;
; ͻ
; 	This file is generated by The Interactive Disassembler (IDA)	    
; 	Copyright (c) 2010 by Hex-Rays SA, <support@hex-rays.com>	    
; 			 Licensed to: Freeware version			    
; ͼ
;
; Input	MD5   :	24B533AB59B7030ED77FE189F0697B9F

; 
; File Name   :	C:\Windows\System32\ntoskrnl.exe
; Format      :	Portable executable for	80386 (PE)
; Imagebase   :	400000
; Section 1. (virtual address 00001000)
; Virtual size			: 002AA544 (2794820.)
; Section size in file		: 002AA600 (2795008.)
; Offset to raw	data for section: 00000800
; Flags	68000020: Text Not pageable Executable Readable
; Alignment	: default


unicode		macro page,string,zero
		irpc c,<string>
		db '&c', page
		endm
		ifnb <zero>
		dw zero
		endif
endm

		.686p
		.mmx
		.model flat

		include	3.inc

; 

; Segment type:	Pure code
; Segment permissions: Read/Execute
_text		segment	para public 'CODE' use32
		assume cs:_text
		;org 401000h
		assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

_VrpRegistryString:			; DATA XREF: .text:00401C00w
					; .text:00401C04r ...
		adc	[eax], al
		adc	al, [eax]
; 
		dd offset loc_40ABB4+4
; 

_ExpSystemProcessName:			; DATA XREF: ExpGetProcessInformation:loc_813B4Ao
		or	al, 0
		push	cs
		add	al, dh
		mov	[eax+0], eax

_ExpCompressionProcessName:		; DATA XREF: ExpGetProcessInformation:loc_813B54o
		and	al, 0
		add	es:[eax], dh
		stosd
		inc	eax

loc_401017:				; DATA XREF: _CmOpenDeviceRegKeyWorker+1DCo
		add	[eax+eax], ah
		db	26h
		add	dh, bl

loc_40101D:				; DATA XREF: PiDmGetCacheKeys(x,x,x)+43o
		imul	ecx, [ebx+40FA0800h], 1100h
; 
		db 0
		dd 0
		dd 1
		dd offset _DEVPKEY_DeviceContainer_IsConnected
		dd 11h,	0
		dd 1
		dd offset _DEVPKEY_DeviceContainer_IsRebootRequired
		dd 11h,	0
		dd 1
dword_401050	dd 140012h		; DATA XREF: RtlpQueryPackageIdentityAttributes+106o
		dd offset ??_C@_1BE@ENMIMNBJ@?$AAX?$AAB?$AAO?$AAX?$AA?3?$AA?1?$AA?1?$AAL?$AAI@FNODOBFM@
dword_401058	dd 160014h		; DATA XREF: RtlpQueryPackageIdentityAttributes+E4o
		dd offset ??_C@_1BG@OLJFPOOD@?$AAW?$AAP?$AA?3?$AA?1?$AA?1?$AAS?$AAK?$AAU?$AAI?$AAD@FNODOBFM@
; 

_PiDqQueryConstraintData:		; DATA XREF: PiDqObjectManagerEnumerateAndRegisterQuery:loc_7FA853o
		add	eax, [eax]
; 
		dw 0
		dd offset _DEVPKEY_Device_InstanceId
		dd 20002h, 12h,	2 dup(1), 3
		dd offset _DEVPKEY_DeviceInterface_ClassGuid
		dd 2, 0Dh, 4, 0
		dd 3
		dd offset _DEVPKEY_Device_ContainerId
		dd 2, 0Dh, 5, 2, 1
		dd offset _DEVPKEY_Device_ContainerId
		dd 2, 0Dh, 5, 4, 1
		dd offset _DEVPKEY_Device_PanelId
		dd 20002h, 12h,	2 dup(6), 1
		dd offset _DEVPKEY_Device_ClassGuid
		dd 2, 0Dh, 2, 5
dword_4010F0	dd 2C002Ah		; DATA XREF: SepIsMinTCB:loc_7A2653o
		dd offset loc_40B0D8
; 

_AlpcReserveType:			; DATA XREF: .text:00403F68o
					; AlpcpCreateReserve(x,x,x)+38o ...
		pop	es
; 
		db 3 dup(0)
aAlrr		db 'AlRr',0
		align 8
		dd offset _AlpcReserveTypeCounters
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		dd offset _AlpcReserveDestroyProcedure@4 ; AlpcReserveDestroyProcedure(x)
		dd 0
; 

_AlpcSectionType:			; DATA XREF: .text:00403F5Co
					; AlpcpCaptureViewAttributeInternal+8Co ...
		add	al, 0
; 
		dw 0
aAlsc		db 'AlSc',0
		align 4
		dd 0
		dd offset _AlpcSectionTypeCounters
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		dd offset _AlpcSectionDeleteProcedure@4	; AlpcSectionDeleteProcedure(x)
		dd offset AlpcSectionDestroyProcedure
		align 10h

_AlpcSecurityType:			; DATA XREF: .text:00403F58o
					; NtAlpcDeleteSecurityContext+59o ...
		add	eax, [eax]
; 
		dw 0
aAlse		db 'AlSe',0
		align 10h
		dd offset _AlpcSecurityTypeCounters
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		dd offset _AlpcSecurityDestroyProcedure@4 ; AlpcSecurityDestroyProcedure(x)
		dd 0
dword_401164	dd 0C000Ah		; DATA XREF: _CmIsRootEnumeratedDevice(x)+23o
		dd offset ??_C@_1M@GMCFOPCE@?$AAR?$AAo?$AAo?$AAt?$AA?2@NNGAKEGL@
dword_40116C	dd 1A0018h		; DATA XREF: _CmIsRootDevice(x)+1Fo
		dd offset ??_C@_1BK@CCOOHMCM@?$AAH?$AAT?$AAR?$AAE?$AAE?$AA?2?$AAR?$AAO?$AAO?$AAT?$AA?2?$AA0@NNGAKEGL@
		align 8
_MiMemoryEventNames dd offset loc_4A0048 ; DATA	XREF: MiResolveMemoryEvent(x,x,x,x)+Br
					; MiInitializeMemoryEvents(x)+36o
off_40117C	dd offset aKernelobject_5 ; DATA XREF: MiResolveMemoryEvent(x,x,x,x)+14r
					; "\\KernelObjects\\LowPagedPoolCondition"
		dd offset loc_4C0049+1
		dd offset aKernelobjectsH ; "\\KernelObjects\\HighPagedPoolCondition"
		dd offset loc_50004D+1
		dd offset aKernelobject_4 ; "\\KernelObjects\\LowNonPagedPoolCondition"...
		dd offset loc_52004C+4
		dd offset aKernelobject_3 ; "\\KernelObjects\\HighNonPagedPoolConditio"...
		dd offset loc_440042
		dd offset aKernelobjectsL ; "\\KernelObjects\\LowMemoryCondition"
		dd offset loc_460042+2
		dd offset aKernelobject_7 ; "\\KernelObjects\\HighMemoryCondition"
		dd offset loc_440042
		dd offset aKernelobject_2 ; "\\KernelObjects\\LowCommitCondition"
		dd offset loc_460042+2
		dd offset aKernelobject_1 ; "\\KernelObjects\\HighCommitCondition"
		dd offset loc_4C0049+1
		dd offset aKernelobjectsM ; "\\KernelObjects\\MaximumCommitCondition"
		dd 380036h
		dd offset aKernelobject_0 ; "\\KernelObjects\\MemoryErrors"
		dd offset loc_480045+1
		dd offset aKernelobjectsP ; "\\KernelObjects\\PhysicalMemoryChange"
; 

_MiKernelObjectsDirectoryName:		; DATA XREF: MiCreatePartitionNamespace(x)+A7o
		sbb	al, [eax]
		sbb	al, 0
		pushf
		xor	al, [ecx+0]

_AlpcConnectionType:			; DATA XREF: .text:00403F50o
					; AlpcpCreateClientPort+15Eo ...
		add	[eax], eax
; 
		dw 0
		dd 49436C41h, 2	dup(1)
		dd offset _AlpcConnectionTypeCounters
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		dd offset _AlpcConnectionDestroyProcedure@4 ; AlpcConnectionDestroyProcedure(x)
		dd 40h
; 

_SeSubsystemName:			; DATA XREF: SeReportSecurityEventWithSubCategory+1A7o
					; SePrivilegedServiceAuditAlarm(x,x,x,x)+64o ...
		adc	[eax], al
		adc	al, [eax]
		xor	dl, bh
		inc	eax
; 
		db 0
		align 8
_ActivityAttributes db 1		; DATA XREF: PopPepCompleteActivity+14r
					; PopPepVerifyActivities+12r ...
		align 4
dword_40120C	dd 1			; DATA XREF: PopPepCancelActivities(x,x,x)+13r
dword_401210	dd 1			; DATA XREF: PopPepAttemptAcitivityPromotion+17r
dword_401214	dd 3			; DATA XREF: PopPepProcessEvent(x,x,x,x,x,x)+31r
dword_401218	dd 7			; DATA XREF: PopPepVerifyActivities+2Er
		align 10h
		dd 2 dup(7), 0
		dd 7
dword_401230	dd 4 dup(0)		; DATA XREF: PopPepCancelActivityRange(x,x,x,x,x)+17o
		dd 3, 0
dword_401248	dd 4 dup(0)		; DATA XREF: PopPepShouldActivityWait(x,x,x,x,x)+17o
		align 10h
dword_401260	dd 4 dup(0)		; DATA XREF: PopPepShouldActivityWait(x,x,x,x,x)+8o
		dd 4, 0
off_401278	dd offset _xKdUnmapVirtualAddress@12
					; DATA XREF: PopPepTriggerActivity(x,x,x,x)+36r
					; xKdUnmapVirtualAddress(x,x,x)
off_40127C	dd offset _PopPepStartDevicePowerOnActivity@12
					; DATA XREF: PopPepStartActivity(x,x,x,x,x,x)+17r
					; PopPepStartDevicePowerOnActivity(x,x,x)
off_401280	dd offset _PopPepCompleteDevicePowerOnActivity@8
					; DATA XREF: PopPepCompleteActivity+3Cr
					; PopPepCompleteDevicePowerOnActivity(x,x)
		align 8
		dd 3 dup(2), 2 dup(0)
		dd 6, 7, 0
		dd 7, 0
		dd 3, 2	dup(0)
		dd 3, 0
		dd 7, 4, 2 dup(0)
		dd 4, 2	dup(0)
		dd 4, 2	dup(0)
		dd 4, 0
		dd offset _PopPepTriggerComponentIdleStateChangeActivity@12 ; PopPepTriggerComponentIdleStateChangeActivity(x,x,x)
		dd offset PopPepStartComponentIdleStateChangeActivity
		dd offset PopPepCompleteComponentIdleStateChangeActivity
		dd 0
		dd 1, 2, 1, 2 dup(0)
		dd 2 dup(7), 0
		dd 7, 0
		dd 3, 2	dup(0)
		dd 3, 0
		dd 2 dup(7), 2 dup(0)
		dd 4, 0
		dd 2 dup(7), 2 dup(0)
		align 10h
		dd offset _PopPepTriggerComponentActivatingActivity@12 ; PopPepTriggerComponentActivatingActivity(x,x,x)
		dd offset _PopPepStartComponentActivatingActivity@12 ; PopPepStartComponentActivatingActivity(x,x,x)
		dd offset _RtlEndStrongEnumerationHashTable@8 ;	RtlEndStrongEnumerationHashTable(x,x)
		dd 4 dup(0)
		dd 5 dup(7), 6,	12h dup(0)
		dd offset _PopPepTriggerComponentActiveActivity@12 ; PopPepTriggerComponentActiveActivity(x,x,x)
		dd offset _PopPepStartVoidActivity@12 ;	PopPepStartVoidActivity(x,x,x)
		dd offset _PopPepCompleteComponentActiveActivity@8 ; PopPepCompleteComponentActiveActivity(x,x)
		dd 1, 2	dup(0)
		dd 3, 6	dup(7),	12h dup(0)
		dd offset _xKdUnmapVirtualAddress@12 ; xKdUnmapVirtualAddress(x,x,x)
		dd offset _PopPepStartDevicePowerOffActivity@12	; PopPepStartDevicePowerOffActivity(x,x,x)
		dd offset _RtlEndStrongEnumerationHashTable@8 ;	RtlEndStrongEnumerationHashTable(x,x)
		dd 1, 0
		dd 3, 6	dup(0)
		dd 7, 6	dup(0)
		dd 3 dup(7), 0
		dd 7, 0
		dd 3 dup(7), 0
		dd 7, 0
		dd offset _xKdUnmapVirtualAddress@12 ; xKdUnmapVirtualAddress(x,x,x)
		dd offset _PopPepStartDeviceUnregisterActivity@12 ; PopPepStartDeviceUnregisterActivity(x,x,x)
		dd offset _RtlEndStrongEnumerationHashTable@8 ;	RtlEndStrongEnumerationHashTable(x,x)
dword_4014F0	dd 1E001Ch		; DATA XREF: RtlpQueryPackageIdentityAttributes+3Co
					; RtlpQueryPackageIdentityAttributes+68o ...
		dd offset ??_C@_1BO@BOGEHPME@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAS?$AAY?$AAS?$AAA?$AAP?$AAP?$AAI?$AAD@FNODOBFM@
		dd 140012h
		dd offset ??_C@_1BE@BDEKEKBI@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAP?$AAK?$AAG@FNODOBFM@
; 

_AlpcHandleDataType:			; DATA XREF: .text:00403F70o
					; AlpcpCaptureHandleAttributeInternal+53o
		or	[eax], eax
; 
		dw 0
aAlhd		db 'AlHd',0
		align 10h
		dd offset _AlpcHandleDataTypeCounters
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		dd offset _AlpcHandleDataDestroyProcedure@4 ; AlpcHandleDataDestroyProcedure(x)
		dd 0
; `_CmOpenDeviceContainerRegKeyWorker'::`2'::DeviceContainersKeyPrefix
?DeviceContainersKeyPrefix@?1??_CmOpenDeviceContainerRegKeyWorker@@9@9 dd 340032h
					; DATA XREF: _CmOpenDeviceContainerRegKeyWorker+103o
		dd offset ??_C@_1DE@GJPKHPPK@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC@NNGAKEGL@
; `_CmOpenDeviceInterfaceRegKeyWorker'::`2'::ObjectPathRootPrefix
?ObjectPathRootPrefix@?1??_CmOpenDeviceInterfaceRegKeyWorker@@9@9 dd 340032h
					; DATA XREF: _CmOpenDeviceContainerRegKeyWorker+D8o
					; _CmOpenCommonClassRegKeyWorker+DBo ...
		dd offset ??_C@_1DE@JMADIDNJ@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@
dword_401534	dd 120010h		; DATA XREF: AuthzBasepIsCompareRelevantAttribute(x)+Co
		dd offset ??_C@_1BC@CFEJIEP@?$AAA?$AAP?$AAP?$AAI?$AAD?$AA?3?$AA?1?$AA?1@NNGAKEGL@
_CmpLogPath	dd offset off_420040	; DATA XREF: CmpInitCmRM:loc_7D97D7o
					; CmpStartRMLog+95o ...
		dd offset aSystemrootSy_0 ; "\\SystemRoot\\System32\\Config\\TxR\\"
; 

_CmpLogExt:				; DATA XREF: CmpStartCLFSLog+B0o
					; CmpStartCLFSLog+754D1o ...
		or	[eax], al
		or	al, [eax]
		adc	al, 31h
		inc	ecx
		add	[eax], dl	; DATA XREF: CmpStartCLFSLog+88o
		add	[edx], dl
		add	al, bh
		std
		inc	eax

loc_401553:				; DATA XREF: RtlGetProductInfo+DAo
		add	[esi], bh
		add	[eax+0], al

loc_401558:				; DATA XREF: RtlGetProductInfo+A0o
		xor	[ecx+240040h], dh
		add	es:[ecx+esi*4],	al
		inc	eax
; 
		db 0
; 

_ExpLeapSecondRegkeyPath:		; DATA XREF: ExpGetLeapSecondDataRegistryKeyHandle(x)+38o
		nop
		add	[edx+40B1B800h], dl
		add	[eax], cl	; DATA XREF: _CmGetDeviceInterfacePathFormat(x,x,x)+48o
		add	[edx], cl
		add	[esi+6Bh], bh
		mov	eax, [eax]

loc_401574:				; DATA XREF: _CmGetDeviceInterfacePathFormat(x,x,x)+35o
		or	[eax], al
		or	al, [eax]
		jz	short near ptr byte_4015E5
		mov	eax, [eax]
; 
off_40157C	dd offset off_6B3118	; DATA XREF: _PnpDeviceRaisePropertyChangeEventWorker+C7o
					; _PnpDeviceRaisePropertyChangeEventWorker+1B6o
		dd 3
		dd offset _DEVPKEY_DeviceContainer_IsConnected
		dd offset off_6B3150
		dd 6
		dd offset _DEVPKEY_DeviceContainer_HasProblem
		dd offset off_6B3108
		dd 4
		dd offset _DEVPKEY_DeviceContainer_IsRebootRequired
off_4015A0	dd offset off_6B3170	; DATA XREF: _PnpDeviceRaisePropertyChangeEventWorker+E4o
					; _PnpDeviceRaisePropertyChangeEventWorker+A093Eo
		dd 2
		dd offset _DEVPKEY_Device_ContainerId
		align 10h
off_4015B0	dd offset off_6B3168	; DATA XREF: _PnpDeviceRaisePropertyChangeEventWorker+B6o
		dd 2
		dd offset _DEVPKEY_NAME
		dd offset off_6B3150
		dd 6
		dd offset _DEVPKEY_Device_HasProblem
		dd offset off_6B3148
		dd 2
		dd offset _DEVPKEY_Device_ProblemCode
		dd offset off_6B3140
		dd 2
		dd offset _DEVPKEY_Device_DevNodeStatus
		dd offset off_6B313C
		db 1
byte_4015E5	db 3 dup(0)		; CODE XREF: .text:00401578j
		dd offset _DEVPKEY_Device_Class
		dd offset off_6B3128
		dd 5
		dd offset _DEVPKEY_Device_SafeRemovalRequired
		dd offset off_6B3124
		dd 1
		dd offset _DEVPKEY_Device_ContainerId
		dd offset off_6B3118
		dd 3
		dd offset _DEVPKEY_Device_IsConnected
		dd offset off_6B3108
		align 8
		dd offset _DEVPKEY_Device_IsRebootRequired
		dd offset off_6B3100
		dd 2
		dd offset _DEVPKEY_Device_CompoundUpperFilters
		dd offset off_6B30F8
		dd 2
		dd offset _DEVPKEY_Device_CompoundLowerFilters
		dd offset off_6B30F0
		dd 2
		dd offset _DEVPKEY_Device_OmitFromSystemSpec
; 

_KvfVelocityKeyName:			; DATA XREF: KvfCommitFeatureStates+31o
		add	byte ptr [eax],	84h
; 
		db 0
		dd offset aRegistryMach_6 ; "\\Registry\\Machine\\SYSTEM\\CurrentControl"...
; 

_AllowedCachedObjectNames:		; DATA XREF: SepValidateReferencedCachedHandles+223o
		or	al, [eax]
		or	al, 0
		and	al, 0ABh
		inc	eax
		add	[eax+eax], cl
		push	cs
		add	[ebx+ebp*4], dl
		inc	eax
		add	[esi], dl
		add	[eax], bl
		add	ah, bh
		stosb
		inc	eax
		add	[esi], cl
		add	[eax], dl
		add	ah, ch
		stosb
		inc	eax
		add	[eax], dh
		add	[edx], dh

loc_40166B:				; DATA XREF: DrvDbGetDriverInfFileMappedProperty:loc_7FB5AFr
					; DrvDbGetDriverInfFileMappedProperty+57o ...
		add	[eax-3BFFBF56h], bh
		mov	al, 40h
		add	[edx], dl
		and	[eax], al
		add	ah, al
		std
		inc	eax
		add	[edi], al
; 
		db 3 dup(0)
		dd 2 dup(0)
		dd offset _DEVPKEY_DriverInfFile_ActiveDriverPackage
		dd 12h
		dd offset loc_40B0A0
		dd 1, 2	dup(0)
		dd offset _DEVPKEY_DriverInfFile_ActiveConfigurations
		dd 2012h
		dd offset aConfigurations ; "Configurations"
		dd 7, 2	dup(0)
		dd offset _DEVPKEY_DriverInfFile_Locked
		dd 11h
		dd offset loc_40B048
		align 10h
; `_CmOpenDeviceInterfaceRegKeyWorker'::`2'::DeviceClassesKeyPrefix
?DeviceClassesKeyPrefix@?1??_CmOpenDeviceInterfaceRegKeyWorker@@9@9 dd 2E002Ch
					; DATA XREF: _CmOpenCommonClassRegKeyWorker+12Ao
					; _CmOpenDeviceInterfaceRegKeyWorker+11Bo
		dd offset ??_C@_1CO@PCPCFID@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC@NNGAKEGL@
off_4016D8	dd offset aD		; DATA XREF: PiDqIrpQueryCreate+D6o
					; PiDqQuerySerializeActionQueue+126o ...
					; "D"
		dd offset _MIDL_user_allocate@4	; MIDL_user_allocate(x)
		dd offset _MIDL_user_free@4 ; MIDL_user_free(x)
		dd offset unk_6FDA4C
		dd 4 dup(0)
		dd offset word_4077E2
		dd 1, 0A0000h, 0
		dd 801026Eh, 3 dup(0)
		dd 1, 3	dup(0)
; `_CmOpenCommonClassRegKeyWorker'::`2'::ClassKeyPrefix
?ClassKeyPrefix@?1??_CmOpenCommonClassRegKeyWorker@@9@9	dd 1E001Ch
					; DATA XREF: _CmOpenCommonClassRegKeyWorker+10Co
		dd offset ??_C@_1BO@BMNBPCJG@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAC?$AAl?$AAa?$AAs?$AAs?$AA?2@NNGAKEGL@
off_401730	dd offset _DEVPKEY_DriverPackage_DriverInfName
					; DATA XREF: DrvDbGetDriverPackageMappedProperty:loc_7FE112r
					; DrvDbGetDriverPackageMappedProperty+FCo ...
		dd 12h
off_401738	dd offset dword_40FDC4	; DATA XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x):loc_A38DFBr
		dd 1, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_OriginalInfName
		dd 12h
		dd offset aInfname	; "InfName"
		dd 1, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_SourceMediaPath
		dd 12h
		dd offset aOempath	; "OemPath"
		dd 1, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_Inbox
		dd 11h
		dd offset aInbox	; "Inbox"
		dd 4, 0
		dd 1
		dd offset _DEVPKEY_DriverPackage_Published
		dd 11h
		dd offset aPublished	; "Published"
		align 10h
		dd 2 dup(1)
		dd offset _DEVPKEY_DriverPackage_SignerName
		dd 12h
		dd offset aSignername	; "SignerName"
		dd 1, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_SignerScore
		dd 7
		dd offset aSignerscore	; "SignerScore"
		dd 4, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_F6
		dd 11h
		dd offset loc_40AF80
		align 10h
		dd offset _DEVPKEY_DriverPackage_ProcessorArchitecture
		dd 5
		dd offset aArchitecture	; "Architecture"
		align 10h
byte_401800	db 2, 0			; DATA XREF: EtwpTraceWdf(x,x,x,x,x)+30o
byte_401802	db 0			; DATA XREF: KiExecuteAllDpcs+483o
					; EtwpTraceFileName(x,x,x,x,x,x):loc_4F8B8Co ...
byte_401803	db 0			; DATA XREF: EtwpTraceIo:loc_4F88F7o
					; EtwpLogMemInfo(x,x):loc_67DE76o ...
		dd 2			; DATA XREF: EtwpLogMemInfoWsHelper(x,x)+37o
					; EtwpLogSessionWorkingSetInfo(x)+10Fo	...
		dd offset _DEVPKEY_DriverPackage_Locale
		dd 7
		dd offset aLocale	; "Locale"
		align 10h
		dd offset _DEVPKEY_DriverPackage_ProviderName
		dd 12h
		dd offset aProvider	; "Provider"
		dd 1, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_ClassGuid
		dd 0Dh
		dd offset aClassguid	; "ClassGuid"
		dd 3, 8, 10h
		dd offset _DEVPKEY_DriverPackage_DriverDate
		dd 10h
		dd offset aDriverdate	; "DriverDate"
		dd 3, 18h, 8
		dd offset _DEVPKEY_DriverPackage_DriverVersion
		dd 9
		dd offset loc_40AEC4
		dd 3, 20h, 8
		dd offset _DEVPKEY_DriverPackage_BootCritical
		dd 11h
		dd offset loc_40AE94
		dd 4, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_ConfigurableFlags
		dd 7
		dd offset loc_40AE5C
		align 8
		dd 28h,	4
		dd offset _DEVPKEY_DriverPackage_ConfigurableOverride
		dd 11h
		dd offset loc_40AE2B+1
		dd 4, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_ExtensionId
		dd 0Dh
		dd offset loc_40AE14
		dd 3, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_StatusFlags
		dd 7
		dd offset loc_40ADE8
		dd 4, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_LockLevel
		dd 7
off_401900	dd offset aLocklevel	; DATA XREF: CcPerfLogFlushCache+B2o
					; CcPerfLogFlushSection+7Eo ...
					; "LockLevel"
		align 10h
		dd offset _DEVPKEY_DriverPackage_ProductName
		dd 12h
		dd offset aProduct	; "Product"
		dd 1, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_TargetComputerIds
		dd 2012h
		dd offset aTargetcomputer ; "TargetComputerIds"
		dd 7, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_SystemCritical
		dd 11h
		dd offset loc_40AD44
		dd 4, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_ImportDate
		dd 10h
		dd offset loc_40AD18
		dd 3, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_ClassVersion
		dd 7
		dd offset loc_40ACE8
		dd 4, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_NeedsReconfig
		dd 11h
		dd offset aNeedsreconfig ; "NeedsReconfig"
		align 10h
		dd offset _DEVPKEY_DriverPackage_ExtensionContractIds
		dd 100Dh
		dd offset loc_40AC8C
		dd 3, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_FileSize
		dd 9
		dd offset loc_40AC64
		dd 0Bh,	2 dup(0)
		dd offset _DEVPKEY_DriverPackage_EffectiveFileSize
		dd 9
		dd offset loc_40AC3C
		dd 0Bh,	2 dup(0)
		dd offset _DEVPKEY_DriverPackage_CatalogFile
		dd 12h
		dd offset loc_40AC18
		dd 1, 2	dup(0)
off_401A00	dd offset _DEVPKEY_DriverPackage_PrimitiveFlags
					; DATA XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+613o
					; EtwTraceDebuggerEvent(x,x,x)+35o ...
		dd 7
		dd offset aPrimitiveflags ; "PrimitiveFlags"
		dd 4, 2	dup(0)
		dd offset _DEVPKEY_DriverPackage_Invalidated
		dd 11h
		dd offset aInvalidated	; "Invalidated"
		align 10h
dword_401A30	dd 0A0008h		; DATA XREF: _CmValidateDeviceInterfaceName(x,x)+6Do
		dd offset ??_C@_19MJCDBCKE@?$AA?2?$AA?2?$AA?$DP?$AA?2@NNGAKEGL@	; "\\"
dword_401A38	dd 0A0008h		; DATA XREF: _CmValidateDeviceInterfaceName(x,x)+5Ao
		dd offset ??_C@_19JHEHLFPM@?$AA?2?$AA?$DP?$AA?$DP?$AA?2@NNGAKEGL@ ; "\\??\\"
_PiDmCachedDeviceKeys dd offset	_DEVPKEY_Device_SessionId
					; DATA XREF: PiDmGetCacheKeys(x,x,x)+13o
		dd 7, 2	dup(0)
		dd offset _DEVPKEY_Device_RestrictedSD
		dd 13h,	2 dup(0)
		dd offset _DEVPKEY_Device_ClassGuid
		dd 0Dh,	2, 0
		dd offset _DEVPKEY_Device_ContainerId
		dd 0Dh,	5, 1
		dd offset _DEVPKEY_Device_PanelId
		dd 12h,	6, 0
		dd offset _DEVPKEY_Device_DevNodeStatus
		dd 7, 0
		dd 1
		dd offset _DEVPKEY_Device_ProblemCode
		dd 7, 0
		dd 1
		dd offset _DEVPKEY_Device_IsConnected
		dd 11h,	0
		dd 1
		dd offset _DEVPKEY_Device_HasProblem
		dd 11h,	0
		dd 1
		dd offset _DEVPKEY_Device_IsRebootRequired
		dd 11h,	0
		dd 1
; 

_PiDmCachedDeviceInterfaceKeys:		; DATA XREF: PiDmGetCacheKeys(x,x,x)+2Ao
		sub	al, 7Bh
		inc	eax
		add	[edx], dl
; 
		db 3 dup(0)
		dd 1, 0
; `_CmOpenDeviceRegKeyWorker'::`2'::EnumKeyPrefix
?EnumKeyPrefix@?1??_CmOpenDeviceRegKeyWorker@@9@9 dd 0C000Ah
					; DATA XREF: _CmOpenDeviceRegKeyWorker+133o
		dd offset ??_C@_1M@DCMFPONJ@?$AAE?$AAn?$AAu?$AAm?$AA?2@NNGAKEGL@
off_401AF8	dd offset off_6B30E4	; DATA XREF: _PnpInterfaceRaisePropertyChangeEventWorker(x,x,x,x,x,x)+39o
		dd 1
		dd offset _DEVPKEY_NAME
		dd offset off_6B30E0
		dd 1
		dd offset _DEVPKEY_Device_ContainerId
_PiDmAggregatedBooleanDefs dd 1		; DATA XREF: PiDmObjectGetAggregatedBooleanPropertyData+AAo
					; PiDmObjectProcessPropertyChange+28Cr	...
off_401B14	dd offset _DEVPKEY_Device_IsConnected
					; DATA XREF: PiDmObjectProcessPropertyChange:loc_85A578r
					; PiDmListUpdateAggregationCountWorker+64r ...
		dd offset _DEVPKEY_Device_ContainerId
dword_401B1C	dd 5			; DATA XREF: PiDmObjectGetAggregatedBooleanPropertyData+95r
					; PiDmListUpdateAggregationCountWorker+40r
off_401B20	dd offset _DEVPKEY_DeviceContainer_IsConnected
					; DATA XREF: PiDmObjectGetAggregatedBooleanPropertyData:loc_801763r
		align 8
dword_401B28	dd 34h			; DATA XREF: PiDmListUpdateAggregationCountWorker+48r
		dd 1
		dd offset _DEVPKEY_Device_HasProblem
		dd offset _DEVPKEY_Device_ContainerId
		dd 5
		dd offset _DEVPKEY_DeviceContainer_HasProblem
		dd 4, 38h, 1
		dd offset _DEVPKEY_Device_IsRebootRequired
		dd offset _DEVPKEY_Device_ContainerId
		dd 5
		dd offset _DEVPKEY_DeviceContainer_IsRebootRequired
		align 10h
		dd 3Ch,	0
_BuiltinCallbackReg dd offset _GUID_EM_CALLBACK_BIOS_DATE ; DATA XREF: EmInitSystem+285o
		dd offset _EmMatchDate@28 ; EmMatchDate(x,x,x,x,x,x,x)
		dd 0
		dd offset _GUID_EM_CPU_MATCH_CALLBACK
		dd offset _EmCpuMatchCallback@28 ; EmCpuMatchCallback(x,x,x,x,x,x,x)
		align 10h
		dd offset loc_40AB87+1
		dd offset _EmTrueCallback@28 ; EmTrueCallback(x,x,x,x,x,x,x)
		dd 0
		dd offset _GUID_EM_ALWAYS_FALSE_CALLBACK
		dd offset _EmFalseCallback@28 ;	EmFalseCallback(x,x,x,x,x,x,x)
		align 8
		dd offset loc_40AB67+1
		dd offset _EmSystemArchitectureCallback@28 ; EmSystemArchitectureCallback(x,x,x,x,x,x,x)
		dd 0
		dd offset _GUID_EM_CALLBACK_REMOVE_BAD_S3_PAGES
		dd offset _EmRemoveBadS3PagesCallback@28 ; EmRemoveBadS3PagesCallback(x,x,x,x,x,x,x)
		align 10h
dword_401BB0	dd 0B000Ah		; DATA XREF: IopCheckDiskName(x,x,x)+51o
		dd offset ??_C@_0L@MENOPLJP@partition?$CI@FNODOBFM@
_Crc64Ctrl	dd offset _crc64Mult_	; DATA XREF: RtlCrc64(x,x,x,x)+Bo
					; PopEnsureErratumSubscribed(x)+27o ...
		dd offset _crc64Map1_
		dd offset _crc64Map32_
		align 8
		dd 0AC4BC9B5h, 9A6C9329h, 2 dup(0FFFFFFFFh)
		dd offset aCrc64RefsV1	; "Crc64 ReFS-v1"
		align 10h

_KiDisableFgBoostDecayRegKeyName:	; DATA XREF: KiGetDisableFgBoostDecayRegKeyHandle()+34o
		add	byte ptr [eax],	84h
; 
		db 0
		dd offset aRegistryMach_6 ; "\\Registry\\Machine\\SYSTEM\\CurrentControl"...
; 

_CmpTransactionTypeNameString:		; DATA XREF: CmpInitializeLightWeightTransactionType()+7Fo
		add	es:[eax], ch
		add	[edx+esi+41h], dh

loc_401BEF:				; DATA XREF: DownLevelLanguageNameToLangID(x,x)+1Eo
					; DownLevelGetParentLanguageName(x,x,x,x)+1Ao
		add	ah, al
		std
		inc	eax
		add	ah, bh
		sub	al, [ecx+0]
		mov	eax, 0BC004125h
		sub	[ecx+0], eax
		movsb
		and	eax, [ecx+0]
		lodsb
		sub	al, 41h
		add	[edx+ebx+1A640041h], dl
		inc	ecx
		add	[ebp+ebx+41h], dh
		add	[eax-7FFBEE2h],	dl
		and	[ecx+0], al
		push	esp
		sbb	eax, [ecx+0]
		les	ebx, [edx+0]
		inc	ecx
		add	[ebx+ebx], cl
		inc	ecx
		add	al, dh
		sbb	eax, 1D040041h
		inc	ecx
		add	[eax+1Ch], dl
		inc	ecx
		add	[edx+ebx], dh
		inc	ecx
		add	[eax+28h], ah
		inc	ecx
		add	[ebx+ebx+1CAC0041h], bl
		inc	ecx
		add	al, bh
		sbb	eax, [ecx+0]
		fsubr	qword ptr [eax+0]
		inc	ecx
		add	ah, bh
		and	[ecx+0], eax
		inc	esp
		sub	al, [ecx+0]
		mov	al, ds:4C004124h
		sub	eax, [ecx+0]
		dec	eax
		sbb	[ecx+0], eax
		or	al, 20h
		inc	ecx
		add	[eax], bl
		sbb	[ecx+0], eax
		xor	al, 26h
		inc	ecx
		add	[ecx+ebp+41h], al
		add	[edx+2B940041h], dh
		inc	ecx
		add	[eax-5BFFBEDAh], bh
		sub	al, 41h
		add	[eax+ebp+41h], dl
		add	[ecx+ebp+41h], bh
		add	[ebx], ch
		inc	ecx
		add	[edx+ebp+1FA80041h], al
		inc	ecx
; 
		db 0
		dd offset aBnIn		; "bn-IN"
		dd offset aBo		; "bo"
		dd offset aBoCn		; "bo-CN"
		dd offset aBr		; "br"
		dd offset aBrFr		; "br-FR"
		dd offset aBs		; "bs"
		dd offset aBsCyrl	; "bs-Cyrl"
		dd offset aBsCyrlBa	; "bs-Cyrl-BA"
		dd offset aBsLatn	; "bs-Latn"
		dd offset aBsLatnBa	; "bs-Latn-BA"
		dd offset aCa		; "ca"
		dd offset aCaEs		; "ca-ES"
		dd offset aCaEsValencia	; "ca-ES-valencia"
		dd offset aChr		; "chr"
		dd offset aChrCher	; "chr-Cher"
		dd offset aChrCherUs	; "chr-Cher-US"
		dd offset aCo		; "co"
		dd offset aCoFr		; "co-FR"
		dd offset aCs		; "cs"
		dd offset aCsCz		; "cs-CZ"
		dd offset aCy		; "cy"
		dd offset aCyGb		; "cy-GB"
		dd offset aDa		; "da"
		dd offset aDaDk		; "da-DK"
		dd offset aDe		; "de"
		dd offset aDeAt		; "de-AT"
		dd offset aDeCh		; "de-CH"
		dd offset aDeDe		; "de-DE"
		dd offset aDeLi		; "de-LI"
		dd offset aDeLu		; "de-LU"
		dd offset aDsb		; "dsb"
		dd offset aDsbDe	; "dsb-DE"
		dd offset aDv		; "dv"
		dd offset aDvMv		; "dv-MV"
		dd offset aDzBt		; "dz-BT"
		dd offset aEl		; "el"
		dd offset aElGr		; "el-GR"
		dd offset aEn		; "en"
		dd offset aEn029	; "en-029"
		dd offset aEnAe		; "en-AE"
		dd offset aEnAu		; "en-AU"
		dd offset aEnBz		; "en-BZ"
		dd offset aEnCa		; "en-CA"
		dd offset aEnGb		; "en-GB"
		dd offset aEnHk		; "en-HK"
		dd offset aEnId		; "en-ID"
		dd offset aEnIe		; "en-IE"
		dd offset aEnIn		; "en-IN"
		dd offset aEnJm		; "en-JM"
		dd offset aEnMy		; "en-MY"
		dd offset aEnNz		; "en-NZ"
		dd offset aEnPh		; "en-PH"
		dd offset aEnSg		; "en-SG"
		dd offset aEnTt		; "en-TT"
		dd offset aEnUs		; "en-US"
		dd offset aEnZa		; "en-ZA"
		dd offset aEnZw		; "en-ZW"
		dd offset aEs		; "es"
		dd offset aEs419	; "es-419"
		dd offset aEsAr		; "es-AR"
		dd offset aEsBo		; "es-BO"
		dd offset aEsCl		; "es-CL"
		dd offset aEsCo		; "es-CO"
		dd offset aEsCr		; "es-CR"
		dd offset aEsCu		; "es-CU"
		dd offset aEsDo		; "es-DO"
		dd offset aEsEc		; "es-EC"
		dd offset aEsEs		; "es-ES"
		dd offset aEsEs_tradnl	; "es-ES_tradnl"
		dd offset aEsGt		; "es-GT"
		dd offset aEsHn		; "es-HN"
		dd offset aEsMx		; "es-MX"
		dd offset aEsNi		; "es-NI"
		dd offset aEsPa		; "es-PA"
		dd offset aEsPe		; "es-PE"
		dd offset aEsPr		; "es-PR"
		dd offset aEsPy		; "es-PY"
		dd offset aEsSv		; "es-SV"
		dd offset aEsUs		; "es-US"
		dd offset aEsUy		; "es-UY"
		dd offset aEsVe		; "es-VE"
		dd offset aEt		; "et"
		dd offset aEtEe		; "et-EE"
		dd offset aEu		; "eu"
		dd offset aEuEs		; "eu-ES"
		dd offset aFa		; "fa"
		dd offset aFaIr		; "fa-IR"
		dd offset aFf		; "ff"
		dd offset aFfLatn	; "ff-Latn"
		dd offset aFfLatnNg	; "ff-Latn-NG"
		dd offset aFfLatnSn	; "ff-Latn-SN"
		dd offset aFi		; "fi"
		dd offset aFiFi		; "fi-FI"
		dd offset aFil		; "fil"
		dd offset aFilPh	; "fil-PH"
		dd offset aFo		; "fo"
		dd offset aFoFo		; "fo-FO"
		dd offset aFr		; "fr"
		dd offset aFr029	; "fr-029"
		dd offset aFrBe		; "fr-BE"
		dd offset aFrCa		; "fr-CA"
		dd offset aFrCd		; "fr-CD"
		dd offset aFrCh		; "fr-CH"
		dd offset aFrCi		; "fr-CI"
		dd offset aFrCm		; "fr-CM"
		dd offset aFrFr		; "fr-FR"
		dd offset aFrHt		; "fr-HT"
		dd offset aFrLu		; "fr-LU"
		dd offset aFrMa		; "fr-MA"
		dd offset aFrMc		; "fr-MC"
		dd offset aFrMl		; "fr-ML"
		dd offset aFrRe		; "fr-RE"
		dd offset aFrSn		; "fr-SN"
		dd offset aFy		; "fy"
		dd offset aFyNl		; "fy-NL"
		dd offset aGa		; "ga"
		dd offset aGaIe		; "ga-IE"
		dd offset aGd		; "gd"
		dd offset aGdGb		; "gd-GB"
		dd offset aGl		; "gl"
		dd offset aGlEs		; "gl-ES"
		dd offset aGn		; "gn"
		dd offset aGnPy		; "gn-PY"
		dd offset aGsw		; "gsw"
		dd offset aGswFr	; "gsw-FR"
		dd offset aGu		; "gu"
		dd offset aGuIn		; "gu-IN"
		dd offset aHa		; "ha"
		dd offset aHaLatn	; "ha-Latn"
		dd offset aHaLatnNg	; "ha-Latn-NG"
		dd offset aHaw		; "haw"
		dd offset aHawUs	; "haw-US"
		dd offset aHe		; "he"
		dd offset aHeIl		; "he-IL"
		dd offset aHi		; "hi"
		dd offset aHiIn		; "hi-IN"
		dd offset aHr		; "hr"
		dd offset aHrBa		; "hr-BA"
		dd offset aHrHr		; "hr-HR"
		dd offset aHsb		; "hsb"
		dd offset aHsbDe	; "hsb-DE"
		dd offset aHu		; "hu"
		dd offset aHuHu		; "hu-HU"
		dd offset aHy		; "hy"
		dd offset aHyAm		; "hy-AM"
		dd offset aIbb		; "ibb"
		dd offset aIbbNg	; "ibb-NG"
		dd offset aId		; "id"
		dd offset aIdId		; "id-ID"
		dd offset aIg		; "ig"
		dd offset aIgNg		; "ig-NG"
		dd offset aIi		; "ii"
		dd offset aIiCn		; "ii-CN"
		dd offset aIs		; "is"
		dd offset aIsIs		; "is-IS"
		dd offset aIt		; "it"
		dd offset aItCh		; "it-CH"
		dd offset aItIt		; "it-IT"
		dd offset aIu_1		; "iu"
		dd offset aIuCans	; "iu-Cans"
		dd offset aIuCansCa	; "iu-Cans-CA"
		dd offset aIuLatn	; "iu-Latn"
		dd offset aIuLatnCa	; "iu-Latn-CA"
		dd offset aJa		; "ja"
		dd offset aJaJp		; "ja-JP"
		dd offset aKa		; "ka"
		dd offset aKaGe		; "ka-GE"
		dd offset aKk		; "kk"
		dd offset aKkKz		; "kk-KZ"
		dd offset aKl		; "kl"
		dd offset aKlGl		; "kl-GL"
		dd offset aKm		; "km"
		dd offset aKmKh		; "km-KH"
		dd offset aKn		; "kn"
		dd offset aKnIn		; "kn-IN"
		dd offset aKo		; "ko"
		dd offset aKoKr		; "ko-KR"
		dd offset aKok		; "kok"
		dd offset aKokIn	; "kok-IN"
		dd offset aKr		; "kr"
		dd offset aKrLatnNg	; "kr-Latn-NG"
		dd offset aKs		; "ks"
		dd offset aKsArab	; "ks-Arab"
		dd offset aKsDevaIn	; "ks-Deva-IN"
		dd offset aKu		; "ku"
		dd offset aKuArab	; "ku-Arab"
		dd offset aKuArabIq	; "ku-Arab-IQ"
		dd offset aKy		; "ky"
		dd offset aKyKg		; "ky-KG"
		dd offset aLa		; "la"
		dd offset aLa001	; "la-001"
		dd offset aLb		; "lb"
		dd offset aLbLu		; "lb-LU"
		dd offset aLo		; "lo"
		dd offset aLoLa		; "lo-LA"
		dd offset aLt		; "lt"
		dd offset aLtLt		; "lt-LT"
		dd offset aLv		; "lv"
		dd offset aLvLv		; "lv-LV"
		dd offset aMi		; "mi"
		dd offset aMiNz		; "mi-NZ"
		dd offset aMk		; "mk"
		dd offset aMkMk		; "mk-MK"
		dd offset aMl		; "ml"
		dd offset aMlIn		; "ml-IN"
		dd offset aMn		; "mn"
		dd offset aMnCyrl	; "mn-Cyrl"
		dd offset aMnMn		; "mn-MN"
		dd offset aMnMong	; "mn-Mong"
		dd offset aMnMongCn	; "mn-Mong-CN"
		dd offset aMnMongMn	; "mn-Mong-MN"
		dd offset aMni		; "mni"
		dd offset aMniIn	; "mni-IN"
		dd offset aMoh		; "moh"
		dd offset aMohCa	; "moh-CA"
		dd offset aMr		; "mr"
		dd offset aMrIn		; "mr-IN"
		dd offset aMs		; "ms"
		dd offset aMsBn		; "ms-BN"
off_402000	dd offset aMsMy		; DATA XREF: PspCreateSilo(x):loc_73F5E2o
					; MmEnumerateAddressSpaceAndReferenceImages:loc_8DAE7Do ...
					; "ms-MY"
		dd offset aMt		; "mt"
		dd offset aMtMt		; "mt-MT"
		dd offset aMy		; "my"
		dd offset aMyMm		; "my-MM"
		dd offset aNb		; "nb"
		dd offset aNbNo		; "nb-NO"
		dd offset aNe		; "ne"
		dd offset aNeIn		; "ne-IN"
		dd offset aNeNp		; "ne-NP"
		dd offset aNl		; "nl"
		dd offset aNlBe		; "nl-BE"
		dd offset aNlNl		; "nl-NL"
		dd offset aNn		; "nn"
		dd offset aNnNo		; "nn-NO"
		dd offset aNo		; "no"
		dd offset aNso		; "nso"
		dd offset aNsoZa	; "nso-ZA"
		dd offset aOc		; "oc"
		dd offset aOcFr		; "oc-FR"
		dd offset aOm		; "om"
		dd offset aOmEt		; "om-ET"
		dd offset aOr		; "or"
		dd offset aOrIn		; "or-IN"
		dd offset aPa		; "pa"
		dd offset aPaArab	; "pa-Arab"
		dd offset aPaArabPk	; "pa-Arab-PK"
		dd offset aPaIn		; "pa-IN"
		dd offset aPap		; "pap"
		dd offset aPap029	; "pap-029"
		dd offset aPl		; "pl"
		dd offset aPlPl		; "pl-PL"
		dd offset aPrs		; "prs"
		dd offset aPrsAf	; "prs-AF"
		dd offset aPs		; "ps"
		dd offset aPsAf		; "ps-AF"
		dd offset aPt		; "pt"
		dd offset aPtBr		; "pt-BR"
		dd offset aPtPt		; "pt-PT"
		dd offset aQpsLatnXSh	; "qps-Latn-x-sh"
		dd offset aQpsPloc	; "qps-ploc"
		dd offset aQpsPloca	; "qps-ploca"
		dd offset aQpsPlocm	; "qps-plocm"
		dd offset aQuc		; "quc"
		dd offset aQucLatn	; "quc-Latn"
		dd offset aQucLatnGt	; "quc-Latn-GT"
		dd offset aQuz		; "quz"
		dd offset aQuzBo	; "quz-BO"
		dd offset aQuzEc	; "quz-EC"
		dd offset aQuzPe	; "quz-PE"
		dd offset aRm		; "rm"
		dd offset aRmCh		; "rm-CH"
		dd offset aRo		; "ro"
		dd offset aRoMd		; "ro-MD"
		dd offset aRoRo		; "ro-RO"
		dd offset aRu		; "ru"
		dd offset aRuMd		; "ru-MD"
		dd offset aRuRu		; "ru-RU"
		dd offset aRw		; "rw"
		dd offset aRwRw		; "rw-RW"
		dd offset aSa		; "sa"
		dd offset aSaIn		; "sa-IN"
		dd offset aSah		; "sah"
		dd offset aSahRu	; "sah-RU"
		dd offset aSd_1		; "sd"
		dd offset aSdArab	; "sd-Arab"
		dd offset aSdArabPk	; "sd-Arab-PK"
		dd offset aSdDevaIn	; "sd-Deva-IN"
		dd offset aSe		; "se"
		dd offset aSeFi		; "se-FI"
		dd offset aSeNo		; "se-NO"
		dd offset aSeSe		; "se-SE"
		dd offset aSi		; "si"
		dd offset aSiLk		; "si-LK"
		dd offset aSk		; "sk"
		dd offset aSkSk		; "sk-SK"
		dd offset aSl		; "sl"
		dd offset aSlSi		; "sl-SI"
		dd offset aSma		; "sma"
		dd offset aSmaNo	; "sma-NO"
		dd offset aSmaSe	; "sma-SE"
		dd offset aSmj		; "smj"
		dd offset aSmjNo	; "smj-NO"
		dd offset aSmjSe	; "smj-SE"
		dd offset aSmn		; "smn"
		dd offset aSmnFi	; "smn-FI"
		dd offset aSms		; "sms"
		dd offset aSmsFi	; "sms-FI"
		dd offset aSo		; "so"
		dd offset aSoSo		; "so-SO"
		dd offset aSq		; "sq"
		dd offset aSqAl		; "sq-AL"
		dd offset aSr		; "sr"
		dd offset aSrCyrl	; "sr-Cyrl"
		dd offset aSrCyrlBa	; "sr-Cyrl-BA"
		dd offset aSrCyrlCs	; "sr-Cyrl-CS"
		dd offset aSrCyrlMe	; "sr-Cyrl-ME"
		dd offset aSrCyrlRs	; "sr-Cyrl-RS"
		dd offset aSrLatn	; "sr-Latn"
		dd offset aSrLatnBa	; "sr-Latn-BA"
		dd offset aSrLatnCs	; "sr-Latn-CS"
		dd offset aSrLatnMe	; "sr-Latn-ME"
		dd offset aSrLatnRs	; "sr-Latn-RS"
		dd offset aSt		; "st"
		dd offset aStZa		; "st-ZA"
		dd offset aSv		; "sv"
		dd offset aSvFi		; "sv-FI"
		dd offset aSvSe		; "sv-SE"
		dd offset aSw		; "sw"
		dd offset aSwKe		; "sw-KE"
		dd offset aSyr		; "syr"
		dd offset aSyrSy	; "syr-SY"
		dd offset aTa		; "ta"
		dd offset aTaIn		; "ta-IN"
		dd offset aTaLk		; "ta-LK"
		dd offset aTe		; "te"
		dd offset aTeIn		; "te-IN"
		dd offset aTg		; "tg"
		dd offset aTgCyrl	; "tg-Cyrl"
		dd offset aTgCyrlTj	; "tg-Cyrl-TJ"
		dd offset aTh		; "th"
		dd offset aThTh		; "th-TH"
		dd offset aTi		; "ti"
		dd offset aTiEr		; "ti-ER"
		dd offset aTiEt		; "ti-ET"
		dd offset aTk		; "tk"
		dd offset aTkTm		; "tk-TM"
		dd offset aTn		; "tn"
		dd offset aTnBw		; "tn-BW"
		dd offset aTnZa		; "tn-ZA"
		dd offset aTr		; "tr"
		dd offset aTrTr		; "tr-TR"
		dd offset aTs		; "ts"
		dd offset aTsZa		; "ts-ZA"
		dd offset aTt		; "tt"
		dd offset aTtRu		; "tt-RU"
		dd offset aTzm		; "tzm"
		dd offset aTzmArabMa	; "tzm-Arab-MA"
		dd offset aTzmLatn	; "tzm-Latn"
		dd offset aTzmLatnDz	; "tzm-Latn-DZ"
		dd offset aTzmTfng	; "tzm-Tfng"
		dd offset aTzmTfngMa	; "tzm-Tfng-MA"
		dd offset aUg		; "ug"
		dd offset aUgCn		; "ug-CN"
		dd offset aUk		; "uk"
		dd offset aUkUa		; "uk-UA"
		dd offset aUr		; "ur"
		dd offset aUrIn		; "ur-IN"
		dd offset aUrPk		; "ur-PK"
		dd offset aUz		; "uz"
		dd offset aUzCyrl	; "uz-Cyrl"
		dd offset aUzCyrlUz	; "uz-Cyrl-UZ"
		dd offset aUzLatn	; "uz-Latn"
		dd offset aUzLatnUz	; "uz-Latn-UZ"
		dd offset aVe		; "ve"
		dd offset aVeZa		; "ve-ZA"
		dd offset aVi		; "vi"
		dd offset aViVn		; "vi-VN"
		dd offset aWo		; "wo"
		dd offset aWoSn		; "wo-SN"
		dd offset aXh		; "xh"
		dd offset aXhZa		; "xh-ZA"
		dd offset aYi		; "yi"
		dd offset aYi001	; "yi-001"
		dd offset aYo		; "yo"
		dd offset aYoNg		; "yo-NG"
		dd offset aZh		; "zh"
		dd offset aZhCn		; "zh-CN"
		dd offset aZhHans	; "zh-Hans"
		dd offset aZhHant	; "zh-Hant"
		dd offset aZhHk		; "zh-HK"
		dd offset aZhMo		; "zh-MO"
		dd offset aZhSg		; "zh-SG"
		dd offset aZhTw		; "zh-TW"
		dd offset aZu		; "zu"
		dd offset aZuZa		; "zu-ZA"
; void off_4022C0
off_4022C0	dd offset aAr_1		; DATA XREF: DownLevelLangIDToLanguageName+36o
					; DownLevelLanguageNameToLangID(x,x)+41o ...
					; "ar"
		dd 1
dword_4022C8	dd 7Ch			; DATA XREF: DownLevelGetParentLanguageName(x,x,x,x)+3Dr
		dd offset aBg		; "bg"
		dd 2, 7Ch
		dd offset aCa		; "ca"
		dd 3, 7Ch
		dd offset aZhHans	; "zh-Hans"
		dd 4, 19Ah
		dd offset aCs		; "cs"
		dd 5, 7Ch
		dd offset aDa		; "da"
		dd 6, 7Ch
		dd offset aDe		; "de"
		dd 7, 7Ch
		dd offset aEl		; "el"
		dd 8, 7Ch
		dd offset aEn		; "en"
		dd 9, 7Ch
		dd offset aEs		; "es"
		dd 0Ah,	7Ch
		dd offset aFi		; "fi"
		dd 0Bh,	7Ch
		dd offset aFr		; "fr"
		dd 0Ch,	7Ch
		dd offset aHe		; "he"
		dd 0Dh,	7Ch
		dd offset aHu		; "hu"
		dd 0Eh,	7Ch
		dd offset aIs		; "is"
		dd 0Fh,	7Ch
		dd offset aIt		; "it"
		dd 10h,	7Ch
		dd offset aJa		; "ja"
		dd 11h,	7Ch
		dd offset aKo		; "ko"
		dd 12h,	7Ch
		dd offset aNl		; "nl"
		dd 13h,	7Ch
		dd offset aNo		; "no"
		dd 14h,	7Ch
		dd offset aPl		; "pl"
		dd 15h,	7Ch
		dd offset aPt		; "pt"
		dd 16h,	7Ch
		dd offset aRm		; "rm"
		dd 17h,	7Ch
		dd offset aRo		; "ro"
		dd 18h,	7Ch
		dd offset aRu		; "ru"
		dd 19h,	7Ch
		dd offset aHr		; "hr"
		dd 1Ah,	7Ch
		dd offset aSk		; "sk"
		dd 1Bh,	7Ch
		dd offset aSq		; "sq"
		dd 1Ch,	7Ch
		dd offset aSv		; "sv"
		dd 1Dh,	7Ch
		dd offset aTh		; "th"
		dd 1Eh,	7Ch
		dd offset aTr		; "tr"
		dd 1Fh,	7Ch
		dd offset aUr		; "ur"
		dd 20h,	7Ch
		dd offset aId		; "id"
		dd 21h,	7Ch
		dd offset aUk		; "uk"
		dd 22h,	7Ch
		dd offset aBe		; "be"
		dd 23h,	7Ch
		dd offset aSl		; "sl"
		dd 24h,	7Ch
		dd offset aEt		; "et"
		dd 25h,	7Ch
		dd offset aLv		; "lv"
		dd 26h,	7Ch
		dd offset aLt		; "lt"
		dd 27h,	7Ch
		dd offset aTg		; "tg"
		dd 28h,	7Ch
		dd offset aFa		; "fa"
		dd 29h,	7Ch
		dd offset aVi		; "vi"
		dd 2Ah,	7Ch
		dd offset aHy		; "hy"
		dd 2Bh,	7Ch
		dd offset aAz		; "az"
		dd 2Ch,	7Ch
		dd offset aEu		; "eu"
		dd 2Dh,	7Ch
		dd offset aHsb		; "hsb"
		dd 2Eh,	7Ch
		dd offset aMk		; "mk"
		dd 2Fh,	7Ch
		dd offset aSt		; "st"
		dd 30h,	7Ch
		dd offset aTs		; "ts"
		dd 31h,	7Ch
		dd offset aTn		; "tn"
		dd 32h,	7Ch
		dd offset aVe		; "ve"
		dd 33h,	7Ch
		dd offset aXh		; "xh"
		dd 34h,	7Ch
		dd offset aZu		; "zu"
		dd 35h,	7Ch
		dd offset aAf		; "af"
		dd 36h,	7Ch
		dd offset aKa		; "ka"
		dd 37h,	7Ch
		dd offset aFo		; "fo"
		dd 38h,	7Ch
		dd offset aHi		; "hi"
		dd 39h,	7Ch
		dd offset aMt		; "mt"
		dd 3Ah,	7Ch
		dd offset aSe		; "se"
		dd 3Bh,	7Ch
		dd offset aGa		; "ga"
		dd 3Ch,	7Ch
		dd offset aYi		; "yi"
		dd 3Dh,	7Ch
		dd offset aMs		; "ms"
		dd 3Eh,	7Ch
		dd offset aKk		; "kk"
		dd 3Fh,	7Ch
		dd offset aKy		; "ky"
		dd 40h,	7Ch
		dd offset aSw		; "sw"
		dd 41h,	7Ch
		dd offset aTk		; "tk"
		dd 42h,	7Ch
		dd offset aUz		; "uz"
		dd 43h,	7Ch
		dd offset aTt		; "tt"
		dd 44h,	7Ch
		dd offset aBn		; "bn"
		dd 45h,	7Ch
		dd offset aPa		; "pa"
		dd 46h,	7Ch
		dd offset aGu		; "gu"
		dd 47h,	7Ch
		dd offset aOr		; "or"
		dd 48h,	7Ch
		dd offset aTa		; "ta"
		dd 49h,	7Ch
		dd offset aTe		; "te"
		dd 4Ah,	7Ch
		dd offset aKn		; "kn"
		dd 4Bh,	7Ch
		dd offset aMl		; "ml"
		dd 4Ch,	7Ch
		dd offset aAs		; "as"
		dd 4Dh,	7Ch
		dd offset aMr		; "mr"
		dd 4Eh,	7Ch
		dd offset aSa		; "sa"
		dd 4Fh,	7Ch
		dd offset aMn		; "mn"
		dd 50h,	7Ch
		dd offset aBo		; "bo"
		dd 51h,	7Ch
		dd offset aCy		; "cy"
		dd 52h,	7Ch
		dd offset aKm		; "km"
		dd 53h,	7Ch
		dd offset aLo		; "lo"
		dd 54h,	7Ch
		dd offset aMy		; "my"
		dd 55h,	7Ch
		dd offset aGl		; "gl"
		dd 56h,	7Ch
		dd offset aKok		; "kok"
		dd 57h,	7Ch
		dd offset aMni		; "mni"
		dd 58h,	7Ch
		dd offset aSd_1		; "sd"
		dd 59h,	7Ch
		dd offset aSyr		; "syr"
		dd 5Ah,	7Ch
		dd offset aSi		; "si"
		dd 5Bh,	7Ch
		dd offset aChr		; "chr"
		dd 5Ch,	7Ch
		dd offset aIu_1		; "iu"
		dd 5Dh,	7Ch
		dd offset aAm		; "am"
		dd 5Eh,	7Ch
		dd offset aTzm		; "tzm"
		dd 5Fh,	7Ch
		dd offset aKs		; "ks"
		dd 60h,	7Ch
		dd offset aNe		; "ne"
		dd 61h,	7Ch
		dd offset aFy		; "fy"
		dd 62h,	7Ch
		dd offset aPs		; "ps"
		dd 63h,	7Ch
		dd offset aFil		; "fil"
		dd 64h,	7Ch
		dd offset aDv		; "dv"
		dd 65h,	7Ch
		dd offset aBin		; "bin"
		dd 66h,	7Ch
		dd offset aFf		; "ff"
		dd 67h,	7Ch
		dd offset aHa		; "ha"
		dd 68h,	7Ch
		dd offset aIbb		; "ibb"
		dd 69h,	7Ch
		dd offset aYo		; "yo"
		dd 6Ah,	7Ch
		dd offset aQuz		; "quz"
		dd 6Bh,	7Ch
		dd offset aNso		; "nso"
		dd 6Ch,	7Ch
		dd offset aBa		; "ba"
		dd 6Dh,	7Ch
		dd offset aLb		; "lb"
		dd 6Eh,	7Ch
		dd offset aKl		; "kl"
		dd 6Fh,	7Ch
		dd offset aIg		; "ig"
		dd 70h,	7Ch
		dd offset aKr		; "kr"
		dd 71h,	7Ch
		dd offset aOm		; "om"
		dd 72h,	7Ch
		dd offset aTi		; "ti"
		dd 73h,	7Ch
		dd offset aGn		; "gn"
		dd 74h,	7Ch
		dd offset aHaw		; "haw"
		dd 75h,	7Ch
		dd offset aLa		; "la"
		dd 76h,	7Ch
		dd offset aSo		; "so"
		dd 77h,	7Ch
		dd offset aIi		; "ii"
		dd 78h,	7Ch
		dd offset aPap		; "pap"
		dd 79h,	7Ch
		dd offset aArn		; "arn"
		dd 7Ah,	7Ch
		dd offset aMoh		; "moh"
		dd 2 dup(7Ch)
		dd offset aBr		; "br"
		dd 7Eh,	7Ch
		dd offset dword_40FDC4
		dd 7Fh,	7Ch
		dd offset aUg		; "ug"
		dd 80h,	7Ch
		dd offset aMi		; "mi"
		dd 81h,	7Ch
		dd offset aOc		; "oc"
		dd 82h,	7Ch
		dd offset aCo		; "co"
		dd 83h,	7Ch
		dd offset aGsw		; "gsw"
		dd 84h,	7Ch
		dd offset aSah		; "sah"
		dd 85h,	7Ch
		dd offset aQuc		; "quc"
		dd 86h,	7Ch
		dd offset aRw		; "rw"
		dd 87h,	7Ch
		dd offset aWo		; "wo"
		dd 88h,	7Ch
		dd offset aPrs		; "prs"
		dd 8Ch,	7Ch
		dd offset aGd		; "gd"
		dd 91h,	7Ch
		dd offset aKu		; "ku"
		dd 92h,	7Ch
		dd offset aArSa		; "ar-SA"
		dd 401h, 0
		dd offset aBgBg		; "bg-BG"
		dd 402h, 1
		dd offset aCaEs		; "ca-ES"
		dd 403h, 2
		dd offset aZhTw		; "zh-TW"
		dd 404h, 1A3h
		dd offset aCsCz		; "cs-CZ"
		dd 405h, 4
		dd offset aDaDk		; "da-DK"
		dd 406h, 5
		dd offset aDeDe		; "de-DE"
		dd 407h, 6
		dd offset aElGr		; "el-GR"
		dd 408h, 7
		dd offset aEnUs		; "en-US"
		dd 409h, 8
		dd offset aEsEs_tradnl	; "es-ES_tradnl"
		dd 40Ah, 9
		dd offset aFiFi		; "fi-FI"
		dd 40Bh, 0Ah
		dd offset aFrFr		; "fr-FR"
		dd 40Ch, 0Bh
		dd offset aHeIl		; "he-IL"
		dd 40Dh, 0Ch
		dd offset aHuHu		; "hu-HU"
		dd 40Eh, 0Dh
		dd offset aIsIs		; "is-IS"
		dd 40Fh, 0Eh
		dd offset aItIt		; "it-IT"
		dd 410h, 0Fh
		dd offset aJaJp		; "ja-JP"
		dd 411h, 10h
		dd offset aKoKr		; "ko-KR"
		dd 412h, 11h
		dd offset aNlNl		; "nl-NL"
		dd 413h, 12h
		dd offset aNbNo		; "nb-NO"
		dd 414h, 1A4h
		dd offset aPlPl		; "pl-PL"
		dd 415h, 14h
		dd offset aPtBr		; "pt-BR"
		dd 416h, 15h
		dd offset aRmCh		; "rm-CH"
		dd 417h, 16h
		dd offset aRoRo		; "ro-RO"
		dd 418h, 17h
		dd offset aRuRu		; "ru-RU"
		dd 419h, 18h
		dd offset aHrHr		; "hr-HR"
		dd 41Ah, 19h
		dd offset aSkSk		; "sk-SK"
		dd 41Bh, 1Ah
		dd offset aSqAl		; "sq-AL"
		dd 41Ch, 1Bh
		dd offset aSvSe		; "sv-SE"
		dd 41Dh, 1Ch
		dd offset aThTh		; "th-TH"
		dd 41Eh, 1Dh
		dd offset aTrTr		; "tr-TR"
		dd 41Fh, 1Eh
		dd offset aUrPk		; "ur-PK"
		dd 420h, 1Fh
		dd offset aIdId		; "id-ID"
		dd 421h, 20h
		dd offset aUkUa		; "uk-UA"
		dd 422h, 21h
		dd offset aBeBy		; "be-BY"
		dd 423h, 22h
		dd offset aSlSi		; "sl-SI"
		dd 424h, 23h
		dd offset aEtEe		; "et-EE"
		dd 425h, 24h
		dd offset aLvLv		; "lv-LV"
		align 10h
		dd 25h
		dd offset aLtLt		; "lt-LT"
		dd 427h, 26h
		dd offset aTgCyrlTj	; "tg-Cyrl-TJ"
		dd 428h, 1A6h
		dd offset aFaIr		; "fa-IR"
		dd 429h, 28h
		dd offset aViVn		; "vi-VN"
		dd 42Ah, 29h
		dd offset aHyAm		; "hy-AM"
		dd 42Bh, 2Ah
		dd offset aAzLatnAz	; "az-Latn-AZ"
		dd 42Ch, 19Dh
		dd offset aEuEs		; "eu-ES"
		dd 42Dh, 2Ch
		dd offset aHsbDe	; "hsb-DE"
		align 10h
		dd 2Dh
		dd offset aMkMk		; "mk-MK"
		dd 42Fh, 2Eh
		dd offset aStZa		; "st-ZA"
		dd 430h, 2Fh
		dd offset aTsZa		; "ts-ZA"
		dd 431h, 30h
		dd offset aTnZa		; "tn-ZA"
		dd 432h, 31h
		dd offset aVeZa		; "ve-ZA"
		dd 433h, 32h
		dd offset aXhZa		; "xh-ZA"
		dd 434h, 33h
		dd offset aZuZa		; "zu-ZA"
		dd 435h, 34h
		dd offset aAfZa		; "af-ZA"
		align 10h
		dd 35h
		dd offset aKaGe		; "ka-GE"
		dd 437h, 36h
		dd offset aFoFo		; "fo-FO"
		dd 438h, 37h
		dd offset aHiIn		; "hi-IN"
		dd 439h, 38h
		dd offset aMtMt		; "mt-MT"
		dd 43Ah, 39h
		dd offset aSeNo		; "se-NO"
		dd 43Bh, 3Ah
		dd offset aYi001	; "yi-001"
		dd 43Dh, 3Ch
		dd offset aMsMy		; "ms-MY"
		dd 43Eh, 3Dh
		dd offset aKkKz		; "kk-KZ"
		dd 43Fh, 3Eh
		dd offset aKyKg		; "ky-KG"
		dd 440h, 3Fh
		dd offset aSwKe		; "sw-KE"
		dd 441h, 40h
		dd offset aTkTm		; "tk-TM"
		dd 442h, 41h
		dd offset aUzLatnUz	; "uz-Latn-UZ"
		dd 443h, 1A9h
		dd offset aTtRu		; "tt-RU"
		dd 444h, 43h
		dd offset aBnIn		; "bn-IN"
		dd 445h, 44h
		dd offset aPaIn		; "pa-IN"
		dd 446h, 45h
		dd offset aGuIn		; "gu-IN"
		dd 447h, 46h
		dd offset aOrIn		; "or-IN"
		dd 448h, 47h
		dd offset aTaIn		; "ta-IN"
		dd 449h, 48h
		dd offset aTeIn		; "te-IN"
		dd 44Ah, 49h
		dd offset aKnIn		; "kn-IN"
		dd 44Bh, 4Ah
		dd offset aMlIn		; "ml-IN"
		dd 44Ch, 4Bh
		dd offset aAsIn		; "as-IN"
		dd 44Dh, 4Ch
		dd offset aMrIn		; "mr-IN"
		dd 44Eh, 4Dh
		dd offset aSaIn		; "sa-IN"
		dd 44Fh, 4Eh
		dd offset aMnMn		; "mn-MN"
		dd 450h, 1A0h
		dd offset aBoCn		; "bo-CN"
		dd 451h, 50h
		dd offset aCyGb		; "cy-GB"
		dd 452h, 51h
		dd offset aKmKh		; "km-KH"
		dd 453h, 52h
		dd offset aLoLa		; "lo-LA"
		dd 454h, 53h
		dd offset aMyMm		; "my-MM"
		dd 455h, 54h
		dd offset aGlEs		; "gl-ES"
		dd 456h, 55h
		dd offset aKokIn	; "kok-IN"
		dd 457h, 56h
		dd offset aMniIn	; "mni-IN"
		dd 458h, 57h
		dd offset aSdDevaIn	; "sd-Deva-IN"
		dd 459h, 58h
		dd offset aSyrSy	; "syr-SY"
		dd 45Ah, 59h
		dd offset aSiLk		; "si-LK"
		dd 45Bh, 5Ah
		dd offset aChrCherUs	; "chr-Cher-US"
		dd 45Ch, 1ADh
		dd offset aIuCansCa	; "iu-Cans-CA"
		dd 45Dh, 1A1h
		dd offset aAmEt		; "am-ET"
		dd 45Eh, 5Dh
		dd offset aTzmArabMa	; "tzm-Arab-MA"
		dd 45Fh, 5Eh
		dd offset aKsArab	; "ks-Arab"
		dd 460h, 5Fh
		dd offset aNeNp		; "ne-NP"
		dd 461h, 60h
		dd offset aFyNl		; "fy-NL"
		dd 462h, 61h
		dd offset aPsAf		; "ps-AF"
		dd 463h, 62h
		dd offset aFilPh	; "fil-PH"
		dd 464h, 63h
		dd offset aDvMv		; "dv-MV"
		align 8
		dd 64h
		dd offset aBinNg	; "bin-NG"
		dd 466h, 65h
		dd offset aFfLatnNg	; "ff-Latn-NG"
		align 10h
		dd 1B0h
		dd offset aHaLatnNg	; "ha-Latn-NG"
		dd 468h, 1B1h
		dd offset aIbbNg	; "ibb-NG"
		dd 469h, 68h
		dd offset aYoNg		; "yo-NG"
		dd 46Ah, 69h
		dd offset aQuzBo	; "quz-BO"
		dd 46Bh, 6Ah
		dd offset aNsoZa	; "nso-ZA"
		dd 46Ch, 6Bh
		dd offset aBaRu		; "ba-RU"
		dd 46Dh, 6Ch
		dd offset aLbLu		; "lb-LU"
		dd 46Eh, 6Dh
		dd offset aKlGl		; "kl-GL"
		dd 46Fh, 6Eh
		dd offset aIgNg		; "ig-NG"
		dd 470h, 6Fh
		dd offset aKrLatnNg	; "kr-Latn-NG"
		dd 471h, 70h
		dd offset aOmEt		; "om-ET"
		dd 472h, 71h
		dd offset aTiEt		; "ti-ET"
		dd 473h, 72h
		dd offset aGnPy		; "gn-PY"
		dd 474h, 73h
		dd offset aHawUs	; "haw-US"
		dd 475h, 74h
		dd offset aLa001	; "la-001"
		dd 476h, 75h
		dd offset aSoSo		; "so-SO"
		dd 477h, 76h
		dd offset aIiCn		; "ii-CN"
		dd 478h, 77h
		dd offset aPap029	; "pap-029"
		dd 479h, 78h
		dd offset aArnCl	; "arn-CL"
		dd 47Ah, 79h
		dd offset aMohCa	; "moh-CA"
		dd 47Ch, 7Ah
		dd offset aBrFr		; "br-FR"
		dd 47Eh, 7Bh
		dd offset aUgCn		; "ug-CN"
		dd 480h, 7Dh
		dd offset aMiNz		; "mi-NZ"
		dd 481h, 7Eh
		dd offset aOcFr		; "oc-FR"
		dd 482h, 7Fh
		dd offset aCoFr		; "co-FR"
		dd 483h, 80h
		dd offset aGswFr	; "gsw-FR"
		dd 484h, 81h
		dd offset aSahRu	; "sah-RU"
		dd 485h, 82h
		dd offset aQucLatnGt	; "quc-Latn-GT"
		dd 486h, 1B2h
		dd offset aRwRw		; "rw-RW"
		dd 487h, 84h
		dd offset aWoSn		; "wo-SN"
		dd 488h, 85h
		dd offset aPrsAf	; "prs-AF"
		dd 48Ch, 86h
		dd offset aGdGb		; "gd-GB"
		dd 491h, 87h
		dd offset aKuArabIq	; "ku-Arab-IQ"
		dd 492h, 1B3h
		dd offset aQpsPloc	; "qps-ploc"
		dd 501h, 8
		dd offset aQpsPloca	; "qps-ploca"
		dd 5FEh, 10h
		dd offset aArIq		; "ar-IQ"
		dd 801h, 0
		dd offset aCaEsValencia	; "ca-ES-valencia"
		dd 803h, 8Bh
		dd offset aZhCn		; "zh-CN"
		dd 804h, 3
		dd offset aDeCh		; "de-CH"
		dd 807h, 6
		dd offset aEnGb		; "en-GB"
		dd 809h, 8
		dd offset aEsMx		; "es-MX"
		dd 80Ah, 9
		dd offset aFrBe		; "fr-BE"
		dd 80Ch, 0Bh
		dd offset aItCh		; "it-CH"
		dd 810h, 0Fh
		dd offset aNlBe		; "nl-BE"
		dd 813h, 12h
		dd offset aNnNo		; "nn-NO"
		dd 814h, 19Bh
		dd offset aPtPt		; "pt-PT"
		dd 816h, 15h
		dd offset aRoMd		; "ro-MD"
		dd 818h, 17h
		dd offset aRuMd		; "ru-MD"
		dd 819h, 18h
		dd offset aSrLatnCs	; "sr-Latn-CS"
		dd 81Ah, 196h
		dd offset aSvFi		; "sv-FI"
		dd 81Dh, 1Ch
		dd offset aUrIn		; "ur-IN"
		dd 820h, 1Fh
		dd offset aAzCyrlAz	; "az-Cyrl-AZ"
		dd 82Ch, 198h
		dd offset aDsbDe	; "dsb-DE"
		dd 82Eh, 1A7h
		dd offset aTnBw		; "tn-BW"
		dd 832h, 31h
		dd offset aSeSe		; "se-SE"
		dd 83Bh, 3Ah
		dd offset aGaIe		; "ga-IE"
		dd 83Ch, 3Bh
		dd offset aMsBn		; "ms-BN"
		dd 83Eh, 3Dh
		dd offset aUzCyrlUz	; "uz-Cyrl-UZ"
		dd 843h, 19Fh
		dd offset aBnBd		; "bn-BD"
		dd 845h, 44h
		dd offset aPaArabPk	; "pa-Arab-PK"
		dd 846h, 1AAh
		dd offset aTaLk		; "ta-LK"
		dd 849h, 48h
		dd offset aMnMongCn	; "mn-Mong-CN"
		dd 850h, 1ABh
		dd offset aSdArabPk	; "sd-Arab-PK"
		dd 859h, 1ACh
		dd offset aIuLatnCa	; "iu-Latn-CA"
		dd 85Dh, 1AEh
		dd offset aTzmLatnDz	; "tzm-Latn-DZ"
		dd 85Fh, 1AFh
		dd offset aKsDevaIn	; "ks-Deva-IN"
		dd 860h, 5Fh
		dd offset aNeIn		; "ne-IN"
		dd 861h, 60h
		dd offset aFfLatnSn	; "ff-Latn-SN"
		dd 867h, 1B0h
		dd offset aQuzEc	; "quz-EC"
		dd 86Bh, 6Ah
		dd offset aTiEr		; "ti-ER"
		dd 873h, 72h
		dd offset aQpsLatnXSh	; "qps-Latn-x-sh"
		dd 901h, 8
		dd offset aQpsPlocm	; "qps-plocm"
		dd 9FFh, 0
		dd offset aArEg		; "ar-EG"
		dd 0C01h, 0
		dd offset aZhHk		; "zh-HK"
		dd 0C04h, 1A3h
		dd offset aDeAt		; "de-AT"
		dd 0C07h, 6
		dd offset aEnAu		; "en-AU"
		dd 0C09h, 8
		dd offset aEsEs		; "es-ES"
		dd 0C0Ah, 9
		dd offset aFrCa		; "fr-CA"
		dd 0C0Ch, 0Bh
		dd offset aSrCyrlCs	; "sr-Cyrl-CS"
		dd 0C1Ah, 195h
		dd offset aSeFi		; "se-FI"
		dd 0C3Bh, 3Ah
		dd offset aMnMongMn	; "mn-Mong-MN"
		dd 0C50h, 1ABh
		dd offset aDzBt		; "dz-BT"
		dd 0C51h, 7Ch
		dd offset aQuzPe	; "quz-PE"
		dd 0C6Bh, 6Ah
		dd offset aArLy		; "ar-LY"
		dd 1001h, 0
		dd offset aZhSg		; "zh-SG"
		dd 1004h, 3
		dd offset aDeLu		; "de-LU"
		dd 1007h, 6
		dd offset aEnCa		; "en-CA"
		dd 1009h, 8
		dd offset aEsGt		; "es-GT"
		dd 100Ah, 9
		dd offset aFrCh		; "fr-CH"
		dd 100Ch, 0Bh
		dd offset aHrBa		; "hr-BA"
		dd 101Ah, 19h
		dd offset aSmjNo	; "smj-NO"
		dd 103Bh, 1A8h
		dd offset aTzmTfngMa	; "tzm-Tfng-MA"
		dd 105Fh, 1A2h
		dd offset aArDz		; "ar-DZ"
		dd 1401h, 0
		dd offset aZhMo		; "zh-MO"
		dd 1404h, 1A3h
		dd offset aDeLi		; "de-LI"
		dd 1407h, 6
		dd offset aEnNz		; "en-NZ"
		dd 1409h, 8
		dd offset aEsCr		; "es-CR"
		dd 140Ah, 9
		dd offset aFrLu		; "fr-LU"
		dd 140Ch, 0Bh
		dd offset aBsLatnBa	; "bs-Latn-BA"
		dd 141Ah, 194h
		dd offset aSmjSe	; "smj-SE"
		dd 143Bh, 1A8h
		dd offset aArMa		; "ar-MA"
		dd 1801h, 0
		dd offset aEnIe		; "en-IE"
		dd 1809h, 8
		dd offset aEsPa		; "es-PA"
		dd 180Ah, 9
		dd offset aFrMc		; "fr-MC"
		dd 180Ch, 0Bh
		dd offset aSrLatnBa	; "sr-Latn-BA"
		dd 181Ah, 196h
		dd offset aSmaNo	; "sma-NO"
		dd 183Bh, 19Eh
		dd offset aArTn		; "ar-TN"
		dd 1C01h, 0
		dd offset aEnZa		; "en-ZA"
		dd 1C09h, 8
		dd offset aEsDo		; "es-DO"
		dd 1C0Ah, 9
		dd offset aFr029	; "fr-029"
		dd 1C0Ch, 0Bh
		dd offset aSrCyrlBa	; "sr-Cyrl-BA"
		dd 1C1Ah, 195h
		dd offset aSmaSe	; "sma-SE"
		dd 1C3Bh, 19Eh
		dd offset aArOm		; "ar-OM"
		dd 2001h, 0
		dd offset aEnJm		; "en-JM"
		dd 2009h, 8
		dd offset aEsVe		; "es-VE"
		dd 200Ah, 9
		dd offset aFrRe		; "fr-RE"
		dd 200Ch, 0Bh
		dd offset aBsCyrlBa	; "bs-Cyrl-BA"
		dd 201Ah, 193h
		dd offset aSmsFi	; "sms-FI"
		dd 203Bh, 199h
		dd offset aArYe		; "ar-YE"
		dd 2401h, 0
		dd offset aEn029	; "en-029"
		dd 2409h, 8
		dd offset aEsCo		; "es-CO"
		dd 240Ah, 9
		dd offset aFrCd		; "fr-CD"
		dd 240Ch, 0Bh
		dd offset aSrLatnRs	; "sr-Latn-RS"
		dd 241Ah, 196h
		dd offset aSmnFi	; "smn-FI"
		dd 243Bh, 197h
		dd offset aArSy		; "ar-SY"
		dd 2801h, 0
		dd offset aEnBz		; "en-BZ"
		dd 2809h, 8
		dd offset aEsPe		; "es-PE"
		dd 280Ah, 9
		dd offset aFrSn		; "fr-SN"
		dd 280Ch, 0Bh
		dd offset aSrCyrlRs	; "sr-Cyrl-RS"
		dd 281Ah, 195h
		dd offset aArJo		; "ar-JO"
		dd 2C01h, 0
		dd offset aEnTt		; "en-TT"
		dd 2C09h, 8
		dd offset aEsAr		; "es-AR"
		dd 2C0Ah, 9
		dd offset aFrCm		; "fr-CM"
		dd 2C0Ch, 0Bh
		dd offset aSrLatnMe	; "sr-Latn-ME"
		dd 2C1Ah, 196h
		dd offset aArLb		; "ar-LB"
		dd 3001h, 0
		dd offset aEnZw		; "en-ZW"
		dd 3009h, 8
		dd offset aEsEc		; "es-EC"
		dd 300Ah, 9
		dd offset aFrCi		; "fr-CI"
		dd 300Ch, 0Bh
		dd offset aSrCyrlMe	; "sr-Cyrl-ME"
		dd 301Ah, 195h
		dd offset aArKw		; "ar-KW"
		dd 3401h, 0
		dd offset aEnPh		; "en-PH"
		dd 3409h, 8
		dd offset aEsCl		; "es-CL"
		dd 340Ah, 9
		dd offset aFrMl		; "fr-ML"
		dd 340Ch, 0Bh
		dd offset aArAe		; "ar-AE"
		dd 3801h, 0
		dd offset aEnId		; "en-ID"
		dd 3809h, 8
		dd offset aEsUy		; "es-UY"
		dd 380Ah, 9
		dd offset aFrMa		; "fr-MA"
		dd 380Ch, 0Bh
		dd offset aArBh		; "ar-BH"
		dd 3C01h, 0
		dd offset aEnHk		; "en-HK"
		dd 3C09h, 8
		dd offset aEsPy		; "es-PY"
		dd 3C0Ah, 9
		dd offset aFrHt		; "fr-HT"
		dd 3C0Ch, 0Bh
		dd offset aArQa		; "ar-QA"
		dd 4001h, 0
		dd offset aEnIn		; "en-IN"
		dd 4009h, 8
		dd offset aEsBo		; "es-BO"
		dd 400Ah, 9
		dd offset aEnMy		; "en-MY"
		dd 4409h, 8
		dd offset aEsSv		; "es-SV"
		dd 440Ah, 9
		dd offset aEnSg		; "en-SG"
		dd 4809h, 8
		dd offset aEsHn		; "es-HN"
		dd 480Ah, 9
		dd offset aEnAe		; "en-AE"
		dd 4C09h, 8
		dd offset aEsNi		; "es-NI"
		dd 4C0Ah, 9
		dd offset aEsPr		; "es-PR"
		dd 500Ah, 9
		dd offset aEsUs		; "es-US"
		dd 540Ah, 9
		dd offset aEs419	; "es-419"
		dd 580Ah, 9
		dd offset aEsCu		; "es-CU"
		dd 5C0Ah, 9
		dd offset aBsCyrl	; "bs-Cyrl"
		dd 641Ah, 19Ch
		dd offset aBsLatn	; "bs-Latn"
		dd 681Ah, 19Ch
		dd offset aSrCyrl	; "sr-Cyrl"
		dd 6C1Ah, 1A5h
		dd offset aSrLatn	; "sr-Latn"
		dd 701Ah, 1A5h
		dd offset aSmn		; "smn"
		dd 703Bh, 3Ah
		dd offset aAzCyrl	; "az-Cyrl"
		dd 742Ch, 2Bh
		dd offset aSms		; "sms"
		dd 743Bh, 3Ah
		dd offset aZh		; "zh"
		dd 7804h, 7Ch
		dd offset aNn		; "nn"
		dd 7814h, 13h
		dd offset aBs		; "bs"
		dd 781Ah, 7Ch
		dd offset aAzLatn	; "az-Latn"
		dd 782Ch, 2Bh
		dd offset aSma		; "sma"
		dd 783Bh, 3Ah
		dd offset aUzCyrl	; "uz-Cyrl"
		dd 7843h, 42h
		dd offset aMnCyrl	; "mn-Cyrl"
		dd 7850h, 4Fh
		dd offset aIuCans	; "iu-Cans"
		dd 785Dh, 5Ch
		dd offset aTzmTfng	; "tzm-Tfng"
		dd 785Fh, 5Eh
		dd offset aZhHant	; "zh-Hant"
		dd 7C04h, 19Ah
		dd offset aNb		; "nb"
		dd 7C14h, 13h
		dd offset aSr		; "sr"
		dd 7C1Ah, 7Ch
		dd offset aTgCyrl	; "tg-Cyrl"
		dd 7C28h, 27h
		dd offset aDsb		; "dsb"
		dd 7C2Eh, 2Dh
		dd offset aSmj		; "smj"
		dd 7C3Bh, 3Ah
		dd offset aUzLatn	; "uz-Latn"
		dd 7C43h, 42h
		dd offset aPaArab	; "pa-Arab"
		dd 7C46h, 45h
		dd offset aMnMong	; "mn-Mong"
		dd 7C50h, 4Fh
		dd offset aSdArab	; "sd-Arab"
		dd 7C59h, 58h
		dd offset aChrCher	; "chr-Cher"
		dd 7C5Ch, 5Bh
		dd offset aIuLatn	; "iu-Latn"
		dd 7C5Dh, 5Ch
		dd offset aTzmLatn	; "tzm-Latn"
		dd 7C5Fh, 5Eh
		dd offset aFfLatn	; "ff-Latn"
		dd 7C67h, 66h
		db 0F4h	;  OFF32 SEGDEF [_text,4117F4]
; 
		pop	ss

loc_40370E:				; CODE XREF: .text:0040375Cj
		inc	ecx
		add	[eax+7Ch], ch
; 
		dd offset loc_66FFFE+2
		align 4
		dd offset aQucLatn	; "quc-Latn"
		dd 7C86h, 83h
		dd offset aKuArab	; "ku-Arab"
; 
		xchg	eax, edx
		jl	short $+2

loc_40372B:				; DATA XREF: .text:00404BF0o
					; BcpGetMaxResourceProfile(x,x)+22o ...
		add	[eax+4000000h],	cl
		add	[esi], al
		add	[ecx+esi], cl
		inc	ecx
		add	ds:66009EB1h, ch ; DATA	XREF: VmInitSystem(x)+10o
		mov	dl, 9Eh
		add	[ecx], cl
		mov	ah, 9Eh
		add	[ebx+esi*4], al
		sahf
		add	[ebx-4Dh], bh
		sahf
		add	dl, dl
		mov	dl, 9Eh
		add	dh, al
		lodsd
		sahf
		add	[ebp-4Dh], cl
		sahf
		add	[edx], bh
		mov	esp, [edi+0]
		jl	short loc_40370E
		sahf
		add	[edx+2500541Eh], ch
		lea	esp, [edi+0]
		int	3		; Trap to Debugger
		lea	esp, [edi+0]
		leave
		mov	bl, 9Eh
		add	[edi-65FF614Ch], cl
		push	ds
		push	esp
		add	[edx-4Ch], dl
		sahf
		add	al, bh
		mov	bl, 9Eh

loc_40377F:				; DATA XREF: IopInitializeIoRate()+3Bo
		add	[esi+ecx], ch
		push	ecx
		add	al, al

loc_403785:				; CODE XREF: .text:004037C4j
		adc	eax, 8EBC0043h
		push	eax
		add	[edx-14FFAFFBh], al
		or	esp, [ecx+0]
		adc	[ebx+0], bl
		inc	ebx
		add	[edi+0Bh], bl
		popa
		add	[edx-49h], ch
		dec	edi
		add	[ebx+740065F9h], ch
					; DATA XREF: PspInitializeBackgroundActivityModeratorCallouts()+3Bo
		sbb	edi, [ebp+0]
		into
		cdq
		pushf
		add	dl, ah
		pop	esp
		mov	eax, [eax]

_PspHwTraceHostInterface:		; DATA XREF: PspInitializeHwTraceCallouts()+3Bo
		fimul	word ptr [edi-6FE3FF64h]
		pushf
		add	dl, dh		; DATA XREF: PspInitializeMMCSSCallouts()+38o
		in	eax, dx
		add	gs:[esi-3Eh], dh
					; DATA XREF: PspInitializeOctagonExtensionHost()+32o
		pushf
		add	al, dl
		insb
		jp	short $+2
		jp	short near ptr loc_403785+4
		pushf
		add	[edi+23009CBFh], al ; DATA XREF: PspInitializeSecExtensionHost()+32o
		mov	ds, ds:_EtwpWriteProcessorTrace@16[eax+eax]
					; DATA XREF: EtwpInitializeProcessorTrace()+3Bo
					; EtwpWriteProcessorTrace(x,x,x,x)

_SeCiPrivateApis:			; DATA XREF: SepInitializeCodeIntegrity():loc_897440o
		or	cl, [esi+0]	; CmpCaptureKeyValueArray(x,x,x,x,x,x)
		jle	short $+2
; 
		dd 0
		dd offset _SepZwLockRegistryKey@4 ; SepZwLockRegistryKey(x)
		dd offset _PsQuerySectionSignatureInformation@8	; PsQuerySectionSignatureInformation(x,x)
		dd offset _SepSetRuntimeUpdatableSigningLevel@4	; SepSetRuntimeUpdatableSigningLevel(x)
		dd offset RtlValidProcessProtection
		dd offset MmGetImageFileSignatureInformation
		dd offset _SepGetSystemSigningLevel@0 ;	SepGetSystemSigningLevel()
		align 8
off_4037F8	dd offset _DEVPKEY_DriverDatabase_Version
					; DATA XREF: DrvDbGetDriverDatabaseMappedProperty:loc_8A85C1r
					; DrvDbGetDriverDatabaseMappedProperty+AFo ...
		dd 7
		dd offset aVersion	; "Version"
		align 10h
		dd offset _DEVPKEY_DriverDatabase_ProcessorArchitecture
		dd 5
		dd offset aArchitecture	; "Architecture"
		dd 4, 2	dup(0)
		dd offset _DEVPKEY_DriverDatabase_OemDriverInfFileMap
		dd 1003h
		dd offset aOeminfmap	; "OemInfMap"
		dd 3, 2	dup(0)
		dd offset _DEVPKEY_DriverDatabase_Updated
		dd 11h
		dd offset aUpdated	; "Updated"
		dd 4, 2	dup(0)
		dd offset _DEVPKEY_DriverDatabase_UnloadTimeout
		dd 7
		dd offset aUnloadtimeout ; "UnloadTimeout"
		align 10h
		dd offset _DEVPKEY_DriverDatabase_ConfigMode
		dd 7
		dd offset aConfigmode	; "ConfigMode"
		dd 4, 2	dup(0)
		dd offset _DEVPKEY_DriverDatabase_ConfigOptions
		dd 7
		dd offset aConfigoptions ; "ConfigOptions"
		align 10h
		dd offset _DEVPKEY_DriverDatabase_SchemaVersion
		dd 7
		dd offset aSchemaversion ; "SchemaVersion"
		dd 4, 2	dup(0)
		dd offset _DEVPKEY_DriverDatabase_LastUpdateDate
		dd 10h
		dd offset aUpdatedate	; "UpdateDate"
		dd 3, 2	dup(0)
		dd offset _DEVPKEY_DriverDatabase_SetupOptions
		dd 7
		dd offset aSetupoptions	; "SetupOptions"
		dd 4, 2	dup(0)
		dd offset _DEVPKEY_DriverDatabase_SetupStatus
		dd 18h
		dd offset aSetupstatus	; "SetupStatus"
		align 10h
		dd offset _DEVPKEY_DriverDatabase_SystemRoot
		dd 12h
		dd offset aSystemroot	; "SystemRoot"
		dd 1, 2	dup(0)
dword_403918	dd 760074h		; DATA XREF: SepLoadNgenLocations+58o
		dd offset aRegistryMachin ; "\\Registry\\MACHINE\\System\\CurrentControl"...
; 

_ExpUuidSequenceNumberRegName:		; DATA XREF: ExpUuidLoadSequenceNumber(x)+EAo
					; ExpUuidSaveSequenceNumber(x)+ECo
		and	al, 0
		add	es:[eax], dh
		xor	eax, [ecx+0]

loc_403928:				; DATA XREF: RtlpOpenBaseImageFileOptionsKeyEx(x,x,x)+30o
		mov	dh, 0
		mov	eax, 8B6A8400h
		add	[edx-57FF5C00h], ah ; DATA XREF: KitpOpenRegKey(x,x,x)+2Ao
		jge	short near ptr dword_403978
		add	[eax], cl	; DATA XREF: KitpReadUlongFromKey+34o
		add	[edx], cl
		add	[esi+edi*2+41h], cl
		add	[eax], bh	; DATA XREF: BiAcquireBcdSyncMutant+A1981o
					; BcdInitializeBcdSyncMutant+2Fo
		add	[edx], bh
		add	[eax+33h], bl
		inc	ecx
		add	[eax+eax+0], ch
; 
		dw 0
		dd 0Ah dup(0)
dword_403978	dd 3 dup(0)		; CODE XREF: .text:00403935j
		dd offset ___security_cookie
		dd offset ___safe_se_handler_table
		dd 53h
		dd offset ___guard_check_icall_fptr
		dd 3 dup(0)
		dd 100h, 14h dup(0)
___initiallocalestructinfo dd offset ___initiallocinfo ; DATA XREF: _strtol+12o
					; _strtolX+13o	...
		dd 0
; 

_CmpContainerSuffix:			; DATA XREF: CmpStartCLFSLog+754CCo
					; CmpAddRemoveRMLogContainer(x,x)+8Do
		sbb	[eax], al
		sbb	al, [eax]
		mov	ah, 0FEh
		inc	eax
; 
		db 0
; 

_VrpWcString:				; DATA XREF: VrpPreOpenOrCreate(x,x)+135o
					; VrpPreLoadKey(x,x)+21Co
		add	al, 0
		push	es
		add	[ebx+esi*4+40h], bh
; 
		db 0
; 

_VrpUserString:				; DATA XREF: VrpPreLoadKey(x,x)+3DAo
		or	[eax], al
		or	al, [eax]
		pop	esp
		mov	bl, 40h
		add	[esi], cl	; DATA XREF: VrpPreLoadKey(x,x)+3BCo
		add	[eax], dl
		add	[ebx+esi*4+40h], ch
		add	[edx], al	; DATA XREF: VrpPreLoadKey(x,x)+201o
		add	[eax+eax], al

loc_403A20:				; DATA XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+44o
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+381o ...
		push	40B3h
		add	[edx], al
		add	ah, al
		std
		inc	eax
		add	[eax], bl	; DATA XREF: VrpPreLoadKey(x,x):loc_953298o
		add	[edx], bl

loc_403A2F:				; DATA XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+74o
		add	[ebx+esi*4+220040h], al
		and	al, 0
		mov	al, ds:210040B3h
					; DATA XREF: NT_DISK::`scalar deleting destructor'(uint)+8o
					; IoReadPartitionTable(x,x,x,x)+3Do ...
		movsb
		xchg	eax, ebp
		add	[edx+590069B2h], dh
		movsb
		xchg	eax, ebp
		add	[esi+5Eh], bh
		test	[eax], al
		adc	dh, [edx-4E52FF97h]
		imul	eax, [eax+0], 69B574h ;	SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)
		mul	byte ptr [ebp+edx*4-6A5AA300h]
		add	[eax+eax], dl	; DATA XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+24Eo
		push	ss
		add	ah, cl
		add	dword ptr [ecx+0], 0C000Ah
					; DATA XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+187o
					; IoOpenDriverRegistryKey(x,x,x,x,x)+1E8o
; 
		dd offset aState	; "State"
_PlugPlayHandlerTable dd 0		; DATA XREF: NtPlugPlayControl+32r
		dd 0Ch,	2 dup(0)
		dd 1, 0Ch, 2 dup(0)
		dd 2, 0Ch, 2 dup(0)
		dd 3, 0Ch, 2 dup(0)
		dd 4, 0Ch
		dd offset _PiControlStartDevice@16 ; PiControlStartDevice(x,x,x,x)
		align 10h
		dd 5, 0Ch, 2 dup(0)
		dd 6, 18h
		dd offset _PiControlQueryAndRemoveDevice@16 ; PiControlQueryAndRemoveDevice(x,x,x,x)
		align 10h
		dd 7, 10h, 2 dup(0)
		dd 8, 10h, 0
		dd 1, 9, 18h, 0
		dd 1, 0Ah, 14h
		dd offset PiControlGetPropertyData
		dd 1, 0Bh, 20h,	2 dup(0)
		dd 0Ch,	14h
		dd offset PiControlGetRelatedDevice
		dd 1, 0Dh, 14h,	2 dup(0)
		dd 0Eh,	1Ch
		dd offset PiControlGetSetDeviceStatus
		dd 1, 0Fh, 0Ch
		dd offset PiControlGetDeviceDepth
		align 10h
		dd 10h,	14h
		dd offset _PiControlQueryDeviceRelations@16 ; PiControlQueryDeviceRelations(x,x,x,x)
		align 10h
		dd 11h,	10h, 0
		dd 1, 12h, 20h
		dd offset _PiControlQueryConflictList@16 ; PiControlQueryConflictList(x,x,x,x)
		align 10h
		dd 13h,	8, 0
		dd 1, 14h, 0Ch,	2 dup(0)
		dd 15h,	0Ch, 2 dup(0)
		dd 16h,	0Ch, 0
		dd 1, 17h, 10h
		dd offset PiControlGetDeviceInterfaceEnabled
		dd 1, 18h, 3 dup(0)
; 

_KiMsrFeatureTable:			; DATA XREF: PAGELK:007271C5o
		or	al, [ecx]
; 
		dw 0
		dd 10h
		dd offset _KiMsr_IA32_ARCH_CAPABILITIES
		align 10h
		dd 40h,	0
		dd 50000000h, 10h
		dd offset _KiMsr_VIRTUAL_ENUMERATION
		dd 0
		dd 10000000h, 0
; 

_AlpcMessageType:			; DATA XREF: .text:00403F54o
					; AlpcpAllocateMessage(x,x,x)+25o
		add	al, [eax]
; 
		dw 0
aAlms		db 'AlMs',0
		align 4
		dd 1
		dd offset _AlpcMessageTypeCounters
		dd offset AlpcMessageCleanupProcedure
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		dd offset AlpcMessageDestroyProcedure
		dd 1B0h
; 

_AlpcRegionType:			; DATA XREF: .text:00403F60o
					; AlpcpCreateRegion(x,x,x,x)+DFo
		add	eax, 41000000h
		insb
		push	edx
		add	gs:[eax], al
; 
		dw 0
		dd 0
		dd offset _AlpcRegionTypeCounters
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		dd offset _AlpcRegionDestroyProcedure@4	; AlpcRegionDestroyProcedure(x)
		align 8

_AlpcViewType:				; DATA XREF: .text:00403F64o
					; AlpcpCreateView(x,x,x)+C8o
		push	es
; 
		db 3 dup(0)
aAlvi		db 'AlVi',0
		align 4
		dd 0
		dd offset _AlpcViewTypeCounters
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		dd offset AlpcViewDestroyProcedure
		align 10h
_PopNotifyWork	dd offset _PopDispatchFullWake@4 ; DATA	XREF: PopPolicyWorkerNotify()+21r
					; PopDispatchFullWake(x)
dword_403CA4	dd 0			; DATA XREF: PopPolicyWorkerNotify()+2Cr
		dd offset _PopDispatchCallback@4 ; PopDispatchCallback(x)
		align 10h
		dd offset _PopDispatchAcDcCallback@4 ; PopDispatchAcDcCallback(x)
		align 8
		dd offset _PopDispatchCallout@4	; PopDispatchCallout(x)
		dd 2
		dd offset _PopDispatchShutdownEvent@4 ;	PopDispatchShutdownEvent(x)
		align 8
		dd offset PopDispatchPowerSettingCallbacks
		align 10h
		dd offset _PopSetSystemAwayMode@4 ; PopSetSystemAwayMode(x)
		align 8
		dd offset _PopDispatchNotifications@4 ;	PopDispatchNotifications(x)
		align 10h
		dd offset _PopPdcCallback@4 ; PopPdcCallback(x)
		align 8
_PpmCheckHeterogeneousPipelines	dd offset _PpmCheckPeriodicHeteroPipeline
					; DATA XREF: PpmCheckReInit()+135o
		dd offset _PpmCheckApplyDomainStatePipeline
		dd offset _PpmCheckForceDomainStatePipeline
		dd offset _PpmCheckAsyncLatencyHintPipeline
		dd offset _PpmCheckCoreParkingUpdatePipeline
		align 10h
_PpmCheckHomogeneousPipelines dd offset	_PpmCheckPeriodicPipeline
					; DATA XREF: PpmCheckReInit()+125o
		dd offset _PpmCheckApplyDomainStatePipeline
		dd offset _PpmCheckForceDomainStatePipeline
		dd offset _PpmCheckAsyncLatencyHintPipeline
		dd offset _PpmCheckCoreParkingUpdatePipeline
		align 8

_SepSamTypeNamePrefix:			; DATA XREF: SepAdtAuditObjectAccessWithContext+14A4D2o
		or	[eax], al
		or	al, [eax]
		inc	eax
		hlt
		inc	eax
; 
		db 0
; 

_TimeZoneCapability:			; DATA XREF: PAGE:007B3608o
					; PAGE:007B3668o
		adc	[eax], al
		adc	al, [eax]
		cmp	al, 0F7h
		inc	eax
; 
		db 0
; 

_ExpLeapSecondRegkeyValueLeapSeconds:	; DATA XREF: ExpReadLeapSecondData(x,x)+103o
					; ExpReadLeapSecondData(x,x)+137o
		push	ss
		add	[eax], bl
		add	[eax-9], dl
		inc	eax

loc_403D2F:				; DATA XREF: ExpReadLeapSecondData(x,x)+C1o
					; ExSetLeapSecondEnabled(x)+35o
		add	[esi], cl
		add	[eax], dl
		add	[eax-9], ch
		inc	eax
		add	al, dl
		adc	al, [ecx+0]
; 
dword_403D3C	dd 0			; DATA XREF: ExpCheckIRTimerAccess+2Dr
byte_403D40	db 1			; DATA XREF: ExCheckValidIRTimerId(x,x)+Cr
					; ExRecordOneTimerExpiry(x,x,x,x)+25r ...
		align 4
		dd offset aTestidentifier ; "TestIdentifier"
		dd 0
		dd 1
		dd offset aBrokerinfrastr ; "BrokerInfrastructure"
		dd offset dword_4115F0
		dd 1
		dd offset aTimebrokersvc ; "TimeBrokerSvc"
		dd offset dword_4115C0
		dd 1
		dd offset aLfsvc	; "LfSvc"
		dd offset dword_411708
		dd 9
		dd offset aWinlogon	; "WinLogon"
		dd 0
		dd 1
		dd offset aPower	; "Power"
		dd offset dword_4116E4
		dd 2
		dd offset aSensorservice ; "SensorService"
		dd offset dword_4116B4
		dd 1
		dd offset aNtospo	; "NtosPo"
		align 10h
		dd 6
		dd offset aAcpi		; "Acpi"
		dd 0
		dd 1
		dd offset aButton	; "Button"
		align 8
		dd 1
		dd offset aMsgpioclx	; "MsGpioClx"
		dd 0
		dd 2
		dd offset aButtonconverte ; "ButtonConverter"
		align 10h
		dd 1
		dd offset aMsgpiowin32	; "MsGpioWin32"
		dd 0
		dd 2
		dd offset aKnetpwrdepbrok ; "KNetPwrDepBroker"
		align 8
		dd 2
		dd offset aCmbatt	; "Cmbatt"
		db 0
byte_403DF1	db 3 dup(0)		; CODE XREF: .text:_Feature_PerfTestCen2__private_requiresFeaturesj
		dd 1, 240022h
off_403DFC	dd offset ??_C@_1CE@BGEMHEPM@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@
					; DATA XREF: _RegRtlOpenPredefinedKey+1Dr
; 
		sbb	al, 0
		push	ds
		add	[edx-62h], dl	; DATA XREF: _RegRtlOpenPredefinedKey+58r
		mov	eax, [eax]

_Feature_TestUx32__private_requiresFeatures:
		insb
		mov	cl, 6Ah
; 
		db 0
		align 10h

_Feature_Standalone_24_09_NonSec__private_requiresFeatures:
		dec	esp
		mov	al, 6Ah
; 
		db 0
		align 8

_Feature_Servicing_Dcr_23_12_NonSec__private_requiresFeatures:
		pushf
		mov	cl, 6Ah
; 
		db 0
		align 10h

_Feature_TestConfVar__private_requiresFeatures:	; DATA XREF: .text:006AB0C0o
		sbb	al, 0B0h
		push	0
		inc	esp
		scasd
		push	0
; 
		dd 0
; 

_Feature_Servicing_Dcr_23_10_NonSec__private_requiresFeatures: ; Trap to Debugger
		int	3
		mov	cl, 6Ah
; 
		db 0
		dd 0
; 

_Feature_ValConf__private_requiresFeatures:
		mov	[edi-50EBFF96h], gs
		push	0
; 
		dd 0
; 

_Feature_PerfTestCen2__private_requiresFeatures:
		jz	short near ptr byte_403DF1
		push	0
		mov	esp, 6AAFh
; 
		db 3 dup(0)
; 

_Feature_Servicing_Dcr_24_06_NonSec__private_requiresFeatures:
		mov	esp, 6AAFh
; 
		db 3 dup(0)
; 

_Feature_Servicing_Dcr_23_01_NonSec__private_requiresFeatures:
		sub	al, 0AFh
		push	0
; 
		dd 0
; 

_Feature_Servicing_Dcr_23_03_NonSec__private_requiresFeatures:
		xchg	eax, esp

loc_403E5D:				; CODE XREF: .text:_Feature_Servicing_Dcr_23_11_NonSec__private_requiresFeaturesj
		mov	al, 6Ah
; 
		db 0
		dd 0
; 

_Feature_Standalone_24_05_NonSec__private_requiresFeatures:
		aam	0AFh
		push	0
; 
		dd 0
; 

_Feature_Servicing_Dcr_23_02_NonSec__private_requiresFeatures:
		in	al, dx
		scasd
		push	0
; 
		dd 0
; 

_Feature_Servicing_Dcr_23_07_NonSec__private_requiresFeatures:
		test	[ecx+6Ah], dh
; 
		dw 0
; 

_Feature_Servicing_Dcr_23_05_NonSec__private_requiresFeatures:
		push	esp
		mov	cl, 6Ah
; 
		db 0
		dd 0
; 

_Feature_Standalone_24_06_NonSec__private_requiresFeatures:
		add	al, 0B0h
		push	0
; 
		dd 0
; 

_Feature_Standalone_24_10_NonSec__private_requiresFeatures:
		les	esi, [eax+6Ah]
; 
		dw 0
; 

_Feature_Standalone_24_07_NonSec__private_requiresFeatures: ; Interrupt	Controller #2, 8259A
		in	al, 0AEh
		push	0
; 
		dd 0
; 

_Feature_Servicing_Dcr_23_08_NonSec__private_requiresFeatures: ; DATA XREF: .text:006AB078o
		xor	al, 0B0h
		push	0
; 
		dd 0
; 

_Feature_Standalone_24_04_NonSec__private_requiresFeatures: ; DATA XREF: .text:006AAFE8o
		mov	ah, 0AEh
		push	0
; 
		dd 0
; 

_Feature_Servicing_Dcr_23_11_NonSec__private_requiresFeatures:
		jl	short near ptr loc_403E5D+1
		push	0
; 
		dd 0
; 

_Feature_Standalone_24_08_NonSec__private_requiresFeatures:
		adc	al, 0AFh
		push	0
; 
		dd 0
; 

_Feature_SettingsDel__private_requiresFeatures:	; DATA XREF: .text:006AB030o
		movsb
		scasd
		push	0
		les	esi, [eax+6Ah]
; 
		dw 0
; 

_Feature_Servicing_Dcr_23_06_NonSec__private_requiresFeatures:
		cmp	al, 0B1h
		push	0
; 
		dd 0
; 

_Feature_UxConfTest__private_requiresFeatures:
		hlt
		mov	al, 6Ah
		add	[eax+esi*4+6Ah], cl
; 
		db 0
		dd 0
; 

_Feature_Servicing_Dcr_24_03_NonSec__private_requiresFeatures:
		or	al, 0B1h
		push	0
; 
		dd 0
; 

_Feature_UxSettingTest__private_requiresFeatures:
		fdiv	qword ptr [eax-5103FF96h]
		push	0
; 
		dd 0
; 

_Feature_Servicing_Dcr_23_09_NonSec__private_requiresFeatures:
		db	64h
		mov	al, 6Ah
; 
		db 0
		align 8

_Feature_Servicing_Dcr_24_02_NonSec__private_requiresFeatures:
		and	al, 0B1h
		push	0
; 
		dd 0
; 

_Feature_Servicing_Dcr_23_04_NonSec__private_requiresFeatures:
		pop	esp
		scasd
		push	0
; 
		dd 0
; 

_Feature_Servicing_Dcr_24_01_NonSec__private_requiresFeatures: ; Interrupt Controller #2, 8259A
		in	al, 0B1h
		push	0
; 
		dd 0
_IrpHandlingTable dd offset aDevQuery	; DATA XREF: PiDaDispatch+4Cr
					; "\\Dev\\Query"
off_403F14	dd offset PiDqDispatch	; DATA XREF: PiDaDispatch+2Br
dword_403F18	dd 0			; DATA XREF: PiDaFastIoDispatch(x,x,x,x,x,x,x,x,x)+15r
		dd offset aDevNostate	; "\\Dev\\NoState"
		dd offset PiDqDispatch
		align 8
		dd offset aCmapi	; "\\CMApi"
		dd offset _PiCMDispatch@8 ; PiCMDispatch(x,x)
		dd offset _PiCMFastIoDeviceDispatch@36 ; PiCMFastIoDeviceDispatch(x,x,x,x,x,x,x,x,x)
		dd offset aSwdevice	; "\\SwDevice"
		dd offset PiSwDispatch
		dd 0
		dd offset aCmnotify	; "\\CMNotify"
		dd offset PiUEventDispatch
		dd 0
_AlpcpRegisteredTypes dd 0		; DATA XREF: AlpcpDereferenceBlobEx+29r
					; AlpcpDeleteBlob+3Br ...
		dd offset _AlpcConnectionType
		dd offset _AlpcMessageType
		dd offset _AlpcSecurityType
		dd offset _AlpcSectionType
		dd offset _AlpcRegionType
		dd offset _AlpcViewType
		dd offset _AlpcReserveType
		dd 0
		dd offset _AlpcHandleDataType
; void *PopSessionSpecificGuids
_PopSessionSpecificGuids dd offset _GUID_SESSION_DISPLAY_STATUS
					; DATA XREF: PopGetListHead(x)+21r
					; PopStateIsSessionSpecific(x)+Er
		dd offset _GUID_SESSION_USER_PRESENCE
; 

_PopWorkerTypes:			; DATA XREF: PopPolicyWorkerThread+7Dr
		mov	dh, 0FDh
		test	[eax], eax
		pop	eax
		mov	dh, 85h
		add	[eax+3C007969h], al
		push	ecx
		jns	short $+2
		pop	edx
		add	eax, [esi-65427200h]
		add	[ecx], ah
		sbb	ebx, [ebx-649E3400h]
; 
		db 0
_RtlDecompressBufferProcs dd 0		; DATA XREF: RtlDecompressBufferEx(x,x,x,x,x,x,x)+2Cr
					; RtlDecompressBufferEx2(x,x,x,x,x,x,x,x)+2Dr ...
		dd 0
		dd offset RtlDecompressBufferLZNT1
		dd offset RtlDecompressBufferXpressLz
		dd offset RtlDecompressBufferXpressHuff
_RtlWorkSpaceProcs dd 0			; DATA XREF: RtlGetCompressionWorkSpaceSize(x,x,x)+26r
		align 8
		dd offset RtlCompressWorkSpaceSizeLZNT1
		dd offset RtlCompressWorkSpaceSizeXpressLz
		dd offset _RtlCompressWorkSpaceSizeXpressHuff@12 ; RtlCompressWorkSpaceSizeXpressHuff(x,x,x)
_RtlCompressBufferProcs	dd 0		; DATA XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+86r
					; RtlCompressBuffer(x,x,x,x,x,x,x,x)+35r
		dd 0
		dd offset RtlCompressBufferLZNT1
		dd offset RtlCompressBufferXpressLz
		dd offset RtlCompressBufferXpressHuff
_Operators	dd offset aExists	; DATA XREF: LocalpGetStringForCondition+14Er
					; LocalpGetStringForCondition+204r ...
					; "Exists"
byte_403FDC	db 87h			; DATA XREF: GetOperatorIndexByToken(x):loc_7EC8C0r
					; LocalpGetStringForCondition:loc_90F551r ...
		align 10h
dword_403FE0	dd 14h			; DATA XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+28Ar
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+3BFr
byte_403FE4	db 1			; DATA XREF: LocalpGetStringForCondition+176r
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x):loc_9E2A0Br
byte_403FE5	db 1			; DATA XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+48Dr
byte_403FE6	db 0			; DATA XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+283r
byte_403FE7	db 1			; DATA XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+253r
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+2E6r ...
byte_403FE8	db 1			; DATA XREF: GetOperatorIndexByName(x):loc_9E249Ar
		align 4
		dd offset aNot_exists	; "Not_Exists"
		dd 8Dh,	14h, 1000101h, 1
		dd offset asc_40F44C	; "=="
		dd 80h,	0Fh, 1010000h, 0
		dd offset asc_40F474	; ">="
		dd 85h,	0Fh, 1010000h, 0
		dd offset asc_40F46C	; "!="
		dd 81h,	0Fh, 1010000h, 0
		dd offset asc_40F4CC	; "<="
		dd 83h,	0Fh, 1010000h, 0
		dd offset asc_40F4C4	; "&&"
		dd 0A0h, 0Ch, 100h, 0
		dd offset asc_40F4D8	; "||"
		dd 0A1h, 0Bh, 100h, 0
		dd offset asc_40F4D4	; "&"
		dd 0A3h, 0Ah, 1010000h,	0
		dd offset asc_40F490	; "<"
		dd 82h,	0Fh, 1010000h, 0
		dd offset asc_40F48C	; ">"
		dd 84h,	0Fh, 1010000h, 0
		dd offset aContains	; "Contains"
		dd 86h,	0Fh, 1010000h, 1
		dd offset aNot_contains	; "Not_Contains"
		dd 8Eh,	0Fh, 1010000h, 1
		dd offset aAny_of	; "Any_of"
		dd 88h,	0Fh, 1010000h, 1
		dd offset aNot_any_of	; "Not_Any_of"
		dd 8Fh,	0Fh, 1010000h, 1
		dd offset asc_40F5A4	; "!"
		dd 0A2h, 0Dh, 1000101h,	0
		dd offset aMember_of	; "Member_of"
		dd 89h,	0Fh, 1000101h, 1
		dd offset aNot_member_of ; "Not_Member_of"
		dd 90h,	0Fh, 1000101h, 1
		dd offset aDevice_membe_1 ; "Device_Member_of"
		dd 8Ah,	0Fh, 1000101h, 1
		dd offset aNot_device_m_1 ; "Not_Device_Member_of"
		dd 91h,	0Fh, 1000101h, 1
		dd offset aMember_of_any ; "Member_of_any"
		dd 8Bh,	0Fh, 1000101h, 1
		dd offset aNot_member_of_ ; "Not_Member_of_any"
		dd 92h,	0Fh, 1000101h, 1
		dd offset aDevice_member_ ; "Device_Member_of_any"
		dd 8Ch,	0Fh, 1000101h, 1
		dd offset aNot_device_mem ; "Not_Device_Member_of_any"
		dd 93h,	0Fh, 1000101h, 1
off_4041B8	dd offset _THREATINT_PROTECTVM_REMOTE ;	DATA XREF: EtwTiLogProtectExecVm+70r
		dd offset _THREATINT_PROTECTVM_LOCAL
		dd offset _THREATINT_PROTECTVM_REMOTE_KERNEL_CALLER
		dd offset _THREATINT_PROTECTVM_LOCAL_KERNEL_CALLER
off_4041C8	dd offset _THREATINT_MAPVIEW_REMOTE ; DATA XREF: EtwTiLogMapExecView+66r
		dd offset _THREATINT_MAPVIEW_LOCAL
		dd offset _THREATINT_MAPVIEW_REMOTE_KERNEL_CALLER
		dd offset _THREATINT_MAPVIEW_LOCAL_KERNEL_CALLER
off_4041D8	dd offset _THREATINT_ALLOCVM_REMOTE ; DATA XREF: EtwTiLogAllocExecVm+75r
		dd offset _THREATINT_ALLOCVM_LOCAL
		dd offset _THREATINT_ALLOCVM_REMOTE_KERNEL_CALLER
		dd offset _THREATINT_ALLOCVM_LOCAL_KERNEL_CALLER
off_4041E8	dd offset aCapabilityalwa ; DATA XREF: SdbpIsSdbCapabilityPresent(x,x,x)+1Ar
					; "CapabilityAlwaysExists"
		dd offset aTag_matching_s ; "Tag_MATCHING_SDB_CAPABILITY_Supported"
		dd offset aTag_match_logi ; "Tag_MATCH_LOGIC_NOT_IF_SDB_CAPABILITY_E"...
		dd offset aTag_matching_c ; "Tag_MATCHING_COMMAND_LINE_Supported"
; 

_Feature_CompatBuildInVb__private_requiresFeatures: ; DATA XREF: .text:006AB540o
		lodsb
		mov	al, 6Ah
; 
		db 0
		align 10h
dword_404200	dd 5			; DATA XREF: AslpFileMakeStringVersionAttributes(x,x)+EDr
off_404204	dd offset ??_C@_1BO@OKEPMKJE@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@NNGAKEGL@
					; DATA XREF: AslpFileMakeStringVersionAttributes(x,x):loc_A25E44r
		dd 6
		dd offset ??_C@_1CA@JGBAIPOO@?$AAF?$AAi?$AAl?$AAe?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		dd 7
		dd offset ??_C@_1BI@KBKGFMKH@?$AAC?$AAo?$AAm?$AAp?$AAa?$AAn?$AAy?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@
		dd 8
		dd offset ??_C@_1BI@CJGIOPAN@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@
		dd 9
		dd offset ??_C@_1BI@HCCAONKE@?$AAF?$AAi?$AAl?$AAe?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@NNGAKEGL@
		dd 0Ah
		dd offset ??_C@_1CC@CHBCEHAO@?$AAO?$AAr?$AAi?$AAg?$AAi?$AAn?$AAa?$AAl?$AAF?$AAi?$AAl?$AAe?$AAn?$AAa?$AAm@NNGAKEGL@
		dd 0Bh
		dd offset ??_C@_1BK@OCJLMIBB@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAn?$AAa?$AAl?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@
		dd 0Ch
		dd offset loc_8C5A5B+1
off_404240	dd offset aProperties	; DATA XREF: DrvDbGetObjectSubKeyCallback(x,x,x,x):loc_A39166r
					; "Properties"
dword_404244	dd 0			; DATA XREF: DrvDbAcquireDatabaseNodeBaseKey+AAr
					; DrvDbAcquireDatabaseNodeBaseKey+F8r
		dd offset aNodes	; "Nodes"
		dd offset aDriverpackages ; "DriverPackages"
		dd offset aDriverinffiles ; "DriverInfFiles"
		dd offset aDriverfiles	; "DriverFiles"
		dd offset aDeviceids	; "DeviceIds"
		align 10h
_ControlLookup	dd offset aP		; DATA XREF: LocalGetStringForControl+BEr
					; "P"
dword_404264	dd 1			; DATA XREF: LocalGetStringForControl+42r
					; LocalGetStringForControl+E4r	...
dword_404268	dd 1000h		; DATA XREF: LocalGetStringForControl+5Dr
					; LocalGetSDControlForString+7Ar
dword_40426C	dd 1			; DATA XREF: LocalGetStringForControl:loc_7EB462r
		dd offset aAr		; "AR"
		dd 2, 100h, 1
		dd offset aAi		; "AI"
		dd 2, 400h, 1
		dd offset aP		; "P"
		dd 1, 2000h, 2
		dd offset aAr		; "AR"
		dd 2, 200h, 2
		dd offset aAi		; "AI"
		dd 2, 800h, 2
_PiDmListDefs	dd 4			; DATA XREF: PiDmGetObjectConstraintList(x,x,x,x,x,x,x)+36r
					; PiDmListInitEnumCallback+AFr
dword_4042C4	dd 1Ch			; DATA XREF: PiDmListEnumObjectsWithCallback+20r
					; PiDmListAddObjectWorker(x,x,x,x,x)+1Br ...
dword_4042C8	dd 3			; DATA XREF: PiDmGetCmObjectConstraintListFromCache+17r
					; PiDmListInit(x)+20r
dword_4042CC	dd 30h			; DATA XREF: PiDmListEnumObjectsWithCallback+75r
					; PiDmListAddObjectWorker(x,x,x,x,x)+12r ...
off_4042D0	dd offset _DEVPKEY_DeviceInterface_ClassGuid
					; DATA XREF: PiDmListInitEnumCallback+62r
		dd 1, 34h, 3, 28h
		dd offset _DEVPKEY_Device_InstanceId
		dd 5, 28h, 3, 20h
		dd offset _DEVPKEY_Device_ContainerId
		dd 6, 28h, 3, 38h
		dd offset _DEVPKEY_Device_PanelId
		dd 5, 1Ch, 1, 1Ch
		dd offset _DEVPKEY_Device_ContainerId
		dd 2, 1Ch, 1, 24h
		dd offset _DEVPKEY_Device_ClassGuid
		dd 6, 1Ch, 1, 2Ch
		dd offset _DEVPKEY_Device_PanelId
		align 10h
_KdComponentTable dd offset _Kd_SYSTEM_Mask ; DATA XREF: NtQueryDebugFilterState(x,x)+27r
					; NtSetDebugFilterState+38r ...
		dd offset _Kd_SMSS_Mask
		dd offset _Kd_SETUP_Mask
		dd offset _Kd_NTFS_Mask
		dd offset _Kd_FSTUB_Mask
		dd offset _Kd_CRASHDUMP_Mask
		dd offset _Kd_CDAUDIO_Mask
		dd offset _Kd_CDROM_Mask
		dd offset _Kd_CLASSPNP_Mask
		dd offset _Kd_DISK_Mask
		dd offset _Kd_REDBOOK_Mask
		dd offset _Kd_STORPROP_Mask
		dd offset _Kd_SCSIPORT_Mask
		dd offset _Kd_SCSIMINIPORT_Mask
		dd offset _Kd_CONFIG_Mask
		dd offset _Kd_I8042PRT_Mask
		dd offset _Kd_SERMOUSE_Mask
		dd offset _Kd_LSERMOUS_Mask
		dd offset _Kd_KBDHID_Mask
		dd offset _Kd_MOUHID_Mask
		dd offset _Kd_KBDCLASS_Mask
		dd offset _Kd_MOUCLASS_Mask
		dd offset _Kd_TWOTRACK_Mask
		dd offset _Kd_WMILIB_Mask
		dd offset _Kd_ACPI_Mask
		dd offset _Kd_AMLI_Mask
		dd offset _Kd_HALIA64_Mask
		dd offset _Kd_VIDEO_Mask
		dd offset _Kd_SVCHOST_Mask
		dd offset _Kd_VIDEOPRT_Mask
		dd offset _Kd_TCPIP_Mask
		dd offset _Kd_DMSYNTH_Mask
		dd offset _Kd_NTOSPNP_Mask
		dd offset _Kd_FASTFAT_Mask
		dd offset _Kd_SAMSS_Mask
		dd offset _Kd_PNPMGR_Mask
		dd offset _Kd_NETAPI_Mask
		dd offset _Kd_SCSERVER_Mask
		dd offset _Kd_SCCLIENT_Mask
		dd offset _Kd_SERIAL_Mask
		dd offset _Kd_SERENUM_Mask
		dd offset _Kd_UHCD_Mask
		dd offset _Kd_RPCPROXY_Mask
		dd offset _Kd_AUTOCHK_Mask
		dd offset _Kd_DCOMSS_Mask
		dd offset _Kd_UNIMODEM_Mask
		dd offset _Kd_SIS_Mask
		dd offset _Kd_FLTMGR_Mask
		dd offset _Kd_WMICORE_Mask
		dd offset _Kd_BURNENG_Mask
		dd offset _Kd_IMAPI_Mask
		dd offset _Kd_SXS_Mask
		dd offset _Kd_FUSION_Mask
		dd offset _Kd_IDLETASK_Mask
		dd offset _Kd_SOFTPCI_Mask
		dd offset _Kd_TAPE_Mask
		dd offset _Kd_MCHGR_Mask
		dd offset _Kd_IDEP_Mask
		dd offset _Kd_PCIIDE_Mask
		dd offset _Kd_FLOPPY_Mask
		dd offset _Kd_FDC_Mask
		dd offset _Kd_TERMSRV_Mask
		dd offset _Kd_W32TIME_Mask
		dd offset _Kd_PREFETCHER_Mask
		dd offset _Kd_RSFILTER_Mask
		dd offset _Kd_FCPORT_Mask
		dd offset _Kd_PCI_Mask
		dd offset _Kd_DMIO_Mask
		dd offset _Kd_DMCONFIG_Mask
		dd offset _Kd_DMADMIN_Mask
		dd offset _Kd_WSOCKTRANSPORT_Mask
		dd offset _Kd_VSS_Mask
		dd offset _Kd_PNPMEM_Mask
		dd offset _Kd_PROCESSOR_Mask
		dd offset _Kd_DMSERVER_Mask
		dd offset _Kd_SR_Mask
		dd offset _Kd_INFINIBAND_Mask
		dd offset _Kd_IHVDRIVER_Mask
		dd offset _Kd_IHVVIDEO_Mask
		dd offset _Kd_IHVAUDIO_Mask
		dd offset _Kd_IHVNETWORK_Mask
		dd offset _Kd_IHVSTREAMING_Mask
		dd offset _Kd_IHVBUS_Mask
		dd offset _Kd_HPS_Mask
		dd offset _Kd_RTLTHREADPOOL_Mask
		dd offset _Kd_LDR_Mask
		dd offset _Kd_TCPIP6_Mask
		dd offset _Kd_ISAPNP_Mask
		dd offset _Kd_SHPC_Mask
		dd offset _Kd_STORPORT_Mask
		dd offset _Kd_STORMINIPORT_Mask
		dd offset _Kd_PRINTSPOOLER_Mask
		dd offset _Kd_VSSDYNDISK_Mask
		dd offset _Kd_VERIFIER_Mask
		dd offset _Kd_VDS_Mask
		dd offset _Kd_VDSBAS_Mask
		dd offset _Kd_VDSDYN_Mask
		dd offset _Kd_VDSDYNDR_Mask
		dd offset _Kd_VDSLDR_Mask
		dd offset _Kd_VDSUTIL_Mask
		dd offset _Kd_DFRGIFC_Mask
off_4044E4	dd offset _Kd_DEFAULT_Mask ; DATA XREF:	NtSetDebugFilterState+65235r
		dd offset _Kd_MM_Mask
		dd offset _Kd_DFSC_Mask
		dd offset _Kd_WOW64_Mask
		dd offset _Kd_ALPC_Mask
		dd offset _Kd_WDI_Mask
		dd offset _Kd_PERFLIB_Mask
		dd offset _Kd_KTM_Mask
		dd offset _Kd_IOSTRESS_Mask
		dd offset _Kd_HEAP_Mask
		dd offset _Kd_WHEA_Mask
		dd offset _Kd_USERGDI_Mask
		dd offset _Kd_MMCSS_Mask
		dd offset _Kd_TPM_Mask
		dd offset _Kd_THREADORDER_Mask
		dd offset _Kd_ENVIRON_Mask
		dd offset _Kd_EMS_Mask
		dd offset _Kd_WDT_Mask
		dd offset _Kd_FVEVOL_Mask
		dd offset _Kd_NDIS_Mask
		dd offset _Kd_NVCTRACE_Mask
		dd offset _Kd_LUAFV_Mask
		dd offset _Kd_APPCOMPAT_Mask
		dd offset _Kd_USBSTOR_Mask
		dd offset _Kd_SBP2PORT_Mask
		dd offset _Kd_COVERAGE_Mask
		dd offset _Kd_CACHEMGR_Mask
		dd offset _Kd_MOUNTMGR_Mask
		dd offset _Kd_CFR_Mask
		dd offset _Kd_TXF_Mask
		dd offset _Kd_KSECDD_Mask
		dd offset _Kd_FLTREGRESS_Mask
		dd offset _Kd_MPIO_Mask
		dd offset _Kd_MSDSM_Mask
		dd offset _Kd_UDFS_Mask
		dd offset _Kd_PSHED_Mask
		dd offset _Kd_STORVSP_Mask
		dd offset _Kd_LSASS_Mask
		dd offset _Kd_SSPICLI_Mask
		dd offset _Kd_CNG_Mask
		dd offset _Kd_EXFAT_Mask
		dd offset _Kd_FILETRACE_Mask
		dd offset _Kd_XSAVE_Mask
		dd offset _Kd_SE_Mask
		dd offset _Kd_DRIVEEXTENDER_Mask
		dd offset _Kd_POWER_Mask
		dd offset _Kd_CRASHDUMPXHCI_Mask
		dd offset _Kd_GPIO_Mask
		dd offset _Kd_REFS_Mask
		dd offset _Kd_WER_Mask
		dd offset _Kd_CAPIMG_Mask
		dd offset _Kd_VPCI_Mask
		dd offset _Kd_STORAGECLASSMEMORY_Mask
		dd offset _Kd_FSLIB_Mask
		dd offset _Kd_ENDOFTABLE_Mask
		dd offset _DEVPKEY_Device_CompoundUpperFilters
dword_4045C4	dd 1			; DATA XREF: PiPnpRtlServiceFilterCallback:loc_846DFAo
		dd offset _DEVPKEY_Device_CompoundLowerFilters
		dd 1
		dd offset _DEVPKEY_DeviceClass_CompoundUpperFilters
		dd 2
		dd offset _DEVPKEY_DeviceClass_CompoundLowerFilters
		dd 2
dword_4045E0	dd 7008h		; DATA XREF: SdbpInitializeMatchers(x):loc_84F7F2r
off_4045E4	dd offset _SdbpCheckMatchingFiles@28
					; DATA XREF: SdbpInitializeMatchers(x)+11r
					; SdbpCheckMatchingFiles(x,x,x,x,x,x,x)
dword_4045E8	dd 0			; DATA XREF: SdbpInitializeMatchers(x)+1Cr
dword_4045EC	dd 0			; DATA XREF: SdbpInitializeMatchers(x)+25r
		dd 7032h
		dd offset _SdbpCheckMatchingRegistry@28	; SdbpCheckMatchingRegistry(x,x,x,x,x,x,x)
		align 10h
		dd 7033h
		dd offset _SdbpCheckMatchingText@28 ; SdbpCheckMatchingText(x,x,x,x,x,x,x)
		align 10h
		dd 701Eh
		dd offset _SdbpCheckMatchingDevice@28 ;	SdbpCheckMatchingDevice(x,x,x,x,x,x,x)
		align 10h
		dd 7037h
		dd offset _SdbpMatchOne@28 ; SdbpMatchOne(x,x,x,x,x,x,x)
		align 10h
		dd 4021h
		dd offset _SdbpCheckRuntimePlatform@28 ; SdbpCheckRuntimePlatform(x,x,x,x,x,x,x)
		align 10h
		dd 4013h
		dd offset _SdbpCheckOSKind@28 ;	SdbpCheckOSKind(x,x,x,x,x,x,x)
		align 10h
		dd 7036h
		dd offset _SdbpCheckPackageAttributes@28 ; SdbpCheckPackageAttributes(x,x,x,x,x,x,x)
		align 10h
		dd 7056h
		dd offset _SdbpCheckPackageAttributes@28 ; SdbpCheckPackageAttributes(x,x,x,x,x,x,x)
		align 10h
		dd 7059h
		dd offset _SdbpCheckPackageAttributes@28 ; SdbpCheckPackageAttributes(x,x,x,x,x,x,x)
		align 10h
		dd 7047h
		dd offset _SdbpCheckMatchingWildcardFiles@28 ; SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)
		align 10h
		dd 7048h
		dd offset _SdbpCheckMatchingWildcardRegistry@28	; SdbpCheckMatchingWildcardRegistry(x,x,x,x,x,x,x)
		align 10h
		dd 7049h
		dd offset _SdbpCheckMatchingDir@28 ; SdbpCheckMatchingDir(x,x,x,x,x,x,x)
		align 10h
		dd 704Ah
		dd offset _SdbpCheckSdbCapability@28 ; SdbpCheckSdbCapability(x,x,x,x,x,x,x)
		align 10h
		dd 7060h
		dd offset _SdbpCheckBackupApplicationAttributes@28 ; SdbpCheckBackupApplicationAttributes(x,x,x,x,x,x,x)
		align 10h
		dd 7058h
		dd offset _SdbpCheckBackupApplicationAttributes@28 ; SdbpCheckBackupApplicationAttributes(x,x,x,x,x,x,x)
		align 10h
		dd 7054h
		dd offset _SdbpCheckMatchingFiles@28 ; SdbpCheckMatchingFiles(x,x,x,x,x,x,x)
		align 10h
		dd 705Bh, 3 dup(0)
		dd 705Ch, 3 dup(0)
		dd 705Eh, 3 dup(0)
		dd 705Fh, 3 dup(0)
		dd 9014h, 3 dup(0)
		dd 704Bh, 2 dup(0)
		dd 1, 0
off_404754	dd offset _DEVPKEY_DeviceInterface_Enabled
					; DATA XREF: IopProcessSetInterfaceState+310r
_PiPnpRtlDeviceReadOnlyProps dd	offset _DEVPKEY_Device_BaseContainerId
					; DATA XREF: PiPnpRtlSetObjectProperty:loc_865B81r
		dd offset loc_4058A5+3
		dd offset _DEVPKEY_Device_LocationPaths
		dd offset _DEVPKEY_Device_LastKnownParent ; "&cڃ@S?W;)\n"
		dd offset _DEVPKEY_Device_Capabilities
		dd offset _DEVPKEY_Device_UINumber
		dd offset _DEVPKEY_Device_Address
		dd offset _DEVPKEY_Device_Reported
		dd offset _DEVPKEY_Device_LastArrivalDate ; "&cڃ@S?W;)f"
		dd offset _DEVPKEY_Device_LastRemovalDate ; "&cڃ@S?W;)g"
		dd offset _DEVPKEY_Device_ExtendedAddress
		dd offset _DEVPKEY_Device_DmaRemappingPolicy
		dd offset _DEVPKEY_Device_AssignedToGuest
_PiPnpRtlContainerReadOnlyProps	dd offset _DEVPKEY_DeviceContainer_BatteryLevel
					; DATA XREF: PiPnpRtlSetObjectProperty:loc_865CBFr
		dd offset _DEVPKEY_DeviceContainer_BatteryLow
_IndexToActionName dd offset aCriticalBatter
					; DATA XREF: PopDiagTraceBatteryTriggerFlags+32r
					; PopDiagTraceBatteryAlarmStatus(x,x,x)+2Er
					; "Critical Battery Index"
		dd offset aLowBatteryInde ; "Low Battery Index"
		dd offset word_41129A
		dd offset word_41129A
		align 8
dword_4047A8	dd 0			; DATA XREF: _PnpRaiseNtPlugPlayDevicePropertyChangeEvent+1Dr
		dd offset _DEVPKEY_Device_IsPresent
		dd offset _DEVPKEY_Device_PDOName
		dd offset _DEVPKEY_Device_BusTypeGuid
		dd offset _DEVPKEY_Device_LegacyBusType
		dd offset _DEVPKEY_Device_BusNumber
		dd offset _DEVPKEY_Device_Address
		dd offset _DEVPKEY_Device_PowerData
		dd offset _DEVPKEY_Device_RemovalPolicy
		dd offset _DEVPKEY_Device_RemovalPolicyDefault
		dd offset _DEVPKEY_Device_InstallState
		dd offset _DEVPKEY_Device_DevNodeStatus
		dd offset _DEVPKEY_Device_ProblemCode
		dd offset _DEVPKEY_Device_ProblemStatus
		dd offset _DEVPKEY_Device_Parent
		dd offset _DEVPKEY_Device_Children
		dd offset _DEVPKEY_Device_Siblings
		dd offset _DEVPKEY_Device_EjectionRelations
		dd offset _DEVPKEY_Device_RemovalRelations
		dd offset _DEVPKEY_Device_PowerRelations
		dd offset _DEVPKEY_Device_BusRelations
		dd offset _DEVPKEY_Device_TransportRelations
		dd offset _DEVPKEY_Device_ReportedDeviceIdsHash	; "~\vT@Ej\vL\b"
		dd offset _DEVPKEY_Device_Stack
		dd offset loc_410083+5
		dd offset _DEVPKEY_Device_DependencyDependents
		dd offset _DEVPKEY_Device_DevNodeStatusStarted
		dd offset _DEVPKEY_Device_DevNodeStatusHasProblem
		dd offset _DEVPKEY_Device_DevNodeStatusPrivateProblem
		dd offset _DEVPKEY_Device_DevNodeStatusDeviceDisconnected
		dd offset loc_4110EC+4
		align 8
off_404828	dd offset aSystemmanufact ; DATA XREF: PipInitComputerIds:loc_ABA773r
					; "SystemManufacturer"
		dd offset aSystemfamily	; "SystemFamily"
		dd offset aSystemproductn ; "SystemProductName"
		dd offset aSystemsku	; "SystemSKU"
		dd offset aBiosvendor	; "BIOSVendor"
		dd offset aBiosversion	; "BIOSVersion"
		dd offset aBaseboardmanuf ; "BaseBoardManufacturer"
		dd offset aBaseboardprodu ; "BaseBoardProduct"
		dd offset aBiosreleasedat ; "BIOSReleaseDate"
		dd offset aSystemversion ; "SystemVersion"
off_404850	dd offset _DEVPKEY_Device_RebootRequiredReason
					; DATA XREF: PnpClearDeviceTemporaryProperties(x,x)+19r
		dd offset _DEVPKEY_Device_BiosDeviceName
dword_404858	dd 13h			; DATA XREF: PpForEachDeviceInstanceDriver+1FCr
					; PpForEachDeviceInstanceDriver+6D2BCr	...
off_40485C	dd offset _DEVPKEY_DeviceClass_CompoundLowerFilters
					; DATA XREF: PpForEachDeviceInstanceDriver+10Dr
					; PpForEachDeviceInstanceDriver+6D2FFr
byte_404860	db 1			; DATA XREF: PpForEachDeviceInstanceDriver:loc_8759D0r
					; PpForEachDeviceInstanceDriver+6D2F8r
		align 4
		dd 13h
		dd offset _DEVPKEY_Device_CompoundLowerFilters
		dd 0
		dd 5, 2	dup(0)
		dd 12h
		dd offset _DEVPKEY_Device_CompoundUpperFilters
		align 8
		dd 12h
		dd offset _DEVPKEY_DeviceClass_CompoundUpperFilters
		dd 1
_PiDrvDbNodeDescriptors	dd offset aSystem ; DATA XREF: PiDrvDbInit(x)+69r
					; "SYSTEM"
dword_404898	dd 3			; DATA XREF: PiDrvDbInit(x):loc_88A680r
		dd offset aDrivers	; "DRIVERS"
		dd 4
; void *GUIDS_BATTERY_DISCHARGE_FLAGS
_GUIDS_BATTERY_DISCHARGE_FLAGS dd offset _GUID_BATTERY_DISCHARGE_FLAGS_0
					; DATA XREF: PopBatteryUpdateAlarms+CBr
					; PopInitializePowerSettingCallbacks()+57r
		dd offset _GUID_BATTERY_DISCHARGE_FLAGS_1
		dd offset _GUID_BATTERY_DISCHARGE_FLAGS_2
		dd offset _GUID_BATTERY_DISCHARGE_FLAGS_3
; void *GUIDS_BATTERY_DISCHARGE_LEVEL
_GUIDS_BATTERY_DISCHARGE_LEVEL dd offset _GUID_BATTERY_DISCHARGE_LEVEL_0
					; DATA XREF: PopBatteryUpdateAlarms+9Fr
					; PopInitializePowerSettingCallbacks()+47r
		dd offset locret_418A72+2
		dd offset _GUID_BATTERY_DISCHARGE_LEVEL_2
		dd offset _GUID_BATTERY_DISCHARGE_LEVEL_3
; void *GUIDS_BATTERY_DISCHARGE_ACTION
_GUIDS_BATTERY_DISCHARGE_ACTION	dd offset _GUID_BATTERY_DISCHARGE_ACTION_0
					; DATA XREF: PopBatteryUpdateAlarms+75r
					; PopInitializePowerSettingCallbacks()+37r
		dd offset _GUID_BATTERY_DISCHARGE_ACTION_1
		dd offset loc_418A4F+5
		dd offset loc_4189E3+1
; 

_PpmCheckCoreParkingUpdatePipeline:	; DATA XREF: .text:00403CF8o
					; .text:00403D10o
		mov	ds:50005643h, al
		repne dec eax
		add	dh, al
		out	48h, eax
		add	dl, ch
		out	48h, eax
		add	[eax+3A0048E8h], bh
		call	near ptr 69104936h
		dec	eax
		add	[ecx+ebx*8], ah
		push	edi
		add	[edx-19h], al
		dec	eax
; 
		db 0
		dd 0
; 

_PpmCheckAsyncLatencyHintPipeline:	; DATA XREF: .text:00403CF4o
					; .text:00403D0Co
		mov	ds:50005643h, al
		repne dec eax
		add	dh, al
		out	48h, eax
		add	dl, ch
		out	48h, eax
		add	[eax+3A0048E8h], bh
		call	near ptr 0E94E495Eh
		dec	eax
		add	[edi+esi*8+48h], dh
		add	[eax+ebp*8+48h], bl
		add	al, cl
		call	near ptr 21EC496Eh
		push	esi
		add	[eax+57h], ah
		push	esi
		add	[edx-19h], al
		dec	eax
; 
		db 0
		dd 0
; 

_PpmCheckApplyDomainStatePipeline:	; DATA XREF: .text:00403CECo
					; .text:00403D04o
		mov	ds:5C005643h, al
		call	near ptr 0E9084986h
		dec	eax
		add	[ecx+57600056h], ch
		push	esi
		add	[edx-19h], al
		dec	eax
; 
		db 0
		align 10h

_PpmCheckForceDomainStatePipeline:	; DATA XREF: .text:00403CF0o
					; .text:00403D08o
		mov	ds:80005643h, al
		dec	esi
		push	esi
		add	[eax+ebp*8+48h], bl
		add	al, cl
		call	near ptr 21EC49AAh
		push	esi
		add	[eax+57h], ah
		push	esi
		add	[edx-19h], al
		dec	eax
; 
		db 0
		align 10h

_PpmCheckPeriodicPipeline:		; DATA XREF: .text:_PpmCheckHomogeneousPipelineso
		sahf
		pop	ebp
		dec	eax
		add	[eax], dh
		xchg	eax, esi
		dec	eax
		add	al, al
		pop	ebp
		dec	eax
		add	[eax], dh
		loopne	loc_4049C7
		add	[eax-17h], ah
		dec	eax
		add	[esi], dh
		repne dec eax
		add	[eax-0Eh], dl
		dec	eax
		add	[edx-0D6FFFB8h], ah
		dec	eax
		add	[esi], cl
		jmp	near ptr 0F7B449E2h
; 
		dw 48h
		dd offset PpmPerfApplyDomainStates
		dd offset PpmCheckMakeupSkippedChecks
		dd offset PpmParkReportUnparkedCores
		dd offset PpmParkReportParkedCores
		dd offset PpmParkReportMask
		dd offset PpmParkUnblockIdle
		dd offset _PpmCheckAcquireProcessorPerformance@0 ; PpmCheckAcquireProcessorPerformance()
		dd offset _PpmPerfApplyProcessorStates@0 ; PpmPerfApplyProcessorStates()
		dd offset _PpmPerfCommitPerformance@0 ;	PpmPerfCommitPerformance()
		dd offset PpmParkSteerInterrupts
		db  42h	; B OFF32 SEGDEF [_text,48E742]
		db 0E7h, 48h
; 

loc_4049C7:				; CODE XREF: .text:0040497Dj
		add	[edx-9], bl
		dec	eax
; 
		db 0
		align 10h

_PpmCheckPeriodicHeteroPipeline:	; DATA XREF: .text:_PpmCheckHeterogeneousPipelineso
		sahf
		pop	ebp
		dec	eax
		add	[eax], dh
		xchg	eax, esi
		dec	eax
		add	al, al
		pop	ebp
		dec	eax
		add	[eax], dh
		loopne	loc_404A27
		add	[eax-17h], ah
		dec	eax
		add	[eax+50006574h], al
		repne dec eax
		add	[ebp+78h], bl
		add	gs:[eax+0E0048F2h], dl
		jmp	near ptr 0F7B44A42h
; 
		dw 48h
		dd offset PpmPerfApplyDomainStates
		dd offset PpmCheckMakeupSkippedChecks
		dd offset PpmParkReportUnparkedCores
		dd offset PpmParkReportParkedCores
		dd offset PpmParkReportMask
		dd offset PpmParkUnblockIdle
		dd offset _PpmCheckAcquireProcessorPerformance@0 ; PpmCheckAcquireProcessorPerformance()
		dd offset _PpmPerfApplyProcessorStates@0 ; PpmPerfApplyProcessorStates()
		dd offset _PpmPerfCommitPerformance@0 ;	PpmPerfCommitPerformance()
		dd offset PpmParkSteerInterrupts
		db  42h	; B OFF32 SEGDEF [_text,48E742]
		db 0E7h, 48h
; 

loc_404A27:				; CODE XREF: .text:004049DDj
		add	[edx-9], bl
		dec	eax
; 
		db 0
		align 10h
_PpmWmiGuidList	dd offset _PPM_PERFSTATE_CHANGE_GUID
					; DATA XREF: PpmWmiRegisterInfo:loc_8AA9A3r
dword_404A34	dd 1			; DATA XREF: PpmWmiRegisterInfo+4Fr
dword_404A38	dd 4			; DATA XREF: PpmWmiRegisterInfo+46r
		dd offset _PPM_PERFSTATE_DOMAIN_CHANGE_GUID
		dd 1, 4
		dd offset _PPM_IDLESTATE_CHANGE_GUID
		dd 1, 4
		dd offset _PPM_IDLE_ACCOUNTING_EX_GUID
		dd 1, 4
		dd offset _PPM_PERFSTATES_DATA_GUID
		dd 1, 4
		dd offset _PPM_IDLESTATES_DATA_GUID
		dd 1, 4
		dd offset _PPM_THERMALCONSTRAINT_GUID
		dd 1, 4
		dd offset _PPM_PERFMON_PERFSTATE_GUID
		dd 1, 4
_WheapWmiGuidList dd offset _WHEAErrorSourceMethods_GUID
					; DATA XREF: WheapWmiRegisterInfo:loc_57C556r
dword_404A94	dd 1			; DATA XREF: WheapWmiRegisterInfo+4Cr
dword_404A98	dd 8			; DATA XREF: WheapWmiRegisterInfo+43r
		dd offset _WHEAErrorInjectionMethods_GUID
		dd 1, 8
		dd offset _WHEAPolicyManagementMethods_GUID
		dd 1, 8, 0
off_404AB8	dd offset aSecreatetokenp
					; DATA XREF: AdtpDbInitializePrivilegeObject():loc_574F3Fr
					; "SeCreateTokenPrivilege"
		dd offset aSeassignprimar ; "SeAssignPrimaryTokenPrivilege"
		dd offset aSelockmemorypr ; "SeLockMemoryPrivilege"
		dd offset aSeincreasequot ; "SeIncreaseQuotaPrivilege"
		dd offset aSemachineaccou ; "SeMachineAccountPrivilege"
		dd offset aSetcbprivilege ; "SeTcbPrivilege"
		dd offset aSesecuritypriv ; "SeSecurityPrivilege"
		dd offset aSetakeownershi ; "SeTakeOwnershipPrivilege"
		dd offset aSeloaddriverpr ; "SeLoadDriverPrivilege"
		dd offset aSesystemprofil ; "SeSystemProfilePrivilege"
		dd offset aSesystemtimepr ; "SeSystemtimePrivilege"
		dd offset aSeprofilesingl ; "SeProfileSingleProcessPrivilege"
		dd offset aSeincreasebase ; "SeIncreaseBasePriorityPrivilege"
		dd offset aSecreatepagefi ; "SeCreatePagefilePrivilege"
		dd offset aSecreateperman ; "SeCreatePermanentPrivilege"
		dd offset aSebackupprivil ; "SeBackupPrivilege"
		dd offset aSerestoreprivi ; "SeRestorePrivilege"
		dd offset aSeshutdownpriv ; "SeShutdownPrivilege"
		dd offset aSedebugprivile ; "SeDebugPrivilege"
		dd offset aSeauditprivile ; "SeAuditPrivilege"
		dd offset aSesystemenviro ; "SeSystemEnvironmentPrivilege"
		dd offset aSechangenotify ; "SeChangeNotifyPrivilege"
		dd offset aSeremoteshutdo ; "SeRemoteShutdownPrivilege"
		dd offset aSeundockprivil ; "SeUndockPrivilege"
		dd offset aSesyncagentpri ; "SeSyncAgentPrivilege"
		dd offset aSeenabledelega ; "SeEnableDelegationPrivilege"
		dd offset aSemanagevolume ; "SeManageVolumePrivilege"
		dd offset aSeimpersonatep ; "SeImpersonatePrivilege"
		dd offset aSecreateglobal ; "SeCreateGlobalPrivilege"
		dd offset aSetrustedcredm ; "SeTrustedCredManAccessPrivilege"
		dd offset aSerelabelprivi ; "SeRelabelPrivilege"
		dd offset aSeincreasework ; "SeIncreaseWorkingSetPrivilege"
		dd offset aSetimezonepriv ; "SeTimeZonePrivilege"
		dd offset aSecreatesymbol ; "SeCreateSymbolicLinkPrivilege"
		dd offset aSedelegatesess ; "SeDelegateSessionUserImpersonatePrivile"...
off_404B44	dd offset unk_70006E	; DATA XREF: .text:00404BF8o
		dd offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklm"...
dword_404B4C	dd 240022h		; DATA XREF: .text:00404C08o
		dd offset aX0123456789abc ; "x0123456789ABCDEF"
		align 8
_BcpStringsAndSizes dd offset unk_6D6BE8
					; DATA XREF: BcpGetMaxResourceProfile(x,x):loc_56EBE0r
dword_404B5C	dd 2			; DATA XREF: BcpGetMaxResourceProfile(x,x)+32r
		dd offset unk_6D6BF0
		align 8
		dd offset unk_6D6BF8
		dd 2
		dd offset unk_6D6C00
		dd 2
		dd offset unk_6D6C08
		dd 2
		dd offset unk_6D6C10
		dd 2
		dd offset unk_6D6C18
		dd 2
		dd offset unk_6D6C20
		dd 2
		dd offset unk_6D6C28
		dd 2
		dd offset unk_6D6C30
		dd 2
		dd offset unk_6D6C38
		align 10h
		dd offset unk_6D6C40
		align 8
		dd offset unk_6D6C50
		dd 1
		dd offset unk_6D6C48
		dd 1
		dd offset unk_6D6C58
		dd 2
		dd offset unk_6D6C60
		dd 2
		dd offset unk_6D6C68
		dd 2
		dd offset unk_6D6C70
		dd 2
		dd offset dword_404C30
		dd 2
		dd offset loc_40372B+5
		dd 3
		dd offset off_404B44
		align 10h
		dd offset dword_404C38
		align 8
		dd offset dword_404B4C
		align 10h
		dd offset dword_404C28
		dd 1
		dd offset dword_404C28
		dd 2
		dd offset dword_404C28
		dd 3
dword_404C28	dd 40002h		; DATA XREF: .text:00404C10o
					; .text:00404C18o ...
		dd offset asc_419700	; " "
dword_404C30	dd 160014h		; DATA XREF: .text:00404BE8o
		dd offset a0123456789	; "0123456789"
dword_404C38	dd 60004h		; DATA XREF: .text:00404C00o
		dd offset asc_4196F8	; "()"
		dd offset _DEVPKEY_DeviceContainer_IsLocalMachine
					; DATA XREF: _CmSetDeviceContainerMappedProperty:loc_8AEAE6r
					; _CmGetDeviceContainerMappedPropertyKeys(x,x,x,x,x,x,x):loc_A30E2Fr ...
		dd 11h
		dd offset _DEVPKEY_DeviceContainer_HasProblem
		dd 11h
		dd offset _DEVPKEY_DeviceContainer_IsConnected
		dd 11h
		dd offset _DEVPKEY_DeviceContainer_IsRebootRequired
		dd 11h
dword_404C60	dd 7			; DATA XREF: DrvDbRegisterObjects(x,x):loc_88D052r
					; DrvDbRegisterObjects(x,x)+35r
off_404C64	dd offset DrvDbDispatchDriverDatabase
					; DATA XREF: DrvDbRegisterObjects(x,x)+20r
		dd 8
		dd offset DrvDbDispatchDriverPackage
		dd 9
		dd offset DrvDbDispatchDriverInfFile
		dd 0Ah
		dd offset _DrvDbDispatchDriverFile@20 ;	DrvDbDispatchDriverFile(x,x,x,x,x)
		dd 0Bh
		dd offset DrvDbDispatchDeviceId
; 

_VrpRootKeyPaths:			; DATA XREF: VrpHandleIoctlGetVirtualRootKey(x,x,x,x,x,x)+AAo
		xor	al, [eax]
		xor	al, 0
		pop	eax
		jo	short loc_404CD1
		add	[eax+eax], dh

loc_404C92:				; CODE XREF: .text:00404D05j
		add	ss:byte_4C0042[eax+esi*2], cl
		dec	esi
		add	[eax], cl
		jo	short near ptr loc_404CDF+2
; 
		db 0
word_404CA0	dw 24h			; DATA XREF: IopIsKnownGoodLegacyFsFilter(x):loc_60989Dr
		dw 26h
; void *off_404CA4
off_404CA4	dd offset aFilesystemFltm ; DATA XREF: IopIsKnownGoodLegacyFsFilter(x)+1Dr
					; "\\FileSystem\\FltMgr"
		dd 220020h
		dd offset aFilesystemMsfs ; "\\FileSystem\\Msfs"
		dd 220020h
		dd offset aFilesystemNpfs ; "\\FileSystem\\Npfs"
		dd offset ??_C@_11LOCGONAA@@NNGAKEGL@
off_404CBC	dd offset ??_C@_1BC@FBOHHDN@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAn?$AAa?$AAl@NNGAKEGL@
					; DATA XREF: IopCreateLegacyDeviceIds(x,x,x):loc_987025r
					; IopCreateLegacyDeviceIds(x,x,x)+B4r
		dd offset ??_C@_17KCCDBGFJ@?$AAI?$AAs?$AAa@NNGAKEGL@
		dd offset loc_8BAC5F+1
		dd offset loc_8BAC45+1
		dd offset ??_C@_1BK@ECAGBAMG@?$AAT?$AAu?$AAr?$AAb?$AAo?$AAC?$AAh?$AAa?$AAn?$AAn?$AAe?$AAl@NNGAKEGL@
		db  1Eh	;  OFF32 SEGDEF	[PAGE,8BAC1E]
; 

loc_404CD1:				; CODE XREF: .text:00404C8Dj
		lodsb
		mov	eax, [eax]
		xchg	eax, esp
		lodsb
		mov	eax, [eax]
		mov	[ebx+ecx*4-74538C00h], ch

loc_404CDF:				; CODE XREF: .text:00404C9Dj
		add	[edx-54h], ch
		mov	eax, [eax]
		clc
		lodsb
		mov	eax, [eax]
		call	near ptr 0C440D899h
		lodsb
		mov	eax, [eax]
		mov	ds:32008BACh, al
		lodsd
		mov	eax, [eax]
		and	al, 0ADh
		mov	eax, [eax]
		sbb	[ebp-6453FF75h], ch
		mov	eax, [eax]
		xchg	eax, esi
		jnz	short loc_404C92
; 
		db 0
; 

_KiX87JMPPointers:			; DATA XREF: KiEnableX87Clearing():loc_AEE332r
		cmpsb
		pop	ds
		pop	edx
		add	[edx-1758FFA6h], bl ; DATA XREF: INIT:00AC0087o
		jb	short $+2
		in	al, dx
		loope	loc_404D78
		add	[ebx-18h], dl
		jb	short $+2
		insd
		loope	_Crc32Ctrl
; 
		db 0
; 

_PopCheckpointSystemSleepVariable:	; DATA XREF: PopCheckpointSystemSleepUnsafe(x)+20o
					; PopClearSystemSleepCheckpoint+A5C27o	...
		sub	al, [eax]
		sub	al, 0
		xor	[ebp+80042h], al ; DATA	XREF: PopBatteryDeviceState(x,x)+5Ao
		or	al, [eax]
		inc	esp
		xchg	al, [edx+0]

_PopDevicePrefixNt:			; DATA XREF: PopBatteryDeviceState(x,x)+47o
		or	[eax], al
		or	al, [eax]
		cmp	[esi-739BFFBEh], al ; DATA XREF: PopEmRegister()+Do
		inc	edx
		add	dh, ah
		test	[ebp+0], esp
; 
		dd 0
		dd offset _GUID_EM_PO_UPDATE_DEVICE_CONTRAINT_CALLBACK
		dd offset _PopEmUpdateDeviceConstraintCallback@28 ; PopEmUpdateDeviceConstraintCallback(x,x,x,x,x,x,x)
		align 10h
_PopEmEntry	dd offset _GUID_EM_PO_CALLER_MODULE_NAME_TYPE
					; DATA XREF: PopEmRegister()+14o
		dd 2 dup(0)
; 
; Exported entry 578. FsRtlLegalAnsiCharacterArray

		public _FsRtlLegalAnsiCharacterArray
_FsRtlLegalAnsiCharacterArray:		; DATA XREF: RtlpCapabilityCheckSystemCapability(x,x,x)+A2o
		mov	[edi+40040h], dh
		push	es
		add	[eax], cl
		xchg	eax, ebx
		inc	edx
		add	[esi], dh	; DATA XREF: RtlpGetPolicyValueForSystemCapability(x,x)+76o
		add	[eax], bh
		add	al, cl
		xchg	eax, edx
		inc	edx
		add	[eax+eax], al	; DATA XREF: RtlpCapabilityCheckSystemCapability(x,x,x)+5Bo
		push	es
; 
		db 0
		dd offset aDo		; "DO"
; 

loc_404D78:				; CODE XREF: .text:00404D15j
					; DATA XREF: RtlpConstructCrossVmObjectPath(x,x,x):loc_9D30FFo
		and	[eax], al
		and	al, [eax]
; 
		dd offset aSharedvmobject ; "\\SharedVmObjects"
; 

_Crc32Ctrl:				; CODE XREF: .text:00404D1Dj
					; DATA XREF: RtlCrc32(x,x,x)+Bo
		dec	eax
		rol	dword ptr [edx+0], cl
		dec	eax
		aad	42h
		add	[eax-6Dh], cl
		inc	edx
; 
		db 0
		align 10h
		dd 82F63B78h, 0
		dd 0FFFFFFFFh, 0
		dd offset aCrc32Castagnol ; "Crc32 Castagnoli"
		align 8
dword_404DA8	dd 18h,	0		; DATA XREF: RtlQueryValidationRunlevel(x)+3Co
		dd offset unk_6B3698
		dd 240h, 2 dup(0)
; 

_GlfsrXorLookupTables:			; DATA XREF: RtlpGenericRandomPatternWorker(x,x)+1Fr
		test	al, 0DEh
		inc	edx
		add	[eax], ch
		fiadd	word ptr [edx+0]
		test	al, 0DFh
		inc	edx
		add	[eax+280042DDh], ch
		fild	word ptr [edx+0]

loc_404DD4:				; DATA XREF: SepAdtAuditablePrivilege(x,x):loc_66F771r
		loopne	near ptr loc_404E1D+2
		test	eax, 0A94A2800h
		add	[eax], dh
		dec	edx
		test	eax, 0A94A1000h
		add	[eax+4Ah], bh
		test	eax, 0A94E0000h
		add	[eax+4Ah], dh
		test	eax, 0A94A4800h
		add	[eax-27FF56B6h], dl
		dec	ecx
		test	eax, 0A94A3800h
		add	[eax-4FFF56B4h], bh
		dec	ecx
		test	eax, 0A94A8000h
		add	[edx], bl	; DATA XREF: SepSecureBootSetRegistryKey+10C17o
		add	[eax+eax], bl
		clc
		loopne	near ptr loc_404E53+2
		add	[eax], ah	; DATA XREF: SepSecureBootCheckForUpdates()+66o
		add	[edx], ah
		add	[ecx], dh
		inc	edx
		add	[edx], ch	; DATA XREF: SepSecureBootSetRegistryKey+10BA4o

loc_404E1D:				; CODE XREF: .text:loc_404DD4j
		add	[eax+eax], ch
		pop	eax
		loope	loc_404E65
		add	[esi], bl	; DATA XREF: SepSecureBootSetRegistryKey+10BF7o
		add	[eax], ah
		add	[ecx], dl
		inc	edx
		add	[edx+0], bh	; DATA XREF: SepSecureBootSetRegistryKey+10B2Eo
					; SepSecureBootCheckForUpdates()+34o
		jl	short $+2
		mov	cl, ah
		inc	edx
		add	[edx], cl	; DATA XREF: SepSecureBootSetRegistryKey+10B70o
		add	[eax+eax], cl
		rol	byte ptr [ecx+60041h], 8
					; DATA XREF: SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+B3o
		add	[edx+42h], cl
; 
		db 0
; 

_SepFileTypeName:			; DATA XREF: SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+9Eo
					; SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+95o
		or	[eax], al
		or	al, [eax]
		push	esp
		loop	near ptr loc_404E8A+3

loc_404E4B:				; DATA XREF: SmEtwLogRegionOp(x,x,x,x,x,x,x)+4Fr
					; SmEtwLogStoreOp(x,x,x,x,x,x,x,x)+17r
		add	al, bl
		db	67h
		inc	edx
		add	al, cl
		db	67h
		inc	edx

loc_404E53:				; CODE XREF: .text:00404E11j
		add	[eax+67h], bh
		inc	edx
		add	[eax+67h], ch
		inc	edx
		add	[eax+67h], bl
		inc	edx
		add	[eax], ch
		db	67h
		inc	edx
		add	[eax], bl

loc_404E65:				; CODE XREF: .text:00404E21j
		db	67h
		inc	edx
		add	[eax], cl
		db	67h
		inc	edx

loc_404E6B:				; DATA XREF: SmEtwLogStoreCorruption(x,x,x,x,x,x)+19r
					; SmEtwLogStoreStateChange(x,x,x,x)+36r
		add	[eax+38004267h], cl
		db	67h
		inc	edx
		add	al, bh
		inc	dx

loc_404E77:				; DATA XREF: .data:006B3788o
					; .data:006B37A0o
		add	[eax+eax+66h], ah

loc_404E7B:				; DATA XREF: KitLogFeatureUsage(x,x,x):loc_68CC81r
		add	[eax+0E0042E4h], bl
		add	[eax], dl

loc_404E83:				; DATA XREF: KitLogFeatureUsage(x,x,x)+89r
		add	[eax], dh
		out	42h, eax	; Timer	8253-5 (AT: 8254.2).
		add	[edx+4Eh], dh	; DATA XREF: sub_A1AC58+3Eo

loc_404E8A:				; CODE XREF: .text:00404E49j
		imul	eax, [eax+0], 694B86h
; 
dword_404E90	dd 4 dup(0)		; DATA XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+3Ao
dword_404EA0	dd 1			; DATA XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+23o
		dd offset aSysmain_sdb	; "sysmain.sdb"
		dd offset _SdbpGetPathAppPatch@16 ; SdbpGetPathAppPatch(x,x,x,x)
		dd offset _SdbpGetPathAppPatchPreRS3@16	; SdbpGetPathAppPatchPreRS3(x,x,x,x)
		dd 2
		dd offset aPcamain_sdb	; "pcamain.sdb"
		dd offset _SdbpGetPathAppPatch@16 ; SdbpGetPathAppPatch(x,x,x,x)
		dd offset _SdbpGetPathAppPatchPreRS3@16	; SdbpGetPathAppPatchPreRS3(x,x,x,x)
		dd 3
		dd offset aDrvmain_sdb	; "drvmain.sdb"
		dd offset _SdbpGetPathAppPatch@16 ; SdbpGetPathAppPatch(x,x,x,x)
		dd offset _SdbpGetPathAppPatch@16 ; SdbpGetPathAppPatch(x,x,x,x)
		dd 4
		dd offset aMsimain_sdb	; "msimain.sdb"
		dd offset _SdbpGetPathAppPatch@16 ; SdbpGetPathAppPatch(x,x,x,x)
		dd offset _SdbpGetPathAppPatch@16 ; SdbpGetPathAppPatch(x,x,x,x)
		dd 5
		dd offset aFrxmain_sdb	; "frxmain.sdb"
		dd offset _SdbpGetPathAppPatch@16 ; SdbpGetPathAppPatch(x,x,x,x)
		dd offset _SdbpGetPathAppPatch@16 ; SdbpGetPathAppPatch(x,x,x,x)
		dd 6
		dd offset aAppraiser_sdb ; "appraiser.sdb"
		dd offset _SdbpGetPathAppraiser@16 ; SdbpGetPathAppraiser(x,x,x,x)
		dd offset _SdbpGetPathAppraiser@16 ; SdbpGetPathAppraiser(x,x,x,x)
		dd 7, 0
		dd offset _SdbpGetPathCustomSdb@16 ; SdbpGetPathCustomSdb(x,x,x,x)
		dd offset _SdbpGetPathCustomSdbPreRS3@16 ; SdbpGetPathCustomSdbPreRS3(x,x,x,x)
		dd 8
		dd offset aAcres_dll	; "acres.dll"
		dd offset _SdbpGetPathAppPatch@16 ; SdbpGetPathAppPatch(x,x,x,x)
		dd offset _SdbpGetPathAppPatch@16 ; SdbpGetPathAppPatch(x,x,x,x)
		dd 9, 0
		dd offset _SdbpGetPathSystem@16	; SdbpGetPathSystem(x,x,x,x)
		dd offset _SdbpGetPathAppPatchPreRS3@16	; SdbpGetPathAppPatchPreRS3(x,x,x,x)
; 

_g_ustrDatabaseType:			; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+1F0o
		sbb	[eax], al
		sbb	al, [eax]
		pushf
; 
		db 0EAh, 42h, 0
; 

_g_ustrRuntimePlatform:			; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+233o
		add	cs:[eax], dh
		add	[eax-1BFFBD16h], bh
					; DATA XREF: AslpFileQueryVersionString(x,x,x,x,x,x):loc_A261E7r
		pop	edx
		mov	word ptr [eax],	es
		sbb	[ebx-74h], bl
		add	al, bl
		pop	esp
		mov	word ptr [eax],	es
		or	al, 5Dh
		mov	word ptr [eax],	es

_AttributeTokenIntegrityLevel:		; DATA XREF: .data:006B37F4o
		sbb	al, 0
		push	ds
		add	[edi+ebp*8], cl
		inc	edx

loc_404F57:				; DATA XREF: .data:_TokenAttributeLookupTableo
		add	[eax+eax], dl
		push	ss
		add	[edi+ebp*8+42h], dl

loc_404F5F:				; DATA XREF: .data:006B3800o
		add	[esi], ah
		add	[eax], ch
		add	[edi+ebp*8], ch
		inc	edx

loc_404F67:				; DATA XREF: .data:006B380Co
		add	[eax], ch
		add	[edx], ch
		add	[edi+ebp*8+42h], ch
		add	[esi+668E008Ch], dh
					; DATA XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+FEr
		mov	word ptr [eax],	es
		xchg	eax, esp
		mov	word ptr [eax],	es
		js	short loc_404FE4
		mov	word ptr [eax],	es

loc_404F80:				; DATA XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+10Co
		add	al, 0
		push	es
		add	[ebx+esi*8], al
		inc	edx
		add	[eax+eax], ah	; DATA XREF: _CmOpenCommonClassRegKeyWorker+117E59o
					; _CmOpenDeviceInterfaceRegKeyWorker+11ACF2o ...
		db	26h
		add	dh, bl
		imul	ecx, [ebx+34003200h], 8B699E00h
					; DATA XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+124o
					; _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+112o	...
		add	[eax+eax], ch	; DATA XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+181o
					; _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+13Co
		add	cs:[edx+ebp*2],	al
		mov	eax, [eax]

; `_CmDeleteCommonClassRegKeyWorker'::`2'::ClassKeyPrefix
?ClassKeyPrefix@?1??_CmDeleteCommonClassRegKeyWorker@@9@9:
					; DATA XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+15Bo
		sbb	al, 0
		push	ds
		add	[esi+6Ah], ah
		mov	eax, [eax]

; `_CmDeleteDeviceRegKeyWorker'::`2'::EnumKeyPrefix
?EnumKeyPrefix@?1??_CmDeleteDeviceRegKeyWorker@@9@9:
					; DATA XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+151o
		or	al, [eax]
		or	al, 0
		shr	byte ptr [ecx-75h], cl
		add	[edx], dh	; DATA XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+118o
		add	[eax+eax], dh
		xor	ch, [edx-75h]
		add	[eax], bl	; DATA XREF: _PnpInstallerClassRaisePropertyChangeEventWorker(x,x,x,x,x,x)+39o
		cmp	[ebx+0], ch
		add	al, [eax]
; 
		dw 0
		dd offset _DEVPKEY_NAME
		dd offset off_6B3820
		dd 2
		dd offset _DEVPKEY_DeviceClass_CompoundUpperFilters
		dd offset off_6B3828
		dd 2
		dd offset _DEVPKEY_DeviceClass_CompoundLowerFilters
off_404FDC	dd offset off_6B3830	; DATA XREF: _PnpInterfaceClassRaisePropertyChangeEventWorker(x,x,x,x,x,x)+39o
		dd 1
; 

loc_404FE4:				; CODE XREF: .text:00404F7Cj
		fdiv	qword ptr [esi+40h]
		add	[eax+800406Ah],	ah
					; DATA XREF: _PnpContainerRaiseDevicesChangeEvent(x,x,x):loc_A321D7r
		cli
		inc	eax
		add	[edx+ebx*2], dh
		inc	eax
		add	[edx], ch	; DATA XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+116o
					; _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+12Co
		add	[eax+eax], ch
		cli
		xchg	eax, edx
		mov	word ptr [eax],	es
; 
off_404FFC	dd offset _DEVPKEY_DevicePanel_ContainerId
					; DATA XREF: _CmGetDevicePanelMappedPropertyKeys(x,x,x,x,x,x,x)+22r
					; _CmGetDevicePanelMappedPropertyLocales(x,x,x,x,x,x,x):loc_A3310Ar ...
		dd 0Dh
		dd offset loc_427D7B+1
		dd 7
		dd offset _DEVPKEY_DevicePanel_Side
		dd 7
dword_405014	dd 20001Eh		; DATA XREF: _SysCtxRegOpenCurrentUserKey(x,x,x,x)+1E4o
		dd offset ??_C@_1CA@BAGEJGFP@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAU?$AAS?$AAE?$AAR?$AA?2@NNGAKEGL@ ;	"\\REGISTRY\\USER\\"
		dd offset loc_460042+2
off_405020	dd offset loc_8C94DD+1	; DATA XREF: _RegRtlOpenPredefinedKey:loc_8B2288r
		dd 8A0088h
off_405028	dd offset loc_8C9453+1	; DATA XREF: _RegRtlOpenPredefinedKey+84995r
off_40502C	dd offset _DEVPKEY_DriverPackage_Configurations
					; DATA XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+A7r
					; DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+D8r
		dd offset _DEVPKEY_DriverPackage_ConfigurationScopes
off_405034	dd offset _DEVPKEY_DriverFile_DriverInfName
					; DATA XREF: DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x):loc_A38AFFr
					; DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)+ACo ...
		dd 12h
		dd offset dword_40FDC4
		dd 1, 2	dup(0)
		dd offset _DEVPKEY_DriverFile_SubDirectory
		dd 12h
		dd offset aSubdir	; "SubDir"
		dd 1, 2	dup(0)
off_405064	dd offset _DEVPKEY_DeviceId_DriverInfMatches
					; DATA XREF: DrvDbGetDeviceIdMappedProperty:loc_9004FDr
					; DrvDbGetDeviceIdMappedProperty+AEA04o ...
		dd 2012h
		dd offset dword_40FDC4
		dd 7, 3	dup(0)
off_405080	dd offset _DEVPKEY_DriverDatabase_SystemPath
					; DATA XREF: DrvDbGetDriverDatabaseMappedProperty:loc_932F61r
					; DrvDbGetDriverDatabaseMappedProperty+8AA50o ...
		dd 12h
		dd offset aSystempath	; "SystemPath"
		dd 1, 2	dup(0)
		dd offset _DEVPKEY_DriverDatabase_FilePath
		dd 12h
		dd offset aFilepath	; "FilePath"
		dd 1, 2	dup(0)
		dd offset _DEVPKEY_DriverDatabase_RegistryPath
		dd 12h
		dd offset aKeypath	; "KeyPath"
		dd 1, 2	dup(0)
		dd offset _DEVPKEY_DriverDatabase_SoftwareRegistryPath
		dd 12h
		dd offset aSoftwarekeypat ; "SoftwareKeyPath"
		dd 1, 2	dup(0)
; const	SC_DISK::`vftable'
??_7SC_DISK@@6B@ dd offset ??_ESC_DISK@@UAEPAXI@Z ; DATA XREF: SC_DISK::SC_DISK(void)+1Eo
					; SC_DISK::~SC_DISK(void)+Bo
					; SC_DISK::`vector deleting destructor'(uint)
		dd offset ?Initialize@SC_DISK@@UAEJXZ ;	SC_DISK::Initialize(void)
		dd offset __purecall
		dd offset __purecall
		dd offset ?GetStoragePropertyPre@SC_DISK@@MAEJW4_STORAGE_PROPERTY_ID@@PAK@Z ; SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong	*)
		dd offset ?GetStoragePropertyPost@SC_DISK@@MAEJW4_STORAGE_PROPERTY_ID@@PAU_STORAGE_DESCRIPTOR_HEADER@@@Z ; SC_DISK::GetStoragePropertyPost(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)
		dd offset ?SaveStorageProperty@SC_DISK@@MAEXW4_STORAGE_PROPERTY_ID@@PAU_STORAGE_DESCRIPTOR_HEADER@@@Z ;	SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)
		dd offset __purecall
		dd offset __purecall
; const	SC_DEVICE::`vftable'
??_7SC_DEVICE@@6B@ dd offset ??_GSC_DEVICE@@UAEPAXI@Z
					; DATA XREF: SC_DEVICE::SC_DEVICE(void)+9o
					; SC_DEVICE::~SC_DEVICE(void)+Bo
					; SC_DEVICE::`scalar deleting destructor'(uint)
		dd offset ?Initialize@SC_DEVICE@@UAEJXZ	; SC_DEVICE::Initialize(void)
		dd offset __purecall
		dd offset __purecall
		dd offset ?GetStoragePropertyPre@SC_DEVICE@@MAEJW4_STORAGE_PROPERTY_ID@@PAK@Z ;	SC_DEVICE::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)
		dd offset _xKdGetAcpiTablePhase0@8 ; xKdGetAcpiTablePhase0(x,x)
		dd offset ?SaveStorageProperty@SC_DEVICE@@MAEXW4_STORAGE_PROPERTY_ID@@PAU_STORAGE_DESCRIPTOR_HEADER@@@Z	; SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)
_UartHardwareDrivers dd	offset _Legacy16550HardwareDriver
					; DATA XREF: InbvPortInitialize(x,x,x,x,x,x,x,x)+66r
		dd offset _Uart16550HardwareDriver
		dd offset _SpiMax311HardwareDriver
		dd 8 dup(0)
		dd offset _UsifHardwareDriver
		dd 6 dup(0)
		dd offset _MM16550HardwareDriver
		dd 25h dup(0)
; 

; void VRP_ORIGINAL_KEY_NAME_PARAMETER_GUID
_VRP_ORIGINAL_KEY_NAME_PARAMETER_GUID:	; DATA XREF: CmAllocateExtraParameter(x,x,x)+25o
					; VrpRegistryCallback+1B7o ...
		call	far ptr	0C0CFh:0BB85B866h
		dec	edx
		mov	dh, 89h
		insd
		stosb
; 
		dd 2277E5BFh
; 

_MiFreeThenFree:			; DATA XREF: MiGetPage:loc_46E713o
					; MiGetPage+1D8o ...
		add	[eax], eax
; 
		dw 0
		dd 1
; 

_ETW_EVENT_GROUP_JOIN:			; DATA XREF: EtwpAddRegEntryToGroup+2F1o
					; EtwpEventWriteGroupJoin(x,x,x,x)+34o
		sbb	eax, 5110000h
		sbb	al, [ebx]
		add	[eax], ah
		or	al, [eax]
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_TIME_RESOLUTION_UPDATE:	; DATA XREF: PoTraceSystemTimerResolutionUpdate+2Bo
		pop	edi
; 
		db 2 dup(0), 10h
		dd offset loc_5BFFFF+5
		dd 4004h, 40000000h
; 

_POP_ETW_EVENT_STRS:			; DATA XREF: PoTraceSystemTimerResolution+2Eo
					; PoTraceSystemTimerResolution+18CD70o
		aas
		add	[ecx], al
		adc	[eax+eax], al
		inc	ebp
		add	[eax+eax*2], al
; 
		dw 0
		dd 40000000h
; 

_PsIoRateControlStart:			; DATA XREF: EtwTracePsIoRateControl+20o
		adc	eax, [eax]
		add	dl, [eax]
		add	al, 1
		adc	[eax], eax
		add	[eax], dl
; 
		dw 0
dword_405254	dd 80000000h		; CODE XREF: .text:00405279j
; 

_THREATINT_WRITEVM_REMOTE:		; DATA XREF: EtwTiLogReadWriteVm+8Co
		push	cs
		add	[ecx], al
		adc	[eax+eax], al
		pop	es
; 
		db 0
		dd 80000h, 80000000h
; 

_THREATINT_WRITEVM_LOCAL:		; DATA XREF: EtwTiLogReadWriteVm+1A2o
		or	al, 0
		add	[eax], edx
		add	al, 0
		pop	es
; 
		db 0
		dd 40000h, 80000000h
; 

; void DEVPKEY_Device_SafeRemovalRequired
_DEVPKEY_Device_SafeRemovalRequired:	; DATA XREF: .text:004015F4o
					; _CmGetDeviceMappedPropertyFromComposite:loc_7F97E4o ...
		inc	eax
		jbe	short near ptr dword_405254
		scasd
		mov	ds:0B6421086h, eax
		jl	short near ptr loc_4052AA+1
		pushf
		inc	ecx
		stosb
		mov	esi, 255h
; 
		db 0
; void DEVPKEY_Device_ReportedDeviceIdsHash
_DEVPKEY_Device_ReportedDeviceIdsHash db '~',0Bh,'T@Ej',0Bh,'L',8,0
					; CODE XREF: .text:_DEVPKEY_Device_HasProblemj
					; DATA XREF: .text:00404800o ...
		align 10h

_DEVPKEY_Device_UpdateWithUngroupedDrivers: ; DATA XREF: .data:off_6B30F0o
					; _CmGetDeviceMappedPropertyFromComposite+6E1o
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi

loc_4052AA:				; CODE XREF: .text:00405281j
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		sbb	al, 0
; 
		dw 0
; 

; void DEVPKEY_Device_OmitFromSystemSpec
_DEVPKEY_Device_OmitFromSystemSpec:	; DATA XREF: .text:0040163Co
					; _CmGetDeviceMappedPropertyFromComposite+683o	...
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		sbb	al, [eax]
; 
		dw 0
; 

_DEVPKEY_Device_DriverInGroup:		; DATA XREF: .data:006B30F4o
					; _CmGetDeviceMappedPropertyFromComposite+73Eo	...
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		sbb	eax, [eax]
; 
		dw 0
		align 10h

_ETW_EVENT_PROVIDER_ENABLED:		; DATA XREF: EtwpEnableGuid+5B0o
		push	cs

loc_4052E1:				; CODE XREF: .text:_DEVPKEY_Device_IsRebootRequiredj
		add	[ecx], al
		adc	ds:20000312h, eax
		add	al, 0
; 
		db 0
		dd 40000000h
; 

; void DEVPKEY_Device_PowerRelations
_DEVPKEY_Device_PowerRelations:		; DATA XREF: .text:004047F4o
					; _CmGetDeviceMappedPropertyFromComposite:loc_7F9A9Do ...
		lds	esp, [esi-6C05BCC0h]
		push	es
		inc	edi
		xchg	eax, edi
		sub	al, 7Bh
		or	byte ptr fs:[eax], 0A5h
		cmpsd
		push	es
; 
		db 3 dup(0)
; 

; void DEVPKEY_Device_HasProblem
_DEVPKEY_Device_HasProblem:		; DATA XREF: .text:004015C4o
					; .text:00401AC0o ...
		jle	short near ptr _DEVPKEY_Device_ReportedDeviceIdsHash+0Eh
		or	edx, [eax+eax*2-75h]
		mov	esp, 6AA2A845h
		or	ecx, [ecx+6A2BD4Ch]
; 
		db 3 dup(0)
; void dword_405318
dword_405318	dd 910C653Dh, 4719A4EBh, 884509B9h, 91ECBAE3h
					; DATA XREF: EtwpIsSpecialGuidEnabledOnDifferentLogger(x,x,x)+26o
; 

_REG_EVENT_CLEAR_ACCESS:		; DATA XREF: CmpLogClearAccessBitsEvent(x,x,x)+6Bo
		adc	[eax], al
		add	[eax], cl
		add	al, 0
; 
		dw 0
		dd 0
		dd 80000000h
; 

_DEVPKEY_Device_PresenceNotForDevice:	; DATA XREF: .data:006B311Co
					; _CmGetDeviceMappedPropertyFromComposite+C25o
		cmpsb
		push	ds
		fadd	dword ptr [eax+4B0C7473h]
		adc	byte ptr [esi],	0EFh
		rcr	dword ptr [edx], 2Ch
		dec	esp
; 
		db 8Bh
		dd 5
; 

; void DEVPKEY_Device_IsRebootRequired
_DEVPKEY_Device_IsRebootRequired:	; DATA XREF: .text:00401618o
					; .text:00401AD0o ...
		jle	short near ptr loc_4052E1+1
		or	edx, [eax+eax*2-75h]
		mov	esp, 6AA2A845h
		or	ecx, [ecx+10A2BD4Ch]
; 
		db 3 dup(0)
; 

; void DEVPKEY_Device_IsConnected
_DEVPKEY_Device_IsConnected:		; DATA XREF: .text:0040160Co
					; .text:00401AB0o ...
		db	26h
		arpl	dx, bx
		and	dword ptr [esi-6BBF7769h], 53h
		mov	eax, ds:3B573F92h
		sub	[edi], ecx
; 
		db 3 dup(0)
; 

; void CKCLGuid
_CKCLGuid:				; DATA XREF: EtwpStartLogger+28Ao
					; EtwpStartLogger+933o
		cmp	ah, [edi-12E0AB22h]
		movsb
		inc	edx
		scasd
		jno	short loc_4053BD
		arpl	ax, dx
		push	esi
		icebp
		jz	short $+2
; 
		db 3 dup(0)
; 

_ETW_EVENT_START_TRACE:			; DATA XREF: EtwpStartLogger:loc_7F10C0o
					; EtwpStartLogger+120B55o ...
		or	al, [eax]
		add	[ecx], edx
		add	eax, 1000020Ch
; 
		db 3 dup(0)
		dd 40000000h
; 

; void AuditLoggerGuid
_AuditLoggerGuid:			; DATA XREF: EtwpStartLogger+2BCo
		or	esp, edx
		db	66h
		push	cs
		add	bh, [eax+7292BA6Ah]
		xor	[ecx], ebx
		popf
		push	cs
; 
		dw 95D2h
; 

_DEVPKEY_Device_Capabilities:		; DATA XREF: .text:00404768o
					; .data:006B3130o ...
		dec	esi

loc_4053A9:				; CODE XREF: .text:00405409j
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h

loc_4053B3:				; CODE XREF: .text:_ThreatIntProviderGuidj
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	loc_4053CA
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_LocationPaths:		; DATA XREF: .text:00404760o
					; PiProcessNewDeviceNode+7EEo ...
		dec	esi

loc_4053BD:				; CODE XREF: .text:0040537Dj
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1

loc_4053CA:				; CODE XREF: .text:004053B7j
		push	eax
		loopne	near ptr word_4053F2
; 
		db 3 dup(0)
; 

_ETW_EVENT_PROVIDER_DISABLED:		; DATA XREF: EtwpEnableGuid+651o
		sldt	word ptr [eax]
		adc	ds:20000313h, eax

loc_4053D9:				; CODE XREF: .text:0040540Bj
		add	al, 0
; 
		db 0
		dd 40000000h
_PathPrefixWin32 dd offset loc_5C005C	; DATA XREF: PiDmEnumObjectsWithCallback(x,x,x)+5Fo
		dd offset loc_5C0039+6
		align 10h

_POP_ETW_EVENT_DEVICE_POWER_REQUIREMENT_TO_DEVICE:
					; DATA XREF: PopDiagTraceFxDevicePowerRequirement:loc_4D9B4Co
		xor	eax, [ecx]
; 
word_4053F2	dw 0			; CODE XREF: .text:004053CBj
		dd 8B0004h, 100h, 0
; 

; void DEVPKEY_DriverPackage_SignerName
_DEVPKEY_DriverPackage_SignerName:	; DATA XREF: .text:004017A8o
					; DrvDbGetDriverPackageMappedProperty+28Do ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_4053A9+4
		jz	short loc_4053D9
		inc	edi
		fstp	tbyte ptr [edx+7]
; 
		dd 0
; 

_POP_ETW_EVENT_SYSTEM_LATENCY_RUNDOWN:	; DATA XREF: PopDiagTraceSystemLatencyUpdate:loc_43D880o
					; PopDiagTraceSystemLatencyUpdate+16E026o
		stc
		add	[eax], eax
		adc	[eax+eax], al
		cdq

loc_40541F:				; CODE XREF: .text:0040542Aj
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

_ThreatIntProviderGuid:			; DATA XREF: EtwpInitialize+31Ao
		jl	short loc_4053B3
		loope	near ptr loc_40541F+1

loc_40542C:				; CODE XREF: .text:00405495j
		pop	ebp
		mov	ebx, 0D8F15668h
		add	al, 0Fh
		dec	ebp
; 
		db 8Dh,	0D3h, 44h
; 

_SecurityMitigationsProviderGuid:	; DATA XREF: EtwpInitialize+34Do
		xchg	eax, edx
		add	esp, ecx
		cli
		scasd
		lock ror byte ptr [edx-48h], 0FFh
		lahf
		dec	ebp
		xchg	eax, edx
		or	al, 3Ch
; 
		db 0DFh
; 

_PsProvGuid:				; DATA XREF: EtwpCrimsonProvEnableCallback+85113o
					; EtwpInitialize+258o
		setalc
		sub	al, 0FBh
		and	bh, [ebx+0Eh]
		sub	eax, [edx-60h]
		mov	dword ptr [edi], 0E7D01FADh
		push	ss

_NetProvGuid:				; DATA XREF: EtwpInitialize+282o
		dec	ecx

loc_405459:				; CODE XREF: _MS_Windows_Security_LPAC_Provider+8j
		sub	dl, ah
		jge	short loc_405486
		push	ebx
		xor	cl, [eax-73h]
		std
		inc	ebx
		fnstcw	word ptr [ecx+15h]
		cmp	cl, [eax-2E26C109h] ; DATA XREF: EtwpInitialize+2D6o
		repne loope near ptr loc_4054B1+3
		dec	edi
		cdq
		inc	ebx
		add	edx, edx
		inc	ebp
; 
		db 0FEh, 6Ch, 0

;  S U B	R O U T	I N E 


_MS_Windows_Security_LPAC_Provider proc	near ; DATA XREF: EtwpInitialize+32Bo
		in	eax, 0C9h	; DMA controller, 8237A-5.
					; request register bits:
					; 0-1: select channel (00=0; 01=1; 10=2; 11=3)
					; 2: 1=set request bit for channel; 0=reset request
		out	dx, al
		inc	ebp
		sbb	ecx, [edx+46h]
		push	esp
		jp	short near ptr loc_405459+1
		movsb
		stosd
		adc	edx, [ebx]

loc_405486:				; CODE XREF: .text:0040545Bj
		les	esi, [edi]

_MS_Windows_Security_Adminless_Provider: ; DATA	XREF: EtwpInitialize+33Co
		bound	ebp, [ecx+21h]
		jmp	far ptr	0C5F7h:5B73877Bh
_MS_Windows_Security_LPAC_Provider endp

; 
		mov	ch, bh
		push	ebx
		jnz	short loc_40542C
		sahf

_MS_Windows_Kernel_AppCompat_Provider:	; DATA XREF: EtwpInitialize+2E7o
		shr	dword ptr [ebp-6480E95Fh], 0D9h
		dec	esp
		xchg	eax, esp
		mov	bl, 0D8h

loc_4054A3:				; CODE XREF: .text:004054C3j
		sub	[edx-4Fh], ebp
		mov	cl, 30h

_KernelShimEngineProvider:		; DATA XREF: KseInitialize+126o
		xchg	eax, esp
		sti
		repne or esp, [eax+7Bh]
		dec	ebp
		dec	ebx
		xchg	eax, edi

loc_4054B1:				; CODE XREF: .text:0040546Cj
		call	small near ptr 0B9E4h
; 
		db 8Dh,	0F5h, 40h
; 

_KernelProvGuid:			; DATA XREF: EtwpInitialize+237o
		mov	bh, 0A8h
		mov	word ptr [esi-2849FFB1h], fs
		cmpsb
		cwde
		pop	es
		loop	loc_4054A3
; 
		db 0Fh,	1Fh, 5Dh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_KernelAuditApiCallsGuid proc near	; DATA XREF: EtwpInitialize+2F8o

; FUNCTION CHUNK AT 004054FB SIZE 00000007 BYTES

		sbb	al, 84h
		sub	ah, al
		mov	ds:0AF4FA775h, eax
		enter	9AEh, 0CFh
		wait
		jg	short loc_4054FB
_KernelAuditApiCallsGuid endp


;  S U B	R O U T	I N E 


_KMPnPEvt_SystemStart_Stop proc	far	; DATA XREF: IopInitializeSystemDrivers+1E3o
		retf
_KMPnPEvt_SystemStart_Stop endp

; 
		db 2 dup(0), 11h
; 
		add	al, 2
		retf	2000h
; 
		align 4
		dd 20000000h

;  S U B	R O U T	I N E 


_KMPnPEvt_SystemStart_Start proc far	; DATA XREF: IopInitializeSystemDrivers+13o
		retf	0
_KMPnPEvt_SystemStart_Start endp

; 
		adc	[ecx+eax], eax
		retf	2000h
; 
		align 2
word_4054F2	dw 0			; CODE XREF: .text:0040553Aj
		dd 20000000h
; 

_KMPnPEvt_BootStart_Stop:		; DATA XREF: IopInitializeBootDrivers+55Ao
		leave
; 
		db 2 dup(0)
; 
; START	OF FUNCTION CHUNK FOR _KernelAuditApiCallsGuid

loc_4054FB:				; CODE XREF: _KernelAuditApiCallsGuid+Ej
		adc	[edx+eax], eax

loc_4054FE:				; CODE XREF: .text:00405562j
		enter	2000h, 0
; END OF FUNCTION CHUNK	FOR _KernelAuditApiCallsGuid
; 
		dw 0
		dd 20000000h
; 

_KMPnPEvt_BootStart_Start:		; DATA XREF: IopInitializeBootDrivers+25o
		enter	0, 11h
		add	al, 1
		enter	2000h, 0
; 
		dw 0
		dd 20000000h
; const	IID GUID_NULL
_GUID_NULL	IID <0>			; DATA XREF: IopProcessWorkItem+3Bo
					; .text:loc_528D54r ...
; 

_FileProvGuid:				; DATA XREF: EtwpLogFileNameRundown(x,x)+10o
					; EtwpInitialize+2ACo
		daa
		mov	eax, edx
		in	eax, dx
		les	ebx, [ebp-3D8F46B2h]
		push	esi
; 
		dd 89C2B50Fh
; 

; void EventTracingProvGuid
_EventTracingProvGuid:			; DATA XREF: .text:00528A5Ao
					; EtwpCrimsonStackWalkApc(x,x,x,x,x)+57o ...
		aaa
		in	al, dx
		jnz	short near ptr word_4054F2
		mov	dh, 0BDh
		dec	eax
		inc	esi
		mov	esp, 0C7FDF392h
		dec	ebp
		cmp	al, 0A2h

_DiskProvGuid:				; DATA XREF: EtwpInitialize+297o
		call	far ptr	77E1h:0E0C7BDE6h
		inc	ecx
		mov	dh, 0EFh
		sub	[edx], bh
		rcl	dword ptr [edx+52h], 1
		jno	short near ptr loc_405564+2 ; DATA XREF: EtwpInitialize+309o
		sub	ah, [esi+5F7E1785h]
		dec	eax
		popf
		dec	edi
		jz	short loc_4054FE

loc_405564:				; CODE XREF: .text:00405557j
		sub	[ecx-6Dh], dh
		cmpsb

_WNF_ETW_SUBSYSTEM_INITIALIZED:		; DATA XREF: EtwpInitialize+35Do
		jnz	short near ptr a??Volume+2
		mov	esp, 911A28A3h
		inc	ecx
; 
; wchar_t a??Volume
a??Volume:				; CODE XREF: .text:_WNF_ETW_SUBSYSTEM_INITIALIZEDj
					; DATA XREF: IoVolumeDeviceNameToGuidPath+216o
		unicode	0, <\??\Volume>,0
		align 4

; void WmipDataProviderPnPIdInstanceNamesGuid
_WmipDataProviderPnPIdInstanceNamesGuid: ; DATA	XREF: WmipForwardWmiIrp+82o
					; WmipTranslatePDOInstanceNames+70o ...
		sal	dword ptr ds:0AADBC7BFh, cl
		rcl	dword ptr [ecx], 1
		mov	edi, 0C9A0004Ah
		push	es
		sub	[eax], edx

; void WmipDataProviderPnpidGuid
_WmipDataProviderPnpidGuid:		; DATA XREF: WmipForwardWmiIrp+64o
					; WmipTranslatePDOInstanceNames+58o ...
		sal	byte ptr ds:0AADBC7BFh,	cl
		rcl	dword ptr [ecx], 1
		mov	edi, 0C9A0004Ah
		push	es
		sub	[eax], edx

_ProcessStop:				; DATA XREF: EtwpPsProvTraceProcess+6A8o
		add	al, [eax]
		add	dl, [eax]
		add	al, 2
		add	al, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_ProcessStart:				; DATA XREF: EtwpPsProvTraceProcess+9Eo
					; EtwpCrimsonProvEnableCallback+3Fo
		add	[eax], eax
		add	edx, [eax]
		add	al, 1
		add	[eax], eax
		adc	[eax], al
; 
		dw 0
		dd 80000000h

;  S U B	R O U T	I N E 


; void GUID_TARGET_DEVICE_REMOVE_COMPLETE
_GUID_TARGET_DEVICE_REMOVE_COMPLETE proc far
					; DATA XREF: IoReportTargetDeviceChangeAsynchronous+76o
					; PnpProcessDeferredRegistrations()+123o ...
		or	[eax+3Ah], al
		retf
_GUID_TARGET_DEVICE_REMOVE_COMPLETE endp

; 
		dd 11D046F0h, 60008FB0h, 3F051397h

;  S U B	R O U T	I N E 


; void GUID_TARGET_DEVICE_REMOVE_CANCELLED
_GUID_TARGET_DEVICE_REMOVE_CANCELLED proc far
					; DATA XREF: IoReportTargetDeviceChangeAsynchronous+5Fo
					; PnpNotifyTargetDeviceChange+72o ...
		pop	es
		inc	eax
		cmp	cl, bl
		lock inc esi
		rcl	byte ptr [ecx],	1
		mov	al, 8Fh
		add	[eax-69h], ah

loc_4055E5:				; DATA XREF: IoReportTargetDeviceChangeAsynchronous+3Ao
					; PiUEventIsDeviceEventVetoable(x)+8o ...
		adc	eax, ds:3A40063Fh
		retf
_GUID_TARGET_DEVICE_REMOVE_CANCELLED endp ; sp =  4

; 
		dd 11D046F0h, 60008FB0h, 3F051397h
; 

; void GUID_DEVICE_KERNEL_INITIATED_EJECT
_GUID_DEVICE_KERNEL_INITIATED_EJECT:	; DATA XREF: PiUEventIsDeviceEventVetoable(x)+1Co
		push	esp
		wait
		push	0D3070314h
		adc	[edi-365FFF2Eh], edx
		inc	eax
		push	edx

loc_405607:				; DATA XREF: PopSetNewPolicyValue(x)+56o
		db	2Eh
		push	ecx
		xor	dl, [ebx+54h]
		mov	esi, 96482482h
		rol	dword ptr [edi-4Ah], 0Bh
		jz	short near ptr loc_405620+4

loc_405617:				; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+3DDo
					; PopValidatePowerSettingData+47o ...
		add	[esi-1B6287EBh], ah
		jle	short near ptr loc_40569C+1
		dec	ecx

loc_405620:				; CODE XREF: .text:00405615j
		mov	[eax-0FFAA5AFh], cl
; 
		dw 6423h
; 

; void GUID_STANDBY_TIMEOUT
_GUID_STANDBY_TIMEOUT:			; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+389o
					; PopValidatePowerSettingData+31o ...
		fcmovnb	st, st(1)
		imul	byte ptr [ecx]
		fiadd	dword ptr [esi-2460B73Bh]
		repne mov dh, 7Bh
		pop	ds
		inc	esp
; 
		db 0DAh
; void GUID_DISK_POWERDOWN_TIMEOUT
_GUID_DISK_POWERDOWN_TIMEOUT db	'8gBJj@iun',0
					; DATA XREF: PopValidatePowerSettingData+10o
					; PopHardDiskPowerSettingCallback+16o
		dw 1000h
		dd 0D80004h, 4,	40000000h
; 

_POP_ETW_DEEP_SLEEP_SET_CONSTRAINT:	; DATA XREF: PopDiagTraceSetDeepSleepConstraint+26o
		mov	ch, 0
		add	[eax], dl
		add	al, 0
		xlat
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_SYSTEM_LATENCY_UPDATE:	; DATA XREF: PopDiagTraceSystemLatencyUpdate+33o
					; PopDiagTraceSystemLatencyUpdate:loc_5AB857o
		clc
		add	[eax], eax
		adc	[eax+eax], al
		cwde
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

; void GUID_POWER_POLICY_PROFILE_LOW_POWER
_GUID_POWER_POLICY_PROFILE_LOW_POWER:	; DATA XREF: PpmSetProfilePolicySetting+47o
					; PpmEnableProfile+9o ...
		add	esi, esp
		imul	eax, [ebp+2Eh],	0BC486927h
		stosd
		sbb	al, 6Ch
		add	edx, edi
		xchg	eax, esi
		outsd

_PfSnEvt_PrefetchSections_Stop:		; DATA XREF: PfSnLogPrefetchSectionsStop+53o
		add	al, [eax]
		add	[eax], edx
		add	al, 2
		add	[eax], eax
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_PfSnEvt_GetReadLists_Stop:		; DATA XREF: PfSnLogGetReadListsStop+30o
		or	al, [eax]
		add	[eax], edx

loc_40569C:				; CODE XREF: .text:0040561Dj
		add	al, 2
		or	[eax], eax
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_PfSnEvt_GetReadLists_Start:		; DATA XREF: PfSnLogGetReadListsStart+35o
		or	[eax], eax
		add	[eax], edx
		add	al, 1
		or	[eax], eax
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_PfSnEvt_PrefetchSections_Start:	; DATA XREF: PfSnLogPrefetchSectionsStart+3Bo
		add	[eax], eax
		add	[eax], edx
		add	al, 1
		add	[eax], eax
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_PfSnEvt_AsyncWorker_Start:		; DATA XREF: PfSnEndTrace+1F4o
					; PfSnLogAsyncWorker+16DAC0o
		or	eax, [eax]
		add	[eax], dl
		add	al, 1
		or	al, [eax]
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_PfSnEvt_SyncPrefetchingDone_Info:	; DATA XREF: PfSnEndTrace+332o
					; PfSnEndTrace+16DEAFo
		or	eax, 4100000h
		add	[edx], cl
		add	[eax], ah
; 
		db 3 dup(0)
		dd 80000000h
; 

_PfSnEvt_AsyncWorker_Stop:		; DATA XREF: PfSnEndTrace:loc_76A9DBo
		or	al, 0
		add	[eax], dl
		add	al, 2
		or	al, [eax]
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_PfSnEvt_EndTrace_Info:			; DATA XREF: PfSnLogEndTrace+32o
		pop	es
; 
		db 2 dup(0), 10h
		dd 70004h, 20h,	80000000h
; 

_PfSnEvt_ScenarioDecision_Info:		; DATA XREF: PfSnLogScenarioDecision+3Ao
		or	[eax], al
		add	[eax], edx
		add	al, 0
		or	[eax], al
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_ThreadStart:				; DATA XREF: EtwpPsProvTraceThread:loc_76E07Ao
					; PfSnLogPrefetchMetadata+19o ...
		add	eax, [eax]
		add	[eax], edx
		add	al, 1
		add	eax, [eax]
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_ThreadStop:				; DATA XREF: EtwpPsProvTraceThread+45o
		add	al, 0
		add	[eax], edx
		add	al, 2
		add	al, 0
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_ImageUnload:				; DATA XREF: EtwpPsProvTraceImage(x,x,x,x)+F1o
		push	es
; 
		db 2 dup(0), 10h
		dd 60004h, 40h,	80000000h
; 

_ImageLoad:				; DATA XREF: EtwpPsProvTraceImage(x,x,x,x)+27o
					; EtwpCrimsonProvEnableCallback:loc_8B165Eo
		add	eax, 4100000h
		add	large ds:4000h,	al
; 
		db 0
		dd 80000000h
_EtwpNull	dd 0			; DATA XREF: EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)+E5o
					; EtwpTraceThreadRundown:loc_4DD03Bo ...
_MiZeroThenZero	dd 3 dup(0)		; DATA XREF: MiGetPage+6Ao
					; MiGetPage+342o ...
; 

_PPM_ETW_INTERRUPT_STEERING_STATE_RETARGET: ; DATA XREF: PpmParkSteerInterrupts+3B6o
					; PpmParkSteerInterrupts:loc_5B63B7o ...
		push	es
; 
		db 3 dup(0)
		dd 60004h, 1, 0
; 

_PPM_ETW_PERF_CHECK_START:		; DATA XREF: PpmCheckStart+59o
					; PpmCheckStart+12F446o
		add	fs:[eax], al
		add	ds:2000B01h, al
; 
		db 3 dup(0)
		align 8

_PPM_ETW_COMPUTE_ENERGY:		; DATA XREF: PpmCheckComputeEnergy+185o
					; PpmCheckComputeEnergy+12A345o
		popa
; 
		db 3 dup(0)
		dd offset loc_4BFFFF+5
		dd 100h, 0
; 

_PPM_ETW_PERF_CHECK_STOP:		; DATA XREF: PpmEventTracePerfCheckStop+23o
		adc	[eax], al
; 
		dw 0
		dd 0B0205h, 2, 0
; 

_PPM_ETW_PARK_NODE_STATS:		; DATA XREF: PpmParkRecordNodeStatistics+BDo
					; PpmParkRecordNodeStatistics+129F21o
		xor	eax, 5000100h
		add	[esi], ah
		add	[edx], al
; 
		db 3 dup(0)
		align 8

_KERNEL_MEM_EVENT_MDL_ALLOCATION:	; DATA XREF: MiAllocatePagesForMdl+100o
					; MiAllocatePagesForMdl+12158Eo
		or	al, [eax]
		add	[eax], dl
		add	al, 0
		pop	es
; 
		db 0
		dd 200h, 80000000h
_Mi10Milliseconds dd 0FFFE7960h		; DATA XREF: MiGatherMappedPages+72o
					; MiDelayFaultingThread+15o ...
dword_4057CC	dd 0FFFFFFFFh		; DATA XREF: .text:005C0796r
					; MiProcessDeleteOnClose(x)+11Br ...
; 

_POP_ETW_EVENT_SYSTEM_IDLE_UPDATE:	; DATA XREF: PopTraceSystemIdleUpdate(x,x,x,x,x,x,x,x,x,x,x,x)+36o
					; PopTraceSystemIdleUpdate(x,x,x,x,x,x,x,x,x,x,x,x)+EFo
		cmpsb
		add	[ecx], al
		adc	[eax+eax], al
		leave
		add	[esp+eax], al
; 
		dw 0
		dd 40000000h

;  S U B	R O U T	I N E 


; void EM_RULE_DISABLE_FASTS4_GUID
_EM_RULE_DISABLE_FASTS4_GUID proc near	; DATA XREF: PopFilterCapabilities+5Co
		sbb	eax, 9DE0574Dh
		mov	eax, 0C5A5461Ch
		mov	al, ds:707C8B99h

locret_4057EF:				; DATA XREF: PopCallPowerSettingCallback+C8o
					; PopCallPowerSettingCallback+149BA6o
		retn	93h
_EM_RULE_DISABLE_FASTS4_GUID endp

; 
		dw 1000h
		dd 0B10204h, 4,	40000000h
; 

_POP_ETW_EVENT_POWER_SETTING_CALLBACK_START: ; DATA XREF: PopCallPowerSettingCallback+70o
					; PopDispatchPowerSettingCallbacks+149C1Bo
		xchg	eax, edx
; 
		db 2 dup(0), 10h
		dd 0B10104h, 4,	40000000h
; 

_POP_ETW_EVENT_POWER_SETTING_RUNDOWN:	; DATA XREF: PopDiagTracePowerSetting+16o
		outsd
		add	[ecx], al
		adc	[eax+eax], al
		imul	eax, [eax], 80h
; 
		dd 40000000h
; 

_POP_ETW_EVENT_POWER_SETTING_CHANGE:	; DATA XREF: PopDiagTracePowerSetting:loc_796C97o
		jo	short $+2
		add	[eax], edx
		add	al, 0
		push	0
		add	byte ptr [eax],	0
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_SYSTEM_IDLE_TIME_RESET:	; DATA XREF: PopTraceSystemIdleTimeReset(x)+26o
		cmpsd
; 
		db 2 dup(0), 10h
		dd 0C90004h, 404h, 40000000h

;  S U B	R O U T	I N E 


; void GUID_DEVICE_ENUMERATED
_GUID_DEVICE_ENUMERATED	proc far	; DATA XREF: PipProcessStartPhase3+2F7o
					; PnpSetPlugPlayEvent+57o ...
		or	al, [eax+3Ah]
		retf
_GUID_DEVICE_ENUMERATED	endp

; 
		dd 11D046F0h, 60008FB0h, 3F051397h
; 

; void DEVPKEY_Device_PanelId
_DEVPKEY_Device_PanelId:		; DATA XREF: .text:004010C4o
					; .text:00401A80o ...
		xchg	bl, [esp+edi*4-685673h]
		dec	ebx
		wait
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		add	al, [eax]
; 
		dw 0
; void DEVPKEY_Device_PhysicalDeviceLocation
_DEVPKEY_Device_PhysicalDeviceLocation db '~',0Bh,'T@Ej',0Bh,'L',9,0
					; DATA XREF: _CmUpdateDevicePanel+D5o
					; PiPnpRtlSetObjectProperty+A176Co ...
		align 4

;  S U B	R O U T	I N E 


; void GUID_DEVICE_ARRIVAL
_GUID_DEVICE_ARRIVAL proc far		; DATA XREF: PnpSetDeviceInstanceStartedEventFromDeviceInstance+3Bo
					; PiUEventProcessBroadcastNotifications+1CCo ...
		or	[eax+3Ah], eax
		retf
_GUID_DEVICE_ARRIVAL endp

; 
		dd 11D046F0h, 60008FB0h, 3F051397h

;  S U B	R O U T	I N E 


; void GUID_DEVICE_EJECT
_GUID_DEVICE_EJECT proc	far		; DATA XREF: PnpProcessTargetDeviceEvent+4Co
					; PnpInsertEventInQueue+E1E75o	...
		cmovo	edi, [edx]
		retf
_GUID_DEVICE_EJECT endp

; 
		dd 11D046F0h, 60008FB0h, 3F051397h
; 

; void GUID_DEVICE_QUERY_AND_REMOVE
_GUID_DEVICE_QUERY_AND_REMOVE:		; DATA XREF: PnpProcessTargetDeviceEvent+34o
					; PnpInsertEventInQueue+E1E61o	...
		push	cs
		inc	eax
		cmp	cl, bl
		lock inc esi
		rcl	byte ptr [ecx],	1
		mov	al, 8Fh
		add	[eax-69h], ah

loc_4058A5:				; DATA XREF: .text:0040475Co
					; PiProcessNewDeviceNode+7A4o ...
		adc	eax, ds:0B947E3Fh
		push	esp
		inc	eax
		mov	edi, [ebp+eax*2+0B6AA2A8h]
		mov	[ebp+edi*4-5Eh], ecx
		add	al, 0
; 
		dw 0
; 

_DEVPKEY_Device_HardwareConfigurationIndex: ; DATA XREF: PipProcessStartPhase3+278o
					; PiProcessNewDeviceNode+3DFo
		add	[ecx+49h], dh
		xor	byte ptr [ebx-74h], 0B9h
		dec	eax
		stosb
		fxch	st(6)
		cmp	[esi+19h], bh
		lds	ebp, [esi+6]
; 
		db 3 dup(0)
_DEVPKEY_Device_LastRemovalDate	db '&cڃ@S?W;)g',0 ; DATA XREF: .text:0040477Co
					; PiProcessNewDeviceNode+3BCo ...
		align 4
_DEVPKEY_Device_LastArrivalDate	db '&cڃ@S?W;)f',0 ; DATA XREF: .text:00404778o
					; PiProcessNewDeviceNode+39Do
		align 4
_DEVPKEY_Device_LastKnownParent	db '&cڃ@S?W;)',0Ah,0 ; DATA XREF: .text:00404764o
					; _CmGetDeviceParent+F8o ...
		align 4

;  S U B	R O U T	I N E 


_GUID_PNP_EXTENDED_ADDRESS_INTERFACE proc near ; DATA XREF: PiProcessNewDeviceNode+1B7o
		in	al, dx
		xchg	eax, edx
		jmp	near ptr 0C4E7F0CBh
_GUID_PNP_EXTENDED_ADDRESS_INTERFACE endp

; 
		dec	ebp
		mov	[esi-7Ch], al
		rol	byte ptr [ecx+70h], 1
		jz	short loc_405962

_GUID_IOMMU_BUS_INTERFACE:		; DATA XREF: ExShareAddressSpaceWithDevice(x,x)+A1o
					; PiIommuGetInterface+3Ao
		mov	dl, 0E0h
; 
		dw 1EFEh
		dd 4AE4D278h, 341BDCBDh, 438064DDh
; 

_GUID_PNP_LOCATION_INTERFACE:		; CODE XREF: .text:0040592Fj
					; DATA XREF: PnpGetDeviceLocationStrings+F8o
		push	cs
		sbb	esp, [ecx]
		jo	short _GUID_PNP_LOCATION_INTERFACE
		or	bl, bl
		inc	edi
		scasd
		rol	dword ptr [ecx+0Bh], 0F8h
		inc	edx
		dec	ecx
; 
		db 7Ah
; 

; void GUID_TRANSLATOR_INTERFACE_STANDARD
_GUID_TRANSLATOR_INTERFACE_STANDARD:	; DATA XREF: IopQueryResourceHandlerInterface+5Bo
					; IopPnPDispatch+14Co
		xchg	eax, edx
		dec	edx
		adc	eax, 0D0AACF6Ch
		adc	[ebp-365FFFD6h], ecx
		push	es
		mov	dl, 44h

; void GUID_ARBITER_INTERFACE_STANDARD
_GUID_ARBITER_INTERFACE_STANDARD:	; DATA XREF: IopQueryResourceHandlerInterface+103o
					; IopPnPDispatch+12Ao
		test	esi, ecx
		inc	esp
		out	0Eh, al		; DMA controller, 8237A-5.
					; Clear	mask registers.
					; Any OUT enables all 4	channels.
		mov	eax, ss
		adc	[esi+2B0008CFh], edi
		loop	near ptr loc_405962+2
		das
; 
		dd 0
; 

_KMPnPEvt_BootInit_Stop:		; DATA XREF: PnpInitializeBootStartDriver+E4o
		rol	dword ptr [eax], cl

loc_405962:				; CODE XREF: .text:0040591Aj
					; .text:00405959j
		add	[esp+eax], dl
		add	dl, dl
		add	[eax], ah
		adc	[eax], al
; 
		db 0
		dd 4000000h
; 

_KMPnPEvt_BootInit_Start:		; DATA XREF: PnpInitializeBootStartDriver+BFo
		rol	byte ptr [eax],	cl
		add	[esp+eax], dl
		add	edx, edx
		add	[eax], ah
		adc	[eax], al
; 
		db 0
		dd 4000000h
; 

_KMPnPEvt_EarlyLaunch_PolicyCheck:	; DATA XREF: PnpDiagnosticTraceElamDecision(x,x,x,x)+2Co
					; PnpDiagnosticTraceElamDecision(x,x,x,x)+5Bo
		rol	dword ptr [eax], 1
; 
		dw 0
		dd 0CD0004h, 20h, 0
; void PnpWstrTranslated
_PnpWstrTranslated dd offset loc_54002E	; DATA XREF: PnpBuildCmResourceList+465o
					; IopInitializeResourceMap+DBo	...
		dd offset loc_61006E+4
aNslated:
		unicode	0, <nslated>,0
; void PnpWstrRaw
_PnpWstrRaw	dd offset loc_52002E	; DATA XREF: PnpBuildCmResourceList+406o
					; IopInitializeResourceMap+60o	...
aAw:
		unicode	0, <aw>,0
		align 4

; void DEVPKEY_Device_Reported
_DEVPKEY_Device_Reported:		; DATA XREF: .text:00404774o
					; PnpAssignResourcesToDevices(x,x,x)+73o ...
		add	[ecx+49h], dh
		xor	byte ptr [ebx-74h], 0B9h
		dec	eax
		stosb
		fxch	st(6)
		cmp	[esi+19h], bh
		lds	ebp, [esi+2]
; 
		db 3 dup(0)
; 

_Mi30Milliseconds:			; DATA XREF: MiFlushAllHintedStorePages(x)+8Ao
					; MiFlushAllPagesWorker:loc_5519D6o ...
		and	[ebx+edi*8-1], ch
; 
		dd 0FFFFFFFFh
; 

_RtlpRestrictedMapping:			; DATA XREF: RtlIsSandboxedToken+4Do
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1B2o
		add	[eax], eax
		add	al, [eax]
		add	[eax], eax
		add	al, [eax]
; 
		dd 20000h, 1F0001h
; 

_POP_ETW_EVENT_DEVICE_POWER_REQUIREMENT_FROM_PEP:
					; DATA XREF: PopDiagTraceFxDevicePowerRequirement+23o
		cmp	eax, 4000001h
		add	[ebp+10000h], dl
; 
		db 0
		align 10h

_POP_ETW_EVENT_COMPONENT_CONDITION:	; DATA XREF: PopDiagTraceFxComponentLogicalCondition+29o
		cmp	[ecx], al
; 
		dw 0
		dd 900004h, 100h, 0
; 

_POP_ETW_EVENT_DEVICE_POWERED:		; DATA XREF: PopDiagTraceFxDevicePowered+39o
					; PopDiagTraceFxDevicePowered+EF545o
		xor	eax, 4000001h

loc_405A05:				; CODE XREF: .text:00405A61j
		add	[ebp+10000h], cl
; 
		db 0
		align 10h

_KERNEL_AUDIT_API_OPENTHREAD:		; DATA XREF: PspLogAuditOpenThreadEvent(x,x,x,x)+3Bo
		push	es
; 
		db 3 dup(0)
		dd 4
		db 0
byte_405A19	db 3 dup(0)		; CODE XREF: .text:00405A75j
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void DEVPKEY_DeviceContainer_IsLocalMachine
_DEVPKEY_DeviceContainer_IsLocalMachine	proc near ; DATA XREF: .text:00404C40o
					; _CmGetDeviceContainerMappedProperty+66o ...
		enter	0FFFFC34Fh, 78h
		dec	edx
		adc	dl, cl
		dec	edx
		sahf
		movsb
		push	edx
		dec	ebp
		push	edx
		cdq
		outsb
_DEVPKEY_DeviceContainer_IsLocalMachine	endp

		push	edi
		inc	esi
; 
byte_405A31	db 3 dup(0)		; CODE XREF: .text:00405A63j

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void DEVPKEY_DeviceContainer_IsRebootRequired
_DEVPKEY_DeviceContainer_IsRebootRequired proc near ; DATA XREF: .text:00401040o
					; .text:0040159Co ...
		enter	0FFFFC34Fh, 78h
		dec	edx
		adc	dl, cl
		dec	edx
		sahf
		movsb
		push	edx
		dec	ebp
		push	edx
		cdq
		outsb
_DEVPKEY_DeviceContainer_IsRebootRequired endp

		push	edi
		insb
; 
byte_405A45	db 3 dup(0)		; CODE XREF: .text:00405A77j
; 

_KERNEL_MEM_EVENT_CONT_ALLOCATION:	; DATA XREF: MiAllocateContiguousMemory:loc_4F16D8o
					; MiAllocateContiguousMemory+DF549o
		or	eax, [eax]
		add	[eax], dl
		add	al, 0
		or	[eax], al
		add	[edx], al
; 
		dw 0
		dd 80000000h
; 

; void DEVPKEY_DriverDatabase_SchemaVersion
_DEVPKEY_DriverDatabase_SchemaVersion:	; DATA XREF: .text:004038A0o
					; DrvDbLoadDatabaseNode+132o ...
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	loc_405A05
		jz	short near ptr byte_405A31
		inc	edi
		fstp	tbyte ptr [edx+11h]

; void DEVPKEY_DriverDatabase_Version
_DEVPKEY_DriverDatabase_Version:	; DATA XREF: .text:off_4037F8o
					; DrvDbLoadDatabaseNode+E6o ...
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr byte_405A19
		jz	short near ptr byte_405A45
		inc	edi
		fstp	tbyte ptr [edx+2]

_POP_ETW_EVENT_KERNEL_STRS_INTERNAL:	; DATA XREF: PoTraceSystemTimerResolutionKernel+1Ao
		sub	eax, 4100002h
		add	[ebx], al
		add	[eax+eax], eax
; 
		dw 0
		dd 40000000h
; 

_ExpRestrictedGenericMapping:		; DATA XREF: ExCpuSetResourceManagerAccessCheck(x)+66o
					; ExIsRestrictedCaller(x)+4Fo
		add	[eax], eax
		add	al, [eax]
		add	[eax], eax
		add	al, [eax]
; 
		dd 20000h, 1F0001h
_PiAuLocalSystemSecurityMapping	dd 3 dup(20000h), 0F0000h
					; DATA XREF: ExpWnfCreateProcessContext+123o
; 

_KERNEL_AUDIT_API_CREATESYMBOLICLINKOBJECT: ; DATA XREF: NtCreateSymbolicLinkObject+2C8o
		add	eax, [eax]
; 
		dw 0
		align 10h

_POP_ETW_EVENT_DEFAULT_PEP_WORKER_DEVICE_ORPHANED:
					; DATA XREF: PopDiagTraceFxDefaultPepWorkerEnd+74o
					; PopDiagTraceFxDefaultPepWorkerEnd+D25DCo
		dec	ebp
		add	[eax], eax
		add	[ecx], al
		add	ah, dl
; 
		db 0
		dd 100h, 0
; 

_POP_ETW_EVENT_DEFAULT_PEP_WORKER_DEVICE_RECOVERED:
					; DATA XREF: PopDiagTraceFxDefaultPepWorkerEnd+60o
					; PopDiagTraceFxDefaultPepWorkerEnd+D259Fo ...
		dec	esp
		add	[eax], eax
		add	[ecx], al
		add	bl, dl
; 
		db 0
		dd 100h, 0
; 

_POP_ETW_EVENT_DEFAULT_PEP_WORKER_END:	; DATA XREF: PopDiagTraceFxDefaultPepWorkerEnd+4Co
					; PopDiagTraceFxDefaultPepWorkerEnd+D252Ao ...
		dec	ebx
		add	[eax], eax
		add	[edx+eax], al
		rol	byte ptr [eax],	cl
		add	[ecx], al
; 
		dw 0
		align 10h

; void DEVPKEY_DeviceInterface_Enabled
_DEVPKEY_DeviceInterface_Enabled:	; DATA XREF: .text:off_404754o
					; _CmGetDeviceInterfaceMappedPropertyFromRegValue+1BAo	...
		outsb
		push	ecx
		outsb
		add	dl, [eax+edi*4]
		dec	ebx
		inc	ecx
		or	ebp, 0FFFFFF85h
		insd
		outsd
		out	dx, eax
		dec	eax
		and	al, [ebx]
; 
		db 3 dup(0)
; 

; void DEVPKEY_DeviceInterface_FriendlyName
_DEVPKEY_DeviceInterface_FriendlyName:	; DATA XREF: .data:off_6B30E4o
					; _CmGetDeviceInterfaceMappedPropertyFromRegValue+212o	...
		outsb
		push	ecx
		outsb
		add	dl, [eax+edi*4]
		dec	ebx
		inc	ecx
		or	ebp, 0FFFFFF85h
		insd
		outsd
		out	dx, eax
		dec	eax
		and	al, [edx]
; 
		db 3 dup(0)
; 

_POP_ETW_EVENT_DEFAULT_PEP_WORKER_START: ; DATA	XREF: PopPepWork+67o
					; PopPepWork+F00E3o
		dec	edx
		add	[eax], eax
		add	[ecx+eax], al
		rol	byte ptr [eax],	cl
		add	[ecx], al
; 
		dw 0
		align 8

_WDI_SEM_EVENT_SCENARIO_END:		; DATA XREF: WdipSemDisableScenario+8Eo
		and	[eax], eax
		add	[eax], dl
		add	al, 0Bh
		or	[eax], eax
; 
		dd 0
		dd 80000001h
; 

_WDI_SEM_EVENT_SCENARIO_END_FAILED:	; DATA XREF: WdipSemDisableScenario:loc_7DA587o
					; WdipSemDisableScenario+11CF27o
		and	eax, 3110000h
		push	cs
		or	[eax], eax
; 
		dd 0
		dd 40000000h
; 

_POP_ETW_EVENT_DEVICE_RUNDOWN:		; DATA XREF: PoDiagTraceDeviceRundown(x,x,x,x)+BCo
		mov	[eax], al
		add	[eax], dl
		add	al, 0
		xchg	eax, edi
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

; void GUID_TARGET_DEVICE_TRANSPORT_RELATIONS_CHANGED
_GUID_TARGET_DEVICE_TRANSPORT_RELATIONS_CHANGED: ; DATA	XREF: .text:005DD7ACo
					; PiDcHandleCustomDeviceEvent+1Eo
		imul	byte ptr [eax]
		cmc
		cld
		das
		test	al, 0B1h
		inc	edi
		lodsd
		cmp	al, [eax-52B3A6B0h]
; 
		db 28h
; 

_PPM_ETW_PERF_CHECK_FAILED_START:	; DATA XREF: PpmEventTraceFailedPerfCheckStart+23o
		inc	edi
; 
		db 3 dup(0)
		dd 0B2205h, 2, 0
; 

_KERNEL_AUDIT_API_TERMINATEPROCESS:	; DATA XREF: PspLogAuditTerminateRemoteProcessEvent(x,x)+30o
		add	al, [eax]
; 
		dw 0
		dd 4, 2	dup(0)
; 

_WNF_SEB_APP_LAUNCH_PREFETCH:		; DATA XREF: PfSnPowerBoostUpdate(x)+42o
		jnz	short near ptr loc_405B98+2

loc_405B8A:				; CODE XREF: .text:00405BE9j
		mov	ebp, 840B3EA3h
		inc	ecx

_GUID_ECP_NETWORK_OPEN_CONTEXT:		; DATA XREF: IopSymlinkEnforceEnabledTypes+25o
					; IopSymlinkEnforceEnabledTypes+11873Do
		mov	edi, 0DFC584EDh
		add	[eax], ch
		dec	ebp

loc_405B98:				; CODE XREF: .text:_WNF_SEB_APP_LAUNCH_PREFETCHj
		mov	eax, 0CABA3584h
		mov	[ecx], edx
; 
		db 0E8h
; 

_WNF_WER_SERVICE_START:			; DATA XREF: DbgkpStartSystemErrorHandler()+20o
		jnz	short loc_405BAA
		mov	esp, 940B3AA3h
		inc	ecx

; void loc_405BA8
loc_405BA8:				; DATA XREF: DbgkpStartSystemErrorHandler()+55o
		fsubr	st, st(2)

loc_405BAA:				; CODE XREF: .text:_WNF_WER_SERVICE_STARTj
		outsb
		in	al, 54h
		or	al, 89h
		inc	esp
		cwde
		cwde
; 
		dw 0A78Fh
		dd 0E9E059Dh
; 

; void DEVPKEY_DeviceClass_NoUseClass
_DEVPKEY_DeviceClass_NoUseClass:	; DATA XREF: _CmGetInstallerClassMappedPropertyFromRegValue+1AAo
					; _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+137o ...
		cld

loc_405BB9:				; CODE XREF: .text:00405BEBj
		mov	edi, 50A7259Ah
		into
		inc	edi
		scasd
		or	[eax-37h], ch
		cmpsd
		xlat
		xor	esp, [esi+0Ah]
; 
		db 3 dup(0)
		align 10h

_PPM_ETW_MEDIA_BUFFERING_NOTIFY:	; DATA XREF: PpmMediaBufferingWorker+77o
					; PpmMediaBufferingWorker+95116o
		pusha
; 
		db 3 dup(0)
		dd offset loc_4B0004
		dd 20h,	0
; 

; void DEVPKEY_DriverPackage_SignerScore
_DEVPKEY_DriverPackage_SignerScore:	; DATA XREF: .text:004017C0o
					; DrvDbGetDriverPackageSignerScore(x,x,x,x)+1Co ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_405B8A+3
		jz	short loc_405BB9
		inc	edi
		fstp	tbyte ptr [edx+8]
; 
		dd 0
; 

_KShimInfoMessage:			; DATA XREF: KsepLogEtwMessage(x,x,x,x)+B0o
		add	al, [eax]
		add	[eax], edx
		add	al, 0
; 
		dw 0
		dd 0
		dd 80000000h
; 

_KShimErrorMessage:			; DATA XREF: KsepLogEtwMessage(x,x,x,x)+A7o
		add	[eax], eax
		add	[eax], edx
		add	al, [eax]
; 
		dw 0
		dd 0
		dd 80000000h
; 

_KMPnPEvt_DriverLoad_Stop:		; DATA XREF: IopLoadDriver+551o
		aad	0
		add	[esp+eax], dl
		add	dl, ah
		add	[eax], ah
		and	[eax], al
; 
		db 0
		dd 4000000h
; 

_KMPnPEvt_DriverLoad_Start:		; DATA XREF: IopLoadDriver+165o
		aam	0
		add	[esp+eax], dl
		add	esp, edx
		add	[eax], ah
		and	[eax], al
; 
		db 0
		dd 4000000h
; 

_KMPnPEvt_DriverInit_Stop:		; DATA XREF: IopLoadDriver+49Bo
		jecxz	short $+2
		add	[esp+eax], dl
		add	ah, dl
		add	[eax], ah
		add	[edx], al
; 
		db 0
		dd 4000000h
; 

_KMPnPEvt_DriverInit_Start:		; DATA XREF: IopLoadDriver+464o
		loop	$+2
		add	[esp+eax], dl
		add	edx, esp
		add	[eax], ah
		add	[edx], al
; 
		db 0
		dd 4000000h
; 

_THREATINT_DRIVER_OBJECT_LOAD:		; DATA XREF: EtwTiLogDriverObjectLoad+27o
					; EtwTiLogDriverObjectLoad+AF3C3o
		sbb	eax, 4100100h
		add	[edx], cl
; 
		db 0
		dd 40000000h, 80000000h
aSystemrootAppp:			; DATA XREF: KsepShimDbChanged+87o
					; KseShimDatabaseOpen+92o ...
		unicode	0, <\SystemRoot\AppPatch\drvpatch.sdb>,0
		align 10h
aSystemrootAp_1:			; DATA XREF: KsepShimDbChanged+3Ao
					; KseShimDatabaseOpen+79o
		unicode	0, <\SystemRoot\AppPatch\drvmain.sdb>,0
		align 8

_KMPnPEvt_DriverUnload_Stop:		; DATA XREF: IopUnloadDriver+22Ao
		xlat
; 
		db 2 dup(0), 14h
; 
		add	al, 2
		setalc
		add	[eax], ah

loc_405D01:				; CODE XREF: .text:00405D33j
		inc	eax
; 
		dw 0
		dd 4000000h
; 

_KMPnPEvt_DriverUnload_Start:		; DATA XREF: IopUnloadDriver+44o
		setalc
; 
		db 2 dup(0), 14h
		dd 0D60104h, 4020h, 4000000h
; 

_ETW_EVENT_PROVIDER_UNREGISTERS:	; DATA XREF: EtwpCloseRegistrationObject+19o
					; EtwUnregister:loc_850195o
		or	[eax], eax
		add	[ecx], dl
		add	eax, 20000311h
		add	al, [eax]
; 
		db 0
		dd 40000000h
; 

; void DEVPKEY_DeviceId_DriverInfMatches
_DEVPKEY_DeviceId_DriverInfMatches:	; DATA XREF: .text:off_405064o
					; .data:006B3838o ...
		add	al, 0EBh
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr aSystemrootAp_1+25h
		jz	short loc_405D01
		inc	edi
		fstp	tbyte ptr [edx+3]

_PiAuSecurityObjectMapping:		; DATA XREF: PiAuDoesClientHaveAccess(x)+14o
		add	[eax], eax
		add	al, [eax]
		inc	edx
		add	[edx], eax
		add	[eax+eax], ah
		add	al, [eax]
		inc	dword ptr [ecx]
		sldt	word ptr [eax]
; 
		db 3 dup(0)
; 

_KERNEL_AUDIT_API_PSSETLOADIMAGENOTIFYROUTINE:
					; DATA XREF: PspLogAuditSetLoadImageNotifyRoutineEvent(x,x)+4Ao
		add	[eax], eax
; 
		dw 0
		align 10h

_POP_ETW_EVENT_DIRECTED_DRIPS_DISENGAGE_MASK_CHANGED:
					; DATA XREF: PopDirectedDripsDiagTraceDisengageReasonChange+33o
					; PopDirectedDripsDiagTraceDisengageReasonChange+AA388o
		and	[edx], al
		add	[eax], dl
		add	al, 0
		hlt
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_DIRECTED_DRIPS_WORKER:	; DATA XREF: NtAlpcCancelMessage+137o
		sbb	[edx], al
		add	[eax], edx
		add	al, 0
		jmp	short $+2
		add	al, 0
; 
		dw 0
		dd 40000000h

;  S U B	R O U T	I N E 


_MS_Kernel_Prefetch_Provider proc near	; DATA XREF: PfSnBeginBootPhase+8Eo
		sbb	dl, dh
		and	dl, [ebx-6]
		sahf
		retn
_MS_Kernel_Prefetch_Provider endp

; 
		db 4Bh
		dd 0BE14F9A3h, 0F844C195h
; 

_POP_ETW_EVENT_STES:			; DATA XREF: PopDiagTraceSetThreadExecutionState(x,x)+33o
					; PopDiagTraceSetThreadExecutionState(x,x)+ECo
		db	3Eh
		add	[ecx], al
		adc	[eax+eax], al
		inc	esp
		add	[esp+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_DEVICESSUSPENDLEVEL_END:	; DATA XREF: PopDiagTraceDevicesLevel(x,x,x,x)+1Fo
		jg	short $+2
		add	[eax], dl
		add	al, 0
; 
		dw 0
		dd 0C0Ch, 40000000h
; 

_POP_ETW_EVENT_DEVICESSUSPENDLEVEL:	; DATA XREF: PopDiagTraceDevicesLevel(x,x,x,x):loc_71E8F3o
		jle	short $+2
		add	[eax], dl
		add	al, 0
; 
		dw 0
		dd 0C0Ch, 40000000h
; 

_POP_ETW_EVENT_DEVICESWAKELEVEL_END:	; DATA XREF: PopDiagTraceDevicesLevel(x,x,x,x)+A1o
		add	dword ptr [eax], 41000h
; 
		dw 0
		dd 0C0Ch, 40000000h
; 

_POP_ETW_EVENT_DEVICESWAKELEVEL:	; DATA XREF: PopDiagTraceDevicesLevel(x,x,x,x)+9Ao
		add	byte ptr [eax],	0
		adc	[eax+eax], al
; 
		dw 0
		dd 0C0Ch, 40000000h
; 

_POP_ETW_EVENT_POWER_AGGREGATOR_HANDLE_INTENT:
					; DATA XREF: PopPowerAggregatorDiagTraceHandleIntent(x,x,x,x,x,x)+7Ao
		add	al, cs:[eax]
		adc	[eax+eax], al
		add	al, 1
		add	al, 80h
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_POWER_AGGREGATOR_INTERNAL_STATE_CHANGE:
					; DATA XREF: PopPowerAggregatorDiagTraceInternalStateChange(x,x)+35o
		xor	[edx], eax
		add	[eax], dl
		add	al, 0
		pop	es
		add	[eax+eax*4], eax
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_POWER_AGGREGATOR_SUSPEND_RESUME:
					; DATA XREF: PopPowerAggregatorNotifySuspendResume(x)+69o
		xor	eax, 4100002h
		add	[ebx], cl
		add	[eax+eax*4], eax
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_POWER_AGGREGATOR_HANDLER_INVOKE:
					; DATA XREF: PopPowerAggregatorDiagTraceHandlerInvoke(x,x)+35o
		xor	al, [edx]
		add	[eax], dl
		add	al, 0
		or	[ecx], al
		add	al, 80h
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_POWER_AGGREGATOR_WORKER_END: ; DATA XREF: PopPowerAggregatorWorker(x)+6Co
		xor	[edx], al
		add	[eax], dl
		add	al, 0
		push	es
		add	[eax+eax*4], eax
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_POWER_AGGREGATOR_WORKER_START: ;	DATA XREF: PopPowerAggregatorWorker(x)+2Eo
		das
		add	al, [eax]
		adc	[eax+eax], al
		add	eax, 800401h
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_DEVICESSUSPEND:		; DATA XREF: PopDiagTraceDevicesSuspend(x,x,x)+2Fo
					; PopDiagTraceDevicesSuspend(x,x,x)+63o
		and	eax, [eax]
		add	[eax], dl
		add	al, 21h
		sub	[eax], eax
		or	al, 3Ch
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_PREPARESLEEP_END:	; DATA XREF: PopDiagTracePrepareSleepEnd()o
		mov	ebp, 4100000h
		add	bh, cl
		add	[eax], cl
		or	[eax], al
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_PREPARESLEEP:		; DATA XREF: PopDiagTracePrepareSleep()o
		mov	esp, 4100000h
		add	ecx, edi
		add	[eax], cl
		or	[eax], al
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_FLUSHSLEEPSTUDYLOGGER_STOP:
					; DATA XREF: PopDiagTraceFlushSleepStudyLoggerEnd()o
		scasb
; 
		db 2 dup(0), 10h
		dd 0CC0204h, 802h, 40000000h
; 

_POP_ETW_EVENT_FLUSHSLEEPSTUDYLOGGER_START:
					; DATA XREF: PopDiagTraceFlushSleepStudyLogger()o
		lodsd
; 
		db 2 dup(0), 10h
		dd 0CC0104h, 808h, 40000000h
; 

_POP_ETW_EVENT_SUPERFETCH_STOP:		; DATA XREF: PopDispatchSuperfetchNotification(x,x)+2Do
		inc	ecx
; 
		db 2 dup(0), 10h
		dd 362204h, 808h, 40000000h
; 

_POP_ETW_EVENT_SUPERFETCH_START:	; DATA XREF: PopDispatchSuperfetchNotification(x,x):loc_85A916o
		inc	eax
; 
		db 2 dup(0), 10h
		dd 362104h, 808h, 40000000h
; 

_POP_ETW_EVENT_DEVICESWAKE_END:		; DATA XREF: PopDiagTraceDevicesWakeEnd()o
		add	es:[eax], al
		adc	[edx], al
		sub	al, [eax]
		or	al, 0Ch
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_EXECUTE_POWER_ACTION:	; DATA XREF: PopExecutePowerAction+ACo
					; PopExecutePowerAction+A6B59o
		sub	eax, [edx]
		add	[eax], dl
		add	al, 0
		add	[ecx], eax
		add	al, 0
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_NTINITIATEPOWERACTION_API_CALL:
					; DATA XREF: PopDiagTracePolicyInitiatePowerActionApiCall(x,x)+71o
		mov	ebx, 4080000h
		add	bl, dh
		add	[esp+eax], al
; 
		dw 0
		dd 80004000h
; 

_POP_ETW_EVENT_PRESLEEP_CALLBACKS_STOP:	; DATA XREF: PopNotifyCallbacksPreSleep()+24o
		inc	ebp
; 
		db 2 dup(0), 10h
		dd 382204h, 808h, 40000000h
; 

_POP_ETW_EVENT_PRESLEEP_CALLBACKS_START: ; DATA	XREF: PopNotifyCallbacksPreSleep()+Bo
		inc	esp
; 
		db 2 dup(0), 10h
		dd 382104h, 808h, 40000000h
; 

_POP_ETW_EVENT_RESUMESERVICES_END:	; DATA XREF: PopResumeServices(x,x)+4Bo
		xchg	al, [eax]
		add	[eax], dl
		add	al, 22h
		sub	eax, [eax]
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_RESUMESERVICES:		; DATA XREF: PopResumeServices(x,x)+1Co
		sbb	eax, [eax]
		add	[eax], dl
		add	al, 21h
		sub	eax, [eax]
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_RESUMEAPPS_END:		; DATA XREF: PopResumeApps(x,x)+49o
		test	[eax], eax
		add	[eax], dl
		add	al, 22h
		sub	al, 0
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_RESUMEAPPS:		; DATA XREF: PopResumeApps(x,x)+1Bo
		sbb	al, [eax]
		add	[eax], dl
		add	al, 21h
		sub	al, 0
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_SUSPENDSERVICES_END:	; DATA XREF: PopSuspendServices(x,x)+30o
		sbb	[eax], eax
		add	[eax], dl
		add	al, 22h
		add	es:[eax], cl
		or	[eax], al
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_SUSPENDSERVICES:		; DATA XREF: PopSuspendServices(x,x)+Do
		sbb	[eax], al
		add	[eax], dl
		add	al, 21h
		add	es:[eax], cl
		or	[eax], al
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_SUSPENDAPPS_END:		; DATA XREF: PopSuspendApps(x,x)+27o
		pop	ss
; 
		db 2 dup(0), 10h
		dd 252204h, 808h, 40000000h
; 

_POP_ETW_EVENT_SUSPENDAPPS:		; DATA XREF: PopSuspendApps(x,x)+5o
		push	ss
; 
		db 2 dup(0), 10h
		dd 252104h, 808h, 40000000h
; 

_POP_ETW_EVENT_POWERTRANSITION_END:	; DATA XREF: PopDiagTracePowerTransitionEnd(x)+4Ao
		add	al, [eax]
		add	[eax], dl
		add	[edx], eax
		and	[eax], eax
		or	[eax], edx
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_HIBER_STATS:		; DATA XREF: PopDiagTraceHiberStats+400o
					; PopDiagTraceHiberStats+41Ao
		jnz	short $+2
		add	[eax], edx
		add	al, 0
		and	[eax], eax
		or	al, 2Ch
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_TRANSITIONTIMES:		; DATA XREF: PopDiagTracePerfTrackData+4Eo
					; PopDiagTracePowerTransitionTime()+56o ...
		daa
		add	[ecx], al
		adc	[eax+eax], al
		and	[eax], eax
		or	al, 3Ch
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_POWERTRANSITION_START:	; DATA XREF: PopDiagTracePowerTransitionStart(x,x)+56o
		add	[eax], eax
		add	[eax], dl
		add	[ecx], eax
		and	[eax], eax
		or	[eax], esi
; 
		dw 0
		dd 40000000h
_PopAwayModePolicyRegName:		; DATA XREF: PopReadSystemAwayModePolicy+4Do
		unicode	0, <AwayModeEnabled>,0
_POP_ETW_EVENT_FLUSHALLPAGES_END:	; DATA XREF: PopTransitionToSleep:loc_72066Ao
		unicode	0, <e>
		dw 1000h
		dd offset loc_612204
		dd 808h, 40000000h
; 

_POP_ETW_EVENT_FLUSHALLPAGES:		; DATA XREF: PopTransitionToSleep:loc_72063Do
		add	fs:[eax], al
		adc	[ecx], al
		popa
		add	[eax], cl
		or	[eax], al
; 
		db 0
		dd 40000000h
_XpressHighBitIndexTable db 0		; DATA XREF: RtlCompressBufferXpressHuffStandard+2D3r
					; RtlCompressBufferXpressHuffStandard+402r ...
		align 2
		dw 101h
		dd 2020202h, 2 dup(3030303h), 4	dup(4040404h), 8 dup(5050505h)
		dd 10h dup(6060606h), 20h dup(7070707h)
_XpressHashFunction dw 1664h		; DATA XREF: RtlMarkHiberPhase()+Ao
					; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+15Dr ...
		dw 3887h
		dd 62285EE9h, 58B82CEEh, 55D15948h, 5D8F3E9Dh, 35E206F9h
		dd 4790E79h, 1BD94099h,	7C7E662Ch, 50575B7Ah, 0DA73BAh
		dd 7941CCCh, 47934320h,	219C2787h, 34485C45h, 23BA7410h
		dd 69DC5049h, 5BCF16DAh, 6DEE5A88h, 6A901244h, 22027C0Ch
		dd 6BEA3CC7h, 0CD14983h, 0FD029C4h, 28FD4F23h, 1C5C6D41h
		dd 448D60EFh, 41354A32h, 41F779B4h, 7BE6210Bh, 304E7FCEh
		dd 3C851C0Dh, 676C5F19h, 375F1CBBh, 12D633ECh, 0D75909h
		dd 2C26093h, 4A8353BBh,	7E2464CFh, 729A1E87h, 24552A25h
		dd 61FC54BFh, 7A286459h, 3783435Fh, 688423E5h, 398C485Ch
		dd 2170182Ch, 664D3563h, 0FF97F94h, 5A000F88h, 500F7324h
		dd 13F61C93h, 45866FAAh, 15874D0h, 69E75773h, 178E2636h
		dd 1CFF484Dh, 7C2C23EDh, 4F8C6436h, 175347B2h, 16E2ABAh
		dd 47C33CCBh, 0E4929BBh, 3C4E484Fh, 1A61590h, 74863482h
		dd 3C676CBDh, 327939D6h, 57040F2Bh, 7BF14003h, 4B245497h
		dd 500C4FF6h, 606E2DE7h, 0B1864F4h, 268D23E5h, 61104B26h
		dd 64D13C78h, 2CCE50C9h, 24C16582h, 408C60B3h, 530A5E2Bh
		dd 6EF3361Dh, 53A71776h, 0A0A5AF0h, 4E912F17h, 0DEA1473h
		dd 2DD1B8Fh, 24FE769Dh,	23DA5F24h, 6F505372h, 0E932B80h
		dd 3E950BE7h, 59362E40h, 48B1038Bh, 49FF1271h, 68D73867h
		dd 3BD00976h, 657B2D79h, 7C1900C7h, 5C241472h, 3C0E5B69h
		dd 399E0616h, 79975E55h, 65A43626h, 7607922h, 6982CAAh
		dd 26E715BAh, 222608E8h, 646D05A3h, 60512A98h, 18EC5D4Ch
		dd 4E650FA8h, 189F6D81h, 76194B48h, 4599437Fh, 70575E41h
		dd 1A2A03A7h, 7F423F9Fh, 44B33854h, 435148D5h, 3D962121h
		dd 0FF00D12h, 2D936347h, 0C4D3C55h, 3816438Ah, 72F06DE0h
		dd 4F014439h, 4C1922C1h
word_406300	dw 59h			; DATA XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+144r
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+117r
		dw 5EF9h
dword_406304	dd 207238FFh, 49C4592Ch, 67591F36h, 77F1612Dh, 1F255E65h
		dd 24463FBFh, 75455895h, 1EC81EDDh, 0FA84673h, 73910961h
		dd 31F95441h, 24465B13h, 67AB2A64h, 662C3382h, 54646954h
		dd 3E2C2071h, 3B424567h, 669367C5h, 7A542DADh, 58897134h
		dd 404F01F0h, 13F72FE5h, 67C0797h, 33C95D7Ah, 7B4B1295h
		dd 494B3C6Dh, 540D45F2h, 4794741Bh, 5C024E5Eh, 605D234Fh
		dd 41837C1Fh, 795442DFh, 20450A1Bh, 42835611h, 6C115D9h
		dd 0B6200D6h, 48005559h, 53F21D05h, 74A76605h, 47E85763h
		dd 4BA40318h, 71154A4h,	1354545Ah, 7E34FE8h, 5967726Ah
		dd 573F7196h, 13E823E3h, 59842FAh, 57EE4BA6h, 639E1CFEh
		dd 2D1632D1h, 0A571EC3h, 2FAD1E68h, 4BC52FD3h, 14F43D7Ch
		dd 65CD1011h, 1EB06399h, 7E470785h, 186E2FB2h, 698869F2h
		dd 2EF24E99h, 24381374h, 29D41399h, 624A7960h, 339364FBh
		dd 76893E25h, 4D7E67EAh, 1257308Dh, 4453094Fh, 7B5B020Ch
		dd 30530526h, 4CAD4B52h, 560506ECh, 63AC31E7h, 66BD08D1h
		dd 6C5D2917h, 6A8215B0h, 6ECB34ECh, 7A0D485Ch, 438E175Eh
		dd 35175451h, 7C3C7A46h, 3CAD319Eh, 5D5173C8h, 40775EF8h
		dd 56513ACEh, 11CD4545h, 0D9558A5h, 46C1413Ch, 2AAE2DACh
		dd 259108A7h, 0F745EB8h, 617858ADh, 364103AAh, 5ED3105Fh
		dd 3D80238Dh, 2F324B68h, 44DA193Bh, 0AB07E2Ah, 6FC32151h
		dd 0F343D37h, 652C6895h, 5E47198Dh, 6126507Bh, 0FB36D16h
		dd 6E5C6F56h, 148327ECh, 65C56427h, 25FA6307h, 0FF60BCCh
		dd 63F171CDh, 4C6C5CE5h, 5CC0715Ch, 774306D8h, 76F35FA4h
		dd 2A9C6539h, 4CF43DECh, 67DE372Ah, 14B34644h, 56815BD7h
		dd 26776950h, 482213FFh, 0E08191Fh, 1CE61B50h, 5F302640h
		dd 6CB04D44h, 302417Eh
word_406500	dw 71D5h		; DATA XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+150r
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+123r
		dw 0B80h
; 
		jmp	short loc_406559
; 
		dw 29Bh
		dd 5B98713Eh
		db 64h,	31h
; 

loc_40650E:				; CODE XREF: .text:0040657Dj
		lahf
		push	ds
		test	eax, 0E84D2355h
		inc	eax
		xchg	eax, esi
		inc	edx
		hlt
		dec	edx
		cli
		jg	short near ptr loc_40654E+1
; 
		db 62h,	0CFh, 61h
		dd 2D44B89h, 133274EEh
; 
		lahf
		pop	eax
		dec	ecx

loc_40652B:				; CODE XREF: .text:loc_40657Bj
		add	esi, [ecx+37h]
		mov	cl, 59h
		out	dx, eax
		push	es
		neg	byte ptr [edx]
		xchg	eax, esp
		pop	edx
		sub	[ebx-63h], cl
		sbb	eax, [eax]
		sbb	bh, fs:54931382h
		or	cl, [esi]
		push	ebx
		insb
		fisttp	qword ptr [ebp-68h]
		sub	eax, 556B5165h

loc_40654E:				; CODE XREF: .text:0040651Bj
		rep or ebx, esp
		ja	short near ptr dword_406304+1ECh
		adc	esi, esp
		sysexit
; 
		db 0Dh
; 
		cli

loc_406559:				; CODE XREF: .text:00406504j
		push	ecx
		pusha
		or	al, dh
		sbb	edi, ebp
		xor	eax, 2F61E73h
		sub	al, 51h
		push	esi
		push	ecx
		mov	[edi+53h], edi
		fisttp	dword ptr es:[eax]
		and	[ebp+56h], esp
		sub	al, 1Fh

loc_406573:				; CODE XREF: .text:004065EFj
		imul	eax, [eax-38E43FF5h], 57h
		std

loc_40657B:				; CODE XREF: .text:004065D1j
		jp	short loc_40652B
		jns	short loc_40650E
		and	al, 0D2h
		ja	short near ptr loc_4065C9+1
		xor	eax, 51517CF1h
		loopne	near ptr loc_4065B2+5
		test	[eax+6], al
		sub	al, 0CCh
		pop	edi
		jns	short loc_40659E
		jnb	short loc_4065DB
		stosb
		adc	al, 25h
		pop	ds
		inc	edx
		bound	ecx, [eax]
		jge	short near ptr loc_4065F5+2
		inc	ebp

loc_40659E:				; CODE XREF: .text:00406590j
		rep or al, 7Dh
		imul	ebp, 0BF3D4F54h
		dec	edi
		jnz	short near ptr loc_4065C9+2
		rep invd
		pop	esp
		sbb	ah, [ecx-5Ch]
		pop	esi

loc_4065B2:				; CODE XREF: .text:00406588j
		mov	dword ptr [ebx], 382539BCh
		pop	ecx
		push	edi
		inc	esp
		push	ecx
		call	far ptr	31Fh:4341CF0Bh
		arpl	cx, bp
		sbb	esp, edx
		jno	short near ptr loc_406605+4

loc_4065C9:				; CODE XREF: .text:00406581j
					; .text:004065A8j
		bound	ebp, [edi+41h]
		adc	eax, 8120DD27h
		jl	short loc_40657B
		xor	[esi+ebp*2], edx
		add	ebx, [ebx+31h]

loc_4065D9:				; CODE XREF: .text:00406631j
		inc	eax
		dec	edx

loc_4065DB:				; CODE XREF: .text:00406592j
		push	cs
		push	0B670D61Eh
		dec	ebp
		push	ebx
		dec	ecx
		mov	ds:85024C02h, eax
		add	ebx, [esi+ebx*2]
		fild	dword ptr [esi]
		aaa
		ja	short near ptr loc_406573+6
		lds	edi, cs:[edx]
		inc	esp

loc_4065F5:				; CODE XREF: .text:0040659Bj
		cmp	eax, 274823DFh

loc_4065FA:				; CODE XREF: .text:004065FFj
		rol	byte ptr [ecx+78h], 1
		aas
		lodsd
		jle	short near ptr loc_4065FA+2
		or	[eax+2Ch], esp
		xchg	eax, esi

loc_406605:				; CODE XREF: .text:00406661j
					; .text:004065C7j
		mov	cs:0F54C2B7Dh, al
		sub	dh, [ebp+4Fh]
		adc	[edi], edx
		in	al, dx
		inc	eax
		jl	short loc_406691
		lahf
		insb
		add	al, 4Ch
		xchg	bl, [esi-77h]
		add	esi, [eax+13h]
		lahf
		cmp	[eax+45h], bl
		in	al, 3Ah
		cli
		jl	short loc_40668B
		sub	eax, 3E996B56h
		out	7Ah, eax
		insd
		xlat	byte ptr gs:[ebx]
		jo	short loc_4065D9
		inc	esi
		fimul	word ptr [esi]
		push	edx
		sub	al, 2Dh
		sbb	bl, [eax+6Bh]
		pop	edx
		jnz	short loc_40667C
		add	[esi], dh
		pop	es
		pop	dword ptr [eax-78h]

loc_406645:				; CODE XREF: .text:00406656j
		and	esi, [ebx-15F32BEAh]
		add	esi, [edx-5FBE23AEh]
		push	edx
		ficom	dword ptr [ecx]
		aam	27h
		lock jg	short near ptr loc_406645+5
		and	esi, [edi+58h]
		jnb	short loc_40669F
		add	edi, [esi+21h]
		jz	short near ptr loc_406605+3
		pop	edx
		retn	594Dh
; 
		db 51h
		dd 0CA579CDh, 624403A3h, 402B4EDCh, 4A31383Ah, 625B1EB1h
; 

loc_40667C:				; CODE XREF: .text:0040663Dj
		shl	byte ptr [ebp-71h], 1
		push	es
		jmp	far ptr	6328h:3B7FF95Ch
; 
		db 7
		db 0D7h, 36h, 0Bh
; 

loc_40668B:				; CODE XREF: .text:00406625j
		add	al, 9Ah
		dec	ebx
		and	al, 19h
		push	es

loc_406691:				; CODE XREF: .text:00406612j
		cmp	al, 57h
		cmp	esp, esi
		push	12FE4DEBh
		mov	eax, ds:0EF1CEF4Ah

loc_40669F:				; CODE XREF: .text:0040665Cj
		xor	ch, [ebp+3459BA0Fh]
		aas
		dec	esp
		cmp	[ebp+0Dh], cl
		js	short near ptr loc_4066BE+1
		dec	eax
		push	14F11B7Bh
		xchg	eax, ebx
		xor	cs:[ecx-4Bh], dl
		pop	ebx
		sbb	ah, ds:65422284h

loc_4066BE:				; CODE XREF: .text:004066AAj
		jnz	short loc_40673F
		cmc
		imul	edx, [edx], 0DD46DD79h
		push	ebp
		imul	dword ptr [edx+1Ah]
		pop	ebp
		db	2Eh
		pop	edi
		sub	al, [di]
		sbb	[eax], ah
		push	esi
		setalc
		db	2Eh
		in	eax, dx
		xor	al, 0DBh
		adc	[edi], al
		push	cs
		insd
		pop	es
		insb
		push	ebp
		xchg	eax, ebp
		pop	edx
		mov	ds:0DC6E0E62h, eax
		sbb	[esi], ebp
		sub	eax, 17157B49h
		or	ch, [ecx]
		adc	[esp+edx], edx
		and	[eax], ah
		dec	esi
		or	[eax], edi
		icebp
		inc	ebx
		mov	ch, 1Ch
		xor	al, [ebx-36h]
; 
		db 3Ch

;  S U B	R O U T	I N E 


_FILE_TYPE_NOTIFICATION_GUID_HIBERNATION_FILE proc near	; DATA XREF: PopResizeHiberFile+13Ao
					; PopCreateHiberFile(x,x)+398o
		db	64h
		dec	ebp
		bound	esi, [edi+4CF8B9A3h]
		adc	byte ptr [ecx],	5Bh
		xchg	cl, cl
		inc	eax
		out	0B7h, eax	; Interrupt Controller #2, 8259A
_FILE_TYPE_NOTIFICATION_GUID_HIBERNATION_FILE endp


;  S U B	R O U T	I N E 


_GUID_WINDOWS_BOOTMGR proc near		; DATA XREF: PopBcdSetPendingResume+7Fo
					; PopBcdClearPendingResume(x)+11o ...
		sub	al, 86h
		jmp	far ptr	0AC4Eh:705CDD9Dh
_GUID_WINDOWS_BOOTMGR endp

; 
		sal	ebx, 2Bh
		xor	al, 4Dh
		inc	edi
		xchg	eax, ebp

; void GUID_CURRENT_BOOT_ENTRY
_GUID_CURRENT_BOOT_ENTRY:		; DATA XREF: PopBcdEstablishResumeObject+40o
					; BiIsObjectAliased+Bo
		xchg	eax, ebx
		db	64h
		xchg	eax, edx
		cli
		sbb	al, 6Fh
		xchg	eax, ebx
		inc	ecx
		movsb
		adc	al, 58h
		lock mov dl, 45h
		insd
		push	ds

; void GUID_DEFAULT_BOOT_ENTRY
_GUID_DEFAULT_BOOT_ENTRY:		; DATA XREF: BiIsObjectAliased+23o
		mov	bh, 1Eh
		scasb
		sbb	al, 0DFh
		mov	al, ds:51984D4Dh
		dec	eax
		pusha
		jecxz	short near ptr dword_40678C
		cmc

loc_40673F:				; CODE XREF: .text:loc_4066BEj
					; DATA XREF: PopBuildDeviceNotifyList+88o
		xor	eax, 10000067h
		add	al, 22h
		bound	eax, [eax]
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_BUILDNOTIFYLIST:		; DATA XREF: PopBuildDeviceNotifyList:loc_722295o
		db	66h
		add	[eax], al
		adc	[ecx], al
		bound	eax, [eax]
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_PPM_ETW_INTERRUPT_STEERING_STATE_DISCONNECT: ;	DATA XREF: KiIntSteerDisable+1Eo
		add	eax, 4000000h
		add	large ds:100h, al
; 
		db 0
		align 10h

_POP_ETW_EVENT_SUSPENDSERVICE_END:	; DATA XREF: PopDiagTraceServiceNotification(x)+22o
		adc	eax, [eax]
		add	[eax], dl
		add	al, 2
		add	es:[eax], cl
		or	[eax], al
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_SUSPENDSERVICE:		; DATA XREF: PopDiagTraceServiceNotification(x)+19o
		adc	al, [eax]
		add	[eax], dl
		add	al, 1
		add	es:[eax], cl
		or	[eax], al
; 
		db 0
dword_40678C	dd 40000000h		; CODE XREF: .text:0040673Cj
; 

_POP_ETW_EVENT_FLUSHVOLUMES_STOP:	; DATA XREF: PopFlushVolumes:loc_722B6Bo
		add	cs:[eax], al
		adc	[edx+eax], al
		das
		add	[eax], cl
		or	[eax], al
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_FLUSHVOLUMES_START:	; DATA XREF: PopFlushVolumes+19o
		sub	eax, 4100000h
		add	[edi], ebp
		add	[eax], cl
		or	[eax], al
; 
		db 0
		dd 40000000h
_PopHiberbootEnabledRegName dd offset loc_690048 ; DATA	XREF: PopReadHiberbootPolicy+44o
					; PopReadHiberbootGroupPolicy(x)+6Co
		dd offset loc_650061+1
		dd offset loc_620072
aOotenabled:
		unicode	0, <ootEnabled>,0
		align 8

_PopHiberbootGroupPolicyRegKey:		; DATA XREF: PopReadHiberbootGroupPolicy(x)+29o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		outsd
		add	[esi+0], ah
		jz	short $+2
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+50h], bl
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 730065h
		pop	esp
		add	[ebp+0], cl
		imul	eax, [eax], 720063h
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
		dd 2 dup(0)
; 

_POP_ETW_EVENT_RTC_WAKE_INFO:		; DATA XREF: PopDiagTraceRtcWakeInfo+12Co
					; PopDiagTraceRtcWakeInfo+1E2o
		mov	ecx, 4100000h
		add	ch, bl
		add	[esp+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_SUSPENDAPP:		; DATA XREF: PopDiagTraceAppPowerMessage(x)+2Do
					; PopDiagTraceAppPowerMessage(x)+B0o
		adc	[eax], al
		add	[eax], dl
		add	al, 1
		and	eax, 80800h
; 
		db 0
		dd 40000000h
; 

_POP_ETW_ADPM_SESSION_CLOSED:		; DATA XREF: PopSessionClosed(x)+17o
		xchg	eax, ecx
		add	[eax], eax
		adc	[eax+eax], al
		outsb
		add	[esp+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_SESSION_DISPLAY_ON:	; DATA XREF: PopDiagTraceSessionDisplayStateChange(x,x,x,x)+1Fo
		xchg	eax, esi
; 
		db 2 dup(0), 10h
		dd 0BA0004h, 404h, 40004000h
; 

_POP_ETW_EVENT_SESSION_DISPLAY_OFF:	; DATA XREF: PopDiagTraceSessionDisplayStateChange(x,x,x,x)+16o
		xchg	eax, ebp
; 
		db 2 dup(0), 10h
		dd 0B90004h, 404h, 40004000h
; 

_POP_ETW_EVENT_SUSPENDAPP_END:		; DATA XREF: PopDiagTraceAppPowerMessageEnd(x)+2Co
					; PopDiagTraceAppPowerMessageEnd(x)+50o
		adc	[eax], eax
		add	[eax], dl
		add	al, 2
		and	eax, 80800h
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_POSTSLEEP_NOTIFICATION:	; DATA XREF: PopDiagTracePostSleepNotification+F1o
		imul	eax, [eax], 1
		or	[eax+eax], al
		db	66h
		add	[esp+eax+0], al
; 
		db 0
		dd 80000000h
; 

_KernelSystemTimeChange:		; DATA XREF: EtwTraceSystemTimeChange+104o
		add	[eax], eax
		add	cl, [eax]
		add	al, 0
		add	eax, 1000h
; 
		db 0
		dd 80000000h
; 

_POP_ETW_ADPM_SESSION_DISCONNECTED:	; DATA XREF: PopSessionDisconnected(x,x)+Do
		xchg	eax, ebx
		add	[eax], eax
		adc	[eax+eax], al
		jo	short $+2
		add	al, 4
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_PRESLEEP_NOTIFICATION3:	; DATA XREF: PopDiagTracePreSleepNotification(x,x,x,x,x)+51o
		sub	al, [eax]
		add	ecx, [eax]
		add	al, 0
		inc	eax
		add	[esp+eax], al
; 
		dw 0
		dd 80000000h
; 

_POP_ETW_EVENT_KERNEL_QUERY_ALLOWED:	; DATA XREF: PopDiagTraceKernelQueriesAllowed(x)+2Co
					; PopDiagTraceKernelQueriesAllowed(x)+51o
		cmp	eax, 4100000h
		add	[ebx+0], al
		add	al, 24h
; 
		dw 0
		dd 40000000h
; 

_WNF_PO_SYSTEM_TIME_CHANGED:		; DATA XREF: PopPolicyTimeChange()+14o
		jnz	short $+2
		mov	ebp, 0C6013DA3h
		inc	ecx

_KMPnPEvt_DeviceEnum_Start:		; DATA XREF: PipEnumerateDevice+72o
					; PipEnumerateDevice+A1D44o
		fadd	qword ptr [eax]
		add	[edx], dl
		add	al, 1
		fadd	qword ptr [eax]
		and	[eax], al
		add	[eax], eax
; 
		dd 10000000h
; 

_DEVPKEY_Device_PreventDriverLoad:	; DATA XREF: PipCallDriverAddDevice+16Fo
		db	26h
		arpl	dx, bx
		and	dword ptr [esi-6BBF7769h], 53h
		mov	eax, ds:3B573F92h
		sub	[ebx], edx
; 
		db 3 dup(0)
		align 8

_KMPnPEvt_DeviceEnum_Stop:		; DATA XREF: PnpDeviceCompletionRoutine(x,x,x)+46o
					; PipEnumerateDevice+A1D13o ...
		fiadd	word ptr [eax]
		add	[edx], dl
		add	al, 2
		fadd	qword ptr [eax]
		and	[eax], al
		add	[eax], eax
; 
		dd 10000000h
; 

_DEVPKEY_DeviceClass_LowerFilters:	; DATA XREF: .data:off_6B3828o
					; _CmGetInstallerClassCompoundFilters:loc_8591A7o ...
		mov	edx, [ecx-961BCDFh]
		or	eax, 4DDEA547h
		mov	bh, al
		pop	edx
		ror	byte ptr [ebx+14h], cl
; 
		db 3 dup(0)
; 

; void DEVPKEY_DeviceClass_CompoundLowerFilters
_DEVPKEY_DeviceClass_CompoundLowerFilters: ; DATA XREF:	.text:004045D8o
					; .text:off_40485Co ...
		hlt
		xor	esi, [edx+ebp*2]
		db	26h
		push	esi
		call	near ptr 0DBFA12A7h
		fldlg2
		ror	byte ptr [eax+154Bh], cl
; 
		db 0
; 

_DEVPKEY_DeviceClass_UpperFilters:	; DATA XREF: .data:off_6B3820o
					; _CmGetInstallerClassCompoundFilters+D8o ...
		mov	edx, [ecx-961BCDFh]
		or	eax, 4DDEA547h
		mov	bh, al
		pop	edx
		ror	byte ptr [ebx+13h], cl
; 
		db 3 dup(0)
; 

; void DEVPKEY_DeviceClass_CompoundUpperFilters
_DEVPKEY_DeviceClass_CompoundUpperFilters: ; DATA XREF:	.text:004045D0o
					; .text:0040488Co ...
		hlt
		xor	esi, [edx+ebp*2]
		db	26h
		push	esi
		call	near ptr 0DBFA12CFh
		fldlg2
		ror	byte ptr [eax+144Bh], cl
		add	[esi-6Ch], bh	; DATA XREF: PipCallDriverAddDevice+457o
		or	edx, [eax+eax*2-75h]
		mov	esp, 6AA2A845h
		or	ecx, [ecx+1A2BD4Ch]
; 
		db 3 dup(0)
_DEVPKEY_Device_DriverProblemDesc db '~',0Bh,'T@Ej',0Bh,'L',0Bh,0
					; DATA XREF: PnpDeviceCompletionProcessCompletedRequest+8Do
					; PnpStartDeviceNode+92DE4o
		align 10h

; void DEVPKEY_Device_ClassGuid
_DEVPKEY_Device_ClassGuid:		; DATA XREF: .text:004010DCo
					; .text:00401A60o ...
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr loc_4069D7+4
; 
		db 3 dup(0)
; 

; void DEVPKEY_Device_InstallError
_DEVPKEY_Device_InstallError:		; DATA XREF: PiPnpRtlSetObjectProperty+24Eo
					; PiPnpRtlSetObjectProperty+26Bo ...
		db	26h
		arpl	dx, bx

loc_4069D7:				; CODE XREF: .text:004069CFj
		and	dword ptr [esi-6BBF7769h], 53h
		mov	eax, ds:3B573F92h

loc_4069E3:				; DATA XREF: PiPnpRtlSetObjectProperty+231o
					; PiAuditDeviceOperation(x,x,x)+134o ...
		sub	ds:4E000000h, eax
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	_DEVPKEY_Device_CompatibleIds
; 
		db 3 dup(0)
; 

; void DEVPKEY_Device_CompatibleIds
_DEVPKEY_Device_CompatibleIds:		; CODE XREF: .text:004069F7j
					; DATA XREF: PiPnpRtlSetObjectProperty+288o ...
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr _DEVPKEY_DeviceClass_ClassCoInstallers+1
; 
		db 3 dup(0)
; 

; void DEVPKEY_DeviceClass_ClassCoInstallers
_DEVPKEY_DeviceClass_ClassCoInstallers:	; CODE XREF: .text:00406A0Bj
					; DATA XREF: _CmGetInstallerClassMappedProperty+13Ao ...
		add	edx, [edi]
		cmp	eax, 0F5A2E271h
		dec	ecx
		xchg	eax, edx
		adc	al, 56h
		inc	edi
		rep ficomp dword ptr cs:[edx+eax+0]
; 
		dw 0
; 

; void DEVPKEY_Device_ConfigFlags
_DEVPKEY_Device_ConfigFlags:		; DATA XREF: .data:006B3144o
					; .data:006B314Co ...
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	loc_406A41
; 
		db 3 dup(0)
; 

; void DEVPKEY_Device_ProblemCode
_DEVPKEY_Device_ProblemCode:		; DATA XREF: .text:004015D0o
					; .text:00401AA0o ...
		lds	esp, [esi-6C05BCC0h]
		push	es
		inc	edi
		xchg	eax, edi

loc_406A41:				; CODE XREF: .text:00406A33j
		sub	al, 7Bh
		or	byte ptr fs:[eax], 0A5h
		cmpsd
		add	eax, [eax]
; 
		dw 0
		align 10h

_POP_ETW_EVENT_IRPFINISH:		; DATA XREF: PopDiagTraceIrpFinish(x)+35o
					; PopDiagTraceIrpFinish(x)+EBo
		or	[eax], al
		add	[eax], dl
		add	al, 2
		daa
		add	[eax], cl
; 
		db 3 dup(0)
		dd 40000000h
; 

_POP_ETW_EVENT_DEVICE_POWER_STATE:	; DATA XREF: PopDiagTraceFxDevicePowerState+3Do
					; PopDiagTraceFxDevicePowerState+8570Eo
		xor	al, 1
; 
		dw 0
		dd 8C0004h, 100h, 0
; 

_POP_ETW_EVENT_IRPSTART:		; DATA XREF: PopDiagTraceIrpStart+A2o
					; PopDiagTraceIrpStart+15Do
		pop	es
		add	[ecx], al
		adc	[ecx+eax], al
		daa
		add	[eax], cl
; 
		db 3 dup(0)
		dd 40000000h
; 

_POP_ETW_EVENT_IRP_DRIVERRELEASE:	; DATA XREF: PopDiagTraceDeviceReleaseIrp(x,x)+29o
		adc	eax, 4100000h
		add	ch, [eax]
		add	[eax], cl
; 
		db 3 dup(0)
		dd 40000000h
; 

_POP_ETW_EVENT_IRP_DRIVERACQUIRE:	; DATA XREF: PopDiagTraceDeviceAcquireIrp(x,x)+32o
		adc	al, 0
		add	[eax], dl
		add	al, 1
		sub	[eax], al
		or	[eax], al
; 
		dw 0
		dd 40000000h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void DEVPKEY_DeviceContainer_IsConnected
_DEVPKEY_DeviceContainer_IsConnected proc near ; DATA XREF: .text:00401030o
					; .text:00401584o ...
		enter	0FFFFC34Fh, 78h
		dec	edx
		adc	dl, cl
		dec	edx
		sahf
		movsb
		push	edx
		dec	ebp
		push	edx
		cdq
		outsb
_DEVPKEY_DeviceContainer_IsConnected endp

		push	edi
		aaa
; 
		db 3 dup(0)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void DEVPKEY_DeviceContainer_ConfigFlags
_DEVPKEY_DeviceContainer_ConfigFlags proc near ; DATA XREF: PiPnpRtlSetObjectProperty+1EDo
					; PiDcGenerateConfigNotificationIfContainerRequiresConfiguration+68o ...
		enter	0FFFFC34Fh, 78h
		dec	edx
		adc	dl, cl
		dec	edx
		sahf
		movsb
		push	edx
		dec	ebp
		push	edx
		cdq
		outsb
_DEVPKEY_DeviceContainer_ConfigFlags endp


loc_406AC3:				; CODE XREF: .text:00406AE8j
		push	edi
; 
		dd 69h
; 

_WNF_PNPC_CONTAINER_CONFIG_REQUESTED:	; DATA XREF: PiDcGenerateConfigNotificationIfContainerRequiresConfiguration+A4o
					; PiDcContainerRequiresConfiguration(x)+86o
		jnz	short near ptr asc_406AE0+2
		mov	esp, 96003DA3h
		add	dl, [edx]	; DATA XREF: PipCreateComputerId+119o
		fdivr	st, st(7)
		jo	short loc_406B54
		dec	esp
		jge	short loc_406B24
; 
dword_406AD8	dd 2 dup(0)		; CODE XREF: .text:00406AE6j
; char asc_406AE0[]
asc_406AE0	db ' ',9,0Dh,0          ; CODE XREF: .text:_WNF_PNPC_CONTAINER_CONFIG_REQUESTEDj
					; DATA XREF: PipSmBiosGetString+AEo ...
; 

; void INTERRUPT_CONNECTION_DATA_PKEY
_INTERRUPT_CONNECTION_DATA_PKEY:	; DATA XREF: PnpGetDevicePropertyData+10Bo
					; IopGetInterruptConnectionData+20o ...
		or	[edi], ecx
		loop	near ptr dword_406AD8
		jp	short loc_406AC3
		test	eax, 0BB468049h
		outsb
		and	ah, dh
		mov	ebx, 22Eh

loc_406AF7:				; DATA XREF: KiIntSteerConnect+217o
		add	[eax+eax], al
; 
		dw 0
		align 10h
		dd 1, 0

;  S U B	R O U T	I N E 


_INTSTEER_ETW_PROVIDER proc near	; DATA XREF: KiIntSteerConnect+293o
		jmp	far ptr	0DCC8h:30951B41h
_INTSTEER_ETW_PROVIDER endp

; 
		db 44h
		dd 0C9E271A6h, 0B8098895h
dword_406B18	dd 3 dup(10001h)	; DATA XREF: RtlpHpLfhContextInitialize(x,x,x,x,x,x,x)+A6o
; 

loc_406B24:				; CODE XREF: .text:00406AD6j
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax
		add	[eax], eax

loc_406B54:				; CODE XREF: .text:00406AD3j
		add	[ecx], eax
		add	al, [eax]
		add	[edx], eax
		add	[ecx], al
		add	al, [eax]
		add	[edx], eax
		add	[ecx], al
		add	al, [eax]
		add	[edx], eax
		add	[ecx], al
		add	al, [eax]
		add	[edx], eax
		add	[ecx], al
		add	al, [eax]
		add	[edx], eax
		add	[ecx], al
		add	al, [eax]
		add	[edx], eax
		add	[ecx], al
		add	al, [eax]
		add	[edx], eax
		add	[ecx], al
		add	al, [eax]
		add	[edx], eax
		add	[ecx], al
		add	al, [eax]
		add	[edx], eax
		add	[ecx], al
		add	al, [eax]
		add	[edx], eax
		add	[ecx], al
		add	al, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[edx], eax
		add	eax, [eax+eax]
		add	[edx], eax
		add	eax, [eax+eax]
		add	[edx], eax
		add	eax, [eax+eax]
		add	[edx], eax
		add	eax, [eax+eax]
		add	[edx], eax
		add	eax, [eax+eax]
		add	[edx], eax
		add	eax, [eax+eax]
		add	[edx], eax
		add	eax, [eax+eax]
		add	[edx], eax
		add	eax, [eax+eax]
		add	[edx], eax
		add	eax, [eax+eax]
		add	[edx], eax
		add	eax, [eax+eax]
		add	[edx], eax
		add	eax, [eax+eax]
		add	[edx], eax
		add	eax, [ecx]
		add	al, [ebx]
		add	al, 5
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		add	[ecx], al
		add	al, [ebx]
		add	[edx], eax
		add	eax, ds:2010006h[eax]
		add	eax, ds:2010006h[eax]
		add	eax, ds:2010006h[eax]
		add	eax, ds:2010006h[eax]
		add	eax, ds:2010006h[eax]
		add	eax, ds:2010006h[eax]
		add	eax, ds:2010006h[eax]
		add	eax, ds:2010006h[eax]
		add	eax, ds:1000706h[eax]
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		add	[edx], eax
		add	eax, ds:80706h[eax]
		add	[edx], eax
		add	eax, ds:80706h[eax]
		add	[edx], eax
		add	eax, ds:80706h[eax]
		add	[edx], eax
		add	eax, ds:80706h[eax]
		add	[edx], eax
		add	eax, ds:80706h[eax]
		add	[edx], eax
		add	eax, ds:80706h[eax]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		add	[ecx], al
		add	al, [ebx]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	al, [eax]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	al, [eax]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	al, [eax]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	al, [eax]
		add	[edx], eax
		add	eax, ds:1080706h[eax]
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		add	[ecx], al
		add	al, [ebx]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		sldt	word ptr [ecx]
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		sldt	word ptr [ecx]
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		sgdt	fword ptr [edx]
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm0, oword ptr	[eax]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm0, oword ptr	[eax]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 1
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	al, [eax]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	al, [eax]
		add	[edx], eax
		add	eax, ds:3020106h[eax]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 0
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 0
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		sgdt	fword ptr [edx]
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[eax], al
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], bl
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], bl
		sbb	al, [eax]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], bl
		sbb	bl, [ebx]
		add	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], bl
		sbb	bl, [ebx]
		sbb	al, 0
		add	[edx], eax
		add	eax, ds:4030201h[eax]
		add	eax, 9080706h
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], bl
		sbb	bl, [ebx]
		sbb	al, 1Dh
		add	[ecx], al
		add	al, [ebx]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], bl
		sbb	bl, [ebx]
		sbb	al, 1Dh
		push	ds
		add	[ecx], al
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], bl
		sbb	bl, [ebx]
		sbb	al, 1Dh
		push	ds
		pop	ds
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], bl
		sbb	bl, [ebx]
		sbb	al, 1Dh
		push	ds
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], bl
		sbb	bl, [ebx]
		sbb	al, 1Dh
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], bl
		sbb	bl, [ebx]
		sbb	al, 1
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], bl
		sbb	bl, [ebx]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], bl
		sbb	al, [ecx]
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], bl
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], al
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		pop	ss
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		push	ss
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 15h
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		adc	al, 1
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	dl, [ebx]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		adc	al, [ecx]
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm2, oword ptr	[ecx]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		movups	xmm0, oword ptr	[ecx]
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		sgdt	fword ptr [edx]
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 0Dh
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	cl, [ebx]
		or	al, 1
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		add	[edx], eax
		add	eax, ds:9080706h[eax]
		or	al, [ecx]
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		or	[ecx], cl
		add	[edx], eax
		add	eax, ds:1080706h[eax]
		add	al, [ebx]
		add	al, 5
		push	es
		pop	es
		add	[edx], eax
		add	eax, ds:3020106h[eax]
		add	al, 5
		add	[edx], eax
		add	eax, [ecx+eax]
		add	al, [ebx]
		add	[edx], eax
		add	[eax], eax
; 
; void dword_40727C
dword_40727C	dd 4 dup(0)		; DATA XREF: _PnpDeviceRaisePropertyChangeEventWorker+165o
; 

_WNF_UBPM_CONSOLE_MONITOR:		; DATA XREF: PopUpdateConsoleDisplayState(x)+6Co
		jnz	short near ptr loc_40729D+1
		mov	esp, 960C38A3h
; 
		db 0Ch
; 

_GUID_MONITOR_POWER_ON:			; DATA XREF: PopUpdateConsoleDisplayState(x)+43o
		adc	eax, 10027310h
		inc	ebp
		db	26h
		inc	ebp
		cdq

loc_40729D:				; CODE XREF: .text:_WNF_UBPM_CONSOLE_MONITORj
		out	0E5h, al
		mov	eax, ds:0EA1ABD7Eh
; 
; void GUID_CONSOLE_DISPLAY_STATE
_GUID_CONSOLE_DISPLAY_STATE db 'VoJpG$oG',0
					; DATA XREF: PoRegisterPowerSettingCallback+71o
					; PopUpdateConsoleDisplayState(x)+26o ...
		align 4
_POP_ETW_EVENT_IDLE_CHECK:		; DATA XREF: PopDiagTraceIdleCheck+34o
					; PopDiagTraceIdleCheck+D3DFCo
		unicode	0, <H>
		dw 1000h
		dd offset loc_460004
		dd 10h,	40000000h
; 

; void GUID_IDLE_BACKGROUND_TASK
_GUID_IDLE_BACKGROUND_TASK:		; DATA XREF: PopScanIdleList(x,x,x)+26Co
					; PoRegisterPowerSettingCallback+105o
		fdiv	dword ptr [ecx]
		pop	esp
		push	ecx
		xor	al, 0F7h
		cmp	eax, 11FDA016h
		mov	al, ds:0F1E8918Ch

; void GUID_BACKGROUND_TASK_NOTIFICATION
_GUID_BACKGROUND_TASK_NOTIFICATION:	; DATA XREF: PopScanIdleList(x,x,x)+2D1o
					; PoRegisterPowerSettingCallback+11Do
		inc	eax
		repne and ecx, edi
		push	esp
		sub	bl, al
		dec	eax
		mov	cl, 14h
		ficom	word ptr ds:2E05FF18h

; void GUID_EM_PO_CONSOLE_STATE_CHANGE_REMAP_RULE
_GUID_EM_PO_CONSOLE_STATE_CHANGE_REMAP_RULE:
					; DATA XREF: PoRegisterPowerSettingCallback+22Fo
		lodsb
		xchg	bl, [ebx+1EC3B2B0h]
		dec	edx
		xchg	dl, ds:0F81221B3h
		mov	bh, 37h

_WNF_PO_DISCHARGE_ESTIMATE:		; DATA XREF: PopBatteryWorker+2B9o
		jnz	short near ptr loc_407346+4
		mov	esp, 0C6013DA3h
		inc	ecx

_WNF_PO_CHARGE_ESTIMATE:		; DATA XREF: PopBatteryWorker+289o
		jnz	short near ptr byte_407362
		mov	esp, 0C6013DA3h
		inc	ecx

_BATTERY_EVT_SYSTEM_BATTERY_STATUS_CHANGE:
					; DATA XREF: PopBatteryTraceSystemBatteryStatus+13o
		add	[eax], eax
		add	[eax], dl

loc_40730C:				; CODE XREF: .text:00407331j
		add	al, 0
		add	[eax], eax
; 
		dd 0
		dd 80000000h
; 

_WNF_PO_DISCHARGE_START_FILETIME:	; DATA XREF: PopGetDischargeStartStatus+23o
					; PopBatteryWorker+A0658o
		jnz	short loc_407376
		mov	esp, 0C6013DA3h
		inc	ecx

_POP_ETW_EVENT_CONSOLE_DISPLAY_STATE:	; DATA XREF: PopDiagTraceConsoleDisplayState(x)+26o
		xchg	eax, [eax]
		add	[eax], dl
		add	al, 0
; 
		dw 0
		dd 404h, 40002000h
; 

_DEVPKEY_Device_SafeRemovalRequiredOverride: ; DATA XREF: .data:006B3134o
					; _CmIsDeviceSafeRemovalRequired+10Bo
		inc	eax
		jbe	short loc_40730C
		scasd
		mov	ds:0B6421086h, eax
		jl	short loc_407363
		pushf
		inc	ecx
		stosb
		mov	esi, 355h
		add	[ebp-10h], dh	; DATA XREF: PopPerfBoostPowerRequest(x,x,x)+50o

loc_407346:				; CODE XREF: .text:_WNF_PO_DISCHARGE_ESTIMATEj
		mov	esp, 840B3EA3h
		inc	ecx

; void GUID_POWER_POLICY_PROFILE_LOW_LATENCY
_GUID_POWER_POLICY_PROFILE_LOW_LATENCY:	; DATA XREF: PpmPerfCalculateQosClassPolicies+109o
		fsub	qword ptr [ebp-57h]
		or	eax, 4C0B8FCFh
; 
		dd 0D58DFE8Eh, 9A95BCE7h, 0
; 

_PPM_ETW_QOS_SUPPORT_CHANGED:		; DATA XREF: PpmEventQosSupport+1Co
		jg	short $+2
; 
byte_407362	db 0			; CODE XREF: .text:_WNF_PO_CHARGE_ESTIMATEj
; 

loc_407363:				; CODE XREF: .text:00407339j
		add	[eax+eax], al
		imul	eax, [eax], 82h
; 
		dd 0
; 

_PPM_ETW_LATENCY_SENSITIVITY_HINT:	; DATA XREF: PoLatencySensitivityHint+64o
					; PoLatencySensitivityHint+8202Eo
		xor	al, 0
; 
		dw 0
		db 4, 0
; 

loc_407376:				; CODE XREF: .text:_WNF_PO_DISCHARGE_START_FILETIMEj
		and	eax, 200h
; 
		db 0
		align 10h

_PPM_ETW_PROCESSOR_PERF_STATE_CHANGE:	; DATA XREF: PpmEventProcessorPerfStateChange+78o
					; PpmEventProcessorPerfStateChange+81B61o ...
		or	al, [eax]
		add	al, 0
		add	al, 0
		or	al, [eax]
		add	[eax], eax
; 
		dw 0
		align 10h

_PPM_ETW_EXPECTED_UTILITY:		; DATA XREF: PpmEventTraceExpectedUtility+53o
					; PpmEventTraceExpectedUtility+81B88o
		or	eax, 4000000h
		add	large ds:200h, cl
; 
		db 0
		align 10h

_WDI_SEM_EVENT_SCENARIO_START:		; DATA XREF: WdipSemEnableScenario+89o
		and	[eax], al
		add	[eax], dl
		add	al, 0Ah
		or	[eax], eax
; 
		dd 0
		dd 80000001h
; 

_WDI_SEM_EVENT_SCENARIO_START_FAILED:	; DATA XREF: WdipSemEnableScenario:loc_86C8CCo
					; WdipSemEnableScenario+9EBB6o
		and	al, 0
		add	[ecx], dl
		add	ecx, large ds:9
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_SYSTEM_IDLE_TIMEOUT_INITIALIZED:
					; DATA XREF: PopTraceSystemIdleTimeoutInitialization(x,x,x,x,x,x,x)+2Fo
					; PopTraceSystemIdleTimeoutInitialization(x,x,x,x,x,x,x)+8Co
		movsd
		add	[ecx], al
		adc	[eax+eax], al
		leave
		add	[esp+eax], al
; 
		dw 0
		dd 40000000h

;  S U B	R O U T	I N E 


_WNF_PO_ENERGY_SAVER_OVERRIDE proc near	; DATA XREF: PopEsWorker+1B3o

; FUNCTION CHUNK AT 00407402 SIZE 00000004 BYTES

		jnz	short loc_407402
		mov	esp, 0C6013DA3h
		inc	ecx
_WNF_PO_ENERGY_SAVER_OVERRIDE endp


;  S U B	R O U T	I N E 


_WNF_PO_ENERGY_SAVER_SETTING proc near	; DATA XREF: PopEsWorker+13Co
		jnz	short loc_407402
		mov	esp, 0C6013DA3h
		inc	ecx
_WNF_PO_ENERGY_SAVER_SETTING endp


;  S U B	R O U T	I N E 


_GUID_SESSION_DISPLAY_STATUS proc near	; DATA XREF: .text:_PopSessionSpecificGuidso
					; PopSetSessionDisplayStatus(x,x,x)+41o
		push	cs
		retn	2B84h
_GUID_SESSION_DISPLAY_STATUS endp ; sp = -4

; 
		and	ebp, [ebp-246CB221h]
		add	eax, 0FC7EBDFFh
		movsd

_POP_ETW_ADPM_SESSION_DISPLAY_STATE:	; DATA XREF: PopSetSessionDisplayStatus(x,x,x)+12o
		pushf
		add	[eax], eax
		adc	[eax+eax], al
		jns	short $+2
		add	al, 4
; 
		dw 0
		dd 40000000h
; 

_APPCOMPAT_REG_WRP_ACCESS_DENIED:	; DATA XREF: CmpPublishEventForPcaResolver+3Ao
					; CmpPublishEventForPcaResolver+C0o
		add	[eax], eax
; START	OF FUNCTION CHUNK FOR _WNF_PO_ENERGY_SAVER_OVERRIDE

loc_407402:				; CODE XREF: _WNF_PO_ENERGY_SAVER_OVERRIDEj
					; _WNF_PO_ENERGY_SAVER_SETTINGj
		add	[eax], dl
		add	al, 0
; END OF FUNCTION CHUNK	FOR _WNF_PO_ENERGY_SAVER_OVERRIDE
; 
		dw 0
		dd 8, 80000000h
; 

_POP_ETW_EVENT_SETSYSTEMSTATE:		; DATA XREF: PopDiagTraceSetSystemState(x)+26o
		dec	ecx
; 
		db 2 dup(0), 10h
		dd offset loc_470002+2
		dd 2404h, 40000000h
; 

_POP_ETW_EVENT_COMPONENT_IDLE_STATE:	; DATA XREF: PopDiagTraceFxComponentIdleState+3Co
					; PopDiagTraceFxComponentIdleState+820E3o
		cmp	[ecx], eax
; 
		dw 0
		dd 910004h, 100h, 0
; 

_PPM_ETW_DELIVERED_PERF_CHANGE:		; DATA XREF: PpmPerfSnapDeliveredPerformance+406o
					; PpmCheckUpdateDeliveredPerformanceIfTracingEnabled()+9o
		outsd
		add	[edx], al
		add	[eax+eax], al
		pop	ecx
		add	[eax+0], al
; 
		db 3 dup(0)
_PopSimulateRegName:			; DATA XREF: PopInitializePowerPolicySimulate:loc_870490o
		unicode	0, <PowerPolicySimulate>,0
_PopSimulateHiberBugcheckRegName:	; DATA XREF: PopInitializePowerPolicySimulate+C4o
		unicode	0, <PowerSimulateHiberBugcheck>,0
		align 10h
_PopSimulateRegKey:			; DATA XREF: PopInitializePowerPolicySimulate+73o
		unicode	0, <Control\Session Manager>,0

;  S U B	R O U T	I N E 


; void GUID_SYSTEM_COOLING_POLICY
_GUID_SYSTEM_COOLING_POLICY proc near	; DATA XREF: PopThermalCoolingPowerSettingCallback+32o
		adc	eax, 9994D3A6h
		test	al, 0C5h
		dec	edx
		scasb
		sub	esp, esp
		fdiv	st, st(6)
		xor	al, 36h
		jg	short near ptr loc_407517+2
					; DATA XREF: PopWnfSprActiveSessionChangeCallback(x,x,x,x,x,x)+4Fo
		into
		and	al, 0Eh
		xchg	eax, ebx
		retn
_GUID_SYSTEM_COOLING_POLICY endp

; 
		dw 4742h
		dd 4F74B1BDh, 8EE09E4Bh

;  S U B	R O U T	I N E 


_GUID_MIXED_REALITY_MODE proc near	; DATA XREF: PopWnfMixedRealityCallback(x,x,x,x,x,x)+3Eo
		dec	esi
		imul	esp, [edx+1Eh],	4
		iret
_GUID_MIXED_REALITY_MODE endp

; 
		lea	ecx, [edi-64h]
		mov	ecx, 230F5B7Ch
		xchg	eax, ecx

_PPM_ETW_DOMAIN_PERF_STATE_CHANGE:	; DATA XREF: PpmEventDomainPerfStateChange+50o
					; PpmEventDomainPerfStateChange+819A1o
		or	[eax], eax
		add	eax, [eax]
		add	al, 0
		or	[eax], eax
		add	[eax], eax
; 
		dw 0
		align 10h

_POP_ETW_ADPM_SESSION_CREATED:		; DATA XREF: PopSessionCreated(x)+17o
		nop
		add	[eax], eax
		adc	[eax+eax], al
		insd

loc_407517:				; CODE XREF: _GUID_SYSTEM_COOLING_POLICY+Fj
		add	[esp+eax], al
; 
		dw 0
		dd 40000000h
; 

_ETW_EVENT_UPDATE_TRACE:		; DATA XREF: EtwpTransitionToRealtime(x,x)+10Bo
					; EtwpUpdateTrace+231o
		or	al, 0
		add	[ecx], dl
		add	eax, 10000214h
; 
		db 3 dup(0)
		dd 40000000h
; 

; void CritSecGuid
_CritSecGuid:				; DATA XREF: EtwpStartLogger+3DDo
					; EtwpUpdateTrace+14Bo	...
		db	36h
		mov	byte ptr [bp+si], 59h
		int	3		; Trap to Debugger
		dec	dword ptr [ecx+eax*4+15h]
; 
		dw 0F58Dh
		dd 6B81390Eh
; 

; void HeapGuid
_HeapGuid:				; DATA XREF: EtwpStartLogger+3C1o
					; EtwpUpdateTrace+133o	...
		stosd
		bound	ebp, [ecx]
		and	al, [eax-57B4779Fh]
		and	eax, 0F2756B34h

loc_40754E:				; DATA XREF: EtwpFlushTrace+C5o
		mov	large ds:0D4Ah,	al
		adc	ds:1000020Fh, eax
; 
		db 3 dup(0)
		dd 40000000h
; 

; void SystemTraceControlGuid
_SystemTraceControlGuid:		; DATA XREF: EtwpAcquireLoggerContext+1Co
					; EtwpStartLogger+26Fo	...
		lodsd
		dec	edx
		sbb	dword ptr [esi+11D23204h], 6000829Ah

loc_40756C:				; DATA XREF: EtwpStopTrace+12Fo
					; EtwpLogger(x)+3F9o ...
		or	[eax+0B3969h], ch
		add	dl, [ecx]
		add	eax, 1000020Eh
; 
		db 3 dup(0)
		dd 40000000h
aDeviceNamedpip:			; DATA XREF: SepValidateReferencedCachedHandles+E2o
		unicode	0, <\Device\NamedPipe>,0
		align 8

_PsDiskIoAttributionStart:		; DATA XREF: EtwTracePsIoAttribution+17o
		adc	[eax], eax
		add	[eax], dl
		add	al, 1
		adc	[eax], al
		add	[eax], dl
; 
		dw 0
		dd 80000000h
; 

_PsDiskIoAttributionStop:		; DATA XREF: EtwTracePsIoAttribution:loc_7E6AB6o
		adc	al, [eax]
		add	[eax], dl
		add	al, 2
		adc	[eax], al
		add	[eax], dl
; 
		dw 0
		dd 80000000h
; void RtlpAppPackageAuthority
_RtlpAppPackageAuthority dd 0		; DATA XREF: RtlCheckTokenMembershipEx(x,x,x,x)+18Eo
					; RtlCheckTokenMembershipEx(x,x,x,x)+1C0o ...
		db 0, 0Fh, 0
byte_4075CF	db 0			; CODE XREF: .text:00407631j
_RtlpNtAuthority dd 0			; DATA XREF: .text:00513670o
		dd 500h
; 

_THREATINT_DEVICE_OBJECT_LOAD:		; DATA XREF: EtwTiLogDeviceObjectLoadUnload+14o
		pop	ds
		add	[ecx], al
		adc	[eax+eax], al
		or	al, [eax]
; 
		dd 2 dup(80000000h)
; 

_THREATINT_DEVICE_OBJECT_UNLOAD:	; DATA XREF: EtwTiLogDeviceObjectLoadUnload:loc_7EE835o
		and	[eax], al
		add	[eax], edx
		add	al, 0
		or	al, [eax]
; 
		dd 2 dup(80000000h)
; 

; void loc_4075F8
loc_4075F8:				; DATA XREF: EtwpEnableAutoLoggerProvider+434o
		sbb	al, 84h
		sub	ah, al
		mov	ds:0AF4FA775h, eax
		enter	9AEh, 0CFh
		wait
		jg	short loc_40762B

_PfSnEvt_PrefetchMetadata_Stop:		; DATA XREF: PfSnLogPrefetchMetadata+29o
		add	al, 0
		add	[eax], edx
		add	al, 2
		add	eax, [eax]

loc_407610:				; CODE XREF: .text:0040761Aj
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

; void s_ProviderThreatInt
_s_ProviderThreatInt:			; DATA XREF: EtwpCheckNotificationAccess+2Fo
					; EtwpEnableAutoLoggerProvider+452o
		jl	short near ptr aDeviceNamedpip+23h
		loope	loc_407610
		pop	ebp
		mov	ebx, 0D8F15668h
		add	al, 0Fh
		dec	ebp
; 
		db 8Dh,	0D3h, 44h
; 

; void KernelRundownGuid
_KernelRundownGuid:			; DATA XREF: EtwpEnableDisableSpecialGuids+63o
		push	ecx
		cdq
		pushf

loc_40762B:				; CODE XREF: .text:00407606j
		cmp	eax, [eax-6CBDDFCCh]
		ja	short near ptr byte_4075CF
		mov	ss, word ptr [ecx-7Ch]

loc_407636:				; CODE XREF: .text:_DEVPKEY_Device_IsPresentj
		cmc
; 
		db 0CDh
; 

; void PrivateLoggerNotificationGuid
_PrivateLoggerNotificationGuid:		; DATA XREF: EtwpNotifyGuid(x,x,x)+FFo
					; EtwpValidateEnableNotification+5Fo ...
		pop	esp
		stosd
		xchg	eax, ebp
		xor	eax, 4C8E042Ah
		mov	ecx, 9B052D42h
; 
		db 0FEh, 2 dup(0B1h)
; 

_PfSnEvt_OpenVolumes_Stop:		; DATA XREF: PfSnLogOpenVolumesForPrefetch+23o
		push	es
; 
		db 2 dup(0), 10h
		dd 50204h, 20h,	80000000h
; 

_PfSnEvt_OpenVolumes_Start:		; DATA XREF: PfSnLogOpenVolumesForPrefetch+17o
		add	eax, 4100000h
		add	large ds:2000h,	eax
; 
		db 0
		dd 80000000h
; 

; void GUID_DEVINTERFACE_VOLUME
_GUID_DEVINTERFACE_VOLUME:		; DATA XREF: PfSnOpenVolumesForPrefetch+119o
					; PiUEventProcessBroadcastNotifications+176o
		or	eax, 0BF53F563h
		mov	dh, 0D0h
		adc	[edx+esi*8+1EC9A000h], edx
		sti
; 
		db 8Bh
; 

; void DEVPKEY_Device_Parent
_DEVPKEY_Device_Parent:			; DATA XREF: .text:004047E0o
					; .data:006B3138o ...
		lds	esp, [esi-6C05BCC0h]
		push	es
		inc	edi
		xchg	eax, edi
		sub	al, 7Bh
		or	byte ptr fs:[eax], 0A5h
		cmpsd
		or	[eax], al
; 
		dw 0
; 

; void DEVPKEY_Device_RemovalRelations
_DEVPKEY_Device_RemovalRelations:	; DATA XREF: .text:004047F0o
					; _CmGetDeviceMappedPropertyFromComposite:loc_7F9694o ...
		lds	esp, [esi-6C05BCC0h]
		push	es
		inc	edi
		xchg	eax, edi
		sub	al, 7Bh

loc_407697:				; CODE XREF: _DEVPKEY_NAME+Ej
		or	byte ptr fs:[eax], 0A5h
		cmpsd
; 
		dd 5
; 

; void DEVPKEY_Device_IsPresent
_DEVPKEY_Device_IsPresent:		; DATA XREF: .text:004047ACo
					; .data:006B3114o ...
		jle	short loc_407636
		or	edx, [eax+eax*2-75h]
		mov	esp, 6AA2A845h
		or	ecx, [ecx+5A2BD4Ch]
; 
		db 3 dup(0)
; 

; void DEVPKEY_Device_ContainerId
_DEVPKEY_Device_ContainerId:		; DATA XREF: .text:00401094o
					; .text:004010ACo ...
		push	es
		sar	byte ptr [esi-74h], cl
		mov	bh, [edi]
		daa
		dec	eax
		mov	bl, 0ABh
		scasb
		sahf
		pop	ds
		scasb
		cld
		insb
		add	al, [eax]
; 
		dw 0
; 

; void DEVPKEY_Device_FriendlyName
_DEVPKEY_Device_FriendlyName:		; DATA XREF: .data:off_6B3168o
					; _CmGetDeviceMappedPropertyFromComposite+25Eo	...
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr loc_4076E3+4
; 
		db 3 dup(0)

;  S U B	R O U T	I N E 


; void DEVPKEY_NAME
_DEVPKEY_NAME	proc near		; DATA XREF: .text:004015B8o
					; .text:00401B00o ...
		xor	cl, dh
		and	eax, 1A47EFB7h

loc_4076E3:				; CODE XREF: .text:004076D7j
		adc	[ebp-739FFD0Fh], ah
		sahf
		jmp	short near ptr loc_407697+1
_DEVPKEY_NAME	endp

; 
		dd 0Ah
; 

; void DEVPKEY_Device_BaseContainerId
_DEVPKEY_Device_BaseContainerId:	; DATA XREF: .text:_PiPnpRtlDeviceReadOnlyPropso
					; .data:off_6B3124o ...
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	loc_407727
; 
		db 3 dup(0)
; 

; void DEVPKEY_Device_InLocalMachineContainer
_DEVPKEY_Device_InLocalMachineContainer:
					; DATA XREF: _CmGetDeviceMappedPropertyFromComposite+2FCo
					; PiAuditDeviceStart(x)+28o ...
		push	es
		sar	byte ptr [esi-74h], cl
		mov	bh, [edi]
		daa
		dec	eax
		mov	bl, 0ABh
		scasb
		sahf
		pop	ds
		scasb
		cld
		insb
		add	al, 0
; 
		dw 0
; 

; void DEVPKEY_Device_EjectionRelations
_DEVPKEY_Device_EjectionRelations:	; DATA XREF: .text:004047ECo
					; _CmGetDeviceMappedPropertyFromComposite:loc_7F94A4o ...
		lds	esp, [esi-6C05BCC0h]
		push	es
		inc	edi
		xchg	eax, edi
		sub	al, 7Bh
		or	byte ptr fs:[eax], 0A5h

loc_407727:				; CODE XREF: .text:004076FFj
		cmpsd
		add	al, 0
; 
		dw 0
; 

_DEVPKEY_Device_DeviceDesc:		; DATA XREF: .data:006B316Co
					; _CmGetDeviceMappedPropertyFromComposite+2B9o	...
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr byte_40773F
; 
		db 2 dup(0)
byte_40773F	db 0			; CODE XREF: .text:0040773Bj
; 

; void DEVPKEY_Device_CompoundLowerFilters
_DEVPKEY_Device_CompoundLowerFilters:	; DATA XREF: .text:00401630o
					; .text:004045C8o ...
		db	26h
		arpl	dx, bx
		and	dword ptr [esi-6BBF7769h], 53h
		mov	eax, ds:3B573F92h
		sub	[edi], edx
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_LowerFilters:		; DATA XREF: .data:off_6B30F8o
					; _CmGetDeviceCompoundFilters:loc_8596EFo ...
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr byte_407779
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_UpperFilters:		; DATA XREF: .data:off_6B3100o
					; _CmGetDeviceCompoundFilters+D3o ...
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr loc_40778B+1
; 
byte_407779	db 3 dup(0)		; CODE XREF: .text:00407763j
; 

; void DEVPKEY_Device_CompoundUpperFilters
_DEVPKEY_Device_CompoundUpperFilters:	; DATA XREF: .text:00401624o
					; .text:004045C0o ...
		db	26h
		arpl	dx, bx
		and	dword ptr [esi-6BBF7769h], 53h
		mov	eax, ds:3B573F92h

loc_40778B:				; CODE XREF: .text:00407777j
		sub	[esi], edx
; 
		db 3 dup(0)
; 

; void DEVPKEY_Device_DevNodeStatus
_DEVPKEY_Device_DevNodeStatus:		; DATA XREF: .text:004015DCo
					; .text:00401A90o ...
		lds	esp, [esi-6C05BCC0h]
		push	es
		inc	edi

loc_407798:				; CODE XREF: .text:004077C3j
		xchg	eax, edi
		sub	al, 7Bh
		or	byte ptr fs:[eax], 0A5h
		cmpsd
		add	al, [eax]
; 
		dw 0
; 

; void DEVPKEY_NODE
_DEVPKEY_NODE:				; DATA XREF: .data:off_6B2AC4o
					; .data:off_6B3834o ...
		xlat
		pop	ebx
		insb
		or	eax, 498DAD27h
		mov	edi, edi
		fidiv	dword ptr [edi]
		sub	edi, [eax]
		imul	dword ptr [edi+2]

; void DEVPKEY_DeviceInterfaceClass_DefaultInterface
_DEVPKEY_DeviceInterfaceClass_DefaultInterface:
					; DATA XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+A2o
					; IopGetDeviceInterfaces+115o ...
		cdq
		cmp	cl, al
		adc	al, 3Fh
		or	esi, [edi-5EB341BCh]
		js	short loc_407798
		cdq
		add	eax, 264h

loc_4077CB:				; DATA XREF: PiDqIrpQueryCreate+DBo
					; PiDqQuerySerializeActionQueue+12Bo ...
		add	[eax+edx*2+20h], dl
		xor	eax, [edi]
; 
		db 3 dup(0)
		dd 3 dup(0)
		db 2 dup(0)
word_4077E2	dw 0			; DATA XREF: .text:004016F8o
dword_4077E4	dd 1860112h, 8001Dh, 3155B01h, 6080010h, 0F1004C06h, 82B5BFFh
					; DATA XREF: PiDqIrpQueryCreate+D1o
		dd 0FFFC0008h, 1, 2 dup(0)
		dd 80002h, 10003h, 100000h, 2, 24h, 80020000h, 812FFFFh
		dd 11B5C25h, 190002h, 10000h, 2	dup(0)
		dd 5B050000h, 80316h, 5C465C4Bh, 40004h, 0FFDC2012h, 5B08085Bh
		dd 140315h, 0FF94004Ch,	3165B08h, 5C4B001Ch, 185C46h, 8120018h
		dd 4C5B5C25h, 0EFFE300h, 31B5B08h, 19001Ch, 11002Ch, 1
		dd 27100000h, 5C4B0000h, 1C4948h, 10000h, 180018h, 5C250812h
		dd 0BF004C5Bh, 1B5BFFh,	190001h, 10024h, 2 dup(0)
		dd 5B020000h, 2C0316h, 5C465C4Bh, 1C001Ch, 5C250812h, 285C46h
		dd 20120028h, 0E5BFFD2h, 0FF88004Ch, 5B080808h,	2C031Bh
		dd 340019h, 10011h, 0
		dd 2710h, 49485C4Bh, 2Ch, 1C0002h, 812001Ch, 285C25h, 20120028h
		dd 4C5BFF9Ah, 5BFFAB00h, 1001Bh, 180019h, 1, 2 dup(0)
		dd 3165B02h, 5C4B0020h,	1C5C46h, 2012001Ch, 4C5BFFDCh
		dd 8FF1B00h, 5B5C0808h,	20031Bh, 3C0019h, 1, 2 dup(0)
		dd 49485C4Bh, 20h, 1C0001h, 2012001Ch, 4C5BFFACh, 5BFFBD00h
		dd 44031Ah, 180000h, 0FE78004Ch, 4C0E0Eh, 4C08FE7Eh, 8FEBF00h
		dd 8360836h, 20125B36h,	2012FEEAh, 2012FF4Ch
		db 0ACh, 0FFh
; 

loc_407996:				; DATA XREF: PiDqQuerySerializeActionQueue+121o
		adc	al, [eax]
		retn	2B00h
; 
		db 8
		dd 0FFFC0008h, 1, 2 dup(0)
		dd 100002h, 4, 800E0000h, 1, 2007Eh, 780000h, 3, 0FFFF0072h
		dd 1001Bh, 200019h, 1, 2 dup(0)
		dd 3165B02h, 5C4B0028h,	185C46h, 8120018h, 5C465C25h, 240024h
		dd 0FFD22012h, 5F004C5Bh, 80808FEh, 31B5B5Ch, 190028h
		dd 110008h, 1, 27100000h, 5C4B0000h, 284948h, 20000h, 180018h
		dd 5C250812h, 240024h, 0FF9A2012h, 0AB004C5Bh, 3165BFFh
		dd 5C4B0010h, 45C46h, 8120004h,	5C465C25h, 0C000Ch, 0FFB42012h
		dd 8080E5Bh, 31A5B08h, 14h, 4C0E0000h, 5BFF3500h
dword_407A68	dd 0FFD00112h, 0FEFE0011h, 5C0B0C11h, 20411h, 0A30B6h
					; DATA XREF: PiDqIrpPropertySet+53o
		dd 0B0h, 1, 0A030h, 20411h, 0A30B6h, 0F1h, 1, 0E130h, 0A30B6h
		dd 51h,	1, 4130h, 5C080C11h, 21411h, 22012h, 1001Bh, 45429h
		dd 1, 2	dup(0)
		dd 8115B02h, 8B75C25h, 0
		dd 2710h, 22012h, 28031Bh, 0C0029h, 10011h, 0
		dd 2710h, 49485C4Bh, 28h, 180002h, 8120018h, 245C25h, 20120024h
		dd 4C5BFEC0h, 5BFED100h, 0
; 

; void DEVPKEY_DeviceInterface_ClassGuid
_DEVPKEY_DeviceInterface_ClassGuid:	; DATA XREF: .text:0040107Co
					; .text:off_4042D0o ...
		outsb
		push	ecx
		outsb
		add	dl, [eax+edi*4]
		dec	ebx
		inc	ecx
		or	ebp, 0FFFFFF85h
		insd
		outsd
		out	dx, eax
		dec	eax
		and	al, [eax+eax]
; 
		dw 0

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void DEVPKEY_Device_InstanceId
_DEVPKEY_Device_InstanceId proc	near	; DATA XREF: .text:00401064o
					; .text:004042E4o ...
		enter	0FFFFC34Fh, 78h
		dec	edx
		adc	dl, cl
		dec	edx
		sahf
		movsb
		push	edx
		dec	ebp
		push	edx
		cdq
		outsb
_DEVPKEY_Device_InstanceId endp

		push	edi
		add	[ecx], al
; 
		dw 0
; 

; void DEVPKEY_Device_SessionId
_DEVPKEY_Device_SessionId:		; DATA XREF: .text:_PiDmCachedDeviceKeyso
					; PiUEventCacheObjectProperties+95o ...
		db	26h
		arpl	dx, bx
		and	dword ptr [esi-6BBF7769h], 53h
		mov	eax, ds:3B573F92h
		sub	[esi], eax
; 
		db 3 dup(0)
; 

; void DEVPKEY_Device_RestrictedSD
_DEVPKEY_Device_RestrictedSD:		; DATA XREF: .text:00401A50o
					; PiUEventCacheObjectProperties+57o ...
		lock lahf
		inc	ebx
; 
		db 8Ch
		dd 43CD9CF7h, 99921E96h, 57C1C6A4h, 64h
; 

_KERNEL_AUDIT_API_OPENPROCESS:		; DATA XREF: PspLogAuditOpenProcessEvent(x,x,x)+34o
		add	eax, 4000000h
; 
		db 3 dup(0)
		dd 2 dup(0)
; 

_PPM_ETW_INTERRUPT_STEERING_PROC_CHANGE: ; DATA	XREF: KiIntSteerLogProc+1Co
		or	[eax], al
; 
		dw 0
		dd 80004h, 1, 0
; 

_PPM_ETW_INTERRUPT_STEERING_MASK_CHANGE: ; DATA	XREF: PpmParkSteerInterrupts+392o
					; KiIntSteerLogMask+13o ...
		add	al, [eax]
; 
		dw 0
		dd 20004h, 1, 0
; 

_ThreadWorkOnBehalfUpdate:		; DATA XREF: EtwTraceThreadWorkOnBehalfUpdate+23o
					; PsImpersonateContainerOfThread+17Eo ...
		adc	eax, 4100000h
		add	[edx], dl
; 
		db 0
		dd 2000h, 80000000h

;  S U B	R O U T	I N E 


_EtwpGenericMapping proc near		; DATA XREF: EtwpAccessCheck(x,x,x)+5Eo
					; EtwpAccessCheckFromState(x,x,x)+26o ...
		or	eax, 62000200h
		add	[edx], al
		add	[eax-0FFFDE2h],	dl
		push	ds
		add	al, [eax]

; void SecurityProviderGuid
_SecurityProviderGuid:			; DATA XREF: EtwpRegisterProvider+43o
					; EtwpRegisterUMGuid+20o ...
		and	eax, 78548496h
		push	esp
		xchg	eax, esp
		dec	ecx
		movsd
		mov	edx, 28033B3Eh
		retn
_EtwpGenericMapping endp ; sp =	-8

; 
		db 0Dh
; 

_ETW_EVENT_PROVIDER_REGISTER:		; DATA XREF: EtwpRegisterProvider:loc_7EF639o
					; EtwpRegisterUMGuid+25Bo ...
		or	[eax], al
		add	[ecx], dl
		add	eax, 20000310h
		add	al, [eax]
; 
		db 0
		dd 40000000h
; 

_POP_ETW_ADPM_ACTIVE_INPUT:		; DATA XREF: PopSessionInputChange(x,x,x):loc_840FB6o
		xchg	eax, esp
		add	[eax], eax
		adc	[eax+eax], al
		jno	short $+2
		add	al, 4
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_TIME_RESOLUTION_RUNDOWN:	; DATA XREF: PoRundownSystemTimer+53o
		pusha
		add	[ecx], al
		adc	[eax+eax], al
		pop	ebp
		add	[eax+eax*2], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_DEEP_SLEEP_CONSTRAINT_RUNDOWN:	; DATA XREF: PopDiagTraceDeepSleepConstraintRundown+21o
					; sub_5F3088+CDo
		mov	bh, 0
		add	[eax], dl
		add	al, 0
		fld	dword ptr [eax]
		add	al, 0
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_STANDBY_CONNECTIVITY_RUNDOWN:
					; DATA XREF: PopTraceStandbyConnectivityRundown+23o
		scasd
; 
		db 2 dup(0), 10h
		dd 0CD0004h, 4,	40000000h
; 

_POP_ETW_EVENT_CS_COMPLIANCE_RUNDOWN:	; DATA XREF: PopDiagTraceDeviceComplianceRundown+1Co
		mov	al, 0
		add	[eax], dl
		add	al, 0
		into
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_POWER_STATE_RUNDOWN:	; DATA XREF: PopDiagTracePowerStateEventRundown+1Co
		lar	eax, [eax]
		adc	[eax+eax], al
		loop	$+2
		add	al, 0
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_SYSTEM_IDLE_RUNDOWN:	; DATA XREF: PopDiagTraceSystemIdleRundown+23o
		daa
		add	al, [eax]
		adc	[eax+eax], al
		std
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_THERMAL_ZONE_RUNDOWN:	; DATA XREF: PopDiagTraceThermalZoneRundown+3Eo
					; PopDiagTraceThermalZoneRundown+B4145o
		xchg	eax, ecx
		add	[edx], al
		adc	[eax+eax], eax
		mov	al, 0
		and	[eax], al
; 
		dw 0
		dd 20000000h
; 

_POP_ETW_EVENT_DEVICE_VERBOSE_RUNDOWN:	; DATA XREF: PopDiagTraceDeviceVerboseRundown+33o
					; PopDiagTraceDeviceVerboseRundown+25Do
		inc	eax
		add	[ebx], eax
		add	[eax+eax], al
		stosb
; 
		db 0
		dd 200h, 0
; 

_POP_ETW_EVENT_DEVICE_REGISTRATION_RUNDOWN: ; DATA XREF: PopFxTraceDeviceRegistration+21o
		xor	[ecx], al
		add	[eax], eax
		add	al, 0
		mov	[eax], al
		add	[ecx], al
; 
		dw 0
		align 8

_POP_ETW_EVENT_DEVICE_REGISTRATION:	; DATA XREF: PopFxTraceDeviceRegistration+6Do
		das
		add	[ecx], eax
		add	[eax+eax], al
		xchg	eax, [eax]
		add	[ecx], al
; 
		dw 0
		align 8

_POP_ETW_EVENT_PLATFORMROLE_RUNDOWN:	; DATA XREF: PopDiagTracePlatformRoleRundown()+23o
		test	[eax], al
		add	[eax], dl
		add	al, 0
		xchg	eax, esi
		add	[esp+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_DYNAMIC_TICK_STATUS_RUNDOWN:
					; DATA XREF: PopDiagTraceDynamicTickStatusRundown()+23o
		std
		add	[eax], eax
		adc	[eax+eax], al

loc_407C9E:				; CODE XREF: .text:_WNF_PO_SLEEP_STUDY_USER_PRESENCE_CHANGEDj
		mov	al, ds:40400h
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_ACDC_STATE_RUNDOWN:	; DATA XREF: PopDiagTraceControlCallback+DAo
		push	0
		add	[eax], dl
		add	al, 0
		add	gs:[esp+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_ADPM_PASSIVE_INPUT:		; DATA XREF: PopSessionInputChange(x,x,x)+5Do
		xchg	eax, ebp
		add	[eax], eax
		adc	[eax+eax], al
		jb	short $+2
		add	al, 4
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_ADPM_GLOBAL_INPUT_STATE:	; DATA XREF: PopDiagTraceSessionStateCounted(x,x,x,x)+2Fo
		sahf
		add	[ecx], eax
		adc	[eax+eax], al
		jnp	short $+2
		add	al, 4
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_ADPM_INPUT_TIMEOUT:		; DATA XREF: PopDiagTraceInputTimeout(x,x,x)+29o
		mov	al, ds:4100001h
		add	[ebp+0], bh
		add	al, 4
; 
		dw 0
		dd 40000000h
; 

_GUID_SESSION_USER_PRESENCE:		; DATA XREF: .text:00403F78o
					; PopSetSessionUserStatus(x,x)+4Bo
		dec	eax
		inc	ebp
; 
		dw 3C0Fh
		dd 4C4DC03Fh, 7E23F2B9h, 766368DEh
; 

_POP_ETW_ADPM_SESSION_INPUT_STATE:	; DATA XREF: PopSetSessionUserStatus(x,x)+3Do
		popf
		add	[eax], eax
		adc	[eax+eax], al
		jp	short $+2
		add	al, 4
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_ADPM_DISPLAY_TIMEOUT:		; DATA XREF: PopDiagTraceDisplayTimeout(x,x,x)+29o
		mov	eax, ds:4100001h
		add	[esi+0], bh
		add	al, 4
; 
		dw 0
		dd 40000000h
; 

_WNF_PO_SLEEP_STUDY_USER_PRESENCE_CHANGED: ; DATA XREF:	PopEvaluateGlobalUserStatus+C7o
		jnz	short near ptr loc_407C9E+4
		mov	esp, 0C6013DA3h
		inc	ecx

; void GUID_GLOBAL_USER_PRESENCE
_GUID_GLOBAL_USER_PRESENCE:		; DATA XREF: PopEvaluateGlobalUserStatus+7Bo
					; PopIdleGlobalUserPresenceCallback(x,x,x,x)+8o ...
		sbb	eax, 27786E8Ah
		mov	ah, 44h
		inc	ebx
		xchg	eax, edx
		pop	es
		or	edi, esp
		or	ebx, esp
		mov	esi, 68A9h	; DATA XREF: PopDiagTraceControlCallback+151o
		adc	[eax+eax], al
		arpl	[eax], ax
		add	al, 4
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_CHANGE_POWER_REQUEST:	; DATA XREF: PopDiagTracePowerRequestChange(x)+33o
					; PopDiagTracePowerRequestChange(x)+7Do
		pop	ebp
		add	[ecx], al
		adc	[eax+eax], al
		pop	edx
		add	[esp+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_CLOSE_POWER_REQUEST:	; DATA XREF: PopDiagTracePowerRequestClose(x)+26o
		pop	esi
; 
		db 2 dup(0), 10h
		dd offset loc_5B0002+2
		dd 404h, 40000000h
; 

_SystemContextGenericMapping:		; DATA XREF: SeIsSystemContext(x,x)+36o
					; SeIsAppContainerOrIdentifyLevelContext(x,x)+65o
		add	[eax], eax
		add	al, [eax]
; 
		dd 2 dup(20000h), 1F0001h
; void GUID_PNP_CUSTOM_NOTIFICATION
_GUID_PNP_CUSTOM_NOTIFICATION dd 0ACA73F8Eh, 11D18D23h,	7DACh, 0D07175F8h
					; DATA XREF: PnpSetCustomTargetEvent+77o
					; PiUEventNotifyTargetDeviceChange+72o
; 

; void GUID_DEVICE_REMOVE_PENDING
_GUID_DEVICE_REMOVE_PENDING:		; DATA XREF: PiUEventNotifyTargetDeviceChange+4Ao
					; PiUEventProcessBroadcastNotifications+E2182o	...
		or	eax, 0F0CB3A40h
		inc	esi
		rcl	byte ptr [ecx],	1
		mov	al, 8Fh
		add	[eax-69h], ah
; 
		db 13h,	5, 3Fh
; 

; void GUID_IO_VOLUME_NAME_CHANGE
_GUID_IO_VOLUME_NAME_CHANGE:		; DATA XREF: PiUEventProcessBroadcastNotifications+C3o
		cmp	dword ptr [edi-17h], 2Dh
		push	es
		dec	esp
		rcl	byte ptr [ecx],	cl
		movsd
		xor	al, [eax]
		pusha
		xchg	eax, edi
		adc	eax, ds:0E0D1E05Ah
					; DATA XREF: PiUEventProcessBroadcastNotifications+1AAo
		xchg	cl, [ecx-63EE2F80h]
		in	al, 8		; DMA 8237A-5. status register bits:
					; 0-3: channel 0-3 has reached terminal	count
					; 4-7: channel 0-3 has a request pending
		add	[esi], bh
		xor	[edi], bl
; 
		db 73h
; 

; void GUID_DEVINTERFACE_PARALLEL
_GUID_DEVINTERFACE_PARALLEL:		; DATA XREF: PiUEventProcessBroadcastNotifications+190o
		lock outsb
		not	dword ptr [edi+11D0F883h]
		scasd
		pop	ds
; 
		dw 0
		dd 5C8400F8h

;  S U B	R O U T	I N E 


; void GUID_DEVICE_INTERFACE_ARRIVAL
_GUID_DEVICE_INTERFACE_ARRIVAL proc far	; DATA XREF: PiUEventProcessBroadcastNotifications+158o
					; PiUEventNotifyDeviceInterfaceChange(x)+11o ...
		add	al, 40h
		cmp	cl, bl
		lock inc esi
		rcl	byte ptr [ecx],	1
		mov	al, 8Fh
		add	[eax-69h], ah
		adc	eax, ds:3A40053Fh
					; DATA XREF: PiUEventProcessBroadcastNotifications+24Ao
					; PiUEventNotifyDeviceInterfaceChange(x)+C4o ...
		retf
_GUID_DEVICE_INTERFACE_ARRIVAL endp

; 
		dd 11D046F0h, 60008FB0h, 3F051397h
; 

_POP_ETW_EVENT_THERMAL_REQUEST_ADD:	; DATA XREF: PopAssociateThermalRequest+176o
		pushf
; 
		db 2 dup(0), 11h
		dd 0C00004h, 20h, 20000000h
; 

_POP_ETW_EVENT_COOLING_EXTENSION_ADD:	; DATA XREF: PopAssociateThermalRequest+113o
					; PopCoolingExtensionPnpNotification(x,x)+79o
		xchg	eax, edi
; 
		db 2 dup(0), 11h
		dd 0BB0004h, 20h, 20000000h
; 

_GUID_THERMAL_COOLING_INTERFACE:	; DATA XREF: PopAcquireCoolingInterface(x)+3Bo
		test	al, 47h
		mov	esi, 0B9C498ECh
		dec	ebx
		mov	ebp, 0E067E870h
		xchg	eax, esp
		or	eax, 9D9D0D22h	; DATA XREF: PoInitHiberServices+66o
		or	[ecx], dl
		cmp	ah, ch
		dec	eax
; 
		dd 9FD3728Fh, 9AE8F327h
; 

; void GUID_NON_ADAPTIVE_INPUT_TIMEOUT
_GUID_NON_ADAPTIVE_INPUT_TIMEOUT:	; DATA XREF: PopAdaptivePowerSettingCallback+3Co
		mov	esp, 4E5ADBBFh
		pop	es
		mov	eax, ds:0DB38BA4Dh
		mov	esi, [esi]
		mov	dl, 0C8h
		rep mov	ds:4100001h, al	; DATA XREF: PopDiagTracePolicyChange+4Co
					; PopDiagTracePolicyChange+A13CDo
		add	[edi+0], bh
		add	al, 4
; 
		dw 0
		dd 40000000h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void GUID_VIDEO_POWERDOWN_TIMEOUT
_GUID_VIDEO_POWERDOWN_TIMEOUT proc far	; DATA XREF: PopVideoPowerSettingCallback(x,x,x,x)+1Bo
					; PopCaptureSleepStudyStatistics(x,x,x,x)+349o	...
		and	eax, eax
		or	edi, [eax+ebp*4]
		enter	4E07h, 0A9h
		jnb	short near ptr loc_407EB5+1
		adc	al, 0CBh

locret_407E4D:				; CODE XREF: _GUID_DISK_BURST_IGNORE_THRESHOLD+45j
		retf
_GUID_VIDEO_POWERDOWN_TIMEOUT endp ; sp	= -4E0Ah

; 
		dw 7E2Bh

;  S U B	R O U T	I N E 


; void GUID_VIDEO_CONSOLE_LOCK_TIMEOUT
_GUID_VIDEO_CONSOLE_LOCK_TIMEOUT proc near
					; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+365o
					; PopAdaptivePowerSettingCallback+68o
		movsd

loc_407E51:				; CODE XREF: _GUID_DISK_BURST_IGNORE_THRESHOLD+53j
		mov	bl, 0C4h

loc_407E53:				; CODE XREF: _GUID_DISK_BURST_IGNORE_THRESHOLD+4Fj
		mov	gs, [eax+68h]
		retn	0BE48h
_GUID_VIDEO_CONSOLE_LOCK_TIMEOUT endp

; 
		db 75h,	4Fh, 30h
		dd 0A788BE44h

;  S U B	R O U T	I N E 


; void GUID_DISK_BURST_IGNORE_THRESHOLD
_GUID_DISK_BURST_IGNORE_THRESHOLD proc near ; DATA XREF: PopHardDiskPowerSettingCallback+A2o

var_16		= byte ptr -16h

		push	cs
		mov	bl, 80h
		xchg	eax, esp
		mov	ebx, 0E0BB4AD8h
		or	eax, 0C6EF9531h
		arpl	bx, bx		; DATA XREF: PopConsoleLockPowerSettingCallback(x,x,x,x)+29o
		imul	edi, [ecx+0Eh],	0Dh
		adc	dh, dl
		inc	edi
		mov	ds:0DAD2F7D5h, al
		movsd
		pop	ds
		push	ecx

; void GUID_UNATTEND_SLEEP_TIMEOUT
_GUID_UNATTEND_SLEEP_TIMEOUT:		; DATA XREF: PopSleepPowerSettingCallback+A2o
		stc
		mov	ds:0D8FC7BC4h, al
		imul	eax, [eax+esi*4+7Bh], 5A78EB33h
		lodsb
		mov	al, ds:0ABFC2519h ; DATA XREF: PopSleepPowerSettingCallback+88o
		or	[esi], dh
		sub	cl, [esp+edx*4+var_16]
		pop	ss
		sbb	ecx, [esi]
		aad	46h
		stosd

; void GUID_HIBERNATE_FASTS4_POLICY
_GUID_HIBERNATE_FASTS4_POLICY:		; DATA XREF: PopSleepPowerSettingCallback+6Eo
		sub	[ebp-54h], ebp
		xchg	eax, esp
		into
		jnb	short locret_407E4D
		inc	ecx
		sbb	byte ptr [edi+21BA6363h], 0B4h
		jle	short near ptr loc_407E53+1
					; DATA XREF: PopPowerButtonSettingCallback+3Eo
		out	dx, eax
		dec	eax
		jbe	short loc_407E51

loc_407EB5:				; CODE XREF: _GUID_VIDEO_POWERDOWN_TIMEOUT+9j
		fnstsw	word ptr [esi]
		dec	esi
		mov	ch, 66h
		push	eax
		stc
		sub	[eax], edi
		bound	eax, [eax+790053h] ; DATA XREF:	PopResetCurrentPolicies+50o
					; PopApplyPolicy+120o
_GUID_DISK_BURST_IGNORE_THRESHOLD endp

		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dw 0
; 

; void GUID_SLEEPBUTTON_ACTION
_GUID_SLEEPBUTTON_ACTION:		; DATA XREF: PopPowerButtonSettingCallback+51o
		shr	byte ptr [ebx-67h], 96h
		push	eax
		lodsd
		in	al, dx
		inc	edi
		xchg	eax, edx
		cmp	ebp, [edi+41h]
		xchg	ecx, [ebp-27h]
; 
		db 0EBh
; 

; void GUID_LIDCLOSE_ACTION
_GUID_LIDCLOSE_ACTION:			; DATA XREF: PopPowerButtonSettingCallback+68o
		xor	ebp, [bx+si+455Ch]
		outsb
		lahf
		inc	ebp
		mov	ds:1D6B477Bh, al
		add	ecx, ecx
		db	36h		; DATA XREF: PopPowerButtonSettingCallback+7Fo
		out	10h, eax

loc_407F06:				; CODE XREF: .text:00407F84j
		call	fword ptr [ecx+4C0723B1h]
		test	eax, 6325CD1h
		xlat
		inc	ecx
; 
		db 0B4h
_PopOneSettingPowerButtonBugcheckRegName:
					; DATA XREF: PopQueryPowerButtonBugcheckConfiguration+44o
		unicode	0, <OneSettingPowerButtonBugcheck>,0
_PopPowerButtonBugcheckRegName:		; CODE XREF: .text:_GUID_PDC_IDLE_RESILIENCY_ENGAGEDj
					; DATA XREF: PopQueryPowerButtonBugcheckConfiguration+21o
		unicode	0, <PowerButtonBugcheck>,0
; 

; void SLEEPSTUDY_ETW_PROVIDER
_SLEEPSTUDY_ETW_PROVIDER:		; DATA XREF: PopDiagSleepStudyInitialize()+1Do
					; SSHSupportEtwRegister(x,x,x,x)+12o
		out	87h, eax	; DMA page register 74LS612:
					; Channel 0 (address bits 16-23)
		jbe	short near ptr _PopOneSettingPowerButtonBugcheckRegName+3Bh
		lock mov edx, [ecx]
		dec	ebp
		mov	ch, 89h
		cmpsd
		stosd
		loopne	loc_407F06
		jnz	short loc_407FF2

; void WNF_PO_UMPO_SCENARIO_CHANGE
_WNF_PO_UMPO_SCENARIO_CHANGE:		; CODE XREF: .text:00407FE5j
					; DATA XREF: PopSleepstudyStartNextSession+A6D2Ao ...
		jnz	short loc_407FEA
		mov	ebp, 0C6013DA3h
		inc	ecx

; void GUID_PDC_IDLE_RESILIENCY_ENGAGED
_GUID_PDC_IDLE_RESILIENCY_ENGAGED:	; DATA XREF: SSHSupportRegisterPowerSettingCallback(x,x,x,x,x)+Co
					; PopPdcIdleResiliencyCallback(x,x)+17o ...
		ja	short near ptr _PopPowerButtonBugcheckRegName+0Eh
		jnp	short near ptr loc_407FC1+3
		wait
		loopne	near ptr _PopPowerButtonBugcheckRegName+15h
		inc	ebx
		lea	edx, [edi-4908ABAh]
		add	al, 0A7h

_WNF_PO_OPPORTUNISTIC_CS:		; CODE XREF: .text:00407FD3j
					; DATA XREF: PopNetDisengageNetworkRefresh()+13o ...
		jnz	short loc_407FCA
		mov	ebp, 0C6013DA3h
		inc	ecx

; void GUID_BATTERY_COUNT
_GUID_BATTERY_COUNT:			; DATA XREF: PopPowerSourceChangeCallback+86o
					; PopPowerSourceChangeCallback+89A33o ...
		adc	eax, 0A47D263Fh
		cld
		in	eax, 49h
		test	[ebx-57h], ecx

loc_407FB3:				; CODE XREF: .text:00407FE7j
					; DATA XREF: PopPowerSourceChangeCallback+2Do ...
		repne mov edi, 59245CBDh
		call	far ptr	4B00h:0E9D55D3Eh
		cmpsb

loc_407FC1:				; CODE XREF: .text:00407F92j
		mov	ebp, 51FF34FFh
		db	65h
		dec	eax

_DEVPKEY_DriverDatabase_SetupStatus:	; DATA XREF: .text:004038E8o
					; PiDrvDbLoadNodeWorkerCallback+1CDo ...
		add	bl, ch

loc_407FCA:				; CODE XREF: .text:_WNF_PO_OPPORTUNISTIC_CSj
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr _PopPowerButtonBugcheckRegName+25h
		jz	short near ptr _WNF_PO_OPPORTUNISTIC_CS+1
		inc	edi
		fstp	tbyte ptr [edx+14h]

_DEVPKEY_DriverDatabase_SetupOptions:	; DATA XREF: .text:004038D0o
					; PiDrvDbLoadNodeWorkerCallback+195o ...
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr _WNF_PO_UMPO_SCENARIO_CHANGE+1
		jz	short near ptr loc_407FB3+2
		inc	edi

loc_407FEA:				; CODE XREF: .text:_WNF_PO_UMPO_SCENARIO_CHANGEj
		fstp	tbyte ptr [edx+13h]

_KMPnPEvt_DriverDatabaseUnload_Pend:	; DATA XREF: PiDrvDbUnloadNodeWorkerCallback(x)+5Eo
		adc	al, [ecx]

loc_407FF2:				; CODE XREF: .text:00407F86j
		add	[ebx], dl
		add	al, 8
		adc	[ecx], eax
; 
		dd 100000h, 8000000h
; 

_KMPnPEvt_DriverDatabaseUnload_Start:	; DATA XREF: PiDrvDbUnloadNodeWorkerCallback(x)+37o
		adc	[ecx], eax
		add	[ebx], dl
		add	al, 1
		adc	[ecx], eax
; 
		dd 100000h
		db 0
byte_40800D	db 2 dup(0), 8		; CODE XREF: .text:00408069j
; 

_KMPnPEvt_DriverDatabaseLoad_Stop:	; DATA XREF: PiDrvDbLoadNodeWorkerCallback+F4o
		adc	[ecx], al
		add	[ebx], dl
		add	al, 2
		push	cs
		add	[eax], eax
		add	[eax], dl
; 
		db 0
		dd 8000000h
; 

_KMPnPEvt_DriverDatabaseLoaded_Start:	; DATA XREF: PiDrvDbLoadNodeWorkerCallback+3Co
		adc	al, 1
; 
		dw 0
		dd 1140104h, 100000h, 10000h
; 

_KMPnPEvt_DriverDatabaseLoad_Start:	; DATA XREF: PiDrvDbLoadNodeWorkerCallback+13o
		push	cs
		add	[eax], eax
		adc	eax, [ecx+eax]
		push	cs
		add	[eax], eax

loc_408039:				; CODE XREF: .text:0040806Bj
		add	[eax], dl
; 
		db 0
		dd 8000000h
; 

_KMPnPEvt_DriverDatabaseLoaded_Stop:	; DATA XREF: PiDrvDbUnloadNodeWaitWorkerCallback(x)+58o
					; PiDrvDbLoadNode+129796o ...
		adc	eax, 4000001h
		add	dl, [ecx+eax]
; 
		dd 100000h, 10000h
; 

_KMPnPEvt_DriverDatabaseUnload_Stop:	; DATA XREF: PiDrvDbUnloadNodeWaitWorkerCallback(x)+4Ao
					; PiDrvDbLoadNode+129788o
		adc	eax, [ecx]
		add	[ebx], dl
		add	al, 2
		adc	[ecx], eax
; 
		dd 100000h, 8000000h
; 

_DEVPKEY_DriverDatabase_UnloadTimeout:	; DATA XREF: .text:00403858o
					; PiDrvDbLoadNodeWorkerCallback+12Eo
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr byte_40800D
		jz	short loc_408039
		inc	edi
		fstp	tbyte ptr [edx+9]

_WNF_PNPA_DEVNODES_CHANGED:		; DATA XREF: PiUEventBroadcastDevnodesChangedEvent(x)+16o
					; PiUEventInit(x)+CEo
		jnz	short near ptr _WNF_PNPA_DEVNODES_CHANGED_SESSION+2
		mov	esp, 96003DA3h
; 
		db 0
; 

_WNF_PNPA_DEVNODES_CHANGED_SESSION:	; CODE XREF: .text:_WNF_PNPA_DEVNODES_CHANGEDj
					; DATA XREF: PiUEventBroadcastDevnodesChangedEvent(x)+39o
		xor	eax, 3DA3BC10h
		add	[esi+0], dl
		add	[edi], al	; DATA XREF: IoRegisterLastChanceShutdownNotification(x)+41o
; 
		db 3 dup(0)
		dd 4, 2	dup(0)
; 

_KERNEL_AUDIT_API_IOREGISTERSHUTDOWNNOTIFICATION:
					; DATA XREF: IoRegisterShutdownNotification(x)+41o
		or	[eax], al
; 
		dw 0
		dd 4, 2	dup(0)
a425000:				; DATA XREF: CmpInitCallbacks()+Ao
		unicode	0, <425000>,0
		align 4

; wchar_t PiSwBusName
_PiSwBusName:				; DATA XREF: PiSwStopDestroy(x,x,x,x)+4Co
					; PiSwIrpCleanup+2Eo ...
		push	ebx
		add	[edi+0], dl
		inc	esp
		add	[eax+eax+0], bl
; 
		db 3 dup(0)
		align 8
aRegistryMach_4:			; DATA XREF: _IsMachineLanguageListInMutableLocation+9o
					; _RtlpMuiRegLoadInstalled+8Fo
		unicode	0, <\Registry\Machine\OSDATA\System\CurrentControlSet\Control>
		unicode	0, <\MUI\UILanguages>,0
; 

; void GUID_EM_CPU_TYPE_INTEL_DTT_DISABLE
_GUID_EM_CPU_TYPE_INTEL_DTT_DISABLE:	; DATA XREF: KeInitializeClock+67o
		xor	dl, 5Eh
		cmp	al, 0E7h
		inc	edx
		sbb	eax, 0B7BDAE44h
		xor	al, 2Fh
		adc	eax, 2E21h	; DATA XREF: EtwRegisterCounters()+81o
; 
		dw 0
		dd 40000h, 1, 40004h, 2, 80008h, 3, 40010h, 4, 40014h
; `PcwpRegisterEventTracingCounterSet'::`2'::Descriptors
?Descriptors@?1??PcwpRegisterEventTracingCounterSet@@9@9 dd 0
					; DATA XREF: EtwRegisterCounters()+39o
		dd 4000Ch, 1, 40014h, 2, 40010h, 3, 40000h, 4, 40008h
		dd 5, 40004h
; `PcwpRegisterThermalCounterSet'::`2'::Descriptors
?Descriptors@?1??PcwpRegisterThermalCounterSet@@9@9 dd 0
					; DATA XREF: ExpPcwHostCallback+19Co
		dd 40000h, 1, 40004h, 2, 40008h, 3, 4000Ch
; `PcwpRegisterFileSystemDiskIOCounterSet'::`2'::Descriptors
?Descriptors@?1??PcwpRegisterFileSystemDiskIOCounterSet@@9@9 dd	0
					; DATA XREF: ExpPcwHostCallback+150o
		dd 80000h, 1, 80008h, 0
; `PcwpRegisterProcessorCounterSet'::`2'::Descriptors
?Descriptors@?1??PcwpRegisterProcessorCounterSet@@9@9 dd 0
					; DATA XREF: ExpPcwHostCallback+F8o
		dd 80000h, 1, 80010h, 2, 80018h, 3, 40020h, 4, 80028h
		dd 5, 80030h, 6, 4003Ch, 7, 40040h, 8, 80000h, 9, 80048h
		dd 0Ah,	80050h,	0Bh, 80058h, 0Ch, 80060h, 0Dh, 80068h
		dd 0Eh,	80070h,	0Fh, 80008h, 10h, 40080h, 11h, 40084h
		dd 12h,	40088h,	13h, 4008Ch, 14h, 40038h, 15h, 800A8h
		dd 16h,	800B0h,	17h, 800B0h, 18h, 80098h, 19h, 40094h
		dd 1Ah,	80098h,	1Bh, 40090h, 1Ch, 800A0h, 1Dh, 40090h
		dd 1Eh,	400B8h,	1Fh, 400BCh, 20h, 80078h, 21h, 800C0h
		dd 22h,	40094h
; `PcwpRegisterSynchCounterSet'::`2'::Descriptors
?Descriptors@?1??PcwpRegisterSynchCounterSet@@9@9 dd 0 ; DATA XREF: ExpPcwHostCallback+65o
					; ExpPcwHostCallback+B0o
		align 8
		dd 1, 40004h, 2, 40008h, 3, 4000Ch, 4, 40010h, 5, 40014h
		dd 6, 40018h, 7, 4001Ch, 8, 40020h, 9, 40024h, 0Ah, 40028h
		dd 0Bh,	4002Ch,	0Ch, 40030h, 0Dh, 40034h, 0Eh, 40038h
		dd 0Fh,	4003Ch,	10h, 40040h, 11h, 40044h, 12h, 40048h
		dd 13h,	4004Ch,	14h, 40050h, 15h, 40054h, 16h, 40058h
		dd 17h,	4005Ch,	18h, 40060h, 19h, 40064h, 1Ah, 40068h
		dd 1Bh,	4006Ch,	1Ch, 40070h, 1Dh, 40074h, 1Eh, 40078h
		dd 1Fh,	4007Ch,	20h, 40080h, 21h, 40084h, 22h, 40088h
		db 23h,	2 dup(0)
; 

loc_40842B:				; CODE XREF: .text:0040849Bj
		add	[eax+eax+240004h], cl
; 
		dw 0
		align 8
		dd 25h
		db 94h,	0, 4
; 

loc_40843F:				; CODE XREF: .text:00408491j
		add	[esi], ah
; 
		db 3 dup(0)
		dd 40098h, 27h,	4009Ch,	28h, 400A8h, 29h, 400ACh
; 

_FILE_TYPE_NOTIFICATION_GUID_PAGE_FILE:	; DATA XREF: MiCreatePagingFile+4EBo
		mov	eax, ds:0FC0D0A64h

loc_408465:				; CODE XREF: .text:_DEVPKEY_Device_BiosDeviceNamej
		cmp	[eax+3FE79F4Dh], bh
		inc	ebx
		push	edx
		int	7Ch		; IBM REXX88PC command language
		pop	esp

_FILE_TYPE_NOTIFICATION_GUID_CRASHDUMP_FILE: ; DATA XREF: IopInitializeCrashDump+C9o
		mov	bh, 3Eh
		inc	ebp
		popf
		cmpsb
		sar	byte ptr [ebp-41C5DB3h], cl
		shr	ch, 1
		xchg	eax, ecx
		or	[ecx+100001F5h], ebp ; DATA XREF: PerfDiagInitialize()+9Co
		add	al, 1
		cmc
		add	[eax], eax
; 
		db 3 dup(0)
		dd 80010000h
; 

_MS_Kernel_BootDiagnostics_Provider:	; DATA XREF: PerfDiagInitialize()+81o
		aaa
		jbe	short loc_40843F
		xchg	eax, esi
		push	eax
		pop	ecx
		xor	[edx-48h], cl
		mul	eax
		jle	short loc_40842B
		push	edi
		xor	al, 0C1h

_WDI_SEM_EVENT_SQM_INIT:		; DATA XREF: WdipSemSqmInit()+50o
		sub	eax, [eax]
; 
		dw 0
		dd 4, 0
		dd 80000h

;  S U B	R O U T	I N E 


; void WDI_SEM_PROVIDER
_WDI_SEM_PROVIDER proc far		; DATA XREF: WdipSemEnableSemProvider()+24o
					; WdipSemLoadNextContextProvider+117o ...
		mov	bh, 0E6h
		rep das
		nop
		retf
_WDI_SEM_PROVIDER endp

; 
		add	[edi-6Ah], al
		and	[edi+edi+38h], eax
		xchg	eax, edi
		xor	al, 0EDh

_KMPnPEvt_DeviceStart_Start:		; DATA XREF: PnpStartDeviceNode+99o
					; PnpStartDeviceNode+92D7Co
		fadd	dword ptr [eax]
		add	[edx], dl
		add	al, 1
		fadd	dword ptr [eax]
		and	[eax+0], al
		add	[eax], dl

_DEVPKEY_Device_BiosDeviceName:		; DATA XREF: .text:00404854o
					; PopFxQueryBiosDeviceName(x,x)+26o ...
		jle	short near ptr loc_408465+1
		or	edx, [eax+eax*2-75h]
		mov	esp, 6AA2A845h
		or	ecx, [ecx+0AA2BD4Ch]
; 
		db 3 dup(0)
		align 8

_KMPnPEvt_DeviceStart_Pend:		; DATA XREF: PnpStartDeviceNode+DCo
		fld	dword ptr [eax]
		add	[edx], dl
		add	al, 8
		fadd	dword ptr [eax]

loc_4084F0:				; CODE XREF: .text:00408505j
		and	[eax+0], al
		add	[eax], dl

_POP_TRIGGER_ETW_PROVIDER:		; DATA XREF: PopDiagInitialize()+73o
		call	near ptr 0FDEAA470h
		adc	eax, 0FDAB45D2h
		out	0F6h, eax
		dec	edi
		js	short near ptr loc_4084F0+2

loc_408507:				; DATA XREF: BapdRecordFirmwareBootStats+1CAo
		adc	[esi], ebx
; 
		db 2 dup(0), 8
		dd 150004h, 0
		dd 80000000h
; 

; void BOOTENV_ETW_PROVIDER
_BOOTENV_ETW_PROVIDER:			; DATA XREF: BapdWriteEtwEvents+30o
					; BapdWriteEtwEvents+B4o ...
		inc	dword ptr [edx+ecx*8+15h]
		jp	short near ptr byte_40856B
		stosb
		dec	ebx
		mov	ebx, 959809A5h
		pop	esi
		push	ebx
		push	ds

; void BOOT_PROVIDER_GUID
_BOOT_PROVIDER_GUID:			; DATA XREF: BapdWriteEtwEvents+6Eo
					; BapdWriteEtwEvents+17Co
		jnz	short loc_408594
		mov	bh, 23h
		dec	edi
		into
		out	dx, eax
		push	esi
		stc
		add	eax, ebx
		mov	ds:6B3FAED6h, al

; `EnableManifestedProviderForMicrosoftTelemetry'::`2'::Traits
?Traits@?1??EnableManifestedProviderForMicrosoftTelemetry@@9@9:
					; DATA XREF: BapdRegisterEtwProvider(x,x,x)+20r
					; BapdRegisterEtwProvider(x,x,x)+28o ...
		push	ss
; 
		db 2 dup(0), 13h
		dd 731A0100h, 89CF4F50h, 0E0B34782h, 4C9E8DCh, 0BA76h
; 

_POP_ETW_PROVIDER:			; DATA XREF: PopDiagInitialize()+12o
		cmp	bh, [ebx]
		sbb	al, 33h
		add	eax, 0AC44C220h
		pop	esi
		ja	short near ptr off_40857E
		or	al, 37h
		setalc
		mov	ah, 77h		; DATA XREF: PpmEventHeteroPolicy+1Fo
; 
		db 3 dup(0)
		dd offset loc_610001+3
		db 2, 2	dup(0)
byte_40856B	db 0			; CODE XREF: .text:0040851Cj
		align 10h

_PPM_ETW_PROCESSOR_CLASS_UPDATE:	; DATA XREF: PpmEventHeteroConfigUpdate+2Ao
		jbe	short $+2
		add	[eax], eax
		add	al, 0
		pusha
		add	[edx], al
; 
		db 3 dup(0)
		db 2 dup(0)
off_40857E	dd offset loc_56FFFF+1	; CODE XREF: .text:0040855Aj
					; DATA XREF: PnpWatchdogBugcheckConfigure+Do
; 
		popa
		add	[eax+eax+63h], dh
		add	[eax+0], ch
		add	fs:[edi+0], ch
		add	[bp+si+0], al
		jnz	short $+2

loc_408594:				; CODE XREF: .text:_BOOT_PROVIDER_GUIDj
		add	[bp+di+0], ah
		push	63006500h
		add	[ebx+0], ch
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
_PnpWatchdogSecondChanceRegName	dd offset loc_610055+2
					; DATA XREF: PnpQueryWatchdogTimeoutConfiguration+30o
		dd offset loc_630074
		dd offset loc_640068
		dd offset loc_67006B+4
		dd offset loc_650052+1
aCondchanceinms:
		unicode	0, <condChanceInMs>,0
		align 4
_PnpWatchdogFirstChanceRegName dd offset loc_610055+2
					; DATA XREF: PnpQueryWatchdogTimeoutConfiguration+Fo
		dd offset loc_630074
		dd offset loc_640068
		dd offset loc_67006B+4
		dd offset loc_690046
aRstchanceinms:
		unicode	0, <rstChanceInMs>,0
		align 8
_GlobalSaclKeyPrefix dd	offset loc_52005B+1 ; DATA XREF: SepRmFetchGlobalSacl+31o
		dd offset loc_670065
aIstryMachineSe:
		unicode	0, <istry\Machine\SECURITY\Policy\GlobalSaclName>,0
		align 10h

_KMPnPEvt_DriverInitPhase_Stop:		; DATA XREF: PnpCompleteSystemStartProcess()+7Bo
		sub	eax, 4110001h
; 
		db 3 dup(0)
		dd 0
		dd 20000000h
; 

_KMPnPEvt_SystemStartLegacyEnum_Stop:	; DATA XREF: PnpCompleteSystemStartProcess()+58o
		pop	es
		add	[eax], eax
		adc	[edx+eax], eax
		push	es
		add	[eax], esp
; 
		db 3 dup(0)
		dd 20000000h
; 

_KMPnPEvt_SystemStartDriverReinit_Stop:	; DATA XREF: PnpCompleteSystemStartProcess()+29o
		or	eax, [ecx]
		add	[esp+eax], dl

loc_4086A5:				; CODE XREF: .text:00408701j
		add	cl, [edx]
		add	[eax], esp
; 
		db 3 dup(0)
		dd 4000000h
; 

_KMPnPEvt_SystemStartDriverReinit_Start: ; DATA	XREF: PnpCompleteSystemStartProcess()+15o
		or	al, [ecx]
		add	[esp+eax], dl
		add	[edx], ecx
		add	[eax], esp
; 
byte_4086B9	db 3 dup(0)		; CODE XREF: .text:00408715j
		dd 4000000h
; 

_KMPnPEvt_SystemStartLegacyEnum_Start:	; DATA XREF: PnpCompleteSystemStartProcess()+8o
		push	es
		add	[eax], eax
		adc	[ecx+eax], eax
		push	es
		add	[eax], esp
; 
		db 3 dup(0)
		db 0
byte_4086CD	db 2 dup(0), 20h	; CODE XREF: .text:00408729j
; 

_WNF_CONT_RESTORE_FROM_SNAPSHOT_COMPLETE: ; CODE XREF: .text:00408703j
					; DATA XREF: EtwInitializeSiloState+1EFo
		jnz	short loc_4086DA
		mov	esp, 88012EA3h
; 
		db 15h
; 

_KMPnPEvt_DeviceStart_Stop:		; DATA XREF: PnpTraceStartDevice+20o
		fiadd	dword ptr [eax]

loc_4086DA:				; CODE XREF: .text:_WNF_CONT_RESTORE_FROM_SNAPSHOT_COMPLETEj
		add	[edx], dl
		add	al, 2
		fadd	dword ptr [eax]

loc_4086E0:				; CODE XREF: .text:00408717j
		and	[eax+0], al
		add	[eax], dl

_POP_ETW_EVENT_DEVICE_START_POWER_MANAGEMENT:
					; DATA XREF: PopDiagTraceFxDeviceStartPowerManagement+39o
					; PopDiagTraceFxDeviceStartPowerManagement+8BA90o
		xor	al, [ecx]
; 
		dw 0
		dd 8A0004h, 100h, 0
; 

_DEVPKEY_DriverDatabase_Updated:	; CODE XREF: .text:0040872Bj
					; DATA XREF: .text:00403840o ...
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	loc_4086A5
		jz	short near ptr _WNF_CONT_RESTORE_FROM_SNAPSHOT_COMPLETE+1
		inc	edi
		fstp	tbyte ptr [edx+8]

_DEVPKEY_DriverDatabase_ConfigOptions:	; DATA XREF: .text:00403888o
					; PpDevCfgInit+7Ao
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr byte_4086B9
		jz	short near ptr loc_4086E0+5
		inc	edi
		fstp	tbyte ptr [edx+10h]

_DEVPKEY_DriverDatabase_ConfigMode:	; DATA XREF: .text:00403870o
					; PpDevCfgInit+70o
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr byte_4086CD
		jz	short near ptr _DEVPKEY_DriverDatabase_Updated+1
		inc	edi
		fstp	tbyte ptr [edx+0Ah]
; 
_PopProcessorThrottleLogIntervalRegKey:	; DATA XREF: PpmInitIllegalThrottleLogging+37o
		unicode	0, <ProcessorThrottleLogInterval>,0
		align 10h
_PopRegKey:				; DATA XREF: PopOpenPowerKey(x)+8o
					; PpmInitIllegalThrottleLogging+1Do
		unicode	0, <Control\Session Manager\Power>,0
		db 0
byte_4087AD	db 3 dup(0)		; CODE XREF: .text:004087E3j
; 

_KMPnPEvt_EarlyLaunch_LoadNotification_Start:
					; DATA XREF: PnpEarlyLaunchImageNotificationPreProcess(x,x,x,x,x)+56o
		int	0		; - internal hardware -	DIVIDE ERROR
					; Automatically	called at end of DIV or	IDIV operation that results in error
					; or overflow.	 Normally set by DOS to	display	an error message and abort
					; the program.
; 
		dw 0
		dd 0CD0104h, 20h, 0
; 

_EVENT_WHEA_INIT_OP:			; DATA XREF: WheapLogInitEvent()+7Bo
					; WheapLogInitEvent()+D3o
		add	eax, 4110000h
; 
		db 3 dup(0)
		dd 0
		dd 20000000h
; 

_EVENT_WHEA_LOG_ENTRY:			; DATA XREF: WheaLogInternalEvent+72o
		sub	al, [eax]
		add	[ecx], dl
		add	al, 0
; 
		dw 0
		dd 400h, 20000000h
; 

_WHEA_ETW_PROVIDER:			; DATA XREF: WheapInitializeEventing+53o
		jns	short near ptr loc_408815+2
		push	esi
		jnp	short near ptr byte_4087AD
		push	ebx
		out	44h, eax
		xor	byte ptr [esi],	0Fh

loc_4087EB:				; DATA XREF: EtwTraceJobServerSiloMonitorCallback:loc_578991o
		xchg	edi, [ecx+179465FEh]
; 
		db 2 dup(0), 10h
		dd 130104h, 4000h, 80000000h
; 

_ServerSiloCreateCallbackStop:		; DATA XREF: EtwTraceJobServerSiloMonitorCallback+40o
		sbb	[eax], al
		add	[eax], dl
		add	al, 2
		adc	eax, [eax]
		add	[eax+0], al
; 
		db 0
		dd 80000000h

;  S U B	R O U T	I N E 


; wchar_t PiSwGenericRawCompatibleId
_PiSwGenericRawCompatibleId proc near	; DATA XREF: PiSwDeviceMakeCompatibleIds+38o
					; PiSwDeviceMakeCompatibleIds+C1o ...
		push	ebx
		add	[edi+0], dl
		inc	esp

loc_408815:				; CODE XREF: .text:_WHEA_ETW_PROVIDERj
		add	[eax+eax+47h], bl
		add	[ebp+0], ah
		outsb
_PiSwGenericRawCompatibleId endp

		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 520063h
		popa
		add	[edi+0], dh
; 
		dd 0

;  S U B	R O U T	I N E 


; wchar_t PiSwGenericCompatibleId
_PiSwGenericCompatibleId proc near	; DATA XREF: PiSwDeviceMakeCompatibleIds+4Fo
					; PiSwDeviceMakeCompatibleIds+D7o ...
		push	ebx
		add	[edi+0], dl
		inc	esp
		add	[eax+eax+47h], bl
		add	[ebp+0], ah
		outsb
_PiSwGenericCompatibleId endp

		add	[ebp+0], ah
		jb	short $+2

loc_408842:				; CODE XREF: .text:004088BCj
		imul	eax, [eax], 63h

_KMPnPEvt_EarlyLaunch_LoadNotification_Stop:
					; DATA XREF: PnpEarlyLaunchImageNotificationPostProcess(x,x,x,x,x)+8o
		into
; 
		db 3 dup(0)
		dd 0CD0204h, 20h, 0
; 

_PPM_ETW_PROCESSOR_PROFILE_SETTING_CHANGE: ; DATA XREF:	PpmEventTraceProfileSetting+2Eo
					; PpmEventTraceProfileSetting:loc_93480Ao
		imul	eax, [eax], 40000h
		push	ebx
		add	[eax+0], ah
; 
		dw 0
		align 8

_GUID_BUS_INTERFACE_STANDARD:		; DATA XREF: PiGetDmaAdapterFromBusInterface+47o
		add	byte ptr [edx+6F25496Bh], 0D0h
		adc	[esi+2B0008AFh], edi
		loop	loc_408880
		das

; void GUID_POWER_POLICY_PROFILE_QOS_MULTIMEDIA
_GUID_POWER_POLICY_PROFILE_QOS_MULTIMEDIA: ; DATA XREF:	PpmEnableProfile+57o
					; PpmDisableProfile(x)+81o
		db	26h
		push	ebx
		cmp	eax, 0AB944B0Ch
		dec	edx

loc_408880:				; CODE XREF: .text:00408875j
		mov	bl, al
		inc	byte ptr [edx+2Ah]
		push	cs
		push	eax
; 
		db 0E0h
; 

; void GUID_POWER_POLICY_PROFILE_ENTRY_LEVEL_PERF
_GUID_POWER_POLICY_PROFILE_ENTRY_LEVEL_PERF: ; DATA XREF: PpmEnableProfile+3Fo
					; PpmDisableProfile(x)+65o
		pop	edi
		sbb	esp, [esi+23F42CA4h]
		dec	ebp
		mov	bl, 0ABh
		pop	esp
		daa
		fistp	word ptr [edi-7FD2E7F1h] ; DATA	XREF: PpmEnableProfile+27o
					; PpmDisableProfile(x)+49o
		dec	edx
		rol	byte ptr ds:0AE491022h,	98h
		cmp	edx, [ecx-1Dh]
		mov	ebx, offset unk_6CF272 ; DATA XREF: PpmEventTraceProfileEnable+16o
; 
		dw 0
		dd offset loc_560001+3
		dd 60h,	0
; 

_SmEventProvider:			; DATA XREF: SmInitSystem(x)+18o
		jecxz	short near ptr aControlPower ; "Control\\Power"
		lodsd
		cmpsb
		jp	short near ptr loc_408842+2
		xor	eax, 49B39146h
		add	al, 0BAh
		arpl	[edi+edx*8+1], si ; DATA XREF: NtSetUuidSeed+181o
		add	[edx], al
		add	[ecx], al
		add	[edx], al
; 
		db 0
		dd 20000h, 1F0001h
; 

_KseFlagsApplied:			; DATA XREF: KsepEvntLogFlagsApplied(x,x,x,x,x)+2Co
					; KsepEvntLogFlagsApplied(x,x,x,x,x)+82o
		add	al, 0
		add	[ecx], edx
		add	al, 0
; 
		dw 0
		dd 0
		dd 40000000h
; 

_POP_ETW_EVENT_DIRECTED_DRIPS_INITIALIZATION:
					; DATA XREF: PopDiagTraceDirectedDripsInitialization+5Bo
		sbb	al, 2
		add	[eax], dl
		add	al, 0
		out	dx, eax
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; [00000005 BYTES: COLLAPSED FUNCTION _GUID_EM_RULE_DIRECTED_DRIPS_PLATFORM_DISABLE_PS4_MATCH. PRESS KEYPAD "+"	TO EXPAND]
		db 59h,	4Fh, 41h
		dd 0B5518F9Eh, 114EE25h
aDirecteddripsa:			; DATA XREF: PopDirectedDripsQueryRegistryValues:loc_8AE0F9o
		unicode	0, <DirectedDripsAction>,0
aControlPower:				; CODE XREF: .text:_SmEventProviderj
					; DATA XREF: PopDirectedDripsQueryRegistryValues+81o
		unicode	0, <Control\Power>,0
; 

; void GUID_DEVICE_POWER_POLICY_VIDEO_BRIGHTNESS
_GUID_DEVICE_POWER_POLICY_VIDEO_BRIGHTNESS:
					; DATA XREF: PopVideoBrightnessSettingsCallback+2Co
					; PopMonitorProcessBrightnessAction(x,x):loc_9B76B8o
		sbb	byte ptr [esi-13h], 0ADh
		or	[ecx+49994619h], edi
		cmc
		xlat

loc_408958:				; DATA XREF: PopVideoBrightnessSettingsCallback+15o
					; NtPowerInformation+17221Fo
		sbb	eax, 98CB0BACh
		jb	short near ptr loc_408965+1
		sbb	eax, 4F03E31Ch
		popf

loc_408965:				; CODE XREF: .text:0040895Dj
		jmp	near ptr 1BF6FCDEh
; 
		db 1Dh
byte_40896B	db 29h			; CODE XREF: .text:_GUID_DEVICE_POWER_POLICY_VIDEO_DIM_BRIGHTNESSj
; 

; void GUID_DEVICE_POWER_POLICY_VIDEO_DIM_BRIGHTNESS
_GUID_DEVICE_POWER_POLICY_VIDEO_DIM_BRIGHTNESS:
					; DATA XREF: PopVideoBrightnessSettingsCallback+3Fo
		loop	near ptr byte_40896B
		sti
		icebp
		pusha
		test	eax, 889F4165h
		push	eax
		db	66h
		jns	short near ptr byte_40898B
		into
		xchg	eax, esi

; void GUID_VIDEO_ADAPTIVE_DISPLAY_BRIGHTNESS
_GUID_VIDEO_ADAPTIVE_DISPLAY_BRIGHTNESS: ; DATA	XREF: PopVideoBrightnessSettingsCallback+56o
		db	66h
		stosb
		fsincos
		push	ebx
		xchg	eax, ebp
		xchg	eax, edi
		inc	eax
		mov	edx, 9D6EED44h
; 
		db 65h,	0EAh
byte_40898B	db 0B8h			; CODE XREF: .text:00408977j
; 

; void GUID_ENERGY_SAVER_BRIGHTNESS
_GUID_ENERGY_SAVER_BRIGHTNESS:		; DATA XREF: PopVideoBrightnessSettingsCallback+6Do
		test	[eax-8B1EC30h],	bl
		dec	edx
		inc	edi
		test	al, 52h
		mov	dh, 0BDh

loc_408998:				; DATA XREF: PopVideoBrightnessSettingsCallback+84o
					; TtmInitCurrentSession()+171o	...
		call	near ptr 9BE88D4Ah
		mov	ds:8B4317AAh, al
		xchg	eax, esp
		dec	ebx
		stosb
; 
		db 0FEh, 35h, 0F6h
		dd 0EEF1AA4Dh
; wchar_t a??WsSystem32
a??WsSystem32:				; DATA XREF: SepSetSystemPaths+4Co
		unicode	0, <\??\%ws\System32\>,0
; 

_KMPnPEvt_EarlyLaunch_StatusNotification_Stop:
					; DATA XREF: PnpNotifyEarlyLaunchStatusUpdate(x)+53o
		rol	byte ptr [eax],	1
; 
		dw 0
		dd 0CD0204h, 20h, 0

;  S U B	R O U T	I N E 


_KMPnPEvt_EarlyLaunch_StatusNotification_Start proc near
					; DATA XREF: PnpNotifyEarlyLaunchStatusUpdate(x)+1Ao
		iret
_KMPnPEvt_EarlyLaunch_StatusNotification_Start endp

; 
		align 4
		dd 0CD0104h, 20h, 0
aSystem_1:				; DATA XREF: PopEtInit+D7o
		unicode	0, <System>,0
		align 10h
aIsrdpc:				; CODE XREF: _WNF_SEB_NETWORK_CONNECTIVITY_IN_STANDBYj
					; DATA XREF: PopEtInit+C7o
		unicode	0, <IsrDpc>,0
		align 10h
aOverflow:				; DATA XREF: PopEtInit+B7o
		unicode	0, <Overflow>,0
		align 4
aDefault_1:				; DATA XREF: PopEtInit+9Bo
		unicode	0, <Default>,0
		align 8

_BootPerformanceData:			; DATA XREF: EtwpTraceSystemInitialization+340o
					; EtwpTraceSystemInitialization+11815o
		adc	eax, [eax]
		add	eax, [eax]
		add	al, 0
		add	al, 0
		add	byte ptr [eax],	0
; 
		db 0
		align 8

_KernelSystemStart:			; DATA XREF: EtwpTraceSystemInitialization+2E4o
		or	al, 0
		add	[eax], cl
		add	al, 0
		add	[eax], eax
		add	byte ptr [eax],	0
; 
		db 0
		dd 80000000h
; 

_POP_ETW_EVENT_STANDBY_CONNECTIVITY_UPDATE:
					; DATA XREF: PopTraceStandbyConnectivityUpdate+5Fo
					; PopTraceStandbyConnectivityUpdate+8Eo
		lodsb
; 
		db 2 dup(0), 8
		dd 0CB0004h, 404h, 80000000h

;  S U B	R O U T	I N E 


_WNF_SEB_NETWORK_CONNECTIVITY_IN_STANDBY proc near
					; DATA XREF: PopNetPublishWnfStateUpdate(x)+29o
		jnz	short near ptr aIsrdpc+0Ah
		mov	ebp, 840B3EA3h
		inc	ecx

_WNF_USB_ERROR_NOTIFICATION:		; DATA XREF: PopBatteryInitPhaseTwo()+6Eo
		jnz	short near ptr word_408AA2
		mov	esp, 841D38A3h
		inc	ecx
_WNF_SEB_NETWORK_CONNECTIVITY_IN_STANDBY endp


;  S U B	R O U T	I N E 


_BATTERY_ETW_PROVIDER proc near		; DATA XREF: PopBatteryInitPhaseTwo()+50o
		or	bl, [ebp-5250A67Fh]
		mov	dl, 46h
		lea	edi, [ecx+ebx*4+0Bh]
		retn
_BATTERY_ETW_PROVIDER endp

; 
		pushf
		jl	short loc_408A9D

_KMPnPEvt_BootDriverReinit_Stop:	; DATA XREF: IopCallBootDriverReinitializationRoutines()+6Eo
		or	[ecx], eax
		add	[esp+eax], dl
		add	cl, [eax]
		add	[eax], esp
; 
		db 3 dup(0)
		dd 4000000h
; 

_KMPnPEvt_BootDriverReinit_Start:	; DATA XREF: IopCallBootDriverReinitializationRoutines()+Eo
		or	[ecx], al
		add	[esp+eax], dl

loc_408A9D:				; CODE XREF: .text:00408A86j
		add	[eax], ecx
		add	[eax], esp
; 
		db 0
word_408AA2	dw 0			; CODE XREF: _WNF_SEB_NETWORK_CONNECTIVITY_IN_STANDBY:_WNF_USB_ERROR_NOTIFICATIONj
		dd 4000000h
; 

_JobStart:				; DATA XREF: EtwpCrimsonProvEnableCallback:loc_8B1672o
					; EtwpPsProvTraceJob(x,x,x):loc_9F26ECo
		or	eax, 4100000h
		add	ds:40000h, ecx
; 
		db 0
		dd 80000000h
; 

_EnableProcessTracingCallbacks:		; DATA XREF: EtwpCrimsonProvEnableCallback+4Fo
		adc	[eax], al
; 
		dw 0
		dd 4, 800h, 0
; 

_PsProvTraceLoggingGuid:		; DATA XREF: EtwpTraceLoggingProvEnableCallback:loc_936AB4o
					; EtwpPsProvCaptureState(x,x,x)+1Eo ...
		xchg	eax, esp
; 
		db 0FFh, 39h, 28h
		dd 4E1B8F12h, 7AAFE382h, 0F457AF7h
; 

_KernelTimeZoneInformationRefresh:	; DATA XREF: EtwTraceTimeZoneInformationRefresh+15Fo
		sbb	[eax], al
		add	[eax], cl
		add	al, 0
		or	eax, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h

;  S U B	R O U T	I N E 


_PopThermalShutdownTemperatureName proc	near
					; DATA XREF: PopThermalWriteShutdownToRegistry(x,x)+54o
					; PopThermalHandlePreviousShutdown+6Bo
		push	ebx
		add	[eax+0], ch
		jnz	short $+2
		jz	short $+2
		add	fs:[edi+0], ch
		ja	short $+2
		outsb
_PopThermalShutdownTemperatureName endp

		add	[eax+eax+65h], dl
		add	[ebp+0], ch
		jo	short $+2
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+75h], dh
		add	[edx+0], dh
		add	gs:[eax], al

loc_408B0F:				; DATA XREF: PopThermalWriteShutdownToRegistry(x,x)+46o
					; PopThermalHandlePreviousShutdown+5Do
		add	[ebx+0], dl
		push	74007500h
		add	[eax+eax+6Fh], ah
		add	[edi+0], dh
		outsb
		endp

		add	[ebx+0], dl
		outsd
		add	[ebp+0], dh
		jb	short $+2
		arpl	[eax], ax
		add	gs:[eax], al
; 
		db 3 dup(0)

;  S U B	R O U T	I N E 


_PopThermalShutdownOccurredName	proc near
					; DATA XREF: PopThermalWriteShutdownToRegistry(x,x)+38o
					; PopThermalHandlePreviousShutdown+4Co
		push	ebx
		add	[eax+0], ch
		jnz	short $+2
		jz	short $+2
		add	fs:[edi+0], ch
		ja	short $+2
		outsb
_PopThermalShutdownOccurredName	endp

		add	[edi+0], cl
		arpl	[eax], ax
		arpl	[eax], ax
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[eax+eax+0],	ah
; 
		db 3 dup(0)
		align 8
; void PopThermalLoggingDefaultRegKey
_PopThermalLoggingDefaultRegKey	dd offset loc_52005B+1
					; DATA XREF: PopOpenThermalLoggingKey+4Ao
		dd offset loc_670065
aIstryMachineSy:
		unicode	0, <istry\Machine\SYSTEM\CurrentContro>
		db 6Ch
; 
; START	OF FUNCTION CHUNK FOR _GUID_LOW_POWER_EPOCH

loc_408BA5:				; CODE XREF: _GUID_LOW_POWER_EPOCH+3j
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[eax+0], dl
		outsd

loc_408BE1:				; CODE XREF: .text:_WNF_PO_PRIMARY_DISPLAY_VISIBLE_STATEj
		add	[edi+0], dh
		add	gs:[edx+0], dh
; END OF FUNCTION CHUNK	FOR _GUID_LOW_POWER_EPOCH
; 
		dd 0
; 

_MS_Windows_AIT_Provider:		; DATA XREF: KitInitialize+11o
		hlt
		stosd
; 
		dw 6ADDh
		dd 4EAB8C54h, 0EFFB4FBFh, 0B02EB661h

;  S U B	R O U T	I N E 


; void GUID_LOW_POWER_EPOCH
_GUID_LOW_POWER_EPOCH proc near		; DATA XREF: PdcPoLowPower(x)+14o
					; MmLowPowerEpochCallback(x,x,x,x)+Ao ...

; FUNCTION CHUNK AT 00408BA5 SIZE 00000043 BYTES

		xchg	eax, ebx
		cmp	[ebx], esp
		loope	loc_408BA5
		jmp	far ptr	51A3h:0E79D470Fh
_GUID_LOW_POWER_EPOCH endp

; 
		dd 71FBB6C1h
; 

; void GUID_EXECUTION_REQUIRED_REQUEST_TIMEOUT
_GUID_EXECUTION_REQUIRED_REQUEST_TIMEOUT:
					; DATA XREF: PopExecutionRequiredSettingCallback+35o
		inc	ecx
		mov	esp, 7E983166h
		add	ecx, [esi-4Dh]
		dec	esi
		in	al, dx
		maxps	xmm5, oword ptr	[ebx]
; 
		dw 8E21h
; 

; void GUID_DEVINTERFACE_HPMI
_GUID_DEVINTERFACE_HPMI:		; DATA XREF: PopCadHpmiPnpNotification(x,x)+Eo
					; PoInitDriverServices()+B1o
		add	ah, dl
		fcmovu	st, st(6)
		and	ds:0F3A64C40h, bl
		sbb	[edi+4FD519E3h], dl
; 
		dd 0
; 

_KernelLeapSecondDataUpdate:		; DATA XREF: EtwTraceLeapSecondDataUpdate+87o
		adc	al, 0
		add	[eax], cl
		add	al, 0
		push	es
		add	[eax], dl
; 
		db 3 dup(0)
		dd 80000000h
; 

_WNF_PO_PRIMARY_DISPLAY_VISIBLE_STATE:	; DATA XREF: NtPowerInformation+ED8o
					; TtmpUpdatePrimaryDisplayWnf(x,x,x)+43o ...
		jnz	short near ptr loc_408BE1+1
		mov	esp, 0C6013DA3h
		inc	ecx

; void GUID_USER_PRESENCE_PREDICTION
_GUID_USER_PRESENCE_PREDICTION:		; DATA XREF: PopUserPresencePredictionModeCallback+Eo
		add	eax, 95820117h
		sti
		inc	esi
		dec	ebp
		lea	esi, ds:0D2B14240h
		or	eax, 2F7EEEFh	; DATA XREF: PopDeepSleepPowerSettingCallback(x,x,x,x)+10o
		aad	0C7h
		sbb	eax, 5DA54EFDh
		lock dec ebx
		outsd
		pop	esp
		add	eax, 0A0C2C845h	; DATA XREF: PnpDiagInitialize()+3Co
		mov	bl, 0BBh
		sbb	edi, 4Dh
		lahf

loc_408C71:				; CODE XREF: .text:_WNF_PO_BRIGHTNESS_ALS_OFFSETj
					; .text:_WNF_PO_BASIC_BRIGHTNESS_ENGINE_DISABLEDj
		lea	ecx, [ebx+22h]
		rol	ebx, cl
		mov	dl, bh

_MS_KernelPnP_Provider:			; DATA XREF: PnpDiagInitialize()+8o
		cmp	[edx+20h], ebx
		pushf
		push	eax
		adc	bh, [ebp+48h]
		stosd
		xlat
		call	near ptr 56A52B8h
		cmp	[ecx], eax	; DATA XREF: PopTriggerDiagTraceAoAcCapability(x)+23o
; 
		db 0
word_408C8A	dw 0			; CODE XREF: .text:_WNF_PO_VIDEO_INITIALIALIZEDj
		align 10h
		dd 1, 0
; 

_WNF_PO_BRIGHTNESS_ALS_OFFSET:		; DATA XREF: PopInitVideoWnfState()+44o
		jnz	short near ptr loc_408C71+1
		mov	esp, 0C6013DA3h
		inc	ecx

_WNF_PO_BASIC_BRIGHTNESS_ENGINE_DISABLED: ; DATA XREF: PopPowerInformationInternal+1714CFo
					; PopInitVideoWnfState()+29o
		jnz	short near ptr loc_408C71+1

loc_408CA2:				; CODE XREF: .text:00408CB9j
		mov	esp, 0C6013DA3h
		inc	ecx

_WNF_PO_VIDEO_INITIALIALIZED:		; DATA XREF: PopPowerInformationInternal+410o
					; PopInitVideoWnfState()+14o
		jnz	short near ptr word_408C8A
		mov	esp, 0C6013DA3h
		inc	ecx

; void GUID_PROCESSOR_HETEROGENEOUS_POLICY
_GUID_PROCESSOR_HETEROGENEOUS_POLICY:	; DATA XREF: PopPpmHeteroPolicyCallback+Co
		cli
		pop	esp
		das
		jg	short loc_408CC1
		icebp
		and	ecx, [eax-4Bh]
		loope	near ptr loc_408CA2+2
		cmp	ch, al
		pop	edi
		inc	esi
		mov	ch, 0C0h	; DATA XREF: PopEsPublishState()+3Fo

loc_408CC1:				; CODE XREF: .text:00408CB3j
		pop	eax
		or	eax, esp
		adc	eax, edx
		into
		dec	edx
		lodsb

loc_408CC9:				; CODE XREF: .text:loc_408CC9j
					; _WNF_SEB_MIXED_REALITYj
		ja	short loc_408CC9
		int	3		; Trap to Debugger
		in	eax, dx
		db	2Eh
		out	dx, al
		movsd

_WNF_PO_ENERGY_SAVER_STATE:		; DATA XREF: PopEsPublishState()+2Do
		jnz	short near ptr word_408CF2
		mov	esp, 0C6013DA3h
		inc	ecx

_KMPnPEvt_SystemStartPnPEnum_Stop:	; DATA XREF: PiProcessStartSystemDevices(x)+4Do
		add	eax, 4110001h
		add	al, [ecx+eax]
		and	[eax], al
; 
		dw 0
		dd 20000000h
; 

_KMPnPEvt_SystemStartPnPEnum_Start:	; DATA XREF: PiProcessStartSystemDevices(x)+13o
		add	al, 1
		add	[ecx], dl
		add	al, 1
		add	al, 1
		and	[eax], al
; 
word_408CF2	dw 0			; CODE XREF: .text:_WNF_PO_ENERGY_SAVER_STATEj
		dd 20000000h

;  S U B	R O U T	I N E 


_WNF_SEB_MIXED_REALITY proc near	; DATA XREF: PopSetupMixedRealitytNotification()+Co
		jnz	short near ptr loc_408CC9+1
		mov	ebp, 840B3EA3h
		inc	ecx
_WNF_SEB_MIXED_REALITY endp


;  S U B	R O U T	I N E 


; void GUID_DISK_COALESCING_POWERDOWN_TIMEOUT
_GUID_DISK_COALESCING_POWERDOWN_TIMEOUT	proc near
					; DATA XREF: PopCoalescingPowerSettingCallback+15o
		mov	ah, 0Eh
		outsd
		retn
_GUID_DISK_COALESCING_POWERDOWN_TIMEOUT	endp

; 
		dd 4A702988h, 8408EE8Eh, 33242CFCh
; 

; void GUID_DEVICE_IDLE_POLICY
_GUID_DEVICE_IDLE_POLICY:		; DATA XREF: PopDeviceIdlePolicySettingCallback(x,x,x,x)+Ao
		sbb	dh, [edi-6D1AB056h]
		db	26h
		inc	edi
		mov	ch, 31h
		and	al, [ebp+59h]
; 
		db 67h,	2Dh, 19h
; 

; void GUID_ALLOW_AWAYMODE
_GUID_ALLOW_AWAYMODE:			; DATA XREF: PopAllowAwayModeSettingCallback+15o
		dec	ecx
		mov	eax, ds:5DD125DFh
		db	36h
		inc	edi
		mov	ch, 0ABh
		call	near ptr 819C08D2h

loc_408D2F:				; DATA XREF: PAGELK:0071EE12o
					; PopCheckPowerSourceAfterRtcWakeTimerWorker(x)+3Fo ...
		xchg	ecx, [edx-7F42C48Fh]
		push	es
		popf
		dec	ebp
		mov	dh, [edx-534B2D1Fh]
; 
		dw 6D80h
; 

; void GUID_ENABLE_SWITCH_FORCED_SHUTDOWN
_GUID_ENABLE_SWITCH_FORCED_SHUTDOWN:	; DATA XREF: PopSwitchForcedShutdownSettingCallback(x,x,x,x)+15o
		bound	ebp, [ebx+3Ah]
		and	dword ptr [edi+ebx*8-77DB92Fh],	0FFFFFFE0h
		sahf
		xor	al, 0D0h
		sub	esi, edx
; 
; void GUID_EM_RULE_SKIP_MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_ACTION_QUERY
_GUID_EM_RULE_SKIP_MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_ACTION_QUERY dd 0E2B8E68Fh, 49DDDF61h,	9D503D8Eh, 8803DA81h
					; DATA XREF: PopReadErrataSkipMemoryOverwriteRequestControlLockAction()+26o
; 

_GUID_EM_RULE_SKIP_MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_ACTION:
					; DATA XREF: PopReadErrataSkipMemoryOverwriteRequestControlLockAction()+32o
		cdq
		and	edi, [edi+1Dh]
		mov	word ptr ds:0B2B34FF1h,	es

loc_408D6A:				; CODE XREF: .text:00408DCEj
					; DATA XREF: PopReadErrataSkipHibernateMemoryMapValidation()+12o
		sub	dword ptr [edi-707C6113h], 248F82A5h
		or	ecx, 72h
		inc	edx
		mov	ebp, 6D1446Ah
		inc	eax

loc_408D7E:				; DATA XREF: PnpDiagnosticTraceDriverInitPhaseStart(x)+1Bo
		db	66h
		mov	cl, 2Ch
		add	[eax], eax
		adc	[eax+eax], eax
; 
		dw 0
		dd 0
		dd 20000000h
; 

_THREATINT_DRIVER_OBJECT_UNLOAD:	; DATA XREF: EtwTiLogDriverObjectUnLoad+23o
					; EtwTiLogDriverObjectUnLoad+82EF0o
		push	ds
		add	[ecx], al
		adc	[eax+eax], al
		or	al, [eax]
; 
		dd 40000000h, 80000000h
; 

; void GUID_EM_RULE_DISABLE_DEVICE_FAST_RESUME
_GUID_EM_RULE_DISABLE_DEVICE_FAST_RESUME:
					; DATA XREF: PopReadErrataDisablePrimaryDeviceFastResume()+11o
		push	cs
		not	byte ptr [edi+30h]
		mov	eax, 9242AF34h
		repne arpl [edi+29h], bx
		or	edi, edx

loc_408DAF:				; CODE XREF: .text:_WNF_SEB_MOBILE_HOTSPOTj
					; .text:_WNF_SEB_AUDIO_ACTIVITYj
					; DATA XREF: ...
		mov	ds:0F67E49Fh, eax
		push	ecx
; 
byte_408DB5	db 0FEh, 9Fh, 4Eh	; CODE XREF: .text:00408E11j
		dd 296F90B4h, 2760CC48h
; 

_LiveDumpProvGuid:			; DATA XREF: IoInitializeLiveDump()+Fo
		mov	gs, [edx-7E32410Eh]
		loop	near ptr _WNF_BLTH_BLUETOOTH_DEVICE_DOCK_STATUS+1
		cmpsd

loc_408DC9:				; CODE XREF: .text:00408E25j
		mov	ebx, 8861AC5Eh
		jo	short near ptr loc_408D6A+1

_WNF_SEB_MOBILE_HOTSPOT:		; DATA XREF: PopSetupMobileHotspotNotification()+12o
		jnz	short near ptr loc_408DAF+3
		mov	ebp, 840B3EA3h
		inc	ecx

_WNF_BLTH_BLUETOOTH_DEVICE_DOCK_STATUS:	; CODE XREF: .text:00408DC6j
					; DATA XREF: PopSetupBluetoothChargingNotification()+12o
		jnz	short near ptr loc_408E39+1

loc_408DDA:				; CODE XREF: .text:loc_408E39j
		mov	esp, 92022FA3h

loc_408DDF:				; CODE XREF: .text:00408E13j
					; DATA XREF: PopSetupAirplaneModeNotification()+12o
		or	[ebp+8], esi
		mov	esp, 851C3EA3h
		inc	ecx

_WNF_SRUM_SCREENONSTUDY_SESSION:	; DATA XREF: PopSetupSprActiveSessionChangeNotification()+12o
		jnz	short near ptr loc_408DF1+1
		mov	esp, 931C3EA3h
		or	al, 75h		; DATA XREF: PopSetupFullScrenVideoNotification()+12o

loc_408DF1:				; CODE XREF: .text:00408E4Dj
					; .text:_WNF_SRUM_SCREENONSTUDY_SESSIONj ...
		add	[ebp-7BF4C15Dh], bh
		inc	ecx

_WNF_PO_USER_AWAY_PREDICTION:		; DATA XREF: PopSetupUserPresencePredictionNotification()+12o
		jnz	short near ptr loc_408E66+4
		mov	esp, 0C6013DA3h
		inc	ecx

_WNF_SEB_AUDIO_ACTIVITY:		; DATA XREF: PopSetupAudioEventNotification()+12o
		jnz	short near ptr loc_408DAF+3

loc_408E02:				; CODE XREF: .text:00408E61j
		mov	ebp, 840B3EA3h
		inc	ecx

_DEVPKEY_DriverPackage_Invalidated:	; CODE XREF: .text:00408E3Bj
					; DATA XREF: .text:00401A18o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr byte_408DB5
		jz	short near ptr loc_408DDF+2
		inc	edi

loc_408E16:				; CODE XREF: .text:00408E75j
		fstp	tbyte ptr [edx+29h]

_DEVPKEY_DriverPackage_ExtensionContractIds: ; CODE XREF: .text:00408E4Fj
					; DATA XREF: .text:004019A0o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	loc_408DC9
		jz	short near ptr loc_408DF1+4
		inc	edi

loc_408E2A:				; CODE XREF: .text:00408E89j
		fstp	tbyte ptr [edx+22h]

_DEVPKEY_DriverPackage_TargetComputerIds: ; CODE XREF: .text:00408E63j
					; DATA XREF: .text:00401928o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp

loc_408E39:				; CODE XREF: .text:_WNF_BLTH_BLUETOOTH_DEVICE_DOCK_STATUSj
		loope	near ptr loc_408DDA+3
		jz	short near ptr _DEVPKEY_DriverPackage_Invalidated+1
		inc	edi

loc_408E3E:				; CODE XREF: .text:00408E9Dj
		fstp	tbyte ptr [edx+18h]

_DEVPKEY_DriverPackage_ExtensionId:	; CODE XREF: .text:00408E77j
					; DATA XREF: .text:004018C8o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	loc_408DF1
		jz	short near ptr _DEVPKEY_DriverPackage_ExtensionContractIds+1
		inc	edi
		fstp	tbyte ptr [edx+14h]

_DEVPKEY_DriverPackage_DriverVersion:	; CODE XREF: .text:00408E8Bj
					; DATA XREF: .text:00401868o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_408E02+3
		jz	short near ptr _DEVPKEY_DriverPackage_TargetComputerIds+1
		inc	edi

loc_408E66:				; CODE XREF: .text:_WNF_PO_USER_AWAY_PREDICTIONj
		fstp	tbyte ptr [edx+0Fh]

_DEVPKEY_DriverPackage_DriverDate:	; CODE XREF: .text:00408E9Fj
					; DATA XREF: .text:00401850o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_408E16+3
		jz	short near ptr _DEVPKEY_DriverPackage_ExtensionId+1
		inc	edi
		fstp	tbyte ptr [edx+0Eh]

_DEVPKEY_DriverPackage_F6:		; DATA XREF: .text:004017D8o
					; PiDevCfgQueryDriverNode(x,x,x,x,x,x)+3D3o
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_408E2A+3
		jz	short near ptr _DEVPKEY_DriverPackage_DriverVersion+1
		inc	edi

loc_408E8E:				; DATA XREF: __woutput_l+B9r
					; __output_l+B7r
		fstp	tbyte ptr [edx+9]

; void DEVPKEY_DriverPackage_SourceMediaPath
_DEVPKEY_DriverPackage_SourceMediaPath:	; DATA XREF: .text:00401760o
					; PiCMSetObjectProperty+A1738o
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_408E3E+3
		jz	short near ptr _DEVPKEY_DriverPackage_DriverDate+1
		inc	edi
		fstp	tbyte ptr [edx+4]

loc_408EA8:				; DATA XREF: __woutput_l+54Fo
					; __woutput_l+59Co ...
		sub	[esi+75h], ch
		insb
		insb
		sub	[eax], eax

loc_408EAF:				; DATA XREF: __woutput_l+CDr
					; __output_l+CBr
		add	[esi], al
; 
		db 2 dup(0), 6
		dd 100h, 6030010h, 10020600h, 45454504h, 5050505h, 303505h
		dd 50h,	38202000h, 75050h, 30303700h, 75057h, 8202000h
		dd 0
		dd 60686008h, 606060h, 78707000h, 707078h, 70807h, 8000007h
		dd 8000008h, 7000807h, 70008h, 0
___newctype	dd 40h dup(0)
asc_409010:				; DATA XREF: .data:__pctypeo
					; .data:off_6B10F8o
		unicode	0, <	     (((((		    H>
		dw 10h
		dd 7 dup(100010h), 5 dup(840084h), 3 dup(100010h), 810010h
		dd 2 dup(810081h), 10081h, 9 dup(10001h), 100001h, 2 dup(100010h)
		dd 820010h, 2 dup(820082h), 20082h, 9 dup(20002h), 100002h
		dd 100010h, 200010h, 3Ch dup(0)
dword_409200	dd 4 dup(0)		; DATA XREF: KiSystemStartup(x)+3Bo
__wctype	db 2 dup(0)
word_409212	dw 20h			; DATA XREF: .data:__pwctypeo
aHH:
		unicode	0, <	    h((((		   H>
		dd 7 dup(100010h), 840010h, 4 dup(840084h), 100084h, 3 dup(100010h)
		dd 3 dup(1810181h), 0Ah	dup(1010101h), 3 dup(100010h)
		dd 3 dup(1820182h), 0Ah	dup(1020102h), 2 dup(100010h)
		dd 10h dup(200020h), 480020h, 8	dup(100010h), 140010h
		dd 100014h, 2 dup(100010h), 100014h, 2 dup(100010h), 1010010h
		dd 0Bh dup(1010101h), 1010010h,	3 dup(1010101h), 0Ch dup(1020102h)
		dd 1020010h, 3 dup(1020102h), 1010102h,	0

;  S U B	R O U T	I N E 


___newclmap	proc near
		add	byte ptr [ecx-7A7B7C7Eh], 86h
		xchg	ecx, [eax-73747577h]
		lea	ecx, [esi-6D6E6F71h]
		xchg	eax, ebx
		xchg	eax, esp
		xchg	eax, ebp
		xchg	eax, esi
		xchg	eax, edi
		cwde
		cdq
		call	far ptr	0A09Fh:9E9D9C9Bh
		mov	eax, ds:0A5A4A3A2h
		cmpsb
		cmpsd
		test	al, 0A9h
		stosb
		stosd
		lodsb
		lodsd
		scasb
		scasd
		mov	al, 0B1h
		mov	dl, 0B3h
		mov	ah, 0B5h
		mov	dh, 0B7h
		mov	eax, 0BCBBBAB9h
		mov	ebp, 0C1C0BFBEh
		retn	0C4C3h
___newclmap	endp

; 
		db 0C5h, 0C6h, 0C7h
dword_409460	dd 0CBCAC9C8h, 0CFCECDCCh, 0D3D2D1D0h, 0D7D6D5D4h, 0DBDAD9D8h
		dd 0DFDEDDDCh, 0E3E2E1E0h, 0E7E6E5E4h, 0EBEAE9E8h, 0EFEEEDECh
		dd 0F3F2F1F0h, 0F7F6F5F4h, 0FBFAF9F8h, 0FFFEFDFCh, 3020100h
		dd 7060504h, 0B0A0908h,	0F0E0D0Ch, 13121110h, 17161514h
		dd 1B1A1918h, 1F1E1D1Ch, 23222120h, 27262524h, 2B2A2928h
		dd 2F2E2D2Ch, 33323130h, 37363534h, 3B3A3938h, 3F3E3D3Ch
		dd 63626140h, 67666564h, 6B6A6968h, 6F6E6D6Ch, 73727170h
		dd 77767574h, 5B7A7978h, 5F5E5D5Ch, 63626160h, 67666564h
		dd 6B6A6968h, 6F6E6D6Ch, 73727170h, 77767574h, 7B7A7978h
		dd 7F7E7D7Ch, 83828180h, 87868584h, 8B8A8988h, 8F8E8D8Ch
		dd 93929190h, 97969594h, 9B9A9998h, 9F9E9D9Ch, 0A3A2A1A0h
		dd 0A7A6A5A4h, 0ABAAA9A8h, 0AFAEADACh, 0B3B2B1B0h, 0B7B6B5B4h
		dd 0BBBAB9B8h, 0BFBEBDBCh, 0C3C2C1C0h, 0C7C6C5C4h, 0CBCAC9C8h
		dd 0CFCECDCCh, 0D3D2D1D0h, 0D7D6D5D4h, 0DBDAD9D8h, 0DFDEDDDCh
		dd 0E3E2E1E0h, 0E7E6E5E4h, 0EBEAE9E8h, 0EFEEEDECh, 0F3F2F1F0h
		dd 0F7F6F5F4h, 0FBFAF9F8h, 0FFFEFDFCh

;  S U B	R O U T	I N E 


___newcumap	proc near
		add	byte ptr [ecx-7A7B7C7Eh], 86h
		xchg	ecx, [eax-73747577h]
		lea	ecx, [esi-6D6E6F71h]
		xchg	eax, ebx
		xchg	eax, esp
		xchg	eax, ebp
		xchg	eax, esi
		xchg	eax, edi
		cwde
		cdq
		call	far ptr	0A09Fh:9E9D9C9Bh
		mov	eax, ds:0A5A4A3A2h
		cmpsb
		cmpsd
		test	al, 0A9h
		stosb
		stosd
		lodsb
		lodsd
		scasb
		scasd
		mov	al, 0B1h
		mov	dl, 0B3h
		mov	ah, 0B5h
		mov	dh, 0B7h
		mov	eax, 0BCBBBAB9h
		mov	ebp, 0C1C0BFBEh
		retn	0C4C3h
___newcumap	endp

; 
		db 0C5h, 0C6h, 0C7h
dword_4095E0	dd 0CBCAC9C8h, 0CFCECDCCh, 0D3D2D1D0h, 0D7D6D5D4h, 0DBDAD9D8h
		dd 0DFDEDDDCh, 0E3E2E1E0h, 0E7E6E5E4h, 0EBEAE9E8h, 0EFEEEDECh
		dd 0F3F2F1F0h, 0F7F6F5F4h, 0FBFAF9F8h, 0FFFEFDFCh, 3020100h
		dd 7060504h, 0B0A0908h,	0F0E0D0Ch, 13121110h, 17161514h
		dd 1B1A1918h, 1F1E1D1Ch, 23222120h, 27262524h, 2B2A2928h
		dd 2F2E2D2Ch, 33323130h, 37363534h, 3B3A3938h, 3F3E3D3Ch
		dd 43424140h, 47464544h, 4B4A4948h, 4F4E4D4Ch, 53525150h
		dd 57565554h, 5B5A5958h, 5F5E5D5Ch, 43424160h, 47464544h
		dd 4B4A4948h, 4F4E4D4Ch, 53525150h, 57565554h, 7B5A5958h
		dd 7F7E7D7Ch, 83828180h, 87868584h, 8B8A8988h, 8F8E8D8Ch
		dd 93929190h, 97969594h, 9B9A9998h, 9F9E9D9Ch, 0A3A2A1A0h
		dd 0A7A6A5A4h, 0ABAAA9A8h, 0AFAEADACh, 0B3B2B1B0h, 0B7B6B5B4h
		dd 0BBBAB9B8h, 0BFBEBDBCh, 0C3C2C1C0h, 0C7C6C5C4h, 0CBCAC9C8h
		dd 0CFCECDCCh, 0D3D2D1D0h, 0D7D6D5D4h, 0DBDAD9D8h, 0DFDEDDDCh
		dd 0E3E2E1E0h, 0E7E6E5E4h, 0EBEAE9E8h, 0EFEEEDECh, 0F3F2F1F0h
		dd 0F7F6F5F4h, 0FBFAF9F8h, 0FFFEFDFCh
; 

___clocalestr:				; DATA XREF: .data:006B1088o
					; .data:006B1098o ...
		inc	ebx
; 
		db 3 dup(0)
		align 10h
dbl_409720	dq 1.0			; DATA XREF: __convertTOStoQNaN:loc_588229r
; 

__DEFAULT_CW_in_mem:			; DATA XREF: sub_58302F+Fr
					; sub_5830EF+Fr
		jg	short near ptr __pi_by_2_to_61+2

__pi_by_2_to_61:			; CODE XREF: .text:__DEFAULT_CW_in_memj
					; DATA XREF: sub_58302F:loc_583069r ...
		xor	eax, 0A22168C2h
		fimul	dword ptr [edi]
		leave
		db	3Eh
		inc	eax
; 
dbl_409734	dq 1.797693134862316e308 ; DATA	XREF: __check_overflow_exit+9Er
dbl_40973C	dq 2.225073858507201e-308 ; DATA XREF: __check_overflow_exit+75r
dbl_409744	dq -1.536e3		; DATA XREF: __check_overflow_exit:loc_588353r
dbl_40974C	dq 1.536e3		; DATA XREF: __check_overflow_exit:loc_58832Ar
dbl_409754	dq 1.797693134862316e308 ; DATA	XREF: __check_overflow_exit+AFr
dbl_40975C	dq 0.0			; DATA XREF: __check_overflow_exit+86r
		align 8
__d_inf		dq 1.797693134862316e308 ; DATA	XREF: __handle_exc:loc_58863Fr
					; __handle_exc:loc_588647r ...
__d_max		dq 1.797693134862316e308 ; DATA	XREF: __handle_exc+88r
					; __handle_exc+A3r ...
; 

___lconv_static_decimal:		; DATA XREF: .data:___lconv_co
					; .data:006B110Co ...
		add	cs:[eax], al
; 
		db 0
; 

___lconv_static_W_decimal:		; DATA XREF: .data:006B1138o
		add	cs:[eax], al
; 
		db 0
___lconv_static_W_null dd 2 dup(0)	; DATA XREF: .data:006B113Co
					; .data:006B1140o ...
___lookuptable_s db 6			; DATA XREF: __output_s+DDr
					; __woutput_s+E8r
		db 2 dup(80h), 86h
		dd 808180h, 86031000h, 80828680h, 45050514h, 85854545h
		dd 585h, 50803030h, 8008080h, 30272000h, 805750h, 30370007h
		dd 88505030h, 20000000h, 80888028h, 80h, 68606060h, 6068h
		dd 70777807h, 8707077h,	8000008h, 7000807h, 70008h
dword_4097E4	dd 6A09E667h, 0BB67AE85h, 3C6EF372h, 0A54FF53Ah, 510E527Fh
					; DATA XREF: SymCryptSha256Init(x)+Eo
					; SymCryptSha256Result(x,x)+9Bo
		dd 9B05688Ch, 1F83D9ABh, 5BE0CD19h, 3Fh	dup(0)
_SymCryptSha256K db 98h, 2Fh, 8Ah, 42h,	91h, 44h, 37h, 71h, 0CFh, 0FBh
					; DATA XREF: .text:0058DDC5r
		db 0C0h, 0B5h, 0A5h, 0DBh, 0B5h, 0E9h
; 

loc_409910:				; DATA XREF: .text:0058DDF9o
		pop	ebx
		retn	3956h
; 
dword_409914	dd 59F111F1h, 923F82A4h, 0AB1C5ED5h, 0D807AA98h, 12835B01h
					; DATA XREF: .text:0058DE11o
		dd 243185BEh, 550C7DC3h, 72BE5D74h, 80DEB1FEh, 9BDC06A7h
		dd 0C19BF174h, 0E49B69C1h
dword_409944	dd 0EFBE4786h, 0FC19DC6h, 240CA1CCh, 2DE92C6Fh,	4A7484AAh
					; DATA XREF: SymCryptSha256AppendBlocks_ul1(x,x,x,x)+86Fo
					; .text:0058DE93o
		dd 5CB0A9DCh, 76F988DAh, 983E5152h, 0A831C66Dh,	0B00327C8h
		dd 0BF597FC7h, 0C6E00BF3h, 0D5A79147h, 6CA6351h, 14292967h
		dd 27B70A85h, 2E1B2138h, 4D2C6DFCh, 53380D13h, 650A7354h
		dd 766A0ABBh, 81C2C92Eh, 92722C85h, 0A2BFE8A1h,	0A81A664Bh
		dd 0C24B8B70h, 0C76C51A3h, 0D192E819h, 0D6990624h, 0F40E3585h
		dd 106AA070h, 19A4C116h, 1E376C08h, 2748774Ch, 34B0BCB5h
		dd 391C0CB3h, 4ED8AA4Ah, 5B9CCA4Fh, 682E6FF3h, 748F82EEh
		dd 78A5636Fh, 84C87814h, 8CC70208h, 90BEFFFAh, 0A4506CEBh
		dd 0BEF9A3F7h, 0C67178F2h
__xmm@0c0d0e0f08090a0b0405060700010203 db 3, 2,	1, 0, 7, 6, 5, 4, 0Bh, 0Ah, 9, 8, 0Fh, 0Eh, 0Dh
					; DATA XREF: .text:0058DD91r
					; .text:0058E0C2o ...
		db 0Ch
; 

_cpuidBitInfo:				; DATA XREF: .text:loc_58F984r
					; .text:0058F99Fr ...
		add	[edx], eax

loc_409A12:				; DATA XREF: .text:0058F9B6r
		push	ds
; 
		db 0
dword_409A14	dd 200h			; DATA XREF: .text:loc_58F9C5r
		dd 10201h, 8, 190201h, 4, 190301h, 3, 1A0301h, 3, 201h
		dd 2, 90201h, 2, 1C0201h, 10h, 50107h, 10h, 120107h, 400h
		dd 1D0107h, 40h, 130107h, 100h,	80107h,	80h
aV100_5_vb_rele	db 'v100.5_vb_release_svc_2021-10-19T12:53:25_2021-10-19T12:53:25',0
					; CODE XREF: .text:_WNF_SEB_DEV_MNF_CUSTOM_NOTIFICATION_RECEIVEDj
					; DATA XREF: .data:_SymCryptBuildStringo
		align 4
		dd 0
		dd 0FFFFFFFFh
; 

_WNF_SEB_DEV_MNF_CUSTOM_NOTIFICATION_RECEIVED:
					; DATA XREF: RtlRaiseCustomSystemEventTrigger(x)+3Cr
					; RtlpCtContextInit(x,x)+5Eo
		jnz	short near ptr aV100_5_vb_rele+2

loc_409AC2:				; DATA XREF: RtlRaiseCustomSystemEventTrigger(x)+49r
		mov	esp, 840B3EA3h
		inc	ecx

_WNF_BOOT_INVALID_TIME_SOURCE:		; DATA XREF: PAGELK:0071F216o
					; Phase1InitializationDiscard(x)+B78o
		jnz	short loc_409ADA
		mov	esp, 89012FA3h
		adc	eax, 0A3BD3075h	; DATA XREF: PopEvaluateInputSuppressionAction()+F6o
; 
		dd 41C6013Dh
; 

_WNF_CMFC_FEATURE_CONFIGURATION_CHANGED:
					; DATA XREF: CmFcpManagerPublishChangeNotifications(x,x,x)+7Co
					; CmFcpManagerPublishChangeNotifications(x,x,x)+A4o ...
		jnz	short loc_409AE2

loc_409ADA:				; CODE XREF: .text:_WNF_BOOT_INVALID_TIME_SOURCEj
		mov	esp, 80032EA3h

loc_409ADF:				; DATA XREF: sub_787DE0+6DEo
		add	dh, [ebp+68h]

loc_409AE2:				; CODE XREF: .text:_WNF_CMFC_FEATURE_CONFIGURATION_CHANGEDj
		mov	esp, 8F0222A3h

loc_409AE7:				; DATA XREF: ExpRefreshTimeZoneInformation(x)+540o
		add	dh, [ebp+38h]
		mov	esp, 840B3EA3h
		inc	ecx

_WNF_PO_INPUT_SUPPRESS_NOTIFICATION:	; DATA XREF: PopEvaluateInputSuppressionAction()+136o
		jnz	short near ptr word_409B0A
		mov	ebp, 0C6013DA3h
		inc	ecx

_WNF_PO_RECONCILED_WEAK_CHARGER:	; DATA XREF: PopBatteryWorker+9FDCBo
					; PopBatteryWorker+A023Ao
		jnz	short near ptr word_409B62
		mov	ebp, 0C6013DA3h
		inc	ecx

_WNF_PNPB_AWAITING_RESPONSE:		; DATA XREF: PAGE:008D5B0Fo
					; PiUEventNotifyTargetDeviceChange+E201Co
		jnz	short near ptr word_409B0A
		mov	esp, 96003DA3h

loc_409B07:				; DATA XREF: KiIntSteerLogStatus(x)+21o
		add	eax, [ebx]
; 
		db 0
word_409B0A	dw 0			; CODE XREF: .text:_WNF_PO_INPUT_SUPPRESS_NOTIFICATIONj
					; .text:_WNF_PNPB_AWAITING_RESPONSEj
		dd 30004h, 1, 0
; 

_PPM_ETW_PERF_SELECT_PROCESSOR_STATE:	; DATA XREF: PpmPerfSelectProcessorState+12A617o
		pop	edx
; 
		db 3 dup(0)
		dd offset loc_450002+2
		dd 20h,	0
; 

_PPM_ETW_RECORDED_UTILITY:		; DATA XREF: PpmPerfRecordUtility+12A0BBo
		or	al, 0
		add	al, [eax]
		add	eax, 2000C00h
; 
		db 3 dup(0)
		align 8

_POP_ETW_EVENT_POWER_AGGREGATOR_PDC_PHASES_EXITED:
					; DATA XREF: PopPowerAggregatorNotifyPdcPhasesExit()+36o
		xor	eax, [edx]
		add	[eax], dl
		add	al, 0
		or	[ecx], eax
		add	al, 80h
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_ADPM_SESSION_CONNECTED:	; DATA XREF: PopSessionConnected(x,x,x)+15o
		xchg	eax, edx
		add	[eax], eax
		adc	[eax+eax], al
		outsd
		add	[esp+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_THERMAL_STANDBY_NOTIFICATION: ; DATA XREF: PopThermalStandbyNotify(x)+Do
		movsb
; 
		db 2 dup(0), 11h
		dd 0C80004h
		db 20h,	0
word_409B62	dw 0			; CODE XREF: .text:_WNF_PO_RECONCILED_WEAK_CHARGERj
		dd 20000000h
; 

_POP_ETW_EVENT_THERMAL_REQUEST_REMOVE:	; DATA XREF: PopDeactiveThermalRequest(x):loc_9AA8F2o
					; PopOrphanCoolingExtension(x):loc_9AAC4Fo
		sahf
; 
		db 2 dup(0), 11h
		dd 0C20004h, 20h, 20000000h
; 

_POP_ETW_EVENT_COOLING_EXTENSION_REMOVE: ; DATA	XREF: PopDeactiveThermalRequest(x)+136o
					; PopDisableCoolingExtension(x):loc_9AAB15o
		cdq
; 
		db 2 dup(0), 11h
		dd 0BD0004h, 20h, 20000000h
; 

_POP_ETW_EVENT_POWER_REQUEST_RUNDOWN:	; DATA XREF: PopDiagTracePowerRequestCreate(x,x):loc_842387o
					; PopDiagTracePowerRequestCreate(x,x)+56Ao
		arpl	[eax], ax
		add	[eax], edx
		add	al, 0
		pusha
		add	[esp+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_CREATE_POWER_REQUEST:	; DATA XREF: PopDiagTracePowerRequestCreate(x,x)+5Eo
					; PopDiagTracePowerRequestCreate(x,x):loc_842893o
		pop	esp
		add	[ecx], al
		adc	[eax+eax], al
		pop	ecx
		add	[esp+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_AWAYMODE:		; DATA XREF: PopSetSystemAwayMode(x)+90o
		cmp	eax, [eax]
		add	[eax], cl
		add	al, 0
		inc	ecx
		add	[esp+eax], al
; 
		dw 0
		dd 80000000h
; 

_MITIGATION_ENFORCE_PROHIBIT_FSCTL_SYSTEM_CALLS:
					; DATA XREF: EtwTimLogProhibitFsctlSystemCalls(x,x)+18o
		and	al, [eax]
		add	[eax], dl
		add	eax, [eax]
		adc	[eax], eax
; 
		dd 0
		dd 80000000h
; 

_MITIGATION_AUDIT_PROHIBIT_FSCTL_SYSTEM_CALLS:
					; DATA XREF: EtwTimLogProhibitFsctlSystemCalls(x,x)+Eo
		and	[eax], eax
		add	[eax], dl
; 
		dd 110000h, 0
		dd 80000000h
; 

_MITIGATION_ENFORCE_REDIRECTION_TRUST_POLICY:
					; DATA XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+367o
		and	[eax], al
		add	[eax], dl
		add	al, [eax]
		adc	[eax], al
; 
		dd 0
		dd 80000000h
; 

_MITIGATION_AUDIT_REDIRECTION_TRUST_POLICY:
					; DATA XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+354o
		pop	ds
; 
		db 2 dup(0), 10h
		dd 100003h, 0
		dd 80000000h
; 

_MITIGATION_ENFORCE_BLOCK_NON_CET_BINARIES:
					; DATA XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+2E0o
		push	ds
; 
		db 2 dup(0), 10h
		dd 0F0002h, 0
		dd 80000000h
; 

_MITIGATION_AUDIT_BLOCK_NON_CET_BINARIES:
					; DATA XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+2D6o
		sbb	eax, 3100000h
		add	[edi], cl
; 
		db 0
		dd 0
		dd 80000000h
; 

_IoMgrProvider:				; DATA XREF: INIT:00AC2CD9o
		xchg	dh, ch
		icebp
		stosd
		push	eax
		db	2Eh
		test	al, 4Bh
		xchg	eax, edx
		lea	ecx, [ecx+4]
		dec	esi
		outsd
		or	eax, 3CABDB7h	; DATA XREF: INIT:00AC2CB3o
		mov	eax, ds:4A938242h
; 
		dd 0DF1CF58Dh, 0A6263F3Bh
; 

_ETW_EVENT_SET_TRAITS_FAILED:		; DATA XREF: EtwpSetProviderTraitsUm(x,x,x)+159o
					; EtwpSetProviderTraitsKm(x,x,x):loc_872363o ...
		sbb	al, 0
		add	[eax], dl
		add	bl, [ecx]
		add	eax, [eax]
		and	[edx], cl
; 
		dw 0
		dd 80000000h
; 

_ETW_EVENT_SAVE_PERSISTED_LOGGER_START:	; DATA XREF: EtwpSavePersistedLogger(x,x,x)+7Fo
		adc	eax, 4000000h
		add	[eax], ecx
		add	[eax+0], al
; 
		db 3 dup(0)
; 

_ETW_EVENT_LOST_EVENT:			; DATA XREF: .text:loc_528C24o
					; EtwpFailLogging+95441o ...
		adc	eax, [eax]
; 
		dw 0
		dd 70002h, 40h,	0
; 

_ETW_EVENT_SWITCH_TO_NEW_FILE_FAILED:	; DATA XREF: EtwpLogger(x)+20Bo
					; EtwpLogger(x)+234o
		add	eax, 2100000h
		or	eax, [ecx]
		add	[eax], dl
; 
		db 3 dup(0)
		dd 80000000h
; 

_ETW_EVENT_SESSION_END_FAILED:		; DATA XREF: EtwpLogger(x):loc_7F2CC7o
					; EtwpEventWriteTemplateSessionEnd(x,x,x,x,x,x,x,x,x)+58o
		add	eax, [eax]
		add	[eax], edx
		add	cl, [esi]
		add	al, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_REG_EVENT_TXR_INIT:			; DATA XREF: CmpLogTxrInitEvent(x,x,x)+ADo
		or	eax, [eax]
		add	[eax], cl
		add	al, 0
; 
		dw 0
		dd 0
		dd 80000000h
; 

_REG_EVENT_SELFHEAL:			; DATA XREF: CmpInitHiveFromFile+17DE8Ao
		add	eax, 2080000h
; 
		db 3 dup(0)
		dd 0
		dd 80000000h
aOSygSydAGaSyAG:			; DATA XREF: CmFcInitSystem2()+20o
		unicode	0, <O:SYG:SYD:(A;;GA;;;SY)(A;;GA;;;BA)>,0
		align 10h
aOSygSydAGrSyAG:			; DATA XREF: CmFcManagerStartRuntimePhase(x)+68o
		unicode	0, <O:SYG:SYD:(A;;GR;;;SY)(A;;GR;;;BA)(A;;GR;;;IU)(A;;GR;;;AU>
		unicode	0, <)(A;;GR;;;AC)(A;;GR;;;S-1-5-32-1045063015-423899465-30127>
		unicode	0, <69174-65638258-1865874412-2349348127-763856749-1075684855>
		unicode	0, <)(A;;GR;;;S-1-15-3-1024-1045063015-423899465-3012769174-6>
		unicode	0, <5638258-1865874412-2349348127-763856749-1075684855)(A;;GR>
		unicode	0, <;;;S-1-5-80-2970612574-78537857-698502321-558674196-14516>
		unicode	0, <44582)(A;;GR;;;S-1-15-3-1024-1502825166-1963708345-261637>
		unicode	0, <7461-2562897074-4192028372-3968301570-1997628692-14359536>
		unicode	0, <22)>,0
; 

_CmFcpWnfTypeId:			; DATA XREF: CmFcpManagerPublishChangeNotifications(x,x,x)+57o
					; CmFcManagerStartRuntimePhase(x)+1C1o
		arpl	[ecx+edi*8+48h], sp
		setalc
		push	edx
		test	[esi-64h], ecx
		add	dh, dl
		ror	dword ptr [esi+17h], 26h
		dec	esi

_HV_EVENTLOG_START_SUCCEEDED:		; DATA XREF: HvlPhase2Initialize+7DDE1o
		add	[eax], eax
		add	[eax], cl
		add	al, 0
; 
		dw 0
		dd 0
		dd 80004000h
; 

_HV_EVENTLOG_CORE_SCHEDULER_PROCESSOR_CONFIGURATION_WARNING:
					; DATA XREF: HvlPhase2Initialize+7DE33o
		mov	eax, ds:3080000h
; 
		db 3 dup(0)
		dd 0
		dd 80004000h

;  S U B	R O U T	I N E 


; void GUID_HWPROFILE_CHANGE_CANCELLED
_GUID_HWPROFILE_CHANGE_CANCELLED proc far
					; DATA XREF: IoReportTargetDeviceChange(x,x):loc_967E9Eo
					; PnpRequestHwProfileChangeNotification(x,x,x,x)+37o ...
		add	al, [eax+3Ah]
		retf
_GUID_HWPROFILE_CHANGE_CANCELLED endp

; 
		dd 11D046F0h, 60008FB0h, 3F051397h

;  S U B	R O U T	I N E 


; void GUID_HWPROFILE_CHANGE_COMPLETE
_GUID_HWPROFILE_CHANGE_COMPLETE	proc far
					; DATA XREF: PnpRequestHwProfileChangeNotification(x,x,x,x)+4Co
					; PpProfileCancelTransitioningDock(x,x)+53o ...
		add	eax, [eax+3Ah]
		retf
_GUID_HWPROFILE_CHANGE_COMPLETE	endp

; 
		dd 11D046F0h, 60008FB0h, 3F051397h
; 

_KMPnPEvt_CfgMgr_DeviceInterfaceList_Start:
					; DATA XREF: McTemplateK0jzt_EtwWriteTransfer(x,x,x,x,x,x)+6Eo
		mov	esi, 4000002h
		add	[esi+40000002h], edi
		add	[eax], eax
; 
		db 3 dup(0)
; 

_KMPnPEvt_CfgMgr_DeviceList_Start:	; DATA XREF: McTemplateK0zzt_EtwWriteTransfer(x,x,x,x,x,x)+8Bo
		mov	esp, 4000002h
		add	[edx+eax+1400000h], edi
; 
		dd 0
; 

_KMPnPEvt_CfgMgr_DeviceList_Stop:	; DATA XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+168o
		mov	ebp, 4000002h
		add	bh, [edx+eax+1400000h]
; 
		dd 0
; 

_KMPnPEvt_CfgMgr_DeviceInterfaceList_Stop: ; DATA XREF:	PiCMGetDeviceInterfaceList+11882Ao
		mov	edi, 4000002h
		add	bh, [esi+40000002h]
		add	[eax], eax
; 
		db 3 dup(0)
; 

_KMPnPEvt_OsLoader_Time:		; DATA XREF: IopInitializePlugPlayServices(x,x)+936o
		int	3		; Trap to Debugger
		add	[edx], al
		adc	[eax+eax], eax
		int	3		; Trap to Debugger
		add	[eax], ah
; 
		db 3 dup(0)
		dd 20000000h
; 

_DEVPKEY_Device_DmaRemappingPolicy:	; DATA XREF: .text:00404784o
					; PipDmgSaveDeviceDmarPolicy(x,x,x)+33o ...
		db	26h
		arpl	dx, bx
		and	dword ptr [esi-6BBF7769h], 53h
		mov	eax, ds:3B573F92h
		sub	[edx], edx
; 
		db 3 dup(0)
; 

; void DEVPKEY_Device_FriendlyNameAttributes
_DEVPKEY_Device_FriendlyNameAttributes:	; DATA XREF: PiCMSetObjectProperty+A171Co
		cmpsb
		push	ds
		fadd	dword ptr [eax+4B0C7473h]
		adc	byte ptr [esi],	0EFh
		rcr	dword ptr [edx], 2Ch
		dec	esp
		mov	eax, [ebx]
; 
		db 3 dup(0)
; 

; void DEVPKEY_WIA_DeviceType
_DEVPKEY_WIA_DeviceType:		; DATA XREF: PiCMSetObjectProperty+A1754o
		mov	byte ptr [edi],	0DDh
		imul	ecx, [edi], -7Fh
		rcl	byte ptr [ecx],	1
		mov	esi, 2B0008C7h
		loop	near ptr _KiCpuFeatureTable
		das
		add	al, [eax]
; 
		dw 0
		align 8
_KiCpuFeatureTable dd 1			; CODE XREF: .text:0040A15Dj
					; DATA XREF: PAGELK:loc_726F1Ar ...
dword_40A16C	dd 0			; DATA XREF: PAGELK:00726F25r
					; PAGELK:00726F30r
dword_40A170	dd 1			; DATA XREF: PAGELK:00726F7Cr
					; PAGELK:00727126r ...
dword_40A174	dd 2			; DATA XREF: PAGELK:00726F73r
					; PAGELK:loc_727120r ...
dword_40A178	dd 0Ch			; DATA XREF: PAGELK:loc_726EE4r
		align 10h
dword_40A180	dd 80000h		; DATA XREF: PAGELK:00726F9Ar
					; PAGELK:00726FCBr ...
dword_40A184	dd 0			; DATA XREF: PAGELK:00726FA0r
					; PAGELK:00726FD4r ...
		dd 1, 0
		dd 200h, 2, 0Ch, 2 dup(0)
		dd 40h,	1, 0
		dd 2000h, 2 dup(2), 3 dup(0)
		dd 1, 0
		dd 20000h, 2, 0Ah, 3 dup(0)
		dd 1, 0
		dd 80000h, 2, 0Ch, 2 dup(0)
		dd 80h,	1, 0
		dd 100000h, 2, 0Ch, 2 dup(0)
		dd 100h, 1, 0
		dd 10000000h, 2, 0Ch, 2	dup(0)
		dd 200h, 1, 0
		dd 40000000h, 2, 0Ch, 0
		dd 2000000h, 0
		dd 1, 0
		dd 200000h, 3, 0Ch, 0
		dd 20000h, 0
		dd 6, 0
		dd 2000h, 0
		dd 200000Ch, 2 dup(0)
		align 8
		dd 6, 0
		dd 2 dup(2), 200000Ch, 0
		dd 200000h, 0
		dd 7, 0
		dd 2 dup(1), 600000Ah, 3 dup(0)
		dd 7, 0
		dd 20h,	1, 0Ch,	2 dup(0)
		align 8
		dd 7, 0
		dd 80h,	1, 0Ch,	0
		dd 1000000h, 0
		dd 7, 0
		dd 400h, 1, 0Ah, 3 dup(0)
		dd 7, 0
		dd 10000h, 1, 0Ch, 2 dup(0)
		dd 800h, 7, 0
		dd 100000h, 1, 0Ah, 0
		dd 10000000h, 0
		dd 7, 0
		dd 800000h, 1, 200000Ah, 2 dup(0)
		dd 2, 7, 0
		dd 1000000h, 1,	200000Ah, 3 dup(0)
		dd 7, 0
		dd 4, 2, 14h, 0
		dd 4, 0
		dd 7, 0
		dd 400000h, 2, 14h, 0
		dd 2, 0
		dd 7, 0
		dd 400h, 3, 14h, 0
		dd 8, 0
		dd 7, 0
		dd 8000h, 3, 200000Ch, 2 dup(0)
		dd 1000h, 7, 0
		dd 4000000h, 3,	22000014h, 0
		dd 0A00h, 0
		dd 7, 0
		dd 8000000h, 3,	22000014h, 0
		dd 0C00h, 0
		dd 7, 0
		dd 10000000h, 3, 14h, 0
		dd 1, 0
		dd 7, 0
		dd 20000000h, 3, 14h, 0
		dd 40h,	0
		dd 7, 0
		dd 80000000h, 3, 22000014h, 0
		dd 1000h, 0
		dd 7, 2, 10h, 3, 2000014h, 0
		dd 8000000h, 0
		dd 80000001h, 0
		dd 1, 2	dup(2),	3 dup(0)
		dd 80000001h, 0
		dd 20000000h, 2, 4000014h, 0
		dd 2000h, 0
		dd 80000001h, 0
		dd 800h, 3, 2, 3 dup(0)
		dd 80000001h, 0
		dd 100000h, 3, 2000002h, 3 dup(0)
		dd 80000001h, 0
		dd 4000000h, 3,	0Ah, 3 dup(0)
		dd 80000001h, 0
		dd 8000000h, 3,	0Ch, 2 dup(0)
		dd 1, 80000001h, 0
		dd 80000000h, 3, 0Ch, 0
		dd 4000h, 0
		dd 80000008h, 0
		dd 1000h, 1, 4000014h, 0
		dd 800h, 0
		dd 80000008h, 0
		dd 4000h, 1, 4000014h, 0
		dd 200h, 0
		dd 80000008h, 0
		dd 8000h, 1, 4000014h, 0
		dd 400h, 0
		dd 80000008h, 0
		dd 10000000h, 1, 4000014h, 0
		dd 20000h, 0
		dd 80000008h, 0
		dd 20000000h, 1, 4000014h, 0
		dd 1000000h, 0
		dd 80000008h, 0
		dd 40000000h, 1, 4000014h, 0
		dd 2000000h, 0
		dd 80000021h, 0
		dd 20h,	0
		dd 4000014h, 2 dup(0)
		dd 1000h, 80000021h, 0
		dd 10000000h, 0
		dd 4000014h, 2 dup(0)
		dd 2, 80000021h, 0
		dd 20000000h, 0
		dd 4000014h, 2 dup(0)
		align 8
		dd 80000021h, 0
		dd 2 dup(2), 4000014h, 2 dup(0)
		align 8
		dd 80000021h, 0
		dd 4, 2, 4000014h, 2 dup(0)
		dd 800h
; 

_MiShortTime:				; DATA XREF: .text:004786BAo
					; MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+39Co ...
		pusha

loc_40A749:				; CODE XREF: .text:loc_40A749j
		jns	short loc_40A749
; 
		db 0FFh
		dd 0FFFFFFFFh
; 

_MiFiveSeconds:				; DATA XREF: .text:loc_46F202o
					; MiWaitForFreePagesToZero(x,x,x):loc_63A04Ao
		or	byte ptr [edi],	5
		std
; 
		dd 0FFFFFFFFh
; 

; void GUID_LIDSWITCH_STATE_CHANGE
_GUID_LIDSWITCH_STATE_CHANGE:		; DATA XREF: PopBroadcastInputSuppressionCallback+9B549o
					; PopLidSwitchChangeCallback(x,x,x,x)+1Co ...
		dec	ebp
; 
		db 0Fh,	3Eh, 0BAh
		dd 4094B817h, 63D5D1A2h, 0F3A0E679h

;  S U B	R O U T	I N E 


_GUID_ENERGY_SAVER_POLICY proc near	; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+31Eo
		dec	ecx
		mov	bl, 5Bh
		pop	esp
		sub	[ebp+0B9D4EE2h], ebp
		sub	esp, ds:817A0F27h
_GUID_ENERGY_SAVER_POLICY endp


;  S U B	R O U T	I N E 


_GUID_LEGACY_RTC_MITIGATION proc near	; DATA XREF: PAGELK:0071F561o
					; PopDeferDoze(x,x,x)+78o
		retn
_GUID_LEGACY_RTC_MITIGATION endp

; 
		db 0BDh, 34h, 1Ah
		dd 442E7E6Bh, 0B664D0A9h, 848E37EFh
; 

_GUID_STANDBY_BUDGET_PERCENT:		; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+3F9o
		mov	esi, 709FE527h
		sbb	ebx, edx
		dec	eax
		xchg	eax, ebx
		or	eax, 0B417CF7Bh
		dec	ecx
		nop

; void EM_RULE_DISABLE_MULTI_PHASE_RESUME
_EM_RULE_DISABLE_MULTI_PHASE_RESUME:	; DATA XREF: PopEnableHiberFile(x,x)+3A1o
		ror	ecx, cl
		sahf
		enter	0FFFF83DBh, 0F0h
		inc	edx
		lea	ecx, ds:0F14BCC98h
; 
		dw 0AF10h
; 

; void GUID_SPM_LOW_POWER_CS
_GUID_SPM_LOW_POWER_CS:			; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+90o
					; PopCaptureSleepStudyStatistics(x,x,x,x)+BFo ...
		sub	ebx, [ecx]
		cdq
		int	3		; Trap to Debugger
; 
		dd 44FD8B8Eh, 62EFA9B0h, 294D1B14h
; 

_PspShortTime:				; DATA XREF: PAGE:loc_7A7850o
					; PspExitThread:loc_8D9734o ...
		sar	byte ptr [ebp-10h], 0FFh
; 
		db 0FFh
; 

_RtlpCheckTokenCapabilityGenericMapping: ; DATA	XREF: RtlCheckTokenCapability(x,x,x)+284o
		add	[eax], eax
		add	al, [eax]
; 
		dd 30000h, 20000h, 1F0001h
; 

_RtlpCheckTokenMembershipGenericMapping:
					; DATA XREF: RtlCheckTokenMembershipEx(x,x,x,x)+279o
		add	[eax], eax
		add	al, [eax]
; 
		dd 2 dup(20000h), 1F0001h
_StandardBitMapping dd 20000h, 10D0000h, 100000h, 11F0000h
					; DATA XREF: SeComputeCreatorDeniedRights(x,x,x,x)+130o
					; SeComputeCreatorDeniedRights(x,x,x,x)+17Eo

;  S U B	R O U T	I N E 


_PrivateLoggerSecurityGuid proc	near	; DATA XREF: EtwpNotifyGuid(x,x,x)+E5o
		iret
_PrivateLoggerSecurityGuid endp

; 
		db 96h,	24h, 47h
		dd 4F7C0DAFh, 843F2EACh, 0BBC6EC57h
; 

_EtwpOneSecond:				; DATA XREF: EtwpLogger(x)+35Bo
		sub	byte ptr [ecx+67h], 0FFh
; 
		dd 0FFFFFFFFh
off_40A808	dd offset loc_530059+3	; DATA XREF: PAGE:007B37B3o
					; PAGE:007B37C7o ...
aYstemrootSyste:
		unicode	0, <ystemRoot\System32\win32k.sys>,0
aSilotimezonema:			; DATA XREF: ExpReadSiloTimeZoneMarker()+11o
					; ExpWriteSiloTimeZoneMarker(x)+15o
		unicode	0, <SiloTimeZoneMarker>,0
		align 10h
aTimezoneinform:			; DATA XREF: ExpReadTimeZoneInformation+24o
					; ExpWriteSiloTimeZoneMarker(x)+1Ao
		unicode	0, <TimeZoneInformation>,0
aTimezonevirtua:			; DATA XREF: ExpTimeZoneInitSiloState(x)+22o
		unicode	0, <TimeZoneVirtualizationSupported>,0
aActivetimebias:			; DATA XREF: ExpTimeZoneInitSiloState(x)+7Ao
		unicode	0, <ActiveTimeBias>,0
		align 4
_abWPAStringKey	dd 0FF8BC3CCh		; DATA XREF: NtLockProductActivationKeys+95r
					; NtLockProductActivationKeys+BBr
		dd 0FF8BC3CCh, 424448Bh, 4C2CCh
dword_40A908	dd 2Dh,	2 dup(0)	; DATA XREF: AdtpEtwBuildDashString(x)+8o
					; AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+36o ...
		dd 17A4645Fh, 0
		dd 2, 25h, 2F5BCh, 2EDBCh, 0
		dd 17A4645Fh, 0
		dd 0Dh,	11C0h, 2F5E4h, 2EDE4h, 0
		dd 17A4645Fh, 0
		dd 10h,	24h, 307FCh, 2FFFCh
; __declspec(dllimport)	__stdcall ZwPowerInformation(x,	x, x, x, x)
__imp__ZwPowerInformation@20 dd	offset _ZwPowerInformation@20
					; DATA XREF: PdcPortOpenCommon+E0r
					; ZwPowerInformation(x,x,x,x,x)
; 

; __declspec(dllimport)	__stdcall RtlInitUnicodeString(x, x)
__imp__RtlInitUnicodeString@8:		; DATA XREF: SddlpUuidFromString(x,x)+9Ar
					; GetFlags(x,x,x)+2Ar
		lock sbb ebx, [eax+0]
; 
; __declspec(dllimport)	__stdcall ZwClose(x)
__imp__ZwClose@4 dd offset _ZwClose@4	; DATA XREF: KGetUnlockSetting+98r
					; LkmdTelpWriteDumpFile(x)+E0r
					; ZwClose(x)
; __declspec(dllimport)	__stdcall ZwQueryValueKey(x, x,	x, x, x, x)
__imp__ZwQueryValueKey@24 dd offset _ZwQueryValueKey@24	; DATA XREF: KGetUnlockSetting+65r
					; ZwQueryValueKey(x,x,x,x,x,x)
; __declspec(dllimport)	__stdcall ZwOpenKey(x, x, x)
__imp__ZwOpenKey@12 dd offset _ZwOpenKey@12 ; DATA XREF: KGetUnlockSetting+49r
					; ZwOpenKey(x,x,x)
; __declspec(dllimport)	__stdcall KeBugCheckEx(x, x, x,	x, x)
__imp__KeBugCheckEx@20 dd offset _KeBugCheckEx@20
					; DATA XREF: InsertEventEntryInLookUpTable+8Ar
					; KeBugCheckEx(x,x,x,x,x)
; 

; __declspec(dllimport)	__stdcall RtlCaptureContext(x)
__imp__RtlCaptureContext@4:		; DATA XREF: LkmdTelCreateReport(x,x,x,x,x,x)+100r
		xor	fs:[edx+0], bl
; 
; __declspec(dllimport)	__stdcall ZwWriteFile(x, x, x, x, x, x,	x, x, x)
__imp__ZwWriteFile@36 dd offset	_ZwWriteFile@36	; DATA XREF: LkmdTelpWriteDumpFile(x)+6Cr
					; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		align 8

_REGISTRY_PERF_EVENT_HIVE_FLUSH_WROTE_PRIMARY_FILE:
					; DATA XREF: CmpTraceHiveFlushWrotePrimaryFile+14o
		sbb	eax, [eax]
		add	[ecx], dl
		add	al, 0Eh
		add	eax, [eax]
; 
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_UNLOAD_START:	; DATA XREF: CmpTraceHiveUnloadStart+15o
		adc	al, 0
		add	[ecx], dl
		add	al, 1
		add	al, [eax]
; 
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_UNLOAD_STOP:	; DATA XREF: CmpTraceHiveUnloadStop+14o
		adc	eax, 4110000h
		add	al, [edx]
; 
		db 0
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_MOUNT_BASE_FILE_MOUNTED:
					; DATA XREF: CmpTraceHiveMountBaseFileMounted+15o
		adc	[eax], eax
		add	[ecx], dl
		add	al, 0Ah
		add	[eax], eax
; 
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_MOUNT_STOP:	; DATA XREF: CmpTraceHiveMountStop+14o
		adc	eax, [eax]
		add	[ecx], dl
		add	al, 2
		add	[eax], eax
; 
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_MOUNT_START:	; DATA XREF: CmpTraceHiveMountStart+14o
		adc	[eax], al
		add	[ecx], dl
		add	al, 1
		add	[eax], eax
; 
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_FLUSH_WROTE_LOG_FILE:
					; DATA XREF: CmpTraceHiveFlushWroteLogFile+14o
		sbb	al, [eax]
		add	[ecx], dl
		add	al, 0Dh
		add	eax, [eax]
; 
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_LOAD_STOP:	; DATA XREF: CmpTraceHiveLoadStop+18o
		add	es:[eax], al
		adc	[edx+eax], eax
		add	eax, 0
; 
		db 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_LOAD_START:	; DATA XREF: CmpTraceHiveLoadStart+19o
		and	eax, 4110000h
		add	large ds:0, eax
; 
		db 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_FLUSH_STOP:	; DATA XREF: CmpTraceHiveFlushStop+14o
		pop	ds
; 
		db 2 dup(0), 11h
		dd 30204h, 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_FLUSH_START:	; DATA XREF: CmpFlushHive:loc_753EB7o
		push	ss
; 
		db 2 dup(0), 11h
		dd 30104h, 0
		dd 40000000h

;  S U B	R O U T	I N E 


_GUID_ECP_CREATE_USER_PROCESS proc near	; DATA XREF: PspCreateUserProcessEcp(x,x)+Bo
		jmp	fword ptr [ecx]
_GUID_ECP_CREATE_USER_PROCESS endp

; 
		dw 0E0E4h
		dd 4E656DDCh, 0D045B6AAh, 88A035Ah
byte_40AA48	db 0FFh			; DATA XREF: MiDeleteVad(x,x,x)+E74r
					; RtlSetBits(x,x,x)+3Br ...
		db 0FEh, 0FCh, 0F8h
		dd 80C0E0F0h
dword_40AA50	dd 0			; DATA XREF: RtlFindClearRuns+CFo
					; RtlFindLongestRunClearCapped(x,x,x)+CCo
dword_40AA54	dd 6, 4	dup(0)		; DATA XREF: RtlGetProductInfo+68o
_WdipSemOneSecond dd 0FF676980h		; DATA XREF: WdipTimeoutCheckRoutine+50r
dword_40AA6C	dd 0FFFFFFFFh		; DATA XREF: WdipTimeoutCheckRoutine+4Ar
; 

_SessionNotificationGuid:		; DATA XREF: EtwpSendSessionNotification(x,x,x)+47o
		pop	ebx
		sbb	[esi+2Ah], ch
		ficom	word ptr [eax+6C824FC5h]
		lahf
		inc	esp
		out	8, al		; DMA 8237A-5. cmd reg bits:
					; 0: enable mem-to-mem DMA
					; 1: enable Ch0	address	hold
					; 2: disable controller
					; 3: compressed	timing mode
					; 4: enable rotating priority
					; 5: extended write mode; 0=late write
					; 6: DRQ sensing - active high
					; 7: DACK sensing - active high
		movsb
		daa

_GUID_IO_VOLUME_MOUNT:			; DATA XREF: FsRtlNotifyVolumeEventEx:loc_7EE169o
		js	short near ptr aAppcontainerna+12h
		xor	byte ptr [ebp+11D21A96h], 8Fh
		std
		add	[eax+326DA0C9h], ah
; 
_ExpLuidIncrement dd 1			; DATA XREF: ExAllocateLocallyUniqueId(x)+1Br
					; ExAllocateLocallyUniqueId(x)+63r ...
dword_40AA94	dd 0			; DATA XREF: ExAllocateLocallyUniqueId(x)+26r
					; ExAllocateLocallyUniqueId(x)+69r ...
_GUID_ECP_OPLOCK_KEY dd	48850596h	; DATA XREF: FsRtlCheckOplockEx2+125r
					; FsRtlpAttachOplockKey+6Co
dword_40AA9C	dd 4BE73050h		; DATA XREF: FsRtlCheckOplockEx2+12Dr
dword_40AAA0	dd 0C3FE6398h		; DATA XREF: FsRtlCheckOplockEx2+135r
dword_40AAA4	dd 7F8DCE50h		; DATA XREF: FsRtlCheckOplockEx2+13Dr
_GUID_ECP_DUAL_OPLOCK_KEY dd 41621A14h	; DATA XREF: FsRtlCheckOplockEx2+EDr
					; FsRtlpAttachOplockKey+44o
dword_40AAAC	dd 4DF1B08Bh		; DATA XREF: FsRtlCheckOplockEx2+F5r
dword_40AAB0	dd 5FA076B6h		; DATA XREF: FsRtlCheckOplockEx2+FDr
dword_40AAB4	dd 0EA1BF0FDh		; DATA XREF: FsRtlCheckOplockEx2+105r
aAppcontainerna:
		unicode	0, <AppContainerNamedObjects>,0
		align 4
aSession:
		unicode	0, <Session>,0
aRpcControl:
		unicode	0, <RPC	Control>,0
aGlobal:
		unicode	0, <Global>,0
		align 4
aLocal:
		unicode	0, <Local>,0
aMemoryCompress:			; CODE XREF: .text:0040AB85j
		unicode	0, <Memory Compression>,0
		align 4

_GUID_EM_CALLBACK_REMOVE_BAD_S3_PAGES:	; DATA XREF: .text:00401BA4o
		cmpsb
		pushf
		and	bl, [ecx-59h]
		pop	ss
		adc	[esi-62h], ecx
		fcmovu	st, st(7)
		push	cs
		xchg	eax, ebx
		xlat
		scasd

loc_40AB67:				; DATA XREF: .text:00401B98o
		cmp	al, [esi-17DBBACEh]
		mov	ebp, 0D18546BCh
		sbb	[edx+12E2F3EDh], eax

_GUID_EM_ALWAYS_FALSE_CALLBACK:		; DATA XREF: .text:00401B8Co
		adc	dword ptr [ecx], 0C86A9D99h
		pop	ss
		inc	ebp
		lahf
		out	32h, eax
		sub	[ebx], eax
		ja	short near ptr aMemoryCompress+0Ch

loc_40AB87:				; DATA XREF: .text:00401B80o
		db	64h
		push	0D08026FFh
		cmp	esp, [ebx+ecx*2+72DED4A1h]
		dec	edi
		js	short loc_40ABB2
; 
		db 78h
; 

_GUID_EM_CPU_MATCH_CALLBACK:		; DATA XREF: .text:00401B74o
		sub	al, 86h
		out	0D2h, eax
		cli
		mov	eax, 0D19B4274h
		pop	ecx
		mov	edx, 0C2A7A08Dh

_GUID_EM_CALLBACK_BIOS_DATE:		; DATA XREF: .text:_BuiltinCallbackRego
		xor	[ebx], ebp
		sub	bl, [eax]
		mov	eax, 0BB45EFD5h

loc_40ABB1:				; CODE XREF: .text:0040AC0Dj
		insd

loc_40ABB2:				; CODE XREF: .text:0040AB95j
		outs	dx, byte ptr fs:[esi]

loc_40ABB4:				; DATA XREF: .text:00401004o
		mov	edx, 52F1D8EDh
		add	[ebp+0], al
		inc	edi
		add	[ecx+0], cl
		push	ebx
		add	[eax+eax+52h], dl
		add	[ecx+0], bl
; 
		dd 0
aInvalidated:				; CODE XREF: .text:0040AC31j
					; DATA XREF: .text:00401A20o
		unicode	0, <Invalidated>,0
aPrimitiveflags:			; DATA XREF: .text:00401A08o
		unicode	0, <PrimitiveFlags>,0
		align 4

; void DEVPKEY_DriverPackage_PrimitiveFlags
_DEVPKEY_DriverPackage_PrimitiveFlags:	; DATA XREF: .text:off_401A00o
					; DrvDbGetDriverPackageMappedProperty+11B0F9o
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	loc_40ABB1
		jz	short near ptr aInvalidated+11h
		inc	edi
		fstp	tbyte ptr [edx+27h]

loc_40AC18:				; DATA XREF: .text:004019F0o
		inc	ebx
		add	[ecx+0], ah
		jz	short $+2
		popa
		add	[eax+eax+6Fh], ch

loc_40AC23:				; CODE XREF: .text:loc_40AC81j
		add	[edi+0], ah
; 
		dw 0
; 

_DEVPKEY_DriverPackage_CatalogFile:	; CODE XREF: .text:0040AC5Bj
					; DATA XREF: .text:004019E8o
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr aInvalidated+9
		jz	short near ptr aPrimitiveflags+1Dh
		inc	edi
		fstp	tbyte ptr [edx+25h]

loc_40AC3C:				; DATA XREF: .text:004019D8o
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		imul	eax, [eax], 53h
		add	[ecx+0], ch
		jp	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

_DEVPKEY_DriverPackage_EffectiveFileSize: ; CODE XREF: .text:0040AC83j
					; DATA XREF: .text:004019D0o
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr aPrimitiveflags+19h
		jz	short near ptr _DEVPKEY_DriverPackage_CatalogFile+1
		inc	edi
		fstp	tbyte ptr [edx+24h]

loc_40AC64:				; DATA XREF: .text:004019C0o
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		push	ebx
		add	[ecx+0], ch
		jp	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

_DEVPKEY_DriverPackage_FileSize:	; DATA XREF: .text:004019B8o
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp

loc_40AC81:				; CODE XREF: .text:loc_40ACDDj
		loope	near ptr loc_40AC23+2
		jz	short near ptr _DEVPKEY_DriverPackage_EffectiveFileSize+1
		inc	edi
		fstp	tbyte ptr [edx+23h]

loc_40AC8C:				; DATA XREF: .text:004019A8o
		inc	ebp
		add	[eax+0], bh
		jz	short $+2
		add	gs:[esi+0], ch
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[ecx+0], ah
		arpl	[eax], ax

loc_40ACAC:				; CODE XREF: .text:0040ACDFj
		jz	short $+2
		dec	ecx

loc_40ACAF:				; CODE XREF: .text:0040AD0Dj
		add	[eax+eax+73h], ah
; 
		db 0
		align 8
aNeedsreconfig:				; DATA XREF: .text:00401990o
		unicode	0, <NeedsReconfig>,0
; 

_DEVPKEY_DriverPackage_NeedsReconfig:	; DATA XREF: .text:00401988o
					; PiDevCfgQueryDriverConfiguration(x)+3FBo
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp

loc_40ACDD:				; CODE XREF: .text:0040AD0Fj
					; .text:0040AD39j
		loope	loc_40AC81
		jz	short near ptr loc_40ACAC+1
		inc	edi
		fstp	tbyte ptr [edx+1Ch]

loc_40ACE8:				; DATA XREF: .text:00401978o
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

_DEVPKEY_DriverPackage_ClassVersion:	; DATA XREF: .text:00401970o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+825o
		add	ebx, ebp

loc_40AD06:				; CODE XREF: .text:0040AD3Bj
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_40ACAF+2
		jz	short loc_40ACDD

loc_40AD11:				; CODE XREF: .text:0040AD6Dj
		inc	edi
		fstp	tbyte ptr [edx+1Bh]

loc_40AD18:				; DATA XREF: .text:00401960o
		dec	ecx
		add	[ebp+0], ch
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

_DEVPKEY_DriverPackage_ImportDate:	; DATA XREF: .text:00401958o
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	loc_40ACDD
		jz	short near ptr loc_40AD06+3

loc_40AD3D:				; CODE XREF: .text:0040AD6Fj
		inc	edi
		fstp	tbyte ptr [edx+1Ah]

loc_40AD44:				; DATA XREF: .text:00401948o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		inc	ebx
		add	[edx+0], dh

loc_40AD54:				; CODE XREF: .text:0040ADB5j
		imul	eax, [eax], 690074h
		arpl	[eax], ax
		popa
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

_DEVPKEY_DriverPackage_SystemCritical:	; DATA XREF: .text:00401940o
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	loc_40AD11
		jz	short loc_40AD3D
		inc	edi
		fstp	tbyte ptr [edx+19h]
; 
aTargetcomputer:			; CODE XREF: .text:0040ADDDj
					; .text:0040ADB7j
					; DATA XREF: ...
		unicode	0, <TargetComputerIds>,0
aProduct:				; DATA XREF: .text:00401918o
		unicode	0, <Product>,0
; 

_DEVPKEY_DriverPackage_ProductName:	; CODE XREF: .text:0040ADDFj
					; .text:0040AE09j
					; DATA XREF: ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_40AD54+5
		jz	short near ptr aTargetcomputer+0Dh
		inc	edi
		fstp	tbyte ptr [edx+17h]
; 
aLocklevel:				; DATA XREF: .text:off_401900o
		unicode	0, <LockLevel>,0
; 

_DEVPKEY_DriverPackage_LockLevel:	; DATA XREF: .text:004018F8o
		add	ebx, ebp

loc_40ADD6:				; CODE XREF: .text:0040AE0Bj
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr aTargetcomputer+9
		jz	short near ptr _DEVPKEY_DriverPackage_ProductName+1
		inc	edi
		fstp	tbyte ptr [edx+16h]

loc_40ADE8:				; DATA XREF: .text:004018E8o
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		inc	esi

loc_40ADF5:				; CODE XREF: .text:0040AE51j
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
		dw 0
; 

_DEVPKEY_DriverPackage_StatusFlags:	; DATA XREF: .text:004018E0o
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr _DEVPKEY_DriverPackage_ProductName+1
		jz	short near ptr loc_40ADD6+3
		inc	edi
		fstp	tbyte ptr [edx+15h]

loc_40AE14:				; DATA XREF: .text:004018D0o
		inc	ebp
		add	[eax+0], bh
		jz	short $+2
		add	gs:[esi+0], ch
		jnb	short $+2

loc_40AE20:				; CODE XREF: .text:0040AE53j
		imul	eax, [eax], 6E006Fh
		dec	ecx
		add	[eax+eax+0], ah

loc_40AE2B:				; CODE XREF: .text:loc_40AE89j
					; DATA XREF: .text:004018B8o
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[di+0],	dh
		jb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
; 
		dd 0
; 

; void DEVPKEY_DriverPackage_ConfigurableOverride
_DEVPKEY_DriverPackage_ConfigurableOverride: ; DATA XREF: .text:004018B0o
					; DrvDbGetDriverPackageMappedProperty+11AAA6o
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	loc_40ADF5
		jz	short near ptr loc_40AE20+1
		inc	edi

loc_40AE56:				; CODE XREF: .text:0040AE8Bj
		fstp	tbyte ptr [edx+13h]

loc_40AE5C:				; DATA XREF: .text:004018A0o
		inc	ebx

loc_40AE5D:				; CODE XREF: .text:loc_40AEB9j
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 750067h
		jb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
		dw 0
; 

; void DEVPKEY_DriverPackage_ConfigurableFlags
_DEVPKEY_DriverPackage_ConfigurableFlags: ; DATA XREF: .text:00401898o
					; .data:006B3860o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp

loc_40AE89:				; CODE XREF: .text:0040AEBBj
		loope	near ptr loc_40AE2B+2
		jz	short near ptr loc_40AE56+3
		inc	edi
		fstp	tbyte ptr [edx+11h]

loc_40AE94:				; DATA XREF: .text:00401888o
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+43h], dh
		add	[edx+0], dh
		imul	eax, [eax], 690074h
		arpl	[eax], ax
		popa
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

_DEVPKEY_DriverPackage_BootCritical:	; DATA XREF: .text:00401880o
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp

loc_40AEB9:				; CODE XREF: .text:0040AF15j
		loope	loc_40AE5D
		jz	short loc_40AE89
		inc	edi
		fstp	tbyte ptr [edx+10h]

loc_40AEC4:				; DATA XREF: .text:00401870o
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
aDriverdate:				; CODE XREF: .text:0040AF3Dj
					; .text:0040AF17j
					; DATA XREF: ...
		unicode	0, <DriverDate>,0
		align 4
aClassguid:				; CODE XREF: .text:0040AF61j
					; DATA XREF: .text:00401840o
		unicode	0, <ClassGuid>,0
; 

_DEVPKEY_DriverPackage_ClassGuid:	; CODE XREF: .text:0040AF3Fj
					; DATA XREF: .text:00401838o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	loc_40AEB9
		jz	short near ptr aDriverdate+5

loc_40AF19:				; CODE XREF: .text:0040AF75j
		inc	edi
		fstp	tbyte ptr [edx+0Dh]
; 
aProvider:				; DATA XREF: .text:00401828o
		unicode	0, <Provider>,0
		align 4

; void DEVPKEY_DriverPackage_ProviderName
_DEVPKEY_DriverPackage_ProviderName:	; DATA XREF: .text:00401820o
					; DrvDbGetDriverPackageMappedProperty+11ABCFo ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr aDriverdate+1
		jz	short near ptr _DEVPKEY_DriverPackage_ClassGuid+1
		inc	edi

loc_40AF42:				; CODE XREF: .text:0040AF77j
		fstp	tbyte ptr [edx+0Ch]
; 
aLocale:				; DATA XREF: .text:00401810o
		unicode	0, <Locale>,0
		align 4

_DEVPKEY_DriverPackage_Locale:		; DATA XREF: .text:00401808o
					; .data:006B3848o
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr aClassguid+0Dh
		jz	short near ptr aProvider+11h
		inc	edi
		fstp	tbyte ptr [edx+0Bh]

_DEVPKEY_DriverPackage_ProcessorArchitecture: ;	DATA XREF: .text:004017F0o
					; .data:006B3844o
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	loc_40AF19
		jz	short near ptr loc_40AF42+3

loc_40AF79:				; CODE XREF: .text:0040AFD5j
		inc	edi
		fstp	tbyte ptr [edx+0Ah]

loc_40AF80:				; DATA XREF: .text:004017E0o
		inc	esi
		add	[esi], dh
; 
		db 0
		align 8
aSignerscore:				; DATA XREF: .text:004017C8o
		unicode	0, <SignerScore>,0
aSignername:				; CODE XREF: .text:0040AFD7j
					; DATA XREF: .text:004017B0o
		unicode	0, <SignerName>,0
		align 4
aPublished:				; CODE XREF: .text:0040AFF7j
					; DATA XREF: .text:00401798o
		unicode	0, <Published>,0
; 

_DEVPKEY_DriverPackage_Published:	; CODE XREF: .text:0040B029j
					; DATA XREF: .text:00401790o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	loc_40AF79
		jz	short near ptr aSignername+5
		inc	edi
		fstp	tbyte ptr [edx+6]
; 
aInbox:					; CODE XREF: .text:0040B03Dj
					; DATA XREF: .text:00401780o
		unicode	0, <Inbox>,0
; 

; void DEVPKEY_DriverPackage_Inbox
_DEVPKEY_DriverPackage_Inbox:		; DATA XREF: .text:00401778o
					; .data:006B384Co ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr aSignerscore+11h
		jz	short near ptr aPublished+0Dh

loc_40AFF9:				; CODE XREF: .text:0040B02Bj
		inc	edi
		fstp	tbyte ptr [edx+5]
; 
aOempath:				; CODE XREF: .text:0040B061j
					; .text:0040B03Fj
					; DATA XREF: ...
		unicode	0, <OemPath>,0
aInfname:				; DATA XREF: .text:00401750o
		unicode	0, <InfName>,0
; 

; void DEVPKEY_DriverPackage_OriginalInfName
_DEVPKEY_DriverPackage_OriginalInfName:	; DATA XREF: .text:00401748o
					; DrvDbGetDriverPackageMappedProperty+11AC69o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr _DEVPKEY_DriverPackage_Published+1
		jz	short loc_40AFF9
		inc	edi

loc_40B02E:				; CODE XREF: .text:0040B063j
		fstp	tbyte ptr [edx+3]

; void DEVPKEY_DriverPackage_DriverInfName
_DEVPKEY_DriverPackage_DriverInfName:	; DATA XREF: .text:off_401730o
					; DrvDbGetDriverPackageMappedProperty+11ACA4o
		add	ebx, ebp

loc_40B036:				; CODE XREF: .text:0040B095j
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr aInbox+1
		jz	short near ptr aOempath+0Dh
		inc	edi
		fstp	tbyte ptr [edx+2]

loc_40B048:				; DATA XREF: .text:004016C0o
		dec	esp
		add	[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 65h
		add	[eax+eax+0], ah
; 
		db 3 dup(0)
; 

_DEVPKEY_DriverInfFile_Locked:		; DATA XREF: .text:004016B8o
		add	ch, bl

loc_40B05A:				; CODE XREF: .text:0040B0B9j
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr aOempath+5
		jz	short near ptr loc_40B02E+3

loc_40B065:				; CODE XREF: .text:0040B097j
		inc	edi
		fstp	tbyte ptr [edx+5]
; 
aConfigurations:			; CODE XREF: .text:0040B0CDj
					; DATA XREF: .text:004016A8o
		unicode	0, <Configurations>,0
		align 4

_DEVPKEY_DriverInfFile_ActiveConfigurations: ; DATA XREF: .text:004016A0o
		add	ch, bl
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_40B036+3
		jz	short loc_40B065
		inc	edi

loc_40B09A:				; CODE XREF: .text:0040B0CFj
		fstp	tbyte ptr [edx+4]

loc_40B0A0:				; DATA XREF: .text:00401690o
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 650076h
; 
		dd 0
; 

_DEVPKEY_DriverInfFile_ActiveDriverPackage: ; DATA XREF: .text:00401688o
					; PiDevCfgGetDriverPackageId(x,x)+48o
		add	ch, bl
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_40B05A+3
		jz	short near ptr aConfigurations+1Dh
		inc	edi
		fstp	tbyte ptr [edx+3]

_DEVPKEY_DriverInfFile_DriverPackages:
		add	ch, bl
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr aConfigurations+5
		jz	short near ptr loc_40B09A+3
		inc	edi
		fstp	tbyte ptr [edx+2]

loc_40B0D8:				; DATA XREF: .text:004010F4o
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		pop	esp
; 
		db 3 dup(0)
aKernelProduc_1:
		unicode	0, <Kernel-ProductInfo>,0
		align 10h
aKernelProducti:
		unicode	0, <Kernel-ProductInfoLegacyMapping>,0
aD:					; DATA XREF: .text:off_4016D8o
		unicode	0, <D>,0
		dd 0BD84CD86h, 43769825h, 4C333D81h, 0B1893F54h, 1, 8A885D04h
		dd 11C91CEBh, 8E89Fh, 6048102Bh, 2, 7 dup(0)
aRegistryMac_15:
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\LeapSe>
		unicode	0, <condInformation>,0
		align 4
_Feature_UxConfTest_logged_traits dd 0	; DATA XREF: .text:006AB2ACo
					; .text:006AB2C4o ...
		dd 3
_Feature_Servicing_HibernateRelaxVBSPolicy_logged_traits dd 0 ;	DATA XREF: .text:006AB234o
					; .text:006AB24Co ...
		dd 2, 0
_CcFirstDelay	dd 0FE363C80h		; DATA XREF: CcScheduleLazyWriteScan(x,x,x)+50r
dword_40B264	dd 0FFFFFFFFh		; DATA XREF: CcScheduleLazyWriteScan(x,x,x):loc_4AA285r
; 

_THREATINT_MAPVIEW_LOCAL_KERNEL_CALLER:	; DATA XREF: .text:004041D4o
		sbb	al, 0
		add	[eax], edx
		add	al, 0
		add	eax, [eax]
		add	[edx], al
; 
		dw 0
		dd 80000000h
; 

_THREATINT_PROTECTVM_LOCAL_KERNEL_CALLER: ; DATA XREF: .text:004041C4o
		sbb	eax, [eax]
		add	[eax], edx
		add	al, 0
		add	al, [eax]
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_THREATINT_ALLOCVM_LOCAL_KERNEL_CALLER:	; DATA XREF: .text:004041E4o
		sbb	al, [eax]
		add	[eax], edx
		add	al, 0
		add	[eax], eax
		add	al, [eax]
; 
		dw 0
		dd 80000000h
; 

_THREATINT_MAPVIEW_REMOTE_KERNEL_CALLER: ; DATA	XREF: .text:004041D0o
		pop	ss
		add	[ecx], al
		adc	[eax+eax], al
		add	eax, [eax]
		add	[eax], cl
; 
		dw 0
		dd 80000000h
; 

_THREATINT_PROTECTVM_REMOTE_KERNEL_CALLER: ; DATA XREF:	.text:004041C0o
		push	ss
		add	[ecx], al
		adc	[eax+eax], al
		add	al, [eax]
		add	byte ptr [eax],	0
; 
		db 0
		dd 80000000h
; 

_THREATINT_ALLOCVM_REMOTE_KERNEL_CALLER: ; DATA	XREF: .text:004041E0o
		adc	eax, 4100100h
		add	[ecx], al
		add	[eax], cl
; 
		db 3 dup(0)
		dd 80000000h
; 

_THREATINT_MAPVIEW_LOCAL:		; DATA XREF: .text:004041CCo
		or	[eax], al
		add	[eax], edx
		add	al, 0
		add	eax, [eax]
		add	[ecx], al
; 
		dw 0
		dd 80000000h
; 

_THREATINT_PROTECTVM_LOCAL:		; DATA XREF: .text:004041BCo
		pop	es
		add	[ecx], al
		adc	[eax+eax], al
		add	al, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_THREATINT_ALLOCVM_LOCAL:		; DATA XREF: .text:004041DCo
		push	es
		add	[ecx], al
		adc	[eax+eax], al
		add	[eax], eax
		add	[eax], eax
; 
		dw 0
		dd 80000000h
; 

_THREATINT_MAPVIEW_REMOTE:		; DATA XREF: .text:off_4041C8o
		add	eax, [eax]
		add	[eax], edx
		add	al, 0
		add	eax, [eax]
		add	[eax+eax], al
; 
		db 0
		dd 80000000h
; 

_THREATINT_PROTECTVM_REMOTE:		; DATA XREF: .text:off_4041B8o
		add	al, [eax]
		add	[eax], edx
		add	al, 0
		add	al, [eax]
		inc	eax
; 
		db 3 dup(0)
		dd 80000000h
; 

_THREATINT_ALLOCVM_REMOTE:		; DATA XREF: .text:off_4041D8o
		add	[eax], eax
		add	[eax], edx
		add	al, 0
		add	[eax], eax
		add	al, 0
; 
		dw 0
		dd 80000000h
a_tm:					; DATA XREF: .data:006B1EE4o
		unicode	0, <.TM>,0
aAllowcontainer:			; DATA XREF: .data:006B1EF8o
		unicode	0, <AllowContainerNesting>,0
aUser_1:
		unicode	0, <USER>,0
		align 4
aA:
		unicode	0, <A>,0
aMachine:				; CODE XREF: .text:_PARTITION_LEGACY_BL_GUIDj
		unicode	0, <MACHINE>,0
aWc:
		unicode	0, <WC>,0
		align 4
aRegistryWc:
		unicode	0, <\Registry\WC>,0
		align 10h
aRegistryMac_21:
		unicode	0, <\REGISTRY\MACHINE>,0

;  S U B	R O U T	I N E 


; void GUID_DEVICE_NOOP
_GUID_DEVICE_NOOP proc far		; DATA XREF: PnpInsertNoopEvent(x,x)+26o
					; PnpProcessTargetDeviceEvent+6DBFFo
		adc	[eax+3Ah], al
		retf
_GUID_DEVICE_NOOP endp

; 
		dd 11D046F0h, 60008FB0h, 3F051397h
; 

_PARTITION_LEGACY_BL_GUID:		; DATA XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+122o
		loop	near ptr aMachine+0Ah
		dec	esp
		inc	edx
		mov	dl, 7Ch
		mov	ecx, 0C543814Fh
; 
		db 2Ah
		dd 0C68B3999h
aDevQuery:				; DATA XREF: .text:_IrpHandlingTableo
		unicode	0, <\Dev\Query>,0
		align 4
aCmnotify:				; DATA XREF: .text:00403F40o
		unicode	0, <\CMNotify>,0
aSwdevice:				; DATA XREF: .text:00403F34o
		unicode	0, <\SwDevice>,0
aCmapi:					; DATA XREF: .text:00403F28o
		unicode	0, <\CMApi>,0
		align 4
aDevNostate:				; DATA XREF: .text:00403F1Co
		unicode	0, <\Dev\NoState>,0
		align 10h
_Feature_RelaxTcbForUWP_logged_traits dd 2 dup(0) ; DATA XREF: .text:006AB3E4o
					; .text:006AB414o ...
_KiDebugRegisterTrapOffsets dd 14h	; DATA XREF: KeContextToKframes:loc_4460F2r
					; KiProcessDebugRegister(x,x)+15r ...
		dd 18h,	1Ch, 20h, 2 dup(0)
		dd 24h,	28h
_KiDebugRegisterContextOffsets dd 4	; DATA XREF: KeContextToKframes:loc_4460E0r
		dd 8, 0Ch, 10h,	2 dup(0)
		dd 14h,	18h
_MmMakeSectionAccess dd	4		; DATA XREF: MiMapViewOfSectionCommon+ADr
		align 10h
		dd 8, 0Ch, 2, 4, 0Ah, 0Ch
_MmMakeFileAccess dd 1			; DATA XREF: MiCreateImageOrDataSection+6Er
		dd 1, 20h, 21h,	3, 1, 23h, 21h
_MmProtectToPteMask dd 0		; DATA XREF: MiRevertValidPte+107r
					; .text:0045D3ACr ...
dword_40B4DC	dd 80000000h		; DATA XREF: MiRevertValidPte+10Er
					; .text:0045D3B3r ...
		dd 0
		dd 80000000h, 4	dup(0)
		dd 800h, 80000000h, 200h, 80000000h, 800h, 0
		dd 200h, 2 dup(0)
		dd 80000000h, 18h, 80000000h, 18h, 0
		dd 18h,	0
		dd 818h, 80000000h, 218h, 80000000h, 818h, 0
		dd 218h, 2 dup(0)
		dd 80000000h, 0
		dd 80000000h, 4	dup(0)
		dd 800h, 80000000h, 200h, 80000000h, 800h, 0
		dd 200h, 2 dup(0)
		dd 80000000h, 8, 80000000h, 8, 0
		dd 8, 0
		dd 808h, 80000000h, 208h, 80000000h, 808h, 0
		dd 208h, 0
_MmProtectToValue dd 1			; DATA XREF: .text:004511D8r
					; .text:loc_451357r ...
		dd 2, 10h, 20h,	4, 8, 40h, 80h,	1, 202h, 210h, 220h, 204h
		dd 208h, 240h, 280h, 1,	102h, 110h, 120h, 104h,	108h, 140h
		dd 180h, 1, 402h, 410h,	420h, 404h, 408h, 440h,	480h
_MmMakeProtectNotWriteCopy dd 18h	; DATA XREF: MiCopyOnWrite(x,x,x,x):loc_44FFAEr
					; .text:0045363Fr ...
		dd 1, 2, 3, 2 dup(4), 2	dup(6),	18h, 9,	0Ah, 0Bh, 2 dup(0Ch)
		dd 2 dup(0Eh), 18h, 11h, 12h, 13h, 2 dup(14h), 2 dup(16h)
		dd 18h,	19h, 1Ah, 1Bh, 2 dup(1Ch), 2 dup(1Eh)
_MiImageProtectionArray	db 18h		; DATA XREF: MiGetSubsectionImageProtection(x):loc_79113Dr
		db 2, 1, 3
		dd 7050705h, 3010218h, 6040604h
_MiLargeZero	dd 0			; DATA XREF: MiSetPagesModified(x,x)+8Cr
					; PAGE:00793622r
dword_40B6EC	dd 0			; DATA XREF: MiSetPagesModified(x,x):loc_62BA62r
					; PAGE:0079361Cr
_MiTrimPassToAge db 6			; DATA XREF: .text:00516C29r
					; MiTrimOrAgeWorkingSet+3E4r ...
		db 4, 2, 1
		align 8
_MmCompatibleProtectionMask dd 1	; DATA XREF: MiIsPteProtectionCompatible(x,x)+3r
					; MiMapViewOfSection+129r ...
		dd 0Bh,	11h, 0BBh, 0Fh,	0Bh, 0FFh, 0BBh
; 

_MmUserProtectionToMask1:		; DATA XREF: .text:00452A42r
					; .text:loc_462E17r ...
		add	[eax], bl
		add	edi, edi
		add	al, 0FFh
; 
		dw 0FFFFh
		dd 0FFFFFF05h, 0FFFFFFFFh
; 

_MmUserProtectionToMask2:		; DATA XREF: .text:00452A58r
					; .text:loc_462E2Er ...
		add	[edx], al
		add	edi, edi
		push	es
; 
		db 3 dup(0FFh)
		dd 0FFFFFF07h, 0FFFFFFFFh
_MiReadWrite	db 1			; DATA XREF: .text:00467C77r
					; MiResolveProtoPteFault(x,x,x)+98Er ...
		db 3 dup(0Ah)
dword_40B73C	dd 0B0B0B0Bh, 0		; DATA XREF: .text:006AB474o
		dd 1
_PopFxAccountingBucketLimits dd	0	; DATA XREF: PopFxUpdateAccountingActiveTime+52r
					; PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+4Er
dword_40B74C	dd 0			; DATA XREF: PopFxUpdateAccountingActiveTime:loc_4DA225r
					; PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x):loc_64BF0Er
dword_40B750	dd 11E1A300h		; DATA XREF: PopFxUpdateAccountingActiveTime+66r
					; PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+62r ...
dword_40B754	dd 0			; DATA XREF: PopFxUpdateAccountingActiveTime:loc_4DA239r
					; PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x):loc_64BF22r
		dd 23C34600h, 0
		dd 47868C00h, 0
		dd 0B2D05E00h, 0
		dd 2 dup(0FFFFFFFFh)
; 

_GUID_INPUT_SUPPRESS_REQUESTED:		; DATA XREF: PopEvaluateInputSuppressionAction()+148o
		mov	ds:0FA3A861Ah, al
		in	eax, 5Fh
		dec	edx
		mov	[esi+49h], dl
		fldenv	byte ptr [ebp-1Eh]
; 
		dw 0FE9Ah
byte_40B788	db 0			; DATA XREF: RtlDoesNameContainWildCards(x):loc_4DDDDAr
					; FsRtlIsFatDbcsLegal+66r ...
		db 3 dup(10h)
		dd 7 dup(10101010h), 17180717h,	17171717h, 16181717h, 71716h
		dd 2 dup(17171717h), 16041717h,	18181618h, 6 dup(17171717h)
		dd 16171717h, 17171600h, 7 dup(17171717h), 17171710h
_SidHashByteToIndexLookupTable db 9	; DATA XREF: SepMaximumAccessCheck+136r
					; SepNormalAccessCheck+176r ...
		align 2
		dw 1
		dd 10002h, 10003h, 10002h, 10004h, 10002h, 10003h, 10002h
		dd 10005h, 10002h, 10003h, 10002h, 10004h, 10002h, 10003h
		dd 10002h, 10006h, 10002h, 10003h, 10002h, 10004h, 10002h
		dd 10003h, 10002h, 10005h, 10002h, 10003h, 10002h, 10004h
		dd 10002h, 10003h, 10002h, 10007h, 10002h, 10003h, 10002h
		dd 10004h, 10002h, 10003h, 10002h, 10005h, 10002h, 10003h
		dd 10002h, 10004h, 10002h, 10003h, 10002h, 10006h, 10002h
		dd 10003h, 10002h, 10004h, 10002h, 10003h, 10002h, 10005h
		dd 10002h, 10003h, 10002h, 10004h, 10002h, 10003h, 10002h
dword_40B908	dd 200h			; DATA XREF: RtlIsElevatedRid(x):loc_7EC831r
		dd 204h, 209h, 1F2h, 205h, 206h, 207h, 208h, 220h, 223h
		dd 224h, 225h, 226h, 227h, 229h, 22Ah, 22Ch, 239h, 72h
		dd 0
_RtlpBitsClearLow db 8			; DATA XREF: RtlFindLeastSignificantBit(x,x)+30r
					; RtlFindClearRuns+B7r	...
		align 2
		dw 1
		dd 10002h, 10003h, 10002h, 10004h, 10002h, 10003h, 10002h
		dd 10005h, 10002h, 10003h, 10002h, 10004h, 10002h, 10003h
		dd 10002h, 10006h, 10002h, 10003h, 10002h, 10004h, 10002h
		dd 10003h, 10002h, 10005h, 10002h, 10003h, 10002h, 10004h
		dd 10002h, 10003h, 10002h, 10007h, 10002h, 10003h, 10002h
		dd 10004h, 10002h, 10003h, 10002h, 10005h, 10002h, 10003h
		dd 10002h, 10004h, 10002h, 10003h, 10002h, 10006h, 10002h
		dd 10003h, 10002h, 10004h, 10002h, 10003h, 10002h, 10005h
		dd 10002h, 10003h, 10002h, 10004h, 10002h, 10003h, 10002h
byte_40BA58	db 0			; DATA XREF: RtlNumberOfSetBits(x)+9Dr
					; RtlNumberOfSetBits(x)+153r ...
byte_40BA59	db 1			; DATA XREF: RtlNumberOfSetBitsInRange(x,x,x)+6Ar
					; RtlNumberOfSetBitsInRange(x,x,x)+1C2r
		dw 703h
		dd 7F3F1F0Fh, 0FFh, 0
dword_40BA68	dd 0			; DATA XREF: RtlFindNextForwardRunClear+36r
					; RtlFindNextForwardRunClear+6Ar ...
dword_40BA6C	dd 1			; DATA XREF: RtlFindLastBackwardRunClear+29r
		dd 3, 7, 0Fh, 1Fh, 3Fh,	7Fh, 0FFh, 1FFh, 3FFh, 7FFh, 0FFFh
		dd 1FFFh, 3FFFh, 7FFFh,	0FFFFh,	1FFFFh,	3FFFFh,	7FFFFh
		dd 0FFFFFh, 1FFFFFh, 3FFFFFh, 7FFFFFh, 0FFFFFFh, 1FFFFFFh
		dd 3FFFFFFh, 7FFFFFFh, 0FFFFFFFh, 1FFFFFFFh, 3FFFFFFFh
		dd 7FFFFFFFh, 0FFFFFFFFh, 0
_RtlpBitsClearHigh db 8			; DATA XREF: RtlFindClearRuns:loc_4E11D8r
					; RtlFindMostSignificantBit+3Dr ...
		db 7, 2	dup(6)
		dd 5050505h, 2 dup(4040404h), 4	dup(3030303h), 8 dup(2020202h)
		dd 10h dup(1010101h), 20h dup(0)
_RtlpBitsClearAnywhere db 8		; DATA XREF: RtlFindClearRuns+1B8r
					; RtlFindClearRuns:loc_4E12DAr	...
		db 7, 2	dup(6)
		dd 5050505h, 2 dup(4040404h), 3030304h,	3 dup(3030303h)
		dd 3030405h, 2020202h, 2020203h, 2020202h, 2020304h, 2020202h
		dd 2020203h, 2020202h, 4040506h, 3030303h, 2020203h, 2020202h
		dd 2020304h, 1010102h, 1010203h, 1010102h, 3030405h, 2020202h
		dd 1010203h, 1010102h, 2020304h, 1010102h, 1010203h, 1010102h
		dd 5050607h, 4040404h, 2 dup(3030303h),	2020304h, 2020202h
		dd 2020203h, 2020202h, 3030405h, 2020202h, 1010203h, 1010102h
		dd 2020304h, 1010102h, 1010203h, 1010102h, 4040506h, 3030303h
		dd 2020203h, 2020202h, 2020304h, 1010102h, 1010203h, 1010102h
		dd 3030405h, 2020202h, 1010203h, 1010102h, 2020304h, 1010102h
		dd 1010203h, 10102h
_RtlpBootStatusFields dd 0		; DATA XREF: RtlBootStatusItemInfo(x,x,x)+Er
dword_40BCF4	dd 4			; DATA XREF: RtlBootStatusItemInfo(x,x,x)+1Ar
		align 10h
		dd 8, 1, 9, 1, 0Ah, 1, 0Bh, 1, 0Ch, 1, 10h, 20h, 30h, 1
		dd 31h,	1, 34h,	4, 38h,	4, 3Ch,	4, 40h,	14h, 58h, 30h
		dd 32h,	1, 88h,	20h, 0A8h, 4
_RtlCrc32Table	dd 0			; DATA XREF: RtlComputeCrc32(x,x,x)+21r
		dd 77073096h, 0EE0E612Ch, 990951BAh, 76DC419h, 706AF48Fh
		dd 0E963A535h, 9E6495A3h, 0EDB8832h, 79DCB8A4h,	0E0D5E91Eh
		dd 97D2D988h, 9B64C2Bh,	7EB17CBDh, 0E7B82D07h, 90BF1D91h
		dd 1DB71064h, 6AB020F2h, 0F3B97148h, 84BE41DEh,	1ADAD47Dh
		dd 6DDDE4EBh, 0F4D4B551h, 83D385C7h, 136C9856h,	646BA8C0h
		dd 0FD62F97Ah, 8A65C9ECh, 14015C4Fh, 63066CD9h,	0FA0F3D63h
		dd 8D080DF5h, 3B6E20C8h, 4C69105Eh, 0D56041E4h,	0A2677172h
		dd 3C03E4D1h, 4B04D447h, 0D20D85FDh, 0A50AB56Bh, 35B5A8FAh
		dd 42B2986Ch, 0DBBBC9D6h, 0ACBCF940h, 32D86CE3h, 45DF5C75h
		dd 0DCD60DCFh, 0ABD13D59h, 26D930ACh, 51DE003Ah, 0C8D75180h
		dd 0BFD06116h, 21B4F4B5h, 56B3C423h, 0CFBA9599h, 0B8BDA50Fh
		dd 2802B89Eh, 5F058808h, 0C60CD9B2h, 0B10BE924h, 2F6F7C87h
		dd 58684C11h, 0C1611DABh, 0B6662D3Dh, 76DC4190h, 1DB7106h
		dd 98D220BCh, 0EFD5102Ah, 71B18589h, 6B6B51Fh, 9FBFE4A5h
		dd 0E8B8D433h, 7807C9A2h, 0F00F934h, 9609A88Eh,	0E10E9818h
		dd 7F6A0DBBh, 86D3D2Dh,	91646C97h, 0E6635C01h, 6B6B51F4h
		dd 1C6C6162h, 856530D8h, 0F262004Eh, 6C0695EDh,	1B01A57Bh
		dd 8208F4C1h, 0F50FC457h, 65B0D9C6h, 12B7E950h,	8BBEB8EAh
		dd 0FCB9887Ch, 62DD1DDFh, 15DA2D49h, 8CD37CF3h,	0FBD44C65h
		dd 4DB26158h, 3AB551CEh, 0A3BC0074h, 0D4BB30E2h, 4ADFA541h
		dd 3DD895D7h, 0A4D1C46Dh, 0D3D6F4FBh, 4369E96Ah, 346ED9FCh
		dd 0AD678846h, 0DA60B8D0h, 44042D73h, 33031DE5h, 0AA0A4C5Fh
		dd 0DD0D7CC9h, 5005713Ch, 270241AAh, 0BE0B1010h, 0C90C2086h
		dd 5768B525h, 206F85B3h, 0B966D409h, 0CE61E49Fh, 5EDEF90Eh
		dd 29D9C998h, 0B0D09822h, 0C7D7A8B4h, 59B33D17h, 2EB40D81h
		dd 0B7BD5C3Bh, 0C0BA6CADh, 0EDB88320h, 9ABFB3B6h, 3B6E20Ch
		dd 74B1D29Ah, 0EAD54739h, 9DD277AFh, 4DB2615h, 73DC1683h
		dd 0E3630B12h, 94643B84h, 0D6D6A3Eh, 7A6A5AA8h,	0E40ECF0Bh
		dd 9309FF9Dh, 0A00AE27h, 7D079EB1h, 0F00F9344h,	8708A3D2h
		dd 1E01F268h, 6906C2FEh, 0F762575Dh, 806567CBh,	196C3671h
		dd 6E6B06E7h, 0FED41B76h, 89D32BE0h, 10DA7A5Ah,	67DD4ACCh
		dd 0F9B9DF6Fh, 8EBEEFF9h, 17B7BE43h, 60B08ED5h,	0D6D6A3E8h
		dd 0A1D1937Eh, 38D8C2C4h, 4FDFF252h, 0D1BB67F1h, 0A6BC5767h
		dd 3FB506DDh, 48B2364Bh, 0D80D2BDAh, 0AF0A1B4Ch, 36034AF6h
		dd 41047A60h, 0DF60EFC3h, 0A867DF55h, 316E8EEFh, 4669BE79h
		dd 0CB61B38Ch, 0BC66831Ah, 256FD2A0h, 5268E236h, 0CC0C7795h
		dd 0BB0B4703h, 220216B9h, 5505262Fh, 0C5BA3BBEh, 0B2BD0B28h
		dd 2BB45A92h, 5CB36A04h, 0C2D7FFA7h, 0B5D0CF31h, 2CD99E8Bh
		dd 5BDEAE1Dh, 9B64C2B0h, 0EC63F226h, 756AA39Ch,	26D930Ah
		dd 9C0906A9h, 0EB0E363Fh, 72076785h, 5005713h, 95BF4A82h
		dd 0E2B87A14h, 7BB12BAEh, 0CB61B38h, 92D28E9Bh,	0E5D5BE0Dh
		dd 7CDCEFB7h, 0BDBDF21h, 86D3D2D4h, 0F1D4E242h,	68DDB3F8h
		dd 1FDA836Eh, 81BE16CDh, 0F6B9265Bh, 6FB077E1h,	18B74777h
		dd 88085AE6h, 0FF0F6A70h, 66063BCAh, 11010B5Ch,	8F659EFFh
		dd 0F862AE69h, 616BFFD3h, 166CCF45h, 0A00AE278h, 0D70DD2EEh
		dd 4E048354h, 3903B3C2h, 0A7672661h, 0D06016F7h, 4969474Dh
		dd 3E6E77DBh, 0AED16A4Ah, 0D9D65ADCh, 40DF0B66h, 37D83BF0h
		dd 0A9BCAE53h, 0DEBB9EC5h, 47B2CF7Fh, 30B5FFE9h, 0BDBDF21Ch
		dd 0CABAC28Ah, 53B39330h, 24B4A3A6h, 0BAD03605h, 0CDD70693h
		dd 54DE5729h, 23D967BFh, 0B3667A2Eh, 0C4614AB8h, 5D681B02h
		dd 2A6F2B94h, 0B40BBE37h, 0C30C8EA1h, 5A05DF1Bh, 2D02EF8Dh
_RtlpRunTable	dd 0			; DATA XREF: RtlNtStatusToDosErrorNoTeb+57r
byte_40C184	db 4			; DATA XREF: RtlNtStatusToDosErrorNoTeb+64r
byte_40C185	db 1			; DATA XREF: RtlNtStatusToDosErrorNoTeb:loc_4F8567r
word_40C186	dw 0			; DATA XREF: RtlNtStatusToDosErrorNoTeb+89r
		dd 3Fh,	40101h,	80h, 50101h, 0BFh, 60102h, 0FFh, 80110h
		dd 110h, 18010Ah, 120h,	220111h, 202h, 330101h,	210h, 340107h
		dd 367h, 3B0102h, 10001h, 3D0102h, 90368h, 3F0101h, 1C0001h
		dd 400201h, 293000h, 420102h, 350059h, 440201h,	0E70000h
		dd 460204h, 40000000h, 4E0134h,	40000034h, 820204h, 40000294h
		dd 8A0101h, 40000370h, 8B0101h,	40000807h, 8C0101h, 4000A144h
		dd 8D0101h, 40010001h, 8E010Ah,	40020056h, 980101h, 400200AFh
		dd 990101h, 400A0004h, 9A0102h,	4015000Dh, 9C0101h, 40190001h
		dd 9D0101h, 40190034h, 9E0102h,	401A000Ch, 0A00101h, 401B00ECh
		dd 0A10201h, 401E000Ah,	0A30201h, 401E0201h, 0A50201h
		dd 401E0307h, 0A70201h,	401E031Eh, 0A90201h, 401E034Bh
		dd 0AB0202h, 401E0351h,	0AF0201h, 401E042Fh, 0B10201h
		dd 401E0437h, 0B30201h,	401E0439h, 0B50202h, 401E043Ch
		dd 0B90201h, 40230001h,	0BB0201h, 40292023h, 0BD0201h
		dd 80000001h, 0BF0207h,	8000000Ah, 0CD010Fh, 8000001Ah
		dd 0DC0117h, 80000031h,	0F30203h, 80000288h, 0F90102h
		dd 80000803h, 0FB0101h,	8000A127h, 0FC0101h, 8000CF00h
		dd 0FD0101h, 8000CF04h,	0FE0102h, 80010001h, 1000101h
		dd 80090300h, 1010112h,	80090316h, 1130103h, 80090320h
		dd 1160103h, 80090325h,	1190105h, 80090330h, 11E0102h
		dd 80090333h, 1200101h,	8009033Fh, 1210101h, 80090347h
		dd 1220101h, 80090349h,	1230101h, 8009035Dh, 1240103h
		dd 80090363h, 1270101h,	80090367h, 1280101h, 80092010h
		dd 1290101h, 80092012h,	12A0102h, 80096004h, 12C0101h
		dd 800B0110h, 12D0101h,	80130001h, 12E0105h, 80190009h
		dd 1330101h, 80190029h,	1340101h, 80190031h, 1350101h
		dd 80190041h, 1360102h,	801B00EBh, 1380201h, 801C0001h
		dd 13A0101h, 80210001h,	13B0202h, 80370001h, 13F0201h
		dd 80380001h, 1410202h,	80390001h, 1450201h, 80390003h
		dd 1470201h, 803A0001h,	1490201h, 803F0001h, 14B0101h
		dd 80430006h, 14C0101h,	0C0000001h, 14D011Ch, 0C000001Dh
		dd 1690201h, 0C000001Eh, 16B0107h, 0C0000025h, 1720207h
		dd 0C000002Ch, 1800160h, 0C000008Ch, 1E0020Bh, 0C0000097h
		dd 1F601D8h, 0C0000172h, 2CE0107h, 0C000017Ah, 2D50139h
		dd 0C0000201h, 30E0149h, 0C0000250h, 357010Dh, 0C000025Eh
		dd 3640116h, 0C0000275h, 37A0108h, 0C0000280h, 3820108h
		dd 0C000028Ah, 38A010Ah, 0C0000295h, 3940126h, 0C00002C1h
		dd 3BA012Dh, 0C00002EEh, 3E70210h, 0C00002FEh, 4070107h
		dd 0C0000305h, 40E0209h, 0C0000320h, 4200203h, 0C0000350h
		dd 4260210h, 0C0000361h, 4460106h, 0C0000368h, 44C0108h
		dd 0C0000371h, 4540104h, 0C0000380h, 4580210h, 0C0000401h
		dd 4780109h, 0C000040Ah, 4810206h, 0C0000410h, 48D0105h
		dd 0C0000415h, 4920201h, 0C0000416h, 4940108h, 0C0000420h
		dd 49C0102h, 0C0000423h, 49E010Ah, 0C000042Dh, 4A80201h
		dd 0C000042Fh, 4AA0201h, 0C0000432h, 4AC0104h, 0C0000440h
		dd 4B00201h, 0C0000441h, 4B20106h, 0C0000450h, 4B8010Ah
		dd 0C0000460h, 4C20124h, 0C0000484h, 4E60202h, 0C0000486h
		dd 4EA0112h, 0C0000499h, 4FC0122h, 0C00004BCh, 51E0102h
		dd 0C0000500h, 520010Ah, 0C000050Ah, 52A0204h, 0C000050Eh
		dd 5320107h, 0C0000515h, 5390202h, 0C0000518h, 53D0101h
		dd 0C0000602h, 53E0205h, 0C000060Ah, 5480102h, 0C0000700h
		dd 54A0127h, 0C0000800h, 5710103h, 0C0000804h, 5740103h
		dd 0C0000808h, 577010Ah, 0C0000901h, 5810109h, 0C000090Ah
		dd 58A0203h, 0C0000910h, 5900101h, 0C0009898h, 5910101h
		dd 0C000A000h, 5920202h, 0C000A002h, 5960107h, 0C000A010h
		dd 59D0105h, 0C000A080h, 5A2010Fh, 0C000A100h, 5B10102h
		dd 0C000A121h, 5B30106h, 0C000A141h, 5B90103h, 0C000A145h
		dd 5BC0102h, 0C000A200h, 5BE0105h, 0C000A281h, 5C30105h
		dd 0C000A2A1h, 5C80107h, 0C000C001h, 5CF0101h, 0C000CE01h
		dd 5D00105h, 0C000CF00h, 5D50104h, 0C000CF06h, 5D90116h
		dd 0C000CF1Dh, 5EF0105h, 0C000F500h, 5F40106h, 0C0010001h
		dd 5FA0102h, 0C0020001h, 5FC011Dh, 0C002001Fh, 6190101h
		dd 0C0020021h, 61A0106h, 0C0020028h, 6200126h, 0C002004Fh
		dd 6460107h, 0C0020057h, 64D0102h, 0C0020062h, 64F0104h
		dd 0C0030001h, 653010Ch, 0C0030059h, 65F0109h, 0C0040035h
		dd 6680105h, 0C00A0001h, 66D0103h, 0C00A0006h, 670010Bh
		dd 0C00A0012h, 67B0107h, 0C00A0022h, 6820101h, 0C00A0024h
		dd 6830101h, 0C00A0026h, 6840103h, 0C00A002Ah, 6870102h
		dd 0C00A002Eh, 689010Dh, 0C00B0001h, 6960107h, 0C0130001h
		dd 69D0119h, 0C0130020h, 6B6010Ah, 0C0130030h, 6C00102h
		dd 0C0140001h, 6C20119h, 0C0140020h, 6DB0102h, 0C0150001h
		dd 6DD010Ch, 0C015000Eh, 6E9011Ah, 0C0190001h, 7030108h
		dd 0C019000Ah, 70B0103h, 0C019000Fh, 70E010Bh, 0C0190021h
		dd 7190106h, 0C0190028h, 71F0101h, 0C0190030h, 7200101h
		dd 0C0190032h, 7210102h, 0C0190036h, 723010Bh, 0C0190043h
		dd 72E011Fh, 0C01A0001h, 74D010Bh, 0C01A000Dh, 7580124h
		dd 0C01B00EAh, 77C0201h, 0C01C0001h, 77E021Ch, 0C01C0020h
		dd 7B60201h, 0C01C0023h, 7B80201h, 0C01D0001h, 7BA020Ah
		dd 0C01E0000h, 7CE020Ah, 0C01E000Bh, 7E20209h, 0C01E0100h
		dd 7F4020Ah, 0C01E0110h, 8080207h, 0C01E0200h, 8160201h
		dd 0C01E0300h, 8180207h, 0C01E0308h, 8260205h, 0C01E0310h
		dd 830020Eh, 0C01E031Fh, 84C022Ch, 0C01E034Dh, 8A40204h
		dd 0C01E0352h, 8AC020Bh, 0C01E0400h, 8C20202h, 0C01E0430h
		dd 8C60207h, 0C01E0438h, 8D40201h, 0C01E043Bh, 8D60201h
		dd 0C01E0500h, 8D80204h, 0C01E0505h, 8E00201h, 0C01E050Bh
		dd 8E20202h, 0C01E050Eh, 8E6020Bh, 0C01E051Ah, 8FC0201h
		dd 0C01E051Ch, 8FE0206h, 0C01E0580h, 90A020Eh, 0C01E05E0h
		dd 9260209h, 0C0210000h, 938022Bh, 0C0210030h, 98E0211h
		dd 0C0220001h, 9B00244h, 0C0220100h, 0A380205h,	0C0230002h
		dd 0A420201h, 0C0230004h, 0A44020Ah, 0C023000Fh, 0A580203h
		dd 0C0230014h, 0A5E020Ch, 0C0230022h, 0A760201h, 0C023002Ah
		dd 0A780208h, 0C02300BBh, 0A880201h, 0C023100Fh, 0A8A0201h
		dd 0C0231012h, 0A8C0202h, 0C0232000h, 0A900209h, 0C0240000h
		dd 0AA20202h, 0C0290000h, 0AA60260h, 0C0290061h, 0B660203h
		dd 0C0290081h, 0B6C0205h, 0C0290087h, 0B76020Ah, 0C0290092h
		dd 0B8A0201h, 0C0290095h, 0B8C0204h, 0C029009Ah, 0B940204h
		dd 0C029009Fh, 0B9C0209h, 0C0290100h, 0BAE0202h, 0C0290103h
		dd 0BB20201h, 0C029010Bh, 0BB40201h, 0C0290119h, 0BB60201h
		dd 0C0290120h, 0BB80202h, 0C0290123h, 0BBC0206h, 0C029012Dh
		dd 0BC80205h, 0C0290142h, 0BD2020Bh
		dd 0C0290150h, 0BE80206h, 0C0290400h, 0BF40205h, 0C0290800h
		dd 0BFE0204h, 0C0291001h, 0C060206h, 0C0292000h, 0C120223h
		dd 0C0293002h, 0C580104h, 0C0294000h, 0C5C0201h, 0C0350002h
		dd 0C5E020Dh, 0C0350011h, 0C78020Eh, 0C0350033h, 0C940201h
		dd 0C0350038h, 0C960201h, 0C035003Ch, 0C980204h, 0C0350041h
		dd 0CA00201h, 0C0350050h, 0CA20202h, 0C0350055h, 0CA60201h
		dd 0C0350057h, 0CA80202h, 0C0350060h, 0CAC0201h, 0C035006Fh
		dd 0CAE0207h, 0C0351000h, 0CBC0201h, 0C0360001h, 0CBE0109h
		dd 0C0368000h, 0CC70107h, 0C0370001h, 0CCE022Ah, 0C0380001h
		dd 0D22025Ch, 0C0390002h, 0DDA0201h, 0C03A0001h, 0DDC0224h
		dd 0C03A0028h, 0E240203h, 0C03A0030h, 0E2A0204h, 0C0400001h
		dd 0E320106h, 0C0410001h, 0E380104h, 0C0420001h, 0E3C0211h
		dd 0C0421000h, 0E5E0201h, 0C0430001h, 0E600105h, 0C0430007h
		dd 0E65010Ah, 0C0440001h, 0E6F0205h, 0C0450000h, 0E790102h
		dd 0C0500003h, 0E7B0202h, 0C0510001h, 0E7F0201h, 0C05C0000h
		dd 0E810201h, 0C05CFF00h, 0E83020Dh, 0C05D0000h, 0E9D0203h
		dd 0C0980001h, 0EA30102h, 0C0980008h, 0EA50101h, 0C0E70001h
		dd 0EA60201h, 0C0E70003h, 0EA80202h, 0C0E70006h, 0EAC0202h
		dd 0C0E70009h, 0EB00218h, 0C0E80000h, 0EE00201h, 0C0E90001h
		dd 0EE20106h, 0C0EA0001h, 0EE8020Ah, 0C0EB0001h, 0EFC0107h
		dd 0C0EC0000h, 0F030108h, 0FFFFFFFFh, 0F0B0101h, 2 dup(0)
_RtlpStatusTable dw 0			; DATA XREF: RtlNtStatusToDosErrorNoTeb+99r
					; RtlNtStatusToDosErrorNoTeb+DABA5r
word_40CB32	dw 2DBh			; DATA XREF: RtlNtStatusToDosErrorNoTeb+DAB9Dr
		dd 2DD02DCh, 8002DEh, 2E102E0h,	2E20000h, 5B402E3h, 2E503E5h
		dd 51400EAh, 2E60515h, 2E802E7h, 3FE02E9h, 2EA0516h, 2EC02EBh
		dd 2EE02EDh, 2F002EFh, 2F202F1h, 2F402F3h, 200902F5h, 2F702F6h
		dd 2F902F8h, 2FB02FAh, 2FCh, 3 dup(0)
		dd 1A330000h, 2	dup(0)
		dd 3200000h, 2FD0323h, 2FE02E5h, 3E502FFh, 1F0001h, 0
aY5:
		unicode	0, <Y5>,0
		align 10h
		dd 2 dup(0)
		dd 80E70002h, 2BB02BAh,	2BC0057h, 2BE02BDh, 2BF0517h, 3F60460h
		dd 2C102C0h, 5180461h, 2C302C2h, 2C502C4h, 2C702C6h, 2C902C8h
		dd 2CB02CAh, 2CD02CCh, 2CF02CEh, 3 dup(21B021Bh), 2D0021Bh
		dd 2D202D1h, 2D402D3h, 2D5021Bh, 2D702D6h, 2D902D8h, 30E054Fh
		dd 30F054Fh, 3130311h, 0C0090003h, 0
		dd 327h, 0
		db 0DAh	; 
		db 2, 0ACh, 20h
		db  18h
		db 3, 2Dh, 3Ch
		db 0B1h	; 
		db 2, 0B2h, 2
		db 0B3h	; 
		db 2, 0B4h, 2
		db 0B5h	; 
		db 2, 0B6h, 2
		db 0B7h	; 
		db 2, 0B8h, 2
		db 0B9h	; 
		db 2, 0B6h, 2
		db  20h
		db 7, 79h, 7
		db  9Ah	; 
		db 1Bh,	9Bh, 1Bh
		db    8
		db 37h,	4Bh, 1Ah
		db 0A5h	; 
		db 1Ah,	0A6h, 1Ah
		db 0D3h	; 
		db 19h,	1, 0
		db  26h	; &
		db 80h,	0Ah, 20h
		db  26h	; &
		db 40h,	1, 22h
		db  26h	; &
		db 40h,	7, 23h
		db  26h	; &
		align 2
		dw 231Eh
		db  26h	; &
		align 2
		dw 234Bh
		db  26h	; &
		align 2
		dw 234Ch
		db  26h	; &
		align 2
		dw 2351h
		db  26h	; &
		align 2
		dw 242Fh
		db  26h	; &
		db 40h,	37h, 24h
		db  26h	; &
		db 40h,	39h, 24h
		db  26h	; &
		db 40h,	3Ah, 24h
		db  26h	; &
		db 40h,	3Ch, 24h
		db  26h	; &
		db 40h,	1, 0
		db  34h	; 4
		align 2
		dw 423h
		db  29h	; )
		db 40h,	1, 0
		db    0
		db 80h,	0E6h, 3
		db    0
		align 2
		dw 3
		db    0
		db 80h,	4, 0
		db    0
		align 10h
		db    0
		align 2
		dw 12h
		db    0
		align 2
		dw 2A3h
		db    0
		align 2
		dw 2A4h
		db  6Fh	; o
		db 5, 0A8h, 2
		db  2Bh	; +
		db 1, 1Ch, 0
		db  15h
		align 2
		dw 15h
		db 0AAh	; 
		align 2
		dw 103h
		db 0FEh	; 
		align 2
		dw 0FFh
		db 0FFh
		align 2
		dw 456h
		db 0A5h	; 
		db 2, 0A6h, 2
		db    3
		db 1, 4Dh, 4
		db  56h	; V
		db 4, 57h, 4
		db  4Ch	; L
		db 4, 4Eh, 4
		db 0A7h	; 
		db 2, 4Fh, 4
		db  50h	; P
		db 4, 2, 7
		db  13h
		db 7, 62h, 9
		db 0AAh	; 
		db 2, 0F4h, 10h
		db 0ABh	; 
		db 2, 0ACh, 2
		db 0ADh	; 
		db 2, 0AEh, 2
		db 0AFh	; 
		db 2, 0A9h, 2
		db  21h	; !
		db 3, 24h, 3
		db 0ABh	; 
		align 2
		dw 207h
		db    3
		align 2
		dw 0EBh
		db    0
		align 2
		dw 67Eh
		db    0
		align 2
		dw 48Dh
		db  8Eh	; 
		db 4, 0BBh, 1Ah
		db 0DFh	; 
		db 3Bh,	6Eh, 1
		db  6Dh	; m
		db 1, 76h, 1
		db 0B0h	; 
		db 2, 0AAh, 5
		db    6
		align 2
		dw 1
		db  35h	; 5
		align 2
		dw 54Fh
		db  54h	; T
		db 5, 20h, 1
		dd offset loc_570553+1
		db  57h	; W
		align 2
		dw 32h
		db  58h	; X
		db 5, 2Eh, 5
		db  57h	; W
		align 2
		dw 520h
		db    5
		align 2
		dw 5
		db  1Fh
		db 5, 54h, 5
		db  8Bh	; 
		db 7, 0F8h, 6
		db  57h	; W
		align 2
		dw 7Ah
		db  74h	; t
		db 5, 0FEh, 6
		dd offset loc_570056+1
		db  32h	; 2
		db 5, 70h, 17h
		db  71h	; q
		db 17h,	1, 0
		db  8Bh	; 
		db 7, 5Bh, 4
		db  58h	; X
		db 5, 45h, 5
		db  57h	; W
		align 2
		dw 5
		db    5
		align 2
		dw 575h
		db  32h	; 2
		align 2
		dw 575h
		db  75h	; u
		db 5, 75h, 5
		db  75h	; u
		db 5, 45h, 5
		db 0C5h	; 
		db 13h,	0C6h, 13h
		db 0C7h	; 
		db 13h,	0C8h, 13h
		db 0C9h	; 
		db 13h,	0E5h, 19h
		db 0A0h	; 
		db 1Ah,	0A2h, 1Ah
		db 0B3h	; 
		db 1Ah,	0B4h, 1Ah
		db    1
		align 2
		dw 8026h
		db  7Ah	; z
		align 2
		dw 10h
		dd offset loc_57802E+3
		db  31h	; 1
		db 80h,	1, 0
		db  37h	; 7
		db 80h,	1, 0
		db  38h	; 8
		db 80h,	2, 0
		db  38h	; 8
		db 80h,	1, 0
		db  39h	; 9
		db 80h,	3, 0
		db  39h	; 9
		db 80h,	1, 0
		db  3Ah	; :
		db 80h,	75h, 1
		db  49h	; I
		db 11h,	1Fh, 0
		dd offset loc_570001
		db  18h
		align 2
		dw 3E6h
		db 0E7h	; 
		db 3, 0AEh, 5
		db    6
		align 2
		dw 3E9h
		dd offset loc_5700BF+2
		dd offset loc_57021D
		db 0B1h	; 
		db 1, 2, 0
		db    1
		align 2
		dw 26h
		db  22h	; "
		align 2
		dw 15h
		db 0F9h	; 
		db 6, 1Bh, 0
		db 0EAh	; 
		align 2
		dw 8
		db 0E7h	; 
		db 1, 0E7h, 1
		dd offset loc_570056+1
		db    1
		align 2
		dw 1Dh
		db    0
		db 0C0h, 5, 0
		db    5
		align 2
		dw 0C1h
		db    5
		align 2
		dw 5
		db  7Ah	; z
		align 2
		dw 6
		db  25h	; %
		db 2 dup(0), 0C0h
		db  26h	; &
		db 2 dup(0), 0C0h
		db  1Eh
		db 2, 2	dup(0)
		db  1Fh
		db 2, 2	dup(0)
		db  20h
		db 2, 2	dup(0)
		db  9Eh	; 
		align 4
		db  2Bh	; +
		db 2 dup(0), 0C0h
		db 0E7h	; 
		db 1, 0E7h, 1
		db  21h	; !
		db 2, 22h, 2
		db  57h	; W
		align 2
		dw 223h
		db  71h	; q
		db 5, 7Bh, 0
		db    2
		align 2
		dw 0B7h
		db  2Ah	; *
		db 7, 6, 0
		db  24h	; $
		db 2, 0A1h, 0
		db    3
		align 2
		dw 0A1h
		db  5Dh	; ]
		db 4, 5Dh, 4
		db  17h
		align 2
		dw 17h
		db    8
		align 2
		dw 5
		db    6
		align 2
		dw 20h
		dd offset loc_570718
		db  20h
		db 1, 2Ah, 1
		dd offset loc_570056+1
		db  9Ch	; 
		align 2
		dd offset loc_570003+2
		dd offset loc_570056+1
		dw 11Ah
		db 0FFh
		align 2
		dw 570h
		db  70h	; p
		db 5, 70h, 5
		db  21h	; !
		align 2
		dw 21h
		db    5
		align 2
		dw 32h
		db  19h
		db 5, 1Ah, 5
		db  1Bh
		db 5, 1Ch, 5
		db  1Dh
		db 5, 1Eh, 5
		db  1Fh
		db 5, 20h, 5
		db  21h	; !
		db 5, 22h, 5
		db  23h	; #
		db 5, 24h, 5
		db  25h	; %
		db 5, 26h, 5
		db  27h	; '
		db 5, 28h, 5
		db  29h	; )
		db 5, 2Ah, 5
		db  56h	; V
		align 2
		dw 52Ch
		db  2Dh	; -
		db 5, 2Eh, 5
		db  2Fh	; /
		db 5, 30h, 5
		db  31h	; 1
		db 5, 32h, 5
		db  33h	; 3
		db 5, 34h, 5
		db  35h	; 5
		db 5, 36h, 5
		db  37h	; 7
		db 5, 38h, 5
		db  39h	; 9
		db 5, 3Ah, 5
		db  7Fh	; 
		align 2
		dw 0C1h
		db 0F0h	; 
		db 3, 3Ch, 5
		db  9Eh	; 
		align 2
		dw 70h
		db  3Dh	; =
		db 5, 3Eh, 5
		db  44h	; D
		align 2
		dw 103h
		db  3Fh	; ?
		db 5, 3, 1
		db  9Ah	; 
		align 2
		dw 0Eh
		db 0E7h	; 
		db 1, 14h, 7
		db  15h
		db 7, 16h, 7
		db  8Ch	; 
		db 2 dup(0), 0C0h
		db  8Dh	; 
		db 2 dup(0), 0C0h
		db  8Eh	; 
		db 2 dup(0), 0C0h
		db  8Fh	; 
		db 2 dup(0), 0C0h
		db  90h	; 
		db 2 dup(0), 0C0h
		db  91h	; 
		db 2 dup(0), 0C0h
		db  92h	; 
		db 2 dup(0), 0C0h
		db  93h	; 
		db 2 dup(0), 0C0h
		db  94h	; 
		db 2 dup(0), 0C0h
		db  16h
		db 2, 2	dup(0)
		db  96h	; 
		db 2 dup(0), 0C0h
		db    8
		align 2
		dw 3EEh
		db  40h	; @
		db 5, 0AAh, 5
		db    3
		align 2
		dw 17h
		db  8Fh	; 
		db 4, 15h, 0
		db 0E7h	; 
		db 1, 0E7h, 1
		db 0ADh	; 
		db 5, 13h, 0
		db  15h
		align 2
		dw 541h
		db  42h	; B
		db 5, 43h, 5
		db  44h	; D
		db 5, 45h, 5
		db  57h	; W
		align 2
		dw 225h
aCccc:
		unicode	0, <>
		db    1
		align 2
		dw 0E9h
		db 0E8h	; 
		align 2
		dw 217h
		db  18h
		db 2, 0E6h, 0
		db  79h	; y
		align 2
		dw 26h
		db  26h	; &
		db 2, 27h, 2
		db  28h	; (
		db 2, 5, 0
a23456789?@abcd:
		unicode	0, <23456789:;>
		dw 3Ch
		unicode	0, <=>
		dw 3Eh
		unicode	0, <?@ABCDEFGHX>
		db  29h	; )
		db 2, 11h, 0
		db    5
		align 2
		dw 0F0h
		db  46h	; F
		db 5, 2Ah, 2
		db 0E8h	; 
		align 2
		dw 547h
		db  2Bh	; +
		db 2, 48h, 5
		db  49h	; I
		db 5, 4Ah, 5
		db  4Bh	; K
		db 5, 4Ch, 5
		db  4Dh	; M
		db 5, 2Ch, 1
		db  2Dh	; -
		db 1, 4Eh, 5
		db  4Fh	; O
		db 5, 50h, 5
		db  51h	; Q
		db 5, 0F8h, 6
		db  5Dh	; ]
		db 4, 2Ch, 2
		db  2Dh	; -
		db 2, 2Eh, 2
		db  52h	; R
		db 5, 53h, 5
		dd offset loc_570056+1
		dd offset loc_570056+1
		dd offset loc_570056+1
		dd offset loc_570056+1
		dd offset loc_570056+1
		dd offset loc_570056+1
		db    3
		align 2
		dw 420h
		db 0E9h	; 
		db 3, 54h, 5
		db  2Fh	; /
		db 2, 0CBh, 0
		db  91h	; 
		align 2
		dw 570h
		db  0Bh
		db 1, 55h, 5
		db  56h	; V
		db 5, 0CEh, 0
		db  61h	; a
		db 9, 64h, 9
		db  3Dh	; =
		db 1, 5, 0
		db  57h	; W
		db 5, 30h, 2
		db  58h	; X
		db 5, 20h, 4
		db  1Ah
		db 2, 1Ah, 2
		db  1Ah
		db 2, 1Ah, 2
		db  1Ah
		db 2, 1Ah, 2
		db  1Ah
		db 2, 1Ah, 2
		db 0A4h	; 
		db 5, 31h, 2
		db  33h	; 3
		db 2, 34h, 2
		db 0C1h	; 
		align 2
		dw 559h
		db  5Ah	; Z
		db 5, 0EEh, 3
		db    4
		align 2
		dw 3E3h
		db    5
		align 2
		dw 4BAh
		db    5
		align 2
		dw 55Bh
		db  5Ch	; \
		db 5, 5Dh, 5
		db  5Eh	; ^
		db 5, 6, 0
		db  35h	; 5
		db 2, 36h, 2
		db  5Fh	; _
		db 5, 37h, 2
		db 0AFh	; 
		db 5, 0C1h, 0
		unicode	0, <>
		dw 238h
		db  76h	; v
		db 5, 39h, 2
		db  7Eh	; ~
		align 2
		dw 23Ah
		db  3Bh	; ;
		db 2, 0B6h, 0
		db  7Fh	; 
		align 2
		dw 23Ch
a@@3:
		unicode	0, <@@3;;;;>
		dw 45Ah
		db  3Dh	; =
		db 2, 3Eh, 2
		db  3Fh	; ?
		db 2, 40h, 2
		db  42h	; B
		db 2, 7Ch, 0
		db  56h	; V
		align 2
		dw 243h
		db  6Dh	; m
		align 2
		dw 3F1h
		db 0F8h	; 
		db 3, 44h, 2
		db 0EDh	; 
		db 3, 5Eh, 4
		db  60h	; `
		db 5, 61h, 5
		db  62h	; b
		db 5, 63h, 5
		db  64h	; d
		db 5, 65h, 5
		db  66h	; f
		db 5, 67h, 5
		db 0EFh	; 
		db 3, 68h, 5
		db  69h	; i
		db 5, 0F9h, 3
		db  6Ah	; j
		db 5, 45h, 2
		db  5Dh	; ]
		db 4, 0DBh, 4
		db  46h	; F
		db 2, 59h, 4
		db  47h	; G
		db 2, 48h, 2
		db  62h	; b
		db 4, 63h, 4
		db  64h	; d
		db 4, 65h, 4
		db  66h	; f
		db 4, 67h, 4
		db  68h	; h
		db 4, 5Fh, 4
		db  5Dh	; ]
		db 4, 49h, 2
		db  51h	; Q
		db 4, 52h, 4
		db  53h	; S
		db 4, 54h, 4
		db  55h	; U
		db 4, 69h, 4
		db  58h	; X
		db 4, 6Bh, 5
		db  6Ch	; l
		db 5, 0FAh, 3
		db 0FBh	; 
		db 3, 6Dh, 5
		db  6Eh	; n
		db 5, 0FCh, 3
		dd offset loc_5703FC+1
		db  5Dh	; ]
		db 4, 16h, 0
		db  5Dh	; ]
		db 4, 5Dh, 4
		db  4Ah	; J
		db 2, 0DEh, 5
		db  13h
		align 2
		dw 6FAh
		db 0FBh	; 
		db 6, 0FCh, 6
		db 0FDh	; 
		db 6, 0DCh, 5
		db 0DDh	; 
		db 5, 0FEh, 6
		db  4Bh	; K
		db 2, 0, 7
		db    1
		db 7, 6Bh, 4
; 
		retn
; 
		db 4, 0C4h, 4
		db 0DFh	; 
		db 5, 0Fh, 7
		db  10h
		db 7, 11h, 7
		db  12h
		db 7, 4Ch, 2
		db  20h
		db 4, 30h, 1
		db  31h	; 1
		db 1, 32h, 1
		db  33h	; 3
		db 1, 25h, 3
		db  34h	; 4
		db 1, 35h, 1
		db  36h	; 6
		db 1, 37h, 1
		db  39h	; 9
		db 1, 0BBh, 1Ah
		db  32h	; 2
		align 2
		dw 3D54h
		db  29h	; )
		db 3, 78h, 6
		db    8
		align 2
		dw 2F7h
		db  2Dh	; -
		db 3, 0Dh, 0
		db  0Dh
		align 2
		dd offset loc_4103E2+4
		dw 572h
		db  3Bh	; ;
		align 2
		dw 717h
		db  6Ah	; j
		db 4, 0F8h, 6
		db 0BEh	; 
		db 4, 0BEh, 4
aD4@@@d22:
		unicode	0, <D4@@@D;;;;;;;22>
		dw 24Dh
		db  4Eh	; N
		db 2, 4Fh, 2
		db  50h	; P
		db 2, 0E6h, 17h
		db  51h	; Q
		db 2, 52h, 2
		db  53h	; S
		db 2, 6Ch, 4
		db 0C1h	; 
		align 2
		dw 254h
		db  55h	; U
		db 2, 73h, 7
		db  90h	; 
		db 4, 56h, 2
		db 0FFh
		db 4, 57h, 2
		db  57h	; W
		align 2
		dw 1392h
		db  92h	; 
		db 13h,	58h, 2
		db 0D5h	; 
		db 4, 59h, 2
		db  5Ah	; Z
		db 2, 92h, 4
		db  5Bh	; [
		db 2, 5Ch, 2
		db  74h	; t
		db 7, 75h, 7
		db    6
		align 2
		dw 4C9h
; 
		retf	0CB04h
; 
		db 4
		db 0CCh	; 
		db 4, 0CDh, 4
		db 0CEh	; 
		db 4, 0CFh, 4
		db 0D0h	; 
		db 4, 0D1h, 4
		db 0D2h	; 
		db 4, 0D3h, 4
		db 0D4h	; 
		db 4, 5Dh, 2
		db 0C8h	; 
		db 4, 5Eh, 2
		db  5Fh	; _
		db 2, 0D6h, 4
		db 0D7h	; 
		db 4, 0D8h, 4
		db 0C1h	; 
		align 2
		dw 260h
		db  61h	; a
		db 2, 62h, 2
		db 0D4h	; 
		db 4, 63h, 2
		db  64h	; d
		db 2, 65h, 2
		db 0D0h	; 
		db 4, 66h, 2
		db  73h	; s
		db 5, 67h, 2
		db  68h	; h
		db 2, 69h, 2
		db  22h	; "
		db 4, 6Ah, 2
		db  6Bh	; k
		db 2, 6Ch, 2
		db 0B6h	; 
		align 2
		dw 7Fh
		db  20h
		db 1, 76h, 4
		db  6Dh	; m
		db 2, 0FEh, 10h
		db  6Eh	; n
		db 2, 6Fh, 2
		db  8Eh	; 
		db 1Bh,	70h, 2
		db 0D1h	; 
		db 7, 0B1h, 4
		db  15h
		align 2
		dw 21Ch
		db  1Ch
		db 2, 71h, 2
		db  91h	; 
		db 4, 72h, 2
		db  26h	; &
		db 11h,	29h, 11h
		db  2Ah	; *
		db 11h,	28h, 11h
		db  80h	; 
		db 7, 91h, 2
		db  4Fh	; O
		db 5, 4Fh, 5
		db  81h	; 
		db 7, 0A1h, 0
		db  73h	; s
		db 2, 88h, 4
		db  89h	; 
		db 4, 8Ah, 4
		db  8Bh	; 
		db 4, 8Ch, 4
		db    5
		align 2
		dw 5
		db  84h	; 
		db 2, 5, 0
		db    5
		align 2
		dw 5
		db    5
		align 2
		dw 1777h
		db  78h	; x
		db 17h,	72h, 17h
		db  68h	; h
		db 10h,	69h, 10h
		db  6Ah	; j
		db 10h,	6Bh, 10h
		db  1Ah
		db 20h,	1Bh, 20h
		db  1Ch
		db 20h,	1, 0
		db 0FFh
		db 10h,	0, 11h
		db  94h	; 
		db 4, 74h, 2
		db  0Ah
		db 20h,	0Bh, 20h
		db  0Ch
		db 20h,	0Dh, 20h
		db  0Eh
		db 20h,	0Fh, 20h
		db  10h
		db 20h,	11h, 20h
		db  12h
		db 20h,	13h, 20h
		db  14h
		db 20h,	15h, 20h
		db  16h
		db 20h,	17h, 20h
		db  18h
		db 20h,	19h, 20h
		db  1Eh
		db 21h,	27h, 11h
		db  75h	; u
		db 2, 76h, 2
		db  77h	; w
		db 2, 51h, 6
		db  9Ah	; 
		db 4, 9Bh, 4
		db  78h	; x
		db 2, 47h, 20h
		db  24h	; $
		db 20h,	79h, 2
		db  75h	; u
		db 5, 7Ah, 2
		db 0E6h	; 
		db 3, 75h, 10h
		db  76h	; v
		db 10h,	7Bh, 2
		db 0EDh	; 
		db 4, 0E8h, 10h
		db  38h	; 8
		db 21h,	0E3h, 4
		db  39h	; 9
		db 21h,	7Ch, 2
		db  9Dh	; 
		db 4, 3Ah, 21h
		db  7Dh	; }
		db 2, 7Eh, 2
		db  15h
		align 2
aABCDEFGHI2	db 'A!B!C!D!E!F!G!H!I!2',0
		dw 27Fh
		dd 21522151h, 21542153h, 2163215Dh, 21652164h, 280216Dh
		dd 520577h, 21710281h, 3332172h, 3348009h, 28009h, 3350000h
		dd 3368009h, 3378009h, 3388009h, 3398009h, 33A8009h, 33B8009h
		dd 33C8009h, 33D8009h, 33E8009h, 3408009h, 3418009h, 3428009h
		dd 45B8009h, 4E604E7h, 1074106Fh, 12E106Eh, 80030305h
		dd 80030306h, 80030307h, 80030308h, 80030309h, 8003030Ah
		dd 8003030Bh, 792h, 793h, 4EFh,	4F0h, 80090348h, 4E8h
		dd 80090343h, 177Dh, 282h, 504h, 283h, 0C0090001h, 217Ch
		dd 2182h, 2 dup(0C1h), 80090346h, 572h,	4EBh, 0C0090002h
		dd 286h, 2 dup(4EC04ECh), 2880287h, 28A0289h, 4FB028Bh
		dd 28C04FBh, 4FC028Dh, 31221ACh, 54F0008h, 8010006Bh, 8010006Ch
		dd 8010006Fh, 8010000Ch, 8009000Dh, 8010002Ch, 80090016h
		dd 8010002Fh, 4F1h, 80090351h, 80090352h, 80090353h, 80090354h
		dd 80090355h, 28Eh, 80090022h, 78D078Ch, 217B078Eh, 219F219Dh
		dd 52E028Fh, 3560502h, 3578009h, 3588009h, 3598009h, 35A8009h
		dd 35B8009h, 5038009h, 5050290h, 506078Fh, 80260001h, 5080008h
		dd 215B0791h, 21BB21BAh, 2C921BCh, 219029Ch, 4FB0300h
		dd 30103FAh, 2410299h, 3080307h, 2E4050Ch, 80090361h, 80090362h
		dd 0AA0509h, 4C800AAh, 80097019h, 17821781h, 17841783h
		dd 5131785h, 3B92050Bh,	5BB3BC3h, 605BEh, 570057h, 0BEA0057h
		dd 13A0138h, 13C3CFCh, 13B0141h, 200040h, 3D000142h, 1520151h
		dd 1560153h, 1580157h, 1440143h, 14B0146h, 1480147h, 14A0149h
		dd 14D014Ch, 14F014Eh, 5B40150h, 3D083D07h, 7E0040h, 1E3007Eh
		dd 80030208h, 80030209h, 1F0159h, 3D0F015Ah, 32C032Ah
		dd 15C015Bh, 15D0162h, 20491h, 4920490h, 150307h, 3D5A0163h
		dd 1680167h, 169012Eh, 170016Fh, 4A0049Fh, 32F018Fh, 1970196h
		dd 1990198h, 19B019Ah, 19D019Ch, 21019Fh, 1A101A0h, 1A301A2h
		dd 1A501A4h, 1A901A8h, 1AE01ADh, 1B001AFh, 1BA01B9h, 1E801C0h
		dd 60F060Eh, 150610h, 140013Fh,	0AA05BFh, 5E105E0h, 8003020Ah
		dd 112Bh, 8083000Ah, 80830009h,	10D3115Ch, 32E04DFh, 1800005h
		dd 515115Dh, 57C000h, 1FE0000h,	675h, 800B010Ch, 677h
		dd 800B0101h, 679h, 67D067Ch, 54F054Fh,	54F0057h, 570032h
		dd 320057h, 30B054Fh, 3	dup(60006h), 10001h, 310050Dh
		dd 5B7052Eh, 459007Bh, 54F054Fh, 1054Fh, 10057h, 2 dup(10001h)
		dd 1F072Bh, 1F001Fh, 30C001Fh, 50F21A4h, 1AC10510h, 3191AC3h
		dd 31B031Ah, 31D031Ch, 31F031Eh, 32804D5h, 0DC054Fh, 0DE00DDh
		dd 0E000DFh, 0E200E1h, 3220317h, 80090003h, 80090005h
		dd 8009000Dh, 29E0326h,	80090006h, 8009002Fh, 139F0017h
		dd 1550154h, 32032Bh, 0EA01BBh,	4D000EAh, 4D10032h, 3150314h
		dd 5B90316h, 5BC05BAh, 21BD05BDh, 21C621BEh, 21CE21CDh
		dd 21D021CFh, 3BC421D1h, 3BD93BC5h, 3BDB3BDAh, 3BDD3BDCh
		dd 3C283BDEh, 3C2A3C29h, 3C2C3C2Bh, 109C109Ah, 5109Dh
		dd 11300005h, 11321131h, 11341133h, 11591158h, 115B115Ah
		dd 115F115Eh, 1D61160h,	1720171h, 1740173h, 1660181h, 16B016Ah
		dd 177016Ch, 1790178h, 17B017Ah, 17D017Ch, 17F017Eh, 1830182h
		dd 1850184h, 1870186h, 1890188h, 18B018Ah, 18D018Ch, 194018Eh
		dd 1AA0195h, 1DB01B2h, 1B401B3h, 1B601B5h, 1B801B7h, 20001h
		dd 6A506A4h, 6A70006h, 6A906A8h, 6AB06AAh, 6AD06ACh, 6AF06AEh
		dd 6B106B0h, 6B306B2h, 6B506B4h, 6B706B6h, 6B906B8h, 6BB06BAh
		dd 6BD06BCh, 6BF06BEh, 6C206C0h, 6C506C4h, 6C706C6h, 6C906C8h
		dd 6CC06CBh, 6CE06CDh, 6D006CFh, 6D206D1h, 6D406D3h, 6D606D5h
		dd 6D806D7h, 6DA06D9h, 6DC06DBh, 6DE06DDh, 6E006DFh, 6E206E1h
		dd 6E406E3h, 6E606E5h, 6E806E7h, 6EA06E9h, 6FF06EBh, 76A070Eh
		dd 76C076Bh, 71A0719h, 71C071Bh, 71E071Dh, 721071Fh, 77A0722h
		dd 6C1077Bh, 6EC0729h, 6EE06EDh, 60006h, 6F206F1h, 6F406F3h
		dd 6F606F5h, 72306F7h, 7250724h, 7270726h, 77C0728h, 77E077Dh
		dd 2A0029Fh, 2A202A1h, 1B590F6Eh, 1B5B1B5Ah, 1B601B5Fh
		dd 1B621B61h, 1B641B63h, 1B661B65h, 1B681B67h, 1B8F1B69h
		dd 1B901B8Eh, 1B6F1B6Eh, 1B711B70h, 1B7E1B7Bh, 1B811B80h
		dd 1B841B82h, 1B891B85h, 1B8A1B5Ch, 1B991B8Bh, 1B8C1B8Dh
		dd 1B911B92h, 1B9C1B7Dh, 1B9E1B9Dh, 3AFD3AFCh, 3AFF3AFEh
		dd 3B013B00h, 13AF3B02h, 13B113B0h, 13B313B2h, 13B513B4h
		dd 13B713B6h, 13B913B8h, 13BB13BAh, 13BD13BCh, 171213BEh
		dd 13CE13C0h, 13C313C2h, 171313C4h, 173F173Eh, 4D504D5h
		dd 320032h, 2 dup(4D50032h), 1765175Bh,	51766h,	0Dh dup(29D029Dh)
		dd 36B0029Dh, 36B236B1h, 36B436B3h, 36B636B5h, 36B836B7h
		dd 36BA36B9h, 36BB3701h, 37053704h, 37093706h, 37023707h
		dd 370A3703h, 370C370Bh, 3712370Dh, 371536CCh, 37173716h
		dd 37133718h, 37193714h, 371B371Ah, 371D371Ch, 1A90371Eh
		dd 1A2D1A2Ch, 1A911A32h, 1A341A92h, 1A951A93h, 1A9E1A96h
		dd 1A371A36h, 1A351A38h, 1A2F1A2Eh, 1A311A30h, 1A3A1A39h
		dd 1A971AB1h, 1A991A98h, 1A9B1A9Ah, 1A9F1A9Ch, 1AA31AA1h
		dd 1AA71AA4h, 1AA91AA8h, 1AAB1AAAh, 1AAD1AACh, 1AAF1AAEh
		dd 1AB21AB0h, 1AB61AB5h, 1AB81AB7h, 1ABA1AB9h, 1ABD1ABCh
		dd 1ABF1ABEh, 1A3B1AC0h, 1A3D1A3Ch, 1A3F1A3Eh, 1A411A40h
		dd 1AC21A42h, 1A441A43h, 1AC51AC4h, 1A471A46h, 1A491A48h
		dd 1AC61A4Ah, 19C81AC7h, 19CA19C9h, 19CC19CBh, 19CE19CDh
		dd 19D019CFh, 19D219D1h, 19D519D4h, 19D719D6h, 19D919D8h
		dd 19DB19DAh, 19DD19DCh, 19DF19DEh, 19E119E0h, 19E319E2h
		dd 19E619E4h, 19E819E7h, 19EA19E9h, 19EC19EBh, 19EE19EDh
		dd 19F019EFh, 19F219F1h, 19F419F3h, 19F619F5h, 19F819F7h
		dd 80260001h, 801F0001h, 801F0002h, 801F0003h, 801F0004h
		dd 801F0005h, 801F0006h, 801F0007h, 801F0008h, 801F0009h
		dd 801F000Ah, 801F000Bh, 801F000Ch, 801F000Dh, 801F000Eh
		dd 801F000Fh, 801F0010h, 801F0011h, 801F0012h, 801F0013h
		dd 801F0014h, 801F0015h, 801F0016h, 801F0017h, 801F0018h
		dd 801F0019h, 801F001Ah, 801F001Bh, 801F001Ch, 801F0020h
		dd 801F0023h, 261001h, 261002h,	0C0261003h, 0C0261004h
		dd 0C0261005h, 0C0261006h, 0C0261007h, 0C0261008h, 0C0261009h
		dd 0C026100Ah, 0C0262000h, 0C0262001h, 0C0262002h, 0C0262003h
		dd 0C0262004h, 0C0262005h, 0C0262006h, 0C0262007h, 0C0262008h
		dd 0C0262009h, 0C026200Bh, 0C026200Ch, 0C026200Dh, 0C026200Eh
		dd 0C026200Fh, 0C0262010h, 0C0262011h, 0C0262012h, 0C0262013h
		dd 0C0262100h, 0C0262101h, 0C0262102h, 0C0262103h
		dd 0C0262104h, 0C0262105h, 0C0262106h, 0C0262107h, 0C0262108h
		dd 0C0262109h, 0C0262110h, 0C0262111h, 0C0262112h, 0C0262113h
		dd 0C0262114h, 0C0262115h, 0C0262116h, 0C0262200h, 0C0262300h
		dd 0C0262301h, 0C0262302h, 0C0262303h, 0C0262304h, 0C0262305h
		dd 0C0262306h, 0C0262308h, 0C0262309h, 0C026230Ah, 0C026230Bh
		dd 0C026230Ch, 0C0262310h, 0C0262311h, 0C0262312h, 0C0262313h
		dd 0C0262314h, 0C0262315h, 0C0262316h, 0C0262317h, 0C0262318h
		dd 0C0262319h, 0C026231Ah, 0C026231Bh, 0C026231Ch, 0C026231Dh
		dd 0C026231Fh, 0C0262320h, 0C0262321h, 0C0262322h, 0C0262323h
		dd 0C0262324h, 0C0262325h, 0C0262326h, 0C0262327h, 0C0262328h
		dd 0C0262329h, 0C026232Ah, 0C026232Bh, 0C026232Ch, 0C026232Dh
		dd 0C026232Eh, 0C026232Fh, 0C0262330h, 0C0262331h, 0C0262332h
		dd 0C0262333h, 0C0262334h, 0C0262335h, 0C0262336h, 0C0262337h
		dd 0C0262338h, 0C0262339h, 0C026233Ah, 0C026233Bh, 0C026233Ch
		dd 0C026233Dh, 0C026233Eh, 0C026233Fh, 0C0262340h, 0C0262341h
		dd 0C0262342h, 0C0262343h, 0C0262344h, 0C0262345h, 0C0262346h
		dd 0C0262347h, 0C0262348h, 0C0262349h, 0C026234Ah, 0C026234Dh
		dd 0C026234Eh, 0C026234Fh, 0C0262350h, 0C0262352h, 0C0262353h
		dd 0C0262354h, 0C0262355h, 0C0262356h, 0C0262357h, 0C0262358h
		dd 0C0262359h, 0C026235Ah, 0C026235Bh, 0C026235Ch, 0C0262400h
		dd 0C0262401h, 0C0262430h, 0C0262431h, 0C0262432h, 0C0262433h
		dd 0C0262434h, 0C0262435h, 0C0262436h, 0C0262438h, 0C026243Bh
		dd 0C0262500h, 0C0262501h, 0C0262502h, 0C0262503h, 0C0262505h
		dd 0C026250Bh, 0C026250Ch, 0C026250Eh, 0C026250Fh, 0C0262510h
		dd 0C0262511h, 0C0262512h, 0C0262513h, 0C0262514h, 0C0262515h
		dd 0C0262516h, 0C0262517h, 0C0262518h, 0C026251Ah, 0C026251Ch
		dd 0C026251Dh, 0C026251Eh, 0C026251Fh, 0C0262520h, 0C0262521h
		dd 0C0262580h, 0C0262581h, 0C0262582h, 0C0262583h, 0C0262584h
		dd 0C0262585h, 0C0262586h, 0C0262587h, 0C0262588h, 0C0262589h
		dd 0C026258Ah, 0C026258Bh, 0C026258Ch, 0C026258Dh, 0C02625E0h
		dd 0C02625E1h, 0C02625E2h, 0C02625E3h, 0C02625E4h, 0C02625E5h
		dd 0C02625E6h, 0C02625E7h, 0C02605E8h, 80310000h, 80310001h
		dd 80310010h, 80310011h, 80310013h, 80310014h, 80310047h
		dd 8031004Bh, 80310049h, 80310009h, 80310016h, 80310017h
		dd 80310019h, 8031001Bh, 8031001Ch, 80310024h, 80310026h
		dd 80310027h, 80310028h, 8031003Ch, 8031003Dh, 8031003Eh
		dd 8031003Fh, 80310025h, 80310041h, 80310042h, 80310043h
		dd 80310044h, 80310045h, 8031004Fh, 8031004Dh, 2 dup(80310010h)
		dd 8031004Eh, 80310050h, 80310051h, 80310054h, 80310055h
		dd 8031005Ah, 80310079h, 80310088h, 80310089h, 8031009Bh
		dd 8031006Fh, 80310099h, 803100A5h, 803100A6h, 803100ADh
		dd 803100AEh, 803100B3h, 803100B9h, 803100BCh, 803100BAh
		dd 803100BBh, 803100CAh, 803100D6h, 803100D7h, 80310021h
		dd 803100D8h, 803100D9h, 80320001h, 80320002h, 80320003h
		dd 80320004h, 80320005h, 80320006h, 80320007h, 80320008h
		dd 80320009h, 8032000Ah, 8032000Bh, 8032000Ch, 8032000Dh
		dd 8032000Eh, 8032000Fh, 80320010h, 80320011h, 80320012h
		dd 80320013h, 80320014h, 80320015h, 80320016h, 80320017h
		dd 80320018h, 80320019h, 8032001Ah, 8032001Bh, 8032001Ch
		dd 8032001Dh, 8032001Eh, 8032001Fh, 80320020h, 80320021h
		dd 80320022h, 80320023h, 80320024h, 80320025h, 80320026h
		dd 80320027h, 80320028h, 80320029h, 8032002Ah, 8032002Bh
		dd 8032002Ch, 8032002Dh, 8032002Eh, 8032002Fh, 80320030h
		dd 80320031h, 80320032h, 80320033h, 80320034h, 80320035h
		dd 80320036h, 80320037h, 80320038h, 80320039h, 8032003Ah
		dd 8032003Bh, 8032003Ch, 8032003Dh, 8032003Eh, 8032003Fh
		dd 80320040h, 80320041h, 80320042h, 80320043h, 80320044h
		dd 15h,	3E3h, 4D5h, 10DDh, 80320104h, 80340002h, 80340004h
		dd 80340005h, 80340006h, 80340007h, 80340008h, 80340009h
		dd 8034000Ah, 8034000Bh, 8034000Ch, 8034000Dh, 8034000Fh
		dd 80340010h, 80340011h, 80340014h, 80340015h, 80340016h
		dd 80340017h, 80340018h, 80340019h, 8034001Ah, 8034001Bh
		dd 8034001Ch, 8034001Dh, 8034001Eh, 8034001Fh, 80340022h
		dd 8034002Ah, 8034002Bh, 8034002Ch, 8034002Dh, 8034002Eh
		dd 8034002Fh, 80340030h, 80340031h, 803400BBh, 0C034100Fh
		dd 0C0341012h, 0C0341013h, 80342000h, 80342001h, 80342002h
		dd 80342003h, 80342004h, 80342005h, 80342006h, 80342007h
		dd 80342008h, 80410000h, 80410001h, 80280000h, 80280001h
		dd 80280002h, 80280003h, 80280004h, 80280005h, 80280006h
		dd 80280007h, 80280008h, 80280009h, 8028000Ah, 8028000Bh
		dd 8028000Ch, 8028000Dh, 8028000Eh, 8028000Fh, 80280010h
		dd 80280011h, 80280012h, 80280013h, 80280014h, 80280015h
		dd 80280016h, 80280017h, 80280018h, 80280019h, 8028001Ah
		dd 8028001Bh, 8028001Ch, 8028001Dh, 8028001Eh, 8028001Fh
		dd 80280020h, 80280021h, 80280022h, 80280023h, 80280024h
		dd 80280025h, 80280026h, 80280027h, 80280028h, 80280029h
		dd 8028002Ah, 8028002Bh, 8028002Ch, 8028002Dh, 8028002Eh
		dd 8028002Fh, 80280030h, 80280031h, 80280032h, 80280033h
		dd 80280034h, 80280035h, 80280036h, 80280037h, 80280038h
		dd 80280039h, 8028003Ah, 8028003Bh, 8028003Ch, 8028003Dh
		dd 8028003Eh, 8028003Fh, 80280040h, 80280041h, 80280042h
		dd 80280043h, 80280044h, 80280045h, 80280046h, 80280047h
		dd 80280048h, 80280049h, 8028004Ah, 8028004Bh, 8028004Ch
		dd 8028004Dh, 8028004Eh, 8028004Fh, 80280050h, 80280051h
		dd 80280052h, 80280053h, 80280054h, 80280055h, 80280056h
		dd 80280057h, 80280058h, 80280059h, 8028005Ah, 8028005Bh
		dd 8028005Ch, 8028005Dh, 8028005Eh, 8028005Fh, 80280061h
		dd 80280062h, 80280063h, 80280081h, 80280082h, 80280083h
		dd 80280084h, 80280085h, 80280087h, 80280088h, 80280089h
		dd 8028008Ah, 8028008Bh, 8028008Ch, 8028008Dh, 8028008Eh
		dd 8028008Fh, 80280090h, 80280092h, 80280095h, 80280096h
		dd 80280097h, 80280098h, 8028009Ah, 8028009Bh, 8028009Ch
		dd 8028009Dh, 8028009Fh, 802800A0h, 802800A1h, 802800A2h
		dd 802800A3h, 802800A4h, 802800A5h, 802800A6h, 802800A7h
		dd 80280100h, 80280101h, 80280103h, 8028010Bh, 80280119h
		dd 80280120h, 80280121h, 80280123h, 80280124h, 80280125h
		dd 80280126h, 80280127h, 80280128h, 8028012Dh, 8028012Eh
		dd 8028012Fh, 80280130h, 80280131h, 80280142h, 80280143h
		dd 80280144h, 80280145h, 80280146h, 80280147h, 80280148h
		dd 80280149h, 8028014Ah, 8028014Bh, 8028014Ch, 80280150h
		dd 80280151h, 80280152h, 80280153h, 80280154h, 80280155h
		dd 80280400h, 80280401h, 80280402h, 80280403h, 80280404h
		dd 80280800h, 80280801h, 80280802h, 80280803h, 8028400Dh
		dd 80284009h, 8028400Fh, 80284012h, 80284005h, 80284014h
		dd 80290400h, 80290401h, 80290402h, 80290403h, 80290404h
		dd 80290405h, 80290406h, 80290407h, 80290408h, 80290409h
		dd 8029040Ah, 8029040Bh, 8029040Ch, 80090035h, 8029040Eh
		dd 8029040Fh, 80290410h, 80290411h, 80290412h, 80290413h
		dd 80290414h, 80290415h, 80290416h, 80290417h, 80290418h
		dd 80290419h, 8029041Ah, 8029041Bh, 8029041Ch, 8029041Dh
		dd 8029041Eh, 8029041Fh, 80290420h, 80290421h, 80290422h
		dd 2 dup(54F0057h), 80290500h, 0C0350002h, 0C0350003h
		dd 0C0350004h, 0C0350005h, 0C0350006h, 0C0350007h, 0C0350008h
		dd 0C0350009h, 0C035000Ah, 0C035000Bh, 0C035000Ch, 0C035000Dh
		dd 0C035000Eh, 0C0350011h, 0C0350012h, 0C0350013h, 0C0350014h
		dd 0C0350015h, 0C0350016h, 0C0350017h, 0C0350018h, 0C0350019h
		dd 0C035001Ah, 0C035001Bh, 0C035001Ch, 0C035001Dh, 0C035001Eh
		dd 0C0350033h, 0C0350038h, 0C035003Ch, 0C035003Dh, 0C035003Eh
		dd 0C035003Fh, 0C0350041h, 0C0350050h, 0C0350051h, 0C0350055h
		dd 0C0350057h, 0C0350058h, 0C0350060h, 0C035006Fh, 0C0350070h
		dd 0C0350071h, 0C0350072h, 0C0350073h, 0C0350074h, 0C0350075h
		dd 0C0351000h, 36573656h, 36593658h, 365B365Ah,	365D365Ch
		dd 3665365Eh, 36673666h, 36693668h, 366C366Ah, 0C0370001h
		dd 0C0370002h, 0C0370003h, 0C0370004h, 0C0370005h, 0C0370006h
		dd 0C0370007h, 0C0370008h, 0C0370009h, 0C037000Ah, 0C037000Bh
		dd 0C037000Ch, 0C037000Dh, 0C037000Eh, 0C037000Fh, 0C0370010h
		dd 0C0370011h, 0C0370012h, 0C0370013h, 0C0370014h, 0C0370015h
		dd 0C0370016h, 0C0370017h, 0C0370018h, 0C0370019h, 0C037001Ah
		dd 0C037001Bh, 0C037001Ch, 0C037001Dh, 0C037001Eh, 0C037001Fh
		dd 0C0370020h, 0C0370021h, 0C0370022h, 0C0370023h, 0C0370024h
		dd 0C0370025h, 0C0370026h, 0C0370027h, 0C0370028h, 0C0370029h
		dd 0C037002Ah, 0C0380001h, 0C0380002h, 0C0380003h, 0C0380004h
		dd 0C0380005h, 0C0380006h, 0C0380007h, 0C0380008h, 0C0380009h
		dd 0C038000Ah, 0C038000Bh, 0C038000Ch, 0C038000Dh, 0C038000Eh
		dd 0C038000Fh, 0C0380010h, 0C0380011h, 0C0380012h, 0C0380013h
		dd 0C0380014h, 0C0380015h, 0C0380016h, 0C0380017h, 0C0380018h
		dd 0C0380019h, 0C038001Ah, 0C038001Bh, 0C038001Ch, 0C038001Dh
		dd 0C038001Eh, 0C038001Fh, 0C0380020h, 0C0380021h, 0C0380022h
		dd 0C0380023h, 0C0380024h, 0C0380025h, 0C0380026h, 0C0380027h
		dd 0C0380028h, 0C0380029h, 0C038002Ah, 0C038002Bh, 0C038002Ch
		dd 0C038002Dh, 0C038002Eh, 0C038002Fh, 0C0380030h, 0C0380031h
		dd 0C0380032h, 0C0380033h, 0C0380034h, 0C0380035h, 0C0380036h
		dd 0C0380037h, 0C0380038h, 0C0380039h, 0C038003Ah, 0C038003Bh
		dd 0C038003Ch, 0C038003Dh, 0C038003Eh, 0C038003Fh, 0C0380040h
		dd 0C0380041h, 0C0380042h, 0C0380043h, 0C0380044h, 0C0380045h
		dd 0C0380046h, 0C0380047h, 0C0380048h, 0C0380049h, 0C038004Ah
		dd 0C038004Bh, 0C038004Ch, 0C038004Dh, 0C038004Eh, 0C038004Fh
		dd 0C0380050h, 0C0380051h, 0C0380052h, 0C0380053h, 0C0380054h
		dd 0C0380055h, 0C0380056h, 0C0380057h, 0C0380058h, 0C0380059h
		dd 0C038005Ah, 0C038005Bh, 0C038005Ch, 0C0390002h, 0C03A0001h
		dd 0C03A0002h, 0C03A0003h, 0C03A0004h, 0C03A0005h, 0C03A0006h
		dd 0C03A0007h, 0C03A0008h, 0C03A0009h, 0C03A000Ah, 0C03A000Bh
		dd 0C03A000Ch, 0C03A000Dh, 0C03A000Eh, 0C03A000Fh, 0C03A0010h
		dd 0C03A0011h, 0C03A0012h, 0C03A0013h, 0C03A0014h, 0C03A0015h
		dd 0C03A0016h, 0C03A0017h, 0C03A0018h, 0C03A0019h, 0C03A001Ah
		dd 0C03A001Bh, 0C03A001Ch, 0C03A001Dh, 0C03A001Eh, 0C03A001Fh
		dd 0C03A0020h, 0C03A0021h, 0C03A0022h, 0C03A0023h, 0C03A0024h
		dd 0C03A0028h, 0C03A0029h, 0C03A002Ah, 0C03A0030h, 0C03A0025h
		dd 0C03A0026h, 0C03A0027h, 570057h, 19E419E4h, 570020h
		dd 2 dup(54F054Fh), 80650001h, 80650002h, 80650003h, 80650004h
		dd 80650005h, 80650006h, 80650007h, 80650008h, 80650009h
		dd 8065000Ah, 8065000Bh, 8065000Ch, 8065000Dh, 8065000Eh
		dd 8065000Fh, 80650010h, 80650011h, 80651000h, 11451144h
		dd 11471146h, 114A1148h, 114C114Bh, 114E114Dh, 1150114Fh
		dd 11521151h, 11153h, 28066h, 38066h, 48066h, 58066h, 11D08066h
		dd 111D1h, 28082h, 18082h, 8901h, 0FF00C05Ch, 0FF01C05Ch
		dd 0FF02C05Ch, 0FF03C05Ch, 0FF04C05Ch, 0FF05C05Ch, 0FF06C05Ch
		dd 0FF07C05Ch, 0FF08C05Ch, 0FF09C05Ch, 0FF0AC05Ch, 0FF0BC05Ch
		dd 0FF0CC05Ch, 0C05Ch, 1C05Dh, 4F8C05Dh, 370000h, 370037h
		dd 80E70001h, 80E70003h, 80E70004h, 80E70006h, 80E70007h
		dd 80E70009h, 80E7000Ah, 80E7000Bh, 80E7000Ch, 80E7000Dh
		dd 80E7000Eh, 80E7000Fh, 80E70010h, 80E70011h, 80E70012h
		dd 0Bh dup(80E70002h), 80E70013h, 80E70014h, 80E70002h
		dd 0C0E80000h, 11C711C6h, 11C911C8h, 11CB11CAh,	0C0EA0001h
		dd 0C0EA0002h, 0C0EA0003h, 0C0EA0004h, 0C0EA0005h, 0C0EA0006h
		dd 0C0EA0007h, 0C0EA0008h, 0C0EA0009h, 0C0EA000Ah, 11DB11DAh
		dd 11DD11DCh, 11DF11DEh, 0BF411E0h, 0BF60BF5h, 0BF80BF7h
		dd 0BFA0BF9h, 0BFBh, 2 dup(0)
_RtlpBitsClearTotal db 8		; DATA XREF: RtlNumberOfSetBits(x)+6Br
					; RtlNumberOfSetBits(x)+DDr ...
		db 2 dup(7), 6
		dd 2 dup(5060607h), 4050506h, 5060607h,	2 dup(4050506h)
		dd 3040405h, 5060607h, 2 dup(4050506h),	3040405h, 4050506h
		dd 2 dup(3040405h), 2030304h, 5060607h,	2 dup(4050506h)
		dd 3040405h, 4050506h, 2 dup(3040405h),	2030304h, 4050506h
		dd 2 dup(3040405h), 2030304h, 3040405h,	2 dup(2030304h)
		dd 1020203h, 5060607h, 2 dup(4050506h),	3040405h, 4050506h
		dd 2 dup(3040405h), 2030304h, 4050506h,	2 dup(3040405h)
		dd 2030304h, 3040405h, 2 dup(2030304h),	1020203h, 4050506h
		dd 2 dup(3040405h), 2030304h, 3040405h,	2 dup(2030304h)
		dd 1020203h, 3040405h, 2 dup(2030304h),	1020203h, 2030304h
		dd 2 dup(1020203h), 10102h
_RtlpRvaCompressionTableScales dd 40000h ; DATA	XREF: MiCopyToCfgBitMap+26Fr
					; MiUpdateCfgSystemWideBitmapWorker+191r ...
		dd 1000h, 40h, 1
_RtlpInterceptorRoutines dd 0		; DATA XREF: ExFreeHeapPool+8A6r
					; RtlpHpFreeHeap+11FF44r ...
		align 8
_RtlpSearchWidth db 20h			; DATA XREF: RtlpHpLfhSlotAllocate+9Er
					; RtlpHpLfhSlotAllocate+4A7r
		db 3 dup(20h)
		dd 0Fh dup(20202020h), 1A1C1E20h, 16161818h, 12121414h
		dd 10101012h, 0C0E0E10h, 0A0A0C0Ch, 8080A0Ah, 9	dup(8080808h)
		dd 8, 0
_RtlpBucketBlockSizes dw 0		; DATA XREF: RtlpHpLfhBucketComputeNewSubsegmentBlockCount(x,x)+9r
					; RtlpHpLfhSubsegmentCreate+25r ...
		dw 8
		dd 180010h, 280020h, 380030h, 480040h, 580050h,	680060h
		dd 780070h, 880080h, 980090h, 0A800A0h,	0B800B0h, 0C800C0h
		dd 0D800D0h, 0E800E0h, 0F800F0h, 1100100h, 1300120h, 1500140h
		dd 1700160h, 1900180h, 1B001A0h, 1D001C0h, 1F001E0h, 2200200h
		dd 2600240h, 2A00280h, 2E002C0h, 3200300h, 3600340h, 3A00380h
		dd 3E003C0h, 4400400h, 4C00480h, 5400500h, 5C00580h, 6400600h
		dd 6C00680h, 7400700h, 7C00780h, 8800800h, 9800900h, 0A800A00h
		dd 0B800B00h, 0C800C00h, 0D800D00h, 0E800E00h, 0F800F00h
		dd 11001000h, 13001200h, 15001400h, 17001600h, 19001800h
		dd 1B001A00h, 1D001C00h, 1F001E00h, 22002000h, 26002400h
		dd 2A002800h, 2E002C00h, 32003000h, 36003400h, 3A003800h
		dd 3E003C00h, 4000h, 0
_RtlpLfhBucketIndexMap db 0		; DATA XREF: RtlpHpLfhSubsegmentFreeBlock+64r
					; RtlpHpLfhSubsegmentFreeBlock+394r ...
		db 1, 2, 3
		dd 7060504h, 0B0A0908h,	0F0E0D0Ch, 13121110h, 17161514h
		dd 1B1A1918h, 1F1E1D1Ch, 22212120h, 24232322h, 26252524h
		dd 28272726h, 2A292928h, 2C2B2B2Ah, 2E2D2D2Ch, 302F2F2Eh
		dd 31313130h, 32323231h, 33333332h, 34343433h, 35353534h
		dd 36363635h, 37373736h, 38383837h, 39393938h, 3A3A3A39h
		dd 3B3B3B3Ah, 3C3C3C3Bh, 3D3D3D3Ch, 3E3E3E3Dh, 3F3F3F3Eh
		dd 4040403Fh, 41414140h, 41414141h, 42424241h, 42424242h
		dd 43434342h, 43434343h, 44444443h, 44444444h, 45454544h
		dd 45454545h, 46464645h, 46464646h, 47474746h, 47474747h
		dd 48484847h, 48484848h, 49494948h, 49494949h, 4A4A4A49h
		dd 4A4A4A4Ah, 4B4B4B4Ah, 4B4B4B4Bh, 4C4C4C4Bh, 4C4C4C4Ch
		dd 4D4D4D4Ch, 4D4D4D4Dh, 4E4E4E4Dh, 4E4E4E4Eh, 4F4F4F4Eh
		dd 4F4F4F4Fh, 5050504Fh, 50505050h, 51515150h, 3 dup(51515151h)
		dd 52525251h, 3	dup(52525252h),	53535352h, 3 dup(53535353h)
		dd 54545453h, 3	dup(54545454h),	55555554h, 3 dup(55555555h)
		dd 56565655h, 3	dup(56565656h),	57575756h, 3 dup(57575757h)
		dd 58585857h, 3	dup(58585858h),	59595958h, 3 dup(59595959h)
		dd 5A5A5A59h, 3	dup(5A5A5A5Ah),	5B5B5B5Ah, 3 dup(5B5B5B5Bh)
		dd 5C5C5C5Bh, 3	dup(5C5C5C5Ch),	5D5D5D5Ch, 3 dup(5D5D5D5Dh)
		dd 5E5E5E5Dh, 3	dup(5E5E5E5Eh),	5F5F5F5Eh, 3 dup(5F5F5F5Fh)
		dd 6060605Fh, 3	dup(60606060h),	61616160h, 7 dup(61616161h)
		dd 62626261h, 7	dup(62626262h),	63636362h, 7 dup(63636363h)
		dd 64646463h, 7	dup(64646464h),	65656564h, 7 dup(65656565h)
		dd 66666665h, 7	dup(66666666h),	67676766h, 7 dup(67676767h)
		dd 68686867h, 7	dup(68686868h),	69696968h, 7 dup(69696969h)
		dd 6A6A6A69h, 7	dup(6A6A6A6Ah),	6B6B6B6Ah, 7 dup(6B6B6B6Bh)
		dd 6C6C6C6Bh, 7	dup(6C6C6C6Ch),	6D6D6D6Ch, 7 dup(6D6D6D6Dh)
		dd 6E6E6E6Dh, 7	dup(6E6E6E6Eh),	6F6F6F6Eh, 7 dup(6F6F6F6Fh)
		dd 7070706Fh, 7	dup(70707070h),	71717170h, 0Fh dup(71717171h)
		dd 72727271h, 0Fh dup(72727272h), 73737372h, 0Fh dup(73737373h)
		dd 74747473h, 0Fh dup(74747474h), 75757574h, 0Fh dup(75757575h)
		dd 76767675h, 0Fh dup(76767676h), 77777776h, 0Fh dup(77777777h)
		dd 78787877h, 0Fh dup(78787878h), 79797978h, 0Fh dup(79797979h)
		dd 7A7A7A79h, 0Fh dup(7A7A7A7Ah), 7B7B7B7Ah, 0Fh dup(7B7B7B7Bh)
		dd 7C7C7C7Bh, 0Fh dup(7C7C7C7Ch), 7D7D7D7Ch, 0Fh dup(7D7D7D7Dh)
		dd 7E7E7E7Dh, 0Fh dup(7E7E7E7Eh), 7F7F7F7Eh, 0Fh dup(7F7F7F7Fh)
		dd 8080807Fh, 0Fh dup(80808080h), 80h
aKernelOnecoreV:			; DATA XREF: .data:006B1F84o
		unicode	0, <Kernel-OneCore-VailGuest>,0
		align 10h
aEdp:					; DATA XREF: .data:006B1F8Co
		unicode	0, <EDP://>,0
		align 10h
aSam_:
		unicode	0, <SAM_>,0
		align 4
asc_40F44C:				; DATA XREF: .text:00404000o
		unicode	0, <==>,0
		align 4
aNot_exists:				; DATA XREF: .text:00403FECo
		unicode	0, <Not_Exists>,0
		align 4
asc_40F46C:				; DATA XREF: .text:00404028o
		unicode	0, <!=>,0
		align 4
asc_40F474:				; DATA XREF: .text:00404014o
		dw 3Eh
		unicode	0, <=>,0
		align 4
aExists:				; DATA XREF: .text:_Operatorso
		unicode	0, <Exists>,0
		align 4
asc_40F48C:				; DATA XREF: .text:004040A0o
		dw 3Eh
		unicode	0, <>,0
asc_40F490:				; DATA XREF: .text:0040408Co
		dw 3Ch
		unicode	0, <>,0
aNot_contains:				; DATA XREF: .text:004040C8o
		unicode	0, <Not_Contains>,0
		align 10h
aContains:				; DATA XREF: .text:004040B4o
		unicode	0, <Contains>,0
		align 4
asc_40F4C4:				; DATA XREF: .text:00404050o
		unicode	0, <&&>,0
		align 4
asc_40F4CC:				; DATA XREF: .text:0040403Co
		dw 3Ch
		unicode	0, <=>,0
		align 4
asc_40F4D4:				; DATA XREF: .text:00404078o
		unicode	0, <&>,0
asc_40F4D8:				; DATA XREF: .text:00404064o
		unicode	0, <||>,0
		align 10h
aDevice_membe_1:			; DATA XREF: .text:00404140o
		unicode	0, <Device_Member_of>,0
		align 4
aNot_member_of:				; DATA XREF: .text:0040412Co
		unicode	0, <Not_Member_of>,0
aMember_of_any:				; DATA XREF: .text:00404168o
		unicode	0, <Member_of_any>,0
aNot_device_m_1:			; DATA XREF: .text:00404154o
		unicode	0, <Not_Device_Member_of>,0
		align 4
aNot_any_of:				; DATA XREF: .text:004040F0o
		unicode	0, <Not_Any_of>,0
		align 10h
aAny_of:				; DATA XREF: .text:004040DCo
		unicode	0, <Any_of>,0
		align 10h
aMember_of:				; DATA XREF: .text:00404118o
		unicode	0, <Member_of>,0
asc_40F5A4:				; DATA XREF: .text:00404104o
		unicode	0, <!>,0
aDevice_member_:			; DATA XREF: .text:00404190o
		unicode	0, <Device_Member_of_any>,0
		align 4
aNot_member_of_:			; DATA XREF: .text:0040417Co
		unicode	0, <Not_Member_of_any>,0
aNot_device_mem:			; DATA XREF: .text:004041A4o
		unicode	0, <Not_Device_Member_of_any>,0
		align 4
; long * `public: static long __stdcall	SMKM_STORE<struct SM_TRAITS>::SmStGetPriorityByMemoryCondition(enum  _SMP_MEMORY_CONDITION, long)'::`2'::PriorityByMemoryCondition
?PriorityByMemoryCondition@?1??SmStGetPriorityByMemoryCondition@?$SMKM_STORE@USM_TRAITS@@@@SGJW4_SMP_MEMORY_CONDITION@@J@Z@4PAJA dd 12h
					; DATA XREF: SMKM_STORE_SM_TRAITS___SmStWorker:loc_482CCEr
					; SMKM_STORE_SM_TRAITS___SmStWorkItemGet:loc_482FC0r ...
		dd 12h,	0Ah, 8,	0FFFFFFFFh
aRegistryMach_7:			; DATA XREF: .data:006B2344o
		unicode	0, <\REGISTRY\MACHINE\OSBOOT\ControlSetOverride\Session	Manag>
		unicode	0, <er\Memory Management>,0
		align 10h
aSystemrootSyst:			; DATA XREF: PAGEDATA:_EtwpRTBacklogFileRooto
		unicode	0, <%SystemRoot%\system32\Logfiles\WMI\RtBackup\>,0
		align 4
aTimezone:
		unicode	0, <timezone>,0
		align 10h
aLeapseconds:
		unicode	0, <LeapSeconds>,0
aEnabled:
		unicode	0, <Enabled>,0
_ExpBuiltinPriorities dd 0Dh		; DATA XREF: ExQueueWorkItemEx(x,x,x)+15r
					; ExQueueWorkItem+18r ...
		dd 0Ch,	0Fh, 8,	7, 12h,	0Eh
aCapabilityalwa:			; DATA XREF: .text:off_4041E8o
		unicode	0, <CapabilityAlwaysExists>,0
		align 8
aTag_matching_c:			; DATA XREF: .text:004041F4o
		unicode	0, <Tag_MATCHING_COMMAND_LINE_Supported>,0
aTag_matching_s:			; DATA XREF: .text:004041ECo
		unicode	0, <Tag_MATCHING_SDB_CAPABILITY_Supported>,0
		align 10h
aTag_match_logi:			; DATA XREF: .text:004041F0o
		unicode	0, <Tag_MATCH_LOGIC_NOT_IF_SDB_CAPABILITY_EXISTS_Supported>,0
		align 10h
_AdtpStandardAccessTypes dd 10000h	; DATA XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x):loc_6971EBr
					; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x):loc_A285D8r ...
		dd 20000h, 40000h, 80000h, 100000h, 1000000h, 2000000h
; int dword_40F8EC
dword_40F8EC	dd 1			; DATA XREF: _CmUpdateDevicePanel+6DB24r
					; _CmUpdateDevicePanel+6E41Br ...
		dd 2, 3, 4, 5, 6, 0
dword_40F908	dd 1			; DATA XREF: _CmUpdateDevicePanel+6E672r
					; _CmUpdateDevicePanel+6E764r
		dd 2, 3, 4, 0
dword_40F91C	dd 2			; DATA XREF: _CmUpdateDevicePanel+6E2F3r
		dd 2, 5	dup(1),	0
		dd 1
dword_40F940	dd 0			; DATA XREF: _CmUpdateDevicePanel+6E962r
		dd 1
dword_40F948	dd 0			; DATA XREF: _CmUpdateDevicePanel+6E62Cr
		dd 1, 2, 3, 4
aProperties:				; DATA XREF: .text:off_404240o
		unicode	0, <Properties>,0
		align 4
aDriverinffiles:			; DATA XREF: .text:00404250o
		unicode	0, <DriverInfFiles>,0
		align 4
aDriverpackages:			; DATA XREF: .text:0040424Co
		unicode	0, <DriverPackages>,0
		align 4
aNodes:					; DATA XREF: .text:00404248o
		unicode	0, <Nodes>,0
aDeviceids:				; DATA XREF: .text:00404258o
		unicode	0, <DeviceIds>,0
aDriverfiles:				; DATA XREF: .text:00404254o
		unicode	0, <DriverFiles>,0
		align 10h
__real@41612a8800000000	dq 9.0e6	; DATA XREF: sub_787DE0+6B2r
_ZeroPte	dd 0			; DATA XREF: .text:loc_432207r
					; MiMakeSystemRangeAvailable+112r ...
dword_40F9FC	dd 0			; DATA XREF: .text:0043220Fr
					; MiMakeSystemRangeAvailable+11Er ...
_EtwpOneMs	dd 0FFFFD8F0h		; DATA XREF: EtwpRequestFlushTimer+5Cr
					; EtwpTraceThreadRundownWithStack(x,x)+80r ...
dword_40FA04	dd 0FFFFFFFFh		; DATA XREF: EtwpRequestFlushTimer:loc_51503Er
					; EtwpTraceThreadRundownWithStack(x,x)+7Ar ...
; 

; void DEVPKEY_DeviceContainer_HasProblem
_DEVPKEY_DeviceContainer_HasProblem:	; DATA XREF: .text:00401590o
					; .text:00401B3Co ...
		enter	0FFFFC34Fh, 78h
		dec	edx
		adc	dl, cl
		dec	edx
		sahf
		movsb
		push	edx
		dec	ebp
		push	edx
		cdq
		outsb
		push	edi
		push	ebx
; 
		db 3 dup(0)
aAi:					; DATA XREF: .text:00404280o
					; .text:004042B0o
		unicode	0, <AI>,0
		align 4
aAr:					; DATA XREF: .text:00404270o
					; .text:004042A0o
		unicode	0, <AR>,0
		align 4
aP:					; DATA XREF: .text:_ControlLookupo
					; .text:00404290o
		unicode	0, <P>,0
aSecurity:
		unicode	0, <Security>,0
		align 8
aKernelobjectsP:			; DATA XREF: .text:004011CCo
		unicode	0, <\KernelObjects\PhysicalMemoryChange>,0
aKernelobject_0:			; DATA XREF: .text:004011C4o
		unicode	0, <\KernelObjects\MemoryErrors>,0
aKernelobjectsM:			; DATA XREF: .text:004011BCo
		unicode	0, <\KernelObjects\MaximumCommitCondition>,0
		align 8
aKernelobject_1:			; DATA XREF: .text:004011B4o
		unicode	0, <\KernelObjects\HighCommitCondition>,0
		align 10h
aKernelobject_2:			; DATA XREF: .text:004011ACo
		unicode	0, <\KernelObjects\LowCommitCondition>,0
		align 8
aKernelobject_7:			; DATA XREF: .text:004011A4o
		unicode	0, <\KernelObjects\HighMemoryCondition>,0
		align 10h
aKernelobjectsL:			; DATA XREF: .text:0040119Co
		unicode	0, <\KernelObjects\LowMemoryCondition>,0
		align 8
aKernelobject_3:			; DATA XREF: .text:00401194o
		unicode	0, <\KernelObjects\HighNonPagedPoolCondition>,0
		align 10h
aKernelobject_4:			; DATA XREF: .text:0040118Co
		unicode	0, <\KernelObjects\LowNonPagedPoolCondition>,0
aKernelobjectsH:			; DATA XREF: .text:00401184o
		unicode	0, <\KernelObjects\HighPagedPoolCondition>,0
		align 10h
aKernelobject_5:			; DATA XREF: .text:off_40117Co
		unicode	0, <\KernelObjects\LowPagedPoolCondition>,0
		align 10h
aSystemrootSy_0:			; DATA XREF: .text:00401540o
		unicode	0, <\SystemRoot\System32\Config\TxR\>,0
		align 4
dword_40FDC4	dd 0			; DATA XREF: .text:off_401738o
					; .text:00402890o ...
; 

_DEVPKEY_Device_Class:			; DATA XREF: .text:004015E8o
					; PiAuditDeviceOperation(x,x,x)+3A6o ...
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr aArchitecture+6
; 
		db 3 dup(0)
aArchitecture:				; CODE XREF: .text:0040FDD7j
					; DATA XREF: .text:004017F8o ...
		unicode	0, <Architecture>,0
		align 4
a??Log:					; DATA XREF: .data:006B1EECo
		unicode	0, <\??\LOG:>,0
		align 4
aHardware:				; DATA XREF: .data:_CmpMachineHiveListo
					; .data:_CmpBootLoadControlo
		unicode	0, <HARDWARE>,0
		align 10h
aMachine_1:				; DATA XREF: .data:off_6B162Co
					; .data:006B16A4o ...
		unicode	0, <MACHINE\>,0
		align 4
aSecurity_1:				; DATA XREF: .data:006B16A0o
					; .data:006B19FCo
		unicode	0, <SECURITY>,0
		align 4
aSoftware:				; DATA XREF: .data:006B1718o
					; .data:006B1A10o
		unicode	0, <SOFTWARE>,0
		align 4
aSystem:				; DATA XREF: .text:_PiDrvDbNodeDescriptorso
					; .data:006B1790o ...
		unicode	0, <SYSTEM>,0
		align 4
aDefault:				; DATA XREF: .data:006B1808o
		unicode	0, <DEFAULT>,0
aUser:					; DATA XREF: .data:006B180Co
		unicode	0, <USER\>,0
a_default:				; DATA XREF: .data:006B1810o
					; .data:006B1A38o
		unicode	0, <.DEFAULT>,0
		align 4
aSam:					; DATA XREF: .data:006B1880o
					; .data:006B1A60o
		unicode	0, <SAM>,0
aOsdata:				; DATA XREF: .data:006B18F8o
					; .data:006B1A74o
		unicode	0, <OSDATA>,0
		align 4
a_regtransMs:				; DATA XREF: .data:off_6B30D4o
		unicode	0, <.regtrans-ms>,0
		align 10h

_Microsoft_Windows_Kernel_PnPLevels:	; DATA XREF: .data:006B23F4o
		add	al, 4
		add	al, 4
		add	al, 4
		add	eax, [esp+eax]
		add	al, 4
		add	al, 2
		add	al, 4
		add	al, 4
		add	al, 4
		add	al, 2
		add	eax, [esp+eax]
		add	al, 4
		add	al, 4
		add	al, 3
		add	al, 0

_Microsoft_Windows_Kernel_PnPKeywords:	; DATA XREF: .data:006B23F0o
		and	[eax], al
; 
		dw 0
		dd 20000000h, 20h, 0
		dd 1020h, 4000000h, 2020h, 4000000h, 4020h, 4000000h, 8020h
		dd 10000000h, 0
		dd 80000000h, 10020h, 10000000h, 40000h, 10000000h, 20020h
		dd 4000000h, 0
		dd 80000h, 0
		dd 80000000h, 0
		dd 80000000h, 80000h, 8000000h,	20h, 4000000h, 100000h
		dd 8000000h, 100000h, 10000h, 3	dup(0)
		dd 20000000h, 0
		dd 40000000h, 0
		db 0
byte_40FF95	db 2 dup(0), 40h	; CODE XREF: .text:0040FFF1j
		dd 0
		dd 40000000h, 1200000h,	0
		db 0
; 

loc_40FFA9:				; CODE XREF: .text:00410005j
		add	[eax], ah
; 
		db 0
		dd 2 dup(0)
		dd 4000000h, 1400000h
		db 0
byte_40FFBD	db 3 dup(0)		; CODE XREF: .text:00410019j
		db 0
; 

loc_40FFC1:				; CODE XREF: .text:0040FFF3j
		add	[eax+0], al
; 
		dd 0
		dd 800000h, 10000000h
		db 0
; 

loc_40FFD1:				; CODE XREF: .text:0041002Dj
					; .text:00410007j
		add	[eax+0], al
; 
		db 0
		dd 0
		dd 2000000h, 0
		db 0
byte_40FFE5	db 2 dup(0), 2		; CODE XREF: .text:00410041j
; 

; void DEVPKEY_DriverDatabase_Extended
_DEVPKEY_DriverDatabase_Extended:	; CODE XREF: .text:0041001Bj
					; DATA XREF: .data:006B2ADCo ...
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr byte_40FF95
		jz	short loc_40FFC1
		inc	edi

loc_40FFF6:				; CODE XREF: .text:00410055j
		fstp	tbyte ptr [edx+17h]

; void DEVPKEY_DriverDatabase_LoadStatus
_DEVPKEY_DriverDatabase_LoadStatus:	; CODE XREF: .text:0041002Fj
					; DATA XREF: .data:006B2AD8o ...
		add	bl, ch

loc_40FFFE:				; DATA XREF: .text:0041D81Bo
					; .text:0042270Co ...
		arpl	[ecx+4F7A142Ch], ax

loc_410004:				; DATA XREF: .text:0042562Co
		xchg	eax, esp
		loope	loc_40FFA9
		jz	short near ptr loc_40FFD1+4
		inc	edi
		fstp	tbyte ptr [edx+0Fh]

; void DEVPKEY_DriverDatabase_AccessMask
_DEVPKEY_DriverDatabase_AccessMask:	; CODE XREF: .text:loc_410043j
					; DATA XREF: .data:006B2AD4o ...
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr byte_40FFBD
		jz	short near ptr _DEVPKEY_DriverDatabase_Extended+1
		inc	edi
		fstp	tbyte ptr [edx+0Bh]

; void DEVPKEY_DriverDatabase_Loaded
_DEVPKEY_DriverDatabase_Loaded:		; CODE XREF: .text:00410057j
					; DATA XREF: .data:006B2AC8o ...
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	loc_40FFD1
		jz	short near ptr _DEVPKEY_DriverDatabase_LoadStatus+1
		inc	edi

loc_410032:				; CODE XREF: .text:_DEVPKEY_Device_DependencyDependentsj
		fstp	tbyte ptr [edx+5]

; void DEVPKEY_DriverDatabase_Selected
_DEVPKEY_DriverDatabase_Selected:	; DATA XREF: .data:006B2ACCo
					; DrvDbGetDriverDatabaseMappedProperty+8A87Do ...
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr byte_40FFE5

loc_410043:				; DATA XREF: .data:off_6B3FFAo
		jz	short near ptr _DEVPKEY_DriverDatabase_AccessMask+1
		inc	edi

loc_410046:				; CODE XREF: .text:_DEVPKEY_Device_Stackj
		fstp	tbyte ptr [edx+6]

; void DEVPKEY_DriverDatabase_Disabled
_DEVPKEY_DriverDatabase_Disabled:	; DATA XREF: .data:006B2AD0o
					; DrvDbGetDriverDatabaseMappedProperty+8A8CCo ...
		add	bl, ch

loc_41004E:				; DATA XREF: PAGE:??_C@_17BPAADKPP@?$AAR?$AAA?$AAW@NNGAKEGL@o
					; .text:005A4968o
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_40FFF6+3
		jz	short near ptr _DEVPKEY_DriverDatabase_Loaded+1
		inc	edi
		fstp	tbyte ptr [edx+7]

_DEVPKEY_Device_InstallFlags:		; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+92Ao
					; PiDevCfgConfigureDevice(x,x,x,x,x)+17CEo ...
		add	[ecx+49h], dh
		xor	byte ptr [ebx-74h], 0B9h
		dec	eax
		stosb
		fxch	st(6)
		cmp	[esi+19h], bh
		lds	ebp, [esi+4]
; 
		db 3 dup(0)
; 

; void DEVPKEY_DeviceInterface_ReferenceString
_DEVPKEY_DeviceInterface_ReferenceString:
					; DATA XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+11ABE2o
		outsb
		push	ecx
		outsb
		add	dl, [eax+edi*4]
		dec	ebx
		inc	ecx
		or	ebp, 0FFFFFF85h
		insd
		outsd
		out	dx, eax
		dec	eax

loc_410083:				; DATA XREF: .text:00404808o
					; _CmGetDeviceMappedPropertyFromComposite+11A017o ...
		and	al, ds:7E000000h
		xchg	eax, esp
		or	edx, [eax+eax*2-75h]
		mov	esp, 6AA2A845h
		or	ecx, [ecx+14A2BD4Ch]
; 
		db 3 dup(0)
; 

; void DEVPKEY_Device_DependencyDependents
_DEVPKEY_Device_DependencyDependents:	; DATA XREF: .text:0040480Co
					; _CmGetDeviceMappedPropertyFromComposite+11A06Bo ...
		jle	short loc_410032
		or	edx, [eax+eax*2-75h]
		mov	esp, 6AA2A845h
		or	ecx, [ecx+15A2BD4Ch]
; 
		db 3 dup(0)
; 

; void DEVPKEY_Device_Stack
_DEVPKEY_Device_Stack:			; DATA XREF: .text:00404804o
					; _CmGetDeviceMappedPropertyFromComposite+119FA6o ...
		jle	short loc_410046
		or	edx, [eax+eax*2-75h]
		mov	esp, 6AA2A845h
		or	ecx, [ecx+0EA2BD4Ch]
; 
		db 3 dup(0)
; 

; void DEVPKEY_Device_TransportRelations
_DEVPKEY_Device_TransportRelations:	; DATA XREF: .text:004047FCo
					; _CmGetDeviceMappedPropertyFromComposite:loc_912FC7o ...
		lds	esp, [esi-6C05BCC0h]
		push	es
		inc	edi
		xchg	eax, edi
		sub	al, 7Bh
		or	byte ptr fs:[eax], 0A5h
		cmpsd
		or	eax, [eax]
; 
		dw 0
; 

; void DEVPKEY_Device_ProblemStatus
_DEVPKEY_Device_ProblemStatus:		; DATA XREF: .text:004047DCo
					; _CmGetDeviceMappedPropertyFromComposite+119CEDo ...
		lds	esp, [esi-6C05BCC0h]
		push	es
		inc	edi
		xchg	eax, edi
		sub	al, 7Bh
		or	byte ptr fs:[eax], 0A5h
		cmpsd
		or	al, 0
; 
		dw 0
; 

; void DEVPKEY_Device_BusRelations
_DEVPKEY_Device_BusRelations:		; DATA XREF: .text:004047F8o
					; _CmGetDeviceMappedPropertyFromComposite:loc_912FADo ...
		lds	esp, [esi-6C05BCC0h]
		push	es
		inc	edi
		xchg	eax, edi
		sub	al, 7Bh
		or	byte ptr fs:[eax], 0A5h
		cmpsd
		pop	es
; 
		db 3 dup(0)
; 

; void DEVPKEY_Device_Children
_DEVPKEY_Device_Children:		; DATA XREF: .text:004047E4o
					; _CmGetDeviceMappedPropertyFromComposite:loc_91309Bo ...
		lds	esp, [esi-6C05BCC0h]
		push	es
		inc	edi
		xchg	eax, edi
		sub	al, 7Bh
		or	byte ptr fs:[eax], 0A5h
		cmpsd
		or	[eax], eax
; 
		dw 0
; 

; void DEVPKEY_Device_Siblings
_DEVPKEY_Device_Siblings:		; DATA XREF: .text:004047E8o
					; _CmGetDeviceMappedPropertyFromComposite+119C8Bo ...
		lds	esp, [esi-6C05BCC0h]
		push	es
		inc	edi
		xchg	eax, edi
		sub	al, 7Bh
		or	byte ptr fs:[eax], 0A5h
		cmpsd
		or	al, [eax]
; 
		dw 0
; 

_DEVPKEY_Device_RemovalPolicyOverride:	; DATA XREF: PAGE:00A42C08o
					; PAGEDATA:00A93418o
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr loc_41015B+1
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_InstallState:		; DATA XREF: .text:004047D0o
					; PAGE:00A42C18o
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr loc_41016F+2
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_UINumberDescFormat:	; DATA XREF: PAGE:00A42BC8o
					; PAGEDATA:00A93414o
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h

loc_41015B:				; CODE XREF: .text:00410137j
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	loc_410180
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_PowerData:		; DATA XREF: .text:004047C4o
					; PAGE:00A42BD8o
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h

loc_41016F:				; CODE XREF: .text:0041014Bj
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr loc_410194+1
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_RemovalPolicy:		; DATA XREF: .text:004047C8o
					; PAGE:00A42BE8o
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi

loc_410180:				; CODE XREF: .text:0041015Fj
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr loc_4101A8+2
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_RemovalPolicyDefault:	; DATA XREF: .text:004047CCo
					; PAGE:00A42BF8o
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi

loc_410194:				; CODE XREF: .text:00410173j
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	loc_4101BF
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_DevType:		; DATA XREF: PAGE:00A42B88o
					; PAGEDATA:00A93408o
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi

loc_4101A8:				; CODE XREF: .text:00410187j
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr loc_4101C9+3
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_Exclusive:		; DATA XREF: PAGE:00A42B98o
					; PAGEDATA:00A9340Co
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h

loc_4101BF:				; CODE XREF: .text:0041019Bj
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr loc_4101DD+4
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_Characteristics:	; DATA XREF: PAGE:00A42BA8o
					; PAGEDATA:00A93410o
		dec	esi

loc_4101C9:				; CODE XREF: .text:004101AFj
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	loc_4101F6
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_Address:		; DATA XREF: .text:00404770o
					; .text:004047C0o ...
		dec	esi

loc_4101DD:				; CODE XREF: .text:004101C3j
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	loc_41020B
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_BusNumber:		; DATA XREF: .text:004047BCo
					; PAGE:00A42B48o
		dec	esi
		and	eax, 0DF1CA45Ch

loc_4101F6:				; CODE XREF: .text:004101D7j
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	_DEVPKEY_Device_Security
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_EnumeratorName:		; DATA XREF: PopFxIsDevicePotentialDripsConstraint(x)+BAo
					; PAGE:00A42B58o
		dec	esi
		and	eax, 0DF1CA45Ch
		std

loc_41020B:				; CODE XREF: .text:004101EBj
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	loc_41022D
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_Security:		; CODE XREF: .text:004101FFj
					; DATA XREF: PAGE:00A42B68o
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr loc_410241+1
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_SecuritySDS:		; DATA XREF: PAGE:00A42B78o
					; PAGEDATA:00A93404o
		dec	esi

loc_41022D:				; CODE XREF: .text:00410213j
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr loc_410255+2
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_BusTypeGuid:		; DATA XREF: .text:004047B4o
					; PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+90o ...
		dec	esi

loc_410241:				; CODE XREF: .text:00410227j
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr word_410266
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_LegacyBusType:		; DATA XREF: .text:004047B8o
					; PAGE:00A42B38o
		dec	esi

loc_410255:				; CODE XREF: .text:0041023Bj
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr byte_41027B
; 
		db 0
word_410266	dw 0			; CODE XREF: .text:0041024Fj
; 

_DEVPKEY_Device_LocationInfo:		; DATA XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+3D8o
					; PiAuditDeviceOperation(x,x,x)+2BBo ...
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr loc_410287+1
; 
		db 2 dup(0)
byte_41027B	db 0			; CODE XREF: .text:00410263j
; 

_DEVPKEY_Device_PDOName:		; DATA XREF: .text:004047B0o
					; PAGE:00A42AD8o
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h

loc_410287:				; CODE XREF: .text:00410277j
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr loc_41029B+2
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_UINumber:		; DATA XREF: .text:0040476Co
					; PAGE:00A42AF8o ...
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h

loc_41029B:				; CODE XREF: .text:0041028Bj
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	loc_4102B3
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_Driver:			; DATA XREF: PAGE:00A42A88o
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax

loc_4102B3:				; CODE XREF: .text:0041029Fj
		loopne	loc_4102C0
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_Manufacturer:		; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+11A9o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1229o ...
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi

loc_4102C0:				; CODE XREF: .text:loc_4102B3j
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	near ptr loc_4102D4+2
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_Service:		; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+DDBo
					; PiDevCfgConfigureDevice(x,x,x,x,x)+E93o ...
		dec	esi
		and	eax, 0DF1CA45Ch
		std
		dec	esi

loc_4102D4:				; CODE XREF: .text:004102C7j
		and	byte ptr [eax],	67h
		rol	dword ptr [esi-58h], 1
		push	eax
		loopne	loc_4102E3
; 
		db 3 dup(0)
_KiTimer2Combinations db 8		; DATA XREF: KiInitializeTimer2(x,x,x,x):loc_4D71AEr
					; KiUpdateTimer2Collections(x):loc_5742E7r
byte_4102E1	db 20h			; DATA XREF: KiInitializeTimer2(x,x,x,x)+4Ar
					; KiUpdateTimer2Collections(x):loc_5742F9r
byte_4102E2	db 23h			; DATA XREF: KiInitializeTimer2(x,x,x,x)+53r
					; KiUpdateTimer2Collections(x)+26r
; 

loc_4102E3:				; CODE XREF: .text:004102DBj
		add	ds:2151003h, dl
		add	al, 1
		and	eax, [edx]
		and	[esi+eax], ah
; 
dword_4102F0	dd 2401h		; DATA XREF: MiPfnRangeIsZero+202r
					; MiUpdateLargePageBitMap:loc_5D3971r ...
_MiLargePageSizes dd 200h		; DATA XREF: MiFreeMdlPageRun(x,x,x):loc_44AC27r
					; MiGetPageChain(x,x,x,x,x,x,x)+272r ...
dword_4102F8	dd 10h			; DATA XREF: MiInsertLargePageChain(x,x,x,x,x):loc_4EC5AAr
					; MiGetBaseResidentPage(x)+25o	...
; 

_GUID_PROCESSOR_RESPONSIVENESS_ENABLE_TIME: ; DATA XREF: ALMOSTRO:00705C3Co
		mov	[ecx-6Fh], dl
		cmp	eax, 49AE7830h
		cmpsd
		call	far ptr	0A2h:0E5A1B00Fh

_GUID_PROCESSOR_RESPONSIVENESS_DISABLE_TIME: ; DATA XREF: ALMOSTRO:00705C20o
		lahf
		cdq
		db	65h
		cmc
		mov	al, 3Fh
		sbb	al, [ecx-5Eh]
		db	26h
		aas
; 
		db 1
		dd 30C1DE98h
; 

_GUID_PROCESSOR_RESPONSIVENESS_PERF_FLOOR: ; DATA XREF:	ALMOSTRO:00705C74o
		out	dx, al
		xchg	eax, edx
; 
		dw 0CE8Eh
; 
		xchg	ch, [edx+72h]
		inc	ebp
		mov	edi, 1DC220E0h
		add	ecx, ebp
		inc	eax

;  S U B	R O U T	I N E 


_GUID_PROCESSOR_RESPONSIVENESS_EPP_CEILING proc	near ; DATA XREF: ALMOSTRO:00705C58o
		cmp	eax, edi
		daa
		inc	esp
		push	esi
		xchg	eax, edi
		pop	esp
		dec	edx
		mov	eax, 0A7BDC74Bh
		pushf
		jnb	short near ptr loc_410358+4

_GUID_PROCESSOR_SHORT_THREAD_SCHEDULING_POLICY:	; DATA XREF: ALMOSTRO:00705BCCo
		or	dword ptr [ebx+2D5EBAE0h], 6AAD4688h
		adc	esp, [ebx+esi]
		push	esi
		db	65h
		dec	ebx
_GUID_PROCESSOR_RESPONSIVENESS_EPP_CEILING endp


;  S U B	R O U T	I N E 


_GUID_PROCESSOR_THREAD_SCHEDULING_POLICY proc near ; DATA XREF:	ALMOSTRO:00705BB0o
		fdiv	qword ptr [esi+69893B8h]
		sbb	al, 4Dh
		sahf
		in	al, 6		; DMA controller, 8237A-5.
					; channel 3 current address
		inc	esp

loc_410358:				; CODE XREF: _GUID_PROCESSOR_RESPONSIVENESS_EPP_CEILING+Ej
					; DATA XREF: ALMOSTRO:00705B94o
		jmp	near ptr 659ECB5Dh
_GUID_PROCESSOR_THREAD_SCHEDULING_POLICY endp

; 
		align 2
		lodsb

loc_41035F:				; CODE XREF: .text:00410399j
		pop	ds
		xor	[ecx+389F4BC5h], ch
		push	eax
		dec	esi
; 
		dd 0C0BB97C0h

;  S U B	R O U T	I N E 


_GUID_PROCESSOR_CLASS0_FLOOR_PERF proc near ; DATA XREF: ALMOSTRO:00705B78o

var_237C9B04	= dword	ptr -237C9B04h

		sub	eax, [esp+ebx*8+var_237C9B04+1]
		dec	esi
		xchg	eax, esp
		iret
_GUID_PROCESSOR_CLASS0_FLOOR_PERF endp

; 
		sar	dword ptr [edi+60h], 0DEh
		sbb	al, 80h

_GUID_PROCESSOR_RESPONSIVENESS_ENABLE_THRESHOLD: ; DATA	XREF: ALMOSTRO:00705C04o
		push	esi
		loop	near ptr loc_4103BE+5
		cmp	eax, 44157222h
		test	eax, 0FA459CEDh

loc_410389:				; DATA XREF: ALMOSTRO:00705BE8o
		cmp	eax, 383D30D8h
		mov	eax, 79CCE038h
		dec	esp
		sahf
		db	3Eh
		push	esi
		movsb
		icebp
		jl	short loc_41035F

loc_41039B:				; DATA XREF: ALMOSTRO:007059D4o
					; ALMOSTRO:00705EB4o
		xor	byte ptr [eax],	73h
		add	al, ah
		mov	ebp, esi
		in	eax, dx
		inc	edx
		movsb
		add	[ebp-25h], ebx
		adc	bh, ah
		test	edx, ebx

_GUID_PROCESSOR_LATENCY_HINT_MIN_UNPARK: ; DATA	XREF: ALMOSTRO:007058BCo
		movsd
		fisubr	dword ptr [ecx+5Eh]
		imul	eax, [ebp+45h],	0DC97AD97h
; 
		dd 88DD1B2Dh

;  S U B	R O U T	I N E 


_GUID_PROCESSOR_HETERO_INCREASE_THRESHOLD proc far ; DATA XREF:	ALMOSTRO:00705B5Co
		jge	short loc_4103F7

loc_4103BE:				; CODE XREF: .text:0041037Dj
		add	[eax+483D9B0Bh], dh
		cwde
		leave
		imul	ebp, [edx], 0BFCF6060h

_GUID_PROCESSOR_HETERO_DECREASE_THRESHOLD: ; DATA XREF:	ALMOSTRO:00705B40o
		daa
		sbb	al, 86h
		clc
		out	95h, eax
		pop	esp
		inc	edi
		xchg	bl, [ebx+13h]
		ror	bl, 3Fh
		popf

loc_4103DB:				; DATA XREF: ALMOSTRO:00705B24o
		imul	esp, [edi+2D4009EFh], -19h

loc_4103E2:				; CODE XREF: .text:00410428j
					; DATA XREF: .text:0040D14Ao
		mov	edx, 91DF9E4Ch
		or	[esi-58h], cl
		retf
; 
		retn
; 

_GUID_PROCESSOR_HETERO_DECREASE_TIME:	; DATA XREF: ALMOSTRO:00705B08o
		mov	dh, 92h
		and	al, 7Fh
		mov	cl, 60h
		in	eax, 45h
		scasb
		push	ebp
; 
		db 77h
; 

loc_4103F7:				; CODE XREF: _GUID_PROCESSOR_HETERO_INCREASE_THRESHOLDj
		aas
		mov	ebp, ss

locret_4103FA:				; DATA XREF: ALMOSTRO:00705884o
		retf	0A7ECh
_GUID_PROCESSOR_HETERO_INCREASE_THRESHOLD endp ; sp =  8

; 
		db 0BAh, 24h, 7Dh
		dd 480F0B84h
; 

loc_410404:				; CODE XREF: .text:_GUID_PROCESSOR_PARKING_HEADROOM_THRESHOLDj
		test	[ebx+ebx], cl
		pop	es
		inc	ebx
		ror	byte ptr [edi],	5Fh

_GUID_PROCESSOR_PERF_LATENCY_HINT_PERF:	; DATA XREF: ALMOSTRO:007058A0o
					; ALMOSTRO:00705E94o
		add	eax, 3B619B75h
		add	[edx+4DA6B74Eh], al
; 
		db 0D2h
		dd 7109309Ch
; 

_GUID_PROCESSOR_PARKING_PERF_STATE:	; CODE XREF: .text:00410485j
					; DATA XREF: ALMOSTRO:00705868o
		mov	dword ptr ds:6A8D4472h,	248E4CC0h
		sahf
		scasd
		jo	short near ptr loc_4103E2+1
		outsb
; 
		db 2Bh

;  S U B	R O U T	I N E 


_GUID_PROCESSOR_CORE_PARKING_OVER_UTILIZATION_THRESHOLD	proc near
					; DATA XREF: ALMOSTRO:007059B8o
		mov	dh, 8Ch
		cmp	al, 94h
		xchg	eax, ebx
		outsd
		daa
		inc	edx
		lodsd
		xchg	ebp, ecx
		mov	ds:0D108ECFEh, eax

_GUID_PROCESSOR_SOFT_PARKING_LATENCY:	; DATA XREF: ALMOSTRO:00705A44o
		inc	ecx
		lodsb
		iret
_GUID_PROCESSOR_CORE_PARKING_OVER_UTILIZATION_THRESHOLD	endp

; 
		xchg	eax, edi
		pop	ss
		and	ch, bl
		inc	edi
		cdq
		sub	eax, 77198B61h
		leave
		pop	es
; [00000005 BYTES: COLLAPSED FUNCTION _GUID_PROCESSOR_PARKING_DISTRIBUTION_THRESHOLD. PRESS KEYPAD "+" TO EXPAND]
		db 0D1h, 0D7h, 46h
		dd 8062F0A5h, 0EF161612h
; 

_GUID_PROCESSOR_PARKING_HEADROOM_THRESHOLD: ; DATA XREF: ALMOSTRO:00705A0Co
					; ALMOSTRO:00705EACo
		jnb	short loc_410404

loc_41045E:				; CODE XREF: .text:004104A1j
		xor	eax, 802066F7h
		dec	edi
		mov	al, ds:0CEEDDC5h
		icebp

loc_41046A:				; DATA XREF: ALMOSTRO:007059F0o
					; ALMOSTRO:00705EA4o
		mov	edi, 30AB6F5Dh
		and	al, 20h
		movsd
		mov	ds:0F7019644h, al
		repne cmp edx, [ecx+34h]

loc_41047B:				; DATA XREF: ALMOSTRO:00705980o
					; ALMOSTRO:00705E6Co
		mov	cl, 17h
		or	eax, 0D5EBDFD1h
		fld	qword ptr [ebp-79h]
		jp	short near ptr _GUID_PROCESSOR_PARKING_PERF_STATE+5
		xor	al, 0DDh

loc_410489:				; DATA XREF: ALMOSTRO:0070599Co
					; ALMOSTRO:00705E74o
		rcr	dword ptr [edx+eax*4-7Ch], 1
		pop	edx
; 
		dw 2DDDh
		dd 437E5A71h, 0BDB2A91h, 3287788Ch
; 

_GUID_PROCESSOR_PERF_ENERGY_PERFORMANCE_PREFERENCE: ; DATA XREF: ALMOSTRO:007057F8o
		sahf
		jg	short loc_410507
		movs	dword ptr es:[edi], dword ptr ss:[esi]
		jecxz	short near ptr loc_41045E+4
		dec	ebp
		mov	cl, 0DCh
		adc	eax, 681C38EBh
; 
		db 63h
; 

_GUID_PROCESSOR_PERF_AUTONOMOUS_MODE:	; DATA XREF: ALMOSTRO:00705830o
		mov	cl, [edx-56h]
		mov	eax, esi
		adc	al, 51h
		inc	esp
; 
		dd 0BD148B8Eh, 377519BDh
; 

_GUID_PROCESSOR_IDLE_ALLOW_SCALING:	; DATA XREF: ALMOSTRO:00705A60o
		mov	al, 93h
		sub	[eax+ecx*2-71h], ebp
		pop	ds
		dec	eax

loc_4104C4:				; CODE XREF: .text:00410545j
		mov	esp, 27DD00C6h
		inc	edx
		stosb
		push	es

_GUID_PROCESSOR_DUTY_CYCLING:		; DATA XREF: ALMOSTRO:007058D8o
		mov	bl, 50h
		inc	esp
		dec	esi
		jns	short loc_410533
		xchg	eax, ecx
		dec	esi
		mov	eax, 93B95BF1h

loc_4104D9:				; DATA XREF: ALMOSTRO:00705814o
		pop	dword ptr [ecx-125C2F5Fh]
		iret
; 
		dd 45667697h, 8A922A9h,	0FA9DD46Ch
_GUID_PROCESSOR_FREQUENCY_LIMIT	dd 75B0AE3Fh, 45A7BCE0h, 61C9898Ch
					; DATA XREF: ALMOSTRO:007058F4o
dword_4104F8	dd 0E1251Ch		; CODE XREF: .text:00410548j
; 

_GUID_PROCESSOR_ALLOW_THROTTLING:	; DATA XREF: ALMOSTRO:0070584Co
					; ALMOSTRO:00705E8Co
		std
		aam	4
		cmp	eax, edi
		sbb	al, 23h
		dec	edi
		stosd
		sbb	al, 0D1h

loc_410507:				; CODE XREF: .text:0041049Dj
		xor	edi, [eax+19h]

loc_41050A:				; CODE XREF: .text:00410539j
					; DATA XREF: ALMOSTRO:00705964o ...
		les	edi, [ebx-15F9DFCFh]
		xor	al, 0Eh
		icebp
		dec	edi
		wait
		insd
		jmp	short loc_410528
; 
		pop	ecx
		xor	eax, [eax+28h]

_GUID_PROCESSOR_IDLE_PROMOTE_THRESHOLD:	; DATA XREF: ALMOSTRO:00705AD0o
					; INIT:00AF67A8o
		or	dword ptr [eax+22h], 7Bh
		int	3		; Trap to Debugger
		mov	bl, 79h
		dec	ebp
; 
		dd 74839F81h
; 

loc_410528:				; CODE XREF: .text:00410516j
					; DATA XREF: ALMOSTRO:0070592Co ...
		adc	eax, 797CBE2Ch
		push	es
		mov	esi, 692817C7h

loc_410533:				; CODE XREF: .text:004104D0j
		dec	ebp
		popf
		add	dl, [ecx-66h]
		push	ebx
		jle	short near ptr loc_41050A+1

loc_41053B:				; DATA XREF: ALMOSTRO:00705AB4o
					; INIT:00AF67B0o
		mov	byte ptr [eax-29h], 92h
		dec	ebx
		and	al, 5Ah
		push	ecx
		dec	eax
		movsb
		jo	short near ptr loc_4104C4+4
		pop	ebp
		js	short near ptr dword_4104F8
		loope	near ptr loc_410561+4

_GUID_PROCESSOR_PERF_DECREASE_THRESHOLD: ; DATA	XREF: ALMOSTRO:00705734o
					; ALMOSTRO:00705E4Co ...
		inc	esp
		stosd

loc_41054E:				; CODE XREF: .text:004105C1j
		mov	al, ds:0A9FE2812h
		dec	edi
		mov	bl, 0BDh
		dec	ebx
		db	64h
		hlt
		dec	ecx
		pusha
		cmpsb

_GUID_PROCESSOR_PERF_INCREASE_TIME:	; DATA XREF: ALMOSTRO:00705718o
					; ALMOSTRO:00705E84o ...
		xchg	eax, edx
		hlt
		dec	esp
		cwde

loc_410560:				; CODE XREF: .text:00410569j
		in	eax, dx

loc_410561:				; CODE XREF: .text:0041054Aj
		cmp	ecx, [eax+42F9A844h]
		xchg	cl, cl
		jnp	short loc_410560
		stosb

_GUID_PROCESSOR_CORE_PARKING_MIN_CORES:	; DATA XREF: ALMOSTRO:00705948o
					; ALMOSTRO:00705E64o ...
		inc	edi
		mov	dh, 0C5h
		or	al, 0DFh
		sal	dword ptr [edi], 46h
		mov	[edx], ebx
		faddp	st(3), st
		pop	esp

loc_410579:				; DATA XREF: ALMOSTRO:007056FCo
					; ALMOSTRO:00705E7Co ...
		xor	[ebp-1214647Dh], eax

loc_41057F:				; CODE XREF: .text:004105B9j
		fmul	st, st(7)
		xchg	eax, ebp
		xchg	eax, ebp
		dec	edi
		cmpsd
		cmp	al, 0B0h
		popa
		xchg	eax, edi
		db	36h
		xchg	eax, ebx

loc_41058B:				; DATA XREF: ALMOSTRO:00705AECo
					; INIT:00AF67B8o
		enter	0FFFFE905h, 43h
		cdq

loc_410590:				; CODE XREF: .text:00410599j
		xor	[edx-6664B13Fh], bl
		inc	esp
		fnstsw	word ptr [ebx]
		jbe	short near ptr loc_410590+2

loc_41059B:				; DATA XREF: ALMOSTRO:007057DCo
					; INIT:00AF6790o
		mov	ds:0BE337238h, al
		or	byte ptr ds:60A94146h, 4Fh
		aaa
		dec	ecx
		aam	70h

loc_4105AB:				; DATA XREF: ALMOSTRO:007056E0o
					; ALMOSTRO:00705EBCo ...
		mov	dword ptr [eax+1Fh], 0B610465Eh
		cmp	al, [edi-55h]
		pop	eax
		add	cl, dl
		pop	es
		jge	short loc_41057F
; 
		db 18h
; 

_GUID_PROCESSOR_PERF_TIME_CHECK:	; DATA XREF: ALMOSTRO:007057A4o
					; ALMOSTRO:00705E9Co ...
		push	edx
		add	[ebx], ebp
		dec	ebp
		pop	esp
		jge	short loc_41054E
		dec	ecx
		mov	dl, ah
		xor	al, 34h
		push	ebx
		xchg	eax, edx

loc_4105CA:				; DATA XREF: ALMOSTRO:00705910o
					; INIT:00AF6758o
		mov	ds:21B41C5h, al
		jno	short loc_41061A
		mov	dword ptr [ecx], 0A074BE4Dh
		rdpmc
		pop	ebp
		pop	eax

loc_4105DB:				; DATA XREF: ALMOSTRO:00705A7Co
		sub	ecx, edx
		mov	ds:0E8C05D76h, al
		das
		inc	eax
		mov	eax, ds:49582133h

loc_4105E9:				; DATA XREF: ALMOSTRO:00705A98o
					; INIT:00AF67A0o
		sub	eax, 1C31AD58h
		pop	eax
		les	ebp, [ebx-71BA6877h]
		sub	ebx, [esp+ebx*4+6B0E44ABh]

_GUID_PROCESSOR_PERF_DECREASE_POLICY:	; DATA XREF: ALMOSTRO:off_7056C4o
					; INIT:00AF6748o
		mov	edi, 2E9D40FBh
		and	eax, 0C85A14Dh
		std
		test	[edx+edi*4-3Ah], esi

_GUID_PROCESSOR_THROTTLE_MINIMUM:	; DATA XREF: ALMOSTRO:0070576Co
					; ALMOSTRO:00705E44o
		mov	gs, si
		cmp	eax, 0E02BEF89h
		inc	ecx
		mov	esi, eax
		mov	ch, 5Dh
		or	[ecx], ebp

loc_41061A:				; CODE XREF: .text:004105CFj
		xchg	eax, esi
		dec	esp

_GUID_PROCESSOR_PERF_BOOST_POLICY:	; DATA XREF: ALMOSTRO:007057C0o
					; INIT:00AF6788o
		inc	esp
		sar	byte ptr [ebp+eax*2+43E2D885h],	86h
		add	eax, 0E9C60EEEh

loc_41062A:				; DATA XREF: ALMOSTRO:00705788o
					; ALMOSTRO:00705E3Co
		imul	ebx, [ecx-9], 38h
		push	eax
		mov	esp, 496023E0h
		xchg	eax, esi
		fidiv	dword ptr [ebx]
		stosd
		scasd
		pop	ecx

loc_41063A:				; DATA XREF: ALMOSTRO:00705750o
					; ALMOSTRO:00705E54o ...
		xor	eax, 0CADF0EECh
		push	es
		in	eax, dx

loc_410641:				; CODE XREF: .text:00410647j
		mov	al, fs:[ecx+ecx*4+27h]
		into
		jnp	short near ptr loc_410641+1
		push	cs
		mov	bl, 5Dh

loc_41064C:				; DATA XREF: ALMOSTRO:00705714o
		push	eax
		db	65h
		jb	short near ptr aPerfincreasepo+2
		dec	ecx
		outsb
		arpl	[edx+65h], si
		popa
		jnb	short near ptr aPerfincreasepo+9
		push	esp
		imul	ebp, [ebp+65h],	0

loc_410660:				; DATA XREF: ALMOSTRO:00705730o
		push	eax
		db	65h
		jb	short near ptr aPerfdecreaseti+2
		inc	esp
		arpl	gs:[edx+65h], si
		popa
		jnb	short near ptr aPerfdecreaseti+9
		push	esp
		push	68736572h
		outsd
		insb
		add	fs:[eax], al

loc_410677:				; DATA XREF: ALMOSTRO:0070574Co
		add	[eax+65h], dl
		jb	short near ptr aEnergyperfpref+6
		dec	ecx
		outsb
		arpl	[edx+65h], si
		popa
		jnb	short near ptr aEnergyperfpref+0Dh
		push	esp
		push	68736572h
		outsd
		insb
		add	fs:[eax], al

loc_41068F:				; DATA XREF: ALMOSTRO:00705768o
		add	[eax+65h], dl
		jb	short near ptr aAutonomousacti+6
		dec	ebp
		imul	ebp, [esi+50h],	63696C6Fh
		jns	short $+2
; 
		dw 0
aPerfdecreasepo	db 'PerfDecreasePolicy',0 ; DATA XREF: ALMOSTRO:_PpmPolicyConfigTableo
		align 4
aPerfincreasepo	db 'PerfIncreasePolicy',0 ; CODE XREF: .text:0041064Dj
					; .text:00410656j
					; DATA XREF: ...
		align 4
aPerfdecreaseti	db 'PerfDecreaseTime',0 ; CODE XREF: .text:00410661j
					; .text:0041066Aj
					; DATA XREF: ...
		align 4
aEnergyperfpref	db 'EnergyPerfPreference',0 ; CODE XREF: .text:0041067Aj
					; .text:00410682j
					; DATA XREF: ...
		align 4
aAutonomousacti	db 'AutonomousActivityWindow',0 ; CODE XREF: .text:00410692j
					; DATA XREF: ALMOSTRO:00705810o
		align 10h
aAutonomouspref	db 'AutonomousPreference',0 ; DATA XREF: ALMOSTRO:0070582Co
		align 4
aThrottlingpoli	db 'ThrottlingPolicy',0 ; DATA XREF: ALMOSTRO:00705848o
		align 4
aPerfmaxpolicy	db 'PerfMaxPolicy',0    ; DATA XREF: ALMOSTRO:00705784o
		align 4
aPerftimecheck	db 'PerfTimeCheck',0    ; DATA XREF: ALMOSTRO:007057A0o
		align 4
aPerfboostpolic	db 'PerfBoostPolicy',0  ; DATA XREF: ALMOSTRO:007057BCo
aPerfboostmode	db 'PerfBoostMode',0    ; DATA XREF: ALMOSTRO:007057D8o
		align 4
aDutycycling	db 'DutyCycling',0      ; DATA XREF: ALMOSTRO:007058D4o
aFrequencycap	db 'FrequencyCap',0     ; DATA XREF: ALMOSTRO:007058F0o
		align 4
aCpdecreasepoli	db 'CPDecreasePolicy',0 ; DATA XREF: ALMOSTRO:0070590Co
		align 4
aCpincreasepoli	db 'CPIncreasePolicy',0 ; DATA XREF: ALMOSTRO:00705928o
		align 10h
aParkingperfsta	db 'ParkingPerfState',0 ; DATA XREF: ALMOSTRO:00705864o
		align 4
aPerfhistorycou	db 'PerfHistoryCount',0 ; DATA XREF: ALMOSTRO:00705880o
		align 4
aLatencyhintper	db 'LatencyHintPerf',0  ; DATA XREF: ALMOSTRO:0070589Co
aLatencyhintunp	db 'LatencyHintUnpark',0 ; DATA XREF: ALMOSTRO:007058B8o
		align 4
aCpoverutilizat	db 'CPOverUtilizationThreshold',0 ; DATA XREF: ALMOSTRO:007059B4o
		align 4
aCpdistributeut	db 'CPDistributeUtility',0 ; DATA XREF: ALMOSTRO:007059D0o
aCpconcurrencyt	db 'CPConcurrencyThreshold',0 ; DATA XREF: ALMOSTRO:007059ECo
		align 4
aCpheadroomthre	db 'CPHeadroomThreshold',0 ; DATA XREF: ALMOSTRO:00705A08o
aCpmincores_1	db 'CPMinCores',0       ; DATA XREF: ALMOSTRO:00705944o
		align 4
aCpmaxcores_1	db 'CPMaxCores',0       ; DATA XREF: ALMOSTRO:00705960o
		align 10h
aCpdecreaseti_1	db 'CPDecreaseTime',0   ; DATA XREF: ALMOSTRO:0070597Co
		align 10h
aCpincreaseti_1	db 'CPIncreaseTime',0   ; DATA XREF: ALMOSTRO:00705998o
		align 10h
aIdletimecheck	db 'IdleTimeCheck',0    ; DATA XREF: ALMOSTRO:00705A94o
		align 10h
aIdledemotethre	db 'IdleDemoteThreshold',0 ; DATA XREF: ALMOSTRO:00705AB0o
aIdlepromotethr	db 'IdlePromoteThreshold',0 ; DATA XREF: ALMOSTRO:00705ACCo
		align 4
aIdlestatemax	db 'IdleStateMax',0     ; DATA XREF: ALMOSTRO:00705AE8o
		align 4
aCpdistributeth	db 'CPDistributeThreshold',0 ; DATA XREF: ALMOSTRO:00705A24o
		align 4
aSoftparklatenc	db 'SoftParkLatency',0  ; DATA XREF: ALMOSTRO:00705A40o
aIdleallowscali	db 'IdleAllowScaling',0 ; DATA XREF: ALMOSTRO:00705A5Co
		align 4
aIdledisable	db 'IdleDisable',0      ; DATA XREF: ALMOSTRO:00705A78o
aClass0floorper	db 'Class0FloorPerformance',0 ; DATA XREF: ALMOSTRO:00705B74o
		align 4
aClass1initialp	db 'Class1InitialPerformance',0 ; DATA XREF: ALMOSTRO:00705B90o
		align 4
aSchedulingpoli	db 'SchedulingPolicy',0 ; DATA XREF: ALMOSTRO:00705BACo
		align 4
aShortschedulin	db 'ShortSchedulingPolicy',0 ; DATA XREF: ALMOSTRO:00705BC8o
		align 4
aHeterodecrease	db 'HeteroDecreaseTime',0 ; DATA XREF: ALMOSTRO:00705B04o
		align 4
aHeteroincrease	db 'HeteroIncreaseTime',0 ; DATA XREF: ALMOSTRO:00705B20o
		align 4
aHeterodecrea_1	db 'HeteroDecreaseThreshold',0 ; DATA XREF: ALMOSTRO:00705B3Co
aHeteroincrea_1	db 'HeteroIncreaseThreshold',0 ; DATA XREF: ALMOSTRO:00705B58o
aResponsiveness	db 'ResponsivenessEppCeiling',0 ; DATA XREF: ALMOSTRO:00705C54o
		align 4
aResponsivene_1	db 'ResponsivenessPerfFloor',0 ; DATA XREF: ALMOSTRO:00705C70o
aResponsivene_3	db 'ResponsivenessDisableThreshold',0 ; DATA XREF: ALMOSTRO:00705BE4o
		align 10h
aResponsivene_2	db 'ResponsivenessEnableThreshold',0 ; DATA XREF: ALMOSTRO:00705C00o
		align 10h
aResponsivene_5	db 'ResponsivenessDisableTime',0 ; DATA XREF: ALMOSTRO:00705C1Co
		align 4
aResponsivene_0	db 'ResponsivenessEnableTime',0 ; DATA XREF: ALMOSTRO:00705C38o
		align 4
aBlackboxScm	db 'blackbox - SCM',0   ; DATA XREF: .data:off_6B2424o
		align 4
aBlackboxBsd	db 'blackbox - BSD',0   ; DATA XREF: .data:006B2464o
		align 4
aBlackboxPnp	db 'blackbox - PNP',0   ; DATA XREF: .data:006B24A4o
		align 4
aBlackboxPepwor	db 'blackbox - PEPWORKORDER',0 ; DATA XREF: .data:006B25E4o
aBlackboxPowerw	db 'blackbox - POWERWATCHDOG',0 ; DATA XREF: .data:006B2624o
		align 4
aBlackboxPnpeve	db 'blackbox - PNPEVENTWORKER',0 ; DATA XREF: .data:006B2664o
		align 4
aBlackboxDevice	db 'blackbox - DEVICECOMPLETIONQUEUE',0 ; DATA XREF: .data:006B26A4o
		align 4
aBlackboxAcpi	db 'blackbox - ACPI',0  ; DATA XREF: .data:006B24E4o
aBlackboxPoirp	db 'blackbox - POIRP',0 ; DATA XREF: .data:006B2524o
		align 10h
aBlackboxWinlog	db 'blackbox - WINLOGON-NOTIFY',0 ; DATA XREF: .data:006B2564o
		align 4
aBlackboxPdcloc	db 'blackbox - PDCLOCK',0 ; DATA XREF: .data:006B25A4o
		align 10h
aBlackboxWhea	db 'blackbox - WHEA',0  ; DATA XREF: .data:006B27E4o
aBlackboxNtfs	db 'blackbox - NTFS',0  ; DATA XREF: .data:006B2824o
aBlackboxWinl_1	db 'blackbox - Winlogon',0 ; DATA XREF: .data:006B2864o
aBlackboxExplor	db 'blackbox - Explorer logon tasks',0 ; DATA XREF: .data:006B28A4o
aBlackboxPnpdel	db 'blackbox - PNPDELAYEDREMOVEWORKER',0 ; DATA XREF: .data:006B26E4o
		align 4
aBlackboxDxgDis	db 'blackbox - DXG-DISPLAY',0 ; DATA XREF: .data:006B2724o
		align 10h
aBlackboxCrashe	db 'blackbox - CrashedProcess',0 ; DATA XREF: .data:006B2764o
		align 4
aBlackboxUsocom	db 'blackbox - UsoCommit',0 ; DATA XREF: .data:006B27A4o
		align 4
aBlackboxExpl_1	db 'blackbox - Explorer core startup',0 ; DATA XREF: .data:006B28E4o
		align 4
aBlackboxUserMo	db 'blackbox - User mode LKD API caller data',0 ; DATA XREF: .data:006B2924o
		align 4
aBlackboxCi	db 'blackbox - CI',0    ; DATA XREF: .data:006B2964o
		align 4

_PopBlackBoxCodeIntegrityGuid:		; DATA XREF: .data:006B2960o
		fsubr	dword ptr [ebx-19h]
		dec	esi
		hlt
		cmp	al, 0A0h
		inc	esp
		mov	al, ds:643739ACh
		db	3Eh
		aaa

loc_410CC3:				; DATA XREF: .data:006B2820o
		mov	ds:dword_AFE9C4, eax

loc_410CC8:				; CODE XREF: .text:_PopBlackBoxExplorerCoreStartupGuidj
		or	eax, 80421394h
		push	ss
		fistp	dword ptr [ecx]	; (emulator call)
		mov	ch, 0BCh
; 
		db 20h

;  S U B	R O U T	I N E 


_PopBlackBoxWheaGuid proc near		; DATA XREF: .data:006B27E0o
		dec	ecx
		jmp	far ptr	457Dh:912A32D3h
_PopBlackBoxWheaGuid endp

; 
		dd 29DDE6B7h
		db 29h
; 

loc_410CE1:				; CODE XREF: .text:00410D57j
		out	dx, eax
		push	ebx
		cld

_PopBlackBoxUsoCommitGuid:		; DATA XREF: .data:006B27A0o
		pop	edx
		enter	6DE4h, 0F3h
		push	edi
		fimul	dword ptr [edx+eax*4-2]
		enter	5A85h, 58h
		clc
; 
		db 0E4h
; 

_PopBlackBoxCrashedProcessGuid:		; DATA XREF: .data:006B2760o
		push	ecx
		setalc
		test	[esi+4367A550h], bh

loc_410CFC:				; CODE XREF: .text:00410D71j
		mov	fs, word ptr [ebx-55h]
		jns	short near ptr loc_410D29+3
		arpl	[edi], bx
		xchg	eax, esp

_PopBlackBoxUserModeLKDReason:		; DATA XREF: .data:006B2920o
		fild	word ptr [ecx-47h]

loc_410D07:				; CODE XREF: .text:00410D6Fj
		shl	dword ptr [ebp-62BB414Fh], 5Ch
; 
		dw 0F1DAh
; 
		mov	sp, 225Eh

_PopBlackBoxExplorerCoreStartupGuid:	; DATA XREF: .data:006B28E0o
		loope	loc_410CC8
		cmpsb
		cmc
		and	edx, [esi]
		adc	cl, [esi-80h]
		cmp	[eax-58h], ecx
		wait

loc_410D21:				; DATA XREF: .data:006B28A0o
		add	byte ptr [eax-659AE806h], 0AAh
		lodsb

loc_410D29:				; CODE XREF: .text:00410CFFj
		mov	ecx, 0D08B4D93h
		db	26h, 66h
		out	36h, al

loc_410D32:				; DATA XREF: .data:006B2860o
		cmp	[eax-7F338631h], esp
		sbb	[edi-6840B50Fh], esp
; 
		dw 29FEh
		dd 0C1EB76FFh
; 

_PopBlackBoxPoPowerWatchdogGuid:	; DATA XREF: .data:006B2620o
		sahf
		test	dword ptr [ebp+55h], 44675326h
		scasb

loc_410D4D:				; DATA XREF: .data:006B25E0o
		imul	eax, [ecx+31E33A63h], 0E85A5555h
		loopne	loc_410CE1
		push	cs
		jnz	short loc_410D9E
		xchg	eax, esi
		aas
		adc	edi, [edi]
		sti
		pop	edx
		xor	al, 0D0h

_PopBlackBoxPdcLockGuid:		; DATA XREF: .data:006B25A0o
		mov	ebx, 6E33DBDDh

loc_410D69:				; CODE XREF: .text:00410DC7j
		sub	dl, [ecx+5D429E4Eh]
		loope	near ptr loc_410D07+3
		jnp	short near ptr loc_410CFC+1

loc_410D73:				; DATA XREF: .data:006B2560o
		test	[ebx+76B2D3Eh],	dl
		stosb
		db	3Eh
		dec	esi
		movsb
		sbb	dl, [ecx-39C3F193h]

loc_410D83:				; DATA XREF: .data:006B26E0o
		cmp	edi, [ebx]
		movsb
		xchg	eax, edx
		jnb	short near ptr loc_410DC2+1
		call	fword ptr [ebp+ecx*2-55AFCE46h]
		db	65h
		int	0EDh		; used by BASIC	while in interpreter

loc_410D93:				; DATA XREF: .data:006B2720o
		or	dh, ch
		mov	bh, 0BEh
		mov	bl, 0
		in	eax, dx
		setalc
		inc	esp
		lodsd
		pusha

loc_410D9E:				; CODE XREF: .text:00410D5Aj
					; DATA XREF: .data:006B26A0o
		shr	dword ptr [ecx+1C0FF82Dh], 5Eh
		dec	ebp
		sub	ecx, eax
		nop
		test	[esi], ebp
		inc	ebp
		mov	esp, 0F7457F71h
		add	dl, cl
; 
		db 68h
; 

_PopBlackBoxPnpEventWorkerGuid:		; DATA XREF: .data:006B2660o
		adc	bl, dh
		out	dx, eax
		mov	ebp, [eax+edi+31h]
		inc	ecx
		mov	cl, 0B1h
		or	al, [edx+edi*8+1Eh]

loc_410DC2:				; CODE XREF: .text:00410E10j
					; .text:00410D87j
					; DATA XREF: ...
		push	0D088914Ah
		loope	near ptr loc_410D69+3
		aad	0F9h
		inc	ebp
		mov	eax, 1D71AD11h
		sti
		db	26h
		pop	es

_PopBlackBoxPoIrpGuid:			; DATA XREF: .data:006B2520o
		inc	esi
; 
		db 0DBh, 23h, 25h
		dd 4A654DDBh, 0E9139A8h, 0C65C983Fh
; 

_PopBlackBoxAcpiGuid:			; DATA XREF: .data:006B24E0o
		mov	ebp, [ecx-8AAC4D2h]
		lahf
		inc	edx
		add	cl, 31h
		mov	eax, ds:8C520681h

_PopBlackBoxPnpGuid:			; DATA XREF: .data:006B24A0o
		inc	ecx
		sbb	[ebx-49h], esp
		sub	dl, [ebx-2Ah]
		dec	esp

loc_410DFC:				; CODE XREF: .text:00410E06j
		mov	cl, 0B1h
		in	eax, dx
		mov	ch, 91h
		jge	short loc_410E48
		push	edi

_PopBlackBoxBsdGuid:			; DATA XREF: .data:006B2460o
		fisttp	word ptr [eax]
		jnb	short near ptr loc_410DFC+1
		inc	ebp
		int	3		; Trap to Debugger
		add	[esi-53h], ecx
		jbe	short loc_410E38
		movsb
		jmp	short loc_410DC2
; 
		dw 0EC10h
_LeapYearDaysPrecedingMonth dw 0	; CODE XREF: .text:00410E8Dj
					; DATA XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+192r ...
word_410E16	dw 1Fh			; DATA XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x):loc_5027FCr
		dd offset loc_5B003C
aYs:
		unicode	0, <y>
		dd 11200F4h, 14F0131h, 16Eh
_NormalYearDaysPrecedingMonth dw 0	; DATA XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+B3r
					; RtlpTimeFieldsToTimeNoLeapSeconds(x,x):loc_5027A8r ...
word_410E32	dw 1Fh			; DATA XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+ABr
		dd offset loc_5A0039+2
; 

loc_410E38:				; CODE XREF: .text:00410E0Dj
		js	short $+2
		xchg	eax, edi
		add	[ebp-0CFF2C00h], dh
		add	[ecx], dl
		add	[eax], esi
		add	[esi+1], ecx

loc_410E48:				; CODE XREF: .text:00410E01j
		insd
		add	[eax], eax
; 
		db 0

;  S U B	R O U T	I N E 


_WnfGuid	proc near		; DATA XREF: PAGE:00A41150o
		bound	edx, [edi+69h]
		inc	edx
		push	eax
		jmp	far ptr	0BB5Ch:6890497Ah
_WnfGuid	endp

; 
		dd 950B5EB3h
; 

_LoadMUIDllGuid:			; DATA XREF: PAGE:00A41118o
		mov	dl, 60h
		fcomp5	st(3)
		arpl	[esi+269845D5h], sp
		mov	al, ds:2C9D94A5h
		mov	al, 8Ah
		cmc
		out	dx, al
		cmp	ecx, [edi]
		outsb
		pop	ebp
		inc	esp
		mov	dl, 0A4h
		aaa
		stosd
		jnb	short near ptr loc_410EF1+4
		aam	7Eh

_UmsTraceGuid:				; DATA XREF: PAGE:00A41128o
		rcl	edx, 0DAh
		mov	ebp, 4AEA52D1h
		xchg	eax, esp
		setalc
		mov	bl, 0CAh
		xchg	eax, edx
		imul	byte ptr ss:[esi]

_HeapSummaryGuid:			; DATA XREF: PAGE:00A41130o
		push	es
		js	short near ptr _LeapYearDaysPrecedingMonth+1
		add	eax, 43EFC246h
		mov	eax, ds:2B7DE147h
		fist	dword ptr [esi+edx*4]

_HeapRangeGuid:				; DATA XREF: PAGE:_EtwpUmglProviderso
		adc	edx, ecx
		adc	edi, 438761C0h
		mov	eax, 0D352AF3Dh
		rcr	ch, cl

loc_410EAB:				; DATA XREF: PAGE:00A41120o
		push	0FFFFFFE2h
		shl	byte ptr [ecx-38h], 1
		shl	dword ptr [edx-6360B2CAh], 97h
		or	ebp, [ebx+123A94h]
; 
		db 3 dup(0)
; 

_SecondsToStartOf1970:			; DATA XREF: RtlSecondsSince1970ToTime(x,x)+Ar
					; RtlTimeToSecondsSince1970(x,x)+22r ...
		add	[ecx+2B610h], dl
; 
		dw 0
; 

; void DEVPKEY_DeviceClass_Configurable
_DEVPKEY_DeviceClass_Configurable:	; DATA XREF: _CmGetInstallerClassMappedPropertyFromComposite+ADBE9o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+6C2o ...
		hlt
		xor	esi, [edx+ebp*2]
		db	26h
		push	esi
		call	near ptr 0DBFAB813h
		fldlg2
		ror	byte ptr [eax+44Bh], cl

loc_410EDB:				; DATA XREF: PAGE:00A42CC8o
		add	ah, bh
		mov	edi, 50A7259Ah
		into
		inc	edi
		scasd
		or	[eax-37h], ch
		cmpsd
		xlat
		xor	esp, [esi+0Dh]
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_LastDeleteDate:	; DATA XREF: PiPnpRtlCmActionCallback+115AB8o
					; PAGE:00A42CE8o
		cld

loc_410EF1:				; CODE XREF: .text:00410E78j
		mov	edi, 50A7259Ah
		into
		inc	edi
		scasd
		or	[eax-37h], ch
		cmpsd
		xlat
		xor	esp, [esi+0Eh]
; 
		db 3 dup(0)
; 

; void DEVPKEY_DeviceClass_FSFilterClass
_DEVPKEY_DeviceClass_FSFilterClass:	; DATA XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B380Do
					; _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+153o ...
		cld
		mov	edi, 50A7259Ah
		into
		inc	edi
		scasd
		or	[eax-37h], ch
		cmpsd
		xlat
		xor	esp, [esi+0Fh]
; 
		db 3 dup(0)
; 

; void DEVPKEY_DeviceClass_DHPRebalanceOptOut
_DEVPKEY_DeviceClass_DHPRebalanceOptOut: ; DATA	XREF: PiRebalanceOptOut(x)+90o
					; _CmGetInstallerClassMappedPropertyFromRegValue+B3968o ...
		db	3Eh
		rep dec	ebp
		ror	edi, 1
		db	66h
		mov	ds:0D389D4Bh, al
; 
		db 0DBh
		dd 147AB37h, 2
; 

; void DEVPKEY_DeviceClass_SilentInstall
_DEVPKEY_DeviceClass_SilentInstall:	; DATA XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B37EEo
					; _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+11Bo ...
		cld
		mov	edi, 50A7259Ah
		into
		inc	edi
		scasd
		or	[eax-37h], ch
		cmpsd
		xlat
		xor	esp, [esi+9]
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_DefaultService:	; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+6E1o
					; PAGE:00A42CA8o
		cld
		mov	edi, 50A7259Ah
		into
		inc	edi
		scasd
		or	[eax-37h], ch
		cmpsd
		xlat
		xor	esp, [esi+0Bh]
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_IconPath:		; DATA XREF: PAGE:00A42CB8o
		cld
		mov	edi, 50A7259Ah
		into
		inc	edi
		scasd
		or	[eax-37h], ch
		cmpsd
		xlat
		xor	esp, [esi+0Ch]
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_ClassInstaller:	; DATA XREF: _CmGetInstallerClassMappedPropertyFromComposite+ADC54o
					; PAGE:00A42C48o
		cld
		mov	edi, 50A7259Ah
		into
		inc	edi
		scasd
		or	[eax-37h], ch
		cmpsd
		xlat
		xor	esp, [esi+5]
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_PropPageProvider:	; DATA XREF: PAGE:00A42C58o
		cld
		mov	edi, 50A7259Ah
		into
		inc	edi
		scasd
		or	[eax-37h], ch
		cmpsd
		xlat
		xor	esp, [esi+6]
; 
		db 3 dup(0)
; 

; void DEVPKEY_DeviceClass_NoInstallClass
_DEVPKEY_DeviceClass_NoInstallClass:	; DATA XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B37B1o
					; _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+E3o ...
		cld
		mov	edi, 50A7259Ah
		into
		inc	edi
		scasd
		or	[eax-37h], ch
		cmpsd
		xlat
		xor	esp, [esi+7]
; 
		db 3 dup(0)
; 

; void DEVPKEY_DeviceClass_NoDisplayClass
_DEVPKEY_DeviceClass_NoDisplayClass:	; DATA XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B37D1o
					; _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+FFo ...
		cld
		mov	edi, 50A7259Ah
		into
		inc	edi
		scasd
		or	[eax-37h], ch
		cmpsd
		xlat
		xor	esp, [esi+8]
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_Characteristics:	; DATA XREF: PAGE:00A42A18o
		mov	edx, [ecx-961BCDFh]
		or	eax, 4DDEA547h
		mov	bh, al
		pop	edx
		ror	byte ptr [ebx+1Dh], cl
; 
		db 3 dup(0)
; 

; void DEVPKEY_DeviceClass_Name
_DEVPKEY_DeviceClass_Name:		; DATA XREF: .data:006B3818o
					; _CmGetInstallerClassMappedPropertyFromRegValue+B3892o ...
		cld
		mov	edi, 50A7259Ah
		into
		inc	edi
		scasd
		or	[eax-37h], ch
		cmpsd
		xlat
		xor	esp, [esi+2]
; 
		db 3 dup(0)
; 

; void DEVPKEY_DeviceClass_ClassName
_DEVPKEY_DeviceClass_ClassName:		; DATA XREF: .data:006B381Co
					; _CmGetInstallerClassMappedPropertyFromComposite+ADBBDo ...
		cld
		mov	edi, 50A7259Ah
		into
		inc	edi
		scasd
		or	[eax-37h], ch
		cmpsd
		xlat
		xor	esp, [esi+3]
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_Icon:		; DATA XREF: PAGE:off_A42C38o
		cld
		mov	edi, 50A7259Ah
		into
		inc	edi
		scasd
		or	[eax-37h], ch
		cmpsd
		xlat
		xor	esp, [esi+4]
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_Security:		; DATA XREF: PAGE:00A429D8o
		mov	edx, [ecx-961BCDFh]
		or	eax, 4DDEA547h
		mov	bh, al
		pop	edx
		ror	byte ptr [ebx+19h], cl
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_SecuritySDS:	; DATA XREF: PAGE:00A429E8o
		mov	edx, [ecx-961BCDFh]
		or	eax, 4DDEA547h
		mov	bh, al
		pop	edx
		ror	byte ptr [ebx+1Ah], cl
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_DevType:		; DATA XREF: PAGE:00A429F8o
		mov	edx, [ecx-961BCDFh]
		or	eax, 4DDEA547h
		mov	bh, al
		pop	edx
		ror	byte ptr [ebx+1Bh], cl
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_Exclusive:		; DATA XREF: PAGE:00A42A08o
		mov	edx, [ecx-961BCDFh]
		or	eax, 4DDEA547h
		mov	bh, al
		pop	edx
		ror	byte ptr [ebx+1Ch], cl
; 
		db 3 dup(0)
_CLFS_LSN_INVALID_EXT dd 0		; DATA XREF: CmpTransAllocateTrans(x,x,x,x)+33r
					; CmpStartRMLog+79r ...
dword_41105C	dd 0FFFFFFFFh		; DATA XREF: CmpTransAllocateTrans(x,x,x,x)+3Br
					; CmpStartRMLog+81r ...
___WIL_WNF_WIL_MACHINE_FEATURE_STORE dd	0A3BC7C75h
					; DATA XREF: wil_details_StagingConfig_Load+4Er
dword_411064	dd 418A073Ah		; DATA XREF: wil_details_StagingConfig_Load+53r
; 

_LegacyEventLogGuid:			; DATA XREF: EtwWriteErrorLogEntry+321o
		inc	edx
		cmp	bl, [edi+3301D42Dh]
		inc	edi
		xchg	eax, edi
		test	dword ptr [esi+ebx], 84DC2180h
; 
_Magic86400000	dd 0FA67B90Eh		; DATA XREF: TimeToDaysAndFraction+2Br
dword_41107C	dd 0C6D750EBh		; DATA XREF: TimeToDaysAndFraction+23r
_Magic10000	dd 0E219652Ch		; DATA XREF: TimeToDaysAndFraction+11r
dword_411084	dd 0D1B71758h		; DATA XREF: TimeToDaysAndFraction+9r
; 

_GUID_BUS_TYPE_SW_DEVICE:		; DATA XREF: PiSwPdoPnPDispatch+2EBo
		and	al, [ebx]
		rol	dword ptr [esi], 1
		loopne	near ptr loc_411107+4
		out	dx, eax
		dec	esp
		mov	fs, word ptr ds:740E7D19h
		inc	edx
; 
		db 0E2h
_WNF_FSRL_OPLOCK_BREAK dd 0A3BC1075h	; DATA XREF: FsRtlSendModernAppTermination+43r
dword_41109C	dd 0D941D2Bh		; DATA XREF: FsRtlSendModernAppTermination+4Br
; 

_DEVPKEY_Device_DevNodeStatusStarted:	; DATA XREF: .text:00404810o
					; .data:006B312Co ...
		adc	[edi+7EB53D48h], dl
		mov	bl, 41h
		test	al, 77h
		test	al, 0EAh
		dec	edi
		lds	edi, [edx+1Dh]
		add	al, [eax]
; 
		dw 0
; 

_DEVPKEY_Device_DevNodeStatusHasProblem: ; DATA	XREF: .text:00404814o
					; .data:006B310Co ...
		adc	[edi+7EB53D48h], dl
		mov	bl, 41h
		test	al, 77h
		test	al, 0EAh
		dec	edi
		lds	edi, [edx+1Dh]
		add	eax, [eax]
; 
		dw 0
; 

_DEVPKEY_Device_DevNodeStatusPrivateProblem: ; DATA XREF: .text:00404818o
					; .data:off_6B3150o
		adc	[edi+7EB53D48h], dl
		mov	bl, 41h
		test	al, 77h
		test	al, 0EAh
		dec	edi
		lds	edi, [edx+1Dh]
		add	al, 0
; 
		dw 0
; 

_DEVPKEY_Device_DevNodeStatusDeviceDisconnected: ; DATA	XREF: .text:0040481Co
					; .data:006B3120o
		adc	[edi+7EB53D48h], dl
		mov	bl, 41h
		test	al, 77h
		test	al, 0EAh
		dec	edi
		lds	edi, [edx+1Dh]

loc_4110EC:				; DATA XREF: .text:00404820o
					; .data:off_6B3108o
		add	eax, 10000000h
		xchg	eax, edi
		dec	eax

loc_4110F3:				; CODE XREF: .text:00411111j
		cmp	eax, 41B37EB5h
		test	al, 77h
		test	al, 0EAh
		dec	edi

loc_4110FD:				; CODE XREF: .text:_DEVPKEY_Device_ExtendedAddressj
		lds	edi, [edx+1Dh]
		push	es
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_UpperFilterCache:	; DATA XREF: .data:006B3104o
					; _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+68o ...
		jge	short loc_411136
		xchg	eax, ebx

loc_411107:				; CODE XREF: .text:00411125j
					; .text:0041108Cj
		mov	eax, ds:46D31245h
		mov	esi, 8612D867h
		jo	short loc_4110F3
		wait
		add	al, [eax]
; 
		dw 0
; 

_DEVPKEY_Device_LowerFilterCache:	; DATA XREF: .data:006B30FCo
					; _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x):loc_A34EC9o ...
		jge	short loc_41114A
		xchg	eax, ebx
		mov	eax, ds:46D31245h
		mov	esi, 8612D867h
		jo	short loc_411107
		wait
		add	eax, [eax]
; 
		dw 0

;  S U B	R O U T	I N E 


_DEVPKEY_DeviceContainer_BatteryLevel proc near
					; DATA XREF: .text:_PiPnpRtlContainerReadOnlyPropso
		sbb	[edx], al
		pusha
		int	0D5h		; used by BASIC	while in interpreter
		dec	ebp
		out	49h, al
		xchg	eax, edi
		xlat

loc_411136:				; CODE XREF: .text:_DEVPKEY_Device_UpperFilterCachej
		or	[ebp+4Dh], ch
		jmp	far ptr	0:2D1CEh
_DEVPKEY_DeviceContainer_BatteryLevel endp


;  S U B	R O U T	I N E 


_DEVPKEY_DeviceContainer_BatteryLow proc near ;	DATA XREF: .text:00404790o
		sbb	[edx], al
		pusha
		int	0D5h		; used by BASIC	while in interpreter
		dec	ebp
		out	49h, al
		xchg	eax, edi
		xlat

loc_41114A:				; CODE XREF: .text:_DEVPKEY_Device_LowerFilterCachej
		or	[ebp+4Dh], ch
		jmp	far ptr	0:3D1CEh
_DEVPKEY_DeviceContainer_BatteryLow endp

; 

_DEVPKEY_Device_DriverIncludedInfs:	; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+15ABo
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1627o ...
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		adc	[eax], al
; 
		dw 0
; 

_DEVPKEY_Device_ExtendedAddress:	; DATA XREF: .text:00404780o
					; PiProcessNewDeviceNode+6EA8Do
		jle	short near ptr loc_4110FD+1
		or	edx, [eax+eax*2-75h]
		mov	esp, 6AA2A845h
		or	ecx, [ecx+17A2BD4Ch]
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_ResourcePickerExceptions: ; DATA XREF: PAGE:00A42DB8o
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc

loc_41118C:				; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+11F3o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1253o ...
		or	eax, 0DD000000h
		db	65h
		mov	eax, 942E3DA8h
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		or	[eax], eax
; 
		dw 0
; 

_DEVPKEY_Device_DriverPropPageProvider:	; DATA XREF: PAGE:00A42D88o
					; PAGEDATA:00A933BCo
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		or	al, [eax]
; 
		dw 0
; 

_DEVPKEY_Device_DriverCoInstallers:	; DATA XREF: PAGE:00A42D98o
					; PAGEDATA:00A933B8o
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		or	eax, [eax]
; 
		dw 0
; 

_DEVPKEY_Device_ResourcePickerTags:	; DATA XREF: PAGE:00A42DA8o
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		or	al, 0
; 
		dw 0
; 

_DEVPKEY_Device_DriverInfPath:		; DATA XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+129o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+9E6o ...
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
; 
		dd 5
; 

_DEVPKEY_Device_DriverInfSection:	; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1370o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+151Fo ...
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd

loc_411201:				; CODE XREF: .text:_DEVPKEY_Device_AssignedToGuestj
		or	al, 75h
		setalc
		push	es
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_DriverInfSectionExt:	; DATA XREF: PAGE:00A42D58o
					; PAGEDATA:00A933B4o
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		pop	es
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_MatchingDeviceId:	; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+16E0o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+177Do ...
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		or	[eax], al
; 
		dw 0
; 

; void DEVPKEY_Device_DriverDate
_DEVPKEY_Device_DriverDate:		; DATA XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+136o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1287o ...
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		add	al, [eax]
; 
		dw 0
; 

_DEVPKEY_Device_DriverVersion:		; DATA XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+189o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+12FAo ...
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		add	eax, [eax]
; 
		dw 0
; 

_DEVPKEY_Device_DriverDesc:		; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+FE4o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1051o ...
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		add	al, 0
; 
		dw 0
; 

_DEVPKEY_Device_AssignedToGuest:	; DATA XREF: .text:00404788o
					; PipSetGuestAssignedProperty(x,x)+25o	...
		jle	short near ptr loc_411201+1
		or	edx, [eax+eax*2-75h]
		mov	esp, 6AA2A845h
		or	ecx, [ecx+18A2BD4Ch]
; 
		db 3 dup(0)
_PopCompressMethodMap dw 3		; DATA XREF: PopAddPagesToCompressedPageSet+68r
					; PopDecompressHiberBlocks+2F0r
		dw 103h
		dd 1040004h
aLowBatteryInde	db 'Low Battery Index',0 ; DATA XREF: .text:00404798o
word_41129A	dw 0			; DATA XREF: .text:0040479Co
					; .text:004047A0o
aCriticalBatter	db 'Critical Battery Index',0 ; DATA XREF: .text:_IndexToActionNameo
		align 4
_PopPowerStateHandlerLookup dd 7	; DATA XREF: PAGELK:loc_71EEDDr
		dd 7, 0
		dd 1, 2, 3, 4
aUnknown:				; DATA XREF: PAGEDATA:00A9351Co
		unicode	0, <Unknown>,0
_LeapYearDayToMonth db 0		; DATA XREF: RtlpTimeToTimeFieldsNoLeapSeconds(x,x):loc_561295r
		align 4
		dd 6 dup(0)
		dd 1000000h, 7 dup(1010101h), 7	dup(2020202h), 3020202h
		dd 7 dup(3030303h), 4040403h, 7	dup(4040404h), 7 dup(5050505h)
		dd 6060505h, 7 dup(6060606h), 7070706h,	7 dup(7070707h)
		dd 7 dup(8080808h), 9090808h, 7	dup(9090909h), 0A0A0A09h
		dd 6 dup(0A0A0A0Ah), 0B0A0A0Ah,	7 dup(0B0B0B0Bh), 0B0Bh
_NormalYearDayToMonth db 0		; DATA XREF: RtlpTimeToTimeFieldsNoLeapSeconds(x,x):loc_561228r
		align 4
		dd 6 dup(0)
		dd 1000000h, 6 dup(1010101h), 2010101h,	7 dup(2020202h)
		dd 3030202h, 7 dup(3030303h), 7	dup(4040404h), 5040404h
		dd 7 dup(5050505h), 6060605h, 7	dup(6060606h), 7 dup(7070707h)
		dd 8070707h, 7 dup(8080808h), 9090908h,	7 dup(9090909h)
		dd 7 dup(0A0A0A0Ah), 0B0B0A0Ah,	7 dup(0B0B0B0Bh), 0Bh
dword_4115C0	dd 601h, 5000000h, 50h,	187ED4D7h, 980B98E7h, 66628D6Fh
					; DATA XREF: .text:00403D60o
		dd 8A5CB7F7h, 0DFDF7EBBh, 0
aLfsvc:					; DATA XREF: .text:00403D68o
		unicode	0, <LfSvc>,0
dword_4115F0	dd 601h, 5000000h, 50h,	7688ED03h, 7283ADE4h, 168B5A20h
					; DATA XREF: .text:00403D54o
		dd 0A12DF105h, 35134F48h, 0
aTimebrokersvc:				; DATA XREF: .text:00403D5Co
		unicode	0, <TimeBrokerSvc>,0
aTestidentifier:			; DATA XREF: .text:00403D44o
		unicode	0, <TestIdentifier>,0
		align 10h
aBrokerinfrastr:			; DATA XREF: .text:00403D50o
		unicode	0, <BrokerInfrastructure>,0
		align 4
aNtospo:				; DATA XREF: .text:00403D98o
		unicode	0, <NtosPo>,0
		align 4
aAcpi:					; DATA XREF: .text:00403DA4o
		unicode	0, <Acpi>,0
		align 4
aSensorservice:				; DATA XREF: .text:00403D8Co
		unicode	0, <SensorService>,0
dword_4116B4	dd 601h, 5000000h, 50h,	33CE37B6h, 1930A4EDh, 0CD85060Eh
					; DATA XREF: .text:00403D90o
		dd 53474620h, 0A89B2B75h, 0
aPower:					; DATA XREF: .text:00403D80o
		unicode	0, <Power>,0
dword_4116E4	dd 601h, 5000000h, 50h,	8BADB25Bh, 0B081AED1h, 23AD640Dh
					; DATA XREF: .text:00403D84o
		dd 17671DFAh, 7DDA4F79h, 0
dword_411708	dd 601h, 5000000h, 50h,	0DCC6F35Ch, 41413E3Bh, 46113B07h
					; DATA XREF: .text:00403D6Co
		dd 7C7ACB0Fh, 2EADF7A2h, 0
aWinlogon:				; DATA XREF: .text:00403D74o
		unicode	0, <WinLogon>,0
		align 10h
aKnetpwrdepbrok:			; DATA XREF: .text:00403DE0o
		unicode	0, <KNetPwrDepBroker>,0
		align 4
aCmbatt:				; DATA XREF: .text:00403DECo
		unicode	0, <Cmbatt>,0
		align 4
aButtonconverte:			; DATA XREF: .text:00403DC8o
		unicode	0, <ButtonConverter>,0
aMsgpiowin32:				; DATA XREF: .text:00403DD4o
		unicode	0, <MsGpioWin32>,0
aButton:				; DATA XREF: .text:00403DB0o
		unicode	0, <Button>,0
		align 4
aMsgpioclx:				; DATA XREF: .text:00403DBCo
		unicode	0, <MsGpioClx>,0
aKuArab:				; DATA XREF: .text:00401F78o
					; .text:00403724o
		unicode	0, <ku-Arab>,0
aQucLatn:				; DATA XREF: .text:004020B0o
					; .text:00403718o
		unicode	0, <quc-Latn>,0
		align 4
aHaLatn:				; DATA XREF: .text:00401E94o
		unicode	0, <ha-Latn>,0
aFfLatn:				; DATA XREF: .text:00401DF4o
					; .text:00403700o
		unicode	0, <ff-Latn>,0
aTzmLatn:				; DATA XREF: .text:00402228o
					; .text:004036F4o
		unicode	0, <tzm-Latn>,0
		align 4
aIuLatn:				; DATA XREF: .text:00401F18o
					; .text:004036E8o
		unicode	0, <iu-Latn>,0
aChrCher:				; DATA XREF: .text:00401CCCo
					; .text:004036DCo
		unicode	0, <chr-Cher>,0
		align 4
aSdArab:				; DATA XREF: .text:00402104o
					; .text:004036D0o
		unicode	0, <sd-Arab>,0
aMnMong:				; DATA XREF: .text:00401FD4o
					; .text:004036C4o
		unicode	0, <mn-Mong>,0
aPaArab:				; DATA XREF: .text:00402064o
					; .text:004036B8o
		unicode	0, <pa-Arab>,0
aUzLatn:				; DATA XREF: .text:00402260o
					; .text:004036ACo
		unicode	0, <uz-Latn>,0
aSmj:					; DATA XREF: .text:00402144o
					; .text:004036A0o
		unicode	0, <smj>,0
aDsb:					; DATA XREF: .text:00401D0Co
					; .text:00403694o
		unicode	0, <dsb>,0
aTgCyrl:				; DATA XREF: .text:004021D8o
					; .text:00403688o
		unicode	0, <tg-Cyrl>,0
aSr:					; DATA XREF: .text:00402170o
					; .text:0040367Co
		unicode	0, <sr>,0
		align 4
aNb:					; DATA XREF: .text:00402014o
					; .text:00403670o
		unicode	0, <nb>,0
		align 4
aZhHant:				; DATA XREF: .text:004022A4o
					; .text:00403664o
		unicode	0, <zh-Hant>,0
aTzmTfng:				; DATA XREF: .text:00402230o
					; .text:00403658o
		unicode	0, <tzm-Tfng>,0
		align 10h
aIuCans:				; DATA XREF: .text:00401F10o
					; .text:0040364Co
		unicode	0, <iu-Cans>,0
aMnCyrl:				; DATA XREF: .text:00401FCCo
					; .text:00403640o
		unicode	0, <mn-Cyrl>,0
aUzCyrl:				; DATA XREF: .text:00402258o
					; .text:00403634o
		unicode	0, <uz-Cyrl>,0
aSma:					; DATA XREF: .text:00402138o
					; .text:00403628o
		unicode	0, <sma>,0
aAzLatn:				; DATA XREF: .text:0040361Co
		unicode	0, <az-Latn>,0
aBs:					; DATA XREF: .text:00401CA8o
					; .text:00403610o
		unicode	0, <bs>,0
		align 10h
aNn:					; DATA XREF: .text:00402034o
					; .text:00403604o
		unicode	0, <nn>,0
		align 4
aZh:					; DATA XREF: .text:00402298o
					; .text:004035F8o
		unicode	0, <zh>,0
		align 10h
aSms:					; DATA XREF: .text:00402158o
					; .text:004035ECo
		unicode	0, <sms>,0
aAzCyrl:				; DATA XREF: .text:004035E0o
		unicode	0, <az-Cyrl>,0
aSmn:					; DATA XREF: .text:00402150o
					; .text:004035D4o
		unicode	0, <smn>,0
aSrLatn:				; DATA XREF: .text:00402188o
					; .text:004035C8o
		unicode	0, <sr-Latn>,0
aSrCyrl:				; DATA XREF: .text:00402174o
					; .text:004035BCo
		unicode	0, <sr-Cyrl>,0
aBsLatn:				; DATA XREF: .text:00401CB4o
					; .text:004035B0o
		unicode	0, <bs-Latn>,0
aBsCyrl:				; DATA XREF: .text:00401CACo
					; .text:004035A4o
		unicode	0, <bs-Cyrl>,0
aEsCu:					; DATA XREF: .text:00401D94o
					; .text:00403598o
		unicode	0, <es-CU>,0
aEs419:					; DATA XREF: .text:00401D7Co
					; .text:0040358Co
		unicode	0, <es-419>,0
		align 4
aEsUs:					; DATA XREF: .text:00401DCCo
					; .text:00403580o
		unicode	0, <es-US>,0
aEsPr:					; DATA XREF: .text:00401DC0o
					; .text:00403574o
		unicode	0, <es-PR>,0
aEsNi:					; DATA XREF: .text:00401DB4o
					; .text:00403568o
		unicode	0, <es-NI>,0
aEnAe:					; DATA XREF: .text:00401D30o
					; .text:0040355Co
		unicode	0, <en-AE>,0
aEsHn:					; DATA XREF: .text:00401DACo
					; .text:00403550o
		unicode	0, <es-HN>,0
aEnSg:					; DATA XREF: .text:00401D64o
					; .text:00403544o
		unicode	0, <en-SG>,0
aEsSv:					; DATA XREF: .text:00401DC8o
					; .text:00403538o
		unicode	0, <es-SV>,0
aEnMy:					; DATA XREF: .text:00401D58o
					; .text:0040352Co
		unicode	0, <en-MY>,0
aEsBo:					; DATA XREF: .text:00401D84o
					; .text:00403520o
		unicode	0, <es-BO>,0
aEnIn:					; DATA XREF: .text:00401D50o
					; .text:00403514o
		unicode	0, <en-IN>,0
aArQa:					; DATA XREF: .text:00403508o
		unicode	0, <ar-QA>,0
aFrHt:					; DATA XREF: .text:00401E3Co
					; .text:004034FCo
		unicode	0, <fr-HT>,0
aEsPy:					; DATA XREF: .text:00401DC4o
					; .text:004034F0o
		unicode	0, <es-PY>,0
aEnHk:					; DATA XREF: .text:00401D44o
					; .text:004034E4o
		unicode	0, <en-HK>,0
aArBh:					; DATA XREF: .text:004034D8o
		unicode	0, <ar-BH>,0
aFrMa:					; DATA XREF: .text:00401E44o
					; .text:004034CCo
		unicode	0, <fr-MA>,0
aEsUy:					; DATA XREF: .text:00401DD0o
					; .text:004034C0o
		unicode	0, <es-UY>,0
aEnId:					; DATA XREF: .text:00401D48o
					; .text:004034B4o
		unicode	0, <en-ID>,0
aArAe:					; DATA XREF: .text:004034A8o
		unicode	0, <ar-AE>,0
aFrMl:					; DATA XREF: .text:00401E4Co
					; .text:0040349Co
		unicode	0, <fr-ML>,0
aEsCl:					; DATA XREF: .text:00401D88o
					; .text:00403490o
		unicode	0, <es-CL>,0
aEnPh:					; DATA XREF: .text:00401D60o
					; .text:00403484o
		unicode	0, <en-PH>,0
aArKw:					; DATA XREF: .text:00403478o
		unicode	0, <ar-KW>,0
aSrCyrlMe:				; DATA XREF: .text:00402180o
					; .text:0040346Co
		unicode	0, <sr-Cyrl-ME>,0
		align 4
aFrCi:					; DATA XREF: .text:00401E30o
					; .text:00403460o
		unicode	0, <fr-CI>,0
aEsEc:					; DATA XREF: .text:00401D9Co
					; .text:00403454o
		unicode	0, <es-EC>,0
aEnZw:					; DATA XREF: .text:00401D74o
					; .text:00403448o
		unicode	0, <en-ZW>,0
aArLb:					; DATA XREF: .text:0040343Co
		unicode	0, <ar-LB>,0
aSrLatnMe:				; DATA XREF: .text:00402194o
					; .text:00403430o
		unicode	0, <sr-Latn-ME>,0
		align 10h
aFrCm:					; DATA XREF: .text:00401E34o
					; .text:00403424o
		unicode	0, <fr-CM>,0
aEsAr:					; DATA XREF: .text:00401D80o
					; .text:00403418o
		unicode	0, <es-AR>,0
aEnTt:					; DATA XREF: .text:00401D68o
					; .text:0040340Co
		unicode	0, <en-TT>,0
aArJo:					; DATA XREF: .text:00403400o
		unicode	0, <ar-JO>,0
aSrCyrlRs:				; DATA XREF: .text:00402184o
					; .text:004033F4o
		unicode	0, <sr-Cyrl-RS>,0
		align 4
aFrSn:					; DATA XREF: .text:00401E54o
					; .text:004033E8o
		unicode	0, <fr-SN>,0
aEsPe:					; DATA XREF: .text:00401DBCo
					; .text:004033DCo
		unicode	0, <es-PE>,0
aEnBz:					; DATA XREF: .text:00401D38o
					; .text:004033D0o
		unicode	0, <en-BZ>,0
aArSy:					; DATA XREF: .text:004033C4o
		unicode	0, <ar-SY>,0
aSmnFi:					; DATA XREF: .text:00402154o
					; .text:004033B8o
		unicode	0, <smn-FI>,0
		align 4
aSrLatnRs:				; DATA XREF: .text:00402198o
					; .text:004033ACo
		unicode	0, <sr-Latn-RS>,0
		align 10h
aFrCd:					; DATA XREF: .text:00401E28o
					; .text:004033A0o
		unicode	0, <fr-CD>,0
aEsCo:					; DATA XREF: .text:00401D8Co
					; .text:00403394o
		unicode	0, <es-CO>,0
aEn029:					; DATA XREF: .text:00401D2Co
					; .text:00403388o
		unicode	0, <en-029>,0
		align 4
aArYe:					; DATA XREF: .text:0040337Co
		unicode	0, <ar-YE>,0
aSmsFi:					; DATA XREF: .text:0040215Co
					; .text:00403370o
		unicode	0, <sms-FI>,0
		align 4
aBsCyrlBa:				; DATA XREF: .text:00401CB0o
					; .text:00403364o
		unicode	0, <bs-Cyrl-BA>,0
		align 4
aFrRe:					; DATA XREF: .text:00401E50o
					; .text:00403358o
		unicode	0, <fr-RE>,0
aEsVe:					; DATA XREF: .text:00401DD4o
					; .text:0040334Co
		unicode	0, <es-VE>,0
aEnJm:					; DATA XREF: .text:00401D54o
					; .text:00403340o
		unicode	0, <en-JM>,0
aArOm:					; DATA XREF: .text:00403334o
		unicode	0, <ar-OM>,0
aSmaSe:					; DATA XREF: .text:00402140o
					; .text:00403328o
		unicode	0, <sma-SE>,0
		align 4
aSrCyrlBa:				; DATA XREF: .text:00402178o
					; .text:0040331Co
		unicode	0, <sr-Cyrl-BA>,0
		align 4
aFr029:					; DATA XREF: .text:00401E1Co
					; .text:00403310o
		unicode	0, <fr-029>,0
		align 4
aEsDo:					; DATA XREF: .text:00401D98o
					; .text:00403304o
		unicode	0, <es-DO>,0
aEnZa:					; DATA XREF: .text:00401D70o
					; .text:004032F8o
		unicode	0, <en-ZA>,0
aArTn:					; DATA XREF: .text:004032ECo
		unicode	0, <ar-TN>,0
aSmaNo:					; DATA XREF: .text:0040213Co
					; .text:004032E0o
		unicode	0, <sma-NO>,0
		align 4
aSrLatnBa:				; DATA XREF: .text:0040218Co
					; .text:004032D4o
		unicode	0, <sr-Latn-BA>,0
		align 10h
aFrMc:					; DATA XREF: .text:00401E48o
					; .text:004032C8o
		unicode	0, <fr-MC>,0
aEsPa:					; DATA XREF: .text:00401DB8o
					; .text:004032BCo
		unicode	0, <es-PA>,0
aEnIe:					; DATA XREF: .text:00401D4Co
					; .text:004032B0o
		unicode	0, <en-IE>,0
aArMa:					; DATA XREF: .text:004032A4o
		unicode	0, <ar-MA>,0
aSmjSe:					; DATA XREF: .text:0040214Co
					; .text:00403298o
		unicode	0, <smj-SE>,0
		align 10h
aBsLatnBa:				; DATA XREF: .text:00401CB8o
					; .text:0040328Co
		unicode	0, <bs-Latn-BA>,0
		align 4
aFrLu:					; DATA XREF: .text:00401E40o
					; .text:00403280o
		unicode	0, <fr-LU>,0
aEsCr:					; DATA XREF: .text:00401D90o
					; .text:00403274o
		unicode	0, <es-CR>,0
aEnNz:					; DATA XREF: .text:00401D5Co
					; .text:00403268o
		unicode	0, <en-NZ>,0
aDeLi:					; DATA XREF: .text:00401D04o
					; .text:0040325Co
		unicode	0, <de-LI>,0
aZhMo:					; DATA XREF: .text:004022ACo
					; .text:00403250o
		unicode	0, <zh-MO>,0
aArDz:					; DATA XREF: .text:00403244o
		unicode	0, <ar-DZ>,0
aTzmTfngMa:				; DATA XREF: .text:00402234o
					; .text:00403238o
		unicode	0, <tzm-Tfng-MA>,0
aSmjNo:					; DATA XREF: .text:00402148o
					; .text:0040322Co
		unicode	0, <smj-NO>,0
		align 4
aHrBa:					; DATA XREF: .text:00401EB8o
					; .text:00403220o
		unicode	0, <hr-BA>,0
aFrCh:					; DATA XREF: .text:00401E2Co
					; .text:00403214o
		unicode	0, <fr-CH>,0
aEsGt:					; DATA XREF: .text:00401DA8o
					; .text:00403208o
		unicode	0, <es-GT>,0
aEnCa:					; DATA XREF: .text:00401D3Co
					; .text:004031FCo
		unicode	0, <en-CA>,0
aDeLu:					; DATA XREF: .text:00401D08o
					; .text:004031F0o
		unicode	0, <de-LU>,0
aZhSg:					; DATA XREF: .text:004022B0o
					; .text:004031E4o
		unicode	0, <zh-SG>,0
aArLy:					; DATA XREF: .text:004031D8o
		unicode	0, <ar-LY>,0
aQuzPe:					; DATA XREF: .text:004020C4o
					; .text:004031CCo
		unicode	0, <quz-PE>,0
		align 4
aDzBt:					; DATA XREF: .text:00401D1Co
					; .text:004031C0o
		unicode	0, <dz-BT>,0
aMnMongMn:				; DATA XREF: .text:00401FDCo
					; .text:004031B4o
		unicode	0, <mn-Mong-MN>,0
		align 10h
aSeFi:					; DATA XREF: .text:00402114o
					; .text:004031A8o
		unicode	0, <se-FI>,0
aSrCyrlCs:				; DATA XREF: .text:0040217Co
					; .text:0040319Co
		unicode	0, <sr-Cyrl-CS>,0
		align 4
aFrCa:					; DATA XREF: .text:00401E24o
					; .text:00403190o
		unicode	0, <fr-CA>,0
aEsEs:					; DATA XREF: .text:00401DA0o
					; .text:00403184o
		unicode	0, <es-ES>,0
aEnAu:					; DATA XREF: .text:00401D34o
					; .text:00403178o
		unicode	0, <en-AU>,0
aDeAt:					; DATA XREF: .text:00401CF8o
					; .text:0040316Co
		unicode	0, <de-AT>,0
aZhHk:					; DATA XREF: .text:004022A8o
					; .text:00403160o
		unicode	0, <zh-HK>,0
aArEg:					; DATA XREF: .text:00403154o
		unicode	0, <ar-EG>,0
aQpsPlocm:				; DATA XREF: .text:004020A8o
					; .text:00403148o
		unicode	0, <qps-plocm>,0
aQpsLatnXSh:				; DATA XREF: .text:0040209Co
					; .text:0040313Co
		unicode	0, <qps-Latn-x-sh>,0
aTiEr:					; DATA XREF: .text:004021ECo
					; .text:00403130o
		unicode	0, <ti-ER>,0
aQuzEc:					; DATA XREF: .text:004020C0o
					; .text:00403124o
		unicode	0, <quz-EC>,0
		align 4
aFfLatnSn:				; DATA XREF: .text:00401DFCo
					; .text:00403118o
		unicode	0, <ff-Latn-SN>,0
		align 10h
aNeIn:					; DATA XREF: .text:00402020o
					; .text:0040310Co
		unicode	0, <ne-IN>,0
aKsDevaIn:				; DATA XREF: .text:00401F70o
					; .text:00403100o
		unicode	0, <ks-Deva-IN>,0
		align 4
aTzmLatnDz:				; DATA XREF: .text:0040222Co
					; .text:004030F4o
		unicode	0, <tzm-Latn-DZ>,0
aIuLatnCa:				; DATA XREF: .text:00401F1Co
					; .text:004030E8o
		unicode	0, <iu-Latn-CA>,0
		align 4
aSdArabPk:				; DATA XREF: .text:00402108o
					; .text:004030DCo
		unicode	0, <sd-Arab-PK>,0
		align 4
aMnMongCn:				; DATA XREF: .text:00401FD8o
					; .text:004030D0o
		unicode	0, <mn-Mong-CN>,0
		align 4
aTaLk:					; DATA XREF: .text:004021C8o
					; .text:004030C4o
		unicode	0, <ta-LK>,0
aPaArabPk:				; DATA XREF: .text:00402068o
					; .text:004030B8o
		unicode	0, <pa-Arab-PK>,0
		align 4
aBnBd:					; DATA XREF: .text:004030ACo
		unicode	0, <bn-BD>,0
aUzCyrlUz:				; DATA XREF: .text:0040225Co
					; .text:004030A0o
		unicode	0, <uz-Cyrl-UZ>,0
		align 4
aMsBn:					; DATA XREF: .text:00401FFCo
					; .text:00403094o
		unicode	0, <ms-BN>,0
aGaIe:					; DATA XREF: .text:00401E64o
					; .text:00403088o
		unicode	0, <ga-IE>,0
aSeSe:					; DATA XREF: .text:0040211Co
					; .text:0040307Co
		unicode	0, <se-SE>,0
aTnBw:					; DATA XREF: .text:00402200o
					; .text:00403070o
		unicode	0, <tn-BW>,0
aDsbDe:					; DATA XREF: .text:00401D10o
					; .text:00403064o
		unicode	0, <dsb-DE>,0
		align 4
aAzCyrlAz:				; DATA XREF: .text:00403058o
		unicode	0, <az-Cyrl-AZ>,0
		align 4
aUrIn:					; DATA XREF: .text:0040224Co
					; .text:0040304Co
		unicode	0, <ur-IN>,0
aSvFi:					; DATA XREF: .text:004021A8o
					; .text:00403040o
		unicode	0, <sv-FI>,0
aSrLatnCs:				; DATA XREF: .text:00402190o
					; .text:00403034o
		unicode	0, <sr-Latn-CS>,0
		align 4
aRuMd:					; DATA XREF: .text:004020E0o
					; .text:00403028o
		unicode	0, <ru-MD>,0
aRoMd:					; DATA XREF: .text:004020D4o
					; .text:0040301Co
		unicode	0, <ro-MD>,0
aPtPt:					; DATA XREF: .text:00402098o
					; .text:00403010o
		unicode	0, <pt-PT>,0
aNnNo:					; DATA XREF: .text:00402038o
					; .text:00403004o
		unicode	0, <nn-NO>,0
aNlBe:					; DATA XREF: .text:0040202Co
					; .text:00402FF8o
		unicode	0, <nl-BE>,0
aItCh:					; DATA XREF: .text:00401F04o
					; .text:00402FECo
		unicode	0, <it-CH>,0
aFrBe:					; DATA XREF: .text:00401E20o
					; .text:00402FE0o
		unicode	0, <fr-BE>,0
aEsMx:					; DATA XREF: .text:00401DB0o
					; .text:00402FD4o
		unicode	0, <es-MX>,0
aEnGb:					; DATA XREF: .text:00401D40o
					; .text:00402FC8o
		unicode	0, <en-GB>,0
aDeCh:					; DATA XREF: .text:00401CFCo
					; .text:00402FBCo
		unicode	0, <de-CH>,0
aZhCn:					; DATA XREF: .text:0040229Co
					; .text:00402FB0o
		unicode	0, <zh-CN>,0
aCaEsValencia:				; DATA XREF: .text:00401CC4o
					; .text:00402FA4o
		unicode	0, <ca-ES-valencia>,0
		align 4
aArIq:					; DATA XREF: .text:00402F98o
		unicode	0, <ar-IQ>,0
aQpsPloca:				; DATA XREF: .text:004020A4o
					; .text:00402F8Co
		unicode	0, <qps-ploca>,0
aQpsPloc:				; DATA XREF: .text:004020A0o
					; .text:00402F80o
		unicode	0, <qps-ploc>,0
		align 4
aKuArabIq:				; DATA XREF: .text:00401F7Co
					; .text:00402F74o
		unicode	0, <ku-Arab-IQ>,0
		align 4
aGdGb:					; DATA XREF: .text:00401E6Co
					; .text:00402F68o
		unicode	0, <gd-GB>,0
aPrsAf:					; DATA XREF: .text:00402084o
					; .text:00402F5Co
		unicode	0, <prs-AF>,0
		align 10h
aWoSn:					; DATA XREF: .text:0040227Co
					; .text:00402F50o
		unicode	0, <wo-SN>,0
aRwRw:					; DATA XREF: .text:004020ECo
					; .text:00402F44o
		unicode	0, <rw-RW>,0
aQucLatnGt:				; DATA XREF: .text:004020B4o
					; .text:00402F38o
		unicode	0, <quc-Latn-GT>,0
aSahRu:					; DATA XREF: .text:004020FCo
					; .text:00402F2Co
		unicode	0, <sah-RU>,0
		align 10h
aGswFr:					; DATA XREF: .text:00401E84o
					; .text:00402F20o
		unicode	0, <gsw-FR>,0
		align 10h
aCoFr:					; DATA XREF: .text:00401CD8o
					; .text:00402F14o
		unicode	0, <co-FR>,0
aOcFr:					; DATA XREF: .text:0040204Co
					; .text:00402F08o
		unicode	0, <oc-FR>,0
aMiNz:					; DATA XREF: .text:00401FB4o
					; .text:00402EFCo
		unicode	0, <mi-NZ>,0
aUgCn:					; DATA XREF: .text:0040223Co
					; .text:00402EF0o
		unicode	0, <ug-CN>,0
aBrFr:					; DATA XREF: .text:00401CA4o
					; .text:00402EE4o
		unicode	0, <br-FR>,0
aMohCa:					; DATA XREF: .text:00401FECo
					; .text:00402ED8o
		unicode	0, <moh-CA>,0
		align 4
aArnCl:					; DATA XREF: .text:00402ECCo
		unicode	0, <arn-CL>,0
		align 4
aPap029:				; DATA XREF: .text:00402074o
					; .text:00402EC0o
		unicode	0, <pap-029>,0
aIiCn:					; DATA XREF: .text:00401EF4o
					; .text:00402EB4o
		unicode	0, <ii-CN>,0
aSoSo:					; DATA XREF: .text:00402164o
					; .text:00402EA8o
		unicode	0, <so-SO>,0
aLa001:					; DATA XREF: .text:00401F8Co
					; .text:00402E9Co
		unicode	0, <la-001>,0
		align 4
aHawUs:					; DATA XREF: .text:00401EA0o
					; .text:00402E90o
		unicode	0, <haw-US>,0
		align 4
aGnPy:					; DATA XREF: .text:00401E7Co
					; .text:00402E84o
		unicode	0, <gn-PY>,0
aTiEt:					; DATA XREF: .text:004021F0o
					; .text:00402E78o
		unicode	0, <ti-ET>,0
aOmEt:					; DATA XREF: .text:00402054o
					; .text:00402E6Co
		unicode	0, <om-ET>,0
aKrLatnNg:				; DATA XREF: .text:00401F64o
					; .text:00402E60o
		unicode	0, <kr-Latn-NG>,0
		align 10h
aIgNg:					; DATA XREF: .text:00401EECo
					; .text:00402E54o
		unicode	0, <ig-NG>,0
aKlGl:					; DATA XREF: .text:00401F3Co
					; .text:00402E48o
		unicode	0, <kl-GL>,0
aLbLu:					; DATA XREF: .text:00401F94o
					; .text:00402E3Co
		unicode	0, <lb-LU>,0
aBaRu:					; DATA XREF: .text:00402E30o
		unicode	0, <ba-RU>,0
aNsoZa:					; DATA XREF: .text:00402044o
					; .text:00402E24o
		unicode	0, <nso-ZA>,0
		align 10h
aQuzBo:					; DATA XREF: .text:004020BCo
					; .text:00402E18o
		unicode	0, <quz-BO>,0
		align 10h
aYoNg:					; DATA XREF: .text:00402294o
					; .text:00402E0Co
		unicode	0, <yo-NG>,0
aIbbNg:					; DATA XREF: .text:00401EDCo
					; .text:00402E00o
		unicode	0, <ibb-NG>,0
		align 4
aHaLatnNg:				; DATA XREF: .text:00401E98o
					; .text:00402DF4o
		unicode	0, <ha-Latn-NG>,0
		align 4
aFfLatnNg:				; DATA XREF: .text:00401DF8o
					; .text:00402DE8o
		unicode	0, <ff-Latn-NG>,0
		align 4
aBinNg:					; DATA XREF: .text:00402DDCo
		unicode	0, <bin-NG>,0
		align 4
aDvMv:					; DATA XREF: .text:00401D18o
					; .text:00402DD0o
		unicode	0, <dv-MV>,0
aFilPh:					; DATA XREF: .text:00401E0Co
					; .text:00402DC4o
		unicode	0, <fil-PH>,0
		align 4
aPsAf:					; DATA XREF: .text:0040208Co
					; .text:00402DB8o
		unicode	0, <ps-AF>,0
aFyNl:					; DATA XREF: .text:00401E5Co
					; .text:00402DACo
		unicode	0, <fy-NL>,0
aNeNp:					; DATA XREF: .text:00402024o
					; .text:00402DA0o
		unicode	0, <ne-NP>,0
aKsArab:				; DATA XREF: .text:00401F6Co
					; .text:00402D94o
		unicode	0, <ks-Arab>,0
aTzmArabMa:				; DATA XREF: .text:00402224o
					; .text:00402D88o
		unicode	0, <tzm-Arab-MA>,0
aAmEt:					; DATA XREF: .text:00402D7Co
		unicode	0, <am-ET>,0
aIuCansCa:				; DATA XREF: .text:00401F14o
					; .text:00402D70o
		unicode	0, <iu-Cans-CA>,0
		align 4
aChrCherUs:				; DATA XREF: .text:00401CD0o
					; .text:00402D64o
		unicode	0, <chr-Cher-US>,0
aSiLk:					; DATA XREF: .text:00402124o
					; .text:00402D58o
		unicode	0, <si-LK>,0
aSyrSy:					; DATA XREF: .text:004021BCo
					; .text:00402D4Co
		unicode	0, <syr-SY>,0
		align 4
aSdDevaIn:				; DATA XREF: .text:0040210Co
					; .text:00402D40o
		unicode	0, <sd-Deva-IN>,0
		align 4
aMniIn:					; DATA XREF: .text:00401FE4o
					; .text:00402D34o
		unicode	0, <mni-IN>,0
		align 4
aKokIn:					; DATA XREF: .text:00401F5Co
					; .text:00402D28o
		unicode	0, <kok-IN>,0
		align 4
aGlEs:					; DATA XREF: .text:00401E74o
					; .text:00402D1Co
		unicode	0, <gl-ES>,0
aMyMm:					; DATA XREF: .text:00402010o
					; .text:00402D10o
		unicode	0, <my-MM>,0
aLoLa:					; DATA XREF: .text:00401F9Co
					; .text:00402D04o
		unicode	0, <lo-LA>,0
aKmKh:					; DATA XREF: .text:00401F44o
					; .text:00402CF8o
		unicode	0, <km-KH>,0
aCyGb:					; DATA XREF: .text:00401CE8o
					; .text:00402CECo
		unicode	0, <cy-GB>,0
aBoCn:					; DATA XREF: .text:00401C9Co
					; .text:00402CE0o
		unicode	0, <bo-CN>,0
aMnMn:					; DATA XREF: .text:00401FD0o
					; .text:00402CD4o
		unicode	0, <mn-MN>,0
aSaIn:					; DATA XREF: .text:004020F4o
					; .text:00402CC8o
		unicode	0, <sa-IN>,0
aMrIn:					; DATA XREF: .text:00401FF4o
					; .text:00402CBCo
		unicode	0, <mr-IN>,0
aAsIn:					; DATA XREF: .text:00402CB0o
		unicode	0, <as-IN>,0
aMlIn:					; DATA XREF: .text:00401FC4o
					; .text:00402CA4o
		unicode	0, <ml-IN>,0
aKnIn:					; DATA XREF: .text:00401F4Co
					; .text:00402C98o
		unicode	0, <kn-IN>,0
aTeIn:					; DATA XREF: .text:004021D0o
					; .text:00402C8Co
		unicode	0, <te-IN>,0
aTaIn:					; DATA XREF: .text:004021C4o
					; .text:00402C80o
		unicode	0, <ta-IN>,0
aOrIn:					; DATA XREF: .text:0040205Co
					; .text:00402C74o
		unicode	0, <or-IN>,0
aGuIn:					; DATA XREF: .text:00401E8Co
					; .text:00402C68o
		unicode	0, <gu-IN>,0
aPaIn:					; DATA XREF: .text:0040206Co
					; .text:00402C5Co
		unicode	0, <pa-IN>,0
aBnIn:					; DATA XREF: .text:00401C94o
					; .text:00402C50o
		unicode	0, <bn-IN>,0
aTtRu:					; DATA XREF: .text:0040221Co
					; .text:00402C44o
		unicode	0, <tt-RU>,0
aUzLatnUz:				; DATA XREF: .text:00402264o
					; .text:00402C38o
		unicode	0, <uz-Latn-UZ>,0
		align 10h
aTkTm:					; DATA XREF: .text:004021F8o
					; .text:00402C2Co
		unicode	0, <tk-TM>,0
aSwKe:					; DATA XREF: .text:004021B4o
					; .text:00402C20o
		unicode	0, <sw-KE>,0
aKyKg:					; DATA XREF: .text:00401F84o
					; .text:00402C14o
		unicode	0, <ky-KG>,0
aKkKz:					; DATA XREF: .text:00401F34o
					; .text:00402C08o
		unicode	0, <kk-KZ>,0
aMsMy:					; DATA XREF: .text:off_402000o
					; .text:00402BFCo
		unicode	0, <ms-MY>,0
aYi001:					; DATA XREF: .text:0040228Co
					; .text:00402BF0o
		unicode	0, <yi-001>,0
		align 4
aSeNo:					; DATA XREF: .text:00402118o
					; .text:00402BE4o
		unicode	0, <se-NO>,0
aMtMt:					; DATA XREF: .text:00402008o
					; .text:00402BD8o
		unicode	0, <mt-MT>,0
aHiIn:					; DATA XREF: .text:00401EB0o
					; .text:00402BCCo
		unicode	0, <hi-IN>,0
aFoFo:					; DATA XREF: .text:00401E14o
					; .text:00402BC0o
		unicode	0, <fo-FO>,0
aKaGe:					; DATA XREF: .text:00401F2Co
					; .text:00402BB4o
		unicode	0, <ka-GE>,0
aAfZa:					; DATA XREF: .text:00402BA8o
		unicode	0, <af-ZA>,0
aZuZa:					; DATA XREF: .text:004022BCo
					; .text:00402B9Co
		unicode	0, <zu-ZA>,0
aXhZa:					; DATA XREF: .text:00402284o
					; .text:00402B90o
		unicode	0, <xh-ZA>,0
aVeZa:					; DATA XREF: .text:0040226Co
					; .text:00402B84o
		unicode	0, <ve-ZA>,0
aTnZa:					; DATA XREF: .text:00402204o
					; .text:00402B78o
		unicode	0, <tn-ZA>,0
aTsZa:					; DATA XREF: .text:00402214o
					; .text:00402B6Co
		unicode	0, <ts-ZA>,0
aStZa:					; DATA XREF: .text:004021A0o
					; .text:00402B60o
		unicode	0, <st-ZA>,0
aMkMk:					; DATA XREF: .text:00401FBCo
					; .text:00402B54o
		unicode	0, <mk-MK>,0
aHsbDe:					; DATA XREF: .text:00401EC4o
					; .text:00402B48o
		unicode	0, <hsb-DE>,0
		align 4
aEuEs:					; DATA XREF: .text:00401DE4o
					; .text:00402B3Co
		unicode	0, <eu-ES>,0
aAzLatnAz:				; DATA XREF: .text:00402B30o
		unicode	0, <az-Latn-AZ>,0
		align 4
aHyAm:					; DATA XREF: .text:00401ED4o
					; .text:00402B24o
		unicode	0, <hy-AM>,0
aViVn:					; DATA XREF: .text:00402274o
					; .text:00402B18o
		unicode	0, <vi-VN>,0
aFaIr:					; DATA XREF: .text:00401DECo
					; .text:00402B0Co
		unicode	0, <fa-IR>,0
aTgCyrlTj:				; DATA XREF: .text:004021DCo
					; .text:00402B00o
		unicode	0, <tg-Cyrl-TJ>,0
		align 4
aLtLt:					; DATA XREF: .text:00401FA4o
					; .text:00402AF4o
		unicode	0, <lt-LT>,0
aLvLv:					; DATA XREF: .text:00401FACo
					; .text:00402AE8o
		unicode	0, <lv-LV>,0
aEtEe:					; DATA XREF: .text:00401DDCo
					; .text:00402ADCo
		unicode	0, <et-EE>,0
aSlSi:					; DATA XREF: .text:00402134o
					; .text:00402AD0o
		unicode	0, <sl-SI>,0
aBeBy:					; DATA XREF: .text:00402AC4o
		unicode	0, <be-BY>,0
aUkUa:					; DATA XREF: .text:00402244o
					; .text:00402AB8o
		unicode	0, <uk-UA>,0
aIdId:					; DATA XREF: .text:00401EE4o
					; .text:00402AACo
		unicode	0, <id-ID>,0
aUrPk:					; DATA XREF: .text:00402250o
					; .text:00402AA0o
		unicode	0, <ur-PK>,0
aTrTr:					; DATA XREF: .text:0040220Co
					; .text:00402A94o
		unicode	0, <tr-TR>,0
aThTh:					; DATA XREF: .text:004021E4o
					; .text:00402A88o
		unicode	0, <th-TH>,0
aSvSe:					; DATA XREF: .text:004021ACo
					; .text:00402A7Co
		unicode	0, <sv-SE>,0
aSqAl:					; DATA XREF: .text:0040216Co
					; .text:00402A70o
		unicode	0, <sq-AL>,0
aSkSk:					; DATA XREF: .text:0040212Co
					; .text:00402A64o
		unicode	0, <sk-SK>,0
aHrHr:					; DATA XREF: .text:00401EBCo
					; .text:00402A58o
		unicode	0, <hr-HR>,0
aRuRu:					; DATA XREF: .text:004020E4o
					; .text:00402A4Co
		unicode	0, <ru-RU>,0
aRoRo:					; DATA XREF: .text:004020D8o
					; .text:00402A40o
		unicode	0, <ro-RO>,0
aRmCh:					; DATA XREF: .text:004020CCo
					; .text:00402A34o
		unicode	0, <rm-CH>,0
aPtBr:					; DATA XREF: .text:00402094o
					; .text:00402A28o
		unicode	0, <pt-BR>,0
aPlPl:					; DATA XREF: .text:0040207Co
					; .text:00402A1Co
		unicode	0, <pl-PL>,0
aNbNo:					; DATA XREF: .text:00402018o
					; .text:00402A10o
		unicode	0, <nb-NO>,0
aNlNl:					; DATA XREF: .text:00402030o
					; .text:00402A04o
		unicode	0, <nl-NL>,0
aKoKr:					; DATA XREF: .text:00401F54o
					; .text:004029F8o
		unicode	0, <ko-KR>,0
aJaJp:					; DATA XREF: .text:00401F24o
					; .text:004029ECo
		unicode	0, <ja-JP>,0
aItIt:					; DATA XREF: .text:00401F08o
					; .text:004029E0o
		unicode	0, <it-IT>,0
aIsIs:					; DATA XREF: .text:00401EFCo
					; .text:004029D4o
		unicode	0, <is-IS>,0
aHuHu:					; DATA XREF: .text:00401ECCo
					; .text:004029C8o
		unicode	0, <hu-HU>,0
aHeIl:					; DATA XREF: .text:00401EA8o
					; .text:004029BCo
		unicode	0, <he-IL>,0
aFrFr:					; DATA XREF: .text:00401E38o
					; .text:004029B0o
		unicode	0, <fr-FR>,0
aFiFi:					; DATA XREF: .text:00401E04o
					; .text:004029A4o
		unicode	0, <fi-FI>,0
aEsEs_tradnl:				; DATA XREF: .text:00401DA4o
					; .text:00402998o
		unicode	0, <es-ES_tradnl>,0
		align 10h
aEnUs:					; DATA XREF: .text:00401D6Co
					; .text:0040298Co
		unicode	0, <en-US>,0
aElGr:					; DATA XREF: .text:00401D24o
					; .text:00402980o
		unicode	0, <el-GR>,0
aDeDe:					; DATA XREF: .text:00401D00o
					; .text:00402974o
		unicode	0, <de-DE>,0
aDaDk:					; DATA XREF: .text:00401CF0o
					; .text:00402968o
		unicode	0, <da-DK>,0
aCsCz:					; DATA XREF: .text:00401CE0o
					; .text:0040295Co
		unicode	0, <cs-CZ>,0
aZhTw:					; DATA XREF: .text:004022B4o
					; .text:00402950o
		unicode	0, <zh-TW>,0
aCaEs:					; DATA XREF: .text:00401CC0o
					; .text:00402944o
		unicode	0, <ca-ES>,0
aBgBg:					; DATA XREF: .text:00402938o
		unicode	0, <bg-BG>,0
aArSa:					; DATA XREF: .text:0040292Co
		unicode	0, <ar-SA>,0
aKu:					; DATA XREF: .text:00401F74o
					; .text:00402920o
		unicode	0, <ku>,0
		align 4
aGd:					; DATA XREF: .text:00401E68o
					; .text:00402914o
		unicode	0, <gd>,0
		align 4
aPrs:					; DATA XREF: .text:00402080o
					; .text:00402908o
		unicode	0, <prs>,0
aWo:					; DATA XREF: .text:00402278o
					; .text:004028FCo
		unicode	0, <wo>,0
		align 4
aRw:					; DATA XREF: .text:004020E8o
					; .text:004028F0o
		unicode	0, <rw>,0
		align 4
aQuc:					; DATA XREF: .text:004020ACo
					; .text:004028E4o
		unicode	0, <quc>,0
aSah:					; DATA XREF: .text:004020F8o
					; .text:004028D8o
		unicode	0, <sah>,0
aGsw:					; DATA XREF: .text:00401E80o
					; .text:004028CCo
		unicode	0, <gsw>,0
aCo:					; DATA XREF: .text:00401CD4o
					; .text:004028C0o
		unicode	0, <co>,0
		align 4
aOc:					; DATA XREF: .text:00402048o
					; .text:004028B4o
		unicode	0, <oc>,0
		align 4
aMi:					; DATA XREF: .text:00401FB0o
					; .text:004028A8o
		unicode	0, <mi>,0
		align 4
aUg:					; DATA XREF: .text:00402238o
					; .text:0040289Co
		unicode	0, <ug>,0
		align 4
aBr:					; DATA XREF: .text:00401CA0o
					; .text:00402884o
		unicode	0, <br>,0
		align 4
aMoh:					; DATA XREF: .text:00401FE8o
					; .text:00402878o
		unicode	0, <moh>,0
aArn:					; DATA XREF: .text:0040286Co
		unicode	0, <arn>,0
aPap:					; DATA XREF: .text:00402070o
					; .text:00402860o
		unicode	0, <pap>,0
aIi:					; DATA XREF: .text:00401EF0o
					; .text:00402854o
		unicode	0, <ii>,0
		align 4
aSo:					; DATA XREF: .text:00402160o
					; .text:00402848o
		unicode	0, <so>,0
		align 4
aLa:					; DATA XREF: .text:00401F88o
					; .text:0040283Co
		unicode	0, <la>,0
		align 4
aHaw:					; DATA XREF: .text:00401E9Co
					; .text:00402830o
		unicode	0, <haw>,0
aGn:					; DATA XREF: .text:00401E78o
					; .text:00402824o
		unicode	0, <gn>,0
		align 4
aTi:					; DATA XREF: .text:004021E8o
					; .text:00402818o
		unicode	0, <ti>,0
		align 4
aOm:					; DATA XREF: .text:00402050o
					; .text:0040280Co
		unicode	0, <om>,0
		align 4
aKr:					; DATA XREF: .text:00401F60o
					; .text:00402800o
		unicode	0, <kr>,0
		align 4
aIg:					; DATA XREF: .text:00401EE8o
					; .text:004027F4o
		unicode	0, <ig>,0
		align 4
aKl:					; DATA XREF: .text:00401F38o
					; .text:004027E8o
		unicode	0, <kl>,0
		align 4
aLb:					; DATA XREF: .text:00401F90o
					; .text:004027DCo
		unicode	0, <lb>,0
		align 4
aBa:					; DATA XREF: .text:004027D0o
		unicode	0, <ba>,0
		align 4
aNso:					; DATA XREF: .text:00402040o
					; .text:004027C4o
		unicode	0, <nso>,0
aQuz:					; DATA XREF: .text:004020B8o
					; .text:004027B8o
		unicode	0, <quz>,0
aYo:					; DATA XREF: .text:00402290o
					; .text:004027ACo
		unicode	0, <yo>,0
		align 4
aIbb:					; DATA XREF: .text:00401ED8o
					; .text:004027A0o
		unicode	0, <ibb>,0
aHa:					; DATA XREF: .text:00401E90o
					; .text:00402794o
		unicode	0, <ha>,0
		align 4
aFf:					; DATA XREF: .text:00401DF0o
					; .text:00402788o
		unicode	0, <ff>,0
		align 4
aBin:					; DATA XREF: .text:0040277Co
		unicode	0, <bin>,0
aDv:					; DATA XREF: .text:00401D14o
					; .text:00402770o
		unicode	0, <dv>,0
		align 4
aFil:					; DATA XREF: .text:00401E08o
					; .text:00402764o
		unicode	0, <fil>,0
aPs:					; DATA XREF: .text:00402088o
					; .text:00402758o
		unicode	0, <ps>,0
		align 4
aFy:					; DATA XREF: .text:00401E58o
					; .text:0040274Co
		unicode	0, <fy>,0
		align 4
aNe:					; DATA XREF: .text:0040201Co
					; .text:00402740o
		unicode	0, <ne>,0
		align 4
aKs:					; DATA XREF: .text:00401F68o
					; .text:00402734o
		unicode	0, <ks>,0
		align 4
aTzm:					; DATA XREF: .text:00402220o
					; .text:00402728o
		unicode	0, <tzm>,0
aAm:					; DATA XREF: .text:0040271Co
		unicode	0, <am>,0
		align 4
aIu_1:					; DATA XREF: .text:00401F0Co
					; .text:00402710o
		unicode	0, <iu>,0
		align 4
aChr:					; DATA XREF: .text:00401CC8o
					; .text:00402704o
		unicode	0, <chr>,0
aSi:					; DATA XREF: .text:00402120o
					; .text:004026F8o
		unicode	0, <si>,0
		align 4
aSyr:					; DATA XREF: .text:004021B8o
					; .text:004026ECo
		unicode	0, <syr>,0
aSd_1:					; DATA XREF: .text:00402100o
					; .text:004026E0o
		unicode	0, <sd>,0
		align 4
aMni:					; DATA XREF: .text:00401FE0o
					; .text:004026D4o
		unicode	0, <mni>,0
aKok:					; DATA XREF: .text:00401F58o
					; .text:004026C8o
		unicode	0, <kok>,0
aGl:					; DATA XREF: .text:00401E70o
					; .text:004026BCo
		unicode	0, <gl>,0
		align 4
aMy:					; DATA XREF: .text:0040200Co
					; .text:004026B0o
		unicode	0, <my>,0
		align 4
aLo:					; DATA XREF: .text:00401F98o
					; .text:004026A4o
		unicode	0, <lo>,0
		align 4
aKm:					; DATA XREF: .text:00401F40o
					; .text:00402698o
		unicode	0, <km>,0
		align 4
aCy:					; DATA XREF: .text:00401CE4o
					; .text:0040268Co
		unicode	0, <cy>,0
		align 4
aBo:					; DATA XREF: .text:00401C98o
					; .text:00402680o
		unicode	0, <bo>,0
		align 4
aMn:					; DATA XREF: .text:00401FC8o
					; .text:00402674o
		unicode	0, <mn>,0
		align 4
aSa:					; DATA XREF: .text:004020F0o
					; .text:00402668o
		unicode	0, <sa>,0
		align 4
aMr:					; DATA XREF: .text:00401FF0o
					; .text:0040265Co
		unicode	0, <mr>,0
		align 4
aAs:					; DATA XREF: .text:00402650o
		unicode	0, <as>,0
		align 4
aMl:					; DATA XREF: .text:00401FC0o
					; .text:00402644o
		unicode	0, <ml>,0
		align 4
aKn:					; DATA XREF: .text:00401F48o
					; .text:00402638o
		unicode	0, <kn>,0
		align 4
aTe:					; DATA XREF: .text:004021CCo
					; .text:0040262Co
		unicode	0, <te>,0
		align 4
aTa:					; DATA XREF: .text:004021C0o
					; .text:00402620o
		unicode	0, <ta>,0
		align 4
aOr:					; DATA XREF: .text:00402058o
					; .text:00402614o
		unicode	0, <or>,0
		align 4
aGu:					; DATA XREF: .text:00401E88o
					; .text:00402608o
		unicode	0, <gu>,0
		align 4
aPa:					; DATA XREF: .text:00402060o
					; .text:004025FCo
		unicode	0, <pa>,0
		align 4
aBn:					; DATA XREF: .text:004025F0o
		unicode	0, <bn>,0
		align 4
aTt:					; DATA XREF: .text:00402218o
					; .text:004025E4o
		unicode	0, <tt>,0
		align 4
aUz:					; DATA XREF: .text:00402254o
					; .text:004025D8o
		unicode	0, <uz>,0
		align 4
aTk:					; DATA XREF: .text:004021F4o
					; .text:004025CCo
		unicode	0, <tk>,0
		align 4
aSw:					; DATA XREF: .text:004021B0o
					; .text:004025C0o
		unicode	0, <sw>,0
		align 4
aKy:					; DATA XREF: .text:00401F80o
					; .text:004025B4o
		unicode	0, <ky>,0
		align 4
aKk:					; DATA XREF: .text:00401F30o
					; .text:004025A8o
		unicode	0, <kk>,0
		align 4
aMs:					; DATA XREF: .text:00401FF8o
					; .text:0040259Co
		unicode	0, <ms>,0
		align 4
aYi:					; DATA XREF: .text:00402288o
					; .text:00402590o
		unicode	0, <yi>,0
		align 4
aGa:					; DATA XREF: .text:00401E60o
					; .text:00402584o
		unicode	0, <ga>,0
		align 4
aSe:					; DATA XREF: .text:00402110o
					; .text:00402578o
		unicode	0, <se>,0
		align 4
aMt:					; DATA XREF: .text:00402004o
					; .text:0040256Co
		unicode	0, <mt>,0
		align 4
aHi:					; DATA XREF: .text:00401EACo
					; .text:00402560o
		unicode	0, <hi>,0
		align 4
aFo:					; DATA XREF: .text:00401E10o
					; .text:00402554o
		unicode	0, <fo>,0
		align 4
aKa:					; DATA XREF: .text:00401F28o
					; .text:00402548o
		unicode	0, <ka>,0
		align 4
aAf:					; DATA XREF: .text:0040253Co
		unicode	0, <af>,0
		align 4
aZu:					; DATA XREF: .text:004022B8o
					; .text:00402530o
		unicode	0, <zu>,0
		align 4
aXh:					; DATA XREF: .text:00402280o
					; .text:00402524o
		unicode	0, <xh>,0
		align 4
aVe:					; DATA XREF: .text:00402268o
					; .text:00402518o
		unicode	0, <ve>,0
		align 4
aTn:					; DATA XREF: .text:004021FCo
					; .text:0040250Co
		unicode	0, <tn>,0
		align 4
aTs:					; DATA XREF: .text:00402210o
					; .text:00402500o
		unicode	0, <ts>,0
		align 4
aSt:					; DATA XREF: .text:0040219Co
					; .text:004024F4o
		unicode	0, <st>,0
		align 4
aMk:					; DATA XREF: .text:00401FB8o
					; .text:004024E8o
		unicode	0, <mk>,0
		align 4
aHsb:					; DATA XREF: .text:00401EC0o
					; .text:004024DCo
		unicode	0, <hsb>,0
aEu:					; DATA XREF: .text:00401DE0o
					; .text:004024D0o
		unicode	0, <eu>,0
		align 4
aAz:					; DATA XREF: .text:004024C4o
		unicode	0, <az>,0
		align 4
aHy:					; DATA XREF: .text:00401ED0o
					; .text:004024B8o
		unicode	0, <hy>,0
		align 4
aVi:					; DATA XREF: .text:00402270o
					; .text:004024ACo
		unicode	0, <vi>,0
		align 4
aFa:					; DATA XREF: .text:00401DE8o
					; .text:004024A0o
		unicode	0, <fa>,0
		align 4
aTg:					; DATA XREF: .text:004021D4o
					; .text:00402494o
		unicode	0, <tg>,0
		align 4
aLt:					; DATA XREF: .text:00401FA0o
					; .text:00402488o
		unicode	0, <lt>,0
		align 4
aLv:					; DATA XREF: .text:00401FA8o
					; .text:0040247Co
		unicode	0, <lv>,0
		align 4
aEt:					; DATA XREF: .text:00401DD8o
					; .text:00402470o
		unicode	0, <et>,0
		align 4
aSl:					; DATA XREF: .text:00402130o
					; .text:00402464o
		unicode	0, <sl>,0
		align 4
aBe:					; DATA XREF: .text:00402458o
		unicode	0, <be>,0
		align 4
aUk:					; DATA XREF: .text:00402240o
					; .text:0040244Co
		unicode	0, <uk>,0
		align 4
aId:					; DATA XREF: .text:00401EE0o
					; .text:00402440o
		unicode	0, <id>,0
		align 4
aUr:					; DATA XREF: .text:00402248o
					; .text:00402434o
		unicode	0, <ur>,0
		align 4
aTr:					; DATA XREF: .text:00402208o
					; .text:00402428o
		unicode	0, <tr>,0
		align 4
aTh:					; DATA XREF: .text:004021E0o
					; .text:0040241Co
		unicode	0, <th>,0
		align 4
aSv:					; DATA XREF: .text:004021A4o
					; .text:00402410o
		unicode	0, <sv>,0
		align 4
aSq:					; DATA XREF: .text:00402168o
					; .text:00402404o
		unicode	0, <sq>,0
		align 4
aSk:					; DATA XREF: .text:00402128o
					; .text:004023F8o
		unicode	0, <sk>,0
		align 4
aHr:					; DATA XREF: .text:00401EB4o
					; .text:004023ECo
		unicode	0, <hr>,0
		align 4
aRu:					; DATA XREF: .text:004020DCo
					; .text:004023E0o
		unicode	0, <ru>,0
		align 4
aRo:					; DATA XREF: .text:004020D0o
					; .text:004023D4o
		unicode	0, <ro>,0
		align 4
aRm:					; DATA XREF: .text:004020C8o
					; .text:004023C8o
		unicode	0, <rm>,0
		align 4
aPt:					; DATA XREF: .text:00402090o
					; .text:004023BCo
		unicode	0, <pt>,0
		align 4
aPl:					; DATA XREF: .text:00402078o
					; .text:004023B0o
		unicode	0, <pl>,0
		align 4
aNo:					; DATA XREF: .text:0040203Co
					; .text:004023A4o
		unicode	0, <no>,0
		align 4
aNl:					; DATA XREF: .text:00402028o
					; .text:00402398o
		unicode	0, <nl>,0
		align 4
aKo:					; DATA XREF: .text:00401F50o
					; .text:0040238Co
		unicode	0, <ko>,0
		align 4
aJa:					; DATA XREF: .text:00401F20o
					; .text:00402380o
		unicode	0, <ja>,0
		align 4
aIt:					; DATA XREF: .text:00401F00o
					; .text:00402374o
		unicode	0, <it>,0
		align 4
aIs:					; DATA XREF: .text:00401EF8o
					; .text:00402368o
		unicode	0, <is>,0
		align 4
aHu:					; DATA XREF: .text:00401EC8o
					; .text:0040235Co
		unicode	0, <hu>,0
		align 4
aHe:					; DATA XREF: .text:00401EA4o
					; .text:00402350o
		unicode	0, <he>,0
		align 4
aFr:					; DATA XREF: .text:00401E18o
					; .text:00402344o
		unicode	0, <fr>,0
		align 4
aFi:					; DATA XREF: .text:00401E00o
					; .text:00402338o
		unicode	0, <fi>,0
		align 4
aEs:					; DATA XREF: .text:00401D78o
					; .text:0040232Co
		unicode	0, <es>,0
		align 4
aEn:					; DATA XREF: .text:00401D28o
					; .text:00402320o
		unicode	0, <en>,0
		align 4
aEl:					; DATA XREF: .text:00401D20o
					; .text:00402314o
		unicode	0, <el>,0
		align 4
aDe:					; DATA XREF: .text:00401CF4o
					; .text:00402308o
		unicode	0, <de>,0
		align 4
aDa:					; DATA XREF: .text:00401CECo
					; .text:004022FCo
		unicode	0, <da>,0
		align 4
aCs:					; DATA XREF: .text:00401CDCo
					; .text:004022F0o
		unicode	0, <cs>,0
		align 4
aZhHans:				; DATA XREF: .text:004022A0o
					; .text:004022E4o
		unicode	0, <zh-Hans>,0
aCa:					; DATA XREF: .text:00401CBCo
					; .text:004022D8o
		unicode	0, <ca>,0
		align 4
aBg:					; DATA XREF: .text:004022CCo
		unicode	0, <bg>,0
		align 4
aAr_1:					; DATA XREF: .text:off_4022C0o
		unicode	0, <ar>,0
		align 8
aRegistryMach_6:			; DATA XREF: .text:00401644o
					; .text:00401BE4o
		unicode	0, <\Registry\Machine\SYSTEM\CurrentControlSet\Control\Kernel>
		unicode	0, <Velocity>,0
aKvf_hotpatchsi:			; DATA XREF: .data:006B3180o
		unicode	0, <KVF_HotPatchSimulation>,0
		align 10h

_GUID_LEGACY_DEVICE_DETECTION_STANDARD:	; DATA XREF: IopQueryResourceHandlerInterface+13Fo
		fidiv	word ptr [eax+596A50FEh]
		rcl	byte ptr [ecx],	cl
		movsd
		mov	eax, 1AF80000h
		inc	esi
		sbb	[esi+6752ACC9h], ebp ; DATA XREF: _CmUpdateDevicePanel+1EEo
		js	short near ptr dword_412DE4+1
		inc	esp
		test	eax, 0AE685C15h
		jmp	far ptr	0:263C8h
; 

_DEVPKEY_Device_PhysicalDeviceLocationPanel: ; DATA XREF: _CmUpdateDevicePanel+1E1o
		sub	bl, 0DAh
		and	al, 23h
		cwde
		clc
		dec	edi
		xchg	eax, edx
		cmpsb
		cmp	cl, [ecx-77h]
		clc
		sub	al, 2
; 
		db 3 dup(0)
_CLFS_LSN_NULL_EXT dd 0			; DATA XREF: CmpLogCheckpoint+34r
					; CmpTransWriteLog:loc_8F6E1Fr
dword_412DAC	dd 0			; CODE XREF: .text:00412DD9j
					; DATA XREF: CmpLogCheckpoint+3Fr ...
; 

_GUID_DEVINTERFACE_DISK:		; DATA XREF: IopCreateArcNamesDisk+4Eo
		pop	es
		arpl	bp, si
		push	ebx
		mov	edi, 9411D0B6h
		repne add [eax-7404E137h], ah

_GUID_DEVINTERFACE_CDROM:		; DATA XREF: IopCreateArcNamesCd+7Do
		or	[ebx-0Bh], ah
		push	ebx
		mov	edi, 9411D0B6h
		repne add [eax-7404E137h], ah

_GUID_DEVICE_PROPERTY_CHANGED:		; DATA XREF: PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance+39o
		xchg	eax, ecx
		xlat
		push	ebp
		hlt
		jg	short loc_412DDB
		fmul	dword ptr [eax-50h]
		jnz	short near ptr dword_412DAC

loc_412DDB:				; CODE XREF: .text:00412DD4j
		and	eax, 37A101C4h
; 
_WNF_PO_PREVIOUS_SHUTDOWN_STATE	dd 0A3BCB075h ;	DATA XREF: PopCheckShutdownMarker+FDr
dword_412DE4	dd 41C6013Dh		; CODE XREF: .text:00412D85j
					; DATA XREF: PopCheckShutdownMarker+108r
; 

_WHEA_RECORD_CREATOR_GUID:		; DATA XREF: WheapInitializeErrorRecordWrapper(x,x,x)+1Ao
					; WheaInitializeRecordHeader(x)+28o
		mov	ebp, 89CF07C4h
		mov	bh, 18h
		dec	esi
		mov	bl, 0C4h
		pop	ds
		jnb	short loc_412E21
		mov	ch, 71h
; 
		db 31h
; 

_ulInvalidTypes:			; DATA XREF: ValidateRegistrLangType(x)+12o
		sbb	[eax], al
; 
		dw 0
		dd 6, 3, 5
		db 2 dup(4)
word_412E0A	dw 0			; CODE XREF: .text:loc_412E21j
		dd 204h, 180h, 1000h
dword_412E18	dd 9786744Dh, 0AD5998F8h ; DATA	XREF: ValidateRegistrLangType(x)+24o
					; NtLockProductActivationKeys+35o
		db 3Eh
; 

loc_412E21:				; CODE XREF: .text:00412DF3j
		jl	short near ptr word_412E0A
		das
		xor	ecx, esi
		movsb
		fstp	qword ptr [eax+39h]
		js	short loc_412EA9
		db	2Eh
		inc	ecx
		in	eax, dx

loc_412E2F:				; CODE XREF: .text:00412E3Aj
		mov	dh, 9Bh
		lea	ebx, [ebp+1Eh]
		fimul	dword ptr [esi-346EB233h]
		jno	short near ptr loc_412E2F+1
		scasd
		and	al, 0BDh
		mov	eax, ds:6334363Ch
		cwde
		std
		retn	0DACFh
; 
		db 34h,	87h, 82h
		dd 2C7EFB57h, 235F1812h, 0
; 

_PiAuSwDeviceCreateSidSubAuthorities:	; DATA XREF: PiAuCreateStandardSecurityObject+49o
		push	es
; 
		db 3 dup(0)
		dd 50h,	7814C1FAh, 62BFFACDh, 0E553E9D8h, 36C5CE3Fh, 932F1D58h
		dd 6, 50h, 6C0FB67h, 80F4626Eh,	0A61FA01Fh, 0D337C11h
		dd 0C788D56h, 6, 50h, 0EB83221Fh, 63A193E8h, 546B16CFh
		dd 0E04E4C2Bh
		db 0CAh
; 

loc_412EA9:				; CODE XREF: .text:00412E2Aj
		mov	ds:6EA46h, eax
; 
		dd offset loc_500000
		align 4
		dd 40E99055h, 0A5BC6D4Ah, 0AC6C902Eh, 33590007h, 2282253Ch
		dd 6, 50h, 88E22455h, 30BEAA59h, 76257957h, 0C90888C8h
		dd 7E1018CEh, 6, 50h, 1A963466h, 5CF1AAB9h, 0F8123019h
		dd 7448CE95h, 304EFDA0h, 6, 50h, 5E3B5DD1h, 0C118A0D1h
		dd 96C11A43h, 0E02DB9E5h, 485FE331h, 6,	50h, 0AB6AFCE3h
		dd 0F1187771h, 47C59827h, 0F2850F72h, 0B9CDB924h, 6, 50h
		dd 0BCDB0D9Ch, 0A889886h, 0B0F4CAA0h, 8B87F47Dh, 859C4D88h
		dd 6, 50h, 0ED564F19h, 22AD3107h, 43BBB8E3h, 7B31F7C2h
		dd 18699616h, 6, 50h, 0CCC8A67Eh, 2FA7AE2Ah, 0E1FBEBC1h
		dd 0C06BE3BAh, 0AF2BD0DAh, 6, 50h, 0F8EE4D1Ah, 1231C877h
		dd 8682C501h, 0A1C73FCBh, 0D3BF5936h, 6, 50h, 0EE0C95A0h
		dd 984BD7A0h, 0D19BA62Eh, 0A30C68BAh, 0C34282BFh, 6, 50h
		dd 4D7B47h, 0A9C72120h,	7F2FC2D6h, 0C0B08940h, 0B1B7AE4Fh
		dd 6, 50h, 33CE37B6h, 1930A4EDh, 0CD85060Eh, 53474620h
		dd 0A89B2B75h, 6, 50h, 0AFDC689Eh, 890A9D68h, 0C660FEE7h
		dd 4F0D4AE0h, 0B992095Ch, 6, 50h, 0E967CCF4h, 7D6A138Dh
		dd 0B5A1A4F6h, 6BFBC5BAh, 2E2D1C23h, 6,	50h, 84BCD217h
		dd 2CFDBC23h, 63057641h, 0A7088411h, 8D395ED0h,	6, 50h
		dd 0D6E5F306h, 28FF93D8h, 55E74BBAh, 631AA5B5h,	0FCD12D75h
		dd 6, 50h, 9A2BBAE3h, 0A0C06AFh, 51DCD4E8h, 3A9A76D0h
		dd 59649BB6h
		db 6, 2	dup(0)
; 

loc_41308B:				; CODE XREF: .text:004130BFj
		add	[eax+0], dl
; 
		dw 0
		dd 0F89DBB43h, 606F2B65h, 0AB133054h, 576AA6B1h, 7DB64680h
_CPER_EMPTY_GUID dd 4 dup(0)		; DATA XREF: WheaAddErrorSourceDeviceDriverV1(x,x,x,x)+3Bo
; 

_DEFAULT_DEVICE_DRIVER_CREATOR_GUID:	; DATA XREF: WheaAddErrorSourceDeviceDriverV1(x,x,x,x)+2Bo
		lea	edi, [ecx+57h]
		pop	si
		sti
		inc	esp
		xor	byte ptr [ebx],	9Bh
		jz	short loc_41308B
		into
		fistp	word ptr [ebx+0] ; DATA	XREF: PpmInfoRegisterCallbacks()+21o
; 
		db 3 dup(0)
		dd 2 dup(0)
		dd 20000h
_GUID_PROC_CAP_BASE dd 3 dup(0)		; DATA XREF: PpmPerfProcCapFloorSettingCallback(x,x,x,x)+23o
					; PpmInfoRegisterCallbacks()+15o
		dd 10000h
_WmipFirmwareTableArray	dd 0C0000h	; CODE XREF: .text:00413141j
					; DATA XREF: WmipFirmwareTableHandler+41r ...
dword_4130E8	dd 20000h		; DATA XREF: WmipFirmwareTableHandler+4Dr
		dd 0E0000h, 20000h
_PopPowerRequestMapping	dd 3 dup(20000h), 1F0000h ; DATA XREF: PopPowerRequestInit()+68o
_WNF_EXEC_THERMAL_LIMITER_TERMINATE_BACKGROUND_TASKS dd	0A3BC2075h
					; DATA XREF: PopUpdateBackgroundCoolingStatus(x)+12r
dword_413108	dd 2831628h		; DATA XREF: PopUpdateBackgroundCoolingStatus(x)+1Ar
asc_41310C:				; CODE XREF: .text:00413143j
		unicode	0, <:(>,0
		align 4
a_txr:
		unicode	0, <.TxR>,0
		align 10h
aSystemroot:				; DATA XREF: .text:00403908o
		unicode	0, <SystemRoot>,0
		align 4

_DEVPKEY_DriverDatabase_SystemRoot:	; DATA XREF: .text:00403900o
					; PiDrvDbGetNodeSystemRoot(x,x)+6Bo
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr _WmipFirmwareTableArray+1
		jz	short near ptr asc_41310C+5

loc_413145:				; CODE XREF: .text:004131A1j
		inc	edi
		fstp	tbyte ptr [edx+15h]
; 
aSetupstatus:				; DATA XREF: .text:004038F0o
		unicode	0, <SetupStatus>,0
aSetupoptions:				; CODE XREF: .text:004131A3j
					; DATA XREF: .text:004038D8o
		unicode	0, <SetupOptions>,0
		align 10h
aUpdatedate:				; DATA XREF: .text:004038C0o
		unicode	0, <UpdateDate>,0
		align 4

_DEVPKEY_DriverDatabase_LastUpdateDate:	; DATA XREF: .text:004038B8o
					; PiDrvDbQuerySyncNodesUpdated(x,x)+113o
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	loc_413145
		jz	short near ptr aSetupoptions+0Dh
		inc	edi
		fstp	tbyte ptr [edx+12h]
; 
aSchemaversion:				; DATA XREF: .text:004038A8o
		unicode	0, <SchemaVersion>,0
aConfigoptions:				; DATA XREF: .text:00403890o
		unicode	0, <ConfigOptions>,0
aConfigmode:				; CODE XREF: .text:00413245j
					; DATA XREF: .text:00403878o
		unicode	0, <ConfigMode>,0
		align 4
aUnloadtimeout:				; CODE XREF: .text:00413259j
					; DATA XREF: .text:00403860o
		unicode	0, <UnloadTimeout>,0
aUpdated:				; DATA XREF: .text:00403848o
		unicode	0, <Updated>,0
aOeminfmap:				; CODE XREF: .text:0041325Bj
					; DATA XREF: .text:00403830o
		unicode	0, <OemInfMap>,0
; 

_DEVPKEY_DriverDatabase_OemDriverInfFileMap: ; DATA XREF: .text:00403828o
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr aConfigmode+5
		jz	short near ptr aUnloadtimeout+19h
		inc	edi
		fstp	tbyte ptr [edx+4]

_DEVPKEY_DriverDatabase_ProcessorArchitecture: ; DATA XREF: .text:00403810o
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr aUnloadtimeout+1
		jz	short near ptr aOeminfmap+1
		inc	edi
		fstp	tbyte ptr [edx+3]
; 
aVersion:				; DATA XREF: .text:00403800o
		unicode	0, <Version>,0
aRegistrytransa:
		unicode	0, <RegistryTransaction>,0
aKernelobjects:
		unicode	0, <KernelObjects>,0
aRegistryMachin:			; DATA XREF: .text:0040391Co
		unicode	0, <\Registry\MACHINE\System\CurrentControlSet\Control\CI\NGE>
		unicode	0, <N>,0
		align 10h
aUuidsequencenu:
		unicode	0, <UuidSequenceNumber>,0
		align 4
aKernelobjectsB:
		unicode	0, <\KernelObjects\BcdSyncMutant>,0
		align 4
aCrc64RefsV1	db 'Crc64 ReFS-v1',0    ; DATA XREF: .text:00401BD8o
		align 8
_crc64Map32_	dd 2 dup(0)		; DATA XREF: .text:00401BC0o
		dd 177EB231h, 0B8C533C1h, 766AF709h, 455341D1h,	61144538h
		dd 0FD967210h, 0ECD5EE12h, 8AA683A2h, 0FBAB5C23h, 3263B063h
		dd 9ABF191Bh, 0CFF5C273h, 8DC1AB2Ah, 7730F1B2h,	813C4F4Fh
		dd 21942116h, 9642FD7Eh, 995112D7h, 0F756B846h,	64C760C7h
		dd 0E0280A77h, 0DC025306h, 6DE9A15Dh, 0AB32A2B4h, 7A97136Ch
		dd 13F79175h, 1B835654h, 0EE61E365h, 0CFDE465h,	56A4D0A4h
		dd 2789E9Eh, 4328422Dh,	15062CAFh, 0FBED71ECh, 74126997h
		dd 67B03FCh, 636CDBA6h,	0BEBE303Dh, 0EEAD708Ch,	0C98EC18Fh
		dd 0F9D3C2BDh, 714BF24Eh, 98C78785h, 8CDD805Eh,	8FB935B4h
		dd 3418B39Fh, 8344D1D1h, 62BC633Bh, 943A63E0h, 0DA7950FAh
		dd 0F52E26D8h, 27EF22EAh, 0E25094E9h, 9F2A112Bh, 6F913FC3h
		dd 0E81AE099h, 78EF8DF2h, 50DFD358h, 19FBC8CAh,	0AD49A148h
		dd 0E857AFBh, 158C9289h, 4F13D3Ch, 8650845Ah, 138F8F0Dh
		dd 3E95B79Bh, 729BCA35h, 0C303C58Bh, 65E57804h,	7BC6F64Ah
		dd 0E824D32Eh, 0CF607F8h, 0FF5A611Fh, 0B4333439h, 9E4E2427h
		dd 49A54629h, 89309616h, 0F16075E8h, 85CD7273h,	0A7C4A54Ch
		dd 92B3C042h, 1F01968Dh, 0F3A7857Ah, 0E297E49Dh, 0E4D9374Bh
		dd 5A52D75Ch, 69189C61h, 2D6226EEh, 7E662E50h, 95A7152Fh
		dd 1F726B68h, 6831673Fh, 80CD959h, 0D0F454FEh, 689A3A2h
		dd 0C578C677h, 11F71193h, 7DBDF5B6h, 70E354ABh,	802B87A6h
		dd 679DE69Ah, 38EEB467h, 0EA5C4DB0h, 4FDE45D5h,	0FD22FF81h
		dd 0F71B7614h, 9C36BAB9h, 0A8D0404h, 8B480888h,	0B24837C5h
		dd 87B5ECEDh, 0E4ECE761h, 90CB5EDCh, 5C29D4A0h,	0F1DF1BE4h
		dd 0A1BFA6B0h, 0E6A1A9D5h, 197A9571h, 6B6002FFh, 6E4A64C3h
		dd 7C1EB0CEh, 0D68F5702h, 1D0AF5F6h, 2B192512h,	0A7447C7h
		dd 93DC16D3h, 5175E913h, 38782EE7h, 460B5B22h, 80BD1D26h
		dd 271F1E1Ah, 7D2B6F36h, 3061AC2Bh, 0C5EE5CF7h,	0BDA00701h
		dd 0B2DEAD45h, 0AADEB530h, 0A1B9E84h, 0CBCAF008h, 0F78DEC94h
		dd 0DCB44239h, 4F48DF55h, 0D049A65Ch, 19EC0FF1h, 0C737146Dh
		dd 0A1293C30h, 0A6235155h, 5CBF4E20h, 0B15DE364h, 0E47A7DE1h
		dd 3C9C484Eh, 934A8C53h, 2BE2FA7Fh, 2B8FBF92h, 4AF6BF47h
		dd 0D619CD82h, 5D880D76h, 6EDCFE43h, 530D778Dh,	7B506CCAh
		dd 4473C5BCh, 0C3955F0Bh, 25678084h, 3E032D1Bh,	321932B5h
		dd 86C61EDAh, 0BFD8999Fh, 0F1F6EF68h, 0A8A62BAEh, 4933DCA9h
		dd 0C9B26E96h, 0B4A5AEB9h, 0DECCDCA7h, 0C609D78h, 0D23138C2h
		dd 5AC44DDCh, 0C54F8AF3h, 0E2017E1Dh, 0A45BCFCBh, 1F970C0Dh
		dd 0B3257DFAh, 0A7523FCCh, 3EE4D6D0h, 0D062CE7Eh, 299A64E1h
		dd 68A7FDBFh, 488E21D9h, 95318FAFh, 5FF093E8h, 2DF4BC6Eh
		dd 5584D42Fh, 0BE28AABDh, 42FA661Eh, 6ED997Ch, 23EE2326h
		dd 0FB7BEB6Ch, 34909117h, 43BED8ADh, 0B9513A3Dh, 348E291Fh
		dd 0AE2F880Ch, 8C4B1ADEh, 0CF3BCD34h, 71DD68CEh, 0D8457F05h
		dd 0C9185B0Fh, 0D4B89B60h, 9FBC8BABh, 0C3C62951h, 2779B86Ah
		dd 0A2D26C69h, 0DAEFCA7Ah, 0B5ACDE58h, 622AF9BBh, 386D7572h
		dd 151A0809h, 2F13C743h, 0ADDF3BC8h, 4E07827Bh,	504949D8h
		dd 5979304Ah, 0E88C7A19h, 57FC4AB1h, 0FD00E890h, 4082F880h
		dd 45C5DB51h, 2196BDB8h, 0B853A941h, 36E80F89h,	969A80h
		dd 0BB29A4A3h, 77A66B32h, 0AC571692h, 0CF6358F3h, 0CD4353AAh
		dd 32F52AE3h, 0DA3DE19Bh, 8A301922h, 0D6C005FEh, 0DC94C986h
		dd 0C1BEB7CFh, 6451FA47h, 0A0AAF2F7h, 99C78857h, 0B7D440C6h
		dd 2102BB96h, 3A15EBECh, 56324A24h, 2D6B59DDh, 0EEF779E5h
		dd 4C7F1CE5h, 13610BF5h, 5B01AED4h, 0ABA43834h,	0A2EBD226h
		dd 70F05DCEh, 0B5956017h, 0C8356E0Fh, 0D481252Fh, 35A31C1Fh
		dd 0C3FF971Eh, 8D662FDEh, 4E3E3C34h, 0FA56DE6Ch, 59408E05h
		dd 4293EDADh, 3854CB3Dh, 0BF059FBDh, 2F2A790Ch,	7C0AC7Ch
		dd 23D79D69h, 51647CD8h, 34A92F58h, 0E9A14F19h,	55BD6A60h
		dd 14373D09h, 42C3D851h, 0ACF20EC8h, 0CF02737Bh, 0DBC2FF7Ah
		dd 0D87CC14Ah, 6307CCBBh, 0B9688472h, 9E91BEABh, 0AE163643h
		dd 26548D6Ah, 0A0934CB8h, 33D81FE3h, 0B7EDFE89h, 8B1D2C22h
		dd 0D6F9BBB1h, 768B5E32h, 0C1870980h, 0CE4E6DF3h, 4C46A2AAh
		dd 0B97E9C41h, 5B38109Bh, 1BBAF80h, 3A2C55A3h, 0FC2DDD90h
		dd 2D52E792h, 44E8EE51h, 21AF03F7h, 124C3EF5h, 36D1B1C6h
		dd 0AA890D34h, 57C5F4FEh, 571F7F24h, 40BB46CFh,	0EFDA4CE5h
		dd 0CD7AEDE5h, 98EABD57h, 0DA045FD4h, 202F8E96h, 0BB101AECh
		dd 0DDB9FC86h, 0AC6EA8DDh, 657CCF47h, 0A61AEF1Ah, 0F6A0D994h
		dd 0B1645D2Bh, 4E65EA55h, 0D0701813h, 0B3F39845h, 0C70EAA22h
		dd 0B36AB84h, 4ACF0108h, 7C065A36h, 5DB1B339h, 0C4C369F7h
		dd 3CA5F601h, 39551BE7h, 2BDB4430h, 81902826h, 2726A055h
		dd 0D734F882h, 30581264h, 6FF1CB43h, 514C575Ch,	9267B953h
		dd 4632E56Dh, 2AA28A92h, 0CBF34E47h, 5D927B20h,	0DC8DFC76h
		dd 0E55748E1h, 0BD99B94Eh, 18C13AF1h, 0AAE70B7Fh, 0A0040930h
		dd 0A4627184h, 0B5889BB9h, 0B31CC3B5h, 0D4DA878h, 0D208868Dh
		dd 0F0DBDA68h, 0C57634BCh, 481EE9A9h, 48B79F96h, 3F2E181Bh
		dd 5FC92DA7h, 87EB2BDAh, 3EDD689Fh, 7A7D59CAh, 29A3DAAEh
		dd 0C2B86A0Bh, 255E3ECBh, 941CBAAFh, 32208CFAh,	2CD9896Eh
		dd 5334C9C2h, 0D14FFB7Eh, 444A7BF3h, 698AC8BFh,	0C98BD0D9h
		dd 1EBA390Dh, 0DEF562E8h, 0A67F0ACCh, 0BFE127D0h, 5BE978DCh
		dd 0A89F95E1h, 0E32C4B1Dh, 0F39E3B35h, 48887329h, 0E4E08904h
		dd 0F04D40E8h, 85F4CC3Ch, 0DDB32F8h, 928A7E0Dh,	0B51E0139h
		dd 1F4BD527h, 0C22EF08Bh, 8356716h, 7AEBC34Ah, 6921222Eh
		dd 877DB15Ah, 7E5F901Fh, 3FB8829Bh, 72A2747Ah, 691C523Fh
		dd 65DCC64Bh, 0D1D961FEh, 4C88373h, 2C4F13EEh, 13B63142h
		dd 948A202Fh, 9E779A68h, 0E3BAD19Dh, 89092859h,	5B7FE25Ch
		dd 0E81D6D61h, 0A6E9904Ch, 0FF63DF50h, 1E2CA38Dh, 0F1E6A5ABh
		dd 0BA03104h, 0E698179Ah, 0B36502C5h, 878C52A2h, 4EF370D5h
		dd 90F2E093h, 0F6364314h, 1D334BB9h, 8106B2A6h,	0A4DF988h
		dd 39C38167h, 6B59BCB0h, 0C455F377h, 7C270E81h,	7C90C0B6h
		dd 70DAEAE4h, 2A341012h, 67A458D5h, 92F123D3h, 6B01DEDh
		dd 6F6751C3h, 11CEAFDCh, 0D7A26202h, 9C0F04F6h,	0A09293B0h
		dd 8B71B6C7h, 1857A071h, 0EA65F3FFh, 0E5C1D261h, 0FD1B41CEh
		dd 5D04E1A0h, 0F76F0609h, 0CED8F773h, 0E011B438h, 761DC4B2h
		dd 8105F100h, 8B8BB6A2h, 967B4331h, 334E8563h, 1BBAE81Bh
		dd 447E74D1h, 0CC45A2Ah, 0FCBB4710h, 6DD01F12h,	12D3500h
		dd 7AAEAD23h, 0B9E806C1h, 76534946h, 0EF4CD665h, 612DFB77h
		dd 5789E5A4h, 39BE4Fh, 0AA1F97B4h, 17470C7Eh, 12DAA475h
		dd 9A86A754h, 65EA55C7h, 8DF81565h, 0DD2F6606h,	0ECEC505Dh
		dd 20B91416h, 0FB92E26Ch, 987C27D7h, 0F5179897h, 8DF0B55Eh
		dd 0E2692AA6h, 3535869Fh, 837D6F9Eh, 0C8A3F48Fh, 9403DDAFh
		dd 7066C74Eh, 19C27685h, 75636FCh, 0EBCC4B4h, 0BF93053Dh
		dd 6FA8818Ch, 4205772Dh, 78D633BDh, 0FAC044ECh,	742BD7D8h
		dd 0AC649448h, 635565E9h, 14A1A789h, 24120D1h, 0E937D599h
		dd 153F92E0h, 51F2E658h, 98FE39CAh, 26C217EAh, 8F808BFBh
		dd 9E07242Bh, 0EE94CEC3h, 6391563Bh, 0F9EA7CF2h, 0DB5465FAh
		dd 2 dup(0)
		dd 68E04748h, 0F6F734B7h, 89571DFBh, 0D9374F3Dh, 0E1B75AB3h
		dd 2FC07B8Ah, 4A39A89Dh, 86B7B828h, 22D9EFD5h, 70408C9Fh
		dd 0C36EB566h, 5F80F715h, 0AB8EF22Eh, 0A977C3A2h, 0CCE4C251h
		dd 39B65603h, 0A4048519h, 0CF4162B4h, 45B3DFAAh, 0E081193Eh
		dd 2D5398E2h, 16762D89h, 86DD6ACCh, 0BF01EE2Bh,	0EE3D2D84h
		dd 49F6DA9Ch, 0F8A7737h, 6636A116h, 676A307Fh, 90C195A1h
		dd 99C984A2h, 736CAC07h, 0F129C3EAh, 859B98B0h,	109E9959h
		dd 0AA5BE33Ah, 787EDE11h, 5CACD78Dh, 0D3F02C3Fh, 0F5DB142Fh
		dd 0BB106B77h, 32C2098h, 5AA731C4h, 2CEC5B12h, 3247768Ch
		dd 0DA1B6FA5h, 552D46F3h, 4ADAFA04h, 3DCD01BBh,	0BC2DCEB3h
		dd 0DC7A5B08h, 93EDB539h, 0B49A1C40h, 651A818Eh, 1F14EE6Eh
		dd 0CC6D422Ch, 77F4A926h, 3A9A769Bh, 9643F395h,	155A0D11h
		dd 0FEA3B4DDh, 0E3AD39A6h, 33930944h, 0E6D9580Fh, 5B734E0Ch
		dd 102E6CB8h, 0BAC414BFh, 3FEE1732h, 0D22453F7h, 0C9192385h
		dd 79AAA1D9h, 606EE027h, 114AE691h, 9699D490h, 0F0FDBC22h
		dd 0B959AF1Ah, 981DFB6Ah, 4FAE9BADh, 0FF77CB15h, 0DF6F0E0Ch
		dd 97978C5Dh, 29983ABBh, 7620D6EEh, 6584131h, 1EC091A6h
		dd 0F0AF7586h, 0B54E6388h, 59D8B624h, 0DDAE24C0h, 0AF2F8293h
		dd 3C197E73h, 80EFF919h, 54F9393Bh, 7618CDAEh, 0AA5A8DE6h
		dd 95B5F408h, 0C2BACAAEh, 6342C0BFh, 230D901Dh,	4C82BB35h
		dd 4BEDD755h, 0BA758F82h, 0E063257Bh, 13024C20h, 88836233h
		dd 0E5F57897h, 69343880h, 0CA35031Dh, 1D47FC8h,	3CC237AAh
		dd 66BE4FB7h, 0AC03A20Bh, 0E5E08FFh, 5AF496BCh,	0EFE9524Ch
		dd 7534ED36h, 87091504h, 83C3D981h, 2C87E72Ah, 2AB41A23h
		dd 4467A062h, 0DC432E94h, 0A5D0FAD1h, 0F383551Eh, 0CD30BD99h
		dd 57461A9h, 3FB181E3h,	0F96B964Dh, 5751C6ABh, 0F9CA2FAh
		dd 0B6E69C18h, 205CD970h, 0DE06DB50h, 0D6ABEDC7h, 7588297Eh
		dd 7FDC2E65h, 1D686E36h, 892B1AD2h, 0FCDF3485h,	0A6EB6158h
		dd 943F73CDh, 501C55EFh, 0F35543B2h, 0C0DDC04Eh, 9BB504FAh
		dd 362AF4F9h, 7A025E49h, 19EA8F73h, 12E21901h, 0EF1DBBC4h
		dd 0B96CEB2Fh, 466A7866h, 0D18CAC67h, 0B09D4CD1h, 303BF6D4h
		dd 9F5D375Bh, 58DBB19Ch, 69AA03ECh, 0A6780541h,	8A073A4Ah
		dd 0CE984209h, 7CF00EFDh, 2F2F18BAh, 53307577h,	47CF5FF2h
		dd 0A5C741C0h, 0EC41ADDCh, 0CB08262h, 84A1EA94h, 0FA47B6D5h
		dd 6516B027h, 0D587CD5Fh, 0DF6F76Fh, 2370F9E8h,	6A9CC710h
		dd 0B3B16C49h, 27C8058h, 454658FEh, 0E3CBDAEBh,	6A862374h
		dd 8B2B9DA3h, 9C7117C3h, 20A56F8Dh, 3506D461h, 484528C5h
		dd 0C3F1E0D6h, 0A9F27276h, 0EC319B5Ch, 0C112353Eh, 1AC6AFEBh
		dd 0C2288A7h, 1FB2CE42h, 64C2CFEFh, 0E945FAF5h,	8575955Ch
		dd 0C685817Fh, 0ED95D214h, 3072B5C8h, 461B203Ah, 9905766Ah
		dd 2EFB6772h, 6FF242DDh, 0CF4C3DC1h, 40323957h,	0A7AC7A89h
		dd 0B6C50DE0h, 0C0C64AF6h, 26049841h, 0A8260DBEh, 0D0F3ACF6h
		dd 4991570Dh, 0FF33D77Ch, 21711045h, 9C4E3CBh, 8AFFE26Bh
		dd 0A0B32069h, 0E21FA523h, 564414DEh, 3A8FF90h,	79846F54h
		dd 6B48B8D8h, 8F735BE3h, 95EB0C05h, 6CDE6245h, 0FD0B4B4Dh
		dd 9A2956F2h, 1CBC11FEh, 0B5E92D78h, 745C56B6h,	431E19CFh
		dd 0DFD2A498h, 0EA69DA6Dh, 0B732E3D0h, 1C9EEEDAh, 5685B963h
		dd 335E9550h, 3E65FE2Bh, 0C5A9A1E7h, 590FCE54h,	55683446h
		dd 31EF891Ch, 0A39F00F1h, 0D058D3AFh, 8C5F7B7Bh, 0B8B894E7h
		dd 7AA84FCCh, 133666C9h, 0D3DF8C6Eh, 7BD62181h,	2528B8D9h
		dd 9A617B32h, 0AE8C353h, 0F2813C7Ah, 0FC1FF7E4h, 27F490ADh
		dd 0C60E0AC9h, 4F14D7E5h, 30F93E7Eh, 0AEA38D56h, 1F3945F4h
		dd 0C643CA1Eh, 0E9CE7143h, 6DCD3830h, 40B9B2E1h, 52D7F78h
		dd 0B64E8656h, 0E49A25CBh, 998EFDDCh, 8C7A6283h, 6F79C96Bh
		dd 0EB1052FCh, 0FFB85CCAh, 83F015B4h, 94F687Dh,	62474F07h
		dd 268F13F7h, 0AA7084Fh, 0D0782740h, 0A129FA61h, 790FE4E2h
		dd 0C9C9BD29h, 8FF8D055h, 287EE79Ah, 0A038ABDFh, 409EA0D2h
		dd 56CF9F68h, 0BE3D140Fh, 0B562A6CEh, 0D6DD5347h, 43959279h
		dd 376A09F4h, 6C55E9F3h, 5F8A4EBCh, 9AA2DD44h, 0F404BC92h
		dd 33D51EE6h, 9CE4FBDAh, 0C5222A51h, 7D53A169h,	0EAE251DBh
		dd 15B3E621h, 1C15656Ch, 72D9D65Eh, 8CD4F0CDh, 1A399116h
		dd 7A23C47Ah, 0FB8ECBA5h, 55E3BFF0h, 936E8CEDh,	0A3148B47h
		dd 38E07EC3h, 0A6348E5h, 5000398Bh, 0FC947C52h,	0B1B76338h
		dd 0D35407D8h, 0D9572470h, 25A3336Fh, 146799E9h, 20D752C6h
		dd 7C87DEA1h, 0D6206671h, 9D308412h, 0F9E01DFBh, 0F5D0C35Ah
		dd 0F17294Ch, 5E5E3174h, 0A660EAEEh, 36BE763Ch,	5097DE59h
		dd 0D7092C8Fh, 7F57A5D3h, 0BFE96BC7h, 89A09164h, 0D8835BB8h
		dd 196104C5h, 0B0631CF0h, 0EF963072h, 51D44643h, 0C0564BF8h
		dd 3934010Bh, 36A17F4Fh, 92BAF325h, 9FD6BCEDh, 0FA5AB46Dh
		dd 6921885Ah, 1BEDEEDEh, 46E1F3D0h, 730DA996h, 0B016C767h
		dd 8DAE1D4Bh, 53BBFEC1h, 0E54E5A03h, 0A54CCA76h, 4F900B0h
		dd 8A8CB1FCh, 6C1947F8h, 7C7B854Bh, 0C797B5D6h,	0D50C46E9h
		dd 0AF77F29Eh, 23FB725Eh, 4EC0A82Dh, 0C3B09D4h,	2620EF65h
		dd 0FACC3D63h, 414ADF1Ah, 6A0DA8C2h, 29AA9852h,	9CFA9C75h
		dd 0C81DC2E1h, 0B33AE7FFh, 0A0FD85A9h, 45CDD348h, 0B737787h
		dd 0ECBA10EAh, 639330CFh, 1A4D245Dh, 82246A7Ch,	358D5FD7h
		dd 0EAC42D34h, 0C37A6B60h, 1845114Eh, 3F659C84h, 70A55606h
		dd 0C992A833h, 91120CB5h, 0E652D3B9h, 0F9F24BFDh, 10A5E70Eh
		dd 527CB9D3h, 0B9D224ACh, 3A9CFE9Bh, 4F25101Bh,	0DB2BA428h
		dd 60E56B91h, 0B3CBE360h, 96125F26h, 0D4A1D31Fh, 6D3CA87h
		dd 0BC419457h, 0F024FE30h, 5DF6CEE4h, 0DFE485BAh, 351689ACh
		dd 2913B10Dh, 9E987B82h, 806472AFh, 0F6783CCAh,	76934618h
		dd 17CF6679h, 59533D92h, 7F2F2131h, 0AFA40925h,	818C95ECh
		dd 4C093083h, 0E96CD2A4h, 0BAFE0434h, 8DB8817h,	953E7FBEh
		dd 603BCF5Fh, 63C94B09h, 0CBB53D71h, 0CABE88ABh, 0A3557A39h
		dd 3C49BC1Ch, 42E2208Ah, 1389C796h, 2A0267C2h, 0E57EF321h
		dd 4D6857BDh, 75BF6680h, 258810F5h, 83485237h, 0C43F4A46h
		dd 0AC8829BDh, 0ACDF0D0Eh, 5A7F1D0Ah, 751FF20h,	0F308DEA8h
		dd 6FB1B868h, 5FFEA1Fh,	8E06E2DBh, 2A3F9195h, 0E6E6A593h
		dd 0DCC8A522h, 2BD6180Ah, 0D9BCC48Bh, 43365F42h, 2F4BF03Ch
		dd 0A28105F1h, 8B8BB6h,	0CA6142B9h, 0F67CBF01h,	61EFB097h
		dd 5F0B7CA3h, 90FF7DFh,	0A9FC4814h, 0E8B8AD6Ch,	863C339Eh
		dd 8058EA24h, 70CB0729h, 0E732DA5Bh, 0E00A9288h, 8FD29D13h
		dd 16FDA63Fh, 6E65C7A0h, 393DDDB5h, 68580E8h, 0CFCAE902h
		dd 0AD0B72C6h, 66BD2AA0h, 0C5EB358Eh, 904A1E17h, 245C6F3Dh
		dd 0BF8A659Dh, 4CBC2875h, 497D512Ah, 0B21F9CA8h, 0AAD0688Ch
		dd 0DAFFDBE0h, 5C275C3Bh, 3B488153h, 73E727B1h,	53A8C61Bh
		dd 85101306h, 0F8263435h, 2C67D0A4h, 90C6737Dh,	0DA90E413h
		dd 717129CEh, 0F5509F99h, 19916E86h, 3A7AB2Eh, 7EFB5EF9h
		dd 93663E8Fh, 161B19B1h, 65910A38h, 0F7AC4302h,	4A5171B2h
		dd 9F4C044Ah, 0BCA64505h, 34C2F664h, 15D186A7h,	5C22B12Ch
		dd 0E326B210h, 0BD95EB9Fh, 0CCE6C99Ah, 0D575ACD7h, 3A11FD2Dh
		dd 2 dup(0)
		dd 0A512335Dh, 71B0C13Dh, 4A2466BAh, 0E361827Bh, 0EF3655E7h
		dd 92D14346h, 0CCDF5E1Fh, 0F21A22A5h, 69CD6D42h, 83AAE398h
		dd 86FB38A5h, 117BA0DEh, 23E90BF8h, 60CB61E3h, 0C1292F55h
		dd 0D0ED6318h, 643B1C08h, 0A15DA225h, 8B0D49EFh, 338CE163h
		dd 2E1F7AB2h, 423C205Eh, 0DF6714Ah, 22F741BDh, 0A8E44217h
		dd 53478080h, 47D217F0h, 0C196C3C6h, 0E2C024ADh, 0B02602FBh
		dd 0DAC5CDC1h, 9503E062h, 7FD7FE9Ch, 0E4B3215Fh, 90E1AB7Bh
		dd 76626219h, 35F39826h, 7D2A324h, 161A93DEh, 6719C2C7h
		dd 0B308A083h, 16A903FAh, 5C3EF564h, 847840BCh,	0F92CC639h
		dd 0F5C88181h, 1BECE294h, 45EE837Ah, 0BEFED1C9h, 345E4247h
		dd 51C8842Eh, 0A68F0101h, 0F4DAB773h, 0D73FC03Ch, 0D733BC8Bh
		dd 0B7F4A1DFh, 72218FD6h, 0C64460E2h, 9D17DA31h, 549523A4h
		dd 3805E96Ch, 2525E299h, 0ED1C08E9h, 1EDEE696h,	480E3BB4h
		dd 6F6E27ABh, 0A7386E53h, 0FDBF64EDh, 22A5D0Eh,	8C0FA5D0h
		dd 21C356F6h, 0ECC4C433h, 84D165ABh, 9D74050Eh,	6BE7304Ch
		dd 0FA54648h, 0CEF50311h, 7E158775h, 2C3527BCh,	0CE33858Eh
		dd 892714E1h, 0BF8344B3h, 66114106h, 2D5207F5h,	0C303725Bh
		dd 5CE2C6C8h, 0E0EA79A3h, 3C29A72Bh, 45F84AFEh,	4D996616h
		dd 0AACE1F19h, 0DF482550h, 0FDC2C44h, 0AEF8E46Dh, 37D9C528h
		dd 8BDD06F4h, 92CBF675h, 0FA6DC7C9h, 7DFDA392h,	68BC848Fh
		dd 0D8EF90CFh, 190C45B2h, 0FB069B37h, 79C72451h, 5E14A86Ah
		dd 877E56Ch, 0B122FD8Dh, 9AA6A62Ah, 1430CED0h, 0EB166717h
		dd 0F6F0EA7Dh, 5B3065ECh, 53E2D920h, 2A80A4D1h,	0BCD48CC7h
		dd 0B851E797h, 19C6BF9Ah, 0C9E126AAh, 3A2FB462h, 0A92A4749h
		dd 9F3D873Fh, 0D89A8674h, 700BD2D8h, 4A4BC532h,	0D519E185h
		dd 3BFB040Fh, 0DA3811D2h, 3DBDCD2Dh, 7F2A228Fh,	4C0D0C10h
		dd 901C7768h, 0DEDC4F56h, 350E4435h, 0AF6C8E6Bh, 16E74FCDh
		dd 0CFA7EF88h, 0B3F57C90h, 0BE172EB5h, 5CC32977h, 2CC66DF3h
		dd 0F9D11A2Ah, 5D76ACCEh, 1B113E87h, 0ED50AE35h, 0BE030DDAh
		dd 9CE06F08h, 5135583Dh, 0E312C4Eh, 0F4276B60h,	7F81ED73h
		dd 0D7CE6098h, 1F4A8C90h, 72DC53C5h, 6EFA4DADh,	9DEA0622h
		dd 0FC2B0EEBh, 38F8357Fh, 8D9BCFD6h, 0FDDC13h, 0A8BE2D4Fh
		dd 0A5EFEF4Eh, 0D90EEC72h, 4AD9BAA9h, 4BDFAF34h, 0EFCB89F4h
		dd 3A6F6E09h, 0CC22820Ch, 5AA40FEAh, 6930B151h,	2B14CED7h
		dd 8606E4B6h, 0B9C58D91h, 2314D7EBh, 0C8754CACh, 0C1D4F346h
		dd 78534E57h, 64C6C01Bh, 9E38F6Ah, 8BF095FCh, 9B32CC2Ch
		dd 2EE2A6A1h, 0EA820D11h, 0D0BAD59h, 8A496CF2h,	0A8199E04h
		dd 0FBF9ADCFh, 472FCBE3h, 6928EE89h, 0E23DF8BEh, 18982FB4h
		dd 3724193Bh, 23632BBBh, 92362A66h, 52D3EA86h, 7D007F81h
		dd 0C002A9C0h, 0D8124CDCh, 0B1B268FDh, 0FBFB4724h, 0D179091Eh
		dd 5EE97479h, 0A0C9C823h, 0B1DF219Eh, 32188B65h, 14CD12C3h
		dd 43A84A58h, 0F60D366Eh, 0F38E48A3h, 531F0533h, 823E899Eh
		dd 0BC2950D4h, 10EFCAD8h, 193B6389h, 615F0BE5h,	3AD26871h
		dd 1946A06h, 9FC05B2Ch,	7024AB3Bh, 70F60ECBh, 0E2F5E87Dh
		dd 0D5E43D96h, 93452940h, 0EDE1D4FAh, 0B660CBD9h, 48F3E7A7h
		dd 0C7D00AE4h, 0A7C5B240h, 550149A2h, 2D7811Dh,	24B1889Fh
		dd 213E8AE5h, 447AE97Ch, 842CB9B8h, 35CA2841h, 6B1AEC5Fh
		dd 0A71B6B07h, 0CE08DF02h, 0D6ABAA3Ah, 2CC8FBAFh, 668DA8C1h
		dd 89DAC8F2h, 173D69FCh, 66EC9D15h, 85EC2ABAh, 0C3FEAE48h
		dd 0F45CEB87h, 0E017A5B0h, 94978A64h, 450596EDh, 0E5274B59h
		dd 0AA33C30Ah, 77F6081Fh, 0F21F057h, 646C922h, 0B47023A4h
		dd 7B7B9A5Bh, 116210F9h, 0ACB5B66h, 0FE54451Eh,	981A1820h
		dd 5B467643h, 0E9AAD91Dh, 78AF7DBBh, 8961B8FEh,	0DDBD4EE6h
		dd 0F8D179C3h, 328B1B01h, 6A003A85h, 9799285Ch,	1BB0FBB8h
		dd 75590CF1h, 0AB96F943h, 0D04B3FACh, 0DA26387Eh, 3F7D6A4Bh
		dd 48F77B38h, 9A6F5916h, 3947BA05h, 0B98652EEh,	598CDBE6h
		dd 1C9461B3h, 283C1ADBh, 0F3A23454h, 0BAED599Dh, 56B00709h
		dd 0CB5D98A0h, 6EB5EE65h, 0EE787A39h, 0CBA7DD38h, 9FC8BB04h
		dd 249188DFh, 0D19F842h, 8183BB82h, 7CA9397Fh, 0A26AB07Ah
		dd 1C62589Ch, 7788327h,	6DD299A1h, 0E84ED6C0h, 0FF03DAE7h
		dd 4D5CE59Dh, 8EB31BDAh, 0AF9CC130h, 3E951921h,	0A8EF26Dh
		dd 4F25D81Ch, 0E5B8A78Ah, 0DDF49B5Ah, 40AA94D7h, 0AC445A67h
		dd 63439F2Fh, 0CC8F3B84h, 0C651AC72h, 0BD3FFAB9h, 2967F995h
		dd 2FEEB9FFh, 8C75CAC8h, 5E5E78C2h, 596C2B4Dh, 65A57CCDh
		dd 0FC7E1810h, 1415BDF0h, 13484DF7h, 86C4FEB6h,	0B65A7EAAh
		dd 0F7743F8Bh, 95B37552h, 97BF5E68h, 30A1460Fh,	0E60F9F55h
		dd 0DF9713E8h, 74DEDC13h, 7A8520B5h, 56E1D2Eh, 98450418h
		dd 0B5481FD5h, 3D573745h, 0C4F8DEE8h, 0D26162A2h, 56299DAEh
		dd 777351FFh, 27995C93h, 549A5A07h, 47523D70h, 0F188695Ah
		dd 36E2FC4Dh, 1EBE3CBDh, 0A433BF0Bh, 0BBAC0FE0h, 0D5837E36h
		dd 83A9E68Ch, 0F0A69CAFh, 26BBD5D1h, 81165D92h,	0C98D8036h
		dd 13C71ED4h, 6C9FB36Bh, 6277DFE9h, 4F76B893h, 2BCBE0Ah
		dd 0EA648BCEh, 730C7F37h, 552DE29h, 0E1DD3C71h,	0A040ED74h
		dd 906DFD4Ch, 4280C9D9h, 204BFFB7h, 0E792FA84h,	51FB3E8Ah
		dd 8A4AF63h, 0C32A7DCCh, 0ADB69C3Eh, 0B29ABCF1h, 8E5F97C6h
		dd 0D251DD12h, 2B4DA49Bh, 0A3E11C2Fh, 0C47BF17Ch, 31305F69h
		dd 6169C221h, 40809E54h, 6E483276h, 46C65776h, 0CB5A012Bh
		dd 3776964Bh, 246C54CCh, 0A5A7D50Dh, 817E6791h,	0D4171430h
		dd 0A2976C69h, 0B4DC75D3h, 7855F34h, 0C56CB4EEh, 0E8B30AD3h
		dd 57BDF7A8h, 4DA1398Eh, 260D3695h, 0AF611D23h,	962B346Eh
		dd 0A732E7Eh, 0E79BF553h, 0E5457B99h, 754AB615h, 405748C4h
		dd 4FA7728h, 63BE433Ch,	643116CBh, 0C6AC7061h, 1581D7F6h
		dd 299A2586h, 875094B0h, 8C8816DBh, 0F6E0558Dh,	0B48DFFB7h
		dd 0D3C5B714h, 119FCCEAh, 0A2757629h, 0FEA9990Dh, 30A4356Fh
		dd 5BBBAA50h, 4114F452h, 7852A1A8h, 21DF95B1h, 0DD4092F5h
		dd 506F548Ch, 3276C712h, 0C2BE17CAh, 9764F44Fh,	0B30ED6F7h
		dd 75A4D0E2h, 328D40Ch,	0D0B6E3BFh, 72981531h, 3F80B658h
		dd 0E0495677h, 9A928505h, 91F9974Ah, 0B97B8EFDh, 0F132F6A9h
		dd 1C69BDA0h, 80823794h, 0F35FE847h, 125374D2h,	564DDB1Ah
		dd 63E3B5EFh, 83543A9Fh, 5818B1E0h, 264609C2h, 29A870DDh
		dd 0C9705C25h, 0BB79339Bh, 6C626F78h, 0CAC9F2A6h, 4F8B6480h
		dd 0AA029345h, 0EA9957DDh, 0DBB25278h, 5AF023Ah, 4963113Eh
		dd 0A0BD3167h, 38D3D003h, 427D15CAh, 88F5D2F8h,	0E76F2697h
		dd 0F94513C5h, 8597370h, 6B945083h, 0AD4B402Dh,	1A2491BEh
		dd 8EA24BD5h, 7AEFF05Dh, 2BB07888h, 0B5F3160h, 0C4862D6Fh
		dd 998E7226h, 61941E32h, 0E83EB31Bh, 5991F75Eh,	0CD1B5182h
		dd 0FC83C403h, 0BCAB90BFh, 13B591E4h, 2E7AD3F9h, 0B6A7A2B9h
		dd 5FCA12C4h, 954EA941h, 3F017327h, 305C9A1Ch, 4EB1B21Ah
		dd 0DF6ACFFBh, 0DC60F15Ch, 7A78FCA6h, 0ADD03061h, 98B8D80Bh
		dd 1DF6329Ah, 3DAAEB56h, 6C46F3A7h, 0D29CBEB1h,	0FE97B0E1h
		dd 778E8DECh, 8F2771DCh, 54678614h, 0EFEC103Fh,	0F175B549h
		dd 9E5CD102h, 1E43E0AEh, 0C8D9244h, 0BB51D3F3h,	7D3D5379h
		dd 2 dup(0)
; 
		pop	esi
		xchg	eax, ecx
		adc	eax, 0DB6C480Fh
		mov	edi, 46BCB1D7h
		retn
; 
		db 0FEh, 6Fh, 4Bh
		dd 49A92089h, 0F4B4928Bh, 8D7963AEh, 96DFFD86h,	826CF2F0h
		dd 290491CEh, 0CBC5D279h, 0DDB00345h, 0C4D04327h, 626B6F0Dh
		dd 42655437h, 1966DD5Eh, 4D70C569h, 0A6BDB116h,	4D9E5E0h
		dd 5209239Dh, 0BCC74BEh, 0EDD24FD5h, 0CF1C3799h, 8FB920D8h
		dd 0C009A6C7h, 30624C90h, 89A0864Eh, 0C4D6DE1Bh, 86B51710h
		dd 7B0DB253h, 84CAA86Eh, 32CDBABCh, 8BDF3930h, 8D16D6F4h
		dd 0C27619B9h, 79A2447Fh, 0CD6388E7h, 0C6792837h, 9B3CBC0h
		dd 0A412473Ah, 6A65A9Eh, 1BC92B72h, 4F0F7A17h, 0EF7DB9F9h
		dd 401AEB49h, 50A6D5B1h, 0C6AFFC59h, 2BAB67E2h,	0C9BA6D07h
		dd 94700BAAh, 80134D8Eh, 60C49921h, 8F06DCD0h, 0DF1FF569h
		dd 4BD69FF7h, 0BD749A64h, 44C30EA9h, 2AFF62Ch, 0D6A2E20h
		dd 0F61B64A7h, 27FBF7Eh, 49C008EFh, 99550DCh, 659B7579h
		dd 680C182h, 0DA401931h, 4F29E10Bh, 2EF48BBAh, 403C7055h
		dd 912FE7F2h, 84EC3372h, 0F34488FFh, 8BF9A22Ch,	4C9FE4B7h
		dd 0C25082A5h, 0B82B763Ch, 0CD4513FBh, 7F01A74h, 4BF004EBh
		dd 7CFDA827h, 44E595B5h, 0C326C46Fh, 0D4CB53Ch,	379256E4h
		dd 2592462h, 88493AACh,	0C6896745h, 0EA2255A1h,	0C99CF61Bh
		dd 55F939E9h, 8035D692h, 0A14DAB62h, 8F2047CCh,	1E96C72Ah
		dd 8D5FF8B2h, 5756CFC5h, 824A69ECh, 0E88DA38Dh,	0CBE34965h
		dd 1C393106h, 0C4F6D83Bh, 0A3E25D4Eh, 269B1Ch, 0C1893243h
		dd 0F330A42h, 7E525E0Bh, 469A2ACBh, 8AE6CC80h, 498FBB95h
		dd 353DA0C8h, 0CF3AAC85h, 4E30129Bh, 0C02F3DDBh, 0F1EB7ED3h
		dd 89861D52h, 55FEC58h,	86938C0Ch, 0BA848010h, 4243CF2Bh
		dd 0D8EFEF1Dh, 4D565E75h, 67348355h, 4FF7EFCh, 938011DEh
		dd 0BEAEFA2h, 2C5B7D96h, 132AA1B8h, 0CB36EAF2h,	1C3F30E6h
		dd 74ED86BAh, 5596106Fh, 80591431h, 5A838131h, 3F827879h
		dd 9E53C216h, 5DE91774h, 91465348h, 0E2327B3Ch,	0D8EF73C1h
		dd 1686E9B7h, 0D7FAE29Fh, 0A95D85FFh, 514FF58Fh, 0D25037ACh
		dd 5E5A64D1h, 6D8B5BE4h, 17F34458h, 993FC96Fh, 18E6D506h
		dd 26E4A527h, 0DC369621h, 448FCA2Ah, 0D323077Fh, 0FB54A662h
		dd 9A8A27F6h, 0FE034E9h, 959FB6A8h, 0B03B58A1h,	97E009D6h
		dd 0F9FB504Eh, 98F59888h, 46203C06h, 0D15CB801h, 0B294AE8Dh
		dd 0DE49295Fh, 0D4FC2C5h, 1A996A78h, 6F24ADC8h,	158CFB26h
		dd 0D0FFC180h, 5C25DBAFh, 244B530Bh, 53304AF1h,	9B903F43h
		dd 0D5855DE1h, 0E09D8D10h, 0DA90CCBFh, 5F46E158h, 9339EC36h
		dd 0ABF273D3h, 9C2C7D68h, 14291F9Bh, 58FC3E4Fh,	76427096h
		dd 57E9AF11h, 0C9991CDEh, 1E408F98h, 3D2D8E55h,	11551EC6h
		dd 82F6E21Dh, 1ABFF164h, 0AEAD9F8Bh, 15AA603Ah,	1176F3C3h
		dd 5C0340B3h, 0E5C26148h, 5316D1EDh, 5A190D00h,	97C692CAh
		dd 3872620Dh, 98D30394h, 87A90E45h, 0D17A231Dh,	731D9CCEh
		dd 0DE6FB243h, 0CCC6F086h, 58DAA553h, 0B7CB42D5h, 57CF340Dh
		dd 8102E9Dh, 1E661484h,	0FCA4BC16h, 117385DAh, 437FD05Eh
		dd 0D5A3C6FDh, 2114BF53h, 0DAB657A3h, 9ECFD31Bh, 931F772Ah
		dd 6A7B4190h, 9C0AE674h, 0D5A02DD8h, 9E75590Ah,	9C602537h
		dd 9160C854h, 23BB497Fh, 0D8C9E8DDh, 0D70FDBF4h, 0D7DC7983h
		dd 68D4B7BCh, 130C3AA4h, 0ABFD8B1h, 1C19ABFAh, 0B564B4F9h
		dd 55B08B73h, 41D02672h, 5AA51A2Dh, 0FE0B4A3Ah,	0DC100D3Dh
		dd 8506F869h, 0D3059C63h, 3ADD9421h, 9AACBCEAh,	0CE6906AAh
		dd 95B92DB4h, 71B26AE2h, 51696E93h, 13D905EFh, 5E7CFFCDh
		dd 0AC0269A7h, 17D5DF44h, 58B6FB2Ch, 18C04E1Ah,	0E76D9764h
		dd 7EC2D01Bh, 0A2B4F3B7h, 71D74145h, 1D6F9FFFh,	387E61CCh
		dd 0E9DB0D74h, 376BF092h, 5600613Ch, 0F3BBB3B5h, 346B0E31h
		dd 0FCAE22EBh, 8BB06279h, 0B5070262h, 7F04F0F2h, 0BA12933Ch
		dd 0C0DF9CBAh, 3CA7842Ch, 0BBD22EE9h, 33B21572h, 40942A1h
		dd 7A1B35FBh, 0F0BDD02Ah, 750EA4A5h, 4F66BC62h,	0B1DEE782h
		dd 2D0DD36Fh, 0BECB76DCh, 92D6BF27h, 0F7625655h, 66622DACh
		dd 0F877C70Bh, 0D9B941E4h, 0FA087875h, 9079490Bh, 0F51DE92Bh
		dd 2FA22543h, 0BCB4C9A2h, 0DB16B7C8h, 0B3A158FCh, 64CDDB80h
		dd 77711BDBh, 6A6B48Dh,	78648A85h, 0B97DD8C5h, 31CDAA0Ch
		dd 4DC94A4Eh, 3ED83B52h, 0F2122606h, 0B86D2C42h, 891F9455h
		dd 0B778BD1Ch, 36C4F81Dh, 0FED19D95h, 0C2706A96h, 0F1C40CCBh
		dd 7DAB06DEh, 35144FECh, 1FC069D3h, 3A01DEB2h, 0A01B059Bh
		dd 73A8FE3Bh, 54AF9710h, 7CBD6F65h, 0EB74FB58h,	775780C7h
		dd 0C72F86CEh, 78421199h, 78F4EA86h, 31EB3110h,	8C40780Dh
		dd 3EFEA04Eh, 339B1445h, 0FA2EE369h, 51F07B48h,	0F53B7237h
		dd 0EE2B1700h, 0BC9252BEh, 1A9F858Bh, 0B387C3E0h, 0A544E9C3h
		dd 3532D4F0h, 0DE495B90h, 3A2745AEh, 619237D8h,	738E6527h
		dd 9526A553h, 7C9BF479h, 2AFDC91Bh, 0B84BB75Eh,	4896A616h
		dd 0B75E2600h, 0F74DCA5Eh, 0FEF70689h, 3F958D5h, 0F1E297D7h
		dd 0BC22349Dh, 0F39D28A9h, 0F5E23C72h, 0FC88B9F7h, 4A39503Ah
		dd 0B521997Eh, 0BE8DC2B1h, 0BA340820h, 156AEF9h, 7EE44B07h
		dd 633DC1F4h, 71F1DA59h, 0DCE6ADBCh, 3858FAD0h,	28523F37h
		dd 374D6B8Eh, 9789537Fh, 0B1F87C9Eh, 0EC84E12Ch, 0BEEDEDC0h
		dd 535F8D64h, 0F744CD49h, 0A7EB1FEFh, 0F8515C17h, 183073A7h
		dd 3C811F30h, 7A5B1CAAh, 33948E6Eh, 0C58070E2h,	7A3DAEE7h
		dd 3134E269h, 75283FB9h, 8EEF8E21h, 6DE871A3h, 69821945h
		dd 62FDE0FDh, 0D659750Dh, 2B54C074h, 22EDE786h,	2441512Ah
		dd 9D368BCEh, 0E091120Dh, 0FF5DE4C3h, 0EF848353h, 4086888Bh
		dd 0A62DA3DAh, 0B4321A00h, 0A9383284h, 0BE97648h, 2F8D2594h
		dd 70E4C41Bh, 2098B4CAh, 0CF3FA853h, 69319443h,	3B8B3AD8h
		dd 6624051Dh, 84505690h, 0A2F4463Ah, 0E63B399Dh, 0ADE1D764h
		dd 59E055D5h, 0E448F7EDh, 0AD54C75Eh, 0EB5D66B3h, 128FAB16h
		dd 0E922D9CDh, 5B4FA3F9h, 0E6374893h, 0E494CFB1h, 0AF9E681Ah
		dd 10205D3Ah, 0A08BF944h, 0AFFB3172h, 645BBA63h, 0CD905E7Fh
		dd 6B4E2B3Dh, 724B3237h, 22E70BB4h, 86FFA0BCh, 2DF29AEAh
		dd 3924CCF4h, 0AB478DFAh, 42297EA7h, 0A4521CA4h, 0FDF212EFh
		dd 0EDFB3C2Dh, 9468064h, 0E2EEAD73h, 0B69DEC2Ch, 263EEE54h
		dd 0D4F68321h, 292B7F0Ah, 6B2DEF69h, 60825F83h,	9F997DE2h
		dd 6F97CEDDh, 204211AAh, 647D217Fh, 0C196C3Ch, 6B68B021h
		dd 0B3C20074h, 22C190A8h, 477692FFh, 2DD401F6h,	0F8ADFEB7h
		dd 0E90442D1h, 9AC691BAh, 0E611D38Fh, 251DFDF2h, 0AFB8F306h
		dd 0D1A96F79h, 0A0AD6258h, 6E720331h, 26187548h, 157FB162h
		dd 290DE416h, 0AAA4DD2Ah, 60A4C49Fh, 5E104FA1h,	6FB155C1h
		dd 0E1CB23E9h, 0AB6116E6h, 83A04CE4h, 0A47487B8h, 3C7B20ACh
		dd 0EDDDA731h, 0C8CFB227h, 0E2C8366Fh, 7714DE6Fh, 0E0B78911h
		dd 3ED4D680h, 0EFA2184Fh, 810FBAC8h, 0A60B38C6h, 75BB2843h
		dd 0A91EA998h, 0CA60440Bh, 6DCEEABFh, 0A80B2B06h, 62DB7BE1h
		dd 17D0474Eh, 2B725B68h, 0E364D5C5h, 2467CA36h,	5CBFB98Dh
		dd 0A2D2DD26h, 27B20BDEh, 0ADC74C78h, 98696796h, 0E46E6CF1h
		dd 6CDDF51Dh, 0EB7BFDAFh, 0D3069955h, 2FABBE88h, 0B16DF658h
		dd 20BE2FD6h, 0EB69A10h, 69170F5Fh, 0FA02089Bh,	66029E01h
		dd 45D964D3h, 2	dup(0)
		dd 2AE10D77h, 3EA616BDh, 55C21AEEh, 7D4C2D7Ah, 7F231799h
		dd 43EA3BC7h, 0AB8435DCh, 0FA985AF4h, 816538ABh, 0C43E4C49h
		dd 0FE462F32h, 87D4778Eh, 0D4A72245h, 0B9726133h, 0F9FF8D3h
		dd 0C1E993BAh, 257EF5A4h, 0FF4F8507h, 5A5DE23Dh, 0BCA5BEC0h
		dd 70BCEF4Ah, 8203A87Dh, 0A41BCD0Fh, 3B71C94Eh,	8EFAC078h
		dd 5D7DFF3h, 0F1D9D7E1h, 463DE434h, 0DB38DA96h,	789BF289h
		dd 47A862CDh, 0B70A0127h, 6D496FBAh, 89AC179Ah,	126A7823h
		dd 0CA462C5Dh, 388B7554h, 0F4E03AE0h, 0EC2C5711h, 4D925BD3h
		dd 0C6CD5A66h, 73344D6Eh, 0B9EE4DFFh, 30DE76A9h, 930F4088h
		dd 0E786014h, 48379A1Eh, 76E3929Dh, 62D69769h, 48458420h
		dd 1DF580F0h, 0BAFBFE7h, 37148D87h, 3509A95Ah, 0E3B3AFC2h
		dd 8C7BC869h, 0C952A2B5h, 0B2DDDED4h, 0B671B52Ch, 0F137E513h
		dd 9C90B85Bh, 0CF91F3AEh, 0D7C756F1h, 5ACD241Dh, 0FD265B86h
		dd 646B32A0h, 82054C1Fh, 27810967h, 0A8E44168h,	19271FDAh
		dd 7C43632Dh, 0A0557EE9h, 56A26E5Ah, 9EF36854h,	298179C3h
		dd 0DD195393h, 36074B4h, 0E3BF452Eh, 0D858AE22h, 9B24B7A7h
		dd 0F2B9A355h, 0A582A11Ah, 8D9AB4CCh, 0E6689ADDh, 0A77BB9BBh
		dd 0D8CE8C60h, 73DC9BFEh, 61BCED53h, 593D9689h,	5F1AFBEEh
		dd 261E8110h, 1CF0C029h, 0CFF8C67h, 2256D694h, 906F343Ch
		dd 0EDC7253Ah, 0BA8E394Bh, 0D3613387h, 0C5AD2ED2h, 908B0840h
		dd 0EF4C23A5h, 0AE2D1EFDh, 3BEB01E0h, 175F7FCEh, 110A0C97h
		dd 29F96973h, 6E291B0Eh, 6A1352B4h, 44C81679h, 54B54409h
		dd 9FF0CCEFh, 2C2EB680h, 0B511C198h, 1288A03Dh,	0CA32D601h
		dd 51629BFAh, 0E0D3DB76h, 6FC48D47h, 3474F933h,	0D6B6EC74h
		dd 1E95F444h, 0E810FAC9h, 61B6E3DDh, 0ABFAC10Eh, 4B57EEAAh
		dd 955CD7B3h, 0AF8EADE2h, 0B59A483Bh, 856FA095h, 8B3C5E86h
		dd 0FA4CB70Ch, 0C8D66541h, 0D0ADBA7Bh, 0F67073FCh, 40A983Eh
		dd 4F0212CFh, 2EEB9549h, 71A40472h, 51C882D0h, 324E3FB5h
		dd 7B298FA7h, 0CE82908h, 0A0115531h, 7473DB81h,	8AF05846h
		dd 4AD5CD3Ch, 0F5D34FDFh, 93FF6FBh, 0DF3242A8h,	3799E046h
		dd 0B9560EDh, 8EEB8175h, 21746D9Ah, 0B04D97C8h,	5E577A03h
		dd 0F3A7AC0Fh, 74B67774h, 0CD01BAB2h, 0E826CF2Fh, 290491Ch
		dd 0C2C7C258h, 3C365FA1h, 0BDE4D5C1h, 7FDC6466h, 9705D8B6h
		dd 417A72DBh, 43A2FAF3h, 0F80813E8h, 6943F784h,	0C6AE0555h
		dd 1660E01Dh, 85443E92h, 3C81ED6Ah, 0BBE2282Fh,	0E7B937FCh
		dd 0C379DAA6h, 0CD583A8Bh, 0FDDFCC1Bh, 0B27B2D12h, 0BE35F7DCh
		dd 989A2065h, 8093E161h, 4C3D0220h, 39E18052h, 66DC0F57h
		dd 74796EFh, 19FF18CEh,	44ADAD28h, 331E15B9h, 7A0BBB95h
		dd 7849FB13h, 0EF576C26h, 52A8F664h, 0D1F17A9Bh, 2D8BE1FDh
		dd 921B415Ch, 76AEC8Ah,	0ACBD57E1h, 0D3CDCECFh,	15CF36D2h
		dd 0F92CC3B8h, 2B69206Fh, 860FD421h, 68831BA8h,	0ACEED956h
		dd 56250D15h, 77D603C0h, 2EBEFF9Ch, 5D370EB7h, 1018E921h
		dd 2214192Eh, 53F2D2E6h, 8F51459h, 6D54C45Bh, 0DC52361Ch
		dd 0D426A568h, 0F6B33B6Bh, 0EA80B3D5h, 89902CF2h, 0A96A8812h
		dd 0A3712185h, 97CC9EAFh, 3FE199DEh, 585D6D01h,	150094A9h
		dd 66FB7BBCh, 6A238330h, 2511407Bh, 40C28E47h, 1BB756C6h
		dd 9465AC02h, 0A2C537F5h, 0BE84A175h, 9C632148h, 0C1A7B6ECh
		dd 0DF891A8Fh, 0EB46BB9Bh, 0E12F0C32h, 307E610Dh, 99B4FEBBh
		dd 1A9F6C7Ah, 0A712E806h, 65BC7BE3h, 0E4F8D3C1h, 4F5D7694h
		dd 0DA5EC57Ch, 9BFA54D1h, 632CA44Fh, 0B11B59A6h, 5D8AB2F2h
		dd 0CE384E3Fh, 1E608935h, 0E4D94348h, 20C69F88h, 78AC8AFh
		dd 5FEDB624h, 2D6BC5D8h, 614BA099h, 5248D241h, 22A19B5Eh
		dd 78A9DF36h, 1C078DE3h, 0AC0EFD73h, 0A575ECD0h, 86EFF004h
		dd 9BD3FA6Dh, 0F9CCE79Dh, 0D839C1AAh, 0D32DEAEAh, 0E69FD717h
		dd 815307Ch, 9E04259Eh,	22F43D0Bh, 0A0A23323h, 5DD72A92h
		dd 0E34808E4h, 773627E5h, 0DDEE1E59h, 0A39105A0h, 649C7F6Ah
		dd 897008D7h, 5A3A69D7h, 0F6531F4Eh, 19D05210h,	0DCB21239h
		dd 277644ADh, 4022AA62h, 0E8E7B703h, 6AC3A715h,	0D641A1BEh
		dd 15E0B08Ch, 95AB9A79h, 3F01BDFBh, 0AB0D8CC4h,	0EBA69FBEh
		dd 127FEDF7h, 0C14792C9h, 2CD9FB4Ah, 0BE648550h, 6F33C08Dh
		dd 94858827h, 5195D630h, 4FBD52B1h, 290E24B9h, 655C5FC6h
		dd 17A83204h, 1A7F485Fh, 544209C3h, 309E4528h, 6AE41F7Eh
		dd 0E439676Dh, 0D3967E4Dh, 0CED86A1Ah, 0ED3068F0h, 0B1FB7D83h
		dd 0AEDA5337h, 9B1A70F4h, 907C458Ah, 0D04D9E5Eh, 5209239h
		dd 0FAAC9329h, 3B868484h, 858F84B0h, 786CBF43h,	0AF6E89C7h
		dd 46CAA9FEh, 7BC9AB82h, 0FFB8C8CDh, 5128A6F5h,	0C11EDE70h
		dd 2E0BB16Ch, 82F4E5B7h, 4EABC1Bh, 0BC52F30Ah, 0DFD2668Dh
		dd 0C4C90183h, 0F5336BFAh, 0FA6F173Eh, 8A107C63h, 0B9852CF9h
		dd 0A0F17114h, 87233A44h, 74565351h, 3E515B77h,	5EB75E26h
		dd 0F74DCAh, 219449BFh,	431D760Dh, 0B7544C8h, 7DBB60B0h
		dd 97E5FC93h, 0B22A931Eh, 0BD04F1E4h, 8C8C85A3h, 0C227E67Dh
		dd 0CF66BE64h, 0E8C6EB0Ah, 0F1C0A8D9h, 3C61C94Fh, 48B2C9EAh
		dd 1680C438h, 7614DF57h, 69A3D3A1h, 35FEE490h, 4342DED6h
		dd 0B58F22Dh, 987A0440h, 73C300A4h, 0B29B0937h,	4D651619h
		dd 0CDB81EAEh, 0E8F2DDEh, 0E75913D9h, 30293B63h, 33FE319Ch
		dd 895B5A50h, 191F3CEBh, 0B7FD4CEDh, 663C2B72h,	0F417772Ah
		dd 4CDD2605h, 0CAB16197h, 0A804654Dh, 0EA77FE1Fh, 82E5683Ah
		dd 0D4D1E8A2h, 0FDC67FA3h, 973BD365h, 0D72772D4h, 0A99DC5D8h
		dd 3805091h, 10EFA4EBh,	29615DE6h, 2E49B256h, 56424A7Fh
		dd 6DA38991h, 7CA34708h, 53059F2Ch, 0A79B9D9Eh,	2B9E6DA5h
		dd 8D7A90E9h, 15387B18h, 0F2598770h, 56D240DFh,	0D8B88A07h
		dd 68745662h, 0C1FA842h, 0D1063751h, 26FEA535h,	0EFA021ECh
		dd 59DDB2ACh, 0AC4A1A2Bh, 733CBFDBh, 92EC0C96h,	0EFAC0780h
		dd 5D7DFF38h, 0C54D0AF7h, 63DBE985h, 0BA6E1D6Eh, 2031D242h
		dd 908F1019h, 1E97C4FFh, 4428325Ch, 0A7E5A5CCh,	6EC93F2Bh
		dd 9943B371h, 11EA28B2h, 0DAA988B6h, 3B0B25C5h,	0E40F9E0Bh
		dd 0E033FF53h, 9C946C82h, 0CAD2F224h, 0A2327A3Fh, 0B5F1E5BDh
		dd 0E1D841F8h, 9F10E8CAh, 0DF7E5745h, 4BB7CA8Fh, 660C3676h
		dd 6156C7F8h, 58AA20CBh, 1E75D061h, 1B401B0Ch, 3494DD16h
		dd 25E60DB1h, 7FC333BCh, 0B0BADA02h, 55223ECBh,	8E1CCCBFh
		dd 2A012952h, 0CDF6F778h, 0E02425h, 0F350E1C5h,	0D4470660h
		dd 4A2280F6h, 0FEA60B17h, 7484964Bh, 81851C8Eh,	376EAD8Ch
		dd 0AB6411F9h, 9C8BB31h, 705CCB6Fh, 715349B8h, 5ABDC618h
		dd 4FF55F05h, 259ED181h, 0C1F64C2h, 0F7FDCF6h, 32B9727Fh
		dd 0DBD8FEB3h, 8BCB134Ch, 0F139F3C4h, 0B56D05F1h, 8E1AE45Dh
		dd 0F6873E36h, 0A4FBE92Ah, 0C821288Bh, 386B5171h, 7B0DB25h
		dd 128A5C06h, 3916CD98h, 6DA94B9Fh, 7AFCF65Fh, 474846E8h
		dd 445AE0E2h, 93EF64ADh, 0FD2881D1h, 0B90E69DAh, 0C38E976Ch
		dd 0C62D7E43h, 8064ACABh, 0ECCC7334h, 0BEC2BA16h, 37F4A9A2h
		dd 0C659489Fh, 1D15A4D5h, 0F8FF5E22h, 6236B34Ch, 0BB1565E5h
		dd 48D7BE3Bh, 85B37358h, 9C709C7Eh, 3CC1126Bh, 0B6919109h
		dd 26704D6h, 0C9B28690h, 418D3F11h, 0E3538BE7h,	7F2B29ACh
		dd 2 dup(0)
		dd 969951E5h, 169489CCh, 2D32A3CAh, 2D291399h, 0BBABF22Fh
		dd 3BBD9A55h, 5A654794h, 5A522732h, 0CCFC1671h,	4CC6AEFEh
		dd 7757E45Eh, 777B34ABh, 0E1CEB5BBh, 61EFBD67h,	0B4CA8F28h
		dd 0B4A44E64h, 2253DECDh, 0A230C7A8h, 99F82CE2h, 998D5DFDh
		dd 0F617D07h, 8F19D431h, 0EEAFC8BCh, 0EEF66956h, 78369959h
		dd 0F862E09Ah, 0C39D6B76h, 0C3DF7ACFh, 55043A93h, 0D54BF303h
		dd 31028D3Bh, 5D91BA9Ah, 0A79BDCDEh, 4B053356h,	1C302EF1h
		dd 70B8A903h, 8AA97F14h, 662C20CFh, 6B67CAAFh, 7C39DA8h
		dd 0FDFE9B4Ah, 11571464h, 46556965h, 2AEA8E31h,	0D0CC3880h
		dd 3C7E07FDh, 85C80213h, 0E935F4FEh, 135153F6h,	0FFA17D32h
		dd 0A8FAA1D9h, 0C41CE767h, 3E63F03Ch, 0D2886EABh, 0DFAD4587h
		dd 0B367D3CCh, 49341462h, 0A5F35A00h, 0F29FE64Dh, 9E4EC055h
		dd 6406B7A8h, 88DA4999h, 62051A76h, 0BB237534h,	0F49C4B93h
		dd 0ADB7FCF8h, 4F37B9BCh, 960A66ADh, 0D9AEE859h, 809EEF61h
		dd 38605DE2h, 0E1715206h, 0AEF90C07h, 0F7E5DBCAh, 1552FE28h
		dd 0CC58419Fh, 83CBAFCDh, 0DACCC853h, 0D6CF955Eh, 0F873B50h
		dd 4056C4BBh, 1913B29Ch, 0FBFD3694h, 22AE28C9h,	6D646771h
		dd 343AA105h, 8CAAD2CAh, 55D51C62h, 1A33832Fh, 434195AEh
		dd 0A1987100h, 78FC0FFBh, 370120E5h, 6E688637h,	5307974Dh
		dd 0E6B2CFAEh, 0C59EC6A8h, 0F0264662h, 7E353487h, 0CB9BDC37h
		dd 0E8AC6562h, 0DD0F55FBh, 962D0D9h, 0BCE0E89Ch, 9FFB813Ch
		dd 0AA746150h, 24507313h, 91C9FB05h, 0B2C922F6h, 875D72C9h
		dd 0E7CD1865h, 521681CAh, 71544980h, 44820806h,	0CAFFBBAFh
		dd 7F3F9253h, 5C66EA4Ah, 69AB1B9Fh, 0BDA85FF1h,	844A6F8h
		dd 2B310E14h, 1ED02F34h, 909AFC3Bh, 256DB561h, 603ADDEh
		dd 33F93CADh, 9C9DA787h, 429FCC3Bh, 0A04F662h, 540B45F7h
		dd 0B1AF044Dh, 6FB6DFA2h, 273655A8h, 7922566Eh,	0C6F8E013h
		dd 18CDEB09h, 5061B1F6h, 0E5962C5h, 0EBCA43D9h,	35E4F890h
		dd 7D53123Ch, 2370715Ch, 285728AFh, 0F63B825Fh,	0BECE794Ah
		dd 0E0AF0B93h, 5658B65h, 0DB1291C6h, 93FCDA80h,	0CD86180Ah
		dd 72326F3Bh, 0AC69A56Dh, 0E4AB3EDEh, 0BAFD2CA1h, 5F00CCF1h
		dd 8140B6F4h, 0C9999D14h, 97D43F38h, 0AD9F2ABCh, 1F0E76A1h
		dd 3B067B59h, 99AFF6Dh,	80AD8976h, 32276538h, 1634D893h
		dd 24B3ECF4h, 0F7FA6D28h, 455C5193h, 61633CCDh,	53C8D85Fh
		dd 0DAC8CEE2h, 6875420Ah, 4C519F07h, 7EE1CBC6h,	1955A594h
		dd 0ABAA38C5h, 8FCCF471h, 0BD3EB109h, 3467065Eh, 86832B5Ch
		dd 0A2FE57BBh, 9017A290h, 4330E200h, 0F1F81FF7h, 0D5A9B3E5h
		dd 0E76C963Bh, 6E0241CAh, 0DCD10C6Eh, 0F89B102Fh, 0CA4585A2h
		dd 0FE98BDF1h, 0F9BCB90Fh, 6801EC14h, 0EF2830C3h, 0D3AA1E3Bh
		dd 0D495AA96h, 45334FDEh, 0C201235Ah, 0A4FDFA65h, 0A3EE9E3Dh
		dd 3264AB80h, 0B57A17F1h, 89CF59AFh, 8EC78DA4h,	1F56084Ah
		dd 98530468h, 4A5232D9h, 4D18F76Bh, 0DCCB633Ch,	5B8C7EA7h
		dd 67609113h, 6031E4F2h, 0F1F9C0F6h, 76A56D3Eh,	1037754Dh
		dd 174AD059h, 86AE24A8h, 1DE5995h, 3D05D687h, 3A63C3C0h
		dd 0AB9C8762h, 2CF74A0Ch, 0CF9A30CAh, 0A42D0395h, 5903612Fh
		dd 0B2B98A59h, 0E2A89300h, 8904100Ch, 7431C2E5h, 9F9099C0h
		dd 95FF775Eh, 0FE7F24A7h, 36626BBh, 0E8EBAD6Bh,	0B8CDD494h
		dd 0D356373Eh, 2E548571h, 0C5C2BEF2h, 7B50BFE2h, 10894DF1h
		dd 0EDC9EE07h, 61DC43Dh, 56621C28h, 3DA05E68h, 0C0FB4DCDh
		dd 2B34D7A4h, 2135F876h, 4ADB6AC3h, 0B7ACA993h,	5C4FE30Fh
		dd 0C075BBCh, 67F2795Ah, 9A9E0A59h, 7166F096h, 393B4F0Eh
		dd 853F9877h, 0AFA21EEBh, 93AB11BBh, 1409ECC4h,	0A8168BEEh
		dd 8290BD21h, 0BE820222h, 635E089Ah, 0DF6DBF45h, 0F5C7597Fh
		dd 0C9F93689h, 4E6CAB50h, 0F244ACDCh, 0D8F5FAB5h, 0E4D02510h
		dd 8DF1C026h, 319BD613h, 1B6891C3h, 270F5FDFh, 0A0C363ECh
		dd 1CB2C58Ah, 365A3209h, 0A264C46h, 0D79487B2h,	6BC9F121h
		dd 410DD657h, 7D5D78EDh, 0FAA62478h, 46E0E2B8h,	6C3F759Dh
		dd 50746B74h, 839C235h,	0D8AE22EDh, 9EA093D0h, 0CE3AAB21h
		dd 250B61FFh, 0F5873174h, 0B392301Ah, 0E313B8B8h, 525C85A1h
		dd 82FC05DFh, 0C4C5D444h, 94688C13h, 7F6E266Bh,	0AFD51646h
		dd 0E9F7778Eh, 0B9419F8Ah, 0BCF34D1Dh, 6C0A6C89h, 2A6A1CF8h
		dd 7A9EE545h, 91C1EED7h, 41237F10h, 758BF32h, 57B7F6DCh
		dd 0E6960A89h, 36584BBBh, 700F5B6Ch, 20CCC277h,	0CBA4A943h
		dd 1B715822h, 5D3DF8A6h, 0DE5D1EEh, 5B3E5578h, 3E1CED43h
		dd 0CDA7049Dh, 2888648Fh, 760CF6B2h, 1335FEDAh,	0E095A757h
		dd 5A17716h, 15B12ECh, 644ECA71h, 97C24309h, 72DA43BDh
		dd 2C69B126h, 4967D9E8h, 0BAF0E0C3h, 5FF35024h,	0EFF4DA50h
		dd 8AB8A327h, 796D8BB5h, 9C2C2AEBh, 0C2C6799Ah,	0A791B0BEh
		dd 545F287Fh, 0B1053972h, 0B5919DC4h, 0D0EA8415h, 2308CC21h
		dd 0C67E0DD9h, 98A33E0Eh, 0FDC3978Ch, 0E3A6FEBh, 0EB571E40h
		dd 6A3CD843h, 638D57D9h, 0FCA589A6h, 7519DE15h,	470E7B89h
		dd 4EA44440h, 0D1972A6Ch, 5830CD8Ch, 30599FD7h,	39DF70EBh
		dd 0A6C0CE32h, 2F4BF927h, 1D6B3C1Dh, 14F66372h,	8BF26DF8h
		dd 262EABEh, 0DEF6576Bh, 0D72919BDh, 486F068Eh,	0C1BD9071h
		dd 0F3C4F4A1h, 0FA000A24h, 655DA544h, 0EC9483E8h, 849310FFh
		dd 8D7B3E8Fh, 120A411Ah, 9BEFB743h, 0A9A1B335h,	0A0522D16h
		dd 3F38E2D0h, 0B6C6A4DAh, 0A5A6E889h, 0C7A0544Ch, 333FB96Ch
		dd 0D134DD80h, 88944B43h, 0EA8947D5h, 1E0D1AA6h, 0FC1DCE19h
		dd 0FFC3AF1Dh, 9DF2737Eh, 695AFEF8h, 8B66FAB2h,	0D2F10CD7h
		dd 0B0DB60E7h, 44685D32h, 0A64FE92Bh, 116C67A1h, 73041A28h
		dd 87F53644h, 659093E4h, 3C5EC46Bh, 5E2D09B1h, 0AAC7958Eh
		dd 48B9807Dh, 4B092035h, 29563D1Ah, 0DD9071D0h,	3FC2B4D6h
		dd 663B83FFh, 47F2E83h,	0F0A2D21Ah, 12EBA74Fh, 94A465B2h
		dd 9A31EED6h, 23D3457h,	8CA5671Ah, 0B996C678h, 0B718FD4Fh
		dd 2F0F979Dh, 0A18C7483h, 0CEC12226h, 0C063C9E4h, 585873C3h
		dd 0D6F74028h, 0E3F381ECh, 0ED4ADA7Dh, 756AD009h, 0FBDE53B1h
		dd 206EEA9Ah, 2E95A0B2h, 0B6F7BB7Fh, 3801297Eh,	0D5C4950h
		dd 3BCB32Bh, 9BC518B5h,	15283AE7h, 7A0BAD0Eh, 74C78780h
		dd 0EC92FCEBh, 62530E4Ch, 57390EC4h, 59EE9419h,	0C1A05F21h
		dd 4F7A1DD5h, 0C7A3F2FFh, 7C832178h, 513AA31Ah,	6A17A8B4h
		dd 0EA915135h, 51AA32E1h, 7C0800D0h, 473EBB2Dh,	9DC6B56Bh
		dd 26D1064Ah, 0B5FE48Eh, 30458F86h, 0B0F416A1h,	0BF815D3h
		dd 266D4744h, 1D6C9C1Fh, 73697DD7h, 0C8276F1Ch,	0E5F02C32h
		dd 0DEB3E6D0h, 5E5BDE1Dh, 0E50E7C85h, 0C8C28FF8h, 0F39AF549h
		dd 290C3A43h, 9275482Eh, 0BF956BA6h, 84E1C1E2h,	43E9989h
		dd 0BF5C5BB7h, 92A7C86Ch, 0A9C8D27Bh, 0F6A17FC4h, 21129BE2h
		dd 60382E21h, 3786122Eh, 0DB93DC0Eh, 0C3B887Bh,	4D0A8DEBh
		dd 1AAF01B7h, 0ACC43850h, 7B40BCD0h, 3A5D69B5h,	6DD4351Ch
		dd 81F69B9Ah, 5669AF49h, 176FCA7Fh, 40FD2685h, 426BF0ECh
		dd 95B6D586h, 0D4F2A109h, 83225C4Ah, 6F595326h,	0B89FC61Fh
		dd 0F9C002C3h, 0AE0B4FD3h, 180EB778h, 0CFE4F2B4h, 8E97E69Dh
		dd 0D9707B78h, 353C14B2h, 0E2CDE12Dh, 0A3A54557h, 0F45968E1h
		dd 2 dup(0)
		dd 0A3BB9D7Fh, 0AED36D1h, 47773AFEh, 15DA6DA3h,	0E4CCA781h
		dd 1F375B72h, 8EEE75FCh, 2BB4DB46h, 2D55E883h, 2159ED97h
		dd 0C9994F02h, 3E6EB6E5h, 6A22D27Dh, 34838034h,	1DDCEBF8h
		dd 5769B68Dh, 0BE677687h, 5D84805Ch, 5AABD106h,	42B3DB2Eh
		dd 0F9104C79h, 485EEDFFh, 93329E04h, 7CDD6DCBh,	3089037Bh
		dd 76305B1Ah, 0D445A4FAh, 69070068h, 77FE3985h,	63EA36B9h
		dd 3BB9D7F0h, 0AED36D1Ah, 98024A8Fh, 0A43E5BCBh, 7CCEED0Eh
		dd 0BB0900B9h, 0DF757071h, 0B1E43668h, 0B557A20Ch, 8567B65Ch
		dd 16EC3F73h, 8F8A808Dh, 0F22098F2h, 90BDDBFFh,	519B058Dh
		dd 9A50ED2Eh, 26653C08h, 0F9BADB97h, 85DEA177h,	0F357ED46h
		dd 611206F6h, 0EC60B634h, 0C2A99B89h, 0E68D80E5h, 0A88B49F4h
		dd 0D20E00D1h, 0B30D48Bh, 0D8E33600h, 0EFFC730Ah, 0C7D46D72h
		dd 4C47EE75h, 0CD395BA3h, 2FE43C8Bh, 697FFC67h,	8C5FA1F4h
		dd 6392CAB6h, 68930675h, 7CA591C4h, 0CB289B0Ah,	7648A715h
		dd 0A10A4977h, 42CB2721h, 2B1D408h, 482611F0h, 0E67D7389h
		dd 57114A82h, 45C6EEF6h, 5DFC7C53h, 3238D773h, 3E164AEAh
		dd 91834A0Ch, 34FB7C3Bh, 754FED8Dh, 2BCC2749h, 0D6F470F2h
		dd 21211198h, 0BCD6A28Fh, 15A291ACh, 1F6D3FF0h,	1F4FA77Dh
		dd 0FBA19871h, 78FC0Fh,	581A050Eh, 0A95CADEh, 145DEB7Bh
		dd 0C7AC917Dh, 0B7E67604h, 0CD41A7ACh, 532AD185h, 0D276FCDEh
		dd 0F0914CFAh, 0D89BCA0Fh, 9AB39E87h, 0EC184A3Bh, 390803F8h
		dd 0E6F57CEAh, 0DDC4A479h, 0F9C22798h, 7E7F3906h, 0F32F1149h
		dd 9810083h, 90C527F0h,	0AA3A9DFCh, 9A281121h, 4EF63A7Dh
		dd 851F4A53h, 0ED4DA702h, 8FF27C82h, 876F757Fh,	0BB71FCB6h
		dd 24D4E800h, 0B19CCA67h, 0C0184F81h, 0AEAB9115h, 63A3D2FEh
		dd 0A446A7C4h, 5FC87916h, 0D2FFF8CEh, 0FC73E469h, 0D812CE1Fh
		dd 18BF43E8h, 0C725956Dh, 0BB04DE97h, 0CDC8A3BCh, 0D1260CEAh
		dd 0F94B2388h, 729D9195h, 0F3A61559h, 96513614h, 0EC914E2Bh
		dd 35EAAB6Bh, 0E67C78FAh, 421492EEh, 85964E43h,	0E1AF0F91h
		dd 8F7B7892h, 563A810h,	904C23E0h, 0A6D8356Fh, 9AA11531h
		dd 0CCFAE712h, 0AE229505h, 6F417A6Dh, 0A4CFA3D4h, 8B8DDDECh
		dd 0BBF8F8A6h, 28364093h, 0B115CE77h, 6471AEE6h, 7C2C95D4h
		dd 0C7CA3399h, 76C1A305h, 23069418h, 69F6F877h,	80BD0967h
		dd 631BCEA6h, 0EA9FDB1Ah, 57984E92h, 49244665h,	5D757843h
		dd 0ADE8E1E4h, 42422331h, 0E537C9Bh, 48AF15E0h,	79AD451Eh
		dd 2B452359h, 0DA16D861h, 21A81588h, 3EDA7FE0h,	3E9F4EFAh
		dd 9D61E29Fh, 3472782Bh, 0F74330E2h, 0F1F81Fh, 54F8AD9Dh
		dd 0A1CCECEh, 0B0340A1Ch, 152B95BCh, 138F9763h,	1FC6A36Dh
		dd 702C459Dh, 0BB8004A9h, 0D397D8E2h, 0B16D3278h, 375B7F63h
		dd 0AE5A690Ah, 94E0E21Ch, 0A4B75FDBh, 0FEC23061h, 9034DFEFh
		dd 5D79AD1Eh, 9AD9E93Eh, 0B9B50A9Fh, 85EEB24Ch,	1A0E97E0h
		dd 8F03849Dh, 6DF0AE65h, 0ECE9B224h, 0CE4B331Ah, 0E60484F5h
		dd 2A87949Bh, 0F933DF87h, 893C09E4h, 0F3DEE956h, 0E31EDB99h
		dd 0C75D6962h, 40A546E6h, 0CDB05FB3h, 0A469E167h, 0D28704C1h
		dd 7D27C18h, 0D86A3210h, 4B95926Dh, 155369B3h, 0E82E0F12h
		dd 1FBE5F62h, 0CE2A893h, 890410h, 0AF5935ECh, 0A6432C1h
		dd 0C57BE791h, 3EE7B2F5h, 66C07AEEh, 340A8424h,	820CDD6Fh
		dd 2B3DDF56h, 21B74010h, 21D0E987h, 56497995h, 423ADF3Eh
		dd 0F5F2E4EAh, 48D7E9EFh, 113E436Bh, 57E0B29Dh,	0B285DE14h
		dd 5D0D844Ch, 0D8A70C69h, 698E0478h, 7B1C9116h,	636332A9h
		dd 9FD03697h, 7C5469DBh, 3C6BABE8h, 76B95F0Ah, 0E7076147h
		dd 9126D7CFh, 44BCFC38h, 9BCBE11Eh, 0A0705BB9h,	84FCBA6Ch
		dd 3CBC6C6h, 8E118CBDh,	69E914BBh, 0BA920C89h, 0CA5289C4h
		dd 0B07F3A58h, 2E9E2E45h, 0AF48612Ah, 8D25B33Ah, 0A5A557FBh
		dd 0FADB8ABFh, 0C64F6142h, 596017C0h, 0CCA25793h, 0BDACB041h
		dd 0D3950CE1h, 1E172D3Eh, 0D9783A30h, 7435FF43h, 0EDFBBA04h
		dd 0D78E623Ch, 0E7168CD5h, 3342C5BDh, 0F821D7A7h, 90F958C2h
		dd 0F2CCE176h, 0DCBEB6B7h, 3FF5BAD5h, 7F052BC8h, 35188C04h
		dd 9BC98C49h, 2A2FD776h, 38721136h, 20C2E1A7h, 5250C34Bh
		dd 14416193h, 0F1EB5E34h, 1EAC5742h, 1527F9B5h,	19B0C30h
		dd 0B69C64CAh, 0B763AE1h, 0C1625D4Fh, 689C0C58h, 62D9C030h
		dd 62713A89h, 861567B1h, 7D4661FBh, 25AEFACEh, 77AB572Ah
		dd 4F8C28B3h, 4328D71Eh, 0EC37B5CCh, 49C5E1CFh,	8FB124Dh
		dd 56F2BABDh, 0AB408F32h, 5C1F8C6Ch, 0C8E35DCCh, 0F8592BA8h
		dd 6B58C0B3h, 0F2B41D79h, 8F946732h, 0ED83460Bh, 2C2FFA4Dh
		dd 0E76E70DAh, 460D2830h, 0D3EDF0EEh, 0E5B6B54Fh, 0D900C63Fh
		dd 17A12CEh, 0C6379D4Dh, 0A2C18FB1h, 0CCDAAB9Ch, 0D53FB634h
		dd 0AF309D25h, 76842B4Bh, 0A5DDABF4h, 92488CCAh, 0BAEAF086h
		dd 31F311B5h, 0B007C657h, 5BD1C3C8h, 84844663h,	0F86A5EB7h
		dd 8E6970B2h, 1CA6F936h, 915E2BC0h, 0BF1D6449h,	9BB31D11h
		dd 0F35A8A3Ch, 568A46B2h, 50E11743h, 5C677063h,	0B42DB0C2h
		dd 43502B11h, 17962DBDh, 49BD1DC0h, 7DB4FFC0h, 7D3E9DF4h
		dd 0DE0F62BFh, 77D3AB25h, 3AC3C53Eh, 68E4F057h,	99785841h
		dd 6209C686h, 0EE8661C4h, 1E3F03Fh, 4D3DFCBBh, 0B0EC6EEh
		dd 0A9F15B3Ah, 14399D9Ch, 0A4AC645h, 1ED4AB4Dh,	60681438h
		dd 2A572B79h, 0C3D38947h, 20BA1DA8h, 271F2EC6h,	3F8D46DAh
		dd 84A4B3B9h, 3560700Bh, 0B8CF1851h, 43D92F01h,	1B74852Eh
		dd 493419D0h, 0FFB822AFh, 560342A2h, 5C03BFD0h,	5CEE7473h
		dd 36216DADh, 686DF447h, 959AF0D2h, 6280C296h, 71565753h
		dd 7DB799E4h, 0D2EDCA2Ch, 775AAF35h, 0A513F3A9h, 14B0998Ch
		dd 6A86ED6h, 1E5DAF5Dh,	0E264C957h, 16AF42Fh, 41DF5428h
		dd 0B87C2FEh, 2BFD8655h, 3F0442CAh, 88461B2Ah, 35E9741Bh
		dd 6C8ABCABh, 2ADE2F69h, 0CF3121D4h, 203319B8h,	8376CFA1h
		dd 0ED0A421Bh, 20CD52DEh, 0E7E774CAh, 0C401F55Fh, 0F8D02FB8h
		dd 67BA6820h, 0F23D1969h, 0D98BA5Dh, 0C6BE995Dh, 0AE232722h
		dd 0CC53AF8Ch, 4AEF80A3h, 0D364F4FEh, 0E9541DDCh, 0D989C22Fh
		dd 9EAA2459h, 0BA63F496h, 3D11B926h, 0B08EC247h, 0D9DD1EA7h
		dd 0AFB99935h, 7A6683D8h, 0A554AFE4h, 104451A5h, 91D72FD0h
		dd 0B3FFCCDAh, 9B3A1901h, 57336B5Bh, 840D4273h,	0F488F624h
		dd 8EE074A2h, 972B24DAh, 2AA6D366h, 3490B9A5h, 204BE5B7h
		dd 0D05C1E24h, 3F7CBEC5h, 73E7835Bh, 35918814h,	19C55126h
		dd 1120820h, 0BA7ECC59h, 0BFF3EF1h, 5EB26BD8h, 14C86583h
		dd 0FD09F6A7h, 1E255352h, 8AF7CF22h, 7DCF65EBh,	294C525Dh
		dd 7722533Ah, 0CD80F5DCh, 68150848h, 6E3B68A3h,	62F83E99h
		dd 419BADEh, 567BBEADh,	0A7A227A1h, 5C96887Ch, 436E8020h
		dd 43A1D30Eh, 0E0D51D5Fh, 494CE5DFh, 0AC92F32Ah, 8475BE7Ch
		dd 0F296E55h, 8E9888ADh, 0EBE5C9D4h, 91AFD3DFh,	485E54ABh
		dd 9B42E50Eh, 227C86D6h, 0AFC1653Ah, 81C71BA9h,	0A52C53EBh
		dd 650BBC28h, 0BA1B0899h, 0C6B02157h, 0B0F63E48h, 0B14E18D2h
		dd 0D31C08F1h, 12F585ADh, 0D9F13E20h, 0F639222Ch, 0C6C66552h
		dd 5582BF53h, 0CC2B5383h, 3FA06D2Eh, 0F8A8D3B7h, 9C1BF051h
		dd 0F245E566h, 78D757D0h, 0ED72BE14h, 0DB6CCAAFh, 0E79F88C5h
		dd 2 dup(0)
		dd 9204F500h, 0B0BC2E58h, 7C9E796Bh, 55A17AE2h,	0EE9A8C6Bh
		dd 0E51D54BAh, 0F93CF2D6h, 0AB42F5C4h, 6B3807D6h, 1BFEDB9Ch
		dd 85A28BBDh, 0FEE38F26h, 17A67EBDh, 4E5FA17Eh,	0AAEE76C7h
		dd 625CCDDAh, 38EA83C7h, 0D2E0E382h, 0D6700FACh, 37FDB738h
		dd 4474FAACh, 87419960h, 53D28411h, 0C91E381Eh,	0C1D67111h
		dd 79A21646h, 2F4CFD7Ah, 9CBF42FCh, 0BD48087Ah,	2C036CA4h
		dd 55DCED8Eh, 0C4B99BB5h, 0C7D8188Eh, 7405B5EDh, 294294E5h
		dd 9118E157h, 0BB4661E5h, 21A4CF0Fh, 0ACE01F58h, 6FFB6E71h
		dd 3EE4EA58h, 0DF474029h, 0D07E6633h, 3A5A1493h, 427A9333h
		dd 8AE63ACBh, 0FF329B49h, 0A6E5566Fh, 6D366E49h, 16597837h
		dd 83ACE222h, 0F3442C8Dh, 11A81722h, 43F802D5h,	60E699Fh
		dd 0DA7A3ABh, 940A9C9Fh, 0BD1B8DF3h, 7A9010F4h,	5806D949h
		dd 0E894E5F4h, 0E8BAF711h, 0F32E4877h, 0BDAA1139h, 612ABD77h
		dd 0D163F61h, 8FB0311Ch, 0E80B6BDBh, 1DB4C41Ch,	58B74583h
		dd 0A12BAA1h, 16E8E4FDh, 98164FA1h, 0A654CAA5h,	768CC3CAh
		dd 43499E1Fh, 0E48836CAh, 0F3F5B047h, 59C03EB0h, 0DFF6DCE3h
		dd 0CBC4CBB0h, 6F4AF2BBh, 255E47DBh, 8A57A601h,	0B75AB2DBh
		dd 3AEB8859h, 0A0FCCC66h, 74B42927h, 32F83966h,	0C408077Fh
		dd 0DC62B50Dh, 211553C5h, 4E66400Dh, 91A97D9Dh,	0A6F2A5F9h
		dd 79138A8Ch, 34F650F9h, 0C9AFA4D4h, 0DA6CDC92h, 2CB2F06Eh
		dd 48682992h, 9C0EDE36h, 5FCE572Fh, 0D2517F48h,	0CDCAA22Fh
		dd 62ED5110h, 23502E44h, 87F005AAh, 0B154DB44h,	374C2BF2h
		dd 0C1CD33Eh, 1B4F4756h, 9E18263Eh, 0ABF3690Eh,	7082AA55h
		dd 4EEE3DB4h, 0E2865F55h, 0FE5213ECh, 0F52021E8h, 0B00DB292h
		dd 6724D4E8h, 0B19CCAh,	89BE5883h, 0E5ACC870h, 1BBAAD83h
		dd 5510E628h, 0BECB0385h, 4F8D0420h, 2CCFF685h,	0FF312A78h
		dd 0C2557AEEh, 1A2C7EC2h, 50518FEEh, 0AA90509Ah, 47F7F153h
		dd 0E4CFF1E4h, 0D5F30453h, 5473DFBCh, 3B698838h, 0B16E8B06h
		dd 0A96D7D38h, 1D2A55Eh, 14257542h, 2DD1C9FAh, 86218042h
		dd 9D6DE7A2h, 68BB0C29h, 7870B318h, 0FABFF929h,	0C8CC9D40h
		dd 0ED198794h, 86933C3Eh, 7F1D7294h, 362F1266h,	9187FEFFh
		dd 0D33246DCh, 3830BFFh, 638E6884h, 0EB17EE0Bh,	8B349F95h
		dd 79131B0Bh, 3B88B1CDh, 97899760h, 0DE95E577h,	58D6260h
		dd 6E29CB2Fh, 122B1CDDh, 20766A51h, 802FE9DDh, 90CA4409h
		dd 6EB565B6h, 75D710B3h, 0FCB190B6h, 0C56B3EEBh, 41F998CCh
		dd 0E968524Fh, 0D3FD6DCCh, 59D47C17h, 3D67E1A7h, 0BCC928ADh
		dd 0AF6314A7h, 0C7506F5h, 0B8C56A1Ah, 422AA78Bh, 2AC19F1Ah
		dd 0F29689D3h, 0C45B1371h, 178BDD69h, 565FE671h, 0A737F331h
		dd 4DE54BF2h, 0F2271519h, 0DFE1BEF2h, 429B3B41h, 317B3299h
		dd 0A7866FFBh, 0A37FC799h, 173A41A3h, 0B4D9B924h, 5965E0DDh
		dd 26DD4C24h, 0E9D9CE85h, 0C847C04Fh, 0CC49A3Fh, 5A43354Fh
		dd 0BC78B467h, 0E70B3D35h, 907BD8C3h, 750FC835h, 20C7F69Bh
		dd 9B95445Eh, 0C5DAA221h, 991B15Eh, 75668C79h, 1E37CFE3h
		dd 3B392D07h, 8C333AE3h, 8B85035Fh, 62A9B688h, 6E9857E5h
		dd 0F0AD4388h, 0DE2479BDh, 1839A67Ch, 369E8EACh, 8A3D537Ch
		dd 8622A0F4h, 64A7DF17h, 633FF44Eh, 0F6A32A17h,	0D383DA16h
		dd 0E10554AAh, 9DDC7B68h, 7301A1AAh, 2D605530h,	9D9B2DC1h
		dd 0C87D018Ah, 0F9FD8C1h, 78C12FD2h, 0B2D7D0BBh, 54C24376h
		dd 20D325BBh, 0E47E6D2Eh, 0CE49A9D0h, 1633994h,	5C4D5CD0h
		dd 0B1DF17CCh, 4BEB226Dh, 0FF80B6B2h, 0D9EFD76Dh, 4F3C98EAh
		dd 37755B06h, 0AA21CC50h, 0A571AE06h, 1A9DE208h, 7D96070Ah
		dd 9F1A0841h, 0EF92F20Ah, 2FA62619h, 1087E61h, 0CABB72A3h
		dd 930C8B61h, 7A075CFBh, 84AAF5DCh, 3458FD85h, 16AE00DCh
		dd 84E4D3DDh, 0F8348CB7h, 61F98767h, 6A3079B7h,	0D145A93Fh
		dd 0D77871CDh, 0FD46C59Bh, 457C84CDh, 4DFAEBC3h, 0ABE608A6h
		dd 0A8E7BF79h, 39E2FDA6h, 185B9121h, 2E44831Bh,	5604305Fh
		dd 0BC40761Bh, 0E6B81E07h, 52DAFA70h, 3A54ABDh,	0C0DE0F70h
		dd 0B31964E5h, 284AEA84h, 5BA393F4h, 0BA4E1F84h, 0EB1FBDACh
		dd 54D493EFh, 0E02E916h, 0C6D066EFh, 0BEBEC74Eh, 0D1761852h
		dd 0F0E16630h, 4372ED52h, 405D4868h, 0ADE86139h, 0A5401CD2h
		dd 3FEC9439h, 15FC328Ah, 82A49C43h, 39FF5E2Eh, 10A06943h
		dd 89437076h, 0FE3AE528h, 6C5E24CCh, 6C3E1028h,	0DCE20A94h
		dd 7B986E95h, 92BDABEAh, 0E99C9B95h, 220185B2h,	70617FEh
		dd 0C71CD108h, 9502E2FEh, 77A0FF50h, 8EB84F7Dh,	22B01978h
		dd 1CBCBA7Dh, 920C3720h, 0F2263616h, 7711639Ah,	6022C316h
		dd 0C7AD4DC2h, 7784BDABh, 89F2ECBCh, 0E58048ABh, 394EC2E4h
		dd 0B1AC4C0h, 0DC53965Eh, 991E31C0h, 6CEFB806h,	245639BAh
		dd 40ECD4A2h, 0B652CCBAh, 0F050FAFAh, 58C840D1h, 154DAE40h
		dd 0CACCB5D1h, 0A5F18018h, 0DD6ACB6Ch, 0EBAE2166h, 4F6E3E6Ch
		dd 5B120F3Eh, 0A1F4B207h, 0BE0F5B84h, 33F04707h, 0EB375DCh
		dd 0DB64A2F3h, 0E60982CDh, 496057F3h, 56B5AC95h, 0A7FADB98h
		dd 0B3A8F82Fh, 35FE2E98h, 314D677h, 22585025h, 4D4B7709h
		dd 0B05CA525h, 0FDF75951h, 5EC6294Eh, 18EA0DEBh, 0CCC2DC4Eh
		dd 0A85623B3h, 718AD434h, 84554F17h, 0E38E2134h, 34E9614Fh
		dd 0D14AD5Fh, 0D1F435F5h, 9F10585Fh, 61481BADh,	88B626E2h
		dd 2F17BAD3h, 1AB2D3E2h, 9FAB948Bh, 0F4285F89h,	7AB6C031h
		dd 662CAA89h, 0CA0AEE69h, 0C35D048Fh, 0D0970C61h, 5159F18Fh
		dd 602B2239h, 0BFC37DE4h, 85367683h, 2DC788E4h,	358A58DBh
		dd 3A61F659h, 7BD5F9A5h, 0A8650359h, 0CB69D7FDh, 46FF8F32h
		dd 2E748347h, 0D4FB7A32h, 9EC8AD1Fh, 69B37248h,	0B2CBC1BBh
		dd 0FBB78748h, 277EFE3h, 152D0B23h, 0E76ABB59h,	8729FE23h
		dd 57D69501h, 908F809Eh, 1989347Fh, 28B759Eh, 0A9351A27h
		dd 0EC11F9F5h, 4C284E9Dh, 7E150CF5h, 0FC9460C5h, 9681E901h
		dd 142E97D4h, 4851C01h,	0A492B98Ch, 0EA1F906Ah,	418FED36h
		dd 781B656Ah, 0F133C36Eh, 6FBD1BD7h, 0BF6C6210h, 0FDB9EED7h
		dd 0FD04C48h, 132362BCh, 0EACD18F2h, 812797BCh,	5A7136AAh
		dd 3C6F9FC6h, 76725A0Eh, 0AE6B6AC6h, 0C6CE7456h, 40F1E6ADh
		dd 23D320ECh, 0D2F513ADh, 936F0EB4h, 0C5536D10h, 0DD30AFCAh
		dd 57579810h, 6D8C8192h, 0B9CD147Bh, 8891D528h,	2BC9E17Bh
		dd 382DFB70h, 30734CF8h, 6D3D1D58h, 0A277B9F8h,	0DD813300h
		dd 4CED3593h, 389C67BAh, 0DEE9C093h, 882049E2h,	0C94FBE2Eh
		dd 0C67FE89Ch, 5B4B4B2Eh, 76C3C6C4h, 0B5D1C745h, 93DE927Eh
		dd 27D53245h, 2362BC26h, 9A9D3A3Fh, 0F61D082h, 899CF3Fh
		dd 0BFDDFEDAh, 0E6034354h, 5AC0AA60h, 7407B654h, 0EA7C8438h
		dd 63A1C8E9h, 0A4232546h, 0F1A53DE9h, 149F0B1Eh, 1F3FB182h
		dd 0F1825FA4h, 8D3B4482h, 413E71FCh, 65AFA176h,	0A98486EDh
		dd 0F7AB5476h, 1938A8B5h, 1931D81Dh, 0FC25FC0Fh, 8B352D1Dh
		dd 4C99D257h, 9C9353A0h, 2C67329h, 0E97A6A0h, 0B27A5D71h
		dd 0E00D2ACBh, 576709CBh, 7209DFCBh, 0E7DB2793h, 0CF41D7B1h
		dd 0CBD84B37h, 5D4522B1h, 7B64656Fh, 0B3DFAEDAh, 9E7931D5h
		dd 21DB5BDAh, 2EC51F8Dh, 367D2567h, 609ABEF3h, 0A479D067h
		dd 0D02690ABh, 4AE35C0Ch, 353BC411h, 0D8E7A90Ch, 8587EA49h
_crc64Map1_	dd 2 dup(0)		; DATA XREF: .text:00401BBCo
		dd 30358979h, 7F6EF0C8h, 606B12F2h, 0FEDDE190h,	505E9B8Bh
		dd 81B31158h, 9841B68Fh, 0C962E573h, 0A8743FF6h, 0B60C15BBh
		dd 0F82AA47Dh, 37BF04E3h, 0C81F2D04h, 48D1F42Bh, 6814FE75h
		dd 0A61CECB4h, 5821770Ch, 0D9721C7Ch, 87FEC87h,	58C10D24h
		dd 384A65FEh, 27AFFDECh, 0F05548FAh, 6F7E09C7h,	0C060C183h
		dd 1010F90Fh, 903E5A08h, 91A3E857h, 0A00BD371h,	0EECD189Fh
		dd 88BE6F81h, 78E0FF3Bh, 0B88BE6F8h, 78E0FF3h, 0E8D57D73h
		dd 863D1EABh, 0D8E0F40Ah, 0F953EE63h, 10FFD90Eh, 0B1821A48h
		dd 20CA5077h, 0CEECEA80h, 7094CBFCh, 4F5FFBD8h,	40A14285h
		dd 30310B10h, 0E0AA91F4h, 0DEFC138Fh, 0D09F188Dh, 0A192E347h
		dd 80C18306h, 2021F21Fh, 0B0F40A7Fh, 5F4F02D7h,	78EB277Bh
		dd 179EF6FCh, 48DEAE02h, 68F00634h, 18803589h, 0E943176Ch
		dd 28B5BCF0h, 962DE7A4h, 117CDF02h, 0F1C1FE77h,	2149567Bh
		dd 8EAF0EBFh, 7117CDF0h, 0F1C1FE7h, 41224489h, 7072EF2Fh
		dd 893D698Dh, 38A31B04h, 0B908E0F4h, 47CDEBCCh,	0E9567B7Fh
		dd 0C67EFA94h, 0D963F206h, 0B9100A5Ch, 79682177h, 57DD12C3h
		dd 495DA80Eh, 28B3E20Bh, 19033385h, 0A900F353h,	2936BAFCh
		dd 0D66E039Bh, 0E12997F8h, 9EBFF7B0h, 0D11C1E81h, 0E1D10778h
		dd 8142850Ah, 60621620h, 0B1770C73h, 1F0CE6E8h,	99C2B083h
		dd 8921014Ch, 0A9F739FAh, 0F64FF184h, 0F9A9A271h, 77FCE0DCh
		dd 0C99C2B08h, 8921014h, 183060Ch, 4043E43Fh, 31B68F75h
		dd 3F2D14F7h, 61E814FEh, 0BE9E05AFh, 51DD9D87h,	0C1F0F567h
		dd 0F1D64EF6h, 2F3DEDF8h, 0C1E3C78Fh, 50531D30h, 91BD5C04h
		dd 0D1E00C68h, 0A188D57Dh, 0AE8EFCA0h, 6997F879h, 0E65F088Bh
		dd 59A27100h, 9931F843h, 9FCEA8Bh, 1882E91Bh, 39C963F2h
		dd 67EC19D3h, 7A6E2D6Fh, 0D75ADABDh, 4A5BA416h,	0A8342A75h
		dd 1A053F9Dh, 29873B2Dh, 2A30B6E4h, 56E9CBE5h, 0E22F9BE0h
		dd 1E383FCEh, 0D21A1299h, 6156CF06h, 82448912h,	0E0E5DE5Eh
		dd 0B271006Bh, 9F8B2E96h, 127AD31Ah, 71463609h,	224F5A63h
		dd 0E28C6C1h, 7211C1E8h, 8F9BD799h, 42244891h, 0F0F52751h
		dd 8A3B6595h, 0B824D37Ah, 0BA0EECECh, 0C74A23B2h, 0EA507767h
		dd 46F932EAh, 0DA65FE1Eh, 3997C222h, 0F2D042EEh, 0AFBA2586h
		dd 0C2E5CB97h, 0D0D4D54Eh, 92BB501Ch, 5167C416h, 0A28ED965h
		dd 2E0934DEh, 6A91F461h, 66D8C0F5h, 5AA47D18h, 19B6303Dh
		dd 0AFAE693h, 98052165h, 3ACF6FEAh, 0E76BD1ADh,	9AC4BC9Bh
		dd 9A6C932h, 0AAF135E2h, 76C839FAh, 0FAAFAE69h,	0F77B28A2h
		dd 0CA9A2710h, 8815D86Ah, 2850A14h, 0C0C42C41h,	32B0836Dh
		dd 0BFAADC89h, 62EE18E6h, 3E19CDD1h, 52DB919Fh,	41773D19h
		dd 6B12F26Dh, 269B24CAh, 5B277B14h, 59F5D402h, 0B79E09Fh
		dd 0D846C55Ah, 3B4C69E6h, 0A7283592h, 0F35344E2h, 0EFF9C1B9h
		dd 0C366CD9Bh, 90973171h, 93385610h, 11242029h,	0A30DDF69h
		dd 6E4AD0E1h, 3060C18h,	8087C87Eh, 33338561h, 0FFE938B6h
		dd 636D1EEAh, 7E5A29EEh, 53589793h, 134D926h, 9B47BA97h
		dd 49E52D0Dh, 0AB7233EEh, 368BDDC5h, 0FB2CA865h, 0B738CC9Dh
		dd 0CB19211Ch, 0C8563C55h, 0E3AC9DECh, 5E7BDBF1h, 0D3991495h
		dd 21152B39h, 83C78F1Eh, 0A0A63A61h, 0B3F20667h, 0DFC8CAA9h
		dd 7BED2B63h, 97193E82h, 4BD8A21Ah, 0E877CE4Ah,	1B863991h
		dd 69C4DF12h, 2BB3B0E8h, 16AA2FDAh, 8BB86399h, 0F8673745h
		dd 0BB8DEAE0h, 8709C78Dh, 0EBD3716Bh, 6BAD6D5h,	0DBE6F812h
		dd 79D4261Dh, 13F9D516h, 3105D236h, 23CC5C6Fh, 4E6B22FEh
		dd 7392C7E4h, 0CFD833A6h, 43A74E9Dh, 0B0B6C36Eh, 0AC4BC9B5h
		dd 9A6C9329h, 9C7E40CCh, 0E50263E1h, 0CC20DB47h, 64B172B9h
		dd 0FC15523Eh, 1BDF8271h, 340A7F3Ah, 530E765Ah,	43FF643h
		dd 2C608692h, 54616DC8h, 0ADD397CAh, 6454E4B1h,	0D2BD6702h
		dd 0C45F37C0h, 3C707F9Dh, 0F46ABEB9h, 431E8F55h, 0A4342532h
		dd 0C2AD9E0Dh, 9401AC4Bh, 0BDC36EC5h, 5C1E814Fh, 0F5129AEEh
		dd 6C2B0836h, 8A7C6A26h, 3C7593BDh, 0BCF7B7Eh, 0C401AC4h
		dd 74A18BB6h, 24F5A634h, 0E28C6C12h, 14C02F4Dh,	9DE29CDAh
		dd 449EB4C6h, 1C518D82h, 74AB3DBFh, 633F7D4Ah, 0BCB410BBh
		dd 2BEE8961h, 8C8199C2h, 548079A9h, 0DCDF0249h,	0D53368F1h
		dd 0ECEA8B30h, 0AA5D9839h, 4CE15841h, 449080A6h, 7CD4D138h
		dd 3BFE706Eh, 2C8A4AB3h, 0BA4D6136h, 1CBFC3CAh,	0C52391FEh
		dd 0D4A0EECEh, 8DF265D5h, 0E49567B7h, 0F29C951Dh, 0B4CBFC3Ch
		dd 732F8445h, 84FE7545h, 0C41748Dh, 0BD3716B7h,	6BAD6D5Eh
		dd 8D029FCEh, 14C39D96h, 0DD5C0445h, 95708CCEh,	0ED698D3Ch
		dd 0EA1E7C06h, 2576A038h, 0A2CF882Dh, 15432941h, 0DDA178E5h
		dd 451DB2CAh, 5C1269BDh, 75283BB3h, 237C9975h, 0D523E8C2h
		dd 0CDB181EAh, 0E51661BBh, 0B2DF7122h, 0B548FA30h, 336C607Ah
		dd 857D7349h, 4C0290B2h, 4D625E4Dh, 4D36499h, 7D57D734h
		dd 7BBD9451h, 2D094CBFh, 0FA0E8509h, 1D3CC5C6h,	856075C1h
		dd 35897936h, 134D9265h, 5BCF04Fh, 6C2362ADh, 55E26BC4h
		dd 0ED9073F5h, 65D7E2BDh, 92FE833Dh, 0ADC8CFB9h, 0DA2F7716h
		dd 9DFD46C0h, 0A54187DEh, 0CDA3DD4Bh, 24F29686h, 0FD965432h
		dd 5B9C664Eh, 5D9D8743h, 0B5517ED1h, 6DA80E3Ah,	0CA3F8E19h
		dd 3DF695B1h, 4B8C9F41h, 0DC31CC8h, 34E26F89h, 0C5DC31CCh
		dd 7C339BA2h, 0F5E9B8B5h, 35D6B6Ah, 0A5B7233Eh,	82EE7A32h
		dd 9582AA47h, 0FD808AFAh, 0D625E4DAh, 4D364994h, 0E6106DA3h
		dd 3258B95Ch, 0B64EF628h, 0B3EBA804h, 867B7F51h, 0CC8558CCh
		dd 4E645255h, 8454ACE7h, 7E51DB2Ch, 0FB3A5C2Fh,	2E0F40A7h
		dd 7A894D77h, 1E3AC9DEh, 5E7BDBFh, 0BE311AAFh, 0EB2AA520h
		dd 8E0493D6h, 944455E8h, 0DE5A085Dh, 15F744B0h,	0EE6F8124h
		dd 6A99B478h, 2670AC20h, 22484053h, 16452559h, 5D26B09Bh
		dd 461BBED2h, 0DC95A1C3h, 762E37ABh, 0A3FB510Bh, 5E9B8B5Bh
		dd 35D6B6AFh, 6EAE0222h, 4AB84667h, 3EF099A9h, 0CB0B573Fh
		dd 0EC510D0h, 0B465A7F7h, 0C6DA3DD4h, 0FCB453DCh, 0F6EFB4ADh
		dd 83DAA314h, 0A6B12F26h, 269B24Ch, 9684A65Fh, 7D074284h
		dd 368F752Eh, 93CA5A1Bh, 6BAFC57h, 0ECA4AAD3h, 56E467DCh
		dd 6D17BB8Bh, 66D1EEA5h, 12794B43h, 0AECEC3A1h,	5AA8BF68h
		dd 9EFB4AD8h, 25C64FA0h, 0CEA5D153h, 0A4755EF8h, 0FE90582Ah
		dd 0DB1BAE30h, 0C7593BD8h, 0BCF7B7E3h, 0F76CB2A1h, 0C399472Bh
		dd 0A732292Ah, 422A5673h, 9707A053h, 3D44A6BBh,	5F188D57h
		dd 75955290h, 6F2D042Eh, 0AFBA258h, 3F739FA5h, 8B48B300h
		dd 0F4616DCh, 0F42643C8h, 0AF4DC5ADh, 1AEB5B57h, 9F784CD4h
		dd 6585AB9Fh, 0CF26D75Fh, 0E436BAC7h, 0FF135E26h, 9B584A0Fh
		dd 370C7322h, 0D389BE24h, 739FA5Bh, 0ACE74EECh,	576761D0h
		dd 2D545FB4h, 6752E8A9h, 523AAF7Ch, 4FE75459h, 0C41748D8h
		dd 7FD2DD20h, 0BB79B810h, 2F8C46ABh, 3ACAA948h,	1FB9CFD2h
		dd 45A45980h, 0D7A6E2D6h, 0D75ADABh, 0E7936BAFh, 721B5D63h
		dd 0B7CDF024h, 0F3A84C3Bh, 87F8795Dh, 8CC6BCF3h, 27F3AA2Ch
		dd 620BA46Ch, 17C62355h, 1D6554A4h, 4798B8DEh, 9CD645FCh
		dd 77AD31A7h, 0E3B8B534h, 0BFB21CA3h, 0AB69411Fh, 8F8795DAh
		dd 0D407B1D7h, 0DFD90E51h, 55B4A08Fh, 0EFEC8728h, 2ADA5047h
_crc64Mult_	dd 0			; DATA XREF: .text:_Crc64Ctrlo
		dd 800000h, 0
		dd 8000h, 80000000h, 0
		dd 0AC4BC9B5h, 9A6C9329h, 129310D6h, 10F4BB0Fh,	0A2EBD226h
		dd 70F05DCEh, 5672822Dh, 31121120h, 0F46C96Eh, 2FC297DBh
		dd 0ABF7DA84h, 0CA4D536Fh, 379EE6EDh, 0FB4CDC3Bh, 0DF25140Ah
		dd 0EA261148h, 7AA6C9B4h, 59CCB2C0h, 839AF27Ah,	20B3674Ah
		dd 0DA94D583h, 2D8E1986h, 337635Dh, 42CDF4C2h, 0F0F26839h
		dd 1D78724Bh, 0AFB34BD5h, 0B96C84E0h, 2DF0A3EAh, 5D2E1FCDh
		dd 2332BE42h, 0CD950657h, 7F7D690Fh, 23BDA242h,	32374F07h
		dd 347A9532h, 0C2A8CEEAh, 1C2A807Ah, 14FE1460h,	9B92AD0Eh
		dd 89F670B2h, 25741148h, 5E3BF520h, 4A84A6C4h, 1CD1C7FFh
		dd 915BBAC2h, 79F291F5h, 0B0290EC5h, 5C624E6Eh,	0CF254850h
		dd 0F08A8207h, 0B154F27Bh, 4BAF7D35h, 0CE4E9234h, 57C5EB3h
		dd 51DA8D7Eh, 0F5BE15DFh, 9FB10823h, 0FF1F71CFh, 73B825B3h
		dd 406EBB74h, 5DB436C5h, 0EC3F2BCAh, 0FA7ED8F3h, 0C61B9EF6h
		dd 0C4D58EFDh, 0E855BD45h, 0A7E39E61h, 0DD1BF2F1h, 97AD46F9h
		dd 0F853EE6Bh, 1A0ABB01h, 348F8215h, 3F0827C3h,	6134607h
		dd 4EB68C45h, 5DF34E0Ah, 4A46F6DEh, 1C57A8DDh, 2D855D6Ah
		dd 0E1115812h, 8688DA58h, 0FC7C7300h, 5232F417h, 0E767D8DAh
		dd 0A4080FB2h, 7693E562h, 0D515A7E1h, 62E94226h, 1181F7C8h
		dd 8204CA91h, 9E23CD05h, 7A0AED82h, 9B8992C5h, 4609B6FFh
		dd 0B2C0AFB8h, 3A5EA018h, 2F716055h, 0C99F2722h, 3CD378B5h
		dd 61A3B058h, 814054ADh, 0FCE806D8h, 0BF766189h, 0AC49F86Fh
		dd 85A5E898h, 0BC84F346h, 34830D11h, 173C8C1Ch,	9644D95Bh
		dd 9AC759B1h, 150401ACh, 6FB00EBAh, 0EBE1F7F4h,	2E2BD662h
		dd 8EE4CE0Ch, 0
		dd 40000000h, 0
		dd 20000000h, 0
		dd 8000000h
aRegistryMac_20:
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\Sessio>
		unicode	0, <n Manager\AppCompatCache>,0
aRate:
		unicode	0, <Rate>,0
		align 4
aRegistryMac_23:			; DATA XREF: .data:_VersionDataKeyso
		unicode	0, <\REGISTRY\MACHINE\SOFTWARE\Microsoft>,0
		align 4
aS1518:					; DATA XREF: .data:006B1A4Co
		unicode	0, <S-1-5-18>,0
		align 4
aRegistryMac_22:			; DATA XREF: .data:006B2BBCo
		unicode	0, <\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSIO>
		unicode	0, <N MANAGER\Configuration Manager>,0
		align 10h
aRegistryMac_19:			; DATA XREF: .data:006B2D68o
		unicode	0, <\Registry\Machine\Software\Policies\Microsoft\Windows\Fil>
		unicode	0, <eSystems\NTFS>,0
		align 10h
aRegistryMac_24:			; DATA XREF: .data:_IopRegistryRegisteredCallbackso
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\FileSy>
		unicode	0, <stem>,0
aSystemsku:				; DATA XREF: .text:00404834o
		unicode	0, <SystemSKU>,0
aSystemproductn:			; DATA XREF: .text:00404830o
		unicode	0, <SystemProductName>,0
aSystemfamily:				; DATA XREF: .text:0040482Co
		unicode	0, <SystemFamily>,0
		align 10h
aSystemmanufact:			; DATA XREF: .text:off_404828o
		unicode	0, <SystemManufacturer>,0
		align 4
aBaseboardprodu:			; DATA XREF: .text:00404844o
		unicode	0, <BaseBoardProduct>,0
		align 4
aBaseboardmanuf:			; DATA XREF: .text:00404840o
		unicode	0, <BaseBoardManufacturer>,0
aBiosversion:				; DATA XREF: .text:0040483Co
		unicode	0, <BIOSVersion>,0
aBiosvendor:				; DATA XREF: .text:00404838o
		unicode	0, <BIOSVendor>,0
		align 4
aSystemversion:				; DATA XREF: .text:0040484Co
		unicode	0, <SystemVersion>,0
aBiosreleasedat:			; DATA XREF: .text:00404848o
		unicode	0, <BIOSReleaseDate>,0
dword_4181B4	dd 0Bh			; DATA XREF: PipInitDeviceOverrideCache:loc_AD755Er
		dd 43h,	101h
aState:					; DATA XREF: .text:00403A6Co
		unicode	0, <State>,0
aParameters:
		unicode	0, <Parameters>,0
		align 4

_DEVPKEY_Device_RebootRequiredReason:	; DATA XREF: .text:off_404850o
					; PnpUpdateRebootRequiredReason(x,x,x,x,x)+70o	...
		db	26h
		arpl	dx, bx
		and	dword ptr [esi-6BBF7769h], 53h
		mov	eax, ds:3B573F92h
		sub	[eax], ebx
; 
		db 3 dup(0)
aDrivers:				; DATA XREF: .text:0040489Co
		unicode	0, <DRIVERS>,0
; 

_KiMsr_VIRTUAL_ENUMERATION:		; DATA XREF: .text:00403C20o
		add	[eax], eax
; 
		dw 0
		align 10h
		dd 14h,	0
		dd 20000000h, 7	dup(0)
; 

_KiMsr_IA32_ARCH_CAPABILITIES:		; DATA XREF: .text:00403C08o
		add	[eax], eax
; 
		dw 0
		align 10h
		dd 14h,	0
		dd 10h,	0
		dd 2, 0
		dd 14h,	0
		dd 80h,	0
		align 10h
		dd 14h,	0
		dd 100h, 0
		dd 20h,	0
		dd 14h,	0
		dd 20h,	0
		dd 80h,	0
		dd 14h,	0
		dd 8000h, 0
		dd 100h, 0
		dd 14h,	0
		dd 10000h, 0
		dd 2000h, 0
		dd 14h,	0
		dd 80000h, 0
		dd 4000h, 0
		dd 14h,	0
		dd 100000h, 0
		dd 8000h, 0
		dd 14h,	0
		dd 200000h, 0
		dd 20000h, 0
		dd 14h,	0
		dd 400000h, 0
		dd 100000h, 0
		dd 14h,	0
		dd 4000000h, 0
		dd 8000000h, 0
		dd 14h,	2 dup(0)
		dd 8, 10000000h, 0
		dd 14h,	2 dup(0)
		dd 10h,	0
		dd 80000000h, 14h, 0
		dd 10000000h, 7	dup(0)
_KiCpuTable	dd 1			; DATA XREF: PAGELK:loc_72651Er
					; PAGELK:loc_727458r
dword_4183A4	dd 106A4h		; DATA XREF: PAGELK:00726526r
					; PAGELK:00727460r
dword_4183A8	dd 7			; DATA XREF: PAGELK:00726532r
					; PAGELK:0072746Fr
dword_4183AC	dd 2Ch			; DATA XREF: PAGELK:00726540r
dword_4183B0	dd 2			; DATA XREF: PAGELK:0072747Dr
		dd 1, 106A5h, 7, 2Ch, 2, 1, 106E4h, 7, 2Ch, 2, 1, 106E5h
		dd 7, 2Ch, 2, 1, 20652h, 8, 2Ch, 2, 1, 20655h, 8, 2Ch
		dd 2, 1, 206A7h, 9, 2Eh, 2 dup(1), 206C2h, 8, 2Ch, 2, 1
		dd 206D6h, 9, 2Eh, 2 dup(1), 206D7h, 9,	2Eh, 2 dup(1)
		dd 206E6h, 7, 2Ch, 2, 1, 206F2h, 8, 2Ch, 2, 1, 30673h
		dd 1, 0FFFFFFFFh, 2, 1,	30678h,	1, 0FFFFFFFFh, 2, 1, 30679h
		dd 1, 0FFFFFFFFh, 2, 1,	306A9h,	0Ah, 2Eh, 2 dup(1), 306C3h
		dd 0Bh,	2Eh, 2 dup(1), 306D4h, 0Ch, 2Eh, 2 dup(1), 306E4h
		dd 0Ah,	2Eh, 2 dup(1), 306E7h, 0Ah, 2Eh, 2 dup(1), 306F2h
		dd 0Bh,	2Eh, 2 dup(1), 306F4h, 0Bh, 2Eh, 2 dup(1), 40651h
		dd 0Bh,	2Eh, 2 dup(1), 40661h, 0Bh, 2Eh, 2 dup(1), 406A8h
		dd 1, 0FFFFFFFFh, 2, 1,	406A9h,	1, 0FFFFFFFFh, 2, 1, 406C3h
		dd 2, 0FFFFFFFFh, 6, 1,	406C4h,	2, 0FFFFFFFFh, 6, 1, 406D8h
		dd 1, 0FFFFFFFFh, 2, 1,	406E3h,	0Dh, 2Eh, 2 dup(1), 406F1h
		dd 0Ch,	2Eh, 2 dup(1), 40751h, 0Ch, 2Eh, 2 dup(1), 50653h
		dd 0Fh,	2Eh, 2 dup(1), 50654h, 0Fh, 2Eh, 2 dup(1), 50662h
		dd 0Ch,	2Eh, 2 dup(1), 50663h, 0Ch, 2Eh, 2 dup(1), 50664h
		dd 0Ch,	2Eh, 2 dup(1), 50665h, 0Ch, 2Eh, 2 dup(1), 50671h
		dd 5, 0FFFFFFFFh, 2, 1,	506A0h,	1, 0FFFFFFFFh, 2, 1, 506A1h
		dd 1, 0FFFFFFFFh, 2, 1,	506C2h,	3, 0FFFFFFFFh, 6, 1, 506C9h
		dd 3, 0FFFFFFFFh, 6, 1,	506CAh,	3, 0FFFFFFFFh, 6, 1, 506D1h
		dd 6, 0FFFFFFFFh, 2, 1,	506E3h,	0Dh, 2Eh, 2 dup(1), 506F1h
		dd 3, 0FFFFFFFFh, 6, 1,	60663h,	11h, 2Eh, 2 dup(1), 606E1h
		dd 2, 0FFFFFFFFh, 6, 1,	706A1h,	4, 0FFFFFFFFh, 6, 1, 80650h
		dd 5, 0FFFFFFFFh, 2, 1,	806E9h,	0Eh, 2Eh, 2 dup(1), 806EAh
		dd 10h,	2Eh, 2 dup(1), 806EBh, 12h, 2Eh, 2 dup(1), 906E9h
		dd 0Eh,	2Eh, 2 dup(1), 906EAh, 10h, 2Eh, 2 dup(1), 906EBh
		dd 10h,	2Eh, 2 dup(1), 906ECh, 10h, 2Eh, 1, 7, 0
		dd 13h,	2 dup(0)
aExallocatepo_1	db 'ExAllocatePoolWithTag',0 ; DATA XREF: .data:006B31E0o
					; .data:006B33ECo
		align 4
aZeropool:				; DATA XREF: .data:006B2E30o
		unicode	0, <ZeroPool>,0
		align 4
aRtlgetversion	db 'RtlGetVersion',0    ; DATA XREF: .data:006B3218o
					; .data:006B3248o ...
		align 4
aKmwin81version:			; DATA XREF: .data:006B2E84o
		unicode	0, <KmWin81VersionLie>,0
aKmwin8versionl:			; DATA XREF: .data:006B2E68o
		unicode	0, <KmWin8VersionLie>,0
		align 10h
aKmwin7versionl:			; DATA XREF: .data:006B2E4Co
		unicode	0, <KmWin7VersionLie>,0
		align 4
aPsgetversion	db 'PsGetVersion',0     ; DATA XREF: .data:006B3228o
					; .data:006B3258o ...
		align 4
aPorequestpower	db 'PoRequestPowerIrp',0 ; DATA XREF: .data:006B33DCo
		align 4
aIocreatedevice	db 'IoCreateDevice',0   ; DATA XREF: .data:006B33CCo
		align 4
aDriverscope:				; DATA XREF: .data:006B2EA0o
		unicode	0, <driverscope>,0
aExfreepool	db 'ExFreePool',0       ; DATA XREF: .data:006B341Co
		align 4
aExallocatepool	db 'ExAllocatePool',0   ; DATA XREF: .data:006B340Co
		align 4
aExfreepoolwith	db 'ExFreePoolWithTag',0 ; DATA XREF: .data:006B33FCo
		align 10h
aSkipdriverunlo:			; DATA XREF: .data:006B2EBCo
		unicode	0, <SkipDriverUnload>,0
		align 4

_GUID_INTSTEER_MODE:
		stc
		and	al, 0FCh
		sub	esp, [edx-7DB7FEA2h]
		adc	edi, ds:0A31AE0BAh
		popf

_GUID_INTSTEER_TIME_UNPARK_TRIGGER:
		add	ecx, [ecx-46h]
		setalc
		outsd
		cmp	[esp+ecx*2], ch
		mov	bl, bl
		pop	esp
		and	[ebx+4D258D32h], esi
		out	0CDh, al	; DMA controller, 8237A-5.
					; master clear.
					; Any OUT clears the ctrlr (must be re-initialized)
		jnb	short loc_4189C9
		xlat
		mov	dl, 4Bh
		test	al, 60h
		mov	dword ptr [ebp-51h], 0E8F27EE7h
		jbe	short loc_418A0C
		icebp
		mov	bh, 98h
		xchg	al, [ecx-47h]
		inc	esp

loc_4189BE:				; CODE XREF: _GUID_BATTERY_DISCHARGE_FLAGS_0-36j
		jmp	far ptr	0D9D9h:24466FAh
; 
		db 0B2h, 0AFh, 68h
; 
		xchg	eax, ebp

loc_4189C9:				; CODE XREF: .text:004189A7j
		out	dx, al
		test	al, 47h
; 
		dd 1541508Fh, 0B1738008h

;  S U B	R O U T	I N E 


_GUID_BATTERY_DISCHARGE_LEVEL_3	proc near ; DATA XREF: .text:004048C0o
		cmpsb
		aad	0AFh
		pop	eax
		ffree	st(2)
		rol	byte ptr [edi-61h], cl
		mov	edi, 5CCC70EFh
_GUID_BATTERY_DISCHARGE_LEVEL_3	endp

; START	OF FUNCTION CHUNK FOR _GUID_BATTERY_DISCHARGE_FLAGS_0

loc_4189E2:				; CODE XREF: _GUID_BATTERY_DISCHARGE_FLAGS_0+1j
		pop	ecx

loc_4189E3:				; DATA XREF: .text:004048D0o
		adc	esp, gs:[esi]
		inc	edi
		add	byte ptr [eax-4CBAA169h], 8
		jb	short near ptr loc_4189BE+5
		add	[edx+esi*8], bh
		clc
; END OF FUNCTION CHUNK	FOR _GUID_BATTERY_DISCHARGE_FLAGS_0
; 
_GUID_BATTERY_DISCHARGE_FLAGS_2	dd 7FD2F0C4h, 4DA3FEB7h, 0FBE31781h, 8265C4EDh
					; DATA XREF: .text:004048ACo
; 

_GUID_BATTERY_DISCHARGE_LEVEL_2:	; DATA XREF: .text:004048BCo
		mov	ds:0AF07A07Ch, al
		lodsd
		xlat
		inc	eax

loc_418A0C:				; CODE XREF: .text:004189B5j
		mov	al, 77h
		push	ebx
; 
		db 3Ah
		dd 0FA1BEDADh

;  S U B	R O U T	I N E 


_GUID_BATTERY_DISCHARGE_FLAGS_3	proc near ; DATA XREF: .text:004048B0o
		iret
_GUID_BATTERY_DISCHARGE_FLAGS_3	endp

; 
		db 3Ch,	61h, 73h
		dd 4279DBFAh, 35495683h, 0F362BFF6h

;  S U B	R O U T	I N E 


_GUID_BATTERY_DISCHARGE_FLAGS_0	proc near ; DATA XREF: .text:_GUIDS_BATTERY_DISCHARGE_FLAGSo

; FUNCTION CHUNK AT 004189E2 SIZE 00000012 BYTES

		lahf
		jl	short loc_4189E2
		pop	ebp
		jmp	near ptr 97825C65h
_GUID_BATTERY_DISCHARGE_FLAGS_0	endp

; 
		db 49h,	4Fh, 8Ah
		dd 0F649F0Eh
; 

_GUID_BATTERY_DISCHARGE_LEVEL_0:	; DATA XREF: .text:_GUIDS_BATTERY_DISCHARGE_LEVELo
		xlat
		fsub	dword ptr [esi-66h]
		test	dword ptr [edi-7], 5AA2B54Eh
		xor	ch, [edx-5Ch]
; 
		db 69h
; 

_GUID_BATTERY_DISCHARGE_ACTION_0:	; DATA XREF: .text:_GUIDS_BATTERY_DISCHARGE_ACTIONo
		das
		mov	al, ds:0BBCB637Eh
		adc	eax, 0A12C8E40h

loc_418A4F:				; DATA XREF: .text:004048CCo
		mov	dword ptr [ecx+3846B5C0h], 8E421CBAh
		sbb	al, [ecx-1C7653B8h]
; 
		db 3Ah
		db 8Bh,	4
; 
; START	OF FUNCTION CHUNK FOR _PPM_PERFMON_PERFSTATE_GUID

loc_418A62:				; CODE XREF: _PPM_PERFMON_PERFSTATE_GUID+Ej
		in	al, dx
; END OF FUNCTION CHUNK	FOR _PPM_PERFMON_PERFSTATE_GUID
; 
		db 0E4h

;  S U B	R O U T	I N E 


_GUID_BATTERY_DISCHARGE_FLAGS_1	proc near ; DATA XREF: .text:004048A8o
		push	ecx
		fstp1	st(6)
		mov	esp, 4D05187Bh
		mov	esp, 19E5F7CCh
		pusha

locret_418A72:				; DATA XREF: .text:004048B8o
		retn	9A58h
_GUID_BATTERY_DISCHARGE_FLAGS_1	endp ; sp = -24h

; 
		mov	edx, 0E9108183h
		fimul	dword ptr [eax-79h]
		imul	edx, [esi+ebp*4], 0A17C16Dh

;  S U B	R O U T	I N E 


_GUID_BATTERY_DISCHARGE_ACTION_1 proc far ; DATA XREF: .text:004048C8o
		retf
_GUID_BATTERY_DISCHARGE_ACTION_1 endp

; 
		db 2Dh,	74h, 0D8h
		dd 4B3C3E6Ah, 4637FEB3h, 6CFCD23h

;  S U B	R O U T	I N E 


_GUID_ENERGY_SAVER_BATTERY_THRESHOLD proc far
		retf	9653h
_GUID_ENERGY_SAVER_BATTERY_THRESHOLD endp

; 
		db 0E6h
		dd 4F05CF7Fh, 83CB73AAh, 0D40AA93Fh
; 

_GUID_IDLE_RESILIENCY_PERIOD:
		stosb
		jns	short loc_418AD2
		les	edi, [edx]
		stosb
		dec	ebx
		dec	eax
		test	eax, 2AF32C8Fh
; 
		db 0A9h, 0Ah, 28h

;  S U B	R O U T	I N E 


; void PPM_PERFMON_PERFSTATE_GUID
_PPM_PERFMON_PERFSTATE_GUID proc near	; DATA XREF: .text:00404A84o
					; PpmWmiGetAllData(x,x,x,x,x,x)+ACo ...

; FUNCTION CHUNK AT 00418A62 SIZE 00000001 BYTES

		push	edx
		xchg	dl, cl

loc_418AB7:				; CODE XREF: _PPM_PERFMON_PERFSTATE_GUID:loc_418AB7j
		jg	short loc_418AB7
		or	al, 0D2h
		inc	eax
		mov	al, 0A1h
		or	eax, [esi]
		push	0FFFFFF87h
		jnz	short loc_418A62

; void PPM_IDLESTATES_DATA_GUID
_PPM_IDLESTATES_DATA_GUID:		; DATA XREF: .text:00404A6Co
					; PpmWmiGetAllData(x,x,x,x,x,x)+21o ...
		adc	[esi-1DAF45EDh], cl
		xlat
		dec	edx
		xchg	dl, [esi]
		iret
_PPM_PERFMON_PERFSTATE_GUID endp ; sp =	-8

; 
		sbb	bh, [edx-2Ch]

loc_418AD2:				; CODE XREF: .text:00418AA5j
		adc	bh, ah

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void PPM_THERMALCONSTRAINT_GUID
_PPM_THERMALCONSTRAINT_GUID proc near	; DATA XREF: .text:00404A78o
					; PpmEventThermalCapChange(x,x)+86o ...

var_7E072986	= dword	ptr -7E072986h

		enter	52C2h, 0A8h
		dec	esp
		sbb	bh, [ebx]
		inc	edx
		mov	[ebx+esi*8], gs
		or	eax, 881A9382h

; void PPM_IDLE_ACCOUNTING_EX_GUID
_PPM_IDLE_ACCOUNTING_EX_GUID:		; DATA XREF: .text:00404A54o
					; PpmWmiFireIdleAccountingEvent(x,x,x)+34o ...
		cmp	[ebp+var_7E072986], edi
		pop	esi
		dec	edx

loc_418AEC:				; CODE XREF: _PPM_PERFSTATES_DATA_GUID+5j
		adc	dword ptr [edx+72h], 12C91EE3h
		out	dx, al
_PPM_THERMALCONSTRAINT_GUID endp


;  S U B	R O U T	I N E 


; void PPM_PERFSTATES_DATA_GUID
_PPM_PERFSTATES_DATA_GUID proc near	; DATA XREF: .text:00404A60o
					; PpmWmiGetAllData(x,x,x,x,x,x)+67o ...
		and	ah, cl
		or	[edi+40h], dl
		jge	short near ptr loc_418AEC+3
_PPM_PERFSTATES_DATA_GUID endp

		dec	ebx
		mov	ah, 0AAh
		sub	eax, [ecx]
; 
		dd 26018D33h
; 

; void PPM_PERFSTATE_DOMAIN_CHANGE_GUID
_PPM_PERFSTATE_DOMAIN_CHANGE_GUID:	; DATA XREF: .text:00404A3Co
					; PpmEventDomainPerfStateChange+81758o	...
		jg	short loc_418B71
		pop	esi
		cdq
		push	ebx
		setalc
		jp	short near ptr aDefaultcap+9
		mov	ecx, 0CA33678h
; 
		db 29h,	0BFh, 1
; 

; void PPM_IDLESTATE_CHANGE_GUID
_PPM_IDLESTATE_CHANGE_GUID:		; DATA XREF: .text:00404A48o
					; PpmWmiDispatch+892FCo
		dec	edi
; 
		db 0FEh, 38h, 48h
		dd 4E51F71Ch, 3084CC9Eh, 6C4CACA7h
; void PPM_PERFSTATE_CHANGE_GUID
_PPM_PERFSTATE_CHANGE_GUID dd 0A5B32DDDh, 4ABC7F39h, 0E9092B8h,	0BB9EB543h
					; DATA XREF: .text:_PpmWmiGuidListo
					; PpmEventLegacyProcessorPerfStateChange+81C15o ...
aDefaultcape:				; CODE XREF: .text:00418BB6j
					; DATA XREF: PAGEDATA:off_A93D84o
		unicode	0, <DefaultCape>,0
aDefaultcap:				; CODE XREF: .text:00418B0Aj
					; DATA XREF: PAGEDATA:off_A93D9Co
		unicode	0, <DefaultCap>,0
		align 8
dword_418B68	dd 0F54D3D83h		; DATA XREF: ExpStringCheck+282r
		dd 6D3CBFAFh
		db 1Ch
; 

loc_418B71:				; CODE XREF: .text:_PPM_PERFSTATE_DOMAIN_CHANGE_GUIDj
		mov	ds:57041418h, eax
		push	ebx
		out	93h, eax
		or	byte ptr [esi],	72h

loc_418B7C:				; CODE XREF: .text:00418BB1j
		mov	edi, 781AEC49h
		mov	[edi+497A34Dh],	ecx
		loopne	loc_418BFE
		enter	0FFFF9788h, 66h
		dec	esi
		movsb
		push	0FFFFFFCFh
		xor	dl, dh
		pop	ss
		cmp	eax, [edi-43h]

loc_418B97:				; CODE XREF: .text:00418BBCj
		and	[ebx+5772DEEDh], ebx
		or	dword ptr [edi-25h], 0
		sar	byte ptr [esi-43h], cl
		out	dx, al
		and	eax, 0A2FF064Fh
		aaa
		or	al, 2Fh
		add	dh, [edx-12h]
		popf
		jz	short near ptr loc_418B7C+3
		push	edx
		jnz	short near ptr loc_418BDD+4
		jz	short near ptr aDefaultcape+0Ch
		push	esi
		sub	edi, esp
		xchg	eax, ecx
		jp	short near ptr loc_418B97+3
		or	[ebx+71h], ebp
		adc	edx, 21h
		xor	eax, ebx
		add	[ebp+56h], bl
		dec	ebp
		push	ss
		setalc
		sbb	bl, 0C6h
		fcomp	st(2)
		push	ebx
		inc	ebp
		jmp	fword ptr [edi+6Ch]
; 
		dw 0C046h
		dd 7287EB93h
; 

; void WHEAPolicyManagementMethods_GUID
_WHEAPolicyManagementMethods_GUID:	; DATA XREF: .text:00404AA8o
					; WheapWmiExecuteMethod(x,x,x,x)+81o
		out	dx, al

loc_418BDD:				; CODE XREF: .text:00418BB4j
		imul	eax, [ebp+79h],	4A06137Ch
		mov	bl, ch
		shl	byte ptr ds:4BFC3DB5h, cl

; void WHEAErrorSourceMethods_GUID
_WHEAErrorSourceMethods_GUID:		; DATA XREF: .text:_WheapWmiGuidListo
					; WheapWmiExecuteMethod(x,x,x,x)+1Do
		pop	es
		rol	bl, 91h
		pop	ebp
		sbb	[eax+4Dh], bh
		cmpsd
		push	ecx
		mov	edi, 0C6C231CBh
		dec	ebp

; void WHEAErrorInjectionMethods_GUID
_WHEAErrorInjectionMethods_GUID:	; CODE XREF: .text:_WHEAErrorInjectionMethods_GUIDj
					; DATA XREF: .text:00404A9Co ...
		jnb	short near ptr _WHEAErrorInjectionMethods_GUID+1

loc_418BFE:				; CODE XREF: .text:00418B87j
		or	al, ch
		xchg	eax, ebx
		and	[edx], ch
		inc	edi
		movsd
		int	3		; Trap to Debugger
		fbld	tbyte ptr [eax+esi*8]
		xor	[eax+35h], esi

loc_418C0F:				; DATA XREF: DownLevelLanguageNameToLangID(x,x)+36r
					; DownLevelGetParentLanguageName(x,x,x,x)+32r
		add	[eax+eax+35h], bh
		add	[esi-1AFFA300h], bh
; 
		db 3 dup(0)
		dd 182017Eh, 137014Bh, 1700112h, 175017Ah, 1530142h, 186015Fh
		dd 16B0089h, 1650159h, 1010079h, 0D4004Ch, 198002Bh, 19D0122h
		dd 6C00B4h, 2200F4h, 100ABh, 65008Ah, 4400EDh, 0CC0129h
		dd 0D80050h, 103007Bh, 193019Ch, 1940163h, 20151h, 113008Bh
		dd 1AD005Bh, 8000E3h, 40107h, 51008Dh, 500D9h, 6008Eh
		dd 1150139h, 14D008Fh, 1A70144h, 640123h, 14000ECh, 900007h
		dd 1660008h, 13A018Dh, 145016Ch, 1830116h, 154017Fh, 1600187h
		dd 14E0189h, 18B017Bh, 910171h,	176015Ah, 1910009h, 1880172h
		dd 167017Ch, 192014Fh, 177015Bh, 92013Bh, 18C0146h, 18E0117h
		dd 16D0155h, 184018Fh, 190018Ah, 1610180h, 0AD0024h, 0B5002Ch
		dd 0B10028h, 1B00066h, 13200EEh, 93000Ah, 0EB0063h, 0C00037h
		dd 15C000Bh, 13C0118h, 1470168h, 1730178h, 1850094h, 1810150h
		dd 17D0156h, 16E0162h, 0E90061h, 126003Bh, 10E0087h, 0DD0055h
		dd 0FB0073h, 1080081h, 0CE0046h, 1B10067h, 7400EFh, 0C00FCh
		dd 380095h, 1900C1h, 0A20148h, 0B6002Dh, 96000Dh, 0B3002Ah
		dd 0F00068h, 0A90020h, 0F7006Fh, 0FF0077h, 97000Eh, 119000Fh
		dd 5C0098h, 0E401A1h, 12E01AEh,	990010h, 0BF0036h, 0C6003Eh
		dd 0F6006Eh, 0DA0052h, 0D2004Ah, 9A0011h, 0DE0056h, 0F80070h
		dd 0E7005Fh, 880130h, 10F01B3h,	0C7003Fh, 0FD0075h, 0F5006Dh
		dd 0DB0053h, 0AF0026h, 0AE0025h, 105007Eh, 0B7002Eh, 0D3004Bh
		dd 1A0004Fh, 1AB00D7h, 13F012Ch, 0DF0057h, 102007Ah, 0D5004Dh
		dd 127003Dh, 3900C5h, 5400C2h, 1A400DCh, 60009Ch, 0E80131h
		dd 11A0012h, 19B009Bh, 13011Bh,	0F3006Bh, 106007Fh, 0F90071h
		dd 0CF0047h, 1AA0045h, 0CD012Ah, 1000078h, 9D0014h, 10D0086h
		dd 0EA0062h, 9E0015h, 135011Ch,	1110110h, 830136h, 10A01B2h
		dd 0F2006Ah, 1410133h, 9F0016h,	11D0017h, 1800A0h, 0A1011Eh
		dd 10B0084h, 0D6004Eh, 1090082h, 1AC0058h, 0E0012Dh, 13E003Ah
		dd 12500C3h, 0E2005Ah, 0A3001Ah, 0AC0023h, 158019Eh, 1A8015Eh
		dd 1520149h, 16A0197h, 1640199h, 0FE0076h, 0A4001Bh, 19501A5h
		dd 13D015Dh, 16F0179h, 1570196h, 174011Fh, 2F0169h, 1C00B8h
		dd 0A50120h, 0C80040h, 0E10059h, 0D00048h, 49012Bh, 2700D1h
		dd 0B001A6h, 0A6001Dh, 1340072h, 4100FAh, 3100C9h, 0BA0124h
		dd 0A7001Eh, 0B90030h, 0CB0043h, 0E6005Eh, 12F01AFh, 14A01A2h
		dd 104007Dh, 0AA0021h, 121001Fh, 4200A8h, 128019Fh, 0CA01A9h
		dd 0BB0032h, 0B20029h, 10C0085h, 0BC0033h, 0C4003Ch, 0F10069h
		dd 114019Ah, 1A30003h, 14C0138h, 8C0143h, 0BD0034h
aSysarm32:				; DATA XREF: .data:006B34A4o
		unicode	0, <\SysARM32>,0
aSystem32:				; DATA XREF: .data:off_6B3474o
					; .data:006B347Co ...
		unicode	0, <\System32>,0
aSyswow64:				; DATA XREF: .data:006B348Co
					; .data:006B349Co
		unicode	0, <\SysWOW64>,0
aSelockmemorypr:			; DATA XREF: .text:00404AC0o
		unicode	0, <SeLockMemoryPrivilege>,0
aSeincreasequot:			; DATA XREF: .text:00404AC4o
		unicode	0, <SeIncreaseQuotaPrivilege>,0
		align 4
aSecreatetokenp:			; DATA XREF: .text:off_404AB8o
		unicode	0, <SeCreateTokenPrivilege>,0
		align 4
aSeassignprimar:			; DATA XREF: .text:00404ABCo
		unicode	0, <SeAssignPrimaryTokenPrivilege>,0
aSesystemtimepr:			; DATA XREF: .text:00404AE0o
		unicode	0, <SeSystemtimePrivilege>,0
		align 10h
aSeprofilesingl:			; DATA XREF: .text:00404AE4o
		unicode	0, <SeProfileSingleProcessPrivilege>,0
aSeloaddriverpr:			; DATA XREF: .text:00404AD8o
		unicode	0, <SeLoadDriverPrivilege>,0
aSesystemprofil:			; DATA XREF: .text:00404ADCo
		unicode	0, <SeSystemProfilePrivilege>,0
		align 10h
aSesecuritypriv:			; DATA XREF: .text:00404AD0o
		unicode	0, <SeSecurityPrivilege>,0
aSetakeownershi:			; DATA XREF: .text:00404AD4o
		unicode	0, <SeTakeOwnershipPrivilege>,0
		align 4
aSemachineaccou:			; DATA XREF: .text:00404AC8o
		unicode	0, <SeMachineAccountPrivilege>,0
aSetcbprivilege:			; DATA XREF: .text:00404ACCo
		unicode	0, <SeTcbPrivilege>,0
		align 10h
aSedebugprivile:			; DATA XREF: .text:00404B00o
		unicode	0, <SeDebugPrivilege>,0
		align 4
aSeauditprivile:			; DATA XREF: .text:00404B04o
		unicode	0, <SeAuditPrivilege>,0
		align 4
aSerestoreprivi:			; DATA XREF: .text:00404AF8o
		unicode	0, <SeRestorePrivilege>,0
		align 10h
aSeshutdownpriv:			; DATA XREF: .text:00404AFCo
		unicode	0, <SeShutdownPrivilege>,0
aSecreateperman:			; DATA XREF: .text:00404AF0o
		unicode	0, <SeCreatePermanentPrivilege>,0
		align 10h
aSebackupprivil:			; DATA XREF: .text:00404AF4o
		unicode	0, <SeBackupPrivilege>,0
		align 8
aSeincreasebase:			; DATA XREF: .text:00404AE8o
		unicode	0, <SeIncreaseBasePriorityPrivilege>,0
aSecreatepagefi:			; DATA XREF: .text:00404AECo
		unicode	0, <SeCreatePagefilePrivilege>,0
aSemanagevolume:			; DATA XREF: .text:00404B20o
		unicode	0, <SeManageVolumePrivilege>,0
aSeimpersonatep:			; DATA XREF: .text:00404B24o
		unicode	0, <SeImpersonatePrivilege>,0
		align 4
aSesyncagentpri:			; DATA XREF: .text:00404B18o
		unicode	0, <SeSyncAgentPrivilege>,0
		align 4
aSeenabledelega:			; DATA XREF: .text:00404B1Co
		unicode	0, <SeEnableDelegationPrivilege>,0
aSeremoteshutdo:			; DATA XREF: .text:00404B10o
		unicode	0, <SeRemoteShutdownPrivilege>,0
aSeundockprivil:			; DATA XREF: .text:00404B14o
		unicode	0, <SeUndockPrivilege>,0
aSesystemenviro:			; DATA XREF: .text:00404B08o
		unicode	0, <SeSystemEnvironmentPrivilege>,0
		align 4
aSechangenotify:			; DATA XREF: .text:00404B0Co
		unicode	0, <SeChangeNotifyPrivilege>,0
		align 8
aSedelegatesess:			; DATA XREF: .text:00404B40o
		unicode	0, <SeDelegateSessionUserImpersonatePrivilege>,0
aSetimezonepriv:			; DATA XREF: .text:00404B38o
		unicode	0, <SeTimeZonePrivilege>,0
aSecreatesymbol:			; DATA XREF: .text:00404B3Co
		unicode	0, <SeCreateSymbolicLinkPrivilege>,0
aSerelabelprivi:			; DATA XREF: .text:00404B30o
		unicode	0, <SeRelabelPrivilege>,0
		align 4
aSeincreasework:			; DATA XREF: .text:00404B34o
		unicode	0, <SeIncreaseWorkingSetPrivilege>,0
aSecreateglobal:			; DATA XREF: .text:00404B28o
		unicode	0, <SeCreateGlobalPrivilege>,0
		align 8
aSetrustedcredm:			; DATA XREF: .text:00404B2Co
		unicode	0, <SeTrustedCredManAccessPrivilege>,0
aAbcdefghijklmn:			; DATA XREF: .text:00404B48o
		unicode	0, <ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._ >,0
asc_4196F8:				; DATA XREF: .text:00404C3Co
		unicode	0, <()>,0
		align 10h
asc_419700:				; DATA XREF: .text:00404C2Co
		unicode	0, < >,0
aX0123456789abc:			; DATA XREF: .text:00404B50o
		unicode	0, <x0123456789ABCDEF>,0
a0123456789:				; DATA XREF: .text:00404C34o
		unicode	0, <0123456789>,0
		align 10h

___safe_se_handler_table:		; DATA XREF: .text:00403988o
		in	al, 6		; DMA controller, 8237A-5.
					; channel 3 current address
		sbb	[eax], al
		pop	esp
		xor	bl, [eax]
		add	[eax+8001866h],	dh
		mov	ds, word ptr [eax]
		add	[edx+esi*4-480DFFE7h], bl
		sbb	[eax], eax
		sub	cl, dh
		sbb	[eax], eax
		push	ss
		xor	[edx], bl
		add	ds:28001A30h, bh
		xor	[edx], ebx
		add	[ecx], ch
		xor	[edx], ebx
		add	[edx], ch
		xor	[edx], ebx
		add	[ebx], ch
		xor	[edx], ebx
		add	[ecx+esi], ch
		sbb	al, [eax]
		sub	eax, 2E001A31h
		xor	[edx], ebx
		add	[edi], ch
		xor	[edx], ebx
		add	[eax], dh
		xor	[edx], ebx
		add	[ecx], dh
		xor	[edx], ebx
		add	[edx], dh
		xor	[edx], ebx
		add	[ebx], dh
		xor	[edx], ebx
		add	[ecx+esi], dh
		sbb	al, [eax]
		xor	eax, 36001A31h
		xor	[edx], ebx
		add	[edi], dh
		xor	[edx], ebx
		add	[eax], bh
		xor	[edx], ebx
		add	[ecx], bh
		xor	[edx], ebx
		add	[edx], bh
		xor	[edx], ebx
		add	[ebx], bh
		xor	[edx], ebx
		add	[ecx+esi], bh
		sbb	al, [eax]
		cmp	eax, 3E001A31h
		xor	[edx], ebx
		add	[edi], bh
		xor	[edx], ebx
		add	[eax+31h], al
		sbb	al, [eax]
		inc	ecx
		xor	[edx], ebx
		add	[edx+31h], al
		sbb	al, [eax]
		inc	ebx
		xor	[edx], ebx
		add	[ecx+esi+1Ah], al
		add	[ebp+31h], al
		sbb	al, [eax]
		inc	esi
		xor	[edx], ebx
		add	[edi+31h], al
		sbb	al, [eax]
		dec	eax
		xor	[edx], ebx
		add	[ecx+31h], cl
		sbb	al, [eax]
		dec	edx
		xor	[edx], ebx
		add	[ebx+31h], cl
		sbb	al, [eax]
		dec	esp
		xor	[edx], ebx
		add	[ebp+31h], cl
		sbb	al, [eax]
		dec	esi
		xor	[edx], ebx
		add	[edi+31h], cl
		sbb	al, [eax]
		push	eax
		xor	[edx], ebx
		add	[ecx+31h], dl
		sbb	al, [eax]
		push	edx
		xor	[edx], ebx
		add	[ebx+31h], dl
		sbb	al, [eax]
		push	esp
		xor	[edx], ebx
		add	[ebp+31h], dl
		sbb	al, [eax]
		push	esi
		xor	[edx], ebx
		add	[edi+31h], dl
		sbb	al, [eax]
		pop	eax
		xor	[edx], ebx
		add	[ecx+31h], bl
		sbb	al, [eax]
		pop	edx
		xor	[edx], ebx
		add	[ebx+31h], bl
		sbb	al, [eax]
		pop	esp
		xor	[edx], ebx
		add	[ebp+31h], bl
		sbb	al, [eax]
		pop	esi
		xor	[edx], ebx
		add	[edi+31h], bl
		sbb	al, [eax]
		pusha
		xor	[edx], ebx
		add	[ecx+31h], ah
		sbb	al, [eax]
		bound	esi, [ecx]
		sbb	al, [eax]
		arpl	[ecx], si
		sbb	al, [eax]
		xor	fs:[edx], ebx
		add	[ebp+31h], ah
		sbb	al, [eax]
		xor	[edx], bx
		add	[edi+31h], ah
		sbb	al, [eax]
		inc	ecx
		jbe	short loc_4198CB
		add	[ebx+59006476h], ch
		jp	short loc_4198D3
		add	ch, bh
		jnp	short loc_4198D7
		add	[edx+3300647Dh], bh
		jle	short near ptr loc_4198DE+1
		add	[esi-7Fh], dh
		add	fs:[edi-2BFF9B7Fh], al
		xchg	ah, [eax+eax+43h]
		mov	ah, [eax+eax+0]
; 
		db 3 dup(0)
; 

__TraceLoggingMetadata:			; DATA XREF: _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)+71o
					; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)+71o ...
		inc	ebp
		push	esp
		push	edi
		xor	[eax], dl
; 
		db 3 dup(0)
		dd 88040E86h, 0BB8A052Bh
		db 6
		db 0Bh,	5, 0		; DATA XREF: CmpSaveBootControlSet(x)+591o
		dd 0
		dd 4000h, 800039h, 53706D43h, 42657661h, 43746F6Fh, 72746E6Fh
		dd 65536C6Fh, 69614674h
		db 6Ch,	65h, 64h
; 

loc_4198CB:				; CODE XREF: .text:00419865j
		add	[ebx+74h], dh
		popa
		jz	short loc_419946
		jnb	short $+2

loc_4198D3:				; CODE XREF: .text:0041986Dj
		mov	[esi], cl
		push	eax
		popa

loc_4198D7:				; CODE XREF: .text:00419871j
		jb	short near ptr loc_41994C+1
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_419946+1

loc_4198DE:				; CODE XREF: .text:00419879j
		jbe	short loc_419934
		popa
		db	67h
		jnb	near ptr 98E4h
		or	al, [esi]

loc_4198E6:				; DATA XREF: CmpSaveBootControlSet(x)+484o
		or	eax, large ds:0
; 
		db    0
		align 2
		dw 40h
		db    0
		db 48h,	0, 80h
		db    0
aCmpsavebootcon	db 'CmpSaveBootControlSetSucceeded',0
aOpenkeysinvali	db 'openKeysInvalidated',0
; 
		or	[eax+61h], dl
		jb	short loc_4199A1
		inc	ecx
		pop	edi
		push	eax
		jb	short loc_41999B
		jbe	short loc_419988

loc_419934:				; CODE XREF: .text:loc_4198DEj
		popa
		db	67h
		jnb	near ptr 9938h
		or	al, [esi]

loc_41993A:				; DATA XREF: CmpInitHiveFromFile+17DEB0o
		or	eax, [edx+eax]
		or	[eax], al
; 
		db 0
		dd 0
; 
		add	[esi], bl

loc_419946:				; CODE XREF: .text:004198CFj
					; .text:004198DCj
		add	[eax+76694800h], al

loc_41994C:				; CODE XREF: .text:loc_4198D7j
		db	65h
		dec	esp
		outsd
		popa
		db	64h
		inc	esi
		jb	short loc_4199C3
		insd
		inc	esi
		imul	ebp, [ebp+0], 74617473h
		jnz	short loc_4199D3
		add	[eax+40B060Eh],	cl ; DATA XREF:	CmpInitHiveFromFile+17DD73o
		add	[eax], ecx
; 
		dd 0
		dd 1F000000h, 48008000h, 4C657669h, 4664616Fh, 466D6F72h
		dd 656C69h, 656C6966h
; 

loc_419988:				; CODE XREF: .text:00419932j
		push	eax
		popa
		jz	short loc_4199F4
		add	[esi], dl
		push	es

loc_41998F:				; DATA XREF: NtReplaceKey(x,x,x)+18Fo
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		db 2 dup(0), 30h
; 

loc_41999B:				; CODE XREF: .text:00419930j
		add	[eax+52744E00h], al

loc_4199A1:				; CODE XREF: .text:0041992Bj
		db	65h
		jo	short loc_419A10
		popa
		arpl	[ebp+4Bh], sp
		db	65h
		jns	short loc_4199F1
		popa
		imul	ebp, [ebp+64h],	61745300h
		jz	short loc_419A2B
		jnb	short $+2
		mov	[esi], cl
		push	eax
		popa
		jb	short loc_419A32
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_419A2B+1

loc_4199C3:				; CODE XREF: .text:00419952j
		jbe	short loc_419A19
		popa
		db	67h
		jnb	near ptr 99C9h
		or	al, [esi]

loc_4199CB:				; DATA XREF: NtReplaceKey(x,x,x)+35Bo
		or	eax, large ds:0
; 
		db 2 dup(0)
; 

loc_4199D3:				; CODE XREF: .text:0041995Ej
		inc	eax
; 
		db    0
		align 2
		dw 2Ah
		db  80h	; 
		align 2
aNtreplacekeysu	db 'NtReplaceKeySucceeded',0
; 
		push	eax

loc_4199F1:				; CODE XREF: .text:004199A8j
		popa
		jb	short loc_419A68

loc_4199F4:				; CODE XREF: .text:0041998Aj
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_419A60+2
		jbe	short loc_419A4F
		popa
		db	67h
		jnb	near ptr 99FFh
		or	al, [esi]

loc_419A01:				; DATA XREF: CmFcInitSystem3()+114o
		or	eax, large ds:0
; 
		db 0
		dd 4000h, 8000F9h
; 

loc_419A10:				; CODE XREF: .text:loc_4199A1j
		inc	edx
		outsd
		outsd
		jz	short near ptr loc_419A60+1
		outsd
		popa
; 
		db 64h
		db 65h
; 

loc_419A19:				; CODE XREF: .text:loc_4199C3j
		jb	short loc_419A5F
		imul	esp, [ecx+67h],	74736F6Eh
		imul	esp, [ebx+49h],	726F666Eh
		insd
		popa

loc_419A2B:				; CODE XREF: .text:004199B4j
					; .text:004199C1j
		jz	short near ptr loc_419A95+1
		outsd
		outsb
		add	[edi+72h], cl

loc_419A32:				; CODE XREF: .text:004199BCj
		imul	esp, [edi+69h],	426C616Eh
		outsd
		outsd
		jz	short loc_419A90
		jz	short near ptr loc_419A9F+1
		jz	short loc_419AB6
		jnb	short near ptr loc_419A95+1
		jz	short near ptr loc_419AA3+3
		jz	short loc_419AAC
		add	[esi+ecx*2], al
		db	65h
		ja	short loc_419A8F
		outsd
		outsd

loc_419A4F:				; CODE XREF: .text:004199F9j
		jz	short near ptr loc_419AA3+1
		jz	short loc_419AB4
		jz	short loc_419ACA
		jnb	short near ptr loc_419AA9+1
		jz	short loc_419ABA
		jz	short loc_419AC0
		add	[ebx+eax*2], al
		outsd

loc_419A5F:				; CODE XREF: .text:loc_419A19j
		outsb

loc_419A60:				; CODE XREF: .text:00419A13j
					; .text:004199F7j
		imul	sp, [edi+75h], 6172h
		jz	short loc_419AD1

loc_419A68:				; CODE XREF: .text:004199F2j
		outsd
		outsb
		dec	esp
		outsd
		popa
		db	64h, 65h
		add	fs:[esi+eax*2],	al
		insb
		popa
		db	67h
		jnb	near ptr 9A78h
		or	[ebx+6Fh], al
		outsb
		imul	sp, [edi+75h], 6172h
		jz	short loc_419AED
		outsd
		outsb
		inc	ebx
		outsd
		insd
		jo	short loc_419AEC
		jb	short loc_419AF6
		jnb	short loc_419AFE

loc_419A8F:				; CODE XREF: .text:00419A4Aj
		outsb

loc_419A90:				; CODE XREF: .text:00419A3Bj
		push	ebx
		jz	short near ptr loc_419AF3+1
		jz	short near ptr loc_419B06+4

loc_419A95:				; CODE XREF: .text:loc_419A2Bj
					; .text:00419A41j
		jnb	short $+2
		mov	[esi], cl
		inc	ebx
		jnz	short near ptr word_419B0E
		jb	short near ptr loc_419B01+2
		outsb

loc_419A9F:				; CODE XREF: .text:00419A3Dj
		jz	short near ptr loc_419AE3+1
		outsd
		outsb

loc_419AA3:				; CODE XREF: .text:loc_419A4Fj
					; .text:00419A43j
		imul	sp, [edi+75h], 6172h

loc_419AA9:				; CODE XREF: .text:00419A55j
		jz	short loc_419B14
		outsd

loc_419AAC:				; CODE XREF: .text:00419A45j
		outsb
		dec	esp
		outsd
		popa
		db	64h
		push	ebx
		jz	short near ptr loc_419B14+1

loc_419AB4:				; CODE XREF: .text:00419A51j
		jz	short near ptr loc_419B25+6

loc_419AB6:				; CODE XREF: .text:00419A3Fj
		jnb	short $+2
		mov	[esi], cl

loc_419ABA:				; CODE XREF: .text:00419A57j
		dec	esp
		imul	esp, [edi+43h],	6Fh
		outsb

loc_419AC0:				; CODE XREF: .text:00419A59j
		imul	sp, [edi+75h], 6172h
		jz	short loc_419B31
		outsd
		outsb

loc_419ACA:				; CODE XREF: .text:00419A53j
		dec	esp
		outsd
		popa
		db	64h
		push	ebx
		jz	short near ptr loc_419B31+1

loc_419AD1:				; CODE XREF: .text:00419A66j
		jz	short loc_419B48
		jnb	short $+2
		mov	[esi], cl
		push	ebp
		jnb	short near ptr loc_419B37+4
		db	67h, 65h
		push	ebx
		jnz	short loc_419B41
		jnb	short loc_419B44
		jb	short near ptr loc_419B49+3

loc_419AE3:				; CODE XREF: .text:loc_419A9Fj
		jo	short near ptr loc_419B53+6
		imul	ebp, [edi+6Eh],	64616F4Ch

loc_419AEC:				; CODE XREF: .text:00419A89j
		push	ebx

loc_419AED:				; CODE XREF: .text:00419A82j
		jz	short near ptr loc_419B4F+1
		jz	short near ptr loc_419B65+1
		jnb	short $+2

loc_419AF3:				; CODE XREF: .text:00419A91j
		mov	[esi], cl
		push	eax

loc_419AF6:				; CODE XREF: .text:00419A8Bj
		popa
		jb	short loc_419B6D
		inc	ecx
		pop	edi
		push	eax
		jb	short loc_419B67

loc_419AFE:				; CODE XREF: .text:00419A8Dj
		jbe	short near ptr loc_419B53+1
		popa

loc_419B01:				; CODE XREF: .text:00419A9Cj
		db	67h
		jnb	near ptr 9B04h
		or	al, [esi]

loc_419B06:				; CODE XREF: .text:00419A93j
					; DATA XREF: CmpOKToFollowLink(x,x):loc_7FFFFAo
		or	eax, large ds:0
; 
		db 2 dup(0)
word_419B0E	dw 0			; CODE XREF: .text:00419A9Aj
		dd 80002B00h
; 

loc_419B14:				; CODE XREF: .text:loc_419AA9j
					; .text:00419AB2j
		add	[ebx+65h], dl
		jb	short loc_419B8F
		db	65h
		jb	short near ptr loc_419B6E+1
		imul	ebp, [edi+ebp*2+53h], 6F626D79h
		insb

loc_419B25:				; CODE XREF: .text:loc_419AB4j
		imul	esp, [ebx+4Ch],	546B6E69h
		jb	short loc_419BA3
		jnb	short near ptr loc_419BA3+1
		inc	ebx

loc_419B31:				; CODE XREF: .text:00419AC6j
					; .text:00419ACFj
		push	466B6365h
		popa

loc_419B37:				; CODE XREF: .text:00419AD8j
					; DATA XREF: CmpOKToFollowLink(x,x)+B1o
		imul	ebp, [ebp+64h],	50B0600h
; 
		db 0
		db 0
; 

loc_419B41:				; CODE XREF: .text:00419ADDj
		add	[ecx], al
; 
		db 0
; 

loc_419B44:				; CODE XREF: .text:00419ADFj
		add	[eax], ah
; 
		dw 0
; 

loc_419B48:				; CODE XREF: .text:loc_419AD1j
		inc	esi

loc_419B49:				; CODE XREF: .text:00419AE1j
		add	[eax+72655300h], al

loc_419B4F:				; CODE XREF: .text:loc_419AEDj
		jbe	short near ptr loc_419BB5+1
		jb	short near ptr loc_419BA5+1

loc_419B53:				; CODE XREF: .text:loc_419AFEj
					; .text:loc_419AE3j
		imul	ebp, [edi+ebp*2+53h], 6F626D79h
		insb
		imul	esp, [ebx+4Ch],	546B6E69h
		jb	short near ptr loc_419BD9+1

loc_419B65:				; CODE XREF: .text:00419AEFj
		jnb	short loc_419BDB

loc_419B67:				; CODE XREF: .text:00419AFCj
		inc	ebx
		push	466B6365h

loc_419B6D:				; CODE XREF: .text:00419AF7j
		popa

loc_419B6E:				; CODE XREF: .text:00419B19j
		imul	ebp, [ebp+64h],	67674128h
		jb	short near ptr loc_419BDC+1
		db	67h
		popa
		jz	short near ptr loc_419BDC+5
		sub	[eax], eax
		push	eax
		popa
		jb	short loc_419BF6
		inc	ecx
		pop	edi
		push	eax
		jb	short loc_419BF0
		jbe	short near ptr loc_419BDC+1
		popa
		db	67h
		jnb	near ptr 9B8Dh
		or	al, [esi]

loc_419B8F:				; CODE XREF: .text:00419B17j
					; DATA XREF: CmLoadKey+11B8D3o
		or	eax, large ds:800h
; 
		db 3 dup(0)
		dd 12D0000h, 6D430080h
		db 4Ch,	6Fh, 61h
; 

loc_419BA3:				; CODE XREF: .text:00419B2Cj
					; .text:00419B2Ej
		db	64h
		dec	ebx

loc_419BA5:				; CODE XREF: .text:00419B51j
		db	65h
		jns	short near ptr loc_419BED+1
		popa
		imul	ebp, [ebp+64h],	61745300h
		jz	short loc_419C28
		jnb	short $+2

loc_419BB5:				; CODE XREF: .text:loc_419B4Fj
		mov	[esi], cl
		dec	eax
		imul	esi, [esi+65h],	64616F4Ch
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 6980065h
		push	ebp
		outsb
		jb	short loc_419C32
		arpl	[edi+76h], bp
		db	65h
		jb	short loc_419C34
		bound	ebp, [ebp+4Ch]
		outsd
		popa

loc_419BD9:				; CODE XREF: .text:00419B63j
		db	64h
		inc	esi

loc_419BDB:				; CODE XREF: .text:loc_419B65j
		popa

loc_419BDC:				; CODE XREF: .text:00419B76j
					; .text:00419B87j ...
		imul	ebp, [ebp+esi*2+72h], 756F4365h
		outsb
		jz	short $+2
		push	es
		push	edx
		arpl	gs:[edi+76h], bp

loc_419BED:				; CODE XREF: .text:loc_419BA5j
		db	65h
		jb	short loc_419C51

loc_419BF0:				; CODE XREF: .text:00419B85j
		bound	ebp, [ebp+4Ch]
		outsd
		popa

loc_419BF6:				; CODE XREF: .text:00419B80j
		db	64h
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 756F4365h
		outsb
		jz	short $+2
		push	es
		push	ebp
		outsb
		jb	short loc_419C6E
		arpl	[edi+76h], bp
		db	65h
		jb	short near ptr loc_419C6E+2
		bound	ebp, [ebp+4Ch]
		imul	ebp, [esi+6Bh],	6C696146h
		jnz	short near ptr loc_419C8C+2
		db	65h
		inc	ebx
		outsd
		jnz	short loc_419C8F
		jz	short $+2
		push	es
		push	ebp
		outsb
		jb	short near ptr loc_419C8C+1

loc_419C28:				; CODE XREF: .text:00419BB1j
		arpl	[edi+76h], bp
		db	65h
		jb	short loc_419C8F
		bound	ebp, [ebp+4Ch]

loc_419C32:				; CODE XREF: .text:00419BCBj
		outsd
		popa

loc_419C34:				; CODE XREF: .text:00419BD0j
		db	64h
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 636F4C65h
		popa
		jz	short loc_419CAB
		outsd
		outsb
		jnb	short $+2
		fadd	dword ptr [ebx]
		push	esp
		jns	short loc_419CBB
		add	gs:[edi], al
		push	ebx
		jz	short near ptr loc_419CB1+1

loc_419C51:				; CODE XREF: .text:loc_419BEDj
		jz	short near ptr loc_419CC2+6
		jnb	short $+2
		or	[eax+6Fh], dl
		imul	ebp, [esi+74h],	65520800h
		arpl	[edi+76h], bp
		db	65h
		jb	short near ptr loc_419CC2+4
		bound	ebp, [ebp+4Ch]
		outsd
		popa
		db	64h
		inc	esi
		popa

loc_419C6E:				; CODE XREF: .text:00419C07j
					; .text:00419C0Cj
		imul	ebp, [ebp+esi*2+72h], 636F4C65h
		popa
		jz	short loc_419CE2
		outsd
		outsb
		jnb	short $+2
		fadd	dword ptr [ebx]
		push	esp
		jns	short near ptr loc_419CF1+1
		add	gs:[edi], al
		push	ebx
		jz	short near ptr loc_419CE5+4
		jz	short near ptr loc_419CFB+4
		jnb	short $+2

loc_419C8C:				; CODE XREF: .text:00419C26j
					; .text:00419C1Aj
		or	[eax+6Fh], dl

loc_419C8F:				; CODE XREF: .text:00419C1Fj
					; .text:00419C2Bj
		imul	ebp, [esi+74h],	6E550800h
		jb	short near ptr loc_419CFB+2
		arpl	[edi+76h], bp
		db	65h
		jb	short near ptr loc_419CFB+4
		bound	ebp, [ebp+4Ch]
		imul	ebp, [esi+6Bh],	6C696146h
		jnz	short near ptr loc_419D1B+2

loc_419CAB:				; CODE XREF: .text:00419C40j
		db	65h
		dec	esp
		outsd
		arpl	[ecx+74h], sp

loc_419CB1:				; CODE XREF: .text:00419C4Fj
		imul	ebp, [edi+6Eh],	2D80073h
		push	ebx
		jz	short near ptr loc_419D1B+1

loc_419CBB:				; CODE XREF: .text:00419C49j
		jz	short loc_419D32
		jnb	short $+2
		or	[eax+6Fh], dl

loc_419CC2:				; CODE XREF: .text:00419C62j
					; .text:loc_419C51j
					; DATA XREF: ...
		imul	ebp, [esi+74h],	0B060800h
		add	eax, 800h
; 
		dw 0
		dd 47000040h, 43008000h, 616F4C6Dh, 79654B64h
		db 53h,	75h
; 

loc_419CE2:				; CODE XREF: .text:00419C77j
		arpl	[ebx+65h], sp

loc_419CE5:				; CODE XREF: .text:00419C86j
		db	65h, 64h, 65h
		sub	fs:[ecx+67h], al
		db	67h
		jb	near ptr 9D54h
		db	67h
		popa

loc_419CF1:				; CODE XREF: .text:00419C80j
		jz	short loc_419D58
		sub	[eax], eax
		inc	ebx
		outsd
		jnz	short near ptr loc_419D64+3
		jz	short $+2

loc_419CFB:				; CODE XREF: .text:00419C96j
					; .text:00419C88j ...
		mov	[eax+71808080h], eax
		push	ebx
		jz	short near ptr loc_419D64+1
		jz	short loc_419D7B
		jnb	short $+2
		mov	[esi], cl
		push	eax
		popa
		jb	short near ptr loc_419D7F+3
		inc	ecx
		pop	edi
		push	eax
		jb	short loc_419D7C
		jbe	short near ptr loc_419D64+5
		popa
		db	67h
		jnb	near ptr 9D19h
		or	al, [esi]

loc_419D1B:				; CODE XREF: .text:00419CB9j
					; .text:00419CA9j
					; DATA XREF: ...
		or	eax, large ds:800h
; 
		db 2 dup(0), 40h
		dd 1540000h, 6D430080h,	64616F4Ch
		db 4Bh,	65h
; 

loc_419D32:				; CODE XREF: .text:loc_419CBBj
		jns	short loc_419D7A
		popa
		imul	ebp, [ebp+64h],	67674128h
		jb	short loc_419DA4
		db	67h
		popa
		jz	short loc_419DA8
		sub	[eax], eax
		inc	ebx
		outsd
		jnz	short near ptr loc_419DB6+1
		jz	short $+2
		mov	[eax+71808080h], eax
		push	ebx
		jz	short near ptr loc_419DB2+3
		jz	short loc_419DCB
		jnb	short $+2

loc_419D58:				; CODE XREF: .text:loc_419CF1j
		mov	[esi], cl
		dec	eax
		imul	esi, [esi+65h],	64616F4Ch
		inc	esi
		popa

loc_419D64:				; CODE XREF: .text:00419D02j
					; .text:00419CF7j ...
		imul	ebp, [ebp+esi*2+72h], 6980065h
		push	ebp
		outsb
		jb	short loc_419DD5
		arpl	[edi+76h], bp
		db	65h
		jb	short loc_419DD7
		bound	ebp, [ebp+4Ch]

loc_419D7A:				; CODE XREF: .text:loc_419D32j
		outsd

loc_419D7B:				; CODE XREF: .text:00419D04j
		popa

loc_419D7C:				; CODE XREF: .text:00419D11j
		db	64h
		inc	esi
		popa

loc_419D7F:				; CODE XREF: .text:00419D0Cj
		imul	ebp, [ebp+esi*2+72h], 756F4365h
		outsb
		jz	short $+2
		push	es
		push	edx
		arpl	gs:[edi+76h], bp
		db	65h
		jb	short loc_419DF4
		bound	ebp, [ebp+4Ch]
		outsd
		popa
		db	64h
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 756F4365h

loc_419DA4:				; CODE XREF: .text:00419D3Dj
		outsb
		jz	short $+2
		push	es

loc_419DA8:				; CODE XREF: .text:00419D41j
		push	ebp
		outsb
		jb	short loc_419E11
		arpl	[edi+76h], bp
		db	65h
		jb	short near ptr loc_419E11+2

loc_419DB2:				; CODE XREF: .text:00419D52j
		bound	ebp, [ebp+4Ch]

loc_419DB6:				; CODE XREF: .text:00419D47j
		imul	ebp, [esi+6Bh],	6C696146h
		jnz	short near ptr loc_419E2F+2
		db	65h
		inc	ebx
		outsd
		jnz	short loc_419E32
		jz	short $+2
		push	es
		push	ebp
		outsb
		jb	short near ptr loc_419E2F+1

loc_419DCB:				; CODE XREF: .text:00419D54j
		arpl	[edi+76h], bp
		db	65h
		jb	short loc_419E32
		bound	ebp, [ebp+4Ch]

loc_419DD5:				; CODE XREF: .text:00419D6Ej
		outsd
		popa

loc_419DD7:				; CODE XREF: .text:00419D73j
		db	64h
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 636F4C65h
		popa
		jz	short loc_419E4E
		outsd
		outsb
		jnb	short $+2
		fadd	dword ptr [ebx]
		push	esp
		jns	short loc_419E5E
		add	gs:[edi], al
		push	ebx
		jz	short near ptr loc_419E54+1

loc_419DF4:				; CODE XREF: .text:00419D90j
		jz	short near ptr loc_419E65+6
		jnb	short $+2
		or	[eax+6Fh], dl
		imul	ebp, [esi+74h],	65520800h
		arpl	[edi+76h], bp
		db	65h
		jb	short near ptr loc_419E65+4
		bound	ebp, [ebp+4Ch]
		outsd
		popa
		db	64h
		inc	esi
		popa

loc_419E11:				; CODE XREF: .text:00419DAAj
					; .text:00419DAFj
		imul	ebp, [ebp+esi*2+72h], 636F4C65h
		popa
		jz	short loc_419E85
		outsd
		outsb
		jnb	short $+2
		fadd	dword ptr [ebx]
		push	esp
		jns	short near ptr loc_419E94+1
		add	gs:[edi], al
		push	ebx
		jz	short loc_419E8C
		jz	short loc_419EA2
		jnb	short $+2

loc_419E2F:				; CODE XREF: .text:00419DC9j
					; .text:00419DBDj
		or	[eax+6Fh], dl

loc_419E32:				; CODE XREF: .text:00419DC2j
					; .text:00419DCEj
		imul	ebp, [esi+74h],	6E550800h
		jb	short near ptr loc_419E9C+4
		arpl	[edi+76h], bp
		db	65h
		jb	short loc_419EA2
		bound	ebp, [ebp+4Ch]
		imul	ebp, [esi+6Bh],	6C696146h
		jnz	short loc_419EC0

loc_419E4E:				; CODE XREF: .text:00419DE3j
		db	65h
		dec	esp
		outsd
		arpl	[ecx+74h], sp

loc_419E54:				; CODE XREF: .text:00419DF2j
		imul	ebp, [edi+6Eh],	2D80073h
		push	ebx
		jz	short near ptr loc_419EBE+1

loc_419E5E:				; CODE XREF: .text:00419DECj
		jz	short near ptr loc_419ECE+7
		jnb	short $+2
		or	[eax+6Fh], dl

loc_419E65:				; CODE XREF: .text:00419E05j
					; .text:loc_419DF4j
		imul	ebp, [esi+74h],	61500800h
		jb	short near ptr loc_419EE0+2
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_419EDB+1
		jbe	short loc_419EC9
		popa
		db	67h
		jnb	near ptr 9E79h
		or	al, [esi]

loc_419E7B:				; DATA XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+DD2o
		or	eax, large ds:800h
; 
		db 2 dup(0), 40h
		db 0
; 

loc_419E85:				; CODE XREF: .text:00419E1Aj
		add	[esi+0], bl
		add	byte ptr [eax],	43h
		insd

loc_419E8C:				; CODE XREF: .text:00419E29j
		dec	esp
		outsd
		popa
		db	64h
		inc	ecx
		jo	short near ptr loc_419F02+1
		dec	ebx

loc_419E94:				; CODE XREF: .text:00419E23j
		db	65h
		jns	short near ptr loc_419EE5+5
		jnz	short loc_419EFC
		arpl	[ebp+65h], sp

loc_419E9C:				; CODE XREF: .text:00419E39j
		db	64h, 65h
		sub	fs:[ecx+67h], al

loc_419EA2:				; CODE XREF: .text:00419E2Bj
					; .text:00419E3Ej
		db	67h
		jb	near ptr 9F0Ah
		db	67h
		popa
		jz	short loc_419F0E
		sub	[eax], eax
		inc	ebx
		outsd
		jnz	short near ptr loc_419F18+5
		jz	short $+2
		mov	[eax+71808080h], eax
		push	ebx
		jz	short near ptr loc_419F18+3
		jz	short loc_419F31
		jnb	short $+2

loc_419EBE:				; CODE XREF: .text:00419E5Cj
		mov	[esi], cl

loc_419EC0:				; CODE XREF: .text:00419E4Cj
		dec	eax
		imul	esi, [esi+65h],	65726C41h
		popa

loc_419EC9:				; CODE XREF: .text:00419E73j
		db	64h
		jns	short loc_419F18
		outsd
		popa

loc_419ECE:				; CODE XREF: .text:loc_419E5Ej
		db	64h, 65h
		add	fs:[ebx+eax+74726150h],	al
		inc	ecx
		pop	edi
		push	eax

loc_419EDB:				; CODE XREF: .text:00419E71j
		jb	short near ptr loc_419F43+3
		jbe	short near ptr loc_419F31+2
		popa

loc_419EE0:				; CODE XREF: .text:00419E6Cj
		db	67h
		jnb	near ptr 9EE3h
		or	al, [esi]

loc_419EE5:				; CODE XREF: .text:loc_419E94j
					; DATA XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+B1Eo
		or	eax, large ds:800h
; 
		db 0
		dd 4000h, 800157h, 6F4C6D43h, 70416461h
; 

loc_419EFC:				; CODE XREF: .text:00419E97j
		jo	short loc_419F49
		db	65h
		jns	short loc_419F47
		popa

loc_419F02:				; CODE XREF: .text:00419E91j
		imul	ebp, [ebp+64h],	67674128h
		jb	short loc_419F71
		db	67h
		popa

loc_419F0E:				; CODE XREF: .text:00419EA7j
		jz	short loc_419F75
		sub	[eax], eax
		inc	ebx
		outsd
		jnz	short near ptr loc_419F83+1
		jz	short $+2

loc_419F18:				; CODE XREF: .text:loc_419EC9j
					; .text:00419EB8j ...
		mov	[eax+71808080h], eax
		push	ebx
		jz	short near ptr loc_419F7F+3
		jz	short loc_419F98
		jnb	short $+2
		mov	[esi], cl
		dec	eax
		imul	esi, [esi+65h],	64616F4Ch
		inc	esi
		popa

loc_419F31:				; CODE XREF: .text:00419EBAj
					; .text:00419EDDj
		imul	ebp, [ebp+esi*2+72h], 6980065h
		push	ebp
		outsb
		jb	short loc_419FA2
		arpl	[edi+76h], bp
		db	65h
		jb	short loc_419FA4

loc_419F43:				; CODE XREF: .text:loc_419EDBj
		bound	ebp, [ebp+4Ch]

loc_419F47:				; CODE XREF: .text:00419EFEj
		outsd
		popa

loc_419F49:				; CODE XREF: .text:loc_419EFCj
		db	64h
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 756F4365h
		outsb
		jz	short $+2
		push	es
		push	edx
		arpl	gs:[edi+76h], bp
		db	65h
		jb	short loc_419FC1
		bound	ebp, [ebp+4Ch]
		outsd
		popa
		db	64h
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 756F4365h

loc_419F71:				; CODE XREF: .text:00419F0Aj
		outsb
		jz	short $+2
		push	es

loc_419F75:				; CODE XREF: .text:loc_419F0Ej
		push	ebp
		outsb
		jb	short loc_419FDE
		arpl	[edi+76h], bp
		db	65h
		jb	short near ptr loc_419FDE+2

loc_419F7F:				; CODE XREF: .text:00419F1Fj
		bound	ebp, [ebp+4Ch]

loc_419F83:				; CODE XREF: .text:00419F14j
		imul	ebp, [esi+6Bh],	6C696146h
		jnz	short near ptr loc_419FFC+2
		db	65h
		inc	ebx
		outsd
		jnz	short loc_419FFF
		jz	short $+2
		push	es
		push	ebp
		outsb
		jb	short near ptr loc_419FFC+1

loc_419F98:				; CODE XREF: .text:00419F21j
		arpl	[edi+76h], bp
		db	65h
		jb	short loc_419FFF
		bound	ebp, [ebp+4Ch]

loc_419FA2:				; CODE XREF: .text:00419F3Bj
		outsd
		popa

loc_419FA4:				; CODE XREF: .text:00419F40j
		db	64h
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 636F4C65h
		popa
		jz	short loc_41A01B
		outsd
		outsb
		jnb	short $+2
		fadd	dword ptr [ebx]
		push	esp
		jns	short loc_41A02B
		add	gs:[edi], al
		push	ebx
		jz	short near ptr loc_41A021+1

loc_419FC1:				; CODE XREF: .text:00419F5Dj
		jz	short near ptr loc_41A032+6
		jnb	short $+2
		or	[eax+6Fh], dl
		imul	ebp, [esi+74h],	65520800h
		arpl	[edi+76h], bp
		db	65h
		jb	short near ptr loc_41A032+4
		bound	ebp, [ebp+4Ch]
		outsd
		popa
		db	64h
		inc	esi
		popa

loc_419FDE:				; CODE XREF: .text:00419F77j
					; .text:00419F7Cj
		imul	ebp, [ebp+esi*2+72h], 636F4C65h
		popa
		jz	short loc_41A052
		outsd
		outsb
		jnb	short $+2
		fadd	dword ptr [ebx]
		push	esp
		jns	short near ptr loc_41A061+1
		add	gs:[edi], al
		push	ebx
		jz	short near ptr loc_41A054+5
		jz	short loc_41A06F
		jnb	short $+2

loc_419FFC:				; CODE XREF: .text:00419F96j
					; .text:00419F8Aj
		or	[eax+6Fh], dl

loc_419FFF:				; CODE XREF: .text:00419F8Fj
					; .text:00419F9Bj
		imul	ebp, [esi+74h],	6E550800h
		jb	short loc_41A06D
		arpl	[edi+76h], bp
		db	65h
		jb	short loc_41A06F
		bound	ebp, [ebp+4Ch]
		imul	ebp, [esi+6Bh],	6C696146h
		jnz	short near ptr loc_41A08C+1

loc_41A01B:				; CODE XREF: .text:00419FB0j
		db	65h
		dec	esp
		outsd
		arpl	[ecx+74h], sp

loc_41A021:				; CODE XREF: .text:00419FBFj
		imul	ebp, [edi+6Eh],	2D80073h
		push	ebx
		jz	short loc_41A08C

loc_41A02B:				; CODE XREF: .text:00419FB9j
		jz	short near ptr loc_41A0A1+1
		jnb	short $+2
		or	[eax+6Fh], dl

loc_41A032:				; CODE XREF: .text:00419FD2j
					; .text:loc_419FC1j
		imul	ebp, [esi+74h],	61500800h
		jb	short near ptr loc_41A0AC+3
		inc	ecx
		pop	edi
		push	eax
		jb	short loc_41A0A9
		jbe	short near ptr loc_41A095+1
		popa
		db	67h
		jnb	near ptr 0A046h
		or	al, [esi]

loc_41A048:				; DATA XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+D2Bo
		or	eax, large ds:800h
; 
		dw 0
		db 2 dup(0)
; 

loc_41A052:				; CODE XREF: .text:00419FE7j
		add	[eax], dh

loc_41A054:				; CODE XREF: .text:00419FF6j
		add	[eax+4C6D4300h], eax
		outsd
		popa
		db	64h
		inc	ecx
		jo	short near ptr loc_41A0CF+1
		dec	ebx

loc_41A061:				; CODE XREF: .text:00419FF0j
		db	65h
		jns	short near ptr loc_41A0A9+1
		popa
		imul	ebp, [ebp+64h],	61745300h

loc_41A06D:				; CODE XREF: .text:0041A006j
		jz	short loc_41A0E4

loc_41A06F:				; CODE XREF: .text:00419FF8j
					; .text:0041A00Bj
		jnb	short $+2
		mov	[esi], cl
		dec	eax
		imul	esi, [esi+65h],	64616F4Ch
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 6980065h
		push	ebp
		outsb
		jb	short loc_41A0EE
		arpl	[edi+76h], bp

loc_41A08C:				; CODE XREF: .text:0041A029j
					; .text:0041A019j
		db	65h
		jb	short loc_41A0F0
		bound	ebp, [ebp+4Ch]
		outsd
		popa

loc_41A095:				; CODE XREF: .text:0041A040j
		db	64h
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 756F4365h
		outsb

loc_41A0A1:				; CODE XREF: .text:loc_41A02Bj
		jz	short $+2
		push	es
		push	edx
		arpl	gs:[edi+76h], bp

loc_41A0A9:				; CODE XREF: .text:0041A03Ej
					; .text:loc_41A061j
		db	65h
		jb	short loc_41A10D

loc_41A0AC:				; CODE XREF: .text:0041A039j
		bound	ebp, [ebp+4Ch]
		outsd
		popa
		db	64h
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 756F4365h
		outsb
		jz	short $+2
		push	es
		push	ebp
		outsb
		jb	short loc_41A12A
		arpl	[edi+76h], bp
		db	65h
		jb	short near ptr loc_41A12A+2
		bound	ebp, [ebp+4Ch]

loc_41A0CF:				; CODE XREF: .text:0041A05Ej
		imul	ebp, [esi+6Bh],	6C696146h
		jnz	short near ptr loc_41A148+2
		db	65h
		inc	ebx
		outsd
		jnz	short loc_41A14B
		jz	short $+2
		push	es
		push	ebp
		outsb
		jb	short near ptr loc_41A148+1

loc_41A0E4:				; CODE XREF: .text:loc_41A06Dj
		arpl	[edi+76h], bp
		db	65h
		jb	short loc_41A14B
		bound	ebp, [ebp+4Ch]

loc_41A0EE:				; CODE XREF: .text:0041A087j
		outsd
		popa

loc_41A0F0:				; CODE XREF: .text:loc_41A08Cj
		db	64h
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 636F4C65h
		popa
		jz	short loc_41A167
		outsd
		outsb
		jnb	short $+2
		fadd	dword ptr [ebx]
		push	esp
		jns	short loc_41A177
		add	gs:[edi], al
		push	ebx
		jz	short near ptr loc_41A16D+1

loc_41A10D:				; CODE XREF: .text:loc_41A0A9j
		jz	short near ptr loc_41A17E+6
		jnb	short $+2
		or	[eax+6Fh], dl
		imul	ebp, [esi+74h],	65520800h
		arpl	[edi+76h], bp
		db	65h
		jb	short near ptr loc_41A17E+4
		bound	ebp, [ebp+4Ch]
		outsd
		popa
		db	64h
		inc	esi
		popa

loc_41A12A:				; CODE XREF: .text:0041A0C3j
					; .text:0041A0C8j
		imul	ebp, [ebp+esi*2+72h], 636F4C65h
		popa
		jz	short loc_41A19E
		outsd
		outsb
		jnb	short $+2
		fadd	dword ptr [ebx]
		push	esp
		jns	short loc_41A1AE
		add	gs:[edi], al
		push	ebx
		jz	short near ptr loc_41A1A1+4
		jz	short loc_41A1BB
		jnb	short $+2

loc_41A148:				; CODE XREF: .text:0041A0E2j
					; .text:0041A0D6j
		or	[eax+6Fh], dl

loc_41A14B:				; CODE XREF: .text:0041A0DBj
					; .text:0041A0E7j
		imul	ebp, [esi+74h],	6E550800h
		jb	short loc_41A1B9
		arpl	[edi+76h], bp
		db	65h
		jb	short loc_41A1BB
		bound	ebp, [ebp+4Ch]
		imul	ebp, [esi+6Bh],	6C696146h
		jnz	short near ptr loc_41A1D8+1

loc_41A167:				; CODE XREF: .text:0041A0FCj
		db	65h
		dec	esp
		outsd
		arpl	[ecx+74h], sp

loc_41A16D:				; CODE XREF: .text:0041A10Bj
		imul	ebp, [edi+6Eh],	2D80073h
		push	ebx
		jz	short loc_41A1D8

loc_41A177:				; CODE XREF: .text:0041A105j
		jz	short loc_41A1EE
		jnb	short $+2
		or	[eax+6Fh], dl

loc_41A17E:				; CODE XREF: .text:0041A11Ej
					; .text:loc_41A10Dj
					; DATA XREF: ...
		imul	ebp, [esi+74h],	0B060800h
		add	eax, 800h
; 
		dw 0
		dd 4D000040h, 43008000h, 616F4C6Dh, 70704164h
		db 4Bh,	65h
; 

loc_41A19E:				; CODE XREF: .text:0041A133j
		jns	short near ptr off_41A1E6
		popa

loc_41A1A1:				; CODE XREF: .text:0041A142j
		imul	ebp, [ebp+64h],	6E496F4Eh
		outsw
		sub	[ecx+67h], al

loc_41A1AE:				; CODE XREF: .text:0041A13Cj
		db	67h
		jb	near ptr 0A216h
		db	67h
		popa
		jz	short near ptr loc_41A213+7
		sub	[eax], eax
		inc	ebx
		outsd

loc_41A1B9:				; CODE XREF: .text:0041A152j
		jnz	short loc_41A229

loc_41A1BB:				; CODE XREF: .text:0041A144j
					; .text:0041A157j
		jz	short $+2
		mov	[eax+71808080h], eax
		push	ebx
		jz	short loc_41A227
		jz	short near ptr loc_41A23C+1
		jnb	short $+2
		mov	[esi], cl
		push	eax
		popa
		jb	short near ptr loc_41A243+1
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41A23C+2
		jbe	short near ptr loc_41A22A+1
		popa

loc_41A1D8:				; CODE XREF: .text:0041A175j
					; .text:0041A165j
		db	67h
		jnb	near ptr 0A1DBh
		or	al, [esi]

loc_41A1DD:				; DATA XREF: CmpTraceSecurityChanging+183090o
		or	eax, large ds:200h
; 
		db 0
		db 2 dup(0)
off_41A1E6	dd offset loc_5FFFFF+1	; CODE XREF: .text:loc_41A19Ej
		dw 80h
		db 53h,	65h
; 

loc_41A1EE:				; CODE XREF: .text:loc_41A177j
		arpl	[ebp+72h], si
		imul	esi, [ecx+edi*2+44h], 72637365h
		imul	esi, [eax+74h],	6843726Fh
		popa
		outsb
		imul	ebp, [bp+67h], 79654B00h
		push	eax
		popa
		jz	short loc_41A276
		add	[esi], dl
		dec	edi
		jb	short loc_41A27C

loc_41A213:				; CODE XREF: .text:0041A1B3j
		imul	ebp, [bp+61h], 44536Ch
		push	cs
		dec	ecx
		outsb
		outsw
		jb	short near ptr loc_41A288+7
		popa
		jz	short near ptr loc_41A288+6
		outsd
		outsb

loc_41A227:				; CODE XREF: .text:0041A1C4j
		push	esp
		outsd

loc_41A229:				; CODE XREF: .text:loc_41A1B9j
		inc	ebx

loc_41A22A:				; CODE XREF: .text:0041A1D5j
		push	65676E61h
		add	[eax], cl
		inc	ebx
		push	65676E61h
		push	ebx
		inc	esp
		add	[esi], cl
		push	edx

loc_41A23C:				; CODE XREF: .text:0041A1C6j
					; .text:0041A1D3j
		db	65h
		jnb	short loc_41A2B4
		insb
		jz	short loc_41A2AB
		outsb

loc_41A243:				; CODE XREF: .text:0041A1CEj
		db	67h
		push	ebx
		inc	esp
		add	[esi], cl
		push	es

loc_41A249:				; DATA XREF: CmpFlushHive+25Ao
		or	eax, [eax+eax]
; 
		dd 2 dup(0)
		dd 80003Fh, 65766948h, 73756C46h, 6E6F4368h, 6C6F7274h
		dd 61746144h, 656E6547h, 65746172h
		db 64h,	0
; 

loc_41A276:				; CODE XREF: .text:0041A20Cj
		arpl	[edi+6Eh], bp
		jz	short loc_41A2ED
		outsd

loc_41A27C:				; CODE XREF: .text:0041A211j
		insb
		inc	esi
		insb
		popa
		db	67h
		jnb	near ptr 0A283h
		or	[edi+ebp*2+67h], ch
		inc	esi

loc_41A288:				; CODE XREF: .text:0041A223j
					; .text:0041A220j
		imul	ebp, [ebp+53h],	75746174h
		jnb	short $+2
		or	[esi], al

loc_41A294:				; DATA XREF: CmpFlushHive+96o
		or	eax, [ecx+eax]
; 
		db 0
		dd 0
		dd 2B000000h, 48008000h, 46657669h
		db 6Ch,	75h, 73h
; 

loc_41A2AB:				; CODE XREF: .text:0041A240j
		push	756F6D00h
		outsb
		jz	short loc_41A303
		outsd

loc_41A2B4:				; CODE XREF: .text:loc_41A23Cj
		imul	ebp, [esi+74h],	69661600h
		insb
		db	65h
		push	eax
		popa
		jz	short loc_41A329
		add	[esi], dl
		db	66h
		insb
		popa
		db	67h
		jnb	near ptr 0A2C9h
		or	[esi], al

loc_41A2CB:				; DATA XREF: CmpFlushHive+153o
		or	eax, [edx+eax]
; 
		dw 0
		dd 0
		dd 170000h, 69480080h, 6C466576h, 687375h, 74617473h, 88007375h
; 
		push	cs

loc_41A2ED:				; CODE XREF: .text:0041A279j
		push	es

loc_41A2EE:				; DATA XREF: CmpLogFlushPhaseEnd(x,x,x)+3Co
		or	eax, [edx+eax]
; 
		db 3 dup(0)
		dd 0
		dd 80002300h, 76694800h
		db 65h,	46h, 6Ch
; 

loc_41A303:				; CODE XREF: .text:0041A2B1j
		jnz	short loc_41A378
		push	73616850h
		add	gs:[eax+68h], dh
		popa
		jnb	short loc_41A376
		add	[ebx+esi*2], al
		jz	short near ptr loc_41A376+1
		jz	short loc_41A38D
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41A31D:				; DATA XREF: CmpLogFlushPhaseStart(x,x)+31o
		or	eax, [ecx+eax]
; 
		dd 2 dup(0)
		db 1Ah
; 

loc_41A329:				; CODE XREF: .text:0041A2BFj
		add	[eax+76694800h], al
		db	65h
		inc	esi
		insb
		jnz	short near ptr loc_41A3A5+2
		push	73616850h
		add	gs:[eax+68h], dh
		popa
		jnb	short loc_41A3A5
		add	[esi+eax], al

loc_41A343:				; DATA XREF: CmpAbortLightWeightTransaction(x)+91o
		or	eax, large ds:102h
; 
		db 3 dup(0)
		db    0
		align 2
		dw 2Ah
		db  80h	; 
		align 2
aCmptranslightw	db 'CmpTransLightWeightRollback',0
		dw 6F55h
		dd 756F4377h
		db 6Eh,	74h
; 

loc_41A376:				; CODE XREF: .text:0041A30Fj
					; .text:0041A314j
		add	[eax], cl

loc_41A378:				; CODE XREF: .text:loc_41A303j
		push	es

loc_41A379:				; DATA XREF: CmpAbortLightWeightTransaction(x)+40o
		or	eax, large ds:101h
; 
		db 0
		dd 0
		dd 800020h, 54706D43h
		db 72h
; 

loc_41A38D:				; CODE XREF: .text:0041A316j
		popa
		outsb
		jnb	short loc_41A3DD
		imul	esp, [edi+68h],	69655774h
		db	67h
		push	6C6F5274h
		insb
		bound	esp, [ecx+63h]
		imul	eax, [eax], 6

loc_41A3A5:				; CODE XREF: .text:0041A33Ej
					; .text:0041A332j
					; DATA XREF: ...
		or	eax, large ds:102h
; 
		db 0
		align 10h
		dd 800037h
aCmpcommitprepa	db 'CmpCommitPreparedLightWeightTransaction',0
; 
		push	ebp

loc_41A3DD:				; CODE XREF: .text:0041A38Fj
		outsd
		push	edi
		and	[ebx+6Fh], al
		jnz	short loc_41A452
		jz	short $+2
		or	[esi], al

loc_41A3E8:				; DATA XREF: CmpCommitPreparedLightWeightTransaction+ABF68o
		or	eax, large ds:101h
; 
		dw 0
		db    0
		db 2 dup(0), 2Ch
		db    0
		db 80h,	0, 43h
aMpcommitprepar	db 'mpCommitPreparedLightWeightTransaction',0
		db 6
dword_41A420	dd 102050Bh, 0		; DATA XREF: CmpPrepareLightWeightTransaction+ABF01o
		db    0
		db 2 dup(0), 25h
		db    0
		db 80h,	0, 43h
aMppreparelight	db 'mpPrepareLightWeightTransaction',0
		db 6
byte_41A451	db 0Bh			; DATA XREF: CmpPrepareLightWeightTransaction+ABED8o
; 

loc_41A452:				; CODE XREF: .text:0041A3E2j
		add	eax, 101h
; 
		db 0
		dd 0
		dd 800025h, 50706D43h, 61706572h, 694C6572h, 57746867h
		dd 68676965h, 61725474h, 6361736Eh, 6E6F6974h
		db 0, 6
word_41A482	dw 50Bh			; DATA XREF: CmpBounceContextStart+105F78o
		dd 400h, 0
		db    0
		db 37h,	0, 80h
		db    0
aBouncebufferne	db 'BounceBufferNeeded',0
aCount		db 'Count',0
aIaaaaqreason	db 'qReason',0
		db 4
aSizebucket	db 'SizeBucket',0
		db 0Ah
		db 6
byte_41A4C5	db 0Bh,	5, 0		; DATA XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+74Ao
		dd 0
		db    0
		db 40h,	2 dup(0)
		db  4Dh	; M
		db 1, 80h, 0
aHiveselfhealed	db 'HiveSelfHealed',0
aCheckregistryr	db 'CheckRegistryReturnCode',0
		db 88h
		db  0Eh
aHiveloadfailur	db 'HiveLoadFailure',0
		db 98h,	6, 55h
aNrecoverablelo	db 'nrecoverableLoadFailureCount',0
		db 6, 52h, 65h
aCoverableloadf	db 'coverableLoadFailureCount',0
		dw 5506h
aNrecoverableli	db 'nrecoverableLinkFailureCount',0
		db 6, 55h, 6Eh
aRecoverableloa	db 'recoverableLoadFailureLocations',0
		db 0D8h	; 
		db 3, 54h, 79h
		db  70h	; p
		db 65h,	0, 7
aStatus		db 'Status',0
aPoint		db 8,'Point',0
aRecoverablel_0	db 8,'RecoverableLoadFailureLocations',0
		db 0D8h
		db    3
aType		db 'Type',0
aStatus_0	db 7,'Status',0
aPoint_0	db 8,'Point',0
aUnrecoverablel	db 8,'UnrecoverableLinkFailureLocations',0
		dd 745302D8h, 73757461h, 6F500800h, 746E69h, 72615008h
		dd 505F4174h, 54766972h, 736761h
		db 0Ah,	6
word_41A61E	dw 50Bh			; DATA XREF: CmpReorganizeHive+184CE2o
		dd 0
		db    0
		align 2
		dw 40h
		db    0
		db 4Ah,	0, 80h
		db    0
aHivereorganize	db 'HiveReorganized',0
aLastreorganize	db 'lastReorganizeTime',0
aOldsize	db 0Ah
		db 'oldSize',0
aNewsize	db 8,'newSize',0
aParta_privtags	db 8,'PartA_PrivTags',0
		dw 60Ah
dword_41A674	dd 50Bh, 0		; DATA XREF: CmpReorganizeHive+184BB5o
		db  40h	; @
		dd offset loc_5BFFFF+1
		db 80h,	0, 48h
aIvereorganizat	db 'iveReorganizationResultedInDifferentKeyCount',0
aOldkeycount	db 'oldKeyCount',0
aNewkeycount	db 8,'newKeyCount',0
aParta_privta_0	db 8,'PartA_PrivTags',0
		dw 60Ah
dword_41A6DC	dd 50Bh, 0		; DATA XREF: CmpReorganizeHive+184743o
		db  40h	; @
		db 2 dup(0), 36h
		db    0
		db 80h,	0, 48h
aIvereorganiz_0	db 'iveReorganizationFailed',0
aStatus_1	db 'status',0
		db 88h
		dd 7261500Eh, 505F4174h, 54766972h, 736761h
		db 0Ah,	6
word_41A71E	dw 50Bh			; DATA XREF: CmpReorganizeHive+184AA3o
		dd 0
		db    0
		align 2
		dw 40h
		db    0
		db 61h,	1, 80h
		db    0
aHivereorganiza	db 'HiveReorganizationValidationFailed',0
aCheckregistr_0	db 'checkRegistryReturnCode',0
		dd 69680E88h, 6F4C6576h, 61466461h, 72756C69h, 6980065h
aUnrecoverabl_0	db 'UnrecoverableLoadFailureCount',0
		dw 5206h
aEcoverableload	db 'ecoverableLoadFailureCount',0
		db 6
aUnrecoverabl_1	db 'UnrecoverableLinkFailureCount',0
		dw 5506h
aNrecoverable_0	db 'nrecoverableLoadFailureLocations',0
		db 0D8h, 3, 54h
		dd offset loc_657075+4
		db    7
aStatus_2	db 'Status',0
aPoint_1	db 8,'Point',0
aRecoverablel_1	db 8,'RecoverableLoadFailureLocations',0
		db 0D8h	; 
		db 3, 54h, 79h
		db  70h	; p
		db 65h,	0, 7
aStatus_3	db 'Status',0
aPoint_2	db 8,'Point',0
aUnrecoverabl_2	db 8,'UnrecoverableLinkFailureLocations',0
		db 0D8h, 2, 53h
aTatus		db 'tatus',0
aPoint_3	db 8,'Point',0
aParta_privta_1	db 8,'PartA_PrivTags',0
		db 0Ah,	6
byte_41A88B	db 0Bh			; DATA XREF: CmpLogHiveFileInaccessible+12424Fo
		db    3
		align 2
		dw 8
		db    0
		db 2 dup(0), 20h
		dd offset loc_52FFFF+1
		db  80h	; 
		align 2
aHiveloadfilein	db 'HiveLoadFileInaccessible',0
aStatus_4	db 'Status',0
		dw 0E88h
aSecuritydescri	db 'SecurityDescriptor',0
		db 1
aUsersid	db 'UserSID',0
		dd 72615013h, 505F4174h, 54766972h, 736761h
		db 0Ah,	6
word_41A8EA	dw 50Bh			; DATA XREF: HvLoadHive+189A39o
		dd 0
		db    0
		align 2
		dw 20h
		db    0
		db 5Ah,	0, 80h
		db    0
aTruncatedprima	db 'TruncatedPrimaryHiveRecovered',0
aHivelengthfrom	db 'hiveLengthFromHeader',0
aHivelengthondi	db 8,'hiveLengthOnDisk',0
aParta_privta_2	db 8,'PartA_PrivTags',0
		dw 60Ah
dword_41A950	dd 100040Bh, 0		; DATA XREF: CmpLogTransactionAbortedByName(x,x,x,x)+64o
		dd 28000000h, 54008000h, 736E6172h, 69746361h, 62416E6Fh
		dd 6574726Fh, 656B0064h, 74615079h, 72160068h, 6F736165h
		dd 608006Eh, 102050Bh, 0
		dd 19000000h, 43008000h, 7254706Dh, 4D736E61h, 6F437267h
		dd 74696D6Dh, 576F55h, 1050B06h, 1, 0
		dd 800019h, 54706D43h, 736E6172h, 4372674Dh, 696D6D6Fh
		dd 576F5574h
		db 0, 6
word_41A9CE	dw 50Bh			; DATA XREF: CmpTransMgrCommit(x,x,x)+119o
		dd 102h, 0
		db    0
		db 16h,	0, 80h
		db    0
aCmptransmgrcom	db 'CmpTransMgrCommit',0
		db 6
dword_41A9F0	dd 101050Bh, 0		; DATA XREF: CmpTransMgrCommit(x,x,x)+64o
		dd 16000000h, 43008000h, 7254706Dh, 4D736E61h, 6F437267h
		dd 74696D6Dh
		db 0, 6
word_41AA12	dw 50Bh			; DATA XREF: CmpLogCheckpoint+755EEo
		dd 100h, 0
		dd 80001E00h, 706D4300h, 43676F4Ch, 6B636568h, 6E696F70h
		dd 74530074h, 73757461h, 60E8800h
dword_41AA3C	dd 100050Bh, 0		; DATA XREF: CmpAddRemoveRMLogContainer(x,x)+E4o
		db    0
		db 2 dup(0), 1Dh
		db    0
		db 80h,	0, 4Ch
aOgcontainerlim	db 'ogContainerLimitReached',0
		db 6
byte_41AA65	db 0Bh,	5, 0		; DATA XREF: CmpTransWriteLog+75629o
		dd 1, 0
		dd 800027h, 4C646441h, 6F43676Fh, 6961746Eh, 72656Eh, 61636F4Ch
		dd 6E6F6974h, 74530800h, 73757461h, 60E8800h
dword_41AA98	dd 100050Bh, 0		; DATA XREF: CmpTransWriteLog+755A5o
		dd 27000000h, 41008000h, 6F4C6464h, 6E6F4367h, 6E696174h
		dd 4C007265h, 7461636Fh, 6E6F69h, 61745308h, 737574h
		db 88h,	0Eh, 6
byte_41AACB	db 0Bh			; DATA XREF: CmpLogUnsupportedOperation(x)+62o
		dd 5, 0
		db    0
		align 2
		dw 24h
		db  80h	; 
		align 2
aUnsupportedope	db 'UnsupportedOperation',0
aOperation	db 'Operation',0
		db 8, 6
byte_41AAFB	db 0Bh			; DATA XREF: CmpSendUnsupportedOperationTelemetryEvent(x,x)+58o
		db    5
		align 10h
		db    0
		db 2 dup(0), 40h
		dd offset loc_45FFFF+1
		db  80h	; 
		align 2
aUnsupportedo_0	db 'UnsupportedOperation(Aggregate)',0
aOperation_0	db 'Operation',0
aCount_0	db 8,'Count',0
aParta_privta_3	db 8,'PartA_PrivTags',0
		db 0Ah
		db 6
byte_41AB4D	db 0Bh,	5, 0		; DATA XREF: CmpLogFailureToGetFileSize(x,x,x)+5Bo
		dd 0
		dd 4000h, 800048h
aHiveloadfailed	db 'HiveLoadFailedToQueryLogFileSize',0
aFiletype	db 'fileType',0
		dw 7304h
aTatus_0	db 'tatus',0
		dw 0E88h
aParta_privta_4	db 'PartA_PrivTags',0
		db 0Ah
		db 6
byte_41ABA1	db 0Bh,	5, 0		; DATA XREF: HvSwapLogFiles(x,x)+16Fo
		dd 2 dup(0)
		db  8Ah	; 
		align 2
		dw 80h
aLogfileswap	db 'LogFileSwap',0
aSwapreason	db 'swapReason',0
		db 4
aHivelength	db 'hiveLength',0
aVolumelogsizec	db 8,'volumeLogSizeCap',0
aEffectivelogsi	db 8,'effectiveLogSizeCap',0
aLogdatalength	db 8,'logDataLength',0
aLogfilesize	db 8,'logFileSize',0
aLogentries	db 8,'logEntries',0
aTimesincelasts	db 8,'timeSinceLastSwap',0
		db 9, 6
byte_41AC37	db 0Bh			; DATA XREF: CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+1B5o
		db    5
		align 2
		dw 8
		db    0
		db 2 dup(0), 40h
		db    0
		align 2
		dw 39h
		db  80h	; 
		align 2
aHiveloadapphiv	db 'HiveLoadAppHiveImpersonationRequired',0
aParta_privta_5	db 'PartA_PrivTags',0
		dw 60Ah
dword_41AC7C	dd 50Bh, 0		; DATA XREF: CmSaveMergedKeys(x,x,x,x)+346o
		db  40h	; @
		db 2 dup(0), 3Ch
		db    0
		db 80h,	0, 43h
aMsavemergedkey	db 'mSaveMergedKeysAttemptToSaveMasterHive',0
aParta_privta_6	db 'PartA_PrivTags',0
		dw 60Ah
dword_41ACC4	dd 100050Bh, 0		; DATA XREF: CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+17Ao
		db  40h	; @
		db 2 dup(0), 3Bh
		db    0
		db 80h,	0, 55h
aSagesubscripti	db 'sageSubscriptionUpdateCorruptedBuffer',0
aParta_privta_7	db 'PartA_PrivTags',0
		db 0Ah,	6
byte_41AD0B	db 0Bh			; DATA XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+1E2o
		db    5
		align 2
		dw 1
		db    0
		db 2 dup(0), 40h
		db    0
		align 2
		dw 3Eh
		db  80h	; 
		align 2
aFeatureconfigu	db 'FeatureConfigurationUpdateCorruptedBuffer',0
aParta_privta_8	db 'PartA_PrivTags',0
		db 0Ah
		db 6
byte_41AD55	db 0Bh,	5, 0		; DATA XREF: CmpLightWeightCommitDeleteKeyUoW(x,x,x)+80o
		dd 0
		dd 2000h, 800036h
aCommitDeleteUo	db 'Commit delete UOW failed',0
aStatus_5	db 'Status',0
		dd 61500E88h, 5F417472h, 76697250h, 73676154h
		db 0, 0Ah, 6
byte_41AD97	db 0Bh			; DATA XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+3F2o
		db    5
		align 4
		db    0
		db 2 dup(0), 40h
		db    0
		align 2
		dw 31h
		db  80h	; 
		align 2
aLogsequencenum	db 'LogSequenceNumberGapDetected',0
aParta_privta_9	db 'PartA_PrivTags',0
		dw 60Ah
dword_41ADD4	dd 800050Bh, 0		; DATA XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+316o
		db    0
		dd offset loc_50FFFF+1
		db 80h,	0, 48h
aIveloadlogsfou	db 'iveLoadLogsFound',0
aValidlogs	db 'validLogs',0
		db 4
aLog1type	db 'log1Type',0
		db 4, 6Ch, 6Fh
aG2type		db 'g2Type',0
		db 4
aLog1sequence	db 'log1Sequence',0
aLog2sequence	db 8,'log2Sequence',0
		db 8
		db 6
byte_41AE31	db 0Bh,	5, 0		; DATA XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+50Fo
		dd 8, 4000h, 800028h
aHiveloadlogmis	db 'HiveLoadLogMismatch',0
aParta_privt_10	db 'PartA_PrivTags',0
		db 0Ah
		db 6
byte_41AE65	db 0Bh,	5, 0		; DATA XREF: HvpLogIneligibleLogHeader(x,x,x)+5Bo
		dd 8, 0
		dd 80003Eh
aHiveloadlogine	db 'HiveLoadLogIneligible',0
aLogtype	db 'logType',0
		dw 6D04h
aInimumsequence	db 'inimumSequence',0
aSequence	db 8,'sequence',0
		db 8, 6
byte_41AEAF	db 0Bh			; DATA XREF: HvpLogInvalidLogHeader(x,x,x)+19Ao
		dd 80005h, 0
		db    0
		align 2
		dw 89h
		db  80h	; 
		align 2
aHiveloadloginv	db 'HiveLoadLogInvalid',0
aLogtype_0	db 'logType',0
		db 4, 73h, 69h
aGnature	db 'gnature',0
aSequence1	db 8,'sequence1',0
aSequence2	db 8,'sequence2',0
aTimestamp	db 8,'timestamp',0
aExpectedtimest	db 0Ah
		db 'expectedTimestamp',0
aType_0		db 0Ah
		db 'type',0
aLength		db 8,'length',0
aChecksum	db 8,'checksum',0
aExpectedchecks	db 8,'expectedChecksum',0
		dw 608h
dword_41AF44	dd 800050Bh, 0		; DATA XREF: HvpLogUnreadableLog(x,x)+4Eo
		db    0
		db 2 dup(0), 2Ch
		db    0
		db 80h,	0, 48h
aIveloadlogunre	db 'iveLoadLogUnreadable',0
aLogtype_1	db 'logType',0
; 
		add	al, 73h
		jz	short loc_41AFD6
		jz	short near ptr loc_41AFE7+5
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41AF7C:				; CODE XREF: HvpReadLogEntryHeader(x,x,x,x)+14p
					; DATA XREF: HvpIsReadErrorTransient(x)+90o
		or	eax, large ds:0
; 
		dw 0
		db  40h	; @
		db 2 dup(0), 3Fh
		db    0
		db 80h,	0, 55h
aNclassifiedrea	db 'nclassifiedReadError',0
aCount_1	db 'Count',0
aIaaaaqstatus	db 'qStatus',0
		dd 61500E88h, 5F417472h, 76697250h, 73676154h
		db 0, 0Ah, 6
byte_41AFC7	db 0Bh			; DATA XREF: CmpAddRemoveContainerToCLFSLog(x,x,x,x,x,x,x,x)+256o
		dd 10005h, 0
		dd offset loc_4A0000
		db 80h,	0
; 

loc_41AFD6:				; CODE XREF: .text:0041AF73j
		inc	ebx
		insd
		jo	short near ptr loc_41B019+2
		db	64h, 64h
		push	edx
		db	65h
		insd
		outsd
		jbe	short loc_41B047
		inc	ebx
		outsd
		outsb
		jz	short near ptr loc_41B047+1

loc_41AFE7:				; CODE XREF: .text:0041AF75j
		imul	ebp, [esi+65h],	436F5472h
		dec	esp
		inc	esi
		push	ebx
		dec	esp
		outsd
		add	[bx+di+64h], al
		db	64h
		dec	edi
		jo	short loc_41B060
		jb	short loc_41B05E
		jz	short loc_41B068
		outsd
		outsb
		add	[ebx+eax+74617453h], al
		jnz	short loc_41B07D
		add	[eax+6E6F430Eh], cl
		jz	short near ptr byte_41B073
		imul	ebp, [esi+65h],	6D614E72h

loc_41B019:				; CODE XREF: .text:0041AFD8j
		add	gs:[esi], dl
		push	es

loc_41B01D:				; DATA XREF: VrpIoctlDeviceDispatch+18F80Eo
		or	eax, [edx]
; 
		db 0
		dd 2 dup(0)
		dd 800020h, 6E6B6E55h, 496E776Fh, 6C74436Fh, 436F4900h
		dd 72746E6Fh, 6F436C6Fh
		db 64h,	65h, 0
; 

loc_41B047:				; CODE XREF: .text:0041AFE0j
					; .text:0041AFE5j
		or	[esi], al

loc_41B049:				; DATA XREF: VrpIoctlDeviceDispatch+18F766o
		or	eax, [ecx+eax]
; 
		dd 2 dup(0)
		dd 800019h, 74436F49h
		db 6Ch,	0
; 

loc_41B05E:				; CODE XREF: .text:0041AFFBj
		dec	ecx
		outsd

loc_41B060:				; CODE XREF: .text:0041AFF9j
		inc	ebx
		outsd
		outsb
		jz	short loc_41B0D7
		outsd
		insb
		inc	ebx

loc_41B068:				; CODE XREF: .text:0041AFFDj
		outsd
		db	64h
		add	gs:[eax], cl
		push	es

loc_41B06E:				; DATA XREF: VrpIoctlDeviceDispatch+18F87Eo
		or	eax, [edx+eax]
; 
		db 2 dup(0)
byte_41B073	db 0			; CODE XREF: .text:0041B010j
		dd 0
		dd 80001B00h
		db 0
; 

loc_41B07D:				; CODE XREF: .text:0041B008j
		dec	ecx
		outsd
		inc	ebx
		jz	short loc_41B0EE
		inc	ebx
		outsd
		insd
		jo	short near ptr loc_41B0F1+2
		db	65h
		jz	short loc_41B0EF
		add	[ebx+74h], dl
		popa
		jz	short loc_41B105
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41B095:				; DATA XREF: VrpIoctlDeviceDispatch+18F71Fo
		or	eax, [edx]
; 
		db 0
		align 10h
		dd 800036h
aIoctlCalledFro	db 'IOCTL Called from inside Container',0
aIocontrolcode	db 'IoControlCode',0
; 
		or	[esi], al

loc_41B0D7:				; CODE XREF: .text:0041B063j
					; DATA XREF: VrpRegistryUnload(x)+47o
		or	eax, large ds:0
; 
		db 3 dup(0)
		dd 110000h, 72440080h, 72657669h
		db 55h,	6Eh
; 

loc_41B0EE:				; CODE XREF: .text:0041B080j
		insb

loc_41B0EF:				; CODE XREF: .text:0041B087j
		outsd
		popa

loc_41B0F1:				; CODE XREF: .text:0041B085j
		add	fs:[esi], al

loc_41B0F4:				; DATA XREF: VrpPostEnumerateKey(x,x)+15Eo
		or	eax, large ds:0
; 
		dw 0
		dd 44000000h, 50008000h
		db 6Fh
; 

loc_41B105:				; CODE XREF: .text:0041B08Ej
		jnb	short near ptr loc_41B17A+1
		inc	ebp
		outsb
		jnz	short loc_41B178
		db	65h
		jb	short near ptr byte_41B16F
		jz	short near ptr byte_41B175
		dec	ebx
		db	65h
		jns	short $+3
		dec	ecx
		outsb
		outsw
		jb	short near ptr loc_41B185+2
		popa
		jz	short near ptr loc_41B185+1
		outsd
		outsb
		inc	ebx
		insb
		popa
		jnb	short loc_41B197
		add	ds:656D756Eh[eax*2], dl
		jb	short near ptr loc_41B18D+1
		jz	short near ptr loc_41B18D+7
		db	64h
		dec	ebx
		db	65h
		jns	short near ptr loc_41B18D+6
		inc	ebx
		outsd
		outsb
		jz	short near ptr loc_41B197+3
		imul	ebp, [esi+65h],	74615072h
		push	0B061600h	; DATA XREF: VrpPreLoadKey(x,x)+19Fo
		add	eax, 0
; 
		dw 0
		dd 1D000000h, 50008000h, 6F4C6572h, 654B6461h, 62410079h
		dd 756C6F73h, 61506574h, 16006874h
		db 6
byte_41B16D	db 0Bh,	2		; DATA XREF: VrpPreQueryKeyName(x,x)+230o
byte_41B16F	db 0			; CODE XREF: .text:0041B10Bj
		dd 0
		db 0
byte_41B175	db 3 dup(0)		; CODE XREF: .text:0041B10Ej
; 

loc_41B178:				; CODE XREF: .text:0041B109j
		xor	al, [eax]

loc_41B17A:				; CODE XREF: .text:loc_41B105j
		add	byte ptr [eax],	50h
		jb	short loc_41B1E4
		push	ecx
		jnz	short near ptr loc_41B1E6+1
		jb	short loc_41B1FD
		dec	ebx

loc_41B185:				; CODE XREF: .text:0041B11Bj
					; .text:0041B118j
		db	65h
		jns	short loc_41B1D6
		popa
		insd
		db	65h
		inc	esi
		popa

loc_41B18D:				; CODE XREF: .text:0041B12Bj
					; .text:0041B131j ...
		imul	ebp, [ebp+64h],	6E6F4300h
		jz	short loc_41B1F8

loc_41B197:				; CODE XREF: .text:0041B122j
					; .text:0041B137j
		imul	ebp, [esi+65h],	74615072h
		push	74531600h
		popa
		jz	short near ptr byte_41B21B
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41B1AB:				; DATA XREF: VrpPreLoadKey(x,x)+2E4o
		or	eax, [edx]
; 
		db 3 dup(0)
		dd 0
		dd 1E0000h, 72500080h, 616F4C65h, 79654B64h, 6C696146h
		dd 53006465h, 75746174h, 0E880073h
		db 6
byte_41B1D5	db 0Bh			; DATA XREF: VrpPostQueryKey+18DAB6o
; 

loc_41B1D6:				; CODE XREF: .text:loc_41B185j
		add	eax, 0
; 
		db 0
		align 10h
		dd 800032h
; 

loc_41B1E4:				; CODE XREF: .text:0041B17Dj
		push	eax
		outsd

loc_41B1E6:				; CODE XREF: .text:0041B180j
		jnb	short loc_41B25C
		push	ecx
		jnz	short loc_41B250
		jb	short near ptr loc_41B265+1
		dec	ebx
		db	65h
		jns	short $+3
		dec	ecx
		outsb
		outsw
		jb	short near ptr loc_41B25E+6
		popa

loc_41B1F8:				; CODE XREF: .text:0041B195j
		jz	short near ptr loc_41B25E+5
		outsd
		outsb
		inc	ebx

loc_41B1FD:				; CODE XREF: .text:0041B182j
		insb
		popa
		jnb	short near ptr loc_41B273+1
		add	[ebx+eax*2], dl
		outsd
		outsb
		jz	short near ptr loc_41B265+4
		imul	ebp, [esi+65h],	74615072h

loc_41B20F:				; DATA XREF: VrpPostEnumerateKey(x,x)+6EFo
		push	0B061600h
		add	al, [eax]
; 
		dw 0
		db 3 dup(0)
byte_41B21B	db 0			; CODE XREF: .text:0041B1A4j
		db    0
		align 2
		dw 74h
		db  80h	; 
		align 2
aPostenumeratek	db 'PostEnumerateKeyFailed',0
aInformationcla	db 'InformationClass',0
		dw 4514h
		dd 656D756Eh
; 

loc_41B250:				; CODE XREF: .text:0041B1E9j
		jb	short loc_41B2B3
		jz	short near ptr loc_41B2B8+1
		db	64h
		dec	ebx
		db	65h
		jns	short loc_41B2B8
		inc	ebx
		outsd
		outsb

loc_41B25C:				; CODE XREF: .text:loc_41B1E6j
		jz	short near ptr loc_41B2BE+1

loc_41B25E:				; CODE XREF: .text:loc_41B1F8j
					; .text:0041B1F5j
		imul	ebp, [esi+65h],	74615072h

loc_41B265:				; CODE XREF: .text:0041B1EBj
					; .text:0041B206j
		push	75461600h
		insb
		insb
		inc	ebp
		outsb
		jnz	short loc_41B2DD
		db	65h
		jb	short near ptr loc_41B2D2+2

loc_41B273:				; CODE XREF: .text:0041B1FFj
		jz	short near ptr word_41B2DA
		db	64h
		dec	ebx
		db	65h
		jns	short near ptr byte_41B2D9
		inc	ebx
		outsd
		outsb
		jz	short near ptr loc_41B2DE+2
		imul	ebp, [esi+65h],	74615072h
		push	74531600h
		popa
		jz	short loc_41B303
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41B293:				; DATA XREF: VrpPreQueryKeyName(x,x)+100o
		or	eax, large ds:0
; 
		db 3 dup(0)
		dd 330000h, 72500080h, 65755165h, 654B7972h, 6D614E79h
		db 65h,	53h, 75h
; 

loc_41B2B3:				; CODE XREF: .text:loc_41B250j
		arpl	[ebx+65h], sp
		jnb	short near ptr loc_41B32A+1

loc_41B2B8:				; CODE XREF: .text:0041B256j
					; .text:0041B252j
		add	[ebx+6Fh], al
		outsb
		jz	short loc_41B31F

loc_41B2BE:				; CODE XREF: .text:loc_41B25Cj
		imul	ebp, [esi+65h],	74615072h
		push	74531600h
		popa
		jz	short loc_41B342
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41B2D2:				; CODE XREF: .text:0041B270j
					; DATA XREF: VrpPostOpenOrCreate(x,x)+2D6o
		or	eax, large ds:0
; 
		db 0
byte_41B2D9	db 0			; CODE XREF: .text:0041B277j
word_41B2DA	dw 0			; CODE XREF: .text:loc_41B273j
		db 0
; 

loc_41B2DD:				; CODE XREF: .text:0041B26Ej
		aaa

loc_41B2DE:				; CODE XREF: .text:0041B27Dj
		add	[eax+736F5000h], al
		jz	short near ptr loc_41B333+2
		jo	short loc_41B34D
		outsb
		dec	edi
		jb	short near ptr loc_41B32E+1
		jb	short loc_41B353
		popa
		jz	short near ptr loc_41B354+2
		push	edx
		db	65h
		jo	short near ptr loc_41B354+2
		jb	short loc_41B36A
		db	65h
		inc	esp
		db	65h
		jz	short near ptr loc_41B35E+3
		arpl	[ebp+64h], si
		add	[eax+6Fh], cl

loc_41B303:				; CODE XREF: .text:0041B28Cj
		jnb	short near ptr byte_41B379
		push	eax
		popa
		jz	short loc_41B371
		add	[esi], dl
		push	ebx
		jz	short loc_41B36F
		jz	short loc_41B385
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41B315:				; DATA XREF: VrpPreFlushKey(x,x)+46o
		or	eax, large ds:0
; 
		db 0
		db 3 dup(0)
; 

loc_41B31F:				; CODE XREF: .text:0041B2BCj
		add	[esi], dl
		add	[eax+756C4600h], al
		jnb	short near ptr loc_41B390+1
		dec	ebx

loc_41B32A:				; CODE XREF: .text:0041B2B6j
		db	65h
		jns	short loc_41B34D
		inc	edx

loc_41B32E:				; CODE XREF: .text:0041B2EAj
		jns	short loc_41B3A0
		popa
		jnb	short loc_41B3A6

loc_41B333:				; CODE XREF: .text:0041B2E4j
		db	65h
		add	fs:[esi], al

loc_41B337:				; DATA XREF: VrpPostQueryKey+18DBD8o
		or	eax, [edx]
; 
		db 3 dup(0)
		dd 0
		db 2 dup(0)
; 

loc_41B342:				; CODE XREF: .text:0041B2CBj
		das
		add	[eax+736F5000h], al
		jz	short near ptr off_41B39C
		jnz	short near ptr loc_41B3AF+3

loc_41B34D:				; CODE XREF: .text:0041B2E6j
					; .text:loc_41B32Aj
		jb	short loc_41B3C8
		dec	ebx
		db	65h
		jns	short near ptr byte_41B399

loc_41B353:				; CODE XREF: .text:0041B2ECj
		popa

loc_41B354:				; CODE XREF: .text:0041B2EFj
					; .text:0041B2F2j
		imul	ebp, [ebp+64h],	6E6F4300h
		jz	short near ptr loc_41B3BC+3

loc_41B35E:				; CODE XREF: .text:0041B2F9j
		imul	ebp, [esi+65h],	74615072h
		push	74531600h

loc_41B36A:				; CODE XREF: .text:0041B2F5j
		popa
		jz	short near ptr loc_41B3E0+2
		jnb	short $+2

loc_41B36F:				; CODE XREF: .text:0041B30Cj
		mov	[esi], cl

loc_41B371:				; CODE XREF: .text:0041B307j
		push	es

loc_41B372:				; DATA XREF: VrpPreFlushKey(x,x)+71o
		or	eax, large ds:0
; 
		db 0
byte_41B379	db 3 dup(0)		; CODE XREF: .text:loc_41B303j
		dd 80001500h, 756C4600h
		db 73h
; 

loc_41B385:				; CODE XREF: .text:0041B30Ej
		push	2079654Bh
		push	ebx
		jnz	short near ptr loc_41B3EF+1
		arpl	[ebp+73h], sp

loc_41B390:				; CODE XREF: .text:0041B327j
		jnb	short $+2
		push	es

loc_41B393:				; DATA XREF: VrpPostQueryKey+18DB53o
		or	eax, large ds:0
; 
byte_41B399	db 3 dup(0)		; CODE XREF: .text:0041B350j
off_41B39C	dd offset loc_52FFFF+1	; CODE XREF: .text:0041B349j
; 

loc_41B3A0:				; CODE XREF: .text:loc_41B32Ej
		add	byte ptr [eax],	50h
		outsd
		jnb	short near ptr loc_41B416+4

loc_41B3A6:				; CODE XREF: .text:0041B331j
		push	ecx
		jnz	short loc_41B40E
		jb	short near ptr loc_41B422+2
		dec	ebx
		db	65h
		jns	short near ptr byte_41B3F5

loc_41B3AF:				; CODE XREF: .text:0041B34Bj
		imul	ebp, [esi+69h],	64656873h
		add	[ebx+6Fh], al
		outsb
		jz	short loc_41B41D

loc_41B3BC:				; CODE XREF: .text:0041B35Cj
		imul	ebp, [esi+65h],	74615072h
		push	6E491600h

loc_41B3C8:				; CODE XREF: .text:loc_41B34Dj
		outsw
		jb	short near ptr loc_41B438+1
		popa
		jz	short loc_41B438
		outsd
		outsb
		inc	ebx
		insb
		popa
		jnb	short loc_41B449
		add	[eax+edx*2], dl
		outsd
		jnb	short near ptr loc_41B44F+1
		dec	ecx
		outsb
		outsw

loc_41B3E0:				; CODE XREF: .text:0041B36Bj
		sub	eax, 7465523Eh
		jnz	short loc_41B459
		outsb
		push	ebx
		jz	short near ptr loc_41B44B+1
		jz	short near ptr word_41B462
		jnb	short $+2

loc_41B3EF:				; CODE XREF: .text:0041B38Bj
		mov	[esi], cl
		push	es

loc_41B3F2:				; DATA XREF: VrpPreQueryKeyName(x,x)+84o
		or	eax, [edx]
; 
		db 0
byte_41B3F5	db 3 dup(0)		; CODE XREF: .text:0041B3ACj
		dd 0
		dd 80002300h, 65725000h, 72657551h, 79654B79h
; 
		dec	esi
		popa

loc_41B40E:				; CODE XREF: .text:0041B3A7j
		insd
		add	gs:[ebx+6Fh], al
		outsb
		jz	short loc_41B477

loc_41B416:				; CODE XREF: .text:0041B3A4j
		imul	ebp, [esi+65h],	74615072h

loc_41B41D:				; CODE XREF: .text:0041B3BAj
					; DATA XREF: VrpPreOpenOrCreate(x,x)+429o
		push	0B061600h

loc_41B422:				; CODE XREF: .text:0041B3A9j
		add	eax, 0
; 
		db 0
		dd 0
		dd 800033h, 4F657250h, 4F6E6570h
; 

loc_41B438:				; CODE XREF: .text:0041B3CDj
					; .text:0041B3CAj
		jb	short loc_41B47D
		jb	short near ptr byte_41B4A1
		popa
		jz	short loc_41B4A4
		inc	edi
		insb
		outsd
		bound	esp, [ecx+6Ch]
		push	edx
		db	65h
		jo	short near ptr loc_41B4A6+4

loc_41B449:				; CODE XREF: .text:0041B3D4j
		jb	short near ptr loc_41B4BA+4

loc_41B44B:				; CODE XREF: .text:0041B3E9j
		add	gs:[esi+65h], cl

loc_41B44F:				; CODE XREF: .text:0041B3DAj
		ja	short near ptr byte_41B4A1
		popa
		jz	short near ptr loc_41B4BA+2
		add	[esi], dl
		push	ebx
		jz	short loc_41B4BA

loc_41B459:				; CODE XREF: .text:0041B3E5j
		jz	short near ptr loc_41B4CE+2
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41B460:				; DATA XREF: VrpPostOpenOrCreate(x,x)+1ECo
		or	eax, [edx]
; 
word_41B462	dw 0			; CODE XREF: .text:0041B3EBj
		dd 0
		dd 2E000000h, 50008000h, 4F74736Fh
		db 70h,	65h, 6Eh
; 

loc_41B477:				; CODE XREF: .text:0041B414j
		dec	edi
		jb	short near ptr loc_41B4BA+3
		jb	short loc_41B4E1
		popa

loc_41B47D:				; CODE XREF: .text:loc_41B438j
		jz	short near ptr loc_41B4E3+1
		inc	esi
		popa
		imul	ebp, [ebp+64h],	736F4800h
		jz	short loc_41B4DB
		popa
		jz	short loc_41B4F6
		add	[esi], dl
		push	ebx
		jz	short loc_41B4F4
		jz	short loc_41B50A
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41B49A:				; DATA XREF: VrpPreOpenOrCreate(x,x)+18Co
		or	eax, [edx]
; 
		dd 0
		db 0
byte_41B4A1	db 3 dup(0)		; CODE XREF: .text:0041B43Aj
					; .text:loc_41B44Fj
; 

loc_41B4A4:				; CODE XREF: .text:0041B43Dj
		add	[eax], ch

loc_41B4A6:				; CODE XREF: .text:0041B446j
		add	[eax+65725000h], al
		dec	edi
		jo	short near ptr loc_41B513+1
		outsb
		dec	edi
		jb	short loc_41B4F6
		jb	short near ptr loc_41B516+4
		popa
		jz	short loc_41B51D
		inc	esi
		popa

loc_41B4BA:				; CODE XREF: .text:0041B457j
					; .text:0041B452j ...
		imul	ebp, [ebp+64h],	79654B00h
		add	[esi], dl
		push	ebx
		jz	short loc_41B528
		jz	short near ptr loc_41B53D+1
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41B4CE:				; CODE XREF: .text:loc_41B459j
					; DATA XREF: VrpPreLoadKey(x,x)+938o
		or	eax, large ds:0
; 
		dd 0
; 
		add	[eax+eax], bh

loc_41B4DB:				; CODE XREF: .text:0041B489j
		add	byte ptr [eax],	50h
		jb	short near ptr loc_41B544+1
		dec	esp

loc_41B4E1:				; CODE XREF: .text:0041B47Aj
		outsd
		popa

loc_41B4E3:				; CODE XREF: .text:loc_41B47Dj
		db	64h
		dec	ebx
		db	65h
		jns	short loc_41B53B
		jnz	short near ptr loc_41B549+4
		arpl	[ebp+73h], sp
		jnb	short $+2
		inc	ecx
		bound	esi, [ebx+6Fh]
		insb

loc_41B4F4:				; CODE XREF: .text:0041B491j
		jnz	short loc_41B56A

loc_41B4F6:				; CODE XREF: .text:0041B48Cj
					; .text:0041B4B1j
		db	65h
		push	eax
		popa
		jz	short near ptr loc_41B562+1
		add	[esi], dl
		dec	eax
		outsd
		jnb	short near ptr loc_41B574+1
		dec	ebp
		outsd
		jnz	short near ptr loc_41B572+1
		jz	short near ptr loc_41B556+1
		popa
		jz	short loc_41B572

loc_41B50A:				; CODE XREF: .text:0041B493j
		add	[esi], dl
		push	ebx
		jz	short near ptr loc_41B56F+1
		jz	short near ptr loc_41B584+2
		jnb	short $+2

loc_41B513:				; CODE XREF: .text:0041B4ADj
		mov	[esi], cl
		push	es

loc_41B516:				; CODE XREF: .text:0041B4B3j
					; DATA XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+383o
		or	eax, large ds:0
; 
		db 0
; 

loc_41B51D:				; CODE XREF: .text:0041B4B6j
		add	[eax+0], al
		add	[edi+0], ah
		add	byte ptr [eax],	44h
		outs	dx, byte ptr gs:[esi]

loc_41B528:				; CODE XREF: .text:0041B4C5j
		jns	short loc_41B57D
		push	62617261h
		insb
		db	65h
		dec	edi
		jo	short loc_41B5A0
		outsd
		arpl	[ebx+46h], bp
		outsd
		jb	short near ptr off_41B592

loc_41B53B:				; CODE XREF: .text:0041B4E5j
		jb	short near ptr loc_41B5A2+4

loc_41B53D:				; CODE XREF: .text:0041B4C7j
		jz	short loc_41B5A0
		bound	ebp, [ebp+4Dh]
		popa

loc_41B544:				; CODE XREF: .text:0041B4DEj
		jo	short near ptr loc_41B5B3+3
		db	65h, 64h
		push	ebx

loc_41B549:				; CODE XREF: .text:0041B4E8j
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb
		add	[ebx+6Fh], al
		jnz	short loc_41B5C2
		jz	short $+2

loc_41B556:				; CODE XREF: .text:0041B505j
		mov	[eax+71808080h], eax
		inc	esp
		db	65h
		jnb	short near ptr loc_41B5C8+1
		jb	short near ptr loc_41B5C6+1

loc_41B562:				; CODE XREF: .text:0041B4F9j
		db	64h
		dec	edi
		jo	short near ptr loc_41B5D1+1
		outsd
		arpl	[ebx+0], bp

loc_41B56A:				; CODE XREF: .text:loc_41B4F4j
		adc	al, 4Fh
		jo	short near ptr loc_41B5D8+2
		outsd

loc_41B56F:				; CODE XREF: .text:0041B50Dj
		arpl	[ebx+53h], bp

loc_41B572:				; CODE XREF: .text:0041B508j
					; .text:0041B503j
		jz	short loc_41B5D5

loc_41B574:				; CODE XREF: .text:0041B4FFj
		jz	short loc_41B5DB
		add	[eax+edx*2], dl
		popa
		jb	short loc_41B5F0
		inc	ecx

loc_41B57D:				; CODE XREF: .text:loc_41B528j
		pop	edi
		push	eax
		jb	short loc_41B5EA
		jbe	short loc_41B5D7
		popa

loc_41B584:				; CODE XREF: .text:0041B50Fj
		db	67h
		jnb	near ptr 0B587h
		or	al, [esi]

loc_41B589:				; DATA XREF: LdrpGetResourceFileName+45Do
		or	eax, large ds:0
; 
		db 0
		db 0, 40h
off_41B592	dd offset loc_6A0000	; CODE XREF: .text:0041B539j
		dw 80h
		dd 796E6544h, 6C637845h
; 

loc_41B5A0:				; CODE XREF: .text:0041B532j
					; .text:loc_41B53Dj
		jnz	short near ptr loc_41B612+3

loc_41B5A2:				; CODE XREF: .text:loc_41B53Bj
		imul	esi, [esi+65h],	6F6C704Fh
		arpl	[ebx+46h], bp
		outsd
		jb	short loc_41B606
		jb	short loc_41B61A
		jz	short near ptr loc_41B612+2

loc_41B5B3:				; CODE XREF: .text:loc_41B544j
		bound	ebp, [ebp+4Dh]
		popa
		jo	short loc_41B62A
		db	65h, 64h
		push	ebx
		arpl	gs:[ecx+ebp*2+6Fh], si

loc_41B5C2:				; CODE XREF: .text:0041B552j
		outsb
		add	[ebx+6Fh], al

loc_41B5C6:				; CODE XREF: .text:0041B560j
		jnz	short near ptr loc_41B635+1

loc_41B5C8:				; CODE XREF: .text:0041B55Dj
		jz	short $+2
		mov	[eax+71808080h], eax
		dec	esi

loc_41B5D1:				; CODE XREF: .text:0041B564j
		db	65h
		js	short loc_41B648
		dec	edi

loc_41B5D5:				; CODE XREF: .text:loc_41B572j
		jo	short near ptr loc_41B640+3

loc_41B5D7:				; CODE XREF: .text:0041B581j
		outsd

loc_41B5D8:				; CODE XREF: .text:0041B56Cj
		arpl	[ebx+53h], bp

loc_41B5DB:				; CODE XREF: .text:loc_41B574j
		jz	short loc_41B63E
		jz	short loc_41B644
		add	[edi+ecx*2], dl
		jo	short loc_41B650
		outsd
		arpl	[ebx+53h], bp
		jz	short near ptr loc_41B649+2

loc_41B5EA:				; CODE XREF: .text:0041B57Fj
		jz	short near ptr loc_41B650+1
		add	[eax+edx*2], dl
		popa

loc_41B5F0:				; CODE XREF: .text:0041B57Aj
		jb	short loc_41B666
		inc	ecx
		pop	edi
		push	eax
		jb	short loc_41B660
		jbe	short near ptr loc_41B64C+1
		popa
		db	67h
		jnb	near ptr 0B5FDh
		or	al, [esi]

loc_41B5FF:				; DATA XREF: FsRtlCheckOplockForFsFilterCallback(x,x,x)+188o
		or	eax, large ds:0
; 
		db 0
; 

loc_41B606:				; CODE XREF: .text:0041B5ADj
		add	[eax+0], al
		add	[edx+0], ch
		add	byte ptr [eax],	42h
		jb	short near ptr loc_41B675+1
		popa

loc_41B612:				; CODE XREF: .text:0041B5B1j
					; .text:loc_41B5A0j
		imul	ecx, [edi+70h],	6Ch
		outsd
		arpl	[ebx+4Fh], bp

loc_41B61A:				; CODE XREF: .text:0041B5AFj
		outsb
		push	edi
		jb	short loc_41B687
		jz	short loc_41B681
		bound	ebp, [ebp+4Dh]
		popa
		jo	short loc_41B697
		db	65h, 64h
		push	ebx

loc_41B62A:				; CODE XREF: .text:0041B5B8j
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb
		add	[ebx+6Fh], al
		jnz	short near ptr loc_41B69E+5

loc_41B635:				; CODE XREF: .text:loc_41B5C6j
		jz	short $+2
		mov	[eax+71808080h], eax
		push	ebx

loc_41B63E:				; CODE XREF: .text:loc_41B5DBj
		jns	short loc_41B6AE

loc_41B640:				; CODE XREF: .text:loc_41B5D5j
		arpl	[ecx+edi*2+70h], dx

loc_41B644:				; CODE XREF: .text:0041B5DDj
		add	gs:[eax], cl
		push	eax

loc_41B648:				; CODE XREF: .text:loc_41B5D1j
		popa

loc_41B649:				; CODE XREF: .text:0041B5E8j
		db	67h, 65h
		push	eax

loc_41B64C:				; CODE XREF: .text:0041B5F7j
		jb	short loc_41B6BD
		jz	short near ptr loc_41B6B2+3

loc_41B650:				; CODE XREF: .text:0041B5E2j
					; .text:loc_41B5EAj
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		add	[edi+ecx*2], dl
		jo	short loc_41B6C6
		outsd
		arpl	[ebx+53h], bp
		jz	short near ptr loc_41B6BD+4

loc_41B660:				; CODE XREF: .text:0041B5F5j
		jz	short near ptr loc_41B6C6+1
		add	[eax+edx*2], dl
		popa

loc_41B666:				; CODE XREF: .text:loc_41B5F0j
		jb	short near ptr loc_41B6D7+5
		inc	ecx
		pop	edi
		push	eax
		jb	short loc_41B6D6
		jbe	short near ptr loc_41B6BD+6
		popa
		db	67h
		jnb	near ptr 0B673h
		or	al, [esi]

loc_41B675:				; CODE XREF: .text:0041B60Fj
					; DATA XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+194o
		or	eax, large ds:0
; 
		db 0
		dd 2000h
; 
		push	esi

loc_41B681:				; CODE XREF: .text:0041B61Ej
		add	[eax+6C6C4100h], al

loc_41B687:				; CODE XREF: .text:0041B61Cj
		outsd
		arpl	[ecx+74h], sp
		imul	ebp, [edi+6Eh],	6D6F7246h
		push	esi
		dec	ebp
		dec	ebp
		db	65h
		insd

loc_41B697:				; CODE XREF: .text:0041B625j
		outsd
		jb	short loc_41B713
		push	eax
		popa
		jb	short loc_41B712

loc_41B69E:				; CODE XREF: .text:0041B633j
		imul	esi, [ecx+ebp*2+6Fh], 6961466Eh
		insb
		jnz	short loc_41B71B
		add	gs:[ecx+6Ch], ah
		insb

loc_41B6AE:				; CODE XREF: .text:loc_41B63Ej
		outsd
		arpl	[ecx+74h], sp

loc_41B6B2:				; CODE XREF: .text:0041B64Ej
		imul	ebp, [edi+6Eh],	6D6F7246h
		push	eax
		popa
		jb	short near ptr loc_41B730+1

loc_41B6BD:				; CODE XREF: .text:loc_41B64Cj
					; .text:0041B65Ej ...
		imul	esi, [ecx+ebp*2+6Fh], 6961466Eh
		insb

loc_41B6C6:				; CODE XREF: .text:0041B658j
					; .text:loc_41B660j
		db	65h
		add	fs:[ebx+eax+7453746Eh],	al
		popa
		jz	short loc_41B747
		jnb	short $+2
		mov	[esi], cl

loc_41B6D6:				; CODE XREF: .text:0041B66Bj
		push	es

loc_41B6D7:				; CODE XREF: .text:loc_41B666j
					; DATA XREF: IoWriteDeferredLiveDumpData(x)+101o
		or	eax, large ds:0
; 
		db 2 dup(0), 20h
		dd offset loc_4CFFFE+2
		db  80h	; 
		align 2
aWritedeferredd	db 'WriteDeferredDumpDataEnded',0
aTotalbytes	db 'totalBytes',0
		dd 6972770Ah
; 
		jz	short loc_41B777

loc_41B712:				; CODE XREF: .text:0041B69Cj
		inc	esp

loc_41B713:				; CODE XREF: .text:0041B698j
		db	65h, 66h, 65h
		jb	short loc_41B78A
		db	65h, 64h
		inc	esp

loc_41B71B:				; CODE XREF: .text:0041B6A7j
		jnz	short loc_41B78A
		jo	short near ptr loc_41B762+1
		popa
		jz	short near ptr loc_41B77E+5
		inc	esp
		jnz	short near ptr loc_41B796+1
		popa
		jz	short loc_41B791
		outsd
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	al, [esi]

loc_41B730:				; CODE XREF: .text:0041B6BBj
					; DATA XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+24Co
		or	eax, large ds:0
; 
		dw 0
		dd 42000020h, 4F008000h, 566E6570h
		db 2 dup(4Dh), 65h
; 

loc_41B747:				; CODE XREF: .text:0041B6D0j
		insd
		outsd
		jb	short near ptr loc_41B7C3+1
		push	eax
		popa
		jb	short loc_41B7C3
		imul	esi, [ecx+ebp*2+6Fh], 6961466Eh
		insb
		jnz	short loc_41B7CC
		add	gs:[edi+70h], ch
		outs	dx, byte ptr gs:[esi]
		push	eax
		popa

loc_41B762:				; CODE XREF: .text:0041B71Dj
		jb	short near ptr loc_41B7D7+1
		imul	esi, [ecx+ebp*2+6Fh], 6961466Eh
		insb
		db	65h
		add	fs:[ebx+eax+7453746Eh],	al
		popa

loc_41B777:				; CODE XREF: .text:0041B710j
		jz	short loc_41B7EE
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41B77E:				; CODE XREF: .text:0041B720j
					; DATA XREF: IopLiveDumpTraceUncorralProcessorsDuration(x,x,x,x,x,x,x,x,x)+15Eo
		or	eax, large ds:0
; 
		dd 200000h
		db 0, 89h
; 

loc_41B78A:				; CODE XREF: .text:loc_41B713j
					; .text:loc_41B71Bj
		add	[eax+636E5500h], al
		outsd

loc_41B791:				; CODE XREF: .text:0041B726j
		jb	short near ptr loc_41B801+4
		popa
		insb
		push	eax

loc_41B796:				; CODE XREF: .text:0041B723j
		jb	short near ptr loc_41B801+6
		arpl	[ebp+73h], sp
		jnb	short loc_41B80C
		jb	short near ptr loc_41B811+1
		add	[ebp+6Eh], dh
		arpl	[edi+72h], bp
		jb	short loc_41B808
		insb
		inc	esp
		jnz	short loc_41B81D
		popa
		jz	short near ptr loc_41B813+4
		outsd
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	ah, [ebp+6Eh]
		popa
		bound	ebp, [ebp+49h]
		outsb
		jz	short loc_41B824
		jb	short near ptr loc_41B832+1
		jnz	short near ptr loc_41B832+1

loc_41B7C3:				; CODE XREF: .text:0041B74Dj
					; .text:0041B749j
		jz	short loc_41B838
		inc	esp
		jnz	short loc_41B83A
		popa
		jz	short near ptr loc_41B832+2
		outsd

loc_41B7CC:				; CODE XREF: .text:0041B758j
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	dh, [edx+65h]
		jnb	short loc_41B84A
		outsd

loc_41B7D7:				; CODE XREF: .text:loc_41B762j
		jb	short near ptr loc_41B83D+1
		push	ebx
		jnz	short near ptr loc_41B84A+2
		db	65h
		jb	short loc_41B855
		imul	esi, [ebx+6Fh],	61745372h
		jz	short near ptr loc_41B84A+3
		inc	esp
		jnz	short loc_41B85D
		popa
		jz	short loc_41B857

loc_41B7EE:				; CODE XREF: .text:loc_41B777j
		outsd
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	dh, [edx+65h]
		jnb	short loc_41B86E
		insd
		db	65h
		inc	ebx
		insb
		outsd
		arpl	[ebx+54h], bp

loc_41B801:				; CODE XREF: .text:loc_41B791j
					; .text:loc_41B796j
		imul	ebp, [ebp+65h],	72754472h

loc_41B808:				; CODE XREF: .text:0041B7A5j
		popa
		jz	short near ptr loc_41B86E+6
		outsd

loc_41B80C:				; CODE XREF: .text:0041B79Bj
		outsb
		pop	edi
		insd
		jnb	short $+2

loc_41B811:				; CODE XREF: .text:0041B79Dj
		or	al, [esi]

loc_41B813:				; CODE XREF: .text:0041B7ACj
					; DATA XREF: IopLiveDumpTraceCorralProcessorsDuration(x,x,x,x,x,x,x,x,x)+15Eo
		or	eax, large ds:0
; 
		db 2 dup(0), 20h
		db 0
; 

loc_41B81D:				; CODE XREF: .text:0041B7A9j
		add	[eax+eax+6F430080h], al

loc_41B824:				; CODE XREF: .text:0041B7BDj
		jb	short loc_41B898
		popa
		insb
		push	eax
		jb	short near ptr loc_41B899+1
		arpl	[ebp+73h], sp
		jnb	short loc_41B89F
		jb	short near ptr loc_41B8A3+2

loc_41B832:				; CODE XREF: .text:0041B7BFj
					; .text:0041B7C1j ...
		add	[ebx+6Fh], ah
		jb	short near ptr byte_41B8A9
		popa

loc_41B838:				; CODE XREF: .text:loc_41B7C3j
		insb
		inc	esp

loc_41B83A:				; CODE XREF: .text:0041B7C6j
		jnz	short loc_41B8AE
		popa

loc_41B83D:				; CODE XREF: .text:loc_41B7D7j
		jz	short near ptr loc_41B8A3+5
		outsd
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	ah, [ecx+ebp*2+73h]
		popa

loc_41B84A:				; CODE XREF: .text:0041B7D4j
					; .text:0041B7DAj ...
		bound	ebp, [ebp+49h]
		outsb
		jz	short near ptr loc_41B8B5+1
		jb	short near ptr loc_41B8C1+4
		jnz	short near ptr loc_41B8C1+4

loc_41B855:				; CODE XREF: .text:0041B7DCj
		jz	short loc_41B8CA

loc_41B857:				; CODE XREF: .text:0041B7ECj
		inc	esp
		jnz	short near ptr loc_41B8CB+1
		popa
		jz	short near ptr loc_41B8C1+5

loc_41B85D:				; CODE XREF: .text:0041B7E9j
		outsd
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	dh, [ebx+61h]
		jbe	short loc_41B8CD
		push	ebx
		jnz	short loc_41B8DB
		db	65h
		jb	short loc_41B8E4

loc_41B86E:				; CODE XREF: .text:0041B7F7j
					; .text:0041B809j
		imul	esi, [ebx+6Fh],	61745372h
		jz	short loc_41B8DC
		inc	esp
		jnz	short loc_41B8EC
		popa
		jz	short loc_41B8E6
		outsd
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	dh, [ebx+75h]
		jnb	short loc_41B8F8
		outs	dx, byte ptr gs:[esi]
		db	64h
		inc	ebx
		insb
		outsd
		arpl	[ebx+54h], bp
		imul	ebp, [ebp+65h],	72754472h

loc_41B898:				; CODE XREF: .text:loc_41B824j
		popa

loc_41B899:				; CODE XREF: .text:0041B829j
		jz	short near ptr loc_41B903+1
		outsd
		outsb
		pop	edi
		insd

loc_41B89F:				; CODE XREF: .text:0041B82Ej
		jnb	short $+2
		or	al, [esi]

loc_41B8A3:				; CODE XREF: .text:0041B830j
					; .text:loc_41B83Dj
					; DATA XREF: ...
		or	eax, large ds:0
; 
byte_41B8A9	db 2 dup(0), 20h	; CODE XREF: .text:0041B835j
		db 2 dup(0)
; 

loc_41B8AE:				; CODE XREF: .text:loc_41B83Aj
		cmp	eax, 57008000h
		jb	short near ptr loc_41B91B+3

loc_41B8B5:				; CODE XREF: .text:0041B84Fj
		jz	short near ptr loc_41B91B+1
		inc	esp
		jnz	short loc_41B927
		jo	short loc_41B900
		popa
		jz	short near ptr loc_41B91B+5
		inc	ebp
		outsb

loc_41B8C1:				; CODE XREF: .text:0041B851j
					; .text:0041B853j ...
		db	64h, 65h
		add	fs:[edi+ebp*2+74h], dh
		popa
		insb

loc_41B8CA:				; CODE XREF: .text:loc_41B855j
		inc	edx

loc_41B8CB:				; CODE XREF: .text:0041B858j
		jns	short near ptr loc_41B940+1

loc_41B8CD:				; CODE XREF: .text:0041B866j
		db	65h
		jnb	short $+3
		or	dh, [edi+72h]
		imul	esi, [ebp+44h],	44706D75h

loc_41B8DB:				; CODE XREF: .text:0041B869j
		popa

loc_41B8DC:				; CODE XREF: .text:0041B875j
		jz	short loc_41B93F
		inc	esp
		jnz	short near ptr loc_41B952+1
		popa
		jz	short near ptr loc_41B94C+1

loc_41B8E4:				; CODE XREF: .text:0041B86Bj
		outsd
		outsb

loc_41B8E6:				; CODE XREF: .text:0041B87Bj
		pop	edi
		insd
		jnb	short $+2
		or	al, [esi]

loc_41B8EC:				; CODE XREF: .text:0041B878j
					; DATA XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+30Bo
		or	eax, large ds:1
; 
		dw 0
		dd 2F000020h
; 

loc_41B8F8:				; CODE XREF: .text:0041B886j
		add	[eax+70614300h], al
		jz	short loc_41B975

loc_41B900:				; CODE XREF: .text:0041B8BAj
		jb	short near ptr loc_41B964+3
		inc	esp

loc_41B903:				; CODE XREF: .text:loc_41B899j
		jnz	short loc_41B972
		jo	short loc_41B95A
		jz	short near ptr loc_41B964+6
		jb	short near ptr loc_41B97B+4
		db	65h
		add	fs:[edx+75h], ah
		db	66h, 66h, 65h
		jb	short near ptr loc_41B952+4
		insb
		insb
		outsd
		arpl	[ecx+74h], sp

loc_41B91B:				; CODE XREF: .text:loc_41B8B5j
					; .text:0041B8B3j ...
		imul	ebp, [edi+6Eh],	65686353h
		insd
		add	gs:[eax], cl
		push	es

loc_41B927:				; CODE XREF: .text:0041B8B8j
					; DATA XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+690o
		or	eax, large ds:2
; 
		db 2 dup(0), 20h
		dd 6B0000h, 61430080h, 72757470h
		db 65h,	44h, 75h
; 

loc_41B93F:				; CODE XREF: .text:loc_41B8DCj
		insd

loc_41B940:				; CODE XREF: .text:loc_41B8CBj
		jo	short loc_41B987
		outsb
		db	64h, 65h
		add	fs:[esi+74h], ch
		push	ebx
		jz	short loc_41B9AD

loc_41B94C:				; CODE XREF: .text:0041B8E2j
		jz	short loc_41B9C3
		jnb	short $+2
		mov	[esi], cl

loc_41B952:				; CODE XREF: .text:0041B8DFj
					; .text:0041B910j
		db	64h, 65h, 66h, 65h
		jb	short loc_41B99C
		jnz	short near ptr loc_41B9C5+2

loc_41B95A:				; CODE XREF: .text:0041B905j
		jo	short near ptr loc_41B99E+4
		imul	ebp, [ebp+57h],	65746972h

loc_41B964:				; CODE XREF: .text:loc_41B900j
					; .text:0041B907j
		add	[ebx+eax+726F6261h], al
		jz	short loc_41B9B6
		dec	bp
		db	65h
		insd
		outsd

loc_41B972:				; CODE XREF: .text:loc_41B903j
		jb	short near ptr loc_41B9EC+1
		push	eax

loc_41B975:				; CODE XREF: .text:0041B8FEj
		jb	short loc_41B9DC
		jnb	short loc_41B9EC
		jnz	short near ptr loc_41B9EC+1

loc_41B97B:				; CODE XREF: .text:0041B909j
		add	gs:[ebx+eax+61746F74h],	al
		insb
		inc	esp
		jnz	short loc_41B9F4

loc_41B987:				; CODE XREF: .text:loc_41B940j
		jo	short loc_41B9CC
		jb	short near ptr loc_41B9EC+4
		popa
		jz	short near ptr loc_41B9F6+1
		outsd
		outsb
		inc	esp
		jnz	short loc_41BA05
		popa
		jz	short loc_41B9FF
		outsd
		outsb
		pop	edi
		insd
		jnb	short $+2

loc_41B99C:				; CODE XREF: .text:loc_41B952j
		or	al, [esi]

loc_41B99E:				; CODE XREF: .text:loc_41B95Aj
					; DATA XREF: IopLiveDumpTraceCaptureGenerateIptSecondaryDataDuration(x,x,x)+B7o
		or	eax, large ds:0
; 
		dd 200000h, 80004200h
		db 0
; 

loc_41B9AD:				; CODE XREF: .text:0041B94Aj
		inc	edi
		outs	dx, byte ptr gs:[esi]
		db	65h
		jb	short near ptr loc_41BA13+1
		jz	short loc_41BA1A
		dec	ecx

loc_41B9B6:				; CODE XREF: .text:0041B96Bj
		jo	short near ptr loc_41BA2B+1
		push	ebx
		arpl	gs:[edi+6Eh], bp
		db	64h
		popa
		jb	short near ptr loc_41BA39+1
		inc	esp
		popa

loc_41B9C3:				; CODE XREF: .text:loc_41B94Cj
		jz	short loc_41BA26

loc_41B9C5:				; CODE XREF: .text:0041B958j
		add	[edi+65h], ah
		outsb
		db	65h
		jb	short loc_41BA2D

loc_41B9CC:				; CODE XREF: .text:loc_41B987j
		jz	short near ptr loc_41BA32+1
		dec	ecx
		jo	short loc_41BA45
		push	ebx
		arpl	gs:[edi+6Eh], bp
		db	64h
		popa
		jb	short near ptr loc_41BA51+2
		inc	esp
		popa

loc_41B9DC:				; CODE XREF: .text:loc_41B975j
		jz	short near ptr loc_41BA39+6
		inc	esp
		jnz	short near ptr loc_41BA51+2
		popa
		jz	short loc_41BA4D
		outsd
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	al, [esi]

loc_41B9EC:				; CODE XREF: .text:0041B977j
					; .text:loc_41B972j ...
		or	eax, large ds:0
; 
		dw 0
; 

loc_41B9F4:				; CODE XREF: .text:0041B985j
		and	[eax], al

loc_41B9F6:				; CODE XREF: .text:0041B98Cj
		add	[ebp+0], bh
		add	byte ptr [eax],	43h
		popa
		jo	short loc_41BA73

loc_41B9FF:				; CODE XREF: .text:0041B994j
		jnz	short loc_41BA73
		db	65h
		inc	esp
		jnz	short near ptr loc_41BA71+1

loc_41BA05:				; CODE XREF: .text:0041B991j
		jo	short loc_41BA54
		db	65h
		insd
		outsd
		jb	short loc_41BA85
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp

loc_41BA13:				; CODE XREF: .text:0041B9B0j
		imul	ebp, [edi+6Eh],	65646E45h

loc_41BA1A:				; CODE XREF: .text:0041B9B3j
		add	fs:[ecx+6Ch], ah
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h, 64h
		push	eax

loc_41BA26:				; CODE XREF: .text:loc_41B9C3j
		popa
		db	67h, 65h
		inc	ebx
		outsd

loc_41BA2B:				; CODE XREF: .text:loc_41B9B6j
		jnz	short loc_41BA9B

loc_41BA2D:				; CODE XREF: .text:0041B9C9j
		jz	short $+2
		or	ah, [ecx+64h]

loc_41BA32:				; CODE XREF: .text:loc_41B9CCj
		db	64h
		dec	eax
		jns	short near ptr loc_41BAA1+5
		db	65h
		jb	short near ptr loc_41BAAE+1

loc_41BA39:				; CODE XREF: .text:0041B9BFj
					; .text:loc_41B9DCj
		imul	esi, [ebx+6Fh],	67615072h
		db	65h
		jnb	short $+3
		test	[ebx], al

loc_41BA45:				; CODE XREF: .text:0041B9CFj
		push	67615076h
		db	65h
		inc	ebx
		outsd

loc_41BA4D:				; CODE XREF: .text:0041B9E2j
		jnz	short near ptr loc_41BABB+2
		jz	short $+2

loc_41BA51:				; CODE XREF: .text:0041B9D8j
					; .text:0041B9DFj
		or	dh, [ebx+6Bh]

loc_41BA54:				; CODE XREF: .text:loc_41BA05j
		push	eax
		popa
		db	67h, 65h
		inc	ebx
		outsd
		jnz	short loc_41BACA
		jz	short $+2
		or	ch, [ebp+65h]
		insd
		inc	ecx
		insb
		insb
		outsd
		arpl	[ebp+esi*2+72h], ax
		popa
		jz	short near ptr loc_41BAD4+2
		outsd
		outsb
		pop	edi
		insd

loc_41BA71:				; CODE XREF: .text:0041BA03j
		jnb	short $+2

loc_41BA73:				; CODE XREF: .text:0041B9FDj
					; .text:loc_41B9FFj
		or	al, [esi]

loc_41BA75:				; DATA XREF: IopLiveDumpTraceMarkRequiredDumpDataDuration(x,x,x)+CAo
		or	eax, large ds:0
; 
		db 0
		dd 2000h, 80003Ah
; 
		dec	ebp

loc_41BA85:				; CODE XREF: .text:0041BA0Aj
		popa
		jb	short loc_41BAF3
		push	edx
		db	65h
		jno	short loc_41BB01
		imul	esi, [edx+65h],	6D754464h
		jo	short loc_41BAD9
		popa
		jz	short loc_41BAF9
		add	[ebp+61h], ch

loc_41BA9B:				; CODE XREF: .text:loc_41BA2Bj
		jb	short near ptr loc_41BB07+1
		push	edx
		db	65h
		jno	short loc_41BB16

loc_41BAA1:				; CODE XREF: .text:0041BA34j
		imul	esi, [edx+65h],	6D754464h
		jo	short near ptr loc_41BAEC+2
		popa
		jz	short loc_41BB0E
		inc	esp

loc_41BAAE:				; CODE XREF: .text:0041BA36j
		jnz	short near ptr loc_41BB1F+3
		popa
		jz	short loc_41BB1C
		outsd
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	al, [esi]

loc_41BABB:				; CODE XREF: .text:loc_41BA4Dj
					; DATA XREF: IopLiveDumpTraceCaptureProcessorContextDuration(x,x,x)+CAo
		or	eax, large ds:0
; 
		db 2 dup(0), 20h
		dd 400000h
		db 80h,	0
; 

loc_41BACA:				; CODE XREF: .text:0041BA5Aj
		inc	ebx
		popa
		jo	short loc_41BB42
		jnz	short loc_41BB42
		db	65h
		push	eax
		jb	short near ptr loc_41BB42+1

loc_41BAD4:				; CODE XREF: .text:0041BA6Bj
		arpl	[ebp+73h], sp
		jnb	short loc_41BB48

loc_41BAD9:				; CODE XREF: .text:0041BA93j
		jb	short loc_41BB1E
		outsd
		outsb
		jz	short loc_41BB44
		js	short loc_41BB55
		add	[ebx+61h], ah
		jo	short loc_41BB5A
		jnz	short loc_41BB5A
		db	65h
		push	eax
		jb	short loc_41BB5B

loc_41BAEC:				; CODE XREF: .text:0041BAA8j
		arpl	[ebp+73h], sp
		jnb	short loc_41BB60
		jb	short near ptr loc_41BB35+1

loc_41BAF3:				; CODE XREF: .text:0041BA86j
		outsd
		outsb
		jz	short loc_41BB5C
		js	short loc_41BB6D

loc_41BAF9:				; CODE XREF: .text:0041BA96j
		inc	esp
		jnz	short loc_41BB6E
		popa
		jz	short loc_41BB68
		outsd
		outsb

loc_41BB01:				; CODE XREF: .text:0041BA89j
		pop	edi
		insd
		jnb	short $+2
		or	al, [esi]

loc_41BB07:				; CODE XREF: .text:loc_41BA9Bj
					; DATA XREF: IopLiveDumpTracePopulateBitmapForDumpDuration(x,x,x,x,x)+E4o
		or	eax, large ds:0
; 
		db 0
; 

loc_41BB0E:				; CODE XREF: .text:0041BAABj
		add	[eax], ah
; 
		dd offset loc_61FFFF+1
		db 80h,	0
; 

loc_41BB16:				; CODE XREF: .text:0041BA9Ej
		push	eax
		outsd
		jo	short loc_41BB8F
		insb
		popa

loc_41BB1C:				; CODE XREF: .text:0041BAB1j
		jz	short loc_41BB83

loc_41BB1E:				; CODE XREF: .text:loc_41BAD9j
		inc	edx

loc_41BB1F:				; CODE XREF: .text:loc_41BAAEj
		imul	esi, [ebp+ebp*2+61h], 726F4670h
		inc	esp
		jnz	short loc_41BB97
		jo	short $+2
		jo	short near ptr loc_41BB9C+1
		jo	short loc_41BBA5
		insb
		popa
		jz	short loc_41BB99
		inc	edx

loc_41BB35:				; CODE XREF: .text:0041BAF1j
		imul	esi, [ebp+ebp*2+61h], 726F4670h
		inc	esp
		jnz	short loc_41BBAD
		jo	short loc_41BB86

loc_41BB42:				; CODE XREF: .text:0041BACCj
					; .text:0041BACEj ...
		jnz	short loc_41BBB6

loc_41BB44:				; CODE XREF: .text:0041BADDj
		popa
		jz	short loc_41BBB0
		outsd

loc_41BB48:				; CODE XREF: .text:0041BAD7j
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	dh, [edx+65h]
		insd
		outsd
		jbe	short loc_41BBB9
		push	ebx

loc_41BB55:				; CODE XREF: .text:0041BADFj
		jns	short loc_41BBCA
		jz	short near ptr loc_41BBBD+1
		insd

loc_41BB5A:				; CODE XREF: .text:0041BAE4j
					; .text:0041BAE6j
		inc	ebx

loc_41BB5B:				; CODE XREF: .text:0041BAEAj
		popa

loc_41BB5C:				; CODE XREF: .text:0041BAF5j
		arpl	[eax+65h], bp
		inc	esi

loc_41BB60:				; CODE XREF: .text:0041BAEFj
		jb	short loc_41BBD1
		insd
		inc	esp
		jnz	short near ptr loc_41BBD2+1
		jo	short loc_41BBAC

loc_41BB68:				; CODE XREF: .text:0041BAFDj
		jnz	short loc_41BBDC
		popa
		jz	short near ptr loc_41BBD5+1

loc_41BB6D:				; CODE XREF: .text:0041BAF7j
		outsd

loc_41BB6E:				; CODE XREF: .text:0041BAFAj
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	al, [esi]

loc_41BB75:				; DATA XREF: IopLiveDumpTraceMarkImportantDumpDataDuration(x,x,x)+CAo
		or	eax, large ds:0
; 
		db 0
		dd 2000h
		db 3Ch,	0, 80h
; 

loc_41BB83:				; CODE XREF: .text:loc_41BB1Cj
		add	[ebp+61h], cl

loc_41BB86:				; CODE XREF: .text:0041BB40j
		jb	short loc_41BBF3
		dec	ecx
		insd
		jo	short loc_41BBFB
		jb	short near ptr loc_41BBFD+5
		popa

loc_41BB8F:				; CODE XREF: .text:0041BB18j
		outsb
		jz	short near ptr loc_41BBD5+1
		jnz	short near ptr loc_41BBFD+4
		jo	short near ptr loc_41BBD7+3
		popa

loc_41BB97:				; CODE XREF: .text:0041BB28j
		jz	short near ptr loc_41BBF9+1

loc_41BB99:				; CODE XREF: .text:0041BB32j
		add	[ebp+61h], ch

loc_41BB9C:				; CODE XREF: .text:0041BB2Cj
		jb	short loc_41BC09
		dec	ecx
		insd
		jo	short loc_41BC11
		jb	short loc_41BC18
		popa

loc_41BBA5:				; CODE XREF: .text:0041BB2Ej
		outsb
		jz	short near ptr loc_41BBE9+3
		jnz	short near ptr loc_41BC13+4
		jo	short loc_41BBF0

loc_41BBAC:				; CODE XREF: .text:0041BB66j
		popa

loc_41BBAD:				; CODE XREF: .text:0041BB3Ej
		jz	short loc_41BC10
		inc	esp

loc_41BBB0:				; CODE XREF: .text:0041BB45j
		jnz	short loc_41BC24
		popa
		jz	short near ptr loc_41BC1D+1
		outsd

loc_41BBB6:				; CODE XREF: .text:loc_41BB42j
		outsb
		pop	edi
		insd

loc_41BBB9:				; CODE XREF: .text:0041BB52j
		jnb	short $+2
		or	al, [esi]

loc_41BBBD:				; CODE XREF: .text:0041BB57j
					; DATA XREF: IopLiveDumpTraceCaptureDumpDataBufferingDuration(x)+BEo
		or	eax, large ds:0
; 
		db 0
		dd 2000h
		db 34h,	0
; 

loc_41BBCA:				; CODE XREF: .text:loc_41BB55j
		add	byte ptr [eax],	44h
		jnz	short near ptr loc_41BC3B+1
		jo	short near ptr loc_41BC13+2

loc_41BBD1:				; CODE XREF: .text:loc_41BB60j
		popa

loc_41BBD2:				; CODE XREF: .text:0041BB64j
		jz	short loc_41BC35
		inc	edx

loc_41BBD5:				; CODE XREF: .text:0041BB6Bj
					; .text:0041BB90j
		jnz	short loc_41BC3D

loc_41BBD7:				; CODE XREF: .text:0041BB94j
		db	66h, 65h
		jb	short near ptr loc_41BC3F+5
		outsb

loc_41BBDC:				; CODE XREF: .text:loc_41BB68j
		add	[si+75h], ah
		insd
		jo	short near ptr loc_41BC26+1
		popa
		jz	short loc_41BC47
		inc	edx
		jnz	short loc_41BC4F

loc_41BBE9:				; CODE XREF: .text:0041BBA6j
		db	66h, 65h
		jb	short loc_41BC56
		outsb
		db	67h
		inc	esp

loc_41BBF0:				; CODE XREF: .text:0041BBAAj
		jnz	short near ptr loc_41BC62+2
		popa

loc_41BBF3:				; CODE XREF: .text:loc_41BB86j
		jz	short near ptr loc_41BC5D+1
		outsd
		outsb
		pop	edi
		insd

loc_41BBF9:				; CODE XREF: .text:loc_41BB97j
		jnb	short $+2

loc_41BBFB:				; CODE XREF: .text:0041BB8Aj
		or	al, [esi]

loc_41BBFD:				; CODE XREF: .text:0041BB92j
					; .text:0041BB8Cj
		or	eax, large ds:0
; 
		db 0
		dd 2000h
		db 36h
; 

loc_41BC09:				; CODE XREF: .text:loc_41BB9Cj
		add	[eax+6C764800h], al
		inc	ebx

loc_41BC10:				; CODE XREF: .text:loc_41BBADj
		outsd

loc_41BC11:				; CODE XREF: .text:0041BBA0j
		insb
		insb

loc_41BC13:				; CODE XREF: .text:0041BBCFj
					; .text:0041BBA8j
		arpl	gs:[esp+ecx*2+69h], si

loc_41BC18:				; CODE XREF: .text:0041BBA2j
		jbe	short loc_41BC7F
		inc	esp
		jnz	short loc_41BC8A

loc_41BC1D:				; CODE XREF: .text:0041BBB3j
		jo	short $+2
		push	6F436C76h

loc_41BC24:				; CODE XREF: .text:loc_41BBB0j
		insb
		insb

loc_41BC26:				; CODE XREF: .text:0041BBE1j
		arpl	gs:[esp+ecx*2+69h], si
		jbe	short near ptr loc_41BC91+1
		inc	esp
		jnz	short loc_41BC9D
		jo	short loc_41BC76
		jnz	short near ptr loc_41BCA5+1
		popa

loc_41BC35:				; CODE XREF: .text:loc_41BBD2j
		jz	short loc_41BCA0
		outsd
		outsb
		pop	edi
		insd

loc_41BC3B:				; CODE XREF: .text:0041BBCDj
		jnb	short $+2

loc_41BC3D:				; CODE XREF: .text:loc_41BBD5j
		or	al, [esi]

loc_41BC3F:				; CODE XREF: .text:loc_41BBD7j
					; DATA XREF: IopLiveDumpEstimateMemoryPages(x)+2ACo
		or	eax, large ds:0
; 
		db 2 dup(0)
; 

loc_41BC47:				; CODE XREF: .text:0041BBE4j
		and	[eax], al
; 
		db 2 dup(0), 1
; 
		add	byte ptr [eax],	43h

loc_41BC4F:				; CODE XREF: .text:0041BBE7j
		popa
		jo	short loc_41BCC6
		jnz	short loc_41BCC6
		db	65h
		inc	esp

loc_41BC56:				; CODE XREF: .text:loc_41BBE9j
		jnz	short loc_41BCC5
		jo	short loc_41BCA7
		db	65h
		insd
		outsd

loc_41BC5D:				; CODE XREF: .text:loc_41BBF3j
		jb	short near ptr loc_41BCD2+6
		inc	ebp
		jnb	short near ptr loc_41BCD2+4

loc_41BC62:				; CODE XREF: .text:loc_41BBF0j
		imul	ebp, [ebp+61h],	6E456574h
		db	64h, 65h
		add	fs:[ebp+65h], ch
		insd
		outsd
		jb	short loc_41BCEC
		inc	ebp
		jnb	short near ptr loc_41BCE9+1

loc_41BC76:				; CODE XREF: .text:0041BC30j
		imul	ebp, [ebp+61h],	75446574h
		jb	short near ptr loc_41BCDB+5

loc_41BC7F:				; CODE XREF: .text:loc_41BC18j
		jz	short near ptr loc_41BCE9+1
		outsd
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	dh, [ebx+79h]

loc_41BC8A:				; CODE XREF: .text:0041BC1Bj
		jnb	short loc_41BD00
		db	65h
		insd
		push	ecx
		jnz	short near ptr loc_41BCF9+1

loc_41BC91:				; CODE XREF: .text:0041BC2Bj
		db	65h
		jnb	short loc_41BCF7
		db	65h, 64h
		inc	esp
		jnz	short near ptr loc_41BD09+2
		popa
		jz	short near ptr loc_41BD00+5
		outsd

loc_41BC9D:				; CODE XREF: .text:0041BC2Ej
		outsb
		pop	edi
		insd

loc_41BCA0:				; CODE XREF: .text:loc_41BC35j
		jnb	short $+2
		or	ah, [ebp+6Eh]

loc_41BCA5:				; CODE XREF: .text:0041BC32j
		db	64h
		dec	ebp

loc_41BCA7:				; CODE XREF: .text:0041BC58j
		imul	esi, [edx+72h],	6E69726Fh
		db	67h
		push	eax
		push	45657361h
		outsb
		db	64h
		dec	ecx
		outsb
		jz	short near ptr loc_41BD1E+2
		jb	short near ptr loc_41BD32+1
		popa
		insb
		inc	esp
		jnz	short near ptr loc_41BD32+2
		popa
		jz	short loc_41BD2E

loc_41BCC5:				; CODE XREF: .text:loc_41BC56j
		outsd

loc_41BCC6:				; CODE XREF: .text:0041BC50j
					; .text:0041BC52j
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	dh, [edi+ebp*2+74h]
		popa
		insb
		dec	ebp

loc_41BCD2:				; CODE XREF: .text:0041BC60j
					; .text:loc_41BC5Dj
		imul	esi, [edx+72h],	6850726Fh
		jns	short near ptr loc_41BD4B+3

loc_41BCDB:				; CODE XREF: .text:0041BC7Dj
		imul	esp, [ebx+61h],	6D654D6Ch
		outsd
		jb	short loc_41BD5E
		inc	ebx
		popa
		insb
		insb

loc_41BCE9:				; CODE XREF: .text:0041BC74j
					; .text:loc_41BC7Fj
		bound	esp, [ecx+63h]

loc_41BCEC:				; CODE XREF: .text:0041BC71j
		imul	eax, [ebp+esi*2+72h], 61h
		jz	short loc_41BD5C
		outsd
		outsb
		pop	edi
		insd

loc_41BCF7:				; CODE XREF: .text:loc_41BC91j
		jnb	short $+2

loc_41BCF9:				; CODE XREF: .text:0041BC8Fj
		or	dh, [edi+ebp*2+74h]
		popa
		insb
		dec	ebp

loc_41BD00:				; CODE XREF: .text:loc_41BC8Aj
					; .text:0041BC9Aj
		imul	esi, [edx+72h],	6850726Fh
		jns	short loc_41BD7C

loc_41BD09:				; CODE XREF: .text:0041BC97j
		imul	esp, [ebx+61h],	6D654D6Ch
		outsd
		jb	short loc_41BD8C
		inc	ebx
		popa
		insb
		insb
		bound	esp, [ecx+63h]
		imul	eax, [edx+79h],	74h

loc_41BD1E:				; CODE XREF: .text:0041BCB9j
		db	65h
		jnb	short loc_41BD80
		insd
		jnb	short $+2
		or	ch, [eax+76h]
		insb
		inc	ebx
		popa
		insb
		arpl	[ebp+6Ch], si

loc_41BD2E:				; CODE XREF: .text:0041BCC3j
		popa
		jz	short loc_41BD96
		dec	esp

loc_41BD32:				; CODE XREF: .text:0041BCBBj
					; .text:0041BCC0j
		imul	esi, [esi+65h],	706D7544h
		push	ebx
		imul	edi, [edx+65h],	61727544h
		jz	short loc_41BDAC
		outsd
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	al, [esi]

loc_41BD4B:				; CODE XREF: .text:0041BCD9j
					; DATA XREF: IopLiveDumpCaptureMemoryPages(x)+27Eo
		or	eax, large ds:0
; 
		db 2 dup(0), 20h
		dd 1160000h, 61430080h
; 

loc_41BD5C:				; CODE XREF: .text:0041BCF1j
		jo	short loc_41BDD2

loc_41BD5E:				; CODE XREF: .text:0041BCE3j
		jnz	short loc_41BDD2
		db	65h
		inc	esp
		jnz	short loc_41BDD1
		jo	short near ptr loc_41BDB1+2
		db	65h
		insd
		outsd
		jb	short near ptr loc_41BDE3+1
		inc	ebx
		popa
		jo	short loc_41BDE3
		jnz	short loc_41BDE3
		db	65h
		inc	ebp
		outsb
		db	64h, 65h
		add	fs:[ebp+65h], ch
		insd
		outsd

loc_41BD7C:				; CODE XREF: .text:0041BD07j
		jb	short near ptr loc_41BDF6+1
		inc	ebx
		popa

loc_41BD80:				; CODE XREF: .text:loc_41BD1Ej
		jo	short loc_41BDF6
		jnz	short loc_41BDF6
		db	65h
		inc	esp
		jnz	short near ptr loc_41BDF6+4
		popa
		jz	short near ptr loc_41BDF3+1
		outsd

loc_41BD8C:				; CODE XREF: .text:0041BD11j
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	dh, [ebx+79h]
		jnb	short loc_41BE0A

loc_41BD96:				; CODE XREF: .text:0041BD2Fj
		db	65h
		insd
		push	ecx
		jnz	short near ptr loc_41BE03+1
		db	65h
		jnb	short loc_41BE01
		db	65h, 64h
		inc	esp
		jnz	short near ptr loc_41BE13+2
		popa
		jz	short near ptr loc_41BE0A+5
		outsd
		outsb
		pop	edi
		insd
		jnb	short $+2

loc_41BDAC:				; CODE XREF: .text:0041BD41j
		or	ah, [ebp+6Eh]
		db	64h
		dec	ebp

loc_41BDB1:				; CODE XREF: .text:0041BD64j
		imul	esi, [edx+72h],	6E69726Fh
		db	67h
		push	eax
		push	45657361h
		outsb
		db	64h
		dec	ecx
		outsb
		jz	short near ptr loc_41BE28+2
		jb	short loc_41BE3D
		popa
		insb
		inc	esp
		jnz	short near ptr loc_41BE3D+1
		popa
		jz	short near ptr loc_41BE36+2
		outsd
		outsb

loc_41BDD1:				; CODE XREF: .text:0041BD62j
		pop	edi

loc_41BDD2:				; CODE XREF: .text:loc_41BD5Cj
					; .text:loc_41BD5Ej
		insd
		jnb	short $+2
		or	dh, [edi+ebp*2+74h]
		popa
		insb
		dec	ebp
		imul	esi, [edx+72h],	6850726Fh

loc_41BDE3:				; CODE XREF: .text:0041BD6Dj
					; .text:0041BD6Fj ...
		jns	short near ptr loc_41BE57+1
		imul	esp, [ebx+61h],	6D654D6Ch
		outsd
		jb	short loc_41BE68
		inc	ebx
		popa
		insb
		insb

loc_41BDF3:				; CODE XREF: .text:0041BD89j
		bound	esp, [ecx+63h]

loc_41BDF6:				; CODE XREF: .text:loc_41BD80j
					; .text:0041BD82j ...
		imul	eax, [ebp+esi*2+72h], 61h
		jz	short loc_41BE66
		outsd
		outsb
		pop	edi
		insd

loc_41BE01:				; CODE XREF: .text:0041BD9Bj
		jnb	short $+2

loc_41BE03:				; CODE XREF: .text:0041BD99j
		or	dh, [edi+ebp*2+74h]
		popa
		insb
		dec	ebp

loc_41BE0A:				; CODE XREF: .text:0041BD94j
					; .text:0041BDA4j
		imul	esi, [edx+72h],	6850726Fh
		jns	short loc_41BE86

loc_41BE13:				; CODE XREF: .text:0041BDA1j
		imul	esp, [ebx+61h],	6D654D6Ch
		outsd
		jb	short loc_41BE96
		inc	ebx
		popa
		insb
		insb
		bound	esp, [ecx+63h]
		imul	eax, [edx+79h],	74h

loc_41BE28:				; CODE XREF: .text:0041BDC3j
		db	65h
		jnb	short loc_41BE8A
		insd
		jnb	short $+2
		or	ch, [eax+76h]
		insb
		inc	ebx
		outsd
		insb
		insb

loc_41BE36:				; CODE XREF: .text:0041BDCDj
		arpl	gs:[esp+ecx*2+69h], si
		jbe	short loc_41BEA2

loc_41BE3D:				; CODE XREF: .text:0041BDC5j
					; .text:0041BDCAj
		db	64h
		jnz	short loc_41BEAD
		jo	short loc_41BE86
		jnz	short near ptr loc_41BEB4+2
		popa
		jz	short loc_41BEB0
		outsd
		outsb
		pop	edi
		insd
		jnb	short $+2
		or	ah, [ebp+esi*2+6Dh]
		jo	short near ptr loc_41BE96+1
		popa
		jz	short loc_41BEB7
		inc	edx

loc_41BE57:				; CODE XREF: .text:loc_41BDE3j
		jnz	short near ptr loc_41BEBE+1
		db	66h, 65h
		jb	short near ptr loc_41BEC5+1
		outsb
		db	67h
		inc	esp
		jnz	short loc_41BED4
		popa
		jz	short near ptr off_41BECE
		outsd

loc_41BE66:				; CODE XREF: .text:0041BDFBj
		outsb
		pop	edi

loc_41BE68:				; CODE XREF: .text:0041BDEDj
		insd
		jnb	short $+2
		or	al, [esi]

loc_41BE6D:				; DATA XREF: IoSetEnvironmentVariableEx(x,x,x,x,x)+E9o
		or	eax, large ds:0
; 
		db 0
		dd 2000h, 80004Ch, 56746553h, 61697261h
		db 62h,	6Ch
; 

loc_41BE86:				; CODE XREF: .text:0041BE11j
					; .text:0041BE40j
		add	gs:[esi+61h], dh

loc_41BE8A:				; CODE XREF: .text:loc_41BE28j
		jb	short loc_41BEF5
		popa
		bound	ebp, [ebp+4Eh]
		popa
		insd
		add	gs:[ecx], al

loc_41BE96:				; CODE XREF: .text:0041BE1Bj
					; .text:0041BE51j
		jbe	short loc_41BEFD
		outsb
		outs	dx, dword ptr fs:[esi]
		jb	short loc_41BEE4
		jnz	short loc_41BF08
		add	fs:[edi], cl

loc_41BEA2:				; CODE XREF: .text:0041BE3Bj
		jbe	short loc_41BF05
		insb
		jnz	short loc_41BF0C
		dec	esp
		outs	dx, byte ptr gs:[esi]
		db	67h
		jz	near ptr 0BF15h

loc_41BEAD:				; CODE XREF: .text:loc_41BE3Dj
		add	[eax], cl
		popa

loc_41BEB0:				; CODE XREF: .text:0041BE45j
		jz	short near ptr word_41BF26
		jb	short loc_41BF1D

loc_41BEB4:				; CODE XREF: .text:0041BE42j
		bound	esi, [ebp+74h]

loc_41BEB7:				; CODE XREF: .text:0041BE54j
		db	65h
		jnb	short $+3
		or	[ebx+74h], dh
		popa

loc_41BEBE:				; CODE XREF: .text:loc_41BE57j
		jz	short loc_41BF35
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41BEC5:				; CODE XREF: .text:0041BE59j
					; DATA XREF: IoGetEnvironmentVariableEx(x,x,x,x,x)+115o
		or	eax, large ds:0
; 
		db 0
		db 0, 20h
off_41BECE	dd offset loc_4BFFFF+1	; CODE XREF: .text:0041BE63j
		dw 80h
; 

loc_41BED4:				; CODE XREF: .text:0041BE60j
		inc	edi
		db	65h
		jz	short loc_41BF2E
		popa
		jb	short near ptr loc_41BF3F+5
		popa
		bound	ebp, [ebp+0]
		jbe	short near ptr loc_41BF3F+4
		jb	short near ptr loc_41BF4C+1

loc_41BEE4:				; CODE XREF: .text:0041BE9Bj
		popa
		bound	ebp, [ebp+4Eh]
		popa
		insd
		add	gs:[ecx], al
		jbe	short near ptr loc_41BF53+2
		outsb
		outs	dx, dword ptr fs:[esi]
		jb	short near ptr loc_41BF3A+2

loc_41BEF5:				; CODE XREF: .text:loc_41BE8Aj
		jnz	short near ptr loc_41BF5E+2
		add	fs:[edi], cl
		jbe	short near ptr loc_41BF5B+2
		insb

loc_41BEFD:				; CODE XREF: .text:loc_41BE96j
		jnz	short near ptr loc_41BF5E+6
		dec	esp
		outs	dx, byte ptr gs:[esi]
		db	67h
		jz	near ptr 0BF6Dh

loc_41BF05:				; CODE XREF: .text:loc_41BEA2j
		add	[eax], cl
		popa

loc_41BF08:				; CODE XREF: .text:0041BE9Dj
		jz	short near ptr loc_41BF7C+2
		jb	short loc_41BF75

loc_41BF0C:				; CODE XREF: .text:0041BEA5j
		bound	esi, [ebp+74h]
		db	65h
		jnb	short $+3
		or	[ebx+74h], dh
		popa
		jz	short loc_41BF8D
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41BF1D:				; CODE XREF: .text:0041BEB2j
					; DATA XREF: IoQueryEnvironmentVariableInfoEx(x,x,x,x)+123o
		or	eax, large ds:0
; 
		db 0
		db 0, 20h
word_41BF26	dw 0			; CODE XREF: .text:loc_41BEB0j
		dd 800077h
		db 51h,	75h
; 

loc_41BF2E:				; CODE XREF: .text:0041BED5j
		db	65h
		jb	short loc_41BFAA
		push	esi
		popa
		jb	short near ptr loc_41BF9D+1

loc_41BF35:				; CODE XREF: .text:loc_41BEBEj
		popa
		bound	ebp, [ebp+73h]

loc_41BF3A:				; CODE XREF: .text:0041BEF3j
		add	[ecx+74h], ah
		jz	short loc_41BFB1

loc_41BF3F:				; CODE XREF: .text:0041BEE0j
					; .text:0041BED9j
		imul	esp, [edx+75h],	736574h
		or	[ebp+61h], ch
		js	short near ptr loc_41BFB3+1
		insd

loc_41BF4C:				; CODE XREF: .text:0041BEE2j
		jnz	short near ptr loc_41BFBA+1
		push	esi
		popa
		jb	short near ptr loc_41BFBA+1
		popa

loc_41BF53:				; CODE XREF: .text:0041BEEEj
		bound	ebp, [ebp+53h]
		jz	short loc_41BFC8
		jb	short loc_41BFBC

loc_41BF5B:				; CODE XREF: .text:0041BEFAj
		db	67h, 65h
		push	ebx

loc_41BF5E:				; CODE XREF: .text:loc_41BEF5j
					; .text:loc_41BEFDj
		imul	edi, [edx+65h],	65720A00h
		insd
		popa
		imul	ebp, [esi+69h],	6156676Eh
		jb	short near ptr loc_41BFD8+1
		popa
		bound	ebp, [ebp+53h]

loc_41BF75:				; CODE XREF: .text:0041BF0Aj
		jz	short loc_41BFE6
		jb	short near ptr loc_41BFD8+2
		db	67h, 65h
		push	ebx

loc_41BF7C:				; CODE XREF: .text:loc_41BF08j
		imul	edi, [edx+65h],	616D0A00h
		js	short near ptr loc_41BFED+1
		insd
		jnz	short near ptr loc_41BFF4+1
		push	esi
		popa
		jb	short near ptr loc_41BFF4+1
		popa

loc_41BF8D:				; CODE XREF: .text:0041BF16j
		bound	ebp, [ebp+53h]
		imul	edi, [edx+65h],	74730A00h
		popa
		jz	short loc_41C010
		jnb	short $+2

loc_41BF9D:				; CODE XREF: .text:0041BF33j
		mov	[esi], cl
		push	es

loc_41BFA0:				; DATA XREF: IoEnumerateEnvironmentVariablesEx(x,x,x,x)+F3o
		or	eax, large ds:0
; 
		dw 0
		db 20h,	0
; 

loc_41BFAA:				; CODE XREF: .text:loc_41BF2Ej
		add	[ebx+0], dl
		add	byte ptr [eax],	45h
		outsb

loc_41BFB1:				; CODE XREF: .text:0041BF3Dj
		jnz	short loc_41C020

loc_41BFB3:				; CODE XREF: .text:0041BF49j
		db	65h
		jb	short loc_41C017
		jz	short near ptr loc_41C017+6
		push	esi
		popa

loc_41BFBA:				; CODE XREF: .text:loc_41BF4Cj
					; .text:0041BF50j
		jb	short near ptr loc_41C021+4

loc_41BFBC:				; CODE XREF: .text:0041BF59j
		popa
		bound	ebp, [ebp+73h]
		add	[ecx+6Eh], ch
		outsw
		jb	short loc_41C035

loc_41BFC8:				; CODE XREF: .text:0041BF57j
		popa
		jz	short loc_41C034
		outsd
		outsb
		inc	ebx
		insb
		popa
		jnb	short loc_41C045
		add	[eax], cl
		jb	short near ptr loc_41C03A+1
		jno	short loc_41C04D

loc_41BFD8:				; CODE XREF: .text:0041BF6Ej
					; .text:0041BF77j
		imul	esi, [edx+65h],	6E654C64h
		db	67h
		jz	near ptr 0C04Ah
		add	[eax], cl
		jnb	short loc_41C05A

loc_41BFE6:				; CODE XREF: .text:loc_41BF75j
		popa
		jz	short near ptr loc_41C05B+3
		jnb	short $+2
		mov	[esi], cl

loc_41BFED:				; CODE XREF: .text:0041BF83j
		imul	bp, [esp+esi*2+65h], 5072h

loc_41BFF4:				; CODE XREF: .text:0041BF86j
					; .text:0041BF8Aj
		jb	short near ptr loc_41C064+1
		jbe	short near ptr loc_41C05B+6
		db	64h, 65h	; DATA XREF: IopInitializePlugPlayServices(x,x)+AF0o
		add	fs:[ebx+eax+40B06h], al
; 
		dw 0
		dd 40000000h, 9A0000h, 734F0080h
; 

loc_41C010:				; CODE XREF: .text:0041BF99j
		insb
		outsd
		popa
		db	64h, 65h
		jb	short near ptr loc_41C06A+1

loc_41C017:				; CODE XREF: .text:loc_41BFB3j
					; .text:0041BFB6j
		imul	ebp, [ebp+65h],	61745300h
		jb	short near ptr loc_41C08F+5

loc_41C020:				; CODE XREF: .text:loc_41BFB1j
		push	esp

loc_41C021:				; CODE XREF: .text:loc_41BFBAj
		imul	ebp, [ebp+65h],	6E450A00h
		db	64h
		push	esp
		imul	ebp, [ebp+65h],	72500A00h
		db	65h
		insb
		outsd

loc_41C034:				; CODE XREF: .text:0041BFC9j
		popa

loc_41C035:				; CODE XREF: .text:0041BFC6j
		db	64h
		inc	ebp
		outsb
		db	64h
		push	esp

loc_41C03A:				; CODE XREF: .text:0041BFD4j
		imul	ebp, [ebp+65h],	63540A00h
		bound	ecx, [edi+ebp*2+61h]

loc_41C045:				; CODE XREF: .text:0041BFD0j
		db	64h, 65h
		jb	short loc_41C09C
		jz	short loc_41C0AC
		jb	short near ptr loc_41C0C0+1

loc_41C04D:				; CODE XREF: .text:0041BFD6j
		push	esp
		imul	ebp, [ebp+65h],	6F4C0A00h
		popa
		db	64h
		push	esi
		jnb	short near ptr loc_41C0C6+1

loc_41C05A:				; CODE XREF: .text:0041BFE4j
		push	esp

loc_41C05B:				; CODE XREF: .text:0041BFE7j
					; .text:0041BFF6j
		imul	ebp, [ebp+65h],	614C0A00h
		jnz	short loc_41C0D2

loc_41C064:				; CODE XREF: .text:loc_41BFF4j
		arpl	[eax+56h], bp
		jnb	short loc_41C0D6
		push	esp

loc_41C06A:				; CODE XREF: .text:0041C013j
		imul	ebp, [ebp+65h],	6F4C0A00h
		popa
		db	64h
		dec	eax
		jns	short near ptr loc_41C0E3+3
		db	65h
		jb	short near ptr loc_41C0ED+2
		imul	esi, [ebx+6Fh],	6D695472h
		add	gs:[edx], cl
		dec	esp
		popa
		jnz	short loc_41C0F5
		arpl	[eax+48h], bp
		jns	short loc_41C0FC
		db	65h
		jb	short near ptr byte_41C105

loc_41C08F:				; CODE XREF: .text:0041C01Ej
		imul	esi, [ebx+6Fh],	6D695472h
		add	gs:[edx], cl
		inc	esi
		jb	short near ptr loc_41C0FC+5

loc_41C09C:				; CODE XREF: .text:loc_41C045j
		jno	short loc_41C113
		outs	dx, byte ptr gs:[esi]
		arpl	[ecx+0], di
		or	al, [esi]

loc_41C0A5:				; DATA XREF: PnpCompareInterruptInformation+9CD0Eo
		or	eax, large ds:0
; 
		db 0
; 

loc_41C0AC:				; CODE XREF: .text:0041C049j
		add	[eax+0], al
		add	[ebx+0], cl
		add	byte ptr [eax],	50h
		outsb
		jo	short loc_41C0FB
		outsd
		insd
		jo	short loc_41C11D
		jb	short near ptr loc_41C122+1
		dec	ecx
		outsb

loc_41C0C0:				; CODE XREF: .text:0041C04Bj
		jz	short loc_41C127
		jb	short loc_41C136
		jnz	short loc_41C136

loc_41C0C6:				; CODE XREF: .text:0041C058j
		jz	short loc_41C111
		outsb
		outsw
		jb	short loc_41C13A
		popa
		jz	short loc_41C139
		outsd
		outsb

loc_41C0D2:				; CODE XREF: .text:0041C062j
		add	[edx+65h], dl
		popa

loc_41C0D6:				; CODE XREF: .text:0041C067j
		jnb	short near ptr loc_41C145+2
		outsb
		add	[edx], al
		push	ebx
		imul	edi, [edx+65h],	53080031h

loc_41C0E3:				; CODE XREF: .text:0041C074j
		imul	edi, [edx+65h],	44080032h
		db	65h
		jbe	short loc_41C156

loc_41C0ED:				; CODE XREF: .text:0041C076j
		arpl	[ebp+49h], sp
		outsb
		jnb	short near ptr loc_41C166+1
		popa
		outsb

loc_41C0F5:				; CODE XREF: .text:0041C085j
		arpl	[ebp+49h], sp
		add	fs:[esi], dl

loc_41C0FB:				; CODE XREF: .text:0041C0B6j
		push	es

loc_41C0FC:				; CODE XREF: .text:0041C08Aj
					; .text:0041C09Aj
					; DATA XREF: ...
		or	eax, large ds:0
; 
		dw 0
		db 40h
byte_41C105	db 2 dup(0), 3Dh	; CODE XREF: .text:0041C08Cj
		dd 50008000h, 6F43706Eh
		db 6Dh
; 

loc_41C111:				; CODE XREF: .text:loc_41C0C6j
		jo	short near ptr loc_41C172+2

loc_41C113:				; CODE XREF: .text:loc_41C09Cj
		jb	short near ptr loc_41C179+1
		dec	ecx
		outsb
		jz	short near ptr loc_41C17C+2
		jb	short loc_41C18D
		jnz	short loc_41C18D

loc_41C11D:				; CODE XREF: .text:0041C0BAj
		jz	short loc_41C168
		outsb
		outsw

loc_41C122:				; CODE XREF: .text:0041C0BCj
		jb	short loc_41C191
		popa
		jz	short loc_41C190

loc_41C127:				; CODE XREF: .text:loc_41C0C0j
		outsd
		outsb
		add	[edx+65h], dl
		popa
		jnb	short near ptr loc_41C19C+2
		outsb
		add	[edx], al
		inc	esp
		db	65h
		jbe	short near ptr loc_41C19C+3

loc_41C136:				; CODE XREF: .text:0041C0C2j
					; .text:0041C0C4j
		arpl	[ebp+49h], sp

loc_41C139:				; CODE XREF: .text:0041C0CEj
		outsb

loc_41C13A:				; CODE XREF: .text:0041C0CBj
		jnb	short loc_41C1B0
		popa
		outsb
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		push	es

loc_41C145:				; CODE XREF: .text:loc_41C0D6j
					; DATA XREF: PnpCompareInterruptInformation+9CD96o
		or	eax, large ds:0
; 
		db 0
		dd 4000h, 80004Bh
		db 50h,	6Eh
; 

loc_41C156:				; CODE XREF: .text:0041C0EAj
		jo	short loc_41C19B
		outsd
		insd
		jo	short near ptr loc_41C1BC+1
		jb	short loc_41C1C3
		dec	ecx
		outsb
		jz	short near ptr loc_41C1C3+4
		jb	short loc_41C1D6
		jnz	short loc_41C1D6

loc_41C166:				; CODE XREF: .text:0041C0F1j
		jz	short loc_41C1B1

loc_41C168:				; CODE XREF: .text:loc_41C11Dj
		outsb
		outsw
		jb	short near ptr loc_41C1D9+1
		popa
		jz	short loc_41C1D9
		outsd
		outsb

loc_41C172:				; CODE XREF: .text:loc_41C111j
		add	[edx+65h], dl
		popa
		jnb	short near ptr loc_41C1E6+1
		outsb

loc_41C179:				; CODE XREF: .text:loc_41C113j
		add	[edx], al
		push	ebx

loc_41C17C:				; CODE XREF: .text:0041C117j
		imul	edi, [edx+65h],	53080031h
		imul	edi, [edx+65h],	44080032h
		db	65h
		jbe	short near ptr loc_41C1F2+4

loc_41C18D:				; CODE XREF: .text:0041C119j
					; .text:0041C11Bj
		arpl	[ebp+49h], sp

loc_41C190:				; CODE XREF: .text:0041C125j
		outsb

loc_41C191:				; CODE XREF: .text:loc_41C122j
		jnb	short near ptr loc_41C206+1
		popa
		outsb
		arpl	[ebp+49h], sp
		add	fs:[esi], dl

loc_41C19B:				; CODE XREF: .text:loc_41C156j
		push	es

loc_41C19C:				; CODE XREF: .text:0041C12Dj
					; .text:0041C133j
					; DATA XREF: ...
		or	eax, large ds:0
; 
		dw 0
		dd 21000040h, 44008000h, 7547616Dh
; 

loc_41C1B0:				; CODE XREF: .text:loc_41C13Aj
		popa

loc_41C1B1:				; CODE XREF: .text:loc_41C166j
		jb	short near ptr loc_41C216+1
		push	ebx
		jns	short near ptr loc_41C227+2
		jz	short near ptr loc_41C21B+2
		insd
		push	eax
		outsd
		insb

loc_41C1BC:				; CODE XREF: .text:0041C15Aj
		imul	esp, [ebx+79h],	6C6F5000h

loc_41C1C3:				; CODE XREF: .text:0041C15Cj
					; .text:0041C160j
		imul	esp, [ebx+79h],	0B060800h
		add	eax, 0
; 
		db 0
		dd 4000h
		db 52h,	0
; 

loc_41C1D6:				; CODE XREF: .text:0041C162j
					; .text:0041C164j
		add	byte ptr [eax],	53h

loc_41C1D9:				; CODE XREF: .text:0041C16Ej
					; .text:0041C16Bj
		arpl	gs:[ebp+72h], si
		db	65h
		inc	esp
		db	65h
		jbe	short loc_41C24B
		arpl	[ebp+45h], sp
		outsb

loc_41C1E6:				; CODE XREF: .text:0041C176j
		jnz	short near ptr loc_41C250+5
		db	65h
		jb	short loc_41C24C
		jz	short near ptr loc_41C250+2
		add	fs:[ebp+76h], al

loc_41C1F2:				; CODE XREF: .text:0041C18Aj
		imul	esp, [ebx+65h],	74736E49h
		popa
		outsb
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		push	ebx
		arpl	gs:[ebp+72h], si

loc_41C206:				; CODE XREF: .text:loc_41C191j
		db	65h
		inc	esp
		db	65h
		jbe	short loc_41C274
		arpl	[ebp+53h], sp
		jz	short near ptr loc_41C26D+4
		jz	short near ptr loc_41C274+3
		add	[eax], cl
		push	ebp
		outsb

loc_41C216:				; CODE XREF: .text:loc_41C1B1j
		jo	short near ptr loc_41C289+1
		outsd
		jz	short loc_41C280

loc_41C21B:				; CODE XREF: .text:0041C1B6j
		arpl	[ebx+edx*2+74h], si
		popa
		jz	short loc_41C297
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41C227:				; CODE XREF: .text:0041C1B4j
					; DATA XREF: PnpTraceIommuDeviceProperties(x,x)+62o
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		dd 400000h, 6D440080h, 61754761h, 6F496472h, 44756D6Dh
		dd 63697665h
		db 65h,	50h, 72h
; 

loc_41C24B:				; CODE XREF: .text:0041C1DFj
		outsd

loc_41C24C:				; CODE XREF: .text:0041C1E8j
		jo	short loc_41C2B3
		jb	short near ptr loc_41C2C1+3

loc_41C250:				; CODE XREF: .text:0041C1EBj
					; .text:loc_41C1E6j
		imul	esp, [ebp+73h],	76654400h
		imul	esp, [ebx+65h],	74736E49h
		popa
		outsb
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		push	eax
		jb	short near ptr loc_41C2D7+1
		jo	short near ptr loc_41C2CF+1
		jb	short loc_41C2E1

loc_41C26D:				; CODE XREF: .text:0041C20Ej
					; DATA XREF: PipDmgSaveDeviceDmarPolicy(x,x,x)+101o
		imul	esp, [ebp+73h],	0B060800h

loc_41C274:				; CODE XREF: .text:0041C208j
					; .text:0041C210j
		add	eax, 0
; 
		db 2 dup(0), 40h
		dd offset loc_57FFFD+3
; 

loc_41C280:				; CODE XREF: .text:0041C219j
		add	byte ptr [eax],	41h
		db	67h, 67h
		jb	short near ptr loc_41C2EB+1
		db	67h
		popa

loc_41C289:				; CODE XREF: .text:loc_41C216j
		jz	short near ptr loc_41C2EF+1
		inc	esp
		insd
		popa
		inc	edi
		jnz	short loc_41C2F2
		jb	short near ptr loc_41C2F6+1
		inc	esp
		db	65h
		jbe	short loc_41C300

loc_41C297:				; CODE XREF: .text:0041C220j
		arpl	[ebp+50h], sp
		outsd
		insb
		imul	esp, [ebx+79h],	756F4300h
		outsb
		jz	short $+2
		mov	[eax+71808080h], eax
		inc	esp
		db	65h
		jbe	short loc_41C319
		arpl	[ebp+49h], sp

loc_41C2B3:				; CODE XREF: .text:loc_41C24Cj
		outsb
		jnb	short loc_41C32A
		popa
		outsb
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		push	eax
		outsd
		insb

loc_41C2C1:				; CODE XREF: .text:0041C24Ej
		imul	esp, [ebx+79h],	61500800h
		jb	short loc_41C33E
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41C336+2

loc_41C2CF:				; CODE XREF: .text:0041C269j
		jbe	short near ptr loc_41C323+2
		popa
		db	67h
		jnb	near ptr 0C2D5h
		or	al, [esi]

loc_41C2D7:				; CODE XREF: .text:0041C267j
					; DATA XREF: PnpTraceDriverBlocked(x,x,x,x)+96o
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		db 0
; 

loc_41C2E1:				; CODE XREF: .text:0041C26Bj
		add	[ebx+0], dl
		add	byte ptr [eax],	44h
		jb	short loc_41C352
		jbe	short loc_41C350

loc_41C2EB:				; CODE XREF: .text:0041C283j
		jb	short loc_41C32F
		insb
		outsd

loc_41C2EF:				; CODE XREF: .text:loc_41C289j
		arpl	[ebx+65h], bp

loc_41C2F2:				; CODE XREF: .text:0041C28Fj
		add	fs:[eax+61h], dl

loc_41C2F6:				; CODE XREF: .text:0041C291j
		jb	short near ptr loc_41C368+4
		inc	ecx
		pop	edi
		push	eax
		jb	short loc_41C366
		jbe	short near ptr loc_41C352+1
		popa

loc_41C300:				; CODE XREF: .text:0041C294j
		db	67h
		jnb	near ptr 0C303h
		or	al, [esi+69h]
		insb
		db	65h
		dec	esi
		popa
		insd
		add	gs:[ecx], al
		inc	ebp
		outsb
		jz	short near ptr loc_41C383+1
		jns	short loc_41C35B
		jnz	short loc_41C37F
		add	fs:[edi], cl

loc_41C319:				; CODE XREF: .text:0041C2ADj
		push	eax
		outsd
		insb
		imul	esp, [ebx+79h],	636F6C42h

loc_41C323:				; CODE XREF: .text:loc_41C2CFj
		imul	edx, [edx+65h],	61h
		jnb	short loc_41C398
		outsb

loc_41C32A:				; CODE XREF: .text:0041C2B4j
		add	[eax], cl
		push	ebx
		jz	short near ptr loc_41C38B+5

loc_41C32F:				; CODE XREF: .text:loc_41C2EBj
		jz	short near ptr loc_41C3A4+2
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41C336:				; CODE XREF: .text:0041C2CDj
					; DATA XREF: PnpTraceInterruptConnection+A138Eo
		or	eax, large ds:0
; 
		db 2 dup(0)
; 

loc_41C33E:				; CODE XREF: .text:0041C2C8j
		inc	eax
; 
		dd offset loc_48FFFF+1
		db 80h
		dd 67674100h, 61676572h, 6E496574h
; 

loc_41C350:				; CODE XREF: .text:0041C2E9j
		jz	short loc_41C3B7

loc_41C352:				; CODE XREF: .text:0041C2E7j
					; .text:0041C2FDj
		jb	short near ptr loc_41C3C5+1
		jnz	short near ptr loc_41C3C5+1
		jz	short loc_41C39B
		outsd
		outsb
		outsb

loc_41C35B:				; CODE XREF: .text:0041C312j
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb
		add	[ebx+6Fh], al
		jnz	short loc_41C3D4

loc_41C366:				; CODE XREF: .text:0041C2FBj
		jz	short $+2

loc_41C368:				; CODE XREF: .text:loc_41C2F6j
		mov	[eax+71808080h], eax
		inc	ebx
		outsd
		outsb
		outsb
		arpl	gs:[ebp+64h], si
		add	[ebx+eax+74726150h], al
		inc	ecx

loc_41C37F:				; CODE XREF: .text:0041C314j
		pop	edi
		push	eax
		jb	short loc_41C3EC

loc_41C383:				; CODE XREF: .text:0041C310j
		jbe	short near ptr loc_41C3D7+2
		popa
		db	67h
		jnb	near ptr 0C389h
		or	al, [esi]

loc_41C38B:				; CODE XREF: .text:0041C32Dj
					; DATA XREF: PnpTraceSetDevNodeProblem(x,x,x,x,x,x,x)+13Do
		or	eax, large ds:0
; 
		db 2 dup(0), 80h
		dd 840000h
; 

loc_41C398:				; CODE XREF: .text:0041C327j
		add	byte ptr [eax],	41h

loc_41C39B:				; CODE XREF: .text:0041C356j
		db	67h, 67h
		jb	short loc_41C404
		db	67h
		popa
		jz	short loc_41C408
		push	ebx

loc_41C3A4:				; CODE XREF: .text:loc_41C32Fj
		db	65h
		jz	short near ptr loc_41C3EA+1
		db	65h
		jbe	short near ptr loc_41C3F7+1
		outsd
		db	64h, 65h
		push	eax
		jb	short near ptr loc_41C41B+4
		bound	ebp, [ebp+6Dh]
		add	[ebx+6Fh], al

loc_41C3B7:				; CODE XREF: .text:loc_41C350j
		jnz	short loc_41C427
		jz	short $+2
		mov	[eax+71808080h], eax
		inc	esp
		db	65h
		jbe	short near ptr loc_41C42D+1

loc_41C3C5:				; CODE XREF: .text:loc_41C352j
					; .text:0041C354j
		arpl	[ebp+49h], sp
		outsb
		jnb	short near ptr loc_41C43D+2
		popa
		outsb
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		push	ebx

loc_41C3D4:				; CODE XREF: .text:0041C364j
		db	65h
		jb	short loc_41C44D

loc_41C3D7:				; CODE XREF: .text:loc_41C383j
		imul	esp, [ebx+65h],	656D614Eh
		add	[esi], dl
		push	eax
		jb	short near ptr loc_41C44D+5
		bound	ebp, [ebp+6Dh]
		add	[eax], cl
		push	eax

loc_41C3EA:				; CODE XREF: .text:loc_41C3A4j
		jb	short loc_41C45B

loc_41C3EC:				; CODE XREF: .text:0041C381j
		bound	ebp, [ebp+6Dh]
		push	ebx
		jz	short loc_41C454
		jz	short near ptr loc_41C469+1
		jnb	short $+2

loc_41C3F7:				; CODE XREF: .text:0041C3A7j
		mov	[esi], cl
		dec	esp
		popa
		jnb	short near ptr loc_41C470+1
		push	eax
		jb	short near ptr loc_41C469+6
		bound	ebp, [ebp+6Dh]

loc_41C404:				; CODE XREF: .text:loc_41C39Bj
		add	[eax], cl
		dec	esp
		popa

loc_41C408:				; CODE XREF: .text:0041C3A1j
		jnb	short near ptr loc_41C47D+1
		push	eax
		jb	short near ptr loc_41C479+3
		bound	ebp, [ebp+6Dh]
		push	ebx
		jz	short near ptr loc_41C474+1
		jz	short loc_41C48B
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41C41B:				; CODE XREF: .text:0041C3AEj
					; DATA XREF: PnpTraceClearDevNodeProblem(x,x,x,x)+12Bo
		or	eax, large ds:0
; 
		db 2 dup(0), 80h
		db 2 dup(0), 6Dh
; 

loc_41C427:				; CODE XREF: .text:loc_41C3B7j
		add	[eax+67674100h], al

loc_41C42D:				; CODE XREF: .text:0041C3C2j
		jb	short loc_41C494
		db	67h
		popa
		jz	short near ptr loc_41C494+4
		inc	ebx
		insb
		db	65h
		popa
		jb	short loc_41C47D
		db	65h
		jbe	short loc_41C48A
		outsd

loc_41C43D:				; CODE XREF: .text:0041C3C9j
		db	64h, 65h
		push	eax
		jb	short loc_41C4B1
		bound	ebp, [ebp+6Dh]
		add	[ebx+6Fh], al
		jnz	short near ptr loc_41C4B7+2
		jz	short $+2

loc_41C44D:				; CODE XREF: .text:loc_41C3D4j
					; .text:0041C3E1j
		mov	[eax+71808080h], eax
		inc	esp

loc_41C454:				; CODE XREF: .text:0041C3F1j
		db	65h
		jbe	short near ptr loc_41C4BE+2
		arpl	[ebp+49h], sp
		outsb

loc_41C45B:				; CODE XREF: .text:loc_41C3EAj
		jnb	short loc_41C4D1
		popa
		outsb
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		push	ebx
		db	65h
		jb	short loc_41C4DF

loc_41C469:				; CODE XREF: .text:0041C3F3j
					; .text:0041C3FEj
		imul	esp, [ebx+65h],	656D614Eh

loc_41C470:				; CODE XREF: .text:0041C3FBj
		add	[esi], dl
		dec	esp
		popa

loc_41C474:				; CODE XREF: .text:0041C412j
		jnb	short near ptr loc_41C4E8+2
		push	eax
		jb	short loc_41C4E8

loc_41C479:				; CODE XREF: .text:0041C40Bj
		bound	ebp, [ebp+6Dh]

loc_41C47D:				; CODE XREF: .text:0041C437j
					; .text:loc_41C408j
		add	[eax], cl
		dec	esp
		popa
		jnb	short near ptr loc_41C4F3+4
		push	eax
		jb	short near ptr loc_41C4F3+2
		bound	ebp, [ebp+6Dh]

loc_41C48A:				; CODE XREF: .text:0041C439j
		push	ebx

loc_41C48B:				; CODE XREF: .text:0041C414j
		jz	short loc_41C4EE
		jz	short loc_41C504
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41C494:				; CODE XREF: .text:loc_41C42Dj
					; .text:0041C431j
					; DATA XREF: ...
		or	eax, large ds:0
; 
		dw 0
		dd 53000040h, 44008000h, 63697665h, 6D655265h, 5065766Fh
		db 72h
; 

loc_41C4B1:				; CODE XREF: .text:0041C440j
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_41C50B+2

loc_41C4B7:				; CODE XREF: .text:0041C449j
		db	65h
		jz	short near ptr loc_41C526+3
		add	[ebp+76h], al

loc_41C4BE:				; CODE XREF: .text:loc_41C454j
		imul	esp, [ebx+65h],	74736E49h
		popa
		outsb
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		push	esi
		db	65h
		jz	short loc_41C540

loc_41C4D1:				; CODE XREF: .text:loc_41C45Bj
		db	65h, 64h
		inc	esp
		db	65h
		jbe	short loc_41C540
		arpl	[ebp+49h], sp
		outsb
		jnb	short near ptr loc_41C54B+6
		popa
		outsb

loc_41C4DF:				; CODE XREF: .text:0041C466j
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		push	eax
		jb	short loc_41C557

loc_41C4E8:				; CODE XREF: .text:0041C477j
					; .text:loc_41C474j
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_41C53A+1
		popa

loc_41C4EE:				; CODE XREF: .text:loc_41C48Bj
		insd
		add	gs:[esi], dl
		push	es

loc_41C4F3:				; CODE XREF: .text:0041C484j
					; .text:0041C481j
					; DATA XREF: ...
		or	eax, large ds:0
; 
		db 2 dup(0), 80h
		dd 1310000h, 65440080h
; 

loc_41C504:				; CODE XREF: .text:0041C48Dj
		jbe	short loc_41C56F
		arpl	[ebp+43h], sp
		outsd
		outsb

loc_41C50B:				; CODE XREF: .text:0041C4B5j
		imul	sp, [edi+0], 6150h
		jb	short loc_41C587
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41C580+1
		jbe	short loc_41C56E
		popa
		db	67h
		jnb	near ptr 0C51Eh
		or	cl, [ebp+67h]
		popa
		arpl	[ecx+0], di

loc_41C526:				; CODE XREF: .text:loc_41C4B7j
		or	eax, 69766544h
		arpl	[ebp+49h], sp
		outsb
		jnb	short near ptr loc_41C5A4+1
		popa
		outsb
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		inc	esp

loc_41C53A:				; CODE XREF: .text:0041C4EBj
		jb	short near ptr loc_41C5A4+1
		jbe	short loc_41C5A3
		jb	short near ptr loc_41C584+2

loc_41C540:				; CODE XREF: .text:0041C4CEj
					; .text:0041C4D4j
		insb
		imul	esp, [edi+68h],	73644974h
		add	[esi], dl
		inc	esi

loc_41C54B:				; CODE XREF: .text:0041C4DBj
		imul	esi, [edx+73h],	72614874h
		db	64h
		ja	short near ptr loc_41C5B4+2
		jb	short loc_41C5BC

loc_41C557:				; CODE XREF: .text:0041C4E6j
		dec	ecx
		add	fs:[ecx], al
		dec	esp
		popa
		jnb	short near ptr loc_41C5D2+1
		inc	ebx
		outsd
		insd
		jo	short near ptr loc_41C5C3+2
		jz	short loc_41C5CF
		bound	ebp, [ebp+49h]
		add	fs:[ecx], al
		inc	ebx

loc_41C56E:				; CODE XREF: .text:0041C518j
		insb

loc_41C56F:				; CODE XREF: .text:loc_41C504j
		popa
		jnb	short near ptr loc_41C5E4+1
		inc	edi
		jnz	short loc_41C5DE
		add	fs:[ecx], al
		inc	esp
		jb	short loc_41C5E4
		jbe	short loc_41C5E2
		jb	short near ptr loc_41C5C7+1
		outsb

loc_41C580:				; CODE XREF: .text:0041C516j
		dec	si
		popa
		insd

loc_41C584:				; CODE XREF: .text:0041C53Ej
		add	gs:[ecx], al

loc_41C587:				; CODE XREF: .text:0041C511j
		inc	esp
		jb	short near ptr loc_41C5ED+6
		jbe	short near ptr loc_41C5ED+4
		jb	short loc_41C5DE
		jb	short loc_41C5FF
		jbe	short loc_41C5FB
		db	64h, 65h
		jb	short $+4
		add	[edx+esi*2+69h], eax
		jbe	short near ptr loc_41C600+1
		jb	short loc_41C5E2
		popa
		jz	short loc_41C606
		add	[ecx], al

loc_41C5A3:				; CODE XREF: .text:0041C53Cj
		inc	esp

loc_41C5A4:				; CODE XREF: .text:0041C52Fj
					; .text:loc_41C53Aj
		jb	short near ptr loc_41C609+6
		jbe	short near ptr loc_41C609+4
		jb	short loc_41C600
		db	65h
		jb	short near ptr loc_41C61D+3
		imul	ebp, [edi+6Eh],	72440100h

loc_41C5B4:				; CODE XREF: .text:0041C552j
		imul	esi, [esi+65h],	62755372h
		insd

loc_41C5BC:				; CODE XREF: .text:0041C555j
		imul	esi, [ebx+73h],	496E6F69h

loc_41C5C3:				; CODE XREF: .text:0041C562j
		add	fs:[ecx], al
		inc	ebp

loc_41C5C7:				; CODE XREF: .text:0041C57Dj
		js	short near ptr loc_41C63C+1
		outs	dx, byte ptr gs:[esi]
		jnb	short near ptr word_41C636
		outsd
		outsb

loc_41C5CF:				; CODE XREF: .text:0041C564j
		inc	esp
		jb	short loc_41C63B

loc_41C5D2:				; CODE XREF: .text:0041C55Dj
		jbe	short near ptr byte_41C639
		jb	short near ptr loc_41C647+2
		add	[ecx], al
		dec	ecx
		outsb
		bound	ebp, [edi+78h]
		inc	esp

loc_41C5DE:				; CODE XREF: .text:0041C573j
					; .text:0041C58Cj
		jb	short near ptr loc_41C647+2
		jbe	short loc_41C647

loc_41C5E2:				; CODE XREF: .text:0041C57Bj
					; .text:0041C59Cj
		jb	short $+2

loc_41C5E4:				; CODE XREF: .text:0041C579j
					; .text:0041C570j
		test	[ebx], al
		push	ebx
		db	65h
		jz	short loc_41C65F
		jo	short near ptr byte_41C639
		outsd

loc_41C5ED:				; CODE XREF: .text:0041C58Aj
					; .text:0041C588j
		db	64h
		add	gs:[ebx+eax+6465654Eh],	al
		push	edx
		bound	ebp, gs:[edi+6Fh]

loc_41C5FB:				; CODE XREF: .text:0041C590j
		jz	short $+2
		test	[ebx], al

loc_41C5FF:				; CODE XREF: .text:0041C58Ej
		push	edx

loc_41C600:				; CODE XREF: .text:0041C5A8j
					; .text:0041C59Aj
		bound	ebp, gs:[edi+6Fh]
		jz	short near ptr loc_41C657+1

loc_41C606:				; CODE XREF: .text:0041C59Fj
		db	65h
		jno	short loc_41C67E

loc_41C609:				; CODE XREF: .text:0041C5A6j
					; .text:loc_41C5A4j
		imul	esi, [edx+65h],	61655264h
		jnb	short loc_41C681
		outsb
		add	ds:74617453h, dl
		jnz	short loc_41C68E
		inc	ebx
		outsd

loc_41C61D:				; CODE XREF: .text:0041C5AAj
		db	64h
		add	gs:[eax+736E490Eh], cl
		jz	short near ptr loc_41C687+1
		insb
		insb
		inc	esp
		popa
		jz	short near ptr loc_41C691+1
		add	[ecx], dl
		push	es

loc_41C630:				; DATA XREF: PnpTraceDockDeviceEnumeration(x,x)+72o
		or	eax, large ds:0
; 
word_41C636	dw 0			; CODE XREF: .text:0041C5CBj
		db 40h
byte_41C639	db 2 dup(0)		; CODE XREF: .text:loc_41C5D2j
					; .text:0041C5EAj
; 

loc_41C63B:				; CODE XREF: .text:0041C5D0j
		dec	ebx

loc_41C63C:				; CODE XREF: .text:loc_41C5C7j
		add	[eax+636F4400h], al
		imul	eax, [ebp+76h],	69h

loc_41C647:				; CODE XREF: .text:0041C5E0j
					; .text:0041C5D4j ...
		arpl	[ebp+45h], sp
		outsb
		jnz	short near ptr loc_41C6B9+1
		db	65h
		jb	short loc_41C6B1
		jz	short near ptr loc_41C6B5+2
		add	fs:[ebp+76h], al

loc_41C657:				; CODE XREF: .text:0041C604j
		imul	esp, [ebx+65h],	74736E49h
		popa

loc_41C65F:				; CODE XREF: .text:0041C5E7j
		outsb
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		inc	esp
		outsd
		arpl	[ebx+53h], bp
		jz	short near ptr loc_41C6CD+1
		jz	short near ptr loc_41C6E3+1
		jnb	short $+2
		or	[ebp+6Eh], al
		jnz	short loc_41C6E3
		db	65h
		jb	short loc_41C6DA
		jz	short near ptr loc_41C6E3+1
		outsd
		outsb
		push	edx

loc_41C67E:				; CODE XREF: .text:loc_41C606j
		db	65h
		jnb	short loc_41C6F6

loc_41C681:				; CODE XREF: .text:0041C610j
		insb
		jz	short $+2
		mov	[esi], cl
		push	es

loc_41C687:				; CODE XREF: .text:0041C625j
					; DATA XREF: PnpTraceRebalanceResult(x)+221o
		or	eax, large ds:0
; 
		db 0
; 

loc_41C68E:				; CODE XREF: .text:0041C619j
		add	[eax+0], al

loc_41C691:				; CODE XREF: .text:0041C62Bj
		add	[ecx+52008000h], bh
		bound	esp, gs:[ecx+6Ch]
		popa
		outsb
		arpl	[ebp+52h], sp
		db	65h
		jnb	short near ptr loc_41C712+6
		insb
		jz	short $+2
		inc	esp
		db	65h
		jbe	short near ptr loc_41C712+1
		arpl	[ebp+49h], sp
		outsb
		jnb	short loc_41C724
		popa

loc_41C6B1:				; CODE XREF: .text:0041C64Dj
		outsb
		arpl	[ebp+49h], sp

loc_41C6B5:				; CODE XREF: .text:0041C650j
		add	fs:[esi], dl
		push	ebx

loc_41C6B9:				; CODE XREF: .text:0041C64Bj
		db	65h
		jb	short near ptr loc_41C72D+5
		imul	esp, [ebx+65h],	656D614Eh
		add	[esi], dl
		inc	esp
		db	65h
		jbe	short near ptr loc_41C72D+5
		arpl	[ebp+43h], sp
		outsd

loc_41C6CD:				; CODE XREF: .text:0041C66Bj
		jnz	short loc_41C73D
		jz	short $+2
		or	[ebx+75h], dl
		bound	esi, [edx+esi*2+65h]
		db	65h
		push	edx

loc_41C6DA:				; CODE XREF: .text:0041C676j
		outsd
		outsd
		jz	short near ptr loc_41C726+1
		outsb
		jnb	short near ptr byte_41C755
		popa
		outsb

loc_41C6E3:				; CODE XREF: .text:0041C674j
					; .text:0041C66Dj ...
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		push	ebx
		jnz	short near ptr loc_41C74D+1
		jz	short loc_41C760
		db	65h, 65h
		dec	ecx
		outsb
		arpl	[ebp+esi*2+64h], bp

loc_41C6F6:				; CODE XREF: .text:loc_41C67Ej
		db	65h
		jnb	short near ptr loc_41C746+5
		outsd
		outsd
		jz	short $+2
		test	[ebx], al
		push	edx
		bound	esp, gs:[ecx+6Ch]
		popa
		outsb
		arpl	[ebp+44h], sp
		jnz	short near ptr loc_41C76F+1
		push	esp
		outsd
		inc	esp
		jns	short near ptr loc_41C77C+2
		popa
		insd

loc_41C712:				; CODE XREF: .text:0041C6A7j
					; .text:0041C6A0j
		imul	esp, [ebx+50h],	69747261h
		jz	short loc_41C784
		outsd
		outsb
		imul	ebp, [esi+67h],	52038400h

loc_41C724:				; CODE XREF: .text:0041C6AEj
		db	65h
		popa

loc_41C726:				; CODE XREF: .text:0041C6DCj
		jnb	short near ptr loc_41C796+1
		outsb
		add	[eax], cl
		inc	esi
		popa

loc_41C72D:				; CODE XREF: .text:loc_41C6B9j
					; .text:0041C6C6j
		imul	ebp, [ebp+esi*2+72h], 44080065h
		jnz	short loc_41C7A9
		popa
		jz	short near ptr loc_41C7A2+1
		outsd
		outsb
		dec	ecx

loc_41C73D:				; CODE XREF: .text:loc_41C6CDj
		outsb
		dec	ebp
		jnb	short $+2
		or	al, [ebp+6Eh]
		db	64h
		push	esp

loc_41C746:				; CODE XREF: .text:loc_41C6F6j
					; DATA XREF: PnpTraceDeviceRemovalForResetComplete(x,x)+151o
		imul	ebp, [ebp+65h],	0B060A00h

loc_41C74D:				; CODE XREF: .text:0041C6EAj
		add	eax, 0
; 
		dw 0
		db 40h
byte_41C755	db 2 dup(0), 87h	; CODE XREF: .text:0041C6DFj
		dd 44008000h, 63697665h
; 

loc_41C760:				; CODE XREF: .text:0041C6ECj
		db	65h
		push	edx
		db	65h
		insd
		outsd
		jbe	short loc_41C7C8
		insb
		inc	esi
		outsd
		jb	short near ptr loc_41C7BD+1
		db	65h
		jnb	short loc_41C7D4

loc_41C76F:				; CODE XREF: .text:0041C709j
		jz	short near ptr loc_41C7B3+1
		outsd
		insd
		jo	short near ptr loc_41C7DF+2
		db	65h
		jz	short near ptr loc_41C7DB+2
		add	[ebp+76h], al

loc_41C77C:				; CODE XREF: .text:0041C70Ej
		imul	esp, [ebx+65h],	74736E49h
		popa

loc_41C784:				; CODE XREF: .text:0041C719j
		outsb
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		push	ebx
		db	65h
		jb	short near ptr loc_41C804+1
		imul	esp, [ebx+65h],	656D614Eh

loc_41C796:				; CODE XREF: .text:loc_41C726j
		add	[esi], dl
		inc	esp
		db	65h
		jbe	short loc_41C7EA
		outsd
		db	64h, 65h
		push	ebx
		jz	short loc_41C803

loc_41C7A2:				; CODE XREF: .text:0041C738j
		jz	short loc_41C809
		add	[eax], cl
		push	ebx
		jz	short near ptr loc_41C809+1

loc_41C7A9:				; CODE XREF: .text:0041C735j
		jz	short near ptr loc_41C81E+2
		jnb	short $+2
		mov	[esi], cl
		push	edx
		db	65h
		jz	short near ptr loc_41C821+4

loc_41C7B3:				; CODE XREF: .text:loc_41C76Fj
		jns	short near ptr loc_41C7F6+2
		outsd
		jnz	short near ptr loc_41C821+5
		jz	short $+2
		or	[edx+65h], dl

loc_41C7BD:				; CODE XREF: .text:0041C76Aj
		jz	short near ptr loc_41C82F+2
		jns	short near ptr loc_41C809+1
		outsb
		jz	short near ptr loc_41C828+1
		jb	short near ptr loc_41C83B+1
		popa
		insb

loc_41C7C8:				; CODE XREF: .text:0041C765j
		add	[ecx], cl
		push	esi
		db	65h
		jz	short near ptr loc_41C83B+2
		push	esp
		jns	short loc_41C841
		add	gs:[eax], cl

loc_41C7D4:				; CODE XREF: .text:0041C76Cj
		push	esi
		db	65h
		jz	short near ptr loc_41C846+1
		dec	esi
		popa
		insd

loc_41C7DB:				; CODE XREF: .text:0041C775j
		add	gs:[esi], dl
		push	es

loc_41C7DF:				; CODE XREF: .text:0041C773j
					; DATA XREF: PnpTraceRebalanceResult(x)+355o
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		db 2 dup(0)
; 

loc_41C7EA:				; CODE XREF: .text:0041C799j
		pop	esi
		add	[eax+71655200h], al
		jnz	short loc_41C858
		jnb	short loc_41C869
		inc	esp

loc_41C7F6:				; CODE XREF: .text:loc_41C7B3j
		db	65h
		jbe	short loc_41C862
		arpl	[ebp+52h], sp
		db	65h
		insd
		outsd
		jbe	short loc_41C862
		insb
		inc	esi

loc_41C803:				; CODE XREF: .text:0041C7A0j
		outsd

loc_41C804:				; CODE XREF: .text:0041C78Cj
		jb	short loc_41C858
		db	65h
		jnb	short near ptr loc_41C86C+2

loc_41C809:				; CODE XREF: .text:loc_41C7A2j
					; .text:0041C7A7j ...
		jz	short $+2
		inc	esp
		db	65h
		jbe	short near ptr loc_41C875+3
		arpl	[ebp+49h], sp
		outsb
		jnb	short loc_41C889
		popa
		outsb
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		push	ebx

loc_41C81E:				; CODE XREF: .text:loc_41C7A9j
		db	65h
		jb	short near ptr loc_41C895+2

loc_41C821:				; CODE XREF: .text:0041C7B0j
					; .text:0041C7B6j
		imul	esp, [ebx+65h],	656D614Eh

loc_41C828:				; CODE XREF: .text:0041C7C2j
		add	[esi], dl
		inc	esp
		db	65h
		jbe	short near ptr loc_41C87B+1
		outsd

loc_41C82F:				; CODE XREF: .text:loc_41C7BDj
		db	64h, 65h
		push	ebx
		jz	short loc_41C895
		jz	short near ptr loc_41C895+6
		add	[eax], cl
		inc	esi
		insb
		popa

loc_41C83B:				; CODE XREF: .text:0041C7C4j
					; .text:0041C7CBj
		db	67h
		jnb	near ptr 0C83Eh
		or	[edx+65h], dl

loc_41C841:				; CODE XREF: .text:0041C7CFj
		jnb	short near ptr loc_41C8B7+1
		insb
		jz	short $+2

loc_41C846:				; CODE XREF: .text:0041C7D5j
		mov	[esi], cl
		push	es

loc_41C849:				; DATA XREF: KiTraceLogNmiCallback(x)+158o
		or	eax, large ds:0
; 
		db 0
		dd 4000h, 80008Dh
; 

loc_41C858:				; CODE XREF: .text:0041C7F1j
					; .text:loc_41C804j
		inc	ebp
		js	short loc_41C8CF
		db	65h
		jb	short near ptr loc_41C8C9+3
		popa
		insb
		dec	esi
		insd

loc_41C862:				; CODE XREF: .text:loc_41C7F6j
					; .text:0041C7FFj
		imul	eax, [ebx+61h],	61626C6Ch

loc_41C869:				; CODE XREF: .text:0041C7F3j
		arpl	[ebx+52h], bp

loc_41C86C:				; CODE XREF: .text:0041C806j
		imul	esi, gs:[bp+di+74h], 64657265h

loc_41C875:				; CODE XREF: .text:0041C80Cj
		add	[edx+esi*2+69h], al
		jbe	short loc_41C8E0

loc_41C87B:				; CODE XREF: .text:0041C82Bj
		jb	short near ptr loc_41C8C9+2
		popa
		insd
		add	gs:[esi], dl
		inc	esp
		jb	short near ptr loc_41C8EC+2
		jbe	short loc_41C8EC
		jb	short near ptr loc_41C8C9+2

loc_41C889:				; CODE XREF: .text:0041C813j
		popa
		jnb	short near ptr loc_41C8EF+2
		add	[esp+eax*2], dl
		jb	short near ptr loc_41C8F5+5
		jbe	short near ptr loc_41C8F5+3
		jb	short near ptr dword_41C8E8

loc_41C895:				; CODE XREF: .text:0041C832j
					; .text:loc_41C81Ej ...
		imul	edi, [edx+65h],	6D490800h
		popa
		db	67h, 65h
		inc	ebx
		push	736B6365h
		jnz	short loc_41C914
		add	[ecx+ecx*2], dl
		insd
		popa
		db	67h, 65h
		push	esp
		imul	ebp, [ebp+65h],	65746144h
		push	ebx

loc_41C8B7:				; CODE XREF: .text:loc_41C841j
		jz	short near ptr loc_41C917+3
		insd
		jo	short $+2
		adc	al, 4Eh
		insd
		imul	eax, [ebx+61h],	61626C6Ch
		arpl	[ebx+41h], bp

loc_41C8C9:				; CODE XREF: .text:loc_41C87Bj
					; .text:0041C887j ...
		db	64h, 64h
		jb	short near ptr loc_41C931+1
		jnb	short loc_41C942

loc_41C8CF:				; CODE XREF: .text:0041C859j
		add	[eax+edx*2], dl
		popa
		jb	short near ptr loc_41C948+1
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41C942+1
		jbe	short loc_41C930
		popa
		db	67h
		jnb	near ptr 0C8E0h

loc_41C8E0:				; CODE XREF: .text:0041C879j
		or	al, [esi]

loc_41C8E2:				; DATA XREF: MmNotifyProcessInSwapTrigger+E53A2o
		or	eax, large ds:800h
; 
dword_41C8E8	dd 400000h		; CODE XREF: .text:0041C893j
; 

loc_41C8EC:				; CODE XREF: .text:0041C885j
					; .text:0041C883j
		add	[eax+0], cl

loc_41C8EF:				; CODE XREF: .text:0041C88Aj
		add	byte ptr [eax],	43h
		outsd
		insd
		insd

loc_41C8F5:				; CODE XREF: .text:0041C891j
					; .text:0041C88Fj
		imul	esi, [ebx+edx*2+61h], 50646576h
		jb	short near ptr loc_41C96A+4
		arpl	[ebp+73h], sp
		jnb	short loc_41C94D
		outsb
		push	ebx
		ja	short near ptr loc_41C967+2
		jo	short near ptr loc_41C95A+4
		jb	short loc_41C975
		db	67h, 67h, 65h
		jb	short $+5
		dec	ecx
		insd
		popa

loc_41C914:				; CODE XREF: .text:0041C8A5j
		db	67h, 65h
		inc	esi

loc_41C917:				; CODE XREF: .text:loc_41C8B7j
		imul	ebp, [ebp+4Eh],	656D61h
		add	dl, [eax+69h]
		add	fs:[eax], cl
		push	eax
		popa
		jb	short near ptr loc_41C99C+1
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41C993+4
		jbe	short near ptr loc_41C983+1

loc_41C930:				; CODE XREF: .text:0041C8DAj
		popa

loc_41C931:				; CODE XREF: .text:loc_41C8C9j
		db	67h
		jnb	near ptr 0C934h
		or	al, [esi]

loc_41C936:				; DATA XREF: MiLogResetPagesCommitRelease(x,x)+A2o
		or	eax, large ds:400h
; 
		dd 0
		db 0, 5Ah
; 

loc_41C942:				; CODE XREF: .text:0041C8CDj
					; .text:0041C8D8j
		add	[eax+6F725000h], al

loc_41C948:				; CODE XREF: .text:0041C8D3j
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_41C99C+3

loc_41C94D:				; CODE XREF: .text:0041C902j
		db	65h
		jnb	short loc_41C9B5
		jz	short near ptr word_41C9A2
		popa
		db	67h, 65h
		jnb	near ptr 0C99Ah
		outsd
		insd
		insd

loc_41C95A:				; CODE XREF: .text:0041C908j
		imul	esi, [edx+edx*2+65h], 7361656Ch
		add	gs:[ecx+6Dh], cl
		popa

loc_41C967:				; CODE XREF: .text:0041C906j
		db	67h, 65h
		inc	esi

loc_41C96A:				; CODE XREF: .text:0041C8FDj
		imul	ebp, [ebp+4Eh],	656D61h
		add	dl, [eax+69h]

loc_41C975:				; CODE XREF: .text:0041C90Aj
		add	fs:[eax], cl
		push	edx
		db	65h
		jnb	short near ptr loc_41C9DA+7
		jz	short near ptr loc_41C9C8+6
		popa
		db	67h, 65h
		jnb	near ptr 0C9D5h

loc_41C983:				; CODE XREF: .text:0041C92Ej
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_41C9EC+2
		add	fs:[edx], cl
		dec	esi
		db	65h
		ja	short loc_41C9D3
		outsd
		insd
		insd

loc_41C993:				; CODE XREF: .text:0041C92Cj
		imul	esi, [esp+eax*2+65h], 0A007462h
		push	es

loc_41C99C:				; CODE XREF: .text:0041C927j
					; .text:0041C94Bj
					; DATA XREF: ...
		or	eax, large ds:400h
; 
word_41C9A2	dw 0			; CODE XREF: .text:0041C950j
		dd 44000000h, 50008000h, 65636F72h, 6F437373h
		db 6Dh
; 

loc_41C9B5:				; CODE XREF: .text:loc_41C94Dj
		insd
		imul	esi, [edx+edx*2+65h], 75716361h
		imul	esi, [edx+65h],	616D4900h
		db	67h, 65h
		inc	esi

loc_41C9C8:				; CODE XREF: .text:0041C97Cj
		imul	ebp, [ebp+4Eh],	656D61h
		add	dl, [eax+69h]

loc_41C9D3:				; CODE XREF: .text:0041C98Dj
		add	fs:[eax], cl
		inc	ebx
		outsd
		insd
		insd

loc_41C9DA:				; CODE XREF: .text:0041C979j
		imul	esi, [eax+edx*2+61h], 52736567h
		db	65h
		insb
		db	65h
		popa
		jnb	short loc_41CA4D
		add	fs:[edx], cl
		push	es

loc_41C9EC:				; CODE XREF: .text:0041C987j
					; DATA XREF: MiLogOutswappedProcessCommitReacquire(x,x,x,x)+9Co
		or	eax, large ds:400h
; 
		dw 0
		db    0
		dd offset loc_47FFFE+2
		db 80h,	0, 50h
aRocesscommitre	db 'rocessCommitReacquireSkip',0
aImagefilename	db 'ImageFileName',0
		db    2
		dd offset loc_646950
aCommitpagesrel	db 8,'CommitPagesReleased',0
		dw 60Ah
dword_41CA40	dd 400050Bh, 0		; DATA XREF: MiLogOutswappedProcessCommitReacquire(x,x,x,x)+CBo
		dd 48000000h
		db 0
; 

loc_41CA4D:				; CODE XREF: .text:0041C9E6j
		add	byte ptr [eax],	50h
		jb	short loc_41CAC1
		arpl	[ebp+73h], sp
		jnb	short near ptr word_41CA9A
		outsd
		insd
		insd
		imul	esi, [edx+edx*2+65h], 75716361h
		imul	esi, [edx+65h],	6C696146h
		add	[ecx+6Dh], cl
		popa
		db	67h, 65h
		inc	esi
		imul	ebp, [ebp+4Eh],	656D61h
		add	dl, [eax+69h]
		add	fs:[eax], cl
		inc	ebx
		outsd
		insd
		insd
		imul	esi, [eax+edx*2+61h], 52736567h
		db	65h
		insb
		db	65h
		popa
		jnb	short loc_41CAF5
		add	fs:[edx], cl
		push	es

loc_41CA94:				; DATA XREF: MiLogOutswappedProcessCommitRelease(x,x,x)+A5o
		or	eax, large ds:400h
; 
word_41CA9A	dw 0			; CODE XREF: .text:0041CA55j
		db    0
		dd offset locret_590000
		db 80h,	0, 50h
aRocesscommit_0	db 'rocessCommitRelease',0
		dd 67616D49h, 6C694665h
		db 65h
; 

loc_41CAC1:				; CODE XREF: .text:0041CA50j
		dec	esi
		popa
		insd
		add	gs:[edx], al
		push	eax
		imul	esp, [eax+eax+8], 6D6D6F43h
		imul	esi, [eax+edx*2+61h], 52736567h
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_41CB41+2
		add	fs:[edx], cl
		push	edx
		db	65h
		jnb	short loc_41CB4A
		jz	short loc_41CB37
		popa
		db	67h, 65h
		jnb	near ptr 0CB3Ah
		outsd
		jz	short loc_41CB41
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_41CB57+3

loc_41CAF5:				; CODE XREF: .text:0041CA8Ej
		add	fs:[edx], cl
		push	es

loc_41CAF9:				; DATA XREF: MiLogReserveVaFailed+B38F3o
		or	eax, large ds:0
; 
		db 0
		dd 4000h, 8000B2h
aProcessreserve	db 'ProcessReserveMemFailed',0
aAppsessionguid	db 'AppSessionGuid',0
; 
		rcpps	xmm5, oword ptr	[ecx+7Ah]
		db	65h
		dec	edi
		push	dx

loc_41CB37:				; CODE XREF: .text:0041CAE5j
		popa
		outsb
		db	67h, 65h
		inc	edx
		jns	short near ptr loc_41CBB1+1
		db	65h
		jnb	short $+3

loc_41CB41:				; CODE XREF: .text:0041CAEDj
					; .text:0041CADCj
		or	dl, [esi+69h]
		jb	short near ptr loc_41CBB7+3
		jnz	short loc_41CBA9
		insb
		push	ebx

loc_41CB4A:				; CODE XREF: .text:0041CAE2j
		imul	edi, [edx+65h],	65747942h
		jnb	short $+2
		or	dl, [eax+65h]
		popa

loc_41CB57:				; CODE XREF: .text:0041CAF3j
		imul	edx, [esi+69h],	72h
		jz	short loc_41CBD2
		popa
		insb
		push	ebx
		imul	edi, [edx+65h],	65747942h
		jnb	short $+2
		or	cl, [eax+69h]
		db	67h
		push	55747365h
		jnb	short near ptr loc_41CBD4+5
		jb	short loc_41CBB7
		db	64h, 64h
		jb	short near ptr loc_41CBDC+3
		jnb	short near ptr loc_41CBEA+5
		add	[edx], cl
		inc	ecx
		insb
		imul	esp, [edi+6Eh],	746E656Dh
		add	[edx], cl
		dec	esp
		outsd
		ja	short loc_41CBF2
		jnb	short near ptr loc_41CBFE+5
		push	ebx
		jz	short loc_41CBF3
		jb	short near ptr loc_41CC07+1
		imul	ebp, [esi+67h],	72646441h
		db	65h
		jnb	short loc_41CC11
		add	[edx], cl
		dec	eax
		imul	esp, [edi+68h],	45747365h
		outsb

loc_41CBA9:				; CODE XREF: .text:0041CB46j
		imul	ebp, fs:[esi+67h], 72646441h

loc_41CBB1:				; CODE XREF: .text:0041CB3Cj
		db	65h
		jnb	short loc_41CC27
		add	[edx], cl
		push	es

loc_41CBB7:				; CODE XREF: .text:0041CB74j
					; .text:0041CB44j
					; DATA XREF: ...
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		dd offset loc_55FFFD+3
		dd 6D490080h, 46656761h, 4D656C69h
		db 61h,	70h
; 

loc_41CBD2:				; CODE XREF: .text:0041CB5Bj
		inc	esi
		popa

loc_41CBD4:				; CODE XREF: .text:0041CB72j
		imul	ebp, [ebp+esi*2+72h], 61460065h

loc_41CBDC:				; CODE XREF: .text:0041CB76j
		imul	ebp, [ebp+esi*2+72h], 61655265h
		jnb	short loc_41CC55
		outsb
		add	[edx], al
		inc	esi

loc_41CBEA:				; CODE XREF: .text:0041CB7Aj
		imul	ebp, [ebp+4Eh],	656D61h

loc_41CBF2:				; CODE XREF: .text:0041CB8Bj
		push	ss

loc_41CBF3:				; CODE XREF: .text:0041CB90j
		inc	ebx
		push	736B6365h
		jnz	short loc_41CC68
		add	[eax], cl
		push	esp

loc_41CBFE:				; CODE XREF: .text:0041CB8Dj
		imul	ebp, [ebp+65h],	6D617473h
		jo	short $+2

loc_41CC07:				; CODE XREF: .text:0041CB92j
		or	[eax+61h], dl
		jb	short near ptr dword_41CC80
		inc	ecx
		pop	edi
		push	eax
		jb	short loc_41CC7A

loc_41CC11:				; CODE XREF: .text:0041CB9Bj
		jbe	short near ptr loc_41CC66+1
		popa
		db	67h
		jnb	near ptr 0CC17h
		or	al, [esi]

loc_41CC19:				; DATA XREF: MiLogStrongCodeDriverLoadFailure(x,x)+E5o
		or	eax, large ds:0
; 
		db 0
		dd 4000h
		db 55h,	0, 80h
; 

loc_41CC27:				; CODE XREF: .text:loc_41CBB1j
		add	[eax+76h], cl
		arpl	[ecx+44h], bp
		jb	short loc_41CC98
		jbe	short loc_41CC96
		jb	short near ptr loc_41CC7A+5
		outsd
		popa
		db	64h
		inc	esi
		popa
		imul	ebp, [eax+eax+46h], 756C6961h
		jb	short loc_41CCA7
		push	edx
		db	65h
		popa
		jnb	short near ptr loc_41CCB5+1
		outsb
		add	[edx], al
		inc	edx
		popa
		jnb	short loc_41CCB3
		dec	esi
		popa
		insd
		add	gs:[esi], dl
		inc	ebx

loc_41CC55:				; CODE XREF: .text:0041CBE4j
		push	736B6365h
		jnz	short near ptr loc_41CCC8+1
		add	[eax], cl
		push	esp
		imul	ebp, [ebp+65h],	6D617473h

loc_41CC66:				; CODE XREF: .text:loc_41CC11j
		jo	short $+2

loc_41CC68:				; CODE XREF: .text:0041CBF9j
		or	[eax+61h], dl
		jb	short loc_41CCE1
		inc	ecx
		pop	edi
		push	eax
		jb	short loc_41CCDB
		jbe	short loc_41CCC8
		popa
		db	67h
		jnb	near ptr 0CC78h
		or	al, [esi]

loc_41CC7A:				; CODE XREF: .text:0041CC0Fj
					; .text:0041CC31j
					; DATA XREF: ...
		or	eax, large ds:0
; 
dword_41CC80	dd 400000h, 80005D00h, 63764800h, 69724469h, 4C726576h
					; CODE XREF: .text:0041CC0Aj
		db 6Fh,	61h
; 

loc_41CC96:				; CODE XREF: .text:0041CC2Fj
		db	64h
		inc	esi

loc_41CC98:				; CODE XREF: .text:0041CC2Dj
		popa
		imul	ebp, [eax+eax+52h], 726F6365h
		db	64h
		sub	eax, 6961463Eh

loc_41CCA7:				; CODE XREF: .text:0041CC40j
		insb
		jnz	short loc_41CD1C
		db	65h
		push	edx
		db	65h
		popa
		jnb	short loc_41CD1F
		outsb
		add	[edx], al

loc_41CCB3:				; CODE XREF: .text:0041CC4Cj
		inc	edx
		popa

loc_41CCB5:				; CODE XREF: .text:0041CC45j
		jnb	short loc_41CD1C
		dec	esi
		popa
		insd
		add	gs:[esi], dl
		inc	ebx
		push	736B6365h
		jnz	short near ptr loc_41CD31+1
		add	[eax], cl
		push	esp

loc_41CCC8:				; CODE XREF: .text:0041CC72j
					; .text:0041CC5Aj
		imul	ebp, [ebp+65h],	6D617473h
		jo	short $+2
		or	[eax+61h], dl
		jb	short near ptr loc_41CD47+3
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41CD3F+5

loc_41CCDB:				; CODE XREF: .text:0041CC70j
		jbe	short loc_41CD31
		popa
		db	67h
		jnb	near ptr 0CCE1h

loc_41CCE1:				; CODE XREF: .text:0041CC6Bj
		or	al, [esi]

loc_41CCE3:				; DATA XREF: MiLogContinueTrim(x,x)+B0o
		or	eax, large ds:101h
; 
		db 3 dup(0)
		dd offset loc_5DFFFD+3
		db  80h	; 
		align 2
aContinuetrimpa	db 'ContinueTrimPasses',0
aNumpasses	db 'NumPasses',0
		db 8
		dd 65676150h, 69725473h, 64656D6Dh
; 

loc_41CD1C:				; CODE XREF: .text:0041CCA8j
					; .text:loc_41CCB5j
		add	[edx], cl
		push	eax

loc_41CD1F:				; CODE XREF: .text:0041CCAEj
		popa
		db	67h, 65h
		jnb	near ptr 0CD78h
		outsd
		push	esp
		jb	short loc_41CD91
		insd
		add	[edx], cl
		inc	esp
		db	65h
		jnb	short loc_41CD98
		jb	short near ptr loc_41CD95+1

loc_41CD31:				; CODE XREF: .text:loc_41CCDBj
					; .text:0041CCC3j
		db	64h
		inc	esi
		jb	short loc_41CD9A
		db	65h
		inc	edi
		outsd
		popa
		insb
		add	[edx], cl
		inc	ecx
		jbe	short near ptr loc_41CD9E+2

loc_41CD3F:				; CODE XREF: .text:0041CCD9j
		imul	ebp, [ecx+62h],	6150656Ch

loc_41CD47:				; CODE XREF: .text:0041CCD4j
		db	67h, 65h
		jnb	near ptr 0CD4Bh
		or	al, [esi]

loc_41CD4D:				; DATA XREF: MiLogProcessWorkingSetsStart+174918o
		or	eax, large ds:101h
; 
		db 0
		align 8
		dd 80009Bh
aProcessworking	db 'ProcessWorkingSets',0
aTrimreason	db 'TrimReason',0
		dw 4104h
aGepercent	db 'gePercent',0
		dw 5706h
		dd 696B726Fh, 6553676Eh
		db 74h
; 

loc_41CD91:				; CODE XREF: .text:0041CD26j
		push	edx
		db	65h
		jno	short loc_41CE0A

loc_41CD95:				; CODE XREF: .text:0041CD2Fj
		db	65h
		jnb	short loc_41CE0C

loc_41CD98:				; CODE XREF: .text:0041CD2Cj
		inc	esi
		insb

loc_41CD9A:				; CODE XREF: .text:0041CD33j
		popa
		db	67h
		jnb	near ptr 0CD9Eh

loc_41CD9E:				; CODE XREF: .text:0041CD3Dj
		or	[eax+61h], dl
		db	67h, 65h
		jnb	near ptr 0CDF9h
		outsd
		push	esp
		jb	short near ptr loc_41CE0E+4
		insd
		add	[edx], cl
		inc	esp
		db	65h
		jnb	short loc_41CE19
		jb	short near ptr loc_41CE15+2
		db	64h
		inc	esi
		jb	short near ptr loc_41CE19+2
		db	65h
		inc	edi
		outsd
		popa
		insb
		add	[edx], cl
		inc	ecx
		jbe	short loc_41CE21
		imul	ebp, [ecx+62h],	6150656Ch
		db	67h, 65h
		jnb	near ptr 0CDCCh
		or	cl, [ebp+6Fh]
		imul	esp, fs:[esi+69h], 61506465h
		db	67h, 65h
		jnb	near ptr 0CDDBh
		or	cl, [ebp+6Fh]
		imul	esp, fs:[esi+69h], 61506465h
		imul	bp, gs:[si+65h], 6150h
		db	67h, 65h
		jnb	near ptr 0CDF2h
		or	al, [esi]

loc_41CDF4:				; DATA XREF: MiLogProcessWorkingSetsStop+1748F8o
		or	eax, large ds:102h
; 
		dw 0
		dd 4D000000h, 50008000h, 65636F72h
		db 2 dup(73h)
; 

loc_41CE0A:				; CODE XREF: .text:0041CD92j
		push	edi
		outsd

loc_41CE0C:				; CODE XREF: .text:loc_41CD95j
		jb	short loc_41CE79

loc_41CE0E:				; CODE XREF: .text:0041CDA7j
		imul	ebp, [esi+67h],	73746553h

loc_41CE15:				; CODE XREF: .text:0041CDB0j
		add	[ecx+76h], al
		popa

loc_41CE19:				; CODE XREF: .text:0041CDADj
					; .text:0041CDB4j
		imul	ebp, [ecx+62h],	6150656Ch

loc_41CE21:				; CODE XREF: .text:0041CDBEj
		db	67h, 65h
		jnb	near ptr 0CE25h
		or	cl, [ebp+6Fh]
		imul	esp, fs:[esi+69h], 61506465h
		db	67h, 65h
		jnb	near ptr 0CE34h
		or	cl, [ebp+6Fh]
		imul	esp, fs:[esi+69h], 61506465h
		imul	bp, gs:[si+65h], 6150h
		db	67h, 65h
		jnb	near ptr 0CE4Bh
		or	al, [esi]

loc_41CE4D:				; DATA XREF: MiTrimWorkingSet+FEE2Eo
		or	eax, large ds:100h
; 
		db 0
		align 8
		dd 80009Ah, 72547357h, 57006D69h, 696B726Fh, 6553676Eh
		dd 70795474h, 49040065h, 6567616Dh
; 
		inc	esi

loc_41CE79:				; CODE XREF: .text:loc_41CE0Cj
		imul	ebp, [ebp+4Eh],	656D61h
		add	cl, [ebx+65h]
		jns	short $+2
		or	[esi+75h], cl
		insd
		bound	esp, [ebp+72h]
		inc	ebp
		js	short loc_41CEF1
		insd
		imul	ebp, [esi+65h],	500A0064h
		popa
		db	67h, 65h
		jnb	near ptr 0CEF1h
		jb	short loc_41CF08
		insd
		insd
		db	65h
		add	fs:[edx], cl
		inc	ecx
		jbe	short near ptr loc_41CF08+1
		imul	ebp, [ecx+62h],	6150656Ch
		db	67h, 65h
		jnb	near ptr 0CEB4h
		or	cl, [ebp+6Fh]
		imul	esp, fs:[esi+69h], 61506465h
		db	67h, 65h
		jnb	near ptr 0CEC3h
		or	cl, [ebp+6Fh]
		imul	esp, fs:[esi+69h], 61506465h
		imul	bp, gs:[si+65h], 6150h
		db	67h, 65h
		jnb	near ptr 0CEDAh
		or	cl, [ebp+69h]
		outsb
		push	esp
		jb	short near ptr loc_41CF48+2
		insd
		inc	ecx
		add	gs:[bx+si], cl
		push	esp
		jb	short near ptr loc_41CF52+1
		insd
		inc	esi
		insb
		popa
		db	67h
		jnb	near ptr 0CEF1h

loc_41CEF1:				; CODE XREF: .text:0041CE8Ej
		or	[esi], al

loc_41CEF3:				; DATA XREF: MiAgeWorkingSet+D22FCo
		or	eax, large ds:100h
; 
		db 3 dup(0)
		dd 710000h, 73570080h, 6E696741h
; 

loc_41CF08:				; CODE XREF: .text:0041CE9Dj
					; .text:0041CEA6j
		add	[bx+6Fh], dl
		jb	short near ptr byte_41CF79
		imul	ebp, [esi+67h],	54746553h
		jns	short loc_41CF87
		add	gs:[ecx+ecx*2],	al
		insd
		popa
		db	67h, 65h
		inc	esi
		imul	ebp, [ebp+4Eh],	656D61h
		add	cl, [ebx+65h]
		jns	short $+2
		or	[esi+75h], cl
		insd
		bound	esp, [ebp+72h]
		inc	ebp
		js	short loc_41CF98
		insd
		imul	ebp, [esi+65h],	410A0064h
		db	67h, 65h, 64h
		inc	ebx
		outsd
		jnz	short loc_41CFB4
		jz	short $+2

loc_41CF48:				; CODE XREF: .text:0041CEDFj
		or	dl, [edx+65h]
		insd
		outsd
		jbe	short loc_41CFB4
		db	64h
		inc	ebx
		outsd

loc_41CF52:				; CODE XREF: .text:0041CEE8j
		jnz	short loc_41CFC2
		jz	short $+2
		or	al, [ebx+6Ch]
		db	65h
		popa
		jb	short loc_41CFC2
		db	64h
		inc	ebx
		outsd
		jnz	short near ptr loc_41CFCB+5
		jz	short $+2
		or	al, [ecx+67h]
		db	65h
		inc	esi
		insb
		popa
		db	67h
		jnb	near ptr 0CF6Eh
		or	[esi], al

loc_41CF70:				; DATA XREF: MiLogCommitRequestFailed(x,x,x)+385o
		or	eax, large ds:0
; 
		dw 0
		db 40h
byte_41CF79	db 2 dup(0), 4Ch	; CODE XREF: .text:0041CF0Cj
		dd 50008001h, 65636F72h
		db 2 dup(73h), 43h
; 

loc_41CF87:				; CODE XREF: .text:0041CF15j
		outsd
		insd
		insd
		imul	esi, [esi+eax*2+61h], 72756C69h
		add	gs:[ecx+70h], al
		jo	short near ptr loc_41CFE6+5

loc_41CF98:				; CODE XREF: .text:0041CF35j
		db	65h
		jnb	short near ptr loc_41D00D+1
		imul	ebp, [edi+6Eh],	64697547h
		add	[edi], cl
		inc	esi
		popa
		imul	ebp, [ebp+64h],	657A6953h
		push	eax
		popa
		db	67h, 65h
		jnb	near ptr 0CFB4h

loc_41CFB4:				; CODE XREF: .text:0041CF44j
					; .text:0041CF4Dj
		or	cl, [edi+ebp*2+63h]
		popa
		jz	short near ptr loc_41D021+3
		outsd
		outsb
		add	[eax], cl
		push	eax
		jb	short near ptr loc_41D02B+6

loc_41CFC2:				; CODE XREF: .text:loc_41CF52j
					; .text:0041CF5Bj
		arpl	[ebp+73h], sp
		jnb	short loc_41D017
		popa
		db	67h, 65h
		inc	esi

loc_41CFCB:				; CODE XREF: .text:0041CF60j
		imul	ebp, [ebp+4Ch],	74696D69h
		push	eax
		popa
		db	67h, 65h
		jnb	near ptr 0CFD9h
		or	dl, [eax+72h]
		outsd
		arpl	[ebp+73h], sp
		jnb	short loc_41D032
		popa
		db	67h, 65h
		inc	esi

loc_41CFE6:				; CODE XREF: .text:0041CF96j
		imul	ebp, [ebp+55h],	65676173h
		push	eax
		popa
		db	67h, 65h
		jnb	near ptr 0CFF4h
		or	dl, [eax+72h]
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_41D03D+3
		outsd
		insd
		insd
		imul	esi, [esp+ecx*2+69h], 5074696Dh
		popa
		db	67h, 65h
		jnb	near ptr 0D00Dh

loc_41D00D:				; CODE XREF: .text:loc_41CF98j
		or	dl, [eax+72h]
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_41D057+2
		outsd

loc_41D017:				; CODE XREF: .text:0041CFC5j
		insd
		insd
		imul	esi, [ebp+edx*2+73h], 61506465h

loc_41D021:				; CODE XREF: .text:0041CFB9j
		db	67h, 65h
		jnb	near ptr 0D025h
		or	cl, [edx+6Fh]
		bound	edx, [eax+72h]

loc_41D02B:				; CODE XREF: .text:0041CFC0j
		imul	esi, [esi+61h],	6F436574h

loc_41D032:				; CODE XREF: .text:0041CFE0j
		insd
		insd
		imul	esi, [esp+ecx*2+69h], 5074696Dh
		popa

loc_41D03D:				; CODE XREF: .text:0041CFFBj
		db	67h, 65h
		jnb	near ptr 0D041h
		or	cl, [edx+6Fh]
		bound	edx, [edi+ebp*2+74h]
		popa
		insb
		inc	ebx
		outsd
		insd
		insd
		imul	esi, [esp+ecx*2+69h], 5074696Dh
		popa

loc_41D057:				; CODE XREF: .text:0041D014j
		db	67h, 65h
		jnb	near ptr 0D05Bh
		or	cl, [edx+6Fh]
		bound	edx, [eax+72h]
		imul	esi, [esi+61h],	6F436574h
		insd
		insd
		imul	esi, [ebp+edx*2+73h], 61506465h
		db	67h, 65h
		jnb	near ptr 0D076h
		or	cl, [edx+6Fh]
		bound	edx, [ebx+68h]
		popa
		jb	short loc_41D0E4
		db	64h
		inc	ebx
		outsd
		insd
		insd
		imul	esi, [ebp+edx*2+73h], 61506465h
		db	67h, 65h
		jnb	near ptr 0D090h
		or	dl, [eax+61h]
		jb	short loc_41D109
		imul	esi, [ecx+ebp*2+6Fh], 6D6F436Eh
		insd
		imul	esi, [esp+ecx*2+69h], 5074696Dh
		popa
		db	67h, 65h
		jnb	near ptr 0D0ABh
		or	dl, [eax+61h]
		jb	short near ptr loc_41D120+4
		imul	esi, [ecx+ebp*2+6Fh], 6D6F436Eh
		insd
		imul	esi, [ebp+edx*2+73h], 50656761h
		popa
		db	67h, 65h
		jnb	near ptr 0D0C6h
		or	al, [esi]

loc_41D0C8:				; DATA XREF: MiLogPinDriverAddressesWorker+A0117o
		or	eax, large ds:0
; 
		dw 0
		dd 6A000040h, 53008000h, 65747379h, 616D496Dh, 69506567h
; 

loc_41D0E4:				; CODE XREF: .text:0041D07Dj
		outsb
		inc	ecx
		db	64h, 64h
		jb	short loc_41D14F
		jnb	short near ptr loc_41D159+6
		inc	esp
		jb	short near ptr loc_41D159+5
		jo	short near ptr loc_41D160+1
		db	65h, 64h
		inc	ecx
		db	67h, 67h
		jb	short near ptr loc_41D159+4
		db	67h
		popa
		jz	short near ptr loc_41D160+1
		add	[ebx+6Fh], al
		jnz	short near ptr loc_41D16E+1
		jz	short $+2
		mov	[eax+71808080h], eax

loc_41D109:				; CODE XREF: .text:0041D093j
		inc	ebx
		popa
		insb
		insb
		db	65h
		jb	short loc_41D159
		add	fs:[eax], cl
		inc	ecx
		bound	ebp, [edi+76h]
		db	65h
		inc	esp
		imul	esi, [ebx+70h],	68637461h

loc_41D120:				; CODE XREF: .text:0041D0AEj
		add	ds:6E45644Bh, cl
		popa
		bound	ebp, [ebp+64h]
		add	ds:74726150h, cl
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41D19B+4
		jbe	short near ptr loc_41D18A+2
		popa
		db	67h
		jnb	near ptr 0D13Ch
		or	al, [esi]

loc_41D13E:				; DATA XREF: MiLogPinDriverAddress+A0294o
		or	eax, large ds:0
; 
		dd 400000h, 8000CE00h
; 
		add	[ebx+79h], dl

loc_41D14F:				; CODE XREF: .text:0041D0E6j
		jnb	short loc_41D1C5
		db	65h
		insd
		dec	ecx
		insd
		popa
		db	67h, 65h
		push	eax

loc_41D159:				; CODE XREF: .text:0041D10Dj
					; .text:0041D0F4j ...
		imul	ebp, [esi+41h],	65726464h

loc_41D160:				; CODE XREF: .text:0041D0EFj
					; .text:0041D0FAj
		jnb	short near ptr loc_41D1D3+2
		inc	ecx
		db	67h, 67h
		jb	short loc_41D1CC
		db	67h
		popa
		jz	short loc_41D1D0
		add	[ebx+6Fh], al

loc_41D16E:				; CODE XREF: .text:0041D0FFj
		jnz	short near ptr loc_41D1DC+2
		jz	short $+2
		mov	[eax+71808080h], eax
		inc	ebx
		popa
		insb
		insb
		db	65h
		jb	short loc_41D1C8
		add	fs:[eax], cl
		push	eax
		jz	short loc_41D1EA
		dec	ecx
		outsb
		jbe	short loc_41D1EA
		insb

loc_41D18A:				; CODE XREF: .text:0041D136j
		imul	esp, [eax+eax+0Dh], 57657450h
		jb	short near ptr loc_41D1F9+4
		jz	short near ptr loc_41D1F9+2
		popa
		bound	ebp, [ebp+0]

loc_41D19B:				; CODE XREF: .text:0041D134j
		or	eax, 45657450h
		js	short near ptr loc_41D206+1
		arpl	[ebp+74h], si
		popa
		bound	ebp, [ebp+0]
		or	eax, 65726C41h
		popa
		db	64h
		jns	short near ptr loc_41D1F9+6
		outsd
		arpl	[ebx+65h], bp
		add	fs:6C717249h, cl
		push	ebx
		jz	short loc_41D222
		jz	short loc_41D228
		add	[eax], cl

loc_41D1C5:				; CODE XREF: .text:loc_41D14Fj
		dec	ebx
		db	64h
		push	ebx

loc_41D1C8:				; CODE XREF: .text:0041D17Cj
		jz	short near ptr loc_41D22A+1
		jz	short near ptr loc_41D230+1

loc_41D1CC:				; CODE XREF: .text:0041D163j
		add	[eax], cl
		inc	edx
		outsd

loc_41D1D0:				; CODE XREF: .text:0041D169j
		outsd
		jz	short near ptr loc_41D222+1

loc_41D1D3:				; CODE XREF: .text:loc_41D160j
		push	offset loc_657361
		or	[ecx+6Dh], cl
		popa

loc_41D1DC:				; CODE XREF: .text:loc_41D16Ej
		db	67h, 65h
		dec	esi
		popa
		insd
		add	gs:[esi], dl
		dec	ecx
		insd
		popa
		db	67h, 65h
		inc	ebx

loc_41D1EA:				; CODE XREF: .text:0041D183j
					; .text:0041D187j
		push	536B6365h
		jnz	short near ptr loc_41D25D+1
		add	[ecx+ecx*2], dl
		insd
		popa
		db	67h, 65h
		push	esp

loc_41D1F9:				; CODE XREF: .text:0041D194j
					; .text:0041D192j ...
		imul	ebp, [ebp+65h],	65746144h
		push	ebx
		jz	short near ptr loc_41D261+3
		insd
		jo	short $+2

loc_41D206:				; CODE XREF: .text:0041D1A0j
		adc	al, 50h
		popa
		jb	short near ptr loc_41D27D+2
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41D278+1
		jbe	short near ptr loc_41D261+5
		popa
		db	67h
		jnb	near ptr 0D216h
		or	al, [esi]

loc_41D218:				; DATA XREF: MmStoreLogCorruptionFixed(x,x,x)+158o
		or	eax, large ds:200h
; 
		dw 0
		db 40h,	0
; 

loc_41D222:				; CODE XREF: .text:0041D1BFj
					; .text:0041D1D1j
		add	[eax+0], bh
		add	byte ptr [eax],	53h

loc_41D228:				; CODE XREF: .text:0041D1C1j
		jz	short near ptr loc_41D297+2

loc_41D22A:				; CODE XREF: .text:loc_41D1C8j
		jb	short loc_41D291
		inc	ebx
		outsd
		jb	short near ptr word_41D2A2

loc_41D230:				; CODE XREF: .text:0041D1CAj
		jnz	short near ptr word_41D2A2
		jz	short near ptr loc_41D29C+1
		outsd
		outsb
		inc	esi
		imul	edi, [eax+65h],	6F530064h
		jnz	short loc_41D2B2
		arpl	[ebp+50h], sp
		outsd
		imul	ebp, [esi+74h],	14007265h
		inc	ebx
		outsd
		insd
		jo	short near ptr loc_41D2BE+4
		db	65h
		jnb	short near ptr word_41D2C6
		db	65h, 64h
		push	ebx
		imul	edi, [edx+65h],	6F541400h

loc_41D25D:				; CODE XREF: .text:0041D1EFj
		jz	short near ptr loc_41D2BE+2
		insb
		inc	esi

loc_41D261:				; CODE XREF: .text:0041D201j
					; .text:0041D210j
		imul	edi, [eax+65h],	53080064h
		outsd
		jnz	short near ptr loc_41D2D8+5
		arpl	[ebp+50h], sp
		popa
		db	67h, 65h
		inc	esi
		jb	short loc_41D2D5
		insd
		xor	gs:[eax], eax

loc_41D278:				; CODE XREF: .text:0041D20Ej
		or	[ebx+6Fh], dl
		jnz	short near ptr loc_41D2ED+2

loc_41D27D:				; CODE XREF: .text:0041D209j
		arpl	[ebp+50h], sp
		popa
		db	67h, 65h
		inc	esi
		jb	short near ptr loc_41D2E4+3
		insd
		xor	al, gs:[eax]
		or	[eax+61h], dl
		jb	short near ptr byte_41D303
		inc	ecx
		pop	edi

loc_41D291:				; CODE XREF: .text:loc_41D22Aj
		push	eax
		jb	short loc_41D2FD
		jbe	short near ptr loc_41D2E9+1
		popa

loc_41D297:				; CODE XREF: .text:loc_41D228j
		db	67h
		jnb	near ptr 0D29Ah
		or	al, [esi]

loc_41D29C:				; CODE XREF: .text:0041D232j
					; DATA XREF: MiStoreLogFullPagefile()+34o
		or	eax, large ds:200h
; 
word_41D2A2	dw 0			; CODE XREF: .text:0041D22Ej
					; .text:loc_41D230j
		dd 16000000h, 53008000h, 65726F74h
; 
		push	eax
		popa

loc_41D2B2:				; CODE XREF: .text:0041D23Ej
		db	67h, 65h
		inc	esi
		imul	ebp, [ebp+46h],	6C6C75h
		push	es

loc_41D2BE:				; CODE XREF: .text:loc_41D25Dj
					; .text:0041D24Ej
					; DATA XREF: ...
		or	eax, large ds:200h
; 
		db 2 dup(0)
word_41D2C6	dw 0			; CODE XREF: .text:0041D250j
		dd 80003300h, 6F745300h, 72576572h
		db 69h
; 

loc_41D2D5:				; CODE XREF: .text:0041D272j
		jz	short loc_41D33C
		inc	esp

loc_41D2D8:				; CODE XREF: .text:0041D269j
		imul	esi, [ebx+61h],	64656C62h
		add	[ecx+ebp*2+73h], al
		popa

loc_41D2E4:				; CODE XREF: .text:0041D284j
		bound	ebp, [ebp+43h]
		outsd

loc_41D2E9:				; CODE XREF: .text:0041D294j
		jnz	short loc_41D359
		jz	short $+2

loc_41D2ED:				; CODE XREF: .text:0041D27Bj
		or	[eax+61h], dl
		db	67h, 65h
		jnb	near ptr 0D34Bh
		jb	short loc_41D35F
		jz	short loc_41D36C
		outs	dx, byte ptr gs:[esi]
		add	[eax], cl
		push	es

loc_41D2FD:				; CODE XREF: .text:0041D292j
					; DATA XREF: MiStoreWriteModifiedPages+133C04o
		or	eax, large ds:200h
; 
byte_41D303	db 0			; CODE XREF: .text:0041D28Dj
		dd 4000h, 800038h
aPagenotstoreca	db 'PageNotStoreCandidate',0
aStatus_6	db 'Status',0
		db 88h,	0Eh, 53h
		dd 65726F74h, 65676150h, 656C6946h, 7366664Fh
; 

loc_41D33C:				; CODE XREF: .text:loc_41D2D5j
		db	65h
		jz	short $+3
		adc	al, 6

loc_41D341:				; DATA XREF: MiStoreLogWriteIssueFailure(x,x,x,x,x,x)+115o
		or	eax, large ds:200h
; 
		db 0
		dd 0
		dd 800083h, 726F7453h, 69725765h
		db 74h
; 

loc_41D359:				; CODE XREF: .text:loc_41D2E9j
		db	65h
		dec	ecx
		jnb	short loc_41D3D0
		jnz	short near ptr loc_41D3C3+1

loc_41D35F:				; CODE XREF: .text:0041D2F4j
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 74530065h
		popa
		jz	short loc_41D3E1

loc_41D36C:				; CODE XREF: .text:0041D2F6j
		jnb	short $+2
		mov	[esi], cl
		inc	ebx
		outsd
		outsb
		jz	short near ptr word_41D3D6
		imul	ebp, [esi+65h],	79654B72h
		add	ds:4B627553h, dl
		db	65h
		jns	short loc_41D3C6
		db	64h, 64h
		jb	short loc_41D3EE
		jnb	short near ptr loc_41D3F9+5
		add	[ebx+edx*2], dl
		jz	short near ptr loc_41D3F9+6
		jb	short loc_41D3F7
		push	eax
		popa
		db	67h, 65h
		inc	esi
		imul	ebp, [ebp+4Fh],	65736666h
		jz	short $+2
		adc	al, 52h
		db	65h
		jz	short loc_41D418
		jns	short near ptr loc_41D3EA+1
		outsd
		jnz	short near ptr loc_41D418+1
		jz	short $+2
		or	[edi+61h], dl
		imul	esi, [ecx+eax*2+6Ch], 65776F6Ch
		add	fs:[eax], cl
		push	esp
		outsd
		jz	short near ptr loc_41D41B+5
		insb
		push	edi
		jb	short loc_41D42C

loc_41D3C3:				; CODE XREF: .text:0041D35Dj
		jz	short loc_41D42A
		inc	esi

loc_41D3C6:				; CODE XREF: .text:0041D382j
		popa
		imul	ebp, [ebp+esi*2+72h], 8007365h
		push	es

loc_41D3D0:				; CODE XREF: .text:0041D35Bj
					; DATA XREF: MiStoreLogWriteIssueRetry(x,x,x,x,x)+CEo
		or	eax, large ds:200h
; 
word_41D3D6	dw 0			; CODE XREF: .text:0041D373j
		dd 78000000h, 53008000h
		db 74h
; 

loc_41D3E1:				; CODE XREF: .text:0041D36Aj
		outsd
		jb	short loc_41D449
		push	edi
		jb	short near ptr loc_41D44B+5
		jz	short near ptr loc_41D44B+3
		dec	ecx

loc_41D3EA:				; CODE XREF: .text:0041D3A6j
		jnb	short loc_41D45F
		jnz	short loc_41D453

loc_41D3EE:				; CODE XREF: .text:0041D385j
		push	edx
		db	65h
		jz	short near ptr loc_41D460+4
		jns	short $+2
		inc	ebx
		outsd
		outsb

loc_41D3F7:				; CODE XREF: .text:0041D390j
		jz	short near ptr word_41D45A

loc_41D3F9:				; CODE XREF: .text:0041D389j
					; .text:0041D38Ej
		imul	ebp, [esi+65h],	79654B72h
		add	ds:4B627553h, dl
		db	65h
		jns	short loc_41D44A
		db	64h, 64h
		jb	short loc_41D472
		jnb	short loc_41D482
		add	[ebx+edx*2], dl
		jz	short near ptr loc_41D482+1
		jb	short near ptr loc_41D477+4
		push	eax
		popa

loc_41D418:				; CODE XREF: .text:0041D3A3j
					; .text:0041D3A9j
		db	67h, 65h
		inc	esi

loc_41D41B:				; CODE XREF: .text:0041D3BDj
		imul	ebp, [ebp+4Fh],	65736666h
		jz	short $+2
		adc	al, 52h
		db	65h
		jz	short loc_41D49C

loc_41D42A:				; CODE XREF: .text:loc_41D3C3j
		jns	short loc_41D46F

loc_41D42C:				; CODE XREF: .text:0041D3C1j
		outsd
		jnz	short near ptr loc_41D49C+1
		jz	short $+2
		or	[edi+61h], dl
		imul	esi, [ecx+eax*2+6Ch], 65776F6Ch
		add	fs:[eax], cl
		push	esp
		outsd
		jz	short loc_41D4A4
		insb
		push	edi
		jb	short loc_41D4B0
		jz	short near ptr loc_41D4A9+5

loc_41D449:				; CODE XREF: .text:0041D3E2j
		inc	esi

loc_41D44A:				; CODE XREF: .text:0041D406j
		popa

loc_41D44B:				; CODE XREF: .text:0041D3E7j
					; .text:0041D3E5j
		imul	ebp, [ebp+esi*2+72h], 8007365h

loc_41D453:				; CODE XREF: .text:0041D3ECj
		push	es

loc_41D454:				; DATA XREF: ExHandleLogBadReference+95109o
		or	eax, large ds:200h
; 
word_41D45A	dw 0			; CODE XREF: .text:loc_41D3F7j
		db 3 dup(0)
; 

loc_41D45F:				; CODE XREF: .text:loc_41D3EAj
		daa

loc_41D460:				; CODE XREF: .text:0041D3EFj
		add	[eax+6F745300h], al
		jb	short near ptr loc_41D4CC+1
		push	edi
		jb	short near ptr loc_41D4D3+1
		jz	short loc_41D4D2
		inc	ebx
		outsd

loc_41D46F:				; CODE XREF: .text:loc_41D42Aj
		insd
		jo	short near ptr word_41D4DE

loc_41D472:				; CODE XREF: .text:0041D409j
		db	65h
		jz	short near ptr loc_41D4D8+2
		inc	esi
		popa

loc_41D477:				; CODE XREF: .text:0041D414j
		imul	ebp, [ebp+esi*2+72h], 74530065h
		popa
		jz	short loc_41D4F7

loc_41D482:				; CODE XREF: .text:0041D40Dj
					; .text:0041D412j
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41D487:				; DATA XREF: MiLogWsEmptyControl+FEDA2o
		or	eax, large ds:1000h
; 
		db 3 dup(0)
		dd offset loc_450000
		dd 73570080h, 74706D45h
; 

loc_41D49C:				; CODE XREF: .text:0041D427j
					; .text:0041D42Dj
		jns	short near ptr byte_41D4E1
		outsd
		outsb
		jz	short near ptr loc_41D511+3
		outsd
		insb

loc_41D4A4:				; CODE XREF: .text:0041D441j
		add	[edi+6Fh], dl
		jb	short near ptr loc_41D511+3

loc_41D4A9:				; CODE XREF: .text:0041D447j
		imul	ebp, [esi+67h],	54746553h

loc_41D4B0:				; CODE XREF: .text:0041D445j
		jns	short near ptr loc_41D521+1
		add	gs:[ecx+ecx*2],	al
		insd
		popa
		db	67h, 65h
		inc	esi
		imul	ebp, [ebp+4Eh],	656D61h
		add	cl, [ebx+65h]
		jns	short $+2
		or	[ebx+6Fh], al
		outsb

loc_41D4CC:				; CODE XREF: .text:0041D466j
		jz	short near ptr loc_41D53F+1
		outsd
		insb
		inc	esi
		insb

loc_41D4D2:				; CODE XREF: .text:0041D46Bj
		popa

loc_41D4D3:				; CODE XREF: .text:0041D469j
		db	67h
		jnb	near ptr 0D4D6h
		or	[esi], al

loc_41D4D8:				; CODE XREF: .text:loc_41D472j
					; DATA XREF: MiLogNotifyPageHeat(x)+1DFo
		or	eax, large ds:4000h
; 
word_41D4DE	dw 0			; CODE XREF: .text:0041D470j
		db 0
byte_41D4E1	db 2 dup(0), 7Bh	; CODE XREF: .text:loc_41D49Cj
		dd 4D008000h, 726F6D65h, 6C6F4379h, 6E694864h
; 
		jz	short $+2
		push	edx

loc_41D4F7:				; CODE XREF: .text:0041D480j
		popa
		outsb
		db	67h, 65h
		inc	ebx
		outsd
		jnz	short loc_41D56D
		jz	short $+2
		or	[edi+ebp*2+74h], dl
		popa
		insb
		dec	esi
		jnz	short near ptr loc_41D576+1
		bound	esp, [ebp+72h]
		dec	edi
		push	ax
		popa

loc_41D511:				; CODE XREF: .text:0041D4A0j
					; .text:0041D4A7j
		db	67h, 65h
		jnb	near ptr 0D515h
		adc	eax, 73726946h
		jz	short near ptr loc_41D56D+1
		popa
		outsb
		db	67h, 65h
		push	eax

loc_41D521:				; CODE XREF: .text:loc_41D4B0j
		db	66h
		outsb
		add	ds:73726946h, dl
		jz	short near ptr loc_41D578+5
		popa
		outsb
		db	67h, 65h
		dec	esi
		jnz	short near ptr loc_41D59B+4
		bound	esp, [ebp+72h]
		dec	edi
		push	ax
		popa
		db	67h, 65h
		jnb	near ptr 0D53Dh
		adc	al, 46h

loc_41D53F:				; CODE XREF: .text:loc_41D4CCj
		imul	esi, [edx+73h],	6E615274h
		db	67h, 65h
		push	eax
		popa
		db	67h, 65h
		push	ebx
		imul	edi, [edx+65h],	61520800h
		outsb
		db	67h, 65h
		inc	ecx
		jb	short loc_41D5CC
		popa
		jns	short $+2
		push	ebp
		push	es

loc_41D55F:				; DATA XREF: MiLogNotifyPageHeat(x)+30Ao
		or	eax, large ds:4000h
; 
		db 3 dup(0)
		dd 7A0000h
		db 80h
; 

loc_41D56D:				; CODE XREF: .text:0041D4FDj
					; .text:0041D51Aj
		add	[ebp+65h], cl
		insd
		outsd
		jb	short loc_41D5ED
		dec	eax
		outsd

loc_41D576:				; CODE XREF: .text:0041D508j
		jz	short near ptr loc_41D5BF+1

loc_41D578:				; CODE XREF: .text:0041D529j
		imul	ebp, [esi+74h],	6E615200h
		db	67h, 65h
		inc	ebx
		outsd
		jnz	short near ptr loc_41D5F1+2
		jz	short $+2
		or	[edi+ebp*2+74h], dl
		popa
		insb
		dec	esi
		jnz	short loc_41D5FD
		bound	esp, [ebp+72h]
		dec	edi
		push	ax
		popa
		db	67h, 65h
		jnb	near ptr 0D59Bh

loc_41D59B:				; CODE XREF: .text:0041D530j
		adc	eax, 73726946h
		jz	short near ptr loc_41D5F1+3
		popa
		outsb
		db	67h, 65h
		push	eax
		db	66h
		outsb
		add	ds:73726946h, dl
		jz	short near ptr loc_41D602+1
		popa
		outsb
		db	67h, 65h
		dec	esi
		jnz	short near ptr loc_41D621+4
		bound	esp, [ebp+72h]
		dec	edi
		push	ax
		popa

loc_41D5BF:				; CODE XREF: .text:loc_41D576j
		db	67h, 65h
		jnb	near ptr 0D5C3h
		adc	al, 46h
		imul	esi, [edx+73h],	6E615274h

loc_41D5CC:				; CODE XREF: .text:0041D558j
		db	67h, 65h
		push	eax
		popa
		db	67h, 65h
		push	ebx
		imul	edi, [edx+65h],	61520800h
		outsb
		db	67h, 65h
		inc	ecx
		jb	short loc_41D652
		popa
		jns	short $+2
		push	ebp
		push	es

loc_41D5E5:				; DATA XREF: PopCheckShutdownMarker+27294o
		or	eax, large ds:0
; 
		db 0
		db 0
; 

loc_41D5ED:				; CODE XREF: .text:0041D572j
		and	[eax], al
		add	ch, ah

loc_41D5F1:				; CODE XREF: .text:0041D583j
					; .text:0041D5A0j
		add	[eax+79685000h], al
		jnb	short loc_41D662
		arpl	[ecx+6Ch], sp
		push	eax

loc_41D5FD:				; CODE XREF: .text:0041D58Ej
		outsd
		ja	short loc_41D665
		jb	short loc_41D644

loc_41D602:				; CODE XREF: .text:0041D5AFj
		jnz	short near ptr loc_41D677+1
		jz	short near ptr loc_41D674+1
		outsb
		push	eax
		jb	short near ptr loc_41D66E+1
		jnb	short near ptr loc_41D67E+1
		dec	ecx
		outsb
		outsw
		inc	ecx
		jz	short near ptr loc_41D654+1
		outsd
		outsd
		jz	short $+2
		dec	esp
		popa
		jnb	short loc_41D68F
		push	eax
		jb	short loc_41D683
		jnb	short near ptr loc_41D692+1
		push	esp

loc_41D621:				; CODE XREF: .text:0041D5B6j
		imul	ebp, [ebp+65h],	614C1100h
		jnb	short near ptr loc_41D69D+1
		push	eax
		jb	short loc_41D692
		jnb	short loc_41D6A2
		inc	edx
		outsd
		outsd
		jz	short near ptr loc_41D67C+1
		add	fs:[eax], cl
		inc	ebx
		jnz	short loc_41D6A7
		jnz	short near ptr loc_41D6A7+1
		popa
		jz	short near ptr loc_41D6A7+1
		jbe	short near ptr loc_41D6A2+4
		push	eax
		jb	short loc_41D6A9

loc_41D644:				; CODE XREF: .text:0041D600j
		jnb	short near ptr loc_41D6B6+3
		inc	ebx
		outsd
		jnz	short near ptr loc_41D6B6+2
		jz	short $+2
		or	[ecx+73h], cl
		jz	short near ptr loc_41D6A2+2

loc_41D652:				; CODE XREF: .text:0041D5DEj
		db	65h
		insb

loc_41D654:				; CODE XREF: .text:0041D611j
		db	65h
		popa
		jnb	short loc_41D6BD
		push	esp
		imul	ebp, [ebp+65h],	614C1100h
		jnb	short loc_41D6D6

loc_41D662:				; CODE XREF: .text:0041D5F7j
		push	edx
		db	65h
		insb

loc_41D665:				; CODE XREF: .text:0041D5FEj
		db	65h
		popa
		jnb	short loc_41D6CE
		inc	edx
		outsd
		outsd
		jz	short near ptr loc_41D6B6+1

loc_41D66E:				; CODE XREF: .text:0041D608j
		add	fs:[eax], cl
		inc	ebx
		jnz	short near ptr loc_41D6E0+1

loc_41D674:				; CODE XREF: .text:0041D604j
		jnz	short near ptr loc_41D6E0+2
		popa

loc_41D677:				; CODE XREF: .text:loc_41D602j
		jz	short near ptr loc_41D6E0+2
		jbe	short loc_41D6E0
		push	edx

loc_41D67C:				; CODE XREF: .text:0041D632j
		db	65h
		insb

loc_41D67E:				; CODE XREF: .text:0041D60Aj
		db	65h
		popa
		jnb	short near ptr loc_41D6E6+1
		inc	ebx

loc_41D683:				; CODE XREF: .text:0041D61Cj
		outsd
		jnz	short near ptr loc_41D6F2+2
		jz	short $+2
		or	[ebp+72h], al
		jb	short near ptr loc_41D6FB+1
		jb	short near ptr loc_41D6D1+1

loc_41D68F:				; CODE XREF: .text:0041D619j
		outsd
		jnz	short loc_41D700

loc_41D692:				; CODE XREF: .text:0041D62Bj
					; .text:0041D61Ej
		jz	short $+2
		or	[ecx+73h], cl
		jz	short loc_41D6EA
		outsd
		ja	short near ptr loc_41D701+1

loc_41D69D:				; CODE XREF: .text:0041D628j
		jb	short near ptr loc_41D6F2+4
		popa
		jz	short near ptr loc_41D703+2

loc_41D6A2:				; CODE XREF: .text:0041D62Dj
					; .text:0041D650j ...
		push	53676F64h

loc_41D6A7:				; CODE XREF: .text:0041D638j
					; .text:0041D63Aj ...
		jz	short near ptr loc_41D706+4

loc_41D6A9:				; CODE XREF: .text:0041D642j
		add	gs:[bx+si], cl
		push	eax
		outsd
		ja	short near ptr loc_41D715+1
		jb	short near ptr loc_41D706+4
		popa
		jz	short loc_41D719

loc_41D6B6:				; CODE XREF: .text:0041D66Cj
					; .text:0041D648j ...
		push	41676F64h
		jb	short loc_41D72A

loc_41D6BD:				; CODE XREF: .text:0041D656j
		db	65h
		add	fs:[ebx+edx*2],	al
		push	6F647475h
		ja	short near ptr loc_41D734+3
		dec	ecx
		outsb
		push	eax
		jb	short loc_41D73D

loc_41D6CE:				; CODE XREF: .text:0041D667j
		db	67h
		jb	near ptr 0D736h

loc_41D6D1:				; CODE XREF: .text:0041D68Dj
		jnb	short near ptr loc_41D745+1
		add	[esi+eax], al

loc_41D6D6:				; CODE XREF: .text:0041D660j
					; DATA XREF: PpmPerfTelemetryWorker(x)+16Ao
		or	eax, large ds:0
; 
		dd 400000h
; 

loc_41D6E0:				; CODE XREF: .text:0041D679j
					; .text:0041D672j ...
		add	[edx+0], dh
		add	byte ptr [eax],	50h

loc_41D6E6:				; CODE XREF: .text:0041D680j
		jo	short near ptr loc_41D754+1
		push	ecx
		outsd

loc_41D6EA:				; CODE XREF: .text:0041D698j
		jnb	short near ptr loc_41D730+1
		outsb
		popa
		bound	ebp, [ebp+44h]

loc_41D6F2:				; CODE XREF: .text:0041D684j
					; .text:loc_41D69Dj
		imul	esi, [ebx+61h],	53656C62h
		jz	short loc_41D75C

loc_41D6FB:				; CODE XREF: .text:0041D68Bj
		jz	short loc_41D770
		add	[ebp+6Ch], ah

loc_41D700:				; CODE XREF: .text:0041D690j
		popa

loc_41D701:				; CODE XREF: .text:0041D69Bj
		jo	short loc_41D776

loc_41D703:				; CODE XREF: .text:0041D6A0j
		db	65h, 64h
		push	esp

loc_41D706:				; CODE XREF: .text:loc_41D6A7j
					; .text:0041D6B1j
		imul	ebp, [ebp+65h],	6F636553h
		outsb
		db	64h
		jnb	short $+3
		or	[ebp+6Eh], ah
		popa

loc_41D715:				; CODE XREF: .text:0041D6AFj
		bound	ebp, [ebp+64h]

loc_41D719:				; CODE XREF: .text:0041D6B4j
		push	esp
		imul	ebp, [ebp+65h],	6F636553h
		outsb
		db	64h
		jnb	short $+3
		or	[ecx+ebp*2+73h], ah
		popa

loc_41D72A:				; CODE XREF: .text:0041D6BBj
		bound	ebp, [ebp+52h]
		db	65h
		popa

loc_41D730:				; CODE XREF: .text:loc_41D6EAj
		jnb	short loc_41D7A1
		outsb
		push	esp

loc_41D734:				; CODE XREF: .text:0041D6C7j
		imul	ebp, [ebp+65h],	63655373h
		outsd
		outsb

loc_41D73D:				; CODE XREF: .text:0041D6CCj
		db	64h
		jnb	short $+3
		sub	[ecx], cl
		add	[eax+61h], dl

loc_41D745:				; CODE XREF: .text:loc_41D6D1j
		jb	short loc_41D7BB
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41D7B3+2
		jbe	short near ptr loc_41D7A1+1
		popa
		db	67h
		jnb	near ptr 0D752h
		or	al, [esi]

loc_41D754:				; CODE XREF: .text:loc_41D6E6j
					; DATA XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+63Co
		or	eax, large ds:0
; 
		dw 0
; 

loc_41D75C:				; CODE XREF: .text:0041D6F9j
		inc	eax
; 
		dd offset loc_52FFFF+1
		db 80h,	0, 49h
		dd 6C61766Eh, 61576469h, 64686374h
; 

loc_41D770:				; CODE XREF: .text:loc_41D6FBj
		outsd
		db	67h
		inc	edx
		insb
		popa
		insd

loc_41D776:				; CODE XREF: .text:loc_41D701j
		db	65h, 64h
		inc	ebx
		push	43646C69h
		outsd
		jnz	short loc_41D7EF
		jz	short $+2
		inc	ebx
		push	44646C69h
		db	65h
		jbe	short loc_41D7F5
		arpl	[ebp+0], sp
		or	[ebx+68h], al
		imul	ebp, [esp+44h],	63697665h
		db	65h
		inc	ebx
		outsd
		jnz	short loc_41D80D
		jz	short $+2

loc_41D7A1:				; CODE XREF: .text:loc_41D730j
					; .text:0041D74Cj
		or	[eax+61h], dl
		jb	short loc_41D81A
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41D812+2
		jbe	short near ptr loc_41D800+1
		popa
		db	67h
		jnb	near ptr 0D7B1h
		or	al, [esi]

loc_41D7B3:				; CODE XREF: .text:0041D74Aj
					; DATA XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+707o
		or	eax, large ds:0
; 
		db 2 dup(0)
; 

loc_41D7BB:				; CODE XREF: .text:loc_41D745j
		inc	eax
; 
		dd offset loc_52FFFF+1
		db  80h	; 
		align 2
aInvalidwatchdo	db 'InvalidWatchdogBlamedChildCount',0
aChilddevice	db 'ChildDevice',0
		db 8
; 

loc_41D7EF:				; CODE XREF: .text:0041D77Fj
		inc	ebx
		push	44646C69h

loc_41D7F5:				; CODE XREF: .text:0041D789j
		db	65h
		jbe	short near ptr loc_41D860+1
		arpl	[ebp+43h], sp
		outsd
		jnz	short loc_41D86C
		jz	short $+2

loc_41D800:				; CODE XREF: .text:0041D7ABj
		or	[eax+61h], dl
		jb	short near ptr loc_41D876+3
		inc	ecx
		pop	edi
		push	eax
		jb	short loc_41D873
		jbe	short loc_41D860
		popa

loc_41D80D:				; CODE XREF: .text:0041D79Dj
		db	67h
		jnb	near ptr 0D810h
		or	al, [esi]

loc_41D812:				; CODE XREF: .text:0041D7A9j
					; DATA XREF: PopThermalHandlePreviousShutdown+84552o
		or	eax, large ds:0
; 
		db 2 dup(0)
; 

loc_41D81A:				; CODE XREF: .text:0041D7A4j
		inc	eax
; 
		dd offset loc_40FFFE+2
		db 80h
		db    0
aPreviousshutdo	db 'PreviousShutdownWasThermalShutdown',0
aThermalzone	db 'thermalZone',0
		dd 6D657401h, 61726570h, 65727574h
		db 0, 8, 6
byte_41D85F	db 0Bh			; DATA XREF: PopDiagTraceBsdWriteTime(x,x,x)+7Eo
; 

loc_41D860:				; CODE XREF: .text:0041D80Aj
					; .text:loc_41D7F5j
		add	eax, 0
; 
		db 2 dup(0), 20h
		dd offset loc_5BFFFF+1
; 

loc_41D86C:				; CODE XREF: .text:0041D7FCj
		add	byte ptr [eax],	45h
		insb
		popa
		jo	short loc_41D8E6

loc_41D873:				; CODE XREF: .text:0041D808j
		db	65h, 64h
		push	esp

loc_41D876:				; CODE XREF: .text:0041D803j
		imul	ebp, [ebp+65h],	57647342h
		jb	short loc_41D8E8
		jz	short loc_41D8E6
		add	[edx+74h], dl
		insb
		inc	edx
		jnb	short near ptr loc_41D8EB+1
		dec	ecx
		jz	short loc_41D8F0
		insd
		push	esp
		jns	short near ptr loc_41D8FD+2
		add	gs:[eax], cl
		inc	ebp
		insb
		popa
		jo	short near ptr loc_41D906+4
		db	65h, 64h
		push	esp
		imul	ebp, [ebp+65h],	73426E49h
		db	64h
		push	edi
		jb	short near ptr loc_41D90D+1
		jz	short near ptr loc_41D906+6
		dec	ecx
		outsb
		dec	ebp
		jnb	short $+2
		or	dl, [ebx+74h]
		popa
		jz	short near ptr loc_41D925+2
		jnb	short $+2
		mov	[esi], cl
		push	eax
		popa
		jb	short near ptr loc_41D92C+2
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41D925+3
		jbe	short near ptr loc_41D912+3
		popa
		db	67h
		jnb	near ptr 0D8C5h
		or	al, [esi]

loc_41D8C7:				; DATA XREF: PopDiagTraceCsResiliencyStats(x)+441o
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		dd 20F0000h, 65520080h,	696C6973h, 79636E65h, 73616850h
; 
		db	65h
		inc	ebp

loc_41D8E6:				; CODE XREF: .text:0041D871j
					; .text:0041D87Fj
		js	short near ptr loc_41D950+1

loc_41D8E8:				; CODE XREF: .text:0041D87Dj
		jz	short $+2
		inc	ebx

loc_41D8EB:				; CODE XREF: .text:0041D886j
		jnb	short near ptr loc_41D93F+1
		db	65h
		jnb	short loc_41D963

loc_41D8F0:				; CODE XREF: .text:0041D889j
		imul	ebp, [edi+6Eh],	0A006449h
		inc	esi
		insb
		popa
		db	67h
		jnb	near ptr 0D8FDh

loc_41D8FD:				; CODE XREF: .text:0041D88Dj
		or	[ebp+6Eh], al
		db	65h
		jb	short near ptr loc_41D97B+1
		inc	esp
		jb	short loc_41D967

loc_41D906:				; CODE XREF: .text:0041D895j
					; .text:0041D8A5j
		imul	ebp, [esi+0], 656E4508h

loc_41D90D:				; CODE XREF: .text:0041D8A3j
		jb	short near ptr loc_41D986+2
		inc	esp
		jb	short near ptr loc_41D970+3

loc_41D912:				; CODE XREF: .text:0041D8BFj
		imul	ebp, [esi+56h],	6C615632h
		jnz	short near ptr loc_41D97F+1
		add	[ecx], cl
		inc	ebp
		outsb
		db	65h
		jb	short loc_41D99B
		inc	esp
		jb	short loc_41D986

loc_41D925:				; CODE XREF: .text:0041D8B0j
					; .text:0041D8BDj
		imul	ebp, [esi+56h],	616C4632h

loc_41D92C:				; CODE XREF: .text:0041D8B8j
		db	67h
		jnb	near ptr 0D92Fh
		or	[ebp+73h], eax
		push	ebx
		jz	short near ptr loc_41D995+1
		jz	short loc_41D99C
		dec	edi
		outsb
		inc	ebp
		outsb
		jz	short near ptr loc_41D9AD+2
		jns	short $+2

loc_41D93F:				; CODE XREF: .text:loc_41D8EBj
		or	[ebp+73h], al
		push	edx
		db	65h
		popa
		jnb	short loc_41D9B6
		outsb
		dec	edi
		outsb
		inc	ebp
		outsb
		jz	short near ptr loc_41D9BF+1
		jns	short $+2

loc_41D950:				; CODE XREF: .text:loc_41D8E6j
		or	[ebp+73h], al
		push	ebp
		jo	short loc_41D9BA
		popa
		jz	short loc_41D9BE
		inc	ebx
		outsd
		jnz	short loc_41D9CB
		jz	short $+2
		or	[ebx+esi*2+52h], al

loc_41D963:				; CODE XREF: .text:0041D8EDj
		db	65h
		popa
		jnb	short near ptr loc_41D9D4+2

loc_41D967:				; CODE XREF: .text:0041D904j
		outsb
		add	[eax], cl
		push	esp
		outsd
		jz	short loc_41D9CF
		insb
		push	esp

loc_41D970:				; CODE XREF: .text:0041D910j
		imul	ebp, [ebp+65h],	73556E49h
		add	[edx], cl
		push	esp
		outsd

loc_41D97B:				; CODE XREF: .text:0041D900j
		jz	short loc_41D9DE
		insb
		push	ebx

loc_41D97F:				; CODE XREF: .text:0041D919j
		ja	short loc_41D9C5
		jb	short near ptr loc_41D9EA+2
		jo	short loc_41D9F8
		push	esp

loc_41D986:				; CODE XREF: .text:0041D923j
					; .text:loc_41D90Dj
		imul	ebp, [ebp+65h],	73556E49h
		add	[edx], cl
		push	esp
		outsd
		jz	short loc_41D9F4
		insb
		dec	eax

loc_41D995:				; CODE XREF: .text:0041D933j
		ja	short loc_41D9DB
		jb	short loc_41DA02
		jo	short near ptr loc_41DA0C+2

loc_41D99B:				; CODE XREF: .text:0041D91Fj
		push	esp

loc_41D99C:				; CODE XREF: .text:0041D935j
		imul	ebp, [ebp+65h],	73556E49h
		add	[edx], cl
		push	esp
		outsd
		jz	short loc_41DA0A
		insb
		inc	esp
		jnb	short loc_41DA01

loc_41D9AD:				; CODE XREF: .text:0041D93Bj
		imul	ebp, [ebp+65h],	73556E49h
		add	[edx], cl

loc_41D9B6:				; CODE XREF: .text:0041D945j
		dec	ebp
		popa
		js	short near ptr loc_41D9FA+1

loc_41D9BA:				; CODE XREF: .text:0041D954j
		arpl	[ecx+ebp*2+76h], si

loc_41D9BE:				; CODE XREF: .text:0041D957j
		popa

loc_41D9BF:				; CODE XREF: .text:0041D94Cj
		jz	short near ptr loc_41DA29+1
		outsd
		outsb
		inc	ebx
		outsd

loc_41D9C5:				; CODE XREF: .text:loc_41D97Fj
		outsb
		arpl	[ebp+72h], si
		jb	short near ptr loc_41DA2F+1

loc_41D9CB:				; CODE XREF: .text:0041D95Bj
		outsb
		arpl	[ecx+0], di

loc_41D9CF:				; CODE XREF: .text:0041D96Cj
		or	[ebp+69h], cl
		outsb
		inc	ecx

loc_41D9D4:				; CODE XREF: .text:0041D965j
		arpl	[ecx+ebp*2+76h], si
		popa
		jz	short near ptr loc_41DA43+1

loc_41D9DB:				; CODE XREF: .text:loc_41D995j
		outsd
		outsb
		dec	ecx

loc_41D9DE:				; CODE XREF: .text:loc_41D97Bj
		outsb
		jz	short loc_41DA46
		jb	short loc_41DA59
		popa
		insb
		dec	ecx
		outsb
		push	ebp
		jnb	short $+2

loc_41D9EA:				; CODE XREF: .text:0041D981j
		or	cl, [ebp+61h]
		js	short near ptr loc_41DA2F+1
		arpl	[ecx+ebp*2+76h], si
		popa

loc_41D9F4:				; CODE XREF: .text:0041D991j
		jz	short loc_41DA5F
		outsd
		outsb

loc_41D9F8:				; CODE XREF: .text:0041D983j
		dec	ecx
		outsb

loc_41D9FA:				; CODE XREF: .text:0041D9B8j
		jz	short loc_41DA61
		jb	short loc_41DA74
		popa
		insb
		dec	ecx

loc_41DA01:				; CODE XREF: .text:0041D9ABj
		outsb

loc_41DA02:				; CODE XREF: .text:0041D997j
		push	ebp
		jnb	short $+2
		or	dl, [edi+ebp*2+74h]
		popa

loc_41DA0A:				; CODE XREF: .text:0041D9A7j
		insb
		inc	ecx

loc_41DA0C:				; CODE XREF: .text:0041D999j
		arpl	[ecx+ebp*2+76h], si
		popa
		jz	short near ptr loc_41DA7B+1
		outsd
		outsb
		dec	ecx
		outsb
		jz	short near ptr loc_41DA7D+1
		jb	short near ptr loc_41DA90+1
		popa
		insb
		dec	ecx
		outsb
		push	ebp
		jnb	short $+2
		or	al, [ecx+63h]
		jz	short loc_41DA90
		jbe	short loc_41DA8A

loc_41DA29:				; CODE XREF: .text:loc_41D9BFj
		jz	short near ptr loc_41DA90+4
		outsd
		outsb
		dec	ecx
		outsb

loc_41DA2F:				; CODE XREF: .text:0041D9C9j
					; .text:0041D9EDj
		jz	short near ptr loc_41DA90+6
		jb	short near ptr loc_41DAA4+5
		popa
		insb
		inc	ebx
		outsd
		jnz	short near ptr loc_41DAA4+3
		jz	short $+2
		or	[ebp+69h], cl
		outsb
		inc	esp
		db	65h
		jbe	short near ptr loc_41DAAB+1

loc_41DA43:				; CODE XREF: .text:0041D9D9j
		arpl	[ebp+43h], sp

loc_41DA46:				; CODE XREF: .text:0041D9DFj
		outsd
		outsb
		jnb	short near ptr loc_41DABD+1
		jb	short loc_41DAAD
		imul	ebp, [esi+74h],	65746E49h
		jb	short loc_41DACB
		popa
		insb
		dec	ecx
		outsb

loc_41DA59:				; CODE XREF: .text:0041D9E1j
		push	ebp
		jnb	short $+2
		or	cl, [ebp+61h]

loc_41DA5F:				; CODE XREF: .text:loc_41D9F4j
		js	short near ptr loc_41DAA4+1

loc_41DA61:				; CODE XREF: .text:loc_41D9FAj
		db	65h
		jbe	short near ptr loc_41DACC+1
		arpl	[ebp+43h], sp
		outsd
		outsb
		jnb	short near ptr loc_41DADE+1
		jb	short near ptr loc_41DACC+2
		imul	ebp, [esi+74h],	65746E49h

loc_41DA74:				; CODE XREF: .text:0041D9FCj
		jb	short loc_41DAEC
		popa
		insb
		dec	ecx
		outsb
		push	ebp

loc_41DA7B:				; CODE XREF: .text:0041DA11j
		jnb	short $+2

loc_41DA7D:				; CODE XREF: .text:0041DA17j
		or	dl, [edi+ebp*2+74h]
		popa
		insb
		inc	esp
		db	65h
		jbe	short near ptr loc_41DAEC+4
		arpl	[ebp+43h], sp

loc_41DA8A:				; CODE XREF: .text:0041DA27j
		outsd
		outsb
		jnb	short loc_41DB02
		jb	short near ptr loc_41DAEC+5

loc_41DA90:				; CODE XREF: .text:0041DA25j
					; .text:0041DA19j ...
		imul	ebp, [esi+74h],	65746E49h
		jb	short near ptr loc_41DB0E+1
		popa
		insb
		dec	ecx
		outsb
		push	ebp
		jnb	short $+2
		or	al, [ebp+76h]

loc_41DAA4:				; CODE XREF: .text:loc_41DA5Fj
					; .text:0041DA37j ...
		imul	esp, [ebx+65h],	736E6F43h

loc_41DAAB:				; CODE XREF: .text:0041DA40j
		jz	short loc_41DB1F

loc_41DAAD:				; CODE XREF: .text:0041DA4Aj
		popa
		imul	ebp, [esi+74h],	65746E49h
		jb	short near ptr loc_41DB29+4
		popa
		insb
		inc	ebx
		outsd
		jnz	short near ptr loc_41DB29+2

loc_41DABD:				; CODE XREF: .text:0041DA48j
		jz	short $+2
		or	[ebp+65h], al
		jo	short loc_41DB18
		insb
		db	65h, 65h
		jo	short near ptr loc_41DB08+4
		insb

loc_41DACB:				; CODE XREF: .text:0041DA53j
		outsd

loc_41DACC:				; CODE XREF: .text:loc_41DA61j
					; .text:0041DA6Bj
		arpl	[ebx+65h], bp
		jb	short loc_41DB15
		jnz	short near ptr loc_41DB43+2
		popa
		jz	short near ptr loc_41DB3E+1
		outsd
		outsb
		jnb	short near ptr loc_41DB22+1
		outsb
		push	ebp
		jnb	short $+2

loc_41DADE:				; CODE XREF: .text:0041DA69j
		sub	cl, [edx]
		add	[esi], al

loc_41DAE2:				; DATA XREF: PopDiagTraceBatteryAlarmStatus(x,x,x)+302o
		or	eax, large ds:0
; 
		dd 400000h
; 

loc_41DAEC:				; CODE XREF: .text:loc_41DA74j
					; .text:0041DA84j ...
		add	[eax+42008000h], cl
		popa
		jz	short loc_41DB69
		db	65h
		jb	short near ptr loc_41DB6F+2
		push	ebx
		jz	short near ptr loc_41DB5B+1
		jz	short loc_41DB72
		jnb	short loc_41DB40
		jz	short near ptr loc_41DB41+1
		insb

loc_41DB02:				; CODE XREF: .text:0041DA8Cj
		popa
		jb	short loc_41DB72
		push	esp
		jb	short near ptr loc_41DB6F+2

loc_41DB08:				; CODE XREF: .text:0041DAC6j
		db	67h, 67h, 65h
		jb	short $+5
		popa

loc_41DB0E:				; CODE XREF: .text:0041DA97j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		add	[edx], al

loc_41DB15:				; CODE XREF: .text:0041DACFj
		bound	esp, [ecx+74h]

loc_41DB18:				; CODE XREF: .text:0041DAC3j
		jz	short near ptr byte_41DB7F
		jb	short loc_41DB95
		dec	esi
		jnz	short loc_41DB8C

loc_41DB1F:				; CODE XREF: .text:loc_41DAABj
		bound	esp, [ebp+72h]

loc_41DB22:				; CODE XREF: .text:0041DAD8j
		add	[eax], cl
		db	66h
		jnz	short loc_41DB93
		insb
		inc	ebx

loc_41DB29:				; CODE XREF: .text:0041DABBj
					; .text:0041DAB5j
		push	65677261h
		inc	ebx
		popa
		jo	short loc_41DB93
		arpl	[ecx+74h], bp
		jns	short $+2
		or	[ebx+75h], ah
		jb	short near ptr loc_41DBAD+1
		outs	dx, byte ptr gs:[esi]

loc_41DB3E:				; CODE XREF: .text:0041DAD4j
		jz	short loc_41DB83

loc_41DB40:				; CODE XREF: .text:0041DAFDj
		popa

loc_41DB41:				; CODE XREF: .text:0041DAFFj
		jo	short near ptr loc_41DBA2+2

loc_41DB43:				; CODE XREF: .text:0041DAD1j
		arpl	[ecx+74h], bp
		jns	short $+2
		or	[edx+61h], ah
		jz	short near ptr loc_41DBC0+1
		db	65h
		jb	short loc_41DBC9
		dec	ebp
		imul	ebp, [esp+ebp*2+69h], 63726550h
		outs	dx, byte ptr gs:[esi]

loc_41DB5B:				; CODE XREF: .text:0041DAF9j
		jz	short loc_41DBA0
		popa
		jo	short near ptr loc_41DBC0+1
		arpl	[ecx+74h], bp
		jns	short $+2
		or	[ebp+66h], ah

loc_41DB69:				; CODE XREF: .text:0041DAF3j
		popa
		jnz	short near ptr loc_41DBD7+1
		jz	short loc_41DBAF
		insb

loc_41DB6F:				; CODE XREF: .text:0041DAF5j
					; .text:0041DB06j
		db	65h
		jb	short loc_41DBE6

loc_41DB72:				; CODE XREF: .text:0041DAFBj
					; .text:0041DB03j
		xor	[eax], eax
		or	[esi], al

loc_41DB76:				; DATA XREF: PopDiagTraceBatteryAlarmStatus(x,x,x)+210o
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
byte_41DB7F	db 0			; CODE XREF: .text:loc_41DB18j
		db 0, 2Eh, 1
; 

loc_41DB83:				; CODE XREF: .text:loc_41DB3Ej
		add	byte ptr [eax],	42h
		popa
		jz	short loc_41DBFD
		db	65h
		jb	short loc_41DC05

loc_41DB8C:				; CODE XREF: .text:0041DB1Dj
		inc	ebx
		outsd
		insd
		insd
		outsd
		outsb
		push	ebx

loc_41DB93:				; CODE XREF: .text:0041DB24j
					; .text:0041DB30j
		jz	short near ptr loc_41DBF1+5

loc_41DB95:				; CODE XREF: .text:0041DB1Aj
		jz	short loc_41DC0C
		jnb	short near ptr loc_41DBD9+1
		jz	short near ptr loc_41DBDB+1
		insb
		popa
		jb	short loc_41DC0C
		push	esp

loc_41DBA0:				; CODE XREF: .text:loc_41DB5Bj
		jb	short near ptr loc_41DC09+2

loc_41DBA2:				; CODE XREF: .text:loc_41DB41j
		db	67h, 67h, 65h
		jb	short $+5
		popa
		arpl	[ecx+ebp*2+6Fh], si
		outsb

loc_41DBAD:				; CODE XREF: .text:0041DB3Aj
		add	[edx], al

loc_41DBAF:				; CODE XREF: .text:0041DB6Cj
		imul	esi, [ebx+41h],	6C6E4F63h
		imul	ebp, [esi+65h],	72038400h
		db	65h
		insd
		popa

loc_41DBC0:				; CODE XREF: .text:0041DB4Bj
					; .text:0041DB5Ej
		imul	ebp, [esi+69h],	694D676Eh
		insb
		insb

loc_41DBC9:				; CODE XREF: .text:0041DB4Dj
		imul	edx, [eax+65h],	6E656372h
		jz	short $+2
		or	[eax+6Fh], dh
		ja	short loc_41DC3C

loc_41DBD7:				; CODE XREF: .text:0041DB6Aj
		jb	short loc_41DC2C

loc_41DBD9:				; CODE XREF: .text:0041DB97j
		jz	short loc_41DC3C

loc_41DBDB:				; CODE XREF: .text:0041DB99j
		jz	short near ptr loc_41DC41+1
		add	[eax], cl
		imul	esi, [ebx+50h],	7265776Fh

loc_41DBE6:				; CODE XREF: .text:loc_41DB6Fj
		push	eax
		outsd
		insb
		imul	esp, [ebx+79h],	62616E45h
		insb

loc_41DBF1:				; CODE XREF: .text:loc_41DB93j
		db	65h
		add	fs:[ebx+eax+65776F70h],	al
		jb	short near ptr loc_41DC49+3
		outsd

loc_41DBFD:				; CODE XREF: .text:0041DB87j
		insb
		imul	esp, [ebx+79h],	74746142h

loc_41DC05:				; CODE XREF: .text:0041DB89j
		db	65h
		jb	short loc_41DC81
		dec	esp

loc_41DC09:				; CODE XREF: .text:loc_41DBA0j
		db	65h
		jbe	short near ptr loc_41DC6B+6

loc_41DC0C:				; CODE XREF: .text:loc_41DB95j
					; .text:0041DB9Dj
		insb
		add	[eax], cl
		jo	short near ptr loc_41DC7F+1
		ja	short loc_41DC78
		jb	short loc_41DC65
		outsd
		insb
		imul	esp, [ebx+79h],	536E694Dh
		jns	short loc_41DC93
		jz	short loc_41DC87
		insd
		push	ebx
		jz	short loc_41DC87
		jz	short loc_41DC8D
		add	[eax], cl
		jo	short near ptr loc_41DC95+6

loc_41DC2C:				; CODE XREF: .text:loc_41DBD7j
		ja	short loc_41DC93
		jb	short near ptr loc_41DC7F+1
		outsd
		insb
		imul	esp, [ebx+79h],	69746341h
		outsd
		outsb
		push	esp

loc_41DC3C:				; CODE XREF: .text:0041DBD5j
					; .text:loc_41DBD9j
		jns	short loc_41DCAE
		add	gs:[eax], cl

loc_41DC41:				; CODE XREF: .text:loc_41DBDBj
		jo	short near ptr loc_41DCB0+2
		ja	short loc_41DCAA
		jb	short near ptr loc_41DC95+2
		outsd
		insb

loc_41DC49:				; CODE XREF: .text:0041DBFAj
		imul	esp, [ebx+79h],	67616C46h
		jnb	short $+2
		adc	al, 70h
		outsd
		ja	short loc_41DCBC
		jb	short near ptr loc_41DCA8+1
		outsd
		insb
		imul	esp, [ebx+79h],	6E657645h
		jz	short loc_41DCA7
		outsd

loc_41DC65:				; CODE XREF: .text:0041DC13j
		db	64h
		add	gs:[eax], cl
		jz	short loc_41DCDD

loc_41DC6B:				; CODE XREF: .text:loc_41DC09j
		imul	esp, [edi+67h],	61427265h
		jz	short near ptr loc_41DCE6+2
		db	65h
		jb	short near ptr loc_41DCEF+1
		inc	esi

loc_41DC78:				; CODE XREF: .text:0041DC11j
		insb
		popa
		db	67h
		jnb	near ptr 0DC7Dh
		adc	al, 74h

loc_41DC7F:				; CODE XREF: .text:0041DC0Fj
					; .text:0041DC2Ej
		jb	short near ptr loc_41DCE9+1

loc_41DC81:				; CODE XREF: .text:loc_41DC05j
		db	67h, 67h, 65h
		jb	short near ptr loc_41DCC7+1
		popa

loc_41DC87:				; CODE XREF: .text:0041DC20j
					; .text:0041DC24j
		jz	short loc_41DCFD
		db	65h
		jb	short near ptr loc_41DCFF+6
		dec	esp

loc_41DC8D:				; CODE XREF: .text:0041DC26j
		db	65h
		jbe	short loc_41DCF5
		insb
		add	[eax], cl

loc_41DC93:				; CODE XREF: .text:0041DC1Ej
					; .text:loc_41DC2Cj
		jz	short near ptr loc_41DD06+1

loc_41DC95:				; CODE XREF: .text:0041DC45j
					; .text:0041DC2Aj
		imul	esp, [edi+67h],	61427265h
		jz	short loc_41DD12
		db	65h
		jb	short near ptr loc_41DD14+6
		dec	ecx
		outs	dx, byte ptr [si]
		outsd
		jb	short loc_41DD0C

loc_41DCA7:				; CODE XREF: .text:0041DC62j
		push	ebx

loc_41DCA8:				; CODE XREF: .text:0041DC57j
		jz	short near ptr loc_41DD0A+1

loc_41DCAA:				; CODE XREF: .text:0041DC43j
		jz	short near ptr loc_41DD1D+4
		jnb	short $+2

loc_41DCAE:				; CODE XREF: .text:loc_41DC3Cj
		or	[esi], al

loc_41DCB0:				; CODE XREF: .text:loc_41DC41j
					; DATA XREF: PopDiagTraceBatteryTriggerMet(x,x,x)+4A5o
		or	eax, large ds:0
; 
		dw 0
		dd 1B000040h
; 

loc_41DCBC:				; CODE XREF: .text:0041DC55j
		add	[eax+74614200h], eax
		jz	short loc_41DD29
		jb	short loc_41DD3F
		push	esp

loc_41DCC7:				; CODE XREF: .text:loc_41DC81j
		jb	short near ptr loc_41DD2E+4
		db	67h, 67h, 65h
		jb	short loc_41DD1B
		db	65h
		jz	short $+3
		imul	esi, fs:[ebx+63h], 67726168h
		db	65h
		push	eax
		outsd
		insb

loc_41DCDD:				; CODE XREF: .text:0041DC69j
		imul	esp, [ebx+79h],	65646E49h
		js	short $+2

loc_41DCE6:				; CODE XREF: .text:0041DC72j
		or	[ecx+63h], ah

loc_41DCE9:				; CODE XREF: .text:loc_41DC7Fj
		jz	short near ptr loc_41DD53+1
		jbe	short loc_41DD52
		inc	edx
		popa

loc_41DCEF:				; CODE XREF: .text:0041DC74j
		jz	short near ptr loc_41DD64+1
		db	65h
		jb	short near ptr loc_41DD69+4
		inc	ebx

loc_41DCF5:				; CODE XREF: .text:loc_41DC8Dj
		outsd
		jnz	short loc_41DD66
		jz	short $+2
		or	[edx+65h], dh

loc_41DCFD:				; CODE XREF: .text:loc_41DC87j
		insd
		popa

loc_41DCFF:				; CODE XREF: .text:0041DC89j
		imul	ebp, [esi+69h],	6550676Eh

loc_41DD06:				; CODE XREF: .text:loc_41DC93j
		jb	short near ptr loc_41DD69+2
		outs	dx, byte ptr gs:[esi]

loc_41DD0A:				; CODE XREF: .text:loc_41DCA8j
		jz	short near ptr loc_41DD69+4

loc_41DD0C:				; CODE XREF: .text:0041DCA5j
		add	gs:[bx+si], cl
		jb	short near ptr loc_41DD73+4

loc_41DD12:				; CODE XREF: .text:0041DC9Cj
		insd
		popa

loc_41DD14:				; CODE XREF: .text:0041DC9Ej
		imul	ebp, [esi+69h],	694D676Eh

loc_41DD1B:				; CODE XREF: .text:0041DCC9j
		insb
		insb

loc_41DD1D:				; CODE XREF: .text:loc_41DCAAj
		imul	edx, [eax+65h],	6E656372h
		jz	short $+2
		or	[ecx+73h], ch

loc_41DD29:				; CODE XREF: .text:0041DCC2j
		inc	ecx
		arpl	[edi+6Eh], cx
		insb

loc_41DD2E:				; CODE XREF: .text:loc_41DCC7j
		imul	ebp, [esi+65h],	61620800h
		jz	short loc_41DDAB
		db	65h
		jb	short loc_41DDB3
		inc	ecx
		arpl	[ecx+ebp*2+6Fh], si

loc_41DD3F:				; CODE XREF: .text:0041DCC4j
		outsb
		dec	ecx
		outsb
		jz	short loc_41DDA9
		jb	short near ptr loc_41DDB3+1
		popa
		insb
		inc	esi
		insb
		popa
		db	67h
		jnb	near ptr 0DD4Eh
		or	[ecx+73h], ch
		push	eax

loc_41DD52:				; CODE XREF: .text:0041DCEBj
		outsd

loc_41DD53:				; CODE XREF: .text:loc_41DCE9j
		ja	short loc_41DDBA
		jb	short loc_41DD98
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		inc	ebx
		popa
		insb
		insb
		dec	ecx
		outs	dx, byte ptr [si]
		outsd

loc_41DD64:				; CODE XREF: .text:loc_41DCEFj
		jb	short near ptr loc_41DDC9+2

loc_41DD66:				; CODE XREF: .text:0041DCF6j
		add	fs:[eax], cl

loc_41DD69:				; CODE XREF: .text:loc_41DD06j
					; .text:0041DCF1j ...
		imul	esi, [ebx+50h],	7265776Fh
		push	eax
		outsd
		insb

loc_41DD73:				; CODE XREF: .text:0041DD10j
		imul	esp, [ebx+79h],	62616E45h
		insb
		db	65h
		add	fs:[eax], cl
		jo	short near ptr loc_41DDE9+7
		ja	short loc_41DDE8
		jb	short near ptr loc_41DDD4+1
		outsd
		insb
		imul	esp, [ebx+79h],	69746341h
		outsd
		outsb
		add	[eax], cl
		jo	short loc_41DE03
		ja	short near ptr loc_41DDF4+7
		jb	short loc_41DDE8

loc_41DD98:				; CODE XREF: .text:0041DD55j
		outsd
		insb
		imul	esp, [ebx+79h],	74746142h
		db	65h
		jb	short near ptr loc_41DE1B+2
		dec	esp
		db	65h
		jbe	short near ptr loc_41DE0C+1
		insb

loc_41DDA9:				; CODE XREF: .text:0041DD42j
		add	[eax], cl

loc_41DDAB:				; CODE XREF: .text:0041DD35j
		jo	short near ptr loc_41DE1B+1
		ja	short near ptr loc_41DE13+1
		jb	short loc_41DE01
		outsd
		insb

loc_41DDB3:				; CODE XREF: .text:0041DD37j
					; .text:0041DD44j
		imul	esp, [ebx+79h],	6E657645h

loc_41DDBA:				; CODE XREF: .text:loc_41DD53j
		jz	short near ptr loc_41DDFC+3
		outsd
		db	64h
		add	gs:[eax], cl
		jo	short near ptr loc_41DE30+2
		ja	short near ptr loc_41DE25+5
		jb	short near ptr loc_41DE13+4
		outsd
		insb

loc_41DDC9:				; CODE XREF: .text:loc_41DD64j
		imul	esp, [ebx+79h],	536E694Dh
		jz	short loc_41DE33
		jz	short loc_41DE39

loc_41DDD4:				; CODE XREF: .text:0041DD83j
		add	[eax], cl
		push	es

loc_41DDD7:				; DATA XREF: PopDiagTraceMonitorOnWithLidClosed(x)+B7o
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		dd 860000h, 6F4D0080h
; 

loc_41DDE8:				; CODE XREF: .text:0041DD81j
					; .text:0041DD96j
		outsb

loc_41DDE9:				; CODE XREF: .text:0041DD7Fj
		imul	esi, [edi+ebp*2+72h], 69576E4Fh
		jz	short near ptr loc_41DE58+3
		dec	esp

loc_41DDF4:				; CODE XREF: .text:0041DD94j
		imul	esp, [ebx+eax*2+6Ch], 6465736Fh

loc_41DDFC:				; CODE XREF: .text:loc_41DDBAj
		add	[ecx+ebp*2+64h], ch
		push	ebx

loc_41DE01:				; CODE XREF: .text:0041DDAFj
		jz	short near ptr loc_41DE61+3

loc_41DE03:				; CODE XREF: .text:0041DD92j
		jz	short near ptr loc_41DE69+1
		add	[ebx+eax+65747865h], al

loc_41DE0C:				; CODE XREF: .text:0041DDA5j
		jb	short loc_41DE7C
		popa
		insb
		dec	ebp
		outsd
		outsb

loc_41DE13:				; CODE XREF: .text:0041DDADj
					; .text:0041DDC5j
		imul	esi, [edi+ebp*2+72h], 6E6E6F43h

loc_41DE1B:				; CODE XREF: .text:loc_41DDABj
					; .text:0041DDA1j
		arpl	gs:[ebp+64h], si
		push	ebx
		jz	short near ptr loc_41DE81+3
		jz	short near ptr loc_41DE88+2

loc_41DE25:				; CODE XREF: .text:0041DDC3j
		add	[ebx+eax+696E6F6Dh], al
		jz	short loc_41DE9D
		jb	short near ptr loc_41DE81+1

loc_41DE30:				; CODE XREF: .text:0041DDC1j
		db	65h
		jno	short near ptr loc_41DEA2+6

loc_41DE33:				; CODE XREF: .text:0041DDD0j
		db	65h
		jnb	short loc_41DEAA
		push	edx
		db	65h
		popa

loc_41DE39:				; CODE XREF: .text:0041DDD2j
		jnb	short loc_41DEAA
		outsb
		inc	ebx
		outsd
		db	64h
		add	gs:[eax], cl
		imul	esi, [ebx+50h],	7265776Fh
		push	ebx
		outsd
		jnz	short loc_41DEBF
		arpl	[ebp+43h], sp
		outsd
		outsb
		outsb
		arpl	gs:[ebp+64h], si

loc_41DE58:				; CODE XREF: .text:0041DDF1j
		add	[ebx+eax+65537343h], al
		jnb	short loc_41DED4

loc_41DE61:				; CODE XREF: .text:loc_41DE01j
		imul	ebp, [edi+6Eh],	0A006449h
		push	es

loc_41DE69:				; CODE XREF: .text:loc_41DE03j
					; DATA XREF: PopDiagTraceDozeDeferralDecision(x,x,x,x,x,x,x,x,x)+262o
		or	eax, large ds:0
; 
		db 0
		dd 4000h, 800133h, 657A6F44h
; 

loc_41DE7C:				; CODE XREF: .text:loc_41DE0Cj
		push	esp
		outsd
		push	ebx
		xor	al, 44h

loc_41DE81:				; CODE XREF: .text:0041DE2Ej
					; .text:0041DE21j
		db	65h, 66h, 65h
		jb	short near ptr loc_41DEF7+1
		popa
		insb

loc_41DE88:				; CODE XREF: .text:0041DE23j
		add	[ebp+66h], al
		db	65h
		jb	short loc_41DF01
		db	65h
		add	fs:657A6F44h, cl
		inc	esp
		db	65h, 66h, 65h
		jb	short loc_41DF0F

loc_41DE9D:				; CODE XREF: .text:0041DE2Cj
		popa
		insb
		inc	esp
		outs	dx, byte ptr gs:[esi]

loc_41DEA2:				; CODE XREF: .text:loc_41DE30j
		imul	esp, [ebp+64h],	73616552h
		outsd

loc_41DEAA:				; CODE XREF: .text:loc_41DE33j
					; .text:loc_41DE39j
		outsb
		jnb	short $+2
		adc	al, 44h
		outsd
		jp	short loc_41DF17
		inc	esp
		db	65h, 66h, 65h
		jb	short near ptr loc_41DF28+2
		popa
		insb
		push	ebx
		jz	short near ptr loc_41DF1D+1
		jb	short loc_41DF33

loc_41DEBF:				; CODE XREF: .text:0041DE4Bj
		push	esp
		imul	ebp, [ebp+65h],	75431500h
		jb	short loc_41DF3B
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_41DF14+2
		outsb
		jz	short loc_41DF35
		jb	short loc_41DF44
		jnz	short loc_41DF44

loc_41DED4:				; CODE XREF: .text:0041DE5Fj
		jz	short near ptr loc_41DF28+2
		imul	ebp, [ebp+65h],	61451500h
		jb	short near ptr loc_41DF48+3
		imul	esp, [ebp+73h],	6B615774h
		db	65h
		push	esp
		imul	ebp, [ebp+65h],	65754472h
		push	esp
		imul	ebp, [ebp+65h],	6F441500h

loc_41DEF7:				; CODE XREF: .text:loc_41DE81j
		jp	short loc_41DF5E
		inc	esp
		db	65h, 66h, 65h
		jb	short loc_41DF71
		popa
		insb

loc_41DF01:				; CODE XREF: .text:0041DE8Cj
		dec	ebp
		popa
		js	short near ptr loc_41DF57+1
		arpl	gs:[edi+6Eh], bp
		db	64h
		jnb	short $+3
		or	[edi+61h], dl

loc_41DF0F:				; CODE XREF: .text:0041DE98j
		imul	esp, [ebp+54h],	69h
		insd

loc_41DF14:				; CODE XREF: .text:0041DECBj
		db	65h
		jb	short loc_41DF69

loc_41DF17:				; CODE XREF: .text:0041DEB0j
		db	65h
		jno	short loc_41DF8F
		db	65h
		jnb	short near ptr loc_41DF8F+2

loc_41DF1D:				; CODE XREF: .text:0041DEBBj
		db	65h
		jb	short $+3
		add	[edi+61h], edx
		imul	esp, [ebp+54h],	69h
		insd

loc_41DF28:				; CODE XREF: .text:0041DEB3j
					; .text:loc_41DED4j
		db	65h
		jb	short near ptr loc_41DF7B+2
		db	65h
		popa
		jnb	short near ptr loc_41DF9D+1
		outsb
		add	[ecx], al
		push	edx

loc_41DF33:				; CODE XREF: .text:0041DEBDj
		jz	short loc_41DF98

loc_41DF35:				; CODE XREF: .text:0041DECEj
		push	edi
		popa
		imul	esp, [ebp+50h],	6Fh

loc_41DF3B:				; CODE XREF: .text:0041DEC7j
		insb
		imul	esp, [ebx+79h],	4006341h
		push	edx

loc_41DF44:				; CODE XREF: .text:0041DED0j
					; .text:0041DED2j
		jz	short near ptr loc_41DFA2+7
		push	edi
		popa

loc_41DF48:				; CODE XREF: .text:0041DEDDj
		imul	esp, [ebp+50h],	6Fh
		insb
		imul	esp, [ebx+79h],	4006344h
		push	eax
		insb
		popa

loc_41DF57:				; CODE XREF: .text:0041DF03j
		jz	short loc_41DFBF
		outsd
		jb	short loc_41DFC9
		push	edx
		outsd

loc_41DF5E:				; CODE XREF: .text:loc_41DEF7j
		insb
		add	gs:[ebx], al
		dec	ecx
		jnb	short near ptr loc_41DFA2+4
		outsd
		popa
		arpl	[eax], ax

loc_41DF69:				; CODE XREF: .text:loc_41DF14j
		or	eax, 656B6157h
		inc	ecx
		insb
		popa

loc_41DF71:				; CODE XREF: .text:0041DEFAj
		jb	short near ptr loc_41DFDB+5
		push	eax
		jb	short loc_41DFDB
		jnb	short near ptr loc_41DFDB+2
		outsb
		jz	short $+2

loc_41DF7B:				; CODE XREF: .text:loc_41DF28j
		add	eax, [ecx+63h]
		dec	edi
		outsb
		dec	esp
		imul	ebp, [esi+65h],	656B6157h
		inc	ebx
		popa
		jo	short loc_41DFED
		bound	ebp, [ecx+6Ch]

loc_41DF8F:				; CODE XREF: .text:loc_41DF17j
					; .text:0041DF1Aj
		imul	esi, [ecx+edi*2+0], 63745203h
		push	edi

loc_41DF98:				; CODE XREF: .text:loc_41DF33j
		popa
		imul	esp, [ebp+43h],	61h

loc_41DF9D:				; CODE XREF: .text:0041DF2Dj
		jo	short near ptr loc_41DFFF+1
		bound	ebp, [ecx+6Ch]

loc_41DFA2:				; CODE XREF: .text:0041DF63j
					; .text:loc_41DF44j
					; DATA XREF: ...
		imul	esi, [ecx+edi*2+0], 50B0603h
; 
		dw 0
		align 10h
		dd 0D6000040h, 52008000h, 61576374h
		db 6Bh,	65h, 49h
; 

loc_41DFBF:				; CODE XREF: .text:loc_41DF57j
		outsb
		outsw
		add	[edi+6Fh], dh
		imul	esp, [ebp+53h],	79h

loc_41DFC9:				; CODE XREF: .text:0041DF5Aj
		jnb	short loc_41E03F
		db	65h
		insd
		add	ds:656A6572h, cl
		arpl	[edx+edx*2+65h], si
		popa
		jnb	short loc_41E049
		outsb

loc_41DFDB:				; CODE XREF: .text:0041DF74j
					; .text:0041DF76j ...
		add	ds:7265636Eh[esi*2], al
		jz	short near ptr loc_41E03F+6
		imul	ebp, [esi+0], 7570730Dh
		jb	short near ptr loc_41E051+5

loc_41DFED:				; CODE XREF: .text:0041DF8Aj
		outsd
		jnz	short near ptr loc_41E060+3
		add	ds:65786966h, cl
		db	64h
		push	edi
		popa
		imul	esp, [ebp+53h],	6Fh
		jnz	short loc_41E071

loc_41DFFF:				; CODE XREF: .text:loc_41DF9Dj
		arpl	[ebp+0], sp
		or	[ecx+63h], ah
		inc	ecx
		insb
		popa
		jb	short loc_41E077
		push	ebx
		imul	esp, [edi+6Eh],	64656C61h
		add	ds:6C416364h, cl
		popa
		jb	short near ptr loc_41E085+3
		push	ebx
		imul	esp, [edi+6Eh],	64656C61h
		add	ds:53637472h, cl
		imul	esp, [edi+6Eh],	64656C61h
		add	ds:72506361h, cl
		outsd
		db	67h
		jb	near ptr 0E09Bh
		insd
		insd
		db	65h, 64h
		push	esp

loc_41E03F:				; CODE XREF: .text:loc_41DFC9j
					; .text:0041DFE2j
		imul	ebp, [ebp+65h],	63641100h
		push	eax
		jb	short loc_41E0B8

loc_41E049:				; CODE XREF: .text:0041DFD8j
		db	67h
		jb	near ptr 0E0ADh
		insd
		insd
		db	65h, 64h
		push	esp

loc_41E051:				; CODE XREF: .text:0041DFEBj
		imul	ebp, [ebp+65h],	73751100h
		imul	ebp, [esi+67h],	69546341h
		insd

loc_41E060:				; CODE XREF: .text:0041DFEEj
		add	gs:656B6177h, cl
		push	esp
		imul	ebp, [ebp+65h],	64611100h
		push	75h

loc_41E071:				; CODE XREF: .text:0041DFFDj
		jnb	short loc_41E0E7
		db	65h, 64h
		push	edi
		popa

loc_41E077:				; CODE XREF: .text:0041E008j
		imul	esp, [ebp+54h],	69h
		insd
		add	gs:[ecx], dl
		db	66h
		jnz	short loc_41E0EE
		insb
		push	edi
		popa

loc_41E085:				; CODE XREF: .text:0041E019j
		imul	esp, [ebp+0], 0Dh
		push	es

loc_41E08A:				; DATA XREF: PopTraceMonitorOnRequestUserInput(x)+5Eo
		or	eax, large ds:0
; 
		dd 400000h, 80005100h, 706E4900h, 75537475h, 65727070h
		dd 6F697373h, 6E6F4D6Eh, 726F7469h, 65526E4Fh, 73657571h
; 

loc_41E0B8:				; CODE XREF: .text:0041E047j
		jz	short near ptr loc_41E10E+1
		jnb	short loc_41E121
		jb	short near ptr loc_41E106+1
		outsb
		jo	short loc_41E136
		jz	short $+2
		inc	ebx
		jnb	short near ptr loc_41E118+1
		db	65h
		jnb	short near ptr loc_41E13B+1
		imul	ebp, [edi+6Eh],	0A006449h
		dec	ebp
		outsd
		outsb
		imul	esi, [edi+ebp*2+72h], 75716552h
		db	65h
		jnb	short near ptr loc_41E150+2
		push	edx
		db	65h
		popa
		jnb	short near ptr loc_41E150+2
		outsb
		add	[eax], cl
		push	es

loc_41E0E7:				; CODE XREF: .text:loc_41E071j
					; DATA XREF: PopDiagTraceUmpoAlpcProcessingError(x)+49o
		or	eax, large ds:0
; 
		db 0
; 

loc_41E0EE:				; CODE XREF: .text:0041E07Fj
		add	[eax+0], al
		add	[esi], ch
		add	[eax+706D5500h], al
		outsd
		inc	ecx
		dec	esp
		push	eax
		inc	ebx
		dec	ebp
		db	65h
		jnb	short loc_41E175
		popa
		db	67h, 65h
		push	eax

loc_41E106:				; CODE XREF: .text:0041E0BCj
		jb	short near ptr loc_41E176+1
		arpl	[ebp+73h], sp
		jnb	short loc_41E176
		outsb

loc_41E10E:				; CODE XREF: .text:loc_41E0B8j
		db	67h
		inc	ebp
		jb	short loc_41E184
		outsd
		jb	short $+2
		dec	esi
		jz	short near ptr loc_41E166+5

loc_41E118:				; CODE XREF: .text:0041E0C4j
		jz	short near ptr loc_41E176+5
		jz	short near ptr loc_41E18E+3
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41E121:				; CODE XREF: .text:0041E0BAj
					; DATA XREF: PopDiagTraceDirectedDripsInitialization+87837o
		or	eax, large ds:0
; 
		db 0
		dd 4000h, 800039h, 69446F50h
		db 72h,	65h
; 

loc_41E136:				; CODE XREF: .text:0041E0BFj
		arpl	[ebp+64h], si
		inc	esp

loc_41E13B:				; CODE XREF: .text:0041E0C6j
		jb	short loc_41E1A6
		jo	short loc_41E1B2
		dec	ecx
		outsb
		imul	esi, [ecx+ebp*2+61h], 617A696Ch
		jz	short loc_41E1B4
		outsd
		outsb
		add	[ecx+6Eh], cl

loc_41E150:				; CODE XREF: .text:0041E0DBj
					; .text:0041E0E1j
		imul	esi, [ecx+ebp*2+61h], 617A696Ch
		jz	short near ptr loc_41E1C2+1
		outsd
		outsb
		push	edx
		db	65h
		jnb	short near ptr loc_41E1D0+5
		insb
		jz	short $+2
		mov	[esi], cl
		push	es

loc_41E166:				; CODE XREF: .text:0041E116j
					; DATA XREF: PoDiagTraceDirectedDripsCandidateDevice(x)+A5o
		or	eax, large ds:0
; 
		dd 400000h, 80005E00h
		db 0
; 

loc_41E175:				; CODE XREF: .text:0041E0FFj
		inc	esp

loc_41E176:				; CODE XREF: .text:0041E10Bj
					; .text:loc_41E106j ...
		imul	esi, [edx+65h],	64657463h
		inc	esp
		jb	short loc_41E1E9
		jo	short loc_41E1F5
		inc	ebx
		popa

loc_41E184:				; CODE XREF: .text:0041E110j
		outsb
		imul	esp, fs:[ecx+74h], 76654465h

loc_41E18E:				; CODE XREF: .text:0041E11Aj
		imul	esp, [ebx+65h],	53734300h
		db	65h
		jnb	short near ptr loc_41E206+5
		imul	ebp, [edi+6Eh],	0A006449h
		inc	esp
		db	65h
		jbe	short near ptr loc_41E206+6
		arpl	[ebp+4Fh], sp

loc_41E1A6:				; CODE XREF: .text:loc_41E13Bj
		bound	ebp, [edx+65h]
		arpl	[eax+eax-6Ch], si
		and	eax, 74736E49h

loc_41E1B2:				; CODE XREF: .text:0041E13Dj
		popa
		outsb

loc_41E1B4:				; CODE XREF: .text:0041E149j
		arpl	[ebp+50h], sp
		popa
		jz	short loc_41E222
		add	[esi], dl
		inc	ebx
		jnz	short loc_41E231
		jb	short near ptr loc_41E225+1
		outsb

loc_41E1C2:				; CODE XREF: .text:0041E158j
		jz	short loc_41E214
		outsd
		ja	short near ptr loc_41E229+3
		jb	short loc_41E21C
		jz	short near ptr loc_41E229+3
		jz	short near ptr loc_41E231+1
		add	[eax], cl
		push	es

loc_41E1D0:				; CODE XREF: .text:0041E15Dj
					; DATA XREF: PopTraceInputSuppressionActionUpdate(x,x,x,x,x,x,x)+EEo
		or	eax, large ds:0
; 
		dw 0
		dd 0C0000040h, 49008000h, 7475706Eh, 70707553h
		db 72h
; 

loc_41E1E9:				; CODE XREF: .text:0041E17Ej
		db	65h
		jnb	short loc_41E25F
		imul	ebp, [edi+6Eh],	69746341h
		outsd
		outsb

loc_41E1F5:				; CODE XREF: .text:0041E180j
		add	[ecx+73h], ch
		dec	esp
		imul	esp, [ebx+edx*2+74h], 49657461h
		outs	dx, byte ptr [si]
		outsd
		jb	short loc_41E26B

loc_41E206:				; CODE XREF: .text:0041E195j
					; .text:0041E1A0j
		add	fs:[ebx+eax+694C7369h],	al
		db	64h
		inc	ebx
		insb
		outsd
		jnb	short loc_41E279

loc_41E214:				; CODE XREF: .text:loc_41E1C2j
		add	fs:[ebx+eax+6F507369h],	al

loc_41E21C:				; CODE XREF: .text:0041E1C7j
		ja	short near ptr loc_41E27E+5
		jb	short near ptr loc_41E26E+5
		jz	short near ptr loc_41E27E+5

loc_41E222:				; CODE XREF: .text:0041E1B8j
		jz	short near ptr loc_41E287+2
		inc	esp

loc_41E225:				; CODE XREF: .text:0041E1BFj
		arpl	[eax], ax
		test	[ebx], al

loc_41E229:				; CODE XREF: .text:0041E1C5j
					; .text:0041E1C9j
		imul	esi, [ebx+44h],	6C707369h
		popa

loc_41E231:				; CODE XREF: .text:0041E1BDj
					; .text:0041E1CBj
		jns	short near ptr loc_41E27E+4
		db	66h, 66h
		add	[ebx+eax+6F4E7369h], al
		inc	ebp
		js	short loc_41E2B3
		db	65h
		jb	short loc_41E2B0
		popa
		insb
		dec	ebp
		outsd
		outsb
		imul	esi, [edi+ebp*2+72h], 73657250h
		outs	dx, byte ptr gs:[esi]
		jz	short $+2
		test	[ebx], al
		imul	esi, [ebx+49h],	7475706Eh
		push	ebx
		jnz	short loc_41E2CF

loc_41E25F:				; CODE XREF: .text:loc_41E1E9j
		jo	short near ptr loc_41E2D2+1
		db	65h
		jnb	short loc_41E2D7
		imul	ebp, [edi+6Eh],	6574704Fh

loc_41E26B:				; CODE XREF: .text:0041E204j
		db	64h
		dec	ecx
		outsb

loc_41E26E:				; CODE XREF: .text:0041E21Ej
		add	[ebx+eax+75706E69h], al
		jz	short loc_41E2CA
		jnz	short near ptr loc_41E2E6+3

loc_41E279:				; CODE XREF: .text:0041E212j
		jo	short near ptr loc_41E2EC+1
		db	65h
		jnb	short loc_41E2F1

loc_41E27E:				; CODE XREF: .text:loc_41E231j
					; .text:loc_41E21Cj ...
		imul	ebp, [edi+6Eh],	616E6946h
		insb
		inc	ecx

loc_41E287:				; CODE XREF: .text:loc_41E222j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		add	[eax], cl
		inc	ebx
		jnb	short loc_41E2E4
		db	65h
		jnb	short loc_41E307
		imul	ebp, [edi+6Eh],	0A006449h
		push	es

loc_41E29C:				; DATA XREF: PopDiagTraceBatteryTriggerFlags+A058Ao
		or	eax, large ds:0
; 
		dw 0
		dd 9B000000h, 42008000h, 65747461h
; 

loc_41E2B0:				; CODE XREF: .text:0041E23Fj
		jb	short near ptr loc_41E325+6
		push	esp

loc_41E2B3:				; CODE XREF: .text:0041E23Dj
		jb	short near ptr loc_41E31A+4
		db	67h, 67h, 65h
		jb	short loc_41E300
		insb
		popa
		db	67h
		jnb	near ptr 0E314h
		jo	short loc_41E325
		popa
		jz	short near ptr loc_41E325+4
		add	fs:[ecx+63h], ah
		jz	short near ptr loc_41E32F+4

loc_41E2CA:				; CODE XREF: .text:0041E275j
		outsd
		outsb
		dec	esi
		popa
		insd

loc_41E2CF:				; CODE XREF: .text:0041E25Dj
		add	gs:[edx], al

loc_41E2D2:				; CODE XREF: .text:loc_41E25Fj
		bound	esp, [ecx+74h]
		jz	short near ptr loc_41E338+4

loc_41E2D7:				; CODE XREF: .text:0041E261j
		jb	short loc_41E352
		push	esp
		jb	short near ptr loc_41E343+2
		db	67h, 67h, 65h
		jb	short near ptr loc_41E32F+5
		db	65h
		jz	short near ptr loc_41E325+5

loc_41E2E4:				; CODE XREF: .text:0041E28Fj
		insb
		popa

loc_41E2E6:				; CODE XREF: .text:0041E277j
		add	[si+6203h], al
		popa

loc_41E2EC:				; CODE XREF: .text:loc_41E279j
		jz	short near ptr loc_41E35B+7
		db	65h
		jb	short loc_41E36A

loc_41E2F1:				; CODE XREF: .text:0041E27Bj
		push	esp
		jb	short near ptr loc_41E35B+2
		db	67h, 67h, 65h
		jb	short near ptr dword_41E34C
		jns	short near ptr loc_41E36D+1
		jz	short near ptr loc_41E35B+7
		insd
		inc	esi
		insb

loc_41E300:				; CODE XREF: .text:0041E2B5j
		popa
		add	[si+6203h], al
		popa

loc_41E307:				; CODE XREF: .text:0041E291j
		jz	short loc_41E37D
		db	65h
		jb	short near ptr loc_41E384+1
		push	esp
		jb	short loc_41E378
		db	67h, 67h, 65h
		jb	short near ptr loc_41E368+1
		jnb	short loc_41E37B
		jb	short near ptr loc_41E35B+3
		insb
		popa

loc_41E31A:				; CODE XREF: .text:loc_41E2B3j
		add	[si+6903h], al
		jnb	short near ptr loc_41E35B+7
		arpl	[edi+6Eh], cx
		insb

loc_41E325:				; CODE XREF: .text:0041E2BFj
					; .text:0041E2C2j ...
		imul	ebp, [esi+65h],	72038400h
		db	65h
		insd
		popa

loc_41E32F:				; CODE XREF: .text:0041E2C8j
					; .text:0041E2DCj
		imul	ebp, [esi+69h],	694D676Eh
		insb
		insb

loc_41E338:				; CODE XREF: .text:0041E2D5j
		imul	edx, [eax+65h],	6E656372h
		jz	short $+2
		or	[esi], al

loc_41E343:				; CODE XREF: .text:0041E2DAj
					; DATA XREF: PopTraceStandbyConnectivityUpdate+85717o
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
dword_41E34C	dd 3F0000h		; CODE XREF: .text:0041E2F4j
		db 80h,	0
; 

loc_41E352:				; CODE XREF: .text:loc_41E2D7j
		inc	ebx
		outsd
		outsb
		outsb
		arpl	gs:[ecx+ebp*2+76h], si

loc_41E35B:				; CODE XREF: .text:0041E2F2j
					; .text:0041E316j ...
		imul	esi, [ecx+edi*2+49h], 6174536Eh
		outsb
		bound	edi, fs:[ecx+55h]

loc_41E368:				; CODE XREF: .text:0041E30Fj
		jo	short loc_41E3CE

loc_41E36A:				; CODE XREF: .text:0041E2EEj
		popa
		jz	short loc_41E3D2

loc_41E36D:				; CODE XREF: .text:0041E2F9j
		add	[ebx+74h], dl
		popa
		jz	short near ptr loc_41E3D2+6
		add	[eax], cl
		push	edx
		db	65h
		popa

loc_41E378:				; CODE XREF: .text:0041E30Dj
		jnb	short loc_41E3E9
		outsb

loc_41E37B:				; CODE XREF: .text:0041E314j
		add	[eax], cl

loc_41E37D:				; CODE XREF: .text:loc_41E307j
		push	eax
		popa
		jb	short loc_41E3F5
		inc	ecx
		pop	edi
		push	eax

loc_41E384:				; CODE XREF: .text:0041E309j
		jb	short near ptr loc_41E3EE+1
		jbe	short near ptr loc_41E3DA+2
		popa
		db	67h
		jnb	near ptr 0E38Ch
		or	al, [esi]

loc_41E38E:				; DATA XREF: PopDiagTraceDisplayBurstWin32kCallout(x,x,x)+61o
		or	eax, large ds:0
; 
		dd 0
		db    0
		db 64h,	0, 80h
		db    0
aUserinitiatedd	db 'UserInitiatedDisplayBurstStatus',0
aLidopen	db 'LidOpen',0
		db 84h,	3, 45h
		dd 72657478h
		db 6Eh,	61h
; 

loc_41E3CE:				; CODE XREF: .text:loc_41E368j
		insb
		dec	ebp
		outsd
		outsb

loc_41E3D2:				; CODE XREF: .text:0041E36Bj
					; .text:0041E371j
		imul	esi, [edi+ebp*2+72h], 6E6E6F43h

loc_41E3DA:				; CODE XREF: .text:0041E386j
		arpl	gs:[ebp+64h], si
		add	[ebx+eax+69447349h], al
		jnb	short loc_41E458
		insb

loc_41E3E9:				; CODE XREF: .text:loc_41E378j
		popa
		jns	short loc_41E42E
		jnz	short loc_41E460

loc_41E3EE:				; CODE XREF: .text:loc_41E384j
		jnb	short loc_41E464
		push	ebx
		jnz	short loc_41E463
		jo	short loc_41E467

loc_41E3F5:				; CODE XREF: .text:0041E37Fj
		db	65h
		jnb	short loc_41E46B
		db	65h		; DATA XREF: PopDiagTraceExternalDisplayState(x)+31o
		add	fs:[ebx+eax+50B06h], al
; 
		db 3 dup(0)
		dd 0
		dd 80004200h, 706F5000h, 67616944h, 63617254h, 74784565h
		dd 616E7265h, 7369446Ch, 79616C70h, 74617453h
		db 65h,	0
; 

loc_41E42E:				; CODE XREF: .text:0041E3EAj
		dec	ecx
		jnb	short near ptr loc_41E475+1
		js	short loc_41E4A7
		db	65h
		jb	short near ptr loc_41E4A3+1
		popa
		insb
		dec	ebp
		outsd
		outsb
		imul	esi, [edi+ebp*2+72h], 6E6E6F43h
		arpl	gs:[ebp+64h], si

loc_41E448:				; DATA XREF: PopTraceBootError(x)+9Co
		add	[ebx+eax+50B06h], al
; 
		db 0
		dd 0
; 
		add	byte ptr [eax],	0
		pop	ecx

loc_41E458:				; CODE XREF: .text:0041E3E6j
		add	[eax+6E695700h], al
		insb
		outsd

loc_41E460:				; CODE XREF: .text:0041E3ECj
		popa
		db	64h
		inc	esi

loc_41E463:				; CODE XREF: .text:0041E3F1j
		popa

loc_41E464:				; CODE XREF: .text:loc_41E3EEj
		jz	short near ptr loc_41E4C6+1
		insb

loc_41E467:				; CODE XREF: .text:0041E3F3j
		inc	ebp
		jb	short near ptr loc_41E4DB+1
		outsd

loc_41E46B:				; CODE XREF: .text:loc_41E3F5j
		jb	short $+2
		db	65h
		jb	short near ptr loc_41E4DE+4
		outsd
		jb	short near ptr loc_41E4B1+4
		outsd
		outsd

loc_41E475:				; CODE XREF: .text:0041E42Fj
		jz	short loc_41E4C0
		add	fs:[eax], cl
		jb	short near ptr loc_41E4DE+3
		jo	short near ptr loc_41E4DE+5
		popa
		jz	short loc_41E4C4
		outsd
		jnz	short loc_41E4F2
		jz	short $+2
		or	[edi+74h], ch
		push	72457265h
		jb	short near ptr loc_41E4F9+6
		jb	short near ptr loc_41E4D4+1
		outsd
		jnz	short near ptr loc_41E502+1
		jz	short $+2
		or	[ebp+72h], ah
		jb	short near ptr loc_41E50A+1
		jb	short near ptr loc_41E4DE+3
		outsd
		db	64h
		add	gs:[eax], cl

loc_41E4A3:				; CODE XREF: .text:0041E433j
		db	65h
		jb	short loc_41E518
		outsd

loc_41E4A7:				; CODE XREF: .text:0041E431j
		jb	short near ptr loc_41E4F9+3
		jz	short loc_41E50C
		jz	short near ptr loc_41E51D+5
		jnb	short $+2
		or	al, [esi]

loc_41E4B1:				; CODE XREF: .text:0041E471j
					; DATA XREF: PoTraceForceIdleReset(x)+4Co
		or	eax, large ds:0
; 
		db 0
		dd 4000h, 800021h
; 

loc_41E4C0:				; CODE XREF: .text:loc_41E475j
		inc	esi
		outsd
		jb	short loc_41E527

loc_41E4C4:				; CODE XREF: .text:0041E47Fj
		db	65h
		dec	ecx

loc_41E4C6:				; CODE XREF: .text:loc_41E464j
		db	64h
		insb
		db	65h
		push	edx
		db	65h
		jnb	short near ptr loc_41E52F+3
		jz	short near ptr loc_41E51D+4
		db	65h
		popa
		jnb	short near ptr loc_41E541+1
		outsb

loc_41E4D4:				; CODE XREF: .text:0041E490j
		add	[edx+65h], dl
		popa
		jnb	short loc_41E549
		outsb

loc_41E4DB:				; CODE XREF: .text:0041E468j
		add	[eax], cl
		push	es

loc_41E4DE:				; CODE XREF: .text:0041E47Aj
					; .text:0041E49Cj ...
		or	eax, large ds:0
; 
		dd 400000h, 80002700h, 656C5300h
		db 65h,	70h
; 

loc_41E4F2:				; CODE XREF: .text:0041E482j
		inc	ebx
		push	706B6365h
		outsd

loc_41E4F9:				; CODE XREF: .text:loc_41E4A7j
					; .text:0041E48Ej
		imul	ebp, [esi+74h],	74696E49h
		inc	esi
		popa

loc_41E502:				; CODE XREF: .text:0041E493j
		imul	ebp, [ebp+64h],	61745300h

loc_41E50A:				; CODE XREF: .text:0041E49Aj
		jz	short loc_41E581

loc_41E50C:				; CODE XREF: .text:0041E4A9j
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_41E511:				; DATA XREF: PopTraceEsBgActivityPolicyUpdate(x,x)+67o
		or	eax, large ds:0
; 
		db 0
; 

loc_41E518:				; CODE XREF: .text:loc_41E4A3j
		add	[eax+0], al
		add	[esi], bh

loc_41E51D:				; CODE XREF: .text:0041E4CDj
					; .text:0041E4ABj
		add	[eax+63614200h], al
		imul	esp, [edi+72h],	6Fh

loc_41E527:				; CODE XREF: .text:0041E4C2j
		jnz	short near ptr loc_41E596+1
		db	64h
		inc	ecx
		arpl	[ecx+ebp*2+76h], si

loc_41E52F:				; CODE XREF: .text:0041E4CAj
		imul	esi, [ecx+edi*2+50h], 63696C6Fh
		jns	short loc_41E58E
		jo	short near ptr loc_41E59C+3
		popa
		jz	short loc_41E5A3
		add	[eax+72h], dl

loc_41E541:				; CODE XREF: .text:0041E4D1j
		db	65h
		jbe	short near ptr loc_41E5A9+4
		outsd
		jnz	short near ptr loc_41E5B4+6
		push	eax
		outsd

loc_41E549:				; CODE XREF: .text:0041E4D8j
		insb
		imul	esp, [ebx+79h],	654E0800h
		ja	short loc_41E5A3
		outsd
		insb

loc_41E555:				; DATA XREF: PopTraceThermalRequestActiveActivity(x)+18Ao
		imul	esp, [ebx+79h],	0B060800h
		add	eax, 0
; 
		db 2 dup(0), 40h
		dd 6F0000h, 68540080h, 616D7265h, 7165526Ch, 74736575h
		dd 69746341h, 63416576h
		db 74h
; 

loc_41E581:				; CODE XREF: .text:loc_41E50Aj
		imul	esi, [esi+69h],	74007974h
		popa
		jb	short loc_41E5F2
		db	65h
		jz	short near ptr loc_41E5D1+1

loc_41E58E:				; CODE XREF: .text:0041E537j
		db	65h
		jbe	short near ptr loc_41E5F7+3
		arpl	[ebp+4Eh], sp
		popa
		insd

loc_41E596:				; CODE XREF: .text:loc_41E527j
		add	gs:[esi], dl
		jo	short near ptr loc_41E607+3
		insb

loc_41E59C:				; CODE XREF: .text:0041E539j
		imul	esp, [ebx+79h],	69766544h

loc_41E5A3:				; CODE XREF: .text:0041E53Cj
					; .text:0041E551j
		arpl	[ebp+53h], sp
		db	65h
		jb	short near ptr loc_41E619+6

loc_41E5A9:				; CODE XREF: .text:loc_41E541j
		imul	esp, [ebx+65h],	6F740100h
		jz	short loc_41E613
		insb
		push	esp

loc_41E5B4:				; CODE XREF: .text:0041E545j
		imul	ebp, [ebp+65h],	63610800h
		jz	short loc_41E626
		jbe	short near ptr loc_41E623+1
		push	esp
		imul	ebp, [ebp+65h],	61500800h
		jb	short near ptr loc_41E63C+1
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41E634+3
		jbe	short near ptr loc_41E623+1
		popa

loc_41E5D1:				; CODE XREF: .text:0041E58Bj
		db	67h
		jnb	near ptr 0E5D4h
		or	al, [esi]

loc_41E5D6:				; DATA XREF: PopTraceThermalRequestPassiveHistogram+898B0o
		or	eax, large ds:0
; 
		dd 400000h, 80007300h, 65685400h, 6C616D72h, 75716552h
		db 65h,	73h
; 

loc_41E5F2:				; CODE XREF: .text:0041E589j
		jz	short near ptr loc_41E643+1
		popa
		jnb	short loc_41E66A

loc_41E5F7:				; CODE XREF: .text:loc_41E58Ej
		imul	esi, [esi+65h],	74736948h
		outsd
		db	67h
		jb	near ptr 0E663h
		insd
		add	[ecx+72h], dh

loc_41E607:				; CODE XREF: .text:0041E599j
		db	67h, 65h
		jz	near ptr 0E64Fh
		db	65h
		jbe	short near ptr loc_41E676+1
		arpl	[ebp+4Eh], sp
		popa
		insd

loc_41E613:				; CODE XREF: .text:0041E5B0j
		add	gs:[esi], dl
		jo	short loc_41E687
		insb

loc_41E619:				; CODE XREF: .text:0041E5A6j
		imul	esp, [ebx+79h],	69766544h
		arpl	[ebp+53h], sp

loc_41E623:				; CODE XREF: .text:0041E5BDj
					; .text:0041E5CEj
		db	65h
		jb	short near ptr loc_41E69B+1

loc_41E626:				; CODE XREF: .text:0041E5BBj
		imul	esp, [ebx+65h],	68740100h
		jb	short near ptr loc_41E69B+3
		jz	short loc_41E6A5
		insb
		db	65h
		dec	eax

loc_41E634:				; CODE XREF: .text:0041E5CCj
		imul	esi, [ebx+74h],	6172676Fh
		insd

loc_41E63C:				; CODE XREF: .text:0041E5C7j
		add	[eax], ch
		adc	eax, 63756200h

loc_41E643:				; CODE XREF: .text:loc_41E5F2j
		imul	esp, [ebp+74h],	54h
		push	68736572h
		outsd
		insb
		db	64h
		jnb	short $+3
		and	al, 15h
		add	[esi], al

loc_41E655:				; DATA XREF: PopTraceThermalZoneActiveActivity+8979Co
		or	eax, large ds:0
; 
		db 0
		dd 4000h, 800068h, 72656854h
		db 6Dh,	61h
; 

loc_41E66A:				; CODE XREF: .text:0041E5F5j
		insb
		pop	edx
		outsd
		outsb
		db	65h
		inc	ecx
		arpl	[ecx+ebp*2+76h], si
		db	65h
		inc	ecx

loc_41E676:				; CODE XREF: .text:0041E60Bj
		arpl	[ecx+ebp*2+76h], si
		imul	esi, [ecx+edi*2+0], 72656874h
		insd
		popa
		insb
		pop	edx
		outsd

loc_41E687:				; CODE XREF: .text:0041E616j
		outsb
		db	65h
		dec	esi
		popa
		insd
		add	gs:[esi], dl
		jp	short loc_41E700
		outsb
		db	65h
		inc	esp
		db	65h
		jnb	short loc_41E6FA
		jb	short loc_41E702
		jo	short near ptr loc_41E70E+1

loc_41E69B:				; CODE XREF: .text:loc_41E623j
					; .text:0041E62Dj
		imul	ebp, [edi+6Eh],	6F740100h
		jz	short loc_41E705
		insb

loc_41E6A5:				; CODE XREF: .text:0041E62Fj
		push	esp
		imul	ebp, [ebp+65h],	63610800h
		jz	short loc_41E718
		jbe	short loc_41E716
		push	esp
		imul	ebp, [ebp+65h],	50480073h
		popa
		jb	short loc_41E730
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41E729+1
		jbe	short loc_41E717
		popa
		db	67h
		jnb	near ptr 0E6C7h
		or	al, [esi]

loc_41E6C9:				; DATA XREF: PopTransitionTelemetryOsState+5E8o
		or	eax, large ds:0
; 
		db 0
		dd 8000h, 800164h, 7453534Fh, 43657461h, 676E6168h, 74530065h
		dd 54657461h, 736E6172h, 6F697469h, 5306006Eh
		db 74h,	61h
; 

loc_41E6FA:				; CODE XREF: .text:0041E694j
		jz	short loc_41E761
		push	esp
		jb	short loc_41E760
		outsb

loc_41E700:				; CODE XREF: .text:0041E68Fj
		jnb	short near ptr loc_41E76A+1

loc_41E702:				; CODE XREF: .text:0041E697j
		jz	short loc_41E76D
		outsd

loc_41E705:				; CODE XREF: .text:0041E6A2j
		outsb
		push	ebx
		jnz	short near ptr loc_41E76A+1
		add	[esi], al
		push	ebx
		jz	short loc_41E76F

loc_41E70E:				; CODE XREF: .text:0041E699j
		jz	short loc_41E775
		inc	esp
		jnz	short near ptr loc_41E784+1
		popa
		jz	short loc_41E77F

loc_41E716:				; CODE XREF: .text:0041E6AFj
		outsd

loc_41E717:				; CODE XREF: .text:0041E6C1j
		outsb

loc_41E718:				; CODE XREF: .text:0041E6ADj
		dec	ebp
		push	ebx
		add	[edx], cl
		inc	edx
		outsd
		outsd
		jz	short loc_41E76A
		add	fs:[eax], cl
		inc	edx
		outsd
		outsd
		jz	short near ptr loc_41E77C+1

loc_41E729:				; CODE XREF: .text:0041E6BFj
		imul	ebp, [ebp+65h],	435455h

loc_41E730:				; CODE XREF: .text:0041E6BAj
		adc	[ebp+70h], edx
		jz	short loc_41E79E
		insd
		db	65h
		inc	esp
		db	65h
		insb
		jz	short near ptr loc_41E79B+2
		dec	ebp
		push	ebx
		add	[edx], cl
		push	esp
		outsd
		jz	short loc_41E7A5
		insb
		inc	esp
		jnz	short near ptr loc_41E7B9+1
		popa
		jz	short near ptr loc_41E7B3+1
		outsd
		outsb
		dec	ebp
		push	ebx
		add	[edx], cl
		push	esp
		outsd
		jz	short near ptr loc_41E7B5+1
		insb
		push	ebp
		jo	short near ptr loc_41E7CB+2
		imul	ebp, [ebp+65h],	0A00534Dh

loc_41E760:				; CODE XREF: .text:0041E6FDj
		dec	esp

loc_41E761:				; CODE XREF: .text:loc_41E6FAj
		popa
		jnb	short loc_41E7D8
		push	ebx
		jz	short loc_41E7C8
		jz	short loc_41E7CE
		push	esp

loc_41E76A:				; CODE XREF: .text:0041E71Fj
					; .text:loc_41E700j ...
		jb	short near ptr loc_41E7CB+2
		outsb

loc_41E76D:				; CODE XREF: .text:loc_41E702j
		jnb	short loc_41E7D8

loc_41E76F:				; CODE XREF: .text:0041E70Cj
		jz	short near ptr loc_41E7D9+1
		outsd
		outsb
		add	[esi], al

loc_41E775:				; CODE XREF: .text:loc_41E70Ej
		dec	esp
		popa
		jnb	short loc_41E7ED
		push	ebx
		jz	short near ptr loc_41E7D9+4

loc_41E77C:				; CODE XREF: .text:0041E727j
		jz	short near ptr loc_41E7E2+1
		push	esp

loc_41E77F:				; CODE XREF: .text:0041E714j
		jb	short loc_41E7E2
		outsb
		jnb	short loc_41E7ED

loc_41E784:				; CODE XREF: .text:0041E711j
		jz	short loc_41E7EF
		outsd
		outsb
		push	ebx
		jnz	short loc_41E7ED
		add	[esi], al
		inc	ebp
		jbe	short loc_41E7F5
		outsb
		jz	short near ptr loc_41E7E5+1
		db	65h
		jno	short loc_41E80B
		outs	dx, byte ptr gs:[esi]
		arpl	[ebp+0], sp

loc_41E79B:				; CODE XREF: .text:0041E73Aj
		or	[ecx+63h], al

loc_41E79E:				; CODE XREF: .text:0041E733j
		jz	short near ptr loc_41E80F+6
		popa
		insb
		push	esp
		jb	short near ptr loc_41E804+2

loc_41E7A5:				; CODE XREF: .text:0041E742j
		outsb
		jnb	short near ptr loc_41E80F+2
		jz	short near ptr loc_41E80F+4
		outsd
		outsb
		jnb	short $+2
		or	[edx+esi*2+61h], dl
		outsb

loc_41E7B3:				; CODE XREF: .text:0041E749j
		jnb	short near ptr loc_41E81C+2

loc_41E7B5:				; CODE XREF: .text:0041E753j
		jz	short near ptr loc_41E81C+4
		outsd
		outsb

loc_41E7B9:				; CODE XREF: .text:0041E746j
		jnb	short loc_41E80F
		outsd
		dec	edi
		outsb
		add	[eax], cl
		inc	edx
		popa
		jz	short near ptr loc_41E837+1
		db	65h
		jb	short loc_41E840
		inc	ebx

loc_41E7C8:				; CODE XREF: .text:0041E765j
		popa
		jo	short loc_41E82C

loc_41E7CB:				; CODE XREF: .text:0041E757j
					; .text:loc_41E76Aj
		arpl	[ecx+74h], bp

loc_41E7CE:				; CODE XREF: .text:0041E767j
		jns	short $+2
		or	[edx+61h], al
		jz	short loc_41E849
		db	65h
		jb	short near ptr loc_41E84E+3

loc_41E7D8:				; CODE XREF: .text:0041E762j
					; .text:loc_41E76Dj
		inc	ebx

loc_41E7D9:				; CODE XREF: .text:loc_41E76Fj
					; .text:0041E77Aj
		push	65677261h
		add	[eax], cl
		inc	ebp
		outsb

loc_41E7E2:				; CODE XREF: .text:loc_41E77Fj
					; .text:loc_41E77Cj
		db	65h
		jb	short loc_41E84C

loc_41E7E5:				; CODE XREF: .text:0041E791j
		jns	short loc_41E82A
		push	65676E61h
		push	esi

loc_41E7ED:				; CODE XREF: .text:0041E777j
					; .text:0041E782j ...
		xor	al, [eax]

loc_41E7EF:				; CODE XREF: .text:loc_41E784j
		or	[ebp+6Eh], eax
		db	65h
		jb	short near ptr loc_41E858+4

loc_41E7F5:				; CODE XREF: .text:0041E78Ej
		jns	short near ptr loc_41E839+1
		push	65676E61h
		push	esi
		xor	al, [esi+6Ch]
		popa
		db	67h
		jnb	near ptr 0E804h

loc_41E804:				; CODE XREF: .text:0041E7A3j
		or	[ecx+63h], al
		push	eax
		outsd
		ja	short loc_41E870

loc_41E80B:				; CODE XREF: .text:0041E793j
		jb	short near ptr loc_41E858+4
		outsb
		insb

loc_41E80F:				; CODE XREF: .text:loc_41E7B9j
					; .text:0041E7A6j ...
		imul	ebp, [esi+65h],	61420D00h
		jz	short loc_41E88C
		db	65h
		jb	short near ptr loc_41E893+1
		inc	esp

loc_41E81C:				; CODE XREF: .text:loc_41E7B3j
					; .text:loc_41E7B5j
		imul	esi, [ebx+63h],	67726168h
		imul	ebp, [esi+67h],	61500D00h

loc_41E82A:				; CODE XREF: .text:loc_41E7E5j
		jb	short near ptr loc_41E89F+1

loc_41E82C:				; CODE XREF: .text:0041E7C9j
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41E897+3
		jbe	short loc_41E887
		popa
		db	67h
		jnb	near ptr 0E837h

loc_41E837:				; CODE XREF: .text:0041E7C2j
		or	al, [esi]

loc_41E839:				; CODE XREF: .text:loc_41E7F5j
					; DATA XREF: PopTracePowerReconfig()+144o
		or	eax, large ds:0
; 
		db 0
; 

loc_41E840:				; CODE XREF: .text:0041E7C4j
		add	[eax+0], al
		add	[edi+50008000h], dh

loc_41E849:				; CODE XREF: .text:0041E7D3j
		outsd
		ja	short near ptr loc_41E8B0+1

loc_41E84C:				; CODE XREF: .text:loc_41E7E2j
		jb	short near ptr loc_41E89F+1

loc_41E84E:				; CODE XREF: .text:0041E7D5j
		arpl	gs:[edi+6Eh], bp
		imul	sp, [edi+4Eh], 746Fh

loc_41E858:				; CODE XREF: .text:0041E7F2j
					; .text:loc_41E80Bj
		imul	esp, [esi+69h],	69746163h
		outsd
		outsb
		add	[ecx+ebp*2+6Dh], dh
		db	65h
		push	ebx
		jz	short near ptr loc_41E8C9+1
		insd
		jo	short loc_41E8C1
		push	esp
		inc	ebx
		add	[ecx], dl

loc_41E870:				; CODE XREF: .text:0041E809j
		bound	esp, [ecx+74h]
		jz	short near ptr loc_41E8D9+1
		jb	short near ptr loc_41E8ED+3
		inc	ebx
		outsd
		jnz	short loc_41E8E9
		jz	short $+2
		or	[edx+61h], ah
		jz	short near ptr loc_41E8F5+1
		db	65h
		jb	short near ptr loc_41E8FC+2
		inc	ebx
		popa

loc_41E887:				; CODE XREF: .text:0041E831j
		jo	short near ptr loc_41E8E9+1
		arpl	[ecx+74h], bp

loc_41E88C:				; CODE XREF: .text:0041E816j
		jns	short $+2
		or	[edx+61h], ah
		jz	short loc_41E907

loc_41E893:				; CODE XREF: .text:0041E818j
		db	65h
		jb	short near ptr loc_41E90E+1
		inc	ebx

loc_41E897:				; CODE XREF: .text:0041E82Fj
		push	65677261h
		add	[eax], cl
		popa

loc_41E89F:				; CODE XREF: .text:loc_41E82Aj
					; .text:loc_41E84Cj
		arpl	[eax+6Fh], dx
		ja	short near ptr loc_41E908+1
		jb	short loc_41E8F5
		outsb
		insb
		imul	ebp, [esi+65h],	65770D00h
		popa

loc_41E8B0:				; CODE XREF: .text:0041E84Aj
		imul	eax, [ebx+68h],	61h
		jb	short loc_41E91D
		db	65h
		jb	short $+3
		or	eax, 74746162h
		db	65h
		jb	short loc_41E93A

loc_41E8C1:				; CODE XREF: .text:0041E86Aj
		inc	esp
		imul	esi, [ebx+63h],	67726168h

loc_41E8C9:				; CODE XREF: .text:0041E867j
		imul	ebp, [esi+67h],	61620D00h
		jz	short near ptr loc_41E945+1
		db	65h
		jb	short near ptr loc_41E94A+4
		push	ebp
		jnb	short loc_41E93A
		push	edi

loc_41E8D9:				; CODE XREF: .text:0041E873j
		db	65h
		popa
		imul	eax, [ebx+68h],	61h
		jb	short loc_41E948
		db	65h
		jb	short $+3
		or	eax, 74746162h

loc_41E8E9:				; CODE XREF: .text:0041E879j
					; .text:loc_41E887j
		db	65h
		jb	short loc_41E965
		inc	ebx

loc_41E8ED:				; CODE XREF: .text:0041E875j
		push	69677261h
		outsb
		db	67h
		push	ebx

loc_41E8F5:				; CODE XREF: .text:0041E8A4j
					; .text:0041E880j
		jz	short near ptr loc_41E956+2
		jz	short loc_41E95E
		add	[eax], cl
		push	es

loc_41E8FC:				; CODE XREF: .text:0041E882j
					; DATA XREF: PopDiagTraceFxDefaultPepWorkerEnd+D247Eo
		or	eax, large ds:0
; 
		dw 0
		db 40h,	2 dup(0)
; 

loc_41E907:				; CODE XREF: .text:0041E891j
		inc	edx

loc_41E908:				; CODE XREF: .text:0041E8A2j
		add	[eax+466F5000h], al

loc_41E90E:				; CODE XREF: .text:loc_41E893j
		js	short loc_41E954
		db	65h
		popaw
		jnz	short near ptr loc_41E980+1
		jz	short near ptr loc_41E965+2
		db	65h
		jo	short near ptr loc_41E96E+3
		outsd
		jb	short loc_41E988

loc_41E91D:				; CODE XREF: .text:0041E8B4j
		db	65h
		jb	short near ptr loc_41E96E+1
		jb	short near ptr word_41E992
		push	64656E61h
		add	[esi+75h], cl
		insd
		inc	ebp
		js	short loc_41E9A2
		jb	short loc_41E991
		inc	esp
		db	65h
		jbe	short near ptr loc_41E999+4
		arpl	[ebp+73h], sp
		add	[eax], cl
		push	eax

loc_41E93A:				; CODE XREF: .text:0041E8BEj
					; .text:0041E8D6j
		popa
		jb	short near ptr loc_41E9AF+2
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41E9A7+4
		jbe	short loc_41E998
		popa

loc_41E945:				; CODE XREF: .text:0041E8D0j
		db	67h
		jnb	near ptr 0E948h

loc_41E948:				; CODE XREF: .text:0041E8DFj
		or	al, [esi]

loc_41E94A:				; CODE XREF: .text:0041E8D2j
					; DATA XREF: MiUnlockImageSection+D2616o
		or	eax, large ds:0
; 
		dd 400000h
; 

loc_41E954:				; CODE XREF: .text:loc_41E90Ej
		add	[ebx], dh

loc_41E956:				; CODE XREF: .text:loc_41E8F5j
		add	[eax+466F5000h], al
		js	short loc_41E9A2

loc_41E95E:				; CODE XREF: .text:0041E8F7j
		db	65h
		popaw
		jnz	short loc_41E9CF
		jz	short near ptr loc_41E9B3+2

loc_41E965:				; CODE XREF: .text:loc_41E8E9j
					; .text:0041E915j
		db	65h
		jo	short near ptr loc_41E9BE+1
		outsd
		jb	short near ptr loc_41E9D1+5
		db	65h
		jb	short loc_41E9C0

loc_41E96E:				; CODE XREF: .text:loc_41E91Dj
					; .text:0041E917j
		arpl	gs:[edi+76h], bp
		db	65h
		jb	short loc_41E9DA
		add	fs:[esi+75h], cl
		insd
		inc	ebp
		js	short near ptr loc_41E9EE+3
		jb	short near ptr loc_41E9DF+1
		inc	esp

loc_41E980:				; CODE XREF: .text:0041E913j
		db	65h
		jbe	short near ptr loc_41E9E9+3
		arpl	[ebp+73h], sp
		add	[eax], cl

loc_41E988:				; CODE XREF: .text:0041E91Bj
		push	es

loc_41E989:				; DATA XREF: PopTraceThermalZonePassiveHistogram+89960o
		or	eax, large ds:0
; 
		db 0
		db 0
; 

loc_41E991:				; CODE XREF: .text:0041E92Ej
		inc	eax
; 
word_41E992	dw 0			; CODE XREF: .text:0041E920j
		dd 80006Bh
; 

loc_41E998:				; CODE XREF: .text:0041E942j
		push	esp

loc_41E999:				; CODE XREF: .text:0041E931j
		push	616D7265h
		insb
		pop	edx
		outsd
		outsb

loc_41E9A2:				; CODE XREF: .text:0041E92Cj
					; .text:0041E95Cj
		db	65h
		push	eax
		popa
		jnb	short loc_41EA1A

loc_41E9A7:				; CODE XREF: .text:0041E940j
		imul	esi, [esi+65h],	74736948h
		outsd

loc_41E9AF:				; CODE XREF: .text:0041E93Bj
		db	67h
		jb	near ptr 0EA13h
		insd

loc_41E9B3:				; CODE XREF: .text:0041E963j
		add	[eax+ebp*2+65h], dh
		jb	short near ptr loc_41EA25+1
		popa
		insb
		pop	edx
		outsd
		outsb

loc_41E9BE:				; CODE XREF: .text:loc_41E965j
		db	65h
		dec	esi

loc_41E9C0:				; CODE XREF: .text:0041E96Bj
		popa
		insd
		add	gs:[esi], dl
		jp	short loc_41EA36
		outsb
		db	65h
		inc	esp
		db	65h
		jnb	short loc_41EA30
		jb	short loc_41EA38

loc_41E9CF:				; CODE XREF: .text:0041E961j
		jo	short near ptr loc_41EA40+5

loc_41E9D1:				; CODE XREF: .text:0041E969j
		imul	ebp, [edi+6Eh],	68740100h
		jb	short loc_41EA49

loc_41E9DA:				; CODE XREF: .text:0041E972j
		jz	short loc_41EA50
		insb
		db	65h
		dec	eax

loc_41E9DF:				; CODE XREF: .text:0041E97Dj
		imul	esi, [ebx+74h],	6172676Fh
		insd
		add	[eax], ch

loc_41E9E9:				; CODE XREF: .text:loc_41E980j
		adc	eax, 63756200h

loc_41E9EE:				; CODE XREF: .text:0041E97Bj
		imul	esp, [ebp+74h],	54h
		push	68736572h
		outsd
		insb
		db	64h
		jnb	short $+3
		and	al, 15h
		add	[esi], al

loc_41EA00:				; DATA XREF: PopTraceThermalStandbyComplete(x,x,x)+5Fo
		or	eax, large ds:0
; 
		dw 0
		dd 4F000040h, 54008000h, 6D726568h, 74536C61h
		db 61h,	6Eh
; 

loc_41EA1A:				; CODE XREF: .text:0041E9A5j
		bound	edi, fs:[ecx+43h]
		outsd
		insd
		jo	short loc_41EA8E
		db	65h
		jz	short loc_41EA8A

loc_41EA25:				; CODE XREF: .text:0041E9B7j
		add	[ebx+6Fh], ah
		insd
		jo	short near ptr loc_41EA96+1
		db	65h
		jz	short near ptr loc_41EA96+1
		outsd
		outsb

loc_41EA30:				; CODE XREF: .text:0041E9CAj
		push	edx
		db	65h
		popa
		jnb	short near ptr loc_41EAA1+3
		outsb

loc_41EA36:				; CODE XREF: .text:0041E9C5j
		add	[eax], cl

loc_41EA38:				; CODE XREF: .text:0041E9CDj
		jnb	short loc_41EAAE
		popa
		outsb
		bound	edi, fs:[ecx+54h]

loc_41EA40:				; CODE XREF: .text:loc_41E9CFj
		imul	ebp, [ebp+65h],	69660800h
		jb	short loc_41EABC

loc_41EA49:				; CODE XREF: .text:0041E9D8j
		jz	short near ptr loc_41EA9D+2
		push	616D7265h

loc_41EA50:				; CODE XREF: .text:loc_41E9DAj
		insb
		push	ebx
		jz	short loc_41EAB5
		outsb
		bound	edi, fs:[ecx+0]

loc_41EA59:				; DATA XREF: PopTraceZoneCr3Mitigated(x,x)+A0o
		or	eax, 50B06h
; 
		dw 0
		dd 40000000h, 3A0000h, 6F5A0080h, 7243656Eh, 74694D33h
		dd 74616769h, 67006465h, 72656E65h, 6F697461h, 64496Eh
		db 8, 74h
; 

loc_41EA8A:				; CODE XREF: .text:0041EA22j
		db	65h
		insd
		jo	short near ptr loc_41EAF2+1

loc_41EA8E:				; CODE XREF: .text:0041EA20j
		jb	short near ptr loc_41EAEE+3
		jz	short near ptr loc_41EB06+1
		jb	short near ptr loc_41EAF7+2
		add	[eax], cl

loc_41EA96:				; CODE XREF: .text:0041EA29j
					; .text:0041EA2Bj
		jp	short near ptr loc_41EB06+1
		outsb
		db	65h
		dec	esi
		popa
		insd

loc_41EA9D:				; CODE XREF: .text:loc_41EA49j
		add	gs:[ecx], al
		push	es

loc_41EAA1:				; CODE XREF: .text:0041EA33j
					; DATA XREF: PopTraceZoneCr3Tripped(x,x)+180o
		or	eax, large ds:0
; 
		db 0
		dd 4000h
; 
		pop	dword ptr [eax]

loc_41EAAE:				; CODE XREF: .text:loc_41EA38j
		add	byte ptr [eax],	5Ah
		outsd
		outsb
		db	65h
		inc	ebx

loc_41EAB5:				; CODE XREF: .text:0041EA52j
		jb	short near ptr loc_41EAE7+3
		push	esp
		jb	short loc_41EB23
		jo	short loc_41EB2C

loc_41EABC:				; CODE XREF: .text:0041EA47j
		db	65h
		add	fs:[edi+65h], ah
		outsb
		db	65h
		jb	short loc_41EB26
		jz	short near ptr loc_41EB2F+1
		outsd
		outsb
		dec	ecx
		add	fs:[eax], cl
		jo	short near ptr loc_41EB3D+1
		insb
		imul	esp, [ebx+79h],	76697244h
		db	65h
		jb	short $+3
		test	[ebx], al
		jo	short near ptr loc_41EB3D+2
		jnb	short loc_41EB53
		imul	esi, [esi+65h],	61676E45h

loc_41EAE7:				; CODE XREF: .text:loc_41EAB5j
		db	65h
		add	fs:[si+6103h], al

loc_41EAEE:				; CODE XREF: .text:loc_41EA8Ej
		arpl	[ecx+ebp*2+76h], si

loc_41EAF2:				; CODE XREF: .text:0041EA8Cj
		db	65h
		inc	ebp
		outsb
		db	67h
		popa

loc_41EAF7:				; CODE XREF: .text:0041EA92j
		db	65h
		add	fs:[si+7403h], al
		db	65h
		insd
		jo	short near ptr loc_41EB63+4
		jb	short near ptr loc_41EB63+2
		jz	short near ptr loc_41EB77+4

loc_41EB06:				; CODE XREF: .text:0041EA90j
					; .text:loc_41EA96j
		jb	short near ptr loc_41EB69+4
		add	[eax], cl
		jz	short near ptr word_41EB7E
		imul	esi, [eax+50h],	746E696Fh
		push	esp
		db	65h
		insd
		jo	short near ptr byte_41EB7D
		jb	short near ptr loc_41EB77+4
		jz	short near ptr loc_41EB8F+2
		jb	short loc_41EB83
		add	[eax], cl
		jp	short near ptr loc_41EB8F+2
		outsb

loc_41EB23:				; CODE XREF: .text:0041EAB8j
		db	65h
		dec	esi
		popa

loc_41EB26:				; CODE XREF: .text:0041EAC2j
		insd
		add	gs:[ecx], al
		jp	short near ptr loc_41EB9A+1

loc_41EB2C:				; CODE XREF: .text:0041EABAj
		outsb
		db	65h
		inc	esp

loc_41EB2F:				; CODE XREF: .text:0041EAC5j
		db	65h
		jnb	short near ptr loc_41EB94+1
		jb	short near ptr loc_41EB9A+3
		jo	short near ptr loc_41EBA8+2

loc_41EB36:				; DATA XREF: PopTraceThermalStandbyInitiated(x)+4Co
		imul	ebp, [edi+6Eh],	0B060100h

loc_41EB3D:				; CODE XREF: .text:0041EACDj
					; .text:0041EADCj
		add	eax, 0
; 
		dw 0
		dd 31000040h, 54008000h, 6D726568h
		db 61h,	6Ch, 53h
; 

loc_41EB53:				; CODE XREF: .text:0041EADEj
		jz	short near ptr loc_41EBB5+1
		outsb
		bound	edi, fs:[ecx+49h]
		outsb
		imul	esi, [ecx+ebp*2+61h], 646574h

loc_41EB63:				; CODE XREF: .text:0041EB02j
					; .text:0041EB00j
		imul	si, [edx+73h], 5474h

loc_41EB69:				; CODE XREF: .text:loc_41EB06j
		push	616D7265h
		insb
		push	ebx
		jz	short loc_41EBD3
		outsb
		bound	edi, fs:[ecx+0]

loc_41EB77:				; CODE XREF: .text:0041EB04j
					; .text:0041EB18j
					; DATA XREF: ...
		or	eax, 50B06h
; 
		db 0
byte_41EB7D	db 0			; CODE XREF: .text:0041EB16j
word_41EB7E	dw 0			; CODE XREF: .text:0041EB0Aj
		db 0, 40h, 0
; 

loc_41EB83:				; CODE XREF: .text:0041EB1Cj
		add	[edi+0], al
		add	byte ptr [eax],	53h
		insd
		bound	ebp, [ecx+6Fh]
		jnb	short near ptr byte_41EBD2

loc_41EB8F:				; CODE XREF: .text:0041EB1Aj
					; .text:0041EB20j
		push	65676E61h

loc_41EB94:				; CODE XREF: .text:loc_41EB2Fj
		add	[edi+6Ch], cl
		db	64h
		push	esp
		popa

loc_41EB9A:				; CODE XREF: .text:0041EB2Aj
					; .text:0041EB32j
		bound	ebp, [ebp+41h]
		db	64h, 64h
		jb	short $+4
		or	cl, [edi+6Ch]
		db	64h
		push	esp
		popa

loc_41EBA8:				; CODE XREF: .text:0041EB34j
		bound	ebp, [ebp+4Ch]
		outs	dx, byte ptr gs:[esi]
		add	[eax], cl
		dec	esi
		db	65h
		ja	short loc_41EC08
		popa

loc_41EBB5:				; CODE XREF: .text:loc_41EB53j
		bound	ebp, [ebp+41h]
		db	64h, 64h
		jb	short $+4
		or	cl, [esi+65h]
		ja	short near ptr loc_41EC14+2
		popa
		bound	ebp, [ebp+4Ch]
		outs	dx, byte ptr gs:[esi]
		add	[eax], cl
		push	es

loc_41EBCC:				; DATA XREF: PopTraceCr3Mitigated(x)+49o
		or	eax, large ds:0
; 
byte_41EBD2	db 0			; CODE XREF: .text:0041EB8Dj
; 

loc_41EBD3:				; CODE XREF: .text:0041EB70j
		add	[eax+0], al
		add	[edi], bl
		add	[eax+33724300h], al
		dec	ebp
		imul	esi, [ecx+ebp*2+67h], 64657461h
		add	[edi+65h], ah
		outsb
		db	65h
		jb	short loc_41EC4F
		jz	short loc_41EC59
		outsd
		outsb
		dec	ecx
		add	fs:[eax], cl
		push	es

loc_41EBF7:				; DATA XREF: PopTraceCr3Tripped(x)+49o
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		dd 1D0000h, 72430080h
; 

loc_41EC08:				; CODE XREF: .text:0041EBB1j
		xor	edx, [edx+esi*2+69h]
		jo	short loc_41EC7E
		db	65h
		add	fs:[edi+65h], ah
		outsb

loc_41EC14:				; CODE XREF: .text:0041EBC0j
		db	65h
		jb	short near ptr loc_41EC77+1
		jz	short near ptr loc_41EC7F+3
		outsd
		outsb
		dec	ecx
		add	fs:[eax], cl
		push	es

loc_41EC20:				; DATA XREF: PopDiagTraceCsExitReason(x,x,x)+8C9o
		or	eax, large ds:0
; 
		dw 0
		dd 9A000040h, 43008002h, 69784573h, 61655274h, 6E6F73h
		dd 65537343h, 6F697373h, 64496Eh, 656E450Ah
		db 72h,	67h, 79h
; 

loc_41EC4F:				; CODE XREF: .text:0041EBEBj
		inc	esp
		jb	short near ptr loc_41ECB2+1
		imul	ebp, [esi+0], 74634108h

loc_41EC59:				; CODE XREF: .text:0041EBEEj
		imul	esi, [esi+65h],	69736552h
		db	64h
		outs	dx, byte ptr gs:[esi]
		arpl	[ecx+0], di
		or	cl, [esi+6Fh]
		outsb
		inc	esp
		jb	short near ptr loc_41ECD5+1
		jo	short loc_41ECE2
		push	esp
		imul	ebp, [ebp+65h],	69746341h

loc_41EC77:				; CODE XREF: .text:loc_41EC14j
		jbe	short near ptr loc_41ECD7+3
		jz	short near ptr loc_41ECDE+2
		add	fs:[edx], cl

loc_41EC7E:				; CODE XREF: .text:0041EC0Cj
		inc	esi

loc_41EC7F:				; CODE XREF: .text:0041EC17j
		imul	esi, [edx+73h],	69724474h
		jo	short near ptr loc_41ECFA+1
		inc	ebp
		outsb
		jz	short near ptr loc_41ECFA+4
		jns	short $+2
		or	al, [edx+esi*2+69h]
		jo	short near ptr loc_41ED05+2
		push	edx
		db	65h
		jnb	short loc_41ED01
		db	64h
		outs	dx, byte ptr gs:[esi]
		arpl	[ecx+0], di
		or	al, [ebp+esi*2+72h]
		popa
		jz	short loc_41ED0E
		outsd
		outsb
		add	[edx], cl
		inc	esp
		jb	short loc_41ED15
		jo	short near ptr loc_41ED1A+7
		push	esp
		jb	short near ptr loc_41ED11+1
		outsb

loc_41ECB2:				; CODE XREF: .text:0041EC50j
		jnb	short near ptr loc_41ED1A+3
		jz	short near ptr loc_41ED1A+5
		outsd
		outsb
		jnb	short $+2
		or	[esi+75h], al
		insb
		insb
		inc	ebx
		push	65677261h
		inc	ebx
		popa
		jo	short loc_41ED2A
		arpl	[ecx+74h], bp
		jns	short near ptr loc_41ED1A+6
		popa
		jz	short loc_41ED3A
		outsd
		add	[ecx+eax*2], al

loc_41ECD5:				; CODE XREF: .text:0041EC6Bj
		jnz	short near ptr loc_41ED3A+1

loc_41ECD7:				; CODE XREF: .text:loc_41EC77j
		imul	ebp, [edi+50h],	6579616Ch

loc_41ECDE:				; CODE XREF: .text:0041EC79j
		add	fs:[eax], cl
		dec	ebp

loc_41ECE2:				; CODE XREF: .text:0041EC6Dj
		outsd
		outsb
		imul	esi, [edi+ebp*2+72h], 75716552h
		db	65h
		jnb	short near ptr loc_41ED61+2
		push	edx
		db	65h
		popa
		jnb	short near ptr loc_41ED61+2
		outsb
		add	[eax], cl
		inc	ecx
		jnz	short loc_41ED5E

loc_41ECFA:				; CODE XREF: .text:0041EC86j
					; .text:0041EC8Aj
		imul	ebp, [edi+50h],	6279616Ch

loc_41ED01:				; CODE XREF: .text:0041EC95j
		popa
		arpl	[ebx+0], bp

loc_41ED05:				; CODE XREF: .text:0041EC92j
		or	cl, [esi+6Fh]
		outsb
		inc	ecx
		arpl	[ecx+ebp*2+76h], si

loc_41ED0E:				; CODE XREF: .text:0041ECA3j
		popa
		jz	short loc_41ED76

loc_41ED11:				; CODE XREF: .text:0041ECAFj
		db	64h
		inc	ebx
		jo	short near ptr loc_41ED89+1

loc_41ED15:				; CODE XREF: .text:0041ECAAj
		inc	ecx
		arpl	[ecx+ebp*2+76h], si

loc_41ED1A:				; CODE XREF: .text:loc_41ECB2j
					; .text:0041ECB4j ...
		imul	esi, [ecx+edi*2+0], 776F500Ah
		db	65h
		jb	short loc_41ED78
		jz	short loc_41ED88
		jz	short near ptr loc_41ED8D+1
		inc	ecx

loc_41ED2A:				; CODE XREF: .text:0041ECC7j
		arpl	[eax], ax
		or	[edi+ebp*2+74h], dl
		popa
		insb
		dec	eax
		ja	short loc_41ED79
		jb	short loc_41EDA0
		jo	short near ptr loc_41EDAB+1
		push	edx

loc_41ED3A:				; CODE XREF: .text:0041ECCFj
					; .text:loc_41ECD5j
		db	65h
		jnb	short loc_41EDA6
		db	64h
		outs	dx, byte ptr gs:[esi]
		arpl	[ecx+0], di
		or	al, [ebp+78h]
		imul	esi, [esp+ecx*2+61h], 636E6574h
		jns	short $+2
		or	al, [ecx+ebp*2+73h]
		arpl	[edi+6Eh], bp
		outsb
		arpl	gs:[ebp+64h], si
		push	ebx

loc_41ED5E:				; CODE XREF: .text:0041ECF8j
		jz	short loc_41EDC1
		outsb

loc_41ED61:				; CODE XREF: .text:0041ECECj
					; .text:0041ECF2j
		bound	edi, fs:[ecx+0]
		or	[ecx+6Fh], al
		inc	ecx
		arpl	[ebx+6Fh], ax
		insd
		jo	short near ptr loc_41EDDA+1
		imul	esp, [ecx+6Eh],	63694E74h

loc_41ED76:				; CODE XREF: .text:0041ED0Fj
		add	[eax], cl

loc_41ED78:				; CODE XREF: .text:0041ED22j
		dec	esi

loc_41ED79:				; CODE XREF: .text:0041ED33j
		outsd
		outsb
		inc	ecx
		jz	short loc_41EDF2
		jb	short loc_41EDE9
		bound	esi, [ebp+74h]
		db	65h, 64h
		inc	ebx
		jo	short loc_41EDFD

loc_41ED88:				; CODE XREF: .text:0041ED25j
		inc	ecx

loc_41ED89:				; CODE XREF: .text:0041ED13j
		arpl	[ecx+ebp*2+76h], si

loc_41ED8D:				; CODE XREF: .text:0041ED27j
		imul	esi, [ecx+edi*2+0], 64694C0Ah
		dec	edi
		jo	short loc_41EDFD
		outsb
		push	ebx
		jz	short loc_41EDFD
		jz	short near ptr loc_41EE02+1
		add	[eax], cl

loc_41EDA0:				; CODE XREF: .text:0041ED35j
		inc	ebp
		js	short loc_41EE17
		db	65h
		jb	short near ptr loc_41EE0E+6

loc_41EDA6:				; CODE XREF: .text:loc_41ED3Aj
		popa
		insb
		dec	ebp
		outsd
		outsb

loc_41EDAB:				; CODE XREF: .text:0041ED37j
		imul	esi, [edi+ebp*2+72h], 6E6E6F43h
		arpl	gs:[ebp+64h], si
		push	ebx
		jz	short near ptr loc_41EE17+5
		jz	short loc_41EE22
		add	[eax], cl
		inc	edx
		popa

loc_41EDC1:				; CODE XREF: .text:loc_41ED5Ej
		jz	short near ptr loc_41EE35+2
		db	65h
		jb	short near ptr loc_41EE39+6
		push	edx
		db	65h
		insd
		popa
		imul	ebp, [esi+69h],	6143676Eh
		jo	short loc_41EE34
		arpl	[ecx+74h], bp
		jns	short loc_41EE27
		outsb
		inc	ebp

loc_41EDDA:				; CODE XREF: .text:0041ED6Dj
		js	short loc_41EE45
		jz	short $+2
		or	[edx+61h], al
		jz	short loc_41EE57
		db	65h
		jb	short near ptr loc_41EE5E+1
		inc	esi
		jnz	short near ptr loc_41EE50+5

loc_41EDE9:				; CODE XREF: .text:0041ED7Ej
		insb
		inc	ebx
		push	65677261h
		inc	ebx
		popa

loc_41EDF2:				; CODE XREF: .text:0041ED7Cj
		jo	short near ptr loc_41EE50+5
		arpl	[ecx+74h], bp
		jns	short loc_41EE48
		outsb
		inc	ebp
		js	short loc_41EE66

loc_41EDFD:				; CODE XREF: .text:0041ED86j
					; .text:0041ED96j ...
		jz	short $+2
		or	[ebp+74h], al

loc_41EE02:				; CODE XREF: .text:0041ED9Cj
		ja	short near ptr loc_41EE50+4
		outsd
		outsd
		insb
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp

loc_41EE0E:				; CODE XREF: .text:0041EDA3j
		imul	ebp, [edi+6Eh],	74617453h
		jnz	short near ptr loc_41EE86+4

loc_41EE17:				; CODE XREF: .text:0041EDA1j
					; .text:0041EDB9j
		add	[eax+706E490Eh], cl
		jnz	short near ptr loc_41EE90+3
		push	ebx
		jnz	short near ptr loc_41EE90+2

loc_41EE22:				; CODE XREF: .text:0041EDBBj
		jo	short near ptr loc_41EE90+6
		db	65h
		jnb	short loc_41EE9A

loc_41EE27:				; CODE XREF: .text:0041EDD6j
		imul	ebp, [edi+6Eh],	6E756F43h
		jz	short $+2
		or	[esi+6Fh], cl
		outsb

loc_41EE34:				; CODE XREF: .text:0041EDD1j
		push	edx

loc_41EE35:				; CODE XREF: .text:loc_41EDC1j
		db	65h
		jnb	short near ptr loc_41EE9C+5
		insb

loc_41EE39:				; CODE XREF: .text:0041EDC3j
		imul	esp, [ebp+6Eh],	69547963h
		insd
		add	gs:[edx], cl
		push	edx

loc_41EE45:				; CODE XREF: .text:loc_41EDDAj
		db	65h
		jnb	short near ptr loc_41EEB0+1

loc_41EE48:				; CODE XREF: .text:0041EDF7j
		insb
		imul	esp, [ebp+6Eh],	72447963h

loc_41EE50:				; CODE XREF: .text:loc_41EE02j
					; .text:0041EDE7j ...
		imul	esi, [eax+73h],	656D6954h

loc_41EE57:				; CODE XREF: .text:0041EDE1j
		add	[edx], cl
		push	edx
		db	65h
		jnb	short loc_41EEC6
		insb

loc_41EE5E:				; CODE XREF: .text:0041EDE3j
		imul	esp, [ebp+6Eh],	77487963h
		inc	esp

loc_41EE66:				; CODE XREF: .text:0041EDFBj
		jb	short loc_41EED1
		jo	short loc_41EEDD
		push	esp
		imul	ebp, [ebp+65h],	64470A00h
		imul	ecx, [edi+6Eh],	656D6954h
		add	[edx], cl
		inc	esp
		ja	short near ptr loc_41EEE6+1
		push	ebx
		jns	short near ptr loc_41EEE9+6
		arpl	[esi+6Ch], ax
		jnz	short near ptr loc_41EEF3+6

loc_41EE86:				; CODE XREF: .text:0041EE15j
		push	656D6954h
		add	[edx], cl
		dec	ebp
		outsd
		outsb

loc_41EE90:				; CODE XREF: .text:0041EE20j
					; .text:0041EE1Dj ...
		imul	esi, [edi+ebp*2+72h], 65776F50h
		jb	short loc_41EEE9

loc_41EE9A:				; CODE XREF: .text:0041EE24j
		outsb
		push	esp

loc_41EE9C:				; CODE XREF: .text:loc_41EE35j
		imul	ebp, [ebp+65h],	67410A00h
		db	67h
		jb	near ptr 0EF0Bh
		db	67h
		popa
		jz	short near ptr loc_41EF17+2
		jb	short near ptr loc_41EEF3+2
		outsb
		jz	short loc_41EF14
		outsb

loc_41EEB0:				; CODE XREF: .text:loc_41EE45j
		jz	short $+2
		add	al, 41h
		db	67h, 67h
		jb	short loc_41EF1D
		db	67h
		popa
		jz	short near ptr loc_41EF27+4
		jb	short loc_41EEFF
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		add	[esi+eax], al

loc_41EEC6:				; CODE XREF: .text:0041EE5Aj
					; DATA XREF: PopDiagTraceCsEnterReason(x,x,x)+229o
		or	eax, large ds:0
; 
		dd 400000h
		db 0
; 

loc_41EED1:				; CODE XREF: .text:loc_41EE66j
		lahf
		add	[eax+45734300h], al
		outsb
		jz	short near ptr loc_41EF3E+2
		jb	short loc_41EF2F

loc_41EEDD:				; CODE XREF: .text:0041EE68j
		db	65h
		popa
		jnb	short near ptr loc_41EF4F+1
		outsb
		add	[ebx+73h], al
		push	ebx

loc_41EEE6:				; CODE XREF: .text:0041EE7Cj
		db	65h
		jnb	short loc_41EF5C

loc_41EEE9:				; CODE XREF: .text:0041EE98j
					; .text:0041EE7Fj
		imul	ebp, [edi+6Eh],	0A006449h
		dec	ebp
		outsd
		outsb

loc_41EEF3:				; CODE XREF: .text:0041EEAAj
					; .text:0041EE84j
		imul	esi, [edi+ebp*2+72h], 75716552h
		db	65h
		jnb	short near ptr loc_41EF71+1
		push	edx

loc_41EEFF:				; CODE XREF: .text:0041EEBCj
		db	65h
		popa
		jnb	short near ptr loc_41EF71+1
		outsb
		add	[eax], cl
		dec	esp
		imul	esp, [edi+ecx*2+70h], 74536E65h
		popa
		jz	short near ptr byte_41EF77
		add	[eax], cl

loc_41EF14:				; CODE XREF: .text:0041EEADj
		inc	ebp
		js	short near ptr loc_41EF8A+1

loc_41EF17:				; CODE XREF: .text:0041EEA8j
		db	65h
		jb	short loc_41EF88
		popa
		insb
		dec	ebp

loc_41EF1D:				; CODE XREF: .text:0041EEB4j
		outsd
		outsb
		imul	esi, [edi+ebp*2+72h], 6E6E6F43h

loc_41EF27:				; CODE XREF: .text:0041EEBAj
		arpl	gs:[ebp+64h], si
		push	ebx
		jz	short near ptr loc_41EF8F+1

loc_41EF2F:				; CODE XREF: .text:0041EEDBj
		jz	short loc_41EF96
		add	[eax], cl
		inc	edx
		popa
		jz	short loc_41EFAB
		db	65h
		jb	short loc_41EFB3
		push	edx
		db	65h
		insd
		popa

loc_41EF3E:				; CODE XREF: .text:0041EED9j
		imul	ebp, [esi+69h],	6143676Eh
		jo	short near ptr loc_41EFA7+1
		arpl	[ecx+74h], bp
		jns	short near ptr loc_41EF96+5
		outsb
		inc	ebp
		outsb

loc_41EF4F:				; CODE XREF: .text:0041EEDFj
		jz	short near ptr loc_41EFB3+3
		jb	short $+2
		or	[edx+61h], al
		jz	short near ptr dword_41EFCC
		db	65h
		jb	short near ptr loc_41EFD2+2
		inc	esi

loc_41EF5C:				; CODE XREF: .text:loc_41EEE6j
		jnz	short near ptr loc_41EFC6+4
		insb
		inc	ebx
		popa
		jo	short loc_41EFC4
		arpl	[ecx+74h], bp
		jns	short near ptr loc_41EFB3+4
		outsb
		inc	ebp
		outsb
		jz	short loc_41EFD2
		jb	short $+2
		or	[esi], al

loc_41EF71:				; CODE XREF: .text:0041EEFBj
					; .text:0041EF01j
					; DATA XREF: ...
		or	eax, large ds:0
; 
byte_41EF77	db 0			; CODE XREF: .text:0041EF10j
		dd 0
		dd 80004Bh, 72656E45h, 61537967h
; 

loc_41EF88:				; CODE XREF: .text:loc_41EF17j
		jbe	short near ptr loc_41EFED+2

loc_41EF8A:				; CODE XREF: .text:0041EF15j
		jb	short loc_41EFDF
		db	65h
		jz	short loc_41F003

loc_41EF8F:				; CODE XREF: .text:0041EF2Dj
		imul	ebp, [esi+67h],	6E616843h

loc_41EF96:				; CODE XREF: .text:loc_41EF2Fj
					; .text:0041EF4Aj
		db	65h
		add	fs:[di+6Eh], ah
		db	65h
		jb	short loc_41F006
		jns	short near ptr loc_41EFF2+2
		popa
		jbe	short loc_41F009
		jb	short near ptr loc_41EFF2+1
		outsd

loc_41EFA7:				; CODE XREF: .text:0041EF45j
		db	64h
		add	gs:[eax], cl

loc_41EFAB:				; CODE XREF: .text:0041EF35j
		bound	esp, [ecx+74h]
		jz	short loc_41F015
		jb	short near ptr loc_41F028+3
		push	esp

loc_41EFB3:				; CODE XREF: .text:0041EF37j
					; .text:loc_41EF4Fj ...
		push	68736572h
		outsd
		insb
		add	fs:[eax], cl
		jnz	short loc_41F032
		db	65h
		jb	short loc_41F003
		ja	short near ptr loc_41F024+1

loc_41EFC4:				; CODE XREF: .text:0041EF61j
		jns	short $+2

loc_41EFC6:				; CODE XREF: .text:loc_41EF5Cj
					; DATA XREF: PopTraceEsState(x,x,x,x,x,x,x,x)+E8o
		or	eax, 50B06h
; 
		db 0
dword_41EFCC	dd 0			; CODE XREF: .text:0041EF56j
		db 2 dup(0)
; 

loc_41EFD2:				; CODE XREF: .text:0041EF6Bj
					; .text:0041EF58j
		add	[edi+45008000h], dl
		outsb
		db	65h
		jb	short loc_41F043
		jns	short near ptr loc_41F02F+2
		popa

loc_41EFDF:				; CODE XREF: .text:loc_41EF8Aj
		jbe	short loc_41F046
		jb	short loc_41F028
		outsb
		db	67h
		popa
		db	65h
		ins	dword ptr es:[di], dx
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_41F02F+1

loc_41EFED:				; CODE XREF: .text:loc_41EF88j
		push	65676E61h

loc_41EFF2:				; CODE XREF: .text:0041EFA4j
					; .text:0041EF9Fj
		add	fs:[ebp+6Eh], ah
		db	67h
		popa
		db	65h
		ins	dword ptr es:[di], dx
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_41F050+1
		db	65h
		popa
		jnb	short loc_41F072

loc_41F003:				; CODE XREF: .text:0041EF8Cj
					; .text:0041EFBFj
		outsb
		add	[eax], cl

loc_41F006:				; CODE XREF: .text:0041EF9Cj
		db	64h
		jnz	short loc_41F07B

loc_41F009:				; CODE XREF: .text:0041EFA2j
		popa
		jz	short loc_41F075
		outsd
		outsb
		add	[edx], cl
		bound	esp, [ecx+74h]
		jz	short near ptr loc_41F075+5

loc_41F015:				; CODE XREF: .text:0041EFAEj
		jb	short loc_41F090
		inc	esp
		db	65h
		insb
		jz	short near ptr loc_41F07C+1
		add	[edi], al
		popa
		arpl	[eax+6Fh], dx
		ja	short loc_41F089

loc_41F024:				; CODE XREF: .text:0041EFC2j
		jb	short loc_41F075
		outsb
		insb

loc_41F028:				; CODE XREF: .text:0041EFE1j
					; .text:0041EFB0j
		imul	ebp, [esi+65h],	6E650D00h

loc_41F02F:				; CODE XREF: .text:0041EFEBj
					; .text:0041EFDCj
		db	65h
		jb	short near ptr loc_41F098+1

loc_41F032:				; CODE XREF: .text:0041EFBDj
		jns	short near ptr loc_41F086+1
		popa
		jbe	short loc_41F09C
		jb	short loc_41F086
		outsd
		db	64h
		add	gs:[eax], cl
		bound	esp, [ecx+74h]
		jz	short near ptr loc_41F0A7+1

loc_41F043:				; CODE XREF: .text:0041EFD9j
		jb	short near ptr loc_41F0BD+1
		push	esp

loc_41F046:				; CODE XREF: .text:loc_41EFDFj
		push	68736572h
		outsd
		insb
		add	fs:[eax], cl

loc_41F050:				; CODE XREF: .text:0041EFFDj
		jnz	short near ptr loc_41F0C4+1
		db	65h
		jb	short near ptr loc_41F095+1
		ja	short near ptr loc_41F0B7+1
		jns	short $+2
		or	eax, 74726150h
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_41F0C9+3
		jbe	short near ptr loc_41F0B7+2
		popa
		db	67h
		jnb	near ptr 0F069h
		or	al, [esi]

loc_41F06B:				; DATA XREF: PopDiagTraceFxGlobalDeviceAccounting(x,x,x,x,x,x)+B0o
		or	eax, large ds:0
; 
		db 0
; 

loc_41F072:				; CODE XREF: .text:0041F001j
		add	[eax+0], al

loc_41F075:				; CODE XREF: .text:0041F00Aj
					; .text:loc_41F024j ...
		add	[edx+50008000h], al

loc_41F07B:				; CODE XREF: .text:loc_41F006j
		outsd

loc_41F07C:				; CODE XREF: .text:0041F01Aj
		jo	short near ptr loc_41F0BD+5
		imul	esp, [ecx+67h],	6C477846h
		outsd

loc_41F086:				; CODE XREF: .text:0041F037j
					; .text:loc_41F032j
		bound	esp, [ecx+6Ch]

loc_41F089:				; CODE XREF: .text:0041F022j
		inc	esp
		db	65h
		jbe	short near ptr loc_41F0F3+3
		arpl	[ebp+41h], sp

loc_41F090:				; CODE XREF: .text:loc_41F015j
		arpl	[ebx+6Fh], sp
		jnz	short loc_41F103

loc_41F095:				; CODE XREF: .text:0041F052j
		jz	short loc_41F100
		outsb

loc_41F098:				; CODE XREF: .text:loc_41F02Fj
		add	[bp+di+63h], dl

loc_41F09C:				; CODE XREF: .text:0041F035j
		outs	dx, byte ptr gs:[esi]
		popa
		jb	short near ptr loc_41F105+5
		outsd
		dec	ecx
		add	fs:[edx], cl
		inc	ebx

loc_41F0A7:				; CODE XREF: .text:0041F041j
		jnb	short near ptr loc_41F0E9+1
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp
		imul	ebp, [ebp+65h],	73430A00h
		inc	ecx

loc_41F0B7:				; CODE XREF: .text:0041F055j
					; .text:0041F063j
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp

loc_41F0BD:				; CODE XREF: .text:loc_41F043j
					; .text:loc_41F07Cj
		imul	ebp, [ebp+65h],	6B637542h

loc_41F0C4:				; CODE XREF: .text:loc_41F050j
		db	65h
		jz	short loc_41F13A
		add	[edx], ch

loc_41F0C9:				; CODE XREF: .text:0041F061j
		add	eax, 41734300h
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp
		imul	ebp, [ebp+65h],	42726550h
		jnz	short near ptr loc_41F13F+1
		imul	esp, [ebp+74h],	0
		sub	al, ds:55734300h
		outsb
		popa

loc_41F0E9:				; CODE XREF: .text:loc_41F0A7j
		jz	short loc_41F15F
		jb	short near ptr loc_41F153+3
		bound	esi, [ebp+74h]
		db	65h, 64h
		push	esp

loc_41F0F3:				; CODE XREF: .text:0041F08Aj
					; DATA XREF: PopDiagTraceFxDeviceAccounting(x,x,x,x,x,x)+335o
		imul	ebp, [ebp+65h],	0B060A00h
		add	eax, 0
; 
		db 0
; 

loc_41F100:				; CODE XREF: .text:loc_41F095j
		add	[eax+0], al

loc_41F103:				; CODE XREF: .text:0041F093j
		add	al, al

loc_41F105:				; CODE XREF: .text:0041F09Fj
		add	[eax+706F5000h], al
		inc	esp
		imul	esp, [ecx+67h],	65447846h
		jbe	short near ptr loc_41F17D+1
		arpl	[ebp+41h], sp
		arpl	[ebx+6Fh], sp
		jnz	short near ptr loc_41F18A+1
		jz	short near ptr loc_41F183+5
		outsb
		add	[bp+di+63h], dl
		outs	dx, byte ptr gs:[esi]
		popa
		jb	short near ptr loc_41F18C+6
		outsd
		dec	ecx
		add	fs:[edx], cl
		dec	ecx
		outsb
		jnb	short loc_41F1A6
		popa
		outsb
		arpl	[ebp+50h], sp
		popa
		jz	short loc_41F1A2

loc_41F13A:				; CODE XREF: .text:loc_41F0C4j
		add	[esi], dl
		inc	ebx
		jnb	short near ptr loc_41F17D+3

loc_41F13F:				; CODE XREF: .text:0041F0DBj
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp
		imul	ebp, [ebp+65h],	73430A00h
		inc	ecx
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp

loc_41F153:				; CODE XREF: .text:0041F0EBj
		imul	ebp, [ebp+65h],	6B637542h
		db	65h
		jz	short loc_41F1D0
		add	[edx], ch

loc_41F15F:				; CODE XREF: .text:loc_41F0E9j
		add	eax, 41734300h
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp
		imul	ebp, [ebp+65h],	42726550h
		jnz	short near ptr loc_41F1D1+5
		imul	esp, [ebp+74h],	0
		sub	al, ds:41734300h

loc_41F17D:				; CODE XREF: .text:0041F113j
					; .text:0041F13Dj
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp

loc_41F183:				; CODE XREF: .text:0041F11Dj
		imul	ebp, [ebp+65h],	74616E55h

loc_41F18A:				; CODE XREF: .text:0041F11Bj
		jz	short loc_41F1FE

loc_41F18C:				; CODE XREF: .text:0041F127j
		imul	esp, [edx+75h],	646574h
		or	al, [ebp+76h]
		imul	esp, [ebx+65h],	73616C43h
		jnb	short loc_41F1EE
		popa
		insd

loc_41F1A2:				; CODE XREF: .text:0041F138j
		add	gs:[esi], dl
		inc	esp

loc_41F1A6:				; CODE XREF: .text:0041F130j
		db	65h
		jbe	short near ptr loc_41F211+1
		arpl	[ebp+43h], sp
		insb
		popa
		jnb	short near ptr loc_41F21F+4
		inc	edi
		jnz	short near ptr loc_41F219+3
		add	fs:[esi], dl
		inc	esi
		jb	short near ptr loc_41F21F+3
		outs	dx, byte ptr gs:[esi]
		db	64h
		insb
		jns	short loc_41F20D
		popa
		insd
		add	gs:[esi], dl
		push	es

loc_41F1C5:				; DATA XREF: PopDiagTraceFxComponentAccounting(x,x,x,x,x,x,x)+385o
		or	eax, large ds:0
; 
		db 0
		dd 4000h
; 

loc_41F1D0:				; CODE XREF: .text:0041F15Aj
		into

loc_41F1D1:				; CODE XREF: .text:0041F171j
		add	[eax+706F5000h], al
		inc	esp
		imul	esp, [ecx+67h],	6F437846h
		insd
		jo	short loc_41F251
		outsb
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_41F227+1
		arpl	[ebx+6Fh], sp
		jnz	short near ptr loc_41F257+3
		jz	short loc_41F257

loc_41F1EE:				; CODE XREF: .text:0041F19Ej
		outsb
		add	[bp+di+63h], dl
		outs	dx, byte ptr gs:[esi]
		popa
		jb	short near ptr loc_41F25D+4
		outsd
		dec	ecx
		add	fs:[edx], cl
		dec	ecx

loc_41F1FE:				; CODE XREF: .text:loc_41F18Aj
		outsb
		jnb	short near ptr loc_41F271+4
		popa
		outsb
		arpl	[ebp+50h], sp
		popa
		jz	short loc_41F271
		add	[esi], dl
		inc	ebx
		outsd

loc_41F20D:				; CODE XREF: .text:0041F1BDj
		insd
		jo	short loc_41F27F
		outsb

loc_41F211:				; CODE XREF: .text:loc_41F1A6j
		outs	dx, byte ptr gs:[esi]
		jz	short $+2
		or	[ebx+73h], al
		inc	ecx

loc_41F219:				; CODE XREF: .text:0041F1B1j
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp

loc_41F21F:				; CODE XREF: .text:0041F1B7j
					; .text:0041F1AEj
		imul	ebp, [ebp+65h],	73430A00h
		inc	ecx

loc_41F227:				; CODE XREF: .text:0041F1E5j
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp
		imul	ebp, [ebp+65h],	6B637542h
		db	65h
		jz	short loc_41F2AA
		add	[edx], ch
		add	eax, 41734300h
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp
		imul	ebp, [ebp+65h],	42726550h
		jnz	short near ptr loc_41F2AF+1
		imul	esp, [ebp+74h],	0

loc_41F251:				; CODE XREF: .text:0041F1E0j
		sub	al, ds:41734300h

loc_41F257:				; CODE XREF: .text:0041F1ECj
					; .text:0041F1EAj
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp

loc_41F25D:				; CODE XREF: .text:0041F1F6j
		imul	ebp, [ebp+65h],	74616E55h
		jz	short near ptr loc_41F2D7+1
		imul	esp, [edx+75h],	646574h
		or	al, [ebp+76h]

loc_41F271:				; CODE XREF: .text:0041F207j
					; .text:0041F1FFj
		imul	esp, [ebx+65h],	73616C43h
		jnb	short near ptr loc_41F2C3+5
		popa
		insd
		add	gs:[esi], dl

loc_41F27F:				; CODE XREF: .text:0041F20Ej
		inc	esp
		db	65h
		jbe	short loc_41F2EC
		arpl	[ebp+43h], sp
		insb
		popa
		jnb	short loc_41F2FD
		inc	edi
		jnz	short near ptr loc_41F2F3+3
		add	fs:[esi], dl
		inc	esi
		jb	short near ptr loc_41F2FB+1
		outs	dx, byte ptr gs:[esi]
		db	64h
		insb
		jns	short near ptr loc_41F2E5+2
		popa
		insd
		add	gs:[esi], dl
		push	es

loc_41F29F:				; DATA XREF: PopDiagTraceDripsHistogram(x,x,x,x,x,x,x,x)+249o
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		db 2 dup(0)
; 

loc_41F2AA:				; CODE XREF: .text:0041F234j
		jb	short $+2
		add	byte ptr [eax],	44h

loc_41F2AF:				; CODE XREF: .text:0041F24Bj
		jb	short loc_41F31A
		jo	short near ptr word_41F326
		dec	eax
		imul	esi, [ebx+74h],	6172676Fh
		insd
		add	[ebx+73h], ah
		push	ebx
		db	65h
		jnb	short loc_41F336

loc_41F2C3:				; CODE XREF: .text:0041F278j
		imul	ebp, [edi+6Eh],	0A006449h
		inc	ebx
		jnb	short near ptr loc_41F310+1
		jnz	short near ptr loc_41F340+1
		popa
		jz	short loc_41F33B
		outsd
		outsb
		dec	ecx
		outsb
		dec	ebp

loc_41F2D7:				; CODE XREF: .text:0041F264j
		imul	ebp, [esi+75h],	736574h
		push	es
		inc	esp
		jb	short loc_41F34B
		jo	short near ptr loc_41F353+4
		push	eax

loc_41F2E5:				; CODE XREF: .text:0041F297j
		db	65h
		jb	short loc_41F34B
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_41F34B+2

loc_41F2EC:				; CODE XREF: .text:0041F280j
		add	gs:[si], al
		inc	edx
		jnz	short near ptr loc_41F353+3

loc_41F2F3:				; CODE XREF: .text:0041F28Bj
		imul	esp, [ebp+74h],	32h
		jnb	short $+2
		add	al, 42h

loc_41F2FB:				; CODE XREF: .text:0041F291j
		jnz	short near ptr loc_41F35F+1

loc_41F2FD:				; CODE XREF: .text:0041F288j
		imul	esp, [ebp+74h],	31h
		db	36h
		jnb	short $+3
		add	al, 42h
		jnz	short near ptr loc_41F368+3
		imul	esp, [ebp+74h],	31h
		insd
		add	[edx+eax*2], al

loc_41F310:				; CODE XREF: .text:0041F2CBj
		jnz	short near ptr loc_41F374+1
		imul	esp, [ebp+74h],	4Dh
		popa
		js	short loc_41F382
		insd

loc_41F31A:				; CODE XREF: .text:loc_41F2AFj
		add	[esi+eax], al

loc_41F31D:				; DATA XREF: PopDequeueQuerySetIrp+859B6o
		or	eax, large ds:0
; 
		db 0
		db 0, 40h
word_41F326	dw 0			; CODE XREF: .text:0041F2B1j
		dd 800085h, 72496F50h, 6E694670h
		db 69h,	73h
; 

loc_41F336:				; CODE XREF: .text:0041F2C0j
		push	616C4500h

loc_41F33B:				; CODE XREF: .text:0041F2D0j
		jo	short near ptr loc_41F3AE+2
		db	65h, 64h
		push	esp

loc_41F340:				; CODE XREF: .text:0041F2CDj
		imul	ebp, [ebp+65h],	74530800h
		popa
		jb	short loc_41F3BE
		push	esp

loc_41F34B:				; CODE XREF: .text:0041F2E0j
					; .text:loc_41F2E5j ...
		imul	ebp, [ebp+65h],	69460A00h
		outsb

loc_41F353:				; CODE XREF: .text:0041F2F1j
					; .text:0041F2E2j
		imul	esi, [ebx+68h],	656D6954h
		add	[edx], cl
		inc	esp
		jb	short loc_41F3C8

loc_41F35F:				; CODE XREF: .text:loc_41F2FBj
		jbe	short loc_41F3C6
		jb	short $+2
		add	[edi+61h], edx
		jz	short loc_41F3CB

loc_41F368:				; CODE XREF: .text:0041F306j
		push	54676F64h
		imul	ebp, [ebp+65h],	74756Fh

loc_41F374:				; CODE XREF: .text:loc_41F310j
		or	[eax+6Fh], dl
		ja	short near ptr loc_41F3DC+2
		jb	short near ptr loc_41F3CD+1
		jz	short near ptr loc_41F3DC+2
		jz	short near ptr loc_41F3E0+4
		push	esp
		jns	short loc_41F3F2

loc_41F382:				; CODE XREF: .text:0041F317j
		add	gs:[eax], cl
		push	eax
		outsd
		ja	short loc_41F3EE
		jb	short near ptr loc_41F3DC+2
		jz	short loc_41F3EE
		jz	short near ptr loc_41F3F3+1
		add	[eax], cl
		dec	ecx
		jb	short loc_41F404
		push	ebx
		jz	short loc_41F3F8
		jz	short near ptr loc_41F40D+1
		jnb	short $+2
		mov	[esi], cl
		push	eax
		popa
		jb	short loc_41F415
		inc	ecx
		pop	edi
		push	eax
		jb	short loc_41F40F
		jbe	short near ptr loc_41F3FB+1
		popa
		db	67h
		jnb	near ptr 0F3ACh
		or	al, [esi]

loc_41F3AE:				; CODE XREF: .text:loc_41F33Bj
					; DATA XREF: PopDiagTracePowerButtonBugcheck(x)+39Ao
		or	eax, large ds:0
; 
		dd 800000h, 80011900h
		db 0, 53h
; 

loc_41F3BE:				; CODE XREF: .text:0041F348j
		jo	short near ptr loc_41F433+2
		jb	short near ptr loc_41F42A+1
		outsd
		jnz	short loc_41F438
		dec	ebp

loc_41F3C6:				; CODE XREF: .text:loc_41F35Fj
		popa
		outsb

loc_41F3C8:				; CODE XREF: .text:0041F35Dj
		jnz	short near ptr loc_41F42A+1
		insb

loc_41F3CB:				; CODE XREF: .text:0041F366j
		push	eax
		outsd

loc_41F3CD:				; CODE XREF: .text:0041F379j
		ja	short near ptr loc_41F433+1
		jb	short loc_41F413
		jnz	short loc_41F447
		jz	short near ptr loc_41F443+1
		outsb
		inc	edx
		jnz	short near ptr loc_41F43F+1
		arpl	[eax+65h], bp

loc_41F3DC:				; CODE XREF: .text:0041F377j
					; .text:0041F37Bj ...
		arpl	[ebx+0], bp
		push	esp

loc_41F3E0:				; CODE XREF: .text:0041F37Dj
		imul	ebp, [ebp+65h],	74756Fh
		or	[ebx+75h], al
		insd
		jnz	short near ptr loc_41F458+1
		popa

loc_41F3EE:				; CODE XREF: .text:0041F387j
					; .text:0041F38Bj
		jz	short near ptr loc_41F458+1
		jbe	short near ptr loc_41F456+1

loc_41F3F2:				; CODE XREF: .text:0041F380j
		push	eax

loc_41F3F3:				; CODE XREF: .text:0041F38Dj
		jb	short loc_41F45A
		jnb	short near ptr loc_41F468+2
		inc	ebx

loc_41F3F8:				; CODE XREF: .text:0041F395j
		outsd
		jnz	short near ptr loc_41F468+1

loc_41F3FB:				; CODE XREF: .text:0041F3A6j
		jz	short $+2
		or	[ebx+75h], al
		insd
		jnz	short loc_41F46F
		popa

loc_41F404:				; CODE XREF: .text:0041F392j
		jz	short loc_41F46F
		jbe	short loc_41F46D
		push	edx
		db	65h
		insb
		db	65h
		popa

loc_41F40D:				; CODE XREF: .text:0041F397j
		jnb	short near ptr loc_41F470+4

loc_41F40F:				; CODE XREF: .text:0041F3A4j
		inc	ebx
		outsd
		jnz	short loc_41F481

loc_41F413:				; CODE XREF: .text:0041F3CFj
		jz	short $+2

loc_41F415:				; CODE XREF: .text:0041F39Fj
		or	[ebx+70h], dl
		jnz	short near ptr loc_41F48B+1
		imul	ebp, [edi+75h],	65764573h
		outsb
		jz	short $+2
		test	[ebx], al
		inc	ebx
		jnz	short loc_41F496
		insd

loc_41F42A:				; CODE XREF: .text:0041F3C0j
					; .text:loc_41F3C8j
		jnz	short loc_41F498
		popa
		jz	short loc_41F498
		jbe	short loc_41F496
		dec	esp
		outsd

loc_41F433:				; CODE XREF: .text:loc_41F3CDj
					; .text:loc_41F3BEj
		db	67h, 67h, 65h
		jb	short $+5

loc_41F438:				; CODE XREF: .text:0041F3C3j
		or	dl, [eax+72h]
		outsd
		arpl	[ebp+73h], sp

loc_41F43F:				; CODE XREF: .text:0041F3D7j
		jnb	short near ptr loc_41F4A1+5
		db	64h
		push	eax

loc_41F443:				; CODE XREF: .text:0041F3D3j
		jb	short loc_41F4AA
		jnb	short near ptr loc_41F4B7+3

loc_41F447:				; CODE XREF: .text:0041F3D1j
		inc	ebx
		outsd
		jnz	short near ptr loc_41F4B7+2
		jz	short $+2
		or	[eax+72h], dl
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_41F4B7+4

loc_41F456:				; CODE XREF: .text:0041F3F0j
		db	64h
		push	edx

loc_41F458:				; CODE XREF: .text:0041F3EBj
					; .text:loc_41F3EEj
		db	65h
		insb

loc_41F45A:				; CODE XREF: .text:loc_41F3F3j
		db	65h
		popa
		jnb	short loc_41F4C3
		inc	ebx
		outsd
		jnz	short near ptr loc_41F4CD+3
		jz	short $+2
		or	[eax+72h], dl
		outsd

loc_41F468:				; CODE XREF: .text:0041F3F9j
					; .text:0041F3F5j
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_41F4CD+5

loc_41F46D:				; CODE XREF: .text:0041F406j
		db	64h
		dec	esp

loc_41F46F:				; CODE XREF: .text:0041F401j
					; .text:loc_41F404j
		outsd

loc_41F470:				; CODE XREF: .text:loc_41F40Dj
		db	67h, 67h, 65h
		jb	short $+5
		or	cl, [ecx+ebp*2+64h]
		push	ebx
		jz	short loc_41F4DD
		jz	short near ptr loc_41F4DF+4
		add	[eax], cl
		inc	edx

loc_41F481:				; CODE XREF: .text:0041F411j
		jnz	short loc_41F4EA
		arpl	[eax+65h], bp
		arpl	[ebx+45h], bp
		outsb
		popa

loc_41F48B:				; CODE XREF: .text:0041F418j
		bound	ebp, [ebp+64h]
		add	[ebx+eax+756E614Dh], al

loc_41F496:				; CODE XREF: .text:0041F427j
					; .text:0041F42Fj
		popa
		insb

loc_41F498:				; CODE XREF: .text:loc_41F42Aj
					; .text:0041F42Dj
		inc	edx
		jnz	short near ptr loc_41F4FD+5
		arpl	[eax+65h], bp
		arpl	[ebx+52h], bp

loc_41F4A1:				; CODE XREF: .text:loc_41F43Fj
		imul	esi, gs:[bp+di+74h], 6F437972h

loc_41F4AA:				; CODE XREF: .text:loc_41F443j
		outsb
		imul	sp, [edi+0], 4F08h
		outsb
		db	65h
		push	ebx
		db	65h
		jz	short near ptr loc_41F52A+1

loc_41F4B7:				; CODE XREF: .text:0041F449j
					; .text:0041F445j ...
		imul	ebp, [esi+67h],	63677542h
		push	526B6365h

loc_41F4C3:				; CODE XREF: .text:0041F45Cj
		imul	esi, gs:[bp+di+74h], 6F437972h
		outsb

loc_41F4CD:				; CODE XREF: .text:0041F460j
					; .text:0041F46Bj
		imul	sp, [edi+0], 608h

loc_41F4D3:				; DATA XREF: PopDiagTracePowerButtonBugcheck(x)+1D9o
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		db 0
; 

loc_41F4DD:				; CODE XREF: .text:0041F47Aj
		add	[ecx], dl

loc_41F4DF:				; CODE XREF: .text:0041F47Cj
		add	[eax+6E614D00h], eax
		jnz	short near ptr loc_41F547+1
		insb
		push	eax
		outsd

loc_41F4EA:				; CODE XREF: .text:loc_41F481j
		ja	short near ptr loc_41F550+1
		jb	short loc_41F530
		jnz	short loc_41F564
		jz	short near ptr loc_41F560+1
		outsb
		inc	edx
		jnz	short near ptr loc_41F55C+1
		arpl	[eax+65h], bp
		arpl	[ebx+0], bp
		push	esp

loc_41F4FD:				; CODE XREF: .text:0041F499j
		imul	ebp, [ebp+65h],	74756Fh
		or	[ebx+75h], al
		insd
		jnz	short near ptr loc_41F575+1
		popa
		jz	short near ptr loc_41F575+1
		jbe	short near ptr loc_41F573+1
		push	eax
		jb	short loc_41F577
		jnb	short near ptr loc_41F585+2
		inc	ebx
		outsd
		jnz	short near ptr loc_41F585+1
		jz	short $+2
		or	[ebx+75h], al
		insd
		jnz	short loc_41F58C
		popa
		jz	short loc_41F58C
		jbe	short loc_41F58A
		push	edx
		db	65h
		insb
		db	65h
		popa

loc_41F52A:				; CODE XREF: .text:0041F4B4j
		jnb	short near ptr loc_41F58D+4
		inc	ebx
		outsd
		jnz	short loc_41F59E

loc_41F530:				; CODE XREF: .text:0041F4ECj
		jz	short $+2
		or	[ebx+70h], dl
		jnz	short near ptr loc_41F5A8+1
		imul	ebp, [edi+75h],	65764573h
		outsb
		jz	short $+2
		test	[ebx], al
		inc	ebx
		jnz	short loc_41F5B3
		insd

loc_41F547:				; CODE XREF: .text:0041F4E5j
		jnz	short loc_41F5B5
		popa
		jz	short loc_41F5B5
		jbe	short loc_41F5B3
		dec	esp
		outsd

loc_41F550:				; CODE XREF: .text:loc_41F4EAj
		db	67h, 67h, 65h
		jb	short $+5
		or	dl, [eax+72h]
		outsd
		arpl	[ebp+73h], sp

loc_41F55C:				; CODE XREF: .text:0041F4F4j
		jnb	short near ptr loc_41F5BE+5
		db	64h
		push	eax

loc_41F560:				; CODE XREF: .text:0041F4F0j
		jb	short loc_41F5C7
		jnb	short near ptr loc_41F5D4+3

loc_41F564:				; CODE XREF: .text:0041F4EEj
		inc	ebx
		outsd
		jnz	short near ptr loc_41F5D4+2
		jz	short $+2
		or	[eax+72h], dl
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_41F5D4+4

loc_41F573:				; CODE XREF: .text:0041F50Dj
		db	64h
		push	edx

loc_41F575:				; CODE XREF: .text:0041F508j
					; .text:0041F50Bj
		db	65h
		insb

loc_41F577:				; CODE XREF: .text:0041F510j
		db	65h
		popa
		jnb	short loc_41F5E0
		inc	ebx
		outsd
		jnz	short near ptr loc_41F5EA+3
		jz	short $+2
		or	[eax+72h], dl
		outsd

loc_41F585:				; CODE XREF: .text:0041F516j
					; .text:0041F512j
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_41F5EA+5

loc_41F58A:				; CODE XREF: .text:0041F523j
		db	64h
		dec	esp

loc_41F58C:				; CODE XREF: .text:0041F51Ej
					; .text:0041F521j
		outsd

loc_41F58D:				; CODE XREF: .text:loc_41F52Aj
		db	67h, 67h, 65h
		jb	short $+5
		or	cl, [ecx+ebp*2+64h]
		push	ebx
		jz	short loc_41F5FA
		jz	short near ptr loc_41F5FC+4
		add	[eax], cl
		inc	edx

loc_41F59E:				; CODE XREF: .text:0041F52Ej
		jnz	short near ptr loc_41F606+1
		arpl	[eax+65h], bp
		arpl	[ebx+45h], bp
		outsb
		popa

loc_41F5A8:				; CODE XREF: .text:0041F535j
		bound	ebp, [ebp+64h]
		add	[ebx+eax+756E614Dh], al

loc_41F5B3:				; CODE XREF: .text:0041F544j
					; .text:0041F54Cj
		popa
		insb

loc_41F5B5:				; CODE XREF: .text:loc_41F547j
					; .text:0041F54Aj
		inc	edx
		jnz	short near ptr loc_41F61E+1
		arpl	[eax+65h], bp
		arpl	[ebx+52h], bp

loc_41F5BE:				; CODE XREF: .text:loc_41F55Cj
		imul	esi, gs:[bp+di+74h], 6F437972h

loc_41F5C7:				; CODE XREF: .text:loc_41F560j
		outsb
		imul	sp, [edi+0], 4F08h
		outsb
		db	65h
		push	ebx
		db	65h
		jz	short near ptr loc_41F641+7

loc_41F5D4:				; CODE XREF: .text:0041F566j
					; .text:0041F562j ...
		imul	ebp, [esi+67h],	63677542h
		push	526B6365h

loc_41F5E0:				; CODE XREF: .text:0041F579j
		imul	esi, gs:[bp+di+74h], 6F437972h
		outsb

loc_41F5EA:				; CODE XREF: .text:0041F57Dj
					; .text:0041F588j
		imul	sp, [edi+0], 608h

loc_41F5F0:				; DATA XREF: PopAccountCbEnergyChange+A07D3o
		or	eax, large ds:0
; 
		dw 0
		db 2 dup(0)
; 

loc_41F5FA:				; CODE XREF: .text:0041F597j
		add	ah, dh

loc_41F5FC:				; CODE XREF: .text:0041F599j
		add	[eax+6D6F4300h], eax
		jo	short near ptr loc_41F66F+4
		jnb	short loc_41F66F

loc_41F606:				; CODE XREF: .text:loc_41F59Ej
		jz	short near ptr loc_41F667+6
		inc	edx
		popa
		jz	short near ptr loc_41F67E+2
		db	65h
		jb	short loc_41F688
		inc	ebp
		outsb
		db	65h
		jb	short near ptr loc_41F676+5
		jns	short near ptr loc_41F658+1
		push	65676E61h
		add	[ebp+6Eh], ah

loc_41F61E:				; CODE XREF: .text:0041F5B6j
		db	65h
		jb	short loc_41F688
		jns	short near ptr loc_41F665+1
		outsd
		jnz	short loc_41F694
		jz	short loc_41F68D
		jb	short loc_41F697
		push	edi
		add	[edx], cl
		imul	esi, [ebx+45h],	6772656Eh
		jns	short near ptr loc_41F676+3
		outsd
		jnz	short loc_41F6A7
		jz	short loc_41F6A0
		jb	short loc_41F692
		outsb
		popa
		jbe	short near ptr loc_41F6A0+2

loc_41F641:				; CODE XREF: .text:0041F5D1j
		imul	ebp, [ecx+62h],	200656Ch
		imul	esi, [ebx+43h],	63617061h
		imul	esi, [ecx+edi*2+52h], 74616C65h

loc_41F658:				; CODE XREF: .text:0041F614j
		imul	esi, [esi+65h],	73690200h
		inc	esi
		arpl	[ebx+55h], sp
		outsb
		popa

loc_41F665:				; CODE XREF: .text:0041F621j
		jbe	short near ptr loc_41F6C4+4

loc_41F667:				; CODE XREF: .text:loc_41F606j
		imul	ebp, [ecx+62h],	200656Ch

loc_41F66F:				; CODE XREF: .text:0041F604j
					; .text:0041F602j
		imul	esi, [ebx+43h],	63617061h

loc_41F676:				; CODE XREF: .text:0041F634j
					; .text:0041F611j
		imul	esi, [ecx+edi*2+55h], 6176616Eh

loc_41F67E:				; CODE XREF: .text:0041F60Aj
		imul	ebp, [ecx+62h],	200656Ch
		outs	dx, byte ptr gs:[esi]

loc_41F688:				; CODE XREF: .text:0041F60Cj
					; .text:loc_41F61Ej
		db	65h
		jb	short loc_41F6F2
		jns	short near ptr loc_41F6CE+2

loc_41F68D:				; CODE XREF: .text:0041F626j
		push	65676E61h

loc_41F692:				; CODE XREF: .text:0041F63Bj
		insd
		push	edi

loc_41F694:				; CODE XREF: .text:0041F624j
		add	[ecx], cl
		popa

loc_41F697:				; CODE XREF: .text:0041F628j
		arpl	[ecx+ebp*2+76h], si
		db	65h
		inc	edx
		popa
		jz	short near ptr loc_41F713+1

loc_41F6A0:				; CODE XREF: .text:0041F639j
					; .text:0041F63Fj
		db	65h
		jb	short loc_41F71C
		inc	ebx
		outsd
		jnz	short loc_41F715

loc_41F6A7:				; CODE XREF: .text:0041F637j
		jz	short $+2
		or	[ecx+73h], ch
		push	eax
		outsd
		ja	short loc_41F715
		jb	short loc_41F701
		outsb
		insb
		imul	ebp, [esi+65h],	74746142h
		db	65h
		jb	short near ptr loc_41F733+4
		inc	esi
		insb
		popa
		add	[bp+si], al

loc_41F6C4:				; CODE XREF: .text:loc_41F665j
		imul	esi, [ebx+44h],	68637369h
		popa
		jb	short near ptr loc_41F733+2

loc_41F6CE:				; CODE XREF: .text:0041F68Bj
		imul	ebp, [esi+67h],	74746142h
		db	65h
		jb	short near ptr loc_41F750+1
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+43h],	67726168h
		imul	ebp, [esi+67h],	74746142h
		db	65h
		jb	short near ptr loc_41F767+1
		inc	esi
		insb
		popa

loc_41F6F2:				; CODE XREF: .text:loc_41F688j
		add	[bp+si], al
		imul	esi, [ebx+43h],	69746972h
		arpl	[ecx+6Ch], sp
		inc	edx
		popa

loc_41F701:				; CODE XREF: .text:0041F6B0j
		jz	short loc_41F777
		db	65h
		jb	short loc_41F77F
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+42h],	65747461h

loc_41F713:				; CODE XREF: .text:0041F69Ej
		jb	short loc_41F78E

loc_41F715:				; CODE XREF: .text:0041F6A5j
					; .text:0041F6AEj
		inc	ebx
		push	65677261h
		dec	esp

loc_41F71C:				; CODE XREF: .text:loc_41F6A0j
		imul	ebp, [ebp+69h],	676E6974h
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+42h],	65747461h
		jb	short near ptr loc_41F7AA+1
		inc	ebx

loc_41F733:				; CODE XREF: .text:0041F6CCj
					; .text:0041F6BBj
		push	69677261h
		outsb
		db	67h
		push	ebx
		jz	short near ptr loc_41F79C+2
		jz	short loc_41F7A4
		push	eax
		outsd
		ja	short loc_41F7A8
		jb	short near ptr loc_41F797+1
		jnz	short near ptr loc_41F7B6+1
		jo	short loc_41F7B5
		jns	short near ptr loc_41F79A+1
		jb	short near ptr loc_41F7B1+1
		jnb	short loc_41F7B4
		outsb

loc_41F750:				; CODE XREF: .text:0041F6D5j
		jz	short near ptr loc_41F797+1
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+42h],	65747461h
		jb	short near ptr loc_41F7D8+1
		inc	ebx
		push	69677261h
		outsb

loc_41F767:				; CODE XREF: .text:0041F6ECj
		db	67h
		push	ebx
		jz	short loc_41F7CC
		jz	short near ptr loc_41F7D1+1
		inc	ecx
		db	64h, 65h
		jno	short loc_41F7E7
		popa
		jz	short near ptr loc_41F7D8+2
		inc	esi
		insb

loc_41F777:				; CODE XREF: .text:loc_41F701j
		popa
		add	[bp+si], al
		jo	short near ptr loc_41F7DC+6
		jb	short near ptr loc_41F7DC+6

loc_41F77F:				; CODE XREF: .text:0041F703j
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_41F7C5+1
		popa
		jo	short loc_41F7E7
		arpl	[ecx+74h], bp
		jns	short $+2
		or	[ebp+69h], ch

loc_41F78E:				; CODE XREF: .text:loc_41F713j
		insb
		insb
		imul	edx, [eax+65h],	6E656372h

loc_41F797:				; CODE XREF: .text:0041F743j
					; .text:loc_41F750j
		jz	short loc_41F7DC
		popa

loc_41F79A:				; CODE XREF: .text:0041F749j
		jo	short loc_41F7FD

loc_41F79C:				; CODE XREF: .text:0041F73Bj
		arpl	[ecx+74h], bp
		jns	short $+2
		or	[ebx+74h], dh

loc_41F7A4:				; CODE XREF: .text:0041F73Dj
		popa
		jz	short near ptr loc_41F80B+1
		dec	edi

loc_41F7A8:				; CODE XREF: .text:0041F741j
		inc	bx

loc_41F7AA:				; CODE XREF: .text:0041F730j
		push	65677261h
		add	[eax], cl

loc_41F7B1:				; CODE XREF: .text:0041F74Bj
		db	66h
		jnz	short near ptr loc_41F81F+1

loc_41F7B4:				; CODE XREF: .text:0041F74Dj
		insb

loc_41F7B5:				; CODE XREF: .text:0041F747j
		inc	ebx

loc_41F7B6:				; CODE XREF: .text:0041F745j
		push	65677261h
		db	64h
		inc	ebx
		popa
		jo	short loc_41F821
		arpl	[ecx+74h], bp
		jns	short $+2

loc_41F7C5:				; CODE XREF: .text:0041F781j
		or	[ecx+6Eh], ch
		jnb	short loc_41F83E
		popa
		outsb

loc_41F7CC:				; CODE XREF: .text:0041F769j
		jz	short near ptr loc_41F82E+1
		outsb
		outs	dx, dword ptr gs:[esi]

loc_41F7D1:				; CODE XREF: .text:0041F76Bj
		jnz	short near ptr loc_41F844+2
		push	esi
		outsd
		insb
		jz	short loc_41F839

loc_41F7D8:				; CODE XREF: .text:0041F75Ej
					; .text:0041F773j
		add	gs:[bx+si], cl

loc_41F7DC:				; CODE XREF: .text:loc_41F797j
					; .text:0041F77Bj ...
		imul	ebp, [esi+73h],	746E6174h
		popa
		outsb
		outs	dx, dword ptr gs:[esi]

loc_41F7E7:				; CODE XREF: .text:0041F76Ej
					; .text:0041F784j
		jnz	short near ptr loc_41F85B+1
		push	edx
		popa
		jz	short near ptr loc_41F84C+6
		add	[edi], al
		push	es

loc_41F7F0:				; DATA XREF: PopAccountBatteryEnergyChange(x)+4B3o
		or	eax, large ds:0
; 
		dw 0
		dd 41000000h
		db 2
; 

loc_41F7FD:				; CODE XREF: .text:loc_41F79Aj
		add	byte ptr [eax],	42h
		popa
		jz	short near ptr loc_41F872+5
		db	65h
		jb	short near ptr loc_41F879+6
		inc	ebp
		outsb
		db	65h
		jb	short loc_41F872

loc_41F80B:				; CODE XREF: .text:0041F7A5j
		jns	short near ptr loc_41F84C+4
		push	65676E61h
		add	[ebp+76h], ah
		imul	esp, [ebx+65h],	656D614Eh
		add	[esi], dl

loc_41F81F:				; CODE XREF: .text:loc_41F7B1j
		outs	dx, byte ptr gs:[esi]

loc_41F821:				; CODE XREF: .text:0041F7BEj
		db	65h
		jb	short loc_41F88B
		jns	short near ptr loc_41F868+1
		outsd
		jnz	short loc_41F897
		jz	short loc_41F890
		jb	short loc_41F89A
		push	edi

loc_41F82E:				; CODE XREF: .text:loc_41F7CCj
		add	[edx], cl
		imul	esi, [ebx+45h],	6772656Eh
		jns	short near ptr loc_41F879+3

loc_41F839:				; CODE XREF: .text:0041F7D6j
		outsd
		jnz	short loc_41F8AA
		jz	short loc_41F8A3

loc_41F83E:				; CODE XREF: .text:0041F7C8j
		jb	short loc_41F895
		outsb
		popa
		jbe	short loc_41F8A5

loc_41F844:				; CODE XREF: .text:loc_41F7D1j
		imul	ebp, [ecx+62h],	200656Ch

loc_41F84C:				; CODE XREF: .text:loc_41F80Bj
					; .text:0041F7EBj
		imul	esi, [ebx+43h],	63617061h
		imul	esi, [ecx+edi*2+52h], 74616C65h

loc_41F85B:				; CODE XREF: .text:loc_41F7E7j
		imul	esi, [esi+65h],	73690200h
		inc	esi
		arpl	[ebx+55h], sp
		outsb
		popa

loc_41F868:				; CODE XREF: .text:0041F824j
		jbe	short loc_41F8CB
		imul	ebp, [ecx+62h],	200656Ch

loc_41F872:				; CODE XREF: .text:0041F808j
					; .text:0041F801j
		imul	esi, [ebx+43h],	63617061h

loc_41F879:				; CODE XREF: .text:0041F837j
					; .text:0041F803j
		imul	esi, [ecx+edi*2+55h], 6176616Eh
		imul	ebp, [ecx+62h],	200656Ch
		outs	dx, byte ptr gs:[esi]

loc_41F88B:				; CODE XREF: .text:loc_41F821j
		db	65h
		jb	short near ptr loc_41F8F4+1
		jns	short loc_41F8D3

loc_41F890:				; CODE XREF: .text:0041F829j
		push	65676E61h

loc_41F895:				; CODE XREF: .text:loc_41F83Ej
		insd
		push	edi

loc_41F897:				; CODE XREF: .text:0041F827j
		add	[ecx], cl
		insb

loc_41F89A:				; CODE XREF: .text:0041F82Bj
		popa
		jnb	short loc_41F911
		push	ebx
		jz	short loc_41F901
		jz	short near ptr loc_41F901+6
		dec	edi

loc_41F8A3:				; CODE XREF: .text:0041F83Cj
		inc	bx

loc_41F8A5:				; CODE XREF: .text:0041F842j
		push	65677261h

loc_41F8AA:				; CODE XREF: .text:0041F83Aj
		add	[eax], cl
		insb
		popa
		jnb	short near ptr loc_41F922+2
		push	ebx
		jz	short near ptr loc_41F911+3
		jz	short near ptr loc_41F919+1
		dec	edi
		inc	bx
		push	65677261h
		inc	esi
		arpl	[ebx+41h], sp
		db	64h
		push	75h
		jnb	short near ptr loc_41F939+1
		db	65h
		add	fs:[eax], cl
		insb

loc_41F8CB:				; CODE XREF: .text:loc_41F868j
		popa
		jnb	short loc_41F942
		inc	esi
		jnz	short loc_41F93D
		insb
		inc	ebx

loc_41F8D3:				; CODE XREF: .text:0041F88Ej
		push	65677261h
		db	64h
		inc	ebx
		popa
		jo	short loc_41F93E
		arpl	[ecx+74h], bp
		jns	short $+2
		or	[ecx+63h], ah
		jz	short loc_41F950
		jbe	short loc_41F94E
		inc	edx
		popa
		jz	short near ptr loc_41F960+1
		db	65h
		jb	short loc_41F969
		inc	ebx
		outsd
		jnz	short loc_41F962

loc_41F8F4:				; CODE XREF: .text:loc_41F88Bj
		jz	short $+2
		or	[ecx+73h], ch
		push	eax
		outsd
		ja	short loc_41F962
		jb	short loc_41F94E
		outsb
		insb

loc_41F901:				; CODE XREF: .text:0041F89Ej
					; .text:0041F8A0j
		imul	ebp, [esi+65h],	74746142h
		db	65h
		jb	short near ptr loc_41F980+4
		inc	esi
		insb
		popa
		add	[bp+si], al

loc_41F911:				; CODE XREF: .text:0041F89Bj
					; .text:0041F8B1j
		imul	esi, [ebx+44h],	68637369h
		popa

loc_41F919:				; CODE XREF: .text:0041F8B3j
		jb	short near ptr loc_41F980+2
		imul	ebp, [esi+67h],	74746142h

loc_41F922:				; CODE XREF: .text:0041F8AEj
		db	65h
		jb	short near ptr loc_41F99D+1
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+43h],	67726168h
		imul	ebp, [esi+67h],	74746142h

loc_41F939:				; CODE XREF: .text:0041F8C4j
		db	65h
		jb	short near ptr loc_41F9B4+1
		inc	esi

loc_41F93D:				; CODE XREF: .text:0041F8CFj
		insb

loc_41F93E:				; CODE XREF: .text:0041F8DBj
		popa
		add	[bp+si], al

loc_41F942:				; CODE XREF: .text:0041F8CCj
		imul	esi, [ebx+43h],	69746972h
		arpl	[ecx+6Ch], sp
		inc	edx
		popa

loc_41F94E:				; CODE XREF: .text:0041F8E7j
					; .text:0041F8FDj
		jz	short loc_41F9C4

loc_41F950:				; CODE XREF: .text:0041F8E5j
		db	65h
		jb	short loc_41F9CC
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+42h],	65747461h

loc_41F960:				; CODE XREF: .text:0041F8EBj
		jb	short loc_41F9DB

loc_41F962:				; CODE XREF: .text:0041F8F2j
					; .text:0041F8FBj
		inc	ebx
		push	65677261h
		dec	esp

loc_41F969:				; CODE XREF: .text:0041F8EDj
		imul	ebp, [ebp+69h],	676E6974h
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+42h],	65747461h
		jb	short near ptr loc_41F9F7+1
		inc	ebx

loc_41F980:				; CODE XREF: .text:loc_41F919j
					; .text:0041F908j
		push	69677261h
		outsb
		db	67h
		push	ebx
		jz	short near ptr loc_41F9E9+2
		jz	short loc_41F9F1
		push	eax
		outsd
		ja	short loc_41F9F5
		jb	short near ptr loc_41F9E4+1
		jnz	short near ptr loc_41FA03+1
		jo	short loc_41FA02
		jns	short near ptr loc_41F9E7+1
		jb	short near ptr loc_41F9FE+1
		jnb	short loc_41FA01
		outsb

loc_41F99D:				; CODE XREF: .text:loc_41F922j
		jz	short near ptr loc_41F9E4+1
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+42h],	65747461h
		jb	short near ptr loc_41FA25+1
		inc	ebx
		push	69677261h
		outsb

loc_41F9B4:				; CODE XREF: .text:loc_41F939j
		db	67h
		push	ebx
		jz	short loc_41FA19
		jz	short near ptr loc_41FA1E+1
		inc	ecx
		db	64h, 65h
		jno	short loc_41FA34
		popa
		jz	short near ptr loc_41FA25+2
		inc	esi
		insb

loc_41F9C4:				; CODE XREF: .text:loc_41F94Ej
		popa
		add	[bp+si], al
		jo	short near ptr loc_41FA29+6
		jb	short near ptr loc_41FA29+6

loc_41F9CC:				; CODE XREF: .text:loc_41F950j
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_41FA12+1
		popa
		jo	short loc_41FA34
		arpl	[ecx+74h], bp
		jns	short $+2
		or	[ebp+69h], ch

loc_41F9DB:				; CODE XREF: .text:loc_41F960j
		insb
		insb
		imul	edx, [eax+65h],	6E656372h

loc_41F9E4:				; CODE XREF: .text:0041F990j
					; .text:loc_41F99Dj
		jz	short loc_41FA29
		popa

loc_41F9E7:				; CODE XREF: .text:0041F996j
		jo	short loc_41FA4A

loc_41F9E9:				; CODE XREF: .text:0041F988j
		arpl	[ecx+74h], bp
		jns	short $+2
		or	[ebx+74h], dh

loc_41F9F1:				; CODE XREF: .text:0041F98Aj
		popa
		jz	short near ptr loc_41FA54+5
		dec	edi

loc_41F9F5:				; CODE XREF: .text:0041F98Ej
		inc	bx

loc_41F9F7:				; CODE XREF: .text:0041F97Dj
		push	65677261h
		add	[eax], cl

loc_41F9FE:				; CODE XREF: .text:0041F998j
		db	66h
		jnz	short near ptr loc_41FA6B+2

loc_41FA01:				; CODE XREF: .text:0041F99Aj
		insb

loc_41FA02:				; CODE XREF: .text:0041F994j
		inc	ebx

loc_41FA03:				; CODE XREF: .text:0041F992j
		push	65677261h
		db	64h
		inc	ebx
		popa
		jo	short near ptr loc_41FA6B+3
		arpl	[ecx+74h], bp
		jns	short $+2

loc_41FA12:				; CODE XREF: .text:0041F9CEj
		or	[ecx+6Eh], ch
		jnb	short loc_41FA8B
		popa
		outsb

loc_41FA19:				; CODE XREF: .text:0041F9B6j
		jz	short near ptr loc_41FA77+5
		outsb
		outs	dx, dword ptr gs:[esi]

loc_41FA1E:				; CODE XREF: .text:0041F9B8j
		jnz	short near ptr loc_41FA92+1
		push	esi
		outsd
		insb
		jz	short near ptr loc_41FA85+1

loc_41FA25:				; CODE XREF: .text:0041F9ABj
					; .text:0041F9C0j
		add	gs:[bx+si], cl

loc_41FA29:				; CODE XREF: .text:loc_41F9E4j
					; .text:0041F9C8j ...
		imul	ebp, [esi+73h],	746E6174h
		popa
		outsb
		outs	dx, dword ptr gs:[esi]

loc_41FA34:				; CODE XREF: .text:0041F9BBj
					; .text:0041F9D1j
		jnz	short near ptr loc_41FAA8+1
		push	edx
		popa
		jz	short loc_41FA9F
		add	[edi], al
		push	es

loc_41FA3D:				; DATA XREF: PopBatteryCheckCompositeCapacity+A0D67o
		or	eax, large ds:0
; 
		db 0
		dd 4000h
		db 0A7h, 1
; 

loc_41FA4A:				; CODE XREF: .text:loc_41F9E7j
		add	byte ptr [eax],	42h
		popa
		jz	short near ptr loc_41FAC2+2
		db	65h
		jb	short near ptr loc_41FACB+1
		inc	esp

loc_41FA54:				; CODE XREF: .text:0041F9F2j
		imul	esi, [ebx+63h],	67726168h
		imul	ebp, [esi+67h],	4B736900h
		db	65h
		jb	short near ptr loc_41FAD2+1
		db	65h
		insb
		inc	esp
		db	65h
		jz	short near ptr loc_41FACB+5

loc_41FA6B:				; CODE XREF: .text:loc_41F9FEj
					; .text:0041FA0Bj
		arpl	[ebp+64h], si
		inc	edx
		popa
		jz	short near ptr loc_41FAE2+5
		db	65h
		jb	short near ptr loc_41FAEE+1
		inc	esp

loc_41FA77:				; CODE XREF: .text:loc_41FA19j
		imul	esi, [ebx+63h],	67726168h
		imul	ebp, [esi+67h],	63610D00h

loc_41FA85:				; CODE XREF: .text:0041FA23j
		jz	short loc_41FAF0
		jbe	short loc_41FAEE
		inc	edx
		popa

loc_41FA8B:				; CODE XREF: .text:0041FA15j
		jz	short near ptr loc_41FB00+1
		db	65h
		jb	short loc_41FB09
		inc	ebx
		outsd

loc_41FA92:				; CODE XREF: .text:loc_41FA1Ej
		jnz	short loc_41FB02
		jz	short $+2
		or	[ecx+73h], ch
		push	eax
		outsd
		ja	short loc_41FB02
		jb	short loc_41FAEE

loc_41FA9F:				; CODE XREF: .text:0041FA38j
		outsb
		insb
		imul	ebp, [esi+65h],	74746142h

loc_41FAA8:				; CODE XREF: .text:loc_41FA34j
		db	65h
		jb	short near ptr loc_41FB20+4
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+44h],	68637369h
		popa
		jb	short near ptr loc_41FB20+2
		imul	ebp, [esi+67h],	74746142h

loc_41FAC2:				; CODE XREF: .text:0041FA4Ej
		db	65h
		jb	short near ptr loc_41FB3D+1
		inc	esi
		insb
		popa
		add	[bp+si], al

loc_41FACB:				; CODE XREF: .text:0041FA50j
					; .text:0041FA68j
		imul	esi, [ebx+43h],	67726168h

loc_41FAD2:				; CODE XREF: .text:0041FA62j
		imul	ebp, [esi+67h],	74746142h
		db	65h
		jb	short near ptr loc_41FB54+1
		inc	esi
		insb
		popa
		add	[bp+si], al

loc_41FAE2:				; CODE XREF: .text:0041FA71j
		imul	esi, [ebx+43h],	69746972h
		arpl	[ecx+6Ch], sp
		inc	edx
		popa

loc_41FAEE:				; CODE XREF: .text:0041FA87j
					; .text:0041FA9Dj ...
		jz	short loc_41FB64

loc_41FAF0:				; CODE XREF: .text:loc_41FA85j
		db	65h
		jb	short loc_41FB6C
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+42h],	65747461h

loc_41FB00:				; CODE XREF: .text:loc_41FA8Bj
		jb	short loc_41FB7B

loc_41FB02:				; CODE XREF: .text:loc_41FA92j
					; .text:0041FA9Bj
		inc	ebx
		push	65677261h
		dec	esp

loc_41FB09:				; CODE XREF: .text:0041FA8Dj
		imul	ebp, [ebp+69h],	676E6974h
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+42h],	65747461h
		jb	short near ptr loc_41FB97+1
		inc	ebx

loc_41FB20:				; CODE XREF: .text:0041FAB9j
					; .text:loc_41FAA8j
		push	69677261h
		outsb
		db	67h
		push	ebx
		jz	short near ptr loc_41FB89+2
		jz	short loc_41FB91
		push	eax
		outsd
		ja	short loc_41FB95
		jb	short near ptr loc_41FB84+1
		jnz	short near ptr loc_41FBA3+1
		jo	short loc_41FBA2
		jns	short near ptr loc_41FB87+1
		jb	short near ptr loc_41FB9E+1
		jnb	short loc_41FBA1
		outsb

loc_41FB3D:				; CODE XREF: .text:loc_41FAC2j
		jz	short near ptr loc_41FB84+1
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+42h],	65747461h
		jb	short near ptr loc_41FBC5+1
		inc	ebx
		push	69677261h
		outsb

loc_41FB54:				; CODE XREF: .text:0041FAD9j
		db	67h
		push	ebx
		jz	short loc_41FBB9
		jz	short near ptr loc_41FBBE+1
		inc	ecx
		db	64h, 65h
		jno	short loc_41FBD4
		popa
		jz	short near ptr loc_41FBC5+2
		inc	esi
		insb

loc_41FB64:				; CODE XREF: .text:loc_41FAEEj
		popa
		add	[bp+si], al
		jo	short near ptr loc_41FBC9+6
		jb	short near ptr loc_41FBC9+6

loc_41FB6C:				; CODE XREF: .text:loc_41FAF0j
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_41FBB2+1
		popa
		jo	short loc_41FBD4
		arpl	[ecx+74h], bp
		jns	short $+2
		or	[ebp+69h], ch

loc_41FB7B:				; CODE XREF: .text:loc_41FB00j
		insb
		insb
		imul	edx, [eax+65h],	6E656372h

loc_41FB84:				; CODE XREF: .text:0041FB30j
					; .text:loc_41FB3Dj
		jz	short loc_41FBC9
		popa

loc_41FB87:				; CODE XREF: .text:0041FB36j
		jo	short loc_41FBEA

loc_41FB89:				; CODE XREF: .text:0041FB28j
		arpl	[ecx+74h], bp
		jns	short $+2
		or	[ebx+74h], dh

loc_41FB91:				; CODE XREF: .text:0041FB2Aj
		popa
		jz	short near ptr byte_41FBF9
		dec	edi

loc_41FB95:				; CODE XREF: .text:0041FB2Ej
		inc	bx

loc_41FB97:				; CODE XREF: .text:0041FB1Dj
		push	65677261h
		add	[eax], cl

loc_41FB9E:				; CODE XREF: .text:0041FB38j
		db	66h
		jnz	short loc_41FC0D

loc_41FBA1:				; CODE XREF: .text:0041FB3Aj
		insb

loc_41FBA2:				; CODE XREF: .text:0041FB34j
		inc	ebx

loc_41FBA3:				; CODE XREF: .text:0041FB32j
		push	65677261h
		db	64h
		inc	ebx
		popa
		jo	short loc_41FC0E
		arpl	[ecx+74h], bp
		jns	short $+2

loc_41FBB2:				; CODE XREF: .text:0041FB6Ej
		or	[ecx+6Eh], ch
		jnb	short near ptr loc_41FC27+4
		popa
		outsb

loc_41FBB9:				; CODE XREF: .text:0041FB56j
		jz	short loc_41FC1C
		outsb
		outs	dx, dword ptr gs:[esi]

loc_41FBBE:				; CODE XREF: .text:0041FB58j
		jnz	short near ptr loc_41FC32+1
		push	esi
		outsd
		insb
		jz	short near ptr loc_41FC24+2

loc_41FBC5:				; CODE XREF: .text:0041FB4Bj
					; .text:0041FB60j
		add	gs:[bx+si], cl

loc_41FBC9:				; CODE XREF: .text:loc_41FB84j
					; .text:0041FB68j ...
		imul	ebp, [esi+73h],	746E6174h
		popa
		outsb
		outs	dx, dword ptr gs:[esi]

loc_41FBD4:				; CODE XREF: .text:0041FB5Bj
					; .text:0041FB71j
		jnz	short near ptr loc_41FC46+3
		push	edx
		popa
		jz	short loc_41FC3F
		add	[edi], al
		ja	short near ptr loc_41FC46+6
		push	ax
		jnz	short loc_41FC44
		insb
		imul	esi, [ebx+68h],	74617453h

loc_41FBEA:				; CODE XREF: .text:loc_41FB87j
		jnz	short near ptr loc_41FC5E+1
		add	[eax+50B060Eh],	cl
					; DATA XREF: PopBatteryCheckCompositeCapacity+A0ADFo
; 
		dw 0
		align 8
		db 40h
byte_41FBF9	db 2 dup(0), 0A9h	; CODE XREF: .text:0041FB92j
		dd 57008001h, 436B6165h, 67726168h, 69007265h
		db 73h
; 

loc_41FC0D:				; CODE XREF: .text:loc_41FB9Ej
		dec	ebx

loc_41FC0E:				; CODE XREF: .text:0041FBABj
		db	65h
		jb	short near ptr loc_41FC7E+1
		db	65h
		insb
		inc	esp
		db	65h
		jz	short near ptr loc_41FC77+5
		arpl	[ebp+64h], si
		push	edi

loc_41FC1C:				; CODE XREF: .text:loc_41FBB9j
		db	65h
		popa
		imul	eax, [ebx+68h],	61h
		jb	short near ptr loc_41FC87+4

loc_41FC24:				; CODE XREF: .text:0041FBC3j
		db	65h
		jb	short $+3

loc_41FC27:				; CODE XREF: .text:0041FBB5j
		or	eax, 69746361h
		jbe	short loc_41FC93
		inc	edx
		popa
		jz	short near ptr loc_41FCA5+1

loc_41FC32:				; CODE XREF: .text:loc_41FBBEj
		db	65h
		jb	short loc_41FCAE
		inc	ebx
		outsd
		jnz	short loc_41FCA7
		jz	short $+2
		or	[ecx+73h], ch
		push	eax

loc_41FC3F:				; CODE XREF: .text:0041FBD8j
		outsd
		ja	short loc_41FCA7
		jb	short loc_41FC93

loc_41FC44:				; CODE XREF: .text:0041FBE0j
		outsb
		insb

loc_41FC46:				; CODE XREF: .text:loc_41FBD4j
					; .text:0041FBDCj
		imul	ebp, [esi+65h],	74746142h
		db	65h
		jb	short near ptr loc_41FCC5+4
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+44h],	68637369h
		popa

loc_41FC5E:				; CODE XREF: .text:loc_41FBEAj
		jb	short near ptr loc_41FCC5+2
		imul	ebp, [esi+67h],	74746142h
		db	65h
		jb	short near ptr loc_41FCE2+1
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+43h],	67726168h

loc_41FC77:				; CODE XREF: .text:0041FC14j
		imul	ebp, [esi+67h],	74746142h

loc_41FC7E:				; CODE XREF: .text:loc_41FC0Ej
		db	65h
		jb	short near ptr loc_41FCF9+1
		inc	esi
		insb
		popa
		add	[bp+si], al

loc_41FC87:				; CODE XREF: .text:0041FC22j
		imul	esi, [ebx+43h],	69746972h
		arpl	[ecx+6Ch], sp
		inc	edx
		popa

loc_41FC93:				; CODE XREF: .text:0041FC2Cj
					; .text:0041FC42j
		jz	short loc_41FD09
		db	65h
		jb	short loc_41FD11
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+42h],	65747461h

loc_41FCA5:				; CODE XREF: .text:0041FC30j
		jb	short loc_41FD20

loc_41FCA7:				; CODE XREF: .text:0041FC37j
					; .text:0041FC40j
		inc	ebx
		push	65677261h
		dec	esp

loc_41FCAE:				; CODE XREF: .text:loc_41FC32j
		imul	ebp, [ebp+69h],	676E6974h
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+42h],	65747461h
		jb	short near ptr loc_41FD3C+1
		inc	ebx

loc_41FCC5:				; CODE XREF: .text:loc_41FC5Ej
					; .text:0041FC4Dj
		push	69677261h
		outsb
		db	67h
		push	ebx
		jz	short near ptr loc_41FD2E+2
		jz	short loc_41FD36
		push	eax
		outsd
		ja	short loc_41FD3A
		jb	short near ptr loc_41FD29+1
		jnz	short near ptr loc_41FD48+1
		jo	short loc_41FD47
		jns	short near ptr loc_41FD2C+1
		jb	short near ptr loc_41FD43+1
		jnb	short loc_41FD46
		outsb

loc_41FCE2:				; CODE XREF: .text:0041FC67j
		jz	short near ptr loc_41FD29+1
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+42h],	65747461h
		jb	short near ptr loc_41FD6A+1
		inc	ebx
		push	69677261h
		outsb

loc_41FCF9:				; CODE XREF: .text:loc_41FC7Ej
		db	67h
		push	ebx
		jz	short loc_41FD5E
		jz	short near ptr loc_41FD63+1
		inc	ecx
		db	64h, 65h
		jno	short loc_41FD79
		popa
		jz	short near ptr loc_41FD6A+2
		inc	esi
		insb

loc_41FD09:				; CODE XREF: .text:loc_41FC93j
		popa
		add	[bp+si], al
		jo	short near ptr loc_41FD6E+6
		jb	short near ptr loc_41FD6E+6

loc_41FD11:				; CODE XREF: .text:0041FC95j
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_41FD57+1
		popa
		jo	short loc_41FD79
		arpl	[ecx+74h], bp
		jns	short $+2
		or	[ebp+69h], ch

loc_41FD20:				; CODE XREF: .text:loc_41FCA5j
		insb
		insb
		imul	edx, [eax+65h],	6E656372h

loc_41FD29:				; CODE XREF: .text:0041FCD5j
					; .text:loc_41FCE2j
		jz	short loc_41FD6E
		popa

loc_41FD2C:				; CODE XREF: .text:0041FCDBj
		jo	short loc_41FD8F

loc_41FD2E:				; CODE XREF: .text:0041FCCDj
		arpl	[ecx+74h], bp
		jns	short $+2
		or	[ebx+74h], dh

loc_41FD36:				; CODE XREF: .text:0041FCCFj
		popa
		jz	short near ptr loc_41FD9D+1
		dec	edi

loc_41FD3A:				; CODE XREF: .text:0041FCD3j
		inc	bx

loc_41FD3C:				; CODE XREF: .text:0041FCC2j
		push	65677261h
		add	[eax], cl

loc_41FD43:				; CODE XREF: .text:0041FCDDj
		db	66h
		jnz	short loc_41FDB2

loc_41FD46:				; CODE XREF: .text:0041FCDFj
		insb

loc_41FD47:				; CODE XREF: .text:0041FCD9j
		inc	ebx

loc_41FD48:				; CODE XREF: .text:0041FCD7j
		push	65677261h
		db	64h
		inc	ebx
		popa
		jo	short near ptr loc_41FDB2+1
		arpl	[ecx+74h], bp
		jns	short $+2

loc_41FD57:				; CODE XREF: .text:0041FD13j
		or	[ecx+6Eh], ch
		jnb	short loc_41FDD0
		popa
		outsb

loc_41FD5E:				; CODE XREF: .text:0041FCFBj
		jz	short loc_41FDC1
		outsb
		outs	dx, dword ptr gs:[esi]

loc_41FD63:				; CODE XREF: .text:0041FCFDj
		jnz	short loc_41FDD8
		push	esi
		outsd
		insb
		jz	short loc_41FDCB

loc_41FD6A:				; CODE XREF: .text:0041FCF0j
					; .text:0041FD05j
		add	gs:[bx+si], cl

loc_41FD6E:				; CODE XREF: .text:loc_41FD29j
					; .text:0041FD0Dj ...
		imul	ebp, [esi+73h],	746E6174h
		popa
		outsb
		outs	dx, dword ptr gs:[esi]

loc_41FD79:				; CODE XREF: .text:0041FD00j
					; .text:0041FD16j
		jnz	short near ptr loc_41FDE7+7
		push	edx
		popa
		jz	short near ptr loc_41FDDE+6
		add	[edi], al
		ja	short near ptr loc_41FDF0+1
		push	ax
		jnz	short near ptr loc_41FDE7+2
		insb
		imul	esi, [ebx+68h],	74617453h

loc_41FD8F:				; CODE XREF: .text:loc_41FD2Cj
		jnz	short near ptr byte_41FE04
		add	[eax+7261500Eh], cl
		jz	short near ptr loc_41FDD8+2
		pop	edi
		push	eax
		jb	short near ptr word_41FE06

loc_41FD9D:				; CODE XREF: .text:0041FD37j
		jbe	short loc_41FDF3
		popa
		db	67h
		jnb	near ptr 0FDA3h
		or	al, [esi]

loc_41FDA5:				; DATA XREF: PopBatteryWorker+A0174o
		or	eax, large ds:0
; 
		db 0
		align 10h
		db 4Fh,	0
; 

loc_41FDB2:				; CODE XREF: .text:loc_41FD43j
					; .text:0041FD50j
		add	byte ptr [eax],	42h
		popa
		jz	short loc_41FE2C
		db	65h
		jb	short near ptr loc_41FE31+3
		inc	ebx
		push	65677261h

loc_41FDC1:				; CODE XREF: .text:loc_41FD5Ej
		dec	esp
		imul	ebp, [ebp+69h],	676E6974h
		dec	ebp
		outsd

loc_41FDCB:				; CODE XREF: .text:0041FD68j
		db	64h
		add	gs:[ecx+73h], cl

loc_41FDD0:				; CODE XREF: .text:0041FD5Aj
		inc	edx
		popa
		jz	short loc_41FE48
		db	65h
		jb	short near ptr dword_41FE50
		inc	ebx

loc_41FDD8:				; CODE XREF: .text:loc_41FD63j
					; .text:0041FD97j
		push	65677261h
		dec	esp

loc_41FDDE:				; CODE XREF: .text:0041FD7Dj
		imul	ebp, [ebp+69h],	676E6974h
		dec	ebp
		outsd

loc_41FDE7:				; CODE XREF: .text:0041FD85j
					; .text:loc_41FD79j
		db	64h
		add	gs:[ebx+eax+50666E77h],	al

loc_41FDF0:				; CODE XREF: .text:0041FD81j
		jnz	short loc_41FE54
		insb

loc_41FDF3:				; CODE XREF: .text:loc_41FD9Dj
		imul	esi, [ebx+68h],	74617453h
		jnz	short loc_41FE6F
		add	[eax+50B060Eh],	cl ; DATA XREF:	PopSpoilBatteryEstimate(x,x)+9Do
; 
		dw 0
byte_41FE04	db 2 dup(0)		; CODE XREF: .text:loc_41FD8Fj
word_41FE06	dw 0			; CODE XREF: .text:0041FD9Bj
		db    0
		db 2 dup(0), 3Dh
		db    0
		db 80h,	0, 53h
aPoilbatteryest	db 'poilBatteryEstimation',0
		dw 7369h
		dd 696F7053h
; 

loc_41FE2C:				; CODE XREF: .text:0041FDB6j
		insb
		db	65h, 64h
		dec	ecx
		outsb

loc_41FE31:				; CODE XREF: .text:0041FDB8j
		db	64h
		imul	bp, gs:[esi+61h], 6574h
		add	ds:696F7073h, cl
		insb
		db	65h
		jb	short loc_41FE97
		jns	short loc_41FEB5
		add	gs:[eax], cl

loc_41FE48:				; CODE XREF: .text:0041FDD2j
		push	es

loc_41FE49:				; DATA XREF: PopEstimateChargeTime()+258o
		or	eax, large ds:0
; 
		db 0
dword_41FE50	dd 0			; CODE XREF: .text:0041FDD4j
; 

loc_41FE54:				; CODE XREF: .text:loc_41FDF0j
		dec	eax
		add	[eax+61684300h], al
		jb	short loc_41FEC4
		db	65h
		push	esp
		imul	ebp, [ebp+65h],	69747345h
		insd
		popa
		jz	short near ptr loc_41FECE+1
		add	[ebx+61h], ah
		jo	short near ptr loc_41FECE+2

loc_41FE6F:				; CODE XREF: .text:0041FDFAj
		arpl	[ecx+74h], bp
		jns	short $+2
		or	ah, [ebp+73h]
		jz	short near ptr loc_41FEE0+2
		insd
		popa
		jz	short near ptr loc_41FEE0+2
		add	[edx], cl
		insd
		popa
		js	short loc_41FED5
		popa
		jz	short near ptr loc_41FEEA+1
		add	[edx], cl
		jo	short near ptr loc_41FEEA+1
		jz	short near ptr loc_41FEF2+2
		add	[edx+eax+65746172h], al
		add	[edx], cl
		jnb	short loc_41FF0B

loc_41FE97:				; CODE XREF: .text:0041FE40j
		popa
		jz	short loc_41FEFF
		add	[eax], cl
		push	es

loc_41FE9D:				; DATA XREF: PopBatteryTracePercentageRemaining(x,x,x,x)+153o
		or	eax, large ds:0
; 
		db 0
		dd 4000h, 800063h, 74746142h, 43797265h
		db 68h
; 

loc_41FEB5:				; CODE XREF: .text:0041FE43j
		popa
		jb	short loc_41FF1F
		db	65h
		push	eax
		db	65h
		jb	short near ptr loc_41FF1F+1
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_41FF21+1
		db	67h, 65h
		inc	ebx

loc_41FEC4:				; CODE XREF: .text:0041FE5Bj
		push	65676E61h
		add	[edx+65h], dl
		insd
		popa

loc_41FECE:				; CODE XREF: .text:0041FE68j
					; .text:0041FE6Dj
		imul	ebp, [esi+69h],	6550676Eh

loc_41FED5:				; CODE XREF: .text:0041FE81j
		jb	short loc_41FF3A
		outs	dx, byte ptr gs:[esi]
		jz	short loc_41FF3C
		add	gs:[bx+si], cl
		push	eax

loc_41FEE0:				; CODE XREF: .text:0041FE77j
					; .text:0041FE7Bj
		db	65h
		jb	short near ptr word_41FF46
		outs	dx, byte ptr gs:[esi]
		jz	short loc_41FF48
		db	67h, 65h
		inc	ebx

loc_41FEEA:				; CODE XREF: .text:0041FE84j
					; .text:0041FE88j
		push	65676E61h
		add	[edi], al
		inc	ecx

loc_41FEF2:				; CODE XREF: .text:0041FE8Aj
		arpl	[ebx+53h], ax
		jz	short loc_41FF59
		jz	short loc_41FF5F
		add	[eax], cl
		inc	ebp
		insb
		popa

loc_41FEFF:				; CODE XREF: .text:0041FE98j
		jo	short near ptr loc_41FF73+1
		db	65h, 64h
		push	esp
		imul	ebp, [ebp+65h],	800734Dh

loc_41FF0B:				; CODE XREF: .text:0041FE95j
		push	es

loc_41FF0C:				; DATA XREF: PopBatteryWorker+A06B8o
		or	eax, large ds:0
; 
		dw 0
		dd 28000000h, 50008000h
		db 6Fh,	77h, 65h
; 

loc_41FF1F:				; CODE XREF: .text:0041FEB6j
					; .text:0041FEBAj
		jb	short near ptr loc_41FF73+1

loc_41FF21:				; CODE XREF: .text:0041FEBFj
		jz	short near ptr loc_41FF7E+6
		jz	short loc_41FF8A
		inc	ebx
		push	65676E61h
		add	[edi+6Eh], dh
		push	ax
		jnz	short near ptr loc_41FF8E+6
		insb
		imul	esi, [ebx+68h],	74617453h

loc_41FF3A:				; CODE XREF: .text:loc_41FED5j
		jnz	short loc_41FFAF

loc_41FF3C:				; CODE XREF: .text:0041FED9j
					; DATA XREF: PopBatteryWorker+A05E3o
		add	[eax+50B060Eh],	cl
; 
		dw 0
		db 2 dup(0)
word_41FF46	dw 0			; CODE XREF: .text:loc_41FEE0j
; 

loc_41FF48:				; CODE XREF: .text:0041FEE5j
		inc	eax
; 
		db 2 dup(0), 0DAh
		dd 43008001h, 6F706D6Fh, 65746973h
; 
		inc	edx

loc_41FF59:				; CODE XREF: .text:0041FEF6j
		popa
		jz	short loc_41FFD0
		db	65h
		jb	short near ptr loc_41FFD6+2

loc_41FF5F:				; CODE XREF: .text:0041FEF8j
		add	[ecx+63h], ah
		jz	short loc_41FFCD
		jbe	short loc_41FFCB
		inc	edx
		popa
		jz	short near ptr loc_41FFDD+1
		db	65h
		jb	short loc_41FFE6
		inc	ebx
		outsd
		jnz	short loc_41FFDF
		jz	short $+2

loc_41FF73:				; CODE XREF: .text:loc_41FEFFj
					; .text:loc_41FF1Fj
		or	[ecx+73h], ch
		push	eax
		outsd
		ja	short loc_41FFDF
		jb	short loc_41FFCB
		outsb
		insb

loc_41FF7E:				; CODE XREF: .text:loc_41FF21j
		imul	ebp, [esi+65h],	74746142h
		db	65h
		jb	short near ptr loc_41FFFD+4
		inc	esi
		insb

loc_41FF8A:				; CODE XREF: .text:0041FF23j
		popa
		add	[bp+si], al

loc_41FF8E:				; CODE XREF: .text:0041FF30j
		imul	esi, [ebx+44h],	68637369h
		popa
		jb	short near ptr loc_41FFFD+2
		imul	ebp, [esi+67h],	74746142h
		db	65h
		jb	short near ptr loc_42001A+1
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+43h],	67726168h

loc_41FFAF:				; CODE XREF: .text:loc_41FF3Aj
		imul	ebp, [esi+67h],	74746142h
		db	65h
		jb	short near ptr loc_420031+1
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+43h],	69746972h
		arpl	[ecx+6Ch], sp
		inc	edx
		popa

loc_41FFCB:				; CODE XREF: .text:0041FF64j
					; .text:0041FF7Aj
		jz	short near ptr off_420040+1

loc_41FFCD:				; CODE XREF: .text:0041FF62j
		db	65h
		jb	short loc_420049

loc_41FFD0:				; CODE XREF: .text:0041FF5Aj
		inc	esi
		insb
		popa
		add	[bp+si], al

loc_41FFD6:				; CODE XREF: .text:0041FF5Cj
		imul	esi, [ebx+42h],	65747461h

loc_41FFDD:				; CODE XREF: .text:0041FF68j
		jb	short loc_420058

loc_41FFDF:				; CODE XREF: .text:0041FF6Fj
					; .text:0041FF78j
		inc	ebx
		push	65677261h
		dec	esp

loc_41FFE6:				; CODE XREF: .text:0041FF6Aj
		imul	ebp, [ebp+69h],	676E6974h
		inc	esi
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+42h],	65747461h
		jb	short near ptr loc_420074+1
		inc	ebx

loc_41FFFD:				; CODE XREF: .text:0041FF96j
					; .text:0041FF85j
					; DATA XREF: ...
		push	69677261h
		outsb

loc_420003:				; DATA XREF: .text:0042561Co
		db	67h
		push	ebx
		jz	short near ptr loc_420066+2
		jz	short loc_42006E
		push	eax
		outsd
		ja	short loc_420072
		jb	short near ptr loc_420061+1
		jnz	short near ptr loc_420080+1
		jo	short loc_42007F
		jns	short near ptr loc_420064+1
		jb	short near ptr loc_42007B+1
		jnb	short loc_42007E
		outsb

loc_42001A:				; CODE XREF: .text:0041FF9Fj
		jz	short near ptr loc_420061+1
		insb
		popa
		add	[bp+si], al
		imul	esi, [ebx+42h],	65747461h
		jb	short near ptr loc_4200A2+1
		inc	ebx
		push	69677261h
		outsb

loc_420031:				; CODE XREF: .text:0041FFB6j
		db	67h
		push	ebx
		jz	short loc_420096
		jz	short near ptr loc_42009B+1
		inc	ecx
		db	64h, 65h
		jno	short loc_4200B1
		popa
		jz	short near ptr loc_4200A2+2
		inc	esi
; 
off_420040	dd offset loc_67616C	; CODE XREF: .text:loc_41FFCBj
					; DATA XREF: .text:_CmpLogPatho ...
		dd 72657002h
		db 63h
; 

loc_420049:				; CODE XREF: .text:loc_41FFCDj
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_42008F+1
		popa
		jo	short loc_4200B1
		arpl	[ecx+74h], bp
		jns	short $+2	; DATA XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x):loc_9E42B2o

loc_420055:				; DATA XREF: .text:005A49C2o
		or	[ebp+69h], ch

loc_420058:				; CODE XREF: .text:loc_41FFDDj
		insb
		insb
		imul	edx, [eax+65h],	6E656372h

loc_420061:				; CODE XREF: .text:0042000Dj
					; .text:loc_42001Aj
		jz	short loc_4200A6
		popa

loc_420064:				; CODE XREF: .text:00420013j
		jo	short loc_4200C7

loc_420066:				; CODE XREF: .text:00420005j
		arpl	[ecx+74h], bp
		jns	short $+2
		or	[ebx+74h], dh

loc_42006E:				; CODE XREF: .text:00420007j
		popa
		jz	short near ptr loc_4200D5+1
		dec	edi

loc_420072:				; CODE XREF: .text:0042000Bj
		inc	bx

loc_420074:				; CODE XREF: .text:0041FFFAj
		push	65677261h
		add	[eax], cl

loc_42007B:				; CODE XREF: .text:00420015j
		db	66h
		jnz	short loc_4200EA

loc_42007E:				; CODE XREF: .text:00420017j
		insb

loc_42007F:				; CODE XREF: .text:00420011j
		inc	ebx

loc_420080:				; CODE XREF: .text:0042000Fj
		push	65677261h
		db	64h
		inc	ebx
		popa
		jo	short near ptr loc_4200EA+1
		arpl	[ecx+74h], bp
		jns	short $+2

loc_42008F:				; CODE XREF: .text:0042004Bj
		or	[ecx+6Eh], ch
		jnb	short near ptr loc_420106+2
		popa
		outsb

loc_420096:				; CODE XREF: .text:00420033j
		jz	short near ptr loc_4200F7+2
		outsb
		outs	dx, dword ptr gs:[esi]

loc_42009B:				; CODE XREF: .text:00420035j
		jnz	short near ptr loc_42010F+1
		push	esi
		outsd
		insb
		jz	short near ptr loc_420100+3

loc_4200A2:				; CODE XREF: .text:00420028j
					; .text:0042003Dj
		add	gs:[bx+si], cl

loc_4200A6:				; CODE XREF: .text:loc_420061j
		imul	ebp, [esi+73h],	746E6174h
		popa
		outsb
		outs	dx, dword ptr gs:[esi]

loc_4200B1:				; CODE XREF: .text:00420038j
					; .text:0042004Ej
		jnz	short near ptr loc_420122+4
		push	edx
		popa
		jz	short near ptr loc_420119+3
		add	[edi], al
		ins	byte ptr es:[di], dx
		outsd
		bound	esp, [ecx+6Ch]
		inc	edx
		popa
		jz	short loc_420137
		db	65h
		jb	short loc_42013F
		inc	ebx

loc_4200C7:				; CODE XREF: .text:loc_420064j
		outsd
		jnz	short near ptr loc_420137+1
		jz	short $+2
		or	[ecx+63h], ah
		jz	short near ptr loc_420139+1
		jbe	short near ptr loc_420137+1
		inc	edx
		popa

loc_4200D5:				; CODE XREF: .text:0042006Fj
		jz	short loc_42014B
		db	65h
		jb	short near ptr loc_420152+1
		inc	ebx
		outsd
		jnz	short loc_42014C
		jz	short $+2
		or	[ecx+73h], ch
		inc	ebx
		popa
		jo	short near ptr loc_420145+3
		arpl	[ecx+74h], bp

loc_4200EA:				; CODE XREF: .text:loc_42007Bj
					; .text:00420088j
		jns	short near ptr loc_42013D+1
		db	65h
		insb
		popa
		jz	short near ptr loc_420159+1
		jbe	short near ptr loc_420157+1
		inc	edx
		popa
		jz	short near ptr loc_420169+2

loc_4200F7:				; CODE XREF: .text:loc_420096j
		db	65h
		jb	short loc_420173
		inc	esi
		insb
		popa
		add	[bp+si], al

loc_420100:				; CODE XREF: .text:004200A0j
		db	64h, 65h
		jnb	short near ptr loc_420169+4
		outs	dx, byte ptr [si]

loc_420106:				; CODE XREF: .text:00420092j
		db	65h, 64h
		inc	ebx
		popa
		jo	short near ptr loc_420169+4
		arpl	[ecx+74h], bp

loc_42010F:				; CODE XREF: .text:loc_42009Bj
		jns	short $+2
		or	[edi+6Eh], dh
		push	ax
		jnz	short near ptr loc_420175+5
		insb

loc_420119:				; CODE XREF: .text:004200B5j
		imul	esi, [ebx+68h],	74617453h
		jnz	short near ptr loc_420193+2

loc_420122:				; CODE XREF: .text:loc_4200B1j
					; DATA XREF: PopBatteryApplyCompositeState+A0600o
		add	[eax+50B060Eh],	cl
; 
		dd 0
		dd 400000h, 80003700h
; 
		add	[edx+61h], al

loc_420137:				; CODE XREF: .text:004200C1j
					; .text:004200C8j ...
		jz	short near ptr loc_4201A9+4

loc_420139:				; CODE XREF: .text:004200CFj
		db	65h
		jb	short loc_4201B5
		push	ebx

loc_42013D:				; CODE XREF: .text:loc_4200EAj
		jz	short loc_4201A0

loc_42013F:				; CODE XREF: .text:004200C3j
		jz	short near ptr loc_4201A0+6
		dec	esi
		outsd
		jz	short near ptr loc_4201A9+5

loc_420145:				; CODE XREF: .text:004200E5j
		imul	sp, [ebx+61h], 6974h

loc_42014B:				; CODE XREF: .text:loc_4200D5j
		outsd

loc_42014C:				; CODE XREF: .text:004200DCj
		outsb
		add	[edx+61h], ah
		jz	short loc_4201C6

loc_420152:				; CODE XREF: .text:004200D7j
		db	65h
		jb	short near ptr loc_4201CC+2
		dec	esp
		outsd

loc_420157:				; CODE XREF: .text:004200F1j
		ja	short $+2

loc_420159:				; CODE XREF: .text:004200EFj
		or	eax, 74746162h
		db	65h
		jb	short loc_4201DA
		dec	esp
		db	65h
		jbe	short loc_4201CA
		insb
		add	[eax], cl
		push	es

loc_420169:				; CODE XREF: .text:004200F5j
					; .text:loc_420100j ...
		or	eax, large ds:0
; 
		db 0
		db 3 dup(0)
; 

loc_420173:				; CODE XREF: .text:loc_4200F7j
		add	[eax], bh

loc_420175:				; CODE XREF: .text:00420116j
		add	[eax+74614200h], al
		jz	short near ptr loc_4201DE+4
		jb	short loc_4201F8
		inc	ebx
		push	65677261h
		dec	esp
		db	65h
		jbe	short loc_4201EE
		insb
		add	[edx+61h], ah
		jz	short near ptr loc_420202+1
		db	65h
		jb	short near ptr loc_420209+2
		dec	esp

loc_420193:				; CODE XREF: .text:00420120j
		db	65h
		jbe	short loc_4201FB
		insb
		add	[edx], al
		ja	short loc_420209
		push	ax
		jnz	short near ptr loc_420200+1
		insb

loc_4201A0:				; CODE XREF: .text:loc_42013Dj
					; .text:loc_42013Fj
		imul	esi, [ebx+68h],	74617453h
		jnz	short loc_42021C

loc_4201A9:				; CODE XREF: .text:loc_420137j
					; .text:00420143j
					; DATA XREF: ...
		add	[eax+50B060Eh],	cl
; 
		db 0
		dd 0
		db 0
; 

loc_4201B5:				; CODE XREF: .text:loc_420139j
		inc	eax
; 
		dw 0
		dd 800072h, 44706F50h, 73706972h
; 
		push	edi
		popa

loc_4201C6:				; CODE XREF: .text:00420150j
		imul	esp, [ebp+53h],	70h

loc_4201CA:				; CODE XREF: .text:00420162j
		jnz	short near ptr loc_42023D+1

loc_4201CC:				; CODE XREF: .text:loc_420152j
		imul	ebp, [edi+75h],	63754273h
		imul	esp, [ebp+74h],	73h
		add	[ebx+73h], al

loc_4201DA:				; CODE XREF: .text:0042015Ej
		push	ebx
		db	65h
		jnb	short near ptr loc_42024F+2

loc_4201DE:				; CODE XREF: .text:0042017Bj
		imul	ebp, [edi+6Eh],	0A006449h
		push	ebx
		jo	short near ptr loc_42025C+1
		jb	short near ptr loc_420252+1
		outsd
		jnz	short loc_420260
		push	edi

loc_4201EE:				; CODE XREF: .text:00420186j
		popa
		imul	esp, [ebp+42h],	75h
		arpl	[ebx+65h], bp
		jz	short loc_42023B

loc_4201F8:				; CODE XREF: .text:0042017Dj
		outsd
		jnz	short loc_420269

loc_4201FB:				; CODE XREF: .text:loc_420193j
		jz	short loc_420270
		add	[eax+53h], cl

loc_420200:				; CODE XREF: .text:0042019Dj
		jo	short loc_420277

loc_420202:				; CODE XREF: .text:0042018Dj
		jb	short loc_42026D
		outsd
		jnz	short loc_42027A
		push	edi
		popa

loc_420209:				; CODE XREF: .text:00420199j
					; .text:0042018Fj
		imul	esp, [ebp+42h],	75h
		arpl	[ebx+65h], bp
		jz	short near ptr loc_420265+1
		imul	ebp, [ebp+65h],	734D73h
		dec	edx
		push	eax
		popa

loc_42021C:				; CODE XREF: .text:004201A7j
		jb	short near ptr loc_42028D+5
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_420286+6
		jbe	short loc_420279
		popa
		db	67h
		jnb	near ptr 229h
		or	al, [esi]

loc_42022B:				; DATA XREF: PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+4ACo
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		dd 23E0000h
; 
		add	byte ptr [eax],	50h

loc_42023B:				; CODE XREF: .text:004201F6j
		outsd
		inc	esp

loc_42023D:				; CODE XREF: .text:loc_4201CAj
		jb	short loc_4202A8
		jo	short loc_4202B4
		push	edi
		popa
		imul	esp, [ebp+53h],	6Fh
		jnz	short loc_4202BB
		arpl	[ebp+0], sp
		inc	ebx
		jnb	short near ptr loc_4202A1+1

loc_42024F:				; CODE XREF: .text:004201DBj
		db	65h
		jnb	short near ptr loc_4202C4+1

loc_420252:				; CODE XREF: .text:004201E8j
		imul	ebp, [edi+6Eh],	0A006449h
		push	esp
		jns	short near ptr loc_4202CB+1

loc_42025C:				; CODE XREF: .text:004201E6j
		add	gs:[eax], cl
		push	edx

loc_420260:				; CODE XREF: .text:004201EBj
		db	65h
		popa
		jnb	short near ptr loc_4202D2+1
		outsb

loc_420265:				; CODE XREF: .text:00420210j
		xor	[eax], eax
		push	ss
		push	edx

loc_420269:				; CODE XREF: .text:004201F9j
		db	65h
		popa
		jnb	short loc_4202DC

loc_42026D:				; CODE XREF: .text:loc_420202j
		outsb
		xor	al, [eax]

loc_420270:				; CODE XREF: .text:loc_4201FBj
		push	ss
		push	edx
		db	65h
		popa
		jnb	short near ptr loc_4202E4+1
		outsb

loc_420277:				; CODE XREF: .text:loc_420200j
		xor	eax, [eax]

loc_420279:				; CODE XREF: .text:00420223j
		push	ss

loc_42027A:				; CODE XREF: .text:00420205j
		inc	ebx
		outsd
		jnz	short loc_4202EC
		jz	short $+2
		or	[ecx+64h], cl
		insb
		db	65h
		dec	ebp

loc_420286:				; CODE XREF: .text:00420221j
		imul	ebp, [esi+44h],	74617275h

loc_42028D:				; CODE XREF: .text:loc_42021Cj
		imul	ebp, [edi+6Eh],	73556E49h
		add	[edx], cl
		dec	ecx
		db	64h
		insb
		db	65h
		dec	ebp
		popa
		js	short near ptr loc_4202E1+1
		jnz	short near ptr loc_420311+1
		popa

loc_4202A1:				; CODE XREF: .text:0042024Dj
		jz	short near ptr loc_42030B+1
		outsd
		outsb
		dec	ecx
		outsb
		push	ebp

loc_4202A8:				; CODE XREF: .text:loc_42023Dj
		jnb	short $+2
		or	cl, [ecx+64h]
		insb
		db	65h
		push	esp
		outsd
		jz	short near ptr loc_420313+1
		insb

loc_4202B4:				; CODE XREF: .text:0042023Fj
		inc	esp
		jnz	short loc_420329
		popa
		jz	short loc_420323
		outsd

loc_4202BB:				; CODE XREF: .text:00420247j
		outsb
		dec	ecx
		outsb
		push	ebp
		jnb	short $+2
		or	al, [ebx+70h]

loc_4202C4:				; CODE XREF: .text:loc_42024Fj
		jnz	short loc_42031D
		popa
		imul	esp, [ebp+4Dh],	61h

loc_4202CB:				; CODE XREF: .text:0042025Aj
		jnb	short near ptr loc_420335+3
		jnb	short $+2
		fadd	dword ptr [edx]
		inc	edi

loc_4202D2:				; CODE XREF: .text:00420262j
		jb	short loc_420343
		jnz	short loc_420346
		add	[esi], al
		dec	ebp
		popa
		jnb	short loc_420347

loc_4202DC:				; CODE XREF: .text:0042026Bj
		add	[edx], cl
		dec	ecx
		db	64h
		insb

loc_4202E1:				; CODE XREF: .text:0042029Cj
		db	65h
		dec	ecx
		outsb

loc_4202E4:				; CODE XREF: .text:00420274j
		jz	short loc_42034B
		jb	short near ptr loc_42035C+2
		popa
		insb
		inc	ebx
		outsd

loc_4202EC:				; CODE XREF: .text:0042027Cj
		jnz	short loc_42035C
		jz	short near ptr loc_420331+1
		jnz	short loc_420355
		imul	esp, [ebp+74h],	4Ch
		imul	ebp, [ebp+69h],	6E497374h
		dec	ebp
		jnb	short $+2
		sub	cl, [edx]
		add	[ecx+64h], cl
		insb
		db	65h
		dec	ecx
		outsb
		jz	short near ptr loc_42036F+1

loc_42030B:				; CODE XREF: .text:loc_4202A1j
		jb	short loc_420383
		popa
		insb
		inc	ebx
		outsd

loc_420311:				; CODE XREF: .text:0042029Ej
		jnz	short near ptr loc_42037F+2

loc_420313:				; CODE XREF: .text:004202B1j
		jz	short near ptr loc_420356+1
		jnz	short near ptr loc_420377+3
		imul	esp, [ebp+74h],	73h
		add	[eax], ch

loc_42031D:				; CODE XREF: .text:loc_4202C4j
		or	[eax], eax
		push	eax
		db	65h
		jb	short loc_42038C

loc_420323:				; CODE XREF: .text:004202B8j
		outsd
		db	64h
		dec	ecx
		outsb
		jz	short loc_42038E

loc_420329:				; CODE XREF: .text:004202B5j
		jb	short loc_4203A1
		popa
		insb
		inc	ebx
		outsd
		jnz	short near ptr loc_42039E+1

loc_420331:				; CODE XREF: .text:004202EEj
		jz	short loc_420375
		jnz	short near ptr loc_420397+1

loc_420335:				; CODE XREF: .text:loc_4202CBj
		imul	esp, [ebp+74h],	4Ch
		imul	ebp, [ebp+69h],	6E497374h
		dec	ebp
		jnb	short $+2

loc_420343:				; CODE XREF: .text:loc_4202D2j
		sub	cl, [eax+eax]

loc_420346:				; CODE XREF: .text:004202D4j
		push	eax

loc_420347:				; CODE XREF: .text:004202DAj
		db	65h
		jb	short near ptr loc_4203AE+5
		outsd

loc_42034B:				; CODE XREF: .text:loc_4202E4j
		db	64h
		dec	ecx
		outsb
		jz	short loc_4203B5
		jb	short near ptr loc_4203C7+1
		popa
		insb
		inc	ebx

loc_420355:				; CODE XREF: .text:004202F0j
		outsd

loc_420356:				; CODE XREF: .text:loc_420313j
		jnz	short loc_4203C6
		jz	short near ptr loc_420397+5
		jnz	short near ptr loc_4203BA+5

loc_42035C:				; CODE XREF: .text:loc_4202ECj
					; .text:004202E6j
		imul	esp, [ebp+74h],	73h
		add	[eax], ch
		or	eax, [eax]
		inc	esi
		insb
		popa
		db	67h
		jnb	near ptr 36Ah
		or	[ecx+63h], al
		jz	short loc_4203D8

loc_42036F:				; CODE XREF: .text:00420309j
		jbe	short loc_4203D6
		push	esp
		outsd
		jz	short loc_4203D6

loc_420375:				; CODE XREF: .text:loc_420331j
		insb
		push	esp

loc_420377:				; CODE XREF: .text:00420315j
		imul	ebp, [ebp+65h],	0A007355h
		inc	ecx

loc_42037F:				; CODE XREF: .text:loc_420311j
		arpl	[ecx+ebp*2+76h], si

loc_420383:				; CODE XREF: .text:loc_42030Bj
		db	65h
		inc	edx
		jnz	short loc_4203EA
		imul	esp, [ebp+74h],	43h
		outsd

loc_42038C:				; CODE XREF: .text:00420320j
		jnz	short near ptr loc_4203F7+5

loc_42038E:				; CODE XREF: .text:00420327j
		jz	short near ptr loc_420400+3
		add	[eax], ch
		add	eax, 74634100h

loc_420397:				; CODE XREF: .text:00420333j
					; .text:00420358j
		imul	esi, [esi+65h],	6B637542h

loc_42039E:				; CODE XREF: .text:0042032Fj
		db	65h
		jz	short near ptr loc_4203F1+4

loc_4203A1:				; CODE XREF: .text:loc_420329j
		imul	ebp, [ebp+65h],	735573h
		sub	al, ds:74634100h

loc_4203AE:				; CODE XREF: .text:loc_420347j
		imul	esi, [esi+61h],	54726F74h

loc_4203B5:				; CODE XREF: .text:0042034Ej
		outsd
		jz	short loc_420419
		insb
		push	esp

loc_4203BA:				; CODE XREF: .text:0042035Aj
		imul	ebp, [ebp+65h],	0A007355h
		inc	ecx
		arpl	[ecx+ebp*2+76h], si

loc_4203C6:				; CODE XREF: .text:loc_420356j
		popa

loc_4203C7:				; CODE XREF: .text:00420350j
		jz	short near ptr loc_420437+1
		jb	short near ptr loc_42040B+2
		jnz	short near ptr loc_42042A+6
		imul	esp, [ebp+74h],	43h
		outsd
		jnz	short near ptr loc_420440+2
		jz	short near ptr loc_420448+1

loc_4203D6:				; CODE XREF: .text:loc_42036Fj
					; .text:00420373j
		add	[eax], ch

loc_4203D8:				; CODE XREF: .text:0042036Dj
		add	eax, 74634100h
		imul	esi, [esi+61h],	42726F74h
		jnz	short near ptr loc_420448+1
		imul	esp, [ebp+74h],	54h

loc_4203EA:				; CODE XREF: .text:00420385j
		imul	ebp, [ebp+65h],	735573h

loc_4203F1:				; CODE XREF: .text:loc_42039Ej
		sub	al, ds:76654400h

loc_4203F7:				; CODE XREF: .text:loc_42038Cj
		imul	esp, [ebx+65h],	61746F54h
		insb
		push	esp

loc_420400:				; CODE XREF: .text:loc_42038Ej
		imul	ebp, [ebp+65h],	0A007355h
		inc	esp
		db	65h
		jbe	short near ptr loc_420473+1

loc_42040B:				; CODE XREF: .text:004203C9j
		arpl	[ebp+42h], sp
		jnz	short loc_420473
		imul	esp, [ebp+74h],	43h
		outsd
		jnz	short loc_420485
		jz	short near ptr loc_420489+3

loc_420419:				; CODE XREF: .text:004203B6j
		add	[eax], ch
		add	eax, 76654400h
		imul	esp, [ebx+65h],	6B637542h
		db	65h
		jz	short near ptr word_42047E

loc_42042A:				; CODE XREF: .text:004203CBj
		imul	ebp, [ebp+65h],	735573h
		sub	al, ds:63784500h

loc_420437:				; CODE XREF: .text:loc_4203C7j
		db	65h
		jnb	short loc_4204AD
		push	esp
		outsd
		jz	short near ptr loc_42049B+4
		insb
		push	esp

loc_420440:				; CODE XREF: .text:004203D2j
		imul	ebp, [ebp+65h],	0A007355h
		inc	ebp

loc_420448:				; CODE XREF: .text:004203D4j
					; .text:004203E4j
		js	short loc_4204AD
		db	65h
		jnb	short loc_4204C0
		inc	edx
		jnz	short near ptr loc_4204B2+1
		imul	esp, [ebp+74h],	43h
		outsd
		jnz	short near ptr loc_4204C3+2
		jz	short loc_4204CC
		add	[eax], ch
		add	eax, [eax]
		inc	ebp
		js	short loc_4204C3
		db	65h
		jnb	short loc_4204D6
		inc	edx
		jnz	short near ptr loc_4204C3+6
		imul	esp, [ebp+74h],	54h
		imul	ebp, [ebp+65h],	735573h
		sub	al, [ebx]

loc_420473:				; CODE XREF: .text:0042040Ej
					; .text:00420408j
		add	[esi], al

loc_420475:				; DATA XREF: PopGetLockConsoleTimeoutUnsafe(x)+5Ao
		or	eax, large ds:0
; 
		db 0
		db 0, 40h
word_42047E	dw 0			; CODE XREF: .text:00420427j
; 
		and	eax, 4C008000h

loc_420485:				; CODE XREF: .text:00420415j
		outsd
		arpl	[ebx+44h], bp

loc_420489:				; CODE XREF: .text:00420417j
		imul	esi, [ebx+70h],	5479616Ch
		imul	ebp, [ebp+65h],	4F74756Fh
		jbe	short loc_4204FE
		jb	short near ptr loc_42050C+1

loc_42049B:				; CODE XREF: .text:0042043Cj
		imul	esp, [ebp+41h],	76697463h
		add	gs:[esi], al

loc_4204A6:				; DATA XREF: PopDirectedDripsDiagRundownDevices()+454o
		or	eax, large ds:0
; 
		db 0
; 

loc_4204AD:				; CODE XREF: .text:loc_420437j
					; .text:loc_420448j
		add	[eax+0], al
		add	cl, ah

loc_4204B2:				; CODE XREF: .text:0042044Ej
		add	[eax+76654400h], al
		imul	esp, [ebx+65h],	67616944h
		outsb

loc_4204C0:				; CODE XREF: .text:0042044Aj
		outsd
		jnb	short near ptr loc_420536+1

loc_4204C3:				; CODE XREF: .text:0042045Ej
					; .text:00420455j ...
		imul	esp, [ebx+73h],	65635300h
		outsb
		popa

loc_4204CC:				; CODE XREF: .text:00420457j
		jb	short near ptr loc_420536+1
		outsd
		dec	ecx
		add	fs:[esi+eax*2],	al
		jb	short loc_42053F

loc_4204D6:				; CODE XREF: .text:00420460j
		outs	dx, byte ptr gs:[esi]
		db	64h
		insb
		jns	short near ptr loc_420529+1
		popa
		insd
		add	gs:[esi], dl
		dec	eax
		popa
		jb	short near ptr loc_420547+2
		ja	short near ptr loc_420547+1
		jb	short loc_42054E
		dec	ecx
		add	fs:[esi], dl
		inc	esp
		db	65h
		jbe	short near ptr loc_420559+1
		arpl	[ebp+43h], sp
		insb
		popa
		jnb	short near ptr loc_42056A+1
		dec	esi
		popa
		insd
		add	gs:[esi], dl

loc_4204FE:				; CODE XREF: .text:00420497j
		inc	esp
		db	65h
		jbe	short near ptr loc_42056A+1
		arpl	[ebp+43h], sp
		insb
		popa
		jnb	short near ptr loc_420579+3
		inc	edi
		jnz	short loc_420575

loc_42050C:				; CODE XREF: .text:00420499j
		add	fs:[esi], dl
		inc	edx
		jb	short near ptr loc_420580+1
		popa
		arpl	fs:[ecx+73h], sp
		jz	short near ptr loc_42056A+3
		jb	short loc_420580
		db	65h
		dec	ecx
		add	fs:[eax], cl
		inc	esp
		db	66h
		js	short near ptr loc_420576+2
		jb	short loc_420587
		outsb
		jnb	short near ptr loc_420591+1

loc_420529:				; CODE XREF: .text:004204DAj
		jz	short near ptr loc_420593+1
		outsd
		outsb
		inc	ebx
		outsd
		jnz	short loc_42059F
		jz	short $+2
		or	[eax+73h], dl

loc_420536:				; CODE XREF: .text:004204C1j
					; .text:loc_4204CCj
		xor	al, 54h
		jb	short loc_42059B
		outsb
		jnb	short loc_4205A6
		jz	short near ptr loc_4205A6+2

loc_42053F:				; CODE XREF: .text:004204D4j
		outsd
		outsb
		inc	ebx
		outsd
		jnz	short near ptr loc_4205B2+1
		jz	short $+2

loc_420547:				; CODE XREF: .text:004204E5j
					; .text:004204E3j
		or	[esi+6Ch], al
		popa
		db	67h
		jnb	near ptr 54Eh

loc_42054E:				; CODE XREF: .text:004204E7j
		or	[ecx+6Eh], cl
		jnb	short loc_4205C7
		popa
		outsb
		arpl	[ebp+50h], sp
		popa

loc_420559:				; CODE XREF: .text:004204EEj
		jz	short loc_4205C3
		add	[esi], dl
		push	ebx
		arpl	[ebp+6Eh], sp
		popa
		jb	short near ptr loc_4205CB+2
		outsd
		dec	ecx
		db	64h
		push	esi
		xor	al, [eax]

loc_42056A:				; CODE XREF: .text:004204F6j
					; .text:004204FFj ...
		or	al, [ebp+76h]
		imul	esp, [ebx+65h],	8006449h

loc_420575:				; CODE XREF: .text:0042050Aj
		push	ebx

loc_420576:				; CODE XREF: .text:00420521j
		db	65h
		jb	short loc_4205EF

loc_420579:				; CODE XREF: .text:00420507j
		imul	esp, [ebx+65h],	656D614Eh

loc_420580:				; CODE XREF: .text:00420519j
					; .text:00420510j
		add	[esi], dl
		push	eax
		popa
		jb	short loc_4205FA
		inc	ecx

loc_420587:				; CODE XREF: .text:00420524j
		pop	edi
		push	eax
		jb	short near ptr loc_4205F3+1
		jbe	short loc_4205E1
		popa
		db	67h
		jnb	near ptr 591h

loc_420591:				; CODE XREF: .text:00420527j
		or	al, [esi]

loc_420593:				; CODE XREF: .text:loc_420529j
					; DATA XREF: PopDirectedDripsDiagRundownBroadcastTrees()+1D5o
		or	eax, large ds:0
; 
		db 2 dup(0)
; 

loc_42059B:				; CODE XREF: .text:00420538j
		inc	eax
; 
		db 2 dup(0), 0FCh
; 

loc_42059F:				; CODE XREF: .text:0042052Fj
		add	[eax+6F724200h], al
		popa

loc_4205A6:				; CODE XREF: .text:0042053Bj
					; .text:0042053Dj
		arpl	fs:[ecx+73h], sp
		jz	short near ptr loc_4205FE+2
		jb	short near ptr loc_42060F+4
		db	65h
		push	ebx
		jz	short near ptr loc_42060F+4

loc_4205B2:				; CODE XREF: .text:00420543j
		jz	short near ptr loc_42061B+2
		jnb	short near ptr loc_420627+3
		imul	esp, [ebx+73h],	65635300h
		outsb
		popa
		jb	short near ptr loc_420627+3
		outsd
		dec	ecx

loc_4205C3:				; CODE XREF: .text:loc_420559j
		add	fs:[edx], cl
		push	edx

loc_4205C7:				; CODE XREF: .text:00420551j
		outsd
		outsd
		jz	short loc_42060F

loc_4205CB:				; CODE XREF: .text:00420562j
		db	65h
		jbe	short near ptr loc_420636+1
		arpl	[ebp+49h], sp
		add	fs:[eax], cl
		inc	esp
		db	65h
		jbe	short loc_420641
		arpl	[ebp+4Dh], sp
		popa
		jb	short loc_420649
		db	65h, 64h
		inc	ebx

loc_4205E1:				; CODE XREF: .text:0042058Bj
		outsd
		jnz	short loc_420652
		jz	short $+2
		or	[edx+72h], al
		outsd
		popa
		arpl	fs:[ecx+73h], sp

loc_4205EF:				; CODE XREF: .text:loc_420576j
		jz	short loc_420645
		jb	short loc_420658

loc_4205F3:				; CODE XREF: .text:00420589j
		db	65h
		dec	ecx
		add	fs:[eax], cl
		inc	esi
		insb

loc_4205FA:				; CODE XREF: .text:00420584j
		popa
		db	67h
		jnb	near ptr 5FEh

loc_4205FE:				; CODE XREF: .text:004205AAj
		or	[ebp+69h], cl
		jz	short loc_42066C
		db	67h
		popa
		jz	short loc_42066C
		db	64h
		inc	ecx
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp

loc_42060F:				; CODE XREF: .text:004205C9j
					; .text:004205ACj ...
		imul	ebp, [ebp+65h],	6B637542h
		db	65h
		jz	short near ptr loc_420687+5
		add	[eax], ch

loc_42061B:				; CODE XREF: .text:loc_4205B2j
		add	eax, 74694D00h
		imul	esp, [edi+61h],	41646574h

loc_420627:				; CODE XREF: .text:004205B4j
					; .text:004205BFj
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp
		imul	ebp, [ebp+65h],	42726550h
		jnz	short loc_420699

loc_420636:				; CODE XREF: .text:loc_4205CBj
		imul	esp, [ebp+74h],	0
		sub	al, ds:69614600h
		insb

loc_420641:				; CODE XREF: .text:004205D5j
		jnz	short loc_4206B5
		db	65h
		push	edx

loc_420645:				; CODE XREF: .text:loc_4205EFj
		db	65h
		popa
		jnb	short loc_4206B8

loc_420649:				; CODE XREF: .text:004205DCj
		outsb
		inc	ebx
		outsd
		jnz	short near ptr loc_4206BB+1
		jz	short near ptr loc_4206C1+2
		add	[eax], ch

loc_420652:				; CODE XREF: .text:004205E2j
		or	[eax], eax
		push	eax
		outsd
		ja	short loc_4206BD

loc_420658:				; CODE XREF: .text:004205F1j
		jb	short near ptr loc_4206BD+2
		db	64h
		inc	esp
		outsd
		ja	short near ptr loc_4206CC+1
		push	esp
		imul	ebp, [ebp+65h],	6B637542h
		db	65h
		jz	short loc_4206DD
		add	[eax], ch

loc_42066C:				; CODE XREF: .text:00420601j
					; .text:00420605j
		add	eax, 776F5000h
		db	65h
		jb	short near ptr loc_4206D7+2
		db	64h
		inc	esp
		outsd
		ja	short loc_4206E7
		push	esp
		imul	ebp, [ebp+65h],	42726550h
		jnz	short near ptr loc_4206E5+1
		imul	esp, [ebp+74h],	0

loc_420687:				; CODE XREF: .text:00420616j
		sub	al, ds:72615000h
		jz	short loc_4206D0
		pop	edi
		push	eax
		jb	short near ptr loc_4206FB+1
		jbe	short loc_4206E9
		popa
		db	67h
		jnb	near ptr 699h

loc_420699:				; CODE XREF: .text:00420634j
		or	al, [esi]

loc_42069B:				; DATA XREF: PopDirectedDripsDiagRundownBroadcastTrees()+2E5o
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		dd 810000h, 72420080h, 6364616Fh, 54747361h
		db 72h
; 

loc_4206B5:				; CODE XREF: .text:loc_420641j
		db	65h, 65h
		inc	ebp

loc_4206B8:				; CODE XREF: .text:00420647j
		jb	short near ptr loc_420728+4
		outsd

loc_4206BB:				; CODE XREF: .text:0042064Cj
		jb	short near ptr loc_42070C+3

loc_4206BD:				; CODE XREF: .text:00420656j
					; .text:loc_420658j
		arpl	gs:[edi+72h], bp

loc_4206C1:				; CODE XREF: .text:0042064Ej
		add	fs:[ebx+63h], dl
		outs	dx, byte ptr gs:[esi]
		popa
		jb	short loc_420733
		outsd
		dec	ecx

loc_4206CC:				; CODE XREF: .text:0042065Dj
		add	fs:[edx], cl
		push	edx

loc_4206D0:				; CODE XREF: .text:0042068Dj
		outsd
		outsd
		jz	short near ptr loc_420716+2
		db	65h
		jbe	short near ptr loc_42073F+1

loc_4206D7:				; CODE XREF: .text:00420671j
		arpl	[ebp+49h], sp
		add	fs:[eax], cl

loc_4206DD:				; CODE XREF: .text:00420667j
		inc	edx
		jb	short near ptr loc_42074E+1
		popa
		arpl	fs:[ecx+73h], sp

loc_4206E5:				; CODE XREF: .text:00420681j
		jz	short near ptr loc_42073A+1

loc_4206E7:				; CODE XREF: .text:00420677j
		jb	short loc_42074E

loc_4206E9:				; CODE XREF: .text:00420693j
		db	65h
		dec	ecx
		add	fs:[eax], cl
		inc	esi
		insb
		popa
		db	67h
		jnb	near ptr 6F4h
		or	[ebp+72h], al
		jb	short loc_420768
		jb	short loc_42073F

loc_4206FB:				; CODE XREF: .text:00420691j
		db	65h
		jbe	short near ptr loc_420766+1
		arpl	[ebp+49h], sp
		add	fs:[eax], cl
		push	edx
		db	65h
		popa
		jnb	short near ptr loc_420771+7
		outsb
		inc	ebx
		outsd

loc_42070C:				; CODE XREF: .text:loc_4206BBj
		db	64h
		add	gs:[eax], cl
		inc	ebx
		outsd
		jnz	short near ptr loc_420781+1
		jz	short $+2

loc_420716:				; CODE XREF: .text:004206D2j
		or	[eax+61h], dl
		jb	short near ptr loc_42078E+1
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_420785+4
		jbe	short near ptr loc_420771+5
		popa
		db	67h
		jnb	near ptr 726h
		or	al, [esi]

loc_420728:				; CODE XREF: .text:loc_4206B8j
					; DATA XREF: PopDirectedDripsDiagNotifySessionStop(x,x,x)+131o
		or	eax, large ds:0
; 
		dw 0
		db 40h,	2 dup(0)
; 

loc_420733:				; CODE XREF: .text:004206C8j
		scasb
		add	[eax+73655300h], al

loc_42073A:				; CODE XREF: .text:loc_4206E5j
		jnb	short loc_4207A5
		outsd
		outsb
		push	ebx

loc_42073F:				; CODE XREF: .text:004206F9j
					; .text:004206D4j
		jz	short near ptr loc_42079E+4
		jz	short loc_4207AC
		jnb	short loc_4207B9
		imul	esp, [ebx+73h],	65635300h
		outsb
		popa

loc_42074E:				; CODE XREF: .text:loc_4206E7j
					; .text:004206DEj
		jb	short loc_4207B9
		outsd
		dec	ecx
		add	fs:[edx], cl
		inc	ebp
		outsb
		popa
		bound	ebp, [ebp+64h]
		dec	ebp
		imul	esi, [ecx+ebp*2+67h], 6F697461h
		outsb

loc_420766:				; CODE XREF: .text:loc_4206FBj
		jnb	short $+2

loc_420768:				; CODE XREF: .text:004206F7j
		or	[ecx+6Ch], al
		insb
		outsd
		ja	short near ptr loc_4207D3+1
		db	64h
		dec	ebp

loc_420771:				; CODE XREF: .text:00420720j
					; .text:00420707j
		imul	esi, [ecx+ebp*2+67h], 6F697461h
		outsb
		jnb	short $+2
		or	[ebp+6Eh], al
		db	67h
		popa

loc_420781:				; CODE XREF: .text:00420712j
		db	67h, 65h, 64h
		dec	ebp

loc_420785:				; CODE XREF: .text:0042071Ej
		imul	esi, [ecx+ebp*2+67h], 6F697461h
		outsb

loc_42078E:				; CODE XREF: .text:00420719j
		jnb	short $+2
		or	[eax+6Eh], dl
		jo	short near ptr loc_4207D8+1
		imul	esi, [ebx+65h],	6761676Eh
		db	65h
		push	esp

loc_42079E:				; CODE XREF: .text:loc_42073Fj
		imul	ebp, [ebp+65h],	65520A00h

loc_4207A5:				; CODE XREF: .text:loc_42073Aj
		jno	short loc_42081C
		db	65h
		jnb	short near ptr loc_42081C+2
		inc	ebx
		outsd

loc_4207AC:				; CODE XREF: .text:00420741j
		jnz	short loc_42081C
		jz	short near ptr loc_420822+1
		push	esp
		outsd
		jz	short loc_420815
		insb
		add	[eax], ch
		sbb	al, [eax]

loc_4207B9:				; CODE XREF: .text:00420743j
					; .text:loc_42074Ej
		push	edx
		db	65h
		jno	short near ptr loc_420830+2
		db	65h
		jnb	short loc_420834
		inc	edx
		insb
		outsd
		arpl	[ebx+69h], bp
		outsb
		db	67h
		push	esp
		imul	ebp, [ebp+65h],	1A2A0073h
		add	[eax+61h], dl

loc_4207D3:				; CODE XREF: .text:0042076Dj
		jb	short loc_420849
		inc	ecx
		pop	edi
		push	eax

loc_4207D8:				; CODE XREF: .text:00420793j
		jb	short near ptr loc_420842+1
		jbe	short loc_420830
		popa
		db	67h
		jnb	near ptr 7E0h
		or	al, [esi]

loc_4207E2:				; DATA XREF: PopPlTraceLogPowerPlane(x)+1E4o
		or	eax, large ds:0
; 
		dd 0
		db    0
		db 8Ch,	0, 80h
		db    0
aPlpowerplanede	db 'PlPowerPlaneDeviceProfile',0
		db 4Dh
		dd 61737365h, 65566567h
		db 72h
; 

loc_420815:				; CODE XREF: .text:004207B2j
		jnb	short near ptr dword_420880
		outsd
		outsb
		add	[esi], al
		inc	esp

loc_42081C:				; CODE XREF: .text:loc_4207A5j
					; .text:loc_4207ACj ...
		db	65h
		jbe	short loc_420888
		arpl	[ebp+49h], sp

loc_420822:				; CODE XREF: .text:004207AEj
		add	fs:[esi], dl
		push	eax
		outsd
		ja	short near ptr loc_42088D+1
		jb	short near ptr loc_42087A+1
		insb
		popa
		outsb
		db	65h
		dec	ecx

loc_420830:				; CODE XREF: .text:004207DAj
					; .text:004207BAj
		add	fs:[esi], dl
		inc	ebx

loc_420834:				; CODE XREF: .text:004207BDj
		outsd
		insd
		jo	short near ptr loc_4208A1+6
		outsb
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr dword_420880
		outsd
		jnz	short loc_4208AE
		jz	short $+2

loc_420842:				; CODE XREF: .text:loc_4207D8j
		or	[eax+6Fh], dl
		ja	short near ptr loc_4208AB+1
		jb	short loc_42088D

loc_420849:				; CODE XREF: .text:loc_4207D3j
		jb	short near ptr loc_4208AB+1
		ja	short loc_42089A
		ja	short $+2
		pop	es
		inc	esp
		js	short near ptr loc_4208A1+2
		outsd
		ja	short loc_4208BB
		jb	short $+2
		fadd	dword ptr [edx]
		inc	ebp
		js	short loc_4208C0
		insb
		jnz	short loc_4208D3
		imul	esi, [esi+65h],	65776F50h
		jb	short near ptr loc_4208B1+5
		ja	short $+2
		or	[eax+65h], dl
		popa
		imul	edx, [eax+6Fh],	77h
		db	65h
		jb	short near ptr loc_4208C2+1
		ja	short $+2
		or	[esi], al

loc_42087A:				; CODE XREF: .text:00420829j
					; DATA XREF: PopPlTraceLogPowerPlane(x)+33Co
		or	eax, large ds:0
; 
dword_420880	dd 0			; CODE XREF: .text:loc_420815j
					; .text:0042083Bj
		dd 80008100h
; 

loc_420888:				; CODE XREF: .text:loc_42081Cj
		add	[eax+6Ch], dl
		push	eax
		outsd

loc_42088D:				; CODE XREF: .text:00420847j
					; .text:00420827j
		ja	short loc_4208F4
		jb	short loc_4208E1
		insb
		popa
		outsb
		db	65h
		inc	ebx
		outsd
		insd
		jo	short near ptr loc_420907+2

loc_42089A:				; CODE XREF: .text:0042084Bj
		outsb
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_4208ED+2
		jb	short near ptr off_420910

loc_4208A1:				; CODE XREF: .text:00420851j
					; .text:00420836j
		imul	bp, [ebp+0], 654Dh
		jnb	short loc_42091D
		popa

loc_4208AB:				; CODE XREF: .text:00420845j
					; .text:loc_420849j
		db	67h, 65h
		push	esi

loc_4208AE:				; CODE XREF: .text:0042083Ej
		db	65h
		jb	short near ptr loc_420923+1

loc_4208B1:				; CODE XREF: .text:00420867j
		imul	ebp, [edi+6Eh],	6F430600h
		insd
		jo	short near ptr loc_420925+5

loc_4208BB:				; CODE XREF: .text:00420854j
		outsb
		outs	dx, byte ptr gs:[esi]
		jz	short loc_420907

loc_4208C0:				; CODE XREF: .text:0042085Bj
		jnz	short near ptr loc_420925+6

loc_4208C2:				; CODE XREF: .text:00420873j
		add	fs:[edi], cl
		inc	esp
		db	65h
		jbe	short loc_420932
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		push	eax
		outsd
		ja	short near ptr loc_420935+3

loc_4208D3:				; CODE XREF: .text:0042085Ej
		jb	short loc_420925
		insb
		popa
		outsb
		db	65h
		dec	ecx
		add	fs:[esi], dl
		inc	esi
		js	short near ptr loc_42092F+1
		outsd

loc_4208E1:				; CODE XREF: .text:0042088Fj
		ja	short loc_420948
		jb	short $+2
		fadd	dword ptr [edx]
		inc	ebp
		js	short near ptr loc_42094C+1
		insb
		jnz	short near ptr loc_42095F+1

loc_4208ED:				; CODE XREF: .text:0042089Dj
		imul	esi, [esi+65h],	65776F50h

loc_4208F4:				; CODE XREF: .text:loc_42088Dj
		jb	short loc_420943
		ja	short $+2
		or	[eax+65h], dl
		popa
		imul	edx, [eax+6Fh],	77h
		db	65h
		jb	short loc_420950
		ja	short $+2
		or	[esi], al

loc_420907:				; CODE XREF: .text:004208BEj
					; .text:00420898j
					; DATA XREF: ...
		or	eax, large ds:0
; 
		db 3 dup(0)
off_420910	dd offset loc_51FFFF+1	; CODE XREF: .text:0042089Fj
		dd 6C500080h, 65776F50h
		db 72h
; 

loc_42091D:				; CODE XREF: .text:004208A8j
		push	eax
		insb
		popa
		outsb
		db	65h
		push	eax

loc_420923:				; CODE XREF: .text:loc_4208AEj
		jb	short near ptr loc_420992+2

loc_420925:				; CODE XREF: .text:loc_4208D3j
					; .text:004208B9j ...
		imul	bp, [ebp+0], 654Dh
		jnb	short loc_4209A1
		popa

loc_42092F:				; CODE XREF: .text:004208DEj
		db	67h, 65h
		push	esi

loc_420932:				; CODE XREF: .text:004208C6j
		db	65h
		jb	short loc_4209A8

loc_420935:				; CODE XREF: .text:004208D1j
		imul	ebp, [edi+6Eh],	6F500600h
		ja	short near ptr loc_4209A2+1
		jb	short loc_420990
		insb
		popa
		outsb

loc_420943:				; CODE XREF: .text:loc_4208F4j
		db	65h
		dec	ecx
		add	fs:[esi], dl

loc_420948:				; CODE XREF: .text:loc_4208E1j
		inc	esp
		db	65h
		jbe	short loc_4209B5

loc_42094C:				; CODE XREF: .text:004208E8j
		arpl	[ebp+43h], sp
		outsd

loc_420950:				; CODE XREF: .text:00420900j
		jnz	short near ptr loc_4209BF+1
		jz	short $+2
		or	[ebp+76h], al
		imul	esp, [ebx+65h],	65776F50h

loc_42095F:				; CODE XREF: .text:004208EBj
		jb	short near ptr loc_4209AD+1
		ja	short $+2
		pop	es
		push	es

loc_420965:				; DATA XREF: PopPlUnregisterDevice(x)+164o
		or	eax, large ds:0
; 
		db 0
		align 10h
		dd 800077h
aPlunregisterde	db 'PlUnregisterDevice',0
		db 4Dh
		dd 61737365h, 65566567h
; 

loc_420990:				; CODE XREF: .text:0042093Ej
		jb	short loc_420A05

loc_420992:				; CODE XREF: .text:loc_420923j
		imul	ebp, [edi+6Eh],	65440600h
		jbe	short loc_420A04
		arpl	[ebp+49h], sp
		add	fs:[esi], dl

loc_4209A1:				; CODE XREF: .text:0042092Cj
		inc	esp

loc_4209A2:				; CODE XREF: .text:0042093Cj
		db	65h
		jbe	short loc_420A0E
		arpl	[ebp+50h], sp

loc_4209A8:				; CODE XREF: .text:loc_420932j
		outsd
		ja	short near ptr loc_420A0E+2
		jb	short near ptr byte_4209F1

loc_4209AD:				; CODE XREF: .text:loc_42095Fj
		db	65h
		insb
		jz	short loc_420A12
		dec	ebp
		ja	short $+2
		pop	es

loc_4209B5:				; CODE XREF: .text:00420949j
		inc	esp
		db	65h
		jbe	short loc_420A22
		arpl	[ebp+50h], sp
		outsd
		ja	short near ptr loc_420A23+1

loc_4209BF:				; CODE XREF: .text:loc_420950j
		jb	short loc_420A0E
		ja	short $+2
		pop	es
		push	ebx
		jns	short loc_420A3A
		jz	short near ptr loc_420A2D+1
		insd
		push	eax
		outsd
		ja	short near ptr byte_420A33
		jb	short near ptr loc_420A12+2
		db	65h
		insb
		jz	short near ptr byte_420A35
		dec	ebp
		ja	short $+2
		pop	es
		push	ebx
		jns	short loc_420A4E
		jz	short near ptr loc_420A3F+3
		insd
		push	eax
		outsd
		ja	short near ptr loc_420A3F+8
		jb	short near ptr loc_420A2D+4
		ja	short $+2
		pop	es
		push	es

loc_4209E8:				; DATA XREF: PopPlUnregisterComponent(x)+36o
		or	eax, large ds:0
; 
		dw 0
		db 0
byte_4209F1	db 2 dup(0), 39h	; CODE XREF: .text:004209ABj
		dd 50008000h, 726E556Ch, 73696765h, 43726574h
; 

loc_420A04:				; CODE XREF: .text:00420999j
		outsd

loc_420A05:				; CODE XREF: .text:loc_420990j
		insd
		jo	short near ptr loc_420A76+1
		outsb
		outs	dx, byte ptr gs:[esi]
		jz	short $+2
		dec	ebp

loc_420A0E:				; CODE XREF: .text:loc_4209A2j
					; .text:loc_4209BFj ...
		db	65h
		jnb	short loc_420A84
		popa

loc_420A12:				; CODE XREF: .text:004209AFj
					; .text:004209CEj
		db	67h, 65h
		push	esi
		db	65h
		jb	short near ptr loc_420A8A+1
		imul	ebp, [edi+6Eh],	6F430600h
		insd
		jo	short near ptr loc_420A90+1

loc_420A22:				; CODE XREF: .text:004209B6j
		outsb

loc_420A23:				; CODE XREF: .text:004209BDj
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_420A6D+1
		jnz	short near ptr loc_420A90+2
		add	fs:[edi], cl
		push	es

loc_420A2D:				; CODE XREF: .text:004209C7j
					; .text:004209E2j
					; DATA XREF: ...
		or	eax, large ds:0
; 
byte_420A33	db 0			; CODE XREF: .text:004209CCj
		db 0
byte_420A35	db 3 dup(0)		; CODE XREF: .text:004209D2j
		db 57h,	0
; 

loc_420A3A:				; CODE XREF: .text:004209C5j
		add	byte ptr [eax],	50h
		insb
		push	edx

loc_420A3F:				; CODE XREF: .text:004209DBj
					; .text:004209E0j
		imul	esi, gs:[bp+di+74h], 65447265h
		jbe	short loc_420AB3
		arpl	[ebp+0], sp
		dec	ebp

loc_420A4E:				; CODE XREF: .text:004209D9j
		db	65h
		jnb	short near ptr loc_420ABE+6
		popa
		db	67h, 65h
		push	esi
		db	65h
		jb	short loc_420ACB
		imul	ebp, [edi+6Eh],	65440600h
		jbe	short near ptr loc_420AC9+1
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		push	eax
		outsd
		ja	short near ptr loc_420ACF+1
		jb	short near ptr loc_420ABB+2

loc_420A6D:				; CODE XREF: .text:00420A25j
		jb	short near ptr loc_420ADA+4
		imul	bp, [ebp+52h], 6765h

loc_420A76:				; CODE XREF: .text:00420A06j
		imul	esi, [ebx+74h],	64657265h
		add	ds:706D6F43h, cl
		outsd

loc_420A84:				; CODE XREF: .text:loc_420A0Ej
		outsb
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_420ACB+1
		outsd

loc_420A8A:				; CODE XREF: .text:00420A15j
		jnz	short near ptr loc_420AF9+1
		jz	short $+2
		or	[esi], al

loc_420A90:				; CODE XREF: .text:00420A20j
					; .text:00420A27j
					; DATA XREF: ...
		or	eax, large ds:0
; 
		dw 0
		dd 69000000h, 50008000h, 6765526Ch, 65747369h, 6D6F4372h
		dd 656E6F70h
		db 6Eh,	74h, 0
; 

loc_420AB3:				; CODE XREF: .text:00420A48j
		dec	ebp
		db	65h
		jnb	short near ptr loc_420B28+2
		popa
		db	67h, 65h
		push	esi

loc_420ABB:				; CODE XREF: .text:00420A6Bj
		db	65h
		jb	short near ptr loc_420B2F+2

loc_420ABE:				; CODE XREF: .text:loc_420A4Ej
		imul	ebp, [edi+6Eh],	6F430600h
		insd
		jo	short near ptr loc_420B32+5
		outsb

loc_420AC9:				; CODE XREF: .text:00420A5Fj
		outs	dx, byte ptr gs:[esi]

loc_420ACB:				; CODE XREF: .text:00420A55j
					; .text:00420A87j
		jz	short loc_420B14
		jnz	short near ptr loc_420B32+6

loc_420ACF:				; CODE XREF: .text:00420A69j
		add	fs:[edi], cl
		push	eax
		outsd
		ja	short loc_420B3B
		jb	short loc_420B28
		jb	short loc_420B49

loc_420ADA:				; CODE XREF: .text:loc_420A6Dj
		imul	bp, [ebp+52h], 6765h
		imul	esi, [ebx+74h],	64657265h
		add	ds:656C6449h, cl
		push	ebx
		jz	short loc_420B52
		jz	short near ptr loc_420B56+2
		inc	ebx
		outsd
		jnz	short loc_420B65
		jz	short $+2

loc_420AF9:				; CODE XREF: .text:loc_420A8Aj
		or	[ebp+76h], al
		imul	esp, [ebx+65h],	16006449h
		push	es

loc_420B05:				; DATA XREF: PopPlRegisterDeviceIterator(x,x)+171o
		or	eax, large ds:0
; 
		db 0
		align 10h
		dd 800077h
; 

loc_420B14:				; CODE XREF: .text:loc_420ACBj
		push	eax
		insb
		push	edx
		imul	esi, gs:[bp+di+74h], 78467265h
		inc	esp
		db	65h
		jbe	short near ptr loc_420B88+5
		arpl	[ebp+0], sp
		dec	ebp

loc_420B28:				; CODE XREF: .text:00420AD6j
					; .text:00420AB4j
		db	65h
		jnb	short loc_420B9E
		popa
		db	67h, 65h
		push	esi

loc_420B2F:				; CODE XREF: .text:loc_420ABBj
		db	65h
		jb	short loc_420BA5

loc_420B32:				; CODE XREF: .text:00420AC6j
					; .text:00420ACDj
		imul	ebp, [edi+6Eh],	65440600h
		jbe	short near ptr loc_420BA3+1

loc_420B3B:				; CODE XREF: .text:00420AD4j
		arpl	[ebp+49h], sp
		add	fs:[esi], dl
		inc	esp
		db	65h
		jbe	short loc_420BAE
		arpl	[ebp+50h], sp
		outsd

loc_420B49:				; CODE XREF: .text:00420AD8j
		ja	short loc_420BB0
		jb	short near ptr byte_420B91
		db	65h
		insb
		jz	short near ptr loc_420BB0+2
		dec	ebp

loc_420B52:				; CODE XREF: .text:00420AEFj
		ja	short $+2
		pop	es
		inc	esp

loc_420B56:				; CODE XREF: .text:00420AF1j
		db	65h
		jbe	short near ptr loc_420BC1+1
		arpl	[ebp+50h], sp
		outsd
		ja	short near ptr loc_420BC1+3
		jb	short loc_420BAE
		ja	short $+2
		pop	es
		push	ebx

loc_420B65:				; CODE XREF: .text:00420AF5j
		jns	short loc_420BDA
		jz	short near ptr loc_420BCD+1
		insd
		push	eax
		outsd
		ja	short near ptr loc_420BD1+2
		jb	short near ptr loc_420BB3+1
		db	65h
		insb
		jz	short near ptr loc_420BD4+1
		dec	ebp
		ja	short $+2
		pop	es
		push	ebx
		jns	short loc_420BEE
		jz	short near ptr loc_420BE1+1
		insd
		push	eax
		outsd
		ja	short near ptr loc_420BE5+2
		jb	short loc_420BD1
		ja	short $+2
		pop	es
		push	es

loc_420B88:				; CODE XREF: .text:00420B21j
					; DATA XREF: PopPlPublishInitialPowerDraw(x,x)+AAo
		or	eax, large ds:0
; 
		dw 0
		db 0
byte_420B91	db 2 dup(0), 83h	; CODE XREF: .text:00420B4Bj
		dd 50008000h, 6765526Ch
		db 69h,	73h
; 

loc_420B9E:				; CODE XREF: .text:loc_420B28j
		jz	short near ptr loc_420C04+1
		jb	short near ptr loc_420BF6+1
		outsb

loc_420BA3:				; CODE XREF: .text:00420B39j
		jb	short loc_420C0A

loc_420BA5:				; CODE XREF: .text:loc_420B2Fj
		imul	esi, [bp+di+74h], 64657265h
		inc	esi

loc_420BAE:				; CODE XREF: .text:00420B42j
					; .text:00420B5Fj
		js	short loc_420BF4

loc_420BB0:				; CODE XREF: .text:loc_420B49j
					; .text:00420B4Fj
		db	65h
		jbe	short near ptr loc_420C17+5

loc_420BB3:				; CODE XREF: .text:00420B6Ej
		arpl	[ebp+0], sp
		dec	ebp
		db	65h
		jnb	short loc_420C2D
		popa
		db	67h, 65h
		push	esi
		db	65h
		jb	short loc_420C34

loc_420BC1:				; CODE XREF: .text:loc_420B56j
					; .text:00420B5Dj
		imul	ebp, [edi+6Eh],	65440600h
		jbe	short near ptr loc_420C32+1
		arpl	[ebp+49h], sp

loc_420BCD:				; CODE XREF: .text:00420B67j
		add	fs:[esi], dl
		inc	esp

loc_420BD1:				; CODE XREF: .text:00420B82j
					; .text:00420B6Cj
		db	65h
		jbe	short loc_420C3D

loc_420BD4:				; CODE XREF: .text:00420B72j
		arpl	[ebp+50h], sp
		outsd
		ja	short loc_420C3F

loc_420BDA:				; CODE XREF: .text:loc_420B65j
		jb	short near ptr dword_420C20
		db	65h
		insb
		jz	short loc_420C41
		dec	ebp

loc_420BE1:				; CODE XREF: .text:00420B7Bj
		ja	short $+2
		pop	es
		inc	esp

loc_420BE5:				; CODE XREF: .text:00420B80j
		db	65h
		jbe	short near ptr loc_420C4C+5
		arpl	[ebp+50h], sp
		outsd
		ja	short loc_420C53

loc_420BEE:				; CODE XREF: .text:00420B79j
		jb	short loc_420C3D
		ja	short $+2
		pop	es
		push	ebx

loc_420BF4:				; CODE XREF: .text:loc_420BAEj
		jns	short near ptr byte_420C69

loc_420BF6:				; CODE XREF: .text:00420BA0j
		jz	short near ptr loc_420C5C+1
		insd
		push	eax
		outsd
		ja	short near ptr loc_420C5E+4
		jb	short near ptr loc_420C42+1
		db	65h
		insb
		jz	short near ptr dword_420C64
		dec	ebp

loc_420C04:				; CODE XREF: .text:loc_420B9Ej
		ja	short $+2
		pop	es
		push	ebx
		jns	short near ptr loc_420C77+6

loc_420C0A:				; CODE XREF: .text:loc_420BA3j
		jz	short loc_420C71
		insd
		push	eax
		outsd
		ja	short loc_420C76
		jb	short near ptr loc_420C5E+2
		ja	short $+2
		pop	es
		push	es

loc_420C17:				; CODE XREF: .text:loc_420BB0j
					; DATA XREF: PopPlRegisterPowerPlane(x,x)+DEo
		or	eax, large ds:0
; 
		db 3 dup(0)
dword_420C20	dd 3F0000h, 6C500080h, 69676552h ; CODE	XREF: .text:loc_420BDAj
		db 73h
; 

loc_420C2D:				; CODE XREF: .text:00420BB7j
		jz	short loc_420C94
		jb	short loc_420C81
		outsd

loc_420C32:				; CODE XREF: .text:00420BC8j
		ja	short near ptr loc_420C97+2

loc_420C34:				; CODE XREF: .text:00420BBEj
		jb	short loc_420C86
		insb
		popa
		outsb
		db	65h
		push	ebx
		jz	short loc_420C9E

loc_420C3D:				; CODE XREF: .text:loc_420BD1j
					; .text:loc_420BEEj
		jz	short loc_420CB4

loc_420C3F:				; CODE XREF: .text:00420BD8j
		jnb	short $+2

loc_420C41:				; CODE XREF: .text:00420BDEj
		dec	ebp

loc_420C42:				; CODE XREF: .text:00420BFDj
		db	65h
		jnb	short loc_420CB8
		popa
		db	67h, 65h
		push	esi
		db	65h
		jb	short loc_420CBF

loc_420C4C:				; CODE XREF: .text:loc_420BE5j
		imul	ebp, [edi+6Eh],	61500600h

loc_420C53:				; CODE XREF: .text:00420BECj
		jb	short loc_420CC8
		imul	ebp, [esi+67h],	74617453h

loc_420C5C:				; CODE XREF: .text:loc_420BF6j
		jnz	short near ptr loc_420CCE+3

loc_420C5E:				; CODE XREF: .text:00420C11j
					; .text:00420BFBj
					; DATA XREF: ...
		add	[eax+50B060Eh],	cl
; 
dword_420C64	dd 0			; CODE XREF: .text:00420C01j
		db 0
byte_420C69	db 3 dup(0)		; CODE XREF: .text:loc_420BF4j
		dd 80006000h
		db 0
; 

loc_420C71:				; CODE XREF: .text:loc_420C0Aj
		push	eax
		insb
		push	eax
		jnz	short loc_420CD8

loc_420C76:				; CODE XREF: .text:00420C0Fj
		insb

loc_420C77:				; CODE XREF: .text:00420C08j
		imul	esi, [ebx+68h],	74737953h
		db	65h
		insd
		push	eax

loc_420C81:				; CODE XREF: .text:00420C2Fj
		outsd
		ja	short loc_420CE9
		jb	short near ptr loc_420CC8+1

loc_420C86:				; CODE XREF: .text:loc_420C34j
		push	65676E61h
		add	[ebp+65h], cl
		jnb	short near ptr loc_420CFD+6
		popa
		db	67h, 65h
		push	esi

loc_420C94:				; CODE XREF: .text:loc_420C2Dj
		db	65h
		jb	short near ptr loc_420D09+1

loc_420C97:				; CODE XREF: .text:loc_420C32j
		imul	ebp, [edi+6Eh],	6F500600h

loc_420C9E:				; CODE XREF: .text:00420C3Bj
		ja	short near ptr loc_420D04+1
		jb	short near ptr loc_420CF1+1
		insb
		popa
		outsb
		db	65h
		dec	ecx
		add	fs:[esi], dl
		push	ebx
		jns	short near ptr loc_420D1F+1
		jz	short near ptr loc_420D12+2
		insd
		push	eax
		outsd
		ja	short near ptr loc_420D18+1

loc_420CB4:				; CODE XREF: .text:loc_420C3Dj
		jb	short loc_420CFA
		db	65h
		insb

loc_420CB8:				; CODE XREF: .text:loc_420C42j
		jz	short near ptr loc_420D1A+1
		dec	ebp
		ja	short $+2
		pop	es
		push	ebx

loc_420CBF:				; CODE XREF: .text:00420C49j
		jns	short near ptr loc_420D33+1
		jz	short loc_420D28
		insd
		push	eax
		outsd
		ja	short near ptr loc_420D2B+2

loc_420CC8:				; CODE XREF: .text:loc_420C53j
					; .text:00420C84j
		jb	short loc_420D17
		ja	short $+2
		pop	es
		push	es

loc_420CCE:				; CODE XREF: .text:loc_420C5Cj
					; DATA XREF: PopPlNotifyDeviceDState+84B7Co
		or	eax, large ds:0
; 
		dd 0
; 

loc_420CD8:				; CODE XREF: .text:00420C74j
		add	[eax+eax+6C500080h], dl
		dec	esi
		outsd
		jz	short near ptr loc_420D4B+1
		db	66h
		jns	short near ptr loc_420D28+2
		db	65h
		jbe	short loc_420D52

loc_420CE9:				; CODE XREF: .text:00420C82j
		arpl	[ebp+44h], sp
		push	ebx
		jz	short loc_420D50
		jz	short loc_420D56

loc_420CF1:				; CODE XREF: .text:00420CA0j
		add	[ebp+65h], cl
		jnb	short near ptr loc_420D68+1
		popa
		db	67h, 65h
		push	esi

loc_420CFA:				; CODE XREF: .text:loc_420CB4j
		db	65h
		jb	short near ptr loc_420D6E+2

loc_420CFD:				; CODE XREF: .text:00420C8Ej
		imul	ebp, [edi+6Eh],	65440600h

loc_420D04:				; CODE XREF: .text:loc_420C9Ej
		jbe	short near ptr loc_420D6E+1
		arpl	[ebp+49h], sp

loc_420D09:				; CODE XREF: .text:loc_420C94j
		add	fs:[esi], dl
		push	esp
		jb	short near ptr loc_420D6E+2
		outsb
		jnb	short near ptr loc_420D6E+5

loc_420D12:				; CODE XREF: .text:00420CADj
		arpl	[ecx+ebp*2+6Fh], si
		outsb

loc_420D17:				; CODE XREF: .text:loc_420CC8j
		push	ebx

loc_420D18:				; CODE XREF: .text:00420CB2j
		jz	short loc_420D7B

loc_420D1A:				; CODE XREF: .text:loc_420CB8j
		jz	short loc_420D81
		add	[edx], al
		inc	esp

loc_420D1F:				; CODE XREF: .text:00420CABj
		js	short near ptr byte_420D74
		jz	short near ptr loc_420D83+1
		jz	short near ptr loc_420D89+1
		add	[edx], al
		inc	esp

loc_420D28:				; CODE XREF: .text:00420CC1j
					; .text:00420CE3j
		db	65h
		jbe	short loc_420D94

loc_420D2B:				; CODE XREF: .text:00420CC6j
		arpl	[ebp+50h], sp
		outsd
		ja	short loc_420D96
		jb	short near ptr byte_420D77

loc_420D33:				; CODE XREF: .text:loc_420CBFj
		db	65h
		insb
		jz	short near ptr loc_420D97+1
		dec	ebp
		ja	short $+2
		pop	es
		inc	esp
		db	65h
		jbe	short loc_420DA8
		arpl	[ebp+50h], sp
		outsd
		ja	short loc_420DAA
		jb	short loc_420D94
		ja	short $+2
		pop	es
		push	ebx

loc_420D4B:				; CODE XREF: .text:00420CE1j
		jns	short near ptr loc_420DBF+1
		jz	short loc_420DB4
		insd

loc_420D50:				; CODE XREF: .text:00420CEDj
		push	eax
		outsd

loc_420D52:				; CODE XREF: .text:00420CE6j
		ja	short near ptr loc_420DB7+2
		jb	short loc_420D9A

loc_420D56:				; CODE XREF: .text:00420CEFj
		db	65h
		insb
		jz	short loc_420DBB
		dec	ebp
		ja	short $+2
		pop	es
		push	ebx
		jns	short loc_420DD4
		jz	short loc_420DC8
		insd
		push	eax
		outsd
		ja	short loc_420DCD

loc_420D68:				; CODE XREF: .text:00420CF4j
		jb	short loc_420DB7
		ja	short $+2
		pop	es
		push	es

loc_420D6E:				; CODE XREF: .text:loc_420D04j
					; .text:loc_420CFAj ...
		or	eax, large ds:0
; 
byte_420D74	db 3 dup(0)		; CODE XREF: .text:loc_420D1Fj
byte_420D77	db 0			; CODE XREF: .text:00420D31j
		db 0, 0A3h, 0
; 

loc_420D7B:				; CODE XREF: .text:loc_420D18j
		add	byte ptr [eax],	50h
		insb
		dec	esi
		outsd

loc_420D81:				; CODE XREF: .text:loc_420D1Aj
		jz	short loc_420DEC

loc_420D83:				; CODE XREF: .text:00420D21j
		db	66h
		jns	short loc_420DCA
		db	65h
		jbe	short loc_420DF2

loc_420D89:				; CODE XREF: .text:00420D23j
		arpl	[ebp+46h], sp
		push	ebx
		jz	short loc_420DF0
		jz	short loc_420DF6
		add	[ebp+65h], cl

loc_420D94:				; CODE XREF: .text:loc_420D28j
					; .text:00420D45j
		jnb	short loc_420E09

loc_420D96:				; CODE XREF: .text:00420D2Fj
		popa

loc_420D97:				; CODE XREF: .text:00420D35j
		db	67h, 65h
		push	esi

loc_420D9A:				; CODE XREF: .text:00420D54j
		db	65h
		jb	short near ptr loc_420E0F+1
		imul	ebp, [edi+6Eh],	6F430600h
		insd
		jo	short loc_420E16
		outsb

loc_420DA8:				; CODE XREF: .text:00420D3Cj
		outs	dx, byte ptr gs:[esi]

loc_420DAA:				; CODE XREF: .text:00420D43j
		jz	short near ptr loc_420DF2+1
		jnz	short near ptr loc_420E16+1
		add	fs:[edi], cl
		push	esp
		jb	short near ptr loc_420E13+2

loc_420DB4:				; CODE XREF: .text:00420D4Dj
		outsb
		jnb	short near ptr loc_420E16+2

loc_420DB7:				; CODE XREF: .text:loc_420D68j
					; .text:loc_420D52j
		arpl	[ecx+ebp*2+6Fh], si

loc_420DBB:				; CODE XREF: .text:00420D58j
		outsb
		push	ebx
		jz	short near ptr loc_420E1D+3

loc_420DBF:				; CODE XREF: .text:loc_420D4Bj
		jz	short near ptr word_420E26
		add	[edx], al
		inc	esi
		js	short loc_420E19
		jz	short loc_420E29

loc_420DC8:				; CODE XREF: .text:00420D61j
		jz	short loc_420E2F

loc_420DCA:				; CODE XREF: .text:loc_420D83j
		add	[eax], cl
		inc	esp

loc_420DCD:				; CODE XREF: .text:00420D66j
		db	65h
		jbe	short loc_420E39
		arpl	[ebp+50h], sp
		outsd

loc_420DD4:				; CODE XREF: .text:00420D5Fj
		ja	short loc_420E3B
		jb	short loc_420E1C
		db	65h
		insb
		jz	short loc_420E3D
		dec	ebp
		ja	short $+2
		pop	es
		inc	esp
		db	65h
		jbe	short near ptr loc_420E4C+1
		arpl	[ebp+50h], sp
		outsd
		ja	short loc_420E4F
		jb	short loc_420E39

loc_420DEC:				; CODE XREF: .text:loc_420D81j
		ja	short $+2
		pop	es
		push	ebx

loc_420DF0:				; CODE XREF: .text:00420D8Dj
		jns	short near ptr loc_420E62+3

loc_420DF2:				; CODE XREF: .text:00420D86j
					; .text:loc_420DAAj
		jz	short near ptr loc_420E57+2
		insd
		push	eax

loc_420DF6:				; CODE XREF: .text:00420D8Fj
		outsd
		ja	short loc_420E5E
		jb	short near ptr loc_420E3D+2
		db	65h
		insb
		jz	short loc_420E60
		dec	ebp
		ja	short $+2
		pop	es
		push	ebx
		jns	short near ptr loc_420E78+1
		jz	short loc_420E6D
		insd

loc_420E09:				; CODE XREF: .text:loc_420D94j
		push	eax
		outsd
		ja	short near ptr loc_420E6E+4
		jb	short near ptr loc_420E5B+1

loc_420E0F:				; CODE XREF: .text:loc_420D9Aj
		ja	short $+2
		pop	es
		inc	esp

loc_420E13:				; CODE XREF: .text:00420DB2j
		db	65h
		jbe	short loc_420E7F

loc_420E16:				; CODE XREF: .text:00420DA5j
					; .text:00420DACj ...
		arpl	[ebp+49h], sp

loc_420E19:				; CODE XREF: .text:00420DC4j
		add	fs:[esi], dl

loc_420E1C:				; CODE XREF: .text:00420DD6j
		push	es

loc_420E1D:				; CODE XREF: .text:00420DBDj
					; DATA XREF: PopPublishAndPurgePowerRequestStats(x,x,x)+1D4o
		or	eax, large ds:0
; 
		db 0
		db 2 dup(0)
word_420E26	dw 0			; CODE XREF: .text:loc_420DBFj
; 
		pop	edi

loc_420E29:				; CODE XREF: .text:00420DC6j
		add	[eax+776F5000h], al

loc_420E2F:				; CODE XREF: .text:loc_420DC8j
		db	65h
		jb	short loc_420E84
		db	65h
		jno	short near ptr loc_420EA8+2
		db	65h
		jnb	short near ptr loc_420EAB+1
		push	ebx

loc_420E39:				; CODE XREF: .text:loc_420DCDj
					; .text:00420DEAj
		jz	short loc_420E9C

loc_420E3B:				; CODE XREF: .text:loc_420DD4j
		jz	short near ptr loc_420EAF+1

loc_420E3D:				; CODE XREF: .text:00420DDAj
					; .text:00420DF9j
		add	[ecx+63h], al
		jz	short loc_420EAB
		outsd
		outsb
		add	[edx], al
		push	eax
		outsd
		ja	short loc_420EAF
		jb	short near ptr loc_420E9D+1

loc_420E4C:				; CODE XREF: .text:00420DE1j
		db	65h
		jno	short near ptr loc_420EC3+1

loc_420E4F:				; CODE XREF: .text:00420DE8j
		db	65h
		jnb	short near ptr loc_420EC5+1
		db	65h
		jb	short loc_420EA3
		popa
		insd

loc_420E57:				; CODE XREF: .text:loc_420DF2j
		add	gs:[ecx], al
		inc	ecx

loc_420E5B:				; CODE XREF: .text:00420E0Dj
		arpl	[ebx+72h], sp

loc_420E5E:				; CODE XREF: .text:00420DF7j
		jnz	short loc_420EC5

loc_420E60:				; CODE XREF: .text:00420DFDj
		db	64h
		push	esp

loc_420E62:				; CODE XREF: .text:loc_420DF0j
		imul	ebp, [ebp+65h],	636553h
		or	dl, [edx+75h]
		outsb

loc_420E6D:				; CODE XREF: .text:00420E06j
		outsb

loc_420E6E:				; CODE XREF: .text:00420E0Bj
		imul	ebp, [esi+67h],	63530D00h
		outs	dx, byte ptr gs:[esi]
		popa

loc_420E78:				; CODE XREF: .text:00420E04j
		jb	short near ptr loc_420EE2+1
		outsd
		dec	ecx
		outsb
		jnb	short loc_420EF3

loc_420E7F:				; CODE XREF: .text:loc_420E13j
		popa
		outsb
		arpl	[ebp+49h], sp

loc_420E84:				; CODE XREF: .text:loc_420E2Fj
		add	fs:[edx], cl
		push	es

loc_420E88:				; DATA XREF: PopLogPowerRequestAction(x,x,x)+83o
		or	eax, large ds:0
; 
		dw 0
		dd 52000000h, 50008000h, 7265776Fh
; 

loc_420E9C:				; CODE XREF: .text:loc_420E39j
		push	edx

loc_420E9D:				; CODE XREF: .text:00420E4Aj
		db	65h
		jno	short near ptr loc_420F0F+6
		db	65h
		jnb	short loc_420F17

loc_420EA3:				; CODE XREF: .text:00420E52j
		push	ebx
		jz	short loc_420F07
		jz	short loc_420F1B

loc_420EA8:				; CODE XREF: .text:00420E32j
		add	[ecx+63h], al

loc_420EAB:				; CODE XREF: .text:00420E40j
					; .text:00420E35j
		jz	short loc_420F16
		outsd
		outsb

loc_420EAF:				; CODE XREF: .text:00420E48j
					; .text:loc_420E3Bj
		add	[edx], al
		push	eax
		outsd
		ja	short near ptr loc_420F18+2
		jb	short loc_420F09
		db	65h
		jno	short loc_420F2F
		db	65h
		jnb	short near ptr loc_420F2F+2
		db	65h
		jb	short $+3
		add	[eax+6Fh], edx

loc_420EC3:				; CODE XREF: .text:loc_420E4Cj
		ja	short near ptr loc_420F28+2

loc_420EC5:				; CODE XREF: .text:loc_420E5Ej
					; .text:loc_420E4Fj
		jb	short near ptr loc_420F18+1
		db	65h
		jno	short near ptr loc_420F3A+5
		db	65h
		jnb	short loc_420F41
		dec	ecx
		add	fs:[edi], al
		push	eax
		outsd
		ja	short loc_420F3A
		jb	short near ptr loc_420F28+1
		db	65h
		jno	short near ptr loc_420F4E+1
		db	65h
		jnb	short near ptr loc_420F4E+3
		db	65h
		jb	short near ptr loc_420F33+1
		jns	short near ptr loc_420F4E+4

loc_420EE2:				; CODE XREF: .text:loc_420E78j
		add	gs:[eax], cl
		push	es

loc_420EE6:				; DATA XREF: PopSqmThermalZoneEnumeration(x,x,x,x,x,x,x,x,x,x,x,x)+1ABo
		or	eax, large ds:0
; 
		dd 400000h
		db 0, 2	dup(1)
; 

loc_420EF3:				; CODE XREF: .text:00420E7Dj
		add	byte ptr [eax],	54h
		push	616D7265h
		insb
		pop	edx
		outsd
		outsb
		db	65h
		inc	ebp
		outsb
		jnz	short near ptr loc_420F70+1
		db	65h
		jb	short near ptr loc_420F67+1

loc_420F07:				; CODE XREF: .text:00420EA4j
		jz	short near ptr loc_420F70+2

loc_420F09:				; CODE XREF: .text:00420EB5j
		outsd
		outsb
		add	[ebp+76h], ah

loc_420F0F:				; CODE XREF: .text:loc_420E9Dj
		imul	esp, [ebx+65h],	74736E49h

loc_420F16:				; CODE XREF: .text:loc_420EABj
		popa

loc_420F17:				; CODE XREF: .text:00420EA0j
		outsb

loc_420F18:				; CODE XREF: .text:loc_420EC5j
					; .text:00420EB3j
		arpl	[ebp+0], sp

loc_420F1B:				; CODE XREF: .text:00420EA6j
		add	[ecx+63h], esp
		jz	short loc_420F89
		jbe	short near ptr loc_420F86+1
		push	esp
		jb	short near ptr loc_420F8D+1
		jo	short near ptr loc_420F76+1
		outsd

loc_420F28:				; CODE XREF: .text:00420ED5j
					; .text:loc_420EC3j
		imul	ebp, [esi+74h],	61080030h

loc_420F2F:				; CODE XREF: .text:00420EB7j
					; .text:00420EBAj
		arpl	[ecx+ebp*2+76h], si

loc_420F33:				; CODE XREF: .text:00420EDDj
		db	65h
		push	esp
		jb	short near ptr loc_420F9A+6
		jo	short loc_420F89
		outsd

loc_420F3A:				; CODE XREF: .text:00420ED3j
					; .text:00420EC7j
		imul	ebp, [esi+74h],	63080031h

loc_420F41:				; CODE XREF: .text:00420ECAj
		jb	short loc_420FAC
		jz	short loc_420FAE
		arpl	[ecx+6Ch], sp
		push	esp
		jb	short near ptr loc_420FB3+1
		jo	short near ptr loc_420F9A+3
		outsd

loc_420F4E:				; CODE XREF: .text:00420ED7j
					; .text:00420EDAj ...
		imul	ebp, [esi+74h],	61700800h
		jnb	short near ptr loc_420FC9+1
		imul	esi, [esi+65h],	70697254h
		push	eax
		outsd
		imul	ebp, [esi+74h],	68740800h

loc_420F67:				; CODE XREF: .text:00420F04j
		db	65h
		jb	short near ptr loc_420FD5+2
		popa
		insb
		jnb	short near ptr loc_420FE1+1
		popa
		outsb

loc_420F70:				; CODE XREF: .text:00420F02j
					; .text:loc_420F07j
		bound	edi, fs:[ecx+54h]
		jb	short near ptr loc_420FDC+3

loc_420F76:				; CODE XREF: .text:00420F25j
		jo	short near ptr loc_420FC7+1
		outsd
		imul	ebp, [esi+74h],	34730800h
		push	esp
		jb	short loc_420FE4
		outsb
		jnb	short loc_420FEF

loc_420F86:				; CODE XREF: .text:00420F20j
		jz	short near ptr loc_420FEF+2
		outsd

loc_420F89:				; CODE XREF: .text:00420F1Ej
					; .text:00420F37j
		outsb
		push	esp
		jb	short near ptr loc_420FF3+3

loc_420F8D:				; CODE XREF: .text:00420F23j
		jo	short near ptr loc_420FDC+3
		outsd
		imul	ebp, [esi+74h],	61730800h
		insd
		jo	short loc_421006

loc_420F9A:				; CODE XREF: .text:00420F4Bj
					; .text:00420F35j
		imul	ebp, [esi+67h],	69726550h
		outsd
		add	fs:[eax], cl
		jz	short near ptr loc_42100E+1
		db	65h
		jb	short loc_421017
		popa
		insb

loc_420FAC:				; CODE XREF: .text:loc_420F41j
		inc	ebx
		outsd

loc_420FAE:				; CODE XREF: .text:00420F43j
		outsb
		jnb	short near ptr loc_421024+1
		popa
		outsb

loc_420FB3:				; CODE XREF: .text:00420F49j
		jz	short loc_420FE6
		add	[eax], cl
		jz	short loc_421021
		db	65h
		jb	short near ptr loc_421028+1
		popa
		insb
		inc	ebx
		outsd
		outsb
		jnb	short near ptr loc_421031+6
		popa
		outsb
		jz	short near ptr byte_420FF9

loc_420FC7:				; CODE XREF: .text:loc_420F76j
		add	[eax], cl

loc_420FC9:				; CODE XREF: .text:00420F55j
		jp	short near ptr loc_421038+2
		outsb
		db	65h
		inc	esp
		db	65h
		jnb	short near ptr loc_421031+3
		jb	short loc_42103C
		jo	short near ptr loc_421048+1

loc_420FD5:				; CODE XREF: .text:loc_420F67j
		imul	ebp, [edi+6Eh],	75730100h

loc_420FDC:				; CODE XREF: .text:00420F74j
					; .text:loc_420F8Dj
		db	67h, 67h, 65h
		jnb	short near ptr loc_421054+1

loc_420FE1:				; CODE XREF: .text:00420F6Cj
		db	65h, 64h
		push	eax

loc_420FE4:				; CODE XREF: .text:00420F81j
		outsd
		insb

loc_420FE6:				; CODE XREF: .text:loc_420FB3j
		insb
		imul	ebp, [esi+67h],	69726550h
		outsd

loc_420FEF:				; CODE XREF: .text:00420F84j
					; .text:loc_420F86j
		add	fs:[eax], cl
		push	es

loc_420FF3:				; CODE XREF: .text:00420F8Bj
					; DATA XREF: PopSqmThermalCriticalEvent(x,x,x)+1ABo
		or	eax, large ds:0
; 
byte_420FF9	db 2 dup(0), 80h	; CODE XREF: .text:00420FC5j
		dd 0B30000h, 68540080h
		db 65h,	72h
; 

loc_421006:				; CODE XREF: .text:00420F98j
		insd
		popa
		insb
		inc	ebx
		jb	short near ptr loc_421074+1
		jz	short near ptr loc_421076+1

loc_42100E:				; CODE XREF: .text:00420FA5j
		arpl	[ecx+6Ch], sp
		inc	ebp
		jbe	short near ptr loc_421078+1
		outsb
		jz	short $+2

loc_421017:				; CODE XREF: .text:00420FA7j
		jo	short near ptr loc_421086+2
		insb
		imul	esp, [ebx+79h],	76697244h

loc_421021:				; CODE XREF: .text:00420FB7j
		db	65h
		jb	short $+3

loc_421024:				; CODE XREF: .text:00420FAFj
		test	[ebx], al
		jo	short loc_421089

loc_421028:				; CODE XREF: .text:00420FB9j
		jnb	short loc_42109D
		imul	esi, [esi+65h],	61676E45h

loc_421031:				; CODE XREF: .text:00420FCEj
					; .text:00420FC1j
		db	65h
		add	fs:[si+6103h], al

loc_421038:				; CODE XREF: .text:loc_420FC9j
		arpl	[ecx+ebp*2+76h], si

loc_42103C:				; CODE XREF: .text:00420FD1j
		db	65h
		inc	ebp
		outsb
		db	67h
		popa
		db	65h
		add	fs:[si+6D03h], al

loc_421048:				; CODE XREF: .text:00420FD3j
		imul	esi, [ecx+ebp*2+67h], 6F697461h
		outsb
		push	esp
		jns	short loc_4210C4

loc_421054:				; CODE XREF: .text:loc_420FDCj
		add	gs:[eax], cl
		jz	short loc_4210BE
		insd
		jo	short near ptr loc_4210BE+3
		jb	short near ptr loc_4210BE+1
		jz	short near ptr loc_4210D4+1
		jb	short loc_4210C7
		add	[eax], cl
		jz	short loc_4210D8
		imul	esi, [eax+50h],	746E696Fh
		push	esp
		db	65h
		insd
		jo	short near ptr loc_4210D6+1
		jb	short near ptr loc_4210D4+1

loc_421074:				; CODE XREF: .text:0042100Aj
		jz	short near ptr loc_4210EA+1

loc_421076:				; CODE XREF: .text:0042100Cj
		jb	short near ptr loc_4210D8+5

loc_421078:				; CODE XREF: .text:00421012j
		add	[eax], cl
		jz	short loc_4210E1
		insd
		jo	short loc_4210E4
		jb	short near ptr loc_4210E1+1
		jz	short loc_4210F8
		jb	short loc_4210EA
		inc	ecx

loc_421086:				; CODE XREF: .text:loc_421017j
		bound	ebp, [edi+76h]

loc_421089:				; CODE XREF: .text:00421026j
		db	65h
		push	esp
		jb	short near ptr loc_4210EF+7
		jo	short loc_4210DF
		outsd
		imul	ebp, [esi+74h],	7A038400h
		outsd
		outsb
		db	65h
		dec	esi
		popa
		insd

loc_42109D:				; CODE XREF: .text:loc_421028j
		add	gs:[ecx], al
		jp	short loc_421111
		outsb
		db	65h
		inc	esp
		db	65h
		jnb	short near ptr loc_42110A+1
		jb	short near ptr loc_421111+2
		jo	short loc_421120
		imul	ebp, [edi+6Eh],	0B060100h
					; DATA XREF: PopSqmThermalUsermodeEvent(x,x,x,x,x)+98o
		add	eax, 0
; 
		dd 800000h
		db 0, 4Ch
; 

loc_4210BE:				; CODE XREF: .text:00421057j
					; .text:0042105Cj ...
		add	[eax+65685400h], al

loc_4210C4:				; CODE XREF: .text:00421052j
		jb	short loc_421133
		popa

loc_4210C7:				; CODE XREF: .text:00421060j
		insb
		push	ebp
		jnb	short loc_421130
		jb	short near ptr loc_421138+2
		outsd
		db	64h, 65h
		inc	ebp
		jbe	short loc_421138
		outsb

loc_4210D4:				; CODE XREF: .text:0042105Ej
					; .text:00421072j
		jz	short $+2

loc_4210D6:				; CODE XREF: .text:00421070j
		jz	short loc_42114A

loc_4210D8:				; CODE XREF: .text:00421064j
					; .text:loc_421076j
		imul	esi, [eax+50h],	746E696Fh

loc_4210DF:				; CODE XREF: .text:0042108Dj
		add	[eax], cl

loc_4210E1:				; CODE XREF: .text:0042107Aj
					; .text:0042107Fj
		jz	short loc_421148
		insd

loc_4210E4:				; CODE XREF: .text:0042107Dj
		jo	short near ptr loc_42114A+1
		jb	short near ptr loc_421148+1
		jz	short loc_42115F

loc_4210EA:				; CODE XREF: .text:00421083j
					; .text:loc_421074j
		jb	short loc_421151
		add	[eax], cl
		insd

loc_4210EF:				; CODE XREF: .text:0042108Bj
		imul	esi, [ecx+ebp*2+67h], 6F697461h
		outsb

loc_4210F8:				; CODE XREF: .text:00421081j
		push	esp
		jns	short near ptr loc_42116A+1
		add	gs:[eax], cl
		imul	ebp, [esi+69h],	74616974h
		outsd
		jb	short $+2
		push	ss
		push	es

loc_42110A:				; CODE XREF: .text:004210A5j
					; DATA XREF: PopSqmFanEnumeration()+42o
		or	eax, large ds:0
; 
		db 0
; 

loc_421111:				; CODE XREF: .text:004210A0j
					; .text:004210A8j
		add	[eax+0], al
		add	[edx], dl
		add	[eax+6E614600h], al
		inc	ebp
		outsb
		jnz	short loc_42118D

loc_421120:				; CODE XREF: .text:004210AAj
		db	65h
		jb	short near ptr loc_421182+2
		jz	short near ptr loc_421189+1
		add	fs:[esi], al

loc_421128:				; DATA XREF: SshpWriteBlocker(x,x,x)+45Eo
		or	eax, large ds:0
; 
		dw 0
; 

loc_421130:				; CODE XREF: .text:004210C9j
		inc	eax
; 
		db 2 dup(0)
; 

loc_421133:				; CODE XREF: .text:loc_4210C4j
		jo	short near ptr loc_421135+1

loc_421135:				; CODE XREF: .text:loc_421133j
		add	byte ptr [eax],	53h

loc_421138:				; CODE XREF: .text:004210D1j
					; .text:004210CBj
		arpl	[ebp+6Eh], sp
		popa
		jb	short near ptr loc_4211A6+1
		outsd
		inc	edx
		insb
		outsd
		arpl	[ebx+65h], bp
		jb	short near ptr loc_421189+2
		popa

loc_421148:				; CODE XREF: .text:loc_4210E1j
					; .text:004210E6j
		jz	short loc_4211AB

loc_42114A:				; CODE XREF: .text:loc_4210D6j
					; .text:loc_4210E4j
		add	[ebx+73h], al
		push	ebx
		db	65h
		jnb	short near ptr loc_4211C1+3

loc_421151:				; CODE XREF: .text:loc_4210EAj
		imul	ebp, [edi+6Eh],	0A006449h
		push	eax
		popa
		jb	short loc_4211C1
		outsb
		jz	short loc_4211A6

loc_42115F:				; CODE XREF: .text:004210E8j
		jnz	short near ptr loc_4211C9+1
		add	fs:[edi], cl
		inc	edx
		insb
		outsd
		arpl	[ebx+65h], bp

loc_42116A:				; CODE XREF: .text:004210F9j
		jb	short near ptr loc_4211B0+3
		jnz	short loc_4211D7
		add	fs:[edi], cl
		inc	esi
		jb	short near ptr loc_4211D7+6
		outs	dx, byte ptr gs:[esi]
		db	64h
		insb
		jns	short near ptr loc_4211C7+1
		popa
		insd
		add	gs:[esi], dl
		inc	edx
		insb
		outsd

loc_421182:				; CODE XREF: .text:loc_421120j
		arpl	[ebx+65h], bp
		jb	short near ptr loc_4211D7+4
		jns	short near ptr loc_4211F8+1

loc_421189:				; CODE XREF: .text:00421123j
					; .text:00421145j
		add	gs:[eax], cl
		inc	ecx

loc_42118D:				; CODE XREF: .text:0042111Ej
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp
		imul	ebp, [ebp+65h],	63410A00h
		jz	short loc_421205
		jbe	short near ptr loc_421201+2
		push	esp
		imul	ebp, [ebp+65h],	6B637542h

loc_4211A6:				; CODE XREF: .text:0042115Dj
					; .text:0042113Cj
		db	65h
		jz	short near ptr loc_42121B+1
		add	[eax], ch

loc_4211AB:				; CODE XREF: .text:loc_421148j
		add	eax, 74634100h

loc_4211B0:				; CODE XREF: .text:loc_42116Aj
		imul	esi, [esi+65h],	656D6954h
		push	eax
		db	65h
		jb	short near ptr loc_4211F8+5
		jnz	short near ptr loc_42121F+1
		imul	esp, [ebp+74h],	0

loc_4211C1:				; CODE XREF: .text:0042115Aj
					; .text:0042114Ej
		sub	al, ds:616E5500h

loc_4211C7:				; CODE XREF: .text:00421178j
		jz	short near ptr loc_421239+4

loc_4211C9:				; CODE XREF: .text:loc_42115Fj
		jb	short near ptr loc_421233+1
		bound	esi, [ebp+74h]
		db	65h, 64h
		inc	ecx
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp

loc_4211D7:				; CODE XREF: .text:0042116Cj
					; .text:00421185j ...
		imul	ebp, [ebp+65h],	6B637542h
		db	65h
		jz	short near ptr loc_421253+1
		add	[eax], ch
		add	eax, 616E5500h
		jz	short near ptr loc_42125D+1
		jb	short near ptr loc_421253+2
		bound	esi, [ebp+74h]
		db	65h, 64h
		inc	ecx
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp

loc_4211F8:				; CODE XREF: .text:00421187j
					; .text:004211B8j
		imul	ebp, [ebp+65h],	42726550h
		jnz	short near ptr loc_42125F+5

loc_421201:				; CODE XREF: .text:0042119Cj
		imul	esp, [ebp+74h],	0

loc_421205:				; CODE XREF: .text:0042119Aj
		sub	al, ds:6E6F4E00h
		inc	ecx
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp
		imul	ebp, [ebp+65h],	6F4E0A00h
		outsb
		inc	ecx

loc_42121B:				; CODE XREF: .text:loc_4211A6j
		arpl	[ecx+ebp*2+76h], si

loc_42121F:				; CODE XREF: .text:004211BBj
		db	65h
		push	esp
		imul	ebp, [ebp+65h],	6B637542h
		db	65h
		jz	short loc_42129E
		add	[eax], ch
		add	eax, 6E6F4E00h
		inc	ecx

loc_421233:				; CODE XREF: .text:loc_4211C9j
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp

loc_421239:				; CODE XREF: .text:loc_4211C7j
		imul	ebp, [ebp+65h],	42726550h
		jnz	short near ptr loc_4212A4+1
		imul	esp, [ebp+74h],	0
		sub	al, ds:616E5500h
		jz	short loc_4212C2
		jb	short loc_4212B9
		bound	esi, [ebp+74h]

loc_421253:				; CODE XREF: .text:004211DEj
					; .text:004211EAj
		db	65h, 64h
		dec	esi
		outsd
		outsb
		inc	ecx
		arpl	[ecx+ebp*2+76h], si

loc_42125D:				; CODE XREF: .text:004211E8j
		db	65h
		push	esp

loc_42125F:				; CODE XREF: .text:004211FFj
		imul	ebp, [ebp+65h],	6B637542h
		db	65h
		jz	short loc_4212DC
		add	[eax], ch
		add	eax, 616E5500h
		jz	short near ptr loc_4212E4+2
		jb	short near ptr loc_4212DC+1
		bound	esi, [ebp+74h]
		db	65h, 64h
		dec	esi
		outsd
		outsb
		inc	ecx
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp
		imul	ebp, [ebp+65h],	42726550h
		jnz	short near ptr loc_4212EE+1
		imul	esp, [ebp+74h],	0
		sub	al, ds:72615000h
		jz	short loc_4212D9
		pop	edi
		push	eax
		jb	short loc_421305
		jbe	short loc_4212F2

loc_42129E:				; CODE XREF: .text:00421228j
		popa
		db	67h
		jnb	near ptr 12A2h
		or	al, [esi]

loc_4212A4:				; CODE XREF: .text:00421240j
					; DATA XREF: TtmiLogTerminalDisplayStateChangedEvent(x,x,x)+79o
		or	eax, large ds:100h
; 
		dw 0
		dd 56000000h, 54008000h, 545F4D54h
		db 65h
; 

loc_4212B9:				; CODE XREF: .text:0042124Ej
		jb	short near ptr loc_421322+6
		imul	ebp, [esi+61h],	7369446Ch

loc_4212C2:				; CODE XREF: .text:0042124Cj
		jo	short near ptr loc_42132B+5
		popa
		jns	short loc_42131A
		jz	short near ptr loc_421329+1
		jz	short near ptr loc_42132B+5
		inc	ebx
		push	65676E61h
		db	64h
		inc	ebp
		jbe	short near ptr loc_421337+3
		outsb
		jz	short $+2
		push	ebx

loc_4212D9:				; CODE XREF: .text:00421296j
		db	65h
		jnb	short near ptr loc_42134E+1

loc_4212DC:				; CODE XREF: .text:00421266j
					; .text:00421272j
		imul	ebp, [edi+6Eh],	8006449h
		push	esp

loc_4212E4:				; CODE XREF: .text:00421270j
		db	65h
		jb	short near ptr loc_421352+2
		imul	ebp, [esi+61h],	64496Ch

loc_4212EE:				; CODE XREF: .text:0042128Aj
		or	[ecx+ebp*2+73h], al

loc_4212F2:				; CODE XREF: .text:0042129Cj
		jo	short near ptr loc_42135E+2
		popa
		jns	short loc_42134A
		jz	short near ptr loc_421359+1
		jz	short near ptr loc_42135E+2
		add	[eax], cl
		push	edx
		db	65h
		popa
		jnb	short near ptr loc_421370+1
		outsb
		add	[eax], cl

loc_421305:				; CODE XREF: .text:0042129Aj
		push	es

loc_421306:				; DATA XREF: TtmiLogDeviceArrivalNotified(x,x,x,x,x,x)+C1o
		or	eax, large ds:100h
; 
		dd 0
; 
		add	[eax+eax-80h], bl
		add	[esp+edx*2+4Dh], dl
		pop	edi
		inc	esp

loc_42131A:				; CODE XREF: .text:004212C5j
		db	65h
		jbe	short loc_421386
		arpl	[ebp+41h], sp
		jb	short near ptr loc_421393+1

loc_421322:				; CODE XREF: .text:loc_4212B9j
		imul	esi, [esi+65h],	65530064h

loc_421329:				; CODE XREF: .text:004212C7j
		jnb	short near ptr loc_42139D+1

loc_42132B:				; CODE XREF: .text:loc_4212C2j
					; .text:004212C9j
		imul	ebp, [edi+6Eh],	8006449h
		push	eax
		jb	short loc_4213A4
		jbe	short near ptr loc_42139D+3

loc_421337:				; CODE XREF: .text:004212D3j
		db	64h, 65h
		jb	short $+4
		or	[edi+ebp*2+6Bh], dl
		outs	dx, byte ptr gs:[esi]
		add	ds:69766544h, dl
		arpl	[ebp+49h], sp

loc_42134A:				; CODE XREF: .text:004212F5j
		add	fs:[eax], cl
		push	eax

loc_42134E:				; CODE XREF: .text:loc_4212D9j
		jb	short near ptr byte_4213BF
		jbe	short near ptr loc_4213B6+5

loc_421352:				; CODE XREF: .text:loc_4212E4j
		db	64h, 65h
		jb	short loc_42139A
		db	65h
		jbe	short near ptr word_4213C2

loc_421359:				; CODE XREF: .text:004212F7j
		arpl	[ebp+54h], sp
		jns	short loc_4213CE

loc_42135E:				; CODE XREF: .text:loc_4212F2j
					; .text:004212F9j
		add	gs:[ebx+edx*2],	dl
		jz	short loc_4213C5
		jz	short near ptr loc_4213DA+1
		jnb	short near ptr loc_4213B6+1
		jnz	short near ptr loc_4213DD+1
		add	[eax+50B060Eh],	cl ; DATA XREF:	TtmiLogError(x,x,x,x)+ECo

loc_421370:				; CODE XREF: .text:00421300j
		add	[edx], al
; 
		dw 0
		dd 0
		dd 80004000h, 4D545400h, 7272455Fh
		db 6Fh,	72h
; 

loc_421386:				; CODE XREF: .text:loc_42131Aj
		add	[ebx+65h], dl
		jnb	short near ptr loc_4213F9+5
		imul	ebp, [edi+6Eh],	8006449h
		inc	esi

loc_421393:				; CODE XREF: .text:00421320j
		jnz	short near ptr loc_421400+3
		arpl	[ecx+ebp*2+6Fh], si
		outsb

loc_42139A:				; CODE XREF: .text:loc_421352j
		add	[edx], al
		dec	esp

loc_42139D:				; CODE XREF: .text:loc_421329j
					; .text:00421335j
		imul	ebp, [esi+65h],	74530800h

loc_4213A4:				; CODE XREF: .text:00421333j
		popa
		jz	short near ptr dword_42141C
		jnb	short near ptr loc_4213EE+4
		outsb
		add	[eax+6174530Eh], cl
		jz	short loc_421427
		jnb	short near ptr loc_421400+3
		jnz	short near ptr loc_421428+2

loc_4213B6:				; CODE XREF: .text:00421366j
					; .text:00421350j
					; DATA XREF: ...
		add	[eax+50B060Eh],	cl
		add	[ecx], al
; 
		db 0
byte_4213BF	db 0			; CODE XREF: .text:loc_42134Ej
		db 2 dup(0)
word_4213C2	dw 0			; CODE XREF: .text:00421356j
		db 0
; 

loc_4213C5:				; CODE XREF: .text:00421362j
		dec	esi
		add	[eax+4D545400h], al
		pop	edi
		inc	esp

loc_4213CE:				; CODE XREF: .text:0042135Cj
		db	65h
		jbe	short near ptr loc_421439+1
		arpl	[ebp+53h], sp
		db	65h
		jz	short loc_421420
		outsb
		jo	short near ptr loc_42144D+2

loc_4213DA:				; CODE XREF: .text:00421364j
		jz	short loc_421433
		popa

loc_4213DD:				; CODE XREF: .text:00421368j
		imul	esp, [ebp+43h],	61h
		jo	short near ptr loc_421443+1
		bound	ebp, [ecx+6Ch]
		imul	esi, [ecx+edi*2+0], 73736553h

loc_4213EE:				; CODE XREF: .text:004213A7j
		imul	ebp, [edi+6Eh],	8006449h
		push	esp
		db	65h
		jb	short loc_421466

loc_4213F9:				; CODE XREF: .text:00421389j
		imul	ebp, [esi+61h],	64496Ch

loc_421400:				; CODE XREF: .text:loc_421393j
					; .text:004213B2j
		or	[ebp+76h], al
		imul	esp, [ebx+65h],	8006449h
		inc	ebp
		outsb
		popa
		bound	ebp, [ebp+0]
		or	eax, 50B06h	; DATA XREF: TtmiLogTerminalCleanup(x,x,x)+5Bo
		add	[eax], eax
; 
		db 3 dup(0)
dword_42141C	dd 39000000h		; CODE XREF: .text:004213A5j
; 

loc_421420:				; CODE XREF: .text:004213D4j
		add	[eax+4D545400h], al
		pop	edi

loc_421427:				; CODE XREF: .text:004213B0j
		push	esp

loc_421428:				; CODE XREF: .text:004213B4j
		db	65h
		jb	short near ptr loc_421491+7
		imul	ebp, [esi+61h],	656C436Ch
		popa

loc_421433:				; CODE XREF: .text:loc_4213DAj
		outsb
		jnz	short near ptr loc_4214A5+1
		add	[ebx+65h], dl

loc_421439:				; CODE XREF: .text:loc_4213CEj
		jnb	short near ptr loc_4214AD+1
		imul	ebp, [edi+6Eh],	8006449h
		push	esp

loc_421443:				; CODE XREF: .text:004213E1j
		db	65h
		jb	short loc_4214B3
		imul	ebp, [esi+61h],	64496Ch

loc_42144D:				; CODE XREF: .text:004213D8j
		or	[ebp+72h], dl
		insd
		imul	ebp, [esi+61h],	614006Ch

loc_421459:				; DATA XREF: TtmiLogProximityPowerPress(x,x,x,x,x,x)+C1o
		or	eax, large ds:100h
; 
		db 0
		dd 0
; 
		jb	short $+2

loc_421466:				; CODE XREF: .text:004213F6j
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp
		pop	edi
		push	eax
		jb	short near ptr word_4214DE
		js	short near ptr loc_4214D7+3
		insd
		imul	esi, [ecx+edi*2+50h], 7265776Fh
		push	eax
		jb	short loc_4214E2
		jnb	short loc_4214F2
		add	[ebx+65h], dl
		jnb	short near ptr loc_4214F5+2
		imul	ebp, [edi+6Eh],	8006449h
		inc	ebp
		jnb	short near ptr loc_4214F0+1
		popa
		jo	short near ptr loc_4214F5+1

loc_421491:				; CODE XREF: .text:loc_421428j
		add	fs:[ebx+eax+6E617053h],	al
		push	ebx
		imul	ebp, [esi+63h],	73614C65h
		jz	short near ptr loc_4214F2+1
		jb	short near ptr loc_421509+1

loc_4214A5:				; CODE XREF: .text:00421434j
		jnb	short near ptr word_42151A
		add	[edx], cl
		push	eax
		outsd
		ja	short loc_421512

loc_4214AD:				; CODE XREF: .text:loc_421439j
		jb	short near ptr loc_4214FD+2
		jb	short near ptr loc_421514+2
		jnb	short loc_421526

loc_4214B3:				; CODE XREF: .text:loc_421443j
		inc	ebx
		outsd
		jnz	short loc_421525
		jz	short $+2
		or	[ebx+63h], dl
		outs	dx, byte ptr gs:[esi]
		popa
		jb	short near ptr loc_421528+2
		outsd
		inc	ebx
		outsd
		jnz	short near ptr loc_421530+4
		jz	short $+2
		or	[ebp+73h], al
		arpl	[ecx+70h], sp
		db	65h
		inc	ebx
		outsd
		jnz	short loc_421541
		jz	short $+2
		or	[esi], al

loc_4214D7:				; CODE XREF: .text:0042146Fj
					; DATA XREF: TtmiLogEnterProximity(x)+5Fo
		or	eax, large ds:100h
; 
		db 0
word_4214DE	dw 0			; CODE XREF: .text:0042146Dj
		db 2 dup(0)
; 

loc_4214E2:				; CODE XREF: .text:0042147Bj
		xor	[eax], eax
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp
		pop	edi
		inc	ebp
		outsb
		jz	short near ptr loc_421552+1
		jb	short loc_421540

loc_4214F0:				; CODE XREF: .text:0042148Cj
		jb	short near ptr loc_42155B+6

loc_4214F2:				; CODE XREF: .text:0042147Dj
					; .text:004214A1j
		js	short near ptr loc_42155B+2
		insd

loc_4214F5:				; CODE XREF: .text:0042148Fj
					; .text:00421482j
		imul	esi, [ecx+edi*2+0], 73736553h

loc_4214FD:				; CODE XREF: .text:loc_4214ADj
		imul	ebp, [edi+6Eh],	8006449h
		push	ebx
		arpl	[ebp+6Eh], sp
		popa

loc_421509:				; CODE XREF: .text:004214A3j
		jb	short near ptr dword_421574
		outsd
		inc	ebx
		outsd
		jnz	short loc_42157E
		jz	short $+2

loc_421512:				; CODE XREF: .text:004214ABj
		or	[esi], al

loc_421514:				; CODE XREF: .text:004214AFj
					; DATA XREF: TtmiLogDeviceAssignedTerminalEvent(x,x)+66o
		or	eax, large ds:100h
; 
word_42151A	dw 0			; CODE XREF: .text:loc_4214A5j
		dd 4D000000h, 54008000h
; 
		push	esp

loc_421525:				; CODE XREF: .text:004214B5j
		dec	ebp

loc_421526:				; CODE XREF: .text:004214B1j
		pop	edi
		inc	esp

loc_421528:				; CODE XREF: .text:004214BFj
		db	65h
		jbe	short near ptr loc_421592+2
		arpl	[ebp+41h], sp
		jnb	short near ptr loc_4215A0+3

loc_421530:				; CODE XREF: .text:004214C4j
		imul	esp, [edi+6Eh],	65546465h
		jb	short near ptr loc_4215A0+6
		imul	ebp, [esi+61h],	6576456Ch

loc_421540:				; CODE XREF: .text:004214EEj
		outsb

loc_421541:				; CODE XREF: .text:004214D1j
		jz	short $+2
		push	ebx
		db	65h
		jnb	short loc_4215BA
		imul	ebp, [edi+6Eh],	8006449h
		inc	esp
		db	65h
		jbe	short near ptr loc_4215BA+1

loc_421552:				; CODE XREF: .text:004214ECj
		arpl	[ebp+49h], sp
		add	fs:[eax], cl
		inc	ecx
		jnb	short near ptr loc_4215CD+1

loc_42155B:				; CODE XREF: .text:loc_4214F2j
					; .text:loc_4214F0j
		imul	esp, [edi+6Eh],	65546465h
		jb	short loc_4215D1
		imul	ebp, [esi+61h],	64496Ch
		or	[esi], al

loc_42156D:				; DATA XREF: TtmiLogTerminalDisplayTimeouts(x,x,x,x,x,x,x,x)+CEo
		or	eax, large ds:100h
; 
		db 0
dword_421574	dd 0			; CODE XREF: .text:loc_421509j
		dd 800080h
; 
		push	esp
		push	esp

loc_42157E:				; CODE XREF: .text:0042150Ej
		dec	ebp
		pop	edi
		push	esp
		db	65h
		jb	short loc_4215F1
		imul	ebp, [esi+61h],	6D69546Ch
		outs	dx, dword ptr gs:[esi]
		jnz	short loc_421603
		jnb	short $+2
		push	ebx

loc_421592:				; CODE XREF: .text:loc_421528j
		db	65h
		jnb	short near ptr loc_421606+2
		imul	ebp, [edi+6Eh],	8006449h
		push	esp
		db	65h
		jb	short loc_42160D

loc_4215A0:				; CODE XREF: .text:0042152Ej
					; .text:00421537j
		imul	ebp, [esi+61h],	64496Ch
		or	[ecx+ebp*2+6Dh], al
		push	esp
		imul	ebp, [ebp+65h],	5374756Fh
		arpl	gs:[edi+6Eh], bp
		db	64h
		jnb	short $+3

loc_4215BA:				; CODE XREF: .text:00421544j
					; .text:0042154Fj
		or	[edi+66h], cl
		push	sp
		imul	ebp, [ebp+65h],	5374756Fh
		arpl	gs:[edi+6Eh], bp
		db	64h
		jnb	short $+3

loc_4215CD:				; CODE XREF: .text:00421559j
		or	[ebx+61h], dl
		outsb

loc_4215D1:				; CODE XREF: .text:00421562j
		imul	esi, [ecx+ebp*2+7Ah], 69446465h
		insd
		dec	ecx
		outsb
		jz	short near ptr loc_42162D+5
		imul	ebp, [ebp+65h],	61530A00h
		outsb
		imul	esi, [ecx+ebp*2+7Ah], 664F6465h
		dec	cx
		outsb

loc_4215F1:				; CODE XREF: .text:00421581j
		jz	short loc_421647
		imul	ebp, [ebp+65h],	0B060A00h
					; DATA XREF: TtmiLogTerminalOnRequest(x,x,x)+83o
		add	eax, 100h
; 
		db 0
		db 3 dup(0)
; 

loc_421603:				; CODE XREF: .text:0042158Dj
		add	[edx+0], al

loc_421606:				; CODE XREF: .text:loc_421592j
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp
		pop	edi
		push	esp

loc_42160D:				; CODE XREF: .text:0042159Dj
		db	65h
		jb	short loc_42167D
		imul	ebp, [esi+61h],	526E4F6Ch
		db	65h
		jno	short near ptr loc_42168E+1
		db	65h
		jnb	short loc_421691
		add	[ebx+65h], dl
		jnb	short loc_421695
		imul	ebp, [edi+6Eh],	8006449h
		push	esp
		db	65h
		jb	short near ptr loc_421696+4

loc_42162D:				; CODE XREF: .text:004215DCj
		imul	ebp, [esi+61h],	64496Ch
		or	[edx+65h], dl
		popa
		jnb	short loc_4216A9
		outsb
		add	[eax], cl
		push	eax
		popa
		jz	short loc_4216A9
		push	esp
		popa
		add	[bx], dl
		push	es

loc_421647:				; CODE XREF: .text:loc_4215F1j
					; DATA XREF: TtmiLogTerminalOffRequest(x,x,x)+83o
		or	eax, large ds:100h
; 
		db 3 dup(0)
		dd offset dword_430000
		db  80h	; 
		align 2
aTtm_terminalof	db 'TTM_TerminalOffRequest',0
aSessionid	db 'SessionId',0
		db 8
		dd 6D726554h
		db 69h
; 

loc_42167D:				; CODE XREF: .text:loc_42160Dj
		outsb
		popa
		insb
		dec	ecx
		add	fs:[eax], cl
		push	edx
		db	65h
		popa
		jnb	short near ptr loc_4216F7+1
		outsb
		add	[eax], cl
		push	eax
		popa

loc_42168E:				; CODE XREF: .text:00421617j
		jz	short near ptr loc_4216F7+1
		push	esp

loc_421691:				; CODE XREF: .text:0042161Aj
		popa
		add	[bx], dl

loc_421695:				; CODE XREF: .text:00421620j
		push	es

loc_421696:				; CODE XREF: .text:0042162Aj
					; DATA XREF: TtmiLogTerminalRundown(x)+272o
		or	eax, large ds:100h
; 
		dd 0
; 
		add	[ecx+eax], bh
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp
		pop	edi

loc_4216A9:				; CODE XREF: .text:00421638j
					; .text:0042163Fj
		push	esp
		db	65h
		jb	short near ptr loc_421713+7
		imul	ebp, [esi+61h],	6E75526Ch
		outs	dx, dword ptr fs:[esi]
		ja	short near ptr loc_421721+5
		add	[ebx+65h], dl
		jnb	short loc_421730
		imul	ebp, [edi+6Eh],	8006449h
		push	esp
		db	65h
		jb	short near ptr loc_421733+2
		imul	ebp, [esi+61h],	64496Ch
		or	[ebp+72h], dl
		insd
		imul	ebp, [esi+61h],	6174536Ch
		jz	short near ptr loc_421741+1
		add	[eax], cl
		inc	esp
		imul	esi, [ebx+70h],	5379616Ch
		jz	short near ptr loc_421749+1
		jz	short loc_421750
		add	[eax], cl
		inc	esp
		imul	esi, [ebx+70h],	5379616Ch
		jz	short near ptr loc_421757+1

loc_4216F7:				; CODE XREF: .text:00421687j
					; .text:loc_42168Ej
		jz	short near ptr loc_42175D+1
		push	edx
		db	65h
		popa
		jnb	short near ptr loc_42176B+2
		outsb
		add	[eax], cl
		inc	esi
		imul	ebp, [esp+esi*2+65h], 49646572h
		outsb
		jo	short loc_421782
		jz	short $+2
		or	[eax+65h], dl
		outsb

loc_421713:				; CODE XREF: .text:004216AAj
		imul	ebp, fs:[esi+67h], 664F6E4Fh
		db	66h
		add	[eax], cl
		push	eax
		outs	dx, byte ptr gs:[esi]

loc_421721:				; CODE XREF: .text:004216B6j
		imul	ebp, fs:[esi+67h], 664F6E4Fh
		push	dx
		db	65h
		popa
		jnb	short near ptr loc_42179D+1
		outsb

loc_421730:				; CODE XREF: .text:004216BBj
		add	[eax], cl
		inc	esp

loc_421733:				; CODE XREF: .text:004216C5j
		imul	ebp, [ebp+54h],	6F656D69h
		jnz	short loc_4217B0
		push	ebx
		arpl	gs:[edi+6Eh], bp

loc_421741:				; CODE XREF: .text:004216DBj
		db	64h
		jnb	short $+3
		or	cl, [edi+66h]
		push	sp

loc_421749:				; CODE XREF: .text:004216E7j
		imul	ebp, [ebp+65h],	5374756Fh

loc_421750:				; CODE XREF: .text:004216E9j
		arpl	gs:[edi+6Eh], bp
		db	64h
		jnb	short $+3

loc_421757:				; CODE XREF: .text:004216F5j
		or	bl, [edx+65h]
		jb	short near ptr loc_4217CA+1
		push	esp

loc_42175D:				; CODE XREF: .text:loc_4216F7j
		imul	ebp, [ebp+65h],	72500A00h
		js	short loc_4217D3
		push	ebx
		jo	short loc_4217CA
		outsb
		push	ebx

loc_42176B:				; CODE XREF: .text:004216FCj
		imul	ebp, [esi+63h],	73614C65h
		jz	short near ptr loc_4217C3+1
		jb	short loc_4217DB
		jnb	short loc_4217EB
		add	[edx], cl
		push	eax
		jb	short loc_4217F5
		insd
		push	eax
		outsd
		ja	short near ptr off_4217E7

loc_421782:				; CODE XREF: .text:0042170Bj
		jb	short near ptr loc_4217D3+1
		jb	short loc_4217EB
		jnb	short near ptr loc_4217FA+1
		inc	ebx
		outsd
		jnz	short loc_4217FA
		jz	short $+2
		or	[eax+72h], dl
		js	short near ptr loc_4217FD+3
		push	ebx
		arpl	[ebp+6Eh], sp
		popa
		jb	short near ptr loc_4217FD+6
		outsd
		inc	ebx
		outsd

loc_42179D:				; CODE XREF: .text:0042172Dj
		jnz	short near ptr loc_42180B+2
		jz	short $+2
		or	[eax+72h], dl
		js	short near ptr loc_42180E+5
		inc	ebp
		jnb	short near ptr loc_42180B+1
		popa
		jo	short near ptr loc_42180E+3
		inc	ebx
		outsd
		jnz	short near ptr loc_421819+5

loc_4217B0:				; CODE XREF: .text:0042173Aj
		jz	short $+2
		or	[eax+72h], dl
		js	short loc_421824
		inc	esp
		imul	esi, [ebx+70h],	5379616Ch
		jz	short near ptr loc_421820+2
		jz	short near ptr loc_421824+4

loc_4217C3:				; CODE XREF: .text:00421772j
		add	[eax], cl
		push	eax
		jb	short loc_421840
		insd
		inc	esp

loc_4217CA:				; CODE XREF: .text:00421767j
					; .text:0042175Aj
		imul	esi, [ebx+70h],	5379616Ch
		jz	short near ptr dword_421834

loc_4217D3:				; CODE XREF: .text:00421764j
					; .text:loc_421782j
		jz	short loc_42183A
		push	edx
		db	65h
		popa
		jnb	short loc_421849
		outsb

loc_4217DB:				; CODE XREF: .text:00421774j
		add	[eax], cl
		push	es

loc_4217DE:				; DATA XREF: TtmiLogDeviceToTerminalAssigned(x,x)+66o
		or	eax, large ds:100h
; 
		db 3 dup(0)
off_4217E7	dd offset loc_41FFFD+3	; CODE XREF: .text:00421780j
; 

loc_4217EB:				; CODE XREF: .text:00421776j
					; .text:00421784j
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp
		pop	edi
		inc	esp
		db	65h
		jbe	short loc_42185E

loc_4217F5:				; CODE XREF: .text:0042177Bj
		arpl	[ebp+54h], sp
		outsd
		push	esp

loc_4217FA:				; CODE XREF: .text:0042178Aj
					; .text:00421786j
		db	65h
		jb	short near ptr loc_421868+2

loc_4217FD:				; CODE XREF: .text:00421791j
					; .text:00421798j
		imul	ebp, [esi+61h],	7373416Ch
		imul	esp, [edi+6Eh],	53006465h

loc_42180B:				; CODE XREF: .text:004217A7j
					; .text:loc_42179Dj
		db	65h
		jnb	short near ptr loc_421880+1

loc_42180E:				; CODE XREF: .text:004217AAj
					; .text:004217A4j
		imul	ebp, [edi+6Eh],	8006449h
		push	esp
		db	65h
		jb	short near ptr word_421886

loc_421819:				; CODE XREF: .text:004217AEj
		imul	ebp, [esi+61h],	64496Ch

loc_421820:				; CODE XREF: .text:004217BFj
		or	[ebp+76h], al

loc_421824:				; CODE XREF: .text:004217B5j
					; .text:004217C1j
		imul	esp, [ebx+65h],	8006449h
		push	es

loc_42182C:				; DATA XREF: TtmiLogInitiateModernStandbyTransitionStart(x,x)+66o
		or	eax, large ds:101h
; 
		dw 0
dword_421834	dd 48000000h		; CODE XREF: .text:004217D1j
		db 0, 80h
; 

loc_42183A:				; CODE XREF: .text:loc_4217D3j
		add	[esp+edx*2+4Dh], dl
		pop	edi
		dec	ecx

loc_421840:				; CODE XREF: .text:004217C6j
		outsb
		imul	esi, [ecx+ebp*2+61h], 6F4D6574h

loc_421849:				; CODE XREF: .text:004217D8j
		db	64h, 65h
		jb	short loc_4218BB
		push	ebx
		jz	short loc_4218B1
		outsb
		bound	edi, fs:[ecx+54h]
		jb	short near ptr loc_4218B5+3
		outsb
		jnb	short near ptr loc_4218C2+1
		jz	short loc_4218C5
		outsd
		outsb

loc_42185E:				; CODE XREF: .text:004217F2j
		push	ebx
		jz	short loc_4218C2
		jb	short near ptr byte_4218D7
		add	[ebx+65h], dl
		jnb	short loc_4218DB

loc_421868:				; CODE XREF: .text:loc_4217FAj
		imul	ebp, [edi+6Eh],	8006449h
		inc	ebp
		outsb
		jz	short near ptr byte_4218D8
		jb	short $+2
		test	[ebx], al
		push	edx
		db	65h
		popa
		jnb	short loc_4218EB
		outsb
		add	[eax], cl
		push	es

loc_421880:				; CODE XREF: .text:loc_42180Bj
					; DATA XREF: TtmiLogCalloutStart(x,x,x,x,x)+BBo
		or	eax, large ds:101h
; 
word_421886	dw 0			; CODE XREF: .text:00421816j
		db    0
		dd offset loc_440000
		db 80h,	0, 54h
aTm_devicecallo	db 'TM_DeviceCallout',0
aSessionid_0	db 'SessionId',0
		db 8
		dd 766F7250h
		db 69h
; 

loc_4218B1:				; CODE XREF: .text:0042184Ej
		db	64h, 65h
		jb	short $+4

loc_4218B5:				; CODE XREF: .text:00421855j
		or	[edi+ebp*2+6Bh], dl
		outs	dx, byte ptr gs:[esi]

loc_4218BB:				; CODE XREF: .text:loc_421849j
		add	ds:6C6C6143h, dl
		outsd

loc_4218C2:				; CODE XREF: .text:0042185Fj
					; .text:00421858j
		jnz	short near ptr loc_421932+6
		push	esp

loc_4218C5:				; CODE XREF: .text:0042185Aj
		popa
		add	[bx], dl
		inc	esp
		popa
		jz	short loc_42192E
		add	[eax], cl
		push	es

loc_4218D0:				; DATA XREF: TtmiLogQueueHandleClosed(x,x,x)+68o
		or	eax, large ds:100h
; 
		db 0
byte_4218D7	db 0			; CODE XREF: .text:00421861j
byte_4218D8	db 3 dup(0)		; CODE XREF: .text:00421871j
; 

loc_4218DB:				; CODE XREF: .text:00421866j
		aas
		add	[eax+4D545400h], al
		pop	edi
		push	ecx
		jnz	short near ptr loc_421948+3
		jnz	short near ptr loc_421948+5
		dec	eax
		popa
		outsb

loc_4218EB:				; CODE XREF: .text:0042187Aj
		db	64h
		insb
		db	65h
		inc	ebx
		insb
		outsd
		jnb	short loc_421958
		add	fs:[ecx+75h], dl
		db	65h
		jnz	short near ptr loc_42195E+1
		add	[eax+edx*2], dl
		jb	short near ptr word_42196E
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_421948+5
		add	fs:[ebx+edx*2],	dl
		jns	short near ptr loc_42197B+2
		jz	short loc_421971
		insd
		dec	eax
		popa
		outsb
		db	64h
		insb
		db	65h
		inc	ebx
		outsd
		jnz	short loc_421985
		jz	short $+2
		or	[esi], al

loc_42191B:				; DATA XREF: TtmiLogSessionMonitorControl(x,x,x,x)+67o
		or	eax, large ds:100h
; 
		db 3 dup(0)
		dd 400000h, 54540080h
; 
		dec	ebp
		pop	edi

loc_42192E:				; CODE XREF: .text:004218CBj
		push	ebx
		db	65h
		jnb	short near ptr byte_4219A5

loc_421932:				; CODE XREF: .text:loc_4218C2j
		imul	ebp, [edi+6Eh],	696E6F4Dh
		jz	short loc_4219AA
		jb	short near ptr loc_42197E+2
		outsd
		outsb
		jz	short near ptr loc_4219B2+1
		outsd
		insb
		add	[ebx+65h], dl
		jnb	short near ptr loc_4219BA+1

loc_421948:				; CODE XREF: .text:004218E4j
					; .text:004218E6j ...
		imul	ebp, [edi+6Eh],	8006449h
		push	edx
		db	65h
		popa
		jnb	short near ptr loc_4219C0+3
		outsb
		add	[eax], cl
		push	esp

loc_421958:				; CODE XREF: .text:004218F1j
		jns	short loc_4219CA
		add	gs:[eax], cl
		push	ebx

loc_42195E:				; CODE XREF: .text:004218F7j
		jz	short near ptr loc_4219C0+1
		jz	short loc_4219D7
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_421967:				; DATA XREF: TtmiLogSessionCsExitComplete(x)+46o
		or	eax, large ds:100h
; 
		db 0
word_42196E	dw 0			; CODE XREF: .text:004218FDj
		db 0
; 

loc_421971:				; CODE XREF: .text:0042190Aj
		add	[ecx], ch
		add	[eax+4D545400h], al
		pop	edi
		push	ebx

loc_42197B:				; CODE XREF: .text:00421908j
		db	65h
		jnb	short loc_4219F1

loc_42197E:				; CODE XREF: .text:0042193Bj
		imul	ebp, [edi+6Eh],	78457343h

loc_421985:				; CODE XREF: .text:00421915j
		imul	esi, [ebx+eax*2+6Fh], 656C706Dh
		jz	short near ptr loc_4219F3+1
		add	[ebx+65h], dl
		jnb	short near ptr loc_421A06+1
		imul	ebp, [edi+6Eh],	8006449h
		push	es

loc_42199C:				; DATA XREF: TtmiLogQueueCreated(x)+5Fo
		or	eax, large ds:100h
; 
		dw 0
		db 0
byte_4219A5	db 2 dup(0), 27h	; CODE XREF: .text:0042192Fj
		db 0, 80h
; 

loc_4219AA:				; CODE XREF: .text:00421939j
		add	[esp+edx*2+4Dh], dl
		pop	edi
		push	ecx
		jnz	short near ptr loc_421A15+2

loc_4219B2:				; CODE XREF: .text:0042193Fj
		jnz	short loc_421A19
		inc	ebx
		jb	short loc_421A1C
		popa
		jz	short near ptr loc_421A1E+1

loc_4219BA:				; CODE XREF: .text:00421946j
		add	fs:[ebx+65h], dl
		jnb	short loc_421A33

loc_4219C0:				; CODE XREF: .text:loc_42195Ej
					; .text:00421952j
		imul	ebp, [edi+6Eh],	8006449h
		push	ecx
		jnz	short loc_421A2F

loc_4219CA:				; CODE XREF: .text:loc_421958j
		jnz	short near ptr loc_421A30+1
		add	[esi+eax], dl

loc_4219CF:				; DATA XREF: TtmiLogCalloutWatchdogCrashSkipped(x,x,x,x,x,x)+CFo
		or	eax, large ds:100h
; 
		db 2 dup(0)
; 

loc_4219D7:				; CODE XREF: .text:00421960j
		inc	eax
; 
		dd 780000h, 54540080h, 65445F4Dh, 65636976h, 6C6C6143h
		dd 5774756Fh
; 
		popa

loc_4219F1:				; CODE XREF: .text:loc_42197Bj
		jz	short near ptr loc_421A53+3

loc_4219F3:				; CODE XREF: .text:0042198Dj
		push	43676F64h
		jb	short near ptr byte_421A5B
		jnb	short loc_421A64
		push	ebx
		imul	ebp, [ecx+70h],	70h
		db	65h
		add	fs:[ebx+65h], dl

loc_421A06:				; CODE XREF: .text:00421992j
		jnb	short near ptr loc_421A7A+1
		imul	ebp, [edi+6Eh],	8006449h
		push	eax
		outsd
		ja	short near ptr loc_421A76+2
		jb	short near ptr loc_421A53+3

loc_421A15:				; CODE XREF: .text:004219B0j
		arpl	[ecx+ebp*2+6Fh], si

loc_421A19:				; CODE XREF: .text:loc_4219B2j
		outsb
		add	[eax], cl

loc_421A1C:				; CODE XREF: .text:004219B5j
		inc	ebx
		outsd

loc_421A1E:				; CODE XREF: .text:004219B8j
		db	64h
		add	gs:[eax], cl
		push	eax
		popa
		jb	short near ptr loc_421A85+2
		insd
		db	65h
		jz	short near ptr loc_421A8E+1
		jb	short loc_421A5D
		add	[eax], cl
		push	eax

loc_421A2F:				; CODE XREF: .text:004219C8j
		popa

loc_421A30:				; CODE XREF: .text:loc_4219CAj
		jb	short near ptr loc_421A92+1
		insd

loc_421A33:				; CODE XREF: .text:004219BEj
		db	65h
		jz	short near ptr loc_421A99+2
		jb	short loc_421A6A
		add	[eax], cl
		push	eax
		popa
		jb	short loc_421A9F
		insd
		db	65h
		jz	short near ptr loc_421AA3+4
		jb	short near ptr loc_421A76+1
		add	[eax], cl
		push	eax
		popa
		jb	short near ptr loc_421AA8+3
		insd
		db	65h
		jz	short loc_421AB3
		jb	short near ptr loc_421A83+1
		add	[eax], cl
		push	es

loc_421A53:				; CODE XREF: .text:loc_4219F1j
					; .text:00421A13j
					; DATA XREF: ...
		or	eax, large ds:100h
; 
		db 2 dup(0)
byte_421A5B	db 0			; CODE XREF: .text:004219F8j
		db 0
; 

loc_421A5D:				; CODE XREF: .text:00421A2Aj
		add	[ecx+0], cl
		add	byte ptr [eax],	54h
		push	esp

loc_421A64:				; CODE XREF: .text:004219FAj
		dec	ebp
		pop	edi
		push	ebx
		db	65h
		jnb	short loc_421ADD

loc_421A6A:				; CODE XREF: .text:00421A36j
		imul	ebp, [edi+6Eh],	65776F50h
		jb	short loc_421AC5
		db	65h
		jno	short near ptr loc_421AEA+1

loc_421A76:				; CODE XREF: .text:00421A42j
					; .text:00421A11j
		db	65h
		jnb	short loc_421AED
		inc	ebx

loc_421A7A:				; CODE XREF: .text:loc_421A06j
		jb	short loc_421AE1
		popa
		jz	short loc_421AE4
		add	fs:[ebx+65h], dl

loc_421A83:				; CODE XREF: .text:00421A4Ej
		jnb	short loc_421AF8

loc_421A85:				; CODE XREF: .text:00421A24j
		imul	ebp, [edi+6Eh],	8006449h
		push	eax
		outsd

loc_421A8E:				; CODE XREF: .text:00421A27j
		ja	short near ptr byte_421AF5
		jb	short loc_421AE4

loc_421A92:				; CODE XREF: .text:loc_421A30j
		db	65h
		jno	short loc_421B0A
		db	65h
		jnb	short near ptr loc_421B0A+2
		dec	ecx

loc_421A99:				; CODE XREF: .text:loc_421A33j
		add	fs:[edi], al
		push	esp
		jb	short loc_421B00

loc_421A9F:				; CODE XREF: .text:00421A3Cj
		arpl	[ebx+69h], bp
		outsb

loc_421AA3:				; CODE XREF: .text:00421A3Fj
		add	[si+603h], al

loc_421AA8:				; CODE XREF: .text:00421A48j
					; DATA XREF: TtmiLogQueueHandleOpened(x,x,x)+68o
		or	eax, large ds:100h
; 
		dw 0
		db 3 dup(0)
; 

loc_421AB3:				; CODE XREF: .text:00421A4Bj
		cmp	[eax], eax
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp
		pop	edi
		push	ecx
		jnz	short near ptr loc_421B22+1
		jnz	short near ptr loc_421B22+3
		dec	eax
		popa
		outsb
		db	64h
		insb

loc_421AC5:				; CODE XREF: .text:00421A71j
		db	65h
		inc	ebx
		jb	short near ptr loc_421B2D+1
		popa
		jz	short near ptr loc_421B30+1
		add	fs:[ecx+75h], dl
		db	65h
		jnz	short near ptr loc_421B36+2
		add	[eax+edx*2], dl
		jb	short near ptr loc_421B46+1
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_421B22+4

loc_421ADD:				; CODE XREF: .text:00421A67j
		add	fs:[edi+ecx*2],	dl

loc_421AE1:				; CODE XREF: .text:loc_421A7Aj
		jo	short near ptr loc_421B46+2
		outsb

loc_421AE4:				; CODE XREF: .text:00421A7Dj
					; .text:00421A90j
		push	edx
		db	65h
		popa
		jnb	short near ptr loc_421B56+2
		outsb

loc_421AEA:				; CODE XREF: .text:00421A73j
		add	[eax], cl
		push	es

loc_421AED:				; CODE XREF: .text:loc_421A76j
					; DATA XREF: TtmiLogDeviceEnumeratedTerminalEvent(x,x,x,x,x)+EDo
		or	eax, large ds:100h
; 
		db 0
		db 0
byte_421AF5	db 3 dup(0)		; CODE XREF: .text:loc_421A8Ej
; 

loc_421AF8:				; CODE XREF: .text:loc_421A83j
		jns	short $+2
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp
		pop	edi

loc_421B00:				; CODE XREF: .text:00421A9Dj
		inc	esp
		db	65h
		jbe	short loc_421B6D
		arpl	[ebp+45h], sp
		outsb
		jnz	short near ptr loc_421B72+5

loc_421B0A:				; CODE XREF: .text:loc_421A92j
					; .text:00421A95j
		db	65h
		jb	short near ptr loc_421B6D+1
		jz	short near ptr loc_421B72+2
		db	64h
		push	esp
		db	65h
		jb	short loc_421B81
		imul	ebp, [esi+61h],	6576456Ch
		outsb
		jz	short $+2
		push	ebx
		db	65h
		jnb	short loc_421B95

loc_421B22:				; CODE XREF: .text:00421ABCj
					; .text:00421ABEj ...
		imul	ebp, [edi+6Eh],	8006449h
		inc	esp
		db	65h
		jbe	short loc_421B96

loc_421B2D:				; CODE XREF: .text:00421AC7j
		arpl	[ebp+49h], sp

loc_421B30:				; CODE XREF: .text:00421ACAj
		add	fs:[eax], cl
		inc	ecx
		jnb	short near ptr loc_421BA3+6

loc_421B36:				; CODE XREF: .text:00421AD0j
		imul	esp, [edi+6Eh],	65546465h
		jb	short near ptr loc_421BAB+1
		imul	ebp, [esi+61h],	64496Ch

loc_421B46:				; CODE XREF: .text:00421AD6j
					; .text:loc_421AE1j
		or	[eax+72h], dl
		outsd
		jbe	short near ptr loc_421BB1+4
		db	64h, 65h
		jb	short $+4
		or	[eax+72h], dl
		outsd
		jbe	short near ptr loc_421BBA+5

loc_421B56:				; CODE XREF: .text:00421AE7j
		db	64h, 65h
		jb	short loc_421BAD
		jo	short loc_421BC1
		arpl	[ecx+66h], bp
		imul	esp, [ebx+54h],	657079h
		or	[ecx+64h], cl
		outs	dx, byte ptr gs:[esi]
		jz	short loc_421BD6

loc_421B6D:				; CODE XREF: .text:00421B01j
					; .text:loc_421B0Aj
		jz	short near ptr loc_421BE6+2
		add	[ecx], al
		push	es

loc_421B72:				; CODE XREF: .text:00421B0Dj
					; .text:00421B08j
					; DATA XREF: ...
		or	eax, large ds:100h
; 
		dd 0
		dd 80004500h
		db 0
; 

loc_421B81:				; CODE XREF: .text:00421B11j
		push	esp
		push	esp
		dec	ebp
		pop	edi
		inc	esp
		db	65h
		jbe	short near ptr loc_421BEF+3
		arpl	[ebp+41h], sp
		jnb	short near ptr loc_421C00+1
		imul	esp, [edi+6Eh],	746E656Dh

loc_421B95:				; CODE XREF: .text:00421B1Fj
		push	eax

loc_421B96:				; CODE XREF: .text:00421B2Aj
		outsd
		insb
		imul	esp, [ebx+79h],	746553h
		push	ebx
		db	65h
		jnb	short loc_421C16

loc_421BA3:				; CODE XREF: .text:00421B34j
		imul	ebp, [edi+6Eh],	8006449h
		inc	ecx

loc_421BAB:				; CODE XREF: .text:00421B3Dj
		jnz	short near ptr loc_421C1F+2

loc_421BAD:				; CODE XREF: .text:loc_421B56j
		outsd
		inc	ecx
		jnb	short near ptr loc_421C1F+5

loc_421BB1:				; CODE XREF: .text:00421B4Aj
		imul	esp, [edi+6Eh],	65546F54h
		jb	short near ptr loc_421C26+1

loc_421BBA:				; CODE XREF: .text:00421B54j
		imul	ebp, [esi+61h],	8400306Ch

loc_421BC1:				; CODE XREF: .text:00421B5Aj
		add	eax, [esi]

loc_421BC3:				; DATA XREF: TtmiLogSessionDisplayRequiredPowerRequestUpdated(x,x,x)+5Bo
		or	eax, large ds:100h
; 
		db 3 dup(0)
		dd offset loc_540000
; 
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp
		pop	edi

loc_421BD6:				; CODE XREF: .text:00421B6Bj
		push	ebx
		db	65h
		jnb	short near ptr loc_421C4C+1
		imul	ebp, [edi+6Eh],	65776F50h
		jb	short loc_421C35
		db	65h
		jno	short near ptr byte_421C5B

loc_421BE6:				; CODE XREF: .text:loc_421B6Dj
		db	65h
		jnb	short loc_421C5D
		push	ebp
		jo	short near ptr loc_421C4C+4
		popa
		jz	short near ptr loc_421C53+1

loc_421BEF:				; CODE XREF: .text:00421B86j
		add	fs:[ebx+65h], dl
		jnb	short near ptr loc_421C67+1
		imul	ebp, [edi+6Eh],	8006449h
		push	eax
		outsd
		ja	short loc_421C65

loc_421C00:				; CODE XREF: .text:00421B8Cj
		jb	short near ptr loc_421C53+1
		db	65h
		jno	short near ptr loc_421C78+2
		db	65h
		jnb	short near ptr loc_421C78+4
		dec	ecx
		add	fs:[edi], al
		push	edi
		popa
		jnb	short loc_421C65
		jo	short near ptr loc_421C70+6
		popa
		jz	short near ptr loc_421C78+2
		push	ebx

loc_421C16:				; CODE XREF: .text:00421BA0j
		jnz	short near ptr loc_421C78+3
		arpl	[ebp+73h], sp
		jnb	short loc_421C83
		jnz	short loc_421C8B

loc_421C1F:				; CODE XREF: .text:loc_421BABj
					; .text:00421BAFj
					; DATA XREF: ...
		add	[ebx+eax+50B06h], al

loc_421C26:				; CODE XREF: .text:00421BB8j
		add	[eax], eax
; 
		dd 0
		dd 240000h, 54540080h
; 
		dec	ebp

loc_421C35:				; CODE XREF: .text:00421BE1j
		pop	edi
		push	esp
		db	65h
		jb	short near ptr loc_421CA0+7
		imul	ebp, [esi+61h],	7365446Ch
		jz	short loc_421CB5
		outsd
		jns	short near ptr byte_421CAB
		add	fs:[ebp+72h], dl
		insd

loc_421C4C:				; CODE XREF: .text:00421BD7j
					; .text:00421BEAj
		imul	ebp, [esi+61h],	614006Ch

loc_421C53:				; CODE XREF: .text:00421BEDj
					; .text:loc_421C00j
					; DATA XREF: ...
		or	eax, large ds:100h
; 
		db 2 dup(0)
byte_421C5B	db 0			; CODE XREF: .text:00421BE3j
		db 0
; 

loc_421C5D:				; CODE XREF: .text:loc_421BE6j
		add	[edi+0], al
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp

loc_421C65:				; CODE XREF: .text:00421BFEj
					; .text:00421C0Ej
		pop	edi
		inc	ebp

loc_421C67:				; CODE XREF: .text:00421BF3j
		js	short loc_421CD2
		jz	short near ptr loc_421CBA+1
		jb	short near ptr loc_421CD8+4
		js	short loc_421CD8
		insd

loc_421C70:				; CODE XREF: .text:00421C10j
		imul	esi, [ecx+edi*2+0], 73736553h

loc_421C78:				; CODE XREF: .text:00421C02j
					; .text:00421C13j ...
		imul	ebp, [edi+6Eh],	8006449h
		push	ebx
		arpl	[ebp+6Eh], sp

loc_421C83:				; CODE XREF: .text:00421C1Bj
		popa
		jb	short loc_421CEF
		outsd
		inc	ebx
		outsd
		jnz	short near ptr loc_421CF7+2

loc_421C8B:				; CODE XREF: .text:00421C1Dj
		jz	short $+2
		or	[ebp+73h], al
		arpl	[ecx+70h], sp
		db	65h
		inc	ebx
		outsd
		jnz	short loc_421D06
		jz	short $+2
		or	[ebp+73h], al
		arpl	[ecx+70h], sp

loc_421CA0:				; CODE XREF: .text:00421C37j
					; DATA XREF: TtmiLogSessionPowerRequestAcknowledged(x,x,x,x,x,x,x,x)+F0o
		db	65h
		add	fs:[ebx+eax+50B06h], al
		add	[eax], eax
; 
byte_421CAB	db 0			; CODE XREF: .text:00421C44j
		dd 0
		dd 80008E00h
		db 0
; 

loc_421CB5:				; CODE XREF: .text:00421C41j
		push	esp
		push	esp
		dec	ebp
		pop	edi
		push	ebx

loc_421CBA:				; CODE XREF: .text:00421C69j
		db	65h
		jnb	short near ptr loc_421D2B+5
		imul	ebp, [edi+6Eh],	65776F50h
		jb	short near ptr loc_421D13+5
		db	65h
		jno	short near ptr loc_421D3B+3
		db	65h
		jnb	short loc_421D40
		push	eax
		jb	short loc_421D34
		jnb	short near ptr loc_421D35+1
		outsb

loc_421CD2:				; CODE XREF: .text:loc_421C67j
		jz	short $+2
		push	ebx
		db	65h
		jnb	short loc_421D4B

loc_421CD8:				; CODE XREF: .text:00421C6Dj
					; .text:00421C6Bj
		imul	ebp, [edi+6Eh],	8006449h
		push	eax
		outsd
		ja	short near ptr byte_421D48
		jb	short loc_421D37
		db	65h
		jno	short near ptr loc_421D57+6
		db	65h
		jnb	short near ptr loc_421D5E+1
		dec	ecx
		add	fs:[edi], al

loc_421CEF:				; CODE XREF: .text:00421C84j
		push	eax
		jb	short loc_421D61
		arpl	[ebp+73h], sp
		jnb	short loc_421D40

loc_421CF7:				; CODE XREF: .text:00421C89j
		add	fs:[eax], cl
		push	eax
		outsd
		ja	short near ptr loc_421D62+1
		jb	short loc_421D52
		db	65h
		jno	short loc_421D78
		db	65h
		jnb	short near ptr loc_421D79+1

loc_421D06:				; CODE XREF: .text:00421C96j
		dec	eax
		popa
		outsb
		db	64h
		insb
		add	gs:[ebx+eax*2],	dl
		outsd
		jb	short loc_421D77
		push	edi

loc_421D13:				; CODE XREF: .text:00421CC4j
		imul	ebp, [esi+64h],	6148776Fh
		outsb
		db	64h
		insb
		add	gs:[ebx+eax*2],	dl
		outsd
		jnz	short loc_421D92
		jz	short $+2
		or	[ecx+74h], al
		jz	short loc_421D9D

loc_421D2B:				; CODE XREF: .text:loc_421CBAj
		imul	esp, [edx+75h],	646574h
		test	[ebx], al

loc_421D34:				; CODE XREF: .text:00421CCDj
		push	esp

loc_421D35:				; CODE XREF: .text:00421CCFj
		jb	short loc_421D98

loc_421D37:				; CODE XREF: .text:00421CE3j
		arpl	[ebx+69h], bp
		outsb

loc_421D3B:				; CODE XREF: .text:00421CC6j
		add	[si+603h], al

loc_421D40:				; CODE XREF: .text:00421CC9j
					; .text:00421CF5j
					; DATA XREF: ...
		or	eax, large ds:101h
; 
		dw 0
byte_421D48	db 3 dup(0)		; CODE XREF: .text:00421CE1j
; 

loc_421D4B:				; CODE XREF: .text:00421CD5j
		cmp	[eax], eax
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp

loc_421D52:				; CODE XREF: .text:00421CFEj
		pop	edi
		push	ebx
		db	65h
		jnb	short loc_421DCA

loc_421D57:				; CODE XREF: .text:00421CE5j
		imul	ebp, [edi+6Eh],	65776F50h

loc_421D5E:				; CODE XREF: .text:00421CE8j
		jb	short near ptr loc_421DA2+1
		outsd

loc_421D61:				; CODE XREF: .text:00421CF0j
		outsb

loc_421D62:				; CODE XREF: .text:00421CFCj
		jz	short near ptr loc_421DD1+5
		outsd
		insb
		push	ebx
		jz	short loc_421DCA
		jb	short near ptr loc_421DDD+2
		add	[ebx+65h], dl
		jnb	short loc_421DE3
		imul	ebp, [edi+6Eh],	8006449h

loc_421D77:				; CODE XREF: .text:00421D10j
		dec	edi

loc_421D78:				; CODE XREF: .text:00421D00j
		outsb

loc_421D79:				; CODE XREF: .text:00421D03j
		add	[ebx+eax+73616552h], al
		outsd
		outsb
		add	[eax], cl
		push	es

loc_421D85:				; DATA XREF: TtmiLogCleanupCurrentSessionStart()+5Co
		or	eax, large ds:101h
; 
		db 0
		align 10h
		db 29h,	0
; 

loc_421D92:				; CODE XREF: .text:00421D22j
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp
		pop	edi

loc_421D98:				; CODE XREF: .text:loc_421D35j
		inc	ebx
		insb
		db	65h
		popa
		outsb

loc_421D9D:				; CODE XREF: .text:00421D29j
		jnz	short near ptr loc_421E09+6
		inc	ebx
		jnz	short loc_421E14

loc_421DA2:				; CODE XREF: .text:loc_421D5Ej
		jb	short loc_421E09
		outsb
		jz	short near ptr loc_421DF9+1
		db	65h
		jnb	short near ptr byte_421E1D
		imul	ebp, [edi+6Eh],	73655300h
		jnb	short near ptr byte_421E1C
		outsd
		outsb
		dec	ecx
		add	fs:[eax], cl
		push	es

loc_421DBA:				; DATA XREF: TtmiLogSessionPowerRequestDeleted(x,x,x)+5Bo
		or	eax, large ds:100h
; 
		dd 0
; 
		add	[esi+0], cl
		add	byte ptr [eax],	54h

loc_421DCA:				; CODE XREF: .text:00421D54j
					; .text:00421D67j
		push	esp
		dec	ebp
		pop	edi
		push	ebx
		db	65h
		jnb	short near ptr loc_421E3F+5

loc_421DD1:				; CODE XREF: .text:loc_421D62j
		imul	ebp, [edi+6Eh],	65776F50h
		jb	short loc_421E2C
		db	65h
		jno	short near ptr loc_421E4F+3

loc_421DDD:				; CODE XREF: .text:00421D69j
		db	65h
		jnb	short near ptr loc_421E4F+5
		inc	esp
		db	65h
		insb

loc_421DE3:				; CODE XREF: .text:00421D6Ej
		db	65h
		jz	short loc_421E4B
		add	fs:[ebx+65h], dl
		jnb	short loc_421E5F
		imul	ebp, [edi+6Eh],	8006449h
		push	eax
		outsd
		ja	short loc_421E5C
		jb	short loc_421E4B

loc_421DF9:				; CODE XREF: .text:00421DA5j
		db	65h
		jno	short near ptr loc_421E70+1
		db	65h
		jnb	short near ptr loc_421E70+3
		dec	ecx
		add	fs:[edi], al
		push	edi
		popa
		jnb	short near ptr loc_421E5C+1
		popa
		insb

loc_421E09:				; CODE XREF: .text:loc_421DA2j
					; .text:loc_421D9Dj
		imul	esp, [ebp+eax*2+6Eh], 797274h
		test	[ebx], al
		push	es

loc_421E14:				; CODE XREF: .text:00421DA0j
					; DATA XREF: TtmiLogQueueEnqueueEvent(x,x)+5Ao
		or	eax, large ds:100h
; 
		dw 0
byte_421E1C	db 0			; CODE XREF: .text:00421DB1j
byte_421E1D	db 2 dup(0), 2Fh	; CODE XREF: .text:00421DA7j
		dd 54008000h, 515F4D54h, 65756575h
; 

loc_421E2C:				; CODE XREF: .text:00421DD8j
		inc	ebp
		jbe	short near ptr loc_421E92+2
		outsb
		jz	short loc_421E77
		outsb
		jno	short near ptr loc_421EA8+2
		db	65h
		jnz	short near ptr loc_421E9C+1
		add	fs:[ecx+75h], dl
		db	65h
		jnz	short near ptr loc_421EA2+2

loc_421E3F:				; CODE XREF: .text:00421DCEj
		add	ds:746E6576h[eax*2], dl
		add	[esp+edx*2], dl
		jns	short loc_421EBB

loc_421E4B:				; CODE XREF: .text:loc_421DE3j
					; .text:00421DF7j
		add	gs:[eax], cl
		push	es

loc_421E4F:				; CODE XREF: .text:00421DDAj
					; .text:loc_421DDDj
					; DATA XREF: ...
		or	eax, large ds:100h
; 
		db 3 dup(0)
		dd offset loc_540000
; 

loc_421E5C:				; CODE XREF: .text:00421DF5j
					; .text:00421E05j
		add	byte ptr [eax],	54h

loc_421E5F:				; CODE XREF: .text:00421DEAj
		push	esp
		dec	ebp
		pop	edi
		inc	esp
		db	65h
		jbe	short near ptr loc_421ECE+1
		arpl	[ebp+46h], sp
		jb	short near ptr loc_421ED9+1
		insd
		push	esp
		db	65h
		jb	short near ptr loc_421ED9+4

loc_421E70:				; CODE XREF: .text:loc_421DF9j
					; .text:00421DFCj
		imul	ebp, [esi+61h],	6D65526Ch

loc_421E77:				; CODE XREF: .text:00421E30j
		outsd
		jbe	short near ptr loc_421ED9+6
		add	fs:[ebx+65h], dl
		jnb	short near ptr loc_421EF2+1
		imul	ebp, [edi+6Eh],	8006449h
		push	esp
		db	65h
		jb	short near ptr dword_421EF8
		imul	ebp, [esi+61h],	64496Ch

loc_421E92:				; CODE XREF: .text:00421E2Dj
		or	[eax+72h], dl
		outsd
		jbe	short loc_421F01
		db	64h, 65h
		jb	short $+4

loc_421E9C:				; CODE XREF: .text:00421E35j
		or	[edi+ebp*2+6Bh], dl
		outs	dx, byte ptr gs:[esi]

loc_421EA2:				; CODE XREF: .text:00421E3Cj
		add	ds:69766544h, dl

loc_421EA8:				; CODE XREF: .text:00421E33j
		arpl	[ebp+49h], sp
		add	fs:[eax], cl
		push	es

loc_421EAF:				; DATA XREF: TtmiLogConsoleUserPresent(x,x,x)+5Bo
		or	eax, large ds:100h
; 
		db 3 dup(0)
		db 2 dup(0), 37h
; 

loc_421EBB:				; CODE XREF: .text:00421E49j
		add	[eax+4D545400h], al
		pop	edi
		inc	ebx
		outsd
		outsb
		jnb	short loc_421F36
		insb
		db	65h
		push	ebp
		jnb	short loc_421F31
		jb	short loc_421F1E

loc_421ECE:				; CODE XREF: .text:00421E63j
		jb	short near ptr loc_421F34+1
		jnb	short near ptr loc_421F36+1
		outsb
		jz	short $+2
		push	ebx
		db	65h
		jnb	short loc_421F4C

loc_421ED9:				; CODE XREF: .text:00421E69j
					; .text:00421E6Dj ...
		imul	ebp, [edi+6Eh],	8006449h
		push	edx
		db	65h
		popa
		jnb	short loc_421F54
		outsb
		add	[eax], cl
		push	ebx
		jz	short loc_421F4C
		jz	short near ptr loc_421F61+1
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_421EF2:				; CODE XREF: .text:00421E7Ej
					; DATA XREF: TtmiLogSessionDisplayRequiredReference(x,x,x)+5Bo
		or	eax, large ds:100h
; 
dword_421EF8	dd 0			; CODE XREF: .text:00421E88j
		dd 80004300h
		db 0
; 

loc_421F01:				; CODE XREF: .text:00421E96j
		push	esp
		push	esp
		dec	ebp
		pop	edi
		push	ebx
		db	65h
		jnb	short loc_421F7C
		imul	ebp, [edi+6Eh],	70736944h
		insb
		popa
		jns	short loc_421F66
		db	65h
		jno	short loc_421F8C
		imul	esi, [edx+65h],	66655264h

loc_421F1E:				; CODE XREF: .text:00421ECCj
		db	65h
		jb	short loc_421F86
		outsb
		arpl	[ebp+0], sp
		push	ebx
		db	65h
		jnb	short near ptr loc_421F9B+1
		imul	ebp, [edi+6Eh],	8006449h
		inc	ebx

loc_421F31:				; CODE XREF: .text:00421ECAj
		outsd
		jnz	short near ptr loc_421FA1+1

loc_421F34:				; CODE XREF: .text:loc_421ECEj
		jz	short $+2

loc_421F36:				; CODE XREF: .text:00421EC5j
					; .text:00421ED0j
		or	[ebx+74h], dl
		popa
		jz	short loc_421FB1
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_421F41:				; DATA XREF: TtmiLogCalloutStop(x,x,x,x,x,x,x,x)+25Bo
		or	eax, large ds:102h
; 
		db 0
		dd 4000h
; 

loc_421F4C:				; CODE XREF: .text:00421ED6j
					; .text:00421EE9j
		add	gs:[eax+4D545400h], al
		pop	edi

loc_421F54:				; CODE XREF: .text:00421EE3j
		inc	esp
		db	65h
		jbe	short loc_421FC1
		arpl	[ebp+43h], sp
		popa
		insb
		insb
		outsd
		jnz	short near ptr loc_421FD2+3

loc_421F61:				; CODE XREF: .text:00421EEBj
		add	[ebx+65h], dl
		jnb	short loc_421FD9

loc_421F66:				; CODE XREF: .text:00421F12j
		imul	ebp, [edi+6Eh],	8006449h
		push	eax
		jb	short near ptr loc_421FDC+3
		jbe	short near ptr loc_421FD9+2
		db	64h, 65h
		jb	short $+4
		or	[eax+72h], dl
		outsd
		jbe	short near ptr off_421FE5

loc_421F7C:				; CODE XREF: .text:00421F06j
		db	64h, 65h
		jb	short loc_421FC4
		db	65h
		jbe	short loc_421FEC
		arpl	[ebp+54h], sp

loc_421F86:				; CODE XREF: .text:loc_421F1Ej
		jns	short near ptr loc_421FF3+5
		add	gs:[esp+edx*2],	dl

loc_421F8C:				; CODE XREF: .text:00421F14j
		outsd
		imul	esp, [ebp+6Eh],	0
		adc	eax, 6C6C6143h
		outsd
		jnz	short loc_42200D
		push	esp
		popa

loc_421F9B:				; CODE XREF: .text:00421F26j
		add	[bx], dl
		push	ebx
		jz	short near ptr loc_422001+1

loc_421FA1:				; CODE XREF: .text:00421F32j
		jz	short near ptr loc_422015+3
		jnb	short $+2
		mov	[esi], cl
		inc	esp
		jnz	short loc_42201C
		popa
		jz	short near ptr loc_422015+1
		outsd
		outsb
		add	[edx], cl

loc_421FB1:				; CODE XREF: .text:00421F3Aj
		push	es

loc_421FB2:				; DATA XREF: TtmiLogQueueDestroyed(x)+4Eo
		or	eax, large ds:100h
; 
		dd 0
		dd 80001E00h
		db 0
; 

loc_421FC1:				; CODE XREF: .text:00421F55j
		push	esp
		push	esp
		dec	ebp

loc_421FC4:				; CODE XREF: .text:loc_421F7Cj
		pop	edi
		push	ecx
		jnz	short loc_42202D
		jnz	short near ptr loc_42202D+2
		inc	esp
		db	65h
		jnb	short near ptr loc_422041+1
		jb	short loc_42203F
		jns	short loc_422037

loc_421FD2:				; CODE XREF: .text:00421F5Fj
		add	fs:[ecx+75h], dl
		db	65h
		jnz	short near ptr loc_422039+5

loc_421FD9:				; CODE XREF: .text:00421F64j
					; .text:00421F70j
		add	[esi+eax], dl

loc_421FDC:				; CODE XREF: .text:00421F6Ej
					; DATA XREF: TtmiLogSessionDisplayRequiredDereference(x,x,x)+5Bo
		or	eax, large ds:100h
; 
		dw 0
		db 0
off_421FE5	dd offset loc_450000	; CODE XREF: .text:00421F7Aj
; 
		add	byte ptr [eax],	54h

loc_421FEC:				; CODE XREF: .text:00421F80j
		push	esp
		dec	ebp
		pop	edi
		push	ebx
		db	65h
		jnb	short loc_422066

loc_421FF3:				; CODE XREF: .text:loc_421F86j
		imul	ebp, [edi+6Eh],	70736944h
		insb
		popa
		jns	short near ptr loc_42204F+1
		db	65h
		jno	short near ptr loc_422073+3

loc_422001:				; CODE XREF: .text:00421F9Fj
		imul	esi, [edx+65h],	72654464h
		db	65h, 66h, 65h
		jb	short near ptr loc_422070+2

loc_42200D:				; CODE XREF: .text:00421F97j
		outsb
		arpl	[ebp+0], sp
		push	ebx
		db	65h
		jnb	short loc_422088

loc_422015:				; CODE XREF: .text:00421FABj
					; .text:loc_421FA1j
		imul	ebp, [edi+6Eh],	8006449h

loc_42201C:				; CODE XREF: .text:00421FA8j
		inc	ebx
		outsd
		jnz	short near ptr loc_422088+6
		jz	short $+2
		or	[ebx+74h], dl
		popa
		jz	short loc_42209D
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_42202D:				; CODE XREF: .text:00421FC6j
					; .text:00421FC8j
					; DATA XREF: ...
		or	eax, large ds:100h
; 
		db 0
		db 3 dup(0)
; 

loc_422037:				; CODE XREF: .text:00421FD0j
		add	[ebx], ah

loc_422039:				; CODE XREF: .text:00421FD6j
		add	[eax+4D545400h], al

loc_42203F:				; CODE XREF: .text:00421FCEj
		pop	edi
		push	ebx

loc_422041:				; CODE XREF: .text:00421FCBj
		db	65h
		jnb	short near ptr loc_4220B6+1
		imul	ebp, [edi+6Eh],	69746341h
		jbe	short loc_4220AE
		jz	short loc_4220B4

loc_42204F:				; CODE XREF: .text:00421FFCj
		add	[ebx+65h], dl
		jnb	short loc_4220C7
		imul	ebp, [edi+6Eh],	8006449h
		push	es

loc_42205C:				; DATA XREF: TtmiLogTerminalHandleClosed(x,x,x,x)+7Fo
		or	eax, large ds:100h
; 
		dw 0
		db 2 dup(0)
; 

loc_422066:				; CODE XREF: .text:00421FF0j
		add	[edx+0], dl
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp
		pop	edi
		push	esp

loc_422070:				; CODE XREF: .text:00422008j
		db	65h
		jb	short near ptr loc_4220DE+2

loc_422073:				; CODE XREF: .text:00421FFEj
		imul	ebp, [esi+61h],	6E61486Ch
		db	64h
		insb
		db	65h
		inc	ebx
		insb
		outsd
		jnb	short near ptr loc_4220E5+2
		add	fs:[ebx+65h], dl
		jnb	short near ptr byte_4220FB

loc_422088:				; CODE XREF: .text:00422012j
					; .text:0042201Ej
		imul	ebp, [edi+6Eh],	8006449h
		push	esp
		db	65h
		jb	short loc_422100
		imul	ebp, [esi+61h],	64496Ch
		or	[eax+72h], dl

loc_42209D:				; CODE XREF: .text:00422026j
		outsd
		arpl	[ebp+73h], sp
		jnb	short loc_4220EC
		add	fs:[ebx+edx*2],	dl
		jns	short near ptr loc_42211A+2
		jz	short near ptr loc_42210F+1
		insd
		dec	eax
		popa

loc_4220AE:				; CODE XREF: .text:0042204Bj
		outsb
		db	64h
		insb
		db	65h
		inc	ebx
		outsd

loc_4220B4:				; CODE XREF: .text:0042204Dj
		jnz	short loc_422124

loc_4220B6:				; CODE XREF: .text:loc_422041j
		jz	short $+2
		or	[esi], al

loc_4220BA:				; DATA XREF: TtmiLogQueueDequeueEvent(x,x)+5Ao
		or	eax, large ds:100h
; 
		dd 0
		db 0, 2Fh, 0
; 

loc_4220C7:				; CODE XREF: .text:00422052j
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp
		pop	edi
		push	ecx
		jnz	short near ptr loc_422133+2
		jnz	short near ptr loc_422136+1
		inc	ebp
		jbe	short loc_42213A
		outsb
		jz	short near ptr loc_42211A+2
		db	65h
		jno	short near ptr loc_42214E+2
		db	65h
		jnz	short near ptr byte_422143

loc_4220DE:				; CODE XREF: .text:loc_422070j
		add	fs:[ecx+75h], dl
		db	65h
		jnz	short loc_42214A

loc_4220E5:				; CODE XREF: .text:00422080j
		add	ds:746E6576h[eax*2], dl

loc_4220EC:				; CODE XREF: .text:004220A1j
		add	[esp+edx*2], dl
		jns	short near ptr loc_42215E+3
		add	gs:[eax], cl
		push	es

loc_4220F5:				; DATA XREF: TtmiLogDeviceDepartedTerminalEvent(x)+5Fo
		or	eax, large ds:100h
; 
byte_4220FB	db 0			; CODE XREF: .text:00422086j
		align 10h

loc_422100:				; CODE XREF: .text:00422090j
		cmp	[eax], eax
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp
		pop	edi
		inc	esp
		db	65h
		jbe	short near ptr loc_422174+1
		arpl	[ebp+44h], sp

loc_42210F:				; CODE XREF: .text:004220A9j
		db	65h
		jo	short loc_422173
		jb	short near ptr loc_422187+1
		db	65h, 64h
		push	esp
		db	65h
		jb	short loc_422187

loc_42211A:				; CODE XREF: .text:004220A7j
					; .text:004220D6j
		imul	ebp, [esi+61h],	6576456Ch
		outsb
		jz	short $+2

loc_422124:				; CODE XREF: .text:loc_4220B4j
		push	ebx
		db	65h
		jnb	short near ptr loc_42219A+1
		imul	ebp, [edi+6Eh],	8006449h
		inc	esp
		db	65h
		jbe	short near ptr loc_42219A+2

loc_422133:				; CODE XREF: .text:004220CEj
		arpl	[ebp+49h], sp

loc_422136:				; CODE XREF: .text:004220D0j
		add	fs:[eax], cl
		push	es

loc_42213A:				; CODE XREF: .text:004220D3j
					; DATA XREF: TtmiLogDeviceArrivedTerminalEvent(x,x,x,x,x)+EDo
		or	eax, large ds:100h
; 
		db 3 dup(0)
byte_422143	db 0			; CODE XREF: .text:004220DBj
; 
		add	[esi+0], dh
		add	byte ptr [eax],	54h

loc_42214A:				; CODE XREF: .text:004220E2j
		push	esp
		dec	ebp
		pop	edi
		inc	esp

loc_42214E:				; CODE XREF: .text:004220D8j
		db	65h
		jbe	short near ptr loc_4221B9+1
		arpl	[ebp+41h], sp
		jb	short loc_4221C8
		imul	esi, [esi+65h],	72655464h
		insd

loc_42215E:				; CODE XREF: .text:004220EFj
		imul	ebp, [esi+61h],	6576456Ch
		outsb
		jz	short $+2
		push	ebx
		db	65h
		jnb	short near ptr loc_4221DE+1
		imul	ebp, [edi+6Eh],	8006449h

loc_422173:				; CODE XREF: .text:loc_42210Fj
		inc	esp

loc_422174:				; CODE XREF: .text:00422109j
		db	65h
		jbe	short near ptr loc_4221DE+2
		arpl	[ebp+49h], sp
		add	fs:[eax], cl
		inc	ecx
		jnb	short loc_4221F3
		imul	esp, [edi+6Eh],	65546465h

loc_422187:				; CODE XREF: .text:00422117j
					; .text:00422112j
		jb	short near ptr loc_4221F3+3
		imul	ebp, [esi+61h],	64496Ch
		or	[eax+72h], dl
		outsd
		jbe	short near ptr loc_4221FD+2
		db	64h, 65h
		jb	short $+4

loc_42219A:				; CODE XREF: .text:00422125j
					; .text:00422130j
		or	[eax+72h], dl
		outsd
		jbe	short near ptr loc_422204+5
		db	64h, 65h
		jb	short near ptr loc_4221F3+4
		jo	short loc_42220B
		arpl	[ecx+66h], bp
		imul	esp, [ebx+54h],	657079h
		or	[ecx+64h], cl
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_42221E+2
		jz	short near ptr loc_422230+2

loc_4221B9:				; CODE XREF: .text:loc_42214Ej
		add	[ecx], al
		push	es

loc_4221BC:				; DATA XREF: TtmiLogTerminalStateMachine(x,x,x)+273o
		or	eax, large ds:100h
; 
		dw 0
		dd 31000000h
; 

loc_4221C8:				; CODE XREF: .text:00422154j
		add	[eax+4D545400h], eax
		pop	edi
		push	esp
		db	65h
		jb	short loc_422240
		imul	ebp, [esi+61h],	6174536Ch
		jz	short near ptr loc_422240+1
		dec	ebp
		popa

loc_4221DE:				; CODE XREF: .text:00422169j
					; .text:loc_422174j
		arpl	[eax+69h], bp
		outsb
		add	gs:[ebx+65h], dl
		jnb	short loc_42225B
		imul	ebp, [edi+6Eh],	8006449h
		push	esp
		db	65h
		jb	short near ptr loc_42225F+1

loc_4221F3:				; CODE XREF: .text:0042217Ej
					; .text:loc_422187j ...
		imul	ebp, [esi+61h],	64496Ch
		or	[eax+72h], dl

loc_4221FD:				; CODE XREF: .text:00422194j
		db	65h
		jbe	short loc_422269
		outsd
		jnz	short near ptr loc_422273+3
		inc	esp

loc_422204:				; CODE XREF: .text:0042219Ej
		imul	esi, [ebx+70h],	5379616Ch

loc_42220B:				; CODE XREF: .text:004221A4j
		jz	short loc_42226E
		jz	short near ptr loc_422273+1
		add	[eax], cl
		push	eax
		jb	short near ptr loc_422273+6
		jbe	short loc_42227F
		outsd
		jnz	short near ptr loc_42228A+2
		pop	edx
		db	65h
		jb	short near ptr loc_42228A+2
		push	esp

loc_42221E:				; CODE XREF: .text:004221B5j
		imul	ebp, [ebp+65h],	6F4E0A00h
		ja	short near ptr loc_422273+8
		imul	ebp, [ebp+65h],	69440A00h
		insd
		push	esp

loc_422230:				; CODE XREF: .text:004221B7j
		imul	ebp, [ebp+65h],	5374756Fh
		jo	short near ptr loc_422299+1
		outsb
		add	[edx], cl
		dec	edi
		db	66h, 66h
		push	esp

loc_422240:				; CODE XREF: .text:004221D0j
					; .text:004221DAj
		imul	ebp, [ebp+65h],	5374756Fh
		jo	short loc_4222AA
		outsb
		add	[edx], cl
		inc	esp
		imul	esi, [ebx+70h],	5279616Ch
		db	65h
		jno	short loc_4222CC
		db	65h
		jnb	short near ptr loc_4222CC+2
		inc	ecx

loc_42225B:				; CODE XREF: .text:004221E6j
		arpl	[ecx+ebp*2+76h], si

loc_42225F:				; CODE XREF: .text:004221F0j
		add	gs:[ebx+eax+70736944h],	al
		insb
		popa

loc_422269:				; CODE XREF: .text:loc_4221FDj
		jns	short near ptr loc_4222BB+2
		db	65h
		jno	short near ptr loc_4222DF+4

loc_42226E:				; CODE XREF: .text:loc_42220Bj
		db	65h
		jnb	short near ptr loc_4222DF+6
		inc	ebp
		outsb

loc_422273:				; CODE XREF: .text:0042220Dj
					; .text:00422201j ...
		db	64h, 65h
		add	fs:[ebx+eax+664F6E4Fh],	al
		push	dx

loc_42227F:				; CODE XREF: .text:00422214j
		db	65h
		jno	short near ptr loc_4222F6+1
		db	65h
		jnb	short loc_4222F9
		add	[eax], cl
		dec	edi
		outsb
		dec	edi

loc_42228A:				; CODE XREF: .text:00422217j
					; .text:0042221Aj
		db	66h, 66h
		push	edx
		db	65h
		jno	short loc_422305
		db	65h
		jnb	short near ptr loc_422305+2
		push	edx
		db	65h
		popa
		jnb	short near ptr loc_422305+2
		outsb

loc_422299:				; CODE XREF: .text:00422237j
		add	[eax], cl
		inc	esp
		imul	esi, [ebx+70h],	5379616Ch
		jz	short near ptr loc_422305+1
		jz	short loc_42230C
		add	[eax], cl
		inc	esp

loc_4222AA:				; CODE XREF: .text:00422247j
		imul	esi, [ebx+70h],	5379616Ch
		jz	short near ptr loc_42230E+6
		jz	short loc_42231A
		inc	ebx
		push	65676E61h

loc_4222BB:				; CODE XREF: .text:loc_422269j
		add	fs:[ebx+eax+70736944h],	al
		insb
		popa
		jns	short loc_42231A
		jz	short loc_42232A
		jz	short loc_422330
		inc	ebx

loc_4222CC:				; CODE XREF: .text:00422254j
					; .text:00422257j
		push	65676E61h
		db	64h
		push	edx
		db	65h
		popa
		jnb	short near ptr loc_422345+1
		outsb
		add	[eax], cl
		pop	edx
		db	65h
		jb	short near ptr byte_42234D
		push	esp

loc_4222DF:				; CODE XREF: .text:0042226Bj
					; .text:loc_42226Ej
		imul	ebp, [ebp+65h],	654E0A00h
		js	short near ptr loc_42235B+1
		inc	ebp
		jbe	short near ptr byte_42234C
		insb
		jnz	short loc_42234F
		jz	short loc_422359
		outsd
		outsb
		push	ebx
		jo	short loc_422356
		outsb

loc_4222F6:				; CODE XREF: .text:loc_42227Fj
		add	[edx], cl
		push	es

loc_4222F9:				; CODE XREF: .text:00422282j
					; DATA XREF: TtmiLogInitiateModernStandbyTransitionStop(x)+5Fo
		or	eax, large ds:102h
; 
		db 0
		dd 0
; 
		inc	eax

loc_422305:				; CODE XREF: .text:0042228Dj
					; .text:004222A3j ...
		add	[eax+4D545400h], al
		pop	edi

loc_42230C:				; CODE XREF: .text:004222A5j
		dec	ecx
		outsb

loc_42230E:				; CODE XREF: .text:004222B1j
		imul	esi, [ecx+ebp*2+61h], 6F4D6574h
		db	64h, 65h
		jb	short loc_422388

loc_42231A:				; CODE XREF: .text:004222B3j
					; .text:004222C5j
		push	ebx
		jz	short near ptr loc_42237D+1
		outsb
		bound	edi, fs:[ecx+54h]
		jb	short loc_422385
		outsb
		jnb	short near ptr loc_42238E+2
		jz	short loc_422392
		outsd

loc_42232A:				; CODE XREF: .text:004222C7j
		outsb
		push	ebx
		jz	short loc_42239D
		jo	short $+2

loc_422330:				; CODE XREF: .text:004222C9j
		push	ebx
		db	65h
		jnb	short near ptr loc_4223A6+1
		imul	ebp, [edi+6Eh],	8006449h
		push	ebx
		jz	short loc_42239F
		jz	short near ptr loc_4223B4+1
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_422345:				; CODE XREF: .text:004222D5j
					; DATA XREF: TtmiLogProximityBlockedRequest(x,x,x)+86o
		or	eax, large ds:100h
; 
		db 0
byte_42234C	db 0			; CODE XREF: .text:004222E9j
byte_42234D	db 2 dup(0)		; CODE XREF: .text:004222DBj
; 

loc_42234F:				; CODE XREF: .text:004222ECj
		add	[ecx+0], al
		add	byte ptr [eax],	54h
		push	esp

loc_422356:				; CODE XREF: .text:004222F3j
		dec	ebp
		pop	edi
		push	eax

loc_422359:				; CODE XREF: .text:004222EEj
		jb	short loc_4223CA

loc_42235B:				; CODE XREF: .text:004222E6j
		js	short near ptr word_4223C6
		insd
		imul	esi, [ecx+edi*2+42h], 6B636F6Ch
		db	65h, 64h
		push	edx
		db	65h
		jno	short near ptr loc_4223DF+2
		db	65h
		jnb	short near ptr loc_4223E2+1
		add	[ebx+65h], dl
		jnb	short near ptr loc_4223E2+5
		imul	ebp, [edi+6Eh],	8006449h
		dec	edi
		outsb

loc_42237D:				; CODE XREF: .text:0042231Bj
		add	[ebx+eax+73616552h], al
		outsd

loc_422385:				; CODE XREF: .text:00422322j
		outsb
		add	[eax], cl

loc_422388:				; CODE XREF: .text:00422316j
		push	eax
		popa
		jz	short near ptr loc_4223F2+2
		push	esp
		popa

loc_42238E:				; CODE XREF: .text:00422325j
		add	[bx], dl
		push	es

loc_422392:				; CODE XREF: .text:00422327j
					; DATA XREF: TtmiLogSessionWorkerStart(x)+46o
		or	eax, large ds:101h
; 
		dd 0
		db 0
; 

loc_42239D:				; CODE XREF: .text:0042232Cj
		and	[eax], eax

loc_42239F:				; CODE XREF: .text:0042233Cj
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp
		pop	edi
		push	ebx

loc_4223A6:				; CODE XREF: .text:00422331j
		db	65h
		jnb	short loc_42241C
		imul	ebp, [edi+6Eh],	6B726F57h
		db	65h
		jb	short $+3
		push	ebx

loc_4223B4:				; CODE XREF: .text:0042233Ej
		db	65h
		jnb	short near ptr loc_422427+3
		imul	ebp, [edi+6Eh],	8006449h
		push	es

loc_4223BF:				; DATA XREF: TtmiLogDeviceInputNotified(x,x,x,x,x,x,x)+E0o
		or	eax, large ds:100h
; 
		db 0
word_4223C6	dw 0			; CODE XREF: .text:loc_42235Bj
		db 2 dup(0)
; 

loc_4223CA:				; CODE XREF: .text:loc_422359j
		pusha
		add	[eax+4D545400h], al
		pop	edi
		inc	esp
		db	65h
		jbe	short loc_42243F
		arpl	[ebp+49h], sp
		outsb
		jo	short near ptr loc_42244E+3
		jz	short $+2
		push	ebx

loc_4223DF:				; CODE XREF: .text:00422369j
		db	65h
		jnb	short loc_422455

loc_4223E2:				; CODE XREF: .text:0042236Cj
					; .text:00422372j
		imul	ebp, [edi+6Eh],	8006449h
		push	eax
		jb	short near ptr loc_42245A+1
		jbe	short near ptr loc_422456+1
		db	64h, 65h
		jb	short $+4

loc_4223F2:				; CODE XREF: .text:0042238Aj
		or	[edi+ebp*2+6Bh], dl
		outs	dx, byte ptr gs:[esi]
		add	ds:75706E49h, dl
		jz	short loc_422446
		insb
		popa
		db	67h
		jnb	near ptr 2405h
		or	[ebp+76h], al
		imul	esp, [ebx+65h],	6E756F46h
		add	fs:[ebx+eax+6C6C6957h],	al
		inc	ebp
		jbe	short loc_42247C
		insb

loc_42241C:				; CODE XREF: .text:loc_4223A6j
		jnz	short loc_42247F
		jz	short near ptr loc_422484+1
		add	[ebx+eax+656B6157h], al

loc_422427:				; CODE XREF: .text:loc_4223B4j
					; DATA XREF: TtmiLogDispatchApiStart(x)+5Fo
		add	[ebx+eax+1050B06h], al
		add	[eax], eax
; 
		dd 0
		dd 260000h, 54540080h
; 
		dec	ebp
		pop	edi
		inc	esp

loc_42243F:				; CODE XREF: .text:004223D3j
		imul	esi, [ebx+70h],	68637461h

loc_422446:				; CODE XREF: .text:004223FEj
		inc	ecx
		jo	short loc_4224B2
		add	[ebx+65h], dl
		jnb	short near ptr loc_4224BF+2

loc_42244E:				; CODE XREF: .text:004223DAj
		imul	ebp, [edi+6Eh],	8006449h

loc_422455:				; CODE XREF: .text:loc_4223DFj
		dec	esp

loc_422456:				; CODE XREF: .text:004223ECj
		db	65h
		jbe	short near ptr loc_4224BC+2
		insb

loc_42245A:				; CODE XREF: .text:004223EAj
		add	[eax], cl
		push	es

loc_42245D:				; DATA XREF: TtmiLogSessionPowerControlStop()+54o
		or	eax, large ds:102h
; 
		db 0
		align 8
		dd 80002Bh, 5F4D5454h, 73736553h, 506E6F69h, 7265776Fh
; 

loc_42247C:				; CODE XREF: .text:00422419j
		inc	ebx
		outsd
		outsb

loc_42247F:				; CODE XREF: .text:loc_42241Cj
		jz	short loc_4224F3
		outsd
		insb
		push	ebx

loc_422484:				; CODE XREF: .text:0042241Ej
		jz	short near ptr loc_4224F3+2
		jo	short $+2
		push	ebx
		db	65h
		jnb	short near ptr byte_4224FF
		imul	ebp, [edi+6Eh],	8006449h
		push	es

loc_422494:				; DATA XREF: TtmiLogDisplayPowerRequestSet(x,x,x,x)+98o
		or	eax, large ds:100h
; 
		dw 0
		dd 57000000h, 54008000h, 545F4D54h, 696D7265h, 446C616Eh
		db 69h,	73h
; 

loc_4224B2:				; CODE XREF: .text:00422447j
		jo	short near ptr loc_42251C+4
		popa
		jns	short loc_422507
		outsd
		ja	short near ptr loc_42251C+3
		jb	short loc_42250E

loc_4224BC:				; CODE XREF: .text:loc_422456j
		db	65h
		jno	short near ptr loc_42252F+5

loc_4224BF:				; CODE XREF: .text:0042244Cj
		db	65h
		jnb	short loc_422536
		add	[ebx+65h], dl
		jnb	short near ptr word_42253A
		imul	ebp, [edi+6Eh],	8006449h
		push	esp
		db	65h
		jb	short loc_42253F
		imul	ebp, [esi+61h],	64496Ch
		or	[edx+65h], dl
		jno	short near ptr loc_422552+1
		db	65h
		jnb	short loc_422555
		dec	ecx
		add	fs:[edi], al
		inc	ecx
		arpl	[ecx+ebp*2+76h], si
		add	gs:74617453h, cl
		jnz	short near ptr loc_422565+1

loc_4224F3:				; CODE XREF: .text:loc_42247Fj
					; .text:loc_422484j
					; DATA XREF: ...
		add	[eax+50B060Eh],	cl
		add	[ecx], al
; 
		db 0
		db 3 dup(0)
byte_4224FF	db 0			; CODE XREF: .text:00422489j
		dd 300000h
; 
		add	byte ptr [eax],	54h

loc_422507:				; CODE XREF: .text:004224B5j
		push	esp
		dec	ebp
		pop	edi
		push	ebx
		db	65h
		jnb	short loc_422581

loc_42250E:				; CODE XREF: .text:004224BAj
		imul	ebp, [edi+6Eh],	65776F50h
		jb	short near ptr loc_422569+1
		jz	short loc_42257A
		jz	short loc_422580
		inc	ebx

loc_42251C:				; CODE XREF: .text:004224B8j
					; .text:loc_4224B2j
		push	65676E61h
		add	[ebx+65h], dl
		jnb	short near ptr loc_422597+2
		imul	ebp, [edi+6Eh],	8006449h
		dec	edi
		outsb

loc_42252F:				; CODE XREF: .text:loc_4224BCj
					; DATA XREF: TtmiLogInitCurrentSessionStop(x)+5Fo
		add	[ebx+eax+2050B06h], al

loc_422536:				; CODE XREF: .text:loc_4224BFj
		add	[eax], eax
; 
		db 2 dup(0)
word_42253A	dw 0			; CODE XREF: .text:004224C5j
		db 2 dup(0), 2Fh
; 

loc_42253F:				; CODE XREF: .text:004224CFj
		add	[eax+4D545400h], al
		pop	edi
		dec	ecx
		outsb
		imul	esi, [ebx+eax*2+75h], 6E657272h
		jz	short near ptr byte_4225A5

loc_422552:				; CODE XREF: .text:004224DCj
		db	65h
		jnb	short near ptr loc_4225C7+1

loc_422555:				; CODE XREF: .text:004224DEj
		imul	ebp, [edi+6Eh],	73655300h
		jnb	short loc_4225C7
		outsd
		outsb
		dec	ecx
		add	fs:[eax], cl
		push	ebx

loc_422565:				; CODE XREF: .text:004224F1j
		jz	short near ptr loc_4225C7+1
		jz	short loc_4225DE

loc_422569:				; CODE XREF: .text:00422515j
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_42256E:				; DATA XREF: TtmiLogSessionDeactivate()+54o
		or	eax, large ds:100h
; 
		dd 0
		db 0, 25h
; 

loc_42257A:				; CODE XREF: .text:00422517j
		add	[eax+4D545400h], al

loc_422580:				; CODE XREF: .text:00422519j
		pop	edi

loc_422581:				; CODE XREF: .text:0042250Bj
		push	ebx
		db	65h
		jnb	short loc_4225F8
		imul	ebp, [edi+6Eh],	63616544h
		jz	short loc_4225F7
		jbe	short loc_4225F1
		jz	short loc_4225F7
		add	[ebx+65h], dl
		jnb	short loc_42260A

loc_422597:				; CODE XREF: .text:00422524j
		imul	ebp, [edi+6Eh],	8006449h
		push	es

loc_42259F:				; DATA XREF: TtmiLogSessionWorkerPass(x,x,x)+5Bo
		or	eax, large ds:100h
; 
byte_4225A5	db 3 dup(0)		; CODE XREF: .text:00422550j
		db    0
		align 2
		dw 3Ah
		db  80h	; 
		align 2
aTtm_sessionwor	db 'TTM_SessionWorkerPass',0
		db 53h,	65h, 73h
; 

loc_4225C7:				; CODE XREF: .text:0042255Cj
					; .text:loc_422552j ...
		jnb	short loc_422632
		outsd
		outsb
		dec	ecx
		add	fs:[eax], cl
		push	edi
		outsd
		jb	short near ptr loc_42263C+2
		push	esp
		outsd
		inc	esp
		outsd
		add	[eax], cl
		dec	ecx
		jz	short near ptr loc_422640+1
		jb	short near ptr loc_42263C+3

loc_4225DE:				; CODE XREF: .text:00422567j
		jz	short loc_422649
		outsd
		outsb
		add	[eax], cl
		push	es

loc_4225E5:				; DATA XREF: TtmiLogSessionWorkerStop(x,x)+4Eo
		or	eax, large ds:102h
; 
		db 0
		align 10h
		db 2Ah
; 

loc_4225F1:				; CODE XREF: .text:0042258Ej
		add	[eax+4D545400h], al

loc_4225F7:				; CODE XREF: .text:0042258Cj
					; .text:00422590j
		pop	edi

loc_4225F8:				; CODE XREF: .text:00422582j
		push	ebx
		db	65h
		jnb	short loc_42266F
		imul	ebp, [edi+6Eh],	6B726F57h
		db	65h
		jb	short $+3
		push	ebx
		db	65h
		jnb	short loc_42267D

loc_42260A:				; CODE XREF: .text:00422595j
		imul	ebp, [edi+6Eh],	8006449h
		push	ebx
		jz	short near ptr loc_422674+1
		jz	short near ptr loc_422685+6
		jnb	short $+2
		mov	[esi], cl
		push	es

loc_42261B:				; DATA XREF: TtmiLogTerminalCreated(x,x)+66o
		or	eax, large ds:100h
; 
		db 3 dup(0)
		dd 390000h, 54540080h, 65545F4Dh
; 
		jb	short loc_42269F

loc_422632:				; CODE XREF: .text:loc_4225C7j
		imul	ebp, [esi+61h],	6572436Ch
		popa
		jz	short near ptr loc_42269F+2

loc_42263C:				; CODE XREF: .text:004225D1j
					; .text:004225DCj
		add	fs:[ebx+65h], dl

loc_422640:				; CODE XREF: .text:004225DAj
		jnb	short loc_4226B5
		imul	ebp, [edi+6Eh],	8006449h

loc_422649:				; CODE XREF: .text:loc_4225DEj
		push	esp
		db	65h
		jb	short loc_4226BA
		imul	ebp, [esi+61h],	64496Ch
		or	[ebp+72h], dl
		insd
		imul	ebp, [esi+61h],	614006Ch

loc_422660:				; DATA XREF: TtmiLogCalloutStop(x,x,x,x,x,x,x,x)+10Co
		or	eax, large ds:102h
; 
		dw 0
		dd 65000000h
		db 0, 80h, 0
; 

loc_42266F:				; CODE XREF: .text:004225F9j
		push	esp
		push	esp
		dec	ebp
		pop	edi
		inc	esp

loc_422674:				; CODE XREF: .text:00422612j
		db	65h
		jbe	short loc_4226E0
		arpl	[ebp+43h], sp
		popa
		insb
		insb

loc_42267D:				; CODE XREF: .text:00422607j
		outsd
		jnz	short near ptr loc_4226F3+1
		add	[ebx+65h], dl
		jnb	short near ptr loc_4226F3+5

loc_422685:				; CODE XREF: .text:00422614j
		imul	ebp, [edi+6Eh],	8006449h
		push	eax
		jb	short loc_4226FE
		jbe	short loc_4226FA
		db	64h, 65h
		jb	short $+4
		or	[eax+72h], dl
		outsd
		jbe	short near ptr loc_422703+1
		db	64h, 65h
		jb	short loc_4226E3

loc_42269F:				; CODE XREF: .text:00422630j
					; .text:0042263Aj
		db	65h
		jbe	short near ptr byte_42270B
		arpl	[ebp+54h], sp
		jns	short loc_422717
		add	gs:[esp+edx*2],	dl
		outsd
		imul	esp, [ebp+6Eh],	0
		adc	eax, 6C6C6143h

loc_4226B5:				; CODE XREF: .text:loc_422640j
		outsd
		jnz	short near ptr loc_422729+3
		push	esp
		popa

loc_4226BA:				; CODE XREF: .text:0042264Aj
		add	[bx], dl
		push	ebx
		jz	short near ptr loc_422720+1
		jz	short near ptr loc_422735+2
		jnb	short $+2
		mov	[esi], cl
		inc	esp
		jnz	short near ptr loc_422739+2
		popa
		jz	short loc_422735
		outsd
		outsb
		add	[edx], cl
		push	es

loc_4226D1:				; DATA XREF: TtmiLogInitCurrentSessionStart()+54o
		or	eax, large ds:101h
; 
		db 0
		dd 0
		dd 800026h
; 

loc_4226E0:				; CODE XREF: .text:loc_422674j
		push	esp
		push	esp
		dec	ebp

loc_4226E3:				; CODE XREF: .text:0042269Bj
		pop	edi
		dec	ecx
		outsb
		imul	esi, [ebx+eax*2+75h], 6E657272h
		jz	short near ptr loc_42273F+4
		db	65h
		jnb	short near ptr loc_422765+1

loc_4226F3:				; CODE XREF: .text:0042267Ej
					; .text:00422683j
		imul	ebp, [edi+6Eh],	73655300h

loc_4226FA:				; CODE XREF: .text:0042268Fj
		jnb	short loc_422765
		outsd
		outsb

loc_4226FE:				; CODE XREF: .text:0042268Dj
		dec	ecx
		add	fs:[eax], cl
		push	es

loc_422703:				; CODE XREF: .text:00422699j
					; DATA XREF: TtmiLogDeviceDepartureNotified(x,x,x,x)+83o
		or	eax, large ds:100h
; 
		db 2 dup(0)
byte_42270B	db 0			; CODE XREF: .text:loc_42269Fj
		dd offset loc_40FFFE+2
; 
		add	byte ptr [eax],	54h
		push	esp
		dec	ebp
		pop	edi
		inc	esp

loc_422717:				; CODE XREF: .text:004226A5j
		db	65h
		jbe	short near ptr loc_422781+2
		arpl	[ebp+44h], sp
		db	65h
		jo	short loc_422781

loc_422720:				; CODE XREF: .text:004226BEj
		jb	short loc_422796
		db	65h
		add	fs:[ebx+65h], dl
		jnb	short loc_42279C

loc_422729:				; CODE XREF: .text:004226B6j
		imul	ebp, [edi+6Eh],	8006449h
		push	eax
		jb	short near ptr loc_42279C+6
		jbe	short near ptr loc_42279C+2

loc_422735:				; CODE XREF: .text:004226CAj
					; .text:004226C0j
		db	64h, 65h
		jb	short $+4

loc_422739:				; CODE XREF: .text:004226C7j
		or	[edi+ebp*2+6Bh], dl
		outs	dx, byte ptr gs:[esi]

loc_42273F:				; CODE XREF: .text:004226EEj
		add	ds:69766544h, dl
		arpl	[ebp+46h], sp
		outsd
		jnz	short near ptr loc_4227B6+3
		add	fs:[ebx+eax+2050B06h], al
					; DATA XREF: TtmiLogCleanupCurrentSessionStop()+5Co
		add	[eax], eax
; 
		db 3 dup(0)
		dd 29000000h, 54008000h, 435F4D54h
		db 6Ch
; 

loc_422765:				; CODE XREF: .text:loc_4226FAj
					; .text:004226F0j
		db	65h
		popa
		outsb
		jnz	short near ptr loc_4227D9+1
		inc	ebx
		jnz	short loc_4227DF
		jb	short near ptr loc_4227D3+1
		outsb
		jz	short loc_4227C5
		db	65h
		jnb	short loc_4227E8
		imul	ebp, [edi+6Eh],	73655300h
		jnb	short near ptr loc_4227E6+1
		outsd
		outsb
		dec	ecx

loc_422781:				; CODE XREF: .text:0042271Dj
					; .text:loc_422717j
		add	fs:[eax], cl
		push	es

loc_422785:				; DATA XREF: TtmiLogSessionRundown(x)+10Ao
		or	eax, large ds:100h
; 
		db 0
		align 10h
		dd 8000A6h
; 
		push	esp
		push	esp

loc_422796:				; CODE XREF: .text:loc_422720j
		dec	ebp
		pop	edi
		push	ebx
		db	65h
		jnb	short loc_42280F

loc_42279C:				; CODE XREF: .text:00422727j
					; .text:00422733j ...
		imul	ebp, [edi+6Eh],	646E7552h
		outsd
		ja	short near ptr loc_422813+1
		add	[ebx+65h], dl
		jnb	short near ptr loc_422818+6
		imul	ebp, [edi+6Eh],	8006449h
		push	ebx
		db	65h
		jnb	short near ptr loc_422824+5

loc_4227B6:				; CODE XREF: .text:00422749j
		imul	ebp, [edi+6Eh],	74617453h
		add	gs:[eax], cl
		push	edx
		db	65h
		inc	bx
		outsb

loc_4227C5:				; CODE XREF: .text:00422770j
		jz	short $+2
		pop	es
		push	esp
		db	65h
		jb	short near ptr loc_422837+2
		imul	ebp, [esi+61h],	746E436Ch

loc_4227D3:				; CODE XREF: .text:0042276Dj
		add	[eax], cl
		inc	esp
		db	65h
		jbe	short loc_422842

loc_4227D9:				; CODE XREF: .text:00422768j
		arpl	[ebp+43h], sp
		outsb
		jz	short $+2

loc_4227DF:				; CODE XREF: .text:0042276Bj
		or	[ecx+63h], al
		jz	short near ptr loc_42284B+2
		jbe	short loc_422847

loc_4227E6:				; CODE XREF: .text:0042277Cj
		jz	short near ptr loc_42284B+2

loc_4227E8:				; CODE XREF: .text:00422772j
		push	edx
		db	65h
		popa
		jnb	short loc_42285C
		outsb
		add	[eax], cl
		inc	esp
		db	65h
		popa
		arpl	[ecx+ebp*2+76h], si
		popa
		jz	short near ptr loc_42285C+3
		push	edx
		db	65h
		popa
		jnb	short loc_42286E
		outsb
		add	[eax], cl
		inc	esp
		imul	esi, [ebx+70h],	4379616Ch
		outsd
		jnz	short near ptr loc_422878+3
		jz	short $+2

loc_42280F:				; CODE XREF: .text:00422799j
		or	[ecx+ebp*2+73h], al

loc_422813:				; CODE XREF: .text:004227A4j
		jo	short near ptr loc_42287E+3
		popa
		jns	short loc_42285C

loc_422818:				; CODE XREF: .text:004227A9j
		imul	ebp, [ebp+54h],	6F656D69h
		jnz	short near ptr loc_422893+2
		add	[eax], cl
		inc	esp

loc_422824:				; CODE XREF: .text:004227B3j
		imul	esi, [ebx+70h],	4F79616Ch
		db	66h, 66h
		push	esp
		imul	ebp, [ebp+65h],	74756Fh
		or	[esi], al

loc_422837:				; CODE XREF: .text:004227C9j
					; DATA XREF: TtmiLogDeviceRundown(x)+F5o
		or	eax, large ds:100h
; 
		db 3 dup(0)
		db 2 dup(0)
; 

loc_422842:				; CODE XREF: .text:004227D6j
		js	short $+2
		add	byte ptr [eax],	54h

loc_422847:				; CODE XREF: .text:004227E4j
		push	esp
		dec	ebp
		pop	edi
		inc	esp

loc_42284B:				; CODE XREF: .text:004227E2j
					; .text:loc_4227E6j
		db	65h
		jbe	short near ptr loc_4228B6+1
		arpl	[ebp+52h], sp
		jnz	short near ptr byte_4228C1
		outs	dx, dword ptr fs:[esi]
		ja	short loc_4228C5
		add	[ebx+65h], dl
		jnb	short loc_4228CF

loc_42285C:				; CODE XREF: .text:004227EBj
					; .text:00422816j ...
		imul	ebp, [edi+6Eh],	8006449h
		push	esp
		db	65h
		jb	short near ptr loc_4228D2+2
		imul	ebp, [esi+61h],	64496Ch

loc_42286E:				; CODE XREF: .text:004227FDj
		or	[eax+72h], dl
		outsd
		jbe	short loc_4228DD
		db	64h, 65h
		jb	short $+4

loc_422878:				; CODE XREF: .text:0042280Bj
		or	[edi+ebp*2+6Bh], dl
		outs	dx, byte ptr gs:[esi]

loc_42287E:				; CODE XREF: .text:loc_422813j
		add	ds:69766544h, dl
		arpl	[ebp+49h], sp
		add	fs:[eax], cl
		push	eax
		jb	short near ptr loc_4228FA+2
		jbe	short near ptr loc_4228F3+5
		db	64h, 65h
		jb	short near ptr loc_4228D2+5

loc_422893:				; CODE XREF: .text:0042281Fj
		db	65h
		jbe	short near ptr loc_4228FE+1
		arpl	[ebp+54h], sp
		jns	short loc_42290B
		add	gs:[esp+ecx*2],	dl
		popa
		jnb	short near ptr loc_422913+3
		dec	ecx
		outsb
		jo	short near ptr byte_42291B
		jz	short near ptr loc_4228FA+2
		imul	ebp, [ebp+65h],	65440A00h
		jbe	short near ptr byte_42291A
		arpl	[ebp+53h], sp
		jz	short near ptr loc_422913+4

loc_4228B6:				; CODE XREF: .text:loc_42284Bj
		jz	short loc_42291D
		add	[esi+eax], dl

loc_4228BB:				; DATA XREF: TtmiLogTerminalHandleOpened(x,x,x,x)+7Fo
		or	eax, large ds:100h
; 
byte_4228C1	db 3 dup(0)		; CODE XREF: .text:00422851j
		db 0
; 

loc_4228C5:				; CODE XREF: .text:00422855j
		add	[eax+eax-80h], cl
		add	[esp+edx*2+4Dh], dl
		pop	edi
		push	esp

loc_4228CF:				; CODE XREF: .text:0042285Aj
		db	65h
		jb	short near ptr loc_42293E+1

loc_4228D2:				; CODE XREF: .text:00422864j
					; .text:0042288Fj
		imul	ebp, [esi+61h],	6E61486Ch
		db	64h
		insb
		db	65h
		inc	ebx

loc_4228DD:				; CODE XREF: .text:00422872j
		jb	short loc_422944
		popa
		jz	short loc_422947
		add	fs:[ebx+65h], dl
		jnb	short loc_42295B
		imul	ebp, [edi+6Eh],	8006449h
		push	esp
		db	65h
		jb	short near ptr loc_42295E+2

loc_4228F3:				; CODE XREF: .text:0042288Dj
		imul	ebp, [esi+61h],	64496Ch

loc_4228FA:				; CODE XREF: .text:0042288Bj
					; .text:004228A6j
		or	[eax+72h], dl
		outsd

loc_4228FE:				; CODE XREF: .text:loc_422893j
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_42294B+1
		add	fs:[edi+ecx*2],	dl
		jo	short near ptr loc_422969+5
		outsb
		push	edx

loc_42290B:				; CODE XREF: .text:00422899j
		db	65h
		popa
		jnb	short near ptr loc_42297D+1
		outsb
		add	[eax], cl
		push	es

loc_422913:				; CODE XREF: .text:004228A0j
					; .text:004228B4j
					; DATA XREF: ...
		or	eax, large ds:102h
; 
		db 0
byte_42291A	db 0			; CODE XREF: .text:004228AFj
byte_42291B	db 0			; CODE XREF: .text:004228A4j
		db 0
; 

loc_42291D:				; CODE XREF: .text:loc_4228B6j
		add	[edi], ch
		add	[eax+4D545400h], al
		pop	edi
		inc	esp
		imul	esi, [ebx+70h],	68637461h
		inc	ecx
		jo	short near ptr loc_422999+1
		add	[ebx+65h], dl
		jnb	short loc_4229A9
		imul	ebp, [edi+6Eh],	8006449h
		dec	esp

loc_42293E:				; CODE XREF: .text:loc_4228CFj
		db	65h
		jbe	short near ptr loc_4229A4+2
		insb
		add	[eax], cl

loc_422944:				; CODE XREF: .text:loc_4228DDj
		push	ebx
		jz	short near ptr loc_4229A7+1

loc_422947:				; CODE XREF: .text:004228E0j
		jz	short near ptr loc_4229BC+2
		jnb	short $+2

loc_42294B:				; CODE XREF: .text:00422901j
		mov	[esi], cl
		push	es

loc_42294E:				; DATA XREF: PsOpenThread+139278o
		or	eax, large ds:0
; 
		dd 400000h
		db 0, 92h, 0
; 

loc_42295B:				; CODE XREF: .text:004228E6j
		add	byte ptr [eax],	54h

loc_42295E:				; CODE XREF: .text:004228F0j
		push	64616572h
		dec	edi
		jo	short loc_4229CB
		outsb
		inc	esi
		popa

loc_422969:				; CODE XREF: .text:00422907j
		imul	ebp, [ebp+64h],	46726F46h
		outsd
		jb	short loc_4229D7
		db	65h, 64h
		inc	ecx
		arpl	[ebx+65h], sp
		jnb	short near ptr loc_4229EC+3
		inc	ebx

loc_42297D:				; CODE XREF: .text:0042290Dj
		push	offset unk_6B6365
		push	esp
		popa
		jb	short near ptr loc_4229EC+1
		db	65h
		jz	short loc_4229DD
		push	64616572h
		dec	ecx
		add	fs:[eax], cl
		push	esp
		popa
		jb	short loc_4229FD
		db	65h
		jz	short near ptr loc_4229E7+2

loc_422999:				; CODE XREF: .text:0042292Fj
		jb	short near ptr loc_422A08+2
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_4229E7+2
		add	fs:[eax], cl
		inc	esp

loc_4229A4:				; CODE XREF: .text:loc_42293Ej
		db	65h
		jnb	short loc_422A10

loc_4229A7:				; CODE XREF: .text:00422945j
		jb	short near ptr loc_422A08+6

loc_4229A9:				; CODE XREF: .text:00422934j
		db	64h
		inc	ecx
		arpl	[ebx+65h], sp
		jnb	short loc_422A23
		add	[edi+ecx*2], dl
		bound	ebp, [edx+65h]
		arpl	[ecx+eax*2+74h], si
		jz	short near ptr loc_422A2D+1

loc_4229BC:				; CODE XREF: .text:loc_422947j
		imul	esp, [edx+75h],	736574h
		adc	al, 50h
		jb	short loc_422A36
		bound	esp, [ebp+4Dh]
		outsd

loc_4229CB:				; CODE XREF: .text:00422964j
		db	64h
		add	gs:[ecx+eax*2],	al
		arpl	[ebx+65h], sp
		jnb	short near ptr loc_422A45+3
		dec	ebp
		outsd

loc_4229D7:				; CODE XREF: .text:00422972j
		db	64h
		add	gs:[eax+edx*2],	al
		popa

loc_4229DD:				; CODE XREF: .text:00422986j
		jb	short near ptr loc_422A52+1
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_422A4B+2
		jbe	short loc_422A3A
		popa

loc_4229E7:				; CODE XREF: .text:00422996j
					; .text:0042299Ej
		db	67h
		jnb	near ptr 29EAh
		or	al, [esi]

loc_4229EC:				; CODE XREF: .text:00422984j
					; .text:0042297Aj
					; DATA XREF: ...
		or	eax, large ds:0
; 
		dw 0
		dd 83000040h, 50008000h
		db 72h
; 

loc_4229FD:				; CODE XREF: .text:00422994j
		outsd
		arpl	[ebp+73h], sp
		jnb	short loc_422A52
		jo	short near ptr loc_422A66+4
		outsb
		inc	esi
		popa

loc_422A08:				; CODE XREF: .text:loc_422999j
					; .text:loc_4229A7j
		imul	ebp, [ebp+64h],	46726F46h

loc_422A10:				; CODE XREF: .text:loc_4229A4j
		outsd
		jb	short loc_422A76
		db	65h, 64h
		inc	ecx
		arpl	[ebx+65h], sp
		jnb	short loc_422A8E
		inc	ebx
		push	offset unk_6B6365
		push	esp
		popa

loc_422A23:				; CODE XREF: .text:004229AEj
		jb	short loc_422A8C
		db	65h
		jz	short near ptr loc_422A76+2
		jb	short near ptr loc_422A94+5
		arpl	[ebp+73h], sp

loc_422A2D:				; CODE XREF: .text:004229BAj
		jnb	short near ptr loc_422A76+2
		add	fs:[eax], cl
		inc	esp
		db	65h
		jnb	short near ptr loc_422A9E+1

loc_422A36:				; CODE XREF: .text:004229C5j
		jb	short loc_422A9D
		db	64h
		inc	ecx

loc_422A3A:				; CODE XREF: .text:004229E4j
		arpl	[ebx+65h], sp
		jnb	short loc_422AB2
		add	[edi+ecx*2], dl
		bound	ebp, [edx+65h]

loc_422A45:				; CODE XREF: .text:004229D3j
		arpl	[ecx+eax*2+74h], si
		jz	short loc_422ABD

loc_422A4B:				; CODE XREF: .text:004229E2j
		imul	esp, [edx+75h],	736574h

loc_422A52:				; CODE XREF: .text:00422A01j
					; .text:loc_4229DDj
		adc	al, 50h
		jb	short loc_422AC5
		bound	esp, [ebp+4Dh]
		outsd
		db	64h
		add	gs:[ecx+eax*2],	al
		arpl	[ebx+65h], sp
		jnb	short loc_422AD7
		dec	ebp
		outsd

loc_422A66:				; CODE XREF: .text:00422A03j
		db	64h
		add	gs:[eax+edx*2],	al
		popa
		jb	short near ptr loc_422AE1+1
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_422AD7+5
		jbe	short loc_422AC9
		popa

loc_422A76:				; CODE XREF: .text:00422A11j
					; .text:00422A25j ...
		db	67h
		jnb	near ptr 2A79h
		or	al, [esi]

loc_422A7B:				; DATA XREF: RtlpLogCapabilityCheckLatency(x,x,x,x,x,x)+120o
		or	eax, large ds:0
; 
		db 2 dup(0), 20h
		dd offset loc_68FFFB+5
		dd 74520080h
; 

loc_422A8C:				; CODE XREF: .text:loc_422A23j
		insb
		inc	ebx

loc_422A8E:				; CODE XREF: .text:00422A19j
		popa
		jo	short near ptr loc_422AF1+1
		bound	ebp, [ecx+6Ch]

loc_422A94:				; CODE XREF: .text:00422A28j
		imul	esi, [ecx+edi*2+43h], 6B636568h
		dec	esp

loc_422A9D:				; CODE XREF: .text:loc_422A36j
		popa

loc_422A9E:				; CODE XREF: .text:00422A33j
		jz	short loc_422B05
		outsb
		arpl	[ecx+0], di
		dec	esp
		popa
		jz	short near ptr loc_422B0B+2
		outsb
		arpl	[ecx+0], di
		or	[ecx+73h], ecx
		inc	ecx
		db	64h
		insd

loc_422AB2:				; CODE XREF: .text:00422A3Dj
		imul	ebp, [esi+0], 73490384h
		dec	ecx
		outsb
		jz	short near ptr word_422B22

loc_422ABD:				; CODE XREF: .text:00422A49j
		jb	short near ptr loc_422B1C+4
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	ebp

loc_422AC5:				; CODE XREF: .text:00422A54j
		jnb	short near ptr loc_422B26+6
		jb	short $+2

loc_422AC9:				; CODE XREF: .text:00422A73j
		test	[ebx], al
		dec	ecx
		jnb	short near ptr loc_422B0B+4
		db	64h
		insd
		imul	ebp, [esi+43h],	62617061h

loc_422AD7:				; CODE XREF: .text:00422A62j
					; .text:00422A71j
		imul	ebp, [ecx+ebp*2+74h], 3840079h
		dec	eax
		popa

loc_422AE1:				; CODE XREF: .text:00422A6Cj
		jnb	short loc_422B26
		popa
		jo	short loc_422B47
		bound	ebp, [ecx+6Ch]
		imul	esi, [ecx+edi*2+0], 0B060384h
					; DATA XREF: SeCheckForCriticalAceRemoval+183B51o

loc_422AF1:				; CODE XREF: .text:00422A8Fj
		add	eax, 0
; 
		dw 0
		dd 20000020h, 43008000h, 69746972h
		db 63h
; 

loc_422B05:				; CODE XREF: .text:loc_422A9Ej
		popa
		insb
		inc	ecx
		arpl	[ebp+43h], sp

loc_422B0B:				; CODE XREF: .text:00422AA6j
					; .text:00422ACCj
		push	65676E61h
		add	fs:[eax+72h], dl
		outsd
		arpl	[ebp+73h], sp
		jnb	short $+2
		push	ss
		push	es

loc_422B1C:				; CODE XREF: .text:loc_422ABDj
					; DATA XREF: SepLogUnmatchedSessionFlagImpersonationAttempt(x,x)+115o
		or	eax, large ds:0
; 
word_422B22	dw 0			; CODE XREF: .text:00422ABBj
		db 40h,	0
; 

loc_422B26:				; CODE XREF: .text:loc_422AE1j
					; .text:loc_422AC5j
		add	[eax+eax+694C0080h], cl
		insd
		imul	esi, [ebp+64h],	6F4E6F54h
		outsb
		dec	esp
		imul	ebp, [ebp+69h],	54646574h
		outsd
		imul	esp, [ebp+6Eh],	53h
		db	65h
		jnb	short near ptr word_422BBA

loc_422B47:				; CODE XREF: .text:00422AE4j
		imul	ebp, [edi+6Eh],	65706D49h
		jb	short near ptr loc_422BC1+2
		outsd
		outsb
		popa
		jz	short loc_422BBE
		outsd
		outsb
		add	[eax+72h], dh
		imul	ebp, [ebp+61h],	6F547972h
		imul	esp, [ebp+6Eh],	53h
		db	65h
		jnb	short near ptr loc_422BD7+4
		imul	ebp, [edi+6Eh],	67616C46h
		jnb	short $+2
		or	[ecx+6Dh], ch
		jo	short near ptr loc_422BD7+4
		jb	short near ptr loc_422BE8+3
		outsd
		outsb
		popa
		jz	short loc_422BE6
		outsd
		outsb
		push	esp
		outsd
		imul	esp, [ebp+6Eh],	53h
		db	65h
		jnb	short loc_422BFB
		imul	ebp, [edi+6Eh],	67616C46h
		jnb	short $+2
		or	[eax+72h], dh
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_422BE8+2
		popa
		jz	short near ptr loc_422C04+1
		add	[esi], dl
		jo	short near ptr loc_422C12+1
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_422BE8+2
		outsd
		insd
		insd
		popa
		outsb
		db	64h
		dec	esp

loc_422BAE:				; DATA XREF: VmpLogAccessFault(x,x,x,x,x,x,x,x)+E9o
		imul	ebp, [esi+65h],	0B061600h
		add	eax, 800h
; 
word_422BBA	dw 0			; CODE XREF: .text:00422B44j
		db 2 dup(0)
; 

loc_422BBE:				; CODE XREF: .text:00422B53j
		add	[edi+0], dh

loc_422BC1:				; CODE XREF: .text:00422B4Ej
		add	byte ptr [eax],	41h
		arpl	[ebx+65h], sp
		jnb	short near ptr loc_422C37+5
		inc	esi
		popa
		jnz	short near ptr loc_422C37+2
		jz	short $+2
		push	eax
		jb	short loc_422C41
		arpl	[ebp+73h], sp
		jnb	short loc_422C20

loc_422BD7:				; CODE XREF: .text:00422B65j
					; .text:00422B74j
		add	fs:[eax+73614205h], cl
		db	65h
		push	ebx
		jns	short near ptr loc_422C53+2
		jz	short near ptr loc_422C47+2
		insd
		push	esi

loc_422BE6:				; CODE XREF: .text:00422B7Bj
		jo	short near ptr loc_422C53+3

loc_422BE8:				; CODE XREF: .text:00422B98j
					; .text:00422BA5j ...
		add	ds:65736142h, dl
		inc	edi
		jo	short near ptr loc_422C5D+2
		add	ds:65676150h, dl
		inc	ebx
		outsd
		jnz	short loc_422C69

loc_422BFB:				; CODE XREF: .text:00422B85j
		jz	short $+2
		adc	eax, 6C756146h
		jz	short loc_422C58

loc_422C04:				; CODE XREF: .text:00422B9Bj
		jns	short near ptr loc_422C75+1
		db	65h
		inc	esi
		insb
		popa
		db	67h
		jnb	near ptr 2C0Dh
		adc	al, 41h
		insb
		insb
		outsd

loc_422C12:				; CODE XREF: .text:00422B9Fj
		ja	short near ptr loc_422C75+4
		db	64h
		push	eax
		jb	short near ptr loc_422C84+3
		insd
		outsd
		jz	short near ptr loc_422C84+1
		outsd
		outsb
		inc	esi
		insb

loc_422C20:				; CODE XREF: .text:00422BD5j
		popa
		db	67h
		jnb	near ptr 2C24h
		adc	al, 44h
		db	65h
		jnb	short near ptr loc_422C90+2
		jb	short loc_422C90
		db	64h
		dec	esi
		jnz	short loc_422C9C
		popa
		dec	esi
		outsd
		db	64h
		add	gs:[esi+eax], dl

loc_422C37:				; CODE XREF: .text:00422BCBj
					; .text:00422BC7j
					; DATA XREF: ...
		or	eax, large ds:100h
; 
		db 3 dup(0)
		db 0
; 

loc_422C41:				; CODE XREF: .text:00422BD0j
		add	[ebp+0], cl
		add	byte ptr [eax],	46h

loc_422C47:				; CODE XREF: .text:00422BE2j
		imul	ebp, [esp+ebp*2+53h], 5374616Ch
		jo	short near ptr loc_422CAE+4
		jb	short near ptr loc_422CC4+2

loc_422C53:				; CODE XREF: .text:00422BE0j
					; .text:loc_422BE6j
		add	gs:[eax+72h], dl
		outsd

loc_422C58:				; CODE XREF: .text:00422C02j
		arpl	[ebp+73h], sp
		jnb	short loc_422CA6

loc_422C5D:				; CODE XREF: .text:00422BEFj
		add	fs:[eax+67615005h], cl
		db	65h
		inc	ebx
		outsd
		jnz	short near ptr loc_422CD5+2

loc_422C69:				; CODE XREF: .text:00422BF9j
		jz	short $+2
		adc	eax, 70477648h
		popa
		dec	ebp
		popa
		jo	short loc_422CE5

loc_422C75:				; CODE XREF: .text:loc_422C04j
					; .text:loc_422C12j
		imul	ebp, [esi+67h],	4702D800h
		jo	short loc_422CEC
		add	byte_6E7053, dl

loc_422C84:				; CODE XREF: .text:00422C1Aj
					; .text:00422C16j
		adc	eax, 4670614Dh
		insb
		popa
		db	67h
		jnb	near ptr 2C8Eh
		adc	al, 6

loc_422C90:				; CODE XREF: .text:00422C29j
					; .text:00422C26j
					; DATA XREF: ...
		or	eax, large ds:100h
; 
		dw 0
		dd 3E000000h
; 

loc_422C9C:				; CODE XREF: .text:00422C2Dj
		add	[eax+6C694600h], al
		insb
		push	ebx
		insb
		popa

loc_422CA6:				; CODE XREF: .text:00422C5Bj
		jz	short near ptr loc_422CEE+6
		popa
		jb	short loc_422D12
		db	65h
		push	eax
		popa

loc_422CAE:				; CODE XREF: .text:00422C4Fj
		add	gs:[bx+si+72h],	dl
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_422D01+1
		add	fs:[eax+73614205h], cl
		db	65h
		inc	edi
		jo	short loc_422D32

loc_422CC4:				; CODE XREF: .text:00422C51j
		add	ds:65736142h, dl
		push	ebx
		jo	short near ptr loc_422D37+4
		add	ds:4670614Dh, dl
		insb
		popa

loc_422CD5:				; CODE XREF: .text:00422C67j
		db	67h
		jnb	near ptr 2CD8h
		adc	al, 6

loc_422CDA:				; DATA XREF: VmpLogColdHint(x,x,x,x,x)+43o
		or	eax, large ds:400h
; 
		dd 0
		db 0
; 

loc_422CE5:				; CODE XREF: .text:00422C73j
		cmp	al, 0
		add	byte ptr [eax],	43h
		outsd
		insb

loc_422CEC:				; CODE XREF: .text:00422C7Cj
		db	64h
		dec	eax

loc_422CEE:				; CODE XREF: .text:loc_422CA6j
		imul	ebp, [esi+74h],	6F725000h
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_422D41+2
		add	fs:[eax+73614205h], cl

loc_422D01:				; CODE XREF: .text:00422CB7j
		db	65h
		inc	edi
		jo	short near ptr loc_422D71+2
		add	ds:65736142h, dl
		push	ebx
		jns	short loc_422D81
		jz	short loc_422D75
		insd
		push	esi

loc_422D12:				; CODE XREF: .text:00422CA9j
		jo	short near ptr loc_422D81+1
		add	ds:65676150h, dl
		inc	ebx
		outsd
		jnz	short loc_422D8C
		jz	short $+2

loc_422D20:				; DATA XREF: VmpLogTbFlushSlatInvalidate(x,x,x,x,x)+43o
		adc	eax, 50B06h
		add	al, [eax]
; 
		db 0
		dd 0
		dd 80004900h
		db 0, 54h
; 

loc_422D32:				; CODE XREF: .text:00422CC2j
		bound	eax, [esi+6Ch]
		jnz	short near ptr loc_422DA5+5

loc_422D37:				; CODE XREF: .text:00422CCBj
		push	74616C53h
		dec	ecx
		outsb
		jbe	short loc_422DA1
		insb

loc_422D41:				; CODE XREF: .text:00422CF8j
		imul	esp, [ecx+74h],	72500065h
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_422D95+3
		add	fs:[eax+61745305h], cl
		jb	short near ptr loc_422DC9+3
		push	esi
		jo	short loc_422DC9
		add	ds:72617453h, dl
		jz	short near ptr loc_422DA5+5
		jo	short near ptr loc_422DCD+6
		add	ds:626D754Eh, dl
		db	65h
		jb	short near ptr loc_422DB7+6
		push	ax
		popa

loc_422D71:				; CODE XREF: .text:00422D03j
		db	67h, 65h
		jnb	near ptr 2D75h

loc_422D75:				; CODE XREF: .text:00422D0Ej
					; DATA XREF: EtwTelemetryCoverageReport(x)+40Co
		adc	eax, 50B06h
		add	[eax], eax
; 
		dd 0
		db 0
; 

loc_422D81:				; CODE XREF: .text:00422D0Cj
					; .text:loc_422D12j
		add	[eax+0], ch
		add	byte ptr [eax],	43h
		outsd
		jbe	short $+2
		push	edx
		outsd

loc_422D8C:				; CODE XREF: .text:00422D1Cj
		jnz	short loc_422DFC
		db	64h
		dec	ecx
		add	fs:[eax], cl
		inc	esi
		popa

loc_422D95:				; CODE XREF: .text:00422D4Dj
		imul	ebp, [ebp+esi*2+72h], 6E497365h
		push	edx
		outsd
		jnz	short near ptr loc_422E0C+3

loc_422DA1:				; CODE XREF: .text:00422D3Ej
		add	fs:[eax], cl
		push	ebx

loc_422DA5:				; CODE XREF: .text:00422D35j
					; .text:00422D61j
		imul	ebp, [esi+63h],	73614C65h
		jz	short near ptr off_422DF4
		insb
		jnz	short near ptr loc_422E23+1
		push	800534Dh
		push	ebx

loc_422DB7:				; CODE XREF: .text:00422D6Bj
		imul	ebp, [esi+63h],	73614C65h
		jz	short near ptr loc_422E0C+6
		db	65h
		jnb	short loc_422E28
		jz	short near ptr loc_422E0C+6
		push	ebx
		add	[eax], cl
		push	edx

loc_422DC9:				; CODE XREF: .text:00422D59j
					; .text:00422D56j
		arpl	gs:[edi+72h], bp

loc_422DCD:				; CODE XREF: .text:00422D63j
		db	64h, 65h
		add	fs:65726C41h, cl
		popa
		db	64h
		jns	short loc_422E2D
		db	65h
		jz	short $+3
		or	eax, 65766F43h
		jb	short loc_422E45
		db	67h, 65h
		dec	ecx
		add	fs:[edx], al
		push	es

loc_422DEB:				; DATA XREF: EtwpCoverageRecord(x,x)+33Ao
		or	eax, large ds:200h
; 
		db 3 dup(0)
off_422DF4	dd offset loc_54FFFC+4	; CODE XREF: .text:00422DACj
		dd 6F430080h
; 

loc_422DFC:				; CODE XREF: .text:loc_422D8Cj
		jbe	short loc_422E4C
		db	65h
		ja	short $+3
		push	edx
		outsd
		jnz	short loc_422E73
		db	64h
		dec	ecx
		add	fs:[eax], cl
		inc	esi
		popa

loc_422E0C:				; CODE XREF: .text:00422D9Fj
					; .text:00422DBEj ...
		imul	ebp, [ebp+esi*2+72h], 6E497365h
		push	edx
		outsd
		jnz	short loc_422E86
		add	fs:[eax], cl
		push	ebx
		imul	ebp, [esi+63h],	73614C65h

loc_422E23:				; CODE XREF: .text:00422DAFj
		jz	short loc_422E6B
		insb
		jnz	short loc_422E9B

loc_422E28:				; CODE XREF: .text:00422DC0j
		push	800534Dh

loc_422E2D:				; CODE XREF: .text:00422DD7j
		push	ebx
		imul	ebp, [esi+63h],	73614C65h
		jz	short near ptr loc_422E86+3
		db	65h
		jnb	short near ptr loc_422E9E+1
		jz	short near ptr loc_422E86+3
		push	ebx
		add	[eax], cl
		inc	ebx
		outsd
		jbe	short near ptr loc_422EA2+6
		jb	short near ptr loc_422EA2+4

loc_422E45:				; CODE XREF: .text:00422DE2j
		db	67h, 65h
		dec	ecx
		add	fs:[edx], al
		push	es

loc_422E4C:				; CODE XREF: .text:loc_422DFCj
					; DATA XREF: EtwpCoverageRecord(x,x)+445o
		or	eax, large ds:100h
; 
		dw 0
		dd 68000000h, 43008000h, 5200766Fh, 646E756Fh, 8006449h
		db 46h,	61h, 69h
; 

loc_422E6B:				; CODE XREF: .text:loc_422E23j
		insb
		jnz	short loc_422EE0
		db	65h
		jnb	short near ptr loc_422EB9+1
		outsb
		push	edx

loc_422E73:				; CODE XREF: .text:00422E03j
		outsd
		jnz	short near ptr loc_422EE1+3
		add	fs:[eax], cl
		push	ebx
		imul	ebp, [esi+63h],	73614C65h
		jz	short near ptr off_422EC9
		insb
		jnz	short near ptr loc_422EF8+1

loc_422E86:				; CODE XREF: .text:00422E16j
					; .text:00422E35j ...
		push	800534Dh
		push	ebx
		imul	ebp, [esi+63h],	73614C65h
		jz	short near ptr loc_422EE1+6
		db	65h
		jnb	short loc_422EFD
		jz	short near ptr loc_422EE1+6
		push	ebx

loc_422E9B:				; CODE XREF: .text:00422E26j
		add	[eax], cl
		push	edx

loc_422E9E:				; CODE XREF: .text:00422E37j
		arpl	gs:[edi+72h], bp

loc_422EA2:				; CODE XREF: .text:00422E43j
					; .text:00422E41j
		db	64h, 65h
		add	fs:65726C41h, cl
		popa
		db	64h
		jns	short loc_422F02
		db	65h
		jz	short $+3
		or	eax, 65766F43h
		jb	short near ptr loc_422F18+2

loc_422EB9:				; CODE XREF: .text:00422E6Ej
		db	67h, 65h
		dec	ecx
		add	fs:[edx], al
		push	es

loc_422EC0:				; DATA XREF: EtwpCoverageFlushPending(x)+149o
		or	eax, large ds:0
; 
		dw 0
		db 40h
off_422EC9	dd offset loc_51FFFF+1	; CODE XREF: .text:00422E81j
		db 80h,	0, 43h
aOvsum		db 'ovSum',0
aRoundid	db 'RoundId',0
		dw 4608h
; 

loc_422EE0:				; CODE XREF: .text:00422E6Cj
		popa

loc_422EE1:				; CODE XREF: .text:00422E74j
					; .text:00422E93j ...
		imul	ebp, [ebp+esi*2+72h], 6E497365h
		push	edx
		outsd
		jnz	short loc_422F5B
		add	fs:[eax], cl
		push	ebx
		imul	ebp, [esi+63h],	73614C65h

loc_422EF8:				; CODE XREF: .text:00422E84j
		jz	short loc_422F40
		insb
		jnz	short near ptr loc_422F6D+3

loc_422EFD:				; CODE XREF: .text:00422E95j
		push	800534Dh

loc_422F02:				; CODE XREF: .text:00422EACj
		push	ebx
		imul	ebp, [esi+63h],	73614C65h
		jz	short loc_422F5E
		db	65h
		jnb	short loc_422F74
		jz	short loc_422F5E
		push	ebx
		add	[eax], cl
		inc	ebp
		outsb
		jz	short loc_422F8A

loc_422F18:				; CODE XREF: .text:00422EB7j
					; DATA XREF: EtwTraceSystemTimeChange+6F56o
		imul	esp, [ebp+73h],	0B064200h
		add	eax, 0
; 
		dd 400000h, 80004300h, 73795300h, 546D6574h, 43656D69h
		dd 676E6168h, 654E0065h
; 

loc_422F40:				; CODE XREF: .text:loc_422EF8j
		ja	short near ptr loc_422F95+1
		imul	ebp, [ebp+65h],	6C4F0900h
		db	64h
		push	esp
		imul	ebp, [ebp+65h],	68430900h
		popa
		outsb
		db	67h, 65h
		push	edx
		db	65h
		popa
		jnb	short loc_422FCA

loc_422F5B:				; CODE XREF: .text:00422EEBj
		outsb
		add	[eax], cl

loc_422F5E:				; CODE XREF: .text:00422F0Aj
					; .text:00422F0Fj
		push	eax
		jb	short loc_422FD0
		arpl	[ebp+73h], sp
		jnb	short $+2
		push	ss
		push	eax
		dec	ecx
		inc	esp
		add	[eax], cl
		push	es

loc_422F6D:				; CODE XREF: .text:00422EFBj
					; DATA XREF: EtwTraceLeapSecondDataUpdate+83AC0o
		or	eax, large ds:0
; 
		db 0
; 

loc_422F74:				; CODE XREF: .text:00422F0Cj
		add	[eax+0], al
		add	[edi+0], al
		add	byte ptr [eax],	4Ch
		db	65h
		popa
		jo	short loc_422FD4
		arpl	gs:[edi+6Eh], bp
		db	64h
		inc	esp
		popa
		jz	short near ptr loc_422FE4+7

loc_422F8A:				; CODE XREF: .text:00422F16j
		push	ebp
		jo	short loc_422FF1
		popa
		jz	short loc_422FF5
		add	[ebp+70h], dl
		db	64h
		popa

loc_422F95:				; CODE XREF: .text:loc_422F40j
		jz	short near ptr loc_422FF9+3
		push	edx
		db	65h
		popa
		jnb	short loc_42300B
		outsb
		add	[eax], cl
		inc	ebp
		outsb
		popa
		bound	ebp, [ebp+64h]
		dec	esi
		db	65h
		ja	short $+3
		or	[ebx+6Fh], al
		jnz	short loc_42301D
		jz	short near ptr byte_422FFF
		db	65h
		ja	short $+3
		or	[ebx+6Fh], al
		jnz	short near ptr loc_423026+1
		jz	short loc_42300A
		insb
		add	fs:[eax], cl
		push	es

loc_422FC0:				; DATA XREF: EtwTraceLeapSecondDataParseFailure(x)+4Do
		or	eax, large ds:0
; 
		dw 0
		db 40h,	0
; 

loc_422FCA:				; CODE XREF: .text:00422F59j
		add	ds:4C008000h, ch

loc_422FD0:				; CODE XREF: .text:00422F5Fj
		db	65h
		popa
		jo	short near ptr loc_423026+1

loc_422FD4:				; CODE XREF: .text:00422F7Fj
		arpl	gs:[edi+6Eh], bp
		db	64h
		inc	esp
		popa
		jz	short loc_42303E
		push	eax
		popa
		jb	short loc_423054
		db	65h
		inc	esi
		popa

loc_422FE4:				; CODE XREF: .text:00422F88j
		imul	ebp, [ebp+64h],	69614600h
		insb
		jnz	short loc_423061
		db	65h
		push	edx

loc_422FF1:				; CODE XREF: .text:00422F8Bj
		db	65h
		jnb	short loc_423069
		insb

loc_422FF5:				; CODE XREF: .text:00422F8Ej
		jz	short $+2
		or	[esi], al

loc_422FF9:				; CODE XREF: .text:loc_422F95j
					; DATA XREF: EtwTraceTimeZoneBiasChange(x,x)+57o
		or	eax, large ds:0
; 
byte_422FFF	db 0			; CODE XREF: .text:00422FAFj
		dd 4000h, 800029h
		db 54h,	69h
; 

loc_42300A:				; CODE XREF: .text:00422FB9j
		insd

loc_42300B:				; CODE XREF: .text:00422F9Aj
		db	65h
		pop	edx
		outsd
		outsb
		db	65h
		inc	edx
		imul	esp, [ecx+73h],	6E616843h
		add	gs:[bp+65h], cl

loc_42301D:				; CODE XREF: .text:00422FADj
		ja	short loc_423061
		imul	esp, [ecx+73h],	6C4F0700h

loc_423026:				; CODE XREF: .text:00422FB7j
					; .text:00422FD2j
		db	64h
		inc	edx
		imul	esp, [ecx+73h],	0B060700h
					; DATA XREF: EtwpWriteAppStateChangeWithStats+1CEo
		add	eax, 300h
; 
		dd 200000h, 80022C00h
		db 0, 41h
; 

loc_42303E:				; CODE XREF: .text:00422FDBj
		jo	short loc_4230B0
		push	ebx
		jz	short loc_4230A4
		jz	short near ptr loc_4230A9+1
		inc	ebx
		push	65676E61h
		add	[ecx+70h], al
		jo	short loc_4230A3
		jz	short loc_4230B3
		jz	short near ptr loc_4230B3+6

loc_423054:				; CODE XREF: .text:00422FDFj
		inc	ebx
		push	65676E61h
		add	[eax+edx*2], al
		jb	short near ptr loc_4230C2+2
		jbe	short near ptr loc_4230C9+1

loc_423061:				; CODE XREF: .text:00422FEDj
					; .text:loc_42301Dj
		outsd
		jnz	short near ptr loc_4230D5+2
		push	ebx
		jz	short near ptr loc_4230C2+6
		jz	short near ptr loc_4230CB+3

loc_423069:				; CODE XREF: .text:loc_422FF1j
		add	ds:65524354h[edx*2], al
		jo	short loc_4230DE
		popa
		arpl	[ebp+5Fh], sp
		push	esp
		popa
		jb	short near ptr loc_4230E0+1
		db	65h
		jz	short loc_4230BE
		jo	short loc_4230EF
		dec	ecx
		add	fs:[edi], cl
		push	ebp
		push	esp
		inc	ebx
		push	edx
		db	65h
		jo	short loc_4230F6
		popa
		arpl	[ebp+5Fh], sp
		push	esp
		popa
		jb	short loc_4230F9
		db	65h
		jz	short near ptr loc_4230D5+1
		jo	short loc_423107
		push	esi
		db	65h
		jb	short $+3
		add	al, 55h
		push	esp
		inc	ebx
		push	edx
		db	65h
		jo	short loc_42310F

loc_4230A3:				; CODE XREF: .text:0042304Ej
		popa

loc_4230A4:				; CODE XREF: .text:00423041j
		arpl	[ebp+5Fh], sp
		push	esp
		popa

loc_4230A9:				; CODE XREF: .text:00423043j
		jb	short loc_423112
		db	65h
		jz	short loc_4230EF
		jo	short loc_423120

loc_4230B0:				; CODE XREF: .text:loc_42303Ej
		push	esp
		jns	short loc_423123

loc_4230B3:				; CODE XREF: .text:00423050j
					; .text:00423052j
		add	gs:65524354h[edx*2], al
		jo	short near ptr loc_423123+6
		popa

loc_4230BE:				; CODE XREF: .text:0042307Aj
		arpl	[ebp+5Fh], sp
		dec	esp

loc_4230C2:				; CODE XREF: .text:0042305Dj
					; .text:00423065j
		imul	esp, [ebx+65h],	5465736Eh

loc_4230C9:				; CODE XREF: .text:0042305Fj
		jns	short near ptr loc_42313A+1

loc_4230CB:				; CODE XREF: .text:00423067j
		add	gs:[ecx+eax*2],	al
		jo	short near ptr loc_423140+1
		push	ebx
		db	65h
		jnb	short loc_423148

loc_4230D5:				; CODE XREF: .text:00423092j
					; .text:00423062j
		imul	ebp, [edi+6Eh],	64697547h
		add	[edi], cl

loc_4230DE:				; CODE XREF: .text:00423070j
		push	esp
		popa

loc_4230E0:				; CODE XREF: .text:00423078j
		jb	short loc_423149
		db	65h
		jz	short near ptr loc_423123+3
		jnb	short loc_423130
		add	fs:[eax], cl
		push	ebx
		jz	short near ptr loc_42314D+1
		jz	short near ptr loc_42314F+5

loc_4230EF:				; CODE XREF: .text:0042307Dj
					; .text:004230ABj
		inc	esp
		jnz	short near ptr loc_423163+1
		popa
		jz	short loc_42315E
		outsd

loc_4230F6:				; CODE XREF: .text:00423087j
		outsb
		dec	ebp
		push	ebx

loc_4230F9:				; CODE XREF: .text:00423090j
		add	[edx], cl
		push	ebp
		jo	short loc_423172
		imul	ebp, [ebp+65h],	746C6544h
		popa
		dec	ebp

loc_423107:				; CODE XREF: .text:00423095j
		push	ebx
		add	[edx], cl
		push	esp
		outsd
		jz	short loc_42316F
		insb

loc_42310F:				; CODE XREF: .text:004230A0j
		inc	esp
		jnz	short loc_423184

loc_423112:				; CODE XREF: .text:loc_4230A9j
		popa
		jz	short loc_42317E
		outsd
		outsb
		dec	ebp
		push	ebx
		add	[edx], cl
		push	esp
		outsd
		jz	short near ptr loc_42317E+2
		insb

loc_423120:				; CODE XREF: .text:004230AEj
		push	ebp
		jo	short loc_423197

loc_423123:				; CODE XREF: .text:004230B1j
					; .text:004230E2j ...
		imul	ebp, [ebp+65h],	0A00534Dh
		push	esp
		outsd
		jz	short near ptr loc_42318E+1
		insb
		push	ebx

loc_423130:				; CODE XREF: .text:004230E5j
		jnz	short near ptr loc_4231A4+1
		jo	short near ptr loc_423197+2
		outsb
		db	64h, 65h, 64h
		dec	ebp
		push	ebx

loc_42313A:				; CODE XREF: .text:loc_4230C9j
		add	[edx], cl
		push	ebp
		push	esp
		inc	ebx
		push	edx

loc_423140:				; CODE XREF: .text:004230CFj
		db	65h
		jo	short loc_4231AF
		popa
		arpl	[ebp+5Fh], sp
		inc	ebx

loc_423148:				; CODE XREF: .text:004230D2j
		outsd

loc_423149:				; CODE XREF: .text:loc_4230E0j
		insd
		insd
		popa
		outsb

loc_42314D:				; CODE XREF: .text:004230EBj
		db	64h
		dec	esp

loc_42314F:				; CODE XREF: .text:004230EDj
		imul	ebp, [esi+65h],	68736148h
		add	ds:746E6576h[eax*2], al
		push	ebx

loc_42315E:				; CODE XREF: .text:004230F3j
		db	65h
		jno	short loc_4231D6
		outs	dx, byte ptr gs:[esi]

loc_423163:				; CODE XREF: .text:004230F0j
		arpl	[ebp+0], sp
		or	dl, [eax+72h]
		outsd
		arpl	[ebp+73h], sp
		jnb	short loc_4231C2

loc_42316F:				; CODE XREF: .text:0042310Cj
		db	65h
		jno	short near ptr loc_4231E2+5

loc_423172:				; CODE XREF: .text:004230FCj
		outs	dx, byte ptr gs:[esi]
		arpl	[ebp+0], sp
		or	cl, [ecx+6Eh]
		jnb	short loc_4231F0
		popa
		outsb

loc_42317E:				; CODE XREF: .text:00423113j
					; .text:0042311Dj
		arpl	[ebp+49h], sp
		add	fs:[eax], cl

loc_423184:				; CODE XREF: .text:00423110j
		push	eax
		jb	short near ptr loc_4231F0+6
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_4231DD+2
		jz	short loc_4231EF

loc_42318E:				; CODE XREF: .text:0042312Cj
		jb	short loc_423204
		dec	ebx
		db	65h
		jns	short $+3
		or	al, [ebp+78h]

loc_423197:				; CODE XREF: .text:00423121j
					; .text:00423132j
		imul	esi, [ebx+edx*2+74h], 73757461h
		add	[eax], cl
		inc	ebx
		jb	short loc_423205

loc_4231A4:				; CODE XREF: .text:loc_423130j
		jnb	short near ptr loc_42320C+2
		db	65h
		add	fs:[eax+ecx*2],	al
		popa
		outsb
		db	67h
		inc	ebx

loc_4231AF:				; CODE XREF: .text:loc_423140j
		outsd
		jnz	short near ptr loc_42321A+6
		jz	short $+2
		add	al, 47h
		push	4374736Fh
		outsd
		jnz	short near ptr loc_423229+3
		jz	short $+2
		add	al, 48h

loc_4231C2:				; CODE XREF: .text:0042316Dj
		imul	esi, [eax+edx*2+72h], 6C696665h
		jz	short near ptr loc_423230+1
		jb	short near ptr loc_423222+1
		inc	ebp
		add	[eax+ecx*2], al
		popa
		outsb
		db	64h
		insb

loc_4231D6:				; CODE XREF: .text:loc_42315Ej
		db	65h
		inc	ebx
		outsd
		jnz	short loc_423249
		jz	short $+2

loc_4231DD:				; CODE XREF: .text:0042318Aj
		or	[ebx+6Fh], al
		insd
		insd

loc_4231E2:				; CODE XREF: .text:loc_42316Fj
		imul	esi, [ebx+eax*2+68h], 65677261h
		add	[edx], cl
		inc	ebx
		outsd
		insd

loc_4231EF:				; CODE XREF: .text:0042318Cj
		insd

loc_4231F0:				; CODE XREF: .text:0042317Aj
					; .text:00423185j
		imul	esi, [ebx+eax*2+68h], 65677261h
		push	eax
		db	65h
		popa
		imul	eax, [eax], 0Ah
		inc	ebx
		push	eax
		push	ebp
		inc	ebx
		jns	short near ptr loc_423266+1

loc_423204:				; CODE XREF: .text:loc_42318Ej
		insb

loc_423205:				; CODE XREF: .text:004231A2j
		db	65h
		inc	ebx
		outsd
		jnz	short loc_423278
		jz	short $+2

loc_42320C:				; CODE XREF: .text:loc_4231A4j
		or	dl, [edx+65h]
		popa
		db	64h
		inc	ebx
		outsd
		jnz	short loc_423283
		jz	short $+2
		or	[edi+72h], dl

loc_42321A:				; CODE XREF: .text:004231B0j
		imul	esi, [ebp+43h],	746E756Fh

loc_423222:				; CODE XREF: .text:004231CCj
		add	[eax], cl
		push	edx
		db	65h
		popa
		db	64h
		push	ebx

loc_423229:				; CODE XREF: .text:004231BCj
		imul	edi, [edx+65h],	424B6E49h

loc_423230:				; CODE XREF: .text:004231CAj
		add	[eax], cl
		push	edi
		jb	short loc_42329E
		jz	short near ptr loc_423297+5
		push	ebx
		imul	edi, [edx+65h],	424B6E49h
		add	[eax], cl
		dec	eax
		popa
		jb	short near ptr loc_4232A8+1
		inc	esi
		popa
		jnz	short loc_4232B5

loc_423249:				; CODE XREF: .text:004231D9j
		jz	short loc_42328E
		outsd
		jnz	short loc_4232BC
		jz	short $+2
		or	[ebx+68h], dl
		popa
		jb	short near ptr loc_4232BA+1
		db	64h
		inc	ebx
		outsd
		insd
		insd
		imul	esi, [ebx+eax*2+68h], 65677261h
		add	[edx], cl
		push	es

loc_423266:				; CODE XREF: .text:00423202j
					; DATA XREF: EtwpWriteAppStateChangeSummary+17D90Ao
		or	eax, large ds:0
; 
		dd 400000h, 80042500h, 70704100h
; 

loc_423278:				; CODE XREF: .text:00423208j
		push	ebx
		jz	short loc_4232DC
		jz	short loc_4232E2
		inc	ebx
		push	65676E61h

loc_423283:				; CODE XREF: .text:00423213j
		push	ebx
		jnz	short loc_4232F3
		insd
		popa
		jb	short near ptr loc_423302+1
		add	[ecx+75h], cl

loc_42328E:				; CODE XREF: .text:loc_423249j
		outsb
		arpl	[eax+43h], bp
		outsd
		jnz	short near ptr loc_423302+1
		jz	short $+2

loc_423297:				; CODE XREF: .text:00423235j
		mov	[eax+71808080h], eax
		push	ebx

loc_42329E:				; CODE XREF: .text:00423233j
		jnz	short loc_423313
		jo	short loc_423307
		outsb
		db	64h
		inc	ebx
		outsd
		jnz	short near ptr loc_423315+1

loc_4232A8:				; CODE XREF: .text:00423243j
		jz	short $+2
		mov	[eax+71808080h], eax
		push	edx
		db	65h
		jnb	short loc_423329
		insd

loc_4232B5:				; CODE XREF: .text:00423247j
		db	65h
		inc	ebx
		outsd
		jnz	short loc_423328

loc_4232BA:				; CODE XREF: .text:00423254j
		jz	short $+2

loc_4232BC:				; CODE XREF: .text:0042324Cj
		mov	[eax+71808080h], eax
		push	esp
		db	65h
		jb	short near ptr loc_423330+3
		imul	ebp, [esi+61h],	6F436574h
		jnz	short near ptr loc_42333B+2
		jz	short $+2
		mov	[eax+71808080h], eax
		inc	ebx
		jb	short loc_42333B
		jnb	short loc_423344

loc_4232DC:				; CODE XREF: .text:00423279j
		inc	ebx
		outsd
		jnz	short near ptr loc_42334C+2
		jz	short $+2

loc_4232E2:				; CODE XREF: .text:0042327Bj
		mov	[eax+71808080h], eax
		dec	eax
		db	65h
		popa
		jb	short near ptr loc_423360+1
		bound	esp, [ebp+61h]
		jz	short near ptr loc_423330+5
		outsd

loc_4232F3:				; CODE XREF: .text:00423284j
		jnz	short near ptr loc_423360+3
		jz	short $+2
		mov	[eax+71808080h], eax
		dec	eax
		db	65h
		popa
		jb	short near ptr loc_423375+1

loc_423302:				; CODE XREF: .text:00423288j
					; .text:00423293j
		bound	esp, [ebp+61h]
		jz	short near ptr loc_423359+1

loc_423307:				; CODE XREF: .text:004232A0j
		jnz	short near ptr loc_42337B+1
		jo	short loc_423370
		outsb
		db	64h, 65h, 64h
		inc	ebx
		outsd
		jnz	short loc_423381

loc_423313:				; CODE XREF: .text:loc_42329Ej
		jz	short $+2

loc_423315:				; CODE XREF: .text:004232A6j
		mov	[eax+71808080h], eax
		push	eax
		jb	short near ptr loc_42338C+1
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_423366+1
		jnz	short loc_423397
		popa
		jz	short loc_423391

loc_423328:				; CODE XREF: .text:004232B8j
		outsd

loc_423329:				; CODE XREF: .text:004232B1j
		outsb
		dec	ebp
		push	ebx
		pop	edi
		push	ebx
		jnz	short near ptr loc_42339C+1

loc_423330:				; CODE XREF: .text:004232C3j
					; .text:004232F0j
		add	[ecx-7F7F7F80h], cl
		jno	short loc_42338A
		jnz	short near ptr loc_4233A7+1
		outsb

loc_42333B:				; CODE XREF: .text:004232D8j
					; .text:004232CDj
		imul	ebp, [esi+67h],	61727544h
		jz	short near ptr loc_4233AC+1

loc_423344:				; CODE XREF: .text:004232DAj
		outsd
		outsb
		dec	ebp
		push	ebx
		pop	edi
		push	ebx
		jnz	short loc_4233B9

loc_42334C:				; CODE XREF: .text:004232DEj
		add	[ecx-7F7F7F80h], cl
		jno	short loc_42339C
		popa
		outsb
		db	67h
		inc	ebx
		outsd

loc_423359:				; CODE XREF: .text:00423305j
		jnz	short near ptr loc_4233C8+1
		jz	short near ptr loc_4233B9+3
		push	ebx
		jnz	short loc_4233CD

loc_423360:				; CODE XREF: .text:004232EBj
					; .text:loc_4232F3j
		add	[ecx-7F7F7F80h], cl

loc_423366:				; CODE XREF: .text:00423321j
		jno	short near ptr loc_4233AE+1
		push	4374736Fh
		outsd
		jnz	short loc_4233DE

loc_423370:				; CODE XREF: .text:00423309j
		jz	short near ptr loc_4233CF+2
		push	ebx
		jnz	short loc_4233E2

loc_423375:				; CODE XREF: .text:00423300j
		add	[ecx-7F7F7F80h], cl

loc_42337B:				; CODE XREF: .text:loc_423307j
		jno	short near ptr loc_4233C4+1
		popa
		outsb
		db	64h
		insb

loc_423381:				; CODE XREF: .text:00423311j
		db	65h
		inc	ebx
		outsd
		jnz	short near ptr loc_4233F3+1
		jz	short near ptr loc_4233C8+1
		jz	short loc_4233CF

loc_42338A:				; CODE XREF: .text:00423336j
		js	short loc_4233F5

loc_42338C:				; CODE XREF: .text:0042331Cj
		jz	short near ptr loc_4233E9+4
		push	ebx
		jnz	short near ptr loc_4233FD+1

loc_423391:				; CODE XREF: .text:00423326j
		add	[ecx-7F7F7F80h], cl

loc_423397:				; CODE XREF: .text:00423323j
		jno	short loc_4233DC
		outsd
		insd
		insd

loc_42339C:				; CODE XREF: .text:00423352j
					; .text:0042332Ej
		imul	esi, [ebx+eax*2+68h], 65677261h
		inc	ecx
		jz	short near ptr loc_4233E9+3

loc_4233A7:				; CODE XREF: .text:00423338j
		js	short loc_423412
		jz	short near ptr loc_423406+4
		push	ebx

loc_4233AC:				; CODE XREF: .text:00423342j
		jnz	short near ptr loc_42341A+1

loc_4233AE:				; CODE XREF: .text:loc_423366j
		add	[ecx-7F7F7F80h], cl
		jno	short near ptr loc_4233F5+4
		outsd
		insd
		insd

loc_4233B9:				; CODE XREF: .text:0042334Aj
					; .text:0042335Bj
		imul	esi, [ebx+eax*2+68h], 65677261h
		push	eax
		db	65h
		popa

loc_4233C4:				; CODE XREF: .text:loc_42337Bj
		imul	eax, [ecx+74h],	45h

loc_4233C8:				; CODE XREF: .text:loc_423359j
					; .text:00423386j
		js	short near ptr loc_42342E+5
		jz	short loc_42342B
		push	ebx

loc_4233CD:				; CODE XREF: .text:0042335Ej
		jnz	short loc_42343C

loc_4233CF:				; CODE XREF: .text:00423388j
					; .text:loc_423370j
		add	[ecx-7F7F7F80h], cl
		jno	short loc_423429
		db	65h
		popa
		db	64h
		inc	ebx
		outsd

loc_4233DC:				; CODE XREF: .text:loc_423397j
		jnz	short loc_42344C

loc_4233DE:				; CODE XREF: .text:0042336Ej
		jz	short loc_423421
		jz	short loc_423427

loc_4233E2:				; CODE XREF: .text:00423373j
		js	short loc_42344D
		jz	short loc_423445
		push	ebx
		jnz	short near ptr loc_423455+1

loc_4233E9:				; CODE XREF: .text:004233A5j
					; .text:loc_42338Cj
		add	[ecx-7F7F7F80h], cl
		jno	short near ptr loc_42343F+4
		db	65h
		popa

loc_4233F3:				; CODE XREF: .text:00423384j
		db	64h
		push	ebx

loc_4233F5:				; CODE XREF: .text:loc_42338Aj
					; .text:004233B4j
		imul	edi, [edx+65h],	424B6E49h
		inc	ecx

loc_4233FD:				; CODE XREF: .text:0042338Fj
		jz	short near ptr loc_42343F+5
		js	short loc_42346A
		jz	short loc_423462
		push	ebx
		jnz	short loc_423473

loc_423406:				; CODE XREF: .text:004233A9j
		add	[ecx-7F7F7F80h], cl
		jno	short near ptr loc_423464+1
		jb	short loc_423479
		jz	short loc_423477

loc_423412:				; CODE XREF: .text:loc_4233A7j
		inc	ebx
		outsd
		jnz	short loc_423484
		jz	short near ptr loc_423458+1
		jz	short near ptr loc_42345A+5

loc_42341A:				; CODE XREF: .text:loc_4233ACj
		js	short near ptr loc_423484+1
		jz	short near ptr loc_423479+4
		push	ebx
		jnz	short loc_42348E

loc_423421:				; CODE XREF: .text:loc_4233DEj
		add	[ecx-7F7F7F80h], cl

loc_423427:				; CODE XREF: .text:004233E0j
		jno	short loc_423480

loc_423429:				; CODE XREF: .text:004233D5j
		jb	short near ptr loc_423493+1

loc_42342B:				; CODE XREF: .text:004233CAj
		jz	short near ptr loc_423491+1
		push	ebx

loc_42342E:				; CODE XREF: .text:loc_4233C8j
		imul	edi, [edx+65h],	424B6E49h
		inc	ecx
		jz	short near ptr loc_423479+4
		js	short near ptr loc_4234A2+1
		jz	short near ptr loc_42349A+1

loc_42343C:				; CODE XREF: .text:loc_4233CDj
		push	ebx
		jnz	short loc_4234AC

loc_42343F:				; CODE XREF: .text:004233EFj
					; .text:loc_4233FDj
		add	[ecx-7F7F7F80h], cl

loc_423445:				; CODE XREF: .text:004233E4j
		jno	short loc_42348A
		jns	short loc_4234AC
		insb
		db	65h
		inc	ebx

loc_42344C:				; CODE XREF: .text:loc_4233DCj
		outsd

loc_42344D:				; CODE XREF: .text:loc_4233E2j
		jnz	short loc_4234BD
		jz	short near ptr loc_423491+1
		jz	short near ptr loc_423493+5
		js	short near ptr loc_4234BD+1

loc_423455:				; CODE XREF: .text:004233E7j
		jz	short near ptr loc_4234B3+3
		push	ebx

loc_423458:				; CODE XREF: .text:00423416j
		jnz	short near ptr loc_4234C6+1

loc_42345A:				; CODE XREF: .text:00423418j
		add	[ecx-7F7F7F80h], cl
		jno	short loc_4234A7

loc_423462:				; CODE XREF: .text:00423401j
		js	short loc_4234CD

loc_423464:				; CODE XREF: .text:0042340Cj
		jz	short near ptr loc_4234B3+6
		jz	short near ptr loc_4234C6+3
		jz	short loc_4234DF

loc_42346A:				; CODE XREF: .text:004233FFj
		jnb	short near ptr loc_4234B3+7
		db	65h, 67h
		popa
		jz	short near ptr loc_4234D9+1
		jbe	short near ptr loc_4234D7+1

loc_423473:				; CODE XREF: .text:00423404j
		inc	ebx
		outsd
		jnz	short near ptr loc_4234E4+1

loc_423477:				; CODE XREF: .text:00423410j
		jz	short $+2

loc_423479:				; CODE XREF: .text:0042340Ej
					; .text:0042341Cj ...
		mov	[eax+71808080h], eax
		inc	ebp

loc_423480:				; CODE XREF: .text:loc_423427j
		js	short near ptr loc_4234EA+1
		jz	short loc_4234D7

loc_423484:				; CODE XREF: .text:00423414j
					; .text:loc_42341Aj
		jz	short near ptr loc_4234E4+3
		jz	short loc_4234FD
		jnb	short loc_4234E4

loc_42348A:				; CODE XREF: .text:loc_423445j
		db	65h
		jb	short near ptr loc_4234FA+2
		inc	ebx

loc_42348E:				; CODE XREF: .text:0042341Fj
		outsd
		jnz	short near ptr loc_4234FD+2

loc_423491:				; CODE XREF: .text:loc_42342Bj
					; .text:0042344Fj
		jz	short $+2

loc_423493:				; CODE XREF: .text:loc_423429j
					; .text:00423451j
		mov	[eax+71808080h], eax
		inc	ebp

loc_42349A:				; CODE XREF: .text:0042343Aj
		js	short loc_423505
		jz	short near ptr loc_4234EF+2
		jz	short near ptr loc_4234FD+4
		jz	short loc_423517

loc_4234A2:				; CODE XREF: .text:00423438j
		jnb	short near ptr loc_4234F2+1
		outsb
		db	65h
		inc	ebx

loc_4234A7:				; CODE XREF: .text:00423460j
		outsd
		jnz	short loc_423518
		jz	short $+2

loc_4234AC:				; CODE XREF: .text:0042343Dj
					; .text:00423447j
		mov	[eax+71808080h], eax
		dec	eax

loc_4234B3:				; CODE XREF: .text:loc_423455j
					; .text:loc_423464j ...
		imul	esi, [eax+edx*2+72h], 6C696665h
		jz	short near ptr loc_423521+1

loc_4234BD:				; CODE XREF: .text:loc_42344Dj
					; .text:00423453j
		jb	short loc_423514
		inc	ebp
		inc	ebx
		outsd
		jnz	short loc_423532
		jz	short $+2

loc_4234C6:				; CODE XREF: .text:loc_423458j
					; .text:00423466j
		mov	[eax+71808080h], eax
		dec	eax

loc_4234CD:				; CODE XREF: .text:loc_423462j
		popa
		jb	short loc_423534
		inc	esi
		popa
		jnz	short loc_423540
		jz	short loc_423519
		outsd

loc_4234D7:				; CODE XREF: .text:00423482j
					; .text:00423471j
		jnz	short near ptr loc_423545+2

loc_4234D9:				; CODE XREF: .text:0042346Fj
		jz	short loc_42351C
		jz	short near ptr loc_423521+1
		js	short loc_423548

loc_4234DF:				; CODE XREF: .text:00423468j
		jz	short loc_423540
		push	ebx
		jnz	short near ptr loc_423550+1

loc_4234E4:				; CODE XREF: .text:00423488j
					; .text:00423475j ...
		add	[ecx-7F7F7F80h], cl

loc_4234EA:				; CODE XREF: .text:loc_423480j
		jno	short near ptr loc_423540+1
		push	esp
		inc	ebx
		dec	ebp

loc_4234EF:				; CODE XREF: .text:0042349Cj
		db	65h
		jz	short loc_423553

loc_4234F2:				; CODE XREF: .text:loc_4234A2j
		db	64h
		popa
		jz	short near ptr loc_423553+4
		pop	edi
		dec	ecx
		insd
		popa

loc_4234FA:				; CODE XREF: .text:loc_42348Aj
		db	67h, 65h
		inc	esi

loc_4234FD:				; CODE XREF: .text:00423486j
					; .text:0042348Fj ...
		imul	ebp, [ebp+4Eh],	656D61h

loc_423505:				; CODE XREF: .text:loc_42349Aj
		xchg	eax, esi
		and	byte ptr [eax+55008080h], 54h
		inc	ebx
		dec	ebp
		db	65h
		jz	short loc_423573
		db	64h
		popa

loc_423514:				; CODE XREF: .text:loc_4234BDj
		jz	short near ptr loc_423573+4
		pop	edi

loc_423517:				; CODE XREF: .text:004234A0j
		push	eax

loc_423518:				; CODE XREF: .text:004234A8j
		popa

loc_423519:				; CODE XREF: .text:004234D4j
		arpl	[ebx+61h], bp

loc_42351C:				; CODE XREF: .text:loc_4234D9j
		db	67h, 65h
		dec	esi
		popa
		insd

loc_423521:				; CODE XREF: .text:004234BBj
					; .text:004234DBj
		add	gs:[ecx-7F7F5F80h], al
		add	[ebp+54h], dl
		inc	ebx
		dec	ebp
		db	65h
		jz	short loc_423591
		db	64h
		popa

loc_423532:				; CODE XREF: .text:004234C2j
		jz	short loc_423595

loc_423534:				; CODE XREF: .text:004234CEj
		pop	edi
		push	eax
		push	edx
		inc	ecx
		dec	ecx
		inc	esp
		add	[ecx-7F7F5F80h], al

loc_423540:				; CODE XREF: .text:004234D2j
					; .text:loc_4234DFj ...
		add	[ebp+54h], dl
		inc	ebx
		dec	ebp

loc_423545:				; CODE XREF: .text:loc_4234D7j
		db	65h
		jz	short loc_4235A9

loc_423548:				; CODE XREF: .text:004234DDj
		db	64h
		popa
		jz	short loc_4235AD
		pop	edi
		dec	ecx
		insd
		popa

loc_423550:				; CODE XREF: .text:004234E2j
		db	67h, 65h
		inc	ebx

loc_423553:				; CODE XREF: .text:loc_4234EFj
					; .text:004234F4j
		push	736B6365h
		jnz	short near ptr loc_4235C6+1
		add	[eax-7F7F5F80h], cl
		add	[ebp+54h], dl
		inc	ebx
		dec	ebp
		db	65h
		jz	short loc_4235C9
		db	64h
		popa
		jz	short near ptr loc_4235CC+1
		pop	edi
		dec	ecx
		insd
		popa
		db	67h, 65h
		push	esp

loc_423573:				; CODE XREF: .text:0042350Fj
					; .text:loc_423514j
		imul	ebp, [ebp+65h],	65746144h
		push	ebx
		jz	short near ptr loc_4235D8+6
		insd
		jo	short $+2
		mov	[eax+8080A0h], al
		push	ebp
		push	esp
		inc	ebx
		dec	ebp
		db	65h
		jz	short loc_4235EE
		db	64h
		popa
		jz	short loc_4235F2

loc_423591:				; CODE XREF: .text:0042352Dj
		pop	edi
		inc	ebx
		outsd
		insd

loc_423595:				; CODE XREF: .text:loc_423532j
		insd
		popa
		outsb
		db	64h
		insb
		imul	ebp, [esi+65h],	0A0809600h
		add	byte ptr [eax+74784500h], 72h
		popa

loc_4235A9:				; CODE XREF: .text:loc_423545j
		dec	ecx
		outsb
		outsw

loc_4235AD:				; CODE XREF: .text:0042354Aj
		inc	esi
		insb
		popa
		db	67h
		jnb	near ptr 35B3h
		adc	eax, 52435455h
		db	65h
		jo	short loc_423627
		popa
		arpl	[ebp+5Fh], sp
		push	esp
		popa
		jb	short near ptr loc_423627+3
		db	65h
		jz	short near ptr loc_423606+1

loc_4235C6:				; CODE XREF: .text:00423558j
		jo	short near ptr loc_423635+3
		dec	ecx

loc_4235C9:				; CODE XREF: .text:00423565j
		db	64h
		pop	edi
		inc	esi

loc_4235CC:				; CODE XREF: .text:0042356Aj
		jb	short near ptr loc_42363C+1
		insd
		inc	ebp
		jbe	short near ptr loc_423635+2
		outsb
		jz	short near ptr loc_423618+1
		popa
		jz	short near ptr loc_423635+4

loc_4235D8:				; CODE XREF: .text:0042357Bj
		add	ds:65524354h[edx*2], al
		jo	short loc_42364D
		popa
		arpl	[ebp+5Fh], sp
		push	esp
		popa
		jb	short near ptr loc_42364D+3
		db	65h
		jz	short near ptr loc_423627+6
		jo	short loc_42365E

loc_4235EE:				; CODE XREF: .text:0042358Aj
		push	esi
		db	65h
		jb	short near ptr loc_42364D+4

loc_4235F2:				; CODE XREF: .text:0042358Fj
		inc	esi
		jb	short near ptr loc_423662+2
		insd
		inc	ebp
		jbe	short loc_42365E
		outsb
		jz	short loc_423640
		popa
		jz	short loc_423660
		add	ds:65524354h[edx*2], al

loc_423606:				; CODE XREF: .text:004235C3j
		jo	short loc_423674
		popa
		arpl	[ebp+5Fh], sp
		push	esp
		popa
		jb	short loc_423677
		db	65h
		jz	short loc_423654
		jo	short loc_423685
		push	esp
		jns	short near ptr loc_423685+3

loc_423618:				; CODE XREF: .text:004235D3j
		db	65h
		pop	edi
		inc	esi
		jb	short loc_42368C
		insd
		inc	ebp
		jbe	short near ptr loc_423685+1
		outsb
		jz	short near ptr loc_423662+6
		popa
		jz	short near ptr loc_423685+3

loc_423627:				; CODE XREF: .text:004235B8j
					; .text:004235C1j ...
		add	ds:65524354h[edx*2], al
		jo	short near ptr loc_423697+5
		popa
		arpl	[ebp+5Fh], sp
		dec	esp

loc_423635:				; CODE XREF: .text:004235D0j
					; .text:loc_4235C6j ...
		imul	esp, [ebx+65h],	5465736Eh

loc_42363C:				; CODE XREF: .text:loc_4235CCj
		jns	short loc_4236AE
		db	65h
		pop	edi

loc_423640:				; CODE XREF: .text:004235FAj
		inc	esi
		jb	short loc_4236B2
		insd
		inc	ebp
		jbe	short loc_4236AC
		outsb
		jz	short near ptr loc_42368D+1
		popa
		jz	short loc_4236AE

loc_42364D:				; CODE XREF: .text:004235DFj
					; .text:004235E7j ...
		add	ds:65524354h[edx*2], al

loc_423654:				; CODE XREF: .text:00423610j
		jo	short loc_4236C2
		popa
		arpl	[ebp+5Fh], sp
		inc	ebx
		outsd
		insd
		insd

loc_42365E:				; CODE XREF: .text:004235ECj
					; .text:004235F7j
		popa
		outsb

loc_423660:				; CODE XREF: .text:004235FDj
		db	64h
		dec	esp

loc_423662:				; CODE XREF: .text:004235F3j
					; .text:00423622j
		imul	ebp, [esi+65h],	68736148h
		pop	edi
		inc	esi
		jb	short near ptr loc_4236DB+1
		insd
		inc	ebp
		jbe	short loc_4236D6
		outsb
		jz	short near ptr loc_4236B7+1

loc_423674:				; CODE XREF: .text:loc_423606j
		popa
		jz	short loc_4236D8

loc_423677:				; CODE XREF: .text:0042360Ej
		add	[ebx+eax*2], al
		outsd
		outsb
		jz	short near ptr loc_4236DB+4
		imul	ebp, [esi+65h],	644972h

loc_423685:				; CODE XREF: .text:00423613j
					; .text:0042361Fj ...
		movmskps esp, oword ptr	[ecx+72h]
		jz	short loc_4236CC
		pop	edi

loc_42368C:				; CODE XREF: .text:0042361Bj
		push	eax

loc_42368D:				; CODE XREF: .text:00423648j
		jb	short loc_4236F8
		jbe	short near ptr loc_4236E3+2
		popa
		db	67h
		jnb	near ptr 3695h
		or	al, [esi]

loc_423697:				; CODE XREF: .text:0042362Ej
					; DATA XREF: EtwpWriteProcessStarted+2C8o
		or	eax, large ds:300h
; 
		db 3 dup(0)
		dd 0EE0000h, 72500080h,	7365636Fh
; 

loc_4236AC:				; CODE XREF: .text:00423645j
		jnb	short loc_423701

loc_4236AE:				; CODE XREF: .text:loc_42363Cj
					; .text:0042364Bj
		jz	short near ptr loc_423710+1
		jb	short near ptr loc_423725+1

loc_4236B2:				; CODE XREF: .text:00423641j
		db	65h
		add	fs:[ecx+6Eh], cl

loc_4236B7:				; CODE XREF: .text:00423672j
		jnb	short near ptr loc_42372B+2
		popa
		outsb
		arpl	[ebp+53h], sp
		jz	short loc_423721
		jb	short near ptr loc_423734+2

loc_4236C2:				; CODE XREF: .text:loc_423654j
		push	esp
		imul	ebp, [ebp+65h],	6E490900h
		jnb	short near ptr loc_42373E+2

loc_4236CC:				; CODE XREF: .text:00423689j
		popa
		outsb
		arpl	[ebp+49h], sp
		add	fs:[eax], cl
		push	eax
		popa

loc_4236D6:				; CODE XREF: .text:0042366Fj
		jb	short loc_42373D

loc_4236D8:				; CODE XREF: .text:00423675j
		outsb
		jz	short loc_42372B

loc_4236DB:				; CODE XREF: .text:0042366Bj
					; .text:0042367Cj
		imul	esp, [eax+eax+8], 73736553h

loc_4236E3:				; CODE XREF: .text:0042368Fj
		imul	ebp, [edi+6Eh],	8006449h
		dec	ecx
		insd
		popa
		db	67h, 65h
		inc	esi
		imul	ebp, [ebp+4Eh],	656D61h

loc_4236F8:				; CODE XREF: .text:loc_42368Dj
		push	ss
		push	eax
		jb	short loc_42376B
		arpl	[ebp+73h], sp
		jnb	short loc_423754

loc_423701:				; CODE XREF: .text:loc_4236ACj
		jz	short near ptr loc_423763+1
		jb	short near ptr loc_423778+1
		dec	ebx
		db	65h
		jns	short $+3
		or	dl, [eax+72h]
		outsd
		arpl	[ebp+73h], sp

loc_423710:				; CODE XREF: .text:loc_4236AEj
		jnb	short loc_423765
		db	65h
		jno	short near ptr loc_423789+1
		outs	dx, byte ptr gs:[esi]
		arpl	[ebp+0], sp
		or	al, [ebx+72h]
		db	65h
		popa
		jz	short near ptr loc_42377F+7

loc_423721:				; CODE XREF: .text:004236BEj
		dec	ecx
		outsb
		jz	short near ptr loc_423789+1

loc_423725:				; CODE XREF: .text:004236B0j
		jb	short near ptr byte_423799
		jnz	short near ptr byte_423799
		jz	short loc_42377F

loc_42372B:				; CODE XREF: .text:004236D9j
					; .text:loc_4236B7j
		imul	ebp, [ebp+65h],	65530A00h
		jnb	short loc_4237A7

loc_423734:				; CODE XREF: .text:004236C0j
		imul	ebp, [edi+6Eh],	61657243h
		jz	short loc_4237A2

loc_42373D:				; CODE XREF: .text:loc_4236D6j
		push	esp

loc_42373E:				; CODE XREF: .text:004236CAj
		imul	ebp, [ebp+65h],	6D490A00h
		popa
		db	67h, 65h
		inc	ebx
		push	736B6365h
		jnz	short loc_4237BD
		add	[eax], cl
		dec	ecx
		insd

loc_423754:				; CODE XREF: .text:004236FFj
		popa
		db	67h, 65h
		push	esp
		imul	ebp, [ebp+65h],	65746144h
		push	ebx
		jz	short near ptr loc_4237BD+6
		insd

loc_423763:				; CODE XREF: .text:loc_423701j
		jo	short $+2

loc_423765:				; CODE XREF: .text:loc_423710j
		or	[eax+61h], dl
		arpl	[ebx+61h], bp

loc_42376B:				; CODE XREF: .text:004236FAj
		db	67h, 65h
		dec	esi
		popa
		insd
		add	gs:[ecx], al
		push	eax
		push	edx
		inc	ecx
		dec	ecx
		inc	esp

loc_423778:				; CODE XREF: .text:00423703j
		add	[ecx], al
		push	ebp
		jnb	short near ptr loc_4237E0+2
		jb	short near ptr loc_4237CF+3

loc_42377F:				; CODE XREF: .text:00423729j
					; .text:0042371Fj
		imul	esp, [eax+eax+13h], 6D6D6F43h
		popa
		outsb

loc_423789:				; CODE XREF: .text:00423712j
					; .text:00423723j
		db	64h
		dec	esp
		imul	ebp, [esi+65h],	0B061600h
					; DATA XREF: EtwTraceTimeZoneInformationRefresh+CCo
		add	eax, 0
; 
		db 0
		db 0
byte_423799	db 3 dup(0)		; CODE XREF: .text:loc_423725j
					; .text:00423727j
		dd 80007Ah
		db 54h,	69h
; 

loc_4237A2:				; CODE XREF: .text:0042373Bj
		insd
		db	65h
		pop	edx
		outsd
		outsb

loc_4237A7:				; CODE XREF: .text:00423732j
		db	65h
		dec	ecx
		outsb
		outsw
		jb	short near ptr byte_42381B
		popa
		jz	short near ptr byte_42381A
		outsd
		outsb
		push	edx
		db	65h, 66h
		jb	short near ptr byte_42381D
		jnb	short loc_423822
		add	[ebp+78h], al

loc_4237BD:				; CODE XREF: .text:0042374Ej
					; .text:00423760j
		imul	esi, [edx+edx*2+65h], 6E6F7361h
		add	[eax], cl
		inc	ebx
		jnz	short near ptr loc_42383B+1
		jb	short loc_423831
		outsb
		jz	short near ptr loc_423822+1

loc_4237CF:				; CODE XREF: .text:0042377Dj
		imul	ebp, [ebp+65h],	656E6F5Ah
		inc	edx
		imul	esp, [ecx+73h],	654E0700h
		ja	short loc_423834

loc_4237E0:				; CODE XREF: .text:0042377Bj
		imul	ebp, [ebp+65h],	656E6F5Ah
		dec	ecx
		add	fs:[edx+eax+656D6954h],	al
		pop	edx
		outsd
		outsb
		db	65h
		dec	ecx
		outsb
		outsw
		inc	ebx
		popa
		arpl	[eax+65h], bp
		push	ebp
		jo	short loc_423864
		popa
		jz	short loc_423868
		add	fs:[ebx+eax+73726946h],	al
		jz	short near ptr loc_42385E+1
		db	65h, 66h
		jb	short near ptr loc_423874+2
		jnb	short loc_42387B
		add	[ebx+eax+50B06h], al ; DATA XREF: EtwpTraceSystemInitialization+1A3o
; 
byte_42381A	db 0			; CODE XREF: .text:004237AFj
byte_42381B	db 0			; CODE XREF: .text:004237ACj
		db 0
byte_42381D	db 2 dup(0), 80h	; CODE XREF: .text:004237B4j
		db 2 dup(0)
; 

loc_423822:				; CODE XREF: .text:004237B8j
					; .text:004237CDj
		mov	al, [eax]
		add	byte ptr [eax],	53h
		jns	short loc_42389C
		jz	short near ptr loc_42388C+4
		insd
		push	ebx
		jz	short near ptr loc_42388C+4
		jb	short loc_4238A5

loc_423831:				; CODE XREF: .text:004237CAj
		add	[ebp+61h], cl

loc_423834:				; CODE XREF: .text:004237DEj
		push	6Fh
		jb	short near ptr loc_42388C+2
		db	65h
		jb	short near ptr loc_4238AD+1

loc_42383B:				; CODE XREF: .text:004237C8j
		imul	ebp, [edi+6Eh],	694D0800h
		outsb
		outsd
		jb	short loc_42389C
		db	65h
		jb	short near ptr loc_4238BA+2
		imul	ebp, [edi+6Eh],	75420800h
		imul	ebp, [esp+4Eh],	65626D75h
		jb	short $+2
		or	[ebx+74h], dl
		popa

loc_42385E:				; CODE XREF: .text:0042380Bj
		jz	short near ptr loc_4238C3+2
		inc	ebp
		jbe	short loc_4238C8
		outsb

loc_423864:				; CODE XREF: .text:004237FEj
		jz	short loc_4238BA
		jns	short loc_4238D8

loc_423868:				; CODE XREF: .text:00423801j
		add	gs:[eax], cl
		push	ecx
		inc	esi
		inc	ebp
		add	[eax], cl
		push	ebx
		db	65h
		jb	short near ptr loc_4238E4+6

loc_423874:				; CODE XREF: .text:0042380Dj
		imul	esp, [ebx+65h],	6B636150h

loc_42387B:				; CODE XREF: .text:00423811j
		add	[esi], al
		inc	edx
		outsd
		outsd
		jz	short near ptr loc_4238CE+1
		outsd
		db	64h
		add	gs:[eax], cl
		inc	edx
		outsd
		outsd
		jz	short near ptr loc_4238DC+4

loc_42388C:				; CODE XREF: .text:00423836j
					; .text:00423829j ...
		imul	ebp, [ebp+65h],	6E490900h
		bound	esi, [esi+4Dh]
		outsd
		db	64h
		add	gs:[eax], cl
		dec	ebp

loc_42389C:				; CODE XREF: .text:00423827j
					; .text:00423844j
		db	65h
		popa
		jnb	short near ptr loc_423911+4
		jb	short loc_423907
		db	64h
		dec	esp
		popa

loc_4238A5:				; CODE XREF: .text:0042382Fj
		jnz	short near ptr loc_423911+4
		arpl	[eax+0], bp
		test	[ebx], al
		push	es

loc_4238AD:				; CODE XREF: .text:00423838j
					; DATA XREF: EtwpTraceSystemShutdown()+71o
		or	eax, large ds:0
; 
		db 0
		dd 4000h
		db 31h,	0
; 

loc_4238BA:				; CODE XREF: .text:loc_423864j
					; .text:00423846j
		add	byte ptr [eax],	53h
		jns	short loc_423932
		jz	short near ptr loc_423925+1
		insd
		push	ebx

loc_4238C3:				; CODE XREF: .text:loc_42385Ej
		push	6F647475h

loc_4238C8:				; CODE XREF: .text:00423861j
		ja	short near ptr loc_423936+2
		add	[ebx+74h], dl
		popa

loc_4238CE:				; CODE XREF: .text:00423880j
		jz	short near ptr loc_423934+1
		inc	ebp
		jbe	short near ptr loc_423936+2
		outsb
		jz	short near ptr loc_423925+5
		jns	short near ptr loc_423947+1

loc_4238D8:				; CODE XREF: .text:00423866j
		add	gs:[eax], cl
		push	ebx

loc_4238DC:				; CODE XREF: .text:0042388Aj
		push	6F647475h
		ja	short loc_423951
		push	esp

loc_4238E4:				; CODE XREF: .text:00423871j
					; DATA XREF: EtwpWriteAppStateChange+17DA9Bo
		imul	ebp, [ebp+65h],	0B060900h
		add	eax, 100h
; 
		dd 200000h, 80013F00h, 70704100h, 74617453h, 61684365h
		db 6Eh,	67h, 65h
; 

loc_423907:				; CODE XREF: .text:004238A0j
		add	[ecx+70h], al
		jo	short loc_42395F
		jz	short loc_42396F
		jz	short near ptr loc_42396F+6
		inc	ebx

loc_423911:				; CODE XREF: .text:0042389Ej
					; .text:loc_4238A5j
		push	65676E61h
		add	[eax+edx*2], al
		jb	short near ptr loc_42397E+2
		jbe	short near ptr loc_423985+1
		outsd
		jnz	short near ptr loc_423991+2
		push	ebx
		jz	short near ptr loc_42397E+6
		jz	short near ptr loc_423987+3

loc_423925:				; CODE XREF: .text:004238BFj
					; .text:004238D4j
		add	ds:65524354h[edx*2], al
		jo	short loc_42399A
		popa
		arpl	[ebp+5Fh], sp

loc_423932:				; CODE XREF: .text:004238BDj
		push	esp
		popa

loc_423934:				; CODE XREF: .text:loc_4238CEj
		jb	short near ptr loc_42399C+1

loc_423936:				; CODE XREF: .text:loc_4238C8j
					; .text:004238D1j
		db	65h
		jz	short loc_42397A
		jo	short loc_4239AB
		dec	ecx
		add	fs:[edi], cl
		push	ebp
		push	esp
		inc	ebx
		push	edx
		db	65h
		jo	short loc_4239B2
		popa

loc_423947:				; CODE XREF: .text:004238D6j
		arpl	[ebp+5Fh], sp
		push	esp
		popa
		jb	short loc_4239B5
		db	65h
		jz	short near ptr loc_423991+1

loc_423951:				; CODE XREF: .text:004238E1j
		jo	short loc_4239C3
		push	esi
		db	65h
		jb	short $+3
		add	al, 55h
		push	esp
		inc	ebx
		push	edx
		db	65h
		jo	short loc_4239CB

loc_42395F:				; CODE XREF: .text:0042390Aj
		popa
		arpl	[ebp+5Fh], sp
		push	esp
		popa
		jb	short loc_4239CE
		db	65h
		jz	short loc_4239AB
		jo	short loc_4239DC
		push	esp
		jns	short loc_4239DF

loc_42396F:				; CODE XREF: .text:0042390Cj
					; .text:0042390Ej
		add	gs:65524354h[edx*2], al
		jo	short near ptr loc_4239DF+6
		popa

loc_42397A:				; CODE XREF: .text:loc_423936j
		arpl	[ebp+5Fh], sp
		dec	esp

loc_42397E:				; CODE XREF: .text:00423919j
					; .text:00423921j
		imul	esp, [ebx+65h],	5465736Eh

loc_423985:				; CODE XREF: .text:0042391Bj
		jns	short near ptr loc_4239F6+1

loc_423987:				; CODE XREF: .text:00423923j
		add	gs:[ecx+eax*2],	al
		jo	short near ptr loc_4239FC+1
		push	ebx
		db	65h
		jnb	short loc_423A04

loc_423991:				; CODE XREF: .text:0042394Ej
					; .text:0042391Ej
		imul	ebp, [edi+6Eh],	64697547h
		add	[edi], cl

loc_42399A:				; CODE XREF: .text:0042392Cj
		push	esp
		popa

loc_42399C:				; CODE XREF: .text:loc_423934j
		jb	short loc_423A05
		db	65h
		jz	short near ptr loc_4239DF+3
		jnb	short loc_4239EC
		add	fs:[eax], cl
		push	ebx
		jz	short near ptr loc_423A09+1
		jz	short near ptr loc_423A0B+5

loc_4239AB:				; CODE XREF: .text:00423939j
					; .text:00423967j
		inc	esp
		jnz	short near ptr loc_423A1F+1
		popa
		jz	short loc_423A1A
		outsd

loc_4239B2:				; CODE XREF: .text:00423943j
		outsb
		dec	ebp
		push	ebx

loc_4239B5:				; CODE XREF: .text:0042394Cj
		add	[edx], cl
		push	ebp
		jo	short loc_423A2E
		imul	ebp, [ebp+65h],	746C6544h
		popa
		dec	ebp

loc_4239C3:				; CODE XREF: .text:loc_423951j
		push	ebx
		add	[edx], cl
		push	esp
		outsd
		jz	short loc_423A2B
		insb

loc_4239CB:				; CODE XREF: .text:0042395Cj
		inc	esp
		jnz	short near ptr loc_423A3C+4

loc_4239CE:				; CODE XREF: .text:00423965j
		popa
		jz	short near ptr loc_423A35+5
		outsd
		outsb
		dec	ebp
		push	ebx
		add	[edx], cl
		push	esp
		outsd
		jz	short loc_423A3C
		insb

loc_4239DC:				; CODE XREF: .text:0042396Aj
		push	ebp
		jo	short loc_423A53

loc_4239DF:				; CODE XREF: .text:0042396Dj
					; .text:0042399Ej ...
		imul	ebp, [ebp+65h],	0A00534Dh
		push	esp
		outsd
		jz	short loc_423A4B
		insb
		push	ebx

loc_4239EC:				; CODE XREF: .text:004239A1j
		jnz	short near ptr loc_423A5D+4
		jo	short loc_423A55
		outsb
		db	64h, 65h, 64h
		dec	ebp
		push	ebx

loc_4239F6:				; CODE XREF: .text:loc_423985j
		add	[edx], cl
		push	ebp
		push	esp
		inc	ebx
		push	edx

loc_4239FC:				; CODE XREF: .text:0042398Bj
		db	65h
		jo	short near ptr byte_423A6B
		popa
		arpl	[ebp+5Fh], sp
		inc	ebx

loc_423A04:				; CODE XREF: .text:0042398Ej
		outsd

loc_423A05:				; CODE XREF: .text:loc_42399Cj
		insd
		insd
		popa
		outsb

loc_423A09:				; CODE XREF: .text:004239A7j
		db	64h
		dec	esp

loc_423A0B:				; CODE XREF: .text:004239A9j
		imul	ebp, [esi+65h],	68736148h
		add	ds:746E6576h[eax*2], al
		push	ebx

loc_423A1A:				; CODE XREF: .text:004239AFj
		db	65h
		jno	short loc_423A92
		outs	dx, byte ptr gs:[esi]

loc_423A1F:				; CODE XREF: .text:004239ACj
		arpl	[ebp+0], sp
		or	dl, [eax+72h]
		outsd
		arpl	[ebp+73h], sp
		jnb	short loc_423A7E

loc_423A2B:				; CODE XREF: .text:004239C8j
		db	65h
		jno	short near ptr loc_423AA2+1

loc_423A2E:				; CODE XREF: .text:004239B8j
		outs	dx, byte ptr gs:[esi]
		arpl	[ebp+0], sp
		or	al, [esi]

loc_423A35:				; CODE XREF: .text:004239CFj
					; DATA XREF: EtwpStartLogger+1209E9o
		or	eax, large ds:0
; 
		db 0
; 

loc_423A3C:				; CODE XREF: .text:004239D9j
					; .text:004239CCj
		add	[eax+240000h], al
		add	byte ptr [eax],	45h
		jz	short loc_423ABE
		dec	edi
		jnz	short loc_423ABE
		dec	edi

loc_423A4B:				; CODE XREF: .text:004239E8j
		dec	sp
		outsd
		db	67h, 67h, 65h
		jb	short near ptr loc_423AA5+1

loc_423A53:				; CODE XREF: .text:004239DDj
		insb
		outsd

loc_423A55:				; CODE XREF: .text:004239EEj
		jz	short near ptr loc_423AC9+1
		add	[ebp+61h], cl
		js	short loc_423AA8
		outsd

loc_423A5D:				; CODE XREF: .text:loc_4239ECj
		db	67h, 67h, 65h
		jb	short near ptr loc_423AD3+2
		add	[eax], cl
		push	es
		or	eax, large ds:0
; 
byte_423A6B	db 0			; CODE XREF: .text:loc_4239FCj
		dd 4000h, 0C000A1h, 72657355h, 53746543h
		db 65h,	74h
; 

loc_423A7E:				; CODE XREF: .text:00423A29j
		inc	ebx
		outsd
		outsb
		jz	short near ptr loc_423AE7+1
		js	short near ptr loc_423AF7+2
		dec	ecx
		jo	short loc_423ADE
		popa
		insb
		imul	esp, [ecx+74h],	466E6F69h

loc_423A92:				; CODE XREF: .text:loc_423A1Aj
		popa
		imul	ebp, [ebp+esi*2+72h], 6F6C0065h
		db	67h
		dec	ebp
		outsd
		db	64h
		add	gs:[eax], cl

loc_423AA2:				; CODE XREF: .text:loc_423A2Bj
		jo	short near ptr loc_423B12+4
		outsd

loc_423AA5:				; CODE XREF: .text:00423A4Ej
		arpl	[ebp+73h], sp

loc_423AA8:				; CODE XREF: .text:00423A5Aj
		jnb	short near ptr loc_423AF7+3
		popa
		jz	short near ptr loc_423B12+3
		add	[esi], dl
		jo	short loc_423B23
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_423AF7+3
		outsd
		insd
		insd
		popa
		outsb
		db	64h
		dec	esp

loc_423ABE:				; CODE XREF: .text:00423A45j
					; .text:00423A48j
		imul	ebp, [esi+65h],	72701600h
		outsd
		arpl	[ebp+73h], sp

loc_423AC9:				; CODE XREF: .text:loc_423A55j
		jnb	short loc_423B1E
		jz	short near ptr loc_423B2D+1
		jb	short near ptr loc_423B41+2
		dec	ebx
		db	65h
		jns	short $+3

loc_423AD3:				; CODE XREF: .text:loc_423A5Dj
		adc	eax, 67726174h
		db	65h
		jz	short loc_423B24
		jo	short near ptr loc_423B24+2
		insd

loc_423ADE:				; CODE XREF: .text:00423A86j
		popa
		db	67h, 65h
		dec	esi
		popa
		insd
		add	gs:[esi], dl

loc_423AE7:				; CODE XREF: .text:00423A81j
		jnb	short near ptr loc_423B5A+3
		jb	short loc_423B54
		arpl	[ebp+ecx*2+6Fh], si
		db	64h
		add	gs:746E6F63h, cl

loc_423AF7:				; CODE XREF: .text:00423A83j
					; .text:loc_423AA8j ...
		imul	ebp, [esi+75h],	70795465h
		add	gs:[eax], cl
		push	eax
		popa
		jb	short loc_423B79
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_423B6F+4
		jbe	short near ptr loc_423B5A+6
		popa
		db	67h
		jnb	near ptr 3B10h
		or	al, [esi]

loc_423B12:				; CODE XREF: .text:00423AABj
					; .text:loc_423AA2j
					; DATA XREF: ...
		or	eax, large ds:0
; 
		dd 400000h
		db 0, 0BFh
; 

loc_423B1E:				; CODE XREF: .text:loc_423AC9j
		add	al, al
		add	[edx+6Ch], al

loc_423B23:				; CODE XREF: .text:00423AAFj
		outsd

loc_423B24:				; CODE XREF: .text:00423AD8j
					; .text:00423ADBj
		arpl	[ebx+4Eh], bp
		outsd
		outsb
		inc	ebx
		db	65h
		jz	short loc_423B6F

loc_423B2D:				; CODE XREF: .text:00423ACBj
		imul	ebp, [esi+61h],	73656972h
		add	[edi+ebp*2+67h], ch
		dec	ebp
		outsd
		db	64h
		add	gs:[eax], cl
		jo	short near ptr loc_423BB1+1
		outsd

loc_423B41:				; CODE XREF: .text:00423ACDj
		arpl	[ebp+73h], sp
		jnb	short loc_423B96
		popa
		jz	short loc_423BB1
		add	[esi], dl
		jo	short near ptr loc_423BBC+3
		outsd
		arpl	[ebp+73h], sp
		jnb	short loc_423B96
		outsd

loc_423B54:				; CODE XREF: .text:00423AE9j
		insd
		insd
		popa
		outsb
		db	64h
		dec	esp

loc_423B5A:				; CODE XREF: .text:loc_423AE7j
					; .text:00423B0Aj
		imul	ebp, [esi+65h],	72701600h
		outsd
		arpl	[ebp+73h], sp
		jnb	short loc_423BBA
		jz	short near ptr loc_423BC8+2
		jb	short near ptr loc_423BDD+2
		dec	ebx
		db	65h
		jns	short $+3

loc_423B6F:				; CODE XREF: .text:00423B2Aj
					; .text:00423B08j
		adc	eax, 7070616Dh
		db	65h, 64h
		dec	ecx
		insd
		popa

loc_423B79:				; CODE XREF: .text:00423B03j
		db	67h, 65h
		dec	esi
		popa
		insd
		add	gs:[esi], dl
		imul	ebp, [ebp+61h],	65436567h
		jz	short loc_423BDD
		push	776F6461h
		push	ebx
		jz	short loc_423BF3
		arpl	[ebx+73h], bp
		push	edx

loc_423B96:				; CODE XREF: .text:00423B44j
					; .text:00423B51j
		db	65h
		popa
		db	64h
		jns	short $+3
		or	eax, 67616D69h
		db	65h
		inc	ebp
		dec	eax
		inc	ebx
		outsd
		outsb
		jz	short near ptr loc_423C0F+2
		outsb
		jnz	short loc_423C0C
		jz	short loc_423C16
		outsd
		outsb
		push	esp
		popa

loc_423BB1:				; CODE XREF: .text:00423B47j
					; .text:00423B3Ej
		bound	ebp, [ebp+50h]
		jb	short near ptr loc_423C1B+1
		jnb	short near ptr loc_423C1B+3
		outsb

loc_423BBA:				; CODE XREF: .text:00423B65j
		jz	short $+2

loc_423BBC:				; CODE XREF: .text:00423B4Bj
		or	eax, 456E6F6Eh
		push	746E6F63h
		dec	ebp
		outsd

loc_423BC8:				; CODE XREF: .text:00423B67j
		db	64h
		add	gs:74726150h, cl
		inc	ecx
		pop	edi
		push	eax
		jb	short loc_423C3E
		jbe	short loc_423C2B
		popa
		db	67h
		jnb	near ptr 3BDBh
		or	al, [esi]

loc_423BDD:				; CODE XREF: .text:00423B88j
					; .text:00423B69j
					; DATA XREF: ...
		or	eax, large ds:0
; 
		db 0
		dd 4000h, 9000BFh, 69646552h
		db 72h,	65h, 63h
; 

loc_423BF3:				; CODE XREF: .text:00423B90j
		jz	short near ptr loc_423C5C+2
		outsd
		outsb
		push	esp
		jb	short near ptr loc_423C6D+2
		jnb	short loc_423C70
		push	eax
		outsd
		insb
		imul	esp, [ebx+79h],	72615000h
		jz	short near ptr loc_423C48+1
		pop	edi
		push	eax
		jb	short near ptr loc_423C70+5

loc_423C0C:				; CODE XREF: .text:00423BA9j
		jbe	short loc_423C62
		popa

loc_423C0F:				; CODE XREF: .text:00423BA6j
		db	67h
		jnb	near ptr 3C12h
		or	dl, [ecx+edi*2+70h]

loc_423C16:				; CODE XREF: .text:00423BABj
		add	gs:[eax], cl
		dec	ebp
		outsd

loc_423C1B:				; CODE XREF: .text:00423BB5j
					; .text:00423BB7j
		db	64h
		add	gs:[eax], cl
		dec	ecx
		insd
		jo	short near ptr loc_423C87+1
		jb	short loc_423C98
		outsd
		outsb
		popa
		jz	short loc_423C93
		outsb

loc_423C2B:				; CODE XREF: .text:00423BD5j
		add	[si+4D03h], al
		outsd
		db	64h
		jnz	short near ptr loc_423C9E+2
		and	gs:[edx], dh
		add	[esi], dl
		dec	edi
		db	66h, 66h
		jnb	short near ptr loc_423CA2+1

loc_423C3E:				; CODE XREF: .text:00423BD3j
		jz	short loc_423C60
		xor	al, [eax]
		or	cl, [ebp+6Fh]
		db	64h
		jnz	short loc_423CB4

loc_423C48:				; CODE XREF: .text:00423C06j
		and	gs:[ebx], dh
		add	[esi], dl
		dec	edi
		db	66h, 66h
		jnb	short near ptr loc_423CB4+3
		jz	short near ptr loc_423C70+4
		xor	eax, [eax]
		or	cl, [ebp+6Fh]
		db	64h
		jnz	short loc_423CC8

loc_423C5C:				; CODE XREF: .text:loc_423BF3j
		and	gs:[eax+eax], dh

loc_423C60:				; CODE XREF: .text:loc_423C3Ej
		push	ss
		dec	edi

loc_423C62:				; CODE XREF: .text:loc_423C0Cj
		db	66h, 66h
		jnb	short near ptr loc_423CCA+1
		jz	short near ptr loc_423C87+1
		xor	al, 0
		or	cl, [ebp+6Fh]

loc_423C6D:				; CODE XREF: .text:00423BF8j
		db	64h
		jnz	short near ptr loc_423CDA+2

loc_423C70:				; CODE XREF: .text:00423BFAj
					; .text:00423C52j ...
		and	gs:664F1600h, dh
		db	66h
		jnb	short near ptr loc_423CDD+2
		jz	short near ptr loc_423C9B+1
		xor	eax, 6F4D0A00h
		db	64h
		jnz	short loc_423CF0
		and	gs:[esi], dh

loc_423C87:				; CODE XREF: .text:00423C21j
					; .text:00423C66j
		add	[esi], dl
		dec	edi
		db	66h, 66h
		jnb	short loc_423CF3
		jz	short loc_423CB0
		add	ss:[edx], cl

loc_423C93:				; CODE XREF: .text:00423C28j
		dec	ebp
		outsd
		db	64h
		jnz	short loc_423D04

loc_423C98:				; CODE XREF: .text:00423C23j
		and	gs:[edi], dh

loc_423C9B:				; CODE XREF: .text:00423C7Aj
		add	[esi], dl
		dec	edi

loc_423C9E:				; CODE XREF: .text:00423C31j
		db	66h, 66h
		jnb	short near ptr loc_423D05+2

loc_423CA2:				; CODE XREF: .text:00423C3Aj
		jz	short near ptr loc_423CC3+1
		aaa
		add	[edx], cl
		push	es

loc_423CA8:				; DATA XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+CE6o
		or	eax, large ds:0
; 
		dw 0
; 

loc_423CB0:				; CODE XREF: .text:00423C8Ej
		inc	eax
; 
		db 2 dup(0), 51h
; 

loc_423CB4:				; CODE XREF: .text:00423C45j
					; .text:00423C4Ej
		add	[eax+64655200h], dl
		imul	esi, [edx+65h],	6F697463h
		outsb
		push	esp

loc_423CC3:				; CODE XREF: .text:loc_423CA2j
		jb	short loc_423D3A
		jnb	short loc_423D3B
		push	eax

loc_423CC8:				; CODE XREF: .text:00423C59j
		outsd
		insb

loc_423CCA:				; CODE XREF: .text:loc_423C62j
		imul	esp, [ebx+79h],	72615000h
		jz	short loc_423D14
		pop	edi
		push	eax
		jb	short loc_423D40
		jbe	short near ptr loc_423D2B+2
		popa

loc_423CDA:				; CODE XREF: .text:loc_423C6Dj
		db	67h
		jnb	near ptr 3CDDh

loc_423CDD:				; CODE XREF: .text:00423C77j
		or	dl, [ecx+edi*2+70h]
		add	gs:[eax], cl
		dec	ebp
		outsd
		db	64h
		add	gs:[eax], cl
		dec	ecx
		insd
		jo	short loc_423D53
		jb	short near ptr loc_423D60+3

loc_423CF0:				; CODE XREF: .text:00423C81j
		outsd
		outsb
		popa

loc_423CF3:				; CODE XREF: .text:00423C8Aj
		jz	short loc_423D5E
		outsb
		add	[si+4D03h], al
		outsd
		db	64h
		jnz	short loc_423D6B
		and	gs:[edx], dh
		add	[esi], dl

loc_423D04:				; CODE XREF: .text:00423C95j
		push	es

loc_423D05:				; CODE XREF: .text:loc_423C9Ej
					; DATA XREF: EtwpTimLogMitigationForProcess(x,x,x,x)+24Eo
		or	eax, large ds:0
; 
		db 0
		dd 2000h, 0C00066h
; 

loc_423D14:				; CODE XREF: .text:00423CD1j
		inc	edi
		outs	dx, byte ptr gs:[esi]
		db	65h
		jb	short loc_423D83
		arpl	[ebp+69h], cx
		jz	short loc_423D88
		db	67h
		popa
		jz	short near ptr loc_423D89+3
		outsd
		outsb
		inc	esi
		outsd
		jb	short near ptr loc_423D75+4
		jb	short near ptr loc_423D99+1

loc_423D2B:				; CODE XREF: .text:00423CD7j
		arpl	[ebp+73h], sp
		jnb	short $+2
		insd
		imul	esi, [ecx+ebp*2+67h], 6F697461h
		outsb

loc_423D3A:				; CODE XREF: .text:loc_423CC3j
		dec	ecx

loc_423D3B:				; CODE XREF: .text:00423CC5j
		add	fs:[eax], cl
		insd
		outsd

loc_423D40:				; CODE XREF: .text:00423CD5j
		db	64h
		add	gs:[eax], cl
		jo	short loc_423DB8
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_423D9B+1
		popa
		jz	short near ptr loc_423DB6+1
		add	[esi], dl
		jo	short loc_423DC5

loc_423D53:				; CODE XREF: .text:00423CECj
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_423D9B+1
		outsd
		insd
		insd
		popa
		outsb

loc_423D5E:				; CODE XREF: .text:loc_423CF3j
		db	64h
		dec	esp

loc_423D60:				; CODE XREF: .text:00423CEEj
		imul	ebp, [esi+65h],	72701600h
		outsd
		arpl	[ebp+73h], sp

loc_423D6B:				; CODE XREF: .text:00423CFCj
		jnb	short loc_423DC0
		jz	short loc_423DD0
		jb	short near ptr loc_423DE3+2
		dec	ebx
		db	65h
		jns	short $+3

loc_423D75:				; CODE XREF: .text:00423D27j
					; DATA XREF: EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+3B6o
		adc	eax, 50B06h
; 
		dw 0
		dd 40000000h
		db 2 dup(0), 8Ch
; 

loc_423D83:				; CODE XREF: .text:00423D17j
		add	al, al
		add	[eax+72h], dl

loc_423D88:				; CODE XREF: .text:00423D1Dj
		outsd

loc_423D89:				; CODE XREF: .text:00423D21j
		push	74696269h
		dec	esi
		outsd
		outsb
		dec	ebp
		imul	esp, [ebx+72h],	666F736Fh

loc_423D99:				; CODE XREF: .text:00423D29j
		jz	short near ptr loc_423DDA+3

loc_423D9B:				; CODE XREF: .text:00423D4Aj
					; .text:00423D57j
		imul	ebp, [esi+61h],	73656972h
		add	[ebp+6Fh], ch
		db	64h
		add	gs:[eax], cl
		jo	short near ptr loc_423E1C+1
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_423DFF+2
		popa
		jz	short loc_423E1C
		add	[esi], dl

loc_423DB6:				; CODE XREF: .text:00423D4Dj
		jo	short loc_423E2A

loc_423DB8:				; CODE XREF: .text:00423D44j
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_423DFF+2
		outsd
		insd

loc_423DC0:				; CODE XREF: .text:loc_423D6Bj
		insd
		popa
		outsb
		db	64h
		dec	esp

loc_423DC5:				; CODE XREF: .text:00423D51j
		imul	ebp, [esi+65h],	72701600h
		outsd
		arpl	[ebp+73h], sp

loc_423DD0:				; CODE XREF: .text:00423D6Dj
		jnb	short loc_423E25
		jz	short loc_423E35
		jb	short near ptr loc_423E48+2
		dec	ebx
		db	65h
		jns	short $+3

loc_423DDA:				; CODE XREF: .text:loc_423D99j
		adc	eax, 67616D69h
		db	65h
		dec	esi
		popa
		insd

loc_423DE3:				; CODE XREF: .text:00423D6Fj
		add	gs:[esi], dl
		jb	short near ptr loc_423E4C+1
		jno	short loc_423E5F
		imul	esi, [edx+65h],	67695364h
		outsb
		popa
		jz	short near ptr loc_423E68+2
		jb	short loc_423E5C
		dec	esp
		db	65h
		jbe	short near ptr loc_423E5F+1
		insb
		add	[ebx+esi*2], al

loc_423DFF:				; CODE XREF: .text:00423DAFj
					; .text:00423DBCj
		imul	esp, [edi+6Eh],	72757461h
		db	65h
		dec	esp
		db	65h
		jbe	short loc_423E70
		insb
		add	[esi+eax], al
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		dd offset unk_AA0000
; 

loc_423E1C:				; CODE XREF: .text:00423DB2j
					; .text:00423DA9j
		rol	byte ptr [eax],	43h
		outsd
		outsb
		jz	short near ptr loc_423E94+1
		outsd
		insb

loc_423E25:				; CODE XREF: .text:loc_423DD0j
		push	eax
		jb	short loc_423E97
		jz	short loc_423E8F

loc_423E2A:				; CODE XREF: .text:loc_423DB6j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		push	ebp
		jnb	short loc_423E97
		jb	short near ptr loc_423E7D+4
		outsd

loc_423E35:				; CODE XREF: .text:00423DD2j
		db	64h, 65h
		push	edx
		db	65h
		jz	short loc_423EB0
		jb	short near ptr loc_423EAA+1
		dec	ebp
		imul	esi, [ebx+6Dh],	68637461h
		add	[ebp+6Fh], ch

loc_423E48:				; CODE XREF: .text:00423DD4j
		db	64h
		add	gs:[eax], cl

loc_423E4C:				; CODE XREF: .text:00423DE6j
		jo	short loc_423EC0
		outsd
		arpl	[ebp+73h], sp
		jnb	short loc_423EA4
		popa
		jz	short loc_423EBF
		add	[esi], dl
		jo	short loc_423ECD
		outsd

loc_423E5C:				; CODE XREF: .text:00423DF5j
		arpl	[ebp+73h], sp

loc_423E5F:				; CODE XREF: .text:00423DE8j
					; .text:00423DF8j
		jnb	short loc_423EA4
		outsd
		insd
		insd
		popa
		outsb
		db	64h
		dec	esp

loc_423E68:				; CODE XREF: .text:00423DF3j
		imul	ebp, [esi+65h],	72701600h
		outsd

loc_423E70:				; CODE XREF: .text:00423E08j
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_423EC5+3
		jz	short near ptr loc_423ED7+1
		jb	short loc_423EED
		dec	ebx
		db	65h
		jns	short $+3

loc_423E7D:				; CODE XREF: .text:00423E32j
		adc	eax, 746E6F63h
		jb	short near ptr loc_423EF2+1
		insb
		push	eax
		arpl	[ecx+6Dh], cx
		popa
		db	67h, 65h
		dec	esi
		popa
		insd

loc_423E8F:				; CODE XREF: .text:00423E28j
		add	gs:[esi], dl
		jb	short loc_423F07

loc_423E94:				; CODE XREF: .text:00423E21j
		jo	short near ptr loc_423ED7+2
		outsd

loc_423E97:				; CODE XREF: .text:00423E26j
					; .text:00423E30j
		outsb
		jz	short loc_423EFF
		outsb
		jz	short loc_423F10
		dec	ecx
		insd
		popa
		db	67h, 65h
		dec	esi
		popa

loc_423EA4:				; CODE XREF: .text:00423E52j
					; .text:loc_423E5Fj
		insd
		add	gs:[esi], dl
		jnb	short loc_423F1E

loc_423EAA:				; CODE XREF: .text:00423E3Bj
		jb	short near ptr loc_423F10+5
		arpl	[ebp+ecx*2+6Fh], si

loc_423EB0:				; CODE XREF: .text:00423E38j
		db	64h
		add	gs:74726150h, cl
		inc	ecx
		pop	edi
		push	eax
		jb	short near ptr loc_423F23+3
		jbe	short near ptr loc_423F10+3

loc_423EBF:				; CODE XREF: .text:00423E55j
		popa

loc_423EC0:				; CODE XREF: .text:loc_423E4Cj
		db	67h
		jnb	near ptr 3EC3h
		or	al, [esi]

loc_423EC5:				; CODE XREF: .text:00423E73j
					; DATA XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+1F9o
		or	eax, large ds:100h
; 
		db 0
		db 0
; 

loc_423ECD:				; CODE XREF: .text:00423E59j
		and	[eax], al
		add	[eax+eax-40h], ah
		add	[ebp+6Eh], al

loc_423ED7:				; CODE XREF: .text:00423E75j
					; .text:loc_423E94j
		imul	esp, [ebp+64h],	656B6F54h
		outsb
		inc	ebx
		jb	short loc_423F47
		popa
		jz	short near ptr loc_423F4D+1
		outsd
		outsb
		add	[esi+75h], al
		insb
		insb
		dec	ecx

loc_423EED:				; CODE XREF: .text:00423E77j
		insd
		popa
		db	67h, 65h
		inc	esi

loc_423EF2:				; CODE XREF: .text:00423E82j
		imul	ebp, [ebp+4Eh],	656D61h
		push	ss
		push	eax
		popa
		jb	short near ptr loc_423F63+1

loc_423EFF:				; CODE XREF: .text:00423E98j
		outsb
		jz	short loc_423F45
		outsd
		insd
		insd
		popa
		outsb

loc_423F07:				; CODE XREF: .text:00423E92j
		db	64h
		dec	esp
		imul	ebp, [esi+65h],	68431600h

loc_423F10:				; CODE XREF: .text:00423E9Bj
					; .text:00423EBDj ...
		imul	ebp, [esp+49h],	6567616Dh
		push	eax
		popa
		jz	short loc_423F84
		dec	esi
		popa

loc_423F1E:				; CODE XREF: .text:00423EA8j
		insd
		add	gs:[esi], dl
		inc	ebx

loc_423F23:				; CODE XREF: .text:00423EBBj
		push	43646C69h
		outsd
		insd
		insd
		popa
		outsb
		db	64h
		dec	esp
		imul	ebp, [esi+65h],	0B061600h
					; DATA XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+643o
		add	eax, 0
; 
		db 0
		dd 4000h, 0C0008Ch
; 
		push	eax

loc_423F45:				; CODE XREF: .text:00423F00j
		jb	short loc_423FB6

loc_423F47:				; CODE XREF: .text:00423EE0j
		push	74696269h
		inc	ebx

loc_423F4D:				; CODE XREF: .text:00423EE3j
		push	50646C69h
		jb	short loc_423FC3
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_423F9B+1
		jb	short loc_423FC0
		popa
		jz	short loc_423FC7
		outsd
		outsb
		add	[ebp+6Fh], ch

loc_423F63:				; CODE XREF: .text:00423EFDj
		db	64h
		add	gs:[eax], cl
		jo	short near ptr loc_423FC7+3
		jb	short near ptr loc_423FCE+2
		outsb
		jz	short loc_423FB7
		insd
		popa
		db	67h, 65h
		push	eax
		popa
		jz	short loc_423FDE
		dec	esi
		popa
		insd
		add	gs:[esi], dl
		jo	short loc_423FDF
		jb	short loc_423FE5
		outsb
		jz	short near ptr loc_423FC5+1
		outsd

loc_423F84:				; CODE XREF: .text:00423F1Aj
		insd
		insd
		popa
		outsb
		db	64h
		dec	esp
		imul	ebp, [esi+65h],	61701600h
		jb	short loc_423FF8
		outsb
		jz	short loc_423FE6
		jb	short loc_424007
		arpl	[ebp+73h], sp

loc_423F9B:				; CODE XREF: .text:00423F57j
		jnb	short loc_423FF0
		jz	short loc_424000
		jb	short near ptr loc_424014+1
		dec	ebx
		db	65h
		jns	short $+3
		adc	eax, 6C696863h
		db	64h
		dec	ecx
		insd
		popa
		db	67h, 65h
		push	eax
		popa
		jz	short loc_42401C
		dec	esi
		popa

loc_423FB6:				; CODE XREF: .text:loc_423F45j
		insd

loc_423FB7:				; CODE XREF: .text:00423F6Cj
		add	gs:[esi], dl
		arpl	[eax+69h], bp
		insb
		db	64h
		inc	ebx

loc_423FC0:				; CODE XREF: .text:00423F59j
		outsd
		insd
		insd

loc_423FC3:				; CODE XREF: .text:00423F52j
		popa
		outsb

loc_423FC5:				; CODE XREF: .text:00423F81j
		db	64h
		dec	esp

loc_423FC7:				; CODE XREF: .text:00423F5Cj
					; .text:00423F67j
					; DATA XREF: ...
		imul	ebp, [esi+65h],	0B061600h

loc_423FCE:				; CODE XREF: .text:00423F69j
		add	eax, 0
; 
		db 0
		dd 4000h, 0C0005Dh
		db 50h,	72h
; 

loc_423FDE:				; CODE XREF: .text:00423F74j
		outsd

loc_423FDF:				; CODE XREF: .text:00423F7Cj
		push	74696269h
		dec	esp

loc_423FE5:				; CODE XREF: .text:00423F7Ej
		outsd

loc_423FE6:				; CODE XREF: .text:00423F94j
		ja	short loc_424031
		dec	esp
		dec	ecx
		insd
		popa
		db	67h, 65h
		dec	ebp
		popa

loc_423FF0:				; CODE XREF: .text:loc_423F9Bj
		jo	short $+2
		insd
		outsd
		db	64h
		add	gs:[eax], cl

loc_423FF8:				; CODE XREF: .text:00423F91j
		jo	short near ptr loc_424069+3
		outsd
		arpl	[ebp+73h], sp
		jnb	short loc_424050

loc_424000:				; CODE XREF: .text:00423F9Dj
		popa
		jz	short near ptr loc_424069+2
		add	[esi], dl
		jo	short loc_424079

loc_424007:				; CODE XREF: .text:00423F96j
		outsd
		arpl	[ebp+73h], sp
		jnb	short loc_424050
		outsd
		insd
		insd
		popa
		outsb
		db	64h
		dec	esp

loc_424014:				; CODE XREF: .text:00423F9Fj
		imul	ebp, [esi+65h],	72701600h
		outsd

loc_42401C:				; CODE XREF: .text:00423FB2j
		arpl	[ebp+73h], sp
		jnb	short loc_424074
		jz	short near ptr loc_424083+1
		jb	short loc_424099
		dec	ebx
		db	65h
		jns	short $+3
		adc	eax, 67616D69h
		db	65h
		dec	esi
		popa

loc_424031:				; CODE XREF: .text:loc_423FE6j
		insd
		add	gs:[esi], dl
		push	es

loc_424036:				; DATA XREF: EtwpSendDataBlock+11FED3o
		or	eax, ds:80000h
; 
		dd 200000h, 80004500h, 72654B00h, 436C656Eh, 626C6C61h
; 

loc_424050:				; CODE XREF: .text:00423FFEj
					; .text:0042400Bj
		popa
		arpl	[ebx+54h], bp
		imul	ebp, [ebp+69h],	5000676Eh
		popa
		jb	short near ptr loc_4240CF+3
		inc	ecx
		pop	edi
		push	eax
		jb	short loc_4240CC
		jbe	short loc_4240B9
		popa
		db	67h
		jnb	near ptr 4069h

loc_424069:				; CODE XREF: .text:00424001j
					; .text:loc_423FF8j
		or	al, [ebp+esi*2+72h]
		popa
		jz	short loc_4240D9
		outsd
		outsb
		dec	ecx
		outsb

loc_424074:				; CODE XREF: .text:0042401Fj
		dec	ebp
		push	ebx
		add	[ecx], cl
		push	eax

loc_424079:				; CODE XREF: .text:00424005j
		jb	short loc_4240EA
		jbe	short near ptr loc_4240E1+5
		db	64h, 65h
		jb	short near ptr loc_4240C6+2
		jnz	short near ptr loc_4240EB+1

loc_424083:				; CODE XREF: .text:00424021j
		add	fs:[edi], cl
		push	es

loc_424087:				; DATA XREF: EtwTraceAdminlessAccessFailure(x,x,x,x)+327o
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		dd 3C0000h, 694C0080h
		db 6Eh
; 

loc_424099:				; CODE XREF: .text:00424023j
		imul	esp, [ebp+64h],	54h
		outsd
		imul	esp, [ebp+6Eh],	51h
		jnz	short near ptr loc_424108+1
		jb	short near ptr loc_42411E+1
		add	[ebp+6Fh], ch
		db	64h
		add	gs:[eax], cl
		db	66h
		jnz	short near ptr loc_42411A+2
		insb
		push	eax
		jb	short loc_424123
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_424101+1

loc_4240B9:				; CODE XREF: .text:00424063j
		insd
		popa
		db	67h, 65h
		dec	esi
		popa
		insd
		add	gs:[esi], dl
		jnb	short near ptr loc_424137+2
		popa

loc_4240C6:				; CODE XREF: .text:0042407Dj
		arpl	[ebx+48h], bp
		popa
		jnb	short loc_424134

loc_4240CC:				; CODE XREF: .text:00424061j
		add	[eax], cl
		push	es

loc_4240CF:				; CODE XREF: .text:0042405Cj
					; DATA XREF: EtwTraceAdminlessAccessFailure(x,x,x,x)+162o
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		db 0
; 

loc_4240D9:				; CODE XREF: .text:0042406Ej
		add	[eax+0], ah
		add	byte ptr [eax],	41h
		db	64h
		insd

loc_4240E1:				; CODE XREF: .text:0042407Bj
		imul	ebp, [esi+41h],	73656363h
		jnb	short loc_424137

loc_4240EA:				; CODE XREF: .text:loc_424079j
		popa

loc_4240EB:				; CODE XREF: .text:00424081j
		js	short near ptr loc_42412C+2
		insb
		insb
		outsd
		ja	short near ptr loc_424156+1
		db	64h
		inc	esp
		imul	esp, [esi+66h],	737265h
		insd
		outsd
		db	64h
		add	gs:[eax], cl

loc_424101:				; CODE XREF: .text:004240B7j
		db	66h
		jnz	short loc_424170
		insb
		push	eax
		jb	short loc_424177

loc_424108:				; CODE XREF: .text:004240A2j
		arpl	[ebp+73h], sp
		jnb	short loc_424156
		insd
		popa
		db	67h, 65h
		dec	esi
		popa
		insd
		add	gs:[esi], dl
		jnb	short loc_42418D
		popa

loc_42411A:				; CODE XREF: .text:004240ADj
		arpl	[ebx+48h], bp
		popa

loc_42411E:				; CODE XREF: .text:004240A4j
		jnb	short near ptr loc_424186+2
		add	[eax], cl
		popa

loc_424123:				; CODE XREF: .text:004240B2j
		db	64h
		insd
		imul	ebp, [esi+6Ch],	41737365h

loc_42412C:				; CODE XREF: .text:loc_4240EBj
		arpl	[ebx+65h], sp
		jnb	short near ptr loc_4241A3+1
		inc	edi
		jb	short loc_424195

loc_424134:				; CODE XREF: .text:004240CAj
		outsb
		jz	short near ptr loc_424196+6

loc_424137:				; CODE XREF: .text:004240E8j
					; .text:004240C3j
		add	fs:[eax], cl
		push	es

loc_42413B:				; DATA XREF: EtwTraceAdminlessAccessFailure(x,x,x,x)+247o
		or	eax, large ds:0
; 
		db 2 dup(0), 40h
		dd 3F0000h, 64410080h, 416E696Dh, 73656363h
; 
		jnb	short loc_4241A8

loc_424156:				; CODE XREF: .text:0042410Bj
					; .text:004240F0j
		db	65h
		jno	short loc_4241CE
		imul	esi, [edx+65h],	6F6D0064h
		db	64h
		add	gs:[eax], cl
		db	66h
		jnz	short loc_4241D3
		insb
		push	eax
		jb	short loc_4241DA
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_4241B8+1

loc_424170:				; CODE XREF: .text:loc_424101j
		insd
		popa
		db	67h, 65h
		dec	esi
		popa
		insd

loc_424177:				; CODE XREF: .text:00424106j
		add	gs:[esi], dl
		jnb	short near ptr loc_4241EC+4
		popa
		arpl	[ebx+48h], bp
		popa
		jnb	short loc_4241EB
		add	[eax], cl
		push	es

loc_424186:				; CODE XREF: .text:loc_42411Ej
					; DATA XREF: ExpGetSystemFirmwareTableInformation+130238o
		or	eax, large ds:0
; 
		db 0
; 

loc_42418D:				; CODE XREF: .text:00424117j
		add	[eax], ah
; 
		db 0
		dd 80003100h
		db 0
; 

loc_424195:				; CODE XREF: .text:00424132j
		inc	esi

loc_424196:				; CODE XREF: .text:00424135j
		imul	esi, [edx+6Dh],	65726177h
		push	esp
		popa
		bound	ebp, [ebp+41h]

loc_4241A3:				; CODE XREF: .text:0042412Fj
		arpl	[ebx+65h], sp
		jnb	short near ptr loc_424216+5

loc_4241A8:				; CODE XREF: .text:00424154j
		inc	esp
		outs	dx, byte ptr gs:[esi]
		imul	esp, [ebp+64h],	6F725000h
		jbe	short loc_42421D
		db	64h, 65h
		jb	short near ptr loc_424209+2

loc_4241B8:				; CODE XREF: .text:0042416Ej
		imul	esp, [edi+6Eh],	72757461h
		add	gs:[eax], cl
		push	es

loc_4241C3:				; DATA XREF: ExpLogRefreshTimeZoneInformationQueryFail(x,x)+C1o
		or	eax, large ds:0
; 
		db 3 dup(0)
		db 2 dup(0)
; 

loc_4241CE:				; CODE XREF: .text:loc_424156j
		mov	es, word ptr [eax]
		add	byte ptr [eax],	52h

loc_4241D3:				; CODE XREF: .text:00424164j
		db	65h, 66h
		jb	short near ptr loc_424238+4
		jnb	short near ptr loc_42423F+2
		push	esp

loc_4241DA:				; CODE XREF: .text:00424169j
		imul	ebp, [ebp+65h],	656E6F5Ah
		dec	ecx
		outsb
		outsw
		push	ecx
		jnz	short loc_42424D
		jb	short near ptr byte_424263
		inc	esi

loc_4241EB:				; CODE XREF: .text:00424181j
		popa

loc_4241EC:				; CODE XREF: .text:0042417Aj
		imul	ebp, [eax+eax+46h], 756C6961h
		jb	short near ptr loc_424259+2
		and	[ebx+74h], dh
		popa
		jz	short near ptr loc_42426D+4
		jnb	short $+2
		mov	[esi], cl
		push	edx
		db	65h, 66h
		jb	short loc_42426A
		jnb	short near ptr loc_42426D+2
		inc	esi
		popa

loc_424209:				; CODE XREF: .text:004241B4j
		imul	ebp, [ebp+esi*2+72h], 8007365h
		dec	esp
		popa
		jnb	short near ptr loc_424287+2
		push	esp

loc_424216:				; CODE XREF: .text:004241A6j
		imul	ebp, [ebp+65h],	656E6F5Ah

loc_42421D:				; CODE XREF: .text:004241B2j
		inc	edx
		imul	esp, [ecx+73h],	614C0700h
		jnb	short near ptr loc_424298+3
		push	esp
		imul	ebp, [ebp+65h],	656E6F5Ah
		dec	ecx
		add	fs:[edi], al
		push	edx
		db	65h
		popa
		insb
		push	esp

loc_424238:				; CODE XREF: .text:loc_4241D3j
		imul	ebp, [ebp+65h],	6E557349h

loc_42423F:				; CODE XREF: .text:004241D7j
		imul	esi, [esi+65h],	6C617372h
		add	[ebx+eax+73726946h], al

loc_42424D:				; CODE XREF: .text:004241E6j
		jz	short near ptr loc_42429E+5
		imul	ebp, [ebp+65h],	72666552h
		db	65h
		jnb	short loc_4242C1

loc_424259:				; CODE XREF: .text:004241F4j
					; DATA XREF: ExLogTimeZoneInformation()+1BDo
		add	[ebx+eax+50B06h], al
; 
		db 3 dup(0)
byte_424263	db 0			; CODE XREF: .text:004241E8j
		align 8
		db 42h,	2
; 

loc_42426A:				; CODE XREF: .text:00424201j
		add	byte ptr [eax],	54h

loc_42426D:				; CODE XREF: .text:00424205j
					; .text:004241FAj
		imul	ebp, [ebp+65h],	656E6F5Ah
		dec	ecx
		outsb
		outsw
		jb	short near ptr loc_4242E6+1
		popa
		jz	short loc_4242E6
		outsd
		outsb
		inc	ecx
		jz	short near ptr loc_4242C2+2
		outsd
		outsd
		jz	short $+2
		push	edx

loc_424287:				; CODE XREF: .text:00424213j
		db	65h, 66h
		jb	short loc_4242F0
		jnb	short near ptr loc_4242F4+1
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 8007365h
		inc	ecx

loc_424298:				; CODE XREF: .text:00424225j
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp

loc_42429E:				; CODE XREF: .text:loc_42424Dj
		imul	ebp, [ebp+65h],	656E6F5Ah
		inc	edx
		imul	esp, [ecx+73h],	63410700h
		jz	short near ptr loc_424317+1
		jbe	short near ptr loc_424310+6
		push	esp
		imul	ebp, [ebp+65h],	656E6F5Ah
		dec	ecx
		add	fs:[edi], al
		push	edx
		db	65h
		popa
		insb

loc_4242C1:				; CODE XREF: .text:00424256j
		push	esp

loc_4242C2:				; CODE XREF: .text:00424280j
		imul	ebp, [ebp+65h],	6E557349h
		imul	esi, [esi+65h],	6C617372h
		add	[ebx+eax+7478654Eh], al
		inc	ebx
		jnz	short near ptr loc_424349+5
		outsd
		jbe	short loc_424342
		jb	short loc_424328
		outsb
		dec	esp
		outsd
		arpl	[ecx+6Ch], sp
		push	esp

loc_4242E6:				; CODE XREF: .text:0042427Bj
					; .text:00424278j
		imul	ebp, [ebp+65h],	69540A00h
		insd
		db	65h
		pop	edx

loc_4242F0:				; CODE XREF: .text:loc_424287j
		outsd
		outsb
		db	65h
		dec	ebx

loc_4242F4:				; CODE XREF: .text:0042428Bj
		db	65h
		jns	short loc_424345
		popa
		insd
		add	gs:[ecx], al
		inc	esp
		jns	short loc_42436D
		popa
		insd
		imul	esp, [ebx+44h],	696C7961h
		db	67h
		push	6D695474h
		db	65h
		inc	esp

loc_424310:				; CODE XREF: .text:004242AFj
		imul	esi, [ebx+61h],	64656C62h

loc_424317:				; CODE XREF: .text:004242ADj
		add	[ebx+eax+73616942h], al
		add	[edi], al
		push	ebx
		jz	short loc_424384
		outsb
		db	64h
		popa
		jb	short near ptr loc_42438B+1

loc_424328:				; CODE XREF: .text:004242DDj
		inc	edx
		imul	esp, [ecx+73h],	61440700h
		jns	short loc_42439E
		imul	esp, [edi+68h],	61694274h
		jnb	short $+2
		pop	es
		push	ebx
		jz	short loc_4243A0
		outsb
		db	64h
		popa

loc_424342:				; CODE XREF: .text:004242DBj
		jb	short near ptr loc_4243A6+2
		push	ebx

loc_424345:				; CODE XREF: .text:loc_4242F4j
		jz	short near ptr loc_4243A6+2
		jb	short near ptr loc_4243BB+2

loc_424349:				; CODE XREF: .text:004242D8j
		add	[eax+61745308h], bl
		outsb
		db	64h
		popa
		jb	short loc_4243B8
		push	ebx
		jz	short loc_4243B8
		jb	short loc_4243CD
		pop	ecx
		db	65h
		popa
		jb	short $+2
		push	es
		push	ebx
		jz	short loc_4243C3
		outsb
		db	64h
		popa
		jb	short loc_4243CB
		push	ebx
		jz	short loc_4243CB
		jb	short loc_4243E0
		dec	ebp

loc_42436D:				; CODE XREF: .text:004242FDj
		outsd
		outsb
		jz	short loc_4243D9
		add	[esi], al
		push	ebx
		jz	short near ptr loc_4243D0+7
		outsb
		db	64h
		popa
		jb	short near ptr loc_4243DE+1
		push	ebx
		jz	short near ptr loc_4243DE+1
		jb	short loc_4243F4
		inc	esp
		popa
		jns	short $+2

loc_424384:				; CODE XREF: .text:00424321j
		push	es
		push	ebx
		jz	short near ptr loc_4243E8+1
		outsb
		db	64h
		popa

loc_42438B:				; CODE XREF: .text:00424326j
		jb	short near ptr loc_4243EB+6
		push	ebx
		jz	short near ptr loc_4243EB+6
		jb	short loc_424406
		dec	eax
		outsd
		jnz	short near ptr loc_424407+1
		add	[esi], al
		push	ebx
		jz	short near ptr loc_4243F7+5
		outsb
		db	64h
		popa

loc_42439E:				; CODE XREF: .text:00424330j
		jb	short near ptr loc_424400+4

loc_4243A0:				; CODE XREF: .text:0042433Dj
		push	ebx
		jz	short near ptr loc_424400+4
		jb	short near ptr loc_424418+1
		dec	ebp

loc_4243A6:				; CODE XREF: .text:loc_424342j
					; .text:loc_424345j
		imul	ebp, [esi+75h],	6006574h
		push	ebx
		jz	short loc_424411
		outsb
		db	64h
		popa
		jb	short near ptr loc_424418+1
		push	ebx
		jz	short near ptr loc_424418+1

loc_4243B8:				; CODE XREF: .text:00424352j
					; .text:00424355j
		jb	short loc_42442E
		push	ebx

loc_4243BB:				; CODE XREF: .text:00424347j
		arpl	gs:[edi+6Eh], bp
		add	fs:[esi], al
		push	ebx

loc_4243C3:				; CODE XREF: .text:00424360j
		jz	short loc_424426
		outsb
		db	64h
		popa
		jb	short loc_42442E
		push	ebx

loc_4243CB:				; CODE XREF: .text:00424365j
					; .text:00424368j
		jz	short loc_42442E

loc_4243CD:				; CODE XREF: .text:00424357j
		jb	short near ptr loc_424440+3
		dec	ebp

loc_4243D0:				; CODE XREF: .text:00424374j
		imul	ebp, [esp+ebp*2+69h], 6F636573h
		outsb

loc_4243D9:				; CODE XREF: .text:0042436Fj
		db	64h
		jnb	short $+3
		push	es
		push	ebx

loc_4243DE:				; CODE XREF: .text:00424379j
					; .text:0042437Cj
		jz	short near ptr loc_424440+1

loc_4243E0:				; CODE XREF: .text:0042436Aj
		outsb
		db	64h
		popa
		jb	short loc_424449
		push	ebx
		jz	short loc_424449

loc_4243E8:				; CODE XREF: .text:00424386j
		jb	short near ptr loc_42445D+1
		push	edi

loc_4243EB:				; CODE XREF: .text:loc_42438Bj
					; .text:0042438Ej
		db	65h
		imul	esp, gs:[ecx+79h], 0
		push	es
		inc	esp

loc_4243F4:				; CODE XREF: .text:0042437Ej
		popa
		jns	short near ptr loc_42445D+6

loc_4243F7:				; CODE XREF: .text:00424399j
		imul	esp, [edi+68h],	61745374h
		jb	short near ptr loc_424472+2

loc_424400:				; CODE XREF: .text:loc_42439Ej
					; .text:004243A1j
		add	[eax+79614408h], bl

loc_424406:				; CODE XREF: .text:00424390j
		insb

loc_424407:				; CODE XREF: .text:00424394j
		imul	esp, [edi+68h],	61745374h
		jb	short loc_424484
		pop	ecx

loc_424411:				; CODE XREF: .text:004243AEj
		db	65h
		popa
		jb	short $+2
		push	es
		inc	esp
		popa

loc_424418:				; CODE XREF: .text:004243A3j
					; .text:004243B3j ...
		jns	short loc_424486
		imul	esp, [edi+68h],	61745374h
		jb	short near ptr loc_424496+1
		dec	ebp
		outsd
		outsb

loc_424426:				; CODE XREF: .text:loc_4243C3j
		jz	short loc_424490
		add	[esi], al
		inc	esp
		popa
		jns	short near ptr loc_424498+2

loc_42442E:				; CODE XREF: .text:loc_4243B8j
					; .text:004243C8j ...
		imul	esp, [edi+68h],	61745374h
		jb	short loc_4244AB
		inc	esp
		popa
		jns	short $+2
		push	es
		inc	esp
		popa
		jns	short near ptr loc_4244AB+1

loc_424440:				; CODE XREF: .text:loc_4243DEj
					; .text:loc_4243CDj
		imul	esp, [edi+68h],	61745374h
		jb	short loc_4244BD

loc_424449:				; CODE XREF: .text:004243E3j
					; .text:004243E6j
		dec	eax
		outsd
		jnz	short loc_4244BF
		add	[esi], al
		inc	esp
		popa
		jns	short loc_4244BF
		imul	esp, [edi+68h],	61745374h
		jb	short loc_4244D0
		dec	ebp

loc_42445D:				; CODE XREF: .text:loc_4243E8j
					; .text:004243F5j
		imul	ebp, [esi+75h],	6006574h
		inc	esp
		popa
		jns	short near ptr loc_4244D3+1
		imul	esp, [edi+68h],	61745374h
		jb	short near ptr loc_4244DE+7
		push	ebx

loc_424472:				; CODE XREF: .text:004243FEj
		arpl	gs:[edi+6Eh], bp
		add	fs:[esi], al
		inc	esp
		popa
		jns	short near ptr loc_4244E7+2
		imul	esp, [edi+68h],	61745374h

loc_424484:				; CODE XREF: .text:0042440Ej
		jb	short near ptr loc_4244F5+5

loc_424486:				; CODE XREF: .text:loc_424418j
		dec	ebp
		imul	ebp, [esp+ebp*2+69h], 6F636573h
		outsb

loc_424490:				; CODE XREF: .text:loc_424426j
		db	64h
		jnb	short $+3
		push	es
		inc	esp
		popa

loc_424496:				; CODE XREF: .text:00424421j
		jns	short near ptr loc_424501+3

loc_424498:				; CODE XREF: .text:0042442Cj
		imul	esp, [edi+68h],	61745374h
		jb	short near ptr loc_424511+4
		push	edi
		db	65h
		imul	esp, gs:[ecx+79h], 0
		push	es
		push	es

loc_4244AB:				; CODE XREF: .text:00424435j
					; .text:0042443Ej
					; DATA XREF: ...
		or	eax, large ds:0
; 
		db 3 dup(0)
		dd 2900000h, 65520080h
		db 66h
; 

loc_4244BD:				; CODE XREF: .text:00424447j
		jb	short near ptr loc_42451F+5

loc_4244BF:				; CODE XREF: .text:0042444Bj
					; .text:00424451j
		jnb	short near ptr loc_424528+1
		push	esp
		imul	ebp, [ebp+65h],	656E6F5Ah
		dec	ecx
		outsb
		outsw
		push	ebx
		jnz	short near ptr loc_424532+1

loc_4244D0:				; CODE XREF: .text:0042445Aj
		arpl	[ebp+73h], sp

loc_4244D3:				; CODE XREF: .text:00424466j
		jnb	short $+2
		push	edx
		db	65h, 66h
		jb	short loc_42453F
		jnb	short near ptr loc_424543+1
		inc	esi
		popa

loc_4244DE:				; CODE XREF: .text:0042446Fj
		imul	ebp, [ebp+esi*2+72h], 8007365h
		inc	ecx

loc_4244E7:				; CODE XREF: .text:0042447Bj
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	esp
		imul	ebp, [ebp+65h],	656E6F5Ah
		inc	edx

loc_4244F5:				; CODE XREF: .text:loc_424484j
		imul	esp, [ecx+73h],	63410700h
		jz	short near ptr loc_424566+1
		jbe	short loc_424565
		push	esp

loc_424501:				; CODE XREF: .text:loc_424496j
		imul	ebp, [ebp+65h],	656E6F5Ah
		dec	ecx
		add	fs:[edi], al
		push	edx
		db	65h
		popa
		insb
		push	esp

loc_424511:				; CODE XREF: .text:0042449Fj
		imul	ebp, [ebp+65h],	6E557349h
		imul	esi, [esi+65h],	6C617372h

loc_42451F:				; CODE XREF: .text:loc_4244BDj
		add	[ebx+eax+73726946h], al
		jz	short loc_42457C

loc_424528:				; CODE XREF: .text:loc_4244BFj
		imul	ebp, [ebp+65h],	72666552h
		db	65h
		jnb	short near ptr loc_424599+1

loc_424532:				; CODE XREF: .text:004244CEj
		add	[ebx+eax+6E617453h], al
		db	64h
		popa
		jb	short near ptr loc_42459D+4
		inc	edx
		outsd

loc_42453F:				; CODE XREF: .text:004244D6j
		jnz	short near ptr loc_4245AC+3
		db	64h
		popa

loc_424543:				; CODE XREF: .text:004244DAj
		jb	short near ptr loc_4245BD+1
		dec	ecx
		outsb
		dec	esp
		outsd
		arpl	[ecx+6Ch], sp
		push	esp
		imul	ebp, [ebp+65h],	61440A00h
		jns	short loc_4245C2
		imul	esp, [edi+68h],	756F4274h
		outsb
		db	64h
		popa
		jb	short loc_4245DB
		dec	ecx
		outsb
		dec	esp

loc_424565:				; CODE XREF: .text:004244FEj
		outsd

loc_424566:				; CODE XREF: .text:004244FCj
		arpl	[ecx+6Ch], sp
		push	esp
		imul	ebp, [ebp+65h],	654E0A00h
		js	short near ptr loc_4245E5+2
		inc	ebx
		jnz	short near ptr loc_4245E5+5
		outsd
		jbe	short loc_4245DE
		jb	short loc_4245C4
		outsb

loc_42457C:				; CODE XREF: .text:00424526j
		dec	esp
		outsd
		arpl	[ecx+6Ch], sp
		push	esp
		imul	ebp, [ebp+65h],	69540A00h
		insd
		db	65h
		pop	edx
		outsd
		outsb
		db	65h
		dec	ebx
		db	65h
		jns	short loc_4245E1
		popa
		insd
		add	gs:[ecx], al
		inc	esp

loc_424599:				; CODE XREF: .text:0042452Fj
		jns	short loc_424609
		popa
		insd

loc_42459D:				; CODE XREF: .text:0042453Bj
		imul	esp, [ebx+44h],	696C7961h
		db	67h
		push	6D695474h
		db	65h
		inc	esp

loc_4245AC:				; CODE XREF: .text:loc_42453Fj
		imul	esi, [ebx+61h],	64656C62h
		add	[ebx+eax+73616942h], al
		add	[edi], al
		push	ebx

loc_4245BD:				; CODE XREF: .text:loc_424543j
		jz	short loc_424620
		outsb
		db	64h
		popa

loc_4245C2:				; CODE XREF: .text:00424554j
		jb	short near ptr loc_424627+1

loc_4245C4:				; CODE XREF: .text:00424579j
		inc	edx
		imul	esp, [ecx+73h],	61440700h
		jns	short loc_42463A
		imul	esp, [edi+68h],	61694274h
		jnb	short $+2
		pop	es
		push	ebx
		jz	short loc_42463C

loc_4245DB:				; CODE XREF: .text:00424560j
		outsb
		db	64h
		popa

loc_4245DE:				; CODE XREF: .text:00424577j
		jb	short near ptr loc_424642+2
		push	ebx

loc_4245E1:				; CODE XREF: .text:00424590j
		jz	short near ptr loc_424642+2
		jb	short near ptr loc_424657+2

loc_4245E5:				; CODE XREF: .text:00424571j
					; .text:00424574j
		add	[eax+61745308h], bl
		outsb
		db	64h
		popa
		jb	short loc_424654
		push	ebx
		jz	short loc_424654
		jb	short loc_424669
		pop	ecx
		db	65h
		popa
		jb	short $+2
		push	es
		push	ebx
		jz	short loc_42465F
		outsb
		db	64h
		popa
		jb	short loc_424667
		push	ebx
		jz	short loc_424667
		jb	short loc_42467C
		dec	ebp

loc_424609:				; CODE XREF: .text:loc_424599j
		outsd
		outsb
		jz	short loc_424675
		add	[esi], al
		push	ebx
		jz	short near ptr loc_42466C+7
		outsb
		db	64h
		popa
		jb	short near ptr loc_42467A+1
		push	ebx
		jz	short near ptr loc_42467A+1
		jb	short loc_424690
		inc	esp
		popa
		jns	short $+2

loc_424620:				; CODE XREF: .text:loc_4245BDj
		push	es
		push	ebx
		jz	short near ptr loc_424684+1
		outsb
		db	64h
		popa

loc_424627:				; CODE XREF: .text:loc_4245C2j
		jb	short near ptr loc_424687+6
		push	ebx
		jz	short near ptr loc_424687+6
		jb	short loc_4246A2
		dec	eax
		outsd
		jnz	short near ptr loc_4246A3+1
		add	[esi], al
		push	ebx
		jz	short near ptr loc_424693+5
		outsb
		db	64h
		popa

loc_42463A:				; CODE XREF: .text:004245CCj
		jb	short near ptr loc_42469C+4

loc_42463C:				; CODE XREF: .text:004245D9j
		push	ebx
		jz	short near ptr loc_42469C+4
		jb	short near ptr loc_4246B4+1
		dec	ebp

loc_424642:				; CODE XREF: .text:loc_4245DEj
					; .text:loc_4245E1j
		imul	ebp, [esi+75h],	6006574h
		push	ebx
		jz	short loc_4246AD
		outsb
		db	64h
		popa
		jb	short near ptr loc_4246B4+1
		push	ebx
		jz	short near ptr loc_4246B4+1

loc_424654:				; CODE XREF: .text:004245EEj
					; .text:004245F1j
		jb	short loc_4246CA
		push	ebx

loc_424657:				; CODE XREF: .text:004245E3j
		arpl	gs:[edi+6Eh], bp
		add	fs:[esi], al
		push	ebx

loc_42465F:				; CODE XREF: .text:004245FCj
		jz	short loc_4246C2
		outsb
		db	64h
		popa
		jb	short loc_4246CA
		push	ebx

loc_424667:				; CODE XREF: .text:00424601j
					; .text:00424604j
		jz	short loc_4246CA

loc_424669:				; CODE XREF: .text:004245F3j
		jb	short near ptr loc_4246DC+3
		dec	ebp

loc_42466C:				; CODE XREF: .text:00424610j
		imul	ebp, [esp+ebp*2+69h], 6F636573h
		outsb

loc_424675:				; CODE XREF: .text:0042460Bj
		db	64h
		jnb	short $+3
		push	es
		push	ebx

loc_42467A:				; CODE XREF: .text:00424615j
					; .text:00424618j
		jz	short near ptr loc_4246DC+1

loc_42467C:				; CODE XREF: .text:00424606j
		outsb
		db	64h
		popa
		jb	short loc_4246E5
		push	ebx
		jz	short loc_4246E5

loc_424684:				; CODE XREF: .text:00424622j
		jb	short near ptr loc_4246F9+1
		push	edi

loc_424687:				; CODE XREF: .text:loc_424627j
					; .text:0042462Aj
		db	65h
		imul	esp, gs:[ecx+79h], 0
		push	es
		inc	esp

loc_424690:				; CODE XREF: .text:0042461Aj
		popa
		jns	short near ptr loc_4246F9+6

loc_424693:				; CODE XREF: .text:00424635j
		imul	esp, [edi+68h],	61745374h
		jb	short near ptr loc_42470E+2

loc_42469C:				; CODE XREF: .text:loc_42463Aj
					; .text:0042463Dj
		add	[eax+79614408h], bl

loc_4246A2:				; CODE XREF: .text:0042462Cj
		insb

loc_4246A3:				; CODE XREF: .text:00424630j
		imul	esp, [edi+68h],	61745374h
		jb	short loc_424720
		pop	ecx

loc_4246AD:				; CODE XREF: .text:0042464Aj
		db	65h
		popa
		jb	short $+2
		push	es
		inc	esp
		popa

loc_4246B4:				; CODE XREF: .text:0042463Fj
					; .text:0042464Fj ...
		jns	short loc_424722
		imul	esp, [edi+68h],	61745374h
		jb	short near ptr loc_424732+1
		dec	ebp
		outsd
		outsb

loc_4246C2:				; CODE XREF: .text:loc_42465Fj
		jz	short loc_42472C
		add	[esi], al
		inc	esp
		popa
		jns	short near ptr loc_424734+2

loc_4246CA:				; CODE XREF: .text:loc_424654j
					; .text:00424664j ...
		imul	esp, [edi+68h],	61745374h
		jb	short loc_424747
		inc	esp
		popa
		jns	short $+2
		push	es
		inc	esp
		popa
		jns	short near ptr loc_424747+1

loc_4246DC:				; CODE XREF: .text:loc_42467Aj
					; .text:loc_424669j
		imul	esp, [edi+68h],	61745374h
		jb	short loc_424759

loc_4246E5:				; CODE XREF: .text:0042467Fj
					; .text:00424682j
		dec	eax
		outsd
		jnz	short loc_42475B
		add	[esi], al
		inc	esp
		popa
		jns	short loc_42475B
		imul	esp, [edi+68h],	61745374h
		jb	short loc_42476C
		dec	ebp

loc_4246F9:				; CODE XREF: .text:loc_424684j
					; .text:00424691j
		imul	ebp, [esi+75h],	6006574h
		inc	esp
		popa
		jns	short near ptr loc_42476F+1
		imul	esp, [edi+68h],	61745374h
		jb	short near ptr loc_42477F+2
		push	ebx

loc_42470E:				; CODE XREF: .text:0042469Aj
		arpl	gs:[edi+6Eh], bp
		add	fs:[esi], al
		inc	esp
		popa
		jns	short near ptr loc_424782+3
		imul	esp, [edi+68h],	61745374h

loc_424720:				; CODE XREF: .text:004246AAj
		jb	short loc_424796

loc_424722:				; CODE XREF: .text:loc_4246B4j
		dec	ebp
		imul	ebp, [esp+ebp*2+69h], 6F636573h
		outsb

loc_42472C:				; CODE XREF: .text:loc_4246C2j
		db	64h
		jnb	short $+3
		push	es
		inc	esp
		popa

loc_424732:				; CODE XREF: .text:004246BDj
		jns	short near ptr loc_42479F+1

loc_424734:				; CODE XREF: .text:004246C8j
		imul	esp, [edi+68h],	61745374h
		jb	short loc_4247B1
		push	edi
		db	65h
		imul	esp, gs:[ecx+79h], 0
		push	es
		push	es

loc_424747:				; CODE XREF: .text:004246D1j
					; .text:004246DAj
					; DATA XREF: ...
		or	eax, large ds:0
; 
		db 3 dup(0)
		dd 2670000h, 65520080h
		db 66h
; 

loc_424759:				; CODE XREF: .text:004246E3j
		jb	short loc_4247C0

loc_42475B:				; CODE XREF: .text:004246E7j
					; .text:004246EDj
		jnb	short near ptr loc_4247C0+5
		push	esp
		imul	ebp, [ebp+65h],	656E6F5Ah
		dec	ecx
		outsb
		outsw
		inc	ebx
		jnz	short near ptr loc_4247DA+6

loc_42476C:				; CODE XREF: .text:004246F6j
		outsd
		jbe	short near ptr loc_4247D0+4

loc_42476F:				; CODE XREF: .text:00424702j
		jb	short loc_4247B7
		popa
		imul	ebp, [eax+eax+45h], 52746978h
		db	65h
		popa
		jnb	short loc_4247ED
		outsb

loc_42477F:				; CODE XREF: .text:0042470Bj
		add	[edx+edx*2], al

loc_424782:				; CODE XREF: .text:00424717j
		db	65h, 66h
		jb	short loc_4247EB
		jnb	short loc_4247F0
		inc	esi
		popa
		imul	ebp, [ebp+esi*2+72h], 8007365h
		dec	esp
		popa
		jnb	short near ptr loc_424808+2

loc_424796:				; CODE XREF: .text:loc_424720j
		push	esp
		imul	ebp, [ebp+65h],	656E6F5Ah
		inc	edx

loc_42479F:				; CODE XREF: .text:loc_424732j
		imul	esp, [ecx+73h],	614C0700h
		jnb	short near ptr loc_424817+5
		push	esp
		imul	ebp, [ebp+65h],	656E6F5Ah
		dec	ecx

loc_4247B1:				; CODE XREF: .text:0042473Bj
		add	fs:[edi], al
		push	edx
		db	65h
		popa

loc_4247B7:				; CODE XREF: .text:loc_42476Fj
		insb
		push	esp
		imul	ebp, [ebp+65h],	6E557349h

loc_4247C0:				; CODE XREF: .text:loc_424759j
					; .text:loc_42475Bj
		imul	esi, [esi+65h],	6C617372h
		add	[ebx+eax+73726946h], al
		jz	short near ptr loc_42481F+5

loc_4247D0:				; CODE XREF: .text:0042476Dj
		imul	ebp, [ebp+65h],	72666552h
		db	65h
		jnb	short near ptr loc_424841+1

loc_4247DA:				; CODE XREF: .text:0042476Aj
		add	[ebx+eax+6E617453h], al
		db	64h
		popa
		jb	short near ptr loc_424848+1
		inc	edx
		outsd
		jnz	short near ptr loc_424856+1
		db	64h
		popa

loc_4247EB:				; CODE XREF: .text:loc_424782j
		jb	short loc_424866

loc_4247ED:				; CODE XREF: .text:0042477Cj
		dec	ecx
		outsb
		dec	esp

loc_4247F0:				; CODE XREF: .text:00424786j
		outsd
		arpl	[ecx+6Ch], sp
		push	esp
		imul	ebp, [ebp+65h],	69540A00h
		insd
		db	65h
		pop	edx
		outsd
		outsb
		db	65h
		dec	ebx
		db	65h
		jns	short loc_424854
		popa
		insd

loc_424808:				; CODE XREF: .text:00424794j
		add	gs:[ecx], al
		inc	esp
		jns	short loc_42487C
		popa
		insd
		imul	esp, [ebx+44h],	696C7961h

loc_424817:				; CODE XREF: .text:004247A6j
		db	67h
		push	6D695474h
		db	65h
		inc	esp

loc_42481F:				; CODE XREF: .text:004247CEj
		imul	esi, [ebx+61h],	64656C62h
		add	[ebx+eax+73616942h], al
		add	[edi], al
		push	ebx
		jz	short loc_424893
		outsb
		db	64h
		popa
		jb	short near ptr loc_42489A+1
		inc	edx
		imul	esp, [ecx+73h],	61440700h
		jns	short loc_4248AD

loc_424841:				; CODE XREF: .text:004247D7j
		imul	esp, [edi+68h],	61694274h

loc_424848:				; CODE XREF: .text:004247E3j
		jnb	short $+2
		pop	es
		push	ebx
		jz	short loc_4248AF
		outsb
		db	64h
		popa
		jb	short near ptr loc_4248B5+2
		push	ebx

loc_424854:				; CODE XREF: .text:00424803j
		jz	short near ptr loc_4248B5+2

loc_424856:				; CODE XREF: .text:004247E7j
		jb	short near ptr loc_4248CA+2
		add	[eax+61745308h], bl
		outsb
		db	64h
		popa
		jb	short loc_4248C7
		push	ebx
		jz	short loc_4248C7

loc_424866:				; CODE XREF: .text:loc_4247EBj
		jb	short loc_4248DC
		pop	ecx
		db	65h
		popa
		jb	short $+2
		push	es
		push	ebx
		jz	short loc_4248D2
		outsb
		db	64h
		popa
		jb	short loc_4248DA
		push	ebx
		jz	short loc_4248DA
		jb	short loc_4248EF
		dec	ebp

loc_42487C:				; CODE XREF: .text:0042480Cj
		outsd
		outsb
		jz	short loc_4248E8
		add	[esi], al
		push	ebx
		jz	short near ptr loc_4248DF+7
		outsb
		db	64h
		popa
		jb	short near ptr loc_4248ED+1
		push	ebx
		jz	short near ptr loc_4248ED+1
		jb	short loc_424903
		inc	esp
		popa
		jns	short $+2

loc_424893:				; CODE XREF: .text:00424830j
		push	es
		push	ebx
		jz	short near ptr loc_4248F7+1
		outsb
		db	64h
		popa

loc_42489A:				; CODE XREF: .text:00424835j
		jb	short near ptr loc_4248FA+6
		push	ebx
		jz	short near ptr loc_4248FA+6
		jb	short loc_424915
		dec	eax
		outsd
		jnz	short near ptr loc_424916+1
		add	[esi], al
		push	ebx
		jz	short near ptr loc_424906+5
		outsb
		db	64h
		popa

loc_4248AD:				; CODE XREF: .text:0042483Fj
		jb	short near ptr loc_42490F+4

loc_4248AF:				; CODE XREF: .text:0042484Cj
		push	ebx
		jz	short near ptr loc_42490F+4
		jb	short near ptr loc_424927+1
		dec	ebp

loc_4248B5:				; CODE XREF: .text:00424851j
					; .text:loc_424854j
		imul	ebp, [esi+75h],	6006574h
		push	ebx
		jz	short loc_424920
		outsb
		db	64h
		popa
		jb	short near ptr loc_424927+1
		push	ebx
		jz	short near ptr loc_424927+1

loc_4248C7:				; CODE XREF: .text:00424861j
					; .text:00424864j
		jb	short loc_42493D
		push	ebx

loc_4248CA:				; CODE XREF: .text:loc_424856j
		arpl	gs:[edi+6Eh], bp
		add	fs:[esi], al
		push	ebx

loc_4248D2:				; CODE XREF: .text:0042486Fj
		jz	short loc_424935
		outsb
		db	64h
		popa
		jb	short loc_42493D
		push	ebx

loc_4248DA:				; CODE XREF: .text:00424874j
					; .text:00424877j
		jz	short loc_42493D

loc_4248DC:				; CODE XREF: .text:loc_424866j
		jb	short near ptr loc_42494F+3
		dec	ebp

loc_4248DF:				; CODE XREF: .text:00424883j
		imul	ebp, [esp+ebp*2+69h], 6F636573h
		outsb

loc_4248E8:				; CODE XREF: .text:0042487Ej
		db	64h
		jnb	short $+3
		push	es
		push	ebx

loc_4248ED:				; CODE XREF: .text:00424888j
					; .text:0042488Bj
		jz	short near ptr loc_42494F+1

loc_4248EF:				; CODE XREF: .text:00424879j
		outsb
		db	64h
		popa
		jb	short loc_424958
		push	ebx
		jz	short loc_424958

loc_4248F7:				; CODE XREF: .text:00424895j
		jb	short near ptr loc_42496C+1
		push	edi

loc_4248FA:				; CODE XREF: .text:loc_42489Aj
					; .text:0042489Dj
		db	65h
		imul	esp, gs:[ecx+79h], 0
		push	es
		inc	esp

loc_424903:				; CODE XREF: .text:0042488Dj
		popa
		jns	short near ptr loc_42496C+6

loc_424906:				; CODE XREF: .text:004248A8j
		imul	esp, [edi+68h],	61745374h
		jb	short near ptr loc_424981+2

loc_42490F:				; CODE XREF: .text:loc_4248ADj
					; .text:004248B0j
		add	[eax+79614408h], bl

loc_424915:				; CODE XREF: .text:0042489Fj
		insb

loc_424916:				; CODE XREF: .text:004248A3j
		imul	esp, [edi+68h],	61745374h
		jb	short loc_424993
		pop	ecx

loc_424920:				; CODE XREF: .text:004248BDj
		db	65h
		popa
		jb	short $+2
		push	es
		inc	esp
		popa

loc_424927:				; CODE XREF: .text:004248B2j
					; .text:004248C2j ...
		jns	short loc_424995
		imul	esp, [edi+68h],	61745374h
		jb	short near ptr loc_4249A5+1
		dec	ebp
		outsd
		outsb

loc_424935:				; CODE XREF: .text:loc_4248D2j
		jz	short loc_42499F
		add	[esi], al
		inc	esp
		popa
		jns	short near ptr loc_4249A7+2

loc_42493D:				; CODE XREF: .text:loc_4248C7j
					; .text:004248D7j ...
		imul	esp, [edi+68h],	61745374h
		jb	short loc_4249BA
		inc	esp
		popa
		jns	short $+2
		push	es
		inc	esp
		popa
		jns	short near ptr loc_4249BA+1

loc_42494F:				; CODE XREF: .text:loc_4248EDj
					; .text:loc_4248DCj
		imul	esp, [edi+68h],	61745374h
		jb	short loc_4249CC

loc_424958:				; CODE XREF: .text:004248F2j
					; .text:004248F5j
		dec	eax
		outsd
		jnz	short near ptr loc_4249CD+1
		add	[esi], al
		inc	esp
		popa
		jns	short near ptr loc_4249CD+1
		imul	esp, [edi+68h],	61745374h
		jb	short near ptr loc_4249DE+1
		dec	ebp

loc_42496C:				; CODE XREF: .text:loc_4248F7j
					; .text:00424904j
		imul	ebp, [esi+75h],	6006574h
		inc	esp
		popa
		jns	short near ptr loc_4249E1+2
		imul	esp, [edi+68h],	61745374h
		jb	short loc_4249F4
		push	ebx

loc_424981:				; CODE XREF: .text:0042490Dj
		arpl	gs:[edi+6Eh], bp
		add	fs:[esi], al
		inc	esp
		popa
		jns	short near ptr loc_4249F7+1
		imul	esp, [edi+68h],	61745374h

loc_424993:				; CODE XREF: .text:0042491Dj
		jb	short near ptr loc_424A08+1

loc_424995:				; CODE XREF: .text:loc_424927j
		dec	ebp
		imul	ebp, [esp+ebp*2+69h], 6F636573h
		outsb

loc_42499F:				; CODE XREF: .text:loc_424935j
		db	64h
		jnb	short $+3
		push	es
		inc	esp
		popa

loc_4249A5:				; CODE XREF: .text:00424930j
		jns	short near ptr loc_424A11+2

loc_4249A7:				; CODE XREF: .text:0042493Bj
		imul	esp, [edi+68h],	61745374h
		jb	short near ptr loc_424A23+1
		push	edi
		db	65h
		imul	esp, gs:[ecx+79h], 0
		push	es
		push	es

loc_4249BA:				; CODE XREF: .text:00424944j
					; .text:0042494Dj
					; DATA XREF: ...
		or	eax, [eax+eax]
; 
		db 3 dup(0)
		dd 400000h, 80006D00h, 72694600h
; 

loc_4249CC:				; CODE XREF: .text:00424956j
		insd

loc_4249CD:				; CODE XREF: .text:0042495Aj
					; .text:00424960j
		ja	short near ptr loc_424A2F+1
		jb	short near ptr loc_424A33+3
		inc	edx
		outsd
		outsd
		jz	short loc_424A1A
		popa
		jz	short near ptr word_424A3A
		add	[edx+65h], dl
		jnb	short loc_424A43

loc_4249DE:				; CODE XREF: .text:00424969j
		jz	short loc_424A25
		outsb

loc_4249E1:				; CODE XREF: .text:00424975j
		add	fs:[edx], cl
		dec	esp
		outsd
		popa
		db	64h
		dec	ecx
		insd
		popa
		db	67h, 65h
		push	ebx
		jz	short near ptr loc_424A50+1
		jb	short loc_424A66
		add	[edx], cl

loc_4249F4:				; CODE XREF: .text:0042497Ej
		push	ebx
		jz	short near ptr loc_424A57+1

loc_4249F7:				; CODE XREF: .text:0042498Aj
		jb	short near ptr loc_424A6A+3
		dec	ecx
		insd
		popa
		db	67h, 65h
		push	ebx
		jz	short loc_424A62
		jb	short loc_424A77
		add	[edx], cl
		inc	ebp
		js	short near ptr loc_424A6A+7

loc_424A08:				; CODE XREF: .text:loc_424993j
		jz	short near ptr loc_424A4B+1
		outsd
		outsd
		jz	short near ptr loc_424A5F+2
		db	65h
		jb	short near ptr loc_424A83+4

loc_424A11:				; CODE XREF: .text:loc_4249A5j
		imul	esp, [ebx+65h],	746E4573h
		jb	short loc_424A93

loc_424A1A:				; CODE XREF: .text:004249D4j
		add	[edx], cl
		inc	ebp
		js	short near ptr loc_424A83+5
		jz	short near ptr loc_424A62+1
		outsd
		outsd

loc_424A23:				; CODE XREF: .text:004249AEj
		jz	short loc_424A78

loc_424A25:				; CODE XREF: .text:loc_4249DEj
		db	65h
		jb	short near ptr loc_424A9B+3
		imul	esp, [ebx+65h],	69784573h

loc_424A2F:				; CODE XREF: .text:loc_4249CDj
		jz	short $+2
		or	al, [esi]

loc_424A33:				; CODE XREF: .text:004249CFj
					; DATA XREF: SetFailureLocation+5Co
		or	eax, large ds:0
; 
		db 0
word_424A3A	dw 0			; CODE XREF: .text:004249D7j
		dd offset loc_4A0000
; 
		add	byte ptr [eax],	48h

loc_424A43:				; CODE XREF: .text:004249DCj
		imul	esi, [esi+65h],	64616F4Ch
		inc	ebp

loc_424A4B:				; CODE XREF: .text:loc_424A08j
		jb	short near ptr loc_424ABC+3
		outsd
		jb	short near ptr loc_424A93+1

loc_424A50:				; CODE XREF: .text:004249EEj
		db	65h
		jz	short loc_424AB8
		arpl	[ebp+64h], si

loc_424A57:				; CODE XREF: .text:004249F5j
		add	[ecx+73h], ch
		push	edx
		arpl	gs:[edi+76h], bp

loc_424A5F:				; CODE XREF: .text:00424A0Cj
		db	65h
		jb	short loc_424AC3

loc_424A62:				; CODE XREF: .text:004249FFj
					; .text:00424A1Fj
		bound	ebp, [ebp+0]

loc_424A66:				; CODE XREF: .text:004249F0j
		test	[ebx], al
		popaw

loc_424A6A:				; CODE XREF: .text:loc_4249F7j
					; .text:00424A06j
		imul	ebp, [ebp+esi*2+72h], 70795465h
		add	gs:[eax], cl
		jnb	short near ptr loc_424AEA+1

loc_424A77:				; CODE XREF: .text:00424A01j
		popa

loc_424A78:				; CODE XREF: .text:loc_424A23j
		jz	short loc_424AEF
		jnb	short $+2
		mov	[esi], cl
		insb
		outsd
		arpl	[ecx+74h], sp

loc_424A83:				; CODE XREF: .text:00424A0Ej
					; .text:00424A1Dj
					; DATA XREF: ...
		imul	ebp, [edi+6Eh],	0B060800h
		add	eax, 0
; 
		db 0
		db 0, 40h, 0
; 

loc_424A93:				; CODE XREF: .text:00424A18j
					; .text:00424A4Ej
		add	[edi+6C540000h], bh
		db	67h
		inc	ecx

loc_424A9B:				; CODE XREF: .text:loc_424A25j
		db	67h, 67h
		jb	short near ptr loc_424B03+1
		db	67h
		popa
		jz	short near ptr loc_424B07+1
		push	ebx
		jnz	short near ptr loc_424B12+1
		insd
		popa
		jb	short near ptr loc_424B22+1
		add	[eax+72h], dl
		outsd
		jbe	short near ptr loc_424B18+1
		db	64h, 65h
		jb	short $+4
		cmovle	esi, [ebp+6Dh]

loc_424AB8:				; CODE XREF: .text:loc_424A50j
		inc	esi
		insb
		jnz	short loc_424B2F

loc_424ABC:				; CODE XREF: .text:loc_424A4Bj
		push	0A007365h
		dec	ebp
		popa

loc_424AC3:				; CODE XREF: .text:loc_424A5Fj
		js	short near ptr loc_424B09+1
		outsb
		jz	short near ptr loc_424B38+2
		imul	esp, [ebp+73h],	726F7453h
		db	65h
		add	fs:[edx], cl
		push	esp
		outsd
		jz	short loc_424B38
		insb
		inc	ebp
		outsb
		jz	short near ptr loc_424B4B+3
		imul	esp, [ebp+73h],	73756C46h
		push	0A006465h
		dec	ebp
		popa

loc_424AEA:				; CODE XREF: .text:00424A75j
		js	short near ptr loc_424B2F+2
		outsb
		jz	short loc_424B61

loc_424AEF:				; CODE XREF: .text:loc_424A78j
		imul	esp, [ebp+73h],	73756C46h
		push	8006465h
		dec	ebp
		imul	ebp, [esi+45h],	6972746Eh

loc_424B03:				; CODE XREF: .text:loc_424A9Bj
		db	65h
		jnb	short near ptr loc_424B4B+1
		insb

loc_424B07:				; CODE XREF: .text:00424AA1j
		jnz	short loc_424B7C

loc_424B09:				; CODE XREF: .text:loc_424AC3j
		push	8006465h
		dec	esi
		jnz	short loc_424B7E
		inc	edx

loc_424B12:				; CODE XREF: .text:00424AA4j
		jnz	short near ptr loc_424B71+6
		imul	esp, [ebp+74h],	4Ch

loc_424B18:				; CODE XREF: .text:00424AAEj
		imul	ebp, [ebp+69h],	61655274h
		arpl	[eax+65h], bp

loc_424B22:				; CODE XREF: .text:00424AA8j
		add	fs:[eax], cl
		dec	esi
		jnz	short near ptr loc_424B90+5
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp

loc_424B2F:				; CODE XREF: .text:00424ABAj
					; .text:loc_424AEAj
		imul	ebp, [edi+6Eh],	6C696146h
		jnz	short near ptr loc_424BA9+1

loc_424B38:				; CODE XREF: .text:00424AD5j
					; .text:00424AC6j
		db	65h
		jnb	short $+3
		or	[esi+75h], cl
		insd
		dec	esp
		popa
		jb	short near ptr loc_424BA9+1
		db	65h
		inc	ebp
		jbe	short near ptr loc_424BAB+1
		outsb
		jz	short loc_424B90
		popa

loc_424B4B:				; CODE XREF: .text:loc_424B03j
					; .text:00424ADAj
		imul	ebp, [ebp+esi*2+72h], 8007365h
		add	al, 18h
		hlt
		jmp	far ptr	0AD46h:4C0C07E9h
; 
		db 14h,	0A7h, 0F3h
; 
		push	ebx

loc_424B61:				; CODE XREF: .text:00424AEDj
		xor	al, 9Ah

loc_424B63:				; DATA XREF: .data:006B234Co
		add	[edi], dh
		add	[ebp+69h], cl
		arpl	[edx+6Fh], si
		jnb	short loc_424BDC
		db	66h
		jz	short near ptr loc_424B9D+1
		push	edi

loc_424B71:				; CODE XREF: .text:loc_424B12j
		imul	ebp, [esi+64h],	2E73776Fh
		dec	ebx
		db	65h
		jb	short locret_424BEA

loc_424B7C:				; CODE XREF: .text:loc_424B07j
		db	65h
		insb

loc_424B7E:				; CODE XREF: .text:00424B0Fj
		db	2Eh
		push	edx
		imul	esi, gs:[bp+di+74h], 13007972h
		add	[ecx], al
		sbb	dh, [ebx+50h]
		dec	edi
		iret
; 

loc_424B90:				; CODE XREF: .text:00424B48j
					; .text:00424B26j
		mov	[edx-231F4CB9h], eax
		call	near ptr 0BAB85064h
		add	al, 26h

loc_424B9D:				; CODE XREF: .text:00424B6Dj
		xor	al, 0E8h
		test	dword ptr [ecx-3AA706D5h], 6DDBF2D4h

loc_424BA9:				; CODE XREF: .text:00424B36j
					; .text:00424B41j
		or	dl, ah

loc_424BAB:				; CODE XREF: .text:00424B45j
					; .text:00424C02j
					; DATA XREF: ...
		jnb	short loc_424BF7
		add	[ebp+69h], cl
		arpl	[edx+6Fh], si
		jnb	short near ptr loc_424C20+4
		db	66h
		jz	short near ptr loc_424BE5+1
		push	edi
		imul	ebp, [esi+64h],	2E73776Fh
		dec	ebx
		db	65h
		jb	short loc_424C32
		db	65h
		insb
		db	2Eh
		inc	esi
		db	65h
		popa
		jz	short near ptr loc_424C3F+2
		jb	short near ptr loc_424C32+1
		inc	ebx
		outsd
		outsb
		imul	sp, [edi+75h], 6172h
		jz	short loc_424C42
		outsd
		outsb
		dec	ebp

loc_424BDC:				; CODE XREF: .text:00424B6Bj
		popa
		outsb
		popa
		db	67h, 65h
		jb	near ptr 4BE3h
		adc	eax, [eax]

loc_424BE5:				; CODE XREF: .text:00424BB5j
		add	[edx], ebx
		jnb	short near ptr loc_424C35+4
		dec	edi

locret_424BEA:				; CODE XREF: .text:00424B79j
		iret
; 
		db 89h
		dd 0E0B34782h, 4C9E8DCh
		db 76h,	0BAh, 4
; 

loc_424BF7:				; CODE XREF: .text:loc_424BABj
		int	3		; Trap to Debugger
		sahf
		sub	eax, 171C9F25h
		dec	ecx
		xchg	esp, [eax-8]
		jb	short near ptr loc_424BAB+1
		cmp	esi, eax

loc_424C06:				; DATA XREF: .data:006B2374o
		sbb	[esi], dh
		add	[ebp+69h], cl
		arpl	[edx+6Fh], si
		jnb	short loc_424C7F
		db	66h
		jz	short near ptr loc_424C3F+2
		push	edi
		imul	ebp, [esi+64h],	2E73776Fh
		inc	ebx
		outsd
		outsb
		jz	short near ptr loc_424C7F+2

loc_424C20:				; CODE XREF: .text:00424BB3j
		imul	ebp, [esi+65h],	522E7372h
		imul	esi, gs:[bp+di+74h], 69567972h
		jb	short near ptr loc_424CA2+4

loc_424C32:				; CODE XREF: .text:00424BC1j
					; .text:00424BCCj
		jnz	short loc_424C95
		insb

loc_424C35:				; CODE XREF: .text:00424BE7j
		imul	edi, [edx+61h],	6E6F6974h
		add	[edi+ecx*4], al

loc_424C3F:				; CODE XREF: .text:00424BCAj
					; .text:00424C10j
		rep jl short near ptr loc_424C51+1

loc_424C42:				; CODE XREF: .text:00424BD7j
		sbb	esi, [eax+6BBF4FFCh]
		shr	ch, 1
		xchg	eax, esi
		fsubr	st, st(4)

loc_424C4D:				; DATA XREF: .data:006B239Co
		mov	byte ptr [esi],	0
		dec	ebp

loc_424C51:				; CODE XREF: .text:loc_424C3Fj
		imul	esp, [ebx+72h],	666F736Fh
		jz	short near ptr loc_424C87+1
		push	edi
		imul	ebp, [esi+64h],	2E73776Fh
		dec	ebx
		db	65h
		jb	short near ptr loc_424CD0+4
		db	65h
		insb
		db	2Eh
		dec	edi
		jo	short near ptr loc_424CD5+3
		outsd
		arpl	[ebx+73h], bp
		add	[ebx], dl
		add	[ecx], al
		sbb	dh, [ebx+50h]
		dec	edi
		iret
; 
		mov	[edx-231F4CB9h], eax

loc_424C7F:				; CODE XREF: .text:00424C0Ej
					; .text:00424C1Ej
		call	near ptr 0BAB8514Dh
		add	al, 0C5h
		outsd

loc_424C87:				; CODE XREF: .text:00424C58j
		shl	dword ptr [edi+ecx*8-5FB28D2Fh], 1
		push	ebp
		and	eax, 0A702EBF3h
		push	cs

loc_424C95:				; CODE XREF: .text:loc_424C32j
					; DATA XREF: .data:006B2CE4o
		aaa
		add	[ebp+69h], cl
		arpl	[edx+6Fh], si
		jnb	short loc_424D0D
		db	66h
		jz	short loc_424CCF
		push	edi

loc_424CA2:				; CODE XREF: .text:00424C30j
		imul	ebp, [esi+64h],	2E73776Fh
		dec	ebx
		db	65h
		jb	short loc_424D1B
		db	65h
		insb
		db	2Eh
		dec	esp
		imul	esi, [esi+65h],	706D7544h
		add	[ebx], dl
		add	[ecx], al
		sbb	dh, [ebx+50h]
		dec	edi
		iret
; 
		db 89h,	82h, 47h
		dd 0E8DCE0B3h, 0BA7604C9h
		db 4, 7Bh, 0F3h
; 

loc_424CCF:				; CODE XREF: .text:00424C9Ej
		std

loc_424CD0:				; CODE XREF: .text:00424C63j
		test	eax, 4051D72Dh

loc_424CD5:				; CODE XREF: .text:00424C6Aj
		mov	ds:1022D4CDh, eax
		cmp	al, 0E0h

loc_424CDC:				; DATA XREF: .data:006B2D0Co
		jns	short near ptr loc_424D12+1
		add	[ebp+69h], cl
		arpl	[edx+6Fh], si
		jnb	short loc_424D55
		db	66h
		jz	short near ptr loc_424D14+3
		push	edi
		imul	ebp, [esi+64h],	2E73776Fh
		dec	ebx
		db	65h
		jb	short near ptr loc_424D60+3
		db	65h
		insb
		db	2Eh
		push	ebx
		jns	short loc_424D6E
		inc	ebp
		outsb
		jbe	short $+2
		adc	eax, [eax]
		add	[edx], ebx
		jnb	short loc_424D55
		dec	edi
		iret
; 
		mov	[edx-231F4CB9h], eax

loc_424D0D:				; CODE XREF: .text:00424C9Cj
		call	near ptr 0BAB851DBh

loc_424D12:				; CODE XREF: .text:loc_424CDCj
		add	al, 0FFh

loc_424D14:				; CODE XREF: .text:00424CE6j
		jmp	near ptr 0F36215D6h
; 
		db 0DCh, 59h
; 

loc_424D1B:				; CODE XREF: .text:00424CAAj
		insb
		daa
		retf	0C537h
; 
dword_424D20	dd 3BA5AD16h, 63694D00h, 6F736F72h, 572E7466h, 6F646E69h
					; DATA XREF: .data:006B2E04o
		dd 4B2E7377h, 656E7265h, 65442E6Ch, 65636976h, 666E6F43h
		db 69h
; 

loc_424D49:				; CODE XREF: .text:00424D68j
		add	[bp+di], dl
		add	[ecx], al
		cmp	al, ds:0C2EC7DEh
		inc	esp

loc_424D55:				; CODE XREF: .text:00424CE4j
					; .text:00424D03j
		dec	edx
		xchg	eax, ecx
		mov	ds:2EEC2252h, al
		int	0F1h		; reserved for user interrupt
		add	al, 0BBh

loc_424D60:				; CODE XREF: .text:00424CF2j
		mov	ebx, 0C2926C0Eh
		jge	short near ptr loc_424DAB+1
		xchg	eax, esi
		jnz	short loc_424D49
		int	3		; Trap to Debugger
		sbb	al, 0Dh
		pop	eax

loc_424D6E:				; CODE XREF: .text:00424CF9j
					; DATA XREF: .data:006B2B1Co
		mov	al, 32h
		add	[ebp+69h], cl
		arpl	[edx+6Fh], si
		jnb	short loc_424DE7
		db	66h
		jz	short loc_424DA9
		push	edi
		imul	ebp, [esi+64h],	2E73776Fh
		dec	ebx
		db	65h
		jb	short loc_424DF5
		db	65h
		insb
		db	2Eh
		push	eax
		outsb

loc_424D8C:				; CODE XREF: .text:loc_424DABj
		push	eax
		add	[ebx], dl
		add	[ecx], al
		sbb	dh, [ebx+50h]
		dec	edi
		iret
; 
		dw 8289h
		dd 0DCE0B347h, 7604C9E8h, 0BBBB04BAh, 0C2926C0Eh
		db 7Dh
; 

loc_424DA9:				; CODE XREF: .text:00424D78j
		inc	ebp
		xchg	eax, esi

loc_424DAB:				; CODE XREF: .text:00424D65j
		jnz	short loc_424D8C
		int	3		; Trap to Debugger
		sbb	al, 0Dh
		pop	eax

loc_424DB1:				; DATA XREF: .data:006B2DDCo
		mov	al, 32h
		add	[ebp+69h], cl
		arpl	[edx+6Fh], si
		jnb	short loc_424E2A
		db	66h
		jz	short near ptr loc_424DEB+1
		push	edi
		imul	ebp, [esi+64h],	2E73776Fh
		dec	ebx
		db	65h
		jb	short loc_424E38
		db	65h
		insb
		db	2Eh
		push	eax
		outsb
		push	eax
		add	[ebx], dl
		add	[ecx], al
		cmp	al, ds:0C2EC7DEh
		inc	esp
		dec	edx
		xchg	eax, ecx
		mov	ds:2EEC2252h, al
		int	0F1h		; reserved for user interrupt

loc_424DE4:				; CODE XREF: .text:00424E28j
		add	al, 0C3h
		aaa

loc_424DE7:				; CODE XREF: .text:00424D76j
		sbb	al, 6
		arpl	[ebx], dx

loc_424DEB:				; CODE XREF: .text:00424DBBj
		sbb	ebx, [eax+edi*4-13h]
		rep fdiv st, st(7)
		inc	esi
		xor	ecx, esi

loc_424DF5:				; CODE XREF: .text:00424D84j
					; DATA XREF: .data:006B1F2Co
		xor	eax, 63694D00h
		jb	short loc_424E6B
		jnb	short near ptr loc_424E6B+2
		db	66h
		jz	short near ptr loc_424E2C+3
		push	edi
		imul	ebp, [esi+64h],	2E73776Fh
		dec	ebx
		db	65h
		jb	short near ptr loc_424E76+5
		db	65h
		insb
		db	2Eh
		dec	ebx
		db	65h
		jb	short near ptr loc_424E80+2
		db	65h
		insb
		add	[ebx], dl
		add	[ecx], al

loc_424E1A:				; CODE XREF: .text:00424E72j
		sbb	dh, [ebx+50h]
		dec	edi
		iret
; 
		db 89h
		dd 0E0B34782h, 4C9E8DCh
; 
		jbe	short loc_424DE4

loc_424E2A:				; CODE XREF: .text:00424DB9j
		add	al, 9Ch

loc_424E2C:				; CODE XREF: .text:00424DFEj
		mov	ebx, [esi+73406C7Eh]
		pop	ebp
		in	eax, 66h
		movmskps ebp, xmm2

loc_424E38:				; CODE XREF: .text:00424DC7j
		cmp	bl, dh

loc_424E3A:				; DATA XREF: .data:006B2EDCo
		db	3Eh
		xor	[eax], eax
		dec	ebp
		imul	esp, [ebx+72h],	666F736Fh
		jz	short loc_424E74
		push	edi
		imul	ebp, [esi+64h],	2D73776Fh
		dec	ebx
		db	65h
		jb	short loc_424EC1
		db	65h
		insb
		sub	eax, 13006D4Dh
		add	[ecx], al
		sbb	dh, [ebx+50h]
		dec	edi
		iret
; 
		db 89h,	82h, 47h
; 
		mov	bl, 0E0h
		fsub	st, st
		leave
		add	al, 76h

loc_424E6B:				; CODE XREF: .text:00424DFAj
					; .text:00424DFCj
		mov	edx, 0BCA7A104h
		arpl	sp, bp
		ja	short near ptr loc_424E1A+1

loc_424E74:				; CODE XREF: .text:00424E45j
					; .text:00424EBDj
		dec	esi
		xchg	eax, ebp

loc_424E76:				; CODE XREF: .text:00424E0Aj
		rcr	byte ptr [eax-143F0F2Dh], 1

loc_424E7C:				; DATA XREF: .data:006B23FCo
		div	dword ptr [eax+eax]
		dec	ebp

loc_424E80:				; CODE XREF: .text:00424E11j
		imul	esp, [ebx+72h],	666F736Fh
		jz	short loc_424EB7
		push	edi
		imul	ebp, [esi+64h],	2E73776Fh
		dec	ebx
		db	65h
		jb	short loc_424F03
		db	65h
		insb
		db	2Eh
		push	eax
		outsd
		ja	short loc_424F01
		jb	short $+2
		adc	eax, [eax]
		add	[edx], ebx
		jnb	short loc_424EF4
		dec	edi
		iret
; 
		dw 8289h
; 
		inc	edi

loc_424EA9:				; CODE XREF: .text:00424EBBj
		mov	bl, 0E0h
		fsub	st, st
		leave
		add	al, 76h
		mov	edx, 2ED72704h
; 
		db 0Dh,	0A0h
; 

loc_424EB7:				; CODE XREF: .text:00424E87j
		cmp	[ebx], ch
		dec	ebx
		lahf
		jle	short loc_424EA9
		jns	short loc_424E74
		in	al, dx
		dec	edx

loc_424EC1:				; CODE XREF: .text:00424E50j
		movsd

loc_424EC2:				; DATA XREF: PAGEDATA:00A93B0Co
		inc	edx
		add	[ebp+69h], cl
		arpl	[edx+6Fh], si
		jnb	short loc_424F3A
		db	66h
		jz	short loc_424EFC
		push	edi
		imul	ebp, [esi+64h],	2E73776Fh
		dec	ebx

loc_424ED7:				; CODE XREF: .text:loc_424F10j
		db	65h
		jb	short loc_424F48
		db	65h
		insb
		db	2Eh
		push	eax
		outsd
		ja	short loc_424F46
		jb	short near ptr loc_424F10+1
		inc	esp
		imul	esi, [edx+65h],	64657463h
		inc	esp
		jb	short near ptr loc_424F55+2
		jo	short near ptr loc_424F62+1
		add	[ebx], dl
		add	[ecx], al

loc_424EF4:				; CODE XREF: .text:00424EA2j
		sbb	dh, [ebx+50h]
		dec	edi
		iret
; 
		db 89h,	82h, 47h
; 

loc_424EFC:				; CODE XREF: .text:00424ECBj
		mov	bl, 0E0h
		fsub	st, st

locret_424F00:				; CODE XREF: .text:00424F09j
		leave

loc_424F01:				; CODE XREF: .text:00424E9Aj
		add	al, 76h

loc_424F03:				; CODE XREF: .text:00424E92j
		mov	edx, 0DC1E3404h
		sahf
		jno	short locret_424F00
		jz	short near ptr loc_424F4E+2
		xchg	ebx, [eax+edi*4]

loc_424F10:				; CODE XREF: .text:00424EE1j
		jl	short near ptr loc_424ED7+2
		inc	edx

loc_424F13:				; DATA XREF: .data:006B2FD4o
		add	[ebx+3Eh], edi
		add	[ebp+69h], cl
		arpl	[edx+6Fh], si
		jnb	short loc_424F8D
		db	66h
		jz	short near ptr loc_424F4E+1
		push	edi
		imul	ebp, [esi+64h],	2E73776Fh
		push	eax
		outsd
		ja	short locret_424F92
		jb	short loc_424F5D
		push	ebx
		insb
		db	65h, 65h
		jo	short near ptr loc_424FA5+3
		jz	short near ptr loc_424FAA+2
		db	64h
		jns	short loc_424F82

loc_424F3A:				; CODE XREF: .text:00424EC9j
		db	65h
		insb
		jo	short near ptr loc_424FA1+2
		jb	short $+2
		adc	eax, [eax]
		add	[edx], ebx
		jnb	short near ptr loc_424F95+1

loc_424F46:				; CODE XREF: .text:00424EDFj
		dec	edi
		iret
; 

loc_424F48:				; CODE XREF: .text:loc_424ED7j
		mov	[edx-231F4CB9h], eax

loc_424F4E:				; CODE XREF: .text:00424F1Ej
					; .text:00424F0Bj
		call	near ptr 0BAB8541Ch
		add	al, 4Dh

loc_424F55:				; CODE XREF: .text:00424EECj
		db	3Eh
		jnz	short near ptr loc_424FB4+2
		or	eax, 0B844512Bh

loc_424F5D:				; CODE XREF: .text:00424F2Dj
		stc

loc_424F5E:				; CODE XREF: .text:00424FC8j
		movlps	xmm2, qword ptr	[ebx-36h]

loc_424F62:				; CODE XREF: .text:00424EEEj
					; DATA XREF: PAGEDATA:00A93C04o
		or	eax, [edx+esi+0]
		dec	ebp
		imul	esp, [ebx+72h],	666F736Fh
		jz	short near ptr loc_424F9B+3
		push	edi
		imul	ebp, [esi+64h],	2E73776Fh
		dec	ebx
		db	65h
		jb	short near ptr loc_424FE4+6
		db	65h
		insb
		db	2Eh
		push	esp
		jz	short loc_424FEF

loc_424F82:				; CODE XREF: .text:00424F37j
		add	[ebx], dl
		add	[ecx], al
		sbb	dh, [ebx+50h]
		dec	edi
		iret
; 
		db 89h
		db 82h
; 

loc_424F8D:				; CODE XREF: .text:00424F1Cj
		inc	edi
		mov	bl, 0E0h
		fsub	st, st

locret_424F92:				; CODE XREF: .text:00424F2Bj
		leave
		add	al, 76h

loc_424F95:				; CODE XREF: .text:00424F44j
		mov	edx, 753E4D04h
		pop	esi

loc_424F9B:				; CODE XREF: .text:00424F6Ej
		or	eax, 0B844512Bh
		stc

loc_424FA1:				; CODE XREF: .text:00424F3Cj
		movlps	xmm2, qword ptr	[ebx-36h]

loc_424FA5:				; CODE XREF: .text:00424F31j
					; DATA XREF: PAGEDATA:00A93BCCo
		or	eax, [edi+ebx+0]
		dec	ebp

loc_424FAA:				; CODE XREF: .text:00424F35j
		imul	esp, [ebx+72h],	666F736Fh
		jz	short near ptr loc_424FE0+1
		push	edi

loc_424FB4:				; CODE XREF: .text:loc_424F55j
					; .text:0042501Bj
		imul	ebp, [esi+64h],	2E73776Fh
		dec	ebx
		db	65h
		jb	short near ptr loc_42502B+2
		db	65h
		insb
		db	2Eh
		push	esp
		jz	short near ptr loc_425030+2
		add	[eax+ebx*8], al
		jnb	short near ptr loc_424F5E+2
		lds	edx, [esi-4A72049h]
		clc
		cmpsd

loc_424FD2:				; DATA XREF: .data:006B1F54o
		or	ebp, [ebp+3FCA6D65h]
		add	[ebp+69h], cl
		arpl	[edx+6Fh], si
		jnb	short near ptr loc_42504B+4

loc_424FE0:				; CODE XREF: .text:00424FB1j
		db	66h
		jz	short loc_425011
		push	edi

loc_424FE4:				; CODE XREF: .text:00424F79j
		imul	ebp, [esi+64h],	2E73776Fh
		dec	ebx
		db	65h
		jb	short loc_42505D

loc_424FEF:				; CODE XREF: .text:00424F80j
		db	65h
		insb
		db	2Eh
		push	eax
		jb	short loc_425064
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_42504B+2
		jnz	short near ptr loc_42505D+1
		jnb	short near ptr loc_425076+1
		jnb	short near ptr loc_425072+2
		db	65h
		insd
		add	[ebx], dl
		add	[ecx], al
		sbb	dh, [ebx+50h]
		dec	edi
		iret
; 
		mov	[edx-231F4CB9h], eax

loc_425011:				; CODE XREF: .text:loc_424FE0j
		call	near ptr 0BAB854DFh
		add	al, 0F4h
		std
		test	al, 27h
		ja	short near ptr loc_424FB4+4
		pop	ebx
		push	edi
		mov	esi, 3E16E73Bh
		icebp
		pop	ecx

loc_425026:				; DATA XREF: .data:006B36A4o
		mov	ebx, 694D003Dh

loc_42502B:				; CODE XREF: .text:00424FBCj
		arpl	[edx+6Fh], si
		jnb	short loc_42509F

loc_425030:				; CODE XREF: .text:00424FC3j
		db	66h
		jz	short near ptr loc_42505F+2
		push	edi
		imul	ebp, [esi+64h],	2E73776Fh

loc_42503B:				; CODE XREF: .text:loc_42505Dj
		push	ebx
		arpl	gs:[ebp+72h], si
		imul	esi, [ecx+edi*2+2Eh], 61706143h
		bound	ebp, [ecx+6Ch]

loc_42504B:				; CODE XREF: .text:00424FF8j
					; .text:00424FDEj
		imul	esi, [ecx+ebp*2+65h], 130073h
		add	[edx], ebx
		jnb	short loc_4250A7
		dec	edi
		iret
; 
		db 89h,	82h, 47h
		db 0B3h
; 

loc_42505D:				; CODE XREF: .text:00424FECj
					; .text:00424FFAj
		loopne	loc_42503B

loc_42505F:				; CODE XREF: .text:loc_425030j
		call	near ptr 0BAB8552Dh

loc_425064:				; CODE XREF: .text:00424FF3j
		add	al, 38h
		call	far ptr	4BFAh:268009A6h
		lodsd
		add	[ecx+2Ah], edi
		setalc

loc_425072:				; CODE XREF: .text:00424FFEj
		cmp	cl, [edi-0Eh]

loc_425075:				; DATA XREF: .data:006B29ACo
		aaa

loc_425076:				; CODE XREF: .text:00424FFCj
		add	[ebp+69h], cl
		arpl	[edx+6Fh], si
		jnb	short loc_4250ED
		db	66h
		jz	short near ptr loc_4250AE+1
		push	edi
		imul	ebp, [esi+64h],	2E73776Fh
		dec	ebx
		db	65h
		jb	short near ptr loc_4250FA+1
		db	65h
		insb
		db	2Eh
		push	ebx
		arpl	gs:[ebp+72h], si
		imul	esi, [ecx+edi*2+0], 1A010013h
		jnb	short near ptr loc_4250ED+2

loc_42509F:				; CODE XREF: .text:0042502Ej
		dec	edi
		iret
; 
		mov	[edx-231F4CB9h], eax

loc_4250A7:				; CODE XREF: .text:00425055j
		call	near ptr 0BAB85575h
		add	al, 0E0h

loc_4250AE:				; CODE XREF: .text:0042507Ej
		aam	0FBh
		mov	bh, 8Fh
		cli
		pop	eax
		dec	esp
		mov	al, 0FBh
		cmp	al, 0C2h
		daa

loc_4250BA:				; DATA XREF: ALMOSTRO:00705F3Co
		mov	eax, 31D66Eh
		dec	ebp
		imul	esp, [ebx+72h],	666F736Fh
		jz	short loc_4250F6
		push	edi
		imul	ebp, [esi+64h],	2D73776Fh
		dec	ebx
		db	65h
		jb	short loc_425143
		db	65h
		insb
		sub	eax, 13006D56h
		add	[ecx], al
		sbb	dh, [ebx+50h]
		dec	edi
		iret
; 
		db 89h
; 
		add	byte ptr [edi-4Dh], 0E0h
		fsub	st, st
		leave
		add	al, 76h

loc_4250ED:				; CODE XREF: .text:0042507Cj
					; .text:0042509Dj
		mov	edx, 39FF9404h

loc_4250F2:				; CODE XREF: .text:loc_4250FAj
		sub	[edx], dl
; 
		db 8Fh,	1Bh
; 

loc_4250F6:				; CODE XREF: .text:004250C7j
		dec	esi
		and	bl, 0AFh

loc_4250FA:				; CODE XREF: .text:0042508Aj
		jp	short near ptr loc_4250F2+1
		jp	short loc_425143
; 
word_4250FE	dw 230Fh		; DATA XREF: .data:006B2A1Co
dword_425100	dd 72654B00h, 506C656Eh, 65636F72h, 13007373h, 731A0100h
		dd 89CF4F50h, 0E0B34782h, 4C9E8DCh, 1C04BA76h, 0B761452h
		dd 0BF43414Dh, 823087C9h, 23D3F1C0h, 72654B00h,	476C656Eh
		dd 72656E65h
		db 61h,	6Ch, 0
; 

loc_425143:				; CODE XREF: .text:004250D2j
					; .text:004250FCj
		adc	eax, [eax]
		add	[edx], ebx
		jnb	short loc_425199
		dec	edi
		iret
; 
		db 89h
dword_42514C	dd 0E0B34782h, 4C9E8DCh, 0C904BA76h, 781DD9B8h,	0B94075E0h
		dd 25514EDEh, 1E181A07h, 54534D00h, 6F436C65h, 130076h
		dd 50731A01h, 8289CF4Fh, 0DCE0B347h, 7604C9E8h,	0A53C04BAh
		dd 0A5618944h, 0C6A04E53h, 474165D5h, 25FC45h
; 
		dec	ebx

loc_425199:				; CODE XREF: .text:00425147j
		db	65h
		jb	short near ptr loc_425209+1
		db	65h
		insb
		inc	ebp
		js	short locret_425206
		arpl	[ebp+74h], si
		imul	esi, [esi+65h],	1001300h
		sbb	dh, [ebx+50h]
		dec	edi
		iret
; 
		db  89h	; 
		db 82h,	47h, 0B3h
		db 0E0h	; 
		db 0DCh, 0E8h, 0C9h
		db    4
		db 76h,	0BAh, 4
		db  75h	; u
		db 6Ah,	0B7h, 23h
		db  4Fh	; O
		db 0CEh, 0EFh, 56h
		db 0F9h	; 
		db 3, 0C3h, 0A2h
		db 0D6h	; 
		db 0AEh, 3Fh, 6Bh
unk_4251CC	db  3Eh	; >		; DATA XREF: .data:006B2B5Co
		align 2
aMicrosoft_wind	db 'Microsoft.Windows.Kernel.BootEnvironment',0
		db 13h
		dd 731A0100h, 89CF4F50h, 0E0B34782h
; 
		fsub	st, st

locret_425206:				; CODE XREF: .text:0042519Fj
		leave
		add	al, 76h

loc_425209:				; CODE XREF: .text:loc_425199j
		mov	edx, 771D9304h
		aas
; 
		db 0FEh
		db 0E3h	; 
		db 0F4h, 4Ch, 0BBh
		db  9Fh	; 
		db 4Ch,	6, 0DEh
		db  78h	; x
byte_425219	db 0C5h, 1Bh, 3Eh	; DATA XREF: .data:006B3044o
		db    0
aMicrosoft_wi_0	db 'Microsoft.Windows.Security.LicensingTool',0
		dw 13h
dword_425248	dd 50731A01h, 8289CF4Fh, 0DCE0B347h, 7604C9E8h,	0CC1304BAh
		dd 0B66F703Fh, 0D9DD5868h, 387FDBE2h, 3CFB1Fh, 7263694Dh
		dd 666F736Fh, 69572E74h, 776F646Eh, 6C542E73h, 67674167h
		dd 61676572h
; 
		jz	short near ptr byte_4252EF
		dec	ecx

loc_42528B:				; CODE XREF: .text:004252ABj
		outsb
		jz	short loc_4252F3
		jb	short loc_4252FE
		popa
		insb
		add	[ebx], dl
		add	[ecx], al
		sbb	dh, [ebx+50h]
		dec	edi
		iret
; 
		db 89h
		dd 0E0B34782h, 4C9E8DCh
		db 76h,	0BAh
; 

__TraceLoggingMetadataEnd:		; DATA XREF: _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)+65o
					; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)+64o ...
		add	[eax], eax

_RegistryProvGuid:			; DATA XREF: EtwpInitialize+2C1o
		add	ecx, [edi-15h]
		jo	short loc_42528B
		sal	dword ptr [ebx+4Fh], 0A0h
		push	ecx
		xor	edx, ecx

loc_4252B4:				; DATA XREF: PoBroadcastSystemState+2CBo
		cmp	eax, 25BD1354h
; 
		db 2 dup(0), 10h
		dd 2A2104h, 1C0Ch, 40000000h
; 

_EtwpComponentName:			; DATA XREF: EtwpInitialize+1E7o
		inc	ebp
		jz	short loc_425342
; 
		db 0
		align 10h

_POP_ETW_EVENT_DEVICESSUSPEND_END:	; DATA XREF: PoBroadcastSystemState:loc_71E593o
		and	al, 0
		add	[eax], dl
		add	al, 22h
		sub	[eax], eax
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_THERMAL_REQUEST_RUNDOWN:	; DATA XREF: PopRundownThermalRequests()+52o
		popf
; 
		db 2 dup(0), 11h
		dd 0C10004h, 20h
		db 3 dup(0)
byte_4252EF	db 20h			; CODE XREF: .text:00425288j
; 

_POP_ETW_EVENT_COOLING_EXTENSION_RUNDOWN: ; DATA XREF: PopRundownThermalRequests()+37o
		cwde
; 
		db 2 dup(0)
; 

loc_4252F3:				; CODE XREF: .text:0042528Cj
		adc	[eax+eax], eax
		mov	esp, 2000h
; 
		db 0
		db 2 dup(0)
; 

loc_4252FE:				; CODE XREF: .text:0042528Ej
		add	[eax], ah

_WNF_PO_POWER_STATE_CHANGE:		; DATA XREF: PopBatteryWorker+A0680o
		jnz	short near ptr loc_425315+5
		mov	esp, 0C6013DA3h
		inc	ecx

_WNF_PNPA_HARDWAREPROFILES_CHANGED:	; DATA XREF: PiUEventBroadcastHardwareProfilesChangedEvent(x,x)+1Ao
		jnz	short loc_425332
		mov	esp, 96003DA3h
; 
		db 0
; 

_WNF_PNPA_PORTS_CHANGED_SESSION:	; DATA XREF: PiUEventBroadcastPortsChangedEvent(x,x,x)+B6o
		xor	eax, 3DA3BC40h

loc_425315:				; CODE XREF: .text:_WNF_PO_POWER_STATE_CHANGEj
					; DATA XREF: MiAddPhysicalMemory(x,x,x,x,x)+444o ...
		add	[esi-43EF8B00h], dl
		mov	ds:41C60320h, eax

_WNF_FSRL_TIERED_VOLUME_DETECTED:	; DATA XREF: FsRtlpHeatRegisterVolume(x,x,x)+133o
		jnz	short near ptr loc_425327+3
		mov	esp, 941D2BA3h

loc_425327:				; CODE XREF: .text:_WNF_FSRL_TIERED_VOLUME_DETECTEDj
					; DATA XREF: PopUpdateWakeOnVoiceState(x)+15o
		or	eax, 0A3BD2075h

loc_42532C:				; DATA XREF: sub_5DF8EC+6o
		cmp	eax, 7541C601h
		dec	eax

loc_425332:				; CODE XREF: .text:_WNF_PNPA_HARDWAREPROFILES_CHANGEDj
		mov	esp, 0C6013DA3h
		inc	ecx

_WNF_PO_THERMAL_OVERTHROTTLE:		; DATA XREF: PopUpdateOverThrottledCount(x,x)+4Eo
		jnz	short loc_4253A2
		mov	esp, 0C6013DA3h
		inc	ecx

_WNF_PNPC_DEVICE_INSTALL_REQUESTED:	; DATA XREF: PiUEventSendDeviceInstallNotification(x)+Do
					; PpDevCfgInit+1468Bo
		jnz	short loc_425352

loc_425342:				; CODE XREF: .text:004252C9j
		mov	esp, 96003DA3h

loc_425347:				; DATA XREF: IoInitializeBugCheckProgress(x,x)+73o
					; IoInitializeBugCheckProgress(x,x)+B5o ...
		add	dl, ds:0B3BA57E0h
		db	65h
		cmp	al, 4Ch
		mov	dl, 74h

loc_425352:				; CODE XREF: .text:_WNF_PNPC_DEVICE_INSTALL_REQUESTEDj
					; .text:_WNF_PO_BATTERY_CHARGE_LEVELj
		db	65h
		xchg	eax, ecx
		xchg	eax, edx
		neg	byte ptr [ecx-42EF8A1Dh] ; DATA	XREF: PopPreSleepNotifyWorker(x)+13o
		mov	ds:41C6013Dh, eax

_WNF_PO_DRIPS_DEVICE_CONSTRAINTS_UPDATED: ; DATA XREF: PopFxClearDeviceConstraints(x)+1F3o
					; PopFxUpdateVetoMaskWork(x)+B1o
		jnz	short loc_4253BA

loc_425362:				; CODE XREF: .text:_WNF_PO_BATTERY_DISCHARGINGj
		mov	ebp, 0C6013DA3h
		inc	ecx

_WNF_PNPA_PORTS_CHANGED:		; DATA XREF: PiUEventBroadcastPortsChangedEvent(x,x,x)+92o
		jnz	short loc_4253A2

loc_42536A:				; CODE XREF: .text:___WIL_WNF_WIL_MACHINE_FEATURE_STORE_MODIFIEDj
		mov	esp, 96003DA3h
		add	ds:3DA3BC78h, dh
					; DATA XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+CEo
		add	esi, eax
		inc	ecx

_WNF_PO_COMPOSITE_BATTERY:		; DATA XREF: PopBatteryWorker+A02E1o
		jnz	short near ptr _WNF_PNPA_VOLUMES_CHANGED_SESSION+2

loc_42537A:				; CODE XREF: .text:_WNF_PO_SW_HW_DRIPS_DIVERGENCEj
		mov	esp, 0C6013DA3h
		inc	ecx

___WIL_WNF_WIL_USER_FEATURE_STORE:	; DATA XREF: wil_details_StagingConfig_Load:loc_5E0894r
		cmc

loc_425381:				; DATA XREF: wil_details_StagingConfig_Load+88925r
		mov	[ebx+418A073Ah], bh

_WNF_PNPA_VOLUMES_CHANGED_SESSION:	; CODE XREF: .text:_WNF_PO_COMPOSITE_BATTERYj
					; .text:_WNF_PO_DRIPS_DEVICE_CONSTRAINTS_REGISTEREDj
					; DATA XREF: ...
		xor	eax, 3DA3BC20h

loc_42538D:				; CODE XREF: .text:_WNF_PO_POWER_BUTTON_STATEj
					; DATA XREF: MmMarkPhysicalMemoryAsBad(x,x)+4A5o
		add	[esi-43F78B00h], dl
		mov	ds:41C60320h, eax

_WNF_PO_POWER_BUTTON_STATE:		; DATA XREF: PopPublishPowerButtonState(x)+30o
		jnz	short near ptr loc_42538D+5
		mov	esp, 0C6013DA3h
		inc	ecx

_WNF_PO_THERMAL_SHUTDOWN_OCCURRED:	; DATA XREF: PopThermalHandlePreviousShutdown+84508o
		jnz	short loc_4253E2

loc_4253A2:				; CODE XREF: .text:_WNF_PO_THERMAL_OVERTHROTTLEj
					; .text:_WNF_PNPA_PORTS_CHANGEDj
		mov	esp, 0C6013DA3h
		inc	ecx

_WNF_BOOT_DIRTY_SHUTDOWN:		; DATA XREF: BapdWriteEtwEvents+90E6Ao
		jnz	short near ptr loc_4253AF+3
		mov	esp, 89012FA3h

loc_4253AF:				; CODE XREF: .text:_WNF_BOOT_DIRTY_SHUTDOWNj
					; DATA XREF: SepSecureBootCheckForUpdates()+8Eo
		adc	eax, 0A3BC0875h
		db	3Eh
		or	al, 95h
		inc	ecx

_WNF_PO_SW_HW_DRIPS_DIVERGENCE:		; DATA XREF: PopDripsWatchdogCheckHwDivergence(x,x,x,x)+66o
		jnz	short loc_42537A

loc_4253BA:				; CODE XREF: .text:_WNF_PO_DRIPS_DEVICE_CONSTRAINTS_UPDATEDj
					; _WNF_PO_MODERN_STANDBY_EXIT_INITIATEDj
		mov	esp, 0C6013DA3h
		inc	ecx

_WNF_PO_DRIPS_DEVICE_CONSTRAINTS_REGISTERED:
					; DATA XREF: PopFxSetDeviceAccountingCsPlatformState(x)+257o
		jnz	short near ptr _WNF_PNPA_VOLUMES_CHANGED_SESSION+2
		mov	esp, 0C6013DA3h
		inc	ecx

_WNF_PO_BATTERY_DISCHARGING:		; DATA XREF: PopBatteryCheckCompositeCapacity+A0B68o
		jnz	short loc_425362
		mov	esp, 0C6013DA3h
		inc	ecx

_WNF_PO_BATTERY_CHARGE_LEVEL:		; DATA XREF: PopBatteryApplyCompositeState+A04FDo
		jnz	short loc_425352
		mov	esp, 0C6013DA3h
		inc	ecx

_WNF_FLT_RUNDOWN_WAIT:			; DATA XREF: FsRtlSendModernAppTermination:loc_5E6650r
		jnz	short loc_4253E2

loc_4253DA:				; DATA XREF: FsRtlSendModernAppTermination+81C38r
		mov	esp, 92022BA3h
		inc	ecx

_WNF_PO_SCENARIO_CHANGE:		; DATA XREF: PopSleepstudyStartNextSession+A6C2Eo
					; PopSleepstudyStartNextSession+A6D8Eo
		jnz	short loc_4253EA

loc_4253E2:				; CODE XREF: .text:_WNF_PO_THERMAL_SHUTDOWN_OCCURREDj
					; .text:_WNF_FLT_RUNDOWN_WAITj
		mov	esp, 0C6013DA3h
		inc	ecx

___WIL_WNF_WIL_MACHINE_FEATURE_STORE_MODIFIED:
					; DATA XREF: wil_details_StagingConfig_Load+889F5r
		jnz	short loc_42536A

loc_4253EA:				; CODE XREF: .text:_WNF_PO_SCENARIO_CHANGEj
					; DATA XREF: wil_details_StagingConfig_Load+889FBr
		mov	esp, 8A073AA3h
		inc	ecx

_WNF_PO_WEAK_CHARGER:			; DATA XREF: PopBatteryCheckCompositeCapacity+A08CDo
		jnz	short near ptr word_4253FA
		mov	ebp, 0C6013DA3h
		inc	ecx
; 
byte_4253F8	db 2 dup(0)		; DATA XREF: DisplayFilter(x)+3Ao
word_4253FA	dw 0			; CODE XREF: .text:_WNF_PO_WEAK_CHARGERj

;  S U B	R O U T	I N E 


_WNF_PO_THERMAL_STANDBY	proc near	; DATA XREF: PopThermalStandbyNotify(x)+2Do
		jnz	short near ptr loc_425433+3
		mov	esp, 0C6013DA3h
		inc	ecx
_WNF_PO_THERMAL_STANDBY	endp


;  S U B	R O U T	I N E 


_WNF_PO_MODERN_STANDBY_EXIT_INITIATED proc near	; DATA XREF: PopMonitorInvocation+A94CBo
		jnz	short near ptr loc_4253BA+4
		mov	esp, 0C6013DA3h
		inc	ecx

_WNF_DEP_OOBE_COMPLETE:			; DATA XREF: CmpInitializeSystemHivesLoad+A1F0Co
		jnz	short near ptr loc_425416+4
		mov	esp, 960B29A3h
		inc	ecx

___WIL_WNF_WIL_USER_FEATURE_STORE_MODIFIED:
					; DATA XREF: wil_details_StagingConfig_Load:loc_5E0977r
		cmc
		nop

loc_425416:				; CODE XREF: _WNF_PO_MODERN_STANDBY_EXIT_INITIATED:_WNF_DEP_OOBE_COMPLETEj
					; DATA XREF: wil_details_StagingConfig_Load+88A09r
		mov	esp, 8A073AA3h
		inc	ecx
_WNF_PO_MODERN_STANDBY_EXIT_INITIATED endp

; Exported entry 1500. NtBuildGUID

		public _NtBuildGUID
_NtBuildGUID:
		db	66h, 66h, 66h, 66h, 66h, 66h, 66h, 66h
		sub	eax, 66666666h
		sub	eax, 66666666h
		sub	eax, 66666666h

loc_425433:				; CODE XREF: _WNF_PO_THERMAL_STANDBYj
		sub	eax, 66666666h
		db	66h, 66h, 66h, 66h, 66h, 66h, 66h, 66h
		add	[eax], al
; 
		dw 0
; 

_WNF_CI_BLOCKED_DRIVER:			; DATA XREF: PiNotifyCiDriverBlocked(x,x)+6Do
		jnz	short near ptr loc_425459+5
		mov	esp, 0C6072EA3h
		inc	ecx

_WNF_PS_WAKE_CHARGE_RESOURCE_POLICY:	; DATA XREF: PspEnforceLimits+17AE5Co
					; PspSendNoWakeChargeLimitNotification(x)+63o
		jnz	short near ptr _WNF_PNPA_HARDWAREPROFILES_CHANGED_SESSION+2
		mov	esp, 0C61D3DA3h
		inc	ecx

_WNF_PNPA_HARDWAREPROFILES_CHANGED_SESSION:
					; CODE XREF: .text:_WNF_PS_WAKE_CHARGE_RESOURCE_POLICYj
					; DATA XREF: PiUEventBroadcastHardwareProfilesChangedEvent(x,x)+3Eo
		xor	eax, 3DA3BC30h

loc_425459:				; CODE XREF: .text:_WNF_CI_BLOCKED_DRIVERj
					; DATA XREF: PopNetInitialize+22EFAo
		add	[esi-43678B00h], dl
		mov	ds:41840B3Eh, eax

_WNF_PNPA_VOLUMES_CHANGED:		; DATA XREF: PiUEventBroadcastVolumesChangedEvent(x)+16o
		jnz	short loc_42547E
		mov	esp, 96003DA3h
		add	[ebp+38h], dh	; DATA XREF: PopBatteryWorker+A0100o
		mov	ebp, 0C6013DA3h
		inc	ecx
; 
		dd 0
; 

_PPM_ETW_INTERRUPT_STEERING_PROC_RUNDOWN: ; DATA XREF: KiIntSteerLogProc:loc_5393C1o
		pop	es
; 
		db 3 dup(0)
		db 4, 0
; 

loc_42547E:				; CODE XREF: .text:_WNF_PNPA_VOLUMES_CHANGEDj
		pop	es
		add	[ecx], al
; 
		db 3 dup(0)
		align 8

_PPM_ETW_INTERRUPT_STEERING_MASK_RUNDOWN: ; DATA XREF: KiIntSteerLogMask:loc_539400o
					; PnpDiagRundownForEachDevice(x,x)+AAo	...
		add	[eax], eax
; 
		dw 0
		dd 10004h, 1, 0
; 

_PPM_ETW_PERF_DOMAIN_RUNDOWN:		; DATA XREF: PpmEventTraceProcessorPerformanceDomainRundown(x)+22o
					; PpmEventTraceProcessorPerformanceDomainRundown(x)+FBo
		xchg	eax, ebp
; 
		db 3 dup(0)
		dd 7E0004h, 83h, 0
; 

_PPM_ETW_SOFT_PARK_STATE_CHANGE:	; DATA XREF: PpmEventCoreParkingSoftParkedStateChange(x,x)+33o
					; PpmEventCoreParkingSoftParkedStateChange(x,x)+7Fo
		mov	al, [eax]
; 
		dw 0
		dd 740004h, 3, 0
; 

_PPM_ETW_SOFT_PARKING_SELECTION:	; DATA XREF: PpmEventTraceSoftCoreParkingSelection(x,x,x,x,x,x,x,x,x,x)+39o
					; PpmEventTraceSoftCoreParkingSelection(x,x,x,x,x,x,x,x,x,x)+1B9o
		mov	[eax], eax
; 
		dw 0
		dd 730005h, 20h, 0
; 

_PPM_ETW_PARK_NODE_PARK_HINT_CHANGE:	; DATA XREF: PpmEventParkNodeParkHintChanged(x,x,x)+2Ao
		test	[eax], al
; 
		dw 0
		dd 6E0005h, 2, 0
; 

_PPM_ETW_PARK_NODE_CLASS_STATS:		; DATA XREF: PpmEventParkNodeClassRecordedStats(x,x,x,x,x)+34o
					; PpmEventParkNodeClassRecordedStats(x,x,x,x,x)+94o
		add	dword ptr [eax], 0
		add	ds:2006D00h, al
; 
		db 3 dup(0)
		align 8

_PPM_ETW_HGS_UPDATE:			; DATA XREF: PpmEventHgsUpdate()+11o
		add	byte ptr [eax],	0
		add	[eax+eax], al
		insb
		add	[edx], al
; 
		db 3 dup(0)
		align 8

_PPM_ETW_QOS_SUPPORT_RUNDOWN:		; DATA XREF: PpmEventQosSupport+13o
		jle	short $+2
; 
		dw 0
		dd offset loc_680000+4
		dd 82h,	0
; 

_PPM_ETW_AUTONOMOUS_MODE_CHANGE:	; DATA XREF: PpmEventAutonomousModeChange(x,x)+58o
					; PpmEventAutonomousModeChange(x,x)+78o
		jns	short $+2
; 
		dw 0
		dd offset loc_630003+1
		dd 2, 0
; 

_PPM_ETW_HETEROGENEOUS_POLICIES_RUNDOWN: ; DATA	XREF: PpmEventHeteroPolicy+16o
		js	short $+2
; 
		dw 0
		dd offset loc_620004
		dd 2, 0
; 

_PPM_ETW_PLATFORM_PRE_VETO_ACCOUNTING_RUNDOWN:
					; DATA XREF: PpmEventPlatformVetoRundown()+4Eo
		jz	short $+2
; 
		dw 0
		dd offset loc_5E0004+1
		dd 2, 0
; 

_PPM_ETW_PROCESSOR_PRE_VETO_ACCOUNTING_RUNDOWN:
					; DATA XREF: PpmEventProcessorVetoRundown(x)+58o
		jnb	short $+2
; 
		dw 0
		dd offset loc_5D0002+3
		dd 2, 0
; 

_PPM_ETW_IDLE_DURATION_EXPIRATION:	; DATA XREF: PpmEventIdleDurationExpiration(x)+22o
					; PpmEventIdleDurationExpiration(x)+E9o
		outsb
; 
		db 3 dup(0)
		dd offset loc_580004
		dd 2, 0
; 

_PPM_ETW_PROCESSOR_PROFILE_DISABLED:	; DATA XREF: PpmEventTraceProfileEnable:loc_8ABFF1o
		insd
; 
		db 3 dup(0)
		dd offset loc_570003+1
		dd 60h,	0
; 

_PPM_ETW_PROCESSOR_PROFILE_STATUS_RUNDOWN:
					; DATA XREF: PpmEventTracePpmProfileStatusRundown()+23o
		imul	eax, [eax], 0
		add	[eax+eax], al
		push	ebp
		add	[eax+eax+0], ah
; 
		db 0
		align 8

_PPM_ETW_PROCESSOR_PROFILE_SETTING_RUNDOWN:
					; DATA XREF: PpmEventTraceProfileSetting:loc_8ABA35o
					; PpmEventTraceProfileSetting+88E25o ...
		push	0
; 
		dw 0
		dd offset loc_540004
		dd 64h,	0
; 

_PPM_ETW_PROCESSOR_PROFILE_CHANGE:	; DATA XREF: PpmEventTraceProfileChange(x,x)+2Fo
					; PpmEventTraceProfileChange(x,x)+63o
		push	4000000h
		add	[edx+0], dl
		pusha
; 
		db 3 dup(0)
		align 8

_PPM_ETW_PROCESSOR_PROFILE_RUNDOWN:	; DATA XREF: PpmEventTraceProfiles:loc_9344EFo
					; PpmEventTraceProfiles+88E87o
		add	[bx+si], al
		add	[eax+eax], al
		push	ecx
		add	[eax+eax+0], ah
; 
		db 0
		align 8

_PPM_ETW_PROCESSOR_PROFILE_REGISTERED:	; DATA XREF: PpmEventTraceProfiles+88CEEo
					; PpmEventTraceProfiles:loc_934688o
		db	66h
		add	[eax], al
		add	[eax+eax], al
		push	eax
		add	[eax+0], ah
; 
		dw 0
		align 8

_PPM_ETW_HETERO_DISTRIBUTE_UTILITY:	; DATA XREF: PpmEventTraceHeteroDistributeUtility(x,x,x)+2Fo
					; PpmEventTraceHeteroDistributeUtility(x,x,x)+71o
		add	gs:[eax], al
		add	ds:20004F00h, al
; 
		db 3 dup(0)
		align 8

_PPM_ETW_HETERO_RESPONSE:		; DATA XREF: PpmEventTraceHeteroResponse(x,x,x,x,x,x,x)+35o
					; PpmEventTraceHeteroResponse(x,x,x,x,x,x,x)+128o
		arpl	[eax], ax
; 
		dw 0
		dd offset loc_4E0004+1
		dd 20h,	0
; 

_PPM_ETW_COORDINATED_IDLE_RUNDOWN:	; DATA XREF: PpmEventTraceCoordinatedIdleStates()+15o
					; PpmEventTraceCoordinatedIdleStates()+10Fo
		bound	eax, [eax]
; 
		dw 0
		dd offset loc_4D0003+1
		dd 2, 0
; 

_PPM_ETW_VETO_NAME_RUNDOWN:		; DATA XREF: PpmEventVetoReasonRundown()+26o
		pop	ebx
; 
		db 3 dup(0)
		dd offset loc_460004
		dd 2, 0
; 

_PPM_ETW_STATIC_POLICY_RUNDOWN:		; DATA XREF: PpmEventStaticPolicyRundown()+2Ao
		pop	ecx
		add	[ecx], al
		add	[eax+eax], al
		inc	esp
		add	[edx], al
; 
		db 3 dup(0)
		align 8

_PPM_ETW_PROCESSOR_IDLE_VETO_RUNDOWN:	; DATA XREF: PpmEventProcessorVetoRundown(x)+99o
					; PpmEventProcessorVetoRundown(x)+150o
		pop	eax
; 
		db 3 dup(0)
		dd offset a20_pri7	; "20_pri7"
		dd 2, 0
; 

_PPM_ETW_PLATFORM_IDLE_VETO_RUNDOWN:	; DATA XREF: PpmEventPlatformVetoRundown()+77o
					; PpmEventPlatformVetoRundown()+FFo
		push	edi
; 
		db 3 dup(0)
		dd offset loc_420003+1
		dd 2, 0
; 

_PPM_ETW_PROCESSOR_IDLE_VETO_DECREMENT:	; DATA XREF: PpmEventProcessorVetoRequest(x,x,x,x)+1Ao
		push	esi
; 
		db 3 dup(0)
		dd offset loc_410004
		dd 2, 0
; 

_PPM_ETW_PROCESSOR_IDLE_VETO_INCREMENT:	; DATA XREF: PpmEventProcessorVetoRequest(x,x,x,x)+24o
		push	ebp
; 
		db 3 dup(0)
		dd 400004h, 2, 0
; 

_PPM_ETW_PLATFORM_IDLE_VETO_DECREMENT:	; DATA XREF: PpmEventPlatformVetoRequest(x,x,x)+1Ao
		push	esp
; 
		db 3 dup(0)
		dd 3F0004h, 2, 0
; 

_PPM_ETW_PLATFORM_IDLE_VETO_INCREMENT:	; DATA XREF: PpmEventPlatformVetoRequest(x,x,x)+24o
		push	ebx
; 
		db 3 dup(0)
		dd 3E0004h, 2, 0
; 

_PPM_ETW_ACCOUNTING_BUCKET_INTERVALS_RUNDOWN:
					; DATA XREF: PpmEventTraceAccountingBucketIntervalsRundown()+23o
		push	edx
; 
		db 3 dup(0)
		dd 3D0004h, 10h, 0
; 

_PPM_ETW_DRIPS_ACCOUNTING_SNAPSHOT:	; DATA XREF: PpmEventTraceDripsAccountingSnapshot(x,x)+37o
					; PpmEventTraceDripsAccountingSnapshot(x,x)+66o
		push	ecx
		add	[ecx], al
		add	[eax+eax], al
		cmp	al, 0
		adc	[eax], al
; 
		dw 0
		align 8

_PPM_ETW_PLATFORM_PARKING_PREFERENCE:	; DATA XREF: PpmEventParkNodePreference(x,x,x,x,x,x,x)+2Eo
		dec	ecx
; 
		db 3 dup(0)
		dd 340004h, 2, 0
; 

_PPM_ETW_PLATFORM_IDLE_ACCOUNTING_RUNDOWN:
					; DATA XREF: PpmEventTracePlatformIdleAccounting()+31o
					; PpmEventTracePlatformIdleAccounting()+20Co
		dec	eax
		add	[ecx], al
		add	[eax+eax], al
		xor	eax, [eax]
		add	al, [eax]
; 
		dw 0
		align 8

_PPM_ETW_CURRENT_IDLE_RUNDOWN:		; DATA XREF: PpmEventTraceProcessorIdle(x)+1Bo
					; PpmEventTraceProcessorIdle(x)+19Do
		inc	ebx
		add	[ecx], al
		add	[eax+eax], al
		xor	[eax], al
		add	al, [eax]
; 
		dw 0
		align 8

_PPM_ETW_PARK_NODE_CAP_CHANGE:		; DATA XREF: PpmEventParkNodeCapChange(x,x,x,x)+30o
					; PpmEventParkNodeCapChange(x,x,x,x)+77o
		inc	edx
		add	[ecx], al
		add	[eax+eax], al
		add	cs:[edx], al
; 
		db 3 dup(0)
		align 8

_PPM_ETW_PARK_NODE_RUNDOWN:		; DATA XREF: PpmEventTraceParkNodeRundown(x)+22o
					; PpmEventTraceParkNodeRundown(x)+BCo
		inc	ecx
		add	[ebx], al
		add	[eax+eax], al
		sub	eax, 200h
; 
		db 0
		align 8

_PPM_ETW_CURRENT_PERF_RUNDOWN:		; DATA XREF: PpmEventTraceProcessorPerformance(x)+31o
					; PpmEventTraceProcessorPerformance(x)+393o
		inc	eax
		add	[eax], cl
		add	[eax+eax], al
		sub	al, 0
		add	byte ptr [eax],	0
; 
		db 0
		align 8

_PPM_ETW_LPI_RUNDOWN:			; DATA XREF: PpmEventTraceLPIState()+23o
		xor	eax, [eax]
; 
		dw 0
		dd 240004h, 0Ah, 0
; 

_PPM_ETW_LPI_CORE_PARK:			; DATA XREF: PpmEventLPICoreParking(x,x)+2Eo
		xor	al, [eax]
; 
		dw 0
		dd 230004h, 0Ah, 0
; 

_PPM_ETW_PERF_CHECK_MAKEUP:		; DATA XREF: PpmEventTraceMakeupPerfCheck()+11o
		xor	[eax], eax
; 
		dw 0
		dd 0B2105h, 2, 0
; 

_PPM_ETW_THERMAL_CAP_CHANGE:		; DATA XREF: PpmEventThermalCapChange(x,x)+D7o
					; PpmEventThermalCapChange(x,x)+FBo
		xor	[eax], al
; 
		dw 0
		dd 220004h, 2, 0
; 

_PPM_ETW_BIOS_CAP_CHANGE:		; DATA XREF: PpmEventBiosCapChange(x,x)+58o
					; PpmEventBiosCapChange(x,x)+78o
		das
; 
		db 3 dup(0)
		dd 210004h, 2, 0
; 

_PPM_ETW_IDLE_ACCOUNTING_RUNDOWN:	; DATA XREF: PpmEventTraceProcessorIdleAccounting(x,x,x)+39o
					; PpmEventTraceProcessorIdleAccounting(x,x,x)+24Co
		adc	eax, [eax]
		add	al, [eax]
		add	al, 0
		adc	[eax], eax
		push	es
; 
		db 3 dup(0)
		align 8

_PPM_ETW_UNPARK_CORE:			; DATA XREF: PpmEventCoreParkingStateChange(x,x)+2Co
					; PpmEventCoreParkingStateChange(x,x)+5Eo
		sldt	word ptr [eax]
		add	[eax+eax], al
		sldt	word ptr [ebx]
; 
		db 3 dup(0)
		align 8

_PPM_ETW_PARK_CORE:			; DATA XREF: PpmEventCoreParkingStateChangeEx(x,x)+33o
					; PpmEventCoreParkingStateChangeEx(x,x)+7Fo
		push	cs
		add	[ecx], al
		add	[eax+eax], al
		push	cs
		add	[ebx], al
; 
		db 3 dup(0)
		align 8

_POP_ETW_EVENT_POWER_AGGREGATOR_PDC_SLEEP_TRANSITION:
					; DATA XREF: PopPowerAggregatorDiagTracePdcSleepTransition(x,x,x,x,x)+6Eo
		xor	al, 2
		add	[eax], dl
		add	al, 0
		or	al, [ecx]
		add	al, 80h
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_DIRECTED_DRIPS_ERROR_RECORD:
					; DATA XREF: PopDirectedDripsDiagRundownBroadcastTrees()+340o
					; PopDirectedDripsDiagRundownBroadcastTrees()+3CBo
		sub	al, 2
		add	[eax], dl
		add	al, 0
		add	al, [ecx]
		add	al, 0
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_DIRECTED_DRIPS_DEVICE_STATS:
					; DATA XREF: PopDirectedDripsDiagRundownDevices()+4B0o
					; PopDirectedDripsDiagRundownDevices()+670o
		sub	al, [edx]
		add	[eax], dl
		add	al, 0
		add	[ecx], al
		add	al, 0
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_DIRECTED_FX_POWER_STATE_FAILURE:
					; DATA XREF: PopDirectedDripsDiagTraceDfxPowerStateFailure(x)+33o
					; PopDirectedDripsDiagTraceDfxPowerStateFailure(x)+99o
		sub	[edx], eax
		add	[eax], dl
		add	al, 0
		inc	dword ptr [eax]
		add	al, 0
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_SYSTEM_IDLE_CONTEXT_UPDATE:
					; DATA XREF: PopDiagTraceSystemIdleContextUpdate(x,x,x,x,x)+2Do
		sub	[edx], al
		add	[eax], dl
		add	al, 0
		inc	byte ptr [eax]
		add	al, 0
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_SYSTEM_IDLE_EVENT_ASSESSMENT:
					; DATA XREF: PopDiagTraceSystemIdleEventAssessment(x,x,x,x,x)+2Do
		add	al, es:[eax]
		adc	[eax+eax], al
		cld
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_SYSTEM_IDLE_ASSESSMENT:	; DATA XREF: PopDiagTraceSystemIdleAssessment(x,x,x)+29o
		and	eax, 4100002h
		add	bl, bh
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_DIRECTED_POWER_TRANSITION_END:
					; DATA XREF: PopDiagTraceFxDeviceDirectedCompletion(x,x)+3Eo
					; PopDiagTraceFxDeviceDirectedCompletion(x,x)+7Bo
		and	al, 2
		add	[eax], edx
		add	al, 0
		clc
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_DIRECTED_POWER_TRANSITION_START:
					; DATA XREF: PopDiagTraceFxDeviceDirectedTransition(x,x)+3Eo
					; PopDiagTraceFxDeviceDirectedTransition(x,x)+6Co
		and	eax, [edx]
		add	[eax], dl
		add	al, 0
		test	dword ptr [eax], 4
; 
		dd 40000000h
; 

_POP_ETW_EVENT_DIRECTED_DRIPS_PROBLEM_DEVICE:
					; DATA XREF: PopDirectedDripsDiagTraceProblemDevice(x,x,x)+7Eo
					; PopDirectedDripsDiagTraceProblemDevice(x,x,x)+ACo
		and	al, [edx]
		add	[eax], dl
		add	al, 0
		test	byte ptr [eax],	4
; 
		db 3 dup(0)
		dd 40000000h
; 

_POP_ETW_EVENT_DIRECTED_DRIPS_DEVICE_VISIT:
					; DATA XREF: PopDirectedDripsDiagTraceBroadcastVisit(x,x,x)+90o
					; PopDirectedDripsDiagTraceBroadcastVisit(x,x,x)+11Bo
		and	[edx], eax
		add	[eax], edx
		add	al, 0
		cmc
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_DRIPS_WAKE_ACCOUNTING_SUMMARY:
					; DATA XREF: PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+529o
					; PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+6EAo
		pop	ds
		add	al, [ecx]
		adc	[eax+eax], al
		repne add [edx+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_SIDLE_UPDATE_NOTIFICATION_WORKER:
					; DATA XREF: PopDiagTraceSystemIdleAction(x,x,x)+2Fo
					; PopDiagTraceSystemIdleAction(x,x,x)+63o
		sbb	eax, 4100102h
		add	al, dh
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_DIRECTED_DRIPS_NOTIFY_DEVICES:
					; DATA XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+338o
					; PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+378o
		sbb	eax, [edx]
		add	[eax], edx
		add	al, 0
		out	dx, al
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_DIRECTED_DRIPS_NOTIFY_APPS_SERVICES:
					; DATA XREF: PopDiagTraceDirectedDripsNotifyAppsAndServices(x,x,x,x)+34o
					; PopDiagTraceDirectedDripsNotifyAppsAndServices(x,x,x,x)+7Fo
		sbb	al, [edx]
		add	[eax], edx
		add	al, 0
		in	eax, dx
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_DIRECTED_DRIPS_MARK_DEVICE:
					; DATA XREF: PopDirectedDripsDiagTraceMarkDevice(x)+54o
					; PopDirectedDripsDiagTraceMarkDevice(x)+7Do
		sbb	[edx], eax
		add	[eax], dl
		add	al, 0
		in	al, dx
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h

;  S U B	R O U T	I N E 


_POP_ETW_EVENT_DIRECTED_DRIPS_ENGAGED proc near
					; DATA XREF: PopDiagTraceDirectedDripsInitialization+8786Do
		pop	ss
		add	al, [ecx]
		adc	[eax+eax], al
		jmp	far ptr	0:400h
_POP_ETW_EVENT_DIRECTED_DRIPS_ENGAGED endp

; 
		db 2 dup(0), 40h
; 

_POP_ETW_EVENT_POWER_STATE:		; DATA XREF: PopDiagTracePowerStateEvent(x,x)+29o
		adc	[edx], al
		add	[eax], dl
		add	al, 0
		jecxz	short $+2
		add	al, 0
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_NET_REFRESH_TIMER_DISARMED:
					; DATA XREF: PopTraceNetRefreshTimerDisarmed()+11o
		push	cs
		add	al, [eax]
		adc	[eax+eax], al
		loope	$+2
		add	al, 0
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_NET_REFRESH_TIMER_ARMED:	; DATA XREF: PopTraceNetRefreshTimerArmed(x,x)+29o
					; PopTraceNetRefreshTimerArmed(x,x)+5Ao
		or	eax, 4100002h
		add	al, ah
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_BATTERY_TRIGGER_MET:	; DATA XREF: PopDiagTraceBatteryTriggerMet(x,x,x)+FFo
					; PopDiagTraceBatteryTriggerMet(x,x,x)+191o
		or	al, 2
		add	[eax], cl
		add	al, 0
		fild	word ptr [eax]
		add	al, 4
; 
		dw 0
		dd 80000000h
; 

_POP_ETW_EVENT_CS_DRIPS_DIVERGENCE:	; DATA XREF: PopDiagTraceCsDripsDivergence(x,x,x,x,x,x)+34o
					; PopDiagTraceCsDripsDivergence(x,x,x,x,x,x)+71o
		or	al, [edx]
		add	[eax], dl
		add	al, 0
		fiadd	word ptr [eax]
		add	al, 4
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_BATTERY_COUNT_CHANGE:	; DATA XREF: PopDiagTraceBatteryCountChange(x,x,x)+29o
		or	[edx], eax
		add	[eax], cl
		add	al, 0
		fadd	qword ptr [eax]
		add	al, 4
; 
		dw 0
		dd 80000000h
; 

_POP_ETW_EVENT_BASIC_BRIGHTNESS_ENGINE_OFF: ; DATA XREF: PopPowerInformationInternal+1714D9o
		or	[edx], al
		add	[eax], cl
		add	al, 0
		fiadd	dword ptr [eax]
		add	al, 4
; 
		dw 0
		dd 80004000h
; 

_POP_ETW_EVENT_IOSHUTDOWN_FILE_SYSTEMS_STOP: ; DATA XREF: PopGracefulShutdown(x)+1D5o
		pop	es
		add	al, [eax]
		adc	[edx+eax], al
		rol	dword ptr [eax], 1
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_IOSHUTDOWN_FILE_SYSTEMS_START: ;	DATA XREF: PopGracefulShutdown(x)+1C3o
		push	es
		add	al, [eax]
		adc	[ecx+eax], al
		rol	dword ptr [eax], 1
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_DEVICE_ACCOUNTING:	; DATA XREF: PopDiagTraceFxDeviceAccounting(x,x,x,x,x,x)+79o
					; PopDiagTraceFxDeviceAccounting(x,x,x,x,x,x)+C4o
		add	eax, 4100102h
		add	[ebx+20000h], ch
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_SPM_SCENARIO_STOP:	; DATA XREF: PopDiagTraceSleepStudyStop()+30o
					; PopDiagTraceSleepStudyStop()+3B9o
		add	al, 2
		or	[eax], edx
		add	al, 0
		cmpsd
; 
		db 0
		dd 200h, 40000000h
; 

_POP_ETW_EVENT_SPM_SCENARIO_START:	; DATA XREF: PopDiagTraceSleepStudyStart()+32o
		add	eax, [edx]
		add	edx, [eax]
		add	al, 0
		cmpsb
; 
		db 0
		dd 200h, 40000000h
; 

_POP_ETW_EVENT_COMPONENT_ACCOUNTING:	; DATA XREF: PopDiagTraceFxComponentAccounting(x,x,x,x,x,x,x)+79o
					; PopDiagTraceFxComponentAccounting(x,x,x,x,x,x,x)+CEo
		add	al, [edx]
		add	[eax], edx
		add	al, 0
		movsd
; 
		db 0
		dd 200h, 40000000h
; 

_POP_ETW_EVENT_DYNAMIC_TICK_DISABLED:	; DATA XREF: PoTraceDynamicTickDisabled()+2Co
		cld
		add	[eax], eax
		or	[eax+eax], al
		lahf
		add	[esp+eax], al
; 
		dw 0
		dd 80000000h
; 

_POP_ETW_EVENT_CS_EXIT_REASON:		; DATA XREF: PopDiagTraceCsExitReason(x,x,x)+2A3o
					; PopDiagTraceCsExitReason(x,x,x)+E78o
		sti
		add	[ecx], ecx
		or	[eax+eax], al
		sahf
		add	[esi+eax], al
; 
		dw 0
		dd 80000000h
; 

_POP_ETW_EVENT_CS_ENTER_REASON:		; DATA XREF: PopDiagTraceCsEnterReason(x,x,x)+8Co
					; PopDiagTraceCsEnterReason(x,x,x)+F7o
		cli
		add	[ebx], eax
		or	[eax+eax], al
		popf
		add	[esp+eax], al
; 
		dw 0
		dd 80000000h
; 

_POP_ETW_IO_COALESCING_DSK_IDLE:	; DATA XREF: PopDiagTraceIoCoalescingDiskIdle(x)+26o
		test	dword ptr [ecx], 41000h
		add	dword ptr [eax], 4
; 
		db 3 dup(0)
		dd 40000000h
; 

_POP_ETW_IO_COALESCING_FLUSH:		; DATA XREF: PopDiagTraceIoCoalescingFlush()+Eo
		test	byte ptr [ecx],	0
		adc	[eax+eax], al
		add	byte ptr [eax],	4
; 
		db 3 dup(0)
		dd 40000000h
; 

_POP_ETW_IO_COALESCING_OFF:		; DATA XREF: PopDiagTraceIoCoalescingOff()+Eo
		cmc
		add	[eax], eax
		adc	[eax+eax], al
		add	dword ptr [eax], 4
; 
		dd 40000000h
; 

_POP_ETW_IO_COALESCING_ON:		; DATA XREF: PopDiagTraceIoCoalescingOn(x,x,x,x)+52o
		hlt
		add	[eax], eax
		adc	[eax+eax], al
		add	byte ptr [eax],	4
; 
		db 3 dup(0)
		dd 40000000h
; 

_POP_ETW_ADPM_SESSION_UNLOCKED:		; DATA XREF: PopSessionWinlogonNotification(x,x)+26o
		xchg	eax, edi
		add	[eax], eax
		adc	[eax+eax], al
		jz	short $+2
		add	al, 4
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_ADPM_SESSION_LOCKED:		; DATA XREF: PopSessionWinlogonNotification(x,x)+1Do
		xchg	eax, esi
		add	[eax], eax
		adc	[eax+eax], al
		jnb	short $+2
		add	al, 4
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_DEBUGGER_TRANSITION_REQUIREMENTS:
					; DATA XREF: PopDiagTraceDebuggerTransitionRequirements(x,x,x)+2Fo
					; PopDiagTraceDebuggerTransitionRequirements(x,x,x)+63o
		dec	ecx
		add	[eax], eax
		add	[eax+eax], al
		mov	eax, 10000h
; 
		db 0
		align 8

_POP_ETW_EVENT_COMPONENT_PERFORMANCE_STATE_NOMINAL_CHANGE:
					; DATA XREF: PopDiagTraceFxPerfNominalChange(x,x,x,x,x)+37o
					; PopDiagTraceFxPerfNominalChange(x,x,x,x,x)+D6o
		dec	eax
		add	[eax], eax
		add	[eax+eax], al
		mov	bh, 0
		add	[ecx], al
; 
		dw 0
		align 8

_POP_ETW_EVENT_COMPONENT_PERFORMANCE_STATE_COMPLETED:
					; DATA XREF: PopDiagTraceFxPerfRequestComplete(x,x)+2Fo
					; PopDiagTraceFxPerfRequestComplete(x,x)+73o
		inc	edi
		add	[eax], eax
		add	[eax+eax], al
		mov	bh, 0
		add	[ecx], al
; 
		dw 0
		align 8

_POP_ETW_EVENT_COMPONENT_PERFORMANCE_STATE_PROCESSING:
					; DATA XREF: PopDiagTraceFxPerfRequestProgress(x,x)+2Fo
					; PopDiagTraceFxPerfRequestProgress(x,x)+65o
		inc	esi
		add	[eax], eax
		add	[eax+eax], al
		mov	bh, 0
		add	[ecx], al
; 
		dw 0
		align 8

_POP_ETW_EVENT_COMPONENT_PERFORMANCE_STATE_INITIATING:
					; DATA XREF: PopDiagTraceFxPerfRequest(x,x,x)+3Ao
					; PopDiagTraceFxPerfRequest(x,x,x)+B9o
		inc	ebp
		add	[eax], eax
		add	[eax+eax], al
		mov	bh, 0
		add	[ecx], al
; 
		dw 0
		align 8

_POP_ETW_EVENT_PERFORMANCE_STATE_SET_REGISTRATION_RUNDOWN:
					; DATA XREF: PopFxTracePerfRegistration(x,x)+75o
		inc	esp
		add	[eax], eax
		add	[eax+eax], al
		mov	dh, 0
		add	[ecx], al
; 
		dw 0
		align 8

_POP_ETW_EVENT_PERFORMANCE_STATE_SET_REGISTRATION:
					; DATA XREF: PopFxTracePerfRegistration(x,x)+7Eo
		inc	ebx
		add	[eax], eax
		add	[eax+eax], al
		mov	ch, 0
		add	[ecx], al
; 
		dw 0
		align 8

_POP_ETW_EVENT_PERFORMANCE_STATE_REGISTRATION_RUNDOWN:
					; DATA XREF: PopFxTracePerfRegistration(x,x)+16o
		inc	edx
		add	[eax], eax
		add	[eax+eax], al
		mov	ah, 0
		add	[ecx], al
; 
		dw 0
		align 8

_POP_ETW_EVENT_PERFORMANCE_STATE_REGISTRATION:
					; DATA XREF: PopFxTracePerfRegistration(x,x)+1Fo
		inc	ecx
		add	[eax], eax
		add	[eax+eax], al
		mov	bl, 0
		add	[ecx], al
; 
		dw 0
		align 8

_POP_ETW_EVENT_COMPONENT_IDLE_CONSTRAINTS:
					; DATA XREF: PopDiagTraceFxComponentIdleConstraints(x,x,x,x)+29o
		aas
		add	[eax], eax
		add	[eax+eax], al
		test	eax, 10000h
; 
		db 0
		align 8

_POP_ETW_EVENT_DEVICE_IDLE_CONSTRAINTS:	; DATA XREF: PopDiagTraceFxDeviceIdleConstraints(x,x,x)+2Fo
					; PopDiagTraceFxDeviceIdleConstraints(x,x,x)+66o
		db	3Eh
		add	[eax], eax
		add	[eax+eax], al
		test	al, 0
		add	[ecx], al
; 
		dw 0
		align 8

_POP_ETW_EVENT_COMPONENT_WAKE:		; DATA XREF: PopDiagTraceFxComponentWake(x,x,x)+44o
					; PopDiagTraceFxComponentWake(x,x,x)+78o
		cmp	al, 1
; 
		dw 0
		dd 940004h, 100h, 0
; 

_POP_ETW_EVENT_COMPONENT_RESIDENCY:	; DATA XREF: PoFxSetComponentResidency+7E079o
					; PoFxSetComponentResidency+7E0C1o
		cmp	eax, [ecx]
; 
		dw 0
		dd 930004h, 100h, 0
; 

_POP_ETW_EVENT_COMPONENT_LATENCY:	; DATA XREF: PoFxSetComponentLatency+85224o
					; PoFxSetComponentLatency+8526Co
		cmp	al, [ecx]
; 
		dw 0
		dd 920004h, 100h, 0
; 

_POP_ETW_EVENT_COMPONENT_REGISTRATION_RUNDOWN:
					; DATA XREF: PopFxTraceDeviceRegistration+E6057o
		aaa
		add	[ecx], eax
		add	[eax+eax], al
		pop	dword ptr [eax]
		add	[ecx], al
; 
		dw 0
		align 8

_POP_ETW_EVENT_COMPONENT_REGISTRATION:	; DATA XREF: PopFxTraceDeviceRegistration+E605Eo
		add	ss:[ecx], eax
		add	[eax+eax], al
		mov	es, word ptr [eax]
		add	[ecx], al
; 
		dw 0
		align 8

_POP_ETW_EVENT_DEVICE_UNREGISTRATION:	; DATA XREF: PopDiagTraceFxDeviceUnregistration(x)+39o
					; PopDiagTraceFxDeviceUnregistration(x)+59o
		xor	[ecx], eax
; 
		dw 0
		dd 890004h, 100h, 0
; 

_POP_ETW_EVENT_DEVICE_PREPARATION:	; DATA XREF: PopDiagTraceFxDevicePreparation(x,x,x,x)+33o
					; PopDiagTraceFxDevicePreparation(x,x,x,x)+A8o
		add	cs:[eax], eax
		add	[eax+eax], al
		xchg	al, [eax]
		add	[ecx], al
; 
		dw 0
		align 8

_POP_ETW_EVENT_PLUGIN_REGISTRATION_RUNDOWN:
					; DATA XREF: PopDiagTraceFxPluginRegistration(x,x,x,x)+16o
		sub	eax, 4000001h
		add	[ebp+10000h], al
; 
		db 0
		align 8

_POP_ETW_EVENT_PLUGIN_REGISTRATION:	; DATA XREF: PopDiagTraceFxPluginRegistration(x,x,x,x)+1Fo
		sub	al, 1
; 
		dw 0
		dd 840004h, 100h, 0
; 

_PopSqm_Add_StreamRow:			; DATA XREF: PopSqmAddToStream(x,x,x,x)+187o
		rol	byte ptr [eax],	1
; 
		dw 0
		dd 4, 0
		dd 80000h
; 

_POP_ETW_EVENT_IRPPENDED:		; DATA XREF: PopDiagTraceIrpPended(x)+26o
		mov	edx, 4100000h
		and	al, 27h
		add	[eax], cl
; 
		db 3 dup(0)
		dd 40000000h
; 

_POP_ETW_DEEP_SLEEP_IR_TIMER_DATA:	; DATA XREF: PoDiagTraceIRTimerSleepStudyRundown(x,x,x)+30o
		mov	eax, 4100000h
		add	bl, bl
; 
		db 0
		dd 200h, 40000000h
; 

_POP_ETW_FORCEIDLE_RESET:		; DATA XREF: PoTraceForceIdleReset(x)+78o
					; PoTraceForceIdleReset(x)+98o
		mov	ah, 0
		add	[eax], dl
		add	al, 0
		setalc
		add	[eax+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_FORCEIDLE_STATE_CHANGE:	; DATA XREF: PoTraceForceIdleStateChange(x,x)+29o
		mov	bl, 0
		add	[eax], dl
		add	al, 0
		aad	0
		add	al, 0
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_BACKGROUND_ACTIVITY_POLICY_UPDATE:
					; DATA XREF: PopTraceEsBgActivityPolicyUpdate(x,x)+B5o
					; PopTraceEsBgActivityPolicyUpdate(x,x)+E4o
		mov	dl, 0
		add	[eax], dl
		add	al, 0
		rol	byte ptr [eax],	1
		add	al, 4
; 
		dw 0
		dd 40000000h

;  S U B	R O U T	I N E 


_POP_ETW_EVENT_CS_COMPLIANCE_UPDATE proc near
					; DATA XREF: PopDiagTraceDeviceComplianceUpdate(x,x)+29o
		mov	cl, 0
		add	[eax], dl
		add	al, 0
		iret
_POP_ETW_EVENT_CS_COMPLIANCE_UPDATE endp

; 
		align 10h
		dd 4, 40000000h

;  S U B	R O U T	I N E 


_POP_ETW_EVENT_CS_DEEP_SLEEP_WATCHDOG proc far
					; DATA XREF: PopDiagTraceCsDeepSleepWatchdog(x,x,x,x,x,x)+2Do
		stosd
		add	[ecx], al
		adc	[eax+eax], al
		retf	400h
_POP_ETW_EVENT_CS_DEEP_SLEEP_WATCHDOG endp

; 
		align 4
		dd 40000000h
; 

_POP_ETW_EVENT_SYSTEM_IDLE_S0_LOW_POWER_DOZE_TIMER_CANCELLED:
					; DATA XREF: PopTraceSystemIdleS0LowPowerDozeTimerCancelled(x)+26o
		stosb
; 
		db 2 dup(0), 10h
		dd 0C90204h, 404h, 40000000h
; 

_POP_ETW_EVENT_SYSTEM_IDLE_S0_LOW_POWER_DOZE_TIMER_ARMED:
					; DATA XREF: PopTraceSystemIdleS0LowPowerDozeTimerArmed(x,x,x)+28o
		test	eax, 4100000h
		add	ecx, ecx
		add	[esp+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_SYSTEM_IDLE_S0_LOW_POWER_DOZE:
					; DATA XREF: PopTraceSystemIdleS0LowPowerDoze(x)+23o
		test	al, 0
		add	[eax], dl
		add	al, 0
		leave
		add	[esp+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_THERMAL_ZONE_OVERTHROTTLED_UPDATE:
					; DATA XREF: PopDiagTraceThermalOverthrottleState(x,x)+3o
		mov	ds:4110000h, eax
		add	bh, al
		add	[eax], ah
; 
		db 3 dup(0)
		dd 20000000h
; 

_POP_ETW_EVENT_THERMAL_ZONE_THERMAL_STANDBY_UPDATE:
					; DATA XREF: PopCheckAndHandleThermalConditions+82AE0o
					; PopDiagTraceThermalStandbyState(x,x)+3o
		mov	ds:4110000h, al
		add	dh, al
		add	[eax], ah
; 
		db 3 dup(0)
		dd 20000000h
; 

_POP_ETW_EVENT_CS_DRIPS_WATCHDOG:	; DATA XREF: PopDiagTraceCsDripsWatchdog(x,x,x,x,x,x,x,x,x,x,x)+3Co
					; PopDiagTraceCsDripsWatchdog(x,x,x,x,x,x,x,x,x,x,x)+1C5o
		mov	eax, ds:4100300h
		add	ch, al
		add	[esp+eax], al
; 
		dw 0
		dd 40004000h
; 

_POP_ETW_EVENT_THERMAL_REQUEST_ACTIVE_UPDATE:
					; DATA XREF: PopDiagTraceThermalRequestActiveUpdate(x)+2Co
					; PopDiagTraceThermalRequestActiveUpdate(x)+62o
		mov	al, ds:4110000h
		add	ah, al
		add	[eax], ah
; 
		db 3 dup(0)
		dd 20000000h
; 

_POP_ETW_EVENT_THERMAL_REQUEST_PASSIVE_UPDATE:
					; DATA XREF: PopDiagTraceThermalRequestPassiveUpdate(x)+2Co
					; PopDiagTraceThermalRequestPassiveUpdate(x)+57o
		lahf
; 
		db 2 dup(0), 11h
		dd 0C30004h, 20h, 20000000h
; 

_POP_ETW_EVENT_COOLING_EXTENSION_ACTIVE_UPDATE:
					; DATA XREF: PopDiagTraceCoolingExtensionActiveUpdate(x)+2Co
					; PopDiagTraceCoolingExtensionActiveUpdate(x)+62o
		wait
; 
		db 2 dup(0), 11h
		dd 0BF0004h, 20h, 20000000h
; 

_POP_ETW_EVENT_COOLING_EXTENSION_PASSIVE_UPDATE:
					; DATA XREF: PopDiagTraceCoolingExtensionPassiveUpdate(x)+2Co
					; PopDiagTraceCoolingExtensionPassiveUpdate(x)+57o
		call	far ptr	0BE00h:4110000h
		add	[eax], ah
; 
		db 3 dup(0)
		dd 20000000h
; 

_POP_ETW_EVENT_ENERGY_SAVER_STATE:	; DATA XREF: PopDiagTraceEsState(x,x)+2Bo
		xchg	eax, esp
; 
		db 2 dup(0), 10h
		dd 0B20004h, 809h, 40000000h
; 

_POP_ETW_EVENT_THERMAL_EVENT:		; DATA XREF: PopDiagTraceUsermodeThermalEvent(x)+30o
					; PopDiagTraceUsermodeThermalEvent(x)+76o
		nop
; 
		db 2 dup(0), 11h
		dd 0AF0004h, 20h, 20000000h
; 

_POP_ETW_EVENT_CS_DRIPS_WATCHDOG_PERFTRACK:
					; DATA XREF: PopDiagTraceCsDripsWatchdogPerfTrack(x,x,x,x,x,x,x)+2Ao
					; PopDiagTraceCsDripsWatchdogPerfTrack(x,x,x,x,x,x,x)+D6o
		pop	dword ptr [eax]
		add	[eax], dl
		add	al, 0
		scasb
; 
		db 0
		dd 0
		dd 40010000h
; 

_POP_ETW_EVENT_ABNORMAL_RESET:		; DATA XREF: PopDiagTraceAbnormalReset(x)+26o
		mov	es, word ptr [eax]
		add	[eax], cl
		add	[eax], eax
		lodsd
		add	[edx], al
; 
		db 3 dup(0)
		dd 80000000h
; 

_POP_ETW_EVENT_CS_FAN_PERFTRACK:	; DATA XREF: PopDiagTraceCsFanPerfTrack(x,x)+29o
		lea	eax, [eax]
		add	[eax], dl
		add	al, 0
		lodsb
; 
		db 0
		dd 0
		dd 40010000h
; 

_POP_ETW_EVENT_CS_CONSUMPTION_PERFTRACK: ; DATA	XREF: PopDiagTraceCsConsumption(x)+1A7o
		mov	word ptr [eax],	es
		add	[eax], dl
		add	al, 0
		pushf
; 
		db 0
		dd 0
		dd 40010000h
; 

_POP_ETW_EVENT_THERMAL_DURATION_PERFTRACK:
					; DATA XREF: PopDiagTraceProcessorThrottleDurationPerfTrack(x,x)+3Ao
					; PopDiagTraceThermalZoneThrottleDurationPerfTrack(x,x)+2Bo ...
		mov	eax, [eax]
		add	[eax], dl
		add	al, 0
		wait
; 
		db 0
		dd 0
		dd 40010000h
; 

_POP_ETW_EVENT_THERMAL_PERFTRACK:	; DATA XREF: PopDiagTraceProcessorThrottlePerfTrack(x,x)+3Do
					; PopDiagTraceThermalZoneThrottlePerfTrack(x,x,x)+2Fo ...
		mov	al, [eax]
		add	[eax], dl
		add	al, 0
		call	far ptr	0:0
		add	[ecx], al
		inc	eax

_POP_ETW_EVENT_MTRR_CHANGED:		; DATA XREF: PopDiagTraceMtrrError()+23o
		mov	[eax], eax
		add	[eax], cl
		add	al, [eax]
; 
		dw 0
		dd 404h, 80000000h
; 

_POP_ETW_EVENT_S3FWSTATS_RESUME:	; DATA XREF: PopDiagTraceFirmwareS3Stats()+101o
		add	dword ptr [eax], 0
		or	[eax+eax], al
		and	[eax], eax
		add	al, 4
; 
		dw 0
		dd 80000000h
; 

_POP_ETW_EVENT_S3FWSTATS_SUSPEND:	; DATA XREF: PopDiagTraceFirmwareS3Stats()+1CCo
		add	byte ptr [eax],	0
		or	[eax+eax], al
		and	[eax], eax
		add	al, 4
; 
		dw 0
		dd 80000000h
; 

_POP_ETW_EVENT_THERMAL_ZONE_ENUMERATED:	; DATA XREF: PopDiagTraceThermalZoneEnumeration+82BD6o
					; PopDiagTraceThermalZoneEnumeration+82D75o
		jge	short $+2
		add	al, 8
		add	al, 0
		push	esi
		add	[eax], ah
; 
		db 3 dup(0)
		dd 80000000h
; 

_POP_ETW_EVENT_PERFTRACK_HYBRID_RESUME:	; DATA XREF: PopDiagTracePerfTrackData+A67B9o
		jl	short $+2
		add	[eax], dl
		add	al, 0
		and	[eax], eax
		or	[eax], ecx
; 
		dw 0
		dd 40010000h
; 

_POP_ETW_EVENT_PERFTRACK_HYBRID_SHUTDOWN: ; DATA XREF: PopDiagTracePerfTrackData+A657Co
		jnp	short $+2
		add	[eax], edx
		add	al, 0
		and	[eax], eax
		or	[eax], ecx
; 
		dw 0
		dd 40010000h
; 

_POP_ETW_EVENT_PERFTRACK_RESUME_FROM_HIBERNATE:
					; DATA XREF: PopDiagTracePerfTrackData+A6A5Ao
		jp	short $+2
		add	[eax], dl
		add	al, 0
		and	[eax], eax
		or	[eax], ecx
; 
		dw 0
		dd 40010000h
; 

_POP_ETW_EVENT_PERFTRACK_STANDBY:	; DATA XREF: PopDiagTracePerfTrackData+A64EEo
		jns	short $+2
		add	[eax], edx
		add	al, 0
		and	[eax], eax
		or	[eax], ecx
; 
		dw 0
		dd 40010000h
; 

_POP_ETW_EVENT_PERFTRACK_HIBERNATE:	; DATA XREF: PopDiagTracePerfTrackData+A67E7o
		js	short $+2
		add	[eax], dl
		add	al, 0
		and	[eax], eax
		or	[eax], ecx
; 
		dw 0
		dd 40010000h
; 

_POP_ETW_IDLE_RESILIENCY_END:		; DATA XREF: PopDiagTraceIdleResiliencyEnd(x,x,x)+3Co
		ja	short $+2
		add	[eax], dl
		add	al, 0
		insb
		add	[esp+eax], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_IDLE_RESILIENCY_START:		; DATA XREF: PopDiagTraceIdleResiliencyStart(x,x,x,x,x)+57o
		jbe	short $+2
		add	[eax], dl
		add	al, 0
		imul	eax, [eax], 4
		add	al, 0
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_ACTIVE_COOLING_OPERATIONAL: ; DATA XREF:	PopDiagTraceActiveCooling+8A961o
					; PopDiagTraceActiveCooling:loc_9329E0o
		jz	short $+2
		add	[edx], dl
		add	al, 0
		push	ecx
		add	[eax], ah
; 
		db 3 dup(0)
		dd 10000000h
; 

_POP_ETW_EVENT_ACTIVE_COOLING_DIAGNOSTIC: ; DATA XREF: PopDiagTraceActiveCooling+8A93Eo
					; PopDiagTraceActiveCooling+8AB17o
		jnb	short $+2
		add	[ecx], dl
		add	al, 0
		push	eax
		add	[eax], ah
; 
		db 3 dup(0)
		dd 20000000h
; 

_POP_ETW_EVENT_PASSIVE_COOLING_OPERATIONAL:
					; DATA XREF: PopDiagTracePassiveCooling(x,x,x,x,x)+78o
					; PopDiagTracePassiveCooling(x,x,x,x,x):loc_9B0714o
		jb	short $+2
		add	[edx], edx
		add	al, 0
		dec	edi
		add	[eax], ah
; 
		db 3 dup(0)
		dd 10000000h
; 

_POP_ETW_EVENT_PASSIVE_COOLING_DIAGNOSTIC:
					; DATA XREF: PopDiagTracePassiveCooling(x,x,x,x,x)+55o
					; PopDiagTracePassiveCooling(x,x,x,x,x)+244o
		jno	short $+2
		add	[ecx], edx
		add	al, 0
		dec	esi
		add	[eax], ah
; 
		db 3 dup(0)
		dd 20000000h
; 

_POP_ETW_EVENT_TIME_RESOLUTION_STACK_RUNDOWN:
					; DATA XREF: PoTraceSystemTimerResolution+18CC6Fo
					; PoTraceSystemTimerResolution+18CE04o
		outsb
; 
		db 2 dup(0), 10h
		dd offset loc_680000+4
		dd 4, 40000000h
; 

_POP_ETW_EVENT_SHUTDOWN_ACTION:		; DATA XREF: PopDiagTraceShutdownAction(x,x,x)+2Fo
					; PopDiagTraceShutdownAction(x,x,x)+63o
		insd
; 
		db 2 dup(0), 8
		dd offset loc_670004
		dd 404h, 80004000h
; 

_POP_ETW_EVENT_ACDC_STATE_CHANGE:	; DATA XREF: PopDiagTraceAcDcStateChange(x,x,x)+2Fo
					; PopDiagTraceAcDcStateChange(x,x,x)+67o
		imul	eax, [eax], 40801h
		add	fs:[esp+eax], al
; 
		dw 0
		dd 80000000h
; 

_POP_ETW_EVENT_KERNEL_STRS:		; DATA XREF: PoTraceSystemTimerResolutionKernel:loc_4FE806o
		bound	eax, [eax]
		add	[eax], edx
		add	al, 0
		pop	edi
		add	[eax+eax*2], al
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_TIME_RESOLUTION_REQUEST_RUNDOWN:
					; DATA XREF: PoTraceSystemTimerResolution:loc_8CADC5o
					; PoTraceSystemTimerResolution+18CDA0o
		popa
; 
		db 2 dup(0), 10h
		dd offset loc_5E0004
		dd 4004h, 40000000h
; 

_POP_ETW_EVENT_ILLEGAL_PROCESSOR_THROTTLE_OPERATIONAL:
					; DATA XREF: PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+55o
					; PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+158o
		pop	ebx
; 
		db 2 dup(0), 12h
		dd offset loc_580002+1
		dd 20h,	10000000h
; 

_POP_ETW_EVENT_ILLEGAL_PROCESSOR_THROTTLE_DIAGNOSTIC:
					; DATA XREF: PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+33o
					; PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+132o
		pop	edx
; 
		db 2 dup(0), 11h
		dd offset loc_570003
		dd 20h,	20000000h
; 

_POP_ETW_EVENT_S4_TRIP_POINT_SYSTEM:	; DATA XREF: PopDiagTraceUsermodeTripPointExceeded(x,x,x,x):loc_9B1773o
					; PopDiagTraceZoneS4TripPointExceeded(x,x)+91o
		pop	eax
; 
		db 2 dup(0), 8
		dd offset loc_550002
		dd 20h,	80000000h
; 

_POP_ETW_EVENT_S4_TRIP_POINT_DIAGNOSTIC:
					; DATA XREF: PopDiagTraceUsermodeTripPointExceeded(x,x,x,x)+23o
					; PopDiagTraceZoneS4TripPointExceeded(x,x)+6Fo
		push	edi
; 
		db 2 dup(0), 11h
		dd offset loc_540000+2
		dd 20h,	20000000h
; 

_POP_ETW_EVENT_CRITICAL_TRIP_POINT_SYSTEM:
					; DATA XREF: PopDiagTraceUsermodeTripPointExceeded(x,x,x,x)+12o
					; PopDiagTraceZoneCriticalTripPointExceeded(x,x)+37o ...
		push	esi
; 
		db 2 dup(0), 8
		dd offset loc_52FFFF+3
		dd 20h,	80000000h
; 

_POP_ETW_EVENT_CRITICAL_TRIP_POINT_DIAGNOSTIC:
					; DATA XREF: PopDiagTraceUsermodeTripPointExceeded(x,x,x,x)+17o
					; PopDiagTraceZoneCriticalTripPointExceeded(x,x)+27o ...
		push	ebp
; 
		db 2 dup(0), 11h
		dd offset loc_520002
		dd 20h,	20000000h
; 

_POP_ETW_EVENT_COOLING_MODE:		; DATA XREF: PopDiagTraceThermalCoolingMode:loc_932A0Fo
					; PopDiagTraceThermalCoolingMode+8ABAAo
		push	eax
; 
		db 2 dup(0), 11h
		dd offset loc_4D0003+1
		dd 20h,	20000000h
; 

_POP_ETW_EVENT_SKIP_TICK:		; DATA XREF: PopDiagTraceSkipTick(x,x)+2Eo
					; PopDiagTraceSkipTick(x,x)+62o
		dec	edi
; 
		db 2 dup(0), 10h
		dd offset loc_4BFFFF+5
		dd 0Ch,	40000000h
; 

_POP_ETW_EVENT_DISK_IDLE_CHECK:		; DATA XREF: PopDiagTraceDiskIdleCheck(x,x,x)+33o
					; PopDiagTraceDiskIdleCheck(x,x,x)+6Do
		dec	esi
; 
		db 2 dup(0), 10h
		dd offset loc_4B0004
		dd 10h,	40000000h
; 

_POP_ETW_EVENT_DEVICE_IDLE_CHECK:	; DATA XREF: PopDiagTraceDeviceIdleCheck(x,x,x)+40o
					; PopDiagTraceDeviceIdleCheck(x,x,x)+16Bo
		dec	ebp
; 
		db 2 dup(0), 10h
		dd offset loc_4A0000+4
		dd 10h,	40000000h
; 

_POP_ETW_EVENT_DEVICE_IDLE_END:		; DATA XREF: PopScanIdleList(x,x,x):loc_596F0Eo
		dec	esp
; 
		db 2 dup(0), 10h
		dd offset loc_490202+2
		dd 10h,	40000000h
; 

_POP_ETW_EVENT_DEVICE_IDLE_START:	; DATA XREF: PopScanIdleList(x,x,x):loc_596D9Co
		dec	ebx
; 
		db 2 dup(0), 10h
		dd offset loc_490104
		dd 10h,	40000000h
; 

_POP_ETW_EVENT_REGISTERSYSTEMSTATE:	; DATA XREF: PopDiagTraceRegisterSystemState(x,x)+29o
		dec	edx
; 
		db 2 dup(0), 10h
		dd offset loc_480003+1
		dd 404h, 40000000h
; 

_POP_ETW_EVENT_CMSHUTDOWNSYSTEM_STOP:	; DATA XREF: PopGracefulShutdown(x)+168o
		cmp	[eax], al
		add	[eax], dl
		add	al, 2
		xor	al, 0
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_CMSHUTDOWNSYSTEM_START:	; DATA XREF: PopGracefulShutdown(x):loc_72F5ABo
		aaa
; 
		db 2 dup(0), 10h
		dd 340104h, 808h, 40000000h
; 

_POP_ETW_EVENT_WAITFORPROCESSES_STOP:	; DATA XREF: PopGracefulShutdown(x)+13Co
		add	ss:[eax], al
		adc	[edx+eax], al
		xor	eax, [eax]
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_WAITFORPROCESSES_START:	; DATA XREF: PopGracefulShutdown(x)+12Do
		xor	eax, 4100000h
		add	[ebx], esi
		add	[eax], cl
		or	[eax], al
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_IOSHUTDOWNSYSTEM_STOP:	; DATA XREF: PopGracefulShutdown(x)+11Bo
		xor	al, 0
		add	[eax], dl
		add	al, 2
		xor	al, [eax]
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_IOSHUTDOWNSYSTEM_START:	; DATA XREF: PopGracefulShutdown(x)+10Ao
		xor	eax, [eax]
		add	[eax], dl
		add	al, 1
		xor	al, [eax]
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_ZEROPAGEFILE_STOP:	; DATA XREF: PopGracefulShutdown(x)+3Do
		xor	al, [eax]
		add	[eax], dl
		add	al, 2
		xor	[eax], eax
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_ZEROPAGEFILE_START:	; DATA XREF: PopGracefulShutdown(x)+2Eo
		xor	[eax], eax
		add	[eax], dl
		add	al, 1
		xor	[eax], eax
		or	[eax], cl
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_GRACEFULSHUTDOWN_STOP:	; DATA XREF: PopGracefulShutdown(x)+181o
		xor	[eax], al
		add	[eax], dl
		add	al, 2
		xor	[eax], al
		or	[eax], eax
; 
		dw 0
		dd 40000000h
; 

_POP_ETW_EVENT_GRACEFULSHUTDOWN_START:	; DATA XREF: PopGracefulShutdown(x)+15o
		das
; 
		db 2 dup(0), 10h
		dd 300104h, 808h, 40000000h
; 

_POP_ETW_EVENT_ZEROHIBERFILE_STOP:	; DATA XREF: PopDiagTraceZeroHiberFileEnd()o
		sub	al, 0
		add	[eax], dl
		add	al, 2
		add	cs:[eax], cl
		or	[eax], al
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_ZEROHIBERFILE_START:	; DATA XREF: PopDiagTraceZeroHiberFile()o
		sub	eax, [eax]
		add	[eax], dl
		add	al, 1
		add	cs:[eax], cl
		or	[eax], al
; 
		db 0
		dd 40000000h
; 

_POP_ETW_EVENT_DIRTY_TRANSITION:	; DATA XREF: PopDiagTraceDirtyTransition(x,x,x,x,x,x,x,x,x,x,x,x)+34o
					; PopDiagTraceDirtyTransition(x,x,x,x,x,x,x,x,x,x,x,x)+229o
		sub	[eax], eax
		or	[eax], cl
		add	[eax], eax
		aas
		add	[edx], al
; 
		db 3 dup(0)
		dd 80004000h
; 

_POP_ETW_EVENT_DRIVERVETO:		; DATA XREF: PopDiagTraceDriverVeto(x,x)+36o
					; PopDiagTraceDriverVeto(x,x)+183o
		sub	[eax], al
		add	[eax], cl
		add	al, 23h
		and	al, 0
		add	al, 24h
; 
		dw 0
		dd 80000000h
; 

_POP_ETW_EVENT_HIBERNATE_STATUS:	; DATA XREF: PopDiagTraceHibernateErrorStatus(x)+26o
		and	al, [eax]
		add	[eax], dl
		add	al, 0
		sub	eax, 2C0C00h
; 
		db 0
		dd 40000000h
; 

_THREATINT_SETTHREADCONTEXT_REMOTE_KERNEL_CALLER:
					; DATA XREF: EtwTiLogSetContextThread(x,x,x,x)+6Fo
		sbb	[eax], eax
		add	[eax], edx
		add	al, 0
		add	eax, 800000h
; 
		db 0
		dd 80000000h
; 

_THREATINT_QUEUEUSERAPC_REMOTE_KERNEL_CALLER:
					; DATA XREF: EtwTiLogInsertQueueUserApc(x,x,x,x,x,x,x)+85o
		sbb	[eax], al
		add	[eax], edx
		add	al, 0
		add	al, 0
		add	[eax], ah
; 
		dw 0
		dd 80000000h
; 

_THREATINT_THAW_PROCESS:		; DATA XREF: EtwTiLogSuspendResumeProcess(x,x,x,x)+95o
		adc	al, 0
		add	[eax], edx
		add	al, 0
		or	[eax], eax
; 
		dd 2000000h, 80000000h
; 

_THREATINT_FREEZE_PROCESS:		; DATA XREF: EtwTiLogSuspendResumeProcess(x,x,x,x):loc_9F7017o
		adc	eax, [eax]
		add	[eax], edx
		add	al, 0
		or	[eax], eax
; 
		dd 1000000h, 80000000h
; 

_THREATINT_RESUME_PROCESS:		; DATA XREF: EtwTiLogSuspendResumeProcess(x,x,x,x):loc_9F701Eo
		adc	al, [eax]
		add	[eax], edx
		add	al, 0
		or	[eax], eax
; 
		dd 800000h, 80000000h
; 

_THREATINT_SUSPEND_PROCESS:		; DATA XREF: EtwTiLogSuspendResumeProcess(x,x,x,x):loc_9F7025o
		adc	[eax], eax
		add	[eax], edx
		add	al, 0
		or	[eax], eax
; 
		dd 400000h, 80000000h
; 

_THREATINT_RESUME_THREAD:		; DATA XREF: EtwTiLogSuspendResumeThread(x,x,x,x)+85o
		adc	[eax], al
		add	[eax], edx
		add	al, 0
		or	[eax], al
; 
		dd 200000h, 80000000h
; 

_THREATINT_SUSPEND_THREAD:		; DATA XREF: EtwTiLogSuspendResumeThread(x,x,x,x)+78o
		sldt	word ptr [ecx]
		adc	[eax+eax], al
		or	[eax], al
; 
		dd 100000h, 80000000h
; 

_THREATINT_READVM_REMOTE:		; DATA XREF: EtwTiLogReadWriteVm:loc_8D9AE5o
		or	eax, 4100100h
		add	[esi], al
; 
		db 0
		dd 20000h, 80000000h
; 

_THREATINT_READVM_LOCAL:		; DATA XREF: EtwTiLogReadWriteVm+197o
		or	eax, [eax]
		add	[eax], edx
		add	al, 0
		push	es
; 
		db 0
		dd 10000h, 80000000h
; 

_THREATINT_SETTHREADCONTEXT_REMOTE:	; DATA XREF: EtwTiLogSetContextThread(x,x,x,x)+76o
		add	eax, 4100100h
		add	ds:400000h, al
; 
		db 0
		dd 80000000h
; 

_THREATINT_QUEUEUSERAPC_REMOTE:		; DATA XREF: EtwTiLogInsertQueueUserApc(x,x,x,x,x,x,x)+8Co
		add	al, 0
		add	[eax], edx
		add	al, 0
		add	al, 0
		add	[eax], dl
; 
		dw 0
		dd 80000000h
; 

_MITIGATION_ENFORCE_PROHIBIT_NON_MICROSOFT_BINARIES:
					; DATA XREF: EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+2B9o
		or	al, 0
		add	[eax], dl
		add	eax, [eax]
		push	es
; 
		db 0
		dd 0
		dd 80000000h
; 

_MITIGATION_AUDIT_PROHIBIT_NON_MICROSOFT_BINARIES:
					; DATA XREF: EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+2A3o
		or	eax, [eax]
		add	[eax], dl
; 
		dd 60000h, 0
		dd 80000000h
; 

_MITIGATION_ENFORCE_PROHIBIT_WIN32K_SYSTEM_CALLS:
					; DATA XREF: EtwTimLogProhibitWin32kSystemCalls(x,x)+1Bo
		or	al, [eax]
		add	[eax], dl
		add	eax, [eax]
		add	eax, 0
; 
		db 0
		dd 80000000h
; 

_MITIGATION_AUDIT_PROHIBIT_WIN32K_SYSTEM_CALLS:
					; DATA XREF: EtwTimLogProhibitWin32kSystemCalls(x,x)+11o
		or	[eax], eax
		add	[eax], dl
; 
		dd 50000h, 0
		dd 80000000h
; 

_MITIGATION_ENFORCE_PROHIBIT_REMOTE_IMAGE_MAP:
					; DATA XREF: EtwTimLogProhibitRemoteImageMap(x,x)+Ao
		or	[eax], al
		add	[eax], dl
		add	eax, [eax]
		add	eax, [eax]
; 
		dd 0
		dd 80000000h
; 

_MITIGATION_AUDIT_PROHIBIT_REMOTE_IMAGE_MAP:
					; DATA XREF: EtwTimLogProhibitRemoteImageMap(x,x)o
		pop	es
; 
		db 2 dup(0), 10h
		dd 30000h, 0
		dd 80000000h
; 

_MITIGATION_ENFORCE_PROHIBIT_LOWIL_IMAGE_MAP:
					; DATA XREF: EtwTimLogProhibitLowILImageMap(x,x,x)+23Bo
		push	es
; 
		db 2 dup(0), 10h
		dd 40003h, 0
		dd 80000000h
; 

_MITIGATION_AUDIT_PROHIBIT_LOWIL_IMAGE_MAP:
					; DATA XREF: EtwTimLogProhibitLowILImageMap(x,x,x)+225o
		add	eax, 100000h
		add	[eax+eax], al
; 
		dd 0
		dd 80000000h
; 

_MITIGATION_ENFORCE_PROHIBIT_CHILD_PROCESS_CREATION:
					; DATA XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+559o
		add	al, 0
		add	[eax], dl
		add	eax, [eax]
		add	al, [eax]
; 
		dd 0
		dd 80000000h
; 

_MITIGATION_AUDIT_PROHIBIT_CHILD_PROCESS_CREATION:
					; DATA XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+54Bo
		add	eax, [eax]
		add	[eax], dl
; 
		dd 20000h, 0
		dd 80000000h
; 

_MITIGATION_ENFORCE_PROHIBIT_DYNAMIC_CODE:
					; DATA XREF: EtwTimLogProhibitDynamicCode(x,x)+1Bo
		add	al, [eax]
		add	[eax], dl
		add	eax, [eax]
		add	[eax], eax
; 
		dd 0
		dd 80000000h
; 

_MITIGATION_AUDIT_PROHIBIT_DYNAMIC_CODE: ; DATA	XREF: EtwTimLogProhibitDynamicCode(x,x)+11o
		add	[eax], eax
		add	[eax], dl
; 
		dd 10000h, 0
		dd 80000000h
; 

_CVE_AUDIT_DETECT_KM:			; DATA XREF: SeEtwWriteKMCveEvent(x,x)+9Fo
		add	al, [eax]
		add	[eax], cl
		add	eax, [eax]
; 
		dw 0
		dd 0
		dd 40000000h
; 

_KERNEL_AUDIT_API_SETCONTEXTTHREAD:	; DATA XREF: NtSetContextThread(x,x)+BCo
		add	al, 0
; 
		dw 0
		dd 4, 2	dup(0)
; 

_LIVEDUMP_EVENT_DISCARD_DEFERRED_DATA_API_END:
					; DATA XREF: IopLiveDumpTraceInterfaceEnd(x,x,x)+34o
		cld
; 
		db 2 dup(0), 10h
		dd 50B04h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_DISCARD_DEFERRED_DATA_API_START:
					; DATA XREF: IopLiveDumpTraceInterfaceStart(x)+1Eo
		sti
; 
		db 2 dup(0), 10h
		dd 50A04h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_WRITE_DEFERRED_DUMPDATA_TO_FILE_END:
					; DATA XREF: IopLiveDumpTraceDumpFileWriteEnd(x,x,x)+28o
		int	3		; Trap to Debugger
; 
		db 2 dup(0), 10h
		dd 40D04h, 0
		dd 80000000h

;  S U B	R O U T	I N E 


_LIVEDUMP_EVENT_WRITE_DEFERRED_DUMPDATA_TO_FILE_START proc far
					; DATA XREF: IoWriteDeferredLiveDumpData(x)+2Eo
		retf
_LIVEDUMP_EVENT_WRITE_DEFERRED_DUMPDATA_TO_FILE_START endp

; 
		db 2 dup(0), 10h
		dd 40C04h, 0
		dd 80000000h

;  S U B	R O U T	I N E 


_LIVEDUMP_EVENT_WRITE_DEFERRED_DATA_API_END proc far
					; DATA XREF: IopLiveDumpTraceInterfaceEnd(x,x,x):loc_60FCCCo
		retf	0
_LIVEDUMP_EVENT_WRITE_DEFERRED_DATA_API_END endp

; 
		db 10h
		dd 40B04h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_WRITE_DEFERRED_DATA_API_START:
					; DATA XREF: IopLiveDumpTraceInterfaceStart(x):loc_60FD31o
		leave
; 
		db 2 dup(0), 10h
		dd 40A04h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_MM_DUPLICATE_MEMORY_FAILURE:
					; DATA XREF: IopLiveDumpTraceMmDuplicateMemoryFailure(x,x):loc_610001o
		test	al, 0
		add	[ecx], dl
		add	al, 22h
		add	eax, [eax]
; 
		dd 0
		dd 40000000h
; 

_LIVEDUMP_EVENT_CAPTURE_WORKFLOW_CAPTURE_MEMORY_PAGES:
					; DATA XREF: IopLiveDumpTraceCaptureMemoryPages(x)+6Eo
		cmpsd
; 
		db 2 dup(0), 11h
		dd 32104h, 0
		dd 40000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_UNCORRAL_PROCESSORS:
					; DATA XREF: IopLiveDumpTraceUncorralProcessorsDuration(x,x,x,x,x,x,x,x,x)+4Do
		cmpsb
; 
		db 2 dup(0), 10h
		dd 32004h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_CORRAL_PROCESSORS:
					; DATA XREF: IopLiveDumpTraceCorralProcessorsDuration(x,x,x,x,x,x,x,x,x)+4Do
		movsd
; 
		db 2 dup(0), 10h
		dd 31F04h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_DUMP_DATA_BUFFERING:
					; DATA XREF: IopLiveDumpTraceCaptureDumpDataBufferingDuration(x)+49o
		movsb
; 
		db 2 dup(0), 10h
		dd 31E04h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_GENERATE_IPT_SECONDARY_DATA:
					; DATA XREF: IopLiveDumpTraceCaptureGenerateIptSecondaryDataDuration(x,x,x)+52o
		mov	ds:4100000h, eax
		sbb	eax, 3
; 
		dw 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_POPULATE_BITMAP_FOR_DUMP:
					; DATA XREF: IopLiveDumpTracePopulateBitmapForDumpDuration(x,x,x,x,x)+4Ao
		mov	eax, ds:4100000h
		sbb	eax, [ebx]
; 
		db 0
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_MARK_IMPORTANT_DUMP_DATA:
					; DATA XREF: IopLiveDumpTraceMarkImportantDumpDataDuration(x,x,x)+4Ao
		mov	al, ds:4100000h
		sbb	al, [ebx]
; 
		db 0
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_MARK_REQUIRED_DUMP_DATA:
					; DATA XREF: IopLiveDumpTraceMarkRequiredDumpDataDuration(x,x,x)+4Ao
		lahf
; 
		db 2 dup(0), 10h
		dd 31904h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_CAPTURE_PROCESSOR_CONTEXT:
					; DATA XREF: IopLiveDumpTraceCaptureProcessorContextDuration(x,x,x)+4Ao
		sahf
; 
		db 2 dup(0), 10h
		dd 31804h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_BUFFERING_END:
					; DATA XREF: IopLiveDumpStartDumpDataBuffering(x)+2Fo
		popf
; 
		db 2 dup(0), 11h
		dd 31404h, 0
		dd 40000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_BUFFERING_START:
					; DATA XREF: IopLiveDumpStartDumpDataBuffering(x)+13o
		pushf
; 
		db 2 dup(0), 11h
		dd 31304h, 0
		dd 40000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUIESCE_END:
					; DATA XREF: IopLiveDumpTraceSystemQuiesceEnd(x)+14o
		wait
; 
		db 2 dup(0), 11h
		dd 31204h, 0
		dd 40000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUIESCE_START:
					; DATA XREF: IopLiveDumpTraceSystemQuiesceStart(x)+14o
		call	far ptr	311h:4110000h
; 
		db 0
		dd 0
		dd 40000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_MIRRORING_PHASE1_END:
					; DATA XREF: IopLiveDumpTraceMirroringPhase1End(x)+14o
		cdq
; 
		db 2 dup(0), 10h
		dd 31004h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_MIRRORING_PHASE0_END:
					; DATA XREF: IopLiveDumpTraceMirroringPhase0End(x)+14o
		cwde
; 
		db 2 dup(0), 10h
		dd 30F04h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_MIRRORING_START:
					; DATA XREF: IopLiveDumpTraceMirroringStart(x)+20o
		xchg	eax, edi
; 
		db 2 dup(0), 10h
		dd 30E04h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_MM_DUPLICATE_MEMORY_FAILURE:
					; DATA XREF: IopLiveDumpTraceMmDuplicateMemoryFailure(x,x)+30o
		jnp	short $+2
		add	[ecx], dl
		add	al, 22h
		add	al, [eax]
; 
		dd 0
		dd 40000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUISCED_UNCORRAL_PROCESSORS:
					; DATA XREF: IopLiveDumpTraceUncorralProcessorsDuration(x,x,x,x,x,x,x,x,x)+46o
		jp	short $+2
		add	[eax], dl
		add	al, 20h
		add	al, [eax]
; 
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUISCED_CORRAL_PROCESSORS:
					; DATA XREF: IopLiveDumpTraceCorralProcessorsDuration(x,x,x,x,x,x,x,x,x)+46o
		jns	short $+2
		add	[eax], dl
		add	al, 1Fh
		add	al, [eax]
; 
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUISCED_POPULATE_BITMAP_FOR_DUMP:
					; DATA XREF: IopLiveDumpTracePopulateBitmapForDumpDuration(x,x,x,x,x)+43o
		js	short $+2
		add	[eax], dl
		add	al, 1Bh
		add	al, [eax]
; 
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUISCED_MARK_IMPORTANT_DUMP_DATA:
					; DATA XREF: IopLiveDumpTraceMarkImportantDumpDataDuration(x,x,x)+43o
		ja	short $+2
		add	[eax], dl
		add	al, 1Ah
		add	al, [eax]
; 
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUISCED_MARK_REQUIRED_DUMP_DATA:
					; DATA XREF: IopLiveDumpTraceMarkRequiredDumpDataDuration(x,x,x)+43o
		jbe	short $+2
		add	[eax], dl
		add	al, 19h
		add	al, [eax]
; 
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUISCED_CAPTURE_PROCESSOR_CONTEXT:
					; DATA XREF: IopLiveDumpTraceCaptureProcessorContextDuration(x,x,x)+43o
		jnz	short $+2
		add	[eax], dl
		add	al, 18h
		add	al, [eax]
; 
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_BUFFER_ALLOCATION_FROM_VM_MEMORY_PARTITION_FAILURE:
					; DATA XREF: IopLiveDumpTraceAllocationFromVMMemoryPartitionFailure(x,x)+3Do
		jz	short $+2
		add	[ecx], dl
		add	al, 16h
		add	al, [eax]
; 
		dd 0
		dd 40000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_OPEN_VM_MEMORY_PARTITION_FAILURE:
					; DATA XREF: IopLiveDumpTraceOpenVMMemoryPartitionFailure(x,x)+39o
		jnb	short $+2
		add	[ecx], dl
		add	al, 16h
		add	al, [eax]
; 
		dd 0
		dd 40000000h
; 

_LIVEDUMP_EVENT_ESTIMATED_AND_ALLOCATED_MEMORY_PAGES:
					; DATA XREF: IopLiveDumpTraceEstimatedAndAllocatedPageCount(x,x,x)+67o
		jno	short $+2
		add	[ecx], edx
		add	al, 15h
		add	al, [eax]
; 
		dd 0
		dd 40000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_REMOVEPAGES_CALLBACK_FAILURE:
					; DATA XREF: IopLiveDumpTraceRemovePagesCallbackFailure(x,x,x)+30o
		jo	short $+2
		add	[eax], dl
		add	al, 17h
		add	al, [eax]
; 
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_REMOVEPAGES_CALLBACK_END:
					; DATA XREF: IopLiveDumpCallRemovePagesCallbacks(x)+250o
		outsd
; 
		db 2 dup(0), 10h
		dd 21704h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_REMOVEPAGES_CALLBACK_START:
					; DATA XREF: IopLiveDumpCallRemovePagesCallbacks(x)+F6o
		outsb
; 
		db 2 dup(0), 10h
		dd 21704h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_REMOVEPAGES_CALLBACKS_END:
					; DATA XREF: IopLiveDumpCallRemovePagesCallbacks(x)+27Eo
		insd
; 
		db 2 dup(0), 10h
		dd 21704h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_REMOVEPAGES_CALLBACKS_START:
					; DATA XREF: IopLiveDumpCallRemovePagesCallbacks(x)+4Do
		insb
; 
		db 2 dup(0), 10h
		dd 21704h, 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_BUFFER_ALLOCATION:
					; DATA XREF: IopLiveDumpTraceBufferAllocation(x)+ACo
		imul	eax, [eax], 1
		adc	[esi+edx], eax
		add	al, [eax]
; 
		dd 0
		dd 40000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_BUFFER_ESTIMATION:
					; DATA XREF: IopLiveDumpTraceBufferEstimation(x)+179o
		push	0
		add	[ecx], edx
		add	al, 15h
		add	al, [eax]
; 
		dd 0
		dd 40000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUIESCE_END:
					; DATA XREF: IopLiveDumpTraceSystemQuiesceEnd(x)+Do
		imul	eax, [eax], 12041100h
		add	al, [eax]
; 
		dd 0
		dd 40000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUIESCE_START:
					; DATA XREF: IopLiveDumpTraceSystemQuiesceStart(x)+Do
		push	4110000h
		adc	[edx], eax
; 
		db 0
		dd 0
		dd 40000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_MIRRORING_PHASE1_END:
					; DATA XREF: IopLiveDumpTraceMirroringPhase1End(x)+Do
		add	[bx+si], al
		adc	[eax+edx], al
		add	al, [eax]
; 
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_MIRRORING_PHASE0_END:
					; DATA XREF: IopLiveDumpTraceMirroringPhase0End(x)+Do
		db	66h
		add	[eax], al
		adc	[edi+ecx], al
		add	al, [eax]
; 
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_SIZING_WORKFLOW_MIRRORING_START:
					; DATA XREF: IopLiveDumpTraceMirroringStart(x)+19o
		add	gs:[eax], al
		adc	[esi+ecx], al
		add	al, [eax]
; 
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_MEMORY_PRESSURE_ABORT:	; DATA XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+3CDo
		add	eax, 4100000h
		push	ss
		add	[eax], eax
; 
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_WRITE_DUMPDATA_TO_FILE_END:
					; DATA XREF: IopLiveDumpTraceDumpFileWriteEnd(x,x,x)+21o
		add	al, 0
		add	[eax], dl
		add	al, 0Dh
		add	[eax], eax
; 
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_WRITE_DUMPDATA_TO_FILE_START:
					; DATA XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+45Fo
		add	eax, [eax]
		add	[eax], dl
		add	al, 0Ch
		add	[eax], eax
; 
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_CAPTURE_API_END:	; DATA XREF: IopLiveDumpTraceInterfaceEnd(x,x,x)+23o
		add	al, [eax]
		add	[eax], dl
		add	al, 0Bh
		add	[eax], eax
; 
		dd 0
		dd 80000000h
; 

_LIVEDUMP_EVENT_CAPTURE_API_START:	; DATA XREF: IopLiveDumpTraceInterfaceStart(x)+Do
		add	[eax], eax
		add	[eax], dl
		add	al, 0Ah
		add	[eax], eax
; 
		dd 0
		dd 80000000h
; 

_IoMgr_DumpEncryptionFailure:		; DATA XREF: SecureDump_LogErrorEvent(x)+1Ao
		mov	bh, 4
		add	[eax], cl
		add	al, [eax]
; 
		dw 0
		dd 0
		dd 40000000h
; 

_IoMgr_LegacyFsFilterBlockedOnScm:	; DATA XREF: IopAttachDeviceToDeviceStackSafe:loc_5E7EADo
					; IopAttachDeviceToDeviceStackSafe+D42DBo
		mov	dh, 4
		add	[eax], cl
		add	al, [eax]
; 
		dw 0
		dd 0
		dd 40000000h
; 

_IoMgr_LegacyFsFilterBlockedByPolicy:	; DATA XREF: IopAttachDeviceToDeviceStackSafe+D40ABo
					; IopAttachDeviceToDeviceStackSafe+D4120o ...
		mov	ch, 4
		add	[eax], cl
		add	al, [eax]
; 
		dw 0
		dd 0
		dd 40000000h
; 

_IoMgr_MountFailed:			; DATA XREF: IopLogEventIoMgrMountFailed(x,x,x,x)+46o
					; IopLogEventIoMgrMountFailed(x,x,x,x)+87o
		add	eax, [eax]
		add	[eax], dl
		add	eax, [edx]
		add	[eax], eax
		add	[eax], eax
; 
		dw 0
		dd 80000000h
; 

_IoMgr_MountSucceeded:			; DATA XREF: IopLogEventIoMgrMountSucceeded(x,x,x)+42o
					; IopLogEventIoMgrMountSucceeded(x,x,x)+7Bo
		add	al, [eax]
		add	[eax], dl
		add	al, 2
		add	[eax], eax
		add	[eax], eax
; 
		dw 0
		dd 80000000h
; 

_IoMgr_MountBegin:			; DATA XREF: IopLogEventIoMgrMountBegin(x,x,x)+42o
					; IopLogEventIoMgrMountBegin(x,x,x)+7Bo
		add	[eax], eax
		add	[eax], dl
		add	al, 1
		add	[eax], eax
		add	[eax], eax
; 
		dw 0
		dd 80000000h
; 

_IoTrace_ActivityIdTransfer:		; DATA XREF: IoTransferActivityId(x,x)+6o
		add	al, 0
		add	[eax], dl
		add	al, 0
		add	eax, [eax]
; 
		dd 0
		dd 80000000h
; 

_IoTrace_KernelIo_ReuseIrp:		; DATA XREF: IoReuseIrp(x,x)+18Bo
					; IoReuseIrp(x,x)+1B7o	...
		add	eax, [eax]
		add	[eax], dl
		add	eax, 200h
; 
		db 3 dup(0)
		dd 80000000h
; 

_IoTrace_KernelIo_AllocateIrp:		; DATA XREF: IopInitActivityIdIrp(x)+4Eo
		add	al, [eax]
		add	[eax], dl
		add	eax, 200h
; 
		db 3 dup(0)
		dd 80000000h
; 

_IoTrace_UserInitiatedIo:		; DATA XREF: IopInitActivityIdIrp(x)+E7o
		add	[eax], eax
		add	[eax], dl
		add	al, 0
		add	[eax], eax
; 
		dd 0
		dd 80000000h
; 

_KseDsEventDevicePowerCompleted:	; DATA XREF: KsepDsEventDevicePowerCompleted(x,x,x,x)+2Do
		sbb	[eax], al
		add	[edx], edx
		add	eax, 0
		add	al, 0
; 
		db 0
		dd 20000000h
; 

_KseDsEventRequestPowerIrp:		; DATA XREF: KsepDsEventRequestPowerIrp(x,x,x,x,x,x)+31o
		pop	ss
		add	[ecx], al
		adc	al, large ds:0
		add	al, 0
; 
		db 0
		dd 20000000h
; 

_KseDsEventDevicePowerIrp:		; DATA XREF: KsepDsEventDevicePowerIrp(x,x,x,x,x,x,x)+31o
		push	ss
		add	[ecx], al
		adc	al, large ds:0
		add	al, 0
; 
		db 0
		dd 20000000h
; 

_KseDsEventSystemPowerIrp:		; DATA XREF: KsepDsEventSystemPowerIrp(x,x,x,x,x,x,x)+31o
		adc	eax, 5120100h
; 
		db 3 dup(0)
		dd 400h, 20000000h
; 

_KseDsEventStopDevice:			; DATA XREF: KsepDsEventPnpStopDevice(x,x,x,x)+2Do
		adc	al, 0
		add	[edx], edx
		add	eax, 0
		add	al, [eax]
; 
		db 0
		dd 20000000h
; 

_KseDsEventStartDevice:			; DATA XREF: KsepDsEventPnpStartDevice(x,x,x,x)+2Do
		adc	eax, [eax]
		add	[edx], edx
		add	eax, 0
		add	al, [eax]
; 
		db 0
		dd 20000000h
; 

_KseDsEventPnpIrp:			; DATA XREF: KsepDsEventPnpIrp(x,x,x,x,x)+2Do
		adc	al, [eax]
		add	[edx], edx
		add	eax, 0
		add	al, [eax]
; 
		db 0
		dd 20000000h
; 

_KseDsEventDataIrp:			; DATA XREF: KsepDsEventDataIrp(x,x,x,x,x)+2Do
		adc	[eax], eax
		add	[edx], edx
		add	eax, 0
		or	[eax], al
; 
		db 0
		dd 20000000h
; 

_KseDsEventCreateDevice:		; DATA XREF: KsepDsEventIoCreateDevice(x,x,x,x,x,x)+38o
		adc	[eax], al
		add	[edx], edx
		add	eax, 0
		add	[eax], eax
; 
		db 0
		dd 20000000h
; 

_KseDsEventStartIo:			; DATA XREF: KsepDsEventDriverStartIo(x,x,x)+2Do
		sldt	word ptr [ecx]
		adc	al, large ds:0
		or	[eax], al
; 
		db 0
		dd 20000000h
; 

_KseDsEventPoolFree:			; DATA XREF: KsepDsEventPoolFree(x,x,x)+2Do
		push	cs
		add	[ecx], al
		adc	al, large ds:0
		adc	[eax], al
; 
		db 0
		dd 20000000h
; 

_KseDsEventPoolAllocate:		; DATA XREF: KsepDsEventPoolAllocate(x,x,x,x,x)+2Do
		or	eax, 5120100h
; 
		db 3 dup(0)
		dd 1000h, 20000000h
; 

_KseDsEventAddDevice:			; DATA XREF: KsepDsEventAddDevice(x,x,x,x,x,x,x)+31o
		or	al, 0
		add	[edx], edx
		add	eax, 0
		add	[eax], eax
; 
		db 0
		dd 20000000h
; 

_KseDsEventDriverUnload:		; DATA XREF: KsepDsEventDriverUnload(x,x)+2Do
		or	eax, [eax]
		add	[edx], edx
		add	eax, 0
		add	[eax], eax
; 
		db 0
		dd 20000000h
; 

_KseDsEventDriverLoad:			; DATA XREF: KsepDsEventDriverLoad(x,x,x,x,x)+2Co
					; KsepDsEventDriverLoad(x,x,x,x,x)+72o
		or	al, [eax]
		add	[edx], edx
		add	eax, 0
		add	[eax], eax
; 
		db 0
		dd 20000000h
; 

_KseSkipDriverUnloadEventDriverUnload:	; DATA XREF: KsepSkipDriverUnloadEventDriverUnload(x,x)+2Do
		push	es
		add	[ecx], al
		adc	large ds:0, eax
		and	[eax], al
; 
		db 0
		dd 40000000h
; 

_KseSkipDriverUnloadEventDriverLoad:	; DATA XREF: KsepSkipDriverUnloadEventDriverLoad(x,x,x,x,x)+2Co
					; KsepSkipDriverUnloadEventDriverLoad(x,x,x,x,x)+72o
		add	eax, 5110100h
; 
		db 3 dup(0)
		dd 2000h, 40000000h
; 

_KseShimsApplied:			; DATA XREF: KsepEvntLogShimsApplied(x,x,x)+46o
					; KsepEvntLogShimsApplied(x,x,x)+1A1o
		add	eax, [eax]
		add	[ecx], edx
		add	al, 0
; 
		dw 0
		dd 0
		dd 40000000h
; 

_KERNEL_MEM_EVENT_MEMINFO_NODE:		; DATA XREF: EtwpLogMemNodeInfo()+DEo
		or	al, 0
		add	[eax], dl
		add	al, 0
		or	[eax], eax
		add	[eax+eax], al
; 
		db 0
		dd 80000000h
; 

_KERNEL_MEM_EVENT_WS_INSWAP_STORE_FAIL:	; DATA XREF: sub_8E618E+24o
		or	[eax], eax
		add	[eax], dl
		add	al, 0
		add	eax, 8000h
; 
		db 0
		dd 80000000h
; 

_KERNEL_MEM_EVENT_ACG:			; DATA XREF: EtwTraceMemoryAcg+166DF0o
		or	[eax], al
		add	[eax], dl
		add	al, 0
		push	es
; 
		db 0
		dd 100h, 80000000h
; 

_KERNEL_MEM_EVENT_WS_INSWAP_STOP:	; DATA XREF: EtwTraceWorkingSetSwap+14E2BBo
					; sub_8FBDF9+2Ao ...
		pop	es
; 
		db 2 dup(0), 10h
		dd 50204h, 80h,	80000000h
; 

_KERNEL_MEM_EVENT_WS_INSWAP_START:	; DATA XREF: EtwTraceWorkingSetSwap+14E27Bo
					; sub_8FBDAF+2Ao ...
		push	es
		add	[ecx], al
		adc	[ecx+eax], al
		add	eax, 8000h
; 
		db 0
		dd 80000000h
; 

_KERNEL_MEM_EVENT_WS_OUTSWAP_STOP:	; DATA XREF: EtwTraceWorkingSetSwap+14E2CBo
		add	eax, 4100100h
		add	al, [eax+eax]
		add	byte ptr [eax],	0
; 
		db 0
		dd 80000000h
; 

_KERNEL_MEM_EVENT_WS_OUTSWAP_START:	; DATA XREF: EtwTraceWorkingSetSwap+14E282o
		add	al, 0
		add	[eax], edx
		add	al, 1
		add	al, 0
		add	byte ptr [eax],	0
; 
		db 0
		dd 80000000h
; 

_KERNEL_MEM_EVENT_MEMINFO_SESSIONWS:	; DATA XREF: EtwpLogSessionWorkingSetInfo(x)+142o
		add	eax, [eax]
		add	dl, [eax]
		add	al, 0
		add	eax, [eax]
		inc	eax
; 
		db 3 dup(0)
		dd 80000000h
; 

_KERNEL_MEM_EVENT_MEMINFO_WS:		; DATA XREF: EtwpLogMemInfoWsHelper(x,x)+71o
		add	al, [eax]
		add	dl, [eax]
		add	al, 0
		add	al, [eax]
		inc	eax
; 
		db 3 dup(0)
		dd 80000000h
; 

_KERNEL_MEM_EVENT_MEMINFO:		; DATA XREF: EtwpLogMemInfo(x,x)+B1o
		add	[eax], eax
		add	[eax], edx
		add	al, 0
		add	[eax], eax
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_SmEventSQMStreamRow:			; DATA XREF: SmKmSqmAddToStream(x,x,x,x,x)+162o
		adc	eax, [eax]
; 
		dw 0
		dd 4, 0
		dd 80000h
; 

_SmEventCacheTermination:		; DATA XREF: SmKmStoreTerminateWorker(x)+2E5o
		adc	al, [eax]
		add	[ecx], edx
		add	al, 0
		adc	[eax], eax
		push	eax
; 
		db 3 dup(0)
		dd 40000000h
; 

_StEventRegionRundown:
		adc	[eax], eax
		add	[eax], edx
		add	al, 0
		adc	[eax], al
		add	byte ptr [eax],	0
; 
		db 0
		dd 80000000h
; 

_StEventRegionCompactEnd:
		adc	[eax], al
		add	[eax], edx
		add	al, 2
		lldt	word ptr [eax]
; 
		db 3 dup(0)
		dd 80000000h
; 

_StEventRegionCompactStart:
		sldt	word ptr [ecx]
		adc	[ecx+eax], al
		lldt	word ptr [eax]
; 
		db 3 dup(0)
		dd 80000000h
; 

_StEventRegionRelease:
		push	cs
		add	[ecx], al
		adc	[eax+eax], al
		push	cs
		add	[eax], dl
; 
		db 3 dup(0)
		dd 80000000h
; 

_StEventStoreEmpty:
		or	eax, 4100100h
		add	large ds:1000h,	cl
; 
		db 0
		dd 80000000h
; 

_SmEventStoreIoStats:			; DATA XREF: SmKmEtwLogStoreStats(x,x,x)+90o
		or	eax, [eax]
		add	[eax], edx
		add	al, 0
		or	eax, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_StEventRegionWrite:
		or	[eax], eax
		add	dl, [eax]
		add	al, 0
		or	[eax], eax
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_StEventRegionEvict:
		or	[eax], al
		add	dl, [eax]
		add	al, 0
		or	[eax], al
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_StEventStorePageRundown:
		pop	es
		add	[ecx], al
		adc	[eax+eax], al
		pop	es
		add	[eax+0], al
; 
		db 2 dup(0), 80h
; 

_StEventStoreCorruption:
		push	es
		add	[ecx], al
		adc	[eax+eax], eax
		push	es
		add	[eax+0], dl
; 
		dw 0
		dd 40000000h
; 

_SmEventStoreRundown:			; DATA XREF: SmEtwEnableCallback+8D94Bo
		add	eax, 4100300h
		add	large ds:1000h,	al
; 
		db 0
		dd 80000000h
; 

_SmEventStoreDelete:			; DATA XREF: SmKmStoreDelete+14E3D9o
					; SmKmEtwLogStoreChange(x,x,x)+56o
		add	al, 0
		add	[eax], edx
		add	al, 0
		add	al, 0
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_SmEventStoreCreate:			; DATA XREF: SmKmStoreAdd+14EB46o
		add	eax, [eax]
		add	edx, [eax]
		add	al, 0
		add	eax, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_StEventStoreRemove:
		add	al, [eax]
		add	[eax], edx
		add	al, 0
		add	al, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_StEventStoreAdd:
		add	[eax], eax
		add	dl, [eax]
		add	al, 0
		add	[eax], eax
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KFileEvt_QueryEA:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DC3Bo
		and	al, [eax]
		add	[eax], edx
		add	al, 0
		and	al, [eax]
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KFileEvt_SetEA:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DC34o
		and	[eax], eax
		add	[eax], edx
		add	al, 0
		and	[eax], eax
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KFileEvt_QuerySecurity:		; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DC2Do
		and	[eax], al
		add	[eax], edx
		add	al, 0
		and	[eax], al
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KFileEvt_SetSecurity:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DC26o
		pop	ds
		add	[ecx], al
		adc	[eax+eax], al
		pop	ds
		add	[eax], ah
; 
		db 3 dup(0)
		dd 80000000h
; 

_KFileEvt_CreateNewFile:		; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DC0Ao
		push	ds
		add	[ecx], al
		adc	[eax+eax], al
		push	ds
; 
		db 0
		dd 1000h, 80000000h
; 

_KFileEvt_SetLink:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DBEEo
		sbb	eax, 4100100h
		add	[ebx], dl
		add	[eax], ah
; 
		db 3 dup(0)
		dd 80000000h
; 

_KFileEvt_SetLinkPath:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DC1Fo
		sbb	al, 0
		add	[eax], edx
		add	al, 0
		sbb	al, 0
		add	[eax], cl
; 
		dw 0
		dd 80000000h
; 

_KFileEvt_RenamePath:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DC18o
		sbb	eax, [eax]
		add	[eax], edx
		add	al, 0
		sbb	eax, [eax]
		add	[eax], cl
; 
		dw 0
		dd 80000000h
; 

_KFileEvt_DeletePath:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DC11o
		sbb	al, [eax]
		add	[eax], edx
		add	al, 0
		sbb	al, [eax]
		add	[eax+eax], al
; 
		db 0
		dd 80000000h
; 

_KFileEvt_DirNotify:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DC03o
		sbb	[eax], eax
		add	[eax], edx
		add	al, 0
		sbb	[eax], eax
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KFileEvt_OperationEnd:			; DATA XREF: EtwpFileProvTrace(x,x,x,x)+2Co
		sbb	[eax], al
		add	[eax], dl
		add	al, 0
		sbb	[eax], al
		pusha
; 
		db 3 dup(0)
		dd 80000000h
; 

_KFileEvt_FSCTL:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DBFCo
		pop	ss
		add	[ecx], al
		adc	[eax+eax], al
		pop	ss
		add	[eax], ah
; 
		db 3 dup(0)
		dd 80000000h
; 

_KFileEvt_QueryInformation:		; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DBCBo
		push	ss
		add	[ecx], al
		adc	[eax+eax], al
		push	ss
		add	[eax], ah
; 
		db 3 dup(0)
		dd 80000000h
; 

_KFileEvt_Flush:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DBF5o
		adc	eax, 4100100h
		add	large ds:2000h,	dl
; 
		db 0
		dd 80000000h
; 

_KFileEvt_DirEnum:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DBD2o
		adc	al, 0
		add	[eax], edx
		add	al, 0
		adc	al, 0
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KFileEvt_Rename:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DBE7o
		adc	eax, [eax]
		add	[eax], edx
		add	al, 0
		adc	eax, [eax]
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KFileEvt_Delete:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DBE0o
		adc	al, [eax]
		add	[eax], edx
		add	al, 0
		adc	al, [eax]
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KFileEvt_SetInformation:		; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DBD9o
		adc	[eax], eax
		add	[eax], edx
		add	al, 0
		adc	[eax], eax
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KFileEvt_Write:			; DATA XREF: EtwpFileProvTrace(x,x,x,x)+61o
		adc	[eax], al
		add	[eax], edx
		add	al, 0
		adc	[eax], al
		and	[edx], al
; 
		dw 0
		dd 80000000h
; 

_KFileEvt_Read:				; DATA XREF: EtwpFileProvTrace(x,x,x,x)+57o
		sldt	word ptr [ecx]
		adc	[eax+eax], al
		verr	word ptr [eax]
		add	[eax], eax
; 
		db 0
		dd 80000000h
; 

_KFileEvt_Close:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DBADo
		push	cs
		add	[ecx], al
		adc	[eax+eax], al
		push	cs
		add	[eax], ah
; 
		db 3 dup(0)
		dd 80000000h
; 

_KFileEvt_Cleanup:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DBA3o
		or	eax, 4100100h
		add	large ds:2000h,	cl
; 
		db 0
		dd 80000000h
; 

_KFileEvt_Create:			; DATA XREF: EtwpFileProvTrace(x,x,x,x):loc_67DB99o
		or	al, 0
		add	[eax], edx
		add	al, 0
		or	al, 0
		mov	al, large ds:0
; 
		db 2 dup(0), 80h
; 

_KFileEvt_NameDelete:			; DATA XREF: EtwpTraceFileName(x,x,x,x,x,x)+116o
		or	eax, [eax]
		add	[eax], dl
		add	al, 0
		or	eax, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KFileEvt_NameCreate:			; DATA XREF: EtwpTraceFileName(x,x,x,x,x,x)+C6o
		or	al, [eax]
		add	[eax], dl
		add	al, 0
		or	al, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_ETW_EVENT_REG_ENTRY_INFO:		; DATA XREF: EtwpTracingProvEnableCallback:loc_93945Ao
					; EtwpEventWriteRegEntry(x,x,x)+91o
		sbb	eax, [eax]
; 
		dw 0
		dd 30005h, 120h, 0
; 

_ETW_EVENT_ENABLE_INFO:			; DATA XREF: EtwpTracingProvEnableCallback+82D30o
					; EtwpTracingProvEnableCallback+82E13o	...
		sbb	al, [eax]
; 
		dw 0
		dd 90005h, 120h, 0
; 

_ETW_EVENT_GROUP_ENTRY_INFO:		; DATA XREF: EtwpTracingProvEnableCallback+82CF8o
					; EtwpTracingProvEnableCallback+82D1Co
		sbb	[eax], eax
; 
		dw 0
		dd 50005h, 900h, 0
; 

_ETW_EVENT_GUID_ENTRY_INFO:		; DATA XREF: EtwpTracingProvEnableCallback:loc_9393F3o
					; EtwpTracingProvEnableCallback+82DFFo
		sbb	[eax], al
; 
		dw 0
		dd 40005h, 120h, 0
; 

_ETW_EVENT_SAVE_PERSISTED_LOGGER_ERROR:	; DATA XREF: EtwpTraceSavePersistedLoggerStop(x,x,x,x,x,x)+26o
		pop	ss
		add	[ecx], al
		adc	[edx], al
		add	[eax], cl
		add	[eax+0], al
; 
		db 2 dup(0), 80h
; 

_ETW_EVENT_SAVE_PERSISTED_LOGGER_STOP:	; DATA XREF: EtwpTraceSavePersistedLoggerStop(x,x,x,x,x,x)+1Co
		push	ss
		add	[ecx], al
		add	[edx+eax], al
		or	[eax], al
		add	byte ptr [eax],	0
; 
		db 0
		align 8

_ETW_EVENT_SESSION_INFO:		; DATA XREF: EtwpTracingProvEnableCallback+82CB1o
					; EtwpEventWriteTemplateSession(x,x,x,x)+10Bo
		adc	al, 0
		add	[eax], eax
		add	eax, 10000200h
		add	[eax], eax
; 
		db 0
		align 8

_ETW_EVENT_USER_STACK_TRACE:		; DATA XREF: EtwpCrimsonStackWalkApc(x,x,x,x,x)+A6o
		adc	al, [eax]
; 
		dw 0
		dd 61804h, 2 dup(0)
; 

_ETW_EVENT_CHANGE_SESSION_SD:		; DATA XREF: EtwpUpdateLoggerSecurityDescriptor(x,x)+8Bo
		adc	[eax], eax
		add	[ecx], dl
		add	eax, 10000214h
; 
		db 3 dup(0)
		dd 40000000h
; 

_ETW_EVENT_MAX_FILE_SIZE_REACHED:	; DATA XREF: EtwpFlushBufferToLogfile+11E857o
					; EtwpEventWriteTemplateMaxFileSize(x,x,x,x,x,x,x,x,x,x)+58o
		add	al, 0
		add	[eax], dl
		add	ecx, [edx]
		add	[eax], eax
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_ETW_EVENT_SESSION_START_FAILED:	; DATA XREF: EtwpStartLogger:loc_911573o
		add	al, [eax]
		add	[eax], dl
		add	cl, [edx+eax]
		add	[eax], dl
; 
		db 3 dup(0)
		dd 80000000h
; 

_ETW_EVENT_BACKING_FILE_FULL:		; DATA XREF: EtwpRealtimeSaveBuffer:loc_90165Eo
					; EtwpRealtimeSaveBuffer+AB16Bo ...
		add	[eax], eax
		add	[eax], dl
		add	ecx, [edx]
		add	[eax], eax
		adc	[eax], al
; 
		dw 0
		dd 80000000h
_ETW_EVENT_WRITE_FAILED	dd 10000000h, 10A02h, 10h, 80000000h
					; DATA XREF: EtwpRealtimeSaveBuffer+AB1A3o
					; EtwpRealtimeSaveBuffer+AB1DCo ...
; 

_KDskEvt_Flush:				; DATA XREF: EtwpDiskProvTraceDisk(x,x,x,x):loc_67D9AEo
		push	cs
; 
		db 2 dup(0), 10h
		dd 4, 0
		dd 80000000h
; 

_KDskEvt_Write:				; DATA XREF: EtwpDiskProvTraceDisk(x,x,x,x)+54o
		or	eax, [eax]
		add	[eax], dl
		add	al, 0
; 
		dw 0
		dd 0
		dd 80000000h
; 

_KDskEvt_Read:				; DATA XREF: EtwpDiskProvTraceDisk(x,x,x,x):loc_67D9B5o
		or	al, [eax]
		add	[eax], dl
		add	al, 0
; 
		dw 0
		dd 0
		dd 80000000h
; 

_KNetEvt_RecvIPV6Udp:			; DATA XREF: EtwpNetProvTraceNetwork(x,x)+D1o
		cmp	eax, [eax]
		add	[eax], dl
		add	al, 2Bh
		or	eax, [eax]
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_SendIPV6Udp:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E139o
		cmp	al, [eax]
		add	[eax], dl
		add	al, 2Ah
		or	eax, [eax]
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_TcpCopyIPV6:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E10Eo
		and	al, [eax]
		add	[eax], dl
		add	al, 12h
		or	al, [eax]
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_ReconnectIPV6:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E107o
		and	[eax], al
		add	[eax], dl
		add	al, 10h
		or	al, [eax]
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_AcceptIPV6:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E100o
		pop	ds
; 
		db 2 dup(0), 10h
		dd 0A0F04h, 20h, 80000000h
; 

_KNetEvt_RetransmitIPV6:		; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E0F9o
		push	ds
; 
		db 2 dup(0), 10h
		dd 0A0E04h, 20h, 80000000h
; 

_KNetEvt_DisconnectIPV6:		; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E0F2o
		sbb	eax, 4100000h
		or	eax, 20000Ah
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_ConnectIPV6:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E0EBo
		sbb	al, 0
		add	[eax], dl
		add	al, 0Ch
		or	al, [eax]
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_RecvIPV6:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E0E4o
		sbb	eax, [eax]
		add	[eax], dl
		add	al, 0Bh
		or	al, [eax]
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_SendIPV6:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E0DDo
		sbb	al, [eax]
		add	[eax], dl
		add	al, 0Ah
		or	al, [eax]
		and	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_FailUdp:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E140o
		xor	[eax], eax
		add	[eax], dl
		add	al, 31h
		or	eax, [eax]
		xor	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_RecvIPV4Udp:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E147o
		sub	eax, [eax]
		add	[eax], dl
		add	al, 2Bh
		or	eax, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_SendIPV4Udp:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E115o
		sub	al, [eax]
		add	[eax], dl
		add	al, 2Ah
		or	eax, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_TcpCopyIPV4:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E0D6o
		adc	al, [eax]
		add	[eax], dl
		add	al, 12h
		or	al, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_Fail:				; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E0CFo
		adc	[eax], eax
		add	[eax], dl
		add	al, 11h
		or	al, [eax]
		xor	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_ReconnectIPV4:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E0C8o
		adc	[eax], al
		add	[eax], dl
		add	al, 10h
		or	al, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_AcceptIPV4:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E0BEo
		sldt	word ptr [eax]
		adc	[edi+ecx], al
		or	al, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_RetransmitIPV4:		; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E0B4o
		push	cs
; 
		db 2 dup(0), 10h
		dd 0A0E04h, 10h, 80000000h
; 

_KNetEvt_DisconnectIPV4:		; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E0AAo
		or	eax, 4100000h
		or	eax, 10000Ah
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_ConnectIPV4:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E0A0o
		or	al, 0
		add	[eax], dl
		add	al, 0Ch
		or	al, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_RecvIPV4:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E096o
		or	eax, [eax]
		add	[eax], dl
		add	al, 0Bh
		or	al, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KNetEvt_SendIPV4:			; DATA XREF: EtwpNetProvTraceNetwork(x,x):loc_67E08Co
		or	al, [eax]
		add	[eax], dl
		add	al, 0Ah
		or	al, [eax]
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_KitFeatureIdUsedEvent:			; DATA XREF: KitLogFeatureUsage(x,x,x)+44o
					; KitLogFeatureUsage(x,x,x)+141o
		pop	es
; 
		db 3 dup(0)
		dd 70004h, 2 dup(0)
; 

_AdminlessAccessFailureLog:		; DATA XREF: EtwTraceAdminlessAccessFailure(x,x,x,x)+36Fo
					; EtwTraceLpacAccessFailure(x)+4Ao
		add	[eax], eax
		add	[eax], dl
		add	al, [eax]
		add	[eax], eax
; 
		dd 0
		dd 80000000h
; 

_REGISTRY_PERF_EVENT_HIVE_SAVE_STOP:	; DATA XREF: CmpTraceHiveSaveStop(x)+14o
		sub	eax, 4110000h
		add	al, [edi]
; 
		db 0
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_SAVE_TREE_COPIED: ; DATA XREF: CmpTraceHiveSaveTreeCopied()+14o
		sub	eax, [eax]
		add	[ecx], dl
		add	al, 0Bh
		pop	es
; 
		db 0
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_SAVE_FILE_COPIED: ; DATA XREF: CmpTraceHiveSaveFileCopied()+14o
		sub	al, [eax]
		add	[ecx], dl
		add	al, 0Ah
		pop	es
; 
		db 0
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_SAVE_START:	; DATA XREF: CmpTraceHiveSaveStart(x)+15o
		sub	[eax], eax
		add	[ecx], dl
		add	al, 1
		pop	es
; 
		db 0
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_RESTORE_STOP:	; DATA XREF: CmpTraceHiveRestoreStop(x)+14o
		sub	[eax], al
		add	[ecx], dl
		add	al, 2
		push	es
; 
		db 0
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_RESTORE_START: ; DATA	XREF: CmpTraceHiveRestoreStart(x,x)+20o
		daa
; 
		db 2 dup(0), 11h
		dd 60104h, 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_SHUTDOWN_STOP:	; DATA XREF: CmpTraceShutdownStop()+14o
		and	al, 0
		add	[ecx], dl
		add	al, 2
		add	al, 0
; 
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_SHUTDOWN_FLUSH_STOP: ; DATA XREF: CmpTraceShutdownFlushStop()+14o
		and	eax, [eax]
		add	[ecx], dl
		add	al, 0Ch
		add	al, 0
; 
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_SHUTDOWN_FLUSH_START: ; DATA XREF:	CmpTraceShutdownFlushStart()+14o
		and	al, [eax]
		add	[ecx], dl
		add	al, 0Bh
		add	al, 0
; 
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_SHUTDOWN_RUNDOWN_COMPLETE:
					; DATA XREF: CmpTraceShutdownRundownComplete()+14o
		and	[eax], eax
		add	[ecx], dl
		add	al, 1
		add	al, 0
; 
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_SHUTDOWN_START:	; DATA XREF: CmpTraceShutdownStart()+14o
		and	[eax], al
		add	[ecx], dl
		add	al, 1
		add	al, 0
; 
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_FLUSH_FINISH_WAIT_FOR_ACTIVE:
					; DATA XREF: CmpTraceHiveFlushFinishWaitForActive()+14o
		push	ds
; 
		db 2 dup(0), 11h
		dd 31104h, 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_FLUSH_START_WAIT_FOR_ACTIVE:
					; DATA XREF: CmpTraceHiveFlushStartWaitForActive()+14o
		sbb	eax, 4110000h
		adc	[ebx], al
; 
		db 0
		dd 0
		dd 40000000h
; 

_REGISTRY_PERF_EVENT_HIVE_MOUNT_LOG_ENTRY_APPLIED:
					; DATA XREF: CmpTraceHiveMountLogEntryApplied(x,x)+14o
		adc	al, [eax]
		add	[ecx], dl
		add	al, 0Bh
		add	[eax], eax
; 
		dd 0
		dd 40000000h
; 

_ETW_REGISTRY_EVENT_SET_SECURITY_KEY:	; DATA XREF: EtwpRegTraceCallback(x,x,x)+311o
		sldt	word ptr [eax]
		adc	[esi+ebp], al
; 
		dw 0
		dd 4, 80000000h
; 

_ETW_REGISTRY_EVENT_QUERY_SECURITY_KEY:	; DATA XREF: EtwpRegTraceCallback(x,x,x)+31Fo
		push	cs
; 
		db 2 dup(0), 10h
		dd 2D04h, 2, 80000000h
; 

_ETW_REGISTRY_EVENT_CLOSE_KEY:		; DATA XREF: EtwpRegTraceCallback(x,x,x)+193o
		or	eax, 4100000h
		sub	al, 0
		add	[ecx], al
; 
		db 3 dup(0)
		dd 80000000h
; 

_ETW_REGISTRY_EVENT_FLUSH_KEY:		; DATA XREF: EtwpRegTraceCallback(x,x,x)+32Do
		or	al, 0
		add	[eax], dl
		add	al, 2Bh
; 
		dw 0
		dd 80h,	80000000h
; 

_ETW_REGISTRY_EVENT_SET_INFORMATION_KEY: ; DATA	XREF: EtwpRegTraceCallback(x,x,x)+277o
		or	eax, [eax]
		add	[eax], dl
		add	al, 2Ah
; 
		dw 0
		dd 40h,	80000000h
; 

_ETW_REGISTRY_EVENT_QUERY_MULTIPLE_VALUE_KEY: ;	DATA XREF: EtwpRegTraceCallback(x,x,x)+3AFo
		or	al, [eax]
		add	[eax], dl
		add	al, 29h
; 
		dw 0
		dd 20h,	80000000h
; 

_ETW_REGISTRY_EVENT_ENUMERATE_VALUE_KEY: ; DATA	XREF: EtwpRegTraceCallback(x,x,x)+1FBo
		or	[eax], eax
		add	[eax], dl
		add	al, 28h
; 
		dw 0
		dd 10h,	80000000h
; 

_ETW_REGISTRY_EVENT_ENUMERATE_KEY:	; DATA XREF: EtwpRegTraceCallback(x,x,x):loc_9F6736o
		or	[eax], al
		add	[eax], dl
		add	al, 27h
; 
		dw 0
		dd 800h, 80000000h
; 

_ETW_REGISTRY_EVENT_QUERY_VALUE_KEY:	; DATA XREF: EtwpRegTraceCallback(x,x,x)+3DBo
		pop	es
; 
		db 2 dup(0), 10h
		dd 2604h, 400h,	80000000h
; 

_ETW_REGISTRY_EVENT_DELETE_VALUE_KEY:	; DATA XREF: EtwpRegTraceCallback(x,x,x):loc_9F6690o
		push	es
; 
		db 2 dup(0), 10h
		dd 2504h, 200h,	80000000h
; 

_ETW_REGISTRY_EVENT_SET_VALUE_KEY:	; DATA XREF: EtwpRegTraceCallback(x,x,x)+BFo
		add	eax, 4100000h
		and	al, 0
; 
		db 0
		dd 100h, 80000000h
; 

_ETW_REGISTRY_EVENT_QUERY_KEY:		; DATA XREF: EtwpRegTraceCallback(x,x,x)+2C6o
		add	al, 0
		add	[eax], dl
		add	al, 23h
; 
		dw 0
		dd 8000h, 80000000h
; 

_ETW_REGISTRY_EVENT_DELETE_KEY:		; DATA XREF: EtwpRegTraceCallback(x,x,x)+129o
		add	eax, [eax]
		add	[eax], dl
		add	al, 22h
; 
		dw 0
		dd 4000h, 80000000h
; 

_ETW_REGISTRY_EVENT_OPEN_KEY:		; DATA XREF: EtwpRegTraceCallback(x,x,x)+33Eo
		add	al, [eax]
		add	[eax], dl
		add	al, 21h
; 
		dw 0
		dd 2000h, 80000000h
; 

_ETW_REGISTRY_EVENT_CREATE_KEY:		; DATA XREF: EtwpRegTraceCallback(x,x,x)+36Co
		add	[eax], eax
		add	[eax], dl
		add	al, 20h
; 
		dw 0
		dd 1000h, 80000000h
; 

_ServerSiloTerminateCallbackStop:	; DATA XREF: EtwTraceJobServerSiloMonitorCallback+80C3Co
		sbb	al, [eax]
		add	[eax], dl
		add	al, 2
		adc	eax, [eax]
		add	[eax+0], al
; 
		db 0
		dd 80000000h
; 

_ServerSiloTerminateCallbackStart:	; DATA XREF: EtwTraceJobServerSiloMonitorCallback:loc_5F955Co
		sbb	[eax], eax
		add	[eax], dl
		add	al, 1
		adc	eax, [eax]
		add	[eax+0], al
; 
		db 0
		dd 80000000h
; 

_JobServerSiloStateChange:		; DATA XREF: EtwTraceJobServerSiloStateChange(x,x)+23o
					; EtwTraceJobServerSiloStateChange(x,x)+64o
		push	ss
; 
		db 2 dup(0), 10h
		dd 130004h, 4000h, 80000000h
; 

_PsIoRateControlStop:			; DATA XREF: EtwTracePsIoRateControl:loc_73E4E0o
		adc	al, 0
		add	dl, [eax]
		add	al, 2
		adc	[eax], eax
		add	[eax], dl
; 
		dw 0
		dd 80000000h
; 

_ProcessRundown:			; DATA XREF: EtwpPsProvTraceProcess+177799o
		sldt	word ptr [ecx]
		adc	[eax+eax], al
		lldt	word ptr [eax]
; 
		db 3 dup(0)
		dd 80000000h
; 

_JobTerminate:				; DATA XREF: EtwpPsProvTraceJob(x,x,x)+31o
		push	cs
; 
		db 2 dup(0), 10h
		dd 0E0204h, 400h, 80000000h
; 

_ProcessThawEvent:			; DATA XREF: EtwTraceFreezeThawProcess(x,x)+64o
		or	al, 0
		add	[eax], edx
		add	al, 2
		or	eax, [eax]
		add	[edx], al
; 
		dw 0
		dd 80000000h
; 

_ProcessFreezeEvent:			; DATA XREF: EtwTraceFreezeThawProcess(x,x)+5Bo
		or	eax, [eax]
		add	[eax], edx
		add	al, 1
		or	eax, [eax]
		add	[edx], al
; 
		dw 0
		dd 80000000h
; 

_ThreadIoPriorityChange:		; DATA XREF: EtwpPsProvTracePriority(x,x,x,x)+31o
		or	al, [eax]
		add	[eax], dl
		add	al, 0
		or	al, [eax]
		add	[ecx], al
; 
		dw 0
		dd 80000000h
; 

_ThreadPagePriorityChange:		; DATA XREF: EtwpPsProvTracePriority(x,x,x,x):loc_67E201o
		or	[eax], eax
		add	[eax], dl
		add	al, 0
		or	[eax], eax
		add	[ecx], al
; 
		dw 0
		dd 80000000h
; 

_ThreadCpuPriorityChange:		; DATA XREF: EtwpPsProvTracePriority(x,x,x,x):loc_67E20Fo
		or	[eax], al
		add	[eax], dl
		add	al, 0
		or	[eax], al
		add	byte ptr [eax],	0
; 
		db 0
		dd 80000000h
; 

_ThreadCpuBasePriorityChange:		; DATA XREF: EtwpPsProvTracePriority(x,x,x,x):loc_67E208o
		pop	es
; 
		db 2 dup(0), 10h
		dd 70004h, 80h,	80000000h
; 

_VsmPerformanceData:			; DATA XREF: EtwpTraceSystemInitialization+1183Eo
					; EtwpTraceSystemInitialization+11884o
		pop	ss
; 
		db 3 dup(0)
		dd 90004h, 80h,	0
; 

_KernelTimeZoneBiasChange:		; DATA XREF: EtwTraceTimeZoneBiasChange(x,x)+A8o
		push	ss
; 
		db 2 dup(0), 8
		dd 80004h, 10h,	80000000h
; 

_KernelLeapSecondDataParseFailure:	; DATA XREF: EtwTraceLeapSecondDataParseFailure(x)+87o
		adc	eax, 3080000h
		add	[edi], al
		add	[eax], dl
; 
		db 3 dup(0)
		dd 80000000h
; 

_SoftBootInfo:				; DATA XREF: EtwpTraceSystemInitialization+11906o
		adc	al, [eax]
		add	[eax], cl
		add	al, 0
		add	eax, [eax]
		add	byte ptr [eax],	0
; 
		db 0
		dd 80000000h
; 

_TokenSidManagementLog:			; DATA XREF: SepLogTokenSidManagement(x,x,x,x,x)+3ABo
		adc	[eax], eax
; 
		dw 0
		align 10h
		dd 40h,	0
; 

_REG_EVENT_REORGANIZE:			; DATA XREF: CmpLogReorganizeEvent(x,x,x)+6Bo
		sldt	word ptr [eax]
		or	[eax+eax], al
		or	al, [eax]
; 
		dd 0
		dd 80000000h
; 

_AccessCheckLog:			; DATA XREF: SeLogAccessFailure+D61C7o
		push	cs
; 
		db 3 dup(0)
		dd 2, 20h, 0
; 

_KernelSystemStop:			; DATA XREF: EtwpTraceSystemShutdown()+B0o
		or	eax, 4080000h
		add	[edx], al
		add	[eax+0], al
; 
		db 2 dup(0), 80h
; 

_REG_EVENT_FLUSH_IO_FAIL:		; DATA XREF: HvpFinishPrimaryWrite+18AE14o
		push	es
; 
		db 2 dup(0), 8
		dd 2, 0
		dd 80000000h
; 

_KernelLicensingCacheCorruptionFixed:	; DATA XREF: SLUpdateLicenseDataInternal(x,x,x)+973o
		add	eax, [eax]
		add	[eax], cl
		add	al, 0
; 
		dw 0
		dd 0
		dd 80000000h
; 

_KernelLicensingCacheCorrupt:		; DATA XREF: ExInitLicenseData:loc_9079AEo
					; ExpLoadAndSortLicensingCacheDescriptors:loc_907E3Eo
		add	al, [eax]
		add	[eax], cl
		add	al, 0
; 
		dw 0
		dd 0
		dd 80000000h
; 

_WDI_SEM_EVENT_SQM_ADD_TO_STREAM:	; DATA XREF: WdipSemSqmAddToStream(x,x,x)+156o
					; WdipSemSqmEnabled()+20o
		sub	eax, 4000000h
; 
		db 3 dup(0)
		dd 0
		dd 80000h
; 

_WDI_SEM_EVENT_SQM_INCREMENT_DWORD:	; DATA XREF: WdipSemSqmEnabled()+10o
					; WdipSemSqmIncrementDword(x,x)+70o
		sub	al, 0
; 
		dw 0
		dd 4, 0
		dd 80000h
; 

_WDI_SEM_EVENT_INIT_MISCONFIG:		; DATA XREF: WdipSemLoadScenarioTable:loc_92DFF5o
					; WdipSemWriteMisconfigEvent(x,x,x)+4Eo
		sub	al, [eax]
		add	[edx], dl
		add	dl, [eax]
		or	al, [eax]
; 
		dd 0
		dd 20000000h
; 

_WDI_SEM_EVENT_INIT_PROVIDER_MAX:	; DATA XREF: WdipSemUpdateProviderTableWithEvent:loc_92E145o
					; WdipSemWriteProviderLimitExceededEvent(x)+32o
		sub	[eax], eax
		add	[edx], dl
		add	dl, [edx+ecx]
; 
		db 0
		dd 0
		dd 20000000h
; 

_WDI_SEM_EVENT_INIT_SCENARIO_END_EVENT_MAX: ; DATA XREF: WdipSemLoadNextScenario:loc_92E0F9o
		sub	[eax], al
		add	[edx], dl
		add	dl, [ebx]
		or	al, [eax]
; 
		dd 0
		dd 20000000h
; 

_WDI_SEM_EVENT_INIT_SCENARIO_CONTEXT_PROVIDER_MAX:
					; DATA XREF: WdipSemLoadNextScenario:loc_92E100o
		daa
; 
		db 2 dup(0), 12h
		dd 0A1202h, 0
		dd 20000000h
; 

_WDI_SEM_EVENT_INIT_SCENARIO_MAX:	; DATA XREF: WdipSemLoadScenarioTable:loc_92E030o
					; WdipSemLoadScenarioTable+94D35o
		add	es:[eax], al
		adc	al, [edx]
		adc	[edx], ecx
; 
		db 0
		dd 0
		dd 20000000h
; 

_WDI_SEM_EVENT_SCENARIO_INFLIGHT_MAX:	; DATA XREF: WdipSemLogInflightLimitExceededInformation(x,x,x)+40o
					; WdipSemLogInflightLimitExceededInformation(x,x,x)+A2o ...
		and	eax, [eax]
		add	[ecx], dl
		add	ecx, [edi]
		or	[eax], eax
; 
		dd 0
		dd 40000000h
; 

_WDI_SEM_EVENT_SCENARIO_TIMEOUT:	; DATA XREF: WdipSemLogTimeoutInformation(x,x,x)+8o
					; WdipSemWriteTimeoutEvent(x,x,x)+41o
		and	al, [eax]
		add	[eax], dl
		add	ecx, [ecx+ecx]
; 
		db 0
		dd 0
		dd 80000002h
aBackupcount:				; DATA XREF: .data:006B34B4o
		unicode	0, <BackupCount>,0
; 

_LogEntryChunkSizes:			; DATA XREF: MiMakeSystemRangeAvailable:loc_5A912Dr
		inc	dword ptr [eax]
; 
		dw 0
		dd 80h,	40h, 20h, 10h, 8, 4, 2,	1, 0
aRegistryMac_11:
		unicode	0, <\REGISTRY\MACHINE\SYSTEM\CONTROLSET001>,0
		align 4
aRegistryComroo:
		unicode	0, <\REGISTRY\COMROOT\CLASSES>,0
aRegistryMac_13:
		unicode	0, <\REGISTRY\MACHINE\SOFTWARE>,0
		align 4
dword_4270C4	dd 1			; DATA XREF: DbgkUserReportWorkRoutine(x)+13Fo
dword_4270C8	dd 95BABA28h, 49C9ED26h, 0B1934FB7h, 49B8E170h
					; DATA XREF: DbgkpLkmdSqmIncrementDword(x,x,x,x)+54o
dword_4270D8	dd 0A97524F6h, 4C4E064Ch, 0CC1A4BB7h, 0D70C387h
					; DATA XREF: DbgkCaptureLiveDump(x,x,x,x)+AEo
; 

_FsRtlHalfSecond:			; DATA XREF: FsRtlCreateSectionForDataScan:loc_5C9549o
		sal	byte ptr [ebx+esi*4-1],	0FFh

_Microsoft_Windows_Storage_Tiering_IoHeatLevels: ; DATA	XREF: .data:006B34ECo
		add	al, 4
		add	al, 4
		add	al, 0
; 
		dw 0
; 

_TieredStorage_HeatDelete:		; DATA XREF: FsRtlHeatLogIo(x,x,x,x,x)+36o
		add	al, 0
		add	[eax], dl
		add	al, 0
		add	al, [eax]
		and	[ecx], al
; 
		dw 0
		dd 80000000h
; 

_TieredStorage_HeatWrite:		; DATA XREF: FsRtlHeatLogIo(x,x,x,x,x)+5Co
		add	eax, [eax]
		add	[eax], dl
		add	al, 0
		add	al, [eax]
		mov	al, large ds:0
; 
		db 2 dup(0), 80h
; 

_Microsoft_Windows_Storage_Tiering_IoHeatKeywords: ; DATA XREF:	.data:006B34E8o
		adc	[eax], al
; 
		dw 0
		dd 80000000h, 60h, 80000000h, 0A0h, 80000000h, 120h, 80000000h
		dd 220h, 80000000h
; 

_TieredStorage_TierMove:		; DATA XREF: McTemplateK0xxxqqqq_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x)+68o
		add	eax, 4100000h
		add	[edx], al
		add	[eax], ah
		add	al, [eax]
; 
		db 0
		dd 80000000h
; 

_MS_StorageTiering_Provider:		; DATA XREF: FsRtlpHeatRegisterVolume(x,x,x)+EEo
		cld
		push	ebp
		or	al, 99h
		bound	esp, [esi]
		test	byte ptr [edi-49h], 0D7h
		jmp	short near ptr dword_427198
; 
		add	bh, [ecx+esi*4+3Fh]

_TieredStorage_HeatRead:		; DATA XREF: FsRtlHeatLogIo(x,x,x,x,x)+88o
		add	al, [eax]
		add	[eax], dl
		add	al, 0
		add	al, [eax]
		pusha
; 
		db 3 dup(0)
		dd 80000000h
; 

_TieredStorage_NewVolume:		; DATA XREF: McTemplateK0jq_EtwWriteTransfer(x,x,x,x,x):loc_603014o
		add	[eax], eax
		add	[eax], dl
		add	al, 0
		add	[eax], eax
		adc	[eax], al
; 
		dw 0
		dd 80000000h
; 

_HV_EVENTLOG_IOMMU_FAILED_INVALID_IOAPIC: ; DATA XREF: HvlpLogIommuEvent(x):loc_606DDDo
		xchg	eax, ebx
; 
		db 2 dup(0), 8
		dd 2, 0
		dd 80004000h
; 

_HV_EVENTLOG_GUEST_STATE_SCRUBBING:	; DATA XREF: HvlpLogGuestStateScrubbingStatus()+1FCo
		pushf
; 
		db 2 dup(0), 8
		align 8
dword_427198	dd 0			; CODE XREF: .text:0042715Aj
		dd 80004000h
; 

_HV_EVENTLOG_BAL_TOO_MANY_RS_MEMORY_RANGES:
					; DATA XREF: HvlpLogHypervisorLaunchError(x,x,x,x,x,x,x,x,x,x)+5Co
		inc	eax
; 
		db 2 dup(0), 8
		dd 2, 0
		dd 80004000h
; 

_HV_EVENTLOG_IOMMU_FAILED_RID_CONFLICT:	; DATA XREF: HvlpLogIommuEvent(x):loc_606DF1o
		xchg	eax, ecx
; 
		db 2 dup(0), 8
		dd 2, 0
		dd 80004000h
; 

_HV_EVENTLOG_PROCESSOR_STARTUP_FAILED:	; DATA XREF: HvlpLogProcessorStartupFailure(x,x,x)+3Eo
		pusha
; 
		db 2 dup(0), 8
		dd 2, 0
		dd 80004000h
; 

_HV_EVENTLOG_IOMMU_FAILED_RESERVED_DEVICE: ; DATA XREF:	HvlpLogIommuEvent(x)+4Do
		xchg	eax, ebp
; 
		db 2 dup(0), 8
		dd 2, 0
		dd 80004000h
; 

_HV_EVENTLOG_GUEST_STATE_SCRUBBING_DISABLED_CORE_SCHEDULER:
					; DATA XREF: HvlpLogGuestStateScrubbingStatus()+312o
		popf
; 
		db 2 dup(0), 8
		dd 3, 0
		dd 80004000h
; 

_HV_EVENTLOG_PROCESSOR_CPUID_VALIDATION_ERROR:
					; DATA XREF: HvlpLogProcessorStartupFailure(x,x,x)+72o
		popa
; 
		db 2 dup(0), 8
		dd 2, 0
		dd 80004000h
; 

_HV_EVENTLOG_IOMMU_INIT:		; DATA XREF: HvlpLogIommuInitStatus()+17Eo
		add	dword ptr [eax], 40800h
; 
		dw 0
		dd 0
		dd 80004000h
; 

_HV_EVENTLOG_BAL_HYPERVISOR_INIT_FAILED:
					; DATA XREF: HvlpLogHypervisorLaunchError(x,x,x,x,x,x,x,x,x,x)+48o
		aas
; 
		db 2 dup(0), 8
		dd 2, 0
		dd 80004000h
; 

_HV_EVENTLOG_IOMMU_INIT_POLICY_ENABLE:	; DATA XREF: HvlpLogIommuInitStatus()+208o
		add	byte ptr [eax],	0
		or	[ebx], al
; 
		db 3 dup(0)
		dd 0
		dd 80000000h
; 

_HV_EVENTLOG_MDS_MITIGATION_STATUS:	; DATA XREF: HvlpLogGuestStateScrubbingStatus()+2CEo
		movsd
; 
		db 2 dup(0), 8
		dd 4, 0
		dd 80004000h
; 

_HV_EVENTLOG_IOMMU_WARNING_SCOPE_CONFLICT: ; DATA XREF:	HvlpLogIommuEvent(x):loc_606DF8o
		nop
; 
		db 2 dup(0), 8
		dd 3, 0
		dd 80004000h
; 

_HvlGlobalSystemEventsGuid:		; DATA XREF: HvlpEtwRegister()+Co
		clc
		mov	esp, edi
		push	edx
		pop	esi
		cdq
		dec	esp
		inc	ebx
		test	eax, 8699191Eh
		inc	esp
		cwde
		nop

_HV_EVENTLOG_IOMMU_FAILED_NO_DEVICE_ASSIGNMENT:	; DATA XREF: HvlpLogIommuEvent(x)+5Ao
		xchg	eax, esp
; 
		db 2 dup(0), 8
		dd 2, 0
		dd 80004000h
; 

_HV_EVENTLOG_SCHEDULER_TYPE:		; DATA XREF: HvlpLogHypervisorSchedulerType()+28o
		add	al, [eax]
		add	[eax], cl
		add	al, 0
; 
		dw 0
		dd 0
		dd 80004000h
; 

_HV_EVENTLOG_IOMMU_FAILED_NO_RESOURCES:	; DATA XREF: HvlpLogIommuEvent(x):loc_606DEAo
		xchg	eax, edx
; 
		db 2 dup(0), 8
		dd 2, 0
		dd 80004000h
_Palette	db 3 dup(0)		; DATA XREF: BgkSetTextColor(x)+19o
					; BgkSolidColorFill(x,x,x,x,x)+35o
; 

loc_427293:				; CODE XREF: .text:004272EEj
		inc	dword ptr [eax]
		add	[edi+edi*8-0FF7C00h], al
		add	[esp+eax*4+84FFh], al
		inc	dword ptr [eax+eax-7B7B007Ch]
		add	bh, bh
		test	[esp+eax*4-39393901h], al
		inc	dword ptr [eax]
		add	bh, bh
		inc	dword ptr [eax]
		inc	dword ptr [eax]
		inc	dword ptr [eax]
; 
		db 3 dup(0FFh)
		dd 0FF0000FFh, 0FFFF00FFh, 0FF00FFFFh, 0FFFFFFFFh
; 

_ECP_TYPE_IO_STOP_ON_SYMLINK_FILTER_GUID:
					; DATA XREF: IopCheckAndUpdateStopOnSymlinkEcp(x,x,x)+1Ao
		push	esi
		pop	ebp
		push	cs
		xchg	eax, esp
		inc	esi
		push	ss
		cmp	al, 4Dh
		xchg	esi, [esi+6AC37E57h]
		adc	al, 66h

_GUID_ECP_IO_DEVICE_HINT:		; DATA XREF: IopCheckTopDeviceHint+12AAB6o
		xor	dh, [edi-53940CEBh]
		dec	ebp
		dec	ebp

loc_4272E8:				; CODE XREF: .text:00427321j
		mov	esi, 6412B30Ch
		nop
		loope	loc_427293

_GUID_DOCK_INTERFACE:			; DATA XREF: IopQueryDockRemovalInterface(x,x)+15o
		cmc
		outsd
		xchg	eax, ebp
		test	eax, 11D313DAh
		xchg	eax, edi
		fild	dword ptr [eax]
		mov	al, ds:2E5240C9h

_GUID_DEVICE_INVALID_ID:		; DATA XREF: PnpSetInvalidIDEvent(x):loc_980396o
		xor	ebx, [ebx-747AA85Ch]
		jnz	short near ptr loc_427355+1
		mov	al, ds:0E26C1681h
		inc	ecx
		hlt
		pop	es

_GUID_DEVINST_REMOVE_COMPLETE:		; DATA XREF: PnpSetDeviceInstanceRemovalEvent(x)+40o
		insd
		fisttp	qword ptr [esi+72h]
		xor	ebp, eax
		add	byte ptr [esi-66h], 79h
		test	al, 0F5h
		lea	edx, [eax]
		test	dl, 21h		; DATA XREF: PnpSetBlockedDriverEvent(x):loc_9801F2o
		jp	short near ptr loc_4272E8+3
		sbb	edi, edi
		mov	ds:0AA9647A6h, eax
		insd
		add	[ecx], ecx
		push	es
		sbb	byte ptr [edx+13h], 1Ch
					; DATA XREF: PnpSetPowerVetoEvent(x,x,x,x,x,x)+F4o
		mov	dl, 3
		setalc
		sbb	bl, dl
		adc	[edi-365FFF25h], edx
		inc	eax
		push	edx
		db	2Eh		; DATA XREF: PnpSetPowerVetoEvent(x,x,x,x,x,x)+E3o
		stc
		sal	esp, 0CBh
		aad	18h
		rcl	dword ptr [ecx], cl
		xchg	eax, edi
		fild	dword ptr [eax]
		mov	al, ds:2E5240C9h

_GUID_DEVICE_HIBERNATE_VETOED:		; DATA XREF: PnpSetPowerVetoEvent(x,x,x,x,x,x):loc_9804CFo
		fnstcw	word ptr [edx]
		pop	ss
		popa
		dec	edi

loc_427355:				; CODE XREF: .text:00427306j
		sbb	ebx, edx

loc_427357:				; CODE XREF: _GUID_BUS_TYPE_PCI+2j
		adc	[edi-365FFF24h], edx
		inc	eax
		push	edx
		db	2Eh, 67h	; DATA XREF: PnpSetDeviceRemovalSafe(x,x,x)+6Ao
		stc
		mov	esi, 0D2D6C58Fh
		adc	[edi-365FFF4Bh], edx
		inc	eax
		push	edx
; 
		db 2Eh
; 

_GUID_DEVICE_SURPRISE_REMOVAL:		; DATA XREF: PnpProcessQueryRemoveAndEject(x)+33Bo
		add	al, dh
		pop	edx
		into
		fld	qword ptr [eax-7257EE2Eh]
		add	[eax+4B6B69C9h], ah

_GUID_PARTITION_UNIT_INTERFACE_STANDARD: ; DATA	XREF: PnprQueryReplaceFeatures(x,x)+4Bo
					; PnprIdentifyUnits(x,x,x,x)+2Ao
		pop	ebx
		aas
		db	36h
		push	edx
		xchg	eax, ecx
		fcomp	dword ptr [ebx-516A7EBEh]
; 
		db 0C5h
		dd 3C85F6FEh

;  S U B	R O U T	I N E 


_GUID_BUS_TYPE_PCI proc	near		; DATA XREF: PAGE:off_A3FD90o
					; PAGE:00A3FDA4o
		mov	al, 0DFh
		jmp	short near ptr loc_427357+5
_GUID_BUS_TYPE_PCI endp

; 
		adc	[ebp-1A7FEE30h], dh
		add	[eax-1CBDDA37h], ah

;  S U B	R O U T	I N E 


_GUID_BUS_RESOURCE_UPDATE_INTERFACE proc near
					; DATA XREF: IopQueryBusResourceUpdateInterface(x,x)+30o
		sub	eax, 0B227D010h
		mov	edi, 0DD814164h
		fstp	tbyte ptr [eax+488B962Fh]

; void GUID_KERNEL_SOFT_RESTART_CANCEL
_GUID_KERNEL_SOFT_RESTART_CANCEL:	; DATA XREF: PipKsrCallback(x,x,x)+39o
					; PipKsrIsNotificationRequired(x,x)+10o ...
		out	37h, eax
		xlat
		xor	[ebx], ecx
		mov	word ptr [edx-60916ABAh], cs
		inc	ebx
		db	3Eh
		retn
_GUID_BUS_RESOURCE_UPDATE_INTERFACE endp

; 
		pop	eax
		sti

; void GUID_KERNEL_SOFT_RESTART_PREPARE
_GUID_KERNEL_SOFT_RESTART_PREPARE:	; DATA XREF: PipKsrCallback(x,x,x)+4Do
					; PipKsrIsNotificationRequired(x,x)+29o ...
		out	dx, eax
		cmp	eax, 0A85CDE37h
		jbe	short near ptr loc_427414+3
; 
		dd 6BF9BF8Ch, 0FD18BEAh

;  S U B	R O U T	I N E 


_GUID_RECOVERY_NVMED_PREPARE_SHUTDOWN proc near
					; DATA XREF: PipKsrCallback(x,x,x):loc_9881CEo
		jmp	far ptr	0BBDh:0E74B9770h
_GUID_RECOVERY_NVMED_PREPARE_SHUTDOWN endp

; 
		db 40h
		dd 684FB9A9h, 2ACC544Fh

;  S U B	R O U T	I N E 


_GUID_RECOVERY_PCI_PREPARE_SHUTDOWN proc near ;	DATA XREF: PipKsrCallback(x,x,x)+1Do
		fimul	word ptr [ecx-78FB6F28h]
		iret
_GUID_RECOVERY_PCI_PREPARE_SHUTDOWN endp

; 
		db 44h
		dd 85ED1581h, 0DAB2D228h

;  S U B	R O U T	I N E 


; void GUID_HWPROFILE_QUERY_CHANGE
_GUID_HWPROFILE_QUERY_CHANGE proc far	; DATA XREF: IoReportTargetDeviceChange(x,x)+2B9o
					; PnpRequestHwProfileChangeNotification(x,x,x,x)+1Fo ...
		add	[eax+3Ah], eax
		retf
_GUID_HWPROFILE_QUERY_CHANGE endp

; 
		dd 11D046F0h, 60008FB0h, 3F051397h
; 

_GUID_IO_VOLUME_CHANGE:			; DATA XREF: NtSetVolumeInformationFile(x,x,x,x,x)+355o
		dec	edx
		db	65h
		jnb	short near ptr locret_427476+1
		sub	al, [ecx-3841EE30h]
		or	[eax], al
		sub	esp, edx
		or	[edi], ebp

; void GUID_DEVCLASS_SMRDISK
_GUID_DEVCLASS_SMRDISK:			; DATA XREF: SC_DISK::Initialize(void)+15o
		and	edi, [eax+ecx*2+53h]

loc_427414:				; CODE XREF: .text:004273C6j
		punpckhbw mm0, qword ptr [ebp+1FC3AC45h]
		adc	dh, dl
		ja	short near ptr byte_42749D
; 
		db 82h
; 

; void PARTITION_SYSTEM_GUID
_PARTITION_SYSTEM_GUID:			; DATA XREF: SiValidateSystemPartition+D76A1o
					; SiFindSystemPartition(x)+68o	...
		sub	[ebx+2Ah], dh
		rcr	dword ptr [edi], 0F8h
		rcl	byte ptr [ecx],	cl

loc_427428:				; CODE XREF: .text:_GUID_IO_VOLUME_LOCKj
		mov	edx, 0C9A0004Bh
		db	3Eh
		leave

loc_42742F:				; DATA XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+226o
					; VhdiMountVhdFile(x)+142o
		cmp	eax, [eax]
; 
		db 3 dup(0)
		align 10h

_GUID_IO_VOLUME_CHANGE_SIZE:		; DATA XREF: FsRtlNotifyVolumeEventEx:loc_910445o
		mov	esi, 33A1625h
		lodsd
		icebp
		dec	ecx
; 
		dd 0BA6BF88Eh
		db 0C1h
; 
; START	OF FUNCTION CHUNK FOR _GUID_IO_VOLUME_WORM_NEAR_FULL

loc_42744D:				; CODE XREF: _GUID_IO_VOLUME_WORM_NEAR_FULL+Bj
		adc	cl, 0FDh
; END OF FUNCTION CHUNK	FOR _GUID_IO_VOLUME_WORM_NEAR_FULL

;  S U B	R O U T	I N E 


_GUID_IO_VOLUME_PREPARING_EJECT	proc near ; DATA XREF: FsRtlNotifyVolumeEventEx:loc_91043Bo
		outsb
		mov	cl, 9Eh
		mov	dword ptr [ebp+ecx+6CA84E7Ah], 0AAEE5CB2h
		mov	dh, dh

_GUID_IO_VOLUME_INFO_MAKE_COMPAT:	; CODE XREF: .text:_GUID_IO_VOLUME_DISMOUNT_FAILEDj
					; DATA XREF: FsRtlNotifyVolumeEventEx:loc_910431o
		shl	byte ptr [eax-107FC547h], cl
		iret
_GUID_IO_VOLUME_PREPARING_EJECT	endp

; 
		inc	ebp
		mov	esp, ds
		retf
; 
		db 0E0h
; 
		sub	ah, [ecx]
		sub	[esi], eax

;  S U B	R O U T	I N E 


_GUID_IO_VOLUME_FORCE_CLOSED proc near	; DATA XREF: FsRtlNotifyVolumeEventEx:loc_910427o
		dec	edi
		fcomp	dword ptr [edx]
		inc	ecx
		db	3Eh
		inc	ebx

locret_427476:				; CODE XREF: .text:00427401j
		retn	0A54Dh
_GUID_IO_VOLUME_FORCE_CLOSED endp

; 
		scasb
		dec	edx
		sub	eax, 54E62D1Ah

_GUID_IO_VOLUME_BACKGROUND_FORMAT:	; DATA XREF: FsRtlNotifyVolumeEventEx:loc_91044Fo
		xchg	bh, ah
		in	eax, 0A2h	; Interrupt Controller #2, 8259A
		int	0D5h		; used by BASIC	while in interpreter
		cmp	[eax-4Eh], al
		jecxz	short locret_4274CF
		inc	ebp
		push	es
		pop	esp
; 
		dw 7723h
; 

_GUID_IO_VOLUME_LOCK_FAILED:		; DATA XREF: FsRtlNotifyVolumeEventEx:loc_9103E4o
		adc	ch, ch
		db	2Eh
		scas	byte ptr es:[edi]
		test	al, 0Bh
		rcl	byte ptr [ecx],	cl
; 
		dd 0A000FB8Fh
		db 0C9h
byte_42749D	db 0A0h, 6Dh, 32h	; CODE XREF: .text:0042741Dj
; 

_GUID_IO_VOLUME_LOCK:			; DATA XREF: FsRtlNotifyVolumeEventEx:loc_9103DDo
		jz	short near ptr loc_427428+2
		jo	short near ptr _GUID_IO_VOLUME_UNLOCK+4
		scasd
		leave
		rcl	dword ptr [ecx], 1
; 
		dd 0A000EF8Fh, 326DA0C9h
; 

_GUID_IO_VOLUME_DISMOUNT_FAILED:	; DATA XREF: FsRtlNotifyVolumeEventEx:loc_9103D6o
		js	short near ptr _GUID_IO_VOLUME_INFO_MAKE_COMPAT+3
; 
		dw 0E3C5h
		dd 11D2105Dh, 0A000FD8Fh, 326DA0C9h

;  S U B	R O U T	I N E 


_GUID_IO_VOLUME_WORM_NEAR_FULL proc near ; DATA	XREF: FsRtlNotifyVolumeEventEx:loc_91041Do

; FUNCTION CHUNK AT 0042744D SIZE 00000003 BYTES

		cmp	bh, 0BFh
		rep fdivrp st(3), st
		ror	byte ptr [eax-51h], cl
		xchg	eax, ebp
		inc	ebp
		jg	short loc_42744D
		mov	bh, 63h

locret_4274CF:				; CODE XREF: .text:00427489j
					; DATA XREF: FsRtlNotifyVolumeEventEx:loc_910413o
		repne retf 3113h
_GUID_IO_VOLUME_WORM_NEAR_FULL endp

; 
		xchg	eax, [esi-7DBAF7ECh]
		lodsb
		retn
; 
		mov	dl, 0E5h
		sub	[edx-56h], edi

_GUID_IO_VOLUME_NEED_CHKDSK:		; DATA XREF: FsRtlNotifyVolumeEventEx:loc_910409o
		pusha
		or	[edx+30A0B79h],	ebx
		dec	esi
		lodsd
		mov	[edi], ch
		cmpsd
		mov	dh, 74h
; 
		db 8Ah
; 

_GUID_IO_VOLUME_UNLOCK:			; CODE XREF: .text:004274A2j
					; DATA XREF: FsRtlNotifyVolumeEventEx:loc_9103EBo
		push	0CB9A8C3Dh
		rcl	cl, 1
		adc	[edi-365FFF11h], ecx
		mov	al, ds:55E8326Dh ; DATA	XREF: FsRtlNotifyVolumeEventEx:loc_9103CFo
		push	0FFFFFFD1h
		pop	ecx
		adc	dl, dl
		adc	[edi-365FFF03h], ecx
; 
		db 0A0h, 6Dh, 32h
; 

_KMPnPEvt_ReenumerateDeviceTree_Queue:	; DATA XREF: PnpLogActionQueueEvent+8E5A9o
		sub	al, [ebx]
		add	[edx], dl
		add	al, 0
		sub	al, [ebx]
; 
		dd 800000h, 10000000h
; 

_KMPnPEvt_Watchdog_DelayedRemoveWorker_Stop: ; DATA XREF: PnpWatchdogEtwWrite(x,x)+18Bo
		mov	[ebx], eax
		add	ds:3840204h, dl
; 
		dd 0
		dd 2000000h
; 

_KMPnPEvt_AssignResources_Start:	; DATA XREF: PipProcessDevNodeTree+A1B00o
		push	edx
		add	eax, [eax]
		adc	al, [ecx+eax]
		push	edx
		add	eax, [eax]
		add	[eax+0], al
; 
		db 10h
; 

_KMPnPEvt_DeviceEnum_Pend:		; DATA XREF: PipEnumerateDevice+A1CFCo
		fld	qword ptr [eax]
		add	[edx], dl
		add	al, 8
		fadd	qword ptr [eax]
		and	[eax], al
		add	[eax], eax
; 
		dd 10000000h
; 

_KMPnPEvt_DeviceInstall_Requested:	; DATA XREF: PiUEventSendDeviceInstallNotification(x)+26o
		scasb
		add	[eax], eax
		adc	[eax+eax], al
; 
		dw 0
		dd 0
		dd 40000000h
; 

_KMPnPEvt_DeviceConfig_Blocked:		; DATA XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+76Fo
		xchg	eax, edx
		add	[eax], eax
		adc	[ebx], al
; 
		db 3 dup(0)
		dd 0
		dd 40000000h
; 

_KMPnPEvt_DevQuery_ProcessingStart:	; DATA XREF: PiDqObjectManagerServiceActionQueue+AE64Bo
		cmc
		add	[eax], eax
		add	[esp+ecx], al
		hlt
		add	[eax], eax
		add	[eax], ah
; 
		db 0
		align 10h

_KMPnPEvt_ConfigureDevice_Queue:	; DATA XREF: PnpLogActionQueueEvent+8E608o
		xor	[ebx], al
		add	[ebx], dl
		add	al, 0
		xor	[ebx], al
; 
		dd 80000h, 8000000h
; 

_KMPnPEvt_DeviceAction_Queue:		; DATA XREF: PnpLogActionQueueEvent+8E686o
		xor	eax, [ebx]
; 
		dw 0
		dd 3330004h, 800000h, 0
; 

_KMPnPEvt_DeviceConfig_Stop:		; DATA XREF: PiDevCfgProcessDevice(x,x,x)+749o
		cld
; 
		db 2 dup(0), 13h
		dd 0FA0204h, 80000h, 8000000h
; 

_KMPnPEvt_DevQuery_QueryStart:		; DATA XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+1F4o
		hlt
		add	[eax], eax
		add	[edx+ecx], al
		hlt
		add	[eax], eax
		add	[eax], ah
		add	[eax], eax
; 
		db 3 dup(0)
; 

_KMPnPEvt_ProcessNewDevice_Start:	; DATA XREF: sub_8E1E83+2o
		and	[ebx], al
		add	[edx], dl
		add	al, 1
		and	[ebx], al
; 
		dd 800000h, 10000000h
; 

_KMPnPEvt_DeviceAdd_Start:		; DATA XREF: McTemplateK0qhzr1z_EtwWriteTransfer(x,x,x,x,x,x,x)+8Eo
		daa
		add	eax, [eax]
		adc	al, [ecx+eax]
		daa
		add	eax, [eax]
		add	[eax+0], al
		adc	al, dh		; DATA XREF: PnprLogStartEvent(x,x)+79o
; 
		db 2 dup(0), 8
		dd 4, 0
		dd 80000000h
; 

_KMPnPEvt_CfgMgr_QueryRemove_Stop:	; DATA XREF: PiCMQueryRemove(x,x,x,x,x,x)+10Co
		rol	dword ptr [edx], 0
		add	[edx+eax], al
		rol	byte ptr [edx],	0
		add	[eax+0], al
; 
		dd 0
; 

_PNP_EVT_DP_REPLACE_FAILURE:		; DATA XREF: PnprLogFailureEvent(x,x,x)+C8o
		icebp
		add	[ecx], al
		or	[edx], al
; 
		db 3 dup(0)
		dd 0
		dd 80000000h
; 

_KMPnPEvt_Watchdog_DelayedRemoveWorker_Start: ;	DATA XREF: PnpWatchdogEtwWrite(x,x)+E9o
		mov	[ebx], al
		add	ds:3840103h, dl
; 
		dd 0
		dd 2000000h
; 

_KMPnPEvt_ConfigureDevice_Stop:		; DATA XREF: PnpLogActionQueueEvent+8E65Co
		xor	al, [ebx]
		add	[ebx], dl
		add	al, 2
		xor	[ebx], al
; 
		dd 80000h, 8000000h
; 

_KMPnPEvt_ProcessNewDevice_InstancePath:
					; DATA XREF: McTemplateK0pz_EtwWriteTransfer(x,x,x,x,x)+66o
		and	[ebx], eax
		add	[edx], dl
		add	al, 0
		and	[ebx], al
; 
		dd 800000h, 10000000h
; 

_KMPnPEvt_AssignResources_Stop:		; DATA XREF: PipProcessDevNodeTree+A1B13o
		push	ebx
		add	eax, [eax]
		adc	al, [edx+eax]
		push	edx
		add	eax, [eax]
		add	[eax+0], al
; 
		db 10h
; 

_KMPnPEvt_CfgMgr_QueryRemove_Start:	; DATA XREF: PiCMQueryRemove(x,x,x,x,x,x)+78o
		rol	byte ptr [edx],	0
		add	[ecx+eax], al
		rol	byte ptr [edx],	0
		add	[eax+0], al
; 
		dd 0
; 

_KMPnPRundownEvt_SleepStudy_ParentDevNode:
					; DATA XREF: PnpDiagRundownParentDevNodeForEachDevice(x,x)+6Do
					; PnpDiagRundownRegisterCallback(x,x,x,x,x,x,x,x,x):loc_968F3Eo
		add	eax, [eax]
		add	[eax], eax
		add	al, 0
		add	eax, [eax]
		add	[eax], eax
; 
		dw 0
		align 10h

_KMPnPEvt_DeviceDelete_Failure:		; DATA XREF: PiPnpRtlCmActionCallback+115A52o
		movsd
		add	[eax], eax
		adc	[edx], al
; 
		db 3 dup(0)
		dd 0
		dd 40000000h
; 

_KMPnPEvt_DeviceRemoval_Stop:		; DATA XREF: PnpProcessTargetDeviceEvent+6DBEDo
		inc	eax
		add	eax, [eax]
		adc	al, [edx+eax]
		db	3Eh
		add	eax, [eax]
		add	[eax+0], al
		adc	[esi+3150003h],	al ; DATA XREF:	PnpWatchdogEtwWrite(x,x)+100o
		add	[ebx+eax+0], eax
; 
		dd 2000000h
; 

_KMPnPEvt_DeviceAdd_Stop:		; DATA XREF: McTemplateK0q_EtwWriteTransfer(x,x,x,x)+2Do
		sub	[ebx], al
		add	[edx], dl
		add	al, 2
		daa
		add	eax, [eax]
		add	[eax+0], al
		adc	[edx+3100001h],	bh ; DATA XREF:	PiDevCfgLogDeviceMigrated(x,x,x)+6Eo
; 
		db 3 dup(0)
		dd 0
		dd 40000000h
; 

_KMPnPEvt_DeviceRemoval_Queue:		; DATA XREF: PnpInsertEventInQueue+E1EA3o
		db	3Eh
		add	eax, [eax]
		adc	al, [eax+eax]
		db	3Eh
		add	eax, [eax]
		add	[eax+0], al
		adc	[ecx+2100001h],	bh ; DATA XREF:	PiDevCfgLogDeviceMigrated(x,x,x)+90o
; 
		db 3 dup(0)
		dd 0
		dd 40000000h
; 

_KMPnPEvt_ProcessDeviceStart_Start:	; DATA XREF: PipProcessStartPhase2+6E330o
					; PipProcessStartPhase3+6DEBFo	...
		and	eax, [ebx]
; 
		dw 0
		dd 3230104h, 800000h, 0
; 

_KMPnPEvt_DeviceConfig_RebootRequired:	; DATA XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+653o
		xchg	eax, ebx
		add	[eax], eax
		adc	[ebx], al
; 
		db 3 dup(0)
		dd 0
		dd 40000000h
; 

_KMPnPEvt_ReenumerateDeviceOnly_Queue:	; DATA XREF: PnpLogActionQueueEvent:loc_5DD850o
		sub	eax, 4120003h
		add	ds:80000003h, ch
; 
		db 0
		dd 10000000h
; 

_KMPnPEvt_Watchdog_AddDevice_Start:	; DATA XREF: PnpWatchdogEtwWrite(x,x)+D2o
		mov	al, [ebx]
		add	ds:3840103h, dl
; 
		dd 0
		dd 2000000h
; 

_KMPnPEvt_DevQuery_ProcessingStop:	; DATA XREF: PiDqObjectManagerServiceActionQueue+AE65Eo
		test	byte ptr [ecx],	0
		add	ds:1F4h[ecx], al
		and	[eax], al
; 
		dd 0
; 

_KMPnPEvt_ProcessDeviceStart_Stop:	; DATA XREF: PipProcessStartPhase2+6E3A7o
					; PipProcessStartPhase3+6DF72o	...
		and	al, 3
; 
		dw 0
		dd 3230204h, 800000h, 0
; 

_KMPnPEvt_Watchdog_AddDevice_Stop:	; DATA XREF: PnpWatchdogEtwWrite(x,x)+174o
		mov	eax, [ebx]
		add	ds:3840204h, dl
; 
		dd 0
		dd 2000000h
; 

_KMPnPEvt_Driver_Blocked:		; DATA XREF: McTemplateK0j_EtwWriteTransfer(x,x,x,x)+1Ao
		push	ss
		add	[eax], eax
		add	[eax+eax], al
; 
		dw 0
		align 10h

_KMPnPEvt_DevQuery_QueryStop:		; DATA XREF: PiDqQueryRelease+118EF4o
		test	dword ptr [ecx], 0B040000h
		hlt
		add	[eax], eax
		add	[eax], ah
		add	[eax], eax
; 
		db 3 dup(0)
; 

_KMPnPEvt_DeviceStart_Failure:		; DATA XREF: PiDevCfgLogDeviceStarted(x)+386o
		wait
		add	[eax], eax
		adc	[edx], al
; 
		db 3 dup(0)
		dd 0
		dd 40000000h
; 

_KMPnPEvt_DeviceRemoval_Start:		; DATA XREF: PnpProcessTargetDeviceEvent+6DBC8o
		aas
		add	eax, [eax]
		adc	al, [ecx+eax]
		db	3Eh
		add	eax, [eax]
		add	[eax+0], al
; 
		db 10h
; 

_KMPnPEvt_DeviceConfig_Failure:		; DATA XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+87Co
		xchg	eax, ecx
		add	[eax], eax
		adc	[edx], al
; 
		db 3 dup(0)
		dd 0
		dd 40000000h
; 

_KMPnPEvt_DeviceStart_RebootRequired:	; DATA XREF: PiDevCfgLogDeviceStarted(x)+336o
		pushf
		add	[eax], eax
		adc	[ebx], al
; 
		db 3 dup(0)
		dd 0
		dd 40000000h
; 

_KMPnPEvt_ReenumerateDeviceTree_Stop:	; DATA XREF: PnpLogActionQueueEvent+8E5D5o
		sub	al, 3
		add	[edx], dl
		add	al, 2
		sub	al, [ebx]
; 
		dd 800000h, 10000000h
; 

_KMPnPEvt_DeviceStart_Success:		; DATA XREF: PiDevCfgLogDeviceStarted(x)+2CEo
		call	far ptr	0:4100001h
; 
		db 0
		dd 0
		dd 40000000h
; 

_KMPnPEvt_DeviceReset_Stop:		; DATA XREF: McTemplateK0hzr0qqhzr4_EtwWriteTransfer(x,x,x,x,x,x,x,x,x)+68o
		dec	ecx
		add	eax, [eax]
		adc	al, [edx+eax]
; 
		dw 0
		dd 800000h, 10000000h
; 

_KMPnPEvt_DeviceEject_Start:		; DATA XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+4Ao
		fild	word ptr [eax]
		add	[edx], dl
		add	al, 1
		fild	word ptr [eax]
; 
		dd 40000h, 10000000h
; 

_KMPnPEvt_DeviceEject_Stop:		; DATA XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+2F5o
		loopne	$+2
		add	[edx], dl
		add	al, 2
		fild	word ptr [eax]
; 
		dd 40000h, 10000000h
; 

_KMPnPEvt_DeviceDelete_Success:		; DATA XREF: PiPnpRtlCmActionCallback+115A42o
		movsb
		add	[eax], eax
		adc	[eax+eax], al
; 
		dw 0
		dd 0
		dd 40000000h
; 

_KMPnPEvt_Watchdog_DriverEntry_Stop:	; DATA XREF: PnpWatchdogEtwWrite(x,x)+15Do
		lea	eax, [ebx]
		add	ds:3840204h, dl
; 
		dd 0
		dd 2000000h
; 

_KMPnPEvt_DeviceConfig_Success:		; DATA XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+549o
		nop
		add	[eax], eax
		adc	[eax+eax], al
; 
		dw 0
		dd 0
		dd 40000000h
; 

_KMPnPEvt_Watchdog_EventWorker_Start:	; DATA XREF: PnpWatchdogEtwWrite(x,x)+117o
		test	[ebx], al
		add	ds:3840103h, dl
; 
		dd 0
		dd 2000000h
; 

_KMPnPEvt_ReenumerateDeviceOnly_Start:	; DATA XREF: PnpLogActionQueueEvent:loc_5DD862o
		add	eax, cs:[eax]
		adc	al, [ecx+eax]
		sub	eax, 80000003h
; 
		db 0
		dd 10000000h
; 

_KMPnPEvt_DeviceAction_Start:		; DATA XREF: PnpLogActionQueueEvent+8E6ABo
		xor	al, 3
; 
		dw 0
		dd 3330104h, 800000h, 0
; 

_KMPnPEvt_DeviceEject_Pend:		; DATA XREF: PnpDiagnosticTraceAppVeto(x,x,x,x)+89o
		loope	$+2
		add	[eax], cl
		add	eax, [eax]
		fild	word ptr [eax]
; 
		dd 0
		dd 80000000h
; 

_KMPnPEvt_DriverLoad_Fail:		; DATA XREF: PipCallDriverAddDeviceQueryRoutine+6D14Bo
		fild	dword ptr [eax]
		add	[eax], cl
		add	eax, [eax]
		aam	0
; 
		dd 0
		dd 80000000h
; 

_KMPnPEvt_DeviceMigrate_Success:	; DATA XREF: PiDevCfgLogDeviceMigrated(x,x,x)+46o
		mov	eax, 4100001h
; 
		db 3 dup(0)
		dd 0
		dd 40000000h
; 

_KMPnPEvt_Watchdog_EventWorker_Stop:	; DATA XREF: PnpWatchdogEtwWrite(x,x)+1B9o
		test	[ebx], eax
		add	ds:3840204h, dl
; 
		dd 0
		dd 2000000h
; 

_KMPnPEvt_ProcessNewDevice_Stop:	; DATA XREF: PiProcessNewDeviceNode+6ECC7o
		and	al, [ebx]
		add	[edx], dl
		add	al, 2
		and	[ebx], al
; 
		dd 800000h, 10000000h
; 

_KMPnPEvt_Rebalance_Stop:		; DATA XREF: PnpRebalance(x,x,x,x)+29Bo
		push	ebp
		add	eax, [eax]
		adc	al, [edx+eax]
		push	esp
		add	eax, [eax]
		add	[eax+0], al
; 
		db 10h
; 

_KMPnPEvt_ReenumerateDeviceOnly_Stop:	; DATA XREF: PnpLogActionQueueEvent:loc_5DD874o
		das
		add	eax, [eax]
		adc	al, [edx+eax]
		sub	eax, 80000003h
; 
		db 0
		dd 10000000h
; 

_KMPnPEvt_ProcessDeviceRestart_Start:	; DATA XREF: PipProcessRestartPhase1(x,x,x)+18o
					; PipProcessRestartPhase2(x)+11o
		and	eax, 4000003h
		add	ds:80000003h, esp
; 
		db 0
		align 10h

_KMPnPRundownEvt_SleepStudy_ParentPdo:	; DATA XREF: PnpDiagRundownParentPdoForEachDevice(x,x)+4Do
					; PnpDiagRundownRegisterCallback(x,x,x,x,x,x,x,x,x):loc_968F04o
		add	al, [eax]
; 
		dw 0
		dd 20004h, 1, 0
; 

_KMPnPEvt_DriverOverride_SetOverride:	; DATA XREF: McTemplateK0dzd_EtwWriteTransfer(x,x,x,x,x,x)+63o
		pop	eax
		add	al, [eax]
		adc	al, 4
		add	[eax+2], bl
; 
		dd 0
		dd 4000000h
; 

_KMPnPEvt_DeviceConfig_Start:		; DATA XREF: PiDevCfgProcessDevice(x,x,x)+71o
		cli
; 
		db 2 dup(0), 13h
		dd 0FA0104h, 80000h, 8000000h
; 

_KMPnPEvt_Watchdog_CompletionQueue_Stop: ; DATA	XREF: PnpWatchdogEtwWrite(x,x)+1A2o
		xchg	eax, [ebx]
		add	ds:3840204h, dl
; 
		dd 0
		dd 2000000h
; 

_KMPnPEvt_DeviceReset_Start:		; DATA XREF: McTemplateK0hzr0_EtwWriteTransfer(x,x,x,x,x)+24o
		dec	eax
		add	eax, [eax]
		adc	al, [ecx+eax]
; 
		dw 0
		dd 800000h, 10000000h
; 

_KMPnPEvt_Rebalance_Start:		; DATA XREF: PnpRebalance(x,x,x,x)+69o
		push	esp
		add	eax, [eax]
		adc	al, [ecx+eax]
		push	esp
		add	eax, [eax]
		add	[eax+0], al
		adc	[esi], ah	; DATA XREF: PipProcessRestartPhase1(x,x,x)+75o
					; PipProcessRestartPhase2(x)+9Eo
		add	eax, [eax]
		add	[edx+eax], al
		and	eax, 80000003h
; 
		db 0
		align 10h

_KMPnPEvt_Watchdog_DriverEntry_Start:	; DATA XREF: PnpWatchdogEtwWrite(x,x)+BBo
		mov	word ptr [ebx],	es
		add	ds:3840103h, dl
; 
		dd 0
		dd 2000000h
; 

_KMPnPEvt_ReenumerateDeviceTree_Start:	; DATA XREF: PnpLogActionQueueEvent+8E5BFo
		sub	eax, [ebx]
		add	[edx], dl
		add	al, 1
		sub	al, [ebx]
; 
		dd 800000h, 10000000h
; 

_KMPnPEvt_DeviceAction_Stop:		; DATA XREF: PnpLogActionQueueEvent+8E6E1o
		xor	eax, 4000003h
		add	dh, [ebx]
		add	eax, [eax]
		add	[eax+0], al

loc_42797F:				; DATA XREF: PnpLogActionQueueEvent+8E630o
		add	[ecx], dh
		add	eax, [eax]
		adc	eax, [ecx+eax]
		xor	[ebx], al
; 
		dd 80000h, 8000000h
; 

_PNP_EVT_DP_REPLACE_SUCCESS:		; DATA XREF: PnprLogSuccessEvent()+330o
		repne add [eax], al
		or	[eax+eax], al
; 
		dw 0
		dd 0
		dd 80000000h
aFilesystemMsfs:			; DATA XREF: .text:00404CACo
		unicode	0, <\FileSystem\Msfs>,0
		align 4
aFilesystemNpfs:			; DATA XREF: .text:00404CB4o
		unicode	0, <\FileSystem\Npfs>,0
		align 4
aFilesystemFltm:			; DATA XREF: .text:off_404CA4o
		unicode	0, <\FileSystem\FltMgr>,0
		align 10h
_IopRunTimeContextOffsets:		; DATA XREF: IopAddRunTimeTriageDataBlocks(x,x,x,x,x,x)+48o
					; IopMarkPagesForRunTimeTriageDataBlocks(x,x,x,x)+43o ...
		unicode	0, <Ĵ>
		dw 0FFFFh
; 

_CrashdmpGuid:				; DATA XREF: IopWriteTriageDumpToFirmware(x)+23o
		jb	short near ptr byte_427A4F
		sbb	eax, 0C165AF0Eh
		dec	edx
		mov	edi, 0ABF4CEA3h
		or	al, 38h
		inc	byte ptr [eax]	; DATA XREF: IopDispatchSessionNotifications(x,x,x)+13r
; 
		db 3 dup(0)
		db 1
byte_427A39	db 3 dup(0)		; CODE XREF: .text:00427A69j
		dd 2, 4, 8, 10h
		db 20h,	2 dup(0)
byte_427A4F	db 0			; CODE XREF: .text:_CrashdmpGuidj
		dd 0
; 

_GUID_EFI_VARIABLE_SERVICE:		; DATA XREF: IopOpenSystemVariableDevice(x,x,x)+61o
		icebp

loc_427A55:				; CODE XREF: .text:00427AB5j
		mov	ds:0A42E699Ah, al
		fild	word ptr [eax-46h]
		mov	esi, 0BBD2AA3Ah
		push	47h

; void loc_427A64
loc_427A64:				; DATA XREF: PipResetDevice(x,x)+C2o
		push	254D36E9h
		jecxz	short near ptr byte_427A39

loc_427A6B:				; CODE XREF: .text:00427AC9j
		adc	[edi+2B0008C1h], edi
		loope	loc_427A76
; 
		db 18h
; 

_RamdiskBootDiskGuid:			; DATA XREF: VhdInitialize+F6AAo
					; RamdiskStart(x)+DFo
		cld
		push	edi

loc_427A76:				; CODE XREF: .text:00427A71j
		mov	dl, 0D9h
		dec	esi
		push	79AB4DCBh
		add	ecx, edi

loc_427A80:				; CODE XREF: .text:00427ADDj
					; DATA XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+7Bo ...
		mov	byte ptr ds:loc_50B7F6,	al

loc_427A85:				; CODE XREF: .text:00427AB7j
		jno	short near ptr loc_427ACE+2
		xor	byte ptr [ebx-74h], 0B9h
		dec	eax
		stosb
		fxch	st(6)
		cmp	[esi+19h], bh
		lds	ebp, [esi+7]
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_StateDirectoryId:	; CODE XREF: .text:00427ACBj
					; DATA XREF: IoGetDeviceDirectory(x,x,x,x,x)+11Bo ...
		db	26h
		arpl	dx, bx
		and	dword ptr [esi-6BBF7769h], 53h
		mov	eax, ds:3B573F92h
; 
		db 29h
		dd 15h
; 

_DEVPKEY_DriverFile_SubDirectory:	; CODE XREF: .text:00427ADFj
					; DATA XREF: .text:0040504Co
		add	ebp, ebx
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_427A55+4
		jz	short loc_427A85
		inc	edi
		fstp	tbyte ptr [edx+3]

; void DEVPKEY_DeviceId_DriverInfNames
_DEVPKEY_DeviceId_DriverInfNames:	; DATA XREF: .data:006B383Co
					; DrvDbGetDeviceIdMappedProperty+AE8DBo ...
		add	al, 0EBh
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_427A6B+2
		jz	short near ptr _DEVPKEY_Device_StateDirectoryId+1
		inc	edi

loc_427ACE:				; CODE XREF: .text:loc_427A85j
					; .text:00427B2Dj
		fstp	tbyte ptr [edx+2]

_DEVPKEY_DriverFile_DriverInfName:	; DATA XREF: .text:off_405034o
		add	ebp, ebx
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_427A80+1
		jz	short near ptr _DEVPKEY_DriverFile_SubDirectory+1
		inc	edi

loc_427AE2:				; CODE XREF: .text:00427B41j
		fstp	tbyte ptr [edx+2]

_DEVPKEY_DriverPackage_SubmissionId:	; DATA XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+176o
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+A28o
		shl	dword ptr [edx-5Fh], 4Dh
		mov	cl, 5Eh
		inc	eax
		inc	ecx
		movsb
		inc	esp
		push	eax
		db	64h
		leave

loc_427AF5:				; CODE XREF: .text:00427B55j
		or	dword ptr [esi+76h], 9

_DEVPKEY_DriverPackage_DriverFlightIds:	; CODE XREF: .text:00427B2Fj
					; DATA XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+15Co	...
		shl	dword ptr [edx-5Fh], 4Dh
		mov	cl, 5Eh
		inc	eax
		inc	ecx
		movsb
		inc	esp
		push	eax
		db	64h
		leave

loc_427B09:				; CODE XREF: .text:00427B69j
		or	dword ptr [esi+76h], 6

_DEVPKEY_DriverPackage_GroupIds:	; CODE XREF: .text:00427B43j
					; DATA XREF: PiDevCfgQueryDriverConfiguration(x)+413o
		shl	dword ptr [edx-5Fh], 4Dh
		mov	cl, 5Eh
		inc	eax
		inc	ecx
		movsb
		inc	esp
		push	eax
		db	64h
		leave

loc_427B1D:				; CODE XREF: .text:00427B7Dj
		or	dword ptr [esi+76h], 8

; void DEVPKEY_DriverPackage_Integrated
_DEVPKEY_DriverPackage_Integrated:	; CODE XREF: .text:00427B57j
					; DATA XREF: .data:006B3870o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_427ACE+3
		jz	short near ptr _DEVPKEY_DriverPackage_DriverFlightIds+1
		inc	edi

loc_427B32:				; CODE XREF: .text:00427B91j
		fstp	tbyte ptr [edx+26h]

; void DEVPKEY_DriverPackage_Primitive
_DEVPKEY_DriverPackage_Primitive:	; CODE XREF: .text:00427B6Bj
					; DATA XREF: .data:006B3874o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_427AE2+3
		jz	short near ptr _DEVPKEY_DriverPackage_GroupIds+1
		inc	edi

loc_427B46:				; CODE XREF: .text:00427BA5j
		fstp	tbyte ptr [edx+28h]

; void DEVPKEY_DriverPackage_ConfigurationScopes
_DEVPKEY_DriverPackage_ConfigurationScopes: ; CODE XREF: .text:00427B7Fj
					; DATA XREF: .text:00405030o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_427AF5+4
		jz	short near ptr _DEVPKEY_DriverPackage_Integrated+1
		inc	edi

loc_427B5A:				; CODE XREF: .text:00427BB9j
		fstp	tbyte ptr [edx+1Eh]

; void DEVPKEY_DriverPackage_DriverPackageId
_DEVPKEY_DriverPackage_DriverPackageId:	; CODE XREF: .text:00427B93j
					; DATA XREF: .data:006B386Co ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_427B09+4
		jz	short near ptr _DEVPKEY_DriverPackage_Primitive+1
		inc	edi

loc_427B6E:				; CODE XREF: .text:00427BCDj
		fstp	tbyte ptr [edx+20h]

; void DEVPKEY_DriverPackage_FamilyId
_DEVPKEY_DriverPackage_FamilyId:	; CODE XREF: .text:00427BA7j
					; DATA XREF: .data:006B3868o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_427B1D+4
		jz	short near ptr _DEVPKEY_DriverPackage_ConfigurationScopes+1
		inc	edi

loc_427B82:				; CODE XREF: .text:00427BE1j
		fstp	tbyte ptr [edx+21h]

; void DEVPKEY_DriverPackage_Configurations
_DEVPKEY_DriverPackage_Configurations:	; CODE XREF: .text:00427BBBj
					; DATA XREF: .text:off_40502Co	...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_427B32+3
		jz	short near ptr _DEVPKEY_DriverPackage_DriverPackageId+1
		inc	edi

loc_427B96:				; CODE XREF: .text:00427BF5j
		fstp	tbyte ptr [edx+1Dh]

; void DEVPKEY_DriverPackage_Configurable
_DEVPKEY_DriverPackage_Configurable:	; CODE XREF: .text:00427BCFj
					; DATA XREF: .data:006B3864o ...
		add	ebx, ebp
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_427B46+3
		jz	short near ptr _DEVPKEY_DriverPackage_FamilyId+1
		inc	edi
		fstp	tbyte ptr [edx+12h]

_DEVPKEY_DriverDatabase_SoftwareRegistryPath: ;	CODE XREF: .text:00427BE3j
					; DATA XREF: .text:004050C8o ...
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_427B5A+3
		jz	short near ptr _DEVPKEY_DriverPackage_Configurations+1
		inc	edi
		fstp	tbyte ptr [edx+16h]

_DEVPKEY_DriverDatabase_SystemPath:	; CODE XREF: .text:00427BF7j
					; DATA XREF: .text:off_405080o	...
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_427B6E+3
		jz	short near ptr _DEVPKEY_DriverPackage_Configurable+1
		inc	edi
		fstp	tbyte ptr [edx+0Ch]

_DEVPKEY_DriverDatabase_FilePath:	; DATA XREF: .text:00405098o
					; PiDrvDbRegisterNode+9E1FBo
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_427B82+3
		jz	short near ptr _DEVPKEY_DriverDatabase_SoftwareRegistryPath+1
		inc	edi

loc_427BE6:				; CODE XREF: .text:00427C0Cj
		fstp	tbyte ptr [edx+0Dh]

; void DEVPKEY_DriverDatabase_RegistryPath
_DEVPKEY_DriverDatabase_RegistryPath:	; DATA XREF: .text:004050B0o
					; DrvDbCreateDatabaseNode+9C7ECo ...
		add	bl, ch
		arpl	[ecx+4F7A142Ch], ax
		xchg	eax, esp
		loope	near ptr loc_427B96+3
		jz	short near ptr _DEVPKEY_DriverDatabase_SystemPath+1
		inc	edi

loc_427BFA:				; CODE XREF: .text:00427C20j
		fstp	tbyte ptr [edx+0Eh]

_DEVPKEY_DevicePanel_JointMovementPosition: ; DATA XREF: _CmUpdateDevicePanel+6EAA1o
					; _CmUpdateDevicePanel+6EAE0o ...
		pusha
		hlt
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	near ptr loc_427BE6+5
		mov	edi, 130Dh

loc_427C13:				; CODE XREF: .text:00427C34j
					; DATA XREF: _CmUpdateDevicePanel+6E972o ...
		add	[eax-0Ch], ah
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	near ptr loc_427BFA+5
		mov	edi, 0F0Dh

loc_427C27:				; CODE XREF: .text:00427C48j
					; DATA XREF: _CmUpdateDevicePanel+6E9B9o ...
		add	[eax-0Ch], ah
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427C13
		mov	edi, 100Dh

loc_427C3B:				; CODE XREF: .text:00427C5Cj
					; DATA XREF: _CmUpdateDevicePanel+6EA26o ...
		add	[eax-0Ch], ah
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427C27
		mov	edi, 110Dh

loc_427C4F:				; CODE XREF: .text:00427C70j
					; DATA XREF: _CmUpdateDevicePanel+6EA74o ...
		add	[eax-0Ch], ah
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427C3B
		mov	edi, 120Dh

loc_427C63:				; CODE XREF: .text:00427C84j
					; DATA XREF: _CmUpdateDevicePanel+6E8F4o ...
		add	[eax-0Ch], ah
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427C4F
		mov	edi, 0B0Dh

loc_427C77:				; CODE XREF: .text:00427C98j
					; DATA XREF: _CmUpdateDevicePanel+6EC16o
		add	[eax-0Ch], ah
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427C63
		mov	edi, 0C0Dh

loc_427C8B:				; CODE XREF: .text:00427CACj
					; DATA XREF: _CmUpdateDevicePanel+6EC30o
		add	[eax-0Ch], ah
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427C77
		mov	edi, 0D0Dh

loc_427C9F:				; CODE XREF: .text:00427CC0j
					; DATA XREF: _CmUpdateDevicePanel+6E930o ...
		add	[eax-0Ch], ah
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427C8B
		mov	edi, 0E0Dh

loc_427CB3:				; CODE XREF: .text:00427CD4j
					; DATA XREF: _CmUpdateDevicePanel+6E7F6o ...
		add	[eax-0Ch], ah
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427C9F
		mov	edi, 70Dh

loc_427CC7:				; CODE XREF: .text:00427CE8j
					; DATA XREF: _CmUpdateDevicePanel+6E864o ...
		add	[eax-0Ch], ah
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427CB3
		mov	edi, 80Dh

loc_427CDB:				; CODE XREF: .text:00427CFCj
					; DATA XREF: _CmUpdateDevicePanel+6E88Co ...
		add	[eax-0Ch], ah
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427CC7
		mov	edi, 90Dh

loc_427CEF:				; CODE XREF: .text:00427D10j
					; DATA XREF: _CmUpdateDevicePanel+6E8C0o ...
		add	[eax-0Ch], ah
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427CDB
		mov	edi, 0A0Dh

loc_427D03:				; CODE XREF: .text:00427D24j
					; DATA XREF: _CmUpdateDevicePanel+6E685o ...
		add	[eax-0Ch], ah
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427CEF
		mov	edi, 30Dh

loc_427D17:				; CODE XREF: .text:00427D38j
					; DATA XREF: _CmUpdateDevicePanel+6E733o ...
		add	[eax-0Ch], ah

loc_427D1A:				; CODE XREF: .text:00427D62j
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427D03
		mov	edi, 40Dh

loc_427D2B:				; CODE XREF: .text:00427D4Cj
					; DATA XREF: _CmUpdateDevicePanel+6E777o ...
		add	[eax-0Ch], ah
		sbb	al, 0F0h
		pop	edi

loc_427D31:				; CODE XREF: .text:loc_427D56j
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427D17
		mov	edi, 50Dh
		add	[eax-0Ch], ah	; DATA XREF: _CmUpdateDevicePanel+6E7C2o
					; _CmUpdateDevicePanel+6E82Co ...

loc_427D42:				; CODE XREF: .text:00427D8Aj
		sbb	al, 0F0h
		pop	edi
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427D2B
		mov	edi, 60Dh

loc_427D53:				; CODE XREF: .text:00427D74j
					; DATA XREF: _CmUpdateDevicePanel+6E524o ...
		add	[edi+57h], al

loc_427D56:				; CODE XREF: .text:00427D9Ej
		jl	short near ptr loc_427D31+2
		daa

loc_427D59:				; CODE XREF: .text:loc_427D7Ej
		and	ds:0D7FB2CA6h[ecx*2], ebx
		adc	ebx, ecx
		jnp	short near ptr loc_427D1A+1
		pop	es
; 
		db 3 dup(0)
; 

_DEVPKEY_DevicePanel_JointType:		; DATA XREF: _CmUpdateDevicePanel+6E641o
					; _CmUpdateDevicePanel+6EB10o
		pusha
		hlt

loc_427D6A:				; CODE XREF: .text:00427DB2j
		sbb	al, 0F0h
		pop	edi

loc_427D6D:				; CODE XREF: .text:loc_427D92j
		mov	dword ptr [ebx+46h], 1598B0BFh
		loop	loc_427D53
		mov	edi, 20Dh

loc_427D7B:				; DATA XREF: .text:00405004o
					; _CmGetDevicePanelMappedProperty(x,x,x,x,x,x,x,x,x)+71o
		add	[edi+57h], al

loc_427D7E:				; CODE XREF: .text:00427DC6j
		jl	short near ptr loc_427D59+2
		daa

loc_427D81:				; CODE XREF: .text:00427DA6j
		and	ds:0D7FB2CA6h[ecx*2], ebx
		adc	ebx, ecx
		jnp	short near ptr loc_427D42+1
		add	eax, [eax]
; 
		dw 0
; 

; void DEVPKEY_DevicePanel_Side
_DEVPKEY_DevicePanel_Side:		; DATA XREF: .text:0040500Co
					; _CmGetDevicePanelMappedProperty(x,x,x,x,x,x,x,x,x)+ABo
		inc	edi
		push	edi

loc_427D92:				; CODE XREF: .text:00427DDAj
		jl	short near ptr loc_427D6D+2
		daa

loc_427D95:				; CODE XREF: .text:00427DBAj
		and	ds:0D7FB2CA6h[ecx*2], ebx
		adc	ebx, ecx
		jnp	short near ptr loc_427D56+1
		add	al, 0
; 
		dw 0
; 

_DEVPKEY_DevicePanel_Width:		; DATA XREF: _CmUpdateDevicePanel+6E498o
		inc	edi
		push	edi
		jl	short near ptr loc_427D81+2
		daa

loc_427DA9:				; CODE XREF: .text:00427DCEj
		and	ds:0D7FB2CA6h[ecx*2], ebx
		adc	ebx, ecx
		jnp	short near ptr loc_427D6A+1
		add	eax, 47000000h	; DATA XREF: _CmUpdateDevicePanel+6E4CCo
		push	edi
		jl	short near ptr loc_427D95+2
		daa
		and	ds:0D7FB2CA6h[ecx*2], ebx
		adc	ebx, ecx
		jnp	short near ptr loc_427D7E+1
		push	es
; 
		db 3 dup(0)
; 

; void DEVPKEY_DevicePanel_ContainerId
_DEVPKEY_DevicePanel_ContainerId:	; DATA XREF: .text:off_404FFCo
					; _CmGetDevicePanelMappedProperty(x,x,x,x,x,x,x,x,x)+31o
		inc	edi
		push	edi
		jl	short near ptr loc_427DA9+2
		daa
		and	ds:0D7FB2CA6h[ecx*2], ebx
		adc	ebx, ecx
		jnp	short near ptr loc_427D92+1
		add	al, [eax]
; 
		dw 0
; 

_DEVPKEY_DeviceClass_LowerFilterDefaultLevel:
					; DATA XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+8Do
		or	eax, 9652D701h
		mov	bl, 0F0h
		inc	eax
		cdq
		imul	ebp, [ebx], -47h
		call	near ptr 8289F77h
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_LowerFilterCache:	; DATA XREF: .data:006B382Co
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x):loc_A35974o
		or	eax, 9652D701h
		mov	bl, 0F0h
		inc	eax
		cdq
		imul	ebp, [ebx], -47h
		call	near ptr 4289F8Bh
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_UpperFilterLevels:	; DATA XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+6Ao
		or	eax, 9652D701h
		mov	bl, 0F0h
		inc	eax
		cdq
		imul	ebp, [ebx], -47h
		call	near ptr 5289F9Fh
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_LowerFilterLevels:	; DATA XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+86o
		or	eax, 9652D701h
		mov	bl, 0F0h
		inc	eax
		cdq
		imul	ebp, [ebx], -47h
		call	near ptr 6289FB3h
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_UpperFilterDefaultLevel:
					; DATA XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+71o
		or	eax, 9652D701h
		mov	bl, 0F0h
		inc	eax
		cdq
		imul	ebp, [ebx], -47h
		call	near ptr 7289FC7h
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_UpperFilterCache:	; DATA XREF: .data:006B3824o
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+65o
		or	eax, 9652D701h
		mov	bl, 0F0h
		inc	eax
		cdq
		imul	ebp, [ebx], -47h
		call	near ptr 3289FDBh
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceClass_ConfigFilters:	; DATA XREF: PipCallDriverAddDevice+A1A2Ao
					; PiDevCfgGetDeviceClassConfigFlags(x,x,x)+28o
		hlt
		xor	esi, [edx+ebp*2]
		db	26h
		push	esi
		call	near ptr 0DBFC27A3h
		fldlg2
		ror	byte ptr [eax+0F4Bh], cl
; 
		db 0
; 

_DEVPKEY_DeviceClass_ConfigNotifyWnfTriggers: ;	DATA XREF: PipCallDriverAddDevice+A1AB4o
					; PiDevCfgGetDeviceClassConfigFlags(x,x,x)+56o
		hlt
		xor	esi, [edx+ebp*2]
		db	26h
		push	esi
		call	near ptr 0DBFC27B7h
		fldlg2
		ror	byte ptr [eax+104Bh], cl
; 
		db 0
; 

_DEVPKEY_DeviceClass_CompatibleFeatureScores:
					; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+72Do
		hlt
		xor	esi, [edx+ebp*2]
		db	26h
		push	esi
		call	near ptr 0DBFC27CBh
		fldlg2
		ror	byte ptr [eax+0B4Bh], cl
		add	ah, dh		; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+7D2o
		xor	esi, [edx+ebp*2]
		db	26h
		push	esi
		call	near ptr 0DBFC27DFh
		fldlg2
		ror	byte ptr [eax+0E4Bh], cl
		add	ah, dh		; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+6CFo
		xor	esi, [edx+ebp*2]
		db	26h
		push	esi
		call	near ptr 0DBFC27F3h
		fldlg2
		ror	byte ptr [eax+74Bh], cl
		add	ah, dh		; DATA XREF: _CmGetInstallerClassMappedPropertyFromComposite+ADC17o

loc_427EBD:				; CODE XREF: .text:00427EDDj
		xor	esi, [edx+ebp*2]
		db	26h
		push	esi
		call	near ptr 0DBFC2807h
		fldlg2
		ror	byte ptr [eax+54Bh], cl

loc_427ECF:				; DATA XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+6Do
					; PAGEDATA:00A933E0o
		add	[ebp+30h], bh
		xchg	eax, ebx

loc_427ED3:				; CODE XREF: .text:00427EF1j
		mov	eax, ds:46D31245h
		mov	esi, 8612D867h
		jo	short near ptr loc_427EBD+2
		wait
		add	al, 0
; 
		dw 0
; 

_DEVPKEY_Device_LowerFilterLevels:	; DATA XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+89o
					; PAGEDATA:00A933ECo
		jge	short near ptr loc_427F14+2
		xchg	eax, ebx

loc_427EE7:				; CODE XREF: .text:00427F05j
		mov	eax, ds:46D31245h
		mov	esi, 8612D867h
		jo	short loc_427ED3
		wait

loc_427EF4:				; DATA XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+74o
					; PAGEDATA:00A933E4o
		add	eax, 7D000000h

loc_427EF9:				; CODE XREF: .text:00427F19j
		xor	[ebx-2CEDBA5Fh], dl
		inc	esi
		mov	esi, 8612D867h
		jo	short loc_427EE7
		wait
		push	es
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_LowerFilterDefaultLevel:
					; DATA XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+90o
					; PAGEDATA:00A933F0o
		jge	short loc_427F3E
		xchg	eax, ebx
		mov	eax, ds:46D31245h

loc_427F14:				; CODE XREF: .text:_DEVPKEY_Device_LowerFilterLevelsj
		mov	esi, 8612D867h
		jo	short near ptr loc_427EF9+2
		wait
		pop	es
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_InvalidatedDrivers:	; DATA XREF: PAGEDATA:00A933D4o
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		push	ds
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_UserSelectedDriverInstalled: ; DATA XREF: PAGEDATA:00A933CCo
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi

loc_427F3E:				; CODE XREF: .text:_DEVPKEY_Device_LowerFilterDefaultLevelj
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		pop	ss
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_PendingSoftwareInstall:	; DATA XREF: PAGEDATA:00A933D0o
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		sbb	[eax], al
; 
		dw 0
; 

_DEVPKEY_Device_DriverExtendedInfs:	; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1693o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1750o ...
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		adc	al, 0
; 
		dw 0
; 

_DEVPKEY_Device_DriverIncludedConfigs:	; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+15F1o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1651o ...
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		adc	eax, 0DD000000h	; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1B0Fo
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1B4Do
		db	65h
		mov	eax, 942E3DA8h
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		push	ss
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_PhysicalDeviceLocationSpatial: ; DATA XREF: _CmUpdateDevicePanel+6DB81o
		pop	ds
		sub	[ebp+53AF3CE5h], eax
		dec	eax
		scasd
		jb	short near ptr loc_427FF2+3
		and	al, 5Ah
		push	241C7h
; 
		dw 0
; 

_DEVPKEY_Device_Owners:			; DATA XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+27Ao
		db	26h
		arpl	dx, bx
		and	dword ptr [esi-6BBF7769h], 53h
		mov	eax, ds:3B573F92h
		sub	[eax], edx
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_RequestConfigurationIds: ; DATA	XREF: PiDevCfgProcessDevice(x,x,x)+129o
					; PiDevCfgRequestDriverConfigurations(x,x)+A4o	...
		db	26h
		arpl	dx, bx
		and	dword ptr [esi-6BBF7769h], 53h
		mov	eax, ds:3B573F92h
		sub	[eax+eax], ecx
; 
		dw 0
_DEVPKEY_Device_PendingConfigurationIds	db '&cڃ@S?W;)',0Bh,0
					; DATA XREF: PiDevCfgProcessDevice(x,x,x)+119o
					; PiDevCfgProcessDevice(x,x,x)+1CCo ...
		align 4

_DEVPKEY_Device_DriverNodeStrongName:	; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+93Fo
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1404o ...
		db	26h
		arpl	dx, bx
		and	dword ptr [esi-6BBF7769h], 53h

loc_427FF2:				; CODE XREF: .text:00427FA1j
		mov	eax, ds:3B573F92h
		sub	[ebx], eax
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_RollbackDriverNode:	; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1481o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+156Bo
		db	26h
		arpl	dx, bx
		and	dword ptr [esi-6BBF7769h], 53h
		mov	eax, ds:3B573F92h
		sub	[eax+eax], eax
; 
		dw 0
; 

_DEVPKEY_Device_PanelRotationZ:		; DATA XREF: _CmUpdateDevicePanel+6E151o
					; _CmUpdateDevicePanel+6E1ACo ...
		xchg	bl, [esp+edi*4-685673h]
		dec	ebx
		wait
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		or	eax, 86000000h	; DATA XREF: _CmUpdateDevicePanel+6E29Ao
					; _CmUpdateDevicePanel+6E2BEo
		pushf
		mov	esp, 0FF97A98Dh
		dec	ebx
		wait
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		push	cs
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_PanelShape:		; DATA XREF: _CmUpdateDevicePanel+6E306o
					; _CmUpdateDevicePanel+6E335o
		xchg	bl, [esp+edi*4-685673h]
		dec	ebx
		wait
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		sldt	word ptr [eax]
; 
		db 0
; 

_DEVPKEY_Device_PanelVisible:		; DATA XREF: _CmUpdateDevicePanel+6E373o
					; _CmUpdateDevicePanel+6E39Ao
		xchg	bl, [esp+edi*4-685673h]
		dec	ebx
		wait
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		adc	[eax], al
; 
		dw 0
; 

_DEVPKEY_Device_PanelPositionY:		; DATA XREF: _CmUpdateDevicePanel+6DF83o
					; _CmUpdateDevicePanel+6E029o ...
		xchg	bl, [esp+edi*4-685673h]
		dec	ebx
		wait
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		or	[eax], eax
; 
		dw 0
; 

_DEVPKEY_Device_PanelPositionZ:		; DATA XREF: _CmUpdateDevicePanel+6DFB6o
					; _CmUpdateDevicePanel+6E08Bo
		xchg	bl, [esp+edi*4-685673h]
		dec	ebx
		wait
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		or	al, [eax]
; 
		dw 0
; 

_DEVPKEY_Device_PanelRotationX:		; DATA XREF: _CmUpdateDevicePanel+6E0D4o
					; _CmUpdateDevicePanel+6E17Co ...
		xchg	bl, [esp+edi*4-685673h]
		dec	ebx
		wait
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		or	eax, [eax]
; 
		dw 0
; 

_DEVPKEY_Device_PanelRotationY:		; DATA XREF: _CmUpdateDevicePanel+6E114o
					; _CmUpdateDevicePanel+6E194o ...
		xchg	bl, [esp+edi*4-685673h]
		dec	ebx
		wait
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		or	al, 0
; 
		dw 0
; 

_DEVPKEY_Device_PanelWidth:		; DATA XREF: _CmUpdateDevicePanel+6DDB3o
					; _CmUpdateDevicePanel+6DE4Ao ...
		xchg	bl, [esp+edi*4-685673h]
		dec	ebx
		wait
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		add	eax, 86000000h	; DATA XREF: _CmUpdateDevicePanel+6DDE4o
					; _CmUpdateDevicePanel+6DE7Bo ...
		pushf
		mov	esp, 0FF97A98Dh
		dec	ebx
		wait

loc_4280CD:				; CODE XREF: .text:_DEVPKEY_Device_Numa_Nodej
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		push	es
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_PanelLength:		; DATA XREF: _CmUpdateDevicePanel+6DE17o
					; _CmUpdateDevicePanel+6DEA4o ...
		xchg	bl, [esp+edi*4-685673h]
		dec	ebx
		wait

loc_4280E1:				; CODE XREF: .text:_DEVPKEY_Device_DebuggerSafej
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		pop	es
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_PanelPositionX:		; DATA XREF: _CmUpdateDevicePanel+6DF50o
					; _CmUpdateDevicePanel+6DFF6o ...
		xchg	bl, [esp+edi*4-685673h]
		dec	ebx
		wait
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		or	[eax], al
; 
		dw 0
; 

_DEVPKEY_Device_PanelGroup:		; DATA XREF: _CmUpdateDevicePanel+6DCE0o
					; _CmUpdateDevicePanel+6DD57o ...
		xchg	bl, [esp+edi*4-685673h]
		dec	ebx
		wait
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		add	eax, [eax]
; 
		dw 0
; 

_DEVPKEY_Device_PanelSide:		; DATA XREF: _CmUpdateDevicePanel+6DD09o
					; _CmUpdateDevicePanel+6DD6Fo ...
		xchg	bl, [esp+edi*4-685673h]
		dec	ebx
		wait
		mov	byte ptr [edi+6D3E5DE9h], 0ADh
		add	al, 0
; 
		dw 0
; 

_DEVPKEY_Device_ProblemStatusOverride:	; DATA XREF: _CmGetDeviceMappedPropertyFromComposite+119D62o
		lds	esp, [esi-6C05BCC0h]
		push	es
		inc	edi
		xchg	eax, edi
		sub	al, 7Bh
		or	byte ptr fs:[eax], 0A5h
		cmpsd
; 
		dd 0Dh
; 

_DEVPKEY_Device_Numa_Node:		; DATA XREF: PipCallDriverAddDevice+A18C5o
		jle	short near ptr loc_4280CD+5
		or	edx, [eax+eax*2-75h]

loc_428142:				; CODE XREF: .text:0042816Fj
		mov	esp, 6AA2A845h
		or	ecx, [ecx+3A2BD4Ch]
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_DebuggerSafe:		; DATA XREF: PipCallDriverAddDevice+A1819o
		jle	short near ptr loc_4280E1+5
		or	edx, [eax+eax*2-75h]
		mov	esp, 6AA2A845h
		or	ecx, [ecx+0CA2BD4Ch]
; 
		db 3 dup(0)
; 

_DEVPKEY_DeviceInterfaceClass_Name:	; DATA XREF: .data:off_6B3830o
					; _CmGetInterfaceClassMappedPropertyFromComposite(x,x,x,x,x,x,x,x)+71o
		cdq
		cmp	cl, al
		adc	al, 3Fh
		or	esi, [edi-5EB341BCh]
		js	short near ptr loc_428142+2
		cdq
		add	eax, 364h
; 
		db 0
; 

_DEVPKEY_Device_GenericDriverInstalled:	; DATA XREF: PAGEDATA:off_A933ACo
					; PAGEDATA:00A933C4o
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd

loc_428185:				; CODE XREF: .text:_DEVPKEY_Device_ExtendedConfigurationIdsj
		or	al, 75h
		setalc
		adc	al, [eax]
; 
		dw 0
; 

_DEVPKEY_Device_AdditionalSoftwareRequested: ; DATA XREF: PAGEDATA:00A933C8o
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd

loc_428199:				; CODE XREF: .text:_DEVPKEY_Device_ConfigurationIdj
		or	al, 75h
		setalc
		adc	eax, [eax]
; 
		dw 0
; 

_DEVPKEY_Device_DriverRank:		; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1716o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+179Eo
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd

loc_4281AD:				; CODE XREF: .text:_DEVPKEY_Device_DHP_Rebalance_Policyj
		or	al, 75h
		setalc
		push	cs
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_DriverLogoLevel:	; DATA XREF: PAGEDATA:00A933C0o
		frstor	byte ptr [ebp-48h]
		test	al, 3Dh
		db	2Eh
		xchg	eax, esp
		inc	eax
		lodsd
		xchg	eax, edi
		in	eax, 93h
		cmpsd
		or	al, 75h
		setalc
		sldt	word ptr [eax]
; 
		db 0
_DEVPKEY_Device_InstallDate db '&cڃ@S?W;)d',0
					; DATA XREF: PiDevCfgProcessDevice(x,x,x)+636o
		align 4
_DEVPKEY_Device_FirstInstallDate db '&cڃ@S?W;)e',0
					; DATA XREF: PiDevCfgProcessDevice(x,x,x)+663o
					; PiDevCfgProcessDevice(x,x,x)+692o
		align 10h

_DEVPKEY_Device_ExtendedConfigurationIds:
					; DATA XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+193o
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1A97o ...
		jle	short near ptr loc_428185+1
		or	edx, [eax+eax*2-75h]
		mov	esp, 6AA2A845h
		or	ecx, [ecx+0FA2BD4Ch]
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_ConfigurationId:	; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1A49o
		jle	short near ptr loc_428199+1
		or	edx, [eax+eax*2-75h]
		mov	esp, 6AA2A845h
		or	ecx, [ecx+7A2BD4Ch]
; 
		db 3 dup(0)
; 

_DEVPKEY_Device_DHP_Rebalance_Policy:	; DATA XREF: PiRebalanceOptOut(x)+2Bo
		jle	short near ptr loc_4281AD+1
		or	edx, [eax+eax*2-75h]
		mov	esp, 6AA2A845h
		or	ecx, [ecx+2A2BD4Ch]
; 
		db 3 dup(0)
; 

_DEVPKEY_Spare_Processor_Apic_Id:	; DATA XREF: PnprIsProcessorDevice(x,x,x,x)+8Fo
		db	3Eh
		lea	ebp, [ecx]
		sahf
		jge	short near ptr aDriverenum+7
		fisttp	word ptr [ebp-7Ch]
		ja	short near ptr aVerifierext_sy+1
		pop	es
		cmpsd
		inc	eax
		push	0Fh
		add	al, [eax]
; 
		dw 0
; 

_DEVPKEY_Spare_Memory:			; DATA XREF: PnprIsMemoryDevice(x,x)+51o
		db	3Eh
		lea	ebp, [ecx]
		sahf
		jge	short near ptr aVerifierext_sy+3
		fisttp	word ptr [ebp-7Ch]
		ja	short near ptr aVerifierext_sy+15h
		pop	es
		cmpsd
		inc	eax
		push	0Fh
		add	eax, [eax]
; 
		dw 0
_unconfiguredConfigFlags dd 0FFFFFFFFh	; DATA XREF: PiDcGenerateConfigNotificationIfContainerRequiresConfiguration+854D1o
					; PiDcContainerRequiresConfiguration(x)+65o
aDriverenum:				; CODE XREF: .text:00428230j
					; DATA XREF: PiSwStopDestroy(x,x,x,x):loc_736713o ...
		unicode	0, <DRIVERENUM>,0
		align 10h
; void aVerifierext_sy
aVerifierext_sy:			; CODE XREF: .text:00428235j
					; .text:00428244j
					; DATA XREF: ...
		unicode	0, <VerifierExt.sys>,0
; 

_MiHalfSecond:				; DATA XREF: MiCreateSystemSection+920B4o
					; MiDelayFaultingThread:loc_5E1052o ...
		sal	byte ptr [ebx+esi*4-1],	0FFh

_MiOneSecond:				; DATA XREF: MiIssuePageExtendRequest(x,x,x,x)+117o
					; MiIssuePageExtendRequest(x,x,x,x):loc_632CBEo ...
		sub	byte ptr [ecx+67h], 0FFh
; 
		dd 0FFFFFFFFh
_MiNoPagesTimeout dd 0D646D900h		; DATA XREF: MiNoPagesLastChance(x,x)+121r
					; MiWaitForFreePage(x,x)+CDo
dword_4282A4	dd 0FFFFFFFFh		; DATA XREF: MiNoPagesLastChance(x,x)+119r
_MiVadPageIndices dd 2			; DATA XREF: .text:00450FFDr
					; MiVadPageTableChargeLevel(x)+45r ...
		dd 1, 0
		dd 2
_MiVadPageSizes	dd 1			; DATA XREF: NtGetWriteWatch+2E3r
					; .text:00450FF6r ...
		dd 10h,	200h, 1
; 

_MiCombineMinimumPages:			; DATA XREF: MiPopulateCombineMdls(x,x,x)+1Bo
		adc	[eax], al
; 
		dw 0
		dd 100h, 10h
_PpmPerfReductionOffsetPercent db 0	; DATA XREF: PpmPerfComputePerfReductionTolerance(x):loc_648251r
		db 1, 5, 0Ah
		dd 14h
; 

_PpmPerfReductionBoostPolicies:
		pop	edi
; 
byte_4282DD	db 4Ah			; DATA XREF: PpmPerfComputePerfReductionTolerance(x):loc_648245r
; 
		das
		adc	eax, 0

; void GUID_DEVICE_CLASS_USB_CONTROLLER
_GUID_DEVICE_CLASS_USB_CONTROLLER:	; DATA XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+40Ao
		pusha
		sahf
		cld
; 
		db 36h
		dd 11CFC465h, 45445680h, 5453h
; 

_GUID_SLEEPSTUDY_BLOCKER_TOP_LEVEL_SOC_SUBSYSTEM:
					; DATA XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+1EAo
					; PopFxInitializeSocSubsystemStaticInfo(x,x):loc_9A7D5Bo
		mov	ebx, (offset off_AABBA8+2)
; 
		db 3 dup(0)
		dd 2 dup(0)
; 

_DEVPKEY_PciDevice_DeviceType:		; DATA XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+38Fo
		xor	[esi], ebp

loc_428306:				; CODE XREF: .text:_GUID_ACDC_DISPLAY_BURST_SUPPRESSj
		mov	dl, 3Ah
		or	byte ptr fs:[esi+4Bh], 9Ah
		cmc
		test	al, 0D2h

loc_428310:				; CODE XREF: .text:0042836Dj
		fsub	st, st(3)
		db	3Eh
		bound	eax, [ecx]
; 
		db 3 dup(0)
; 

_GUID_SLEEPSTUDY_BLOCKER_PARENT_PREVETO:
					; DATA XREF: PpmIdleCaptureCsVetoAccounting(x,x,x,x)+FAo
		sub	eax, 647E8E91h
		push	esp
		movsd
		inc	eax
		mov	dh, ch
		enter	0B7Fh, 87h
; 
		dw 0EFBDh
; 

; void GUID_EM_RULE_DISABLE_DIRECTED_DRIPS_CPU_MATCH
_GUID_EM_RULE_DISABLE_DIRECTED_DRIPS_CPU_MATCH:
					; DATA XREF: PopDirectedDripsQueryEmSettings(x)+11o
		xor	cl, dl
		xor	eax, 0C391CBCh
		inc	ebp
		mov	dl, [edx+edi-375238FCh]
; 
		db 0C4h
; 

_GUID_ACDC_DISPLAY_BURST_SUPPRESS:	; DATA XREF: PopPowerSourceChangeCallback:loc_5F49B3o
		jl	short loc_428306
		cmc
		mov	ds:4FD3CE18h, eax
		test	eax, 3A3BC1D0h
		db	65h
		out	0EAh, al

_GUID_BATTERY_PERCENTAGE_REMAINING:	; DATA XREF: PopBatteryApplyCompositeState+A06C1o
		inc	ecx
		sub	byte ptr [ebp-514BA559h], 4Ch
		xchg	esp, [ebx+68B4CBEEh]

loc_428356:				; DATA XREF: ALMOSTRO:00705ECCo
					; PpmProcessSettingsFromQueryTable(x,x,x)+6Bo
		test	eax, 0F6F8E1h
		add	edx, esi
		stosd
		test	eax, 494FB745h
		or	[ecx+1Ah], ch
		inc	eax
; 
		db 0B5h
; 

; void GUID_PROCESSOR_PERF_INCREASE_HISTORY
_GUID_PROCESSOR_PERF_INCREASE_HISTORY:	; DATA XREF: ALMOSTRO:00705EC4o
					; PpmProcessSettingsFromQueryTable(x,x,x)+4Bo
		add	edi, ebp
		mov	bl, 99h
		das
		jnz	short loc_428310
		inc	esi
		cmp	bl, 77h
		xor	[ecx], al
		pop	ds

loc_428376:				; DATA XREF: ALMOSTRO:00705ED4o
					; PpmProcessSettingsFromQueryTable(x,x,x)+8Bo
		and	edx, [edx+eax*4-0Eh]
		xlat
		ja	short near ptr loc_428393+4
; 
		db 8Fh,	0CDh, 42h
		dd 45453785h, 0E89B830Ah

;  S U B	R O U T	I N E 


_GUID_SYSTEM_AWAYMODE proc near		; DATA XREF: PopSetAwayModeStatus(x)+15o
					; PopSetAwayModeStatus(x)+41o
		xor	ch, 0A7h
		cwde
		test	dword ptr [ecx], 0F9C48AAh
		inc	esp

loc_428393:				; CODE XREF: .text:0042837Bj
		xor	eax, 0C0E5292Ch
_GUID_SYSTEM_AWAYMODE endp

; [00000005 BYTES: COLLAPSED FUNCTION _GUID_ADAPTIVE_INPUT_CONTROLLER_STATE. PRESS KEYPAD "+" TO EXPAND]
		db 0F4h, 0E1h, 4Dh
; 
		cmpsd
		push	edi
		pusha
		xor	ecx, esi
		xchg	eax, edi
		imul	dl

_GUID_DISK_IDLE_TIMEOUT:		; DATA XREF: PopUpdateDiskIdleTimeoutSetting+A15E6o
		test	al, 9Bh
		jecxz	short near ptr loc_428402+2
		out	0B8h, al	; Interrupt Controller #2, 8259A
		test	byte ptr [esi-70h], 0D0h
		mov	[esi-29A74DCEh], ebp

_GUID_VIDEO_CURRENT_MONITOR_BRIGHTNESS:	; DATA XREF: PopMonitorProcessBrightnessAction(x,x)+1Eo
		mov	dl, 0FEh
		pop	dword ptr [ecx]
		sub	eax, 0B9AD46BEh
		cmp	[edx-4B3A23h], ecx

_SYSTEM_SLEEP_ETW_CHECKPOINT_GUID:	; DATA XREF: PopCheckpointSystemSleepUnsafe(x)+19o
					; PopClearSystemSleepCheckpoint+A5C22o	...
		sbb	bh, ch
		mov	ch, 0F4h
		adc	al, 2Fh
		sbb	eax, 0D8A99A45h
		cmc
		out	11h, eax
		jno	short loc_4283D9

_PopShutdownPowerOffPolicyRegName:	; DATA XREF: PopReadShutdownPolicy()+6Do
		inc	esp

loc_4283D9:				; CODE XREF: .text:004283D6j
		add	[edi+0], ch
		outsb
		add	[eax+eax+50h], dh
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		dec	edi
		add	[esi+0], ah
		db	66h
		add	[ecx+0], al
		db	66h
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		push	ebx
		add	[eax+0], ch
		jnz	short $+2
		jz	short $+2

loc_428402:				; CODE XREF: .text:004283AAj
		add	fs:[edi+0], ch
		ja	short $+2
		outsb
; 
		db 3 dup(0)
		align 10h

_PopShutdownPowerOffPolicyRegKey:	; DATA XREF: PopReadShutdownPolicy()+1Co
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		outsd
		add	[esi+0], ah
		jz	short $+2
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+50h], bl
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 730065h
		pop	esp
		add	[ebp+0], cl
		imul	eax, [eax], 720063h
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		and	[eax], al
		dec	esi
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
; 

_PopUndockPolicyRegName:		; DATA XREF: PoGetLightestSystemStateForEject(x,x,x,x)+72o
		push	ebp
		add	[esi+0], ch
		add	fs:[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 50h
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dd offset loc_47FFFE+2	; DATA XREF: PopSaveHibernateEnabled()+3Ao
		dd offset loc_620069
		dw 65h
aRnateenabled:
		unicode	0, <rnateEnabled>,0
		align 4

_PopControlRegKey:			; DATA XREF: PopSaveHibernateEnabled()+10o
					; PopSetHiberFileSize(x,x)+85o	...
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+50h], bl
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
; 
		dw 0
; 

_PopHiberFileTypeRegName:		; DATA XREF: PopSetHiberFileType(x,x)+93o
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		push	esp
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[eax], al
		add	[eax+0], cl	; DATA XREF: PopSetHiberFileSize(x,x)+99o
		imul	eax, [eax], 650062h
		jb	short $+2
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		push	ebx
		add	[ecx+0], ch
		jp	short $+2
		add	gs:[eax+0], dl
		add	gs:[edx+0], dh
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
; 
		dd 0
aSystemsleepche:			; DATA XREF: PopCheckpointSystemSleepUnsafe(x):loc_7300F6o
		unicode	0, <SystemSleepCheckpoint>,0
		align 10h

_PopThermalLoggingVolatileRegKey:	; DATA XREF: PopOpenThermalLoggingKey+7E8A6o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al
		dec	ebp
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+0], dl
		outsd
		add	[edi+0], dh
		add	gs:[edx+0], dh
		pop	esp
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		push	esp
		add	[eax+0], ch
		add	gs:[edx+0], dh
		insd
		add	[ecx+0], ah
		insb
		add	[ebp+0], al
		jbe	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
; 
		dw 0
; 

_GUID_TRIAGEDUMP_DATA:			; DATA XREF: IopLiveDumpGenerateIptSecondaryData()+124o
		xchg	eax, ebp
		loope	near ptr a??+9
		sub	ecx, [ebp-5Ah]
		add	al, 4Fh
		mov	ds, si
		jle	short near ptr byte_42864F
		cwde
		sbb	edx, esp
; 
		db 2Ah
; 

_PopShutdownDiagnosticsScenarioGuid:	; DATA XREF: PopGracefulShutdown(x)+17Co
		lea	edx, [edi]
		cwde
		lods	dword ptr es:[esi]
		std
		scasb
		inc	eax
		popf
		cmp	al, 13h
		jno	short near ptr _GUID_EM_RULE_ALLOW_INPUT_SUPPRESSION_NOTIFICATION+1
		cmp	bl, ah
		pop	ebx
; 
		dd 0
; 

_SLEEPSTUDY_EVT_SCENARIO_BLOCKER_DATA:	; DATA XREF: PopDiagTraceSleepStudyBlockerData(x,x)+23o
					; PopDiagTraceSleepStudyBlockerData(x,x)+39o ...
		add	al, [eax]
		add	[eax], edx
		add	al, 0
		add	al, [eax]
		add	[eax], eax
; 
		dw 0
		dd 80000000h
; 

_SLEEPSTUDY_EVT_SCENARIO_BLOCKER:	; DATA XREF: PopDiagTraceSleepStudyBlocker(x,x)+1Ao
					; PopDiagTraceSleepStudyBlocker(x,x)+2Fo ...
		add	[eax], eax
		add	[eax], edx
		add	al, 0
		add	[eax], eax
		add	[eax], eax
; 
		dw 0
		dd 80000000h
a??:					; CODE XREF: .text:004285F5j
		unicode	0, <\??\>,0
		align 4
a?:
		unicode	0, <\\?\>,0
		db 0
byte_42864F	db 0			; CODE XREF: .text:004285FEj
; 

_BATTERY_EVT_BATTERY_PERCENT_REMAINING:	; DATA XREF: PopBatteryTracePercentageRemaining(x,x,x,x)+48o
					; PopBatteryTracePercentageRemaining(x,x,x,x)+95o
		or	eax, 4100000h
		add	large ds:0, cl
; 
		db 0
		dd 80000000h
; 

_BATTERY_EVT_SYSTEM_BATTERY_STATUS_RUNDOWN:
					; DATA XREF: PopBatteryTraceSystemBatteryStatus:loc_560DC2o
		add	al, [eax]
		add	[eax], dl
		add	al, 0
		add	al, [eax]
; 
		dd 0
		dd 80000000h
; 

; void GUID_EM_PEP_UPADTE_DEVICE_CONTRAINT
_GUID_EM_PEP_UPADTE_DEVICE_CONTRAINT:	; DATA XREF: PopPepInitializeVetoMasks(x,x)+F0o
		mov	byte ptr [ebx+ebp*4+5DC55637h],	42h
		mov	edi, esp
		cmp	ebp, [edi]
		jg	short near ptr loc_4286C1+1
		out	22h, eax

; void GUID_EM_RULE_ALLOW_INPUT_SUPPRESSION_NOTIFICATION
_GUID_EM_RULE_ALLOW_INPUT_SUPPRESSION_NOTIFICATION: ; CODE XREF: .text:0042860Fj
					; DATA XREF: PopReadErrataDeviceAllowedForInputSuppression()+12o
		mov	ch, 4Dh
		mov	sp, [ebp+68h]
		cmp	eax, 24909E49h
		fadd	st(5), st
; 
		db 8Fh,	5Bh, 7Eh
; 

_GUID_EM_PO_UPDATE_DEVICE_CONTRAINT_CALLBACK: ;	DATA XREF: .text:00404D44o
		popf
		int	67h		;  - LIM EMS
		mov	edi, 4BEDB8D1h
		mov	edi, 59EE1DDAh
; 
		db 63h,	0BEh, 6Bh
; 

_GUID_CONSOLE_LOCKED:			; DATA XREF: PopSessionWinlogonNotification(x,x)+DBo
		mov	edx, 79654B4Eh
		pop	es
		pusha
		dec	esi
		nop
		aam	78h
		clc
		db	64h
		dec	ecx
		test	eax, 1A09E19Dh	; DATA XREF: PoInitSystem+23866o
		jp	short near ptr loc_4286C4+1
		rcr	dword ptr [eax+4Eh], 8Eh
		sbb	[ecx], ecx

loc_4286BB:				; DATA XREF: PAGEDATA:00A934FCo
		test	ds:49335C16h, dl

loc_4286C1:				; CODE XREF: .text:0042867Cj
		add	[esi+0], ch

loc_4286C4:				; CODE XREF: .text:004286B3j
		jbe	short $+2
		popa
		add	[eax+eax+69h], ch
		add	[eax+eax+0], ah

loc_4286CF:				; DATA XREF: PAGEDATA:00A9353Co
		add	[eax+0], dl
		outsd
		add	[edi+0], dh
		add	gs:[edx+0], dh
		inc	edx
		add	[ebp+0], dh
		jz	short $+2
		jz	short $+2
		outsd
		add	[esi+0], ch
; 
		dw 0
aUserdisplaybur:			; DATA XREF: PAGEDATA:00A935DCo
		unicode	0, <UserDisplayBurst>,0
		align 4
aScmonitorpower:			; DATA XREF: PAGEDATA:00A935FCo
		unicode	0, <ScMonitorPower>,0
		align 4
aPosetsystemsta:			; DATA XREF: PAGEDATA:00A9361Co
		unicode	0, <PoSetSystemState>,0
		align 10h
aSetthreadexecu:			; DATA XREF: PAGEDATA:00A9363Co
		unicode	0, <SetThreadExecutionState>,0
aSleepbutton:				; DATA XREF: PAGEDATA:00A9355Co
		unicode	0, <SleepButton>,0
aLid:					; DATA XREF: PAGEDATA:00A9357Co
		unicode	0, <Lid>,0
aAcdcburst:				; DATA XREF: PAGEDATA:00A9359Co
		unicode	0, <AcDcBurst>,0
aRemoteconnecti:			; DATA XREF: PAGEDATA:00A935BCo
		unicode	0, <RemoteConnection>,0
		align 4
aPolicychange:				; DATA XREF: PAGEDATA:00A936DCo
		unicode	0, <PolicyChange>,0
		align 4
aBatterycountch:			; DATA XREF: PAGEDATA:00A936FCo
		unicode	0, <BatteryCountChange>,0
		align 4
aScreenoffgrace:			; DATA XREF: PAGEDATA:00A9371Co
		unicode	0, <ScreenOffGracePeriod>,0
		align 4
aScreenofftherm:			; DATA XREF: PAGEDATA:00A9373Co
		unicode	0, <ScreenOffThermal>,0
		align 4
aFullwake:				; DATA XREF: PAGEDATA:00A9365Co
		unicode	0, <FullWake>,0
		align 10h
aSessionunlock:				; DATA XREF: PAGEDATA:00A9367Co
		unicode	0, <SessionUnlock>,0
aScreenoffreque:			; DATA XREF: PAGEDATA:00A9369Co
		unicode	0, <ScreenOffRequest>,0
		align 10h
aScreenofftimeo:			; DATA XREF: PAGEDATA:00A936BCo
		unicode	0, <ScreenOffTimeout>,0
		align 4
aResumes4:				; DATA XREF: PAGEDATA:00A937DCo
		unicode	0, <ResumeS4>,0
		align 4
aTerminal:				; DATA XREF: PAGEDATA:00A937FCo
		unicode	0, <Terminal>,0
		align 4
aWinrt:					; DATA XREF: PAGEDATA:00A9381Co
		unicode	0, <WinRT>,0
aUserinput:				; DATA XREF: PAGEDATA:00A9383Co
		unicode	0, <UserInput>,0
aDynamicpartiti:			; DATA XREF: PAGEDATA:00A9375Co
		unicode	0, <DynamicPartitioning>,0
aSxtransition:				; DATA XREF: PAGEDATA:00A9377Co
		unicode	0, <SxTransition>,0
		align 10h
aSystemidle:				; DATA XREF: PAGEDATA:00A9379Co
		unicode	0, <SystemIdle>,0
		align 4
aProximity:				; DATA XREF: PAGEDATA:00A937BCo
		unicode	0, <Proximity>,0
aInputaccelerom:			; DATA XREF: PAGEDATA:00A938DCo
		unicode	0, <InputAccelerometer>,0
		align 4
aInputhid:				; DATA XREF: PAGEDATA:00A938FCo
		unicode	0, <InputHid>,0
		align 4
aInputpouserpre:			; DATA XREF: PAGEDATA:00A9391Co
		unicode	0, <InputPoUserPresent>,0
		align 10h
aInputsessionsw:			; DATA XREF: PAGEDATA:00A9393Co
		unicode	0, <InputSessionSwitch>,0
		align 4
aInputkeyboard:				; DATA XREF: PAGEDATA:00A9385Co
		unicode	0, <InputKeyboard>,0
aInputmouse:				; DATA XREF: PAGEDATA:00A9387Co
		unicode	0, <InputMouse>,0
		align 4
aInputtouch:				; DATA XREF: PAGEDATA:00A9389Co
		unicode	0, <InputTouch>,0
		align 4
aInputpen:				; DATA XREF: PAGEDATA:00A938BCo
		unicode	0, <InputPen>,0
		align 4
aSignalheycorta:			; DATA XREF: PAGEDATA:00A939DCo
		unicode	0, <SignalHeyCortana>,0
		align 4
aSignalholograp:			; DATA XREF: PAGEDATA:00A939FCo
		unicode	0, <SignalHolographicShell>,0
		align 4
aSignalfingerpr:			; DATA XREF: PAGEDATA:00A93A1Co
		unicode	0, <SignalFingerprint>,0
aDirecteddrips:				; DATA XREF: PAGEDATA:00A93A3Co
		unicode	0, <DirectedDrips>,0
aInputinitializ:			; DATA XREF: PAGEDATA:00A9395Co
		unicode	0, <InputInitialization>,0
aSignal:				; DATA XREF: PAGEDATA:00A9397Co
		unicode	0, <Signal>,0
		align 4
aSignalpwrnotif:			; DATA XREF: PAGEDATA:00A9399Co
		unicode	0, <SignalPwrNotif>,0
		align 4
aSignalmobilesh:			; DATA XREF: PAGEDATA:00A939BCo
		unicode	0, <SignalMobileShell>,0
aSleepexit:				; DATA XREF: PAGEDATA:00A93ADCo
		unicode	0, <SleepExit>,0
aAcdcdisplaybur:			; DATA XREF: PAGEDATA:00A93A5Co
		unicode	0, <AcDcDisplayBurstSuppressed>,0
		align 4
aBuiltinpanel:				; DATA XREF: PAGEDATA:00A93A7Co
		unicode	0, <BuiltinPanel>,0
		align 10h
aBatteryprecrit:			; DATA XREF: PAGEDATA:00A93A9Co
		unicode	0, <BatteryPreCritical>,0
		align 4
aBatterycount_1:			; DATA XREF: PAGEDATA:00A93ABCo
		unicode	0, <BatteryCountChangeSuppressed>,0
		align 4

_GUID_EM_PO_CALLER_MODULE_MATCH_CALLBACK:
		inc	ebp
		lahf
		fld	dword ptr [edi+eax-45B930F5h]
		mov	ebp, 6EC88119h
; 
		dw 2530h
; 

_GUID_EM_PO_CALLER_MODULE_NAME_TYPE:	; DATA XREF: .text:_PopEmEntryo
		and	cl, [ebx]
		add	byte ptr [edx],	0C6h
		popa
		mov	ch, 4Ah
		mov	eax, 0EBC1D49Dh
		sub	al, 0D0h
; 
		db 0E6h
; 

_GUID_RESUME_LOADER_SETTINGS_GROUP:	; DATA XREF: PopBcdRegenerateResumeObject(x,x,x)+EEo
		dec	ecx
		pushf
		cli
		sbb	ch, [ebx-6FB5A3EAh]
		sbb	esp, [ecx]
		sub	[edx], al

loc_428C91:				; DATA XREF: WheaPersistBadPageToBcd(x)+3Bo
		ficom	dword ptr [eax+5189B25Ch]
		pop	eax
		push	ebp
		repne dec ebx
		mov	esp, 119B28A4h
		mov	ebp, 0FA2E229h	; DATA XREF: BiIsValidObject(x,x,x)+7Bo
					; BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)+17o ...
		mov	ds:9F3D06A5h, eax
		dec	esi
		mov	ch, 0F4h
		mov	al, ds:0FCD1F91Dh

loc_428CB3:				; DATA XREF: ALMOSTRO:_PpmPolicyAliasListo
		mov	edx, 720070h
		outsd
		add	[ebx+0], ah
		jz	short $+2
		push	6F007200h
		add	[eax+eax+74h], dh
		add	[eax+eax+65h], ch
		add	[ebp+0], ch
		popa
		add	[eax+0], bh
; 
		dw 0
aProcthrottlemi:			; DATA XREF: ALMOSTRO:00705E40o
		unicode	0, <procthrottlemin>,0
aPerfdecthresho:			; DATA XREF: ALMOSTRO:00705E48o
		unicode	0, <perfdecthreshold>,0
		align 4
aCpincreasetime:			; DATA XREF: ALMOSTRO:00705E70o
		unicode	0, <cpincreasetime>,0
		align 4
aPerfdectime:				; DATA XREF: ALMOSTRO:00705E78o
		unicode	0, <perfdectime>,0
aPerfinctime:				; DATA XREF: ALMOSTRO:00705E80o
		unicode	0, <perfinctime>,0
aThrottling:				; DATA XREF: ALMOSTRO:00705E88o
		unicode	0, <throttling>,0
		align 10h
aPerfincthresho:			; DATA XREF: ALMOSTRO:00705E50o
		unicode	0, <perfincthreshold>,0
		align 4
aCpmaxcores:				; DATA XREF: ALMOSTRO:00705E58o
		unicode	0, <cpmaxcores>,0
		align 4
aCpmincores:				; DATA XREF: ALMOSTRO:00705E60o
		unicode	0, <cpmincores>,0
		align 4
aCpdecreasetime:			; DATA XREF: ALMOSTRO:00705E68o
		unicode	0, <cpdecreasetime>,0
		align 4
aDistributeutil:			; DATA XREF: ALMOSTRO:00705EB0o
		unicode	0, <distributeutil>,0
		align 4
aPerfincpol:				; DATA XREF: ALMOSTRO:00705EB8o
		unicode	0, <perfincpol>,0
		align 4
aPerfincreasehi:			; DATA XREF: ALMOSTRO:00705EC0o
		unicode	0, <perfincreasehistory>,0
aPerfdecreasehi:			; DATA XREF: ALMOSTRO:00705EC8o
		unicode	0, <perfdecreasehistory>,0
aLatencyhintp_1:			; DATA XREF: ALMOSTRO:00705E90o
		unicode	0, <latencyhintperf>,0
aPerfcheck:				; DATA XREF: ALMOSTRO:00705E98o
		unicode	0, <perfcheck>,0
aCpconcurrency:				; DATA XREF: ALMOSTRO:00705EA0o
		unicode	0, <cpconcurrency>,0
aCpheadroom:				; DATA XREF: ALMOSTRO:00705EA8o
		unicode	0, <cpheadroom>,0
		align 4
aPerfcoreparkin:			; DATA XREF: ALMOSTRO:00705ED0o
		unicode	0, <perfcoreparkinghistory>,0
		align 4
aNull:					; DATA XREF: __woutput_l+692o
					; __output_l+45Bo ...
		unicode	0, <(null)>,0
		align 4
a0:					; DATA XREF: PopSqmAddToStream(x,x,x,x):loc_65D220o
					; PopSqmAddToStream(x,x,x,x):loc_65D24Fo
		unicode	0, <0>,0
dword_428F28	dd 0			; DATA XREF: PopSqmAddToStream(x,x,x,x)+105o
dword_428F2C	dd 34353170h, 4D63B561h, 7EFBA8A9h, 0D2F03956h,	0
					; DATA XREF: PopSqmAddToStream(x,x,x,x)+A8o
_SshpAccountingBucketLimits dd 0	; DATA XREF: SshpStopBlockerAccounting(x,x,x,x)+51r
dword_428F44	dd 0			; DATA XREF: SshpStopBlockerAccounting(x,x,x,x):loc_65DE1Br
dword_428F48	dd 11E1A300h		; DATA XREF: SshpStopBlockerAccounting(x,x,x,x)+65r
dword_428F4C	dd 0			; DATA XREF: SshpStopBlockerAccounting(x,x,x,x):loc_65DE2Fr
		dd 23C34600h, 0
		dd 47868C00h, 0
		dd 0B2D05E00h, 0
		dd 2 dup(0FFFFFFFFh)
aRegistryMach_5:			; DATA XREF: TtmpGetConfigOverride(x,x,x)+32o
		unicode	0, <\Registry\Machine\SYSTEM\CurrentControlSet\Control\Power>,0
		align 4
aTtmdevicecallo:			; DATA XREF: TtmpInitializeWatchdogTimeouts()+38o
		unicode	0, <TtmDeviceCalloutCrashEnabled>,0
		align 10h
aTtmdeviceassig:			; DATA XREF: .data:off_6B3644o
		unicode	0, <TtmDeviceAssignmentCallbackTimeout>,0
		align 4
aTtmdeviceclosi:			; DATA XREF: .data:006B3650o
		unicode	0, <TtmDeviceClosingTimeout>,0
aTtmdeviceinput:			; DATA XREF: .data:006B365Co
		unicode	0, <TtmDeviceInputModeChangeTimeout>,0
aTtmdevicedispl:			; DATA XREF: .data:006B3668o
		unicode	0, <TtmDeviceDisplayStateChangeTimeout>,0
		align 10h
aTtmdevicebuilt:			; DATA XREF: .data:006B3674o
		unicode	0, <TtmDeviceBuiltinPanelStateChangeTimeout>,0
aTtmdeviceprima:			; DATA XREF: .data:006B3680o
		unicode	0, <TtmDevicePrimaryDisplayVisibleStateChangeTimeout>,0
		align 4

_TtmpTerminalMapping:			; DATA XREF: TtmInit+836C3o
		add	[eax], eax
		add	al, [eax]
		add	al, [eax]
		add	al, [eax]
; 
		dd 120000h, 1F0003h
_TtmpQueueMapping dd 2 dup(20000h), 120000h, 1F0000h ; DATA XREF: TtmInit+83614o
aDfssshortterms:			; DATA XREF: ALMOSTRO:off_705EF8o
		unicode	0, <DfssShortTermSharingMS>,0
		align 4
aDfsslongtermsh:			; DATA XREF: ALMOSTRO:00705F04o
		unicode	0, <DfssLongTermSharingMS>,0
aDfssgeneration:			; DATA XREF: ALMOSTRO:00705F10o
		unicode	0, <DfssGenerationLengthMS>,0
		align 10h
aDfsslongtermfr:			; DATA XREF: ALMOSTRO:00705F1Co
		unicode	0, <DfssLongTermFraction1024>,0
		align 8

_SecondsToStartOf1980:			; DATA XREF: RtlSecondsSince1980ToTime(x,x)+Ar
					; RtlTimeToSecondsSince1980(x,x)+22r
		add	[edi], dh
		fxch7	st

loc_4292BC:				; DATA XREF: RtlSecondsSince1980ToTime(x,x)+15r
					; RtlTimeToSecondsSince1980(x,x)+28r
		add	al, [eax]
; 
		dw 0
; 

_Magic10000000:				; DATA XREF: RtlTimeToSecondsSince1970(x,x)+10r
					; RtlTimeToSecondsSince1980(x,x)+10r ...
		mov	ebp, 0D5E57A42h
		xchg	eax, esp
		mov	edi, 650053D6h
		add	[ebx+0], ah
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
		sub	eax, 79005300h
		add	[ebx+0], dh
		jz	short $+2
		add	gs:[ebp+0], ch
		sub	eax, 61004300h
		add	[eax+0], dh
		popa
		add	[edx+0], ah
		imul	eax, [eax], 69006Ch
		jz	short $+2
		jns	short $+2
; 
		dd 2Dh
aDo:					; DATA XREF: .text:00404D74o
		unicode	0, <DO>,0
		align 4
aIu:
		unicode	0, <IU>,0
		align 10h
aSharedvmobject:			; DATA XREF: .text:00404D7Co
		unicode	0, <\SharedVmObjects>,0
		align 4
aCrc32Castagnol	db 'Crc32 Castagnoli',0 ; DATA XREF: .text:00404DA0o
		align 4
_crc32Map32_	dd 2 dup(0)
; 
		popf
		retf
; 
		dw 2E34h
		align 8
		dd 5C69973Ah, 0
		dd 725D5CA7h, 0
		dd 0B8D32E74h, 0
		dd 96E7E5E9h, 0
		dd 0E4BAB94Eh, 0
; 
		sal	dword ptr [edx-72h], cl
		retf	0
; 
		align 4
		dd 744A2A19h, 0
		dd 5A7EE184h, 0
		dd 2823BD23h, 0
		dd 61776BEh, 0
		dd 0CC99046Dh, 0
		dd 0E2ADCFF0h, 0
		dd 90F09357h, 0
; 
		retf	0C458h
; 
		db 0BEh
		align 8
		dd 0E8945432h, 0
; 
		scasd
		lahf
		mov	al, large ds:0C6h
		add	[eax], cl
		retn
; 
		dw 0B4FDh
		align 10h
		dd 9AC90895h, 0
aFzgp		db 'FzGP',0
		align 10h
aS		db '۱s~',0
		align 4
		dd 0C2EED7Ch, 0
		dd 221A26E1h, 0
		dd 9CDE7E2Bh, 0
		dd 0B2EAB5B6h, 0
		dd 0C0B7E911h, 0
		dd 0EE83228Ch, 0
		dd 240D505Fh, 0
; 
		retn	399Bh
; 
		db 0Ah
		align 8
		dd 7864C765h, 0
		dd 56500CF8h, 0
		dd 0D4C4DE95h, 0
		dd 0FAF01508h, 0
		dd 88AD49AFh, 0
		dd 0A6998232h, 0
		dd 6C17F0E1h, 0
		dd 42233B7Ch, 0
		dd 307E67DBh, 0
		dd 1E4AAC46h, 0
		dd 0A08EF48Ch, 0
		dd 8EBA3F11h, 0
		dd 0FCE763B6h, 0
		dd 0D2D3A82Bh, 0
		dd 185DDAF8h, 0
		dd 36691165h, 0
; 
		retn	344Dh
; 
		db 44h
		align 10h
		dd 6A00865Fh, 0
		dd 3C508AA7h, 0
		dd 1264413Ah, 0
		dd 60391D9Dh, 0
		dd 4E0DD600h, 0
		dd 8483A4D3h, 0
		dd 0AAB76F4Eh, 0
		dd 0D8EA33E9h, 0
		dd 0F6DEF874h, 0
		dd 481AA0BEh, 0
		dd 662E6B23h, 0
		dd 14733784h, 0
		dd 3A47FC19h, 0
; 
		retf	0C98Eh
; 
		db 0F0h
		align 10h
		dd 0DEFD4557h, 0
		dd 0ACA019F0h, 0
		dd 8294D26Dh, 0
		dd 0AC65CBDBh, 0
		dd 82510046h, 0
		dd 0F00C5CE1h, 0
		dd 0DE38977Ch, 0
		dd 14B6E5AFh, 0
		dd 3A822E32h, 0
		dd 48DF7295h, 0
		dd 66EBB908h, 0
; 
		retn	2FE1h
; 
		db 0D8h
		align 10h
		dd 0F61B2A5Fh, 0
		dd 844676F8h, 0
		dd 0AA72BD65h, 0
		dd 60FCCFB6h, 0
		dd 4EC8042Bh, 0
		dd 3C95588Ch, 0
		dd 12A19311h, 0
; 
		jmp	loc_87876C
; 
		align 10h
		dd 6AC55474h, 0
		dd 189808D3h, 0
; 
		dec	esi
		retn
; 
		dw 36ACh
		align 8
		dd 0FC22B19Dh, 0
		dd 0D2167A00h, 0
		dd 0A04B26A7h, 0
		dd 8E7FED3Ah, 0
		dd 30BBB5F0h, 0
		dd 1E8F7E6Dh, 0
; 
		retf	0D222h
; 
		db 6Ch
		align 10h
		push	edi
		jmp	near ptr dword_42D90C
; 
		align 4
		dd 88689B84h, 0
		dd 0A65C5019h, 0
		dd 0D4010CBEh, 0
		dd 0FA35C723h, 0
		dd 78A1154Eh, 0
		dd 5695DED3h, 0
		dd 24C88274h, 0
; 
		jmp	loc_4D92AE
; 
		align 4
		dd 0C0723B3Ah, 0
		dd 0EE46F0A7h, 0
		dd 9C1BAC00h, 0
		dd 0B22F679Dh, 0
; 
		push	edi
		aas
		jmp	short loc_429698
; 
		align 10h
		retf	0DFF4h
; 
		db 22h
		align 8

loc_429698:				; CODE XREF: .text:0042968Aj
		insd
		test	al, 82h
		push	eax
; 
		dd 0
		dd 7EB663F0h, 0
		dd 0B4381123h, 0
		dd 9A0CDABEh, 0
		dd 0E8518619h, 0
		dd 0C6654D84h, 0
		dd 9035417Ch, 0
		dd 0BE018AE1h, 0
		dd 0CC5CD646h, 0
		dd 0E2681DDBh, 0
		dd 28E66F08h, 0
		dd 6D2A495h, 0
		dd 748FF832h, 0
		dd 5ABB33AFh, 0
		dd 0E47F6B65h, 0
		dd 0CA4BA0F8h, 0
; 
		pop	edi
		cld
		push	ss
		mov	eax, 0
		retn	2237h
; 
		db 96h
		align 8
		dd 5CAC4511h, 0
		dd 72988E8Ch, 0
		dd 0C5D22Bh, 0
		dd 2EF119B6h, 0
		dd 5D27E147h, 0
		dd 73132ADAh, 0
		dd 14E767Dh, 0
		dd 2F7ABDE0h, 0
		dd 0E5F4CF33h, 0
; 
		scasb
		add	al, 0C0h
		retf
; 
		align 8
		dd 0B99D5809h, 0
		dd 97A99394h, 0
; 
		pop	esi
		retf
; 
		dw 296Dh
		align 10h
		retn
; 
		align 2
		dw 759h
		align 8
		dd 75045C64h, 0
		dd 5B3097F9h, 0
		dd 91BEE52Ah, 0
		dd 0BF8A2EB7h, 0
		dd 0CDD77210h, 0
		dd 0E3E3B98Dh, 0
		dd 0B5B3B575h, 0
		dd 9B877EE8h, 0
		dd 0E9DA224Fh, 0
		dd 0C7EEE9D2h, 0
		dd 0D609B01h, 0
		dd 2354509Ch, 0
		dd 51090C3Bh, 0
		dd 7F3DC7A6h, 0
		dd 0C1F99F6Ch, 0
		dd 0EFCD54F1h, 0
; 
		push	esi
		or	[eax+9Dh], dl
		add	bl, cl
		retn
; 
		dw 0B3A4h
		align 8
		dd 792AB118h, 0
		dd 571E7A85h, 0
		dd 25432622h, 0
		dd 0B77EDBFh, 0
		dd 89E33FD2h, 0
		dd 0A7D7F44Fh, 0
		dd 0D58AA8E8h, 0
		dd 0FBBE6375h, 0
		dd 313011A6h, 0
		dd 1F04DA3Bh, 0
		dd 6D59869Ch, 0
		dd 436D4D01h, 0
; 
		retf
; 
		db 15h,	0A9h, 0FDh
		align 10h
		dd 0D39DDE56h, 0
		dd 0A1C082F1h, 0
		dd 8FF4496Ch, 0
		dd 457A3BBFh, 0
		dd 6B4EF022h, 0
		dd 1913AC85h, 0
		dd 37276718h, 0
		dd 61776BE0h, 0
		dd 4F43A07Dh, 0
		dd 3D1EFCDAh, 0
		dd 132A3747h, 0
		dd 0D9A44594h, 0
		dd 0F7908E09h, 0
		dd 85CDD2AEh, 0
		dd 0ABF91933h, 0
		dd 153D41F9h, 0
		dd 3B098A64h, 0
; 
		retn
; 
		dd offset loc_4954D4+2
		align 10h
		dd 67601D5Eh, 0
		dd 0ADEE6F8Dh, 0
		dd 83DAA410h, 0
		dd 0F187F8B7h, 0
		dd 0DFB3332Ah, 0
		dd 0F1422A9Ch, 0
		dd 0DF76E101h, 0
		dd 0AD2BBDA6h, 0
		dd 831F763Bh, 0
		dd 499104E8h, 0
		dd 67A5CF75h, 0
		dd 15F893D2h, 0
		dd 3BCC584Fh, 0
		dd 85080085h, 0
		dd 0AB3CCB18h, 0
		dd 0D96197BFh, 0
		dd 0F7555C22h, 0
		dd 3DDB2EF1h, 0
		dd 13EFE56Ch, 0
; 
		retf
; 
		dd offset loc_61B2B5+4
		align 10h
		dd 4F867256h, 0
		dd 19D67EAEh, 0
		dd 37E2B533h, 0
; 
		xchg	eax, esp
		jmp	loc_42DF9D
; 
		align 10h
		dd 6B8B2209h, 0
		dd 0A10550DAh, 0
		dd 8F319B47h, 0
		dd 0FD6CC7E0h, 0
		dd 0D3580C7Dh, 0
		dd 6D9C54B7h, 0
		dd 43A89F2Ah, 0
		dd 31F5C38Dh, 0
		dd 1FC10810h, 0
; 
		retn
; 
		db 7Ah,	4Fh, 0D5h
		align 10h
		dd 0FB7BB15Eh, 0
		dd 8926EDF9h, 0
		dd 0A7122664h, 0
		dd 2586F409h, 0
		dd 0BB23F94h, 0
		dd 79EF6333h, 0
		dd 57DBA8AEh, 0
		dd 9D55DA7Dh, 0
		dd 0B36111E0h, 0
		dd 0C13C4D47h, 0
		dd 0EF0886DAh, 0
		dd 51CCDE10h, 0
		dd 7FF8158Dh, 0
		dd 0DA5492Ah, 0
		dd 239182B7h, 0
		dd 0E91FF064h, 0
		dd 0C72B3BF9h, 0
		dd 0B576675Eh, 0
; 
		retn
; 
		db 0ACh, 42h, 9Bh
		align 8
		dd 0CD12A03Bh, 0
		dd 0E3266BA6h, 0
		dd 917B3701h, 0
		dd 0BF4FFC9Ch, 0
		dd 75C18E4Fh, 0
		dd 5BF545D2h, 0
		dd 29A81975h, 0
		dd 79CD2E8h, 0
		dd 0B9588A22h, 0
		dd 976C41BFh, 0
		dd 0E5311D18h, 0
		dd 0CB05D685h, 0
		dd 18BA456h, 0
; 
		retf
; 
		db 6Fh,	0BFh, 2Fh
		align 8
		dd 5DE2336Ch, 0
		dd 73D6F8F1h, 3	dup(0)
		dd 2DAE840Fh, 0
		dd 5B5D081Eh, 0
		dd 76F38C11h, 0
		dd 0B6BA103Ch, 0
		dd 9B149433h, 0
		dd 0EDE71822h, 0
		dd 0C0499C2Dh, 0
		dd 68985689h, 0
		dd 4536D286h, 0
		dd 33C55E97h, 0
		dd 1E6BDA98h, 0
		dd 0DE2246B5h, 0
		dd 0F38CC2BAh, 0
		dd 857F4EABh, 0
; 
		movsb
		retf	0A8D1h
; 
		align 8
		dd 0D130AD12h, 0
		dd 0FC9E291Dh, 0
		dd 8A6DA50Ch, 0
; 
		add	esp, [ecx]
		retn
; 
		db 0A7h
		align 8
		dd 678ABD2Eh, 0
		dd 4A243921h, 0
		dd 3CD7B530h, 0
		dd 1179313Fh, 0
		dd 0B9A8FB9Bh, 0
		dd 94067F94h, 0
		dd 0E2F5F385h, 0
		dd 0CF5B778Ah, 0
; 
		cmpsd
		jmp	short near ptr byte_429C3D
; 
		db 0Fh
		align 10h
		dd 22BC6FA8h, 0
		dd 544FE3B9h
		db 0
byte_429C3D	db 3 dup(0)		; CODE XREF: .text:00429C29j
		dd 79E167B6h, 0
		dd 0A78D2CD5h, 0
		dd 8A23A8DAh, 0
; 
		retf
; 
		db 24h,	0D0h, 0FCh
		align 10h
		dd 0D17EA0C4h, 0
		dd 11373CE9h, 0
		dd 3C99B8E6h, 0
		dd 4A6A34F7h, 0
		dd 67C4B0F8h, 0
		dd 0CF157A5Ch, 0
		dd 0E2BBFE53h, 0
		dd 94487242h, 0
		dd 0B9E6F64Dh, 0
		dd 79AF6A60h, 0
		dd 5401EE6Fh, 0
		dd 22F2627Eh, 0
		dd 0F5CE671h, 0
		dd 76BD81C7h, 0
		dd 5B1305C8h, 0
		dd 2DE089D9h, 0
		dd offset loc_4E0DD1+5
		align 8
		dd 0C00791FBh, 0
		dd 0EDA915F4h, 0
		dd 9B5A99E5h, 0
		dd 0B6F41DEAh, 0
		dd 1E25D74Eh, 0
		dd 338B5341h, 0
		dd 4578DF50h, 0
		dd 68D65B5Fh, 0
		dd 0A89FC772h, 0
		dd 8531437Dh, 0
		dd 0F3C2CF6Ch, 0
		dd 0DE6C4B63h, 0
		dd 4AF62F5Bh, 0
		dd 6758AB54h, 0
		dd 11AB2745h, 0
		dd 3C05A34Ah, 0
		dd 0FC4C3F67h, 0
		dd 0D1E2BB68h, 0
		dd 0A7113779h, 0
		dd 8ABFB376h, 0
		dd 226E79D2h, 0
		dd 0FC0FDDDh, 0
		dd 793371CCh, 0
; 
		retn
; 
		dd offset loc_549DF5
		align 4
		dd 94D469EEh, 0
		dd 0B97AEDE1h, 0
		dd 0CF8961F0h, 0
; 
		jmp	ebp
; 
		dw 0E227h
		align 8
		dd 9BC68249h, 0
		dd 0B6680646h, 0
		dd 0C09B8A57h, 0
		dd 0ED350E58h, 0
		dd 2D7C9275h, 0
		dd 0D2167Ah, 0
		dd 76219A6Bh, 0
		dd 5B8F1E64h, 0
		dd 0F35ED4C0h, 0
		dd 0DEF050CFh, 0
		dd 0A803DCDEh, 0
		dd 85AD58D1h, 0
		dd 45E4C4FCh, 0
		dd 684A40F3h, 0
		dd 1EB9CCE2h, 0
		dd 331748EDh, 0
		dd 0ED7B038Eh, 0
		dd 0C0D58781h, 0
		dd 0B6260B90h, 0
		dd 9B888F9Fh, 0
		dd 5BC113B2h, 0
		dd 766F97BDh, 0
		dd 9C1BACh, 0
		dd 2D329FA3h, 0
		dd 85E35507h, 0
		dd 0A84DD108h, 0
		dd 0DEBE5D19h, 0
		dd 0F310D916h, 0
		dd 3359453Bh, 0
		dd 1EF7C134h, 0
		dd 68044D25h, 0
		dd 45AAC92Ah, 0
		dd 3C4BAE9Ch, 0
		dd 11E52A93h, 0
		dd 6716A682h, 0
		dd 4AB8228Dh, 0
		dd 8AF1BEA0h, 0
		dd 0A75F3AAFh, 0
		dd 0D1ACB6BEh, 0
		dd 0FC0232B1h, 0
		dd 54D3F815h, 0
		dd 797D7C1Ah, 0
		dd 0F8EF00Bh, 0
		dd 22207404h, 0
		dd 0E269E829h, 0
		dd 0CFC76C26h, 0
		dd 0B934E037h, 0
		dd 949A6438h, 0
		dd 95EC5EB6h, 0
		dd 0B842DAB9h, 0
		dd 0CEB156A8h, 0
		dd 0E31FD2A7h, 0
		dd 23564E8Ah, 0
		dd 0EF8CA85h, 0
		dd 780B4694h, 0
; 
		wait
		retn	55A5h
; 
		align 8
		dd 0FD74083Fh, 0
		dd 0D0DA8C30h, 0
		dd 0A6290021h, 0
		dd 8B87842Eh, 0
		dd 4BCE1803h, 0
		dd 66609C0Ch, 0
		dd 1093101Dh, 0
		dd 3D3D9412h, 0
		dd 44DCF3A4h, 0
		dd 697277ABh, 0
		dd 1F81FBBAh, 0
		dd 322F7FB5h, 0
		dd 0F266E398h, 0
		dd 0DFC86797h, 0
		dd 0A93BEB86h, 0
		dd 84956F89h, 0
		dd 2C44A52Dh, 0
		dd 1EA2122h, 0
		dd 7719AD33h, 0
		dd 5AB7293Ch, 0
		dd 9AFEB511h, 0
		dd 0B750311Eh, 0
		dd 0C1A3BD0Fh, 0
		dd 0EC0D3900h, 0
aCra2		db 'cra2',0
		align 10h
		dd 1FCFF66Ch, 0
		dd 693C7A7Dh, 0
		dd 4492FE72h, 0
		dd 84DB625Fh, 0
		dd 0A975E650h, 0
		dd 0DF866A41h, 0
		dd 0F228EE4Eh, 0
		dd 5AF924EAh, 0
		dd 7757A0E5h, 0
		dd 1A42CF4h, 0
		dd 2C0AA8FBh, 0
		dd 0EC4334D6h, 0
		dd 0C1EDB0D9h, 0
		dd 0B71E3CC8h, 0
		dd 9AB0B8C7h, 0
		dd 0E351DF71h, 0
		dd 0CEFF5B7Eh, 0
		dd 0B80CD76Fh, 0
; 
		pusha
		push	ebx
		mov	large ds:95h, al
		add	[ebp-31h], cl
		jmp	short loc_42A141
; 
		align 10h
aBkex		db 'BKEx',0
		align 4
		dd 0EB6C753h, 0
		dd 2318435Ch, 0
		dd 8BC989F8h, 0
		dd 0A6670DF7h, 0
		dd 0D09481E6h, 0
		dd 0FD3A05E9h, 0
		dd 3D7399C4h, 0
; 
		retf
; 
		db 1Dh,	0DDh, 10h
		align 8
		dd 662E91DAh, 0
		db 0D5h
; 

loc_42A141:				; CODE XREF: .text:0042A0EAj
		adc	eax, 4B80h
; 
		dw 0
		dd 0DF1A71EDh, 0
		dd 0F2B4F5E2h, 0
		dd 844779F3h, 0
; 
		cld
		std
		jmp	loc_42A210
; 
		align 4
		dd 69A061D1h, 0
		dd 440EE5DEh, 0
		dd 32FD69CFh, 0
		dd 1F53EDC0h, 0
		dd 0B7822764h, 0
		dd 9A2CA36Bh, 0
		dd 0ECDF2F7Ah, 0
		dd 0C171AB75h, 0
		dd 1383758h, 0
		dd 2C96B357h, 0
		dd 5A653F46h, 0
		dd 77CBBB49h, 0
		dd 0E2ADCFFh, 0
		dd 238458F0h, 0
		dd 5577D4E1h, 0
		dd 78D950EEh, 0
; 
		retn
; 
		db 0CCh, 90h, 0B8h
		dd 0
		dd 953E48CCh, 0
		dd 0E3CDC4DDh, 0
		dd 0CE6340D2h, 0
		dd 66B28A76h, 0
; 

loc_42A210:				; CODE XREF: .text:0042A162j
		jns	short loc_42A220
		sbb	al, 4Bh
; 
		dd 0
		dd 3DEF8268h, 0
; 

loc_42A220:				; CODE XREF: .text:loc_42A210j
		db	67h
		push	es
		inc	ecx
		adc	[eax], al
; 
		db 3 dup(0)
		dd 0D0089A4Ah, 0
		dd 0FDA61E45h, 0
		dd 8B559254h, 0
		dd 0A6FB165Bh, 0
		dd 78975D38h, 0
		dd 5539D937h, 0
		dd 23CA5526h, 0
		dd 0E64D129h, 0
		dd 0CE2D4D04h, 0
		dd 0E383C90Bh, 0
		dd 9570451Ah, 0
		dd 0B8DEC115h, 0
		dd 100F0BB1h, 0
		dd 3DA18FBEh, 0
		dd 4B5203AFh, 0
		dd 66FC87A0h, 0
		dd 0A6B51B8Dh, 0
		dd 8B1B9F82h, 0
		dd 0FDE81393h, 0
		dd 0D046979Ch, 0
		dd 0A9A7F02Ah, 0
		dd 84097425h, 0
		dd 0F2FAF834h, 0
		dd 0DF547C3Bh, 0
		dd 1F1DE016h, 0
		dd 32B36419h, 0
		dd 4440E808h, 0
		dd 69EE6C07h, 0
		dd 0C13FA6A3h, 0
		dd 0EC9122ACh, 0
		dd 9A62AEBDh, 0
		dd 0B7CC2AB2h, 0
		dd 7785B69Fh, 0
		dd 5A2B3290h, 0
		dd 2CD8BE81h, 0
		dd 1763A8Eh, 3 dup(0)
		dd 5E3E92A0h, 0
		dd 0BC7D2540h, 0
		dd 0E243B7E0h, 0
		dd 7D163C71h, 0
		dd 2328AED1h, 0
		dd 0C16B1931h, 0
		dd 9F558B91h, 0
		dd 0FA2C78E2h, 0
		dd 0A412EA42h, 0
		dd 46515DA2h, 0
		dd 186FCF02h, 0
		dd 873A4493h, 0
		dd 0D904D633h, 0
		dd 3B4761D3h, 0
		dd 6579F373h, 0
		dd 0F1B48735h, 0
		dd 0AF8A1595h, 0
		dd 4DC9A275h, 0
		dd 13F730D5h, 0
		dd 8CA2BB44h, 0
		dd 0D29C29E4h, 0
		dd 30DF9E04h, 0
		dd 6EE10CA4h, 0
		dd 0B98FFD7h, 0
		dd 55A66D77h, 0
		dd 0B7E5DA97h, 0
		dd 0E9DB4837h, 0
; 
		cmpsb
		retn
; 
		dw 768Eh
		align 10h
		dd 28B05106h, 0
		dd 0CAF3E6E6h, 0
		dd 94CD7446h, 0
		dd 0E685789Bh, 0
		dd 0B8BBEA3Bh, 0
		dd 5AF85DDBh, 0
		dd 4C6CF7Bh, 0
		dd 9B9344EAh, 0
		dd 0C5ADD64Ah, 0
		dd 27EE61AAh, 0
		dd 79D0F30Ah, 0
		dd 1CA90079h, 0
		dd 429792D9h, 0
		dd 0A0D42539h, 0
		dd 0FEEAB799h, 0
		dd 61BF3C08h, 0
		dd 3F81AEA8h, 0
		dd 0DDC21948h, 0
		dd 83FC8BE8h, 0
		dd 1731FFAEh, 0
		dd 490F6D0Eh, 0
		dd 0AB4CDAEEh, 0
		dd 0F572484Eh, 0
		dd 6A27C3DFh, 0
		dd 3419517Fh, 0
		dd 0D65AE69Fh, 0
		dd 8864743Fh, 0
		dd 0ED1D874Ch, 0
		dd 0B32315ECh, 0
		dd 5160A20Ch, 0
		dd 0F5E30ACh, 0
		dd 900BBB3Dh, 0
		dd 0CE35299Dh, 0
		dd 2C769E7Dh, 0
		dd 72480CDDh, 0
		dd 0C8E687C7h, 0
		dd 96D81567h, 0
		dd 749BA287h, 0
		dd 2AA53027h, 0
		dd 0B5F0BBB6h, 0
		dd 0EBCE2916h, 0
		dd 98D9EF6h, 0
		dd 57B30C56h, 0
		dd 32CAFF25h, 0
		dd 6CF46D85h, 0
		dd 8EB7DA65h, 0
		dd 0D08948C5h, 0
; 
		push	esp
		retn
; 
		dw 4FDCh
		align 10h
		dd 11E251F4h, 0
		dd 0F3A1E614h, 0
		dd 0AD9F74B4h, 0
		dd 395200F2h, 0
		dd 676C9252h, 0
		dd 852F25B2h, 0
		dd 0DB11B712h, 0
		dd 44443C83h, 0
		dd 1A7AAE23h, 0
; 
		retn
; 
		db 19h,	39h, 0F8h
		align 10h
		dd 0A6078B63h, 0
; 
		adc	[eax+7Eh], bh
		retn
; 
		align 10h
		dd 9D40EAB0h, 0
		dd 7F035D50h, 0
		dd 213DCFF0h, 0
		dd 0BE684461h, 0
		dd 0E056D6C1h, 0
		dd 2156121h, 0
		dd 5C2BF381h, 0
; 
		pop	esp
		jmp	dword ptr [ebx+2Eh]
; 
		dd 0
		dd 705D6DFCh, 0
		dd 921EDA1Ch, 0
		dd 0CC2048BCh, 0
		dd 5375C32Dh, 0
		dd 0D4B518Dh, 0
		dd 0EF08E66Dh, 0
		dd 0B13674CDh, 0
		dd 0D44F87BEh, 0
		dd 8A71151Eh, 0
		dd 6832A2FEh, 0
		dd 360C305Eh, 0
		dd 0A959BBCFh, 0
		dd 0F767296Fh, 0
		dd 15249E8Fh, 0
		dd 4B1A0C2Fh, 0
		dd 0DFD77869h, 0
		dd 81E9EAC9h, 0
		dd 63AA5D29h, 0
		dd 3D94CF89h, 0
		dd 0A2C14418h, 0
		dd 0FCFFD6B8h, 0
		dd 1EBC6158h, 0
		dd 4082F3F8h, 0
		dd 25FB008Bh, 0
		dd 7BC5922Bh, 0
; 
		retf
; 
		db 25h,	86h, 99h
		align 10h
		dd 0C7B8B76Bh, 0
		dd 58ED3CFAh, 0
		dd 6D3AE5Ah, 0
		dd 0E49019BAh, 0
		dd 0BAAE8B1Ah, 0
; 
		jg	short loc_42A7C3
		and	[eax+eax-21000000h], edx
		jmp	short loc_42A772
; 
		retf	0
; 
		align 4
		dd 285C5C3Fh, 0
		dd 7662CE9Fh, 0
; 
		push	cs
		inc	ebp
		aaa
		jmp	$+5
		scasb
		xlat

loc_42A772:				; CODE XREF: .text:0042A751j
		or	[edi+0], esi
		dec	esi
		pusha
		dec	edx
		push	ebp
; 
		dd 0
		dd 0B74F2EEh, 0
		dd 6E0D019Dh, 0
		dd 3033933Dh, 0
		dd 0D27024DDh, 0
		dd 8C4EB67Dh, 0
		dd 131B3DECh, 0
		dd 4D25AF4Ch, 0
		dd 0AF6618ACh, 0
; 
		or	al, 8Ah
		pop	eax

loc_42A7C3:				; CODE XREF: .text:0042A748j
		icebp
; 
		dd 0
		dd 6595FE4Ah, 0
		dd 3BAB6CEAh, 0
		dd 0D9E8DB0Ah, 0
		dd 87D649AAh, 0
		dd 1883C23Bh, 0
		dd 46BD509Bh, 0
		dd 0A4FEE77Bh, 0
		dd 0FAC075DBh, 0
		dd 9FB986A8h, 0
		dd 0C1871408h, 0
		dd 23C4A3E8h, 0
		dd 7DFA3148h, 0
		dd 0E2AFBAD9h, 0
		dd 0BC912879h, 0
		dd 5ED29F99h, 0
		dd 0EC0D39h, 0
		dd 72A401E4h, 0
		dd 2C9A9344h, 0
		dd 0CED924A4h, 0
		dd 90E7B604h, 0
		dd 0FB23D95h, 0
		dd 518CAF35h, 0
		dd 0B3CF18D5h, 0
		dd 0EDF18A75h, 0
		dd 88887906h, 0
		dd 0D6B6EBA6h, 0
		dd 34F55C46h, 0
		dd 6ACBCEE6h, 0
		dd 0F59E4577h, 0
		dd 0ABA0D7D7h, 0
		dd 49E36037h, 0
		dd 17DDF297h, 0
		dd 831086D1h, 0
		dd 0DD2E1471h, 0
		dd 3F6DA391h, 0
a11sa		db '11Sa',0
		align 4
		dd 0FE06BAA0h, 0
		dd 0A0382800h, 0
		dd 427B9FE0h, 0
		dd 1C450D40h, 0
		dd 793CFE33h, 0
		dd 27026C93h, 0
		dd 0C541DB73h, 0
		dd 9B7F49D3h, 0
; 
		inc	edx
		retn	42Ah
; 
		align 10h
		dd 5A1450E2h, 0
		dd 0B857E702h, 0
		dd 0E66975A2h, 0
		dd 5CC7FEB8h, 0
		dd 2F96C18h, 0
; 
		clc
		fstp	tbyte ptr [edx+0E0h]
		add	[eax+49h], bl
		test	[esi+0], bh
		leave
		retn	21D1h
; 
		align 10h
		dd 7FEF5069h, 0
		dd 9DACE789h, 0
; 
		sub	[ebp-6Eh], esi
		retn
; 
		align 8
		dd 0A6EB865Ah, 0
		dd 0F8D514FAh, 0
		dd 1A96A31Ah, 0
		dd 44A831BAh, 0
		dd 0DBFDBA2Bh, 0
; 
		mov	ebp, [eax]
		retn
; 
		db 85h
		align 8
		dd 67809F6Bh, 0
; 
		retf
; 
		db 0Dh,	0BEh, 39h
		align 8
		dd 0AD73798Dh, 0
		dd 0F34DEB2Dh, 0
		dd 110E5CCDh, 0
		dd 4F30CE6Dh, 0
		dd 0D06545FCh, 0
		dd 8E5BD75Ch, 0
		dd 6C1860BCh, 0
		dd 3226F21Ch, 0
		dd 575F016Fh, 0
		dd 96193CFh, 0
		dd 0EB22242Fh, 0
		dd 0B51CB68Fh, 0
		dd 2A493D1Eh, 0
		dd 7477AFBEh, 0
		dd 9634185Eh, 0
		dd 0C80A8AFEh, 0
		dd 0BA428623h, 0
		dd 0E47C1483h, 0
		dd 63FA363h, 0
; 
		retn
; 
		dd offset loc_580130+1
		align 4
		dd 0C754BA52h, 0
		dd 996A28F2h, 0
		dd 7B299F12h, 0
		dd 25170DB2h, 0
		dd 406EFEC1h, 0
		dd 1E506C61h, 0
		dd 0FC13DB81h, 0
		dd 0A22D4921h, 0
		dd 3D78C2B0h, 0
		dd 63465010h, 0
		dd 8105E7F0h, 0
		dd 0DF3B7550h, 0
		dd 4BF60116h, 0
		dd 15C893B6h, 0
		dd 0F78B2456h, 0
		dd 0A9B5B6F6h, 0
		dd 36E03D67h, 0
		dd 68DEAFC7h, 0
		dd 8A9D1827h, 0
		dd 0D4A38A87h, 0
		dd 0B1DA79F4h, 0
		dd 0EFE4EB54h, 0
		dd 0DA75CB4h, 0
		dd 5399CE14h, 0
		dd 0CCCC4585h, 0
		dd 92F2D725h, 0
		dd 70B160C5h, 0
		dd 2E8FF265h, 3	dup(0)
		dd 0A2158B34h, 0
		dd 41C76099h, 0
		dd 0E3D2EBADh, 0
		dd 838EC132h, 0
		dd 219B4A06h, 0
		dd 0C249A1ABh, 0
		dd 605C2A9Fh, 0
		dd 2F1F495h, 0
		dd 0A0E47FA1h, 0
		dd 4336940Ch, 0
		dd 0E1231F38h, 0
		dd 817F35A7h, 0
		dd 236ABE93h, 0
		dd 0C0B8553Eh, 0
		dd 62ADDE0Ah, 0
		dd 5E3E92Ah, 0
		dd 0A7F6621Eh, 0
		dd 442489B3h, 0
		dd 0E6310287h, 0
		dd 866D2818h, 0
		dd 2478A32Ch, 0
		dd 0C7AA4881h, 0
		dd 65BFC3B5h, 0
		dd 7121DBFh, 0
		dd 0A507968Bh, 0
		dd 46D57D26h, 0
		dd 0E4C0F612h, 0
		dd 849CDC8Dh, 0
		dd 268957B9h, 0
		dd 0C55BBC14h, 0
		dd 674E3720h, 0
		dd 0BC7D254h, 0
		dd 0A9D25960h, 0
		dd 4A00B2CDh, 0
		dd 0E81539F9h, 0
		dd 88491366h, 0
		dd 2A5C9852h, 0
		dd 0C98E73FFh, 0
; 
		retf
; 
		db 0F8h, 9Bh, 6Bh
		align 8
		dd 93626C1h, 0
		dd 0AB23ADF5h, 0
		dd 48F14658h, 0
		dd 0EAE4CD6Ch, 0
		dd 8AB8E7F3h, 0
		dd 28AD6CC7h, 0
		dd 0CB7F876Ah, 0
		dd 696A0C5Eh, 0
		dd 0E243B7Eh, 0
		dd 0AC31B04Ah, 0
		dd 4FE35BE7h, 0
		dd 0EDF6D0D3h, 0
		dd 8DAAFA4Ch, 0
		dd 2FBF7178h, 0
		dd 0CC6D9AD5h, 0
		dd 6E7811E1h, 0
		dd 0CD5CFEBh, 0
		dd 0AEC044DFh, 0
		dd 4D12AF72h, 0
		dd 0EF072446h, 0
		dd 8F5B0ED9h, 0
		dd 2D4E85EDh, 0
		dd 0CE9C6E40h, 0
		dd 6C89E574h, 0
		dd 178FA4A8h, 0
		dd 0B59A2F9Ch, 0
		dd 5648C431h, 0
		dd 0F45D4F05h, 0
		dd 9401659Ah, 0
		dd 3614EEAEh, 0
		dd 0D5C60503h, 0
		dd 77D38E37h, 0
		dd 157E503Dh, 0
		dd 0B76BDB09h, 0
		dd 54B930A4h, 0
		dd 0F6ACBB90h, 0
		dd 96F0910Fh, 0
		dd 34E51A3Bh, 0
		dd 0D737F196h, 0
		dd 75227AA2h, 0
		dd 126C4D82h, 0
		dd 0B079C6B6h, 0
		dd 53AB2D1Bh, 0
		dd 0F1BEA62Fh, 0
		dd 91E28CB0h, 0
		dd 33F70784h, 0
		dd 0D025EC29h, 0
		dd 7230671Dh, 0
		dd 109DB917h, 0
		dd 0B2883223h, 0
		dd 515AD98Eh, 0
		dd 0F34F52BAh, 0
		dd 93137825h, 0
		dd 3106F311h, 0
		dd 0D2D418BCh, 0
		dd 70C19388h, 0
		dd 1C4876FCh, 0
		dd 0BE5DFDC8h, 0
		dd 5D8F1665h, 0
		dd 0FF9A9D51h, 0
		dd 9FC6B7CEh, 0
		dd 3DD33CFAh, 0
		dd 0DE01D757h, 0
		dd 7C145C63h, 0
		dd 1EB98269h, 0
		dd 0BCAC095Dh, 0
		dd 5F7EE2F0h, 0
		dd 0FD6B69C4h, 0
		dd 9D37435Bh, 0
		dd 3F22C86Fh, 0
; 
		retn	0F023h
; 
		db 0DCh
		align 10h
		dd 7EE5A8F6h, 0
		dd 19AB9FD6h, 0
		dd 0BBBE14E2h, 0
; 
		dec	edi
		jmp	fword ptr [eax+ebx*2+0]
; 
		align 10h
		dd 0FA79747Bh, 0
		dd 9A255EE4h, 0
		dd 3830D5D0h, 0
		dd 0DBE23E7Dh, 0
		dd 79F7B549h, 0
		dd 1B5A6B43h, 0
		dd 0B94FE077h, 0
		dd 5A9D0BDAh, 0
		dd 0F88880EEh, 0
		dd 98D4AA71h, 0
		dd 3AC12145h, 0
		dd 0D913CAE8h, 0
		dd 7B0641DCh, 0
		dd 2F1F4950h, 0
		dd 8D0AC264h, 0
		dd 6ED829C9h, 0
		dd 0CCCDA2FDh, 0
		dd 0AC918862h, 0
		dd 0E840356h, 0
		dd 0ED56E8FBh, 0
		dd 4F4363CFh, 0
		dd 2DEEBDC5h, 0
		dd 8FFB36F1h, 0
		dd 6C29DD5Ch, 0
		dd 0CE3C5668h, 0
		dd 0AE607CF7h, 0
; 
		retn
; 
		db 0F7h, 75h, 0Ch
		align 8
		dd 0EFA71C6Eh, 0
		dd 4DB2975Ah, 0
		dd 2AFCA07Ah, 0
		dd 88E92B4Eh, 0
		dd 6B3BC0E3h, 0
		dd 0C92E4BD7h, 0
		dd 0A9726148h, 0
		dd 0B67EA7Ch, 0
		dd 0E8B501D1h, 0
		dd 4AA08AE5h, 0
		dd 280D54EFh, 0
; 
		fcmovnu	st, st(7)
		sbb	[edx+0], cl
		jbe	short near ptr word_42B04E
		retf	69h
; 
		align 10h
		dd 0CBDFBF42h, 0
		dd 0AB8395DDh, 0
; 
		jmp	loc_4C4653
; 
		align 4
		dd 0EA44F544h, 0
		dd 48517E70h, 0
		dd 24D89B04h
		db 2 dup(0)
word_42B04E	dw 0			; CODE XREF: .text:0042B018j
		dd 86CD1030h, 0
		dd 651FFB9Dh, 0
		dd 0C70A70A9h, 0
		dd 0A7565A36h, 0
		dd 543D102h, 0
		dd 0E6913AAFh, 0
		dd 4484B19Bh, 0
		dd 26296F91h, 0
		dd 843CE4A5h, 0
		dd 67EE0F08h, 0
		dd 0C5FB843Ch, 0
		dd 0A5A7AEA3h, 0
		dd 7B22597h, 0
		dd 0E460CE3Ah, 0
		dd 4675450Eh, 0
		dd 213B722Eh, 0
		dd 832EF91Ah, 0
		dd 60FC12B7h, 0
		dd 0C2E99983h, 0
		dd 0A2B5B31Ch, 0
		dd 0A03828h, 0
		dd 0E372D385h, 0
		dd 416758B1h, 0
		dd 23CA86BBh, 0
		dd 81DF0D8Fh, 0
		dd 620DE622h, 0
		dd 0C0186D16h, 0
		dd 0A0444789h, 0
		dd 251CCBDh, 0
		dd 0E1832710h, 0
		dd 4396AC24h, 0
		dd 3890EDF8h, 0
		dd 9A8566CCh, 0
		dd 79578D61h, 0
		dd 0DB420655h, 0
; 
		retf	1E2Ch
; 
		db 0BBh
		align 10h
		dd 190BA7FEh, 0
		dd 0FAD94C53h, 0
		dd 58CCC767h, 0
		dd 3A61196Dh, 0
		dd 98749259h, 0
		dd 7BA679F4h, 0
		dd 0D9B3F2C0h, 0
		dd 0B9EFD85Fh, 0
		dd 1BFA536Bh, 0
		dd 0F828B8C6h, 0
		dd 5A3D33F2h, 0
		dd 3D7304D2h, 0
		dd 9F668FE6h, 0
		dd 7CB4644Bh, 0
		dd 0DEA1EF7Fh, 0
		dd 0BEFDC5E0h, 0
		dd 1CE84ED4h, 0
		dd 0FF3AA579h, 0
		dd 5D2F2E4Dh, 0
		dd 3F82F047h, 0
		dd 9D977B73h, 0
		dd 7E4590DEh, 0
		dd 0DC501BEAh, 0
		dd 0BC0C3175h, 0
		dd 1E19BA41h, 0
		dd 0FDCB51ECh, 0
		dd 5FDEDAD8h, 0
		dd 33573FACh, 0
		dd 9142B498h, 0
		dd 72905F35h, 0
		dd 0D085D401h, 0
		dd 0B0D9FE9Eh, 0
		dd 12CC75AAh, 0
		dd 0F11E9E07h, 0
		dd 530B1533h, 0
		dd 31A6CB39h, 0
		dd 93B3400Dh, 0
		dd 7061ABA0h, 0
		dd 0D2742094h, 0
		dd 0B2280A0Bh, 0
		dd 103D813Fh, 0
		dd 0F3EF6A92h, 0
		dd 51FAE1A6h, 0
		dd 36B4D686h, 0
		dd 94A15DB2h, 0
		dd 7773B61Fh, 0
		dd 0D5663D2Bh, 0
		dd 0B53A17B4h, 0
		dd 172F9C80h, 0
		dd 0F4FD772Dh, 0
		dd 56E8FC19h, 0
		dd 34452213h, 0
		dd 9650A927h, 0
		dd 7582428Ah, 0
		dd 0D797C9BEh, 0
; 
		and	ebx, esp
		retf
; 
		db 0B7h
		align 10h
		dd 15DE6815h, 0
		dd 0F60C83B8h, 0
		dd 5419088Ch, 3	dup(0)
		dd 0F7DBCB25h, 0
		dd 0EA5BE0BBh, 0
		dd 1D802B9Eh, 0
		dd 0D15BB787h, 0
		dd 26807CA2h, 0
		dd 3B00573Ch, 0
		dd 0CCDB9C19h, 0
		dd 0A75B19FFh, 0
		dd 5080D2DAh, 0
		dd 4D00F944h, 0
		dd 0BADB3261h, 0
		dd 7600AE78h, 0
; 
		pop	ebp
		fild	dword ptr gs:[ecx+0]
		retn
; 
		db 4Eh,	5Bh, 9Ch
		align 10h
		dd 6B8085E6h, 0
		dd 4B5A450Fh, 0
		dd 0BC818E2Ah, 0
		dd 0A101A5B4h, 0
		dd 56DA6E91h, 0
		dd 9A01F288h, 0
		dd 6DDA39ADh, 0
		dd 705A1233h, 0
		dd 8781D916h, 0
		dd 0EC015CF0h, 0
		dd 1BDA97D5h, 0
		dd 65ABC4Bh, 0
		dd 0F181776Eh, 0
		dd 3D5AEB77h, 0
		dd 0CA812052h, 0
		dd 0D7010BCCh, 0
; 
		jmp	loc_638F05
; 
		align 4
		dd 96B48A1Eh, 0
		dd 616F413Bh, 0
		dd 7CEF6AA5h, 0
		dd 8B34A180h, 0
		dd 47EF3D99h, 0
		dd 0B034F6BCh, 0
		dd 0ADB4DD22h, 0
		dd 5A6F1607h, 0
		dd 31EF93E1h, 0
		dd 0C63458C4h, 0
		dd 0DBB4735Ah, 0
		dd 2C6FB87Fh, 0
		dd 0E0B42466h, 0
		dd 176FEF43h, 0
		dd 0AEFC4DDh, 0
		dd 0FD340FF8h, 0
		dd 0DDEECF11h, 0
		dd 2A350434h, 0
		dd 37B52FAAh, 0
		dd 0C06EE48Fh, 0
		dd 0CB57896h, 0
		dd 0FB6EB3B3h, 0
		dd 0E6EE982Dh, 0
		dd 11355308h, 0
		dd 7AB5D6EEh, 0
; 
		retf
; 
		db 1Dh,	6Eh, 8Dh
		align 8
		dd 90EE3655h, 0
		dd 6735FD70h, 0
		dd 0ABEE6169h, 0
		dd 5C35AA4Ch, 0
		dd 41B581D2h, 0
		dd 0B66E4AF7h, 0
		dd 288562CDh, 0
		dd 0DF5EA9E8h, 0
		dd 0C2DE8276h, 0
		dd 35054953h, 0
		dd 0F9DED54Ah, 0
		dd 0E051E6Fh, 0
		dd 138535F1h, 0
		dd 0E45EFED4h, 0
		dd 8FDE7B32h, 0
		dd 7805B017h, 0
		dd 65859B89h, 0
		dd 925E50ACh, 0
		dd 5E85CCB5h, 0
		dd 0A95E0790h, 0
		dd 0B4DE2C0Eh, 0
		dd 4305E72Bh, 0
; 
		retn	0DF27h
; 
		db 63h
		align 10h
		dd 9404ECE7h, 0
		dd 8984C779h, 0
		dd 7E5F0C5Ch, 0
		dd 0B2849045h, 0
		dd 455F5B60h, 0
		dd 58DF70FEh, 0
		dd 0AF04BBDBh, 0
		dd 0C4843E3Dh, 0
		dd 335FF518h, 0
		dd 2EDFDE86h, 0
		dd 0D90415A3h, 0
		dd 15DF89BAh, 0
		dd 0E204429Fh, 0
		dd 0FF846901h, 0
		dd 85FA224h, 0
		dd 0BE31E8D3h, 0
		dd 49EA23F6h, 0
		dd 546A0868h, 0
; 
		dec	ebp
		retn
; 
		dw 0A3B1h
		align 8
aT_jo		db 'T_jo',0
		align 10h
aQfS		db 'q',0
		align 4
aQ1e		db '1',0
		align 10h
		retf	0EA74h
; 
		db 72h
		align 8
		dd 196AF12Ch, 0
		dd 0EEB13A09h, 0
		dd 0F3311197h, 0
		dd 4EADAB2h, 0
		dd 0C83146ABh, 0
		dd 3FEA8D8Eh, 0
		dd 226AA610h, 0
		dd 0D5B16D35h, 0
		dd 0F56BADDCh, 0
		dd 2B066F9h, 0
		dd 1F304D67h, 0
		dd 0E8EB8642h, 0
		dd 24301A5Bh, 0
		dd 0D3EBD17Eh, 0
		dd 0CE6BFAE0h, 0
		dd 39B031C5h, 0
		dd 5230B423h, 0
		dd 0A5EB7F06h, 0
		dd 0B86B5498h, 0
		dd 4FB09FBDh, 0
		dd 836B03A4h, 0
		dd 74B0C881h, 0
		dd 6930E31Fh, 0
		dd 9EEB283Ah, 0
		dd 510AC59Ah, 0
		dd 0A6D10EBFh, 0
		dd 0BB512521h, 0
		dd 4C8AEE04h, 0
		dd 8051721Dh, 0
		dd 778AB938h, 0
		dd 6A0A92A6h, 0
		dd 9DD15983h, 0
		dd 0F651DC65h, 0
		dd 18A1740h, 0
		dd 1C0A3CDEh, 0
		dd 0EBD1F7FBh, 0
		dd 270A6BE2h, 0
		dd 0D0D1A0C7h, 0
		dd 0CD518B59h, 0
		dd 3A8A407Ch, 0
		dd 1A508095h, 0
		dd 0ED8B4BB0h, 0
		dd 0F00B602Eh, 0
		dd 7D0AB0Bh, 0
		dd 0CB0B3712h, 0
		dd 3CD0FC37h, 0
		dd 2150D7A9h, 0
		dd 0D68B1C8Ch, 0
		dd 0BD0B996Ah, 0
		dd 4AD0524Fh, 0
		dd 575079D1h, 0
		dd 0A08BB2F4h, 0
		dd 6C502EEDh, 0
		dd 9B8BE5C8h, 0
		dd 860BCE56h, 0
		dd 71D00573h, 0
		dd 0C7BE4F84h, 0
		dd 306584A1h, 0
		dd 2DE5AF3Fh, 0
		dd 0DA3E641Ah, 0
		dd 16E5F803h, 0
		dd 0E13E3326h, 0
		dd 0FCBE18B8h, 0
		dd 0B65D39Dh, 0
		dd 60E5567Bh, 0
		dd 973E9D5Eh, 0
		dd 8ABEB6C0h, 0
		dd 7D657DE5h, 0
		dd 0B1BEE1FCh, 0
		dd 46652AD9h, 0
		dd 5BE50147h, 0
		dd 0AC3ECA62h, 0
		dd 8CE40A8Bh, 0
		dd 7B3FC1AEh, 0
		dd 66BFEA30h, 0
		dd 91642115h, 0
		dd 5DBFBD0Ch, 0
		dd 0AA647629h, 0
		dd 0B7E45DB7h, 0
		dd 403F9692h, 0
		dd 2BBF1374h, 0
		dd 0DC64D851h, 0
		dd 0C1E4F3CFh, 0
		dd 363F38EAh, 0
		dd 0FAE4A4F3h, 0
		dd 0D3F6FD6h, 0
		dd 10BF4448h, 0
		dd 0E7648F6Dh, 0
		dd 798FA757h, 0
		dd 8E546C72h, 0
		dd 93D447ECh, 0
		dd 640F8CC9h, 0
		dd 0A8D410D0h, 0
		dd 5F0FDBF5h, 0
		dd 428FF06Bh, 0
		dd 0B5543B4Eh, 0
		dd 0DED4BEA8h, 0
		dd 290F758Dh, 0
		dd 348F5E13h, 0
		dd 0C3549536h, 0
; 
		das
		or	[edi+0Fh], ecx
		add	[edx], cl
		retn	0F854h
; 
		align 8
		dd 0E5D4E994h, 0
		dd 120F22B1h, 0
		dd 32D5E258h, 0
		dd 0C50E297Dh, 0
		dd 0D88E02E3h, 0
		dd 2F55C9C6h, 0
		dd 0E38E55DFh, 0
		dd 14559EFAh, 0
		dd 9D5B564h, 0
		dd 0FE0E7E41h, 0
		dd 958EFBA7h, 0
		dd 62553082h, 0
		dd 7FD51B1Ch, 0
		dd 880ED039h, 0
		dd 44D54C20h, 0
		dd 0B30E8705h, 0
		dd 0AE8EAC9Bh, 0
		dd 595567BEh, 0
		dd 0EF3B2D49h, 0
		dd 18E0E66Ch, 0
		dd 560CDF2h, 0
		dd 0F2BB06D7h, 0
		dd 3E609ACEh, 0
; 
		jmp	short loc_42BAC3
; 
		dw 0C9BBh
		align 8
		dd 0D43B7A75h, 0
		dd 23E0B150h, 0
		dd 486034B6h, 0
		dd 0BFBBFF93h, 0
		dd 0A23BD40Dh, 0
		dd 55E01F28h, 0
		dd 993B8331h, 0
		dd 6EE04814h, 0
		dd 7360638Ah, 0
; 
		scasd
		test	al, 0BBh

loc_42BAC3:				; CODE XREF: .text:0042BA70j
		test	[eax], al
; 
		db 3 dup(0)
		dd 0A4616846h, 0
		dd 53BAA363h, 0
		dd 4E3A88FDh, 0
		dd 0B9E143D8h, 0
		dd 753ADFC1h, 0
		dd 82E114E4h, 0
		dd 9F613F7Ah, 0
		dd 68BAF45Fh, 0
		dd 33A71B9h, 0
		dd 0F4E1BA9Ch, 0
		dd 0E9619102h, 0
		dd 1EBA5A27h, 0
		dd 0D261C63Eh, 0
		dd 25BA0D1Bh, 0
		dd 383A2685h, 0
		dd 0CFE1EDA0h, 3 dup(0)
		dd 15BB4109h, 0
		dd 2B768212h, 0
		dd 3ECDC31Bh, 0
		dd 56ED0424h, 0
		dd 4356452Dh, 0
; 
		xchg	bl, ss:[ebx+7Dh]
		add	[edi], bh
		mov	dword ptr [eax], 68h
		add	[eax+8], cl
		fisubr	dword ptr [ebp+0]
		inc	ecx
		dec	ecx
		popa
		mov	eax, 0
		pop	edx
		mov	ch, [esi+eax*4+0]
		push	ebx
		retf
; 
		dw 9317h
		align 8
		dd 0FB370C6Ch, 0
		dd 0EE8C4D65h, 0
		dd 0D0418E7Eh, 0
		dd 0C5FACF77h, 0
		dd 5E586661h, 0
		dd 4BE32768h, 0
		dd 752EE473h, 0
		dd 6095A57Ah, 0
		dd 8B56245h, 0
		dd 1D0E234Ch, 0
		dd 23C3E057h, 0
		dd 3678A15Eh, 0
		dd 0F3826E29h, 0
		dd 0E6392F20h, 0
		dd 0D8F4EC3Bh, 0
		dd 0CD4FAD32h, 0
		dd 0A56F6A0Dh, 0
		dd 0B0D42B04h, 0
		dd 8E19E81Fh, 0
		dd 9BA2A916h, 0
; 
		retn	0B0CCh
; 
		mov	esp, 0
		retf
; 
		db 8Dh,	0Bh, 0A9h
		align 8
		dd 97C64ED0h, 0
		dd 827D0FD9h, 0
		dd 0EA5DC8E6h, 0
		dd 0FFE689EFh, 0
		dd 0C12B4AF4h, 0
		dd 0D4900BFDh, 0
		dd 116AC48Ah, 0
		dd 4D18583h, 0
		dd 3A1C4698h, 0
		dd 2FA70791h, 0
		dd 4787C0AEh, 0
		dd 523C81A7h, 0
		dd 6CF142BCh, 0
		dd 794A03B5h, 0
		dd 0E2E8AAA3h, 0
; 
		stosb
		jmp	short near ptr word_42BD26
; 
		db 0F7h
		align 8
		dd 0C99E28B1h, 0
		dd 0DC2569B8h, 0
		dd 0B405AE87h, 0
		dd 0A1BEEF8Eh, 0
		dd 9F732C95h, 0
		dd 8AC86D9Ch, 0
		dd 4F32A2EBh, 0
		dd 5A89E3E2h, 0
		dd 644420F9h, 0
		dd 71FF61F0h
		db 2 dup(0)
word_42BD26	dw 0			; CODE XREF: .text:0042BCD1j
		dd 19DFA6CFh, 0
		dd 0C64E7C6h, 0
		dd 32A924DDh, 0
		dd 271265D4h, 0
		dd 7C8DEF75h, 0
		dd 6936AE7Ch, 0
		dd 57FB6D67h, 0
		dd 42402C6Eh, 0
; 
		push	ecx
		jmp	short loc_42BDCB
; 
		db 2Ah
		align 10h
		dd 3FDBAA58h, 0
		dd 1166943h, 0
		dd 14AD284Ah, 0
		dd 0D157E73Dh, 0
		dd 0C4ECA634h, 0
		dd 0FA21652Fh, 0
		dd 0EF9A2426h, 0
		dd 87BAE319h, 0
		dd 9201A210h, 0
		dd 0ACCC610Bh, 0
		dd 0B9772002h, 0
		db 14h,	89h, 0D5h
; 

loc_42BDCB:				; CODE XREF: .text:0042BD69j
		and	al, [eax]
; 
		db 3 dup(0)
		dd 376EC81Dh, 0
		dd 9A30B06h, 0
		dd 1C184A0Fh, 0
		dd 74388D30h, 0
		dd 6183CC39h, 0
		dd 5F4E0F22h, 0
		dd 4AF54E2Bh, 0
		dd 8F0F815Ch, 0
		dd 9AB4C055h, 0
		dd 0A479034Eh, 0
; 
		inc	edi
		inc	edx
		retn	0B1h
; 
		align 4
		dd 0D9E28578h, 0
		dd 0CC59C471h, 0
		dd 0F294076Ah, 0
		dd 0E72F4663h, 0
		dd 0C03D23B7h, 0
		dd 0D58662BEh, 0
		dd 0EB4BA1A5h, 0
		dd 0FEF0E0ACh, 0
		dd 96D02793h, 0
		dd 836B669Ah, 0
		dd 0BDA6A581h, 0
		dd 0A81DE488h, 0
; 
		jmp	fword ptr [ebx]
; 
		dw 6DE7h
		align 10h
		dd 785C6AF6h, 0
		dd 4691A9EDh, 0
		dd 532AE8E4h, 0
		dd 3B0A2FDBh, 0
		dd 2EB16ED2h, 0
		dd 107CADC9h, 0
		dd 5C7ECC0h, 0
		dd 9E6545D6h, 0
		dd 8BDE04DFh, 0
		dd 0B513C7C4h, 0
		dd 0A0A886CDh, 0
		dd 0C88841F2h, 0
		dd 0DD3300FBh, 0
		dd 0E3FEC3E0h, 0
		dd 0F64582E9h, 0
		dd 33BF4D9Eh, 0
		dd 26040C97h, 0
		dd 18C9CF8Ch, 0
		dd 0D728E85h, 0
		dd 655249BAh, 0
; 
		mov	bl, 8
		jmp	loc_42BFA7
; 
		align 4
		dd 4E24CBA8h, 0
		dd 5B9F8AA1h, 0
		dd 0F91BDEEAh, 0
		dd 0ECA09FE3h, 0
		dd 0D26D5CF8h, 0
		dd 0C7D61DF1h, 0
		dd 0AFF6DACEh, 0
		dd 0BA4D9BC7h, 0
		dd 848058DCh, 0
		dd 913B19D5h, 0
		dd 54C1D6A2h, 0
		dd 417A97ABh, 0
		dd 7FB754B0h, 0
		dd 6A0C15B9h
		db 3 dup(0)
; 

loc_42BFA7:				; CODE XREF: .text:0042BF32j
		add	[esi+22CD2h], al
; 
		db 3 dup(0)
		dd 1797938Fh, 0
		dd 295A5094h, 0
		dd 3CE1119Dh, 0
		dd 0A743B88Bh, 0
		dd 0B2F8F982h, 0
		dd 8C353A99h, 0
		dd 998E7B90h, 0
		dd 0F1AEBCAFh, 0
		dd 0E415FDA6h, 0
		dd 0DAD83EBDh, 0
		dd 0CF637FB4h, 0
; 
		retn
; 
		db 0B0h, 99h, 0Ah
		align 10h
		retf	22F1h
; 
		db 1Fh
		align 8
		dd 21EF32D1h, 0
		dd 345473D8h, 0
		dd 5C74B4E7h, 0
		dd 49CFF5EEh, 0
		dd 770236F5h, 0
		dd 62B977FCh, 0
		dd 45AB1228h, 0
		dd 50105321h, 0
		dd 6EDD903Ah, 0
		dd 7B66D133h, 0
		dd 1346160Ch, 0
		dd 6FD5705h, 0
		dd 3830941Eh, 0
		dd 2D8BD517h, 0
		dd 0E8711A60h, 0
; 
		imul	ebx, [ebx-36h],	0FDh
		add	[edx-68h], dh
		pop	es
		retn
; 
		align 10h
		dd 0D6BCD97Bh, 0
		dd 0BE9C1E44h, 0
		dd 0AB275F4Dh, 0
		dd 95EA9C56h, 0
		dd 8051DD5Fh, 0
		dd 1BF37449h, 0
		dd 0E483540h, 0
		dd 3085F65Bh, 0
		dd 253EB752h, 0
		dd 4D1E706Dh, 0
		dd 58A53164h, 0
		dd 6668F27Fh, 0
		dd 73D3B376h, 0
		dd 0B6297C01h, 0
		dd 0A3923D08h, 0
		dd 9D5FFE13h, 0
		dd 88E4BF1Ah, 0
		dd 0E0C47825h, 0
		dd 0F57F392Ch, 0
		dd 0CBB2FA37h, 0
		dd 0DE09BB3Eh, 0
		dd 8596319Fh, 0
		dd 902D7096h, 0
		dd 0AEE0B38Dh, 0
		dd 0BB5BF284h, 0
		dd 0D37B35BBh, 0
		dd 0C6C074B2h, 0
		dd 0F80DB7A9h, 0
		dd 0EDB6F6A0h, 0
		dd 284C39D7h, 0
		dd 3DF778DEh, 0
		dd 33ABBC5h, 0
		dd 1681FACCh, 0
		dd 7EA13DF3h, 0
		dd 6B1A7CFAh, 0
		dd 55D7BFE1h, 0
		dd 406CFEE8h, 0
		dd 0DBCE57FEh, 0
		dd 0CE7516F7h, 0
		dd 0F0B8D5ECh, 0
		dd 0E50394E5h, 0
		dd 8D2353DAh, 0
		dd 989812D3h, 0
		dd 0A655D1C8h, 0
		dd 0B3EE90C1h, 0
		dd 76145FB6h, 0
		dd 63AF1EBFh, 0
		dd 5D62DDA4h, 0
		dd 48D99CADh, 0
		dd 20F95B92h, 0
		dd 35421A9Bh, 0
		dd 0B8FD980h, 0
		dd 1E349889h, 0
		dd 3926FD5Dh, 0
		dd 2C9DBC54h, 0
		dd 12507F4Fh, 0
; 
		inc	esi
		db	3Eh
		jmp	short loc_42C26B
; 
		align 8
		db 79h,	0F9h, 0CBh
; 

loc_42C26B:				; CODE XREF: .text:0042C261j
		outsd
; 
		dd 0
		dd 7A70B870h, 0
		dd 44BD7B6Bh, 0
		dd 51063A62h, 0
		dd 94FCF515h, 0
		dd 8147B41Ch, 0
		dd 0BF8A7707h, 0
		dd 0AA31360Eh, 0
		dd 0C211F131h, 0
		dd 0D7AAB038h, 0
		dd 0E9677323h, 0
		dd 0FCDC322Ah, 0
		dd 677E9B3Ch, 0
		dd 72C5DA35h, 0
		dd 4C08192Eh, 0
		dd 59B35827h, 0
		dd 31939F18h, 0
		dd 2428DE11h, 0
		dd 1AE51D0Ah, 0
		dd 0F5E5C03h, 0
		dd 0CAA49374h, 0
		dd 0DF1FD27Dh, 0
		dd 0E1D21166h, 0
		dd 0F469506Fh, 0
		dd 9C499750h, 0
		dd 89F2D659h, 0
		dd 0B73F1542h, 0
		dd 0A284544Bh, 3 dup(0)
		dd 78A7608Dh, 0
		dd 0F14EC11Ah, 0
		dd 89E9A197h, 0
		dd 0E771F4C5h, 0
		dd 9FD69448h, 0
		dd 163F35DFh, 0
		dd 6E985552h, 0
		dd 0CB0F9F7Bh, 0
		dd 0B3A8FFF6h, 0
		dd 3A415E61h, 0
		dd 42E63EECh, 0
		dd 2C7E6BBEh, 0
		dd 54D90B33h, 0
		dd 0DD30AAA4h, 0
		dd 0A597CA29h, 0
		dd 93F34807h, 0
		dd 0EB54288Ah, 0
		dd 62BD891Dh, 0
		dd 1A1AE990h, 0
; 
		retn	82BCh
; 
		db 74h
		align 10h
		dd 0C25DC4Fh, 0
		dd 85CC7DD8h, 0
		dd 0FD6B1D55h, 0
		dd 58FCD77Ch, 0
		dd 205BB7F1h, 0
		dd 0A9B21666h, 0
; 
		jmp	short loc_42C498
; 
		dw 0D115h
		align 8
		dd 0BF8D23B9h, 0
		dd 0C72A4334h, 0
		dd 4EC3E2A3h, 0
		dd 3664822Eh, 0
; 
		jmp	esi
; 
		dw 220Ah
		align 10h
		dd 5AAD8672h, 0
		dd 0D34427E5h, 0
		dd 0ABE34768h, 0
		dd 0C57B123Ah, 0
		dd 0BDDC72B7h, 0
		dd 3435D320h, 0
		dd 4C92B3ADh, 0
		dd 0E9057984h, 0
		dd 91A21909h, 0
; 

loc_42C498:				; CODE XREF: .text:0042C420j
		sahf
		mov	eax, 184Bh
; 
		dw 0
		dd 60ECD813h, 0
		dd 0E748D41h, 0
		dd 76D3EDCCh, 0
		dd 0FF3A4C5Bh, 0
		dd 879D2CD6h, 0
		dd 0B1F9AEF8h, 0
		dd 0C95ECE75h, 0
		dd 40B76FE2h, 0
		dd 38100F6Fh, 0
		dd 56885A3Dh, 0
		dd 2E2F3AB0h, 0
		dd 0A7C69B27h, 0
		dd 0DF61FBAAh, 0
		dd 7AF63183h, 0
		dd 251510Eh, 0
		dd 8BB8F099h, 0
		dd 0F31F9014h, 0
		dd 9D87C546h, 0
; 
		retf
; 
		db 0A5h, 20h, 0E5h
		align 8
		dd 6CC9045Ch, 0
		dd 146E64D1h, 0
		dd 4415CDFEh, 0
		dd 3CB2AD73h, 0
		dd 0B55B0CE4h, 0
; 
		imul	ebp, [esp+edi*8-33h], 0
		cmp	edi, [ecx]
		mov	large fs:0, eax
		mov	dh, 59h
		retn
; 
		db 0DBh
		align 8
		dd 522AF821h, 0
		dd 2A8D98ACh, 0
		dd 8F1A5285h, 0
		dd 0F7BD3208h, 0
		dd 7E54939Fh, 0
		dd 6F3F312h, 0
		dd 686BA640h, 0
		dd 10CCC6CDh, 0
		dd 9925675Ah, 0
		dd 0E18207D7h, 0
		dd 0D7E685F9h, 0
		dd 0AF41E574h, 0
		dd 26A844E3h, 0
		dd 5E0F246Eh, 0
		dd 3097713Ch, 0
		dd 483011B1h, 0
		dd 0C1D9B026h, 0
		dd 0B97ED0ABh, 0
		dd 1CE91A82h, 0
		dd 644E7A0Fh, 0
		dd 0EDA7DB98h, 0
		dd 9500BB15h, 0
		dd 0FB98EE47h, 0
; 
		retf	3F8Eh
; 
		db 83h
		align 8
		dd 0AD62F5Dh, 0
		dd 72714FD0h, 0
		dd 661F2B01h, 0
		dd 1EB84B8Ch, 0
		dd 9751EA1Bh, 0
		dd 0EFF68A96h, 0
		dd 816EDFC4h, 0
		dd 0F9C9BF49h, 0
		dd 70201EDEh, 0
		dd 8877E53h, 0
		dd 0AD10B47Ah, 0
		dd 0D5B7D4F7h, 0
		dd 5C5E7560h, 0
		dd 24F915EDh, 0
		dd 4A6140BFh, 0
		dd 32C62032h, 0
		dd 0BB2F81A5h, 0
		dd 0C388E128h, 0
		dd 0F5EC6306h, 0
		dd 8D4B038Bh, 0
		dd 4A2A21Ch, 0
; 
		xchg	eax, ecx
		retn	7C05h
; 
		align 8
		retn
; 
		db 97h,	9Dh, 12h
		align 10h
		dd 6A3AF74Eh, 0
		dd 0E3D356D9h, 0
		dd 9B743654h, 0
		dd 3EE3FC7Dh, 0
		dd 46449CF0h, 0
		dd 0CFAD3D67h, 0
		dd 0B70A5DEAh, 0
		dd 0D99208B8h, 0
		dd 0A1356835h, 0
		dd 28DCC9A2h, 0
		dd 507BA92Fh, 0
		dd 882B9BFCh, 0
		dd 0F08CFB71h, 0
		dd 79655AE6h, 0
		dd 1C23A6Bh, 0
a9ozo		db '9oZo',0
		align 10h
		dd 17FD0FB4h, 0
		dd 9E14AE23h, 0
		dd 0E6B3CEAEh, 0
		dd 43240487h, 0
		dd 3B83640Ah, 0
		dd 0B26AC59Dh, 0
		dd 0CACDA510h, 0
		dd 0A455F042h, 0
		dd 0DCF290CFh, 0
		dd 551B3158h, 0
		dd 2DBC51D5h, 0
		dd 1BD8D3FBh, 0
		dd 637FB376h, 0
		dd 0EA9612E1h, 0
		dd 9231726Ch, 0
		dd 0FCA9273Eh, 0
		dd 840E47B3h, 0
		dd 0DE7E624h, 0
		dd 754086A9h, 0
		dd 0D0D74C80h, 0
		dd 0A8702C0Dh, 0
		dd 21998D9Ah, 0
		dd 593EED17h, 0
		dd 37A6B845h, 0
		dd 4F01D8C8h, 0
		dd 0C6E8795Fh, 0
		dd 0BE4F19D2h, 0
		dd 0AA217D03h, 0
		dd 0D2861D8Eh, 0
		dd 5B6FBC19h, 0
		dd 23C8DC94h, 0
		dd 4D5089C6h, 0
; 
		dec	ebx
		jmp	loc_42FE6D
; 
		align 4
		dd 0BC1E48DCh, 0
		dd 0C4B92851h, 0
		dd 612EE278h, 0
		dd 198982F5h, 0
		dd 90602362h, 0
		dd 0E8C743EFh, 0
		dd 865F16BDh, 0
		dd 0FEF87630h, 0
		dd 7711D7A7h, 0
		dd 0FB6B72Ah, 0
		dd 39D23504h, 0
		dd 41755589h, 0
		dd 0C89CF41Eh, 0
		dd 0B03B9493h, 0
		dd 0DEA3C1C1h, 0
		dd 0A604A14Ch, 0
		dd 2FED00DBh, 0
		dd 574A6056h, 0
		dd 0F2DDAA7Fh, 0
		dd 8A7ACAF2h, 0
		dd 3936B65h, 0
		dd 7B340BE8h, 0
		dd 15AC5EBAh, 0
		dd 6D0B3E37h, 0
		dd 0E4E29FA0h, 0
		dd 9C45FF2Dh, 0
		dd 0CC3E5602h, 0
		dd 0B499368Fh, 0
		dd 3D709718h, 0
		dd 45D7F795h, 0
		dd 2B4FA2C7h, 0
; 
		dec	edx
		retn	53E8h
; 
		align 8
		dd 0DA0163DDh, 0
		dd 0A2A60350h, 0
		dd 731C979h, 0
		dd 7F96A9F4h, 0
		dd 0F67F0863h, 0
		dd 8ED868EEh, 0
		dd 0E0403DBCh, 0
		dd 98E75D31h, 0
		dd 110EFCA6h, 0
		dd 69A99C2Bh, 0
		dd 5FCD1E05h, 0
		dd 276A7E88h, 0
		dd 0AE83DF1Fh, 0
		dd 0D624BF92h, 0
		dd 0B8BCEAC0h, 0
		dd 0C01B8A4Dh, 0
		dd 49F22BDAh, 0
aWku1		db 'WKU1',0
		align 4
aBF		db '~',0
		align 10h
		dd 0EC65E1F3h, 0
		dd 658C4064h, 0
; 
		jmp	locret_5FF545
; 
		align 4
		dd 73B375BBh, 0
		dd 0B141536h, 0
		dd 82FDB4A1h, 0
		dd 0FA5AD42Ch, 0
		dd 0EE34B0FDh, 0
		dd 9693D070h, 0
		dd 1F7A71E7h, 0
		dd 67DD116Ah, 0
		dd 9454438h, 0
		dd 71E224B5h, 0
		dd 0F80B8522h, 0
		dd 80ACE5AFh, 0
		dd 253B2F86h, 0
		dd 5D9C4F0Bh, 0
		dd 0D475EE9Ch, 0
		dd 0ACD28E11h, 0
		dd 0C24ADB43h, 0
		dd 0BAEDBBCEh, 0
		dd 33041A59h, 0
		dd 4BA37AD4h, 0
		dd 7DC7F8FAh, 0
		dd 5609877h, 0
		dd 8C8939E0h, 0
		dd 0F42E596Dh, 0
		dd 9AB60C3Fh, 0
		dd 0E2116CB2h, 0
		dd 6BF8CD25h, 0
		dd 135FADA8h, 0
		dd 0B6C86781h, 0
		dd 0CE6F070Ch, 0
		dd 4786A69Bh, 0
		dd 3F21C616h, 0
		dd 51B99344h, 0
		dd 291EF3C9h, 0
		dd 0A0F7525Eh, 0
		dd 0D85032D3h, 3 dup(0)
; 
		retf
; 
		db 0D0h, 0A6h, 3Dh
		align 8
		dd 7B4DA196h, 0
		dd 46EB715Dh, 0
		dd 0F69B432Ch, 0
		dd 0CB3D93E7h, 0
		dd 8DD6E2BAh, 0
		dd 0B0703271h, 0
		dd 0E8DAF0A9h, 0
		dd 0D57C2062h, 0
		dd 9397513Fh, 0
		dd 0AE3181F4h, 0
		dd 1E41B385h, 0
		dd 23E7634Eh, 0
		dd 650C1213h, 0
		dd 58AAC2D8h, 0
		dd 0D45997A3h, 0
		dd 0E9FF4768h, 0
		dd 0AF143635h, 0
		dd 92B2E6FEh, 0
		dd 22C2D48Fh, 0
		dd 1F640444h, 0
		dd 598F7519h, 0
		dd 6429A5D2h, 0
		dd 3C83670Ah, 0
		dd 125B7C1h, 0
		dd 47CEC69Ch, 0
; 
		push	edi
		push	ss
		push	7Ah
		add	[esi], ah
		and	al, 18h
		retf	0
; 
		align 10h
		dd 0F7BEF4EDh, 0
		dd 0B15585B0h, 0
		dd 8CF3557Bh, 0
		dd 0AD5F59B7h, 0
		dd 90F9897Ch, 0
		dd 0D612F821h, 0
		dd 0EBB428EAh, 0
		dd 5BC41A9Bh, 0
; 
		push	eax
		retf	6662h
; 
		align 8
		dd 2089BB0Dh, 0
		dd 1D2F6BC6h, 0
		dd 4585A91Eh, 0
		dd 782379D5h, 0
		dd 3EC80888h, 0
		dd 36ED843h, 0
		dd 0B31EEA32h, 0
		dd 8EB83AF9h, 0
		dd 0C8534BA4h, 0
		dd 0F5F59B6Fh, 0
		dd 7906CE14h, 0
		dd 44A01EDFh, 0
		dd 24B6F82h, 0
		dd 3FEDBF49h, 0
		dd 8F9D8D38h, 0
		dd 0B23B5DF3h, 0
		dd 0F4D02CAEh, 0
		dd 0C976FC65h, 0
		dd 91DC3EBDh, 0
		dd 0AC7AEE76h, 0
		dd 0EA919F2Bh, 0
		dd 0D7374FE0h, 0
		dd 67477D91h, 0
		dd 5AE1AD5Ah, 0
		dd 1C0ADC07h, 0
		dd 21AC0CCCh, 0
		dd 5F52C59Fh, 0
		dd 62F41554h, 0
		dd 241F6409h, 0
; 
		retn	0B9B4h
; 
		db 19h
		align 8
		dd 0A9C986B3h, 0
		dd 946F5678h, 0
		dd 0D2842725h, 0
		dd 0EF22F7EEh, 0
		dd 0B7883536h, 0
		dd 8A2EE5FDh, 0
		dd 0CCC594A0h, 0
		dd 0F163446Bh, 0
		dd 4113761Ah, 0
		dd 7CB5A6D1h, 0
		dd 3A5ED78Ch, 0
		dd 7F80747h, 0
		dd 8B0B523Ch, 0
		dd 0B6AD82F7h, 0
		dd 0F046F3AAh, 0
		dd 0CDE02361h, 0
		dd 7D901110h, 0
		dd 4036C1DBh, 0
		dd 6DDB086h, 0
		dd 3B7B604Dh, 0
		dd 63D1A295h, 0
		dd 5E77725Eh, 0
		dd 189C0303h, 0
		dd 253AD3C8h, 0
		dd 954AE1B9h, 0
		dd 0A8EC3172h, 0
		dd 0EE07402Fh, 0
		dd 0D3A190E4h, 0
		dd 0F20D9C28h, 0
		dd 0CFAB4CE3h, 0
		dd 89403DBEh, 0
		dd 0B4E6ED75h, 0
		dd 496DF04h, 0
		dd 39300FCFh, 0
		dd 7FDB7E92h, 0
		dd 427DAE59h, 0
		dd 1AD76C81h, 0
		dd 2771BC4Ah, 0
		dd 619ACD17h, 0
		dd 5C3C1DDCh, 0
		dd 0EC4C2FADh, 0
		dd 0D1EAFF66h, 0
		dd 97018E3Bh, 0
		dd 0AAA75EF0h, 0
		dd 26540B8Bh, 0
		dd 1BF2DB40h, 0
		dd 5D19AA1Dh, 0
		dd 60BF7AD6h, 0
		dd 0D0CF48A7h, 0
		dd 0ED69986Ch, 0
		dd 0AB82E931h, 0
		dd 962439FAh, 0
		dd 0CE8EFB22h, 0
		dd 0F3282BE9h, 0
; 
		mov	ah, 5Ah
		retn
; 
		db 0B5h
		align 10h
		dd 88658A7Fh, 0
		dd 3815B80Eh, 0
		dd 5B368C5h, 0
		dd 43581998h, 0
		dd 7EFEC953h, 0
		dd 0BEA58B3Eh, 0
		dd 83035BF5h, 0
		dd 0C5E82AA8h, 0
		dd 0F84EFA63h, 0
		dd 483EC812h, 0
		dd 759818D9h, 0
		dd 33736984h, 0
		dd 0ED5B94Fh, 0
		dd 567F7B97h, 0
		dd 6BD9AB5Ch, 0
; 
		add	edx, ebx
		xor	ch, large ds:0
		retf	940Ah
; 
		db 10h
		align 8
		dd 0A0E438BBh, 0
		dd 9D42E870h, 0
		dd 0DBA9992Dh, 0
		dd 0E60F49E6h, 0
		dd 6AFC1C9Dh, 0
		dd 575ACC56h, 0
		dd 11B1BD0Bh, 0
		dd 2C176DC0h, 0
		dd 9C675FB1h, 0
		dd 0A1C18F7Ah, 0
		dd 0E72AFE27h, 0
		dd 0DA8C2EECh, 0
		dd 8226EC34h, 0
		dd 0BF803CFFh, 0
		dd 0F96B4DA2h, 0
		dd 0C4CD9D69h, 0
		dd 74BDAF18h, 0
		dd 491B7FD3h, 0
		dd 0FF00E8Eh, 0
		dd 3256DE45h, 0
		dd 13FAD289h, 0
		dd 2E5C0242h, 0
		dd 68B7731Fh, 0
		dd 5511A3D4h, 0
		dd 0E56191A5h, 0
		dd 0D8C7416Eh, 0
		dd 9E2C3033h, 0
		dd 0A38AE0F8h, 0
		dd 0FB202220h, 0
		dd 0C686F2EBh, 0
		dd 806D83B6h, 0
; 
		jge	short near ptr byte_42D0F5
		retf
; 
		db 0BDh
		align 8
		dd 0DBB610Ch, 0
		dd 301DB1C7h, 0
		dd 76F6C09Ah, 0
		dd 4B501051h, 0
		dd 0C7A3452Ah, 0
		dd 0FA0595E1h, 0
		dd 0BCEEE4BCh, 0
		dd 81483477h, 0
		dd 31380606h, 0
		dd 0C9ED6CDh
		db 0
byte_42D0F5	db 3 dup(0)		; CODE XREF: .text:0042D0A0j
		dd 4A75A790h, 0
		dd 77D3775Bh, 0
		dd 2F79B583h, 0
		dd 12DF6548h, 0
		dd 54341415h, 0
		dd 6992C4DEh, 0
		dd 0D9E2F6AFh, 0
		dd 0E4442664h, 0
		dd 0A2AF5739h, 0
		dd 9F0987F2h, 0
		dd 0E1F74EA1h, 0
		dd 0DC519E6Ah, 0
		dd 9ABAEF37h, 0
		dd 0A71C3FFCh, 0
		dd 176C0D8Dh, 0
		dd 2ACADD46h, 0
		dd 6C21AC1Bh, 0
		dd 51877CD0h, 0
		dd 92DBE08h, 0
; 
		retn
; 
		db 6Eh,	8Bh, 34h
		align 8
		dd 72601F9Eh, 0
		dd 4FC6CF55h, 0
		dd 0FFB6FD24h, 0
		dd 0C2102DEFh, 0
		dd 84FB5CB2h, 0
		dd 0B95D8C79h, 0
		dd 35AED902h, 0
		dd 80809C9h, 0
		dd 4EE37894h, 0
		dd 7345A85Fh, 0
		dd 0C3359A2Eh, 0
		dd 0FE934AE5h, 0
		dd 0B8783BB8h, 0
		dd 85DEEB73h, 0
		dd 0DD7429ABh, 0
		dd 0E0D2F960h, 0
		dd 0A639883Dh, 0
		dd 9B9F58F6h, 0
		dd 2BEF6A87h, 0
		dd 1649BA4Ch, 0
		dd 50A2CB11h, 0
		dd 6D041BDAh, 0
		dd 4CA81716h, 0
		dd 710EC7DDh, 0
		dd 37E5B680h, 0
		dd 0A43664Bh, 0
		dd 0BA33543Ah, 0
		dd 879584F1h, 0
		dd 0C17EF5ACh, 0
		dd 0FCD82567h, 0
		dd 0A472E7BFh, 0
		dd 99D43774h, 0
		dd 0DF3F4629h, 0
		dd 0E29996E2h, 0
; 
		xchg	eax, ebx
		movsb
		jmp	loc_42D301
; 
		align 10h
aXtoo		db 'XtOo',0
		align 4
		dd 29A40505h, 0
		dd 1402D5CEh, 0
		dd 98F180B5h, 0
		dd 0A557507Eh, 0
		dd 0E3BC2123h, 0
		dd 0DE1AF1E8h, 0
; 
		cdq
		retn
; 
		dw 6E6Ah
		align 10h
		dd 53CC1352h, 0
		dd 1527620Fh, 0
		db 0C4h
; 

loc_42D301:				; CODE XREF: .text:0042D2AAj
		mov	dl, 81h
		sub	[eax], al
; 
		db 3 dup(0)
		dd 702B701Ch, 0
		dd 4D8DA0D7h, 0
		dd 0B66D18Ah, 0
		dd 36C00141h, 0
		dd 86B03330h, 0
		dd 0BB16E3FBh, 0
		dd 0FDFD92A6h, 0
		dd 0C05B426Dh, 0
_crc32Mult_	dd 800000h, 0
		dd 8000h, 0
		dd 82F63B78h, 0
		dd 6EA2D55Ch, 0
		dd 18B8EA18h, 0
		dd 510AC59Ah, 0
		dd 0B82BE955h, 0
		dd 0B8FDB1E7h, 0
		dd 88E56F72h, 0
; 
		movsb
		pusha
		retn
; 
		db 74h
		align 8
		dd 0E4172B16h, 0
		dd 0D65762Ah, 0
		dd 35D73A62h, 0
		dd 28461564h, 0
		dd 0BF455269h, 0
		dd 0E2EA32DCh, 0
		dd 0FE7740E6h, 0
		dd 0F946610Bh, 0
		dd 3C204F8Fh, 0
		dd 538586E3h, 0
		dd 59726915h, 0
		dd 734D5309h, 0
		dd 0BC1AC763h, 0
		dd 7D0722CCh, 0
		dd 0D289CABEh, 0
		dd 0E94CA9BCh, 0
		dd 5B74F3Fh, 0
		dd 0A51E1F42h, 0
		dd 40000000h, 0
		dd 20000000h, 0
		dd 8000000h, 0
		dd 800000h, 0
		dd 8000h, 0
		dd 82F63B78h, 0
		dd 6EA2D55Ch, 0
		dd 18B8EA18h, 0
		dd 510AC59Ah, 0
; 
		push	ebp
		jmp	loc_438CA1
; 
		align 4
		dd 0B8FDB1E7h, 0
		dd 88E56F72h, 0
; 
		movsb
		pusha
		retn
; 
		db 74h
		align 10h
		dd 0E4172B16h, 0
		dd 0D65762Ah, 0
		dd 35D73A62h, 0
		dd 28461564h, 0
		dd 0BF455269h, 0
		dd 0E2EA32DCh, 0
		dd 0FE7740E6h, 0
		dd 0F946610Bh, 0
		dd 3C204F8Fh, 0
		dd 538586E3h, 0
		dd 59726915h, 0
		dd 734D5309h, 0
		dd 0BC1AC763h, 0
		dd 7D0722CCh, 0
		dd 0D289CABEh, 0
		dd 0E94CA9BCh, 0
		dd 5B74F3Fh, 0
		dd 0A51E1F42h, 0
		dd 40000000h, 0
		dd 20000000h, 0
		dd 8000000h, 0
		dd 800000h, 0
		dd 8000h, 0
_crc32Map1_	dd 2 dup(0)
		dd 0F26B8303h, 0
		dd 0E13B70F7h, 0
		dd 1350F3F4h, 0
		dd 0C79A971Fh, 0
		dd 35F1141Ch, 0
		dd 26A1E7E8h, 0
; 
		jmp	short near ptr word_42D5E6
; 
		retf	0D4h
; 
		align 4
		dd 8AD958CFh, 0
		dd 78B2DBCCh, 0
		dd 6BE22838h, 0
		dd 9989AB3Bh, 0
		dd 4D43CFD0h, 0
		dd 0BF284CD3h, 0
		dd 0AC78BF27h, 0
		dd 5E133C24h, 0
		dd 105EC76Fh, 0
		dd 0E235446Ch, 0
		dd 0F165B798h, 0
		dd 30E349Bh
		db 2 dup(0)
word_42D5E6	dw 0			; CODE XREF: .text:0042D580j
		dd 0D7C45070h, 0
		dd 25AFD373h, 0
		dd 36FF2087h, 0
		dd 0C494A384h, 0
		dd 9A879FA0h, 0
		dd 68EC1CA3h, 0
		dd 7BBCEF57h, 0
		dd 89D76C54h, 0
		dd 5D1D08BFh, 0
		dd 0AF768BBCh, 0
		dd 0BC267848h, 0
		dd 4E4DFB4Bh, 0
		dd 20BD8EDEh, 0
		dd 0D2D60DDDh, 0
		dd 0C186FE29h, 0
		dd 33ED7D2Ah, 0
		dd 0E72719C1h, 0
; 
		retn	4C9Ah
; 
		db 15h
		align 8
		dd 61C6936h, 0
		dd 0F477EA35h, 0
		dd 0AA64D611h, 0
		dd 580F5512h, 0
		dd 4B5FA6E6h, 0
		dd 0B93425E5h, 0
		dd 6DFE410Eh, 0
		dd 9F95C20Dh, 0
		dd 8CC531F9h, 0
		dd 7EAEB2FAh, 0
		dd 30E349B1h, 0
		dd 0C288CAB2h, 0
		dd 0D1D83946h, 0
		dd 23B3BA45h, 0
		dd 0F779DEAEh, 0
		dd 5125DADh, 0
		dd 1642AE59h, 0
		dd 0E4292D5Ah, 0
		dd 0BA3A117Eh, 0
		dd 4851927Dh, 0
		dd 5B016189h, 0
		dd 0A96AE28Ah, 0
; 
		popa
		xchg	ah, [eax+7Dh]
		add	[edx+5], ah
		retf
; 
		db 8Fh
		align 8
		dd 9C9BF696h, 0
		dd 6EF07595h, 0
		dd 417B1DBCh, 0
		dd 0B3109EBFh, 0
		dd 0A0406D4Bh, 0
		dd 522BEE48h, 0
		dd 86E18AA3h, 0
		dd 748A09A0h, 0
		dd 67DAFA54h, 0
		dd 95B17957h, 0
		dd 0CBA24573h, 0
		dd 39C9C670h, 0
		dd 2A993584h, 0
		dd 0D8F2B687h, 0
		dd 0C38D26Ch, 0
		dd 0FE53516Fh, 0
		dd 0ED03A29Bh, 0
		dd 1F682198h, 0
		dd 5125DAD3h, 0
		dd 0A34E59D0h, 0
		dd 0B01EAA24h, 0
		dd 42752927h, 0
		dd 96BF4DCCh, 0
		dd 64D4CECFh, 0
		dd 77843D3Bh, 0
		dd 85EFBE38h, 0
		dd 0DBFC821Ch, 0
		dd 2997011Fh, 0
		dd 3AC7F2EBh, 0
		dd 0C8AC71E8h, 0
		dd 1C661503h, 0
		dd 0EE0D9600h, 0
		dd 0FD5D65F4h, 0
		dd 0F36E6F7h, 0
		dd 61C69362h, 0
		dd 93AD1061h, 0
		dd 80FDE395h, 0
		dd 72966096h, 0
		dd 0A65C047Dh, 0
		dd 5437877Eh, 0
		dd 4767748Ah, 0
		dd 0B50CF789h, 0
; 
		lodsd
		retf
; 
		dw 0EB1Fh
		align 10h
		dd 197448AEh, 0
		dd 0A24BB5Ah, 0
		dd 0F84F3859h, 0
		dd 2C855CB2h, 0
		dd 0DEEEDFB1h, 0
		dd 0CDBE2C45h, 0
		dd 3FD5AF46h, 0
		dd 7198540Dh, 0
		dd 83F3D70Eh, 0
		dd 90A324FAh, 0
		dd 62C8A7F9h, 0
		dd 0B602C312h, 0
		dd 44694011h, 0
		dd 5739B3E5h, 0
		dd 0A55230E6h, 0
; 
		retn	410Ch
; 
		db 0FBh
dword_42D90C	dd 0			; CODE XREF: .text:00429621j
		dd 92A8FC1h, 0
		dd 1A7A7C35h, 0
		dd 0E811FF36h, 0
		dd 3CDB9BDDh, 0
		dd 0CEB018DEh, 0
		dd 0DDE0EB2Ah, 0
		dd 2F8B6829h, 0
		dd 82F63B78h, 0
		dd 709DB87Bh, 0
		dd 63CD4B8Fh, 0
		dd 91A6C88Ch, 0
		dd 456CAC67h, 0
		dd 0B7072F64h, 0
		dd 0A457DC90h, 0
		dd 563C5F93h, 0
		dd 82F63B7h, 0
		dd 0FA44E0B4h, 0
		dd 0E9141340h, 0
		dd 1B7F9043h, 0
		dd 0CFB5F4A8h, 0
		dd 3DDE77ABh, 0
		dd 2E8E845Fh, 0
		dd 0DCE5075Ch, 0
		dd 92A8FC17h, 0
; 
		adc	al, 7Fh
		retn
; 
		db 60h
		align 8
		dd 73938CE0h, 0
		dd 81F80FE3h, 0
		dd 55326B08h, 0
		dd 0A759E80Bh, 0
		dd 0B4091BFFh, 0
		dd 466298FCh, 0
		dd 1871A4D8h, 0
		dd 0EA1A27DBh, 0
		dd 0F94AD42Fh, 0
		dd 0B21572Ch, 0
		dd 0DFEB33C7h, 0
		dd 2D80B0C4h, 0
		dd 3ED04330h, 0
		dd 0CCBBC033h, 0
		dd 0A24BB5A6h, 0
		dd 502036A5h, 0
		dd 4370C551h, 0
		dd 0B11B4652h, 0
		dd 65D122B9h, 0
		dd 97BAA1BAh, 0
		dd 84EA524Eh, 0
		dd 7681D14Dh, 0
		dd 2892ED69h, 0
		dd 0DAF96E6Ah, 0
		dd 0C9A99D9Eh, 0
; 
		popf
		push	ds
		retn	3Bh
; 
		align 4
		dd 0EF087A76h, 0
		dd 1D63F975h, 0
		dd 0E330A81h, 0
		dd 0FC588982h, 0
		dd 0B21572C9h, 0
; 
		retf	7EF1h
; 
		db 40h
		align 8
		dd 532E023Eh, 0
		dd 0A145813Dh, 0
		dd 758FE5D6h, 0
		dd 87E466D5h, 0
		dd 94B49521h, 0
		dd 66DF1622h, 0
		dd 38CC2A06h, 0
		dd 0CAA7A905h, 0
		dd 0D9F75AF1h, 0
		dd 2B9CD9F2h, 0
		dd 0FF56BD19h, 0
		dd 0D3D3E1Ah, 0
		dd 1E6DCDEEh, 0
		dd 0EC064EEDh, 0
		dd 0C38D26C4h, 0
		dd 31E6A5C7h, 0
		dd 22B65633h, 0
		dd 0D0DDD530h, 0
		dd 417B1DBh, 0
		dd 0F67C32D8h, 0
		dd 0E52CC12Ch, 0
		dd 1747422Fh, 0
		dd 49547E0Bh, 0
		dd 0BB3FFD08h, 0
		dd 0A86F0EFCh, 0
		dd 5A048DFFh, 0
		dd 8ECEE914h, 0
		dd 7CA56A17h, 0
		dd 6FF599E3h, 0
		dd 9D9E1AE0h, 0
		dd 0D3D3E1ABh, 0
		dd 21B862A8h, 0
		dd 32E8915Ch, 0
		dd 0C083125Fh, 0
		dd 144976B4h, 0
		dd 0E622F5B7h, 0
		dd 0F5720643h, 0
		dd 7198540h, 0
		dd 590AB964h, 0
		dd 0AB613A67h, 0
		dd 0B831C993h, 0
		dd 4A5A4A90h, 0
		dd 9E902E7Bh, 0
		dd 6CFBAD78h, 0
		dd 7FAB5E8Ch, 0
		dd 8DC0DD8Fh, 0
		dd 0E330A81Ah, 0
		dd 115B2B19h, 0
		dd 20BD8EDh, 0
		dd 0F0605BEEh, 0
		dd 24AA3F05h, 0
		dd 0D6C1BC06h, 0
		dd 0C5914FF2h, 0
		dd 37FACCF1h, 0
; 
		aad	0F0h
		jmp	loc_42DCF8
; 
		align 10h
		dd 9B8273D6h, 0
		dd 88D28022h, 0
		dd 7AB90321h, 0
; 
		retf	7367h
; 
		db 0AEh
		align 10h
		dd 5C18E4C9h, 0
		dd 4F48173Dh, 0
		dd 0BD23943Eh, 0
		dd 0F36E6F75h, 0
		dd 105EC76h, 0
		dd 12551F82h, 0
		dd 0E03E9C81h, 0
		dd 34F4F86Ah, 0
		dd 0C69F7B69h, 0
; 

loc_42DCF8:				; CODE XREF: .text:0042DC8Aj
		popf
		mov	bh, cl
		aad	0
; 
		db 3 dup(0)
		dd 27A40B9Eh, 0
		dd 79B737BAh, 0
		dd 8BDCB4B9h, 0
		dd 988C474Dh, 0
		dd 6AE7C44Eh, 0
		dd 0BE2DA0A5h, 0
		dd 4C4623A6h, 0
		dd 5F16D052h, 0
		dd 0AD7D5351h, 0
dword_42DD48	dd 0			; DATA XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+C4r
					; RtlpSysVolCreateSecurityDescriptor(x,x)+4Br ...
word_42DD4C	dw 500h			; DATA XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+BEr
					; RtlpSysVolCreateSecurityDescriptor(x,x)+53r ...
		align 10h
byte_42DD50	db 41h			; DATA XREF: RtlpBase64Encode+37r
					; RtlpBase64Encode+51r	...
		db 42h,	43h, 44h
		dd 48474645h, 4C4B4A49h, 504F4E4Dh, 54535251h, 58575655h
		dd 62615A59h, 66656463h, 6A696867h, 6E6D6C6Bh, 7271706Fh
		dd 76757473h, 7A797877h, 33323130h, 37363534h, 2F2B3938h
; 

_M_strAceEmailPrefix:			; DATA XREF: punycode_decode(x,x,x,x,x,x,x,x)+D0o
					; punycode_encode(x,x,x,x,x,x):loc_9D4A4Bo ...
		js	short $+2
		insb
		add	large ds:2D00h,	ch
; 
		db 3 dup(0)
; 

; wchar_t M_strAceIdnPrefix
_M_strAceIdnPrefix:			; DATA XREF: punycode_decode(x,x,x,x,x,x,x,x)+D9o
					; punycode_encode(x,x,x,x,x,x):loc_9D4A44o ...
		js	short $+2
		outsb
		add	large ds:2D00h,	ch
; 
		db 3 dup(0)
_GlfsrXorLookup4 dd 2 dup(0)
		dd 0C537B99Ch, 0EBBE1E42h, 0BA6E511Bh, 0F55F2F84h, 7F59E887h
		dd 1EE131C6h, 57CFA225h, 0DAAD4D38h, 92F81BB9h,	3113537Ah
		dd 0EDA1F33Eh, 2FF262BCh, 28964AA2h, 0C44C7CFEh, 0AEBD744Ah
		dd 97798963h, 6B8ACDD6h, 7CC79721h, 14D32551h, 6226A6E7h
		dd 0D1E49CCDh, 8998B8A5h, 0F972D66Fh, 4DD4C45Bh, 3C456FF3h
		dd 0A66ADA19h, 431C8774h, 0B88BEBDFh, 862B3EE8h, 5335F59Dh
_GlfsrXorLookup2 dd 2 dup(0)
		dd 0A249B4E2h, 0D62741CFh, 748158F4h, 9C4E82BDh, 0D6C8EC16h
		dd 4A69C372h, 0E832A3D8h, 1B8F3459h, 4A7B173Ah,	0CDA87596h
		dd 9CB3FB2Ch, 87C1B6E4h, 3EFA4FCEh, 51E6F72Bh, 0F3647693h
		dd 253D68A1h, 512DC271h, 0F31A296Eh, 87E52E67h,	0B973EA1Ch
		dd 25AC9A85h, 6F54ABD3h, 1B56D54Bh, 3EB25CF8h, 0B91F61A9h
		dd 0E8951D37h, 6FD78DBFh, 0A2FCDE45h, 0CD9E395Dh, 74DB9F8Ah
_GlfsrXorLookup1 dd 2 dup(0)
		dd 5217682Fh, 0BBD848F8h, 0A42EC34Dh, 559383D3h, 0F639AB62h
		dd 0EE4BCB2Bh, 784FB689h, 0AA163696h, 2A58DEA6h, 11CE7E6Eh
		dd 0DC6175C4h, 0FF85B545h, 8E761DEBh, 445DFDBDh, 0E38D5C31h
		dd 772C6C1Ch, 0B19A341Eh, 0CCF424E4h, 47A39F7Ch, 22BFEFCFh
		dd 15B4F753h, 9967A737h, 9BC2EAB8h, 0DD3A5A8Ah,	0C9D58297h
		dd 66E21272h, 3FEC29F5h, 88A9D959h, 6DFB41DAh, 337191A1h
_GlfsrXorLookup5 dd 2 dup(0)
; 
		daa
		les	ebp, [edx+ebp*2+1Ch]
		retf
; 
		dw 9E2Fh
		dd 0C7CBB84Eh, 1F4DB52Bh, 0ADA77C69h, 81627E37h, 0BEB5538Fh
		dd 2D895A45h, 0D4D997A8h, 0B3A69159h, 797EEBC1h, 32C4EF6Eh
		dd 13122FE6h, 0ACEB2472h, 5F5AA63Dh, 4931A78Ah,	3536621Ah
		dd 0D71E6C96h, 98911E73h
; 

loc_42DF7C:				; CODE XREF: .text:0042DF9Fj
		mov	eax, ds:54567C12h
; 
		db 0DAh, 0FDh, 0F2h
		dd 0C853D9BDh, 0E1EFF5B2h, 64B8FDCFh, 8B833195h, 0FA9736D3h
		dd 26244DFCh
		db 0E4h
; 

loc_42DF9D:				; CODE XREF: .text:004299D9j
		dec	eax
		cmc
		jnp	short loc_42DF7C
		mov	[eax+4Ch], ecx
		clc
		sbb	edx, 0FFFFFFE5h
; 
_GlfsrXorLookup3 dd 2 dup(0)
		dd 0C4CBBAA2h, 0BF17AF45h, 0B8B55774h, 5D2E7D8Ah, 7C7EEDD6h
		dd 0E239D2CFh, 535AAEE8h, 0A94FE937h, 9791144Ah, 16584672h
		dd 0EBEFF99Ch, 0F46194BDh, 2F24433Eh, 4B763BF8h, 0A6A77FF3h
		dd 718DF16Eh, 626CC551h, 0CE9A5E2Bh, 1E122887h,	2CA38CE4h
		dd 0DAD99225h, 93B423A1h, 0F5FDD11Bh, 0D8C21859h, 31366BB9h
		dd 67D5B71Ch, 4D48866Fh, 85EC65D3h, 89833CCDh, 3AFBCA96h
; 

_GUID_TS_INPUT_TIMEOUT:			; DATA XREF: PopSetWin32kInputTimeout(x,x)+2Ao
		mul	byte ptr [edi+22C8592h]
		inc	edx
		dec	edi
		mov	word ptr [ecx-73A08B29h], es
; 
		dw 20A9h

;  S U B	R O U T	I N E 


; void GUID_CONSOLE_VIDEO_TIMEOUT
_GUID_CONSOLE_VIDEO_TIMEOUT proc near	; DATA XREF: PopSetWin32kDisplayTimeout(x,x)+15o
					; TtmInitCurrentSession()+190o
		mov	eax, 756F5E16h
		test	[eax+eax*2], edx
		mov	dl, 9
		and	[edi-2Fh], ebx
		pop	ecx
		xlat
		fisttp	word ptr [esi+34h]
					; DATA XREF: PopSetWin32kInputTimeout(x,x):loc_9B9D0Fo
					; (emulator call)
		pop	ss
		assume ds:nothing
		xor	dword ptr [ecx+41h], 0FFFFFFABh
		fsub	dword ptr [ebx+433EEEB1h]

loc_42E057:				; DATA XREF: PopFxUpdatePlatformIdleState(x,x,x)+83o
		xor	[edi-4Ch], ecx
		les	ebx, [ebx]
		cli
		push	es
		db	2Eh
		dec	edi
		mov	bh, 8Dh
		mov	al, [ecx+ecx+24h]
		lock out dx, al

_GUID_PROCESSOR_IDLE_UPDATE:		; DATA XREF: PopFxUpdateProcessorIdleState(x,x,x)+83o
		in	eax, 9Fh
		mov	eax, ds:4F1DD600h
		dec	ecx
		popf
		inc	esi
		dec	edi
_GUID_CONSOLE_VIDEO_TIMEOUT endp

; START	OF FUNCTION CHUNK FOR _GUID_PLATFORM_IDLE_VETO

loc_42E073:				; CODE XREF: _GUID_PLATFORM_IDLE_VETO+69j
		add	al, 0E0h
		sub	[edi+67h], ebx
; END OF FUNCTION CHUNK	FOR _GUID_PLATFORM_IDLE_VETO

;  S U B	R O U T	I N E 


_GUID_PLATFORM_IDLE_VETO proc near	; DATA XREF: PopFxPlatformIdleVeto(x,x,x,x)+79o

; FUNCTION CHUNK AT 0042E073 SIZE 00000005 BYTES
; FUNCTION CHUNK AT 0042E0BC SIZE 00000007 BYTES
; FUNCTION CHUNK AT 0042E0CC SIZE 00000046 BYTES

		popf
		sbb	ebx, esp
		rcl	eax, cl
		repne sbb [ebp-4Ah], cl
		out	dx, eax
		pop	edi
		sub	al, 6

loc_42E085:				; DATA XREF: PopFxProcessorIdleVeto(x,x,x,x)+79o
		shl	byte ptr [edx+500736E0h], 0E1h
		jg	short loc_42E0CC
		mov	eax, 0F413904Eh
		push	esp
		int	4Eh		; TI Professional PC - DISK I/O
		fbstp	tbyte ptr [ebp+1] ; DATA XREF: WheapReportLiveDump(x)+34o
		sbb	eax, 42F98A1Eh
		push	edi
		inc	ebp
		pushf
		xor	edx, [esi+5Eh]
		pop	esp
		retn
_GUID_PLATFORM_IDLE_VETO endp

; 
		imul	eax
; [00000005 BYTES: COLLAPSED FUNCTION _WHEA_ERROR_PACKET_SECTION_GUID. PRESS KEYPAD "+"	TO EXPAND]
		db 0C1h, 40h, 49h
		dd 979076ABh, 0F32A403h

;  S U B	R O U T	I N E 


_DEVICE_DRIVER_NOTIFY_TYPE_GUID	proc near
					; DATA XREF: WheapInitErrorReportDeviceDriver(x,x)+1CAo
		add	edi, eax
		xor	eax, [eax]
_DEVICE_DRIVER_NOTIFY_TYPE_GUID	endp

; START	OF FUNCTION CHUNK FOR _GUID_PLATFORM_IDLE_VETO

loc_42E0BC:				; CODE XREF: _GUID_PLATFORM_IDLE_VETO+7Cj
		jo	short loc_42E0EC
		mov	[esi-67h], cl
		sub	al, 6Fh
; END OF FUNCTION CHUNK	FOR _GUID_PLATFORM_IDLE_VETO
; 
		db 26h
		dd 7ADBF3DAh
; 

; void MEMORY_ERROR_SECTION_GUID
_MEMORY_ERROR_SECTION_GUID:		; DATA XREF: WheapErrorContainsMemorySection(x)+34o
					; WheapPredictiveFailureAnalysis(x)+7Ao
		adc	al, 11h
; 
		dw 0A5BCh
; 
; START	OF FUNCTION CHUNK FOR _GUID_PLATFORM_IDLE_VETO

loc_42E0CC:				; CODE XREF: _GUID_PLATFORM_IDLE_VETO+14j
		outs	dx, dword ptr fs:[esi]
		fimul	word ptr [esi-48h]
		arpl	[esi], di
		sub	ebp, 7Ch

loc_42E0D6:				; DATA XREF: WheapAddSectionFromGenericErrorData(x,x,x,x,x,x)+6Bo
		xor	dword ptr [ecx-18EDAB18h], 0FFFFFFB9h
		rol	dword ptr [eax+49h], 0ABh
		jbe	short loc_42E073
		xchg	eax, edi

loc_42E0E4:				; DATA XREF: PopFireThermalWmiEvent(x)+33o
					; PpmWmiDispatch+8934Ao
		add	esp, [edx+esi-0C8847F1h]
		dec	eax

loc_42E0EC:				; CODE XREF: _GUID_PLATFORM_IDLE_VETO:loc_42E0BCj
		sub	byte ptr [eax+7Bh], 4Ch
		mov	ebx, esp
		cmp	[ecx], al
		jbe	short loc_42E0BC
		db	65h
		dec	ebp
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; END OF FUNCTION CHUNK	FOR _GUID_PLATFORM_IDLE_VETO
; 
		dw 0
aPolicypublishe:
		unicode	0, <PolicyPublisher>,0
aAvailableupdat:
		unicode	0, <AvailableUpdates>,0
		align 4
aUefisecureboot:
		unicode	0, <UEFISecureBootEnabled>,0
		align 8
aRegistryMach_8:
		unicode	0, <\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Secure>
		unicode	0, <Boot>,0
aTsaProcunique:				; DATA XREF: .data:off_6B36E0o
		unicode	0, <TSA://ProcUnique>,0
		align 4
aBasenamedobjec:			; DATA XREF: SepValidateReferencedCachedHandles+1282C0o
		unicode	0, <\BaseNamedObjects>,0
aKey:
		unicode	0, <Key>,0
aFile:
		unicode	0, <File>,0
		align 10h
aName:					; DATA XREF: PAGEDATA:00A93D78o
		unicode	0, <Name>,0
		align 4
aCapes:					; DATA XREF: PAGEDATA:00A93D8Co
		unicode	0, <CAPEs>,0
aCapid:					; DATA XREF: PAGEDATA:00A93D94o
		unicode	0, <CAPID>,0
aSd:					; DATA XREF: PAGEDATA:00A93D60o
		unicode	0, <SD>,0
		align 4
aAppliesto:				; DATA XREF: PAGEDATA:00A93D58o
		unicode	0, <AppliesTo>,0
aFlags:					; DATA XREF: PAGEDATA:00A93D70o
		unicode	0, <Flags>,0
aStagedsd:				; DATA XREF: PAGEDATA:00A93D68o
		unicode	0, <StagedSD>,0
		align 10h
; void CAP_AUTHORITY
_CAP_AUTHORITY	dd 0			; DATA XREF: SepValidateCAPID(x)+26o
		dd 1100h
; 

_SddlGuidFormat:			; DATA XREF: SddlpUuidToString(x,x)+52o
		and	eax, 38003000h
		add	[eax+eax+78h], ch
		add	ds:30002500h, ch
		add	[eax+eax], dh
		js	short $+2
		sub	eax, 30002500h
		add	[eax+eax], dh
		js	short $+2
		sub	eax, 30002500h
		add	[edx], dh
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		sub	eax, 30002500h
		add	[edx], dh
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
; 
		dw 0
; 

_LegalAttributeCharEnd:			; DATA XREF: IsLegalAttributeChar2(x):loc_9E26F0r
		and	[eax], al
		and	[eax], eax
		and	al, [eax]
		add	es:[ecx], ch
		add	[eax], ch
		add	[eax+eax], bh
; 
		dw 3Eh
		dd 7C003Dh
word_42E340	dw 30h			; DATA XREF: GetPrintableOperandValue+124047r
					; GetPrintableOperandValue+124057r ...
		dw 31h
a23456789abcdef:
		unicode	0, <23456789abcdef>,0
		align 4

_LegalAttributeChar:			; DATA XREF: IsLegalAttributeChar(x):loc_9E2729r
		cmp	al, [eax]
		add	cs:[edi], ch
		add	[edi+0], bl
		inc	eax
; 
		db 3 dup(0)
_NotEncodedAttributeChar dw 23h		; DATA XREF: IsEncodedAttributeChar(x):loc_9E26CCr
		dw 24h
a_?@:
		dw 27h
		unicode	0, <*+-./:;?@[\]>
; 
		pop	esi

loc_42E38F:				; CODE XREF: .text:0042E3D5j
		add	[edi+0], bl
		pusha
		add	[ebx+0], bh
		jge	short $+2
		jle	short $+2
; 
		dw 0
dword_42E39C	dd 0D6D379DCh, 43E9C699h, 0FDF55E8Ch, 8057D68Dh
					; DATA XREF: SmFatalHeapCorruptionDumpCallback(_KBUGCHECK_CALLBACK_REASON,_KBUGCHECK_REASON_CALLBACK_RECORD *,void *,ulong)+22o
byte_42E3AC	db 7, 0BFh, 0C2h	; DATA XREF: SmFatalPageErrorDumpCallback(_KBUGCHECK_CALLBACK_REASON,_KBUGCHECK_REASON_CALLBACK_RECORD *,void *,ulong)+22o
; 

loc_42E3AF:				; CODE XREF: .text:0042E3EBj
		or	eax, 4DD5BA34h
		mov	al, ds:1E66C420h
		mov	ah, 8Ah
		test	[eax], al
; 
		db 3 dup(0)
; 

_IovMdlInvariant10Milliseconds:		; DATA XREF: MdlInvariantPostProcessing1(x,x,x)+118o
		pusha

loc_42E3C1:				; CODE XREF: .text:loc_42E3C1j
		jns	short loc_42E3C1
; 
		db 0FFh
		dd 0FFFFFFFFh
; 

_WinSqmGlobalSession:			; DATA XREF: WdipSemSqmAddToStream(x,x,x)+A0o
					; WdipSemSqmIncrementDword(x,x)+37o
		sub	[edx-12D96A46h], bh
		leave
		dec	ecx
		mov	bh, 4Fh
		xchg	eax, ebx
		mov	cl, 70h
		loope	loc_42E38F
		dec	ecx

_EtwSecondaryDumpDataGuid:		; DATA XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+Fo
		adc	[edi+1C932B88h], dh
		jl	short near ptr aRegistryMach_3+1Fh
		mov	al, 6Ch
		db	65h
		pop	esi
		int	3		; Trap to Debugger
		push	eax
		fmulp	st(4), st

_HvlpSecondaryDumpDataGuid:		; DATA XREF: HvlpHvIdentityInfoCallback(x,x,x,x)+Bo
		cmpsd
		pop	ds
		assume ds:_data
		pop	eax
		jnp	short loc_42E3AF
		cmp	dword ptr [edi], 125CA642h
		db	66h
		sti
		adc	[eax+3Dh], ah

_EtwpShortTime:				; DATA XREF: EtwpWaitForBufferReferenceCount:loc_911DBCo
		pusha

loc_42E3F9:				; CODE XREF: .text:loc_42E3F9j
		jns	short loc_42E3F9
; 
		db 0FFh
		dd 0FFFFFFFFh
dword_42E400	dd 0			; DATA XREF: EtwTiLogSetContextThread(x,x,x,x)+1F2o
					; EtwTiLogSetContextThread(x,x,x,x):loc_9F6EFEo
dword_42E404	dd 0			; DATA XREF: EtwpTiFillZeroVad(x)+Fo
dword_42E408	dd 2 dup(0)		; DATA XREF: EtwpTiFillVad(x,x)+79o
aRegistryMach_3:			; DATA XREF: .data:006B377Co
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Services\IPT>,0
aEnable64bit:				; DATA XREF: .data:006B37B4o
		unicode	0, <Enable64Bit>,0
aRegistryMac_17:
		unicode	0, <\Registry\Machine\SOFTWARE\Microsoft\.NETFramework>,0
		align 10h
_HdlpsPcAnsiToUnicode dw 0C7h		; DATA XREF: HdlspPutString(x)+A5r
		align 4
aStfrxzIsquC:
		unicode	0, <>
		dw 0F4h
		dd 0F200F6h, 0F900FBh, 0D600FFh, 0A200DCh, 0A500A3h, 19220A7h
		dd 0ED00E1h, 0FA00F3h, 0D100F1h, 0BA00AAh, 231000BFh, 0BD00ACh
		dd 0A100BCh, 0BB00ABh, 25922591h, 25022593h, 25612524h
		dd 25562562h, 25632555h, 25572551h, 255C255Dh, 2510255Bh
		dd 25342514h, 251C252Ch, 253C2500h, 255F255Eh, 2554255Ah
		dd 25662569h, 25502560h, 2567256Ch, 25642568h, 25592565h
		dd 25522558h, 256B2553h, 2518256Ah, 2588250Ch, 258C2584h
		dd 25802590h, 0DF03B1h,	3C00393h, 3C303A3h, 3C400B5h, 39803A6h
		dd 3B403A9h, 3C6221Eh, 222903B5h, 0B12261h, 22642265h
		dd 23212320h, 224800F7h, 221900B0h, 221A00B7h, 0B2207Fh
		dd 0A025A0h, 40h dup(0)
; 

; void ExpSecureBootVendorGuid
_ExpSecureBootVendorGuid:		; DATA XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+18Bo
		mov	ebp, 5977FA9Ah
		add	esi, [edx]
		dec	ebp
		mov	ebp, 0E7F42860h
; 
		db 8Fh,	78h, 4Bh
; 

; void EfiDriverVariablesGuid
_EfiDriverVariablesGuid:		; DATA XREF: ExpIsDriverEntry(x,x)+7o
					; ExpSetDriverEntry(x,x,x)+2B5o ...
		popa
; 
		db 0DFh, 0E4h, 8Bh
; 
		retf	0D293h
; 
		db 11h
		dd 0E0000DAAh, 8C2B0398h
; 

; void EfiBootVariablesGuid
_EfiBootVariablesGuid:			; DATA XREF: ExpIsBootEntry(x,x)+7o
					; ExpSetBootEntry(x,x,x)+404o ...
		popa
; 
		db 0DFh, 0E4h, 8Bh
; 
		retf	0D293h
; 
		db 11h
		dd 0E0000DAAh, 8C2B0398h
aMissing:
		unicode	0, <Missing>,0
aRescseg	db 'RESCSEG',0          ; DATA XREF: CMFSystemThreadRoutine(x)+E0o
aRescdir	db 'RESCDIR',0          ; DATA XREF: CMFSystemThreadRoutine(x)+90o
aReschit	db 'RESCHIT',0          ; DATA XREF: CMFSystemThreadRoutine(x)+117o
; 

_EVENT_WHEA_MEMORY_OFFLINE:		; DATA XREF: WheapLogPageOfflineAttemptEvent(x,x,x,x,x,x)+5Co
		pop	ds
; 
		db 2 dup(0), 8
		dd 4, 800h, 80000000h
; 

_EVENT_WHEA_ERROR:			; DATA XREF: WheapGenerateETWEvents(x)+88o
		adc	al, 0
		add	[eax], dl
		add	al, 0
; 
		dw 0
		dd 800h, 40000000h
dword_42E778	dd 1Fh			; DATA XREF: AsiPopulateHashes(x):loc_693026r
		dd 25h,	29h, 2Bh, 2Fh, 35h, 3Bh, 3Dh, 43h, 47h,	49h, 4Fh
		dd 53h,	59h, 61h, 65h, 67h, 6Bh, 6Dh, 71h, 7Fh,	83h, 89h
		dd 8Bh,	95h, 97h, 9Dh, 0A3h, 0A7h, 0ADh, 0B3h, 0B5h, 0BFh
		dd 0C1h, 0C5h, 0C7h, 0D3h, 0DFh, 0E3h, 0E5h, 0E9h, 0EFh
		dd 0F1h, 0FBh, 101h, 107h, 10Dh, 10Fh, 115h, 119h, 11Bh
		dd 125h, 133h, 137h, 139h, 13Dh, 14Bh, 151h, 15Bh, 15Dh
		dd 161h, 167h, 16Fh, 175h, 17Bh, 17Fh, 185h, 18Dh, 191h
		dd 199h, 1A3h, 1A5h, 1AFh, 1B1h, 1B7h, 1BBh, 1C1h, 1C9h
		dd 1CDh, 1CFh, 1D3h, 1DFh, 1E7h, 1EBh, 1F3h, 1F7h, 1FDh
		dd 209h, 20Bh, 21Dh, 223h, 22Dh, 233h, 239h, 23Bh, 241h
		dd 24Bh, 251h, 257h, 259h
aAppraiser_sdb:				; DATA XREF: .text:00404EF4o
		unicode	0, <appraiser.sdb>,0
aAcres_dll:				; DATA XREF: .text:00404F14o
		unicode	0, <acres.dll>,0
aMsimain_sdb:				; DATA XREF: .text:00404ED4o
		unicode	0, <msimain.sdb>,0
aFrxmain_sdb:				; DATA XREF: .text:00404EE4o
		unicode	0, <frxmain.sdb>,0
aPcamain_sdb:				; DATA XREF: .text:00404EB4o
		unicode	0, <pcamain.sdb>,0
aDrvmain_sdb:				; DATA XREF: .text:00404EC4o
		unicode	0, <drvmain.sdb>,0
aSysmain_sdb:				; DATA XREF: .text:00404EA4o
		unicode	0, <sysmain.sdb>,0
; 

_GUID_SYSMAIN_SDB:			; DATA XREF: .data:off_6B37B8o
		adc	[ecx], edx
		adc	[ecx], edx
		adc	[ecx], edx
		adc	[ecx], edx
		adc	[ecx], edx
		adc	[ecx], edx
		adc	[ecx], edx

loc_42E9BE:				; CODE XREF: .text:0042E9DCj
		adc	[ecx], edx

_GUID_MSIMAIN_SDB:			; DATA XREF: .data:006B37C8o
		push	ss
		insd
; 
		dw 0D8FFh
; 
		cmp	ch, [edx-76h]
		inc	esi
		mov	eax, [ecx+eax+71h]
		dec	ebp
		fmul	qword ptr [ecx-16h]

_GUID_DRVMAIN_SDB:			; DATA XREF: .data:006B37D8o
		sub	[edx], ah
		stosd
		stc
		adc	dh, [ebx]
		jnb	short near ptr word_42EA22
		mov	dh, 0F9h
		xchg	eax, ebx
		insd
		jo	short near ptr loc_42E9BE+1
		adc	ch, bh
; 
		dd 0
		db 2 dup(0)
word_42E9E6	dw 0			; DATA XREF: SdbGuestHostArchsToRuntimePlatformFlag(x,x)+5Do
dword_42E9E8	dd 1			; DATA XREF: SdbGuestHostArchsToRuntimePlatformFlag(x,x)+7Br
		dd 2 dup(1), 90009h, 2,	1, 2, 90000h, 4, 0
		dd 3, 50005h, 8, 1
		db 4, 0
word_42EA22	dw 0			; CODE XREF: .text:0042E9D6j
		dd 0C000Ch, 10h, 1, 5, 0C0000h,	20h, 0
		dd 6, 0C0005h, 40h, 0
		dd 7, 0C0009h, 80h, 2 dup(0)
word_42EA64	dw 0			; DATA XREF: SdbGuestTargetPlatformFlagsToRuntimePlatformFlags(x)+45r
					; SdbGuestTargetPlatformFlagsToRuntimePlatformFlags(x)+58r
		align 4
byte_42EA68	db 1			; DATA XREF: SdbGuestTargetPlatformFlagsToRuntimePlatformFlags(x):loc_A20A5Cr
		align 4
		dd 1, 6, 2 dup(2), 9, 4, 3, 5, 8, 4, 0Ch, 10h
aDatabasetype:
		unicode	0, <DatabaseType>,0
		align 4
aDatabaseruntim:
		unicode	0, <DatabaseRuntimePlatform>,0
word_42EAE8	dw 20h			; DATA XREF: AslStringXmlSanitize(x):loc_A21F0Br
word_42EAEA	dw 7Eh			; DATA XREF: AslStringXmlSanitize(x)+3Br
		dd 0D7FF00A0h, 0FDCFE000h, 0FFFDFDE0h, 90009h, 0
_AslpCrc32Table	dd 0			; DATA XREF: AslComputeCrc32(x,x,x)+1Br
		dd 77073096h, 0EE0E612Ch, 990951BAh, 76DC419h, 706AF48Fh
		dd 0E963A535h, 9E6495A3h, 0EDB8832h, 79DCB8A4h,	0E0D5E91Eh
		dd 97D2D988h, 9B64C2Bh,	7EB17CBDh, 0E7B82D07h, 90BF1D91h
		dd 1DB71064h, 6AB020F2h, 0F3B97148h, 84BE41DEh,	1ADAD47Dh
		dd 6DDDE4EBh, 0F4D4B551h, 83D385C7h, 136C9856h,	646BA8C0h
		dd 0FD62F97Ah, 8A65C9ECh, 14015C4Fh, 63066CD9h,	0FA0F3D63h
		dd 8D080DF5h, 3B6E20C8h, 4C69105Eh, 0D56041E4h,	0A2677172h
		dd 3C03E4D1h, 4B04D447h, 0D20D85FDh, 0A50AB56Bh, 35B5A8FAh
		dd 42B2986Ch, 0DBBBC9D6h, 0ACBCF940h, 32D86CE3h, 45DF5C75h
		dd 0DCD60DCFh, 0ABD13D59h, 26D930ACh, 51DE003Ah, 0C8D75180h
		dd 0BFD06116h, 21B4F4B5h, 56B3C423h, 0CFBA9599h, 0B8BDA50Fh
		dd 2802B89Eh, 5F058808h, 0C60CD9B2h, 0B10BE924h, 2F6F7C87h
		dd 58684C11h, 0C1611DABh, 0B6662D3Dh, 76DC4190h, 1DB7106h
		dd 98D220BCh, 0EFD5102Ah, 71B18589h, 6B6B51Fh, 9FBFE4A5h
		dd 0E8B8D433h, 7807C9A2h, 0F00F934h, 9609A88Eh,	0E10E9818h
		dd 7F6A0DBBh, 86D3D2Dh,	91646C97h, 0E6635C01h, 6B6B51F4h
		dd 1C6C6162h, 856530D8h, 0F262004Eh, 6C0695EDh,	1B01A57Bh
		dd 8208F4C1h, 0F50FC457h, 65B0D9C6h, 12B7E950h,	8BBEB8EAh
		dd 0FCB9887Ch, 62DD1DDFh, 15DA2D49h, 8CD37CF3h,	0FBD44C65h
		dd 4DB26158h, 3AB551CEh, 0A3BC0074h, 0D4BB30E2h, 4ADFA541h
		dd 3DD895D7h, 0A4D1C46Dh, 0D3D6F4FBh, 4369E96Ah, 346ED9FCh
		dd 0AD678846h, 0DA60B8D0h, 44042D73h, 33031DE5h, 0AA0A4C5Fh
		dd 0DD0D7CC9h, 5005713Ch, 270241AAh, 0BE0B1010h, 0C90C2086h
		dd 5768B525h, 206F85B3h, 0B966D409h, 0CE61E49Fh, 5EDEF90Eh
		dd 29D9C998h, 0B0D09822h, 0C7D7A8B4h, 59B33D17h, 2EB40D81h
		dd 0B7BD5C3Bh, 0C0BA6CADh, 0EDB88320h, 9ABFB3B6h, 3B6E20Ch
		dd 74B1D29Ah, 0EAD54739h, 9DD277AFh, 4DB2615h, 73DC1683h
		dd 0E3630B12h, 94643B84h, 0D6D6A3Eh, 7A6A5AA8h,	0E40ECF0Bh
		dd 9309FF9Dh, 0A00AE27h, 7D079EB1h, 0F00F9344h,	8708A3D2h
		dd 1E01F268h, 6906C2FEh, 0F762575Dh, 806567CBh,	196C3671h
		dd 6E6B06E7h, 0FED41B76h, 89D32BE0h, 10DA7A5Ah,	67DD4ACCh
		dd 0F9B9DF6Fh, 8EBEEFF9h, 17B7BE43h, 60B08ED5h,	0D6D6A3E8h
		dd 0A1D1937Eh, 38D8C2C4h, 4FDFF252h, 0D1BB67F1h, 0A6BC5767h
		dd 3FB506DDh, 48B2364Bh, 0D80D2BDAh, 0AF0A1B4Ch, 36034AF6h
		dd 41047A60h, 0DF60EFC3h, 0A867DF55h, 316E8EEFh, 4669BE79h
		dd 0CB61B38Ch, 0BC66831Ah, 256FD2A0h, 5268E236h, 0CC0C7795h
		dd 0BB0B4703h, 220216B9h, 5505262Fh, 0C5BA3BBEh, 0B2BD0B28h
		dd 2BB45A92h, 5CB36A04h, 0C2D7FFA7h, 0B5D0CF31h, 2CD99E8Bh
		dd 5BDEAE1Dh, 9B64C2B0h, 0EC63F226h, 756AA39Ch,	26D930Ah
		dd 9C0906A9h, 0EB0E363Fh, 72076785h, 5005713h, 95BF4A82h
		dd 0E2B87A14h, 7BB12BAEh, 0CB61B38h, 92D28E9Bh,	0E5D5BE0Dh
		dd 7CDCEFB7h, 0BDBDF21h, 86D3D2D4h, 0F1D4E242h,	68DDB3F8h
		dd 1FDA836Eh, 81BE16CDh, 0F6B9265Bh, 6FB077E1h,	18B74777h
		dd 88085AE6h, 0FF0F6A70h, 66063BCAh, 11010B5Ch,	8F659EFFh
		dd 0F862AE69h, 616BFFD3h, 166CCF45h, 0A00AE278h, 0D70DD2EEh
		dd 4E048354h, 3903B3C2h, 0A7672661h, 0D06016F7h, 4969474Dh
		dd 3E6E77DBh, 0AED16A4Ah, 0D9D65ADCh, 40DF0B66h, 37D83BF0h
		dd 0A9BCAE53h, 0DEBB9EC5h, 47B2CF7Fh, 30B5FFE9h, 0BDBDF21Ch
		dd 0CABAC28Ah, 53B39330h, 24B4A3A6h, 0BAD03605h, 0CDD70693h
		dd 54DE5729h, 23D967BFh, 0B3667A2Eh, 0C4614AB8h, 5D681B02h
		dd 2A6F2B94h, 0B40BBE37h, 0C30C8EA1h, 5A05DF1Bh, 2D02EF8Dh
; void aTmsamvof
aTmsamvof	db 'TMSAMVOF',0         ; DATA XREF: AslpFileHasActiveMarkWrapper(x,x,x)+D6o
		align 4

_AttributeTokenIntegrityLevel_buffer:
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edi+0], ah
		jb	short $+2
		imul	eax, [eax], 790074h
		dec	esp
		add	[ebp+0], ah
		jbe	short $+2
		add	gs:[eax+eax+0],	ch
; 
		db 3 dup(0)
; 

_AttributeTokenProtectionType_buffer:
		push	esp
		add	[edx+0], dh
		jnz	short $+2
		jnb	short $+2
		jz	short $+2
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+65h], dh
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	esp
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[eax], al
		add	[eax+0], dl
		jb	short $+2
		imul	eax, [eax], 690076h
		insb
		add	[ebp+0], ah
		add	[di+0],	ah
		jnb	short $+2
; 
		dd 0
; 

_AttributeTokenProtectionLevel_buffer:
		push	esp
		add	[edx+0], dh
		jnz	short $+2
		jnb	short $+2
		jz	short $+2
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+65h], dh
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		dec	esp
		add	[ebp+0], ah
		jbe	short $+2
		add	gs:[eax+eax+0],	ch
; 
		db 3 dup(0)

;  S U B	R O U T	I N E 


_VmbFsInterfaceTypeGuid	proc near	; DATA XREF: BiConvertNtDeviceToBootEnvironment+A1BFEo
		retn
_VmbFsInterfaceTypeGuid	endp

; 
aVVHriGh	db 'vvHGH',7,',`',0 ; DATA XREF: GxpMatchPaletteColor(x,x)+16o
		align 4
		dd 1173AAh, 227DB0h, 3387B6h, 4491BCh, 559BC2h,	66A5C8h
		dd 77AFCEh, 88B9D4h, 99C3DAh, 0AACDE0h,	0BBD7E6h, 0CCE1ECh
		dd 0DDEBF2h, 0EEF5F8h, 0FFFFFFh
aIfYouCallASupp:			; DATA XREF: BcpFindMessage:loc_AF2E61o
		unicode	0, <If you call	a support person, give them this info:>,0
		align 10h
aWeReJustCollec:			; DATA XREF: BcpFindMessage:loc_AF2E94o
		unicode	0, <We>
		dw 27h
		unicode	0, <re just collecting some error info,	and then we>
		dw 27h
		unicode	0, <ll restart for you.>,0
		align 10h
aYourDeviceRanI:			; DATA XREF: BcpFindMessage+E6Fo
		unicode	0, <Your device	ran into a problem and needs to	restart.>,0
		align 4
aStopCode:				; DATA XREF: BcpFindMessage:loc_AF2DE6o
		unicode	0, <Stop Code:>,0
		align 8
aForMoreInforma:			; DATA XREF: BcpFindMessage:loc_AF2DF0o
		unicode	0, <For	more information about this issue and possible fixes,>
		unicode	0, < visit >,0
		align 4
a1:					; DATA XREF: BcpFindMessage:loc_AF2DB4o
		unicode	0, <1>,0
aWhatFailed:				; DATA XREF: BcpFindMessage:loc_AF2DDCo
		unicode	0, <What failed:>,0
		align 4
aYouCanRestart_:			; DATA XREF: BcpFindMessage:loc_AF2DD2o
		unicode	0, <You	can restart.>,0
		align 10h
a1Complete:				; DATA XREF: BcpFindMessage:loc_AF2E8Ao
		unicode	0, <%1%	complete>,0
		align 10h
aWeReJustColl_1:			; DATA XREF: BcpFindMessage:loc_AF2DBEo
		unicode	0, <We>
		dw 27h
		unicode	0, <re just collecting some error info,	and then you can rest>
		unicode	0, <art.>,0
		align 4
aWeLlRestartFor:			; DATA XREF: BcpFindMessage:loc_AF2DC8o
		unicode	0, <We>
		dw 27h
		unicode	0, <ll restart for you.>,0
		align 4
		unicode	0, <  >,0
		align 10h
aItIsNowSafeToP:			; DATA XREF: BcpFindMessage:loc_AF2E43o
		unicode	0, <It is now safe to power off	the system.>,0
aPleaseReleaseT:			; DATA XREF: BcpFindMessage:loc_AF2E57o
		unicode	0, <Please release the power button.>,0
		align 8
aWeJustNeedAFew:			; DATA XREF: BcpFindMessage:loc_AF2E4Do
		unicode	0, <We just need a few more seconds to shut down.>,0
		align 8
aHttpsWww_windo:			; DATA XREF: BcpFindMessage:loc_AF2E04o
		unicode	0, <https://www.windows.com/stopcode>,0
		align 10h
aYourWindowsIns:			; DATA XREF: BcpFindMessage:loc_AF2DFAo
		unicode	0, <Your Windows Insider Build ran into	a problem and needs t>
		unicode	0, <o restart.>,0
aSoftwarekeypat:			; DATA XREF: .text:004050D0o
		unicode	0, <SoftwareKeyPath>,0
aKeypath:				; DATA XREF: .text:004050B8o
		unicode	0, <KeyPath>,0
aFilepath:				; DATA XREF: .text:004050A0o
		unicode	0, <FilePath>,0
		align 4
aSystempath:				; DATA XREF: .text:00405088o
		unicode	0, <SystemPath>,0
		align 4
aSubdir:				; DATA XREF: .text:00405054o
		unicode	0, <SubDir>,0
		align 4

_GUID_DEVINTERFACE_SURFACE_VIRTUAL_DRIVE: ; DATA XREF: VhdiMountVhdFile(x)+AAo
					; VhdiMountVhdFile(x)+263o
		push	eax
		setalc
		xor	al, 2Eh
		sbb	[eax-36h], ebx
		inc	edx
		test	[esi-45FCF72Dh], ch
		in	eax, 5		; DMA controller, 8237A-5.
					; channel 2 current word count

_VSMB_INTERFACE_GUID:			; DATA XREF: SbpWaitForVmbus()+2Eo
		sbb	ebp, esp
		adc	cl, [ebp-60h]
		pop	ss
		in	al, 4Ah
		mov	gs, [edx+6AFC7052h]
		mov	ebp, 0B7h
; 
		db 0
aMachinelanguag:			; DATA XREF: _IsMachineLanguageListInMutableLocation:loc_5F52CBo
		unicode	0, <MachineLanguageListMigrationState>,0
		align 10h
__real@41f0000000000000	dq 4.294967296e9 ; DATA	XREF: PropertyEval+1192BCr
					; PropertyEval+1192D5r	...
__real@4f800000	dd 4.2949673e9		; DATA XREF: PropertyEval+119221r
					; PropertyEval+11923Ar	...
		dd 53445352h, 3E8ADCC0h, 0CD140067h, 2D87E522h,	2EE113ADh
		dd 1, 726B746Eh, 706D6170h, 6264702Eh, 0
		dd 50475500h, 1000h, 2E08h, 6164722Eh, 62246174h, 6372h
		dd 3E08h, 458h,	6164722Eh, 30246174h, 72622430h, 63h, 4260h
		dd 360h, 6164722Eh, 30246174h, 72622431h, 63h, 45C0h, 198h
		dd 6164722Eh, 30246174h, 72622433h, 63h, 4758h,	0D0h, 6164722Eh
		dd 30246174h, 72622436h, 63h, 4828h, 460h, 6164722Eh, 30246174h
		dd 72622439h, 63h, 4C88h, 578h,	6164722Eh, 7A246174h, 7262247Ah
		dd 63h,	5200h, 5788h, 6164722Eh, 6174h,	0A988h,	5070h
		dd 6164722Eh, 30246174h, 30h, 0F9F8h, 14C8h, 6164722Eh
		dd 30246174h, 31h, 10EC0h, 198h, 6164722Eh, 30246174h
		dd 33h,	11058h,	8, 6164722Eh, 30246174h, 34h, 11060h, 770h
		dd 6164722Eh, 30246174h, 36h, 117D0h, 15A0h, 6164722Eh
		dd 30246174h, 37h, 12D70h, 69D0h, 6164722Eh, 30246174h
		dd 39h,	19740h,	150h, 6164722Eh, 73246174h, 74616478h
		dd 61h,	19890h,	10h, 6164722Eh,	7A246174h, 30575445h, 0
		dd 198A0h, 0B2B3h, 6164722Eh, 7A246174h, 31575445h, 0
		dd 24B53h, 753h, 6164722Eh, 7A246174h, 32575445h, 0
		dd 252A6h, 2, 6164722Eh, 7A246174h, 39575445h, 0
		dd 252A8h, 0A314h, 6164722Eh, 7A246174h, 7Ah, 2F5BCh, 1264h
		dd 6164722Eh, 7A246174h, 62647A7Ah, 67h, 30820h, 1410h
		dd 7865742Eh, 706C2474h, 746E3030h, 6170726Bh, 652E706Dh
		dd 32216578h, 72705F30h, 3769h,	31C30h,	110A00h, 7865742Eh
		dd 706C2474h, 746E3130h, 6170726Bh, 652E706Dh, 32216578h
		dd 72705F30h, 3769h, 142630h, 4AD0h, 7865742Eh,	706C2474h
		dd 746E3330h, 6170726Bh, 652E706Dh, 33216578h, 6C635F30h
		dd 746E6569h, 796C6E6Fh, 0
		dd 147100h, 0A850h, 7865742Eh, 706C2474h, 746E3430h, 6170726Bh
		dd 652E706Dh, 33216578h, 6C635F30h, 746E6569h, 796C6E6Fh
		dd 0
		dd 151950h, 7630h, 7865742Eh, 706C2474h, 746E3630h, 6170726Bh
		dd 652E706Dh, 33216578h, 79685F35h, 64697262h, 746F6F62h
		dd 0
		dd 158F80h, 0CEF0h, 7865742Eh, 706C2474h, 746E3730h, 6170726Bh
		dd 652E706Dh, 33216578h, 79685F35h, 64697262h, 746F6F62h
		dd 0
		dd 165E70h, 17F90h, 7865742Eh, 706C2474h, 746E3930h, 6170726Bh
		dd 652E706Dh, 35216578h, 6F635F30h, 6F62646Ch, 746Fh, 17DE00h
		dd 1A6D0h, 7865742Eh, 6E6D2474h, 0
		dd 1984D0h, 0AA10h, 7865742Eh, 6E6D2474h, 303024h, 1A2EE0h
		dd 2CAh, 7865742Eh, 6E6D2474h, 313024h,	1A31AAh, 532h
		dd 7865742Eh, 706E2474h, 0
		dd 1A36DCh, 46E6h, 7865742Eh, 732474h, 1A7DC2h,	0BB3h
		dd 7865742Eh, 737A2474h, 0
		dd 1A8975h, 5323Bh, 7865742Eh, 797A2474h, 0
		dd 1FBBB0h, 0A44F0h, 7865742Eh,	7A7A2474h, 0
		dd 2A00A0h, 0AE14h, 6164782Eh, 78246174h, 0
		dd 2AAEB4h, 690h, 536C6957h, 69676174h,	6546676Eh, 72757461h
		dd 73654465h, 70697263h, 73726F74h, 6D5F5F24h, 0
		dd 2AC000h, 2327h, 5341564Bh, 45444F43h, 303124h, 2AF000h
		dd 1BBh, 4C4F4F50h, 45444F43h, 30706C24h, 6B746E31h, 6D617072h
		dd 78652E70h, 30322165h, 6972705Fh, 37h, 2AF1BBh, 39h
		dd 4C4F4F50h, 45444F43h, 797A24h, 2AF1F4h, 1DBh, 4C4F4F50h
		dd 45444F43h, 7A7A24h, 2B0000h,	1200h, 7461642Eh, 72622461h
		dd 63h,	2B1200h, 2C0h, 7461642Eh, 30302461h, 63726224h
		dd 0
		dd 2B14C0h, 168h, 7461642Eh, 31302461h,	63726224h, 0
		dd 2B1628h, 890h, 7461642Eh, 39302461h,	63726224h, 0
		dd 2B1EB8h, 490h, 7461642Eh, 6B642461h,	62243030h, 6372h
		dd 2B2348h, 798h, 7461642Eh, 6B642461h,	62243130h, 6372h
		dd 2B2AE0h, 10h, 7461642Eh, 6B642461h, 62243330h, 6372h
		dd 2B2AF0h, 28h, 7461642Eh, 6B642461h, 62243630h, 6372h
		dd 2B2B18h, 88h, 7461642Eh, 6B642461h, 62243730h, 6372h
		dd 2B2BA0h, 530h, 7461642Eh, 6B642461h,	62243930h, 6372h
		dd 2B30D0h, 8, 7461642Eh, 72702461h, 62243030h,	6372h
		dd 2B30D8h, 8, 7461642Eh, 72702461h, 62243130h,	6372h
		dd 2B30E0h, 8, 7461642Eh, 72702461h, 62243330h,	6372h
		dd 2B30E8h, 8, 7461642Eh, 72702461h, 62243430h,	6372h
		dd 2B30F0h, 88h, 7461642Eh, 72702461h, 62243630h, 6372h
		dd 2B3178h, 10h, 7461642Eh, 72702461h, 62243730h, 6372h
		dd 2B3188h, 328h, 7461642Eh, 72702461h,	62243930h, 6372h
		dd 2B34B0h, 470h, 7461642Eh, 7A7A2461h,	63726224h, 0
		dd 2B3920h, 3E0h, 7461642Eh, 61h, 2B3D00h, 30h,	7461642Eh
		dd 30302461h, 0
		dd 2B3D30h, 150h, 7461642Eh, 31302461h,	0
		dd 2B3E80h, 0B0h, 7461642Eh, 36302461h,	0
		dd 2B3F30h, 8, 7461642Eh, 37302461h, 0
		dd 2B3F38h, 1B08h, 7461642Eh, 39302461h, 0
		dd 2B5A40h, 158h, 7461642Eh, 6B642461h,	3030h, 2B5B98h
		dd 40h,	7461642Eh, 6B642461h, 3130h, 2B5BD8h, 8, 7461642Eh
		dd 6B642461h, 3630h, 2B5BE0h, 10h, 7461642Eh, 6B642461h
		dd 3730h, 2B5BF0h, 668h, 7461642Eh, 6B642461h, 3930h, 2B6258h
		dd 60h,	7461642Eh, 72702461h, 3030h, 2B62B8h, 54h, 7461642Eh
		dd 72702461h, 3130h, 2B630Ch, 4, 7461642Eh, 72702461h
		dd 3430h, 2B6310h, 8, 7461642Eh, 72702461h, 3730h, 2B6318h
		dd 1A0h, 7461642Eh, 72702461h, 3930h, 2B64B8h, 5A8h, 7461642Eh
		dd 7A7A2461h, 0
		dd 2B6A60h, 17F38h, 7373622Eh, 0
		dd 2CE998h, 928h, 7373622Eh, 303024h, 2CF2C0h, 57B0h, 7373622Eh
		dd 313024h, 2D4A70h, 4,	7373622Eh, 333024h, 2D4A74h, 34h
		dd 7373622Eh, 343024h, 2D4AA8h,	1C8h, 7373622Eh, 363024h
		dd 2D4C70h, 50h, 7373622Eh, 373024h, 2D4CC0h, 24E38h, 7373622Eh
		dd 393024h, 2F9AF8h, 248h, 7373622Eh, 6C695724h, 67617453h
		dd 41676E69h, 736F6D6Ch, 5A4F5274h, 0
		dd 2F9D40h, 2C0h, 7373622Eh, 306B6424h,	30h, 2FA000h, 1BF4h
		dd 7373622Eh, 306B6424h, 31h, 2FBBF4h, 0Ch, 7373622Eh
		dd 306B6424h, 34h, 2FBC00h, 900h, 7373622Eh, 306B6424h
		dd 36h,	2FC500h, 1C0h, 7373622Eh, 306B6424h, 37h, 2FC6C0h
		dd 1218h, 7373622Eh, 306B6424h,	39h, 2FD8D8h, 288h
		db 2Eh
; 

loc_42FE6D:				; CODE XREF: .text:0042C871j
		bound	esi, [ebx+73h]
		and	al, 70h
		jb	short loc_42FEA4
		xor	[eax], al
; 
		dw 0
		dd 2FDB60h, 2B0h, 7373622Eh, 30727024h,	31h, 2FDE10h, 8
		dd 7373622Eh, 30727024h, 34h, 2FDE18h
; 

loc_42FEA4:				; CODE XREF: .text:0042FE72j
		and	[eax], al
; 
		dw 0
		dd 7373622Eh, 30727024h, 36h, 2FDE38h, 10h, 7373622Eh
		dd 30727024h, 37h, 2FDE48h, 88h, 7373622Eh, 30727024h
		dd 39h,	2FDED0h, 3518h,	7373622Eh, 7A7A24h, 302000h, 420h
		dd 6164692Eh, 35246174h, 0
		dd 302420h, 4, 6330302Eh, 6766h, 302424h, 154h,	6164692Eh
		dd 32246174h, 0
		dd 302578h, 14h, 6164692Eh, 33246174h, 0
		dd 30258Ch, 420h, 6164692Eh, 34246174h,	0
		dd 3029ACh, 1976h, 6164692Eh, 36246174h, 0
		dd 305000h, 0FC0h, 4F4D4C41h, 4F525453h, 0
		dd 305FC0h, 9058h, 4F4D4C41h, 4F525453h, 5Ah, 310000h
		dd 1, 52474643h, 44244Fh, 311000h, 40h,	48434143h, 494C4145h
		dd 4E47h, 311040h, 7704h, 48434143h, 494C4145h,	5A4E47h
		dd 319000h, 1, 544F5250h, 41544144h, 0
		dd 31A000h, 4E0h, 45474150h, 4B4Ch, 31A4E0h, 0A86h, 45474150h
		dd 6C244B4Ch, 6E313070h, 70726B74h, 2E706D61h
dword_430000	dd 21657865h		; DATA XREF: .text:00421650o
					; .text:off_5A7A84o
a20_pri7	db '20_pri7',0          ; DATA XREF: .text:0042560Co
aFp1		db 'f1',0
dword_430010	dd 21Ah, 45474150h, 6C244B4Ch, 6E343070h, 70726B74h, 2E706D61h
		dd 21657865h, 635F3033h, 6E65696Ch, 6C6E6F74h, 79h, 31B180h
		dd 846Eh, 45474150h, 6C244B4Ch,	6E363070h, 70726B74h, 2E706D61h
		dd 21657865h, 685F3533h, 69726279h, 6F6F6264h, 74h, 3235EEh
		dd 0D50h, 45474150h, 6C244B4Ch,	6E373070h, 70726B74h, 2E706D61h
		dd 21657865h, 685F3533h, 69726279h, 6F6F6264h, 74h, 32433Eh
		dd 3ADCh, 45474150h, 6C244B4Ch,	6E393070h, 70726B74h, 2E706D61h
		dd 21657865h, 635F3035h, 62646C6Fh, 746F6Fh, 327E1Ah, 94h
		dd 45474150h, 6E244B4Ch, 70h, 327EAEh, 4AEh, 45474150h
		dd 73244B4Ch, 0
		dd 32835Ch, 30A3h, 45474150h, 7A244B4Ch, 79h, 32B3FFh
		dd 5A05h, 45474150h, 7A244B4Ch,	7Ah, 330E04h, 254h, 45474150h
		dd 4F434B4Ch, 54534Eh, 332000h,	8870h, 45474150h, 0
		dd 33A870h, 52B0h, 45474150h, 30706C24h, 6B746E30h, 6D617072h
		dd 78652E70h, 30322165h, 6972705Fh, 37h, 33FB20h, 1064E6h
		dd 45474150h, 30706C24h, 6B746E31h, 6D617072h, 78652E70h
		dd 30322165h, 6972705Fh, 37h, 446006h, 35AEh, 45474150h
		dd 30706C24h, 6B746E33h, 6D617072h, 78652E70h, 30332165h
		dd 696C635Fh, 6F746E65h, 796C6Eh, 4495B4h, 112C0h, 45474150h
		dd 30706C24h, 6B746E34h, 6D617072h, 78652E70h, 30332165h
		dd 696C635Fh, 6F746E65h, 796C6Eh, 45A874h, 5CC6h, 45474150h
		dd 30706C24h, 6B746E36h, 6D617072h, 78652E70h, 35332165h
		dd 6279685Fh, 62646972h, 746F6Fh, 46053Ah, 11E56h, 45474150h
		dd 30706C24h, 6B746E37h, 6D617072h, 78652E70h, 35332165h
		dd 6279685Fh, 62646972h, 746F6Fh, 472390h, 4432Eh, 45474150h
		dd 30706C24h, 6B746E39h, 6D617072h, 78652E70h, 30352165h
		dd 6C6F635Fh, 6F6F6264h, 74h, 4B66BEh, 2E0h, 45474150h
		dd 706E24h, 4B699Eh, 13753h, 45474150h,	7324h, 4CA0F1h
		dd 190h, 45474150h, 737A24h, 4CA281h, 6F30Dh, 45474150h
		dd 797A24h, 53958Eh, 105EDAh, 45474150h, 7A7A24h, 63F468h
		dd 7C6Ch, 45474150h, 534E4F43h,	54h, 6470D4h, 1FEAh, 4741505Fh
		dd 45h,	64A000h, 1Eh, 45474150h, 6C24444Bh, 6E313070h
		dd 70726B74h, 2E706D61h, 21657865h, 705F3032h, 376972h
		dd 64A01Eh, 3EEh, 45474150h, 6C24444Bh,	6E393070h, 70726B74h
		dd 2E706D61h, 21657865h, 635F3035h, 62646C6Fh, 746F6Fh
		dd 64A40Ch, 1B4h, 45474150h, 7324444Bh,	0
		dd offset loc_64A5BE+2
		dd 540h, 45474150h, 7A24444Bh, 79h, 64AB00h, 46E5h, 45474150h
		dd 7A24444Bh, 7Ah, 650000h, 6610h, 45474150h, 43465256h
		dd 0
		dd offset loc_656610
		dd 0C8h, 45474150h, 59465256h, 30706C24h, 6B746E31h, 6D617072h
		dd 78652E70h, 30322165h, 6972705Fh, 37h, 6566D8h, 342h
		dd 45474150h, 59465256h, 30706C24h, 6B746E34h, 6D617072h
		dd 78652E70h, 30332165h, 696C635Fh, 6F746E65h, 796C6Eh
		dd 656A1Ah, 2Ah, 45474150h, 59465256h, 30706C24h, 6B746E37h
		dd 6D617072h, 78652E70h, 35332165h, 6279685Fh, 62646972h
		dd 746F6Fh, 656A44h, 12Eh, 45474150h, 59465256h, 30706C24h
		dd 6B746E39h, 6D617072h, 78652E70h, 30352165h, 6C6F635Fh
		dd 6F6F6264h, 74h, 656B72h, 1D0h, 45474150h, 59465256h
		dd 706E24h, 656D42h, 1894h, 45474150h, 59465256h, 7324h
		dd 6585D6h, 1B5h, 45474150h, 59465256h,	797A24h, 65878Bh
		dd 197ABh, 45474150h, 59465256h, 7A7A24h, 672000h, 916h
		dd 45474150h, 534C4448h, 7324h,	672916h, 1597h,	45474150h
		dd 534C4448h, 7A7A24h, 674000h,	24h, 45474150h,	58464742h
		dd 30706C24h, 6B746E31h, 6D617072h, 78652E70h, 30322165h
		dd 6972705Fh, 37h, 674024h, 48Eh, 45474150h, 58464742h
		dd 30706C24h, 6B746E36h, 6D617072h, 78652E70h, 35332165h
		dd 6279685Fh, 62646972h, 746F6Fh, 6744B2h, 295Eh, 45474150h
		dd 58464742h, 30706C24h, 6B746E37h, 6D617072h, 78652E70h
		dd 35332165h, 6279685Fh, 62646972h, 746F6Fh, 676E10h, 674h
		dd 45474150h, 58464742h, 30706C24h, 6B746E39h, 6D617072h
		dd 78652E70h, 30352165h, 6C6F635Fh, 6F6F6264h, 74h, 677484h
		dd 6CEh, 45474150h, 58464742h, 7324h, 677B52h, 0F64h, 45474150h
		dd 58464742h, 797A24h, 678AB6h,	106Bh, 45474150h, 58464742h
		dd 7A7A24h, 67A000h, 18726h, 6164652Eh,	6174h, 693000h
		dd 10B0h, 45474150h, 41544144h,	0
		dd offset loc_6940B0
		dd 6B88h, 45474150h, 41544144h,	5Ah, 69B000h, 20h, 45474150h
		dd 44444Bh, 69B020h, 0C298h, 45474150h,	5A44444Bh, 0
		dd offset dword_6A8000
		dd 4480h, 45474150h, 44465256h,	0
		dd 6AC480h, 61E0h, 45474150h, 44465256h, 5Ah, 6B3000h
		dd 836h, 54494E49h, 0
		dd 6B3836h, 10Ah, 54494E49h, 30706C24h,	6B746E31h, 6D617072h
		dd 78652E70h, 30322165h, 6972705Fh, 37h, 6B3940h, 28D1Ch
		dd 54494E49h, 30706C24h, 6B746E39h, 6D617072h, 78652E70h
		dd 30352165h, 6C6F635Fh, 6F6F6264h, 74h, 6DC65Ch, 0CAh
		dd 54494E49h, 706E24h, 6DC726h,	45D6h, 54494E49h, 7324h
		dd 6E0CFCh, 0AC91h, 54494E49h, 797A24h,	6EB98Dh, 621Fh
		dd 54494E49h, 7A7A24h, 6F1BACh,	0FEAh, 54494E49h, 58464742h
		dd 30706C24h, 6B746E39h, 6D617072h, 78652E70h, 30352165h
		dd 6C6F635Fh, 6F6F6264h, 74h, 6F2B96h, 194h, 54494E49h
		dd 58464742h, 7324h, 6F2D2Ah, 29Ch, 54494E49h, 58464742h
		dd 797A24h, 6F2FC6h, 17Ah, 54494E49h, 58464742h, 7A7A24h
		dd 6F3140h, 9B7Ch, 54494E49h, 534E4F43h, 54h, 6FD000h
		dd 40h,	54494E49h, 41544144h, 0
		dd 6FD040h, 194E8h, 54494E49h, 41544144h, 5Ah, 717000h
		dd 210h, 7273722Eh, 31302463h, 0
		dd 717210h, 32F98h, 7273722Eh, 32302463h, 17h dup(0)
		dd 20h,	3E8ADCC0h, 0CD140067h, 2D87E522h, 2EE113ADh, 4CEBFABh
		dd 76C9C3CFh, 7B42CAC6h, 17A4645Fh, 0
		db 2 dup(0)
; Exported entry 1790. PsGetJobSilo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetJobSilo(x, x)
		public _PsGetJobSilo@8
_PsGetJobSilo@8	proc near		; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+4Cp
					; VrpHandleIoctlCreateNamespaceNode+105p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_430848
		call	_PspGetJobSilo@4 ; PspGetJobSilo(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_43084F
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		xor	eax, eax

loc_430844:				; CODE XREF: PsGetJobSilo(x,x)+27j
					; PsGetJobSilo(x,x)+2Ej
		pop	ebp
		retn	8
; 

loc_430848:				; CODE XREF: PsGetJobSilo(x,x)+Aj
		mov	eax, 0C000000Dh
		jmp	short loc_430844
; 

loc_43084F:				; CODE XREF: PsGetJobSilo(x,x)+15j
		mov	eax, 0C0000509h
		jmp	short loc_430844
_PsGetJobSilo@8	endp


;  S U B	R O U T	I N E 


; __stdcall PspGetJobSilo(x)
_PspGetJobSilo@4 proc near		; CODE XREF: PsGetJobSilo(x,x)+Cp
					; PsIsProcessInSilo(x,x)+1Dp ...
		mov	edi, edi

loc_430858:				; CODE XREF: PspGetJobSilo(x)+1Bj
		test	ecx, ecx
		jz	short loc_430868
		test	dword ptr [ecx+310h], 40000000h
		jz	short loc_43086B

loc_430868:				; CODE XREF: PspGetJobSilo(x)+4j
		mov	eax, ecx
		retn
; 

loc_43086B:				; CODE XREF: PspGetJobSilo(x)+10j
		mov	ecx, [ecx+244h]
		jmp	short loc_430858
_PspGetJobSilo@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpUpdateTimerResolution proc near	; CODE XREF: ExSetTimerResolution(x,x)+BFp
					; NtSetTimerResolution(x,x,x)+CAp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A8975 SIZE 00000085 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], edx
		push	ebx
		mov	bl, cl
		push	esi
		push	edi
		mov	edi, offset _ExpKernelResolutionLock
		test	eax, eax
		jnz	loc_5A8975
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [ebp+var_4]

loc_4308A4:				; CODE XREF: ExpUpdateTimerResolution+178103j
		test	bl, bl
		jz	short loc_430921
		cmp	edx, _ExpLastRequestedTime
		jnb	loc_5A89CE
		cmp	ds:_KeMaximumIncrement,	edx
		jbe	loc_5A89CE

loc_4308C0:				; CODE XREF: ExpUpdateTimerResolution+E5j
		mov	eax, ds:_KeMinimumIncrement
		cmp	edx, eax
		jb	loc_5A89B5

loc_4308CD:				; CODE XREF: ExpUpdateTimerResolution+178146j
		cmp	edx, _ExpLastRequestedTime
		jz	loc_5A89CE
		test	ds:byte_70EFC6,	1
		mov	esi, ds:_KeTimeIncrement
		mov	_ExpLastRequestedTime, edx
		jnz	loc_5A89BF
		xor	eax, eax
		lock and [edi],	eax

loc_4308F7:				; CODE XREF: ExpUpdateTimerResolution+178155j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		call	_ExpUpdateTimerConfiguration@12	; ExpUpdateTimerConfiguration(x,x,x)
		mov	eax, [ebp+var_4]
		cmp	esi, eax
		jz	short loc_43091A
		call	PoTraceSystemTimerResolutionUpdate
		mov	eax, [ebp+var_4]

loc_43091A:				; CODE XREF: ExpUpdateTimerResolution+9Cj
					; ExpUpdateTimerResolution+178181j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_430921:				; CODE XREF: ExpUpdateTimerResolution+32j
		cmp	_ExpKernelResolutionCount, 0
		mov	edx, ds:_KeMaximumIncrement
		mov	[ebp+var_4], edx
		jnz	loc_5A897C

loc_430937:				; CODE XREF: ExpUpdateTimerResolution+17810Fj
					; ExpUpdateTimerResolution+17811Aj
		mov	eax, _ExpTimerResolutionListHead
		mov	esi, offset _ExpTimerResolutionListHead
		jmp	short loc_430955
; 

loc_430943:				; CODE XREF: ExpUpdateTimerResolution+E3j
		test	dword ptr [eax-278h], 1000h
		jnz	loc_5A8993

loc_430953:				; CODE XREF: ExpUpdateTimerResolution+178124j
					; ExpUpdateTimerResolution+178131j ...
		mov	eax, [eax]

loc_430955:				; CODE XREF: ExpUpdateTimerResolution+CDj
		cmp	eax, esi
		jnz	short loc_430943
		jmp	loc_4308C0
ExpUpdateTimerResolution endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoTraceSystemTimerResolutionUpdate proc	near ; CODE XREF: ExpUpdateTimerResolution+9Ep

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A89FA SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	eax, ds:_KeTimeIncrement
		mov	[ebp+var_18], eax
		jz	short loc_4309A8
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_TIME_RESOLUTION_UPDATE
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5A89FA

loc_4309A5:				; CODE XREF: PoTraceSystemTimerResolutionUpdate+1780C0j
		pop	edi
		pop	esi
		pop	ebx

loc_4309A8:				; CODE XREF: PoTraceSystemTimerResolutionUpdate+21j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PoTraceSystemTimerResolutionUpdate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpUpdateTimerConfiguration(x, x, x)
_ExpUpdateTimerConfiguration@12	proc near ; CODE XREF: ExpUpdateTimerResolution+92p
					; PAGE:007B3518p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, _KiClockTimerOwner
		and	[ebp+var_18], 0
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_20], edx
		xor	ecx, ecx
		mov	[ebp+var_24], edi
		inc	ebx
		mov	[ebp+var_1C], esi
		bts	ecx, eax
		mov	word ptr [ebp+var_14], bx
		push	ebx
		lea	eax, [ebp+var_24]
		mov	[ebp+var_C], ecx
		push	eax
		mov	edx, offset ExpUpdateTimerConfigurationWorker
		mov	word ptr [ebp+var_14+2], bx
		lea	ecx, [ebp+var_14]
		call	_KeGenericProcessorCallback@16 ; KeGenericProcessorCallback(x,x,x,x)
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_18]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_ExpUpdateTimerConfiguration@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpInsertTimerResolutionEntry proc near	; CODE XREF: NtSetTimerResolution(x,x,x)+F4p

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A8A23 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _ExpKernelResolutionLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, _ExpTimerResolutionListHead
		mov	eax, offset _ExpTimerResolutionListHead
		add	esi, 374h
		cmp	[ecx+4], eax
		jnz	short loc_430A7E
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[ecx+4], esi
		test	ds:byte_70EFC6,	1
		mov	_ExpTimerResolutionListHead, esi
		jnz	loc_5A8A23
		xor	eax, eax
		lock and [edi],	eax

loc_430A72:				; CODE XREF: ExpInsertTimerResolutionEntry+17800Fj
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_430A7E:				; CODE XREF: ExpInsertTimerResolutionEntry+32j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

ExpUpdateTimerConfigurationWorker:	; DATA XREF: ExpUpdateTimerConfiguration(x,x,x)+44o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _ExpKernelResolutionLock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edi, [ebp+arg_4]
		and	dword ptr [edi+0Ch], 0
		cmp	dword ptr [edi], 0
		jz	short loc_430AD6
		mov	ecx, _ExpLastRequestedTime
		mov	dl, 1
		push	offset _ExpClockIntervalRequest
		call	KiSetClockInterval
		mov	esi, eax
		call	_KiSendClockInterruptToClockOwner@0 ; KiSendClockInterruptToClockOwner()
		mov	ecx, [edi]
		mov	[ecx], esi
		mov	esi, offset _ExpKernelResolutionLock

loc_430AD6:				; CODE XREF: ExpInsertTimerResolutionEntry+94j
		test	ds:byte_70EFC6,	1
		jnz	loc_5A8A32
		xor	eax, eax
		lock and [esi],	eax

loc_430AE8:				; CODE XREF: ExpInsertTimerResolutionEntry+17801Ej
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	cl, 1Fh
		call	esi
		mov	eax, [edi+4]
		test	eax, eax
		jnz	loc_5A8A41

loc_430AFD:				; CODE XREF: ExpInsertTimerResolutionEntry+178030j
		mov	eax, [edi+8]
		test	eax, eax
		jnz	short loc_430B0F

loc_430B04:				; CODE XREF: ExpInsertTimerResolutionEntry+F8j
		mov	cl, bl
		call	esi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_430B0F:				; CODE XREF: ExpInsertTimerResolutionEntry+E4j
		mov	al, [eax]
		mov	ds:_KeTimeSynchronization, al
		jmp	short loc_430B04
ExpInsertTimerResolutionEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSetClockInterval proc	near		; CODE XREF: ExpInsertTimerResolutionEntry+A3p
					; KiSetVirtualHeteroClockIntervalRequest(x)+42p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A8A53 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, offset _KiClockIntervalRequests
		push	edi
		mov	[ebp+var_1], dl
		mov	edi, ecx
		cmp	byte ptr [esi+0Ch], 0
		jz	short loc_430B3B
		push	esi
		push	ebx
		call	RtlRbRemoveNode

loc_430B3B:				; CODE XREF: KiSetClockInterval+1Aj
		mov	[esi+10h], edi
		mov	ecx, dword_6FB70C
		mov	eax, _KiClockIntervalRequests
		test	cl, 1
		jz	short loc_430B54
		test	eax, eax
		jz	short loc_430B54
		xor	eax, ebx

loc_430B54:				; CODE XREF: KiSetClockInterval+34j
					; KiSetClockInterval+38j
		movzx	edx, cl
		and	edx, 1
		mov	byte ptr [ebp+arg_0], 0
		test	eax, eax
		jz	short loc_430B96

loc_430B62:				; CODE XREF: KiSetClockInterval+62j
		cmp	edi, [eax+10h]
		jb	short loc_430B7C
		mov	ecx, [eax+4]
		test	edx, edx
		jz	short loc_430B74
		test	ecx, ecx
		jz	short loc_430B92
		xor	ecx, eax

loc_430B74:				; CODE XREF: KiSetClockInterval+54j
		test	ecx, ecx
		jz	short loc_430B92

loc_430B78:				; CODE XREF: KiSetClockInterval+72j
		mov	eax, ecx
		jmp	short loc_430B62
; 

loc_430B7C:				; CODE XREF: KiSetClockInterval+4Dj
		mov	ecx, [eax]
		test	edx, edx
		jz	short loc_430B88
		test	ecx, ecx
		jz	short loc_430B8C
		xor	ecx, eax

loc_430B88:				; CODE XREF: KiSetClockInterval+68j
		test	ecx, ecx
		jnz	short loc_430B78

loc_430B8C:				; CODE XREF: KiSetClockInterval+6Cj
		mov	byte ptr [ebp+arg_0], 0
		jmp	short loc_430B96
; 

loc_430B92:				; CODE XREF: KiSetClockInterval+58j
					; KiSetClockInterval+5Ej
		mov	byte ptr [ebp+arg_0], 1

loc_430B96:				; CODE XREF: KiSetClockInterval+48j
					; KiSetClockInterval+78j
		push	esi
		push	[ebp+arg_0]
		push	eax
		push	ebx
		call	RtlRbInsertNodeEx
		mov	byte ptr [esi+0Ch], 1
		call	_KiSetClockIntervalToMinimumRequested@0	; KiSetClockIntervalToMinimumRequested()
		cmp	[ebp+var_1], 0
		mov	ebx, eax
		jz	short loc_430BB8
		mov	ds:_KePseudoHrTimeIncrement, edi

loc_430BB8:				; CODE XREF: KiSetClockInterval+98j
		mov	edx, [esi+14h]
		test	edx, edx
		jnz	loc_5A8A53

loc_430BC3:				; CODE XREF: KiSetClockInterval+177F44j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
KiSetClockInterval endp


;  S U B	R O U T	I N E 


; __stdcall PspIoRateControlInfoIsAnySet(x)
_PspIoRateControlInfoIsAnySet@4	proc near ; CODE XREF: PspSetJobIoRateControl+A8p
					; PspSetJobIoRateControlForVolume(x,x,x,x,x)+8Cp
		mov	eax, [ecx]
		or	eax, [ecx+4]
		jnz	short loc_430C2E
		mov	eax, [ecx+8]
		or	eax, [ecx+0Ch]
		jnz	short loc_430C2E
		mov	eax, [ecx+40h]
		or	eax, [ecx+44h]
		jnz	short loc_430C2E
		mov	eax, [ecx+58h]
		or	eax, [ecx+5Ch]
		jnz	short loc_430C2E
		mov	eax, [ecx+60h]
		or	eax, [ecx+64h]
		jnz	short loc_430C2E
		mov	eax, [ecx+68h]
		or	eax, [ecx+6Ch]
		jnz	short loc_430C2E
		mov	eax, [ecx+10h]
		or	eax, [ecx+14h]
		jnz	short loc_430C2E
		mov	eax, [ecx+30h]
		or	eax, [ecx+34h]
		jnz	short loc_430C2E
		mov	eax, [ecx+48h]
		or	eax, [ecx+4Ch]
		jnz	short loc_430C2E
		mov	eax, [ecx+28h]
		or	eax, [ecx+2Ch]
		jnz	short loc_430C2E
		mov	eax, [ecx+38h]
		or	eax, [ecx+3Ch]
		jnz	short loc_430C2E
		mov	eax, [ecx+50h]
		or	eax, [ecx+54h]
		jnz	short loc_430C2E
		xor	al, al
		retn
; 

loc_430C2E:				; CODE XREF: PspIoRateControlInfoIsAnySet(x)+5j
					; PspIoRateControlInfoIsAnySet(x)+Dj ...
		mov	al, 1
		retn
_PspIoRateControlInfoIsAnySet@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoStartIoRateControl(x, x, x, x, x)
_IoStartIoRateControl@20 proc near	; CODE XREF: PspIoRateEntryActivate+70p

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	eax, [ecx]
		mov	[ebp+var_84], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_80], eax
		mov	eax, [ecx+10h]
		mov	[ebp+var_6C], eax
		mov	eax, [ecx+14h]
		mov	[ebp+var_68], eax
		mov	eax, [ecx+28h]
		mov	[ebp+var_54], eax
		mov	eax, [ecx+2Ch]
		mov	[ebp+var_50], eax
		mov	eax, [ecx+58h]
		mov	[ebp+var_3C], eax
		mov	eax, [ecx+5Ch]
		mov	[ebp+var_38], eax
		mov	eax, [ecx+70h]
		mov	[ebp+var_24], eax
		mov	eax, [ecx+74h]
		mov	[ebp+var_20], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_7C], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_78], eax
		mov	eax, [ecx+30h]
		mov	[ebp+var_64], eax
		mov	eax, [ecx+34h]
		mov	[ebp+var_60], eax
		mov	eax, [ecx+38h]
		mov	[ebp+var_4C], eax
		mov	eax, [ecx+3Ch]
		mov	[ebp+var_48], eax
		mov	eax, [ecx+60h]
		mov	[ebp+var_34], eax
		mov	eax, [ecx+64h]
		mov	[ebp+var_30], eax
		mov	eax, [ecx+78h]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+7Ch]
		mov	[ebp+var_18], eax
		mov	eax, [ecx+40h]
		mov	[ebp+var_74], eax
		mov	eax, [ecx+44h]
		mov	[ebp+var_70], eax
		mov	eax, [ecx+48h]
		mov	[ebp+var_5C], eax
		mov	eax, [ecx+4Ch]
		mov	[ebp+var_58], eax
		mov	eax, [ecx+50h]
		mov	[ebp+var_44], eax
		mov	eax, [ecx+54h]
		mov	[ebp+var_40], eax
		mov	eax, [ecx+68h]
		mov	[ebp+var_2C], eax
		mov	eax, [ecx+6Ch]
		mov	[ebp+var_28], eax
		mov	eax, [ecx+80h]
		mov	[ebp+var_14], eax
		mov	eax, [ecx+84h]
		mov	ecx, [ecx+20h]
		mov	[ebp+var_10], eax
		mov	eax, ecx
		mov	ebx, [ebp+arg_8]
		shr	eax, 1
		mov	esi, [ebp+arg_0]
		and	eax, 1
		mov	edi, [ebp+arg_4]
		test	cl, 4
		jnz	short loc_430D44

loc_430D1E:				; CODE XREF: IoStartIoRateControl(x,x,x,x,x)+115j
		test	cl, 8
		jnz	short loc_430D49

loc_430D23:				; CODE XREF: IoStartIoRateControl(x,x,x,x,x)+11Aj
		push	ebx
		push	edi
		push	esi
		push	edx
		push	eax
		lea	ecx, [ebp+var_84]
		call	IopIoRateStartRateControl
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_430D44:				; CODE XREF: IoStartIoRateControl(x,x,x,x,x)+EAj
		or	eax, 2
		jmp	short loc_430D1E
; 

loc_430D49:				; CODE XREF: IoStartIoRateControl(x,x,x,x,x)+EFj
		or	eax, 4
		jmp	short loc_430D23
_IoStartIoRateControl@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopIoRateStartRateControl proc near	; CODE XREF: IoStartIoRateControl(x,x,x,x,x)+FCp

var_84		= dword	ptr -84h
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005A8A61 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	[ebp+var_40], ecx
		lea	edi, [ebp+var_84]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_10]
		push	8
		pop	ecx
		mov	[ebp+var_38], eax
		xor	eax, eax
		and	[ebp+var_30], eax
		rep stosd
		push	8
		pop	ecx
		lea	edi, [ebp+var_64]
		mov	[ebp+var_34], esi
		rep stosd
		mov	ecx, _IopIoRateExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		mov	[ebp+var_44], eax
		test	eax, eax
		jz	loc_5A8A61
		lea	eax, [ebp+var_64]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_84]
		call	IoDiskIoAttributionQuery
		mov	eax, [ebp+var_6C]
		lea	esi, [ebp+var_84]
		push	8
		pop	ecx
		push	[ebp+var_38]
		lea	edi, [ebp+var_2C]
		rep movsd
		mov	ecx, [ebp+var_4C]
		add	eax, ecx
		add	[ebp+var_1C], ecx
		lea	ecx, [ebp+var_30]
		mov	[ebp+var_14], eax
		adc	[ebp+var_18], 0
		mov	eax, [ebp+var_64]
		add	[ebp+var_2C], eax
		mov	eax, [ebp+var_60]
		adc	[ebp+var_28], eax
		mov	eax, [ebp+var_5C]
		add	[ebp+var_24], eax
		mov	eax, [ebp+var_58]
		adc	[ebp+var_20], eax
		mov	eax, [ebp+var_34]
		push	ecx
		mov	eax, [eax+0Ch]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+var_3C]
		mov	eax, [ebp+var_44]
		push	[ebp+arg_0]
		push	0Fh
		push	[ebp+var_40]
		call	dword ptr [eax]
		mov	esi, eax
		test	esi, esi
		js	short loc_430E28
		mov	eax, [ebp+var_30]
		and	[ebp+var_30], 0
		xor	esi, esi
		mov	[ebx], eax

loc_430E28:				; CODE XREF: IopIoRateStartRateControl+CDj
		mov	ecx, _IopIoRateExtensionHost
		lea	ecx, [ecx+24h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_430E36:				; CODE XREF: IopIoRateStartRateControl+177D18j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
IopIoRateStartRateControl endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IoStopIoRateControl(x)
_IoStopIoRateControl@4 proc near	; CODE XREF: PspIoRateEntryActivate+CEp
					; PspIoRateEntryDeactivate+10p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, _IopIoRateExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_430E71
		push	esi
		call	dword ptr [eax+4]
		mov	ecx, _IopIoRateExtensionHost
		pop	esi
		lea	ecx, [ecx+24h]
		jmp	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
; 

loc_430E71:				; CODE XREF: IoStopIoRateControl(x)+12j
		pop	esi
		retn
_IoStopIoRateControl@4 endp

; 
		align 8
; Exported entry 1821. PsGetSiloContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetSiloContext(x,	x, x)
		public _PsGetSiloContext@12
_PsGetSiloContext@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, ds:dword_717F7C
		test	eax, eax
		jz	short loc_430E90
		mov	ecx, [eax+308h]

loc_430E90:				; CODE XREF: PsGetSiloContext(x,x,x)+10j
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+arg_4]
		push	eax
		and	dword ptr [eax], 0
		call	_PspStorageGetObject@12	; PspStorageGetObject(x,x,x)
		pop	ebp
		retn	0Ch
_PsGetSiloContext@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspStorageGetObject(x, x, x)
_PspStorageGetObject@12	proc near	; CODE XREF: PsGetSiloContext(x,x,x)+22p
					; PAGE:009C7A26p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	PspGetStorageArrayIfPossible
		test	eax, eax
		js	short locret_430F0E
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		mov	eax, [ebp+var_8]
		push	esi
		push	edi
		lea	edi, [eax+ecx*8]
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	esi, [edi+4]
		and	esi, 0FFFFFFFEh
		jz	short loc_430EEC
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag

loc_430EEC:				; CODE XREF: PspStorageGetObject(x,x,x)+3Aj
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_430F12

loc_430EFA:				; CODE XREF: PspStorageGetObject(x,x,x)+75j
		mov	ecx, edi
		call	KeAbPostRelease
		test	esi, esi
		jz	short loc_430F1B
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	eax, eax

loc_430F0C:				; CODE XREF: PspStorageGetObject(x,x,x)+7Cj
		pop	edi
		pop	esi

locret_430F0E:				; CODE XREF: PspStorageGetObject(x,x,x)+1Ej
		leave
		retn	4
; 

loc_430F12:				; CODE XREF: PspStorageGetObject(x,x,x)+54j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_430EFA
; 

loc_430F1B:				; CODE XREF: PspStorageGetObject(x,x,x)+5Fj
		mov	eax, 0C0000225h
		jmp	short loc_430F0C
_PspStorageGetObject@12	endp

; 
		align 8
; Exported entry 1884. PsReleaseSiloHardReference

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReleaseSiloHardReference(x)
		public _PsReleaseSiloHardReference@4
_PsReleaseSiloHardReference@4 proc near	; CODE XREF: IopDeleteFileObjectExtension+FFp
					; IopCloseFileObjectExtension(x)+1Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jz	short loc_430F48
		mov	ecx, [ebp+arg_0]
		call	_PspHardDereferenceSiloWorker@4	; PspHardDereferenceSiloWorker(x)
		mov	ecx, [ebp+arg_0]
		mov	edx, 486C6953h
		call	ObfDereferenceObjectWithTag

loc_430F48:				; CODE XREF: PsReleaseSiloHardReference(x)+9j
		pop	ebp
		retn	4
_PsReleaseSiloHardReference@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspHardDereferenceSiloWorker(x)
_PspHardDereferenceSiloWorker@4	proc near ; CODE XREF: PsReleaseSiloHardReference(x)+Ep
					; PspEvaluateAndNotifyEmptyJob(x,x,x)+A1p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_430F9C

loc_430F55:				; CODE XREF: PspHardDereferenceSiloWorker(x)+52j
		test	dword ptr [esi+310h], 40000000h
		jz	short loc_430FA0

loc_430F61:				; CODE XREF: PspHardDereferenceSiloWorker(x)+56j
		or	eax, 0FFFFFFFFh
		lock xadd [esi+38Ch], eax
		dec	eax
		test	eax, eax
		jle	short loc_430F73
		pop	esi
		retn
; 

loc_430F73:				; CODE XREF: PspHardDereferenceSiloWorker(x)+23j
		jnz	short loc_430FA4
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		lea	eax, [esi+390h]
		and	dword ptr [eax], 0
		push	1
		push	eax
		mov	dword ptr [eax+8], offset _PspCompleteHardDereferenceSiloDeferred@4 ; PspCompleteHardDereferenceSiloDeferred(x)
		mov	[eax+0Ch], esi
		call	ExQueueWorkItem
		pop	esi
		retn
; 

loc_430F9C:				; CODE XREF: PspHardDereferenceSiloWorker(x)+7j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	short loc_430F55
; 

loc_430FA0:				; CODE XREF: PspHardDereferenceSiloWorker(x)+13j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	short loc_430F61
; 

loc_430FA4:				; CODE XREF: PspHardDereferenceSiloWorker(x):loc_430F73j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		pop	esi
		retn
_PspHardDereferenceSiloWorker@4	endp

; 
		align 10h
; Exported entry 1743. PsAcquireSiloHardReference

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsAcquireSiloHardReference
PsAcquireSiloHardReference proc	near	; CODE XREF: IopAllocateFoExtensionsOnCreate+C3p
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+AE2p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A8A6B SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	short loc_430FF6
		test	dword ptr [esi+310h], 40000000h
		jz	short loc_430FFE

loc_430FCA:				; CODE XREF: PsAcquireSiloHardReference+50j
		lea	edi, [esi+38Ch]
		mov	edx, [edi]
		lea	ecx, [edx+1]

loc_430FD5:				; CODE XREF: PsAcquireSiloHardReference+55j
		cmp	ecx, 1
		jbe	loc_5A8A6B
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	ecx, eax
		cmp	ecx, edx
		jnz	short loc_431002
		mov	edx, 486C6953h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag

loc_430FF6:				; CODE XREF: PsAcquireSiloHardReference+Cj
		xor	eax, eax

loc_430FF8:				; CODE XREF: PsAcquireSiloHardReference+177ACAj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_430FFE:				; CODE XREF: PsAcquireSiloHardReference+18j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	short loc_430FCA
; 

loc_431002:				; CODE XREF: PsAcquireSiloHardReference+38j
		mov	edx, ecx
		inc	ecx
		jmp	short loc_430FD5
PsAcquireSiloHardReference endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmQueryLayeredKey proc near		; CODE XREF: CmQueryKey+2EEp

var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_A4		= dword	ptr -0A4h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005A8A7F SIZE 0000001B BYTES
; FUNCTION CHUNK AT 005A8AA3 SIZE 0000000F BYTES
; FUNCTION CHUNK AT 005A8ACE SIZE 00000105 BYTES
; FUNCTION CHUNK AT 005A8BF2 SIZE 0000003C BYTES
; FUNCTION CHUNK AT 005A8C4D SIZE 000000A1 BYTES
; FUNCTION CHUNK AT 005A8CFF SIZE 0000003B BYTES

		push	0C4h
		push	offset dword_6A0180
		call	__SEH_prolog4_GS
		mov	[ebp+var_84], edx
		mov	esi, ecx
		mov	[ebp+var_6C], esi
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_70], ebx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_5C], eax
		xor	eax, eax
		lea	edi, [ebp+var_80]
		stosd
		stosd
		stosd
		stosd
		push	30h		; size_t
		push	0		; int
		lea	eax, [ebp+var_50]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		lea	edi, [ebp+var_A4]
		stosd
		stosd
		stosd
		stosd
		lea	ecx, [ebp+var_80]
		call	_CmpInitializeKcbStack@4 ; CmpInitializeKcbStack(x)
		mov	[ebp+var_51], 0
		lea	ecx, [ebp+var_50] ; void *
		call	_CmpInitializeKeyNodeStack@4 ; CmpInitializeKeyNodeStack(x)
		and	[ebp+var_60], 0
		xor	edi, edi
		mov	[ebp+var_68], edi
		push	30h		; size_t
		push	edi		; int
		lea	eax, [ebp+var_D4]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [esi+8]
		mov	[ebp+var_64], eax
		mov	edx, eax
		lea	ecx, [ebp+var_80]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_431142
		lea	ecx, [ebp+var_80]
		call	_CmpLockKcbStackShared@4 ; CmpLockKcbStackShared(x)
		mov	[ebp+var_51], 1
		mov	edi, [ebp+var_84]
		xor	edx, edx
		cmp	edi, 3
		jnz	loc_5A8ACE
		mov	edi, [ebp+var_6C]
		mov	ecx, edi
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_5A8A7F

loc_4310CB:				; CODE XREF: CmQueryLayeredKey+177A7Bj
		lea	edx, [ebp+var_60]
		mov	ecx, [ebp+var_64]
		call	CmpConstructNameWithStatus
		mov	esi, eax
		test	esi, esi
		js	short loc_431142
		mov	eax, [ebp+var_60]
		movzx	esi, word ptr [eax]
		add	esi, 4
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+var_5C]
		mov	[ecx], esi
		mov	edx, [ebp+arg_4]
		cmp	edx, 4
		jb	loc_5A8A93
		mov	ecx, eax
		movzx	eax, word ptr [ecx]
		mov	[ebx], eax
		add	edx, 0FFFFFFFCh
		movzx	eax, word ptr [ecx]
		cmp	edx, eax
		jb	short loc_43110D
		mov	edx, eax

loc_43110D:				; CODE XREF: CmQueryLayeredKey+101j
		push	edx		; size_t
		mov	eax, [ebp+var_60]
		push	dword ptr [eax+4] ; void *
		lea	eax, [ebx+4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	esi, [ebp+arg_4]
		ja	short loc_431186
		xor	edx, edx
		mov	ecx, edi
		call	CmpIsKeyDeletedForKeyBody
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 0C000017Ch

loc_431142:				; CODE XREF: CmQueryLayeredKey+8Ej
					; CmQueryLayeredKey+D2j ...
		lea	ecx, [ebp+var_50]
		call	CmpCleanupKeyNodeStack
		mov	ecx, [ebp+var_60]
		test	ecx, ecx
		jz	short loc_43115C
		push	624E4D43h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_43115C:				; CODE XREF: CmQueryLayeredKey+147j
		cmp	[ebp+var_51], 0
		jz	short loc_43116A
		lea	ecx, [ebp+var_80]
		call	CmpUnlockKcbStack

loc_43116A:				; CODE XREF: CmQueryLayeredKey+158j
		lea	ecx, [ebp+var_80]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_431186:				; CODE XREF: CmQueryLayeredKey+122j
		mov	esi, 80000005h
		jmp	short loc_431142
CmQueryLayeredKey endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KeUpdateTotalCyclesCurrentThread(x,	x)
_KeUpdateTotalCyclesCurrentThread@8 proc near
					; CODE XREF: PsQueryTotalCycleTimeProcess(x,x)+21p
					; KeEnableProfiling(x,x,x,x,x)+87p
		mov	eax, ecx
		cli
		mov	ecx, large fs:20h
		push	edx
		mov	edx, eax
		call	_KiUpdateTotalCyclesCurrentThread@12 ; KiUpdateTotalCyclesCurrentThread(x,x,x)
		sti
		retn
_KeUpdateTotalCyclesCurrentThread@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpOriginalKeyNameParameterCleanup(x, x)
_VrpOriginalKeyNameParameterCleanup@8 proc near
					; DATA XREF: CmAllocateExtraParameter(x,x,x)+38o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_4311B6
		call	_VrpDereferenceJobContext@4 ; VrpDereferenceJobContext(x)

loc_4311B6:				; CODE XREF: VrpOriginalKeyNameParameterCleanup(x,x)+Dj
		mov	eax, [esi+0Ch]
		pop	esi
		test	eax, eax
		jz	short loc_4311C9
		push	67655256h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4311C9:				; CODE XREF: VrpOriginalKeyNameParameterCleanup(x,x)+1Aj
		pop	ebp
		retn	8
_VrpOriginalKeyNameParameterCleanup@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspStorageEmptyArrayNonReadonly	proc near ; CODE XREF: PspStorageEmptyNonReadonly+9p
					; PspStorageEmptyNonReadonly+18C6FCp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_30		= dword	ptr -30h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A8D3A SIZE 000000B1 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 48h
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], ecx
		and	[ebp+var_18], edi
		mov	eax, edx
		mov	[ebp+var_48], eax
		mov	esi, ecx
		mov	[ebp+var_10], edi
		test	eax, eax
		jz	loc_431375

loc_431204:				; CODE XREF: PspStorageEmptyArrayNonReadonly+1A1j
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+4]
		xor	ecx, ecx
		inc	ecx
		test	al, cl
		jnz	loc_431393
		and	eax, 0FFFFFFFEh
		mov	[esi+4], ecx
		mov	[ebp+var_44], eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_431503

loc_431235:				; CODE XREF: PspStorageEmptyArrayNonReadonly+33Cj
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	esi, 7FFFFFFCh
		jz	loc_431351
		mov	ecx, large fs:124h
		mov	edx, esi
		mov	eax, dword_6D07D0
		shr	edx, 15h
		mov	[ebp+var_8], ecx
		mov	[ebp+var_40], eax
		cmp	esi, eax
		jb	short loc_431284
		mov	eax, edx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_431380
		mov	eax, [ebp+var_40]
		cmp	esi, eax
		jb	short loc_431284
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jz	loc_431380

loc_431284:				; CODE XREF: PspStorageEmptyArrayNonReadonly+91j
					; PspStorageEmptyArrayNonReadonly+A7j
		or	eax, 0FFFFFFFFh

loc_431287:				; CODE XREF: PspStorageEmptyArrayNonReadonly+1C0j
		dec	word ptr [ecx+13Eh]
		mov	[ebp+var_30], eax
		nop
		inc	byte ptr [ecx+1E6h]
		nop
		mov	dl, [ecx+1E6h]
		mov	byte ptr [ebp+var_4+3],	dl
		mov	edx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[ebp+var_40], edx
		test	edx, edx
		jz	loc_43157F
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jl	loc_431595

loc_4312C9:				; CODE XREF: PspStorageEmptyArrayNonReadonly+3D1j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [ebp+var_8]
		mov	dword ptr [edx+10h], 0
		push	30h
		sub	edx, [ecx+1E8h]
		mov	eax, edx
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		mov	ecx, [ebp+var_8]
		jnz	loc_5A8D72
		or	[ecx+1E4h], dl

loc_431315:				; CODE XREF: PspStorageEmptyArrayNonReadonly+3BCj
					; PspStorageEmptyArrayNonReadonly+177BB0j
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_40], eax
		jnz	loc_43151E

loc_43132C:				; CODE XREF: PspStorageEmptyArrayNonReadonly+38Bj
					; PspStorageEmptyArrayNonReadonly+177BD7j
		nop
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		test	ax, ax
		jnz	short loc_431351
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	loc_4315A4

loc_431351:				; CODE XREF: PspStorageEmptyArrayNonReadonly+72j
					; PspStorageEmptyArrayNonReadonly+175j	...
		mov	ecx, [ebp+var_44]
		test	ecx, ecx
		jnz	loc_4315AE

loc_43135C:				; CODE XREF: PspStorageEmptyArrayNonReadonly+1E4j
					; PspStorageEmptyArrayNonReadonly+330j
		mov	edi, [ebp+var_10]

loc_43135F:				; CODE XREF: PspStorageEmptyArrayNonReadonly+3ECj
		mov	eax, [ebp+var_18]
		add	esi, 8
		inc	eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_18], eax
		cmp	eax, [ebp+var_48]
		jb	loc_431204

loc_431375:				; CODE XREF: PspStorageEmptyArrayNonReadonly+30j
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_431380:				; CODE XREF: PspStorageEmptyArrayNonReadonly+9Cj
					; PspStorageEmptyArrayNonReadonly+B0j
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_431287
; 

loc_431393:				; CODE XREF: PspStorageEmptyArrayNonReadonly+47j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_4313A7
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_4313A7:				; CODE XREF: PspStorageEmptyArrayNonReadonly+1D0j
		xor	edi, edi
		mov	[ebp+var_8], edi
		test	esi, 7FFFFFFCh
		jz	short loc_43135C
		mov	edx, [ebp+var_C]
		mov	ecx, edx
		mov	esi, large fs:124h
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_40], esi
		mov	[ebp+var_30], eax
		cmp	edx, eax
		jb	loc_431564
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_4313F9
		mov	eax, [ebp+var_30]
		cmp	edx, eax
		jb	loc_431564
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jnz	loc_431564

loc_4313F9:				; CODE XREF: PspStorageEmptyArrayNonReadonly+211j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_431404:				; CODE XREF: PspStorageEmptyArrayNonReadonly+399j
		dec	word ptr [esi+13Eh]
		mov	[ebp+var_14], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_43156C
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_43144A
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_43144A:				; CODE XREF: PspStorageEmptyArrayNonReadonly+272j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_8], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	loc_5A8D3A
		or	[esi+1E4h], dl

loc_431490:				; CODE XREF: PspStorageEmptyArrayNonReadonly+3A6j
					; PspStorageEmptyArrayNonReadonly+177B78j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_40], eax
		jz	short loc_4314E2
		test	edi, 8000h
		jz	short loc_4314B4
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4314B4:				; CODE XREF: PspStorageEmptyArrayNonReadonly+2DBj
		test	byte ptr [ebp+var_8+2],	1
		jnz	loc_5A8D4B

loc_4314BE:				; CODE XREF: PspStorageEmptyArrayNonReadonly+177B8Dj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4314D2
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4314D2:				; CODE XREF: PspStorageEmptyArrayNonReadonly+2F7j
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5A8D60

loc_4314E2:				; CODE XREF: PspStorageEmptyArrayNonReadonly+2D3j
					; PspStorageEmptyArrayNonReadonly+177B9Fj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jz	short loc_43150F

loc_4314FB:				; CODE XREF: PspStorageEmptyArrayNonReadonly+347j
					; PspStorageEmptyArrayNonReadonly+34Ej
		mov	esi, [ebp+var_C]
		jmp	loc_43135C
; 

loc_431503:				; CODE XREF: PspStorageEmptyArrayNonReadonly+61j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_431235
; 

loc_43150F:				; CODE XREF: PspStorageEmptyArrayNonReadonly+32Bj
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_4314FB
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_4314FB
; 

loc_43151E:				; CODE XREF: PspStorageEmptyArrayNonReadonly+158j
		test	edi, 8000h
		jz	short loc_431530
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp+var_8]

loc_431530:				; CODE XREF: PspStorageEmptyArrayNonReadonly+356j
		test	byte ptr [ebp+var_14+2], 1
		jnz	loc_5A8D83

loc_43153A:				; CODE XREF: PspStorageEmptyArrayNonReadonly+177BC5j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_43154C
		and	edi, eax
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_43154C:				; CODE XREF: PspStorageEmptyArrayNonReadonly+373j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	ecx, [ebp+var_8]
		jz	loc_43132C
		jmp	loc_5A8D98
; 

loc_431564:				; CODE XREF: PspStorageEmptyArrayNonReadonly+202j
					; PspStorageEmptyArrayNonReadonly+218j	...
		or	eax, 0FFFFFFFFh
		jmp	loc_431404
; 

loc_43156C:				; CODE XREF: PspStorageEmptyArrayNonReadonly+260j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_431490
		jmp	loc_5A8DAA
; 

loc_43157F:				; CODE XREF: PspStorageEmptyArrayNonReadonly+E3j
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_431315
		jmp	loc_5A8DB5
; 

loc_431595:				; CODE XREF: PspStorageEmptyArrayNonReadonly+F5j
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp+var_40]
		jmp	loc_4312C9
; 

loc_4315A4:				; CODE XREF: PspStorageEmptyArrayNonReadonly+17Dj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_431351
; 

loc_4315AE:				; CODE XREF: PspStorageEmptyArrayNonReadonly+188j
		call	ObfDereferenceObject
		mov	edi, [ebp+var_10]
		inc	edi
		mov	[ebp+var_10], edi
		jmp	loc_43135F
PspStorageEmptyArrayNonReadonly	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoReleaseIoRateControl(x)
_IoReleaseIoRateControl@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi

loc_4315CC:				; CODE XREF: IoReleaseIoRateControl(x)+1Fj
		mov	ecx, [edi+esi*4]
		test	ecx, ecx
		jz	short loc_4315DB
		add	ecx, 10h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_4315DB:				; CODE XREF: IoReleaseIoRateControl(x)+11j
		inc	esi
		cmp	esi, 2
		jb	short loc_4315CC
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_IoReleaseIoRateControl@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1457. MmProbeAndLockSelectedPages

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmProbeAndLockSelectedPages
MmProbeAndLockSelectedPages proc near	; CODE XREF: IopProbeAndLockSelectedPages+Fp
					; PAGE:007E1367p

var_1078	= dword	ptr -1078h
var_1074	= dword	ptr -1074h
var_1070	= dword	ptr -1070h
var_106C	= dword	ptr -106Ch
var_1068	= dword	ptr -1068h
var_1064	= dword	ptr -1064h
var_1060	= dword	ptr -1060h
var_1048	= dword	ptr -1048h
var_1040	= byte ptr -1040h
var_101C	= dword	ptr -101Ch
var_1014	= dword	ptr -1014h
var_1010	= dword	ptr -1010h
var_100C	= dword	ptr -100Ch
var_1008	= dword	ptr -1008h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005A8DEB SIZE 00000093 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, 107Ch
		call	__chkstk
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+107Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	60h		; size_t
		mov	[esp+108Ch+var_1074], eax
		lea	eax, [esp+108Ch+var_1068]
		push	0		; int
		push	eax		; void *
		mov	[esp+1094h+var_1078], ebx
		call	_memset
		mov	esi, [ebp+arg_C]
		add	esp, 0Ch
		test	esi, esi
		jz	short loc_431638
		xor	esi, esi
		inc	esi

loc_431638:				; CODE XREF: MmProbeAndLockSelectedPages+47j
		mov	eax, [ebx+14h]
		lea	edi, [esp+1088h+var_1008]
		mov	ecx, eax
		and	ecx, 0FFFh
		neg	ecx
		sbb	ecx, ecx
		shr	eax, 0Ch
		neg	ecx
		add	ecx, eax
		mov	ebx, ecx
		shl	ebx, 3
		cmp	ecx, 200h
		ja	loc_5A8DC7

loc_431666:				; CODE XREF: PspStorageEmptyArrayNonReadonly+177C0Dj
		and	[esp+1088h+var_1070], 0
		lea	eax, [ebx+edi]
		push	ebx		; size_t
		push	[esp+108Ch+var_1074] ; void *
		mov	[esp+1090h+var_106C], eax
		push	edi		; void *
		call	_memcpy
		mov	eax, [edi]
		lea	ecx, [esp+1094h+var_1068]
		mov	edx, [esp+1094h+var_1078]
		add	esp, 0Ch
		push	1
		push	esi
		push	[ebp+arg_8]
		push	1
		push	eax
		call	MiProbeAndLockPrepare
		mov	esi, eax
		test	esi, esi
		js	loc_431769
		lea	ecx, [ebx+edi]
		mov	eax, edi
		mov	[esp+1088h+var_1074], eax
		cmp	edi, ecx
		jnb	loc_43175A
		mov	ebx, [esp+1088h+var_1048]

loc_4316B7:				; CODE XREF: MmProbeAndLockSelectedPages+168j
		mov	ecx, [eax]
		or	dword ptr [ebx], 0FFFFFFFFh
		mov	[esp+1088h+var_1068], ecx
		lea	eax, [ecx+1]
		mov	[esp+1088h+var_1064], eax
		mov	eax, ecx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		add	eax, 0C0000000h
		mov	[esp+1088h+var_1060], eax
		cmp	ecx, ds:_MmUserProbeAddress
		jnb	loc_5A8DEB

loc_4316E6:				; CODE XREF: MmProbeAndLockSelectedPages+177803j
		test	[esp+1088h+var_1040], 20h
		jz	short loc_4316F7
		cmp	ecx, [esp+1088h+var_1010]
		jbe	loc_5A8E05

loc_4316F7:				; CODE XREF: MmProbeAndLockSelectedPages+FFj
					; MmProbeAndLockSelectedPages+17781Dj
		lea	ecx, [esp+1088h+var_1068]
		call	MiProbeLeafFrame
		mov	esi, eax
		test	esi, esi
		js	short loc_43175A
		mov	[esp+1088h+var_1078], 10h

loc_43170E:				; CODE XREF: MmProbeAndLockSelectedPages+177854j
		lea	ecx, [esp+1088h+var_1068]
		call	_MiProbeLockFrame@4 ; MiProbeLockFrame(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_43175A
		mov	ebx, [esp+1088h+var_1048]
		xor	edx, edx
		mov	eax, [esp+1088h+var_101C]
		mov	[ebx], eax
		add	ebx, 4
		mov	eax, [esp+1088h+var_1070]
		inc	eax
		mov	[esp+1088h+var_1048], ebx
		mov	[esp+1088h+var_1070], eax
		div	[esp+1088h+var_1078]
		test	edx, edx
		jz	loc_5A8E45

loc_431745:				; CODE XREF: MmProbeAndLockSelectedPages+177864j
					; MmProbeAndLockSelectedPages+177880j
		mov	eax, [esp+1088h+var_1074]
		add	eax, 8
		mov	[esp+1088h+var_1074], eax
		cmp	eax, [esp+1088h+var_106C]
		jb	loc_4316B7

loc_43175A:				; CODE XREF: MmProbeAndLockSelectedPages+C1j
					; MmProbeAndLockSelectedPages+118j ...
		push	7
		mov	edx, esi
		lea	ecx, [esp+108Ch+var_1068]
		call	MiProbeAndLockComplete
		mov	esi, eax

loc_431769:				; CODE XREF: MmProbeAndLockSelectedPages+B0j
		lea	eax, [esp+1088h+var_1008]
		cmp	edi, eax
		jnz	loc_5A8E71

loc_431778:				; CODE XREF: MmProbeAndLockSelectedPages+17788Dj
		test	esi, esi
		js	short loc_431793
		mov	ecx, [esp+1088h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_431793:				; CODE XREF: MmProbeAndLockSelectedPages+18Ej
		push	esi

loc_431794:				; CODE XREF: PspStorageEmptyArrayNonReadonly+177C18j
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger
MmProbeAndLockSelectedPages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiProbeAndLockComplete proc near	; CODE XREF: MmProbeAndLockSelectedPages+176p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A8E7E SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_MiUnlockProbePacketWorkingSet@4 ; MiUnlockProbePacketWorkingSet(x)
		test	byte ptr ds:_MmTrackLockedPages, 1
		mov	esi, [esi+24h]
		jnz	loc_5A8E7E

loc_4317BA:				; CODE XREF: MiProbeAndLockComplete+177708j
		test	edi, edi
		js	loc_5A8EA7

loc_4317C2:				; CODE XREF: MiProbeAndLockComplete+177719j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	4
MiProbeAndLockComplete endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepVerifyDesktopAppxImage(x, x, x, x)
_SepVerifyDesktopAppxImage@16 proc near	; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+1C1p

var_21A		= byte ptr -21Ah
var_219		= byte ptr -219h
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 21Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+21Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, edx
		mov	[esp+220h+var_20C], eax
		xor	edx, edx
		push	esi
		mov	[eax], dl
		test	byte ptr [ecx+3A8h], 1
		push	edi
		mov	[esp+228h+var_218], edx
		mov	edi, edx
		mov	[esp+228h+var_210], edx
		mov	[esp+228h+var_219], dl
		jz	short loc_431814
		mov	esi, edx
		jmp	loc_431936
; 

loc_431814:				; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+41j
		lea	eax, [esp+228h+var_218]
		push	eax
		push	ecx
		call	_PsReferenceProcessFilePointer@8 ; PsReferenceProcessFilePointer(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_43190D
		lea	edi, [esp+228h+var_208]
		mov	[esp+228h+var_214], 200h
		push	1
		mov	eax, edi
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_43190D
		mov	ecx, [esp+228h+var_218]
		lea	eax, [esp+228h+var_214]
		push	eax
		push	200h
		mov	eax, edi
		mov	edx, 84h
		push	eax
		call	_ObQuerySecurityObject@20 ; ObQuerySecurityObject(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_4318B1
		push	20206553h
		push	[esp+22Ch+var_214]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_43188B
		mov	esi, 0C0000017h
		jmp	loc_43190D
; 

loc_43188B:				; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+B5j
		push	1
		push	edi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_43190D
		mov	ecx, [esp+228h+var_218]
		lea	eax, [esp+228h+var_214]
		push	eax
		push	[esp+22Ch+var_214]
		mov	edx, 84h
		push	edi
		call	_ObQuerySecurityObject@20 ; ObQuerySecurityObject(x,x,x,x,x)

loc_4318B1:				; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+9Fj
		test	eax, eax
		jns	short loc_4318B9
		xor	esi, esi
		jmp	short loc_43190D
; 

loc_4318B9:				; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+E9j
		test	edi, edi
		jnz	short loc_4318C4
		mov	esi, 0C000090Bh
		jmp	short loc_43190D
; 

loc_4318C4:				; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+F1j
		lea	eax, [esp+0Fh]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	SepVerifyDesktopAppxPackageName
		mov	bl, [ebp+arg_0]
		mov	esi, eax
		test	esi, esi
		js	short loc_4318E9
		cmp	bl, 1
		jnz	short loc_4318E9
		mov	ecx, edi
		call	_SeGetTrustLabelAce@4 ;	SeGetTrustLabelAce(x)
		jmp	short loc_4318ED
; 

loc_4318E9:				; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+10Fj
					; SepVerifyDesktopAppxImage(x,x,x,x)+114j
		mov	eax, [esp+228h+var_210]

loc_4318ED:				; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+11Dj
		cmp	[esp+228h+var_219], 1
		jnz	short loc_43190D
		cmp	bl, 1
		jnz	short loc_431902
		test	eax, eax
		jnz	short loc_431906
		mov	esi, 0C0000462h

loc_431902:				; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+12Dj
		test	bl, bl
		jnz	short loc_43190D

loc_431906:				; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+131j
		mov	eax, [esp+228h+var_20C]
		mov	byte ptr [eax],	1

loc_43190D:				; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+59j
					; SepVerifyDesktopAppxImage(x,x,x,x)+79j ...
		cmp	[esp+228h+var_218], 0
		jz	short loc_431922
		mov	ecx, [esp+228h+var_218]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag

loc_431922:				; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+148j
		test	edi, edi
		jz	short loc_431936
		lea	eax, [esp+228h+var_208]
		cmp	edi, eax
		jz	short loc_431936
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_431936:				; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+45j
					; SepVerifyDesktopAppxImage(x,x,x,x)+15Aj ...
		mov	ecx, [esp+228h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_SepVerifyDesktopAppxImage@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepVerifyDesktopAppxPackageName	proc near
					; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+103p

var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A8EB8 SIZE 00000081 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 230h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_230], eax
		xor	ecx, ecx
		mov	[ebp+var_228], edx
		push	edi
		mov	[eax], cl
		mov	esi, ecx
		push	offset ??_C@_1BO@BOGEHPME@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAS?$AAY?$AAS?$AAA?$AAP?$AAP?$AAI?$AAD@FNODOBFM@
		lea	eax, [ebp+var_224]
		mov	[ebp+var_22C], ebx
		push	eax
		mov	[ebp+var_214], ecx
		mov	[ebp+var_218], ecx
		mov	[ebp+var_21C], 2
		mov	[ebp+var_224], ecx
		mov	[ebp+var_220], ecx
		mov	[ebp+var_210], ecx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_224]
		push	eax
		push	ebx
		call	SeSecurityAttributePresent
		test	al, al
		jz	loc_431AE7
		lea	eax, [ebp+var_210]
		push	eax		; int
		push	200h		; size_t
		lea	edi, [ebp+var_20C]
		mov	eax, edi
		push	eax		; int
		push	1		; int
		lea	eax, [ebp+var_224]
		push	eax		; int
		push	ebx		; int
		call	_SeQuerySecurityAttributesToken@24 ; SeQuerySecurityAttributesToken(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_5A8EB8

loc_431A05:				; CODE XREF: SepVerifyDesktopAppxPackageName+1775A9j
		test	esi, esi
		js	loc_431AD5
		test	edi, edi
		jz	loc_5A8EFE
		call	_AuthzBasepAllocateSecurityAttributesList@0 ; AuthzBasepAllocateSecurityAttributesList()
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5A8F08
		push	edi
		lea	edx, [ebp+var_21C]
		mov	ecx, ebx
		call	AuthzBasepSetSecurityAttributesToken
		mov	esi, eax
		test	esi, esi
		js	loc_431ACE

loc_431A3C:				; CODE XREF: SepVerifyDesktopAppxPackageName+1775D1j
		mov	edx, [ebp+var_228]
		movzx	eax, word ptr [edx+2]
		mov	ecx, eax
		test	al, 4
		jz	loc_5A8F12
		test	cx, cx
		mov	ecx, [edx+10h]
		jns	short loc_431A61
		lea	eax, [ecx+edx]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_431A61:				; CODE XREF: SepVerifyDesktopAppxPackageName+106j
					; SepVerifyDesktopAppxPackageName+1775C4j
		lea	eax, [ebp+var_214]
		push	eax
		push	9
		push	ecx
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		mov	[ebp+var_21C], eax
		test	eax, eax
		jz	loc_5A8F19
		movzx	ecx, byte ptr [eax+9]
		lea	esi, [ebp+var_218]
		push	esi
		xor	esi, esi
		push	esi
		lea	edx, ds:8[ecx*4]
		movzx	ecx, word ptr [eax+2]
		push	esi
		sub	ecx, edx
		add	edx, 8
		sub	ecx, 8
		add	eax, edx
		push	ecx
		mov	ecx, [ebp+var_22C]
		mov	edx, ebx
		push	eax
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		call	AuthzBasepEvaluateAceCondition
		mov	esi, eax
		test	esi, esi
		js	short loc_431B05
		cmp	[ebp+var_218], 1
		jnz	short loc_431AFA

loc_431AC5:				; CODE XREF: SepVerifyDesktopAppxPackageName+1BEj
		mov	eax, [ebp+var_230]
		mov	byte ptr [eax],	1

loc_431ACE:				; CODE XREF: SepVerifyDesktopAppxPackageName+E6j
					; SepVerifyDesktopAppxPackageName+1BCj
		mov	ecx, ebx
		call	AuthzBasepFreeSecurityAttributesList

loc_431AD5:				; CODE XREF: SepVerifyDesktopAppxPackageName+B7j
					; SepVerifyDesktopAppxPackageName+1775BDj
		test	edi, edi
		jz	short loc_431AE7
		lea	eax, [ebp+var_20C]
		cmp	edi, eax
		jnz	loc_5A8F2C

loc_431AE7:				; CODE XREF: SepVerifyDesktopAppxPackageName+7Dj
					; SepVerifyDesktopAppxPackageName+187j	...
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_431AFA:				; CODE XREF: SepVerifyDesktopAppxPackageName+173j
		mov	eax, [ebp+var_21C]
		jmp	loc_5A8F19
; 

loc_431B05:				; CODE XREF: SepVerifyDesktopAppxPackageName+16Aj
					; SepVerifyDesktopAppxPackageName+1775D7j
		cmp	[ebp+var_218], 1
		jnz	short loc_431ACE
		jmp	short loc_431AC5
SepVerifyDesktopAppxPackageName	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoUpdateIrpIoAttributionHandle(x, x)
_IoUpdateIrpIoAttributionHandle@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1
		push	eax
		call	IopSetDiskIoAttributionExtension
		pop	ebp
		retn	8
_IoUpdateIrpIoAttributionHandle@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUpdateSystemPdes proc	near		; CODE XREF: MiSyncSystemPdes+91p
					; MmInSwapProcess+1627A4p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 005A8F39 SIZE 00000054 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		mov	byte ptr [ebp+var_1], 0
		mov	ecx, ds:0C060301Ch
		lea	edx, [ebp+var_1]
		mov	[ebp+var_C], eax
		and	ecx, 0FFFFFFE0h
		push	ebx
		mov	eax, [eax+194h]
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, [eax+18h]
		mov	eax, [eax+1Ch]
		shrd	esi, eax, 0Ch
		mov	eax, ds:0C0603018h
		and	esi, 1FFFFFFh
		and	eax, 0FFFh
		mov	ebx, esi
		shld	edi, ebx, 0Ch
		push	80000000h
		or	edi, ecx
		shl	ebx, 0Ch
		mov	ecx, esi
		or	ebx, eax
		call	MiMapPageInHyperSpaceWorker
		mov	esi, [ebp+var_C]
		mov	edx, eax
		mov	ecx, esi
		mov	[ebp+var_8], eax
		call	_MiCopyTopLevelMappings@8 ; MiCopyTopLevelMappings(x,x)
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		add	ecx, 18h
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5A8F39

loc_431BAD:				; CODE XREF: MiUpdateSystemPdes+17741Ej
					; MiUpdateSystemPdes+177440j ...
		mov	[ecx+4], edi
		nop
		mov	[ecx], ebx
		test	edx, edx
		jnz	short loc_431BD5

loc_431BB7:				; CODE XREF: MiUpdateSystemPdes+AEj
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, [ebp+var_8]
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		xor	edx, edx
		mov	ecx, esi
		call	_MiCopyTopLevelMappings@8 ; MiCopyTopLevelMappings(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_431BD5:				; CODE XREF: MiUpdateSystemPdes+87j
		push	edi
		push	ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	short loc_431BB7
MiUpdateSystemPdes endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1789. PsGetJobSessionId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetJobSessionId(x)
		public _PsGetJobSessionId@4
_PsGetJobSessionId@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0E8h]
		cmp	eax, 0FFFFFFFDh
		ja	short loc_431BFB

loc_431BF7:				; CODE XREF: PsGetJobSessionId(x)+1Aj
		pop	ebp
		retn	4
; 

loc_431BFB:				; CODE XREF: PsGetJobSessionId(x)+11j
		or	eax, 0FFFFFFFFh
		jmp	short loc_431BF7
_PsGetJobSessionId@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1788. PsGetJobServerSilo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsGetJobServerSilo
PsGetJobServerSilo proc	near		; CODE XREF: PAGE:00757C89p
					; PAGE:008D2B56p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A8F8D SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jz	loc_5A8F8D
		push	[ebp+arg_0]
		call	_PsGetEffectiveServerSilo@4 ; PsGetEffectiveServerSilo(x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		xor	eax, eax

loc_431C24:				; CODE XREF: PsGetJobServerSilo+177392j
		pop	ebp
		retn	8
PsGetJobServerSilo endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpProtectPool(x, x, x)
_CmpProtectPool@12 proc	near		; CODE XREF: HvFreeHivePartial+B2p
					; HvHiveCleanup+198p ...
		push	4
		push	edx
		mov	edx, ecx
		call	ExProtectPoolEx
		retn	4
_CmpProtectPool@12 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1617. ObDereferenceObjectDeferDelete

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObDereferenceObjectDeferDelete(x)
		public _ObDereferenceObjectDeferDelete@4
_ObDereferenceObjectDeferDelete@4 proc near ; CODE XREF: PfpScenCtxScenarioSet+D4DCp
					; CmpRunDownCmRM+F5p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	746C6644h
		push	[ebp+arg_0]
		call	ObDereferenceObjectDeferDeleteWithTag
		pop	ebp
		retn	4
_ObDereferenceObjectDeferDelete@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFreePoolLookaside(x, x)
_CmpFreePoolLookaside@8	proc near	; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+15Dp
					; DATA XREF: CmpInitializeRegistryProcess()+114o ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_CmpFreePoolLookaside@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSiExtendSection(x, x, x)
_CmSiExtendSection@12 proc near		; CODE XREF: HvpViewMapExtendStorage(x,x)+39p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		lea	eax, [ebp+arg_0]
		push	eax
		push	ecx
		call	_ZwExtendSection@8 ; ZwExtendSection(x,x)
		pop	ebp
		retn	8
_CmSiExtendSection@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlMergeBitMaps(x, x)
_RtlMergeBitMaps@8 proc	near		; CODE XREF: HvUnCOWReconciledPages+3Bp
					; HvUnCOWReconciledPages+4Cp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [edx]
		push	edi
		mov	edi, [ecx]
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		cmp	edi, eax
		jb	short loc_431C98
		mov	edi, eax

loc_431C98:				; CODE XREF: RtlMergeBitMaps(x,x)+14j
		test	edi, edi
		jz	short loc_431CC0
		push	ebx
		push	esi
		xor	ebx, ebx

loc_431CA0:				; CODE XREF: RtlMergeBitMaps(x,x)+3Cj
		mov	eax, [edx+4]
		cmp	edi, 20h
		jb	short loc_431CC3
		mov	ecx, [ecx+4]
		sub	edi, 20h
		mov	eax, [eax+ebx]
		or	[ecx+ebx], eax
		add	ebx, 4

loc_431CB7:				; CODE XREF: RtlMergeBitMaps(x,x)+5Bj
		mov	ecx, [ebp+var_8]
		test	edi, edi
		jnz	short loc_431CA0
		pop	esi
		pop	ebx

loc_431CC0:				; CODE XREF: RtlMergeBitMaps(x,x)+1Aj
		pop	edi
		leave
		retn
; 

loc_431CC3:				; CODE XREF: RtlMergeBitMaps(x,x)+26j
		mov	esi, [ecx+4]
		xor	edx, edx
		mov	eax, [ebx+eax]
		inc	edx
		mov	ecx, edi
		shl	edx, cl
		dec	edx
		and	eax, edx
		mov	edx, [ebp+var_4]
		or	[esi+ebx], eax
		xor	edi, edi
		jmp	short loc_431CB7
_RtlMergeBitMaps@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpGrowDirtyVectors proc near		; CODE XREF: HvpAddBin+204p
					; HvpPerformLogFileRecovery(x,x,x,x)+10Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A8F9D SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		shr	edx, 9
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	ebx, edx
		shr	ebx, 3
		add	ebx, 3
		lea	ecx, [edi+2Ch]
		and	ebx, 0FFFFFFFCh
		mov	eax, [ecx]
		mov	[ebp+var_4], eax
		cmp	[edi+38h], ebx
		jb	short loc_431D3F
		mov	ebx, [ebp+var_4]
		mov	esi, edx
		mov	eax, [edi+30h]
		sub	esi, ebx
		push	esi
		push	ebx
		push	ecx
		mov	[ecx], edx
		mov	[ecx+4], eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	eax, [edi+40h]
		lea	ecx, [edi+3Ch]
		mov	edx, [ebp+var_8]
		push	esi
		push	ebx
		push	ecx
		mov	[ecx], edx
		mov	[ecx+4], eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		xor	esi, esi

loc_431D38:				; CODE XREF: HvpGrowDirtyVectors+11Fj
					; HvpGrowDirtyVectors+1772C4j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_431D3F:				; CODE XREF: HvpGrowDirtyVectors+29j
		push	39314D43h
		xor	esi, esi
		push	esi
		push	ebx
		call	dword ptr [edi+0Ch]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_5A8F9D
		push	39314D43h
		push	esi
		push	ebx
		call	dword ptr [edi+0Ch]
		mov	ecx, [ebp+var_C]
		mov	edx, eax
		mov	[ebp+var_14], edx
		test	edx, edx
		jz	loc_5A8FA7
		mov	eax, [ebp+var_8]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_24], eax
		sub	eax, [ebp+var_4]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_10], eax
		cmp	[edi+30h], esi
		jz	short loc_431E02
		push	esi
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [edi+2Ch]
		push	eax
		call	RtlCopyBitMap
		push	[ebp+var_10]
		lea	eax, [ebp+var_1C]
		push	[ebp+var_4]
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)

loc_431DA7:				; CODE XREF: HvpGrowDirtyVectors+12Fj
		cmp	[edi+40h], esi
		jz	short loc_431E0F
		push	esi
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [edi+3Ch]
		push	eax
		call	RtlCopyBitMap
		push	[ebp+var_10]
		lea	eax, [ebp+var_24]
		push	[ebp+var_4]
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)

loc_431DC9:				; CODE XREF: HvpGrowDirtyVectors+13Ej
		mov	eax, [edi+30h]
		test	eax, eax
		jz	short loc_431DD7
		push	dword ptr [edi+38h]
		push	eax
		call	dword ptr [edi+10h]

loc_431DD7:				; CODE XREF: HvpGrowDirtyVectors+F0j
		mov	eax, [edi+40h]
		test	eax, eax
		jz	short loc_431DE5
		push	dword ptr [edi+38h]
		push	eax
		call	dword ptr [edi+10h]

loc_431DE5:				; CODE XREF: HvpGrowDirtyVectors+FEj
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_14]
		mov	[edi+2Ch], edx
		mov	[edi+30h], ecx
		mov	[edi+3Ch], edx
		mov	[edi+40h], eax
		mov	[edi+38h], ebx
		jmp	loc_431D38
; 

loc_431E02:				; CODE XREF: HvpGrowDirtyVectors+AAj
		push	ebx		; size_t
		push	esi		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_431DA7
; 

loc_431E0F:				; CODE XREF: HvpGrowDirtyVectors+CCj
		push	ebx		; size_t
		push	esi		; int
		push	[ebp+var_14]	; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_431DC9
HvpGrowDirtyVectors endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpDoFileFlush	proc near		; CODE XREF: HvLoadHive+2C9p
					; CmpFileFlushAndPurge+129p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A8FB6 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		cmp	ds:_CmpNoWrite,	0
		push	esi
		mov	esi, ecx
		jnz	short loc_431E4E
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_ZwFlushBuffersFile@8 ;	ZwFlushBuffersFile(x,x)
		test	eax, eax
		js	loc_5A8FB6

loc_431E4B:				; CODE XREF: CmpDoFileFlush+32j
					; CmpDoFileFlush+1771ADj
		pop	esi
		leave
		retn
; 

loc_431E4E:				; CODE XREF: CmpDoFileFlush+19j
		xor	eax, eax
		jmp	short loc_431E4B
CmpDoFileFlush	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExProtectPool(x, x,	x)
_ExProtectPool@12 proc near		; CODE XREF: HvpProtectBin(x,x,x,x)+10p
					; HvpProtectBin(x,x,x,x)+28p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_0]
		push	edx
		mov	edx, ecx
		call	ExProtectPoolEx
		pop	ecx
		pop	ebp
		retn	4
_ExProtectPool@12 endp

; 
		align 10h

; __stdcall MiReplenishBitMap(x, x, x)
_MiReplenishBitMap@12:			; CODE XREF: MiInsertCachedPte(x,x,x)+1AFp
					; MiInsertCachedPte(x,x,x)+2EFp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-8], eax
		push	ebx
		push	esi
		push	edi
		push	98h
		lea	eax, [ebp-0A4h]
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp-0ECh], edi
		push	0
		push	eax
		mov	[ebp-0B0h], esi
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		cmp	dword ptr [ebp+8], 1
		mov	[ebp-0D0h], eax
		mov	[ebp-0C4h], eax
		jnz	short loc_431EEA
		mov	[ebp-90h], eax
		xor	ecx, ecx
		mov	[ebp-0E4h], eax
		lea	eax, [ebp-0E4h]
		mov	dword ptr [ebp-9Ch], 21h
		lock or	[eax], ecx
		mov	eax, ds:_KiTbFlushTimeStamp
		jmp	short loc_431EF4
; 

loc_431EEA:				; CODE XREF: .text:00431EC0j
		mov	dword ptr [ebp-0C4h], 1

loc_431EF4:				; CODE XREF: .text:00431EE8j
		mov	[ebp-0E0h], eax
		lea	ebx, [ebx+0]

loc_431F00:				; CODE XREF: .text:004321E2j
		xor	ebx, ebx
		mov	[ebp-0C0h], edi

loc_431F08:				; CODE XREF: .text:004322F9j
		mov	eax, [esi+8]
		lea	esi, [eax+edi*8]
		mov	eax, [esi]
		mov	[ebp-0A8h], eax
		nop
		mov	edx, [esi+4]
		and	eax, 0F000h
		mov	[ebp-0CCh], edx
		cmp	eax, 1000h
		jnz	short loc_431F33
		mov	ecx, 1
		jmp	short loc_431F87
; 

loc_431F33:				; CODE XREF: .text:00431F2Aj
		mov	eax, [esi+8]
		mov	[ebp-0C8h], eax
		nop
		mov	edi, dword_6D0704
		mov	eax, dword_6D0700
		mov	ecx, [esi+0Ch]
		or	eax, edi
		mov	[ebp-0B8h], edi
		mov	edi, [ebp-0C0h]
		mov	[ebp-0ACh], ecx
		jz	short loc_431F87
		mov	ecx, [ebp-0C8h]
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_431F81
		mov	ecx, [ebp-0B8h]
		not	ecx
		and	ecx, [ebp-0ACh]
		jmp	short loc_431F87
; 

loc_431F81:				; CODE XREF: .text:00431F6Fj
		mov	ecx, [ebp-0ACh]

loc_431F87:				; CODE XREF: .text:00431F31j
					; .text:00431F5Fj ...
		mov	eax, dword_6D0704
		add	ebx, ecx
		mov	ecx, dword_6D0700
		mov	[ebp-0ACh], eax
		mov	eax, ecx
		or	eax, [ebp-0ACh]
		mov	[ebp-0C8h], edx
		jz	short loc_431FD6
		mov	edx, [ebp-0A8h]
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_431FCA
		mov	edx, [ebp-0ACh]
		not	edx
		and	edx, [ebp-0C8h]
		jmp	short loc_431FD0
; 

loc_431FCA:				; CODE XREF: .text:00431FB8j
		mov	edx, [ebp-0C8h]

loc_431FD0:				; CODE XREF: .text:00431FC8j
		mov	[ebp-0CCh], edx

loc_431FD6:				; CODE XREF: .text:00431FA8j
		test	edx, edx
		jz	loc_432077
		mov	eax, [ebp-0B0h]
		mov	eax, [eax+8]
		mov	ecx, [eax+edx*8]
		lea	eax, [eax+edx*8]
		mov	[ebp-0B8h], eax
		nop
		mov	eax, [eax+4]
		and	ecx, 0F000h
		mov	[ebp-0D8h], eax
		cmp	ecx, 1000h
		jnz	short loc_432012
		mov	ecx, 1
		jmp	short loc_43206C
; 

loc_432012:				; CODE XREF: .text:00432009j
		mov	ecx, [ebp-0B8h]
		mov	eax, [ecx+8]
		mov	[ebp-0A8h], eax
		nop
		mov	edi, dword_6D0704
		mov	eax, dword_6D0700
		mov	ecx, [ecx+0Ch]
		or	eax, edi
		mov	[ebp-0D8h], edi
		mov	edi, [ebp-0C0h]
		mov	[ebp-0ACh], ecx
		jz	short loc_43206C
		mov	ecx, [ebp-0A8h]
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_432066
		mov	ecx, [ebp-0D8h]
		not	ecx
		and	ecx, [ebp-0ACh]
		jmp	short loc_43206C
; 

loc_432066:				; CODE XREF: .text:00432054j
		mov	ecx, [ebp-0ACh]

loc_43206C:				; CODE XREF: .text:00432010j
					; .text:00432044j ...
		lea	eax, [edx+ecx]
		cmp	eax, edi
		jz	loc_4322E9

loc_432077:				; CODE XREF: .text:00431FD8j
		mov	edx, [ebp-0B0h]
		mov	eax, [edx]
		cmp	edi, eax
		jnb	loc_432312
		cmp	ebx, 1
		ja	short loc_4320A8
		jnz	loc_432312
		mov	eax, [edx+4]
		bt	[eax], edi
		setb	al
		test	al, al
		jz	loc_432312
		jmp	loc_432149
; 

loc_4320A8:				; CODE XREF: .text:0043208Aj
		sub	eax, edi
		cmp	eax, ebx
		jb	loc_432312
		mov	edx, [edx+4]
		lea	ecx, [ebx-1]
		add	ecx, edi
		mov	eax, edi
		mov	[ebp-0D8h], ecx
		shr	eax, 5
		shr	ecx, 5
		lea	eax, [edx+eax*4]
		lea	ecx, [edx+ecx*4]
		mov	edx, [eax]
		mov	[ebp-0A8h], edx
		or	edx, 0FFFFFFFFh
		mov	[ebp-0B8h], ecx
		cmp	eax, ecx
		jnz	short loc_4320FA
		mov	ecx, 20h
		sub	ecx, ebx
		shr	edx, cl
		mov	ecx, edi
		shl	edx, cl
		mov	eax, edx
		and	eax, [ebp-0A8h]
		jmp	short loc_432141
; 

loc_4320FA:				; CODE XREF: .text:004320E1j
		mov	ecx, edi
		shl	edx, cl
		mov	ecx, edx
		and	ecx, [ebp-0A8h]
		cmp	ecx, edx
		jnz	loc_432312
		mov	ecx, [ebp-0B8h]
		add	eax, 4
		cmp	eax, ecx
		jz	short loc_432130
		jmp	short loc_432120
; 
		align 10h

loc_432120:				; CODE XREF: .text:0043211Bj
					; .text:0043212Ej
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_432312
		add	eax, 4
		cmp	eax, ecx
		jnz	short loc_432120

loc_432130:				; CODE XREF: .text:00432119j
		mov	ecx, [ebp-0D8h]
		or	edx, 0FFFFFFFFh
		mov	eax, [eax]
		not	ecx
		shr	edx, cl
		and	eax, edx

loc_432141:				; CODE XREF: .text:004320F8j
		cmp	eax, edx
		jnz	loc_432312

loc_432149:				; CODE XREF: .text:004320A3j
		cmp	dword ptr [ebp-0C4h], 0
		jnz	loc_432201
		push	0
		shl	esi, 9
		lea	ecx, [ebp-0A4h]
		push	ebx
		mov	edx, esi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	edx, 1
		lea	ecx, [ebp-0A4h]
		call	_MiFlushTbListEarly@8 ;	MiFlushTbListEarly(x,x)
		cmp	eax, 1
		jnz	loc_4322E1
		mov	dword ptr [ebp-0E8h], 0
		lea	eax, [ebp-0E8h]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	edx, ds:_KiTbFlushTimeStamp
		mov	ecx, [ebp-0E0h]
		push	0FFFFFFFFh
		call	_MiTbFlushTimeStampMayNeedFlush@12 ; MiTbFlushTimeStampMayNeedFlush(x,x,x)
		test	al, al
		jnz	loc_4322E1
		mov	ebx, [ebp-0C4h]

loc_4321B8:				; CODE XREF: .text:0043230Dj
		cmp	dword ptr [ebp-98h], 0
		jz	short loc_4321CC
		lea	ecx, [ebp-0A4h]
		call	MiFlushTbList

loc_4321CC:				; CODE XREF: .text:004321BFj
					; .text:00432307j
		mov	esi, [ebp-0B0h]
		inc	ebx
		mov	edi, [ebp-0ECh]
		mov	[ebp-0C4h], ebx
		cmp	ebx, 2
		jb	loc_431F00
		mov	ecx, [ebp-8]
		mov	eax, [ebp-0D0h]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_432201:				; CODE XREF: .text:00432150j
		test	ebx, ebx
		jz	short loc_43221F
		mov	ecx, ebx

loc_432207:				; CODE XREF: .text:0043221Dj
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		lea	esi, [esi+8]
		mov	[esi-4], eax
		sub	ecx, 1
		jnz	short loc_432207

loc_43221F:				; CODE XREF: .text:00432203j
		mov	eax, [ebp-0B0h]
		mov	edi, ebx
		mov	edx, [ebp-0C0h]
		mov	ecx, edx
		shr	ecx, 5
		mov	eax, [eax+4]
		lea	esi, [eax+ecx*4]
		mov	ecx, edx
		and	ecx, 1Fh
		mov	[ebp-0A8h], ecx
		lea	eax, [ecx+ebx]
		cmp	eax, 20h
		ja	short loc_43226E
		cmp	ebx, 20h
		jnz	short loc_432258
		mov	dword ptr [esi], 0
		jmp	short loc_4322CF
; 

loc_432258:				; CODE XREF: .text:0043224Ej
		mov	ecx, ebx
		mov	eax, 1
		shl	eax, cl
		mov	ecx, [ebp-0A8h]
		dec	eax
		shl	eax, cl
		not	eax
		jmp	short loc_4322CC
; 

loc_43226E:				; CODE XREF: .text:00432249j
		test	ecx, ecx
		jz	short loc_43229D
		mov	edx, 20h
		mov	eax, 1
		sub	edx, ecx
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [ebp-0A8h]
		dec	eax
		shl	eax, cl
		not	eax
		lock and [esi],	eax
		mov	edi, ebx
		sub	edi, edx
		mov	edx, [ebp-0C0h]
		add	esi, 4

loc_43229D:				; CODE XREF: .text:00432270j
		cmp	edi, 20h
		jb	short loc_4322C1
		mov	eax, edi
		shr	eax, 5
		jmp	short loc_4322B0
; 
		align 10h

loc_4322B0:				; CODE XREF: .text:004322A7j
					; .text:004322BFj
		mov	dword ptr [esi], 0
		sub	edi, 20h
		add	esi, 4
		sub	eax, 1
		jnz	short loc_4322B0

loc_4322C1:				; CODE XREF: .text:004322A0j
		test	edi, edi
		jz	short loc_4322CF
		or	eax, 0FFFFFFFFh
		mov	ecx, edi
		shl	eax, cl

loc_4322CC:				; CODE XREF: .text:0043226Cj
		lock and [esi],	eax

loc_4322CF:				; CODE XREF: .text:00432256j
					; .text:004322C3j
		mov	ecx, [ebp-0B0h]
		push	ebx
		call	MiAttemptCoalesce
		add	[ebp-0D0h], ebx

loc_4322E1:				; CODE XREF: .text:0043217Cj
					; .text:004321ACj
		mov	edx, [ebp-0CCh]
		xor	ebx, ebx

loc_4322E9:				; CODE XREF: .text:00432071j
		mov	esi, [ebp-0B0h]
		mov	edi, edx
		mov	[ebp-0C0h], edx
		test	edx, edx
		jnz	loc_431F08
		mov	ebx, [ebp-0C4h]
		test	ebx, ebx
		jnz	loc_4321CC
		jmp	loc_4321B8
; 

loc_432312:				; CODE XREF: .text:00432081j
					; .text:0043208Cj ...
		push	edi
		push	ebx
		push	esi
		push	504h
		push	0DAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 3 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAttemptCoalesce proc near		; CODE XREF: .text:004322D6p
					; .text:0047AD95p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 004323B1 SIZE 00000020 BYTES
; FUNCTION CHUNK AT 005A8FD0 SIZE 000000AD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_C], eax
		mov	eax, [eax+0Ch]
		push	esi
		and	al, 4
		movzx	esi, al
		neg	esi
		push	edi
		sbb	esi, esi
		mov	edi, edx
		and	esi, 0FFFFFE20h
		dec	ebx
		add	esi, 200h
		lea	edx, [esi-1]
		not	edx
		lea	ecx, [esi+edi]
		mov	eax, edx
		add	ebx, ecx
		and	eax, edi
		and	ebx, edx
		mov	ecx, eax
		mov	[ebp+var_18], eax
		sub	ebx, ecx
		mov	edi, 0
		mov	[ebp+var_4], ebx
		jz	short loc_4323A8
		mov	eax, [ebp+var_4]
		mov	ebx, 20h
		mov	edx, [ebp+var_C]
		sub	ebx, esi
		jmp	loc_5A8FD0
; 

loc_432391:				; CODE XREF: MiAttemptCoalesce+176CFDj
					; MiAttemptCoalesce+176D48j
		setz	al
		cmp	al, 1
		jz	short loc_4323B1

loc_432398:				; CODE XREF: MiAttemptCoalesce+9Fj
					; MiAttemptCoalesce+176D0Dj ...
		mov	eax, [ebp+var_4]

loc_43239B:				; CODE XREF: MiAttemptCoalesce+176CAAj
					; MiAttemptCoalesce+176CB5j
		mov	ecx, [ebp+var_18]
		add	edi, esi
		cmp	edi, eax
		jb	loc_5A8FD0

loc_4323A8:				; CODE XREF: MiAttemptCoalesce+4Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
MiAttemptCoalesce endp ; sp = -2Ch

; 
; START	OF FUNCTION CHUNK FOR MiAttemptCoalesce

loc_4323B1:				; CODE XREF: MiAttemptCoalesce+66j
		push	esi
		push	ecx
		push	edx
		call	RtlInterlockedSetClearRun
		cmp	eax, 1
		jnz	short loc_4323CC
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_C]
		push	0
		push	esi
		call	_MiReturnSystemPtes@16 ; MiReturnSystemPtes(x,x,x,x)

loc_4323CC:				; CODE XREF: MiAttemptCoalesce+8Cj
		mov	edx, [ebp+var_C]
		jmp	short loc_432398
; END OF FUNCTION CHUNK	FOR MiAttemptCoalesce
; 
		align 10h
; Exported entry 1962. RtlAreBitsClear

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAreBitsClear(x, x, x)
		public _RtlAreBitsClear@12
_RtlAreBitsClear@12 proc near		; CODE XREF: HvGetHiveLogFileStatus+37p
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+25Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	eax, [ecx]
		cmp	edx, eax
		jnb	loc_432495
		push	esi
		mov	esi, [ebp+arg_8]
		cmp	esi, 1
		jbe	loc_432485
		sub	eax, edx
		cmp	eax, esi
		jb	loc_432499
		mov	ecx, [ecx+4]
		mov	eax, edx
		shr	eax, 5
		push	ebx
		lea	ebx, [esi-1]
		push	edi
		lea	edi, [ecx+eax*4]
		lea	eax, [ebx+edx]
		mov	ebx, [edi]
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	[ebp+arg_0], eax
		cmp	edi, eax
		jnz	short loc_43244A
		mov	ecx, 20h
		or	eax, 0FFFFFFFFh
		sub	ecx, esi
		shr	eax, cl
		mov	ecx, edx
		shl	eax, cl
		test	ebx, eax

loc_432440:				; CODE XREF: RtlAreBitsClear(x,x,x)+9Aj
		pop	edi
		setz	al
		pop	ebx

loc_432445:				; CODE XREF: RtlAreBitsClear(x,x,x)+BBj
		pop	esi

loc_432446:				; CODE XREF: RtlAreBitsClear(x,x,x)+B7j
		pop	ebp
		retn	0Ch
; 

loc_43244A:				; CODE XREF: RtlAreBitsClear(x,x,x)+4Cj
		or	eax, 0FFFFFFFFh
		mov	ecx, edx
		shl	eax, cl
		test	ebx, eax
		jnz	short loc_43247C
		mov	eax, [ebp+arg_0]
		add	edi, 4
		cmp	edi, eax
		jz	short loc_43246C
		nop

loc_432460:				; CODE XREF: RtlAreBitsClear(x,x,x)+8Aj
		cmp	dword ptr [edi], 0
		jnz	short loc_43247C
		add	edi, 4
		cmp	edi, eax
		jnz	short loc_432460

loc_43246C:				; CODE XREF: RtlAreBitsClear(x,x,x)+7Dj
		lea	ecx, [esi-1]
		or	eax, 0FFFFFFFFh
		add	ecx, edx
		not	ecx
		shr	eax, cl
		test	[edi], eax
		jmp	short loc_432440
; 

loc_43247C:				; CODE XREF: RtlAreBitsClear(x,x,x)+73j
					; RtlAreBitsClear(x,x,x)+83j
		pop	edi
		pop	ebx
		xor	al, al
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_432485:				; CODE XREF: RtlAreBitsClear(x,x,x)+1Cj
		jnz	short loc_432499
		mov	eax, [ecx+4]
		pop	esi
		bt	[eax], edx
		setnb	al
		pop	ebp
		retn	0Ch
; 

loc_432495:				; CODE XREF: RtlAreBitsClear(x,x,x)+Fj
		xor	al, al
		jmp	short loc_432446
; 

loc_432499:				; CODE XREF: RtlAreBitsClear(x,x,x)+26j
					; RtlAreBitsClear(x,x,x):loc_432485j
		xor	al, al
		jmp	short loc_432445
_RtlAreBitsClear@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiFlushTbListEarly(x, x)
_MiFlushTbListEarly@8 proc near		; CODE XREF: .text:00432174p
					; .text:0045881Bp ...
		mov	eax, [ecx+0Ch]
		push	esi
		mov	esi, dword_6D0748
		cmp	eax, [ecx+8]
		jnb	short loc_4324BC
		cmp	byte ptr [ecx+5], 0
		jnz	short loc_4324BC
		cmp	[ecx+10h], esi
		ja	short loc_4324BC

loc_4324B8:				; CODE XREF: MiFlushTbListEarly(x,x)+2Ej
		xor	eax, eax
		pop	esi
		retn
; 

loc_4324BC:				; CODE XREF: MiFlushTbListEarly(x,x)+Dj
					; MiFlushTbListEarly(x,x)+13j ...
		test	dl, 2
		jnz	short loc_4324D7
		cmp	esi, 400h
		jnb	short loc_4324DC

loc_4324C9:				; CODE XREF: MiFlushTbListEarly(x,x)+44j
		test	dl, 1
		jz	short loc_4324B8
		mov	byte ptr [ecx+5], 1

loc_4324D2:				; CODE XREF: MiFlushTbListEarly(x,x)+42j
		call	MiFlushTbList

loc_4324D7:				; CODE XREF: MiFlushTbListEarly(x,x)+21j
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_4324DC:				; CODE XREF: MiFlushTbListEarly(x,x)+29j
		cmp	byte ptr [ecx+5], 0
		jz	short loc_4324D2
		jmp	short loc_4324C9
_MiFlushTbListEarly@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReturnSystemPtes(x, x, x,	x)
_MiReturnSystemPtes@16 proc near	; CODE XREF: MiAttemptCoalesce+97p
					; .text:0047AD11p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	byte ptr [ebx+0Ch], 4
		mov	edi, esi
		jnz	short loc_432534

loc_4324F9:				; CODE XREF: MiReturnSystemPtes(x,x,x,x)+56j
		mov	eax, [ebx+8]
		neg	esi
		mov	ecx, esi
		lea	edx, [eax+edx*8]
		lea	eax, [ebx+30h]
		lock xadd [eax], ecx
		lea	eax, [ebx+20h]
		lock xadd [eax], esi
		mov	eax, [ebx+10h]
		mov	ecx, edx
		lea	edx, [edx+edi*8]
		shl	ecx, 9
		pop	edi
		shl	edx, 9
		cmp	[ebp+arg_4], 1
		pop	esi
		pop	ebx
		jz	short loc_43253C

loc_432528:				; CODE XREF: MiReturnSystemPtes(x,x,x,x)+5Bj
		push	0
		push	eax
		call	_MiReturnSystemVa@16 ; MiReturnSystemVa(x,x,x,x)
		pop	ebp
		retn	8
; 

loc_432534:				; CODE XREF: MiReturnSystemPtes(x,x,x,x)+13j
		shl	edi, 4
		shl	edx, 4
		jmp	short loc_4324F9
; 

loc_43253C:				; CODE XREF: MiReturnSystemPtes(x,x,x,x)+42j
		push	0Dh
		pop	eax
		jmp	short loc_432528
_MiReturnSystemPtes@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReturnSystemVa(x,	x, x, x)
_MiReturnSystemVa@16 proc near		; CODE XREF: MiReturnSystemPtes(x,x,x,x)+47p
					; MmFreePoolMemory+170p ...

var_AA		= byte ptr -0AAh
var_A9		= byte ptr -0A9h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0ACh+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [esp+0BCh+var_A0]
		mov	ebx, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		shr	edi, 9
		mov	ecx, offset loc_7FFFF8
		shr	ebx, 9
		and	edi, ecx
		and	ebx, ecx
		sub	edi, 3FFFF001h
		mov	eax, 0FFFFF000h
		sub	ebx, 3FFFFFF9h
		and	edi, eax
		and	ebx, eax
		add	esp, 0Ch
		cmp	edi, ebx
		jnb	loc_432689
		mov	eax, [ebp+arg_0]
		mov	esi, offset unk_6D3B40
		shl	ebx, 9
		shl	edi, 9
		mov	ecx, ebx
		sub	ecx, edi
		mov	[esp+0B8h+var_98], 21h
		dec	eax
		mov	[esp+0B8h+var_A4], ecx
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFFEh
		add	eax, 2
		mov	[esp+0B8h+var_A0], eax
		xor	eax, eax
		mov	[esp+0B8h+var_9C], ax
		mov	[esp+0B8h+var_90], eax
		mov	[esp+0B8h+var_8C], eax
		mov	eax, ecx
		shr	eax, 15h
		mov	[esp+0B8h+var_A8], eax
		mov	eax, [ebp+arg_0]
		sub	eax, 1
		jz	loc_4326EC
		sub	eax, 5
		jz	loc_4326F3
		dec	eax
		sub	eax, 1
		jz	loc_4326AF
		sub	eax, 1
		jnz	loc_4326A0

loc_432612:				; CODE XREF: MiReturnSystemVa(x,x,x,x)+191j
		mov	esi, offset unk_6D3940

loc_432617:				; CODE XREF: MiReturnSystemVa(x,x,x,x)+168j
					; MiReturnSystemVa(x,x,x,x)+176j ...
		push	offset dword_6D2E64
		call	ExAcquireSpinLockExclusive
		mov	edx, [esp+0B8h+var_A8]
		mov	ecx, edi
		shr	ecx, 15h
		sub	ecx, 400h
		mov	[esp+0B8h+var_A9], al
		add	edx, ecx
		cmp	ecx, edx
		jnb	short loc_432651
		mov	eax, 80000000h

loc_43263F:				; CODE XREF: MiReturnSystemVa(x,x,x,x)+10Dj
		cmp	[ebp+arg_0], 1
		jz	short loc_4326BD

loc_432645:				; CODE XREF: MiReturnSystemVa(x,x,x,x)+183j
		or	dword_6D1BD4[ecx*4], eax

loc_43264C:				; CODE XREF: MiReturnSystemVa(x,x,x,x)+189j
		inc	ecx
		cmp	ecx, edx
		jb	short loc_43263F

loc_432651:				; CODE XREF: MiReturnSystemVa(x,x,x,x)+F6j
		push	offset dword_6D2E64
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+0B8h+var_A9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+arg_0]
		lea	eax, [esp+0B8h+var_A0]
		push	eax
		push	1
		lea	eax, [ebx-1]
		mov	ecx, esi
		push	eax
		push	edi
		call	_MiDeleteSystemPageTables@24 ; MiDeleteSystemPageTables(x,x,x,x,x,x)
		push	[ebp+arg_0]
		mov	edx, [esp+0BCh+var_A4]
		mov	ecx, edi
		call	MiMakeSystemRangeAvailable

loc_432689:				; CODE XREF: MiReturnSystemVa(x,x,x,x)+5Dj
		mov	ecx, [esp+0B8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4326A0:				; CODE XREF: MiReturnSystemVa(x,x,x,x)+CAj
		sub	eax, 3
		jnz	short loc_4326D0
		mov	esi, offset unk_6D3740
		jmp	loc_432617
; 

loc_4326AF:				; CODE XREF: MiReturnSystemVa(x,x,x,x)+C1j
		xor	ecx, ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)

loc_4326B6:				; CODE XREF: MiReturnSystemVa(x,x,x,x)+1AFj
		mov	esi, eax
		jmp	loc_432617
; 

loc_4326BD:				; CODE XREF: MiReturnSystemVa(x,x,x,x)+101j
		cmp	dword_6CF5BC[ecx*4], 1
		jz	loc_432645
		jmp	loc_43264C
; 

loc_4326D0:				; CODE XREF: MiReturnSystemVa(x,x,x,x)+161j
		sub	eax, 1
		jz	loc_432612
		sub	eax, 1
		jnz	loc_432617
		mov	esi, offset unk_6D3A40
		jmp	loc_432617
; 

loc_4326EC:				; CODE XREF: MiReturnSystemVa(x,x,x,x)+AEj
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		jmp	short loc_4326B6
; 

loc_4326F3:				; CODE XREF: MiReturnSystemVa(x,x,x,x)+B7j
		mov	esi, offset unk_6D3840
		jmp	loc_432617
_MiReturnSystemVa@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMakeSystemRangeAvailable proc	near	; CODE XREF: MiReturnSystemVa(x,x,x,x)+142p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A907D SIZE 0000017C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_14], ecx
		lea	edi, [ebp+var_2C]
		mov	ebx, edx
		stosd
		mov	[ebp+var_10], ebx
		stosd
		stosd
		mov	edi, [ebp+arg_0]
		cmp	edi, 0Dh
		jz	loc_432871

loc_432725:				; CODE XREF: MiMakeSystemRangeAvailable+176j
		mov	esi, ecx
		shr	esi, 15h
		push	offset dword_6D2E64
		lea	eax, dword_6D3994[esi]
		mov	[ebp+var_8], eax
		call	ExAcquireSpinLockExclusive
		and	[ebp+var_C], 0
		mov	byte ptr [ebp+arg_0+3],	al
		test	ebx, ebx
		jz	short loc_43279F
		mov	edx, [ebp+var_14]
		lea	ebx, unk_6CE5BC[esi*4]
		mov	esi, [ebp+var_10]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_4], edx

loc_43275B:				; CODE XREF: MiMakeSystemRangeAvailable+9Fj
		mov	cl, [ecx]
		movzx	eax, cl
		cmp	eax, edi
		jnz	loc_5A90AA
		xor	eax, eax
		inc	eax
		cmp	edi, eax
		jz	short loc_4327B9

loc_43276F:				; CODE XREF: MiMakeSystemRangeAvailable+16Ej
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		call	_MiRecycleSystemRegionVa@8 ; MiRecycleSystemRegionVa(x,x)

loc_432779:				; CODE XREF: MiMakeSystemRangeAvailable+165j
		mov	eax, [ebp+var_C]
		mov	ecx, 200000h
		mov	edx, [ebp+var_4]
		add	eax, ecx
		mov	esi, [ebp+var_10]
		add	edx, ecx
		mov	ecx, [ebp+var_8]
		add	ebx, 4
		inc	ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		cmp	eax, esi
		jb	short loc_43275B

loc_43279F:				; CODE XREF: MiMakeSystemRangeAvailable+48j
		push	offset dword_6D2E64
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4327B9:				; CODE XREF: MiMakeSystemRangeAvailable+6Fj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [eax+180h]
		mov	eax, edx
		shr	eax, 15h
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], eax
		mov	esi, [ecx+eax*8-1C20h]
		nop
		mov	eax, [ecx+eax*8-1C1Ch]
		push	0
		push	300h
		mov	[ebp+var_18], eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		cmp	esi, eax
		jnz	short loc_432860
		cmp	[ebp+var_18], edx
		jnz	short loc_432860
		lea	edx, [ebp+var_2C]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [ebp+var_1C]
		mov	edx, [ebp+var_20]
		mov	eax, ds:_ZeroPte
		mov	[edx+ecx*8-1C20h], eax
		mov	eax, ds:dword_40F9FC
		mov	[edx+ecx*8-1C1Ch], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5A907D
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	loc_5A9095
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_2C]
		cmp	eax, ecx
		jnz	loc_5A908D

loc_432857:				; CODE XREF: MiMakeSystemRangeAvailable+17698Aj
					; MiMakeSystemRangeAvailable+1769A7j
		mov	cl, byte ptr [ebp+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_432860:				; CODE XREF: MiMakeSystemRangeAvailable+F8j
					; MiMakeSystemRangeAvailable+FDj
		sub	dword ptr [ebx], 1
		jnz	loc_432779
		xor	eax, eax
		inc	eax
		jmp	loc_43276F
; 

loc_432871:				; CODE XREF: MiMakeSystemRangeAvailable+21j
		push	9
		pop	edi
		jmp	loc_432725
MiMakeSystemRangeAvailable endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiRecycleSystemRegionVa(x, x)
_MiRecycleSystemRegionVa@8 proc	near	; CODE XREF: MiMakeSystemRangeAvailable+76p
					; MiUnlockSystemVa(x)+3Fp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	ebx, offset dword_6D2E64
		test	edi, edi
		jnz	short loc_432892
		push	ebx
		call	ExAcquireSpinLockExclusiveAtDpcLevel

loc_432892:				; CODE XREF: MiRecycleSystemRegionVa(x,x)+10j
		shr	esi, 15h
		mov	edx, 7FFFFFFFh
		mov	eax, dword_6D0BD4[esi*4]
		lea	ecx, [eax-1]
		xor	ecx, eax
		and	ecx, edx
		xor	ecx, eax
		mov	dword_6D0BD4[esi*4], ecx
		and	ecx, edx
		jz	short loc_4328C3

loc_4328B5:				; CODE XREF: MiRecycleSystemRegionVa(x,x)+6Fj
		test	edi, edi
		jnz	short loc_4328BF
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_4328BF:				; CODE XREF: MiRecycleSystemRegionVa(x,x)+3Dj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4328C3:				; CODE XREF: MiRecycleSystemRegionVa(x,x)+39j
		movzx	eax, byte ptr dword_6D3994[esi]
		mov	dword_6D0BD4[esi*4], ecx
		dec	dword_6D3D54[eax*4]
		add	dword_6D4254, 200000h
		mov	byte ptr dword_6D3994[esi], 0
		jmp	short loc_4328B5
_MiRecycleSystemRegionVa@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteSystemPageTables(x,	x, x, x, x, x)
_MiDeleteSystemPageTables@24 proc near	; CODE XREF: MiReturnSystemVa(x,x,x,x)+134p
					; MiMakeZeroedPageTablesEx+100353p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_52		= byte ptr -52h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		and	[esp+6Ch+var_60], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		push	4Ch		; size_t
		mov	[esp+7Ch+var_6C], eax
		mov	edi, edx
		lea	eax, [esp+7Ch+var_58]
		mov	[esp+7Ch+var_68], ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	al, [ebp+arg_8]
		add	esp, 0Ch
		and	al, 7
		mov	[esp+78h+var_44], ebx
		mov	ebx, [esp+78h+var_68]
		mov	ecx, ebx
		shl	al, 2
		mov	byte ptr [esp+78h+var_58+2], al
		mov	eax, 807h
		mov	word ptr [esp+78h+var_58], ax
		mov	eax, [esp+78h+var_6C]
		mov	[esp+78h+var_40], eax
		lea	eax, [esp+78h+var_64]
		mov	[esp+78h+var_64], edi
		mov	[esp+78h+var_5C], esi
		mov	[esp+78h+var_18], offset MiDeleteSystemPageTable
		mov	[esp+78h+var_14], offset _MiDeleteSystemPageTableTail@4	; MiDeleteSystemPageTableTail(x)
		mov	[esp+78h+var_10], eax
		mov	[esp+78h+var_48], ebx
		call	MiLockWorkingSetShared
		lea	ecx, [esp+78h+var_58]
		mov	[esp+78h+var_52], al
		call	MiWalkPageTables
		mov	dl, [esp+78h+var_52]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		mov	ecx, [esp+78h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_MiDeleteSystemPageTables@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpAllocateLogBuffers proc near		; CODE XREF: HvpGenerateLogEntry+99p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A91F9 SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	6F494D43h
		push	eax
		push	5
		mov	[ebp+var_1C], edx
		xor	esi, esi
		mov	[ebp+var_18], ecx
		xor	edi, edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5A90CE
		push	6F494D43h
		push	0Ch
		push	1
		inc	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5A90C4
		mov	eax, [ebp+arg_0]
		and	dword ptr [esi], 0
		mov	[esi+8], eax
		mov	eax, [ebp+var_18]
		mov	[esi+4], ebx
		xor	ebx, ebx
		mov	[eax], esi
		xor	esi, esi
		mov	eax, [ebp+var_1C]
		and	[ebp+arg_0], ebx
		mov	dword ptr [eax], 1

loc_432A15:				; CODE XREF: MiMakeSystemRangeAvailable+176AEAj
					; MiMakeSystemRangeAvailable+176AF6j
		test	ebx, ebx
		jnz	loc_5A91F9

loc_432A1D:				; CODE XREF: HvpAllocateLogBuffers+176855j
		test	esi, esi
		jnz	loc_5A9206

loc_432A25:				; CODE XREF: HvpAllocateLogBuffers+176882j
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
HvpAllocateLogBuffers endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall HvpGenerateLogEntryHeader(size_t,int,int,int,int,int,int,char)
_HvpGenerateLogEntryHeader@32 proc near	; CODE XREF: HvpGenerateLogEntry+C7p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_14], 0
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, edx
		mov	[ebp+var_3C], ebx
		mov	edx, ecx	; size_t
		mov	[ebp+var_40], esi
		mov	eax, [ebx]
		mov	ecx, [ebp+arg_4]
		push	edi
		mov	[ebp+var_38], edx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		jnz	short loc_432AE1

loc_432A69:				; CODE XREF: HvpGenerateLogEntryHeader(x,x,x,x,x,x,x,x)+107j
		mov	eax, [ebp+arg_C]
		xor	edi, edi
		cmp	[ebp+arg_14], 0
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_2C], 454C7648h
		mov	[ebp+var_28], eax
		jnz	loc_432B3C

loc_432A8E:				; CODE XREF: HvpGenerateLogEntryHeader(x,x,x,x,x,x,x,x)+114j
		mov	eax, [edx+6Ch]
		mov	[ebp+var_20], eax
		mov	eax, [edx+20h]
		mov	[ebp+var_24], edi
		test	byte ptr [eax+90h], 1
		jz	short loc_432AAA
		mov	[ebp+var_24], 1

loc_432AAA:				; CODE XREF: HvpGenerateLogEntryHeader(x,x,x,x,x,x,x,x)+71j
		mov	eax, [edx+0C8h]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_30]
		push	eax		; int
		push	ecx		; int
		push	ecx		; int
		push	esi		; int
		push	28h
		pop	edx
		lea	ecx, [ebp+var_2C] ; int
		call	HvpCopyDataToOffsetArray
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_30]
		xor	ecx, ebp
		pop	edi
		pop	esi
		mov	[ebx], eax
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_432AE1:				; CODE XREF: HvpGenerateLogEntryHeader(x,x,x,x,x,x,x,x)+37j
		mov	ebx, [esi+4]
		mov	ecx, 80h
		mov	esi, [edx+20h]
		mov	edi, ebx
		rep movsd
		mov	eax, [edx+6Ch]
		mov	ecx, ebx
		mov	[ebx+4], eax
		mov	eax, [edx+6Ch]
		mov	[ebx+8], eax
		mov	dword ptr [ebx+1Ch], 6
		mov	eax, [edx+0C8h]
		mov	[ebx+28h], eax
		mov	dword ptr [ebx+2Ch], 1
		call	_HvpHeaderCheckSum@4 ; HvpHeaderCheckSum(x)
		mov	edx, [ebp+var_38]
		mov	esi, [ebp+var_40]
		mov	ecx, [ebp+var_44]
		mov	[ebx+1FCh], eax
		mov	eax, [ebp+var_34]
		mov	ebx, [ebp+var_3C]
		add	eax, 200h
		mov	[ebp+var_30], eax
		jmp	loc_432A69
; 

loc_432B3C:				; CODE XREF: HvpGenerateLogEntryHeader(x,x,x,x,x,x,x,x)+58j
		add	eax, 0FFFFFE00h
		mov	[ebp+var_28], eax
		jmp	loc_432A8E
_HvpGenerateLogEntryHeader@32 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpGenerateLogEntryMetadata(x, x, x, x, x, x, x)
_HvpGenerateLogEntryMetadata@28	proc near ; CODE XREF: HvpGenerateLogEntry+DFp

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_10]
		lea	eax, [ebp+arg_10]
		push	edi
		mov	edi, edx
		mov	[ebp+arg_10], esi
		mov	edx, [ebp+arg_C]
		add	ecx, 2Ch
		push	eax
		call	_HvpGenerateLogMetadata@12 ; HvpGenerateLogMetadata(x,x,x)
		push	[ebp+arg_8]	; int
		mov	edx, esi
		push	[ebp+arg_4]	; int
		shl	edx, 3		; size_t
		push	ecx		; int
		mov	ecx, [ebp+arg_C] ; int
		push	edi		; int
		call	HvpCopyDataToOffsetArray
		pop	edi
		pop	esi
		pop	ebp
		retn	14h
_HvpGenerateLogEntryMetadata@28	endp

; 
		align 10h
; Exported entry 2089. RtlFindNextForwardRunClear

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlFindNextForwardRunClear
RtlFindNextForwardRunClear proc	near	; CODE XREF: MiDeleteEmptyPageTableTail(x)+70p
					; IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+AEp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005A9233 SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		mov	edx, [ebx]
		cmp	edx, esi
		jbe	loc_5A9233
		mov	ecx, [ebx+4]
		lea	eax, [edx-1]
		shr	eax, 5
		push	edi
		lea	edi, [ecx+eax*4]
		mov	eax, esi
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		cmp	eax, edi
		jz	short loc_432BD7
		mov	ebx, esi
		and	ebx, 1Fh
		mov	ecx, ds:dword_40BA68[ebx*4]
		or	ecx, [eax]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_432C3B

loc_432BD4:				; CODE XREF: RtlFindNextForwardRunClear+B5j
					; RtlFindNextForwardRunClear+BAj ...
		mov	ebx, [ebp+arg_0]

loc_432BD7:				; CODE XREF: RtlFindNextForwardRunClear+2Fj
		cmp	esi, edx
		jnb	short loc_432BEA
		mov	ecx, [ebx+4]
		mov	edi, edi

loc_432BE0:				; CODE XREF: RtlFindNextForwardRunClear+58j
		bt	[ecx], esi
		jnb	short loc_432BEA
		inc	esi
		cmp	esi, edx
		jb	short loc_432BE0

loc_432BEA:				; CODE XREF: RtlFindNextForwardRunClear+49j
					; RtlFindNextForwardRunClear+53j
		xor	ebx, ebx
		cmp	eax, edi
		jz	short loc_432C07
		mov	edx, [eax]
		mov	ecx, esi
		and	ecx, 1Fh
		mov	[ebp+arg_4], ecx
		mov	ecx, ds:dword_40BA68[ecx*4]
		not	ecx
		and	ecx, edx
		jz	short loc_432C5B

loc_432C07:				; CODE XREF: RtlFindNextForwardRunClear+5Ej
					; RtlFindNextForwardRunClear+DDj ...
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebx+esi]
		mov	edx, [ecx]
		cmp	eax, edx
		jnb	short loc_432C26
		mov	ecx, [ecx+4]

loc_432C16:				; CODE XREF: RtlFindNextForwardRunClear+94j
		bt	[ecx], eax
		jb	short loc_432C26
		cmp	ebx, 0FFFFFFFFh
		jnb	short loc_432C26
		inc	eax
		inc	ebx
		cmp	eax, edx
		jb	short loc_432C16

loc_432C26:				; CODE XREF: RtlFindNextForwardRunClear+81j
					; RtlFindNextForwardRunClear+89j ...
		mov	eax, [ebp+arg_8]
		pop	edi
		mov	[eax], esi
		cmp	ebx, 0FFFFFFFFh
		ja	short loc_432C86

loc_432C31:				; CODE XREF: RtlFindNextForwardRunClear+F9j
		mov	eax, ebx

loc_432C33:				; CODE XREF: RtlFindNextForwardRunClear+1766AAj
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_432C3B:				; CODE XREF: RtlFindNextForwardRunClear+42j
		sub	esi, ebx
		add	eax, 4
		add	esi, 20h
		cmp	eax, edi
		jnb	short loc_432BD4

loc_432C47:				; CODE XREF: RtlFindNextForwardRunClear+C4j
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_432BD4
		add	eax, 4
		add	esi, 20h
		cmp	eax, edi
		jb	short loc_432C47
		jmp	loc_432BD4
; 

loc_432C5B:				; CODE XREF: RtlFindNextForwardRunClear+75j
		mov	ebx, 20h
		sub	ebx, [ebp+arg_4]
		cmp	ebx, 0FFFFFFFFh
		jnb	short loc_432C26
		add	eax, 4
		cmp	eax, edi
		jnb	short loc_432C07
		nop

loc_432C70:				; CODE XREF: RtlFindNextForwardRunClear+F2j
		cmp	dword ptr [eax], 0
		jnz	short loc_432C07
		add	ebx, 20h
		add	eax, 4
		cmp	ebx, 0FFFFFFFFh
		jnb	short loc_432C26
		cmp	eax, edi
		jb	short loc_432C70
		jmp	short loc_432C07
; 

loc_432C86:				; CODE XREF: RtlFindNextForwardRunClear+9Fj
		or	ebx, 0FFFFFFFFh
		jmp	short loc_432C31
RtlFindNextForwardRunClear endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpDecrementAppHiveUnloadCount proc near ; CODE	XREF: CmpCompleteUnloadKey(x,x,x)+86p
					; CmpLateUnloadHiveWorker+189F8Fp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A923F SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		sub	_CmpActiveAppHiveUnloadCount, 1
		jnz	short locret_432CB3
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		cmp	_CmpActiveAppHiveUnloadEvent, ecx
		jnz	loc_5A923F

locret_432CB3:				; CODE XREF: CmpDecrementAppHiveUnloadCount+Dj
		leave
		retn
CmpDecrementAppHiveUnloadCount endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpUnblockPushLock proc	near		; CODE XREF: CmpTryToRundownHive+191p
					; ExBlockOnAddressPushLock+86p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005A924F SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	eax, ecx
		xor	dl, dl
		mov	[ebp+var_8], eax
		mov	[ebp+var_1], dl
		xor	esi, esi
		xchg	esi, [eax]
		push	2
		pop	ebx
		test	esi, esi
		jz	short loc_432D10
		cmp	dword ptr [esi+10h], 0
		jnz	short loc_432D3B

loc_432CDE:				; CODE XREF: ExpUnblockPushLock+4Dj
					; ExpUnblockPushLock+8Fj
		cmp	esi, edi
		jz	short loc_432D35

loc_432CE2:				; CODE XREF: ExpUnblockPushLock+83j
		mov	ecx, [esi+10h]
		lea	eax, [esi+20h]
		mov	[ebp+var_C], ecx
		lock btr dword ptr [eax], 1
		jb	short loc_432CFF
		push	0
		push	1
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [ebp+var_C]

loc_432CFF:				; CODE XREF: ExpUnblockPushLock+3Aj
		mov	esi, ecx
		test	ecx, ecx
		jnz	short loc_432CDE
		cmp	bl, 2
		jnz	short loc_432D47

loc_432D0A:				; CODE XREF: ExpUnblockPushLock+99j
		mov	eax, [ebp+var_8]
		mov	dl, [ebp+var_1]

loc_432D10:				; CODE XREF: ExpUnblockPushLock+20j
		test	edi, edi
		jnz	short loc_432D1B

loc_432D14:				; CODE XREF: ExpUnblockPushLock+67j
					; ExpUnblockPushLock+7Dj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_432D1B:				; CODE XREF: ExpUnblockPushLock+5Cj
		test	dl, dl
		jnz	short loc_432D14
		push	0
		cmp	[ebp+arg_0], dl
		jnz	loc_5A924F
		mov	edx, edi
		mov	ecx, eax
		call	ExTimedWaitForUnblockPushLock
		jmp	short loc_432D14
; 

loc_432D35:				; CODE XREF: ExpUnblockPushLock+2Aj
		mov	[ebp+var_1], 1
		jmp	short loc_432CE2
; 

loc_432D3B:				; CODE XREF: ExpUnblockPushLock+26j
		mov	cl, bl
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		jmp	short loc_432CDE
; 

loc_432D47:				; CODE XREF: ExpUnblockPushLock+52j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_432D0A
ExpUnblockPushLock endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall BiZwClose(x)
_BiZwClose@4	proc near		; CODE XREF: HvpViewMapCleanup(x)+87p
					; BiDeleteKey+52p ...
		mov	edi, edi
		push	ecx
		call	_ZwClose@4	; ZwClose(x)
		retn
_BiZwClose@4	endp

; 
		align 10h
; Exported entry  82. ExUnblockPushLockEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExUnblockPushLockEx
ExUnblockPushLockEx proc near

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A7DC2 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	eax, eax
		test	edx, 0FFFFFFFCh
		jnz	loc_5A7DC2
		push	esi
		mov	[ebp+var_4], eax
		lea	edx, [ebp+var_4]
		xor	esi, esi
		lock or	[edx], esi
		pop	esi
		cmp	[ecx], eax
		jnz	loc_5A7DD0
		leave
		retn
ExUnblockPushLockEx endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTryToRundownHive proc near		; CODE XREF: CmpLateUnloadHiveWorker+8Cp

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A9260 SIZE 000000CD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1], 0
		lea	edi, [ebp+var_18]
		mov	[ebp+var_2], 0
		stosd
		mov	esi, ecx
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_8], esi
		mov	ebx, edx
		stosd
		stosd
		call	_CmpInitializeRollbackPacket@4 ; CmpInitializeRollbackPacket(x)
		mov	edi, [ebp+arg_0]
		mov	al, [edi]
		mov	[ebp+var_3], al

loc_432DBE:				; CODE XREF: CmpTryToRundownHive+EDj
					; CmpTryToRundownHive+183j ...
		cmp	byte ptr [edi],	0
		jz	short loc_432DC8
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_432DC8:				; CODE XREF: CmpTryToRundownHive+35j
		mov	byte ptr [edi],	0
		call	CmpAcquireShutdownRundown
		test	al, al
		jz	loc_5A9274
		cmp	dword ptr [ebx], 2
		mov	byte ptr [edi],	1
		jnz	loc_5A9260

loc_432DE4:				; CODE XREF: CmpTryToRundownHive+1764E2j
		cmp	[ebp+var_1], 0
		jz	short loc_432E38
		mov	ecx, [esi+9A0h]
		test	ecx, ecx
		jnz	loc_432E7E

loc_432DF8:				; CODE XREF: CmpTryToRundownHive+F6j
		or	eax, 0FFFFFFFFh
		lock xadd _CmpActiveHiveRundownCount, eax
		jnz	short loc_432E1D
		and	[ebp+arg_0], 0
		lea	eax, [ebp+arg_0]
		xor	ecx, ecx
		lock or	[eax], ecx
		cmp	_CmpActiveHiveRundownEvent, ecx
		jnz	loc_432F14

loc_432E1D:				; CODE XREF: CmpTryToRundownHive+77j
					; CmpTryToRundownHive+196j
		lea	ecx, [ebp+var_18]
		call	CmpCleanupRollbackPacket
		cmp	[ebp+var_3], 0
		jz	loc_5A9320

loc_432E2F:				; CODE XREF: CmpTryToRundownHive+17659Cj
		mov	al, 1

loc_432E31:				; CODE XREF: CmpTryToRundownHive+176544j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_432E38:				; CODE XREF: CmpTryToRundownHive+5Cj
		or	dword ptr [ebx+4], 40000h
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		lock inc _CmpActiveHiveRundownCount
		lea	ecx, [esi+430h]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		lea	ecx, [esi+430h]
		call	@ExRundownCompleted@4 ;	ExRundownCompleted(x)
		mov	[ebp+var_1], 1
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		mov	esi, [ebp+var_8]
		jmp	loc_432DBE
; 

loc_432E7E:				; CODE XREF: CmpTryToRundownHive+66j
		cmp	[ebp+var_2], 0
		jnz	loc_432DF8
		lea	edx, [ebp+var_18]
		call	CmSnapshotRMTxArray
		test	eax, eax
		js	loc_5A9274
		lea	eax, [ebp+var_18]
		mov	ecx, ebx
		push	eax
		push	0Bh
		pop	edx
		call	_CmpLogTransactionAbortedForRollbackPacket@12 ;	CmpLogTransactionAbortedForRollbackPacket(x,x,x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		cmp	[ebp+var_18], 0
		jnz	loc_5A92D5
		mov	ecx, [esi+9A0h]
		xor	dl, dl
		call	_CmCloseRmHandle@8 ; CmCloseRmHandle(x,x)
		mov	ecx, [esi+9A0h]
		mov	[ebp+arg_0], eax
		call	_CmCloseTmHandle@8 ; CmCloseTmHandle(x,x)
		mov	[ebp+var_C], eax
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_432EE5
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_432EE5:				; CODE XREF: CmpTryToRundownHive+151j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_432EF2
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_432EF2:				; CODE XREF: CmpTryToRundownHive+15Ej
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	ecx, [esi+9A0h]
		mov	dl, 1
		call	_CmShutdownCmRM@8 ; CmShutdownCmRM(x,x)
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		mov	[ebp+var_2], 1
		jmp	loc_432DBE
; 

loc_432F14:				; CODE XREF: CmpTryToRundownHive+8Bj
		push	0
		xor	edx, edx
		mov	ecx, offset _CmpActiveHiveRundownEvent
		call	ExpUnblockPushLock
		jmp	loc_432E1D
CmpTryToRundownHive endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmpUnJoinClassOfTrust(x)
_CmpUnJoinClassOfTrust@4 proc near	; CODE XREF: CmpCompleteUnloadKey(x,x,x)+FBp
					; CmShutdownSystem(x)+22Ap ...
		mov	edi, edi
		push	esi
		lea	esi, [ecx+984h]
		cmp	[esi], esi
		jnz	short loc_432F37
		pop	esi
		retn
; 

loc_432F37:				; CODE XREF: CmpUnJoinClassOfTrust(x)+Bj
		call	_CmpLockHiveListExclusive@0 ; CmpLockHiveListExclusive()
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_432F55
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_432F55
		mov	[eax], ecx
		mov	[ecx+4], eax
		pop	esi
		jmp	_CmpUnlockHiveList@0 ; CmpUnlockHiveList()
; 

loc_432F55:				; CODE XREF: CmpUnJoinClassOfTrust(x)+19j
					; CmpUnJoinClassOfTrust(x)+20j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall CmSiUnmapViewOfSection(x, x, x)
_CmSiUnmapViewOfSection@12:		; CODE XREF: HvpViewMapDeleteViewTreeNode(x,x)+17p
					; CmpAddSecurityCellToCache+188D61p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	dword ptr [ebp+8]
		push	dword ptr [edx]
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)
		pop	ebp
		retn	4
_CmpUnJoinClassOfTrust@4 endp ;	sp = -4

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpFreePool(x)
_CmpFreePool@4	proc near		; CODE XREF: PAGE:007322A3p
					; PAGE:007322AEp ...
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
_CmpFreePool@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpDoFileRead	proc near		; CODE XREF: CmpFileRead(x,x,x,x,x)+25p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005A932D SIZE 000000D5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		xor	eax, eax
		mov	[esp+24h+var_18], 10000000h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+30h+var_8], eax
		mov	[esp+30h+var_4], eax
		lea	edx, [esp+30h+var_1C]
		mov	[esp+30h+var_10], eax
		xor	ecx, ecx
		mov	[esp+30h+var_C], eax
		inc	ecx
		mov	[esp+30h+var_1C], eax
		mov	[esp+30h+var_20], eax
		lea	eax, [esp+30h+var_20]
		push	eax
		call	_CmpCreateEvent@12 ; CmpCreateEvent(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_5A932D
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jz	short loc_433049
		mov	eax, 10000000h

loc_432FD1:				; CODE XREF: CmpDoFileRead+CFj
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	[esp+30h+var_8], ecx
		mov	[esp+30h+var_4], edx
		cmp	ebx, eax
		ja	loc_433068
		mov	eax, ebx
		mov	[esp+30h+var_14], ebx

loc_432FEC:				; CODE XREF: CmpDoFileRead+F4j
		push	edx
		lea	ecx, [esp+34h+var_8]
		push	ecx
		push	eax
		push	[ebp+arg_4]
		lea	eax, [esp+40h+var_10]
		push	eax
		push	edx
		push	edx
		push	[esp+4Ch+var_1C]
		push	edi
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_5A9342

loc_433015:				; CODE XREF: CmpDoFileRead+1763DDj
		test	esi, esi
		js	loc_5A935A

loc_43301D:				; CODE XREF: CmpDoFileRead+1763EBj
		mov	ecx, [esp+30h+var_14]
		sub	ebx, ecx
		mov	eax, [esp+30h+var_8]
		add	[ebp+arg_4], ecx
		add	eax, ecx
		mov	[ebp+arg_0], eax
		test	esi, esi
		js	loc_5A93CA
		cmp	[esp+30h+var_C], ecx
		jnz	loc_5A9374
		mov	eax, [esp+30h+var_18]

loc_433045:				; CODE XREF: CmpDoFileRead+1763F7j
		test	ebx, ebx
		jnz	short loc_432FD1

loc_433049:				; CODE XREF: CmpDoFileRead+52j
		xor	esi, esi

loc_43304B:				; CODE XREF: CmpDoFileRead+176485j
		mov	ecx, [esp+30h+var_20]
		call	ObfDereferenceObject
		push	[esp+30h+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_43305D:				; CODE XREF: CmpDoFileRead+1763C5j
		mov	eax, esi

loc_43305F:				; CODE XREF: CmpDoFileRead+17644Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_433068:				; CODE XREF: CmpDoFileRead+68j
		mov	[esp+30h+var_14], eax
		jmp	loc_432FEC
CmpDoFileRead	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2113. RtlGetCallersAddress

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetCallersAddress(x, x)
		public _RtlGetCallersAddress@8
_RtlGetCallersAddress@8	proc near	; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+1ABp
					; VfGetDmaAdapter(x,x,x)+21p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		xor	eax, eax
		push	eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	2
		pop	esi
		push	esi
		push	esi
		call	RtlCaptureStackBackTrace
		mov	ecx, [ebp+arg_0]
		movzx	edx, ax
		test	ecx, ecx
		jz	short loc_4330AB
		cmp	edx, 1
		sbb	eax, eax
		not	eax
		and	eax, [ebp+var_8]
		mov	[ecx], eax

loc_4330AB:				; CODE XREF: RtlGetCallersAddress(x,x)+27j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_4330BE
		cmp	dx, si
		sbb	eax, eax
		not	eax
		and	eax, [ebp+var_4]
		mov	[ecx], eax

loc_4330BE:				; CODE XREF: RtlGetCallersAddress(x,x)+3Aj
		pop	esi
		leave
		retn	8
_RtlGetCallersAddress@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall HvpGenerateLogEntryDirtyData(int,int,int,int,int,int)
_HvpGenerateLogEntryDirtyData@24 proc near ; CODE XREF:	HvpGenerateLogEntry+F2p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	edi, ecx
		mov	ebx, edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], eax
		lea	esi, [edi+2Ch]
		push	eax
		jmp	short loc_4330FE
; 

loc_4330E7:				; CODE XREF: HvpGenerateLogEntryDirtyData(x,x,x,x,x,x)+53j
		push	[ebp+arg_8]	; int
		mov	edx, [ebp+var_4] ; size_t
		push	[ebp+arg_4]	; int
		push	ecx		; int
		mov	ecx, [ebp+var_8] ; int
		push	ebx		; int
		call	HvpCopyDataToOffsetArray
		push	0
		mov	ecx, edi

loc_4330FE:				; CODE XREF: HvpGenerateLogEntryDirtyData(x,x,x,x,x,x)+21j
		lea	eax, [ebp+var_C]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	HvpFindNextDirtyBlock
		test	al, al
		jnz	short loc_4330E7
		push	esi
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		push	eax
		mov	ecx, esi
		call	_HvpCountSetRangesInVector@4 ; HvpCountSetRangesInVector(x)
		push	eax
		push	2
		pop	edx
		mov	ecx, edi
		call	_CmpLogDirtyVectorUse@16 ; CmpLogDirtyVectorUse(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_HvpGenerateLogEntryDirtyData@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpArmLazyWriter proc near		; CODE XREF: CmpRecheckHiveVolumePolicy(x)+94p
					; CmpEnableLazyFlush(x)+25p ...

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005A9402 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	_CmpWorkerDataInitialized, 0
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		jz	loc_433207
		xor	eax, eax
		cmp	_CmpHoldLazyFlush, eax
		jnz	loc_433207
		push	esi
		push	edi
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	esi, eax
		mov	edi, edx
		test	ebx, ebx
		jz	loc_43320C
		imul	eax, [ebp+var_8], 78h
		mov	ecx, (offset loc_98967E+2)
		mov	eax, dword_6B152C[eax]
		mul	ecx
		mov	ecx, [ebx+4]
		add	esi, eax
		mov	eax, [ebx]
		adc	edi, edx
		cmp	ecx, edi
		ja	short loc_43319F
		jb	short loc_43319B
		cmp	eax, esi
		jnb	short loc_43319F

loc_43319B:				; CODE XREF: CmpArmLazyWriter+5Bj
		mov	esi, eax
		mov	edi, ecx

loc_43319F:				; CODE XREF: CmpArmLazyWriter+59j
					; CmpArmLazyWriter+5Fj	...
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		imul	ebx, [ebp+var_8], 78h
		mov	[ebp+var_1], al
		lea	ecx, dword_6B1518[ebx]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, dword_6B1520[ebx]
		mov	eax, ecx
		mov	edx, dword_6B1524[ebx]
		and	eax, 7
		cmp	eax, 3
		ja	short loc_4331E4
		sub	eax, 0
		jz	loc_43328D
		sub	eax, 1
		jnz	short loc_433230
		cmp	[ebp+arg_0], al
		jnz	loc_433279

loc_4331E4:				; CODE XREF: CmpArmLazyWriter+91j
					; CmpArmLazyWriter+FEj	...
		test	ds:byte_70EFC6,	1
		pop	edi
		pop	esi
		jnz	loc_5A9402
		xor	ecx, ecx
		lea	eax, dword_6B1518[ebx]
		lock and [eax],	ecx

loc_4331FE:				; CODE XREF: CmpArmLazyWriter+1762D6j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_433207:				; CODE XREF: CmpArmLazyWriter+14j
					; CmpArmLazyWriter+22j
		pop	ebx
		leave
		retn	4
; 

loc_43320C:				; CODE XREF: CmpArmLazyWriter+37j
		cmp	[ebp+arg_0], 0
		jnz	loc_4332C9
		imul	eax, [ebp+var_8], 78h
		mov	ecx, (offset loc_98967E+2)
		mov	eax, dword_6B152C[eax]
		mul	ecx
		add	esi, eax
		adc	edi, edx
		jmp	loc_43319F
; 

loc_433230:				; CODE XREF: CmpArmLazyWriter+9Fj
		sub	eax, 1
		jz	short loc_433247
		sub	eax, 1
		jnz	short loc_4331E4
		and	ecx, 0FFFFFFF8h
		cmp	edi, edx
		ja	short loc_4331E4
		jb	short loc_433247
		cmp	esi, ecx
		jnb	short loc_4331E4

loc_433247:				; CODE XREF: CmpArmLazyWriter+F9j
					; CmpArmLazyWriter+107j
		and	esi, 0FFFFFFFBh
		or	esi, 3
		xor	eax, eax

loc_43324F:				; CODE XREF: CmpArmLazyWriter+15Aj
		mov	dword_6B1520[ebx], esi
		mov	dword_6B1524[ebx], edi
		cmp	esi, 1
		jnz	short loc_4331E4
		cmp	edi, eax
		jnz	short loc_4331E4
		cmp	[ebp+arg_0], 0
		jz	short loc_433296
		mov	ecx, 0FECED300h
		or	edx, 0FFFFFFFFh
		mov	esi, 3E8h
		jmp	short loc_4332AB
; 

loc_433279:				; CODE XREF: CmpArmLazyWriter+A4j
		lea	eax, _CmpLazyWriterData[ebx]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jz	loc_4331E4

loc_43328D:				; CODE XREF: CmpArmLazyWriter+96j
		xor	esi, esi
		inc	esi
		xor	eax, eax
		mov	edi, eax
		jmp	short loc_43324F
; 

loc_433296:				; CODE XREF: CmpArmLazyWriter+12Ej
		mov	eax, dword_6B152C[ebx]
		mov	ecx, 0FF676980h
		mov	esi, dword_6B1530[ebx]
		imul	ecx
		mov	ecx, eax

loc_4332AB:				; CODE XREF: CmpArmLazyWriter+13Dj
		lea	eax, dword_6B14E8[ebx]
		push	eax
		push	esi
		xor	eax, eax
		push	eax
		push	edx
		push	ecx
		lea	eax, _CmpLazyWriterData[ebx]
		push	eax
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		jmp	loc_4331E4
; 

loc_4332C9:				; CODE XREF: CmpArmLazyWriter+D6j
		push	0
		add	esi, 1312D00h
		pop	eax
		adc	edi, eax
		jmp	loc_43319F
CmpArmLazyWriter endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpFindNextDirtyRun proc near		; CODE XREF: HvpFindNextDirtyBlock+26p

var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A9415 SIZE 00000117 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, edx
		mov	eax, ecx
		push	esi
		push	edi
		mov	[ebp+var_14], ebx
		mov	edx, [eax]
		mov	esi, [ebx]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], esi
		cmp	esi, edx
		jnb	loc_433439
		mov	ecx, [eax+4]
		mov	ebx, esi
		lea	eax, [edx-1]
		mov	[ebp+var_4], ebx
		shr	eax, 5
		lea	edi, [ecx+eax*4]
		mov	eax, esi
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		cmp	eax, edi
		jz	short loc_433339
		and	esi, 1Fh
		mov	ecx, ds:dword_40BA68[esi*4]
		or	ecx, [eax]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_4333D2

loc_433339:				; CODE XREF: HvpFindNextDirtyRun+42j
					; HvpFindNextDirtyRun+FFj ...
		cmp	ebx, edx
		jnb	short loc_433350
		mov	ecx, [ebp+var_C]
		mov	ecx, [ecx+4]

loc_433343:				; CODE XREF: HvpFindNextDirtyRun+6Bj
		bt	[ecx], ebx
		jnb	short loc_43334D
		inc	ebx
		cmp	ebx, edx
		jb	short loc_433343

loc_43334D:				; CODE XREF: HvpFindNextDirtyRun+66j
		mov	[ebp+var_4], ebx

loc_433350:				; CODE XREF: HvpFindNextDirtyRun+5Bj
		xor	esi, esi
		cmp	eax, edi
		jz	short loc_43336F
		mov	edx, [eax]
		and	ebx, 1Fh
		mov	ecx, ds:dword_40BA68[ebx*4]
		not	ecx
		and	ecx, edx
		jz	loc_4333F2

loc_43336C:				; CODE XREF: HvpFindNextDirtyRun+123j
					; HvpFindNextDirtyRun+133j ...
		mov	ebx, [ebp+var_4]

loc_43336F:				; CODE XREF: HvpFindNextDirtyRun+74j
		mov	ecx, [ebp+var_C]
		lea	eax, [esi+ebx]
		mov	edx, [ecx]
		cmp	eax, edx
		jnb	short loc_433393
		mov	ecx, [ecx+4]
		mov	edi, edi

loc_433380:				; CODE XREF: HvpFindNextDirtyRun+AEj
		bt	[ecx], eax
		jb	short loc_433390
		cmp	esi, 0FFFFFFFFh
		jnb	short loc_433390
		inc	eax
		inc	esi
		cmp	eax, edx
		jb	short loc_433380

loc_433390:				; CODE XREF: HvpFindNextDirtyRun+A3j
					; HvpFindNextDirtyRun+A8j ...
		mov	ecx, [ebp+var_C]

loc_433393:				; CODE XREF: HvpFindNextDirtyRun+99j
		cmp	esi, 0FFFFFFFFh
		ja	loc_5A9415

loc_43339C:				; CODE XREF: HvpFindNextDirtyRun+176138j
		test	esi, esi
		jz	loc_43343D
		mov	eax, [ebp+var_8]
		cmp	ebx, eax
		jz	loc_5A941D
		mov	[ebp+var_8], eax

loc_4333B2:				; CODE XREF: HvpFindNextDirtyRun+17623Bj
		lea	eax, [esi+ebx]

loc_4333B5:				; CODE XREF: HvpFindNextDirtyRun+162j
					; HvpFindNextDirtyRun+176247j
		mov	ecx, [ebp+var_14]
		mov	[ecx], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_8]
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		mov	al, 1

loc_4333C9:				; CODE XREF: HvpFindNextDirtyRun+15Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4333D2:				; CODE XREF: HvpFindNextDirtyRun+53j
		sub	ebx, esi
		add	eax, 4
		add	ebx, 20h
		mov	[ebp+var_4], ebx
		cmp	eax, edi
		jnb	loc_433339

loc_4333E5:				; CODE XREF: HvpFindNextDirtyRun+155j
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_43342D

loc_4333EA:				; CODE XREF: HvpFindNextDirtyRun+157j
		mov	[ebp+var_4], ebx
		jmp	loc_433339
; 

loc_4333F2:				; CODE XREF: HvpFindNextDirtyRun+86j
		mov	esi, 20h
		sub	esi, ebx
		cmp	esi, 0FFFFFFFFh
		jnb	short loc_433447
		add	eax, 4
		cmp	eax, edi
		jnb	loc_43336C
		lea	esp, [esp+0]

loc_433410:				; CODE XREF: HvpFindNextDirtyRun+146j
		cmp	dword ptr [eax], 0
		jnz	loc_43336C
		add	esi, 20h
		add	eax, 4
		cmp	esi, 0FFFFFFFFh
		jnb	short loc_433447
		cmp	eax, edi
		jb	short loc_433410
		jmp	loc_43336C
; 

loc_43342D:				; CODE XREF: HvpFindNextDirtyRun+108j
		add	eax, 4
		add	ebx, 20h
		cmp	eax, edi
		jb	short loc_4333E5
		jmp	short loc_4333EA
; 

loc_433439:				; CODE XREF: HvpFindNextDirtyRun+21j
					; HvpFindNextDirtyRun+176147j
		xor	al, al
		jmp	short loc_4333C9
; 

loc_43343D:				; CODE XREF: HvpFindNextDirtyRun+BEj
		mov	eax, [ebp+var_10]
		mov	ebx, eax
		jmp	loc_4333B5
; 

loc_433447:				; CODE XREF: HvpFindNextDirtyRun+11Cj
					; HvpFindNextDirtyRun+142j
		mov	ebx, [ebp+var_4]
		jmp	loc_433390
HvpFindNextDirtyRun endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1970. RtlCaptureStackBackTrace

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlCaptureStackBackTrace
RtlCaptureStackBackTrace proc near	; CODE XREF: RtlGetCallersAddress(x,x)+1Ap
					; .text:0051ED28p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005A952C SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	edi, 0FFFFh
		ja	short loc_4334B6

loc_433472:				; CODE XREF: RtlCaptureStackBackTrace+5Bj
		mov	esi, [ebp+arg_0]
		cmp	esi, 0FEh
		ja	short loc_4334B2
		inc	esi
		mov	eax, esi
		shl	eax, 8
		push	eax
		lea	eax, [esi+edi]
		push	eax
		push	[ebp+arg_8]
		call	RtlWalkFrameChain
		mov	edx, eax
		cmp	edx, esi
		jbe	short loc_4334B2
		push	ebx
		mov	ebx, [ebp+arg_C]
		xor	ecx, ecx
		test	ebx, ebx
		jnz	loc_5A952C
		mov	ecx, edx
		sub	ecx, esi

loc_4334A8:				; CODE XREF: RtlCaptureStackBackTrace+1760F2j
		mov	ax, cx
		pop	ebx

loc_4334AC:				; CODE XREF: RtlCaptureStackBackTrace+54j
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_4334B2:				; CODE XREF: RtlCaptureStackBackTrace+1Bj
					; RtlCaptureStackBackTrace+34j
		xor	eax, eax
		jmp	short loc_4334AC
; 

loc_4334B6:				; CODE XREF: RtlCaptureStackBackTrace+10j
		mov	edi, 0FFFFh
		jmp	short loc_433472
RtlCaptureStackBackTrace endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2408. RtlWalkFrameChain

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlWalkFrameChain
RtlWalkFrameChain proc near		; CODE XREF: RtlCaptureStackBackTrace+2Bp
					; SepCreateTokenEx+D50B0p ...

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005A9557 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0260
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 7Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_40], 0
		mov	[ebp+var_44], 0
		mov	[ebp+var_1A], 0
		mov	[ebp+var_48], 0
		mov	[ebp+var_19], 0
		lea	edi, [ebp+4]
		add	edi, 0FFFFFFFCh
		mov	[ebp+var_3C], edi
		mov	[ebp+var_2C], edi
		mov	ecx, [ebp+arg_8]
		test	ecx, 0FFFF00FEh
		jnz	loc_5A9566
		mov	ebx, ecx
		shr	ebx, 8
		mov	[ebp+var_54], ebx
		and	ecx, 1
		mov	[ebp+arg_8], ecx
		jnz	loc_43376D
		mov	eax, large fs:124h
		mov	eax, [eax+24h]
		mov	[ebp+var_30], eax
		mov	eax, large fs:124h
		mov	eax, [eax+28h]
		mov	[ebp+var_34], eax
		mov	edx, [ebp+var_2C]
		cmp	[ebp+var_30], edx
		ja	loc_433868
		cmp	edx, eax
		ja	loc_433868

loc_43357D:				; CODE XREF: RtlWalkFrameChain+2A4j
					; RtlWalkFrameChain+3BAj ...
		mov	edx, large fs:124h
		mov	[ebp+var_68], edx
		mov	[ebp+var_4], 0
		mov	[ebp+var_5C], 0
		xor	eax, eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_4C], eax
		test	ecx, ecx
		jnz	loc_433779
		mov	eax, [edx+20h]
		mov	[ebp+var_28], eax

loc_4335B1:				; CODE XREF: RtlWalkFrameChain+33Dj
		mov	[ebp+var_20], eax
		mov	[ebp+var_30], edi
		mov	edx, [ebp+arg_4]
		mov	esi, [ebp+var_40]
		mov	ecx, [ebp+arg_8]

loc_4335C0:				; CODE XREF: RtlWalkFrameChain+393j
					; RtlWalkFrameChain+428j ...
		cmp	ecx, 1
		jz	loc_4336DE
		lea	edx, [eax-8Ch]

loc_4335CF:				; CODE XREF: RtlWalkFrameChain+298j
		mov	[ebp+var_44], edx

loc_4335D2:				; CODE XREF: RtlWalkFrameChain+28Cj
		mov	ebx, [ebp+var_34]
		mov	[ebp+var_70], ebx
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_58], 0
		mov	cl, 1

loc_4335E4:				; CODE XREF: RtlWalkFrameChain+179j
		mov	[ebp+var_58], esi
		cmp	esi, [ebp+arg_4]
		jnb	short loc_433655
		cmp	eax, edx
		jz	short loc_433655
		cmp	eax, ebx
		jnb	short loc_433655
		test	cl, cl
		jnz	short loc_43364B
		cmp	eax, edi
		jbe	short loc_433655

loc_4335FC:				; CODE XREF: RtlWalkFrameChain+17Dj
		mov	ecx, ebx
		sub	ecx, eax
		cmp	ecx, 8
		jb	short loc_433655
		mov	edx, [eax]
		mov	edi, [eax+4]
		cmp	[ebp+var_3C], edi
		jbe	short loc_43368D

loc_43360F:				; CODE XREF: RtlWalkFrameChain+1BFj
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	short loc_43361E
		cmp	edi, ds:_MmSystemRangeStart
		jb	short loc_433658

loc_43361E:				; CODE XREF: RtlWalkFrameChain+144j
		cmp	ecx, 1
		jz	short loc_433697

loc_433623:				; CODE XREF: RtlWalkFrameChain+209j
		cmp	esi, [ebp+var_54]
		jb	short loc_433636
		mov	ecx, esi
		sub	ecx, [ebp+var_54]
		mov	ebx, [ebp+arg_0]
		mov	[ebx+ecx*4], edi
		mov	ebx, [ebp+var_70]

loc_433636:				; CODE XREF: RtlWalkFrameChain+156j
		cmp	eax, edx
		jnb	short loc_433651
		cmp	edx, ebx
		jnb	short loc_433651
		mov	eax, edx
		xor	cl, cl
		inc	esi
		mov	edi, [ebp+var_3C]
		mov	edx, [ebp+var_44]
		jmp	short loc_4335E4
; 

loc_43364B:				; CODE XREF: RtlWalkFrameChain+126j
		cmp	eax, edi
		jnb	short loc_4335FC
		jmp	short loc_433655
; 

loc_433651:				; CODE XREF: RtlWalkFrameChain+168j
					; RtlWalkFrameChain+16Cj
		inc	esi
		mov	[ebp+var_58], esi

loc_433655:				; CODE XREF: RtlWalkFrameChain+11Aj
					; RtlWalkFrameChain+11Ej ...
		mov	ecx, [ebp+arg_8]

loc_433658:				; CODE XREF: RtlWalkFrameChain+14Cj
		mov	[ebp+var_40], esi
		mov	edx, [ebp+arg_4]
		cmp	esi, edx
		jb	loc_43381F

loc_433666:				; CODE XREF: RtlWalkFrameChain+369j
					; RtlWalkFrameChain+3EDj ...
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	[ebp+var_1A], 0
		jnz	loc_433812

loc_433677:				; CODE XREF: RtlWalkFrameChain+34Aj
		mov	eax, esi

loc_433679:				; CODE XREF: RtlWalkFrameChain+176098j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_43368D:				; CODE XREF: RtlWalkFrameChain+13Dj
		cmp	edi, ebx
		jnb	loc_43360F
		jmp	short loc_433655
; 

loc_433697:				; CODE XREF: RtlWalkFrameChain+151j
		mov	ecx, large fs:124h
		mov	[ebp+var_80], ecx
		mov	ecx, [ecx+80h]
		mov	ecx, [ecx+1CCh]
		mov	[ebp+var_84], ecx
		cmp	edi, 10000h
		jb	loc_4338FD
		cmp	edi, ecx
		jnb	loc_4338FD
		mov	ecx, [ebp+var_28]
		mov	[ebp+var_20], ecx
		mov	ecx, [ebp+var_4C]
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+var_50]
		mov	[ebp+var_38], ecx
		jmp	loc_433623
; 

loc_4336DE:				; CODE XREF: RtlWalkFrameChain+F3j
		mov	ecx, [ebp+var_48]
		mov	eax, [ecx+60h]
		mov	[ebp+var_2C], eax
		mov	ecx, [ecx+68h]
		cmp	ecx, _KeI386FastSystemCallReturn
		jnz	loc_5A9575
		mov	edx, [ebp+var_5C]
		mov	[ebp+var_64], 0
		mov	[ebp+var_60], 0
		xor	edi, edi

loc_433709:				; CODE XREF: RtlWalkFrameChain+270j
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], esi
		mov	[ebp+var_6C], edx
		mov	eax, [ebp+var_24]
		cmp	edi, 2
		jnb	short loc_433742
		cmp	esi, [ebp+arg_4]
		jnb	short loc_433742
		cmp	edx, eax
		jnb	short loc_433742
		cmp	edx, [ebp+var_38]
		jb	short loc_433742
		sub	eax, edx
		cmp	eax, 4
		jb	loc_5A956D
		cmp	esi, ebx
		jnb	loc_4338A2

loc_43373B:				; CODE XREF: RtlWalkFrameChain+3E1j
		add	edx, 4
		inc	esi
		inc	edi
		jmp	short loc_433709
; 

loc_433742:				; CODE XREF: RtlWalkFrameChain+248j
					; RtlWalkFrameChain+24Dj ...
		mov	[ebp+var_40], esi

loc_433745:				; CODE XREF: RtlWalkFrameChain+1760BEj
		mov	[ebp+var_34], eax
		mov	edi, [ebp+var_38]
		mov	[ebp+var_3C], edi
		mov	[ebp+var_30], edi
		xor	edx, edx
		mov	[ebp+var_44], edx
		mov	eax, [ebp+var_20]
		cmp	[eax+10h], edx
		jz	loc_4335D2
		mov	eax, [eax+8]
		mov	edx, [eax+60h]
		jmp	loc_4335CF
; 

loc_43376D:				; CODE XREF: RtlWalkFrameChain+7Bj
		mov	[ebp+var_34], 0FFFFFFFFh
		jmp	loc_43357D
; 

loc_433779:				; CODE XREF: RtlWalkFrameChain+D5j
		mov	ecx, edx
		call	_PspGetBaseTrapFrame@8 ; PspGetBaseTrapFrame(x,x)
		mov	[ebp+var_48], eax
		mov	ecx, [eax+74h]
		mov	[ebp+var_5C], ecx
		add	eax, 8Ch
		mov	[ebp+var_28], eax
		mov	esi, [edx+0A8h]
		test	esi, esi
		jz	loc_5A955F
		test	dword ptr [edx+58h], 400h
		jnz	loc_5A955F
		mov	eax, large fs:124h
		mov	[ebp+var_7C], eax
		cmp	byte ptr [eax+16Ah], 1
		jz	loc_5A955F
		call	_MmCanThreadFault@0 ; MmCanThreadFault()
		test	eax, eax
		jz	loc_5A955F
		mov	edx, [esi+8]
		mov	[ebp+var_38], edx
		mov	[ebp+var_50], edx
		mov	ecx, [esi+4]
		mov	[ebp+var_24], ecx
		mov	[ebp+var_4C], ecx
		cmp	ecx, edx
		jbe	loc_5A955F
		mov	eax, ecx
		sub	eax, edx
		jz	short loc_4337FC
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	loc_5A9557

loc_4337FC:				; CODE XREF: RtlWalkFrameChain+31Dj
					; RtlWalkFrameChain+17608Aj
		mov	eax, [ebp+var_68]
		bts	dword ptr [eax+58h], 5
		jb	short loc_43380A
		mov	[ebp+var_1A], 1

loc_43380A:				; CODE XREF: RtlWalkFrameChain+334j
		mov	eax, [ebp+var_28]
		jmp	loc_4335B1
; 

loc_433812:				; CODE XREF: RtlWalkFrameChain+1A1j
		mov	eax, [ebp+var_68]
		btr	dword ptr [eax+58h], 5
		jmp	loc_433677
; 

loc_43381F:				; CODE XREF: RtlWalkFrameChain+190j
		cmp	ecx, 1
		jz	loc_4338B6
		cmp	[ebp+var_19], 0
		jnz	loc_433914
		mov	eax, [ebp+var_20]
		test	byte ptr [eax+4], 1
		jz	loc_433666
		mov	edi, [eax+18h]
		lea	eax, [edi+0Ch]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_30], edi
		mov	eax, [ebp+var_20]
		mov	eax, [eax+1Ch]
		mov	[ebp+var_20], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_78], edi
		mov	[ebp+var_3C], edi
		mov	ebx, [ebp+var_54]
		jmp	loc_4335C0
; 

loc_433868:				; CODE XREF: RtlWalkFrameChain+9Fj
					; RtlWalkFrameChain+A7j
		mov	edx, large fs:2330h
		mov	[ebp+var_34], edx
		mov	esi, edx
		sub	esi, ds:_KeKernelStackSize
		mov	[ebp+var_30], esi
		mov	eax, [ebp+var_2C]
		test	edx, edx
		jz	short loc_433890
		cmp	esi, eax
		ja	short loc_433890
		cmp	eax, edx
		jbe	loc_43357D

loc_433890:				; CODE XREF: RtlWalkFrameChain+3B2j
					; RtlWalkFrameChain+3B6j
		add	eax, 1000h
		and	eax, 0FFFFF000h
		mov	[ebp+var_34], eax
		jmp	loc_43357D
; 

loc_4338A2:				; CODE XREF: RtlWalkFrameChain+265j
		mov	ecx, [edx]
		mov	eax, esi
		sub	eax, ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebx+eax*4], ecx
		mov	ebx, [ebp+var_54]
		jmp	loc_43373B
; 

loc_4338B6:				; CODE XREF: RtlWalkFrameChain+352j
		mov	ebx, [ebp+var_20]
		cmp	dword ptr [ebx+10h], 0
		jz	loc_433666
		mov	[ebp+var_19], 1
		xor	ecx, ecx
		mov	[ebp+arg_8], ecx
		mov	edi, [ebx+18h]
		lea	eax, [edi+0Ch]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_30], edi
		mov	ebx, [ebx+1Ch]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_28], ebx
		lea	eax, [ebx-8Ch]
		mov	[ebp+var_48], eax
		mov	eax, ebx
		mov	[ebp+var_78], edi
		mov	[ebp+var_3C], edi
		mov	ebx, [ebp+var_54]
		jmp	loc_4335C0
; 

loc_4338FD:				; CODE XREF: RtlWalkFrameChain+1E9j
					; RtlWalkFrameChain+1F1j
		mov	eax, [ebp+var_28]
		mov	[ebp+var_20], eax
		mov	ecx, [ebp+var_4C]
		mov	[ebp+var_24], ecx
		mov	eax, [ebp+var_50]
		mov	[ebp+var_38], eax
		jmp	loc_433655
; 

loc_433914:				; CODE XREF: RtlWalkFrameChain+35Cj
		mov	[ebp+arg_8], 1
		mov	[ebp+var_19], 0
		mov	eax, [ebp+var_48]
		mov	eax, [eax+74h]
		mov	[ebp+var_74], eax
		test	al, 3
		jnz	short loc_433968
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	short loc_43396D

loc_433936:				; CODE XREF: RtlWalkFrameChain+49Fj
		nop
		mov	al, [eax]
		mov	eax, [ebp+var_74]
		mov	eax, [eax+18h]
		mov	[ebp+var_5C], eax
		mov	esi, [ebp+var_40]
		mov	edi, [ebp+var_30]
		mov	eax, [ebp+var_28]
		mov	[ebp+var_20], eax
		mov	ecx, [ebp+var_4C]
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+var_50]
		mov	[ebp+var_38], ecx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_3C], edi
		mov	ebx, [ebp+var_54]
		jmp	loc_4335C0
; 

loc_433968:				; CODE XREF: RtlWalkFrameChain+45Aj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_43396D:				; CODE XREF: RtlWalkFrameChain+464j
		mov	eax, ecx
		jmp	short loc_433936
RtlWalkFrameChain endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MmCanThreadFault()
_MmCanThreadFault@0 proc near		; CODE XREF: RtlWalkFrameChain+2F2p
					; .text:005286AFp ...
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_4339BD
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_4339BD
		mov	ecx, large fs:124h
		test	byte ptr [ecx+300h], 2
		jnz	short loc_4339BD
		mov	eax, [ecx+2DCh]
		cmp	eax, offset _KiExecuteDpc@4 ; KiExecuteDpc(x)
		jz	short loc_4339BD
		cmp	ds:_MmPhysicalMemoryBlock, 0
		jz	short loc_4339BD
		mov	eax, dword_6D5D40
		test	eax, eax
		jz	short loc_4339BD
		cmp	ecx, [eax+44h]
		jz	short loc_4339BD
		xor	eax, eax
		inc	eax
		retn
; 

loc_4339BD:				; CODE XREF: MmCanThreadFault()+7j
					; MmCanThreadFault()+11j ...
		xor	eax, eax
		retn
_MmCanThreadFault@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSiProtectViewOfSection(x,	x, x, x, x, x)
_CmSiProtectViewOfSection@24 proc near	; CODE XREF: HvpViewMapMakeViewRangeWriteable(x,x,x,x,x,x)+61p
					; HvpViewMapMakeViewRangeReadOnly(x,x,x,x,x,x)+29p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_C]
		mov	eax, [ebp+arg_0]
		push	[ebp+arg_8]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	dword ptr [edx]
		call	_ZwProtectVirtualMemory@20 ; ZwProtectVirtualMemory(x,x,x,x,x)
		leave
		retn	10h
_CmSiProtectViewOfSection@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall HvpCopyDataToOffsetArray(int,size_t,int,int,int,int)
HvpCopyDataToOffsetArray proc near	; CODE XREF: HvpGenerateLogEntryHeader(x,x,x,x,x,x,x,x)+96p
					; HvpGenerateLogEntryMetadata(x,x,x,x,x,x,x)+2Ep ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005A95B9 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_C]
		and	[ebp+var_4], 0
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_8]
		push	ebx
		mov	ebx, edx
		push	esi
		mov	edx, [ecx]
		mov	esi, [eax]
		mov	[ebp+var_8], edx
		test	ebx, ebx
		jz	short loc_433A60
		mov	eax, [ebp+arg_0]
		imul	ecx, edx, 0Ch
		add	eax, 8
		push	edi
		add	ecx, eax
		mov	[ebp+arg_0], ecx

loc_433A1F:				; CODE XREF: HvpCopyDataToOffsetArray+68j
		mov	edi, [ecx]
		lea	eax, [esi+ebx]
		cmp	eax, edi
		ja	short loc_433A6A
		mov	edi, ebx

loc_433A2A:				; CODE XREF: HvpCopyDataToOffsetArray+80j
		mov	eax, [ebp+var_4]
		add	eax, [ebp+var_C]
		push	edi		; size_t
		push	eax		; void *
		mov	eax, [ecx-4]
		add	eax, esi
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_0]
		add	esi, edi
		add	[ebp+var_4], edi
		add	esp, 0Ch
		sub	ebx, edi
		cmp	esi, [ecx]
		jz	loc_5A95B9

loc_433A52:				; CODE XREF: HvpCopyDataToOffsetArray+175BE0j
		test	ebx, ebx
		jnz	short loc_433A1F

loc_433A56:				; CODE XREF: HvpCopyDataToOffsetArray+175BCFj
		mov	edx, [ebp+var_8]
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		pop	edi

loc_433A60:				; CODE XREF: HvpCopyDataToOffsetArray+22j
		mov	[eax], esi
		pop	esi
		mov	[ecx], edx
		pop	ebx
		leave
		retn	10h
; 

loc_433A6A:				; CODE XREF: HvpCopyDataToOffsetArray+3Aj
		sub	edi, esi
		jmp	short loc_433A2A
HvpCopyDataToOffsetArray endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlFindNextForwardRunSet proc near	; CODE XREF: HvpResetPageProtection(x)+2Cp
					; CmFcpManagerDrainUsageNotifications+86p ...

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A95D1 SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ebx
		mov	edx, [ebx]
		cmp	edx, esi
		jbe	loc_5A95D1
		mov	ecx, [ebx+4]
		lea	eax, [edx-1]
		shr	eax, 5
		push	edi
		lea	edi, [ecx+eax*4]
		mov	eax, esi
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		cmp	eax, edi
		jz	short loc_433ABD
		mov	ebx, esi
		and	ebx, 1Fh
		mov	ecx, ds:dword_40BA68[ebx*4]
		not	ecx
		and	ecx, [eax]
		jz	loc_433B56

loc_433ABA:				; CODE XREF: RtlFindNextForwardRunSet+F0j
					; RtlFindNextForwardRunSet+F9j	...
		mov	ebx, [ebp+var_4]

loc_433ABD:				; CODE XREF: RtlFindNextForwardRunSet+32j
		cmp	esi, edx
		jnb	short loc_433ACE
		mov	ecx, [ebx+4]

loc_433AC4:				; CODE XREF: RtlFindNextForwardRunSet+5Cj
		bt	[ecx], esi
		jb	short loc_433ACE
		inc	esi
		cmp	esi, edx
		jb	short loc_433AC4

loc_433ACE:				; CODE XREF: RtlFindNextForwardRunSet+4Fj
					; RtlFindNextForwardRunSet+57j
		xor	ebx, ebx
		cmp	eax, edi
		jz	short loc_433AEC
		mov	edx, [eax]
		mov	ecx, esi
		and	ecx, 1Fh
		mov	[ebp+var_8], ecx
		mov	ecx, ds:dword_40BA68[ecx*4]
		or	ecx, edx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_433B25

loc_433AEC:				; CODE XREF: RtlFindNextForwardRunSet+62j
					; RtlFindNextForwardRunSet+C7j	...
		mov	ecx, [ebp+var_4]
		lea	eax, [ebx+esi]
		mov	edx, [ecx]
		cmp	eax, edx
		jnb	short loc_433B10
		mov	ecx, [ecx+4]
		jmp	short loc_433B00
; 
		align 10h

loc_433B00:				; CODE XREF: RtlFindNextForwardRunSet+8Bj
					; RtlFindNextForwardRunSet+9Ej
		bt	[ecx], eax
		jnb	short loc_433B10
		cmp	ebx, 0FFFFFFFFh
		jnb	short loc_433B10
		inc	eax
		inc	ebx
		cmp	eax, edx
		jb	short loc_433B00

loc_433B10:				; CODE XREF: RtlFindNextForwardRunSet+86j
					; RtlFindNextForwardRunSet+93j	...
		mov	eax, [ebp+arg_0]
		pop	edi
		mov	[eax], esi
		cmp	ebx, 0FFFFFFFFh
		ja	short loc_433B7E

loc_433B1B:				; CODE XREF: RtlFindNextForwardRunSet+111j
		mov	eax, ebx

loc_433B1D:				; CODE XREF: RtlFindNextForwardRunSet+175B68j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_433B25:				; CODE XREF: RtlFindNextForwardRunSet+7Aj
		mov	ebx, 20h
		sub	ebx, [ebp+var_8]
		cmp	ebx, 0FFFFFFFFh
		jnb	short loc_433B10
		add	eax, 4
		cmp	eax, edi
		jnb	short loc_433AEC
		lea	esp, [esp+0]

loc_433B40:				; CODE XREF: RtlFindNextForwardRunSet+E2j
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_433AEC
		add	ebx, 20h
		add	eax, 4
		cmp	ebx, 0FFFFFFFFh
		jnb	short loc_433B10
		cmp	eax, edi
		jb	short loc_433B40
		jmp	short loc_433AEC
; 

loc_433B56:				; CODE XREF: RtlFindNextForwardRunSet+44j
		sub	esi, ebx
		add	eax, 4
		add	esi, 20h
		cmp	eax, edi
		jnb	loc_433ABA

loc_433B66:				; CODE XREF: RtlFindNextForwardRunSet+107j
		cmp	dword ptr [eax], 0
		jnz	loc_433ABA
		add	eax, 4
		add	esi, 20h
		cmp	eax, edi
		jb	short loc_433B66
		jmp	loc_433ABA
; 

loc_433B7E:				; CODE XREF: RtlFindNextForwardRunSet+A9j
		or	ebx, 0FFFFFFFFh
		jmp	short loc_433B1B
RtlFindNextForwardRunSet endp

; 
		align 8
; Exported entry 2061. RtlEqualString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlEqualString(x, x, x)
		public _RtlEqualString@12
_RtlEqualString@12 proc	near		; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+F2p
					; IopGetBootDiskInformation(x,x)+359p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	dl, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		movzx	ecx, word ptr [esi]
		movzx	eax, word ptr [edi]
		cmp	ecx, eax
		jz	short loc_433BAC

loc_433BA3:				; CODE XREF: RtlEqualString(x,x,x)+3Ej
					; RtlEqualString(x,x,x)+6Bj
		xor	al, al

loc_433BA5:				; CODE XREF: RtlEqualString(x,x,x)+47j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_433BAC:				; CODE XREF: RtlEqualString(x,x,x)+19j
		mov	esi, [esi+4]
		add	ecx, esi
		mov	edi, [edi+4]
		mov	[ebp+arg_4], ecx
		cmp	esi, ecx
		jnb	short loc_433BCD
		test	dl, dl
		jnz	short loc_433BD1
		sub	edi, esi

loc_433BC1:				; CODE XREF: RtlEqualString(x,x,x)+43j
		mov	al, [esi]
		cmp	al, [edi+esi]
		jnz	short loc_433BA3
		inc	esi
		cmp	esi, ecx
		jb	short loc_433BC1

loc_433BCD:				; CODE XREF: RtlEqualString(x,x,x)+31j
					; RtlEqualString(x,x,x)+74j
		mov	al, 1
		jmp	short loc_433BA5
; 

loc_433BD1:				; CODE XREF: RtlEqualString(x,x,x)+35j
					; RtlEqualString(x,x,x)+72j
		mov	cl, [esi]
		mov	al, [edi]
		mov	[ebp+arg_8], cl
		mov	byte ptr [ebp+arg_0], al
		cmp	cl, al
		jz	short loc_433BF5
		push	dword ptr [ebp+arg_8]
		call	_RtlUpperChar@4	; RtlUpperChar(x)
		push	[ebp+arg_0]
		mov	bl, al
		call	_RtlUpperChar@4	; RtlUpperChar(x)
		cmp	bl, al
		jnz	short loc_433BA3

loc_433BF5:				; CODE XREF: RtlEqualString(x,x,x)+55j
		inc	esi
		inc	edi
		cmp	esi, [ebp+arg_4]
		jb	short loc_433BD1
		jmp	short loc_433BCD
_RtlEqualString@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

UpcaseUnicodeToSingleByteNHelper proc near ; CODE XREF:	RtlUpcaseUnicodeToOemN+3Fp
					; RtlUpcaseUnicodeToMultiByteN+3Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005A95DD SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	edi
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ecx
		cmp	edi, edx
		jnb	loc_433CA8
		mov	ebx, edi

loc_433C1D:				; CODE XREF: UpcaseUnicodeToSingleByteNHelper+AAj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_433C26
		mov	[eax], ebx

loc_433C26:				; CODE XREF: UpcaseUnicodeToSingleByteNHelper+22j
		xor	eax, eax
		test	ebx, ebx
		jz	short loc_433C6A
		mov	edi, [ebp+arg_C]
		push	esi

loc_433C30:				; CODE XREF: UpcaseUnicodeToSingleByteNHelper+61j
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_10]
		movzx	ecx, word ptr [ecx+eax*2]
		movzx	ecx, byte ptr [ecx+edi]
		movzx	ecx, word ptr [edx+ecx*2]
		mov	dx, cx
		mov	[ebp+arg_0], ecx
		mov	word ptr [ebp+arg_0+2],	dx
		cmp	dx, 61h
		jnb	short loc_433C78

loc_433C52:				; CODE XREF: UpcaseUnicodeToSingleByteNHelper+8Aj
					; UpcaseUnicodeToSingleByteNHelper+97j	...
		movzx	ecx, dx
		mov	edx, [ebp+var_4]
		mov	cl, [ecx+edi]
		mov	[eax+edx], cl
		inc	eax
		cmp	eax, ebx
		jb	short loc_433C30
		mov	edi, [ebp+arg_8]
		mov	edx, [ebp+var_8]
		pop	esi

loc_433C6A:				; CODE XREF: UpcaseUnicodeToSingleByteNHelper+2Aj
		cmp	edi, edx
		pop	edi
		pop	ebx
		ja	short loc_433CAF
		xor	eax, eax

loc_433C72:				; CODE XREF: UpcaseUnicodeToSingleByteNHelper+B4j
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_433C78:				; CODE XREF: UpcaseUnicodeToSingleByteNHelper+50j
		cmp	dx, 7Ah
		ja	short loc_433C8C
		add	ecx, 0FFE0h
		mov	[ebp+arg_0], ecx
		mov	dx, cx
		jmp	short loc_433C52
; 

loc_433C8C:				; CODE XREF: UpcaseUnicodeToSingleByteNHelper+7Cj
		mov	ecx, ds:_Nls844UnicodeUpcaseTable
		mov	[ebp+arg_C], ecx
		test	ecx, ecx
		jz	short loc_433C52
		mov	ecx, 0C0h
		cmp	dx, cx
		jb	short loc_433C52
		jmp	loc_5A95DD
; 

loc_433CA8:				; CODE XREF: UpcaseUnicodeToSingleByteNHelper+15j
		mov	ebx, edx
		jmp	loc_433C1D
; 

loc_433CAF:				; CODE XREF: UpcaseUnicodeToSingleByteNHelper+6Ej
		mov	eax, 80000005h
		jmp	short loc_433C72
UpcaseUnicodeToSingleByteNHelper endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpDereferenceNamedObject(x)
_ObpDereferenceNamedObject@4 proc near	; CODE XREF: ObpInsertOrLocateNamedObject+312p
					; ObpInsertOrLocateNamedObject+3BCp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	edx, esi
		movzx	eax, byte ptr [esi+0Eh]
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	edx, eax
		or	eax, 0FFFFFFFFh
		lock xadd [edx+0Ch], eax
		dec	eax
		jnz	short loc_433CE1
		call	ObpDeleteNameCheck

loc_433CE1:				; CODE XREF: ObpDereferenceNamedObject(x)+24j
		lea	ecx, [esi+18h]
		call	ObfDereferenceObject
		pop	esi
		leave
		retn
_ObpDereferenceNamedObject@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1760. PsDetachSiloFromCurrentThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsDetachSiloFromCurrentThread(x)
		public _PsDetachSiloFromCurrentThread@4
_PsDetachSiloFromCurrentThread@4 proc near
					; CODE XREF: ExpRefreshTimeZoneInformation(x)+158p
					; ExpTimeZoneInitSiloState(x)+D5p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, large fs:124h
		mov	eax, [ebp+arg_0]
		mov	[ecx+390h], eax
		pop	ebp
		retn	4
_PsDetachSiloFromCurrentThread@4 endp

; 
		align 10h
; Exported entry 1747. PsAttachSiloToCurrentThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsAttachSiloToCurrentThread(x)
		public _PsAttachSiloToCurrentThread@4
_PsAttachSiloToCurrentThread@4 proc near ; CODE	XREF: ExpRefreshTimeZoneInformation(x)+13Dp
					; ExpTimeZoneInitSiloState(x)+16p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, large fs:124h
		mov	ecx, [ebp+arg_0]
		mov	eax, [edx+390h]
		mov	[edx+390h], ecx
		pop	ebp
		retn	4
_PsAttachSiloToCurrentThread@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSiUnlockViewOfSection(x, x, x, x)
_CmSiUnlockViewOfSection@16 proc near	; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+106p
					; HvpMappedViewConvertRegionFromLockedToCOWByPolicy(x,x,x,x,x,x)+66p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+arg_0]
		push	1
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	dword ptr [edx]
		call	_ZwUnlockVirtualMemory@16 ; ZwUnlockVirtualMemory(x,x,x,x)
		leave
		retn	8
_CmSiUnlockViewOfSection@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSiPrefetchVirtualMemoryRange(x, x, x)
_CmSiPrefetchVirtualMemoryRange@12 proc	near ; CODE XREF: HvpViewMapMakeViewRangeValid+4Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		and	[ebp+arg_0], 0
		push	4
		mov	[ebp+var_4], eax
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], edx
		push	eax
		push	1
		push	0
		push	dword ptr [ecx]
		call	_ZwSetInformationVirtualMemory@24 ; ZwSetInformationVirtualMemory(x,x,x,x,x,x)
		leave
		retn	4
_CmSiPrefetchVirtualMemoryRange@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSiMapViewOfSection(x, x, x, x, x,	x, x, x)
_CmSiMapViewOfSection@32 proc near	; CODE XREF: HvpViewMapCreateView+7Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	esi
		push	2
		push	[ebp+arg_C]
		lea	esi, [ebp+arg_8]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		push	2
		push	esi
		lea	esi, [ebp+var_8]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_14]
		push	esi
		push	0
		push	0
		and	dword ptr [eax], 0
		push	eax
		push	dword ptr [edx]
		push	ecx
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		pop	esi
		leave
		retn	18h
_CmSiMapViewOfSection@32 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmSiAllocateMemory(x, x)
_CmSiAllocateMemory@8 proc near		; CODE XREF: HvpViewMapCreateView+2Ap
					; CmpVolumeContextCreate+14p
		mov	edi, edi
		push	edx
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
_CmSiAllocateMemory@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpRecheckHiveVolumePolicy(x)
_CmpRecheckHiveVolumePolicy@4 proc near	; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+21Fp
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+843p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, edi
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		mov	ecx, [edi+0BFCh]
		test	ecx, ecx
		jz	short loc_433E67
		call	_CmpVolumeContextMustHiveFilePagesBeKeptLocal@4	; CmpVolumeContextMustHiveFilePagesBeKeptLocal(x)
		test	al, al
		jnz	short loc_433E4C
		mov	eax, [edi+980h]
		test	al, 20h
		jnz	short loc_433E4C
		test	dword ptr [edi+64h], 8000h
		jnz	short loc_433E67
		mov	ebx, 10000h
		mov	ecx, edi
		test	eax, ebx
		jz	short loc_433E19

loc_433E12:				; CODE XREF: CmpRecheckHiveVolumePolicy(x)+7Cj
		call	_HvUnlockHiveFilePages@4 ; HvUnlockHiveFilePages(x)
		jmp	short loc_433E67
; 

loc_433E19:				; CODE XREF: CmpRecheckHiveVolumePolicy(x)+42j
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, [edi+400h]
		mov	dl, 1
		call	_CmpAdjustFileCFSafety@8 ; CmpAdjustFileCFSafety(x,x)
		mov	esi, eax
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, edi
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		test	esi, esi
		js	short loc_433E67
		or	[edi+980h], ebx
		mov	ecx, edi
		jmp	short loc_433E12
; 

loc_433E4C:				; CODE XREF: CmpRecheckHiveVolumePolicy(x)+24j
					; CmpRecheckHiveVolumePolicy(x)+2Ej
		lea	ecx, [edi+0A0h]
		call	_HvViewMapContainsLockedPages@4	; HvViewMapContainsLockedPages(x)
		test	al, al
		jz	short loc_433E67
		push	0
		push	2
		xor	edx, edx
		pop	ecx
		call	CmpArmLazyWriter

loc_433E67:				; CODE XREF: CmpRecheckHiveVolumePolicy(x)+1Bj
					; CmpRecheckHiveVolumePolicy(x)+37j ...
		mov	ecx, edi
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		pop	edi
		pop	esi
		pop	ebx
		jmp	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
_CmpRecheckHiveVolumePolicy@4 endp


;  S U B	R O U T	I N E 


; __stdcall IovUtilWatermarkIrp(x, x)
_IovUtilWatermarkIrp@8 proc near	; CODE XREF: PopAllocateIrp+102p
					; IopSynchronousCall+5Cp ...
		cmp	_IovUtilVerifierEnabled, 0
		jnz	_VfIrpWatermark@8 ; VfIrpWatermark(x,x)
		retn
_IovUtilWatermarkIrp@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcSetValidData	proc near		; CODE XREF: CcWriteBehindInternal+431p

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_20]
		stosd
		xor	ebx, ebx
		push	ebx
		push	ebx
		mov	esi, ecx
		mov	[ebp+var_8], ebx
		stosd
		mov	[ebp+var_4], ebx
		stosd
		stosd
		mov	eax, [edx]
		mov	[ebp+var_10], eax
		mov	eax, [edx+4]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	esi
		call	IoGetRelatedDeviceObject
		mov	edi, eax
		push	ebx
		movzx	ecx, byte ptr [edi+30h]
		push	ecx
		call	IoAllocateIrp
		mov	edx, eax
		test	edx, edx
		jz	short loc_433F3E
		mov	ecx, [edx+60h]
		lea	eax, [ebp+var_8]
		mov	[edx+28h], eax
		lea	eax, [ebp+var_20]
		mov	[edx+2Ch], eax
		mov	eax, large fs:124h
		mov	[edx+50h], eax
		lea	eax, [ebp+var_10]
		mov	dword ptr [edx+8], 42h
		mov	[edx+20h], bl
		mov	[edx+64h], esi
		mov	[edx+0Ch], eax
		mov	byte ptr [ecx-24h], 6
		mov	[ecx-0Ch], esi
		mov	[ecx-10h], edi
		mov	dword ptr [ecx-20h], 8
		mov	dword ptr [ecx-1Ch], 14h
		mov	[ecx-18h], ebx
		mov	byte ptr [ecx-13h], 1
		mov	ecx, edi
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	sub_5A9612

loc_433F30:				; CODE XREF: sub_5A9612+Dj
		test	esi, esi
		js	short loc_433F37
		mov	esi, [ebp+var_8]

loc_433F37:				; CODE XREF: CcSetValidData+AEj
		mov	eax, esi

loc_433F39:				; CODE XREF: CcSetValidData+BFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_433F3E:				; CODE XREF: CcSetValidData+4Bj
		mov	eax, 0C000009Ah
		jmp	short loc_433F39
CcSetValidData	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 742. IoAllocateIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoAllocateIrp
IoAllocateIrp	proc near		; CODE XREF: CcSetValidData+42p
					; PopAllocateIrp+E3p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A9624 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_IopDispatchAllocateIrp
		push	dword ptr [ebp+4]
		push	[ebp+arg_4]
		test	eax, eax
		jnz	loc_5A9624
		push	[ebp+arg_0]
		push	eax
		call	IopAllocateIrpPrivate

loc_433F6B:				; CODE XREF: IoAllocateIrp+1756E7j
					; IoAllocateIrp+1756F6j
		pop	ebp
		retn	8
IoAllocateIrp	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoGetAttachedDeviceReferenceWithTag proc near ;	CODE XREF: PopAllocateIrp+31p
					; IopSynchronousCall+2Dp ...

; FUNCTION CHUNK AT 005A9645 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	edi, ecx
		mov	esi, edx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al

loc_433F86:				; CODE XREF: IoGetAttachedDeviceReferenceWithTag+65j
		mov	ecx, [edi+10h]
		test	ecx, ecx
		jnz	short loc_433FD3
		mov	edx, esi
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jnz	loc_5A9645
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_433FDE
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_433FD7

loc_433FC4:				; CODE XREF: IoGetAttachedDeviceReferenceWithTag+7Dj
					; IoGetAttachedDeviceReferenceWithTag+1756DFj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_433FD3:				; CODE XREF: IoGetAttachedDeviceReferenceWithTag+1Bj
		mov	edi, ecx
		jmp	short loc_433F86
; 

loc_433FD7:				; CODE XREF: IoGetAttachedDeviceReferenceWithTag+52j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_433FDE:				; CODE XREF: IoGetAttachedDeviceReferenceWithTag+43j
		xor	edx, edx
		mov	dword ptr [esi], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx
		jmp	short loc_433FC4
IoGetAttachedDeviceReferenceWithTag endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmSiGetMemoryAllocationGranularity()
_CmSiGetMemoryAllocationGranularity@0 proc near
					; CODE XREF: HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)+Ep
					; HvpViewMapCreateViewsForRegion+21p ...
		mov	eax, 10000h
		retn
_CmSiGetMemoryAllocationGranularity@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSiGetSectionLength(x, x)
_CmSiGetSectionLength@8	proc near	; CODE XREF: HvpViewMapStart(x,x,x,x,x)+51p

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	esi, edx
		stosd
		push	0
		push	10h
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		push	ecx
		call	_ZwQuerySection@20 ; ZwQuerySection(x,x,x,x,x)
		test	eax, eax
		js	short loc_43402C
		mov	eax, [ebp+var_8]
		mov	[esi], eax
		mov	eax, [ebp+var_4]
		mov	[esi+4], eax
		xor	eax, eax

loc_43402C:				; CODE XREF: CmSiGetSectionLength(x,x)+27j
		pop	edi
		pop	esi
		leave
		retn
_CmSiGetSectionLength@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSiCreateSectionForFile(x,	x, x, x, x)
_CmSiCreateSectionForFile@20 proc near	; CODE XREF: HvpViewMapStart(x,x,x,x,x)+43p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	[ebp+arg_8]
		xor	eax, eax
		mov	[ebp+var_1C], 18h
		push	4000000h
		push	[ebp+arg_0]
		mov	[ebp+var_18], eax
		push	eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	edx
		push	ecx
		mov	[ebp+var_10], 200h
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		leave
		retn	0Ch
_CmSiCreateSectionForFile@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSiLockViewOfSection(x, x,	x, x)
_CmSiLockViewOfSection@16 proc near	; CODE XREF: HvpViewMapMakeViewRangeValid+71p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+arg_0]
		push	1
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	dword ptr [edx]
		call	_ZwLockVirtualMemory@16	; ZwLockVirtualMemory(x,x,x,x)
		leave
		retn	8
_CmSiLockViewOfSection@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvUnCOWReconciledPages proc near	; CODE XREF: CmpFlushHive+4CAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A9654 SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edi
		test	dword ptr [edi+64h], 20000h
		jz	loc_4342BB
		mov	eax, large fs:124h
		push	ebx
		lea	ebx, [edi+46Ch]
		push	esi
		lea	esi, [edi+44Ch]
		cmp	[edi+9C0h], eax
		jnz	short loc_4340D8
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlMergeBitMaps@8 ; RtlMergeBitMaps(x,x)

loc_4340D8:				; CODE XREF: HvUnCOWReconciledPages+35j
		mov	ecx, ebx
		call	_RtlInvertBitMap@4 ; RtlInvertBitMap(x)
		lea	edx, [edi+2Ch]
		mov	ecx, ebx
		call	_RtlMergeBitMaps@8 ; RtlMergeBitMaps(x,x)
		lea	edx, [edi+3Ch]
		mov	ecx, ebx
		call	_RtlMergeBitMaps@8 ; RtlMergeBitMaps(x,x)
		mov	eax, [edi+9C0h]
		test	eax, eax
		jz	short loc_43410A
		cmp	eax, large fs:124h
		jnz	loc_5A9654

loc_43410A:				; CODE XREF: HvUnCOWReconciledPages+63j
					; HvUnCOWReconciledPages+1755C5j
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	loc_4342B9
		mov	edx, [ebx+4]
		lea	eax, [ecx-1]
		shr	eax, 5
		xor	edi, edi
		lea	eax, [edx+eax*4]
		mov	[ebp+var_8], eax
		cmp	edx, eax
		jnz	loc_4342BE

loc_43412D:				; CODE XREF: HvUnCOWReconciledPages+229j
					; HvUnCOWReconciledPages+1755D5j ...
		cmp	edi, ecx
		jnb	short loc_43413D
		mov	esi, [ebx+4]

loc_434134:				; CODE XREF: HvUnCOWReconciledPages+1755EDj
		bt	[esi], edi
		jb	loc_5A9682

loc_43413D:				; CODE XREF: HvUnCOWReconciledPages+97j
					; HvUnCOWReconciledPages+1755F3j
		xor	esi, esi
		cmp	edx, eax
		jz	short loc_434178
		mov	ecx, [edx]
		mov	eax, edi
		and	eax, 1Fh
		mov	[ebp+var_4], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		jnz	short loc_434178
		push	20h
		pop	esi
		sub	esi, [ebp+var_4]
		cmp	esi, 0FFFFFFFFh
		jnb	short loc_434197
		mov	ecx, [ebp+var_8]
		add	edx, 4

loc_43416B:				; CODE XREF: HvUnCOWReconciledPages+23Dj
		cmp	edx, ecx
		jnb	short loc_434178
		cmp	dword ptr [edx], 0
		jz	loc_4342CC

loc_434178:				; CODE XREF: HvUnCOWReconciledPages+A9j
					; HvUnCOWReconciledPages+C0j ...
		mov	ecx, [ebx]
		lea	eax, [esi+edi]
		cmp	eax, ecx
		jnb	short loc_434194
		mov	edx, [ebx+4]

loc_434184:				; CODE XREF: HvUnCOWReconciledPages+FAj
		bt	[edx], eax
		jb	short loc_434194
		cmp	esi, 0FFFFFFFFh
		jnb	short loc_434197
		inc	eax
		inc	esi
		cmp	eax, ecx
		jb	short loc_434184

loc_434194:				; CODE XREF: HvUnCOWReconciledPages+E7j
					; HvUnCOWReconciledPages+EFj ...
		cmp	esi, 0FFFFFFFFh

loc_434197:				; CODE XREF: HvUnCOWReconciledPages+CBj
					; HvUnCOWReconciledPages+F4j ...
		ja	loc_5A9690

loc_43419D:				; CODE XREF: HvUnCOWReconciledPages+1755FBj
		test	esi, esi
		jz	loc_4342B9
		mov	eax, edi
		mov	ecx, esi
		shl	eax, 9
		shl	ecx, 9
		add	ecx, eax
		lea	edx, [eax+0FFFh]
		mov	eax, 0FFFFF000h
		and	edx, eax
		and	ecx, eax
		cmp	edx, ecx
		jz	short loc_4341D5
		sub	ecx, edx
		push	ecx
		mov	ecx, [ebp+var_C]
		lea	ecx, [ecx+0A0h]
		call	_HvpViewMapUnCOWAndSealRange@12	; HvpViewMapUnCOWAndSealRange(x,x,x)

loc_4341D5:				; CODE XREF: HvUnCOWReconciledPages+12Aj
		mov	eax, [ebx]
		add	edi, esi
		mov	[ebp+var_8], eax
		cmp	eax, edi
		jbe	loc_4342B9
		mov	ecx, [ebx+4]
		dec	eax
		shr	eax, 5
		lea	esi, [ecx+eax*4]
		mov	eax, edi
		shr	eax, 5
		mov	[ebp+var_4], esi
		lea	edx, [ecx+eax*4]
		cmp	edx, esi
		jz	short loc_43422C
		mov	esi, edi
		and	esi, 1Fh
		mov	ecx, ds:dword_40BA68[esi*4]
		or	ecx, [edx]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_43422C
		sub	edi, esi
		mov	esi, [ebp+var_4]
		add	edi, 20h
		add	edx, 4

loc_43421B:				; CODE XREF: HvUnCOWReconciledPages+192j
		cmp	edx, esi
		jnb	short loc_43422C
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	short loc_43422C
		add	edx, 4
		add	edi, 20h
		jmp	short loc_43421B
; 

loc_43422C:				; CODE XREF: HvUnCOWReconciledPages+163j
					; HvUnCOWReconciledPages+176j ...
		mov	eax, [ebp+var_8]
		cmp	edi, eax
		jnb	short loc_434240
		mov	ecx, [ebx+4]

loc_434236:				; CODE XREF: HvUnCOWReconciledPages+1A6j
		bt	[ecx], edi
		jnb	short loc_434240
		inc	edi
		cmp	edi, eax
		jb	short loc_434236

loc_434240:				; CODE XREF: HvUnCOWReconciledPages+199j
					; HvUnCOWReconciledPages+1A1j
		xor	esi, esi
		cmp	edx, [ebp+var_4]
		jz	short loc_43425E
		mov	ecx, [edx]
		mov	eax, edi
		and	eax, 1Fh
		mov	[ebp+var_8], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		jz	short loc_43428B

loc_43425E:				; CODE XREF: HvUnCOWReconciledPages+1ADj
					; HvUnCOWReconciledPages+20Aj ...
		mov	edx, [ebx]
		lea	eax, [esi+edi]
		cmp	eax, edx
		jnb	loc_434194
		mov	ecx, [ebx+4]

loc_43426E:				; CODE XREF: HvUnCOWReconciledPages+1ECj
		bt	[ecx], eax
		jb	loc_434194
		cmp	esi, 0FFFFFFFFh
		jnb	loc_434197
		inc	eax
		inc	esi
		cmp	eax, edx
		jb	short loc_43426E
		jmp	loc_434194
; 

loc_43428B:				; CODE XREF: HvUnCOWReconciledPages+1C4j
		push	20h
		pop	esi
		sub	esi, [ebp+var_8]
		cmp	esi, 0FFFFFFFFh
		jnb	loc_434197
		mov	ecx, [ebp+var_4]
		add	edx, 4

loc_4342A0:				; CODE XREF: HvUnCOWReconciledPages+21Aj
		cmp	edx, ecx
		jnb	short loc_43425E
		cmp	dword ptr [edx], 0
		jnz	short loc_43425E
		add	esi, 20h
		add	edx, 4
		cmp	esi, 0FFFFFFFFh
		jb	short loc_4342A0
		jmp	loc_434197
; 

loc_4342B9:				; CODE XREF: HvUnCOWReconciledPages+76j
					; HvUnCOWReconciledPages+107j ...
		pop	esi
		pop	ebx

loc_4342BB:				; CODE XREF: HvUnCOWReconciledPages+15j
		pop	edi
		leave
		retn
; 

loc_4342BE:				; CODE XREF: HvUnCOWReconciledPages+8Fj
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	loc_43412D
		jmp	loc_5A9662
; 

loc_4342CC:				; CODE XREF: HvUnCOWReconciledPages+DAj
		add	esi, 20h
		add	edx, 4
		cmp	esi, 0FFFFFFFFh
		jb	loc_43416B
		jmp	loc_434197
HvUnCOWReconciledPages endp


;  S U B	R O U T	I N E 


WmipUnreferenceRegEntry	proc near	; CODE XREF: .text:0067B00Bp
					; WmipForwardWmiIrp+13Fp ...

; FUNCTION CHUNK AT 005A9698 SIZE 0000000D BYTES

		or	eax, 0FFFFFFFFh
		lock xadd [ecx+18h], eax
		dec	eax
		test	eax, 0FFFFFFh
		jz	loc_5A9698
		retn
WmipUnreferenceRegEntry	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipFindRegEntryByDevice proc near	; CODE XREF: WmipForwardWmiIrp+23p
					; WmipUpdateRegistration(x)+5p	...

; FUNCTION CHUNK AT 005A96A5 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _WmipRegistrationSpinLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, esi
		call	_WmipDoFindRegEntryByDevice@4 ;	WmipDoFindRegEntryByDevice(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_434334
		lock inc dword ptr [esi+18h]

loc_434334:				; CODE XREF: WmipFindRegEntryByDevice+38j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _WmipRegistrationSpinLock
		jnz	loc_5A96A5
		xor	eax, eax
		lock and [ecx],	eax

loc_43434B:				; CODE XREF: WmipFindRegEntryByDevice+1753B7j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	edi
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
WmipFindRegEntryByDevice endp


;  S U B	R O U T	I N E 


; __stdcall WmipDoFindRegEntryByDevice(x)
_WmipDoFindRegEntryByDevice@4 proc near	; CODE XREF: WmipFindRegEntryByDevice+2Fp
					; IoWMIWriteEvent+5Fp
		mov	eax, _WmipInUseRegEntryHead
		mov	edx, offset _WmipInUseRegEntryHead

loc_434370:				; CODE XREF: WmipDoFindRegEntryByDevice(x)+15j
		cmp	eax, edx
		jz	short loc_434384
		cmp	[eax+8], ecx
		jz	short loc_43437D

loc_434379:				; CODE XREF: WmipDoFindRegEntryByDevice(x)+1Bj
		mov	eax, [eax]
		jmp	short loc_434370
; 

loc_43437D:				; CODE XREF: WmipDoFindRegEntryByDevice(x)+11j
		cmp	dword ptr [eax+18h], 0
		jl	short loc_434379
		retn
; 

loc_434384:				; CODE XREF: WmipDoFindRegEntryByDevice(x)+Cj
		xor	eax, eax
		retn
_WmipDoFindRegEntryByDevice@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCheckForCriticalAceRemoval(x, x,	x, x, x)
_SepCheckForCriticalAceRemoval@20 proc near ; CODE XREF: SeCheckForCriticalAceRemoval+3Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		test	edi, edi
		jz	short loc_4343A2
		mov	byte ptr [edi],	0

loc_4343A2:				; CODE XREF: SepCheckForCriticalAceRemoval(x,x,x,x,x)+15j
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_4343AC
		mov	byte ptr [esi],	0

loc_4343AC:				; CODE XREF: SepCheckForCriticalAceRemoval(x,x,x,x,x)+1Fj
		cmp	ds:_SepAllowAllApplicationAceRemoval, 0
		jnz	short loc_4343DB
		mov	eax, large fs:124h
		push	ds:dword_A949B4
		mov	ebx, [ebp+arg_0]
		mov	ecx, ebx
		push	ds:_SeTcbPrivilege
		mov	dl, [eax+15Ah]
		call	_SeSinglePrivilegeCheckEx@16 ; SeSinglePrivilegeCheckEx(x,x,x,x)
		test	al, al
		jz	short loc_4343E2

loc_4343DB:				; CODE XREF: SepCheckForCriticalAceRemoval(x,x,x,x,x)+2Bj
					; SepCheckForCriticalAceRemoval(x,x,x,x,x)+7Ej	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4343E2:				; CODE XREF: SepCheckForCriticalAceRemoval(x,x,x,x,x)+51j
		mov	ecx, [ebx]
		xor	eax, eax
		push	eax		; char
		push	eax		; char
		push	eax		; char
		xor	edx, edx
		push	eax		; char
		push	_SeTrustedInstallerSid ; void *
		test	ecx, ecx
		jnz	short loc_4343F9
		mov	ecx, [ebx+8]

loc_4343F9:				; CODE XREF: SepCheckForCriticalAceRemoval(x,x,x,x,x)+6Cj
		add	ecx, 0CCh
		call	SepSidInTokenSidHash
		test	al, al
		jnz	short loc_4343DB
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	esi
		push	edi
		call	SepHasCriticalAcesRemoved
		jmp	short loc_4343DB
_SepCheckForCriticalAceRemoval@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUnicodeStringCat(x, x)
_RtlUnicodeStringCat@8 proc near	; CODE XREF: CmpGetSymbolicLinkTarget+8F4p
					; CmpDoWritethroughReparse(x,x,x,x,x,x,x)+1A8p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		push	edi
		push	ecx
		mov	[ebp+var_4], edx
		mov	esi, ecx
		xor	edi, edi
		xor	ebx, ebx
		call	sub_4344FE
		test	eax, eax
		js	short loc_43449E
		test	esi, esi
		jz	short loc_43444F
		movzx	edi, word ptr [esi+2]
		movzx	ebx, word ptr [esi]
		mov	ecx, [esi+4]
		shr	edi, 1
		mov	[ebp+var_10], ecx
		shr	ebx, 1

loc_43444F:				; CODE XREF: RtlUnicodeStringCat(x,x)+24j
		test	eax, eax
		js	short loc_43449E
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		push	ecx
		mov	ecx, [ebp+var_4]
		call	sub_4344FE
		test	eax, eax
		js	short loc_4344A3
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_4344A3
		mov	edx, [ecx+4]
		movzx	ecx, word ptr [ecx]
		shr	ecx, 1

loc_434477:				; CODE XREF: RtlUnicodeStringCat(x,x)+91j
		test	eax, eax
		js	short loc_43449E
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		push	ecx
		push	edx
		push	eax
		mov	eax, [ebp+var_10]
		sub	edi, ebx
		mov	edx, edi
		lea	ecx, [eax+ebx*2]
		call	sub_4344AC
		mov	ecx, [ebp+var_C]
		add	ecx, ebx
		add	ecx, ecx
		mov	[esi], cx

loc_43449E:				; CODE XREF: RtlUnicodeStringCat(x,x)+20j
					; RtlUnicodeStringCat(x,x)+39j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4344A3:				; CODE XREF: RtlUnicodeStringCat(x,x)+4Ej
					; RtlUnicodeStringCat(x,x)+55j
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		jmp	short loc_434477
_RtlUnicodeStringCat@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_4344AC	proc near		; CODE XREF: RtlUnicodeStringCat(x,x)+77p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		xor	edi, edi
		mov	eax, ecx
		mov	ecx, [ebp+arg_8]
		mov	ebx, edi
		test	edx, edx
		jz	short loc_4344F2
		push	esi
		mov	esi, [ebp+arg_4]
		sub	eax, esi
		mov	edi, eax

loc_4344C8:				; CODE XREF: sub_4344AC+2Fj
		test	ecx, ecx
		jz	short loc_4344DD
		mov	ax, [esi]
		mov	[edi+esi], ax
		add	esi, 2
		dec	ecx
		inc	ebx
		sub	edx, 1
		jnz	short loc_4344C8

loc_4344DD:				; CODE XREF: sub_4344AC+1Ej
		push	0
		pop	edi
		pop	esi
		test	edx, edx
		jz	short loc_4344F2

loc_4344E5:				; CODE XREF: sub_4344AC+48j
					; sub_4344AC+4Fj
		mov	ecx, [ebp+arg_0]
		mov	eax, edi
		pop	edi
		mov	[ecx], ebx
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_4344F2:				; CODE XREF: sub_4344AC+12j
					; sub_4344AC+37j
		test	ecx, ecx
		jz	short loc_4344E5
		mov	edi, 80000005h
		jmp	short loc_4344E5
sub_4344AC	endp

; 
		align 2

;  S U B	R O U T	I N E 


sub_4344FE	proc near		; CODE XREF: RtlUnicodeStringCat(x,x)+19p
					; RtlUnicodeStringCat(x,x)+47p	...

; FUNCTION CHUNK AT 005A96B2 SIZE 00000017 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	eax, eax
		movzx	ecx, word ptr [esi]
		test	cl, 1
		jnz	short loc_434534
		movzx	edx, word ptr [esi+2]
		test	dl, 1
		jnz	short loc_434534
		cmp	cx, dx
		ja	short loc_434534
		push	edi
		mov	edi, 0FFFEh
		cmp	dx, di
		pop	edi
		ja	short loc_434534
		cmp	[esi+4], eax
		jz	loc_5A96B2

loc_434530:				; CODE XREF: sub_4344FE+3Bj
					; sub_4344FE+1751C0j
		pop	esi
		retn	4
; 

loc_434534:				; CODE XREF: sub_4344FE+Dj
					; sub_4344FE+16j ...
		mov	eax, 0C000000Dh
		jmp	short loc_434530
sub_4344FE	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRemoveHiveFromNamespace(x, x, x)
_CmpRemoveHiveFromNamespace@12 proc near ; CODE	XREF: CmpCompleteUnloadKey(x,x,x)+69p
					; CmpLinkHiveToMaster+182DE5p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [edx+24h]
		mov	ebx, ecx
		push	edi
		mov	ecx, esi
		mov	edi, [esi+24h]
		call	CmpLockHashEntryExclusiveByKcb
		mov	ecx, edi
		call	_CmpLockKcbExclusive@4 ; CmpLockKcbExclusive(x)
		mov	ecx, esi
		call	_CmpLockKcbExclusive@4 ; CmpLockKcbExclusive(x)
		mov	ecx, [esi+10h]
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	edx, [esi+14h]
		mov	ecx, [esi+10h]
		push	1
		call	CmpFreeKeyByCell
		push	0
		push	[ebp+arg_0]
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	CmpFlushNotifiesOnKeyBodyList
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_CmpMarkKeyUnbacked@8 ;	CmpMarkKeyUnbacked(x,x)
		mov	ecx, esi
		call	_CmpDiscardKcb@4 ; CmpDiscardKcb(x)
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_CmpRemoveLayerLinkForDiscardedKcb@8 ; CmpRemoveLayerLinkForDiscardedKcb(x,x)
		test	ds:dword_70EFC8, 1000000h
		jz	short loc_4345B3
		mov	ecx, ebx
		call	_CmpLogHiveDestroyEvent@4 ; CmpLogHiveDestroyEvent(x)

loc_4345B3:				; CODE XREF: CmpRemoveHiveFromNamespace(x,x,x)+6Ej
		mov	ecx, [esi+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		mov	ecx, esi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	ecx, edi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	ecx, esi
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_CmpRemoveHiveFromNamespace@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAllocateTransientPoolWithTag(x, x, x)
_CmpAllocateTransientPoolWithTag@12 proc near
					; CODE XREF: CmpDoReadTxRBigLogRecord(x,x,x,x,x)+5Ap
					; CmAllocateExtraParameter(x,x,x)+Ep ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	4
_CmpAllocateTransientPoolWithTag@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmpSetRespectIoPriorityThread(x, x)
_CmpSetRespectIoPriorityThread@8 proc near ; CODE XREF:	CmpDoFileWrite+6Ap
					; CmpDoFileWrite+19Dp
		movzx	edx, dl
		shl	edx, 7
		push	esi
		mov	esi, [ecx+300h]
		xor	edx, esi
		mov	eax, esi
		and	edx, 80h
		xor	edx, esi
		shr	eax, 7
		and	al, 1
		mov	[ecx+300h], edx
		pop	esi
		retn
_CmpSetRespectIoPriorityThread@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUnicodeStringCopy(x, x)
_RtlUnicodeStringCopy@8	proc near	; CODE XREF: SleepstudyHelperSetBlockerFriendlyName+4Ap
					; SshpCopyDataEntry(x,x,x)+3Ep	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		push	edi
		push	ecx
		mov	ebx, edx
		mov	[ebp+var_4], 0
		mov	esi, ecx
		xor	edi, edi
		call	RtlUnicodeStringValidateWorker
		test	eax, eax
		js	short loc_434697
		test	esi, esi
		jz	short loc_434652
		movzx	edi, word ptr [esi+2]
		mov	ecx, [esi+4]
		mov	[ebp+var_4], ecx
		shr	edi, 1

loc_434652:				; CODE XREF: RtlUnicodeStringCopy(x,x)+24j
		test	eax, eax
		js	short loc_434697
		push	ecx
		mov	ecx, ebx
		mov	[ebp+var_8], 0
		call	RtlUnicodeStringValidateWorker
		mov	edx, eax
		test	edx, edx
		js	short loc_43469E
		test	ebx, ebx
		jz	short loc_43469E
		movzx	eax, word ptr [ebx]
		mov	ecx, [ebx+4]
		shr	eax, 1

loc_434677:				; CODE XREF: RtlUnicodeStringCopy(x,x)+82j
		test	edx, edx
		js	short loc_43468D
		push	eax
		push	ecx
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		mov	edx, edi
		call	RtlWideCharArrayCopyWorker
		mov	edx, eax

loc_43468D:				; CODE XREF: RtlUnicodeStringCopy(x,x)+59j
		mov	eax, [ebp+var_8]
		add	eax, eax
		mov	[esi], ax
		mov	eax, edx

loc_434697:				; CODE XREF: RtlUnicodeStringCopy(x,x)+20j
					; RtlUnicodeStringCopy(x,x)+34j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_43469E:				; CODE XREF: RtlUnicodeStringCopy(x,x)+49j
					; RtlUnicodeStringCopy(x,x)+4Dj
		xor	eax, eax
		xor	ecx, ecx
		jmp	short loc_434677
_RtlUnicodeStringCopy@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 


RtlUnicodeStringValidateWorker proc near ; CODE	XREF: RtlUnicodeStringCopy(x,x)+19p
					; RtlUnicodeStringCopy(x,x)+40p ...

; FUNCTION CHUNK AT 005A96C9 SIZE 00000017 BYTES

		movzx	eax, word ptr [ecx]
		test	al, 1
		jnz	short loc_4346E0
		movzx	edx, word ptr [ecx+2]
		test	dl, 1
		jnz	short loc_4346E0
		cmp	ax, dx
		ja	short loc_4346E0
		push	esi
		mov	esi, 0FFFEh
		cmp	dx, si
		pop	esi
		ja	short loc_4346E0
		cmp	dword ptr [ecx+4], 0
		jz	loc_5A96C9

loc_4346DB:				; CODE XREF: RtlUnicodeStringValidateWorker+17502Bj
		xor	eax, eax

locret_4346DD:				; CODE XREF: RtlUnicodeStringValidateWorker+35j
		retn	4
; 

loc_4346E0:				; CODE XREF: RtlUnicodeStringValidateWorker+5j
					; RtlUnicodeStringValidateWorker+Ej ...
		mov	eax, 0C000000Dh
		jmp	short locret_4346DD
RtlUnicodeStringValidateWorker endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlWideCharArrayCopyWorker proc	near	; CODE XREF: RtlUnicodeStringCopy(x,x)+66p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005A96E0 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_8]
		push	edi
		xor	edi, edi
		test	esi, esi
		jz	short loc_434725
		mov	eax, [ebp+arg_4]
		sub	ebx, eax
		lea	ebx, [ebx+0]

loc_434710:				; CODE XREF: RtlWideCharArrayCopyWorker+33j
		test	edx, edx
		jz	short loc_434734
		mov	cx, [eax]
		dec	edx
		mov	[ebx+eax], cx
		inc	edi
		add	eax, 2
		sub	esi, 1
		jnz	short loc_434710

loc_434725:				; CODE XREF: RtlWideCharArrayCopyWorker+13j
		test	edx, edx
		jnz	loc_5A96E0
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		jmp	short loc_434739
; 

loc_434734:				; CODE XREF: RtlWideCharArrayCopyWorker+22j
		mov	ecx, [ebp+arg_0]
		mov	[ecx], edi

loc_434739:				; CODE XREF: RtlWideCharArrayCopyWorker+42j
		xor	eax, eax

loc_43473B:				; CODE XREF: RtlWideCharArrayCopyWorker+174FFAj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
RtlWideCharArrayCopyWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAllocateTransientPoolWithQuotaTag(x, x, x)
_CmpAllocateTransientPoolWithQuotaTag@12 proc near ; CODE XREF:	PAGE:00732033p
					; PAGE:0073205Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		push	edx
		push	9
		call	ExAllocatePoolWithQuotaTag
		pop	ebp
		retn	4
_CmpAllocateTransientPoolWithQuotaTag@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SetFailureLocation proc	near		; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+BCp
					; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+172p	...

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6D		= dword	ptr -6Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005A96EF SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	dword_6B2348, 5
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ebx, edx
		mov	esi, ecx
		jbe	short loc_4347EC
		lea	eax, [ebp+var_6D]
		mov	byte ptr [ebp+var_6D], bl
		mov	[ebp+var_4C], eax
		xor	edx, edx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_78]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_6D+1]
		push	eax
		push	6
		push	edx
		push	edx
		push	offset loc_424A33
		push	offset dword_6B2348
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], 1
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_7C], edi
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_4347EC:				; CODE XREF: SetFailureLocation+26j
		test	esi, esi
		jz	short loc_434828
		test	ebx, ebx
		jnz	loc_5A96EF
		movzx	eax, word ptr [esi+4]
		cmp	eax, 8
		jnb	short loc_434828
		mov	ecx, [ebp+arg_0]
		imul	eax, 0Ch
		mov	[eax+esi+8], ecx
		movzx	eax, word ptr [esi+4]
		mov	ecx, [ebp+arg_4]
		inc	eax
		imul	eax, 0Ch
		mov	[eax+esi], ecx
		movzx	eax, word ptr [esi+4]
		imul	eax, 0Ch
		mov	[eax+esi+10h], edi
		inc	word ptr [esi+4]

loc_434828:				; CODE XREF: SetFailureLocation+98j
					; SetFailureLocation+A9j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
SetFailureLocation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLoadKeyCommon(x,	x, x, x, x, x, x, x, x,	x, x)
_CmpLoadKeyCommon@44 proc near		; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+656p
					; CmLoadKey+1F7p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= byte ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_20]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		push	esi
		push	edi
		mov	[ebp+var_28], eax
		lea	edi, [ebp+var_20]
		mov	eax, [ebp+arg_C]
		mov	esi, ecx
		mov	[ebp+var_40], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_3C], eax
		xor	eax, eax
		and	[ebp+var_34], eax
		and	[ebp+var_2C], eax
		or	dword ptr [esi+64h], 20h
		push	6
		pop	ecx
		rep stosd
		mov	edi, [ebp+arg_0]
		mov	eax, large fs:124h
		and	edi, 10h
		mov	[ebp+var_30], edx
		mov	[esi+9ACh], eax
		mov	[ebp+var_38], edi
		jz	short loc_4348B8
		mov	eax, [esi+980h]
		or	eax, 20h
		test	byte ptr [ebp+arg_0], 20h
		mov	[esi+980h], eax
		jz	short loc_4348B8
		or	eax, 40h
		mov	[esi+980h], eax

loc_4348B8:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+5Ej
					; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+73j
		or	dword ptr [esi+980h], 1
		call	_LockShutdownShared@0 ;	LockShutdownShared()
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_434931
		test	edi, edi
		jnz	short loc_434931
		xor	edx, edx
		mov	ecx, eax
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jz	short loc_434900
		mov	edi, 0C000017Ch
		push	10h

loc_4348EF:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+E1j
					; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+F5j ...
		push	edi
		push	1Dh
		xor	edx, edx
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_4349B8
; 

loc_434900:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+ACj
		mov	eax, [ebp+var_24]
		mov	ecx, esi
		push	[ebp+arg_10]
		mov	eax, [eax+8]
		mov	edx, [eax+10h]
		call	_CmpJoinClassOfTrust@12	; CmpJoinClassOfTrust(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_43491D
		push	20h
		jmp	short loc_4348EF
; 

loc_43491D:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+DDj
		mov	edx, [ebp+var_30]
		mov	ecx, esi
		call	_CmpVEAddHiveToSIDMappingTable@8 ; CmpVEAddHiveToSIDMappingTable(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_434931
		push	30h
		jmp	short loc_4348EF
; 

loc_434931:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+9Bj
					; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+9Fj ...
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_434966
		xor	edx, edx
		mov	ecx, eax
		call	CmpPerformKeyBodyDeletionCheck
		mov	edi, eax
		test	edi, edi
		jns	short loc_43494B
		push	40h
		jmp	short loc_4348EF
; 

loc_43494B:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+10Bj
		mov	eax, [ebp+var_28]
		mov	eax, [eax+8]
		mov	[ebp+var_2C], eax
		test	dword ptr [eax+68h], 40000h
		jnz	short loc_434966
		mov	edi, 0C000000Dh
		push	50h
		jmp	short loc_4348EF
; 

loc_434966:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+FCj
					; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+121j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, [ebp+var_30]
		lea	eax, [ebp+var_34]
		cmp	[ebp+var_38], 0
		push	ebx
		push	0
		mov	edx, [ecx+4]
		push	eax
		push	[ebp+var_2C]
		setnz	al
		push	dword ptr [ecx+10h]
		mov	ecx, [ecx+8]
		push	[ebp+var_40]
		movzx	eax, al
		push	eax
		push	200h
		push	[ebp+arg_18]
		push	esi
		call	CmpLinkHiveToMaster
		mov	edi, eax
		test	edi, edi
		jns	short loc_4349DE
		push	60h
		push	edi
		push	1Dh
		xor	edx, edx
		mov	ecx, ebx
		call	SetFailureLocation
		mov	cl, 1
		call	CmpLockRegistryFreezeAware

loc_4349B8:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+C1j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		lea	ecx, [ebp+var_20]
		call	CmpAttachToRegistryProcess
		mov	ecx, esi
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)
		lea	ecx, [ebp+var_20]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		jmp	loc_434AF9
; 

loc_4349DE:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+167j
		test	[ebp+arg_0], 800h
		mov	edi, [ebp+var_34]
		jz	short loc_4349F6
		mov	ecx, edi
		call	CmpReferenceKeyControlBlockUnsafe
		mov	eax, [ebp+var_3C]
		mov	[eax], edi

loc_4349F6:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+1AEj
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		mov	ebx, [ebp+var_38]
		test	ebx, ebx
		jz	short loc_434A1A
		mov	ecx, [esi+6D8h]
		call	CmpReferenceKeyControlBlockUnsafe
		mov	ecx, [ebp+var_3C]
		mov	eax, [esi+6D8h]
		mov	[ecx], eax

loc_434A1A:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+1C8j
		call	_CmpLockHiveListExclusive@0 ; CmpLockHiveListExclusive()
		mov	ecx, ds:dword_A940F4
		lea	eax, [esi+420h]
		mov	edx, offset _CmpHiveListHead
		cmp	[ecx], edx
		jz	short loc_434A39
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_434A39:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+1F8j
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:dword_A940F4, eax
		call	_CmpUnlockHiveList@0 ; CmpUnlockHiveList()
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		lea	ecx, [ebp+var_20]
		call	CmpAttachToRegistryProcess
		mov	ecx, esi
		call	_CmpRecheckHiveVolumePolicy@4 ;	CmpRecheckHiveVolumePolicy(x)
		lea	ecx, [ebp+var_20]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		mov	ecx, edi
		call	CmpDereferenceKeyControlBlockUnsafe
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		test	[ebp+arg_0], 110h
		jnz	short loc_434A8C
		mov	dl, [ebp+arg_1C]
		mov	ecx, esi
		call	CmpInitCmRM
		or	dword ptr [esi+980h], 8

loc_434A8C:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+23Fj
		cmp	byte ptr [ebp+arg_18], 0
		jz	short loc_434AAC
		lea	ecx, [ebp+var_20]
		call	CmpAttachToRegistryProcess
		push	4
		pop	edx
		mov	ecx, esi
		call	CmpFlushHive
		lea	ecx, [ebp+var_20]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)

loc_434AAC:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+256j
		test	ebx, ebx
		jnz	short loc_434AB7
		mov	ecx, esi
		call	CmpAddToHiveFileList

loc_434AB7:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+274j
		mov	eax, [esi+9A0h]
		test	eax, eax
		jz	short loc_434ADB
		push	eax
		push	offset _CmKtmNotification@28 ; CmKtmNotification(x,x,x,x,x,x,x)
		push	dword ptr [eax+1Ch]
		call	ds:__imp__TmEnableCallbacks@12 ; TmEnableCallbacks(x,x,x)
		mov	ecx, [esi+9A0h]
		call	CmRmFinalizeRecovery

loc_434ADB:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+285j
		mov	ecx, esi
		call	CmpTrimHive
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		and	dword ptr [esi+64h], 0FFFFFFDFh
		and	dword ptr [esi+9ACh], 0
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		xor	edi, edi

loc_434AF9:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+19Fj
		call	_UnlockShutdown@0 ; UnlockShutdown()
		cmp	ds:_CmpProfileLoaded, 0
		jnz	short loc_434B1C
		cmp	_CmpWasSetupBoot, 0
		jnz	short loc_434B1C
		mov	ds:_CmpProfileLoaded, 1
		call	_CmpSetGlobalQuotaAllowed@0 ; CmpSetGlobalQuotaAllowed()

loc_434B1C:				; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+2CBj
					; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+2D4j
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	24h
_CmpLoadKeyCommon@44 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall RtlTimelineBitmapUpdate(x, x)
_RtlTimelineBitmapUpdate@8 proc	near	; CODE XREF: KiAccumulateCycleStats+7Bp
					; PoEnergyContextUpdateComponentPower(x,x,x,x)+C0p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi]
		cmp	edx, esi
		jbe	short loc_434B55
		mov	ecx, edx
		sub	ecx, esi
		cmp	ecx, 20h
		jnb	short loc_434B64
		mov	eax, [edi+4]
		shl	eax, cl
		or	eax, 1

loc_434B4D:				; CODE XREF: RtlTimelineBitmapUpdate(x,x)+37j
		mov	[edi], edx

loc_434B4F:				; CODE XREF: RtlTimelineBitmapUpdate(x,x)+32j
		mov	[edi+4], eax

loc_434B52:				; CODE XREF: RtlTimelineBitmapUpdate(x,x)+2Aj
		pop	edi
		pop	esi
		retn
; 

loc_434B55:				; CODE XREF: RtlTimelineBitmapUpdate(x,x)+Aj
		sub	esi, edx
		cmp	esi, 20h
		jnb	short loc_434B52
		mov	eax, [edi+4]
		bts	eax, esi
		jmp	short loc_434B4F
; 

loc_434B64:				; CODE XREF: RtlTimelineBitmapUpdate(x,x)+13j
		xor	eax, eax
		inc	eax
		jmp	short loc_434B4D
_RtlTimelineBitmapUpdate@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpIsWriteQueueActive(x)
_CmpIsWriteQueueActive@4 proc near	; CODE XREF: CmpGenerateFlushControlData+1C8p
					; HvGetHiveLogFileStatus+E9p ...
		cmp	dword ptr [ecx], 0
		setnz	al
		retn
_CmpIsWriteQueueActive@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmEnforceWorkingSetLimit proc near	; CODE XREF: PspApplyWorkingSetLimitsToProcess+A5p
					; PspSetQuotaLimits+11F83Bp ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A972A SIZE 000000E7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[esp+48h+var_34], edx
		push	6
		xor	eax, eax
		lea	edi, [esp+4Ch+var_1C]
		xor	ebx, ebx
		pop	ecx
		rep stosd
		mov	eax, edx
		mov	[esp+48h+var_38], ebx
		mov	[esp+48h+var_28], ebx
		lea	edi, [esi+240h]
		mov	[esp+48h+var_24], ebx
		mov	[esp+48h+var_20], ebx
		and	eax, 4
		jnz	loc_5A972A

loc_434BBF:				; CODE XREF: MmEnforceWorkingSetLimit+174BC1j
		test	dl, 1
		jnz	loc_5A9738

loc_434BC8:				; CODE XREF: MmEnforceWorkingSetLimit+174BDAj
		mov	eax, large fs:124h
		xor	ecx, ecx
		inc	ecx
		mov	eax, [eax+80h]
		cmp	eax, esi
		jnz	loc_5A9751

loc_434BDF:				; CODE XREF: MmEnforceWorkingSetLimit+174BF1j
		mov	al, [edi+60h]
		mov	esi, offset unk_6D3C40
		and	al, 7
		cmp	al, 2
		jz	short loc_434BF3
		lea	esi, [edi+80h]

loc_434BF3:				; CODE XREF: MmEnforceWorkingSetLimit+79j
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		mov	bh, al
		and	[esp+48h+var_30], 0
		mov	eax, offset dword_6D3540
		test	ds:byte_70EFC6,	21h
		mov	[esp+48h+var_2C], eax
		jnz	loc_5A9768
		lea	edx, [esp+48h+var_30]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_434D05

loc_434C28:				; CODE XREF: MmEnforceWorkingSetLimit+19Cj
					; MmEnforceWorkingSetLimit+174C01j
		mov	edx, [esp+48h+var_34]
		mov	esi, edx
		mov	eax, [edi+60h]
		mov	cl, al
		mov	[esp+48h+var_38], eax
		and	esi, 8
		jnz	loc_5A9778

loc_434C40:				; CODE XREF: MmEnforceWorkingSetLimit+174C0Dj
		xor	eax, eax
		test	esi, esi
		setnz	al
		mov	[esp+48h+var_34], eax
		test	dl, 2
		jz	loc_5A9784
		and	cl, 0BFh
		xor	esi, esi
		mov	byte ptr [esp+48h+var_38], cl
		inc	esi

loc_434C5E:				; CODE XREF: MmEnforceWorkingSetLimit+174C16j
		test	cl, cl
		js	loc_5A978D

loc_434C66:				; CODE XREF: MmEnforceWorkingSetLimit+174C1Ej
		test	cl, 40h
		jnz	loc_5A9795

loc_434C6F:				; CODE XREF: MmEnforceWorkingSetLimit+174C26j
		test	bl, bl
		js	loc_5A979D

loc_434C77:				; CODE XREF: MmEnforceWorkingSetLimit+174C2Ej
					; MmEnforceWorkingSetLimit+174C3Dj ...
		xor	eax, eax
		test	dl, 4
		jnz	loc_5A97C5
		inc	eax

loc_434C83:				; CODE XREF: MmEnforceWorkingSetLimit+174C5Dj
		test	dl, 1
		jnz	loc_5A97D4

loc_434C8C:				; CODE XREF: MmEnforceWorkingSetLimit+174C6Bj
		test	esi, esi
		jz	short loc_434C99
		mov	ax, word ptr [esp+48h+var_38]
		mov	[edi+60h], ax

loc_434C99:				; CODE XREF: MmEnforceWorkingSetLimit+11Cj
		test	ds:byte_70EFC6,	1
		jnz	loc_5A97E2
		mov	eax, [esp+48h+var_30]
		test	eax, eax
		jnz	short loc_434CF2
		mov	edx, [esp+48h+var_2C]
		lea	eax, [esp+48h+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+48h+var_30]
		cmp	eax, ecx
		jnz	loc_5A97F3

loc_434CC8:				; CODE XREF: MmEnforceWorkingSetLimit+191j
					; MmEnforceWorkingSetLimit+174C7Cj
		mov	dl, bh
		mov	ecx, edi
		call	MiUnlockWorkingSetExclusive
		cmp	[esp+48h+var_24], 0
		jnz	loc_5A9801

loc_434CDC:				; CODE XREF: MmEnforceWorkingSetLimit+174C9Aj
		mov	ecx, [esp+48h+var_4]
		mov	eax, [esp+48h+var_20]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_434CF2:				; CODE XREF: MmEnforceWorkingSetLimit+13Aj
					; MmEnforceWorkingSetLimit+174C8Aj
		xor	esi, esi
		mov	[esp+48h+var_30], 0
		add	eax, 4
		inc	esi
		lock xor [eax],	esi
		jmp	short loc_434CC8
; 

loc_434D05:				; CODE XREF: MmEnforceWorkingSetLimit+B0j
		lea	ecx, [esp+48h+var_30]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_434C28
MmEnforceWorkingSetLimit endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall RtlInterlockedSetClearBits(x, x, x)
@RtlInterlockedSetClearBits@12 proc near
					; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+68p
					; PspRundownSingleProcess(x,x)+162p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		mov	ecx, [ebp+arg_0]
		push	esi
		push	edi
		not	ecx
		mov	edi, [ebx]
		mov	esi, edi

loc_434D27:				; CODE XREF: RtlInterlockedSetClearBits(x,x,x)+32j
		or	esi, edx
		and	esi, ecx
		cmp	esi, edi
		jz	short loc_434D3B
		mov	eax, edi
		lock cmpxchg [ebx], esi
		mov	esi, eax
		cmp	esi, edi
		jnz	short loc_434D44

loc_434D3B:				; CODE XREF: RtlInterlockedSetClearBits(x,x,x)+19j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_434D44:				; CODE XREF: RtlInterlockedSetClearBits(x,x,x)+25j
		mov	edi, esi
		jmp	short loc_434D27
@RtlInterlockedSetClearBits@12 endp

; 
		align 10h
; Exported entry 1926. PsUpdateComponentPower

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsUpdateComponentPower
PsUpdateComponentPower proc near	; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+58p
					; PspSetProcessEnergyTrackingStateCallback(x,x)+15p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005A9811 SIZE 00000078 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	ecx, [ebp+arg_0]
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	loc_434E71
		cmp	ecx, ds:_PsIdleProcess
		jz	loc_434E71

loc_434D75:				; CODE XREF: PsUpdateComponentPower+127j
		mov	edi, [ecx+3E0h]
		mov	[esp+18h+var_8], edi
		test	edi, edi
		jz	short loc_434DE9
		mov	edx, [ebp+arg_4]
		cmp	edx, 1
		jnz	short loc_434DF2
		mov	ecx, [ebp+arg_8]
		mov	eax, ecx
		mov	edx, [ebp+arg_C]
		or	eax, edx
		jz	short loc_434DE9
		lea	eax, [edi+40h]
		mov	[esp+18h+var_4], eax
		mov	edi, eax

loc_434DA0:				; CODE XREF: PsUpdateComponentPower+76j
					; PsUpdateComponentPower+7Cj
		mov	esi, [edi]
		mov	ebx, esi
		mov	eax, [edi+4]
		add	ebx, ecx
		mov	ecx, eax
		mov	[esp+18h+var_4], eax
		adc	ecx, edx
		mov	eax, esi
		mov	edx, [esp+18h+var_4]
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+arg_8]
		mov	ebx, edx
		mov	edx, [ebp+arg_C]
		cmp	eax, esi
		jnz	short loc_434DA0
		cmp	ebx, [esp+18h+var_4]
		jnz	short loc_434DA0
		mov	eax, 118h

loc_434DD3:				; CODE XREF: PsUpdateComponentPower+11Cj
					; PsUpdateComponentPower+174B34j
		mov	edi, [esp+18h+var_8]
		lea	ecx, [eax+edi]
		test	ecx, ecx
		jz	short loc_434DE9
		mov	edx, _KiTimelineBitmapTime
		call	RtlInterlockedTimelineBitmapUpdate

loc_434DE9:				; CODE XREF: PsUpdateComponentPower+31j
					; PsUpdateComponentPower+45j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_434DF2:				; CODE XREF: PsUpdateComponentPower+39j
		cmp	edx, 2
		jnz	loc_434E7C
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_C]
		or	eax, ecx
		jz	short loc_434DE9
		lea	eax, [edi+48h]
		mov	[esp+18h+var_4], eax
		mov	edi, eax
		mov	edi, edi

loc_434E10:				; CODE XREF: PsUpdateComponentPower+DEj
					; PsUpdateComponentPower+E4j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, ecx
		mov	ecx, edx
		mov	[esp+18h+var_4], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+arg_C]
		cmp	eax, esi
		jnz	short loc_434E10
		cmp	edx, [esp+18h+var_4]
		jnz	short loc_434E10
		mov	eax, [esp+18h+var_8]
		add	eax, 58h
		mov	[esp+18h+var_4], eax
		mov	edi, eax

loc_434E43:				; CODE XREF: PsUpdateComponentPower+10Fj
					; PsUpdateComponentPower+115j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		mov	eax, esi
		add	ebx, [ebp+arg_8]
		mov	ecx, edx
		mov	[esp+18h+var_4], edx
		adc	ecx, 0
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_434E43
		cmp	edx, [esp+18h+var_4]
		jnz	short loc_434E43
		mov	eax, 120h
		jmp	loc_434DD3
; 

loc_434E71:				; CODE XREF: PsUpdateComponentPower+13j
					; PsUpdateComponentPower+1Fj
		mov	ecx, ds:_PsInitialSystemProcess
		jmp	loc_434D75
; 

loc_434E7C:				; CODE XREF: PsUpdateComponentPower+A5j
		cmp	edx, 3
		jz	loc_5A9811
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_PoEnergyContextUpdateComponentPower@16	; PoEnergyContextUpdateComponentPower(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
PsUpdateComponentPower endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlInterlockedTimelineBitmapUpdate proc	near ; CODE XREF: PsUpdateComponentPower+94p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A9889 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, edx
		mov	[ebp+var_8], ecx
		push	edi
		mov	edi, [ecx]
		mov	ecx, [ecx+4]
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], ecx
		cmp	eax, edi
		jnz	short loc_434EBF
		test	cl, 1
		jz	short loc_434EBF

loc_434EBC:				; CODE XREF: RtlInterlockedTimelineBitmapUpdate+5Fj
		pop	edi
		leave
		retn
; 

loc_434EBF:				; CODE XREF: RtlInterlockedTimelineBitmapUpdate+1Bj
					; RtlInterlockedTimelineBitmapUpdate+20j
		push	ebx
		push	esi

loc_434EC1:				; CODE XREF: RtlInterlockedTimelineBitmapUpdate+70j
		cmp	eax, edi
		jbe	loc_5A9889
		mov	edx, eax
		sub	edx, edi
		cmp	edx, 20h
		jnb	short loc_434EFB
		mov	esi, ecx
		mov	ecx, edx
		shl	esi, cl
		mov	ecx, [ebp+var_4]
		or	esi, 1

loc_434EDE:				; CODE XREF: RtlInterlockedTimelineBitmapUpdate+64j
		mov	ebx, eax

loc_434EE0:				; CODE XREF: RtlInterlockedTimelineBitmapUpdate+174A0Bj
		mov	eax, edi
		mov	edx, ecx
		nop
		mov	ecx, esi
		mov	esi, [ebp+var_8]
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		jnz	short loc_434F00
		cmp	edx, [ebp+var_4]
		jnz	short loc_434F00

loc_434EF7:				; CODE XREF: RtlInterlockedTimelineBitmapUpdate+1749F6j
					; RtlInterlockedTimelineBitmapUpdate+174A03j
		pop	esi
		pop	ebx
		jmp	short loc_434EBC
; 

loc_434EFB:				; CODE XREF: RtlInterlockedTimelineBitmapUpdate+36j
		xor	esi, esi
		inc	esi
		jmp	short loc_434EDE
; 

loc_434F00:				; CODE XREF: RtlInterlockedTimelineBitmapUpdate+56j
					; RtlInterlockedTimelineBitmapUpdate+5Bj
		mov	ecx, edx
		mov	edi, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_4], ecx
		jmp	short loc_434EC1
RtlInterlockedTimelineBitmapUpdate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetDisableQuantumProcess(x, x)
_KeSetDisableQuantumProcess@8 proc near	; CODE XREF: PspApplyJobLimitsToProcess:loc_7521A0p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		mov	[ebp+var_8], ebx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		lea	eax, [edi+34h]
		push	eax
		mov	[ebp+var_C], eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		lea	ecx, [edi+64h]
		test	ebx, ebx
		jnz	short loc_434F7C
		lock btr dword ptr [ecx], 2

loc_434F3F:				; CODE XREF: KeSetDisableQuantumProcess(x,x)+75j
		setb	al
		add	edi, 2Ch
		movzx	ebx, al
		mov	esi, [edi]
		cmp	esi, edi
		jnz	short loc_434F66

loc_434F4E:				; CODE XREF: KeSetDisableQuantumProcess(x,x)+6Cj
		push	[ebp+var_C]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_434F66:				; CODE XREF: KeSetDisableQuantumProcess(x,x)+40j
		mov	edx, [ebp+var_8]

loc_434F69:				; CODE XREF: KeSetDisableQuantumProcess(x,x)+6Ej
		lea	ecx, [esi-1D4h]
		call	_KeSetDisableQuantumThread@8 ; KeSetDisableQuantumThread(x,x)
		mov	esi, [esi]
		cmp	esi, edi
		jz	short loc_434F4E
		jmp	short loc_434F69
; 

loc_434F7C:				; CODE XREF: KeSetDisableQuantumProcess(x,x)+2Cj
		lock bts dword ptr [ecx], 2
		jmp	short loc_434F3F
_KeSetDisableQuantumProcess@8 endp

; 
		align 8
; Exported entry 1801. PsGetProcessId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessId(x)
		public _PsGetProcessId@4
_PsGetProcessId@4 proc near		; CODE XREF: EtwTraceSystemTimeChange+49p
					; PspProcessDelete+C0p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0E4h]
		pop	ebp
		retn	4
_PsGetProcessId@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetDiskIoAttributionOnProcess(x, x)
_IoSetDiskIoAttributionOnProcess@8 proc	near ; CODE XREF: PspEstablishJobHierarchy+255p
					; PspProcessDelete+1E7p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		cmp	[edi+430h], esi
		jnz	short loc_434FB2

loc_434FAE:				; CODE XREF: IoSetDiskIoAttributionOnProcess(x,x)+5Ej
					; IoSetDiskIoAttributionOnProcess(x,x)+67j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_434FB2:				; CODE XREF: IoSetDiskIoAttributionOnProcess(x,x)+12j
		test	esi, esi
		jz	short loc_434FC4
		xor	eax, eax
		inc	eax
		lock xadd [esi+10h], eax
		inc	eax
		cmp	eax, 1
		jle	short loc_435003

loc_434FC4:				; CODE XREF: IoSetDiskIoAttributionOnProcess(x,x)+1Aj
					; IoSetDiskIoAttributionOnProcess(x,x)+6Ej
		push	ebx
		push	offset _IopDiskIoAttributionLock
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		mov	eax, [edi+430h]
		push	offset _IopDiskIoAttributionLock
		mov	[ebp+var_4], eax
		mov	[edi+430h], esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_4]
		pop	ebx
		test	eax, eax
		jz	short loc_434FAE
		mov	ecx, eax
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		jmp	short loc_434FAE
; 

loc_435003:				; CODE XREF: IoSetDiskIoAttributionOnProcess(x,x)+28j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_434FC4
_IoSetDiskIoAttributionOnProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStateDurationCapture(x, x, x, x)
_RtlStateDurationCapture@16 proc near	; CODE XREF: PoEnergyContextCleanup(x)+8Ap
					; PoEnergyContextCleanup(x)+E2p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		push	esi
		push	edi
		xor	esi, esi
		mov	eax, [ebx]
		mov	[edx], eax
		mov	eax, [ebx+4]
		mov	edi, eax
		mov	[edx+4], eax
		test	edi, edi
		js	short loc_435031

loc_435028:				; CODE XREF: RtlStateDurationCapture(x,x,x,x)+37j
					; RtlStateDurationCapture(x,x,x,x)+5Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_435031:				; CODE XREF: RtlStateDurationCapture(x,x,x,x)+1Cj
		mov	eax, [ebp+arg_0]
		and	edi, 7FFFFFFFh
		mov	[edx+4], edi
		mov	ecx, [ebx]
		cmp	eax, ecx
		jbe	short loc_435028
		mov	esi, eax
		mov	[edx], eax
		sub	esi, ecx
		or	ecx, 0FFFFFFFFh
		cmp	esi, ecx
		jnb	short loc_43505B
		mov	eax, esi
		not	eax
		cmp	eax, edi
		jb	short loc_43505B
		lea	ecx, [edi+esi]

loc_43505B:				; CODE XREF: RtlStateDurationCapture(x,x,x,x)+44j
					; RtlStateDurationCapture(x,x,x,x)+4Cj
		and	ecx, 7FFFFFFFh
		mov	[edx+4], ecx
		jmp	short loc_435028
_RtlStateDurationCapture@16 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpGetProcessStartKey(x)
_EtwpGetProcessStartKey@4 proc near	; CODE XREF: EtwQueryProcessTelemetryInfo+196p
					; EtwpInitStateChangeInfo+42p ...
		mov	edx, ds:0FFDF02C4h
		xor	eax, eax
		or	eax, [ecx+3E8h]
		shl	edx, 10h
		or	edx, [ecx+3ECh]
		retn
_EtwpGetProcessStartKey@4 endp


;  S U B	R O U T	I N E 


_tlgCreate1Sz_wchar_t proc near		; CODE XREF: ExLogTimeZoneInformation()+11Cp
					; PopTraceThermalZonePassiveHistogram+89947p ...

; FUNCTION CHUNK AT 005A98AA SIZE 0000000D BYTES

		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		push	esi
		test	edx, edx
		jz	loc_5A98AA
		mov	esi, edx
		push	edi
		lea	edi, [esi+2]

loc_435092:				; CODE XREF: _tlgCreate1Sz_wchar_t+1Dj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, bx
		jnz	short loc_435092
		sub	esi, edi
		sar	esi, 1
		pop	edi
		lea	esi, ds:2[esi*2]

loc_4350A9:				; CODE XREF: _tlgCreate1Sz_wchar_t+174834j
		mov	[ecx+8], esi
		pop	esi
		mov	[ecx+4], ebx
		mov	[ecx+0Ch], ebx
		mov	[ecx], edx
		pop	ebx
		retn
_tlgCreate1Sz_wchar_t endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLogProcessWorkingSetsStart proc near	; CODE XREF: .text:005167EEp

var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_AD		= dword	ptr -0ADh
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A98B7 SIZE 00000143 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, dword_6D35BC
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_4350F6
		cmp	dword ptr [esi], 5
		jbe	short loc_4350F6
		push	0
		push	1
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_5A98B7

loc_4350F6:				; CODE XREF: MiLogProcessWorkingSetsStart+24j
					; MiLogProcessWorkingSetsStart+29j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
MiLogProcessWorkingSetsStart endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLogProcessWorkingSetsStop proc near	; CODE XREF: .text:00516B30p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A99FA SIZE 00000071 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, dword_6D35BC
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_435142
		cmp	dword ptr [esi], 5
		jbe	short loc_435142
		xor	ebx, ebx
		mov	ecx, esi
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_5A99FA

loc_435142:				; CODE XREF: MiLogProcessWorkingSetsStop+1Fj
					; MiLogProcessWorkingSetsStop+24j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
MiLogProcessWorkingSetsStop endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _tlgWriteTransfer_EtwWriteTransfer(x, x, x,	x, x, x)
__tlgWriteTransfer_EtwWriteTransfer@24 proc near ; CODE	XREF: SetFailureLocation+91p
					; EtwTelemetryCoverageReport(x)+416p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_14]
		push	ebx
		push	esi
		movzx	eax, byte ptr [ecx]
		xor	ebx, ebx
		mov	esi, [ebp+arg_0]
		shl	eax, 18h
		mov	[ebp+var_10], eax
		movzx	eax, word ptr [ecx+1]
		mov	[ebp+var_C], eax
		mov	eax, [ecx+3]
		mov	[ebp+var_8], eax
		mov	eax, [ecx+7]
		add	ecx, 0Bh
		push	edx
		push	[ebp+arg_10]
		mov	[ebp+var_4], eax
		mov	eax, [esi+4]
		push	[ebp+arg_C]
		mov	[edx], eax
		push	[ebp+arg_8]
		mov	[edx+4], ebx
		mov	eax, [esi+4]
		push	ebx
		push	ebx
		push	ebx
		movzx	eax, word ptr [eax]
		mov	[edx+8], eax
		mov	dword ptr [edx+0Ch], 2
		mov	[edx+10h], ecx
		mov	[edx+14h], ebx
		movzx	eax, word ptr [ecx]
		mov	[edx+18h], eax
		mov	eax, offset __TraceLoggingMetadataEnd
		mov	dword ptr [edx+1Ch], 1
		sub	eax, offset __TraceLoggingMetadata
		mov	ecx, [esi+18h]
		lea	edx, [ebp+var_10]
		push	edx
		mov	[ebp+arg_4], eax
		mov	eax, [esi+1Ch]
		push	eax
		push	ecx
		call	EtwWriteEx
		pop	esi
		pop	ebx
		leave
		retn	18h
__tlgWriteTransfer_EtwWriteTransfer@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _tlgKeywordOn(x, x,	x)
__tlgKeywordOn@12 proc near		; CODE XREF: MiLogProcessWorkingSetsStart+31p
					; MiLogProcessWorkingSetsStop+2Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		or	eax, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		jz	short loc_435221
		mov	edx, [esi+8]
		mov	eax, [esi+0Ch]
		and	edx, [ebp+arg_0]
		and	eax, [ebp+arg_4]
		or	edx, eax
		jnz	short loc_435209

loc_435202:				; CODE XREF: _tlgKeywordOn(x,x,x)+39j
					; _tlgKeywordOn(x,x,x)+3Dj
		xor	al, al

loc_435204:				; CODE XREF: _tlgKeywordOn(x,x,x)+41j
		pop	esi
		pop	ebp
		retn	8
; 

loc_435209:				; CODE XREF: _tlgKeywordOn(x,x,x)+1Ej
		mov	ecx, [esi+10h]
		mov	eax, ecx
		mov	esi, [esi+14h]
		mov	edx, esi
		and	eax, [ebp+arg_0]
		and	edx, [ebp+arg_4]
		cmp	eax, ecx
		jnz	short loc_435202
		cmp	edx, esi
		jnz	short loc_435202

loc_435221:				; CODE XREF: _tlgKeywordOn(x,x,x)+Ej
		mov	al, 1
		jmp	short loc_435204
__tlgKeywordOn@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringCbCopyA(x,	x, x)
_RtlStringCbCopyA@12 proc near		; CODE XREF: PfpPrivSourceEnum(x,x,x)+21Dp
					; PfpPrivSourceEnum(x,x,x)+320p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		test	edx, edx
		jz	short loc_43524C
		cmp	edx, 7FFFFFFFh
		ja	short loc_43524C

loc_435239:				; CODE XREF: RtlStringCbCopyA(x,x,x)+2Bj
		test	eax, eax
		js	short loc_435253
		push	ecx
		push	[ebp+arg_0]
		push	0
		call	RtlStringCopyWorkerA

loc_435248:				; CODE XREF: RtlStringCbCopyA(x,x,x)+2Fj
					; RtlStringCbCopyA(x,x,x)+34j
		pop	ebp
		retn	4
; 

loc_43524C:				; CODE XREF: RtlStringCbCopyA(x,x,x)+9j
					; RtlStringCbCopyA(x,x,x)+11j
		mov	eax, 0C000000Dh
		jmp	short loc_435239
; 

loc_435253:				; CODE XREF: RtlStringCbCopyA(x,x,x)+15j
		test	edx, edx
		jz	short loc_435248
		mov	byte ptr [ecx],	0
		jmp	short loc_435248
_RtlStringCbCopyA@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringCopyWorkerA proc near		; CODE XREF: RtlStringCbCopyA(x,x,x)+1Dp
					; RtlStringCbCopyExA(x,x,x,x,x,x)+42p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		test	edx, edx
		jz	short loc_4352B2
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, 7FFFFFFEh
		sub	esi, ecx

loc_435274:				; CODE XREF: RtlStringCopyWorkerA+2Bj
		test	edi, edi
		jz	short loc_435289
		mov	bl, [esi+ecx]
		test	bl, bl
		jz	short loc_435289
		mov	[ecx], bl
		inc	ecx
		dec	edi
		inc	eax
		sub	edx, 1
		jnz	short loc_435274

loc_435289:				; CODE XREF: RtlStringCopyWorkerA+1Aj
					; RtlStringCopyWorkerA+21j
		pop	edi
		pop	esi
		pop	ebx
		test	edx, edx
		jz	short loc_4352B2

loc_435290:				; CODE XREF: RtlStringCopyWorkerA+58j
		neg	edx
		mov	byte ptr [ecx],	0
		mov	ecx, [ebp+arg_0]
		sbb	edx, edx
		and	edx, 7FFFFFFBh
		test	ecx, ecx
		jnz	short loc_4352AE

loc_4352A4:				; CODE XREF: RtlStringCopyWorkerA+54j
		lea	eax, [edx-7FFFFFFBh]
		pop	ebp
		retn	0Ch
; 

loc_4352AE:				; CODE XREF: RtlStringCopyWorkerA+46j
		mov	[ecx], eax
		jmp	short loc_4352A4
; 

loc_4352B2:				; CODE XREF: RtlStringCopyWorkerA+9j
					; RtlStringCopyWorkerA+32j
		dec	ecx
		dec	eax
		jmp	short loc_435290
RtlStringCopyWorkerA endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmStoreExistsForProcess(x)
_SmStoreExistsForProcess@4 proc	near	; CODE XREF: MmOutSwapWorkingSet+A6p
					; MiReleaseOutSwappedProcessCommit(x)+DBp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	0
		mov	[ebp+var_4], ecx
		lea	edx, [ebp+var_4]
		push	0
		mov	ecx, offset unk_718478
		call	_SmpKeyedStoreEntryGet@16 ; SmpKeyedStoreEntryGet(x,x,x,x)
		neg	eax
		sbb	eax, eax
		neg	eax
		leave
		retn
_SmStoreExistsForProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmpKeyedStoreEntryGet(x, x,	x, x)
_SmpKeyedStoreEntryGet@16 proc near	; CODE XREF: SmStoreExistsForProcess(x)+15p
					; SmpKeyedStoreSetVaRanges(x,x,x,x)+42p ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 58h
		push	esi
		xor	eax, eax
		mov	[ebp+var_10], edx
		mov	esi, ecx
		mov	[ebp+var_28], eax
		push	edi
		mov	edi, [ebx+8]
		mov	[ebp+var_1C], esi
		cmp	[ebx+0Ch], eax
		jnz	short loc_435326
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		test	edi, edi
		jg	loc_43542B
		call	ExAcquirePushLockSharedEx

loc_435326:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+2Fj
					; SmpKeyedStoreEntryGet(x,x,x,x)+158j
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_34], edx
		test	edi, edi
		jnz	short loc_435353
		mov	edi, [esi+10h]
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_C], edi
		test	edi, edi
		jz	short loc_435348
		mov	eax, [edi+4]
		cmp	eax, [ecx]
		jz	loc_4354F5

loc_435348:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+63j
		mov	eax, [esi+14h]
		cmp	[ecx], eax
		jz	loc_4354FC

loc_435353:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+56j
		mov	edi, [esi+8]
		mov	eax, edx
		mov	ecx, edi
		shr	edi, 5
		and	ecx, 1Fh
		shl	eax, cl
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_14], eax
		mov	ecx, [ecx]
		mov	edx, ecx
		and	edx, eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_24], edx
		test	edi, edi
		jz	short loc_4353DB
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_54], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_24+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_24+3]
		imul	edx, ecx, 25h
		lea	ecx, [edi-1]
		add	edx, eax
		mov	eax, [esi+0Ch]
		and	ecx, edx
		mov	edx, [ebp+var_14]
		lea	edi, [eax+ecx*4]
		mov	ecx, [ebp+var_18]

loc_4353B1:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+EDj
		mov	edi, [edi]
		mov	[ebp+var_C], edi
		test	edi, 1
		jnz	short loc_4353C9
		mov	eax, [edi+4]
		and	eax, edx
		cmp	ecx, eax
		jnz	short loc_4353B1
		jmp	short loc_4353D0
; 

loc_4353C9:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+E4j
		xor	eax, eax
		mov	edi, eax
		mov	[ebp+var_C], eax

loc_4353D0:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+EFj
		test	edi, edi
		jnz	loc_4354E5
		mov	ecx, [ebp+var_8]

loc_4353DB:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+A1j
		cmp	dword ptr [ebx+8], 1
		jz	loc_4355F9
		mov	[esi+14h], ecx

loc_4353E8:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+4C2j
		xor	edi, edi
		mov	[ebp+var_C], edi

loc_4353ED:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+3B6j
		or	edx, 0FFFFFFFFh

loc_4353F0:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+21Fj
					; SmpKeyedStoreEntryGet(x,x,x,x)+229j
		cmp	dword ptr [ebx+0Ch], 0
		jnz	short loc_43541D
		cmp	dword ptr [ebx+8], 0
		jg	short loc_435435
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_435411
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_435411:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+130j
		mov	ecx, esi
		call	KeAbPostRelease

loc_435418:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+17Cj
					; SmpKeyedStoreEntryGet(x,x,x,x)+305j ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_43541D:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+11Cj
		mov	eax, [ebp+var_C]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_43542B:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+43j
		call	ExAcquirePushLockExclusiveEx
		jmp	loc_435326
; 

loc_435435:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+122j
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_43544B
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh

loc_43544B:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+167j
		mov	[ebp+var_24], edi
		test	esi, 7FFFFFFCh
		jz	short loc_435418
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	[ebp+var_8], eax
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		cmp	esi, eax
		mov	[ebp+var_50], eax
		mov	eax, [ebp+var_8]
		jb	loc_435506
		cmp	byte ptr dword_6D3994[ecx], 1
		jnz	loc_435506

loc_435484:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+23Aj
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_34], edx

loc_435497:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+231j
					; SmpKeyedStoreEntryGet(x,x,x,x)+240j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, eax
		push	edx
		mov	edx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[ebp+var_50], edx
		test	edx, edx
		jnz	short loc_43551D
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_435589
		xor	eax, eax
		push	eax
		push	[ebp+var_34]
		push	esi
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4354E5:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+FAj
		cmp	dword ptr [ebx+8], 2
		jz	loc_4356AD
		mov	[esi+10h], edi

loc_4354F2:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+3ABj
					; SmpKeyedStoreEntryGet(x,x,x,x)+4D9j ...
		or	edx, 0FFFFFFFFh

loc_4354F5:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+6Aj
		xor	edi, edi
		jmp	loc_4353F0
; 

loc_4354FC:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+75j
		xor	edi, edi
		mov	[ebp+var_C], edi
		jmp	loc_4353F0
; 

loc_435506:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+199j
					; SmpKeyedStoreEntryGet(x,x,x,x)+1A6j
		cmp	esi, [ebp+var_50]
		jb	short loc_435497
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_435484
		jmp	loc_435497
; 

loc_43551D:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+1E8j
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		xor	eax, eax
		cmp	[edx+10h], eax
		jge	short loc_435537
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp+var_50]

loc_435537:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+253j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_24], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		mov	[edx+10h], eax
		mov	[ebp+var_50], 30h
		sub	edx, [ecx+1E8h]
		mov	eax, edx
		cdq
		idiv	[ebp+var_50]
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_435693
		movzx	eax, byte ptr [ecx+1E4h]
		bts	eax, edx
		mov	[ecx+1E4h], al

loc_435589:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+1F5j
					; SmpKeyedStoreEntryGet(x,x,x,x)+3D0j
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_50], eax
		jz	short loc_4355D4
		test	edi, 8000h
		jz	short loc_4355AE
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp+var_8]

loc_4355AE:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+2CAj
		test	byte ptr [ebp+var_24+2], 1
		jz	short loc_4355BC
		xor	edx, edx
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4355BC:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+2DAj
		mov	eax, 7FFFh
		test	edi, eax
		jnz	loc_435721
		mov	edi, [ebp+var_8]
		jmp	loc_43572F
; 

loc_4355D1:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+461j
					; SmpKeyedStoreEntryGet(x,x,x,x)+473j
		mov	ecx, [ebp+var_8]

loc_4355D4:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+2C2j
		nop
		add	word ptr [ecx+13Eh], 1
		jnz	loc_435418
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	loc_435418
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_435418
; 

loc_4355F9:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+107j
		mov	edi, [ebp+var_10]
		lea	edx, [esi+4]
		mov	ecx, [edx+4]
		xor	eax, eax
		mov	[ebp+var_20], eax
		add	edi, 0FFFFFFFCh
		mov	eax, ecx
		mov	[ebp+var_C], edi
		shr	eax, 5
		mov	[ebp+var_24], eax
		add	eax, eax
		mov	[ebp+var_28], 54486D73h
		mov	[ebp+var_50], edx
		mov	[ebp+var_38], ecx
		cmp	[edx], eax
		jnb	loc_435750

loc_43562C:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+4BCj
					; SmpKeyedStoreEntryGet(x,x,x,x)+4F5j ...
		mov	eax, [ebp+var_10]
		mov	esi, ecx
		and	ecx, 1Fh
		shr	esi, 5
		or	edx, 0FFFFFFFFh
		shl	edx, cl
		and	edx, [eax]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_30], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		lea	edx, [esi-1]
		mov	esi, [ebp+var_50]
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_30+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_30+3]
		imul	ecx, 25h
		add	ecx, eax
		and	edx, ecx
		mov	ecx, [esi+8]
		mov	eax, [ecx+edx*4]
		mov	[edi], eax
		mov	[ecx+edx*4], edi
		inc	dword ptr [esi]
		mov	esi, [ebp+var_1C]
		mov	ecx, [ebp+var_10]
		mov	eax, [esi+14h]
		cmp	eax, [ecx]
		jnz	loc_4354F2
		xor	edi, edi
		mov	[esi+14h], edi
		jmp	loc_4353ED
; 

loc_435693:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+29Bj
		mov	ecx, edx
		mov	al, 1
		shl	al, cl
		mov	ecx, [ebp+var_8]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp+var_1C]
		jmp	loc_435589
; 

loc_4356AD:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+211j
		mov	esi, [esi+8]
		or	edx, 0FFFFFFFFh
		mov	ecx, esi
		shr	esi, 5
		and	ecx, 1Fh
		shl	edx, cl
		and	edx, [edi+4]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_24], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		mov	[ebp+var_58], edx
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_24+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_24+3]
		imul	edx, ecx, 25h
		lea	ecx, [esi-1]
		mov	esi, [ebp+var_1C]
		add	edx, eax
		mov	eax, [esi+0Ch]
		and	ecx, edx
		mov	edx, 80000002h
		lea	ecx, [eax+ecx*4]
		mov	eax, [edi]
		and	eax, edx
		cmp	eax, edx
		jnz	loc_4357BF
		xor	edx, edx
		mov	eax, [edx]

loc_43570B:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+447j
					; SmpKeyedStoreEntryGet(x,x,x,x)+4E9j
		mov	eax, [ecx]
		test	al, 1
		jnz	loc_4357C6
		cmp	eax, edi
		jz	loc_43579F
		mov	ecx, eax
		jmp	short loc_43570B
; 

loc_435721:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+2EBj
		and	edi, eax
		mov	edx, edi
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_43572F:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+2F4j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4355D1
		push	[ebp+var_50]
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4355D1
; 

loc_435750:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+34Ej
		mov	eax, [ebp+var_24]
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_20]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_4357CA
		mov	eax, [ebp+var_20]
		mov	[ebp+var_8], eax
		cmp	eax, 4
		jnb	short loc_43577A
		push	4
		pop	eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_20], eax

loc_43577A:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+497j
		lea	ecx, [ebp+var_28]
		shl	eax, 2
		push	ecx
		push	eax
		call	?SmAllocWrapper@@YGPAXKPAX@Z ; SmAllocWrapper(ulong,void *)
		mov	[ebp+var_18], eax
		test	eax, eax
		jnz	short loc_4357D2
		mov	ecx, [esi+8]
		cmp	ecx, 20h
		jnb	loc_43562C
		jmp	loc_4353E8
; 

loc_43579F:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+43Fj
		mov	eax, [edi]
		mov	[ecx], eax
		dec	dword ptr [esi+4]
		or	dword ptr [edi], 80000002h

loc_4357AC:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+4F0j
		mov	eax, [esi+10h]
		cmp	eax, edi
		jnz	loc_4354F2
		mov	[esi+10h], edx
		jmp	loc_4354F2
; 

loc_4357BF:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+429j
		xor	edx, edx
		jmp	loc_43570B
; 

loc_4357C6:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+437j
		mov	eax, [edx]
		jmp	short loc_4357AC
; 

loc_4357CA:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+48Cj
		mov	ecx, [ebp+var_38]
		jmp	loc_43562C
; 

loc_4357D2:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+4B4j
		mov	edx, [ebp+var_8]
		lea	eax, [edx-1]
		test	eax, edx
		jz	short loc_4357F0
		or	ecx, 0FFFFFFFFh
		test	edx, edx
		jz	short loc_4357E8

loc_4357E3:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+50Ej
		inc	ecx
		shr	edx, 1
		jnz	short loc_4357E3

loc_4357E8:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+509j
		xor	edx, edx
		inc	edx
		shl	edx, cl
		mov	[ebp+var_8], edx

loc_4357F0:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+502j
		mov	eax, 4000000h
		cmp	edx, eax
		jbe	short loc_4357FE
		mov	edx, eax
		mov	[ebp+var_8], edx

loc_4357FE:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+51Fj
		mov	ecx, [ebp+var_18]
		lea	eax, [esi+4]
		and	[ebp+var_14], 0
		or	eax, 1
		shl	edx, 2
		mov	[ebp+var_30], ecx
		add	ecx, edx
		shr	edx, 2
		cmp	ecx, [ebp+var_18]
		sbb	ecx, ecx
		not	ecx
		and	ecx, edx
		jbe	short loc_435831
		mov	edx, [ebp+var_30]

loc_435824:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+557j
		inc	[ebp+var_14]
		mov	[edx], eax
		lea	edx, [edx+4]
		cmp	[ebp+var_14], ecx
		jb	short loc_435824

loc_435831:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+547j
		or	[ebp+var_24], 0FFFFFFFFh
		lea	edx, [esi+4]
		mov	eax, [edx+4]
		mov	ecx, eax
		and	ecx, 1Fh
		shl	[ebp+var_24], cl
		xor	ecx, ecx
		mov	[ebp+var_14], ecx
		test	eax, 0FFFFFFE0h
		jbe	short loc_4358CB
		mov	edi, [ebp+var_8]

loc_435852:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+5EEj
		mov	edx, [edx+8]
		mov	[ebp+var_38], edx

loc_435858:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+5D9j
		mov	esi, [ebp+var_14]
		mov	ecx, [edx+esi*4]
		mov	[ebp+var_30], ecx
		test	ecx, 1
		jnz	short loc_4358B3
		mov	eax, [ecx]
		mov	[edx+esi*4], eax
		mov	edx, [ecx+4]
		and	edx, [ebp+var_24]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	esi, [ebp+var_30]
		imul	ecx, eax, 25h
		movzx	eax, dh
		mov	[ebp+var_2C], edx
		lea	edx, [edi-1]
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_2C+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_2C+3]
		imul	ecx, 25h
		add	ecx, eax
		and	edx, ecx
		mov	ecx, [ebp+var_18]
		mov	eax, [ecx+edx*4]
		mov	[esi], eax
		mov	eax, esi
		mov	[ecx+edx*4], eax
		mov	edx, [ebp+var_38]
		jmp	short loc_435858
; 

loc_4358B3:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+58Fj
		inc	esi
		mov	[ebp+var_14], esi
		mov	esi, [ebp+var_1C]
		lea	edx, [esi+4]
		mov	eax, [edx+4]
		shr	eax, 5
		cmp	[ebp+var_14], eax
		jb	short loc_435852
		mov	edi, [ebp+var_C]

loc_4358CB:				; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+575j
		mov	eax, [edx+8]
		mov	ecx, [edx+4]
		mov	[ebp+var_38], eax
		and	ecx, 1Fh
		mov	eax, [ebp+var_18]
		mov	[edx+8], eax
		mov	eax, [ebp+var_8]
		shl	eax, 5
		or	ecx, eax
		mov	eax, [ebp+var_38]
		mov	[edx+4], ecx
		test	eax, eax
		jz	loc_43562C
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esi+8]
		jmp	loc_43562C
_SmpKeyedStoreEntryGet@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStateDurationDelta(x, x,	x)
_RtlStateDurationDelta@12 proc near	; CODE XREF: PopEtEnergyValuesDeltaCalculate(x,x,x,x)+90p
					; PopEtEnergyValuesDeltaCalculate(x,x,x,x)+BFp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	dword ptr [ecx], 0
		and	dword ptr [ecx+4], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, edx
		mov	edx, [ebx+4]
		mov	eax, edx
		and	eax, 7FFFFFFFh
		mov	esi, [edi+4]
		and	esi, 7FFFFFFFh
		cmp	eax, esi
		ja	short loc_435942

loc_43592F:				; CODE XREF: RtlStateDurationDelta(x,x,x)+49j
		mov	eax, [edi]
		mov	edx, [ebx]
		pop	edi
		pop	esi
		pop	ebx
		cmp	eax, edx
		ja	short loc_43593C
		mov	eax, edx

loc_43593C:				; CODE XREF: RtlStateDurationDelta(x,x,x)+34j
		mov	[ecx], eax
		pop	ebp
		retn	4
; 

loc_435942:				; CODE XREF: RtlStateDurationDelta(x,x,x)+29j
		sub	edx, esi
		and	edx, 7FFFFFFFh
		mov	[ecx+4], edx
		jmp	short loc_43592F
_RtlStateDurationDelta@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsAddProcessEnergyValues proc near	; CODE XREF: PspFoldProcessAccountingIntoJob(x,x,x)+1E4p
					; PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+81p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A9A6B SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [edx+40h]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	ebx, edx
		mov	[ebp+var_C], edi
		mov	esi, 3
		add	[edi+40h], eax
		lea	ecx, [edi+68h]
		mov	eax, [edx+44h]
		adc	[edi+44h], eax
		mov	eax, [edx+48h]
		add	[edi+48h], eax
		mov	eax, [edx+4Ch]
		adc	[edi+4Ch], eax
		mov	eax, [edx+50h]
		add	[edi+50h], eax
		mov	eax, [edx+54h]
		adc	[edi+54h], eax
		mov	eax, [edx+58h]
		add	[edi+58h], eax
		mov	eax, [edx+5Ch]
		adc	[edi+5Ch], eax
		mov	eax, [edx+60h]
		add	[edi+60h], eax
		mov	eax, [edx+64h]
		adc	[edi+64h], eax
		sub	ebx, edi
		jmp	short loc_4359B0
; 
		align 10h

loc_4359B0:				; CODE XREF: PsAddProcessEnergyValues+5Bj
					; PsAddProcessEnergyValues+6Ej
		lea	edx, [ebx+ecx]
		call	_RtlStateDurationAdd@8 ; RtlStateDurationAdd(x,x)
		add	ecx, 8
		sub	esi, 1
		jnz	short loc_4359B0
		lea	ecx, [edi+180h]
		mov	esi, 5
		jmp	short loc_4359D0
; 
		align 10h

loc_4359D0:				; CODE XREF: PsAddProcessEnergyValues+7Bj
					; PsAddProcessEnergyValues+8Ej
		lea	edx, [ecx+ebx]
		call	_RtlStateDurationAdd@8 ; RtlStateDurationAdd(x,x)
		add	ecx, 8
		sub	esi, 1
		jnz	short loc_4359D0
		mov	ecx, [ebp+var_8]
		mov	edx, [ecx+80h]
		cmp	edx, 0FFFFFFFFh
		jnb	loc_5A9A6B
		mov	esi, [edi+80h]
		mov	eax, edx
		not	eax
		cmp	eax, esi
		jb	loc_5A9A6B
		lea	eax, [esi+edx]

loc_435A07:				; CODE XREF: PsAddProcessEnergyValues+17411Ej
		mov	[edi+80h], eax
		mov	edx, [ecx+84h]
		cmp	edx, 0FFFFFFFFh
		jnb	loc_5A9A73
		mov	esi, [edi+84h]
		mov	eax, edx
		not	eax
		cmp	eax, esi
		jb	loc_5A9A73
		lea	eax, [edx+esi]

loc_435A31:				; CODE XREF: PsAddProcessEnergyValues+174126j
		mov	[edi+84h], eax
		mov	edx, [ecx+88h]
		cmp	edx, 0FFFFFFFFh
		jnb	loc_5A9A7B
		mov	esi, [edi+88h]
		mov	eax, edx
		not	eax
		cmp	eax, esi
		jb	loc_5A9A7B
		lea	eax, [esi+edx]

loc_435A5B:				; CODE XREF: PsAddProcessEnergyValues+17412Ej
		mov	[edi+88h], eax
		mov	edx, [ecx+1A8h]
		cmp	edx, 0FFFFFFFFh
		jnb	loc_5A9A83
		mov	esi, [edi+1A8h]
		mov	eax, edx
		not	eax
		cmp	eax, esi
		jb	loc_5A9A83
		lea	eax, [esi+edx]

loc_435A85:				; CODE XREF: PsAddProcessEnergyValues+174136j
		mov	[edi+1A8h], eax
		mov	edx, [ecx+1ACh]
		cmp	edx, 0FFFFFFFFh
		jnb	loc_5A9A8B
		mov	esi, [edi+1ACh]
		mov	eax, edx
		not	eax
		cmp	eax, esi
		jb	loc_5A9A8B
		lea	eax, [esi+edx]

loc_435AAF:				; CODE XREF: PsAddProcessEnergyValues+17413Ej
		mov	[edi+1ACh], eax
		lea	esi, [ecx+110h]
		lea	eax, [edi+114h]
		mov	edi, 0Eh

loc_435AC6:				; CODE XREF: PsAddProcessEnergyValues+19Aj
		mov	edx, [esi]
		mov	ecx, [eax-4]
		cmp	edx, ecx
		ja	loc_435B78
		sub	ecx, edx
		cmp	ecx, 20h
		jnb	short loc_435AE1
		mov	edx, [eax+ebx]
		shl	edx, cl
		or	[eax], edx

loc_435AE1:				; CODE XREF: PsAddProcessEnergyValues+188j
					; PsAddProcessEnergyValues+248j ...
		add	esi, 8
		add	eax, 8
		sub	edi, 1
		jnz	short loc_435AC6
		mov	edx, [ebp+var_8]
		lea	esi, [edi+4]
		mov	ecx, [ebp+var_C]
		add	edx, 8
		add	ecx, 90h
		mov	edi, edi

loc_435B00:				; CODE XREF: PsAddProcessEnergyValues+21Fj
		mov	eax, [edx-8]
		lea	edx, [edx+10h]
		add	[ecx-90h], eax
		mov	eax, [edx-14h]
		adc	[ecx-8Ch], eax
		mov	eax, [ecx+ebx]
		add	[ecx], eax
		mov	eax, [ecx+ebx+4]
		adc	[ecx+4], eax
		mov	eax, [edx+0B8h]
		add	[ecx+40h], eax
		mov	eax, [edx+0BCh]
		adc	[ecx+44h], eax
		mov	eax, [edx-10h]
		add	[ecx-88h], eax
		mov	eax, [edx-0Ch]
		adc	[ecx-84h], eax
		mov	eax, [edx+80h]
		add	[ecx+8], eax
		mov	eax, [edx+84h]
		adc	[ecx+0Ch], eax
		mov	eax, [edx+0C0h]
		add	[ecx+48h], eax
		mov	eax, [edx+0C4h]
		adc	[ecx+4Ch], eax
		lea	ecx, [ecx+10h]
		sub	esi, 1
		jnz	short loc_435B00
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_435B78:				; CODE XREF: PsAddProcessEnergyValues+17Dj
		mov	[ebp+var_4], edx
		sub	[ebp+var_4], ecx
		mov	ecx, [ebp+var_4]
		mov	[eax-4], edx
		cmp	ecx, 20h
		jb	short loc_435B9D
		mov	dword ptr [eax], 0
		xor	edx, edx
		mov	ecx, [eax+ebx]
		or	ecx, edx
		mov	[eax], ecx
		jmp	loc_435AE1
; 

loc_435B9D:				; CODE XREF: PsAddProcessEnergyValues+237j
		shl	dword ptr [eax], cl
		mov	ecx, [eax+ebx]
		mov	edx, [eax]
		or	ecx, edx
		mov	[eax], ecx
		jmp	loc_435AE1
PsAddProcessEnergyValues endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RtlStateDurationAdd(x, x)
_RtlStateDurationAdd@8 proc near	; CODE XREF: PsAddProcessEnergyValues+63p
					; PsAddProcessEnergyValues+83p
		mov	eax, [edx+4]
		push	esi
		mov	esi, [ecx+4]
		add	eax, esi
		xor	eax, esi
		and	eax, 7FFFFFFFh
		xor	eax, esi
		mov	[ecx+4], eax
		mov	eax, [ecx]
		mov	edx, [edx]
		pop	esi
		cmp	eax, edx
		ja	short loc_435BCE
		mov	eax, edx

loc_435BCE:				; CODE XREF: RtlStateDurationAdd(x,x)+1Cj
		mov	[ecx], eax
		retn
_RtlStateDurationAdd@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspJobIoRateQueryHistory proc near	; CODE XREF: PspQueryRateControlHistory+8Ep

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A9A93 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	edi
		xor	edi, edi
		cmp	[esi+354h], edi
		jnz	short loc_435C0F
		lea	ecx, [esi+360h]
		test	byte ptr [ecx+4], 1
		mov	eax, [ecx]
		jz	short loc_435BFE
		test	eax, eax
		jz	short loc_435C02
		xor	eax, ecx

loc_435BFE:				; CODE XREF: PspJobIoRateQueryHistory+24j
		test	eax, eax
		jnz	short loc_435C0F

loc_435C02:				; CODE XREF: PspJobIoRateQueryHistory+28j
		mov	edi, 0C0000225h

loc_435C07:				; CODE XREF: PspJobIoRateQueryHistory+70j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_435C0F:				; CODE XREF: PspJobIoRateQueryHistory+16j
					; PspJobIoRateQueryHistory+2Ej
		push	ebx
		lea	ebx, [esi+35Ch]
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	ecx, [esi+378h]
		mov	[ebp+var_1], al
		test	ecx, ecx
		jnz	loc_5A9A93
		mov	edi, 0C0000225h

loc_435C32:				; CODE XREF: PspJobIoRateQueryHistory+173EF3j
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx
		jmp	short loc_435C07
PspJobIoRateQueryHistory endp

; 
		align 10h
; Exported entry 2267. RtlNumberOfSetBits

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlNumberOfSetBits(x)
		public _RtlNumberOfSetBits@4
_RtlNumberOfSetBits@4 proc near		; CODE XREF: HvpGenerateLogEntryDirtyData(x,x,x,x,x,x)+56p
					; RtlNumberOfClearBits(x)+Ap ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax]
		mov	edx, 4
		mov	eax, [eax+4]
		mov	edi, ebx
		and	edi, 7
		shr	ebx, 3
		test	edi, edi
		mov	[ebp+var_C], edi
		setnz	cl
		xor	esi, esi
		add	ecx, ebx
		mov	[ebp+var_8], ecx
		mov	ecx, eax
		and	ecx, 3
		sub	edx, ecx
		cmp	edx, ebx
		jbe	short loc_435CF5
		mov	ecx, [ebp+var_8]
		xor	edi, edi
		mov	edx, ecx
		mov	[ebp+var_4], esi

loc_435C96:				; CODE XREF: RtlNumberOfSetBits(x)+BEj
		xor	ebx, ebx
		mov	[ebp+var_10], edi
		mov	[ebp+arg_0], ebx
		test	edx, edx
		jz	short loc_435CCF
		mov	edi, [ebp+var_C]
		lea	ebx, [ecx-1]

loc_435CA8:				; CODE XREF: RtlNumberOfSetBits(x)+77j
		mov	cl, [eax]
		inc	eax
		cmp	[ebp+arg_0], ebx
		jz	short loc_435CE9

loc_435CB0:				; CODE XREF: RtlNumberOfSetBits(x)+9Bj
					; RtlNumberOfSetBits(x)+A3j
		inc	[ebp+arg_0]
		movzx	ecx, cl
		not	ecx
		movzx	ecx, cl
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	esi, ecx
		sub	edx, 1
		jnz	short loc_435CA8
		mov	edi, [ebp+var_10]
		mov	ebx, [ebp+arg_0]

loc_435CCF:				; CODE XREF: RtlNumberOfSetBits(x)+50j
		test	edi, edi
		jnz	short loc_435D10

loc_435CD3:				; CODE XREF: RtlNumberOfSetBits(x)+113j
		mov	edi, [ebp+var_4]
		test	edi, edi
		jnz	loc_435D68

loc_435CDE:				; CODE XREF: RtlNumberOfSetBits(x)+142j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_435CE9:				; CODE XREF: RtlNumberOfSetBits(x)+5Ej
		test	edi, edi
		jz	short loc_435CB0
		and	cl, ds:byte_40BA58[edi]
		jmp	short loc_435CB0
; 

loc_435CF5:				; CODE XREF: RtlNumberOfSetBits(x)+3Aj
		sub	ebx, edx
		and	ebx, 3
		mov	[ebp+var_4], ebx
		test	edi, edi
		jnz	loc_435DAE

loc_435D05:				; CODE XREF: RtlNumberOfSetBits(x)+162j
		mov	ecx, [ebp+var_8]
		mov	edi, ecx
		sub	edi, ebx
		sub	edi, edx
		jmp	short loc_435C96
; 

loc_435D10:				; CODE XREF: RtlNumberOfSetBits(x)+81j
		dec	edi
		shr	edi, 2
		inc	edi
		lea	ebx, [ebx+edi*4]
		mov	[ebp+arg_0], ebx
		jmp	short loc_435D20
; 
		align 10h

loc_435D20:				; CODE XREF: RtlNumberOfSetBits(x)+CBj
					; RtlNumberOfSetBits(x)+111j
		mov	edx, [eax]
		add	eax, 4
		not	edx
		movzx	ecx, dl
		shr	edx, 8
		mov	bl, ds:_RtlpBitsClearTotal[ecx]
		movzx	ecx, dl
		shr	edx, 8
		mov	[ebp+var_10], edx
		shr	edx, 8
		add	bl, ds:_RtlpBitsClearTotal[ecx]
		mov	ecx, [ebp+var_10]
		movzx	ecx, cl
		mov	dl, ds:_RtlpBitsClearTotal[edx]
		add	dl, ds:_RtlpBitsClearTotal[ecx]
		add	dl, bl
		movzx	ecx, dl
		add	esi, ecx
		sub	edi, 1
		jnz	short loc_435D20
		jmp	loc_435CD3
; 

loc_435D68:				; CODE XREF: RtlNumberOfSetBits(x)+88j
		mov	edx, [ebp+var_8]
		mov	ebx, [ebp+arg_0]
		dec	edx
		mov	[ebp+var_10], edx

loc_435D72:				; CODE XREF: RtlNumberOfSetBits(x)+140j
		mov	cl, [eax]
		lea	eax, [eax+1]
		cmp	ebx, edx
		jz	short loc_435D97

loc_435D7B:				; CODE XREF: RtlNumberOfSetBits(x)+14Ej
					; RtlNumberOfSetBits(x)+15Cj
		movzx	ecx, cl
		inc	ebx
		not	ecx
		movzx	ecx, cl
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	esi, ecx
		sub	edi, 1
		jnz	short loc_435D72
		jmp	loc_435CDE
; 

loc_435D97:				; CODE XREF: RtlNumberOfSetBits(x)+129j
		cmp	[ebp+var_C], 0
		mov	edx, [ebp+var_10]
		jz	short loc_435D7B
		mov	edx, [ebp+var_C]
		and	cl, ds:byte_40BA58[edx]
		mov	edx, [ebp+var_10]
		jmp	short loc_435D7B
; 

loc_435DAE:				; CODE XREF: RtlNumberOfSetBits(x)+AFj
		inc	ebx
		mov	[ebp+var_4], ebx
		jmp	loc_435D05
_RtlNumberOfSetBits@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeQuerySchedulingGroupHistory proc near	; CODE XREF: PspQueryRateControlHistory+A4p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A9ACA SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_C], 0
		xor	eax, eax
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	ebx, ecx
		stosd
		mov	esi, edx
		lea	edx, [ebp+var_18]
		mov	[ebp+var_4], ebx
		mov	ecx, offset _KiSchedulingGroupLock
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		mov	edi, ds:_KeNumberProcessors
		test	edi, edi
		jz	short loc_435E16
		lea	edx, [ebx+0B0h]

loc_435DFE:				; CODE XREF: KeQuerySchedulingGroupHistory+5Cj
		mov	eax, [edx]
		lea	edx, [edx+100h]
		mov	ecx, [edx-0FCh]
		or	[esi], eax
		or	[esi+4], ecx
		sub	edi, 1
		jnz	short loc_435DFE

loc_435E16:				; CODE XREF: KeQuerySchedulingGroupHistory+3Ej
		mov	edi, [ebp+arg_0]
		mov	eax, ds:_PsDfssGenerationLengthMS
		mov	[edi], eax
		lea	eax, [ebp+var_C]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, [ebp+var_4]
		mov	ebx, eax
		push	[ebp+var_8]
		mov	eax, edx
		mov	esi, ebx
		push	[ebp+var_C]
		sub	esi, [ecx+18h]
		mov	[ebp+arg_0], eax
		sbb	eax, [ecx+1Ch]
		mov	ecx, 3E8h
		mul	ecx
		mov	edx, 3E8h
		mov	ecx, eax
		mov	eax, esi
		mul	edx
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		push	0
		push	dword ptr [edi]
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, [ebp+arg_4]
		pop	edi
		pop	esi
		mov	[ecx], eax
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+arg_0]
		mov	[ecx+18h], ebx
		mov	[ecx+1Ch], eax
		test	ds:byte_70EFC6,	1
		pop	ebx
		jnz	loc_5A9ACA
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_5A9AE2
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_5A9ADA

loc_435EAB:				; CODE XREF: KeQuerySchedulingGroupHistory+173D1Dj
					; KeQuerySchedulingGroupHistory+173D3Aj
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn	8
KeQuerySchedulingGroupHistory endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeQueryValuesThread proc near		; CODE XREF: PsQueryStatisticsProcess+164p
					; ExpGetProcessInformation+42Cp ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005A9AF7 SIZE 00000134 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_18], 0
		mov	[ebp+var_C], edi
		mov	esi, ecx
		mov	dword ptr [edi], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bh, al
		mov	[ebp+var_1C], 0
		lea	edi, [esi+2Ch]

loc_435EF1:				; CODE XREF: KeQueryValuesThread+362j
		lock bts dword ptr [edi], 0
		jb	loc_436214
		cmp	dword ptr [esi+150h], offset _KiInitialProcess
		mov	edi, [ebp+var_C]
		jz	loc_436135
		nop

loc_435F10:				; CODE XREF: KeQueryValuesThread+199j
					; KeQueryValuesThread+1D7j ...
		mov	bl, [esi+90h]
		xor	ecx, ecx
		movzx	eax, bl
		mov	[ebp+var_4], 0
		mov	[ebp+var_8], ecx
		cmp	eax, 5
		jnz	loc_4360B6
		mov	al, [esi+54h]
		and	al, 7
		cmp	al, 1
		jnz	loc_436043

loc_435F3B:				; CODE XREF: KeQueryValuesThread+189j
					; KeQueryValuesThread+1C9j ...
		mov	eax, [esi+138h]
		mov	[edi], eax
		mov	al, [esi+90h]
		mov	edx, [esi+170h]
		cmp	al, 1
		jz	loc_436231
		cmp	al, 7
		jz	loc_436227

loc_435F5F:				; CODE XREF: KeQueryValuesThread+36Bj
					; KeQueryValuesThread+37Ej
		mov	[edi+4], edx
		mov	eax, [esi+250h]
		mov	edx, [esi+258h]
		mov	[ebp+var_14], eax
		mov	eax, [esi+254h]
		mov	[ebp+var_18], eax
		mov	eax, [esi+25Ch]
		mov	[ebp+var_10], eax
		mov	al, [esi+90h]
		cmp	al, 5
		jnz	loc_43603B
		mov	al, [esi+54h]
		and	al, 7
		cmp	al, 1
		jnz	loc_43609C

loc_435F9E:				; CODE XREF: KeQueryValuesThread+1E2j
		mov	eax, ds:_KeTickCount
		sub	eax, [esi+138h]
		cmp	byte ptr [esi+93h], 0
		jz	short loc_436031
		add	edx, eax
		mov	eax, [ebp+var_10]
		adc	eax, 0

loc_435FBA:				; CODE XREF: KeQueryValuesThread+17Ej
		mov	ecx, [ebp+var_14]
		mov	[edi+10h], ecx
		mov	ecx, [ebp+var_18]
		mov	[edi+1Ch], eax
		mov	eax, [ebp+var_4]
		mov	[edi+14h], ecx
		mov	ecx, [ebp+var_8]
		mov	[edi+18h], edx
		test	eax, eax
		jnz	loc_436144

loc_435FDA:				; CODE XREF: KeQueryValuesThread+28Ej
		test	ecx, ecx
		jnz	loc_4361B7

loc_435FE2:				; CODE XREF: KeQueryValuesThread+2FCj
		mov	al, [esi+18Bh]
		movzx	eax, al
		mov	[ebp+var_18], eax
		mov	al, [esi+87h]
		mov	[edi+0Ah], al
		cmp	bl, 5
		jnz	short loc_436009
		mov	al, [esi+54h]
		and	al, 7
		cmp	al, 4
		jz	loc_4360AA

loc_436009:				; CODE XREF: KeQueryValuesThread+13Aj
					; KeQueryValuesThread+1F1j ...
		mov	al, [esi+15Bh]
		mov	cl, bh
		mov	[edi+0Bh], al
		mov	dword ptr [esi+2Ch], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_18]
		mov	[edi+8], bl
		mov	[edi+9], al
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_436031:				; CODE XREF: KeQueryValuesThread+F0j
		add	[ebp+var_14], eax
		mov	edi, [ebp+var_C]
		adc	[ebp+var_18], 0

loc_43603B:				; CODE XREF: KeQueryValuesThread+CBj
					; KeQueryValuesThread+1DEj ...
		mov	eax, [ebp+var_10]
		jmp	loc_435FBA
; 

loc_436043:				; CODE XREF: KeQueryValuesThread+75j
		cmp	al, 3
		jb	short loc_43604F
		cmp	al, 6
		jbe	loc_435F3B

loc_43604F:				; CODE XREF: KeQueryValuesThread+185j
		mov	bl, 2

loc_436051:				; CODE XREF: KeQueryValuesThread+202j
		mov	eax, [esi+148h]
		test	eax, eax
		js	loc_435F10
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	[ebp+var_4], eax
		mov	[ebp+var_2C], ecx
		lea	edi, [eax+2224h]
		mov	[ebp+var_18], edi

loc_436075:				; CODE XREF: KeQueryValuesThread+391j
		lock bts dword ptr [edi], 0
		jb	loc_436243
		mov	eax, [ebp+var_4]
		mov	edi, [ebp+var_C]
		cmp	esi, [eax+4]
		jz	loc_435F3B
		mov	eax, [ebp+var_18]
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	loc_435F10
; 

loc_43609C:				; CODE XREF: KeQueryValuesThread+D8j
		cmp	al, 3
		jb	short loc_43603B
		cmp	al, 6
		jbe	loc_435F9E
		jmp	short loc_43603B
; 

loc_4360AA:				; CODE XREF: KeQueryValuesThread+143j
		mov	[ebp+var_18], 5
		jmp	loc_436009
; 

loc_4360B6:				; CODE XREF: KeQueryValuesThread+68j
		sub	eax, 1
		jz	loc_436153
		sub	eax, 1
		jz	short loc_436051
		sub	eax, 1
		jnz	loc_435F3B
		mov	ecx, [esi+148h]
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		js	loc_435F10
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		mov	[ebp+var_4], eax
		mov	[ebp+var_20], 0
		lea	edi, [eax+2224h]
		mov	[ebp+var_14], edi
		jmp	short loc_436100
; 
		align 10h

loc_436100:				; CODE XREF: KeQueryValuesThread+238j
					; KeQueryValuesThread+3D1j
		lock bts dword ptr [edi], 0
		jb	loc_436283
		mov	eax, [ebp+var_4]
		mov	edi, [ebp+var_C]
		cmp	esi, [eax+8]
		jz	loc_435F3B
		mov	al, [esi+90h]
		cmp	al, 3
		jz	loc_5A9AF7

loc_436128:				; CODE XREF: KeQueryValuesThread+173C40j
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	loc_435F10
; 

loc_436135:				; CODE XREF: KeQueryValuesThread+49j
		mov	bl, [esi+90h]
		mov	byte ptr [edi+0Ah], 1
		jmp	loc_436009
; 

loc_436144:				; CODE XREF: KeQueryValuesThread+114j
		xor	edx, edx
		add	eax, 2224h
		lock and [eax],	edx
		jmp	loc_435FDA
; 

loc_436153:				; CODE XREF: KeQueryValuesThread+1F9j
		mov	ecx, [esi+148h]
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jns	short loc_4361C1
		mov	eax, ecx
		mov	[ebp+var_24], 0
		and	eax, 7FFFFFFFh
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	edi, [eax+4024h]
		mov	[ebp+var_8], edi
		mov	edi, edi

loc_436180:				; CODE XREF: KeQueryValuesThread+3A4j
		lock bts dword ptr [edi], 0
		jb	loc_436256
		mov	al, [esi+90h]
		mov	edi, [ebp+var_C]
		cmp	al, 1
		jnz	loc_436296
		mov	eax, [esi+148h]
		cmp	eax, [ebp+var_18]
		jnz	loc_436296
		mov	[ebp+var_4], 0
		jmp	loc_435F3B
; 

loc_4361B7:				; CODE XREF: KeQueryValuesThread+11Cj
		xor	eax, eax
		lock and [ecx],	eax
		jmp	loc_435FE2
; 

loc_4361C1:				; CODE XREF: KeQueryValuesThread+29Ej
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		mov	[ebp+var_4], eax
		mov	[ebp+var_28], 0
		lea	edi, [eax+2224h]
		mov	[ebp+var_14], edi
		jmp	short loc_4361E0
; 
		align 10h

loc_4361E0:				; CODE XREF: KeQueryValuesThread+31Bj
					; KeQueryValuesThread+3BEj
		lock bts dword ptr [edi], 0
		jb	loc_436270
		mov	al, [esi+90h]
		mov	edi, [ebp+var_C]
		cmp	al, 1
		jnz	short loc_436207
		mov	eax, [esi+148h]
		cmp	eax, [ebp+var_18]
		jz	loc_435F3B

loc_436207:				; CODE XREF: KeQueryValuesThread+336j
		mov	eax, [ebp+var_14]

loc_43620A:				; CODE XREF: KeQueryValuesThread+3D9j
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	loc_435F10
; 

loc_436214:				; CODE XREF: KeQueryValuesThread+36j
					; KeQueryValuesThread+360j
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_436214
		jmp	loc_435EF1
; 

loc_436227:				; CODE XREF: KeQueryValuesThread+99j
		test	byte ptr [esi+58h], 2
		jz	loc_435F5F

loc_436231:				; CODE XREF: KeQueryValuesThread+91j
		mov	eax, ds:_KeTickCount
		sub	eax, [esi+138h]
		add	edx, eax
		jmp	loc_435F5F
; 

loc_436243:				; CODE XREF: KeQueryValuesThread+1BAj
					; KeQueryValuesThread+38Fj
		lea	ecx, [ebp+var_2C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_436243
		jmp	loc_436075
; 

loc_436256:				; CODE XREF: KeQueryValuesThread+2C5j
					; KeQueryValuesThread+3A2j
		lea	ecx, [ebp+var_24]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_436256
		jmp	loc_436180
; 
		align 10h

loc_436270:				; CODE XREF: KeQueryValuesThread+325j
					; KeQueryValuesThread+3BCj
		lea	ecx, [ebp+var_28]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_436270
		jmp	loc_4361E0
; 

loc_436283:				; CODE XREF: KeQueryValuesThread+245j
					; KeQueryValuesThread+3CFj
		lea	ecx, [ebp+var_20]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_436283
		jmp	loc_436100
; 

loc_436296:				; CODE XREF: KeQueryValuesThread+2D6j
					; KeQueryValuesThread+2E5j
		mov	eax, [ebp+var_8]
		jmp	loc_43620A
KeQueryValuesThread endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1998. RtlCopyBitMap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlCopyBitMap
RtlCopyBitMap	proc near		; CODE XREF: HvpGrowDirtyVectors+B5p
					; HvpGrowDirtyVectors+D7p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		sub	esp, 14h
		mov	edx, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, [edx]
		push	esi
		mov	esi, [ecx]
		sub	esi, ebx
		cmp	eax, esi
		ja	short loc_4362CF
		mov	esi, eax

loc_4362CF:				; CODE XREF: RtlCopyBitMap+1Bj
		test	esi, esi
		jz	loc_43635C
		push	edi
		mov	edi, [ecx+4]
		mov	eax, ebx
		shr	eax, 5
		mov	[ebp+var_8], edi
		lea	eax, [edi+eax*4]
		mov	edi, [edx+4]
		mov	[ebp+arg_8], eax
		cmp	edi, eax
		ja	loc_436379
		mov	edx, [ebp+arg_8]
		lea	eax, [esi-1]
		shr	eax, 5
		lea	eax, [edi+eax*4]
		cmp	edx, eax
		jbe	short loc_436364

loc_436304:				; CODE XREF: RtlCopyBitMap+CBj
		mov	eax, ebx
		shr	eax, 3
		mov	[ebp+var_4], eax
		test	bl, 7
		jnz	loc_5A9B0D
		mov	ebx, esi
		and	esi, 7
		shr	ebx, 3
		test	ebx, ebx
		jz	short loc_436335
		add	eax, [ebp+var_8]
		push	ebx		; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memmove
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	ecx, [ebp+arg_4]

loc_436335:				; CODE XREF: RtlCopyBitMap+6Fj
		test	esi, esi
		jz	short loc_43635B
		mov	edi, [ecx+4]
		mov	dl, 1
		add	edi, eax
		mov	ecx, esi
		shl	dl, cl
		add	edi, ebx
		dec	dl
		mov	al, dl
		not	al
		and	[edi], al
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+4]
		mov	al, [ebx+eax]
		and	al, dl
		or	[edi], al

loc_43635B:				; CODE XREF: RtlCopyBitMap+87j
					; KeQueryValuesThread+173CE0j ...
		pop	edi

loc_43635C:				; CODE XREF: RtlCopyBitMap+21j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_436364:				; CODE XREF: RtlCopyBitMap+52j
		push	esi
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		push	ebx
		call	RtlpCopyBitMapTailToHead
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_436379:				; CODE XREF: RtlCopyBitMap+3Ej
		mov	edx, eax
		jmp	short loc_436304
RtlCopyBitMap	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCopyBitMapTailToHead proc near	; CODE XREF: RtlCopyBitMap+BBp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A9C2B SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	eax, edx
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		mov	ebx, ecx
		push	esi
		shr	ebx, 3
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], edx
		push	edi
		test	cl, 7
		jz	loc_43648C
		mov	ebx, [ebp+arg_4]
		mov	esi, ecx
		mov	eax, [eax+4]
		mov	edi, ebx
		shr	ebx, 5
		and	edi, 1Fh
		shr	ecx, 5
		and	esi, 1Fh
		add	ecx, ebx
		mov	[ebp+var_4], edi
		push	20h
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_10], eax
		mov	[ebp+arg_4], eax
		mov	[ebp+arg_0], eax
		mov	eax, [edx+4]
		xor	edx, edx
		inc	edx
		cmp	[ebp+var_4], 0
		lea	edi, [eax+ebx*4]
		pop	eax
		jz	short loc_436416
		mov	ecx, [edi]
		sub	eax, esi
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_C], eax
		cmp	ecx, eax
		ja	loc_5A9C56
		shl	edx, cl
		mov	ecx, esi
		dec	edx
		mov	eax, edx
		and	edx, [ebp+var_8]
		shl	eax, cl
		mov	ecx, [ebp+arg_4]
		not	eax
		and	eax, [ecx]
		mov	ecx, esi
		shl	edx, cl
		mov	ecx, [ebp+arg_4]

loc_43640C:				; CODE XREF: RtlpCopyBitMapTailToHead+173916j
		or	eax, edx
		xor	edx, edx
		push	20h
		mov	[ecx], eax
		inc	edx
		pop	eax

loc_436416:				; CODE XREF: RtlpCopyBitMapTailToHead+5Dj
		sub	edi, 4
		test	ebx, ebx
		jz	short loc_436485
		sub	eax, esi
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+arg_4]
		mov	eax, [eax]
		mov	[ebp+var_C], eax
		mov	eax, edx
		shl	eax, cl
		mov	ecx, esi
		dec	eax
		shl	edx, cl
		mov	[ebp+var_8], eax
		not	eax
		mov	[ebp+var_14], eax
		lea	ecx, [edx-1]
		mov	[ebp+var_4], ecx
		not	ecx
		mov	[ebp+var_10], ecx

loc_436449:				; CODE XREF: RtlpCopyBitMapTailToHead+105j
		mov	edx, [edi]
		mov	ecx, [ebp+arg_4]
		and	edx, eax
		mov	eax, [ebp+var_10]
		and	eax, [ebp+var_C]
		shr	edx, cl
		mov	ecx, esi
		or	eax, edx
		mov	edx, [ebp+arg_0]
		mov	[edx], eax
		sub	edx, 4
		mov	eax, [edi]
		lea	edi, [edi-4]
		and	eax, [ebp+var_8]
		shl	eax, cl
		mov	ecx, [edx]
		and	ecx, [ebp+var_4]
		or	ecx, eax
		mov	[ebp+arg_0], edx
		mov	eax, [ebp+var_14]
		mov	[ebp+var_C], ecx
		mov	[edx], ecx
		sub	ebx, 1
		jnz	short loc_436449

loc_436485:				; CODE XREF: RtlpCopyBitMapTailToHead+9Dj
					; RtlpCopyBitMapTailToHead+121j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_43648C:				; CODE XREF: RtlpCopyBitMapTailToHead+20j
		mov	ecx, [ebp+arg_4]
		mov	edi, ecx
		shr	edi, 3
		and	ecx, 7
		ja	loc_5A9C2B

loc_43649D:				; CODE XREF: RtlpCopyBitMapTailToHead+1738D3j
		test	edi, edi
		jz	short loc_436485
		mov	eax, [eax+4]
		push	edi		; size_t
		push	dword ptr [edx+4] ; void *
		add	eax, ebx
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch
		jmp	short loc_436485
RtlpCopyBitMapTailToHead endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2265. RtlNumberOfClearBits

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlNumberOfClearBits(x)
		public _RtlNumberOfClearBits@4
_RtlNumberOfClearBits@4	proc near	; CODE XREF: PopSaveHiberContext+341p
					; PopSaveHiberContext+B9D2p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	ecx, [esi]
		sub	ecx, eax
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	4
_RtlNumberOfClearBits@4	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2150. RtlImageDirectoryEntryToData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlImageDirectoryEntryToData(x, x, x, x)
		public _RtlImageDirectoryEntryToData@16
_RtlImageDirectoryEntryToData@16 proc near ; CODE XREF:	MmReplaceImportEntry(x,x)+4Ep
					; EtwpFindDebugId(x,x,x,x,x)+2Bp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	dl, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		push	esi
		push	eax
		push	[ebp+arg_C]
		xor	esi, esi
		push	[ebp+arg_8]
		mov	[ebp+var_4], esi
		call	RtlpImageDirectoryEntryToDataEx
		test	eax, eax
		js	short loc_436502
		mov	esi, [ebp+var_4]

loc_436502:				; CODE XREF: RtlImageDirectoryEntryToData(x,x,x,x)+23j
		mov	eax, esi
		pop	esi
		leave
		retn	10h
_RtlImageDirectoryEntryToData@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpImageDirectoryEntryToDataEx	proc near
					; CODE XREF: RtlImageDirectoryEntryToData(x,x,x,x)+1Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005A9C99 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	bl, dl
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], edi
		mov	[esi], edi
		test	cl, 3
		jz	short loc_43653A
		mov	eax, ecx
		and	ecx, 0FFFFFFFCh
		and	eax, 1
		mov	[ebp+var_4], ecx
		setnz	bl
		dec	bl
		and	bl, dl

loc_43653A:				; CODE XREF: RtlpImageDirectoryEntryToDataEx+1Cj
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		push	edi
		push	ecx
		push	1
		call	RtlImageNtHeaderEx
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_436573
		movzx	eax, word ptr [ecx+18h]
		mov	edx, 10Bh
		cmp	ax, dx
		jnz	loc_5A9C99
		push	esi
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_4]
		mov	dl, bl
		push	[ebp+arg_0]
		call	_RtlpImageDirectoryEntryToData32@24 ; RtlpImageDirectoryEntryToData32(x,x,x,x,x,x)

loc_436573:				; CODE XREF: RtlpImageDirectoryEntryToDataEx+43j
					; RtlpImageDirectoryEntryToDataEx+1737ABj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
RtlpImageDirectoryEntryToDataEx	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpImageDirectoryEntryToData32(x, x, x, x,	x, x)
_RtlpImageDirectoryEntryToData32@24 proc near
					; CODE XREF: RtlpImageDirectoryEntryToDataEx+64p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		mov	ecx, [ebp+arg_8]
		movzx	edx, [ebp+arg_0]
		cmp	edx, [ecx+74h]
		jnb	short loc_4365CD
		mov	esi, [ecx+edx*8+78h]
		test	esi, esi
		jz	short loc_4365EC
		mov	ebx, ds:_MmHighestUserAddress
		cmp	edi, ebx
		jb	short loc_4365C6

loc_4365A6:				; CODE XREF: RtlpImageDirectoryEntryToData32(x,x,x,x,x,x)+51j
		cmp	[ebp+var_1], 0
		mov	eax, [ebp+arg_4]
		mov	edx, [ecx+edx*8+7Ch]
		mov	[eax], edx
		jz	short loc_4365D4

loc_4365B5:				; CODE XREF: RtlpImageDirectoryEntryToData32(x,x,x,x,x,x)+5Dj
		mov	eax, [ebp+arg_C]
		lea	ecx, [esi+edi]
		mov	[eax], ecx

loc_4365BD:				; CODE XREF: RtlpImageDirectoryEntryToData32(x,x,x,x,x,x)+6Ej
		xor	eax, eax

loc_4365BF:				; CODE XREF: RtlpImageDirectoryEntryToData32(x,x,x,x,x,x)+58j
					; RtlpImageDirectoryEntryToData32(x,x,x,x,x,x)+77j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_4365C6:				; CODE XREF: RtlpImageDirectoryEntryToData32(x,x,x,x,x,x)+2Aj
		lea	eax, [esi+edi]
		cmp	eax, ebx
		jb	short loc_4365A6

loc_4365CD:				; CODE XREF: RtlpImageDirectoryEntryToData32(x,x,x,x,x,x)+18j
					; RtlpImageDirectoryEntryToData32(x,x,x,x,x,x)+70j
		mov	eax, 0C000000Dh
		jmp	short loc_4365BF
; 

loc_4365D4:				; CODE XREF: RtlpImageDirectoryEntryToData32(x,x,x,x,x,x)+39j
		cmp	esi, [ecx+54h]
		jb	short loc_4365B5
		push	esi
		mov	edx, edi
		call	_RtlAddressInSectionTable@12 ; RtlAddressInSectionTable(x,x,x)
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		test	eax, eax
		jnz	short loc_4365BD
		jmp	short loc_4365CD
; 

loc_4365EC:				; CODE XREF: RtlpImageDirectoryEntryToData32(x,x,x,x,x,x)+20j
		mov	eax, 0C0000002h
		jmp	short loc_4365BF
_RtlpImageDirectoryEntryToData32@24 endp

; 
		align 4
; [00000005 BYTES: COLLAPSED FUNCTION SeQueryTokenIntegrity(x,x). PRESS	KEYPAD "+" TO EXPAND]
		align 4
		db 2 dup(0CCh)
; Exported entry  70. ExRundownCompleted

;  S U B	R O U T	I N E 


; __fastcall ExRundownCompleted(x)
		public @ExRundownCompleted@4
@ExRundownCompleted@4 proc near		; CODE XREF: CmpTryToRundownHive+D5p
					; BgkNotifyDisplayOwnershipChange+7Ap ...
		xor	eax, eax
		inc	eax
		xchg	eax, [ecx]
		retn
@ExRundownCompleted@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSetProcess	proc near		; CODE XREF: PspRundownSingleProcess(x,x)+20Bp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A9CC4 SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_14], ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, large fs:20h
		mov	ecx, ebx
		mov	byte ptr [ebp+var_18], al
		mov	[ebp+var_C], edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	eax, [ebx+4]
		mov	edx, 0FFFFFF7Fh
		mov	dword ptr [ebx+4], 1
		add	ebx, 8
		mov	[ebp+var_1C], eax
		mov	eax, [ebx]
		cmp	eax, ebx
		jz	short loc_436674
		push	esi

loc_436649:				; CODE XREF: KeSetProcess+6Dj
		mov	esi, eax
		mov	eax, [eax]
		mov	[ebp+var_10], eax
		mov	al, [esi+8]
		cmp	al, 1
		jnz	short loc_436696
		movzx	eax, word ptr [esi+0Ah]
		push	0
		push	eax

loc_43665E:				; CODE XREF: KeSetProcess+1736C7j
		mov	edx, esi
		mov	ecx, edi
		call	KiTryUnwaitThread
		mov	edx, 0FFFFFF7Fh

loc_43666C:				; CODE XREF: KeSetProcess+154j
		mov	eax, [ebp+var_10]
		cmp	eax, ebx
		jnz	short loc_436649
		pop	esi

loc_436674:				; CODE XREF: KeSetProcess+42j
		mov	ecx, [ebp+var_14]
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		lock and [ecx],	edx
		push	[ebp+var_18]
		xor	edx, edx
		mov	ecx, edi
		push	0
		push	1
		call	KiExitDispatcher
		mov	eax, [ebp+var_1C]
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_436696:				; CODE XREF: KeSetProcess+51j
		cmp	al, 2
		jnz	loc_5A9CC4
		mov	byte ptr [esi+9], 5
		mov	edi, [esi+0Ch]
		and	dword ptr [esi], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_8], eax
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		jz	short loc_4366DE
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_4366DE:				; CODE XREF: KeSetProcess+C3j
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	ecx, [edi+8]
		cmp	[ecx], ecx
		jz	short loc_43670A
		mov	eax, [edi+18h]
		cmp	eax, [edi+1Ch]
		jnb	short loc_43670A
		mov	edx, [ebp+var_4]
		mov	eax, [edx+0A4h]
		cmp	eax, edi
		jnz	short loc_43673E
		cmp	byte ptr [edx+18Bh], 0Fh
		jnz	short loc_43673E

loc_43670A:				; CODE XREF: KeSetProcess+E6j
					; KeSetProcess+EEj ...
		mov	eax, [edi+4]
		mov	[ebp+var_4], eax
		inc	eax
		mov	[edi+4], eax
		lea	eax, [edi+10h]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_43675D
		cmp	[ebp+var_4], 0
		mov	[esi], eax
		mov	[esi+4], edx
		mov	[edx], esi
		mov	[eax+4], esi
		jnz	short loc_43674D
		cmp	[ecx], ecx
		jz	short loc_43674D
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		jmp	short loc_43674D
; 

loc_43673E:				; CODE XREF: KeSetProcess+FBj
					; KeSetProcess+104j
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		push	esi
		call	KiWakeQueueWaiter
		test	al, al
		jz	short loc_436762

loc_43674D:				; CODE XREF: KeSetProcess+128j
					; KeSetProcess+12Cj ...
		mov	edx, 0FFFFFF7Fh
		lock and [edi],	edx
		mov	edi, [ebp+var_C]
		jmp	loc_43666C
; 

loc_43675D:				; CODE XREF: KeSetProcess+118j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_436762:				; CODE XREF: KeSetProcess+147j
		lea	ecx, [edi+8]
		jmp	short loc_43670A
KeSetProcess	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1893. PsReturnProcessPagedPoolQuota

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReturnProcessPagedPoolQuota(x, x)
		public _PsReturnProcessPagedPoolQuota@8
_PsReturnProcessPagedPoolQuota@8 proc near ; CODE XREF:	LpcExitProcess(x)+1Dp
					; ExpFreeHandleTable+45p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		cmp	edx, ds:_PsInitialSystemProcess
		jz	short loc_43678C
		push	[ebp+arg_4]
		mov	ecx, [edx+188h]
		push	1
		call	PspReturnQuota

loc_43678C:				; CODE XREF: PsReturnProcessPagedPoolQuota(x,x)+Ej
		pop	ebp
		retn	8
_PsReturnProcessPagedPoolQuota@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1850. PsIsProtectedProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsProtectedProcess(x)
		public _PsIsProtectedProcess@4
_PsIsProtectedProcess@4	proc near	; CODE XREF: EtwpBuildProcessEvent+64p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1821p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	cl, cl
		mov	al, [eax+3A6h]
		and	al, 7
		cmp	cl, al
		sbb	eax, eax
		neg	eax
		pop	ebp
		retn	4
_PsIsProtectedProcess@4	endp

; 
		align 8
; Exported entry 1808. PsGetProcessSectionBaseAddress

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessSectionBaseAddress(x)
		public _PsGetProcessSectionBaseAddress@4
_PsGetProcessSectionBaseAddress@4 proc near ; CODE XREF: PopEtGetProcessImageInfo+1Fp
					; EtwpQueryProcessOtherInfo+16p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+160h]
		pop	ebp
		retn	4
_PsGetProcessSectionBaseAddress@4 endp

; 
		align 10h
; Exported entry 1005. IoSetThreadHardErrorMode

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetThreadHardErrorMode(x)
		public _IoSetThreadHardErrorMode@4
_IoSetThreadHardErrorMode@4 proc near	; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+3Bp
					; FsRtlGetVirtualDiskNestingLevel+60p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		add	eax, 2FCh
		cmp	[ebp+arg_0], 0
		jnz	short loc_4367F7
		lock bts dword ptr [eax], 4

loc_4367EB:				; CODE XREF: IoSetThreadHardErrorMode(x)+2Cj
		setb	al
		test	al, al
		setz	al
		pop	ebp
		retn	4
; 

loc_4367F7:				; CODE XREF: IoSetThreadHardErrorMode(x)+14j
		lock btr dword ptr [eax], 4
		jmp	short loc_4367EB
_IoSetThreadHardErrorMode@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1851. PsIsProtectedProcessLight

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsProtectedProcessLight(x)
		public _PsIsProtectedProcessLight@4
_PsIsProtectedProcessLight@4 proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1829p
					; PspUpdateCreateInfo+C1p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	cl, [eax+3A6h]
		xor	eax, eax
		and	cl, 7
		cmp	cl, 1
		setz	al
		pop	ebp
		retn	4
_PsIsProtectedProcessLight@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateNewProcessTopLevelMappings proc	near ; CODE XREF: MmCreateProcessAddressSpace+14Fp
					; MmCreateProcessAddressSpace+1BAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005A9CD0 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, edx
		stosd
		lea	edx, [ebp+var_C]
		mov	ebx, ecx
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, esi
		mov	ecx, ebx
		call	_MiCopyTopLevelMappings@8 ; MiCopyTopLevelMappings(x,x)
		test	ds:byte_70EFC6,	1
		jnz	loc_5A9CD0
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_436888
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5A9CE0

loc_43687A:				; CODE XREF: MiCreateNewProcessTopLevelMappings+76j
					; MiCreateNewProcessTopLevelMappings+1734B9j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_436888:				; CODE XREF: MiCreateNewProcessTopLevelMappings+3Fj
					; MiCreateNewProcessTopLevelMappings+1734C6j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_43687A
MiCreateNewProcessTopLevelMappings endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCopyTopLevelMappings(x, x)
_MiCopyTopLevelMappings@8 proc near	; CODE XREF: MiUpdateSystemPdes+65p
					; MiUpdateSystemPdes+9Dp ...

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ecx
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		test	edx, edx
		jz	loc_4369C1
		mov	ebx, dword_6D2E88
		mov	ecx, 200h
		mov	eax, dword_6D2E8C
		mov	edi, 0C0603000h
		shr	ebx, 12h
		shr	eax, 12h
		and	ebx, 3FF8h
		and	eax, 3FF8h
		mov	[ebp+var_14], ecx
		sub	ebx, 3FA00000h
		mov	[ebp+var_10], 0
		sub	eax, 3F9FFFF8h
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], eax
		mov	eax, ecx
		mov	[ebp+var_4], 27Ch
		mov	[ebp+var_18], edi

loc_436905:				; CODE XREF: MiCopyTopLevelMappings(x,x)+19Dj
		lea	esi, dword_6D3D94[eax]
		xor	ecx, ecx
		mov	eax, [ebp+var_1C]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_436930
		mov	eax, [eax+180h]
		test	eax, eax
		jz	short loc_436930
		mov	ecx, [ebp+var_4]
		lea	ecx, [eax+ecx*8]
		lea	esp, [esp+0]

loc_436930:				; CODE XREF: MiCopyTopLevelMappings(x,x)+7Aj
					; MiCopyTopLevelMappings(x,x)+84j ...
		test	ebx, ebx
		jz	short loc_436941
		cmp	edi, 0C0603018h
		jbe	short loc_4369B4

loc_43693C:				; CODE XREF: MiCopyTopLevelMappings(x,x)+11Cj
		cmp	edi, [ebp+var_8]
		jb	short loc_4369AE

loc_436941:				; CODE XREF: MiCopyTopLevelMappings(x,x)+92j
					; MiCopyTopLevelMappings(x,x)+110j
		mov	al, [esi]
		cmp	al, 1
		jz	short loc_43699E
		cmp	al, 0Bh
		jz	short loc_43699E
		mov	eax, [edi]
		nop
		mov	ebx, [edi+4]

loc_436951:				; CODE XREF: MiCopyTopLevelMappings(x,x)+10Cj
					; MiCopyTopLevelMappings(x,x)+1A6j
		mov	[edx+4], ebx
		mov	ebx, [ebp+var_C]
		mov	[edx], eax

loc_436959:				; CODE XREF: MiCopyTopLevelMappings(x,x)+112j
					; MiCopyTopLevelMappings(x,x)+11Aj
		inc	esi
		add	edi, 8
		add	edx, 8
		test	ecx, ecx
		jz	short loc_436967
		add	ecx, 8

loc_436967:				; CODE XREF: MiCopyTopLevelMappings(x,x)+C2j
		test	edx, 0FFFh
		jnz	short loc_436930
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_436984
		push	80000000h
		mov	dl, 21h
		mov	ecx, eax
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)

loc_436984:				; CODE XREF: MiCopyTopLevelMappings(x,x)+D4j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_436997
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_1C]
		push	eax
		call	MiShadowTopLevelPxes

loc_436997:				; CODE XREF: MiCopyTopLevelMappings(x,x)+E9j
					; MiCopyTopLevelMappings(x,x)+12Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_43699E:				; CODE XREF: MiCopyTopLevelMappings(x,x)+A5j
					; MiCopyTopLevelMappings(x,x)+A9j
		test	ecx, ecx
		jz	loc_436A42
		mov	eax, [ecx]
		nop
		mov	ebx, [ecx+4]
		jmp	short loc_436951
; 

loc_4369AE:				; CODE XREF: MiCopyTopLevelMappings(x,x)+9Fj
		cmp	edi, ebx
		jb	short loc_436941
		jmp	short loc_436959
; 

loc_4369B4:				; CODE XREF: MiCopyTopLevelMappings(x,x)+9Aj
		cmp	edi, 0C0602FF8h
		ja	short loc_436959
		jmp	loc_43693C
; 

loc_4369C1:				; CODE XREF: MiCopyTopLevelMappings(x,x)+12j
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_436997
		mov	eax, [eax+194h]
		xor	ebx, ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	ecx, [eax+10h]
		nop
		mov	edi, dword_6D07D0
		mov	esi, edi
		mov	eax, [eax+14h]
		shr	esi, 15h
		mov	edx, esi
		shr	edi, 12h
		and	edx, 1FFh
		and	edi, 3FF8h
		shrd	ecx, eax, 0Ch
		mov	[ebp+var_18], edx
		sub	edi, 3FA00000h
		push	80000000h
		and	ecx, 1FFFFFFh
		xor	edx, edx
		call	MiMapPageInHyperSpaceWorker
		mov	ecx, eax
		mov	eax, [ebp+var_18]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_18], 0C0600000h
		lea	edx, [ecx+eax*8]
		xor	ecx, ecx
		mov	[ebp+var_14], ecx
		lea	ecx, [esi-384h]
		mov	[ebp+var_4], ecx
		jmp	loc_436905
; 

loc_436A42:				; CODE XREF: MiCopyTopLevelMappings(x,x)+100j
		xor	eax, eax
		xor	ebx, ebx
		jmp	loc_436951
_MiCopyTopLevelMappings@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiShadowTopLevelPxes proc near		; CODE XREF: MiCopyTopLevelMappings(x,x)+F2p
					; MiReplicatePteChangeToProcess(x,x,x)+178p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A9CED SIZE 00000112 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	[esp+1Ch+var_C], edx
		push	ebx
		push	esi
		push	edi
		cmp	edx, 0C0603000h
		jb	loc_436AF2
		test	ds:_MiFlags, 0C00000h
		jz	short loc_436AF2
		mov	ecx, [ecx+304h]
		test	ecx, ecx
		jz	short loc_436AF2
		mov	eax, ds:_PsInitialSystemProcess
		test	eax, eax
		jz	short loc_436AF2
		mov	esi, [ebp+arg_0]
		lea	edi, [edx+3FA00000h]
		mov	eax, [eax+304h]
		sar	edi, 3
		mov	[esp+28h+var_10], eax
		test	esi, esi
		jz	short loc_436AF2
		sub	[esp+28h+var_10], ecx
		lea	eax, [ecx-3000h]
		lea	eax, [eax+edi*8]
		lea	ebx, [edi-400h]
		mov	[esp+28h+var_1C], eax
		mov	edi, edi

loc_436AC0:				; CODE XREF: MiShadowTopLevelPxes+A0j
		mov	eax, ebx
		mov	ecx, edi
		shr	eax, 5
		and	ecx, 1Fh
		mov	eax, dword_6D2BD4[eax*4]
		sar	eax, cl
		test	al, 1
		mov	eax, [esp+28h+var_1C]
		jnz	loc_5A9CED

loc_436ADF:				; CODE XREF: MiShadowTopLevelPxes+173397j
					; MiShadowTopLevelPxes+1733AAj
		add	[esp+28h+var_C], 8
		add	eax, 8
		inc	edi
		mov	[esp+28h+var_1C], eax
		inc	ebx
		sub	esi, 1
		jnz	short loc_436AC0

loc_436AF2:				; CODE XREF: MiShadowTopLevelPxes+18j
					; MiShadowTopLevelPxes+28j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
MiShadowTopLevelPxes endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSyncSystemPdes proc near		; CODE XREF: MmCreateProcessAddressSpace+1DFp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005A9DFF SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	ebx, ecx
		stosd
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	esi, [ebx+0FCh]
		test	dword ptr [esi], (offset loc_7FFFFF+1)
		jnz	short loc_436B83

loc_436B2C:				; CODE XREF: MiSyncSystemPdes+96j
		mov	eax, 800h
		lock or	[esi], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5A9DFF
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_436B71
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_436B69

loc_436B5B:				; CODE XREF: MiSyncSystemPdes+85j
					; MiSyncSystemPdes+17330Ej
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_436B69:				; CODE XREF: MiSyncSystemPdes+5Dj
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_436B71:				; CODE XREF: MiSyncSystemPdes+4Aj
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_436B5B
; 

loc_436B83:				; CODE XREF: MiSyncSystemPdes+2Ej
		mov	eax, 0FF7FFFFFh
		lock and [esi],	eax
		mov	ecx, ebx
		call	MiUpdateSystemPdes
		jmp	short loc_436B2C
MiSyncSystemPdes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInsertNewProcess proc	near		; CODE XREF: MmCreateProcessAddressSpace+141p
					; MmInitializeHandBuiltProcess+126p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005A9E0F SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, edx
		stosd
		lea	edx, [ebp+var_C]
		mov	ebx, ecx
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, dword_6D060C
		lea	eax, [ebx+340h]
		mov	edx, offset dword_6D0608
		cmp	[ecx], edx
		jnz	short loc_436C42
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6D060C, eax
		test	esi, esi
		jz	short loc_436BF7
		lea	ecx, [esi+10h]
		mov	edx, [ecx+4]
		lea	eax, [ebx+120h]
		cmp	[edx], ecx
		jnz	short loc_436C42
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax

loc_436BF7:				; CODE XREF: MiInsertNewProcess+47j
		test	ds:byte_70EFC6,	1
		pop	edi
		pop	esi
		pop	ebx
		jnz	loc_5A9E0F
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_436C30
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5A9E1F

loc_436C25:				; CODE XREF: MiInsertNewProcess+ACj
					; MiInsertNewProcess+173286j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn
; 

loc_436C30:				; CODE XREF: MiInsertNewProcess+78j
					; MiInsertNewProcess+173293j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_436C25
; 

loc_436C42:				; CODE XREF: MiInsertNewProcess+37j
					; MiInsertNewProcess+57j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
MiInsertNewProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPaeAllocate	proc near		; CODE XREF: MmCreateProcessAddressSpace+D5p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A9E2C SIZE 00000064 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, dword_6D0620
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_C], ecx
		stosd
		xor	ebx, ebx
		mov	[ebp+var_8], esi
		stosd
		stosd

loc_436C69:				; CODE XREF: MiPaeAllocate+B4j
		mov	ecx, offset dword_6D0658
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	short loc_436CA1
		mov	ebx, eax

loc_436C79:				; CODE XREF: MiPaeAllocate+175j
		test	ebx, ebx
		jz	loc_5A9E89
		shl	esi, 5
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	ecx, [ebp+var_C]
		xor	eax, eax
		add	esp, 0Ch
		inc	eax
		mov	[ecx+194h], ebx

loc_436C9C:				; CODE XREF: MiPaeAllocate+173243j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_436CA1:				; CODE XREF: MiPaeAllocate+2Dj
		lea	edx, [ebp+var_18]
		mov	ecx, offset dword_6D0654
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edi, dword_6D062C
		mov	eax, edi
		test	edi, edi
		jnz	short loc_436D07
		test	ds:byte_70EFC6,	1
		jnz	loc_5A9E2C
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_5A9E44
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_5A9E3C

loc_436CE9:				; CODE XREF: MiPaeAllocate+1731EFj
					; MiPaeAllocate+173208j
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		call	MiPaeAllocatePage
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jz	loc_436C69
		jmp	loc_5A9E89
; 

loc_436D07:				; CODE XREF: MiPaeAllocate+70j
		mov	ecx, 80h
		cmp	edi, ecx
		ja	loc_5A9E55

loc_436D14:				; CODE XREF: MiPaeAllocate+17320Fj
		and	[ebp+var_4], ebx
		sub	eax, edi
		xor	esi, esi
		mov	dword_6D062C, eax
		xor	ecx, ecx
		xor	edx, edx
		test	edi, edi
		jz	short loc_436D69

loc_436D28:				; CODE XREF: MiPaeAllocate+11Fj
		mov	esi, dword_6D0630
		cmp	dword ptr [esi+4], offset dword_6D0630
		mov	eax, [esi]
		jnz	loc_436DCF
		cmp	[eax+4], esi
		jnz	loc_436DCF
		mov	dword_6D0630, eax
		mov	dword ptr [eax+4], offset dword_6D0630
		test	ecx, ecx
		jz	short loc_436DC2
		mov	[ecx], esi

loc_436D58:				; CODE XREF: MiPaeAllocate+185j
		mov	ecx, esi

loc_436D5A:				; CODE XREF: MiPaeAllocate+180j
		mov	eax, esi
		and	eax, 0FFFFF000h
		inc	dword ptr [eax+0Ch]
		inc	edx
		cmp	edx, edi
		jb	short loc_436D28

loc_436D69:				; CODE XREF: MiPaeAllocate+DEj
		test	ds:byte_70EFC6,	1
		jnz	loc_5A9E5C
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_5A9E74
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_5A9E6C

loc_436D98:				; CODE XREF: MiPaeAllocate+17321Fj
					; MiPaeAllocate+17323Cj
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_4]
		test	edx, edx
		jz	short loc_436DBA
		and	dword ptr [esi], 0
		lea	eax, [edi-1]
		push	eax
		push	esi
		mov	ecx, offset dword_6D0658
		call	@InterlockedPushListSList@16 ; InterlockedPushListSList(x,x,x,x)

loc_436DBA:				; CODE XREF: MiPaeAllocate+15Ej
		mov	esi, [ebp+var_8]
		jmp	loc_436C79
; 

loc_436DC2:				; CODE XREF: MiPaeAllocate+10Cj
		test	ebx, ebx
		jnz	short loc_436DCA
		mov	ebx, esi
		jmp	short loc_436D5A
; 

loc_436DCA:				; CODE XREF: MiPaeAllocate+17Cj
		mov	[ebp+var_4], esi
		jmp	short loc_436D58
; 

loc_436DCF:				; CODE XREF: MiPaeAllocate+EFj
					; MiPaeAllocate+F8j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
MiPaeAllocate	endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsChargeProcessQuota(x, x, x)
_PsChargeProcessQuota@12 proc near	; CODE XREF: MmCreateProcessAddressSpace+9Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, ecx
		cmp	edx, ds:_PsInitialSystemProcess
		jz	short loc_436DF7
		push	[ebp+arg_0]
		mov	ecx, [edx+188h]
		push	3
		call	@PspChargeQuota@16 ; PspChargeQuota(x,x,x,x)

loc_436DF3:				; CODE XREF: PsChargeProcessQuota(x,x,x)+25j
		pop	ebp
		retn	4
; 

loc_436DF7:				; CODE XREF: PsChargeProcessQuota(x,x,x)+Dj
		xor	eax, eax
		jmp	short loc_436DF3
_PsChargeProcessQuota@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PsGetDefaultWsMaximum()
_PsGetDefaultWsMaximum@0 proc near	; CODE XREF: MmCreateProcessAddressSpace+77p
		mov	eax, ds:_PspMaximumWorkingSet
		retn
_PsGetDefaultWsMaximum@0 endp

; 
		align 8
; Exported entry 2306. RtlRandomEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlRandomEx(x)
		public _RtlRandomEx@4
_RtlRandomEx@4	proc near		; CODE XREF: MmCreateProcessAddressSpace+55p
					; PopPublishAndPurgePowerRequestStats(x,x,x)+C0p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		mov	ecx, [ebp+arg_0]
		and	eax, 7FFFFFFFh
		mov	[ecx], eax
		pop	ebp
		retn	4
_RtlRandomEx@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMakePartitionActive proc near		; CODE XREF: MmCreateProcessAddressSpace+2Fp
					; MiEnablePartitionMappedWrites+8Ep ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005A9E90 SIZE 00000106 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, offset dword_6D2FF0
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	byte ptr [esi+4], 20h
		jnz	loc_5A9EBA
		xor	edi, edi
		inc	edi
		test	ds:byte_70EFC6,	1
		jnz	loc_5A9E90
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5A9EA8
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5A9EA0

loc_436E81:				; CODE XREF: MiMakePartitionActive+173077j
					; MiMakePartitionActive+173091j ...
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_436E8A:				; CODE XREF: MiMakePartitionActive+173160j
					; MiMakePartitionActive+17316Dj
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
MiMakePartitionActive endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1240. KeQueryUnbiasedInterruptTime

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeQueryUnbiasedInterruptTime
KeQueryUnbiasedInterruptTime proc near	; CODE XREF: CmpFlushHive:loc_7545B6p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1AD4p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A7DDA SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], 0
		mov	eax, 0FFDF03B0h
		mov	[ebp+var_C], 0
		mov	edi, edi

loc_436EC0:				; CODE XREF: KeQueryUnbiasedInterruptTime+5Bj
		mov	ebx, eax

loc_436EC2:				; CODE XREF: KeQueryUnbiasedInterruptTime+61j
		mov	edi, [eax]
		mov	esi, [eax+4]
		mov	eax, 0FFDF000Ch
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], 0
		mov	edx, [eax]
		mov	eax, 0FFDF0008h
		mov	ecx, [eax]
		mov	eax, 0FFDF0010h
		cmp	edx, [eax]
		jnz	loc_5A7DDA

loc_436EEF:				; CODE XREF: KeQueryUnbiasedInterruptTime+170F5Fj
		mov	eax, [ebx]
		cmp	edi, eax
		mov	ebx, [ebx+4]
		mov	eax, 0FFDF03B0h
		jnz	short loc_436EC0
		cmp	esi, ebx
		mov	ebx, eax
		jnz	short loc_436EC2
		sub	ecx, edi
		pop	edi
		sbb	edx, esi
		mov	eax, ecx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
KeQueryUnbiasedInterruptTime endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspUnlockProcessExclusive proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A98p
					; PspProcessClose+7Ap ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A9F96 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	[ebp+var_28], edx
		add	ecx, 0E0h
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_43708C

loc_436F4E:				; CODE XREF: PspUnlockProcessExclusive+184j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_437054
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_436F8B
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_437065

loc_436F8B:				; CODE XREF: PspUnlockProcessExclusive+6Cj
		cmp	ecx, [ebp+var_20]
		jb	short loc_436F9D
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_437065

loc_436F9D:				; CODE XREF: PspUnlockProcessExclusive+7Ej
					; PspUnlockProcessExclusive+168j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_43707D
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_437099

loc_436FDE:				; CODE XREF: PspUnlockProcessExclusive+191j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5A9FA9
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_43702A:				; CODE XREF: PspUnlockProcessExclusive+175j
					; PspUnlockProcessExclusive+1730ABj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	short loc_4370A6

loc_43703D:				; CODE XREF: PspUnlockProcessExclusive+1CFj
					; PspUnlockProcessExclusive+1730CCj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_437054
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_4370EA

loc_437054:				; CODE XREF: PspUnlockProcessExclusive+49j
					; PspUnlockProcessExclusive+136j ...
		mov	ecx, [ebp+var_28]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_437065:				; CODE XREF: PspUnlockProcessExclusive+75j
					; PspUnlockProcessExclusive+87j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax
		jmp	loc_436F9D
; 

loc_43707D:				; CODE XREF: PspUnlockProcessExclusive+B6j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_43702A
		jmp	loc_5A9F96
; 

loc_43708C:				; CODE XREF: PspUnlockProcessExclusive+38j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_436F4E
; 

loc_437099:				; CODE XREF: PspUnlockProcessExclusive+C8j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_436FDE
; 

loc_4370A6:				; CODE XREF: PspUnlockProcessExclusive+12Bj
		test	edi, 8000h
		jz	short loc_4370B7
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4370B7:				; CODE XREF: PspUnlockProcessExclusive+19Cj
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5A9FC0

loc_4370C1:				; CODE XREF: PspUnlockProcessExclusive+1730BAj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4370D5
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4370D5:				; CODE XREF: PspUnlockProcessExclusive+1B8j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_43703D
		jmp	loc_5A9FCF
; 

loc_4370EA:				; CODE XREF: PspUnlockProcessExclusive+13Ej
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_437054
PspUnlockProcessExclusive endp


;  S U B	R O U T	I N E 


; __stdcall PspLockProcessExclusive(x, x)
_PspLockProcessExclusive@8 proc	near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A78p
					; PspProcessClose+51p ...
		dec	word ptr [edx+13Ch]
		nop
		add	ecx, 0E0h
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_PspLockProcessExclusive@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmSetMemoryPriorityProcess proc	near	; CODE XREF: PspComputeQuantumAndPriority(x,x,x,x,x)+2Dp
					; PAGE:007A7260p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005A9FE1 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	bl, dl
		stosd
		lea	edx, [ebp+var_C]
		mov	esi, ecx
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	[esi+2A2h], bl
		test	ds:byte_70EFC6,	1
		pop	edi
		pop	esi
		pop	ebx
		jnz	loc_5A9FE1
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_437171
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_437169

loc_43715E:				; CODE XREF: MmSetMemoryPriorityProcess+77j
					; MmSetMemoryPriorityProcess+172EE2j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn
; 

loc_437169:				; CODE XREF: MmSetMemoryPriorityProcess+52j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_437171:				; CODE XREF: MmSetMemoryPriorityProcess+3Fj
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_43715E
MmSetMemoryPriorityProcess endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetIdealNodeProcessByGroup(x, x, x)
_KiSetIdealNodeProcessByGroup@12 proc near ; CODE XREF:	KeSetAffinityProcess+ACp
					; KiExtendProcessAffinity(x,x)+1Cp ...

var_C		= dword	ptr -0Ch
var_8		= word ptr -8
arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_C]
		stosd
		mov	ebx, ecx
		mov	esi, edx
		stosd
		stosd
		mov	ax, [ebp+arg_0]
		movzx	edi, ax
		mov	[ebp+var_8], ax
		mov	eax, [ebx+edi*4+48h]
		mov	dword ptr [ebp+arg_0], eax
		mov	[ebp+var_C], eax
		test	esi, esi
		jz	short loc_4371E7

loc_4371B4:				; CODE XREF: KiSetIdealNodeProcessByGroup(x,x,x)+6Dj
		mov	ax, [esi+8Ah]
		lea	edx, [ebp+var_C]
		mov	[ebx+edi*2+70h], ax
		mov	ecx, esi
		mov	eax, [esi+84h]
		and	eax, dword ptr [ebp+arg_0]
		mov	[ebp+var_C], eax
		call	_KiSelectIdealProcessorForProcess@8 ; KiSelectIdealProcessorForProcess(x,x)
		mov	[ebx+edi*2+6Eh], ax
		mov	[ebx+edi*2+6Ch], ax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4371E7:				; CODE XREF: KiSetIdealNodeProcessByGroup(x,x,x)+2Ej
		lea	ecx, [ebp+var_C]
		call	KeSelectNodeForAffinity
		mov	esi, eax
		jmp	short loc_4371B4
_KiSetIdealNodeProcessByGroup@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSelectIdealProcessorForProcess(x,	x)
_KiSelectIdealProcessorForProcess@8 proc near
					; CODE XREF: KiSetIdealNodeProcessByGroup(x,x,x)+4Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [edx]
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+84h]
		mov	edi, [esi+10Ch]
		and	eax, ebx
		mov	edx, edi
		test	edx, edx
		jz	short loc_437250
		movzx	ecx, word ptr [esi+5Ah]
		or	eax, 0FFFFFFFFh
		and	ecx, 1Fh
		shl	eax, cl
		and	edx, eax

loc_437223:				; CODE XREF: KiSelectIdealProcessorForProcess(x,x)+4Ej
		btr	edx, ecx
		test	edx, edx
		jnz	short loc_43722C
		mov	edx, edi

loc_43722C:				; CODE XREF: KiSelectIdealProcessorForProcess(x,x)+34j
		and	[ebp+var_4], 0
		bsf	ecx, edx
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		mov	eax, [eax+4034h]
		and	eax, ebx
		jz	short loc_437223
		bsf	eax, eax
		mov	[esi+5Ah], ax

loc_43724B:				; CODE XREF: KiSelectIdealProcessorForProcess(x,x)+5Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_437250:				; CODE XREF: KiSelectIdealProcessorForProcess(x,x)+1Fj
		bsf	eax, eax
		jmp	short loc_43724B
_KiSelectIdealProcessorForProcess@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspWriteProcessSecurityDomain proc near	; CODE XREF: PspInitializeProcessSecurity+125p
					; PspDisablePrimaryTokenExchange(x)+7Fp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A9FF1 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_C], eax
		add	eax, 4A0h
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax]
		mov	edi, [eax+4]
		mov	edx, edi
		mov	[ebp+var_4], eax
		mov	eax, esi
		mov	[ebp+var_8], edi

loc_43727D:				; CODE XREF: PspWriteProcessSecurityDomain+76j
		nop
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+arg_0]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_8]
		cmp	eax, esi
		jnz	short loc_4372C7
		cmp	edx, edi
		jnz	short loc_4372C7
		mov	eax, [ebp+var_C]
		add	eax, 4A8h
		mov	[ebp+var_4], eax
		mov	esi, [eax]
		mov	edi, [eax+4]
		mov	eax, esi
		mov	[ebp+var_C], edi
		mov	edx, edi
		nop
		mov	ebx, [ebp+arg_0]
		mov	edi, [ebp+var_4]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_C]
		cmp	eax, esi
		jnz	short loc_4372CE
		cmp	edx, edi
		jnz	short loc_4372CE

loc_4372C0:				; CODE XREF: PspWriteProcessSecurityDomain+172DB1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4372C7:				; CODE XREF: PspWriteProcessSecurityDomain+37j
					; PspWriteProcessSecurityDomain+3Bj
		mov	esi, eax
		mov	[ebp+var_8], edx
		jmp	short loc_43727D
; 

loc_4372CE:				; CODE XREF: PspWriteProcessSecurityDomain+64j
					; PspWriteProcessSecurityDomain+68j
		mov	edi, [ebp+var_4]
		jmp	loc_5A9FF1
PspWriteProcessSecurityDomain endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLocateLowestConflictingVad proc near	; CODE XREF: MiUpdateVadBits+1Cp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AA00C SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	edi, edx
		call	_MiCheckForConflictingVad@12 ; MiCheckForConflictingVad(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_5AA00C

loc_4372F1:				; CODE XREF: MiLocateLowestConflictingVad+172D7Ej
		pop	edi
		pop	esi
		pop	ebp
		retn	4
MiLocateLowestConflictingVad endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMakeHyperRangeAccessible proc	near	; CODE XREF: MiExpandVadBitMap(x,x)+71p
					; MiExpandVadBitMapDown+B38C6p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AA059 SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		mov	eax, [eax+80h]
		mov	ecx, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], eax
		mov	[ebp+var_18], edi
		mov	[ecx], edi
		lea	ecx, [eax+240h]
		mov	[ebp+var_14], edi
		mov	[ebp+var_30], edi
		call	MiLockWorkingSetShared
		mov	dl, al
		shr	esi, 9
		mov	eax, [ebp+var_8]
		mov	ebx, offset loc_7FFFF8
		shr	eax, 9
		and	esi, ebx
		add	esi, 0C0000000h
		mov	byte ptr [ebp+var_C], dl
		and	eax, ebx
		mov	[ebp+var_24], esi
		sub	eax, 40000000h
		mov	ecx, edi
		mov	[ebp+var_8], eax

loc_43735C:				; CODE XREF: MiMakeHyperRangeAccessible+1D5j
		mov	[ebp+var_10], ecx
		mov	ebx, edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_28], ebx
		cmp	esi, eax
		ja	short loc_4373B0

loc_43736B:				; CODE XREF: MiMakeHyperRangeAccessible+ADj
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_1C], esi
		push	ecx
		push	edi
		push	[ebp+var_C]
		mov	edx, eax
		mov	ecx, esi
		push	edi
		call	MiGetNextPageTable
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_437419
		mov	ebx, [ebp+var_8]

loc_43738D:				; CODE XREF: MiMakeHyperRangeAccessible+172D74j
		lea	eax, [ebp+var_30]
		mov	edx, ebx
		push	eax
		push	[ebp+var_C]
		mov	ecx, esi
		call	MiFillHyperPtes
		lea	esi, [ebx+8]

loc_4373A0:				; CODE XREF: MiMakeHyperRangeAccessible+189j
		mov	eax, [ebp+var_8]
		cmp	esi, eax
		jbe	short loc_43736B
		mov	ebx, [ebp+var_28]
		mov	ecx, [ebp+var_10]
		mov	dl, byte ptr [ebp+var_C]

loc_4373B0:				; CODE XREF: MiMakeHyperRangeAccessible+71j
		mov	esi, [ebp+var_2C]
		test	ecx, ecx
		jnz	short loc_4373BF
		test	esi, esi
		jnz	loc_437486

loc_4373BF:				; CODE XREF: MiMakeHyperRangeAccessible+BDj
		test	ebx, ebx
		jz	short loc_4373E2
		mov	ecx, [ebp+var_4]
		mov	al, [ecx+2A0h]
		and	al, 7
		cmp	al, 2
		jz	loc_5AA083
		add	ecx, 2DCh

loc_4373DC:				; CODE XREF: MiMakeHyperRangeAccessible+172D90j
		mov	eax, ebx
		lock xadd [ecx], eax

loc_4373E2:				; CODE XREF: MiMakeHyperRangeAccessible+C9j
		mov	ecx, [ebp+var_4]
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx]
		cmp	esi, eax
		jnz	loc_5AA08D

loc_4373FD:				; CODE XREF: MiMakeHyperRangeAccessible+172D9Bj
		mov	eax, [ebp+var_14]
		cmp	ebx, eax
		jnz	loc_5AA098

loc_437408:				; CODE XREF: MiMakeHyperRangeAccessible+172DA4j
		test	edi, edi
		jnz	loc_5AA0A1

loc_437410:				; CODE XREF: MiMakeHyperRangeAccessible+172DB3j
		xor	eax, eax

loc_437412:				; CODE XREF: MiMakeHyperRangeAccessible+1AEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_437419:				; CODE XREF: MiMakeHyperRangeAccessible+8Cj
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_20], eax
		cmp	ebx, esi
		jnz	loc_5AA059
		mov	edx, [ebp+var_8]
		mov	ebx, esi
		and	ebx, 0FFFFF000h
		add	ebx, 0FF8h
		cmp	ebx, edx
		jbe	short loc_43744A
		mov	ebx, edx

loc_43744A:				; CODE XREF: MiMakeHyperRangeAccessible+14Ej
		cmp	esi, ebx
		ja	short loc_437471
		mov	edi, [ebp+var_1C]

loc_437451:				; CODE XREF: MiMakeHyperRangeAccessible+172j
		mov	ecx, [esi]
		nop
		or	ecx, [esi+4]
		jz	loc_5AA071

loc_43745D:				; CODE XREF: MiMakeHyperRangeAccessible+172D86j
		add	esi, 8
		test	esi, 0FFFh
		jz	short loc_43746C
		cmp	esi, ebx
		jbe	short loc_437451

loc_43746C:				; CODE XREF: MiMakeHyperRangeAccessible+16Ej
		mov	eax, [ebp+var_20]
		xor	edi, edi

loc_437471:				; CODE XREF: MiMakeHyperRangeAccessible+154j
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	loc_4373A0
; 

loc_437486:				; CODE XREF: MiMakeHyperRangeAccessible+C1j
		mov	ecx, [ebp+var_4]
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetShared
		lea	edx, [esi+ebx]
		mov	[ebp+var_14], ebx
		mov	ebx, [ebp+var_4]
		mov	ecx, ebx
		call	MiChargeFullProcessCommitment
		test	eax, eax
		js	loc_437412
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebx+240h]
		mov	[eax], esi
		xor	esi, esi
		inc	esi
		mov	[ebp+var_30], esi
		call	MiLockWorkingSetShared
		mov	eax, [ebp+var_8]
		mov	ecx, esi
		mov	dl, byte ptr [ebp+var_C]
		mov	esi, [ebp+var_24]
		jmp	loc_43735C
MiMakeHyperRangeAccessible endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiComputePageCommitment(x, x, x, x,	x, x)
_MiComputePageCommitment@24 proc near	; CODE XREF: .text:00451055p
					; .text:00452C04p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		shr	edx, 9
		mov	[ebp+var_4], eax
		and	edx, offset loc_7FFFF8
		mov	eax, large fs:124h
		sub	edx, 40000000h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], 0
		mov	eax, [eax+80h]
		mov	[ebp+var_28], eax
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		mov	[ebp+var_24], edx
		lea	ecx, [eax+240h]
		sub	esi, 40000000h
		mov	eax, [eax+24Ch]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_0]
		push	edi
		mov	[ebp+var_34], ecx
		cmp	dword ptr [eax+20h], 0
		jge	short loc_437556
		mov	eax, 2
		mov	[ebp+var_4], eax
		mov	eax, edx
		sub	eax, esi
		sar	eax, 3
		inc	eax
		jmp	short loc_437558
; 

loc_437556:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+62j
		xor	eax, eax

loc_437558:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+74j
		mov	edi, [ebp+arg_C]
		mov	[ebp+arg_0], eax
		test	edi, edi
		jz	short loc_437568
		mov	dword ptr [edi], 0

loc_437568:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+80j
		cmp	esi, edx
		ja	loc_437796
		mov	eax, [ebp+arg_8]

loc_437573:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+2ADj
		lea	ecx, [ebp+var_C]
		push	ecx
		push	eax
		push	[ebp+arg_4]
		mov	ecx, esi
		push	0
		call	MiGetNextPageTable
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	loc_437793
		mov	ebx, eax
		mov	edx, 1
		mov	eax, [ebp+var_C]
		mov	[ebp+var_8], edx
		test	eax, eax
		jz	short loc_4375BA

loc_4375A0:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+D5j
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		shl	edx, 9
		sub	ebx, 40000000h
		sub	eax, 1
		jnz	short loc_4375A0
		mov	[ebp+var_8], edx

loc_4375BA:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+BEj
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_30], eax
		lea	eax, ds:0[edx*8]
		mov	[ebp+var_2C], eax
		jmp	short loc_4375E0
; 
		align 10h

loc_4375E0:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+F6j
					; MiComputePageCommitment(x,x,x,x,x,x)+28Dj
		mov	edi, [ebx]
		mov	[ebp+var_18], 0
		mov	[ebp+var_14], 0
		nop
		mov	esi, [ebx+4]
		mov	eax, edi
		or	eax, esi
		jz	loc_437753
		nop
		mov	eax, edi
		and	eax, 3E0h
		cmp	eax, 200h
		jnz	short loc_437639
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jnz	short loc_437639
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		jz	short loc_437631
		push	esi
		push	edi
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		mov	edx, [ebp+var_8]
		test	eax, eax
		jz	short loc_437639

loc_437631:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+141j
		mov	eax, [ebp+var_4]
		or	eax, 1
		jmp	short loc_43763F
; 

loc_437639:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+12Bj
					; MiComputePageCommitment(x,x,x,x,x,x)+135j ...
		mov	eax, [ebp+var_4]
		and	eax, 0FFFFFFFEh

loc_43763F:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+157j
		mov	ecx, eax
		mov	[ebp+var_4], eax
		and	ecx, 1
		test	al, 2
		jz	short loc_437654
		test	ecx, ecx
		jz	short loc_43765B
		sub	[ebp+arg_0], edx
		jmp	short loc_43765B
; 

loc_437654:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+169j
		test	ecx, ecx
		jnz	short loc_43765B
		add	[ebp+arg_0], edx

loc_43765B:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+16Dj
					; MiComputePageCommitment(x,x,x,x,x,x)+172j ...
		cmp	[ebp+arg_C], 0
		jz	loc_437753
		mov	edx, [ebp+var_1C]
		mov	eax, [edx+88h]
		or	eax, [edx+8Ch]
		jz	loc_437753
		test	ecx, ecx
		jnz	loc_437753
		mov	eax, edi
		and	eax, 1
		or	eax, ecx
		jz	short loc_4376D5
		nop
		mov	eax, ds:_MmPfnDatabase
		shrd	edi, esi, 0Ch
		and	edi, 1FFFFFFh
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		lea	ecx, [eax+ecx*4]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_437753
		test	dword ptr [ecx+18h], 800000h
		jnz	short loc_4376CA
		mov	eax, [ecx+4]
		test	eax, eax
		js	short loc_4376CA
		jnz	loc_437753

loc_4376CA:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+1DBj
					; MiComputePageCommitment(x,x,x,x,x,x)+1E2j
		mov	esi, [ecx+4]
		or	esi, 80000000h
		jmp	short loc_437723
; 

loc_4376D5:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+1A9j
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		jz	short loc_437753
		push	esi
		push	edi
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jnz	short loc_437753
		push	esi
		push	edi
		call	_MI_PROTO_FORMAT_COMBINED@8 ; MI_PROTO_FORMAT_COMBINED(x,x)
		test	al, al
		jnz	short loc_437753
		mov	eax, dword_6D0704
		mov	edx, esi
		mov	ecx, dword_6D0700
		mov	[ebp+var_14], eax
		mov	eax, ecx
		or	eax, [ebp+var_14]
		jz	short loc_437723
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_437721
		mov	esi, [ebp+var_14]
		not	esi
		and	esi, edx
		jmp	short loc_437723
; 

loc_437721:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+236j
		mov	esi, edx

loc_437723:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+1F3j
					; MiComputePageCommitment(x,x,x,x,x,x)+22Cj ...
		mov	ecx, [ebp+var_28]
		mov	edx, esi
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_437753
		mov	edx, [ebp+var_1C]
		mov	eax, [edx+8Ch]
		cmp	eax, [ecx+2Ch]
		jb	short loc_437753
		ja	short loc_43774E
		mov	eax, [edx+88h]
		cmp	eax, [ecx+28h]
		jbe	short loc_437753

loc_43774E:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+261j
		mov	edi, [ebp+arg_C]
		inc	dword ptr [edi]

loc_437753:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+118j
					; MiComputePageCommitment(x,x,x,x,x,x)+17Fj ...
		mov	esi, [ebp+var_20]
		add	ebx, 8
		add	esi, [ebp+var_2C]
		mov	[ebp+var_20], esi
		test	ebx, 0FFFh
		jz	short loc_437773
		mov	edx, [ebp+var_8]
		cmp	esi, [ebp+var_24]
		jbe	loc_4375E0

loc_437773:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+285j
		mov	eax, [ebp+arg_8]
		test	al, 4
		jnz	short loc_437788
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_34]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	eax, [ebp+arg_8]

loc_437788:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+298j
		mov	edx, [ebp+var_24]
		cmp	esi, edx
		jbe	loc_437573

loc_437793:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+A9j
		mov	eax, [ebp+arg_0]

loc_437796:				; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+8Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_MiComputePageCommitment@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetNextPageTable proc	near		; CODE XREF: MiMakeHyperRangeAccessible+83p
					; MiComputePageCommitment(x,x,x,x,x,x)+9Fp ...

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4A		= byte ptr -4Ah
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005AA0B0 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	[ebp+var_5C], eax
		mov	edi, edx
		xor	eax, eax
		mov	esi, ecx
		push	4Ch		; size_t
		push	eax		; int
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_50]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		shl	esi, 9
		shl	edi, 9
		mov	eax, 861h
		test	[ebp+arg_8], 1
		mov	word ptr [ebp+var_50], ax
		jnz	loc_4378B0

loc_4377F2:				; CODE XREF: MiGetNextPageTable+119j
		test	[ebp+arg_8], 2
		jnz	loc_4378BE

loc_4377FC:				; CODE XREF: MiGetNextPageTable+12Aj
		mov	edx, 0C0000000h
		mov	ecx, esi
		cmp	esi, edx
		jnb	loc_43789F

loc_43780B:				; CODE XREF: MiGetNextPageTable+105j
					; MiGetNextPageTable+17291Bj
		cmp	ecx, dword_6D07D0
		jnb	short loc_437884

loc_437813:				; CODE XREF: MiGetNextPageTable+F2j
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	ax, word ptr [ebp+var_50]
		add	ecx, 240h

loc_437829:				; CODE XREF: MiGetNextPageTable+FDj
		test	[ebp+arg_8], 4
		jnz	short loc_437837
		or	ax, 4
		mov	word ptr [ebp+var_50], ax

loc_437837:				; CODE XREF: MiGetNextPageTable+8Dj
		lea	eax, [ebp+var_58]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_8], eax
		lea	ecx, [ebp+var_50]
		mov	al, byte ptr [ebp+var_50+2]
		and	al, 0E7h
		mov	[ebp+var_44], ebx
		or	al, 4
		mov	[ebp+var_C], offset _MiGetNextPageTableTail@4 ;	MiGetNextPageTableTail(x)
		mov	byte ptr [ebp+var_50+2], al
		mov	al, [ebp+arg_4]
		mov	[ebp+var_4A], al
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], edi
		call	MiWalkPageTables
		mov	ecx, [ebp+var_5C]
		mov	eax, [ebp+var_58]
		pop	edi
		pop	esi
		mov	[ecx], eax
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_54]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_437884:				; CODE XREF: MiGetNextPageTable+71j
		cmp	ecx, dword_6D2E88
		jb	short loc_437898
		cmp	ecx, dword_6D2E8C
		jbe	loc_437813

loc_437898:				; CODE XREF: MiGetNextPageTable+EAj
		mov	ecx, offset unk_6D3740
		jmp	short loc_437829
; 

loc_43789F:				; CODE XREF: MiGetNextPageTable+65j
					; MiGetNextPageTable+172915j
		cmp	ecx, 0C07FFFFFh
		ja	loc_43780B
		jmp	loc_5AA0B0
; 

loc_4378B0:				; CODE XREF: MiGetNextPageTable+4Cj
		mov	eax, 8E1h
		mov	word ptr [ebp+var_50], ax
		jmp	loc_4377F2
; 

loc_4378BE:				; CODE XREF: MiGetNextPageTable+56j
		mov	ecx, 200h
		or	ax, cx
		mov	word ptr [ebp+var_50], ax
		jmp	loc_4377FC
MiGetNextPageTable endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFillHyperPtes	proc near		; CODE XREF: MiMakeHyperRangeAccessible+A0p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AA0C0 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	2
		xor	esi, esi
		mov	edi, offset loc_7FFFF8
		pop	ebx
		mov	eax, esi
		mov	[ebp+var_8], ebx

loc_4378EA:				; CODE XREF: MiFillHyperPtes+3Bj
		mov	[ebp+eax*8+var_24], ecx
		mov	[ebp+eax*8+var_20], edx
		shr	ecx, 9
		shr	edx, 9
		and	ecx, edi
		and	edx, edi
		sub	ecx, 40000000h
		sub	edx, 40000000h
		inc	eax
		cmp	eax, ebx
		jb	short loc_4378EA
		mov	eax, [ebp+arg_4]
		lea	ecx, [ebp+var_18]
		push	2
		mov	[ebp+var_4], ecx
		pop	edx

loc_437919:				; CODE XREF: MiFillHyperPtes+6Dj
		mov	edi, [ecx-4]
		mov	ebx, [ecx]
		mov	[ebp+var_C], edi
		cmp	[eax], esi
		jnz	short loc_437946
		sub	ebx, edi
		sar	ebx, 3
		inc	ebx
		add	[eax+4], ebx
		add	[eax+8], ebx

loc_437931:				; CODE XREF: MiFillHyperPtes+EAj
		sub	ecx, 8
		sub	edx, 1
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], edx
		jnz	short loc_437919
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_437946:				; CODE XREF: MiFillHyperPtes+53j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		add	eax, 240h
		mov	[ebp+var_14], eax
		cmp	edi, ebx
		ja	short loc_4379B7

loc_43795E:				; CODE XREF: MiFillHyperPtes+DFj
		mov	eax, edi
		xor	edx, edx
		shr	eax, 9
		mov	ecx, edi
		push	esi
		push	[ebp+arg_0]
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		push	esi
		mov	[ebp+var_10], eax
		call	MiMakeSystemAddressValid
		mov	esi, [ebp+arg_4]

loc_437981:				; CODE XREF: MiFillHyperPtes+1727F6j
		mov	ecx, [edi]
		nop
		or	ecx, [edi+4]
		jnz	short loc_437994
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		push	esi
		call	_MiMakeHyperPteDemandZero@12 ; MiMakeHyperPteDemandZero(x,x,x)

loc_437994:				; CODE XREF: MiFillHyperPtes+B7j
		add	edi, 8
		cmp	edi, ebx
		jbe	loc_5AA0C0

loc_43799F:				; CODE XREF: MiFillHyperPtes+1727FCj
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_14]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		push	0
		pop	esi
		cmp	edi, ebx
		jbe	short loc_43795E
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]

loc_4379B7:				; CODE XREF: MiFillHyperPtes+8Cj
		mov	eax, [ebp+arg_4]
		jmp	loc_437931
MiFillHyperPtes	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeHyperPteDemandZero(x,	x, x)
_MiMakeHyperPteDemandZero@12 proc near	; CODE XREF: MiFillHyperPtes+BFp
					; MiMakeHyperRangeAccessible+172D81p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [ebx+3FA00000h]
		cmp	eax, 3FFFh
		jbe	short loc_4379FC
		cmp	ebx, edx
		jnz	short loc_437A1E

loc_4379DD:				; CODE XREF: MiMakeHyperPteDemandZero(x,x,x)+63j
		mov	edx, ebx
		push	edi
		and	edx, 0FFFFFFC0h
		xor	edi, edi

loc_4379E5:				; CODE XREF: MiMakeHyperPteDemandZero(x,x,x)+34j
		mov	ecx, [edx]
		nop
		or	ecx, [edx+4]
		jnz	short loc_4379F6
		add	edx, 8
		inc	edi
		cmp	edi, 8
		jb	short loc_4379E5

loc_4379F6:				; CODE XREF: MiMakeHyperPteDemandZero(x,x,x)+2Bj
		cmp	edi, 8
		pop	edi
		jnz	short loc_4379FF

loc_4379FC:				; CODE XREF: MiMakeHyperPteDemandZero(x,x,x)+17j
		inc	dword ptr [esi+8]

loc_4379FF:				; CODE XREF: MiMakeHyperPteDemandZero(x,x,x)+3Aj
					; MiMakeHyperPteDemandZero(x,x,x)+61j
		cmp	dword ptr [esi], 0
		jz	short loc_437A15
		push	0
		push	80h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebx], eax
		mov	[ebx+4], edx

loc_437A15:				; CODE XREF: MiMakeHyperPteDemandZero(x,x,x)+42j
		inc	dword ptr [esi+4]
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_437A1E:				; CODE XREF: MiMakeHyperPteDemandZero(x,x,x)+1Bj
		test	bl, 3Fh
		jnz	short loc_4379FF
		jmp	short loc_4379DD
_MiMakeHyperPteDemandZero@12 endp

; 
		align 2
; Exported entry 1785. PsGetHostSilo

;  S U B	R O U T	I N E 


; int __cdecl MiIsSoftwareEnclave(struct _exception *)
		public _MiIsSoftwareEnclave@4
_MiIsSoftwareEnclave@4 proc near	; CODE XREF: RtlGetMultiTimePrecise+4Fp
					; SymCryptSaveXmm(x)j ...
		xor	eax, eax
		retn
_MiIsSoftwareEnclave@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiInitializeProcessPageTableCommitmentBitMaps(x)
_MiInitializeProcessPageTableCommitmentBitMaps@4 proc near
					; CODE XREF: MmInitializeProcessAddressSpace+FEp
		mov	ecx, [ecx+24Ch]
		lea	eax, [ecx+0C8h]
		mov	dword ptr [ecx+188h], 600h
		mov	[ecx+18Ch], eax
		retn
_MiInitializeProcessPageTableCommitmentBitMaps@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeWorkingSetList(x, x, x,	x)
_MiInitializeWorkingSetList@16 proc near ; CODE	XREF: MmInitializeProcessAddressSpace+E3p
					; MiInitializeSystemWorkingSetList+8Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_0]
		push	edi
		mov	al, [esi+60h]
		xor	al, cl
		mov	[esi+0Ch], edx
		and	al, 7
		xor	al, [esi+60h]
		mov	[esi+60h], al
		test	ecx, ecx
		jnz	loc_437AEE
		push	4
		pop	eax
		mov	ecx, esi
		mov	[ebp+arg_4], eax
		mov	[esi-0F4h], eax
		mov	ebx, 0C0603018h
		call	MiLockWorkingSetShared
		xor	edi, edi
		mov	byte ptr [ebp+arg_0+3],	al
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	MiLockPageTableInternal

loc_437A95:				; CODE XREF: MiInitializeWorkingSetList(x,x,x,x)+86j
		mov	ecx, [ebx]
		nop
		push	ds:dword_40F9FC
		mov	eax, [ebx+4]
		mov	edx, ebx
		push	ds:_ZeroPte
		shrd	ecx, eax, 0Ch
		push	edi
		and	ecx, 1FFFFFFh
		imul	eax, ecx, 1Ch
		mov	ecx, esi
		push	edi
		push	edi
		add	eax, ds:_MmPfnDatabase
		push	eax
		call	_MiAllocateWsle@32 ; MiAllocateWsle(x,x,x,x,x,x,x,x)
		sub	ebx, 8
		sub	[ebp+arg_4], 1
		jnz	short loc_437A95
		mov	edx, 0C0603018h
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+arg_0+3]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared

loc_437AE6:				; CODE XREF: MiInitializeWorkingSetList(x,x,x,x)+C7j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_437AEE:				; CODE XREF: MiInitializeWorkingSetList(x,x,x,x)+20j
		xor	edi, edi
		mov	[esi+40h], edi
		mov	[esi+44h], edi
		mov	[esi+48h], edi
		mov	[esi+4Ch], edi
		cmp	ecx, 1
		jnz	short loc_437B11
		or	al, 80h
		mov	[esi+60h], al
		mov	eax, [esi+3Ch]
		add	eax, 6

loc_437B0C:				; CODE XREF: MiInitializeWorkingSetList(x,x,x,x)+CCj
		mov	[esi+50h], eax
		jmp	short loc_437AE6
; 

loc_437B11:				; CODE XREF: MiInitializeWorkingSetList(x,x,x,x)+B7j
		mov	eax, [ebp+arg_4]
		jmp	short loc_437B0C
_MiInitializeWorkingSetList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllowWorkingSetExpansion proc	near	; CODE XREF: MmInitializeProcessAddressSpace+1BBp
					; MmInitializeProcessAddressSpace+2FDp	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005AA0D1 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 1
		jz	short loc_437B97

loc_437B40:				; CODE XREF: MiAllowWorkingSetExpansion+8Cj
		xor	edx, edx
		mov	ecx, esi
		call	MiReturnWsToExpansionList
		test	ds:byte_70EFC6,	1
		pop	edi
		pop	esi
		jnz	loc_5AA0D1
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_437B85
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_437B7D

loc_437B72:				; CODE XREF: MiAllowWorkingSetExpansion+7Fj
					; MiAllowWorkingSetExpansion+1725C6j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn
; 

loc_437B7D:				; CODE XREF: MiAllowWorkingSetExpansion+5Aj
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_437B85:				; CODE XREF: MiAllowWorkingSetExpansion+47j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_437B72
; 

loc_437B97:				; CODE XREF: MiAllowWorkingSetExpansion+28j
		lea	ecx, [esi-0C0h]
		call	_MiInsertSessionWorkingSet@4 ; MiInsertSessionWorkingSet(x)
		jmp	short loc_437B40
MiAllowWorkingSetExpansion endp


;  S U B	R O U T	I N E 


MiReturnWsToExpansionList proc near	; CODE XREF: MiAllowWorkingSetExpansion+2Ep
					; MmInSwapProcess+1627ADp ...

; FUNCTION CHUNK AT 005AA0E1 SIZE 00000023 BYTES

		mov	edi, edi
		push	edi
		mov	edi, ecx
		test	edx, edx
		mov	edx, offset dword_6D5D44
		lea	eax, [edi+10h]
		jnz	loc_5AA0E1
		mov	ecx, dword_6D5D48
		cmp	[ecx], edx
		jnz	short loc_437BD8
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6D5D48, eax

loc_437BCF:				; CODE XREF: MiReturnWsToExpansionList+17255Bj
		mov	ecx, [edi+38h]
		pop	edi
		test	ecx, ecx
		jnz	short loc_437BDD
		retn
; 

loc_437BD8:				; CODE XREF: MiReturnWsToExpansionList+1Dj
					; MiReturnWsToExpansionList+172547j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_437BDD:				; CODE XREF: MiReturnWsToExpansionList+31j
		xor	edx, edx
		inc	edx
		jmp	KeSignalGate
MiReturnWsToExpansionList endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiUpdateChargedWsles(x, x)
_MiUpdateChargedWsles@8	proc near	; CODE XREF: MiComputeProcessUserVa+4Fp
					; MiDeleteVadBitmap+BCp ...
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C5C
		jz	short loc_437BFA
		lea	eax, [ecx+9Ch]

loc_437BFA:				; CODE XREF: MiUpdateChargedWsles(x,x)+Cj
		lock xadd [eax], edx
		retn
_MiUpdateChargedWsles@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiLocateVadEvent(x,	x)
_MiLocateVadEvent@8 proc near		; CODE XREF: MiAllocateNewSubAllocatedRegion+12Ep
					; MiFreeToSubAllocatedRegion+2Ap ...
		mov	eax, [ecx+24h]

loc_437C03:				; CODE XREF: MiLocateVadEvent(x,x)+Fj
		test	eax, eax
		jz	short locret_437C0C
		test	[eax+24h], edx
		jz	short loc_437C0D

locret_437C0C:				; CODE XREF: MiLocateVadEvent(x,x)+5j
		retn
; 

loc_437C0D:				; CODE XREF: MiLocateVadEvent(x,x)+Aj
		mov	eax, [eax]
		jmp	short loc_437C03
_MiLocateVadEvent@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMapViewOfSectionEx(x, x, x, x, x,	x, x, x, x, x, x, x)
_MmMapViewOfSectionEx@48 proc near	; CODE XREF: MiMapProcessExecutable+88p
					; PspMapSystemDll+A7p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	0
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	1
		call	MiMapViewOfSectionExCommon
		pop	ebp
		retn	28h
_MmMapViewOfSectionEx@48 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteWsleRange(x, x, x, x)
_MiDeleteWsleRange@16 proc near		; CODE XREF: MiDeleteVadBitmap+A7p
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+3F0p ...

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_1C]
		push	6
		xor	eax, eax
		mov	[ebp+var_4], ebx
		pop	ecx
		rep stosd
		mov	al, [ebx+60h]
		mov	esi, offset unk_6D3C60
		mov	cl, al
		and	cl, 7
		cmp	cl, 2
		jz	short loc_437C72
		lea	esi, [ebx+0A0h]

loc_437C72:				; CODE XREF: MiDeleteWsleRange(x,x,x,x)+2Aj
		movzx	eax, al
		mov	edi, 100h
		and	eax, 7
		shr	edx, 0Ch
		add	edx, dword_6D2E68[eax*4]
		mov	eax, [ebp+arg_0]
		shl	eax, 0Ch
		dec	eax
		cmp	[ebp+arg_4], 0
		jnz	short loc_437CC9
		mov	ch, 21h
		test	cl, cl
		jnz	short loc_437CCD

loc_437C9A:				; CODE XREF: MiDeleteWsleRange(x,x,x,x)+8Bj
					; MiDeleteWsleRange(x,x,x,x)+92j
		lea	ebx, [ebp+var_1C]
		add	eax, edx
		push	ebx
		mov	ebx, [ebp+var_4]
		push	edi
		push	0
		push	eax
		push	edx
		mov	dl, ch
		mov	ecx, ebx
		call	_MiDeletePagablePteRange@28 ; MiDeletePagablePteRange(x,x,x,x,x,x,x)
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_437CBF

loc_437CB8:				; CODE XREF: MiDeleteWsleRange(x,x,x,x)+83j
					; MiDeleteWsleRange(x,x,x,x)+87j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_437CBF:				; CODE XREF: MiDeleteWsleRange(x,x,x,x)+76j
		test	byte ptr [ebx+60h], 7
		jnz	short loc_437CB8
		sub	[esi], eax
		jmp	short loc_437CB8
; 

loc_437CC9:				; CODE XREF: MiDeleteWsleRange(x,x,x,x)+52j
		mov	ch, 2
		jmp	short loc_437C9A
; 

loc_437CCD:				; CODE XREF: MiDeleteWsleRange(x,x,x,x)+58j
		mov	edi, 300h
		jmp	short loc_437C9A
_MiDeleteWsleRange@16 endp


;  S U B	R O U T	I N E 


MiHyperSpaceSize proc near		; CODE XREF: MiDeleteVadBitmap+42p

; FUNCTION CHUNK AT 005AA104 SIZE 0000000B BYTES

		mov	eax, dword_6D2E90
		test	eax, eax
		jz	loc_5AA104
		retn
MiHyperSpaceSize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeleteFinalPageTables	proc near	; CODE XREF: MmDeleteProcessAddressSpace+4Ap

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AA10F SIZE 00000221 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_1C]
		xor	eax, eax
		mov	[ebp+var_40], esi
		push	6
		pop	ecx
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_5C]
		xor	edx, edx
		rep stosd
		mov	eax, [esi+194h]
		mov	ecx, [eax+18h]
		mov	eax, [eax+1Ch]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	eax, ecx, 1Ch
		mov	ecx, large fs:124h
		mov	[ebp+var_24], ecx
		mov	ecx, esi
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	KiStackAttachProcess
		xor	edx, edx
		mov	[ebp+var_34], edx

loc_437D5D:				; CODE XREF: MiDeleteFinalPageTables+AEj
		test	edx, edx
		jnz	loc_437E19
		mov	edi, 7FFE0000h

loc_437D6A:				; CODE XREF: MiDeleteFinalPageTables+13Fj
		mov	eax, edi
		shr	eax, 12h
		and	eax, 3FF8h
		mov	ecx, [eax-3FA00000h]
		nop
		mov	eax, [eax-3F9FFFFCh]
		or	ecx, eax
		jnz	loc_5AA10F

loc_437D89:				; CODE XREF: MiDeleteFinalPageTables+145j
					; MiDeleteFinalPageTables+172622j
		inc	edx
		mov	[ebp+var_34], edx
		cmp	edx, 2
		jl	short loc_437D5D
		mov	ecx, esi
		call	MiDeleteVadBitmap
		mov	eax, [ebp+var_44]
		mov	ecx, [eax+10h]
		and	ecx, 3FFFFFFFh
		cmp	ecx, 5
		jnz	loc_5AA309
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	MiDeleteProcessShadow
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		lea	eax, [esi+64h]
		lock bts dword ptr [eax], 0Ah
		mov	ecx, esi
		call	MiUnlinkProcessFromSession
		mov	ecx, [esi+18h]
		call	KeFlushProcessTb
		mov	ecx, esi
		call	MiDeletePageDirectoryPages
		add	[ebp+var_58], eax
		mov	eax, [esi+194h]
		mov	edx, [eax+18h]
		mov	eax, [eax+1Ch]
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		call	_MiDeleteTopLevelPage@8	; MiDeleteTopLevelPage(x,x)
		cmp	eax, 3
		mov	eax, [ebp+var_58]
		jz	short loc_437E2C

loc_437E06:				; CODE XREF: MiDeleteFinalPageTables+14Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_437E19:				; CODE XREF: MiDeleteFinalPageTables+7Dj
		mov	edi, dword_6D0618
		test	edi, edi
		jnz	loc_437D6A
		jmp	loc_437D89
; 

loc_437E2C:				; CODE XREF: MiDeleteFinalPageTables+122j
		inc	eax
		jmp	short loc_437E06
MiDeleteFinalPageTables	endp

; 
		align 10h

;  S U B	R O U T	I N E 


KeFlushProcessTb proc near		; CODE XREF: MiDeleteFinalPageTables+F2p
					; MiDeleteProcessShadow+1B1p ...
		mov	edi, edi
		push	ecx
		test	byte ptr ds:_HvlEnlightenments,	1
		jnz	loc_5AA325
		pop	ecx
		retn
KeFlushProcessTb endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlinkProcessFromSession proc	near	; CODE XREF: MiDeleteFinalPageTables+EAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005AA330 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [esi+180h]
		xor	ebx, ebx
		xor	edi, edi
		inc	ebx
		test	ecx, ecx
		jz	short loc_437E98
		lea	eax, [esi+120h]
		cmp	[eax], edi
		jz	short loc_437E98
		test	[esi+2A1h], bl
		jnz	short loc_437EF5

loc_437E85:				; CODE XREF: MiUnlinkProcessFromSession+B9j
					; MiUnlinkProcessFromSession+1724F4j
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_437F02
		cmp	[ecx], eax
		jnz	short loc_437F02
		mov	[ecx], edx
		mov	[edx+4], ecx

loc_437E98:				; CODE XREF: MiUnlinkProcessFromSession+2Fj
					; MiUnlinkProcessFromSession+39j
		lea	eax, [esi+340h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_437F02
		cmp	[ecx], eax
		jnz	short loc_437F02
		mov	[ecx], edx
		mov	[edx+4], ecx
		test	ds:byte_70EFC6,	1
		jnz	loc_5AA33B
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_437EEA
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5AA34B

loc_437EDC:				; CODE XREF: MiUnlinkProcessFromSession+B1j
					; MiUnlinkProcessFromSession+172504j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_437EEA:				; CODE XREF: MiUnlinkProcessFromSession+81j
					; MiUnlinkProcessFromSession+172511j
		mov	[ebp+var_C], edi
		add	eax, 4
		lock xor [eax],	ebx
		jmp	short loc_437EDC
; 

loc_437EF5:				; CODE XREF: MiUnlinkProcessFromSession+41j
		cmp	[ecx+1DCh], edi
		jnz	short loc_437E85
		jmp	loc_5AA330
; 

loc_437F02:				; CODE XREF: MiUnlinkProcessFromSession+4Bj
					; MiUnlinkProcessFromSession+4Fj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
MiUnlinkProcessFromSession endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeleteProcessShadow proc near		; CODE XREF: MiDeleteFinalPageTables+D1p
					; PspDisablePrimaryTokenExchange(x)+D2p ...

var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AA358 SIZE 0000007F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		and	[esp+34h+var_4], 0
		test	ds:_MiFlags, 0C00000h
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	[esp+40h+var_1C], ebx
		jz	loc_4380E7
		cmp	dword ptr [ebx+304h], 0
		jz	loc_4380E7
		lea	edi, [ebx+240h]
		mov	[esp+40h+var_18], edi
		test	edx, edx
		jz	loc_5AA358
		mov	al, [edi+60h]
		mov	esi, offset unk_6D3C40
		and	al, 7
		cmp	al, 2
		jz	short loc_437F64
		lea	esi, [edi+80h]

loc_437F64:				; CODE XREF: MiDeleteProcessShadow+54j
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		cmp	dword ptr [ebx+304h], 0
		mov	[esp+40h+var_31], al
		jz	loc_5AA362
		cmp	dword_6D07D0, 0C0000000h
		mov	ecx, 0C0603000h
		mov	[esp+40h+var_30], ecx
		sbb	edi, edi
		add	edi, 3
		mov	[esp+40h+var_2C], edi

loc_437F9B:				; CODE XREF: MiDeleteProcessShadow+CFj
		mov	ebx, [ecx]
		nop
		mov	edx, [ecx+4]
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	short loc_437FC9
		mov	edi, [esp+40h+var_30]

loc_437FAF:				; CODE XREF: MiDeleteProcessShadow+172495j
		test	edx, edx
		jg	short loc_437FC1
		jl	loc_5AA370
		test	ebx, ebx
		jb	loc_5AA370

loc_437FC1:				; CODE XREF: MiDeleteProcessShadow+A9j
					; MiDeleteProcessShadow+172487j ...
		mov	edi, [esp+40h+var_2C]
		mov	ecx, [esp+40h+var_30]

loc_437FC9:				; CODE XREF: MiDeleteProcessShadow+A1j
		add	ecx, 8
		sub	edi, 1
		mov	[esp+40h+var_30], ecx
		mov	[esp+40h+var_2C], edi
		jnz	short loc_437F9B
		mov	ebx, [esp+40h+var_1C]
		mov	edi, [esp+40h+var_18]

loc_437FE1:				; CODE XREF: MiDeleteProcessShadow+172455j
		and	[esp+40h+var_C], 0
		mov	eax, offset dword_6D3540
		test	ds:byte_70EFC6,	21h
		mov	[esp+40h+var_8], eax
		jnz	loc_5AA3A8
		lea	edx, [esp+40h+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4380EE

loc_43800A:				; CODE XREF: MiDeleteProcessShadow+1EFj
					; MiDeleteProcessShadow+1724ABj
		mov	esi, [ebx+304h]
		and	[esp+40h+var_18], 0
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		mov	ecx, [esi-40000000h]
		nop
		mov	eax, [esi-3FFFFFFCh]
		mov	[esp+40h+var_28], ecx
		mov	[esp+40h+var_24], eax
		nop
		and	dword ptr [ebx+304h], 0
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		mov	eax, ecx
		mov	[esp+40h+var_1C], ecx
		shl	eax, 0Ch
		test	ds:byte_70EFC6,	1
		mov	[esp+40h+var_18], eax
		jnz	loc_5AA3B8
		mov	eax, [esp+40h+var_C]
		test	eax, eax
		jnz	loc_4380FC
		mov	edx, [esp+40h+var_8]
		lea	eax, [esp+40h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+40h+var_C]
		cmp	eax, ecx
		jnz	loc_5AA3C9

loc_438085:				; CODE XREF: MiDeleteProcessShadow+1724BCj
		xor	ebx, ebx
		inc	ebx

loc_438088:				; CODE XREF: MiDeleteProcessShadow+205j
		push	2
		mov	edx, ebx
		xor	ecx, ecx
		call	MiPaeUpdateSelfMap
		mov	al, [esp+40h+var_31]
		cmp	al, 21h
		jz	short loc_4380A4
		mov	dl, al
		mov	ecx, edi
		call	MiUnlockWorkingSetExclusive

loc_4380A4:				; CODE XREF: MiDeleteProcessShadow+191j
		push	ebx
		lea	edx, [esi-40000000h]
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		mov	ecx, [esp+44h+var_1C]
		call	KeFlushProcessTb
		mov	edx, [esp+44h+var_20]
		call	_MiDeleteTopLevelPage@8	; MiDeleteTopLevelPage(x,x)
		cmp	eax, 3
		jz	short loc_4380E7
		mov	esi, offset _MiSystemPartition
		mov	edx, ebx
		mov	ecx, esi
		call	MiReturnCommit
		mov	edx, ebx
		mov	ecx, esi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	short loc_438112

loc_4380E7:				; CODE XREF: MiDeleteProcessShadow+23j
					; MiDeleteProcessShadow+30j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4380EE:				; CODE XREF: MiDeleteProcessShadow+FCj
		lea	ecx, [esp+40h+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_43800A
; 

loc_4380FC:				; CODE XREF: MiDeleteProcessShadow+15Dj
					; MiDeleteProcessShadow+1724CAj
		xor	ebx, ebx
		mov	[esp+40h+var_C], 0
		add	eax, 4
		inc	ebx
		lock xor [eax],	ebx
		jmp	loc_438088
; 

loc_438112:				; CODE XREF: MiDeleteProcessShadow+1DDj
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax
		jmp	short loc_4380E7
MiDeleteProcessShadow endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiContractPagingFiles proc near		; CODE XREF: MmDeleteProcessAddressSpace+DFp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AA3D7 SIZE 00000060 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, ecx
		mov	edx, [edi+1114h]
		mov	ecx, [edi+10BCh]
		call	_MiOkToShrinkPageFiles@8 ; MiOkToShrinkPageFiles(x,x)
		test	eax, eax
		jz	short loc_438175
		push	ebx
		mov	ebx, [edi+0F4Ch]
		xor	ecx, ecx
		push	esi
		test	ebx, ebx
		jz	short loc_43816B
		lea	esi, [edi+0F54h]

loc_438150:				; CODE XREF: MiContractPagingFiles+4Bj
		mov	edx, [esi]
		test	byte ptr [edx+74h], 50h
		jnz	short loc_438163
		mov	eax, [edx]
		cmp	eax, [edx+8]
		jnz	loc_5AA3D7

loc_438163:				; CODE XREF: MiContractPagingFiles+38j
					; MiContractPagingFiles+1722C6j
		inc	ecx
		add	esi, 4
		cmp	ecx, ebx
		jb	short loc_438150

loc_43816B:				; CODE XREF: MiContractPagingFiles+2Aj
					; MiContractPagingFiles+1722C0j
		cmp	ecx, ebx
		jnz	loc_5AA3E9

loc_438173:				; CODE XREF: MiContractPagingFiles+1722F5j
					; MiContractPagingFiles+172314j
		pop	esi
		pop	ebx

loc_438175:				; CODE XREF: MiContractPagingFiles+1Cj
		pop	edi
		leave
		retn
MiContractPagingFiles endp


;  S U B	R O U T	I N E 


; __stdcall MiOkToShrinkPageFiles(x, x)
_MiOkToShrinkPageFiles@8 proc near	; CODE XREF: MiContractPagingFiles+15p
					; MiAttemptPageFileReduction(x)+91p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	eax, edx
		lea	esi, [ecx+8000h]
		push	0Ah
		xor	edx, edx
		pop	edi
		div	edi
		shl	eax, 3
		cmp	esi, eax
		jnb	short loc_43819C
		cmp	esi, ecx
		jbe	short loc_43819C
		xor	eax, eax
		inc	eax

loc_438199:				; CODE XREF: MiOkToShrinkPageFiles(x,x)+26j
		pop	edi
		pop	esi
		retn
; 

loc_43819C:				; CODE XREF: MiOkToShrinkPageFiles(x,x)+18j
					; MiOkToShrinkPageFiles(x,x)+1Cj
		xor	eax, eax
		jmp	short loc_438199
_MiOkToShrinkPageFiles@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiDeleteWorkingSetList(x)
_MiDeleteWorkingSetList@4 proc near	; CODE XREF: MiDeleteSessionAddressSpace(x,x)+A9p
					; MmDeleteProcessAddressSpace+C9p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_4381BE
		test	byte ptr [esi+60h], 7
		jnz	short loc_4381BA
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4381BA:				; CODE XREF: MiDeleteWorkingSetList(x)+10j
		and	dword ptr [esi+0Ch], 0

loc_4381BE:				; CODE XREF: MiDeleteWorkingSetList(x)+Aj
		pop	esi
		retn
_MiDeleteWorkingSetList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPaeFree	proc near		; CODE XREF: MmDeleteProcessAddressSpace+B8p
					; MmCreateProcessAddressSpace+176C2Fp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AA437 SIZE 00000167 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	esi, ecx
		stosd
		stosd
		stosd
		mov	eax, 80h
		cmp	word ptr dword_6D065C, ax
		jnb	loc_5AA437
		mov	edx, esi
		mov	ecx, offset dword_6D0658
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_4381F3:				; CODE XREF: MiPaeFree+172360j
					; MiPaeFree+1723D9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiPaeFree	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 330. ExCleanupAutoExpandPushLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExCleanupAutoExpandPushLock
ExCleanupAutoExpandPushLock proc near	; CODE XREF: MiDeleteProcessPhysicalPages(x)+1Ep
					; MiDeleteAweInfo(x,x)+11p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AA59E SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+4]
		test	cl, 1
		jnz	loc_5AA59E

loc_438212:				; CODE XREF: ExCleanupAutoExpandPushLock+1723A8j
		pop	ebp
		retn	4
ExCleanupAutoExpandPushLock endp


;  S U B	R O U T	I N E 


; __stdcall MiReleaseNonPagedResources(x, x)
_MiReleaseNonPagedResources@8 proc near	; CODE XREF: MiFreeLargePageCharges(x,x)+2j
					; MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+174p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	MiReturnCommit
		mov	edx, esi
		mov	ecx, edi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	short loc_438233

loc_438230:				; CODE XREF: MiReleaseNonPagedResources(x,x)+27j
		pop	edi
		pop	esi
		retn
; 

loc_438233:				; CODE XREF: MiReleaseNonPagedResources(x,x)+18j
		lea	ecx, [edi+1000h]
		lock xadd [ecx], eax
		jmp	short loc_438230
_MiReleaseNonPagedResources@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiReturnResident(x,	x)
_MiReturnResident@8 proc near		; CODE XREF: MmDeleteProcessAddressSpace+68p
					; MiRemoveVadCharges+107p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	short loc_438250
		pop	esi
		retn
; 

loc_438250:				; CODE XREF: MiReturnResident(x,x)+Cj
		lea	ecx, [esi+1000h]
		lock xadd [ecx], eax
		pop	esi
		retn
_MiReturnResident@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReturnProcessQuota(x, x, x)
_PsReturnProcessQuota@12 proc near	; CODE XREF: MmDeleteProcessAddressSpace+56p
					; MmCleanProcessAddressSpace+1ECp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, ecx
		cmp	edx, ds:_PsInitialSystemProcess
		jz	short loc_43827B
		push	[ebp+arg_0]
		mov	ecx, [edx+188h]
		push	3
		call	PspReturnQuota

loc_43827B:				; CODE XREF: PsReturnProcessQuota(x,x,x)+Dj
		pop	ebp
		retn	4
_PsReturnProcessQuota@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlinkWorkingSet proc	near		; CODE XREF: MiUnlinkSessionWorkingSet+2Ap
					; MiDeletePartitionResources(x)+52p ...

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AA5AB SIZE 00000039 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		and	[esp+1Ch+var_C], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+28h+var_1C]
		mov	word ptr [esp+28h+var_10+2], 4
		stosd
		mov	esi, edx
		mov	ebx, ecx
		mov	byte ptr [esp+28h+var_10], 7
		stosd
		stosd
		xor	eax, eax
		inc	eax
		mov	byte ptr [esp+28h+var_10+1], al
		lea	eax, [esp+28h+var_8]
		mov	[esp+28h+var_4], eax
		mov	[esp+28h+var_8], eax
		test	esi, esi
		jnz	short loc_4382D3
		lea	esi, [esp+28h+var_1C]
		mov	ecx, offset dword_6D3540
		mov	edx, esi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)

loc_4382D3:				; CODE XREF: MiUnlinkWorkingSet+41j
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

loc_4382D9:				; CODE XREF: MiUnlinkWorkingSet+129j
		test	byte ptr [ebx+61h], 0F6h
		jnz	short loc_43835A
		lea	eax, [ebx+10h]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_438304
		mov	edx, [eax+4]
		cmp	[ecx+4], eax
		jnz	loc_4383AE
		cmp	[edx], eax
		jnz	loc_4383AE
		mov	[edx], ecx
		mov	[ecx+4], edx
		and	dword ptr [eax], 0

loc_438304:				; CODE XREF: MiUnlinkWorkingSet+66j
		mov	eax, ds:_MmBadPointer
		mov	[ebx+38h], eax
		lea	eax, [esp+28h+var_1C]
		cmp	esi, eax
		jnz	short loc_43833B
		test	ds:byte_70EFC6,	1
		jnz	loc_5AA5D5
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_438349
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_438342

loc_438336:				; CODE XREF: MiUnlinkWorkingSet+D8j
					; MiUnlinkWorkingSet+17235Fj
		mov	cl, [esi+8]
		call	edi

loc_43833B:				; CODE XREF: MiUnlinkWorkingSet+92j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_438342:				; CODE XREF: MiUnlinkWorkingSet+B4j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_438349:				; CODE XREF: MiUnlinkWorkingSet+A5j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	short loc_438336
; 

loc_43835A:				; CODE XREF: MiUnlinkWorkingSet+5Dj
		lea	eax, [esp+28h+var_10]
		mov	[ebx+38h], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5AA5AB
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5AA5C1
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5AA5BA

loc_43838B:				; CODE XREF: MiUnlinkWorkingSet+172335j
					; MiUnlinkWorkingSet+172350j
		mov	cl, [esi+8]
		call	edi
		push	ecx
		push	12h
		pop	edx
		lea	ecx, [esp+2Ch+var_10]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		mov	edx, esi
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		jmp	loc_4382D9
; 

loc_4383AE:				; CODE XREF: MiUnlinkWorkingSet+6Ej
					; MiUnlinkWorkingSet+76j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
MiUnlinkWorkingSet endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPaeUpdateSelfMap proc	near		; CODE XREF: MiDeleteProcessShadow+186p
					; MmStealTopLevelPage+EEp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AA5E4 SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		push	3
		pop	ecx
		cmp	edx, 1
		jnz	short loc_4383C8
		push	7
		pop	ecx

loc_4383C8:				; CODE XREF: MiPaeUpdateSelfMap+Fj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+194h]
		lea	edi, [eax+ecx*8]
		mov	eax, [ebp+arg_0]
		sub	eax, 0
		jz	short loc_438418
		sub	eax, 1
		jz	short loc_438418
		sub	eax, 1
		xor	esi, esi
		xor	edx, edx

loc_4383F1:				; CODE XREF: MiPaeUpdateSelfMap+86j
		push	ebx
		mov	ecx, edi
		xor	ebx, ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5AA5E4

loc_438403:				; CODE XREF: MiPaeUpdateSelfMap+172243j
					; MiPaeUpdateSelfMap+172261j ...
		mov	[edi+4], edx
		nop
		test	ebx, ebx
		mov	[edi], esi
		pop	ebx
		jnz	loc_5AA634

loc_438412:				; CODE XREF: MiPaeUpdateSelfMap+172289j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_438418:				; CODE XREF: MiPaeUpdateSelfMap+2Fj
					; MiPaeUpdateSelfMap+34j
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		and	esi, 1FFFFFFh
		xor	edx, edx
		and	ecx, 0FFFh
		shld	edx, esi, 0Ch
		and	eax, 0FFFFFFE0h
		shl	esi, 0Ch
		or	esi, ecx
		or	edx, eax
		jmp	short loc_4383F1
MiPaeUpdateSelfMap endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeForceResumeProcess(x)
_KeForceResumeProcess@4	proc near	; CODE XREF: MiReAcquireCommitFailWorker(x)+15p
					; PspTerminateProcess+BFp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	ebx, [esi+2Ch]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [esi+34h]
		mov	byte ptr [ebp+var_4], al
		mov	eax, large fs:20h
		push	edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edi
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		lea	eax, [esi+64h]
		mov	ecx, [eax]
		shr	ecx, 3
		and	ecx, 1
		add	ecx, [esi+98h]
		jnz	short loc_438491
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_43848C:				; CODE XREF: KeForceResumeProcess(x)+99j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_438491:				; CODE XREF: KeForceResumeProcess(x)+3Fj
		lock btr dword ptr [eax], 3
		and	dword ptr [esi+98h], 0
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	short loc_4384BE
		mov	edi, [ebp+var_8]

loc_4384A6:				; CODE XREF: KeForceResumeProcess(x)+7Dj
		push	1
		lea	edx, [esi-1D4h]
		mov	ecx, edi
		call	_KiThawSingleThread@12 ; KiThawSingleThread(x,x,x)
		mov	esi, [esi]
		cmp	esi, ebx
		jnz	short loc_4384A6
		mov	edi, [ebp+var_C]

loc_4384BE:				; CODE XREF: KeForceResumeProcess(x)+65j
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		push	[ebp+var_4]
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		push	0
		push	1
		call	KiExitDispatcher
		jmp	short loc_43848C
_KeForceResumeProcess@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetProcessSchedulingGroup(x, x)
_KeSetProcessSchedulingGroup@8 proc near ; CODE	XREF: PspTerminateProcess+4Bp
					; PspSetProcessSchedulingGroup:loc_7DEA87p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	[ebp+var_C], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		lea	eax, [edi+34h]
		push	eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	eax, [edi+78h]
		mov	[ebp+var_10], eax
		cmp	eax, ebx
		jnz	short loc_43851E

loc_438505:				; CODE XREF: KeSetProcessSchedulingGroup(x,x)+73j
		lea	ecx, [edi+34h]
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_10]
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_43851E:				; CODE XREF: KeSetProcessSchedulingGroup(x,x)+2Bj
		lea	eax, [edi+2Ch]
		push	esi
		mov	esi, [eax]
		cmp	esi, eax
		jz	short loc_438547
		mov	edi, eax

loc_43852A:				; CODE XREF: KeSetProcessSchedulingGroup(x,x)+6Aj
		lea	ecx, [esi-1D4h]
		mov	eax, [ecx+50h]
		cmp	eax, ebx
		jz	short loc_43853E
		mov	edx, ebx
		call	KiSetThreadSchedulingGroup

loc_43853E:				; CODE XREF: KeSetProcessSchedulingGroup(x,x)+5Dj
		mov	esi, [esi]
		cmp	esi, edi
		jnz	short loc_43852A
		mov	edi, [ebp+var_C]

loc_438547:				; CODE XREF: KeSetProcessSchedulingGroup(x,x)+4Ej
		mov	[edi+78h], ebx
		pop	esi
		jmp	short loc_438505
_KeSetProcessSchedulingGroup@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceProcessTerminate(x)
_EtwTraceProcessTerminate@4 proc near	; CODE XREF: PspTerminateProcess+42p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx+0E4h]
		xor	edx, edx
		and	[ebp+var_10], 0
		lea	ecx, [ebp+var_14]
		and	[ebp+var_8], 0
		inc	edx
		push	offset loc_501902
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		push	30Bh
		push	edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 4
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwTraceProcessTerminate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceKernelEvent(x, x, x, x, x)
_EtwTraceKernelEvent@20	proc near	; CODE XREF: EtwTraceProcessTerminate(x)+41p
					; CcPerfLogFlushCache+CBp ...

var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, ds:_EtwpHostSiloState
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax+924h]
		mov	ebx, edx
		mov	[esp+18h+var_8], ecx

loc_4385BF:				; CODE XREF: EtwTraceKernelEvent(x,x,x,x,x)+3Cj
					; EtwTraceKernelEvent(x,x,x,x,x)+4Fj ...
		bsf	edi, esi
		jz	short loc_43860C
		mov	edx, ds:_EtwpHostSiloState
		lea	eax, [esi-1]
		and	esi, eax
		mov	eax, edi
		shl	eax, 5
		lea	ecx, [edx+948h]
		add	ecx, eax
		jz	short loc_4385BF
		mov	eax, [ebp+arg_0]
		shr	eax, 1Dh
		mov	eax, [ecx+eax*4]
		and	eax, [ebp+arg_0]
		test	eax, 1FFFFFFFh
		jz	short loc_4385BF
		push	[ebp+arg_8]
		movzx	eax, byte ptr [edx+edi*2+914h]
		push	[ebp+arg_4]
		mov	ecx, [esp+20h+var_8]
		push	ebx
		push	eax
		call	EtwpLogKernelEvent
		jmp	short loc_4385BF
; 

loc_43860C:				; CODE XREF: EtwTraceKernelEvent(x,x,x,x,x)+22j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_EtwTraceKernelEvent@20	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcPerfLogFlushCache proc near		; CODE XREF: .text:004ACBEDp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 005AA642 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_14], 0
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_40], ecx
		test	edi, edi
		jz	loc_4386E6
		lea	ebx, [edi+44h]
		mov	ecx, ebx
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_4386FE

loc_438654:				; CODE XREF: CcPerfLogFlushCache+F1j
		mov	ecx, [esi+0Ch]
		mov	[ebp+var_28], ecx
		mov	ecx, [ebx]
		mov	edx, ecx
		xor	edx, esi
		cmp	edx, 7
		jnb	loc_43871C

loc_438669:				; CODE XREF: CcPerfLogFlushCache+172033j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jnz	loc_5AA642

loc_43867A:				; CODE XREF: CcPerfLogFlushCache+111j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	loc_43870C
		and	[ebp+var_24], ecx
		and	[ebp+var_20], ecx

loc_43868B:				; CODE XREF: CcPerfLogFlushCache+101j
		mov	eax, [ebp+var_40]
		xor	edx, edx
		mov	[ebp+var_2C], eax
		inc	edx
		mov	eax, [edi+60h]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		mov	[ebp+var_14], eax
		cmp	[ebp+arg_8], al
		jnz	short loc_4386F7

loc_4386AA:				; CODE XREF: CcPerfLogFlushCache+E6j
		cmp	[ebp+arg_C], 0
		jnz	short loc_43872C

loc_4386B0:				; CODE XREF: CcPerfLogFlushCache+11Cj
		cmp	[ebp+arg_10], 0
		jnz	loc_5AA654

loc_4386BA:				; CODE XREF: CcPerfLogFlushCache+172044j
		and	[ebp+var_38], 0
		lea	eax, [ebp+var_2C]
		and	[ebp+var_30], 0
		lea	ecx, [ebp+var_3C]
		push	(offset	off_401900+2)
		push	1609h
		push	80020000h
		mov	[ebp+var_3C], eax
		mov	[ebp+var_34], 20h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_4386E6:				; CODE XREF: CcPerfLogFlushCache+24j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_4386F7:				; CODE XREF: CcPerfLogFlushCache+92j
		mov	eax, edx
		mov	[ebp+var_14], eax
		jmp	short loc_4386AA
; 

loc_4386FE:				; CODE XREF: CcPerfLogFlushCache+38j
		mov	ecx, edi
		call	_CcSlowReferenceSharedCacheMapFileObject@4 ; CcSlowReferenceSharedCacheMapFileObject(x)
		mov	esi, eax
		jmp	loc_438654
; 

loc_43870C:				; CODE XREF: CcPerfLogFlushCache+69j
		mov	eax, [ecx]
		mov	[ebp+var_24], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_20], eax
		jmp	loc_43868B
; 

loc_43871C:				; CODE XREF: CcPerfLogFlushCache+4Dj
					; CcPerfLogFlushCache+172039j
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_43867A
; 

loc_43872C:				; CODE XREF: CcPerfLogFlushCache+98j
		or	eax, 2
		mov	[ebp+var_14], eax
		jmp	loc_4386B0
CcPerfLogFlushCache endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcPerfLogFlushSection proc near		; CODE XREF: .text:004ACC68p
					; .text:004ACEE5p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005AA65F SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_38], ecx
		test	edi, edi
		jz	loc_4387E3
		lea	ebx, [edi+44h]
		mov	ecx, ebx
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5AA65F

loc_43876E:				; CODE XREF: CcPerfLogFlushSection+171F30j
		mov	ecx, [esi+0Ch]
		mov	[ebp+var_20], ecx
		mov	ecx, [ebx]
		mov	edx, ecx
		xor	edx, esi
		cmp	edx, 7
		jnb	short loc_4387F4

loc_43877F:				; CODE XREF: CcPerfLogFlushSection+171F3Cj
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jnz	loc_5AA66D

loc_438790:				; CODE XREF: CcPerfLogFlushSection+C7j
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_438801
		mov	eax, [ecx]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_18], eax

loc_4387A4:				; CODE XREF: CcPerfLogFlushSection+CFj
		mov	eax, [ebp+var_38]
		lea	ecx, [ebp+var_34]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_8]
		push	(offset	off_401900+2)
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		xor	edx, edx
		mov	[ebp+var_10], eax
		inc	edx
		push	160Ah
		lea	eax, [ebp+var_24]
		mov	[ebp+var_2C], 18h
		push	80020000h
		mov	[ebp+var_34], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_4387E3:				; CODE XREF: CcPerfLogFlushSection+1Cj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_4387F4:				; CODE XREF: CcPerfLogFlushSection+45j
					; CcPerfLogFlushSection+171F42j
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	short loc_438790
; 

loc_438801:				; CODE XREF: CcPerfLogFlushSection+5Fj
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], edx
		jmp	short loc_4387A4
CcPerfLogFlushSection endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcPerfLogScheduleReadAhead(x, x, x,	x, x, x, x)
_CcPerfLogScheduleReadAhead@28 proc near ; CODE	XREF: CcScheduleReadAheadEx+3A7p
					; CcScheduleReadAheadEx+401p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= byte ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		xor	ebx, ebx
		mov	[ebp+var_60], ecx
		lea	eax, [ebp+var_5C]
		mov	edi, edx
		push	ebx		; int
		push	eax		; void *
		xor	esi, esi
		call	_memset
		add	esp, 0Ch
		test	edi, edi
		jz	short loc_43884A
		mov	eax, [edi+14h]
		mov	esi, [edi+18h]
		mov	ebx, [eax+4]
		mov	eax, [edi+0Ch]
		mov	[ebp+var_58], eax

loc_43884A:				; CODE XREF: CcPerfLogScheduleReadAhead(x,x,x,x,x,x,x)+2Fj
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	eax, [ebp+var_60]
		inc	edx
		mov	[ebp+var_5C], eax
		mov	eax, [ecx]
		mov	[ebp+var_54], eax
		mov	eax, [ecx+4]
		xor	ecx, ecx
		cmp	[ebp+arg_10], edx
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_4]
		setz	cl
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_20]
		and	eax, 0FFFFFFFEh
		or	ecx, eax
		mov	[ebp+var_20], ecx
		test	esi, esi
		jz	short loc_4388B7
		mov	eax, [esi+34h]
		mov	[ebp+var_44], eax
		mov	eax, [esi+38h]
		mov	[ebp+var_3C], eax
		mov	eax, [esi+3Ch]
		mov	[ebp+var_38], eax
		mov	eax, [esi+40h]
		mov	[ebp+var_34], eax
		mov	eax, [esi+44h]
		mov	[ebp+var_30], eax
		mov	eax, [esi]
		shr	eax, 0Fh
		xor	eax, ecx
		and	eax, 2
		xor	eax, ecx
		mov	[ebp+var_20], eax
		mov	eax, [esi+30h]
		mov	[ebp+var_28], eax

loc_4388B7:				; CODE XREF: CcPerfLogScheduleReadAhead(x,x,x,x,x,x,x)+78j
		test	ebx, ebx
		jz	short loc_4388C1
		mov	eax, [ebx+60h]
		mov	[ebp+var_24], eax

loc_4388C1:				; CODE XREF: CcPerfLogScheduleReadAhead(x,x,x,x,x,x,x)+AFj
		mov	al, [ebp+arg_C]
		lea	ecx, [ebp+var_1C]
		and	[ebp+var_18], 0
		and	[ebp+var_10], 0
		push	(offset	off_401900+2)
		mov	[ebp+var_2C], al
		lea	eax, [ebp+var_5C]
		push	160Ch
		push	80020000h
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], 40h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_CcPerfLogScheduleReadAhead@28 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 227. CcScheduleReadAheadEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcScheduleReadAheadEx
CcScheduleReadAheadEx proc near		; CODE XREF: CcCopyReadEx+2E1p
					; CcCopyReadEx+330p ...

var_46		= byte ptr -46h
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005AA67F SIZE 000000B6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	esi, [ecx+18h]
		lea	edi, [esp+58h+var_C]
		stosd
		xor	ebx, ebx
		mov	[esp+58h+var_34], ebx
		mov	[esp+58h+var_3C], ebx
		stosd
		stosd
		mov	eax, [ecx+14h]
		mov	edi, [eax+4]
		mov	[esp+58h+var_30], edi
		test	edi, edi
		jz	short loc_43894A
		mov	ecx, edi
		call	CcGetPartition
		mov	[esp+58h+var_3C], eax

loc_43894A:				; CODE XREF: CcScheduleReadAheadEx+33j
		mov	eax, [ebp+arg_C]
		mov	[esp+58h+var_2C], eax
		test	eax, eax
		jnz	short loc_43895F
		mov	eax, large fs:124h
		mov	[esp+58h+var_2C], eax

loc_43895F:				; CODE XREF: CcScheduleReadAheadEx+49j
		mov	ecx, eax
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		mov	edx, eax
		test	esi, esi
		jz	loc_438A85
		test	edi, edi
		jz	loc_438A85
		mov	ecx, [edi+60h]
		xor	eax, eax
		inc	eax
		test	cl, al
		jnz	loc_438A85
		test	ecx, 2000h
		jnz	loc_438A85
		mov	eax, [ebp+arg_0]
		test	dword ptr [eax+2Ch], 100000h
		jnz	loc_438A85
		cmp	edx, 2
		jl	loc_438A85
		mov	ecx, [esp+58h+var_3C]
		mov	edx, eax
		push	ebx
		push	4
		push	ebx
		push	1000000h
		call	CcCanIWriteStreamEx
		test	al, al
		jz	loc_438A85
		mov	eax, [esp+58h+var_3C]
		test	eax, eax
		jz	short loc_4389DB
		cmp	[eax+0DCh], bl
		jnz	loc_438A85

loc_4389DB:				; CODE XREF: CcScheduleReadAheadEx+C3j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		mov	eax, ecx
		mov	[esp+58h+var_40], ecx
		add	eax, [edx]
		mov	[esp+58h+var_28], eax
		mov	eax, ebx
		adc	eax, [edx+4]
		mov	[esp+58h+var_24], eax
		mov	eax, [esi+4]
		add	ecx, eax
		not	eax
		and	ecx, eax
		mov	eax, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esp+58h+var_38], ecx
		mov	[esp+58h+var_10], eax
		call	eax
		mov	[esp+58h+var_45], al
		lea	eax, [esi+50h]
		mov	ecx, eax
		mov	[esp+58h+var_14], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi]
		mov	eax, 20000h
		test	ecx, eax
		jz	loc_438C97

loc_438A2F:				; CODE XREF: CcScheduleReadAheadEx+391j
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		call	_CcDetermineReadPattern@8 ; CcDetermineReadPattern(x,x)
		mov	[esp+58h+var_44], eax
		test	eax, eax
		jnz	short loc_438A8E
		mov	[esi+30h], ebx
		mov	[esi+40h], ebx
		mov	[esi+44h], ebx
		mov	[esi+48h], ebx
		mov	[esi+4Ch], ebx

loc_438A50:				; CODE XREF: CcScheduleReadAheadEx:loc_438A8Ej
					; CcScheduleReadAheadEx+40Ej ...
		mov	esi, [ebp+arg_0]

loc_438A53:				; CODE XREF: CcScheduleReadAheadEx+388j
		test	ds:dword_70EFD0, 20000h
		jnz	loc_438CA0

loc_438A63:				; CODE XREF: CcScheduleReadAheadEx+3ACj
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5AA724
		mov	eax, [esp+58h+var_14]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_438A7B:				; CODE XREF: CcScheduleReadAheadEx+171E26j
		mov	cl, [esp+58h+var_45]

loc_438A7F:				; CODE XREF: CcScheduleReadAheadEx+171E15j
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_438A85:				; CODE XREF: CcScheduleReadAheadEx+60j
					; CcScheduleReadAheadEx+68j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_438A8E:				; CODE XREF: CcScheduleReadAheadEx+135j
		jle	short loc_438A50
		cmp	eax, 2
		jg	loc_438D15
		mov	eax, [esi+44h]
		mov	edx, [esp+58h+var_38]
		mov	ecx, [esi+40h]
		add	edx, edx
		mov	[esp+58h+var_20], eax
		xor	eax, eax
		add	edx, [esp+58h+var_40]
		adc	eax, ebx
		add	edx, [esp+58h+var_28]
		adc	eax, [esp+58h+var_24]
		cmp	eax, [esp+58h+var_20]
		jl	loc_438C8B
		jg	short loc_438ACD
		cmp	edx, ecx
		jb	loc_438C8B

loc_438ACD:				; CODE XREF: CcScheduleReadAheadEx+1B9j
		mov	eax, [esp+58h+var_28]
		mov	edx, [esp+58h+var_24]
		and	eax, 0FFFFF000h
		mov	edi, [esp+58h+var_20]
		cmp	edx, edi
		mov	edi, [esp+58h+var_30]
		mov	[esi+38h], eax
		mov	[esi+3Ch], edx
		jl	short loc_438B12
		jg	short loc_438AF2
		cmp	eax, ecx
		jb	short loc_438B12

loc_438AF2:				; CODE XREF: CcScheduleReadAheadEx+1E2j
		mov	ecx, [esp+58h+var_38]
		mov	eax, ecx
		add	eax, [esp+58h+var_28]
		sub	eax, 1
		mov	[esp+58h+var_24], eax
		xor	eax, eax
		inc	eax
		sub	ecx, eax
		not	ecx
		and	[esp+58h+var_24], ecx
		mov	ecx, [esp+58h+var_24]

loc_438B12:				; CODE XREF: CcScheduleReadAheadEx+1E0j
					; CcScheduleReadAheadEx+1E6j
		inc	dword ptr [esi+30h]
		cmp	[esp+58h+var_44], 1
		mov	eax, [esp+58h+var_38]
		mov	edx, [esi+30h]
		jz	short loc_438B28
		cmp	edx, 3
		jb	short loc_438B2A

loc_438B28:				; CODE XREF: CcScheduleReadAheadEx+217j
		add	eax, eax

loc_438B2A:				; CODE XREF: CcScheduleReadAheadEx+21Cj
		sub	ecx, [esi+38h]
		add	eax, ecx
		mov	[esp+58h+var_20], eax
		cmp	edx, 3
		jnb	loc_438CBB

loc_438B3C:				; CODE XREF: CcScheduleReadAheadEx+3B6j
					; CcScheduleReadAheadEx+453j ...
		mov	[esi+34h], eax
		mov	eax, 10000h
		mov	edx, [esi]
		test	edx, eax
		jnz	loc_438CCB
		mov	ecx, large fs:124h
		or	edx, eax
		mov	[esi], edx
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)
		shl	eax, 12h
		lea	edi, [esi+50h]
		xor	eax, edx
		and	eax, 1C0000h
		xor	eax, edx
		mov	[esi], eax
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5AA6C4
		xor	eax, eax
		lock and [edi],	eax

loc_438B83:				; CODE XREF: CcScheduleReadAheadEx+171DC4j
		mov	cl, [esp+58h+var_45]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esp+58h+var_3C]
		lea	edx, [esp+58h+var_34]
		call	_CcAllocateWorkQueueEntry@8 ; CcAllocateWorkQueueEntry(x,x)
		test	eax, eax
		js	loc_5AA6EE
		test	ds:dword_70EFD0, 20000h
		mov	edi, [esp+58h+var_34]
		jnz	loc_438CF3

loc_438BB6:				; CODE XREF: CcScheduleReadAheadEx+406j
		mov	eax, [esp+58h+var_30]
		test	dword ptr [eax+60h], 10000000h
		jz	short loc_438BD4
		push	[esp+58h+var_2C]
		push	[esp+5Ch+var_44]
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	CcChargeThreadForReadAhead

loc_438BD4:				; CODE XREF: CcScheduleReadAheadEx+2B7j
		mov	ecx, [ebp+arg_0]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		mov	ecx, [esp+58h+var_3C]
		lea	edx, [esp+58h+var_C]
		lea	ecx, [ecx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esp+58h+var_30]
		inc	dword ptr [eax+4]
		inc	dword ptr [eax+178h]
		or	dword ptr [eax+60h], 4000h
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5AA6D3
		mov	eax, [esp+58h+var_C]
		test	eax, eax
		jnz	loc_438D6F
		mov	edx, [esp+58h+var_8]
		lea	eax, [esp+58h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+58h+var_C]
		cmp	eax, ecx
		jnz	loc_438D62

loc_438C3A:				; CODE XREF: CcScheduleReadAheadEx+171DD5j
		mov	edi, [esp+58h+var_34]

loc_438C3E:				; CODE XREF: CcScheduleReadAheadEx+472j
		mov	cl, [esp+58h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esp+58h+var_2C]
		lea	edx, [edi+0Ch]
		xor	eax, eax
		mov	[esi+64h], edi
		inc	eax
		mov	[edi+48h], al
		mov	eax, [ebp+arg_0]
		mov	[edi+8], eax
		mov	[edx], ebx
		call	_IoReferenceIoAttributionFromThread@8 ;	IoReferenceIoAttributionFromThread(x,x)
		mov	edx, [esp+58h+var_3C]
		mov	ecx, edi
		mov	eax, [edi+4Ch]
		add	edx, 9Ch
		add	eax, 0B4h
		cmp	eax, edx
		jz	loc_5AA6E4
		call	CcPostWorkQueueRegular
		jmp	loc_438A85
; 

loc_438C8B:				; CODE XREF: CcScheduleReadAheadEx+1B3j
					; CcScheduleReadAheadEx+1BDj
		mov	esi, [ebp+arg_0]

loc_438C8E:				; CODE XREF: CcScheduleReadAheadEx+3D0j
					; CcScheduleReadAheadEx+3E7j
		mov	eax, [esp+58h+var_44]
		jmp	loc_438A53
; 

loc_438C97:				; CODE XREF: CcScheduleReadAheadEx+11Fj
		or	ecx, eax
		mov	[esi], ecx
		jmp	loc_438A2F
; 

loc_438CA0:				; CODE XREF: CcScheduleReadAheadEx+153j
		push	ebx

loc_438CA1:				; CODE XREF: .text:0042D471j
		push	eax
		push	[esp+60h+var_38]
		mov	edx, esi
		xor	ecx, ecx
		push	[esp+64h+var_40]
		push	[ebp+arg_4]
		call	_CcPerfLogScheduleReadAhead@28 ; CcPerfLogScheduleReadAhead(x,x,x,x,x,x,x)
		jmp	loc_438A63
; 

loc_438CBB:				; CODE XREF: CcScheduleReadAheadEx+22Cj
		mov	ecx, [esi+58h]
		test	ecx, ecx
		jz	loc_438B3C
		jmp	loc_5AA67F
; 

loc_438CCB:				; CODE XREF: CcScheduleReadAheadEx+23Ej
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		test	dword ptr [edi+60h], 10000000h
		lea	ebx, [eax+1]
		jz	short loc_438C8E
		push	[esp+58h+var_2C]
		push	[esp+5Ch+var_44]
		push	ecx
		mov	ecx, esi
		call	CcChargeThreadForReadAhead
		xor	eax, eax
		lea	ebx, [eax+1]
		jmp	short loc_438C8E
; 

loc_438CF3:				; CODE XREF: CcScheduleReadAheadEx+2A6j
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		inc	eax
		mov	ecx, edi
		push	eax
		push	[esp+5Ch+var_44]
		push	[esp+60h+var_38]
		push	[esp+64h+var_40]
		push	[ebp+arg_4]
		call	_CcPerfLogScheduleReadAhead@28 ; CcPerfLogScheduleReadAhead(x,x,x,x,x,x,x)
		jmp	loc_438BB6
; 

loc_438D15:				; CODE XREF: CcScheduleReadAheadEx+189j
		cmp	eax, 3
		jnz	loc_438A50
		mov	edx, [ebp+arg_4]
		mov	ecx, [edx]
		mov	edx, [edx+4]
		shld	edx, ecx, 1
		add	ecx, ecx
		sub	ecx, [esi+20h]
		sbb	edx, [esi+24h]
		js	loc_438A50
		mov	eax, ecx
		mov	[esi+3Ch], edx
		and	eax, 0FFFh
		and	ecx, 0FFFFF000h
		add	[esp+58h+var_40], eax
		mov	eax, [esp+58h+var_40]
		add	eax, 0FFFh
		mov	[esi+38h], ecx
		and	eax, 0FFFFF000h
		jmp	loc_438B3C
; 

loc_438D62:				; CODE XREF: CcScheduleReadAheadEx+32Aj
		lea	ecx, [esp+58h+var_C]
		call	KxWaitForLockChainValid
		mov	edi, [esp+58h+var_34]

loc_438D6F:				; CODE XREF: CcScheduleReadAheadEx+310j
		xor	ecx, ecx
		mov	[esp+58h+var_C], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_438C3E
CcScheduleReadAheadEx endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcDetermineReadPattern(x, x)
_CcDetermineReadPattern@8 proc near	; CODE XREF: CcScheduleReadAheadEx+12Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	eax, [edi+8]
		mov	eax, [eax+2Ch]
		test	al, 20h
		jnz	short loc_438DEE
		test	eax, 100000h
		jnz	short loc_438DD4
		lea	edx, [edi+28h]
		mov	ecx, ebx
		call	_CcAreOffsetsRoughlyEqual@8 ; CcAreOffsetsRoughlyEqual(x,x)
		test	al, al
		jnz	short loc_438DDA

loc_438DAD:				; CODE XREF: CcDetermineReadPattern(x,x)+65j
		mov	eax, [edi+20h]
		mov	ecx, [edi+24h]
		mov	edx, ecx
		push	esi
		mov	esi, eax
		sub	esi, [edi+10h]
		sbb	edx, [edi+14h]
		mov	[ebp+var_4], edx
		mov	edx, [ebx]
		sub	edx, eax
		mov	eax, [ebx+4]
		sbb	eax, ecx
		cmp	edx, esi
		pop	esi
		jnz	short loc_438DD4
		cmp	eax, [ebp+var_4]
		jz	short loc_438DF3

loc_438DD4:				; CODE XREF: CcDetermineReadPattern(x,x)+1Bj
					; CcDetermineReadPattern(x,x)+4Bj
		xor	eax, eax

loc_438DD6:				; CODE XREF: CcDetermineReadPattern(x,x)+6Aj
					; CcDetermineReadPattern(x,x)+6Fj
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_438DDA:				; CODE XREF: CcDetermineReadPattern(x,x)+29j
		lea	edx, [edi+20h]
		lea	ecx, [edi+18h]
		call	_CcAreOffsetsRoughlyEqual@8 ; CcAreOffsetsRoughlyEqual(x,x)
		test	al, al
		jz	short loc_438DAD
		push	2

loc_438DEB:				; CODE XREF: CcDetermineReadPattern(x,x)+73j
		pop	eax
		jmp	short loc_438DD6
; 

loc_438DEE:				; CODE XREF: CcDetermineReadPattern(x,x)+14j
		xor	eax, eax
		inc	eax
		jmp	short loc_438DD6
; 

loc_438DF3:				; CODE XREF: CcDetermineReadPattern(x,x)+50j
		push	3
		jmp	short loc_438DEB
_CcDetermineReadPattern@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CcAreOffsetsRoughlyEqual(x,	x)
_CcAreOffsetsRoughlyEqual@8 proc near	; CODE XREF: CcDetermineReadPattern(x,x)+22p
					; CcDetermineReadPattern(x,x)+5Ep
		mov	eax, [ecx+4]
		push	esi
		cmp	eax, [edx+4]
		jnz	short loc_438E18
		mov	esi, [ecx]
		mov	eax, esi
		mov	ecx, [edx]
		sub	eax, ecx
		mov	edx, 200h
		cmp	eax, edx
		jbe	short loc_438E1C
		sub	ecx, esi
		cmp	ecx, edx
		jbe	short loc_438E1C

loc_438E18:				; CODE XREF: CcAreOffsetsRoughlyEqual(x,x)+7j
		xor	al, al
		pop	esi
		retn
; 

loc_438E1C:				; CODE XREF: CcAreOffsetsRoughlyEqual(x,x)+18j
					; CcAreOffsetsRoughlyEqual(x,x)+1Ej
		mov	al, 1
		pop	esi
		retn
_CcAreOffsetsRoughlyEqual@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcChargeThreadForReadAhead proc	near	; CODE XREF: CcScheduleReadAheadEx+2C5p
					; CcScheduleReadAheadEx+3DDp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005AA735 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+14h]
		sub	esp, 10h
		mov	edx, [ecx+18h]
		mov	eax, [eax+4]
		push	ebx
		xor	ebx, ebx
		cmp	[eax+4], ebx
		jbe	loc_5AA740
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jle	loc_438ED1
		push	esi
		push	edi
		cmp	eax, 2
		jg	loc_438F16
		mov	edi, [edx+34h]
		mov	eax, ebx
		mov	ecx, [edx+38h]
		mov	ebx, [edx+3Ch]
		add	ecx, edi
		mov	[ebp+var_C], eax
		adc	ebx, eax
		mov	[ebp+var_8], edi
		lea	eax, [edx+48h]
		mov	[ebp+var_4], ecx
		mov	edx, [eax]
		mov	esi, [eax+4]
		mov	[ebp+arg_4], eax
		mov	eax, edx
		or	eax, esi
		jnz	short loc_438ED6
		mov	edi, ecx
		mov	ecx, ebx

loc_438E80:				; CODE XREF: CcChargeThreadForReadAhead+7Cj
					; CcChargeThreadForReadAhead+81j
		mov	eax, [ebp+arg_4]
		mov	esi, [eax]
		mov	edx, [eax+4]
		mov	eax, esi
		mov	[ebp+var_10], edx
		nop
		mov	ebx, edi
		mov	edi, [ebp+arg_4]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_438E80
		cmp	edx, [ebp+var_10]
		jnz	short loc_438E80

loc_438EA3:				; CODE XREF: CcChargeThreadForReadAhead+F2j
		mov	ecx, [ebp+var_C]
		xor	ebx, ebx
		mov	edi, [ebp+var_8]

loc_438EAB:				; CODE XREF: CcChargeThreadForReadAhead+100j
		mov	eax, edi
		or	eax, ecx
		jz	short loc_438ECF
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_5AA735

loc_438EBC:				; CODE XREF: CcChargeThreadForReadAhead+17191Bj
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	ebx
		push	ecx
		push	edi
		push	dword ptr [eax+150h]
		call	_PsUpdateDiskCounters@32 ; PsUpdateDiskCounters(x,x,x,x,x,x,x,x)

loc_438ECF:				; CODE XREF: CcChargeThreadForReadAhead+8Fj
					; CcChargeThreadForReadAhead+B8j ...
		pop	edi
		pop	esi

loc_438ED1:				; CODE XREF: CcChargeThreadForReadAhead+22j
		pop	ebx
		leave
		retn	0Ch
; 

loc_438ED6:				; CODE XREF: CcChargeThreadForReadAhead+5Aj
		cmp	ebx, esi
		jb	short loc_438ECF
		ja	short loc_438EE0
		cmp	ecx, edx
		jbe	short loc_438ECF

loc_438EE0:				; CODE XREF: CcChargeThreadForReadAhead+BAj
		mov	edi, [ebp+var_4]
		sub	ecx, edx
		mov	eax, ebx
		mov	[ebp+var_8], ecx
		sbb	eax, esi
		mov	ecx, ebx
		mov	[ebp+var_C], eax

loc_438EF1:				; CODE XREF: CcChargeThreadForReadAhead+EDj
					; CcChargeThreadForReadAhead+F4j
		mov	eax, [ebp+arg_4]
		mov	esi, [eax]
		mov	edx, [eax+4]
		mov	eax, esi
		mov	[ebp+var_10], edx
		nop
		mov	ebx, edi
		mov	edi, [ebp+arg_4]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_438EF1
		cmp	edx, [ebp+var_10]
		jz	short loc_438EA3
		jmp	short loc_438EF1
; 

loc_438F16:				; CODE XREF: CcChargeThreadForReadAhead+2Dj
		cmp	eax, 3
		jnz	short loc_438ECF
		mov	edi, [edx+34h]
		mov	ecx, ebx
		jmp	short loc_438EAB
CcChargeThreadForReadAhead endp

; 
		align 10h
; Exported entry 232. CcSetDirtyPinnedData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcSetDirtyPinnedData
CcSetDirtyPinnedData proc near		; CODE XREF: CcZeroDataInCache+E1p
					; CcReleaseByteRangeFromWrite+E054Cp ...

var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AA777 SIZE 000000C0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		xor	eax, eax
		mov	ecx, 2FDh
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[esp+40h+var_C], eax
		mov	[esp+40h+var_8], eax
		lea	edx, [ecx-3]
		mov	[esp+40h+var_4], eax
		movzx	eax, word ptr [edi]
		cmp	ax, cx
		jnz	loc_439467

loc_438F63:				; CODE XREF: CcSetDirtyPinnedData+53Aj
		mov	[esp+40h+var_14], edi
		lea	esi, [esp+40h+var_14]
		mov	[esp+40h+var_30], esi
		mov	esi, edi
		mov	[esp+40h+var_10], 0
		cmp	ax, dx
		jz	loc_439475

loc_438F82:				; CODE XREF: CcSetDirtyPinnedData+54Ej
		mov	esi, [esi+70h]
		cmp	dword ptr [esi+6Ch], 0
		mov	eax, [esi+174h]
		mov	[esp+40h+var_2C], eax
		jz	short loc_439011
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	ebx, offset dword_6CF3C0
		mov	[esp+40h+var_31], al
		jnz	loc_5AA769
		mov	[esp+40h+var_28], 0
		lock bts dword ptr [ebx], 1Fh
		jb	loc_43938D

loc_438FC6:				; CODE XREF: CcSetDirtyPinnedData+46Aj
		mov	edx, dword_6CF3C0
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5AA777

loc_438FDE:				; CODE XREF: CcChargeThreadForReadAhead+171952j
					; CcSetDirtyPinnedData+17187Dj
		test	ds:byte_70EFC6,	1
		jnz	loc_5AA7B2
		mov	dword_6CF3C0, 0

loc_438FF5:				; CODE XREF: CcSetDirtyPinnedData+17188Cj
		mov	cl, [esp+40h+var_31]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, dword_6D4EA4
		mov	eax, [eax+4]
		cmp	[esp+40h+var_2C], eax
		jnz	loc_5AA7C1

loc_439011:				; CODE XREF: CcSetDirtyPinnedData+63j
		mov	ecx, [esi+60h]
		test	ecx, 1000000h
		jz	short loc_439033
		mov	edx, [esi+98h]
		add	edx, 58h
		mov	eax, [edx]
		and	eax, [edx+4]
		cmp	eax, 0FFFFFFFFh
		jz	loc_439459

loc_439033:				; CODE XREF: CcSetDirtyPinnedData+EAj
					; CcSetDirtyPinnedData+532j
		test	ecx, 200h
		jz	loc_4393DC
		mov	ecx, [esp+40h+var_30]
		mov	eax, [ecx]
		test	eax, eax
		jz	loc_439274
		lea	ecx, [ecx+0]

loc_439050:				; CODE XREF: CcSetDirtyPinnedData+33Ej
		add	ecx, 4
		mov	[esp+40h+var_14], eax
		mov	[esp+40h+var_30], ecx
		test	al, 1
		jnz	loc_5AA817
		mov	edi, [eax+70h]
		mov	[esp+40h+var_20], edi
		add	edi, 0B4h
		mov	edx, edi
		mov	[esp+40h+var_18], 0
		and	edx, 7FFFFFFCh
		jz	loc_5AA7D6
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jnz	loc_43927D
		mov	bl, [esi+1E4h]
		mov	[esp+40h+var_1C], 0
		test	bl, bl
		jz	loc_4393F5

loc_4390BF:				; CODE XREF: CcSetDirtyPinnedData+524j
		movzx	eax, bl
		bsf	ecx, eax
		mov	al, 1
		shl	al, cl
		not	al
		mov	[esp+40h+var_1C], ecx
		and	al, bl
		lea	ebx, [ecx+ecx*2]
		mov	[esi+1E4h], al
		shl	ebx, 4
		add	ebx, [esi+1E8h]
		jz	loc_439416
		cmp	edi, dword_6D07D0
		jb	short loc_43910C
		mov	eax, edi
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	loc_5AA7EB
		cmp	al, 0Bh
		jz	loc_5AA7EB

loc_43910C:				; CODE XREF: CcSetDirtyPinnedData+1BFj
		or	eax, 0FFFFFFFFh

loc_43910F:				; CODE XREF: CcSetDirtyPinnedData+1718C6j
		mov	[ebx+14h], eax
		nop
		mov	[ebx+10h], edx

loc_439116:				; CODE XREF: CcSetDirtyPinnedData+4EEj
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [esp+40h+var_18]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_439150
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	loc_43939F

loc_439150:				; CODE XREF: CcSetDirtyPinnedData+212j
					; CcSetDirtyPinnedData+474j ...
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, al
		mov	[esp+40h+var_31], cl
		lock btr dword ptr [edi], 0
		jnb	loc_4393A9

loc_439169:				; CODE XREF: CcSetDirtyPinnedData+486j
		test	ebx, ebx
		jz	short loc_439171
		or	byte ptr [ebx+0Eh], 1

loc_439171:				; CODE XREF: CcSetDirtyPinnedData+23Bj
		mov	eax, large fs:124h
		mov	esi, [esp+40h+var_14]
		mov	[edi+4], eax
		movzx	eax, cl
		mov	[edi+1Ch], eax
		cmp	byte ptr [esi+2], 0
		jz	loc_439295
		mov	ebx, [esp+40h+var_20]

loc_439192:				; CODE XREF: CcSetDirtyPinnedData+405j
					; CcSetDirtyPinnedData+435j
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	loc_439220
		mov	eax, [esi+20h]
		mov	ecx, [esi+24h]
		mov	[esp+40h+var_20], eax
		or	eax, ecx
		mov	[esp+40h+var_18], ecx
		mov	ecx, [edx]
		mov	edx, [edx+4]
		jz	loc_4393BB
		cmp	edx, [esp+40h+var_18]
		jg	short loc_4391CE
		jl	loc_4393BB
		cmp	ecx, [esp+40h+var_20]
		jb	loc_4393BB

loc_4391CE:				; CODE XREF: CcSetDirtyPinnedData+28Cj
					; CcSetDirtyPinnedData+499j
		mov	eax, [esi+28h]
		mov	[esp+40h+var_24], eax
		mov	eax, [esi+2Ch]
		mov	[esp+40h+var_20], eax
		mov	eax, [esp+40h+var_24]
		or	eax, [esp+40h+var_20]
		jz	short loc_4391F4
		cmp	edx, [esp+40h+var_20]
		jl	short loc_439202
		jg	short loc_4391F4
		cmp	ecx, [esp+40h+var_24]
		jbe	short loc_439202

loc_4391F4:				; CODE XREF: CcSetDirtyPinnedData+2B4j
					; CcSetDirtyPinnedData+2BCj
		mov	eax, [ebp+arg_4]
		mov	[esi+28h], ecx
		mov	[esi+2Ch], edx
		mov	ecx, [eax]
		mov	edx, [eax+4]

loc_439202:				; CODE XREF: CcSetDirtyPinnedData+2BAj
					; CcSetDirtyPinnedData+2C2j
		cmp	edx, [ebx+0A4h]
		jl	short loc_439220
		jg	short loc_439214
		cmp	ecx, [ebx+0A0h]
		jbe	short loc_439220

loc_439214:				; CODE XREF: CcSetDirtyPinnedData+2DAj
		mov	[ebx+0A0h], ecx
		mov	[ebx+0A4h], edx

loc_439220:				; CODE XREF: CcSetDirtyPinnedData+267j
					; CcSetDirtyPinnedData+2D8j ...
		mov	ecx, [esi+1Ch]
		mov	eax, [esi+18h]
		cmp	ecx, [ebx+2Ch]
		jl	short loc_43923A
		jg	loc_5AA80C
		cmp	eax, [ebx+28h]
		ja	loc_5AA80C

loc_43923A:				; CODE XREF: CcSetDirtyPinnedData+2F9j
					; CcSetDirtyPinnedData+1718E2j
		mov	bl, [edi+1Ch]
		mov	ecx, 1
		mov	dword ptr [edi+4], 0
		xor	eax, eax
		lock cmpxchg [edi], ecx
		test	eax, eax
		jnz	loc_4393CE

loc_439257:				; CODE XREF: CcSetDirtyPinnedData+4A7j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [esp+40h+var_30]
		mov	eax, [ecx]
		test	eax, eax
		jnz	loc_439050

loc_439274:				; CODE XREF: CcSetDirtyPinnedData+117j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_43927D:				; CODE XREF: CcSetDirtyPinnedData+173j
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	edi
		push	esi
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_439295:				; CODE XREF: CcSetDirtyPinnedData+258j
		mov	eax, [esi+4]
		mov	ecx, [ebp+arg_4]
		shr	eax, 0Ch
		mov	[esp+54h+var_38], eax
		mov	byte ptr [esi+2], 1
		test	ecx, ecx
		jz	short loc_4392C0
		mov	eax, [ecx]
		mov	[esi+20h], eax
		mov	eax, [ecx+4]
		mov	[esi+24h], eax
		mov	eax, [ecx]
		mov	[esi+28h], eax
		mov	eax, [ecx+4]
		mov	[esi+2Ch], eax

loc_4392C0:				; CODE XREF: CcSetDirtyPinnedData+378j
		mov	ecx, [esp+54h+var_40]
		lea	edx, [esp+54h+var_20]
		lea	ecx, [ecx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ebx, [esp+20h]
		cmp	dword ptr [ebx+4Ch], 0
		jz	loc_43936A

loc_4392DE:				; CODE XREF: CcSetDirtyPinnedData+43Ej
					; CcSetDirtyPinnedData+458j
		push	[esp+54h+var_38]
		xor	edx, edx
		mov	ecx, ebx
		push	0
		call	CcChargeDirtyPages
		test	ds:byte_70EFC6,	1
		jnz	loc_5AA7FB
		mov	eax, [esp+54h+var_20]
		test	eax, eax
		jnz	loc_439430
		mov	edx, [esp+54h+var_1C]
		lea	eax, [esp+54h+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+54h+var_20]
		cmp	eax, ecx
		jnz	loc_439423

loc_439320:				; CODE XREF: CcSetDirtyPinnedData+1718D7j
		mov	esi, [esp+54h+var_28]

loc_439324:				; CODE XREF: CcSetDirtyPinnedData+513j
		mov	cl, byte ptr [esp+54h+var_18]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	dword ptr [ebx+60h], 10000000h
		jz	loc_439192
		mov	eax, [esp+54h+var_38]
		push	0
		push	1
		push	0
		push	0
		shl	eax, 0Ch
		push	eax
		mov	eax, large fs:124h
		push	0
		push	0
		mov	eax, [eax+150h]
		push	eax
		call	_PsUpdateDiskCounters@32 ; PsUpdateDiskCounters(x,x,x,x,x,x,x,x)
		mov	esi, [esp+54h+var_28]
		jmp	loc_439192
; 

loc_43936A:				; CODE XREF: CcSetDirtyPinnedData+3A8j
		test	byte ptr [ebx+60h], 2
		jnz	loc_4392DE
		mov	ecx, [esp+54h+var_40]
		xor	dl, dl
		push	0
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		mov	ecx, ebx
		call	_CcInsertIntoDirtySharedCacheMapList@4 ; CcInsertIntoDirtySharedCacheMapList(x)
		jmp	loc_4392DE
; 

loc_43938D:				; CODE XREF: CcSetDirtyPinnedData+90j
		mov	dl, al
		mov	ecx, ebx
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[esp+40h+var_28], eax
		jmp	loc_438FC6
; 

loc_43939F:				; CODE XREF: CcSetDirtyPinnedData+21Aj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_439150
; 

loc_4393A9:				; CODE XREF: CcSetDirtyPinnedData+233j
		mov	edx, ebx
		mov	ecx, edi
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		mov	cl, [esp+40h+var_31]
		jmp	loc_439169
; 

loc_4393BB:				; CODE XREF: CcSetDirtyPinnedData+282j
					; CcSetDirtyPinnedData+28Ej ...
		mov	[esi+20h], ecx
		mov	[esi+24h], edx
		mov	edx, [ebp+arg_4]
		mov	ecx, [edx]
		mov	edx, [edx+4]
		jmp	loc_4391CE
; 

loc_4393CE:				; CODE XREF: CcSetDirtyPinnedData+321j
		mov	edx, eax
		mov	ecx, edi
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	loc_439257
; 

loc_4393DC:				; CODE XREF: CcSetDirtyPinnedData+109j
		mov	eax, [edi+4]
		lea	edx, [edi+8]
		push	0
		push	eax
		mov	ecx, esi
		call	CcSetDirtyInMask
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4393F5:				; CODE XREF: CcSetDirtyPinnedData+189j
		cmp	byte ptr [esi+222h], 0
		lea	ecx, [esi+222h]
		jnz	short loc_439448
		xor	ebx, ebx
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5AA7DD

loc_439416:				; CODE XREF: CcSetDirtyPinnedData+1B3j
					; CcSetDirtyPinnedData+1718B6j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_439116
; 

loc_439423:				; CODE XREF: CcSetDirtyPinnedData+3EAj
		lea	ecx, [esp+54h+var_20]
		call	KxWaitForLockChainValid
		mov	esi, [esp+54h+var_28]

loc_439430:				; CODE XREF: CcSetDirtyPinnedData+3D0j
		mov	[esp+54h+var_20], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_439324
; 

loc_439448:				; CODE XREF: CcSetDirtyPinnedData+4D2j
		xor	al, al
		xchg	al, [ecx]
		mov	bl, [esi+1E4h]
		or	bl, al
		jmp	loc_4390BF
; 

loc_439459:				; CODE XREF: CcSetDirtyPinnedData+FDj
		push	edx
		call	KeQueryTickCount
		mov	ecx, [esi+60h]
		jmp	loc_439033
; 

loc_439467:				; CODE XREF: CcSetDirtyPinnedData+2Dj
		cmp	ax, dx
		jz	loc_438F63
		jmp	loc_5AA754
; 

loc_439475:				; CODE XREF: CcSetDirtyPinnedData+4Cj
		lea	esi, [edi+10h]
		mov	[esp+40h+var_30], esi
		mov	esi, [esi]
		jmp	loc_438F82
CcSetDirtyPinnedData endp

; 
		align 10h
; Exported entry 1927. PsUpdateDiskCounters

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsUpdateDiskCounters(x, x, x, x, x,	x, x, x)
		public _PsUpdateDiskCounters@32
_PsUpdateDiskCounters@32 proc near	; CODE XREF: CcChargeThreadForReadAhead+AAp
					; CcSetDirtyPinnedData+42Cp ...

var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	esi, [esi+3D0h]
		mov	[ebp+arg_0], esi
		test	esi, esi
		jz	loc_439541
		mov	ecx, [ebp+arg_4]
		mov	eax, ecx
		mov	edx, [ebp+arg_8]
		or	eax, edx
		push	ebx
		push	edi
		jz	short loc_4394EB
		lea	esp, [esp+0]

loc_4394C0:				; CODE XREF: PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+54j
					; PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+59j
		mov	edi, [esi]
		mov	ebx, edi
		mov	eax, [esi+4]
		add	ebx, ecx
		mov	ecx, eax
		mov	[ebp+var_4], eax
		adc	ecx, edx
		mov	eax, edi
		mov	edx, [ebp+var_4]
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+arg_4]
		mov	ebx, edx
		mov	edx, [ebp+arg_8]
		cmp	eax, edi
		jnz	short loc_4394C0
		cmp	ebx, [ebp+var_4]
		jnz	short loc_4394C0

loc_4394EB:				; CODE XREF: PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+27j
		mov	ecx, [ebp+arg_C]
		mov	eax, ecx
		mov	edx, [ebp+arg_10]
		or	eax, edx
		jnz	short loc_439548

loc_4394F7:				; CODE XREF: PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+EEj
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	short loc_43952D
		lea	ecx, [esi+10h]
		mov	[ebp+arg_8], ecx
		mov	esi, ecx

loc_439506:				; CODE XREF: PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+93j
					; PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+98j
		mov	edi, [esi]
		mov	ebx, edi
		mov	edx, [esi+4]
		add	ebx, eax
		mov	ecx, edx
		mov	[ebp+arg_8], edx
		adc	ecx, 0
		mov	eax, edi
		nop
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		mov	eax, [ebp+arg_14]
		jnz	short loc_439506
		cmp	edx, [ebp+arg_8]
		jnz	short loc_439506
		mov	esi, [ebp+arg_0]

loc_43952D:				; CODE XREF: PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+6Cj
		mov	eax, [ebp+arg_18]
		test	eax, eax
		jnz	short loc_439583

loc_439534:				; CODE XREF: PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+127j
		mov	edi, [ebp+arg_1C]
		test	edi, edi
		jnz	loc_4395BC

loc_43953F:				; CODE XREF: PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+15Aj
		pop	edi
		pop	ebx

loc_439541:				; CODE XREF: PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+15j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_439548:				; CODE XREF: PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+65j
		lea	eax, [esi+8]
		mov	esi, eax
		lea	ecx, [ecx+0]

loc_439550:				; CODE XREF: PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+E4j
					; PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+E9j
		mov	edi, [esi]
		mov	ebx, edi
		mov	eax, [esi+4]
		add	ebx, ecx
		mov	ecx, eax
		mov	[ebp+arg_8], eax
		adc	ecx, edx
		mov	eax, edi
		mov	edx, [ebp+arg_8]
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+arg_C]
		mov	ebx, edx
		mov	edx, [ebp+arg_10]
		cmp	eax, edi
		jnz	short loc_439550
		cmp	ebx, [ebp+arg_8]
		jnz	short loc_439550
		mov	esi, [ebp+arg_0]
		jmp	loc_4394F7
; 

loc_439583:				; CODE XREF: PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+A2j
		lea	ecx, [esi+18h]
		mov	[ebp+arg_14], ecx
		mov	esi, ecx
		jmp	short loc_439590
; 
		align 10h

loc_439590:				; CODE XREF: PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+FBj
					; PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+11Dj ...
		mov	edi, [esi]
		mov	ebx, edi
		mov	edx, [esi+4]
		add	ebx, eax
		mov	ecx, edx
		mov	[ebp+arg_14], edx
		adc	ecx, 0
		mov	eax, edi
		nop
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		mov	eax, [ebp+arg_18]
		jnz	short loc_439590
		cmp	edx, [ebp+arg_14]
		jnz	short loc_439590
		mov	esi, [ebp+arg_0]
		jmp	loc_439534
; 

loc_4395BC:				; CODE XREF: PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+A9j
		lea	eax, [esi+20h]
		mov	[ebp+arg_14], eax

loc_4395C2:				; CODE XREF: PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+155j
					; PsUpdateDiskCounters(x,x,x,x,x,x,x,x)+160j
		mov	esi, [eax]
		mov	ebx, esi
		mov	edx, [eax+4]
		add	ebx, edi
		mov	ecx, edx
		mov	[ebp+arg_18], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		mov	edi, [ebp+arg_14]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+arg_1C]
		cmp	eax, esi
		mov	eax, [ebp+arg_14]
		jnz	short loc_4395C2
		cmp	edx, [ebp+arg_18]
		jz	loc_43953F
		jmp	short loc_4395C2
_PsUpdateDiskCounters@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcPostWorkQueueRegular proc near	; CODE XREF: CcScheduleReadAheadEx+377p
					; CcLazyWriteScan:loc_4910E3p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AA837 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], edx
		lea	edi, [ebp+var_14]
		mov	ebx, ecx
		stosd
		xor	edx, edx
		xor	ecx, ecx
		inc	edx
		test	ds:dword_70EFD0, 20000h
		mov	esi, [ebx+4Ch]
		stosd
		mov	[ebp+var_8], ecx
		stosd
		jnz	loc_439764
		mov	edi, [ebp+var_4]

loc_439628:				; CODE XREF: CcPostWorkQueueRegular+187j
		lea	ecx, [esi+80h]
		lea	edx, [ebp+var_14]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	byte ptr [ebx+48h], 3
		jz	loc_43970E

loc_439640:				; CODE XREF: CcPostWorkQueueRegular+124j
					; CcPostWorkQueueRegular+14Cj ...
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	loc_4397A2
		mov	[ebx], edi
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	[edi+4], ebx
		cmp	byte ptr [esi+0DCh], 0
		jnz	short loc_43967F
		lea	ecx, [esi+8Ch]
		mov	edx, [ecx]
		cmp	edx, ecx
		jz	short loc_43967F
		cmp	byte ptr [ebx+48h], 2
		jnz	short loc_4396C3
		mov	eax, [esi+0ECh]
		inc	eax
		cmp	eax, [esi+284h]
		jbe	short loc_4396C3

loc_43967F:				; CODE XREF: CcPostWorkQueueRegular+6Aj
					; CcPostWorkQueueRegular+76j
		mov	ebx, [ebp+var_8]

loc_439682:				; CODE XREF: CcPostWorkQueueRegular+102j
					; CcSetDirtyPinnedData+171902j
		test	ds:byte_70EFC6,	1
		jnz	loc_5AA837
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_43978D
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jnz	loc_439785

loc_4396B1:				; CODE XREF: CcPostWorkQueueRegular+1ABj
					; CcPostWorkQueueRegular+171250j
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jnz	short loc_4396FB

loc_4396BE:				; CODE XREF: CcPostWorkQueueRegular+11Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4396C3:				; CODE XREF: CcPostWorkQueueRegular+7Cj
					; CcPostWorkQueueRegular+8Bj
		mov	ebx, edx
		mov	eax, [ebx]
		cmp	[ebx+4], ecx
		jnz	loc_4397A2
		cmp	[eax+4], ebx
		jnz	loc_4397A2
		mov	[ecx], eax
		mov	[eax+4], ecx
		xor	ecx, ecx
		inc	dword ptr [esi+88h]
		inc	ecx
		mov	eax, ecx
		lock xadd [esi+28Ch], eax
		inc	eax
		cmp	eax, ecx
		jg	short loc_439682
		jmp	loc_5AA82D
; 

loc_4396FB:				; CODE XREF: CcPostWorkQueueRegular+CAj
		and	dword ptr [ebx], 0
		xor	edx, edx
		push	dword ptr [esi+4]
		mov	ecx, ebx
		push	0FFFFFFFFh
		call	ExQueueWorkItemToPartition
		jmp	short loc_4396BE
; 

loc_43970E:				; CODE XREF: CcPostWorkQueueRegular+48j
		lea	eax, [esi+0A4h]
		cmp	[eax], eax
		jz	loc_439640
		mov	eax, [esi+1A8h]
		mov	ecx, [esi+198h]
		shr	eax, 2
		cmp	ecx, eax
		jnb	short loc_439744
		mov	eax, [esi+4]
		mov	eax, [eax]
		mov	eax, [eax+0FC0h]
		shr	eax, 1
		cmp	ecx, eax
		jbe	loc_439640

loc_439744:				; CODE XREF: CcPostWorkQueueRegular+13Bj
		mov	eax, [esi+284h]
		cmp	eax, [esi+84h]
		jb	loc_439640
		xor	eax, eax
		inc	eax
		mov	[esi+200h], al
		jmp	loc_439640
; 

loc_439764:				; CODE XREF: CcPostWorkQueueRegular+2Dj
		mov	al, [ebx+48h]
		cmp	al, 2
		jnz	short loc_43977E

loc_43976B:				; CODE XREF: CcPostWorkQueueRegular+18Ej
		push	edx

loc_43976C:				; CODE XREF: CcPostWorkQueueRegular+191j
		mov	edi, [ebp+var_4]
		mov	edx, ebx
		push	ecx
		mov	ecx, edi
		call	CcPerfLogWorkItemEnqueue
		jmp	loc_439628
; 

loc_43977E:				; CODE XREF: CcPostWorkQueueRegular+177j
		cmp	al, 4
		jz	short loc_43976B
		push	ecx
		jmp	short loc_43976C
; 

loc_439785:				; CODE XREF: CcPostWorkQueueRegular+B9j
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid

loc_43978D:				; CODE XREF: CcPostWorkQueueRegular+A2j
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4396B1
; 

loc_4397A2:				; CODE XREF: CcPostWorkQueueRegular+53j
					; CcPostWorkQueueRegular+D8j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
CcPostWorkQueueRegular endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSetDiskIoAttributionFromProcess proc	near
					; CODE XREF: IoSetDiskIoAttributionFromThread+79p
					; IoSetIoAttributionIrp(x,x,x)+2Ep

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AA847 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		mov	eax, edx
		push	esi
		mov	esi, ecx
		mov	dl, 1
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, eax
		call	IopReferenceIoAttributionFromProcess
		test	eax, eax
		jns	loc_5AA847

loc_4397CC:				; CODE XREF: IopSetDiskIoAttributionFromProcess+1710B4j
					; IopSetDiskIoAttributionFromProcess+1710BCj
		pop	esi
		leave
		retn
IopSetDiskIoAttributionFromProcess endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckAndUpdateIoAttribution(x)
_MiCheckAndUpdateIoAttribution@4 proc near ; CODE XREF:	.text:00466182p
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+B89p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	esi, [ecx+8]
		mov	ebx, [ecx+0Ch]
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edx, dword_6D0704
		or	eax, edx
		jz	short loc_43980B
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_43980B
		not	edx
		and	ebx, edx

loc_43980B:				; CODE XREF: MiCheckAndUpdateIoAttribution(x)+2Bj
					; MiCheckAndUpdateIoAttribution(x)+35j
		mov	ebx, [ebx]
		mov	[ebp+var_8], ebx
		test	byte ptr [ebx+1Ch], 20h
		jnz	short loc_439824
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_IoReferenceIoAttributionFromThread@8 ;	IoReferenceIoAttributionFromThread(x,x)
		test	eax, eax
		jns	short loc_439829

loc_439824:				; CODE XREF: MiCheckAndUpdateIoAttribution(x)+44j
					; MiCheckAndUpdateIoAttribution(x)+6Dj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_439829:				; CODE XREF: MiCheckAndUpdateIoAttribution(x)+52j
		mov	eax, [ebx+48h]
		mov	edi, [ebp+var_4]
		shl	eax, 3
		cmp	edi, eax
		jnz	short loc_43983F

loc_439836:				; CODE XREF: MiCheckAndUpdateIoAttribution(x)+A7j
		mov	ecx, edi
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		jmp	short loc_439824
; 

loc_43983F:				; CODE XREF: MiCheckAndUpdateIoAttribution(x)+64j
		lea	esi, [ebx+24h]
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		shr	edi, 3
		mov	eax, [ebp+var_8]
		push	esi
		mov	edx, [eax+48h]
		mov	ecx, edx
		and	ecx, 0E0000000h
		or	ecx, edi
		mov	edi, edx
		mov	[eax+48h], ecx
		shl	edi, 3
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_439824
		jmp	short loc_439836
_MiCheckAndUpdateIoAttribution@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoReferenceIoAttributionFromThread(x, x)
_IoReferenceIoAttributionFromThread@8 proc near	; CODE XREF: CcScheduleReadAheadEx+356p
					; MiCheckAndUpdateIoAttribution(x)+4Bp	...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	ebx, edx
		lea	edx, [ebp+var_4]
		push	edi
		mov	edi, ecx
		call	_PsGetWorkOnBehalfThread@8 ; PsGetWorkOnBehalfThread(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_4398B6
		mov	ecx, [edi+150h]

loc_43989F:				; CODE XREF: IoReferenceIoAttributionFromThread(x,x)+42j
		push	ebx
		xor	dl, dl
		call	IopReferenceIoAttributionFromProcess
		cmp	[ebp+var_4], 0
		mov	edi, eax
		jnz	short loc_4398BE

loc_4398AF:				; CODE XREF: IoReferenceIoAttributionFromThread(x,x)+4Fj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4398B6:				; CODE XREF: IoReferenceIoAttributionFromThread(x,x)+1Dj
		mov	ecx, [esi+150h]
		jmp	short loc_43989F
; 

loc_4398BE:				; CODE XREF: IoReferenceIoAttributionFromThread(x,x)+33j
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	short loc_4398AF
_IoReferenceIoAttributionFromThread@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopReferenceIoAttributionFromProcess proc near
					; CODE XREF: IopSetDiskIoAttributionFromProcess+17p
					; IoReferenceIoAttributionFromThread(x,x)+28p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AA869 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		cmp	dword ptr [esi+430h], 0
		jnz	short loc_4398ED
		mov	esi, 0C0000225h

loc_4398E5:				; CODE XREF: IopReferenceIoAttributionFromProcess+73j
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4398ED:				; CODE XREF: IopReferenceIoAttributionFromProcess+12j
		push	edi
		mov	edi, offset _IopDiskIoAttributionLock
		push	edi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	esi, [esi+430h]
		mov	bh, al
		test	esi, esi
		jz	short loc_439920
		test	bl, bl
		jnz	loc_5AA869
		xor	eax, eax
		inc	eax
		lock xadd [esi+10h], eax
		inc	eax
		cmp	eax, 1
		jle	short loc_439941

loc_43991B:				; CODE XREF: IopReferenceIoAttributionFromProcess+7Aj
		mov	eax, [ebp+arg_0]
		mov	[eax], esi

loc_439920:				; CODE XREF: IopReferenceIoAttributionFromProcess+37j
					; IopReferenceIoAttributionFromProcess+170FA5j
		push	edi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		neg	esi
		pop	edi
		sbb	esi, esi
		and	esi, 3FFFFDDBh
		add	esi, 0C0000225h
		jmp	short loc_4398E5
; 

loc_439941:				; CODE XREF: IopReferenceIoAttributionFromProcess+4Dj
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_43991B
IopReferenceIoAttributionFromProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcPerfLogWorkItemEnqueue proc near	; CODE XREF: CcPostWorkQueueRegular+182p
					; .text:0043A309p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_7		= byte ptr -7
var_6		= byte ptr -6
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005AA876 SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	esi, edx
		mov	[ebp+var_34], esi
		mov	edx, [esi+4Ch]
		stosd
		stosd
		lea	eax, [edx+94h]
		cmp	ecx, eax
		jz	loc_5AA876
		lea	eax, [edx+0B4h]
		cmp	ecx, eax
		jz	loc_439A46
		lea	eax, [edx+9Ch]
		cmp	ecx, eax
		jz	loc_439A4D
		lea	eax, [edx+0A4h]
		cmp	ecx, eax
		jnz	loc_439A60
		mov	bl, 3

loc_4399A7:				; CODE XREF: CcPerfLogWorkItemEnqueue+100j
					; CcPerfLogWorkItemEnqueue+107j ...
		mov	al, [esi+48h]
		cmp	al, 2
		jnz	short loc_439A20
		cmp	[ebp+arg_4], 0
		mov	edi, [esi+8]
		mov	[ebp+var_7], al
		jz	loc_5AA87D
		mov	eax, [edi+44h]
		and	eax, 0FFFFFFF8h

loc_4399C4:				; CODE XREF: CcPerfLogWorkItemEnqueue+E2j
		mov	eax, [eax+0Ch]
		mov	[ebp+var_C], eax

loc_4399CA:				; CODE XREF: CcPerfLogWorkItemEnqueue+113j
					; CcPerfLogWorkItemEnqueue+135j ...
		mov	al, [ebp+arg_0]
		lea	edi, [ebp+var_10]
		mov	[ebp+var_10], esi
		xor	esi, esi
		mov	[ebp+var_8], bl
		mov	[ebp+var_6], al
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		xor	edx, edx
		inc	edx
		cmp	al, 2
		jb	short loc_439A2C
		mov	[ebp+var_30], edi
		lea	ecx, [ebp+var_30]
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], 0Ch
		mov	[ebp+var_24], esi
		push	400102h

loc_439A00:				; CODE XREF: CcPerfLogWorkItemEnqueue+FCj
		push	1600h
		push	80020000h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_439A20:				; CODE XREF: CcPerfLogWorkItemEnqueue+64j
		cmp	al, 1
		jnz	short loc_439A54
		mov	[ebp+var_7], al
		mov	eax, [esi+8]
		jmp	short loc_4399C4
; 

loc_439A2C:				; CODE XREF: CcPerfLogWorkItemEnqueue+9Ej
		mov	[ebp+var_20], edi
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], 0Ch
		mov	[ebp+var_14], esi
		push	(offset	off_401900+2)
		jmp	short loc_439A00
; 

loc_439A46:				; CODE XREF: CcPerfLogWorkItemEnqueue+3Bj
		mov	bl, 7
		jmp	loc_4399A7
; 

loc_439A4D:				; CODE XREF: CcPerfLogWorkItemEnqueue+49j
		mov	bl, 2
		jmp	loc_4399A7
; 

loc_439A54:				; CODE XREF: CcPerfLogWorkItemEnqueue+DAj
		cmp	al, 3
		jnz	short loc_439A7B
		mov	[ebp+var_7], al
		jmp	loc_4399CA
; 

loc_439A60:				; CODE XREF: CcPerfLogWorkItemEnqueue+57j
		lea	eax, [edx+0ACh]
		cmp	ecx, eax
		jz	short loc_439AA5
		mov	edx, [edx+250h]
		cmp	ecx, edx
		jnz	short loc_439A88

loc_439A74:				; CODE XREF: CcPerfLogWorkItemEnqueue+145j
					; CcPerfLogWorkItemEnqueue+14Cj
		mov	bl, 5
		jmp	loc_4399A7
; 

loc_439A7B:				; CODE XREF: CcPerfLogWorkItemEnqueue+10Ej
		cmp	al, 4
		jnz	loc_4399CA
		jmp	loc_5AA8D6
; 

loc_439A88:				; CODE XREF: CcPerfLogWorkItemEnqueue+12Aj
		lea	eax, [edx+8]
		cmp	ecx, eax
		jz	short loc_439A74
		lea	eax, [edx+10h]
		cmp	ecx, eax
		jz	short loc_439A74
		test	ecx, ecx
		setnz	bl
		dec	bl
		and	bl, 6
		jmp	loc_4399A7
; 

loc_439AA5:				; CODE XREF: CcPerfLogWorkItemEnqueue+120j
		mov	bl, 4
		jmp	loc_4399A7
CcPerfLogWorkItemEnqueue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSetThreadSchedulingGroup proc	near	; CODE XREF: KeSetProcessSchedulingGroup(x,x)+61p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AA8DF SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		push	edi
		xor	eax, eax
		mov	edi, edx
		mov	[ebp+var_C], eax
		mov	esi, ecx
		mov	[ebp+var_4], eax
		test	edi, edi
		jnz	short loc_439ACF
		call	KiRemoveThreadFromSchedulingGroup

loc_439ACB:				; CODE XREF: KiSetThreadSchedulingGroup+82j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_439ACF:				; CODE XREF: KiSetThreadSchedulingGroup+18j
		push	ebx
		mov	[ebp+var_8], eax
		lea	ebx, [esi+2Ch]
		mov	[ebp+var_10], eax

loc_439AD9:				; CODE XREF: KiSetThreadSchedulingGroup+170E41j
		lock bts dword ptr [ebx], 0
		jb	loc_5AA8DF
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_C]
		call	KiAcquireThreadStateLock
		mov	bl, al
		mov	[esi+50h], edi
		lock bts dword ptr [esi], 12h
		push	[ebp+var_C]
		mov	dl, bl
		mov	ecx, esi
		call	_KeUpdateThreadSchedulingProperties@12 ; KeUpdateThreadSchedulingProperties(x,x,x)
		mov	edi, [ebp+var_4]
		cmp	bl, 1
		jz	short loc_439B3C

loc_439B10:				; CODE XREF: KiSetThreadSchedulingGroup+92j
					; KiSetThreadSchedulingGroup+9Bj
		mov	ebx, [ebp+var_8]

loc_439B13:				; CODE XREF: KiSetThreadSchedulingGroup+170E68j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_439B30

loc_439B1A:				; CODE XREF: KiSetThreadSchedulingGroup+8Ej
		test	edi, edi
		jnz	short loc_439B4E

loc_439B1E:				; CODE XREF: KiSetThreadSchedulingGroup+A7j
		mov	dword ptr [esi+2Ch], 0
		test	ebx, ebx
		jnz	loc_5AA919

loc_439B2D:				; CODE XREF: KiSetThreadSchedulingGroup+170E83j
		pop	ebx
		jmp	short loc_439ACB
; 

loc_439B30:				; CODE XREF: KiSetThreadSchedulingGroup+6Cj
		xor	ecx, ecx
		add	eax, 2224h
		lock and [eax],	ecx
		jmp	short loc_439B1A
; 

loc_439B3C:				; CODE XREF: KiSetThreadSchedulingGroup+62j
		test	edi, edi
		jz	short loc_439B10
		test	dword ptr [esi+5Ch], 2000h
		jnz	short loc_439B10
		jmp	loc_5AA8F2
; 

loc_439B4E:				; CODE XREF: KiSetThreadSchedulingGroup+70j
		xor	eax, eax
		lock and [edi],	eax
		jmp	short loc_439B1E
KiSetThreadSchedulingGroup endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcPerformReadAhead proc	near		; CODE XREF: CcWorkerThread+343p

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= byte ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 005AA934 SIZE 00000076 BYTES

		push	98h
		push	offset dword_6A08A8
		call	__SEH_prolog4
		mov	[ebp+var_40], edx
		mov	[ebp+var_48], ecx
		xor	ecx, ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_90], ecx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_84], ecx
		mov	[ebp+var_88], ecx
		mov	[ebp+var_78], ecx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_5C], ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		mov	[ebp+ms_exc.disabled], ecx
		mov	eax, large fs:124h
		mov	[ebp+var_A0], eax
		mov	[eax+328h], ecx
		mov	eax, [edx+14h]
		mov	ecx, [eax+4]
		mov	[ebp+var_50], ecx
		mov	edi, [ecx+88h]
		mov	[ebp+var_80], edi
		mov	esi, [ecx+8Ch]
		mov	[ebp+var_7C], esi
		call	CcGetPartition
		mov	[ebp+var_5C], eax
		push	1
		push	esi
		call	dword ptr [edi+8]
		movzx	eax, al
		mov	[ebp+var_78], eax
		xor	edi, edi
		test	eax, eax
		jz	loc_439CF5

loc_439C08:				; CODE XREF: CcPerformReadAhead+340j
		mov	[ebp+var_4C], edi
		mov	esi, [ebp+var_20]

loc_439C0E:				; CODE XREF: CcPerformReadAhead+1D3j
					; CcPerformReadAhead+1DEj ...
		mov	ecx, [ebp+var_5C]
		lea	ecx, [ecx+40h]
		lea	edx, [ebp+var_34]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp+var_40]
		mov	edx, [eax+18h]
		mov	[ebp+var_1C], edx
		mov	[ebp+var_44], edx
		test	edx, edx
		jz	short loc_439CA6
		lea	eax, [edx+50h]
		mov	[ebp+var_38], eax
		mov	ecx, eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [ebp+var_1C]
		mov	esi, [edx+34h]
		xor	eax, eax
		test	esi, esi
		setz	al
		mov	[ebp+var_54], eax
		mov	eax, [edx+38h]
		mov	[ebp+var_94], eax
		mov	ecx, [edx+3Ch]
		mov	[ebp+var_64], ecx
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], esi
		cmp	esi, (offset loc_7FFFFF+1)
		ja	loc_439EEB

loc_439C6D:				; CODE XREF: CcPerformReadAhead+39Dj
		mov	[edx+34h], edi
		cmp	[ebp+var_54], 0
		jz	loc_439E0F

loc_439C7A:				; CODE XREF: CcPerformReadAhead+2CCj
		test	dword ptr [edx], 200000h
		jnz	loc_5AA934

loc_439C86:				; CODE XREF: CcPerformReadAhead+170DEBj
		test	ds:byte_70EFC6,	1
		jnz	loc_5AA946
		xor	ecx, ecx
		lea	eax, [edx+50h]
		lock and [eax],	ecx

loc_439C9B:				; CODE XREF: CcPerformReadAhead+170E04j
		mov	eax, [edx]
		shr	eax, 12h
		and	eax, 7
		mov	[ebp+var_3C], eax

loc_439CA6:				; CODE XREF: CcPerformReadAhead+D4j
		test	ds:byte_70EFC6,	1
		jnz	loc_5AA95F
		mov	ecx, [ebp+var_34]
		test	ecx, ecx
		jnz	loc_439EDA
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_34]
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_34]
		cmp	eax, ecx
		jnz	loc_439EC7

loc_439CD3:				; CODE XREF: CcPerformReadAhead+170E14j
		mov	eax, [ebp+var_44]
		mov	[ebp+var_1C], eax
		mov	esi, [ebp+var_20]

loc_439CDC:				; CODE XREF: CcPerformReadAhead+390j
		mov	cl, [ebp+var_2C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_54], 0
		jz	short loc_439D11

loc_439CEB:				; CODE XREF: CcPerformReadAhead+1BFj
		cmp	[ebp+var_4C], 0
		jnz	loc_439E27

loc_439CF5:				; CODE XREF: CcPerformReadAhead+ACj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_439EF8
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_439D11:				; CODE XREF: CcPerformReadAhead+193j
		cmp	[ebp+var_1C], 0
		jz	short loc_439CEB
		mov	eax, [ebp+var_50]
		mov	ecx, [eax+8]
		mov	[ebp+var_64], ecx
		mov	eax, [eax+0Ch]
		mov	[ebp+var_38], eax
		cmp	[ebp+var_24], eax
		jg	loc_439C0E
		jl	short loc_439D3A
		cmp	[ebp+var_28], ecx
		jnb	loc_439C0E

loc_439D3A:				; CODE XREF: CcPerformReadAhead+1D9j
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_88], ecx
		mov	edx, esi
		xor	eax, eax
		add	edx, [ebp+var_28]
		adc	eax, [ebp+var_24]
		cmp	eax, [ebp+var_38]
		jl	short loc_439D6B
		jg	short loc_439D59
		cmp	edx, [ebp+var_64]
		jb	short loc_439D6B

loc_439D59:				; CODE XREF: CcPerformReadAhead+1FCj
		mov	esi, [ebp+var_50]
		mov	esi, [esi+8]
		sub	esi, [ebp+var_28]
		mov	[ebp+var_20], esi
		mov	[ebp+var_84], ecx

loc_439D6B:				; CODE XREF: CcPerformReadAhead+1FAj
					; CcPerformReadAhead+201j
		add	esi, 0FFFh
		and	esi, 0FFFFF000h
		mov	[ebp+var_20], esi
		mov	edx, esi
		mov	[ebp+var_58], edx
		mov	eax, [ebp+var_28]
		mov	[ebp+var_90], eax
		mov	eax, [ebp+var_24]
		mov	[ebp+var_8C], eax
		mov	[ebp+var_74], esi
		cmp	[ebp+var_68], 0
		jnz	loc_5AA96F
		mov	eax, esi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_70], eax

loc_439DA6:				; CODE XREF: CcPerformReadAhead+170E2Fj
		test	ds:dword_70EFD0, 20000h
		jnz	loc_439E9B

loc_439DB6:				; CODE XREF: CcPerformReadAhead+358j
		mov	eax, [ebp+var_1C]

loc_439DB9:				; CODE XREF: CcPerformReadAhead+2B7j
		test	edx, edx
		jz	loc_439C0E
		cmp	eax, edx
		ja	loc_5AA99D

loc_439DC9:				; CODE XREF: CcPerformReadAhead+170E4Fj
		test	ds:dword_70EFD0, 20000h
		jnz	loc_439EB3

loc_439DD9:				; CODE XREF: CcPerformReadAhead+36Cj
		push	[ebp+var_24]
		push	[ebp+var_28]
		lea	eax, [ebp+var_4C]
		push	eax
		mov	eax, [ebp+var_48]
		push	dword ptr [eax+0Ch]
		push	ecx
		push	[ebp+var_3C]
		mov	eax, [ebp+var_1C]
		push	eax
		mov	ecx, [ebp+var_40]
		call	_MmPrefetchForCacheManager@36 ;	MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)
		or	[ebp+var_60], eax
		mov	eax, [ebp+var_1C]
		mov	edx, [ebp+var_58]
		sub	edx, eax
		mov	[ebp+var_58], edx
		add	[ebp+var_28], eax
		adc	[ebp+var_24], edi
		jmp	short loc_439DB9
; 

loc_439E0F:				; CODE XREF: CcPerformReadAhead+11Ej
		mov	eax, esi
		xor	ecx, ecx
		add	eax, [ebp+var_94]
		adc	ecx, [ebp+var_64]
		mov	[edx+40h], eax
		mov	[edx+44h], ecx
		jmp	loc_439C7A
; 

loc_439E27:				; CODE XREF: CcPerformReadAhead+199j
		mov	esi, large fs:124h
		mov	[ebp+var_9C], esi
		mov	ecx, esi
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)
		mov	[ebp+var_38], eax
		mov	[ebp+var_98], edi
		mov	ecx, [ebp+var_4C]
		call	_MmWaitForCacheManagerPrefetch@4 ; MmWaitForCacheManagerPrefetch(x)
		mov	edx, [ebp+var_3C]
		mov	ecx, esi
		call	PsSetPagePriorityThread
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+ms_exc.disabled], ecx
		push	[ebp+var_8C]	; int
		push	[ebp+var_90]	; int
		mov	eax, [ebp+var_48]
		push	dword ptr [eax+0Ch] ; int
		push	[ebp+var_3C]	; int
		lea	eax, [ebp+var_98]
		push	eax		; int
		push	edi		; void *
		push	ecx		; int
		mov	edx, [ebp+var_74]
		mov	ecx, [ebp+var_40]
		call	CcMapAndCopyFromCache

loc_439E85:				; CODE XREF: sub_5AA9BD+5j
		mov	[ebp+ms_exc.disabled], edi
		mov	edx, [ebp+var_38]
		mov	ecx, [ebp+var_9C]
		call	PsSetPagePriorityThread
		jmp	loc_439C08
; 

loc_439E9B:				; CODE XREF: CcPerformReadAhead+25Aj
		push	ecx
		push	[ebp+var_3C]
		push	esi
		lea	edx, [ebp+var_28]
		mov	ecx, [ebp+var_48]
		call	_CcPerfLogReadAhead@20 ; CcPerfLogReadAhead(x,x,x,x,x)
		mov	edx, [ebp+var_58]
		jmp	loc_439DB6
; 

loc_439EB3:				; CODE XREF: CcPerformReadAhead+27Dj
		push	[ebp+var_3C]
		push	eax
		lea	edx, [ebp+var_28]
		mov	ecx, [ebp+var_48]
		call	_CcPerfLogReadAheadPrefetch@16 ; CcPerfLogReadAheadPrefetch(x,x,x,x)
		jmp	loc_439DD9
; 

loc_439EC7:				; CODE XREF: CcPerformReadAhead+177j
		lea	ecx, [ebp+var_34]
		call	KxWaitForLockChainValid
		mov	ecx, eax
		mov	eax, [ebp+var_44]
		mov	[ebp+var_1C], eax
		mov	esi, [ebp+var_20]

loc_439EDA:				; CODE XREF: CcPerformReadAhead+162j
		mov	[ebp+var_34], edi
		lea	eax, [ecx+4]
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_439CDC
; 

loc_439EEB:				; CODE XREF: CcPerformReadAhead+111j
		mov	esi, (offset loc_7FFFFF+1)
		mov	[ebp+var_20], esi
		jmp	loc_439C6D
CcPerformReadAhead endp


;  S U B	R O U T	I N E 


sub_439EF8	proc near		; CODE XREF: CcPerformReadAhead+1A6p
					; .text:005AA9C9j

; FUNCTION CHUNK AT 005AA9CE SIZE 00000030 BYTES

		mov	eax, large fs:124h
		mov	[ebp-0A8h], eax
		mov	eax, [eax+328h]
		add	large fs:6A4h, eax
		cmp	dword ptr [ebp-78h], 0
		jz	short loc_439F20
		push	dword ptr [ebp-7Ch]
		mov	eax, [ebp-80h]
		call	dword ptr [eax+0Ch]

loc_439F20:				; CODE XREF: sub_439EF8+1Dj
		mov	eax, [ebp-5Ch]
		add	eax, 40h
		mov	[ebp-38h], eax
		lea	edx, [ebp-34h]
		mov	ecx, eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp-40h]
		mov	esi, [eax+18h]
		mov	[ebp-44h], esi
		test	esi, esi
		jz	short loc_439F8E
		lea	ecx, [esi+50h]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		and	dword ptr [esi], 0FFFEFFFFh
		cmp	dword ptr [ebp-84h], 0
		jz	short loc_439F64
		mov	eax, [ebp-40h]
		test	byte ptr [eax+2Ch], 20h
		jnz	loc_43A026

loc_439F64:				; CODE XREF: sub_439EF8+5Dj
					; sub_439EF8+134j
		cmp	dword ptr [ebp-60h], 0
		jnz	short loc_439F79
		cmp	dword ptr [ebp-88h], 0
		jz	short loc_439F79
		and	dword ptr [esi], 0FFFDFFFFh

loc_439F79:				; CODE XREF: sub_439EF8+70j
					; sub_439EF8+79j
		test	ds:byte_70EFC6,	1
		jnz	loc_5AA9CE
		xor	ecx, ecx
		lea	eax, [esi+50h]
		lock and [eax],	ecx

loc_439F8E:				; CODE XREF: sub_439EF8+46j
					; sub_439EF8+170AE1j
		test	ds:byte_70EFC6,	1
		jnz	loc_5AA9DE
		mov	eax, [ebp-34h]
		test	eax, eax
		jnz	loc_43A039
		mov	edx, [ebp-30h]
		lea	eax, [ebp-34h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-34h]
		cmp	eax, ecx
		jnz	short loc_43A031

loc_439FB9:				; CODE XREF: sub_439EF8+14Dj
					; sub_439EF8+170AF1j
		mov	cl, [ebp-2Ch]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp-40h]
		call	ObfDereferenceObject
		mov	eax, [ebp-48h]
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jnz	loc_43A060

loc_439FD8:				; CODE XREF: sub_439EF8+16Dj
		lea	edx, [ebp-34h]
		mov	ecx, [ebp-38h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	ecx
		mov	esi, [ebp-50h]
		mov	ecx, esi
		call	CcDecrementOpenCount
		and	dword ptr [esi+60h], 0FFFFBFFFh
		test	ds:byte_70EFC6,	1
		jnz	loc_5AA9EE
		mov	eax, [ebp-34h]
		test	eax, eax
		jnz	short loc_43A052
		mov	edx, [ebp-30h]
		lea	eax, [ebp-34h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-34h]
		cmp	eax, ecx
		jnz	short loc_43A04A

loc_43A01C:				; CODE XREF: sub_439EF8+166j
					; sub_439EF8+170B01j
		mov	cl, [ebp-2Ch]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		retn
; 

loc_43A026:				; CODE XREF: sub_439EF8+66j
		mov	[esi+40h], edi
		mov	[esi+44h], edi
		jmp	loc_439F64
; 

loc_43A031:				; CODE XREF: sub_439EF8+BFj
		lea	ecx, [ebp-34h]
		call	KxWaitForLockChainValid

loc_43A039:				; CODE XREF: sub_439EF8+A8j
		mov	[ebp-34h], edi
		add	eax, 4
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_439FB9
; 

loc_43A04A:				; CODE XREF: sub_439EF8+122j
		lea	ecx, [ebp-34h]
		call	KxWaitForLockChainValid

loc_43A052:				; CODE XREF: sub_439EF8+10Fj
		mov	[ebp-34h], edi
		add	eax, 4
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx
		jmp	short loc_43A01C
; 

loc_43A060:				; CODE XREF: sub_439EF8+DAj
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		jmp	loc_439FD8
sub_439EF8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPageRead(x, x, x,	x, x, x, x)
_MiPageRead@28	proc near		; CODE XREF: MiReadImageHeaders+69p
					; MiPfExecuteReadList+A8p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	IoPageReadEx
		pop	ecx
		pop	ebp
		retn	14h
_MiPageRead@28	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiRemoveThreadFromSchedulingGroup proc near ; CODE XREF: KiSetThreadSchedulingGroup+1Ap
					; KeTerminateThread+198p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005AA9FE SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ecx
		push	edi
		cmp	esi, eax
		jnz	short loc_43A0F4
		mov	edi, large fs:20h
		mov	[ebp+var_8], edi
		cli
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	_KiUpdateTotalCyclesCurrentThread@12 ; KiUpdateTotalCyclesCurrentThread(x,x,x)
		sti
		and	[ebp+var_10], 0
		lea	ebx, [edi+2224h]

loc_43A0C9:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+128j
		lock bts dword ptr [ebx], 0
		jb	loc_43A1A4
		lock btr dword ptr [esi], 12h
		push	edi
		mov	dl, 2
		mov	dword ptr [esi+50h], 0
		mov	ecx, esi
		call	_KeUpdateThreadSchedulingProperties@12 ; KeUpdateThreadSchedulingProperties(x,x,x)
		xor	eax, eax
		lock and [ebx],	eax

loc_43A0EF:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+D5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_43A0F4:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+1Dj
		mov	[ebp+var_1], cl
		lea	ebx, [esi+2Ch]
		mov	[ebp+var_14], ecx

loc_43A0FD:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+170982j
		lock bts dword ptr [ebx], 0
		jb	loc_5AA9FE
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_8]
		call	KiAcquireThreadStateLock
		test	dword ptr [esi+58h], 2000h
		mov	cl, al
		mov	edi, [ebp+var_8]
		mov	[ebp+var_2], cl
		jnz	short loc_43A16E

loc_43A127:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+101j
		lock btr dword ptr [esi], 12h
		lea	eax, [esi+5Ch]
		mov	dword ptr [esi+50h], 0
		test	dword ptr [eax], 800h
		jnz	short loc_43A1B7

loc_43A13E:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+132j
		mov	dl, cl
		mov	ecx, esi
		push	edi
		call	_KeUpdateThreadSchedulingProperties@12 ; KeUpdateThreadSchedulingProperties(x,x,x)
		cmp	[ebp+var_1], 0
		jnz	short loc_43A18D

loc_43A14E:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+118j
		test	edi, edi
		jnz	short loc_43A161

loc_43A152:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+E2j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_43A1BE

loc_43A159:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+139j
		mov	dword ptr [ebx], 0
		jmp	short loc_43A0EF
; 

loc_43A161:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+C6j
		xor	ecx, ecx
		lea	eax, [edi+2224h]
		lock and [eax],	ecx
		jmp	short loc_43A152
; 

loc_43A16E:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+9Bj
		movsx	ecx, byte ptr [esi+87h]
		mov	edx, [esi+230h]
		push	ecx
		push	esi
		mov	ecx, edi
		call	_KiRemoveThreadFromScbQueue@16 ; KiRemoveThreadFromScbQueue(x,x,x,x)
		mov	cl, [ebp+var_2]
		mov	[ebp+var_1], 1
		jmp	short loc_43A127
; 

loc_43A18D:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+C2j
		movsx	eax, byte ptr [esi+87h]
		mov	edx, esi
		push	0
		push	0
		push	eax
		mov	ecx, edi
		call	_KiAddThreadToPrcbQueue@20 ; KiAddThreadToPrcbQueue(x,x,x,x,x)
		jmp	short loc_43A14E
; 

loc_43A1A4:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+44j
					; KiRemoveThreadFromSchedulingGroup+126j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_43A1A4
		jmp	loc_43A0C9
; 

loc_43A1B7:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+B2j
		lock btr dword ptr [eax], 0Bh
		jmp	short loc_43A13E
; 

loc_43A1BE:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+CDj
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	short loc_43A159
KiRemoveThreadFromSchedulingGroup endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeUpdateThreadSchedulingProperties(x, x, x)
_KeUpdateThreadSchedulingProperties@12 proc near ; CODE	XREF: KiSetThreadSchedulingGroup+57p
					; KiRemoveThreadFromSchedulingGroup+5Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		push	edi
		mov	edx, esi
		xor	ecx, ecx
		call	_KiUpdateSharedReadyQueueAffinityThread@8 ; KiUpdateSharedReadyQueueAffinityThread(x,x)
		mov	edi, [ebp+arg_0]
		cmp	bl, 2
		jz	short loc_43A1EF

loc_43A1E3:				; CODE XREF: KeUpdateThreadSchedulingProperties(x,x,x)+2Dj
		cmp	bl, 3
		jz	short loc_43A1F5

loc_43A1E8:				; CODE XREF: KeUpdateThreadSchedulingProperties(x,x,x)+43j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_43A1EF:				; CODE XREF: KeUpdateThreadSchedulingProperties(x,x,x)+1Bj
		cmp	dword ptr [edi+8], 0
		jnz	short loc_43A1E3

loc_43A1F5:				; CODE XREF: KeUpdateThreadSchedulingProperties(x,x,x)+20j
		test	byte ptr [esi+2], 4
		jnz	short loc_43A20B

loc_43A1FB:				; CODE XREF: KeUpdateThreadSchedulingProperties(x,x,x)+54j
		mov	cl, [esi+87h]

loc_43A201:				; CODE XREF: KeUpdateThreadSchedulingProperties(x,x,x)+52j
		mov	eax, [edi+33Ch]
		mov	[eax], cl
		jmp	short loc_43A1E8
; 

loc_43A20B:				; CODE XREF: KeUpdateThreadSchedulingProperties(x,x,x)+33j
		mov	edx, edi
		mov	ecx, esi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_43A201
		jmp	short loc_43A1FB
_KeUpdateThreadSchedulingProperties@12 endp

; 

CcPostWorkQueueCachemapUninit:		; CODE XREF: CcLazyWriteScan+446p
					; CcQueueLazyWriteScanThread:loc_56E31Bp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp-4], edx
		lea	edi, [ebp-10h]
		mov	ebx, ecx
		stosd
		xor	esi, esi
		stosd
		stosd
		xor	eax, eax
		mov	edi, [ebx+4Ch]
		inc	eax
		test	ds:dword_70EFD0, 20000h
		jnz	loc_43A301

loc_43A24C:				; CODE XREF: .text:0043A30Ej
		lea	ecx, [edi+80h]
		lea	edx, [ebp-10h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp-4]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_43A32A
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		mov	[eax+4], ebx
		lea	eax, [edi+0CCh]
		mov	ecx, [eax]
		cmp	ecx, eax
		jnz	short loc_43A2BE
		xor	ebx, ebx
		inc	ebx

loc_43A281:				; CODE XREF: .text:0043A2E7j
					; .text:005AAA16j
		test	ds:byte_70EFC6,	1
		jnz	loc_5AAA1B
		mov	eax, [ebp-10h]
		test	eax, eax
		jnz	loc_43A31B
		mov	edx, [ebp-0Ch]
		lea	eax, [ebp-10h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-10h]
		cmp	eax, ecx
		jnz	short loc_43A313

loc_43A2AC:				; CODE XREF: .text:0043A328j
					; .text:005AAA26j
		mov	cl, [ebp-8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	short loc_43A2EE

loc_43A2B9:				; CODE XREF: .text:0043A2FFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_43A2BE:				; CODE XREF: .text:0043A27Cj
		mov	esi, ecx
		mov	ecx, [esi]
		cmp	[esi+4], eax
		jnz	short loc_43A32A
		cmp	[ecx+4], esi
		jnz	short loc_43A32A
		mov	[eax], ecx
		xor	ebx, ebx
		mov	[ecx+4], eax
		inc	ebx
		inc	dword ptr [edi+0D4h]
		mov	eax, ebx
		lock xadd [edi+28Ch], eax
		inc	eax
		cmp	eax, ebx
		jg	short loc_43A281
		jmp	loc_5AAA11
; 

loc_43A2EE:				; CODE XREF: .text:0043A2B7j
		and	dword ptr [esi], 0
		xor	edx, edx
		push	dword ptr [edi+4]
		mov	ecx, esi
		push	0FFFFFFFFh
		call	ExQueueWorkItemToPartition
		jmp	short loc_43A2B9
; 

loc_43A301:				; CODE XREF: .text:0043A246j
		mov	ecx, [ebp-4]
		mov	edx, ebx
		push	eax
		push	0
		call	CcPerfLogWorkItemEnqueue
		jmp	loc_43A24C
; 

loc_43A313:				; CODE XREF: .text:0043A2AAj
		lea	ecx, [ebp-10h]
		call	KxWaitForLockChainValid

loc_43A31B:				; CODE XREF: .text:0043A293j
		mov	dword ptr [ebp-10h], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	short loc_43A2AC
; 

loc_43A32A:				; CODE XREF: .text:0043A262j
					; .text:0043A2C5j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1394. MmDoesFileHaveUserWritableReferences

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmDoesFileHaveUserWritableReferences
MmDoesFileHaveUserWritableReferences proc near
					; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+280p
					; LdrpGetResourceFileName+39Bp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AAA2B SIZE 00000083 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

loc_43A354:				; CODE XREF: MmDoesFileHaveUserWritableReferences+170748j
		mov	cl, 2
		mov	esi, offset dword_6CF3C0
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+arg_0+3],	al
		jnz	loc_5AAA2B
		mov	[ebp+var_4], 0
		lock bts dword ptr [esi], 1Fh
		jb	loc_43A410

loc_43A383:				; CODE XREF: MmDoesFileHaveUserWritableReferences+DCj
		mov	edx, dword_6CF3C0
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5AAA39

loc_43A39B:				; CODE XREF: MmDoesFileHaveUserWritableReferences+1706F4j
					; MmDoesFileHaveUserWritableReferences+17072Ej
		mov	esi, [ebx]
		test	esi, esi
		jz	short loc_43A3FD
		lea	edi, [esi+24h]
		push	edi
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jz	loc_5AAA73
		test	ds:byte_70EFC6,	1
		jnz	loc_5AAA8D
		mov	dword_6CF3C0, 0

loc_43A3C9:				; CODE XREF: MmDoesFileHaveUserWritableReferences+17075Aj
		mov	ecx, esi
		call	MiDoesControlAreaHaveUserWritableReferences
		test	eax, eax
		jnz	short loc_43A421
		xor	esi, esi

loc_43A3D6:				; CODE XREF: MmDoesFileHaveUserWritableReferences+E6j
		test	ds:byte_70EFC6,	1
		jnz	loc_5AAA9F
		mov	dword ptr [edi], 0

loc_43A3E9:				; CODE XREF: MmDoesFileHaveUserWritableReferences+170769j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi

loc_43A3F4:				; CODE XREF: MmDoesFileHaveUserWritableReferences+CEj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_43A3FD:				; CODE XREF: MmDoesFileHaveUserWritableReferences+5Fj
		push	offset dword_6CF3C0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	edi
		xor	eax, eax
		jmp	short loc_43A3F4
; 

loc_43A410:				; CODE XREF: MmDoesFileHaveUserWritableReferences+3Dj
		mov	dl, al
		mov	ecx, esi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+var_4], eax
		jmp	loc_43A383
; 

loc_43A421:				; CODE XREF: MmDoesFileHaveUserWritableReferences+92j
		mov	esi, 1
		jmp	short loc_43A3D6
MmDoesFileHaveUserWritableReferences endp


;  S U B	R O U T	I N E 


MiDoesControlAreaHaveUserWritableReferences proc near
					; CODE XREF: MmDoesFileHaveUserWritableReferences+8Bp
					; MiComputeFlushRange(x,x,x,x,x):loc_4A259Ep

; FUNCTION CHUNK AT 005AAAAE SIZE 00000020 BYTES

		mov	eax, [ecx+34h]
		test	eax, eax
		jnz	short locret_43A448
		mov	edx, [ecx+40h]
		push	esi
		mov	esi, [ecx+44h]
		test	esi, esi
		jnz	loc_5AAAAE
		cmp	edx, 1
		ja	loc_5AAAAE

loc_43A447:				; CODE XREF: MiDoesControlAreaHaveUserWritableReferences+17069Bj
		pop	esi

locret_43A448:				; CODE XREF: MiDoesControlAreaHaveUserWritableReferences+5j
		retn
MiDoesControlAreaHaveUserWritableReferences endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDereferenceControlAreaPfnList	proc near ; CODE XREF: MiDeleteTransitionPte+1A1p
					; MiRestoreTransitionPte(x,x)+3C5p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005AAACE SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, edx
		push	edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], esi
		test	byte ptr [esi+1Ch], 20h
		jnz	loc_43A502
		cmp	dword ptr [esi+20h], 0
		jz	loc_43A502
		mov	edi, eax

loc_43A47B:				; CODE XREF: MiDereferenceControlAreaPfnList+B4j
		test	[ebp+arg_4], 2
		lea	ebx, [esi+24h]
		mov	[ebp+var_14], ebx
		jz	loc_5AAADD
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1], 21h
		jnz	loc_5AAACE
		mov	[ebp+var_8], 0
		lock bts dword ptr [ebx], 1Fh
		jb	loc_43A5F9

loc_43A4AE:				; CODE XREF: MiDereferenceControlAreaPfnList+1B6j
		mov	edx, [ebx]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_43A610

loc_43A4C2:				; CODE XREF: MiDereferenceControlAreaPfnList+1E0j
					; MiDereferenceControlAreaPfnList+170688j ...
		test	edi, edi
		jz	short loc_43A4CC
		add	dword ptr [edi+40h], 0FFFFFFFFh
		jz	short loc_43A509

loc_43A4CC:				; CODE XREF: MiDereferenceControlAreaPfnList+74j
					; MiDereferenceControlAreaPfnList+BDj ...
		dec	dword ptr [esi+10h]
		test	[ebp+arg_4], 1
		mov	eax, [esi+10h]
		jz	short loc_43A4DC
		test	eax, eax
		jz	short loc_43A52E

loc_43A4DC:				; CODE XREF: MiDereferenceControlAreaPfnList+86j
					; MiDereferenceControlAreaPfnList+E2j ...
		cmp	[ebp+var_1], 21h
		jnz	loc_5AAB01
		test	ds:byte_70EFC6,	1
		jnz	loc_5AAAF2
		mov	dword ptr [ebx], 0

loc_43A4F9:				; CODE XREF: MiDereferenceControlAreaPfnList+1706ACj
					; MiDereferenceControlAreaPfnList+1706C0j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_43A502:				; CODE XREF: MiDereferenceControlAreaPfnList+19j
					; MiDereferenceControlAreaPfnList+23j
		xor	edi, edi
		jmp	loc_43A47B
; 

loc_43A509:				; CODE XREF: MiDereferenceControlAreaPfnList+7Aj
		cmp	dword ptr [edi+3Ch], 0
		jnz	short loc_43A4CC
		mov	eax, [ebp+var_C]
		test	byte ptr [eax+12h], 1
		jnz	short loc_43A4CC
		test	byte ptr [edi+12h], 8
		jz	short loc_43A4CC
		mov	ecx, edi
		call	_MiRemoveUnusedSubsection@4 ; MiRemoveUnusedSubsection(x)
		mov	ecx, edi
		call	_MiInsertUnusedSubsection@8 ; MiInsertUnusedSubsection(x,x)
		jmp	short loc_43A4CC
; 

loc_43A52E:				; CODE XREF: MiDereferenceControlAreaPfnList+8Aj
		cmp	dword ptr [esi+14h], 0
		jnz	short loc_43A4DC
		cmp	dword ptr [esi+0Ch], 0
		jnz	short loc_43A4DC
		mov	eax, [esi+1Ch]
		test	eax, 101h
		jnz	short loc_43A4DC
		or	eax, 1
		mov	ecx, esi
		mov	[esi+1Ch], eax
		call	_MiClearFilePointer@4 ;	MiClearFilePointer(x)
		mov	ecx, esi
		call	_MiRemoveUnusedSegment@4 ; MiRemoveUnusedSegment(x)
		jmp	short loc_43A560
; 
		align 10h

loc_43A560:				; CODE XREF: MiDereferenceControlAreaPfnList+108j
					; MiDereferenceControlAreaPfnList+137j	...
		mov	edi, dword_6D5188
		mov	esi, offset dword_6D5188
		mov	edx, dword_6D518C
		mov	ebx, edi
		add	ebx, 1
		mov	dword ptr [ebp+arg_4], edx
		mov	ecx, edx
		mov	eax, edi
		adc	ecx, 0
		nop
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		jnz	short loc_43A560
		cmp	edx, dword ptr [ebp+arg_4]
		jnz	short loc_43A560
		push	offset unk_6D5180
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	ecx, dword_6D5210
		mov	esi, [ebp+var_10]
		cmp	dword ptr [ecx], offset	unk_6D520C
		lea	eax, [esi+4]
		jnz	loc_5AAAEB
		mov	dword ptr [eax], offset	unk_6D520C
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6D5210, eax
		or	dword ptr [esi+1Ch], 8000000h
		push	offset unk_6D5180
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		push	0
		push	ecx
		push	1
		xor	edx, edx
		mov	ecx, offset unk_6D51F8
		call	KeReleaseSemaphoreEx
		mov	edx, offset dword_6D5188
		mov	ecx, offset _MiSystemPartition
		call	MiDecrementControlAreaCount
		mov	ebx, [ebp+var_14]
		jmp	loc_43A4DC
; 

loc_43A5F9:				; CODE XREF: MiDereferenceControlAreaPfnList+58j
		or	dl, 0FFh
		mov	ecx, ebx
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+var_8], eax
		jmp	loc_43A4AE
; 
		jmp	short loc_43A610
; 
		align 10h

loc_43A610:				; CODE XREF: MiDereferenceControlAreaPfnList+6Cj
					; MiDereferenceControlAreaPfnList+1BBj	...
		test	edx, 40000000h
		jz	short loc_43A635

loc_43A618:				; CODE XREF: MiDereferenceControlAreaPfnList+1F5j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [ebx]

loc_43A622:				; CODE XREF: MiDereferenceControlAreaPfnList+1F7j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_43A610
		jmp	loc_43A4C2
; 

loc_43A635:				; CODE XREF: MiDereferenceControlAreaPfnList+1C6j
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jz	short loc_43A618
		jmp	short loc_43A622
MiDereferenceControlAreaPfnList	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiClearFilePointer(x)
_MiClearFilePointer@4 proc near		; CODE XREF: MiDereferenceControlAreaPfnList+FCp
					; MiCheckControlArea+1F0p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, 80000h
		mov	eax, [edi+1Ch]
		test	eax, ecx
		jnz	short loc_43A685
		mov	esi, [edi+20h]
		or	eax, ecx
		mov	ebx, offset dword_6CF3C0
		mov	[edi+1Ch], eax
		push	ebx
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		and	esi, 0FFFFFFF8h
		test	byte ptr [edi+1Ch], 20h
		mov	eax, [esi+14h]
		jnz	short loc_43A689
		and	dword ptr [eax], 0

loc_43A67F:				; CODE XREF: MiClearFilePointer(x)+43j
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_43A685:				; CODE XREF: MiClearFilePointer(x)+11j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_43A689:				; CODE XREF: MiClearFilePointer(x)+30j
		and	dword ptr [eax+8], 0
		jmp	short loc_43A67F
_MiClearFilePointer@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWaitForSpinLockExclusiveAndAcquire proc near	; CODE XREF: CcSetDirtyPinnedData+461p
					; MmDoesFileHaveUserWritableReferences+D4p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AAB15 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	bl, dl
		xor	esi, esi
		mov	edx, ecx
		push	edi
		mov	[ebp+var_4], edx

loc_43A6A2:				; CODE XREF: ExpWaitForSpinLockExclusiveAndAcquire+46j
		mov	edi, [edx]
		test	edi, edi
		jns	short loc_43A6D1

loc_43A6A8:				; CODE XREF: ExpWaitForSpinLockExclusiveAndAcquire+3Fj
		test	edi, 40000000h
		jz	short loc_43A6FD

loc_43A6B0:				; CODE XREF: ExpWaitForSpinLockExclusiveAndAcquire+7Dj
		cmp	bl, 0FFh
		jnz	short loc_43A6E1

loc_43A6B5:				; CODE XREF: ExpWaitForSpinLockExclusiveAndAcquire+5Cj
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jz	loc_5AAB15

loc_43A6C2:				; CODE XREF: ExpWaitForSpinLockExclusiveAndAcquire+17048Cj
		pause

loc_43A6C4:				; CODE XREF: ExpWaitForSpinLockExclusiveAndAcquire+17049Bj
		cmp	bl, 0FFh
		jnz	short loc_43A6EE

loc_43A6C9:				; CODE XREF: ExpWaitForSpinLockExclusiveAndAcquire+6Bj
		mov	eax, [edx]

loc_43A6CB:				; CODE XREF: ExpWaitForSpinLockExclusiveAndAcquire+7Fj
		mov	edi, eax
		test	eax, eax
		js	short loc_43A6A8

loc_43A6D1:				; CODE XREF: ExpWaitForSpinLockExclusiveAndAcquire+16j
		lock bts dword ptr [edx], 1Fh
		jb	short loc_43A6A2
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_43A6E1:				; CODE XREF: ExpWaitForSpinLockExclusiveAndAcquire+23j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_4]
		jmp	short loc_43A6B5
; 

loc_43A6EE:				; CODE XREF: ExpWaitForSpinLockExclusiveAndAcquire+37j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, [ebp+var_4]
		mov	bl, al
		jmp	short loc_43A6C9
; 

loc_43A6FD:				; CODE XREF: ExpWaitForSpinLockExclusiveAndAcquire+1Ej
		mov	ecx, edi
		mov	eax, edi
		or	ecx, 40000000h
		lock cmpxchg [edx], ecx
		cmp	eax, edi
		jz	short loc_43A6B0
		jmp	short loc_43A6CB
ExpWaitForSpinLockExclusiveAndAcquire endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializePageAccessLogging proc near	; CODE XREF: MiGetCcAccessLog(x,x)+B3p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AAB30 SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, edx
		xor	edx, edx
		lea	eax, [esi+38h]
		mov	[esi+4], edx
		mov	[esi+20h], eax
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFFCh
		add	eax, esi
		mov	[eax], edx
		mov	[esi+28h], eax
		add	eax, 0FFFFFFFCh
		mov	[esi+24h], eax
		mov	[esi], edx
		mov	[esi+30h], edx
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		jb	loc_5AAB30
		mov	[esi+2Ch], edx

loc_43A74F:				; CODE XREF: MiInitializePageAccessLogging+17042Bj
					; MiInitializePageAccessLogging+170440j
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], edx
		push	eax
		mov	[ebp+var_4], edx
		call	KeQueryTickCount
		mov	eax, [ebp+var_8]
		mov	[esi+10h], eax
		mov	eax, [ebp+var_4]
		mov	[esi+14h], eax
		pop	esi
		leave
		retn	4
MiInitializePageAccessLogging endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry  10. ExAcquireAutoExpandPushLockShared

;  S U B	R O U T	I N E 


		public ExAcquireAutoExpandPushLockShared
ExAcquireAutoExpandPushLockShared proc near ; CODE XREF: MiLockAwePagesShared(x,x)+Dj
					; MiLockAweVadsShared(x)+23p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AAB57 SIZE 00000047 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, edx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		test	eax, 0FFFFFFFCh
		jnz	loc_5AAB57
		and	eax, 2
		mov	[ebp-14h], eax
		jnz	loc_43A890
		mov	eax, esi
		mov	[ebp-10h], edi
		and	eax, 7FFFFFFCh
		mov	[ebp-0Ch], eax
		jz	loc_5AAB67
		mov	edi, large fs:124h
		dec	word ptr [edi+13Eh]
		nop
		inc	byte ptr [edi+1E6h]
		nop
		cmp	byte ptr [edi+1E6h], 1
		jnz	loc_43A8CA
		mov	cl, [edi+1E4h]
		mov	dword ptr [ebp-8], 0
		test	cl, cl
		jz	loc_43A8E9

loc_43A805:				; CODE XREF: ExAcquireAutoExpandPushLockShared+1B4j
		movzx	eax, cl
		bsf	ecx, eax
		btr	eax, ecx
		mov	[ebp-8], ecx
		mov	[edi+1E4h], al
		lea	edx, [ecx+ecx*2]
		shl	edx, 4
		add	edx, [edi+1E8h]
		mov	[ebp-4], edx
		jz	loc_43A90F
		mov	ecx, dword_6D07D0
		mov	eax, esi
		shr	eax, 15h
		cmp	esi, ecx
		jb	short loc_43A859
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_5AAB7C
		cmp	esi, ecx
		jb	short loc_43A859
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_5AAB7C

loc_43A859:				; CODE XREF: ExAcquireAutoExpandPushLockShared+B9j
					; ExAcquireAutoExpandPushLockShared+CAj
		or	eax, 0FFFFFFFFh

loc_43A85C:				; CODE XREF: ExAcquireAutoExpandPushLockShared+170407j
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp-0Ch]
		mov	[edx+10h], eax

loc_43A866:				; CODE XREF: ExAcquireAutoExpandPushLockShared+197j
		nop
		dec	byte ptr [edi+1E6h]
		lea	eax, [ebp-10h]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [edi+13Eh], 1
		jnz	short loc_43A88D
		nop
		add	edi, 70h
		cmp	[edi], edi
		jnz	short loc_43A8E2

loc_43A88D:				; CODE XREF: ExAcquireAutoExpandPushLockShared+103j
					; ExAcquireAutoExpandPushLockShared+167j
		mov	edi, [ebp-4]

loc_43A890:				; CODE XREF: ExAcquireAutoExpandPushLockShared+34j
					; ExAcquireAutoExpandPushLockShared+1703E9j
		mov	ecx, [esi+4]
		test	cl, 1
		jnz	loc_5AAB8C
		mov	ecx, 11h
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jnz	short loc_43A91C

loc_43A8AB:				; CODE XREF: ExAcquireAutoExpandPushLockShared+1A6j
		or	esi, 1

loc_43A8AE:				; CODE XREF: ExAcquireAutoExpandPushLockShared+170419j
		cmp	dword ptr [ebp-14h], 0
		jnz	short loc_43A8B7
		or	esi, 2

loc_43A8B7:				; CODE XREF: ExAcquireAutoExpandPushLockShared+132j
		test	edi, edi
		jz	short loc_43A8BF
		or	byte ptr [edi+0Eh], 1

loc_43A8BF:				; CODE XREF: ExAcquireAutoExpandPushLockShared+139j
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_43A8CA:				; CODE XREF: ExAcquireAutoExpandPushLockShared+6Aj
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	esi
		push	edi
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_43A8E2:				; CODE XREF: ExAcquireAutoExpandPushLockShared+10Bj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_43A88D
; 

loc_43A8E9:				; CODE XREF: ExAcquireAutoExpandPushLockShared+7Fj
		cmp	byte ptr [edi+222h], 0
		lea	ecx, [edi+222h]
		jnz	short loc_43A928
		test	dword ptr ds:byte_70EFC4, 200h
		mov	dword ptr [ebp-4], 0
		jnz	loc_5AAB6E

loc_43A90F:				; CODE XREF: ExAcquireAutoExpandPushLockShared+A6j
					; ExAcquireAutoExpandPushLockShared+1703F7j
		lea	eax, [edi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_43A866
; 

loc_43A91C:				; CODE XREF: ExAcquireAutoExpandPushLockShared+129j
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockSharedEx
		jmp	short loc_43A8AB
; 

loc_43A928:				; CODE XREF: ExAcquireAutoExpandPushLockShared+176j
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [edi+1E4h]
		or	cl, al
		jmp	loc_43A805
ExAcquireAutoExpandPushLockShared endp

; 
		align 10h
; Exported entry 1203. KeLeaveGuardedRegion

;  S U B	R O U T	I N E 


; __stdcall KeLeaveGuardedRegion()
		public _KeLeaveGuardedRegion@0
_KeLeaveGuardedRegion@0	proc near	; CODE XREF: ObCreateObjectTypeEx+3D7p
					; sub_A1D230+8Fp ...
		mov	eax, large fs:124h
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short locret_43A95D
		nop
		add	eax, 70h
		cmp	[eax], eax
		jnz	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

locret_43A95D:				; CODE XREF: KeLeaveGuardedRegion()+Fj
		retn
_KeLeaveGuardedRegion@0	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1328. KiCheckForKernelApcDelivery

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiCheckForKernelApcDelivery()
		public _KiCheckForKernelApcDelivery@0
_KiCheckForKernelApcDelivery@0 proc near ; CODE	XREF: PspStorageEmptyArrayNonReadonly+349p
					; PspStorageEmptyArrayNonReadonly:loc_4315A4p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	cl, 1
		test	al, al
		jnz	short loc_43A994
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		xor	cl, cl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_43A990:				; CODE XREF: KiCheckForKernelApcDelivery()+43j
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_43A994:				; CODE XREF: KiCheckForKernelApcDelivery()+12j
		mov	eax, large fs:124h
		mov	byte ptr [eax+85h], 1
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		jmp	short loc_43A990
_KiCheckForKernelApcDelivery@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiHandleCollidedFault(x, x,	x, x, x, x)
_MiHandleCollidedFault@24 proc near	; CODE XREF: .text:0045E35Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		call	MiAllowReadInProgress
		mov	esi, eax
		test	esi, esi
		jns	short loc_43A9F1
		mov	ecx, [ebp+arg_4]
		mov	eax, 7FFFFFFFh
		add	ecx, 10h
		lock and [ecx],	eax
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_43A9E2
		mov	dl, 21h
		call	MiUnlockProtoPoolPage

loc_43A9E2:				; CODE XREF: MiHandleCollidedFault(x,x,x,x,x,x)+2Fj
		mov	eax, [ebp+arg_C]
		and	dword ptr [eax], 0

loc_43A9E8:				; CODE XREF: MiHandleCollidedFault(x,x,x,x,x,x)+99j
					; MiHandleCollidedFault(x,x,x,x,x,x)+C9j ...
		mov	eax, esi

loc_43A9EA:				; CODE XREF: MiHandleCollidedFault(x,x,x,x,x,x)+67j
					; MiHandleCollidedFault(x,x,x,x,x,x)+102j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_43A9F1:				; CODE XREF: MiHandleCollidedFault(x,x,x,x,x,x)+1Aj
		mov	ebx, [ebp+arg_4]
		mov	esi, [ebp+arg_C]
		mov	edi, [ebp+arg_0]
		mov	edx, [ebp+var_4]
		mov	eax, [ebx]
		push	esi
		push	[ebp+arg_8]
		sub	eax, 10h
		push	ebx
		push	eax
		push	edi
		call	_MiIssueFlowThroughFault@28 ; MiIssueFlowThroughFault(x,x,x,x,x,x,x)
		cmp	dword ptr [esi], 1
		jz	short loc_43A9EA
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_43AA28
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_MiObtainProtoReference@8 ; MiObtainProtoReference(x,x)

loc_43AA28:				; CODE XREF: MiHandleCollidedFault(x,x,x,x,x,x)+72j
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+arg_4]
		and	[ebp+arg_4], 0
		mov	edx, ebx
		push	eax
		push	2
		push	edi
		call	MiWaitForCollidedFaultComplete
		cmp	[ebp+arg_4], 1
		mov	esi, eax
		jz	short loc_43A9E8
		mov	ecx, 7FFFFFFFh
		test	edi, edi
		jz	short loc_43AA67
		mov	ecx, edi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	ecx, edi
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_43AA67:				; CODE XREF: MiHandleCollidedFault(x,x,x,x,x,x)+A2j
		test	esi, esi
		jz	short loc_43AA87
		lea	eax, [ebx+10h]
		lock and [eax],	ecx
		test	edi, edi
		jz	loc_43A9E8
		mov	dl, 21h
		mov	ecx, edi
		call	MiUnlockProtoPoolPage
		jmp	loc_43A9E8
; 

loc_43AA87:				; CODE XREF: MiHandleCollidedFault(x,x,x,x,x,x)+BFj
		push	3
		pop	edx
		mov	ecx, ebx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	al, [ebx+16h]
		and	al, 0FEh
		or	al, 6
		mov	[ebx+16h], al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		xor	eax, eax
		jmp	loc_43A9EA
_MiHandleCollidedFault@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIssueFlowThroughFault(x, x, x, x,	x, x, x)
_MiIssueFlowThroughFault@28 proc near	; CODE XREF: MiHandleCollidedFault(x,x,x,x,x,x)+5Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_C], edx
		xor	dl, dl
		mov	[ebp+var_8], ecx
		mov	dword ptr [eax], 2
		mov	ebx, [edi+78h]
		mov	[ebp+var_1], dl
		test	bl, bl
		jns	short loc_43AAF1
		mov	ecx, esi
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 2
		jge	short loc_43AB1C
		mov	dl, [ebp+var_1]

loc_43AAF1:				; CODE XREF: MiIssueFlowThroughFault(x,x,x,x,x,x,x)+2Ej
		cmp	esi, [edi+58h]
		jz	short loc_43AB1C
		test	dword ptr [esi+58h], 8000h
		jnz	short loc_43AB1C
		mov	eax, [esi+150h]
		cmp	dword ptr [eax+3D8h], 0
		jz	short loc_43AB1E
		cmp	dword ptr [edi+98h], 0
		jnz	short loc_43AB1C
		test	bl, 8
		jz	short loc_43AB1E

loc_43AB1C:				; CODE XREF: MiIssueFlowThroughFault(x,x,x,x,x,x,x)+3Aj
					; MiIssueFlowThroughFault(x,x,x,x,x,x,x)+42j ...
		mov	dl, 1

loc_43AB1E:				; CODE XREF: MiIssueFlowThroughFault(x,x,x,x,x,x,x)+5Aj
					; MiIssueFlowThroughFault(x,x,x,x,x,x,x)+68j
		mov	ecx, [ebp+arg_8]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_43AB8C
		mov	eax, [ecx+8]
		mov	edi, 400h
		and	eax, edi
		or	eax, 0
		jz	short loc_43AB8C
		cmp	dword ptr [esi+13Ch], 0
		jnz	short loc_43AB5E
		test	[esi+58h], edi
		mov	esi, [ebp+var_8]
		jnz	short loc_43AB61
		cmp	byte ptr [esi+1Ch], 0
		jnz	short loc_43AB61
		cmp	dl, 1
		jz	short loc_43AB61

loc_43AB55:				; CODE XREF: MiIssueFlowThroughFault(x,x,x,x,x,x,x)+B2j
					; MiIssueFlowThroughFault(x,x,x,x,x,x,x)+EBj ...
		xor	eax, eax

loc_43AB57:				; CODE XREF: MiIssueFlowThroughFault(x,x,x,x,x,x,x)+D8j
					; MiIssueFlowThroughFault(x,x,x,x,x,x,x)+117j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_43AB5E:				; CODE XREF: MiIssueFlowThroughFault(x,x,x,x,x,x,x)+8Ej
		mov	esi, [ebp+var_8]

loc_43AB61:				; CODE XREF: MiIssueFlowThroughFault(x,x,x,x,x,x,x)+96j
					; MiIssueFlowThroughFault(x,x,x,x,x,x,x)+9Cj ...
		test	bl, 20h
		jnz	short loc_43AB55
		mov	edx, 7FFFFFFFh
		lea	eax, [ecx+10h]
		lock and [eax],	edx
		mov	eax, [ebp+arg_10]
		mov	ecx, esi
		push	[ebp+arg_C]
		mov	edx, [ebp+var_C]
		push	[ebp+arg_0]
		mov	dword ptr [eax], 1
		call	MiResolveMappedFileFault
		jmp	short loc_43AB57
; 

loc_43AB8C:				; CODE XREF: MiIssueFlowThroughFault(x,x,x,x,x,x,x)+76j
					; MiIssueFlowThroughFault(x,x,x,x,x,x,x)+85j
		cmp	byte ptr [esi+30Ah], 1
		jnb	short loc_43AB9F
		test	bl, 8
		jnz	short loc_43AB9F
		cmp	dl, 1
		jnz	short loc_43AB55

loc_43AB9F:				; CODE XREF: MiIssueFlowThroughFault(x,x,x,x,x,x,x)+E1j
					; MiIssueFlowThroughFault(x,x,x,x,x,x,x)+E6j
		test	bl, 20h
		jnz	short loc_43AB55
		mov	edx, 7FFFFFFFh
		lea	eax, [ecx+10h]
		lock and [eax],	edx
		mov	eax, [ebp+arg_10]
		push	[ebp+arg_C]
		mov	edx, [ebp+var_C]
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_8]
		mov	dword ptr [eax], 1
		call	MiResolvePageFileFault
		jmp	short loc_43AB57
_MiIssueFlowThroughFault@28 endp

; 
		align 4

;  S U B	R O U T	I N E 


MiAllowReadInProgress proc near		; CODE XREF: MiHandleCollidedFault(x,x,x,x,x,x)+11p

; FUNCTION CHUNK AT 005AAB9E SIZE 0000001C BYTES

		mov	eax, large fs:124h
		mov	edx, [ecx+8]
		test	byte ptr [eax+304h], 4
		jnz	short loc_43ABF9
		test	dl, 1
		jnz	loc_5AAB9E

loc_43ABE7:				; CODE XREF: MiAllowReadInProgress+16FFD8j
					; MiAllowReadInProgress+16FFE2j
		mov	al, [ecx+1Dh]
		and	al, 8
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000434h
		retn
; 

loc_43ABF9:				; CODE XREF: MiAllowReadInProgress+10j
		mov	eax, 0C00000A1h
		retn
MiAllowReadInProgress endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiWaitForCollidedFaultComplete proc near ; CODE	XREF: MiHandleCollidedFault(x,x,x,x,x,x)+8Ep
					; .text:0047888Ep ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005AABBA SIZE 00000073 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], ecx
		mov	ecx, [edi+4]
		or	ecx, 80000000h
		mov	[ebp+var_10], ecx
		mov	eax, [ecx]
		nop
		mov	esi, [ecx+4]
		mov	ecx, [ebp+arg_8]
		mov	ebx, [edi]
		mov	[ebp+var_1C], eax
		sub	ebx, 10h
		mov	[ebp+var_18], esi
		mov	eax, [ecx]
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_8], ebx
		test	eax, eax
		jnz	loc_5AABDA
		push	2
		pop	edx
		mov	ecx, edi
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	ecx, [ebp+arg_8]
		test	eax, eax
		jz	loc_5AABBA
		mov	eax, [ecx]

loc_43AC57:				; CODE XREF: MiWaitForCollidedFaultComplete+16FFC3j
		test	eax, eax
		jnz	loc_5AABDA
		test	esi, esi
		jz	short loc_43AC72
		mov	eax, 7FFFh
		cmp	[esi+14h], ax
		jnb	loc_5AABC8

loc_43AC72:				; CODE XREF: MiWaitForCollidedFaultComplete+61j
					; MiWaitForCollidedFaultComplete+16FFDDj ...
		mov	ecx, 7FFFFFFFh

loc_43AC77:				; CODE XREF: MiWaitForCollidedFaultComplete+170004j
		lock inc dword ptr [ebx+68h]
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		test	esi, esi
		jz	loc_43ADA4
		mov	dl, byte ptr [ebp+arg_4]
		mov	ecx, esi
		call	MiUnlockProtoPoolPage

loc_43AC93:				; CODE XREF: MiWaitForCollidedFaultComplete+1ADj
		mov	eax, [ebp+var_C]
		and	[ebp+arg_4], 0
		cmp	dword ptr [eax+14h], 0
		jz	short loc_43ACAF
		push	0
		mov	dl, 21h
		lea	ecx, [eax+14h]
		call	_MiReleaseFaultState@12	; MiReleaseFaultState(x,x,x)
		mov	[ebp+arg_4], eax

loc_43ACAF:				; CODE XREF: MiWaitForCollidedFaultComplete+9Ej
		cmp	dword ptr [ebx+84h], 0
		jnz	loc_43AD68
		xor	ebx, ebx

loc_43ACBE:				; CODE XREF: MiWaitForCollidedFaultComplete+177j
					; MiWaitForCollidedFaultComplete+184j
		mov	eax, [ebp+var_8]
		push	0
		push	0
		push	0
		push	9
		add	eax, 20h
		push	eax
		call	KeWaitForSingleObject
		test	ebx, ebx
		jnz	loc_43AD89

loc_43ACDA:				; CODE XREF: MiWaitForCollidedFaultComplete+19Fj
		mov	ecx, [ebp+var_8]
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)
		mov	ebx, [ebp+var_C]
		lea	ecx, [ebx+14h]
		cmp	dword ptr [ecx], 0
		jz	short loc_43ACF5
		mov	edx, [ebp+arg_4]
		call	MiRelockFaultState

loc_43ACF5:				; CODE XREF: MiWaitForCollidedFaultComplete+EBj
		mov	eax, [ebp+arg_8]
		cmp	dword ptr [eax], 1
		jz	short loc_43AD61
		test	esi, esi
		jz	loc_43ADB2
		lea	edx, [ebp+arg_4]
		mov	ecx, esi
		call	_MiRelockProtoPoolPage@8 ; MiRelockProtoPoolPage(x,x)
		and	[ebp+arg_8], 0
		lea	esi, [edi+10h]

loc_43AD16:				; CODE XREF: MiWaitForCollidedFaultComplete+1CDj
		lock bts dword ptr [esi], 1Fh
		jb	loc_43ADC1

loc_43AD21:				; CODE XREF: MiWaitForCollidedFaultComplete+1BCj
		test	dword ptr [esi], 40000000h
		jnz	loc_5AAC09
		mov	edx, [ebx]
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_10]
		mov	ecx, ebx
		call	_MiIsFaultPteIntact@16 ; MiIsFaultPteIntact(x,x,x,x)
		test	eax, eax
		jz	short loc_43AD5A
		push	0
		push	ecx
		mov	ecx, [ebx]
		mov	edx, edi
		call	_MiImagePageOk@16 ; MiImagePageOk(x,x,x,x)
		test	eax, eax
		jz	short loc_43AD5A
		xor	eax, eax

loc_43AD53:				; CODE XREF: MiWaitForCollidedFaultComplete+166j
					; MiWaitForCollidedFaultComplete+170028j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_43AD5A:				; CODE XREF: MiWaitForCollidedFaultComplete+13Fj
					; MiWaitForCollidedFaultComplete+14Fj
		mov	ecx, edi
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)

loc_43AD61:				; CODE XREF: MiWaitForCollidedFaultComplete+FBj
		mov	eax, 0C0000434h
		jmp	short loc_43AD53
; 

loc_43AD68:				; CODE XREF: MiWaitForCollidedFaultComplete+B6j
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_43ACBE
		mov	ecx, ebx
		call	_KeAbPreWait@4	; KeAbPreWait(x)
		jmp	loc_43ACBE
; 

loc_43AD89:				; CODE XREF: MiWaitForCollidedFaultComplete+D4j
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		push	0
		call	KeAbPreAcquire
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	KeAbPostReleaseEx
		jmp	loc_43ACDA
; 

loc_43ADA4:				; CODE XREF: MiWaitForCollidedFaultComplete+83j
		mov	cl, byte ptr [ebp+arg_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_43AC93
; 

loc_43ADB2:				; CODE XREF: MiWaitForCollidedFaultComplete+FFj
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		lea	esi, [edi+10h]
		jmp	loc_43AD21
; 

loc_43ADC1:				; CODE XREF: MiWaitForCollidedFaultComplete+11Bj
					; MiWaitForCollidedFaultComplete+1D3j
		lea	ecx, [ebp+arg_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jns	loc_43AD16
		jmp	short loc_43ADC1
MiWaitForCollidedFaultComplete endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRelockProtoPoolPage(x, x)
_MiRelockProtoPoolPage@8 proc near	; CODE XREF: MiWaitForCollidedFaultComplete+10Ap
					; MiFinishHardFault(x,x,x,x)+189p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		test	edi, edi
		jnz	short loc_43AE10
		and	[ebp+var_4], edx
		lea	edi, [esi+10h]
		mov	bl, 21h

loc_43ADEF:				; CODE XREF: MiRelockProtoPoolPage(x,x)+51j
		lock bts dword ptr [edi], 1Fh
		jb	short loc_43AE1B

loc_43ADF6:				; CODE XREF: MiRelockProtoPoolPage(x,x)+43j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	dl, bl
		mov	ecx, esi
		call	_MiLockOwnedProtoPage@8	; MiLockOwnedProtoPage(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_43AE10:				; CODE XREF: MiRelockProtoPoolPage(x,x)+Fj
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	bl, al
		mov	[edi], bl
		jmp	short loc_43ADF6
; 

loc_43AE1B:				; CODE XREF: MiRelockProtoPoolPage(x,x)+1Ej
					; MiRelockProtoPoolPage(x,x)+53j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jns	short loc_43ADEF
		jmp	short loc_43AE1B
_MiRelockProtoPoolPage@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeAbPostReleaseEx proc near		; CODE XREF: MiWaitForCollidedFaultComplete+19Ap
					; MiDeleteVad(x,x,x)+8B0p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AAC2D SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], ecx
		push	ebx
		push	esi
		push	edi
		test	dl, 1
		jnz	loc_5AAC2D
		movzx	eax, byte ptr [edx+0Ch]
		mov	edi, edx
		shl	eax, 3
		sub	edi, eax

loc_43AE55:				; CODE XREF: KeAbPostReleaseEx+16FE26j
		dec	word ptr [edi+13Eh]
		nop
		inc	byte ptr [edi+1E6h]
		nop
		mov	bl, [edi+1E6h]
		lea	eax, [ebp+var_8]
		and	byte ptr [edx+0Eh], 0FEh
		mov	ecx, edx
		push	eax
		call	_KeAbEntryFree@12 ; KeAbEntryFree(x,x,x)
		mov	eax, [ebp+var_4]
		sub	eax, [edi+1E8h]
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		mov	edx, eax
		cmp	bl, 1
		jnz	loc_5AAC67
		movzx	ecx, byte ptr [edi+1E4h]
		bts	ecx, edx
		mov	[edi+1E4h], cl

loc_43AEA3:				; CODE XREF: KeAbPostReleaseEx+16FE4Aj
		nop
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		dec	byte ptr [edi+1E6h]
		mov	ecx, edi
		push	eax
		call	KiAbThreadRemoveBoosts
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
KeAbPostReleaseEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpQueueIoCompletionPort(x, x, x,	x)
_AlpcpQueueIoCompletionPort@16 proc near ; CODE	XREF: AlpcpSignal+13Ap
					; AlpcpSignalPortAndUnlock+12p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1], dl
		lea	edi, [ebp+var_10]
		mov	ebx, ecx
		stosd
		lea	edx, [ebp+var_10]
		mov	esi, [ebx+18h]
		mov	ecx, esi
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esi+8]
		cmp	eax, [esi+4]
		jnb	loc_43AFAD
		mov	edi, [esi+18h]
		test	edi, edi
		jz	short loc_43AF04
		mov	eax, [edi]
		mov	[esi+18h], eax
		mov	eax, [esi+8]

loc_43AF04:				; CODE XREF: AlpcpQueueIoCompletionPort(x,x,x,x)+36j
		mov	edi, [edi+4]
		inc	eax
		mov	[esi+8], eax

loc_43AF0B:				; CODE XREF: AlpcpQueueIoCompletionPort(x,x,x,x)+F4j
					; AlpcpQueueIoCompletionPort(x,x,x,x)+FCj
		test	ds:byte_70EFC6,	1
		jz	short loc_43AF70
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_43AF1F:				; CODE XREF: AlpcpQueueIoCompletionPort(x,x,x,x)+C4j
					; AlpcpQueueIoCompletionPort(x,x,x,x)+DBj
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+arg_0], 0
		jz	short loc_43AF49
		push	11h
		lea	esi, [ebx+0D0h]
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_43AFA4

loc_43AF42:				; CODE XREF: AlpcpQueueIoCompletionPort(x,x,x,x)+E7j
		mov	ecx, esi
		call	KeAbPostRelease

loc_43AF49:				; CODE XREF: AlpcpQueueIoCompletionPort(x,x,x,x)+68j
		test	edi, edi
		jz	short loc_43AF69
		push	[ebp+arg_4]
		mov	edx, [ebx+14h]
		xor	eax, eax
		cmp	[ebp+var_1], al
		mov	ecx, [ebx+10h]
		push	edi
		push	eax
		push	eax
		push	eax
		setz	al
		dec	eax
		push	eax
		call	IoSetIoCompletionEx2

loc_43AF69:				; CODE XREF: AlpcpQueueIoCompletionPort(x,x,x,x)+87j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_43AF70:				; CODE XREF: AlpcpQueueIoCompletionPort(x,x,x,x)+4Ej
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_43AF8F
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jz	short loc_43AF1F
		call	KxWaitForLockChainValid

loc_43AF8F:				; CODE XREF: AlpcpQueueIoCompletionPort(x,x,x,x)+B1j
		xor	ecx, ecx
		mov	[ebp+var_10], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_43AF1F
; 

loc_43AFA4:				; CODE XREF: AlpcpQueueIoCompletionPort(x,x,x,x)+7Cj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_43AF42
; 

loc_43AFAD:				; CODE XREF: AlpcpQueueIoCompletionPort(x,x,x,x)+2Bj
		xor	edi, edi
		cmp	[ebp+var_1], 0
		jnz	short loc_43AFBD
		inc	dword ptr [esi+0Ch]
		jmp	loc_43AF0B
; 

loc_43AFBD:				; CODE XREF: AlpcpQueueIoCompletionPort(x,x,x,x)+EFj
		inc	dword ptr [esi+10h]
		jmp	loc_43AF0B
_AlpcpQueueIoCompletionPort@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpWaitForLateUnloadWorker()
_CmpWaitForLateUnloadWorker@0 proc near	; CODE XREF: CmpDeleteKeyObject+159p

var_2		= byte ptr -2
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, offset _CmpWorkerEngineLock

loc_43AFD4:				; CODE XREF: CmpWaitForLateUnloadWorker()+42j
		mov	ecx, esi
		call	ExAcquireFastMutex
		mov	al, _CmpWorkerEngineWorkItemActive
		mov	ecx, esi
		mov	byte ptr [ebp+var_1], al
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_43AFF3
		pop	esi
		leave
		retn
; 

loc_43AFF3:				; CODE XREF: CmpWaitForLateUnloadWorker()+26j
		push	0
		push	1
		lea	eax, [ebp+var_1]
		mov	edx, offset _CmpWorkerEngineWorkItemActive
		push	eax
		mov	ecx, offset _CmpWorkerEngineFinishedEvent
		call	ExBlockOnAddressPushLock
		jmp	short loc_43AFD4
_CmpWaitForLateUnloadWorker@0 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry  36. ExBlockOnAddressPushLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExBlockOnAddressPushLock
ExBlockOnAddressPushLock proc near	; CODE XREF: CmpWaitForLateUnloadWorker()+3Dp
					; RtlpCSparseBitmapWaitOnAddress(x,x,x,x)+1Ep ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005AAC7B SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		xor	edi, edi
		mov	[esp+54h+var_38], ecx
		lea	eax, [esp+54h+var_30]
		mov	esi, edx
		push	edi		; int
		push	eax		; void *
		mov	[esp+5Ch+var_34], esi
		call	_memset
		mov	ecx, [esp+5Ch+var_38]
		lea	edx, [esp+5Ch+var_30]
		add	esp, 0Ch
		call	@ExBlockPushLock@8 ; ExBlockPushLock(x,x)
		mov	eax, [ebp+arg_4]
		sub	eax, 1
		jnz	short loc_43B077
		mov	eax, [ebp+arg_0]
		mov	cl, [esi]
		cmp	cl, [eax]

loc_43B058:				; CODE XREF: ExBlockOnAddressPushLock+7Bj
					; ExBlockOnAddressPushLock+B3j	...
		jnz	short loc_43B08F
		push	[ebp+arg_8]
		mov	ecx, [esp+54h+var_38]
		lea	edx, [esp+54h+var_30]
		call	ExTimedWaitForUnblockPushLock
		mov	edi, eax

loc_43B06C:				; CODE XREF: ExBlockOnAddressPushLock+8Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_43B077:				; CODE XREF: ExBlockOnAddressPushLock+3Dj
		sub	eax, 1
		jz	loc_5AAC7B
		dec	eax
		sub	eax, 1
		jnz	short loc_43B09F
		mov	eax, [ebp+arg_0]
		mov	ecx, [esi]
		cmp	ecx, [eax]
		jmp	short loc_43B058
; 

loc_43B08F:				; CODE XREF: ExBlockOnAddressPushLock:loc_43B058j
					; ExBlockOnAddressPushLock+90j	...
		mov	ecx, [esp+50h+var_38]
		lea	edx, [esp+50h+var_30]
		push	edi
		call	ExpUnblockPushLock
		jmp	short loc_43B06C
; 

loc_43B09F:				; CODE XREF: ExBlockOnAddressPushLock+72j
		sub	eax, 4
		jnz	short loc_43B08F
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+4]
		mov	edx, ecx
		mov	esi, [eax]
		mov	eax, esi
		nop
		mov	ebx, esi
		mov	esi, [esp+50h+var_34]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+arg_0]
		cmp	eax, [ecx]
		jnz	short loc_43B08F
		cmp	edx, [ecx+4]
		jmp	short loc_43B058
ExBlockOnAddressPushLock endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry  37. ExBlockPushLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExBlockPushLock(x,	x)
		public @ExBlockPushLock@8
@ExBlockPushLock@8 proc	near		; CODE XREF: ExBlockOnAddressPushLock+32p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, ebx
		mov	dword ptr [ebx+20h], 2
		mov	esi, [ecx]
		mov	eax, esi
		mov	[ebx+10h], esi
		lock cmpxchg [ecx], edi
		cmp	eax, esi
		jnz	short loc_43B0F4

loc_43B0EF:				; CODE XREF: ExBlockPushLock(x,x)+37j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_43B0F4:				; CODE XREF: ExBlockPushLock(x,x)+21j
		mov	esi, ecx

loc_43B0F6:				; CODE XREF: ExBlockPushLock(x,x)+39j
		mov	ecx, eax
		mov	[ebx+10h], eax
		mov	edx, ebx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jz	short loc_43B0EF
		jmp	short loc_43B0F6
@ExBlockPushLock@8 endp

; 
		align 10h
; Exported entry 465. FsRtlAcquireHeaderMutex

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAcquireHeaderMutex(x, x)
		public _FsRtlAcquireHeaderMutex@8
_FsRtlAcquireHeaderMutex@8 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+0Ch]
		push	0
		mov	edi, [eax+28h]
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	cl, 1
		mov	esi, eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		lock btr dword ptr [edi], 0
		jnb	short loc_43B16B

loc_43B140:				; CODE XREF: FsRtlAcquireHeaderMutex(x,x)+64j
		test	esi, esi
		jz	short loc_43B148
		or	byte ptr [esi+0Eh], 1

loc_43B148:				; CODE XREF: FsRtlAcquireHeaderMutex(x,x)+32j
		mov	eax, large fs:124h
		cmp	[ebp+arg_4], 0
		mov	[edi+4], eax
		movzx	eax, bl
		mov	[edi+1Ch], eax
		jz	short loc_43B163
		mov	eax, [ebp+arg_4]
		lock inc dword ptr [eax]

loc_43B163:				; CODE XREF: FsRtlAcquireHeaderMutex(x,x)+4Bj
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_43B16B:				; CODE XREF: FsRtlAcquireHeaderMutex(x,x)+2Ej
		mov	edx, esi
		mov	ecx, edi
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		jmp	short loc_43B140
_FsRtlAcquireHeaderMutex@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpAcquireFastMutexContended(x, x)
_ExpAcquireFastMutexContended@8	proc near ; CODE XREF: CcSetDirtyPinnedData+47Dp
					; FsRtlAcquireHeaderMutex(x,x)+5Fp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	ebx, ebx
		push	4
		pop	eax
		mov	edi, edx
		mov	[ebp+var_4], eax
		inc	dword ptr [esi+8]
		inc	ebx

loc_43B18F:				; CODE XREF: ExpAcquireFastMutexContended(x,x)+66j
					; ExpAcquireFastMutexContended(x,x)+78j
		mov	edx, [esi]

loc_43B191:				; CODE XREF: ExpAcquireFastMutexContended(x,x)+7Fj
		test	dl, 1
		jz	short loc_43B1A9
		mov	ecx, edx
		mov	eax, edx
		xor	ecx, ebx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_43B1F0
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_43B1A9:				; CODE XREF: ExpAcquireFastMutexContended(x,x)+1Ej
		lea	ecx, [eax+edx]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_43B1F0
		test	edi, edi
		jz	short loc_43B1C1
		mov	ecx, edi
		call	_KeAbPreWait@4	; KeAbPreWait(x)

loc_43B1C1:				; CODE XREF: ExpAcquireFastMutexContended(x,x)+42j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	22h
		lea	eax, [esi+0Ch]
		push	eax
		call	KeWaitForSingleObject
		push	3
		pop	ebx
		push	2
		pop	eax
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_43B18F
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edi, eax
		mov	eax, [ebp+var_4]
		jmp	short loc_43B18F
; 

loc_43B1F0:				; CODE XREF: ExpAcquireFastMutexContended(x,x)+2Cj
					; ExpAcquireFastMutexContended(x,x)+3Ej
		mov	edx, eax
		mov	eax, [ebp+var_4]
		jmp	short loc_43B191
_ExpAcquireFastMutexContended@8	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry  72. ExTimedWaitForUnblockPushLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExTimedWaitForUnblockPushLock
ExTimedWaitForUnblockPushLock proc near	; CODE XREF: ExpUnblockPushLock+78p
					; ExBlockOnAddressPushLock+53p	...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AAC8C SIZE 0000007E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_1C], ecx
		push	esi
		mov	ebx, edx
		push	esi
		push	ebx
		mov	[ebp+var_8], ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, _ExpSpinCycleCount
		lea	edi, [ebx+20h]
		xor	eax, eax
		mov	[ebp+var_4], ecx
		inc	eax
		cmp	ds:0FFDF036Ah, ax
		jbe	short loc_43B262
		test	edi, edi
		jz	short loc_43B242
		cmp	byte ptr ds:0FFDF0297h,	0
		jnz	loc_5AAC8C

loc_43B242:				; CODE XREF: ExTimedWaitForUnblockPushLock+37j
		movzx	ecx, word ptr ds:0FFDF02D6h
		xor	edx, edx
		mov	eax, [ebp+var_4]
		div	ecx
		mov	edx, esi

loc_43B252:				; CODE XREF: ExTimedWaitForUnblockPushLock+64j
		mov	ecx, [edi]
		test	cl, 2
		jz	short loc_43B289
		cmp	edx, eax
		jz	short loc_43B262
		pause
		inc	edx
		jmp	short loc_43B252
; 

loc_43B262:				; CODE XREF: ExTimedWaitForUnblockPushLock+33j
					; ExTimedWaitForUnblockPushLock+5Fj ...
		lock btr dword ptr [edi], 1
		jnb	short loc_43B280
		push	[ebp+arg_0]
		push	esi
		push	esi
		push	1Ch
		push	ebx
		call	KeWaitForSingleObject
		mov	esi, eax
		test	esi, esi
		jnz	loc_5AACF9

loc_43B280:				; CODE XREF: ExTimedWaitForUnblockPushLock+6Bj
					; ExTimedWaitForUnblockPushLock+16FB09j
		mov	eax, esi

loc_43B282:				; CODE XREF: ExTimedWaitForUnblockPushLock+8Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_43B289:				; CODE XREF: ExTimedWaitForUnblockPushLock+5Bj
					; ExTimedWaitForUnblockPushLock+16FAB2j
		xor	eax, eax
		jmp	short loc_43B282
ExTimedWaitForUnblockPushLock endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry  86. ExfAcquirePushLockExclusive

;  S U B	R O U T	I N E 


; __fastcall ExfAcquirePushLockExclusive(x)
		public @ExfAcquirePushLockExclusive@4
@ExfAcquirePushLockExclusive@4 proc near ; CODE	XREF: MiUnloadSystemImage+14B581p
					; MiUnloadSystemImage+14B729p ...
		mov	edi, edi
		push	ecx
		xor	edx, edx
		call	ExfAcquirePushLockExclusiveEx
		retn
@ExfAcquirePushLockExclusive@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry  87. ExfAcquirePushLockShared

;  S U B	R O U T	I N E 


; __fastcall ExfAcquirePushLockShared(x)
		public @ExfAcquirePushLockShared@4
@ExfAcquirePushLockShared@4 proc near	; CODE XREF: ExpCovQueryInformation(x,x,x):loc_A0DDCDp
		mov	edi, edi
		push	ecx
		xor	edx, edx
		call	ExfAcquirePushLockSharedEx
		retn
@ExfAcquirePushLockShared@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExfAcquirePushLockSharedEx proc	near	; CODE XREF: ExAcquireAutoExpandPushLockShared+1A1p
					; ExfAcquirePushLockShared(x)+5p ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AAD0A SIZE 00000085 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 54h
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [esp+64h+var_30]
		mov	[esp+64h+var_50], edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		mov	edx, [edi]
		add	esp, 0Ch
		mov	[esp+60h+var_3C], 0

loc_43B2DF:				; CODE XREF: ExfAcquirePushLockSharedEx+167j
		mov	esi, edx
		mov	[esp+60h+var_40], edx
		shr	esi, 1
		and	esi, 1
		test	dl, 1
		jnz	short loc_43B312

loc_43B2EF:				; CODE XREF: ExfAcquirePushLockSharedEx+6Cj
		mov	ecx, edx
		or	ecx, 1
		test	esi, esi
		jnz	short loc_43B2FB
		add	ecx, 10h

loc_43B2FB:				; CODE XREF: ExfAcquirePushLockSharedEx+46j
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	loc_43B41C
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_43B312:				; CODE XREF: ExfAcquirePushLockSharedEx+3Dj
		test	esi, esi
		jnz	short loc_43B31E
		test	edx, 0FFFFFFF0h
		ja	short loc_43B2EF

loc_43B31E:				; CODE XREF: ExfAcquirePushLockSharedEx+64j
		mov	eax, [esp+60h+var_50]
		test	eax, eax
		jz	short loc_43B335
		mov	ecx, eax
		call	_KeAbPreWait@4	; KeAbPreWait(x)
		mov	edx, [esp+60h+var_40]
		mov	eax, [esp+60h+var_50]

loc_43B335:				; CODE XREF: ExfAcquirePushLockSharedEx+74j
		mov	[esp+60h+var_C], eax
		mov	[esp+60h+var_10], 2
		mov	[esp+60h+var_18], 0
		mov	byte ptr [esp+60h+var_44], 0
		test	esi, esi
		jnz	loc_43B42B
		lea	eax, [esp+60h+var_30]
		mov	[esp+60h+var_14], 0FFFFFFFEh
		mov	ecx, eax
		mov	[esp+60h+var_1C], eax
		or	ecx, 3

loc_43B36B:				; CODE XREF: ExfAcquirePushLockSharedEx+1B2j
		mov	esi, ecx
		mov	eax, edx
		lock cmpxchg [edi], esi
		mov	esi, eax
		cmp	esi, edx
		jnz	short loc_43B3F1
		cmp	byte ptr [esp+60h+var_44], 0
		jnz	loc_43B467

loc_43B384:				; CODE XREF: ExfAcquirePushLockSharedEx+1BFj
		push	0
		push	1
		lea	eax, [esp+68h+var_30]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		cmp	word ptr ds:0FFDF036Ah,	1
		mov	eax, _ExpSpinCycleCount
		mov	[esp+60h+var_4C], eax
		jbe	short loc_43B3D2
		cmp	byte ptr ds:0FFDF0297h,	0
		jnz	loc_5AAD0A
		movzx	ecx, word ptr ds:0FFDF02D6h
		xor	edx, edx
		div	ecx
		xor	edx, edx
		nop

loc_43B3C0:				; CODE XREF: ExfAcquirePushLockSharedEx+120j
		mov	ecx, [esp+60h+var_10]
		test	cl, 2
		jz	short loc_43B3D2
		cmp	edx, eax
		jz	short loc_43B3D2
		pause
		inc	edx
		jmp	short loc_43B3C0
; 

loc_43B3D2:				; CODE XREF: ExfAcquirePushLockSharedEx+F3j
					; ExfAcquirePushLockSharedEx+117j ...
		lea	eax, [esp+60h+var_10]
		lock btr dword ptr [eax], 1
		jnb	short loc_43B3FD
		push	0
		push	0
		push	0
		push	1Ch
		lea	eax, [esp+70h+var_30]
		push	eax
		call	KeWaitForSingleObject
		jmp	short loc_43B3FD
; 

loc_43B3F1:				; CODE XREF: ExfAcquirePushLockSharedEx+C7j
					; ExfAcquirePushLockSharedEx+172j ...
		lea	eax, [esp+60h+var_3C]
		push	eax
		call	_RtlBackoff@4	; RtlBackoff(x)
		mov	esi, [edi]

loc_43B3FD:				; CODE XREF: ExfAcquirePushLockSharedEx+12Bj
					; ExfAcquirePushLockSharedEx+13Fj
		mov	eax, [esp+60h+var_50]
		test	eax, eax
		jz	short loc_43B415
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		push	0
		call	KeAbPreAcquire
		mov	[esp+60h+var_50], eax

loc_43B415:				; CODE XREF: ExfAcquirePushLockSharedEx+153j
		mov	edx, esi
		jmp	loc_43B2DF
; 

loc_43B41C:				; CODE XREF: ExfAcquirePushLockSharedEx+53j
		mov	ecx, [esp+60h+var_50]
		test	ecx, ecx
		jz	short loc_43B3F1
		call	_KeAbPreWait@4	; KeAbPreWait(x)
		jmp	short loc_43B3F1
; 

loc_43B42B:				; CODE XREF: ExfAcquirePushLockSharedEx+A0j
		mov	eax, edx
		mov	[esp+60h+var_1C], 0
		and	eax, 0FFFFFFF0h
		mov	[esp+60h+var_14], 0FFFFFFFFh
		mov	[esp+60h+var_20], eax
		mov	ecx, edx
		and	ecx, 8
		lea	eax, [esp+60h+var_30]
		or	ecx, eax
		mov	eax, edx
		shr	eax, 2
		or	ecx, 7
		not	al
		and	eax, 0FFFFFF01h
		mov	[esp+60h+var_44], eax
		jmp	loc_43B36B
; 

loc_43B467:				; CODE XREF: ExfAcquirePushLockSharedEx+CEj
		push	ecx
		mov	ecx, edi
		call	@ExpOptimizePushLockList@8 ; ExpOptimizePushLockList(x,x)
		jmp	loc_43B384
ExfAcquirePushLockSharedEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExfAcquirePushLockExclusiveEx proc near	; CODE XREF: ExfAcquirePushLockExclusive(x)+5p
					; ExAcquireAutoExpandPushLockExclusive+48p ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A7E04 SIZE 00000085 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 54h
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [esp+64h+var_30]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		mov	edi, edx
		mov	[esp+6Ch+var_48], esi
		call	_memset
		mov	ecx, [esi]
		add	esp, 0Ch
		mov	[esp+60h+var_3C], 0

loc_43B4B1:				; CODE XREF: ExfAcquirePushLockExclusiveEx+108j
		mov	[esp+60h+var_4C], ecx
		test	cl, 1
		jnz	short loc_43B4D4
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jnz	loc_43B664
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_43B4D4:				; CODE XREF: ExfAcquirePushLockExclusiveEx+38j
		test	edi, edi
		jz	short loc_43B4F8
		mov	al, [edi+10h]
		or	al, 2
		mov	[edi+10h], al
		nop
		cmp	dword ptr [edi+10h], 0
		jl	loc_43B680

loc_43B4EB:				; CODE XREF: ExfAcquirePushLockExclusiveEx+20Bj
		or	byte ptr [edi+0Dh], 1
		nop
		mov	al, [edi+10h]
		and	al, 0FDh
		mov	[edi+10h], al

loc_43B4F8:				; CODE XREF: ExfAcquirePushLockExclusiveEx+56j
		mov	[esp+60h+var_C], edi
		mov	[esp+60h+var_10], 3
		mov	[esp+60h+var_18], 0
		mov	byte ptr [esp+60h+var_44], 0
		test	cl, 2
		jnz	loc_43B61D
		lea	eax, [esp+60h+var_30]
		mov	edx, 1
		mov	[esp+60h+var_1C], eax
		lea	esi, [esp+60h+var_30]
		mov	eax, ecx
		shr	eax, 4
		cmp	edx, eax
		mov	[esp+60h+var_14], eax
		sbb	edx, edx
		and	edx, 8
		add	edx, 3
		or	edx, esi
		test	eax, eax
		jnz	short loc_43B54C
		mov	[esp+60h+var_14], 0FFFFFFFEh

loc_43B54C:				; CODE XREF: ExfAcquirePushLockExclusiveEx+C2j
					; ExfAcquirePushLockExclusiveEx+1D4j
		mov	eax, ecx
		mov	esi, edx
		mov	ecx, [esp+60h+var_48]
		lock cmpxchg [ecx], esi
		mov	esi, eax
		cmp	esi, [esp+60h+var_4C]
		jz	short loc_43B58D
		lea	eax, [esp+60h+var_3C]
		push	eax
		call	_RtlBackoff@4	; RtlBackoff(x)
		mov	eax, [esp+60h+var_48]
		mov	esi, [eax]

loc_43B570:				; CODE XREF: ExfAcquirePushLockExclusiveEx+180j
					; ExfAcquirePushLockExclusiveEx+198j ...
		test	edi, edi
		jz	short loc_43B582
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		push	0
		call	KeAbPreAcquire
		mov	edi, eax

loc_43B582:				; CODE XREF: ExfAcquirePushLockExclusiveEx+F2j
		mov	ecx, esi
		mov	esi, [esp+60h+var_48]
		jmp	loc_43B4B1
; 

loc_43B58D:				; CODE XREF: ExfAcquirePushLockExclusiveEx+DEj
		cmp	byte ptr [esp+60h+var_44], 0
		jnz	loc_43B659

loc_43B598:				; CODE XREF: ExfAcquirePushLockExclusiveEx+1DFj
		lea	eax, [esp+60h+var_28]
		mov	word ptr [esp+60h+var_30], 1
		mov	[esp+60h+var_24], eax
		mov	[esp+60h+var_28], eax
		mov	eax, _ExpSpinCycleCount
		mov	byte ptr [esp+60h+var_30+2], 4
		mov	[esp+60h+var_2C], 0
		cmp	word ptr ds:0FFDF036Ah,	1
		mov	[esp+60h+var_50], eax
		jbe	short loc_43B5F7
		cmp	byte ptr ds:0FFDF0297h,	0
		jnz	loc_5A7E04
		movzx	ecx, word ptr ds:0FFDF02D6h
		xor	edx, edx
		div	ecx
		xor	ecx, ecx

loc_43B5E5:				; CODE XREF: ExfAcquirePushLockExclusiveEx+175j
		mov	edx, [esp+60h+var_10]
		test	dl, 2
		jz	short loc_43B5F7
		cmp	ecx, eax
		jz	short loc_43B5F7
		pause
		inc	ecx
		jmp	short loc_43B5E5
; 

loc_43B5F7:				; CODE XREF: ExfAcquirePushLockExclusiveEx+149j
					; ExfAcquirePushLockExclusiveEx+16Cj ...
		lea	eax, [esp+60h+var_10]
		lock btr dword ptr [eax], 1
		jnb	loc_43B570
		push	0
		push	0
		push	0
		push	1Ch
		lea	eax, [esp+70h+var_30]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_43B570
; 

loc_43B61D:				; CODE XREF: ExfAcquirePushLockExclusiveEx+94j
		mov	eax, ecx
		mov	[esp+60h+var_1C], 0
		and	eax, 0FFFFFFF0h
		mov	[esp+60h+var_14], 0FFFFFFFFh
		mov	[esp+60h+var_20], eax
		mov	edx, ecx
		and	edx, 8
		lea	eax, [esp+60h+var_30]
		or	edx, eax
		mov	eax, ecx
		shr	eax, 2
		or	edx, 7
		not	al
		and	eax, 0FFFFFF01h
		mov	[esp+60h+var_44], eax
		jmp	loc_43B54C
; 

loc_43B659:				; CODE XREF: ExfAcquirePushLockExclusiveEx+112j
		push	edx
		call	@ExpOptimizePushLockList@8 ; ExpOptimizePushLockList(x,x)
		jmp	loc_43B598
; 

loc_43B664:				; CODE XREF: ExfAcquirePushLockExclusiveEx+45j
		test	edi, edi
		jz	short loc_43B66F
		mov	ecx, edi
		call	_KeAbPreWait@4	; KeAbPreWait(x)

loc_43B66F:				; CODE XREF: ExfAcquirePushLockExclusiveEx+1E6j
		lea	eax, [esp+60h+var_3C]
		push	eax
		call	_RtlBackoff@4	; RtlBackoff(x)
		mov	esi, [esi]
		jmp	loc_43B570
; 

loc_43B680:				; CODE XREF: ExfAcquirePushLockExclusiveEx+65j
		mov	ecx, edi
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+60h+var_4C]
		jmp	loc_43B4EB
ExfAcquirePushLockExclusiveEx endp


;  S U B	R O U T	I N E 


; __stdcall KeAbPreWait(x)
_KeAbPreWait@4	proc near		; CODE XREF: MiWaitForCollidedFaultComplete+17Fp
					; ExpAcquireFastMutexContended(x,x)+46p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	al, [esi+10h]
		or	al, 2
		mov	[esi+10h], al
		nop
		cmp	dword ptr [esi+10h], 0
		jl	short loc_43B6B3

loc_43B6A4:				; CODE XREF: KeAbPreWait(x)+28j
		or	byte ptr [esi+0Dh], 1
		nop
		mov	al, [esi+10h]
		and	al, 0FDh
		mov	[esi+10h], al
		pop	esi
		retn
; 

loc_43B6B3:				; CODE XREF: KeAbPreWait(x)+12j
		call	KiAbEntryRemoveFromTree
		jmp	short loc_43B6A4
_KeAbPreWait@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlBackoff(x)
_RtlBackoff@4	proc near		; CODE XREF: ExfAcquirePushLockSharedEx+146p
					; ExfAcquirePushLockExclusiveEx+E5p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [eax]
		test	esi, esi
		jnz	short loc_43B71E
		cmp	ds:_KeNumberProcessors,	1
		jz	short loc_43B719
		mov	esi, 40h

loc_43B6DD:				; CODE XREF: RtlBackoff(x)+64j
					; RtlBackoff(x)+68j
		mov	[eax], esi
		lea	ecx, [esi-1]
		rdtsc
		and	eax, ecx
		mov	[ebp+arg_0], 0
		movzx	ecx, word ptr ds:0FFDF02D6h
		add	esi, eax
		xor	edx, edx
		lea	eax, [esi+esi*4]
		add	eax, eax
		div	ecx
		test	eax, eax
		jz	short loc_43B719

loc_43B703:				; CODE XREF: RtlBackoff(x)+57j
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ebp+arg_0]
		pause
		mov	ecx, [ebp+arg_0]
		inc	ecx
		mov	[ebp+arg_0], ecx
		cmp	ecx, eax
		jb	short loc_43B703

loc_43B719:				; CODE XREF: RtlBackoff(x)+16j
					; RtlBackoff(x)+41j
		pop	esi
		pop	ebp
		retn	4
; 

loc_43B71E:				; CODE XREF: RtlBackoff(x)+Dj
		cmp	esi, 1FFFh
		jnb	short loc_43B6DD
		add	esi, esi
		jmp	short loc_43B6DD
_RtlBackoff@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExpOptimizePushLockList(x,	x)
@ExpOptimizePushLockList@8 proc	near	; CODE XREF: ExfAcquirePushLockSharedEx+1BAp
					; ExfAcquirePushLockExclusiveEx+1DAp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ecx
		test	dl, 1
		jz	short loc_43B777

loc_43B73B:				; CODE XREF: ExpOptimizePushLockList(x,x)+4Bj
		mov	esi, edx
		and	esi, 0FFFFFFF0h
		mov	ecx, esi
		cmp	dword ptr [esi+14h], 0
		jnz	short loc_43B75E

loc_43B748:				; CODE XREF: ExpOptimizePushLockList(x,x)+2Bj
		mov	eax, ecx
		mov	ecx, [ecx+10h]
		mov	[ecx+18h], eax
		mov	eax, [ecx+14h]
		test	eax, eax
		jz	short loc_43B748
		cmp	ecx, esi
		jz	short loc_43B75E
		mov	[esi+14h], eax

loc_43B75E:				; CODE XREF: ExpOptimizePushLockList(x,x)+1Cj
					; ExpOptimizePushLockList(x,x)+2Fj
		lea	ecx, [edx-4]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_43B771

loc_43B76B:				; CODE XREF: ExpOptimizePushLockList(x,x)+55j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_43B771:				; CODE XREF: ExpOptimizePushLockList(x,x)+3Fj
		mov	edx, eax
		test	al, 1
		jnz	short loc_43B73B

loc_43B777:				; CODE XREF: ExpOptimizePushLockList(x,x)+Fj
		push	edx
		mov	ecx, edi
		call	@ExpWakePushLock@8 ; ExpWakePushLock(x,x)
		jmp	short loc_43B76B
@ExpOptimizePushLockList@8 endp

; 
		align 10h
; Exported entry 646. FsRtlReleaseEofLock

		public FsRtlReleaseEofLock
FsRtlReleaseEofLock:
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 48h
		push	esi
		lea	eax, [esp+44h]
		mov	dword ptr [esp+24h], 0
		mov	[esp+48h], eax
		mov	[esp+44h], eax
		mov	eax, [ebp+0Ch]
		push	edi
		mov	edi, [ebp+8]
		mov	[esp+24h], eax
		mov	dword ptr [esp+20h], 0
		mov	dword ptr [esp+44h], 0
		mov	eax, [edi+0Ch]
		mov	edx, [eax+28h]
		mov	eax, edx
		and	eax, 7FFFFFFCh
		mov	[esp+18h], edx
		mov	[esp+40h], eax
		jz	loc_5AAD8F
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jnz	loc_43B9AD
		mov	cl, [esi+1E4h]
		mov	dword ptr [esp+2Ch], 0
		test	cl, cl
		jz	loc_5AAD96

loc_43B81F:				; CODE XREF: .text:005AADB1j
		movzx	eax, cl
		bsf	ecx, eax
		btr	eax, ecx
		mov	[esp+2Ch], ecx
		mov	[esi+1E4h], al
		lea	ecx, [ecx+ecx*2]
		shl	ecx, 4
		add	ecx, [esi+1E8h]
		mov	[esp+1Ch], ecx
		jz	loc_5AADD5
		mov	ecx, dword_6D07D0
		mov	eax, edx
		shr	eax, 15h
		cmp	edx, ecx
		mov	[esp+30h], ecx
		mov	ecx, [esp+1Ch]
		jb	short loc_43B86C
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_5AADE2

loc_43B86C:				; CODE XREF: .text:0043B85Dj
		cmp	edx, [esp+30h]
		jb	short loc_43B87F
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_5AADE2

loc_43B87F:				; CODE XREF: .text:0043B870j
		or	eax, 0FFFFFFFFh

loc_43B882:				; CODE XREF: .text:005AADF1j
		mov	[ecx+14h], eax
		nop
		mov	eax, [esp+40h]
		mov	[ecx+10h], eax

loc_43B88D:				; CODE XREF: .text:005AADDDj
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [esp+44h]
		push	eax
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_43B8B7
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	loc_43BABA

loc_43B8B7:				; CODE XREF: .text:0043B8A9j
					; .text:0043BABFj
		mov	esi, [esp+1Ch]

loc_43B8BB:				; CODE XREF: .text:005AAD91j
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [esp+18h]
		mov	dl, al
		mov	[esp+17h], dl
		lock btr dword ptr [ecx], 0
		jnb	loc_43BAA6

loc_43B8D8:				; CODE XREF: .text:0043BAB5j
		test	esi, esi
		jz	short loc_43B8E0
		or	byte ptr [esi+0Eh], 1

loc_43B8E0:				; CODE XREF: .text:0043B8DAj
		mov	eax, large fs:124h
		cmp	dword ptr [esp+24h], 0
		mov	[ecx+4], eax
		movzx	eax, dl
		mov	[ecx+1Ch], eax
		jz	short loc_43B8FD
		mov	eax, [esp+24h]
		lock inc dword ptr [eax]

loc_43B8FD:				; CODE XREF: .text:0043B8F4j
		mov	eax, 0FFFFh
		add	[edi+16h], ax
		jnz	loc_5AADF6
		cmp	byte ptr [edi+14h], 0
		mov	eax, [edi+0Ch]
		mov	edx, [eax+24h]
		mov	esi, [eax+20h]
		mov	[esp+18h], edx
		jnz	loc_43BB2F

loc_43B923:				; CODE XREF: .text:0043BB40j
		mov	ecx, [edi+4]
		lea	eax, [edi+4]
		cmp	ecx, eax
		jnz	loc_43B9C8

loc_43B931:				; CODE XREF: .text:0043BA5Cj
		mov	edx, [esp+20h]
		mov	ecx, 1
		test	edx, edx
		jnz	loc_43BA67
		xor	eax, eax
		mov	[edi], edx
		mov	[edi+16h], ax

loc_43B94A:				; CODE XREF: .text:0043BA73j
		mov	[edi+10h], eax
		mov	eax, [ebp+0Ch]
		mov	[esp+24h], eax
		cmp	dword ptr [esp+24h], 0
		jz	short loc_43B962
		mov	eax, [esp+24h]
		lock inc dword ptr [eax]

loc_43B962:				; CODE XREF: .text:0043B959j
		mov	eax, [edi+0Ch]
		mov	esi, [eax+28h]
		mov	al, [esi+1Ch]
		mov	[esp+17h], al
		xor	eax, eax
		mov	dword ptr [esi+4], 0
		lock cmpxchg [esi], ecx
		test	eax, eax
		jnz	loc_43BAC4

loc_43B984:				; CODE XREF: .text:0043BACDj
		mov	cl, [esp+17h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, [esp+48h]
		lea	eax, [esp+48h]
		cmp	esi, eax
		jnz	loc_43BA78

loc_43B9A5:				; CODE XREF: .text:0043BA9Ej
					; .text:005AAE16j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_43B9AD:				; CODE XREF: .text:0043B803j
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	dword ptr [esp+20h]
		push	esi
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_43B9C8:				; CODE XREF: .text:0043B92Bj
					; .text:0043BA62j
		mov	eax, ecx
		mov	ecx, [ecx]
		mov	[esp+1Ch], eax
		mov	edx, [eax+18h]
		mov	eax, [eax+1Ch]
		test	eax, eax
		mov	[esp+24h], edx
		mov	edx, [esp+18h]
		mov	[esp+44h], eax
		lea	eax, [edi+4]
		jl	short loc_43B9FA
		jg	loc_43BAD2
		cmp	dword ptr [esp+24h], 0
		jnb	loc_43BAD2

loc_43B9FA:				; CODE XREF: .text:0043B9E7j
					; .text:0043BAD6j ...
		cmp	dword ptr [esp+20h], 0
		jnz	short loc_43BA5A
		mov	edx, [esp+1Ch]
		cmp	[ecx+4], edx
		jnz	loc_43BB45
		mov	eax, edx
		mov	edx, [eax+4]
		mov	[esp+44h], edx
		cmp	[edx], eax
		jnz	loc_43BB45
		mov	eax, edx
		lea	edx, [esp+48h]
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, [esp+48h]
		mov	[esp+24h], eax
		cmp	[eax+4], edx
		jnz	loc_43BB45
		mov	edx, [esp+1Ch]
		mov	[esp+20h], edx
		mov	[edx], eax
		lea	eax, [esp+48h]
		mov	[edx+4], eax
		mov	eax, [esp+24h]
		mov	[eax+4], edx
		mov	[esp+48h], edx

loc_43BA57:				; CODE XREF: .text:0043BB2Aj
		lea	eax, [edi+4]

loc_43BA5A:				; CODE XREF: .text:0043B9FFj
		cmp	ecx, eax
		jz	loc_43B931
		jmp	loc_43B9C8
; 

loc_43BA67:				; CODE XREF: .text:0043B93Cj
		mov	eax, [edx+20h]
		mov	[edi], eax
		mov	[edi+16h], cx
		mov	eax, [edx+24h]
		jmp	loc_43B94A
; 

loc_43BA78:				; CODE XREF: .text:0043B99Fj
					; .text:0043BAA4j
		mov	ecx, esi
		xor	edx, edx
		mov	esi, [esi]
		push	0
		push	1
		mov	eax, [ecx+24h]
		add	ecx, 8
		mov	[esp+30h], eax
		lea	eax, [esp+30h]
		push	0
		push	eax
		call	KeSetEventBoostPriorityEx
		lea	eax, [esp+48h]
		cmp	esi, eax
		jz	loc_43B9A5
		jmp	short loc_43BA78
; 

loc_43BAA6:				; CODE XREF: .text:0043B8D2j
		mov	edx, esi
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		mov	ecx, [esp+18h]
		mov	dl, [esp+17h]
		jmp	loc_43B8D8
; 

loc_43BABA:				; CODE XREF: .text:0043B8B1j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_43B8B7
; 

loc_43BAC4:				; CODE XREF: .text:0043B97Ej
		mov	edx, eax
		mov	ecx, esi
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	loc_43B984
; 

loc_43BAD2:				; CODE XREF: .text:0043B9E9j
					; .text:0043B9F4j
		cmp	[esp+44h], edx
		jg	loc_43B9FA
		jl	short loc_43BAE8
		cmp	[esp+24h], esi
		ja	loc_43B9FA

loc_43BAE8:				; CODE XREF: .text:0043BADCj
		mov	eax, [esp+1Ch]
		cmp	[ecx+4], eax
		jnz	short loc_43BB45
		mov	edx, eax
		mov	eax, [edx+4]
		mov	[esp+44h], eax
		cmp	[eax], edx
		jnz	short loc_43BB45
		mov	edx, eax
		lea	eax, [esp+48h]
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	edx, [esp+4Ch]
		mov	[esp+44h], edx
		cmp	[edx], eax
		jnz	short loc_43BB45
		mov	edx, eax
		mov	eax, [esp+1Ch]
		mov	[eax], edx
		mov	edx, [esp+44h]
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[esp+4Ch], eax
		jmp	loc_43BA57
; 

loc_43BB2F:				; CODE XREF: .text:0043B91Dj
		mov	ecx, [edi]
		mov	dl, 1
		push	0
		push	0
		call	PsBoostThreadIoEx
		mov	byte ptr [edi+14h], 0
		jmp	loc_43B923
; 

loc_43BB45:				; CODE XREF: .text:0043BA08j
					; .text:0043BA19j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 649. FsRtlReleaseHeaderMutex

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlReleaseHeaderMutex(x, x)
		public _FsRtlReleaseHeaderMutex@8
_FsRtlReleaseHeaderMutex@8 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	ebx
		push	esi
		jz	short loc_43BB73
		mov	eax, [ebp+arg_4]
		lock inc dword ptr [eax]

loc_43BB73:				; CODE XREF: FsRtlReleaseHeaderMutex(x,x)+Bj
		mov	eax, [ebp+arg_0]
		mov	ecx, 1
		mov	esi, [eax+0Ch]
		xor	eax, eax
		mov	esi, [esi+28h]
		mov	bl, [esi+1Ch]
		mov	dword ptr [esi+4], 0
		lock cmpxchg [esi], ecx
		test	eax, eax
		jnz	short loc_43BBAA

loc_43BB95:				; CODE XREF: FsRtlReleaseHeaderMutex(x,x)+53j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	KeAbPostRelease
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_43BBAA:				; CODE XREF: FsRtlReleaseHeaderMutex(x,x)+33j
		mov	edx, eax
		mov	ecx, esi
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	short loc_43BB95
_FsRtlReleaseHeaderMutex@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpReleaseFastMutexContended(x, x)
_ExpReleaseFastMutexContended@8	proc near ; CODE XREF: CcSetDirtyPinnedData+4A2p
					; .text:0043BAC8p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi

loc_43BBBF:				; CODE XREF: ExpReleaseFastMutexContended(x,x)+4Ej
		mov	esi, edx
		lea	edi, [edx+1]
		and	esi, 2
		jnz	short loc_43BBCC
		lea	edi, [edx-1]

loc_43BBCC:				; CODE XREF: ExpReleaseFastMutexContended(x,x)+11j
		mov	eax, edx
		lock cmpxchg [ecx], edi
		cmp	eax, edx
		jnz	short loc_43BC02
		test	esi, esi
		jnz	short loc_43BBFE
		mov	eax, large fs:124h
		lea	edx, [ebp+var_8]
		push	1
		push	1
		push	ecx
		movsx	eax, byte ptr [eax+87h]
		add	ecx, 0Ch
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		call	KeSetEventBoostPriorityEx

loc_43BBFE:				; CODE XREF: ExpReleaseFastMutexContended(x,x)+22j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_43BC02:				; CODE XREF: ExpReleaseFastMutexContended(x,x)+1Ej
		mov	edx, eax
		jmp	short loc_43BBBF
_ExpReleaseFastMutexContended@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSetEventBoostPriorityEx proc near	; CODE XREF: .text:0043BA93p
					; ExpReleaseFastMutexContended(x,x)+43p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005AAE1B SIZE 00000101 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, large fs:20h
		mov	ecx, edi
		mov	byte ptr [ebp+var_28], al
		mov	[ebp+var_C], esi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		xor	ebx, ebx
		mov	[ebp+var_10], 0FFFFFF7Fh
		inc	ebx
		lea	edx, [edi+8]
		mov	ecx, [edx]
		xor	eax, eax
		mov	[edi+4], ebx
		mov	[ebp+var_8], eax

loc_43BC4A:				; CODE XREF: KeSetEventBoostPriorityEx+14Fj
		cmp	ecx, edx
		jnz	short loc_43BCA2

loc_43BC4E:				; CODE XREF: KeSetEventBoostPriorityEx+104j
		mov	ecx, [ebp+var_10]

loc_43BC51:				; CODE XREF: KeSetEventBoostPriorityEx+16F2E4j
		cmp	[ebp+var_1C], 0
		jz	loc_43BD0F
		test	eax, eax
		setnle	[ebp+var_1]

loc_43BC61:				; CODE XREF: KeSetEventBoostPriorityEx+10Dj
		lock and [edi],	ecx
		test	[ebp+arg_C], 1
		jz	loc_43BD18
		mov	eax, [ebp+arg_0]
		mov	esi, [eax]
		test	esi, esi
		jz	short loc_43BC84
		mov	edx, [ebp+var_C]
		mov	edx, [edx+3B1Ch]
		test	edx, edx
		jnz	short loc_43BCB6

loc_43BC84:				; CODE XREF: KeSetEventBoostPriorityEx+6Fj
					; KeSetEventBoostPriorityEx+C0j ...
		mov	al, [ebp+arg_8]
		mov	esi, [ebp+var_C]

loc_43BC8A:				; CODE XREF: KeSetEventBoostPriorityEx+140j
		push	[ebp+var_28]
		movsx	eax, al
		xor	edx, edx
		push	eax
		push	ebx
		mov	ecx, esi
		call	KiExitDispatcher
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_43BCA2:				; CODE XREF: KeSetEventBoostPriorityEx+46j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	[ebp+var_24], eax
		mov	ecx, [esi+4]
		cmp	[eax+4], esi
		jz	short loc_43BCD4

loc_43BCB1:				; CODE XREF: KeSetEventBoostPriorityEx+D0j
					; KeSetEventBoostPriorityEx+16F2ADj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_43BCB6:				; CODE XREF: KeSetEventBoostPriorityEx+7Cj
		mov	ecx, [ebp+arg_4]
		add	edx, 0FFFFFF64h
		call	KiAbFindWakeupLockEntry
		test	eax, eax
		jz	short loc_43BC84
		push	ebx
		mov	edx, eax
		mov	ecx, esi
		call	KiAbApplyWakeupBoost
		jmp	short loc_43BC84
; 

loc_43BCD4:				; CODE XREF: KeSetEventBoostPriorityEx+A9j
		cmp	[ecx], esi
		jnz	short loc_43BCB1
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	al, [esi+8]
		cmp	al, 1
		jnz	loc_5AAE1B
		push	[ebp+var_1C]
		movzx	eax, word ptr [esi+0Ah]
		mov	edx, esi
		mov	esi, [ebp+var_C]
		mov	ecx, esi
		push	eax
		call	KiTryUnwaitThread
		test	al, al
		mov	eax, [ebp+var_8]
		jz	short loc_43BD4F
		sub	dword ptr [edi+4], 1
		jnz	short loc_43BD4F
		inc	eax
		jmp	loc_43BC4E
; 

loc_43BD0F:				; CODE XREF: KeSetEventBoostPriorityEx+4Fj
		mov	[ebp+var_1], 0
		jmp	loc_43BC61
; 

loc_43BD18:				; CODE XREF: KeSetEventBoostPriorityEx+62j
		mov	edx, [esi+4]
		mov	ecx, esi
		call	KiRemoveBoostThread
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_43BD34
		cmp	dword ptr [ecx], 0
		jz	short loc_43BD5A
		mov	cl, [ecx]
		cmp	cl, al
		jg	short loc_43BD4B

loc_43BD34:				; CODE XREF: KeSetEventBoostPriorityEx+121j
					; KeSetEventBoostPriorityEx+147j
		mov	cl, [ebp+var_1]

loc_43BD37:				; CODE XREF: KeSetEventBoostPriorityEx+156j
		test	cl, cl
		jnz	short loc_43BD3E
		mov	al, [ebp+arg_8]

loc_43BD3E:				; CODE XREF: KeSetEventBoostPriorityEx+133j
		xor	ebx, ebx
		test	cl, cl
		setnz	bl
		inc	ebx
		jmp	loc_43BC8A
; 

loc_43BD4B:				; CODE XREF: KeSetEventBoostPriorityEx+12Cj
		mov	al, cl
		jmp	short loc_43BD34
; 

loc_43BD4F:				; CODE XREF: KeSetEventBoostPriorityEx+FBj
					; KeSetEventBoostPriorityEx+101j ...
		mov	ecx, [ebp+var_24]
		lea	edx, [edi+8]
		jmp	loc_43BC4A
; 

loc_43BD5A:				; CODE XREF: KeSetEventBoostPriorityEx+126j
		xor	cl, cl
		jmp	short loc_43BD37
KeSetEventBoostPriorityEx endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry  95. ExfReleasePushLock

;  S U B	R O U T	I N E 


; __fastcall ExfReleasePushLock(x)
		public @ExfReleasePushLock@4
@ExfReleasePushLock@4 proc near		; CODE XREF: ExReleasePushLockEx+204p
					; MiUnloadSystemImage+14B6B5p ...
		mov	eax, [ecx]
		test	al, 2
		jnz	short loc_43BD7F
		cmp	eax, 10h
		jb	@ExfReleasePushLockExclusive@4 ; ExfReleasePushLockExclusive(x)

loc_43BD7F:				; CODE XREF: ExfReleasePushLock(x)+4j
		jmp	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
@ExfReleasePushLock@4 endp

; 
		align 10h
; Exported entry  97. ExfReleasePushLockShared

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExfReleasePushLockShared(x)
		public @ExfReleasePushLockShared@4
@ExfReleasePushLockShared@4 proc near	; CODE XREF: PspStorageGetObject(x,x,x)+70p
					; SmpKeyedStoreEntryGet(x,x,x,x)+134p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	edx, [esi]
		test	dl, 2
		jnz	short loc_43BDC0

loc_43BDA0:				; CODE XREF: ExfReleasePushLockShared(x)+71j
		mov	ecx, edx
		lea	eax, [edx-10h]
		and	ecx, 0FFFFFFF0h
		sub	ecx, 10h
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_43BDFD

loc_43BDBB:				; CODE XREF: ExfReleasePushLockShared(x)+61j
					; ExfReleasePushLockShared(x)+6Bj ...
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_43BDC0:				; CODE XREF: ExfReleasePushLockShared(x)+Ej
					; ExfReleasePushLockShared(x)+73j
		test	dl, 8
		jnz	short loc_43BE05
		or	eax, 0FFFFFFFFh

loc_43BDC8:				; CODE XREF: ExfReleasePushLockShared(x)+9Dj
		push	ebx
		mov	[ebp+var_4], eax
		push	edi
		lea	ecx, [ecx+0]

loc_43BDD0:				; CODE XREF: ExfReleasePushLockShared(x)+A4j
		mov	ebx, edx
		and	ebx, 6
		cmp	ebx, 2
		jnz	short loc_43BDDD
		add	eax, 4

loc_43BDDD:				; CODE XREF: ExfReleasePushLockShared(x)+48j
		lea	ecx, [eax+edx]
		mov	eax, edx
		mov	edi, ecx
		lock cmpxchg [esi], edi
		cmp	eax, edx
		jnz	short loc_43BE2F
		pop	edi
		cmp	ebx, 2
		pop	ebx
		jnz	short loc_43BDBB
		push	ecx
		mov	ecx, esi
		call	@ExpWakePushLock@8 ; ExpWakePushLock(x,x)
		jmp	short loc_43BDBB
; 

loc_43BDFD:				; CODE XREF: ExfReleasePushLockShared(x)+29j
		mov	edx, eax
		test	al, 2
		jz	short loc_43BDA0
		jmp	short loc_43BDC0
; 

loc_43BE05:				; CODE XREF: ExfReleasePushLockShared(x)+33j
		mov	eax, edx
		and	eax, 0FFFFFFF0h
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jnz	short loc_43BE1B

loc_43BE11:				; CODE XREF: ExfReleasePushLockShared(x)+89j
		mov	eax, [eax+10h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	short loc_43BE11

loc_43BE1B:				; CODE XREF: ExfReleasePushLockShared(x)+7Fj
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+1Ch], eax
		dec	eax
		test	eax, eax
		jg	short loc_43BDBB
		mov	eax, 0FFFFFFF7h
		jmp	short loc_43BDC8
; 

loc_43BE2F:				; CODE XREF: ExfReleasePushLockShared(x)+5Aj
		mov	edx, eax
		mov	eax, [ebp+var_4]
		jmp	short loc_43BDD0
@ExfReleasePushLockShared@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry  96. ExfReleasePushLockExclusive

;  S U B	R O U T	I N E 


; __fastcall ExfReleasePushLockExclusive(x)
		public @ExfReleasePushLockExclusive@4
@ExfReleasePushLockExclusive@4 proc near ; CODE	XREF: ExfReleasePushLock(x)+9j
					; ExfAcquireReleasePushLockExclusive(x)+26p
		xor	eax, eax
		xor	edx, edx
		push	edi
		mov	edi, ecx
		inc	eax
		lock cmpxchg [edi], edx
		mov	edx, eax
		cmp	edx, 1
		jnz	short loc_43BE51

loc_43BE4F:				; CODE XREF: ExfReleasePushLockExclusive(x)+3Ej
		pop	edi
		retn
; 

loc_43BE51:				; CODE XREF: ExfReleasePushLockExclusive(x)+11j
		push	ebx
		push	esi

loc_43BE53:				; CODE XREF: ExfReleasePushLockExclusive(x)+4Cj
		mov	ebx, edx
		xor	ecx, ecx
		and	ebx, 6
		mov	eax, edx
		cmp	ebx, 2
		setz	cl
		lea	ecx, ds:0FFFFFFFFh[ecx*4]
		add	ecx, edx
		mov	esi, ecx
		lock cmpxchg [edi], esi
		cmp	eax, edx
		jnz	short loc_43BE86
		pop	esi
		cmp	ebx, 2
		pop	ebx
		jnz	short loc_43BE4F
		push	ecx
		mov	ecx, edi
		call	@ExpWakePushLock@8 ; ExpWakePushLock(x,x)
		pop	edi
		retn
; 

loc_43BE86:				; CODE XREF: ExfReleasePushLockExclusive(x)+37j
		mov	edx, eax
		jmp	short loc_43BE53
@ExfReleasePushLockExclusive@4 endp

; 
		align 10h
; Exported entry  99. ExfTryToWakePushLock

;  S U B	R O U T	I N E 


; __fastcall ExfTryToWakePushLock(x)
		public @ExfTryToWakePushLock@4
@ExfTryToWakePushLock@4	proc near	; CODE XREF: PspStorageEmptyArrayNonReadonly+1D4p
					; PspStorageEmptyArrayNonReadonly+337p	...
		mov	edi, edi
		push	edi
		mov	edi, ecx
		mov	edx, [edi]
		test	dl, 5
		jnz	short loc_43BEBA
		test	dl, 2
		jz	short loc_43BEBA
		push	esi
		lea	esi, [edx+4]
		mov	eax, edx
		mov	ecx, esi
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_43BEB9
		push	esi
		mov	ecx, edi
		call	@ExpWakePushLock@8 ; ExpWakePushLock(x,x)

loc_43BEB9:				; CODE XREF: ExfTryToWakePushLock(x)+1Fj
		pop	esi

loc_43BEBA:				; CODE XREF: ExfTryToWakePushLock(x)+Aj
					; ExfTryToWakePushLock(x)+Fj
		pop	edi
		retn
@ExfTryToWakePushLock@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExpWakePushLock(x,	x)
@ExpWakePushLock@8 proc	near		; CODE XREF: ExpOptimizePushLockList(x,x)+50p
					; ExfReleasePushLockShared(x)+66p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	edi, 1

loc_43BED2:				; CODE XREF: ExpWakePushLock(x,x)+CEj
		test	dl, 1
		jnz	loc_43BF93

loc_43BEDB:				; CODE XREF: ExpWakePushLock(x,x)+E4j
		mov	ecx, edx
		and	ecx, 0FFFFFFF0h
		mov	[ebp+arg_0], ecx
		mov	esi, [ecx+14h]
		test	esi, esi
		jz	loc_43BFAC

loc_43BEEE:				; CODE XREF: ExpWakePushLock(x,x)+10Aj
					; ExpWakePushLock(x,x)+113j
		test	byte ptr [esi+20h], 1
		jz	short loc_43BEFB
		mov	eax, [esi+18h]
		test	eax, eax
		jnz	short loc_43BF40

loc_43BEFB:				; CODE XREF: ExpWakePushLock(x,x)+32j
		xor	ecx, ecx
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	loc_43BF8C

loc_43BF0B:				; CODE XREF: ExpWakePushLock(x,x)+94j
		cmp	dword ptr [esi+18h], 0
		mov	bl, 2
		jnz	short loc_43BF76

loc_43BF13:				; CODE XREF: ExpWakePushLock(x,x)+C0j
		test	edi, edi
		jz	short loc_43BF56

loc_43BF17:				; CODE XREF: ExpWakePushLock(x,x)+72j
					; ExpWakePushLock(x,x)+9Bj ...
		mov	edi, [esi+18h]
		lea	eax, [esi+20h]
		lock btr dword ptr [eax], 1
		jb	short loc_43BF2E
		push	0
		push	0
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_43BF2E:				; CODE XREF: ExpWakePushLock(x,x)+62j
		mov	esi, edi
		test	edi, edi
		jnz	short loc_43BF17
		cmp	bl, 2
		jnz	short loc_43BF82

loc_43BF39:				; CODE XREF: ExpWakePushLock(x,x)+CAj
					; ExpWakePushLock(x,x)+DEj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_43BF40:				; CODE XREF: ExpWakePushLock(x,x)+39j
		mov	[ecx+14h], eax
		mov	eax, 0FFFFFFFBh
		mov	dword ptr [esi+18h], 0
		lock and [ebx],	eax
		xor	edi, edi
		jmp	short loc_43BF0B
; 

loc_43BF56:				; CODE XREF: ExpWakePushLock(x,x)+55j
		mov	edx, [esi+24h]
		test	edx, edx
		jz	short loc_43BF17
		mov	eax, large fs:124h
		push	0
		movsx	ecx, byte ptr [eax+87h]
		mov	eax, [edx+10h]
		call	KiAbApplyWakeupBoost
		jmp	short loc_43BF17
; 

loc_43BF76:				; CODE XREF: ExpWakePushLock(x,x)+51j
		mov	cl, bl
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		jmp	short loc_43BF13
; 

loc_43BF82:				; CODE XREF: ExpWakePushLock(x,x)+77j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_43BF39
; 

loc_43BF8C:				; CODE XREF: ExpWakePushLock(x,x)+45j
		mov	edx, eax
		jmp	loc_43BED2
; 

loc_43BF93:				; CODE XREF: ExpWakePushLock(x,x)+15j
					; ExpWakePushLock(x,x)+EAj
		lea	ecx, [edx-4]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jz	short loc_43BF39
		mov	edx, eax
		test	al, 1
		jz	loc_43BEDB
		jmp	short loc_43BF93
; 

loc_43BFAC:				; CODE XREF: ExpWakePushLock(x,x)+28j
		mov	edi, [ebp+arg_0]
		nop

loc_43BFB0:				; CODE XREF: ExpWakePushLock(x,x)+FDj
		mov	eax, edi
		mov	edi, [edi+10h]
		mov	[edi+18h], eax
		mov	esi, [edi+14h]
		test	esi, esi
		jz	short loc_43BFB0
		mov	[ebp+arg_0], edi
		mov	edi, 1
		cmp	[ebp+arg_0], ecx
		jz	loc_43BEEE
		mov	[ecx+14h], esi
		jmp	loc_43BEEE
@ExpWakePushLock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAbApplyWakeupBoost proc near		; CODE XREF: KeSetEventBoostPriorityEx+C7p
					; ExpWakePushLock(x,x)+AFp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AAF1C SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	[ebp+var_18], edi
		test	byte ptr [edi+0Fh], 1
		jz	short loc_43BFF9
		cmp	dword ptr [edi+20h], 0
		jz	loc_43C0FA

loc_43BFF9:				; CODE XREF: KiAbApplyWakeupBoost+15j
		movzx	eax, byte ptr [edi+0Ch]
		and	[ebp+var_8], 0
		push	esi
		shl	eax, 3
		mov	esi, edi
		mov	byte ptr [ebp+var_4], 20h
		sub	esi, eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_20], al
		mov	byte ptr [ebp+var_C], bl
		cmp	bl, 0Fh
		jg	loc_43C114

loc_43C022:				; CODE XREF: KiAbApplyWakeupBoost+141j
		cmp	[esi+15Bh], bl
		jge	loc_43C0D1
		movsx	eax, bl
		xor	edx, edx
		mov	[ebp+var_14], eax
		inc	edx
		dec	eax
		mov	ecx, eax
		mov	[ebp+var_1C], eax
		movzx	eax, word ptr [edi+2Ch]
		shl	edx, cl
		and	edx, eax
		test	edx, 7FFFh
		jnz	loc_43C0D1
		mov	al, [esi+87h]
		lea	edi, [esi+2Ch]
		and	[ebp+var_10], 0
		mov	byte ptr [ebp+var_4], al

loc_43C061:				; CODE XREF: KiAbApplyWakeupBoost+9Ej
		lock bts dword ptr [edi], 0
		jnb	short loc_43C078

loc_43C068:				; CODE XREF: KiAbApplyWakeupBoost+9Cj
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_43C068
		jmp	short loc_43C061
; 

loc_43C078:				; CODE XREF: KiAbApplyWakeupBoost+8Ej
		mov	ecx, [ebp+var_14]
		mov	edi, [ebp+var_18]
		mov	al, [ecx+esi+1F4h]
		cmp	al, 0FFh
		jz	loc_5AAF1C
		inc	al
		mov	[ecx+esi+1F4h],	al
		mov	eax, [esi+214h]
		bts	eax, ecx
		mov	[esi+214h], eax
		cmp	[esi+87h], bl
		jl	short loc_43C100

loc_43C0AD:				; CODE XREF: KiAbApplyWakeupBoost+133j
		mov	edx, [ebp+var_1C]
		mov	ebx, 7FFFh
		mov	dword ptr [esi+2Ch], 0
		movzx	eax, word ptr [edi+2Ch]
		mov	ecx, eax
		and	ecx, ebx
		bts	ecx, edx
		xor	ecx, eax
		and	ecx, ebx
		xor	ecx, eax
		mov	[edi+2Ch], cx

loc_43C0D1:				; CODE XREF: KiAbApplyWakeupBoost+50j
					; KiAbApplyWakeupBoost+73j
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5AAF2C

loc_43C0E1:				; CODE XREF: KiAbApplyWakeupBoost+16EF58j
					; KiAbApplyWakeupBoost+16EF83j
		cmp	[ebp+arg_0], 0
		lea	edx, [ebp+var_8]
		mov	ecx, large fs:20h
		pop	esi
		jnz	short loc_43C10D
		push	[ebp+var_20]
		call	@KiProcessDeferredReadyList@12 ; KiProcessDeferredReadyList(x,x,x)

loc_43C0FA:				; CODE XREF: KiAbApplyWakeupBoost+1Bj
					; KiAbApplyWakeupBoost+13Aj
		pop	edi
		pop	ebx
		leave
		retn	4
; 

loc_43C100:				; CODE XREF: KiAbApplyWakeupBoost+D3j
		push	ecx
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	KiSetPriorityThread
		jmp	short loc_43C0AD
; 

loc_43C10D:				; CODE XREF: KiAbApplyWakeupBoost+118j
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		jmp	short loc_43C0FA
; 

loc_43C114:				; CODE XREF: KiAbApplyWakeupBoost+44j
		mov	bl, 0Fh
		mov	byte ptr [ebp+var_C], bl
		jmp	loc_43C022
KiAbApplyWakeupBoost endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAbFindWakeupLockEntry	proc near	; CODE XREF: KeSetEventBoostPriorityEx+B9p
					; KeReleaseMutant+CFE8Fp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 005AAF60 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	eax, edx
		mov	esi, ecx
		push	edi
		mov	ecx, eax
		mov	[esp+28h+var_14], eax
		xor	edi, edi
		call	_KeAbThreadAreAllEntriesFree@4 ; KeAbThreadAreAllEntriesFree(x)
		test	eax, eax
		jnz	loc_43C1EB
		mov	eax, esi
		mov	ecx, esi
		and	eax, 7FFFFFFCh
		mov	[esp+28h+var_18], eax
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jnz	loc_5AAF60
		or	[esp+28h+var_10], 0FFFFFFFFh

loc_43C164:				; CODE XREF: KiAbFindWakeupLockEntry+16EE58j
		mov	edx, [esp+28h+var_14]
		mov	cl, [edx+1E4h]
		mov	al, [edx+222h]
		movsx	esi, al
		movsx	eax, cl
		or	esi, eax
		xor	esi, 3Fh
		bsr	eax, esi
		jz	short loc_43C1DB
		mov	ecx, [esp+28h+var_18]

loc_43C188:				; CODE XREF: KiAbFindWakeupLockEntry+C9j
		btr	esi, eax
		imul	eax, 30h
		add	eax, [edx+1E8h]
		mov	[esp+28h+var_8], eax
		add	eax, 10h
		mov	[esp+28h+var_C], eax
		mov	eax, [eax]
		and	eax, 7FFFFFFCh
		cmp	eax, ecx
		jnz	short loc_43C1E4
		xor	eax, eax
		xor	edx, edx
		nop
		mov	edi, [esp+28h+var_C]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [esp+28h+var_8]
		push	0
		pop	edi
		test	byte ptr [ecx+0Dh], 1
		jz	short loc_43C1EF
		and	eax, 7FFFFFFCh
		cmp	eax, [esp+28h+var_18]
		jnz	short loc_43C1EF
		cmp	edx, [esp+28h+var_10]
		jnz	short loc_43C1EF
		mov	edi, ecx

loc_43C1DB:				; CODE XREF: KiAbFindWakeupLockEntry+64j
					; KiAbFindWakeupLockEntry+CBj
		mov	eax, edi

loc_43C1DD:				; CODE XREF: KiAbFindWakeupLockEntry+CFj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_43C1E4:				; CODE XREF: KiAbFindWakeupLockEntry+8Aj
					; KiAbFindWakeupLockEntry+D9j
		bsr	eax, esi
		jnz	short loc_43C188
		jmp	short loc_43C1DB
; 

loc_43C1EB:				; CODE XREF: KiAbFindWakeupLockEntry+21j
		xor	eax, eax
		jmp	short loc_43C1DD
; 

loc_43C1EF:				; CODE XREF: KiAbFindWakeupLockEntry+A8j
					; KiAbFindWakeupLockEntry+B3j ...
		mov	ecx, [esp+28h+var_18]
		mov	edx, [esp+28h+var_14]
		jmp	short loc_43C1E4
KiAbFindWakeupLockEntry	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcAsyncReadPrefetch proc near		; CODE XREF: CcAsyncReadWorker+213p
					; CcAsyncReadWorkerThread(x)+301p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 005AAFB4 SIZE 0000005F BYTES

		push	50h
		push	offset dword_6A08D0
		call	__SEH_prolog4
		mov	[ebp+var_2C], ecx
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], eax
		mov	esi, [ecx+8]
		mov	edi, [ecx+18h]
		mov	eax, [ecx+10h]
		mov	[ebp+var_48], eax
		mov	eax, [ecx+14h]
		mov	[ebp+var_44], eax
		mov	ebx, [ecx+1Ch]
		mov	eax, [ecx+20h]
		mov	[ebp+var_24], eax
		mov	eax, [ecx+24h]
		mov	[ebp+var_38], eax
		mov	edx, [ecx+28h]
		mov	eax, [ecx+34h]
		mov	[ebp+var_28], eax
		mov	al, [ecx+40h]
		mov	byte ptr [ebp+var_20], al
		mov	eax, [ecx+38h]
		mov	[ebp+var_3C], eax
		mov	eax, [ecx+3Ch]
		mov	[ebp+var_34], eax
		mov	eax, 817h
		test	[edx+6], ax
		jnz	short loc_43C274
		and	[ebp+ms_exc.disabled], 0
		push	1
		push	[ebp+var_20]
		push	[ebp+var_28]
		push	edx
		call	MmProbeAndLockProcessPages
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_43C274:				; CODE XREF: CcAsyncReadPrefetch+5Fj
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, large fs:124h
		mov	[ebp+var_2C], eax
		xor	edx, edx
		mov	[eax+328h], edx
		mov	eax, [ebp+var_24]
		mov	[eax], edx
		mov	[ebp+var_20], ebx
		mov	eax, [ebp+var_44]
		cmp	eax, [esi+0Ch]
		jl	short loc_43C2AE
		jg	loc_43C342
		mov	eax, [ebp+var_48]
		cmp	eax, [esi+8]
		jnb	loc_43C342

loc_43C2AE:				; CODE XREF: CcAsyncReadPrefetch+A0j
		mov	eax, large fs:124h
		mov	[ebp+var_28], eax
		mov	dword ptr [eax+2D4h], 7
		mov	ecx, ebx
		xor	eax, eax
		add	ecx, [ebp+var_48]
		adc	eax, [ebp+var_44]
		cmp	eax, [esi+0Ch]
		jl	short loc_43C2DF
		jg	loc_5AAFB4
		cmp	ecx, [esi+8]
		ja	loc_5AAFB4

loc_43C2DF:				; CODE XREF: CcAsyncReadPrefetch+D4j
					; CcAsyncReadPrefetch+16EDC3j
		mov	edx, [ebp+var_48]
		and	edx, 0FFFFF000h
		mov	[ebp+var_58], edx
		mov	esi, [ebp+var_44]
		mov	[ebp+var_54], esi
		mov	ecx, [ebp+var_20]
		xor	eax, eax
		add	ecx, [ebp+var_48]
		adc	eax, esi
		add	ecx, 0FFFh
		adc	eax, 0
		and	ecx, 0FFFFF000h
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], eax
		sub	ecx, edx
		sbb	eax, esi
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], eax
		push	esi
		push	edx
		push	[ebp+var_24]
		push	[ebp+var_34]
		push	ecx
		push	[ebp+var_38]
		push	ecx
		mov	ecx, edi
		call	_MmPrefetchForCacheManager@36 ;	MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_1C], eax
		mov	eax, large fs:124h
		mov	[ebp+var_40], eax
		xor	edx, edx
		mov	[eax+2D4h], edx

loc_43C342:				; CODE XREF: CcAsyncReadPrefetch+A2j
					; CcAsyncReadPrefetch+AEj
		cmp	[ebp+var_1C], 0
		jz	loc_5AAFC2
		mov	eax, _CcNumberAsyncReadPrefetches
		mov	ecx, dword_6CE9CC
		add	eax, 1
		adc	ecx, edx
		mov	_CcNumberAsyncReadPrefetches, eax
		mov	dword_6CE9CC, ecx

loc_43C367:				; CODE XREF: CcAsyncReadPrefetch+16EDE3j
		mov	esi, [edi+18h]
		cmp	_CcEnableReadAheadInAsyncRead, 0
		jnz	loc_5AAFE2

loc_43C377:				; CODE XREF: CcAsyncReadPrefetch+16EDECj
					; CcAsyncReadPrefetch+16EE00j ...
		test	esi, esi
		jz	short loc_43C386
		push	ebx
		lea	edx, [ebp+var_48]
		mov	ecx, edi
		call	_CcUpdateReadHistory@12	; CcUpdateReadHistory(x,x,x)

loc_43C386:				; CODE XREF: CcAsyncReadPrefetch+17Fj
					; CcAsyncReadPrefetch+16EDF4j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	nullsub_1
		mov	al, 1

loc_43C394:				; CODE XREF: sub_5AAF89+26j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CcAsyncReadPrefetch endp

; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcUpdateReadHistory(x, x, x)
_CcUpdateReadHistory@12	proc near	; CODE XREF: CcAsyncReadPrefetch+187p
					; sub_76314E+30p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ecx+14h]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+18h]
		mov	eax, [eax+4]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], edi
		lea	eax, [edi+20h]
		mov	[ebp+var_8], edx
		mov	ebx, [eax]
		mov	[ebp+var_10], eax
		mov	eax, [eax+4]
		mov	[ebp+var_14], eax
		lea	eax, [edi+10h]
		mov	[ebp+var_4], ebx
		mov	edi, eax

loc_43C3D9:				; CODE XREF: CcUpdateReadHistory(x,x,x)+4Cj
					; CcUpdateReadHistory(x,x,x)+51j
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_C], ecx
		nop
		mov	ecx, [ebp+var_14]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_43C3D9
		cmp	edx, [ebp+var_C]
		jnz	short loc_43C3D9
		mov	edi, [ebp+var_18]
		lea	eax, [edi+28h]
		add	edi, 18h
		mov	ebx, [eax]
		mov	[ebp+var_C], eax
		mov	eax, [eax+4]
		mov	[ebp+var_4], ebx
		mov	[ebp+var_18], eax
		mov	[ebp+var_20], edi

loc_43C413:				; CODE XREF: CcUpdateReadHistory(x,x,x)+86j
					; CcUpdateReadHistory(x,x,x)+8Bj
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_14], ecx
		nop
		mov	ecx, [ebp+var_18]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_43C413
		cmp	edx, [ebp+var_14]
		jnz	short loc_43C413
		mov	edi, [ebp+var_8]
		mov	ebx, [edi]
		mov	eax, [edi+4]
		mov	edi, [ebp+var_10]
		mov	[ebp+var_4], ebx
		mov	[ebp+var_18], eax

loc_43C444:				; CODE XREF: CcUpdateReadHistory(x,x,x)+B7j
					; CcUpdateReadHistory(x,x,x)+BCj
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_14], ecx
		nop
		mov	ecx, [ebp+var_18]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_43C444
		cmp	edx, [ebp+var_14]
		jnz	short loc_43C444
		mov	edi, [ebp+var_8]
		xor	eax, eax
		mov	ecx, [ebp+arg_0]
		add	ecx, [edi]
		mov	[ebp+arg_0], ecx
		adc	eax, [edi+4]
		mov	[ebp+var_8], eax
		mov	edi, eax

loc_43C479:				; CODE XREF: CcUpdateReadHistory(x,x,x)+F4j
					; CcUpdateReadHistory(x,x,x)+F9j
		mov	eax, [ebp+var_C]
		mov	esi, [eax]
		mov	edx, [eax+4]
		mov	eax, esi
		mov	[ebp+var_18], edx
		nop
		mov	ebx, ecx
		mov	ecx, edi
		mov	edi, [ebp+var_C]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+arg_0]
		mov	edi, [ebp+var_8]
		cmp	eax, esi
		jnz	short loc_43C479
		cmp	edx, [ebp+var_18]
		jnz	short loc_43C479
		mov	ecx, [ebp+var_1C]
		mov	edx, 200000h
		test	[ecx+60h], edx
		jz	short loc_43C4C5
		mov	esi, [ebp+var_20]
		mov	eax, [ebp+var_10]
		mov	esi, [esi]
		mov	eax, [eax]
		shr	esi, 0Ch
		shr	eax, 0Ch
		sub	eax, esi
		cmp	eax, 1
		ja	short loc_43C4CC

loc_43C4C5:				; CODE XREF: CcUpdateReadHistory(x,x,x)+106j
					; CcUpdateReadHistory(x,x,x)+12Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_43C4CC:				; CODE XREF: CcUpdateReadHistory(x,x,x)+11Dj
		push	0
		call	CcUpdateSharedCacheMapFlag
		jmp	short loc_43C4C5
_CcUpdateReadHistory@12	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 183. CcAsyncCopyRead

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcAsyncCopyRead
CcAsyncCopyRead	proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 005AB018 SIZE 000000B6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		mov	eax, [ecx+14h]
		mov	esi, [eax+4]
		mov	eax, [ecx+18h]
		mov	ecx, esi
		mov	[ebp+var_C], eax
		call	CcGetPartition
		mov	ebx, [ebp+arg_4]
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		mov	edx, eax
		add	edx, [ebx]
		adc	ecx, [ebx+4]
		cmp	ecx, [esi+0Ch]
		jl	short loc_43C52D
		jg	loc_5AB0A1
		cmp	edx, [esi+8]
		ja	loc_5AB0A1

loc_43C52D:				; CODE XREF: CcAsyncCopyRead+42j
		cmp	[ebp+arg_10], 0
		jz	loc_5AB018
		cmp	_CcEnableReadAheadInAsyncRead, 0
		mov	edi, [ebp+arg_18]
		jnz	loc_5AB032

loc_43C547:				; CODE XREF: CcAsyncCopyRead+16EB61j
					; CcAsyncCopyRead+16EB72j
		push	73416343h
		push	4
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5AB051
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_4]
		and	dword ptr [ebx], 0
		call	_CcAllocateWorkQueueEntry@8 ; CcAllocateWorkQueueEntry(x,x)
		mov	[ebp+arg_10], eax
		test	eax, eax
		js	loc_5AB01F
		test	edi, edi
		jz	loc_5AB058

loc_43C583:				; CODE XREF: CcAsyncCopyRead+16EB85j
		mov	ecx, [edi+150h]
		xor	edx, edx
		push	edx
		push	edx
		xor	eax, eax
		inc	eax
		push	eax
		mov	eax, [ebp+arg_8]
		push	edx
		push	edx
		add	eax, 0FFFh
		push	edx
		and	eax, 0FFFFF000h
		push	eax
		push	ecx
		call	_PsUpdateDiskCounters@32 ; PsUpdateDiskCounters(x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_18]
		lea	ecx, [ecx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		inc	dword ptr [esi+4]
		inc	dword ptr [esi+178h]
		test	ds:byte_70EFC6,	1
		jnz	loc_5AB064
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_5AB07C
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_5AB074

loc_43C5EE:				; CODE XREF: CcAsyncCopyRead+16EB95j
					; CcAsyncCopyRead+16EBB2j
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lock inc dword ptr [esi+170h]
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		mov	byte ptr [edx+48h], 5
		mov	[edx+8], esi
		mov	esi, [ebp+arg_1C]
		mov	[edx+18h], eax
		mov	eax, [ecx]
		mov	[edx+10h], eax
		mov	eax, [ecx+4]
		mov	ecx, edi
		mov	[edx+14h], eax
		mov	eax, [ebp+arg_8]
		mov	[edx+1Ch], eax
		mov	[edx+20h], ebx
		mov	eax, [esi+8]
		mov	[edx+28h], eax
		mov	eax, [ebp+arg_14]
		mov	[edx+2Ch], eax
		mov	[edx+30h], esi
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)
		mov	[edx+24h], eax
		mov	ecx, edi
		mov	eax, large fs:124h
		mov	ebx, [ebp+var_4]
		mov	eax, [eax+80h]
		mov	[ebx+34h], eax
		lea	edx, [ebx+3Ch]
		mov	[ebx+38h], edi
		mov	al, [esi+0Ch]
		mov	[ebx+40h], al
		mov	eax, [esi+10h]
		mov	[ebx+44h], eax
		and	dword ptr [edx], 0
		call	_IoReferenceIoAttributionFromThread@8 ;	IoReferenceIoAttributionFromThread(x,x)
		mov	ecx, [esi+10h]
		cmp	ecx, _CcMaxNestingLevel
		ja	loc_5AB091
		mov	eax, [ebp+var_8]
		mov	edx, [eax+250h]
		lea	edx, [edx+ecx*8]
		mov	ecx, ebx
		call	CcPostWorkQueueAsyncRead
		pop	edi
		xor	eax, eax
		pop	esi
		inc	eax
		pop	ebx
		leave
		retn	20h
CcAsyncCopyRead	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcPostWorkQueueAsyncRead proc near	; CODE XREF: CcAsyncCopyRead+1B2p
					; CcAsyncReadWorker+17Ap ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005AB0CE SIZE 000000A8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		test	ds:dword_70EFD0, 20000h
		mov	eax, edx
		push	edi
		mov	[ebp+var_10], eax
		mov	ecx, [esi+44h]
		mov	edi, [esi+4Ch]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_1], bl
		mov	[ebp+var_8], ecx
		jnz	loc_43C826

loc_43C6CF:				; CODE XREF: CcPostWorkQueueAsyncRead+19Aj
		cmp	byte ptr [esi+48h], 5
		jnz	loc_43C75D
		lea	ecx, [edi+260h]
		xor	edx, edx
		xor	bl, bl
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_10]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_43C83B
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		mov	eax, [edi+254h]
		mov	esi, [ebp+var_8]
		lea	eax, [eax+esi*8]
		cmp	[eax], eax
		jnz	loc_5AB0B7

loc_43C714:				; CODE XREF: CcAsyncCopyRead+16EBE7j
		push	0
		mov	eax, esi
		shl	eax, 4
		add	eax, [edi+258h]
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_43C729:				; CODE XREF: CcAsyncCopyRead+16EBEFj
		xor	edx, edx
		lea	ecx, [edi+260h]
		call	ExReleasePushLockEx
		test	bl, bl
		jnz	short loc_43C758
		push	esi
		lea	edx, [ebp+var_C]
		mov	ecx, edi
		call	CcShouldSpinAsyncReadWorkerThread
		mov	ebx, [ebp+var_C]
		test	al, al
		jnz	loc_5AB0CE

loc_43C750:				; CODE XREF: CcPostWorkQueueAsyncRead+185j
					; CcPostWorkQueueAsyncRead+16EA4Aj
		test	ebx, ebx
		jnz	loc_5AB160

loc_43C758:				; CODE XREF: CcPostWorkQueueAsyncRead+9Cj
					; CcPostWorkQueueAsyncRead+F1j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_43C75D:				; CODE XREF: CcPostWorkQueueAsyncRead+37j
		mov	eax, [edi+254h]
		mov	edx, ecx
		shl	edx, 3
		add	eax, edx
		mov	[ebp+var_10], edx
		cmp	[eax], eax
		jnz	loc_5AB0EB
		mov	eax, [edi+24Ch]
		mov	eax, [eax+ecx*4]
		cmp	eax, _CcMaxNumberCompleteAsyncReadExWorkItems
		jnb	loc_5AB0EB

loc_43C78A:				; CODE XREF: CcPostWorkQueueAsyncRead+16EAA3j
		cmp	[ebp+var_1], bl
		jnz	short loc_43C758
		push	71576343h
		push	24h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_5AB144
		and	[eax], ebx
		lea	ecx, [edi+260h]
		mov	[eax+1Ch], esi
		xor	edx, edx
		mov	esi, [ebp+var_8]
		mov	dword ptr [eax+10h], 4
		mov	[eax+20h], edi
		mov	[eax+14h], esi
		mov	dword ptr [eax+8], offset CcCompleteAsyncReadWorker
		mov	[eax+0Ch], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+24Ch]
		mov	ecx, [ebp+var_C]
		mov	eax, [eax+esi*4]
		mov	[ecx+18h], eax
		mov	eax, [edi+24Ch]
		inc	dword ptr [eax+esi*4]
		xor	eax, eax
		inc	eax
		lock xadd [edi+28Ch], eax
		inc	eax
		cmp	eax, 1
		jle	short loc_43C840

loc_43C800:				; CODE XREF: CcPostWorkQueueAsyncRead+1A9j
		xor	edx, edx
		lea	ecx, [edi+260h]
		call	ExReleasePushLockEx
		mov	eax, [ebp+var_C]
		mov	ecx, eax
		and	[eax], ebx
		push	dword ptr [edi+4]
		push	0FFFFFFFFh
		push	2Eh
		pop	edx
		call	ExQueueWorkItemToPartition
		jmp	loc_43C750
; 

loc_43C826:				; CODE XREF: CcPostWorkQueueAsyncRead+2Dj
		push	0
		push	0
		mov	edx, esi
		mov	ecx, eax
		call	CcPerfLogWorkItemEnqueue
		mov	ecx, [ebp+var_8]
		jmp	loc_43C6CF
; 

loc_43C83B:				; CODE XREF: CcPostWorkQueueAsyncRead+54j
					; CcPostWorkQueueAsyncRead+16EA82j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_43C840:				; CODE XREF: CcPostWorkQueueAsyncRead+162j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_43C800
CcPostWorkQueueAsyncRead endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcShouldSpinAsyncReadWorkerThread proc near ; CODE XREF: CcPostWorkQueueAsyncRead+A4p
					; CcAsyncReadWorker+854B1p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AB176 SIZE 0000008D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+244h]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		imul	edx, edi, 194h
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		inc	ebx
		lea	edi, [eax+edi*8]
		xor	eax, eax
		add	edx, [ecx+25Ch]
		mov	ecx, _CcMaxAsyncReadWorkerThreads
		test	ecx, ecx
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_4]
		jz	loc_5AB183

loc_43C888:				; CODE XREF: CcShouldSpinAsyncReadWorkerThread+16E932j
		mov	ecx, [edx+eax*4]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_5AB176
		cmp	ecx, 3Fh
		jnb	loc_5AB176
		xor	bl, bl

loc_43C89F:				; CODE XREF: CcShouldSpinAsyncReadWorkerThread+16E93Dj
					; CcShouldSpinAsyncReadWorkerThread+16E9A9j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
CcShouldSpinAsyncReadWorkerThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiQueuePageAccessLog(x)
_MiQueuePageAccessLog@4	proc near	; CODE XREF: MiTrimOrAgeWorkingSet+3CDp
					; MiReturnCcAccessLog(x,x)+3Aj	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		lea	eax, [ebp+var_8]
		xor	esi, esi
		push	eax
		mov	edi, ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	KeQueryTickCount
		mov	eax, [ebp+var_8]
		mov	ecx, offset unk_6FB608
		mov	[edi+18h], eax
		mov	eax, [ebp+var_4]
		mov	[edi+1Ch], eax
		mov	eax, dword_6FB628
		mov	[edi+8], eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_43C941
		push	ebx
		movzx	ebx, word_6FB624
		cmp	ebx, dword_6FB61C
		jnb	short loc_43C933
		mov	edx, edi
		mov	ecx, offset unk_6FB620
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		cmp	ebx, 8
		jnb	short loc_43C91D

loc_43C907:				; CODE XREF: MiQueuePageAccessLog(x)+7Bj
					; MiQueuePageAccessLog(x)+89j
		xor	esi, esi
		inc	esi

loc_43C90A:				; CODE XREF: MiQueuePageAccessLog(x)+97j
		mov	ecx, offset unk_6FB608
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		pop	ebx
		test	esi, esi
		jz	short loc_43C941

loc_43C919:				; CODE XREF: MiQueuePageAccessLog(x)+A2j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_43C91D:				; CODE XREF: MiQueuePageAccessLog(x)+5Dj
		cmp	dword_6FB610, esi
		jnz	short loc_43C907
		push	esi
		push	esi
		push	offset unk_6FB60C
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_43C907
; 

loc_43C933:				; CODE XREF: MiQueuePageAccessLog(x)+4Cj
		push	64h
		pop	eax
		mov	ecx, offset unk_6D4480
		lock xadd [ecx], eax
		jmp	short loc_43C90A
; 

loc_43C941:				; CODE XREF: MiQueuePageAccessLog(x)+3Cj
					; MiQueuePageAccessLog(x)+6Fj
		mov	dl, 1
		mov	ecx, edi
		call	_MmFreeAccessPfnBuffer@8 ; MmFreeAccessPfnBuffer(x,x)
		jmp	short loc_43C919
_MiQueuePageAccessLog@4	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 417. ExReleaseCacheAwarePushLockExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExReleaseCacheAwarePushLockExclusive(x)
		public _ExReleaseCacheAwarePushLockExclusive@4
_ExReleaseCacheAwarePushLockExclusive@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, esi
		lea	ebx, [esi+80h]
		cmp	esi, ebx
		jnb	short loc_43C984

loc_43C969:				; CODE XREF: ExReleaseCacheAwarePushLockExclusive(x)+30j
		mov	ecx, [edi]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_43C97D
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_43C97D:				; CODE XREF: ExReleaseCacheAwarePushLockExclusive(x)+24j
		add	edi, 4
		cmp	edi, ebx
		jb	short loc_43C969

loc_43C984:				; CODE XREF: ExReleaseCacheAwarePushLockExclusive(x)+15j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_ExReleaseCacheAwarePushLockExclusive@4	endp

; 
		align 10h
; Exported entry 122. KeAcquireGuardedMutex

;  S U B	R O U T	I N E 


; __fastcall KeAcquireGuardedMutex(x)
		public @KeAcquireGuardedMutex@4
@KeAcquireGuardedMutex@4 proc near	; CODE XREF: PopGracefulShutdown(x)+81p
					; PnpNotifyTargetDeviceChange+6Dp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	0
		xor	edx, edx
		mov	edi, ecx
		call	KeAbPreAcquire
		mov	cl, 1
		mov	esi, eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		lock btr dword ptr [edi], 0
		jnb	short loc_43C9DE

loc_43C9C3:				; CODE XREF: KeAcquireGuardedMutex(x)+47j
		test	esi, esi
		jz	short loc_43C9CB
		or	byte ptr [esi+0Eh], 1

loc_43C9CB:				; CODE XREF: KeAcquireGuardedMutex(x)+25j
		mov	eax, large fs:124h
		mov	[edi+4], eax
		movzx	eax, bl
		mov	[edi+1Ch], eax
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_43C9DE:				; CODE XREF: KeAcquireGuardedMutex(x)+21j
		mov	edx, esi
		mov	ecx, edi
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		jmp	short loc_43C9C3
@KeAcquireGuardedMutex@4 endp

; 
		align 10h
; Exported entry  57. ExReleaseFastMutex
; Exported entry 105. ExiReleaseFastMutex
; Exported entry 136. KeReleaseGuardedMutex

;  S U B	R O U T	I N E 


; __fastcall ExReleaseFastMutex(x)
		public @ExReleaseFastMutex@4
@ExReleaseFastMutex@4 proc near		; CODE XREF: CmpWaitForLateUnloadWorker()+1Dp
					; RawCompletionRoutine+5Dp ...
		mov	edi, edi	; ExReleaseFastMutex
					; ExiReleaseFastMutex
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		mov	ecx, 1
		mov	bl, [esi+1Ch]
		mov	dword ptr [esi+4], 0
		lock cmpxchg [esi], ecx
		test	eax, eax
		jnz	short loc_43CA23

loc_43CA10:				; CODE XREF: ExReleaseFastMutex(x)+3Cj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	KeAbPostRelease
		pop	esi
		pop	ebx
		pop	ecx
		retn
; 

loc_43CA23:				; CODE XREF: ExReleaseFastMutex(x)+1Ej
		mov	edx, eax
		mov	ecx, esi
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	short loc_43CA10
@ExReleaseFastMutex@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopDeepSleepEnabled()
_PopDeepSleepEnabled@0 proc near	; CODE XREF: PopCheckResiliencyScenarios:loc_7637B3p
					; PopEnforceDeepSleep+2Dp ...
		cmp	_PopDeepSleepIsEnabled,	0
		setnz	al
		retn
_PopDeepSleepEnabled@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopHandleSystemRequiredPowerRequestsUpdate proc	near
					; CODE XREF: PopHandleConvergedPowerRequestUpdate(x,x)+58j

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005AB203 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		xor	edi, edi
		inc	edi
		cmp	ebx, edi
		jnz	short loc_43CAD2
		mov	esi, edi

loc_43CA58:				; CODE XREF: PopHandleSystemRequiredPowerRequestsUpdate+A0j
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		lea	edx, [ebp+var_C]
		mov	ecx, offset _PopPowerRequestSpinLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, _PopPowerRequestAttributes[ebx*8]
		test	eax, eax
		mov	eax, dword_6C22C4
		jle	short loc_43CACC
		or	eax, esi

loc_43CA7C:				; CODE XREF: PopHandleSystemRequiredPowerRequestsUpdate+96j
		mov	dword_6C22C4, eax
		test	eax, eax
		jz	short loc_43CADF

loc_43CA85:				; CODE XREF: PopHandleSystemRequiredPowerRequestsUpdate+AFj
		test	ds:byte_70EFC6,	1
		jnz	loc_5AB203
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5AB21B
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5AB213

loc_43CAB4:				; CODE XREF: PopHandleSystemRequiredPowerRequestsUpdate+16E7D4j
					; PopHandleSystemRequiredPowerRequestsUpdate+16E7EEj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		call	PopCheckResiliencyScenarios
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_43CAC7:				; CODE XREF: PopHandleSystemRequiredPowerRequestsUpdate+9Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_43CACC:				; CODE XREF: PopHandleSystemRequiredPowerRequestsUpdate+3Ej
		not	esi
		and	eax, esi
		jmp	short loc_43CA7C
; 

loc_43CAD2:				; CODE XREF: PopHandleSystemRequiredPowerRequestsUpdate+1Aj
		cmp	ebx, 3
		jnz	short loc_43CAC7
		push	2
		pop	esi
		jmp	loc_43CA58
; 

loc_43CADF:				; CODE XREF: PopHandleSystemRequiredPowerRequestsUpdate+49j
		mov	eax, dword_6C22A8
		mov	dword_6C22E0, eax
		jmp	short loc_43CA85
PopHandleSystemRequiredPowerRequestsUpdate endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopCheckForWork	proc near		; CODE XREF: PopSetNotificationWork(x)+1Cj
					; PopCheckForIdleness(x,x,x,x)+1DDp ...

; FUNCTION CHUNK AT 005AB22D SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _PopWorkerStatus
		test	_PopWorkerPending, eax
		jnz	short loc_43CB00

loc_43CAFE:				; CODE XREF: PopCheckForWork+20j
		pop	ebp
		retn
; 

loc_43CB00:				; CODE XREF: PopCheckForWork+10j
		mov	eax, large fs:124h
		cmp	_PopPolicyLockThread, eax
		jz	short loc_43CAFE
		push	ebx
		push	esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopWorkerSpinLock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, _PopWorkerStatus
		test	ecx, ecx
		jns	short loc_43CB46
		push	1
		and	ecx, 7FFFFFFFh
		push	offset _PopPolicyWorker
		mov	_PopWorkerStatus, ecx
		call	ExQueueWorkItem

loc_43CB46:				; CODE XREF: PopCheckForWork+40j
		test	ds:byte_70EFC6,	1
		jnz	loc_5AB22D
		xor	eax, eax
		lock and [esi],	eax

loc_43CB58:				; CODE XREF: PopCheckForWork+16E74Bj
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
PopCheckForWork	endp

; 
		align 8
; Exported entry 965. IoReportTargetDeviceChangeAsynchronous

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoReportTargetDeviceChangeAsynchronous
IoReportTargetDeviceChangeAsynchronous proc near ; CODE	XREF: .text:005DD7D2p
					; FsRtlNotifyVolumeEventEx+4Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005AB23C SIZE 00000198 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		test	esi, esi
		jz	loc_5AB39C
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_5AB2C1
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_5AB2C1
		mov	ebx, [ebp+arg_4]
		mov	eax, (offset loc_4055E5+3)
		lea	edi, [ebx+4]
		cmp	edi, eax
		jz	loc_43CC35
		push	10h		; Length
		push	eax		; Source2
		push	edi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		sub	eax, 10h
		neg	eax
		sbb	eax, eax
		add	eax, 1
		jnz	short loc_43CC35
		mov	eax, offset _GUID_TARGET_DEVICE_REMOVE_CANCELLED
		cmp	edi, eax
		jz	short loc_43CC35
		push	10h		; Length
		push	eax		; Source2
		push	edi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jz	short loc_43CC35
		mov	eax, offset _GUID_TARGET_DEVICE_REMOVE_COMPLETE
		cmp	edi, eax
		jz	short loc_43CC35
		push	10h		; Length
		push	eax		; Source2
		push	edi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jz	short loc_43CC35
		movzx	eax, word ptr [ebx+2]
		push	1Ch
		pop	edx
		cmp	ax, dx
		jb	short loc_43CC35
		mov	ecx, [ebx+18h]
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_5AB23C

loc_43CC0D:				; CODE XREF: IoReportTargetDeviceChangeAsynchronous+16E6DEj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jz	loc_5AB24B
		push	ebx		; void *
		push	[ebp+arg_C]	; int
		xor	edx, edx
		mov	ecx, esi
		push	[ebp+arg_8]	; int
		push	0		; int
		call	PnpSetCustomTargetEvent

loc_43CC2D:				; CODE XREF: IoReportTargetDeviceChangeAsynchronous+D2j
					; IoReportTargetDeviceChangeAsynchronous+16E74Aj ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	10h
; 

loc_43CC35:				; CODE XREF: IoReportTargetDeviceChangeAsynchronous+44j
					; IoReportTargetDeviceChangeAsynchronous+5Dj ...
		mov	eax, 0C0000010h
		jmp	short loc_43CC2D
IoReportTargetDeviceChangeAsynchronous endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 133. KeInitializeGuardedMutex

;  S U B	R O U T	I N E 


; __fastcall KeInitializeGuardedMutex(x)
		public @KeInitializeGuardedMutex@4
@KeInitializeGuardedMutex@4 proc near	; CODE XREF: PAGE:00763BB8p
					; PiUEventInitClientRegistrationContext+78p ...
		xor	eax, eax
		xor	edx, edx
		push	eax
		inc	edx
		mov	[ecx+4], eax
		mov	[ecx+8], eax
		lea	eax, [ecx+0Ch]
		push	edx
		push	eax
		mov	[ecx], edx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		retn
@KeInitializeGuardedMutex@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PiUEventShouldQueueEvent(x)
_PiUEventShouldQueueEvent@4 proc near	; CODE XREF: PAGE:00763B57p
		xor	edx, edx
		inc	edx
		cmp	_PiUEventBroadcastSubscriberPresent, 0
		jz	short loc_43CC6B

loc_43CC68:				; CODE XREF: PiUEventShouldQueueEvent(x):loc_43CC8Fj
					; PiUEventShouldQueueEvent(x)+38j ...
		mov	al, dl
		retn
; 

loc_43CC6B:				; CODE XREF: PiUEventShouldQueueEvent(x)+Aj
		mov	eax, [ecx+58h]
		cmp	eax, edx
		jz	short loc_43CCAB
		cmp	eax, 2
		jz	short loc_43CCA2
		cmp	eax, 4
		jz	short loc_43CC96
		cmp	eax, 3
		jz	short loc_43CCAB
		cmp	eax, 9
		jnz	short loc_43CC8F
		cmp	_PiUEventDevInstancePropertyClientCount, 0
		jmp	short loc_43CC9D
; 

loc_43CC8F:				; CODE XREF: PiUEventShouldQueueEvent(x)+28j
		jle	short loc_43CC68
		cmp	eax, 0Bh
		jg	short loc_43CC68

loc_43CC96:				; CODE XREF: PiUEventShouldQueueEvent(x)+1Ej
		cmp	_PiUEventDevInstanceClientCount, 0

loc_43CC9D:				; CODE XREF: PiUEventShouldQueueEvent(x)+31j
					; PiUEventShouldQueueEvent(x)+4Dj ...
		setnbe	dl
		jmp	short loc_43CC68
; 

loc_43CCA2:				; CODE XREF: PiUEventShouldQueueEvent(x)+19j
		cmp	_PiUEventDevInterfaceClientCount, 0
		jmp	short loc_43CC9D
; 

loc_43CCAB:				; CODE XREF: PiUEventShouldQueueEvent(x)+14j
					; PiUEventShouldQueueEvent(x)+23j
		cmp	_PiUEventDevHandleClientCount, 0
		jmp	short loc_43CC9D
_PiUEventShouldQueueEvent@4 endp


;  S U B	R O U T	I N E 


; __stdcall PnpFreeWatchdog(x)
_PnpFreeWatchdog@4 proc	near		; CODE XREF: PAGE:00763EB8p
					; PnpCallDriverEntry(x,x)+40p ...
		push	57647050h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
_PnpFreeWatchdog@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdtpArmTimer(x, x)
_WdtpArmTimer@8	proc near		; CODE XREF: PnpEnableWatchdog(x,x)+2Ap
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, edx
		mov	edx, 2710h
		mul	edx
		push	esi
		xor	esi, esi
		neg	eax
		push	esi
		push	esi
		push	esi
		adc	edx, esi
		neg	edx
		push	edx
		push	eax
		push	dword ptr [ecx+20h]
		call	ExSetTimer
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_WdtpArmTimer@8	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 343. ExDeleteTimer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExDeleteTimer
ExDeleteTimer	proc near		; CODE XREF: PnpCancelWatchdog+14p
					; NtQueryPerformanceCounter+126p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	ExpCheckForFreedEnhancedTimer
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jnz	loc_5AB3AC

loc_43CD10:				; CODE XREF: IoReportTargetDeviceChangeAsynchronous+16E867j
		mov	dl, [ebp+arg_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_8]
		mov	ecx, esi
		mov	[ebp+var_8], offset _ExpFinalizeTimerDeletion@4	; ExpFinalizeTimerDeletion(x)
		mov	[ebp+var_4], esi
		call	KeDisableTimer2
		pop	esi
		leave
		retn	10h
ExDeleteTimer	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 434. ExSetTimer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExSetTimer
ExSetTimer	proc near		; CODE XREF: WdtpArmTimer(x,x)+23p
					; RtlpHpScheduleCompaction(x)+89p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005AB3D4 SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		test	ebx, ebx
		jl	short loc_43CD5C
		jg	loc_5AB3D4
		test	edi, edi
		jnz	loc_5AB3D4

loc_43CD5C:				; CODE XREF: ExSetTimer+16j
		mov	edx, [ebp+arg_0]

loc_43CD5F:				; CODE XREF: ExSetTimer+16E6A5j
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jg	short loc_43CD77
		mov	eax, [ebp+arg_C]
		jl	loc_5AB405
		test	eax, eax
		jb	loc_5AB405

loc_43CD77:				; CODE XREF: ExSetTimer+2Ej
		mov	esi, [ebp+arg_14]
		test	esi, esi
		jz	short loc_43CD8D
		mov	ecx, esi
		call	_ExpTimerSetParametersAreValid@4 ; ExpTimerSetParametersAreValid(x)
		test	al, al
		jz	loc_5AB3F4

loc_43CD8D:				; CODE XREF: ExSetTimer+46j
		mov	ecx, edx
		call	ExpCheckForFreedEnhancedTimer
		push	esi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ebx
		push	edi
		push	[ebp+arg_0]
		call	KeSetTimer2
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
ExSetTimer	endp


;  S U B	R O U T	I N E 


ExpCheckForFreedEnhancedTimer proc near	; CODE XREF: ExDeleteTimer+Ep
					; ExSetTimer+59p ...

; FUNCTION CHUNK AT 005AB418 SIZE 0000002C BYTES

		mov	al, [ecx+60h]
		cmp	al, ds:_ExpTimerFreedCookie
		jnz	loc_5AB418
		retn
ExpCheckForFreedEnhancedTimer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpAllocateWatchdog proc near		; CODE XREF: PnpEnableWatchdog(x,x)+9p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, 57647050h
		push	ebx
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_43CE24
		push	6
		xor	eax, eax
		mov	[ebp+var_18], esi
		pop	ecx
		mov	edi, esi
		mov	[ebp+var_10], offset _PnpWatchdogWorkItem@4 ; PnpWatchdogWorkItem(x)
		rep stosd
		mov	eax, _PnpWatchdogTimeoutFirstChance
		xor	cl, cl
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], offset _PnpWatchdogBugcheck@4 ; PnpWatchdogBugcheck(x)
		call	_PnpQueryWatchdogTimeout@4 ; PnpQueryWatchdogTimeout(x)
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_8], eax
		call	PnpWatchdogTimerAllocate
		mov	[esi+8], eax
		test	eax, eax
		jz	loc_5AB436

loc_43CE24:				; CODE XREF: PnpAllocateWatchdog+25j
					; ExpCheckForFreedEnhancedTimer+16E691j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
PnpAllocateWatchdog endp

; 
		align 10h
; Exported entry 328. ExAllocateTimer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExAllocateTimer
ExAllocateTimer	proc near		; CODE XREF: WdtpAllocateTimer+35p
					; CreateTlgAggregateSession+BEp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= word ptr  14h
arg_E		= word ptr  16h

; FUNCTION CHUNK AT 0043CE78 SIZE 00000084 BYTES
; FUNCTION CHUNK AT 0043D013 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 005AB444 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_8], 2
		jnz	loc_5AB444
		push	dword ptr [ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ExAllocateTimerInternal2
		pop	ebp
		retn	0Ch
ExAllocateTimer	endp ; sp = -10h

; 
		align 8
; Exported entry   4.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExAllocateTimerInternal2
ExAllocateTimerInternal2 proc near	; CODE XREF: ExAllocateTimer+1Ap
					; ExpHeapGCInitialization()+10p ...

arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		mov	ecx, edi
		call	_ExpExTimerAttributesAreValid@4	; ExpExTimerAttributesAreValid(x)
		test	al, al
		jz	loc_5AB476
		jmp	loc_5AB458
ExAllocateTimerInternal2 endp

; 
; START	OF FUNCTION CHUNK FOR ExAllocateTimer

loc_43CE78:				; CODE XREF: ExAllocateTimer+16E640j
		mov	eax, large fs:20h
		xor	ebx, ebx
		push	ebx
		mov	ecx, 200h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	6D547845h
		push	68h
		pop	edx
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jz	short loc_43CED1
		mov	edx, [ebp+arg_0]
		push	edi
		cmp	[ebp+var_4], ebx
		jnz	short loc_43CEDA
		push	[ebp+arg_4]
		mov	ecx, esi
		mov	[esi+2], bx
		call	_KiInitializeTimer2@16 ; KiInitializeTimer2(x,x,x,x)

loc_43CEC3:				; CODE XREF: ExAllocateTimer+CAj
		mov	al, ds:_ExpTimerFreedCookie
		mov	[esi+58h], ebx
		mov	[esi+5Ch], ebx
		mov	[esi+60h], al

loc_43CED1:				; CODE XREF: ExAllocateTimer+7Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_43CEDA:				; CODE XREF: ExAllocateTimer+83j
		mov	eax, dword ptr [ebp+arg_8]
		mov	cx, [eax]
		mov	[ebp+arg_C], cx
		mov	cx, [eax+2]
		lea	eax, [ebp+arg_C]
		push	eax
		push	[ebp+arg_4]
		mov	[ebp+arg_E], cx
		mov	ecx, esi
		call	_KeInitializeIRTimer@20	; KeInitializeIRTimer(x,x,x,x,x)
		jmp	short loc_43CEC3
; END OF FUNCTION CHUNK	FOR ExAllocateTimer

;  S U B	R O U T	I N E 


; __stdcall PnpQueryWatchdogTimeout(x)
_PnpQueryWatchdogTimeout@4 proc	near	; CODE XREF: PnpAllocateWatchdog+4Bp
		test	cl, cl
		jnz	short loc_43CF13
		call	_PnpIsWatchdogBugcheckEnabled@0	; PnpIsWatchdogBugcheckEnabled()
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, _PnpWatchdogTimeoutSecondChance
		retn
; 

loc_43CF13:				; CODE XREF: PnpQueryWatchdogTimeout(x)+2j
		mov	eax, _PnpWatchdogTimeoutFirstChance
		retn
_PnpQueryWatchdogTimeout@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnpIsWatchdogBugcheckEnabled()
_PnpIsWatchdogBugcheckEnabled@0	proc near ; CODE XREF: PnpQueryWatchdogTimeout(x)+4p
		xor	al, al
		cmp	byte ptr ds:dword_7051D4, al
		jnz	short loc_43CF34
		cmp	_PnpSetupOOBEInProgress, al
		jnz	short loc_43CF45
		cmp	_PnpSetupInProgress, al
		jnz	short loc_43CF45

loc_43CF34:				; CODE XREF: PnpIsWatchdogBugcheckEnabled()+8j
					; PnpIsWatchdogBugcheckEnabled()+2Dj
		mov	ecx, _PnpWatchdogBugcheckConfig
		sub	ecx, 0
		jz	short loc_43CF4C
		sub	ecx, 1
		jz	short loc_43CF49
		retn
; 

loc_43CF45:				; CODE XREF: PnpIsWatchdogBugcheckEnabled()+10j
					; PnpIsWatchdogBugcheckEnabled()+18j
		mov	al, 1
		jmp	short loc_43CF34
; 

loc_43CF49:				; CODE XREF: PnpIsWatchdogBugcheckEnabled()+28j
		mov	al, 1
		retn
; 

loc_43CF4C:				; CODE XREF: PnpIsWatchdogBugcheckEnabled()+23j
		xor	al, al
		retn
_PnpIsWatchdogBugcheckEnabled@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopSetWatchdog	proc near		; CODE XREF: PopPowerInformationInternal+14Fp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 0043D01A SIZE 00000168 BYTES
; FUNCTION CHUNK AT 005AB48F SIZE 000000AC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_2], bl
		mov	[ebp+var_18], ebx
		push	edi
		mov	edi, 44574F50h
		test	esi, esi
		jz	loc_43D0B7
		mov	edi, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		call	edi
		mov	ebx, offset _PopWatchdogLock
		mov	[ebp+var_1], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_43CF95:				; CODE XREF: PopSetWatchdog+1FCj
		cmp	dword ptr [esi+8], 44574F50h
		jnz	loc_5AB48F
		mov	eax, [ebp+var_8]
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_43D01A

loc_43CFAB:				; CODE XREF: PopSetWatchdog+CEj
		cmp	dword ptr [esi+8Ch], 19Ch
		jz	loc_5AB496

loc_43CFBB:				; CODE XREF: PopSetWatchdog+16E54Fj
					; PopSetWatchdog+16E57Ej
		lea	ecx, [esi+20h]
		mov	byte ptr [esi+80h], 0
		push	ecx
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jnz	loc_43D0A7

loc_43CFD3:				; CODE XREF: PopSetWatchdog+162j
		cmp	dword ptr [esi+14h], 0
		jz	loc_5AB4D3

loc_43CFDD:				; CODE XREF: PopSetWatchdog+16E5C1j
		cmp	[ebp+arg_0], 0
		jnz	loc_43D151

loc_43CFE7:				; CODE XREF: PopSetWatchdog+141j
					; PopSetWatchdog+152j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5AB516
		xor	ecx, ecx
		mov	eax, offset _PopWatchdogLock
		lock and [eax],	ecx

loc_43CFFE:				; CODE XREF: PopSetWatchdog+16E5D3j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_2], 0
		jnz	loc_5AB528

loc_43D011:				; CODE XREF: PopSetWatchdog+16E5E6j
		mov	eax, esi
PopSetWatchdog	endp

; START	OF FUNCTION CHUNK FOR ExAllocateTimer

loc_43D013:				; CODE XREF: ExAllocateTimer+16E65Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; END OF FUNCTION CHUNK	FOR ExAllocateTimer
; 
; START	OF FUNCTION CHUNK FOR PopSetWatchdog

loc_43D01A:				; CODE XREF: PopSetWatchdog+59j
		cmp	[ebp+arg_0], 0
		jnz	short loc_43CFAB
		mov	ecx, 2710h
		lea	edi, [esi+84h]
		mov	esi, [ebp+var_8]
		mul	ecx
		push	0Ah
		pop	ecx
		rep movsd
		mov	dword ptr [ebp+arg_0], eax
		mov	ebx, edx
		call	KeQueryInterruptTime
		mov	esi, [ebp+var_C]
		mov	[esi+0B4h], edx
		mov	edx, dword ptr [ebp+arg_0]
		mov	ecx, edx
		add	ecx, eax
		mov	[esi+0B0h], eax
		mov	eax, ebx
		mov	[esi+78h], ecx
		adc	eax, [esi+0B4h]
		lea	ecx, [esi+20h]
		neg	edx
		mov	[esi+7Ch], eax
		mov	eax, large fs:124h
		adc	ebx, 0
		mov	[esi+0B8h], eax
		neg	ebx
		mov	byte ptr [esi+80h], 1
		push	ebx
		push	edx
		lea	eax, [esi+48h]
		xor	edx, edx
		push	eax
		push	0
		call	KiSetTimerEx
		test	al, al
		jnz	loc_43CFE7
		mov	ecx, esi
		mov	byte ptr [esi+0Ch], 1
		call	_PopUpdateWatchdogNoWorkersEvent@4 ; PopUpdateWatchdogNoWorkersEvent(x)
		jmp	loc_43CFE7
; 

loc_43D0A7:				; CODE XREF: PopSetWatchdog+7Dj
		mov	ecx, esi
		mov	byte ptr [esi+0Ch], 0
		call	_PopUpdateWatchdogNoWorkersEvent@4 ; PopUpdateWatchdogNoWorkersEvent(x)
		jmp	loc_43CFD3
; 

loc_43D0B7:				; CODE XREF: PopSetWatchdog+28j
		push	edi
		push	0C0h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], eax
		test	esi, esi
		jz	loc_5AB488
		push	0C0h		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+8], edi
		lea	eax, [esi+10h]
		push	1
		push	ebx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		lea	eax, [esi+20h]
		push	eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	esi
		push	offset _PopWatchdogDpc@16 ; PopWatchdogDpc(x,x,x,x)
		lea	eax, [esi+48h]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	edi, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	dword ptr [esi+70h], offset _PopWatchdogWorker@4 ; PopWatchdogWorker(x)
		mov	[esi+74h], esi
		mov	[esi+68h], ebx
		call	edi
		mov	ebx, offset _PopWatchdogLock
		mov	[ebp+var_1], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, _PopWatchdogList
		mov	ecx, offset _PopWatchdogList
		cmp	[eax+4], ecx
		jnz	short loc_43D17D
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		mov	_PopWatchdogList, esi
		jmp	loc_43CF95
; 

loc_43D151:				; CODE XREF: PopSetWatchdog+91j
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_43D17D
		cmp	[eax], esi
		jnz	short loc_43D17D
		mov	[eax], ecx
		push	44574F50h
		mov	[ecx+4], eax
		push	esi
		mov	dword ptr [esi+8], 4F4E4F4Eh
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		jmp	loc_43CFE7
; 

loc_43D17D:				; CODE XREF: PopSetWatchdog+1ECj
					; PopSetWatchdog+209j ...
		push	3

loc_43D17F:				; CODE XREF: PopSetWatchdog+16E541j
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
; END OF FUNCTION CHUNK	FOR PopSetWatchdog ; AL	= character to display
; 
		dw 0CCCCh
		align 8
; Exported entry 399. ExNotifyCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExNotifyCallback(x,	x, x)
		public _ExNotifyCallback@12
_ExNotifyCallback@12 proc near		; CODE XREF: IopSessionChangeWorker(x)+12p
					; PopUnlockAfterSleepWorker(x)+23p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_8]
		call	ExNotifyWithProcessing
		pop	ecx
		pop	ebp
		retn	0Ch
_ExNotifyCallback@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExNotifyWithProcessing proc near	; CODE XREF: ExNotifyCallback(x,x,x)+11p
					; PoNotifySystemTimeSet(x,x,x)+4Bp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AB53B SIZE 00000080 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	edi
		test	esi, esi
		jz	loc_43D286
		lea	edi, [esi+8]
		cmp	[edi], edi
		jz	loc_43D286
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [esi+4]
		mov	[ebp+var_1], al
		mov	ecx, ebx
		mov	[ebp+var_C], ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	al, [ebp+var_1]
		mov	esi, [edi]
		cmp	al, 2
		jz	loc_5AB53B
		jmp	short loc_43D267
; 

loc_43D1EC:				; CODE XREF: ExNotifyWithProcessing+C5j
		cmp	byte ptr [esi+18h], 0
		jnz	short loc_43D265
		inc	dword ptr [esi+14h]
		test	ds:byte_70EFC6,	1
		jnz	loc_5AB581
		xor	ecx, ecx
		lock and [ebx],	ecx

loc_43D207:				; CODE XREF: ExNotifyWithProcessing+16E3EAj
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	[ebp+arg_4]
		mov	edx, [esi+10h]
		xor	ecx, ecx
		push	[ebp+arg_0]
		inc	ecx
		push	[ebp+var_8]
		call	_ExpCallProcessing@20 ;	ExpCallProcessing(x,x,x,x,x)
		push	[ebp+arg_0]
		push	[ebp+var_8]
		push	dword ptr [esi+10h]
		call	dword ptr [esi+0Ch]
		push	[ebp+arg_4]
		mov	edx, [esi+10h]
		xor	ecx, ecx
		push	[ebp+arg_0]
		push	[ebp+var_8]
		call	_ExpCallProcessing@20 ;	ExpCallProcessing(x,x,x,x,x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, ebx
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		dec	dword ptr [esi+14h]
		cmp	byte ptr [esi+18h], 0
		mov	eax, [esi+14h]
		jnz	loc_5AB593

loc_43D262:				; CODE XREF: ExNotifyWithProcessing+16E3F1j
					; ExNotifyWithProcessing+16E403j
		mov	al, [ebp+var_1]

loc_43D265:				; CODE XREF: ExNotifyWithProcessing+4Cj
		mov	esi, [esi]

loc_43D267:				; CODE XREF: ExNotifyWithProcessing+46j
		cmp	esi, edi
		jnz	short loc_43D1EC

loc_43D26B:				; CODE XREF: ExNotifyWithProcessing+16E399j
					; ExNotifyWithProcessing+16E3D8j
		test	ds:byte_70EFC6,	1
		jnz	loc_5AB5AC
		xor	eax, eax
		lock and [ebx],	eax

loc_43D27D:				; CODE XREF: ExNotifyWithProcessing+16E412j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_43D286:				; CODE XREF: ExNotifyWithProcessing+12j
					; ExNotifyWithProcessing+1Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
ExNotifyWithProcessing endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCallProcessing(x, x, x, x, x)
_ExpCallProcessing@20 proc near		; CODE XREF: ExNotifyWithProcessing+7Ap
					; ExNotifyWithProcessing+99p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_43D29E

loc_43D29A:				; CODE XREF: ExpCallProcessing(x,x,x,x,x)+18j
					; ExpCallProcessing(x,x,x,x,x)+29j
		pop	ebp
		retn	0Ch
; 

loc_43D29E:				; CODE XREF: ExpCallProcessing(x,x,x,x,x)+Aj
		test	ecx, ecx
		jz	short loc_43D2B9
		mov	ecx, [eax]

loc_43D2A4:				; CODE XREF: ExpCallProcessing(x,x,x,x,x)+2Ej
		test	ecx, ecx
		jz	short loc_43D29A
		push	dword ptr [eax+0Ch]
		push	dword ptr [eax+8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		call	ecx
		jmp	short loc_43D29A
; 

loc_43D2B9:				; CODE XREF: ExpCallProcessing(x,x,x,x,x)+12j
		mov	ecx, [eax+4]
		jmp	short loc_43D2A4
_ExpCallProcessing@20 endp


;  S U B	R O U T	I N E 


; __stdcall PopUmpoMessageCallback(x, x, x)
_PopUmpoMessageCallback@12 proc	near	; DATA XREF: PopUmpoInitializeChannel+16Fo
		call	PopUmpoProcessMessages
		retn	0Ch
_PopUmpoMessageCallback@12 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 176. AlpcGetMessageAttribute

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcGetMessageAttribute(x, x)
		public _AlpcGetMessageAttribute@8
_AlpcGetMessageAttribute@8 proc	near	; CODE XREF: PopUmpoSendPowerMessage+109p
					; PopUmpoProcessMessages+C2p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, [esi]
		test	edx, ecx
		jz	short loc_43D2F7
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	short loc_43D2F7
		imul	eax, ecx, -2
		and	eax, edx
		push	eax
		call	_AlpcGetHeaderSize@4 ; AlpcGetHeaderSize(x)
		add	eax, esi

loc_43D2F2:				; CODE XREF: AlpcGetMessageAttribute(x,x)+2Dj
		pop	esi
		pop	ebp
		retn	8
; 

loc_43D2F7:				; CODE XREF: AlpcGetMessageAttribute(x,x)+10j
					; AlpcGetMessageAttribute(x,x)+17j
		xor	eax, eax
		jmp	short loc_43D2F2
_AlpcGetMessageAttribute@8 endp

; 
		align 10h
; Exported entry 177. AlpcInitializeMessageAttribute

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcInitializeMessageAttribute(x, x, x, x)
		public _AlpcInitializeMessageAttribute@16
_AlpcInitializeMessageAttribute@16 proc	near ; CODE XREF: PopUmpoProcessMessages+6Ap
					; PopUmpoProcessMessages+DDp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi
		call	_AlpcGetHeaderSize@4 ; AlpcGetHeaderSize(x)
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		cmp	eax, [ebp+arg_8]
		ja	short loc_43D32D
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_43D326
		and	dword ptr [eax+4], 0
		mov	[eax], esi

loc_43D326:				; CODE XREF: AlpcInitializeMessageAttribute(x,x,x,x)+1Ej
		xor	eax, eax

loc_43D328:				; CODE XREF: AlpcInitializeMessageAttribute(x,x,x,x)+32j
		pop	esi
		pop	ebp
		retn	10h
; 

loc_43D32D:				; CODE XREF: AlpcInitializeMessageAttribute(x,x,x,x)+17j
		mov	eax, 0C0000023h
		jmp	short loc_43D328
_AlpcInitializeMessageAttribute@16 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 175. AlpcGetHeaderSize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcGetHeaderSize(x)
		public _AlpcGetHeaderSize@4
_AlpcGetHeaderSize@4 proc near		; CODE XREF: AlpcGetMessageAttribute(x,x)+1Fp
					; AlpcInitializeMessageAttribute(x,x,x,x)+Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, ecx
		sar	eax, 1Fh
		and	eax, 0Ch
		add	eax, 8
		test	ecx, 40000000h
		jnz	short loc_43D393

loc_43D355:				; CODE XREF: AlpcGetHeaderSize(x)+5Cj
		test	ecx, 20000000h
		jz	short loc_43D360
		add	eax, 14h

loc_43D360:				; CODE XREF: AlpcGetHeaderSize(x)+21j
		test	ecx, 10000000h
		jnz	short loc_43D384

loc_43D368:				; CODE XREF: AlpcGetHeaderSize(x)+4Dj
		test	ecx, 8000000h
		jnz	short loc_43D389

loc_43D370:				; CODE XREF: AlpcGetHeaderSize(x)+52j
		test	ecx, 4000000h
		jnz	short loc_43D398

loc_43D378:				; CODE XREF: AlpcGetHeaderSize(x)+61j
		test	ecx, 2000000h
		jnz	short loc_43D38E

loc_43D380:				; CODE XREF: AlpcGetHeaderSize(x)+57j
		pop	ebp
		retn	4
; 

loc_43D384:				; CODE XREF: AlpcGetHeaderSize(x)+2Cj
		add	eax, 10h
		jmp	short loc_43D368
; 

loc_43D389:				; CODE XREF: AlpcGetHeaderSize(x)+34j
		add	eax, 18h
		jmp	short loc_43D370
; 

loc_43D38E:				; CODE XREF: AlpcGetHeaderSize(x)+44j
		add	eax, 8
		jmp	short loc_43D380
; 

loc_43D393:				; CODE XREF: AlpcGetHeaderSize(x)+19j
		add	eax, 10h
		jmp	short loc_43D355
; 

loc_43D398:				; CODE XREF: AlpcGetHeaderSize(x)+3Cj
		add	eax, 4
		jmp	short loc_43D378
_AlpcGetHeaderSize@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopIncrementPowerSettingPendingUpdates proc near ; CODE	XREF: PopSetPowerSettingValue+46p
					; PopSetPowerSettingValue+1F6p	...

; FUNCTION CHUNK AT 005AB5BB SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	bl, cl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopPendingPowerSettingUpdateLock
		mov	bh, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lock inc _PopPendingPowerSettingUpdates
		test	bl, bl
		jnz	short loc_43D404

loc_43D3C6:				; CODE XREF: PopIncrementPowerSettingPendingUpdates+6Cj
		cmp	_PopPendingPowerSettingUpdates,	1
		jnz	short loc_43D3E7
		call	KeQueryInterruptTime
		push	3
		pop	ecx
		mov	_PopPendingPowerSettingUpdateTime, eax
		mov	dword_6C2174, edx
		call	PopDeepSleepSetDisengageReason

loc_43D3E7:				; CODE XREF: PopIncrementPowerSettingPendingUpdates+2Fj
		test	ds:byte_70EFC6,	1
		jnz	loc_5AB5BB
		xor	eax, eax
		lock and [esi],	eax

loc_43D3F9:				; CODE XREF: PopIncrementPowerSettingPendingUpdates+16E227j
		mov	cl, bh
		pop	esi
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_43D404:				; CODE XREF: PopIncrementPowerSettingPendingUpdates+26j
		inc	_PopPendingPowerSettingUpdatesQueued
		jmp	short loc_43D3C6
PopIncrementPowerSettingPendingUpdates endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDecrementPowerSettingPendingUpdates proc near ; CODE	XREF: PopSetPowerSettingValue+FAp
					; PopDispatchPowerSettingCallbacks+11p	...

; FUNCTION CHUNK AT 005AB5CA SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	bl, cl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopPendingPowerSettingUpdateLock
		mov	bh, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	edx, edx
		test	bl, bl
		jnz	short loc_43D46F
		lock dec _PopPendingPowerSettingUpdates

loc_43D436:				; CODE XREF: PopDecrementPowerSettingPendingUpdates+79j
		cmp	_PopPendingPowerSettingUpdates,	edx
		jnz	short loc_43D452
		push	3
		pop	ecx
		mov	_PopPendingPowerSettingUpdateTime, edx
		mov	dword_6C2174, edx
		call	PopDeepSleepClearDisengageReason

loc_43D452:				; CODE XREF: PopDecrementPowerSettingPendingUpdates+30j
		test	ds:byte_70EFC6,	1
		jnz	loc_5AB5CA
		xor	eax, eax
		lock and [esi],	eax

loc_43D464:				; CODE XREF: PopDecrementPowerSettingPendingUpdates+16E1C8j
		mov	cl, bh
		pop	esi
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_43D46F:				; CODE XREF: PopDecrementPowerSettingPendingUpdates+21j
		mov	eax, _PopPendingPowerSettingUpdatesQueued
		mov	ecx, offset _PopPendingPowerSettingUpdates
		neg	eax
		lock xadd [ecx], eax
		mov	_PopPendingPowerSettingUpdatesQueued, edx
		jmp	short loc_43D436
PopDecrementPowerSettingPendingUpdates endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDeepSleepSetDisengageReason proc near
					; CODE XREF: PopIncrementPowerSettingPendingUpdates+44p
					; PopSetPowerActionState(x)+18p ...

; FUNCTION CHUNK AT 005AB5D9 SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopDeepSleepDisengageReasonLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edi, _PopDeepSleepDisengageReasonMask
		mov	edx, edi
		bts	edx, esi
		mov	_PopDeepSleepDisengageReasonMask, edx
		cmp	edi, edx
		jz	short loc_43D4D2
		mov	ecx, esi
		call	PopDiagTraceSetDeepSleepConstraint
		mov	dl, 1
		mov	ecx, esi
		call	PopDeepSleepResiliencyPhaseAccountingUpdate
		test	edi, edi
		jz	loc_5AB5D9

loc_43D4D2:				; CODE XREF: PopDeepSleepSetDisengageReason+30j
					; PopDeepSleepSetDisengageReason+16E16Dj ...
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopDeepSleepDisengageReasonLock
		jnz	loc_5AB613
		xor	eax, eax
		lock and [ecx],	eax

loc_43D4E9:				; CODE XREF: PopDeepSleepSetDisengageReason+16E193j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
PopDeepSleepSetDisengageReason endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDeepSleepClearDisengageReason proc near
					; CODE XREF: PopDecrementPowerSettingPendingUpdates+41p
					; PopSetPowerActionState(x):loc_553011p ...

; FUNCTION CHUNK AT 005AB620 SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		inc	esi
		mov	edi, ecx
		shl	esi, cl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopDeepSleepDisengageReasonLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, _PopDeepSleepDisengageReasonMask
		not	esi
		and	esi, ecx
		mov	_PopDeepSleepDisengageReasonMask, esi
		cmp	ecx, esi
		jz	short loc_43D54B
		mov	ecx, edi
		call	PopDiagTraceClearDeepSleepConstraint
		xor	dl, dl
		mov	ecx, edi
		call	PopDeepSleepResiliencyPhaseAccountingUpdate
		cmp	_PopDeepSleepDisengageReasonMask, 0
		jz	loc_5AB620

loc_43D54B:				; CODE XREF: PopDeepSleepClearDisengageReason+34j
					; PopDeepSleepClearDisengageReason+16E144j ...
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopDeepSleepDisengageReasonLock
		jnz	loc_5AB65A
		xor	eax, eax
		lock and [ecx],	eax

loc_43D562:				; CODE XREF: PopDeepSleepClearDisengageReason+16E16Aj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
PopDeepSleepClearDisengageReason endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDeepSleepResiliencyPhaseAccountingUpdate proc near
					; CODE XREF: PopDeepSleepSetDisengageReason+3Dp
					; PopDeepSleepClearDisengageReason+41p

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005AB667 SIZE 000000BF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_1], dl
		push	edi
		inc	ebx
		mov	edi, ecx
		xor	esi, esi
		shl	ebx, cl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopCsResiliencyStatsLock
		mov	[ebp+var_2], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, dword_6C23FC
		mov	[ebp+var_8], eax
		test	ebx, eax
		jnz	loc_5AB667

loc_43D5AA:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+16E169j
					; PopDeepSleepResiliencyPhaseAccountingUpdate+16E1A4j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopCsResiliencyStatsLock
		jnz	loc_5AB719
		xor	eax, eax
		lock and [ecx],	eax

loc_43D5C1:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+16E1B1j
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopDeepSleepResiliencyPhaseAccountingUpdate endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceClearDeepSleepConstraint proc near
					; CODE XREF: PopDeepSleepClearDisengageReason+38p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AB726 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_18], ecx
		jz	short loc_43D615
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, (offset _GUID_DISK_POWERDOWN_TIMEOUT+10h)
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5AB726

loc_43D612:				; CODE XREF: PopDiagTraceClearDeepSleepConstraint+16E17Aj
		pop	edi
		pop	esi
		pop	ebx

loc_43D615:				; CODE XREF: PopDiagTraceClearDeepSleepConstraint+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTraceClearDeepSleepConstraint endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceSetDeepSleepConstraint proc	near ; CODE XREF: PopDeepSleepSetDisengageReason+34p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AB74F SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_18], ecx
		jz	short loc_43D667
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_DEEP_SLEEP_SET_CONSTRAINT
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5AB74F

loc_43D664:				; CODE XREF: PopDiagTraceSetDeepSleepConstraint+16E151j
		pop	edi
		pop	esi
		pop	ebx

loc_43D667:				; CODE XREF: PopDiagTraceSetDeepSleepConstraint+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTraceSetDeepSleepConstraint endp

; 
		align 4

;  S U B	R O U T	I N E 


PpmInfoApplyMinMaxConstraint proc near	; CODE XREF: PpmInfoWriteData+40p
					; PpmInfoWriteData+59p	...

; FUNCTION CHUNK AT 005AB778 SIZE 00000013 BYTES

		mov	eax, [edx+8]
		cmp	ecx, eax
		jb	short loc_43D68B
		push	esi
		mov	esi, [edx+0Ch]
		cmp	ecx, esi
		ja	loc_5AB778

loc_43D687:				; CODE XREF: PpmInfoApplyMinMaxConstraint+16E10Aj
					; PpmInfoApplyMinMaxConstraint+16E112j
		pop	esi

loc_43D688:				; CODE XREF: PpmInfoApplyMinMaxConstraint+19j
		mov	eax, ecx
		retn
; 

loc_43D68B:				; CODE XREF: PpmInfoApplyMinMaxConstraint+5j
		mov	ecx, eax
		jmp	short loc_43D688
PpmInfoApplyMinMaxConstraint endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 166. PoNotifyVSyncChange

;  S U B	R O U T	I N E 


; __fastcall PoNotifyVSyncChange(x)
		public @PoNotifyVSyncChange@4
@PoNotifyVSyncChange@4 proc near
		mov	edi, edi
		push	ebx
		push	esi
		mov	bl, cl
		mov	esi, offset _PopFxSystemLatencyLock
		mov	ecx, esi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	_PopFxVSyncEnabled, bl
		call	PoFxSendSystemLatencyUpdate
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	_PpmReleaseLock@4 ; PpmReleaseLock(x)
@PoNotifyVSyncChange@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoFxSendSystemLatencyUpdate proc near	; CODE XREF: PoNotifyVSyncChange(x)+18p
					; PopDeepSleepEvaluateCallback(x)+93p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AB78B SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		cmp	byte_6C2E34, 0
		push	ebx
		push	esi
		jnz	loc_5AB78B

loc_43D6D3:				; CODE XREF: PoFxSendSystemLatencyUpdate+16E0EAj
		call	_PopFxGetLatencyLimitWithoutResiliency@0 ; PopFxGetLatencyLimitWithoutResiliency()
		mov	esi, eax

loc_43D6DA:				; CODE XREF: PoFxSendSystemLatencyUpdate+16E0F6j
		mov	eax, _PopFxSystemLatencyLimit
		cmp	esi, eax
		jz	short loc_43D71E
		call	@PpmGetExitSamplingCountdown@0 ; PpmGetExitSamplingCountdown()
		test	eax, eax
		jnz	loc_5AB7B5
		xor	bl, bl

loc_43D6F2:				; CODE XREF: PoFxSendSystemLatencyUpdate+16E104j
					; PoFxSendSystemLatencyUpdate+16E11Ej
		mov	edx, esi
		xor	cl, cl
		call	PopDiagTraceSystemLatencyUpdate
		push	0
		push	esi
		mov	_PopFxSystemLatencyHint, esi
		call	PoFxSystemLatencyNotify
		mov	bh, al
		call	_PpmIdleUsingStateSelection@0 ;	PpmIdleUsingStateSelection()
		test	al, al
		jnz	short loc_43D724
		test	bh, bh
		jnz	short loc_43D724

loc_43D718:				; CODE XREF: PoFxSendSystemLatencyUpdate+6Cj
					; PoFxSendSystemLatencyUpdate+16E12Aj
		mov	_PopFxSystemLatencyLimit, esi

loc_43D71E:				; CODE XREF: PoFxSendSystemLatencyUpdate+27j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_43D724:				; CODE XREF: PoFxSendSystemLatencyUpdate+58j
					; PoFxSendSystemLatencyUpdate+5Cj
		test	bl, bl
		jz	short loc_43D718
		jmp	loc_5AB7DD
PoFxSendSystemLatencyUpdate endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopFxGetLatencyLimitWithoutResiliency()
_PopFxGetLatencyLimitWithoutResiliency@0 proc near
					; CODE XREF: PoFxSendSystemLatencyUpdate:loc_43D6D3p
		cmp	byte_6C2D4E, 0
		jnz	short loc_43D754
		cmp	ds:_PpmDisableVsyncLatencyUpdate, 0
		jnz	short loc_43D74E
		cmp	_PopFxVSyncEnabled, 0
		mov	eax, ds:dword_7054E4
		jnz	short locret_43D753

loc_43D74E:				; CODE XREF: PopFxGetLatencyLimitWithoutResiliency()+10j
		mov	eax, ds:_PpmLatencyToleranceLimit

locret_43D753:				; CODE XREF: PopFxGetLatencyLimitWithoutResiliency()+1Ej
		retn
; 

loc_43D754:				; CODE XREF: PopFxGetLatencyLimitWithoutResiliency()+7j
		mov	eax, ds:dword_7054E8
		retn
_PopFxGetLatencyLimitWithoutResiliency@0 endp


;  S U B	R O U T	I N E 


; __stdcall PpmIdleUsingStateSelection()
_PpmIdleUsingStateSelection@0 proc near	; CODE XREF: PoFxSendSystemLatencyUpdate+51p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PpmIdlePolicyLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	eax, large fs:20h
		mov	eax, [eax+3D70h]
		test	eax, eax
		jz	short loc_43D7AA
		cmp	byte ptr [eax],	1
		setz	bl

loc_43D78E:				; CODE XREF: PpmIdleUsingStateSelection()+52j
		cmp	dword_6C2ADC, 0
		jnz	short loc_43D7AE

loc_43D797:				; CODE XREF: PpmIdleUsingStateSelection()+5Bj
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_43D7AA:				; CODE XREF: PpmIdleUsingStateSelection()+2Cj
		xor	bl, bl
		jmp	short loc_43D78E
; 

loc_43D7AE:				; CODE XREF: PpmIdleUsingStateSelection()+3Bj
		and	dword_6C2ADC, 0
		jmp	short loc_43D797
_PpmIdleUsingStateSelection@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoFxSystemLatencyNotify	proc near	; CODE XREF: PoFxSendSystemLatencyUpdate+4Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AB7E9 SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	bl, bl
		dec	word ptr [eax+13Ch]
		push	edi
		nop
		mov	edi, offset _PopFxPluginLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopFxPluginList
		cmp	esi, offset _PopFxPluginList
		jnz	short loc_43D821

loc_43D7EE:				; CODE XREF: PoFxSystemLatencyNotify+16E073j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_43D818

loc_43D7FC:				; CODE XREF: PoFxSystemLatencyNotify+67j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
; 

loc_43D818:				; CODE XREF: PoFxSystemLatencyNotify+42j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_43D7FC
; 

loc_43D821:				; CODE XREF: PoFxSystemLatencyNotify+34j
		mov	edi, [ebp+arg_4]
		jmp	loc_5AB7E9
PoFxSystemLatencyNotify	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceSystemLatencyUpdate	proc near ; CODE XREF: PoFxSendSystemLatencyUpdate+3Cp
					; PopDiagTraceControlCallback+53p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AB830 SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	[ebp+var_18], edx
		mov	bl, cl
		jz	short loc_43D873
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		test	bl, bl
		jnz	short loc_43D880
		push	offset _POP_ETW_EVENT_SYSTEM_LATENCY_UPDATE

loc_43D862:				; CODE XREF: PopDiagTraceSystemLatencyUpdate+5Bj
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5AB830

loc_43D871:				; CODE XREF: PopDiagTraceSystemLatencyUpdate+16E039j
		pop	edi
		pop	esi

loc_43D873:				; CODE XREF: PopDiagTraceSystemLatencyUpdate+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_43D880:				; CODE XREF: PopDiagTraceSystemLatencyUpdate+31j
		push	offset _POP_ETW_EVENT_SYSTEM_LATENCY_RUNDOWN
		jmp	short loc_43D862
PopDiagTraceSystemLatencyUpdate	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall PpmGetExitSamplingCountdown()
@PpmGetExitSamplingCountdown@0 proc near ; CODE	XREF: PoFxSendSystemLatencyUpdate+29p
					; PpmPrepareExitLatencyTrace(x):loc_64CAFFp
		mov	ecx, _PpmExitLatencySamplingPercentage
		xor	eax, eax
		cmp	ecx, 64h
		ja	short loc_43D89A

loc_43D895:				; CODE XREF: PpmGetExitSamplingCountdown()+15j
		test	ecx, ecx
		jnz	short loc_43D89F
		retn
; 

loc_43D89A:				; CODE XREF: PpmGetExitSamplingCountdown()+Bj
		push	64h
		pop	ecx
		jmp	short loc_43D895
; 

loc_43D89F:				; CODE XREF: PpmGetExitSamplingCountdown()+Fj
		push	64h
		pop	eax
		xor	edx, edx
		div	ecx
		retn
@PpmGetExitSamplingCountdown@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PpmAcquireLock(x)
_PpmAcquireLock@4 proc near		; CODE XREF: PoNotifyVSyncChange(x)+Dp
					; PpmMediaBufferingWorker+95p ...
		mov	eax, large fs:124h
		push	esi
		mov	esi, ecx
		dec	word ptr [eax+13Eh]
		nop
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esi+4]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, large fs:124h
		mov	[esi], eax
		pop	esi
		retn
_PpmAcquireLock@4 endp

; 
		align 8
; Exported entry 1976. RtlCheckTokenMembership

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCheckTokenMembership(x, x, x)
		public _RtlCheckTokenMembership@12
_RtlCheckTokenMembership@12 proc near	; CODE XREF: PopPowerInformationInternal+2BCp
					; ExCheckFullProcessInformationAccess+3Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_RtlCheckTokenMembershipEx@16 ;	RtlCheckTokenMembershipEx(x,x,x,x)
		pop	ebp
		retn	0Ch
_RtlCheckTokenMembership@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1977. RtlCheckTokenMembershipEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCheckTokenMembershipEx(x, x, x, x)
		public _RtlCheckTokenMembershipEx@16
_RtlCheckTokenMembershipEx@16 proc near	; CODE XREF: RtlCheckTokenMembership(x,x,x)+10p
					; ExpUmdfSidCheck()+1Cp ...

var_1DE		= byte ptr -1DEh
var_1DD		= byte ptr -1DDh
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= byte ptr -17Ch
var_17B		= byte ptr -17Bh
var_178		= dword	ptr -178h
var_130		= dword	ptr -130h
var_3C		= dword	ptr -3Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1E4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1E4h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	[esp+1F0h+var_1D4], eax
		push	44h		; size_t
		lea	eax, [esp+1F4h+var_178]
		mov	[esp+1F4h+var_1DC], esi
		push	edi		; int
		push	eax		; void *
		mov	[esp+1FCh+var_1C4], ebx
		mov	[esp+1FCh+var_1C8], edi
		mov	[esp+1FCh+var_1CC], edi
		call	_memset
		push	0ECh		; size_t
		lea	eax, [esp+200h+var_130]
		push	edi		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [esp+208h+var_1B0]
		add	esp, 18h
		xor	edx, edx
		mov	[esp+1F0h+var_1D8], edx
		mov	[esp+1F0h+var_1D0], edx
		mov	[ebx], dl
		push	6
		pop	ecx
		rep stosd
		lea	edi, [esp+1F0h+var_184]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+1F0h+var_198]
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		test	[ebp+arg_8], 0FFFFFFFCh
		lea	edi, [esp+1F0h+var_1C0]
		stosd
		stosd
		stosd
		stosd
		jz	short loc_43D99D
		mov	eax, 0C000000Dh
		jmp	loc_43DBE1
; 

loc_43D99D:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+9Bj
		mov	[esp+1F0h+var_1DD], dl
		push	2
		pop	ecx
		test	esi, esi
		jz	short loc_43DA11
		lea	eax, [esp+1F0h+var_184]
		mov	[esp+1F0h+var_1B0], 18h
		mov	[esp+1F0h+var_19C], eax
		xor	ebx, ebx
		lea	eax, [esp+1F0h+var_1D8]
		mov	[esp+1F0h+var_1AC], edx
		push	eax
		push	ecx
		push	edx
		lea	eax, [esp+1FCh+var_1B0]
		mov	[esp+1FCh+var_1A4], 200h
		push	eax
		push	8
		inc	ebx
		mov	[esp+204h+var_1A8], edx
		push	esi
		mov	[esp+208h+var_1A0], edx
		mov	[esp+208h+var_184], 0Ch
		mov	[esp+208h+var_180], ecx
		mov	[esp+208h+var_17C], bl
		mov	[esp+208h+var_17B], dl
		call	_ZwDuplicateToken@24 ; ZwDuplicateToken(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_43DBC7
		xor	edi, edi
		jmp	short loc_43DA24
; 

loc_43DA11:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+B0j
		lea	eax, [esp+1F0h+var_1C0]
		push	eax
		call	SeCaptureSubjectContext
		xor	ebx, ebx
		mov	edi, esi
		inc	ebx
		mov	[esp+1F0h+var_1DD], bl

loc_43DA24:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+119j
		push	ebx
		lea	eax, [esp+1F4h+var_198]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, [esp+1F0h+var_1D4]
		lea	eax, [esp+1F0h+var_198]
		push	0
		push	esi
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		push	0
		push	esi
		lea	eax, [esp+1F8h+var_198]
		push	eax
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		push	2		; int
		push	0ECh		; size_t
		lea	eax, [esp+1F8h+var_130]
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	esi
		push	ebx
		push	2
		pop	esi
		push	esi
		lea	eax, [esp+1FCh+var_130]
		push	eax
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		test	byte ptr [ebp+arg_8], 3
		jz	short loc_43DAA6
		push	ebx
		push	esi
		push	esi
		lea	eax, [esp+1FCh+var_178]
		push	offset _RtlpAppPackageAuthority
		push	eax
		call	_RtlInitializeSidEx
		add	esp, 14h
		lea	eax, [esp+1F0h+var_178]
		push	eax
		push	ebx
		push	esi
		lea	eax, [esp+1FCh+var_130]
		push	eax
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)

loc_43DAA6:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+182j
		test	byte ptr [ebp+arg_8], 2
		jz	short loc_43DAD8
		push	esi
		push	esi
		push	esi
		lea	eax, [esp+1FCh+var_178]
		push	offset _RtlpAppPackageAuthority
		push	eax
		call	_RtlInitializeSidEx
		add	esp, 14h
		lea	eax, [esp+1F0h+var_178]
		push	eax
		push	ebx
		push	esi
		lea	eax, [esp+1FCh+var_130]
		push	eax
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)

loc_43DAD8:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+1B4j
		xor	esi, esi
		lea	eax, [esp+1F0h+var_130]
		push	esi
		push	eax
		push	ebx
		lea	eax, [esp+1FCh+var_198]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		cmp	[esp+1F0h+var_1DD], 0
		lea	eax, [esp+1F0h+var_3C]
		mov	[esp+1F0h+var_1D0], eax
		jnz	short loc_43DB46
		mov	eax, large fs:124h
		lea	ecx, [esp+1F0h+var_1DC]
		push	esi
		push	ecx
		push	esi
		mov	eax, [eax+80h]
		mov	[esp+1FCh+var_1DC], esi
		mov	eax, [eax+0E4h]
		mov	[esp+1FCh+var_1B4], eax
		mov	eax, ds:_SeTokenObjectType
		push	eax
		push	8
		push	[esp+204h+var_1D8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [esp+1F0h+var_1DC]
		mov	[esp+1F0h+var_1B8], eax
		test	esi, esi
		js	loc_43DBCF
		xor	esi, esi

loc_43DB46:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+208j
		mov	eax, large fs:124h
		lea	ecx, [esp+1F0h+var_198]
		push	esi
		xor	edx, edx
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+1F4h+var_1D4], al
		lea	eax, [esp+1F4h+var_1CC]
		push	eax
		lea	eax, [esp+1F8h+var_1C8]
		push	eax
		push	[esp+1FCh+var_1D4]
		lea	eax, [esp+200h+var_1D0]
		push	offset _RtlpCheckTokenMembershipGenericMapping
		push	eax
		push	esi
		push	ebx
		push	esi
		lea	eax, [esp+214h+var_1C0]
		push	eax
		call	SeAccessCheckWithHintWithAdminlessChecks
		mov	al, [esp+1F0h+var_1DD]
		test	al, al
		jnz	short loc_43DB97
		mov	ecx, [esp+1F0h+var_1B8]
		call	ObfDereferenceObject
		mov	al, [esp+1F0h+var_1DD]

loc_43DB97:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+292j
		mov	ecx, [esp+1F0h+var_1CC]
		test	ecx, ecx
		jnz	short loc_43DBAD
		cmp	[esp+1F0h+var_1C8], ebx
		jnz	short loc_43DBB5
		mov	ecx, [esp+1F0h+var_1C4]
		mov	[ecx], bl
		jmp	short loc_43DBB7
; 

loc_43DBAD:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+2A7j
		cmp	ecx, 0C0000022h
		jz	short loc_43DBB7

loc_43DBB5:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+2ADj
		mov	esi, ecx

loc_43DBB7:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+2B5j
					; RtlCheckTokenMembershipEx(x,x,x,x)+2BDj
		test	al, al
		jz	short loc_43DBCF
		lea	eax, [esp+1F0h+var_1C0]
		push	eax
		call	SeReleaseSubjectContext
		jmp	short loc_43DBCB
; 

loc_43DBC7:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+111j
		mov	edi, [esp+1F0h+var_1DC]

loc_43DBCB:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+2CFj
		test	edi, edi
		jnz	short loc_43DBDF

loc_43DBCF:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+248j
					; RtlCheckTokenMembershipEx(x,x,x,x)+2C3j
		cmp	[esp+1F0h+var_1D8], 0
		jz	short loc_43DBDF
		push	[esp+1F0h+var_1D8]
		call	_ZwClose@4	; ZwClose(x)

loc_43DBDF:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+2D7j
					; RtlCheckTokenMembershipEx(x,x,x,x)+2DEj
		mov	eax, esi

loc_43DBE1:				; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+A2j
		mov	ecx, [esp+1F0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_RtlCheckTokenMembershipEx@16 endp


;  S U B	R O U T	I N E 


; __stdcall PopUpdateWatchdogNoWorkersEvent(x)
_PopUpdateWatchdogNoWorkersEvent@4 proc	near ; CODE XREF: PopSetWatchdog+14Dp
					; PopSetWatchdog+15Dp ...
		cmp	byte ptr [ecx+0Ch], 0
		jnz	short loc_43DC12
		cmp	byte ptr [ecx+0Dh], 0
		jnz	short loc_43DC12
		push	0
		push	0
		lea	eax, [ecx+10h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		retn
; 

loc_43DC12:				; CODE XREF: PopUpdateWatchdogNoWorkersEvent(x)+4j
					; PopUpdateWatchdogNoWorkersEvent(x)+Aj
		lea	eax, [ecx+10h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		retn
_PopUpdateWatchdogNoWorkersEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoGetPerfStateAndParkingInfo proc near	; CODE XREF: PAGE:0077E504p
					; ExpQueryProcessorInformationCounters+16F457p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AB868 SIZE 00000080 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[esp+24h+var_1C], 0
		push	ebx
		push	esi
		push	edi
		mov	[esp+30h+var_20], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_4]
		mov	edx, ecx
		push	8
		mov	[esp+34h+var_18], eax
		mov	edi, ebx
		pop	ecx
		xor	eax, eax
		mov	[esp+30h+var_14], edx
		rep stosd
		push	edx
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	ecx, eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	edi, eax
		lea	ecx, [ebx+8]
		lea	eax, [ebx+18h]
		push	eax
		push	ebx
		mov	esi, [edi+3EA0h]
		lea	eax, [esp+38h+var_1C]
		push	ecx
		push	eax
		lea	edx, [ebx+4]
		mov	ecx, edi
		call	PpmPerfGetCurrentState
		xor	edx, edx
		inc	edx
		test	esi, esi
		jz	loc_5AB868
		mov	eax, [esi+54h]
		mov	[esp+30h+var_24], eax
		mov	eax, [esi+98h]
		mov	[ebx+0Ch], eax
		mov	ecx, [esi+90h]
		mov	eax, [esi+94h]
		cmp	ecx, eax
		jb	short loc_43DCB3
		mov	ecx, eax

loc_43DCB3:				; CODE XREF: PoGetPerfStateAndParkingInfo+93j
		mov	[ebx+10h], ecx
		mov	eax, [esi+58h]
		cmp	eax, [esi+60h]
		jz	short loc_43DCC1
		mov	[ebx+1Ch], dl

loc_43DCC1:				; CODE XREF: PoGetPerfStateAndParkingInfo+A0j
		cmp	ecx, 64h
		jb	short loc_43DD18

loc_43DCC6:				; CODE XREF: PoGetPerfStateAndParkingInfo+FFj
		imul	eax, [esp+30h+var_1C], 64h
		xor	edx, edx
		div	dword ptr [esi+54h]
		mov	esi, [esp+30h+var_24]

loc_43DCD4:				; CODE XREF: PoGetPerfStateAndParkingInfo+16DC59j
		mov	ecx, [esp+30h+var_18]
		mov	[ebx+14h], eax
		mov	al, [edi+3ED4h]
		mov	[ebx+1Dh], al
		test	ecx, ecx
		jz	short loc_43DCF9
		mov	eax, [edi+3ED8h]
		mov	[ecx], eax
		mov	eax, [edi+3EDCh]
		mov	[ecx+4], eax

loc_43DCF9:				; CODE XREF: PoGetPerfStateAndParkingInfo+CAj
		cmp	[esp+30h+var_20], 0
		jnz	loc_5AB87A

loc_43DD04:				; CODE XREF: PoGetPerfStateAndParkingInfo+16DC7Fj
					; PoGetPerfStateAndParkingInfo+16DCC7j
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_43DD18:				; CODE XREF: PoGetPerfStateAndParkingInfo+A8j
		or	[ebx+18h], edx
		jmp	short loc_43DCC6
PoGetPerfStateAndParkingInfo endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfGetCurrentState proc near	; CODE XREF: PoGetPerfStateAndParkingInfo+65p
					; PpmTracePerfIdleRundown(x,x,x)+37p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005AB8E8 SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ecx+3EA4h]
		push	edi
		mov	edi, [ecx+3EA0h]
		test	edi, edi
		jz	loc_5AB8E8
		test	esi, esi
		jz	loc_5AB8E8
		mov	ebx, [esi+38h]
		mov	eax, [edi+88h]
		cmp	ebx, eax
		jb	short loc_43DD52
		mov	ebx, eax

loc_43DD52:				; CODE XREF: PpmPerfGetCurrentState+30j
		test	edx, edx
		jz	short loc_43DD5B
		mov	eax, [esi+3Ch]
		mov	[edx], eax

loc_43DD5B:				; CODE XREF: PpmPerfGetCurrentState+36j
		cmp	[ebp+arg_0], 0
		mov	[ebp+var_4], 64h
		jz	short loc_43DD7C
		mov	eax, [edi+54h]
		xor	edx, edx
		imul	eax, [edi+88h]
		div	[ebp+var_4]
		mov	edx, [ebp+arg_0]
		mov	[edx], eax

loc_43DD7C:				; CODE XREF: PpmPerfGetCurrentState+48j
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jnz	short loc_43DD98

loc_43DD83:				; CODE XREF: PpmPerfGetCurrentState+85j
		mov	edx, [ebp+arg_C]
		test	edx, edx
		jnz	short loc_43DDA5

loc_43DD8A:				; CODE XREF: PpmPerfGetCurrentState+92j
					; PpmPerfGetCurrentState+99j ...
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jnz	short loc_43DDB9

loc_43DD91:				; CODE XREF: PpmPerfGetCurrentState+A4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_43DD98:				; CODE XREF: PpmPerfGetCurrentState+63j
		xor	eax, eax
		cmp	ebx, [edi+5Ch]
		setb	al
		inc	eax
		mov	[edx], eax
		jmp	short loc_43DD83
; 

loc_43DDA5:				; CODE XREF: PpmPerfGetCurrentState+6Aj
		mov	eax, [esi+10h]
		push	64h
		pop	ebx
		mov	[edx], eax
		cmp	[esi+0Ch], ebx
		jnb	short loc_43DD8A
		or	eax, 4
		mov	[edx], eax
		jmp	short loc_43DD8A
; 

loc_43DDB9:				; CODE XREF: PpmPerfGetCurrentState+71j
		mov	dl, 1
		call	_PpmPerfGetCurrentFrequency@8 ;	PpmPerfGetCurrentFrequency(x,x)
		mov	[esi], eax
		jmp	short loc_43DD91
PpmPerfGetCurrentState endp


;  S U B	R O U T	I N E 


; __stdcall PpmPerfGetCurrentFrequency(x, x)
_PpmPerfGetCurrentFrequency@8 proc near	; CODE XREF: PpmPerfGetCurrentState+9Dp
					; PoGetFrequencyBucket(x)+2p
		mov	eax, [ecx+3EA4h]
		push	esi
		mov	esi, [ecx+3EA0h]
		test	esi, esi
		jz	short loc_43DDFB
		test	eax, eax
		jz	short loc_43DDFB
		cmp	byte ptr [eax+54h], 0
		jnz	short loc_43DDF6
		mov	eax, [eax+38h]
		mov	dl, 1

loc_43DDE4:				; CODE XREF: PpmPerfGetCurrentFrequency(x,x)+35j
		test	dl, dl
		jz	short loc_43DDF4
		mov	ecx, [esi+88h]
		cmp	eax, ecx
		jb	short loc_43DDF4
		mov	eax, ecx

loc_43DDF4:				; CODE XREF: PpmPerfGetCurrentFrequency(x,x)+22j
					; PpmPerfGetCurrentFrequency(x,x)+2Cj
		pop	esi
		retn
; 

loc_43DDF6:				; CODE XREF: PpmPerfGetCurrentFrequency(x,x)+19j
		mov	eax, [eax+64h]
		jmp	short loc_43DDE4
; 

loc_43DDFB:				; CODE XREF: PpmPerfGetCurrentFrequency(x,x)+Fj
					; PpmPerfGetCurrentFrequency(x,x)+13j
		push	64h
		pop	eax
		pop	esi
		retn
_PpmPerfGetCurrentFrequency@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RawCompletionRoutine proc near		; DATA XREF: RawReadWriteDeviceControl+51o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005AB920 SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [edx+60h]
		xor	ebx, ebx
		mov	al, [edi]
		cmp	al, 3
		jz	loc_5AB920
		cmp	al, 4
		jz	loc_5AB920

loc_43DE22:				; CODE XREF: RawCompletionRoutine+16DB25j
					; RawCompletionRoutine+16DB2Fj	...
		cmp	[edx+21h], bl
		jnz	short loc_43DE64

loc_43DE27:				; CODE XREF: RawCompletionRoutine+6Bj
		mov	esi, [ebp+arg_8]
		mov	ecx, esi
		mov	edx, [edi+18h]
		call	_RawEndOperation@8 ; RawEndOperation(x,x)
		cmp	byte ptr [edi],	1Bh
		jz	short loc_43DE42

loc_43DE39:				; CODE XREF: RawCompletionRoutine+62j
					; RawCompletionRoutine+16DB58j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_43DE42:				; CODE XREF: RawCompletionRoutine+37j
		lea	edi, [esi+0A0h]
		mov	ecx, edi
		call	ExAcquireFastMutex
		dec	dword ptr [esi+50h]
		cmp	[esi+4Ch], ebx
		jz	loc_5AB94C

loc_43DE5B:				; CODE XREF: RawCompletionRoutine+16DB5Ej
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	short loc_43DE39
; 

loc_43DE64:				; CODE XREF: RawCompletionRoutine+25j
		mov	eax, [edx+60h]
		or	byte ptr [eax+3], 1
		jmp	short loc_43DE27
RawCompletionRoutine endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RawEndOperation(x, x)
_RawEndOperation@8 proc	near		; CODE XREF: RawCompletionRoutine+2Fp
					; RawQueryFsVolumeInfo(x,x,x,x)+37p ...
		mov	eax, [ecx+94h]
		test	eax, eax
		jnz	short loc_43DE86

loc_43DE78:				; CODE XREF: RawEndOperation(x,x)+1Aj
		mov	ecx, [ecx+9Ch]
		xor	edx, edx
		inc	edx
		jmp	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
; 

loc_43DE86:				; CODE XREF: RawEndOperation(x,x)+8j
		cmp	edx, eax
		jnz	short loc_43DE78
		retn
_RawEndOperation@8 endp

; 
		align 10h
; Exported entry  68. ExReleaseRundownProtectionCacheAwareEx

;  S U B	R O U T	I N E 


; __fastcall ExReleaseRundownProtectionCacheAwareEx(x, x)
		public @ExReleaseRundownProtectionCacheAwareEx@8
@ExReleaseRundownProtectionCacheAwareEx@8 proc near ; CODE XREF: RawEndOperation(x,x)+13j
					; EtwpTraceMessageVa+3D8p ...
		movzx	eax, large byte	ptr fs:51h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		xor	edx, edx
		div	dword ptr [esi+0Ch]
		imul	edx, [esi+8]
		add	edx, [esi]
		lea	ebx, [ebx+0]

loc_43DEB0:				; CODE XREF: ExReleaseRundownProtectionCacheAwareEx(x,x)+36j
					; ExReleaseRundownProtectionCacheAwareEx(x,x)+61j
		mov	ebx, [edx]
		test	bl, 1
		jnz	short loc_43DECC
		lea	eax, [edi+edi]
		mov	ecx, ebx
		sub	ecx, eax
		mov	eax, ebx
		lock cmpxchg [edx], ecx
		cmp	eax, ebx
		jnz	short loc_43DEB0

loc_43DEC8:				; CODE XREF: ExReleaseRundownProtectionCacheAwareEx(x,x)+4Ej
					; ExReleaseRundownProtectionCacheAwareEx(x,x)+5Dj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_43DECC:				; CODE XREF: ExReleaseRundownProtectionCacheAwareEx(x,x)+25j
		cmp	ebx, 1
		jz	short loc_43DEEF
		mov	eax, edi
		and	ebx, 0FFFFFFFEh
		neg	eax
		lock xadd [ebx], eax
		cmp	eax, edi
		jnz	short loc_43DEC8
		push	0
		push	0
		lea	eax, [ebx+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_43DEC8
; 

loc_43DEEF:				; CODE XREF: ExReleaseRundownProtectionCacheAwareEx(x,x)+3Fj
		mov	edx, [esi]
		jmp	short loc_43DEB0
@ExReleaseRundownProtectionCacheAwareEx@8 endp

; 
		align 4

RawInitiateDeleteVolume:		; CODE XREF: RawCompletionRoutine+16DB51p
					; RawVerifyVolume(x,x)+151p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		test	byte ptr [esi+48h], 4
		jnz	loc_5ABA49
		push	9
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[ebp-4], al
		test	edi, edi
		jnz	short loc_43DF3E
		mov	eax, [esi+8Ch]
		mov	eax, [eax+14h]
		add	eax, [esi+4Ch]
		cmp	eax, [ebp+8]
		jz	short loc_43DF3E
		push	dword ptr [ebp-4]

loc_43DF30:				; CODE XREF: .text:005ABA69j
		call	IoReleaseVpbSpinLock

loc_43DF35:				; CODE XREF: .text:0043DFB5j
					; .text:005ABA44j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
; 

loc_43DF3E:				; CODE XREF: .text:0043DF1Aj
					; .text:0043DF2Bj
		mov	ecx, [esi+8Ch]
		lea	edi, [esi+80h]
		mov	eax, [ecx+14h]
		add	eax, [esi+50h]
		jnz	loc_5AB963
		push	dword ptr [ebp-4]
		mov	eax, 0FFFEh
		and	[ecx+4], ax
		mov	eax, [esi+8Ch]
		mov	[eax+8], ebx
		call	IoReleaseVpbSpinLock
		mov	ebx, offset _RawGlobalLock
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	short loc_43DFBA
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_43DFBA
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		or	dword ptr [esi+48h], 2

loc_43DF9A:				; CODE XREF: .text:005ABAA8j
		lea	ecx, [esi+0A0h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, esi
		call	RawCleanupVcb
		mov	ecx, esi
		call	_RawDeleteVcb@4	; RawDeleteVcb(x)
		mov	bl, 1
		jmp	loc_43DF35
; 

loc_43DFBA:				; CODE XREF: .text:0043DF81j
					; .text:0043DF88j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		dd 2 dup(0CCCCCCCCh)
; Exported entry 951. IoReleaseVpbSpinLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoReleaseVpbSpinLock
IoReleaseVpbSpinLock proc near		; CODE XREF: .text:loc_43DF30p
					; .text:0043DF6Bp ...

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005ABAAD SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		push	esi
		lea	esi, [eax+460h]
		jnz	loc_5ABAAD
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_43E00A
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_43E01B

loc_43DFFC:				; CODE XREF: IoReleaseVpbSpinLock+51j
					; IoReleaseVpbSpinLock+16DAEFj
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebp
		retn	4
; 

loc_43E00A:				; CODE XREF: IoReleaseVpbSpinLock+23j
					; IoReleaseVpbSpinLock+5Aj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_43DFFC
; 

loc_43E01B:				; CODE XREF: IoReleaseVpbSpinLock+32j
		mov	ecx, esi
		call	KxWaitForLockChainValid
		jmp	short loc_43E00A
IoReleaseVpbSpinLock endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 735. IoAcquireVpbSpinLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAcquireVpbSpinLock(x)
		public _IoAcquireVpbSpinLock@4
_IoAcquireVpbSpinLock@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	9
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx], al
		pop	ebp
		retn	4
_IoAcquireVpbSpinLock@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnActivateTrace proc near		; CODE XREF: PfSnBeginTrace+1B5p

; FUNCTION CHUNK AT 005ABABC SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, offset unk_6D492C
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_5ABABC
		or	word ptr [edi+152h], 2
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_6D4958
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [edi+100h]
		mov	edx, edi
		call	_PfSnAddProcessTrace@8 ; PfSnAddProcessTrace(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_43E0AF
		mov	ecx, dword_6D4954
		lea	eax, [edi+4]
		mov	edx, offset _PfSnGlobals
		cmp	[ecx], edx
		jnz	short loc_43E0D5
		inc	_PfSnNumActiveTraces
		xor	esi, esi
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6D4954, eax

loc_43E0AF:				; CODE XREF: PfSnActivateTrace+47j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_6D4958
		jnz	loc_5ABAC6
		xor	eax, eax
		lock and [ecx],	eax

loc_43E0C6:				; CODE XREF: PfSnActivateTrace+16DA8Ej
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx

loc_43E0CF:				; CODE XREF: PfSnActivateTrace+16DA81j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn
; 

loc_43E0D5:				; CODE XREF: PfSnActivateTrace+59j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PfSnActivateTrace endp			; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall PfSnAddProcessTrace(x, x)
_PfSnAddProcessTrace@8 proc near	; CODE XREF: PfSnActivateTrace+3Ep
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		test	dword ptr [edi+1E8h], 0FFFFFFF8h
		jnz	short loc_43E114
		push	8
		lea	ecx, [esi+104h]
		pop	edx
		call	ExAcquireRundownProtectionEx
		test	al, al
		jz	short loc_43E11B
		lea	eax, [esi+7]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		xor	eax, eax
		mov	[edi+1E8h], esi

loc_43E111:				; CODE XREF: PfSnAddProcessTrace(x,x)+3Fj
					; PfSnAddProcessTrace(x,x)+46j
		pop	edi
		pop	esi
		retn
; 

loc_43E114:				; CODE XREF: PfSnAddProcessTrace(x,x)+12j
		mov	eax, 0C0000021h
		jmp	short loc_43E111
; 

loc_43E11B:				; CODE XREF: PfSnAddProcessTrace(x,x)+24j
		mov	eax, 0C0000189h
		jmp	short loc_43E111
_PfSnAddProcessTrace@8 endp


;  S U B	R O U T	I N E 


; __stdcall PfSnTraceBufferAllocate()
_PfSnTraceBufferAllocate@0 proc	near	; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+612p
					; PfSnTraceGetLogEntry+6Ap ...
		mov	edi, edi
		push	esi
		push	edi
		push	42506343h
		mov	edi, 11000h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_43E159
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [esi+0Ch], 21FEh
		mov	eax, esi

loc_43E156:				; CODE XREF: PfSnTraceBufferAllocate()+39j
		pop	edi
		pop	esi
		retn
; 

loc_43E159:				; CODE XREF: PfSnTraceBufferAllocate()+1Dj
		xor	eax, eax
		jmp	short loc_43E156
_PfSnTraceBufferAllocate@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxProcessWorkPool proc near		; CODE XREF: PfSnBeginTrace:loc_767984p
					; PopFxEmergencyWorker(x)+19p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005ABAD3 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_8], 0
		and	[esp+14h+var_4], 0
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, edx
		inc	edi
		mov	esi, ecx
		mov	edx, edi
		mov	[esp+20h+var_14], edx
		cmp	ebx, 0FFFFFFFFh
		jz	loc_43E27E
		mov	[esi+ebx*4+90h], eax

loc_43E199:				; CODE XREF: PopFxProcessWorkPool+12Cj
		xor	eax, eax
		lea	ecx, [esi+10h]

loc_43E19E:				; CODE XREF: PopFxProcessWorkPool+4Bj
		mov	[esp+eax*4+20h+var_8], ecx
		inc	eax
		add	ecx, 14h
		cmp	eax, 2
		jb	short loc_43E19E

loc_43E1AB:				; CODE XREF: PopFxProcessWorkPool+10Bj
					; PopFxProcessWorkPool+11Bj
		and	[esp+20h+var_10], 0
		lea	eax, [esp+20h+var_10]
		and	[esp+20h+var_C], 0
		push	eax
		imul	eax, edx, 14h
		push	0
		push	0
		push	0
		add	eax, 10h
		add	eax, esi
		push	eax
		call	KeWaitForSingleObject
		cmp	eax, 102h
		jnz	short loc_43E229
		cmp	ebx, 0FFFFFFFFh
		jz	loc_43E26E
		or	[esp+20h+var_C], 0FFFFFFFFh
		lea	eax, [esp+20h+var_10]
		mov	[esp+20h+var_10], 0FFFF3CB0h

loc_43E1EF:				; CODE XREF: PopFxProcessWorkPool+112j
		push	0
		push	eax
		push	0
		push	0
		push	0
		push	edi
		lea	eax, [esp+38h+var_8]
		push	eax
		push	2
		pop	eax
		push	eax
		call	KeWaitForMultipleObjects
		cmp	eax, 102h
		jnz	short loc_43E22D
		and	dword ptr [esi+ebx*4+90h], 0
		lea	eax, [esi+38h]
		mov	ecx, ebx
		shl	edi, cl
		not	edi
		lock and [eax],	edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_43E229:				; CODE XREF: PopFxProcessWorkPool+75j
		mov	eax, [esp+20h+var_14]

loc_43E22D:				; CODE XREF: PopFxProcessWorkPool+AEj
		sub	eax, 0
		jz	loc_5ABAD3
		sub	eax, 1
		jnz	short loc_43E242
		mov	ecx, [esi]
		call	PopFxDispatchPluginWorkOnce

loc_43E242:				; CODE XREF: PopFxProcessWorkPool+DBj
					; PopFxProcessWorkPool+16D98Dj
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_43E275
		lea	edx, [esi+38h]
		xor	edi, edi
		mov	eax, [edx]

loc_43E24E:				; CODE XREF: PopFxProcessWorkPool+F8j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_43E24E
		push	1
		pop	edi
		test	eax, eax
		jz	loc_5ABAF0
		xor	edx, edx

loc_43E265:				; CODE XREF: PopFxProcessWorkPool+16D99Dj
		mov	[esp+20h+var_14], edx
		jmp	loc_43E1AB
; 

loc_43E26E:				; CODE XREF: PopFxProcessWorkPool+7Aj
		xor	eax, eax
		jmp	loc_43E1EF
; 

loc_43E275:				; CODE XREF: PopFxProcessWorkPool+E7j
		mov	edx, [esp+20h+var_14]
		jmp	loc_43E1AB
; 

loc_43E27E:				; CODE XREF: PopFxProcessWorkPool+2Ej
		xor	edx, edx
		mov	[esi+8Ch], eax
		mov	[esp+20h+var_14], edx
		jmp	loc_43E199
PopFxProcessWorkPool endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxDispatchPluginWorkOnce proc near	; CODE XREF: PopFxProcessWorkPool+DFp

var_B0		= dword	ptr -0B0h
var_A8		= dword	ptr -0A8h
var_80		= dword	ptr -80h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_44		= dword	ptr -44h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005ABB00 SIZE 00000074 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B4h
		push	ebx
		push	esi
		push	edi
		push	68h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_B0]
		push	ebx		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_24], ebx
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_A8]
		push	ebx
		push	eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		lea	eax, [ebp+var_B0]
		push	eax
		push	offset _PopFxWorkOrderWatchdog@16 ; PopFxWorkOrderWatchdog(x,x,x,x)
		lea	eax, [ebp+var_80]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	edx, _PopFxWatchdogWorkOrderTimeout
		lea	ecx, [ebp+var_24]
		call	PopFxEnableWorkOrderWatchdog
		push	8
		xor	eax, eax
		mov	[ebp+var_4], ebx
		mov	byte ptr [ebp+var_4], bl
		lea	edi, [ebp+var_44]
		pop	ecx
		rep stosd
		lea	eax, [ebp+var_44]
		mov	[ebp+var_8], eax
		test	esi, esi
		jnz	loc_5ABB00
		mov	ecx, eax
		call	PopPepWork
		test	al, al

loc_43E32C:				; CODE XREF: PopFxDispatchPluginWorkOnce+16D886j
		jz	short loc_43E36C

loc_43E32E:				; CODE XREF: PopFxDispatchPluginWorkOnce+16D8ABj
					; PopFxDispatchPluginWorkOnce+16D8B5j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PopWorkOrderLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		lea	eax, [ebp+var_44]
		mov	[ebp+var_5C], eax
		jnz	loc_5ABB65
		xor	eax, eax
		lock and [edi],	eax

loc_43E35A:				; CODE XREF: PopFxDispatchPluginWorkOnce+16D8DFj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	edx, [ebp+var_44]
		mov	ecx, esi
		call	PopFxProcessWork

loc_43E36C:				; CODE XREF: PopFxDispatchPluginWorkOnce:loc_43E32Cj
					; PopFxDispatchPluginWorkOnce+16D8A1j
		lea	ecx, [ebp+var_B0]
		call	PopFxDisableWorkOrderWatchdog
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopFxDispatchPluginWorkOnce endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxDisableWorkOrderWatchdog proc near	; CODE XREF: PopFxDispatchPluginWorkOnce+E2p
					; PopFxCompleteDirectedPowerTransition(x,x)+50p

; FUNCTION CHUNK AT 005ABB74 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_43E3F0
		lea	eax, [esi+8]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jz	loc_5ABB74
		push	ebx
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopWorkOrderLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		and	dword ptr [esi+60h], 0
		and	dword ptr [esi+54h], 0
		mov	edi, [esi]
		mov	edx, [esi+4]
		cmp	[edi+4], esi
		jnz	short loc_43E3EB
		cmp	[edx], esi
		jnz	short loc_43E3EB
		mov	[edx], edi
		mov	ecx, offset _PopWorkOrderLock
		mov	[edi+4], edx
		test	ds:byte_70EFC6,	1
		jnz	loc_5ABB85
		xor	eax, eax
		lock and [ecx],	eax

loc_43E3DF:				; CODE XREF: PopFxDisableWorkOrderWatchdog+16D811j
		pop	edi
		mov	cl, bl
		pop	ebx
		pop	esi
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_43E3EB:				; CODE XREF: PopFxDisableWorkOrderWatchdog+41j
					; PopFxDisableWorkOrderWatchdog+45j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_43E3F0:				; CODE XREF: PopFxDisableWorkOrderWatchdog+Aj
		pop	esi
		pop	ebp
		retn
PopFxDisableWorkOrderWatchdog endp ; sp	= -8

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxEnableWorkOrderWatchdog proc near	; CODE XREF: PopFxDispatchPluginWorkOnce+70p
					; PopFxHandleDirectedPowerTransition(x)+43p

; FUNCTION CHUNK AT 005ABB92 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		mov	edi, [ecx+18h]
		mov	ebx, edx
		test	edi, edi
		jz	loc_43E4A2
		mov	eax, large fs:124h
		mov	[edi+60h], eax
		test	ebx, ebx
		jz	loc_43E4A2
		push	esi
		push	0FFFFFFFFh
		push	0FFFFD8F0h
		push	0
		push	ebx
		call	__allmul
		mov	esi, eax
		mov	ecx, edx
		lea	eax, [edi+30h]
		xor	edx, edx
		push	eax
		push	0Ah
		mov	eax, ebx
		pop	ebx
		div	ebx
		push	eax
		push	0
		push	ecx
		push	esi
		lea	eax, [edi+8]
		push	eax
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		call	KeQueryInterruptTime
		and	dword ptr [edi+54h], 0
		mov	[edi+58h], eax
		mov	[edi+5Ch], edx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopWorkOrderLock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, dword_6C3B14
		mov	eax, offset _PopWorkOrderList
		cmp	[ecx], eax
		jnz	short loc_43E4A8
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		test	ds:byte_70EFC6,	1
		mov	dword_6C3B14, edi
		jnz	loc_5ABB92
		xor	eax, eax
		lock and [esi],	eax

loc_43E499:				; CODE XREF: PopFxEnableWorkOrderWatchdog+16D7A8j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi

loc_43E4A2:				; CODE XREF: PopFxEnableWorkOrderWatchdog+Ej
					; PopFxEnableWorkOrderWatchdog+1Fj
		mov	eax, edi
		pop	edi
		pop	ebx
		pop	ebp
		retn
; 

loc_43E4A8:				; CODE XREF: PopFxEnableWorkOrderWatchdog+84j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PopFxEnableWorkOrderWatchdog endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopExecuteOnTargetProcessors(x, x, x, x)
_PopExecuteOnTargetProcessors@16 proc near ; CODE XREF:	PoGetIdleTimes(x,x,x)+D2p
					; PpmCheckResetProcessors(x)+12p ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= word ptr -4Ch
var_4A		= word ptr -4Ah
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		push	ebx
		push	esi
		push	edi
		push	8
		xor	eax, eax
		lea	edi, [esp+64h+var_20]
		mov	esi, ecx
		mov	[esp+64h+var_4A], ax
		pop	ecx
		rep stosd
		lea	edi, [esp+60h+var_48]
		mov	ebx, edx
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+60h+var_48]
		xor	edi, edi
		push	edi
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	eax, eax
		lea	edx, [esp+60h+var_38]
		mov	[esp+60h+var_4C], ax
		lea	ecx, [esp+60h+var_20]
		mov	eax, [esi+8]
		mov	[esp+60h+var_50], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+60h+var_34], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+60h+var_30], eax
		lea	eax, [esp+60h+var_54]
		mov	[esp+60h+var_28], eax
		lea	eax, [esp+60h+var_48]
		mov	[esp+60h+var_54], esi
		mov	[esp+60h+var_38], ebx
		mov	[esp+60h+var_24], edi
		mov	[esp+60h+var_2C], eax
		call	_PopQueueTargetDpc@8 ; PopQueueTargetDpc(x,x)
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [esp+70h+var_48]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+60h+var_24]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_PopExecuteOnTargetProcessors@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopExecuteProcessorCallback(x, x, x, x)
_PopExecuteProcessorCallback@16	proc near ; DATA XREF: PopQueueTargetDpc(x,x)+23o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:20h
		push	esi
		mov	esi, [ebp+arg_4]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	eax
		call	dword ptr [esi]
		test	eax, eax
		js	short loc_43E573

loc_43E564:				; CODE XREF: PopExecuteProcessorCallback(x,x,x,x)+2Ej
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_PopQueueTargetDpc@8 ; PopQueueTargetDpc(x,x)
		pop	esi
		pop	ebp
		retn	10h
; 

loc_43E573:				; CODE XREF: PopExecuteProcessorCallback(x,x,x,x)+1Aj
		mov	[esi+14h], eax
		jmp	short loc_43E564
_PopExecuteProcessorCallback@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopQueueTargetDpc(x, x)
_PopQueueTargetDpc@8 proc near		; CODE XREF: PopExecuteOnTargetProcessors(x,x,x,x)+79p
					; PopExecuteProcessorCallback(x,x,x,x)+21p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		mov	esi, ecx
		mov	[ebp+var_4], ebx
		push	dword ptr [edi+10h]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		js	short loc_43E5C8
		push	edi
		push	offset _PopExecuteProcessorCallback@16 ; PopExecuteProcessorCallback(x,x,x,x)
		push	esi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	byte ptr [esi+1], 3
		mov	eax, [esi+1Ch]
		test	eax, eax
		jnz	short loc_43E5BB
		mov	eax, [ebp+var_4]
		add	eax, 20h
		mov	[esi+2], ax

loc_43E5BB:				; CODE XREF: PopQueueTargetDpc(x,x)+37j
		push	ebx
		push	ebx
		push	esi
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)

loc_43E5C3:				; CODE XREF: PopQueueTargetDpc(x,x)+5Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_43E5C8:				; CODE XREF: PopQueueTargetDpc(x,x)+20j
		push	ebx
		push	ebx
		push	dword ptr [edi+0Ch]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_43E5C3
_PopQueueTargetDpc@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1167. KeInitializeDpc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeDpc(x, x, x)
		public _KeInitializeDpc@12
_KeInitializeDpc@12 proc near		; CODE XREF: PopSetWatchdog+1B6p
					; PopFxDispatchPluginWorkOnce+62p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		and	dword ptr [ecx+1Ch], 0
		and	dword ptr [ecx+8], 0
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	dword ptr [ecx], 113h
		mov	[ecx+10h], eax
		pop	ebp
		retn	0Ch
_KeInitializeDpc@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoGetIdleTimes(x, x, x)
_PoGetIdleTimes@12 proc	near		; CODE XREF: ExpQueryProcessorInformationCounters+6Ap
					; PAGE:0077E1CEp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_14], eax
		lea	edi, [ebp+var_10]
		xor	eax, eax
		mov	[ebp+var_18], edx
		stosd
		push	ecx
		mov	[ebp+var_1C], ecx
		stosd
		stosd
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	ecx, eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, large fs:124h
		mov	esi, eax
		dec	word ptr [ecx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExAcquirePushLockSharedEx
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	[ebp+var_14]	; int
		mov	edi, [ebp+var_18]
		mov	bl, al
		push	edi		; void *
		push	esi		; int
		call	PopGetIdleTimesCallback
		mov	cl, bl
		mov	esi, eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	ebx, ebx
		test	esi, esi
		js	short loc_43E6A4

loc_43E67A:				; CODE XREF: PoGetIdleTimes(x,x,x)+D7j
		cmp	dword_6C2ADC, ebx
		jnz	short loc_43E6D9

loc_43E682:				; CODE XREF: PoGetIdleTimes(x,x,x)+DFj
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_43E6A4:				; CODE XREF: PoGetIdleTimes(x,x,x)+78j
		push	[ebp+var_1C]
		xor	eax, eax
		mov	[ebp+var_C], ebx
		inc	eax
		mov	[ebp+var_8], ebx
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	ecx, [ebp+var_8]
		mov	edx, offset PopGetIdleTimesCallback
		push	[ebp+var_14]
		bts	ecx, eax
		mov	[ebp+var_8], ecx
		lea	ecx, [ebp+var_10]
		push	edi
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		jmp	short loc_43E67A
; 

loc_43E6D9:				; CODE XREF: PoGetIdleTimes(x,x,x)+80j
		mov	dword_6C2ADC, ebx
		jmp	short loc_43E682
_PoGetIdleTimes@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1157. KeGetProcessorIndexFromNumber

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeGetProcessorIndexFromNumber(x)
		public _KeGetProcessorIndexFromNumber@4
_KeGetProcessorIndexFromNumber@4 proc near ; CODE XREF:	PoGetPerfStateAndParkingInfo+3Ep
					; PoGetIdleTimes(x,x,x)+2Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		cmp	byte ptr [ecx+3], 0
		jnz	short loc_43E70E
		cmp	word ptr [ecx],	0
		jnz	short loc_43E70E
		movzx	eax, byte ptr [ecx+2]
		cmp	eax, ds:_KeNumberProcessors
		jnb	short loc_43E70E
		movzx	eax, byte ptr [ecx+2]

loc_43E70A:				; CODE XREF: KeGetProcessorIndexFromNumber(x)+2Bj
		pop	ebp
		retn	4
; 

loc_43E70E:				; CODE XREF: KeGetProcessorIndexFromNumber(x)+Cj
					; KeGetProcessorIndexFromNumber(x)+12j	...
		or	eax, 0FFFFFFFFh
		jmp	short loc_43E70A
_KeGetProcessorIndexFromNumber@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopGetIdleTimesCallback(int,void *,int)
PopGetIdleTimesCallback	proc near	; CODE XREF: PoGetIdleTimes(x,x,x)+65p
					; DATA XREF: PoGetIdleTimes(x,x,x)+C0o

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005ABBA1 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		cmp	eax, ebx
		push	esi
		setnz	cl
		push	edi
		xor	edi, edi
		mov	[esp+50h+var_10], ecx
		mov	[esp+50h+var_C], edi
		lea	eax, [ebx+3D88h]
		mov	[esp+50h+var_2C], eax
		mov	[esp+50h+var_18], edi
		mov	[esp+50h+var_4], edi
		mov	[esp+50h+var_8], edi
		test	ecx, ecx
		jz	short loc_43E79C

loc_43E756:				; CODE XREF: PopGetIdleTimesCallback+16D491j
		mov	esi, [eax]
		mov	edi, [eax+4]
		mov	eax, esi
		mov	[esp+50h+var_C], esi
		mov	edx, edi
		mov	[esp+50h+var_18], edi
		nop
		mov	ecx, edi
		mov	ebx, esi
		mov	edi, [esp+50h+var_2C]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, ecx
		cmp	eax, esi
		jnz	loc_5ABBA1
		cmp	edx, edi
		jnz	loc_5ABBA1
		mov	eax, esi
		push	0
		or	eax, edi
		pop	edi
		jnz	short loc_43E799

loc_43E78F:				; CODE XREF: PopGetIdleTimesCallback+2D6j
					; PopGetIdleTimesCallback+2E4j
		mov	edi, 0C0000001h
		jmp	loc_43E9A3
; 

loc_43E799:				; CODE XREF: PopGetIdleTimesCallback+79j
		mov	ebx, [ebp+arg_0]

loc_43E79C:				; CODE XREF: PopGetIdleTimesCallback+40j
		mov	eax, [ebx+3D74h]
		mov	[esp+50h+var_24], eax
		mov	eax, [ebx+3D70h]
		push	edi
		mov	[esp+54h+var_3C], eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, [ebx+0Ch]
		mov	esi, [ebp+arg_4]
		mov	[esp+54h+var_3C], eax
		mov	[esp+54h+var_2C], edx
		mov	ecx, [ecx+194h]
		mov	[esp+54h+var_44], ecx
		mov	ecx, [ebx+4A4h]
		mov	[esp+54h+var_18], ecx
		test	esi, esi
		jz	loc_43E912
		push	30h		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [esp+60h+var_28]
		add	esp, 0Ch
		test	ecx, ecx
		jz	loc_43E90A
		cmp	[esp+54h+var_40], 0
		jz	loc_43E90A
		lea	eax, [ecx+34h]
		mov	edx, edi
		mov	[esp+54h+var_20], eax
		mov	eax, [esp+54h+var_40]
		add	eax, 10Ch
		mov	[esp+54h+var_24], eax

loc_43E81A:				; CODE XREF: PopGetIdleTimesCallback+1CBj
		mov	eax, [ecx]
		mov	ecx, [esp+54h+var_40]
		mov	[esp+54h+var_34], edx
		mov	ecx, [ecx+20h]
		cmp	eax, ecx
		jb	short loc_43E82D
		mov	eax, ecx

loc_43E82D:				; CODE XREF: PopGetIdleTimesCallback+115j
		cmp	edx, eax
		jnb	loc_43E8E4
		mov	ecx, [esp+54h+var_24]
		call	PpmIdleGetCIndexForState
		sub	eax, 1
		jz	loc_43E9AE
		sub	eax, 1
		jnz	loc_5ABBAA
		lea	ecx, [esi+24h]
		lea	eax, [esi+10h]

loc_43E856:				; CODE XREF: PopGetIdleTimesCallback+2A0j
					; PopGetIdleTimesCallback+16D4AEj
		mov	[esp+54h+var_38], eax

loc_43E85A:				; CODE XREF: PopGetIdleTimesCallback+16D4A3j
		mov	ebx, [esp+54h+var_40]
		cmp	edx, [ebx+14h]
		mov	ebx, [ebp+arg_0]
		jnz	short loc_43E872
		mov	edx, [esp+54h+var_34]
		mov	[esp+54h+var_C], eax
		mov	[esp+54h+var_8], ecx

loc_43E872:				; CODE XREF: PopGetIdleTimesCallback+150j
		test	ecx, ecx
		jz	short loc_43E8CD
		test	eax, eax
		jz	short loc_43E8CD
		mov	edx, [esp+54h+var_20]
		mov	esi, [esp+54h+var_40]
		mov	eax, [edx+4]
		add	eax, [edx]
		add	[ecx], eax
		mov	eax, [esp+54h+var_34]
		mov	ecx, [edx-0Ch]
		cmp	[esi+14h], eax
		mov	edx, [edx-8]
		mov	esi, [ebp+arg_4]
		jnz	short loc_43E8A7
		add	ecx, [ebx+3D78h]
		adc	edx, [ebx+3D7Ch]

loc_43E8A7:				; CODE XREF: PopGetIdleTimesCallback+185j
		push	edi
		push	(offset	loc_98967E+2)
		push	ds:dword_70ED2C
		push	ds:_PopQpcFrequency
		push	edx
		push	ecx
		call	PpmConvertTime
		mov	ecx, [esp+54h+var_38]
		add	[ecx], eax
		adc	[ecx+4], edx
		mov	edx, [esp+54h+var_34]

loc_43E8CD:				; CODE XREF: PopGetIdleTimesCallback+160j
					; PopGetIdleTimesCallback+164j
		add	[esp+54h+var_24], 44h
		inc	edx
		add	[esp+54h+var_20], 3E8h
		mov	ecx, [esp+54h+var_28]
		jmp	loc_43E81A
; 

loc_43E8E4:				; CODE XREF: PopGetIdleTimesCallback+11Bj
		mov	eax, [esp+54h+var_28]
		push	edi
		push	(offset	loc_98967E+2)
		push	ds:dword_70ED2C
		push	ds:_PopQpcFrequency
		push	dword ptr [eax+1Ch]
		push	dword ptr [eax+18h]
		call	PpmConvertTime
		mov	[esi], eax
		mov	[esi+4], edx

loc_43E90A:				; CODE XREF: PopGetIdleTimesCallback+DFj
					; PopGetIdleTimesCallback+EAj
		mov	eax, [esp+54h+var_3C]
		mov	edx, [esp+54h+var_2C]

loc_43E912:				; CODE XREF: PopGetIdleTimesCallback+C7j
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jz	short loc_43E956
		cmp	[esp+54h+var_14], 0
		jnz	short loc_43E92A
		mov	ecx, [ebp+arg_0]
		push	edx
		push	eax
		call	_PpmContinueActiveTimeAccumulation@12 ;	PpmContinueActiveTimeAccumulation(x,x,x)

loc_43E92A:				; CODE XREF: PopGetIdleTimesCallback+20Aj
		mov	eax, [ebp+arg_0]
		push	edi
		push	(offset	loc_98967E+2)
		push	ds:dword_70ED2C
		push	ds:_PopQpcFrequency
		push	dword ptr [eax+3E2Ch]
		push	dword ptr [eax+3E28h]
		call	PpmConvertTime
		mov	[ebx+8], eax
		mov	[ebx+0Ch], edx

loc_43E956:				; CODE XREF: PopGetIdleTimesCallback+203j
		cmp	[esp+54h+var_14], 0
		jnz	short loc_43E9B9

loc_43E95D:				; CODE XREF: PopGetIdleTimesCallback+343j
		mov	ecx, [esp+54h+var_44]

loc_43E961:				; CODE XREF: PopGetIdleTimesCallback+36Aj
		test	esi, esi
		jz	short loc_43E992
		cmp	[esp+54h+var_28], 0
		jz	loc_5ABBC7
		cmp	[esp+54h+var_40], 0
		jz	loc_5ABBC7
		mov	ecx, [esi+18h]
		add	ecx, [esi+10h]
		mov	eax, [esi+1Ch]
		adc	eax, [esi+14h]
		add	ecx, [esi+8]
		adc	eax, [esi+0Ch]
		add	[esi], ecx
		adc	[esi+4], eax

loc_43E992:				; CODE XREF: PopGetIdleTimesCallback+24Fj
					; PopGetIdleTimesCallback+16D4BFj
		test	ebx, ebx
		jz	short loc_43E9A3
		mov	ecx, [esp+54h+var_44]
		mov	eax, [esp+54h+var_18]
		mov	[ebx], ecx
		mov	[ebx+4], eax

loc_43E9A3:				; CODE XREF: PopGetIdleTimesCallback+80j
					; PopGetIdleTimesCallback+280j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_43E9AE:				; CODE XREF: PopGetIdleTimesCallback+12Dj
		lea	ecx, [esi+20h]
		lea	eax, [esi+8]
		jmp	loc_43E856
; 

loc_43E9B9:				; CODE XREF: PopGetIdleTimesCallback+247j
		mov	esi, [esp+54h+var_30]

loc_43E9BD:				; CODE XREF: PopGetIdleTimesCallback+2C7j
					; PopGetIdleTimesCallback+2CBj
		mov	ebx, [esi]
		mov	eax, ebx
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[esp+54h+var_14], ebx
		mov	[esp+54h+var_20], ecx
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, edx
		mov	edx, [esp+54h+var_14]
		cmp	eax, edx
		jnz	short loc_43E9BD
		cmp	ebx, ecx
		jnz	short loc_43E9BD
		mov	ecx, [esp+54h+var_10]
		mov	esi, [ebp+arg_4]
		cmp	ecx, edx
		jnz	loc_43E78F
		mov	eax, [esp+54h+var_1C]
		cmp	eax, [esp+54h+var_20]
		jnz	loc_43E78F
		mov	ebx, [esp+54h+var_2C]
		cmp	ebx, eax
		jb	short loc_43EA54
		mov	edx, [esp+54h+var_3C]
		ja	short loc_43EA10
		cmp	edx, ecx
		jbe	short loc_43EA54

loc_43EA10:				; CODE XREF: PopGetIdleTimesCallback+2F6j
		push	edi
		push	(offset	loc_98967E+2)
		push	ds:dword_70ED2C
		sub	edx, ecx
		push	ds:_PopQpcFrequency
		sbb	ebx, eax
		push	ebx
		push	edx
		call	PpmConvertTime
		mov	ecx, [esp+54h+var_C]
		test	ecx, ecx
		jz	short loc_43EA44
		mov	ebx, [esp+54h+var_8]
		test	ebx, ebx
		jz	short loc_43EA44
		inc	dword ptr [ebx]
		add	[ecx], eax
		adc	[ecx+4], edx

loc_43EA44:				; CODE XREF: PopGetIdleTimesCallback+31Fj
					; PopGetIdleTimesCallback+327j
		mov	ecx, ds:_KeMaximumIncrement
		cmp	edx, edi
		jb	short loc_43EA54
		ja	short loc_43EA5C
		cmp	eax, ecx
		ja	short loc_43EA5C

loc_43EA54:				; CODE XREF: PopGetIdleTimesCallback+2F0j
					; PopGetIdleTimesCallback+2FAj	...
		mov	ebx, [ebp+arg_8]
		jmp	loc_43E95D
; 

loc_43EA5C:				; CODE XREF: PopGetIdleTimesCallback+33Aj
					; PopGetIdleTimesCallback+33Ej
		push	edi
		push	ecx
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, [esp+54h+var_44]
		mov	edx, [esp+54h+var_18]
		dec	ecx
		mov	ebx, [ebp+arg_8]
		add	ecx, eax
		dec	edx
		mov	[esp+54h+var_44], ecx
		add	edx, eax
		mov	[esp+54h+var_18], edx
		jmp	loc_43E961
PopGetIdleTimesCallback	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmConvertTime	proc near		; CODE XREF: PopGetIdleTimesCallback+1A7p
					; PopGetIdleTimesCallback+1ECp	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005ABBD8 SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		push	esi
		mov	esi, [ebp+arg_4]
		or	eax, esi
		jz	short loc_43EABA
		push	edi
		mov	edi, [ebp+arg_8]
		mov	eax, edi
		or	eax, [ebp+arg_C]
		jz	short loc_43EAB9
		mov	eax, [ebp+arg_14]
		cmp	edi, [ebp+arg_10]
		jnz	short loc_43EAC4
		cmp	[ebp+arg_C], eax
		jnz	short loc_43EAC4

loc_43EAB9:				; CODE XREF: PpmConvertTime+26j
					; PpmConvertTime+69j ...
		pop	edi

loc_43EABA:				; CODE XREF: PpmConvertTime+1Bj
		mov	edx, esi
		mov	eax, ebx
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_43EAC4:				; CODE XREF: PpmConvertTime+2Ej
					; PpmConvertTime+33j
		push	eax
		push	[ebp+arg_10]
		lea	ecx, [ebp+var_8]
		push	esi
		push	ebx
		call	_RtlULongLongMult@20 ; RtlULongLongMult(x,x,x,x,x)
		push	[ebp+arg_C]
		push	edi
		test	eax, eax
		js	loc_5ABBD8
		push	[ebp+var_4]
		push	[ebp+var_8]
		call	__aulldiv
		mov	ebx, eax
		mov	esi, edx
		jmp	short loc_43EAB9
PpmConvertTime	endp

; 
		align 10h

;  S U B	R O U T	I N E 


PpmIdleGetCIndexForState proc near	; CODE XREF: PopGetIdleTimesCallback+125p

; FUNCTION CHUNK AT 005ABC2F SIZE 00000014 BYTES

		movzx	eax, byte ptr [ecx+3Ch]
		sub	eax, 0
		jz	loc_5ABC2F
		sub	eax, 1
		jz	short loc_43EB0B
		sub	eax, 1
		jnz	short loc_43EB0F
		push	2
		pop	eax
		retn
; 

loc_43EB0B:				; CODE XREF: PpmIdleGetCIndexForState+10j
		xor	eax, eax
		inc	eax
		retn
; 

loc_43EB0F:				; CODE XREF: PpmIdleGetCIndexForState+15j
					; PpmIdleGetCIndexForState+16D143j
		push	3
		pop	eax
		retn
PpmIdleGetCIndexForState endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmContinueActiveTimeAccumulation(x, x, x)
_PpmContinueActiveTimeAccumulation@12 proc near	; CODE XREF: PopGetIdleTimesCallback+211p
					; PpmPerfApplyProcessorState+7Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		push	[ebp+arg_4]
		mov	dl, 1
		mov	esi, ecx
		push	[ebp+arg_0]
		call	PpmUpdateTimeAccumulation
		xor	eax, eax
		xor	dl, dl
		push	eax
		push	eax
		push	eax
		mov	ecx, esi
		call	PpmUpdatePerformanceFeedback
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
_PpmContinueActiveTimeAccumulation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmUpdateTimeAccumulation proc near	; CODE XREF: PpmContinueActiveTimeAccumulation(x,x,x)+14p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005ABC43 SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		xor	ebx, ebx
		mov	[ebp+var_28], edi
		rdtsc
		mov	ecx, ebx
		mov	[ebp+var_14], eax
		mov	esi, [edi+3D54h]
		and	esi, 4
		mov	[ebp+var_18], edx
		or	ecx, esi
		jnz	loc_5ABC43
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], ebx

loc_43EB78:				; CODE XREF: PpmUpdateTimeAccumulation+16D10Ej
		cmp	[ebp+var_1], bl
		jz	loc_43EC59
		mov	eax, [ebp+arg_0]
		lea	ecx, [edi+3DE0h]
		sub	eax, [edi+3DD0h]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_4]
		sbb	eax, [edi+3DD4h]
		mov	edi, [ebp+var_10]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], ecx

loc_43EBA5:				; CODE XREF: PpmUpdateTimeAccumulation+88j
					; PpmUpdateTimeAccumulation+8Dj
		mov	esi, [ecx]
		mov	ebx, esi
		mov	edx, [ecx+4]
		add	ebx, edi
		mov	ecx, edx
		mov	[ebp+var_24], edx
		adc	ecx, eax
		mov	eax, esi
		nop
		mov	edi, [ebp+var_8]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_10]
		cmp	eax, esi
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		jnz	short loc_43EBA5
		cmp	edx, [ebp+var_24]
		jnz	short loc_43EBA5
		mov	edi, [ebp+var_28]
		xor	ebx, ebx
		mov	esi, [ebp+var_14]
		mov	eax, ebx
		mov	ecx, [edi+3D54h]
		and	ecx, 4
		or	eax, ecx
		jnz	loc_5ABC55

loc_43EBEC:				; CODE XREF: PpmUpdateTimeAccumulation+11Aj
					; PpmUpdateTimeAccumulation+16D152j
		cmp	[ebp+var_1], 0
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+var_18]
		mov	[edi+3DD0h], eax
		mov	eax, [ebp+arg_4]
		mov	[edi+3DD4h], eax
		jz	short loc_43EC35
		mov	ecx, [edi+3DBCh]
		mov	eax, [edi+3DB8h]
		mov	[ebp+arg_4], ecx
		cmp	edx, ecx
		ja	short loc_43EC20
		jb	short loc_43EC35
		cmp	esi, eax
		jbe	short loc_43EC35

loc_43EC20:				; CODE XREF: PpmUpdateTimeAccumulation+D6j
		mov	ecx, esi
		sub	ecx, eax
		mov	eax, edx
		sbb	eax, [ebp+arg_4]
		add	[edi+3DC0h], ecx
		adc	[edi+3DC4h], eax

loc_43EC35:				; CODE XREF: PpmUpdateTimeAccumulation+C3j
					; PpmUpdateTimeAccumulation+D8j ...
		mov	[edi+3DB8h], esi
		mov	[edi+3DBCh], edx
		mov	eax, [edi+3D54h]
		and	eax, 4
		or	ebx, eax
		jnz	loc_5ABC99

loc_43EC52:				; CODE XREF: PpmUpdateTimeAccumulation+16D169j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_43EC59:				; CODE XREF: PpmUpdateTimeAccumulation+39j
		mov	esi, [ebp+var_14]
		jmp	short loc_43EBEC
PpmUpdateTimeAccumulation endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1224. KeQueryHighestNodeNumber

;  S U B	R O U T	I N E 


; __stdcall KeQueryHighestNodeNumber()
		public _KeQueryHighestNodeNumber@0
_KeQueryHighestNodeNumber@0 proc near	; CODE XREF: ExpQueryNumaProcessorMap+1Fp
					; IoGetDeviceNumaNode(x,x):loc_8B53F2p	...
		mov	ax, ds:_KeNumberNodes
		dec	ax
		retn
_KeQueryHighestNodeNumber@0 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1231. KeQueryNodeActiveAffinity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryNodeActiveAffinity(x, x, x)
		public _KeQueryNodeActiveAffinity@12
_KeQueryNodeActiveAffinity@12 proc near	; CODE XREF: MiCreateColorAnchors(x,x)+3Bp
					; MiGetClosestNodeWithProcessors+13p ...

arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_43EC87
		push	edi
		mov	edi, ecx
		xor	eax, eax
		stosd
		stosd
		stosd
		pop	edi

loc_43EC87:				; CODE XREF: KeQueryNodeActiveAffinity(x,x,x)+Aj
		push	esi
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jnz	short loc_43ECCB

loc_43EC8F:				; CODE XREF: KeQueryNodeActiveAffinity(x,x,x)+5Ej
		mov	ax, [ebp+arg_0]
		cmp	ax, ds:_KeNumberNodes
		jnb	short loc_43ECC6
		movzx	eax, ax
		push	ebx
		lfence	eax
		mov	ebx, ds:_KeNodeBlock[eax*4]
		test	ecx, ecx
		jz	short loc_43ECC1
		mov	ax, [ebx+88h]
		mov	[ecx+4], ax
		mov	eax, [ebx+84h]
		mov	[ecx], eax

loc_43ECC1:				; CODE XREF: KeQueryNodeActiveAffinity(x,x,x)+3Aj
		test	esi, esi
		jnz	short loc_43ECD2

loc_43ECC5:				; CODE XREF: KeQueryNodeActiveAffinity(x,x,x)+9Cj
		pop	ebx

loc_43ECC6:				; CODE XREF: KeQueryNodeActiveAffinity(x,x,x)+28j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_43ECCB:				; CODE XREF: KeQueryNodeActiveAffinity(x,x,x)+1Bj
		xor	eax, eax
		mov	[esi], ax
		jmp	short loc_43EC8F
; 

loc_43ECD2:				; CODE XREF: KeQueryNodeActiveAffinity(x,x,x)+51j
		mov	ebx, [ebx+84h]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	eax, cl
		mov	[esi], ax
		jmp	short loc_43ECC5
_KeQueryNodeActiveAffinity@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsInsertVirtualizedTimer proc near	; CODE XREF: .text:005F2B83p
					; NtCreateTimer+186p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005ABCB0 SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		push	ebx
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], edi
		mov	eax, [ebx+0FCh]
		test	eax, 40000008h
		jnz	loc_43EDD0
		push	esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_1], al
		test	esi, esi
		jz	short loc_43ED66
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [ebx+454h]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_43ED66:				; CODE XREF: PsInsertVirtualizedTimer+39j
		lea	eax, [ebx+458h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_43EDD6
		cmp	[ebp+arg_4], 0
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		jnz	loc_5ABCB0

loc_43ED87:				; CODE XREF: PsInsertVirtualizedTimer+16CFCDj
		mov	edx, 54567350h
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		test	esi, esi
		jz	short loc_43EDCF
		test	ds:byte_70EFC6,	1
		jnz	loc_5ABCE2
		xor	eax, eax
		lock and [esi],	eax

loc_43EDAE:				; CODE XREF: PsInsertVirtualizedTimer+16CFDCj
		add	ebx, 454h
		test	ds:byte_70EFC6,	1
		jnz	loc_5ABCF1
		xor	eax, eax
		lock and [ebx],	eax

loc_43EDC6:				; CODE XREF: PsInsertVirtualizedTimer+16CFEBj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_43EDCF:				; CODE XREF: PsInsertVirtualizedTimer+8Aj
		pop	esi

loc_43EDD0:				; CODE XREF: PsInsertVirtualizedTimer+24j
		pop	edi
		pop	ebx
		leave
		retn	0Ch
; 

loc_43EDD6:				; CODE XREF: PsInsertVirtualizedTimer+61j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PsInsertVirtualizedTimer endp


;  S U B	R O U T	I N E 


; __stdcall RawBeginOperation(x, x)
_RawBeginOperation@8 proc near		; CODE XREF: RawQueryFsVolumeInfo(x,x,x,x)+Bp
					; RawReadWriteDeviceControl+16p ...
		xor	eax, eax
		push	esi
		mov	esi, [ecx+94h]
		inc	eax
		test	esi, esi
		jnz	short loc_43EDF8

loc_43EDEA:				; CODE XREF: RawBeginOperation(x,x)+1Ej
		mov	ecx, [ecx+9Ch]
		mov	edx, eax
		pop	esi
		jmp	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
; 

loc_43EDF8:				; CODE XREF: RawBeginOperation(x,x)+Cj
		cmp	edx, esi
		jnz	short loc_43EDEA
		pop	esi
		retn
_RawBeginOperation@8 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry  34. ExAcquireRundownProtectionCacheAwareEx

;  S U B	R O U T	I N E 


; __fastcall ExAcquireRundownProtectionCacheAwareEx(x, x)
		public @ExAcquireRundownProtectionCacheAwareEx@8
@ExAcquireRundownProtectionCacheAwareEx@8 proc near ; CODE XREF: RawBeginOperation(x,x)+17j
					; EtwpOpenLogger(x,x,x,x)+32p ...
		movzx	eax, large byte	ptr fs:51h
		push	ebx
		push	esi
		mov	esi, edx
		xor	edx, edx
		div	dword ptr [ecx+0Ch]
		imul	edx, [ecx+8]
		add	edx, [ecx]
		mov	ebx, [edx]
		test	bl, 1
		jnz	short loc_43EE42
		mov	edi, edi

loc_43EE30:				; CODE XREF: ExAcquireRundownProtectionCacheAwareEx(x,x)+3Aj
		lea	ecx, [ebx+esi*2]
		mov	eax, ebx
		lock cmpxchg [edx], ecx
		cmp	eax, ebx
		jnz	short loc_43EE46
		mov	al, 1

loc_43EE3F:				; CODE XREF: ExAcquireRundownProtectionCacheAwareEx(x,x)+34j
		pop	esi
		pop	ebx
		retn
; 

loc_43EE42:				; CODE XREF: ExAcquireRundownProtectionCacheAwareEx(x,x)+1Cj
					; ExAcquireRundownProtectionCacheAwareEx(x,x)+3Cj
		xor	al, al
		jmp	short loc_43EE3F
; 

loc_43EE46:				; CODE XREF: ExAcquireRundownProtectionCacheAwareEx(x,x)+2Bj
		mov	ebx, eax
		test	al, 1
		jz	short loc_43EE30
		jmp	short loc_43EE42
@ExAcquireRundownProtectionCacheAwareEx@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry  35. ExAcquireRundownProtectionEx

;  S U B	R O U T	I N E 


		public ExAcquireRundownProtectionEx
ExAcquireRundownProtectionEx proc near	; CODE XREF: PfSnAddProcessTrace(x,x)+1Dp
					; ExReferenceCallBackBlock+52p	...

; FUNCTION CHUNK AT 005ABD00 SIZE 0000000F BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	edx, [esi]
		test	dl, 1
		jnz	short loc_43EE79

loc_43EE63:				; CODE XREF: ExAcquireRundownProtectionEx+16CEB0j
		lea	ecx, [edx+edi*2]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	loc_5ABD00
		mov	al, 1

loc_43EE76:				; CODE XREF: ExAcquireRundownProtectionEx+27j
		pop	edi
		pop	esi
		retn
; 

loc_43EE79:				; CODE XREF: ExAcquireRundownProtectionEx+Dj
					; ExAcquireRundownProtectionEx+16CEB6j
		xor	al, al
		jmp	short loc_43EE76
ExAcquireRundownProtectionEx endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1233. KeQueryPriorityThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryPriorityThread(x)
		public _KeQueryPriorityThread@4
_KeQueryPriorityThread@4 proc near	; CODE XREF: PfSnPrefetchScenario+50p
					; PfSnPrefetchSections+AFp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+150h], offset _KiInitialProcess
		jz	short loc_43EEA1
		movsx	eax, byte ptr [eax+87h]

loc_43EE9D:				; CODE XREF: KeQueryPriorityThread(x)+22j
		pop	ebp
		retn	4
; 

loc_43EEA1:				; CODE XREF: KeQueryPriorityThread(x)+12j
		xor	eax, eax
		inc	eax
		jmp	short loc_43EE9D
_KeQueryPriorityThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmDecompressBuffer proc	near		; CODE XREF: PfSnGetPrefetchInstructions+1C8p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005ABD0F SIZE 00000082 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_14], eax
		push	esi
		push	edi
		mov	edi, ebx
		mov	[ebp+var_1C], edi
		cmp	edx, 8
		jb	loc_5ABD55
		mov	ecx, [ebx]
		sub	edx, 8
		mov	eax, ecx
		mov	[ebp+var_8], edx
		and	eax, 0FFFFFFh
		cmp	eax, (offset loc_4D414C+1)
		jnz	loc_5ABD0F
		test	ecx, ecx
		js	loc_5ABD19
		add	ebx, 8
		mov	[ebp+var_C], ebx

loc_43EEF7:				; CODE XREF: SmDecompressBuffer+16CEA9j
		mov	eax, [ebp+arg_8]
		mov	edi, [edi+4]
		test	eax, eax
		jz	short loc_43EF09
		cmp	edi, [eax]
		ja	loc_5ABD5F

loc_43EF09:				; CODE XREF: SmDecompressBuffer+59j
		mov	eax, [ebp+arg_C]
		push	edi
		call	dword ptr [eax]
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5ABD69
		mov	eax, [ebp+var_1C]
		mov	al, [eax+3]
		and	al, 7Fh
		movzx	eax, al
		mov	[ebp+arg_8], eax
		test	ax, ax
		jz	loc_5ABD73
		lea	ecx, [ebp+var_4]
		push	ecx
		lea	ecx, [ebp+var_20]
		push	ecx
		push	eax
		call	_RtlGetCompressionWorkSpaceSize@12 ; RtlGetCompressionWorkSpaceSize(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_43EF87
		cmp	[ebp+var_4], 0
		jbe	short loc_43EFA9
		mov	eax, [ebp+arg_C]
		push	[ebp+var_4]
		call	dword ptr [eax]
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_43EFA2

loc_43EF59:				; CODE XREF: SmDecompressBuffer+106j
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	edi
		push	ebx
		push	[ebp+arg_8]
		call	_RtlDecompressBufferEx@28 ; RtlDecompressBufferEx(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_43EF87
		cmp	edi, [ebp+var_10]
		jnz	short loc_43EFAE

loc_43EF79:				; CODE XREF: SmDecompressBuffer+16CEE6j
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx
		xor	ebx, ebx
		mov	eax, [ebp+arg_4]
		xor	esi, esi
		mov	[eax], edi

loc_43EF87:				; CODE XREF: SmDecompressBuffer+9Cj
					; SmDecompressBuffer+CCj ...
		test	ebx, ebx
		jnz	short loc_43EFB5
		mov	ebx, [ebp+arg_C]

loc_43EF8E:				; CODE XREF: SmDecompressBuffer+116j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_43EF99
		push	eax
		call	dword ptr [ebx+4]

loc_43EF99:				; CODE XREF: SmDecompressBuffer+EDj
					; SmDecompressBuffer+16CE6Ej ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_43EFA2:				; CODE XREF: SmDecompressBuffer+B1j
		mov	esi, 0C000009Ah
		jmp	short loc_43EF87
; 

loc_43EFA9:				; CODE XREF: SmDecompressBuffer+A2j
		mov	eax, [ebp+var_14]
		jmp	short loc_43EF59
; 

loc_43EFAE:				; CODE XREF: SmDecompressBuffer+D1j
					; SmDecompressBuffer+16CED0j
		mov	esi, 0C0000242h
		jmp	short loc_43EF87
; 

loc_43EFB5:				; CODE XREF: SmDecompressBuffer+E3j
		push	ebx
		mov	ebx, [ebp+arg_C]
		call	dword ptr [ebx+4]
		jmp	short loc_43EF8E
SmDecompressBuffer endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2024. RtlDecompressBufferEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDecompressBufferEx(x, x,	x, x, x, x, x)
		public _RtlDecompressBufferEx@28
_RtlDecompressBufferEx@28 proc near	; CODE XREF: SmDecompressBuffer+C3p
					; ST_STORE_SM_TRAITS___StDmSinglePageCopy+13Bp	...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, [ebp+arg_0]
		test	ax, ax
		jz	short loc_43F002
		cmp	eax, 1
		jz	short loc_43F002
		cmp	eax, 4
		ja	short loc_43EFFB
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	ds:_RtlDecompressBufferProcs[eax*4]

loc_43EFF7:				; CODE XREF: RtlDecompressBufferEx(x,x,x,x,x,x,x)+3Cj
					; RtlDecompressBufferEx(x,x,x,x,x,x,x)+43j
		pop	ebp
		retn	1Ch
; 

loc_43EFFB:				; CODE XREF: RtlDecompressBufferEx(x,x,x,x,x,x,x)+16j
		mov	eax, 0C000025Fh
		jmp	short loc_43EFF7
; 

loc_43F002:				; CODE XREF: RtlDecompressBufferEx(x,x,x,x,x,x,x)+Cj
					; RtlDecompressBufferEx(x,x,x,x,x,x,x)+11j
		mov	eax, 0C000000Dh
		jmp	short loc_43EFF7
_RtlDecompressBufferEx@28 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlDecompressBufferXpressHuff proc near	; DATA XREF: .text:00403FACo

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005ABD91 SIZE 0000008D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_18]
		sub	esp, 10h
		test	eax, eax
		jz	loc_5ABD91
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		add	edx, ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		lea	esi, [eax+3]
		mov	[ebp+arg_18], edx
		and	esi, 0FFFFFFFCh
		add	[ebp+arg_4], ebx
		push	edi
		mov	[ebp+var_C], esi
		mov	edi, ebx

loc_43F042:				; CODE XREF: RtlDecompressBufferXpressHuff+3FAj
		mov	eax, edx
		sub	eax, ecx
		cmp	eax, 104h
		jl	loc_43F2AB
		mov	edx, ecx
		mov	ecx, esi
		call	XpressBuildHuffmanDecodingTable
		test	eax, eax
		jnz	loc_43F4AB
		mov	ecx, [ebp+arg_8]
		lea	ebx, [eax+10h]
		movzx	eax, word ptr [ecx+102h]
		movzx	esi, word ptr [ecx+100h]
		add	ecx, 104h
		shl	esi, 10h
		add	esi, eax
		mov	[ebp+arg_8], ecx
		mov	eax, [ebp+arg_4]
		lea	ecx, [edi+10000h]
		mov	[ebp+arg_C], ecx
		cmp	ecx, eax
		jbe	short loc_43F099
		mov	ecx, eax
		mov	[ebp+arg_C], eax

loc_43F099:				; CODE XREF: RtlDecompressBufferXpressHuff+82j
		lea	eax, [ecx-0BCh]
		cmp	edi, eax
		jnb	loc_43F2EA

loc_43F0A7:				; CODE XREF: RtlDecompressBufferXpressHuff+D4j
					; RtlDecompressBufferXpressHuff+18Bj ...
		mov	edx, [ebp+var_C]
		mov	eax, esi
		shr	eax, 16h
		movzx	eax, word ptr [edx+eax*2+420h]
		test	ax, ax
		jle	loc_43F218
		mov	ecx, eax
		and	ecx, 0Fh
		shl	esi, cl
		sub	ebx, ecx

loc_43F0C9:				; CODE XREF: RtlDecompressBufferXpressHuff+229j
		sar	ax, 4
		mov	ecx, 100h
		sub	ax, cx
		movzx	edx, ax
		test	ebx, ebx
		js	short loc_43F0E6

loc_43F0DC:				; CODE XREF: RtlDecompressBufferXpressHuff+107j
		test	dx, dx
		jns	short loc_43F119
		mov	[edi], dl
		inc	edi
		jmp	short loc_43F0A7
; 

loc_43F0E6:				; CODE XREF: RtlDecompressBufferXpressHuff+CAj
		mov	eax, [ebp+arg_C]
		add	eax, 0FFFFFF44h
		cmp	edi, eax
		jnb	loc_43F2C7
		mov	ecx, [ebp+arg_8]
		lea	eax, [ecx+1]
		cmp	eax, [ebp+arg_18]
		jnb	loc_43F4AB
		movzx	eax, word ptr [ecx]
		mov	ecx, ebx
		add	[ebp+arg_8], 2
		neg	ecx
		shl	eax, cl
		add	esi, eax
		add	ebx, 10h
		jmp	short loc_43F0DC
; 

loc_43F119:				; CODE XREF: RtlDecompressBufferXpressHuff+CFj
		jz	loc_43F446

loc_43F11F:				; CODE XREF: RtlDecompressBufferXpressHuff+43Cj
					; RtlDecompressBufferXpressHuff+16CD94j
		movsx	ecx, dx
		mov	eax, ecx
		cdq
		and	edx, 0Fh
		add	eax, edx
		sar	eax, 4
		mov	[ebp+var_4], eax
		and	ecx, 8000000Fh
		jns	short loc_43F13D
		dec	ecx
		or	ecx, 0FFFFFFF0h
		inc	ecx

loc_43F13D:				; CODE XREF: RtlDecompressBufferXpressHuff+126j
		cmp	ecx, 0Fh
		jz	loc_43F241

loc_43F146:				; CODE XREF: RtlDecompressBufferXpressHuff+253j
		mov	[ebp+var_10], ecx
		mov	edx, esi
		add	ecx, 3
		mov	[ebp+var_8], ecx
		mov	ecx, 1Fh
		sub	ecx, eax
		mov	eax, 1
		shr	edx, cl
		mov	ecx, [ebp+var_4]
		shr	edx, 1
		shl	eax, cl
		shl	esi, cl
		add	edx, eax
		sub	ebx, ecx
		mov	[ebp+var_4], esi
		js	short loc_43F1A0

loc_43F171:				; CODE XREF: RtlDecompressBufferXpressHuff+1C4j
		mov	ecx, edi
		sub	ecx, edx
		cmp	ecx, [ebp+arg_0]
		jb	loc_43F4AB
		cmp	edx, 4
		jb	loc_43F268
		mov	edx, [ebp+var_8]

loc_43F18A:				; CODE XREF: RtlDecompressBufferXpressHuff+290j
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		cmp	edx, 9
		jnb	short loc_43F1D6

loc_43F199:				; CODE XREF: RtlDecompressBufferXpressHuff+1FBj
		add	edi, edx
		jmp	loc_43F0A7
; 

loc_43F1A0:				; CODE XREF: RtlDecompressBufferXpressHuff+15Fj
		mov	eax, [ebp+arg_C]
		add	eax, 0FFFFFF44h
		cmp	edi, eax
		jnb	loc_43F3AE
		mov	ecx, [ebp+arg_8]
		lea	eax, [ecx+1]
		cmp	eax, [ebp+arg_18]
		jnb	loc_43F4AB
		movzx	eax, word ptr [ecx]
		mov	ecx, ebx
		add	[ebp+arg_8], 2
		neg	ecx
		shl	eax, cl
		add	esi, eax
		add	ebx, 10h
		mov	[ebp+var_4], esi
		jmp	short loc_43F171
; 

loc_43F1D6:				; CODE XREF: RtlDecompressBufferXpressHuff+187j
		add	edi, 8
		add	ecx, 8
		sub	edx, 8

loc_43F1DF:				; CODE XREF: RtlDecompressBufferXpressHuff+206j
		mov	eax, [ebp+arg_C]
		add	eax, 0FFFFFF44h
		mov	[ebp+var_10], ecx
		cmp	edi, eax
		jnb	loc_43F489
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		mov	eax, [ecx+8]
		mov	[edi+8], eax
		mov	eax, [ecx+0Ch]
		mov	[edi+0Ch], eax
		cmp	edx, 11h
		jb	short loc_43F199
		add	edi, 10h
		add	ecx, 10h
		sub	edx, 10h
		jmp	short loc_43F1DF
; 

loc_43F218:				; CODE XREF: RtlDecompressBufferXpressHuff+AAj
		shl	esi, 0Ah
		sub	ebx, 0Ah
		mov	edi, edi

loc_43F220:				; CODE XREF: RtlDecompressBufferXpressHuff+22Fj
		mov	ecx, esi
		dec	ebx
		shr	ecx, 1Fh
		add	esi, esi
		sub	ecx, eax
		movzx	eax, cx
		cwde
		movzx	eax, word ptr [edx+eax*2+0C20h]
		test	ax, ax
		jg	loc_43F0C9
		jmp	short loc_43F220
; 

loc_43F241:				; CODE XREF: RtlDecompressBufferXpressHuff+130j
		mov	edx, [ebp+arg_8]
		cmp	edx, [ebp+arg_18]
		jnb	loc_43F4AB
		movzx	ecx, byte ptr [edx]
		inc	edx
		mov	[ebp+arg_8], edx
		cmp	ecx, 0FFh
		jz	loc_43F457

loc_43F260:				; CODE XREF: RtlDecompressBufferXpressHuff+474j
		add	ecx, 0Fh
		jmp	loc_43F146
; 

loc_43F268:				; CODE XREF: RtlDecompressBufferXpressHuff+171j
		movzx	eax, byte ptr [ecx]
		mov	[edi], al
		sub	edx, 1
		jz	short loc_43F288
		movzx	eax, byte ptr [ecx+1]
		mov	[edi+1], al
		sub	edx, 1
		jz	loc_43F436
		movzx	eax, byte ptr [ecx+2]
		jmp	short loc_43F291
; 

loc_43F288:				; CODE XREF: RtlDecompressBufferXpressHuff+260j
		movzx	eax, byte ptr [ecx]
		mov	[edi+1], al
		movzx	eax, byte ptr [ecx]

loc_43F291:				; CODE XREF: RtlDecompressBufferXpressHuff+276j
		mov	edx, [ebp+var_10]
		mov	[edi+2], al
		mov	eax, 3

loc_43F29C:				; CODE XREF: RtlDecompressBufferXpressHuff+431j
		add	edi, eax
		test	edx, edx
		jnz	loc_43F18A
		jmp	loc_43F0A7
; 

loc_43F2AB:				; CODE XREF: RtlDecompressBufferXpressHuff+3Bj
		cmp	edi, [ebp+arg_4]
		jnz	loc_43F4AB

loc_43F2B4:				; CODE XREF: RtlDecompressBufferXpressHuff+16CD8Ej
					; RtlDecompressBufferXpressHuff+16CDB5j
		mov	eax, [ebp+arg_14]
		sub	edi, [ebp+arg_0]
		mov	[eax], edi
		xor	eax, eax

loc_43F2BE:				; CODE XREF: RtlDecompressBufferXpressHuff+4A0j
		pop	edi
		pop	esi
		pop	ebx

loc_43F2C1:				; CODE XREF: RtlDecompressBufferXpressHuff+16CD86j
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_43F2C7:				; CODE XREF: RtlDecompressBufferXpressHuff+E0j
					; RtlDecompressBufferXpressHuff+315j
		mov	ecx, [ebp+arg_8]
		lea	eax, [ecx+1]
		cmp	eax, [ebp+arg_18]
		jnb	loc_43F4AB
		movzx	eax, word ptr [ecx]
		mov	ecx, ebx
		add	[ebp+arg_8], 2
		neg	ecx
		shl	eax, cl
		add	esi, eax
		add	ebx, 10h
		jmp	short loc_43F327
; 

loc_43F2EA:				; CODE XREF: RtlDecompressBufferXpressHuff+91j
					; RtlDecompressBufferXpressHuff+322j
		cmp	edi, ecx
		jnb	loc_43F401
		mov	ecx, [ebp+var_C]
		mov	eax, esi
		shr	eax, 16h
		movzx	edx, word ptr [ecx+eax*2+420h]
		test	dx, dx
		jle	loc_43F3D4
		mov	ecx, edx
		and	ecx, 0Fh
		shl	esi, cl
		sub	ebx, ecx

loc_43F314:				; CODE XREF: RtlDecompressBufferXpressHuff+3E9j
		sar	dx, 4
		mov	eax, 100h
		sub	dx, ax
		movzx	edx, dx
		test	ebx, ebx
		js	short loc_43F2C7

loc_43F327:				; CODE XREF: RtlDecompressBufferXpressHuff+2D8j
		test	dx, dx
		jns	short loc_43F334
		mov	[edi], dl
		inc	edi

loc_43F32F:				; CODE XREF: RtlDecompressBufferXpressHuff+39Cj
		mov	ecx, [ebp+arg_C]
		jmp	short loc_43F2EA
; 

loc_43F334:				; CODE XREF: RtlDecompressBufferXpressHuff+31Aj
		jz	loc_43F49A

loc_43F33A:				; CODE XREF: RtlDecompressBufferXpressHuff+490j
					; RtlDecompressBufferXpressHuff+16CDBBj
		movsx	ecx, dx
		mov	eax, ecx
		cdq
		and	edx, 0Fh
		add	eax, edx
		sar	eax, 4
		mov	[ebp+var_10], eax
		and	ecx, 8000000Fh
		jns	short loc_43F358
		dec	ecx
		or	ecx, 0FFFFFFF0h
		inc	ecx

loc_43F358:				; CODE XREF: RtlDecompressBufferXpressHuff+341j
		cmp	ecx, 0Fh
		jz	loc_43F40F

loc_43F361:				; CODE XREF: RtlDecompressBufferXpressHuff+421j
		add	ecx, 3
		mov	edx, esi
		mov	[ebp+var_8], ecx
		mov	ecx, 1Fh
		sub	ecx, eax
		mov	eax, 1
		shr	edx, cl
		mov	ecx, [ebp+var_10]
		shr	edx, 1
		shl	eax, cl
		shl	esi, cl
		add	edx, eax
		sub	ebx, ecx
		mov	[ebp+var_4], esi
		js	short loc_43F3AE

loc_43F389:				; CODE XREF: RtlDecompressBufferXpressHuff+3C2j
		mov	esi, edi
		sub	esi, edx
		cmp	esi, [ebp+arg_0]
		jb	loc_43F4AB
		mov	ecx, [ebp+var_8]
		lea	eax, [ecx+edi]
		cmp	eax, [ebp+arg_4]
		ja	loc_43F4AB

loc_43F3A5:				; CODE XREF: RtlDecompressBufferXpressHuff+485j
		rep movsb
		mov	esi, [ebp+var_4]
		mov	edi, eax
		jmp	short loc_43F32F
; 

loc_43F3AE:				; CODE XREF: RtlDecompressBufferXpressHuff+19Aj
					; RtlDecompressBufferXpressHuff+377j
		mov	ecx, [ebp+arg_8]
		lea	eax, [ecx+1]
		cmp	eax, [ebp+arg_18]
		jnb	loc_43F4AB
		movzx	eax, word ptr [ecx]
		mov	ecx, ebx
		add	[ebp+arg_8], 2
		neg	ecx
		shl	eax, cl
		add	esi, eax
		add	ebx, 10h
		mov	[ebp+var_4], esi
		jmp	short loc_43F389
; 

loc_43F3D4:				; CODE XREF: RtlDecompressBufferXpressHuff+2F5j
		shl	esi, 0Ah
		sub	ebx, 0Ah
		lea	ebx, [ebx+0]

loc_43F3E0:				; CODE XREF: RtlDecompressBufferXpressHuff+3EFj
		mov	eax, esi
		dec	ebx
		shr	eax, 1Fh
		add	esi, esi
		sub	eax, edx
		movzx	eax, ax
		cwde
		movzx	edx, word ptr [ecx+eax*2+0C20h]
		test	dx, dx
		jg	loc_43F314
		jmp	short loc_43F3E0
; 

loc_43F401:				; CODE XREF: RtlDecompressBufferXpressHuff+2DCj
		mov	ecx, [ebp+arg_8]
		mov	esi, [ebp+var_C]
		mov	edx, [ebp+arg_18]
		jmp	loc_43F042
; 

loc_43F40F:				; CODE XREF: RtlDecompressBufferXpressHuff+34Bj
		mov	edx, [ebp+arg_8]
		cmp	edx, [ebp+arg_18]
		jnb	loc_43F4AB
		movzx	ecx, byte ptr [edx]
		inc	edx
		mov	[ebp+arg_8], edx
		cmp	ecx, 0FFh
		jz	loc_5ABDD0

loc_43F42E:				; CODE XREF: RtlDecompressBufferXpressHuff+16CE09j
		add	ecx, 0Fh
		jmp	loc_43F361
; 

loc_43F436:				; CODE XREF: RtlDecompressBufferXpressHuff+26Cj
		mov	edx, [ebp+var_8]
		mov	eax, 2
		sub	edx, 2
		jmp	loc_43F29C
; 

loc_43F446:				; CODE XREF: RtlDecompressBufferXpressHuff:loc_43F119j
		mov	ecx, [ebp+arg_8]
		cmp	ecx, [ebp+arg_18]
		jb	loc_43F11F
		jmp	loc_5ABD9B
; 

loc_43F457:				; CODE XREF: RtlDecompressBufferXpressHuff+24Aj
		lea	eax, [edx+1]
		cmp	eax, [ebp+arg_18]
		jnb	short loc_43F4AB
		movzx	ecx, word ptr [edx]
		add	edx, 2
		mov	[ebp+arg_8], edx
		test	ecx, ecx
		jz	loc_5ABDA9

loc_43F470:				; CODE XREF: RtlDecompressBufferXpressHuff+16CDADj
		cmp	ecx, 0Fh
		jb	short loc_43F4AB
		lea	eax, [edi+3]
		add	eax, ecx
		cmp	eax, edi
		jb	short loc_43F4AB
		mov	eax, [ebp+var_4]
		sub	ecx, 0Fh
		jmp	loc_43F260
; 

loc_43F489:				; CODE XREF: RtlDecompressBufferXpressHuff+1DCj
		lea	eax, [edx+edi]
		cmp	eax, [ebp+arg_4]
		ja	short loc_43F4AB
		mov	esi, ecx
		mov	ecx, edx
		jmp	loc_43F3A5
; 

loc_43F49A:				; CODE XREF: RtlDecompressBufferXpressHuff:loc_43F334j
		mov	ecx, [ebp+arg_8]
		cmp	ecx, [ebp+arg_18]
		jb	loc_43F33A
		jmp	loc_5ABDC2
; 

loc_43F4AB:				; CODE XREF: RtlDecompressBufferXpressHuff+4Cj
					; RtlDecompressBufferXpressHuff+EFj ...
		mov	eax, 0C0000242h
		jmp	loc_43F2BE
RtlDecompressBufferXpressHuff endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

XpressBuildHuffmanDecodingTable	proc near ; CODE XREF: RtlDecompressBufferXpressHuff+45p
					; RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+84p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005ABE1E SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ecx
		mov	ecx, 8
		push	ebx
		push	esi
		push	edi
		lea	edi, [eax+400h]
		mov	[ebp+var_4], eax
		mov	eax, 2000200h
		mov	ebx, edx
		rep stosd
		xor	eax, eax
		xor	esi, esi
		jmp	short loc_43F4F0
; 
		align 10h

loc_43F4F0:				; CODE XREF: XpressBuildHuffmanDecodingTable+28j
					; XpressBuildHuffmanDecodingTable+8Bj
		mov	cl, [eax+ebx]
		movzx	edx, cl
		and	edx, 0Fh
		jz	short loc_43F518
		mov	edi, [ebp+var_4]
		mov	cx, [edi+edx*2+400h]
		mov	[edi+eax*4], cx
		lea	ecx, [esi+esi]
		mov	[edi+edx*2+400h], cx
		mov	cl, [eax+ebx]

loc_43F518:				; CODE XREF: XpressBuildHuffmanDecodingTable+39j
		movzx	edx, cl
		shr	edx, 4
		test	edx, edx
		jz	short loc_43F541
		mov	edi, [ebp+var_4]
		mov	cx, [edi+edx*2+400h]
		mov	[edi+eax*4+2], cx
		lea	eax, ds:1[esi*2]
		mov	[edi+edx*2+400h], ax

loc_43F541:				; CODE XREF: XpressBuildHuffmanDecodingTable+60j
		lea	eax, [esi+1]
		mov	esi, eax
		cmp	eax, 100h
		jb	short loc_43F4F0
		mov	edi, [ebp+var_4]
		mov	ecx, 0FFFFFC00h
		mov	esi, 400h
		mov	[ebp+var_8], 0Fh
		xor	ebx, ebx
		lea	eax, [edi+41Eh]
		lea	edx, [ecx+1]
		mov	[ebp+var_C], eax
		nop

loc_43F570:				; CODE XREF: XpressBuildHuffmanDecodingTable+EFj
		cmp	dx, cx
		jl	loc_43F79F

loc_43F579:				; CODE XREF: XpressBuildHuffmanDecodingTable+2FFj
		jz	loc_5ABE63
		lea	eax, [ecx+1]
		movzx	edx, ax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_10], edx
		movzx	ecx, word ptr [eax]
		cmp	ecx, 200h
		jnz	loc_43F735

loc_43F59A:				; CODE XREF: XpressBuildHuffmanDecodingTable+29Fj
		sub	[ebp+var_C], 2
		mov	eax, esi
		neg	eax
		movzx	ecx, ax
		mov	eax, [ebp+var_8]
		dec	eax
		mov	[ebp+var_8], eax
		cmp	eax, 0Ah
		ja	short loc_43F570
		mov	esi, 3FFh
		cmp	dx, cx
		jge	short loc_43F5D0
		lea	eax, [edi+0C1Eh]

loc_43F5C1:				; CODE XREF: XpressBuildHuffmanDecodingTable+10Ej
		mov	[eax], dx
		lea	eax, [eax-2]
		add	edx, 2
		dec	esi
		cmp	dx, cx
		jl	short loc_43F5C1

loc_43F5D0:				; CODE XREF: XpressBuildHuffmanDecodingTable+F9j
		jz	loc_5ABE63
		xor	ecx, ecx
		add	edi, 414h
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edi
		lea	edx, [ecx+0Ah]
		jmp	short loc_43F5F0
; 
		align 10h

loc_43F5F0:				; CODE XREF: XpressBuildHuffmanDecodingTable+127j
					; XpressBuildHuffmanDecodingTable+1B0j
		movzx	edi, word ptr [edi]
		cmp	edi, 200h
		jz	loc_43F72D
		nop

loc_43F600:				; CODE XREF: XpressBuildHuffmanDecodingTable+1A0j
		mov	eax, edi
		shl	eax, 4
		add	eax, edx
		movzx	ebx, ax
		test	ecx, ecx
		jnz	loc_5ABE63
		mov	ecx, 0Ah
		lea	eax, [esi+1]
		sub	ecx, edx
		shl	eax, cl
		cmp	eax, 400h
		ja	loc_5ABE63
		mov	eax, esi
		shl	eax, cl
		jmp	ds:off_43F850[ecx*4]

loc_43F634:				; DATA XREF: .text:0043F854o
		mov	ecx, [ebp+var_4]

loc_43F637:				; CODE XREF: XpressBuildHuffmanDecodingTable+1DFj
		mov	[ecx+eax*2+422h], bx

loc_43F63F:				; CODE XREF: XpressBuildHuffmanDecodingTable+1CAj
		mov	[ecx+eax*2+420h], bx

loc_43F647:				; CODE XREF: XpressBuildHuffmanDecodingTable+238j
					; XpressBuildHuffmanDecodingTable+268j	...
		test	esi, esi
		jz	loc_43F764
		mov	ecx, [ebp+var_C]

loc_43F652:				; CODE XREF: XpressBuildHuffmanDecodingTable+2ACj
		mov	eax, [ebp+var_4]
		dec	esi
		movzx	edi, word ptr [eax+edi*2]
		cmp	edi, 200h
		jnz	short loc_43F600

loc_43F662:				; CODE XREF: XpressBuildHuffmanDecodingTable+270j
		mov	edi, [ebp+var_8]
		sub	edi, 2
		shr	esi, 1
		mov	[ebp+var_8], edi
		sub	edx, 1
		jnz	loc_43F5F0
		test	ecx, ecx
		jz	loc_5ABE1E

loc_43F67E:				; CODE XREF: XpressBuildHuffmanDecodingTable+16C99Ej
		xor	eax, eax

loc_43F680:				; CODE XREF: XpressBuildHuffmanDecodingTable+16C9A8j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_43F687:				; CODE XREF: XpressBuildHuffmanDecodingTable+16Dj
					; DATA XREF: .text:off_43F850o
		mov	ecx, [ebp+var_4]
		jmp	short loc_43F63F
; 

loc_43F68C:				; CODE XREF: XpressBuildHuffmanDecodingTable+16Dj
					; DATA XREF: .text:0043F858o
		mov	ecx, [ebp+var_4]

loc_43F68F:				; CODE XREF: XpressBuildHuffmanDecodingTable+204j
		mov	[ecx+eax*2+426h], bx
		mov	[ecx+eax*2+424h], bx
		jmp	short loc_43F637
; 

loc_43F6A1:				; CODE XREF: XpressBuildHuffmanDecodingTable+16Dj
					; DATA XREF: .text:0043F85Co
		mov	ecx, [ebp+var_4]
		mov	[ecx+eax*2+42Eh], bx
		mov	[ecx+eax*2+42Ch], bx
		mov	[ecx+eax*2+42Ah], bx
		mov	[ecx+eax*2+428h], bx
		jmp	short loc_43F68F
; 

loc_43F6C6:				; CODE XREF: XpressBuildHuffmanDecodingTable+16Dj
					; DATA XREF: .text:0043F860o
		mov	ecx, [ebp+var_4]
		add	ecx, 422h
		lea	eax, [ecx+eax*2]
		mov	ecx, 4
		jmp	short loc_43F6E0
; 
		align 10h

loc_43F6E0:				; CODE XREF: XpressBuildHuffmanDecodingTable+217j
					; XpressBuildHuffmanDecodingTable+236j
		mov	[eax-2], bx
		lea	eax, [eax+8]
		mov	[eax-8], bx
		mov	[eax-6], bx
		mov	[eax-4], bx
		sub	ecx, 1
		jnz	short loc_43F6E0
		jmp	loc_43F647
; 

loc_43F6FD:				; CODE XREF: XpressBuildHuffmanDecodingTable+16Dj
					; DATA XREF: .text:0043F864o
		mov	ecx, [ebp+var_4]
		add	ecx, 422h
		lea	eax, [ecx+eax*2]
		mov	ecx, 8
		mov	edi, edi

loc_43F710:				; CODE XREF: XpressBuildHuffmanDecodingTable+266j
		mov	[eax-2], bx
		lea	eax, [eax+8]
		mov	[eax-8], bx
		mov	[eax-6], bx
		mov	[eax-4], bx
		sub	ecx, 1
		jnz	short loc_43F710
		jmp	loc_43F647
; 

loc_43F72D:				; CODE XREF: XpressBuildHuffmanDecodingTable+139j
		mov	eax, [ebp+var_4]
		jmp	loc_43F662
; 

loc_43F735:				; CODE XREF: XpressBuildHuffmanDecodingTable+D4j
		lea	edx, [edi+0C20h]
		lea	edx, [edx+esi*2]
		mov	edi, edi

loc_43F740:				; CODE XREF: XpressBuildHuffmanDecodingTable+29Aj
		mov	eax, ecx
		lea	edx, [edx-2]
		shl	eax, 4
		dec	esi
		add	eax, [ebp+var_8]
		mov	[edx+2], ax
		movzx	ecx, word ptr [edi+ecx*2]
		cmp	ecx, 200h
		jnz	short loc_43F740
		mov	edx, [ebp+var_10]
		jmp	loc_43F59A
; 

loc_43F764:				; CODE XREF: XpressBuildHuffmanDecodingTable+189j
		mov	ecx, 1
		mov	[ebp+var_C], ecx
		jmp	loc_43F652
; 

loc_43F771:				; CODE XREF: XpressBuildHuffmanDecodingTable+16Dj
					; DATA XREF: .text:0043F868o
		mov	ecx, [ebp+var_4]
		add	ecx, 422h
		lea	eax, [ecx+eax*2]
		mov	ecx, 10h

loc_43F782:				; CODE XREF: XpressBuildHuffmanDecodingTable+2D8j
		mov	[eax-2], bx
		lea	eax, [eax+8]
		mov	[eax-8], bx
		mov	[eax-6], bx
		mov	[eax-4], bx
		sub	ecx, 1
		jnz	short loc_43F782
		jmp	loc_43F647
; 

loc_43F79F:				; CODE XREF: XpressBuildHuffmanDecodingTable+B3j
		lea	eax, [edi+0C20h]
		lea	eax, [eax+esi*2]
		jmp	short loc_43F7B0
; 
		align 10h

loc_43F7B0:				; CODE XREF: XpressBuildHuffmanDecodingTable+2E8j
					; XpressBuildHuffmanDecodingTable+2FDj
		mov	[eax], dx
		lea	eax, [eax-2]
		add	edx, 2
		dec	esi
		cmp	dx, cx
		jl	short loc_43F7B0
		jmp	loc_43F579
; 

loc_43F7C4:				; CODE XREF: XpressBuildHuffmanDecodingTable+16Dj
					; DATA XREF: .text:0043F86Co
		mov	ecx, [ebp+var_4]
		add	ecx, 422h
		lea	eax, [ecx+eax*2]
		mov	ecx, 20h

loc_43F7D5:				; CODE XREF: XpressBuildHuffmanDecodingTable+32Bj
		mov	[eax-2], bx
		lea	eax, [eax+8]
		mov	[eax-8], bx
		mov	[eax-6], bx
		mov	[eax-4], bx
		sub	ecx, 1
		jnz	short loc_43F7D5
		jmp	loc_43F647
; 

loc_43F7F2:				; CODE XREF: XpressBuildHuffmanDecodingTable+16Dj
					; DATA XREF: .text:0043F870o
		mov	ecx, [ebp+var_4]
		add	ecx, 422h
		lea	eax, [ecx+eax*2]
		mov	ecx, 40h

loc_43F803:				; CODE XREF: XpressBuildHuffmanDecodingTable+359j
		mov	[eax-2], bx
		lea	eax, [eax+8]
		mov	[eax-8], bx
		mov	[eax-6], bx
		mov	[eax-4], bx
		sub	ecx, 1
		jnz	short loc_43F803
		jmp	loc_43F647
; 

loc_43F820:				; CODE XREF: XpressBuildHuffmanDecodingTable+16Dj
					; DATA XREF: .text:0043F874o
		mov	ecx, [ebp+var_4]
		add	ecx, 422h
		lea	eax, [ecx+eax*2]
		mov	ecx, 80h

loc_43F831:				; CODE XREF: XpressBuildHuffmanDecodingTable+387j
		mov	[eax-2], bx
		lea	eax, [eax+8]
		mov	[eax-8], bx
		mov	[eax-6], bx
		mov	[eax-4], bx
		sub	ecx, 1
		jnz	short loc_43F831
		jmp	loc_43F647
XpressBuildHuffmanDecodingTable	endp

; 
		align 10h
off_43F850	dd offset loc_43F687	; DATA XREF: XpressBuildHuffmanDecodingTable+16Dr
		dd offset loc_43F634
		dd offset loc_43F68C
		dd offset loc_43F6A1
		dd offset loc_43F6C6
		dd offset loc_43F6FD
		dd offset loc_43F771
		dd offset loc_43F7C4
		dd offset loc_43F7F2
		dd offset loc_43F820
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2114. RtlGetCompressionWorkSpaceSize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetCompressionWorkSpaceSize(x, x, x)
		public _RtlGetCompressionWorkSpaceSize@12
_RtlGetCompressionWorkSpaceSize@12 proc	near ; CODE XREF: SmDecompressBuffer+93p
					; ST_STORE_SM_TRAITS___StStart+18Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, cl
		test	cl, cl
		jz	short loc_43F8B6
		cmp	eax, 1
		jz	short loc_43F8B6
		cmp	eax, 4
		ja	short loc_43F8AF
		push	[ebp+arg_8]
		and	ecx, 0FF00h
		push	[ebp+arg_4]
		push	ecx
		call	ds:_RtlWorkSpaceProcs[eax*4]

loc_43F8AB:				; CODE XREF: RtlGetCompressionWorkSpaceSize(x,x,x)+36j
					; RtlGetCompressionWorkSpaceSize(x,x,x)+3Dj
		pop	ebp
		retn	0Ch
; 

loc_43F8AF:				; CODE XREF: RtlGetCompressionWorkSpaceSize(x,x,x)+17j
		mov	eax, 0C000025Fh
		jmp	short loc_43F8AB
; 

loc_43F8B6:				; CODE XREF: RtlGetCompressionWorkSpaceSize(x,x,x)+Dj
					; RtlGetCompressionWorkSpaceSize(x,x,x)+12j
		mov	eax, 0C000000Dh
		jmp	short loc_43F8AB
_RtlGetCompressionWorkSpaceSize@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCompressWorkSpaceSizeXpressHuff(x, x, x)
_RtlCompressWorkSpaceSizeXpressHuff@12 proc near ; DATA	XREF: .text:00403FC0o

arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ax, [ebp+arg_0]
		test	ax, ax
		jnz	short loc_43F8E6
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 1E2B7h
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 1425h
		xor	eax, eax

loc_43F8E2:				; CODE XREF: RtlCompressWorkSpaceSizeXpressHuff(x,x,x)+4Dj
		pop	ebp
		retn	0Ch
; 

loc_43F8E6:				; CODE XREF: RtlCompressWorkSpaceSizeXpressHuff(x,x,x)+Cj
		mov	ecx, 100h
		cmp	ax, cx
		jnz	short loc_43F908
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 0B6B27h
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 1425h
		xor	eax, eax
		pop	ebp
		retn	0Ch
; 

loc_43F908:				; CODE XREF: RtlCompressWorkSpaceSizeXpressHuff(x,x,x)+2Ej
		mov	eax, 0C00000BBh
		jmp	short loc_43F8E2
_RtlCompressWorkSpaceSizeXpressHuff@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiRecomputeGroupSchedulingRank(x, x, x)
_KiRecomputeGroupSchedulingRank@12 proc	near ; CODE XREF: KiUpdateGroupSchedulingRank+E7p
					; KiGroupSchedulingQuantumEnd+192p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_KiChargeSchedulingGroupCycleTime@8 ; KiChargeSchedulingGroupCycleTime(x,x)
		mov	ecx, [esi+8]
		mov	eax, ds:dword_705144
		inc	dword ptr [edi+60h]
		mul	ecx
		mov	esi, eax
		mov	eax, ds:_KiCycleDivisorShortTerm
		mul	ecx
		mov	ecx, [edi+64h]
		add	esi, edx
		shrd	eax, esi, 7
		shr	esi, 7
		add	[edi+18h], eax
		mov	ebx, [edi+18h]
		adc	[edi+1Ch], esi
		mov	[ebp+var_4], eax
		mov	eax, [edi+1Ch]
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jz	short loc_43F96B
		lock inc dword ptr [ecx]
		mov	eax, [edi+1Ch]
		mov	ebx, [edi+18h]
		mov	[ebp+var_8], eax

loc_43F96B:				; CODE XREF: KiRecomputeGroupSchedulingRank(x,x,x)+4Dj
		mov	edx, [edi+4]
		mov	ecx, [edi]
		cmp	edx, eax
		jb	short loc_43F97A
		ja	short loc_43F995
		cmp	ecx, ebx
		ja	short loc_43F995

loc_43F97A:				; CODE XREF: KiRecomputeGroupSchedulingRank(x,x,x)+62j
					; KiRecomputeGroupSchedulingRank(x,x,x)+B7j ...
		test	byte ptr [edi+5Ch], 1
		jnz	short loc_43F987

loc_43F980:				; CODE XREF: KiRecomputeGroupSchedulingRank(x,x,x)+83j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_43F987:				; CODE XREF: KiRecomputeGroupSchedulingRank(x,x,x)+6Ej
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		push	1
		call	KiResortScbQueue
		jmp	short loc_43F980
; 

loc_43F995:				; CODE XREF: KiRecomputeGroupSchedulingRank(x,x,x)+64j
					; KiRecomputeGroupSchedulingRank(x,x,x)+68j
		push	esi
		push	[ebp+var_4]
		sub	ecx, ebx
		sbb	edx, eax
		push	edx
		push	ecx
		call	_KiGetIntervalDelta@16 ; KiGetIntervalDelta(x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_C]
		add	[edi+60h], esi
		mul	esi
		mov	ecx, eax
		mov	eax, [ebp+var_4]
		mul	esi
		add	ecx, edx
		add	eax, ebx
		mov	[edi+18h], eax
		adc	ecx, [ebp+var_8]
		mov	eax, [edi+64h]
		mov	[edi+1Ch], ecx
		test	eax, eax
		jz	short loc_43F97A
		lock xadd [eax], esi
		jmp	short loc_43F97A
_KiRecomputeGroupSchedulingRank@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnDeactivateTrace proc near		; CODE XREF: PfSnEndTrace+2Cp

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005ABE6D SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ebx, ecx
		call	edi
		mov	esi, offset dword_6D4958
		mov	[ebp+var_1], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		jnz	loc_5ABE6D
		xor	eax, eax
		lock and [esi],	eax

loc_43FA04:				; CODE XREF: PfSnDeactivateTrace+16C4A7j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebx+100h]
		call	PfSnRemoveProcessTrace
		lea	esi, [ebx+104h]
		mov	ecx, esi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, ebx
		call	PfSnCancelTraceTimer
		mov	ecx, esi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		call	edi
		mov	edi, offset dword_6D4958
		mov	[ebp+var_1], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [ebx+4]
		mov	esi, [ecx]
		mov	edx, [ecx+4]
		cmp	[esi+4], ecx
		jnz	short loc_43FA82
		cmp	[edx], ecx
		jnz	short loc_43FA82
		dec	_PfSnNumActiveTraces
		mov	[edx], esi
		mov	[esi+4], edx
		test	ds:byte_70EFC6,	1
		jnz	loc_5ABE7C
		xor	eax, eax
		lock and [edi],	eax

loc_43FA72:				; CODE XREF: PfSnDeactivateTrace+16C4B6j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
; 

loc_43FA82:				; CODE XREF: PfSnDeactivateTrace+7Fj
					; PfSnDeactivateTrace+83j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PfSnDeactivateTrace endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnCancelTraceTimer proc near		; CODE XREF: PfSnDeactivateTrace+57p

; FUNCTION CHUNK AT 005ABE8B SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	bl, bl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [esi+0B8h]
		mov	bh, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		or	dword ptr [esi+0BCh], 2
		lea	ecx, [esi+68h]
		push	ecx
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jz	short loc_43FABF
		inc	bl

loc_43FABF:				; CODE XREF: PfSnCancelTraceTimer+33j
		test	ds:byte_70EFC6,	1
		jnz	loc_5ABE8B
		xor	eax, eax
		lock and [edi],	eax

loc_43FAD1:				; CODE XREF: PfSnCancelTraceTimer+16C40Dj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jz	short loc_43FAE8
		lea	ecx, [esi+104h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_43FAE8:				; CODE XREF: PfSnCancelTraceTimer+53j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn
PfSnCancelTraceTimer endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnRemoveProcessTrace proc near	; CODE XREF: PfSnDeactivateTrace+43p

; FUNCTION CHUNK AT 005ABE9A SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ecx+1E8h]
		xchg	esi, [eax]
		mov	edi, esi
		and	edi, 0FFFFFFF8h
		and	esi, 7
		jbe	short loc_43FB32
		lea	ebx, [edi+104h]
		mov	edx, [ebx]
		test	dl, 1
		jnz	loc_5ABEA7
		lea	eax, [esi+esi]

loc_43FB20:				; CODE XREF: PfSnRemoveProcessTrace+16C3B1j
		mov	ecx, edx
		sub	ecx, eax
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	loc_5ABE9A

loc_43FB32:				; CODE XREF: PfSnRemoveProcessTrace+1Aj
					; PfSnRemoveProcessTrace+16C3C4j ...
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset dword_6D4958
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		jnz	loc_5ABEDA
		xor	eax, eax
		lock and [esi],	eax

loc_43FB58:				; CODE XREF: PfSnRemoveProcessTrace+16C3F4j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
PfSnRemoveProcessTrace endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PfpIsProcessInfoPresent(x)
_PfpIsProcessInfoPresent@4 proc	near	; CODE XREF: PfpCopyEvent+162p
		cmp	dword ptr [ecx+0E4h], 0
		jz	short loc_43FB83
		mov	eax, [ecx+100h]
		or	eax, [ecx+104h]
		jz	short loc_43FB83
		xor	eax, eax
		inc	eax
		retn
; 

loc_43FB83:				; CODE XREF: PfpIsProcessInfoPresent(x)+7j
					; PfpIsProcessInfoPresent(x)+15j
		xor	eax, eax
		retn
_PfpIsProcessInfoPresent@4 endp


;  S U B	R O U T	I N E 


; __stdcall MmFreeAccessPfnBuffer(x, x)
_MmFreeAccessPfnBuffer@8 proc near	; CODE XREF: MiQueuePageAccessLog(x)+9Dp
					; MiEmptyPageAccessLog+440p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+4], 0
		jnz	short loc_43FBA2
		mov	ecx, [esi+2Ch]
		cmp	ecx, 1
		jbe	short loc_43FBA2
		test	dl, dl
		jnz	short loc_43FBAC
		call	ObfDereferenceObject

loc_43FBA2:				; CODE XREF: MmFreeAccessPfnBuffer(x,x)+9j
					; MmFreeAccessPfnBuffer(x,x)+11j ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
; 

loc_43FBAC:				; CODE XREF: MmFreeAccessPfnBuffer(x,x)+15j
		push	746C6644h
		push	ecx
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	short loc_43FBA2
_MmFreeAccessPfnBuffer@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


PfFbBufferListFlushStandby proc	near	; CODE XREF: PfSnEndTrace+B6p
					; PfpFlushEventBuffers+15p ...

; FUNCTION CHUNK AT 005ABEE9 SIZE 00000019 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_43FBFF
		push	edi
		lea	ecx, [esi+10h]
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_43FBE0

loc_43FBD7:				; CODE XREF: PfFbBufferListFlushStandby+43j
		pop	edi
		mov	ecx, esi
		pop	esi
		jmp	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
; 

loc_43FBE0:				; CODE XREF: PfFbBufferListFlushStandby+1Bj
		push	ebx

loc_43FBE1:				; CODE XREF: PfFbBufferListFlushStandby+40j
		mov	ebx, edi
		mov	ecx, esi
		mov	edi, [edi]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_5ABEE9
		push	ebx
		call	dword ptr [esi+3Ch]

loc_43FBF8:				; CODE XREF: PfFbBufferListFlushStandby+16C343j
		test	edi, edi
		jnz	short loc_43FBE1
		pop	ebx
		jmp	short loc_43FBD7
; 

loc_43FBFF:				; CODE XREF: PfFbBufferListFlushStandby+Cj
		pop	esi
		retn
PfFbBufferListFlushStandby endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfFbBufferListInsertInFree proc	near	; CODE XREF: PfFbBufferListAllocate+76p
					; PfFbBufferListFlushStandby+16C33Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005ABF02 SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		test	al, 1
		jnz	loc_5ABF02

loc_43FC19:				; CODE XREF: PfFbBufferListInsertInFree+16C333j
		mov	edx, [ebp+arg_0]
		add	edx, esi
		mov	[esi+4], ebx
		mov	[esi+0Ch], edx
		mov	ecx, [ebx+2Ch]
		and	dword ptr [esi+10h], 0
		add	ecx, esi
		sub	edx, ecx
		mov	[esi+8], ecx
		push	edx		; size_t
		push	0		; int
		push	ecx		; void *
		mov	[esi+14h], eax
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebx+8]
		mov	edx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_43FC4B:				; CODE XREF: PfFbBufferListInsertInFree+16C32Cj
		cmp	[ebp+arg_8], 0
		jz	short loc_43FC58
		mov	ecx, ebx
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_43FC58:				; CODE XREF: PfFbBufferListInsertInFree+4Dj
		pop	esi
		pop	ebx
		leave
		retn	0Ch
PfFbBufferListInsertInFree endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpEventHandleFullBuffer(x)
_PfpEventHandleFullBuffer@4 proc near	; DATA XREF: PfTInitialize+1C3o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	PfTFullEventListAdd
		cmp	dword_6FB610, 0
		jnz	short loc_43FC8E
		mov	ecx, ds:_KeNumberProcessors
		movzx	eax, word_6D43D4
		add	ecx, 2
		and	ecx, 7FFFFFFFh
		cmp	eax, ecx
		jnb	short loc_43FC92

loc_43FC8E:				; CODE XREF: PfpEventHandleFullBuffer(x)+14j
					; PfpEventHandleFullBuffer(x)+42j
		pop	ebp
		retn	4
; 

loc_43FC92:				; CODE XREF: PfpEventHandleFullBuffer(x)+2Ej
		push	0
		push	0
		push	offset unk_6FB60C
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_43FC8E
_PfpEventHandleFullBuffer@4 endp


;  S U B	R O U T	I N E 


PfTFullEventListAdd proc near		; CODE XREF: PfpEventHandleFullBuffer(x)+8p
					; PfpFlushEventBuffers+16DA08p	...

; FUNCTION CHUNK AT 005ABF3A SIZE 0000002B BYTES

		mov	edi, edi
		push	esi
		mov	edx, ecx
		mov	esi, offset unk_6D43D0
		mov	ecx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_43FCB3:				; CODE XREF: PfTFullEventListAdd+16C2BEj
		movzx	eax, word_6D43D4
		cmp	eax, dword_6D43D8
		ja	loc_5ABF3A

loc_43FCC6:				; CODE XREF: PfTFullEventListAdd+16C2A1j
		pop	esi
		retn
PfTFullEventListAdd endp


;  S U B	R O U T	I N E 


; __stdcall PfpFillProcessInfo(x, x)
_PfpFillProcessInfo@8 proc near		; CODE XREF: PfpCopyEvent+170p
					; PfpLogPageAccess+4D8p
		mov	edi, edi
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, [ecx]
		and	edi, 0FFFFFFF9h
		or	edi, 1
		mov	[ecx], edi
		and	edi, 7
		mov	esi, [ebx+100h]
		mov	eax, esi
		mov	edx, [ebx+104h]
		and	eax, 0E0000007h
		xor	edx, [ebx+0E4h]
		shl	edx, 3
		xor	edx, eax
		mov	eax, esi
		shl	eax, 3
		and	edx, 0FFFFFFF8h
		xor	edx, eax
		or	edx, edi
		mov	[ecx], edx
		mov	eax, [ebx+1DCh]
		pop	edi
		mov	[ecx+0Ch], eax
		mov	eax, [ebx+0E4h]
		pop	esi
		mov	[ecx+4], ebx
		mov	[ecx+8], eax
		pop	ebx
		retn
_PfpFillProcessInfo@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiResortScbQueue proc near		; CODE XREF: KiRecomputeGroupSchedulingRank(x,x,x)+7Ep
					; KiInsertNonMaxOverQuotaScb(x,x,x)+34p ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005ABF65 SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_4], esi
		lea	edx, [edi+50h]
		jnz	short loc_43FD71
		mov	ecx, [edx]
		xor	ebx, ebx
		test	ecx, ecx
		jnz	short loc_43FD57
		mov	ecx, [edx+8]

loc_43FD46:				; CODE XREF: KiResortScbQueue+33j
		and	ecx, 0FFFFFFFCh
		jz	short loc_43FD66
		cmp	[ecx+4], edx
		jz	short loc_43FD66
		mov	edx, ecx
		mov	ecx, [ecx+8]
		jmp	short loc_43FD46
; 

loc_43FD57:				; CODE XREF: KiResortScbQueue+1Fj
		cmp	[ecx+4], ebx
		jz	short loc_43FD66

loc_43FD5C:				; CODE XREF: KiResortScbQueue+42j
		mov	eax, [ecx+4]
		mov	ecx, eax
		cmp	[eax+4], ebx
		jnz	short loc_43FD5C

loc_43FD66:				; CODE XREF: KiResortScbQueue+27j
					; KiResortScbQueue+2Cj	...
		test	ecx, ecx
		jnz	short loc_43FDE9

loc_43FD6A:				; CODE XREF: KiResortScbQueue+7Bj
					; KiResortScbQueue+ADj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_43FD71:				; CODE XREF: KiResortScbQueue+17j
		mov	esi, [edx+4]
		test	esi, esi
		jnz	short loc_43FD8B
		mov	esi, [edx+8]

loc_43FD7B:				; CODE XREF: KiResortScbQueue+67j
		and	esi, 0FFFFFFFCh
		jz	short loc_43FD9B
		cmp	[esi], edx
		jz	short loc_43FD9B
		mov	edx, esi
		mov	esi, [esi+8]
		jmp	short loc_43FD7B
; 

loc_43FD8B:				; CODE XREF: KiResortScbQueue+54j
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_43FD9B

loc_43FD91:				; CODE XREF: KiResortScbQueue+77j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_43FD91

loc_43FD9B:				; CODE XREF: KiResortScbQueue+5Cj
					; KiResortScbQueue+60j	...
		test	esi, esi
		jz	short loc_43FD6A
		mov	ecx, [edi+60h]
		xor	ebx, ebx
		mov	eax, ecx
		sub	eax, [esi+10h]
		jnz	short loc_43FDCD
		movzx	eax, word ptr [edi+5Eh]
		test	ax, ax
		jz	loc_5ABF65
		movzx	ecx, word ptr [esi+0Eh]
		bsr	edx, eax
		mov	eax, ebx
		test	cx, cx
		jz	short loc_43FDCB
		mov	eax, ecx
		bsr	eax, eax

loc_43FDCB:				; CODE XREF: KiResortScbQueue+A2j
		sub	eax, edx

loc_43FDCD:				; CODE XREF: KiResortScbQueue+87j
					; KiResortScbQueue+16C26Cj
		test	eax, eax
		jle	short loc_43FD6A

loc_43FDD1:				; CODE XREF: KiResortScbQueue+16C253j
					; KiResortScbQueue+16C264j
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	ebx
		call	KiRemoveSchedulingGroupQueue
		mov	ecx, [ebp+var_4]

loc_43FDDF:				; CODE XREF: KiResortScbQueue+107j
		push	ebx
		mov	edx, edi
		call	KiInsertSchedulingGroupQueue
		jmp	short loc_43FD6A
; 

loc_43FDE9:				; CODE XREF: KiResortScbQueue+46j
		mov	edx, [edi+60h]
		mov	eax, edx
		sub	eax, [ecx+10h]
		jnz	short loc_43FE15
		movzx	eax, word ptr [edi+5Eh]
		test	ax, ax
		jz	loc_5ABF93
		movzx	ecx, word ptr [ecx+0Eh]
		bsr	edx, eax
		mov	eax, ebx
		test	cx, cx
		jz	short loc_43FE13
		mov	eax, ecx
		bsr	eax, eax

loc_43FE13:				; CODE XREF: KiResortScbQueue+EAj
		sub	eax, edx

loc_43FE15:				; CODE XREF: KiResortScbQueue+CFj
					; KiResortScbQueue+16C29Aj
		test	eax, eax
		jns	loc_43FD6A

loc_43FE1D:				; CODE XREF: KiResortScbQueue+16C27Bj
					; KiResortScbQueue+16C28Cj
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	KiRemoveSchedulingGroupQueue
		mov	ecx, esi
		jmp	short loc_43FDDF
KiResortScbQueue endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAbThreadUnboostCpuPriority proc near	; CODE XREF: PspStorageEmptyArrayNonReadonly+2FFp
					; PspStorageEmptyArrayNonReadonly+379p	...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005A7E89 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_18], esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		bsf	ebx, edi
		mov	[ebp+var_1], al
		mov	[ebp+var_8], ebx
		jz	loc_43FEFF
		lea	ecx, [esi+2Ch]
		mov	[ebp+var_10], ecx

loc_43FE5D:				; CODE XREF: KiAbThreadUnboostCpuPriority+CDj
		mov	esi, [ebp+var_10]
		inc	bl
		and	[ebp+var_14], 0

loc_43FE66:				; CODE XREF: KiAbThreadUnboostCpuPriority+4Fj
		lock bts dword ptr [esi], 0
		jnb	short loc_43FE7D

loc_43FE6D:				; CODE XREF: KiAbThreadUnboostCpuPriority+4Dj
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_43FE6D
		jmp	short loc_43FE66
; 

loc_43FE7D:				; CODE XREF: KiAbThreadUnboostCpuPriority+3Fj
		mov	esi, [ebp+var_18]
		movsx	ecx, bl
		mov	al, [ecx+esi+1F4h]
		test	al, al
		jz	loc_5A7E89
		sub	al, 1
		mov	[ecx+esi+1F4h],	al
		jnz	short loc_43FEE7
		mov	edx, [esi+214h]
		xor	eax, eax
		inc	eax
		btc	edx, ecx
		shl	eax, cl
		mov	[esi+214h], edx
		cmp	edx, eax
		jnb	short loc_43FEE7
		mov	dl, [esi+87h]
		cmp	dl, 10h
		jge	short loc_43FEE7
		mov	al, [esi+15Ch]
		mov	cl, al
		and	al, 0Fh
		shr	cl, 4
		add	cl, al
		add	cl, [esi+15Bh]
		cmp	cl, dl
		jge	short loc_43FEE7
		movsx	eax, cl
		lea	edx, [ebp+var_C]
		push	eax
		mov	ecx, esi
		call	KiSetPriorityThread

loc_43FEE7:				; CODE XREF: KiAbThreadUnboostCpuPriority+6Fj
					; KiAbThreadUnboostCpuPriority+87j ...
		lea	eax, [edi-1]
		mov	dword ptr [esi+2Ch], 0
		and	edi, eax
		bsf	ebx, edi
		mov	[ebp+var_8], ebx
		jnz	loc_43FE5D

loc_43FEFF:				; CODE XREF: KiAbThreadUnboostCpuPriority+25j
		mov	esi, large fs:20h
		lea	edx, [ebp+var_C]
		mov	ecx, esi
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, esi
		call	KiCheckForThreadDispatch
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
KiAbThreadUnboostCpuPriority endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1278. KeRevertToUserGroupAffinityThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeRevertToUserGroupAffinityThread
KeRevertToUserGroupAffinityThread proc near
					; CODE XREF: KeGenericProcessorCallback(x,x,x,x)+106p
					; MiSetIdealProcessorThread(x,x,x)+6Dp	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005ABFC1 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		push	esi
		mov	esi, large fs:124h
		test	byte ptr [esi+58h], 8
		jz	loc_43FFF1
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	_KiVerifyReservedFieldGroupAffinity@4 ;	KiVerifyReservedFieldGroupAffinity(x)
		test	eax, eax
		jz	loc_43FFF0
		cmp	dword ptr [edi], 0
		jnz	loc_43FFF6

loc_43FF5E:				; CODE XREF: KeRevertToUserGroupAffinityThread+EDj
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, large fs:20h
		lea	ebx, [esi+2Ch]
		and	[ebp+var_8], 0
		mov	byte ptr [ebp+var_10], al
		mov	[ebp+arg_0], ecx

loc_43FF79:				; CODE XREF: KeRevertToUserGroupAffinityThread+16C0ABj
		lock bts dword ptr [ebx], 0
		jb	loc_5ABFC1
		cmp	dword ptr [edi], 0
		mov	eax, [esi+16Ch]
		mov	[ebp+var_C], eax
		jnz	loc_440019
		mov	eax, [esi+88h]
		lea	edi, [esi+154h]
		and	dword ptr [esi+58h], 0FFFFFFF7h

loc_43FFA6:				; CODE XREF: KeRevertToUserGroupAffinityThread+F8j
		lea	ecx, [ebp+var_4]
		mov	edx, edi
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	eax
		call	_KiSetSystemAffinityThread@16 ;	KiSetSystemAffinityThread(x,x,x,x)
		mov	eax, [esi+16Ch]
		mov	dword ptr [ebx], 0
		test	ds:dword_70EFD0, 8000000h
		pop	ebx
		jnz	loc_5ABFD4

loc_43FFD2:				; CODE XREF: KeRevertToUserGroupAffinityThread+16C0C0j
		test	dword ptr ds:byte_70EFC4, 1000h
		jnz	loc_5ABFE9

loc_43FFE2:				; CODE XREF: KeRevertToUserGroupAffinityThread+16C0CEj
		push	[ebp+var_10]
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_4]
		call	@KiProcessDeferredReadyList@12 ; KiProcessDeferredReadyList(x,x,x)

loc_43FFF0:				; CODE XREF: KeRevertToUserGroupAffinityThread+2Bj
					; KeRevertToUserGroupAffinityThread+E2j ...
		pop	edi

loc_43FFF1:				; CODE XREF: KeRevertToUserGroupAffinityThread+18j
		pop	esi
		leave
		retn	4
; 

loc_43FFF6:				; CODE XREF: KeRevertToUserGroupAffinityThread+34j
		mov	ax, word ptr ds:_KeActiveProcessors
		movzx	ecx, word ptr [edi+4]

loc_440000:				; DATA XREF: .text:00421889o
					; .text:off_5A50B0o ...
		movzx	eax, ax
		cmp	cx, ax
		jnb	short loc_43FFF0
		mov	eax, ds:dword_70E328[ecx*4]
		and	[edi], eax
		jnz	loc_43FF5E
		jmp	short loc_43FFF0
; 

loc_440019:				; CODE XREF: KeRevertToUserGroupAffinityThread+6Cj
		push	20h
		pop	eax
		jmp	short loc_43FFA6
KeRevertToUserGroupAffinityThread endp


;  S U B	R O U T	I N E 


; __stdcall PfTFreeTraceDump(x)
_PfTFreeTraceDump@4 proc near		; CODE XREF: PfGetCompletedTrace+168p
					; PAGE:008D8A5Dp ...
		cmp	dword ptr [ecx+14h], 1
		jz	_PfpRepurposeNameLoggingTrace@4	; PfpRepurposeNameLoggingTrace(x)
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
_PfTFreeTraceDump@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSchedulerApc	proc near		; DATA XREF: PAGELK:0071A606o

var_76		= byte ptr -76h
var_75		= byte ptr -75h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005ABFF7 SIZE 0000010F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie

loc_440042:				; DATA XREF: .text:00401198o
					; .text:004011A8o
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esp+84h+var_58]
		push	edi
		push	50h		; size_t

loc_440054:				; DATA XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x):loc_9E42BBo
		push	0		; int
		push	eax		; void *
		call	_memset

loc_44005C:				; DATA XREF: .text:??_C@_1CA@KMFLJPPI@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAU?$AAn?$AAk?$AAn?$AAo?$AAw?$AAn@FNODOBFM@o
		and	[esp+94h+var_6C], 0
		lea	ebx, [esi+5Ch]
		mov	ecx, [ebx]
		add	esp, 0Ch
		and	ecx, 8000h
		test	dword ptr [ebx], 400h
		mov	[esp+88h+var_70], ecx
		jnz	loc_44014B

loc_44007F:				; CODE XREF: KiSchedulerApc+11Bj
					; KiSchedulerApc+1B5j
		cmp	dword ptr [esi+1C8h], 0
		jz	loc_4401EC

loc_44008C:				; CODE XREF: KiSchedulerApc+1BCj
					; KiSchedulerApc+212j ...
		and	dword ptr [esi+58h], 0FFFBFFFFh
		cmp	[esp+88h+var_70], 0
		jnz	short loc_4400B1

loc_44009A:				; CODE XREF: KiSchedulerApc+114j
		mov	ecx, [esp+88h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4400B1:				; CODE XREF: KiSchedulerApc+66j
		lea	edx, [esp+88h+var_6C]
		mov	ecx, esi
		call	KiIsProcessTerminationRequested
		test	al, al
		jnz	loc_5AC0C5

loc_4400C4:				; CODE XREF: KiSchedulerApc+16C0BAj
		lea	edi, [esi+190h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [esp+88h+var_74], al
		lea	ebx, [esi+2Ch]
		mov	eax, large fs:20h
		and	[esp+88h+var_5C], 0
		mov	[esp+88h+var_70], eax

loc_4400E6:				; CODE XREF: KiSchedulerApc+2F8j
		lock bts dword ptr [ebx], 0
		jb	loc_44031B
		test	dword ptr [esi+58h], 4000h
		jz	loc_5AC0FD
		cmp	byte ptr [edi+2Eh], 0
		mov	dword ptr [edi+14h], offset KiSchedulerApcTerminate
		mov	byte ptr [edi+2Dh], 1
		jnz	loc_5AC0F1

loc_440113:				; CODE XREF: KiSchedulerApc+16C0C6j
		mov	ecx, edi
		mov	byte ptr [edi+2Eh], 1
		call	KiInsertQueueApc
		push	[esp+88h+var_74]
		mov	esi, [esp+8Ch+var_70]
		mov	edx, edi
		mov	ecx, esi
		call	_KiSignalThreadForApc@12 ; KiSignalThreadForApc(x,x,x)

loc_44012F:				; CODE XREF: KiSchedulerApc+16C0CFj
		push	[esp+88h+var_74]
		xor	edx, edx
		mov	dword ptr [ebx], 0
		push	0
		push	1
		mov	ecx, esi
		call	KiExitDispatcher
		jmp	loc_44009A
; 

loc_44014B:				; CODE XREF: KiSchedulerApc+47j
		test	ecx, ecx
		jnz	loc_44007F
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esp+88h+var_75], al
		lock btr dword ptr [ebx], 0Ah
		xor	edx, edx
		mov	ecx, esi
		call	KiAbProcessContextSwitch
		mov	ebx, large fs:20h
		and	[esp+88h+var_68], 0
		lea	edi, [ebx+2224h]
		mov	[esp+88h+var_74], edi

loc_440181:				; CODE XREF: KiSchedulerApc+2B7j
		lock bts dword ptr [edi], 0
		jb	loc_4402DA
		mov	edi, [ebx+8]
		test	edi, edi
		jnz	loc_44024F
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	KiSelectReadyThreadEx
		mov	edi, eax
		test	edi, edi
		jnz	loc_44024F
		test	dword ptr [esi+5Ch], 200h
		jnz	short loc_4401D0
		mov	ecx, [esi+50h]
		test	ecx, ecx
		jz	short loc_4401D0
		add	ecx, [ebx+3B34h]
		jz	short loc_4401D0
		call	_KiCheckForMaxOverQuotaScb@4 ; KiCheckForMaxOverQuotaScb(x)
		test	al, al
		jnz	loc_5ABFF7

loc_4401D0:				; CODE XREF: KiSchedulerApc+180j
					; KiSchedulerApc+187j ...
		mov	eax, [esp+88h+var_74]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_4401D9:				; CODE XREF: KiSchedulerApc+28Cj
					; KiSchedulerApc+16BFF5j
		mov	cl, [esp+88h+var_75]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esp+88h+var_70]
		jmp	loc_44007F
; 

loc_4401EC:				; CODE XREF: KiSchedulerApc+54j
		test	ecx, ecx
		jnz	loc_44008C
		mov	eax, [esi+58h]
		shr	eax, 12h
		and	al, 1
		mov	byte ptr [esp+88h+var_74], al
		jnz	short loc_44020D
		mov	eax, [esi+6Ch]
		test	eax, eax
		jnz	loc_4402EE

loc_44020D:				; CODE XREF: KiSchedulerApc+1CEj
					; KiSchedulerApc+2D7j
		mov	bl, [esi+86h]
		shr	bl, 1
		and	bl, 1
		jnz	loc_5AC02C

loc_44021E:				; CODE XREF: KiSchedulerApc+16C034j
		or	dword ptr [esi+58h], 80000h
		lea	eax, [esi+1C4h]
		push	0
		push	0
		push	[esp+90h+var_74]
		push	5
		push	eax
		call	KeWaitForSingleObject
		and	dword ptr [esi+58h], 0FFF7FFFFh
		test	bl, bl
		jz	loc_44008C
		jmp	loc_5AC07C
; 

loc_44024F:				; CODE XREF: KiSchedulerApc+15Fj
					; KiSchedulerApc+173j ...
		and	dword ptr [ebx+8], 0
		cli
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	KiEndThreadCycleAccumulation
		sti
		test	byte ptr [edi+2], 4
		jnz	short loc_4402C9

loc_440266:				; CODE XREF: KiSchedulerApc+2A6j
		mov	cl, [edi+87h]

loc_44026C:				; CODE XREF: KiSchedulerApc+2A4j
		mov	eax, [ebx+33Ch]
		mov	[eax], cl
		mov	[ebx+4], edi
		mov	al, [edi+90h]
		cmp	al, 1
		jnz	short loc_440292
		mov	eax, ds:_KeTickCount
		sub	eax, [edi+138h]
		add	[edi+170h], eax

loc_440292:				; CODE XREF: KiSchedulerApc+24Dj
		mov	byte ptr [edi+90h], 2
		mov	edx, esi
		mov	ecx, ebx
		mov	byte ptr [esi+18Bh], 26h
		mov	byte ptr [esi+92h], 0
		call	KiQueueReadyThread
		xor	ebx, ebx
		mov	edx, edi
		push	ebx
		mov	ecx, esi
		call	@KiSwapContext@12 ; KiSwapContext(x,x,x)
		test	al, al
		jz	loc_4401D9
		jmp	loc_5AC013
; 

loc_4402C9:				; CODE XREF: KiSchedulerApc+232j
		mov	edx, ebx
		mov	ecx, edi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_44026C
		jmp	short loc_440266
; 

loc_4402DA:				; CODE XREF: KiSchedulerApc+154j
					; KiSchedulerApc+2B5j
		lea	ecx, [esp+88h+var_68]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_4402DA
		jmp	loc_440181
; 

loc_4402EE:				; CODE XREF: KiSchedulerApc+1D5j
		dec	word ptr [esi+13Eh]
		nop
		test	byte ptr [eax+6Ch], 1
		jz	short loc_44030E

loc_4402FC:				; CODE XREF: KiSchedulerApc+2E3j
		mov	al, 1

loc_4402FE:				; CODE XREF: KiSchedulerApc+2E7j
		mov	ecx, esi
		mov	byte ptr [esp+88h+var_74], al
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_44020D
; 

loc_44030E:				; CODE XREF: KiSchedulerApc+2C8j
		test	dword ptr [eax+70h], 20000h
		jnz	short loc_4402FC
		xor	al, al
		jmp	short loc_4402FE
; 

loc_44031B:				; CODE XREF: KiSchedulerApc+B9j
					; KiSchedulerApc+2F6j
		lea	ecx, [esp+88h+var_5C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_44031B
		jmp	loc_4400E6
KiSchedulerApc	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIsProcessTerminationRequested	proc near ; CODE XREF: KiSchedulerApc+85p
					; KiSchedulerApcTerminate+1Ap

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AC106 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx+5Ch]
		mov	[ebp+var_10], 0C000012Dh
		mov	[ebp+var_C], 0C0000724h
		mov	[ebp+var_8], 0C0000725h
		and	eax, 0C0000h
		jnz	loc_5AC106
		xor	al, al

loc_440367:				; CODE XREF: KiIsProcessTerminationRequested+16BDE1j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
KiIsProcessTerminationRequested	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiFindReadyThread proc near		; CODE XREF: KiSearchForNewThreadOnProcessor+123p
					; KiSearchForNewThreadOnProcessor+300p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AC116 SIZE 00000059 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	[ebp+var_20], edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		test	edx, edx
		jz	loc_4404AE
		add	edx, 3BE0h

loc_4403A9:				; CODE XREF: KiFindReadyThread+131j
		mov	eax, [ecx+3C8h]
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_C], edx
		mov	[ebp+var_10], 40h
		mov	[ebp+var_18], eax
		nop

loc_4403C0:				; CODE XREF: KiFindReadyThread+165j
		mov	edi, [ebp+var_C]
		bsr	eax, esi
		mov	edx, [edi+eax*8]
		mov	[ebp+var_8], eax
		btc	esi, eax
		lea	eax, [edi+eax*8]
		mov	[ebp+var_14], edx
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_1C], eax
		jmp	short loc_4403E0
; 
		align 10h

loc_4403E0:				; CODE XREF: KiFindReadyThread+5Bj
					; KiFindReadyThread+172j
		mov	eax, [edx+0C8h]
		lea	ebx, [edx-9Ch]
		mov	[ebp+arg_4], eax
		movzx	eax, byte ptr [ebx+61h]
		cmp	eax, 5
		jnb	loc_5AC116

loc_4403FC:				; CODE XREF: KiFindReadyThread+16BDA4j
		test	eax, eax
		jnz	loc_5AC129
		mov	eax, [ebp+arg_4]

loc_440407:				; CODE XREF: KiFindReadyThread+16BDC5j
		test	[ebp+var_18], eax
		jnz	short loc_440434

loc_44040C:				; CODE XREF: KiFindReadyThread+15Ej
		mov	ebx, [ebp+var_10]
		mov	edx, [edx]
		dec	ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], edx
		cmp	edx, [ebp+var_1C]
		jnz	loc_4404F0

loc_440421:				; CODE XREF: KiFindReadyThread+178j
		test	esi, esi
		jnz	loc_4404E3

loc_440429:				; CODE XREF: KiFindReadyThread+16Bj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_440434:				; CODE XREF: KiFindReadyThread+8Aj
		mov	eax, [ebx+50h]
		test	eax, eax
		jnz	loc_4404C0

loc_44043F:				; CODE XREF: KiFindReadyThread+146j
					; KiFindReadyThread+155j
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jnz	short loc_4404B6
		mov	ecx, [ebx+9Ch]
		lea	edx, [ebx+9Ch]
		mov	eax, [edx+4]
		cmp	[ecx+4], edx
		jnz	loc_5AC14A
		cmp	[eax], edx
		jnz	loc_5AC14A
		mov	[eax], ecx
		mov	[ecx+4], eax
		cmp	eax, ecx
		jnz	short loc_44047B
		mov	ecx, [edi+4]
		mov	eax, [ebp+var_8]
		btc	ecx, eax
		mov	[edi+4], ecx

loc_44047B:				; CODE XREF: KiFindReadyThread+EDj
		dec	dword ptr [edi+134h]
		mov	ecx, [ebx+39Ch]
		sub	[edi+138h], ecx
		sbb	dword ptr [edi+13Ch], 0

loc_440494:				; CODE XREF: KiFindReadyThread+13Ej
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		mov	ecx, [ecx+3CCh]
		mov	[ebx+148h], ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4404AE:				; CODE XREF: KiFindReadyThread+1Dj
		lea	edx, [edi+8]
		jmp	loc_4403A9
; 

loc_4404B6:				; CODE XREF: KiFindReadyThread+C4j
		push	[ebp+var_8]
		call	_KiRemoveThreadFromReadyQueue@12 ; KiRemoveThreadFromReadyQueue(x,x,x)
		jmp	short loc_440494
; 

loc_4404C0:				; CODE XREF: KiFindReadyThread+B9j
		add	eax, [ecx+3B34h]
		jz	loc_44043F
		mov	ecx, eax
		call	_KiCheckForMaxOverQuotaScb@4 ; KiCheckForMaxOverQuotaScb(x)
		test	al, al
		jz	loc_44043F
		mov	ecx, [ebp+var_4]
		jmp	loc_44040C
; 

loc_4404E3:				; CODE XREF: KiFindReadyThread+A3j
		test	ebx, ebx
		jnz	loc_4403C0
		jmp	loc_440429
; 

loc_4404F0:				; CODE XREF: KiFindReadyThread+9Bj
		test	ebx, ebx
		jnz	loc_4403E0
		jmp	loc_440421
KiFindReadyThread endp

; 
		align 2

; __stdcall KiRemoveThreadFromReadyQueue(x, x, x)
_KiRemoveThreadFromReadyQueue@12:	; CODE XREF: KiFindReadyThread+139p
					; KiRemoveThreadFromAnyReadyQueue(x,x,x,x)+30p	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [edx+4]
		push	esi
		mov	esi, ecx
		mov	ecx, [edx]
		cmp	[ecx+4], edx
		jnz	short loc_44054D
		cmp	[eax], edx
		jnz	short loc_44054D
		mov	[eax], ecx
		mov	[ecx+4], eax
		cmp	eax, ecx
		jnz	short loc_44052F
		mov	ecx, [esi+3B20h]
		mov	eax, [ebp+8]
		btc	ecx, eax
		mov	[esi+3B20h], ecx

loc_44052F:				; CODE XREF: .text:0044051Bj
		dec	dword ptr [esi+3B38h]
		mov	eax, [edx+300h]
		sub	[esi+3B88h], eax
		sbb	dword ptr [esi+3B8Ch], 0
		pop	esi
		pop	ebp
		retn	4
; 

loc_44054D:				; CODE XREF: .text:0044050Ej
					; .text:00440512j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAddThreadToReadyQueue(x, x, x, x,	x)
_KiAddThreadToReadyQueue@20 proc near	; CODE XREF: KiDeferredReadySingleThread+704p
					; KiSelectNextThread+16ABB6p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte ptr [ebp+arg_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		jnz	short loc_440580
		mov	eax, ds:_KeTickCount
		mov	[esi+138h], eax

loc_440580:				; CODE XREF: KiAddThreadToReadyQueue(x,x,x,x,x)+13j
		test	edi, edi
		jnz	short loc_44058B
		mov	edi, [esi+50h]
		test	edi, edi
		jnz	short loc_4405F3

loc_44058B:				; CODE XREF: KiAddThreadToReadyQueue(x,x,x,x,x)+22j
					; KiAddThreadToReadyQueue(x,x,x,x,x)+99j
		mov	eax, [ebx+4DCh]
		test	eax, eax
		jnz	short loc_4405FB

loc_440595:				; CODE XREF: KiAddThreadToReadyQueue(x,x,x,x,x)+9Fj
		mov	byte ptr [esi+90h], 1
		mov	byte ptr [ebp+arg_4], 0
		test	edi, edi
		jnz	short loc_4405C2

loc_4405A4:				; CODE XREF: KiAddThreadToReadyQueue(x,x,x,x,x)+69j
					; KiAddThreadToReadyQueue(x,x,x,x,x)+7Dj
		push	[ebp+arg_4]
		movsx	eax, byte ptr [esi+87h]
		mov	edx, esi
		push	[ebp+arg_8]
		mov	ecx, ebx
		push	eax
		call	_KiAddThreadToPrcbQueue@20 ; KiAddThreadToPrcbQueue(x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_4405C2:				; CODE XREF: KiAddThreadToReadyQueue(x,x,x,x,x)+42j
		test	dword ptr [esi+5Ch], 0C00h
		jnz	short loc_4405A4
		lea	eax, [ebp+arg_4]
		mov	edx, edi
		push	eax
		push	0
		push	ecx
		mov	ecx, esi
		call	_KiGetThreadEffectiveRankNonZero@20 ; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)
		test	eax, eax
		jz	short loc_4405A4
		push	[ebp+arg_8]
		mov	edx, edi
		mov	ecx, ebx
		push	esi
		call	KiAddThreadToScbQueue
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_4405F3:				; CODE XREF: KiAddThreadToReadyQueue(x,x,x,x,x)+29j
		add	edi, [ebx+3B34h]
		jmp	short loc_44058B
; 

loc_4405FB:				; CODE XREF: KiAddThreadToReadyQueue(x,x,x,x,x)+33j
		mov	byte ptr [eax+10h], 0
		jmp	short loc_440595
_KiAddThreadToReadyQueue@20 endp

; 
		align 10h

; __stdcall KiAddThreadToPrcbQueue(x, x, x, x, x)
_KiAddThreadToPrcbQueue@20:		; CODE XREF: KiRemoveThreadFromSchedulingGroup+113p
					; KiAddThreadToReadyQueue(x,x,x,x,x)+56p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp-4], ecx
		mov	edx, [ecx+4020h]
		push	esi
		push	edi
		test	dword ptr [ebx+5Ch], 2000h
		jz	loc_4406E7
		test	edx, edx
		jz	loc_4406E7
		mov	eax, [ebx+164h]
		and	eax, edx
		cmp	byte ptr [ebp+10h], 0
		jnz	loc_4406E7
		cmp	eax, edx
		jnz	loc_4406E7
		mov	edi, [ebp+8]
		mov	esi, [ecx+4024h]
		inc	edi
		mov	dword ptr [ebp+10h], 0
		lea	edi, [esi+edi*8]
		jmp	short loc_440670
; 
		align 10h

loc_440670:				; CODE XREF: .text:00440667j
					; .text:00440772j
		lock bts dword ptr [esi], 0
		jb	loc_440764
		cmp	dword ptr [ebp+0Ch], 0
		lea	eax, [ebx+9Ch]
		jnz	loc_440741
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	loc_440791
		mov	edx, [ebp+8]
		mov	[eax], edi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edi+4], eax

loc_4406A3:				; CODE XREF: .text:0044075Fj
		mov	eax, [esi+4]
		bts	eax, edx
		mov	[esi+4], eax
		mov	eax, [ebx+148h]
		or	eax, 80000000h
		mov	[ebx+148h], eax
		inc	dword ptr [esi+134h]
		mov	eax, [ebx+44h]
		mov	[ebx+39Ch], eax
		add	[esi+138h], eax
		adc	dword ptr [esi+13Ch], 0
		xor	eax, eax
		lock and [esi],	eax

loc_4406DE:				; CODE XREF: .text:0044073Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4406E7:				; CODE XREF: .text:0044062Bj
					; .text:00440633j ...
		cmp	dword ptr [ebp+0Ch], 0
		lea	eax, [ebx+9Ch]
		mov	edx, [ebp+8]
		lea	esi, [edx+77Ch]
		lea	esi, [ecx+esi*8]
		jnz	short loc_440777
		mov	edi, [esi+4]
		cmp	[edi], esi
		jnz	loc_440791
		mov	[eax], esi
		mov	[eax+4], edi
		mov	[edi], eax
		mov	[esi+4], eax

loc_440714:				; CODE XREF: .text:0044078Fj
		mov	eax, [ecx+3B20h]
		inc	dword ptr [ecx+3B38h]
		bts	eax, edx
		mov	[ecx+3B20h], eax
		mov	eax, [ebx+44h]
		mov	[ebx+39Ch], eax
		add	[ecx+3B88h], eax
		adc	dword ptr [ecx+3B8Ch], 0
		jmp	short loc_4406DE
; 

loc_440741:				; CODE XREF: .text:00440685j
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	short loc_440791
		mov	edx, [ebp+8]
		mov	[eax], ecx
		mov	[eax+4], edi
		mov	[ecx+4], eax
		mov	[edi], eax
		mov	eax, [ebp-4]
		btr	[eax+3B24h], edx
		jmp	loc_4406A3
; 

loc_440764:				; CODE XREF: .text:00440675j
					; .text:00440770j
		lea	ecx, [ebp+10h]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_440764
		jmp	loc_440670
; 

loc_440777:				; CODE XREF: .text:004406FDj
		mov	edi, [esi]
		cmp	[edi+4], esi
		jnz	short loc_440791
		mov	[eax], edi
		mov	[eax+4], esi
		mov	[edi+4], eax
		mov	[esi], eax
		bts	[ecx+3B24h], edx
		jmp	short loc_440714
; 

loc_440791:				; CODE XREF: .text:00440690j
					; .text:00440704j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 2 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiQueueReadyThread proc	near		; CODE XREF: KiSchedulerApc+279p
					; KiQuantumEnd+4F6p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 005AC16F SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_24], 0
		push	edi
		mov	edi, ecx
		mov	[ebp+var_20], 0
		mov	[ebp+var_14], edi
		mov	ebx, [esi+34h]
		mov	ecx, [esi+30h]
		movzx	eax, byte ptr [esi+15Dh]
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_10], ecx
		cmp	ebx, [esi+38h]
		jnz	loc_5AC151

loc_4407DF:				; CODE XREF: KiFindReadyThread+16BDEAj
		mov	eax, ds:_KiCpuSetSequence
		cmp	[esi+160h], eax
		jnz	loc_440ACB

loc_4407F0:				; CODE XREF: KiQueueReadyThread+32Fj
		cmp	ebx, [esi+1Ch]
		jb	short loc_440804
		ja	loc_440AD5
		cmp	ecx, [esi+18h]
		jnb	loc_440AD5

loc_440804:				; CODE XREF: KiQueueReadyThread+53j
					; KiQueueReadyThread+3BFj ...
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	KiUpdateGroupSchedulingRank
		movsx	eax, byte ptr [esi+87h]
		xor	edx, edx
		cmp	eax, ds:_KiRebalanceMinPriority
		jl	loc_440A92

loc_440824:				; CODE XREF: KiQueueReadyThread+2FFj
		mov	ecx, [esi+50h]
		test	ecx, ecx
		jnz	loc_4409CD

loc_44082F:				; CODE XREF: KiQueueReadyThread+233j
					; KiQueueReadyThread+240j
		mov	eax, [edi+338h]
		mov	edx, [eax]
		and	edx, [esi+164h]

loc_44083D:				; CODE XREF: KiQueueReadyThread+246j
					; KiQueueReadyThread+2F9j
		test	dword ptr [esi+5Ch], 1000h
		lea	ecx, [esi+5Ch]
		jnz	loc_44096E
		test	edx, edx
		jnz	loc_44096E
		mov	[esi+15Dh], dl
		mov	eax, ds:_KeTickCount
		mov	[esi+138h], eax
		mov	ebx, [esi+50h]
		test	ebx, ebx
		jnz	loc_440A22

loc_440871:				; CODE XREF: KiQueueReadyThread+288j
		mov	eax, [edi+4DCh]
		test	eax, eax
		jnz	loc_5AC1B3

loc_44087F:				; CODE XREF: KiQueueReadyThread+16BA17j
		mov	byte ptr [esi+90h], 1
		mov	byte ptr [ebp+var_1], 0
		test	ebx, ebx
		jnz	loc_4409EB

loc_440892:				; CODE XREF: KiQueueReadyThread+251j
					; KiQueueReadyThread+269j
		test	dword ptr [esi+5Ch], 2000h
		movsx	edx, byte ptr [esi+87h]
		mov	ecx, [edi+4020h]
		mov	[ebp+var_10], edx
		jz	loc_440A2D
		test	ecx, ecx
		jz	loc_440A2D
		mov	eax, [esi+164h]
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_440A2D
		cmp	byte ptr [ebp+var_1], 0
		jnz	loc_440A2D
		mov	ebx, [edi+4024h]
		mov	[ebp+var_1C], 0
		mov	edi, edi

loc_4408E0:				; CODE XREF: KiQueueReadyThread+3DCj
		lock bts dword ptr [ebx], 0
		jb	loc_440B70
		cmp	[ebp+var_8], 0
		lea	ecx, [esi+9Ch]
		mov	edx, [ebp+var_10]
		jz	loc_440AA4
		inc	edx
		lea	eax, [ebx+edx*8]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_440BA8
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[edx+4], ecx
		mov	edx, [ebp+var_10]
		mov	[eax], ecx
		btr	[edi+3B24h], edx

loc_440921:				; CODE XREF: KiQueueReadyThread+326j
		mov	eax, [ebx+4]
		bts	eax, edx
		mov	[ebx+4], eax
		mov	eax, [esi+148h]
		or	eax, 80000000h
		mov	[esi+148h], eax
		inc	dword ptr [ebx+134h]
		mov	eax, [esi+44h]
		mov	[esi+39Ch], eax
		add	[ebx+138h], eax
		adc	dword ptr [ebx+13Ch], 0
		xor	eax, eax
		lock and [ebx],	eax

loc_44095C:				; CODE XREF: KiQueueReadyThread+27Dj
					; KiQueueReadyThread+2EDj
		xor	ecx, ecx
		lea	eax, [edi+2224h]
		lock and [eax],	ecx

loc_440967:				; CODE XREF: KiQueueReadyThread+214j
					; KiQueueReadyThread+21Cj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_44096E:				; CODE XREF: KiQueueReadyThread+A7j
					; KiQueueReadyThread+AFj
		cmp	dword ptr [edi+8], 0
		jnz	loc_5AC1BC
		xor	ebx, ebx

loc_44097A:				; CODE XREF: KiQueueReadyThread+16BA21j
		mov	ecx, esi
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		xor	ecx, ecx
		lea	eax, [edi+2224h]
		lock and [eax],	ecx
		lea	eax, [esi+5Ch]
		lock btr dword ptr [eax], 0Ch
		mov	eax, [ebp+var_8]
		lea	edx, [ebp+var_20]
		mov	[esi+15Dh], al
		add	esi, 9Ch
		mov	[ebp+var_20], esi
		mov	[esi], ecx
		mov	ecx, edi
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		test	ebx, ebx
		jnz	short loc_440967
		mov	eax, [edi+4]
		cmp	eax, [edi+0Ch]
		jz	short loc_440967
		cmp	[edi+8], ebx
		jz	short loc_440967
		mov	cl, 2
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		jmp	short loc_440967
; 

loc_4409CD:				; CODE XREF: KiQueueReadyThread+89j
		add	ecx, [edi+3B34h]
		jz	loc_44082F
		call	_KiCheckForMaxOverQuotaScb@4 ; KiCheckForMaxOverQuotaScb(x)
		test	al, al
		jz	loc_44082F
		jmp	loc_44083D
; 

loc_4409EB:				; CODE XREF: KiQueueReadyThread+ECj
		test	dword ptr [ecx], 0C00h
		jnz	loc_440892
		lea	eax, [ebp+var_1]
		mov	edx, ebx
		push	eax
		push	0
		push	ecx
		mov	ecx, esi
		call	_KiGetThreadEffectiveRankNonZero@20 ; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)
		test	eax, eax
		jz	loc_440892
		mov	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		push	esi
		mov	ecx, edi
		call	KiAddThreadToScbQueue
		jmp	loc_44095C
; 

loc_440A22:				; CODE XREF: KiQueueReadyThread+CBj
		add	ebx, [edi+3B34h]
		jmp	loc_440871
; 

loc_440A2D:				; CODE XREF: KiQueueReadyThread+109j
					; KiQueueReadyThread+111j ...
		cmp	[ebp+var_8], 0
		lea	ecx, [edx+77Ch]
		lea	ebx, [esi+9Ch]
		lea	ecx, [edi+ecx*8]
		jz	loc_440B84
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	loc_440BA8
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[eax+4], ebx
		mov	[ecx], ebx
		bts	[edi+3B24h], edx

loc_440A62:				; CODE XREF: KiQueueReadyThread+3F5j
		mov	eax, [edi+3B20h]
		inc	dword ptr [edi+3B38h]
		bts	eax, edx
		mov	[edi+3B20h], eax
		mov	eax, [esi+44h]
		mov	[esi+39Ch], eax
		add	[edi+3B88h], eax
		adc	dword ptr [edi+3B8Ch], 0
		jmp	loc_44095C
; 

loc_440A92:				; CODE XREF: KiQueueReadyThread+7Ej
		test	byte ptr [edi+2238h], 2
		jz	loc_44083D
		jmp	loc_440824
; 

loc_440AA4:				; CODE XREF: KiQueueReadyThread+158j
		lea	eax, [edx+1]
		mov	edi, [ebx+eax*8+4]
		lea	eax, [ebx+eax*8]
		mov	[ebp+var_18], edi
		cmp	[edi], eax
		jnz	loc_440BA8
		mov	[ecx+4], edi
		mov	[ecx], eax
		mov	[edi], ecx
		mov	edi, [ebp+var_14]
		mov	[eax+4], ecx
		jmp	loc_440921
; 

loc_440ACB:				; CODE XREF: KiQueueReadyThread+4Aj
		test	byte ptr [esi+58h], 8
		jnz	loc_4407F0

loc_440AD5:				; CODE XREF: KiQueueReadyThread+55j
					; KiQueueReadyThread+5Ej
		xor	edx, edx
		mov	ecx, esi
		call	_KiTryToAcquireThreadLock@8 ; KiTryToAcquireThreadLock(x,x)
		test	al, al
		jz	loc_5AC1A6
		mov	eax, [esi+16Ch]
		mov	[ebp+var_18], eax
		cmp	ebx, [esi+1Ch]
		jb	short loc_440B3D
		ja	short loc_440AFE
		mov	eax, [ebp+var_10]
		cmp	eax, [esi+18h]
		jb	short loc_440B3D

loc_440AFE:				; CODE XREF: KiQueueReadyThread+354j
		mov	dl, 1
		call	KiComputeNewPriority
		movsx	ebx, al
		mov	ecx, esi
		push	1
		mov	dl, bl
		call	KiAbProcessThreadPriorityModification
		movzx	edx, byte ptr [esi+193h]
		mov	ecx, esi
		push	0
		push	[ebp+var_C]
		mov	[esi+87h], bl
		push	[ebp+var_10]
		call	_KiComputeQuantumTargetThread@20 ; KiComputeQuantumTargetThread(x,x,x,x,x)
		mov	ecx, esi
		call	_KiTryScheduleNextForegroundBoost@4 ; KiTryScheduleNextForegroundBoost(x)
		mov	[ebp+var_8], 0

loc_440B3D:				; CODE XREF: KiQueueReadyThread+352j
					; KiQueueReadyThread+35Cj
		mov	ecx, esi
		call	_KiCheckThreadAffinity@4 ; KiCheckThreadAffinity(x)
		test	eax, eax
		jz	short loc_440B9A

loc_440B48:				; CODE XREF: KiQueueReadyThread+401j
					; KiQueueReadyThread+16B9DEj ...
		mov	eax, [esi+16Ch]
		mov	dword ptr [esi+2Ch], 0
		test	ds:dword_70EFD0, 8000000h
		jz	loc_440804
		jmp	loc_5AC191
; 
		align 10h

loc_440B70:				; CODE XREF: KiQueueReadyThread+145j
					; KiQueueReadyThread+3E2j
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jz	loc_4408E0
		jmp	short loc_440B70
; 

loc_440B84:				; CODE XREF: KiQueueReadyThread+2A0j
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_440BA8
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	[ecx+4], ebx
		jmp	loc_440A62
; 

loc_440B9A:				; CODE XREF: KiQueueReadyThread+3A6j
		call	KiComputeThreadAffinity
		test	eax, eax
		jz	short loc_440B48
		jmp	loc_5AC16F
; 

loc_440BA8:				; CODE XREF: KiQueueReadyThread+167j
					; KiQueueReadyThread+2ABj ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
KiQueueReadyThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiUpdateGroupSchedulingRank proc near	; CODE XREF: KiQueueReadyThread+6Ap

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005AC1C6 SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	[ebp+var_C], edi
		mov	esi, [edi+50h]
		mov	[ebp+var_8], esi
		test	esi, esi
		jnz	short loc_440BD5

loc_440BCC:				; CODE XREF: KiUpdateGroupSchedulingRank+2Dj
					; KiUpdateGroupSchedulingRank+6Ej ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_440BD5:				; CODE XREF: KiUpdateGroupSchedulingRank+1Aj
		add	esi, [ebx+3B34h]
		test	esi, esi
		jz	short loc_440BCC
		mov	edi, [ebp+var_8]
		mov	[ebp+var_4], 0
		lea	esp, [esp+0]

loc_440BF0:				; CODE XREF: KiUpdateGroupSchedulingRank+16B638j
		test	byte ptr [esi+5Ch], 4
		jnz	short loc_440C62
		push	esi
		mov	edx, ebx
		mov	ecx, edi
		call	KiComputeGroupSchedulingRank

loc_440C00:				; CODE XREF: KiUpdateGroupSchedulingRank+C9j
					; KiUpdateGroupSchedulingRank+D2j ...
		mov	eax, [ebp+var_4]
		add	eax, [esi+60h]
		mov	esi, [esi+0F4h]
		mov	[ebp+var_4], eax
		test	esi, esi
		jnz	loc_5AC1E0
		cmp	[ebp+arg_0], 0
		mov	edi, [ebp+var_C]
		jz	short loc_440BCC
		mov	ecx, [edi+5Ch]
		lea	edx, [edi+5Ch]
		test	ecx, 200h
		jnz	short loc_440BCC
		cmp	byte ptr [edi+87h], 10h
		jge	short loc_440BCC
		cmp	[edi+13Ch], esi
		jnz	short loc_440C48
		cmp	byte ptr [edi+92h], 1
		jnz	short loc_440BCC

loc_440C48:				; CODE XREF: KiUpdateGroupSchedulingRank+8Dj
		test	eax, eax
		jz	short loc_440BCC
		test	ecx, 0C00h
		jnz	loc_440BCC
		lock bts dword ptr [edx], 0Bh
		jmp	loc_440BCC
; 

loc_440C62:				; CODE XREF: KiUpdateGroupSchedulingRank+44j
		mov	edx, edi
		mov	ecx, esi
		call	KiCheckMaxOverQuotaTransition
		test	al, al
		jnz	loc_5AC1C6
		mov	eax, [esi+4]
		cmp	eax, [esi+1Ch]
		jb	short loc_440C00
		ja	short loc_440C88
		mov	eax, [esi]
		cmp	eax, [esi+18h]
		jb	loc_440C00

loc_440C88:				; CODE XREF: KiUpdateGroupSchedulingRank+CBj
		test	byte ptr [esi+5Ch], 2
		jnz	loc_440C00
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_KiRecomputeGroupSchedulingRank@12 ; KiRecomputeGroupSchedulingRank(x,x,x)
		jmp	loc_440C00
KiUpdateGroupSchedulingRank endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiCheckForMaxOverQuotaScb(x)
_KiCheckForMaxOverQuotaScb@4 proc near	; CODE XREF: KiSchedulerApc+191p
					; KiFindReadyThread+14Ep ...
		mov	edi, edi

loc_440CA4:				; CODE XREF: KiCheckForMaxOverQuotaScb(x)+10j
		test	byte ptr [ecx+5Ch], 2
		jnz	short loc_440CB7
		mov	ecx, [ecx+0F4h]
		test	ecx, ecx
		jnz	short loc_440CA4
		xor	al, al
		retn
; 

loc_440CB7:				; CODE XREF: KiCheckForMaxOverQuotaScb(x)+6j
		mov	al, 1
		retn
_KiCheckForMaxOverQuotaScb@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiComputeGroupSchedulingRank proc near	; CODE XREF: KiUpdateGroupSchedulingRank+4Bp
					; KiGroupSchedulingQuantumEnd+BEp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AC1ED SIZE 0000016C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_10], edi
		mov	bl, [esi+5Ch]
		mov	bh, bl
		test	bl, 12h
		jnz	loc_440D8F
		mov	edx, [esi+28h]
		mov	eax, [esi]
		mov	ecx, [esi+4]
		mov	[ebp+var_C], edx
		mov	edx, [esi+2Ch]
		mov	[esi+28h], eax
		mov	[esi+2Ch], ecx
		mov	esi, [ebp+var_C]
		sub	esi, eax
		lea	eax, [edi+30h]
		mov	[ebp+var_C], esi
		sbb	edx, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], edx
		jmp	short loc_440D10
; 
		align 10h

loc_440D10:				; CODE XREF: KiComputeGroupSchedulingRank+4Bj
					; KiComputeGroupSchedulingRank+7Dj ...
		mov	edi, [eax]
		mov	ebx, esi
		mov	eax, [eax+4]
		add	ebx, edi
		mov	ecx, edx
		mov	[ebp+var_1C], eax
		mov	edx, [ebp+var_1C]
		adc	ecx, eax
		mov	[ebp+var_20], ebx
		mov	eax, edi
		nop
		mov	esi, [ebp+var_14]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_C]
		mov	ebx, edx
		mov	edx, [ebp+var_18]
		cmp	eax, edi
		mov	eax, [ebp+var_14]
		jnz	short loc_440D10
		cmp	ebx, [ebp+var_1C]
		jnz	short loc_440D10
		mov	esi, [ebp+arg_0]
		test	ecx, ecx
		jg	short loc_440D5B
		jl	loc_5AC1ED
		cmp	[ebp+var_20], 0
		jbe	loc_5AC1ED

loc_440D5B:				; CODE XREF: KiComputeGroupSchedulingRank+89j
		mov	[ebp+var_1], 0

loc_440D5F:				; CODE XREF: KiComputeGroupSchedulingRank+16B531j
		mov	edi, [ebp+var_10]
		cmp	dword ptr [edi+24h], 0
		lea	eax, [edi+20h]
		mov	[ebp+var_14], eax
		jl	short loc_440D7D
		jg	loc_5AC1F6
		cmp	dword ptr [eax], 0
		ja	loc_5AC1F6

loc_440D7D:				; CODE XREF: KiComputeGroupSchedulingRank+ACj
					; KiComputeGroupSchedulingRank+16B581j	...
		cmp	[ebp+var_1], 0
		mov	bl, [esi+5Ch]
		mov	edx, [ebp+var_8]
		jnz	loc_5AC25E
		mov	bh, bl

loc_440D8F:				; CODE XREF: KiComputeGroupSchedulingRank+1Ej
		mov	[ebp+var_1], 0

loc_440D93:				; CODE XREF: KiComputeGroupSchedulingRank+16B5AAj
		mov	eax, [esi+0Ch]
		mov	ecx, [esi+8]
		mov	[ebp+var_10], eax
		mov	eax, [esi+4]
		mov	[ebp+var_20], ecx
		cmp	eax, [ebp+var_10]
		jb	short loc_440DAF
		ja	short loc_440E07
		mov	eax, [esi]
		cmp	eax, ecx
		jnb	short loc_440E07

loc_440DAF:				; CODE XREF: KiComputeGroupSchedulingRank+E5j
		mov	byte ptr [ebp+arg_0+3],	0

loc_440DB3:				; CODE XREF: KiComputeGroupSchedulingRank+14Bj
		cmp	ecx, [esi+10h]
		jnz	short loc_440E0D
		mov	eax, [ebp+var_10]
		cmp	eax, [esi+14h]
		jnz	short loc_440E0D
		xor	ah, ah

loc_440DC2:				; CODE XREF: KiComputeGroupSchedulingRank+14Fj
		mov	ch, byte ptr [ebp+arg_0+3]
		mov	al, bl
		and	al, 10h
		jnz	short loc_440DFE

loc_440DCB:				; CODE XREF: KiComputeGroupSchedulingRank+140j
		mov	cl, bh
		test	al, al
		jnz	short loc_440DE2
		cmp	[ebp+var_1], al
		jnz	loc_5AC279
		test	ah, ah
		jnz	loc_5AC26F

loc_440DE2:				; CODE XREF: KiComputeGroupSchedulingRank+10Fj
					; KiComputeGroupSchedulingRank+16B5B3j	...
		test	cl, 1
		jnz	loc_5AC30C

loc_440DEB:				; CODE XREF: KiComputeGroupSchedulingRank+16B667j
		test	byte ptr [esi+5Ch], 4
		pop	edi
		pop	esi
		pop	ebx
		jnz	loc_5AC32C

loc_440DF8:				; CODE XREF: KiComputeGroupSchedulingRank+16B673j
					; KiComputeGroupSchedulingRank+16B694j
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_440DFE:				; CODE XREF: KiComputeGroupSchedulingRank+109j
		test	ch, ch
		jz	short loc_440DCB
		jmp	loc_5AC279
; 

loc_440E07:				; CODE XREF: KiComputeGroupSchedulingRank+E7j
					; KiComputeGroupSchedulingRank+EDj
		mov	byte ptr [ebp+arg_0+3],	1
		jmp	short loc_440DB3
; 

loc_440E0D:				; CODE XREF: KiComputeGroupSchedulingRank+F6j
					; KiComputeGroupSchedulingRank+FEj
		mov	ah, 1
		jmp	short loc_440DC2
KiComputeGroupSchedulingRank endp

; 
		align 2

;  S U B	R O U T	I N E 


KiCheckMaxOverQuotaTransition proc near	; CODE XREF: KiUpdateGroupSchedulingRank+B6p
					; KiGroupSchedulingQuantumEnd+166p ...

; FUNCTION CHUNK AT 005AC359 SIZE 00000019 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, edx
		test	byte ptr [esi+5Ch], 12h
		jz	loc_5AC359

loc_440E23:				; CODE XREF: KiCheckMaxOverQuotaTransition+16B552j
		xor	al, al
		pop	esi
		retn
KiCheckMaxOverQuotaTransition endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiTryToAcquireThreadLock(x,	x)
_KiTryToAcquireThreadLock@8 proc near	; CODE XREF: KiQueueReadyThread+339p
					; KiUpdateGlobalCpuSetConfiguration+51p ...
		lea	eax, [ecx+2Ch]
		lock bts dword ptr [eax], 0
		jb	short loc_440E39
		test	edx, edx
		jnz	short loc_440E3C

loc_440E36:				; CODE XREF: KiTryToAcquireThreadLock(x,x)+17j
		mov	al, 1
		retn
; 

loc_440E39:				; CODE XREF: KiTryToAcquireThreadLock(x,x)+8j
		xor	al, al
		retn
; 

loc_440E3C:				; CODE XREF: KiTryToAcquireThreadLock(x,x)+Cj
		mov	byte ptr [edx],	1
		jmp	short loc_440E36
_KiTryToAcquireThreadLock@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiCheckThreadAffinity(x)
_KiCheckThreadAffinity@4 proc near	; CODE XREF: KiQueueReadyThread+39Fp
					; KiSearchForNewThread+F1p ...
		mov	eax, ds:_KiCpuSetSequence
		cmp	[ecx+160h], eax
		jnz	short loc_440E53

loc_440E4F:				; CODE XREF: KiCheckThreadAffinity(x)+15j
		xor	eax, eax
		inc	eax
		retn
; 

loc_440E53:				; CODE XREF: KiCheckThreadAffinity(x)+Bj
		test	byte ptr [ecx+58h], 8
		jnz	short loc_440E4F
		xor	eax, eax
		retn
_KiCheckThreadAffinity@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAddThreadToScbQueue proc near		; CODE XREF: KiAddThreadToReadyQueue(x,x,x,x,x)+87p
					; KiQueueReadyThread+278p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AC372 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ecx
		mov	edx, [ebp+arg_0]
		push	edi
		movsx	ebx, byte ptr [edx+87h]

loc_440E74:				; CODE XREF: KiAddThreadToScbQueue+16B526j
		cmp	dword ptr [esi+60h], 0
		jz	loc_5AC372

loc_440E7E:				; CODE XREF: KiAddThreadToScbQueue+16B51Ej
		lea	ecx, ds:6Ch[ebx*8]
		add	ecx, esi
		lea	eax, [edx+9Ch]
		cmp	[ebp+arg_4], 0
		jz	short loc_440ECF
		mov	edi, [ecx]
		cmp	[edi+4], ecx
		jnz	short loc_440EE2
		mov	[eax], edi
		mov	[eax+4], ecx
		mov	[edi+4], eax
		mov	[ecx], eax

loc_440EA4:				; CODE XREF: KiAddThreadToScbQueue+84j
		or	dword ptr [edx+58h], 2000h
		mov	ecx, esi
		mov	[edx+230h], esi
		movzx	eax, word ptr [esi+5Eh]
		mov	edx, [ebp+var_4]
		bts	eax, ebx
		push	1
		mov	[esi+5Eh], ax
		call	_KiInsertNonMaxOverQuotaScb@12 ; KiInsertNonMaxOverQuotaScb(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_440ECF:				; CODE XREF: KiAddThreadToScbQueue+35j
		mov	edi, [ecx+4]
		cmp	[edi], ecx
		jnz	short loc_440EE2
		mov	[eax], ecx
		mov	[eax+4], edi
		mov	[edi], eax
		mov	[ecx+4], eax
		jmp	short loc_440EA4
; 

loc_440EE2:				; CODE XREF: KiAddThreadToScbQueue+3Cj
					; KiAddThreadToScbQueue+78j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
KiAddThreadToScbQueue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInsertNonMaxOverQuotaScb(x, x, x)
_KiInsertNonMaxOverQuotaScb@12 proc near ; CODE	XREF: KiAddThreadToScbQueue+67p
					; KiTransitionSchedulingGroupGeneration+2CFp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx

loc_440EF3:				; CODE XREF: KiInsertNonMaxOverQuotaScb(x,x,x)+2Aj
		mov	al, [esi+5Ch]
		test	al, 2
		jnz	short loc_440F14
		mov	edx, esi
		mov	ecx, edi
		test	al, 1
		jnz	short loc_440F1A
		push	[ebp+arg_0]
		call	KiInsertSchedulingGroupQueue

loc_440F0A:				; CODE XREF: KiInsertNonMaxOverQuotaScb(x,x,x)+39j
		mov	esi, [esi+0F4h]
		test	esi, esi
		jnz	short loc_440EF3

loc_440F14:				; CODE XREF: KiInsertNonMaxOverQuotaScb(x,x,x)+10j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_440F1A:				; CODE XREF: KiInsertNonMaxOverQuotaScb(x,x,x)+18j
		push	0
		call	KiResortScbQueue
		jmp	short loc_440F0A
_KiInsertNonMaxOverQuotaScb@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInsertSchedulingGroupQueue proc near	; CODE XREF: KiResortScbQueue+C0p
					; KiInsertNonMaxOverQuotaScb(x,x,x)+1Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005AC387 SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, edx
		or	byte ptr [esi+5Ch], 1
		mov	edx, [esi+0F4h]
		test	edx, edx
		jnz	loc_5AC387
		lea	edx, [ecx+3CE8h]

loc_440F47:				; CODE XREF: KiInsertSchedulingGroupQueue+16B469j
		test	byte ptr [edx+4], 1
		mov	ecx, [edx]
		jz	short loc_440F55
		test	ecx, ecx
		jz	short loc_440F55
		xor	ecx, edx

loc_440F55:				; CODE XREF: KiInsertSchedulingGroupQueue+29j
					; KiInsertSchedulingGroupQueue+2Dj
		push	edi
		movzx	edi, byte ptr [edx+4]
		and	edi, 1
		mov	byte ptr [ebp+var_4], 0
		test	ecx, ecx
		jz	loc_440FEF
		push	ebx
		mov	ebx, [esi+60h]
		mov	[ebp+var_C], ebx

loc_440F70:				; CODE XREF: KiInsertSchedulingGroupQueue+ACj
		and	[ebp+var_8], 0
		mov	eax, ebx
		sub	eax, [ecx+10h]
		jnz	short loc_440FB9
		movzx	eax, word ptr [esi+5Eh]
		test	ax, ax
		jnz	short loc_440FD2
		test	ebx, ebx
		jnz	loc_441014
		mov	eax, [esi+4]
		cmp	eax, [ecx-4Ch]
		jb	short loc_440F9D
		ja	short loc_440FBD
		mov	eax, [esi]
		cmp	eax, [ecx-50h]
		ja	short loc_440FBD

loc_440F9D:				; CODE XREF: KiInsertSchedulingGroupQueue+6Ej
					; KiInsertSchedulingGroupQueue+97j
		mov	eax, [ecx]
		test	edi, edi
		jz	short loc_440FA9
		test	eax, eax
		jz	short loc_440FAD
		xor	eax, ecx

loc_440FA9:				; CODE XREF: KiInsertSchedulingGroupQueue+7Dj
		test	eax, eax
		jnz	short loc_440FCE

loc_440FAD:				; CODE XREF: KiInsertSchedulingGroupQueue+81j
		mov	byte ptr [ebp+var_4], 0
		jmp	short loc_440FEE
; 

loc_440FB3:				; CODE XREF: KiInsertSchedulingGroupQueue+BDj
					; KiInsertSchedulingGroupQueue+C4j
		sub	eax, [ebp+var_8]
		mov	ebx, [ebp+var_C]

loc_440FB9:				; CODE XREF: KiInsertSchedulingGroupQueue+55j
					; KiInsertSchedulingGroupQueue+F3j
		test	eax, eax
		js	short loc_440F9D

loc_440FBD:				; CODE XREF: KiInsertSchedulingGroupQueue+70j
					; KiInsertSchedulingGroupQueue+77j
		mov	eax, [ecx+4]
		test	edi, edi
		jz	short loc_440FCA
		test	eax, eax
		jz	short loc_440FEA
		xor	eax, ecx

loc_440FCA:				; CODE XREF: KiInsertSchedulingGroupQueue+9Ej
		test	eax, eax
		jz	short loc_440FEA

loc_440FCE:				; CODE XREF: KiInsertSchedulingGroupQueue+87j
		mov	ecx, eax
		jmp	short loc_440F70
; 

loc_440FD2:				; CODE XREF: KiInsertSchedulingGroupQueue+5Ej
		movzx	ebx, word ptr [ecx+0Eh]
		bsr	eax, eax
		mov	[ebp+var_8], eax
		xor	eax, eax
		test	bx, bx
		jz	short loc_440FB3
		mov	eax, ebx
		bsr	eax, eax
		jmp	short loc_440FB3
; 

loc_440FEA:				; CODE XREF: KiInsertSchedulingGroupQueue+A2j
					; KiInsertSchedulingGroupQueue+A8j
		mov	byte ptr [ebp+var_4], 1

loc_440FEE:				; CODE XREF: KiInsertSchedulingGroupQueue+8Dj
		pop	ebx

loc_440FEF:				; CODE XREF: KiInsertSchedulingGroupQueue+3Fj
		lea	eax, [esi+50h]
		push	eax
		push	[ebp+var_4]
		push	ecx
		push	edx
		call	RtlRbInsertNodeEx
		cmp	[ebp+arg_0], 0
		pop	edi
		jz	short loc_44100F
		call	KeQueryInterruptTime
		mov	[esi+40h], eax
		mov	[esi+44h], edx

loc_44100F:				; CODE XREF: KiInsertSchedulingGroupQueue+DEj
		pop	esi
		leave
		retn	4
; 

loc_441014:				; CODE XREF: KiInsertSchedulingGroupQueue+62j
		xor	eax, eax
		inc	eax
		jmp	short loc_440FB9
KiInsertSchedulingGroupQueue endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MmGetDefaultPagePriority()
_MmGetDefaultPagePriority@0 proc near	; CODE XREF: PfTAccessTracingCleanup(x,x,x)+31p
					; PfTAccessTracingStart(x,x,x)+37p ...
		push	5
		pop	eax
		retn
_MmGetDefaultPagePriority@0 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 154. KiBeginThreadAccountingPeriod

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KiBeginThreadAccountingPeriod
KiBeginThreadAccountingPeriod proc near	; CODE XREF: V86_kira_a+78Bp
					; V86_kira_a+802p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AC392 SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_C], edx
		mov	esi, ecx
		mov	[ebp+var_14], esi
		test	ebx, ebx
		jz	loc_44112E
		mov	[ebp+var_1], 1

loc_441050:				; CODE XREF: KiBeginThreadAccountingPeriod+10Cj
		mov	dl, [ebx+2]
		mov	[ebp+var_2], dl
		test	dl, 10h
		jnz	loc_5AC392

loc_44105F:				; CODE XREF: KiBeginThreadAccountingPeriod+16B37Dj
		test	dl, 20h
		jz	loc_4410FF
		mov	edx, [esi+3EA0h]
		mov	eax, [esi+3EA4h]
		test	edx, edx
		jz	loc_441182
		test	eax, eax
		jz	loc_441182
		cmp	byte ptr [eax+54h], 0
		jnz	loc_5AC3B2
		mov	ecx, [eax+38h]
		mov	eax, [edx+88h]
		cmp	ecx, eax
		jb	short loc_44109D
		mov	ecx, eax

loc_44109D:				; CODE XREF: KiBeginThreadAccountingPeriod+69j
					; KiBeginThreadAccountingPeriod+157j ...
		cmp	ecx, 4Bh
		jb	loc_44119F
		mov	edx, 3

loc_4410AB:				; CODE XREF: KiBeginThreadAccountingPeriod+179j
		movzx	eax, byte ptr [esi+3ED0h]
		push	edi
		lea	eax, [eax+edx*2]
		lea	eax, [eax+773h]
		lea	eax, [esi+eax*8]
		mov	esi, eax
		mov	[ebp+var_8], eax
		mov	ebx, [esi]
		add	ebx, [ebp+arg_0]
		mov	eax, [esi+4]
		adc	eax, [ebp+arg_4]
		mov	[ebp+var_8], ebx
		mov	[ebp+arg_4], eax

loc_4410D5:				; CODE XREF: KiBeginThreadAccountingPeriod+BEj
					; KiBeginThreadAccountingPeriod+C3j
		mov	edi, [esi]
		mov	eax, edi
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_10], ecx
		nop
		mov	ecx, [ebp+arg_4]
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [ebp+var_8]
		cmp	eax, edi
		jnz	short loc_4410D5
		cmp	edx, [ebp+var_10]
		jnz	short loc_4410D5
		mov	esi, [ebp+var_14]
		mov	ebx, [ebp+var_C]
		mov	dl, [ebp+var_2]
		pop	edi

loc_4410FF:				; CODE XREF: KiBeginThreadAccountingPeriod+32j
		cmp	[ebp+var_1], 0
		mov	byte ptr [esi+11h], 0
		jz	short loc_441141
		test	dl, 36h
		jz	loc_5AC3C8
		cmp	dword ptr [ebx+0F4h], 0
		jnz	loc_5AC3BA

loc_44111F:				; CODE XREF: KiBeginThreadAccountingPeriod+16B393j
		sti
		test	byte ptr [ebx+2], 4
		jnz	short loc_44114B

loc_441126:				; CODE XREF: KiBeginThreadAccountingPeriod+114j
					; KiBeginThreadAccountingPeriod+12Aj ...
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_44112E:				; CODE XREF: KiBeginThreadAccountingPeriod+16j
		mov	ebx, large fs:124h
		mov	[ebp+var_C], ebx
		mov	[ebp+var_1], 0
		jmp	loc_441050
; 

loc_441141:				; CODE XREF: KiBeginThreadAccountingPeriod+D7j
		test	dl, 2
		jz	short loc_441126
		jmp	loc_5AC3CE
; 

loc_44114B:				; CODE XREF: KiBeginThreadAccountingPeriod+F4j
		mov	eax, [ebx+5Ch]
		test	eax, 800h
		jnz	short loc_44118C
		test	eax, 600h
		jnz	short loc_441126
		mov	eax, [ebx+50h]
		test	eax, eax
		jz	short loc_441126
		add	eax, [esi+3B34h]
		jz	short loc_441126
		jmp	short loc_441170
; 
		align 10h

loc_441170:				; CODE XREF: KiBeginThreadAccountingPeriod+13Bj
					; KiBeginThreadAccountingPeriod+150j
		test	byte ptr [eax+5Ch], 2
		jnz	short loc_44118C
		mov	eax, [eax+0F4h]
		test	eax, eax
		jz	short loc_441126
		jmp	short loc_441170
; 

loc_441182:				; CODE XREF: KiBeginThreadAccountingPeriod+46j
					; KiBeginThreadAccountingPeriod+4Ej
		mov	ecx, 64h
		jmp	loc_44109D
; 

loc_44118C:				; CODE XREF: KiBeginThreadAccountingPeriod+123j
					; KiBeginThreadAccountingPeriod+144j
		push	1
		mov	edx, ebx
		mov	ecx, esi
		call	_KiInsertDeferredPreemptionApc@12 ; KiInsertDeferredPreemptionApc(x,x,x)
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_44119F:				; CODE XREF: KiBeginThreadAccountingPeriod+70j
		mov	eax, 51EB851Fh
		mul	ecx
		shr	edx, 3
		jmp	loc_4410AB
KiBeginThreadAccountingPeriod endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInsertDeferredPreemptionApc(x, x,	x)
_KiInsertDeferredPreemptionApc@12 proc near ; CODE XREF: KiBeginThreadAccountingPeriod+162p
					; KiDeferGroupSchedulingPreemption(x,x)+10Bp ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		lea	edx, [esi+5Ch]
		jnz	short loc_44121E
		test	dword ptr [edx], 400h
		jnz	short loc_441218

loc_4411CA:				; CODE XREF: KiInsertDeferredPreemptionApc(x,x,x)+75j
		push	edi
		lock bts dword ptr [edx], 0Ah
		and	dword ptr [ebp+arg_0], 0
		lea	edi, [esi+2Ch]

loc_4411D7:				; CODE XREF: KiInsertDeferredPreemptionApc(x,x,x)+85j
		lock bts dword ptr [edi], 0
		jb	short loc_441225
		cmp	byte ptr [esi+1BEh], 0
		jnz	short loc_441211
		test	dword ptr [esi+58h], 4000h
		jz	short loc_441211
		lea	ecx, [esi+190h]
		mov	byte ptr [esi+1BEh], 1
		call	KiInsertQueueApc
		push	2
		lea	edx, [esi+190h]
		mov	ecx, ebx
		call	_KiSignalThreadForApc@12 ; KiSignalThreadForApc(x,x,x)

loc_441211:				; CODE XREF: KiInsertDeferredPreemptionApc(x,x,x)+37j
					; KiInsertDeferredPreemptionApc(x,x,x)+40j
		mov	dword ptr [edi], 0
		pop	edi

loc_441218:				; CODE XREF: KiInsertDeferredPreemptionApc(x,x,x)+1Aj
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_44121E:				; CODE XREF: KiInsertDeferredPreemptionApc(x,x,x)+12j
		lock btr dword ptr [edx], 0Bh
		jmp	short loc_4411CA
; 

loc_441225:				; CODE XREF: KiInsertDeferredPreemptionApc(x,x,x)+2Ej
					; KiInsertDeferredPreemptionApc(x,x,x)+83j
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_441225
		jmp	short loc_4411D7
_KiInsertDeferredPreemptionApc@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspProcessUnbindVirtualizedTimers proc near ; CODE XREF: PspExitProcess+A1p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AC3DC SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+64h], 10h
		jnz	short loc_441249

loc_441246:				; CODE XREF: PspProcessUnbindVirtualizedTimers+88j
		pop	esi
		leave
		retn
; 

loc_441249:				; CODE XREF: PspProcessUnbindVirtualizedTimers+Ej
		push	ebx
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [esi+454h]
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		call	KeQueryInterruptTime
		mov	[ebp+var_4], eax
		add	esi, 458h
		mov	[ebp+var_8], edx

loc_441271:				; CODE XREF: PspProcessUnbindVirtualizedTimers+6Aj
		mov	ecx, [esi]
		cmp	ecx, esi
		jz	short loc_4412A2
		mov	eax, [ecx]
		cmp	[ecx+4], esi
		jnz	short loc_4412C0
		cmp	[eax+4], ecx
		jnz	short loc_4412C0
		push	edx
		push	[ebp+var_4]
		mov	[esi], eax
		mov	[eax+4], esi
		call	ExRemoveVirtualizedTimer
		mov	edx, 54567350h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		mov	edx, [ebp+var_8]
		jmp	short loc_441271
; 

loc_4412A2:				; CODE XREF: PspProcessUnbindVirtualizedTimers+3Fj
		test	ds:byte_70EFC6,	1
		jnz	loc_5AC3DC
		xor	eax, eax
		lock and [edi],	eax

loc_4412B4:				; CODE XREF: PspProcessUnbindVirtualizedTimers+16B1B0j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	ebx
		jmp	short loc_441246
; 

loc_4412C0:				; CODE XREF: PspProcessUnbindVirtualizedTimers+46j
					; PspProcessUnbindVirtualizedTimers+4Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PspProcessUnbindVirtualizedTimers endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpLogApplicationEvent proc near	; CODE XREF: PfProcessExitNotification(x)+9p
					; PfCalculateProcessHash+117p

var_80C		= dword	ptr -80Ch
var_808		= dword	ptr -808h
var_804		= dword	ptr -804h
var_800		= dword	ptr -800h
var_7FC		= dword	ptr -7FCh
var_7F8		= dword	ptr -7F8h
var_7F4		= dword	ptr -7F4h
var_7F0		= dword	ptr -7F0h
var_7EC		= dword	ptr -7ECh
var_7E8		= dword	ptr -7E8h
var_7E4		= dword	ptr -7E4h
var_7E0		= word ptr -7E0h
var_7DE		= dword	ptr -7DEh
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_80C], ebx
		mov	[ebp+var_808], ebx
		call	_PFP_CAN_DO_ACCESS_LOGGING@0 ; PFP_CAN_DO_ACCESS_LOGGING()
		test	eax, eax
		jz	loc_441459
		mov	[ebp+var_8], ebx
		cmp	[ebp+arg_0], bl
		jz	short loc_441377
		mov	eax, [esi+0E4h]
		mov	ecx, [esi+104h]
		mov	edx, [esi+100h]
		xor	ecx, eax
		xor	ecx, edx
		mov	[ebp+var_7FC], eax
		mov	eax, [esi+1DCh]
		and	ecx, 1FFFFFFFh
		push	0Eh
		shr	edx, 3
		mov	[ebp+var_804], esi
		and	edx, 1C000000h
		pop	esi
		xor	ecx, edx
		mov	[ebp+var_7F8], eax
		push	10h
		mov	[ebp+var_800], ecx
		pop	ebx

loc_441350:				; CODE XREF: PfpLogApplicationEvent+18Ej
		push	ebx		; size_t
		lea	eax, [ebp+var_804]
		push	eax		; void *
		call	_PFP_GET_CURRENT_TIME@0	; PFP_GET_CURRENT_TIME()
		mov	edx, eax
		mov	ecx, esi
		call	PfLogEvent

loc_441366:				; CODE XREF: PfpLogApplicationEvent+198j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_441377:				; CODE XREF: PfpLogApplicationEvent+3Dj
		test	edi, edi
		jz	sub_5AC3EB

loc_44137F:				; CODE XREF: sub_5AC3EB+13j
		mov	ecx, [esi+104h]
		xor	eax, eax
		mov	edx, [esi+100h]
		mov	word ptr [ebp+var_7DE],	ax
		mov	eax, [esi+0E4h]
		xor	ecx, eax
		xor	ecx, edx
		mov	[ebp+var_7F4], eax
		mov	eax, [esi+1DCh]
		and	ecx, 1FFFFFFFh
		shr	edx, 3
		and	edx, 1C000000h
		mov	[ebp+var_7E4], ebx
		xor	ecx, edx
		mov	[ebp+var_7E8], esi
		mov	[ebp+var_7F0], ecx
		mov	ecx, esi
		mov	[ebp+var_7F8], eax
		call	_MmGetDirectoryFrameFromProcess@4 ; MmGetDirectoryFrameFromProcess(x)
		movzx	ecx, word ptr [edi]
		mov	ebx, 7D8h
		mov	[ebp+var_7EC], eax
		cmp	ecx, ebx
		ja	short loc_4413EE
		mov	ebx, ecx

loc_4413EE:				; CODE XREF: PfpLogApplicationEvent+124j
		mov	eax, ebx
		shr	eax, 1
		mov	[ebp+var_7E0], ax
		mov	eax, [edi+4]
		sub	eax, ebx
		add	eax, ecx
		push	ebx		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_7DE]
		push	eax		; void *
		call	_memcpy
		movzx	eax, [ebp+var_7E0]
		xor	ecx, ecx
		add	esp, 0Ch
		mov	word ptr [ebp+eax*2+var_7DE], cx
		mov	ecx, esi
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		lea	edx, [eax+1]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	[ebp+var_804], edx
		call	_MmGetSessionGlobalVA@4	; MmGetSessionGlobalVA(x)
		xor	esi, esi
		mov	[ebp+var_800], eax
		mov	eax, ds:_PsIdleProcess
		inc	esi
		mov	[ebp+var_7FC], eax
		add	ebx, 28h
		jmp	loc_441350
; 

loc_441459:				; CODE XREF: PfpLogApplicationEvent+31j
		mov	eax, 0C00000BBh
		jmp	loc_441366
PfpLogApplicationEvent endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PFP_CAN_DO_ACCESS_LOGGING()
_PFP_CAN_DO_ACCESS_LOGGING@0 proc near	; CODE XREF: PfpLogApplicationEvent+2Ap
					; PfpScenCtxPrefetchWait+21p ...
		mov	eax, dword_6D43EC
		cmp	eax, dword_6D43F0
		sbb	eax, eax
		neg	eax
		retn
_PFP_CAN_DO_ACCESS_LOGGING@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSynchronizeAddressPolicy(x)
_KeSynchronizeAddressPolicy@4 proc near	; CODE XREF: PspDisablePrimaryTokenExchange(x)+B3p

var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+74h], 1
		jnz	loc_441518
		push	ebx
		push	edi
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	[ebp+var_1], al
		lea	edi, [ebp+var_14]
		mov	eax, large fs:20h
		add	esi, 58h
		mov	[ebp+var_8], eax
		mov	eax, [eax+3CCh]
		movsd
		movsd
		movsd
		mov	ebx, [ebp+var_C]
		btr	ebx, eax
		mov	[ebp+var_C], ebx
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	bl, ds:_RtlpBitsClearTotal[ecx]
		add	bl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, large fs:124h
		add	bl, dl
		mov	eax, [eax+80h]
		cmp	byte ptr [eax+74h], 1
		jnz	short loc_441509
		mov	eax, large fs:500Ch
		test	al, 2
		jnz	short loc_441509
		xor	ecx, ecx
		inc	ecx
		call	_KiSetAddressPolicy@4 ;	KiSetAddressPolicy(x)

loc_441509:				; CODE XREF: KeSynchronizeAddressPolicy(x)+81j
					; KeSynchronizeAddressPolicy(x)+8Bj
		pop	edi
		test	bl, bl
		pop	ebx
		jnz	short loc_44151B

loc_44150F:				; CODE XREF: KeSynchronizeAddressPolicy(x)+CDj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_441518:				; CODE XREF: KeSynchronizeAddressPolicy(x)+Fj
		pop	esi
		leave
		retn
; 

loc_44151B:				; CODE XREF: KeSynchronizeAddressPolicy(x)+99j
		push	0
		push	0
		push	1
		push	offset _KiSynchronizeAddressPolicyTarget@16 ; KiSynchronizeAddressPolicyTarget(x,x,x,x)
		lea	edx, [ebp+var_14]
		xor	ecx, ecx
		call	_KiIpiSendPacket@24 ; KiIpiSendPacket(x,x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		jmp	short loc_441537
; 

loc_441535:				; CODE XREF: KeSynchronizeAddressPolicy(x)+CBj
		pause

loc_441537:				; CODE XREF: KeSynchronizeAddressPolicy(x)+BFj
		mov	eax, [ecx+2120h]
		test	eax, eax
		jnz	short loc_441535
		jmp	short loc_44150F
_KeSynchronizeAddressPolicy@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KeKvaShadowingActive()
_KeKvaShadowingActive@0	proc near	; CODE XREF: PspDisablePrimaryTokenExchange(x):loc_76F639p
					; PsCreateMinimalProcess+F9p ...
		mov	eax, ds:_KiKvaShadowMode
		retn
_KeKvaShadowingActive@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSelectThreadFromSchedulingGroup(x, x, x)
_KiSelectThreadFromSchedulingGroup@12 proc near	; CODE XREF: KiSelectLowestRankedThread+47p
					; KiChooseLowestRankedThread+B2p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	eax, word ptr [edx+5Eh]
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	cl, [ebp+arg_0]
		shr	eax, cl
		test	eax, eax
		jz	short loc_44157C
		bsr	ecx, eax
		add	ecx, dword ptr [ebp+arg_0]
		push	ecx
		mov	esi, [edx+ecx*8+6Ch]
		mov	ecx, edi
		sub	esi, 9Ch
		push	esi
		call	_KiRemoveThreadFromScbQueue@16 ; KiRemoveThreadFromScbQueue(x,x,x,x)

loc_44157C:				; CODE XREF: KiSelectThreadFromSchedulingGroup(x,x,x)+17j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
_KiSelectThreadFromSchedulingGroup@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiFlushQueuedDpcsWorker	proc near	; DATA XREF: KeFlushQueuedDpcs+6Fo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+21ECh]
		mov	eax, [eax+2204h]
		or	eax, ecx
		jnz	sub_5AC403

loc_4415A0:				; CODE XREF: sub_5AC403+1Cj
		pop	ebp
		retn	8
KiFlushQueuedDpcsWorker	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeGenericProcessorCallback(x, x, x,	x)
_KeGenericProcessorCallback@16 proc near ; CODE	XREF: ExpUpdateTimerConfiguration(x,x,x)+50p
					; KeFlushQueuedDpcs+77p ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= word ptr -48h
var_46		= word ptr -46h
var_44		= dword	ptr -44h
var_40		= word ptr -40h
var_3E		= dword	ptr -3Eh
var_3A		= word ptr -3Ah
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_30], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_44]
		mov	[ebp+var_34], edx
		stosd
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_24], ecx
		xor	edx, edx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_46], ax
		lea	edi, [ebp+var_1C]
		stosd
		stosd
		stosd
		test	ecx, ecx
		jz	loc_4416EB

loc_4415EE:				; CODE XREF: KeGenericProcessorCallback(x,x,x,x)+15Bj
		mov	ebx, [ebp+arg_4]
		lea	ecx, [ebp+var_1C]
		mov	edi, large fs:124h
		mov	esi, edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_3E], edx
		mov	[ebp+var_3A], dx
		mov	[ebp+var_38], edi
		test	ebx, ebx
		jz	short loc_441625
		test	bl, 2
		jz	loc_4416D1
		push	1Eh
		push	edi
		call	KeSetPriorityThread
		mov	[ebp+var_2C], eax

loc_441625:				; CODE XREF: KeGenericProcessorCallback(x,x,x,x)+6Bj
					; KeGenericProcessorCallback(x,x,x,x)+137j
		mov	ebx, [ebp+var_34]
		xor	eax, eax
		mov	edi, [ebp+var_30]
		mov	[ebp+var_48], ax
		mov	eax, [ebp+var_24]
		mov	edx, [eax+8]
		mov	[ebp+var_4C], edx
		mov	[ebp+var_50], eax

loc_44163D:				; CODE XREF: KeGenericProcessorCallback(x,x,x,x)+D8j
		and	[ebp+var_54], 0
		test	edx, edx
		jz	short loc_44167E
		push	[ebp+var_28]
		bsf	eax, edx
		movzx	ecx, al
		xor	eax, eax
		mov	[ebp+var_40], ax
		btr	edx, ecx
		inc	eax
		mov	[ebp+var_4C], edx
		shl	eax, cl
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		call	KeSetSystemGroupAffinityThread
		mov	esi, large fs:20h
		push	edi
		push	esi
		call	ebx
		mov	edx, [ebp+var_4C]
		xor	ecx, ecx
		mov	[ebp+var_28], ecx
		jmp	short loc_44163D
; 

loc_44167E:				; CODE XREF: KeGenericProcessorCallback(x,x,x,x)+9Fj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ebx, [ebp+arg_4]
		mov	edi, [ebp+var_38]
		mov	[ebp+var_1D], al
		mov	byte ptr [esi+223Ah], 1
		test	ebx, ebx
		jz	short loc_4416A6
		test	bl, 2
		jz	short loc_4416E0
		push	[ebp+var_2C]
		push	edi
		call	KeSetPriorityThread

loc_4416A6:				; CODE XREF: KeGenericProcessorCallback(x,x,x,x)+F2j
					; KeGenericProcessorCallback(x,x,x,x)+145j
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		mov	dl, [ebp+var_1D]
		mov	ecx, esi
		mov	byte ptr [esi+223Ah], 0
		call	KiCheckForThreadDispatch
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_4416D1:				; CODE XREF: KeGenericProcessorCallback(x,x,x,x)+70j
		push	0Fh
		pop	edx
		mov	ecx, edi
		call	KeSetPriorityBoost
		jmp	loc_441625
; 

loc_4416E0:				; CODE XREF: KeGenericProcessorCallback(x,x,x,x)+F7j
		mov	edx, edi
		mov	ecx, esi
		call	KiRemoveBoostThread
		jmp	short loc_4416A6
; 

loc_4416EB:				; CODE XREF: KeGenericProcessorCallback(x,x,x,x)+44j
		lea	eax, [ebp+var_10]
		mov	word ptr [ebp+var_10], bx
		mov	[ebp+var_24], eax
		mov	word ptr [ebp+var_10+2], bx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ebx
		jmp	loc_4415EE
_KeGenericProcessorCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiGroupSchedulingMoveThread proc near	; CODE XREF: KiSearchForNewThreadOnProcessor+149p
					; KiGroupSchedulingMoveThread+16AD5Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AC424 SIZE 00000089 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], ecx
		mov	eax, [esi+4]
		test	al, 1
		jnz	short loc_441732
		mov	esi, eax

loc_441725:				; CODE XREF: KiGroupSchedulingMoveThread+38j
		test	esi, esi
		jnz	short loc_44173E

loc_441729:				; CODE XREF: KiGroupSchedulingMoveThread+31j
					; KiGroupSchedulingMoveThread+16AD98j
		xor	eax, eax

loc_44172B:				; CODE XREF: KiGroupSchedulingMoveThread+9Ej
					; KiGroupSchedulingMoveThread+16AD65j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_441732:				; CODE XREF: KiGroupSchedulingMoveThread+1Dj
		cmp	eax, 1
		jz	short loc_441729
		or	esi, 1
		xor	esi, eax
		jmp	short loc_441725
; 

loc_44173E:				; CODE XREF: KiGroupSchedulingMoveThread+23j
					; KiGroupSchedulingMoveThread+16ADA4j
		lea	ebx, [esi-50h]
		movzx	edi, word ptr [ebx+5Eh]
		test	edi, edi
		jz	loc_5AC446

loc_44174D:				; CODE XREF: KiGroupSchedulingMoveThread+16AD39j
		bsr	eax, edi
		mov	[ebp+var_4], eax
		lea	eax, ds:6Ch[eax*8]
		add	eax, ebx
		mov	[ebp+var_10], eax
		mov	eax, [eax]
		mov	[ebp+arg_0], eax

loc_441764:				; CODE XREF: KiGroupSchedulingMoveThread+16AD2Bj
		add	eax, 0FFFFFF64h
		mov	[ebp+var_14], eax
		lea	edx, [eax+164h]
		call	_KiPrcbInGroupAffinity@8 ; KiPrcbInGroupAffinity(x,x)
		test	eax, eax
		jz	loc_5AC424
		mov	eax, [ebp+var_4]
		mov	edx, ebx
		mov	esi, [ebp+var_14]
		mov	ecx, [ebp+var_8]
		push	eax
		push	esi
		call	_KiRemoveThreadFromScbQueue@16 ; KiRemoveThreadFromScbQueue(x,x,x,x)
		mov	eax, [ebp+var_C]
		mov	ecx, [eax+3CCh]
		mov	eax, esi
		mov	[esi+148h], ecx
		jmp	short loc_44172B
KiGroupSchedulingMoveThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiRemoveThreadFromScbQueue(x, x, x,	x)
_KiRemoveThreadFromScbQueue@16 proc near ; CODE	XREF: KiRemoveThreadFromSchedulingGroup+F5p
					; KiSelectThreadFromSchedulingGroup(x,x,x)+2Dp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		lea	ecx, [esi+9Ch]
		mov	edi, [ecx]
		mov	eax, [ecx+4]
		cmp	[edi+4], ecx
		jnz	short loc_441832
		cmp	[eax], ecx
		jnz	short loc_441832
		mov	[eax], edi
		mov	[edi+4], eax
		cmp	eax, edi
		jnz	short loc_441812
		movzx	ecx, word ptr [edx+5Eh]
		mov	eax, [ebp+arg_4]
		btc	ecx, eax
		movzx	eax, cx
		mov	ecx, eax
		mov	[edx+5Eh], ax
		mov	al, [edx+5Ch]
		test	al, 2
		jnz	short loc_441812
		test	al, 1
		jz	short loc_441812
		test	cx, cx
		jnz	short loc_441827
		lea	ecx, [edx+0ECh]
		test	byte ptr [ecx+4], 1
		mov	eax, [ecx]
		jz	short loc_441805
		test	eax, eax
		jz	short loc_441809
		xor	eax, ecx

loc_441805:				; CODE XREF: KiRemoveThreadFromScbQueue(x,x,x,x)+59j
		test	eax, eax
		jnz	short loc_441827

loc_441809:				; CODE XREF: KiRemoveThreadFromScbQueue(x,x,x,x)+5Dj
		push	1
		mov	ecx, ebx
		call	KiRemoveSchedulingGroupQueue

loc_441812:				; CODE XREF: KiRemoveThreadFromScbQueue(x,x,x,x)+28j
					; KiRemoveThreadFromScbQueue(x,x,x,x)+42j ...
		and	dword ptr [esi+58h], 0FFFFDFFFh
		and	dword ptr [esi+230h], 0
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_441827:				; CODE XREF: KiRemoveThreadFromScbQueue(x,x,x,x)+4Bj
					; KiRemoveThreadFromScbQueue(x,x,x,x)+63j
		push	1
		mov	ecx, ebx
		call	KiResortScbQueue
		jmp	short loc_441812
; 

loc_441832:				; CODE XREF: KiRemoveThreadFromScbQueue(x,x,x,x)+1Bj
					; KiRemoveThreadFromScbQueue(x,x,x,x)+1Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_KiRemoveThreadFromScbQueue@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiRemoveSchedulingGroupQueue proc near	; CODE XREF: KiResortScbQueue+B5p
					; KiResortScbQueue+100p ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005AC4AD SIZE 00000039 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_4], ecx

loc_441846:				; CODE XREF: KiRemoveSchedulingGroupQueue+16ACA3j
		lea	edi, [esi+0F4h]
		mov	eax, [edi]
		lea	ebx, [eax+0ECh]
		test	eax, eax
		jnz	short loc_44185E
		lea	ebx, [ecx+3CE8h]

loc_44185E:				; CODE XREF: KiRemoveSchedulingGroupQueue+1Ej
		cmp	[ebp+arg_0], 0
		jz	short loc_441875
		call	KeQueryInterruptTime
		sub	eax, [esi+40h]
		sbb	edx, [esi+44h]
		add	[esi+38h], eax
		adc	[esi+3Ch], edx

loc_441875:				; CODE XREF: KiRemoveSchedulingGroupQueue+2Aj
		and	byte ptr [esi+5Ch], 0FEh
		lea	eax, [esi+50h]
		push	eax
		push	ebx
		call	RtlRbRemoveNode
		mov	esi, [edi]
		test	esi, esi
		jnz	loc_5AC4AD

loc_44188D:				; CODE XREF: KiRemoveSchedulingGroupQueue+16AC79j
					; KiRemoveSchedulingGroupQueue+16AC95j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
KiRemoveSchedulingGroupQueue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIdleSchedule	proc near		; CODE XREF: KiIdleLoop()+115p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AC4E6 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_4], ebx
		lea	edi, [esi+2224h]

loc_4418AA:				; CODE XREF: KiIdleSchedule+79j
		lock bts dword ptr [edi], 0
		jb	short loc_4418FF
		mov	[esi+223Bh], bl
		mov	edx, [esi+0Ch]
		cmp	[esi+8], edx
		jz	short loc_44190F

loc_4418BF:				; CODE XREF: KiIdleSchedule+7Ej
		cli
		push	ebx
		mov	ecx, esi
		call	KiEndThreadCycleAccumulation
		sti
		mov	dl, 1
		mov	ecx, esi
		call	KiSearchForNewThread
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_4418F8
		cmp	ds:_KeHeteroSystem, eax
		jnz	loc_5AC4E6

loc_4418E4:				; CODE XREF: KiIdleSchedule+16AC59j
					; KiIdleSchedule+16AC66j
		mov	edx, [esi+0Ch]
		cli
		push	ecx
		mov	ecx, esi
		call	KiStartThreadCycleAccumulation
		sti

loc_4418F1:				; CODE XREF: KiIdleSchedule+69j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_4418F8:				; CODE XREF: KiIdleSchedule+42j
		xor	eax, eax
		lock and [edi],	eax
		jmp	short loc_4418F1
; 

loc_4418FF:				; CODE XREF: KiIdleSchedule+1Bj
					; KiIdleSchedule+77j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_4418FF
		jmp	short loc_4418AA
; 

loc_44190F:				; CODE XREF: KiIdleSchedule+29j
		mov	[esi+8], ebx
		jmp	short loc_4418BF
KiIdleSchedule	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSearchForNewThread proc near		; CODE XREF: KiIdleSchedule+39p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AC4FF SIZE 00000112 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], 0
		push	edi
		mov	bl, dl
		mov	edi, [esi+8]
		test	edi, edi
		jnz	loc_4419EC

loc_441941:				; CODE XREF: KiSearchForNewThread+16AC32j
		mov	edx, esi
		mov	ecx, 1
		call	KiSelectReadyThread
		mov	edi, eax
		test	edi, edi
		jnz	loc_441A0F
		mov	ecx, esi
		call	KiSelectLowestRankedThread
		mov	edi, eax
		test	edi, edi
		jnz	loc_441A0F
		mov	edx, esi
		xor	ecx, ecx
		call	KiSelectReadyThread
		mov	edi, eax
		test	edi, edi
		jnz	loc_441A0F
		mov	al, [esi+2238h]
		cmp	al, 7
		jz	loc_5AC56D

loc_441989:				; CODE XREF: KiSearchForNewThread+16AC52j
		test	bl, bl
		jz	loc_5AC577

loc_441991:				; CODE XREF: KiSearchForNewThread+16AC91j
		test	al, 2
		jnz	loc_5AC5B6
		xor	ecx, ecx

loc_44199B:				; CODE XREF: KiSearchForNewThread+16AC9Bj
		xor	edx, edx
		lea	eax, [esi+2224h]
		lock and [eax],	edx
		test	ecx, ecx
		jnz	loc_5AC5C0

loc_4419AE:				; CODE XREF: KiSearchForNewThread+16ACA8j
		mov	ebx, [esi+338h]
		movzx	eax, word ptr [ebx+8Ah]
		mov	edi, [ebx+80h]
		mov	[ebp+var_8], eax

loc_4419C4:				; CODE XREF: KiSearchForNewThread+16ACD5j
		mov	edx, ebx
		mov	ecx, esi
		call	@KiSearchForNewThreadOnNode@8 ;	KiSearchForNewThreadOnNode(x,x)
		test	eax, eax
		jnz	short loc_4419E5
		movzx	eax, word ptr [ebx+8Ah]
		btr	edi, eax
		test	edi, edi
		jnz	loc_5AC5CD

loc_4419E3:				; CODE XREF: KiSearchForNewThread+16ACA2j
					; KiSearchForNewThread+16ACBDj
		xor	eax, eax

loc_4419E5:				; CODE XREF: KiSearchForNewThread+AFj
					; KiSearchForNewThread+EDj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4419EC:				; CODE XREF: KiSearchForNewThread+1Bj
					; KiSearchForNewThread+16AC38j
		mov	dword ptr [esi+8], 0
		mov	[esi+4], edi
		mov	al, [edi+90h]
		cmp	al, 1
		jz	loc_5AC5FA

loc_441A04:				; CODE XREF: KiSearchForNewThread+16ACECj
		mov	byte ptr [edi+90h], 2

loc_441A0B:				; CODE XREF: KiSearchForNewThread+139j
		mov	eax, edi
		jmp	short loc_4419E5
; 

loc_441A0F:				; CODE XREF: KiSearchForNewThread+31j
					; KiSearchForNewThread+42j ...
		mov	ecx, edi
		call	_KiCheckThreadAffinity@4 ; KiCheckThreadAffinity(x)
		test	eax, eax
		jz	loc_5AC4FF
		test	byte ptr [edi+2], 4
		jnz	short loc_441A6D

loc_441A24:				; CODE XREF: KiSearchForNewThread+15Cj
		mov	cl, [edi+87h]

loc_441A2A:				; CODE XREF: KiSearchForNewThread+15Aj
		mov	eax, [esi+33Ch]
		mov	[eax], cl
		mov	[esi+4], edi
		mov	al, [edi+90h]
		cmp	al, 1
		jnz	short loc_441A50
		mov	eax, ds:_KeTickCount
		sub	eax, [edi+138h]
		add	[edi+170h], eax

loc_441A50:				; CODE XREF: KiSearchForNewThread+11Dj
		mov	byte ptr [edi+90h], 2
		test	bl, bl
		jz	short loc_441A0B
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	KiSetProcessorIdle
		mov	eax, edi
		jmp	loc_4419E5
; 

loc_441A6D:				; CODE XREF: KiSearchForNewThread+102j
		mov	edx, esi
		mov	ecx, edi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_441A2A
		jmp	short loc_441A24
KiSearchForNewThread endp

; 
		align 10h

;  S U B	R O U T	I N E 


KiSelectNextThread proc	near		; CODE XREF: KiSetSystemAffinityThread(x,x,x,x)+C6p
					; KiQuantumEnd+527p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AC611 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		lea	esp, [esp+0]

loc_441A90:				; CODE XREF: KiSelectNextThread+16ABA8j
		mov	edx, edi
		mov	ecx, 1
		call	KiSelectReadyThread
		mov	esi, eax
		test	esi, esi
		jnz	short loc_441B10
		mov	ecx, edi
		call	KiSelectLowestRankedThread
		mov	esi, eax
		test	esi, esi
		jnz	short loc_441B10
		mov	edx, edi
		xor	ecx, ecx
		call	KiSelectReadyThread
		mov	esi, eax
		test	esi, esi
		jnz	short loc_441B10

loc_441ABE:				; CODE XREF: KiSelectNextThread+16ABBBj
		mov	esi, [edi+0Ch]
		mov	edx, 1
		push	1
		mov	ecx, edi
		call	KiSetProcessorIdle

loc_441ACF:				; CODE XREF: KiSelectNextThread+99j
		test	byte ptr [esi+2], 4
		jnz	short loc_441B33

loc_441AD5:				; CODE XREF: KiSelectNextThread+C2j
		mov	cl, [esi+87h]

loc_441ADB:				; CODE XREF: KiSelectNextThread+C0j
		mov	eax, [edi+33Ch]
		mov	[eax], cl
		mov	ecx, [edi+4DCh]
		mov	eax, [edi+0Ch]
		mov	[edi+8], esi
		test	ecx, ecx
		jz	short loc_441AFB
		cmp	esi, eax
		setz	al
		mov	[ecx+10h], al

loc_441AFB:				; CODE XREF: KiSelectNextThread+71j
		mov	al, [esi+90h]
		cmp	al, 1
		jz	short loc_441B20

loc_441B05:				; CODE XREF: KiSelectNextThread+B1j
		pop	edi
		mov	byte ptr [esi+90h], 3
		pop	esi
		pop	ebx
		retn
; 

loc_441B10:				; CODE XREF: KiSelectNextThread+20j
					; KiSelectNextThread+2Dj ...
		mov	ecx, esi
		call	_KiCheckThreadAffinity@4 ; KiCheckThreadAffinity(x)
		test	eax, eax
		jnz	short loc_441ACF
		jmp	loc_5AC611
; 

loc_441B20:				; CODE XREF: KiSelectNextThread+83j
		mov	eax, ds:_KeTickCount
		sub	eax, [esi+138h]
		add	[esi+170h], eax
		jmp	short loc_441B05
; 

loc_441B33:				; CODE XREF: KiSelectNextThread+53j
		mov	edx, edi
		mov	ecx, esi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_441ADB
		jmp	short loc_441AD5
KiSelectNextThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSelectLowestRankedThread proc	near	; CODE XREF: KiSearchForNewThread+39p
					; KiSelectNextThread+24p ...

; FUNCTION CHUNK AT 005AC640 SIZE 000000B6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_KiPerfIsoEnabled, 0
		push	esi
		mov	esi, ecx
		jnz	loc_5AC640

loc_441B5A:				; CODE XREF: KiSelectLowestRankedThread+16AB49j
					; KiSelectLowestRankedThread+16AB5Ej ...
		lea	eax, [esi+3CE8h]
		xor	edx, edx
		mov	ecx, [eax+4]
		test	cl, 1
		jnz	short loc_441B75
		mov	eax, ecx

loc_441B6C:				; CODE XREF: KiSelectLowestRankedThread+3Bj
		test	eax, eax
		jnz	short loc_441B81

loc_441B70:				; CODE XREF: KiSelectLowestRankedThread+34j
					; KiSelectLowestRankedThread+57j
		mov	eax, edx

loc_441B72:				; CODE XREF: KiSelectLowestRankedThread+16AB80j
		pop	esi
		leave
		retn
; 

loc_441B75:				; CODE XREF: KiSelectLowestRankedThread+24j
		cmp	ecx, 1
		jz	short loc_441B70
		or	eax, 1
		xor	eax, ecx
		jmp	short loc_441B6C
; 

loc_441B81:				; CODE XREF: KiSelectLowestRankedThread+2Aj
		push	edi

loc_441B82:				; CODE XREF: KiSelectLowestRankedThread+16ABA7j
		lea	edi, [eax-50h]
		mov	ecx, esi
		push	0
		mov	edx, edi
		call	_KiSelectThreadFromSchedulingGroup@12 ;	KiSelectThreadFromSchedulingGroup(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_5AC6C9

loc_441B9A:				; CODE XREF: KiSelectLowestRankedThread+16AB96j
					; KiSelectLowestRankedThread+16ABADj
		pop	edi
		jmp	short loc_441B70
KiSelectLowestRankedThread endp

; 
		align 2

KiSetProcessorIdle:			; CODE XREF: KiSearchForNewThread+141p
					; KiSelectNextThread+4Ap ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+338h]
		movzx	ecx, byte ptr [esi+2238h]
		test	edx, edx
		jz	short loc_441C36
		mov	eax, [esi+4DCh]
		test	eax, eax
		jnz	loc_5AC6F6

loc_441BC6:				; CODE XREF: .text:005AC6FAj
		mov	al, [ebp+8]
		mov	[esi+223Bh], al
		test	cl, 1
		jz	short loc_441C1A
		sub	ecx, 1
		mov	[esi+2238h], cl
		jnz	short loc_441BEA
		movzx	eax, byte ptr [esi+3C4h]
		lock bts [edi],	eax

loc_441BEA:				; CODE XREF: .text:00441BDDj
		movzx	eax, byte ptr [esi+3C4h]
		lea	edx, [edi+0Ch]
		lock bts [edx],	eax
		mov	ecx, [esi+402Ch]
		mov	eax, [edx]
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_441C20
		lea	eax, [edi+4]

loc_441C09:				; CODE XREF: .text:00441C34j
		lock or	[eax], ecx

loc_441C0C:				; CODE XREF: .text:00441C2Fj
		movzx	ecx, byte ptr [esi+3C4h]
		lea	eax, [edi+8]
		lock btr [eax],	ecx

loc_441C1A:				; CODE XREF: .text:00441BD2j
					; .text:00441C95j ...
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_441C20:				; CODE XREF: .text:00441C04j
		mov	ecx, [edx]
		not	ecx
		and	ecx, [esi+402Ch]
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	short loc_441C0C
		lea	eax, [edi+8]
		jmp	short loc_441C09
; 

loc_441C36:				; CODE XREF: .text:00441BB6j
		mov	byte ptr [esi+223Bh], 0
		test	cl, 1
		jnz	short loc_441CA7
		lea	eax, [ecx+1]
		mov	[esi+2238h], al
		cmp	eax, 1
		jnz	short loc_441C5B
		movzx	eax, byte ptr [esi+3C4h]
		lock btr [edi],	eax

loc_441C5B:				; CODE XREF: .text:00441C4Ej
		movzx	eax, byte ptr [esi+3C4h]
		lea	edx, [edi+0Ch]
		lock btr [edx],	eax
		mov	ecx, [esi+402Ch]
		lea	eax, [edi+4]
		not	ecx
		lock and [eax],	ecx
		mov	eax, [esi+402Ch]
		add	edi, 8
		not	eax
		lock and [edi],	eax
		mov	eax, [edx]
		not	eax
		and	eax, [esi+402Ch]
		cmp	eax, [esi+3C8h]
		jnz	short loc_441C1A
		movzx	eax, byte ptr [esi+3C4h]
		lock bts [edi],	eax
		jmp	loc_441C1A
; 

loc_441CA7:				; CODE XREF: .text:00441C40j
		push	21h
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiSearchForNewThreadOnNode(x, x)
@KiSearchForNewThreadOnNode@8 proc near	; CODE XREF: KiSearchForNewThread+A8p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ecx+338h]
		push	ebx
		push	esi
		movzx	esi, byte ptr [ecx+3C4h]
		mov	[ebp+var_10], edx
		push	edi
		mov	edi, [edx+84h]
		mov	ebx, edi
		mov	edx, [edx+90h]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], edx
		cmp	[ebp+var_10], eax
		jnz	short loc_441D05
		xor	edx, [ecx+4020h]
		xor	edi, [ecx+3C8h]
		test	ds:_KiCacheAwareScheduling, 2
		mov	[ebp+var_8], edx
		jz	short loc_441D05
		and	ebx, [ecx+4034h]

loc_441D05:				; CODE XREF: KiSearchForNewThreadOnNode(x,x)+35j
					; KiSearchForNewThreadOnNode(x,x)+4Dj
		mov	eax, [ebp+var_10]
		mov	eax, [eax+0Ch]
		not	eax
		and	edi, eax
		nop

loc_441D10:				; CODE XREF: KiSearchForNewThreadOnNode(x,x)+112j
		test	edi, edi
		jz	loc_441DC7

loc_441D18:				; CODE XREF: KiSearchForNewThreadOnNode(x,x)+119j
		mov	eax, ebx
		and	eax, edx
		jz	short loc_441D6F
		mov	ecx, esi
		ror	eax, cl
		mov	[ebp+var_C], eax

loc_441D25:				; CODE XREF: KiSearchForNewThreadOnNode(x,x)+BDj
		bsf	eax, eax
		mov	ecx, [ebp+var_4]
		add	eax, esi
		mov	[ebp+var_18], 0
		and	eax, 1Fh
		mov	esi, ds:_KiProcessorBlock[eax*4]
		mov	edx, [esi+4020h]
		not	edx
		and	[ebp+var_8], edx
		mov	eax, edx
		ror	eax, cl
		xor	edx, edx
		and	[ebp+var_C], eax
		mov	eax, [esi+4024h]
		mov	ecx, [ebp+var_14]
		push	eax
		call	KiSearchForNewThreadOnProcessor
		test	eax, eax
		jnz	short loc_441DD1
		mov	eax, [ebp+var_C]
		mov	esi, [ebp+var_4]
		test	eax, eax
		jnz	short loc_441D25

loc_441D6F:				; CODE XREF: KiSearchForNewThreadOnNode(x,x)+6Cj
		mov	esi, ebx
		and	esi, edi
		jz	short loc_441DAF
		mov	ecx, [ebp+var_4]
		ror	esi, cl
		lea	ebx, [ebx+0]

loc_441D80:				; CODE XREF: KiSearchForNewThreadOnNode(x,x)+FDj
		bsf	eax, esi
		push	0
		mov	[ebp+var_C], 0
		btc	esi, eax
		lea	edx, [eax+ecx]
		mov	ecx, [ebp+var_14]
		and	edx, 1Fh
		mov	edx, ds:_KiProcessorBlock[edx*4]
		call	KiSearchForNewThreadOnProcessor
		test	eax, eax
		jnz	short loc_441DD1
		mov	ecx, [ebp+var_4]
		test	esi, esi
		jnz	short loc_441D80

loc_441DAF:				; CODE XREF: KiSearchForNewThreadOnNode(x,x)+C3j
		mov	eax, [ebp+var_10]
		not	ebx
		mov	edx, [ebp+var_8]
		and	edi, ebx
		mov	esi, [ebp+var_4]
		mov	ebx, [eax+84h]
		jmp	loc_441D10
; 

loc_441DC7:				; CODE XREF: KiSearchForNewThreadOnNode(x,x)+62j
		test	edx, edx
		jnz	loc_441D18
		xor	eax, eax

loc_441DD1:				; CODE XREF: KiSearchForNewThreadOnNode(x,x)+B3j
					; KiSearchForNewThreadOnNode(x,x)+F6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
@KiSearchForNewThreadOnNode@8 endp


;  S U B	R O U T	I N E 


; __stdcall KiVerifyReservedFieldGroupAffinity(x)
_KiVerifyReservedFieldGroupAffinity@4 proc near
					; CODE XREF: KeRevertToUserGroupAffinityThread+24p
					; KeSetSystemGroupAffinityThread+41p ...
		mov	ax, [ecx+0Ah]
		or	ax, [ecx+8]
		or	ax, [ecx+6]
		push	0
		pop	eax
		setz	al
		retn
_KiVerifyReservedFieldGroupAffinity@4 endp

; 
		align 10h
; Exported entry 1301. KeSetSystemGroupAffinityThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeSetSystemGroupAffinityThread
KeSetSystemGroupAffinityThread proc near
					; CODE XREF: KeGenericProcessorCallback(x,x,x,x)+C0p
					; MiSetIdealProcessorThread(x,x,x)+64p	...

var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AC6FF SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_4], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_20]
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_0]
		mov	ax, word ptr ds:_KeActiveProcessors
		movzx	eax, ax
		movzx	ecx, word ptr [edi+4]
		cmp	cx, ax
		jnb	loc_5AC6FF
		mov	eax, ds:dword_70E328[ecx*4]
		test	[edi], eax
		jz	loc_5AC6FF
		mov	ecx, edi
		call	_KiVerifyReservedFieldGroupAffinity@4 ;	KiVerifyReservedFieldGroupAffinity(x)
		test	eax, eax
		jz	loc_5AC6FF
		movzx	eax, word ptr [edi+4]
		mov	byte ptr [ebp+arg_0+3],	1
		mov	eax, ds:dword_70E328[eax*4]
		and	[edi], eax

loc_441E4F:				; CODE XREF: KeSetSystemGroupAffinityThread+16A913j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, large fs:20h
		and	[ebp+var_C], 0
		mov	byte ptr [ebp+var_14], al
		mov	[ebp+var_8], ecx
		mov	esi, [ecx+4]
		lea	ebx, [esi+2Ch]

loc_441E6C:				; CODE XREF: KeSetSystemGroupAffinityThread+16A926j
		lock bts dword ptr [ebx], 0
		jb	loc_5AC708
		mov	eax, [esi+58h]
		mov	ecx, [esi+16Ch]
		mov	[ebp+var_10], ecx
		test	al, 8
		jz	short loc_441F04
		mov	ax, [esi+168h]
		mov	[ebp+var_1C], ax
		mov	eax, [esi+164h]
		mov	[ebp+var_20], eax

loc_441E9B:				; CODE XREF: KeSetSystemGroupAffinityThread+11Aj
		cmp	byte ptr [ebp+arg_0+3],	0
		jz	short loc_441EB4
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	20h
		mov	edx, edi
		call	_KiSetSystemAffinityThread@16 ;	KiSetSystemAffinityThread(x,x,x,x)
		mov	ecx, [ebp+var_10]

loc_441EB4:				; CODE XREF: KeSetSystemGroupAffinityThread+AFj
		mov	eax, [esi+16Ch]
		mov	dword ptr [ebx], 0
		test	ds:dword_70EFD0, 8000000h
		jnz	loc_5AC71B

loc_441ED0:				; CODE XREF: KeSetSystemGroupAffinityThread+16A939j
		test	dword ptr ds:byte_70EFC4, 1000h
		jnz	loc_5AC72E

loc_441EE0:				; CODE XREF: KeSetSystemGroupAffinityThread+16A947j
		push	[ebp+var_14]
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_4]
		call	@KiProcessDeferredReadyList@12 ; KiProcessDeferredReadyList(x,x,x)
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_441EFC

loc_441EF5:				; CODE XREF: KeSetSystemGroupAffinityThread+112j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_441EFC:				; CODE XREF: KeSetSystemGroupAffinityThread+103j
		lea	esi, [ebp+var_20]
		movsd
		movsd
		movsd
		jmp	short loc_441EF5
; 

loc_441F04:				; CODE XREF: KeSetSystemGroupAffinityThread+95j
		or	eax, 8
		mov	[esi+58h], eax
		jmp	short loc_441E9B
KeSetSystemGroupAffinityThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpDeleteWorkerFactory(x)
_ExpDeleteWorkerFactory@4 proc near	; DATA XREF: ExpWorkerFactoryInitialization+102o

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_0]
		mov	ecx, [edi+4]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [edi+4]
		lea	ecx, [ebp+var_C]
		mov	byte ptr [eax+16h], 1
		mov	eax, [edi+4]
		mov	esi, [eax+4]
		mov	bl, [eax+14h]
		call	KeReleaseInStackQueuedSpinLock
		mov	ecx, [edi+14h]
		mov	edx, 66577845h
		call	ObfDereferenceObjectWithTag
		push	0
		push	dword ptr [edi+10h]
		call	ObCloseHandle
		mov	ecx, esi
		call	ObfDereferenceObject
		test	bl, bl
		jnz	short loc_441F7C
		mov	eax, [edi+4]
		push	dword ptr [eax+8]
		call	_IoFreeMiniCompletionPacket@4 ;	IoFreeMiniCompletionPacket(x)
		push	0
		push	dword ptr [edi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_441F7C:				; CODE XREF: ExpDeleteWorkerFactory(x)+59j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpDeleteWorkerFactory@4 endp

; 
		align 4
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWorkerFactoryCreateThread proc near	; CODE XREF: ExpWorkerFactoryCheckCreate+158p
					; .text:0052A4AFp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AC73C SIZE 000000D5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_24]
		mov	[ebp+var_18], ebx
		stosd
		mov	esi, ecx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_4], ebx
		stosd
		stosd
		mov	eax, [esi+68h]
		mov	edi, 80h
		and	eax, 800h
		or	eax, edi
		shr	eax, 7
		mov	[ebp+var_8], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esi+30h]
		mov	ecx, eax
		mov	[ebp+var_10], eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_4420AC
		mov	ecx, [esi+4]
		lea	edx, [ebp+var_24]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esi+4]
		cmp	[eax+15h], bl
		jnz	loc_5AC73C
		inc	dword ptr [esi+58h]
		xor	edi, edi
		mov	eax, [esi+68h]
		inc	edi
		test	ds:byte_70EFC6,	1
		mov	[ebp+var_C], eax
		jnz	loc_5AC78B
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_442165
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jnz	loc_44215D

loc_442030:				; CODE XREF: ExpWorkerFactoryCreateThread+1E8j
					; ExpWorkerFactoryCreateThread+16A810j
		mov	cl, [ebp+var_1C]
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	ebx
		lea	eax, [ebp+var_18]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	ecx
		push	dword ptr [esi+1Ch]
		mov	ecx, [esi+10h]
		push	dword ptr [esi+18h]
		push	0
		push	[ebp+var_8]
		call	RtlpCreateUserThreadEx
		mov	edi, eax
		mov	[esi+70h], edi
		test	edi, edi
		js	loc_442106
		mov	edi, 8000h
		test	[ebp+var_C], edi
		jz	short loc_4420BF

loc_442076:				; CODE XREF: ExpWorkerFactoryCreateThread+17Bj
		mov	ebx, [ebp+var_4]
		lea	eax, [esi+6Ch]
		cmp	dword ptr [eax], 0
		jnz	loc_44214D

loc_442085:				; CODE XREF: ExpWorkerFactoryCreateThread+1D2j
		test	dword ptr [esi+68h], 4000h
		jnz	loc_5AC7C8

loc_442092:				; CODE XREF: ExpWorkerFactoryCreateThread+16A859j
		push	0
		push	ebx
		call	_ZwResumeThread@8 ; ZwResumeThread(x,x)
		push	0
		push	ebx
		mov	edi, eax
		call	ObCloseHandle

loc_4420A4:				; CODE XREF: ExpWorkerFactoryCreateThread+1C2j
					; ExpWorkerFactoryCreateThread+16A800j
		mov	ecx, [ebp+var_10]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_4420AC:				; CODE XREF: ExpWorkerFactoryCreateThread+52j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4420BF:				; CODE XREF: ExpWorkerFactoryCreateThread+EEj
		mov	ecx, [esi+4]
		lea	edx, [ebp+var_24]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		or	[esi+68h], edi
		test	ds:byte_70EFC6,	1
		jnz	loc_5AC79B
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_5AC7B3
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jnz	loc_5AC7AB

loc_4420FC:				; CODE XREF: ExpWorkerFactoryCreateThread+16A820j
					; ExpWorkerFactoryCreateThread+16A83Dj
		mov	cl, [ebp+var_1C]
		call	ebx
		jmp	loc_442076
; 

loc_442106:				; CODE XREF: ExpWorkerFactoryCreateThread+E0j
		mov	ecx, [esi+4]
		lea	edx, [ebp+var_24]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		dec	dword ptr [esi+58h]
		test	ds:byte_70EFC6,	1
		jnz	loc_5AC7E4
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_5AC7FC
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jnz	loc_5AC7F4

loc_442143:				; CODE XREF: ExpWorkerFactoryCreateThread+16A869j
					; ExpWorkerFactoryCreateThread+16A886j
		mov	cl, [ebp+var_1C]
		call	ebx
		jmp	loc_4420A4
; 

loc_44214D:				; CODE XREF: ExpWorkerFactoryCreateThread+F9j
		push	4
		push	eax
		push	3
		push	ebx
		call	_ZwSetInformationThread@16 ; ZwSetInformationThread(x,x,x,x)
		jmp	loc_442085
; 

loc_44215D:				; CODE XREF: ExpWorkerFactoryCreateThread+A4j
		lea	ecx, [ebp+var_24]
		call	KxWaitForLockChainValid

loc_442165:				; CODE XREF: ExpWorkerFactoryCreateThread+8Dj
		mov	[ebp+var_24], ebx
		add	eax, 4
		lock xor [eax],	edi
		jmp	loc_442030
ExpWorkerFactoryCreateThread endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall AlpcpDeferredFreeCompletionPacketLookaside(x)
_AlpcpDeferredFreeCompletionPacketLookaside@4 proc near
					; CODE XREF: AlpcpLookasidePacketCallbackRoutine+11Ap
					; AlpcpFreeCompletionPacketLookaside(x)+4Ap
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		cmp	[esi+4], edi
		jbe	short loc_442196
		push	ebx
		lea	ebx, [esi+28h]

loc_442185:				; CODE XREF: AlpcpDeferredFreeCompletionPacketLookaside(x)+1Fj
		push	dword ptr [ebx]
		call	_IoFreeMiniCompletionPacket@4 ;	IoFreeMiniCompletionPacket(x)
		inc	edi
		lea	ebx, [ebx+0Ch]
		cmp	edi, [esi+4]
		jb	short loc_442185
		pop	ebx

loc_442196:				; CODE XREF: AlpcpDeferredFreeCompletionPacketLookaside(x)+Bj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_AlpcpDeferredFreeCompletionPacketLookaside@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiProcessPendingForegroundBoosts proc near ; DATA XREF:	KiCompleteKernelInit+101o

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AC811 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+28h+var_10]
		stosd
		xor	esi, esi
		and	[esp+28h+var_18], esi
		xor	ebx, ebx
		mov	ecx, offset dword_6CB2C0
		mov	[esp+28h+var_19], bl
		stosd
		stosd
		stosd
		mov	edi, ds:_KeTickCount
		mov	[esp+28h+var_14], edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, dword_6CB2B8
		jmp	short loc_4421EA
; 

loc_4421E2:				; CODE XREF: KiProcessPendingForegroundBoosts+60j
		cmp	ecx, ebx
		ja	loc_5AC811

loc_4421EA:				; CODE XREF: KiProcessPendingForegroundBoosts+3Ej
					; KiProcessPendingForegroundBoosts+8Ej	...
		mov	eax, offset dword_6CB2B8
		cmp	edx, eax
		jz	short loc_442232
		mov	eax, edx
		mov	ecx, edi
		mov	edx, [edx]
		sub	ecx, [eax-4]
		cmp	ecx, ds:_KiForegroundBoostTicks
		jb	short loc_4421E2
		mov	edi, [eax]
		mov	ecx, [eax+4]
		cmp	[edi+4], eax
		jnz	loc_442305
		cmp	[ecx], eax
		jnz	loc_442305
		mov	[ecx], edi
		mov	[edi+4], ecx
		and	dword ptr [eax+4], 0
		mov	[eax], esi
		mov	esi, eax
		lock inc word ptr [eax-8]
		mov	edi, [esp+28h+var_14]
		jmp	short loc_4421EA
; 

loc_442232:				; CODE XREF: KiProcessPendingForegroundBoosts+4Fj
		cmp	dword_6CB2B8, eax
		jnz	short loc_4422B1

loc_44223A:				; CODE XREF: KiProcessPendingForegroundBoosts+114j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_6CB2C0
		jnz	loc_5AC818
		xor	eax, eax
		lock and [ecx],	eax

loc_442251:				; CODE XREF: KiProcessPendingForegroundBoosts+16A67Ej
		cmp	[esp+28h+var_19], 0
		jnz	short loc_4422B8

loc_442258:				; CODE XREF: KiProcessPendingForegroundBoosts+F4j
					; KiProcessPendingForegroundBoosts+14Aj
		test	esi, esi
		jz	short loc_442298
		mov	edi, esi
		test	esi, esi
		jz	short loc_442264
		mov	esi, [esi]

loc_442264:				; CODE XREF: KiProcessPendingForegroundBoosts+BEj
		and	[esp+28h+var_14], 0
		lea	ebx, [edi-1FCh]
		mov	dword ptr [edi], 1

loc_442275:				; CODE XREF: KiProcessPendingForegroundBoosts+15Ej
		lock bts dword ptr [ebx], 0
		jb	short loc_4422F1
		lea	edx, [esp+28h+var_18]
		lea	ecx, [edi-228h]
		call	KiApplyForegroundBoostThread
		mov	dword ptr [ebx], 0
		lock dec word ptr [edi-8]
		jmp	short loc_442258
; 

loc_442298:				; CODE XREF: KiProcessPendingForegroundBoosts+B8j
		mov	ecx, large fs:20h
		lea	edx, [esp+28h+var_18]
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4422B1:				; CODE XREF: KiProcessPendingForegroundBoosts+96j
		mov	[esp+28h+var_19], 1
		jmp	short loc_44223A
; 

loc_4422B8:				; CODE XREF: KiProcessPendingForegroundBoosts+B4j
		mov	eax, ds:_KiForegroundBoostTicks
		or	[esp+28h+var_8], 0FFFFFFFFh
		sub	eax, ebx
		or	[esp+28h+var_4], 0FFFFFFFFh
		xor	ebx, ebx
		push	0FFFFFFFFh
		push	0FFFDB610h
		push	ebx
		push	eax
		call	__allmul
		lea	ecx, [esp+28h+var_10]
		push	ecx
		push	ebx
		push	ebx
		push	edx
		push	eax
		push	offset _KiForegroundState
		call	KeSetTimer2
		jmp	loc_442258
; 

loc_4422F1:				; CODE XREF: KiProcessPendingForegroundBoosts+D8j
					; KiProcessPendingForegroundBoosts+15Cj
		lea	ecx, [esp+28h+var_14]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_4422F1
		jmp	loc_442275
; 

loc_442305:				; CODE XREF: KiProcessPendingForegroundBoosts+6Aj
					; KiProcessPendingForegroundBoosts+72j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
KiProcessPendingForegroundBoosts endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiApplyForegroundBoostThread proc near	; CODE XREF: KiProcessPendingForegroundBoosts+E4p
					; KeSetPriorityAndQuantumProcess+22Bp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 004423C5 SIZE 000001E3 BYTES
; FUNCTION CHUNK AT 005AC825 SIZE 00000081 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_C]
		mov	[ebp+var_18], edx
		xor	ebx, ebx
		lea	edx, [ebp+var_8]
		push	eax
		mov	edi, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], ebx
		call	KiAcquireThreadStateLock
		mov	ch, al
		cmp	ch, 2
		jz	short loc_442359
		cmp	ch, 1
		jz	short loc_442359
		cmp	ch, 3
		jz	short loc_442359
		cmp	ch, 7
		jz	short loc_442359

loc_442344:				; CODE XREF: KiApplyForegroundBoostThread+5Fj
		mov	esi, [ebp+var_8]

loc_442347:				; CODE XREF: KiApplyForegroundBoostThread+9Ej
		test	esi, esi
		jnz	short loc_4423AA

loc_44234B:				; CODE XREF: KiApplyForegroundBoostThread+ABj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_4423BE

loc_442352:				; CODE XREF: KiApplyForegroundBoostThread+9Cj
					; KiApplyForegroundBoostThread+B9j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_442359:				; CODE XREF: KiApplyForegroundBoostThread+29j
					; KiApplyForegroundBoostThread+2Ej ...
		mov	eax, [edi+150h]
		mov	dl, bl
		mov	al, [eax+2A2h]
		cmp	al, 2
		jnz	short loc_442344
		cmp	[edi+15Ch], dl
		jnz	short loc_44239F
		test	byte ptr [edi+5Ch], 8
		jnz	short loc_44239F
		mov	ah, [edi+87h]
		test	ah, ah
		jle	short loc_44239F
		mov	cl, [edi+15Bh]
		add	cl, byte ptr ds:_PsPrioritySeparation
		mov	[ebp+var_1], cl
		cmp	cl, 10h
		jge	short loc_4423B7

loc_442397:				; CODE XREF: KiApplyForegroundBoostThread+B2j
		cmp	cl, ah
		jg	loc_5AC825

loc_44239F:				; CODE XREF: KiApplyForegroundBoostThread+67j
					; KiApplyForegroundBoostThread+6Dj ...
		mov	esi, [ebp+var_8]

loc_4423A2:				; CODE XREF: KiApplyForegroundBoostThread+E7j
		mov	bl, dl
		test	dl, dl
		jnz	short loc_442352
		jmp	short loc_442347
; 

loc_4423AA:				; CODE XREF: KiApplyForegroundBoostThread+3Fj
		xor	ecx, ecx
		lea	eax, [esi+2224h]
		lock and [eax],	ecx
		jmp	short loc_44234B
; 

loc_4423B7:				; CODE XREF: KiApplyForegroundBoostThread+8Bj
		mov	cl, 0Fh
		mov	[ebp+var_1], cl
		jmp	short loc_442397
; 

loc_4423BE:				; CODE XREF: KiApplyForegroundBoostThread+46j
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	short loc_442352
KiApplyForegroundBoostThread endp

; 
; START	OF FUNCTION CHUNK FOR KiApplyForegroundBoostThread

loc_4423C5:				; CODE XREF: KiApplyForegroundBoostThread+11Bj
					; KiApplyForegroundBoostThread+12Bj ...
		xor	ebx, ebx

loc_4423C7:				; CODE XREF: KiApplyForegroundBoostThread+267j
		mov	edx, edi
		xor	ecx, ecx
		call	_KiUpdateSharedReadyQueueAffinityThread@8 ; KiUpdateSharedReadyQueueAffinityThread(x,x)
		test	esi, esi
		jz	short loc_4423DF
		xor	ecx, ecx
		lea	eax, [esi+2224h]
		lock and [eax],	ecx

loc_4423DF:				; CODE XREF: KiApplyForegroundBoostThread+C8j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_4423EB
		xor	ecx, ecx
		lock and [eax],	ecx

loc_4423EB:				; CODE XREF: KiApplyForegroundBoostThread+DAj
		test	bl, bl
		jnz	short loc_4423F3

loc_4423EF:				; CODE XREF: KiApplyForegroundBoostThread+FDj
					; KiApplyForegroundBoostThread+106j
		mov	dl, 1
		jmp	short loc_4423A2
; 

loc_4423F3:				; CODE XREF: KiApplyForegroundBoostThread+E3j
		mov	al, large fs:51h
		mov	esi, [ebp+var_8]
		movzx	eax, al
		mov	ecx, [esi+3CCh]
		cmp	eax, ecx
		jz	short loc_4423EF
		mov	dl, 2
		call	_KiSendSoftwareInterrupt@8 ; KiSendSoftwareInterrupt(x,x)
		jmp	short loc_4423EF
; 

loc_442412:				; CODE XREF: KiApplyForegroundBoostThread+16A549j
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		push	edx
		mov	edx, edi
		call	_KiUpdateThreadPriority@16 ; KiUpdateThreadPriority(x,x,x,x)
		mov	edx, [ebp+var_10]
		cmp	edx, [ebp+var_14]
		jge	short loc_4423C5
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	KiSelectReadyThreadEx
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_4423C5
		test	byte ptr [ebx+2], 4
		jnz	short loc_442498

loc_44243D:				; CODE XREF: KiApplyForegroundBoostThread+19Dj
		mov	cl, [ebx+87h]

loc_442443:				; CODE XREF: KiApplyForegroundBoostThread+19Bj
		mov	eax, [esi+33Ch]
		mov	[eax], cl
		cmp	ebx, [esi+0Ch]
		mov	eax, [esi+4DCh]
		setz	cl
		mov	[esi+8], ebx
		test	eax, eax
		jnz	short loc_4424B7

loc_44245E:				; CODE XREF: KiApplyForegroundBoostThread+1B0j
		mov	al, [ebx+90h]
		cmp	al, 1
		jnz	short loc_442479
		mov	eax, ds:_KeTickCount
		sub	eax, [ebx+138h]
		add	[ebx+170h], eax

loc_442479:				; CODE XREF: KiApplyForegroundBoostThread+15Cj
		mov	ecx, edi
		mov	byte ptr [ebx+90h], 3
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	edx, [ebp+var_18]
		lea	ecx, [edi+9Ch]
		mov	eax, [edx]
		mov	[ecx], eax
		mov	[edx], ecx
		jmp	short loc_4424AF
; 

loc_442498:				; CODE XREF: KiApplyForegroundBoostThread+131j
		mov	edx, esi
		mov	ecx, ebx
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_442443
		jmp	short loc_44243D
; 

loc_4424A9:				; CODE XREF: KiApplyForegroundBoostThread+1F4j
		mov	al, [edi+90h]

loc_4424AF:				; CODE XREF: KiApplyForegroundBoostThread+18Cj
					; KiApplyForegroundBoostThread+16A561j
		mov	esi, [ebp+var_8]
		jmp	loc_4423C5
; 

loc_4424B7:				; CODE XREF: KiApplyForegroundBoostThread+152j
		mov	[eax+10h], cl
		jmp	short loc_44245E
; 

loc_4424BC:				; CODE XREF: KiApplyForegroundBoostThread+16A53Ej
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		lea	eax, [esi+8]
		mov	[ebp+var_1C], eax
		mov	eax, [eax]
		test	eax, eax
		mov	[ebp+var_18], eax
		setz	al
		movzx	eax, al
		push	eax
		push	edx
		mov	edx, edi
		call	_KiUpdateThreadPriority@16 ; KiUpdateThreadPriority(x,x,x,x)
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_18]
		cmp	edx, ecx
		jge	short loc_4424F0
		test	eax, eax
		jz	short loc_442500
		cmp	edx, ecx

loc_4424F0:				; CODE XREF: KiApplyForegroundBoostThread+1DEj
		jle	loc_4423C5
		test	eax, eax
		jnz	loc_4423C5
		jmp	short loc_4424A9
; 

loc_442500:				; CODE XREF: KiApplyForegroundBoostThread+1E2j
		mov	al, [edi+90h]
		mov	esi, [ebp+var_8]
		cmp	al, 2
		jnz	short loc_442576
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	KiSelectReadyThreadEx
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_4423C5
		test	byte ptr [ebx+2], 4
		jnz	short loc_442592

loc_442527:				; CODE XREF: KiApplyForegroundBoostThread+297j
		mov	cl, [ebx+87h]

loc_44252D:				; CODE XREF: KiApplyForegroundBoostThread+295j
		mov	eax, [esi+33Ch]
		mov	[eax], cl
		mov	eax, [ebp+var_1C]
		cmp	ebx, [esi+0Ch]
		setz	cl
		mov	[eax], ebx
		mov	eax, [esi+4DCh]
		test	eax, eax
		jnz	short loc_4425A3

loc_44254A:				; CODE XREF: KiApplyForegroundBoostThread+29Cj
		mov	al, [ebx+90h]
		cmp	al, 1
		jnz	short loc_442565
		mov	eax, ds:_KeTickCount
		sub	eax, [ebx+138h]
		add	[ebx+170h], eax

loc_442565:				; CODE XREF: KiApplyForegroundBoostThread+248j
		mov	esi, [ebp+var_8]
		mov	byte ptr [ebx+90h], 3
		mov	bl, 1
		jmp	loc_4423C7
; 

loc_442576:				; CODE XREF: KiApplyForegroundBoostThread+201j
		mov	eax, [esi+3B20h]
		lea	ecx, [edx+1]
		shr	eax, cl
		test	eax, eax
		jz	loc_4423C5
		or	byte ptr [edi+54h], 10h
		jmp	loc_4423C5
; 

loc_442592:				; CODE XREF: KiApplyForegroundBoostThread+21Bj
		mov	edx, esi
		mov	ecx, ebx
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_44252D
		jmp	short loc_442527
; 

loc_4425A3:				; CODE XREF: KiApplyForegroundBoostThread+23Ej
		mov	[eax+10h], cl
		jmp	short loc_44254A
; END OF FUNCTION CHUNK	FOR KiApplyForegroundBoostThread

;  S U B	R O U T	I N E 


KiShouldScanSharedReadyQueue proc near	; CODE XREF: KiQuantumEnd+272p
					; KiUpdateRunTime+C6p

; FUNCTION CHUNK AT 005AC8A6 SIZE 00000012 BYTES

		cmp	dword ptr [ecx+4028h], 0
		jnz	short loc_4425C1
		test	byte ptr [ecx+2238h], 2
		jnz	loc_5AC8A6

loc_4425BE:				; CODE XREF: KiShouldScanSharedReadyQueue+16A30Bj
		xor	eax, eax
		retn
; 

loc_4425C1:				; CODE XREF: KiShouldScanSharedReadyQueue+7j
					; KiShouldScanSharedReadyQueue+16A305j
		xor	eax, eax
		inc	eax
		retn
KiShouldScanSharedReadyQueue endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetSystemAffinityThread(x, x, x, x)
_KiSetSystemAffinityThread@16 proc near	; CODE XREF: KeRevertToUserGroupAffinityThread+8Cp
					; KeSetSystemGroupAffinityThread+BCp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ax, [edx+4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+4]
		lea	ecx, [esi+164h]
		mov	[ecx+4], ax
		mov	eax, [edx]
		mov	[ecx], eax
		cmp	ebx, 20h
		jb	loc_44269D
		mov	eax, [esi+16Ch]
		mov	ebx, ds:_KiProcessorBlock[eax*4]
		mov	ecx, ebx
		call	_KiPrcbInGroupAffinity@8 ; KiPrcbInGroupAffinity(x,x)
		test	eax, eax
		jnz	short loc_44263B
		mov	ebx, [ebx+338h]
		mov	ax, [edx+4]
		mov	ecx, [edx]
		cmp	ax, [ebx+88h]
		jnz	short loc_44262B
		mov	eax, [ebx+84h]
		and	eax, ecx
		jz	short loc_44262B
		mov	ecx, eax

loc_44262B:				; CODE XREF: KiSetSystemAffinityThread(x,x,x,x)+57j
					; KiSetSystemAffinityThread(x,x,x,x)+61j
		bsr	eax, ecx
		mov	[esi+16Ch], eax
		mov	ebx, ds:_KiProcessorBlock[eax*4]

loc_44263B:				; CODE XREF: KiSetSystemAffinityThread(x,x,x,x)+42j
					; KiSetSystemAffinityThread(x,x,x,x)+E4j
		test	byte ptr [esi+58h], 8
		jz	short loc_4426AC

loc_442641:				; CODE XREF: KiSetSystemAffinityThread(x,x,x,x)+EFj
		mov	edx, esi
		mov	ecx, ebx
		call	_KiUpdateSharedReadyQueueAffinityThread@8 ; KiUpdateSharedReadyQueueAffinityThread(x,x)
		mov	ecx, esi
		call	KiUpdateNodeAffinitizedFlag

loc_442651:				; CODE XREF: KiSetSystemAffinityThread(x,x,x,x)+F1j
		lea	edx, [esi+164h]
		mov	ecx, edi
		call	_KiPrcbInGroupAffinity@8 ; KiPrcbInGroupAffinity(x,x)
		test	eax, eax
		jnz	short loc_442696
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 0Ch
		cmp	dword ptr [edi+8], 0
		jnz	short loc_442696
		and	[ebp+arg_0], 0
		lea	esi, [edi+2224h]

loc_44267A:				; CODE XREF: KiSetSystemAffinityThread(x,x,x,x)+101j
		lock bts dword ptr [esi], 0
		jb	short loc_4426B9
		cmp	dword ptr [edi+8], 0
		jnz	short loc_442691
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		call	KiSelectNextThread

loc_442691:				; CODE XREF: KiSetSystemAffinityThread(x,x,x,x)+BFj
		xor	eax, eax
		lock and [esi],	eax

loc_442696:				; CODE XREF: KiSetSystemAffinityThread(x,x,x,x)+9Aj
					; KiSetSystemAffinityThread(x,x,x,x)+A8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_44269D:				; CODE XREF: KiSetSystemAffinityThread(x,x,x,x)+26j
		mov	[esi+16Ch], ebx
		mov	ebx, ds:_KiProcessorBlock[ebx*4]
		jmp	short loc_44263B
; 

loc_4426AC:				; CODE XREF: KiSetSystemAffinityThread(x,x,x,x)+79j
		mov	ecx, esi
		call	KiComputeThreadAffinity
		test	eax, eax
		jz	short loc_442641
		jmp	short loc_442651
; 

loc_4426B9:				; CODE XREF: KiSetSystemAffinityThread(x,x,x,x)+B9j
					; KiSetSystemAffinityThread(x,x,x,x)+FFj
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_4426B9
		jmp	short loc_44267A
_KiSetSystemAffinityThread@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiDeferGroupSchedulingPreemption(x, x)
@KiDeferGroupSchedulingPreemption@8 proc near ;	CODE XREF: KiDispatchInterrupt(x)+139p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	eax, [esi+50h]
		test	eax, eax
		jz	short loc_442747
		xor	eax, eax
		cmp	[esi+13Ch], eax
		jz	short loc_44274E

loc_4426EA:				; CODE XREF: KiDeferGroupSchedulingPreemption(x,x)+8Dj
		mov	[ebp+var_4], eax
		lea	ebx, [edi+2224h]
		mov	byte ptr [ebp+var_8], al
		mov	[ebp+var_10], eax

loc_4426F9:				; CODE XREF: KiDeferGroupSchedulingPreemption(x,x)+132j
		lock bts dword ptr [ebx], 0
		jb	loc_4427EE
		mov	eax, [esi+50h]
		mov	ebx, [edi+8]
		test	eax, eax
		jz	short loc_44273C
		cmp	ebx, [edi+0Ch]
		jz	short loc_44273C
		lea	edx, [esi+164h]
		mov	ecx, edi
		call	_KiPrcbInGroupAffinity@8 ; KiPrcbInGroupAffinity(x,x)
		test	eax, eax
		jz	short loc_44273C
		mov	eax, [ebx+50h]
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_442759

loc_44272E:				; CODE XREF: KiDeferGroupSchedulingPreemption(x,x)+98j
					; KiDeferGroupSchedulingPreemption(x,x)+AFj
		mov	cl, [ebx+87h]
		cmp	cl, [esi+87h]
		jle	short loc_44277B

loc_44273C:				; CODE XREF: KiDeferGroupSchedulingPreemption(x,x)+42j
					; KiDeferGroupSchedulingPreemption(x,x)+47j ...
		xor	eax, eax
		lea	ecx, [edi+2224h]
		lock and [ecx],	eax

loc_442747:				; CODE XREF: KiDeferGroupSchedulingPreemption(x,x)+14j
					; KiDeferGroupSchedulingPreemption(x,x)+8Bj
		xor	al, al

loc_442749:				; CODE XREF: KiDeferGroupSchedulingPreemption(x,x)+112j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_44274E:				; CODE XREF: KiDeferGroupSchedulingPreemption(x,x)+1Ej
		cmp	byte ptr [esi+92h], 1
		jnz	short loc_442747
		jmp	short loc_4426EA
; 

loc_442759:				; CODE XREF: KiDeferGroupSchedulingPreemption(x,x)+62j
		add	eax, [edi+3B34h]
		mov	[ebp+var_C], eax
		jz	short loc_44272E
		lea	ecx, [ebp+var_8]
		mov	edx, eax
		push	ecx
		push	1
		push	ecx
		mov	ecx, ebx
		call	_KiGetThreadEffectiveRankNonZero@20 ; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_44272E

loc_44277B:				; CODE XREF: KiDeferGroupSchedulingPreemption(x,x)+70j
		and	dword ptr [edi+8], 0
		test	byte ptr [esi+2], 4
		jz	short loc_442794
		mov	edx, edi
		mov	ecx, esi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_44279A

loc_442794:				; CODE XREF: KiDeferGroupSchedulingPreemption(x,x)+B9j
		mov	cl, [esi+87h]

loc_44279A:				; CODE XREF: KiDeferGroupSchedulingPreemption(x,x)+C8j
		cmp	[ebp+var_4], 0
		mov	eax, [edi+33Ch]
		mov	[eax], cl
		mov	ecx, edi
		mov	byte ptr [ebx+90h], 1
		jnz	short loc_4427E1
		push	[ebp+var_8]
		movsx	eax, byte ptr [ebx+87h]
		mov	edx, ebx
		push	1
		push	eax
		call	_KiAddThreadToPrcbQueue@20 ; KiAddThreadToPrcbQueue(x,x,x,x,x)

loc_4427C5:				; CODE XREF: KiDeferGroupSchedulingPreemption(x,x)+122j
		xor	edx, edx
		lea	ecx, [edi+2224h]
		lock and [ecx],	edx
		push	edx
		mov	edx, esi
		mov	ecx, edi
		call	_KiInsertDeferredPreemptionApc@12 ; KiInsertDeferredPreemptionApc(x,x,x)
		mov	al, 1
		jmp	loc_442749
; 

loc_4427E1:				; CODE XREF: KiDeferGroupSchedulingPreemption(x,x)+E5j
		mov	edx, [ebp+var_C]
		push	1
		push	ebx
		call	KiAddThreadToScbQueue
		jmp	short loc_4427C5
; 

loc_4427EE:				; CODE XREF: KiDeferGroupSchedulingPreemption(x,x)+34j
					; KiDeferGroupSchedulingPreemption(x,x)+130j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_4427EE
		jmp	loc_4426F9
@KiDeferGroupSchedulingPreemption@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiPrcbInGroupAffinity(x, x)
_KiPrcbInGroupAffinity@8 proc near	; CODE XREF: KiGroupSchedulingMoveThread+6Ep
					; KiSetSystemAffinityThread(x,x,x,x)+3Bp ...
		movzx	eax, byte ptr [ecx+3C5h]
		cmp	ax, [edx+4]
		jnz	short loc_44281D
		mov	eax, [ecx+3C8h]
		test	[edx], eax
		jz	short loc_44281D
		xor	eax, eax
		inc	eax
		retn
; 

loc_44281D:				; CODE XREF: KiPrcbInGroupAffinity(x,x)+Bj
					; KiPrcbInGroupAffinity(x,x)+15j
		xor	eax, eax
		retn
_KiPrcbInGroupAffinity@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsQueryThreadStartAddress(x, x)
_PsQueryThreadStartAddress@8 proc near	; CODE XREF: .text:00449020p
					; MiZeroInParallelWorker(x)+52p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		test	dword ptr [esi+58h], 400h
		jnz	short loc_442868
		test	edx, edx
		jz	short loc_442868
		mov	eax, [esi+304h]
		test	al, 8
		jnz	short loc_442870
		mov	ecx, [esi+298h]
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		xor	edx, edx
		lock or	[eax], edx
		mov	eax, [esi+304h]
		and	al, 8
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx

loc_442865:				; CODE XREF: PsQueryThreadStartAddress(x,x)+4Ej
					; PsQueryThreadStartAddress(x,x)+52j
		pop	esi
		leave
		retn
; 

loc_442868:				; CODE XREF: PsQueryThreadStartAddress(x,x)+10j
					; PsQueryThreadStartAddress(x,x)+14j
		mov	eax, [esi+2DCh]
		jmp	short loc_442865
; 

loc_442870:				; CODE XREF: PsQueryThreadStartAddress(x,x)+1Ej
		xor	eax, eax
		jmp	short loc_442865
_PsQueryThreadStartAddress@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1780. PsGetCurrentThreadTeb

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentThreadTeb()
		public _PsGetCurrentThreadTeb@0
_PsGetCurrentThreadTeb@0 proc near	; CODE XREF: EtwTraceThread:loc_76DDA9p
					; EtwpPsProvTraceThread+24Ep
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jnz	short loc_442899
		cmp	byte ptr [eax+16Ah], 1
		jz	short loc_442899
		mov	eax, [eax+0A8h]
		retn
; 

loc_442899:				; CODE XREF: PsGetCurrentThreadTeb()+Dj
					; PsGetCurrentThreadTeb()+16j
		xor	eax, eax
		retn
_PsGetCurrentThreadTeb@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSetPriorityAndQuantumProcess proc near ; CODE	XREF: PspSetProcessPriorityByClass(x,x)+34p
					; PAGE:007A7257p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005AC8B8 SIZE 0000023A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		xor	edx, edx
		push	edi
		mov	[ebp+var_8], edx
		movsx	eax, byte ptr [esi+68h]
		cmp	eax, ebx
		jnz	short loc_4428CD
		mov	ecx, [ebp+arg_4]
		cmp	ecx, [ebp+arg_8]
		jz	loc_442AF5
		cmp	ebx, 10h
		jge	loc_442AF5

loc_4428CD:				; CODE XREF: KeSetPriorityAndQuantumProcess+1Aj
		cmp	esi, offset _KiInitialProcess
		jz	loc_442AAB
		test	ebx, ebx
		jz	loc_5AC8B8

loc_4428E1:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A01Fj
		mov	eax, dword ptr ds:byte_70EFC4
		and	eax, 2000h
		mov	[ebp+var_2C], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_2], dl
		mov	[ebp+var_1], dl
		mov	[ebp+var_1C], edx
		mov	[ebp+var_3C], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_50], al
		mov	eax, large fs:20h
		mov	[ebp+var_20], eax
		mov	eax, [eax+4]
		mov	[ebp+var_38], eax
		lea	eax, [esi+34h]
		push	eax
		mov	[ebp+var_4C], eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	al, [ebp+arg_0]
		test	al, al
		jz	short loc_44292E
		mov	[esi+69h], al

loc_44292E:				; CODE XREF: KeSetPriorityAndQuantumProcess+8Dj
		movsx	eax, byte ptr [esi+68h]
		mov	edi, ebx
		sub	edi, eax
		mov	[ebp+var_24], eax
		mov	cl, 1
		mov	[esi+68h], bl
		mov	[ebp+var_34], edi
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)
		lea	ecx, [esi+2Ch]
		mov	eax, [ecx]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_10], eax
		cmp	eax, ecx
		jz	loc_442A92
		cmp	ebx, 10h
		jge	loc_5AC8C0

loc_442962:				; CODE XREF: KeSetPriorityAndQuantumProcess+1F0j
		lea	esi, [eax-1D4h]
		mov	al, [ebp+arg_0]
		test	al, al
		jz	short loc_442975
		mov	[esi+193h], al

loc_442975:				; CODE XREF: KeSetPriorityAndQuantumProcess+D1j
		and	[ebp+var_48], 0
		lea	ebx, [esi+2Ch]

loc_44297C:				; CODE XREF: KeSetPriorityAndQuantumProcess+29Aj
		lock bts dword ptr [ebx], 0
		jb	loc_442B28
		movsx	edi, byte ptr [esi+15Bh]
		mov	ecx, [ebp+var_24]
		cmp	edi, ecx
		jg	loc_442AD1

loc_442999:				; CODE XREF: KeSetPriorityAndQuantumProcess+238j
		mov	eax, [ebp+var_34]
		add	eax, edi
		mov	[ebp+var_8], eax
		cmp	eax, 10h
		jge	loc_5ACA5B
		test	eax, eax
		jle	loc_5ACA67

loc_4429B2:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A1C6j
					; KeSetPriorityAndQuantumProcess+16A1D2j
		mov	al, [esi+18Dh]
		test	al, al
		jnz	loc_442AE2

loc_4429C0:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A1D9j
		js	loc_5ACA87

loc_4429C6:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A1E6j
					; KeSetPriorityAndQuantumProcess+16A1F2j
		mov	ebx, [ebp+var_38]
		cmp	esi, ebx
		jz	loc_442B07
		and	[ebp+var_30], 0
		and	[ebp+var_2C], 0
		jmp	short loc_4429DD
; 

loc_4429DB:				; CODE XREF: KeSetPriorityAndQuantumProcess+14Aj
		pause

loc_4429DD:				; CODE XREF: KeSetPriorityAndQuantumProcess+13Dj
		mov	edx, [esi+34h]
		mov	ecx, [esi+30h]
		cmp	edx, [esi+38h]
		jnz	short loc_4429DB

loc_4429E8:				; CODE XREF: KeSetPriorityAndQuantumProcess+287j
					; KeSetPriorityAndQuantumProcess+16A1FDj
		cmp	esi, ebx
		setnz	al
		movzx	eax, al
		push	eax
		push	edx
		movzx	edx, byte ptr [esi+193h]
		push	ecx
		mov	ecx, esi
		call	_KiComputeQuantumTargetThread@20 ; KiComputeQuantumTargetThread(x,x,x,x,x)
		cmp	[ebp+arg_8], 0
		jnz	loc_442AB2

loc_442A0B:				; CODE XREF: KeSetPriorityAndQuantumProcess+221j
		push	[ebp+arg_4]
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	_KiSetBasePriorityAndClearDecrement@12 ; KiSetBasePriorityAndClearDecrement(x,x,x)
		mov	[ebp+var_C], eax
		mov	bl, 1

loc_442A1D:				; CODE XREF: KeSetPriorityAndQuantumProcess+21Bj
		xor	al, al
		cmp	[ebp+arg_8], 0
		jnz	loc_442AC2

loc_442A29:				; CODE XREF: KeSetPriorityAndQuantumProcess+230j
		test	bl, bl
		jz	short loc_442A70
		test	al, al
		jnz	short loc_442A5A
		movsx	eax, byte ptr [esi+87h]
		lea	edx, [ebp+var_1C]
		push	[ebp+var_C]
		mov	ecx, esi
		mov	[ebp+var_14], eax
		call	KiSetPriorityThread
		test	al, al
		jz	short loc_442A5A
		movsx	eax, byte ptr [esi+87h]
		mov	[ebp+var_1], 1
		mov	[ebp+var_C], eax

loc_442A5A:				; CODE XREF: KeSetPriorityAndQuantumProcess+193j
					; KeSetPriorityAndQuantumProcess+1AEj
		mov	ecx, [esi+0A4h]
		test	ecx, ecx
		jz	short loc_442A70
		mov	al, [ecx]
		and	al, 7Fh
		cmp	al, 15h
		jz	loc_5ACA9E

loc_442A70:				; CODE XREF: KeSetPriorityAndQuantumProcess+18Fj
					; KeSetPriorityAndQuantumProcess+1C6j
		mov	dword ptr [esi+2Ch], 0

loc_442A77:				; CODE XREF: KeSetPriorityAndQuantumProcess+257j
					; KeSetPriorityAndQuantumProcess+16A209j
		cmp	[ebp+var_3C], 0
		jnz	loc_5ACAAA

loc_442A81:				; CODE XREF: KeSetPriorityAndQuantumProcess+244j
					; KeSetPriorityAndQuantumProcess+16A22Ej ...
		mov	eax, [ebp+var_10]
		mov	eax, [eax]
		mov	[ebp+var_10], eax
		cmp	eax, [ebp+var_40]
		jnz	loc_442962

loc_442A92:				; CODE XREF: KeSetPriorityAndQuantumProcess+B7j
					; KeSetPriorityAndQuantumProcess+16A1BAj
		push	[ebp+var_4C]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		push	[ebp+var_50]
		mov	ecx, [ebp+var_20]
		lea	edx, [ebp+var_1C]
		call	@KiProcessDeferredReadyList@12 ; KiProcessDeferredReadyList(x,x,x)
		mov	eax, [ebp+var_24]

loc_442AAB:				; CODE XREF: KeSetPriorityAndQuantumProcess+37j
					; KeSetPriorityAndQuantumProcess+269j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_442AB2:				; CODE XREF: KeSetPriorityAndQuantumProcess+169j
		xor	bl, bl
		cmp	[ebp+var_8], edi
		jz	loc_442A1D
		jmp	loc_442A0B
; 

loc_442AC2:				; CODE XREF: KeSetPriorityAndQuantumProcess+187j
		lea	edx, [ebp+var_1C]
		mov	ecx, esi
		call	KiApplyForegroundBoostThread
		jmp	loc_442A29
; 

loc_442AD1:				; CODE XREF: KeSetPriorityAndQuantumProcess+F7j
		cmp	edi, 10h
		jl	loc_442999
		mov	dword ptr [ebx], 0
		jmp	short loc_442A81
; 

loc_442AE2:				; CODE XREF: KeSetPriorityAndQuantumProcess+11Ej
		cmp	ecx, 10h
		jge	loc_5ACA73
		mov	dword ptr [ebx], 0
		xor	bl, bl
		jmp	short loc_442A77
; 

loc_442AF5:				; CODE XREF: KeSetPriorityAndQuantumProcess+22j
					; KeSetPriorityAndQuantumProcess+2Bj
		mov	dl, [ebp+arg_0]
		test	dl, dl
		jz	short loc_442B03
		mov	ecx, esi
		call	_KeSetQuantumProcess@8 ; KeSetQuantumProcess(x,x)

loc_442B03:				; CODE XREF: KeSetPriorityAndQuantumProcess+25Ej
		mov	eax, ebx
		jmp	short loc_442AAB
; 

loc_442B07:				; CODE XREF: KeSetPriorityAndQuantumProcess+12Fj
		mov	eax, [ebp+var_20]
		cmp	byte ptr [eax+11h], 0
		jnz	loc_5ACA93
		cli
		push	0
		mov	edx, esi
		mov	ecx, eax
		call	_KiUpdateTotalCyclesCurrentThread@12 ; KiUpdateTotalCyclesCurrentThread(x,x,x)
		mov	ecx, eax
		sti
		jmp	loc_4429E8
; 

loc_442B28:				; CODE XREF: KeSetPriorityAndQuantumProcess+E5j
					; KeSetPriorityAndQuantumProcess+298j
		lea	ecx, [ebp+var_48]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_442B28
		jmp	loc_44297C
KeSetPriorityAndQuantumProcess endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KeI386GetExceptionChainTerminator()
_KeI386GetExceptionChainTerminator@0 proc near ; CODE XREF: PspUserThreadStartup+1Bp
					; VdmSwapContexts(x,x,x)+1F4p
		mov	eax, ds:_KiI386ExceptionChainTerminator
		retn
_KeI386GetExceptionChainTerminator@0 endp

; 
		align 8
; Exported entry 1158. KeGetProcessorNumberFromIndex

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeGetProcessorNumberFromIndex(x, x)
		public _KeGetProcessorNumberFromIndex@8
_KeGetProcessorNumberFromIndex@8 proc near ; CODE XREF:	IoGetAffinityInterrupt(x,x)+15p
					; KiIntSteerDisable+89536p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_442B63
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 0

loc_442B5D:				; CODE XREF: KeGetProcessorNumberFromIndex(x,x)+40j
		xor	eax, eax

loc_442B5F:				; CODE XREF: KeGetProcessorNumberFromIndex(x,x)+47j
		pop	ebp
		retn	8
; 

loc_442B63:				; CODE XREF: KeGetProcessorNumberFromIndex(x,x)+Aj
		cmp	eax, 20h
		jnb	short loc_442B8A
		mov	edx, ds:_KiProcessorIndexToNumberMappingTable[eax*4]
		test	edx, edx
		jz	short loc_442B8A
		mov	ecx, [ebp+arg_4]
		mov	eax, edx
		shr	eax, 6
		and	dl, 3Fh
		mov	byte ptr [ecx+3], 0
		mov	[ecx], ax
		mov	[ecx+2], dl
		jmp	short loc_442B5D
; 

loc_442B8A:				; CODE XREF: KeGetProcessorNumberFromIndex(x,x)+1Ej
					; KeGetProcessorNumberFromIndex(x,x)+29j
		mov	eax, 0C000000Dh
		jmp	short loc_442B5F
_KeGetProcessorNumberFromIndex@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspGetBaseTrapFrame(x, x)
_PspGetBaseTrapFrame@8 proc near	; CODE XREF: RtlWalkFrameChain+2ABp
					; PsGetBaseTrapFrame(x,x)j ...
		mov	eax, [ecx+20h]

loc_442B95:				; CODE XREF: PspGetBaseTrapFrame(x,x)+12j
		test	byte ptr [eax+4], 1
		jnz	short loc_442BA1
		add	eax, 0FFFFFF74h
		retn
; 

loc_442BA1:				; CODE XREF: PspGetBaseTrapFrame(x,x)+7j
		mov	eax, [eax+1Ch]
		jmp	short loc_442B95
_PspGetBaseTrapFrame@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1296. KeSetPriorityThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeSetPriorityThread
KeSetPriorityThread proc near		; CODE XREF: KeGenericProcessorCallback(x,x,x,x)+79p
					; KeGenericProcessorCallback(x,x,x,x)+FDp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005ACAF2 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	dword ptr [esi+150h], offset _KiInitialProcess
		jz	loc_442CD4
		push	ebx
		xor	ebx, ebx
		and	[ebp+var_8], ebx
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_14], al
		lea	edi, [esi+2Ch]
		mov	eax, large fs:20h
		and	[ebp+var_10], ebx
		mov	[ebp+var_C], eax
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax

loc_442BED:				; CODE XREF: KeSetPriorityThread+123j
		lock bts dword ptr [edi], 0
		jb	loc_442CC1
		movsx	eax, byte ptr [esi+87h]
		xor	edx, edx
		push	0
		mov	ecx, esi
		mov	[ebp+arg_0], eax
		call	_KiSetBasePriorityAndClearDecrement@12 ; KiSetBasePriorityAndClearDecrement(x,x,x)
		movsx	eax, byte ptr [esi+87h]
		mov	edi, [ebp+arg_4]
		cmp	edi, eax
		jz	short loc_442C81
		cmp	esi, [ebp+var_4]
		jnz	loc_442CB2
		mov	eax, [ebp+var_C]
		cmp	[eax+11h], bl
		jnz	loc_5ACAF2
		cli
		push	0
		mov	edx, esi
		mov	ecx, eax
		call	_KiUpdateTotalCyclesCurrentThread@12 ; KiUpdateTotalCyclesCurrentThread(x,x,x)
		mov	ecx, eax
		sti

loc_442C3F:				; CODE XREF: KeSetPriorityThread+10Fj
					; KeSetPriorityThread+169F4Cj
		cmp	esi, [ebp+var_4]
		setnz	al
		movzx	eax, al
		push	eax
		push	edx
		movzx	edx, byte ptr [esi+193h]
		push	ecx
		mov	ecx, esi
		call	_KiComputeQuantumTargetThread@20 ; KiComputeQuantumTargetThread(x,x,x,x,x)
		mov	al, [esi+15Bh]
		test	al, al
		jz	short loc_442C67
		test	edi, edi
		jz	short loc_442CD9

loc_442C67:				; CODE XREF: KeSetPriorityThread+B5j
					; KeSetPriorityThread+130j
		cmp	al, 10h
		jge	short loc_442CDE

loc_442C6B:				; CODE XREF: KeSetPriorityThread+137j
		push	edi
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	KiSetPriorityThread
		test	al, al
		jz	short loc_442C81
		movsx	ebx, byte ptr [esi+87h]

loc_442C81:				; CODE XREF: KeSetPriorityThread+6Dj
					; KeSetPriorityThread+CCj ...
		push	[ebp+var_14]
		mov	ecx, [ebp+var_C]
		lea	edx, [ebp+var_8]
		mov	dword ptr [esi+2Ch], 0
		call	@KiProcessDeferredReadyList@12 ; KiProcessDeferredReadyList(x,x,x)
		test	dword ptr ds:byte_70EFC4, 2000h
		mov	edi, [ebp+arg_0]
		jnz	loc_5ACAFD

loc_442CA9:				; CODE XREF: KeSetPriorityThread+169F53j
					; KeSetPriorityThread+169F69j
		mov	eax, edi
		pop	edi
		pop	ebx

loc_442CAD:				; CODE XREF: KeSetPriorityThread+12Bj
		pop	esi
		leave
		retn	8
; 

loc_442CB2:				; CODE XREF: KeSetPriorityThread+72j
					; KeSetPriorityThread+113j
		mov	edx, [esi+34h]
		mov	ecx, [esi+30h]
		cmp	edx, [esi+38h]
		jz	short loc_442C3F
		pause
		jmp	short loc_442CB2
; 

loc_442CC1:				; CODE XREF: KeSetPriorityThread+46j
					; KeSetPriorityThread+121j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_442CC1
		jmp	loc_442BED
; 

loc_442CD4:				; CODE XREF: KeSetPriorityThread+16j
		xor	eax, eax
		inc	eax
		jmp	short loc_442CAD
; 

loc_442CD9:				; CODE XREF: KeSetPriorityThread+B9j
		xor	edi, edi
		inc	edi
		jmp	short loc_442C67
; 

loc_442CDE:				; CODE XREF: KeSetPriorityThread+BDj
		cmp	edi, 10h
		jl	short loc_442C81
		jmp	short loc_442C6B
KeSetPriorityThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetBasePriorityAndClearDecrement(x, x, x)
_KiSetBasePriorityAndClearDecrement@12 proc near
					; CODE XREF: KeSetPriorityAndQuantumProcess+177p
					; KeSetPriorityThread+5Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		xor	edi, edi
		mov	esi, ecx
		test	ebx, ebx
		jz	short loc_442D0A
		mov	dl, [ebx]
		push	edi
		call	KiAbProcessThreadPriorityModification
		mov	al, [ebx]
		mov	[esi+15Bh], al
		mov	edi, [ebx]

loc_442D0A:				; CODE XREF: KiSetBasePriorityAndClearDecrement(x,x,x)+10j
		mov	al, [esi+15Ch]
		test	al, al
		jnz	short loc_442D1D

loc_442D14:				; CODE XREF: KiSetBasePriorityAndClearDecrement(x,x,x)+6Aj
					; KiSetBasePriorityAndClearDecrement(x,x,x)+73j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_442D1D:				; CODE XREF: KiSetBasePriorityAndClearDecrement(x,x,x)+2Cj
		test	al, 0Fh
		jz	short loc_442D2C
		mov	eax, ds:_KeTickCount
		mov	[esi+224h], eax

loc_442D2C:				; CODE XREF: KiSetBasePriorityAndClearDecrement(x,x,x)+39j
		cmp	[ebp+arg_0], 0
		jz	short loc_442D52
		mov	dl, [esi+15Ch]
		movsx	edi, byte ptr [esi+87h]
		movzx	ecx, dl
		and	ecx, 0Fh
		sub	edi, ecx
		and	dl, 0F0h
		mov	[esi+15Ch], dl
		jmp	short loc_442D14
; 

loc_442D52:				; CODE XREF: KiSetBasePriorityAndClearDecrement(x,x,x)+4Aj
		mov	byte ptr [esi+15Ch], 0
		jmp	short loc_442D14
_KiSetBasePriorityAndClearDecrement@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeReadyThread(x)
_KeReadyThread@4 proc near		; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+7A2p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+80h]
		mov	eax, [edi+7Ch]
		test	al, 7
		jnz	short loc_442D7E

loc_442D73:				; CODE XREF: KeReadyThread(x)+3Bj
		mov	ecx, esi
		call	KiFastReadyThread

loc_442D7A:				; CODE XREF: KeReadyThread(x)+39j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_442D7E:				; CODE XREF: KeReadyThread(x)+15j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_4], al
		mov	edx, edi
		push	[ebp+var_4]
		mov	ecx, esi
		call	@KiInSwapSingleProcess@12 ; KiInSwapSingleProcess(x,x,x)
		test	al, al
		jnz	short loc_442D7A
		jmp	short loc_442D73
_KeReadyThread@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeStartThread	proc near		; CODE XREF: KiInitializeIdleThread(x,x,x,x)+2Ep
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+23Ep

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005ACB1A SIZE 00000070 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	ebx, edx
		mov	esi, ecx
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], eax
		cmp	[ebp+arg_0], eax
		jnz	short loc_442DD0
		test	ebx, ebx
		jnz	loc_5ACB1A

loc_442DD0:				; CODE XREF: KeStartThread+2Cj
					; KeStartThread+169D82j
		mov	ecx, ebx
		mov	[ebp+var_11], 1
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_442DDC:				; CODE XREF: KeStartThread+169D97j
		mov	[ebp+var_18], eax
		movzx	eax, cx
		mov	[ebp+var_30], eax
		mov	eax, large fs:124h
		mov	edi, [esi+80h]
		mov	[ebp+var_20], eax
		mov	eax, [edi+64h]
		shl	eax, 2
		xor	eax, [esi+5Ch]
		and	eax, 8
		xor	[esi+5Ch], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_19], al
		lea	eax, [edi+34h]
		push	eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	cl, [edi+68h]
		mov	[esi+15Bh], cl
		mov	[esi+87h], cl
		test	ebx, ebx
		jnz	loc_443069
		mov	eax, [ebp+var_20]
		cmp	edi, [eax+150h]
		jnz	loc_442FE2
		movzx	eax, word ptr [eax+158h]
		mov	[ebp+var_C], ax
		mov	eax, [edi+eax*4+48h]
		mov	[ebp+var_10], eax

loc_442E4D:				; CODE XREF: KeStartThread+255j
		lea	ebx, [ebp+var_10]

loc_442E50:				; CODE XREF: KeStartThread+2EEj
					; KeStartThread+169DA6j
		mov	ax, [ebx+4]
		mov	ecx, esi
		mov	[esi+168h], ax
		mov	eax, [ebx]
		mov	[esi+164h], eax
		mov	ax, [ebx+4]
		mov	[esi+158h], ax
		mov	eax, [ebx]
		mov	[esi+154h], eax
		call	KiUpdateNodeAffinitizedFlag
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_44305F
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jnz	loc_5ACB45
		movzx	ecx, word ptr [ebx+4]
		movzx	eax, word ptr [edi+ecx*2+70h]
		movzx	edx, word ptr [edi+ecx*2+6Ch]
		mov	eax, ds:_KeNodeBlock[eax*4]
		mov	[ebp+var_18], eax
		movzx	eax, word ptr [edi+ecx*2+6Eh]
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_28], eax

loc_442EBC:				; CODE XREF: KeStartThread+169DB1j
		mov	eax, [ecx+84h]
		and	[ebx], eax
		push	[ebp+var_28]
		movzx	eax, dx
		mov	edx, ebx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	_KeSelectIdealProcessor@16 ; KeSelectIdealProcessor(x,x,x,x)
		cmp	[ebp+var_11], 0
		movzx	edx, ax
		mov	[ebp+var_18], edx
		jz	short loc_442EF1
		movzx	ecx, word ptr [ebx+4]
		mov	ax, word ptr [ebp+var_2C]
		mov	[edi+ecx*2+6Ch], ax

loc_442EF1:				; CODE XREF: KeStartThread+148j
					; KeStartThread+2CAj
		mov	[esi+88h], edx
		xor	ecx, ecx
		mov	[esi+16Ch], edx
		mov	eax, [edi+64h]
		mov	ebx, ds:_KiProcessorBlock[edx*4]
		shl	eax, 6
		xor	eax, [esi+5Ch]
		push	ecx
		and	eax, 100h
		xor	[esi+5Ch], eax
		mov	al, [edi+69h]
		push	ecx
		push	ecx
		movzx	edx, al
		mov	ecx, esi
		mov	[esi+193h], al
		call	_KiComputeQuantumTargetThread@20 ; KiComputeQuantumTargetThread(x,x,x,x,x)
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	ecx, [edi+2Ch]
		mov	edx, [ecx+4]
		lea	eax, [esi+1D4h]
		cmp	[edx], ecx
		jnz	loc_4430B2
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		test	byte ptr [edi+64h], 8
		jnz	loc_443093

loc_442F64:				; CODE XREF: KeStartThread+307j
		mov	eax, [edi+78h]
		mov	[esi+50h], eax
		cmp	dword ptr [edi+78h], 0
		jnz	loc_443055

loc_442F74:				; CODE XREF: KeStartThread+2C0j
		mov	edx, esi
		mov	ecx, ebx
		call	_KiUpdateSharedReadyQueueAffinityThread@8 ; KiUpdateSharedReadyQueueAffinityThread(x,x)
		mov	eax, [esi+150h]
		mov	al, [eax+2A2h]
		cmp	al, 2
		jz	short loc_442FF4

loc_442F8D:				; CODE XREF: KeStartThread+261j
					; KeStartThread+267j ...
		test	dword ptr [esi+58h], 400h
		jnz	short loc_442FA2
		mov	eax, [edi+0ACh]
		mov	[esi+240h], eax

loc_442FA2:				; CODE XREF: KeStartThread+1FAj
		lea	eax, [edi+34h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ds:dword_70EFD0, 8000000h
		mov	ebx, [ebp+var_18]
		jnz	loc_5ACB57

loc_442FC7:				; CODE XREF: KeStartThread+169DD6j
					; KeStartThread+169DEBj
		push	8
		lea	eax, [edi+7Ch]
		pop	ecx
		lock xadd [eax], ecx
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_442FE2:				; CODE XREF: KeStartThread+9Bj
		lea	eax, [edi+40h]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_KeFirstGroupAffinityEx@8 ; KeFirstGroupAffinityEx(x,x)
		jmp	loc_442E4D
; 

loc_442FF4:				; CODE XREF: KeStartThread+1F1j
		cmp	byte ptr [esi+15Ch], 0
		jnz	short loc_442F8D
		test	byte ptr [esi+5Ch], 8
		jnz	short loc_442F8D
		mov	cl, [esi+87h]
		test	cl, cl
		jle	short loc_442F8D
		mov	bl, [esi+15Bh]
		add	bl, byte ptr ds:_PsPrioritySeparation
		cmp	bl, 10h
		jge	loc_5ACB50

loc_443022:				; CODE XREF: KeStartThread+169DB8j
		cmp	bl, cl
		jle	loc_442F8D
		mov	al, bl
		mov	dl, bl
		sub	al, cl
		mov	ecx, esi
		and	al, 0Fh
		push	1
		mov	[esi+15Ch], al
		call	KiAbProcessThreadPriorityModification
		mov	edx, esi
		mov	[esi+87h], bl
		xor	ecx, ecx
		call	_KiUpdateSharedReadyQueueAffinityThread@8 ; KiUpdateSharedReadyQueueAffinityThread(x,x)
		jmp	loc_442F8D
; 

loc_443055:				; CODE XREF: KeStartThread+1D4j
		lock bts dword ptr [esi], 12h
		jmp	loc_442F74
; 

loc_44305F:				; CODE XREF: KeStartThread+E8j
		mov	edx, [eax]
		mov	[ebp+var_18], edx
		jmp	loc_442EF1
; 

loc_443069:				; CODE XREF: KeStartThread+8Cj
		movzx	eax, word ptr [ebx+4]
		mov	[ebp+var_20], eax
		movzx	eax, ax
		mov	edx, [edi+eax*4+48h]
		test	edx, edx
		jz	short loc_4430A6
		mov	ecx, [ebx]
		mov	eax, ecx
		and	eax, edx
		cmp	eax, ecx
		jnz	short loc_4430A6

loc_443085:				; CODE XREF: KeStartThread+316j
		cmp	dword ptr [ebx], 0
		jnz	loc_442E50
		jmp	loc_5ACB36
; 

loc_443093:				; CODE XREF: KeStartThread+1C4j
		mov	ecx, large fs:20h
		mov	edx, esi
		call	_KiFreezeSingleThread@8	; KiFreezeSingleThread(x,x)
		jmp	loc_442F64
; 

loc_4430A6:				; CODE XREF: KeStartThread+2DFj
					; KeStartThread+2E9j
		mov	edx, [ebp+var_20]
		mov	ecx, edi
		call	_KiExtendProcessAffinity@8 ; KiExtendProcessAffinity(x,x)
		jmp	short loc_443085
; 

loc_4430B2:				; CODE XREF: KeStartThread+1A8j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
KeStartThread	endp


;  S U B	R O U T	I N E 


; __stdcall KiUpdateSharedReadyQueueAffinityThread(x, x)
_KiUpdateSharedReadyQueueAffinityThread@8 proc near
					; CODE XREF: KeUpdateThreadSchedulingProperties(x,x,x)+10p
					; KiApplyForegroundBoostThread+C1p ...
		mov	edi, edi
		push	esi
		lea	esi, [edx+5Ch]
		call	_KiComputeSharedReadyQueueAffinityThread@8 ; KiComputeSharedReadyQueueAffinityThread(x,x)
		mov	ecx, [esi]
		shr	ecx, 0Dh
		and	ecx, 1
		cmp	al, cl
		jz	short loc_4430D7
		mov	eax, 2000h
		lock xor [esi],	eax

loc_4430D7:				; CODE XREF: KiUpdateSharedReadyQueueAffinityThread(x,x)+15j
		pop	esi
		retn
_KiUpdateSharedReadyQueueAffinityThread@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiQuantumEnd	proc near		; CODE XREF: KiDispatchInterrupt(x)+162p
					; KiIdleLoop()+51p

var_84		= dword	ptr -84h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005ACB8A SIZE 000003E9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:20h
		mov	[ebp+var_C], 0
		mov	byte ptr [ebp+var_20], 0
		mov	[ebp+var_8], edi
		mov	esi, [edi+4]
		mov	[ebp+var_1C], esi
		cmp	esi, [edi+0Ch]
		jz	loc_443246
		mov	ebx, [esi+34h]
		mov	eax, [esi+30h]
		mov	[ebp+var_64], 0
		mov	[ebp+var_60], 0
		mov	[ebp+var_18], eax
		cmp	ebx, [esi+38h]
		jnz	loc_5ACB8A

loc_44312F:				; CODE XREF: KiQuantumEnd+169ABAj
		cmp	ebx, [esi+1Ch]
		ja	short loc_443143
		jb	loc_4432E1
		cmp	eax, [esi+18h]
		jb	loc_4432E1

loc_443143:				; CODE XREF: KiQuantumEnd+52j
					; KiQuantumEnd+20Bj
		lea	edi, [esi+2Ch]
		mov	[ebp+var_38], 0
		lea	ecx, [ecx+0]

loc_443150:				; CODE XREF: KiQuantumEnd+61Ej
		lock bts dword ptr [edi], 0
		jb	loc_4436F0
		mov	edi, [ebp+var_8]
		cmp	ebx, [esi+1Ch]
		jb	loc_44322C
		mov	eax, [ebp+var_18]
		ja	short loc_443175
		cmp	eax, [esi+18h]
		jb	loc_44322C

loc_443175:				; CODE XREF: KiQuantumEnd+8Aj
		test	dword ptr [esi+5Ch], 100h
		jnz	loc_5ACB9F

loc_443182:				; CODE XREF: KiQuantumEnd+169AC6j
		mov	dl, 1
		mov	ecx, esi
		call	KiComputeNewPriority
		lea	ecx, [edi+2224h]
		mov	[ebp+var_1], al
		mov	[ebp+var_3C], 0
		mov	edi, ecx
		lea	ecx, [ecx+0]

loc_4431A0:				; CODE XREF: KiQuantumEnd+5F1j
		lock bts dword ptr [edi], 0
		jb	loc_4436C3
		mov	edi, [ebp+var_8]
		mov	edx, esi
		mov	ecx, edi
		cmp	dword ptr [edi+8], 0
		setz	al
		movzx	eax, al
		push	eax
		movsx	eax, [ebp+var_1]
		push	eax
		call	_KiUpdateThreadPriority@16 ; KiUpdateThreadPriority(x,x,x,x)
		xor	eax, eax
		lea	ecx, [edi+2224h]
		lock and [ecx],	eax
		movzx	eax, byte ptr [esi+193h]
		mov	ecx, esi
		mov	[ebp+var_34], eax
		mov	byte ptr [ebp+var_20], 1
		call	_KiTryScheduleNextForegroundBoost@4 ; KiTryScheduleNextForegroundBoost(x)
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+var_34]

loc_4431ED:				; CODE XREF: KiQuantumEnd+169AD1j
		push	0
		push	ebx
		push	eax
		mov	ecx, esi
		call	_KiComputeQuantumTargetThread@20 ; KiComputeQuantumTargetThread(x,x,x,x,x)
		mov	eax, [edi+3C8h]
		cmp	eax, [edi+402Ch]
		jz	short loc_44322C
		btr	dword ptr [esi+58h], 7
		jb	short loc_44322C
		mov	eax, [edi+338h]
		mov	ecx, [edi+402Ch]
		mov	eax, [eax+0Ch]
		or	eax, [edi+3C8h]
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_443315

loc_44322C:				; CODE XREF: KiQuantumEnd+81j
					; KiQuantumEnd+8Fj ...
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	_KiCheckPreferredHeteroProcessor@12 ; KiCheckPreferredHeteroProcessor(x,x,x)
		test	eax, eax
		jnz	loc_5ACBB6

loc_44323F:				; CODE XREF: KiQuantumEnd+169ADEj
		mov	dword ptr [esi+2Ch], 0

loc_443246:				; CODE XREF: KiQuantumEnd+29j
					; KiQuantumEnd+205j
		mov	edx, ds:_KeTickCount
		xor	bl, bl
		mov	eax, [edi+2250h]
		sub	eax, edx
		mov	[ebp+var_60], edx
		js	loc_44334E

loc_44325F:				; CODE XREF: KiQuantumEnd+279j
					; KiQuantumEnd+290j ...
		cmp	ds:_KiGroupSchedulingEnabled, 0
		jz	loc_4432F0
		lea	eax, [ebp+var_C]
		mov	edx, esi
		push	eax
		push	[ebp+var_20]
		mov	ecx, edi
		call	KiGroupSchedulingQuantumEnd

loc_44327C:				; CODE XREF: KiQuantumEnd+230j
		test	bl, bl
		jnz	loc_443485

loc_443284:				; CODE XREF: KiQuantumEnd+3BDj
					; KiQuantumEnd+49Dj ...
		mov	ebx, [edi+8]
		test	ebx, ebx
		jnz	loc_44364A
		cmp	byte ptr [ebp+var_20], bl
		jnz	short loc_4432C8

loc_443294:				; CODE XREF: KiQuantumEnd+1FAj
		test	dword ptr [esi+5Ch], 1000h
		lea	eax, [esi+5Ch]
		jnz	loc_4435F9

loc_4432A4:				; CODE XREF: KiQuantumEnd+531j
					; KiQuantumEnd+53Aj ...
		cmp	[ebp+var_C], 0
		jnz	loc_5ACECA
		test	ebx, ebx
		jnz	loc_443582

loc_4432B6:				; CODE XREF: KiQuantumEnd+4A5j
		xor	ecx, ecx
		lea	eax, [edi+2224h]
		lock and [eax],	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4432C8:				; CODE XREF: KiQuantumEnd+1B2j
		movsx	ecx, byte ptr [esi+87h]
		mov	edx, edi
		call	KiSelectReadyThread
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_443294
		jmp	loc_443617
; 

loc_4432E1:				; CODE XREF: KiQuantumEnd+54j
					; KiQuantumEnd+5Dj
		cmp	byte ptr [esi+61h], 0
		jz	loc_443246
		jmp	loc_443143
; 

loc_4432F0:				; CODE XREF: KiQuantumEnd+186j
		lea	eax, [edi+2224h]
		mov	[ebp+var_5C], 0
		mov	[ebp+var_4C], eax
		mov	edi, eax

loc_443302:				; CODE XREF: KiQuantumEnd+5DEj
		lock bts dword ptr [edi], 0
		jb	loc_4436B0
		mov	edi, [ebp+var_8]
		jmp	loc_44327C
; 

loc_443315:				; CODE XREF: KiQuantumEnd+146j
		mov	eax, [esi+16Ch]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	eax, [eax+338h]
		mov	ecx, [eax+48h]
		and	ecx, [eax+4]
		test	[esi+164h], ecx
		jz	loc_44322C
		or	dword ptr [esi+58h], 80h
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 0Ch
		jmp	loc_44322C
; 

loc_44334E:				; CODE XREF: KiQuantumEnd+179j
		mov	ecx, edi
		mov	bl, 1
		call	KiShouldScanSharedReadyQueue
		test	eax, eax
		jz	loc_44325F
		mov	eax, [edi+4024h]
		mov	[ebp+var_14], eax
		mov	eax, [eax+4]
		test	eax, 7FFEh
		jz	loc_44325F
		mov	edi, [ebp+var_14]
		mov	[ebp+var_40], 0
		movzx	eax, byte ptr [edi+12Ah]
		mov	[ebp+var_24], eax
		lea	ebx, [ebx+0]

loc_443390:				; CODE XREF: KiQuantumEnd+169AF1j
		lock bts dword ptr [edi], 0
		jb	loc_5ACBC3
		mov	edx, [edi+4]
		mov	edi, [ebp+var_8]
		and	edx, 7FFEh
		jz	loc_5ACBD6
		mov	eax, ds:_KeTickCount
		mov	esi, 10h
		mov	ecx, [ebp+var_24]
		mov	edi, [ebp+var_14]
		mov	[ebp+var_18], 0
		mov	[ebp+var_10], 0Ah
		mov	[ebp+var_28], eax
		ror	edx, cl

loc_4433D0:				; CODE XREF: KiQuantumEnd+5B0j
		mov	ecx, [ebp+var_24]
		bsf	eax, edx
		mov	[ebp+var_44], 0
		btc	edx, eax
		mov	[ebp+var_44], eax
		add	ecx, eax
		mov	[ebp+var_4C], edx
		mov	edx, [ebp+var_10]
		and	ecx, 1Fh
		mov	[ebp+var_34], ecx
		lea	eax, [ecx+1]
		lea	eax, [edi+eax*8]
		mov	[ebp+var_48], eax
		mov	eax, [eax]
		lea	esp, [esp+0]

loc_443400:				; CODE XREF: KiQuantumEnd+583j
		lea	edi, [eax-9Ch]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_28]
		sub	eax, [edi+138h]
		sub	eax, 12Ch
		mov	[ebp+var_30], edi
		mov	edi, [ebp+var_14]
		test	eax, eax
		jg	loc_5ACBE8

loc_443427:				; CODE XREF: KiQuantumEnd+169B32j
		mov	eax, [ebp+var_2C]
		dec	esi
		cmp	eax, [ebp+var_48]
		jnz	loc_443659

loc_443434:				; CODE XREF: KiQuantumEnd+57Bj
					; KiQuantumEnd+589j
		mov	edx, [ebp+var_4C]
		mov	eax, [ebp+var_10]
		mov	[ebp+var_48], esi
		test	edx, edx
		jnz	loc_443686

loc_443445:				; CODE XREF: KiQuantumEnd+5A8j
					; KiQuantumEnd+5B6j
		xor	edx, edx
		lock and [edi],	edx
		mov	edx, [ebp+var_18]
		mov	esi, [ebp+var_1C]
		mov	edi, [ebp+var_8]
		test	edx, edx
		jnz	loc_5ACC17
		jmp	short loc_443460
; 
		align 10h

loc_443460:				; CODE XREF: KiQuantumEnd+37Bj
					; KiQuantumEnd+169C16j
		cmp	[ebp+var_48], 0
		jz	loc_5ACD0E
		test	eax, eax
		jz	loc_5ACD0E

loc_443472:				; CODE XREF: KiQuantumEnd+169C38j
		mov	ecx, 1

loc_443477:				; CODE XREF: KiQuantumEnd+169C32j
		mov	eax, [ebp+var_14]

loc_44347A:				; CODE XREF: KiQuantumEnd+169B03j
		mov	[eax+12Ah], cl
		jmp	loc_44325F
; 

loc_443485:				; CODE XREF: KiQuantumEnd+19Ej
		mov	eax, [ebp+var_60]
		mov	ebx, [edi+3B20h]
		add	eax, 4Bh
		mov	[edi+2250h], eax
		and	ebx, 7FFEh
		jz	loc_443284
		mov	ecx, [edi+3B18h]
		lea	eax, [edi+3BE0h]
		mov	[ebp+var_34], eax
		mov	edx, 10h
		mov	eax, ds:_KeTickCount
		mov	[ebp+var_48], ecx
		mov	[ebp+var_18], 0
		mov	[ebp+var_14], 0Ah
		mov	[ebp+var_24], edx
		mov	[ebp+var_30], eax
		ror	ebx, cl
		jmp	short loc_4434E0
; 
		align 10h

loc_4434E0:				; CODE XREF: KiQuantumEnd+3F5j
					; KiQuantumEnd+603j
		bsf	eax, ebx
		mov	[ebp+var_68], 0
		btc	ebx, eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_4C], ebx
		lea	esi, [eax+ecx]
		mov	eax, [ebp+var_34]
		and	esi, 1Fh
		mov	ebx, [eax+esi*8]
		lea	eax, [eax+esi*8]
		mov	[ebp+var_28], esi
		jmp	short loc_443510
; 
		align 10h

loc_443510:				; CODE XREF: KiQuantumEnd+425j
					; KiQuantumEnd+5C5j
		mov	eax, [ebp+var_30]
		lea	ecx, [ebx-9Ch]
		sub	eax, [ecx+138h]
		mov	ebx, [ebx]
		sub	eax, 12Ch
		mov	[ebp+var_60], ecx
		test	eax, eax
		jg	loc_5ACD1D
		mov	eax, [ebp+var_14]

loc_443534:				; CODE XREF: KiQuantumEnd+169C65j
		mov	edi, [ebp+var_34]
		dec	edx
		mov	[ebp+var_24], edx
		lea	ecx, [edi+esi*8]
		mov	edi, [ebp+var_8]
		cmp	ebx, ecx
		jnz	loc_44369B

loc_443549:				; CODE XREF: KiQuantumEnd+5BDj
					; KiQuantumEnd+5CBj
		mov	ebx, [ebp+var_4C]
		test	ebx, ebx
		jnz	loc_4436D6

loc_443554:				; CODE XREF: KiQuantumEnd+5F8j
					; KiQuantumEnd+609j
		mov	ecx, [ebp+var_18]
		mov	esi, [ebp+var_1C]
		test	ecx, ecx
		jnz	loc_5ACD4A

loc_443562:				; CODE XREF: KiQuantumEnd+169D62j
		test	edx, edx
		jz	loc_5ACE6A
		test	eax, eax
		jz	loc_5ACE6A

loc_443572:				; CODE XREF: KiQuantumEnd+169D97j
		mov	eax, 1

loc_443577:				; CODE XREF: KiQuantumEnd+169D91j
		mov	[edi+3B18h], eax
		jmp	loc_443284
; 

loc_443582:				; CODE XREF: KiQuantumEnd+1D0j
		cmp	esi, [edi+0Ch]
		jz	loc_4432B6
		mov	dword ptr [edi+8], 0
		cli
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	KiEndThreadCycleAccumulation
		sti
		test	byte ptr [ebx+2], 4
		jnz	loc_44366E

loc_4435A9:				; CODE XREF: KiQuantumEnd+5A1j
		mov	cl, [ebx+87h]

loc_4435AF:				; CODE XREF: KiQuantumEnd+59Bj
		mov	eax, [edi+33Ch]
		mov	[eax], cl
		mov	[edi+4], ebx
		mov	al, [ebx+90h]
		cmp	al, 1
		jz	short loc_443634

loc_4435C4:				; CODE XREF: KiQuantumEnd+565j
		mov	byte ptr [ebx+90h], 2
		mov	edx, esi
		mov	ecx, edi
		mov	byte ptr [esi+18Bh], 1Eh
		call	KiQueueReadyThread
		mov	edx, 1
		mov	ecx, esi
		call	KiAbProcessContextSwitch
		push	1
		mov	edx, ebx
		mov	ecx, esi
		call	@KiSwapContext@12 ; KiSwapContext(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4435F9:				; CODE XREF: KiQuantumEnd+1BEj
		cmp	esi, [edi+0Ch]
		jz	loc_443703
		lea	edx, [ebp+var_C]
		mov	ecx, edi
		call	KiSelectNextThread
		mov	ebx, [edi+8]

loc_44360F:				; CODE XREF: KiQuantumEnd+56Ej
					; KiQuantumEnd+577j
		test	ebx, ebx
		jz	loc_4432A4

loc_443617:				; CODE XREF: KiQuantumEnd+1FCj
		cmp	ebx, [edi+0Ch]
		jz	loc_4432A4
		mov	ecx, ebx
		call	_KiCheckThreadAffinity@4 ; KiCheckThreadAffinity(x)
		test	eax, eax
		jnz	loc_4432A4
		jmp	loc_5ACE7C
; 

loc_443634:				; CODE XREF: KiQuantumEnd+4E2j
		mov	eax, ds:_KeTickCount
		sub	eax, [ebx+138h]
		add	[ebx+170h], eax
		jmp	loc_4435C4
; 

loc_44364A:				; CODE XREF: KiQuantumEnd+1A9j
		cmp	byte ptr [ebp+var_20], 0
		jz	short loc_44360F
		mov	byte ptr [esi+15Dh], 0
		jmp	short loc_44360F
; 

loc_443659:				; CODE XREF: KiQuantumEnd+34Ej
		test	edx, edx
		jz	loc_443434
		test	esi, esi
		jnz	loc_443400
		jmp	loc_443434
; 

loc_44366E:				; CODE XREF: KiQuantumEnd+4C3j
		mov	edx, edi
		mov	ecx, ebx
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	loc_4435AF
		jmp	loc_4435A9
; 

loc_443686:				; CODE XREF: KiQuantumEnd+35Fj
		test	eax, eax
		jz	loc_443445
		test	esi, esi
		jnz	loc_4433D0
		jmp	loc_443445
; 

loc_44369B:				; CODE XREF: KiQuantumEnd+463j
		test	eax, eax
		jz	loc_443549
		test	edx, edx
		jnz	loc_443510
		jmp	loc_443549
; 

loc_4436B0:				; CODE XREF: KiQuantumEnd+227j
					; KiQuantumEnd+5DCj
		lea	ecx, [ebp+var_5C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_4436B0
		jmp	loc_443302
; 

loc_4436C3:				; CODE XREF: KiQuantumEnd+C5j
					; KiQuantumEnd+5EFj
		lea	ecx, [ebp+var_3C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_4436C3
		jmp	loc_4431A0
; 

loc_4436D6:				; CODE XREF: KiQuantumEnd+46Ej
		test	eax, eax
		jz	loc_443554
		mov	ecx, [ebp+var_48]
		test	edx, edx
		jnz	loc_4434E0
		jmp	loc_443554
; 
		align 10h

loc_4436F0:				; CODE XREF: KiQuantumEnd+75j
					; KiQuantumEnd+61Cj
		lea	ecx, [ebp+var_38]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_4436F0
		jmp	loc_443150
; 

loc_443703:				; CODE XREF: KiQuantumEnd+51Cj
		lock btr dword ptr [eax], 0Ch
		jmp	loc_4432A4
KiQuantumEnd	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiGroupSchedulingQuantumEnd proc near	; CODE XREF: KiQuantumEnd+197p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005ACF73 SIZE 00000155 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		xor	ecx, ecx
		push	edi
		mov	edi, ds:dword_7186C4
		mov	dh, cl
		mov	dl, cl
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		mov	byte ptr [ebp+var_14], cl
		mov	[ebp+var_3], cl
		mov	[ebp+var_18], ecx
		mov	ecx, ds:_KeTickCount
		mov	[ebp+var_2], dh
		mov	[ebp+var_1], dl
		mov	[ebp+var_C], ecx

loc_443748:				; CODE XREF: KiGroupSchedulingQuantumEnd+16987Bj
		cmp	edi, ds:dword_7186C8
		jnz	loc_5ACF73
		and	[ebp+var_1C], 0
		lea	ebx, [esi+2224h]

loc_44375E:				; CODE XREF: KiGroupSchedulingQuantumEnd+24Cj
		lock bts dword ptr [ebx], 0
		jb	loc_44394C
		mov	eax, [esi+8]
		xor	ebx, ebx
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	loc_443913

loc_443779:				; CODE XREF: KiGroupSchedulingQuantumEnd+20Aj
					; KiGroupSchedulingQuantumEnd+216j
		cmp	edi, [esi+3D6Ch]
		jb	short loc_44378E
		mov	ecx, [ebp+var_C]
		ja	short loc_4437A4
		cmp	ecx, [esi+3D68h]
		ja	short loc_4437A4

loc_44378E:				; CODE XREF: KiGroupSchedulingQuantumEnd+71j
		mov	edi, [ebp+var_8]
		mov	edi, [edi+50h]
		mov	eax, edi
		mov	[ebp+var_C], eax
		test	edi, edi
		jnz	short loc_4437B1

loc_44379D:				; CODE XREF: KiGroupSchedulingQuantumEnd+A1j
					; KiGroupSchedulingQuantumEnd+ABj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4437A4:				; CODE XREF: KiGroupSchedulingQuantumEnd+76j
					; KiGroupSchedulingQuantumEnd+7Ej
		push	edi
		push	ecx
		xor	dl, dl
		mov	ecx, esi
		call	KiGroupSchedulingGenerationEnd
		jmp	short loc_44379D
; 

loc_4437B1:				; CODE XREF: KiGroupSchedulingQuantumEnd+8Dj
		add	edi, [esi+3B34h]
		test	edi, edi
		jz	short loc_44379D

loc_4437BB:				; CODE XREF: KiGroupSchedulingQuantumEnd+1698BFj
		mov	cl, [edi+5Ch]
		test	cl, 4
		jnz	loc_44386B
		push	edi
		mov	edx, esi
		mov	ecx, eax
		call	KiComputeGroupSchedulingRank
		test	byte ptr [edi+5Ch], 4
		jnz	loc_5ACF8E
		mov	dh, [ebp+var_2]

loc_4437DE:				; CODE XREF: KiGroupSchedulingQuantumEnd+222j
		mov	dl, [ebp+var_1]

loc_4437E1:				; CODE XREF: KiGroupSchedulingQuantumEnd+1A9j
					; KiGroupSchedulingQuantumEnd+22Dj ...
		mov	edi, [edi+0F4h]
		test	edi, edi
		jnz	loc_5ACFC2
		mov	edi, [ebp+var_8]
		mov	ecx, [edi+50h]
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		jz	short loc_443805
		add	ecx, [esi+3B34h]
		mov	[ebp+arg_0], ecx

loc_443805:				; CODE XREF: KiGroupSchedulingQuantumEnd+ECj
		mov	eax, [ebp+var_10]
		test	dl, dl
		jnz	loc_4438BC

loc_443810:				; CODE XREF: KiGroupSchedulingQuantumEnd+1B0j
		test	dh, dh
		jnz	loc_4439B6

loc_443818:				; CODE XREF: KiGroupSchedulingQuantumEnd+1E1j
					; KiGroupSchedulingQuantumEnd+2AAj ...
		test	ecx, ecx
		jz	short loc_44379D
		xor	edx, edx
		cmp	[edi+13Ch], edx
		jz	loc_4438F4

loc_44382A:				; CODE XREF: KiGroupSchedulingQuantumEnd+1EDj
		test	dword ptr [edi+5Ch], 0C00h
		jnz	loc_44379D
		xor	eax, eax
		lea	ebx, [esi+2224h]
		lock and [ebx],	eax
		push	edx
		mov	edx, edi
		mov	ecx, esi
		call	_KiInsertDeferredPreemptionApc@12 ; KiInsertDeferredPreemptionApc(x,x,x)
		and	[ebp+var_20], 0

loc_443850:				; CODE XREF: KiGroupSchedulingQuantumEnd+15Bj
		lock bts dword ptr [ebx], 0
		jnb	loc_44379D

loc_44385B:				; CODE XREF: KiGroupSchedulingQuantumEnd+159j
		lea	ecx, [ebp+var_20]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_44385B
		jmp	short loc_443850
; 

loc_44386B:				; CODE XREF: KiGroupSchedulingQuantumEnd+B3j
		test	cl, 2
		jnz	short loc_4438AD
		mov	edx, eax
		mov	ecx, edi
		call	KiCheckMaxOverQuotaTransition
		test	al, al
		jnz	loc_5ACFA8
		mov	eax, [edi+4]
		cmp	eax, [edi+1Ch]
		ja	short loc_44389A
		jb	loc_443929
		mov	eax, [edi]
		cmp	eax, [edi+18h]
		jb	loc_443929

loc_44389A:				; CODE XREF: KiGroupSchedulingQuantumEnd+179j
		mov	ecx, [ebp+var_C]
		mov	edx, edi
		push	esi
		call	_KiRecomputeGroupSchedulingRank@12 ; KiRecomputeGroupSchedulingRank(x,x,x)
		cmp	ebx, edi
		jz	loc_443A0A

loc_4438AD:				; CODE XREF: KiGroupSchedulingQuantumEnd+160j
					; KiGroupSchedulingQuantumEnd+300j ...
		mov	dl, 1
		mov	dh, dl
		mov	[ebp+var_1], dl
		mov	[ebp+var_2], dh
		jmp	loc_4437E1
; 

loc_4438BC:				; CODE XREF: KiGroupSchedulingQuantumEnd+FCj
		test	eax, eax
		jnz	loc_443810
		push	eax
		push	1
		push	ecx
		mov	edx, ecx
		mov	ecx, edi
		call	_KiGetThreadEffectiveRankNonZero@20 ; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)
		movsx	ecx, byte ptr [edi+87h]
		test	eax, eax
		jnz	short loc_443940
		mov	edx, esi
		call	KiSelectReadyThread

loc_4438E3:				; CODE XREF: KiGroupSchedulingQuantumEnd+23Cj
		mov	edi, eax
		test	edi, edi
		jnz	short loc_44395F

loc_4438E9:				; CODE XREF: KiGroupSchedulingQuantumEnd+2A3j
					; KiGroupSchedulingQuantumEnd+2D9j ...
		mov	ecx, [ebp+arg_0]
		mov	edi, [ebp+var_8]
		jmp	loc_443818
; 

loc_4438F4:				; CODE XREF: KiGroupSchedulingQuantumEnd+116j
		cmp	byte ptr [edi+92h], 1
		jz	loc_44382A
		call	_KiCheckForMaxOverQuotaScb@4 ; KiCheckForMaxOverQuotaScb(x)
		test	al, al
		jz	loc_44379D
		jmp	loc_5AD0B0
; 

loc_443913:				; CODE XREF: KiGroupSchedulingQuantumEnd+65j
		mov	ebx, [eax+50h]
		test	ebx, ebx
		jz	loc_443779
		add	ebx, [esi+3B34h]
		jmp	loc_443779
; 

loc_443929:				; CODE XREF: KiGroupSchedulingQuantumEnd+17Bj
					; KiGroupSchedulingQuantumEnd+186j
		cmp	byte ptr [ebp+arg_0], 0
		mov	dh, [ebp+var_2]
		jz	loc_4437DE
		mov	dl, 1
		mov	[ebp+var_1], dl
		jmp	loc_4437E1
; 

loc_443940:				; CODE XREF: KiGroupSchedulingQuantumEnd+1CCj
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	KiChooseLowestRankedThread
		jmp	short loc_4438E3
; 

loc_44394C:				; CODE XREF: KiGroupSchedulingQuantumEnd+55j
					; KiGroupSchedulingQuantumEnd+24Aj
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_44394C
		jmp	loc_44375E
; 

loc_44395F:				; CODE XREF: KiGroupSchedulingQuantumEnd+1D9j
		test	byte ptr [edi+2], 4
		jnz	loc_4439F2

loc_443969:				; CODE XREF: KiGroupSchedulingQuantumEnd+2F7j
		mov	cl, [edi+87h]

loc_44396F:				; CODE XREF: KiGroupSchedulingQuantumEnd+2F1j
		mov	eax, [esi+33Ch]
		mov	[eax], cl
		mov	ecx, [esi+4DCh]
		mov	eax, [esi+0Ch]
		mov	[esi+8], edi
		test	ecx, ecx
		jz	short loc_44398F
		cmp	edi, eax
		setz	al
		mov	[ecx+10h], al

loc_44398F:				; CODE XREF: KiGroupSchedulingQuantumEnd+277j
		mov	al, [edi+90h]
		cmp	al, 1
		jnz	short loc_4439AA
		mov	eax, ds:_KeTickCount
		sub	eax, [edi+138h]
		add	[edi+170h], eax

loc_4439AA:				; CODE XREF: KiGroupSchedulingQuantumEnd+289j
		mov	byte ptr [edi+90h], 3
		jmp	loc_4438E9
; 

loc_4439B6:				; CODE XREF: KiGroupSchedulingQuantumEnd+104j
		test	eax, eax
		jz	loc_443818
		test	ebx, ebx
		jz	loc_443818
		cmp	ebx, ecx
		jnz	loc_5ACFD2

loc_4439CE:				; CODE XREF: KiGroupSchedulingQuantumEnd+1698D4j
					; KiGroupSchedulingQuantumEnd+1698E4j
		mov	ebx, [ebp+var_10]
		mov	ecx, esi
		mov	edx, ebx
		movsx	eax, byte ptr [ebx+87h]
		inc	eax
		push	eax
		call	KiChooseLowestRankedThread
		mov	edi, eax
		test	edi, edi
		jz	loc_4438E9
		jmp	loc_5ACFF7
; 

loc_4439F2:				; CODE XREF: KiGroupSchedulingQuantumEnd+255j
		mov	edx, esi
		mov	ecx, edi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	loc_44396F
		jmp	loc_443969
; 

loc_443A0A:				; CODE XREF: KiGroupSchedulingQuantumEnd+199j
		mov	[ebp+var_3], 1
		jmp	loc_4438AD
KiGroupSchedulingQuantumEnd endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiComputeQuantumTargetThread(x, x, x, x, x)
_KiComputeQuantumTargetThread@20 proc near ; CODE XREF:	KiQueueReadyThread+38Ap
					; KeSetPriorityAndQuantumProcess+160p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ds:_KiCyclesPerClockQuantum
		mov	esi, ecx
		imul	edi, edx
		xor	ecx, ecx
		lea	eax, [esi+5Ch]
		add	edi, [ebp+arg_0]
		mov	[ebp+var_4], edi
		adc	ecx, [ebp+arg_4]
		test	byte ptr [eax],	20h
		jnz	short loc_443A78

loc_443A3A:				; CODE XREF: KiComputeQuantumTargetThread(x,x,x,x,x)+69j
		cmp	[ebp+arg_8], 0
		lea	eax, [esi+18h]
		mov	[ebp+arg_4], eax
		jnz	short loc_443A51
		mov	[eax], edi
		mov	[eax+4], ecx

loc_443A4B:				; CODE XREF: KiComputeQuantumTargetThread(x,x,x,x,x)+62j
		pop	edi
		pop	esi
		leave
		retn	0Ch
; 

loc_443A51:				; CODE XREF: KiComputeQuantumTargetThread(x,x,x,x,x)+30j
		push	ebx

loc_443A52:				; CODE XREF: KiComputeQuantumTargetThread(x,x,x,x,x)+5Aj
					; KiComputeQuantumTargetThread(x,x,x,x,x)+5Fj
		mov	esi, [eax]
		mov	edx, [eax+4]
		mov	eax, esi
		mov	dword ptr [ebp+arg_8], edx
		nop
		mov	ebx, edi
		mov	edi, [ebp+arg_4]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_4]
		cmp	eax, esi
		mov	eax, [ebp+arg_4]
		jnz	short loc_443A52
		cmp	edx, dword ptr [ebp+arg_8]
		jnz	short loc_443A52
		pop	ebx
		jmp	short loc_443A4B
; 

loc_443A78:				; CODE XREF: KiComputeQuantumTargetThread(x,x,x,x,x)+24j
		lock btr dword ptr [eax], 5
		jmp	short loc_443A3A
_KiComputeQuantumTargetThread@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiTryScheduleNextForegroundBoost(x)
_KiTryScheduleNextForegroundBoost@4 proc near ;	CODE XREF: KiQueueReadyThread+391p
					; KiQuantumEnd+102p ...
		mov	al, ds:_KiForegrounBoostVelocityFlag
		test	al, al
		jnz	short locret_443A99
		mov	eax, [ecx+150h]
		mov	al, [eax+2A2h]
		cmp	al, 2
		jz	short loc_443A9A

locret_443A99:				; CODE XREF: KiTryScheduleNextForegroundBoost(x)+7j
					; KiTryScheduleNextForegroundBoost(x)+22j ...
		retn
; 

loc_443A9A:				; CODE XREF: KiTryScheduleNextForegroundBoost(x)+17j
		mov	al, [ecx+87h]
		cmp	al, 10h
		jge	short locret_443A99
		test	byte ptr [ecx+5Ch], 8
		jnz	short locret_443A99
		test	al, al
		jg	KiScheduleNextForegroundBoost
		retn
_KiTryScheduleNextForegroundBoost@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiUpdateThreadPriority(x, x, x, x)
_KiUpdateThreadPriority@16 proc	near	; CODE XREF: KiApplyForegroundBoostThread+110p
					; KiApplyForegroundBoostThread+1CEp ...

arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bl, [ebp+arg_0]
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		push	1
		mov	dl, bl
		mov	ecx, esi
		call	KiAbProcessThreadPriorityModification
		cmp	[ebp+arg_4], 0
		mov	[esi+87h], bl
		jz	short loc_443AE8
		test	byte ptr [esi+2], 4
		jnz	short loc_443AEF

loc_443AE0:				; CODE XREF: KiUpdateThreadPriority(x,x,x,x)+48j
					; KiUpdateThreadPriority(x,x,x,x)+50j
		mov	eax, [edi+33Ch]
		mov	[eax], bl

loc_443AE8:				; CODE XREF: KiUpdateThreadPriority(x,x,x,x)+24j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_443AEF:				; CODE XREF: KiUpdateThreadPriority(x,x,x,x)+2Aj
		mov	edx, edi
		mov	ecx, esi
		call	KiIsThreadRankNonZero
		mov	bl, 1
		test	al, al
		jnz	short loc_443AE0
		mov	bl, [esi+87h]
		jmp	short loc_443AE0
_KiUpdateThreadPriority@16 endp

; 
		align 10h
; Exported entry 1286. KeSetBasePriorityThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeSetBasePriorityThread
KeSetBasePriorityThread	proc near	; CODE XREF: NtSetInformationThread+3C3p
					; PfTLoggingWorker+45p	...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AD0C8 SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [esi+150h]
		cmp	edi, offset _KiInitialProcess
		jz	loc_5AD0C8
		mov	[ebp+var_C], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		lea	ecx, [esi+2Ch]
		mov	eax, large fs:20h
		mov	esi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_1C], 0
		mov	eax, [eax+4]
		mov	[ebp+var_24], eax
		mov	edi, edi

loc_443B60:				; CODE XREF: KeSetBasePriorityThread+22Fj
		lock bts dword ptr [esi], 0
		jb	loc_443D31
		mov	esi, [ebp+arg_0]
		movsx	eax, byte ptr [edi+68h]
		movsx	ecx, byte ptr [esi+15Bh]
		mov	[ebp+var_14], ecx
		sub	ecx, eax
		mov	al, [esi+18Dh]
		mov	[ebp+var_18], ecx
		test	al, al
		jnz	loc_443D44

loc_443B8F:				; CODE XREF: KeSetBasePriorityThread+23Dj
		mov	eax, ebx
		mov	byte ptr [esi+18Dh], 0
		cdq
		xor	cl, cl
		xor	eax, edx
		sub	eax, edx
		cmp	eax, 10h
		jge	loc_443CED

loc_443BA8:				; CODE XREF: KeSetBasePriorityThread+1EFj
		mov	al, [edi+68h]
		movsx	ebx, al
		add	ebx, [ebp+arg_4]
		cmp	al, 10h
		jge	loc_5AD0CF
		cmp	ebx, 10h
		jge	loc_443D0C
		test	ebx, ebx
		jle	loc_443D75

loc_443BCA:				; CODE XREF: KeSetBasePriorityThread+201j
					; KeSetBasePriorityThread+26Aj
		test	cl, cl
		jnz	loc_443D04
		xor	dl, dl
		mov	ecx, esi
		call	KiComputeNewPriority
		movsx	ecx, al
		mov	eax, ebx
		sub	eax, [ebp+var_14]
		add	eax, ecx
		mov	[ebp+var_8], eax
		cmp	eax, 10h
		jge	loc_5AD0ED
		test	eax, eax
		jle	loc_5AD0F9

loc_443BF9:				; CODE XREF: KeSetBasePriorityThread+1F7j
					; KeSetBasePriorityThread+1695D8j ...
		push	0
		mov	dl, bl
		mov	ecx, esi
		call	KiAbProcessThreadPriorityModification
		mov	al, [esi+15Ch]
		mov	[esi+15Bh], bl
		test	al, al
		jnz	loc_443D16

loc_443C18:				; CODE XREF: KeSetBasePriorityThread+21Cj
		movsx	eax, byte ptr [esi+87h]
		cmp	[ebp+var_8], eax
		jnz	short loc_443C76
		mov	edi, [ebp+var_10]

loc_443C27:				; CODE XREF: KeSetBasePriorityThread+1A9j
		mov	ecx, [esi+0A4h]
		test	ecx, ecx
		jnz	short loc_443C69

loc_443C31:				; CODE XREF: KeSetBasePriorityThread+15Fj
		mov	dword ptr [esi+2Ch], 0

loc_443C38:				; CODE XREF: KeSetBasePriorityThread+169607j
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jnz	loc_443D52

loc_443C43:				; CODE XREF: KeSetBasePriorityThread+25Dj
		mov	dl, [ebp+var_1]
		mov	ecx, edi
		call	KiCheckForThreadDispatch
		test	dword ptr ds:byte_70EFC4, 2000h
		jnz	loc_5AD11C

loc_443C5D:				; CODE XREF: KeSetBasePriorityThread+169620j
		mov	eax, [ebp+var_18]

loc_443C60:				; CODE XREF: KeSetBasePriorityThread+1695BAj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_443C69:				; CODE XREF: KeSetBasePriorityThread+11Fj
		mov	al, [ecx]
		and	al, 7Fh
		cmp	al, 15h
		jnz	short loc_443C31
		jmp	loc_5AD110
; 

loc_443C76:				; CODE XREF: KeSetBasePriorityThread+112j
		cmp	esi, [ebp+var_24]
		jnz	short loc_443CBE
		mov	edi, [ebp+var_10]
		cmp	byte ptr [edi+11h], 0
		jnz	loc_5AD105
		cli
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	_KiUpdateTotalCyclesCurrentThread@12 ; KiUpdateTotalCyclesCurrentThread(x,x,x)
		sti

loc_443C95:				; CODE XREF: KeSetBasePriorityThread+1695FBj
		mov	byte ptr [ebp+arg_0], 0

loc_443C99:				; CODE XREF: KeSetBasePriorityThread+1DBj
		push	[ebp+arg_0]
		mov	ecx, esi
		push	edx
		movzx	edx, byte ptr [esi+193h]
		push	eax
		call	_KiComputeQuantumTargetThread@20 ; KiComputeQuantumTargetThread(x,x,x,x,x)
		push	[ebp+var_8]
		lea	edx, [ebp+var_C]
		mov	ecx, esi
		call	KiSetPriorityThread
		jmp	loc_443C27
; 

loc_443CBE:				; CODE XREF: KeSetBasePriorityThread+169j
		mov	edx, [esi+34h]
		mov	eax, [esi+30h]
		mov	[ebp+var_28], 0
		mov	[ebp+var_24], 0
		cmp	edx, [esi+38h]
		jz	short loc_443CE4

loc_443CD7:				; CODE XREF: KeSetBasePriorityThread+1D2j
		pause
		mov	edx, [esi+34h]
		mov	eax, [esi+30h]
		cmp	edx, [esi+38h]
		jnz	short loc_443CD7

loc_443CE4:				; CODE XREF: KeSetBasePriorityThread+1C5j
		mov	edi, [ebp+var_10]
		mov	byte ptr [ebp+arg_0], 1
		jmp	short loc_443C99
; 

loc_443CED:				; CODE XREF: KeSetBasePriorityThread+92j
		test	ebx, ebx
		setnle	cl
		lea	ecx, ds:0FFFFFFFFh[ecx*2]
		mov	[esi+18Dh], cl
		jmp	loc_443BA8
; 

loc_443D04:				; CODE XREF: KeSetBasePriorityThread+BCj
		mov	[ebp+var_8], ebx
		jmp	loc_443BF9
; 

loc_443D0C:				; CODE XREF: KeSetBasePriorityThread+ACj
		mov	ebx, 0Fh
		jmp	loc_443BCA
; 

loc_443D16:				; CODE XREF: KeSetBasePriorityThread+102j
		test	al, 0Fh
		jz	short loc_443D25
		mov	eax, ds:_KeTickCount
		mov	[esi+224h], eax

loc_443D25:				; CODE XREF: KeSetBasePriorityThread+208j
		mov	byte ptr [esi+15Ch], 0
		jmp	loc_443C18
; 

loc_443D31:				; CODE XREF: KeSetBasePriorityThread+55j
					; KeSetBasePriorityThread+22Dj
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_443D31
		jmp	loc_443B60
; 

loc_443D44:				; CODE XREF: KeSetBasePriorityThread+79j
		movsx	eax, al
		shl	eax, 4
		mov	[ebp+var_18], eax
		jmp	loc_443B8F
; 

loc_443D52:				; CODE XREF: KeSetBasePriorityThread+12Dj
					; KeSetBasePriorityThread+263j
		mov	eax, [ecx]
		lea	edx, [ecx-9Ch]
		mov	[ebp+var_C], eax
		mov	ecx, edi
		lea	eax, [ebp+var_C]
		push	eax
		call	KiDeferredReadySingleThread
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	loc_443C43
		jmp	short loc_443D52
; 

loc_443D75:				; CODE XREF: KeSetBasePriorityThread+B4j
		mov	ebx, 1
		jmp	loc_443BCA
KeSetBasePriorityThread	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiComputeNewPriority proc near		; CODE XREF: KiQueueReadyThread+360p
					; KiQuantumEnd+A6p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AD135 SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	bl, [ecx+87h]
		mov	dh, dl
		cmp	bl, 10h
		jge	short loc_443DD6
		mov	al, ds:_KiForegrounBoostVelocityFlag
		test	al, al
		jnz	loc_5AD135

loc_443DA1:				; CODE XREF: KiComputeNewPriority+1693BCj
		mov	dl, [ecx+15Ch]
		mov	ah, dl
		mov	al, dl
		shr	al, 4
		and	ah, 0Fh
		add	al, ah
		add	al, dh
		sub	bl, al
		mov	al, [ecx+15Bh]
		cmp	bl, al
		jl	short loc_443DDD

loc_443DC1:				; CODE XREF: KiComputeNewPriority+5Fj
		test	dl, dl
		jnz	short loc_443DE1

loc_443DC5:				; CODE XREF: KiComputeNewPriority+77j
					; KiComputeNewPriority+1693E8j
		mov	eax, [ecx+214h]
		mov	[ebp+var_4], 0
		test	eax, eax
		jnz	short loc_443DF9

loc_443DD6:				; CODE XREF: KiComputeNewPriority+12j
					; KiComputeNewPriority+81j ...
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_443DDD:				; CODE XREF: KiComputeNewPriority+3Fj
		mov	bl, al
		jmp	short loc_443DC1
; 

loc_443DE1:				; CODE XREF: KiComputeNewPriority+43j
		test	ah, ah
		jz	short loc_443DF0
		mov	eax, ds:_KeTickCount
		mov	[ecx+224h], eax

loc_443DF0:				; CODE XREF: KiComputeNewPriority+63j
		mov	byte ptr [ecx+15Ch], 0
		jmp	short loc_443DC5
; 

loc_443DF9:				; CODE XREF: KiComputeNewPriority+54j
		bsr	ecx, eax
		movsx	eax, bl
		cmp	eax, ecx
		jge	short loc_443DD6
		mov	bl, cl
		jmp	short loc_443DD6
KiComputeNewPriority endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiGroupSchedulingGenerationEnd proc near ; CODE	XREF: KiGroupSchedulingQuantumEnd+9Cp
					; KeTransitionProcessorParkState(x,x)+380p

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AD16D SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	al, dl
		mov	[ebp+var_1], al
		mov	ecx, [esi+0Ch]
		mov	ebx, [esi+4]
		mov	[ebp+var_8], ecx
		test	al, al
		jnz	short loc_443E35
		cli
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	KiEndThreadCycleAccumulation
		sti
		mov	al, [ebp+var_1]

loc_443E35:				; CODE XREF: KiGroupSchedulingGenerationEnd+1Bj
		push	[ebp+arg_4]
		mov	dl, al
		mov	ecx, esi
		push	[ebp+arg_0]
		call	KiTransitionSchedulingGroupGeneration
		cmp	[ebp+var_1], 0
		jnz	short loc_443E94
		push	edi
		mov	edi, [esi+8]
		xor	eax, eax
		mov	[ebp+arg_4], eax
		test	edi, edi
		jnz	short loc_443EC5

loc_443E57:				; CODE XREF: KiGroupSchedulingGenerationEnd+10Aj
		cmp	edi, [esi+0Ch]
		jz	short loc_443E7F
		cmp	ebx, [ebp+var_8]
		jz	short loc_443EC1
		movsx	ecx, byte ptr [ebx+87h]
		inc	ecx
		cmp	ecx, 1Fh
		jg	short loc_443E7F

loc_443E6E:				; CODE XREF: KiGroupSchedulingGenerationEnd+BBj
		mov	edx, esi
		call	KiSelectReadyThread
		mov	edi, eax
		test	edi, edi
		jnz	loc_443F17

loc_443E7F:				; CODE XREF: KiGroupSchedulingGenerationEnd+52j
					; KiGroupSchedulingGenerationEnd+64j ...
		mov	eax, [ebp+arg_4]

loc_443E82:				; CODE XREF: KiGroupSchedulingGenerationEnd+15Fj
		pop	edi
		cmp	ebx, [ebp+var_8]
		jz	short loc_443E9A

loc_443E88:				; CODE XREF: KiGroupSchedulingGenerationEnd+B2j
					; KiGroupSchedulingGenerationEnd+174j
		cli
		push	ecx
		mov	edx, ebx
		mov	ecx, esi
		call	KiStartThreadCycleAccumulation
		sti

loc_443E94:				; CODE XREF: KiGroupSchedulingGenerationEnd+40j
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_443E9A:				; CODE XREF: KiGroupSchedulingGenerationEnd+7Ej
		test	eax, eax
		jg	loc_443F98
		js	loc_5AD16D

loc_443EA8:				; CODE XREF: KiGroupSchedulingGenerationEnd+197j
					; KiGroupSchedulingGenerationEnd+1A9j ...
		mov	eax, [esi+8]
		test	eax, eax
		jnz	loc_443F6C

loc_443EB3:				; CODE XREF: KiGroupSchedulingGenerationEnd+167j
		test	byte ptr [esi+2238h], 1
		jz	short loc_443E88

loc_443EBC:				; CODE XREF: KiGroupSchedulingGenerationEnd+17Aj
		push	1Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_443EC1:				; CODE XREF: KiGroupSchedulingGenerationEnd+57j
		xor	ecx, ecx
		jmp	short loc_443E6E
; 

loc_443EC5:				; CODE XREF: KiGroupSchedulingGenerationEnd+4Dj
		cmp	edi, [esi+0Ch]
		jz	short loc_443E7F
		and	[esi+8], eax
		test	byte ptr [ebx+2], 4
		jnz	loc_443FB6

loc_443ED7:				; CODE XREF: KiGroupSchedulingGenerationEnd+1C1j
		mov	cl, [ebx+87h]

loc_443EDD:				; CODE XREF: KiGroupSchedulingGenerationEnd+1BBj
		mov	eax, [esi+33Ch]
		mov	edx, edi
		push	0
		push	1
		mov	[eax], cl
		mov	ecx, esi
		mov	byte ptr [edi+90h], 1
		mov	eax, ds:_KeTickCount
		mov	[edi+138h], eax
		movsx	eax, byte ptr [edi+87h]
		push	eax
		call	_KiAddThreadToPrcbQueue@20 ; KiAddThreadToPrcbQueue(x,x,x,x,x)
		xor	eax, eax
		inc	eax
		mov	[ebp+arg_4], eax
		jmp	loc_443E57
; 

loc_443F17:				; CODE XREF: KiGroupSchedulingGenerationEnd+71j
		test	byte ptr [edi+2], 4
		jnz	short loc_443F87

loc_443F1D:				; CODE XREF: KiGroupSchedulingGenerationEnd+18Ej
		mov	cl, [edi+87h]

loc_443F23:				; CODE XREF: KiGroupSchedulingGenerationEnd+18Cj
		mov	eax, [esi+33Ch]
		mov	[eax], cl
		cmp	edi, [esi+0Ch]
		mov	eax, [esi+4DCh]
		setz	cl
		mov	[esi+8], edi
		test	eax, eax
		jz	short loc_443F41
		mov	[eax+10h], cl

loc_443F41:				; CODE XREF: KiGroupSchedulingGenerationEnd+134j
		mov	al, [edi+90h]
		cmp	al, 1
		jnz	short loc_443F5C
		mov	eax, ds:_KeTickCount
		sub	eax, [edi+138h]
		add	[edi+170h], eax

loc_443F5C:				; CODE XREF: KiGroupSchedulingGenerationEnd+141j
		mov	eax, [ebp+arg_4]
		mov	byte ptr [edi+90h], 3
		dec	eax
		jmp	loc_443E82
; 

loc_443F6C:				; CODE XREF: KiGroupSchedulingGenerationEnd+A5j
		cmp	eax, [esi+0Ch]
		jz	loc_443EB3
		test	byte ptr [esi+2238h], 1
		jnz	loc_443E88
		jmp	loc_443EBC
; 

loc_443F87:				; CODE XREF: KiGroupSchedulingGenerationEnd+113j
		mov	edx, esi
		mov	ecx, edi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_443F23
		jmp	short loc_443F1D
; 

loc_443F98:				; CODE XREF: KiGroupSchedulingGenerationEnd+94j
		test	byte ptr [esi+2238h], 1
		jz	loc_443EA8
		xor	edx, edx
		push	1
		inc	edx

loc_443FAA:				; CODE XREF: KiGroupSchedulingGenerationEnd+169376j
		mov	ecx, esi
		call	KiSetProcessorIdle
		jmp	loc_443EA8
; 

loc_443FB6:				; CODE XREF: KiGroupSchedulingGenerationEnd+C9j
		mov	edx, esi
		mov	ecx, ebx
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	loc_443EDD
		jmp	loc_443ED7
KiGroupSchedulingGenerationEnd endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiTransitionSchedulingGroupGeneration proc near
					; CODE XREF: KiGroupSchedulingGenerationEnd+37p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AD183 SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		mov	ebx, 1
		mov	[ebp+var_8], edi
		mov	[ebp+var_20], ebx
		mov	ecx, [edi+3D6Ch]
		mov	eax, [edi+3D68h]
		mov	[ebp+var_1C], ecx
		cmp	[ebp+arg_4], ecx
		jb	short loc_444035
		mov	esi, [ebp+arg_0]
		ja	short loc_444008
		cmp	esi, eax
		jbe	short loc_444035

loc_444008:				; CODE XREF: KiTransitionSchedulingGroupGeneration+32j
		mov	ecx, ds:_KiGenerationTicks
		mov	edx, ecx
		sub	edx, eax
		mov	eax, 0
		push	0
		sbb	eax, [ebp+var_1C]
		add	edx, esi
		push	ecx
		adc	eax, [ebp+arg_4]
		add	edx, 0FFFFFFFFh
		adc	eax, 0FFFFFFFFh
		push	eax
		push	edx
		call	__aulldiv
		lea	ebx, [eax+1]
		mov	[ebp+var_20], ebx

loc_444035:				; CODE XREF: KiTransitionSchedulingGroupGeneration+2Dj
					; KiTransitionSchedulingGroupGeneration+36j
		mov	ecx, _KiGenerationEndTick
		mov	[edi+3D68h], ecx
		mov	ecx, dword_6CB3E4
		mov	[edi+3D6Ch], ecx
		mov	dword ptr [edi+3CE8h], 0
		mov	dword ptr [edi+3CECh], 0
		mov	eax, [edi+8]
		mov	byte ptr [ebp+arg_4+3],	0
		mov	[ebp+var_18], eax
		test	eax, eax
		jnz	short loc_444075
		mov	eax, [edi+4]
		mov	[ebp+var_18], eax

loc_444075:				; CODE XREF: KiTransitionSchedulingGroupGeneration+9Dj
		mov	eax, [eax+50h]
		mov	[ebp+var_14], eax
		test	eax, eax
		jnz	loc_444300

loc_444083:				; CODE XREF: KiTransitionSchedulingGroupGeneration+339j
		mov	eax, [edi+3CF0h]
		lea	ecx, [edi+3CF0h]
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_1C], eax
		cmp	eax, ecx
		jz	loc_4441CB
		lea	ecx, [ecx+0]

loc_4440A0:				; CODE XREF: KiTransitionSchedulingGroupGeneration+1EFj
		lea	esi, [eax-48h]
		mov	[ebp+var_10], esi
		cmp	ebx, 40h
		jnb	loc_44433C
		mov	eax, [esi+30h]
		mov	ecx, ebx
		mov	edx, [esi+34h]
		call	__allshl

loc_4440BC:				; CODE XREF: KiTransitionSchedulingGroupGeneration+370j
		test	byte ptr [esi+5Ch], 4
		jnz	loc_44427B

loc_4440C6:				; CODE XREF: KiTransitionSchedulingGroupGeneration+2AEj
		mov	[esi+30h], eax
		mov	ebx, esi
		mov	[esi+34h], edx
		mov	edx, esi
		sub	ebx, [edi+3B34h]
		mov	ecx, ebx
		mov	[ebp+var_2C], ebx
		call	_KiChargeSchedulingGroupCycleTime@8 ; KiChargeSchedulingGroupCycleTime(x,x)
		cmp	[ebp+var_1], 0
		jnz	short loc_4440F3
		cmp	byte ptr [edi+3D0h], 0
		jnz	loc_4441E1

loc_4440F3:				; CODE XREF: KiTransitionSchedulingGroupGeneration+114j
					; KiTransitionSchedulingGroupGeneration+215j ...
		mov	eax, [esi+8]
		cmp	eax, [esi+10h]
		jnz	loc_4442AD
		mov	eax, [esi+0Ch]
		cmp	eax, [esi+14h]
		jnz	loc_4442AD

loc_44410B:				; CODE XREF: KiTransitionSchedulingGroupGeneration+32Bj
		mov	edx, [esi+64h]
		mov	dword ptr [esi], 0
		mov	dword ptr [esi+4], 0
		mov	dword ptr [esi+28h], 0
		mov	dword ptr [esi+2Ch], 0
		test	edx, edx
		jz	short loc_444148
		movzx	ecx, byte ptr [esi+5Ch]
		shr	ecx, 3
		and	ecx, 1
		sub	ecx, [esi+60h]
		mov	eax, ecx
		lock xadd [edx], eax
		add	eax, ecx
		js	loc_5AD183

loc_444148:				; CODE XREF: KiTransitionSchedulingGroupGeneration+15Bj
					; KiTransitionSchedulingGroupGeneration+1691BCj
		mov	cl, [esi+5Ch]
		lea	edi, [esi+50h]
		movzx	eax, cl
		and	cl, 0FCh
		shr	eax, 3
		and	eax, 1
		mov	dword ptr [esi+18h], 0
		mov	[esi+60h], eax
		xor	eax, eax
		mov	dword ptr [esi+1Ch], 0
		mov	[esi+5Ch], cl
		stosd
		stosd
		stosd
		mov	dword ptr [esi+0ECh], 0
		mov	dword ptr [esi+0F0h], 0
		mov	eax, [esi+60h]
		test	eax, eax
		jnz	loc_444283

loc_444192:				; CODE XREF: KiTransitionSchedulingGroupGeneration+1691C9j
		and	byte ptr [esi+5Ch], 0FBh
		cmp	esi, [ebp+var_14]
		jz	loc_44430E

loc_44419F:				; CODE XREF: KiTransitionSchedulingGroupGeneration+1691C3j
		mov	edi, [ebp+var_8]

loc_4441A2:				; CODE XREF: KiTransitionSchedulingGroupGeneration+367j
		push	0
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	KiMoveScbThreadsToNewReadylist

loc_4441AE:				; CODE XREF: KiTransitionSchedulingGroupGeneration+2C2j
					; KiTransitionSchedulingGroupGeneration+2D8j
		mov	eax, [ebp+var_1C]
		mov	edi, [ebp+var_8]
		mov	ebx, [ebp+var_20]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		cmp	eax, [ebp+var_3C]
		jnz	loc_4440A0
		cmp	byte ptr [ebp+arg_4+3],	0
		jnz	short loc_4441D8

loc_4441CB:				; CODE XREF: KiTransitionSchedulingGroupGeneration+C7j
		cmp	byte ptr [edi+2254h], 0
		jnz	loc_5AD19E

loc_4441D8:				; CODE XREF: KiTransitionSchedulingGroupGeneration+1F9j
					; KiTransitionSchedulingGroupGeneration+1691E6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4441E1:				; CODE XREF: KiTransitionSchedulingGroupGeneration+11Dj
		test	byte ptr [esi+5Ch], 10h
		jnz	loc_4440F3
		mov	eax, [ebx+28h]
		lea	esi, [ebx+30h]
		mov	ecx, [ebx+2Ch]
		mov	[ebp+var_C], eax
		mov	[ebp+var_24], ecx
		mov	[ebp+var_38], esi
		lea	ecx, [ecx+0]

loc_444200:				; CODE XREF: KiTransitionSchedulingGroupGeneration+253j
					; KiTransitionSchedulingGroupGeneration+258j
		mov	edi, [esi]
		mov	ebx, edi
		mov	edx, [esi+4]
		add	ebx, eax
		mov	ecx, edx
		mov	[ebp+var_28], edx
		adc	ecx, [ebp+var_24]
		mov	eax, edi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		nop
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		mov	eax, [ebp+var_C]
		jnz	short loc_444200
		cmp	edx, [ebp+var_28]
		jnz	short loc_444200
		mov	eax, [ebp+var_2C]
		mov	esi, [ebp+var_10]
		mov	ecx, [eax+28h]
		mov	eax, [eax+2Ch]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_2C], eax
		cmp	[ebp+var_30], eax
		jg	short loc_444250
		jl	loc_4440F3
		cmp	[ebp+var_34], ecx
		jbe	loc_4440F3

loc_444250:				; CODE XREF: KiTransitionSchedulingGroupGeneration+26Fj
		mov	esi, [ebp+var_38]

loc_444253:				; CODE XREF: KiTransitionSchedulingGroupGeneration+29Cj
					; KiTransitionSchedulingGroupGeneration+2A1j
		mov	edi, [esi]
		mov	eax, edi
		mov	edx, [esi+4]
		mov	[ebp+var_38], edx
		nop
		mov	ebx, ecx
		mov	ecx, [ebp+var_2C]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+var_C]
		cmp	eax, edi
		jnz	short loc_444253
		cmp	edx, [ebp+var_38]
		jnz	short loc_444253
		mov	esi, [ebp+var_10]
		jmp	loc_4440F3
; 

loc_44427B:				; CODE XREF: KiTransitionSchedulingGroupGeneration+F0j
		or	eax, 1
		jmp	loc_4440C6
; 

loc_444283:				; CODE XREF: KiTransitionSchedulingGroupGeneration+1BCj
		cmp	[ebp+var_1], 0
		jnz	loc_5AD191
		cmp	word ptr [esi+5Eh], 0
		jz	loc_4441AE
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	0
		call	_KiInsertNonMaxOverQuotaScb@12 ; KiInsertNonMaxOverQuotaScb(x,x,x)
		mov	byte ptr [ebp+arg_4+3],	1
		jmp	loc_4441AE
; 

loc_4442AD:				; CODE XREF: KiTransitionSchedulingGroupGeneration+129j
					; KiTransitionSchedulingGroupGeneration+135j
		mov	eax, ds:_KiGroupSchedulingNumerator
		mov	ecx, 400h
		sub	ecx, eax
		mov	[ebp+var_10], eax
		mov	eax, [esi+24h]
		mul	ecx
		mov	edi, eax
		mov	eax, [esi+20h]
		mul	ecx
		mov	ebx, eax
		add	edi, edx
		mov	eax, [esi+4]
		shrd	ebx, edi, 0Ah
		shr	edi, 0Ah
		mov	[ebp+var_38], edi
		mov	edi, [esi]
		shrd	edi, eax, 0Ah
		shr	eax, 0Ah
		mul	[ebp+var_10]
		mov	ecx, eax
		mov	eax, edi
		mul	[ebp+var_10]
		add	ecx, edx
		add	ebx, eax
		mov	eax, [ebp+var_38]
		adc	eax, ecx
		mov	[esi+20h], ebx
		mov	[esi+24h], eax
		jmp	loc_44410B
; 

loc_444300:				; CODE XREF: KiTransitionSchedulingGroupGeneration+ADj
		add	eax, [edi+3B34h]
		mov	[ebp+var_14], eax
		jmp	loc_444083
; 

loc_44430E:				; CODE XREF: KiTransitionSchedulingGroupGeneration+1C9j
		mov	ebx, [ebp+var_18]
		mov	edi, [ebp+var_8]
		test	byte ptr [ebx+2], 4
		jz	short loc_444329
		mov	edx, edi
		mov	ecx, ebx
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_44432F

loc_444329:				; CODE XREF: KiTransitionSchedulingGroupGeneration+348j
		mov	cl, [ebx+87h]

loc_44432F:				; CODE XREF: KiTransitionSchedulingGroupGeneration+357j
		mov	eax, [edi+33Ch]
		mov	[eax], cl
		jmp	loc_4441A2
; 

loc_44433C:				; CODE XREF: KiTransitionSchedulingGroupGeneration+D9j
		xor	eax, eax
		xor	edx, edx
		jmp	loc_4440BC
KiTransitionSchedulingGroupGeneration endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiChargeSchedulingGroupCycleTime(x,	x)
_KiChargeSchedulingGroupCycleTime@8 proc near
					; CODE XREF: KiRecomputeGroupSchedulingRank(x,x,x)+Fp
					; KiTransitionSchedulingGroupGeneration+10Bp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [edx]
		push	ebx
		mov	ebx, [edx+28h]
		push	esi
		mov	esi, [edx+4]
		sub	ebx, eax
		push	edi
		mov	edi, [edx+2Ch]
		mov	[edx+28h], eax
		sbb	edi, esi
		lea	eax, [ecx+30h]
		mov	[ebp+var_14], ecx
		mov	[edx+2Ch], esi
		mov	[ebp+var_C], ebx
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], eax
		nop

loc_444380:				; CODE XREF: KiChargeSchedulingGroupCycleTime(x,x)+57j
					; KiChargeSchedulingGroupCycleTime(x,x)+5Cj
		mov	esi, [eax]
		add	ebx, esi
		mov	edx, [eax+4]
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_1C], edx
		adc	ecx, edx
		mov	[ebp+var_18], ebx
		nop
		mov	edi, [ebp+var_8]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_18]
		cmp	eax, esi
		mov	eax, [ebp+var_8]
		mov	ebx, [ebp+var_C]
		jnz	short loc_444380
		cmp	edx, [ebp+var_1C]
		jnz	short loc_444380
		test	ecx, ecx
		jg	short loc_4443D7
		jl	short loc_4443B8
		test	edi, edi
		jnz	short loc_4443D7

loc_4443B8:				; CODE XREF: KiChargeSchedulingGroupCycleTime(x,x)+62j
		mov	al, 1

loc_4443BA:				; CODE XREF: KiChargeSchedulingGroupCycleTime(x,x)+89j
		mov	esi, [ebp+var_14]
		add	esi, 20h
		mov	[ebp+var_1], al
		cmp	dword ptr [esi+4], 0
		jl	short loc_4443D0
		jg	short loc_4443E0
		cmp	dword ptr [esi], 0
		ja	short loc_4443E0

loc_4443D0:				; CODE XREF: KiChargeSchedulingGroupCycleTime(x,x)+77j
					; KiChargeSchedulingGroupCycleTime(x,x)+CCj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4443D7:				; CODE XREF: KiChargeSchedulingGroupCycleTime(x,x)+60j
					; KiChargeSchedulingGroupCycleTime(x,x)+66j
		xor	al, al
		jmp	short loc_4443BA
; 
		jmp	short loc_4443E0
; 
		align 10h

loc_4443E0:				; CODE XREF: KiChargeSchedulingGroupCycleTime(x,x)+79j
					; KiChargeSchedulingGroupCycleTime(x,x)+7Ej ...
		mov	edi, [esi]
		mov	ecx, [ebp+var_C]
		mov	edx, [esi+4]
		add	ecx, edi
		mov	eax, [ebp+var_10]
		adc	eax, edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_1C], eax
		mov	eax, edi
		mov	[ebp+var_8], ecx
		nop
		mov	ebx, ecx
		mov	ecx, [ebp+var_1C]
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		jnz	short loc_4443E0
		cmp	edx, [ebp+var_18]
		jnz	short loc_4443E0
		test	ecx, ecx
		jg	short loc_444419
		jl	short loc_44441E
		cmp	[ebp+var_8], 0
		jbe	short loc_44441E

loc_444419:				; CODE XREF: KiChargeSchedulingGroupCycleTime(x,x)+BFj
					; KiChargeSchedulingGroupCycleTime(x,x)+DAj ...
		mov	al, [ebp+var_1]
		jmp	short loc_4443D0
; 

loc_44441E:				; CODE XREF: KiChargeSchedulingGroupCycleTime(x,x)+C1j
					; KiChargeSchedulingGroupCycleTime(x,x)+C7j
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		add	eax, 40h
		xchg	ecx, [eax]
		test	ecx, ecx
		jz	short loc_444419
		push	0
		push	0
		push	ecx
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		jmp	short loc_444419
_KiChargeSchedulingGroupCycleTime@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiMoveScbThreadsToNewReadylist proc near
					; CODE XREF: KiTransitionSchedulingGroupGeneration+1D9p
					; KiResetScb(x,x)+6Dp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AD1BB SIZE 000000B8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_14], edx
		mov	[ebp+var_20], eax
		mov	ebx, ecx
		mov	byte ptr [ebp+var_C], al
		mov	[ebp+var_10], eax
		mov	[ebp+var_2], al
		movzx	ecx, word ptr [ebx+5Eh]
		mov	[ebp+var_3], al
		mov	[ebp+var_1], al
		mov	eax, ecx
		mov	[ebp+var_8], ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		test	edx, edx
		jnz	loc_5AD1BB
		test	edi, edi
		jz	loc_5AD1CE
		mov	[ebp+var_3], 1

loc_44447F:				; CODE XREF: KiMoveScbThreadsToNewReadylist+168D91j
					; KiMoveScbThreadsToNewReadylist+168D98j ...
		test	eax, eax
		jnz	short loc_444490

loc_444483:				; CODE XREF: KiMoveScbThreadsToNewReadylist+E4j
		pop	edi
		xor	eax, eax
		pop	esi
		mov	[ebx+5Eh], ax
		pop	ebx
		leave
		retn	8
; 

loc_444490:				; CODE XREF: KiMoveScbThreadsToNewReadylist+49j
					; KiMoveScbThreadsToNewReadylist+EDj
		bsr	ecx, eax
		lea	esi, [ebx+6Ch]
		btc	eax, ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_20], eax
		lea	esi, [esi+ecx*8]
		mov	cl, [ebp+var_1]
		mov	ebx, [esi]

loc_4444A7:				; CODE XREF: KiMoveScbThreadsToNewReadylist+CDj
		mov	[ebp+var_18], ebx
		lea	edi, [ebx-9Ch]
		test	cl, cl
		jnz	short loc_44452A
		and	dword ptr [edi+58h], 0FFFFDFFFh
		xor	eax, eax

loc_4444BD:				; CODE XREF: KiMoveScbThreadsToNewReadylist+F4j
		cmp	[ebp+var_2], 0
		mov	[edi+230h], eax
		mov	ebx, [ebx]
		jnz	loc_5AD1DF
		cmp	[ebp+var_3], 0
		jz	short loc_444503
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		push	eax
		push	0
		push	ecx
		mov	ecx, edi
		call	_KiGetThreadEffectiveRankNonZero@20 ; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)
		push	[ebp+var_C]
		movsx	eax, byte ptr [edi+87h]
		mov	edx, edi
		mov	ecx, [ebp+arg_0]
		push	0
		push	eax
		call	_KiAddThreadToPrcbQueue@20 ; KiAddThreadToPrcbQueue(x,x,x,x,x)
		mov	edx, [ebp+var_14]

loc_444500:				; CODE XREF: KiMoveScbThreadsToNewReadylist+168DBAj
		mov	cl, [ebp+var_1]

loc_444503:				; CODE XREF: KiMoveScbThreadsToNewReadylist+9Bj
		cmp	ebx, esi
		jnz	short loc_4444A7
		test	cl, cl
		jnz	loc_5AD1F7

loc_44450F:				; CODE XREF: KiMoveScbThreadsToNewReadylist+168E04j
		mov	eax, [ebp+var_20]
		mov	ebx, [ebp+var_8]
		mov	[esi+4], esi
		mov	[esi], esi
		test	eax, eax
		jz	loc_444483
		mov	edx, [ebp+var_14]
		jmp	loc_444490
; 

loc_44452A:				; CODE XREF: KiMoveScbThreadsToNewReadylist+7Aj
		mov	eax, edx
		jmp	short loc_4444BD
KiMoveScbThreadsToNewReadylist endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGetIntervalDelta(x, x, x,	x)
_KiGetIntervalDelta@16 proc near	; CODE XREF: KiRecomputeGroupSchedulingRank(x,x,x)+8Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		add	ecx, [ebp+arg_8]
		push	[ebp+arg_C]
		mov	eax, [ebp+arg_4]
		adc	eax, [ebp+arg_C]
		add	ecx, 0FFFFFFFFh
		push	[ebp+arg_8]
		adc	eax, 0FFFFFFFFh
		push	eax
		push	ecx
		call	__aulldiv
		pop	ebp
		retn	10h
_KiGetIntervalDelta@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiUpdateNodeAffinitizedFlag proc near	; CODE XREF: KiSetSystemAffinityThread(x,x,x,x)+86p
					; KeStartThread+DEp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		xor	ecx, ecx
		push	esi
		push	edi
		inc	ecx
		movzx	eax, word ptr [ebx+168h]
		mov	edi, [ebx+164h]
		mov	eax, ds:dword_70E328[eax*4]
		cmp	edi, eax
		jnz	short loc_444590

loc_44457C:				; CODE XREF: KiMoveScbThreadsToNewReadylist+168E36j
		mov	edx, ecx

loc_44457E:				; CODE XREF: KiUpdateNodeAffinitizedFlag+43j
					; KiMoveScbThreadsToNewReadylist+168E2Aj
		movzx	eax, byte ptr [ebx+2]
		shr	eax, 3
		and	eax, ecx
		cmp	edx, eax
		jz	short loc_4445A0

loc_44458B:				; CODE XREF: KiUpdateNodeAffinitizedFlag+52j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_444590:				; CODE XREF: KiUpdateNodeAffinitizedFlag+24j
		xor	edx, edx
		cmp	ds:_KeNumberNodes, cx
		jbe	short loc_44457E
		jmp	loc_5AD246
; 

loc_4445A0:				; CODE XREF: KiUpdateNodeAffinitizedFlag+33j
		mov	eax, 80000h
		lock xor [ebx],	eax
		jmp	short loc_44458B
KiUpdateNodeAffinitizedFlag endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiFastReadyThread proc near		; CODE XREF: KeReadyThread(x)+19p
					; KiInSwapKernelStacks(x)+57p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005AD273 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	dword ptr ds:byte_70EFC4, 200h
		mov	[ebp+var_1], al
		jnz	loc_5AD273

loc_4445D0:				; CODE XREF: KiFastReadyThread+168CE0j
		mov	ebx, large fs:20h
		lea	edi, [esi+2Ch]
		and	[ebp+var_8], 0

loc_4445DE:				; CODE XREF: KiFastReadyThread+79j
		lock bts dword ptr [edi], 0
		jb	short loc_444617
		mov	ecx, esi
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		lea	eax, [esi+9Ch]
		mov	dword ptr [edi], 0
		and	dword ptr [eax], 0
		lea	edx, [ebp+var_C]
		mov	ecx, ebx
		mov	[ebp+var_C], eax
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, ebx
		call	KiCheckForThreadDispatch
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_444617:				; CODE XREF: KiFastReadyThread+39j
					; KiFastReadyThread+7Bj
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_4445DE
		jmp	short loc_444617
KiFastReadyThread endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiFastExitThreadWait(x, x, x)
_KiFastExitThreadWait@12 proc near	; CODE XREF: KeRemovePriQueue+1F0p
					; KeDelayExecutionThread(x,x,x)+F1p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	ecx, ecx
		mov	byte ptr [edi+90h], 2
		lock or	[eax], ecx
		lea	esi, [edi+2Ch]
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_444665

loc_444652:				; CODE XREF: KiFastExitThreadWait(x,x,x)+5Dj
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, ebx
		call	KiExitThreadWait
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_444665:				; CODE XREF: KiFastExitThreadWait(x,x,x)+28j
		and	[ebp+var_8], ecx

loc_444668:				; CODE XREF: KiFastExitThreadWait(x,x,x)+55j
		lock bts dword ptr [esi], 0
		jnb	short loc_44467F

loc_44466F:				; CODE XREF: KiFastExitThreadWait(x,x,x)+53j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_44466F
		jmp	short loc_444668
; 

loc_44467F:				; CODE XREF: KiFastExitThreadWait(x,x,x)+45j
		mov	dword ptr [esi], 0
		jmp	short loc_444652
_KiFastExitThreadWait@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiExitThreadWait proc near		; CODE XREF: KiFastExitThreadWait(x,x,x)+31p
					; KiCommitThreadWait+4A5p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005AD28F SIZE 00000059 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	dl, [esi+92h]
		mov	al, [esi+54h]
		mov	byte ptr [ebp+var_C], dl
		test	al, 38h
		jnz	short loc_4446C1
		cmp	[ebp+arg_0], 0
		jz	short loc_4446B7
		call	KiCheckForThreadDispatch

loc_4446B1:				; CODE XREF: KiExitThreadWait+37j
					; KiExitThreadWait+168C4Bj
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_4446B7:				; CODE XREF: KiExitThreadWait+22j
		mov	cl, dl

loc_4446B9:				; CODE XREF: KiExitThreadWait+54j
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4446B1
; 

loc_4446C1:				; CODE XREF: KiExitThreadWait+1Cj
		test	al, 18h
		jnz	loc_5AD28F
		mov	dl, 1
		call	KiCheckForThreadDispatch
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		xor	cl, cl
		jmp	short loc_4446B9
KiExitThreadWait endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiCheckForThreadDispatch proc near	; CODE XREF: KiAbThreadUnboostCpuPriority+E9p
					; KeGenericProcessorCallback(x,x,x,x)+117p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A7EB3 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	[esp+14h+var_10], edx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	eax, [ebx+8]
		cmp	dl, 2
		jnb	short loc_444720
		mov	edi, [ebx+4]
		mov	[esp+20h+var_4], edi
		test	eax, eax
		jnz	short loc_444738
		test	byte ptr [edi+58h], 40h
		jnz	loc_5A7EB3

loc_44470F:				; CODE XREF: KiCheckForThreadDispatch+DBj
					; KiCheckForThreadDispatch+F5j
		mov	cl, byte ptr [esp+20h+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_444719:				; CODE XREF: KiCheckForThreadDispatch+44j
					; KiCheckForThreadDispatch+4Ej	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_444720:				; CODE XREF: KiCheckForThreadDispatch+1Aj
		test	eax, eax
		jz	short loc_444719
		mov	al, [ebx+223Ah]
		test	al, al
		jnz	short loc_444719
		mov	cl, 2
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		jmp	short loc_444719
; 

loc_444738:				; CODE XREF: KiCheckForThreadDispatch+25j
		xor	edx, edx
		mov	ecx, edi
		call	KiAbProcessContextSwitch
		xor	esi, esi
		lea	edi, [ebx+2224h]
		mov	[esp+20h+var_8], esi

loc_44474D:				; CODE XREF: KiCheckForThreadDispatch+109j
		lock bts dword ptr [edi], 0
		jb	loc_4447D8
		mov	edx, [ebx+8]
		mov	[esp+20h+var_C], edx
		mov	[ebx+8], esi
		cli
		mov	edi, [esp+20h+var_4]
		mov	ecx, ebx
		push	esi
		mov	edx, edi
		call	KiEndThreadCycleAccumulation
		sti
		mov	ecx, [esp+20h+var_C]
		mov	[ebx+4], ecx
		mov	al, [ecx+90h]
		cmp	al, 1
		jz	loc_5A7E9D

loc_444787:				; CODE XREF: KiAbThreadUnboostCpuPriority+168082j
		mov	eax, [esp+20h+var_10]
		mov	edx, edi
		mov	byte ptr [ecx+90h], 2
		mov	ecx, ebx
		mov	byte ptr [edi+18Bh], 20h
		mov	[edi+92h], al
		call	KiQueueReadyThread
		push	[esp+20h+var_10]
		mov	edx, [esp+24h+var_C]
		mov	ecx, edi
		call	@KiSwapContext@12 ; KiSwapContext(x,x,x)
		test	al, al
		jz	loc_44470F
		mov	cl, 1
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4447C7:				; CODE XREF: KiCheckForThreadDispatch+1637DFj
		and	dword ptr [edi+58h], 0FFFFFFBFh
		push	esi
		push	esi
		push	esi
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		jmp	loc_44470F
; 

loc_4447D8:				; CODE XREF: KiCheckForThreadDispatch+74j
					; KiCheckForThreadDispatch+107j
		lea	ecx, [esp+20h+var_8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_4447D8
		jmp	loc_44474D
KiCheckForThreadDispatch endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSelectIdealProcessor(x, x, x, x)
_KeSelectIdealProcessor@16 proc	near	; CODE XREF: KeStartThread+139p
					; KiSetAffinityThread+ABp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		push	edi
		mov	edi, ecx
		jz	loc_44488B

loc_4447FF:				; CODE XREF: KeSelectIdealProcessor(x,x,x,x)+A5j
		mov	esi, [edi+84h]
		and	esi, [edx]
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_444871
		test	ds:_KiCacheAwareScheduling, 4
		jz	short loc_444871
		mov	eax, [eax]
		push	ebx
		mov	ebx, ds:_KiProcessorBlock[eax*4]
		cmp	[ebx+338h], edi
		jnz	short loc_444870
		mov	ebx, [ebx+4034h]
		mov	eax, ebx
		and	eax, esi
		mov	[ebp+arg_4], eax
		jz	short loc_444870
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		cmp	cl, 2
		jb	short loc_444870
		mov	esi, [ebp+arg_4]

loc_444870:				; CODE XREF: KeSelectIdealProcessor(x,x,x,x)+3Bj
					; KeSelectIdealProcessor(x,x,x,x)+4Aj ...
		pop	ebx

loc_444871:				; CODE XREF: KeSelectIdealProcessor(x,x,x,x)+20j
					; KeSelectIdealProcessor(x,x,x,x)+29j
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, edi
		mov	dx, [esi]
		call	KiSelectIdealProcessor
		movzx	eax, ax
		pop	edi
		mov	[esi], ax
		pop	esi
		pop	ebp
		retn	8
; 

loc_44488B:				; CODE XREF: KeSelectIdealProcessor(x,x,x,x)+Dj
		lea	eax, [edi+58h]
		mov	[ebp+arg_0], eax
		jmp	loc_4447FF
_KeSelectIdealProcessor@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSelectIdealProcessor proc near	; CODE XREF: KeSelectIdealProcessor(x,x,x,x)+8Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AD2E8 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	edi
		movzx	edi, word ptr [ebx+9Ch]
		movzx	eax, word ptr [ebx+0A0h]
		cmp	di, ax
		jz	loc_444948
		mov	ecx, edi
		push	esi
		mov	esi, eax
		movzx	eax, dx
		sub	eax, ecx
		sub	esi, ecx
		inc	esi
		cdq
		idiv	esi
		add	edx, edi
		xor	edi, edi
		movzx	ecx, dx
		inc	edi
		mov	edx, [ebx+84h]
		shl	edi, cl
		mov	[ebp+var_8], edx
		test	edx, edi
		jz	loc_5AD2E8

loc_4448E4:				; CODE XREF: KiSelectIdealProcessor+168A67j
		mov	eax, edx
		not	eax
		mov	[ebp+var_4], eax
		mov	esi, eax
		mov	eax, [ebx+94h]
		mov	edx, eax
		mov	[ebp+var_C], eax

loc_4448F8:				; CODE XREF: KiSelectIdealProcessor+8Dj
		mov	ecx, esi
		not	ecx
		and	ecx, edx
		test	edi, ecx
		jz	short loc_44491F
		mov	ebx, [ebp+arg_0]
		mov	eax, edi
		neg	eax
		not	edi
		and	eax, edi
		and	ecx, eax
		test	ecx, ebx
		jz	short loc_444925

loc_444913:				; CODE XREF: KiSelectIdealProcessor+A7j
		and	ecx, ebx
		bsf	eax, ecx
		pop	esi

loc_444919:				; CODE XREF: KiSelectIdealProcessor+B5j
		pop	edi
		pop	ebx
		leave
		retn	4
; 

loc_44491F:				; CODE XREF: KiSelectIdealProcessor+6Aj
		or	esi, edx
		add	edx, edx
		jmp	short loc_4448F8
; 

loc_444925:				; CODE XREF: KiSelectIdealProcessor+7Bj
		mov	edi, [ebp+var_4]

loc_444928:				; CODE XREF: KiSelectIdealProcessor+A9j
		or	esi, edx
		add	edx, edx
		mov	eax, esi
		not	eax
		test	[ebp+var_8], eax
		jz	short loc_444941

loc_444935:				; CODE XREF: KiSelectIdealProcessor+B0j
		mov	ecx, esi
		not	ecx
		and	ecx, edx
		test	ecx, ebx
		jnz	short loc_444913
		jmp	short loc_444928
; 

loc_444941:				; CODE XREF: KiSelectIdealProcessor+9Dj
		mov	edx, [ebp+var_C]
		mov	esi, edi
		jmp	short loc_444935
; 

loc_444948:				; CODE XREF: KiSelectIdealProcessor+1Dj
		mov	ax, di
		jmp	short loc_444919
KiSelectIdealProcessor endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiUpdateTotalCyclesCurrentThread(x,	x, x)
_KiUpdateTotalCyclesCurrentThread@12 proc near
					; CODE XREF: KeUpdateTotalCyclesCurrentThread(x,x)+Dp
					; KiRemoveThreadFromSchedulingGroup+2Fp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	eax, ecx
		mov	ebx, edx
		mov	[ebp+var_4], eax
		call	KiEndThreadCycleAccumulation
		mov	edi, edx
		mov	esi, eax
		push	ecx
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	KiStartThreadCycleAccumulation
		mov	edx, edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KiUpdateTotalCyclesCurrentThread@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInitializeContextThread proc near	; CODE XREF: PAGELK:0071A702p

var_2E8		= dword	ptr -2E8h
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_204		= dword	ptr -204h
var_200		= word ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005AD302 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2E8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_2E4], edx
		mov	edx, [ebp+arg_8]
		push	edi
		xor	edi, edi
		mov	[ebp+var_2DC], esi
		mov	eax, [esi+20h]
		mov	ebx, eax
		sub	ebx, ds:_KiXSaveAreaLength
		and	ebx, 0FFFFFFC0h
		mov	[ebp+var_2D4], edx
		mov	[ebp+var_2E8], eax
		lea	ecx, [ebx-20h]
		test	edx, edx
		jz	loc_444C09
		lea	esi, [ecx-8Ch]
		sub	eax, esi
		push	eax		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	dword ptr [esi+8], 0BADB0D00h
		mov	eax, 27Fh
		mov	[ebx], ax
		add	esp, 0Ch
		mov	dword ptr [ebx+18h], 1F80h
		mov	eax, ds:_KeFeatureBits
		and	eax, 400000h
		or	eax, edi
		jz	short loc_444A17
		mov	dword ptr [ebx+200h], 1
		mov	[ebx+204h], edi

loc_444A17:				; CODE XREF: KiInitializeContextThread+85j
		mov	ecx, ds:0FFDF03D8h
		mov	edx, [ebp+var_2DC]
		or	ecx, 3
		mov	eax, ds:0FFDF03DCh
		mov	[edx+23Ch], eax
		mov	eax, esi
		mov	[edx+238h], ecx
		and	eax, 0FFFFFFF0h
		mov	ecx, 80h
		mov	byte ptr [esi+0Fh], 1
		push	ecx		; size_t
		sub	eax, ecx
		mov	dword ptr [esi+48h], 1F80h
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_2D8], eax
		call	_memset
		mov	esi, [ebp+var_2D4]
		lea	edi, [ebp+var_2D0]
		mov	eax, 27Fh
		xor	edx, edx
		mov	ecx, 0B3h
		add	esp, 0Ch
		rep movsd
		mov	esi, [ebp+var_2D0]
		mov	ecx, 10020h
		mov	[ebp+var_2B4], eax
		mov	edi, 10008h
		mov	[ebp+var_204], eax
		xor	eax, eax
		mov	[ebp+var_200], ax
		mov	eax, esi
		and	eax, ecx
		mov	[ebp+var_2B0], edx
		cmp	eax, ecx
		mov	[ebp+var_2AC], 0FFFFh
		mov	eax, esi
		mov	[ebp+var_2A8], edx
		setnz	cl
		mov	[ebp+var_2A4], edx
		and	eax, edi
		mov	[ebp+var_2A0], edx
		cmp	eax, edi
		mov	[ebp+var_29C], edx
		mov	[ebp+var_1FC], edx
		setnz	al
		mov	[ebp+var_1F8], edx
		mov	[ebp+var_1F4], edx
		mov	[ebp+var_1F0], edx
		mov	[ebp+var_1EC], 1F80h
		test	cl, al
		jnz	short loc_444B16
		push	ebx
		push	edx
		push	edx
		mov	edx, esi
		lea	ecx, [ebp+var_2D0]
		and	edx, 10028h
		call	KiContextToNpxFrame
		xor	edx, edx

loc_444B16:				; CODE XREF: KiInitializeContextThread+17Cj
		mov	eax, [ebp+var_2D8]
		and	esi, 6
		add	eax, 0FFFFFFF8h
		or	esi, 10001h
		mov	[ebp+var_2D4], eax
		add	eax, 0FFFFFFF4h
		push	1
		push	esi
		mov	[ebp+var_2E0], eax
		lea	esi, [ebx-0ACh]
		lea	eax, [ebp+var_2D0]
		push	eax
		push	edx
		push	esi
		call	KeContextToKframes
		or	dword ptr [esi+78h], 3
		mov	dl, 1
		or	dword ptr [esi+34h], 3
		or	dword ptr [esi+30h], 3
		xor	edi, edi
		mov	eax, [ebp+var_2D8]
		mov	[esi+28h], edi
		mov	dword ptr [eax-4], 1
		mov	eax, ds:_KiI386ExceptionChainTerminator
		mov	[esi+4Ch], eax
		mov	eax, [ebp+var_2E0]
		mov	byte ptr [esi+44h], 0FFh

loc_444B80:				; CODE XREF: KiInitializeContextThread+2FFj
		mov	ecx, [ebp+var_2DC]
		lea	edi, [eax-0Ch]
		mov	eax, [ebp+arg_4]
		mov	[ecx+15Ah], dl
		mov	edx, [ebp+var_2D4]
		mov	[edx], eax
		mov	eax, [ebp+arg_0]
		mov	[edx-4], eax
		mov	eax, [ebp+var_2E4]
		mov	[edx-8], eax
		mov	[edx-0Ch], esi
		mov	dword ptr [edi+8], offset _KiThreadStartup@4 ; KiThreadStartup(x)
		mov	dword ptr [edi+4], 1
		mov	eax, ds:_KiI386ExceptionChainTerminator
		mov	[edi], eax
		mov	eax, ds:0FFDF03D8h
		or	eax, ds:0FFDF03DCh
		jz	short loc_444BDB
		test	byte ptr ds:0FFDF03ECh,	2
		jnz	loc_5AD302

loc_444BDB:				; CODE XREF: KiInitializeContextThread+24Cj
					; KiInitializeContextThread+168996j
		mov	eax, [ebp+var_2E8]
		lea	edx, [ebx-20h]
		mov	[edx], eax
		sub	eax, ds:_KeKernelStackSize
		mov	[ebx-1Ch], eax
		mov	[ecx+48h], edi
		mov	[ecx+4Ch], ebx
		mov	[ecx+20h], edx
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_444C09:				; CODE XREF: KiInitializeContextThread+4Aj
		sub	eax, ecx
		push	eax		; size_t
		push	edi		; int
		push	ecx		; void *
		call	_memset
		mov	eax, 27Fh
		mov	edi, 1F80h
		mov	[ebx], ax
		xor	edx, edx
		mov	[ebx+18h], edi
		add	esp, 0Ch
		mov	eax, ds:_KeFeatureBits
		and	eax, 400000h
		or	eax, edx
		jz	short loc_444C46
		mov	dword ptr [ebx+200h], 1
		mov	[ebx+204h], edx

loc_444C46:				; CODE XREF: KiInitializeContextThread+2B4j
		mov	ecx, ds:0FFDF03D8h
		mov	eax, ds:0FFDF03DCh
		or	ecx, 3
		mov	[esi+23Ch], eax
		mov	[esi+238h], ecx
		lea	esi, [ebx-0ACh]
		lea	eax, [esi+68h]
		mov	[esi+70h], edx
		mov	[ebp+var_2D4], eax
		add	eax, 0FFFFFFF4h
		mov	byte ptr [esi+0Fh], 2
		mov	[esi+48h], edi
		mov	[esi+6Ch], edx
		jmp	loc_444B80
KiInitializeContextThread endp


;  S U B	R O U T	I N E 


; __stdcall KeAbInitializeThreadState(x)
_KeAbInitializeThreadState@4 proc near	; CODE XREF: PAGELK:0071A6E3p
		lea	eax, [ecx+3B8h]
		push	esi
		mov	[ecx+1E8h], eax
		xor	esi, esi

loc_444C93:				; CODE XREF: KeAbInitializeThreadState(x)+2Aj
		mov	edx, [ecx+1E8h]
		add	edx, esi
		add	esi, 30h
		mov	eax, edx
		sub	eax, ecx
		shr	eax, 3
		mov	[edx+0Ch], al
		cmp	esi, 120h
		jb	short loc_444C93
		xor	eax, eax
		mov	byte ptr [ecx+1E4h], 3Fh
		inc	eax
		or	[ecx+58h], eax
		mov	[ecx+1ECh], eax
		mov	[ecx+1F0h], eax
		pop	esi
		retn
_KeAbInitializeThreadState@4 endp

; 
		align 10h
; Exported entry 1164. KeInitializeApc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeApc(x, x, x, x,	x, x, x, x)
		public _KeInitializeApc@32
_KeInitializeApc@32 proc near		; CODE XREF: MiStoreModifiedWriteDereference(x)+3Ep
					; .text:00522DA5p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		mov	byte ptr [edx],	12h
		mov	byte ptr [edx+2], 30h
		cmp	eax, 2
		jz	short loc_444D27

loc_444CEA:				; CODE XREF: KeInitializeApc(x,x,x,x,x,x,x,x)+5Dj
		mov	[edx+2Ch], al
		mov	eax, [ebp+arg_C]
		mov	[edx+14h], eax
		mov	eax, [ebp+arg_10]
		mov	[edx+18h], eax
		mov	eax, [ebp+arg_14]
		mov	[edx+8], ecx
		mov	ecx, eax
		neg	ecx
		mov	[edx+1Ch], eax
		sbb	ecx, ecx
		and	ecx, [ebp+arg_1C]
		test	eax, eax
		setz	al
		dec	al
		and	al, [ebp+arg_18]
		mov	[edx+2Dh], al
		mov	[edx+20h], ecx
		mov	byte ptr [edx+2Eh], 0
		mov	byte ptr [edx+1], 0
		pop	ebp
		retn	20h
; 

loc_444D27:				; CODE XREF: KeInitializeApc(x,x,x,x,x,x,x,x)+18j
		mov	al, [ecx+16Ah]
		jmp	short loc_444CEA
_KeInitializeApc@32 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1182. KeInitializeTimerEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeTimerEx(x, x)
		public _KeInitializeTimerEx@8
_KeInitializeTimerEx@8 proc near	; CODE XREF: PopSetWatchdog+1A7p
					; PopFxDispatchPluginWorkOnce+4Dp ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	al, [ebp+arg_4]
		add	al, 8
		mov	[ecx], edx
		mov	[ecx], al
		lea	eax, [ecx+8]
		mov	[ecx+4], edx
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[ecx+10h], edx
		mov	[ecx+14h], edx
		mov	[ecx+24h], edx
		pop	ebp
		retn	8
_KeInitializeTimerEx@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry  83. ExWaitForRundownProtectionRelease

;  S U B	R O U T	I N E 


; __fastcall ExWaitForRundownProtectionRelease(x)
		public @ExWaitForRundownProtectionRelease@4
@ExWaitForRundownProtectionRelease@4 proc near ; CODE XREF: CmpTryToRundownHive+CAp
					; PfSnDeactivateTrace+5Ep ...
		xor	edx, edx
		xor	eax, eax
		inc	edx
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	short loc_444D72

locret_444D71:				; CODE XREF: ExWaitForRundownProtectionRelease(x)+11j
		retn
; 

loc_444D72:				; CODE XREF: ExWaitForRundownProtectionRelease(x)+Bj
		cmp	eax, 1
		jz	short locret_444D71
		mov	edx, eax
		jmp	ExfWaitForRundownProtectionRelease
@ExWaitForRundownProtectionRelease@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeTerminateThread proc near		; CODE XREF: PspExitThread+2D8p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AD31B SIZE 00000052 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	KiCheckIfStackExpandCalloutActive
		mov	edx, [esi+0F4h]
		test	edx, edx
		jnz	loc_5AD31B

loc_444D9E:				; CODE XREF: KeTerminateThread+1685A7j
		mov	edi, [esi+150h]
		mov	byte ptr [esi+18Bh], 16h
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [edi+34h]
		push	ebx
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	eax, [esi+1D4h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_444F8A
		cmp	[ecx], eax
		jnz	loc_444F8A
		mov	[ecx], edx
		mov	eax, 0FFFFFF7Fh
		mov	[edx+4], ecx
		lock and [edi],	eax
		cmp	dword ptr [esi+50h], 0
		jnz	loc_444F14

loc_444DF4:				; CODE XREF: KeTerminateThread+19Dj
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	edx, [esi+0A4h]
		test	edx, edx
		jz	short loc_444E12
		lea	eax, [esi+140h]
		mov	ecx, esi
		push	eax
		call	KiActivateWaiterQueueWithNoLocks

loc_444E12:				; CODE XREF: KeTerminateThread+84j
		mov	ebx, large fs:20h
		mov	ecx, esi
		mov	[ebp+var_C], ebx
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	eax, [esi+8]
		mov	dword ptr [esi+4], 1
		mov	ecx, [eax]
		xor	edx, edx

loc_444E31:				; CODE XREF: KeTerminateThread+174j
		cmp	ecx, eax
		jnz	loc_444ECC
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		mov	byte ptr [esi+90h], 4
		cmp	[ebx+3B1Ch], edx
		jnz	loc_444EF7

loc_444E59:				; CODE XREF: KeTerminateThread+185j
		mov	eax, _PsReaperListHead
		lea	edi, [esi+29Ch]

loc_444E64:				; CODE XREF: KeTerminateThread+F7j
		mov	[edi], eax
		mov	edx, eax
		mov	ecx, edi
		mov	ebx, offset _PsReaperListHead
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_444E64
		test	eax, eax
		jnz	short loc_444EBE
		push	0FFFFFFFFh
		push	2
		pop	edx
		mov	ecx, offset _PsReaperWorkItem
		call	_ExQueueWorkItemEx@12 ;	ExQueueWorkItemEx(x,x,x)
		test	al, al
		jz	loc_5AD32A

loc_444E92:				; CODE XREF: KeTerminateThread+147j
					; KeTerminateThread+1685B6j ...
		and	[ebp+var_14], 0
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ebx, [ebp+var_C]
		lea	edi, [esi+2Ch]
		mov	eax, [edi]
		test	eax, eax
		jnz	loc_444FE5

loc_444EAE:				; CODE XREF: KeTerminateThread+287j
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	KiSwapThread
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_444EBE:				; CODE XREF: KeTerminateThread+FBj
		cmp	dword_6BEECC, 0
		jz	short loc_444E92
		jmp	loc_5AD339
; 

loc_444ECC:				; CODE XREF: KeTerminateThread+B5j
		mov	edi, ecx
		mov	ecx, [ecx]
		mov	[ebp+var_10], ecx
		mov	al, [edi+8]
		cmp	al, 1
		jnz	short loc_444F08
		movzx	eax, word ptr [edi+0Ah]
		push	edx
		push	eax

loc_444EE0:				; CODE XREF: KeTerminateThread+194j
		mov	edx, edi
		mov	ecx, ebx
		call	KiTryUnwaitThread

loc_444EE9:				; CODE XREF: KeTerminateThread+242j
		mov	ecx, [ebp+var_10]
		lea	eax, [esi+8]
		push	0
		pop	edx
		jmp	loc_444E31
; 

loc_444EF7:				; CODE XREF: KeTerminateThread+D5j
		push	edx
		push	edx
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	KiProcessThreadWaitList
		jmp	loc_444E59
; 

loc_444F08:				; CODE XREF: KeTerminateThread+15Aj
		cmp	al, 2
		jz	short loc_444F20
		push	edx
		push	100h
		jmp	short loc_444EE0
; 

loc_444F14:				; CODE XREF: KeTerminateThread+70j
		mov	ecx, esi
		call	KiRemoveThreadFromSchedulingGroup
		jmp	loc_444DF4
; 

loc_444F20:				; CODE XREF: KeTerminateThread+18Cj
		mov	byte ptr [edi+9], 5
		mov	ebx, [edi+0Ch]
		mov	[edi], edx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_8], eax
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		jnz	short loc_444F8F

loc_444F4A:				; CODE XREF: KeTerminateThread+226j
		mov	ecx, ebx
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	ecx, [ebx+8]
		cmp	[ecx], ecx
		jz	short loc_444F76
		mov	eax, [ebx+18h]
		cmp	eax, [ebx+1Ch]
		jnb	short loc_444F76
		mov	edx, [ebp+var_4]
		mov	eax, [edx+0A4h]
		cmp	eax, ebx
		jnz	short loc_444FA6
		cmp	byte ptr [edx+18Bh], 0Fh
		jnz	short loc_444FA6

loc_444F76:				; CODE XREF: KeTerminateThread+1D8j
					; KeTerminateThread+1E0j ...
		mov	eax, [ebx+4]
		mov	[ebp+var_4], eax
		inc	eax
		mov	[ebx+4], eax
		lea	eax, [ebx+10h]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jz	short loc_444FC5

loc_444F8A:				; CODE XREF: KeTerminateThread+51j
					; KeTerminateThread+59j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_444F8F:				; CODE XREF: KeTerminateThread+1CAj
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)
		jmp	short loc_444F4A
; 

loc_444FA6:				; CODE XREF: KeTerminateThread+1EDj
					; KeTerminateThread+1F6j
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		push	edi
		call	KiWakeQueueWaiter
		test	al, al
		jz	short loc_44500A

loc_444FB5:				; CODE XREF: KeTerminateThread+255j
					; KeTerminateThread+259j ...
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		mov	ebx, [ebp+var_C]
		jmp	loc_444EE9
; 

loc_444FC5:				; CODE XREF: KeTerminateThread+20Aj
		cmp	[ebp+var_4], 0
		mov	[edi], eax
		mov	[edi+4], edx
		mov	[edx], edi
		mov	[eax+4], edi
		jnz	short loc_444FB5
		cmp	[ecx], ecx
		jz	short loc_444FB5
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		jmp	short loc_444FB5
; 

loc_444FE5:				; CODE XREF: KeTerminateThread+12Aj
		and	[ebp+var_18], ecx

loc_444FE8:				; CODE XREF: KeTerminateThread+27Fj
		lock bts dword ptr [edi], 0
		jnb	short loc_444FFF

loc_444FEF:				; CODE XREF: KeTerminateThread+27Dj
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_444FEF
		jmp	short loc_444FE8
; 

loc_444FFF:				; CODE XREF: KeTerminateThread+26Fj
		mov	dword ptr [edi], 0
		jmp	loc_444EAE
; 

loc_44500A:				; CODE XREF: KeTerminateThread+235j
		lea	ecx, [ebx+8]
		jmp	loc_444F76
KeTerminateThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiFlushQueueApc	proc near		; CODE XREF: KeRundownApcQueues+2Dp
					; KeRundownApcQueues+3Cp

var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005AD36D SIZE 0000010F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	al, dl
		mov	[ebp+var_2], al
		push	esi
		mov	esi, ecx
		push	edi
		cmp	al, 1
		jnz	short loc_445062
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_8], 0
		lea	edi, [esi+2Ch]
		mov	[ebp+var_1], al

loc_445037:				; CODE XREF: KiFlushQueueApc+168369j
		lock bts dword ptr [edi], 0
		jb	loc_5AD36D
		lea	eax, [esi+78h]
		cmp	[eax], eax
		jnz	loc_5AD3A7
		mov	cl, [ebp+var_1]
		mov	dword ptr [edi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_44505C:				; CODE XREF: KiFlushQueueApc+5Bj
		xor	eax, eax

loc_44505E:				; CODE XREF: KiFlushQueueApc+1683DCj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_445062:				; CODE XREF: KiFlushQueueApc+13j
		movsx	eax, al
		add	eax, 0Eh
		lea	eax, [esi+eax*8]
		cmp	[eax], eax
		jz	short loc_44505C
		jmp	loc_5AD380
KiFlushQueueApc	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiComputeThreadAffinity	proc near	; CODE XREF: KiQueueReadyThread:loc_440B9Ap
					; KiSetSystemAffinityThread(x,x,x,x)+E8p ...

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AD47C SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_20]
		stosd
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		test	byte ptr [esi+58h], 8
		stosd
		stosd
		jnz	loc_5AD47C

loc_445098:				; CODE XREF: KiComputeThreadAffinity+71j
		mov	ecx, offset _KiCpuSetSequence
		call	_RtlBeginReadTickLock@4	; RtlBeginReadTickLock(x)
		mov	ebx, [esi+154h]
		mov	edi, eax
		mov	[ebp+var_8], edi
		mov	[ebp+var_10], edx
		lea	eax, [ebx-1]
		test	eax, ebx
		jz	short loc_4450C4
		mov	ecx, esi
		call	KiComputeCpuSetAffinity
		mov	ecx, ebx
		and	ecx, eax
		jnz	short loc_4450F4

loc_4450C4:				; CODE XREF: KiComputeThreadAffinity+41j
					; KiComputeThreadAffinity+82j
		lea	ecx, [esi+164h]
		cmp	[ecx], ebx
		jnz	loc_5AD3F8
		mov	ebx, [ebp+var_4]

loc_4450D5:				; CODE XREF: KiFlushQueueApc+168465j
		push	[ebp+var_10]
		mov	ecx, offset _KiCpuSetSequence
		push	edi
		call	_RtlTryEndReadTickLock@12 ; RtlTryEndReadTickLock(x,x,x)
		test	eax, eax
		jz	short loc_445098

loc_4450E7:				; CODE XREF: KiComputeThreadAffinity+168414j
		mov	[esi+160h], edi
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4450F4:				; CODE XREF: KiComputeThreadAffinity+4Ej
		mov	ebx, ecx
		jmp	short loc_4450C4
KiComputeThreadAffinity	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1236. KeQuerySystemTimePrecise

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQuerySystemTimePrecise(x)
		public _KeQuerySystemTimePrecise@4
_KeQuerySystemTimePrecise@4 proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1AB7p
					; PspUserThreadStartup+F5p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	RtlGetSystemTimePrecise
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	[ecx+4], edx
		pop	ebp
		retn	4
_KeQuerySystemTimePrecise@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlGetSystemTimePrecise	proc near	; CODE XREF: KeQuerySystemTimePrecise(x)+5p
					; EtwGetKernelTraceTimestampSilo:loc_447E39p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005AD48D SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, 0FFDF0340h

loc_445130:				; CODE XREF: RtlGetSystemTimePrecise+DFj
		mov	ecx, edi
		mov	ebx, 0FFDF0348h
		call	_RtlBeginReadTickLock@4	; RtlBeginReadTickLock(x)
		mov	esi, eax
		mov	[ebp+var_14], edx
		mov	eax, [ebx]
		mov	ecx, 0FFDF0358h
		mov	[ebp+var_8], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx]
		mov	[ebp+var_C], eax
		mov	eax, [ecx+4]
		mov	ecx, 0FFDF0014h
		mov	[ebp+var_10], eax
		mov	eax, 0FFDF0368h
		push	0
		mov	al, [eax]
		mov	[ebp+var_1], al
		mov	eax, [ecx]
		mov	[ebp+var_20], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_24], eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, eax
		mov	ebx, edx
		mov	eax, [edi]
		mov	edx, [edi+4]
		cmp	eax, esi
		jnz	short loc_4451FD
		cmp	edx, [ebp+var_14]
		jnz	short loc_4451FD
		mov	edx, [ebp+var_1C]
		mov	edi, 0
		cmp	ebx, edx
		jb	short loc_4451EA
		mov	eax, [ebp+var_8]
		ja	short loc_4451A5
		cmp	ecx, eax
		jbe	short loc_4451EA

loc_4451A5:				; CODE XREF: RtlGetSystemTimePrecise+7Fj
		sub	ecx, eax
		mov	al, [ebp+var_1]
		sbb	ebx, edx
		sub	ecx, 1
		sbb	ebx, edi
		test	al, al
		jz	short loc_4451C7
		movsx	esi, al
		mov	edx, ebx
		mov	eax, ecx
		mov	ecx, esi
		call	__allshl
		mov	ecx, eax
		mov	ebx, edx

loc_4451C7:				; CODE XREF: RtlGetSystemTimePrecise+93j
		mov	eax, [ebp+var_10]
		mul	ecx
		mov	edi, edx
		mov	esi, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_1C], edi
		test	ebx, ebx
		jnz	loc_5AD48D
		mul	ecx
		xor	edi, edi
		add	edx, esi
		mov	[ebp+var_18], eax
		adc	edi, [ebp+var_1C]

loc_4451EA:				; CODE XREF: RtlGetSystemTimePrecise+7Aj
					; RtlGetSystemTimePrecise+83j
		xor	ecx, ecx

loc_4451EC:				; CODE XREF: RtlGetSystemTimePrecise+16839Fj
		add	edi, [ebp+var_20]
		mov	eax, edi
		adc	ecx, [ebp+var_24]
		pop	edi
		pop	esi
		mov	edx, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4451FD:				; CODE XREF: RtlGetSystemTimePrecise+69j
					; RtlGetSystemTimePrecise+6Ej
		pause
		jmp	loc_445130
RtlGetSystemTimePrecise	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTryEndReadTickLock(x, x,	x)
_RtlTryEndReadTickLock@12 proc near	; CODE XREF: KiComputeThreadAffinity+6Ap
					; RtlGetMultiTimePrecise+152p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_44521F
		cmp	ecx, [ebp+arg_4]
		jnz	short loc_44521F
		xor	eax, eax
		inc	eax

loc_44521B:				; CODE XREF: RtlTryEndReadTickLock(x,x,x)+1Dj
		pop	ebp
		retn	8
; 

loc_44521F:				; CODE XREF: RtlTryEndReadTickLock(x,x,x)+Dj
					; RtlTryEndReadTickLock(x,x,x)+12j
		xor	eax, eax
		jmp	short loc_44521B
_RtlTryEndReadTickLock@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RtlBeginReadTickLock(x)
_RtlBeginReadTickLock@4	proc near	; CODE XREF: KiComputeThreadAffinity+29p
					; RtlGetSystemTimePrecise+17p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edx, [esi]
		mov	eax, edx
		and	eax, 1
		or	eax, 0

loc_445234:				; CODE XREF: RtlBeginReadTickLock(x)+28j
		mov	edi, [esi+4]
		jnz	short loc_445240
		mov	eax, edx
		mov	edx, edi
		pop	edi
		pop	esi
		retn
; 

loc_445240:				; CODE XREF: RtlBeginReadTickLock(x)+13j
		pause
		mov	edx, [esi]
		mov	ecx, edx
		and	ecx, 1
		or	ecx, 0
		jmp	short loc_445234
_RtlBeginReadTickLock@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiComputeCpuSetAffinity	proc near	; CODE XREF: KiComputeThreadAffinity+45p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AD4C4 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	eax, [ebx+300h]
		inc	edi
		mov	esi, [ebx+150h]
		shr	eax, 0Bh
		and	eax, edi
		mov	edx, ds:_KiSystemAllowedCpuSets[eax*4]
		or	edx, ds:_KiSystemAllowedCpuSets
		test	dword ptr [esi+0F8h], 8000000h
		jnz	loc_5AD4C4

loc_44528A:				; CODE XREF: KiComputeCpuSetAffinity+16827Ej
		mov	ecx, [esi+428h]
		or	ecx, edx

loc_445292:				; CODE XREF: KiComputeCpuSetAffinity+168288j
		test	ecx, ecx
		jz	short loc_4452B6
		mov	eax, [ebx+38Ch]
		test	eax, eax
		jnz	short loc_4452BD
		mov	eax, [esi+42Ch]
		test	eax, eax
		jnz	short loc_4452BD
		cmp	ds:_KiRestrictedSystemCpuSetsActive, eax
		jnz	short loc_4452EC
		test	edi, edi
		jz	short loc_4452EC

loc_4452B6:				; CODE XREF: KiComputeCpuSetAffinity+46j
		xor	eax, eax

loc_4452B8:				; CODE XREF: KiComputeCpuSetAffinity+9Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4452BD:				; CODE XREF: KiComputeCpuSetAffinity+50j
					; KiComputeCpuSetAffinity+5Aj ...
		and	eax, ecx
		jz	short loc_4452F0

loc_4452C1:				; CODE XREF: KiComputeCpuSetAffinity+A4j
		mov	ecx, ds:_KiNonParkedCpuSets
		and	ecx, eax
		jz	short loc_4452CD
		mov	eax, ecx

loc_4452CD:				; CODE XREF: KiComputeCpuSetAffinity+7Bj
		xor	esi, esi
		jmp	short loc_4452E4
; 

loc_4452D1:				; CODE XREF: KiComputeCpuSetAffinity+98j
		mov	ecx, ds:_KiCpuSetAffinities
		and	[ebp+var_4], 0
		bsf	edx, eax
		or	esi, [ecx+edx*4]
		btr	eax, edx

loc_4452E4:				; CODE XREF: KiComputeCpuSetAffinity+81j
		test	eax, eax
		jnz	short loc_4452D1
		mov	eax, esi
		jmp	short loc_4452B8
; 

loc_4452EC:				; CODE XREF: KiComputeCpuSetAffinity+62j
					; KiComputeCpuSetAffinity+66j
		mov	eax, edx
		jmp	short loc_4452BD
; 

loc_4452F0:				; CODE XREF: KiComputeCpuSetAffinity+71j
		mov	eax, ecx
		jmp	short loc_4452C1
KiComputeCpuSetAffinity	endp


;  S U B	R O U T	I N E 


; __stdcall KeQuerySystemTimeUnsafe()
_KeQuerySystemTimeUnsafe@0 proc	near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x):loc_75FC8Fp
					; PspAllocateThread+273p ...
		mov	edx, 0FFDF0014h
		mov	eax, [edx]
		mov	edx, [edx+4]
		retn
_KeQuerySystemTimeUnsafe@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExTimerRundown	proc near		; CODE XREF: PspExitThread+235p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005AD4DB SIZE 000000B6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	[ebp+var_8], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	esi, [edi+2A0h]
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [edi+2A4h]
		mov	[ebp+var_C], ecx

loc_445333:				; CODE XREF: ExTimerRundown+16827Dj
		mov	eax, [ecx]
		cmp	eax, ecx
		jnz	loc_5AD4DB
		test	ds:byte_70EFC6,	1
		jnz	loc_5AD582
		xor	eax, eax
		lock and [esi],	eax

loc_44534F:				; CODE XREF: ExTimerRundown+16828Cj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
ExTimerRundown	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeForceResumeThread(x)
_KeForceResumeThread@4 proc near	; CODE XREF: KeRequestTerminationThread+98p
					; NtTerminateProcess+B2p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ebx, large fs:20h
		lea	ecx, [edi+1C4h]
		mov	byte ptr [ebp+var_4], al
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		movsx	eax, byte ptr [edi+18Ch]
		lea	ecx, [edi+5Ch]
		mov	esi, [ecx]
		shr	esi, 0Eh
		and	esi, 1
		add	esi, eax
		jnz	short loc_4453C8

loc_445398:				; CODE XREF: KeForceResumeThread(x)+78j
		push	1
		mov	edx, ebx
		mov	ecx, edi
		call	KiResumeThread
		mov	ecx, 0FFFFFF7Fh
		lea	eax, [edi+1C4h]
		lock and [eax],	ecx
		push	[ebp+var_4]
		xor	edx, edx
		mov	ecx, ebx
		push	0
		push	1
		call	KiExitDispatcher
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4453C8:				; CODE XREF: KeForceResumeThread(x)+3Aj
		lock btr dword ptr [ecx], 0Eh
		mov	byte ptr [edi+18Ch], 0
		jmp	short loc_445398
_KeForceResumeThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiResumeThread	proc near		; CODE XREF: KeForceResumeThread(x)+42p
					; KeResumeThread(x)+4Cp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005AD591 SIZE 00000113 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_8], 0
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	[ebp+var_1C], esi
		lea	edi, [esi+2Ch]
		mov	dword ptr [esi+1C8h], 1
		mov	[ebp+var_14], edi

loc_445401:				; CODE XREF: KiResumeThread+203j
		lock bts dword ptr [edi], 0
		jb	loc_4455CB
		cmp	byte ptr [esi+90h], 5
		mov	bl, [ebp+arg_0]
		jz	short loc_44546A

loc_445418:				; CODE XREF: KiResumeThread+9Dj
					; KiResumeThread+1B1j
		test	bl, bl
		mov	ebx, [ebp+var_4]
		jz	short loc_445437
		mov	eax, [esi+5Ch]
		test	eax, 8000h
		jz	short loc_445459
		mov	al, [esi+90h]
		cmp	al, 5
		jz	loc_4455B6

loc_445437:				; CODE XREF: KiResumeThread+47j
					; KiResumeThread+92j ...
		mov	dword ptr [edi], 0
		lea	edi, [esi+1CCh]
		mov	eax, [edi]

loc_445445:				; CODE XREF: KiResumeThread+1DBj
		cmp	eax, edi
		jnz	loc_44558C
		mov	[edi+4], edi
		mov	[edi], edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_445459:				; CODE XREF: KiResumeThread+51j
		push	2
		lea	edx, [esi+190h]
		mov	ecx, ebx
		call	_KiSignalThreadForApc@12 ; KiSignalThreadForApc(x,x,x)
		jmp	short loc_445437
; 

loc_44546A:				; CODE XREF: KiResumeThread+40j
		mov	cl, [esi+54h]
		mov	al, cl
		and	al, 7
		cmp	al, 4
		jnz	short loc_445418
		test	bl, bl
		jnz	loc_44557D
		and	cl, 0FDh
		xor	bh, bh
		or	cl, 5
		mov	[esi+54h], cl
		mov	dword ptr [edi], 0
		movzx	eax, byte ptr [esi+16Bh]
		mov	dword ptr [ebp+arg_0], eax
		test	eax, eax
		jz	short loc_445504
		mov	ecx, dword ptr [ebp+arg_0]
		xor	eax, eax

loc_4454A1:				; CODE XREF: KiResumeThread+12Cj
		imul	edi, eax, 18h
		add	edi, [esi+98h]
		cmp	byte ptr [edi+9], 6
		jnz	short loc_4454FB
		mov	ecx, [edi+10h]
		mov	byte ptr [edi+9], 4
		mov	[ebp+var_C], ecx
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	ecx, [ebp+var_C]
		cmp	dword ptr [ecx+4], 0
		jg	loc_44565E
		mov	al, [ecx]
		and	al, 7Fh
		cmp	al, 2
		jz	loc_44565E
		lea	eax, [ecx+8]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_44567A
		mov	[edi], eax
		mov	[edi+4], edx
		mov	[edx], edi
		mov	[eax+4], edi
		mov	eax, 0FFFFFF7Fh
		lock and [ecx],	eax
		mov	ecx, dword ptr [ebp+arg_0]

loc_4454FB:				; CODE XREF: KiResumeThread+D8j
		inc	bh
		movzx	eax, bh
		cmp	eax, ecx
		jb	short loc_4454A1

loc_445504:				; CODE XREF: KiResumeThread+C4j
					; KiResumeThread+296j
		xor	edi, edi
		test	dword ptr [esi+58h], 20000h
		jnz	loc_4455DE

loc_445513:				; CODE XREF: KiResumeThread+20Cj
					; KiResumeThread+26Fj ...
		and	[ebp+var_18], 0
		mov	esi, [ebp+var_14]

loc_44551A:				; CODE XREF: KiResumeThread+1681EAj
		lock bts dword ptr [esi], 0
		jb	loc_5AD5B2
		mov	esi, [ebp+var_1C]
		shl	edi, 9
		mov	ecx, [esi+58h]
		mov	al, [esi+54h]
		and	ecx, 0FFFFFDFFh
		or	ecx, edi
		and	al, 0E7h
		and	ecx, 0FFFDFFFFh
		mov	[esi+58h], ecx
		cmp	al, 5
		jnz	loc_5AD5C5
		movzx	eax, byte ptr [esi+93h]
		shr	ecx, 4
		and	cl, 1
		push	0
		mov	dl, cl
		mov	ecx, esi
		push	eax
		call	KiTestForAlertPending
		test	eax, eax
		jnz	loc_5AD5C5
		cmp	byte ptr [esi+18Bh], 25h
		jz	loc_44564A

loc_44557A:				; CODE XREF: KiResumeThread+1681F1j
		lea	edi, [esi+2Ch]

loc_44557D:				; CODE XREF: KiResumeThread+A1j
					; KiResumeThread+27Bj ...
		mov	al, [esi+54h]
		and	al, 0F9h
		or	al, 1
		mov	[esi+54h], al
		jmp	loc_445418
; 

loc_44558C:				; CODE XREF: KiResumeThread+71j
		mov	esi, eax
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		mov	al, [esi+8]
		cmp	al, 1
		jnz	loc_5AD5CC
		movzx	eax, word ptr [esi+0Ah]
		push	0
		push	eax

loc_4455A5:				; CODE XREF: KiResumeThread+1682C9j
		mov	edx, esi
		mov	ecx, ebx
		call	KiTryUnwaitThread

loc_4455AE:				; CODE XREF: KiResumeThread+1682BDj
		mov	eax, [ebp+var_1C]
		jmp	loc_445445
; 

loc_4455B6:				; CODE XREF: KiResumeThread+5Bj
		push	0
		push	100h
		mov	edx, esi
		mov	ecx, ebx
		call	KiSignalThread
		jmp	loc_445437
; 

loc_4455CB:				; CODE XREF: KiResumeThread+30j
					; KiResumeThread+201j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_4455CB
		jmp	loc_445401
; 

loc_4455DE:				; CODE XREF: KiResumeThread+137j
		xor	edi, edi
		test	bl, bl
		jnz	loc_445513
		push	dword ptr [esi+0CCh]
		lea	edi, [esi+0B8h]
		xor	dl, dl
		push	dword ptr [esi+0C8h]
		or	dword ptr [edi], 40000080h
		lea	eax, [ebp+var_8]
		push	eax
		mov	ecx, edi
		call	KiComputeDueTime
		test	eax, eax
		jz	short loc_445671
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	0
		push	[ebp+var_8]
		push	0
		call	KiInsertTimerTable
		test	al, al
		jz	loc_5AD5A1
		test	ds:dword_70EFC8, 20000h
		jnz	loc_5AD591
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax

loc_445642:				; CODE XREF: KiResumeThread+1681C6j
					; KiResumeThread+1681D7j
		xor	edi, edi
		inc	edi
		jmp	loc_445513
; 

loc_44564A:				; CODE XREF: KiResumeThread+19Ej
		test	byte ptr [esi+5Ch], 10h
		lea	edi, [esi+2Ch]
		jz	loc_44557D
		mov	bl, 1
		jmp	loc_44557D
; 

loc_44565E:				; CODE XREF: KiResumeThread+F0j
					; KiResumeThread+FCj
		mov	eax, 0FFFFFF7Fh
		lock and [ecx],	eax
		mov	byte ptr [edi+9], 5
		mov	bl, 1
		jmp	loc_445504
; 

loc_445671:				; CODE XREF: KiResumeThread+239j
		mov	bl, 1
		xor	edi, edi
		jmp	loc_445513
; 

loc_44567A:				; CODE XREF: KiResumeThread+10Aj
					; KiResumeThread+16828Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
KiResumeThread	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAcquireReleaseThreadLock(x)
_KiAcquireReleaseThreadLock@4 proc near	; CODE XREF: KeRundownApcQueues+16p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_4], 0
		mov	bl, al
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		lock or	[eax], ecx
		add	esi, 2Ch
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_4456B4

loc_4456A8:				; CODE XREF: KiAcquireReleaseThreadLock(x)+54j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4456B4:				; CODE XREF: KiAcquireReleaseThreadLock(x)+26j
		and	[ebp+var_8], ecx

loc_4456B7:				; CODE XREF: KiAcquireReleaseThreadLock(x)+4Cj
		lock bts dword ptr [esi], 0
		jnb	short loc_4456CE

loc_4456BE:				; CODE XREF: KiAcquireReleaseThreadLock(x)+4Aj
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_4456BE
		jmp	short loc_4456B7
; 

loc_4456CE:				; CODE XREF: KiAcquireReleaseThreadLock(x)+3Cj
		mov	dword ptr [esi], 0
		jmp	short loc_4456A8
_KiAcquireReleaseThreadLock@4 endp


;  S U B	R O U T	I N E 


KiCheckIfStackExpandCalloutActive proc near ; CODE XREF: KeTerminateThread+Dp

; FUNCTION CHUNK AT 005AD6A4 SIZE 0000003B BYTES

		test	dword ptr [ecx+58h], 1000h
		jnz	loc_5AD6A4
		retn
KiCheckIfStackExpandCalloutActive endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiRundownMutants proc near		; CODE XREF: PspExitThread+248p

var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AD6DF SIZE 00000259 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	80h		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_88]
		mov	ebx, ecx
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_A0], ebx
		call	_memset
		lea	edi, [ebx+1DCh]
		mov	[ebp+var_C0], esi
		add	esp, 0Ch
		mov	[ebp+var_A8], edi
		cmp	[edi], edi
		jnz	short loc_445740

loc_445731:				; CODE XREF: KiRundownMutants+167j
					; KiRundownMutants+16824Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_445740:				; CODE XREF: KiRundownMutants+4Bj
		mov	[ebp+var_90], esi
		mov	[ebp+var_A4], esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_B4], al
		mov	eax, large fs:20h
		mov	[ebp+var_98], eax
		mov	eax, ebx
		add	eax, 2Ch
		mov	[ebp+var_94], eax

loc_44576F:				; CODE XREF: KiRundownMutants+13Bj
					; KiCheckIfStackExpandCalloutActive+168004j
		mov	ebx, [ebp+var_94]
		mov	[ebp+var_B8], esi

loc_44577B:				; CODE XREF: KiRundownMutants+16800Cj
		lock bts dword ptr [ebx], 0
		jb	loc_5AD6DF
		mov	eax, [edi]
		mov	ebx, [ebp+var_90]
		mov	[ebp+var_8C], eax
		cmp	eax, edi
		jz	loc_44582A
		lea	edi, [eax-10h]
		cmp	byte ptr [edi+1Dh], 0
		jnz	loc_5AD90F
		lock bts dword ptr [edi], 7
		jb	loc_5AD6F5
		mov	ebx, [ebp+var_94]

loc_4457BA:				; CODE XREF: KiRundownMutants+168087j
		lea	eax, [edi+10h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_445868
		cmp	[ecx], eax
		jnz	loc_445868
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	ecx, [edi+8]
		mov	[ebx], esi
		or	byte ptr [edi+1Ch], 1
		mov	eax, [ecx]
		mov	dword ptr [edi+4], 1
		mov	[edi+18h], esi

loc_4457ED:				; CODE XREF: KiRundownMutants+1CDj
		cmp	eax, ecx
		jnz	short loc_445856

loc_4457F1:				; CODE XREF: KiRundownMutants+1BEj
		mov	eax, 0FFFFFF7Fh

loc_4457F6:				; CODE XREF: KiRundownMutants+1681BEj
		test	byte ptr [edi+1Ch], 2
		mov	ebx, [ebp+var_90]
		jnz	loc_5AD8C5

loc_445806:				; CODE XREF: KiRundownMutants+1681EFj
		lock and [edi],	eax
		mov	eax, [ebp+var_A4]
		mov	edi, [ebp+var_A8]
		inc	eax
		mov	[ebp+var_A4], eax
		cmp	eax, 20h
		jnz	loc_44576F
		jmp	loc_5AD8D8
; 

loc_44582A:				; CODE XREF: KiRundownMutants+B2j
		push	[ebp+var_B4]
		mov	eax, [ebp+var_94]
		xor	edx, edx
		mov	ecx, [ebp+var_98]
		push	1
		push	1
		mov	[eax], esi
		call	KiExitDispatcher
		test	ebx, ebx
		jz	loc_445731
		jmp	loc_5AD922
; 

loc_445856:				; CODE XREF: KiRundownMutants+10Bj
		mov	ebx, eax
		mov	eax, [eax]
		mov	[ebp+var_C4], eax
		mov	ecx, [ebx+4]
		cmp	[eax+4], ebx
		jz	short loc_44586D

loc_445868:				; CODE XREF: KiRundownMutants+E1j
					; KiRundownMutants+E9j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_44586D:				; CODE XREF: KiRundownMutants+182j
		cmp	[ecx], ebx
		jnz	short loc_445868
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	al, [ebx+8]
		cmp	al, 1
		jnz	loc_5AD784
		mov	ecx, [ebp+var_98]
		lea	eax, [ebp+var_C0]
		push	eax
		movzx	eax, word ptr [ebx+0Ah]
		mov	edx, ebx
		push	eax
		call	KiTryUnwaitThread
		test	al, al
		jz	short loc_4458A8
		sub	dword ptr [edi+4], 1
		jz	loc_4457F1

loc_4458A8:				; CODE XREF: KiRundownMutants+1B8j
					; KiRundownMutants+1681C4j ...
		mov	eax, [ebp+var_C4]
		lea	ecx, [edi+8]
		jmp	loc_4457ED
KiRundownMutants endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1177. KeInitializeSemaphore

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeSemaphore(x, x,	x)
		public _KeInitializeSemaphore@12
_KeInitializeSemaphore@12 proc near	; CODE XREF: PopWakeDeviceList+51p
					; PopWakeDeviceList+5Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	[ecx+4], eax
		lea	eax, [ecx+8]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+arg_8]
		mov	byte ptr [ecx],	5
		mov	byte ptr [ecx+2], 5
		mov	[ecx+10h], eax
		pop	ebp
		retn	0Ch
_KeInitializeSemaphore@12 endp

; 
		align 8
; Exported entry  39. ExInitializeRundownProtection

;  S U B	R O U T	I N E 


; __fastcall ExInitializeRundownProtection(x)
		public @ExInitializeRundownProtection@4
@ExInitializeRundownProtection@4 proc near
					; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxInitialize(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT	*)+3Ep
					; IoRegisterPriorityCallback+3Dp ...
		and	dword ptr [ecx], 0
		retn
@ExInitializeRundownProtection@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1228. KeQueryMaximumGroupCount

;  S U B	R O U T	I N E 


; __stdcall KeQueryMaximumGroupCount()
		public _KeQueryMaximumGroupCount@0
_KeQueryMaximumGroupCount@0 proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x):loc_75E4C0p
					; PspAllocateThread+143p
		mov	ax, ds:_KiMaximumGroups
		retn
_KeQueryMaximumGroupCount@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiRaiseException(x,	x, x, x, x)
_KiRaiseException@20 proc near		; CODE XREF: NtRaiseException(x,x,x)+89p

var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_5C		= dword	ptr -5Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	88h
		push	offset dword_6A0D70
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_8C], eax
		mov	[ebp+var_70], eax
		mov	esi, [ebp+arg_4]
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_84], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_98], eax
		xor	ebx, ebx
		mov	[ebp+var_7C], ebx
		push	50h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_78], ebx
		mov	eax, large fs:124h
		mov	bh, [eax+15Ah]
		mov	byte ptr [ebp+var_80], bh
		test	bh, bh
		jz	loc_445A5C
		and	[ebp+ms_exc.disabled], 0
		mov	eax, esi
		mov	ecx, ds:_MmUserProbeAddress
		cmp	esi, ecx
		jb	short loc_44596A
		mov	eax, ecx

loc_44596A:				; CODE XREF: KiRaiseException(x,x,x,x,x)+6Cj
		nop
		mov	eax, [eax]
		mov	[ebp+var_74], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	dl, bh
		lea	ecx, [ebp+var_74]
		call	RtlpSanitizeContextFlags
		test	eax, eax
		js	loc_445AF0
		lea	edx, [ebp+var_78]
		mov	ecx, [ebp+var_74]
		call	_RtlGetExtendedContextLength@8 ; RtlGetExtendedContextLength(x,x)
		test	eax, eax
		js	loc_445AF0
		mov	eax, [ebp+var_78]
		call	__alloca_probe_16
		mov	[ebp+ms_exc.old_esp], esp
		mov	ecx, esp
		lea	eax, [ebp+var_7C]
		push	eax
		mov	edx, [ebp+var_74]
		call	_RtlInitializeExtendedContext@12 ; RtlInitializeExtendedContext(x,x,x)
		test	eax, eax
		js	loc_445AF0
		mov	eax, [ebp+var_7C]
		lea	edi, [eax-2CCh]
		push	0
		push	esi
		push	[ebp+var_74]
		push	eax
		mov	dl, 1
		call	RtlpReadExtendedContext
		test	eax, eax
		js	loc_445AF0
		mov	esi, edi
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_70]
		add	eax, 10h
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_4459F7
		mov	eax, ecx

loc_4459F7:				; CODE XREF: KiRaiseException(x,x,x,x,x)+F9j
		nop
		mov	eax, [eax]
		mov	[ebp+var_88], eax
		mov	edi, eax
		cmp	edi, 0Fh
		jbe	short loc_445A18
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		jmp	loc_445AF0
; 

loc_445A18:				; CODE XREF: KiRaiseException(x,x,x,x,x)+10Bj
		lea	eax, ds:14h[edi*4]
		mov	[ebp+var_78], eax
		mov	ecx, [ebp+var_8C]
		add	ecx, eax
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	short loc_445A39
		cmp	ecx, [ebp+var_70]
		jnb	short loc_445A3C

loc_445A39:				; CODE XREF: KiRaiseException(x,x,x,x,x)+138j
		mov	byte ptr [edx],	0

loc_445A3C:				; CODE XREF: KiRaiseException(x,x,x,x,x)+13Dj
		push	eax		; size_t
		push	[ebp+var_70]	; void *
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_70], eax
		mov	[ebp+var_5C], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_445A5C:				; CODE XREF: KiRaiseException(x,x,x,x,x)+58j
		mov	edi, large fs:124h
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 1
		jnb	short loc_445A78
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_445A78:				; CODE XREF: KiRaiseException(x,x,x,x,x)+174j
		push	[ebp+var_80]
		push	dword ptr [esi]
		push	esi
		push	[ebp+var_84]
		mov	esi, [ebp+var_98]
		push	esi
		call	KeContextToKframes
		cmp	bl, 1
		jnb	short loc_445A9D
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_445A9D:				; CODE XREF: KiRaiseException(x,x,x,x,x)+199j
		mov	eax, [ebp+var_70]
		and	dword ptr [eax], 0EFFFFFFFh
		push	[ebp+arg_10]
		push	[ebp+var_80]
		push	esi
		push	[ebp+var_84]
		push	eax
		call	KiDispatchException
		test	bh, bh
		jz	short loc_445AEE
		cmp	byte ptr [edi+2], 0
		jge	short loc_445AEE
		mov	eax, [edi+150h]
		mov	eax, [eax+3DCh]
		cmp	[esi+68h], eax
		jz	short loc_445AEE
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		push	0
		push	esi
		call	KiSetupForInstrumentationReturn
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_445AEE:				; CODE XREF: KiRaiseException(x,x,x,x,x)+1C1j
					; KiRaiseException(x,x,x,x,x)+1C7j ...
		xor	eax, eax

loc_445AF0:				; CODE XREF: KiRaiseException(x,x,x,x,x)+89j
					; KiRaiseException(x,x,x,x,x)+9Cj ...
		lea	esp, [ebp-0A8h]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_KiRaiseException@20 endp


;  S U B	R O U T	I N E 


sub_445B08	proc near		; DATA XREF: .text:006A0D90o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-90h], eax
		xor	eax, eax
		inc	eax
		retn
sub_445B08	endp


;  S U B	R O U T	I N E 


sub_445B19	proc near		; DATA XREF: .text:006A0D94o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-90h]
		jmp	short loc_445AF0
sub_445B19	endp

; 

loc_445B2B:				; DATA XREF: .text:006A0D84o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-94h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_445B3C:				; DATA XREF: .text:006A0D88o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-94h]
		jmp	short loc_445AF0

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiContinuePreviousModeUser proc	near	; CODE XREF: KiContinue+AEp

var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AD938 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_C], 0
		and	[ebp+var_10], 0
		mov	eax, ds:_MmUserProbeAddress
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		cmp	edi, eax
		jnb	loc_5AD938

loc_445B7B:				; CODE XREF: KiContinuePreviousModeUser+167DECj
		nop
		mov	eax, [ecx]
		mov	dl, 1
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], eax
		call	RtlpSanitizeContextFlags
		test	eax, eax
		js	short loc_445C02
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_10]
		call	_RtlGetExtendedContextLength@8 ; RtlGetExtendedContextLength(x,x)
		test	eax, eax
		js	short loc_445C02
		mov	eax, [ebp+var_10]
		call	__alloca_probe_16
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		mov	ecx, esp
		push	eax
		call	_RtlInitializeExtendedContext@12 ; RtlInitializeExtendedContext(x,x,x)
		test	eax, eax
		js	short loc_445C02
		push	0
		push	edi
		push	[ebp+var_8]
		mov	dl, 1
		push	[ebp+var_C]
		call	RtlpReadExtendedContext
		test	eax, eax
		js	short loc_445C02
		mov	ecx, [ebp+var_C]
		call	_RtlLocateLegacyContext@8 ; RtlLocateLegacyContext(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edi, eax
		sub	esp, 0Ch
		mov	edx, edi
		call	_KeVerifyContextRecord@20 ; KeVerifyContextRecord(x,x,x,x,x)
		test	eax, eax
		js	short loc_445C02
		push	1
		push	[ebp+var_8]
		push	edi
		push	ebx
		push	[ebp+arg_0]
		call	KeContextToKframes
		push	0
		push	[ebp+arg_0]
		call	KiSetupForInstrumentationReturn
		xor	eax, eax

loc_445C02:				; CODE XREF: KiContinuePreviousModeUser+3Fj
					; KiContinuePreviousModeUser+4Ej ...
		lea	esp, [ebp-18h]
		pop	edi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
KiContinuePreviousModeUser endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSetupForInstrumentationReturn	proc near ; CODE XREF: KiRaiseException(x,x,x,x,x)+1E7p
					; KiContinuePreviousModeUser+ADp ...

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AD93F SIZE 0000008C BYTES
; FUNCTION CHUNK AT 005AD9D2 SIZE 0000001F BYTES

		push	0Ch
		push	offset dword_6A0D98
		call	__SEH_prolog4
		mov	edi, large fs:124h
		mov	esi, [ebp+arg_0]
		test	dword ptr [esi+70h], 20000h
		jnz	short loc_445C3F
		cmp	byte ptr [edi+2], 0
		jl	loc_5AD93F

loc_445C3F:				; CODE XREF: KiSetupForInstrumentationReturn+1Dj
					; KiSetupForInstrumentationReturn+167D37j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
KiSetupForInstrumentationReturn	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiContinue	proc near		; CODE XREF: NtContinue(x,x)+7Bp

var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0DB8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		mov	[ebp-19h], bl
		cmp	bl, 1
		jnb	short loc_445CAD
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_445CAD:				; CODE XREF: KiContinue+43j
		mov	[ebp+var_20], 0
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jnz	short loc_445CFD
		push	0
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx]
		push	eax
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_8]
		call	KeContextToKframes
		mov	esi, [ebp+var_20]

loc_445CDA:				; CODE XREF: KiContinue+BFj
					; sub_5ADA01+13j
		cmp	bl, 1
		jnb	short loc_445CE7
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_445CE7:				; CODE XREF: KiContinue+7Dj
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_445CFD:				; CODE XREF: KiContinue+61j
		mov	[ebp+var_4], 0
		push	eax
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	KiContinuePreviousModeUser
		mov	esi, eax
		mov	[ebp+var_20], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_445CDA
KiContinue	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeContextToKframes proc	near		; CODE XREF: KiInitializeContextThread+1C9p
					; KiRaiseException(x,x,x,x,x)+191p ...

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_7		= byte ptr -7
var_6		= byte ptr -6
var_5		= byte ptr -5
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 005ADA19 SIZE 000000DB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	loc_5ADA19
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	cl, al
		mov	[ebp+var_7], cl
		cmp	cl, 1
		jb	loc_4460A6

loc_445D69:				; CODE XREF: KeContextToKframes+381j
					; KeContextToKframes+167CEDj
		mov	esi, [ebp+arg_C]
		mov	eax, esi
		mov	ebx, [ebp+arg_0]
		and	eax, 10001h
		cmp	eax, 10001h
		jnz	loc_445E4C
		mov	edx, [edi+0C0h]
		mov	ecx, edx
		test	edx, 20000h
		jnz	loc_5ADA22

loc_445D95:				; CODE XREF: KeContextToKframes+167D08j
					; KeContextToKframes+167D1Aj
		mov	eax, [ebx+70h]
		xor	eax, ecx
		test	eax, 20000h
		jnz	loc_5ADA4F
		mov	[ebp+var_5], 0

loc_445DA9:				; CODE XREF: KeContextToKframes+167D23j
		cmp	[ebp+arg_10], 0
		jnz	loc_446052
		and	ecx, 3F0FD7h

loc_445DB9:				; CODE XREF: KeContextToKframes+32Ej
		mov	[ebx+70h], ecx
		mov	edx, ecx
		mov	eax, [edi+0B4h]
		and	edx, 20000h
		mov	[ebx+60h], eax
		mov	eax, [edi+0B8h]
		mov	[ebx+68h], eax
		mov	[ebp+var_10], edx
		mov	edx, [edi+0BCh]
		jnz	loc_5ADA58
		and	edx, 0FFFCh
		cmp	[ebp+arg_10], 0
		mov	eax, edx
		jnz	loc_446063

loc_445DF7:				; CODE XREF: KeContextToKframes+336j
		cmp	[ebp+arg_10], 0
		mov	edx, eax
		mov	[ebx+6Ch], eax
		jnz	loc_44606B

loc_445E06:				; CODE XREF: KeContextToKframes+33Ej
					; KeContextToKframes+167D2Bj ...
		cmp	[ebp+var_10], 0
		movzx	eax, word ptr [edi+0C8h]
		jnz	short loc_445E1B
		test	dl, 1
		jz	short loc_445E1E
		or	eax, 3

loc_445E1B:				; CODE XREF: KeContextToKframes+E1j
		mov	[ebx+78h], eax

loc_445E1E:				; CODE XREF: KeContextToKframes+E6j
		mov	eax, [edi+0C4h]
		bt	ecx, 11h
		mov	[ebp+var_10], eax
		setnb	cl
		test	dl, 1
		setz	al
		test	cl, al
		jnz	loc_446010
		mov	eax, [ebp+var_10]
		mov	[ebx+74h], eax

loc_445E42:				; CODE XREF: KeContextToKframes+307j
					; KeContextToKframes+31Dj
		cmp	[ebp+var_5], 0
		jnz	loc_5ADA87

loc_445E4C:				; CODE XREF: KeContextToKframes+4Bj
					; KeContextToKframes+167D5Dj
		mov	eax, esi
		and	eax, 10004h
		cmp	eax, 10004h
		jnz	short loc_445E9E
		test	dword ptr [ebx+70h], 20000h
		jnz	loc_5ADA92
		test	byte ptr [ebx+6Ch], 1
		jnz	loc_446079
		mov	eax, [edi+90h]
		and	eax, 0FFFCh
		cmp	[ebp+arg_10], 0
		jnz	loc_5ADAC4

loc_445E86:				; CODE XREF: KeContextToKframes+167D97j
		mov	[ebx+50h], eax
		mov	dword ptr [ebx+30h], 23h
		mov	dword ptr [ebx+34h], 23h
		mov	dword ptr [ebx+2Ch], 0

loc_445E9E:				; CODE XREF: KeContextToKframes+128j
					; KeContextToKframes+371j ...
		mov	eax, esi
		and	eax, 10002h
		cmp	eax, 10002h
		jnz	short loc_445EE8
		cmp	byte ptr [ebx+0Fh], 2
		mov	eax, [edi+9Ch]
		mov	[ebx+54h], eax
		mov	eax, [edi+0A0h]
		mov	[ebx+58h], eax
		mov	eax, [edi+0A4h]
		mov	[ebx+5Ch], eax
		jz	short loc_445EE8
		mov	eax, [edi+0ACh]
		mov	[ebx+3Ch], eax
		mov	eax, [edi+0A8h]
		mov	[ebx+38h], eax
		mov	eax, [edi+0B0h]
		mov	[ebx+40h], eax

loc_445EE8:				; CODE XREF: KeContextToKframes+17Aj
					; KeContextToKframes+19Bj
		mov	eax, esi
		mov	edi, esi
		and	eax, 10020h
		and	edi, 10040h
		cmp	eax, 10020h
		mov	eax, esi
		setnz	cl
		and	eax, 10008h
		cmp	eax, 10008h
		lea	edx, [edi-10040h]
		setnz	al
		and	cl, al
		neg	edx
		sbb	dl, dl
		test	dl, cl
		jnz	loc_445FDD
		mov	ecx, large fs:124h
		test	byte ptr [ebx+6Ch], 1
		jnz	loc_446158
		test	dword ptr [ebx+70h], 20000h
		jnz	loc_446158

loc_445F40:				; CODE XREF: KeContextToKframes+432j
		mov	ecx, ds:0FFDF03E0h
		mov	edx, ds:0FFDF03E4h
		and	ecx, 0FFFFFFFCh
		cmp	edi, 10040h
		mov	edi, [ebp+arg_8]
		jz	loc_446180

loc_445F5E:				; CODE XREF: KeContextToKframes+454j
					; KeContextToKframes+46Dj
		mov	eax, ds:0FFDF03E0h
		and	eax, 3
		mov	[ebp+var_10], eax
		mov	eax, 210h
		call	__alloca_probe_16
		lea	eax, [esp+1Ch+var_10+3]
		and	eax, 0FFFFFFF0h
		mov	[ebp+var_C], eax
		nop
		fxsave	dword ptr [eax]
		nop
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		mov	[ebp+var_5], 1

loc_445F8B:				; CODE XREF: KeContextToKframes+44Bj
		push	eax
		push	edx
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	KiContextToNpxFrame
		mov	edx, [ebp+var_C]
		test	al, al
		jz	short loc_445FC7
		cmp	byte ptr [ebx+0Fh], 2
		mov	eax, [edx+18h]
		mov	[ebx+48h], eax
		jz	short loc_445FC7
		mov	edi, ebx
		and	edi, 0FFFFFFF0h
		sub	edi, 80h
		jz	short loc_445FC7
		lea	esi, [edx+0A0h]
		mov	ecx, 20h
		rep movsd
		mov	esi, [ebp+arg_C]

loc_445FC7:				; CODE XREF: KeContextToKframes+26Cj
					; KeContextToKframes+278j ...
		cmp	[ebp+var_5], 0
		jz	short loc_445FDD
		stmxcsr	[ebp+var_10]
		mov	eax, [ebp+var_10]
		push	edx
		mov	[edx+18h], eax
		call	_KiFxstateRestore@4 ; KiFxstateRestore(x)

loc_445FDD:				; CODE XREF: KeContextToKframes+1ECj
					; KeContextToKframes+29Bj
		and	esi, 10010h
		cmp	esi, 10010h
		jz	loc_4460C3

loc_445FEF:				; CODE XREF: KeContextToKframes+407j
					; KeContextToKframes+413j ...
		mov	al, [ebp+var_7]
		cmp	al, 1
		jb	loc_4460B6

loc_445FFA:				; CODE XREF: KeContextToKframes+38Ej
		lea	esp, [ebp-1Ch]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_446010:				; CODE XREF: KeContextToKframes+106j
		mov	ecx, edx
		and	ecx, 0FFF9h
		jz	loc_5ADA71
		lea	eax, [ebx+74h]

loc_446021:				; CODE XREF: KeContextToKframes+167D44j
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_10]
		cmp	eax, [ebp+var_C]
		jb	loc_5ADA79
		test	ecx, ecx
		jz	short loc_44604A
		cmp	[ebp+var_C], eax
		jz	loc_445E42
		mov	[ebx+0Ch], dx
		and	edx, 0FFFF0006h
		mov	[ebx+6Ch], edx

loc_44604A:				; CODE XREF: KeContextToKframes+302j
		mov	[ebx+10h], eax
		jmp	loc_445E42
; 

loc_446052:				; CODE XREF: KeContextToKframes+7Dj
		and	ecx, 3F4DD7h
		or	ecx, 200h
		jmp	loc_445DB9
; 

loc_446063:				; CODE XREF: KeContextToKframes+C1j
		or	eax, 3
		jmp	loc_445DF7
; 

loc_44606B:				; CODE XREF: KeContextToKframes+D0j
		cmp	eax, 8
		jnb	loc_445E06
		jmp	loc_5ADA60
; 

loc_446079:				; CODE XREF: KeContextToKframes+13Bj
		movzx	eax, word ptr [edi+90h]
		mov	[ebx+50h], eax
		movzx	eax, word ptr [edi+94h]
		mov	[ebx+30h], eax
		movzx	eax, word ptr [edi+98h]
		mov	[ebx+34h], eax
		movzx	eax, word ptr [edi+8Ch]
		mov	[ebx+2Ch], eax
		jmp	loc_445E9E
; 

loc_4460A6:				; CODE XREF: KeContextToKframes+33j
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_7], al
		jmp	loc_445D69
; 

loc_4460B6:				; CODE XREF: KeContextToKframes+2C4j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_445FFA
; 

loc_4460C3:				; CODE XREF: KeContextToKframes+2B9j
		mov	edi, large fs:124h
		mov	edx, [ebp+arg_8]
		mov	al, [edi+3]
		and	al, 0DFh
		mov	[ebp+var_5], al
		xor	al, al
		mov	[ebp+var_C], eax
		xor	esi, esi
		mov	[ebp+var_6], al
		nop

loc_4460E0:				; CODE XREF: KeContextToKframes+3DBj
		mov	eax, ds:_KiDebugRegisterContextOffsets[esi*4]
		mov	ecx, [edx+eax]
		cmp	ecx, ds:_MmHighestUserAddress
		ja	short loc_44614E

loc_4460F2:				; CODE XREF: KeContextToKframes+422j
					; KeContextToKframes+426j
		mov	eax, ds:_KiDebugRegisterTrapOffsets[esi*4]
		test	ecx, ecx
		mov	[ebx+eax], ecx
		mov	ecx, [ebp+var_C]
		jnz	loc_5ADACC

loc_446107:				; CODE XREF: KeContextToKframes+167DA8j
		inc	esi
		cmp	esi, 3
		jbe	short loc_4460E0
		mov	eax, [edx+14h]
		and	eax, 0E00Fh
		mov	[ebx+24h], eax
		jnz	loc_5ADADD

loc_44611E:				; CODE XREF: KeContextToKframes+167DB3j
		mov	eax, [edx+18h]
		lea	ecx, [ebx+28h]
		and	eax, 0FFFF0155h
		lea	edx, [ebp+var_6]
		mov	[ecx], eax
		call	KiRecordDr7
		cmp	[ebp+arg_10], 0
		jz	loc_445FEF
		mov	dl, [ebp+var_6]
		cmp	[ebp+var_5], dl
		jz	loc_445FEF
		jmp	loc_5ADAE8
; 

loc_44614E:				; CODE XREF: KeContextToKframes+3C0j
		cmp	[ebp+arg_10], 0
		jz	short loc_4460F2
		xor	ecx, ecx
		jmp	short loc_4460F2
; 

loc_446158:				; CODE XREF: KeContextToKframes+1FDj
					; KeContextToKframes+20Aj
		call	KiGetAllocatedXSaveArea
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_445F40
		mov	ecx, ds:0FFDF03E0h
		mov	edx, ds:0FFDF03E4h
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_5], 0
		jmp	loc_445F8B
; 

loc_446180:				; CODE XREF: KeContextToKframes+228j
		mov	eax, ecx
		or	eax, edx
		jz	loc_445F5E
		push	edx
		push	ecx
		lea	ecx, [edi+0CCh]
		add	ecx, [edi+2DCh]
		call	_RtlXRestore@12	; RtlXRestore(x,x,x)
		jmp	loc_445F5E
KeContextToKframes endp


;  S U B	R O U T	I N E 


; __stdcall KeVerifyContextRecord(x, x,	x, x, x)
_KeVerifyContextRecord@20 proc near	; CODE XREF: KiContinuePreviousModeUser+90p
					; PspSetContextThreadInternal+1696FCp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+150h]
		test	byte ptr [eax+64h], 20h
		jz	short loc_4461D5
		mov	eax, [edx]
		mov	ecx, 10001h
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_4461D5
		mov	ecx, [edx+0C4h]
		mov	edx, [esi+0A8h]
		call	RtlGuardIsValidStackPointer
		test	eax, eax
		jz	short loc_4461DB

loc_4461D5:				; CODE XREF: KeVerifyContextRecord(x,x,x,x,x)+Fj
					; KeVerifyContextRecord(x,x,x,x,x)+1Cj
		xor	eax, eax

loc_4461D7:				; CODE XREF: KeVerifyContextRecord(x,x,x,x,x)+3Ej
		pop	esi
		retn	0Ch
; 

loc_4461DB:				; CODE XREF: KeVerifyContextRecord(x,x,x,x,x)+31j
		mov	eax, 0C000000Dh
		jmp	short loc_4461D7
_KeVerifyContextRecord@20 endp


;  S U B	R O U T	I N E 


; __stdcall RtlLocateLegacyContext(x, x)
_RtlLocateLegacyContext@8 proc near	; CODE XREF: KiContinuePreviousModeUser+81p
		mov	edi, edi
		push	esi
		mov	esi, [ecx+8]
		push	edi
		mov	edi, [ecx]
		cmp	edi, esi
		jg	short loc_446203
		mov	edx, [ecx+0Ch]
		mov	eax, [ecx+4]
		add	edx, esi
		add	eax, edi
		cmp	eax, edx
		jl	short loc_446203
		lea	eax, [esi+ecx]

loc_446200:				; CODE XREF: RtlLocateLegacyContext(x,x)+23j
		pop	edi
		pop	esi
		retn
; 

loc_446203:				; CODE XREF: RtlLocateLegacyContext(x,x)+Bj
					; RtlLocateLegacyContext(x,x)+19j
		xor	eax, eax
		jmp	short loc_446200
_RtlLocateLegacyContext@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiRecordDr7	proc near		; CODE XREF: KeContextToKframes+3FEp
					; VdmOpcodeSetDrx+A4p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005ADAF4 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		test	esi, esi
		jz	loc_5ADAF4
		mov	bl, [esi]

loc_44621C:				; CODE XREF: KiRecordDr7+1678F8j
		xor	eax, eax
		mov	dl, bl
		mov	[ebp+var_4], eax
		cmp	[ecx], eax
		jnz	loc_5ADB13
		and	dl, 7Fh
		test	dl, 4Fh
		jnz	loc_5ADB05

loc_446237:				; CODE XREF: KiRecordDr7+167906j
					; KiRecordDr7+167919j
		test	esi, esi
		jz	loc_5ADB26
		mov	[esi], dl

loc_446241:				; CODE XREF: KiRecordDr7+167920j
					; KiRecordDr7+167932j
		mov	al, byte ptr [ebp+var_4]
		pop	esi
		pop	ebx
		leave
		retn
KiRecordDr7	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2079. RtlFindClearBitsAndSet

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlFindClearBitsAndSet
RtlFindClearBitsAndSet proc near	; CODE XREF: RtlpHpFixedVsAllocate+4Ep
					; BgpFwReserveAllocate+1Ap ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005ADB3F SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [eax]
		cmp	[ebp+arg_8], esi
		push	edi
		mov	edi, [eax+4]
		sbb	ecx, ecx
		and	ecx, [ebp+arg_8]
		lea	ebx, [esi-1]
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], edi
		test	edx, edx
		jz	loc_5ADB3F

loc_446280:				; CODE XREF: RtlFindClearBitsAndSet+19Bj
		and	[ebp+var_18], 0
		mov	eax, ebx
		sub	eax, ecx
		inc	eax
		cmp	eax, edx
		jb	loc_446576
		mov	eax, ebx
		and	ecx, 1Fh
		sub	eax, edx
		xor	edx, edx
		inc	eax
		inc	edx
		mov	[ebp+var_14], eax
		shr	eax, 5
		shl	edx, cl
		dec	edx
		lea	eax, [edi+eax*4]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_C]
		shr	eax, 5
		lea	esi, [edi+eax*4]
		mov	edi, [esi]
		or	edi, edx
		mov	edx, [ebp+arg_4]
		cmp	edx, 3Fh
		ja	loc_4464AE
		cmp	edx, 20h
		jnb	loc_4463EE
		cmp	edx, 1
		ja	short loc_446323
		cmp	edi, 0FFFFFFFFh
		jz	loc_446383

loc_4462DB:				; CODE XREF: RtlFindClearBitsAndSet+146j
		not	edi
		mov	ecx, esi
		bsf	eax, edi
		mov	edi, [ebp+var_4]
		sub	ecx, edi
		sar	ecx, 2
		shl	ecx, 5
		add	ecx, eax

loc_4462EF:				; CODE XREF: RtlFindClearBitsAndSet+130j
		cmp	ecx, [ebp+var_14]
		ja	loc_44656E

loc_4462F8:				; CODE XREF: RtlFindClearBitsAndSet+1D1j
					; RtlFindClearBitsAndSet+1F5j
		cmp	ecx, 0FFFFFFFFh
		jz	loc_44644E

loc_446301:				; CODE XREF: RtlFindClearBitsAndSet+182j
		mov	edx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]

loc_446307:				; CODE XREF: RtlFindClearBitsAndSet+1678F4j
		mov	[ebp+var_C], ecx
		pop	edi
		pop	esi
		pop	ebx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_44631D
		push	edx
		push	ecx
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	ecx, [ebp+var_C]

loc_44631D:				; CODE XREF: RtlFindClearBitsAndSet+C2j
		mov	eax, ecx
		leave
		retn	0Ch
; 

loc_446323:				; CODE XREF: RtlFindClearBitsAndSet+82j
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		shr	ebx, 5
		lea	eax, [eax+ebx*4]
		mov	[ebp+var_18], eax

loc_446331:				; CODE XREF: RtlFindClearBitsAndSet+16Ej
		cmp	edi, 0FFFFFFFFh
		jz	loc_44646C

loc_44633A:				; CODE XREF: RtlFindClearBitsAndSet+235j
		and	[ebp+var_2C], 0
		bsf	eax, edi
		jz	loc_446499

loc_446347:				; CODE XREF: RtlFindClearBitsAndSet+24Ej
		add	eax, ecx
		cmp	eax, edx
		jnb	loc_446492
		mov	ebx, [ebp+arg_4]
		mov	edx, edi
		not	edx

loc_446358:				; CODE XREF: RtlFindClearBitsAndSet+11Bj
		mov	ecx, ebx
		mov	eax, edx
		shr	ecx, 1
		shr	eax, cl
		and	edx, eax
		jz	short loc_446399
		sub	ebx, ecx
		cmp	ebx, 1
		ja	short loc_446358
		bsf	ecx, edx
		mov	edx, [ebp+arg_4]

loc_446371:				; CODE XREF: RtlFindClearBitsAndSet+246j
		mov	edi, [ebp+var_4]
		sub	esi, edi
		sar	esi, 2
		shl	esi, 5
		add	ecx, esi
		jmp	loc_4462EF
; 

loc_446383:				; CODE XREF: RtlFindClearBitsAndSet+87j
		mov	eax, [ebp+var_10]

loc_446386:				; CODE XREF: RtlFindClearBitsAndSet+144j
		add	esi, 4
		cmp	esi, eax
		ja	short loc_4463C3
		mov	edi, [esi]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_446386
		jmp	loc_4462DB
; 

loc_446399:				; CODE XREF: RtlFindClearBitsAndSet+114j
		cmp	esi, [ebp+var_18]
		jz	loc_446448
		and	[ebp+var_30], 0
		bsr	eax, edi
		jz	loc_5ADB4F
		push	1Fh
		pop	ecx
		sub	ecx, eax

loc_4463B4:				; CODE XREF: RtlFindClearBitsAndSet+167904j
		mov	edx, [ebp+arg_4]
		add	esi, 4
		mov	edi, [esi]
		jmp	loc_446331
; 

loc_4463C1:				; CODE XREF: RtlFindClearBitsAndSet+210j
		mov	edx, ebx

loc_4463C3:				; CODE XREF: RtlFindClearBitsAndSet+13Dj
					; RtlFindClearBitsAndSet+226j ...
		mov	edi, [ebp+var_4]
		or	ecx, 0FFFFFFFFh

loc_4463C9:				; CODE XREF: RtlFindClearBitsAndSet+203j
					; RtlFindClearBitsAndSet+23Fj ...
		mov	esi, [ebp+var_8]

loc_4463CC:				; CODE XREF: RtlFindClearBitsAndSet+32Bj
		cmp	[ebp+var_C], 0
		jz	loc_446301
		mov	ebx, [ebp+arg_8]
		add	ebx, edx
		cmp	ebx, esi
		ja	loc_446567

loc_4463E3:				; CODE XREF: RtlFindClearBitsAndSet+31Bj
		dec	ebx
		xor	ecx, ecx
		mov	[ebp+var_C], ecx
		jmp	loc_446280
; 

loc_4463EE:				; CODE XREF: RtlFindClearBitsAndSet+79j
		mov	ebx, edx

loc_4463F0:				; CODE XREF: RtlFindClearBitsAndSet+1F0j
		test	edi, edi

loc_4463F2:				; CODE XREF: RtlFindClearBitsAndSet+2FCj
		js	short loc_446456

loc_4463F4:				; CODE XREF: RtlFindClearBitsAndSet+21Cj
		and	[ebp+var_24], 0
		bsr	eax, edi
		jz	loc_4464A1
		push	1Fh
		pop	edx
		sub	edx, eax

loc_446406:				; CODE XREF: RtlFindClearBitsAndSet+256j
		mov	edi, [ebp+var_4]
		mov	ecx, esi
		sub	ecx, edi
		sar	ecx, 2
		inc	ecx
		shl	ecx, 5
		sub	ecx, edx
		cmp	ecx, [ebp+var_14]
		ja	short loc_446488
		mov	eax, ebx
		sub	eax, edx
		jz	loc_4462F8
		add	esi, 4
		mov	edi, [esi]
		cmp	eax, 20h
		jnb	loc_446548

loc_446433:				; CODE XREF: RtlFindClearBitsAndSet+310j
		and	[ebp+var_28], 0
		bsf	edx, edi
		jz	short loc_4464A9

loc_44643C:				; CODE XREF: RtlFindClearBitsAndSet+25Ej
		cmp	edx, eax
		jb	short loc_4463F0

loc_446440:				; CODE XREF: RtlFindClearBitsAndSet+2DCj
					; RtlFindClearBitsAndSet+2F2j ...
		mov	edi, [ebp+var_4]
		jmp	loc_4462F8
; 

loc_446448:				; CODE XREF: RtlFindClearBitsAndSet+14Ej
		mov	edi, [ebp+var_4]
		or	ecx, 0FFFFFFFFh

loc_44644E:				; CODE XREF: RtlFindClearBitsAndSet+ADj
		mov	edx, [ebp+arg_4]
		jmp	loc_4463C9
; 

loc_446456:				; CODE XREF: RtlFindClearBitsAndSet:loc_4463F2j
		mov	eax, [ebp+var_10]

loc_446459:				; CODE XREF: RtlFindClearBitsAndSet+21Aj
		add	esi, 4
		cmp	esi, eax
		ja	loc_4463C1
		mov	edi, [esi]
		test	edi, edi
		js	short loc_446459
		jmp	short loc_4463F4
; 

loc_44646C:				; CODE XREF: RtlFindClearBitsAndSet+E6j
		mov	eax, [ebp+var_10]

loc_44646F:				; CODE XREF: RtlFindClearBitsAndSet+231j
		add	esi, 4
		cmp	esi, eax
		ja	loc_4463C3
		mov	edi, [esi]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_44646F
		xor	ecx, ecx
		jmp	loc_44633A
; 

loc_446488:				; CODE XREF: RtlFindClearBitsAndSet+1CBj
		or	ecx, 0FFFFFFFFh
		mov	edx, ebx
		jmp	loc_4463C9
; 

loc_446492:				; CODE XREF: RtlFindClearBitsAndSet+FDj
		neg	ecx
		jmp	loc_446371
; 

loc_446499:				; CODE XREF: RtlFindClearBitsAndSet+F3j
		push	20h
		pop	eax
		jmp	loc_446347
; 

loc_4464A1:				; CODE XREF: RtlFindClearBitsAndSet+1ADj
		push	20h
		pop	edx
		jmp	loc_446406
; 

loc_4464A9:				; CODE XREF: RtlFindClearBitsAndSet+1ECj
		push	20h
		pop	edx
		jmp	short loc_44643C
; 

loc_4464AE:				; CODE XREF: RtlFindClearBitsAndSet+70j
		test	byte ptr [ebp+var_14], 1Fh
		mov	ebx, [ebp+var_10]
		jz	short loc_4464BA
		add	ebx, 4

loc_4464BA:				; CODE XREF: RtlFindClearBitsAndSet+267j
		test	edi, edi
		jz	loc_446563
		add	esi, 4
		cmp	dword ptr [esi], 0
		jnz	short loc_4464D6
		and	[ebp+var_10], 0
		bsr	ecx, edi
		jmp	short loc_4464F0
; 

loc_4464D3:				; CODE XREF: RtlFindClearBitsAndSet+2D7j
					; RtlFindClearBitsAndSet+2F8j
		mov	edx, [ebp+arg_4]

loc_4464D6:				; CODE XREF: RtlFindClearBitsAndSet+27Aj
					; RtlFindClearBitsAndSet+296j
		cmp	esi, ebx
		ja	loc_4463C3
		add	esi, 4
		cmp	dword ptr [esi], 0
		jnz	short loc_4464D6
		mov	eax, [esi-4]
		and	[ebp+var_1C], 0
		bsr	ecx, eax

loc_4464F0:				; CODE XREF: RtlFindClearBitsAndSet+283j
		jz	loc_5ADB47
		push	1Fh
		pop	eax
		sub	eax, ecx

loc_4464FB:				; CODE XREF: RtlFindClearBitsAndSet+317j
					; RtlFindClearBitsAndSet+1678FCj
		mov	edi, [ebp+var_4]
		mov	ecx, esi
		sub	ecx, edi
		sar	ecx, 2
		shl	ecx, 5
		sub	ecx, eax
		cmp	ecx, [ebp+var_14]
		ja	short loc_44656E
		sub	edx, eax
		mov	eax, edx
		shr	eax, 5
		lea	edi, [esi+eax*4]

loc_446519:				; CODE XREF: RtlFindClearBitsAndSet+2D5j
		add	esi, 4
		cmp	esi, edi
		jz	short loc_446527
		cmp	dword ptr [esi], 0
		jz	short loc_446519
		jmp	short loc_4464D3
; 

loc_446527:				; CODE XREF: RtlFindClearBitsAndSet+2D0j
		and	edx, 1Fh
		jz	loc_446440
		mov	eax, [esi]
		and	[ebp+var_20], 0
		bsf	eax, eax
		jnz	short loc_44653E
		push	20h
		pop	eax

loc_44653E:				; CODE XREF: RtlFindClearBitsAndSet+2EBj
		cmp	eax, edx
		jnb	loc_446440
		jmp	short loc_4464D3
; 

loc_446548:				; CODE XREF: RtlFindClearBitsAndSet+1DFj
		test	edi, edi
		jnz	loc_4463F2
		sub	eax, 20h
		jz	loc_446440
		add	esi, 4
		mov	edi, [esi]
		jmp	loc_446433
; 

loc_446563:				; CODE XREF: RtlFindClearBitsAndSet+26Ej
		xor	eax, eax
		jmp	short loc_4464FB
; 

loc_446567:				; CODE XREF: RtlFindClearBitsAndSet+18Fj
		mov	ebx, esi
		jmp	loc_4463E3
; 

loc_44656E:				; CODE XREF: RtlFindClearBitsAndSet+A4j
					; RtlFindClearBitsAndSet+2BFj
		or	ecx, 0FFFFFFFFh
		jmp	loc_4463C9
; 

loc_446576:				; CODE XREF: RtlFindClearBitsAndSet+3Dj
		or	ecx, 0FFFFFFFFh
		jmp	loc_4463CC
RtlFindClearBitsAndSet endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeResumeThread(x)
_KeResumeThread@4 proc near		; CODE XREF: KeAlertResumeThread(x)+18p
					; PsResumeThread+Cp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, large fs:20h
		lea	ecx, [esi+1C4h]
		mov	byte ptr [ebp+var_4], al
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	al, [esi+18Ch]
		movsx	ebx, al
		test	al, al
		jz	short loc_4465CF
		sub	al, 1
		mov	[esi+18Ch], al
		jnz	short loc_4465CF
		test	dword ptr [esi+5Ch], 4000h
		jnz	short loc_4465CF
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	KiResumeThread

loc_4465CF:				; CODE XREF: KeResumeThread(x)+31j
					; KeResumeThread(x)+3Bj ...
		mov	ecx, 0FFFFFF7Fh
		lea	eax, [esi+1C4h]
		lock and [eax],	ecx
		push	[ebp+var_4]
		xor	edx, edx
		mov	ecx, edi
		push	0
		push	1
		call	KiExitDispatcher
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_KeResumeThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExQueueWorkItemEx(x, x, x)
_ExQueueWorkItemEx@12 proc near		; CODE XREF: KeTerminateThread+107p
					; PopFxResidentTimeoutDpcRoutine(x,x,x,x)+Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	ExpValidateWorkItem
		cmp	esi, 7
		jnb	short loc_44662B
		mov	esi, ds:_ExpBuiltinPriorities[esi*4]

loc_446610:				; CODE XREF: ExQueueWorkItemEx(x,x,x)+3Aj
		mov	eax, ds:_PspSystemPartition
		mov	edx, edi
		push	0
		push	[ebp+arg_0]
		mov	ecx, [eax+8]
		push	esi
		call	ExpQueueWorkItem
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_44662B:				; CODE XREF: ExQueueWorkItemEx(x,x,x)+13j
		add	esi, 0FFFFFFE0h
		jmp	short loc_446610
_ExQueueWorkItemEx@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1181. KeInitializeTimer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeTimer(x)
		public _KeInitializeTimer@4
_KeInitializeTimer@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_0]
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		pop	ebp
		retn	4
_KeInitializeTimer@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSuspendThread	proc near		; CODE XREF: PAGELK:0071FA02p
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+3BAp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005ADB57 SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		lea	edi, [esi+1C4h]
		mov	eax, large fs:20h
		mov	ecx, edi
		mov	byte ptr [ebp+var_8], bl
		mov	[ebp+var_4], eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	cl, [esi+18Ch]
		movsx	eax, cl
		mov	[ebp+var_C], eax
		cmp	eax, 7Fh
		jz	loc_5ADB57
		mov	ebx, [ebp+var_4]
		inc	cl
		mov	[esi+18Ch], cl
		mov	edx, ebx
		mov	ecx, esi
		call	KiSuspendThread
		test	al, al
		jz	short loc_4466C5

loc_4466A5:				; CODE XREF: KeSuspendThread+81j
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		push	[ebp+var_8]
		xor	edx, edx
		mov	ecx, ebx
		push	0
		push	1
		call	KiExitDispatcher
		mov	eax, [ebp+var_C]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4466C5:				; CODE XREF: KeSuspendThread+59j
		dec	byte ptr [esi+18Ch]
		jmp	short loc_4466A5
KeSuspendThread	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSuspendThread	proc near		; CODE XREF: KeSuspendThread+52p
					; KiFreezeSingleThread(x,x)+22p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 005ADB95 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_20], 0
		and	[ebp+var_1C], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], edx
		push	edi
		xor	bl, bl
		and	[ebp+var_14], 0
		lea	edi, [esi+2Ch]
		mov	[ebp+var_C], edi

loc_4466F2:				; CODE XREF: KiSuspendThread+23Aj
		lock bts dword ptr [edi], 0
		jb	loc_4468FA
		test	dword ptr [esi+58h], 4000h
		jz	short loc_44675E
		xor	ebx, ebx
		inc	ebx
		cmp	dword ptr [esi+1C8h], 0
		jz	short loc_44675E
		and	dword ptr [esi+1C8h], 0
		lea	edi, [esi+190h]
		xor	cl, cl
		cmp	[esi+1BEh], cl
		jnz	short loc_446738
		mov	ecx, edi
		mov	[esi+1BEh], bl
		call	KiInsertQueueApc
		mov	cl, bl

loc_446738:				; CODE XREF: KiSuspendThread+59j
		cmp	ds:_KiDisableLightWeightSuspend, 0
		jnz	short loc_44674B
		mov	al, [esi+90h]
		cmp	al, 5
		jz	short loc_44676B

loc_44674B:				; CODE XREF: KiSuspendThread+71j
					; KiSuspendThread+A4j ...
		test	cl, cl
		jz	short loc_44675B
		mov	ecx, [ebp+var_10]
		mov	edx, edi
		push	2
		call	_KiSignalThreadForApc@12 ; KiSignalThreadForApc(x,x,x)

loc_44675B:				; CODE XREF: KiSuspendThread+7Fj
		mov	edi, [ebp+var_C]

loc_44675E:				; CODE XREF: KiSuspendThread+36j
					; KiSuspendThread+42j ...
		mov	dword ptr [edi], 0
		mov	al, bl
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_44676B:				; CODE XREF: KiSuspendThread+7Bj
		mov	al, [esi+54h]
		and	al, 7
		cmp	al, bl
		jnz	short loc_44674B
		cmp	dword ptr [esi+13Ch], 0
		jnz	short loc_44674B
		cmp	byte ptr [esi+92h], 0
		jnz	short loc_44674B
		cmp	byte ptr [esi+84h], 0
		jnz	short loc_44674B
		cmp	byte ptr [esi+16Ah], 0
		jnz	short loc_44674B
		mov	eax, [esi+98h]
		mov	al, [eax+9]
		cmp	al, 5
		jz	short loc_4467B0
		mov	eax, [esi+98h]
		cmp	[eax+8], bl
		jnz	short loc_44674B

loc_4467B0:				; CODE XREF: KiSuspendThread+D5j
		movsx	eax, byte ptr [esi+93h]
		shl	eax, 12h
		xor	eax, [esi+58h]
		and	eax, 40000h
		mov	byte ptr [esi+54h], 3
		xor	[esi+58h], eax
		mov	[esi+85h], bl
		mov	dword ptr [esi+2Ch], 0
		movzx	eax, byte ptr [esi+16Bh]
		mov	ecx, [esi+98h]
		imul	eax, 18h
		lea	edi, [ecx+9]
		add	eax, ecx
		mov	[ebp+var_8], eax
		mov	ecx, eax

loc_4467F0:				; CODE XREF: KiSuspendThread+16Fj
		mov	al, [edi]
		cmp	al, 5
		jnb	short loc_446835
		mov	eax, [edi+7]
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	byte ptr [edi],	4
		jnz	short loc_446824
		mov	ecx, [edi-9]
		lea	edx, [edi-9]
		mov	eax, [edi-5]
		cmp	[ecx+4], edx
		jz	short loc_44681B

loc_446816:				; CODE XREF: KiSuspendThread+14Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_44681B:				; CODE XREF: KiSuspendThread+146j
		cmp	[eax], edx
		jnz	short loc_446816
		mov	[eax], ecx
		mov	[ecx+4], eax

loc_446824:				; CODE XREF: KiSuspendThread+138j
		mov	eax, [ebp+var_C]
		mov	ecx, 0FFFFFF7Fh
		lock and [eax],	ecx
		mov	ecx, [ebp+var_8]
		mov	byte ptr [edi],	6

loc_446835:				; CODE XREF: KiSuspendThread+126j
		add	edi, 18h
		lea	eax, [edi-9]
		cmp	eax, ecx
		jnz	short loc_4467F0
		test	dword ptr [esi+58h], 200h
		jnz	short loc_4468A6

loc_446848:				; CODE XREF: KiSuspendThread+227j
					; KiSuspendThread+24Cj	...
		lea	eax, [esi+5Ch]
		test	dword ptr [eax], 4000h
		jz	short loc_446865
		lock bts dword ptr [eax], 14h
		jb	short loc_446865
		mov	ecx, [esi+80h]
		call	@KiDecrementProcessStackCount@4	; KiDecrementProcessStackCount(x)

loc_446865:				; CODE XREF: KiSuspendThread+183j
					; KiSuspendThread+18Aj
		and	[ebp+var_18], 0
		lea	edi, [esi+2Ch]

loc_44686C:				; CODE XREF: KiSuspendThread+1674F5j
		lock bts dword ptr [edi], 0
		jb	loc_5ADBB5
		mov	ecx, [esi+58h]
		mov	eax, ecx
		and	eax, 200h
		and	ecx, 0FFFDFDFFh
		shl	eax, 8
		or	eax, ecx
		mov	[esi+58h], eax
		mov	al, [esi+54h]
		and	al, 0FCh
		or	al, 4
		mov	[esi+54h], al
		test	al, 20h
		jz	loc_44675E
		jmp	loc_5ADBC8
; 

loc_4468A6:				; CODE XREF: KiSuspendThread+178j
		call	KeQueryInterruptTime
		mov	[ebp+var_C], edx
		lea	edi, [esi+0B8h]
		mov	dl, bl
		mov	[ebp+var_8], eax
		mov	ecx, edi
		call	KiCancelTimer
		test	al, al
		jz	loc_5ADB72
		mov	eax, [edi+14h]
		mov	ecx, [ebp+var_C]
		mov	edx, [edi+10h]
		mov	[ebp+var_18], eax
		cmp	eax, ecx
		ja	short loc_44690D
		jb	short loc_446912
		mov	eax, [ebp+var_8]
		cmp	edx, eax
		jbe	short loc_446912

loc_4468E1:				; CODE XREF: KiSuspendThread+242j
		test	[edi+1], bl
		jnz	loc_5ADB95
		sub	eax, edx
		mov	[edi+10h], eax
		sbb	ecx, [ebp+var_18]
		mov	[edi+14h], ecx
		jmp	loc_446848
; 

loc_4468FA:				; CODE XREF: KiSuspendThread+29j
					; KiSuspendThread+238j
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_4468FA
		jmp	loc_4466F2
; 

loc_44690D:				; CODE XREF: KiSuspendThread+208j
		mov	eax, [ebp+var_8]
		jmp	short loc_4468E1
; 

loc_446912:				; CODE XREF: KiSuspendThread+20Aj
					; KiSuspendThread+211j
		and	dword ptr [edi+10h], 0
		and	dword ptr [edi+14h], 0
		jmp	loc_446848
KiSuspendThread	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1188. KeInsertQueueApc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeInsertQueueApc
KeInsertQueueApc proc near		; CODE XREF: MiStoreModifiedWriteDereference(x)+47p
					; .text:00522DB3p ...

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005ADBDE SIZE 0000006B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	0
		push	3000h
		push	0
		push	dword_6BC124
		push	_EtwThreatIntProvRegHandle
		call	EtwProviderEnabled
		mov	esi, [ebp+arg_0]
		mov	bl, al
		mov	dl, [esi+2Dh]
		mov	eax, [esi+20h]
		test	dl, dl
		mov	[esp+28h+var_8], eax
		mov	eax, [esi+1Ch]
		setnz	cl
		cmp	dword ptr [esi+14h], offset _KeSpecialUserApcKernelRoutine@20 ;	KeSpecialUserApcKernelRoutine(x,x,x,x,x)
		mov	[esp+28h+var_4], eax
		mov	byte ptr [esp+28h+var_C], cl
		jz	loc_5ADBDE

loc_446978:				; CODE XREF: KeInsertQueueApc+1672BCj
		xor	cl, cl

loc_44697A:				; CODE XREF: KeInsertQueueApc+1672C4j
		mov	edi, [esi+8]
		mov	eax, large fs:124h
		test	dl, dl
		jnz	loc_446A57
		mov	eax, [eax+80h]

loc_446991:				; CODE XREF: KeInsertQueueApc+139j
		cmp	eax, [edi+150h]
		setnz	al
		test	bl, bl
		jz	short loc_4469A6
		test	al, al
		jnz	loc_446A42

loc_4469A6:				; CODE XREF: KeInsertQueueApc+78j
					; KeInsertQueueApc+128j
		mov	[esp+28h+var_19], 0

loc_4469AB:				; CODE XREF: KeInsertQueueApc+1672DAj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [esp+28h+var_14], al
		lea	ebx, [edi+2Ch]
		mov	eax, large fs:20h
		and	[esp+28h+var_10], 0
		mov	[esp+28h+var_18], eax

loc_4469C7:				; CODE XREF: KeInsertQueueApc+14Dj
		lock bts dword ptr [ebx], 0
		jb	loc_446A62
		test	dword ptr [edi+58h], 4000h
		jz	loc_5ADC03
		cmp	byte ptr [esi+2Eh], 0
		jnz	loc_5ADC03
		mov	eax, [ebp+arg_4]
		mov	ecx, esi
		mov	[esi+24h], eax
		mov	eax, [ebp+arg_8]
		mov	byte ptr [esi+2Eh], 1
		mov	[esi+28h], eax
		call	KiInsertQueueApc
		push	[esp+28h+var_14]
		mov	edx, esi
		mov	esi, [esp+2Ch+var_18]
		mov	ecx, esi
		call	_KiSignalThreadForApc@12 ; KiSignalThreadForApc(x,x,x)
		mov	bl, 1

loc_446A13:				; CODE XREF: KeInsertQueueApc+1672E5j
		push	[esp+28h+var_14]
		xor	edx, edx
		mov	dword ptr [edi+2Ch], 0
		push	[ebp+arg_C]
		mov	ecx, esi
		push	1
		call	KiExitDispatcher
		cmp	[esp+28h+var_19], 0
		jnz	loc_5ADC0E

loc_446A37:				; CODE XREF: KeInsertQueueApc+167320j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_446A42:				; CODE XREF: KeInsertQueueApc+7Cj
		test	dl, dl
		jnz	loc_5ADBED
		test	cl, cl
		jz	loc_4469A6
		jmp	loc_5ADBED
; 

loc_446A57:				; CODE XREF: KeInsertQueueApc+61j
		mov	eax, [eax+150h]
		jmp	loc_446991
; 

loc_446A62:				; CODE XREF: KeInsertQueueApc+A8j
					; KeInsertQueueApc+14Bj
		lea	ecx, [esp+28h+var_10]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_446A62
		jmp	loc_4469C7
KeInsertQueueApc endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSignalThreadForApc(x, x, x)
_KiSignalThreadForApc@12 proc near	; CODE XREF: KiSchedulerApc+F8p
					; KiInsertDeferredPreemptionApc(x,x,x)+5Ep ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movsx	eax, byte ptr [edx+2Ch]
		push	ebx
		mov	bl, [edx+2Dh]
		push	esi
		push	edi
		mov	edi, [edx+8]
		mov	[ebp+var_4], ecx
		movzx	esi, byte ptr [edi+16Ah]
		cmp	eax, esi
		jnz	short loc_446AB9
		cmp	edi, [ecx+4]
		jnz	short loc_446AC0
		test	bl, bl
		jnz	short loc_446AB9
		mov	ecx, [edx+1Ch]
		xor	eax, eax
		cmp	[edi+13Ch], eax
		jz	loc_446B57
		test	ecx, ecx
		jz	loc_446B4A

loc_446AB9:				; CODE XREF: KiSignalThreadForApc(x,x,x)+1Fj
					; KiSignalThreadForApc(x,x,x)+28j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_446AC0:				; CODE XREF: KiSignalThreadForApc(x,x,x)+24j
		test	bl, bl
		jnz	loc_446B71
		xor	eax, eax
		mov	byte ptr [edi+85h], 1
		mov	[ebp+arg_0], eax
		lea	esi, [ebp+arg_0]
		xor	ebx, ebx
		lock or	[esi], ebx
		mov	bl, [edi+90h]
		cmp	bl, 2
		jz	short loc_446B26
		cmp	bl, 5
		jnz	short loc_446AB9
		cmp	[edi+92h], al
		jnz	short loc_446AB9
		cmp	[edi+13Eh], ax
		jnz	short loc_446AB9
		cmp	[edx+1Ch], eax
		jz	short loc_446B13
		cmp	[edi+13Ch], ax
		jnz	short loc_446AB9
		cmp	[edi+84h], al
		jnz	short loc_446AB9

loc_446B13:				; CODE XREF: KiSignalThreadForApc(x,x,x)+8Aj
		push	eax
		push	100h
		mov	edx, edi
		call	KiSignalThread
		or	byte ptr [edi+54h], 20h
		jmp	short loc_446AB9
; 

loc_446B26:				; CODE XREF: KiSignalThreadForApc(x,x,x)+6Fj
		mov	ecx, [edi+148h]
		movzx	eax, large byte	ptr fs:51h
		and	ecx, 7FFFFFFFh
		cmp	eax, ecx
		jz	short loc_446B64
		mov	dl, 1
		call	_KiSendSoftwareInterrupt@8 ; KiSendSoftwareInterrupt(x,x)
		jmp	loc_446AB9
; 

loc_446B4A:				; CODE XREF: KiSignalThreadForApc(x,x,x)+3Dj
		cmp	[edi+13Eh], ax
		jnz	loc_446AB9

loc_446B57:				; CODE XREF: KiSignalThreadForApc(x,x,x)+35j
		cmp	byte ptr [ebp+arg_0], 1
		mov	byte ptr [edi+85h], 1
		jb	short loc_446BE1

loc_446B64:				; CODE XREF: KiSignalThreadForApc(x,x,x)+C6j
		mov	cl, 1
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		jmp	loc_446AB9
; 

loc_446B71:				; CODE XREF: KiSignalThreadForApc(x,x,x)+4Cj
		mov	al, [edi+90h]
		cmp	al, 5
		jnz	loc_446AB9
		cmp	byte ptr [edi+93h], 1
		jnz	loc_446AB9
		mov	cl, [edi+54h]
		mov	al, cl
		and	al, 7
		cmp	al, 4
		jz	loc_446AB9
		cmp	al, 3
		jz	loc_446AB9
		test	byte ptr [edi+58h], 10h
		jnz	short loc_446BB6
		test	byte ptr [edi+86h], 2
		jz	loc_446AB9

loc_446BB6:				; CODE XREF: KiSignalThreadForApc(x,x,x)+131j
		or	cl, 40h
		mov	edx, edi
		push	0
		mov	[edi+54h], cl
		mov	ecx, [ebp+var_4]
		push	0C0h
		call	KiSignalThread
		test	al, al
		jz	loc_446AB9
		or	byte ptr [edi+86h], 2
		jmp	loc_446AB9
; 

loc_446BE1:				; CODE XREF: KiSignalThreadForApc(x,x,x)+ECj
		or	dword ptr [edi+58h], 40h
		jmp	loc_446AB9
_KiSignalThreadForApc@12 endp


;  S U B	R O U T	I N E 


KiInsertQueueApc proc near		; CODE XREF: KiSchedulerApc+E7p
					; KiInsertDeferredPreemptionApc(x,x,x)+4Fp ...

; FUNCTION CHUNK AT 005ADC49 SIZE 0000001C BYTES

		cmp	byte ptr [ecx+2Ch], 0
		mov	edx, [ecx+8]
		jnz	short loc_446C00
		cmp	byte ptr [edx+16Ah], 0
		jnz	loc_446C8E

loc_446C00:				; CODE XREF: KiInsertQueueApc+7j
		mov	al, [edx+16Ah]
		push	70h
		mov	[ecx+2Ch], al
		pop	eax

loc_446C0C:				; CODE XREF: KiInsertQueueApc+A9j
		cmp	dword ptr [ecx+1Ch], 0
		push	esi
		lea	esi, [eax+edx]
		mov	al, [ecx+2Dh]
		push	edi
		jz	short loc_446C69
		test	al, al
		jnz	short loc_446C3B

loc_446C1E:				; CODE XREF: KiInsertQueueApc+9Dj
		movsx	eax, al
		add	ecx, 0Ch
		lea	eax, [esi+eax*8]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_446C98
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx

loc_446C38:				; CODE XREF: KiInsertQueueApc+7Dj
		pop	edi
		pop	esi
		retn
; 

loc_446C3B:				; CODE XREF: KiInsertQueueApc+32j
		mov	edi, [ecx+14h]
		cmp	edi, offset KiSchedulerApcTerminate
		jnz	short loc_446C81
		or	byte ptr [edx+86h], 2
		movsx	eax, al
		lea	eax, [esi+eax*8]

loc_446C53:				; CODE XREF: KiInsertQueueApc+8Aj
					; KiInsertQueueApc+90j	...
		mov	edx, [eax]
		add	ecx, 0Ch
		cmp	[edx+4], eax
		jnz	short loc_446C98
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[edx+4], ecx
		mov	[eax], ecx
		jmp	short loc_446C38
; 

loc_446C69:				; CODE XREF: KiInsertQueueApc+2Ej
		movsx	eax, al
		lea	edx, [esi+eax*8]
		mov	eax, [edx+4]

loc_446C72:				; CODE XREF: KiInsertQueueApc+95j
		cmp	eax, edx
		jz	short loc_446C53
		cmp	dword ptr [eax+10h], 0
		jz	short loc_446C53
		mov	eax, [eax+4]
		jmp	short loc_446C72
; 

loc_446C81:				; CODE XREF: KiInsertQueueApc+5Aj
		cmp	edi, offset _KeSpecialUserApcKernelRoutine@20 ;	KeSpecialUserApcKernelRoutine(x,x,x,x,x)
		jnz	short loc_446C1E
		jmp	loc_5ADC49
; 

loc_446C8E:				; CODE XREF: KiInsertQueueApc+10j
		mov	eax, 174h
		jmp	loc_446C0C
; 

loc_446C98:				; CODE XREF: KiInsertQueueApc+42j
					; KiInsertQueueApc+71j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall EtwpTiFillProcessIdentity(x, x, x)
_EtwpTiFillProcessIdentity@12:		; CODE XREF: EtwTiLogInsertQueueUserApc(x,x,x,x,x,x,x)+D2p
					; EtwTiLogInsertQueueUserApc(x,x,x,x,x,x,x)+12Bp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		push	8
		pop	ebx
		lea	eax, [esi+0E4h]
		mov	[edi], eax
		lea	eax, [esi+100h]
		mov	[edi+10h], eax
		xor	eax, eax
		mov	[edi+4], ecx
		mov	[edi+0Ch], ecx
		mov	[edi+14h], ecx
		mov	[edi+1Ch], ecx
		mov	ecx, [ebp+8]
		mov	[edi+18h], ebx
		mov	dword ptr [edi+8], 4
		or	eax, [esi+3E8h]
		mov	edx, ds:0FFDF02C4h
		shl	edx, 10h
		or	edx, [esi+3ECh]
		mov	[ecx], eax
		lea	eax, [esi+3A4h]
		mov	[ecx+4], edx
		xor	edx, edx
		mov	[edi+30h], eax
		lea	eax, [esi+3A5h]
		mov	[edi+20h], ecx
		xor	ecx, ecx
		mov	[edi+40h], eax
		inc	ecx
		lea	eax, [esi+3A6h]
		mov	[edi+28h], ebx
		push	6
		mov	[edi+50h], eax
		pop	eax
		mov	[edi+24h], edx
		mov	[edi+2Ch], edx
		mov	[edi+34h], edx
		mov	[edi+38h], ecx
		mov	[edi+3Ch], edx
		mov	[edi+44h], edx
		mov	[edi+48h], ecx
		mov	[edi+4Ch], edx
		mov	[edi+54h], edx
		mov	[edi+58h], ecx
		mov	[edi+5Ch], edx
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
KiInsertQueueApc endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall EtwpTiFillThreadIdentity(x,	x)
_EtwpTiFillThreadIdentity@8 proc near	; CODE XREF: EtwTiLogMapExecView+B1p
					; EtwTiLogReadWriteVm+F3p ...
		mov	edi, edi
		push	esi
		lea	eax, [edx+2B0h]
		mov	dword ptr [ecx+8], 4
		mov	[ecx], eax
		xor	esi, esi
		lea	eax, [edx+280h]
		mov	[ecx+4], esi
		push	2
		mov	[ecx+10h], eax
		pop	eax
		mov	[ecx+0Ch], esi
		mov	[ecx+14h], esi
		mov	[ecx+1Ch], esi
		mov	dword ptr [ecx+18h], 8
		pop	esi
		retn
_EtwpTiFillThreadIdentity@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllowProtectionChange(x, x, x, x,	x, x)
_MiAllowProtectionChange@24 proc near	; CODE XREF: MiResetVirtualMemory+D20C5p
					; MmProtectVirtualMemory+3F6p ...

var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+2Ch+var_4], edx
		test	[ebp+arg_4], 2
		mov	ebx, ecx
		push	edi
		mov	[esp+30h+var_18], esi
		mov	[esp+30h+var_8], esi
		mov	[esp+30h+var_1C], esi
		mov	[esp+30h+var_10], esi
		mov	[esp+30h+var_C], esi
		jz	short loc_446DD1
		mov	eax, [ebp+arg_0]
		mov	ecx, 0C00h
		mov	edx, [eax+1Ch]
		mov	eax, edx
		and	eax, ecx
		cmp	eax, ecx
		setz	cl
		test	edx, 380h
		setnz	al
		test	cl, al
		jnz	loc_446E83

loc_446DD1:				; CODE XREF: MiAllowProtectionChange(x,x,x,x,x,x)+2Ej
		lea	ecx, [ebx+240h]
		mov	edi, esi
		call	MiLockWorkingSetShared
		mov	byte ptr [esp+30h+var_14], al
		mov	eax, [ebp+arg_8]
		cmp	eax, [ebp+arg_C]
		ja	short loc_446E5A
		test	[ebp+arg_4], 2
		setnz	[esp+30h+var_1D]

loc_446DF3:				; CODE XREF: MiAllowProtectionChange(x,x,x,x,x,x)+D7j
		mov	edx, [ebp+arg_C]
		lea	ecx, [esp+30h+var_10]
		push	ecx
		lea	ecx, [esp+34h+var_18]
		push	ecx
		lea	ecx, [esp+38h+var_C]
		push	ecx
		lea	ecx, [esp+3Ch+var_8]
		push	ecx
		lea	ecx, [esp+40h+var_1C]
		push	ecx
		push	esi
		push	[ebp+arg_0]
		mov	ecx, eax
		push	[esp+4Ch+var_14]
		call	_MiQueryAddressState@40	; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [esp+30h+var_1C]
		inc	ecx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, [esp+30h+var_1C]
		test	cl, 2
		mov	[esp+30h+var_1C], ecx
		setz	al
		test	[esp+30h+var_1D], al
		jnz	short loc_446E57
		test	cl, 2
		setnz	cl
		test	[ebp+arg_4], 4
		setnz	al
		test	cl, al
		jnz	short loc_446E57
		mov	eax, [esp+30h+var_18]
		cmp	eax, [ebp+arg_C]
		jbe	short loc_446DF3
		jmp	short loc_446E5A
; 

loc_446E57:				; CODE XREF: MiAllowProtectionChange(x,x,x,x,x,x)+BDj
					; MiAllowProtectionChange(x,x,x,x,x,x)+CEj
		xor	edi, edi
		inc	edi

loc_446E5A:				; CODE XREF: MiAllowProtectionChange(x,x,x,x,x,x)+6Cj
					; MiAllowProtectionChange(x,x,x,x,x,x)+D9j
		mov	dl, byte ptr [esp+30h+var_14]
		lea	ecx, [ebx+240h]
		call	MiUnlockWorkingSetShared
		test	edi, edi
		jz	short loc_446E78
		mov	ecx, [esp+30h+var_4]
		call	MiArbitraryCodeBlocked
		mov	esi, eax

loc_446E78:				; CODE XREF: MiAllowProtectionChange(x,x,x,x,x,x)+EFj
		mov	eax, esi

loc_446E7A:				; CODE XREF: MiAllowProtectionChange(x,x,x,x,x,x)+10Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_446E83:				; CODE XREF: MiAllowProtectionChange(x,x,x,x,x,x)+4Fj
		mov	eax, 0C0000045h
		jmp	short loc_446E7A
_MiAllowProtectionChange@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTraceMemoryAcg proc near		; CODE XREF: MiArbitraryCodeBlocked+2Ep
					; MiArbitraryCodeBlocked+1672E5p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005ADC65 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, dword_6BC304
		xor	ebx, ebx
		push	edi
		mov	edi, _EtwpMemoryProvRegHandle
		push	ebx
		push	100h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_18], ecx
		call	EtwProviderEnabled
		test	al, al
		jnz	loc_5ADC65

loc_446EC6:				; CODE XREF: EtwTraceMemoryAcg+166E06j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
EtwTraceMemoryAcg endp

; 
		align 10h
; Exported entry 1602. NtTraceEvent

		public NtTraceEvent
NtTraceEvent:				; DATA XREF: .text:00580BFCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0E68
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 100h
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		mov	[ebp-1Ch], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	ecx, [ebp+8]
		mov	[ebp-70h], ecx
		mov	ebx, [ebp+14h]
		mov	edi, [ebp+0Ch]
		mov	eax, edi
		and	eax, 0FF00h
		cmp	eax, 300h
		jnz	loc_447136
		mov	dword ptr [ebp-4], 0
		mov	eax, large fs:124h
		mov	[ebp-7Ch], eax
		mov	al, [eax+15Ah]
		mov	[ebp-91h], al
		test	al, al
		jz	short loc_446F7B
		test	bl, 3
		jnz	loc_4474E8
		lea	eax, [ebx+78h]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	loc_5AE094
		cmp	eax, ebx
		jb	loc_5AE094

loc_446F7B:				; CODE XREF: .text:00446F57j
					; .text:005AE097j
		mov	eax, [ebx+58h]
		mov	[ebp-84h], eax
		mov	[ebp-110h], eax
		mov	eax, [ebx+54h]
		mov	[ebp-8Ch], eax
		mov	[ebp-0F8h], eax
		movzx	eax, word ptr [ebx+52h]
		cdq
		mov	[ebp-0C0h], eax
		mov	[ebp-0BCh], edx
		mov	eax, [ebx+70h]
		mov	[ebp-74h], eax
		mov	[ebp-0FCh], eax
		mov	eax, [ebx+30h]
		mov	[ebp-80h], eax
		mov	[ebp-10Ch], eax
		mov	eax, [ebx+34h]
		mov	[ebp-7Ch], eax
		mov	[ebp-108h], eax
		mov	al, [ebx+2Ch]
		mov	[ebp-88h], al
		mov	dword ptr [ebp-78h], 0
		cmp	byte ptr [ebx+50h], 0
		jnz	loc_5AE09C

loc_446FE8:				; CODE XREF: .text:005AE0A2j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, ds:_EtwpRegistrationObjectType
		mov	dword ptr [ebp-6Ch], 0
		push	0
		lea	edx, [ebp-6Ch]
		push	edx
		push	1
		push	eax
		push	800h
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp-64h], eax
		test	eax, eax
		js	loc_447118
		mov	dword ptr [ebp-0B0h], 0
		mov	dword ptr [ebp-0ACh], 0
		mov	esi, [ebp-6Ch]
		mov	eax, [esi+10h]
		mov	[ebp-70h], eax
		mov	eax, [esi+14h]
		mov	[ebp-68h], eax
		mov	ecx, 8
		xor	eax, eax
		lea	edi, [ebp-3Ch]
		rep stosd
		mov	ecx, [esi+38h]
		lea	eax, [ecx+10h]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	[ebp-6Ch], ecx
		mov	dl, [esi+34h]
		mov	edi, [ebp-70h]
		test	dl, dl
		jz	short loc_4470AF
		lea	eax, [ebp-0B0h]
		push	eax
		push	ecx
		movzx	eax, word ptr [esi+32h]
		push	eax
		push	0
		lea	eax, [ebp-3Ch]
		push	eax
		push	dword ptr [ebp-84h]
		push	dword ptr [ebp-8Ch]
		push	dword ptr [ebp-7Ch]
		push	dword ptr [ebp-80h]
		push	dword ptr [ebp-88h]
		push	dword ptr [ebp-78h]
		push	ebx
		push	dword ptr [ebp-74h]
		push	dword ptr [ebp-0BCh]
		push	dword ptr [ebp-0C0h]
		push	0
		mov	ecx, edi
		call	_EtwpWriteUserEvent@72 ; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp-64h], eax
		mov	ecx, [ebp-6Ch]

loc_4470AF:				; CODE XREF: .text:00447060j
		mov	dl, [esi+35h]
		test	dl, dl
		jz	short loc_447101
		lea	eax, [ebp-0B0h]
		push	eax
		push	ecx
		movzx	eax, word ptr [esi+32h]
		push	eax
		push	dword ptr [ebp-68h]
		lea	eax, [ebp-3Ch]
		push	eax
		push	dword ptr [ebp-84h]
		push	dword ptr [ebp-8Ch]
		push	dword ptr [ebp-7Ch]
		push	dword ptr [ebp-80h]
		push	dword ptr [ebp-88h]
		push	dword ptr [ebp-78h]
		push	ebx
		push	dword ptr [ebp-74h]
		push	dword ptr [ebp-0BCh]
		push	dword ptr [ebp-0C0h]
		push	0
		mov	ecx, edi
		call	_EtwpWriteUserEvent@72 ; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp-64h], eax

loc_447101:				; CODE XREF: .text:004470B4j
		cmp	dword ptr [edi+168h], 0
		jnz	loc_5AE0A7

loc_44710E:				; CODE XREF: .text:005AE10Bj
					; .text:005AE162j
		mov	ecx, esi
		call	ObfDereferenceObject

loc_447115:				; CODE XREF: .text:004474CFj
					; .text:005ADEBFj
		mov	eax, [ebp-64h]

loc_447118:				; CODE XREF: .text:00447014j
					; .text:0044722Fj ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-1Ch]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_447136:				; CODE XREF: .text:00446F33j
		cmp	eax, 200h
		jnz	loc_447234
		mov	eax, ecx
		cdq
		mov	[ebp-90h], eax
		mov	[ebp-8Ch], edx
		cmp	dword ptr [ebp+10h], 28h
		jnz	loc_5AE02C
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		cmp	al, 1
		jnz	loc_5AE036
		mov	[ebp-64h], ebx
		mov	dword ptr [ebp-4], 2
		mov	eax, [ebp-64h]
		test	al, 3
		jnz	loc_4474E3
		mov	eax, [ebp-64h]
		add	eax, 28h
		cmp	eax, ds:_MmUserProbeAddress
		ja	loc_5AE040
		mov	eax, [ebp-64h]
		add	eax, 28h
		cmp	eax, [ebp-64h]
		jb	loc_5AE040

loc_4471A4:				; CODE XREF: .text:005AE048j
		mov	eax, [ebp-64h]
		mov	eax, [eax+18h]
		mov	[ebp-98h], eax
		mov	eax, [ebp-64h]
		mov	eax, [eax+20h]
		mov	[ebp-0A8h], eax
		mov	eax, [ebp-64h]
		mov	eax, [eax+1Ch]
		mov	[ebp-80h], eax
		cmp	eax, 10000h
		ja	loc_5AE04D
		mov	ecx, [ebp-0A8h]
		test	eax, eax
		jz	short loc_4471F3
		lea	edx, [ecx+eax]
		mov	esi, ds:_MmUserProbeAddress
		cmp	edx, esi
		ja	loc_5AE064
		cmp	edx, ecx
		jb	loc_5AE064

loc_4471F3:				; CODE XREF: .text:004471D8j
					; .text:005AE067j
		or	dword ptr [ebp-98h], 40h
		mov	[ebp-8Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	1
		push	ecx
		mov	eax, [ebp-64h]
		movzx	eax, word ptr [eax+4]
		push	eax
		mov	edx, [ebp-64h]
		add	edx, 8
		push	dword ptr [ebp-8Ch]
		push	dword ptr [ebp-90h]
		mov	ecx, [ebp-98h]
		call	EtwpTraceMessageVa
		jmp	loc_447118
; 

loc_447234:				; CODE XREF: .text:0044713Bj
		cmp	eax, 600h
		ja	loc_44732A
		jz	loc_5ADE15
		cmp	eax, 100h
		jz	loc_5ADDE6
		cmp	eax, 400h
		jz	loc_5ADCCF
		cmp	eax, 500h
		jnz	loc_5AE02C
		mov	eax, large fs:124h
		mov	esi, [eax+2ACh]
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edx, [eax+1F0h]
		cmp	[edx+8A8h], esi
		jnz	loc_5ADC95
		mov	dword ptr [ebp-4], 3
		test	bl, 3
		jnz	loc_4474D4
		lea	eax, [ebx+78h]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_5ADC9F
		cmp	eax, ebx
		jb	loc_5ADC9F

loc_4472B2:				; CODE XREF: .text:005ADCA2j
		mov	ecx, [ebx+58h]
		mov	[ebp-0E4h], ecx
		mov	esi, [ebx+54h]
		mov	[ebp-0E8h], esi
		mov	edi, [ebx+70h]
		mov	[ebp-0ECh], edi
		mov	eax, [ebx+30h]
		mov	[ebp-6Ch], eax
		mov	[ebp-104h], eax
		mov	eax, [ebx+34h]
		mov	[ebp-68h], eax
		mov	[ebp-100h], eax
		mov	al, [ebx+2Ch]
		mov	[ebp-0DCh], al
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		push	0
		push	0
		push	0
		push	0
		push	ecx
		push	esi
		push	dword ptr [ebp-68h]
		push	dword ptr [ebp-6Ch]
		push	dword ptr [ebp-0DCh]
		push	0
		push	ebx
		push	edi
		push	0
		push	0
		push	0
		lea	ecx, [edx+10h]
		mov	dl, [edx+8A0h]
		call	_EtwpWriteUserEvent@72 ; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_447118
; 

loc_44732A:				; CODE XREF: .text:00447239j
		cmp	eax, 700h
		jnz	loc_5ADEC4
		xor	eax, eax
		lea	edi, [ebp-4Ch]
		stosd
		stosd
		stosd
		stosd
		test	ecx, ecx
		jz	loc_5AE02C
		mov	dword ptr [ebp-4], 4
		test	bl, 3
		jnz	loc_4474D9
		lea	eax, [ebx+78h]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	loc_5ADF43
		cmp	eax, ebx
		jb	loc_5ADF43

loc_44736F:				; CODE XREF: .text:005ADF46j
		test	cl, 3
		jnz	loc_4474DE
		lea	eax, [ecx+10h]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	loc_5ADF4B
		cmp	eax, ecx
		jb	loc_5ADF4B

loc_447391:				; CODE XREF: .text:005ADF4Ej
		mov	eax, [ebx+58h]
		mov	[ebp-0C4h], eax
		mov	eax, [ebx+54h]
		mov	[ebp-9Ch], eax
		mov	eax, [ebx+70h]
		mov	[ebp-0A4h], eax
		mov	eax, [ebx+30h]
		mov	[ebp-0B8h], eax
		mov	eax, [ebx+34h]
		mov	[ebp-0B4h], eax
		mov	al, [ebx+2Ch]
		mov	[ebp-0A0h], al
		mov	eax, [ecx]
		mov	[ebp-4Ch], eax
		mov	eax, [ecx+4]
		mov	[ebp-48h], eax
		mov	eax, [ecx+8]
		mov	[ebp-44h], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp-40h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+1F0h]
		push	0
		lea	edx, [ebp-4Ch]
		call	_EtwpFindGuidEntryByGuid@12 ; EtwpFindGuidEntryByGuid(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5ADF5A
		cmp	dword ptr [esi+40h], 0
		jz	loc_5ADF53
		push	0
		mov	edx, 800h
		mov	ecx, [esi+2Ch]
		call	_EtwpAccessCheck@12 ; EtwpAccessCheck(x,x,x)
		mov	[ebp-64h], eax
		test	eax, eax
		js	loc_4474C8
		mov	byte ptr [ebp-5Dh], 0
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		lea	ecx, [esi+16Ch]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+170h], eax
		lea	eax, [ebp-5Dh]
		push	eax
		push	1
		push	0
		xor	dl, dl
		mov	ecx, esi
		call	EtwpUpdateEnableMask
		mov	dword ptr [esi+170h], 0
		xor	edx, edx
		lea	ecx, [esi+16Ch]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	0
		push	0
		push	0
		push	0
		push	0
		push	dword ptr [ebp-0C4h]
		push	dword ptr [ebp-9Ch]
		push	dword ptr [ebp-0B4h]
		push	dword ptr [ebp-0B8h]
		push	dword ptr [ebp-0A0h]
		push	0
		push	ebx
		push	dword ptr [ebp-0A4h]
		push	0
		push	0
		push	0
		mov	dl, [ebp-5Dh]
		mov	ecx, esi
		call	_EtwpWriteUserEvent@72 ; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp-64h], eax
		cmp	dword ptr [esi+168h], 0
		jnz	loc_5ADF64

loc_4474C8:				; CODE XREF: .text:00447422j
					; .text:005ADFFFj
		mov	ecx, esi
		call	EtwpUnreferenceGuidEntry
		jmp	loc_447115
; 

loc_4474D4:				; CODE XREF: .text:00447293j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_4474D9:				; CODE XREF: .text:00447350j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_4474DE:				; CODE XREF: .text:00447372j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_4474E3:				; CODE XREF: .text:0044717Dj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_4474E8:				; CODE XREF: .text:00446F5Cj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 289. EtwProviderEnabled

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public EtwProviderEnabled
EtwProviderEnabled proc	near		; CODE XREF: KeInsertQueueApc+23p
					; EtwTraceMemoryAcg+2Fp ...

arg_0		= dword	ptr  8
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005AE18F SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_447530
		mov	ecx, [esi+10h]
		push	ebx
		push	[ebp+arg_10]
		mov	bl, [ebp+arg_8]
		add	ecx, 40h
		push	[ebp+arg_C]
		mov	dl, bl
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	short loc_447522

loc_44751A:				; CODE XREF: EtwProviderEnabled+166CB2j
		mov	al, 1

loc_44751C:				; CODE XREF: EtwProviderEnabled+3Cj
		pop	ebx

loc_44751D:				; CODE XREF: EtwProviderEnabled+40j
		pop	esi
		pop	ebp
		retn	14h
; 

loc_447522:				; CODE XREF: EtwProviderEnabled+26j
		cmp	byte ptr [esi+35h], 0
		jnz	loc_5AE18F

loc_44752C:				; CODE XREF: EtwProviderEnabled+166CB8j
		xor	al, al
		jmp	short loc_44751C
; 

loc_447530:				; CODE XREF: EtwProviderEnabled+Bj
		xor	al, al
		jmp	short loc_44751D
EtwProviderEnabled endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLevelKeywordEnabled(x, x, x, x)
_EtwpLevelKeywordEnabled@16 proc near	; CODE XREF: EtwProviderEnabled+1Fp
					; PpmPerfSnapDeliveredPerformance+3A9p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword ptr [ecx], 0
		push	ebx
		push	esi
		push	edi
		jz	short loc_447574
		mov	al, [ecx+4]
		cmp	dl, al
		ja	short loc_44759C

loc_447554:				; CODE XREF: EtwpLevelKeywordEnabled(x,x,x,x)+60j
		test	byte ptr [ecx+8], 40h
		mov	esi, [ebp+arg_4]
		mov	edi, [ebp+arg_0]
		jz	short loc_447566
		mov	eax, edi
		or	eax, esi
		jz	short loc_447593

loc_447566:				; CODE XREF: EtwpLevelKeywordEnabled(x,x,x,x)+1Ej
		mov	edx, [ecx+10h]
		mov	eax, [ecx+14h]
		and	edx, edi
		and	eax, esi
		or	edx, eax
		jnz	short loc_44757D

loc_447574:				; CODE XREF: EtwpLevelKeywordEnabled(x,x,x,x)+Bj
					; EtwpLevelKeywordEnabled(x,x,x,x)+4Dj	...
		pop	edi
		pop	esi
		xor	al, al
		pop	ebx
		pop	ebp
		retn	8
; 

loc_44757D:				; CODE XREF: EtwpLevelKeywordEnabled(x,x,x,x)+32j
		mov	edx, [ecx+18h]
		mov	eax, edx
		mov	ebx, [ecx+1Ch]
		and	eax, edi
		mov	ecx, ebx
		and	ecx, esi
		cmp	eax, edx
		jnz	short loc_447574
		cmp	ecx, ebx
		jnz	short loc_447574

loc_447593:				; CODE XREF: EtwpLevelKeywordEnabled(x,x,x,x)+24j
		pop	edi
		pop	esi
		mov	al, 1
		pop	ebx
		pop	ebp
		retn	8
; 

loc_44759C:				; CODE XREF: EtwpLevelKeywordEnabled(x,x,x,x)+12j
		test	al, al
		jnz	short loc_447574
		jmp	short loc_447554
_EtwpLevelKeywordEnabled@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DecodeProviderTraits proc near		; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1B2p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ecx
		test	eax, eax
		jz	short loc_4475C5
		test	dl, dl
		jnz	short loc_4475CB
		movzx	edx, word ptr [eax]
		xor	ecx, ecx

loc_4475B6:				; CODE XREF: DecodeProviderTraits+27j
					; DecodeProviderTraits+2Ej
		mov	eax, [ebp+arg_0]
		mov	[eax], dx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		pop	ebp
		retn	8
; 

loc_4475C5:				; CODE XREF: DecodeProviderTraits+9j
		xor	ecx, ecx
		mov	edx, ecx
		jmp	short loc_4475B6
; 

loc_4475CB:				; CODE XREF: DecodeProviderTraits+Dj
		lea	ecx, [eax+6]
		xor	edx, edx
		jmp	short loc_4475B6
DecodeProviderTraits endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpTraceMessageVa proc	near		; CODE XREF: .text:0044722Ap
					; _WmiTraceMessage+1Ap	...

var_A4		= dword	ptr -0A4h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 005AE1AF SIZE 000000EE BYTES
; FUNCTION CHUNK AT 005AE2CB SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0EE0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_44], edx
		mov	[ebp+var_4C], ecx
		mov	ebx, [ebp+arg_C]
		mov	cl, [ebp+arg_10]
		mov	[ebp+var_2D], cl
		mov	byte ptr [ebp+var_40], cl
		xor	eax, eax
		lea	edi, [ebp+var_A4]
		stosd
		stosd
		stosd
		mov	[ebp+var_64], 0
		mov	[ebp+var_36], 0
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_70], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], eax
		mov	[ebp+var_35], al
		xor	esi, esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_6C], esi
		test	cl, cl
		jz	loc_4479F3
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edi, [eax+1F0h]

loc_447678:				; CODE XREF: EtwpTraceMessageVa+419j
		mov	[ebp+var_68], edi
		mov	[ebp+var_48], edi
		movzx	eax, [ebp+arg_0]
		mov	[ebp+var_98], eax
		cmp	eax, [edi+8]
		jnb	loc_447A0E
		lea	ecx, [ebp+var_36]
		push	ecx
		push	[ebp+var_40]
		mov	edx, edi
		mov	ecx, eax
		call	_EtwpOpenLogger@16 ; EtwpOpenLogger(x,x,x,x)
		mov	[ebp+var_58], eax
		test	eax, eax
		jz	loc_447A0E
		mov	eax, [eax+0Ch]
		test	al, al
		js	loc_5AE1AF
		cmp	[ebp+var_2D], 0
		jz	loc_4479FE

loc_4476C1:				; CODE XREF: EtwpTraceMessageVa+423j
		mov	[ebp+var_4], esi
		mov	[ebp+var_5C], 0
		mov	edx, [ebp+var_4C]
		and	dl, 40h
		mov	[ebp+var_2D], dl
		mov	[ebp+var_35], dl
		jz	short loc_4476E4
		mov	esi, [ebp+arg_4]
		add	esi, ebx
		mov	[ebp+var_54], esi
		mov	[ebp+var_6C], esi

loc_4476E4:				; CODE XREF: EtwpTraceMessageVa+F7j
		xor	edi, edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_64], edi
		mov	eax, ebx
		mov	[ebp+var_5C], eax

loc_4476F1:				; CODE XREF: EtwpTraceMessageVa+13Dj
					; EtwpTraceMessageVa+149j
		lea	ecx, [eax+4]
		test	dl, dl
		jz	loc_4479EC
		cmp	ecx, esi
		ja	loc_5AE1C9
		add	eax, 4
		mov	ecx, eax

loc_447709:				; CODE XREF: EtwpTraceMessageVa+40Ej
		mov	[ebp+var_5C], eax
		cmp	dword ptr [ecx-4], 0
		jz	short loc_447730
		add	eax, 4
		mov	[ebp+var_5C], eax
		mov	ecx, [eax-4]
		test	ecx, ecx
		jz	short loc_4476F1
		add	edi, ecx
		mov	[ebp+var_50], edi
		mov	[ebp+var_64], edi
		cmp	edi, ecx
		jnb	short loc_4476F1
		jmp	loc_5AE2FC
; 

loc_447730:				; CODE XREF: EtwpTraceMessageVa+130j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_58]
		cmp	dword ptr [eax+0C0h], 0
		mov	eax, [ebp+var_4C]
		jnz	short loc_44774C
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_4C], eax

loc_44774C:				; CODE XREF: EtwpTraceMessageVa+164j
		mov	ecx, eax
		and	ecx, 1
		mov	[ebp+var_80], ecx
		jnz	loc_5AE1E0
		mov	[ebp+var_40], 0

loc_447761:				; CODE XREF: EtwpTraceMessageVa+166C07j
		mov	ecx, eax
		and	ecx, 2
		mov	[ebp+var_88], ecx
		jz	loc_5AE1EC
		mov	esi, 10h

loc_447777:				; CODE XREF: EtwpTraceMessageVa+166C0Ej
		mov	ecx, eax
		and	ecx, 4
		mov	[ebp+var_84], ecx
		jnz	loc_5AE1F3
		xor	edx, edx

loc_44778A:				; CODE XREF: EtwpTraceMessageVa+166C18j
		test	al, 18h
		jz	loc_5AE1FD
		mov	ecx, 8

loc_447797:				; CODE XREF: EtwpTraceMessageVa+166C1Fj
		and	eax, 20h
		mov	[ebp+var_74], eax
		jz	loc_5AE204
		mov	eax, 8

loc_4477A8:				; CODE XREF: EtwpTraceMessageVa+166C26j
		add	eax, 8
		add	eax, ecx
		add	eax, edx
		add	eax, esi
		add	eax, [ebp+var_40]
		add	eax, edi
		mov	[ebp+var_40], eax
		cmp	edi, eax
		ja	loc_5AE20B
		push	0
		lea	ecx, [ebp+var_7C]
		push	ecx
		lea	ecx, [ebp+var_A4]
		push	ecx
		mov	edx, eax
		mov	ecx, [ebp+var_58]
		call	EtwpReserveTraceBuffer
		mov	esi, eax
		xor	edx, edx
		mov	ecx, [ebp+var_58]
		mov	eax, [ecx+0C0h]
		test	eax, eax
		jnz	loc_5AE21B

loc_4477ED:				; CODE XREF: EtwpTraceMessageVa+166C45j
		mov	eax, [ebp+var_40]
		test	esi, esi
		jz	loc_5AE22A
		mov	dword ptr [esi], 90000000h
		mov	[esi], ax
		mov	ax, [ebp+arg_8]
		mov	[esi+4], ax
		mov	ecx, [ebp+var_4C]
		mov	eax, ecx
		and	eax, 3Fh
		or	eax, 40h
		mov	[esi+6], ax
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_44]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_44]
		mov	eax, [eax+4]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_44]
		mov	eax, [eax+8]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_44]
		mov	eax, [eax+0Ch]
		mov	[ebp+var_20], eax
		add	esi, 8
		mov	[ebp+var_3C], esi
		cmp	[ebp+var_80], 0
		jnz	loc_5AE254

loc_447852:				; CODE XREF: EtwpTraceMessageVa+166C7Cj
		cmp	[ebp+var_84], 0
		jnz	loc_5AE261
		cmp	[ebp+var_88], 0
		jz	short loc_447887
		mov	edx, [ebp+var_44]
		mov	eax, [edx]
		mov	[esi], eax
		mov	eax, [edx+4]
		mov	[esi+4], eax
		mov	eax, [edx+8]
		mov	[esi+8], eax
		mov	eax, [edx+0Ch]
		mov	[esi+0Ch], eax
		add	esi, 10h

loc_447884:				; CODE XREF: EtwpTraceMessageVa+166C8Bj
		mov	[ebp+var_3C], esi

loc_447887:				; CODE XREF: EtwpTraceMessageVa+286j
		test	cl, 8
		jz	short loc_44789D
		mov	eax, [ebp+var_78]
		mov	[esi+4], eax
		mov	eax, [ebp+var_7C]
		mov	[esi], eax
		add	esi, 8
		mov	[ebp+var_3C], esi

loc_44789D:				; CODE XREF: EtwpTraceMessageVa+2AAj
		cmp	[ebp+var_74], 0
		jz	loc_5AE270
		mov	ecx, large fs:124h
		mov	[ebp+var_74], ecx
		mov	eax, [ecx+2B0h]
		mov	esi, [ebp+var_3C]
		mov	[esi], eax
		add	esi, 4
		mov	[ebp+var_3C], esi
		mov	eax, [ecx+2ACh]
		mov	[esi], eax
		add	esi, 4
		mov	[ebp+var_3C], esi
		mov	edi, [ebp+var_64]
		mov	[ebp+var_50], edi
		mov	eax, [ebp+var_34]
		mov	[ebp+var_70], eax
		mov	cl, [ebp+var_35]
		mov	[ebp+var_2D], cl
		mov	edx, [ebp+var_6C]
		mov	[ebp+var_54], edx

loc_4478E8:				; CODE XREF: EtwpTraceMessageVa+166C96j
		mov	[ebp+var_60], 0
		mov	[ebp+var_8C], edi
		mov	[ebp+var_60], ebx
		jmp	short loc_447900
; 
		align 10h

loc_447900:				; CODE XREF: EtwpTraceMessageVa+318j
					; EtwpTraceMessageVa+390j
		add	ebx, 4
		mov	[ebp+var_60], ebx
		mov	eax, [ebx-4]
		test	eax, eax
		jz	short loc_447972
		test	cl, cl
		jz	short loc_447919
		cmp	ebx, edx
		jnb	loc_5AE27B

loc_447919:				; CODE XREF: EtwpTraceMessageVa+32Fj
		add	ebx, 4
		mov	[ebp+var_60], ebx
		mov	edi, [ebx-4]
		test	edi, edi
		jz	short loc_44796D
		cmp	edi, [ebp+var_50]
		ja	loc_5AE288
		test	cl, cl
		jz	short loc_44794C
		lea	ecx, [edi+eax]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	loc_5AE295
		cmp	ecx, eax
		jb	loc_5AE295

loc_44794C:				; CODE XREF: EtwpTraceMessageVa+351j
					; EtwpTraceMessageVa+166CB8j
		push	edi		; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_50]
		sub	eax, edi
		mov	[ebp+var_50], eax
		mov	[ebp+var_8C], eax
		add	esi, edi
		mov	[ebp+var_3C], esi
		mov	cl, [ebp+var_2D]

loc_44796D:				; CODE XREF: EtwpTraceMessageVa+344j
		mov	edx, [ebp+var_54]
		jmp	short loc_447900
; 

loc_447972:				; CODE XREF: EtwpTraceMessageVa+32Bj
		mov	esi, [ebp+var_70]

loc_447975:				; CODE XREF: EtwpTraceMessageVa+166CA3j
					; EtwpTraceMessageVa+166CB0j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	edi, [ebp+var_48]

loc_44797F:				; CODE XREF: sub_5AE2B0+16j
		test	esi, esi
		js	short loc_447993
		mov	eax, [ebp+var_58]
		test	dword ptr [eax+0Ch], 80000h
		jnz	loc_5AE2CB

loc_447993:				; CODE XREF: EtwpTraceMessageVa+3A1j
					; EtwpTraceMessageVa+166D04j ...
		lea	ecx, [ebp+var_A4]
		call	_EtwpReleaseTraceBuffer@4 ; EtwpReleaseTraceBuffer(x)

loc_44799E:				; CODE XREF: EtwpTraceMessageVa+166BD7j
					; EtwpTraceMessageVa+166BE4j ...
		cmp	[ebp+var_36], 0
		jz	short loc_4479CC
		mov	ecx, [edi+188h]
		mov	edx, 1
		mov	eax, [ebp+var_98]
		mov	ecx, [ecx+eax*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, [ebp+var_34]

loc_4479CC:				; CODE XREF: EtwpTraceMessageVa+3C2j
					; EtwpTraceMessageVa+433j
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_4479EC:				; CODE XREF: EtwpTraceMessageVa+116j
		mov	eax, ecx
		jmp	loc_447709
; 

loc_4479F3:				; CODE XREF: EtwpTraceMessageVa+87j
		mov	edi, ds:_EtwpHostSiloState
		jmp	loc_447678
; 

loc_4479FE:				; CODE XREF: EtwpTraceMessageVa+DBj
		test	eax, 1000000h
		jz	loc_4476C1
		jmp	loc_5AE1BC
; 

loc_447A0E:				; CODE XREF: EtwpTraceMessageVa+ABj
					; EtwpTraceMessageVa+C6j
		mov	esi, 0C0000008h
		jmp	short loc_4479CC
EtwpTraceMessageVa endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpOpenLogger(x, x, x, x)
_EtwpOpenLogger@16 proc	near		; CODE XREF: EtwpTraceMessageVa+BCp
					; EtwpLogSystemEventUnsafe+30p	...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 1
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	byte ptr [esi],	0
		jnz	short loc_447A68

loc_447A2E:				; CODE XREF: EtwpOpenLogger(x,x,x,x)+65j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [edi+188h]
		xor	edx, edx
		inc	edx
		mov	ecx, [ecx+ebx*4]
		call	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
		test	al, al
		jz	short loc_447A8E
		mov	byte ptr [esi],	1

loc_447A54:				; CODE XREF: EtwpOpenLogger(x,x,x,x)+59j
					; EtwpOpenLogger(x,x,x,x)+63j
		mov	eax, [edi+18Ch]
		mov	eax, [eax+ebx*4]
		test	al, 1
		jnz	short loc_447A7D

loc_447A61:				; CODE XREF: EtwpOpenLogger(x,x,x,x)+76j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_447A68:				; CODE XREF: EtwpOpenLogger(x,x,x,x)+16j
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_447A54
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_447A54
		jmp	short loc_447A2E
; 

loc_447A7D:				; CODE XREF: EtwpOpenLogger(x,x,x,x)+49j
		movzx	eax, byte ptr [esi]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_EtwpCloseLogger@12 ; EtwpCloseLogger(x,x,x)

loc_447A8A:				; CODE XREF: EtwpOpenLogger(x,x,x,x)+7Dj
		xor	eax, eax
		jmp	short loc_447A61
; 

loc_447A8E:				; CODE XREF: EtwpOpenLogger(x,x,x,x)+39j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	short loc_447A8A
_EtwpOpenLogger@16 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall EtwpReleaseTraceBuffer(x)
_EtwpReleaseTraceBuffer@4 proc near	; CODE XREF: EtwpTraceMessageVa+3B9p
					; EtwpLogSystemEventUnsafe+111p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ebx, [esi+4]
		mov	edi, [esi]
		mov	edx, [ebx]
		mov	eax, edx

loc_447AA6:				; CODE XREF: EtwpReleaseTraceBuffer(x)+34j
		xor	eax, edi
		cmp	eax, 7
		jnb	short loc_447ABE
		lea	ecx, [edx+1]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_447AC8

loc_447ABA:				; CODE XREF: EtwpReleaseTraceBuffer(x)+30j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_447ABE:				; CODE XREF: EtwpReleaseTraceBuffer(x)+15j
		mov	eax, [esi]
		add	eax, 0Ch
		lock dec dword ptr [eax]
		jmp	short loc_447ABA
; 

loc_447AC8:				; CODE XREF: EtwpReleaseTraceBuffer(x)+22j
		mov	edx, eax
		jmp	short loc_447AA6
_EtwpReleaseTraceBuffer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpIsEventNameFilterEnabled proc near	; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3ABp

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005AE341 SIZE 0000008E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+160h]
		push	esi
		test	eax, eax
		jnz	loc_5AE341

loc_447AE0:				; CODE XREF: EtwpIsEventNameFilterEnabled+16688Bj
					; EtwpIsEventNameFilterEnabled+16689Fj	...
		xor	al, al

loc_447AE2:				; CODE XREF: EtwpIsEventNameFilterEnabled+1668FEj
		pop	esi
		pop	ebp
		retn	10h
EtwpIsEventNameFilterEnabled endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RtlpReferenceAtom(x, x)
_RtlpReferenceAtom@8 proc near		; CODE XREF: RtlAddAtomToAtomTableEx+7Cp
		mov	edi, edi
		push	esi
		xor	esi, esi
		lea	eax, [ecx+8]
		inc	esi
		push	edi
		mov	edi, 0FFFFh
		cmp	edx, eax
		jnz	short loc_447B0C

loc_447AFB:				; CODE XREF: RtlpReferenceAtom(x,x)+29j
					; RtlpReferenceAtom(x,x)+39j ...
		movzx	eax, word ptr [edx+0Ch]
		cmp	ax, di
		jz	short loc_447B29
		inc	eax
		mov	[edx+0Ch], ax

loc_447B09:				; CODE XREF: RtlpReferenceAtom(x,x)+45j
		pop	edi
		pop	esi
		retn
; 

loc_447B0C:				; CODE XREF: RtlpReferenceAtom(x,x)+11j
		cmp	word ptr [edx+0Ch], 0
		jnz	short loc_447AFB
		movzx	eax, word ptr [ecx+14h]
		cmp	ax, di
		jz	short loc_447B23
		inc	eax
		mov	[ecx+14h], ax
		jmp	short loc_447AFB
; 

loc_447B23:				; CODE XREF: RtlpReferenceAtom(x,x)+32j
		or	[ecx+16h], si
		jmp	short loc_447AFB
; 

loc_447B29:				; CODE XREF: RtlpReferenceAtom(x,x)+1Aj
		or	[edx+0Eh], si
		jmp	short loc_447B09
_RtlpReferenceAtom@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1946. RtlAddAtomToAtomTableEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlAddAtomToAtomTableEx
RtlAddAtomToAtomTableEx	proc near	; CODE XREF: NtAddAtomEx+10Fp
					; RtlAddAtomToAtomTable(x,x,x)+10p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005AE3CF SIZE 0000004C BYTES

		push	24h
		push	offset dword_6A0F28
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], edi
		mov	ecx, [ebp+arg_0]
		call	_RtlpLockAtomTable@4 ; RtlpLockAtomTable(x)
		test	al, al
		jz	loc_5AE3CF
		mov	[ebp+ms_exc.disabled], edi
		lea	eax, [ebp+var_28]
		push	eax
		mov	ebx, [ebp+arg_4]
		push	ebx
		call	RtlGetIntegerAtom
		test	al, al
		jnz	loc_447C6F
		cmp	[ebx], di
		jz	loc_5AE3E8
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		push	edi
		mov	edx, ebx
		mov	ecx, [ebp+arg_0]
		call	RtlpHashStringToAtom
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	short loc_447BC8
		mov	ecx, [ebp+var_2C]
		test	ecx, ecx
		jz	short loc_447BEB
		mov	edx, [ebp+var_24]
		call	_RtlpReferenceAtom@8 ; RtlpReferenceAtom(x,x)
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jz	short loc_447BC3
		mov	ax, [ecx+6]
		mov	[edx], ax

loc_447BC3:				; CODE XREF: RtlAddAtomToAtomTableEx+86j
		mov	esi, edi

loc_447BC5:				; CODE XREF: RtlAddAtomToAtomTableEx+136j
					; RtlAddAtomToAtomTableEx+1668B9j ...
		mov	[ebp+var_1C], esi

loc_447BC8:				; CODE XREF: RtlAddAtomToAtomTableEx+70j
					; RtlAddAtomToAtomTableEx+DEj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+arg_0]
		call	_RtlpUnlockAtomTable@4 ; RtlpUnlockAtomTable(x)
		mov	eax, esi

loc_447BD9:				; CODE XREF: RtlAddAtomToAtomTableEx+1668A0j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_447BEB:				; CODE XREF: RtlAddAtomToAtomTableEx+77j
		cmp	[ebp+var_30], 0
		jz	loc_5AE411
		mov	esi, 0C0000017h
		mov	[ebp+var_1C], esi
		push	[ebp+arg_C]
		lea	edx, [ebp+var_24]
		mov	ecx, [ebp+var_20]
		call	RtlpAllocateAtomTableEntry
		mov	edi, eax
		mov	[ebp+var_2C], edi
		test	edi, edi
		jz	short loc_447BC8
		push	[ebp+var_20]	; size_t
		push	ebx		; void *
		lea	ecx, [edi+1Ah]
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_20]
		shr	eax, 1
		mov	[edi+18h], al
		movzx	eax, al
		xor	ecx, ecx
		mov	[edi+eax*2+1Ah], cx
		mov	edx, edi
		mov	ecx, [ebp+arg_0]
		call	RtlpInsertStringAtom
		test	al, al
		jz	loc_5AE3F2
		mov	eax, 0C000h
		or	ax, [edi+4]
		mov	[edi+6], ax
		mov	eax, [ebp+var_30]
		mov	[eax], edi
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_447C68
		mov	ax, [edi+6]
		mov	[ecx], ax

loc_447C68:				; CODE XREF: RtlAddAtomToAtomTableEx+12Bj
		xor	esi, esi
		jmp	loc_447BC5
; 

loc_447C6F:				; CODE XREF: RtlAddAtomToAtomTableEx+3Fj
		mov	ecx, 0C000h
		mov	eax, [ebp+var_28]
		cmp	ax, cx
		jnb	loc_5AE3D9
		mov	esi, edi

loc_447C82:				; CODE XREF: RtlAddAtomToAtomTableEx+1668AFj
		mov	[ebp+var_1C], esi
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	loc_447BC8
		mov	[ecx], ax
		jmp	loc_447BC8
RtlAddAtomToAtomTableEx	endp


;  S U B	R O U T	I N E 


; __stdcall MiDereferenceControlAreaFile(x, x)
_MiDereferenceControlAreaFile@8	proc near ; CODE XREF: MiUnmapViewOfSection+21Bp
					; MiUnmapVad+55p ...
		mov	edi, edi
		push	esi
		push	edi
		lea	edi, [ecx+20h]
		mov	esi, edx
		mov	ecx, [edi]
		mov	eax, ecx

loc_447CA5:				; CODE XREF: MiDereferenceControlAreaFile(x,x)+33j
		xor	eax, esi
		cmp	eax, 7
		jnb	short loc_447CBC
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jnz	short loc_447CC9

loc_447CB9:				; CODE XREF: MiDereferenceControlAreaFile(x,x)+2Fj
		pop	edi
		pop	esi
		retn
; 

loc_447CBC:				; CODE XREF: MiDereferenceControlAreaFile(x,x)+12j
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	short loc_447CB9
; 

loc_447CC9:				; CODE XREF: MiDereferenceControlAreaFile(x,x)+1Fj
		mov	ecx, eax
		jmp	short loc_447CA5
_MiDereferenceControlAreaFile@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MmGetSessionId(x)
_MmGetSessionId@4 proc near		; CODE XREF: PspBindProcessSessionToJob+11p
					; PAGE:0075B4DEp ...
		mov	eax, [ecx+180h]
		test	eax, eax
		jz	short loc_447CF3
		test	dword ptr [ecx+3A8h], 1000h
		jnz	short loc_447CF3
		mov	eax, [eax+8]

loc_447CE9:				; CODE XREF: MmGetSessionId(x)+26j
		lea	ecx, [eax+1]
		neg	ecx
		sbb	ecx, ecx
		and	eax, ecx
		retn
; 

loc_447CF3:				; CODE XREF: MmGetSessionId(x)+8j
					; MmGetSessionId(x)+14j
		or	eax, 0FFFFFFFFh
		jmp	short loc_447CE9
_MmGetSessionId@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpLookupLowBox(x,	x, x)
_RtlpLookupLowBox@12 proc near		; CODE XREF: RtlQueryAtomInAtomTable+7Fp
					; RtlPinAtomInAtomTable+5Ap ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr [ecx+10h], 1
		push	esi
		push	edi
		mov	edi, edx
		jz	short loc_447D18
		xor	ecx, ecx

loc_447D09:				; CODE XREF: RtlpLookupLowBox(x,x,x)+27j
		lea	esi, [edi+8]
		test	ecx, ecx
		jnz	short loc_447D21

loc_447D10:				; CODE XREF: RtlpLookupLowBox(x,x,x)+4Bj
		mov	eax, esi

loc_447D12:				; CODE XREF: RtlpLookupLowBox(x,x,x)+32j
					; RtlpLookupLowBox(x,x,x)+45j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_447D18:				; CODE XREF: RtlpLookupLowBox(x,x,x)+Dj
		call	RtlpQueryLowBoxId
		mov	ecx, eax
		jmp	short loc_447D09
; 

loc_447D21:				; CODE XREF: RtlpLookupLowBox(x,x,x)+16j
		mov	eax, [esi]

loc_447D23:				; CODE XREF: RtlpLookupLowBox(x,x,x)+36j
		cmp	eax, esi
		jz	short loc_447D30
		cmp	[eax+8], ecx
		jz	short loc_447D12
		mov	eax, [eax]
		jmp	short loc_447D23
; 

loc_447D30:				; CODE XREF: RtlpLookupLowBox(x,x,x)+2Dj
		mov	ecx, edi
		call	_RtlpAllowsLowBoxAccess@4 ; RtlpAllowsLowBoxAccess(x)
		test	al, al
		jnz	short loc_447D3F

loc_447D3B:				; CODE XREF: RtlpLookupLowBox(x,x,x)+4Dj
		xor	eax, eax
		jmp	short loc_447D12
; 

loc_447D3F:				; CODE XREF: RtlpLookupLowBox(x,x,x)+41j
		cmp	[ebp+arg_0], 0
		jz	short loc_447D10
		jmp	short loc_447D3B
_RtlpLookupLowBox@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall EtwGetKernelTraceTimestamp(x, x)
@EtwGetKernelTraceTimestamp@8 proc near	; CODE XREF: KiChainedDispatch()+FEp
					; KiChainedDispatch()+124p ...
		push	0
		call	EtwGetKernelTraceTimestampSilo
		retn
@EtwGetKernelTraceTimestamp@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwGetKernelTraceTimestampSilo proc near ; CODE	XREF: EtwGetKernelTraceTimestamp(x,x)+2p
					; PfHardFaultRecord+54p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AE434 SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		mov	ecx, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], 0
		test	ecx, ecx
		jnz	loc_5AE434
		mov	ecx, offset _PspHostSiloGlobals

loc_447D7B:				; CODE XREF: EtwGetKernelTraceTimestampSilo+1666EAj
		mov	ecx, [ecx+1F0h]
		push	edi
		test	ecx, ecx
		jz	loc_447E22
		mov	edx, [ecx+924h]
		bsf	edi, edx
		jz	short loc_447DD4

loc_447D95:				; CODE XREF: EtwGetKernelTraceTimestampSilo+7Fj
		lea	eax, [edx-1]
		and	edx, eax
		mov	eax, edi
		shl	eax, 5
		add	eax, 948h
		add	eax, ecx
		mov	[ebp+arg_0], eax
		jz	short loc_447DCC
		mov	eax, [ebp+var_4]
		mov	esi, [ebp+arg_0]
		shr	eax, 1Dh
		mov	eax, [esi+eax*4]
		and	eax, [ebp+var_4]
		test	eax, 1FFFFFFFh
		jz	short loc_447DCC
		movzx	eax, byte ptr [ecx+edi*2+915h]
		bts	ebx, eax

loc_447DCC:				; CODE XREF: EtwGetKernelTraceTimestampSilo+59j
					; EtwGetKernelTraceTimestampSilo+6Fj
		bsf	edi, edx
		jnz	short loc_447D95
		mov	esi, [ebp+var_8]

loc_447DD4:				; CODE XREF: EtwGetKernelTraceTimestampSilo+43j
					; EtwGetKernelTraceTimestampSilo+D7j
		pop	edi
		test	bl, 2
		jnz	loc_5AE43F
		xor	eax, eax
		xor	edx, edx

loc_447DE2:				; CODE XREF: EtwGetKernelTraceTimestampSilo+1666F7j
		mov	[esi], eax
		mov	[esi+4], edx
		test	bl, 4
		jnz	short loc_447E39
		xor	eax, eax
		xor	edx, edx

loc_447DF0:				; CODE XREF: EtwGetKernelTraceTimestampSilo+EEj
		mov	[esi+8], eax
		mov	[esi+0Ch], edx
		test	bl, 8
		jz	short loc_447E29
		rdtsc
		mov	[esi+10h], eax
		mov	[esi+14h], edx

loc_447E03:				; CODE XREF: EtwGetKernelTraceTimestampSilo+E7j
		test	bl, 10h
		jnz	loc_5AE44C
		mov	dword ptr [esi+18h], 0
		mov	dword ptr [esi+1Ch], 0

loc_447E1A:				; CODE XREF: EtwGetKernelTraceTimestampSilo+166720j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_447E22:				; CODE XREF: EtwGetKernelTraceTimestampSilo+34j
		mov	ebx, 1Eh
		jmp	short loc_447DD4
; 

loc_447E29:				; CODE XREF: EtwGetKernelTraceTimestampSilo+A9j
		mov	dword ptr [esi+10h], 0
		mov	dword ptr [esi+14h], 0
		jmp	short loc_447E03
; 

loc_447E39:				; CODE XREF: EtwGetKernelTraceTimestampSilo+9Aj
		call	RtlGetSystemTimePrecise
		jmp	short loc_447DF0
EtwGetKernelTraceTimestampSilo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfHardFaultRecord proc near		; CODE XREF: MiIssueHardFault(x,x)+1C6p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005AE475 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_8]
		push	edi
		xor	edi, edi
		mov	[esi+20h], eax
		mov	eax, [ebp+arg_10]
		mov	[esi+24h], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+28h], eax
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+0Ch]
		mov	[esi+2Ch], eax
		mov	eax, [ecx+2B0h]
		mov	[esi+34h], edx
		mov	edx, 2000h
		mov	[esi+30h], eax
		test	ds:_PerfGlobalGroupMask, edx
		jz	loc_5AE475
		mov	eax, [ecx+150h]
		mov	ecx, esi
		push	dword ptr [eax+3A0h]
		call	EtwGetKernelTraceTimestampSilo

loc_447E99:				; CODE XREF: PfHardFaultRecord+166640j
		add	esi, 38h
		test	byte_6FB62C, 1
		jnz	short loc_447EB0
		mov	[esi], edi
		mov	[esi+4], edi

loc_447EAA:				; CODE XREF: PfHardFaultRecord+76j
		pop	edi
		pop	esi
		pop	ebp
		retn	14h
; 

loc_447EB0:				; CODE XREF: PfHardFaultRecord+63j
		push	esi
		call	KeQueryTickCount
		jmp	short loc_447EAA
PfHardFaultRecord endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfHardFaultLog	proc near		; CODE XREF: .text:0044926Ep

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AE485 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	ebx, [eax+150h]
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		mov	eax, [esi]
		or	eax, [esi+4]
		mov	[ebp+var_4], ecx
		jnz	loc_5AE485
		mov	eax, [esi+8]
		or	eax, [esi+0Ch]
		jnz	loc_5AE485

loc_447EF2:				; CODE XREF: PfHardFaultLog+166603j
		mov	eax, [esi+38h]
		or	eax, [esi+3Ch]
		jnz	short loc_447EFF

loc_447EFA:				; CODE XREF: PfHardFaultLog+4Aj
					; PfHardFaultLog+C6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_447EFF:				; CODE XREF: PfHardFaultLog+40j
		cmp	edi, 2
		jz	short loc_447EFA
		lea	eax, [ebp+var_8]
		push	eax
		call	KeQueryTickCount
		mov	edx, [ebp+var_8]
		mov	ecx, edx
		sub	ecx, [esi+38h]
		mov	eax, [ebp+var_4]
		sbb	eax, [esi+3Ch]
		mov	[esi+3Ch], eax
		mov	eax, ecx
		add	eax, eax
		mov	[esi+38h], ecx
		mov	ecx, [esi+20h]
		mov	[ebp+var_20], eax
		mov	eax, dword_6FB628
		mov	[ebp+var_1C], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_10], eax
		mov	eax, [esi+24h]
		shrd	ecx, eax, 9
		mov	eax, [ebx+104h]
		xor	eax, [ebx+0E4h]
		mov	[ebp+var_18], ecx
		mov	ecx, [ebx+100h]
		xor	eax, ecx
		shr	ecx, 3
		and	eax, 1FFFFFFFh
		and	ecx, 1C000000h
		xor	eax, ecx
		mov	[ebp+var_C], eax
		mov	eax, [esi+28h]
		push	18h		; size_t
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_20]
		push	eax		; void *
		push	1Dh
		pop	ecx
		call	PfLogEvent
		jmp	loc_447EFA
PfHardFaultLog	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputeImagePteIndex proc near	; CODE XREF: MiReferenceInPageFile+84p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00447FFB SIZE 00000012 BYTES
; FUNCTION CHUNK AT 005AE4C0 SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+8]
		push	ebx
		push	esi
		mov	esi, [ecx+4]
		push	edi
		mov	edi, [ecx+0Ch]
		or	esi, 80000000h
		mov	ecx, dword_6D0700
		mov	[ebp+var_4], eax
		mov	eax, ecx
		mov	[ebp+var_8], edx
		mov	edx, dword_6D0704
		or	eax, edx
		push	0
		pop	ebx
		jz	short loc_447FCB
		mov	eax, [ebp+var_4]
		and	eax, 10h
		or	eax, ebx
		jnz	short loc_447FCB
		not	ecx
		not	edx
		and	[ebp+var_4], ecx
		and	edi, edx

loc_447FCB:				; CODE XREF: MiComputeImagePteIndex+32j
					; MiComputeImagePteIndex+3Cj
		test	byte ptr [edi+12h], 2
		mov	edx, [edi]
		mov	[ebp+var_4], edx
		jnz	loc_5AE4C0

loc_447FDA:				; CODE XREF: MiComputeImagePteIndex+166543j
		test	byte ptr [edx+1Ch], 20h
		jz	short loc_447FEB
		mov	ecx, [edi+0Ch]
		test	ecx, ecx
		jnz	loc_5AE4E3

loc_447FEB:				; CODE XREF: MiComputeImagePteIndex+5Aj
					; MiComputeImagePteIndex+79j
		mov	eax, [edx+54h]

loc_447FEE:				; CODE XREF: MiComputeImagePteIndex+87j
		sub	esi, eax
		sar	esi, 3
		pop	edi
		lea	eax, [ebx+esi]
		pop	esi
		pop	ebx
		leave
		retn
MiComputeImagePteIndex endp

; 
; START	OF FUNCTION CHUNK FOR MiComputeImagePteIndex

loc_447FFB:				; CODE XREF: MiComputeImagePteIndex+16655Aj
					; MiComputeImagePteIndex+166577j ...
		test	ecx, ecx
		jz	short loc_447FEB
		mov	ebx, [edi+4]
		sub	ebx, [edx+54h]
		mov	eax, [ecx+24h]
		sar	ebx, 3
		jmp	short loc_447FEE
; END OF FUNCTION CHUNK	FOR MiComputeImagePteIndex
; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIssueHardFault(x,	x)
_MiIssueHardFault@8 proc near		; CODE XREF: MiInPagePageTable+39Cp
					; MmAccessFault+417p

var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_30], 0
		mov	eax, ecx
		mov	[ebp+var_2C], 0
		push	esi
		push	edi
		mov	ecx, [ebx+80h]
		xor	esi, esi
		mov	edi, [ebx+58h]
		mov	[ebp+var_28], ecx
		mov	ecx, [eax]
		mov	[ebp+var_14], eax
		mov	[ebp+var_20], edi
		mov	[ebx+88h], ecx
		call	_MiGetSessionIdForVa@4 ; MiGetSessionIdForVa(x)
		mov	edx, eax
		mov	ecx, ebx
		call	MiReferenceInPageFile
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_14]
		add	eax, 14h
		mov	[ebp+var_1C], eax
		mov	ecx, [eax]
		mov	[ebp+var_C], ecx
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_18], ecx
		mov	ecx, eax
		call	MiUnlockFaultPageTable
		mov	eax, [ebp+var_1C]
		mov	dl, 1
		mov	cl, [eax+8]
		mov	[ebp+var_D], cl
		mov	ecx, [ebp+var_C]
		test	[eax+9], dl
		jz	short loc_448099
		call	MiUnlockWorkingSetExclusive
		jmp	short loc_44809E
; 

loc_448099:				; CODE XREF: MiIssueHardFault(x,x)+80j
		call	MiUnlockWorkingSetShared

loc_44809E:				; CODE XREF: MiIssueHardFault(x,x)+87j
		mov	ecx, [ebp+var_14]
		mov	eax, [ecx+8]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_4480BF
		mov	esi, [ebp+var_28]
		mov	[ebx+7Ch], eax
		mov	esi, [esi+1Ch]
		shr	esi, 5
		and	esi, 1
		jmp	short loc_4480C8
; 

loc_4480BF:				; CODE XREF: MiIssueHardFault(x,x)+9Cj
		mov	eax, [ebx+7Ch]
		mov	eax, [eax+1Ch]
		mov	[ebx+7Ch], eax

loc_4480C8:				; CODE XREF: MiIssueHardFault(x,x)+ADj
		mov	eax, [ecx+8]
		test	al, 1
		jz	short loc_4480D7
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		jz	short loc_4480DD

loc_4480D7:				; CODE XREF: MiIssueHardFault(x,x)+BDj
		inc	byte ptr [edi+30Ah]

loc_4480DD:				; CODE XREF: MiIssueHardFault(x,x)+C5j
		mov	eax, [ecx+14h]
		test	byte ptr [eax+60h], 7
		jnz	short loc_4480EF
		dec	word ptr [edi+13Ch]
		jmp	short loc_4480F6
; 

loc_4480EF:				; CODE XREF: MiIssueHardFault(x,x)+D4j
		dec	word ptr [edi+13Eh]

loc_4480F6:				; CODE XREF: MiIssueHardFault(x,x)+DDj
		nop
		mov	cl, [ebp+var_D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebx+0BCh]
		mov	edx, ecx
		and	edx, 0FFFh
		mov	[ebp+var_8], ecx
		test	dword ptr [ebx+78h], 20000h
		mov	eax, ecx
		jz	short loc_448159
		xor	eax, eax
		test	edx, edx
		setnz	al
		shr	ecx, 0Ch
		add	eax, ecx
		mov	ecx, [ebx+eax*4+0C0h]
		mov	eax, ds:_MmPfnDatabase
		lea	edx, ds:0[ecx*8]
		sub	edx, ecx
		movzx	eax, byte ptr [eax+edx*4+16h]
		mov	edx, 3
		shr	eax, 6
		push	eax
		call	MiZeroPhysicalPage
		mov	eax, [ebx+0BCh]
		mov	[ebp+var_8], eax

loc_448159:				; CODE XREF: MiIssueHardFault(x,x)+10Aj
		mov	[ebx+70h], eax
		cmp	dword ptr [ebx+14h], 0
		mov	[ebp+var_24], 0
		jnz	loc_448230
		mov	ecx, [ebx+78h]
		mov	eax, ecx
		and	eax, 200008h
		cmp	eax, 200008h
		jnz	short loc_44818A
		test	ecx, 100h
		jz	loc_448235

loc_44818A:				; CODE XREF: MiIssueHardFault(x,x)+16Cj
		test	ds:_PerfGlobalGroupMask, 2000h
		jnz	short loc_44819F
		test	byte_6FB62C, 1
		jz	short loc_4481DE

loc_44819F:				; CODE XREF: MiIssueHardFault(x,x)+184j
		test	ecx, 100h
		jnz	short loc_4481DE
		test	cl, 8
		jnz	short loc_4481DE
		mov	eax, 40h
		call	__alloca_probe_16
		mov	eax, [ebx+3Ch]
		mov	edi, esp
		mov	ecx, [ebx+38h]
		mov	edx, [ebp+var_8]
		push	eax
		mov	eax, [ebx+7Ch]
		push	ecx
		push	[ebp+var_20]
		mov	ecx, edi
		mov	[ebp+var_24], edi
		push	eax
		mov	eax, [ebx+88h]
		push	eax
		call	PfHardFaultRecord
		mov	edi, [ebp+var_20]

loc_4481DE:				; CODE XREF: MiIssueHardFault(x,x)+18Dj
					; MiIssueHardFault(x,x)+195j ...
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax]
		mov	al, [ecx+63h]
		and	al, 60h
		cmp	al, 60h
		jnz	short loc_448218
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_4481FC
		mov	ecx, offset unk_6D3C54
		jmp	short loc_448202
; 

loc_4481FC:				; CODE XREF: MiIssueHardFault(x,x)+1E3j
		add	ecx, 94h

loc_448202:				; CODE XREF: MiIssueHardFault(x,x)+1EAj
		cmp	dword ptr [ecx], 0
		jnz	short loc_448218
		mov	ecx, ds:_PsInitialSystemProcess
		lea	eax, [ebx+40h]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess

loc_448218:				; CODE XREF: MiIssueHardFault(x,x)+1DAj
					; MiIssueHardFault(x,x)+1F5j
		mov	eax, [ebp+var_14]
		or	esi, 2
		mov	edx, esi
		mov	ecx, ebx
		and	edx, 1
		mov	eax, [eax+8]
		push	eax
		call	MiIssueHardFaultIo
		jmp	short loc_448235
; 

loc_448230:				; CODE XREF: MiIssueHardFault(x,x)+157j
		mov	esi, 2

loc_448235:				; CODE XREF: MiIssueHardFault(x,x)+174j
					; MiIssueHardFault(x,x)+21Ej
		mov	ecx, [ebp+var_14]
		mov	ecx, [ecx+8]
		test	cl, 1
		jz	loc_44830E
		and	ecx, 0FFFFFFFEh
		cmp	byte ptr [ecx],	1
		jnz	loc_44830E
		mov	eax, [ebp+var_1C]
		mov	eax, [eax]
		mov	dl, [eax+60h]
		mov	al, dl
		and	al, 7
		cmp	al, 2
		jb	short loc_448273
		movzx	eax, dl
		lea	eax, ds:0FFFFFFFEh[eax*2]
		xor	eax, [ebx+78h]
		and	eax, 6
		xor	[ebx+78h], eax

loc_448273:				; CODE XREF: MiIssueHardFault(x,x)+24Ej
		cmp	esi, 2
		jb	short loc_44828E
		mov	eax, [ecx+18h]
		add	ecx, 14h
		cmp	[eax], ecx
		jnz	short loc_448298
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	[ecx+4], ebx
		jmp	short loc_4482AF
; 

loc_44828E:				; CODE XREF: MiIssueHardFault(x,x)+266j
		mov	edx, [ecx+20h]
		lea	eax, [ecx+1Ch]
		cmp	[edx], eax
		jz	short loc_44829F

loc_448298:				; CODE XREF: MiIssueHardFault(x,x)+270j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_44829F:				; CODE XREF: MiIssueHardFault(x,x)+286j
		mov	[ebx], eax
		mov	[ebx+4], edx
		mov	[edx], ebx
		mov	[eax+4], ebx
		mov	eax, [ebx+70h]
		add	[ecx+24h], eax

loc_4482AF:				; CODE XREF: MiIssueHardFault(x,x)+27Cj
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ebx, [ebp+var_1C]
		mov	ecx, edi
		mov	eax, [ebx]
		test	byte ptr [eax+60h], 7
		jnz	short loc_4482E9
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	edx, [ebp+var_18]
		mov	ecx, ebx
		call	MiRelockFaultState
		xor	eax, eax
		lea	esp, [ebp-48h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4482E9:				; CODE XREF: MiIssueHardFault(x,x)+2B2j
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edx, [ebp+var_18]
		mov	ecx, ebx
		call	MiRelockFaultState
		xor	eax, eax
		lea	esp, [ebp-48h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_44830E:				; CODE XREF: MiIssueHardFault(x,x)+22Ej
					; MiIssueHardFault(x,x)+23Aj
		mov	edi, [ebx+94h]
		mov	esi, [ebx+8Ch]
		mov	[ebp+var_8], edi
		test	dword ptr [edi+18h], 800000h
		jnz	short loc_44833A
		mov	eax, [edi+4]
		test	eax, eax
		js	short loc_44833A
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, edi
		mov	edi, eax
		mov	[ebp+var_8], eax

loc_44833A:				; CODE XREF: MiIssueHardFault(x,x)+314j
					; MiIssueHardFault(x,x)+31Bj
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_24]
		push	eax
		mov	edx, ebx
		call	_MiWaitForInPageComplete@12 ; MiWaitForInPageComplete(x,x,x)
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_30]
		push	eax
		push	ebx
		mov	ebx, [ebp+var_14]
		mov	ecx, ebx
		call	_MiFinishHardFault@16 ;	MiFinishHardFault(x,x,x,x)
		mov	ecx, [ebp+var_24]
		mov	[ebp+var_38], ecx
		mov	ecx, [ebp+var_20]
		mov	[ebp+var_34], eax
		dec	byte ptr [ecx+30Ah]
		test	eax, eax
		jnz	loc_448584
		test	edi, edi
		jnz	short loc_44839D
		mov	edx, [ebp+var_30]
		nop
		mov	eax, [ebp+var_2C]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	edi, [eax+ecx*4]
		mov	[ebp+var_8], edi

loc_44839D:				; CODE XREF: MiIssueHardFault(x,x)+366j
		mov	edx, [ebx+4]
		mov	ecx, edi
		and	edx, 2
		mov	[ebp+var_28], edx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4483E6
		push	[ebp+var_2C]
		mov	esi, [ebx]
		mov	ecx, ebx
		push	[ebp+var_30]
		shr	esi, 9
		push	[ebp+var_C]
		and	esi, offset loc_7FFFF8
		push	0
		sub	esi, 40000000h
		call	_MiCompleteProtoPteFault@24 ; MiCompleteProtoPteFault(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_448582
		mov	edi, [ebp+var_1C]
		jmp	loc_44854E
; 

loc_4483E6:				; CODE XREF: MiIssueHardFault(x,x)+39Fj
		mov	eax, [ebp+var_C]
		mov	ecx, eax
		and	ecx, 1
		mov	[ebp+var_18], ecx
		jz	short loc_448413
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	4
		jnz	short loc_448413
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		and	ecx, 0FFFFFC9Fh
		or	ecx, 80h
		mov	[esi], ecx
		nop
		mov	[esi+4], eax

loc_448413:				; CODE XREF: MiIssueHardFault(x,x)+3E1j
					; MiIssueHardFault(x,x)+3E9j
		mov	ecx, esi
		call	_MiMakeTransitionPteValid@4 ; MiMakeTransitionPteValid(x)
		cmp	[ebp+var_28], 0
		mov	ebx, eax
		mov	edi, edx
		jz	short loc_448465
		mov	eax, [ebp+var_14]
		push	edi
		push	ebx
		mov	ecx, [eax]
		call	_MiOkToSetPteDirtyForNotValidFault@12 ;	MiOkToSetPteDirtyForNotValidFault(x,x,x)
		test	eax, eax
		jz	short loc_448465
		mov	eax, ebx
		and	eax, 800h
		or	eax, 0
		mov	eax, [ebp+var_8]
		jz	short loc_448468
		or	ebx, 42h
		test	byte ptr [eax+16h], 10h
		jnz	short loc_448468
		lea	ecx, [eax+8]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jz	short loc_448465
		mov	ecx, [ebp+var_8]
		mov	edx, 1
		call	MiLockPageAndSetDirty

loc_448465:				; CODE XREF: MiIssueHardFault(x,x)+412j
					; MiIssueHardFault(x,x)+422j ...
		mov	eax, [ebp+var_8]

loc_448468:				; CODE XREF: MiIssueHardFault(x,x)+431j
					; MiIssueHardFault(x,x)+43Aj
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_18]
		and	ecx, 0FFFFFFFEh
		test	edx, edx
		jz	loc_448502
		cmp	byte ptr [ecx],	4
		jnz	short loc_4484F6
		mov	ecx, esi
		xor	edx, edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_4484CC
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_4484A4
		cmp	byte ptr word_6D07B8+1,	0
		mov	edx, 1
		jnz	short loc_4484CC
		jmp	short loc_4484BC
; 

loc_4484A4:				; CODE XREF: MiIssueHardFault(x,x)+482j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_4484CC

loc_4484BC:				; CODE XREF: MiIssueHardFault(x,x)+492j
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	short loc_4484CC
		or	edi, 80000000h

loc_4484CC:				; CODE XREF: MiIssueHardFault(x,x)+479j
					; MiIssueHardFault(x,x)+490j ...
		mov	[esi+4], edi
		nop
		mov	[esi], ebx
		test	edx, edx
		jz	short loc_4484DD
		push	edi
		push	ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_4484DD:				; CODE XREF: MiIssueHardFault(x,x)+4C4j
		mov	eax, 114h
		lea	esp, [ebp-48h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4484F6:				; CODE XREF: MiIssueHardFault(x,x)+46Cj
		test	edx, edx
		jz	short loc_448502
		cmp	byte ptr [ecx],	5
		mov	[ebp+var_C], ecx
		jz	short loc_448509

loc_448502:				; CODE XREF: MiIssueHardFault(x,x)+463j
					; MiIssueHardFault(x,x)+4E8j
		mov	[ebp+var_C], 0

loc_448509:				; CODE XREF: MiIssueHardFault(x,x)+4F0j
		mov	[ebp+var_18], 0
		test	edx, edx
		jz	short loc_44851E
		cmp	byte ptr [ecx],	3
		mov	ecx, 1
		jz	short loc_448521

loc_44851E:				; CODE XREF: MiIssueHardFault(x,x)+502j
		mov	ecx, [ebp+var_18]

loc_448521:				; CODE XREF: MiIssueHardFault(x,x)+50Cj
		push	edi
		mov	edi, [ebp+var_1C]
		mov	edx, esi
		push	ebx
		push	[ebp+var_C]
		push	ecx
		mov	ecx, [edi]
		push	0
		push	eax
		call	_MiAllocateWsle@32 ; MiAllocateWsle(x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_44854B
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		mov	ebx, 0C0000017h
		jmp	short loc_448582
; 

loc_44854B:				; CODE XREF: MiIssueHardFault(x,x)+528j
		mov	ebx, [ebp+var_34]

loc_44854E:				; CODE XREF: MiIssueHardFault(x,x)+3D1j
		cmp	dword_6D3154, 0
		jz	short loc_448579
		cmp	[ebp+var_38], 2
		jz	short loc_448579
		mov	ecx, [ebp+var_20]
		call	_MiGetEffectivePagePriorityThread@4 ; MiGetEffectivePagePriorityThread(x)
		cmp	eax, dword_6D3158
		jb	short loc_448579
		mov	ecx, [edi]
		or	esi, 1
		mov	edx, esi
		call	_MiLogPageAccess@8 ; MiLogPageAccess(x,x)

loc_448579:				; CODE XREF: MiIssueHardFault(x,x)+545j
					; MiIssueHardFault(x,x)+54Bj ...
		test	ebx, ebx
		jnz	short loc_448582
		mov	ebx, 114h

loc_448582:				; CODE XREF: MiIssueHardFault(x,x)+3C8j
					; MiIssueHardFault(x,x)+539j ...
		mov	eax, ebx

loc_448584:				; CODE XREF: MiIssueHardFault(x,x)+35Ej
		lea	esp, [ebp-48h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_MiIssueHardFault@8 endp


;  S U B	R O U T	I N E 


; __stdcall MmGetMinWsPagePriority()
_MmGetMinWsPagePriority@0 proc near	; CODE XREF: PAGE:0075B348p
					; PspWritePebAffinityInfo:loc_75B9D9p ...
		xor	eax, eax
		inc	eax
		retn
_MmGetMinWsPagePriority@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

UNLOCK_ADDRESS_SPACE_UNORDERED proc near ; CODE	XREF: MiMapViewOfImageSection+57Dp
					; MiReserveUserMemory+363p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AE508 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ecx
		lea	ecx, [edx+134h]
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_28], eax
		push	esi
		push	edi
		and	byte ptr [eax+304h], 0FEh
		mov	eax, edx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_44871D

loc_4485E3:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+189j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4486E5
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_448620
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4486F6

loc_448620:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+75j
		cmp	ecx, [ebp+var_20]
		jb	short loc_448632
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4486F6

loc_448632:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+87j
					; UNLOCK_ADDRESS_SPACE_UNORDERED+16Dj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_44870E
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_44872A

loc_448673:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+196j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5AE51B
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4486BF:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+17Aj
					; UNLOCK_ADDRESS_SPACE_UNORDERED+165F91j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	short loc_44873E

loc_4486D2:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+1D2j
					; UNLOCK_ADDRESS_SPACE_UNORDERED+165FB2j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4486E5
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	short loc_448737

loc_4486E5:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+52j
					; UNLOCK_ADDRESS_SPACE_UNORDERED+13Fj ...
		mov	ecx, [ebp+var_28]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4486F6:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+7Ej
					; UNLOCK_ADDRESS_SPACE_UNORDERED+90j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax
		jmp	loc_448632
; 

loc_44870E:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+BFj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_4486BF
		jmp	loc_5AE508
; 

loc_44871D:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+41j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_4485E3
; 

loc_44872A:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+D1j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_448673
; 

loc_448737:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+147j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_4486E5
; 

loc_44873E:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+134j
		test	edi, 8000h
		jnz	short loc_448779

loc_448746:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+1E6j
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5AE532

loc_448750:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+165FA0j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_448764
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_448764:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+1BBj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4486D2
		jmp	loc_5AE541
; 

loc_448779:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+1A8j
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_448746
UNLOCK_ADDRESS_SPACE_UNORDERED endp


;  S U B	R O U T	I N E 


; __stdcall MiIsProcessCfgEnabled()
_MiIsProcessCfgEnabled@0 proc near	; CODE XREF: MiIsProcessCfgExportSuppressionEnabled()p
					; MiMapViewOfImageSection:loc_77759Dp ...
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [eax+24Ch]
		xor	eax, eax
		cmp	[ecx+0BCh], eax
		setnz	al
		retn
_MiIsProcessCfgEnabled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckForConflictingVadExistence(x, x, x)
_MiCheckForConflictingVadExistence@12 proc near	; CODE XREF: MiIsVaRangeAvailable+26p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	_MiCheckForConflictingVad@12 ; MiCheckForConflictingVad(x,x,x)
		neg	eax
		sbb	eax, eax
		neg	eax
		pop	ebp
		retn	4
_MiCheckForConflictingVadExistence@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckForConflictingVad(x,	x, x)
_MiCheckForConflictingVad@12 proc near	; CODE XREF: MiLocateLowestConflictingVad+Cp
					; MiCheckForConflictingVadExistence(x,x,x)+8p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+350h]
		push	esi
		mov	esi, [ebp+arg_0]
		shr	edx, 0Ch
		shr	esi, 0Ch
		test	eax, eax
		jz	short loc_4487EB
		lea	esp, [esp+0]

loc_4487E0:				; CODE XREF: MiCheckForConflictingVad(x,x,x)+29j
		cmp	esi, [eax+0Ch]
		jnb	short loc_4487F2
		mov	eax, [eax]

loc_4487E7:				; CODE XREF: MiCheckForConflictingVad(x,x,x)+3Aj
		test	eax, eax
		jnz	short loc_4487E0

loc_4487EB:				; CODE XREF: MiCheckForConflictingVad(x,x,x)+17j
					; MiCheckForConflictingVad(x,x,x)+3Ej
		xor	eax, eax

loc_4487ED:				; CODE XREF: MiCheckForConflictingVad(x,x,x)+40j
		pop	esi
		pop	ebp
		retn	4
; 

loc_4487F2:				; CODE XREF: MiCheckForConflictingVad(x,x,x)+23j
		cmp	edx, [eax+10h]
		jbe	short loc_4487FC
		mov	eax, [eax+4]
		jmp	short loc_4487E7
; 

loc_4487FC:				; CODE XREF: MiCheckForConflictingVad(x,x,x)+35j
		test	eax, eax
		jz	short loc_4487EB
		jmp	short loc_4487ED
_MiCheckForConflictingVad@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceImageUnload(x, x, x, x, x,	x, x, x, x, x)
_EtwpTraceImageUnload@40 proc near	; CODE XREF: EtwpTraceImageUnloadApc+9Cp
					; EtwpCancelTraceImageUnloadApc(x)+9Ap	...

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= byte ptr -54h
var_53		= byte ptr -53h
var_52		= word ptr -52h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_3C], 0
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	ecx, [ebp+arg_18]
		mov	[ebp+var_6C], ecx
		test	edi, edi
		jz	loc_448917
		movzx	edx, word ptr [edi]
		test	dx, dx
		jz	loc_448917
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	loc_448917
		test	ebx, ebx
		jz	loc_44894A
		mov	esi, [ebx+0E4h]

loc_448855:				; CODE XREF: EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)+14Aj
		mov	[ebp+var_68], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_64], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_58], eax
		mov	al, [ebp+arg_10]
		mov	[ebp+var_54], al
		mov	al, [ebp+arg_14]
		mov	[ebp+var_53], al
		xor	eax, eax
		mov	[ebp+var_52], ax
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_50], eax
		xor	eax, eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax
		mov	eax, ds:_EtwpHostSiloState
		mov	[ebp+var_60], esi
		add	eax, 0A48h
		jz	short loc_4488A8
		test	byte ptr [eax],	4
		jnz	loc_448928

loc_4488A8:				; CODE XREF: EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)+9Bj
		xor	al, al

loc_4488AA:				; CODE XREF: EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)+128j
		mov	esi, [ebp+arg_1C]
		test	al, al
		jnz	short loc_44892F

loc_4488B1:				; CODE XREF: EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)+143j
		and	[ebp+var_34], 0
		lea	eax, [ebp+var_68]
		and	[ebp+var_2C], 0
		mov	[ebp+var_28], ecx
		xor	ecx, ecx
		neg	esi
		mov	[ebp+var_38], eax
		movzx	eax, dx
		sbb	esi, esi
		mov	[ebp+var_30], 2Ch
		and	esi, 1000000h
		mov	[ebp+var_24], ecx
		add	esi, (offset off_401900+3)
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], offset _EtwpNull
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], 2
		mov	[ebp+var_C], ecx
		push	esi
		push	1402h
		push	4
		push	3
		test	ebx, ebx
		jz	short loc_448951
		mov	ecx, [ebx+3A0h]
		lea	edx, [ebp+var_38]
		call	EtwTraceSiloKernelEvent

loc_448917:				; CODE XREF: EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)+28j
					; EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)+34j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
; 

loc_448928:				; CODE XREF: EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)+A0j
		mov	al, 1
		jmp	loc_4488AA
; 

loc_44892F:				; CODE XREF: EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)+ADj
		push	esi
		push	1402h
		lea	edx, [ebp+var_68]
		mov	ecx, edi
		call	_EtwpPsProvTraceImage@16 ; EtwpPsProvTraceImage(x,x,x,x)
		mov	ecx, [edi+4]
		movzx	edx, word ptr [edi]
		jmp	loc_4488B1
; 

loc_44894A:				; CODE XREF: EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)+47j
		xor	esi, esi
		jmp	loc_448855
; 

loc_448951:				; CODE XREF: EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)+105j
		pop	edx
		lea	ecx, [ebp+var_38]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	short loc_448917
_EtwpTraceImageUnload@40 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExReferenceCallBackBlock proc near	; CODE XREF: IoBoostThreadIoPriority+D2p
					; IoUnregisterPriorityCallback(x)+36p ...

var_1		= byte ptr -1

; FUNCTION CHUNK AT 005AE553 SIZE 00000064 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, [esi]
		test	bl, 7
		jnz	short loc_448996

loc_448973:				; CODE XREF: ExReferenceCallBackBlock+41j
					; ExReferenceCallBackBlock+49j
		test	ebx, ebx
		jnz	short loc_44897F

loc_448977:				; CODE XREF: ExReferenceCallBackBlock+C9j
		xor	eax, eax
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_44897F:				; CODE XREF: ExReferenceCallBackBlock+15j
		mov	eax, ebx
		and	eax, 7
		jz	short loc_4489EF
		and	ebx, 0FFFFFFF8h
		cmp	eax, 1
		jz	short loc_4489AB

loc_44898E:				; CODE XREF: ExReferenceCallBackBlock+59j
					; ExReferenceCallBackBlock+88j	...
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_448996:				; CODE XREF: ExReferenceCallBackBlock+11j
					; ExReferenceCallBackBlock+47j
		lea	edx, [ebx-1]
		mov	eax, ebx
		lock cmpxchg [esi], edx
		cmp	eax, ebx
		jz	short loc_448973
		mov	ebx, eax
		test	al, 7
		jnz	short loc_448996
		jmp	short loc_448973
; 

loc_4489AB:				; CODE XREF: ExReferenceCallBackBlock+2Cj
		mov	edx, 7
		mov	ecx, ebx
		call	ExAcquireRundownProtectionEx
		test	al, al
		jz	short loc_44898E
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		ja	loc_5AE564
		mov	edi, edi

loc_4489D0:				; CODE XREF: ExReferenceCallBackBlock+165BFEj
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	ebx, eax
		jnz	loc_5AE564
		lea	edx, [ecx+7]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jz	short loc_44898E
		jmp	loc_5AE553
; 

loc_4489EF:				; CODE XREF: ExReferenceCallBackBlock+24j
		push	offset _ExpCallBackFlush
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	ebx, [esi]
		mov	[ebp+var_1], al
		and	ebx, 0FFFFFFF8h
		jz	short loc_448A0E
		mov	ecx, ebx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_448A2E

loc_448A0E:				; CODE XREF: ExReferenceCallBackBlock+A1j
					; ExReferenceCallBackBlock+D0j
		push	offset _ExpCallBackFlush
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jnz	loc_44898E
		jmp	loc_448977
; 

loc_448A2E:				; CODE XREF: ExReferenceCallBackBlock+ACj
		xor	ebx, ebx
		jmp	short loc_448A0E
ExReferenceCallBackBlock endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ExDereferenceCallBackBlock(x, x)
_ExDereferenceCallBackBlock@8 proc near	; CODE XREF: ExCallCallBack(x,x,x)+27p
					; PspCallProcessNotifyRoutines+1B1p ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		mov	eax, esi
		push	edi
		mov	edi, edx
		xor	eax, edi
		cmp	eax, 7
		jnb	short loc_448A61

loc_448A51:				; CODE XREF: ExDereferenceCallBackBlock(x,x)+31j
		lea	edx, [esi+1]
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_448A6A
		pop	edi
		pop	esi
		retn
; 

loc_448A61:				; CODE XREF: ExDereferenceCallBackBlock(x,x)+Fj
					; ExDereferenceCallBackBlock(x,x)+33j
		mov	ecx, edi
		pop	edi
		pop	esi
		jmp	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
; 

loc_448A6A:				; CODE XREF: ExDereferenceCallBackBlock(x,x)+1Cj
		mov	esi, eax
		xor	eax, edi
		cmp	eax, 7
		jb	short loc_448A51
		jmp	short loc_448A61
_ExDereferenceCallBackBlock@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MmSessionGetWin32Callouts()
_MmSessionGetWin32Callouts@0 proc near	; CODE XREF: PsInvokeWin32Callout+19p
					; ExCallSessionCallBack+5Ap ...
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	eax, [eax+1DCh]
		test	eax, eax
		jz	short loc_448A9C
		cmp	eax, 1
		mov	eax, offset _PsWin32CallBack
		jnz	short locret_448AA1

loc_448A9C:				; CODE XREF: MmSessionGetWin32Callouts()+1Aj
		mov	eax, offset _PsWin32NullCallBack

locret_448AA1:				; CODE XREF: MmSessionGetWin32Callouts()+24j
		retn
_MmSessionGetWin32Callouts@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpLookupOrCreateLowBox proc near	; CODE XREF: RtlpHashStringToAtom+CFp

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005AE5B7 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr [ecx+10h], 1
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		jnz	short loc_448AC9
		call	RtlpQueryLowBoxId
		mov	ebx, eax

loc_448AB9:				; CODE XREF: RtlpLookupOrCreateLowBox+29j
		lea	esi, [edi+8]
		test	ebx, ebx
		jnz	short loc_448ACD
		mov	eax, esi

loc_448AC2:				; CODE XREF: RtlpLookupOrCreateLowBox+3Ej
					; RtlpLookupOrCreateLowBox+47j	...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_448AC9:				; CODE XREF: RtlpLookupOrCreateLowBox+Ej
		xor	ebx, ebx
		jmp	short loc_448AB9
; 

loc_448ACD:				; CODE XREF: RtlpLookupOrCreateLowBox+1Cj
		mov	eax, [esi]

loc_448ACF:				; CODE XREF: RtlpLookupOrCreateLowBox+38j
		cmp	eax, esi
		jz	short loc_448B09
		cmp	[eax+8], ebx
		jz	short loc_448ADC
		mov	eax, [eax]
		jmp	short loc_448ACF
; 

loc_448ADC:				; CODE XREF: RtlpLookupOrCreateLowBox+34j
		cmp	[ebp+arg_0], 0
		jz	short loc_448AC2
		movzx	edx, word ptr [eax+0Eh]
		test	dl, 4
		jnz	short loc_448AC2
		movzx	ecx, word ptr [eax+0Ch]
		mov	esi, 0FFFFh
		cmp	cx, si
		jz	short loc_448B65
		inc	ecx
		mov	[eax+0Ch], cx
		mov	ecx, edx

loc_448B00:				; CODE XREF: RtlpLookupOrCreateLowBox+C9j
		or	ecx, 4
		mov	[eax+0Eh], cx
		jmp	short loc_448AC2
; 

loc_448B09:				; CODE XREF: RtlpLookupOrCreateLowBox+2Fj
		push	10h
		mov	edx, 4C6D7441h
		pop	ecx
		call	RtlpAllocateAtom
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_5AE5B7
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_448B6D
		mov	[ecx], eax
		mov	[ecx+4], esi
		mov	[eax+4], ecx
		xor	eax, eax
		mov	[esi], ecx
		mov	[ecx+0Ch], eax
		mov	[ecx+8], ebx
		cmp	[ebp+arg_0], al
		jnz	short loc_448B42

loc_448B3E:				; CODE XREF: RtlpLookupOrCreateLowBox+C1j
					; RtlpLookupOrCreateLowBox+D4j
		mov	eax, ecx
		jmp	short loc_448AC2
; 

loc_448B42:				; CODE XREF: RtlpLookupOrCreateLowBox+9Aj
		xor	esi, esi
		mov	edx, 0FFFFh
		push	4
		inc	esi
		pop	eax
		mov	[ecx+0Ch], si
		mov	[ecx+0Eh], ax
		movzx	eax, word ptr [edi+14h]
		cmp	ax, dx
		jz	short loc_448B72
		inc	eax
		mov	[edi+14h], ax
		jmp	short loc_448B3E
; 

loc_448B65:				; CODE XREF: RtlpLookupOrCreateLowBox+55j
		or	edx, 1
		movzx	ecx, dx
		jmp	short loc_448B00
; 

loc_448B6D:				; CODE XREF: RtlpLookupOrCreateLowBox+83j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_448B72:				; CODE XREF: RtlpLookupOrCreateLowBox+BAj
		or	[edi+16h], si
		jmp	short loc_448B3E
RtlpLookupOrCreateLowBox endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpQueryLowBoxId proc near		; CODE XREF: RtlpLookupLowBox(x,x,x):loc_447D18p
					; RtlpLookupOrCreateLowBox+10p	...

var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AE5BE SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	ecx, large fs:124h
		lea	eax, [esp+14h+var_C]
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	edx, [esp+1Ch+var_10]
		push	edi
		push	ebx
		push	eax
		lea	eax, [esp+17h]
		mov	[esp+28h+var_10], ebx
		push	eax
		mov	[esp+2Ch+var_11], bl
		mov	[esp+2Ch+var_C], ebx
		mov	[esp+2Ch+var_8], ebx
		call	PsReferenceEffectiveToken
		mov	edi, [esp+20h+var_10]
		mov	esi, eax
		cmp	edi, 2
		jz	short loc_448BE6

loc_448BBE:				; CODE XREF: RtlpQueryLowBoxId+73j
					; RtlpQueryLowBoxId+165A7Ej ...
		lea	eax, [esp+20h+var_4]
		mov	[esp+20h+var_4], ebx
		push	eax
		push	20h
		push	esi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		cmp	edi, 1
		jnz	short loc_448BF2

loc_448BD4:				; CODE XREF: RtlpQueryLowBoxId+7Cj
		mov	ecx, esi
		call	ObfDereferenceObject

loc_448BDB:				; CODE XREF: RtlpQueryLowBoxId+7Ej
		mov	eax, [esp+20h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_448BE6:				; CODE XREF: RtlpQueryLowBoxId+44j
		cmp	[esp+20h+var_C], 2
		jge	short loc_448BBE
		jmp	loc_5AE5BE
; 

loc_448BF2:				; CODE XREF: RtlpQueryLowBoxId+5Aj
		test	esi, esi
		jnz	short loc_448BD4
		jmp	short loc_448BDB
RtlpQueryLowBoxId endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2151. RtlImageNtHeader

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlImageNtHeader(x)
		public _RtlImageNtHeader@4
_RtlImageNtHeader@4 proc near		; CODE XREF: MiLockPagableImageSection+82p
					; LdrpGetImageSize+18p	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	ecx
		push	[ebp+arg_0]
		mov	[ebp+var_4], ecx
		push	1
		call	RtlImageNtHeaderEx
		mov	eax, [ebp+var_4]
		leave
		retn	4
_RtlImageNtHeader@4 endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2152. RtlImageNtHeaderEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlImageNtHeaderEx
RtlImageNtHeaderEx proc	near		; CODE XREF: RtlpImageDirectoryEntryToDataEx+39p
					; RtlImageNtHeader(x)+16p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005AE60B SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_10]
		push	ebx
		push	esi
		test	edx, edx
		jz	loc_5AE60B
		mov	ecx, [ebp+arg_0]
		mov	dword ptr [edx], 0
		test	ecx, 0FFFFFFFEh
		jnz	loc_5AE60B
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_5AE60B
		cmp	eax, 0FFFFFFFFh
		jz	loc_5AE60B
		test	cl, 1
		jz	short loc_448CB3
		xor	bl, bl

loc_448C72:				; CODE XREF: RtlImageNtHeaderEx+89j
					; RtlImageNtHeaderEx+91j
		mov	ecx, 5A4Dh
		cmp	[eax], cx
		jnz	short loc_448CEB
		mov	ecx, [eax+3Ch]
		test	bl, bl
		jnz	short loc_448CC5

loc_448C83:				; CODE XREF: RtlImageNtHeaderEx+B2j
					; RtlImageNtHeaderEx+B9j
		add	ecx, eax
		cmp	ecx, eax
		jb	short loc_448CEB
		mov	esi, ds:_MmHighestUserAddress
		cmp	eax, esi
		jnb	short loc_448CA1
		cmp	ecx, esi
		jnb	short loc_448CEB
		lea	eax, [ecx+0F8h]
		cmp	eax, esi
		jnb	short loc_448CEB

loc_448CA1:				; CODE XREF: RtlImageNtHeaderEx+61j
		cmp	dword ptr [ecx], 4550h
		jnz	short loc_448CEB
		xor	eax, eax
		mov	[edx], ecx

loc_448CAD:				; CODE XREF: RtlImageNtHeaderEx+1659E0j
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
; 

loc_448CB3:				; CODE XREF: RtlImageNtHeaderEx+3Ej
		cmp	[ebp+arg_C], 0
		mov	bl, 1
		ja	short loc_448C72
		jb	short loc_448CEB
		cmp	[ebp+arg_8], 40h
		jnb	short loc_448C72
		jmp	short loc_448CEB
; 

loc_448CC5:				; CODE XREF: RtlImageNtHeaderEx+51j
		xor	esi, esi
		cmp	esi, [ebp+arg_C]
		jb	short loc_448CD3
		ja	short loc_448CEB
		cmp	ecx, [ebp+arg_8]
		jnb	short loc_448CEB

loc_448CD3:				; CODE XREF: RtlImageNtHeaderEx+9Aj
		cmp	ecx, 0FFFFFFE7h
		jnb	short loc_448CEB
		push	edi
		xor	edi, edi
		lea	esi, [ecx+18h]
		cmp	edi, [ebp+arg_C]
		pop	edi
		jb	short loc_448C83
		ja	short loc_448CEB
		cmp	esi, [ebp+arg_8]
		jb	short loc_448C83

loc_448CEB:				; CODE XREF: RtlImageNtHeaderEx+4Aj
					; RtlImageNtHeaderEx+57j ...
		pop	esi
		mov	eax, 0C000007Bh
		pop	ebx
		pop	ebp
		retn	14h
RtlImageNtHeaderEx endp

; 
		align 10h
; Exported entry 1102. KeAreAllApcsDisabled

;  S U B	R O U T	I N E 


; __stdcall KeAreAllApcsDisabled()
		public _KeAreAllApcsDisabled@0
_KeAreAllApcsDisabled@0	proc near	; CODE XREF: EtwpTraceImageUnloadApc+1Cp
					; PnpIsSafeToExamineUserModeTeb():loc_541C00p ...
		mov	eax, large fs:124h
		cmp	word ptr [eax+13Eh], 0
		jnz	short loc_448D26
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_448D26
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		jnb	short loc_448D26
		xor	al, al
		retn
; 

loc_448D26:				; CODE XREF: KeAreAllApcsDisabled()+Ej
					; KeAreAllApcsDisabled()+17j ...
		mov	al, 1
		retn
_KeAreAllApcsDisabled@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiUnlockVadShared(x, x)
_MiUnlockVadShared@8 proc near		; CODE XREF: MiReferenceCfgVad(x,x,x)+54p
					; MmEnumerateAddressSpaceAndReferenceImages+1D0p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, 11h
		push	edi
		lea	edi, [edx+18h]
		xor	edx, edx
		and	byte ptr [esi+305h], 0BFh
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_448D74

loc_448D50:				; CODE XREF: MiUnlockVadShared(x,x)+4Bj
		mov	ecx, edi
		call	KeAbPostRelease
		nop
		add	word ptr [esi+13Eh], 1
		jz	short loc_448D65

loc_448D62:				; CODE XREF: MiUnlockVadShared(x,x)+3Bj
		pop	edi
		pop	esi
		retn
; 

loc_448D65:				; CODE XREF: MiUnlockVadShared(x,x)+30j
		nop
		add	esi, 70h
		cmp	[esi], esi
		jz	short loc_448D62
		pop	edi
		pop	esi
		jmp	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
; 

loc_448D74:				; CODE XREF: MiUnlockVadShared(x,x)+1Ej
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_448D50
_MiUnlockVadShared@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReferenceInPageFile proc near		; CODE XREF: MiIssueHardFault(x,x)+4Cp
					; MiPfExecuteReadList+52p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AE615 SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edi
		mov	ebx, [edi+80h]
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		jz	loc_448E3D
		mov	ecx, ebx
		call	MiReferenceControlAreaFile
		test	byte ptr [ebx+1Ch], 20h
		mov	[ebp+var_14], eax
		jz	short loc_448E2E
		lea	edi, [ebx+40h]

loc_448DB5:				; CODE XREF: MiReferenceInPageFile+52j
					; MiReferenceInPageFile+57j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_4], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_448DB5
		cmp	edx, [ebp+var_4]
		jnz	short loc_448DB5
		mov	edi, [ebp+var_C]
		mov	ebx, [ebp+var_8]
		mov	eax, [edi+98h]
		mov	esi, [ebx+38h]
		test	eax, eax
		jnz	short loc_448DF0
		lea	eax, [edi+0A8h]

loc_448DF0:				; CODE XREF: MiReferenceInPageFile+6Aj
		imul	eax, [eax+1Ch],	1Ch
		mov	edx, [ebp+var_10]
		add	eax, ds:_MmPfnDatabase
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	MiComputeImagePteIndex
		mov	[edi+74h], eax
		cmp	dword ptr [esi+10h], 0
		jz	short loc_448E35
		mov	esi, [edi+78h]
		or	esi, 10000h
		mov	[edi+78h], esi
		test	ds:_MiFlags, 40000h
		jnz	loc_5AE615
		jmp	short loc_448E35
; 

loc_448E2E:				; CODE XREF: MiReferenceInPageFile+32j
		and	dword ptr [edi+80h], 0

loc_448E35:				; CODE XREF: MiReferenceInPageFile+90j
					; MiReferenceInPageFile+AEj ...
		mov	eax, [ebp+var_14]

loc_448E38:				; CODE XREF: MiReferenceInPageFile+C1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_448E3D:				; CODE XREF: MiReferenceInPageFile+1Ej
		xor	eax, eax
		jmp	short loc_448E38
MiReferenceInPageFile endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReferenceControlAreaFile proc	near	; CODE XREF: MiReferenceInPageFile+26p
					; MiFlushSectionInternal+C3p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005AE65F SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	edx, [ebx+20h]
		push	esi
		push	edi
		lea	edi, [ebx+20h]
		test	dl, 7
		jz	short loc_448E77

loc_448E66:				; CODE XREF: MiReferenceControlAreaFile+B0j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	loc_448EFC

loc_448E77:				; CODE XREF: MiReferenceControlAreaFile+14j
					; MiReferenceControlAreaFile+B6j
		mov	esi, edx
		and	edx, 7
		and	esi, 0FFFFFFF8h
		cmp	edx, 1
		jbe	short loc_448E91

loc_448E84:				; CODE XREF: MiReferenceControlAreaFile+75j
					; MiReferenceControlAreaFile+C8j
		test	esi, esi
		jz	short loc_448ECC

loc_448E88:				; CODE XREF: MiReferenceControlAreaFile+AAj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_448E91:				; CODE XREF: MiReferenceControlAreaFile+32j
		test	edx, edx
		jz	short loc_448ECC
		push	ecx
		mov	edx, 7
		mov	ecx, esi
		call	ObReferenceObjectExWithTag
		mov	ecx, [edi]
		mov	eax, ecx
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		ja	short loc_448F0B

loc_448EB1:				; CODE XREF: MiReferenceControlAreaFile+16581Aj
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	esi, eax
		jnz	short loc_448F0B
		lea	edx, [ecx+7]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_448E84
		jmp	loc_5AE65F
; 

loc_448ECC:				; CODE XREF: MiReferenceControlAreaFile+36j
					; MiReferenceControlAreaFile+43j
		add	ebx, 24h
		push	ebx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	esi, [edi]
		mov	[ebp+var_1], al
		and	esi, 0FFFFFFF8h
		jz	short loc_448EEB
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag

loc_448EEB:				; CODE XREF: MiReferenceControlAreaFile+8Dj
		push	ebx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_448E88
; 

loc_448EFC:				; CODE XREF: MiReferenceControlAreaFile+21j
		mov	edx, eax
		test	al, 7
		jnz	loc_448E66
		jmp	loc_448E77
; 

loc_448F0B:				; CODE XREF: MiReferenceControlAreaFile+5Fj
					; MiReferenceControlAreaFile+68j ...
		push	ecx
		mov	edx, 7
		mov	ecx, esi
		call	ObDereferenceObjectExWithTag
		jmp	loc_448E84
MiReferenceControlAreaFile endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiGetSessionIdForVa(x)
_MiGetSessionIdForVa@4 proc near	; CODE XREF: MiIssueHardFault(x,x)+43p
					; MiCopyDataPageToImagePage+45p ...
		cmp	ecx, dword_6D07D0
		jnb	short loc_448F38

loc_448F26:				; CODE XREF: MiGetSessionIdForVa(x)+25j
					; MiGetSessionIdForVa(x)+29j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		jmp	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
; 

loc_448F38:				; CODE XREF: MiGetSessionIdForVa(x)+6j
		shr	ecx, 15h
		mov	al, byte ptr dword_6D3994[ecx]
		cmp	al, 1
		jz	short loc_448F26
		cmp	al, 0Bh
		jz	short loc_448F26
		or	eax, 0FFFFFFFFh
		retn
_MiGetSessionIdForVa@4 endp

; 
		align 10h

; __stdcall MiWaitForInPageComplete(x, x, x)
_MiWaitForInPageComplete@12:		; CODE XREF: MiIssueHardFault(x,x)+333p
					; MiPfCompleteInPageSupport+59p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	byte ptr [esp+13h], 0
		mov	esi, ecx
		mov	[esp+44h], edi
		mov	[esp+30h], esi
		mov	dword ptr [esp+20h], 0
		mov	eax, [edi+8Ch]
		mov	ebx, [esi+14h]
		mov	ecx, [edi+94h]
		mov	[esp+48h], eax
		mov	eax, [edi+88h]
		mov	[esp+18h], eax
		lea	eax, [edi+0A8h]
		mov	[esp+24h], eax
		mov	eax, [edi+98h]
		mov	[esp+40h], ebx
		mov	[esp+1Ch], ecx
		test	eax, eax
		jz	short loc_448FB4
		mov	[esp+24h], eax

loc_448FB4:				; CODE XREF: .text:00448FAEj
		mov	dword ptr [esp+28h], 0FFFFFFFFh
		test	dword ptr [ecx+18h], (offset loc_7FFFFF+1)
		jnz	loc_44908B
		mov	eax, [ecx+4]
		test	eax, eax
		js	loc_44908B
		jz	loc_44908B
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	[esp+34h], eax
		cmp	eax, dword_6D07B0
		jnb	loc_44908B
		mov	esi, [esi+24h]
		xor	edx, edx
		mov	ecx, large fs:124h
		shl	esi, 0Bh
		not	esi
		and	esi, 20000h
		or	esi, 40000000h
		call	_PsQueryThreadStartAddress@8 ; PsQueryThreadStartAddress(x,x)
		cmp	eax, offset _KeSwapProcessOrStack@4 ; KeSwapProcessOrStack(x)
		jnz	short loc_44902F
		or	esi, 8

loc_44902F:				; CODE XREF: .text:0044902Aj
		mov	ecx, [esp+1Ch]
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	edx, [esp+34h]
		lea	ecx, [esp+28h]
		push	ecx
		push	0
		mov	eax, [eax+4]
		inc	edx
		push	esi
		push	80000000h
		push	eax
		mov	eax, [esp+30h]
		mov	ecx, offset _MiSystemPartition
		movzx	eax, byte ptr [eax+16h]
		shr	eax, 6
		push	eax
		mov	eax, dword_6D07B0
		push	1
		push	0
		push	eax
		call	_MiFindContiguousPages@44 ; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, [esp+30h]

loc_44908B:				; CODE XREF: .text:00448FC3j
					; .text:00448FCEj ...
		mov	edx, [esi+8]
		test	dl, 1
		jz	short loc_4490A7
		and	edx, 0FFFFFFFEh
		cmp	byte ptr [edx],	2
		jnz	short loc_4490A7
		test	ebx, ebx
		jz	short loc_4490A7
		push	ebx
		mov	ecx, edi
		call	_MiPrefetchRestOfCluster@12 ; MiPrefetchRestOfCluster(x,x,x)

loc_4490A7:				; CODE XREF: .text:00449091j
					; .text:00449099j ...
		push	0
		push	0
		push	0
		push	9
		lea	eax, [edi+10h]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [edi+0A0h]
		or	eax, [edi+0A4h]
		jnz	loc_44952E
		test	ebx, ebx
		jz	short loc_4490FC
		mov	al, [ebx+63h]
		and	al, 60h
		cmp	al, 60h
		jnz	short loc_4490FC
		mov	al, [ebx+60h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_4490E7
		mov	ebx, offset unk_6D3C54
		jmp	short loc_4490ED
; 

loc_4490E7:				; CODE XREF: .text:004490DEj
		add	ebx, 94h

loc_4490ED:				; CODE XREF: .text:004490E5j
		cmp	dword ptr [ebx], 0
		jnz	short loc_4490FC
		lea	ecx, [edi+40h]
		xor	edx, edx
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_4490FC:				; CODE XREF: .text:004490CCj
					; .text:004490D5j ...
		mov	esi, [esp+24h]
		mov	eax, 200h
		test	[esi+6], ax
		jz	short loc_449120
		mov	ecx, esi
		call	_MiRetardMdl@4	; MiRetardMdl(x)
		mov	dword ptr [edi+30h], 0C000009Ah
		mov	dword ptr [edi+34h], 0

loc_449120:				; CODE XREF: .text:00449109j
		mov	edx, [edi+78h]
		test	dl, 10h
		jz	short loc_449132
		mov	ecx, edi
		call	_MiFlowThroughRemoveNode@4 ; MiFlowThroughRemoveNode(x)
		mov	edx, [edi+78h]

loc_449132:				; CODE XREF: .text:00449126j
		mov	eax, [edi+70h]
		mov	ecx, [esi+10h]
		add	ecx, [esi+18h]
		mov	[esp+2Ch], eax
		and	ecx, 0FFFh
		mov	eax, [esi+14h]
		add	eax, 0FFFh
		mov	dword ptr [esp+14h], 0
		add	eax, ecx
		shr	eax, 0Ch
		add	eax, 6
		lea	eax, [esi+eax*4]
		mov	[esp+30h], eax
		test	edx, 100h
		jz	short loc_449177
		lea	edx, [esp+20h]
		mov	ecx, edi
		call	MiStoreFaultComplete

loc_449177:				; CODE XREF: .text:0044916Aj
		cmp	dword ptr [edi+80h], 0
		mov	eax, [edi+30h]
		jz	short loc_4491F5
		test	eax, eax
		js	short loc_4491A0
		mov	ecx, edi
		call	MiValidateInPage
		mov	[esp+14h], eax
		cmp	eax, 0C0000434h
		jnz	short loc_4491A0
		or	dword ptr [edi+78h], 100000h

loc_4491A0:				; CODE XREF: .text:00449185j
					; .text:00449197j
		mov	eax, [edi+80h]
		mov	[esp+3Ch], eax
		lea	esi, [eax+40h]
		lea	ecx, [ecx+0]

loc_4491B0:				; CODE XREF: .text:004491D2j
					; .text:004491DAj
		mov	eax, [esi]
		mov	ebx, eax
		mov	edx, [esi+4]
		sub	ebx, 1
		mov	ecx, edx
		mov	[esp+34h], eax
		mov	[esp+38h], edx
		sbb	ecx, 0
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [esp+34h]
		cmp	eax, ecx
		jnz	short loc_4491B0
		mov	eax, [esp+38h]
		cmp	edx, eax
		jnz	short loc_4491B0
		mov	esi, [esp+24h]
		add	ecx, 0FFFFFFFFh
		adc	eax, 0FFFFFFFFh
		or	ecx, eax
		jnz	short loc_44920D
		mov	ecx, [esp+3Ch]
		call	MiDeleteControlArea
		jmp	short loc_44920D
; 

loc_4491F5:				; CODE XREF: .text:00449181j
		test	eax, eax
		js	short loc_44920D
		test	dword ptr [edi+78h], 400000h
		jz	short loc_44920D
		mov	ecx, edi
		call	MiValidatePagefilePageHash
		mov	[esp+14h], eax

loc_44920D:				; CODE XREF: .text:004491E8j
					; .text:004491F3j ...
		mov	edx, [esp+20h]
		mov	ebx, [edi+30h]
		and	edx, 1
		mov	[esp+24h], edx
		jnz	short loc_449254
		mov	eax, [esp+2Ch]
		mov	ecx, eax
		inc	large dword ptr	fs:3E30h
		and	ecx, 0FFFh
		neg	ecx
		sbb	ecx, ecx
		shr	eax, 0Ch
		neg	ecx
		add	ecx, eax
		mov	eax, [esp+40h]
		add	large fs:3E2Ch,	ecx
		test	eax, eax
		jz	short loc_449254
		test	byte ptr [edi+78h], 8
		jnz	short loc_449254
		lock inc dword ptr [eax+58h]

loc_449254:				; CODE XREF: .text:0044921Bj
					; .text:00449248j ...
		mov	ecx, [ebp+8]
		lea	eax, [edx+edx]
		mov	[esp+3Ch], eax
		mov	edx, [ecx]
		mov	[esp+40h], edx
		test	edx, edx
		jz	short loc_44927A
		mov	ecx, [esp+40h]
		mov	edx, eax
		call	PfHardFaultLog
		mov	eax, [esp+3Ch]
		mov	ecx, [ebp+8]

loc_44927A:				; CODE XREF: .text:00449266j
		test	byte ptr [esi+6], 1
		mov	[ecx], eax
		jz	short loc_44928C
		mov	eax, [esi+0Ch]
		push	esi
		push	eax
		call	MmUnmapLockedPages

loc_44928C:				; CODE XREF: .text:00449280j
		mov	dword ptr [esp+34h], 0
		mov	dword ptr [edi+74h], 0FFFFFFFFh
		test	ebx, ebx
		js	loc_449380
		mov	edx, [edi+34h]
		mov	eax, [esp+2Ch]
		cmp	edx, eax
		jz	loc_44936B
		test	edx, edx
		jnz	short loc_4492C6
		test	byte ptr [edi+78h], 8
		jz	short loc_4492C6
		mov	ebx, 0C0000017h
		jmp	loc_44936B
; 

loc_4492C6:				; CODE XREF: .text:004492B4j
					; .text:004492BAj
		test	dword ptr [edi+78h], 200000h
		jz	short loc_4492DA
		cmp	dword ptr [esp+24h], 0
		jz	loc_44954A

loc_4492DA:				; CODE XREF: .text:004492CDj
		mov	ecx, [esi+10h]
		add	ecx, [esi+18h]
		and	ecx, 0FFFh
		sub	ecx, eax
		mov	eax, [esi+14h]
		add	ecx, 0FFFh
		add	ecx, edx
		add	eax, ecx
		shr	eax, 0Ch
		and	edx, 0FFFh
		mov	[esp+40h], edx
		lea	ecx, ds:18h[eax*4]
		lea	eax, [ecx+esi]
		mov	[esp+38h], ecx
		mov	[esp+3Ch], eax
		jz	short loc_449358
		mov	ecx, [eax]
		lea	edx, [esp+13h]
		push	80000000h
		call	MiMapPageInHyperSpaceWorker
		mov	ecx, [esp+40h]
		lea	esi, [ecx+eax]
		mov	eax, 1000h
		sub	eax, ecx
		push	eax
		push	0
		push	esi
		call	_memset
		mov	dl, [esp+1Fh]
		add	esp, 0Ch
		mov	ecx, esi
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	eax, [esp+3Ch]
		mov	ecx, [esp+38h]

loc_449358:				; CODE XREF: .text:00449314j
		add	eax, 4
		cmp	eax, [esp+30h]
		ja	short loc_44936B
		lea	eax, [ecx-1Ch]
		sar	eax, 2
		inc	eax
		mov	[edi+74h], eax

loc_44936B:				; CODE XREF: .text:004492ACj
					; .text:004492C1j ...
		mov	esi, [esp+14h]
		cmp	esi, 0C000003Fh
		jz	loc_44943F
		jmp	loc_449481
; 

loc_449380:				; CODE XREF: .text:0044929Dj
		cmp	ebx, 0C0000011h
		jnz	short loc_4493F6
		test	dword ptr [edi+78h], 200000h
		jnz	loc_449559
		mov	eax, [esp+30h]
		add	esi, 1Ch
		sub	eax, esi
		mov	ebx, 1
		add	eax, 4
		shr	eax, 2
		cmp	[esp+30h], esi
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax
		mov	[esp+40h], ecx
		cmp	ecx, ebx
		jb	short loc_4493EF
		mov	edi, ecx
		lea	ecx, [ecx+0]

loc_4493C0:				; CODE XREF: .text:004493E9j
		mov	ecx, [esi]
		mov	eax, ds:_MmPfnDatabase
		lea	edx, ds:0[ecx*8]
		sub	edx, ecx
		movzx	eax, byte ptr [eax+edx*4+16h]
		mov	edx, 3
		shr	eax, 6
		push	eax
		call	MiZeroPhysicalPage
		inc	ebx
		lea	esi, [esi+4]
		cmp	ebx, edi
		jbe	short loc_4493C0
		mov	edi, [esp+44h]

loc_4493EF:				; CODE XREF: .text:004493B9j
		xor	ebx, ebx
		jmp	loc_449481
; 

loc_4493F6:				; CODE XREF: .text:00449386j
		cmp	ebx, 80000016h
		jz	loc_449481
		mov	edx, [esi+14h]
		mov	ecx, ebx
		call	_MiIsRetryIoStatus@8 ; MiIsRetryIoStatus(x,x)
		mov	[esp+34h], eax
		test	eax, eax
		jz	short loc_449435
		cmp	dword_6D348C, 0
		jnz	short loc_449435
		cmp	dword ptr [esp+24h], 0
		jz	short loc_44942B
		test	byte ptr [esp+20h], 2
		jz	short loc_449435

loc_44942B:				; CODE XREF: .text:00449422j
		mov	dword_6D348C, 20h

loc_449435:				; CODE XREF: .text:00449412j
					; .text:0044941Bj ...
		test	byte ptr [edi+78h], 8
		jnz	short loc_44947C
		mov	esi, [esp+14h]

loc_44943F:				; CODE XREF: .text:00449375j
		mov	ecx, [esp+18h]
		cmp	ecx, ds:_MmHighestUserAddress
		jbe	short loc_449481
		cmp	ecx, dword_6D07D0
		jb	short loc_449461
		mov	eax, ecx
		shr	eax, 15h
		cmp	byte ptr dword_6D3994[eax], 8
		jz	short loc_449481

loc_449461:				; CODE XREF: .text:00449451j
		call	_MiExceptionForMappedVa@4 ; MiExceptionForMappedVa(x)
		test	eax, eax
		jnz	short loc_449481
		cmp	[esp+34h], eax
		jz	loc_44956C
		cmp	esi, 0C000003Fh
		jz	short loc_449481

loc_44947C:				; CODE XREF: .text:00449439j
		mov	ebx, 0C0000017h

loc_449481:				; CODE XREF: .text:0044937Bj
					; .text:004493F1j ...
		mov	ecx, [esp+28h]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_449516
		mov	esi, [esp+1Ch]
		mov	eax, 92492493h
		sub	esi, ds:_MmPfnDatabase
		imul	esi
		push	1
		push	0
		lea	eax, [esi+edx]
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)
		mov	eax, [esp+28h]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+ecx*4]
		mov	eax, ds:_ZeroPte
		lea	ecx, [esi+8]
		mov	[ecx], eax
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		mov	eax, [esi+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jnz	short loc_449518
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [esp+1Ch]
		mov	edx, 7FFFFFFFh
		mov	ecx, [ecx+4]
		mov	[esi+4], ecx
		lea	ecx, [esi+10h]
		lock and [ecx],	edx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_449518
; 

loc_449516:				; CODE XREF: .text:00449488j
		xor	esi, esi

loc_449518:				; CODE XREF: .text:004494EEj
					; .text:00449514j
		mov	eax, [esp+20h]
		mov	[edi+40h], esi
		mov	[edi+30h], ebx
		mov	[edi+44h], eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_44952E:				; CODE XREF: .text:004490C4j
		mov	ecx, [edi+0A0h]
		mov	eax, [edi+0A4h]
		push	0
		push	ecx
		push	edi
		push	61947h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_44954A:				; CODE XREF: .text:004492D4j
		push	dword ptr [esp+18h]
		push	edi
		push	edx
		push	4
		push	7Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_449559:				; CODE XREF: .text:0044938Fj
		push	dword ptr [esp+18h]
		push	edi
		push	0C0000011h
		push	3
		push	7Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_44956C:				; CODE XREF: .text:0044946Ej
		mov	edi, [esp+48h]
		mov	ecx, edi
		call	MmIsAddressValidEx
		cmp	al, 1
		jnz	short loc_449580
		mov	esi, [edi]
		nop
		jmp	short loc_44958B
; 

loc_449580:				; CODE XREF: .text:00449579j
		or	esi, 0FFFFFFFFh
		mov	dword ptr [esp+4Ch], 0

loc_44958B:				; CODE XREF: .text:0044957Ej
		mov	ecx, 1
		call	_MiFlushAllFilesystemPages@4 ; MiFlushAllFilesystemPages(x)
		mov	eax, [esp+14h]
		test	eax, eax
		jns	short loc_44959F
		mov	ebx, eax

loc_44959F:				; CODE XREF: .text:0044959Bj
		push	dword ptr [esp+18h]
		push	esi
		push	ebx
		push	edi
		push	7Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 3 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIsCfgBitMapPageShared(x, x)
_MiIsCfgBitMapPageShared@8 proc	near	; CODE XREF: MiMarkSharedImageCfgBits+D4p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_59		= byte ptr -59h
var_58		= dword	ptr -58h
var_52		= byte ptr -52h
var_51		= dword	ptr -51h
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_60], ecx
		mov	eax, [eax+80h]
		shr	esi, 9
		add	eax, 240h
		and	esi, offset loc_7FFFF8
		mov	[ebp+var_68], edx
		push	edi
		mov	ecx, eax
		mov	[ebp+var_6C], eax
		sub	esi, 40000000h
		call	MiLockWorkingSetShared
		mov	edx, esi
		mov	[ebp+var_59], al
		shl	edx, 9
		mov	[ebp+var_78], 0
		mov	eax, edx
		mov	[ebp+var_74], 0
		mov	[ebp+var_58+2],	0
		mov	[ebp+var_51], 0
		mov	[ebp+var_4D], 0
		mov	[ebp+var_3C], 0
		mov	[ebp+var_38], 0
		mov	[ebp+var_34], 0
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], 0
		mov	[ebp+var_28], 0
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], 0
		cmp	edx, 0C0000000h
		jb	short loc_449681
		nop

loc_449670:				; CODE XREF: MiIsCfgBitMapPageShared(x,x)+CFj
		cmp	eax, 0C07FFFFFh
		ja	short loc_449681
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	short loc_449670

loc_449681:				; CODE XREF: MiIsCfgBitMapPageShared(x,x)+BDj
					; MiIsCfgBitMapPageShared(x,x)+C5j
		cmp	eax, dword_6D07D0
		jb	short loc_4496A7
		cmp	eax, dword_6D2E88
		jb	short loc_449699
		cmp	eax, dword_6D2E8C
		jbe	short loc_4496A7

loc_449699:				; CODE XREF: MiIsCfgBitMapPageShared(x,x)+DFj
		mov	ecx, 1
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	ecx, eax
		jmp	short loc_4496B9
; 

loc_4496A7:				; CODE XREF: MiIsCfgBitMapPageShared(x,x)+D7j
					; MiIsCfgBitMapPageShared(x,x)+E7j
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		add	ecx, 240h

loc_4496B9:				; CODE XREF: MiIsCfgBitMapPageShared(x,x)+F5j
		mov	eax, 865h
		mov	[ebp+var_48], ecx
		mov	word ptr [ebp+var_58], ax
		lea	ecx, [ebp+var_58]
		lea	eax, [ebp+var_78]
		mov	[ebp+var_4C], 0
		mov	[ebp+var_10], eax
		mov	al, byte ptr [ebp+var_58+2]
		and	al, 0E7h
		mov	[ebp+var_14], offset _MiGetNextPageTableTail@4 ; MiGetNextPageTableTail(x)
		or	al, 4
		mov	[ebp+var_44], edx
		mov	byte ptr [ebp+var_58+2], al
		mov	al, [ebp+var_59]
		mov	[ebp+var_52], al
		mov	[ebp+var_40], edx
		call	MiWalkPageTables
		cmp	esi, [ebp+var_74]
		jz	short loc_449706
		mov	edi, 3
		jmp	loc_449828
; 

loc_449706:				; CODE XREF: MiIsCfgBitMapPageShared(x,x)+14Aj
		mov	edi, [esi]
		mov	ebx, esi
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		nop
		mov	esi, [esi+4]
		mov	eax, edi
		or	eax, esi
		jnz	short loc_449725
		lea	edi, [eax+2]
		jmp	loc_4497CD
; 

loc_449725:				; CODE XREF: MiIsCfgBitMapPageShared(x,x)+16Bj
		mov	edx, [ebp+var_60]
		lea	eax, [ebp+var_7C]
		mov	ecx, [ebp+var_68]
		push	eax
		push	0
		shr	edx, 0Ch
		call	MiGetProtoPteAddress
		mov	ecx, edi
		mov	edx, eax
		and	ecx, 1
		mov	[ebp+var_68], edx
		or	ecx, 0
		jz	short loc_449780
		nop
		mov	eax, ds:_MmPfnDatabase
		shrd	edi, esi, 0Ch
		and	edi, 1FFFFFFh
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		lea	ecx, [eax+ecx*4]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4497CB
		mov	eax, [ecx+4]
		or	eax, 80000000h
		cmp	eax, edx
		jnz	short loc_4497CB
		mov	edi, 1
		jmp	short loc_4497CD
; 

loc_449780:				; CODE XREF: MiIsCfgBitMapPageShared(x,x)+196j
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		jz	short loc_4497CB
		push	esi
		push	edi
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jnz	short loc_4497C4
		mov	eax, dword_6D0704
		mov	edx, esi
		mov	ecx, dword_6D0700
		mov	[ebp+var_64], eax
		mov	eax, ecx
		or	eax, [ebp+var_64]
		jz	short loc_4497BF
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4497BF
		mov	esi, [ebp+var_64]
		not	esi
		and	esi, edx

loc_4497BF:				; CODE XREF: MiIsCfgBitMapPageShared(x,x)+1FCj
					; MiIsCfgBitMapPageShared(x,x)+206j
		cmp	[ebp+var_68], esi
		jnz	short loc_4497CB

loc_4497C4:				; CODE XREF: MiIsCfgBitMapPageShared(x,x)+1E5j
		mov	edi, 1
		jmp	short loc_4497CD
; 

loc_4497CB:				; CODE XREF: MiIsCfgBitMapPageShared(x,x)+1BBj
					; MiIsCfgBitMapPageShared(x,x)+1C7j ...
		xor	edi, edi

loc_4497CD:				; CODE XREF: MiIsCfgBitMapPageShared(x,x)+170j
					; MiIsCfgBitMapPageShared(x,x)+1CEj ...
		mov	[ebp+var_60], edi
		mov	ecx, [ebp+var_6C]
		lea	eax, [ebp+var_64]
		push	eax
		lea	edx, [ebx-40000000h]
		mov	[ebp+var_64], 0
		call	MiGetPageTableLockBuffer
		mov	esi, eax
		mov	ebx, 2
		mov	[ebp+var_68], esi
		mov	edx, [esi]
		mov	eax, [ebp+var_64]
		mov	ecx, eax
		shl	ebx, cl
		mov	ecx, edx
		btr	ecx, eax
		not	ebx
		and	ecx, ebx
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_449828
		mov	edi, [ebp+var_64]
		mov	ecx, esi

loc_449814:				; CODE XREF: MiIsCfgBitMapPageShared(x,x)+273j
		mov	edx, eax
		mov	esi, eax
		btr	edx, edi
		and	edx, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_449814
		mov	edi, [ebp+var_60]

loc_449828:				; CODE XREF: MiIsCfgBitMapPageShared(x,x)+151j
					; MiIsCfgBitMapPageShared(x,x)+25Dj
		mov	dl, [ebp+var_59]
		mov	ecx, [ebp+var_6C]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_MiIsCfgBitMapPageShared@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetControlAreaLoadConfig(x)
_MiGetControlAreaLoadConfig@4 proc near	; CODE XREF: MiAllowImageMap(x,x,x,x)+65p
					; MiMarkSharedImageCfgBits+47p	...
		mov	eax, [ecx+38h]
		mov	eax, [eax+10h]
		test	eax, eax
		jz	short loc_449854
		add	eax, 28h
		retn
; 

loc_449854:				; CODE XREF: MiGetControlAreaLoadConfig(x)+8j
		xor	eax, eax
		retn
_MiGetControlAreaLoadConfig@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiIssueHardFaultIo proc	near		; CODE XREF: MiIssueHardFault(x,x)+219p
					; MiPfIssueCoalesceCandidates+27p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AE675 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edi
		mov	eax, [edi+78h]
		test	eax, 100h
		jnz	loc_449909
		mov	esi, eax
		shr	esi, 1
		and	esi, 4
		test	eax, 40000h
		jz	short loc_449886
		or	esi, 1

loc_449886:				; CODE XREF: MiIssueHardFaultIo+29j
		push	0
		pop	ebx
		and	eax, 8
		jnz	short loc_449904
		mov	ecx, [edi+88h]
		cmp	ecx, dword_6D07D0
		jnb	short loc_4498F8
		mov	ecx, ebx

loc_44989E:				; CODE XREF: MiIssueHardFaultIo+AAj
		test	edx, edx
		jnz	short loc_4498A7
		cmp	ecx, 8
		jz	short loc_449904

loc_4498A7:				; CODE XREF: MiIssueHardFaultIo+48j
					; MiIssueHardFaultIo+AFj
		test	eax, eax
		jnz	short loc_4498C9
		mov	eax, large fs:124h
		mov	eax, [eax+150h]
		add	eax, 3D8h
		mov	[ebp+arg_0], eax
		mov	edx, [eax]
		test	edx, edx
		jnz	loc_5AE675

loc_4498C9:				; CODE XREF: MiIssueHardFaultIo+51j
					; MiIssueHardFaultIo+164E36j ...
		mov	ecx, [edi+7Ch]
		lea	eax, [edi+30h]
		push	ebx
		push	esi
		push	eax
		lea	edx, [edi+10h]
		push	edx
		lea	eax, [edi+38h]
		push	eax
		lea	edx, [edi+0A8h]
		call	IoPageReadEx

loc_4498E5:				; CODE XREF: MiIssueHardFaultIo+E0j
		mov	esi, eax
		test	esi, esi
		js	loc_5AE69B

loc_4498EF:				; CODE XREF: MiIssueHardFaultIo+164E54j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4498F8:				; CODE XREF: MiIssueHardFaultIo+42j
		shr	ecx, 15h
		movzx	ecx, byte ptr dword_6D3994[ecx]
		jmp	short loc_44989E
; 

loc_449904:				; CODE XREF: MiIssueHardFaultIo+34j
					; MiIssueHardFaultIo+4Dj
		or	esi, 2
		jmp	short loc_4498A7
; 

loc_449909:				; CODE XREF: MiIssueHardFaultIo+17j
		lea	esi, [edi+0A8h]
		test	al, 8
		jnz	short loc_449950

loc_449913:				; CODE XREF: MiIssueHardFaultIo+FBj
		mov	eax, [ebp+arg_0]
		test	al, 1
		jnz	short loc_44993A

loc_44991A:				; CODE XREF: MiIssueHardFaultIo+E8j
					; MiIssueHardFaultIo+F1j ...
		xor	ebx, ebx
		lea	ecx, [edi+38h]
		lea	edx, [ebp+arg_0]
		mov	[ebp+arg_0], ebx
		call	?SmKeyConvert@@YGJPAT_MM_STORE_KEY@@PAT_SM_PAGE_KEY@@@Z	; SmKeyConvert(_MM_STORE_KEY *,_SM_PAGE_KEY *)
		lea	eax, [edi+30h]
		push	eax
		lea	ecx, [edi+10h]
		push	ecx
		push	esi
		call	SMKM_STORE_MGR_SM_TRAITS___SmPageRead
		jmp	short loc_4498E5
; 

loc_44993A:				; CODE XREF: MiIssueHardFaultIo+C0j
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		jnz	short loc_44991A
		test	dword ptr [eax+28h], 800h
		jz	short loc_44991A
		or	esi, 2
		jmp	short loc_44991A
; 

loc_449950:				; CODE XREF: MiIssueHardFaultIo+B9j
		or	esi, 1
		jmp	short loc_449913
MiIssueHardFaultIo endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAcquireKobjectLockSafe(x)
_KiAcquireKobjectLockSafe@4 proc near	; CODE XREF: KeSetProcess+24p
					; KeSetProcess+DCp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], 0
		lock bts dword ptr [esi], 7
		jb	short loc_449980

loc_449977:				; CODE XREF: KiAcquireKobjectLockSafe(x)+33j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 
		align 10h

loc_449980:				; CODE XREF: KiAcquireKobjectLockSafe(x)+15j
					; KiAcquireKobjectLockSafe(x)+2Cj ...
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	al, al
		js	short loc_449980
		lock bts dword ptr [esi], 7
		jnb	short loc_449977
		jmp	short loc_449980
_KiAcquireKobjectLockSafe@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtGetWriteWatch	proc near		; DATA XREF: .text:00580FF0o

var_5B8		= dword	ptr -5B8h
var_590		= dword	ptr -590h
var_58C		= dword	ptr -58Ch
var_588		= dword	ptr -588h
var_584		= dword	ptr -584h
var_580		= dword	ptr -580h
var_57C		= dword	ptr -57Ch
var_578		= dword	ptr -578h
var_574		= dword	ptr -574h
var_570		= dword	ptr -570h
var_56C		= dword	ptr -56Ch
var_568		= dword	ptr -568h
var_564		= dword	ptr -564h
var_560		= dword	ptr -560h
var_55C		= dword	ptr -55Ch
var_558		= dword	ptr -558h
var_554		= dword	ptr -554h
var_550		= dword	ptr -550h
var_548		= dword	ptr -548h
var_544		= dword	ptr -544h
var_540		= dword	ptr -540h
var_53C		= dword	ptr -53Ch
var_538		= dword	ptr -538h
var_534		= dword	ptr -534h
var_530		= dword	ptr -530h
var_52C		= dword	ptr -52Ch
var_528		= dword	ptr -528h
var_524		= dword	ptr -524h
var_520		= dword	ptr -520h
var_519		= byte ptr -519h
var_518		= dword	ptr -518h
var_512		= byte ptr -512h
var_50C		= dword	ptr -50Ch
var_508		= dword	ptr -508h
var_504		= dword	ptr -504h
var_500		= dword	ptr -500h
var_4D4		= dword	ptr -4D4h
var_4D0		= dword	ptr -4D0h
var_4CC		= dword	ptr -4CCh
var_4C8		= word ptr -4C8h
var_4C4		= dword	ptr -4C4h
var_4BC		= dword	ptr -4BCh
var_4B8		= dword	ptr -4B8h
var_434		= dword	ptr -434h
var_41C		= dword	ptr -41Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005AE6B1 SIZE 000003C4 BYTES
; FUNCTION CHUNK AT 005AEA98 SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1058
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 58Ch
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_57C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_534], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_52C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_580], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_570], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_584], eax
		mov	[ebp+var_56C], 0
		mov	[ebp+var_520], 0
		mov	ecx, 6
		xor	eax, eax
		lea	edi, [ebp+var_434]
		rep stosd
		push	98h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_4CC]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_4CC], 1
		mov	[ebp+var_4C8], 0
		mov	[ebp+var_4BC], 0
		mov	[ebp+var_4C4], 21h
		mov	[ebp+var_4B8], 0
		test	[ebp+arg_4], 0FFFFFFFEh
		jnz	loc_5AE6B1
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		mov	[ebp+var_544], esi
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_548],	al
		mov	[ebp+var_4], 0
		mov	edi, [ebp+var_534]
		test	al, al
		jz	loc_5AE6FC
		mov	eax, ds:_MmHighestUserAddress
		cmp	edi, eax
		ja	loc_5AE6BB
		sub	eax, edi
		inc	eax
		cmp	eax, [ebp+var_52C]
		jb	loc_5AE6CC
		mov	edx, [ebp+var_570]
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_5AE6DD

loc_449AEB:				; CODE XREF: NtGetWriteWatch+164D3Fj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [edx]
		mov	[ebp+var_568], eax
		test	eax, eax
		jz	loc_5AE6E4
		cmp	eax, 3FFFFFFFh
		ja	loc_5AE6E4
		push	4
		shl	eax, 2
		push	eax
		push	[ebp+var_580]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [ebp+var_584]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_5AE6F5

loc_449B2E:				; CODE XREF: NtGetWriteWatch+164D57j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [ebp+var_568]

loc_449B38:				; CODE XREF: NtGetWriteWatch+164D6Aj
		mov	[ebp+var_4], 0FFFFFFFEh
		lea	edx, [ebp+var_41C]
		mov	[ebp+var_55C], edx
		lea	ecx, ds:0[eax*4]
		cmp	eax, 100h
		ja	loc_44A331

loc_449B5D:				; CODE XREF: NtGetWriteWatch+9A9j
		mov	[ebp+var_558], 1
		mov	[ebp+var_53C], 0
		mov	[ebp+var_564], edx
		mov	[ebp+var_550], 0
		mov	[ebp+var_524], 0
		mov	ecx, [ebp+var_57C]
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_5AE719
		mov	[ebp+var_56C], esi

loc_449BA0:				; CODE XREF: NtGetWriteWatch+164DB1j
		mov	[ebp+var_554], 0
		mov	eax, [ebp+var_52C]
		dec	eax
		add	eax, edi
		mov	[ebp+var_528], eax
		cmp	edi, eax
		ja	loc_5AE756
		cmp	[ebp+var_544], esi
		jnz	loc_5AE760

loc_449BCD:				; CODE XREF: NtGetWriteWatch+164DE0j
		lea	ecx, [esi+240h]
		mov	[ebp+var_540], ecx
		mov	esi, edi
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_544], eax
		lea	eax, [ebp+var_520]
		push	eax
		xor	edx, edx
		mov	ecx, edi
		call	MiObtainReferencedVadEx
		mov	ecx, eax
		mov	[ebp+var_534], ecx
		test	ecx, ecx
		jz	loc_5AE785
		mov	[ebp+var_550], ecx
		lea	eax, [ecx+1Ch]
		mov	[ebp+var_560], eax
		mov	edx, [eax]
		mov	eax, edx
		and	eax, 300000h
		cmp	eax, 300000h
		jnz	loc_44A044
		mov	eax, [ecx+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	[ebp+var_528], eax
		ja	loc_44A044
		call	_MiGetVadMandatoryPageSize@4 ; MiGetVadMandatoryPageSize(x)
		mov	[ebp+var_558], eax
		cmp	eax, 1
		ja	loc_5AE79C

loc_449C6B:				; CODE XREF: NtGetWriteWatch+164E16j
		mov	eax, edx
		and	eax, offset loc_500000
		cmp	eax, offset loc_500000
		jnz	loc_44A284
		shr	edx, 12h
		and	edx, 3
		mov	eax, ds:_MiVadPageSizes[edx*4]
		sub	eax, 10h
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFF1h
		add	eax, 10h
		mov	[ebp+var_52C], eax

loc_449C9D:				; CODE XREF: NtGetWriteWatch+8EEj
		mov	ecx, [ebp+var_534]
		mov	eax, [ecx+24h]
		mov	[ebp+var_578], eax
		test	eax, eax
		jz	short loc_449CBA

loc_449CB0:				; CODE XREF: NtGetWriteWatch+164E30j
		test	byte ptr [eax+24h], 4
		jz	loc_5AE7C6

loc_449CBA:				; CODE XREF: NtGetWriteWatch+30Ej
					; NtGetWriteWatch+164E36j
		shr	edi, 0Ch
		sub	edi, [ecx+0Ch]
		call	_MiGetVadMandatoryPageSize@4 ; MiGetVadMandatoryPageSize(x)
		mov	ecx, eax
		mov	eax, edi
		xor	edx, edx
		div	ecx
		mov	[ebp+var_530], eax
		mov	ecx, [ebp+var_540]
		call	MiLockWorkingSetShared
		mov	[ebp+var_519], al
		mov	edi, [ebp+var_544]
		cmp	esi, edi
		ja	loc_44A000
		mov	eax, edi
		shl	eax, 9
		mov	[ebp+var_574], eax
		lea	ecx, [ecx+0]

loc_449D00:				; CODE XREF: NtGetWriteWatch+65Aj
		cmp	[ebp+var_53C], 0
		jnz	loc_44A361

loc_449D0D:				; CODE XREF: NtGetWriteWatch+9E7j
		mov	ecx, [ebp+var_540]
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		jz	loc_5AE7DB
		lea	eax, [ecx+80h]

loc_449D26:				; CODE XREF: NtGetWriteWatch+164E40j
		mov	eax, [eax]
		test	eax, 40000000h
		jnz	loc_44A3D9
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	loc_44A3D3

loc_449D40:				; CODE XREF: NtGetWriteWatch+A4Fj
		mov	[ebp+var_58C], 0
		mov	[ebp+var_588], 0
		push	4Ch		; size_t
		push	0		; int
		lea	eax, [ebp+var_518]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, esi
		shl	edx, 9
		mov	eax, 8E1h
		mov	word ptr [ebp+var_518],	ax
		mov	eax, edx
		cmp	edx, 0C0000000h
		jnb	loc_5AE7E5

loc_449D86:				; CODE XREF: NtGetWriteWatch+164E4Aj
					; NtGetWriteWatch+164E5Aj
		cmp	eax, dword_6D07D0
		jnb	loc_5AE7FF

loc_449D92:				; CODE XREF: NtGetWriteWatch+164E6Dj
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		add	ecx, 240h

loc_449DA4:				; CODE XREF: NtGetWriteWatch+164E7Fj
		mov	eax, 8E5h
		mov	word ptr [ebp+var_518],	ax
		mov	[ebp+var_50C], 0
		lea	eax, [ebp+var_58C]
		mov	[ebp+var_4D0], eax
		mov	al, byte ptr [ebp+var_518+2]
		and	al, 0E7h
		or	al, 4
		mov	byte ptr [ebp+var_518+2], al
		mov	[ebp+var_4D4], offset _MiGetNextPageTableTail@4	; MiGetNextPageTableTail(x)
		mov	[ebp+var_508], ecx
		mov	al, [ebp+var_519]
		mov	[ebp+var_512], al
		mov	[ebp+var_504], edx
		mov	eax, [ebp+var_574]
		mov	[ebp+var_500], eax
		lea	ecx, [ebp+var_518]
		call	MiWalkPageTables
		mov	eax, [ebp+var_588]
		test	eax, eax
		jz	loc_44A444
		mov	ecx, eax
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	[ebp+var_53C], ecx

loc_449E34:				; CODE XREF: NtGetWriteWatch+AA7j
		sub	eax, esi
		sar	eax, 3
		xor	edx, edx
		div	[ebp+var_558]
		mov	edi, eax
		or	[ebp+var_524], 4
		mov	ecx, [ebp+var_534]
		call	MiLockVadCore
		test	edi, edi
		jnz	loc_44A3F4

loc_449E5D:				; CODE XREF: NtGetWriteWatch+A9Fj
		mov	ecx, [ebp+var_544]
		cmp	esi, ecx
		ja	loc_44A000
		mov	edi, ecx
		mov	[ebp+var_520], edi
		mov	eax, [ebp+var_58C]
		test	eax, eax
		jnz	loc_5AE87A
		mov	ecx, [ebp+var_52C]

loc_449E87:				; CODE XREF: NtGetWriteWatch+164F9Bj
		mov	eax, ecx
		xor	edx, edx
		div	[ebp+var_558]
		mov	[ebp+var_528], eax
		cmp	esi, edi
		ja	loc_449F98
		mov	eax, [ebp+var_524]
		jmp	short loc_449EB0
; 
		align 10h

loc_449EB0:				; CODE XREF: NtGetWriteWatch+505j
					; NtGetWriteWatch+5F2j
		mov	edi, esi
		mov	[ebp+var_590], edi
		cmp	esi, 0C0000000h
		jb	short loc_449ED9

loc_449EC0:				; CODE XREF: NtGetWriteWatch+537j
		cmp	edi, 0C07FFFFFh
		ja	short loc_449ED9
		shl	edi, 9
		mov	[ebp+var_590], edi
		cmp	edi, 0C0000000h
		jnb	short loc_449EC0

loc_449ED9:				; CODE XREF: NtGetWriteWatch+51Ej
					; NtGetWriteWatch+526j
		and	eax, 0FFFFFFFDh
		mov	[ebp+var_524], eax
		mov	[ebp+var_538], esi
		mov	eax, [ebp+var_578]
		mov	ecx, [eax+8]
		mov	[ebp+var_548], ecx
		mov	edx, [ebp+var_530]
		shr	edx, 5
		mov	ecx, [ebp+var_530]
		and	ecx, 1Fh
		mov	eax, [ebp+var_548]
		mov	edx, [eax+edx*4]
		sar	edx, cl
		test	dl, 1
		mov	eax, [ebp+var_524]
		jnz	loc_5AE940
		xor	edi, edi
		mov	ecx, esi

loc_449F27:				; CODE XREF: NtGetWriteWatch+5BFj
		mov	edx, [ecx]
		nop
		mov	ecx, [ecx+4]
		mov	[ebp+var_548], ecx
		mov	ecx, edx
		and	ecx, 1
		or	ecx, 0
		jz	short loc_449F49
		and	edx, 42h
		or	edx, 0
		jnz	loc_44A293

loc_449F49:				; CODE XREF: NtGetWriteWatch+59Bj
					; NtGetWriteWatch+91Dj
		mov	ecx, [ebp+var_538]
		add	ecx, 8
		mov	[ebp+var_538], ecx
		inc	edi
		cmp	edi, [ebp+var_52C]
		jb	short loc_449F27

loc_449F61:				; CODE XREF: NtGetWriteWatch+900j
		mov	edi, [ebp+var_590]

loc_449F67:				; CODE XREF: NtGetWriteWatch+164FADj
					; NtGetWriteWatch+165028j
		test	al, 2
		jnz	loc_44A2C2

loc_449F6F:				; CODE XREF: NtGetWriteWatch+92Aj
					; NtGetWriteWatch+979j
		mov	edx, [ebp+var_528]
		add	[ebp+var_530], edx
		mov	ecx, [ebp+var_52C]
		lea	esi, [esi+ecx*8]
		test	esi, 0FFFh
		jz	short loc_449F98
		cmp	esi, [ebp+var_520]
		jbe	loc_449EB0

loc_449F98:				; CODE XREF: NtGetWriteWatch+4F9j
					; NtGetWriteWatch+5EAj
		mov	edi, [ebp+var_560]
		mov	edx, [edi]
		mov	ecx, edx
		and	ecx, 0FFFFFFFCh
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	loc_5AE9CD

loc_449FB3:				; CODE XREF: NtGetWriteWatch+16503Cj
		mov	cl, 2
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	[ebp+var_524], 0FFFFFFFBh
		cmp	esi, 0C0000000h
		jb	short loc_449FE3
		lea	ebx, [ebx+0]

loc_449FD0:				; CODE XREF: NtGetWriteWatch+641j
		cmp	esi, 0C07FFFFFh
		ja	short loc_449FE3
		shl	esi, 9
		cmp	esi, 0C0000000h
		jnb	short loc_449FD0

loc_449FE3:				; CODE XREF: NtGetWriteWatch+628j
					; NtGetWriteWatch+636j
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		mov	edi, [ebp+var_544]
		cmp	esi, edi
		jbe	loc_449D00

loc_44A000:				; CODE XREF: NtGetWriteWatch+34Cj
					; NtGetWriteWatch+4C5j	...
		lea	ecx, [ebp+var_4CC]
		call	MiFlushTbList
		test	byte ptr [ebp+var_524],	4
		jnz	loc_44A38C

loc_44A018:				; CODE XREF: NtGetWriteWatch+9F9j
		mov	eax, [ebp+var_53C]
		test	eax, eax
		jz	short loc_44A02F
		mov	edx, eax
		mov	ecx, [ebp+var_540]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_44A02F:				; CODE XREF: NtGetWriteWatch+680j
		mov	dl, [ebp+var_519]
		mov	ecx, [ebp+var_540]
		call	MiUnlockWorkingSetShared
		xor	esi, esi
		jmp	short loc_44A049
; 

loc_44A044:				; CODE XREF: NtGetWriteWatch+29Aj
					; NtGetWriteWatch+2B1j	...
		mov	esi, 0C00000EFh

loc_44A049:				; CODE XREF: NtGetWriteWatch+6A2j
					; NtGetWriteWatch+164DBBj ...
		mov	[ebp+var_520], esi

loc_44A04F:				; CODE XREF: NtGetWriteWatch+164DF1j
		mov	edi, [ebp+var_550]
		test	edi, edi
		jz	loc_44A1E3
		mov	ecx, edi
		call	_MiDereferenceVad@4 ; MiDereferenceVad(x)
		mov	[ebp+var_544], eax
		mov	eax, large fs:124h
		mov	[ebp+var_534], eax
		and	byte ptr [eax+304h], 7Fh
		add	edi, 18h
		or	ecx, 0FFFFFFFFh
		lock xadd [edi], ecx
		and	cl, 6
		cmp	cl, 2
		jz	loc_44A3B7

loc_44A093:				; CODE XREF: NtGetWriteWatch+A1Ej
		mov	[ebp+var_528], 0
		test	edi, 7FFFFFFCh
		jz	loc_5AEA36
		mov	esi, large fs:124h
		mov	[ebp+var_574], esi
		mov	eax, edi
		shr	eax, 15h
		mov	ecx, dword_6D07D0
		cmp	edi, ecx
		jb	loc_5AE9E1
		movzx	edx, byte ptr dword_6D3994[eax]

loc_44A0D0:				; CODE XREF: NtGetWriteWatch+165043j
		cmp	edx, 1
		jz	loc_44A321
		cmp	edi, ecx
		jb	short loc_44A0EA
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_44A321

loc_44A0EA:				; CODE XREF: NtGetWriteWatch+73Bj
		or	eax, 0FFFFFFFFh

loc_44A0ED:				; CODE XREF: NtGetWriteWatch+98Cj
		mov	[ebp+var_548], eax
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	[ebp+var_519], cl
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_560], ecx
		test	ecx, ecx
		jz	loc_44A39E
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	dword ptr [ecx+10h], 0
		jl	loc_44A3C3

loc_44A13B:				; CODE XREF: NtGetWriteWatch+A2Ej
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	edi, 1FFFFh
		mov	[ebp+var_528], edi
		and	eax, 0FFFE0000h
		mov	[ecx+2Ch], eax
		and	byte ptr [ecx+0Dh], 0FEh
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, 2AAAAAABh
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	al, 1
		shl	al, cl
		cmp	[ebp+var_519], 1
		jnz	loc_5AE9FC
		or	[esi+1E4h], al

loc_44A18E:				; CODE XREF: NtGetWriteWatch+A12j
					; NtGetWriteWatch+16506Bj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_560], eax
		jnz	loc_44A456
		mov	edi, [ebp+var_550]

loc_44A1AE:				; CODE XREF: NtGetWriteWatch+AF2j
					; NtGetWriteWatch+165091j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_44A1C5
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_44A44C

loc_44A1C5:				; CODE XREF: NtGetWriteWatch+817j
					; NtGetWriteWatch+AB1j	...
		mov	ecx, [ebp+var_534]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	[ebp+var_544], 1
		jz	loc_5AEA41

loc_44A1DD:				; CODE XREF: NtGetWriteWatch+1650A9j
		mov	esi, [ebp+var_520]

loc_44A1E3:				; CODE XREF: NtGetWriteWatch+6B7j
		test	byte ptr [ebp+var_524],	1
		jnz	loc_5AEA4E

loc_44A1F0:				; CODE XREF: NtGetWriteWatch+1650BBj
		cmp	[ebp+var_57C], 0FFFFFFFFh
		jnz	loc_5AEA60

loc_44A1FD:				; CODE XREF: NtGetWriteWatch+1650D0j
		test	esi, esi
		jnz	loc_5AEA98
		mov	[ebp+var_4], 1
		mov	ecx, [ebp+var_580]
		mov	edi, [ebp+var_55C]
		test	ecx, ecx
		jz	short loc_44A23E
		mov	eax, [ebp+var_554]
		shl	eax, 2
		push	eax		; size_t
		push	edi		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_570]
		mov	ecx, [ebp+var_554]
		mov	[eax], ecx

loc_44A23E:				; CODE XREF: NtGetWriteWatch+87Aj
		mov	eax, [ebp+var_558]
		shl	eax, 0Ch
		mov	ecx, [ebp+var_584]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_44A256:				; CODE XREF: NtGetWriteWatch+1650FEj
		lea	eax, [ebp+var_41C]
		cmp	edi, eax
		jnz	loc_44A354

loc_44A264:				; CODE XREF: NtGetWriteWatch+9BCj
		mov	eax, esi

loc_44A266:				; CODE XREF: NtGetWriteWatch+164D16j
					; NtGetWriteWatch+164D27j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_44A284:				; CODE XREF: NtGetWriteWatch+2D7j
		mov	[ebp+var_52C], 1
		jmp	loc_449C9D
; 

loc_44A293:				; CODE XREF: NtGetWriteWatch+5A3j
		or	eax, 2
		mov	[ebp+var_524], eax
		test	byte ptr [ebp+arg_4], 1
		jz	loc_449F61
		lea	edx, [ebp+var_4CC]
		mov	ecx, [ebp+var_538]
		call	MiMakePteClean
		mov	eax, [ebp+var_524]
		jmp	loc_449F49
; 

loc_44A2C2:				; CODE XREF: NtGetWriteWatch+5C9j
		xor	edx, edx
		cmp	[ebp+var_528], edx
		jbe	loc_449F6F
		mov	ecx, [ebp+var_558]
		shl	ecx, 0Ch
		lea	esp, [esp+0]

loc_44A2E0:				; CODE XREF: NtGetWriteWatch+97Fj
		mov	eax, [ebp+var_564]
		mov	[eax], edi
		add	eax, 4
		mov	[ebp+var_564], eax
		mov	eax, [ebp+var_554]
		inc	eax
		mov	[ebp+var_554], eax
		cmp	eax, [ebp+var_568]
		mov	eax, [ebp+var_524]
		jz	loc_44A000
		inc	edx
		add	edi, ecx
		cmp	edx, [ebp+var_528]
		jnb	loc_449F6F
		jmp	short loc_44A2E0
; 

loc_44A321:				; CODE XREF: NtGetWriteWatch+733j
					; NtGetWriteWatch+744j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_44A0ED
; 

loc_44A331:				; CODE XREF: NtGetWriteWatch+1B7j
		push	0
		push	41h
		mov	edx, 63476D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_55C], edx
		test	edx, edx
		jnz	loc_449B5D
		jmp	loc_5AE70F
; 

loc_44A354:				; CODE XREF: NtGetWriteWatch+8BEj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_44A264
; 

loc_44A361:				; CODE XREF: NtGetWriteWatch+367j
		lea	ecx, [ebp+var_4CC]
		call	MiFlushTbList
		mov	edx, [ebp+var_53C]
		mov	ecx, [ebp+var_540]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	[ebp+var_53C], 0
		jmp	loc_449D0D
; 

loc_44A38C:				; CODE XREF: NtGetWriteWatch+672j
		mov	dl, 2
		mov	ecx, [ebp+var_534]
		call	MiUnlockVadCore
		jmp	loc_44A018
; 

loc_44A39E:				; CODE XREF: NtGetWriteWatch+782j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jz	loc_5AE9E8
		mov	edi, [ebp+var_528]
		jmp	loc_44A18E
; 

loc_44A3B7:				; CODE XREF: NtGetWriteWatch+6EDj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_44A093
; 

loc_44A3C3:				; CODE XREF: NtGetWriteWatch+795j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_560]
		jmp	loc_44A13B
; 

loc_44A3D3:				; CODE XREF: NtGetWriteWatch+39Aj
		mov	ecx, [ebp+var_540]

loc_44A3D9:				; CODE XREF: NtGetWriteWatch+38Dj
		mov	dl, [ebp+var_519]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_540]
		call	MiLockWorkingSetShared
		jmp	loc_449D40
; 

loc_44A3F4:				; CODE XREF: NtGetWriteWatch+4B7j
		mov	ecx, [ebp+var_530]
		lea	ebx, [ebx+0]

loc_44A400:				; CODE XREF: NtGetWriteWatch+A9Dj
		mov	eax, [ebp+var_578]
		mov	edx, [eax+8]
		mov	[ebp+var_548], edx
		mov	eax, ecx
		shr	eax, 5
		and	ecx, 1Fh
		mov	eax, [edx+eax*4]
		sar	eax, cl
		test	al, 1
		jnz	loc_5AE824

loc_44A424:				; CODE XREF: NtGetWriteWatch+164ED5j
		mov	ecx, [ebp+var_530]
		inc	ecx
		mov	[ebp+var_530], ecx
		mov	eax, [ebp+var_558]
		lea	esi, [esi+eax*8]
		sub	edi, 1
		jnz	short loc_44A400
		jmp	loc_449E5D
; 

loc_44A444:				; CODE XREF: NtGetWriteWatch+477j
		lea	eax, [edi+8]
		jmp	loc_449E34
; 

loc_44A44C:				; CODE XREF: NtGetWriteWatch+81Fj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_44A1C5
; 

loc_44A456:				; CODE XREF: NtGetWriteWatch+802j
		test	edi, 8000h
		jnz	short loc_44A49D

loc_44A45E:				; CODE XREF: NtGetWriteWatch+B06j
		test	byte ptr [ebp+var_528+2], 1
		jnz	loc_5AEA10

loc_44A46B:				; CODE XREF: NtGetWriteWatch+16507Cj
		test	edi, 7FFFh
		jz	short loc_44A482
		and	edi, 7FFFh
		mov	edx, edi
		mov	ecx, esi
		call	KiAbThreadUnboostCpuPriority

loc_44A482:				; CODE XREF: NtGetWriteWatch+AD1j
		mov	edi, [ebp+var_550]
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_44A1AE
		jmp	loc_5AEA21
; 

loc_44A49D:				; CODE XREF: NtGetWriteWatch+ABCj
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_44A45E
NtGetWriteWatch	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockVadCore	proc near		; CODE XREF: NtGetWriteWatch+4B0p
					; MiCaptureWriteWatchDirtyBit(x,x,x)+65p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AEACB SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		add	esi, 1Ch
		mov	bl, al
		mov	edx, [esi]

loc_44A4C1:				; CODE XREF: MiLockVadCore+3Cj
					; MiLockVadCore+16464Bj
		test	dl, 1
		jnz	loc_5AEACB
		mov	ecx, edx
		mov	eax, edx
		and	ecx, 0FFFFFFFDh
		or	ecx, 1
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_44A4E2
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_44A4E2:				; CODE XREF: MiLockVadCore+32j
					; MiLockVadCore+164633j
		mov	edx, eax
		jmp	short loc_44A4C1
MiLockVadCore	endp


;  S U B	R O U T	I N E 


; __stdcall MiDereferenceVad(x)
_MiDereferenceVad@4 proc near		; CODE XREF: NtGetWriteWatch+6BFp
					; MiUnlockAndDereferenceNestedVad(x)+6p ...
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+14h], eax
		dec	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_44A501
		test	eax, eax
		jnz	short loc_44A4FE
		test	byte ptr [ecx+1Ch], 4
		jnz	short loc_44A506

loc_44A4FE:				; CODE XREF: MiDereferenceVad(x)+10j
		xor	eax, eax
		retn
; 

loc_44A501:				; CODE XREF: MiDereferenceVad(x)+Cj
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_44A506:				; CODE XREF: MiDereferenceVad(x)+16j
		xor	eax, eax
		inc	eax
		retn
_MiDereferenceVad@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMakePteClean	proc near		; CODE XREF: NtGetWriteWatch+912p
					; NtGetWriteWatch+165005p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AEAF8 SIZE 0000006C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[esp+1Ch+var_14], ecx
		push	edi
		mov	edi, [ecx]
		mov	[esp+20h+var_C], esi
		nop
		mov	ebx, [ecx+4]
		mov	edx, ecx
		and	edi, 0FFFFFFBDh
		shl	edx, 9
		xor	eax, eax
		mov	[esp+20h+var_8], edi
		mov	[esp+20h+var_4], ebx
		cmp	edx, 0C0000000h
		jnb	loc_5AEAF8

loc_44A546:				; CODE XREF: MiMakePteClean+164608j
		nop
		mov	[ecx], edi
		push	0
		mov	[ecx+4], ebx
		mov	ecx, esi
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_44A557:				; CODE XREF: MiMakePteClean+164655j
		nop
		shrd	edi, ebx, 0Ch
		xor	edx, edx
		and	edi, 1FFFFFFh
		inc	edx
		imul	ecx, edi, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	MiLockPageAndSetDirty
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
MiMakePteClean	endp

; 
		align 10h

; __stdcall MiDeleteValidSystemPage(x, x, x, x)
_MiDeleteValidSystemPage@16:		; CODE XREF: MiTerminateWsleCluster+651p
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+425p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ds:_ZeroPte
		push	ebx
		mov	ebx, edx
		mov	[ebp-0Ch], eax
		mov	eax, ds:dword_40F9FC
		push	esi
		push	edi
		mov	esi, [ebx]
		mov	[ebp-8], ebx
		mov	[ebp-10h], eax
		mov	dword ptr [ebp-18h], 0
		mov	dword ptr [ebp-28h], 0
		mov	dword ptr [ebp-24h], 0
		mov	[ebp-4], esi
		nop
		mov	eax, [ebx+4]
		mov	[ebp-30h], esi
		mov	[ebp-2Ch], eax
		nop
		mov	edx, ds:_MmPfnDatabase
		mov	ecx, esi
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		lea	edi, [edx+eax*4]
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_44A713
		test	dword ptr [edi+18h], 800000h
		jnz	short loc_44A60C
		mov	eax, [edi+4]
		test	eax, eax
		js	short loc_44A60C
		jz	short loc_44A60C
		or	eax, 80000000h
		mov	[ebp-18h], eax

loc_44A60C:				; CODE XREF: .text:0044A5F9j
					; .text:0044A600j ...
		mov	eax, ebx
		mov	dword ptr [ebp-28h], 0
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	dword ptr [ebp-24h], 0
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[ebp-38h], edx
		mov	[ebp-34h], eax
		nop
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [edi+10h]
		and	edx, 1FFFFFFh
		mov	dword ptr [ebp-1Ch], 0
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	eax, [eax+ecx*4]
		mov	[ebp-14h], eax
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_44A67C

loc_44A667:				; CODE XREF: .text:0044A673j
					; .text:0044A67Aj
		lea	ecx, [ebp-1Ch]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_44A667
		lock bts dword ptr [esi], 1Fh
		jb	short loc_44A667

loc_44A67C:				; CODE XREF: .text:0044A665j
		mov	edx, [ebp-4]
		mov	eax, edx
		and	eax, 42h
		or	eax, 0
		jz	short loc_44A699
		mov	ecx, edi
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	[ebp-10h], edx
		mov	edx, [ebp-4]
		mov	[ebp-0Ch], eax

loc_44A699:				; CODE XREF: .text:0044A687j
		mov	ebx, [edi+8]
		mov	ecx, ebx
		mov	eax, [edi+0Ch]
		and	ecx, 400h
		or	ecx, 0
		mov	[ebp-4], eax
		jz	short loc_44A705
		and	edx, 200h
		or	edx, 0
		jnz	short loc_44A705
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edx, dword_6D0704
		or	eax, edx
		jz	short loc_44A6DF
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		mov	eax, [ebp-4]
		jnz	short loc_44A6E2
		not	edx
		and	eax, edx
		jmp	short loc_44A6E2
; 

loc_44A6DF:				; CODE XREF: .text:0044A6CAj
		mov	eax, [ebp-4]

loc_44A6E2:				; CODE XREF: .text:0044A6D7j
					; .text:0044A6DDj
		mov	eax, [eax]
		mov	ebx, [ebp-8]
		mov	eax, [eax+1Ch]
		and	eax, 820h
		cmp	eax, 820h
		jnz	loc_44A7DE
		mov	eax, [ebp+0Ch]
		inc	dword ptr [eax+0Ch]
		jmp	loc_44A7DE
; 

loc_44A705:				; CODE XREF: .text:0044A6ADj
					; .text:0044A6B8j
		mov	eax, [ebp+0Ch]
		mov	ebx, [ebp-8]
		inc	dword ptr [eax+0Ch]
		jmp	loc_44A7DE
; 

loc_44A713:				; CODE XREF: .text:0044A5ECj
		cmp	edi, dword_6D34E0
		jnz	short loc_44A734
		mov	eax, ds:_ZeroPte
		mov	[ebx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ebx+4], eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_44A734:				; CODE XREF: .text:0044A719j
		mov	ecx, [edi+4]
		mov	eax, ecx
		or	eax, 80000000h
		cmp	eax, ebx
		jnz	loc_44A885
		mov	ecx, [edi+18h]
		lea	esi, [edi+10h]
		and	ecx, offset loc_7FFFFF
		mov	dword ptr [ebp-20h], 0
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		lea	eax, [edx+eax*4]
		mov	[ebp-14h], eax
		mov	eax, [ebp+0Ch]
		inc	dword ptr [eax+0Ch]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_44A78A

loc_44A775:				; CODE XREF: .text:0044A781j
					; .text:0044A788j
		lea	ecx, [ebp-20h]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_44A775
		lock bts dword ptr [esi], 1Fh
		jb	short loc_44A775

loc_44A78A:				; CODE XREF: .text:0044A773j
		mov	eax, [edi+18h]
		or	dword ptr [esi], 40000000h
		and	eax, 70000000h
		cmp	eax, 20000000h
		jnz	short loc_44A7B3
		mov	ecx, edi
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		and	dword ptr [edi+18h], 8FFFFFFFh
		mov	[ebp-0Ch], eax
		mov	[ebp-10h], edx

loc_44A7B3:				; CODE XREF: .text:0044A79Dj
		mov	eax, [ebp+8]
		test	al, 4
		jz	short loc_44A7E1
		mov	ecx, edi
		call	_MiIsPfnSystemCharged@4	; MiIsPfnSystemCharged(x)
		test	eax, eax
		jz	short loc_44A7DE
		mov	edx, dword_6CF578
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_44A7D7
		dec	dword ptr [edx+74h]

loc_44A7D7:				; CODE XREF: .text:0044A7D2j
		dec	dword ptr [edx+78h]
		and	byte ptr [edi+17h], 0DFh

loc_44A7DE:				; CODE XREF: .text:0044A6F4j
					; .text:0044A700j ...
		mov	eax, [ebp+8]

loc_44A7E1:				; CODE XREF: .text:0044A7B8j
		test	al, 10h
		jz	short loc_44A7E9
		and	byte ptr [edi+17h], 0F7h

loc_44A7E9:				; CODE XREF: .text:0044A7E3j
		mov	eax, ds:_ZeroPte
		mov	[ebx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	ecx, edi
		mov	[ebx+4], eax
		call	MiDecrementShareCount
		mov	edi, eax
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	ebx, [ebp-14h]
		mov	dword ptr [ebp-24h], 0
		lea	esi, [ebx+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_44A835
		mov	edi, edi

loc_44A820:				; CODE XREF: .text:0044A82Cj
					; .text:0044A833j
		lea	ecx, [ebp-24h]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_44A820
		lock bts dword ptr [esi], 1Fh
		jb	short loc_44A820

loc_44A835:				; CODE XREF: .text:0044A81Cj
		mov	ecx, ebx
		call	MiDecrementShareCount
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	ecx, [ebp-0Ch]
		mov	eax, ecx
		mov	edx, [ebp-10h]
		or	eax, edx
		jz	short loc_44A861
		push	edx
		push	ecx
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_44A861:				; CODE XREF: .text:0044A84Ej
		mov	eax, [ebp-18h]
		test	eax, eax
		jz	short loc_44A871
		mov	edx, eax
		call	_MiDecrementCombinedPte@8 ; MiDecrementCombinedPte(x,x)
		mov	edi, eax

loc_44A871:				; CODE XREF: .text:0044A866j
		cmp	edi, 3
		jnz	short loc_44A87C
		mov	eax, [ebp+0Ch]
		inc	dword ptr [eax+4]

loc_44A87C:				; CODE XREF: .text:0044A874j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_44A885:				; CODE XREF: .text:0044A740j
		push	ecx
		push	esi
		push	ebx
		push	404h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreePagesFromMdl(x, x)
_MiFreePagesFromMdl@8 proc near		; CODE XREF: MmFreePagesFromMdl(x)+Ap
					; MmFreePagesFromMdlEx+27p ...

var_2A		= byte ptr -2Ah
var_29		= dword	ptr -29h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		and	[esp+2Ch+var_18], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+38h+var_10], edx
		xor	ecx, ecx
		mov	[esp+38h+var_C], edi
		inc	ecx
		mov	byte ptr [esp+38h+var_29], 0
		mov	[esp+38h+var_14], ecx
		movzx	eax, word ptr [edi+6]
		test	eax, 200h
		jz	short loc_44A8DD
		and	edx, 0FFFFFFFEh
		mov	ecx, edi
		mov	[esp+38h+var_10], edx
		call	_MiRetardMdl@4	; MiRetardMdl(x)
		jmp	loc_44A977
; 

loc_44A8DD:				; CODE XREF: MiFreePagesFromMdl(x,x)+32j
		test	dl, 1
		jz	loc_44A977
		test	al, 1
		jz	short loc_44A8F2
		mov	edx, [edi+14h]
		mov	ecx, [edi+0Ch]
		jmp	short loc_44A90F
; 

loc_44A8F2:				; CODE XREF: MiFreePagesFromMdl(x,x)+52j
		push	40000020h
		push	0
		push	0
		push	ecx
		push	0
		push	edi
		call	MmMapLockedPagesSpecifyCache
		mov	ecx, [edi+14h]
		test	eax, eax
		jz	short loc_44A917
		mov	edx, ecx
		mov	ecx, eax

loc_44A90F:				; CODE XREF: MiFreePagesFromMdl(x,x)+5Aj
		call	_KeZeroPages	; KiZeroPages(x,x)
		jmp	short loc_44A977
; 

loc_44A917:				; CODE XREF: MiFreePagesFromMdl(x,x)+73j
		lea	eax, [edi+1Ch]
		mov	[esp+38h+var_8], eax
		lea	ebx, [ecx+0FFFh]
		mov	eax, [edi+18h]
		add	eax, [edi+10h]
		and	eax, 0FFFh
		add	ebx, eax
		shr	ebx, 0Ch
		test	ebx, ebx
		jz	short loc_44A977
		mov	edi, [esp+38h+var_8]

loc_44A93C:				; CODE XREF: MiFreePagesFromMdl(x,x)+DBj
		mov	ecx, [edi]
		lea	edx, [esp+38h+var_29]
		push	80000000h
		call	MiMapPageInHyperSpaceWorker
		mov	esi, eax
		mov	edx, 1000h
		mov	ecx, esi
		call	_KeZeroPages	; KiZeroPages(x,x)
		mov	dl, byte ptr [esp+38h+var_29]
		mov	ecx, esi
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		lea	edi, [edi+4]
		sub	ebx, 1
		jnz	short loc_44A93C
		mov	edi, [esp+38h+var_C]

loc_44A977:				; CODE XREF: MiFreePagesFromMdl(x,x)+42j
					; MiFreePagesFromMdl(x,x)+4Aj ...
		movzx	eax, word ptr [edi+6]
		mov	ecx, eax
		test	al, 1
		jz	short loc_44A98E
		push	edi
		push	dword ptr [edi+0Ch]
		call	MmUnmapLockedPages
		movzx	ecx, word ptr [edi+6]

loc_44A98E:				; CODE XREF: MiFreePagesFromMdl(x,x)+E9j
		test	ecx, 801h
		jnz	loc_44ABC8
		mov	ecx, [edi+18h]
		lea	edx, [edi+1Ch]
		add	ecx, [edi+10h]
		xor	esi, esi
		and	ecx, 0FFFh
		mov	[esp+38h+var_1C], edx
		add	ecx, 0FFFh
		add	ecx, [edi+14h]
		shr	ecx, 0Ch
		test	ds:byte_70EFC4,	1
		mov	[esp+38h+var_20], ecx
		jz	short loc_44A9DD
		push	ecx
		mov	edx, 279h
		lea	ecx, [edi+1Ch]
		call	_MiLogMdlRangeEvent@12 ; MiLogMdlRangeEvent(x,x,x)
		mov	ecx, [esp+38h+var_20]
		lea	edx, [edi+1Ch]

loc_44A9DD:				; CODE XREF: MiFreePagesFromMdl(x,x)+130j
		xor	ebx, ebx
		mov	[esp+38h+var_29+1], 1
		test	ecx, ecx
		jz	loc_44AB8D

loc_44A9EF:				; CODE XREF: MiFreePagesFromMdl(x,x)+2D9j
		mov	eax, [edx]
		mov	[esp+38h+var_C], eax
		imul	eax, 1Ch
		mov	[esp+38h+var_4], edx
		add	eax, ds:_MmPfnDatabase
		mov	[esp+38h+var_24], eax
		mov	eax, [eax+18h]
		mov	[esp+38h+var_8], eax
		and	eax, offset loc_7FFFFF
		cmp	eax, 7FFFFDh
		jnz	loc_44AB80
		mov	eax, [esp+38h+var_8]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jnz	short loc_44AA63
		mov	ecx, [esp+38h+var_24]
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [esp+38h+var_24]
		mov	edx, 7FFFFFFFh
		and	dword ptr [ecx+18h], 8FFFFFFFh
		add	ecx, 10h
		lock and [ecx],	edx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lock dec dword_6D07B4
		mov	edx, [esp+38h+var_1C]
		mov	ecx, [esp+38h+var_20]

loc_44AA63:				; CODE XREF: MiFreePagesFromMdl(x,x)+195j
		test	ebx, ebx
		jnz	short loc_44AA74
		mov	[esp+38h+var_18], offset _MiSystemPartition
		jmp	loc_44AB4B
; 

loc_44AA74:				; CODE XREF: MiFreePagesFromMdl(x,x)+1CFj
		and	[esp+38h+var_8], 0
		cmp	[esp+38h+var_18], offset _MiSystemPartition
		jz	short loc_44AAA1
		mov	[esp+38h+var_8], 1

loc_44AA8B:				; CODE XREF: MiFreePagesFromMdl(x,x)+21Aj
					; MiFreePagesFromMdl(x,x)+22Bj	...
		mov	eax, [esp+38h+var_29+1]

loc_44AA8F:				; CODE XREF: MiFreePagesFromMdl(x,x)+26Dj
		cmp	eax, 1
		jnz	short loc_44AB09
		mov	eax, ebx
		mov	ecx, edx
		shl	eax, 2
		sub	ecx, eax
		mov	ecx, [ecx]
		jmp	short loc_44AB0C
; 

loc_44AAA1:				; CODE XREF: MiFreePagesFromMdl(x,x)+1EBj
		mov	ecx, [esp+38h+var_24]
		call	MiIsPfnEnclave
		mov	edx, [esp+38h+var_1C]
		test	eax, eax
		jnz	short loc_44AA8B
		mov	eax, [esp+38h+var_24]
		movzx	eax, byte ptr [eax+16h]
		shr	eax, 6
		cmp	eax, [esp+38h+var_14]
		jnz	short loc_44AA8B
		mov	ecx, [edx-4]
		mov	eax, [edx]
		mov	[esp+38h+var_C], eax
		lea	eax, [ecx+1]
		cmp	[esp+38h+var_C], eax
		jnz	short loc_44AAEF
		cmp	ebx, 1
		jz	short loc_44AAE1
		cmp	[esp+38h+var_29+1], 1
		jnz	short loc_44AB09

loc_44AAE1:				; CODE XREF: MiFreePagesFromMdl(x,x)+242j
		xor	eax, eax
		inc	eax

loc_44AAE4:				; CODE XREF: MiFreePagesFromMdl(x,x)+271j
		mov	ecx, [esp+38h+var_20]
		inc	ebx
		mov	[esp+38h+var_29+1], eax
		jmp	short loc_44AB61
; 

loc_44AAEF:				; CODE XREF: MiFreePagesFromMdl(x,x)+23Dj
		lea	eax, [ecx-1]
		cmp	[esp+38h+var_C], eax
		jnz	short loc_44AA8B
		cmp	ebx, 1
		jz	short loc_44AB05
		mov	eax, [esp+38h+var_29+1]
		test	eax, eax
		jnz	short loc_44AA8F

loc_44AB05:				; CODE XREF: MiFreePagesFromMdl(x,x)+265j
		xor	eax, eax
		jmp	short loc_44AAE4
; 

loc_44AB09:				; CODE XREF: MiFreePagesFromMdl(x,x)+1FCj
					; MiFreePagesFromMdl(x,x)+249j
		mov	ecx, [edx-4]

loc_44AB0C:				; CODE XREF: MiFreePagesFromMdl(x,x)+209j
		push	[esp+38h+var_10]
		mov	edx, ebx
		call	_MiFreeMdlPageRun@12 ; MiFreeMdlPageRun(x,x,x)
		add	esi, eax
		cmp	[esp+38h+var_8], 0
		jz	short loc_44AB43
		test	esi, esi
		jz	short loc_44AB3B
		cmp	[esp+38h+var_18], offset _MiSystemPartition
		jnz	short loc_44AB39
		neg	esi
		mov	eax, offset dword_6D3620
		lock xadd [eax], esi

loc_44AB39:				; CODE XREF: MiFreePagesFromMdl(x,x)+296j
		xor	esi, esi

loc_44AB3B:				; CODE XREF: MiFreePagesFromMdl(x,x)+28Cj
		mov	[esp+38h+var_18], offset _MiSystemPartition

loc_44AB43:				; CODE XREF: MiFreePagesFromMdl(x,x)+288j
		mov	edx, [esp+38h+var_1C]
		mov	ecx, [esp+38h+var_20]

loc_44AB4B:				; CODE XREF: MiFreePagesFromMdl(x,x)+1D9j
		mov	eax, [esp+38h+var_24]
		xor	ebx, ebx
		inc	ebx
		movzx	eax, byte ptr [eax+16h]
		shr	eax, 6
		mov	[esp+38h+var_14], eax
		mov	eax, [esp+38h+var_29+1]

loc_44AB61:				; CODE XREF: MiFreePagesFromMdl(x,x)+257j
		dec	ecx
		add	edx, 4
		mov	[esp+38h+var_20], ecx
		mov	[esp+38h+var_1C], edx
		test	ecx, ecx
		jnz	loc_44A9EF
		cmp	eax, 1
		jz	short loc_44AB8D
		mov	ecx, [esp+38h+var_4]
		jmp	short loc_44AB96
; 

loc_44AB80:				; CODE XREF: MiFreePagesFromMdl(x,x)+181j
		push	[esp+38h+var_C]
		push	edx
		push	edi
		push	1236h
		jmp	short loc_44ABD4
; 

loc_44AB8D:				; CODE XREF: MiFreePagesFromMdl(x,x)+153j
					; MiFreePagesFromMdl(x,x)+2E2j
		mov	eax, ebx
		mov	ecx, edx
		shl	eax, 2
		sub	ecx, eax

loc_44AB96:				; CODE XREF: MiFreePagesFromMdl(x,x)+2E8j
		push	[esp+38h+var_10]
		mov	ecx, [ecx]
		mov	edx, ebx
		call	_MiFreeMdlPageRun@12 ; MiFreeMdlPageRun(x,x,x)
		add	esi, eax
		jz	short loc_44ABBC
		cmp	[esp+38h+var_18], offset _MiSystemPartition
		jnz	short loc_44ABBC
		neg	esi
		mov	eax, offset dword_6D3620
		lock xadd [eax], esi

loc_44ABBC:				; CODE XREF: MiFreePagesFromMdl(x,x)+30Fj
					; MiFreePagesFromMdl(x,x)+319j
		and	word ptr [edi+6], 0FFFDh
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_44ABC8:				; CODE XREF: MiFreePagesFromMdl(x,x)+FEj
		push	0
		movsx	eax, cx
		push	eax
		push	edi
		push	1238h

loc_44ABD4:				; CODE XREF: MiFreePagesFromMdl(x,x)+2F5j
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MiFreePagesFromMdl@8 endp


;  S U B	R O U T	I N E 


MiIsPfnEnclave	proc near		; CODE XREF: MiFreePagesFromMdl(x,x)+20Fp
					; MiFreeSmallPageFromMdl(x,x):loc_44AD38p ...

; FUNCTION CHUNK AT 005AEB64 SIZE 00000052 BYTES

		mov	edi, edi
		push	esi
		mov	esi, dword_6D3580
		test	esi, esi
		jnz	loc_5AEB64

loc_44ABED:				; CODE XREF: MiIsPfnEnclave+163F95j
					; MiIsPfnEnclave+163FC8j ...
		xor	eax, eax
		pop	esi
		retn
MiIsPfnEnclave	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeMdlPageRun(x,	x, x)
_MiFreeMdlPageRun@12 proc near		; CODE XREF: MiFreePagesFromMdl(x,x)+27Cp
					; MiFreePagesFromMdl(x,x)+308p	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		or	[ebp+var_C], 0FFFFFFFFh
		and	eax, 1
		push	ebx
		push	esi
		add	eax, 6
		mov	esi, edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], eax
		mov	ebx, ecx
		mov	[ebp+var_4], edi
		jmp	loc_44ACB0
; 

loc_44AC1B:				; CODE XREF: MiFreeMdlPageRun(x,x,x)+C0j
		test	bl, 0Fh
		jnz	short loc_44AC76
		xor	edi, edi
		xor	eax, eax
		mov	[ebp+var_8], eax

loc_44AC27:				; CODE XREF: MiFreeMdlPageRun(x,x,x)+63j
		mov	ecx, ds:_MiLargePageSizes[eax]
		mov	[ebp+var_14], ecx
		lea	eax, [ecx-1]
		test	eax, ebx
		jnz	short loc_44AC48
		cmp	esi, ecx
		jb	short loc_44AC48
		mov	edx, edi
		mov	ecx, ebx
		call	_MiResidentPageDangleFree@8 ; MiResidentPageDangleFree(x,x)
		test	eax, eax
		jnz	short loc_44AC59

loc_44AC48:				; CODE XREF: MiFreeMdlPageRun(x,x,x)+43j
					; MiFreeMdlPageRun(x,x,x)+47j
		mov	eax, [ebp+var_8]
		inc	edi
		add	eax, 4
		mov	[ebp+var_8], eax
		cmp	eax, 8
		jb	short loc_44AC27
		jmp	short loc_44AC73
; 

loc_44AC59:				; CODE XREF: MiFreeMdlPageRun(x,x,x)+54j
		push	[ebp+var_10]
		mov	edx, edi
		mov	ecx, ebx
		call	_MiFreeLargePageMemory@12 ; MiFreeLargePageMemory(x,x,x)
		add	[ebp+var_4], eax
		add	ebx, [ebp+var_14]
		sub	esi, [ebp+var_14]
		cmp	edi, 2
		jb	short loc_44ACAD

loc_44AC73:				; CODE XREF: MiFreeMdlPageRun(x,x,x)+65j
		mov	edi, [ebp+var_4]

loc_44AC76:				; CODE XREF: MiFreeMdlPageRun(x,x,x)+2Cj
		mov	eax, ebx
		and	eax, 0FFFFFE00h
		cmp	[ebp+var_C], eax
		jz	short loc_44AC9A
		push	0
		push	0
		push	200h
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	ecx, offset _MiSystemPartition
		call	MiUpdateLargePageBitMap

loc_44AC9A:				; CODE XREF: MiFreeMdlPageRun(x,x,x)+8Ej
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_MiFreeSmallPageFromMdl@8 ; MiFreeSmallPageFromMdl(x,x)
		add	edi, eax
		inc	ebx
		mov	[ebp+var_4], edi
		dec	esi
		jmp	short loc_44ACB0
; 

loc_44ACAD:				; CODE XREF: MiFreeMdlPageRun(x,x,x)+7Fj
		mov	edi, [ebp+var_4]

loc_44ACB0:				; CODE XREF: MiFreeMdlPageRun(x,x,x)+24j
					; MiFreeMdlPageRun(x,x,x)+B9j
		test	esi, esi
		jnz	loc_44AC1B
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiFreeMdlPageRun@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeSmallPageFromMdl(x, x)
_MiFreeSmallPageFromMdl@8 proc near	; CODE XREF: MiFreeMdlPageRun(x,x,x)+ADp

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_C], edx
		push	esi
		imul	esi, eax, 1Ch
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_10], eax
		inc	ebx
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		mov	[ebp+var_8], esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp+var_1], al
		lea	edi, [ebp+var_1C]
		xor	eax, eax
		stosd
		stosd
		stosd
		mov	eax, 0FFFEh
		lea	edi, [esi+10h]
		and	dword ptr [edi], 0C0000000h
		add	[esi+14h], ax
		jnz	short loc_44AD58
		mov	ecx, esi
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jz	short loc_44AD19
		xor	esi, esi
		jmp	short loc_44AD29
; 

loc_44AD19:				; CODE XREF: MiFreeSmallPageFromMdl(x,x)+51j
		mov	al, [esi+17h]
		and	al, 40h
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		not	esi
		and	esi, ebx

loc_44AD29:				; CODE XREF: MiFreeSmallPageFromMdl(x,x)+55j
		test	byte ptr [ebp+var_C], 1
		mov	ecx, [ebp+var_8]
		jz	short loc_44AD38
		and	byte ptr [ecx+16h], 0EFh
		jmp	short loc_44AD4C
; 

loc_44AD38:				; CODE XREF: MiFreeSmallPageFromMdl(x,x)+6Ej
		call	MiIsPfnEnclave
		mov	ebx, eax
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 0FEh
		add	ebx, 2

loc_44AD4C:				; CODE XREF: MiFreeSmallPageFromMdl(x,x)+74j
		mov	ecx, [ebp+var_10]
		mov	edx, ebx
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		jmp	short loc_44AD64
; 

loc_44AD58:				; CODE XREF: MiFreeSmallPageFromMdl(x,x)+46j
		or	byte ptr [esi+16h], 7
		or	dword ptr [edi], 40000000h
		xor	esi, esi

loc_44AD64:				; CODE XREF: MiFreeSmallPageFromMdl(x,x)+94j
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_44AD85
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	_MiFreeLargePageCharges@8 ; MiFreeLargePageCharges(x,x)

loc_44AD85:				; CODE XREF: MiFreeSmallPageFromMdl(x,x)+B5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_MiFreeSmallPageFromMdl@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSplitPrivatePage(x, x, x)
_MiSplitPrivatePage@12 proc near	; CODE XREF: MiCopyToCfgBitMap+FAp

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_52		= byte ptr -52h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		push	ebx
		push	esi
		mov	esi, edx
		mov	edx, ecx
		mov	ecx, large fs:124h
		push	edi
		mov	[esp+0C0h+var_90], ecx
		mov	[esp+0C0h+var_94], esi
		mov	edi, [ecx+80h]
		mov	ecx, esi
		mov	[esp+0C0h+var_A4], edx
		mov	[esp+0C0h+var_B4], edi
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		mov	ecx, [esi+2Ch]
		mov	ebx, edx
		shr	ebx, 9
		mov	edx, 1
		and	ebx, offset loc_7FFFF8
		mov	[esp+0C0h+var_6C], ecx
		sub	ebx, 40000000h
		mov	[esp+0C0h+var_80], eax
		mov	ecx, edi
		mov	[esp+0C0h+var_B0], ebx
		call	MiChargeFullProcessCommitment
		mov	esi, [esi+1Ch]
		xor	edi, edi
		mov	ecx, [esp+0C0h+var_B4]
		mov	[esp+0C0h+var_A8], eax
		xor	eax, eax
		shr	esi, 0Ch
		mov	[esp+0C0h+var_A0], edi
		and	esi, 3Fh
		lea	ecx, [ecx+240h]
		mov	[esp+0C0h+var_8C], edi
		mov	[esp+0C0h+var_7C], eax
		call	MiLockWorkingSetShared
		mov	byte ptr [esp+0C0h+var_AC], al

loc_44AE33:				; CODE XREF: MiSplitPrivatePage(x,x,x)+3D3j
					; MiSplitPrivatePage(x,x,x)+46Ej ...
		cmp	[esp+0C0h+var_80], 0
		jz	loc_44AFCF
		push	4Ch		; size_t
		lea	eax, [esp+0C4h+var_58]
		mov	[esp+0C4h+var_68], 0
		push	0		; int
		push	eax		; void *
		mov	[esp+0CCh+var_64], 0
		call	_memset
		mov	edx, ebx
		mov	eax, 861h
		shl	edx, 9
		add	esp, 0Ch
		mov	word ptr [esp+0C0h+var_58], ax
		mov	eax, edx
		cmp	edx, 0C0000000h
		jb	short loc_44AE89

loc_44AE78:				; CODE XREF: MiSplitPrivatePage(x,x,x)+F7j
		cmp	eax, 0C07FFFFFh
		ja	short loc_44AE89
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	short loc_44AE78

loc_44AE89:				; CODE XREF: MiSplitPrivatePage(x,x,x)+E6j
					; MiSplitPrivatePage(x,x,x)+EDj
		cmp	eax, dword_6D07D0
		jb	short loc_44AEAF
		cmp	eax, dword_6D2E88
		jb	short loc_44AEA1
		cmp	eax, dword_6D2E8C
		jbe	short loc_44AEAF

loc_44AEA1:				; CODE XREF: MiSplitPrivatePage(x,x,x)+107j
		mov	ecx, 1
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	ecx, eax
		jmp	short loc_44AEC1
; 

loc_44AEAF:				; CODE XREF: MiSplitPrivatePage(x,x,x)+FFj
					; MiSplitPrivatePage(x,x,x)+10Fj
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		add	ecx, 240h

loc_44AEC1:				; CODE XREF: MiSplitPrivatePage(x,x,x)+11Dj
		mov	eax, 865h
		mov	[esp+0C0h+var_48], ecx
		mov	word ptr [esp+0C0h+var_58], ax
		lea	ecx, [esp+0C0h+var_58]
		lea	eax, [esp+0C0h+var_68]
		mov	[esp+0C0h+var_4C], 0
		mov	[esp+0C0h+var_10], eax
		mov	al, byte ptr [esp+0C0h+var_58+2]
		and	al, 0E7h
		mov	[esp+0C0h+var_14], offset _MiGetNextPageTableTail@4 ; MiGetNextPageTableTail(x)
		or	al, 4
		mov	[esp+0C0h+var_44], edx
		mov	byte ptr [esp+0C0h+var_58+2], al
		mov	al, byte ptr [esp+0C0h+var_AC]
		mov	[esp+0C0h+var_52], al
		mov	[esp+0C0h+var_40], edx
		call	MiWalkPageTables
		mov	eax, [esp+0C0h+var_64]
		test	eax, eax
		jz	short loc_44AF2E
		mov	edi, eax
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h

loc_44AF2E:				; CODE XREF: MiSplitPrivatePage(x,x,x)+18Bj
		cmp	ebx, eax
		jz	loc_44AFDF
		test	edi, edi
		jz	short loc_44AF4D
		mov	edx, edi
		mov	edi, [esp+0C0h+var_B4]
		lea	ecx, [edi+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	short loc_44AF51
; 

loc_44AF4D:				; CODE XREF: MiSplitPrivatePage(x,x,x)+1A8j
		mov	edi, [esp+0C0h+var_B4]

loc_44AF51:				; CODE XREF: MiSplitPrivatePage(x,x,x)+1BBj
		mov	dl, byte ptr [esp+0C0h+var_AC]
		lea	ecx, [edi+240h]
		call	MiUnlockWorkingSetShared
		mov	eax, [esp+0C0h+var_A8]
		test	eax, eax
		js	loc_44B375
		mov	eax, [esp+0C0h+var_90]
		mov	[esp+0C0h+var_7C], 1
		dec	word ptr [eax+13Eh]
		nop
		add	edi, 138h
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esp+0C0h+var_A4]
		mov	edx, eax
		mov	ecx, [esp+0C0h+var_94]
		push	eax
		call	_MiCommitPageTablesForVad@12 ; MiCommitPageTablesForVad(x,x,x)
		mov	[esp+0C0h+var_88], eax
		test	eax, eax
		js	loc_44B21C
		mov	ecx, [esp+0C0h+var_B4]
		mov	edi, ebx
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		lea	ecx, [ecx+240h]
		call	MiLockWorkingSetShared
		mov	byte ptr [esp+0C0h+var_AC], al

loc_44AFCF:				; CODE XREF: MiSplitPrivatePage(x,x,x)+A8j
		push	0
		push	[esp+0C4h+var_AC]
		xor	edx, edx
		mov	ecx, ebx
		push	esi
		call	MiMakeSystemAddressValid

loc_44AFDF:				; CODE XREF: MiSplitPrivatePage(x,x,x)+1A0j
		mov	edx, [esp+0C0h+var_A4]
		lea	eax, [esp+0C0h+var_6C]
		mov	ecx, [esp+0C0h+var_94]
		push	eax
		push	0
		shr	edx, 0Ch
		call	MiGetProtoPteAddress
		mov	ebx, [ebx]
		mov	[esp+0C0h+var_9C], eax
		nop
		mov	edx, [esp+0C0h+var_B0]
		mov	ecx, ebx
		mov	edx, [edx+4]
		or	ecx, edx
		mov	[esp+0C0h+var_98], edx
		jnz	loc_44B0A4
		cmp	[esp+0C0h+var_A8], ecx
		jl	loc_44B270
		mov	eax, large fs:124h
		mov	edx, 1
		mov	ecx, [esp+0C0h+var_A4]
		shr	ecx, 15h
		add	ecx, 0C8h
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		lea	ecx, [eax+ecx*2]
		call	_MiIncreaseUsedPtesCount@8 ; MiIncreaseUsedPtesCount(x,x)
		cmp	[esp+0C0h+var_80], 0
		jz	short loc_44B082
		mov	eax, [esp+0C0h+var_9C]
		test	eax, eax
		jz	loc_44B2B3
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	ecx, [eax-40000000h]
		nop
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	short loc_44B082
		and	ecx, 3E0h
		or	ecx, eax
		jz	loc_44B2B3

loc_44B082:				; CODE XREF: MiSplitPrivatePage(x,x,x)+2BDj
					; MiSplitPrivatePage(x,x,x)+2E2j
		mov	ecx, 1
		call	_MiMakePrototypePteVadLookup@4 ; MiMakePrototypePteVadLookup(x)
		mov	ebx, eax
		mov	[esp+0C0h+var_5C], edx
		mov	eax, [esp+0C0h+var_B0]
		mov	[esp+0C0h+var_60], ebx
		mov	[esp+0C0h+var_98], edx
		mov	[eax], ebx
		nop
		mov	[eax+4], edx

loc_44B0A4:				; CODE XREF: MiSplitPrivatePage(x,x,x)+27Cj
		mov	ecx, ebx
		and	ecx, 1
		or	ecx, 0
		jz	loc_44B168
		nop
		mov	eax, ds:_MmPfnDatabase
		shrd	ebx, edx, 0Ch
		and	ebx, 1FFFFFFh
		lea	ecx, ds:0[ebx*8]
		sub	ecx, ebx
		lea	ecx, [eax+ecx*4]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_44B304
		mov	eax, [ecx+4]
		or	eax, 80000000h
		cmp	eax, [esp+0C0h+var_9C]
		jnz	loc_44B304
		cmp	[esp+0C0h+var_A8], 0
		jl	loc_44B270
		mov	ebx, [esp+0C0h+var_B0]
		mov	edx, ebx
		mov	ecx, [esp+0C0h+var_A4]
		push	0
		push	0FFFFFFFFh
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		mov	[esp+0C0h+var_88], eax
		test	eax, eax
		jns	loc_44B2BF
		test	edi, edi
		jz	short loc_44B12E
		mov	ecx, [esp+0C0h+var_B4]
		mov	edx, edi
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	edi, edi

loc_44B12E:				; CODE XREF: MiSplitPrivatePage(x,x,x)+389j
		mov	ecx, [esp+0C0h+var_B4]
		mov	dl, byte ptr [esp+0C0h+var_AC]
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetShared
		mov	ecx, [esp+0C0h+var_B4]
		mov	edx, [esp+0C0h+var_88]
		lea	ecx, [ecx+240h]
		call	MiCopyOnWriteCheckConditions
		mov	ecx, [esp+0C0h+var_B4]
		lea	ecx, [ecx+240h]
		call	MiLockWorkingSetShared
		jmp	loc_44AE33
; 

loc_44B168:				; CODE XREF: MiSplitPrivatePage(x,x,x)+31Cj
		mov	eax, ebx
		and	eax, 400h
		or	eax, 0
		jz	loc_44B304
		push	edx
		push	ebx
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jnz	short loc_44B1CE
		mov	eax, dword_6D0704
		mov	edx, dword_6D0700
		mov	ecx, [esp+0C0h+var_98]
		mov	[esp+0C0h+var_78], eax
		mov	eax, edx
		or	eax, [esp+0C0h+var_78]
		mov	[esp+0C0h+var_88], ecx
		jz	short loc_44B1C4
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_44B1C0
		mov	ecx, [esp+0C0h+var_78]
		not	edx
		and	edx, ebx
		not	ecx
		and	ecx, [esp+0C0h+var_88]
		mov	[esp+0C0h+var_78], edx
		jmp	short loc_44B1C4
; 

loc_44B1C0:				; CODE XREF: MiSplitPrivatePage(x,x,x)+41Aj
		mov	[esp+0C0h+var_78], ebx

loc_44B1C4:				; CODE XREF: MiSplitPrivatePage(x,x,x)+410j
					; MiSplitPrivatePage(x,x,x)+42Ej
		cmp	ecx, [esp+0C0h+var_9C]
		jnz	loc_44B304

loc_44B1CE:				; CODE XREF: MiSplitPrivatePage(x,x,x)+3F1j
		push	[esp+0C0h+var_AC]
		mov	ecx, [esp+0C4h+var_B0]
		mov	edx, 18h
		call	MiMakeProtoLeafValid
		test	eax, eax
		jns	short loc_44B1F8
		mov	ecx, [esp+0C0h+var_B0]
		mov	eax, [ecx]
		nop
		mov	ecx, [ecx+4]
		cmp	ebx, eax
		jnz	short loc_44B1F8
		cmp	[esp+0C0h+var_98], ecx
		jz	short loc_44B269

loc_44B1F8:				; CODE XREF: MiSplitPrivatePage(x,x,x)+452j
					; MiSplitPrivatePage(x,x,x)+460j
		mov	ebx, [esp+0C0h+var_B0]
		test	edi, edi
		jz	loc_44AE33
		mov	ecx, [esp+0C0h+var_B4]
		mov	edx, edi
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	edi, edi
		jmp	loc_44AE33
; 

loc_44B21C:				; CODE XREF: MiSplitPrivatePage(x,x,x)+215j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_44B230
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_44B230:				; CODE XREF: MiSplitPrivatePage(x,x,x)+497j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [esp+0C0h+var_90]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [esp+0C0h+var_B4]
		mov	edx, 1
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)
		mov	eax, [esp+0C0h+var_88]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+0B4h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_44B269:				; CODE XREF: MiSplitPrivatePage(x,x,x)+466j
		cmp	[esp+0C0h+var_A8], 0
		jge	short loc_44B2B3

loc_44B270:				; CODE XREF: MiSplitPrivatePage(x,x,x)+286j
					; MiSplitPrivatePage(x,x,x)+362j
		test	edi, edi
		jz	short loc_44B285
		mov	ecx, [esp+0C0h+var_B4]
		mov	edx, edi
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_44B285:				; CODE XREF: MiSplitPrivatePage(x,x,x)+4E2j
		mov	ecx, [esp+0C0h+var_B4]
		mov	dl, byte ptr [esp+0C0h+var_AC]
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetShared
		mov	eax, [esp+0C0h+var_A8]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+0B4h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_44B2B3:				; CODE XREF: MiSplitPrivatePage(x,x,x)+2C5j
					; MiSplitPrivatePage(x,x,x)+2ECj ...
		mov	ebx, [esp+0C0h+var_B0]
		mov	[esp+0C0h+var_A0], 1

loc_44B2BF:				; CODE XREF: MiSplitPrivatePage(x,x,x)+381j
		mov	edx, [esp+0C0h+var_94]
		mov	[esp+0C0h+var_8C], 1
		mov	eax, [edx+20h]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 7FFFFFFFh
		xor	ecx, eax
		cmp	[esp+0C0h+var_A0], 1
		mov	[edx+20h], ecx
		jnz	short loc_44B304
		push	0
		push	20h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[esp+0C0h+var_60], eax
		mov	[esp+0C0h+var_5C], edx
		mov	[ebx], eax
		nop
		mov	[ebx+4], edx
		mov	[esp+0C0h+var_8C], 1

loc_44B304:				; CODE XREF: MiSplitPrivatePage(x,x,x)+345j
					; MiSplitPrivatePage(x,x,x)+357j ...
		mov	ebx, [esp+0C0h+var_B4]
		test	edi, edi
		jz	short loc_44B319
		mov	edx, edi
		lea	ecx, [ebx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_44B319:				; CODE XREF: MiSplitPrivatePage(x,x,x)+57Aj
		mov	dl, byte ptr [esp+0C0h+var_AC]
		lea	ecx, [ebx+240h]
		call	MiUnlockWorkingSetShared
		cmp	[esp+0C0h+var_7C], 1
		jnz	short loc_44B359
		lea	esi, [ebx+138h]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_44B349
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_44B349:				; CODE XREF: MiSplitPrivatePage(x,x,x)+5B0j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [esp+0C0h+var_90]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_44B359:				; CODE XREF: MiSplitPrivatePage(x,x,x)+59Dj
		cmp	[esp+0C0h+var_8C], 0
		jnz	short loc_44B373
		cmp	[esp+0C0h+var_A8], 0
		jl	short loc_44B373
		mov	edx, 1
		mov	ecx, ebx
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)

loc_44B373:				; CODE XREF: MiSplitPrivatePage(x,x,x)+5CEj
					; MiSplitPrivatePage(x,x,x)+5D5j
		xor	eax, eax

loc_44B375:				; CODE XREF: MiSplitPrivatePage(x,x,x)+1D6j
		mov	ecx, [esp+0C0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_MiSplitPrivatePage@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiCopyToUserVa(void *,size_t)
_MiCopyToUserVa@16 proc	near		; CODE XREF: MiCopyToCfgBitMap+114p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A10A0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 40h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_30], ecx
		mov	eax, large fs:124h
		mov	edi, [eax+80h]
		mov	[ebp+var_38], edi
		mov	[ebp+var_3C], edi
		add	edi, 240h
		mov	[ebp+var_2C], edi
		mov	ebx, ecx
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		sub	ebx, 40000000h
		mov	[ebp+var_24], ebx
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_4], eax
		mov	al, [ecx]
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [edx+1Ch]
		shr	esi, 0Ch
		and	esi, 3Fh
		mov	ecx, edi
		call	MiLockWorkingSetShared

loc_44B418:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+F5j
					; MiCopyToUserVa(x,x,x,x)+1E8j
		mov	byte ptr [ebp+var_1C], al
		jmp	short loc_44B420
; 
		align 10h

loc_44B420:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+8Bj
					; MiCopyToUserVa(x,x,x,x)+267j
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_28], eax
		push	0
		push	[ebp+var_1C]
		push	esi
		xor	edx, edx
		mov	ecx, ebx
		call	MiMakeSystemAddressValid
		mov	ebx, [ebx]
		nop
		mov	eax, [ebp+var_24]
		mov	ecx, [eax+4]
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jnz	short loc_44B4AC
		mov	edx, [ebp+var_28]
		mov	ecx, edi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		mov	dl, byte ptr [ebp+var_1C]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_30]
		mov	al, [eax]
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, edi
		call	MiLockWorkingSetShared
		mov	ebx, [ebp+var_24]
		jmp	short loc_44B418
; 

loc_44B487:				; DATA XREF: .text:006A10C0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		mov	eax, 1
		retn
; 

loc_44B497:				; DATA XREF: .text:006A10C4o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-44h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-3Ch]
		jmp	loc_44B74B
; 

loc_44B4AC:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+C2j
		nop
		shrd	ebx, ecx, 0Ch
		and	ebx, 1FFFFFFh
		lea	ecx, ds:0[ebx*8]
		sub	ecx, ebx
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+ecx*4]
		mov	[ebp+var_34], ecx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_44B5FC
		xor	edi, edi
		test	dword ptr [ecx+18h], 800000h
		jnz	short loc_44B4F0
		mov	eax, [ecx+4]
		test	eax, eax
		js	short loc_44B4F0
		jnz	loc_44B57F

loc_44B4F0:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+151j
					; MiCopyToUserVa(x,x,x,x)+158j
		mov	ebx, [ebp+var_38]
		cmp	[ebx+148h], edi
		jz	loc_44B57F
		mov	edx, [ecx+4]
		or	edx, 80000000h
		mov	ecx, ebx
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_44B57F
		mov	ecx, [ebx+24Ch]
		mov	eax, [ecx+8Ch]
		cmp	eax, [edi+2Ch]
		jb	short loc_44B57D
		ja	short loc_44B533
		mov	eax, [ecx+88h]
		cmp	eax, [edi+28h]
		jbe	short loc_44B57D

loc_44B533:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+196j
		cmp	[ebp+var_20], 0
		jnz	short loc_44B57F
		mov	edx, [ebp+var_28]
		mov	edi, [ebp+var_2C]
		mov	ecx, edi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		mov	dl, byte ptr [ebp+var_1C]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	edx, 1
		mov	ecx, ebx
		call	MiChargeFullProcessCommitment
		mov	[ebp+var_34], eax
		test	eax, eax
		js	loc_44B748
		mov	[ebp+var_20], 1
		mov	ecx, edi
		call	MiLockWorkingSetShared
		mov	ebx, [ebp+var_24]
		jmp	loc_44B418
; 

loc_44B57D:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+194j
					; MiCopyToUserVa(x,x,x,x)+1A1j
		xor	edi, edi

loc_44B57F:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+15Aj
					; MiCopyToUserVa(x,x,x,x)+169j	...
		push	0
		push	0FFFFFFFFh
		mov	ebx, [ebp+var_24]
		mov	edx, ebx
		mov	ecx, [ebp+var_30]
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		mov	[ebp+var_34], eax
		test	eax, eax
		js	short loc_44B5CF
		mov	ebx, [ebx]
		nop
		mov	eax, [ebp+var_24]
		mov	eax, [eax+4]
		nop
		shrd	ebx, eax, 0Ch
		and	ebx, 1FFFFFFh
		lea	ecx, ds:0[ebx*8]
		sub	ecx, ebx
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_34], eax
		neg	edi
		sbb	edi, edi
		not	edi
		and	edi, [ebp+var_20]
		mov	esi, edi
		mov	edi, [ebp+var_2C]
		jmp	short loc_44B5FF
; 

loc_44B5CF:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+205j
		mov	edx, [ebp+var_28]
		mov	edi, [ebp+var_2C]
		mov	ecx, edi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		mov	dl, byte ptr [ebp+var_1C]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	edx, [ebp+var_34]
		mov	ecx, edi
		call	MiCopyOnWriteCheckConditions
		mov	ecx, edi
		call	MiLockWorkingSetShared
		jmp	loc_44B420
; 

loc_44B5FC:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+142j
		mov	esi, [ebp+var_20]

loc_44B5FF:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+23Dj
		mov	ecx, 1
		call	_MiReserveLowPrioritySystemPtes@4 ; MiReserveLowPrioritySystemPtes(x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	short loc_44B625
		push	80000000h
		xor	edx, edx
		mov	ecx, ebx
		call	MiMapPageInHyperSpaceWorker
		mov	ebx, eax
		jmp	loc_44B6C2
; 

loc_44B625:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+27Ej
		mov	ecx, eax
		shl	ecx, 9
		mov	[ebp+var_24], ecx
		push	0A0000004h
		mov	edx, ebx
		mov	ecx, eax
		call	MiMakeValidPte
		mov	ebx, eax
		mov	[ebp+var_3C], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], edx
		mov	ecx, [ebp+var_20]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_44B6AC
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_44B684
		mov	eax, 1
		mov	[ebp+var_2C], eax
		cmp	byte ptr word_6D07B8+1,	0
		jnz	short loc_44B6AE
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		mov	eax, [ebp+var_2C]
		jz	short loc_44B6AE
		or	edx, 80000000h
		jmp	short loc_44B6AE
; 

loc_44B684:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+2CCj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_44B6AC
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	short loc_44B6AC
		or	edx, 80000000h

loc_44B6AC:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+2C3j
					; MiCopyToUserVa(x,x,x,x)+30Aj	...
		xor	eax, eax

loc_44B6AE:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+2DDj
					; MiCopyToUserVa(x,x,x,x)+2EAj	...
		mov	[ecx+4], edx
		nop
		mov	[ecx], ebx
		test	eax, eax
		jz	short loc_44B6BF
		push	edx
		push	ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_44B6BF:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+326j
		mov	ebx, [ebp+var_24]

loc_44B6C2:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+290j
		push	[ebp+arg_4]	; size_t
		push	[ebp+arg_0]	; void *
		mov	eax, [ebp+var_30]
		and	eax, 0FFFh
		add	eax, ebx
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, [ebp+var_20]
		test	edx, edx
		jnz	short loc_44B6F2
		push	80000000h
		mov	dl, 21h
		mov	ecx, ebx
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		jmp	short loc_44B6FE
; 

loc_44B6F2:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+350j
		push	1
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_44B6FE:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+360j
		mov	edx, 1
		mov	ecx, [ebp+var_34]
		call	MiLockPageAndSetDirty
		mov	edx, [ebp+var_28]
		mov	ecx, edi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		mov	dl, byte ptr [ebp+var_1C]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		xor	edi, edi
		mov	ebx, [ebp+var_38]
		jmp	short loc_44B74E
; 

loc_44B726:				; DATA XREF: .text:006A10B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		mov	eax, 1
		retn
; 

loc_44B736:				; DATA XREF: .text:006A10B8o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-48h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-3Ch]
		jmp	short loc_44B74B
; 

loc_44B748:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+1D1j
		mov	edi, [ebp+var_34]

loc_44B74B:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+117j
					; MiCopyToUserVa(x,x,x,x)+3B6j
		mov	esi, [ebp+var_20]

loc_44B74E:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+394j
		test	esi, esi
		jz	short loc_44B75E
		mov	edx, 1
		mov	ecx, ebx
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)

loc_44B75E:				; CODE XREF: MiCopyToUserVa(x,x,x,x)+3C0j
		mov	eax, edi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_MiCopyToUserVa@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockPageAndSetDirty proc near		; CODE XREF: MiIssueHardFault(x,x)+450p
					; MiMakePteClean+64p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AEBB6 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		mov	[esp+18h+var_4], ebx
		lea	esi, [ebx+10h]
		cmp	edx, 1
		jnz	short loc_44B7E6
		mov	bl, 21h
		mov	[esp+18h+var_8], edi

loc_44B798:				; CODE XREF: MiLockPageAndSetDirty+163451j
		lock bts dword ptr [esi], 1Fh
		jb	loc_5AEBB6

loc_44B7A3:				; CODE XREF: MiLockPageAndSetDirty+79j
		mov	ecx, [esp+18h+var_4]
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	ecx, eax
		mov	[esp+18h+var_4], eax
		or	ecx, edx
		jnz	short loc_44B7CE

loc_44B7B6:				; CODE XREF: MiLockPageAndSetDirty+5Fj
		mov	ecx, 7FFFFFFFh
		lock and [esi],	ecx
		or	eax, edx
		jnz	short loc_44B7D5

loc_44B7C2:				; CODE XREF: MiLockPageAndSetDirty+70j
		cmp	bl, 21h
		jnz	short loc_44B7EF

loc_44B7C7:				; CODE XREF: MiLockPageAndSetDirty+83j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_44B7CE:				; CODE XREF: MiLockPageAndSetDirty+40j
		mov	edi, offset _MiSystemPartition
		jmp	short loc_44B7B6
; 

loc_44B7D5:				; CODE XREF: MiLockPageAndSetDirty+4Cj
		push	edx
		push	[esp+1Ch+var_4]
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	MiReleasePageFileInfo
		jmp	short loc_44B7C2
; 

loc_44B7E6:				; CODE XREF: MiLockPageAndSetDirty+1Cj
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	bl, al
		jmp	short loc_44B7A3
; 

loc_44B7EF:				; CODE XREF: MiLockPageAndSetDirty+51j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_44B7C7
MiLockPageAndSetDirty endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiCaptureDirtyBitToPfn(x)
_MiCaptureDirtyBitToPfn@4 proc near	; CODE XREF: .text:0044A68Bp
					; .text:0044A7A1p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ecx, esi
		mov	bl, [edi+16h]
		test	bl, 10h
		jz	short loc_44B815

loc_44B80D:				; CODE XREF: MiCaptureDirtyBitToPfn(x)+47j
		pop	edi
		mov	eax, esi
		mov	edx, ecx
		pop	esi
		pop	ebx
		retn
; 

loc_44B815:				; CODE XREF: MiCaptureDirtyBitToPfn(x)+11j
		mov	eax, [edi+8]
		mov	dl, bl
		and	eax, 400h
		or	eax, esi
		jnz	short loc_44B83B
		test	bl, 8
		jnz	short loc_44B83B
		xor	edx, edx
		lea	ecx, [edi+8]
		push	esi
		inc	edx
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	ecx, edx
		mov	esi, eax
		mov	dl, [edi+16h]

loc_44B83B:				; CODE XREF: MiCaptureDirtyBitToPfn(x)+27j
					; MiCaptureDirtyBitToPfn(x)+2Cj
		or	dl, 10h
		mov	[edi+16h], dl
		jmp	short loc_44B80D
_MiCaptureDirtyBitToPfn@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiTimerExpiration proc near		; CODE XREF: KiRetireDpcList+553p
					; KiTimerExpirationDpc+D3p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005AEBCA SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	[ebp+var_3C], eax
		mov	ebx, ecx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_2C], edx
		cmp	ds:_KiSerializeTimerExpiration,	0
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		stosd
		jz	loc_5AEBCA
		cmp	byte ptr [ebx+3D0h], 0
		jz	loc_44B98C
		mov	eax, ds:_KiProcessorBlock

loc_44B898:				; CODE XREF: KiTimerExpiration+16337Cj
		add	eax, 2260h
		mov	[ebp+var_40], eax
		jz	loc_44B98C
		mov	eax, [ebx+47B0h]
		mov	edi, [ebp+arg_0]
		push	0
		lea	esi, [eax+46Bh]
		inc	eax
		shl	esi, 4
		and	eax, 0Fh
		add	esi, ebx
		mov	[ebx+47B0h], eax
		mov	eax, [ebp+arg_4]
		mov	[esi], edi
		mov	[esi+4], eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[esi+8], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+0Ch], edx
		mov	esi, edi
		mov	edx, eax
		shrd	esi, edx, 12h
		shr	edx, 12h
		test	ds:dword_70EFC8, 20000h
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], edx
		jnz	loc_5AEBD1

loc_44B8FE:				; CODE XREF: KiTimerExpiration+1633C5j
		mov	edi, [ebp+var_2C]
		xor	eax, eax
		sub	esi, edi
		mov	[ebp+var_30], 0
		inc	esi
		cmp	esi, 100h
		ja	loc_44B99F

loc_44B919:				; CODE XREF: KiTimerExpiration+17Aj
		mov	eax, [ebp+arg_0]
		mov	ecx, esi
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_30], eax
		mov	eax, 100h
		sub	eax, esi
		mov	[ebp+var_34], ecx
		mov	[ebp+var_2C], edx
		cmp	eax, 18h
		jbe	short loc_44B93B
		mov	eax, 18h

loc_44B93B:				; CODE XREF: KiTimerExpiration+E4j
					; KiTimerExpiration+19Aj
		push	[ebp+var_3C]
		push	ecx
		push	edx
		push	[ebp+var_30]
		mov	edx, [ebp+var_40]
		push	eax
		push	ecx
		push	edi
		mov	ecx, ebx
		call	KiExpireTimerTable
		add	edi, [ebp+var_34]
		mov	eax, [ebp+var_2C]
		sub	esi, [ebp+var_34]
		jnz	short loc_44B9C4
		test	byte ptr [ebx+223Ch], 8
		jnz	short loc_44B98C
		mov	eax, [ebx+2248h]
		mov	dword ptr [ebx+2244h], 0
		mov	ecx, ds:_KeTimeIncrement
		cmp	eax, ecx
		jnb	loc_5AEC1A
		mov	dword ptr [ebx+2248h], 0

loc_44B98C:				; CODE XREF: KiTimerExpiration+3Dj
					; KiTimerExpiration+50j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_44B99F:				; CODE XREF: KiTimerExpiration+C3j
		mov	ecx, [ebp+var_38]
		add	ecx, 1
		adc	edx, eax
		mov	eax, esi
		shld	edx, ecx, 12h
		mov	[ebp+var_2C], edx
		mov	edx, 40000h
		mul	edx
		shl	ecx, 12h
		sub	ecx, eax
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_30], ecx
		sbb	eax, edx

loc_44B9C4:				; CODE XREF: KiTimerExpiration+109j
		cmp	esi, 100h
		jbe	loc_44B919
		add	[ebp+var_30], 4000000h
		mov	ecx, 100h
		mov	[ebp+var_34], ecx
		adc	eax, 0
		mov	[ebp+var_2C], eax
		xor	eax, eax
		mov	edx, [ebp+var_2C]
		jmp	loc_44B93B
KiTimerExpiration endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiExpireTimerTable proc	near		; CODE XREF: KiTimerExpiration+FBp

var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005AEC27 SIZE 00000096 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, edx
		mov	byte ptr [ebp+arg_0+3],	0C0h
		mov	edx, ecx
		mov	[ebp+var_4], esi
		mov	ecx, [ebp+arg_4]
		dec	ecx
		mov	[ebp+var_14], edx
		add	ecx, ebx
		mov	[ebp+arg_4], 1
		add	eax, ecx
		mov	[ebp+var_18], ecx
		xor	ecx, ecx
		mov	[ebp+var_20], eax
		dec	ebx
		mov	[ebp+var_C], ecx
		push	edi
		cmp	ds:_KiSerializeTimerExpiration,	ecx
		jz	loc_5AEC27

loc_44BA36:				; CODE XREF: KiExpireTimerTable+D4j
					; KiExpireTimerTable+163244j
		inc	ebx
		movzx	edx, bl
		mov	[ebp+arg_8], edx
		lea	eax, [edx+edx*2]
		lea	edi, [esi+eax*8]
		cmp	ecx, [ebp+var_18]
		ja	loc_5AEC39

loc_44BA4C:				; CODE XREF: KiExpireTimerTable+163255j
					; KiExpireTimerTable+163267j
		lea	esi, [edi+44h]
		cmp	esi, [esi]
		jz	short loc_44BAB4

loc_44BA53:				; CODE XREF: KiExpireTimerTable+1632A4j
		mov	[ebp+var_10], 0
		lea	esi, [edi+40h]
		lea	ecx, [ecx+0]

loc_44BA60:				; CODE XREF: KiExpireTimerTable+1DEj
		lock bts dword ptr [esi], 0
		jb	loc_44BBC0
		mov	eax, [ebp+var_4]
		lea	esi, [edi+44h]
		mov	ecx, [ebp+arg_4]
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_8], eax
		lea	ebx, [ebx+0]

loc_44BA80:				; CODE XREF: KiExpireTimerTable+15Bj
		mov	ecx, [esi]
		cmp	esi, ecx
		jz	short loc_44BAA9
		mov	eax, [ecx-4]
		add	ecx, 0FFFFFFE8h
		cmp	eax, [ebp+arg_10]
		ja	short loc_44BA9B
		jb	short loc_44BAC9
		mov	eax, [ecx+10h]
		cmp	eax, [ebp+arg_C]
		jbe	short loc_44BAC9

loc_44BA9B:				; CODE XREF: KiExpireTimerTable+9Fj
		cli
		mov	eax, [ecx+10h]
		mov	[edi+50h], eax
		mov	eax, [ecx+14h]
		mov	[edi+54h], eax
		sti

loc_44BAA9:				; CODE XREF: KiExpireTimerTable+94j
		xor	ecx, ecx
		lea	eax, [edi+40h]
		lock and [eax],	ecx

loc_44BAB1:				; CODE XREF: KiExpireTimerTable+1632AAj
		mov	ecx, [ebp+var_C]

loc_44BAB4:				; CODE XREF: KiExpireTimerTable+61j
		inc	ecx
		mov	[ebp+var_C], ecx

loc_44BAB8:				; CODE XREF: KiExpireTimerTable+16324Fj
					; KiExpireTimerTable+163261j
		cmp	ebx, [ebp+var_20]
		jz	loc_44BB56
		mov	esi, [ebp+var_4]
		jmp	loc_44BA36
; 

loc_44BAC9:				; CODE XREF: KiExpireTimerTable+A1j
					; KiExpireTimerTable+A9j
		mov	dl, byte ptr [ebp+arg_0+3]
		mov	eax, [ebp+arg_4]
		and	dl, 0FEh
		mov	byte ptr [ebp+arg_0+3],	dl
		cmp	eax, 1
		ja	short loc_44BAE1
		and	al, 1
		or	dl, al
		mov	byte ptr [ebp+arg_0+3],	dl

loc_44BAE1:				; CODE XREF: KiExpireTimerTable+E8j
		mov	al, [ecx+3]
		xor	al, dl
		mov	[ebp+var_30], 0
		mov	byte ptr [ebp+var_30+3], al
		mov	eax, [ebp+var_30]
		lock xor [ecx],	eax
		mov	eax, [ebp+var_8]
		mov	edx, ecx
		xchg	edx, [eax]
		mov	eax, [ecx+18h]
		mov	[ebp+var_10], eax
		mov	esi, [ebp+var_10]
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_1C], edx
		lea	edx, [ecx+18h]
		cmp	[esi+4], edx
		jnz	loc_5AECAF
		lea	esi, [ecx+18h]
		cmp	[eax], esi
		lea	esi, [edi+44h]
		jnz	loc_5AECAF
		mov	edx, [ebp+var_10]
		cmp	eax, edx
		mov	[eax], edx
		mov	[edx+4], eax
		mov	edx, [ebp+arg_8]
		jz	short loc_44BB76

loc_44BB35:				; CODE XREF: KiExpireTimerTable+1C7j
		inc	[ebp+arg_4]
		add	[ebp+var_8], 4
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	loc_5AEC9F
		cmp	[ebp+arg_4], 10h
		jnz	loc_44BA80
		jmp	loc_5AEC73
; 

loc_44BB56:				; CODE XREF: KiExpireTimerTable+CBj
		mov	eax, [ebp+arg_4]
		cmp	eax, 1
		jbe	short loc_44BB6D
		mov	edx, [ebp+arg_18]
		mov	ecx, [ebp+var_14]
		push	eax
		push	[ebp+var_4]
		call	KiProcessExpiredTimerList

loc_44BB6D:				; CODE XREF: KiExpireTimerTable+16Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_44BB76:				; CODE XREF: KiExpireTimerTable+143j
		mov	eax, [ebp+var_4]
		mov	dword ptr [edi+54h], 0FFFFFFFFh
		cmp	ds:_KiSerializeTimerExpiration,	0
		movzx	eax, byte ptr [eax-1E9Bh]
		mov	esi, ds:dword_70E644[eax*8]
		jz	loc_5AEC5C
		mov	eax, edx
		and	eax, 1Fh
		mov	[ebp+var_10], eax
		mov	eax, edx
		shr	eax, 5
		shl	eax, 2

loc_44BBAB:				; CODE XREF: KiExpireTimerTable+16327Ej
		add	eax, esi
		mov	esi, [ebp+var_10]
		lock btr [eax],	esi
		lea	esi, [edi+44h]
		jmp	loc_44BB35
; 
		align 10h

loc_44BBC0:				; CODE XREF: KiExpireTimerTable+75j
					; KiExpireTimerTable+1DCj
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_44BBC0
		jmp	loc_44BA60
KiExpireTimerTable endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiProcessExpiredTimerList proc near	; CODE XREF: KiExpireTimerTable+178p
					; KiExpireTimerTable+163296p

var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AECBD SIZE 000001A5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_58], ecx
		mov	ecx, 6
		push	esi
		push	edi
		lea	edi, [ebp+var_20]
		mov	[ebp+var_64], 0
		rep stosd
		mov	ecx, 8
		mov	[ebp+var_5C], edx
		lea	edi, [ebp+var_50]
		rep stosd
		mov	eax, dword ptr ds:byte_70EFC4
		mov	edi, 1
		mov	ecx, [ebp+var_58]
		and	eax, 80h
		test	ds:dword_70EFC8, 20000h
		mov	[ebp+var_68], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_70], eax
		mov	eax, [eax+13Ch]
		mov	[ebp+var_74], eax
		jnz	loc_5AECB6
		xor	al, al

loc_44BC51:				; CODE XREF: KiExpireTimerTable+1632C8j
		mov	[ebp+var_51], al
		add	ebx, 4

loc_44BC57:				; CODE XREF: KiProcessExpiredTimerList+F5j
		xor	esi, esi
		xchg	esi, [ebx]
		inc	edi
		add	ebx, 4
		test	esi, esi
		jz	short loc_44BCA3
		mov	[ebp+var_6C], 0
		lock bts dword ptr [esi], 7
		jb	loc_5AECBD

loc_44BC75:				; CODE XREF: KiProcessExpiredTimerList+1630FBj
		test	al, al
		jnz	loc_5AECE0

loc_44BC7D:				; CODE XREF: KiProcessExpiredTimerList+163119j
					; KiProcessExpiredTimerList+163125j
		lea	eax, [edx+8]
		mov	edx, esi
		push	eax
		call	KiTimerWaitTest
		cmp	[ebp+var_51], 0
		mov	[ebp+var_60], eax
		jnz	loc_5AED0A

loc_44BC95:				; CODE XREF: KiProcessExpiredTimerList+163170j
		mov	ecx, [ebp+var_58]
		test	eax, eax
		jnz	loc_5AED55

loc_44BCA0:				; CODE XREF: KiProcessExpiredTimerList+163211j
					; KiProcessExpiredTimerList+163238j
		mov	edx, [ebp+var_5C]

loc_44BCA3:				; CODE XREF: KiProcessExpiredTimerList+81j
		cmp	edi, [ebp+arg_4]
		jb	short loc_44BCD2
		cmp	dword ptr [ecx+3B1Ch], 0
		jz	short loc_44BCBF
		push	2
		push	0
		mov	edx, 1
		call	KiProcessThreadWaitList

loc_44BCBF:				; CODE XREF: KiProcessExpiredTimerList+CFj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_44BCD2:				; CODE XREF: KiProcessExpiredTimerList+C6j
		mov	al, [ebp+var_51]
		jmp	short loc_44BC57
KiProcessExpiredTimerList endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiTimerWaitTest	proc near		; CODE XREF: KiProcessExpiredTimerList+A3p
					; KiCommitThreadWait+596p ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AEE62 SIZE 00000094 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[esp+60h+var_50], ecx
		xor	eax, eax
		mov	[esp+60h+var_2C], edi
		mov	[esp+60h+var_10], eax
		or	bh, 0FFh
		mov	[esp+60h+var_C], eax
		mov	bl, [edi]
		mov	esi, [edi+20h]
		and	bl, 7Fh
		mov	[esp+60h+var_8], eax
		mov	[esp+60h+var_4], eax
		mov	eax, [edi+24h]
		mov	[esp+60h+var_18], 0
		mov	[esp+60h+var_14], 0
		mov	[esp+60h+var_20], 0
		mov	[esp+60h+var_1C], 0
		mov	[esp+60h+var_4C], esi
		mov	byte ptr [esp+60h+var_28], bh
		test	eax, eax
		jnz	loc_44BE10

loc_44BD48:				; CODE XREF: KiTimerWaitTest+208j
		mov	eax, [edi+8]
		lea	esi, [edi+8]
		mov	dword ptr [edi+4], 1
		cmp	bl, 8
		jnz	loc_44BDE3
		cmp	eax, esi
		jz	short loc_44BD93

loc_44BD62:				; CODE XREF: KiTimerWaitTest+B1j
		mov	ecx, eax
		mov	eax, [eax]
		mov	[esp+60h+var_40], eax
		mov	[esp+60h+var_48], ecx
		mov	al, [ecx+8]
		cmp	al, 1
		jnz	loc_44BF09
		movzx	eax, word ptr [ecx+0Ah]
		push	0
		push	eax

loc_44BD80:				; CODE XREF: KiTimerWaitTest+1631D9j
		mov	edx, ecx
		mov	ecx, [esp+68h+var_50]
		call	KiTryUnwaitThread

loc_44BD8B:				; CODE XREF: KiTimerWaitTest+2D6j
		mov	eax, [esp+60h+var_40]
		cmp	eax, esi
		jnz	short loc_44BD62

loc_44BD93:				; CODE XREF: KiTimerWaitTest+80j
		mov	[esi+4], esi
		mov	[esi], esi

loc_44BD98:				; CODE XREF: KiTimerWaitTest+105j
					; KiTimerWaitTest+321j	...
		mov	esi, [esp+60h+var_4C]
		test	esi, esi
		jnz	short loc_44BDBB
		movzx	eax, bh
		shl	eax, 18h
		or	eax, 80h
		not	eax
		lock and [edi],	eax
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_44BDBB:				; CODE XREF: KiTimerWaitTest+BEj
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	loc_44C07C

loc_44BDC6:				; CODE XREF: KiTimerWaitTest+3CAj
					; KiTimerWaitTest+163211j
		push	[esp+60h+var_28]
		mov	eax, [ebx+4]
		mov	ecx, esi
		mov	edx, [ebx]
		push	edi
		push	eax
		call	KiInsertQueueDpc
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_44BDE3:				; CODE XREF: KiTimerWaitTest+78j
		cmp	eax, esi
		jz	short loc_44BD98

loc_44BDE7:				; CODE XREF: KiTimerWaitTest+1631CDj
		mov	esi, [eax]
		mov	edx, eax
		mov	[esp+60h+var_44], edx
		mov	[esp+60h+var_38], esi
		mov	[esp+60h+var_40], esi
		mov	eax, [edx+4]
		mov	[esp+60h+var_48], eax
		mov	eax, esi
		cmp	[eax+4], edx
		jz	loc_44BFCA

loc_44BE09:				; CODE XREF: KiTimerWaitTest+2F0j
					; KiTimerWaitTest+354j	...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_44BE10:				; CODE XREF: KiTimerWaitTest+62j
		mov	cl, [ecx+223Ah]
		mov	edx, 0FFFFD8F0h
		imul	edx
		xor	bh, bh
		mov	byte ptr [esp+60h+var_28], bh
		mov	[esp+60h+var_54], eax
		mov	[esp+60h+var_48], edx
		test	cl, cl
		jnz	loc_44C1CA

loc_44BE33:				; CODE XREF: KiTimerWaitTest+515j
		mov	edx, ds:0FFDF000Ch
		mov	eax, ds:0FFDF0008h
		mov	[esp+60h+var_24], 0
		mov	[esp+60h+var_40], eax
		cmp	edx, ds:0FFDF0010h
		jnz	loc_5AEE62

loc_44BE56:				; CODE XREF: KiTimerWaitTest+1631ACj
		mov	ecx, eax
		mov	eax, edx
		sub	ecx, [edi+10h]
		sbb	eax, [edi+14h]
		add	ecx, [esp+60h+var_54]
		adc	eax, [esp+60h+var_48]
		mov	[esp+60h+var_34], eax
		js	short loc_44BE7C
		jg	loc_44BFBB
		test	ecx, ecx
		jnb	loc_44BFBB

loc_44BE7C:				; CODE XREF: KiTimerWaitTest+18Cj
					; KiTimerWaitTest+2E5j
		mov	eax, [edi]
		xor	edx, edx
		mov	ecx, eax
		mov	[esp+60h+var_44], edx
		sar	ecx, 8
		mov	[esp+60h+var_40], edx
		mov	[esp+60h+var_10], eax
		cmp	cl, 4
		jnb	short loc_44BEED

loc_44BE96:				; CODE XREF: KiTimerWaitTest+227j
		and	cl, 0FEh
		mov	byte ptr [esp+60h+var_10+3], 40h
		mov	byte ptr [esp+60h+var_10+1], cl

loc_44BEA2:				; CODE XREF: KiTimerWaitTest+202j
		mov	eax, [esp+60h+var_54]
		sub	[edi+10h], eax
		mov	ecx, [edi+10h]
		mov	eax, [esp+60h+var_48]
		sbb	[edi+14h], eax
		add	ecx, edx
		mov	eax, [edi+14h]
		mov	edx, edi
		adc	eax, [esp+60h+var_40]
		shrd	ecx, eax, 12h
		push	0
		movzx	ecx, cl
		mov	byte ptr [esp+64h+var_10+2], cl
		mov	eax, [esp+64h+var_10]
		push	ecx
		mov	ecx, [esp+68h+var_50]
		push	esi
		mov	[edi], eax
		call	KiInsertTimerTable
		mov	edx, [esp+60h+var_44]
		test	al, al
		jz	short loc_44BEA2
		mov	ecx, [esp+60h+var_50]
		jmp	loc_44BD48
; 

loc_44BEED:				; CODE XREF: KiTimerWaitTest+1B4j
		movzx	eax, cl
		cdq
		mov	edx, eax
		xor	eax, eax
		and	edx, 0FFFFFFFCh
		shld	eax, edx, 10h
		shl	edx, 10h
		mov	[esp+60h+var_40], eax
		mov	[esp+60h+var_44], edx
		jmp	short loc_44BE96
; 

loc_44BF09:				; CODE XREF: KiTimerWaitTest+93j
		cmp	al, 2
		jnz	loc_5AEEB2
		mov	byte ptr [ecx+9], 5
		mov	eax, [ecx+0Ch]
		mov	[esp+60h+var_54], eax
		add	eax, 8
		mov	dword ptr [ecx], 0
		mov	[esp+60h+var_38], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[esp+60h+var_3C], eax
		mov	eax, [eax+4]
		mov	[esp+60h+var_44], eax
		jz	short loc_44BF64
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	edx, [esp+60h+var_48]
		mov	ecx, [esp+60h+var_44]
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_44BF64:				; CODE XREF: KiTimerWaitTest+26Aj
		mov	ecx, [esp+60h+var_54]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [esp+60h+var_38]
		mov	ecx, [esp+60h+var_54]
		cmp	[edx], edx
		jz	loc_44C01D
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+1Ch]
		jnb	loc_44C01D
		mov	eax, [esp+60h+var_44]
		mov	eax, [eax+0A4h]
		cmp	eax, ecx
		jz	short loc_44C00C

loc_44BF97:				; CODE XREF: KiTimerWaitTest+337j
		push	[esp+60h+var_48]
		mov	edx, ecx
		mov	ecx, [esp+64h+var_3C]
		call	KiWakeQueueWaiter
		mov	ecx, [esp+60h+var_54]
		test	al, al
		jz	short loc_44C01D

loc_44BFAE:				; CODE XREF: KiTimerWaitTest+37Aj
					; KiTimerWaitTest+382j	...
		mov	eax, 0FFFFFF7Fh
		lock and [ecx],	eax
		jmp	loc_44BD8B
; 

loc_44BFBB:				; CODE XREF: KiTimerWaitTest+18Ej
					; KiTimerWaitTest+196j
		mov	eax, [esp+60h+var_40]
		mov	[edi+10h], eax
		mov	[edi+14h], edx
		jmp	loc_44BE7C
; 

loc_44BFCA:				; CODE XREF: KiTimerWaitTest+123j
		mov	esi, [esp+60h+var_48]
		cmp	[esi], edx
		jnz	loc_44BE09
		mov	[esi], eax
		mov	[eax+4], esi
		lea	esi, [edi+8]
		mov	al, [edx+8]
		cmp	al, 1
		jnz	loc_44C0B5
		movzx	eax, word ptr [edx+0Ah]
		push	0
		push	eax
		call	KiTryUnwaitThread
		test	al, al
		jz	loc_5AEE9D
		add	dword ptr [edi+4], 0FFFFFFFFh
		jz	loc_44BD98
		jmp	loc_5AEE9D
; 

loc_44C00C:				; CODE XREF: KiTimerWaitTest+2B5j
		mov	eax, [esp+60h+var_44]
		cmp	byte ptr [eax+18Bh], 0Fh
		jnz	loc_44BF97

loc_44C01D:				; CODE XREF: KiTimerWaitTest+297j
					; KiTimerWaitTest+2A3j	...
		mov	eax, [ecx+4]
		mov	[esp+60h+var_44], eax
		inc	eax
		mov	[ecx+4], eax
		lea	eax, [ecx+10h]
		mov	esi, [eax+4]
		mov	[esp+60h+var_38], esi
		cmp	[esi], eax
		jnz	loc_44BE09
		cmp	[esp+60h+var_44], 0
		lea	esi, [ecx+10h]
		mov	eax, [esp+60h+var_48]
		mov	edx, [esp+60h+var_38]
		mov	[eax], esi
		lea	esi, [edi+8]
		mov	[eax+4], edx
		mov	[edx], eax
		lea	edx, [ecx+8]
		mov	[ecx+14h], eax
		jnz	loc_44BFAE
		cmp	[edx], edx
		jz	loc_44BFAE
		mov	edx, ecx
		mov	ecx, [esp+60h+var_3C]
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		mov	ecx, [esp+60h+var_54]
		jmp	loc_44BFAE
; 

loc_44C07C:				; CODE XREF: KiTimerWaitTest+E0j
		mov	ecx, 0FFDF0018h
		mov	[esp+60h+var_20], 0
		mov	eax, 0FFDF0014h
		lea	ebx, [esp+60h+var_18]
		mov	[ebp+arg_0], ebx
		mov	ecx, [ecx]
		mov	eax, [eax]
		mov	[esp+60h+var_18], eax
		mov	eax, 0FFDF001Ch
		mov	[esp+60h+var_14], ecx
		mov	eax, [eax]
		cmp	ecx, eax
		jz	loc_44BDC6
		jmp	loc_5AEEBE
; 

loc_44C0B5:				; CODE XREF: KiTimerWaitTest+303j
		cmp	al, 2
		jnz	loc_5AEE91
		mov	byte ptr [edx+9], 5
		mov	eax, [edx+0Ch]
		mov	[esp+60h+var_54], eax
		add	eax, 8
		mov	dword ptr [edx], 0
		mov	[esp+60h+var_3C], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[esp+60h+var_38], eax
		mov	eax, [eax+4]
		mov	[esp+60h+var_48], eax
		jz	short loc_44C110
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	edx, [esp+60h+var_44]
		mov	ecx, [esp+60h+var_48]
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_44C110:				; CODE XREF: KiTimerWaitTest+416j
		mov	ecx, [esp+60h+var_54]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [esp+60h+var_3C]
		mov	ecx, [esp+60h+var_54]
		cmp	[edx], edx
		jz	short loc_44C176
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+1Ch]
		jnb	short loc_44C176
		mov	eax, [esp+60h+var_48]
		mov	eax, [eax+0A4h]
		cmp	eax, ecx
		jz	short loc_44C169

loc_44C13B:				; CODE XREF: KiTimerWaitTest+494j
		push	[esp+60h+var_44]
		mov	edx, ecx
		mov	ecx, [esp+64h+var_38]
		call	KiWakeQueueWaiter
		mov	ecx, [esp+60h+var_54]
		test	al, al
		jz	short loc_44C176

loc_44C152:				; CODE XREF: KiTimerWaitTest+4D3j
					; KiTimerWaitTest+4D7j	...
		mov	eax, 0FFFFFF7Fh
		lock and [ecx],	eax
		add	dword ptr [edi+4], 0FFFFFFFFh
		jz	loc_44BD98
		jmp	loc_5AEE9D
; 

loc_44C169:				; CODE XREF: KiTimerWaitTest+459j
		mov	eax, [esp+60h+var_48]
		cmp	byte ptr [eax+18Bh], 0Fh
		jnz	short loc_44C13B

loc_44C176:				; CODE XREF: KiTimerWaitTest+443j
					; KiTimerWaitTest+44Bj	...
		mov	eax, [ecx+4]
		mov	[esp+60h+var_48], eax
		inc	eax
		mov	[ecx+4], eax
		lea	eax, [ecx+10h]
		mov	esi, [eax+4]
		mov	[esp+60h+var_3C], esi
		cmp	[esi], eax
		jnz	loc_44BE09
		cmp	[esp+60h+var_48], 0
		lea	esi, [ecx+10h]
		mov	eax, [esp+60h+var_44]
		mov	edx, [esp+60h+var_3C]
		mov	[eax], esi
		lea	esi, [edi+8]
		mov	[eax+4], edx
		mov	[edx], eax
		lea	edx, [ecx+8]
		mov	[ecx+14h], eax
		jnz	short loc_44C152
		cmp	[edx], edx
		jz	short loc_44C152
		mov	edx, ecx
		mov	ecx, [esp+60h+var_38]
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		mov	ecx, [esp+60h+var_54]
		jmp	short loc_44C152
; 

loc_44C1CA:				; CODE XREF: KiTimerWaitTest+14Dj
		mov	ecx, [esp+60h+var_50]
		inc	dword ptr [ecx+2244h]
		cmp	dword ptr [ecx+2244h], 0BB8h
		jnb	loc_5AEE2F

loc_44C1E4:				; CODE XREF: KiProcessExpiredTimerList+163268j
					; KiProcessExpiredTimerList+16327Dj
		mov	eax, [ecx+2248h]
		sub	[esp+60h+var_54], eax
		sbb	edx, 0
		mov	[esp+60h+var_48], edx
		jmp	loc_44BE33
KiTimerWaitTest	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiWaitForContextSwap(x)
_KiWaitForContextSwap@4	proc near	; CODE XREF: KiOutSwapKernelStacks+11Dp
					; KeDeleteThread+9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		jmp	short loc_44C211
; 

loc_44C209:				; CODE XREF: KiWaitForContextSwap(x)+1Cj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx

loc_44C211:				; CODE XREF: KiWaitForContextSwap(x)+Dj
		mov	al, [esi+55h]
		test	al, al
		jnz	short loc_44C209
		pop	esi
		leave
		retn
_KiWaitForContextSwap@4	endp

; 
		align 10h
; Exported entry 972. IoRetrievePriorityInfo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRetrievePriorityInfo(x, x, x, x)
		public _IoRetrievePriorityInfo@16
_IoRetrievePriorityInfo@16 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	dword ptr [ebx+0Ch], 2
		test	eax, eax
		jz	short loc_44C249
		test	dword ptr [eax+8], 0E0000h
		jnz	loc_44C38E

loc_44C249:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+1Aj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_44C2EC
		mov	eax, [eax+7Ch]
		test	eax, eax
		jnz	loc_44C2E1
		test	esi, esi
		jz	loc_44C39B
		mov	ecx, [esi+2FCh]
		mov	eax, [esi+150h]
		shr	ecx, 9
		and	ecx, 7
		test	dword ptr [eax+0FCh], 100000h
		jnz	loc_44C387

loc_44C289:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+169j
		cmp	ecx, 2
		jb	short loc_44C2FF

loc_44C28E:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+DDj
					; IoRetrievePriorityInfo(x,x,x,x)+E7j ...
		mov	[ebx+0Ch], ecx
		test	esi, esi
		jz	loc_44C39B
		cmp	byte ptr [esi+87h], 10h
		jge	short loc_44C2A9
		mov	eax, [esi+50h]
		test	eax, eax
		jnz	short loc_44C320

loc_44C2A9:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+80j
					; IoRetrievePriorityInfo(x,x,x,x)+144j
		movsx	eax, byte ptr [esi+15Bh]

loc_44C2B0:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+14Fj
		mov	[ebx+4], eax
		mov	ecx, [esi+2FCh]
		mov	eax, [esi+150h]
		shr	ecx, 0Ch
		and	ecx, 7
		test	dword ptr [eax+0FCh], 100000h
		jnz	loc_44C374

loc_44C2D5:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+157j
					; IoRetrievePriorityInfo(x,x,x,x)+162j
		mov	[ebx+8], ecx

loc_44C2D8:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+189j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_44C2E1:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+39j
		mov	ecx, [eax+28h]
		test	ecx, ecx
		jnz	loc_44C3AE

loc_44C2EC:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+2Ej
		test	esi, esi
		jz	loc_44C39B
		mov	ecx, esi
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		mov	ecx, eax
		jmp	short loc_44C28E
; 

loc_44C2FF:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+6Cj
		mov	eax, large fs:124h
		cmp	esi, eax
		jnz	short loc_44C28E
		cmp	dword ptr [esi+32Ch], 0
		jz	loc_44C28E
		mov	ecx, 2
		jmp	loc_44C28E
; 

loc_44C320:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+87j
		xor	edi, edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edx, large fs:20h
		mov	ecx, [esi+50h]
		test	ecx, ecx
		jz	short loc_44C356
		add	ecx, [edx+3B34h]
		test	ecx, ecx
		jz	short loc_44C356

loc_44C340:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+134j
		movzx	edi, byte ptr [ecx+5Ch]
		shr	edi, 3
		and	edi, 1
		jnz	short loc_44C356
		mov	ecx, [ecx+0F4h]
		test	ecx, ecx
		jnz	short loc_44C340

loc_44C356:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+114j
					; IoRetrievePriorityInfo(x,x,x,x)+11Ej	...
		cmp	al, 2
		jnb	short loc_44C362
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_44C362:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+138j
		test	edi, edi
		jz	loc_44C2A9
		mov	eax, 1
		jmp	loc_44C2B0
; 

loc_44C374:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+AFj
		cmp	ecx, 2
		jb	loc_44C2D5
		mov	ecx, 2
		jmp	loc_44C2D5
; 

loc_44C387:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+63j
		xor	ecx, ecx
		jmp	loc_44C289
; 

loc_44C38E:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+23j
		push	eax
		call	_IoGetIoPriorityHint@4 ; IoGetIoPriorityHint(x)
		mov	ecx, eax
		jmp	loc_44C28E
; 

loc_44C39B:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+41j
					; IoRetrievePriorityInfo(x,x,x,x)+73j ...
		mov	dword ptr [ebx+4], 0FFFFFFFFh
		mov	dword ptr [ebx+8], 0FFFFFFFFh
		jmp	loc_44C2D8
; 

loc_44C3AE:				; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+C6j
		dec	ecx
		jmp	loc_44C28E
_IoRetrievePriorityInfo@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpGetPoolTagInfoTarget	proc near	; DATA XREF: ExGetPoolTagInfo+86o

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005AEEF6 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_4], 0
		mov	eax, edi
		lock xadd [ebx], eax
		dec	eax
		mov	esi, eax
		not	esi
		and	esi, 80000000h
		test	eax, 7FFFFFFFh
		jnz	loc_44C505
		mov	eax, [ebx+4]
		mov	edi, [ebp+arg_4]
		or	eax, esi
		mov	[ebx], eax
		mov	eax, [edi+4]
		lea	eax, [eax+eax*2]
		shl	eax, 4
		push	eax		; size_t
		mov	eax, _ExPoolTagTables
		push	eax		; void *
		mov	eax, [edi]
		push	eax		; void *
		call	_memcpy
		mov	eax, [edi+4]
		add	esp, 0Ch
		mov	ebx, [ebp+arg_4]
		lea	esi, [eax+eax*2]
		shl	esi, 4
		add	esi, [edi]
		mov	edi, 4
		lea	esp, [esp+0]

loc_44C430:				; CODE XREF: ExpGetPoolTagInfoTarget+83j
		mov	edx, _ExPoolTagTables[edi]
		test	edx, edx
		jnz	short loc_44C4AC

loc_44C43A:				; CODE XREF: ExpGetPoolTagInfoTarget+F0j
					; ExpGetPoolTagInfoTarget+102j
		add	edi, 4
		cmp	edi, 80h
		jb	short loc_44C430
		mov	ecx, ebx
		mov	ebx, [ebp+arg_C]
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jnz	loc_5AEEF6

loc_44C455:				; CODE XREF: ExpGetPoolTagInfoTarget+162B4Fj
		or	edi, 0FFFFFFFFh

loc_44C458:				; CODE XREF: ExpGetPoolTagInfoTarget+14Ej
					; ExpGetPoolTagInfoTarget+167j
		lock xadd [ebx], edi
		dec	edi
		mov	esi, edi
		not	esi
		and	esi, 80000000h
		test	edi, 7FFFFFFFh
		jz	short loc_44C496
		mov	eax, [ebx]
		and	eax, 80000000h
		mov	[ebp+var_8], 0
		cmp	eax, esi
		jz	short loc_44C49D

loc_44C481:				; CODE XREF: ExpGetPoolTagInfoTarget+D2j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		and	eax, 80000000h
		cmp	eax, esi
		jnz	short loc_44C481
		jmp	short loc_44C49D
; 

loc_44C496:				; CODE XREF: ExpGetPoolTagInfoTarget+ADj
		mov	eax, [ebx+4]
		or	eax, esi
		mov	[ebx], eax

loc_44C49D:				; CODE XREF: ExpGetPoolTagInfoTarget+BFj
					; ExpGetPoolTagInfoTarget+D4j
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_44C4AC:				; CODE XREF: ExpGetPoolTagInfoTarget+78j
		mov	eax, [ebx]
		cmp	eax, esi
		jz	short loc_44C43A

loc_44C4B2:				; CODE XREF: ExpGetPoolTagInfoTarget+100j
		mov	ecx, [edx]
		test	ecx, ecx
		jnz	short loc_44C4C7

loc_44C4B8:				; CODE XREF: ExpGetPoolTagInfoTarget+143j
		add	eax, 30h
		add	edx, 30h
		cmp	eax, esi
		jnz	short loc_44C4B2
		jmp	loc_44C43A
; 

loc_44C4C7:				; CODE XREF: ExpGetPoolTagInfoTarget+F6j
		mov	ecx, [edx+8]
		add	[eax+8], ecx
		mov	ecx, [edx+0Ch]
		adc	[eax+0Ch], ecx
		mov	ecx, [edx+10h]
		add	[eax+10h], ecx
		mov	ecx, [edx+14h]
		adc	[eax+14h], ecx
		mov	ecx, [edx+4]
		add	[eax+4], ecx
		mov	ecx, [edx+20h]
		add	[eax+20h], ecx
		mov	ecx, [edx+24h]
		adc	[eax+24h], ecx
		mov	ecx, [edx+28h]
		add	[eax+28h], ecx
		mov	ecx, [edx+2Ch]
		adc	[eax+2Ch], ecx
		mov	ecx, [edx+18h]
		add	[eax+18h], ecx
		jmp	short loc_44C4B8
; 

loc_44C505:				; CODE XREF: ExpGetPoolTagInfoTarget+2Ej
		mov	eax, [ebx]
		and	eax, 80000000h
		cmp	eax, esi
		jz	loc_44C458

loc_44C514:				; CODE XREF: ExpGetPoolTagInfoTarget+165j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		and	eax, 80000000h
		cmp	eax, esi
		jnz	short loc_44C514
		jmp	loc_44C458
ExpGetPoolTagInfoTarget	endp


;  S U B	R O U T	I N E 


KiAbThreadGetIoQoSPriority proc	near	; CODE XREF: KiAbTryIncrementIoWaiterCounts(x,x)+6Fp
					; KiAbSetMinimumThreadPriority+39p

; FUNCTION CHUNK AT 005AEF14 SIZE 00000010 BYTES

		cmp	dword ptr [ecx+334h], 0
		jnz	loc_5AEF14

loc_44C539:				; CODE XREF: KiAbThreadGetIoQoSPriority+1629EFj
		xor	eax, eax
		inc	eax
		retn
KiAbThreadGetIoQoSPriority endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiAbTryIncrementIoWaiterCounts(x, x)
_KiAbTryIncrementIoWaiterCounts@8 proc near ; CODE XREF: KiAbProcessThreadLocks+F9p
					; KiAbProcessContextSwitch+1D6p ...
		test	byte ptr [ecx+0Dh], 1
		push	ebx
		push	edi
		mov	ebx, edx
		jz	short loc_44C558
		mov	dl, [ecx+0Fh]
		lea	edi, [ecx+0Fh]
		mov	al, dl
		and	al, 6
		cmp	al, 6
		jnz	short loc_44C55D

loc_44C558:				; CODE XREF: KiAbTryIncrementIoWaiterCounts(x,x)+8j
		pop	edi
		xor	eax, eax
		pop	ebx
		retn
; 

loc_44C55D:				; CODE XREF: KiAbTryIncrementIoWaiterCounts(x,x)+16j
		movzx	eax, byte ptr [ecx+0Ch]
		shl	eax, 3
		push	esi
		sub	ecx, eax
		xor	esi, esi
		test	dl, 2
		jnz	short loc_44C5AA
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 2
		jl	short loc_44C5E4

loc_44C578:				; CODE XREF: KiAbTryIncrementIoWaiterCounts(x,x)+ACj
		movzx	eax, word ptr [ebx+2Eh]
		lea	edx, [eax+2]
		xor	edx, eax
		and	edx, 1FEh
		xor	edx, eax
		mov	[ebx+2Eh], dx
		mov	edx, 1FEh
		mov	al, [edi]
		or	al, 2
		mov	[edi], al
		mov	ax, [ebx+2Eh]
		and	ax, dx
		cmp	ax, 2
		jnz	short loc_44C5AA
		mov	esi, 1

loc_44C5AA:				; CODE XREF: KiAbTryIncrementIoWaiterCounts(x,x)+2Cj
					; KiAbTryIncrementIoWaiterCounts(x,x)+63j ...
		test	byte ptr [edi],	4
		jnz	short loc_44C5DE
		call	KiAbThreadGetIoQoSPriority
		cmp	eax, 1
		jl	short loc_44C5DE
		add	word ptr [ebx+2Eh], 200h
		mov	al, [edi]
		or	al, 4
		mov	[edi], al
		mov	eax, 0FE00h
		mov	cx, [ebx+2Eh]
		and	cx, ax
		mov	eax, 200h
		cmp	cx, ax
		jnz	short loc_44C5DE
		or	esi, 2

loc_44C5DE:				; CODE XREF: KiAbTryIncrementIoWaiterCounts(x,x)+6Dj
					; KiAbTryIncrementIoWaiterCounts(x,x)+77j ...
		mov	eax, esi
		pop	esi
		pop	edi
		pop	ebx
		retn
; 

loc_44C5E4:				; CODE XREF: KiAbTryIncrementIoWaiterCounts(x,x)+36j
		cmp	[ecx+32Ch], esi
		jz	short loc_44C5AA
		jmp	short loc_44C578
_KiAbTryIncrementIoWaiterCounts@8 endp

; 
		align 10h

KiInSwapProcesses:			; CODE XREF: KeSwapProcessOrStack(x):loc_56890Bp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx

loc_44C5FB:				; CODE XREF: .text:0044C66Cj
		lea	edi, [esi-54h]
		mov	ecx, 6
		mov	esi, [esi]
		lea	eax, [edi+7Ch]
		lock xor [eax],	ecx
		mov	ecx, edi
		call	MmInSwapProcess
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	dword ptr [ebp-4], 0
		lock bts dword ptr [edi], 7
		jb	short loc_44C675

loc_44C628:				; CODE XREF: .text:0044C688j
		mov	ecx, [edi+4Ch]
		lea	eax, [edi+4Ch]
		cmp	ecx, eax
		jz	short loc_44C68C
		cmp	[ecx+4], eax
		jnz	short loc_44C690
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_44C690
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	[eax+4], eax
		mov	[eax], eax

loc_44C648:				; CODE XREF: .text:0044C68Ej
		lea	eax, [edi+7Ch]
		mov	edx, 4
		lock xor [eax],	edx
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		test	ecx, ecx
		jz	loc_5AEF24
		mov	dl, bl
		call	KiReadyOutSwappedThreads

loc_44C66A:				; CODE XREF: .text:005AEF2Cj
		test	esi, esi
		jnz	short loc_44C5FB
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_44C675:				; CODE XREF: .text:0044C626j
					; .text:0044C681j ...
		lea	ecx, [ebp-4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	al, al
		js	short loc_44C675
		lock bts dword ptr [edi], 7
		jnb	short loc_44C628
		jmp	short loc_44C675
; 

loc_44C68C:				; CODE XREF: .text:0044C630j
		xor	ecx, ecx
		jmp	short loc_44C648
; 

loc_44C690:				; CODE XREF: .text:0044C635j
					; .text:0044C63Cj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiReadyOutSwappedThreads proc near	; CODE XREF: .text:0044C665p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AEF31 SIZE 0000007D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	[esp+1Ch+var_8], edx
		push	edi
		mov	edi, large fs:20h
		mov	esi, eax
		mov	[esp+20h+var_14], eax
		mov	[esp+20h+var_10], edi
		jmp	short loc_44C6D0
; 
		align 10h

loc_44C6D0:				; CODE XREF: KiReadyOutSwappedThreads+25j
					; KiReadyOutSwappedThreads+78j
		lea	ebx, [esi-9Ch]
		mov	[esp+20h+var_C], 0
		mov	esi, [esi]
		lea	edi, [ebx+2Ch]

loc_44C6E3:				; CODE XREF: KiReadyOutSwappedThreads+BFj
		lock bts dword ptr [edi], 0
		jb	short loc_44C750
		mov	ecx, ebx
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	dword ptr [edi], 0
		test	dword ptr ds:byte_70EFC4, 200h
		mov	edi, [esp+20h+var_10]
		jnz	loc_5AEF31

loc_44C70B:				; CODE XREF: KiReadyOutSwappedThreads+1628A8j
		mov	edx, ebx
		mov	ecx, edi
		call	KiReadyThread
		cmp	esi, [esp+20h+var_14]
		jnz	short loc_44C6D0
		mov	ebx, [esp+20h+var_8]
		cmp	bl, 2
		jnb	loc_5AEF89
		cmp	dword ptr [edi+8], 0
		mov	eax, [edi+4]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[esp+20h+var_14], eax
		jnz	short loc_44C761
		test	byte ptr [eax+58h], 40h
		jnz	loc_5AEF6D

loc_44C744:				; CODE XREF: KiReadyOutSwappedThreads+15Cj
					; KiReadyOutSwappedThreads+1628E4j
		mov	cl, bl
		call	esi

loc_44C748:				; CODE XREF: KiReadyOutSwappedThreads+1628EDj
					; KiReadyOutSwappedThreads+1628FBj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 
		align 10h

loc_44C750:				; CODE XREF: KiReadyOutSwappedThreads+48j
					; KiReadyOutSwappedThreads+BDj
		lea	ecx, [esp+20h+var_C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_44C750
		jmp	short loc_44C6E3
; 

loc_44C761:				; CODE XREF: KiReadyOutSwappedThreads+98j
		xor	edx, edx
		mov	ecx, eax
		call	KiAbProcessContextSwitch
		lea	esi, [edi+2224h]
		mov	[esp+20h+var_4], 0

loc_44C778:				; CODE XREF: KiReadyOutSwappedThreads+EFj
		lock bts dword ptr [esi], 0
		jnb	short loc_44C791
		nop

loc_44C780:				; CODE XREF: KiReadyOutSwappedThreads+EDj
		lea	ecx, [esp+20h+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_44C780
		jmp	short loc_44C778
; 

loc_44C791:				; CODE XREF: KiReadyOutSwappedThreads+DDj
		mov	edx, [edi+8]
		mov	[esp+20h+var_10], edx
		mov	dword ptr [edi+8], 0
		cli
		mov	edx, [esp+20h+var_14]
		mov	ecx, edi
		push	0
		call	KiEndThreadCycleAccumulation
		sti
		mov	ecx, [esp+20h+var_10]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[edi+4], ecx
		mov	al, [ecx+90h]
		cmp	al, 1
		jz	loc_5AEF4D

loc_44C7C9:				; CODE XREF: KiReadyOutSwappedThreads+1628BEj
		mov	eax, [esp+20h+var_14]
		mov	edx, eax
		mov	byte ptr [ecx+90h], 2
		mov	ecx, edi
		mov	byte ptr [eax+18Bh], 20h
		mov	[eax+92h], bl
		call	KiQueueReadyThread
		mov	edi, [esp+20h+var_14]
		mov	ecx, edi
		mov	edx, [esp+20h+var_10]
		push	ebx
		call	@KiSwapContext@12 ; KiSwapContext(x,x,x)
		test	al, al
		jz	loc_44C744
		jmp	loc_5AEF63
KiReadyOutSwappedThreads endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiProcessThreadWaitList	proc near	; CODE XREF: KeTerminateThread+180p
					; KiProcessExpiredTimerList+DAp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AEFAE SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, ecx
		mov	[esp+14h+var_C], edx
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax+3B1Ch]
		mov	[esp+20h+var_8], eax
		mov	dword ptr [eax+3B1Ch], 0
		jmp	short loc_44C840
; 
		align 10h

loc_44C840:				; CODE XREF: KiProcessThreadWaitList+28j
					; KiProcessThreadWaitList+CCj
		movzx	eax, byte ptr [ecx+0CFh]
		lea	ebx, [ecx-9Ch]
		mov	esi, [ebx+98h]
		mov	ecx, [ecx]
		mov	[esp+20h+var_4], ecx
		lea	eax, [eax+eax*2]
		lea	edi, [esi+eax*8]
		nop

loc_44C860:				; CODE XREF: KiProcessThreadWaitList+96j
		mov	al, [esi+9]
		cmp	al, 5
		jnb	short loc_44C8A1
		mov	eax, [esi+10h]
		mov	ecx, eax
		mov	[esp+20h+var_10], eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	byte ptr [esi+9], 4
		jnz	short loc_44C895
		mov	eax, [esi]
		cmp	[eax+4], esi
		jz	short loc_44C889

loc_44C882:				; CODE XREF: KiProcessThreadWaitList+7Ej
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_44C889:				; CODE XREF: KiProcessThreadWaitList+70j
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_44C882
		mov	[ecx], eax
		mov	[eax+4], ecx

loc_44C895:				; CODE XREF: KiProcessThreadWaitList+69j
		mov	eax, [esp+20h+var_10]
		mov	ecx, 0FFFFFF7Fh
		lock and [eax],	ecx

loc_44C8A1:				; CODE XREF: KiProcessThreadWaitList+55j
		add	esi, 18h
		cmp	esi, edi
		jnz	short loc_44C860
		mov	al, [ebp+arg_0]
		mov	edx, [esp+20h+var_C]
		mov	[ebx+15Eh], dl
		mov	[ebx+15Fh], al
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5AEFAE

loc_44C8CB:				; CODE XREF: KiProcessThreadWaitList+1627A9j
		mov	ecx, [esp+20h+var_8]
		mov	edx, ebx
		call	KiReadyThread
		mov	ecx, [esp+20h+var_4]
		test	ecx, ecx
		jnz	loc_44C840
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
KiProcessThreadWaitList	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiOutSwapProcesses proc	near		; CODE XREF: KeSwapProcessOrStack(x)+5Fp

var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AEFBE SIZE 000001AC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx

loc_44C900:				; CODE XREF: KiOutSwapProcesses+14Dj
		lea	edi, [esi-54h]
		mov	esi, [esi]
		mov	[esp+38h+var_1C], esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	dl, al
		mov	[esp+38h+var_14], 0
		mov	byte ptr [esp+38h+var_20], dl
		lock bts dword ptr [edi], 7
		jb	loc_44CB11

loc_44C928:				; CODE XREF: KiOutSwapProcesses+23Bj
		mov	ecx, [edi+4Ch]
		lea	ebx, [edi+4Ch]
		mov	eax, [edi+7Ch]
		mov	[esp+38h+var_18], ecx
		cmp	ecx, ebx
		jz	loc_44CA4A
		mov	ecx, eax
		and	ecx, 7
		cmp	cl, 6
		jz	loc_44CA4A
		mov	ecx, [ebx]
		mov	eax, [ebx+4]
		cmp	[ecx+4], ebx
		jnz	loc_5AF13B
		cmp	[eax], ebx
		jnz	loc_5AF13B
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, 3
		mov	[ebx+4], ebx
		lea	ecx, [edi+7Ch]
		mov	[ebx], ebx
		lock xor [ecx],	eax
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	eax, large fs:20h
		mov	[esp+38h+var_24], eax
		mov	eax, [esp+38h+var_18]
		mov	esi, [esp+38h+var_24]

loc_44C990:				; CODE XREF: KiOutSwapProcesses+111j
		lea	ebx, [eax-9Ch]
		mov	[esp+38h+var_10], 0
		mov	eax, [eax]
		lea	edi, [ebx+2Ch]
		mov	[esp+38h+var_C], eax
		jmp	short loc_44C9B0
; 
		align 10h

loc_44C9B0:				; CODE XREF: KiOutSwapProcesses+B7j
					; KiOutSwapProcesses+1626DDj
		lock bts dword ptr [edi], 0
		jb	loc_5AEFBE
		mov	al, [ebx+90h]
		cmp	al, 1
		jz	loc_5AEFD2
		cmp	al, 5
		jz	loc_5AEFDB

loc_44C9D1:				; CODE XREF: KiOutSwapProcesses+1626E6j
					; KiOutSwapProcesses+16270Cj ...
		mov	byte ptr [ebx+90h], 7
		mov	dword ptr [edi], 0
		test	dword ptr ds:byte_70EFC4, 200h
		mov	edi, [esp+38h+var_18]
		jnz	loc_5AF013

loc_44C9F2:				; CODE XREF: KiOutSwapProcesses+16273Aj
		mov	edx, ebx
		mov	ecx, esi
		call	KiReadyThread
		mov	eax, [esp+38h+var_C]
		cmp	eax, edi
		jnz	short loc_44C990
		mov	bl, byte ptr [esp+38h+var_20]
		mov	esi, [esp+38h+var_1C]
		cmp	bl, 2
		jnb	loc_5AF112
		mov	edi, [esp+38h+var_24]
		cmp	dword ptr [edi+8], 0
		mov	eax, [edi+4]
		mov	[esp+38h+var_24], eax
		jnz	loc_5AF02F
		test	byte ptr [eax+58h], 40h
		jnz	loc_5AF0F2

loc_44CA33:				; CODE XREF: KiOutSwapProcesses+1627DAj
					; KiOutSwapProcesses+16281Dj
		mov	cl, bl

loc_44CA35:				; CODE XREF: KiOutSwapProcesses+1BAj
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_44CA3B:				; CODE XREF: KiOutSwapProcesses+16282Aj
					; KiOutSwapProcesses+162838j ...
		test	esi, esi
		jnz	loc_44C900
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_44CA4A:				; CODE XREF: KiOutSwapProcesses+47j
					; KiOutSwapProcesses+55j
		xor	eax, 0FFFFFFFDh
		lea	ecx, [edi+7Ch]
		and	eax, 7
		lock xor [ecx],	eax
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	MmOutSwapProcess
		mov	[esp+38h+var_25], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esp+38h+var_4], 0
		lock bts dword ptr [edi], 7
		jb	short loc_44CAF5

loc_44CA87:				; CODE XREF: KiOutSwapProcesses+219j
		cmp	[ebx], ebx
		jnz	short loc_44CAAC
		mov	dl, [esp+38h+var_25]
		mov	ecx, 4

loc_44CA94:				; CODE XREF: KiOutSwapProcesses+1E5j
		lea	eax, [edi+7Ch]
		lock xor [eax],	ecx
		mov	ebx, 0FFFFFF7Fh
		lock and [edi],	ebx
		test	dl, dl
		jnz	short loc_44CAD7

loc_44CAA6:				; CODE XREF: KiOutSwapProcesses+203j
		mov	cl, byte ptr [esp+38h+var_20]
		jmp	short loc_44CA35
; 

loc_44CAAC:				; CODE XREF: KiOutSwapProcesses+199j
		mov	eax, _KiProcessInSwapListHead

loc_44CAB1:				; CODE XREF: KiOutSwapProcesses+1D4j
		mov	[edi+54h], eax
		lea	ecx, [edi+54h]
		mov	edx, eax
		mov	esi, offset _KiProcessInSwapListHead
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_44CAB1
		mov	esi, [esp+38h+var_1C]
		test	eax, eax
		jnz	short loc_44CB30
		mov	dl, 1

loc_44CAD0:				; CODE XREF: KiOutSwapProcesses+244j
		mov	ecx, 7
		jmp	short loc_44CA94
; 

loc_44CAD7:				; CODE XREF: KiOutSwapProcesses+1B4j
		mov	ecx, offset _KiSwapEvent
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	dword_6CB334, 1
		mov	eax, offset _KiSwapEvent
		lock and [eax],	ebx
		jmp	short loc_44CAA6
; 

loc_44CAF5:				; CODE XREF: KiOutSwapProcesses+195j
					; KiOutSwapProcesses+212j ...
		lea	ecx, [esp+38h+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	al, al
		js	short loc_44CAF5
		lock bts dword ptr [edi], 7
		jnb	loc_44CA87
		jmp	short loc_44CAF5
; 

loc_44CB11:				; CODE XREF: KiOutSwapProcesses+32j
					; KiOutSwapProcesses+22Ej ...
		lea	ecx, [esp+38h+var_14]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	al, al
		js	short loc_44CB11
		lock bts dword ptr [edi], 7
		jb	short loc_44CB11
		mov	dl, byte ptr [esp+38h+var_20]
		jmp	loc_44C928
; 

loc_44CB30:				; CODE XREF: KiOutSwapProcesses+1DCj
		mov	dl, [esp+38h+var_25]
		jmp	short loc_44CAD0
KiOutSwapProcesses endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiReadyThread	proc near		; CODE XREF: KiReadyOutSwappedThreads+6Fp
					; KiProcessThreadWaitList+C1p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		mov	eax, [esi+5Ch]
		push	edi
		lea	edi, [esi+5Ch]
		test	eax, 20000h
		jz	short loc_44CBA6
		test	eax, 100000h
		jnz	loc_44CC13

loc_44CB65:				; CODE XREF: KiReadyThread+ECj
					; KiOutSwapProcesses+162875j
		lea	eax, [esi+9Ch]
		mov	[ebp+var_4], 0
		mov	dword ptr [eax], 0
		jmp	short loc_44CB80
; 
		align 10h

loc_44CB80:				; CODE XREF: KiReadyThread+38j
					; KiReadyThread+64j
		lea	ecx, [ebp+var_4]
		push	ecx
		lea	edx, [eax-9Ch]
		mov	ecx, ebx
		call	KiDeferredReadySingleThread
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	short loc_44CB9F

loc_44CB98:				; CODE XREF: KiReadyThread+BDj
					; KiReadyThread+100j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_44CB9F:				; CODE XREF: KiReadyThread+56j
		mov	ecx, [eax]
		mov	[ebp+var_4], ecx
		jmp	short loc_44CB80
; 

loc_44CBA6:				; CODE XREF: KiReadyThread+18j
		mov	ebx, [esi+80h]
		mov	ecx, ebx
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	eax, [ebx+7Ch]
		lea	ecx, [ebx+7Ch]
		test	al, 7
		jnz	short loc_44CC37
		mov	eax, 8
		lock xadd [ecx], eax
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		lock btr dword ptr [edi], 14h
		mov	byte ptr [esi+90h], 6
		mov	eax, _KiStackInSwapListHead
		nop

loc_44CBE0:				; CODE XREF: KiReadyThread+B9j
		mov	[esi+9Ch], eax
		lea	ecx, [esi+9Ch]
		mov	edx, eax
		mov	edi, offset _KiStackInSwapListHead
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_44CBE0
		test	eax, eax
		jnz	short loc_44CB98
		push	eax
		push	0Ah
		push	offset _KiSwapEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_44CC13:				; CODE XREF: KiReadyThread+1Fj
		lock btr dword ptr [edi], 14h
		mov	ecx, [esi+80h]
		mov	eax, 8
		add	ecx, 7Ch
		lock xadd [ecx], eax
		test	al, 7
		jz	loc_44CB65
		jmp	loc_5AF142
; 

loc_44CC37:				; CODE XREF: KiReadyThread+7Bj
		mov	edx, ebx

loc_44CC39:				; CODE XREF: KiOutSwapProcesses+162868j
		mov	ecx, esi
		call	KiRequestProcessInSwap
		jmp	loc_44CB98
KiReadyThread	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmOutSwapProcess proc near		; CODE XREF: KiOutSwapProcesses+178p

var_34		= byte ptr -34h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 005AF16A SIZE 0000033E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_31], 0
		lea	edi, [ebp+var_24]
		mov	byte ptr [ebp+var_1], 0
		stosd
		mov	ebx, ecx
		mov	esi, offset unk_6D3C40
		stosd
		stosd
		mov	al, [ebx+2A0h]
		and	al, 7
		cmp	al, 2
		jz	short loc_44CC7A
		lea	esi, [ebx+2C0h]

loc_44CC7A:				; CODE XREF: MmOutSwapProcess+2Cj
		push	40h
		lea	eax, [ebx+0FCh]
		pop	ecx
		lock or	[eax], ecx
		mov	cl, [ebx+2A3h]
		mov	al, cl
		and	al, 60h
		cmp	al, 20h
		jz	short loc_44CCB2
		and	cl, 60h
		cmp	cl, 40h
		jz	loc_5AF16A

loc_44CCA0:				; CODE XREF: MmOutSwapProcess+73j
					; MmOutSwapProcess+16252Bj ...
		cmp	dword ptr [ebx+288h], 4
		jz	loc_5AF183

loc_44CCAD:				; CODE XREF: MmOutSwapProcess+162544j
					; MmOutSwapProcess+16280Aj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_44CCB2:				; CODE XREF: MmOutSwapProcess+4Cj
		mov	ecx, ebx
		call	_MiReleaseOutSwappedProcessCommit@4 ; MiReleaseOutSwappedProcessCommit(x)
		jmp	short loc_44CCA0
MmOutSwapProcess endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoSetIoCompletionEx2 proc near		; CODE XREF: AlpcpQueueIoCompletionPort(x,x,x,x)+A0p
					; ExpWorkerFactoryCompletionPacketRoutine+D8p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_F		= byte ptr  17h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005AF4A8 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_14]
		mov	eax, edx
		push	esi
		push	edi
		mov	edi, [ebp+arg_10]
		mov	esi, ecx
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	loc_44CDE7
		mov	[edi+0Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+10h], eax
		mov	eax, [ebp+arg_4]
		mov	[edi+14h], eax
		mov	eax, [ebp+arg_8]
		mov	[edi+18h], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_8], al
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+arg_4], eax
		mov	ecx, [eax+4]
		mov	[ebp+arg_0], ecx
		jnz	loc_5AF4B2

loc_44CD1B:				; CODE XREF: IoSetIoCompletionEx2+162808j
		mov	eax, [ecx+36Ch]
		test	eax, eax
		jnz	short loc_44CD27
		mov	eax, ecx

loc_44CD27:				; CODE XREF: IoSetIoCompletionEx2+63j
		test	bl, bl
		jz	short loc_44CD3B
		mov	eax, [eax+150h]
		mov	al, [eax+2A2h]
		cmp	al, 2
		jz	short loc_44CDA1

loc_44CD3B:				; CODE XREF: IoSetIoCompletionEx2+69j
		mov	[ebp+arg_F], 0

loc_44CD3F:				; CODE XREF: IoSetIoCompletionEx2+E5j
		mov	ecx, esi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	ecx, [esi+8]
		cmp	[ecx], ecx
		jz	short loc_44CDB3
		mov	eax, [esi+18h]
		cmp	eax, [esi+1Ch]
		jnb	loc_44CE2F

loc_44CD59:				; CODE XREF: IoSetIoCompletionEx2+179j
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+0A4h]
		cmp	eax, esi
		jz	short loc_44CDA7

loc_44CD66:				; CODE XREF: IoSetIoCompletionEx2+EEj
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		push	edi
		call	KiWakeQueueWaiter
		test	al, al
		jz	short loc_44CDB0

loc_44CD75:				; CODE XREF: IoSetIoCompletionEx2+115j
					; IoSetIoCompletionEx2+119j ...
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		movzx	edx, bl
		neg	edx
		push	0
		sbb	edx, edx
		push	1
		and	edx, 3
		call	KiExitDispatcher
		xor	eax, eax

loc_44CD98:				; CODE XREF: IoSetIoCompletionEx2+1627EDj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_44CDA1:				; CODE XREF: IoSetIoCompletionEx2+79j
		mov	[ebp+arg_F], 1
		jmp	short loc_44CD3F
; 

loc_44CDA7:				; CODE XREF: IoSetIoCompletionEx2+A4j
		cmp	byte ptr [ecx+18Bh], 0Fh
		jnz	short loc_44CD66

loc_44CDB0:				; CODE XREF: IoSetIoCompletionEx2+B3j
		lea	ecx, [esi+8]

loc_44CDB3:				; CODE XREF: IoSetIoCompletionEx2+8Bj
					; IoSetIoCompletionEx2+173j
		mov	eax, [esi+4]
		mov	[ebp+14h], eax
		inc	eax
		mov	[esi+4], eax
		lea	eax, [esi+10h]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_44CE28
		cmp	dword ptr [ebp+14h], 0
		mov	[edi], eax
		mov	[edi+4], edx
		mov	[edx], edi
		mov	[eax+4], edi
		jnz	short loc_44CD75
		cmp	[ecx], ecx
		jz	short loc_44CD75
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		jmp	short loc_44CD75
; 

loc_44CDE7:				; CODE XREF: IoSetIoCompletionEx2+18j
		mov	dl, [ebp+arg_C]
		mov	cl, 1
		call	IopAllocateMiniCompletionPacket
		mov	edx, eax
		test	edx, edx
		jz	loc_5AF4A8
		mov	eax, [ebp+var_4]
		mov	ecx, esi
		mov	[edx+0Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[edx+10h], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[edx+14h], eax
		mov	eax, [ebp+arg_8]
		push	0
		mov	[edx+18h], eax
		call	KeInsertQueueEx
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_44CE28:				; CODE XREF: IoSetIoCompletionEx2+105j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_44CE2F:				; CODE XREF: IoSetIoCompletionEx2+93j
		cmp	[ebp+arg_F], 0
		jz	loc_44CDB3
		jmp	loc_44CD59
IoSetIoCompletionEx2 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiEnterDeferredReadyState(x)
_KiEnterDeferredReadyState@4 proc near	; CODE XREF: KiQueueReadyThread+1DCp
					; KiApplyForegroundBoostThread+178p ...
		mov	al, [ecx+90h]
		cmp	al, 1
		jz	short loc_44CE77
		cmp	al, 5
		jnz	short loc_44CE6F
		mov	eax, ds:_KeTickCount
		sub	eax, [ecx+138h]
		cmp	byte ptr [ecx+93h], 0
		jz	short loc_44CE83
		add	[ecx+258h], eax
		adc	dword ptr [ecx+25Ch], 0

loc_44CE6F:				; CODE XREF: KiEnterDeferredReadyState(x)+Cj
		mov	byte ptr [ecx+90h], 7
		retn
; 

loc_44CE77:				; CODE XREF: KiEnterDeferredReadyState(x)+8j
		or	dword ptr [ecx+58h], 2
		mov	byte ptr [ecx+90h], 7
		retn
; 

loc_44CE83:				; CODE XREF: KiEnterDeferredReadyState(x)+20j
		add	[ecx+250h], eax
		adc	dword ptr [ecx+254h], 0
		mov	byte ptr [ecx+90h], 7
		retn
_KiEnterDeferredReadyState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmInSwapProcess	proc near		; CODE XREF: .text:0044C60Dp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 005AF4CD SIZE 000001EF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	byte ptr [ebp+var_1], 0
		lea	edi, [ebp+var_24]
		mov	ebx, ecx
		stosd
		lea	esi, [ebx+0FCh]
		test	byte ptr [esi],	80h
		stosd
		stosd
		lea	edi, [ebx+240h]
		jnz	loc_5AF4CD

loc_44CEC6:				; CODE XREF: MmInSwapProcess+162812j
					; MmInSwapProcess+16281Fj
		push	0FFFFFFBFh
		pop	eax
		lock and [esi],	eax
		mov	al, [edi+63h]
		and	al, 60h
		cmp	al, 40h
		jz	short loc_44CEDA

loc_44CED5:				; CODE XREF: MmInSwapProcess+49j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_44CEDA:				; CODE XREF: MmInSwapProcess+3Bj
		mov	ecx, ebx
		call	_MiReAcquireOutSwappedProcessCommit@4 ;	MiReAcquireOutSwappedProcessCommit(x)
		jmp	short loc_44CED5
MmInSwapProcess	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiGetEffectivePagePriorityThread(x)
_MiGetEffectivePagePriorityThread@4 proc near ;	CODE XREF: MiIssueHardFault(x,x)+550p
					; .text:0047866Dp ...
		mov	eax, [ecx+304h]
		test	eax, 100h
		jz	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)
		shr	eax, 9
		and	eax, 7
		retn
_MiGetEffectivePagePriorityThread@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockPageInline(x)
_MiLockPageInline@4 proc near		; CODE XREF: MiWaitForCollidedFaultComplete+1B4p
					; MiRelockProtoPoolPage(x,x):loc_43AE10p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		mov	[ebp+var_4], 0
		add	esi, 10h
		lock bts dword ptr [esi], 1Fh
		jb	short loc_44CF30

loc_44CF25:				; CODE XREF: MiLockPageInline(x)+43j
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 
		align 10h

loc_44CF30:				; CODE XREF: MiLockPageInline(x)+23j
					; MiLockPageInline(x)+3Cj ...
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_44CF30
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_44CF25
		jmp	short loc_44CF30
_MiLockPageInline@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


KeYieldProcessorEx proc	near		; CODE XREF: KeQueryValuesThread+357p
					; KeQueryValuesThread+386p ...

; FUNCTION CHUNK AT 005A7EC2 SIZE 00000014 BYTES

		inc	dword ptr [ecx]
		mov	eax, [ecx]
		test	ds:_HvlLongSpinCountMask, eax
		jz	loc_5A7EC2

loc_44CF60:				; CODE XREF: KeYieldProcessorEx+15AF79j
		pause
		retn
KeYieldProcessorEx endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCompleteIrpInFileObjectList(x, x, x)
_IopCompleteIrpInFileObjectList@12 proc	near ; CODE XREF: .text:005249D5p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+21h], 0
		jnz	short loc_44CF96
		mov	ecx, [esi+18h]
		mov	eax, ecx
		push	edi
		mov	edi, 0C0000000h
		and	eax, edi
		cmp	eax, edi
		pop	edi
		jz	short loc_44CFB1
		test	dword ptr [edx+2Ch], 2000000h
		jz	short loc_44CF96
		test	ecx, ecx
		jns	short loc_44CFB1

loc_44CF96:				; CODE XREF: IopCompleteIrpInFileObjectList(x,x,x)+11j
					; IopCompleteIrpInFileObjectList(x,x,x)+2Cj
		cmp	dword ptr [edx+6Ch], 0
		mov	ecx, esi
		jz	short loc_44CFA8
		push	[ebp+arg_0]
		call	IopInsertIrpInCompletionQueue
		jmp	short loc_44CFCE
; 

loc_44CFA8:				; CODE XREF: IopCompleteIrpInFileObjectList(x,x,x)+38j
		call	_IopDoesCompletionNeedsApc@4 ; IopDoesCompletionNeedsApc(x)
		test	al, al
		jz	short loc_44CFB5

loc_44CFB1:				; CODE XREF: IopCompleteIrpInFileObjectList(x,x,x)+23j
					; IopCompleteIrpInFileObjectList(x,x,x)+30j
		xor	al, al
		jmp	short loc_44CFD0
; 

loc_44CFB5:				; CODE XREF: IopCompleteIrpInFileObjectList(x,x,x)+4Bj
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [esi+64h]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [esi+40h]
		push	eax
		call	_IopCompleteRequest@20 ; IopCompleteRequest(x,x,x,x,x)

loc_44CFCE:				; CODE XREF: IopCompleteIrpInFileObjectList(x,x,x)+42j
		mov	al, 1

loc_44CFD0:				; CODE XREF: IopCompleteIrpInFileObjectList(x,x,x)+4Fj
		pop	esi
		leave
		retn	4
_IopCompleteIrpInFileObjectList@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInsertIrpInCompletionQueue proc near	; CODE XREF: IopCompleteIrpInFileObjectList(x,x,x)+3Dp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005AF6BC SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1], 0
		lea	edi, [ebp+var_1C]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		mov	eax, [edx+6Ch]
		mov	esi, [eax]
		mov	eax, [eax+4]
		mov	[ebx+40h], eax
		mov	dword ptr [ebx+60h], 0
		lea	edi, [esi+28h]
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_14], al
		jnz	loc_5AF6BC
		lea	edx, [ebp+var_1C]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_44D1B1

loc_44D03B:				; CODE XREF: IopInsertIrpInCompletionQueue+1D9j
					; IopInsertIrpInCompletionQueue+1626E6j
		or	dword ptr [ebx+8], 10000h
		cmp	byte ptr [esi+2Ch], 0
		jnz	loc_44D199
		movsx	eax, [ebp+arg_0]
		lea	edi, [esi+8]
		mov	dword ptr [ebp+arg_0], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_10], al
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_8], eax
		mov	eax, [eax+4]
		mov	[ebp+var_C], eax
		jnz	loc_5AF6CB

loc_44D07E:				; CODE XREF: IopInsertIrpInCompletionQueue+162701j
		cmp	dword ptr [ebp+arg_0], 0
		jnz	loc_44D12B

loc_44D088:				; CODE XREF: IopInsertIrpInCompletionQueue+14Fj
					; IopInsertIrpInCompletionQueue+15Cj
		mov	ecx, esi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	[edi], edi
		jz	loc_44D141
		mov	eax, [esi+18h]
		cmp	eax, [esi+1Ch]
		jnb	loc_44D141
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx+0A4h]
		cmp	eax, esi
		jz	loc_44D183

loc_44D0B4:				; CODE XREF: IopInsertIrpInCompletionQueue+1AAj
		mov	ecx, [ebp+var_8]
		lea	eax, [ebx+58h]
		push	eax
		mov	edx, esi
		call	KiWakeQueueWaiter
		test	al, al
		jz	short loc_44D141

loc_44D0C6:				; CODE XREF: IopInsertIrpInCompletionQueue+186j
					; IopInsertIrpInCompletionQueue+18Ej ...
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		push	[ebp+var_10]
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		push	dword ptr [ebp+arg_0]
		push	1
		call	KiExitDispatcher

loc_44D0E0:				; CODE XREF: IopInsertIrpInCompletionQueue+1BDj
		test	ds:byte_70EFC6,	1
		jnz	loc_5AF6E6
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	loc_44D1C6
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jnz	loc_44D1BE

loc_44D10F:				; CODE XREF: IopInsertIrpInCompletionQueue+1F8j
					; IopInsertIrpInCompletionQueue+162711j
		mov	cl, [ebp+var_14]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_1], 0
		jnz	loc_44D1A2

loc_44D122:				; CODE XREF: IopInsertIrpInCompletionQueue+1CCj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_44D12B:				; CODE XREF: IopInsertIrpInCompletionQueue+A2j
		test	byte ptr [esi+1], 2
		jz	loc_44D088
		mov	dword ptr [ebp+arg_0], 0
		jmp	loc_44D088
; 

loc_44D141:				; CODE XREF: IopInsertIrpInCompletionQueue+B1j
					; IopInsertIrpInCompletionQueue+BDj ...
		mov	eax, [esi+4]
		lea	ecx, [esi+10h]
		mov	[ebp+var_C], eax
		inc	eax
		mov	[esi+4], eax
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_44D192
		cmp	[ebp+var_C], 0
		lea	eax, [ebx+58h]
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		jnz	loc_44D0C6
		cmp	[edi], edi
		jz	loc_44D0C6
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		jmp	loc_44D0C6
; 

loc_44D183:				; CODE XREF: IopInsertIrpInCompletionQueue+CEj
		cmp	byte ptr [ecx+18Bh], 0Fh
		jnz	loc_44D0B4
		jmp	short loc_44D141
; 

loc_44D192:				; CODE XREF: IopInsertIrpInCompletionQueue+173j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_44D199:				; CODE XREF: IopInsertIrpInCompletionQueue+66j
		mov	[ebp+var_1], 1
		jmp	loc_44D0E0
; 

loc_44D1A2:				; CODE XREF: IopInsertIrpInCompletionQueue+13Cj
		mov	edx, [ebx+64h]
		mov	ecx, ebx
		call	IopDropIrp
		jmp	loc_44D122
; 

loc_44D1B1:				; CODE XREF: IopInsertIrpInCompletionQueue+55j
		lea	ecx, [ebp+var_1C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_44D03B
; 

loc_44D1BE:				; CODE XREF: IopInsertIrpInCompletionQueue+129j
		lea	ecx, [ebp+var_1C]
		call	KxWaitForLockChainValid

loc_44D1C6:				; CODE XREF: IopInsertIrpInCompletionQueue+112j
		mov	[ebp+var_1C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_44D10F
IopInsertIrpInCompletionQueue endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAssignNonPagedPoolPte(x, x)
_MiAssignNonPagedPoolPte@8 proc	near	; CODE XREF: MiFillPoolCommitPageTable+FCp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	esi, edi
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		push	0
		sub	esi, 40000000h
		push	80h
		mov	[ebp+var_C], esi
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		movzx	ecx, word ptr [ebx+2Eh]
		shr	ecx, 3
		and	ecx, 1Fh
		mov	[ebp+var_20], edx
		or	ecx, 0A0000000h
		mov	[ebp+var_1C], eax
		push	ecx
		xor	edx, edx
		mov	ecx, esi
		call	MiMakeValidPte
		mov	ecx, esi
		mov	[ebp+var_28], edx
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], 0
		mov	[ebp+var_14], 0
		mov	edx, [ecx-40000000h]
		nop
		mov	eax, [ecx-3FFFFFFCh]
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], eax
		nop
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		mov	[ebp+var_14], edx
		nop
		mov	ecx, ebx
		mov	eax, 100h
		mov	ebx, [ecx+8]
		test	[ecx+2Eh], ax
		jnz	loc_44D377
		mov	eax, [ebx]
		mov	[ecx+8], eax
		mov	ecx, ebx
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		mov	ecx, [ebx+18h]
		sar	edx, 4
		mov	edi, edx
		shr	edi, 1Fh
		add	edi, edx
		test	byte ptr [ebx+17h], 10h
		jz	short loc_44D2B6
		mov	[ebp+var_8], 0
		jmp	short loc_44D2CF
; 

loc_44D2B6:				; CODE XREF: MiAssignNonPagedPoolPte(x,x)+CBj
		mov	eax, [ebp+var_1C]
		and	ecx, 7FFFFFFFh
		mov	[ebx+8], eax
		mov	eax, [ebp+var_20]
		mov	[ebx+0Ch], eax
		mov	[ebp+var_8], 1

loc_44D2CF:				; CODE XREF: MiAssignNonPagedPoolPte(x,x)+D4j
		mov	eax, ecx
		xor	eax, [ebp+var_14]
		and	eax, offset loc_7FFFFF
		xor	eax, ecx
		mov	cl, 2
		mov	[ebx+18h], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		lea	esi, [ebx+10h]
		mov	[ebp+var_20], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_44D315
		lea	ebx, [ebx+0]

loc_44D300:				; CODE XREF: MiAssignNonPagedPoolPte(x,x)+12Cj
					; MiAssignNonPagedPoolPte(x,x)+133j
		lea	ecx, [ebp+var_20]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_44D300
		lock bts dword ptr [esi], 1Fh
		jb	short loc_44D300

loc_44D315:				; CODE XREF: MiAssignNonPagedPoolPte(x,x)+118j
		mov	cl, [ebx+16h]
		mov	edx, 1
		and	dword ptr [ebx+18h], 7FFFFFFFh
		mov	al, cl
		and	al, 0C0h
		mov	dword ptr [ebx], 0
		cmp	al, 40h
		jz	short loc_44D342
		push	edx
		mov	ecx, ebx
		call	MiChangePageAttribute
		mov	cl, [ebx+16h]
		mov	edx, 1

loc_44D342:				; CODE XREF: MiAssignNonPagedPoolPte(x,x)+150j
		mov	eax, [esi]
		and	cl, 0FEh
		and	eax, 0C0000001h
		mov	[ebx+14h], dx
		or	eax, 1
		or	cl, 6
		mov	[esi], eax
		mov	eax, [ebp+var_C]
		mov	[ebx+4], eax
		mov	eax, 7FFFFFFFh
		mov	[ebx+16h], cl
		lock and [esi],	eax
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_C]
		jmp	short loc_44D386
; 

loc_44D377:				; CODE XREF: MiAssignNonPagedPoolPte(x,x)+9Ej
		sub	edi, [ecx]
		shr	edi, 0Ch
		mov	[ebp+var_8], 1
		mov	edi, [ebx+edi*4]

loc_44D386:				; CODE XREF: MiAssignNonPagedPoolPte(x,x)+195j
		mov	ecx, [ebp+var_28]
		and	edi, 1FFFFFFh
		mov	eax, [ebp+var_24]
		xor	edx, edx
		shld	edx, edi, 0Ch
		and	ecx, 0FFFFFFE0h
		and	eax, 0FFFh
		shl	edi, 0Ch
		or	edx, ecx
		mov	ecx, esi
		or	edi, eax
		xor	ebx, ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_44D3F5
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_44D3CD
		cmp	byte ptr word_6D07B8+1,	0
		mov	ebx, 1
		jnz	short loc_44D3F5
		jmp	short loc_44D3E5
; 

loc_44D3CD:				; CODE XREF: MiAssignNonPagedPoolPte(x,x)+1DBj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_44D3F5

loc_44D3E5:				; CODE XREF: MiAssignNonPagedPoolPte(x,x)+1EBj
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	short loc_44D3F5
		or	edx, 80000000h

loc_44D3F5:				; CODE XREF: MiAssignNonPagedPoolPte(x,x)+1D2j
					; MiAssignNonPagedPoolPte(x,x)+1E9j ...
		mov	[esi+4], edx
		nop
		mov	[esi], edi
		test	ebx, ebx
		jz	short loc_44D408
		push	edx
		push	edi
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_44D408:				; CODE XREF: MiAssignNonPagedPoolPte(x,x)+21Dj
		mov	eax, [ebp+var_14]
		mov	[ebp+var_1C], 0
		lea	esi, ds:0[eax*8]
		sub	esi, eax
		mov	eax, ds:_MmPfnDatabase
		add	eax, 10h
		lea	esi, [eax+esi*4]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_44D445
		lea	ecx, [ecx+0]

loc_44D430:				; CODE XREF: MiAssignNonPagedPoolPte(x,x)+25Cj
					; MiAssignNonPagedPoolPte(x,x)+263j
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_44D430
		lock bts dword ptr [esi], 1Fh
		jb	short loc_44D430

loc_44D445:				; CODE XREF: MiAssignNonPagedPoolPte(x,x)+24Bj
		mov	ecx, [esi]
		mov	eax, 7FFFFFFFh
		lea	edx, [ecx+1]
		xor	edx, ecx
		and	edx, 3FFFFFFFh
		xor	edx, ecx
		mov	[esi], edx
		lock and [esi],	eax
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiAssignNonPagedPoolPte@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMakeSystemAddressValid proc near	; CODE XREF: MiFillHyperPtes+A9p
					; MiSplitPrivatePage(x,x,x)+24Ap ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005AF6F6 SIZE 000000ED BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ecx, [eax+80h]
		mov	eax, [ebp+arg_8]
		mov	[esp+3Ch+var_28], esi
		mov	[esp+3Ch+var_C], ecx
		push	edi
		mov	edi, edx
		mov	[esp+40h+var_20], edi
		test	al, 4
		jnz	loc_44D7D2
		lea	ebx, [ecx+240h]

loc_44D4AB:				; CODE XREF: MiMakeSystemAddressValid+367j
		and	eax, 1
		mov	[esp+40h+var_2C], ebx
		mov	[ebp+arg_8], eax

loc_44D4B5:				; CODE XREF: MiMakeSystemAddressValid+2BAj
					; MiMakeSystemAddressValid+16234Aj
		test	eax, eax
		jnz	loc_44D6B5
		mov	eax, esi
		mov	[esp+40h+var_24], 0C0603018h
		shr	eax, 9
		mov	ecx, 6
		and	eax, offset loc_7FFFF8
		mov	[esp+40h+var_18], 0
		mov	[esp+40h+var_10], eax
		add	eax, 0C0000000h
		mov	[esp+40h+var_8], eax
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esp+40h+var_34], ecx
		sub	eax, 40000000h
		mov	[esp+40h+var_4], eax
		mov	al, [ebx+60h]
		and	al, 7
		cmp	al, 2
		jnb	loc_44D7DC
		test	al, al
		jnz	loc_5AF70D
		mov	edi, [ebx+0Ch]
		add	edi, 0F10h

loc_44D51C:				; CODE XREF: MiMakeSystemAddressValid+381j
					; MiMakeSystemAddressValid+162298j ...
		mov	esi, [edi]

loc_44D51E:				; CODE XREF: MiMakeSystemAddressValid+2E2j
					; MiMakeSystemAddressValid+35Dj
		mov	edx, 2
		shl	edx, cl

loc_44D525:				; CODE XREF: MiMakeSystemAddressValid+44Bj
		mov	eax, esi
		shr	eax, cl
		test	al, 1
		jnz	loc_44D72F
		mov	eax, [esp+40h+var_34]
		mov	ecx, esi
		bts	ecx, eax
		mov	eax, edx
		not	eax
		and	ecx, eax
		mov	eax, esi
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		jnz	loc_44D8B5
		mov	esi, [esp+40h+var_24]
		mov	eax, 1

loc_44D557:				; CODE XREF: MiMakeSystemAddressValid+22Aj
		mov	edi, [esp+eax*4+40h+var_8]
		mov	[esp+40h+var_1C], eax
		mov	[esp+40h+var_30], edi
		mov	ecx, [edi]
		nop
		mov	edx, [edi+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_44D69F
		mov	eax, ecx
		and	eax, 80h
		or	eax, 0
		jnz	loc_44D69F
		mov	eax, ecx
		and	eax, 20h
		or	eax, 0
		jz	loc_44D8CE

loc_44D595:				; CODE XREF: MiMakeSystemAddressValid+469j
		cmp	edi, esi
		jz	loc_44D691
		mov	al, [ebx+60h]
		lea	ecx, [edi+3FA00000h]
		sar	ecx, 3
		and	al, 7
		add	ecx, ecx
		mov	[esp+40h+var_14], 0
		mov	esi, ecx
		and	esi, 1Fh
		cmp	al, 2
		jnb	loc_44D784
		shr	ecx, 5
		test	al, al
		jnz	loc_5AF73B
		mov	eax, [ebx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_44D5D8:				; CODE XREF: MiMakeSystemAddressValid+336j
					; MiMakeSystemAddressValid+1622D1j
		mov	[esp+40h+var_34], eax

loc_44D5DC:				; CODE XREF: MiMakeSystemAddressValid+1622C6j
		mov	ebx, [esp+40h+var_34]
		mov	ebx, [ebx]

loc_44D5E2:				; CODE XREF: MiMakeSystemAddressValid+3B1j
					; MiMakeSystemAddressValid+3D5j ...
		mov	ecx, esi
		mov	edx, 2
		shl	edx, cl
		jmp	short loc_44D5F0
; 
		align 10h

loc_44D5F0:				; CODE XREF: MiMakeSystemAddressValid+17Bj
					; MiMakeSystemAddressValid+459j
		mov	eax, ebx
		mov	ecx, esi
		shr	eax, cl
		test	al, 1
		jnz	loc_44D7F6
		mov	edi, [esp+40h+var_34]
		mov	ecx, ebx
		mov	eax, edx
		bts	ecx, esi
		not	eax
		and	ecx, eax
		mov	eax, ebx
		lock cmpxchg [edi], ecx
		cmp	eax, ebx
		jnz	loc_44D8C7
		mov	edx, [esp+40h+var_24]
		mov	ebx, [esp+40h+var_2C]
		lea	eax, [edx+3FA00000h]
		mov	cl, [ebx+60h]
		sar	eax, 3
		and	cl, 7
		add	eax, eax
		mov	esi, eax
		and	esi, 1Fh
		cmp	cl, 2
		jnb	loc_44D757
		shr	eax, 5
		test	cl, cl
		jnz	loc_5AF76D
		mov	ecx, [ebx+0Ch]
		add	ecx, 0D90h
		lea	eax, [ecx+eax*4]

loc_44D659:				; CODE XREF: MiMakeSystemAddressValid+30Fj
					; MiMakeSystemAddressValid+162303j
		mov	[esp+40h+var_34], eax

loc_44D65D:				; CODE XREF: MiMakeSystemAddressValid+1622F8j
		mov	edx, [eax]
		mov	ecx, esi
		mov	edi, [esp+40h+var_34]
		mov	ebx, 2
		shl	ebx, cl
		mov	eax, edx
		mov	ecx, edx
		not	ebx
		btr	ecx, esi
		and	ecx, ebx
		lock cmpxchg [edi], ecx
		mov	edi, [esp+40h+var_30]
		cmp	eax, edx
		jnz	loc_44D890

loc_44D687:				; CODE XREF: MiMakeSystemAddressValid+439j
		mov	ebx, [esp+40h+var_2C]
		mov	esi, edi
		mov	[esp+40h+var_24], esi

loc_44D691:				; CODE XREF: MiMakeSystemAddressValid+127j
		mov	eax, [esp+40h+var_1C]
		test	eax, eax
		jz	short loc_44D69F
		dec	eax
		jmp	loc_44D557
; 

loc_44D69F:				; CODE XREF: MiMakeSystemAddressValid+101j
					; MiMakeSystemAddressValid+111j ...
		mov	eax, [esp+40h+var_10]
		add	eax, 0C0000000h
		cmp	esi, eax
		jnz	short loc_44D6C2

loc_44D6AC:				; CODE XREF: MiMakeSystemAddressValid+24Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_44D6B5:				; CODE XREF: MiMakeSystemAddressValid+47j
		mov	ecx, esi
		call	MmIsAddressValidEx
		test	al, al
		jnz	short loc_44D6AC
		jmp	short loc_44D6D3
; 

loc_44D6C2:				; CODE XREF: MiMakeSystemAddressValid+23Aj
		mov	edx, esi
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	esi, [esp+40h+var_28]
		mov	edi, [esp+40h+var_20]

loc_44D6D3:				; CODE XREF: MiMakeSystemAddressValid+250j
		test	edi, edi
		jnz	loc_5AF778

loc_44D6DB:				; CODE XREF: MiMakeSystemAddressValid+16230Fj
		mov	edi, [ebp+arg_8]
		mov	ecx, ebx
		mov	dl, [ebp+arg_4]
		test	edi, edi
		jnz	loc_5AF784
		call	MiUnlockWorkingSetShared

loc_44D6F0:				; CODE XREF: MiMakeSystemAddressValid+162319j
		mov	eax, [ebp+arg_0]
		push	0
		push	0
		shl	eax, 19h
		push	esi
		or	eax, 1000002h
		push	eax
		call	MmAccessFault
		mov	esi, eax
		test	esi, esi
		js	loc_5AF7BF
		test	edi, edi
		jnz	loc_5AF78E
		mov	ecx, ebx
		call	MiLockWorkingSetShared
		mov	eax, [ebp+arg_8]
		mov	esi, [esp+40h+var_28]
		mov	edi, [esp+40h+var_20]
		jmp	loc_44D4B5
; 

loc_44D72F:				; CODE XREF: MiMakeSystemAddressValid+BBj
		test	al, 2
		jnz	short loc_44D7AB
		mov	edx, 2
		mov	eax, esi
		shl	edx, cl
		or	edx, esi
		mov	ecx, edx
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		jnz	loc_44D8AE
		mov	ecx, [esp+40h+var_34]
		mov	esi, edx
		jmp	loc_44D51E
; 

loc_44D757:				; CODE XREF: MiMakeSystemAddressValid+1CCj
		cmp	edx, 0C0603018h
		jnz	loc_44D86F

loc_44D763:				; CODE XREF: MiMakeSystemAddressValid+415j
		cmp	cl, 7
		jz	loc_5AF746
		cmp	cl, 5
		jz	loc_5AF750

loc_44D775:				; CODE XREF: MiMakeSystemAddressValid+409j
					; MiMakeSystemAddressValid+41Bj
		shr	eax, 5
		lea	eax, unk_6D2C54[eax*4]
		jmp	loc_44D659
; 

loc_44D784:				; CODE XREF: MiMakeSystemAddressValid+14Cj
		cmp	edi, 0C0603018h
		jz	loc_44D85A
		cmp	edi, 0C0603010h
		jz	loc_44D84A

loc_44D79C:				; CODE XREF: MiMakeSystemAddressValid+3E4j
					; MiMakeSystemAddressValid+3F4j
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_44D5D8
; 

loc_44D7AB:				; CODE XREF: MiMakeSystemAddressValid+2C1j
		mov	ebx, [esp+40h+var_34]
		nop

loc_44D7B0:				; CODE XREF: MiMakeSystemAddressValid+353j
		lea	ecx, [esp+40h+var_18]
		call	KeYieldProcessorEx
		mov	esi, [edi]
		mov	ecx, ebx
		mov	eax, esi
		shr	eax, cl
		test	al, 1
		jnz	short loc_44D7B0
		mov	ebx, [esp+40h+var_2C]

loc_44D7C9:				; CODE XREF: MiMakeSystemAddressValid+440j
		mov	ecx, [esp+40h+var_34]
		jmp	loc_44D51E
; 

loc_44D7D2:				; CODE XREF: MiMakeSystemAddressValid+2Fj
		mov	ebx, offset unk_6D3840
		jmp	loc_44D4AB
; 

loc_44D7DC:				; CODE XREF: MiMakeSystemAddressValid+95j
		cmp	al, 7
		jz	loc_5AF6F6
		cmp	al, 5
		jz	loc_5AF6FD
		mov	edi, offset unk_6D2DD4
		jmp	loc_44D51C
; 

loc_44D7F6:				; CODE XREF: MiMakeSystemAddressValid+188j
		test	al, 2
		jnz	short loc_44D826
		mov	edx, [esp+40h+var_34]
		mov	ecx, esi
		mov	eax, 2
		shl	eax, cl
		or	eax, ebx
		mov	[esp+40h+var_18], eax
		mov	ecx, eax
		mov	eax, ebx
		lock cmpxchg [edx], ecx
		cmp	eax, ebx
		jnz	loc_44D8C0
		mov	ebx, [esp+40h+var_18]
		jmp	loc_44D5E2
; 

loc_44D826:				; CODE XREF: MiMakeSystemAddressValid+388j
		mov	edi, [esp+40h+var_34]
		lea	ebx, [ebx+0]

loc_44D830:				; CODE XREF: MiMakeSystemAddressValid+3D3j
		lea	ecx, [esp+40h+var_14]
		call	KeYieldProcessorEx
		mov	ebx, [edi]
		mov	ecx, esi
		mov	eax, ebx
		shr	eax, cl
		test	al, 1
		jnz	short loc_44D830
		jmp	loc_44D5E2
; 

loc_44D84A:				; CODE XREF: MiMakeSystemAddressValid+326j
		cmp	dword_6D07D0, 0C0000000h
		jnb	loc_44D79C

loc_44D85A:				; CODE XREF: MiMakeSystemAddressValid+31Aj
		cmp	al, 7
		jz	loc_5AF718
		cmp	al, 5
		jnz	loc_44D79C
		jmp	loc_5AF722
; 

loc_44D86F:				; CODE XREF: MiMakeSystemAddressValid+2EDj
		cmp	dword_6D07D0, 0C0000000h
		jnb	loc_44D775
		cmp	edx, 0C0603010h
		jz	loc_44D763
		jmp	loc_44D775
; 

loc_44D890:				; CODE XREF: MiMakeSystemAddressValid+211j
		mov	edi, [esp+40h+var_34]

loc_44D894:				; CODE XREF: MiMakeSystemAddressValid+433j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, esi
		and	ecx, ebx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_44D894
		mov	edi, [esp+40h+var_30]
		jmp	loc_44D687
; 

loc_44D8AE:				; CODE XREF: MiMakeSystemAddressValid+2D6j
		mov	esi, eax
		jmp	loc_44D7C9
; 

loc_44D8B5:				; CODE XREF: MiMakeSystemAddressValid+D8j
		mov	ecx, [esp+40h+var_34]
		mov	esi, eax
		jmp	loc_44D525
; 

loc_44D8C0:				; CODE XREF: MiMakeSystemAddressValid+3A7j
		mov	ebx, eax
		jmp	loc_44D5E2
; 

loc_44D8C7:				; CODE XREF: MiMakeSystemAddressValid+1A5j
		mov	ebx, eax
		jmp	loc_44D5F0
; 

loc_44D8CE:				; CODE XREF: MiMakeSystemAddressValid+11Fj
		push	edx
		push	ecx
		push	1
		mov	edx, edi
		call	MiPerformSafePdeWrite
		jmp	loc_44D595
MiMakeSystemAddressValid endp


;  S U B	R O U T	I N E 


; __stdcall MiGetInPageSupportBlock(x)
_MiGetInPageSupportBlock@4 proc	near	; CODE XREF: MiMigratePfn(x,x,x,x)+311p
					; MiPfPutPagesInTransition+15Ep ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	edi, ebx
		not	edi
		and	edi, 1
		lea	ecx, dword_6D3490[edi*8]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_44D90D

loc_44D8FE:				; CODE XREF: MiGetInPageSupportBlock(x)+3Fj
					; MiGetInPageSupportBlock(x)+54j
		mov	edx, ebx
		mov	ecx, esi	; void *
		call	_MiInitializeInPageSupport@8 ; MiInitializeInPageSupport(x,x)

loc_44D907:				; CODE XREF: MiGetInPageSupportBlock(x)+56j
		mov	eax, esi

loc_44D909:				; CODE XREF: MiGetInPageSupportBlock(x)+5Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_44D90D:				; CODE XREF: MiGetInPageSupportBlock(x)+1Ej
		lea	ecx, dword_6D34A0[edi*8]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_44D8FE
		test	bl, 4
		jnz	short loc_44D936
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_MiAllocateInPageSupportBlock@8	; MiAllocateInPageSupportBlock(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_44D8FE
		jmp	short loc_44D907
; 

loc_44D936:				; CODE XREF: MiGetInPageSupportBlock(x)+44j
		xor	eax, eax
		jmp	short loc_44D909
_MiGetInPageSupportBlock@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; int __fastcall MiInitializeInPageSupport(void	*)
_MiInitializeInPageSupport@8 proc near	; CODE XREF: MiGetInPageSupportBlock(x)+24p
					; .text:0055018Ap ...
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		push	0A8h		; size_t
		mov	esi, ecx
		mov	ebx, edx
		push	0		; int
		push	esi		; void *
		call	_memset
		lea	eax, [esi+18h]
		mov	word ptr [esi+11h], 400h
		mov	[eax+4], eax
		add	esp, 0Ch
		mov	[eax], eax
		lea	eax, [esi+28h]
		mov	dword ptr [esi+14h], 0
		mov	word ptr [esi+20h], 0
		mov	byte ptr [esi+22h], 4
		mov	dword ptr [esi+24h], 0
		mov	[eax+4], eax
		mov	[eax], eax
		test	bl, 1
		jnz	loc_44DA19

loc_44D990:				; CODE XREF: MiInitializeInPageSupport(x,x)+DDj
		mov	ecx, large fs:124h
		lea	eax, [esi+8]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	dword ptr [esi+68h], 1
		mov	[esi+58h], ecx
		mov	eax, [ecx+304h]
		test	eax, 100h
		jnz	short loc_44DA11
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)

loc_44D9BB:				; CODE XREF: MiInitializeInPageSupport(x,x)+D7j
		mov	edx, [esi+78h]
		cmp	eax, 5
		ja	short loc_44DA26
		or	edx, 80000h
		test	eax, eax
		jz	short loc_44DA22
		lea	ecx, [eax-1]

loc_44D9D0:				; CODE XREF: MiInitializeInPageSupport(x,x)+E4j
					; MiInitializeInPageSupport(x,x)+EDj
		movzx	ecx, cl
		and	edx, 0FFFF81FFh
		and	ecx, 7
		movzx	eax, al
		shl	ecx, 3
		and	eax, 7
		or	ecx, eax
		shl	ecx, 9
		or	ecx, edx
		mov	[esi+78h], ecx
		test	bl, 2
		jz	short loc_44DA0D
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	[esi+84h], eax
		test	eax, eax
		jz	short loc_44DA0D
		or	byte ptr [eax+0Eh], 1

loc_44DA0D:				; CODE XREF: MiInitializeInPageSupport(x,x)+B2j
					; MiInitializeInPageSupport(x,x)+C7j
		pop	esi
		pop	ebx
		pop	ecx
		retn
; 

loc_44DA11:				; CODE XREF: MiInitializeInPageSupport(x,x)+74j
		shr	eax, 9
		and	eax, 7
		jmp	short loc_44D9BB
; 

loc_44DA19:				; CODE XREF: MiInitializeInPageSupport(x,x)+4Aj
		or	dword ptr [esi+78h], 40h
		jmp	loc_44D990
; 

loc_44DA22:				; CODE XREF: MiInitializeInPageSupport(x,x)+8Bj
		xor	ecx, ecx
		jmp	short loc_44D9D0
; 

loc_44DA26:				; CODE XREF: MiInitializeInPageSupport(x,x)+81j
		mov	eax, 5
		mov	ecx, eax
		jmp	short loc_44D9D0
_MiInitializeInPageSupport@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiWakeOtherQueueWaiters(x,	x)
@KiWakeOtherQueueWaiters@8 proc	near	; CODE XREF: KeSetProcess+133p
					; KeTerminateThread+260p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_14], ecx
		push	esi
		push	edi
		mov	[ebp+var_C], ebx
		mov	edi, [ebx+0Ch]

loc_44DA46:				; CODE XREF: KiWakeOtherQueueWaiters(x,x)+93j
		mov	esi, edi
		mov	edi, [edi+4]
		mov	al, [esi+8]
		cmp	al, 2
		jz	short loc_44DACC
		cmp	al, 1
		jnz	short loc_44DAC5
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_44DB00
		cmp	[edi], esi
		jnz	loc_44DB00
		mov	[edi], eax
		mov	[eax+4], edi
		mov	ecx, [esi+0Ch]
		movzx	edx, word ptr [esi+0Ah]
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], ecx
		lea	ebx, [ecx+2Ch]
		mov	[ebp+var_4], 0
		mov	[ebp+var_18], ebx

loc_44DA88:				; CODE XREF: KiWakeOtherQueueWaiters(x,x)+CEj
		lock bts dword ptr [ebx], 0
		jb	short loc_44DAF0
		mov	ecx, [ebp+var_8]
		mov	ebx, [ebp+var_C]
		mov	al, [ecx+90h]
		cmp	al, 5
		jnz	short loc_44DAAD
		push	esi
		push	[ebp+var_10]
		mov	edx, ecx
		mov	ecx, [ebp+var_14]
		call	KiSignalThread

loc_44DAAD:				; CODE XREF: KiWakeOtherQueueWaiters(x,x)+6Dj
		mov	eax, [ebp+var_18]
		mov	dword ptr [eax], 0
		mov	al, [esi+9]
		inc	al
		mov	[esi+9], al

loc_44DABE:				; CODE XREF: KiWakeOtherQueueWaiters(x,x)+BAj
		lea	eax, [ebx+8]
		cmp	edi, eax
		jnz	short loc_44DA46

loc_44DAC5:				; CODE XREF: KiWakeOtherQueueWaiters(x,x)+24j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_44DACC:				; CODE XREF: KiWakeOtherQueueWaiters(x,x)+20j
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_44DB00
		cmp	[edi], esi
		jnz	short loc_44DB00
		mov	[edi], eax
		mov	edx, esi
		mov	[eax+4], edi
		mov	byte ptr [esi+9], 5
		mov	ecx, [esi+0Ch]
		call	KiInsertQueueInternal
		jmp	short loc_44DABE
; 
		align 10h

loc_44DAF0:				; CODE XREF: KiWakeOtherQueueWaiters(x,x)+5Dj
					; KiWakeOtherQueueWaiters(x,x)+CCj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_44DAF0
		jmp	short loc_44DA88
; 

loc_44DB00:				; CODE XREF: KiWakeOtherQueueWaiters(x,x)+2Bj
					; KiWakeOtherQueueWaiters(x,x)+33j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
@KiWakeOtherQueueWaiters@8 endp


;  S U B	R O U T	I N E 


ExpValidateWorkItem proc near		; CODE XREF: ExQueueWorkItemEx(x,x,x)+Bp
					; ExQueueWorkItem+Ep ...

; FUNCTION CHUNK AT 005AF7E3 SIZE 00000033 BYTES

		mov	edi, edi
		push	esi
		xor	esi, esi
		cmp	[ecx], esi
		jnz	loc_5AF7DC
		cmp	edx, 7
		jge	short loc_44DB30

loc_44DB1A:				; CODE XREF: ExpValidateWorkItem+2Bj
		cmp	edx, 40h
		jge	short loc_44DB35
		mov	eax, [ecx+8]
		cmp	eax, ds:_MmUserProbeAddress
		jbe	loc_5AF7E3
		pop	esi
		retn
; 

loc_44DB30:				; CODE XREF: ExpValidateWorkItem+10j
		cmp	edx, 20h
		jge	short loc_44DB1A

loc_44DB35:				; CODE XREF: ExpValidateWorkItem+15j
		push	esi
		push	edx
		push	ecx
		push	6
		jmp	loc_5AF7E8
ExpValidateWorkItem endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 404. ExQueueWorkItem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExQueueWorkItem
ExQueueWorkItem	proc near		; CODE XREF: PspHardDereferenceSiloWorker(x)+49p
					; PopCheckForWork+55p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		mov	edx, esi
		call	ExpValidateWorkItem
		cmp	esi, 7
		jnb	short loc_44DB85
		mov	edx, ds:_ExpBuiltinPriorities[esi*4]

loc_44DB63:				; CODE XREF: ExQueueWorkItem+44j
		mov	eax, ds:_PspSystemPartition
		push	0
		push	0FFFFFFFFh
		push	edx
		mov	ecx, [eax+8]
		mov	edx, [ebp+arg_0]
		call	ExpQueueWorkItem
		test	al, al
		jz	loc_5AF7F3
		pop	esi
		pop	ebp
		retn	8
; 

loc_44DB85:				; CODE XREF: ExQueueWorkItem+16j
		lea	edx, [esi-20h]
		jmp	short loc_44DB63
ExQueueWorkItem	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetPageForWriteCluster(x,	x, x, x, x, x, x, x)
_MiGetPageForWriteCluster@32 proc near	; CODE XREF: MiBuildReservationCluster(x,x,x,x)+6DBp

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		push	edi
		mov	edi, [ebp+arg_14]
		push	edi
		push	ebx
		mov	dword ptr [eax], 1
		lea	eax, [ebp-1]
		push	eax
		push	[ebp+arg_4]
		mov	[ebp+var_8], ecx
		push	[ebp+arg_0]
		mov	[ebp+var_1], 0
		call	_MiCheckPteForWriteCluster@28 ;	MiCheckPteForWriteCluster(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_44DC5D
		mov	eax, [ebp+arg_8]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		cmp	eax, 1Fh
		ja	loc_44DC88
		mov	edx, dword_6D0700
		mov	ecx, edi
		mov	esi, dword_6D0704
		mov	eax, edx
		or	eax, esi
		jz	short loc_44DC01
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_44DC01
		mov	ecx, esi
		not	ecx
		and	ecx, edi

loc_44DC01:				; CODE XREF: MiGetPageForWriteCluster(x,x,x,x,x,x,x,x)+5Fj
					; MiGetPageForWriteCluster(x,x,x,x,x,x,x,x)+69j
		mov	eax, edx
		or	eax, esi
		jz	short loc_44DC15
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_44DC15
		not	esi
		and	edi, esi

loc_44DC15:				; CODE XREF: MiGetPageForWriteCluster(x,x,x,x,x,x,x,x)+75j
					; MiGetPageForWriteCluster(x,x,x,x,x,x,x,x)+7Fj
		mov	eax, [ebp+var_8]
		and	edi, 1Fh
		shr	ecx, 5
		mov	eax, [eax+4]
		mov	eax, [eax+ecx*4]
		mov	ecx, edi
		sar	eax, cl
		test	al, 1
		jnz	short loc_44DC88
		mov	eax, [ebp+arg_C]
		mov	esi, dword_6D34E0
		inc	eax

loc_44DC36:				; CODE XREF: MiGetPageForWriteCluster(x,x,x,x,x,x,x,x)+F6j
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		mov	eax, 92492493h
		sub	esi, ds:_MmPfnDatabase
		imul	esi
		add	edx, esi
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_44DC5D:				; CODE XREF: MiGetPageForWriteCluster(x,x,x,x,x,x,x,x)+36j
		xor	edx, edx
		mov	ecx, esi
		call	MiReferencePageForModifiedWrite
		mov	ebx, [ebp+arg_C]
		mov	ecx, 7FFFFFFFh
		mov	[ebx], eax
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	dword ptr [ebx], 0
		jz	short loc_44DC88
		xor	eax, eax
		jmp	short loc_44DC36
; 

loc_44DC88:				; CODE XREF: MiGetPageForWriteCluster(x,x,x,x,x,x,x,x)+47j
					; MiGetPageForWriteCluster(x,x,x,x,x,x,x,x)+9Aj ...
		pop	edi
		pop	esi
		or	eax, 0FFFFFFFFh
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_MiGetPageForWriteCluster@32 endp


;  S U B	R O U T	I N E 


; __stdcall MiIncreaseUsedPtesCount(x, x)
_MiIncreaseUsedPtesCount@8 proc	near	; CODE XREF: MiSplitPrivatePage(x,x,x)+2B3p
					; .text:00451990p ...
		mov	eax, large fs:124h
		push	esi
		mov	eax, [eax+80h]
		mov	esi, [eax+24Ch]
		add	[ecx], dx
		add	esi, 18h
		lea	eax, [esi+178h]
		cmp	ecx, eax
		jb	short loc_44DCDF
		lea	eax, [esi+0D78h]
		cmp	edx, 1
		ja	short loc_44DCDF
		cmp	ecx, eax
		jnb	short loc_44DCDF
		sub	ecx, esi
		sub	ecx, 178h
		sar	ecx, 1
		sub	ecx, 40000h
		shl	ecx, 0Ch
		pop	esi
		jmp	MmIsAddressValidEx
; 

loc_44DCDF:				; CODE XREF: MiIncreaseUsedPtesCount(x,x)+21j
					; MiIncreaseUsedPtesCount(x,x)+2Cj ...
		pop	esi
		retn
_MiIncreaseUsedPtesCount@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiWakeQueueWaiter proc near		; CODE XREF: KeSetProcess+140p
					; KeTerminateThread+22Ep ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A7ED6 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, [edx+8]
		lea	ebx, [edx+8]
		push	edi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx

loc_44DD07:				; CODE XREF: KiWakeQueueWaiter+B2j
		mov	edi, esi
		mov	esi, [esi]
		cmp	byte ptr [edi+8], 3
		jnz	short loc_44DD89
		mov	eax, [edi+4]
		cmp	[esi+4], edi
		jnz	loc_5A7ED6
		cmp	[eax], edi
		jnz	loc_5A7ED6
		mov	[eax], esi
		xor	dl, dl
		mov	[esi+4], eax
		mov	ecx, [edi+0Ch]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_1], dl
		mov	[ebp+var_8], 0
		lea	ebx, [ecx+2Ch]
		mov	[ebp+var_18], ebx

loc_44DD42:				; CODE XREF: KiWakeQueueWaiter+ACj
		lock bts dword ptr [ebx], 0
		jb	short loc_44DD90
		mov	ecx, [ebp+var_C]
		mov	ebx, [ebp+var_10]
		mov	al, [ecx+90h]
		cmp	al, 5
		jnz	short loc_44DDAA
		push	edi
		push	[ebp+arg_0]
		mov	edx, ecx
		mov	ecx, [ebp+var_14]
		call	KiSignalThread
		mov	dl, al

loc_44DD69:				; CODE XREF: KiWakeQueueWaiter+BDj
		mov	ecx, [ebp+var_18]
		mov	dword ptr [ecx], 0
		mov	cl, [edi+9]
		inc	cl
		mov	[edi+9], cl
		test	dl, dl
		jz	short loc_44DDA0
		mov	al, 1

loc_44DD80:				; CODE XREF: KiWakeQueueWaiter+9Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_44DD89:				; CODE XREF: KiWakeQueueWaiter+1Fj
					; KiWakeQueueWaiter+B8j
		xor	al, al
		jmp	short loc_44DD80
; 
		align 10h

loc_44DD90:				; CODE XREF: KiWakeQueueWaiter+57j
					; KiWakeQueueWaiter+AEj
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_44DD42
		jmp	short loc_44DD90
; 

loc_44DDA0:				; CODE XREF: KiWakeQueueWaiter+8Cj
		cmp	esi, ebx
		jnz	loc_44DD07
		jmp	short loc_44DD89
; 

loc_44DDAA:				; CODE XREF: KiWakeQueueWaiter+67j
		mov	dl, [ebp+var_1]
		jmp	short loc_44DD69
KiWakeQueueWaiter endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiTryUnwaitThreadWithPriority proc near	; CODE XREF: .text:0044E8A6p
					; KiWakePriQueueWaiter(x,x,x,x)+2Ep

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edi
		xor	bl, bl
		mov	[ebp+var_4], 0
		mov	esi, [edi+0Ch]
		lea	edi, [esi+2Ch]

loc_44DDD2:				; CODE XREF: KiTryUnwaitThreadWithPriority+133j
		lock bts dword ptr [edi], 0
		jb	loc_44DED7
		mov	al, [esi+90h]
		mov	edi, [ebp+var_8]
		cmp	al, 5
		jnz	short loc_44DE47
		mov	ecx, [esi+14Ch]
		mov	ebx, [ebp+arg_4]
		movzx	edx, cl
		cmp	edx, ebx
		jnz	loc_44DEAB

loc_44DDFE:				; CODE XREF: KiTryUnwaitThreadWithPriority+10Ej
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		push	edi
		push	[ebp+arg_0]
		call	KiSignalThread
		mov	byte ptr [ebp+arg_0+3],	al
		test	al, al
		jz	short loc_44DE44
		push	0
		mov	dl, bl
		mov	byte ptr [esi+18Dh], 0
		mov	ecx, esi
		call	KiAbProcessThreadPriorityModification
		mov	al, [esi+15Ch]
		mov	[esi+15Bh], bl
		test	al, al
		jnz	loc_44DEC3

loc_44DE39:				; CODE XREF: KiTryUnwaitThreadWithPriority+122j
		movsx	eax, byte ptr [esi+87h]
		cmp	ebx, eax
		jnz	short loc_44DE61

loc_44DE44:				; CODE XREF: KiTryUnwaitThreadWithPriority+61j
					; KiTryUnwaitThreadWithPriority+F9j
		mov	bl, byte ptr [ebp+arg_0+3]

loc_44DE47:				; CODE XREF: KiTryUnwaitThreadWithPriority+38j
		mov	dword ptr [esi+2Ch], 0
		mov	al, [edi+9]
		inc	al
		mov	[edi+9], al
		mov	al, bl
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_44DE61:				; CODE XREF: KiTryUnwaitThreadWithPriority+92j
		mov	eax, [esi+34h]
		mov	ecx, [esi+30h]
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 0
		cmp	eax, [esi+38h]
		jz	short loc_44DE8D
		lea	ebx, [ebx+0]

loc_44DE80:				; CODE XREF: KiTryUnwaitThreadWithPriority+DBj
		pause
		mov	eax, [esi+34h]
		mov	ecx, [esi+30h]
		cmp	eax, [esi+38h]
		jnz	short loc_44DE80

loc_44DE8D:				; CODE XREF: KiTryUnwaitThreadWithPriority+C8j
		movzx	edx, byte ptr [esi+193h]
		push	1
		push	eax
		push	ecx
		mov	ecx, esi
		call	_KiComputeQuantumTargetThread@20 ; KiComputeQuantumTargetThread(x,x,x,x,x)
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		call	KiSetPriorityThread
		jmp	short loc_44DE44
; 

loc_44DEAB:				; CODE XREF: KiTryUnwaitThreadWithPriority+48j
		and	ecx, 100h
		jz	short loc_44DEEB

loc_44DEB3:				; CODE XREF: KiTryUnwaitThreadWithPriority+151j
		movzx	eax, bl
		or	eax, ecx
		mov	[esi+14Ch], eax
		jmp	loc_44DDFE
; 

loc_44DEC3:				; CODE XREF: KiTryUnwaitThreadWithPriority+83j
		test	al, 0Fh
		jnz	loc_5AF806

loc_44DECB:				; CODE XREF: ExpValidateWorkItem+161D09j
		mov	byte ptr [esi+15Ch], 0
		jmp	loc_44DE39
; 

loc_44DED7:				; CODE XREF: KiTryUnwaitThreadWithPriority+27j
					; KiTryUnwaitThreadWithPriority+139j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jz	loc_44DDD2
		jmp	short loc_44DED7
; 

loc_44DEEB:				; CODE XREF: KiTryUnwaitThreadWithPriority+101j
		mov	eax, [esi+0A4h]
		lock dec dword ptr [eax+edx*4+110h]
		lock inc dword ptr [eax+ebx*4+110h]
		jmp	short loc_44DEB3
KiTryUnwaitThreadWithPriority endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtReleaseWorkerFactoryWorker proc near	; DATA XREF: .text:00580D88o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AF816 SIZE 00000095 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		xor	eax, eax
		lea	ecx, [esp+28h+var_20]
		push	esi
		mov	[esp+2Ch+var_C], eax
		mov	[esp+2Ch+var_8], eax
		mov	[esp+2Ch+var_4], eax
		mov	eax, large fs:124h
		push	edi
		push	0
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+38h+var_14], al
		push	[esp+38h+var_14]
		mov	eax, ds:_ExpWorkerFactoryObjectType
		push	eax
		push	1
		push	[ebp+arg_0]
		mov	[esp+48h+var_20], 0
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_44E0F3
		mov	edi, [esp+30h+var_20]
		mov	ebx, [edi+4]
		lea	esi, [edi+4]
		mov	[esp+30h+var_8], ebx
		mov	[esp+30h+var_C], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [esp+30h+var_4], al
		jnz	loc_5AF816
		lea	edx, [esp+30h+var_C]
		xchg	edx, [ebx]
		test	edx, edx
		jnz	loc_44E14A

loc_44DFA2:				; CODE XREF: NtReleaseWorkerFactoryWorker+243j
					; NtReleaseWorkerFactoryWorker+161911j
		mov	ecx, [esi]
		xor	bl, bl
		cmp	[ecx+15h], bl
		jnz	loc_5AF826
		mov	eax, [ecx+0Ch]
		cmp	eax, 0FFFFFFFFh
		jz	loc_5AF833
		inc	eax
		mov	[ecx+0Ch], eax
		mov	eax, [esi]
		cmp	[eax+14h], bl
		jnz	short loc_44DFCC
		mov	byte ptr [eax+14h], 1
		mov	bl, 1

loc_44DFCC:				; CODE XREF: NtReleaseWorkerFactoryWorker+B4j
		mov	[esp+30h+var_18], 0
		test	bl, bl
		jz	short loc_44DFE5
		test	dword ptr [edi+68h], 200h
		jnz	loc_44E13E

loc_44DFE5:				; CODE XREF: NtReleaseWorkerFactoryWorker+C6j
					; NtReleaseWorkerFactoryWorker+235j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5AF840
		mov	eax, [esp+30h+var_C]
		test	eax, eax
		jnz	loc_44E165
		mov	edx, [esp+30h+var_8]
		lea	eax, [esp+30h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+30h+var_C]
		cmp	eax, ecx
		jnz	loc_44E158

loc_44E018:				; CODE XREF: NtReleaseWorkerFactoryWorker+16193Cj
		mov	edi, [esp+30h+var_20]

loc_44E01C:				; CODE XREF: NtReleaseWorkerFactoryWorker+268j
		mov	cl, byte ptr [esp+30h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jz	loc_44E0E3
		mov	esi, [esi]
		mov	ebx, [esi+8]
		mov	esi, [esi+4]
		test	ebx, ebx
		jz	loc_5AF851
		mov	dword ptr [ebx+0Ch], 0
		lea	edi, [esi+8]
		mov	dword ptr [ebx+10h], 0
		mov	dword ptr [ebx+14h], 0
		mov	dword ptr [ebx+18h], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [esp+30h+var_10], al
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[esp+30h+var_1C], eax
		mov	eax, [eax+4]
		mov	[esp+30h+var_14], eax
		jnz	loc_5AF890

loc_44E088:				; CODE XREF: NtReleaseWorkerFactoryWorker+161996j
		mov	ecx, esi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	[edi], edi
		jz	short loc_44E105
		mov	eax, [esi+18h]
		cmp	eax, [esi+1Ch]
		jnb	short loc_44E105
		mov	ecx, [esp+30h+var_14]
		mov	eax, [ecx+0A4h]
		cmp	eax, esi
		jz	short loc_44E0FC

loc_44E0A9:				; CODE XREF: NtReleaseWorkerFactoryWorker+1F3j
		mov	ecx, [esp+30h+var_1C]
		mov	edx, esi
		push	ebx
		call	KiWakeQueueWaiter
		test	al, al
		jz	short loc_44E105

loc_44E0B9:				; CODE XREF: NtReleaseWorkerFactoryWorker+214j
					; NtReleaseWorkerFactoryWorker+218j ...
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		push	[esp+30h+var_10]
		mov	ecx, [esp+34h+var_1C]
		xor	edx, edx
		push	0
		push	1
		call	KiExitDispatcher
		mov	edi, [esp+30h+var_20]

loc_44E0D8:				; CODE XREF: NtReleaseWorkerFactoryWorker+16194Cj
					; NtReleaseWorkerFactoryWorker+16197Bj
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	ExpWorkerFactoryCheckCreate

loc_44E0E3:				; CODE XREF: NtReleaseWorkerFactoryWorker+118j
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, [esp+30h+var_18]

loc_44E0F3:				; CODE XREF: NtReleaseWorkerFactoryWorker+51j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_44E0FC:				; CODE XREF: NtReleaseWorkerFactoryWorker+197j
		cmp	byte ptr [ecx+18Bh], 0Fh
		jnz	short loc_44E0A9

loc_44E105:				; CODE XREF: NtReleaseWorkerFactoryWorker+181j
					; NtReleaseWorkerFactoryWorker+189j ...
		mov	edx, [esi+4]
		lea	eax, [edx+1]
		mov	[esi+4], eax
		lea	eax, [esi+10h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_44E137
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		mov	[eax+4], ebx
		test	edx, edx
		jnz	short loc_44E0B9
		cmp	[edi], edi
		jz	short loc_44E0B9
		mov	ecx, [esp+30h+var_1C]
		mov	edx, esi
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		jmp	short loc_44E0B9
; 

loc_44E137:				; CODE XREF: NtReleaseWorkerFactoryWorker+206j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_44E13E:				; CODE XREF: NtReleaseWorkerFactoryWorker+CFj
		mov	ecx, edi
		call	_ExpLeaveWorkerFactoryAwayMode@4 ; ExpLeaveWorkerFactoryAwayMode(x)
		jmp	loc_44DFE5
; 

loc_44E14A:				; CODE XREF: NtReleaseWorkerFactoryWorker+8Cj
		lea	ecx, [esp+30h+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_44DFA2
; 

loc_44E158:				; CODE XREF: NtReleaseWorkerFactoryWorker+102j
		lea	ecx, [esp+30h+var_C]
		call	KxWaitForLockChainValid
		mov	edi, [esp+30h+var_20]

loc_44E165:				; CODE XREF: NtReleaseWorkerFactoryWorker+E8j
		mov	[esp+30h+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_44E01C
NtReleaseWorkerFactoryWorker endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWorkerFactoryCheckCreate proc near	; CODE XREF: NtReleaseWorkerFactoryWorker+1CEp
					; ExpWorkerFactoryDeferredThreadCreation()+46p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AF8AB SIZE 000000BD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		test	edi, edi
		jnz	short loc_44E1CC
		mov	ebx, [esi+4]
		lea	edi, [ebp+var_10]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_10], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_8], al
		jnz	loc_5AF8AB
		mov	edx, edi
		xchg	edx, [ebx]
		test	edx, edx
		jnz	loc_44E408

loc_44E1CC:				; CODE XREF: ExpWorkerFactoryCheckCreate+1Cj
					; ExpWorkerFactoryCheckCreate+290j ...
		mov	bl, byte ptr [ebp+arg_0]
		test	bl, bl
		jnz	loc_44E415

loc_44E1D7:				; CODE XREF: ExpWorkerFactoryCheckCreate+2A6j
					; ExpWorkerFactoryCheckCreate+2B2j
		cmp	dword ptr [esi+60h], 0
		jnz	short loc_44E1EE
		mov	eax, [esi+50h]
		cmp	eax, [esi+4Ch]
		jnb	short loc_44E1EE
		mov	ecx, [esi+4]
		cmp	dword ptr [ecx+10h], 0
		jbe	short loc_44E231

loc_44E1EE:				; CODE XREF: ExpWorkerFactoryCheckCreate+5Bj
					; ExpWorkerFactoryCheckCreate+63j ...
		and	dword ptr [esi+68h], 0FFFFCE0Fh
		test	ds:byte_70EFC6,	1
		jnz	loc_5AF959
		mov	eax, [edi]
		test	eax, eax
		jnz	loc_44E330
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jnz	loc_44E329

loc_44E21F:				; CODE XREF: ExpWorkerFactoryCheckCreate+1A3j
					; ExpWorkerFactoryCheckCreate+1C1j ...
		mov	cl, [edi+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_44E228:				; CODE XREF: ExpWorkerFactoryCheckCreate+162j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_44E231:				; CODE XREF: ExpWorkerFactoryCheckCreate+6Cj
		mov	edx, [ecx+4]
		cmp	dword ptr [edx+4], 0
		jz	loc_44E346

loc_44E23E:				; CODE XREF: ExpWorkerFactoryCheckCreate+1D0j
		lea	ecx, [esi+68h]
		mov	[ebp+arg_0], ecx
		test	bl, bl
		jnz	loc_44E475
		mov	[ebp+arg_0], ecx

loc_44E24F:				; CODE XREF: ExpWorkerFactoryCheckCreate+2FBj
		mov	eax, [edx+18h]
		cmp	eax, ds:_KeNumberProcessors
		jnb	loc_44E498

loc_44E25E:				; CODE XREF: ExpWorkerFactoryCheckCreate+301j
		test	bl, bl
		jnz	loc_44E486

loc_44E266:				; CODE XREF: ExpWorkerFactoryCheckCreate+30Dj
		mov	ecx, esi
		call	_ExpCheckThreadHistory@4 ; ExpCheckThreadHistory(x)
		test	al, al
		jnz	loc_44E371

loc_44E275:				; CODE XREF: ExpWorkerFactoryCheckCreate+313j
		test	bl, bl
		jnz	loc_44E4CD

loc_44E27D:				; CODE XREF: ExpWorkerFactoryCheckCreate+35Aj
		mov	eax, [esi+5Ch]
		test	eax, eax
		jnz	loc_44E355

loc_44E288:				; CODE XREF: ExpWorkerFactoryCheckCreate+1D8j
					; ExpWorkerFactoryCheckCreate+360j
		mov	eax, [esi+68h]
		lea	ebx, [esi+68h]
		test	eax, 200h
		jnz	loc_44E363

loc_44E299:				; CODE XREF: ExpWorkerFactoryCheckCreate+1ECj
		inc	dword ptr [esi+60h]
		and	eax, 0FFFFCE0Fh
		mov	[ebx], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5AF91E
		mov	eax, [edi]
		test	eax, eax
		jnz	loc_44E506
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jnz	loc_44E4FF

loc_44E2CD:				; CODE XREF: ExpWorkerFactoryCheckCreate+397j
					; ExpWorkerFactoryCheckCreate+1617A8j
		mov	cl, [edi+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	ExpWorkerFactoryCreateThread
		mov	[ebp+arg_0], eax
		test	eax, eax
		jns	loc_44E228
		mov	ecx, [esi+4]
		mov	edx, edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		dec	dword ptr [esi+60h]
		mov	eax, [ebp+arg_0]
		cmp	eax, 0C000010Ah
		jnz	loc_44E51C

loc_44E303:				; CODE XREF: ExpWorkerFactoryCheckCreate+2D0j
					; ExpWorkerFactoryCheckCreate+2D8j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5AF959

loc_44E310:				; CODE XREF: ExpWorkerFactoryCheckCreate+2BFj
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_44E330
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	loc_44E21F

loc_44E329:				; CODE XREF: ExpWorkerFactoryCheckCreate+99j
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_44E330:				; CODE XREF: ExpWorkerFactoryCheckCreate+86j
					; ExpWorkerFactoryCheckCreate+194j
		mov	dword ptr [edi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_44E21F
; 

loc_44E346:				; CODE XREF: ExpWorkerFactoryCheckCreate+B8j
		cmp	dword ptr [ecx+0Ch], 0
		jbe	loc_44E1EE
		jmp	loc_44E23E
; 

loc_44E355:				; CODE XREF: ExpWorkerFactoryCheckCreate+102j
		cmp	[esi+50h], eax
		jbe	loc_44E288
		jmp	loc_5AF8BA
; 

loc_44E363:				; CODE XREF: ExpWorkerFactoryCheckCreate+113j
		mov	ecx, esi
		call	_ExpLeaveWorkerFactoryAwayMode@4 ; ExpLeaveWorkerFactoryAwayMode(x)
		mov	eax, [ebx]
		jmp	loc_44E299
; 

loc_44E371:				; CODE XREF: ExpWorkerFactoryCheckCreate+EFj
		lea	ecx, [esi+68h]
		mov	[ebp+arg_0], ecx
		mov	ecx, [ecx]
		test	cl, 30h
		jnz	loc_44E44A
		mov	ebx, [ebp+arg_0]
		and	ecx, 0FFFFFFDFh
		or	ecx, 10h
		mov	[ebp+var_4], 3
		mov	[ebx], ecx

loc_44E394:				; CODE XREF: ExpWorkerFactoryCheckCreate+2F0j
					; ExpWorkerFactoryCheckCreate+348j ...
		mov	byte ptr [ebp+arg_0+3],	0
		test	cl, 8
		jnz	short loc_44E3A6
		or	ecx, 8
		mov	byte ptr [ebp+arg_0+3],	1
		mov	[ebx], ecx

loc_44E3A6:				; CODE XREF: ExpWorkerFactoryCheckCreate+21Bj
		test	ds:byte_70EFC6,	1
		jnz	loc_5AF92D
		mov	eax, [edi]
		test	eax, eax
		jnz	loc_5AF943
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jnz	loc_5AF93C

loc_44E3D0:				; CODE XREF: ExpWorkerFactoryCheckCreate+1617B7j
					; ExpWorkerFactoryCheckCreate+1617D4j
		mov	cl, [edi+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	byte ptr [ebp+arg_0+3],	0
		jz	short loc_44E3F7
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	edx, esi
		mov	ecx, offset _ExpWorkerFactoryThreadCreationList
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_44E3F7:				; CODE XREF: ExpWorkerFactoryCheckCreate+25Dj
		mov	ecx, [ebp+var_4]
		call	ExpSetWorkerFactoryDeferredCreateTimer
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_44E408:				; CODE XREF: ExpWorkerFactoryCheckCreate+46j
		lea	ecx, [ebp+var_10]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_44E1CC
; 

loc_44E415:				; CODE XREF: ExpWorkerFactoryCheckCreate+51j
		mov	ecx, [esi+68h]
		mov	eax, ecx
		shr	eax, 6
		or	eax, ecx
		shr	eax, 2
		or	eax, ecx
		test	al, 30h
		jnz	loc_44E1D7
		test	ecx, 100h
		jnz	loc_44E1D7
		test	ds:byte_70EFC6,	1
		jz	loc_44E310
		jmp	loc_5AF959
; 

loc_44E44A:				; CODE XREF: ExpWorkerFactoryCheckCreate+1FCj
		mov	eax, ecx
		and	al, 30h
		cmp	al, 10h
		jnz	loc_44E303
		test	bl, bl
		jz	loc_44E303
		mov	ebx, [ebp+arg_0]
		and	ecx, 0FFFFFFEFh
		or	ecx, 20h
		mov	[ebp+var_4], 2
		mov	[ebx], ecx
		jmp	loc_44E394
; 

loc_44E475:				; CODE XREF: ExpWorkerFactoryCheckCreate+C6j
		mov	eax, [ecx]
		and	al, 0C0h
		cmp	al, 80h
		jnz	loc_44E24F
		jmp	loc_44E25E
; 

loc_44E486:				; CODE XREF: ExpWorkerFactoryCheckCreate+E0j
		mov	eax, [esi+68h]
		and	al, 30h
		cmp	al, 20h
		jnz	loc_44E266
		jmp	loc_44E275
; 

loc_44E498:				; CODE XREF: ExpWorkerFactoryCheckCreate+D8j
		mov	ecx, [ecx]
		test	cl, 0C0h
		jz	short loc_44E4E5
		mov	eax, ecx
		and	al, 0C0h
		cmp	al, 40h
		jnz	loc_44E303
		test	bl, bl
		jz	loc_44E303
		mov	ebx, [ebp+arg_0]
		and	ecx, 0FFFFFFBFh
		or	ecx, 80h
		mov	[ebp+var_4], 2
		mov	[ebx], ecx
		jmp	loc_44E394
; 

loc_44E4CD:				; CODE XREF: ExpWorkerFactoryCheckCreate+F7j
		mov	eax, [esi+68h]
		and	eax, 3000h
		cmp	eax, 2000h
		jnz	loc_44E27D
		jmp	loc_44E288
; 

loc_44E4E5:				; CODE XREF: ExpWorkerFactoryCheckCreate+31Dj
		mov	ebx, [ebp+arg_0]
		and	ecx, 0FFFFFF7Fh
		or	ecx, 40h
		mov	[ebp+var_4], 3
		mov	[ebx], ecx
		jmp	loc_44E394
; 

loc_44E4FF:				; CODE XREF: ExpWorkerFactoryCheckCreate+147j
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_44E506:				; CODE XREF: ExpWorkerFactoryCheckCreate+134j
		mov	dword ptr [edi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_44E2CD
; 

loc_44E51C:				; CODE XREF: ExpWorkerFactoryCheckCreate+17Dj
		cmp	eax, 0C000000Ah
		jz	loc_44E303
		cmp	eax, 0C00000F2h
		jz	loc_44E303
		cmp	eax, 0C0000001h
		jz	loc_44E303
		or	dword ptr [ebx], 100h
		mov	ecx, [ebx]
		mov	[ebp+var_4], 1
		jmp	loc_44E394
ExpWorkerFactoryCheckCreate endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSignalThread	proc near		; CODE XREF: KiResumeThread+1EBp
					; KiSignalThreadForApc(x,x,x)+A5p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A7F02 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		xor	al, al
		push	edi
		mov	edi, ecx
		mov	cl, [esi+54h]
		movzx	edx, cl
		and	edx, 7
		cmp	edx, 1
		jnz	loc_44E68D

loc_44E57F:				; CODE XREF: KiSignalThread+130j
		mov	ecx, [esi+0A4h]
		test	ecx, ecx
		jz	short loc_44E599
		mov	al, [ecx]
		and	al, 7Fh
		cmp	al, 15h
		jz	loc_44E673
		lock inc dword ptr [ecx+18h]

loc_44E599:				; CODE XREF: KiSignalThread+27j
					; KiSignalThread+128j
		mov	eax, [esi+1B4h]
		test	eax, eax
		jz	short loc_44E5FB
		push	ebx
		lea	ebx, [eax+3B28h]
		mov	[ebp+arg_4], 0

loc_44E5B1:				; CODE XREF: KiSignalThread+174j
		lock bts dword ptr [ebx], 0
		jb	loc_44E6C8
		mov	eax, [esi+1B4h]
		test	eax, eax
		jz	short loc_44E5F5
		mov	edx, [esi+9Ch]
		lea	eax, [esi+9Ch]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_5A7F02
		cmp	[ecx], eax
		jnz	loc_5A7F02
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	dword ptr [esi+1B4h], 0

loc_44E5F5:				; CODE XREF: KiSignalThread+64j
		xor	eax, eax
		lock and [ebx],	eax
		pop	ebx

loc_44E5FB:				; CODE XREF: KiSignalThread+41j
		mov	al, [esi+90h]
		cmp	al, 1
		jz	loc_5A7F09
		cmp	al, 5
		jnz	short loc_44E62E
		mov	eax, ds:_KeTickCount
		sub	eax, [esi+138h]
		cmp	byte ptr [esi+93h], 0
		jz	short loc_44E664
		add	[esi+258h], eax
		adc	dword ptr [esi+25Ch], 0

loc_44E62E:				; CODE XREF: KiSignalThread+ABj
					; KiSignalThread+111j ...
		mov	byte ptr [esi+90h], 7
		lea	ecx, [esi+9Ch]
		mov	eax, [edi+3B1Ch]
		mov	[ecx], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+3B1Ch], ecx
		mov	[esi+94h], eax
		mov	al, 1
		mov	dword ptr [esi+248h], 0

loc_44E65E:				; CODE XREF: KiSignalThread+13Bj
					; KiWakeQueueWaiter+15A1FBj ...
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_44E664:				; CODE XREF: KiSignalThread+BFj
		add	[esi+250h], eax
		adc	dword ptr [esi+254h], 0
		jmp	short loc_44E62E
; 

loc_44E673:				; CODE XREF: KiSignalThread+2Fj
		movzx	eax, byte ptr [esi+14Ch]
		mov	[esi+14Ch], eax
		lock inc dword ptr [ecx+eax*4+110h]
		jmp	loc_44E599
; 

loc_44E68D:				; CODE XREF: KiSignalThread+19j
		cmp	edx, 4
		jz	loc_44E57F
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_44E65E
		test	edx, edx
		jnz	loc_5A7EDD
		mov	eax, [ebp+arg_0]
		and	cl, 0FAh
		or	cl, 2
		mov	[esi+54h], cl
		mov	[esi+94h], eax
		mov	al, 1
		mov	[esi+248h], edx
		mov	[edi+9], dl
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_44E6C8:				; CODE XREF: KiSignalThread+56j
					; KiSignalThread+17Aj
		lea	ecx, [ebp+arg_4]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jz	loc_44E5B1
		jmp	short loc_44E6C8
KiSignalThread	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpIsPoolReadyForWork(x, x,	x)
_ExpIsPoolReadyForWork@12 proc near	; CODE XREF: .text:0044E7CFp
					; ExpTryQueueWorkItem+80p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	short loc_44E74D
		movzx	ecx, word ptr [edx+8Ah]
		mov	eax, [esi+8]
		mov	eax, [eax+ecx*4]
		mov	eax, [eax+0A8h]
		test	eax, eax
		jz	short loc_44E74D
		cmp	eax, 1
		jz	short loc_44E74D
		mov	eax, [esi+4]
		mov	ecx, [eax+ecx*4]
		mov	eax, [ebp+arg_0]
		shl	eax, 2
		mov	edx, [ecx+eax]
		test	dl, 1
		jnz	short loc_44E74D
		test	edx, edx
		jz	short loc_44E74D
		mov	ecx, [edx+1ACh]
		mov	eax, ecx
		and	eax, 3FFFh
		test	ecx, 4000h
		jnz	short loc_44E74A

loc_44E735:				; CODE XREF: ExpIsPoolReadyForWork(x,x,x)+6Bj
		mov	ecx, [edx+1B0h]
		add	ecx, ecx
		sar	ecx, 1
		cmp	eax, ecx
		jl	short loc_44E74D
		mov	al, 1

loc_44E745:				; CODE XREF: ExpIsPoolReadyForWork(x,x,x)+6Fj
		pop	esi
		pop	ebp
		retn	4
; 

loc_44E74A:				; CODE XREF: ExpIsPoolReadyForWork(x,x,x)+53j
		dec	eax
		jmp	short loc_44E735
; 

loc_44E74D:				; CODE XREF: ExpIsPoolReadyForWork(x,x,x)+Aj
					; ExpIsPoolReadyForWork(x,x,x)+21j ...
		xor	al, al
		jmp	short loc_44E745
_ExpIsPoolReadyForWork@12 endp

; 
		align 10h

ExpQueueWorkItem:			; CODE XREF: ExQueueWorkItemEx(x,x,x)+2Cp
					; ExQueueWorkItem+2Fp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	[ebp-0Ch], edx
		xor	bl, bl
		mov	[ebp-8], ecx
		mov	dword ptr [ebp-14h], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, [ebp+0Ch]
		mov	[ebp-1], al
		mov	eax, large fs:20h
		mov	edx, [eax+338h]
		movzx	eax, ds:_KeNumberNodes
		cmp	esi, eax
		jb	short loc_44E7A3
		movzx	esi, word ptr [edx+8Ah]

loc_44E7A3:				; CODE XREF: .text:0044E79Aj
		mov	ecx, esi
		cmp	esi, eax
		jnb	loc_44E8E3
		push	edi
		mov	edi, [ebp+10h]

loc_44E7B1:				; CODE XREF: .text:005AF987j
		movzx	ecx, cx
		mov	edx, ds:_KeNodeBlock[ecx*4]
		mov	[ebp+10h], edx
		call	_KeIsNodeInitialized@4 ; KeIsNodeInitialized(x)
		test	al, al
		jz	loc_5AF968

loc_44E7CB:				; CODE XREF: .text:005AF96Dj
		mov	ecx, [ebp-8]
		push	edi
		call	_ExpIsPoolReadyForWork@12 ; ExpIsPoolReadyForWork(x,x,x)
		test	al, al
		jz	loc_5AF972
		mov	eax, [ebp+10h]
		movzx	ecx, word ptr [eax+8Ah]
		mov	eax, [ebp-8]
		mov	eax, [eax+4]
		mov	ecx, [eax+ecx*4]
		lea	eax, ds:0[edi*4]
		mov	ebx, [ecx+eax]
		mov	[ebp+0Ch], ebx
		test	bl, 1
		jnz	loc_5AF992

loc_44E805:				; CODE XREF: .text:005AF997j
		lea	edi, [ebx+8]
		mov	[ebp-1Ch], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp-20h], al
		mov	eax, large fs:20h
		mov	[ebp-10h], eax
		mov	dword ptr [ebp-18h], 0
		mov	esi, [eax+4]
		lock bts dword ptr [ebx], 7
		jb	loc_44E930

loc_44E832:				; CODE XREF: .text:0044E943j
		cmp	[edi], edi
		jz	loc_44E903
		mov	eax, [esi+0A4h]
		cmp	eax, ebx
		jz	loc_44E8F6

loc_44E848:				; CODE XREF: .text:0044E8FDj
		mov	edi, [ebp+8]
		lea	esi, [ebx+190h]
		mov	eax, 20h
		xor	edx, edx

loc_44E858:				; CODE XREF: .text:0044E871j
		mov	ecx, [esi-4]
		lea	esi, [esi-4]
		add	edx, ecx
		dec	eax
		mov	ecx, [ebx+190h]
		cmp	edx, ecx
		jnb	loc_44E908
		cmp	eax, edi
		jg	short loc_44E858
		cmp	edx, ecx
		jnb	loc_44E908
		mov	ebx, [ebp-1Ch]
		mov	esi, [ebx]

loc_44E880:				; CODE XREF: .text:005AF99Ej
		mov	eax, [esi]
		mov	edx, esi
		mov	esi, eax
		mov	ecx, [edx+4]
		cmp	[eax+4], edx
		jnz	loc_44E970
		cmp	[ecx], edx
		jnz	loc_44E970
		mov	[ecx], eax
		push	edi
		push	dword ptr [ebp-0Ch]
		mov	[eax+4], ecx
		mov	ecx, [ebp-10h]
		call	KiTryUnwaitThreadWithPriority
		test	al, al
		jz	loc_5AF99C
		mov	ebx, [ebp+0Ch]

loc_44E8B6:				; CODE XREF: .text:0044E929j
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		push	dword ptr [ebp-20h]
		mov	ecx, [ebp-10h]
		xor	edx, edx
		push	0
		push	1
		call	KiExitDispatcher
		mov	edx, [ebx+1B4h]
		mov	ecx, ebx
		call	_ExpNewThreadNecessary@8 ; ExpNewThreadNecessary(x,x)
		test	al, al
		jnz	short loc_44E94B

loc_44E8E0:				; CODE XREF: .text:0044E96Bj
		mov	bl, 1

loc_44E8E2:				; CODE XREF: .text:005AF98Dj
		pop	edi

loc_44E8E3:				; CODE XREF: .text:0044E7A7j
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_44E8F6:				; CODE XREF: .text:0044E842j
		cmp	byte ptr [esi+18Bh], 0Fh
		jnz	loc_44E848

loc_44E903:				; CODE XREF: .text:0044E834j
		mov	edi, [ebp+8]
		jmp	short loc_44E90B
; 

loc_44E908:				; CODE XREF: .text:0044E869j
					; .text:0044E875j ...
		mov	ebx, [ebp+0Ch]

loc_44E90B:				; CODE XREF: .text:0044E906j
		inc	dword ptr [ebx+4]
		lea	eax, [edi+2]
		mov	ecx, [ebx+eax*8+4]
		lea	eax, [ebx+eax*8]
		cmp	[ecx], eax
		jnz	short loc_44E970
		mov	edx, [ebp-0Ch]
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[eax+4], edx
		jmp	short loc_44E8B6
; 
		jmp	short loc_44E930
; 
		align 10h

loc_44E930:				; CODE XREF: .text:0044E82Cj
					; .text:0044E92Bj ...
		lea	ecx, [ebp-18h]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	al, al
		js	short loc_44E930
		lock bts dword ptr [ebx], 7
		jnb	loc_44E832
		jmp	short loc_44E930
; 

loc_44E94B:				; CODE XREF: .text:0044E8DEj
		mov	eax, [ebp+10h]
		push	0
		push	0
		movzx	ecx, word ptr [eax+8Ah]
		mov	eax, [ebp-8]
		mov	eax, [eax+8]
		mov	eax, [eax+ecx*4]
		add	eax, 8
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_44E8E0
; 

loc_44E970:				; CODE XREF: .text:0044E88Cj
					; .text:0044E894j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFillPoolCommitPageTable proc near	; CODE XREF: MiCommitPoolMemory+88p

var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AF9A9 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	[ebp+var_8], esi
		test	byte ptr [esi+2Eh], 4
		jnz	loc_44EA64
		mov	edi, [esi+10h]
		xor	ebx, ebx
		test	edi, edi
		jz	loc_44EA64
		mov	eax, ds:__imp_@KfRaiseIrql@4 ; KfRaiseIrql(x)
		mov	[ebp+var_1C], eax
		nop

loc_44E9B0:				; CODE XREF: MiFillPoolCommitPageTable+DEj
		mov	ecx, [esi+24h]
		test	ecx, ecx
		jz	loc_44EACC
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	eax, ecx
		jnz	loc_44EABB
		test	ecx, ecx
		jz	loc_44EACC

loc_44E9DA:				; CODE XREF: MiFillPoolCommitPageTable+157j
		mov	edx, [edi]
		nop
		mov	ecx, [edi+4]
		mov	eax, edx
		or	eax, ecx
		jz	loc_5AF9A9
		mov	esi, dword_6D0704
		mov	eax, dword_6D0700
		mov	[ebp+var_14], esi
		or	eax, esi
		mov	esi, [ebp+var_8]
		mov	[ebp+var_4], ecx
		jz	short loc_44EA0C
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jz	short loc_44EA6B

loc_44EA0C:				; CODE XREF: MiFillPoolCommitPageTable+80j
					; MiFillPoolCommitPageTable+F3j
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_44EAE2
		xor	ecx, ecx

loc_44EA17:				; CODE XREF: MiFillPoolCommitPageTable+169j
		mov	[esi+10h], ecx
		movzx	eax, word ptr [esi+2Eh]
		mov	ecx, eax
		test	al, 1
		jnz	loc_5AF9B3
		test	cl, 2
		jz	short loc_44EA75
		shr	ecx, 3
		and	ecx, 1Fh
		mov	eax, ecx
		cdq
		shld	edx, eax, 5
		shl	eax, 5
		push	edx
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[edi], eax
		nop
		mov	[edi+4], edx

loc_44EA4A:				; CODE XREF: MiFillPoolCommitPageTable+103j
		inc	dword ptr [esi+0Ch]

loc_44EA4D:				; CODE XREF: MiFillPoolCommitPageTable+105j
					; MiFillPoolCommitPageTable+161043j
		inc	ebx
		cmp	dword ptr [esi+10h], 0
		jz	short loc_44EA59
		test	bl, 0Fh
		jz	short loc_44EA87

loc_44EA59:				; CODE XREF: MiFillPoolCommitPageTable+D2j
					; MiFillPoolCommitPageTable+10Bj ...
		mov	edi, [esi+10h]
		test	edi, edi
		jnz	loc_44E9B0

loc_44EA64:				; CODE XREF: MiFillPoolCommitPageTable+14j
					; MiFillPoolCommitPageTable+21j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_44EA6B:				; CODE XREF: MiFillPoolCommitPageTable+8Aj
		mov	ecx, [ebp+var_14]
		not	ecx
		and	ecx, [ebp+var_4]
		jmp	short loc_44EA0C
; 

loc_44EA75:				; CODE XREF: MiFillPoolCommitPageTable+ABj
		shl	edi, 9
		mov	ecx, esi
		mov	edx, edi
		call	_MiAssignNonPagedPoolPte@8 ; MiAssignNonPagedPoolPte(x,x)
		test	eax, eax
		jnz	short loc_44EA4A
		jmp	short loc_44EA4D
; 

loc_44EA87:				; CODE XREF: MiFillPoolCommitPageTable+D7j
		cmp	byte ptr [esi+2Ch], 2
		jnb	short loc_44EA59
		mov	ecx, [esi+1Ch]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_44EAA2
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_44EA59

loc_44EAA2:				; CODE XREF: MiFillPoolCommitPageTable+117j
		mov	ecx, esi
		call	_MiUnlockPoolCommitWs@4	; MiUnlockPoolCommitWs(x)
		mov	cl, 2
		call	[ebp+var_1C]
		mov	ecx, [esi+1Ch]
		mov	[esi+2Ch], al
		call	MiLockWorkingSetShared
		jmp	short loc_44EA59
; 

loc_44EABB:				; CODE XREF: MiFillPoolCommitPageTable+4Cj
		mov	edx, ecx
		mov	ecx, [esi+1Ch]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dword ptr [esi+24h], 0

loc_44EACC:				; CODE XREF: MiFillPoolCommitPageTable+35j
					; MiFillPoolCommitPageTable+54j
		mov	edx, edi
		mov	ecx, esi
		call	MiLockPoolCommitPageTable
		test	eax, eax
		jnz	loc_44E9DA
		jmp	loc_5AF9C8
; 

loc_44EAE2:				; CODE XREF: MiFillPoolCommitPageTable+8Fj
					; MiFillPoolCommitPageTable+16102Ej
		lea	ecx, ds:0C0400000h[ecx*8]
		jmp	loc_44EA17
MiFillPoolCommitPageTable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiCheckDueTimeExpired proc near		; CODE XREF: KeRemovePriQueue+B8p
					; KeDelayExecutionThread(x,x,x)+90p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		push	esi
		push	edi
		mov	edi, ecx
		cmp	edx, 2
		jz	short loc_44EB14
		test	edx, edx
		jnz	short loc_44EB4D

loc_44EB0B:				; CODE XREF: KiCheckDueTimeExpired+55j
					; KiCheckDueTimeExpired+5Bj
		xor	eax, eax

loc_44EB0D:				; CODE XREF: KiCheckDueTimeExpired+6Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_44EB14:				; CODE XREF: KiCheckDueTimeExpired+17j
		xor	cl, cl
		call	KiQueryUnbiasedInterruptTime
		push	0
		push	[ebp+arg_4]
		mov	ebx, eax
		mov	esi, edx
		push	[ebp+arg_0]
		sub	ebx, [edi+0B0h]
		mov	ecx, edi
		push	2
		sbb	esi, [edi+0B4h]
		pop	edx
		call	KiGetDueTimeWithThreadTimerDelay
		mov	edi, eax
		mov	ecx, edx

loc_44EB41:				; CODE XREF: KiCheckDueTimeExpired+88j
					; MiFillPoolCommitPageTable+16107Fj
		cmp	esi, ecx
		jb	short loc_44EB0B
		ja	short loc_44EB59
		cmp	ebx, edi
		jbe	short loc_44EB0B
		jmp	short loc_44EB59
; 

loc_44EB4D:				; CODE XREF: KiCheckDueTimeExpired+1Bj
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		mov	ecx, [ebp+arg_4]
		or	eax, ecx
		jnz	short loc_44EB5E

loc_44EB59:				; CODE XREF: KiCheckDueTimeExpired+57j
					; KiCheckDueTimeExpired+5Dj
		xor	eax, eax
		inc	eax
		jmp	short loc_44EB0D
; 

loc_44EB5E:				; CODE XREF: KiCheckDueTimeExpired+69j
		mov	eax, 0FFDF0018h
		mov	[ebp+var_4], ebx
		mov	esi, [eax]
		add	eax, 0FFFFFFFCh
		mov	ebx, [eax]
		mov	eax, 0FFDF001Ch
		mov	eax, [eax]
		cmp	esi, eax
		jz	short loc_44EB41
		jmp	loc_5AF9DA
KiCheckDueTimeExpired endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ExpNewThreadNecessary(x, x)
_ExpNewThreadNecessary@8 proc near	; CODE XREF: .text:0044E8D7p
					; ExpWorkerThread+C5p ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx+1ACh]
		mov	eax, [ecx+1B0h]
		add	eax, eax
		sar	eax, 1
		cmp	esi, eax
		jl	short loc_44EBB6
		cmp	esi, edx
		jge	short loc_44EBA2
		lea	eax, [ecx+8]
		cmp	[eax], eax
		jz	short loc_44EBA6

loc_44EBA2:				; CODE XREF: ExpNewThreadNecessary(x,x)+19j
					; ExpNewThreadNecessary(x,x)+34j
		xor	al, al
		pop	esi
		retn
; 

loc_44EBA6:				; CODE XREF: ExpNewThreadNecessary(x,x)+20j
		cmp	dword ptr [ecx+4], 0
		jnz	short loc_44EBB6
		mov	eax, [ecx+1B0h]
		test	eax, eax
		jns	short loc_44EBA2

loc_44EBB6:				; CODE XREF: ExpNewThreadNecessary(x,x)+15j
					; ExpNewThreadNecessary(x,x)+2Aj
		mov	al, 1
		pop	esi
		retn
_ExpNewThreadNecessary@8 endp

; 
		align 10h
; Exported entry 1195. KeIsAttachedProcess

;  S U B	R O U T	I N E 


; __stdcall KeIsAttachedProcess()
		public _KeIsAttachedProcess@0
_KeIsAttachedProcess@0 proc near	; CODE XREF: PnpIsSafeToExamineUserModeTeb()p
					; IopCopyCompleteReadIrp(x,x,x)+7Fp ...
		mov	eax, large fs:124h
		cmp	byte ptr [eax+16Ah], 1
		setz	al
		retn
_KeIsAttachedProcess@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PsGetIoPriorityThread(x)
_PsGetIoPriorityThread@4 proc near	; CODE XREF: CcScheduleReadAheadEx+57p
					; MiIssueFlowThroughFault(x,x,x,x,x,x,x)+32p ...
		mov	eax, [ecx+2FCh]
		mov	edx, [ecx+150h]
		shr	eax, 9
		and	eax, 7
		test	dword ptr [edx+0FCh], 100000h
		jnz	short loc_44EC1C

loc_44EBFE:				; CODE XREF: PsGetIoPriorityThread(x)+3Ej
		cmp	eax, 2
		jb	short loc_44EC04

locret_44EC03:				; CODE XREF: PsGetIoPriorityThread(x)+2Bj
					; PsGetIoPriorityThread(x)+34j
		retn
; 

loc_44EC04:				; CODE XREF: PsGetIoPriorityThread(x)+21j
		cmp	ecx, large fs:124h
		jnz	short locret_44EC03
		cmp	dword ptr [ecx+32Ch], 0
		jz	short locret_44EC03
		mov	eax, 2
		retn
; 

loc_44EC1C:				; CODE XREF: PsGetIoPriorityThread(x)+1Cj
		xor	eax, eax
		jmp	short loc_44EBFE
_PsGetIoPriorityThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWorkerThread	proc near		; DATA XREF: ExpCreateWorkerThread+40o

var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AFA04 SIZE 000001CB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	edx, [ebp+var_38]
		mov	[ebp+var_24], eax
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		lea	edi, [ebp+var_10]
		mov	[ebp+var_19], 1
		stosd
		mov	[ebp+var_38], 0
		mov	[ebp+var_34], 0
		mov	[ebp+var_20], edx
		stosd
		stosd
		mov	edi, [ebp+var_24]
		mov	eax, [edi+1A0h]
		mov	[ebp+var_28], eax
		mov	eax, [edi+19Ch]
		mov	[ebp+var_30], eax
		mov	eax, [esi+300h]
		test	al, 1
		jnz	loc_5AFA04

loc_44EC85:				; CODE XREF: ExpWorkerThread+160DEBj
		or	eax, 1
		mov	[ebp+var_2C], 0
		mov	[esi+300h], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_2C]
		lock or	[eax], ecx
		cmp	_ExpWorkersCanSwap, cl
		jz	loc_44EF11
		lea	esp, [esp+0]

loc_44ECB0:				; CODE XREF: ExpWorkerThread+1D0j
					; ExpWorkerThread+1F9j	...
		push	edx
		push	ecx
		mov	ecx, edi
		call	KeRemovePriQueue
		cmp	[ebp+var_19], 0
		mov	ebx, eax
		jnz	loc_44EEB2
		cmp	ebx, 102h
		jz	loc_44EDFB

loc_44ECD1:				; CODE XREF: ExpWorkerThread+2C1j
		cmp	ebx, 80h
		jz	loc_44EDFB
		mov	edx, [edi+1B4h]
		mov	ecx, edi
		call	_ExpNewThreadNecessary@8 ; ExpNewThreadNecessary(x,x)
		test	al, al
		jnz	loc_44EEEC

loc_44ECF2:				; CODE XREF: ExpWorkerThread+2ECj
		lock inc dword ptr [edi+1A4h]
		test	ds:dword_70EFC8, 8000000h
		mov	eax, [ebx+8]
		mov	ecx, [ebx+0Ch]
		mov	dword ptr [ebp+var_14],	eax
		mov	[ebp+var_18], ecx
		jnz	loc_5AFA10
		push	ecx
		call	eax

loc_44ED18:				; CODE XREF: ExpWorkerThread+160E0Fj
		lea	eax, [esi+1DCh]
		cmp	[eax], eax
		jnz	loc_5AFB92
		mov	eax, [esi+13Ch]
		test	eax, eax
		jnz	loc_5AFB7D
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jnz	loc_5AFB62
		mov	eax, [esi+2FCh]
		test	al, 8
		jnz	loc_5AFB4F
		mov	eax, large fs:124h
		cmp	byte ptr [eax+16Ah], 1
		jz	loc_5AFB31
		mov	eax, [esi+390h]
		cmp	eax, 0FFFFFFFDh
		jnz	loc_5AFB1E
		mov	ecx, esi
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 2
		jnz	loc_5AFB07
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)
		cmp	eax, 5
		jnz	loc_5AFAEE
		mov	eax, [esi+304h]
		test	eax, 100h
		jnz	loc_5AFAD6
		mov	eax, [esi+300h]
		shr	eax, 0Bh
		and	eax, 1
		jnz	loc_5AFAC4
		test	byte ptr [esi+58h], 8
		jnz	loc_5AFA34

loc_44EDBD:				; CODE XREF: ExpWorkerThread+160E40j
		mov	ecx, [ebp+var_28]
		mov	ax, [esi+158h]
		cmp	ax, [ecx+88h]
		jnz	loc_5AFA65
		mov	eax, [esi+154h]
		cmp	eax, [ecx+84h]
		jnz	loc_5AFA65

loc_44EDE6:				; CODE XREF: ExpWorkerThread+160E62j
		cmp	dword ptr [esi+35Ch], 0
		mov	edx, [ebp+var_20]
		jz	loc_44ECB0
		jmp	loc_5AFA87
; 

loc_44EDFB:				; CODE XREF: ExpWorkerThread+ABj
					; ExpWorkerThread+B7j
		mov	eax, [edi+1ACh]
		lea	ecx, [edi+1ACh]
		test	eax, 8000h
		jnz	short loc_44EE29
		mov	edx, [ebp+var_20]
		lea	eax, [esi+2CCh]
		cmp	[eax], eax
		jnz	loc_44ECB0
		cmp	dword ptr [edi+4], 0
		jnz	loc_44ECB0

loc_44EE29:				; CODE XREF: ExpWorkerThread+1ECj
		mov	ebx, [ecx]
		jmp	short loc_44EE30
; 
		align 10h

loc_44EE30:				; CODE XREF: ExpWorkerThread+20Bj
					; ExpWorkerThread+24Bj
		mov	eax, [edi+1B0h]
		mov	edx, ebx
		and	edx, 3FFFh
		mov	[ebp+var_18], ebx
		add	eax, eax
		dec	edx
		sar	eax, 1
		cmp	edx, eax
		jl	loc_5AFAB7

loc_44EE4E:				; CODE XREF: ExpWorkerThread+160E9Fj
		mov	ecx, ebx
		mov	eax, ebx
		and	ecx, 0FFFFC000h
		lea	ebx, [edi+1ACh]
		or	edx, ecx
		mov	ecx, edx
		lock cmpxchg [ebx], ecx
		mov	ebx, eax
		cmp	ebx, [ebp+var_18]
		jnz	short loc_44EE30
		cmp	edx, 8000h
		jz	loc_5AFBA2
		xor	bl, bl

loc_44EE7B:				; CODE XREF: ExpWorkerThread+160F84j
		lea	eax, [esi+2CCh]
		cmp	[eax], eax
		jnz	loc_5AFBA9
		and	dword ptr [esi+300h], 0FFFFFFFEh
		push	1
		call	_KeSetKernelStackSwapEnable@4 ;	KeSetKernelStackSwapEnable(x)
		test	bl, bl
		jnz	loc_5AFBBA

loc_44EE9F:				; CODE XREF: ExpWorkerThread+160FAAj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_44EEB2:				; CODE XREF: ExpWorkerThread+9Fj
		mov	ecx, [edi+1B0h]
		lea	eax, [edi+1ACh]
		and	ecx, 7FFFFFFFh
		mov	[ebp+var_19], 0
		mov	[edi+1B0h], ecx
		mov	ecx, 0FFFFBFFFh
		lock and [eax],	ecx
		xor	edx, edx
		mov	[ebp+var_20], edx
		cmp	ebx, 102h
		jnz	loc_44ECD1
		jmp	loc_44ECB0
; 

loc_44EEEC:				; CODE XREF: ExpWorkerThread+CCj
		mov	eax, [ebp+var_28]
		push	0
		push	0
		movzx	ecx, word ptr [eax+8Ah]
		mov	eax, [ebp+var_30]
		mov	eax, [eax+8]
		mov	eax, [eax+ecx*4]
		add	eax, 8
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_44ECF2
; 

loc_44EF11:				; CODE XREF: ExpWorkerThread+83j
		push	0
		call	_KeSetKernelStackSwapEnable@4 ;	KeSetKernelStackSwapEnable(x)
		lea	edx, [ebp+var_38]
		jmp	loc_44ECB0
ExpWorkerThread	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeRemovePriQueue proc near		; CODE XREF: ExpWorkerThread+94p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005AFBCF SIZE 000000C3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_8]
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		push	eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_1C], 0
		push	eax
		mov	edi, ecx
		mov	[ebp+var_18], 0
		push	0
		mov	ecx, esi
		mov	[ebp+var_4], 0
		mov	[ebp+var_8], 0
		lea	ebx, [esi+0E0h]
		call	_KiCheckWaitNext@20 ; KiCheckWaitNext(x,x,x,x,x)
		lea	ebx, [ebx+0]

loc_44EF70:				; CODE XREF: KeRemovePriQueue+2AAj
		push	0
		push	0Fh
		xor	dl, dl
		mov	ecx, esi
		call	KiBeginThreadWait
		test	eax, eax
		jnz	loc_44F070
		mov	eax, [esi+0A4h]
		cmp	edi, eax
		jnz	loc_44F1CF

loc_44EF93:				; CODE XREF: KeRemovePriQueue+2B9j
		mov	byte ptr [ebx+8], 3
		mov	eax, 80h
		mov	byte ptr [ebx+9], 4
		mov	[ebx+0Ah], ax
		mov	[ebx+10h], edi
		mov	[ebp+arg_4], 0
		lock bts dword ptr [edi], 7
		jb	loc_44F11C

loc_44EFB9:				; CODE XREF: KeRemovePriQueue+21Aj
		cmp	dword ptr [edi+4], 0
		jnz	loc_44F079

loc_44EFC3:				; CODE XREF: KeRemovePriQueue+229j
		test	byte ptr [edi+1], 1
		jnz	loc_5AFC18
		push	[ebp+var_18]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	[ebp+var_1C]
		call	KiCheckDueTimeExpired
		test	eax, eax
		jnz	loc_44F1DE
		lea	ebx, [esi+2Ch]
		mov	[ebp+var_10], eax
		jmp	short loc_44EFF0
; 
		align 10h

loc_44EFF0:				; CODE XREF: KeRemovePriQueue+CBj
					; KeRemovePriQueue+160CE8j
		lock bts dword ptr [ebx], 0
		jb	loc_5AFBFA
		movzx	ecx, byte ptr [esi+14Ch]
		mov	eax, ecx
		or	eax, 100h
		mov	[esi+14Ch], eax
		lock dec dword ptr [edi+ecx*4+110h]
		mov	dword ptr [ebx], 0
		lea	eax, [edi+8]
		mov	ecx, [eax]
		lea	ebx, [esi+0E0h]
		cmp	[ecx+4], eax
		jnz	loc_5AFC76
		mov	[ebx+4], eax
		mov	[ebx], ecx
		mov	[ecx+4], ebx
		mov	[eax], ebx
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		push	0
		push	[ebp+var_18]
		mov	edx, ebx
		mov	byte ptr [esi+16Bh], 1
		push	[ebp+var_1C]
		mov	ecx, esi
		push	[ebp+var_8]
		call	KiCommitThreadWait
		mov	byte ptr [esi+18Bh], 0
		cmp	eax, 100h
		jz	loc_44F1BE

loc_44F070:				; CODE XREF: KeRemovePriQueue+5Fj
					; KeRemovePriQueue+1F7j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_44F079:				; CODE XREF: KeRemovePriQueue+9Dj
		lea	ebx, [esi+2Ch]
		mov	[ebp+var_C], 0

loc_44F083:				; CODE XREF: KeRemovePriQueue+160CD5j
		lock bts dword ptr [ebx], 0
		jb	loc_5AFBE7
		movzx	eax, byte ptr [esi+14Ch]
		lea	edx, [ebp+var_4]
		push	eax
		mov	ecx, edi
		call	KiAttemptFastRemovePriQueue
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	loc_44F142
		mov	ecx, [esi+14Ch]
		mov	ebx, [ebp+var_4]
		movzx	edx, cl
		cmp	edx, ebx
		jnz	loc_44F18D

loc_44F0BF:				; CODE XREF: KeRemovePriQueue+299j
		push	0
		lea	edx, [ebp+var_4]
		mov	byte ptr [esi+18Dh], 0
		mov	ecx, esi
		call	_KiSetBasePriorityAndClearDecrement@12 ; KiSetBasePriorityAndClearDecrement(x,x,x)
		movsx	eax, byte ptr [esi+87h]
		cmp	ebx, eax
		jnz	short loc_44F14E

loc_44F0DD:				; CODE XREF: KeRemovePriQueue+268j
		mov	ebx, [ebp+arg_4]
		mov	dword ptr [esi+2Ch], 0

loc_44F0E7:				; CODE XREF: KeRemovePriQueue+2C3j
					; KeRemovePriQueue+160D41j
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	edi, large fs:20h
		mov	byte ptr [esi+18Bh], 0
		cmp	dword ptr [edi+3B1Ch], 0
		jnz	loc_5AFC7D

loc_44F10A:				; CODE XREF: KeRemovePriQueue+160D6Dj
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	_KiFastExitThreadWait@12 ; KiFastExitThreadWait(x,x,x)
		mov	eax, ebx
		jmp	loc_44F070
; 

loc_44F11C:				; CODE XREF: KeRemovePriQueue+93j
		mov	ebx, [ebp+arg_4]
		nop

loc_44F120:				; CODE XREF: KeRemovePriQueue+213j
					; KeRemovePriQueue+220j
		inc	ebx
		test	ds:_HvlLongSpinCountMask, ebx
		jz	loc_5AFBCF

loc_44F12D:				; CODE XREF: KeRemovePriQueue+160CB6j
		pause

loc_44F12F:				; CODE XREF: KeRemovePriQueue+160CC2j
		mov	eax, [edi]
		test	al, al
		js	short loc_44F120
		lock bts dword ptr [edi], 7
		jnb	loc_44EFB9
		jmp	short loc_44F120
; 

loc_44F142:				; CODE XREF: KeRemovePriQueue+185j
		mov	dword ptr [esi+2Ch], 0
		jmp	loc_44EFC3
; 

loc_44F14E:				; CODE XREF: KeRemovePriQueue+1BBj
		mov	ecx, large fs:20h
		cmp	byte ptr [ecx+11h], 0
		jnz	loc_5AFC0D
		cli
		push	0
		mov	edx, esi
		call	_KiUpdateTotalCyclesCurrentThread@12 ; KiUpdateTotalCyclesCurrentThread(x,x,x)
		sti

loc_44F16A:				; CODE XREF: KeRemovePriQueue+160CF3j
		push	0
		push	edx
		movzx	edx, byte ptr [esi+193h]
		mov	ecx, esi
		push	eax
		call	_KiComputeQuantumTargetThread@20 ; KiComputeQuantumTargetThread(x,x,x,x,x)
		push	[ebp+var_4]
		xor	edx, edx
		mov	ecx, esi
		call	KiSetPriorityThread
		jmp	loc_44F0DD
; 

loc_44F18D:				; CODE XREF: KeRemovePriQueue+199j
		and	ecx, 100h
		jnz	short loc_44F1AE
		mov	eax, [esi+0A4h]
		lock dec dword ptr [eax+edx*4+110h]
		mov	ebx, [ebp+var_4]
		lock inc dword ptr [eax+ebx*4+110h]

loc_44F1AE:				; CODE XREF: KeRemovePriQueue+273j
		movzx	eax, bl
		or	eax, ecx
		mov	[esi+14Ch], eax
		jmp	loc_44F0BF
; 

loc_44F1BE:				; CODE XREF: KeRemovePriQueue+14Aj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esi+92h], al
		jmp	loc_44EF70
; 

loc_44F1CF:				; CODE XREF: KeRemovePriQueue+6Dj
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	KiSwitchPriQueue
		jmp	loc_44EF93
; 

loc_44F1DE:				; CODE XREF: KeRemovePriQueue+BFj
		mov	ebx, 102h
		jmp	loc_44F0E7
KeRemovePriQueue endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiBeginThreadWait proc near		; CODE XREF: KeRemovePriQueue+58p
					; KeDelayExecutionThread(x,x,x)+79p ...

var_10		= dword	ptr -10h
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005AFC92 SIZE 00000061 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	bl, [ebp+arg_4]
		mov	bh, dl
		push	esi
		mov	esi, ecx
		push	edi
		mov	dl, [esi+92h]
		lea	edi, [esi+2Ch]
		mov	[ebp+var_1], dl
		lea	esp, [esp+0]

loc_44F210:				; CODE XREF: KiBeginThreadWait+160AE1j
		and	dword ptr [esi+58h], 0FFFFFFEFh
		mov	byte ptr [esi+54h], 0
		mov	[esi+93h], bh
		test	bl, bl
		jnz	short loc_44F284

loc_44F222:				; CODE XREF: KiBeginThreadWait+98j
		mov	dword ptr [ebp+arg_4], 0
		lea	esp, [esp+0]

loc_44F230:				; CODE XREF: KiBeginThreadWait+FEj
		lock bts dword ptr [edi], 0
		jb	loc_44F2E0
		cmp	byte ptr [esi+85h], 0
		mov	dl, [ebp+var_1]
		jnz	loc_5AFC92

loc_44F24B:				; CODE XREF: KiBeginThreadWait+160AAAj
					; KiBeginThreadWait+160AB3j
		test	bl, bl
		jnz	short loc_44F28A
		test	byte ptr [esi+86h], 2
		jnz	short loc_44F2AE

loc_44F258:				; CODE XREF: KiBeginThreadWait+B7j
					; KiBeginThreadWait+C0j
		mov	al, [ebp+arg_0]
		mov	byte ptr [esi+90h], 5
		mov	[esi+18Bh], al
		mov	eax, ds:_KeTickCount
		mov	[esi+138h], eax
		xor	eax, eax
		mov	dword ptr [edi], 0
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_44F284:				; CODE XREF: KiBeginThreadWait+30j
		or	dword ptr [esi+58h], 10h
		jmp	short loc_44F222
; 

loc_44F28A:				; CODE XREF: KiBeginThreadWait+5Dj
		movsx	eax, bh
		cmp	byte ptr [eax+esi+56h],	0
		jnz	loc_5AFCD6
		test	bh, bh
		jz	short loc_44F2A3
		lea	eax, [esi+78h]
		cmp	[eax], eax
		jnz	short loc_44F2D4

loc_44F2A3:				; CODE XREF: KiBeginThreadWait+AAj
		cmp	byte ptr [esi+56h], 0
		jz	short loc_44F258
		jmp	loc_5AFCE5
; 

loc_44F2AE:				; CODE XREF: KiBeginThreadWait+66j
		test	bh, bh
		jz	short loc_44F258

loc_44F2B2:				; CODE XREF: KiBeginThreadWait+EBj
		mov	esi, 0C0h

loc_44F2B7:				; CODE XREF: KiBeginThreadWait+160AF0j
					; KiBeginThreadWait+160AFEj
		mov	dword ptr [edi], 0
		mov	ecx, large fs:20h
		call	KiCheckForThreadDispatch
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_44F2D4:				; CODE XREF: KiBeginThreadWait+B1j
		or	byte ptr [esi+86h], 2
		jmp	short loc_44F2B2
; 
		align 10h

loc_44F2E0:				; CODE XREF: KiBeginThreadWait+45j
					; KiBeginThreadWait+FCj
		lea	ecx, [ebp+arg_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_44F2E0
		jmp	loc_44F230
KiBeginThreadWait endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiCheckWaitNext(x, x, x, x,	x)
_KiCheckWaitNext@20 proc near		; CODE XREF: KeRemovePriQueue+45p
					; KeDelayExecutionThread(x,x,x)+65p ...

var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		btr	dword ptr [esi+58h], 2
		setb	bl
		test	bl, bl
		jnz	short loc_44F327
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esi+92h], al

loc_44F327:				; CODE XREF: KiCheckWaitNext(x,x,x,x,x)+19j
		test	edi, edi
		jnz	short loc_44F33B
		mov	ecx, [ebp+arg_8]
		mov	[ecx], edi

loc_44F330:				; CODE XREF: KiCheckWaitNext(x,x,x,x,x)+B3j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_44F33B:				; CODE XREF: KiCheckWaitNext(x,x,x,x,x)+29j
		cmp	dword ptr [edi+4], 0
		jge	short loc_44F39D
		cmp	[ebp+arg_0], 0
		jz	short loc_44F3B8
		lea	ecx, [ebp+var_8]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	ecx, 0FFDF03B0h
		mov	edx, [ebp+arg_4]
		mov	eax, [ecx]
		mov	edx, [edx]
		mov	ecx, [ecx+4]
		sub	edx, eax
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+4]
		sbb	eax, ecx
		mov	ecx, [ebp+arg_4]

loc_44F373:				; CODE XREF: KiCheckWaitNext(x,x,x,x,x)+CCj
		sub	edx, [esi+0B0h]
		sbb	eax, [esi+0B4h]
		sub	edx, [edi]
		mov	[ecx], edx
		sbb	eax, [edi+4]
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_8]
		pop	edi
		pop	esi
		mov	dword ptr [eax], 2
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_44F39D:				; CODE XREF: KiCheckWaitNext(x,x,x,x,x)+3Fj
		mov	ecx, [ebp+arg_4]
		mov	eax, [edi]
		mov	[ecx], eax
		mov	eax, [edi+4]
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 1
		jmp	loc_44F330
; 

loc_44F3B8:				; CODE XREF: KiCheckWaitNext(x,x,x,x,x)+45j
		xor	cl, cl
		call	KiQueryUnbiasedInterruptTime
		mov	ecx, [ebp+arg_4]
		mov	[ecx+4], edx
		mov	edx, eax
		mov	[ecx], eax
		mov	eax, [ecx+4]
		jmp	short loc_44F373
_KiCheckWaitNext@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiBuildMdlForMappedFileFault(x, x, x, x, x,	x, x, x, x, x)
_MiBuildMdlForMappedFileFault@40 proc near ; CODE XREF:	MiResolveMappedFileFault+39Ap

var_A8		= dword	ptr -0A8h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_84], esi
		mov	[ebp+var_80], ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_88], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_64], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_54], eax
		mov	eax, [ecx+60h]
		xor	ebx, ebx
		mov	[ebp+var_74], eax
		mov	eax, [ecx+8Ch]
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ebx
		mov	ebx, [ecx+64h]
		push	eax
		mov	[ebp+var_68], ebx
		mov	[ebp+var_50], 200h
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		xor	ecx, ecx
		mov	eax, esi
		xor	edi, edi
		mov	[ebp+var_8C], ecx
		cmp	eax, [ebp+arg_0]
		ja	short loc_44F4C9
		mov	edx, [ebp+var_74]

loc_44F491:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+F7j
		mov	eax, [esi]
		nop
		mov	ecx, [esi+4]
		cmp	eax, edx
		jnz	short loc_44F4C1
		cmp	ecx, ebx
		jnz	short loc_44F4C1
		mov	edx, esi
		shr	edx, 3
		and	edx, 1FFh
		mov	ecx, edx
		and	edx, 7
		shr	ecx, 3
		add	ecx, [ebp+var_4C]
		movsx	eax, byte ptr [ecx]
		btr	eax, edx
		mov	edx, [ebp+var_74]
		mov	[ecx], al
		inc	edi

loc_44F4C1:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+C9j
					; MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+CDj
		add	esi, 8
		cmp	esi, [ebp+arg_0]
		jbe	short loc_44F491

loc_44F4C9:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+BCj
		mov	eax, [ebp+arg_8]
		mov	esi, edi
		cmp	edi, eax
		jbe	short loc_44F4D4
		mov	esi, eax

loc_44F4D4:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+100j
		mov	eax, [ebp+var_7C]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_44F50B
		lea	ecx, ds:0[eax*8]
		mov	edx, offset loc_7FFFFF
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		push	0
		lea	ebx, [eax+ecx*4]
		mov	ecx, ebx
		mov	[ebp+var_60], ebx
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		mov	[ebp+var_70], ebx
		mov	ecx, 1
		mov	ebx, [ebp+var_68]
		jmp	short loc_44F50D
; 

loc_44F50B:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+10Aj
		xor	ecx, ecx

loc_44F50D:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+139j
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_5C], ecx
		cmp	ecx, esi
		jz	loc_44F5AD
		mov	ecx, [ebp+var_74]
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jz	short loc_44F52E
		mov	eax, ecx
		jmp	short loc_44F583
; 

loc_44F52E:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+158j
		mov	eax, dword_6D0700
		mov	edx, ecx
		mov	ecx, dword_6D0704
		mov	[ebp+var_7C], eax
		or	eax, ecx
		jz	short loc_44F55B
		mov	edx, [ebp+var_74]
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_44F55B
		mov	edx, [ebp+var_7C]
		not	ecx
		not	edx
		and	edx, [ebp+var_74]
		and	ebx, ecx

loc_44F55B:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+170j
					; MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+17Dj
		mov	eax, ds:_MmPfnDatabase
		shrd	edx, ebx, 0Ch
		and	edx, 3FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	ebx, [eax+ecx*4+0Ch]
		lea	ecx, [eax+ecx*4]
		mov	eax, [ecx+8]
		mov	[ebp+var_8C], ecx

loc_44F583:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+15Cj
		push	ebx
		push	eax
		push	[ebp+var_54]
		mov	edx, esi
		lea	ecx, [ebp+var_70]
		push	[ebp+var_80]
		push	[ebp+var_64]
		push	[ebp+var_88]
		push	[ebp+var_58]
		call	MiGetHardFaultPages
		mov	ecx, [ebp+var_6C]
		mov	ebx, [ebp+var_70]
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_60], ebx

loc_44F5AD:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+145j
		cmp	ecx, edi
		jz	short loc_44F618
		test	ecx, ecx
		jnz	short loc_44F5E1
		mov	ecx, [ebp+var_88]
		test	ecx, ecx
		jz	short loc_44F5CC
		mov	eax, [ebp+var_64]
		cmp	dword ptr [eax+38h], 0
		jnz	short loc_44F5CC
		mov	byte ptr [ecx+1], 2

loc_44F5CC:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+1EDj
					; MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+1F6j
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_44F5E1:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+1E3j
		mov	esi, [ebp+var_90]
		mov	eax, edi
		shr	esi, 3
		sub	eax, ecx
		and	esi, 1FFh
		lea	ecx, [ebp+var_50]
		push	eax
		mov	edx, esi
		call	MiReduceMappedFileReadBehind
		mov	ecx, [ebp+var_5C]
		sub	edi, eax
		cmp	ecx, edi
		jz	short loc_44F618
		sub	edi, ecx
		mov	edx, esi
		push	edi
		lea	ecx, [ebp+var_50]
		call	_MiReduceMappedFileReadAhead@12	; MiReduceMappedFileReadAhead(x,x,x)
		mov	ecx, [ebp+var_5C]

loc_44F618:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+1DFj
					; MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+236j
		mov	[ebp+var_98], ecx
		mov	ecx, [ebp+arg_10]
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		mov	ebx, [ebp+var_50]
		xor	esi, esi
		mov	[ebp+var_94], eax
		mov	eax, [ebp+var_80]
		mov	[ebp+var_64], esi
		lea	edx, [eax+0C4h]
		mov	[ebp+var_58], edx
		test	ebx, ebx
		jz	loc_44F905
		and	[ebp+var_84], 0FFFFF000h

loc_44F652:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+529j
		mov	edi, esi
		mov	[ebp+var_68], edi
		cmp	ebx, esi
		ja	short loc_44F665
		xor	esi, esi
		mov	[ebp+var_78], esi
		jmp	loc_44F766
; 

loc_44F665:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+289j
		mov	ecx, [ebp+var_4C]
		lea	eax, [ebx-1]
		shr	eax, 5
		lea	edx, [ecx+eax*4]
		mov	eax, esi
		shr	eax, 5
		mov	[ebp+var_54], edx
		lea	eax, [ecx+eax*4]
		cmp	eax, edx
		jz	short loc_44F6B8
		and	esi, 1Fh
		mov	edx, ds:dword_40BA68[esi*4]
		or	edx, [eax]
		cmp	edx, 0FFFFFFFFh
		mov	edx, [ebp+var_54]
		jnz	short loc_44F6B8
		mov	edi, [ebp+var_64]
		add	eax, 4
		sub	edi, esi
		add	edi, 20h
		mov	[ebp+var_68], edi
		cmp	eax, edx
		jnb	short loc_44F6B8

loc_44F6A6:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+2E3j
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_44F6B5
		add	eax, 4
		add	edi, 20h
		cmp	eax, edx
		jb	short loc_44F6A6

loc_44F6B5:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+2D9j
		mov	[ebp+var_68], edi

loc_44F6B8:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+2AEj
					; MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+2C2j ...
		cmp	edi, ebx
		jnb	short loc_44F6D3
		lea	esp, [esp+0]

loc_44F6C0:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+301j
		mov	ecx, [ebp+var_4C]
		bt	[ecx], edi
		mov	ebx, [ebp+var_50]
		jnb	short loc_44F6D3
		inc	edi
		mov	[ebp+var_68], edi
		cmp	edi, ebx
		jb	short loc_44F6C0

loc_44F6D3:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+2EAj
					; MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+2F9j
		xor	esi, esi
		mov	[ebp+var_78], esi
		cmp	eax, edx
		jz	short loc_44F73A
		mov	edx, [eax]
		mov	ebx, edi
		and	ebx, 1Fh
		mov	ecx, ds:dword_40BA68[ebx*4]
		not	ecx
		test	ecx, edx
		jnz	short loc_44F72B
		mov	esi, 20h
		sub	esi, ebx
		mov	[ebp+var_78], esi
		cmp	esi, 0FFFFFFFFh
		jnb	loc_44F7D8
		mov	ecx, [ebp+var_54]
		add	eax, 4
		cmp	eax, ecx
		jnb	short loc_44F72B
		lea	ecx, [ecx+0]

loc_44F710:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+359j
		cmp	dword ptr [eax], 0
		jnz	short loc_44F72B
		add	esi, 20h
		add	eax, 4
		mov	[ebp+var_78], esi
		cmp	esi, 0FFFFFFFFh
		jnb	loc_44F7D8
		cmp	eax, ecx
		jb	short loc_44F710

loc_44F72B:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+31Ej
					; MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+33Bj ...
		mov	ebx, [ebp+var_70]
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_60], ebx
		mov	ebx, [ebp+var_50]
		mov	[ebp+var_5C], eax

loc_44F73A:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+30Aj
		lea	ecx, [esi+edi]
		cmp	ecx, ebx
		jnb	short loc_44F758

loc_44F741:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+383j
		mov	eax, [ebp+var_4C]
		bt	[eax], ecx
		jb	short loc_44F755
		cmp	esi, 0FFFFFFFFh
		jnb	short loc_44F755
		inc	ecx
		inc	esi
		cmp	ecx, [ebp+var_50]
		jb	short loc_44F741

loc_44F755:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+377j
					; MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+37Cj
		mov	[ebp+var_78], esi

loc_44F758:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+36Fj
					; MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+414j
		cmp	esi, 0FFFFFFFFh
		jbe	short loc_44F763
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_78], esi

loc_44F763:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+38Bj
		mov	edx, [ebp+var_58]

loc_44F766:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+290j
		mov	eax, [ebp+var_64]
		test	eax, eax
		jz	short loc_44F78F
		mov	ecx, edi
		sub	ecx, eax
		jz	short loc_44F785

loc_44F773:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+3B0j
		mov	eax, dword_6D34EC
		mov	[edx], eax
		add	edx, 4
		sub	ecx, 1
		jnz	short loc_44F773
		mov	[ebp+var_58], edx

loc_44F785:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+3A1j
		mov	eax, [ebp+var_80]
		or	dword ptr [eax+78h], 20000h

loc_44F78F:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+39Bj
		mov	eax, [ebp+var_84]
		push	esi
		push	edi
		lea	eax, [eax+edi*8]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		test	esi, esi
		jz	loc_44F8E6
		mov	eax, [ebp+var_74]
		mov	edi, [ebp+var_60]
		and	eax, 400h
		mov	[ebp+var_7C], esi
		mov	esi, [ebp+var_58]
		mov	[ebp+var_64], eax

loc_44F7C2:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+504j
		nop
		mov	eax, [edi+10h]
		mov	ebx, edi
		and	eax, offset loc_7FFFFF
		cmp	eax, offset loc_7FFFFF
		jnz	short loc_44F7E9
		xor	edi, edi
		jmp	short loc_44F7FA
; 

loc_44F7D8:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+32Dj
					; MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+351j
		mov	eax, [ebp+var_6C]
		mov	ebx, [ebp+var_70]
		mov	[ebp+var_5C], eax
		mov	[ebp+var_60], ebx
		jmp	loc_44F758
; 

loc_44F7E9:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+402j
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [eax+ecx*4]

loc_44F7FA:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+406j
		mov	eax, [ebp+var_5C]
		mov	ecx, ebx
		sub	ecx, ds:_MmPfnDatabase
		dec	eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_6C], eax
		mov	eax, 92492493h
		imul	ecx
		mov	[ebp+var_70], edi
		add	edx, ecx
		mov	ecx, [ebp+var_54]
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	[esi], eax
		add	esi, 4
		mov	edx, [ecx]
		mov	[ebp+var_60], eax
		nop
		mov	eax, [ecx+4]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+var_64]
		or	eax, 0
		jz	short loc_44F846
		mov	eax, [ebp+var_58]
		mov	[ebx+8], edx
		jmp	short loc_44F855
; 

loc_44F846:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+46Cj
		mov	edx, [ebp+var_8C]
		mov	eax, [edx+8]
		mov	[ebx+8], eax
		mov	eax, [edx+0Ch]

loc_44F855:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+474j
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_88]
		test	eax, eax
		jz	short loc_44F86C
		mov	ecx, eax
		call	_MiAdvanceFaultList@4 ;	MiAdvanceFaultList(x)
		mov	ecx, [ebp+var_54]

loc_44F86C:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+490j
		push	[ebp+var_94]
		mov	edx, [ebp+var_80]
		xor	eax, eax
		cmp	ecx, [ebp+var_90]
		setz	al
		push	eax
		push	ecx
		mov	ecx, ebx
		call	_MiInitializeHardFaultPfn@20 ; MiInitializeHardFaultPfn(x,x,x,x,x)
		mov	eax, [ebp+var_64]
		or	eax, 0
		jz	short loc_44F8C7
		mov	edx, [ebp+var_60]
		xor	ecx, ecx
		mov	eax, [ebp+arg_10]
		and	edx, 3FFFFFFh
		shld	ecx, edx, 7
		and	eax, 1Fh
		shl	edx, 7
		or	eax, 40h
		or	edx, eax
		shld	ecx, edx, 5
		shl	edx, 5
		push	ecx
		push	edx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebp+var_54]
		mov	[ecx], eax
		nop
		mov	[ecx+4], edx
		jmp	short loc_44F8CA
; 

loc_44F8C7:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+4BFj
		mov	ecx, [ebp+var_54]

loc_44F8CA:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+4F5j
		add	ecx, 8
		sub	[ebp+var_7C], 1
		mov	[ebp+var_54], ecx
		jnz	loc_44F7C2
		mov	[ebp+var_58], esi
		mov	esi, [ebp+var_78]
		mov	[ebp+var_60], edi
		mov	edi, [ebp+var_68]

loc_44F8E6:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+3D8j
		cmp	[ebp+var_5C], 0
		jz	short loc_44F8FF
		mov	ebx, [ebp+var_50]
		add	esi, edi
		mov	edx, [ebp+var_58]
		mov	[ebp+var_64], esi
		cmp	esi, ebx
		jnz	loc_44F652

loc_44F8FF:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+51Aj
		mov	edx, [ebp+var_58]
		mov	eax, [ebp+var_80]

loc_44F905:				; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+272j
		mov	ecx, [ebp+var_4]
		sub	edx, eax
		sub	edx, 0C4h
		xor	ecx, ebp
		sar	edx, 2
		pop	edi
		shl	edx, 0Ch
		pop	esi
		mov	[eax+70h], edx
		mov	eax, [ebp+var_98]
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
_MiBuildMdlForMappedFileFault@40 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeHardFaultPfn(x,	x, x, x, x)
_MiInitializeHardFaultPfn@20 proc near	; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+4B4p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		push	ebx
		shr	eax, 9
		mov	ebx, edx
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_10], 0
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], 0
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], eax
		nop
		shrd	edx, eax, 0Ch
		mov	[ebp+var_4], 0
		lea	esi, [edi+10h]
		mov	[ebp+var_C], edx
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_44F99C

loc_44F984:				; CODE XREF: MiInitializeHardFaultPfn(x,x,x,x,x)+60j
					; MiInitializeHardFaultPfn(x,x,x,x,x)+67j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_44F984
		lock bts dword ptr [esi], 1Fh
		jb	short loc_44F984
		mov	edx, [ebp+var_C]

loc_44F99C:				; CODE XREF: MiInitializeHardFaultPfn(x,x,x,x,x)+52j
		and	dword ptr [esi], 0FF800000h
		mov	eax, 1
		or	dword ptr [edi+18h], 80000000h
		mov	ecx, ebx
		mov	[edi+14h], ax
		mov	al, [edi+16h]
		or	al, 20h
		neg	ecx
		mov	[edi+16h], al
		lea	eax, [ebx+10h]
		sbb	ecx, ecx
		and	ecx, eax
		mov	[edi], ecx
		mov	cl, [edi+17h]
		mov	eax, [ebx+78h]
		and	cl, 0F8h
		cmp	[ebp+arg_4], 0
		jz	short loc_44F9DB
		shr	eax, 9
		jmp	short loc_44F9DE
; 

loc_44F9DB:				; CODE XREF: MiInitializeHardFaultPfn(x,x,x,x,x)+A4j
		shr	eax, 0Ch

loc_44F9DE:				; CODE XREF: MiInitializeHardFaultPfn(x,x,x,x,x)+A9j
		and	al, 7
		or	al, cl
		mov	[edi+17h], al
		mov	eax, [edi+18h]
		xor	eax, edx
		mov	edx, [ebp+arg_8]
		and	eax, offset loc_7FFFFF
		xor	[edi+18h], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+4], eax
		mov	al, [edi+16h]
		and	al, 0FAh
		or	al, 2
		mov	[edi+16h], al
		movzx	eax, byte ptr [edi+16h]
		shr	eax, 6
		cmp	eax, edx
		jz	short loc_44FA19
		push	1
		mov	ecx, edi
		call	MiChangePageAttribute

loc_44FA19:				; CODE XREF: MiInitializeHardFaultPfn(x,x,x,x,x)+DEj
		and	dword ptr [esi], 0C0000000h
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MiInitializeHardFaultPfn@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputeFaultNode proc	near		; CODE XREF: MiCopyOnWrite(x,x,x,x)+2B3p
					; MiMigratePfn(x,x,x,x)+B6p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AFCF3 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	esi
		mov	esi, [ecx+4]
		shr	esi, 19h
		push	edi
		mov	edi, edx
		test	esi, esi
		jnz	short loc_44FAAF
		mov	edx, [ebp+arg_0]
		push	ebx
		mov	ebx, [ecx+8]
		mov	edx, [edx]
		test	bl, 1
		jnz	short loc_44FAC6
		xor	ebx, ebx

loc_44FA56:				; CODE XREF: MiComputeFaultNode+A5j
					; MiComputeFaultNode+B0j
		mov	eax, [ecx+14h]
		test	byte ptr [eax+60h], 7
		jnz	short loc_44FAAE
		mov	eax, large fs:124h
		mov	[ebp+var_4], eax
		mov	eax, [eax+80h]
		mov	[ebp+var_8], eax
		mov	eax, [eax+24Ch]
		test	edx, edx
		jnz	short loc_44FAF8
		mov	ecx, [ecx]
		cmp	ecx, 0C0000000h
		jnb	loc_5AFD16

loc_44FA89:				; CODE XREF: MiComputeFaultNode+1602F2j
		test	ebx, ebx
		jnz	short loc_44FAE8
		cmp	[eax+0B0h], ebx
		jnz	short loc_44FAE8
		cmp	[eax+0B4h], ebx
		jnz	short loc_44FAE8
		cmp	byte ptr [eax+84h], 1
		jz	short loc_44FAE8

loc_44FAA6:				; CODE XREF: MiComputeFaultNode+C6j
					; MiComputeFaultNode+DAj ...
		test	edi, edi
		jnz	short loc_44FAB9

loc_44FAAA:				; CODE XREF: MiComputeFaultNode+92j
		test	ebx, ebx
		jnz	short loc_44FB13

loc_44FAAE:				; CODE XREF: MiComputeFaultNode+2Dj
					; MiComputeFaultNode+94j ...
		pop	ebx

loc_44FAAF:				; CODE XREF: MiComputeFaultNode+14j
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_44FAB9:				; CODE XREF: MiComputeFaultNode+78j
		mov	esi, [edi+1Ch]
		shr	esi, 14h
		and	esi, 3Fh
		jz	short loc_44FAAA
		jmp	short loc_44FAAE
; 

loc_44FAC6:				; CODE XREF: MiComputeFaultNode+22j
		and	ebx, 0FFFFFFFEh
		mov	al, [ebx]
		cmp	al, 4
		jz	loc_5AFCF3
		cmp	al, 2
		jnz	loc_44FA56
		mov	esi, [ebx+14h]

loc_44FADE:				; CODE XREF: MiComputeFaultNode+1602E1j
		test	esi, esi
		jz	loc_44FA56
		jmp	short loc_44FAAE
; 

loc_44FAE8:				; CODE XREF: MiComputeFaultNode+5Bj
					; MiComputeFaultNode+63j ...
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edx, eax
		mov	eax, [ebp+arg_0]
		mov	[eax], edx
		test	edx, edx
		jz	short loc_44FAA6

loc_44FAF8:				; CODE XREF: MiComputeFaultNode+49j
		mov	eax, [edx+1Ch]
		mov	esi, eax
		shr	esi, 0Ch
		and	esi, 3Fh
		jnz	short loc_44FAAE
		test	eax, 100000h
		jnz	short loc_44FAA6
		mov	eax, [edx+2Ch]
		mov	edi, [eax]
		jmp	short loc_44FAA6
; 

loc_44FB13:				; CODE XREF: MiComputeFaultNode+7Cj
		mov	eax, [ebp+var_4]
		cmp	byte ptr [eax+16Ah], 1
		jnz	short loc_44FAAE
		movzx	eax, word ptr [eax+168h]
		mov	ecx, [ebp+var_8]
		movzx	esi, word ptr [ecx+eax*2+70h]
		inc	esi
		jmp	loc_44FAAE
MiComputeFaultNode endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmIsAddressValidEx proc	near		; CODE XREF: .text:00449572p
					; MiMakeSystemAddressValid+247p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AFD27 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, ecx
		mov	eax, 2
		mov	edx, esi
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		sub	edx, 40000000h
		mov	[ebp+var_8], edx
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		sub	edx, 40000000h
		mov	[ebp+var_4], edx

loc_44FB76:				; CODE XREF: MmIsAddressValidEx+55j
		mov	ecx, [ebp+eax*4+var_C]
		dec	eax
		mov	edx, [ecx]
		nop
		mov	ecx, edx
		and	ecx, 1
		or	ecx, 0
		jz	short loc_44FB9E
		and	edx, 80h
		or	edx, 0
		jnz	short loc_44FBA2
		test	eax, eax
		jnz	short loc_44FB76

loc_44FB97:				; CODE XREF: MmIsAddressValidEx+68j
					; MmIsAddressValidEx+1601F3j
		mov	al, 1

loc_44FB99:				; CODE XREF: MmIsAddressValidEx+60j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_44FB9E:				; CODE XREF: MmIsAddressValidEx+46j
					; MmIsAddressValidEx+1601EDj
		xor	al, al
		jmp	short loc_44FB99
; 

loc_44FBA2:				; CODE XREF: MmIsAddressValidEx+51j
		cmp	esi, 0C0000000h
		jb	short loc_44FB97
		jmp	loc_5AFD27
MmIsAddressValidEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetWsleProtection(x, x)
_MiGetWsleProtection@8 proc near	; CODE XREF: MiCopyOnWrite(x,x,x,x)+385p
					; .text:00474D25p ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		nop
		movzx	eax, [ebp+arg_0]
		shr	eax, 4
		and	eax, 7
		jz	short loc_44FBF7
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		push	esi
		mov	esi, [ecx-40000000h]
		mov	edx, esi
		mov	ecx, [ecx-3FFFFFFCh]
		and	edx, 10h
		mov	[ebp+var_4], ecx
		mov	ecx, edx
		or	ecx, 0
		jnz	short loc_44FBF1
		and	esi, 8
		or	esi, ecx
		jnz	short loc_44FBFD

loc_44FBF1:				; CODE XREF: MiGetWsleProtection(x,x)+38j
		or	edx, 0
		jnz	short loc_44FC02

loc_44FBF6:				; CODE XREF: MiGetWsleProtection(x,x)+50j
					; MiGetWsleProtection(x,x)+55j
		pop	esi

loc_44FBF7:				; CODE XREF: MiGetWsleProtection(x,x)+13j
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_44FBFD:				; CODE XREF: MiGetWsleProtection(x,x)+3Fj
		or	eax, 18h
		jmp	short loc_44FBF6
; 

loc_44FC02:				; CODE XREF: MiGetWsleProtection(x,x)+44j
		or	eax, 8
		jmp	short loc_44FBF6
_MiGetWsleProtection@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCopyOnWrite(x, x,	x, x)
_MiCopyOnWrite@16 proc near		; CODE XREF: MiSplitPrivatePage(x,x,x)+376p
					; MiCopyToUserVa(x,x,x,x)+1FBp	...

var_194		= dword	ptr -194h
var_188		= dword	ptr -188h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 17Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+17Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [esp+18Ch+var_A0]
		mov	[esp+18Ch+var_16C], ecx
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[esp+194h+var_160], esi
		call	_memset
		mov	ebx, [esi]
		xor	eax, eax
		xor	edx, edx
		mov	[esp+194h+var_110], eax
		add	esp, 0Ch
		mov	[esp+188h+var_10C], eax
		mov	[esp+188h+var_108], eax
		mov	[esp+188h+var_104], eax
		mov	[esp+188h+var_100], eax
		mov	[esp+188h+var_FC], eax
		mov	[esp+188h+var_168], edx
		mov	[esp+188h+var_158], eax
		mov	[esp+188h+var_154], eax
		nop
		mov	eax, [esi+4]
		mov	[esp+188h+var_158], ebx
		mov	[esp+188h+var_154], eax
		nop
		mov	esi, ebx
		mov	[esp+188h+var_140], edx
		shrd	esi, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	esi, 1FFFFFFh
		mov	[esp+188h+var_118], esi
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		xor	esi, esi
		lea	ecx, [eax+ecx*4]
		mov	eax, ebx
		and	eax, 200h
		mov	[esp+188h+var_178], ecx
		or	eax, esi
		jnz	short loc_44FCD5
		mov	edx, 1
		mov	[esp+188h+var_168], edx

loc_44FCD5:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+BAj
		mov	edi, [ecx+4]
		mov	eax, edi
		or	eax, 80000000h
		mov	[esp+188h+var_134], eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[esp+188h+var_13C], eax
		mov	eax, [esp+188h+var_16C]
		cmp	eax, dword_6D07D0
		jb	loc_44FDF5
		shr	eax, 15h
		mov	cl, byte ptr dword_6D3994[eax]
		movzx	eax, cl
		cmp	eax, 1
		jz	loc_44FDBB
		cmp	eax, 0Bh
		jz	loc_44FDBB
		cmp	eax, 0Ch
		jnz	short loc_44FD5E
		mov	eax, [esp+188h+var_178]
		mov	ebx, offset unk_6D3740
		mov	[esp+188h+var_174], esi
		mov	[esp+188h+var_164], ebx
		test	dword ptr [eax+18h], 800000h
		jnz	loc_44FED4
		test	edi, edi
		js	loc_44FED4
		jz	loc_44FED4
		or	edx, 2
		mov	[esp+188h+var_168], edx
		jmp	loc_44FED4
; 

loc_44FD5E:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+114j
		cmp	eax, 9
		jz	loc_45073A
		cmp	eax, 0Eh
		jz	loc_45073A
		cmp	eax, 6
		jnz	short loc_44FDB0
		lea	ecx, [eax-4]
		mov	[esp+188h+var_174], esi
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	[esp+188h+var_164], eax
		or	edx, 2
		mov	eax, [esp+188h+var_178]
		mov	[esp+188h+var_168], edx
		test	dword ptr [eax+18h], 800000h
		jnz	loc_450714
		test	edi, edi
		js	loc_450714
		jz	loc_450714
		jmp	loc_44FED0
; 

loc_44FDB0:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+163j
		cmp	cl, 5
		jz	loc_450727
		jmp	short loc_44FDED
; 

loc_44FDBB:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+102j
					; MiCopyOnWrite(x,x,x,x)+10Bj
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		mov	ebx, eax
		mov	eax, [esp+184h+var_174]
		mov	[esp+184h+var_160], ebx
		test	dword ptr [eax+18h], 800000h
		jnz	short loc_44FDE0
		test	edi, edi
		js	short loc_44FDE0
		jz	short loc_44FDE0
		or	edx, 2
		mov	[esp+184h+var_164], edx

loc_44FDE0:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+1C1j
					; MiCopyOnWrite(x,x,x,x)+1C5j ...
		mov	[esp+184h+var_170], 2
		jmp	loc_44FED4
; 

loc_44FDED:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+1A9j
		mov	ecx, [esp+188h+var_178]
		mov	eax, [esp+188h+var_16C]

loc_44FDF5:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+EDj
		mov	ebx, [esp+188h+var_13C]
		cmp	[ebx+140h], esi
		jz	short loc_44FE1D
		mov	eax, 0C0000434h
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+17Ch+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_44FE1D:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+1EFj
		add	ebx, 240h
		mov	[esp+188h+var_174], 1
		test	dword ptr [ecx+18h], 800000h
		mov	[esp+188h+var_164], ebx
		jnz	short loc_44FE45
		test	edi, edi
		js	short loc_44FE45
		jz	short loc_44FE45
		or	edx, 2
		mov	[esp+188h+var_168], edx

loc_44FE45:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+226j
					; MiCopyOnWrite(x,x,x,x)+22Aj ...
		mov	[esp+188h+var_F8], eax
		lea	ecx, [esp+188h+var_F8]
		lea	eax, [esp+188h+var_140]
		mov	[esp+188h+var_F4], esi
		push	eax
		xor	edx, edx
		mov	[esp+18Ch+var_F0], esi
		mov	[esp+18Ch+var_EC], esi
		mov	[esp+18Ch+var_E8], esi
		mov	[esp+18Ch+var_E0], esi
		mov	[esp+18Ch+var_DC], esi
		mov	[esp+18Ch+var_D8], esi
		mov	[esp+18Ch+var_D4], esi
		mov	[esp+18Ch+var_D0], esi
		mov	[esp+18Ch+var_CC], esi
		mov	[esp+18Ch+var_C8], esi
		mov	[esp+18Ch+var_C4], esi
		mov	[esp+18Ch+var_C0], esi
		mov	[esp+18Ch+var_BC], esi
		mov	[esp+18Ch+var_E4], ebx
		call	MiComputeFaultNode
		mov	esi, eax
		mov	eax, [esp+188h+var_178]
		jmp	short loc_44FED4
; 

loc_44FED0:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+19Bj
		mov	ebx, [esp+188h+var_164]

loc_44FED4:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+12Ej
					; MiCopyOnWrite(x,x,x,x)+136j ...
		mov	eax, [eax]
		xor	ecx, ecx
		and	eax, 1
		mov	[esp+188h+var_15C], ecx
		mov	ecx, [esp+188h+var_16C]
		mov	[esp+188h+var_120], eax
		movzx	eax, byte ptr [ebx+60h]
		and	eax, 7
		shr	ecx, 0Ch
		mov	[esp+188h+var_130], ecx
		mov	edi, dword_6D2E68[eax*4]
		add	edi, ecx
		mov	ecx, edi
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_44FF0D
		mov	bl, [edi]
		jmp	short loc_44FF0F
; 

loc_44FF0D:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+2F7j
		mov	bl, 0Ah

loc_44FF0F:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+2FBj
		mov	eax, [ebp+arg_4]
		and	eax, 1
		mov	byte ptr [esp+188h+var_170], bl
		mov	[esp+188h+var_138], eax
		jnz	short loc_44FF56
		mov	al, bl
		and	al, 0Fh
		cmp	al, 0Ah
		jz	short loc_44FF56
		cmp	al, 9
		mov	eax, [esp+188h+var_174]
		jnz	short loc_44FF3B
		and	bl, 0FAh
		or	bl, 0Ah
		mov	byte ptr [esp+188h+var_170], bl
		jmp	short loc_44FF5A
; 

loc_44FF3B:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+31Dj
		cmp	eax, 1
		jz	short loc_44FF5A
		mov	edi, [esp+188h+var_178]
		test	byte ptr [edi+17h], 8
		jz	short loc_44FF5E
		and	bl, 0FAh
		or	bl, 0Ah
		mov	byte ptr [esp+188h+var_170], bl
		jmp	short loc_44FF5E
; 

loc_44FF56:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+30Dj
					; MiCopyOnWrite(x,x,x,x)+315j
		mov	eax, [esp+188h+var_174]

loc_44FF5A:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+329j
					; MiCopyOnWrite(x,x,x,x)+32Ej
		mov	edi, [esp+188h+var_178]

loc_44FF5E:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+338j
					; MiCopyOnWrite(x,x,x,x)+344j
		and	bl, 0Fh
		cmp	bl, 0Ah
		jz	short loc_44FFA0
		cmp	bl, 8
		jnz	short loc_44FF8D
		cmp	eax, 2
		jz	short loc_44FF8D
		mov	eax, [edi+8]
		and	eax, 400h
		mov	[esp+188h+var_15C], 1
		or	eax, 0
		jz	short loc_44FF8D
		mov	[esp+188h+var_15C], 2

loc_44FF8D:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+359j
					; MiCopyOnWrite(x,x,x,x)+35Ej ...
		push	[esp+188h+var_170]
		mov	ecx, [esp+18Ch+var_16C]
		call	_MiGetWsleProtection@8 ; MiGetWsleProtection(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_44FFAE

loc_44FFA0:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+354j
		mov	ecx, [edi+8]
		nop
		mov	eax, [edi+0Ch]
		shrd	ecx, eax, 5
		and	ecx, 1Fh

loc_44FFAE:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+38Ej
		mov	eax, ds:_MmMakeProtectNotWriteCopy[ecx*4]
		mov	ecx, 1
		mov	edi, [ebp+arg_0]
		mov	[esp+188h+var_170], eax
		cmp	edi, 0FFFFFFFFh
		jnz	loc_450068
		test	esi, esi
		jz	short loc_44FFE7
		mov	edi, large fs:20h
		lea	edx, [esi-1]
		mov	cl, byte_6D068C
		shl	edx, cl
		mov	ecx, 1
		jmp	short loc_450000
; 

loc_44FFE7:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+3BCj
		mov	eax, large fs:124h
		mov	eax, [eax+16Ch]
		mov	edi, ds:_KiProcessorBlock[eax*4]
		mov	edx, [edi+4C8h]

loc_450000:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+3D5j
					; DATA XREF: .text:0041D490o ...
		mov	esi, ecx

loc_450002:				; DATA XREF: .text:00409B1Co
		mov	cl, byte_6D068D
		shl	esi, cl
		mov	ecx, [esp+188h+var_164]
		dec	esi
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		jnb	short loc_45001C
		mov	edi, ecx
		jmp	short loc_450022
; 

loc_45001C:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+406j
		add	edi, 4BCh

loc_450022:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+40Aj
		mov	eax, 1
		lock xadd [edi], eax
		inc	eax
		dec	eax
		mov	ecx, offset _MiSystemPartition
		and	eax, esi
		or	edx, eax
		push	0
		call	MiGetPage
		mov	edi, eax
		mov	[ebp+arg_0], edi
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_450063
		mov	eax, 0C0000017h
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+17Ch+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_450063:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+435j
		mov	ecx, 1

loc_450068:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+3B4j
		mov	eax, [esp+188h+var_15C]
		cmp	eax, 1
		jb	short loc_4500B7
		cmp	eax, 2
		jb	short loc_450090
		mov	edx, ecx
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		cmp	[esp+188h+var_174], 1
		jnz	short loc_450090
		lock dec dword_6D5F60

loc_450090:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+464j
					; MiCopyOnWrite(x,x,x,x)+477j
		mov	eax, [esp+188h+var_178]
		mov	edx, 1
		mov	eax, [eax+18h]
		and	eax, offset loc_7FFFFF
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+ecx*4]
		call	_MiUnlockPageTableCharges@8 ; MiUnlockPageTableCharges(x,x)

loc_4500B7:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+45Fj
		mov	edx, [esp+188h+var_170]
		cmp	edx, 18h
		jnz	short loc_450116
		mov	eax, [esp+188h+var_140]
		mov	[esp+188h+var_170], 1
		test	eax, eax
		jnz	short loc_4500E1
		mov	ecx, [esp+188h+var_16C]
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	[esp+188h+var_140], eax
		test	eax, eax
		jz	short loc_450112

loc_4500E1:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+4BEj
		mov	eax, [eax+1Ch]
		shr	eax, 7
		and	eax, 1Fh
		mov	ecx, eax
		shr	ecx, 3
		cmp	ecx, 3
		jnz	short loc_450105
		test	al, 7
		jz	short loc_450105
		mov	[esp+188h+var_170], 19h
		lea	edx, [ecx+16h]
		jmp	short loc_450116
; 

loc_450105:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+4E2j
					; MiCopyOnWrite(x,x,x,x)+4E6j
		cmp	ecx, 1
		jnz	short loc_450112
		mov	[esp+188h+var_170], 9

loc_450112:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+4CFj
					; MiCopyOnWrite(x,x,x,x)+4F8j
		mov	edx, [esp+188h+var_170]

loc_450116:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+4AEj
					; MiCopyOnWrite(x,x,x,x)+4F3j
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		lea	esi, [eax+ecx*4]
		mov	ecx, edx
		and	ecx, 1Fh
		mov	[esp+188h+var_11C], esi
		xor	eax, eax
		shld	eax, ecx, 5
		shl	ecx, 5
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[esi+8], eax
		mov	[esi+0Ch], edx
		cmp	bl, 0Ah
		jz	loc_450240
		mov	edi, [esp+188h+var_164]
		mov	[esp+188h+var_144], 0
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C80
		jz	short loc_45016F
		lea	eax, [edi+0C0h]

loc_45016F:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+557j
		test	ds:byte_70EFC6,	21h
		mov	[esp+188h+var_148], eax
		mov	[esp+188h+var_14C], 0
		jz	short loc_450191
		mov	edx, eax
		lea	ecx, [esp+188h+var_14C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4501A4
; 

loc_450191:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+572j
		lea	edx, [esp+188h+var_14C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_4501A4
		lea	ecx, [esp+188h+var_14C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4501A4:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+57Fj
					; MiCopyOnWrite(x,x,x,x)+589j
		mov	ebx, [esp+188h+var_16C]
		inc	dword ptr [edi+4Ch]
		lea	eax, [ebx+40000000h]
		cmp	eax, offset loc_7FFFFF
		jbe	short loc_4501BB
		inc	dword ptr [edi+44h]

loc_4501BB:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+5A6j
		test	ds:byte_70EFC6,	1
		jz	short loc_4501D2
		mov	edx, [ebp+4]
		lea	ecx, [esp+188h+var_14C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_450208
; 

loc_4501D2:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+5B2j
		mov	eax, [esp+188h+var_14C]
		test	eax, eax
		jnz	short loc_4501F5
		mov	edx, [esp+188h+var_148]
		lea	eax, [esp+188h+var_14C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+188h+var_14C]
		cmp	eax, ecx
		jz	short loc_450208
		call	KxWaitForLockChainValid

loc_4501F5:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+5C8j
		mov	[esp+188h+var_14C], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_450208:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+5C0j
					; MiCopyOnWrite(x,x,x,x)+5DEj
		movzx	eax, byte ptr [edi+60h]
		and	eax, 7
		mov	edx, dword_6D2E68[eax*4]
		add	edx, [esp+188h+var_130]
		mov	al, [edx]
		mov	cl, al
		and	cl, 0Fh
		cmp	cl, 0Ah
		jz	loc_45074D
		mov	ecx, [esp+188h+var_160]
		and	al, 8Fh
		mov	[edx], al
		mov	eax, [ecx]
		nop
		mov	ecx, [ecx+4]
		mov	[esp+188h+var_158], eax
		mov	[esp+188h+var_154], ecx

loc_450240:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+539j
		mov	eax, 1
		mov	[esp+188h+var_130], 0
		mov	[esi+14h], ax
		mov	eax, [esp+188h+var_160]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esp+188h+var_12C], 0
		mov	ecx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[esp+188h+var_B8], ecx
		mov	[esp+188h+var_B4], eax
		nop
		shrd	ecx, eax, 0Ch
		xor	ecx, [esi+18h]
		and	ecx, offset loc_7FFFFF
		xor	[esi+18h], ecx
		mov	ecx, large fs:124h
		mov	eax, [ecx+304h]
		test	eax, 100h
		jz	short loc_4502AD
		shr	eax, 9
		and	eax, 7
		jmp	short loc_4502B2
; 

loc_4502AD:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+693j
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)

loc_4502B2:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+69Bj
		test	dword ptr ds:byte_70EFC4, 8000001h
		mov	[esp+188h+var_15C], eax
		jz	short loc_4502C7
		or	[esp+188h+var_168], 4

loc_4502C7:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+6B0j
		mov	[esp+188h+var_124], 0
		lea	edi, [esi+10h]
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_4502F5
		lea	esp, [esp+0]

loc_4502E0:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+6DCj
					; MiCopyOnWrite(x,x,x,x)+6E3j
		lea	ecx, [esp+188h+var_124]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_4502E0
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4502E0

loc_4502F5:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+6C7j
		cmp	[esp+188h+var_120], 0
		jz	short loc_450303
		mov	eax, [esi]
		or	eax, 1
		mov	[esi], eax

loc_450303:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+6EAj
		mov	al, [esi+16h]
		or	al, 10h
		cmp	[esp+188h+var_174], 0
		mov	[esi+16h], al
		mov	eax, [esp+188h+var_178]
		jnz	short loc_450329
		test	byte ptr [eax+17h], 8
		jz	short loc_450329
		cmp	[esp+188h+var_138], 0
		jnz	short loc_450329
		or	byte ptr [esi+17h], 8
		jmp	short loc_45032D
; 

loc_450329:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+704j
					; MiCopyOnWrite(x,x,x,x)+70Aj ...
		and	byte ptr [esi+17h], 0F7h

loc_45032D:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+717j
		movzx	ebx, byte ptr [eax+16h]
		mov	cl, [esi+16h]
		mov	dl, [esi+17h]
		movzx	eax, cl
		shr	ebx, 6
		shr	eax, 6
		cmp	eax, ebx
		jz	short loc_450355
		push	1
		mov	edx, ebx
		mov	ecx, esi
		call	MiChangePageAttribute
		mov	dl, [esi+17h]
		mov	cl, [esi+16h]

loc_450355:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+732j
		mov	eax, [edi]
		and	cl, 0FEh
		and	eax, 0C0000001h
		or	cl, 6
		or	eax, 1
		mov	[edi], eax
		mov	al, dl
		xor	al, byte ptr [esp+188h+var_15C]
		and	al, 7
		xor	al, dl
		mov	[esi+17h], al
		mov	eax, [esp+188h+var_160]
		mov	[esi+4], eax
		mov	[esi+16h], cl
		mov	esi, [esp+188h+var_168]
		cmp	esi, 4
		jb	short loc_450394
		mov	ecx, [esp+188h+var_11C]
		lea	edx, [esp+188h+var_110]
		call	_MiIdentifyPfn@8 ; MiIdentifyPfn(x,x)

loc_450394:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+775j
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		cmp	esi, 4
		jb	short loc_4503F5
		or	[esp+188h+var_100], 8
		lea	eax, [esp+188h+var_110]
		push	11401B02h
		push	282h
		push	28000001h
		mov	edx, 1
		mov	[esp+194h+var_B0], eax
		lea	ecx, [esp+194h+var_B0]
		mov	[esp+194h+var_AC], 0
		mov	[esp+194h+var_A8], 18h
		mov	[esp+194h+var_A4], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_4503F5:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+78Fj
		inc	large dword ptr	fs:3E1Ch
		mov	ebx, 1
		test	byte ptr [esp+188h+var_170], 2
		jnz	short loc_45040F
		mov	ebx, 9
		jmp	short loc_45043F
; 

loc_45040F:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+7F6j
		test	ds:_MiFlags, 40000h
		jnz	short loc_45043F
		test	byte ptr ds:_MiFlags+2,	bl
		jz	short loc_45043F
		mov	eax, [esp+188h+var_16C]
		cmp	eax, dword_6D07D0
		jb	short loc_45043F
		test	byte ptr [ebp+arg_4], 2
		mov	ebx, 11h
		jz	short loc_45043F
		mov	ebx, 31h

loc_45043F:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+7FDj
					; MiCopyOnWrite(x,x,x,x)+809j ...
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		mov	edx, [esp+188h+var_118]
		push	ebx
		push	0
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)
		cmp	dword_6D3154, 0
		jz	short loc_450472
		mov	eax, [esp+190h+var_164]
		cmp	eax, dword_6D3158
		jb	short loc_450472
		mov	edx, [esp+190h+var_168]
		mov	ecx, [esp+190h+var_16C]
		call	_MiLogPageAccess@8 ; MiLogPageAccess(x,x)

loc_450472:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+847j
					; MiCopyOnWrite(x,x,x,x)+853j
		test	byte ptr [esp+190h+var_170], 1
		mov	edx, [esp+190h+var_15C]
		jnz	short loc_4504B5
		mov	ecx, edx
		xor	eax, eax
		and	ecx, 80000000h
		or	eax, ecx
		jnz	short loc_4504A2
		cmp	[esp+190h+var_17C], 1
		jnz	short loc_4504A2
		mov	eax, [esp+190h+var_160]
		and	eax, 0FFFFFDFFh
		or	eax, 820h
		jmp	short loc_4504B9
; 

loc_4504A2:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+879j
					; MiCopyOnWrite(x,x,x,x)+880j
		mov	eax, [esp+190h+var_160]
		or	eax, 42h
		and	eax, 0FFFFFDFFh
		or	eax, 820h
		jmp	short loc_4504B9
; 

loc_4504B5:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+86Bj
		mov	eax, [esp+190h+var_160]

loc_4504B9:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+890j
					; MiCopyOnWrite(x,x,x,x)+8A3j
		and	edi, 1FFFFFFh
		mov	word ptr [esp+190h+var_A4], 0
		xor	esi, esi
		mov	[esp+190h+var_98], 0
		shld	esi, edi, 0Ch
		and	edx, 0FFFFFFE0h
		mov	[esp+190h+var_A0], 21h
		or	esi, edx
		shl	edi, 0Ch
		mov	edx, [esp+190h+var_174]
		lea	ecx, [esp+190h+var_A8]
		and	eax, 0FFFh
		mov	[esp+190h+var_15C], esi
		or	edi, eax
		mov	[esp+190h+var_94], 0
		mov	eax, [esp+190h+var_17C]
		and	edx, 0FFFFF000h
		push	0
		push	1
		mov	[esp+198h+var_160], edi
		mov	[esp+198h+var_A8], eax
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		test	bl, 20h
		jnz	loc_4505EE
		mov	eax, edi
		and	eax, 42h
		or	eax, 0
		jz	loc_4505EE
		mov	ebx, [esp+190h+var_168]
		mov	eax, edi
		and	eax, 0FFFFFFFEh
		or	eax, 400h
		mov	[ebx], eax
		nop
		lea	ecx, [esp+190h+var_A8]
		mov	[ebx+4], esi
		call	MiFlushTbList
		xor	edx, edx
		cmp	dword_6D07D0, 0C0000000h
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	ebx, 0C0603000h
		jb	short loc_4505D9
		cmp	ebx, eax
		jnb	short loc_4505D9
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_4505A7
		cmp	byte ptr word_6D07B8+1,	0
		mov	edx, 1
		jnz	short loc_4505D9
		mov	eax, edi
		and	eax, edx
		or	eax, 0
		jz	short loc_4505D9
		jmp	short loc_4505D3
; 

loc_4505A7:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+97Cj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_4505D9
		mov	ecx, [esp+190h+var_160]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_4505D9
		mov	esi, [esp+190h+var_15C]
		mov	edi, ecx

loc_4505D3:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+995j
		or	esi, 80000000h

loc_4505D9:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+96Fj
					; MiCopyOnWrite(x,x,x,x)+973j ...
		mov	[ebx+4], esi
		nop
		mov	[ebx], edi
		test	edx, edx
		jz	short loc_450605
		push	esi
		push	edi
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	short loc_450605
; 

loc_4505EE:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+91Fj
					; MiCopyOnWrite(x,x,x,x)+92Dj
		mov	ecx, [esp+190h+var_168]
		push	esi
		push	edi
		call	MI_INTERLOCKED_EXCHANGE_PTE
		lea	ecx, [esp+190h+var_A8]
		call	MiFlushTbList

loc_450605:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+9D1j
					; MiCopyOnWrite(x,x,x,x)+9DCj
		mov	edi, [esp+190h+var_17C]
		cmp	edi, 1
		jnz	short loc_45061D
		mov	eax, [esp+190h+var_144]
		mov	ecx, edi
		add	eax, 14Ch
		lock xadd [eax], ecx

loc_45061D:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+9FCj
		mov	ebx, [esp+190h+var_180]
		mov	[esp+190h+var_11C], 0
		lea	esi, [ebx+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_450648

loc_450633:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+A2Fj
					; MiCopyOnWrite(x,x,x,x)+A36j
		lea	ecx, [esp+190h+var_11C]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_450633
		lock bts dword ptr [esi], 1Fh
		jb	short loc_450633

loc_450648:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+A21j
		test	edi, edi
		jnz	short loc_45065E
		cmp	[esp+190h+var_140], edi
		jnz	short loc_45065E
		mov	al, [ebx+17h]
		test	al, 8
		jz	short loc_45065E
		and	al, 0F7h
		mov	[ebx+17h], al

loc_45065E:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+A3Aj
					; MiCopyOnWrite(x,x,x,x)+A40j ...
		mov	al, [ebx+16h]
		and	al, 7
		cmp	al, 6
		jnz	loc_45075C
		mov	ecx, [esi]
		mov	edx, ecx
		and	edx, 3FFFFFFFh
		mov	eax, ecx
		dec	edx
		xor	eax, edx
		and	eax, 3FFFFFFFh
		xor	eax, ecx
		mov	[esi], eax
		test	edx, edx
		jnz	short loc_45068E
		mov	ecx, ebx
		call	_MiPfnShareCountIsZero@8 ; MiPfnShareCountIsZero(x,x)

loc_45068E:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+A75j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		test	byte ptr [esp+190h+var_170], 2
		jz	short loc_4506A8
		mov	edx, [esp+190h+var_13C]
		call	_MiDecrementCombinedPte@8 ; MiDecrementCombinedPte(x,x)
		jmp	short loc_4506E7
; 

loc_4506A8:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+A8Bj
		mov	eax, [esp+190h+var_16C]
		test	byte ptr [eax+60h], 7
		jnz	short loc_4506FB
		mov	edx, [esp+190h+var_144]
		mov	ecx, [edx+148h]
		test	ecx, ecx
		jz	short loc_4506FB
		mov	eax, [esp+190h+var_13C]

loc_4506C4:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+AC7j
		cmp	eax, [ecx+10h]
		ja	short loc_4506D2
		cmp	eax, [ecx+0Ch]
		jnb	short loc_4506DB
		mov	ecx, [ecx]
		jmp	short loc_4506D5
; 

loc_4506D2:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+AB7j
		mov	ecx, [ecx+4]

loc_4506D5:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+AC0j
		test	ecx, ecx
		jnz	short loc_4506C4
		jmp	short loc_4506FB
; 

loc_4506DB:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+ABCj
		test	ecx, ecx
		jz	short loc_4506FB
		push	edx
		mov	edx, eax
		call	MiDecrementCloneBlockReference

loc_4506E7:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+A96j
		cmp	eax, 3
		jnz	short loc_4506FB
		push	4
		lea	edx, [eax-2]
		mov	ecx, offset _MiSystemPartition
		call	MiChargeCommit

loc_4506FB:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+AA0j
					; MiCopyOnWrite(x,x,x,x)+AAEj ...
		mov	ecx, [esp+190h+var_C]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_450714:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+187j
					; MiCopyOnWrite(x,x,x,x)+18Fj ...
		push	0
		push	ebx
		push	[esp+190h+var_16C]
		push	3300h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_450727:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+1A3j
		push	1
		push	ebx
		push	[esp+1A4h+var_180]
		push	3300h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_45073A:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+151j
					; MiCopyOnWrite(x,x,x,x)+15Aj
		push	2
		push	ebx
		push	[esp+1B8h+var_194]
		push	3300h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_45074D:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+614j
		push	edx
		push	edi
		push	ebx
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_45075C:				; CODE XREF: MiCopyOnWrite(x,x,x,x)+A55j
		mov	ecx, ebx
		call	_MiBadShareCount@4 ; MiBadShareCount(x)
		int	3		; Trap to Debugger
_MiCopyOnWrite@16 endp


;  S U B	R O U T	I N E 


; __stdcall PsGetPagePriorityThread(x)
_PsGetPagePriorityThread@4 proc	near	; CODE XREF: CcScheduleReadAheadEx+24Fp
					; CcPerformReadAhead+2E0p ...
		mov	eax, [ecx+2FCh]
		mov	ecx, [ecx+150h]
		shr	eax, 0Ch
		and	eax, 7
		test	dword ptr [ecx+0FCh], 100000h
		jnz	short loc_450783

locret_450782:				; CODE XREF: PsGetPagePriorityThread(x)+22j
		retn
; 

loc_450783:				; CODE XREF: PsGetPagePriorityThread(x)+1Cj
		cmp	eax, 2
		jb	short locret_450782
		push	2
		pop	eax
		retn
_PsGetPagePriorityThread@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckPteForWriteCluster(x, x, x, x, x, x,	x)
_MiCheckPteForWriteCluster@28 proc near	; CODE XREF: MiGetPageForWriteCluster(x,x,x,x,x,x,x,x)+2Dp
					; MiBuildReservationCluster(x,x,x,x)+48Ep

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	eax, edx
		mov	[ebp+var_4], ecx
		mov	edx, esi
		push	edi
		mov	ecx, eax
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		test	eax, eax
		jnz	short loc_4507B9

loc_4507AE:				; CODE XREF: MiCheckPteForWriteCluster(x,x,x,x,x,x,x)+F0j
		xor	eax, eax

loc_4507B0:				; CODE XREF: MiCheckPteForWriteCluster(x,x,x,x,x,x,x)+D7j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_4507B9:				; CODE XREF: MiCheckPteForWriteCluster(x,x,x,x,x,x,x)+1Cj
		mov	ecx, [eax+4]
		or	ecx, 80000000h
		cmp	[ebp+arg_0], ecx
		jnz	loc_45086D
		mov	ecx, [eax+18h]
		and	ecx, offset loc_7FFFFF
		cmp	[ebp+arg_4], ecx
		jnz	loc_45086D
		mov	cl, [eax+16h]
		and	cl, 7
		cmp	cl, 3
		jnz	loc_45086D
		cmp	word ptr [eax+14h], 0
		jnz	short loc_45086D
		mov	ecx, [eax+8]
		mov	edx, [ebp+arg_C]
		and	ecx, 0FFFFFC1Fh
		mov	ebx, [eax+0Ch]
		cmp	ecx, edx
		jnz	short loc_45086D
		mov	edi, [ebp+arg_10]
		cmp	ebx, edi
		jnz	short loc_45086D
		mov	ecx, dword_6D0700
		mov	ebx, edi
		mov	esi, dword_6D0704
		mov	[ebp+arg_4], ecx
		or	ecx, esi
		mov	[ebp+arg_0], esi
		mov	esi, [ebp+arg_8]
		jz	short loc_450839
		mov	ecx, edx
		and	ecx, 10h
		or	ecx, 0
		jnz	short loc_450839
		mov	ebx, [ebp+arg_0]
		not	ebx
		and	ebx, edi

loc_450839:				; CODE XREF: MiCheckPteForWriteCluster(x,x,x,x,x,x,x)+96j
					; MiCheckPteForWriteCluster(x,x,x,x,x,x,x)+A0j
		mov	ecx, [ebp+arg_4]
		or	ecx, [ebp+arg_0]
		jz	short loc_450851
		mov	ecx, edx
		and	ecx, 10h
		or	ecx, 0
		jnz	short loc_450851
		not	[ebp+arg_0]
		and	edi, [ebp+arg_0]

loc_450851:				; CODE XREF: MiCheckPteForWriteCluster(x,x,x,x,x,x,x)+AFj
					; MiCheckPteForWriteCluster(x,x,x,x,x,x,x)+B9j
		mov	edx, [ebp+var_4]
		and	edi, 1Fh
		shr	ebx, 5
		mov	ecx, edi
		mov	edx, [edx+4]
		mov	edx, [edx+ebx*4]
		sar	edx, cl
		test	dl, 1
		jz	loc_4507B0

loc_45086D:				; CODE XREF: MiCheckPteForWriteCluster(x,x,x,x,x,x,x)+35j
					; MiCheckPteForWriteCluster(x,x,x,x,x,x,x)+47j	...
		mov	cl, [esi]
		add	eax, 10h
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4507AE
_MiCheckPteForWriteCluster@28 endp

; 
		align 10h

; __stdcall MiLockTransitionLeafPage(x,	x)
_MiLockTransitionLeafPage@8:		; CODE XREF: MiCheckPteForWriteCluster(x,x,x,x,x,x,x)+15p
					; .text:00459359p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		push	esi
		push	edi
		mov	edi, edx
		mov	eax, ecx
		mov	[esp+14h], edi
		mov	[esp+0Ch], eax
		lea	esp, [esp+0]

loc_4508B0:				; CODE XREF: .text:004508FDj
					; .text:00450925j ...
		mov	esi, [eax]
		mov	[esp+24h], esi
		nop
		mov	eax, [eax+4]
		mov	[esp+10h], eax
		cmp	edi, 1
		jbe	short loc_4508E1
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jnz	loc_450A0F
		mov	eax, esi
		and	eax, 400h
		or	eax, 0
		jnz	loc_450A0F

loc_4508E1:				; CODE XREF: .text:004508C1j
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jz	loc_450A0F
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		mov	eax, [esp+0Ch]
		jnz	short loc_4508B0
		mov	eax, esi
		or	eax, [esp+10h]
		jz	short loc_450927
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edx, dword_6D0704
		or	eax, edx
		jz	short loc_450927
		and	edx, [esp+10h]
		and	ecx, esi
		or	ecx, edx
		mov	eax, [esp+0Ch]
		jz	short loc_4508B0

loc_450927:				; CODE XREF: .text:00450905j
					; .text:00450917j
		mov	eax, dword_6D0700
		mov	edx, esi
		mov	edi, dword_6D0704
		mov	ecx, [esp+10h]
		mov	[esp+1Ch], eax
		or	eax, edi
		mov	[esp+20h], edi
		mov	edi, ecx
		jz	short loc_450966
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_450962
		mov	esi, [esp+1Ch]
		mov	ecx, [esp+20h]
		not	esi
		not	ecx
		and	esi, edx
		and	ecx, edi
		jmp	short loc_450966
; 

loc_450962:				; CODE XREF: .text:0045094Ej
		mov	esi, edx
		mov	ecx, edi

loc_450966:				; CODE XREF: .text:00450944j
					; .text:00450960j
		mov	edi, [esp+14h]
		mov	eax, [esp+0Ch]
		shrd	esi, ecx, 0Ch
		and	esi, 3FFFFFFh
		cmp	esi, dword_6D07B0
		ja	loc_4508B0
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		mov	eax, [esp+0Ch]
		jz	loc_4508B0
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		lea	eax, [eax+ecx*4]
		mov	[esp+18h], eax
		lea	esi, [eax+10h]
		cmp	edi, 1
		jbe	short loc_4509FE
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+0Bh], al
		mov	dword ptr [esp+20h], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4509FA
		lea	ecx, [ecx+0]

loc_4509E0:				; CODE XREF: .text:004509EDj
					; .text:004509F4j
		lea	ecx, [esp+20h]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4509E0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4509E0
		mov	al, [esp+0Bh]

loc_4509FA:				; CODE XREF: .text:004509DBj
		mov	[edi], al
		jmp	short loc_450A39
; 

loc_4509FE:				; CODE XREF: .text:004509C0j
		lock bts dword ptr [esi], 1Fh
		setb	al
		cmp	edi, 1
		jnz	short loc_450A17
		test	al, al
		jz	short loc_450A39

loc_450A0F:				; CODE XREF: .text:004508CBj
					; .text:004508DBj ...
		xor	eax, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_450A17:				; CODE XREF: .text:00450A09j
		mov	dword ptr [esp+1Ch], 0
		test	al, al
		jz	short loc_450A39

loc_450A23:				; CODE XREF: .text:00450A30j
					; .text:00450A37j
		lea	ecx, [esp+1Ch]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_450A23
		lock bts dword ptr [esi], 1Fh
		jb	short loc_450A23

loc_450A39:				; CODE XREF: .text:004509FCj
					; .text:00450A0Dj ...
		mov	ecx, [esp+0Ch]
		mov	eax, [ecx]
		nop
		mov	edx, [esp+24h]
		mov	ecx, [ecx+4]
		cmp	eax, edx
		jnz	short loc_450A51
		cmp	ecx, [esp+10h]
		jz	short loc_450A7B

loc_450A51:				; CODE XREF: .text:00450A49j
		mov	eax, 7FFFFFFFh
		cmp	edi, 1
		jbe	short loc_450A6F
		mov	cl, [edi]
		lock and [esi],	eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+0Ch]
		jmp	loc_4508B0
; 

loc_450A6F:				; CODE XREF: .text:00450A59j
		lock and [esi],	eax
		mov	eax, [esp+0Ch]
		jmp	loc_4508B0
; 

loc_450A7B:				; CODE XREF: .text:00450A4Fj
		cmp	edi, 1
		mov	edi, [esp+18h]
		ja	short loc_450A9F
		mov	ecx, [edi+4]
		mov	eax, ecx
		mov	esi, [esp+0Ch]
		or	eax, 80000000h
		cmp	eax, esi
		jz	short loc_450A9F
		test	dword ptr [edi+18h], (offset loc_7FFFFF+1)
		jz	short loc_450AA7

loc_450A9F:				; CODE XREF: .text:00450A82j
					; .text:00450A94j
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_450AA7:				; CODE XREF: .text:00450A9Dj
		push	ecx
		push	edx
		push	esi
		push	411h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCountSharedPages(x, x, x)
_MiCountSharedPages@12 proc near	; CODE XREF: .text:00452C4Ap
					; MiDeletePartialVad+DD4CCp ...

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
var_56		= byte ptr -56h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, large fs:124h
		mov	[ebp+var_6C], ecx
		push	ebx
		push	esi
		mov	ecx, [eax+80h]
		xor	ebx, ebx
		mov	al, [ecx+2A0h]
		add	ecx, 240h
		and	al, 7
		mov	[ebp+var_7C], ecx
		mov	esi, edx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_74], edi
		cmp	al, 4
		jbe	short loc_450B17
		cmp	al, 5
		jz	short loc_450B17
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_5D], al
		jmp	short loc_450B72
; 

loc_450B17:				; CODE XREF: MiCountSharedPages(x,x,x)+44j
					; MiCountSharedPages(x,x,x)+48j
		mov	edi, offset unk_6D3C40
		cmp	al, 2
		jz	short loc_450B26
		lea	edi, [ecx+80h]

loc_450B26:				; CODE XREF: MiCountSharedPages(x,x,x)+5Ej
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_5D], al
		jz	short loc_450B45
		mov	dl, al
		mov	ecx, edi
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	short loc_450B64
; 

loc_450B45:				; CODE XREF: MiCountSharedPages(x,x,x)+78j
		mov	edx, [edi]
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_450B64
		mov	dl, [ebp+var_5D]
		mov	ecx, edi
		call	ExpWaitForSpinLockSharedAndAcquire

loc_450B64:				; CODE XREF: MiCountSharedPages(x,x,x)+83j
					; MiCountSharedPages(x,x,x)+98j
		add	edi, 4
		cmp	[edi], ebx
		jz	short loc_450B6F
		xor	eax, eax
		xchg	eax, [edi]

loc_450B6F:				; CODE XREF: MiCountSharedPages(x,x,x)+A9j
		mov	edi, [ebp+var_74]

loc_450B72:				; CODE XREF: MiCountSharedPages(x,x,x)+55j
		cmp	esi, edi
		ja	loc_450EC9
		mov	eax, edi
		shl	eax, 9
		mov	[ebp+var_90], eax
		lea	eax, [edi+8]
		mov	[ebp+var_84], eax
		mov	edi, 861h
		jmp	short loc_450BA0
; 
		align 10h

loc_450BA0:				; CODE XREF: MiCountSharedPages(x,x,x)+D3j
					; MiCountSharedPages(x,x,x)+3F2j
		push	4Ch		; size_t
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_98], 0
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_94], 0
		call	_memset
		mov	edx, esi
		mov	word ptr [ebp+var_5C], di
		shl	edx, 9
		add	esp, 0Ch
		mov	eax, edx
		cmp	edx, 0C0000000h
		jb	short loc_450BE8

loc_450BD7:				; CODE XREF: MiCountSharedPages(x,x,x)+126j
		cmp	eax, 0C07FFFFFh
		ja	short loc_450BE8
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	short loc_450BD7

loc_450BE8:				; CODE XREF: MiCountSharedPages(x,x,x)+115j
					; MiCountSharedPages(x,x,x)+11Cj
		cmp	eax, dword_6D07D0
		jb	short loc_450C0E
		cmp	eax, dword_6D2E88
		jb	short loc_450C00
		cmp	eax, dword_6D2E8C
		jbe	short loc_450C0E

loc_450C00:				; CODE XREF: MiCountSharedPages(x,x,x)+136j
		mov	ecx, 1
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	ecx, eax
		jmp	short loc_450C20
; 

loc_450C0E:				; CODE XREF: MiCountSharedPages(x,x,x)+12Ej
					; MiCountSharedPages(x,x,x)+13Ej
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		add	ecx, 240h

loc_450C20:				; CODE XREF: MiCountSharedPages(x,x,x)+14Cj
		mov	eax, 865h
		mov	[ebp+var_4C], ecx
		mov	word ptr [ebp+var_5C], ax
		lea	ecx, [ebp+var_5C]
		lea	eax, [ebp+var_98]
		mov	[ebp+var_50], 0
		mov	[ebp+var_14], eax
		mov	al, byte ptr [ebp+var_5C+2]
		and	al, 0E7h
		mov	[ebp+var_18], offset _MiGetNextPageTableTail@4 ; MiGetNextPageTableTail(x)
		or	al, 4
		mov	[ebp+var_48], edx
		mov	byte ptr [ebp+var_5C+2], al
		mov	al, [ebp+var_5D]
		mov	[ebp+var_56], al
		mov	eax, [ebp+var_90]
		mov	[ebp+var_44], eax
		call	MiWalkPageTables
		mov	edi, [ebp+var_94]
		test	edi, edi
		jnz	short loc_450C7C
		mov	[ebp+var_78], edi
		mov	edi, [ebp+var_84]
		jmp	short loc_450C90
; 

loc_450C7C:				; CODE XREF: MiCountSharedPages(x,x,x)+1AFj
		mov	edx, edi
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		sub	edx, 40000000h
		mov	[ebp+var_78], edx

loc_450C90:				; CODE XREF: MiCountSharedPages(x,x,x)+1BAj
		mov	eax, [ebp+var_6C]
		mov	eax, [eax+1Ch]
		mov	ecx, eax
		and	al, 70h
		shr	ecx, 7
		cmp	al, 20h
		jnz	short loc_450CC9
		mov	eax, ecx
		and	al, 1Fh
		cmp	al, 1
		jz	short loc_450CC9
		cmp	esi, edi
		jnb	short loc_450CDC
		lea	ecx, [ecx+0]

loc_450CB0:				; CODE XREF: MiCountSharedPages(x,x,x)+205j
		mov	ecx, [ebp+var_6C]
		mov	edx, esi
		call	_MiPteNeedsCommitCharge@8 ; MiPteNeedsCommitCharge(x,x)
		cmp	eax, 1
		jnz	short loc_450CC0
		inc	ebx

loc_450CC0:				; CODE XREF: MiCountSharedPages(x,x,x)+1FDj
		add	esi, 8
		cmp	esi, edi
		jb	short loc_450CB0
		jmp	short loc_450CDC
; 

loc_450CC9:				; CODE XREF: MiCountSharedPages(x,x,x)+1DFj
					; MiCountSharedPages(x,x,x)+1E7j
		and	ecx, 5
		cmp	cl, 5
		jz	short loc_450CDA
		mov	eax, edi
		sub	eax, esi
		sar	eax, 3
		add	ebx, eax

loc_450CDA:				; CODE XREF: MiCountSharedPages(x,x,x)+20Fj
		mov	esi, edi

loc_450CDC:				; CODE XREF: MiCountSharedPages(x,x,x)+1EBj
					; MiCountSharedPages(x,x,x)+207j
		cmp	esi, [ebp+var_84]
		jz	loc_450EBA
		mov	edx, esi
		shl	edx, 9
		mov	[ebp+var_68], edx

loc_450CF0:				; CODE XREF: MiCountSharedPages(x,x,x)+378j
		mov	edi, [esi]
		mov	[ebp+var_8C], 0
		mov	[ebp+var_88], 0
		nop
		mov	ecx, [esi+4]
		mov	eax, edi
		or	eax, ecx
		mov	[ebp+var_64], ecx
		jnz	short loc_450D2B
		mov	ecx, [ebp+var_6C]
		mov	edx, esi
		call	_MiPteNeedsCommitCharge@8 ; MiPteNeedsCommitCharge(x,x)
		cmp	eax, 1
		jnz	loc_450E20
		jmp	loc_450E1F
; 

loc_450D2B:				; CODE XREF: MiCountSharedPages(x,x,x)+251j
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		mov	eax, edi
		jz	short loc_450D97
		and	eax, 200h
		or	eax, 0
		jnz	loc_450E20
		nop
		mov	eax, ds:_MmPfnDatabase
		shrd	edi, ecx, 0Ch
		and	edi, 1FFFFFFh
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		lea	edi, [eax+ecx*4]
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_450E20
		mov	ecx, [ebp+var_6C]
		lea	eax, [ebp+var_80]
		push	eax
		push	0
		shr	edx, 0Ch
		call	MiGetProtoPteAddress
		mov	ecx, [edi+4]
		or	ecx, 80000000h
		cmp	ecx, eax
		jnz	loc_450E20
		jmp	loc_450E1F
; 

loc_450D97:				; CODE XREF: MiCountSharedPages(x,x,x)+275j
		and	eax, 400h
		or	eax, 0
		jz	short loc_450E20
		push	ecx
		push	edi
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jnz	short loc_450E11
		mov	eax, dword_6D0704
		mov	ecx, dword_6D0700
		mov	edx, [ebp+var_64]
		mov	[ebp+var_70], eax
		mov	eax, ecx
		or	eax, [ebp+var_70]
		jz	short loc_450DDD
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_450DDA
		mov	eax, [ebp+var_70]
		not	eax
		and	eax, edx
		mov	[ebp+var_64], eax
		jmp	short loc_450DDD
; 

loc_450DDA:				; CODE XREF: MiCountSharedPages(x,x,x)+30Cj
		mov	[ebp+var_64], edx

loc_450DDD:				; CODE XREF: MiCountSharedPages(x,x,x)+302j
					; MiCountSharedPages(x,x,x)+318j
		mov	edx, [ebp+var_68]
		lea	eax, [ebp+var_80]
		mov	edi, [ebp+var_6C]
		mov	ecx, edi
		push	eax
		push	0
		shr	edx, 0Ch
		call	MiGetProtoPteAddress
		cmp	[ebp+var_64], eax
		jnz	short loc_450E20
		mov	eax, [edi+1Ch]
		and	al, 70h
		cmp	al, 20h
		jnz	short loc_450E1F
		mov	edx, esi
		mov	ecx, edi
		call	_MiPteNeedsCommitCharge@8 ; MiPteNeedsCommitCharge(x,x)
		cmp	eax, 1
		jnz	short loc_450E20
		jmp	short loc_450E1F
; 

loc_450E11:				; CODE XREF: MiCountSharedPages(x,x,x)+2EAj
		and	edi, 0A0h
		cmp	edi, 0A0h
		jz	short loc_450E20

loc_450E1F:				; CODE XREF: MiCountSharedPages(x,x,x)+266j
					; MiCountSharedPages(x,x,x)+2D2j ...
		inc	ebx

loc_450E20:				; CODE XREF: MiCountSharedPages(x,x,x)+260j
					; MiCountSharedPages(x,x,x)+27Fj ...
		add	[ebp+var_68], 1000h
		add	esi, 8
		test	esi, 0FFFh
		jz	short loc_450E3E
		mov	edx, [ebp+var_68]
		cmp	esi, [ebp+var_74]
		jbe	loc_450CF0

loc_450E3E:				; CODE XREF: MiCountSharedPages(x,x,x)+370j
		mov	edx, [ebp+var_78]
		lea	eax, [ebp+var_68]
		mov	ecx, [ebp+var_7C]
		push	eax
		mov	[ebp+var_64], ebx
		mov	[ebp+var_88], esi
		mov	[ebp+var_68], 0
		call	MiGetPageTableLockBuffer
		mov	[ebp+var_70], eax
		mov	edi, 2
		mov	edx, [eax]
		mov	eax, [ebp+var_68]
		mov	ecx, eax
		shl	edi, cl
		mov	ecx, edx
		not	edi
		btr	ecx, eax
		mov	[ebp+var_80], edi
		and	ecx, edi
		mov	edi, [ebp+var_70]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	edi, [ebp+var_80]
		cmp	eax, edx
		jz	short loc_450EAA
		mov	esi, [ebp+var_70]
		mov	ebx, [ebp+var_68]

loc_450E90:				; CODE XREF: MiCountSharedPages(x,x,x)+3DFj
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, ebx
		and	ecx, edi
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_450E90
		mov	esi, [ebp+var_88]
		mov	ebx, [ebp+var_64]

loc_450EAA:				; CODE XREF: MiCountSharedPages(x,x,x)+3C8j
		mov	edi, 861h
		cmp	esi, [ebp+var_74]
		jbe	loc_450BA0
		jmp	short loc_450EC9
; 

loc_450EBA:				; CODE XREF: MiCountSharedPages(x,x,x)+222j
		mov	edx, [ebp+var_78]
		test	edx, edx
		jz	short loc_450EC9
		mov	ecx, [ebp+var_7C]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_450EC9:				; CODE XREF: MiCountSharedPages(x,x,x)+B4j
					; MiCountSharedPages(x,x,x)+3F8j ...
		mov	dl, [ebp+var_5D]
		mov	ecx, [ebp+var_7C]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_MiCountSharedPages@12 endp

; 
		align 10h

; __stdcall MiProtectPrivateMemory(x, x, x, x, x, x, x,	x)
_MiProtectPrivateMemory@32:		; CODE XREF: MmProtectVirtualMemory+3BDp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 110h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch], eax
		mov	eax, [ebp+18h]
		push	esi
		mov	esi, [ebp+8]
		push	edi
		mov	[esp+0Ch], eax
		mov	edi, edx
		mov	eax, [ebp+1Ch]
		push	98h
		mov	[esp+74h], eax
		lea	eax, [esp+7Ch]
		push	0
		push	eax
		mov	[esp+28h], ecx
		mov	[esp+1Ch], esi
		mov	dword ptr [esp+60h], 0
		mov	dword ptr [esp+78h], 0
		mov	dword ptr [esp+64h], 0
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		mov	dword ptr [esp+78h], 1
		mov	word ptr [esp+7Ch], 0
		mov	dword ptr [esp+88h], 0
		mov	dword ptr [esp+80h], 21h
		mov	dword ptr [esp+8Ch], 0
		mov	eax, [eax+80h]
		mov	[esp+20h], eax
		mov	dword ptr [esp+44h], 0
		mov	dword ptr [esp+50h], 1
		lea	ecx, [eax+240h]
		mov	dword ptr [esp+8], 2
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[esp+14h], eax
		mov	eax, esi
		mov	esi, [esp+1Ch]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	esi, [esi+1Ch]
		mov	[esp+38h], eax
		mov	eax, esi
		and	eax, offset loc_500000
		cmp	eax, offset loc_500000
		jnz	short loc_45101F
		mov	eax, esi
		shr	eax, 12h
		and	eax, 3
		mov	edx, ds:_MiVadPageSizes[eax*4]
		mov	eax, ds:_MiVadPageIndices[eax*4]
		mov	[esp+40h], edx
		sub	edx, 10h
		neg	edx
		mov	[esp+8], eax
		sbb	edx, edx
		and	edx, 0FFFFFFF1h
		add	edx, 10h
		mov	[esp+50h], edx
		jmp	short loc_451027
; 

loc_45101F:				; CODE XREF: .text:00450FECj
		mov	dword ptr [esp+40h], 1

loc_451027:				; CODE XREF: .text:0045101Dj
		shr	esi, 0Ch
		xor	eax, eax
		and	esi, 3Fh
		mov	[esp+28h], eax
		mov	[esp+5Ch], esi
		call	MiLockWorkingSetShared
		mov	edx, [esp+10h]
		mov	ecx, edi
		mov	[esp+2Ch], al
		lea	eax, [esp+44h]
		push	eax
		push	0
		push	dword ptr [esp+34h]
		push	dword ptr [esp+28h]
		call	_MiComputePageCommitment@24 ; MiComputePageCommitment(x,x,x,x,x,x)
		mov	edx, [esp+38h]
		sub	edx, [esp+14h]
		sar	edx, 3
		inc	edx
		cmp	eax, edx
		jz	short loc_451098
		mov	ecx, [esp+20h]
		mov	dl, [esp+2Ch]
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetShared
		mov	eax, 0C000002Dh
		pop	edi
		pop	esi
		mov	ecx, [esp+10Ch]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_451098:				; CODE XREF: .text:00451068j
		mov	edi, [esp+44h]
		test	edi, edi
		jz	short loc_4510D7
		mov	ecx, [esp+20h]
		mov	dl, [esp+2Ch]
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetShared
		mov	edx, edi
		mov	edi, [esp+20h]
		mov	ecx, edi
		call	MiChargeFullProcessCommitment
		test	eax, eax
		js	loc_451A6D
		lea	ecx, [edi+240h]
		call	MiLockWorkingSetShared
		mov	[esp+2Ch], al

loc_4510D7:				; CODE XREF: .text:0045109Ej
		mov	ecx, [esp+8]
		mov	edi, [esp+14h]
		mov	[esp+24h], edi
		test	ecx, ecx
		jnz	short loc_45111D
		mov	eax, 1
		sub	eax, ecx
		mov	ecx, [esp+38h]

loc_4510F2:				; CODE XREF: .text:00451113j
		shr	edi, 9
		shr	ecx, 9
		and	edi, offset loc_7FFFF8
		and	ecx, offset loc_7FFFF8
		sub	edi, 40000000h
		sub	ecx, 40000000h
		sub	eax, 1
		jnz	short loc_4510F2
		mov	[esp+38h], ecx
		mov	[esp+24h], edi

loc_45111D:				; CODE XREF: .text:004510E5j
		mov	eax, edi
		xor	edx, edx
		shr	eax, 9
		mov	ecx, edi
		push	0
		push	dword ptr [esp+30h]
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		push	esi
		mov	[esp+48h], eax
		call	MiMakeSystemAddressValid
		mov	ecx, [edi]
		nop
		or	ecx, [edi+4]
		jz	loc_4511CB
		lea	esp, [esp+0]

loc_451150:				; CODE XREF: .text:004511C9j
		mov	ecx, [esp+1Ch]
		lea	eax, [esp+6Ch]
		push	eax
		lea	eax, [esp+5Ch]
		mov	edx, edi
		push	eax
		lea	eax, [esp+5Ch]
		push	eax
		call	_MiGetPageProtection@20	; MiGetPageProtection(x,x,x,x,x)
		cmp	dword ptr [esp+54h], 0
		jz	loc_451357
		mov	ecx, [esp+20h]
		mov	edx, [esp+3Ch]
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	ecx, [esp+20h]
		mov	dl, [esp+2Ch]
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetShared
		mov	ecx, [esp+54h]
		call	MiFaultInPagedPool
		mov	ecx, [esp+20h]
		lea	ecx, [ecx+240h]
		call	MiLockWorkingSetShared
		push	0
		push	dword ptr [esp+30h]
		xor	edx, edx
		mov	ecx, edi
		push	esi
		call	MiMakeSystemAddressValid
		mov	ecx, [edi]
		nop
		or	ecx, [edi+4]
		jnz	short loc_451150

loc_4511CB:				; CODE XREF: .text:00451146j
		mov	ecx, [esp+1Ch]
		mov	eax, [ecx+1Ch]
		shr	eax, 7
		and	eax, 1Fh
		mov	eax, ds:_MmProtectToValue[eax*4]
		mov	[esp+10h], eax
		call	MI_GET_GRAPHICS_PROTECTION_FROM_VAD
		mov	ecx, eax
		xor	edx, edx
		mov	eax, [esp+10h]
		mov	[esp+58h], ecx

loc_4511F4:				; CODE XREF: .text:0045136Bj
		or	eax, ecx
		mov	ecx, [esp+0Ch]
		mov	[ecx], eax
		cmp	edi, [esp+38h]
		ja	loc_451A29

loc_451206:				; CODE XREF: .text:00451A23j
		test	edi, 0FFFh
		jz	short loc_451217
		cmp	edx, 1
		jnz	loc_4512A2

loc_451217:				; CODE XREF: .text:0045120Cj
		xor	eax, eax
		mov	[esp+28h], eax
		cmp	[esp+3Ch], eax
		jz	short loc_45123F
		lea	ecx, [esp+78h]
		call	MiFlushTbList
		mov	ecx, [esp+20h]
		mov	edx, [esp+3Ch]
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_45123F:				; CODE XREF: .text:00451221j
		mov	ecx, [esp+20h]
		lea	ecx, [ecx+240h]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_45125B
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_45127D

loc_45125B:				; CODE XREF: .text:00451250j
		mov	ecx, [esp+20h]
		mov	dl, [esp+2Ch]
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetShared
		mov	ecx, [esp+20h]
		lea	ecx, [ecx+240h]
		call	MiLockWorkingSetShared

loc_45127D:				; CODE XREF: .text:00451259j
		mov	eax, edi
		lea	edx, [esp+78h]
		shr	eax, 9
		mov	ecx, edi
		push	0
		push	dword ptr [esp+30h]
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		push	esi
		mov	[esp+48h], eax
		call	MiMakeSystemAddressValid

loc_4512A2:				; CODE XREF: .text:00451211j
		mov	edx, [edi]
		mov	dword ptr [esp+30h], 0
		mov	dword ptr [esp+34h], 0
		mov	[esp+8], edx
		nop
		mov	ecx, [edi+4]
		mov	eax, edx
		and	eax, 1
		mov	[esp+30h], ecx
		or	eax, 0
		mov	[esp+60h], edx
		mov	[esp+64h], ecx
		jz	loc_45142D
		nop
		mov	eax, ds:_MmPfnDatabase
		shrd	edx, ecx, 0Ch
		and	edx, 1FFFFFFh
		mov	[esp+8], edx
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	ecx, [eax+ecx*4]
		mov	eax, [esp+1Ch]
		mov	[esp+10h], ecx
		mov	eax, [eax+1Ch]
		and	al, 70h
		cmp	al, 40h
		jnz	short loc_45131B
		mov	ecx, edi
		call	_MiRotatedToFrameBuffer@4 ; MiRotatedToFrameBuffer(x)
		cmp	eax, 1
		jz	loc_4513F9
		mov	ecx, [esp+10h]

loc_45131B:				; CODE XREF: .text:00451305j
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_451399
		lea	ecx, [esp+78h]
		call	MiFlushTbList
		mov	ecx, [esp+20h]
		mov	dl, [esp+2Ch]
		push	edi
		lea	ecx, [ecx+240h]
		call	_MiMakeProtoPrivate@12 ; MiMakeProtoPrivate(x,x,x)
		test	eax, eax
		jz	loc_451A1B
		cmp	eax, 1
		jnz	short loc_451370
		dec	dword ptr [esp+44h]
		jmp	loc_451A1B
; 

loc_451357:				; CODE XREF: .text:0045116Fj
		mov	eax, ds:_MmProtectToValue[eax*4]
		mov	edx, 1
		mov	ecx, [esp+58h]
		mov	[esp+28h], edx
		jmp	loc_4511F4
; 

loc_451370:				; CODE XREF: .text:0045134Cj
		mov	ecx, [esp+20h]
		mov	dword ptr [esp+3Ch], 0
		mov	dword ptr [esp+28h], 1
		lea	ecx, [ecx+240h]
		call	MiLockWorkingSetShared
		mov	edx, 1
		jmp	loc_451A1F
; 

loc_451399:				; CODE XREF: .text:00451322j
		test	dword ptr [ebp+10h], 101h
		jz	short loc_4513E6
		push	dword ptr [esp+70h]
		lea	eax, [esp+7Ch]
		mov	edx, edi
		push	ecx
		mov	ecx, [esp+24h]
		push	eax
		push	dword ptr [esp+44h]
		call	_MiMakeVaRangeNoAccess@24 ; MiMakeVaRangeNoAccess(x,x,x,x,x,x)
		mov	edx, [esp+28h]
		test	eax, eax
		jz	loc_451A1F
		mov	eax, [esp+14h]
		mov	ecx, [esp+40h]
		lea	eax, [eax+ecx*8]
		mov	[esp+14h], eax
		mov	eax, [esp+50h]
		lea	edi, [edi+eax*8]
		mov	[esp+24h], edi
		jmp	loc_451A1F
; 

loc_4513E6:				; CODE XREF: .text:004513A0j
		push	dword ptr [ebp+0Ch]
		mov	edx, ecx
		mov	ecx, [esp+20h]
		call	_MiUpdatePfnProtection@12 ; MiUpdatePfnProtection(x,x,x)
		mov	[ebp+0Ch], eax
		jmp	short loc_4513FC
; 

loc_4513F9:				; CODE XREF: .text:00451311j
		mov	eax, [ebp+0Ch]

loc_4513FC:				; CODE XREF: .text:004513F7j
		lea	ecx, [esp+78h]
		mov	edx, edi
		push	ecx
		mov	ecx, [esp+0Ch]
		push	ecx
		mov	ecx, [esp+24h]
		push	eax
		call	MiRevertValidPte
		mov	eax, [esp+14h]
		mov	ecx, [esp+40h]
		lea	eax, [eax+ecx*8]
		mov	[esp+14h], eax
		mov	eax, [esp+50h]
		lea	edi, [edi+eax*8]
		jmp	loc_451A17
; 

loc_45142D:				; CODE XREF: .text:004512D0j
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jz	short loc_451470
		lea	ecx, [esp+78h]
		call	MiFlushTbList
		push	dword ptr [esp+2Ch]
		mov	edx, 1
		mov	ecx, edi
		call	MiMakeProtoLeafValid
		test	eax, eax
		jns	short loc_451462
		add	dword ptr [esp+14h], 8
		add	edi, 8
		mov	[esp+24h], edi

loc_451462:				; CODE XREF: .text:00451454j
		mov	edx, 1
		mov	[esp+28h], edx
		jmp	loc_451A1F
; 

loc_451470:				; CODE XREF: .text:00451437j
		mov	eax, edx
		and	eax, 800h
		or	eax, 0
		jz	loc_451953
		mov	eax, [esp+1Ch]
		mov	ecx, edi
		mov	[esp+8], edi
		mov	edx, [eax+1Ch]
		mov	eax, edx
		and	eax, offset loc_500000
		cmp	eax, offset loc_500000
		jnz	loc_451687
		shr	edx, 12h
		and	edx, 3
		mov	eax, ds:_MiVadPageSizes[edx*4]
		mov	[esp+4Ch], eax
		sub	eax, 10h
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFF1h
		add	eax, 10h
		mov	[esp+30h], eax
		xor	eax, eax
		cmp	dword ptr [ebp+0Ch], 18h
		jz	loc_4517F5
		xor	esi, esi
		mov	[esp+18h], eax
		xor	edx, edx
		mov	[esp+10h], edx
		lea	esp, [esp+0]

loc_4514E0:				; CODE XREF: .text:00451672j
		test	edx, edx
		jnz	loc_451622
		mov	esi, [ecx]
		nop
		mov	eax, dword_6D0700
		mov	edx, esi
		mov	edi, dword_6D0704
		mov	ecx, [ecx+4]
		mov	[esp+18h], eax
		or	eax, edi
		mov	[esp+48h], edi
		mov	edi, ecx
		mov	[esp+0Ch], ecx
		jz	short loc_45152D
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_451529
		mov	esi, [esp+18h]
		mov	ecx, [esp+48h]
		not	esi
		not	ecx
		and	esi, edx
		and	ecx, edi
		jmp	short loc_45152D
; 

loc_451529:				; CODE XREF: .text:00451515j
		mov	esi, edx
		mov	ecx, edi

loc_45152D:				; CODE XREF: .text:0045150Bj
					; .text:00451527j
		mov	eax, ds:_MmPfnDatabase
		push	dword ptr [ebp+0Ch]
		shrd	esi, ecx, 0Ch
		and	esi, 3FFFFFFh
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		mov	edx, [eax+ecx*4+8]
		lea	eax, [eax+ecx*4]
		mov	edi, [eax+0Ch]
		mov	ecx, [esp+20h]
		mov	[esp+10h], eax
		mov	eax, edi
		mov	[esp+4Ch], edx
		shrd	edx, eax, 5
		and	edx, 1Fh
		call	MiSanitizePfnProtection
		mov	edx, eax
		mov	[esp+18h], eax
		mov	eax, [esp+48h]
		and	edx, 1Fh
		xor	ecx, ecx
		and	eax, 0FFFFFC1Fh
		shld	ecx, edx, 5
		shl	edx, 5
		or	ecx, edi
		or	edx, eax
		cmp	dword ptr [esp+4Ch], 200h
		mov	eax, [esp+0Ch]
		mov	[eax+0Ch], ecx
		mov	ecx, [esp+18h]
		mov	[eax+8], edx
		jb	short loc_4515AD
		or	ecx, 4000000h
		mov	[esp+18h], ecx

loc_4515AD:				; CODE XREF: .text:004515A1j
		mov	eax, [esp+1Ch]
		mov	eax, [eax+1Ch]
		and	eax, 300000h
		cmp	eax, 300000h
		jz	short loc_4515CA
		or	ecx, 80000000h
		mov	[esp+18h], ecx

loc_4515CA:				; CODE XREF: .text:004515BEj
		mov	eax, [esp+18h]
		mov	ecx, [esp+8]

loc_4515D2:				; CODE XREF: .text:00451623j
		push	eax
		mov	edx, esi
		call	MiMakeValidPte
		mov	ecx, [esp+8]
		mov	edi, eax
		mov	dword ptr [esp+0Ch], 0
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_451643
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_451625
		cmp	byte ptr word_6D07B8+1,	0
		mov	eax, 1
		mov	[esp+0Ch], eax
		jnz	short loc_451645

loc_45160C:				; CODE XREF: .text:0045163Bj
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		mov	eax, [esp+0Ch]
		jz	short loc_451645
		or	edx, 80000000h
		jmp	short loc_451645
; 

loc_451622:				; CODE XREF: .text:004514E2j
		inc	esi
		jmp	short loc_4515D2
; 

loc_451625:				; CODE XREF: .text:004515F8j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_45160C
		mov	eax, [esp+0Ch]
		jmp	short loc_451645
; 

loc_451643:				; CODE XREF: .text:004515EFj
		xor	eax, eax

loc_451645:				; CODE XREF: .text:0045160Aj
					; .text:00451618j ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], edi
		test	eax, eax
		jz	short loc_45165A
		push	edx
		push	edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	ecx, [esp+8]

loc_45165A:				; CODE XREF: .text:0045164Dj
		mov	edx, [esp+10h]
		add	ecx, 8
		mov	eax, [esp+18h]
		inc	edx
		mov	[esp+8], ecx
		mov	[esp+10h], edx
		cmp	edx, [esp+30h]
		jb	loc_4514E0
		mov	esi, [esp+5Ch]
		xor	eax, eax
		mov	edi, [esp+24h]
		jmp	loc_4517F5
; 

loc_451687:				; CODE XREF: .text:00451499j
		mov	ecx, [edi]
		mov	[esp+8], ecx
		nop
		mov	edx, [edi+4]
		mov	eax, ecx
		and	eax, 800h
		mov	[esp+0Ch], edx
		or	eax, 0
		jz	loc_4517F0

loc_4516A5:				; CODE XREF: .text:004517EAj
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	loc_4517D2
		mov	eax, ecx
		or	eax, edx
		jz	short loc_4516F1
		mov	edx, dword_6D0700
		mov	eax, edx
		mov	ecx, dword_6D0704
		or	eax, ecx
		mov	[esp+30h], ecx
		mov	ecx, [esp+8]
		jz	short loc_4516ED
		and	ecx, edx
		mov	edx, [esp+0Ch]
		mov	eax, edx
		and	eax, [esp+30h]
		or	ecx, eax
		jz	loc_4517D2
		mov	ecx, [esp+8]
		jmp	short loc_4516F1
; 

loc_4516ED:				; CODE XREF: .text:004516D1j
		mov	edx, [esp+0Ch]

loc_4516F1:				; CODE XREF: .text:004516B7j
					; .text:004516EBj
		mov	eax, dword_6D0700
		mov	edi, ecx
		mov	esi, dword_6D0704
		mov	ecx, edx
		mov	[esp+30h], eax
		mov	edx, edi
		mov	[esp+4Ch], esi
		or	eax, esi
		mov	esi, [esp+5Ch]
		mov	[esp+10h], ecx
		jz	short loc_45173A
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_451734
		mov	edi, [esp+30h]
		mov	ecx, [esp+4Ch]
		not	edi
		not	ecx
		and	edi, edx
		and	ecx, [esp+10h]
		jmp	short loc_45173A
; 

loc_451734:				; CODE XREF: .text:0045171Ej
		mov	ecx, [esp+10h]
		mov	edi, edx

loc_45173A:				; CODE XREF: .text:00451714j
					; .text:00451732j
		shrd	edi, ecx, 0Ch
		and	edi, 3FFFFFFh
		cmp	edi, dword_6D07B0
		ja	loc_4517CE
		mov	eax, dword_6D35B8
		mov	edx, edi
		shr	edx, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_4517CE
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		mov	dword ptr [esp+74h], 0
		lea	eax, [eax+ecx*4]
		mov	[esp+18h], eax
		lea	edi, [eax+10h]
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_4517A6

loc_451790:				; CODE XREF: .text:0045179Dj
					; .text:004517A4j
		lea	ecx, [esp+74h]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_451790
		lock bts dword ptr [edi], 1Fh
		jb	short loc_451790

loc_4517A6:				; CODE XREF: .text:0045178Ej
		mov	edx, [esp+24h]
		mov	eax, [edx]
		nop
		mov	ecx, [edx+4]
		mov	[esp+30h], ecx
		mov	ecx, [esp+8]
		cmp	eax, ecx
		jnz	short loc_4517C6
		mov	eax, [esp+0Ch]
		cmp	[esp+30h], eax
		jz	short loc_451819

loc_4517C6:				; CODE XREF: .text:004517BAj
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax

loc_4517CE:				; CODE XREF: .text:0045174Aj
					; .text:00451767j
		mov	edi, [esp+24h]

loc_4517D2:				; CODE XREF: .text:004516ADj
					; .text:004516E1j
		mov	ecx, [edi]
		mov	[esp+8], ecx
		nop
		mov	edx, [edi+4]
		mov	eax, ecx
		and	eax, 800h
		mov	[esp+0Ch], edx
		or	eax, 0
		jnz	loc_4516A5

loc_4517F0:				; CODE XREF: .text:0045169Fj
		mov	eax, 2

loc_4517F5:				; CODE XREF: .text:004514C7j
					; .text:00451682j ...
		mov	ecx, [esp+40h]
		cmp	ecx, 1
		jz	loc_451942
		mov	eax, [esp+14h]
		lea	eax, [eax+ecx*8]
		mov	[esp+14h], eax
		mov	eax, [esp+50h]
		lea	edi, [edi+eax*8]
		jmp	loc_451A17
; 

loc_451819:				; CODE XREF: .text:004517C4j
		mov	eax, [esp+18h]
		mov	eax, [eax+4]
		mov	[esp+30h], eax
		or	eax, 80000000h
		cmp	eax, edx
		jz	short loc_45183E
		mov	eax, [esp+18h]
		test	dword ptr [eax+18h], (offset loc_7FFFFF+1)
		jz	loc_451A96

loc_45183E:				; CODE XREF: .text:0045182Bj
		mov	eax, [edx]
		mov	[esp+4Ch], eax
		nop
		mov	ecx, [esp+18h]
		mov	eax, [edx+4]
		mov	edx, [ebp+0Ch]
		mov	[esp+48h], eax
		mov	eax, [ecx+8]
		mov	esi, [ecx+0Ch]
		mov	ecx, eax
		mov	[esp+30h], eax
		mov	eax, esi
		shrd	ecx, eax, 5
		mov	[esp+8], esi
		and	ecx, 1Fh
		cmp	edx, 18h
		jnz	short loc_451875
		mov	ecx, edx
		jmp	short loc_4518E7
; 

loc_451875:				; CODE XREF: .text:0045186Fj
		cmp	ecx, 18h
		jnz	short loc_4518A5
		mov	eax, [esp+1Ch]
		mov	ecx, [eax+1Ch]
		test	ecx, 100000h
		jz	short loc_45188E
		shr	ecx, 7
		jmp	short loc_451897
; 

loc_45188E:				; CODE XREF: .text:00451887j
		mov	eax, [eax+2Ch]
		movzx	ecx, word ptr [eax+10h]
		shr	ecx, 1

loc_451897:				; CODE XREF: .text:0045188Cj
		and	ecx, 1Fh
		mov	eax, ecx
		sub	ecx, 18h
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_4518A5:				; CODE XREF: .text:00451878j
		and	ecx, 18h
		jz	short loc_4518CE
		cmp	ecx, 10h
		jnz	short loc_4518B3
		mov	ecx, edx
		jmp	short loc_4518E4
; 

loc_4518B3:				; CODE XREF: .text:004518ADj
		cmp	ecx, 8
		jnz	short loc_4518C2
		mov	ecx, edx
		and	ecx, 0FFFFFFEFh
		or	ecx, 8
		jmp	short loc_4518E7
; 

loc_4518C2:				; CODE XREF: .text:004518B6j
		cmp	ecx, 18h
		mov	ecx, edx
		jnz	short loc_4518E7
		or	ecx, 18h
		jmp	short loc_4518E7
; 

loc_4518CE:				; CODE XREF: .text:004518A8j
		mov	eax, edx
		mov	ecx, edx
		and	eax, 18h
		cmp	eax, 18h
		jnz	short loc_4518DF
		and	ecx, 0FFFFFFE7h
		jmp	short loc_4518E7
; 

loc_4518DF:				; CODE XREF: .text:004518D8j
		cmp	eax, 8
		jnz	short loc_4518E7

loc_4518E4:				; CODE XREF: .text:004518B1j
		and	ecx, 0FFFFFFF7h

loc_4518E7:				; CODE XREF: .text:00451873j
					; .text:004518C0j ...
		mov	edx, [esp+18h]
		and	ecx, 1Fh
		mov	esi, [esp+30h]
		xor	eax, eax
		shld	eax, ecx, 5
		and	esi, 0FFFFFC1Fh
		or	[esp+8], eax
		shl	ecx, 5
		or	esi, ecx
		mov	[edx+8], esi
		mov	esi, [esp+8]
		mov	[edx+0Ch], esi
		mov	esi, [esp+4Ch]
		mov	edx, [esp+24h]
		and	esi, 0FFFFFC1Fh
		or	esi, ecx
		mov	ecx, [esp+48h]
		or	ecx, eax
		mov	[edx], esi
		nop
		mov	[edx+4], ecx
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	esi, [esp+5Ch]
		xor	eax, eax
		mov	edi, edx
		jmp	loc_4517F5
; 

loc_451942:				; CODE XREF: .text:004517FCj
		test	eax, eax
		jnz	loc_451A1B
		mov	eax, [esp+14h]
		jmp	loc_451A0D
; 

loc_451953:				; CODE XREF: .text:0045147Aj
		cmp	dword ptr [esp+40h], 1
		jnz	loc_451A83
		mov	eax, edx
		or	eax, ecx
		jnz	short loc_4519A1
		mov	eax, large fs:124h
		mov	edx, 1
		mov	ecx, [esp+14h]
		shr	ecx, 0Ch
		and	ecx, 7FFh
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		add	eax, 190h
		lea	ecx, [eax+ecx*2]
		call	_MiIncreaseUsedPtesCount@8 ; MiIncreaseUsedPtesCount(x,x)
		mov	eax, [esp+1Ch]
		mov	edx, [eax+1Ch]
		shr	edx, 7
		jmp	short loc_4519AB
; 

loc_4519A1:				; CODE XREF: .text:00451962j
		mov	eax, ecx
		shrd	edx, eax, 5
		mov	eax, [esp+1Ch]

loc_4519AB:				; CODE XREF: .text:0045199Fj
		push	dword ptr [ebp+0Ch]
		and	edx, 1Fh
		mov	ecx, eax
		call	MiSanitizePfnProtection
		mov	edx, [esp+30h]
		xor	ecx, ecx
		mov	[ebp+0Ch], eax
		and	eax, 1Fh
		shld	ecx, eax, 5
		shl	eax, 5
		mov	[esp+0Ch], ecx
		mov	ecx, [esp+8]
		mov	[esp+10h], eax
		mov	eax, ecx
		or	eax, edx
		jnz	short loc_4519EE
		push	dword ptr [esp+0Ch]
		push	dword ptr [esp+14h]
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, eax
		jmp	short loc_4519FC
; 

loc_4519EE:				; CODE XREF: .text:004519DBj
		and	ecx, 0FFFFFC1Fh
		or	ecx, [esp+10h]
		or	edx, [esp+0Ch]

loc_4519FC:				; CODE XREF: .text:004519ECj
		mov	eax, [esp+14h]
		mov	[esp+64h], edx
		mov	[esp+60h], ecx
		mov	[eax], ecx
		mov	[eax+4], edx

loc_451A0D:				; CODE XREF: .text:0045194Ej
		add	eax, 8
		add	edi, 8
		mov	[esp+14h], eax

loc_451A17:				; CODE XREF: .text:00451428j
					; .text:00451814j
		mov	[esp+24h], edi

loc_451A1B:				; CODE XREF: .text:00451343j
					; .text:00451352j ...
		mov	edx, [esp+28h]

loc_451A1F:				; CODE XREF: .text:00451394j
					; .text:004513C1j ...
		cmp	edi, [esp+38h]
		jbe	loc_451206

loc_451A29:				; CODE XREF: .text:00451200j
		lea	ecx, [esp+78h]
		call	MiFlushTbList
		mov	eax, [esp+3Ch]
		mov	esi, [esp+20h]
		test	eax, eax
		jz	short loc_451A4B
		mov	edx, eax
		lea	ecx, [esi+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_451A4B:				; CODE XREF: .text:00451A3Cj
		mov	dl, [esp+2Ch]
		lea	ecx, [esi+240h]
		call	MiUnlockWorkingSetShared
		mov	edi, [esp+44h]
		test	edi, edi
		jz	short loc_451A6B
		mov	edx, edi
		mov	ecx, esi
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)

loc_451A6B:				; CODE XREF: .text:00451A60j
		xor	eax, eax

loc_451A6D:				; CODE XREF: .text:004510C2j
		mov	ecx, [esp+114h]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_451A83:				; CODE XREF: .text:00451958j
		push	0
		push	edx
		push	dword ptr [esp+1Ch]
		push	44000h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_451A96:				; CODE XREF: .text:00451838j
		push	dword ptr [esp+30h]
		push	ecx
		push	edx
		push	411h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 2 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdatePfnProtection(x, x,	x)
_MiUpdatePfnProtection@12 proc near	; CODE XREF: .text:004513EFp
					; MiSetReadOnlyOnSectionView(x,x,x,x)+2E3p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		mov	[ebp+var_4], 0
		lea	esi, [ebx+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_451AE6

loc_451AD1:				; CODE XREF: MiUpdatePfnProtection(x,x,x)+2Dj
					; MiUpdatePfnProtection(x,x,x)+34j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_451AD1
		lock bts dword ptr [esi], 1Fh
		jb	short loc_451AD1

loc_451AE6:				; CODE XREF: MiUpdatePfnProtection(x,x,x)+1Fj
		mov	edi, [ebx+8]
		mov	edx, edi
		mov	eax, [ebx+0Ch]
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_4], eax
		shrd	edx, eax, 5
		and	edx, 1Fh
		call	MiSanitizePfnProtection
		mov	edx, eax
		mov	[ebp+var_8], eax
		and	edx, 1Fh
		xor	eax, eax
		shld	eax, edx, 5
		mov	ecx, edi
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_4]
		shl	edx, 5
		or	ecx, eax
		jnz	short loc_451B31
		push	[ebp+arg_0]
		push	edx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebx+8], eax
		mov	[ebx+0Ch], edx
		jmp	short loc_451B42
; 

loc_451B31:				; CODE XREF: MiUpdatePfnProtection(x,x,x)+6Ej
		and	edi, 0FFFFFC1Fh
		or	edi, edx
		or	eax, [ebp+arg_0]
		mov	[ebx+8], edi
		mov	[ebx+0Ch], eax

loc_451B42:				; CODE XREF: MiUpdatePfnProtection(x,x,x)+7Fj
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiUpdatePfnProtection@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLinkPoolCommitChain proc near		; CODE XREF: MiCommitPoolMemory+79p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005AFD38 SIZE 00000175 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	ebx, ecx
		mov	edi, esi
		mov	[ebp+var_8], ebx
		and	edi, 0FFFFF000h
		add	edi, 0FF8h
		mov	eax, [ebx+20h]
		mov	[ebp+var_4], edi
		cmp	edi, eax
		jbe	short loc_451B8F
		mov	edi, eax
		mov	[ebp+var_4], eax

loc_451B8F:				; CODE XREF: MiLinkPoolCommitChain+28j
		test	byte ptr [ebx+2Eh], 4
		jnz	loc_5AFD48
		mov	eax, [ebx+18h]
		mov	edx, edi
		sub	edx, esi
		mov	ecx, esi
		push	1
		sar	edx, 3
		push	eax
		inc	edx
		call	MiFlushTbAsNeeded
		mov	ebx, [ebx+10h]
		cmp	esi, edi
		ja	short loc_451C16
		jmp	short loc_451BC0
; 
		align 10h

loc_451BC0:				; CODE XREF: MiLinkPoolCommitChain+55j
					; MiLinkPoolCommitChain+B4j
		mov	edi, [esi]
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 0
		nop
		mov	ecx, [esi+4]
		mov	eax, edi
		and	eax, 0C01h
		or	eax, 0
		jnz	short loc_451C28
		mov	eax, edi
		and	eax, 3E0h
		or	eax, 0
		jnz	short loc_451C28
		test	ebx, ebx
		jz	short loc_451C23
		lea	eax, [ebx+3FC00000h]
		sar	eax, 3

loc_451BF9:				; CODE XREF: MiLinkPoolCommitChain+C6j
		push	eax
		push	0
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		or	eax, 3E0h
		mov	[esi], eax
		nop
		mov	[esi+4], edx
		mov	ebx, esi

loc_451C0E:				; CODE XREF: MiLinkPoolCommitChain+D1j
		add	esi, 8
		cmp	esi, [ebp+var_4]
		jbe	short loc_451BC0

loc_451C16:				; CODE XREF: MiLinkPoolCommitChain+53j
		mov	eax, [ebp+var_8]
		mov	[eax+10h], ebx

loc_451C1C:				; CODE XREF: MiLinkPoolCommitChain+15E348j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_451C23:				; CODE XREF: MiLinkPoolCommitChain+8Ej
		or	eax, 0FFFFFFFFh
		jmp	short loc_451BF9
; 

loc_451C28:				; CODE XREF: MiLinkPoolCommitChain+7Ej
					; MiLinkPoolCommitChain+8Aj
		push	ecx
		push	edi
		call	_MiIsPoolPteCommitInProgress@8 ; MiIsPoolPteCommitInProgress(x,x)
		test	eax, eax
		jz	short loc_451C0E
		jmp	loc_5AFD38
MiLinkPoolCommitChain endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiQueryAddressSpan(x, x, x,	x)
_MiQueryAddressSpan@16 proc near	; CODE XREF: MmQueryVirtualMemory+4EEp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	[esp+40h+var_8], edx
		mov	edi, ecx
		mov	[esp+40h+var_24], 0
		mov	eax, [esi+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		mov	[esp+40h+var_18], 0
		inc	eax
		mov	[esp+40h+var_30], 0
		mov	[esp+40h+var_1C], 0
		mov	[esp+40h+var_20], 0
		mov	[esp+40h+var_14], 0
		mov	[esp+40h+var_C], 0
		mov	[esp+40h+var_4], 0
		mov	[esp+40h+var_10], 0
		cmp	ebx, eax
		ja	short loc_451CB6
		test	ebx, ebx
		jnz	short loc_451CB8

loc_451CB6:				; CODE XREF: MiQueryAddressSpan(x,x,x,x)+70j
		mov	ebx, eax

loc_451CB8:				; CODE XREF: MiQueryAddressSpan(x,x,x,x)+74j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		add	eax, 240h
		mov	ecx, eax
		mov	[esp+40h+var_28], eax
		call	MiLockWorkingSetShared
		mov	ecx, [esp+40h+var_8]
		lea	edx, [ebx-1]
		mov	byte ptr [esp+40h+var_2C], al
		lea	eax, [esp+40h+var_1C]
		push	eax
		lea	eax, [esp+44h+var_30]
		push	eax
		lea	eax, [esp+48h+var_C]
		push	eax
		lea	eax, [esp+4Ch+var_20]
		push	eax
		lea	eax, [esp+50h+var_24]
		push	eax
		mov	eax, [esp+54h+var_2C]
		push	0
		push	esi
		push	eax
		call	_MiQueryAddressState@40	; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)
		mov	[edi+10h], eax
		mov	eax, [esp+40h+var_24]
		test	eax, eax
		jz	loc_451DAA
		mov	eax, ds:_MmProtectToValue[eax*4]
		mov	[edi+14h], eax
		or	eax, [esp+40h+var_20]

loc_451D22:				; CODE XREF: MiQueryAddressSpan(x,x,x,x)+16Cj
		mov	[edi+14h], eax
		mov	esi, [esp+40h+var_30]
		cmp	esi, ebx
		jnb	short loc_451D92
		lea	ecx, [ecx+0]

loc_451D30:				; CODE XREF: MiQueryAddressSpan(x,x,x,x)+150j
		lea	eax, [esp+40h+var_1C]
		mov	ecx, esi
		push	eax
		lea	eax, [esp+44h+var_30]
		push	eax
		lea	eax, [esp+48h+var_4]
		push	eax
		lea	eax, [esp+4Ch+var_14]
		push	eax
		lea	eax, [esp+50h+var_18]
		push	eax
		push	edi
		push	[ebp+arg_4]
		lea	edx, [ebx-1]
		push	[esp+5Ch+var_2C]
		call	_MiQueryAddressState@40	; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)
		cmp	eax, [edi+10h]
		jnz	short loc_451D92
		mov	eax, [esp+40h+var_18]
		cmp	eax, [esp+40h+var_24]
		jnz	short loc_451D92
		mov	eax, [esp+40h+var_14]
		cmp	eax, [esp+40h+var_20]
		jnz	short loc_451D92
		mov	eax, [esp+40h+var_10]
		mov	esi, [esp+40h+var_30]
		inc	eax
		mov	[esp+40h+var_10], eax
		test	al, 1Fh
		jz	short loc_451DB1

loc_451D85:				; CODE XREF: MiQueryAddressSpan(x,x,x,x)+17Cj
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	short loc_451DBE

loc_451D8E:				; CODE XREF: MiQueryAddressSpan(x,x,x,x)+194j
		cmp	esi, ebx
		jb	short loc_451D30

loc_451D92:				; CODE XREF: MiQueryAddressSpan(x,x,x,x)+EBj
					; MiQueryAddressSpan(x,x,x,x)+11Ej ...
		mov	dl, byte ptr [esp+40h+var_2C]
		mov	ecx, [esp+40h+var_28]
		call	MiUnlockWorkingSetShared
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_451DAA:				; CODE XREF: MiQueryAddressSpan(x,x,x,x)+CEj
		xor	eax, eax
		jmp	loc_451D22
; 

loc_451DB1:				; CODE XREF: MiQueryAddressSpan(x,x,x,x)+143j
		mov	ecx, [esp+40h+var_28]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jz	short loc_451D85

loc_451DBE:				; CODE XREF: MiQueryAddressSpan(x,x,x,x)+14Cj
		mov	dl, byte ptr [esp+40h+var_2C]
		mov	ecx, [esp+40h+var_28]
		call	MiUnlockWorkingSetShared
		mov	ecx, [esp+40h+var_28]
		call	MiLockWorkingSetShared
		jmp	short loc_451D8E
_MiQueryAddressSpan@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIsPrototypePteVadLookup(x, x)
_MiIsPrototypePteVadLookup@8 proc near	; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+145p
					; MiComputePageCommitment(x,x,x,x,x,x)+203p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		sub	esp, 8
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jz	short loc_451E2F
		mov	eax, dword_6D0704
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, dword_6D0700
		mov	ecx, edi
		or	ecx, eax
		jz	short loc_451E17
		mov	ecx, edx
		and	ecx, 10h
		or	ecx, 0
		jz	short loc_451E29

loc_451E17:				; CODE XREF: MiIsPrototypePteVadLookup(x,x)+2Bj
					; MiIsPrototypePteVadLookup(x,x)+4Dj
		pop	edi
		cmp	esi, 0FFFFFFFFh
		pop	esi
		jnz	short loc_451E2F
		mov	eax, 1

loc_451E23:				; CODE XREF: MiIsPrototypePteVadLookup(x,x)+51j
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_451E29:				; CODE XREF: MiIsPrototypePteVadLookup(x,x)+35j
		not	eax
		and	esi, eax
		jmp	short loc_451E17
; 

loc_451E2F:				; CODE XREF: MiIsPrototypePteVadLookup(x,x)+15j
					; MiIsPrototypePteVadLookup(x,x)+3Cj
		xor	eax, eax
		jmp	short loc_451E23
_MiIsPrototypePteVadLookup@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeFlushMultipleRangeTb proc near	; CODE XREF: .text:00453EB0p
					; MiDeleteVaTail+ACp ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00451FE3 SIZE 00000040 BYTES
; FUNCTION CHUNK AT 005AFEAD SIZE 000000D3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ds:_HvlEnlightenments
		mov	[ebp+var_1C], 0
		mov	byte ptr [ebp+var_20], 0
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		mov	ecx, ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	[ebp+var_24], ebx
		mov	[ebp+var_18], edx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		test	al, 4
		jnz	loc_5AFEAD

loc_451E80:				; CODE XREF: KeFlushMultipleRangeTb+1DEj
					; KeFlushMultipleRangeTb+15E07Cj
		xor	eax, eax
		mov	[ebp+var_3C], ebx
		mov	esi, ebx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		lea	ebx, [ebx+edx*4]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], ebx
		call	ecx
		mov	[ebp+var_11], al
		test	edi, edi
		jnz	loc_451FD3
		mov	edx, large fs:20h
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_2C], edi
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, [edx+4]
		mov	ecx, [eax+80h]
		mov	eax, [ecx+58h]
		mov	ebx, [ecx+60h]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+5Ch]
		mov	[ebp+var_C], eax
		mov	eax, [edx+3CCh]
		btr	ebx, eax
		mov	[ebp+var_8], ebx
		lea	edx, [ebp+var_10]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[ebx]
		mov	ebx, [ebp+var_30]
		movzx	eax, cl
		xor	ecx, ecx

loc_451F19:				; CODE XREF: KeFlushMultipleRangeTb+19Ej
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	loc_451FBE

loc_451F24:				; CODE XREF: KeFlushMultipleRangeTb+109j
					; KeFlushMultipleRangeTb+18Ej
		mov	edx, [esi]
		mov	edi, 1000h
		mov	eax, edx
		shr	eax, 0Ah
		and	eax, 3
		invlpg	byte ptr [edx]
		lea	ecx, [eax+eax*8]
		mov	eax, edx
		shl	edi, cl
		and	eax, 3FFh
		jnz	short loc_451F92

loc_451F44:				; CODE XREF: KeFlushMultipleRangeTb+15Dj
		add	esi, 4
		cmp	esi, ebx
		jb	short loc_451F24
		cmp	[ebp+var_1C], 0
		jnz	short loc_451F9F

loc_451F51:				; CODE XREF: KeFlushMultipleRangeTb+16Dj
					; KeFlushMultipleRangeTb+17Cj
		mov	cl, [ebp+var_11]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		mov	ebx, [ebp+var_24]
		mov	esi, [ebp+var_18]

loc_451F62:				; CODE XREF: KeFlushMultipleRangeTb+15E10Cj
		mov	eax, [ebp+arg_0]

loc_451F65:				; CODE XREF: KeFlushMultipleRangeTb+15E0FFj
		cmp	ds:_VmTbFlushEnabled, 0
		jnz	loc_5AFF51

loc_451F72:				; CODE XREF: KeFlushMultipleRangeTb+15E11Bj
		cmp	_ExTbFlushActive, 0
		jnz	loc_5AFF60

loc_451F7F:				; CODE XREF: KeFlushMultipleRangeTb+15E13Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_451F92:				; CODE XREF: KeFlushMultipleRangeTb+102j
					; KeFlushMultipleRangeTb+15Bj
		invlpg	byte ptr [edx+edi]
		add	edx, edi
		sub	eax, 1
		jnz	short loc_451F92
		jmp	short loc_451F44
; 

loc_451F9F:				; CODE XREF: KeFlushMultipleRangeTb+10Fj
		mov	eax, large fs:20h
		mov	ecx, [eax+2120h]
		test	ecx, ecx
		jz	short loc_451F51
		nop

loc_451FB0:				; CODE XREF: KeFlushMultipleRangeTb+17Aj
		pause
		mov	ecx, [eax+2120h]
		test	ecx, ecx
		jnz	short loc_451FB0
		jmp	short loc_451F51
; 

loc_451FBE:				; CODE XREF: KeFlushMultipleRangeTb+DEj
		push	ecx
		lea	eax, [ebp+var_3C]
		push	eax
		push	ecx
		push	offset _KiFlushTargetMultipleRangeTb@16	; KiFlushTargetMultipleRangeTb(x,x,x,x)
		call	_KiIpiSendFlushAwakePacket@24 ;	KiIpiSendFlushAwakePacket(x,x,x,x,x,x)
		jmp	loc_451F24
; 

loc_451FD3:				; CODE XREF: KeFlushMultipleRangeTb+66j
		mov	eax, ds:_KeNumberProcessors
		xor	edx, edx
		dec	eax
		lea	ecx, [edx+1]
		jmp	loc_451F19
KeFlushMultipleRangeTb endp

; 
; START	OF FUNCTION CHUNK FOR KeFlushMultipleRangeTb

loc_451FE3:				; CODE XREF: KeFlushMultipleRangeTb+15E06Fj
					; KeFlushMultipleRangeTb+15E084j ...
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_20]
		push	eax
		lea	edx, [ebp+var_1C]
		call	_KiPrepareFlushParameters@12 ; KiPrepareFlushParameters(x,x,x)
		mov	esi, [ebp+var_18]
		push	ebx
		push	esi
		push	1
		push	ecx
		push	[ebp+var_20]
		mov	ecx, edi
		call	_KiFlushAffinity@4 ; KiFlushAffinity(x)
		mov	ecx, [ebp+var_1C]
		mov	edx, eax
		call	_HvlFlushRangeListTb@28	; HvlFlushRangeListTb(x,x,x,x,x,x,x)
		test	al, al
		jnz	loc_5AFF33
		mov	ecx, ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	edx, esi
		jmp	loc_451E80
; END OF FUNCTION CHUNK	FOR KeFlushMultipleRangeTb
; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiBuildReservationCluster(x, x, x, x)
_MiBuildReservationCluster@16 proc near	; CODE XREF: MiGatherPagefilePages+1BCp

var_B0		= dword	ptr -0B0h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_88], edi
		mov	ebx, ecx
		mov	[ebp+var_34], ebx
		xor	eax, eax
		mov	[ebp+var_3C], 0
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], eax
		lea	edx, [ebp+var_84]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], eax
		mov	ecx, [edi+90h]
		mov	[ebp+var_74], eax
		mov	[ebp+var_A0], eax
		mov	[ebp+var_9C], eax
		mov	[ebp+var_98], eax
		mov	[ebp+var_94], eax
		mov	[ebp+var_90], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_54], eax
		movzx	eax, word ptr [edi+74h]
		and	eax, 0Fh
		mov	[ebp+var_1C], ecx
		lea	eax, [eax+eax*4]
		lea	esi, [ecx+eax*4]
		mov	ecx, edi
		mov	[ebp+var_18], esi
		call	_MiRefPageFileSpaceBitmaps@8 ; MiRefPageFileSpaceBitmaps(x,x)
		mov	edi, [esi+748h]
		xor	eax, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_80]
		mov	[ebp+var_58], ebx
		mov	[ebp+var_30], eax
		cmp	edi, offset loc_7FFFFF
		jz	loc_452807
		mov	eax, [ebp+var_7C]
		mov	[ebp+var_50], eax
		lea	esp, [esp+0]

loc_4520E0:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+194j
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		lea	ebx, [eax+ecx*4]
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	byte ptr [ebp+var_1], al
		cmp	edi, [esi+748h]
		jz	short loc_45211B
		lea	ecx, [ebx+10h]
		mov	edx, 7FFFFFFFh
		lock and [ecx],	edx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4521B8
; 

loc_45211B:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+D1j
		mov	eax, [ebx+8]
		mov	ecx, dword_6D0700
		mov	edx, dword_6D0704
		mov	esi, [ebx+0Ch]
		mov	[ebp+var_24], eax
		mov	eax, ecx
		or	eax, edx
		jz	short loc_45214A
		mov	eax, [ebp+var_24]
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45214A
		not	ecx
		not	edx
		and	[ebp+var_24], ecx
		and	esi, edx

loc_45214A:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+104j
					; MiBuildReservationCluster(x,x,x,x)+10Fj
		lea	eax, [ebx+10h]
		mov	[ebp+var_40], eax
		cmp	esi, [ebp+var_30]
		jnb	loc_4527F6
		mov	edx, [ebp+var_50]
		mov	eax, esi
		shr	eax, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [edx+eax*4]
		sar	eax, cl
		mov	ecx, ebx
		test	al, 1
		jz	short loc_4521CF
		xor	edx, edx
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		mov	edi, [ebx+8]
		mov	edx, 8
		mov	esi, [ebx+0Ch]
		mov	eax, edi
		and	eax, 0FFFFFFFDh
		mov	ecx, ebx
		mov	[ebx+8], eax
		mov	[ebx+0Ch], esi
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		lea	eax, [ebx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_1C]
		xor	edx, edx
		push	esi
		push	edi
		call	MiReleasePageFileInfo
		mov	esi, [ebp+var_18]

loc_4521B8:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+E6j
		mov	edi, [esi+748h]
		cmp	edi, offset loc_7FFFFF
		jnz	loc_4520E0
		jmp	loc_452807
; 

loc_4521CF:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+13Fj
		mov	edx, 1
		call	MiReferencePageForModifiedWrite
		mov	eax, [ebp+var_34]
		mov	[eax], edi
		mov	edi, 1
		mov	eax, [ebp+arg_0]
		cmp	[eax], edi
		jnz	short loc_452203
		mov	eax, [ebp+var_40]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_45280B
; 

loc_452203:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+1B8j
		mov	eax, [ebx+4]
		or	eax, 80000000h
		mov	[ebp+var_38], eax
		mov	eax, [ebx+8]
		mov	[ebp+var_14], eax
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_20], eax
		mov	eax, [ebx+18h]
		and	eax, offset loc_7FFFFF
		mov	[ebp+var_60], eax
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		mov	ecx, eax
		mov	[ebp+var_64], eax
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	ecx, [ebp+var_64]
		mov	edx, edi
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		lea	eax, [ecx+10h]
		mov	ecx, 7FFFFFFFh
		mov	[ebp+var_8C], eax
		lock and [eax],	ecx
		lea	eax, [ebx+10h]
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_45229D
		mov	ecx, [ebp+var_38]
		lea	edx, [ebp+var_A0]
		push	0
		call	MiGetPageFileSectionForReservation
		test	eax, eax
		jz	loc_4527BB
		test	dword ptr [ebx+10h], 40000000h
		mov	[ebp+var_54], edi
		jnz	loc_4527BB

loc_45229D:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+243j
		mov	edx, edi
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	[ebp+var_4C], eax
		test	eax, eax
		jz	loc_4527BB
		mov	edx, [ebp+var_60]
		mov	ecx, eax
		push	20000001h
		call	MiMakeValidPte
		mov	ecx, [ebp+var_4C]
		mov	esi, eax
		xor	ebx, ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_45234D
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_4522F9
		cmp	byte ptr word_6D07B8+1,	0
		mov	ebx, edi
		jnz	short loc_45234D
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_45234D
		or	edx, 80000000h
		jmp	short loc_45234D
; 

loc_4522F9:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+2AAj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_452335
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_452335
		mov	eax, [ebp+var_7C]
		or	edx, 80000000h
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+var_80]
		mov	[ebp+var_30], eax
		mov	[ebp+var_28], ecx
		jmp	short loc_452347
; 

loc_452335:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+2DFj
					; MiBuildReservationCluster(x,x,x,x)+2E9j
		mov	eax, [ebp+var_7C]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+var_80]
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_10]
		mov	[ebp+var_28], eax

loc_452347:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+303j
		mov	eax, [ebp+var_8]
		mov	[ebp+var_C], eax

loc_45234D:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+2A1j
					; MiBuildReservationCluster(x,x,x,x)+2B5j ...
		mov	eax, [ebp+var_4C]
		mov	[eax+4], edx
		nop
		mov	[eax], esi
		test	ebx, ebx
		jz	short loc_452366
		push	edx
		push	esi
		mov	ecx, eax
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	eax, [ebp+var_4C]

loc_452366:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+328j
		mov	ecx, eax
		mov	eax, [ebp+var_38]
		shr	eax, 3
		shl	ecx, 9
		and	eax, 1FFh
		cmp	[ebp+var_54], 0
		mov	[ebp+var_18], ecx
		lea	eax, [ecx+eax*8]
		mov	[ebp+var_2C], eax
		jnz	short loc_45238C
		mov	edx, 0FF8h
		jmp	short loc_45239E
; 

loc_45238C:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+353j
		mov	edx, [ebp+var_94]
		shr	edx, 3
		and	edx, 1FFh
		shl	edx, 3

loc_45239E:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+35Aj
		mov	ecx, [ebp+arg_0]
		sub	edx, eax
		add	edx, [ebp+var_18]
		mov	ebx, [ebp+var_14]
		and	ebx, 0FFFFFC1Fh
		sar	edx, 3
		mov	ecx, [ecx]
		mov	esi, ebx
		mov	[ebp+var_1C], ecx
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_20]
		dec	eax
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_24], edx
		cmp	edx, eax
		jb	short loc_4523D2
		mov	edx, eax
		mov	[ebp+var_24], eax

loc_4523D2:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+39Bj
		mov	ebx, dword_6D0704
		mov	eax, dword_6D0700
		mov	[ebp+var_40], ebx
		or	eax, ebx
		mov	ebx, [ebp+var_14]
		mov	[ebp+var_8], ecx
		jz	short loc_452406
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_452403
		mov	ebx, [ebp+var_40]
		not	ebx
		and	ebx, ecx
		mov	[ebp+var_8], ebx
		mov	ebx, [ebp+var_14]
		jmp	short loc_452406
; 

loc_452403:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+3C2j
		mov	[ebp+var_8], ecx

loc_452406:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+3B8j
					; MiBuildReservationCluster(x,x,x,x)+3D1j
		xor	eax, eax
		mov	[ebp+var_40], 0
		mov	ecx, edx
		add	ecx, [ebp+var_8]
		adc	eax, eax
		test	eax, eax
		jb	short loc_452430
		mov	eax, [ebp+var_30]
		ja	short loc_452423
		cmp	ecx, eax
		jb	short loc_452430

loc_452423:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+3EDj
		mov	edx, eax
		mov	eax, [ebp+var_8]
		sub	edx, eax
		dec	edx
		mov	[ebp+var_24], edx
		jmp	short loc_452433
; 

loc_452430:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+3E8j
					; MiBuildReservationCluster(x,x,x,x)+3F1j
		mov	eax, [ebp+var_8]

loc_452433:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+3FEj
		mov	ecx, [ebp+var_2C]
		mov	[ebp+var_5C], ecx
		test	edx, edx
		jz	loc_4525CB
		mov	edx, [ebp+var_38]
		mov	ebx, [ebp+var_10]
		sub	edx, ecx
		mov	[ebp+var_6C], edx
		lea	esp, [esp+0]

loc_452450:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+592j
		add	[ebp+var_5C], 8
		add	eax, 1
		mov	[ebp+var_8], eax
		mov	eax, esi
		adc	[ebp+var_40], 0
		or	eax, ebx
		jnz	short loc_452468
		xor	esi, esi
		jmp	short loc_45248D
; 

loc_452468:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+432j
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edx, dword_6D0704
		or	eax, edx
		jz	short loc_45248D
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45248A
		not	ecx
		and	esi, ecx
		jmp	short loc_45248D
; 

loc_45248A:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+452j
		and	esi, 0FFFFFFEFh

loc_45248D:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+436j
					; MiBuildReservationCluster(x,x,x,x)+448j ...
		xor	eax, eax
		or	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	esi, eax
		mov	byte ptr [ebp+var_1], 0
		mov	ebx, edx
		mov	[ebp+var_3C], 1
		mov	edx, [ebp+var_5C]
		lea	eax, [ebp+var_1]
		push	ebx
		push	esi
		push	eax
		push	[ebp+var_60]
		mov	eax, [ebp+var_6C]
		lea	ecx, [ebp+var_80]
		add	eax, [ebp+var_5C]
		push	eax
		call	_MiCheckPteForWriteCluster@28 ;	MiCheckPteForWriteCluster(x,x,x,x,x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jnz	short loc_452543
		cmp	[ebp+var_28], 1Fh
		ja	loc_4525C8
		mov	eax, dword_6D0704
		mov	edx, ebx
		mov	ecx, dword_6D0700
		mov	[ebp+var_10], eax
		mov	eax, ecx
		or	eax, [ebp+var_10]
		mov	[ebp+var_18], ecx
		jz	short loc_452503
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_452501
		mov	edx, [ebp+var_10]
		not	edx
		and	edx, ebx
		jmp	short loc_452503
; 

loc_452501:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+4C6j
		mov	edx, ebx

loc_452503:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+4BCj
					; MiBuildReservationCluster(x,x,x,x)+4CFj
		mov	eax, [ebp+var_18]
		mov	ecx, ebx
		or	eax, [ebp+var_10]
		jz	short loc_452522
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_452520
		mov	ecx, [ebp+var_10]
		not	ecx
		and	ecx, ebx
		jmp	short loc_452522
; 

loc_452520:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+4E5j
		mov	ecx, ebx

loc_452522:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+4DBj
					; MiBuildReservationCluster(x,x,x,x)+4EEj
		mov	eax, [ebp+var_50]
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jnz	loc_4525C8
		mov	ecx, dword_6D34E0
		inc	[ebp+var_28]
		jmp	short loc_452576
; 

loc_452543:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+498j
		xor	edx, edx
		mov	ecx, eax
		call	MiReferencePageForModifiedWrite
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_3C], eax
		add	ecx, 10h
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_3C], 0
		jz	short loc_4525C8
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_28], 0

loc_452576:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+511j
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4525C8
		mov	ecx, [ebp+var_34]
		inc	edi
		mov	edx, [ebp+var_24]
		add	ecx, 4
		dec	edx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_24], edx
		mov	[ecx], eax
		cmp	eax, dword_6D34E4
		jnz	short loc_4525B2
		inc	[ebp+var_C]

loc_4525B2:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+57Dj
		cmp	[ebp+var_3C], 3
		jnz	short loc_4525BD
		cmp	edi, 10h
		jnb	short loc_4525C8

loc_4525BD:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+586j
		mov	eax, [ebp+var_8]
		test	edx, edx
		jnz	loc_452450

loc_4525C8:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+49Ej
					; MiBuildReservationCluster(x,x,x,x)+502j ...
		mov	ebx, [ebp+var_14]

loc_4525CB:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+40Bj
		sub	edi, [ebp+var_28]
		mov	eax, [ebp+var_C]
		sub	eax, [ebp+var_28]
		mov	edx, [ebp+var_1C]
		mov	esi, [ebp+var_2C]
		sub	edx, edi
		cmp	[ebp+var_54], 0
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		jnz	short loc_4525F2
		mov	ecx, esi
		and	ecx, 0FFFFF000h
		jmp	short loc_45260C
; 

loc_4525F2:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+5B6j
		mov	ecx, [ebp+var_98]
		mov	eax, [ebp+var_4C]
		shr	ecx, 3
		and	ecx, 1FFh
		shl	eax, 6
		add	ecx, eax
		shl	ecx, 3

loc_45260C:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+5C0j
		sub	esi, ecx
		sar	esi, 3
		cmp	esi, edx
		jb	short loc_452617
		mov	esi, edx

loc_452617:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+5E3j
		mov	eax, dword_6D0704
		mov	edx, dword_6D0700
		mov	ecx, [ebp+var_20]
		mov	[ebp+var_1C], eax
		mov	eax, edx
		or	eax, [ebp+var_1C]
		mov	[ebp+var_14], ecx
		jz	short loc_45264C
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_452646
		mov	ecx, [ebp+var_1C]
		not	ecx
		and	ecx, [ebp+var_20]
		jmp	short loc_452649
; 

loc_452646:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+60Aj
		mov	ecx, [ebp+var_20]

loc_452649:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+614j
		mov	[ebp+var_14], ecx

loc_45264C:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+600j
		xor	eax, eax
		mov	[ebp+var_6C], 0
		mov	edx, ecx
		mov	[ebp+var_1C], eax
		add	edx, 0FFFFFFFFh
		adc	eax, 0FFFFFFFFh
		cmp	[ebp+var_6C], eax
		jb	short loc_45266E
		ja	short loc_45266B
		cmp	esi, edx
		jbe	short loc_45266E

loc_45266B:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+635j
		lea	esi, [ecx-1]

loc_45266E:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+633j
					; MiBuildReservationCluster(x,x,x,x)+639j
		test	esi, esi
		jz	loc_452771
		mov	edx, [ebp+var_58]
		lea	eax, ds:0[edi*4]
		push	eax		; size_t
		push	edx		; void *
		lea	ecx, [edx+esi*4]
		push	ecx		; void *
		mov	[ebp+var_34], ecx
		call	_memmove
		mov	eax, [ebp+var_2C]
		add	esp, 0Ch
		sub	[ebp+var_38], eax
		mov	[ebp+var_10], 0
		mov	edi, edi

loc_4526A0:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+70Dj
		sub	eax, 8
		add	[ebp+var_14], 0FFFFFFFFh
		mov	[ebp+var_2C], eax
		mov	eax, ebx
		adc	[ebp+var_1C], 0FFFFFFFFh
		or	eax, [ebp+var_20]
		jnz	short loc_4526B9
		xor	ebx, ebx
		jmp	short loc_4526DE
; 

loc_4526B9:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+683j
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edx, dword_6D0704
		or	eax, edx
		jz	short loc_4526DE
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4526DB
		not	ecx
		and	ebx, ecx
		jmp	short loc_4526DE
; 

loc_4526DB:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+6A3j
		and	ebx, 0FFFFFFEFh

loc_4526DE:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+687j
					; MiBuildReservationCluster(x,x,x,x)+699j ...
		xor	eax, eax
		or	eax, [ebp+var_14]
		push	eax
		push	ebx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ebx, eax
		lea	ecx, [ebp+var_80]
		mov	eax, edx
		mov	edx, [ebp+var_2C]
		push	eax
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_3C]
		push	ebx
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_60]
		mov	eax, [ebp+var_38]
		add	eax, [ebp+var_2C]
		push	eax
		call	_MiGetPageForWriteCluster@32 ; MiGetPageForWriteCluster(x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_34]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_452743
		sub	ecx, 4
		dec	esi
		inc	edi
		mov	[ebp+var_34], ecx
		mov	[ecx], eax
		cmp	eax, dword_6D34E4
		jnz	short loc_45272D
		inc	[ebp+var_C]

loc_45272D:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+6F8j
		cmp	[ebp+var_3C], 3
		jnz	short loc_452738
		cmp	edi, 10h
		jnb	short loc_452743

loc_452738:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+701j
		mov	eax, [ebp+var_2C]
		test	esi, esi
		jnz	loc_4526A0

loc_452743:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+6E6j
					; MiBuildReservationCluster(x,x,x,x)+706j
		mov	eax, [ebp+var_10]
		sub	edi, eax
		mov	edx, [ebp+var_C]
		mov	ebx, [ebp+var_58]
		sub	edx, eax
		mov	[ebp+var_C], edx
		lea	ecx, [ecx+eax*4]
		mov	[ebp+var_8], edx
		cmp	ebx, ecx
		jz	short loc_452774
		lea	eax, ds:0[edi*4]
		push	eax		; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memmove
		add	esp, 0Ch
		jmp	short loc_452774
; 

loc_452771:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+640j
		mov	ebx, [ebp+var_58]

loc_452774:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+72Bj
					; MiBuildReservationCluster(x,x,x,x)+73Fj
		mov	eax, [ebx]
		mov	edx, dword_6D0700
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		mov	ebx, [eax+ecx*4+8]
		mov	esi, [eax+ecx*4+0Ch]
		mov	eax, edx
		mov	ecx, dword_6D0704
		or	eax, ecx
		jz	short loc_4527AC
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4527AC
		not	ecx
		and	esi, ecx

loc_4527AC:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+76Cj
					; MiBuildReservationCluster(x,x,x,x)+776j
		mov	edx, [ebp+var_4C]
		mov	ecx, offset dword_6D35E0
		push	1
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_4527BB:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+257j
					; MiBuildReservationCluster(x,x,x,x)+267j ...
		mov	ecx, [ebp+var_64]
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+var_64]
		mov	bl, al
		call	MiDecrementShareCount
		mov	eax, [ebp+var_8C]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_54], 0
		jz	short loc_45280B
		lea	ecx, [ebp+var_A0]
		call	_MiReleasePageFileSectionInfo@4	; MiReleasePageFileSectionInfo(x)
		jmp	short loc_45280B
; 

loc_4527F6:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+123j
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_452807:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+A0j
					; MiBuildReservationCluster(x,x,x,x)+19Aj
		xor	edi, edi
		xor	esi, esi

loc_45280B:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+1CEj
					; MiBuildReservationCluster(x,x,x,x)+7B7j ...
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		cmp	edi, ecx
		jnb	short loc_45286C
		test	edi, edi
		jz	short loc_45286C
		xor	eax, eax
		mov	edx, edi
		add	edx, esi
		adc	eax, eax
		test	eax, eax
		ja	short loc_45286C
		mov	ebx, [ebp+var_30]
		jb	short loc_45282D
		cmp	edx, ebx
		jnb	short loc_45286C

loc_45282D:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+7F7j
		xor	eax, eax
		mov	edx, ecx
		add	edx, esi
		adc	eax, eax
		test	eax, eax
		jb	short loc_452843
		ja	short loc_45283F
		cmp	edx, ebx
		jbe	short loc_452843

loc_45283F:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+809j
		sub	ebx, esi
		jmp	short loc_452845
; 

loc_452843:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+807j
					; MiBuildReservationCluster(x,x,x,x)+80Dj
		mov	ebx, ecx

loc_452845:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+811j
		mov	ecx, [ebp+var_88]
		lea	eax, [ebp+var_8]
		push	eax
		mov	eax, [ebp+var_58]
		lea	edx, [ebp+var_80]
		sub	ebx, edi
		lea	eax, [eax+edi*4]
		push	eax
		lea	eax, [esi+edi]
		push	eax
		push	ebx
		call	MiAddToReservationCluster
		mov	ebx, [ebp+var_8]
		add	edi, eax
		jmp	short loc_45286F
; 

loc_45286C:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+7E2j
					; MiBuildReservationCluster(x,x,x,x)+7E6j ...
		mov	ebx, [ebp+var_C]

loc_45286F:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+83Aj
		mov	ecx, [ebp+var_88]
		lea	edx, [ebp+var_84]
		push	0
		call	_MiDerefPageFileSpaceBitmaps@12	; MiDerefPageFileSpaceBitmaps(x,x,x)
		test	eax, eax
		jz	short loc_45288E
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_45288E:				; CODE XREF: MiBuildReservationCluster(x,x,x,x)+854j
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[eax], edi
		sub	edi, ebx
		mov	[ecx], edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_MiBuildReservationCluster@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSwizzleInvalidPte(x, x)
_MiSwizzleInvalidPte@8 proc near	; CODE XREF: MiMakeSystemRangeAvailable+F1p
					; MiMakeHyperPteDemandZero(x,x,x)+4Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, dword_6D0704
		push	edi
		mov	edi, dword_6D0700
		mov	eax, edi
		or	eax, ecx
		mov	eax, [ebp+arg_0]
		jz	short loc_4528F5
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	edx, ecx
		push	esi
		mov	esi, edi
		and	edx, ebx
		and	esi, eax
		or	esi, edx
		jnz	short loc_4528E9
		or	eax, edi
		or	ebx, ecx
		pop	esi
		mov	edx, ebx
		pop	ebx

loc_4528E4:				; CODE XREF: MiSwizzleInvalidPte(x,x)+48j
		pop	edi
		pop	ebp
		retn	8
; 

loc_4528E9:				; CODE XREF: MiSwizzleInvalidPte(x,x)+2Aj
		pop	esi
		mov	edx, ebx
		or	eax, 10h
		pop	ebx
		pop	edi
		pop	ebp
		retn	8
; 

loc_4528F5:				; CODE XREF: MiSwizzleInvalidPte(x,x)+19j
		mov	edx, [ebp+arg_4]
		jmp	short loc_4528E4
_MiSwizzleInvalidPte@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSanitizePfnProtection	proc near	; CODE XREF: .text:00451567p
					; .text:004519B3p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005AFF80 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	esi, 18h
		jz	short loc_45292E
		cmp	edx, 18h
		jz	short loc_452938

loc_452913:				; CODE XREF: MiSanitizePfnProtection+52j
					; MiSanitizePfnProtection+56j
		and	edx, 18h
		jnz	short loc_45295D
		mov	eax, esi
		and	eax, 18h
		cmp	eax, 18h
		jz	short loc_45296B
		cmp	eax, 8
		jz	short loc_452966

loc_452927:				; CODE XREF: MiSanitizePfnProtection+69j
					; MiSanitizePfnProtection+6Ej ...
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_45292E:				; CODE XREF: MiSanitizePfnProtection+Cj
		mov	eax, 18h
		pop	esi
		pop	ebp
		retn	4
; 

loc_452938:				; CODE XREF: MiSanitizePfnProtection+11j
		mov	edx, [ecx+1Ch]
		test	edx, 100000h
		jnz	short loc_452958
		mov	eax, [ecx+2Ch]
		movzx	edx, word ptr [eax+10h]
		shr	edx, 1

loc_45294C:				; CODE XREF: MiSanitizePfnProtection+5Bj
		and	edx, 1Fh
		cmp	edx, 18h
		jnz	short loc_452913
		xor	edx, edx
		jmp	short loc_452913
; 

loc_452958:				; CODE XREF: MiSanitizePfnProtection+41j
		shr	edx, 7
		jmp	short loc_45294C
; 

loc_45295D:				; CODE XREF: MiSanitizePfnProtection+16j
		cmp	edx, 10h
		jnz	loc_5AFF80

loc_452966:				; CODE XREF: MiSanitizePfnProtection+25j
		and	esi, 0FFFFFFF7h
		jmp	short loc_452927
; 

loc_45296B:				; CODE XREF: MiSanitizePfnProtection+20j
		and	esi, 0FFFFFFE7h
		jmp	short loc_452927
MiSanitizePfnProtection	endp

; 

; __stdcall MiSetProtectionOnSection(x,	x, x, x, x, x, x, x)
_MiSetProtectionOnSection@32:		; CODE XREF: MiMarkSharedImageCfgBits+FCp
					; MmProtectVirtualMemory+30Fp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1FCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1F8h], eax
		mov	eax, [ebp+18h]
		push	ebx
		mov	ebx, [ebp+0Ch]
		push	esi
		push	edi
		mov	edi, [ebp+8]
		mov	[esp+30h], eax
		mov	eax, [ebp+1Ch]
		push	98h
		mov	[esp+0C0h], eax
		lea	eax, [esp+16Ch]
		push	0
		push	eax
		mov	[esp+34h], edx
		mov	[esp+44h], ecx
		mov	[esp+48h], edi
		mov	[esp+60h], ebx
		mov	dword ptr [esp+0B0h], 0
		mov	dword ptr [esp+0B4h], 0
		mov	dword ptr [esp+98h], 0
		mov	dword ptr [esp+68h], 0
		mov	dword ptr [esp+0BCh], 0
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+0D0h]
		push	98h
		push	0
		push	eax
		call	_memset
		mov	edx, [ebp+10h]
		add	esp, 0Ch
		mov	dword ptr [esp+0ACh], 0
		cmp	edx, 800h
		jnb	loc_4540B5
		mov	eax, edx
		and	eax, 0Fh
		jz	short loc_452A4A
		test	dl, 0F0h
		jnz	loc_4540B5
		mov	al, byte ptr ds:_MmUserProtectionToMask1[eax]
		jmp	short loc_452A5E
; 

loc_452A4A:				; CODE XREF: .text:00452A37j
		mov	eax, edx
		shr	eax, 4
		and	eax, 0Fh
		jz	loc_4540B5
		mov	al, byte ptr ds:_MmUserProtectionToMask2[eax]

loc_452A5E:				; CODE XREF: .text:00452A48j
		movsx	ecx, al
		mov	[esp+40h], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	loc_4540B5
		test	edx, 700h
		jz	short loc_452AE1
		test	edx, 100h
		jz	short loc_452A9A
		cmp	ecx, 18h
		jz	loc_4540B5
		test	edx, 600h
		jnz	loc_4540B5
		or	ecx, 10h
		mov	[esp+40h], ecx

loc_452A9A:				; CODE XREF: .text:00452A7Cj
		test	edx, 200h
		jz	short loc_452AC1
		cmp	ecx, 18h
		jz	loc_4540B5
		mov	eax, edx
		and	eax, 400h
		jnz	loc_4540B5
		or	ecx, 8
		mov	[esp+40h], ecx
		jmp	short loc_452AC8
; 

loc_452AC1:				; CODE XREF: .text:00452AA0j
		mov	eax, edx
		and	eax, 400h

loc_452AC8:				; CODE XREF: .text:00452ABFj
		test	eax, eax
		jz	short loc_452AE5
		cmp	ecx, 18h
		jz	loc_4540B5
		test	cl, 2
		jnz	loc_4540B5
		or	ecx, 18h

loc_452AE1:				; CODE XREF: .text:00452A74j
		mov	[esp+40h], ecx

loc_452AE5:				; CODE XREF: .text:00452ACAj
		cmp	ecx, 0FFFFFFFFh
		jz	loc_4540B5
		xor	esi, esi
		mov	dword ptr [esp+0D0h], 1
		mov	eax, ecx
		mov	[esp+60h], esi
		and	eax, 5
		mov	[esp+64h], esi
		mov	[esp+0D4h], si
		mov	[esp+0E0h], esi
		mov	dword ptr [esp+0D8h], 21h
		mov	[esp+0E4h], esi
		mov	[esp+44h], ecx
		mov	[esp+70h], eax
		cmp	eax, 5
		jnz	short loc_452B3F
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		mov	[esp+44h], eax

loc_452B3F:				; CODE XREF: .text:00452B34j
		mov	ecx, large fs:124h
		mov	eax, edi
		shr	eax, 9
		xor	edx, edx
		and	eax, offset loc_7FFFF8
		mov	[esp+84h], ecx
		add	eax, 0C0000000h
		mov	dword ptr [esp+168h], 1
		mov	[esp+10h], eax
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	word ptr [esp+16Ch], 4
		sub	eax, 40000000h
		mov	[esp+178h], esi
		mov	[esp+68h], eax
		mov	eax, [esp+38h]
		mov	dword ptr [esp+170h], 21h
		mov	[esp+17Ch], esi
		mov	[esp+24h], edx
		mov	ecx, [eax+24Ch]
		mov	[esp+48h], edx
		lea	edx, [eax+240h]
		mov	[esp+94h], esi
		mov	[esp+2Ch], edx
		mov	eax, [ecx+88h]
		or	eax, [ecx+8Ch]
		mov	ecx, [esp+28h]
		jz	short loc_452C39
		mov	eax, [ecx+20h]
		and	eax, 7FFFFFFFh
		jz	short loc_452C39
		mov	ecx, edx
		call	MiLockWorkingSetShared
		mov	edx, [esp+54h]
		mov	bl, al
		lea	eax, [esp+48h]
		mov	[esp+6Ch], bl
		push	eax
		push	0
		push	dword ptr [esp+74h]
		mov	ecx, edi
		push	dword ptr [esp+34h]
		call	_MiComputePageCommitment@24 ; MiComputePageCommitment(x,x,x,x,x,x)
		mov	ecx, [esp+2Ch]
		mov	dl, bl
		call	MiUnlockWorkingSetShared
		mov	edx, [esp+48h]
		mov	[esp+24h], edx
		test	edx, edx
		jz	short loc_452C31
		mov	ecx, [esp+38h]
		call	MiChargeFullProcessCommitment
		test	eax, eax
		js	loc_4540BA

loc_452C31:				; CODE XREF: .text:00452C1Ej
		mov	ecx, [esp+28h]
		mov	ebx, [esp+54h]

loc_452C39:				; CODE XREF: .text:00452BD6j
					; .text:00452BE0j
		cmp	dword ptr [esp+70h], 5
		jnz	short loc_452CAC
		push	dword ptr [esp+68h]
		mov	edi, [esp+14h]
		mov	edx, edi
		call	_MiCountSharedPages@12 ; MiCountSharedPages(x,x,x)
		cmp	dword ptr [ebp+14h], 1
		mov	esi, eax
		jnz	short loc_452CCD
		mov	eax, [esp+68h]
		sub	eax, edi
		sar	eax, 3
		sub	eax, esi
		add	eax, 1
		mov	[esp+60h], eax
		jz	short loc_452CAA
		push	0
		mov	edx, eax
		mov	ecx, offset _MiSystemPartition
		call	MiChargeCommit
		test	eax, eax
		jnz	short loc_452CAA
		mov	edx, [esp+24h]
		test	edx, edx
		jz	short loc_452C8E
		mov	ecx, [esp+38h]
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)

loc_452C8E:				; CODE XREF: .text:00452C83j
		mov	eax, 0C000012Dh
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+1F8h]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_452CAA:				; CODE XREF: .text:00452C69j
					; .text:00452C7Bj
		xor	esi, esi

loc_452CAC:				; CODE XREF: .text:00452C3Ej
					; .text:00452CCFj ...
		mov	edi, [esp+28h]
		mov	eax, [edi+1Ch]
		test	eax, 100000h
		jz	short loc_452D0C
		test	al, 70h
		jnz	loc_452DF8
		cmp	dword ptr [edi+20h], 0
		jge	short loc_452D38
		jmp	loc_452DF8
; 

loc_452CCD:				; CODE XREF: .text:00452C55j
		test	esi, esi
		jz	short loc_452CAC
		mov	ecx, [esp+38h]
		mov	edx, esi
		call	MiChargeFullProcessCommitment
		mov	edi, eax
		test	edi, edi
		jns	short loc_452CAC
		mov	edx, [esp+24h]
		test	edx, edx
		jz	short loc_452CF3
		mov	ecx, [esp+38h]
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)

loc_452CF3:				; CODE XREF: .text:00452CE8j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+1F8h]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_452D0C:				; CODE XREF: .text:00452CB8j
		and	eax, 0F80h
		cmp	eax, 0C00h
		jnz	loc_452DF8
		mov	eax, [edi+2Ch]
		mov	eax, [eax]
		cmp	dword ptr [eax+20h], 0
		jnz	loc_452DF8
		test	dword ptr [eax+1Ch], 1000h
		jz	loc_452DF8

loc_452D38:				; CODE XREF: .text:00452CC6j
		mov	eax, [esp+84h]
		mov	dword ptr [esp+94h], 1
		dec	word ptr [eax+13Eh]
		nop
		mov	edi, [esp+38h]
		xor	edx, edx
		add	edi, 138h
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [esp+3Ch]
		mov	ecx, [esp+28h]
		push	ebx
		call	_MiCommitPageTablesForVad@12 ; MiCommitPageTablesForVad(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_452DF4
		or	edx, 0FFFFFFFFh
		lock xadd [edi], edx
		and	dl, 6
		cmp	dl, 2
		jnz	short loc_452D8F
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_452D8F:				; CODE XREF: .text:00452D86j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [esp+84h]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	dword ptr [esp+60h], 0
		jz	short loc_452DE1
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit

loc_452DB5:				; CODE XREF: .text:00452DE3j
		mov	esi, [esp+38h]

loc_452DB9:				; CODE XREF: .text:00452DF2j
		mov	edx, [esp+24h]
		test	edx, edx
		jz	short loc_452DC8
		mov	ecx, esi
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)

loc_452DC8:				; CODE XREF: .text:00452DBFj
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+1F8h]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_452DE1:				; CODE XREF: .text:00452DA7j
		test	esi, esi
		jz	short loc_452DB5
		mov	edx, esi
		mov	esi, [esp+38h]
		mov	ecx, esi
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)
		jmp	short loc_452DB9
; 

loc_452DF4:				; CODE XREF: .text:00452D77j
		mov	edi, [esp+28h]

loc_452DF8:				; CODE XREF: .text:00452CBCj
					; .text:00452CC8j ...
		test	esi, esi
		jz	short loc_452E0E
		mov	ecx, [edi+20h]
		lea	eax, [esi+ecx]
		xor	eax, ecx
		and	eax, 7FFFFFFFh
		xor	eax, ecx
		mov	[edi+20h], eax

loc_452E0E:				; CODE XREF: .text:00452DFAj
		mov	ecx, [esp+2Ch]
		mov	dword ptr [esp+54h], 1
		mov	dword ptr [esp+58h], 0
		mov	dword ptr [esp+50h], 0
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 4
		jbe	short loc_452E49
		cmp	al, 5
		jz	short loc_452E49
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+1Fh], al
		mov	[esp+6Ch], al
		jmp	short loc_452EA8
; 

loc_452E49:				; CODE XREF: .text:00452E31j
					; .text:00452E35j
		mov	esi, offset unk_6D3C40
		cmp	al, 2
		jz	short loc_452E58
		lea	esi, [ecx+80h]

loc_452E58:				; CODE XREF: .text:00452E50j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		mov	[esp+1Fh], bl
		jz	short loc_452E7A
		mov	dl, bl
		mov	ecx, esi
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	short loc_452E98
; 

loc_452E7A:				; CODE XREF: .text:00452E6Dj
		mov	edx, [esi]
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_452E98
		mov	dl, bl
		mov	ecx, esi
		call	ExpWaitForSpinLockSharedAndAcquire

loc_452E98:				; CODE XREF: .text:00452E78j
					; .text:00452E8Dj
		add	esi, 4
		cmp	dword ptr [esi], 0
		jz	short loc_452EA4
		xor	eax, eax
		xchg	eax, [esi]

loc_452EA4:				; CODE XREF: .text:00452E9Ej
		mov	[esp+6Ch], bl

loc_452EA8:				; CODE XREF: .text:00452E47j
		mov	edx, [esp+3Ch]
		lea	eax, [esp+0A4h]
		push	eax
		lea	eax, [esp+0ACh]
		mov	ecx, edx
		push	eax
		lea	eax, [esp+0B4h]
		push	eax
		lea	eax, [esp+0BCh]
		push	eax
		lea	eax, [esp+6Ch]
		push	eax
		push	0
		push	edi
		push	dword ptr [esp+88h]
		call	_MiQueryAddressState@40	; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)
		mov	eax, [esp+5Ch]
		mov	ecx, [esp+30h]
		mov	eax, ds:_MmProtectToValue[eax*4]
		mov	[ecx], eax
		mov	edi, [edi+1Ch]
		shr	edi, 0Ch
		and	edi, 3Fh
		or	esi, 0FFFFFFFFh
		mov	[esp+74h], edi

loc_452F03:				; CODE XREF: .text:00453525j
					; .text:0045352Cj ...
		mov	eax, [esp+10h]

loc_452F07:				; CODE XREF: .text:004538B6j
					; .text:00453B77j ...
		mov	ebx, 2
		cmp	eax, [esp+68h]
		ja	loc_453E46
		test	eax, 0FFFh
		jz	short loc_452F28
		cmp	dword ptr [esp+54h], 1
		jnz	loc_4533E5

loc_452F28:				; CODE XREF: .text:00452F1Bj
		cmp	dword ptr [esp+50h], 0
		mov	dword ptr [esp+54h], 0
		jz	short loc_452F50
		lea	ecx, [esp+0D0h]
		call	MiFlushTbList
		mov	edx, [esp+50h]
		mov	ecx, [esp+2Ch]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_452F50:				; CODE XREF: .text:00452F35j
		mov	ecx, [esp+2Ch]
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_452F68
		lea	eax, [ecx+80h]

loc_452F68:				; CODE XREF: .text:00452F60j
		mov	eax, [eax]
		test	eax, 40000000h
		jnz	short loc_452F7E
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_452F90
		mov	ecx, [esp+2Ch]

loc_452F7E:				; CODE XREF: .text:00452F6Fj
		mov	dl, [esp+1Fh]
		call	MiUnlockWorkingSetShared
		mov	ecx, [esp+2Ch]
		call	MiLockWorkingSetShared

loc_452F90:				; CODE XREF: .text:00452F78j
		mov	ecx, [esp+10h]
		mov	eax, large fs:124h
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		mov	eax, [eax+80h]
		mov	[esp+78h], eax
		lea	esi, [ecx-40000000h]
		mov	[esp+50h], esi
		lea	edx, [eax+240h]
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esp+20h], edx
		add	eax, 0C0000000h
		mov	[esp+88h], eax
		lea	eax, [ecx-40000000h]
		mov	[esp+4Ch], eax

loc_452FE1:				; CODE XREF: .text:004533D8j
		mov	eax, [esp+88h]
		mov	edi, 6
		mov	[esp+0C4h], eax
		mov	al, [edx+60h]
		and	al, 7
		mov	[esp+0C0h], esi
		mov	dword ptr [esp+34h], 0C0603018h
		mov	dword ptr [esp+0B4h], 0
		cmp	al, 2
		jb	short loc_453046
		cmp	al, 7
		jnz	short loc_45302B
		mov	dword ptr [esp+18h], offset unk_6D2E58
		xor	edi, edi
		mov	eax, [esp+18h]
		jmp	short loc_45305E
; 

loc_45302B:				; CODE XREF: .text:00453019j
		cmp	al, 5
		jnz	short loc_45303F
		mov	dword ptr [esp+18h], offset unk_6D2E54
		xor	edi, edi
		mov	eax, [esp+18h]
		jmp	short loc_45305E
; 

loc_45303F:				; CODE XREF: .text:0045302Dj
		mov	eax, offset unk_6D2DD4
		jmp	short loc_45305A
; 

loc_453046:				; CODE XREF: .text:00453015j
		test	al, al
		jnz	short loc_453054
		mov	eax, [edx+0Ch]
		add	eax, 0F10h
		jmp	short loc_45305A
; 

loc_453054:				; CODE XREF: .text:00453048j
		lea	eax, [edx+2A0h]

loc_45305A:				; CODE XREF: .text:00453044j
					; .text:00453052j
		mov	[esp+18h], eax

loc_45305E:				; CODE XREF: .text:00453029j
					; .text:0045303Dj
		mov	edx, [eax]
		mov	esi, [esp+18h]

loc_453064:				; CODE XREF: .text:0045309Dj
					; .text:004530BFj
		mov	ecx, edi
		shl	ebx, cl

loc_453068:				; CODE XREF: .text:004530D8j
		mov	eax, edx
		mov	ecx, edi
		shr	eax, cl
		test	al, 1
		jz	short loc_4530C1
		test	al, 2
		jz	short loc_45309F
		jmp	short loc_453080
; 
		align 10h

loc_453080:				; CODE XREF: .text:00453076j
					; .text:00453096j
		lea	ecx, [esp+0B4h]
		call	KeYieldProcessorEx
		mov	edx, [esi]
		mov	ecx, edi
		mov	eax, edx
		shr	eax, cl
		test	al, 1
		jnz	short loc_453080
		mov	ebx, 2
		jmp	short loc_453064
; 

loc_45309F:				; CODE XREF: .text:00453074j
		mov	ecx, edi
		mov	ebx, 2
		shl	ebx, cl
		mov	eax, edx
		or	ebx, edx
		mov	ecx, ebx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		mov	edx, ebx
		jz	short loc_4530BA
		mov	edx, eax

loc_4530BA:				; CODE XREF: .text:004530B6j
		mov	ebx, 2
		jmp	short loc_453064
; 

loc_4530C1:				; CODE XREF: .text:00453070j
		mov	ecx, edx
		mov	eax, ebx
		not	eax
		bts	ecx, edi
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_4530DA
		mov	edx, eax
		jmp	short loc_453068
; 

loc_4530DA:				; CODE XREF: .text:004530D4j
		mov	eax, [esp+0C4h]
		mov	ebx, 1
		mov	[esp+30h], ebx
		mov	[esp+3Ch], eax
		mov	ecx, [eax]
		nop
		mov	edx, [eax+4]
		lea	esi, [ebx-2]
		mov	edi, [esp+74h]
		mov	eax, ecx
		and	eax, ebx
		or	eax, 0
		jz	loc_453372
		mov	esi, [esp+3Ch]
		lea	esp, [esp+0]

loc_453110:				; CODE XREF: .text:00453365j
		mov	eax, ecx
		and	eax, 80h
		or	eax, 0
		jnz	loc_45336B
		mov	eax, ecx
		and	eax, 20h
		or	eax, 0
		jnz	short loc_453135
		push	edx
		push	ecx
		push	1
		mov	edx, esi
		call	MiPerformSafePdeWrite

loc_453135:				; CODE XREF: .text:00453128j
		cmp	esi, [esp+34h]
		jz	loc_453343
		mov	edx, [esp+20h]
		lea	eax, [esi+3FA00000h]
		sar	eax, 3
		xor	ebx, ebx
		lea	ecx, [eax+eax]
		mov	eax, ecx
		and	eax, 1Fh
		mov	[esp+24h], eax
		mov	al, [edx+60h]
		and	al, 7
		cmp	al, 2
		jb	short loc_4531BB
		cmp	esi, 0C0603018h
		jz	short loc_45317F
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_4531AF
		cmp	esi, 0C0603010h
		jnz	short loc_4531AF

loc_45317F:				; CODE XREF: .text:00453169j
		cmp	al, 7
		jnz	short loc_45318D
		mov	dword ptr [esp+18h], offset unk_6D2E58
		jmp	short loc_453199
; 

loc_45318D:				; CODE XREF: .text:00453181j
		cmp	al, 5
		jnz	short loc_4531AF
		mov	dword ptr [esp+18h], offset unk_6D2E54

loc_453199:				; CODE XREF: .text:0045318Bj
		mov	eax, [esp+18h]
		mov	ecx, 0C0603018h
		sub	ecx, esi
		sar	ecx, 3
		add	ecx, ecx
		mov	[esp+24h], ecx
		jmp	short loc_4531DD
; 

loc_4531AF:				; CODE XREF: .text:00453175j
					; .text:0045317Dj ...
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	short loc_4531D5
; 

loc_4531BB:				; CODE XREF: .text:00453161j
		shr	ecx, 5
		test	al, al
		jnz	short loc_4531CF
		mov	eax, [edx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h
		jmp	short loc_4531D5
; 

loc_4531CF:				; CODE XREF: .text:004531C0j
		add	ecx, 48h
		lea	eax, [edx+ecx*4]

loc_4531D5:				; CODE XREF: .text:004531B9j
					; .text:004531CDj
		mov	ecx, [esp+24h]
		mov	[esp+18h], eax

loc_4531DD:				; CODE XREF: .text:004531ADj
		mov	edx, [eax]
		mov	edi, [esp+18h]

loc_4531E3:				; CODE XREF: .text:0045322Aj
					; .text:00453245j ...
		mov	esi, 2
		shl	esi, cl
		lea	ebx, [ebx+0]

loc_4531F0:				; CODE XREF: .text:0045326Aj
		mov	eax, edx
		shr	eax, cl
		test	al, 1
		jz	short loc_45324B
		test	al, 2
		jz	short loc_45322C
		lea	esp, [esp+0]

loc_453200:				; CODE XREF: .text:00453228j
		inc	ebx
		test	ds:_HvlLongSpinCountMask, ebx
		jnz	short loc_45321E
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_45321E
		push	ebx
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		mov	ecx, [esp+24h]
		jmp	short loc_453220
; 

loc_45321E:				; CODE XREF: .text:00453207j
					; .text:00453210j
		pause

loc_453220:				; CODE XREF: .text:0045321Cj
		mov	edx, [edi]
		mov	eax, edx
		shr	eax, cl
		test	al, 1
		jnz	short loc_453200
		jmp	short loc_4531E3
; 

loc_45322C:				; CODE XREF: .text:004531FAj
		mov	esi, 2
		mov	eax, edx
		shl	esi, cl
		or	esi, edx
		mov	ecx, esi
		lock cmpxchg [edi], ecx
		mov	ecx, [esp+24h]
		cmp	eax, edx
		mov	edx, esi
		jz	short loc_4531E3
		mov	edx, eax
		jmp	short loc_4531E3
; 

loc_45324B:				; CODE XREF: .text:004531F6j
		mov	eax, [esp+24h]
		mov	ecx, edx
		bts	ecx, eax
		mov	eax, esi
		not	eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_45326C
		mov	ecx, [esp+24h]
		mov	edx, eax
		jmp	short loc_4531F0
; 

loc_45326C:				; CODE XREF: .text:00453262j
		mov	edx, [esp+34h]
		mov	ebx, [esp+20h]
		lea	eax, [edx+3FA00000h]
		sar	eax, 3
		lea	ecx, [eax+eax]
		mov	al, [ebx+60h]
		mov	esi, ecx
		and	al, 7
		and	esi, 1Fh
		cmp	al, 2
		jb	short loc_4532E4
		cmp	edx, 0C0603018h
		jz	short loc_4532AA
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_4532D8
		cmp	edx, 0C0603010h
		jnz	short loc_4532D8

loc_4532AA:				; CODE XREF: .text:00453294j
		cmp	al, 7
		jnz	short loc_4532C1
		mov	esi, 0C0603018h
		mov	ebx, offset unk_6D2E58
		sub	esi, edx
		sar	esi, 3
		add	esi, esi
		jmp	short loc_453302
; 

loc_4532C1:				; CODE XREF: .text:004532ACj
		cmp	al, 5
		jnz	short loc_4532D8
		mov	esi, 0C0603018h
		mov	ebx, offset unk_6D2E54
		sub	esi, edx
		sar	esi, 3
		add	esi, esi
		jmp	short loc_453302
; 

loc_4532D8:				; CODE XREF: .text:004532A0j
					; .text:004532A8j ...
		shr	ecx, 5
		lea	ebx, unk_6D2C54[ecx*4]
		jmp	short loc_453302
; 

loc_4532E4:				; CODE XREF: .text:0045328Cj
		shr	ecx, 5
		test	al, al
		jnz	short loc_4532F9
		mov	ebx, [ebx+0Ch]
		add	ebx, 0D90h
		lea	ebx, [ebx+ecx*4]
		jmp	short loc_453302
; 

loc_4532F9:				; CODE XREF: .text:004532E9j
		lea	ebx, [ebx+ecx*4]
		add	ebx, 120h

loc_453302:				; CODE XREF: .text:004532BFj
					; .text:004532D6j ...
		mov	edx, [ebx]
		mov	ecx, esi
		mov	eax, 2
		shl	eax, cl
		mov	ecx, edx
		not	eax
		btr	ecx, esi
		mov	[esp+34h], eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jz	short loc_453337

loc_453324:				; CODE XREF: .text:00453335j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, esi
		and	ecx, [esp+34h]
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_453324

loc_453337:				; CODE XREF: .text:00453322j
		mov	eax, [esp+3Ch]
		mov	ebx, [esp+30h]
		mov	[esp+34h], eax

loc_453343:				; CODE XREF: .text:00453139j
		test	ebx, ebx
		jz	short loc_45336B
		mov	esi, [esp+ebx*4+0BCh]
		dec	ebx
		mov	[esp+30h], ebx
		mov	[esp+3Ch], esi
		mov	ecx, [esi]
		nop
		mov	edx, [esi+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	loc_453110

loc_45336B:				; CODE XREF: .text:0045311Aj
					; .text:00453345j
		mov	edi, [esp+74h]
		or	esi, 0FFFFFFFFh

loc_453372:				; CODE XREF: .text:00453102j
		mov	eax, [esp+34h]
		cmp	eax, [esp+4Ch]
		jz	short loc_4533DD
		mov	ecx, [esp+20h]
		mov	edx, eax
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		lea	ecx, [esp+0D0h]
		call	MiFlushTbList
		mov	dl, [esp+1Fh]
		mov	ecx, [esp+20h]
		call	MiUnlockWorkingSetShared
		push	0
		push	0
		push	dword ptr [esp+18h]
		mov	eax, edi
		shl	eax, 19h
		or	eax, 1000002h
		push	eax
		call	MmAccessFault
		mov	ebx, eax
		test	ebx, ebx
		js	loc_4540D1
		mov	ecx, [esp+20h]
		call	MiLockWorkingSetShared
		mov	edx, [esp+20h]
		mov	ebx, 2
		mov	esi, [esp+50h]
		jmp	loc_452FE1
; 

loc_4533DD:				; CODE XREF: .text:0045337Aj
		mov	eax, [esp+48h]
		mov	[esp+24h], eax

loc_4533E5:				; CODE XREF: .text:00452F22j
		mov	ebx, [esp+10h]
		mov	edx, ebx
		shl	edx, 9
		mov	[esp+18h], edx
		mov	ebx, [ebx]
		nop
		mov	eax, [esp+10h]
		mov	ecx, [eax+4]
		mov	eax, ebx
		and	eax, 1
		mov	[esp+20h], ecx
		or	eax, 0
		jz	loc_453A20
		nop
		mov	eax, ebx
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		mov	[esp+88h], eax
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+ecx*4]
		mov	eax, edx
		shr	eax, 0Ch
		mov	[esp+20h], ecx
		mov	[esp+34h], eax
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_453544
		mov	eax, [ecx+4]
		mov	edx, [esp+34h]
		mov	ecx, [esp+28h]
		mov	[esp+4Ch], eax
		lea	eax, [esp+8Ch]
		push	eax
		push	0
		call	MiGetProtoPteAddress
		mov	edx, [esp+4Ch]
		mov	ecx, edx
		or	ecx, 80000000h
		cmp	ecx, eax
		jz	loc_45354E
		mov	eax, [esp+20h]
		xor	ebx, ebx
		test	dword ptr [eax+18h], 800000h
		jnz	short loc_453493
		test	edx, edx
		js	short loc_453493
		jnz	short loc_4534C4

loc_453493:				; CODE XREF: .text:0045348Bj
					; .text:0045348Fj
		mov	ecx, [esp+38h]
		or	edx, 80000000h
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		mov	ebx, eax
		mov	eax, [ecx+24Ch]
		mov	ecx, [eax+8Ch]
		cmp	ecx, [ebx+2Ch]
		ja	short loc_4534C4
		jb	short loc_4534C2
		mov	eax, [eax+88h]
		cmp	eax, [ebx+28h]
		ja	short loc_4534C4

loc_4534C2:				; CODE XREF: .text:004534B5j
		xor	ebx, ebx

loc_4534C4:				; CODE XREF: .text:00453491j
					; .text:004534B3j ...
		lea	ecx, [esp+0D0h]
		call	MiFlushTbList
		mov	edx, [esp+10h]
		mov	ecx, [esp+18h]
		push	0
		push	0FFFFFFFFh
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		mov	[esp+4Ch], eax
		test	eax, eax
		jns	short loc_45352A
		mov	ebx, [esp+2Ch]
		mov	ecx, ebx
		mov	edx, [esp+50h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [esp+1Fh]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		mov	edx, [esp+4Ch]
		mov	ecx, ebx
		call	MiCopyOnWriteCheckConditions
		mov	ecx, ebx
		mov	dword ptr [esp+50h], 0
		mov	dword ptr [esp+54h], 1
		call	MiLockWorkingSetShared
		jmp	loc_452F03
; 

loc_45352A:				; CODE XREF: .text:004534E7j
		test	ebx, ebx
		jz	loc_452F03
		mov	eax, [esp+24h]
		dec	eax
		mov	[esp+24h], eax
		mov	[esp+48h], eax
		jmp	loc_452F03
; 

loc_453544:				; CODE XREF: .text:00453446j
		mov	eax, [esp+34h]
		mov	[esp+34h], eax
		jmp	short loc_453556
; 

loc_45354E:				; CODE XREF: .text:00453478j
		mov	edx, [esp+18h]
		mov	ecx, [esp+20h]

loc_453556:				; CODE XREF: .text:0045354Cj
		mov	eax, [ebp+10h]
		and	eax, 101h
		mov	[esp+4Ch], eax
		jnz	loc_4538BB
		cmp	dword ptr [ebp+14h], 1
		jnz	short loc_45357B
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_4538BB

loc_45357B:				; CODE XREF: .text:0045356Cj
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_45374D
		cmp	dword ptr [esp+70h], 5
		jz	short loc_45359E
		and	ebx, 200h
		or	ebx, 0
		jz	short loc_45359E
		inc	dword ptr [esp+58h]

loc_45359E:				; CODE XREF: .text:0045358Dj
					; .text:00453598j
		mov	eax, [esp+2Ch]
		movzx	eax, byte ptr [eax+60h]
		and	eax, 7
		mov	ebx, dword_6D2E68[eax*4]
		add	ebx, [esp+34h]
		mov	al, [ebx]
		mov	cl, al
		and	cl, 0Fh
		cmp	cl, 0Ah
		jz	loc_454103
		mov	ecx, edx
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		nop
		movzx	ebx, al
		shr	ebx, 4
		and	ebx, 7
		jz	short loc_45361B
		mov	eax, [ecx-40000000h]
		mov	[esp+4Ch], eax
		mov	eax, [ecx-3FFFFFFCh]
		mov	ecx, [esp+4Ch]
		mov	[esp+7Ch], eax
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45360C
		mov	eax, ecx
		and	eax, 8
		or	eax, 0
		jz	short loc_45360C
		or	ebx, 18h
		jmp	short loc_453617
; 

loc_45360C:				; CODE XREF: .text:004535FBj
					; .text:00453605j
		and	ecx, 10h
		or	ecx, 0
		jz	short loc_453617
		or	ebx, 8

loc_453617:				; CODE XREF: .text:0045360Aj
					; .text:00453612j
		test	ebx, ebx
		jnz	short loc_453686

loc_45361B:				; CODE XREF: .text:004535D9j
		mov	ecx, [esp+20h]
		mov	ebx, [ecx+8]
		nop
		mov	eax, [ecx+0Ch]
		shrd	ebx, eax, 5
		and	ebx, 1Fh
		test	dword ptr [ecx+18h], 800000h
		jnz	short loc_453648
		mov	eax, [ecx+4]
		test	eax, eax
		js	short loc_453648
		jz	short loc_453648
		mov	ebx, ds:_MmMakeProtectNotWriteCopy[ebx*4]
		jmp	short loc_453686
; 

loc_453648:				; CODE XREF: .text:00453634j
					; .text:0045363Bj ...
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		cmp	dword ptr [ecx+148h], 0
		jz	short loc_45367E
		mov	eax, [esp+20h]
		mov	edx, [eax+4]
		or	edx, 80000000h
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		mov	edx, [esp+18h]
		test	eax, eax
		jz	short loc_45367E
		mov	ebx, ds:_MmMakeProtectNotWriteCopy[ebx*4]

loc_45367E:				; CODE XREF: .text:0045365Bj
					; .text:00453675j
		mov	eax, [esp+48h]
		mov	[esp+24h], eax

loc_453686:				; CODE XREF: .text:00453619j
					; .text:00453646j
		mov	eax, [esp+40h]
		mov	ecx, eax
		mov	[esp+5Ch], ebx
		cmp	eax, 18h
		jnz	short loc_453697
		jmp	short loc_45370F
; 

loc_453697:				; CODE XREF: .text:00453693j
		cmp	ebx, 18h
		jnz	short loc_4536CB
		mov	eax, [esp+28h]
		mov	ebx, [eax+1Ch]
		test	ebx, 100000h
		jz	short loc_4536B0
		shr	ebx, 7
		jmp	short loc_4536B9
; 

loc_4536B0:				; CODE XREF: .text:004536A9j
		mov	eax, [eax+2Ch]
		movzx	ebx, word ptr [eax+10h]
		shr	ebx, 1

loc_4536B9:				; CODE XREF: .text:004536AEj
		and	ebx, 1Fh
		mov	eax, ebx
		sub	ebx, 18h
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax
		mov	eax, [esp+40h]

loc_4536CB:				; CODE XREF: .text:0045369Aj
		and	ebx, 18h
		jz	short loc_4536F2
		cmp	ebx, 10h
		jnz	short loc_4536D9
		mov	ecx, eax
		jmp	short loc_45370C
; 

loc_4536D9:				; CODE XREF: .text:004536D3j
		cmp	ebx, 8
		jnz	short loc_4536E7
		mov	ecx, eax
		and	ecx, 0FFFFFFEFh
		or	ecx, ebx
		jmp	short loc_45370F
; 

loc_4536E7:				; CODE XREF: .text:004536DCj
		cmp	ebx, 18h
		jnz	short loc_45370F
		mov	ecx, eax
		or	ecx, ebx
		jmp	short loc_45370F
; 

loc_4536F2:				; CODE XREF: .text:004536CEj
		and	eax, 18h
		cmp	eax, 18h
		jnz	short loc_453703
		mov	ecx, [esp+40h]
		and	ecx, 0FFFFFFE7h
		jmp	short loc_45370F
; 

loc_453703:				; CODE XREF: .text:004536F8j
		cmp	eax, 8
		jnz	short loc_45370F
		mov	ecx, [esp+40h]

loc_45370C:				; CODE XREF: .text:004536D7j
		and	ecx, 0FFFFFFF7h

loc_45370F:				; CODE XREF: .text:00453695j
					; .text:004536E5j ...
		mov	eax, [esp+2Ch]
		movzx	eax, byte ptr [eax+60h]
		and	eax, 7
		mov	eax, dword_6D2E68[eax*4]
		add	eax, [esp+34h]
		mov	[esp+30h], eax
		mov	bl, [eax]
		mov	al, bl
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_4540ED
		mov	al, cl
		shl	al, 4
		xor	al, bl
		and	al, 70h
		xor	al, bl
		mov	ebx, [esp+30h]
		mov	[ebx], al
		jmp	loc_45388E
; 

loc_45374D:				; CODE XREF: .text:00453582j
		mov	dword ptr [esp+0B8h], 0
		lea	ebx, [ecx+10h]
		lock bts dword ptr [ebx], 1Fh
		jnb	short loc_453782

loc_453762:				; CODE XREF: .text:00453771j
					; .text:00453778j
		lea	ecx, [esp+0B8h]
		call	KeYieldProcessorEx
		cmp	dword ptr [ebx], 0
		jl	short loc_453762
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_453762
		mov	eax, [esp+48h]
		mov	[esp+24h], eax

loc_453782:				; CODE XREF: .text:00453760j
		mov	edx, [esp+20h]
		mov	ecx, [esp+44h]
		mov	[esp+18h], ecx
		mov	eax, [edx+8]
		mov	edx, [edx+0Ch]
		mov	[esp+3Ch], edx
		mov	edx, eax
		mov	[esp+30h], eax
		mov	eax, [esp+3Ch]
		shrd	edx, eax, 5
		mov	eax, ecx
		and	edx, 1Fh
		cmp	eax, 18h
		jnz	short loc_4537B5
		jmp	loc_45382D
; 

loc_4537B5:				; CODE XREF: .text:004537AEj
		cmp	edx, 18h
		jnz	short loc_4537E9
		mov	eax, [esp+28h]
		mov	edx, [eax+1Ch]
		test	edx, 100000h
		jz	short loc_4537CE
		shr	edx, 7
		jmp	short loc_4537D7
; 

loc_4537CE:				; CODE XREF: .text:004537C7j
		mov	eax, [eax+2Ch]
		movzx	edx, word ptr [eax+10h]
		shr	edx, 1

loc_4537D7:				; CODE XREF: .text:004537CCj
		and	edx, 1Fh
		mov	eax, edx
		sub	edx, 18h
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	eax, [esp+44h]

loc_4537E9:				; CODE XREF: .text:004537B8j
		and	edx, 18h
		jz	short loc_453810
		cmp	edx, 10h
		jnz	short loc_4537F7
		mov	ecx, eax
		jmp	short loc_45382A
; 

loc_4537F7:				; CODE XREF: .text:004537F1j
		cmp	edx, 8
		jnz	short loc_453805
		mov	ecx, eax
		and	ecx, 0FFFFFFEFh
		or	ecx, edx
		jmp	short loc_45382D
; 

loc_453805:				; CODE XREF: .text:004537FAj
		cmp	edx, 18h
		jnz	short loc_453831
		mov	ecx, eax
		or	ecx, edx
		jmp	short loc_45382D
; 

loc_453810:				; CODE XREF: .text:004537ECj
		and	eax, 18h
		cmp	eax, 18h
		jnz	short loc_453821
		mov	ecx, [esp+44h]
		and	ecx, 0FFFFFFE7h
		jmp	short loc_45382D
; 

loc_453821:				; CODE XREF: .text:00453816j
		cmp	eax, 8
		jnz	short loc_453831
		mov	ecx, [esp+44h]

loc_45382A:				; CODE XREF: .text:004537F5j
		and	ecx, 0FFFFFFF7h

loc_45382D:				; CODE XREF: .text:004537B0j
					; .text:00453803j ...
		mov	[esp+18h], ecx

loc_453831:				; CODE XREF: .text:00453808j
					; .text:00453824j
		mov	edx, ecx
		xor	eax, eax
		and	edx, 1Fh
		shld	eax, edx, 5
		mov	[esp+34h], eax
		mov	eax, [esp+30h]
		shl	edx, 5
		or	eax, [esp+3Ch]
		jnz	short loc_453867
		push	dword ptr [esp+34h]
		push	edx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [esp+20h]
		mov	[ecx+8], eax
		mov	[ecx+0Ch], edx
		mov	ecx, [esp+18h]
		jmp	short loc_453886
; 

loc_453867:				; CODE XREF: .text:0045384Bj
		mov	eax, [esp+30h]
		mov	edi, [esp+20h]
		and	eax, 0FFFFFC1Fh
		or	eax, edx
		mov	edx, [esp+3Ch]
		or	edx, [esp+34h]
		mov	[edi+8], eax
		mov	eax, edi
		mov	[eax+0Ch], edx

loc_453886:				; CODE XREF: .text:00453865j
		mov	eax, 7FFFFFFFh
		lock and [ebx],	eax

loc_45388E:				; CODE XREF: .text:00453748j
		mov	edx, [esp+10h]
		lea	eax, [esp+0D0h]
		push	eax
		push	dword ptr [esp+8Ch]
		push	ecx
		mov	ecx, [esp+34h]
		call	MiRevertValidPte
		mov	eax, [esp+10h]
		add	eax, 8
		mov	[esp+10h], eax
		jmp	loc_452F07
; 

loc_4538BB:				; CODE XREF: .text:00453562j
					; .text:00453575j
		mov	eax, [esp+68h]
		mov	ecx, eax
		mov	edx, [esp+10h]
		mov	[esp+30h], eax
		xor	eax, edx
		test	eax, 0FFFFF000h
		jz	short loc_4538E4
		mov	ecx, edx
		and	ecx, 0FFFFF000h
		add	ecx, 0FF8h
		mov	[esp+30h], ecx

loc_4538E4:				; CODE XREF: .text:004538D0j
		xor	al, al
		mov	ebx, edx
		mov	[esp+17h], al
		cmp	edx, ecx
		ja	loc_4539FB
		mov	edi, [esp+18h]
		mov	esi, [esp+30h]
		lea	esp, [esp+0]

loc_453900:				; CODE XREF: .text:004539F2j
		mov	edx, [ebx]
		mov	dword ptr [esp+78h], 0
		mov	dword ptr [esp+7Ch], 0
		nop
		mov	ecx, [ebx+4]
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	loc_4539F8
		nop
		cmp	dword ptr [esp+4Ch], 0
		jnz	short loc_45395E
		cmp	dword ptr [ebp+14h], 1
		jnz	loc_4539F8
		mov	eax, ds:_MmPfnDatabase
		shrd	edx, ecx, 0Ch
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	ecx, [eax+ecx*4]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_4539F8

loc_45395E:				; CODE XREF: .text:0045392Aj
		mov	ecx, [esp+2Ch]
		mov	edx, edi
		call	MiLocateWsle
		mov	al, [eax]
		and	al, 0Fh
		cmp	al, 8
		jnz	short loc_453986
		mov	eax, [esp+0BCh]
		mov	cl, 1
		mov	[esp+17h], cl
		mov	dword ptr [eax], 1
		jmp	short loc_4539B1
; 

loc_453986:				; CODE XREF: .text:0045396Fj
		push	0
		push	1
		mov	edx, edi
		lea	ecx, [esp+170h]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	cl, [esp+17h]
		cmp	cl, 1
		jz	short loc_4539B1
		mov	eax, [esp+174h]
		cmp	eax, [esp+170h]
		jnz	short loc_4539E7

loc_4539B1:				; CODE XREF: .text:00453984j
					; .text:0045399Fj
		cmp	dword ptr [esp+174h], 0
		jz	short loc_4539D1
		mov	ecx, [esp+2Ch]
		lea	edx, [esp+168h]
		push	0
		call	MiFreeWsleList
		mov	cl, [esp+17h]

loc_4539D1:				; CODE XREF: .text:004539B9j
		cmp	cl, 1
		jnz	short loc_4539E7
		mov	ecx, [esp+2Ch]
		mov	edx, edi
		call	_MiUnlockVa@8	; MiUnlockVa(x,x)
		xor	al, al
		mov	[esp+17h], al

loc_4539E7:				; CODE XREF: .text:004539AFj
					; .text:004539D4j
		add	ebx, 8
		add	edi, 1000h
		cmp	ebx, esi
		jbe	loc_453900

loc_4539F8:				; CODE XREF: .text:0045391Ej
					; .text:00453930j ...
		or	esi, 0FFFFFFFFh

loc_4539FB:				; CODE XREF: .text:004538EEj
		cmp	dword ptr [esp+174h], 0
		jz	loc_452F03
		mov	ecx, [esp+2Ch]
		lea	edx, [esp+168h]
		push	0
		call	MiFreeWsleList
		jmp	loc_452F03
; 

loc_453A20:				; CODE XREF: .text:00453408j
		mov	eax, ebx
		and	eax, 400h
		or	eax, 0
		jz	loc_453B7C
		push	ecx
		push	ebx
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jnz	loc_453ADC
		mov	eax, [esp+20h]
		mov	edx, eax
		mov	ecx, dword_6D0700
		mov	[esp+3Ch], eax
		mov	eax, dword_6D0704
		mov	[esp+30h], eax
		mov	eax, ecx
		or	eax, [esp+30h]
		jz	short loc_453A88
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_453A80
		mov	eax, [esp+30h]
		not	ecx
		not	eax
		and	ecx, ebx
		and	eax, edx
		mov	[esp+78h], ecx
		mov	[esp+3Ch], eax
		jmp	short loc_453A88
; 

loc_453A80:				; CODE XREF: .text:00453A68j
		mov	[esp+78h], ebx
		mov	[esp+3Ch], edx

loc_453A88:				; CODE XREF: .text:00453A5Ej
					; .text:00453A7Ej
		mov	edx, [esp+18h]
		lea	eax, [esp+8Ch]
		mov	ecx, [esp+28h]
		push	eax
		push	0
		shr	edx, 0Ch
		call	MiGetProtoPteAddress
		cmp	[esp+3Ch], eax
		jz	short loc_453ADC
		lea	ecx, [esp+0D0h]
		call	MiFlushTbList
		push	dword ptr [esp+6Ch]
		mov	ecx, [esp+14h]
		mov	edx, 1
		call	MiMakeProtoLeafValid
		test	eax, eax
		jns	short loc_453ACF
		add	dword ptr [esp+10h], 8

loc_453ACF:				; CODE XREF: .text:00453AC8j
		mov	dword ptr [esp+54h], 1
		jmp	loc_452F03
; 

loc_453ADC:				; CODE XREF: .text:00453A39j
					; .text:00453AA6j
		cmp	dword ptr [esp+70h], 5
		jz	short loc_453B03
		push	dword ptr [esp+20h]
		push	ebx
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jz	short loc_453B03
		mov	eax, ebx
		and	eax, 0A0h
		cmp	eax, 0A0h
		jnz	short loc_453B03
		inc	dword ptr [esp+58h]

loc_453B03:				; CODE XREF: .text:00453AE1j
					; .text:00453AEFj ...
		push	dword ptr [esp+20h]
		push	ebx
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jz	short loc_453B1B
		mov	eax, [esp+20h]
		shrd	ebx, eax, 5
		jmp	short loc_453B28
; 

loc_453B1B:				; CODE XREF: .text:00453B0Fj
		mov	eax, [esp+28h]
		mov	eax, [eax+2Ch]
		movzx	ebx, word ptr [eax+10h]
		shr	ebx, 1

loc_453B28:				; CODE XREF: .text:00453B19j
		push	dword ptr [esp+40h]
		mov	ecx, [esp+2Ch]
		and	ebx, 1Fh
		mov	edx, ebx
		mov	[esp+60h], ebx
		call	MiSanitizePfnProtection
		and	eax, 1Fh
		mov	ecx, esi
		or	eax, 0F8000020h
		shld	ecx, eax, 5
		shl	eax, 5
		push	ecx
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [esp+10h]
		mov	[esp+98h], eax
		mov	[esp+9Ch], edx
		mov	[ecx], eax
		nop
		mov	eax, ecx
		mov	[eax+4], edx
		add	eax, 8
		mov	[esp+10h], eax
		jmp	loc_452F07
; 

loc_453B7C:				; CODE XREF: .text:00453A2Aj
		mov	eax, ebx
		and	eax, 800h
		or	eax, 0
		jz	short loc_453BD8
		cmp	dword ptr [ebp+14h], 1
		jnz	short loc_453BAD
		mov	ecx, [esp+10h]
		call	_MiTryDeleteTransitionPte@8 ; MiTryDeleteTransitionPte(x,x)
		cmp	eax, 3
		jnz	short loc_453BA2
		inc	dword ptr [esp+64h]
		jmp	short loc_453C08
; 

loc_453BA2:				; CODE XREF: .text:00453B9Aj
		cmp	eax, 1
		jz	loc_452F03
		jmp	short loc_453C08
; 

loc_453BAD:				; CODE XREF: .text:00453B8Cj
		mov	edx, [esp+10h]
		mov	ecx, [esp+28h]
		push	1
		push	dword ptr [esp+48h]
		call	_MiSetProtectionOnTransitionPte@16 ; MiSetProtectionOnTransitionPte(x,x,x,x)
		test	eax, eax
		mov	eax, [esp+10h]
		jnz	loc_452F07
		add	eax, 8
		mov	[esp+10h], eax
		jmp	loc_452F07
; 

loc_453BD8:				; CODE XREF: .text:00453B86j
		cmp	dword ptr [ebp+14h], 1
		mov	eax, ebx
		mov	byte ptr [esp+17h], 0
		jnz	short loc_453C4E
		or	eax, ecx
		jz	short loc_453C56
		push	ecx
		push	ebx
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		push	dword ptr [esp+20h]
		push	ebx
		call	_IS_PTE_NOT_DEMAND_ZERO@8 ; IS_PTE_NOT_DEMAND_ZERO(x,x)
		test	eax, eax
		jz	short loc_453C17

loc_453C08:				; CODE XREF: .text:00453BA0j
					; .text:00453BABj
		mov	eax, [esp+38h]
		mov	ecx, esi
		add	eax, 14Ch
		lock xadd [eax], ecx

loc_453C17:				; CODE XREF: .text:00453C06j
		mov	eax, large fs:124h
		mov	edx, 1
		mov	ecx, [esp+18h]
		shr	ecx, 15h
		add	ecx, 0C8h
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		lea	ecx, [eax+ecx*2]
		call	MiDecreaseUsedPtesCount
		mov	edx, [esp+18h]
		mov	byte ptr [esp+17h], 1
		jmp	short loc_453C56
; 

loc_453C4E:				; CODE XREF: .text:00453BE3j
		or	eax, ecx
		jnz	loc_453DE9

loc_453C56:				; CODE XREF: .text:00453BE7j
					; .text:00453C4Cj
		mov	eax, large fs:124h
		shr	edx, 15h
		mov	eax, [eax+80h]
		mov	ebx, [eax+24Ch]
		mov	eax, large fs:124h
		add	ebx, 18h
		mov	eax, [eax+80h]
		mov	ecx, [eax+24Ch]
		lea	eax, [ebx+178h]
		add	ecx, 190h
		inc	word ptr [ecx+edx*2]
		lea	ecx, [ecx+edx*2]
		cmp	ecx, eax
		jb	short loc_453D04
		lea	eax, [ebx+0D78h]
		cmp	ecx, eax
		jnb	short loc_453D04
		sub	ecx, ebx
		mov	edx, 2
		sub	ecx, 178h
		sar	ecx, 1
		sub	ecx, 40000h
		shl	ecx, 0Ch
		shr	ecx, 9
		sub	ecx, 40000000h
		mov	[esp+0C8h], ecx
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	[esp+0CCh], ecx
		nop

loc_453CE0:				; CODE XREF: .text:00453D02j
		mov	eax, [esp+edx*4+0C4h]
		dec	edx
		mov	ecx, [eax]
		nop
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_453D04
		and	ecx, 80h
		or	ecx, 0
		jnz	short loc_453D04
		test	edx, edx
		jnz	short loc_453CE0

loc_453D04:				; CODE XREF: .text:00453C95j
					; .text:00453C9Fj ...
		cmp	dword ptr [esp+70h], 5
		jz	loc_453D83
		cmp	byte ptr [esp+17h], 1
		jz	short loc_453D7F
		mov	ebx, [esp+28h]
		mov	dword ptr [esp+90h], 0
		mov	ecx, [ebx+1Ch]
		mov	eax, ecx
		and	al, 70h
		cmp	al, 20h
		jnz	short loc_453D70
		and	ecx, 0F80h
		cmp	ecx, 80h
		jz	short loc_453D70
		mov	edx, [esp+10h]
		lea	eax, [esp+90h]
		push	eax
		shr	edx, 3
		mov	ecx, ebx
		push	4
		and	edx, 0FFFFFh
		call	MiGetProtoPteAddress
		mov	eax, [esp+90h]
		test	eax, eax
		jz	short loc_453D70
		mov	al, [eax+10h]
		and	al, 0Ah
		cmp	al, 0Ah
		jmp	short loc_453D7D
; 

loc_453D70:				; CODE XREF: .text:00453D2Ej
					; .text:00453D3Cj ...
		mov	eax, [ebx+1Ch]
		and	eax, 280h
		cmp	eax, 280h

loc_453D7D:				; CODE XREF: .text:00453D6Ej
		jnz	short loc_453D83

loc_453D7F:				; CODE XREF: .text:00453D14j
		inc	dword ptr [esp+58h]

loc_453D83:				; CODE XREF: .text:00453D09j
					; .text:loc_453D7Dj
		mov	eax, [esp+28h]
		xor	ecx, ecx
		push	dword ptr [esp+40h]
		mov	eax, [eax+2Ch]
		movzx	edx, word ptr [eax+10h]
		shr	edx, 1
		and	edx, 1Fh
		mov	[esp+60h], edx
		call	MiSanitizePfnProtection
		and	eax, 1Fh
		mov	ecx, esi
		or	eax, 0F8000020h
		shld	ecx, eax, 5
		shl	eax, 5
		push	ecx
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [esp+10h]
		mov	[esp+98h], eax
		mov	[esp+9Ch], edx
		mov	[ecx], eax
		mov	eax, ecx
		mov	[eax+4], edx
		mov	eax, [esp+48h]
		mov	[esp+24h], eax
		mov	eax, ecx
		add	eax, 8
		mov	[esp+10h], eax
		jmp	loc_452F07
; 

loc_453DE9:				; CODE XREF: .text:00453C50j
		push	dword ptr [esp+44h]
		mov	eax, ecx
		mov	edx, ebx
		mov	ecx, [esp+2Ch]
		shrd	edx, eax, 5
		and	edx, 1Fh
		mov	[esp+60h], edx
		call	MiSanitizePfnProtection
		mov	edx, eax
		mov	[esp+44h], eax
		mov	eax, [esp+10h]
		and	edx, 1Fh
		xor	ecx, ecx
		and	ebx, 0FFFFFC1Fh
		shld	ecx, edx, 5
		or	ecx, [esp+20h]
		shl	edx, 5
		or	edx, ebx
		mov	[esp+9Ch], ecx
		mov	[esp+98h], edx
		mov	[eax], edx
		mov	[eax+4], ecx
		add	eax, 8
		mov	[esp+10h], eax
		jmp	loc_452F07
; 

loc_453E46:				; CODE XREF: .text:00452F10j
		mov	esi, [esp+0DCh]
		test	esi, esi
		jz	loc_453EED
		mov	ecx, [esp+0D0h]
		mov	edi, dword_6D0748
		mov	al, [esp+0D4h]
		cmp	ecx, 1
		jnz	short loc_453E72
		xor	edx, edx
		jmp	short loc_453E7D
; 

loc_453E72:				; CODE XREF: .text:00453E6Cj
		test	al, 8
		mov	edx, 0
		setnz	dl
		inc	edx

loc_453E7D:				; CODE XREF: .text:00453E70j
		cmp	byte ptr [esp+0D5h], 0
		jnz	short loc_453EB7
		cmp	[esp+0E0h], edi
		ja	short loc_453EB7
		test	al, 1
		jz	short loc_453EA5
		push	ecx
		lea	edx, [esp+0E8h]
		mov	ecx, esi
		call	KeFlushMultipleRangeCurrentTb
		jmp	short loc_453ECF
; 

loc_453EA5:				; CODE XREF: .text:00453E92j
		push	edx
		push	ecx
		lea	edx, [esp+0ECh]
		mov	ecx, esi
		call	KeFlushMultipleRangeTb
		jmp	short loc_453ECF
; 

loc_453EB7:				; CODE XREF: .text:00453E85j
					; .text:00453E8Ej
		test	al, 1
		jz	short loc_453EC2
		call	KeFlushCurrentTbOnly
		jmp	short loc_453EC7
; 

loc_453EC2:				; CODE XREF: .text:00453EB9j
		call	KeFlushTb

loc_453EC7:				; CODE XREF: .text:00453EC0j
		mov	byte ptr [esp+0D5h], 0

loc_453ECF:				; CODE XREF: .text:00453EA3j
					; .text:00453EB5j
		and	byte ptr [esp+0D4h], 0F7h
		mov	dword ptr [esp+0DCh], 0
		mov	dword ptr [esp+0E0h], 0

loc_453EED:				; CODE XREF: .text:00453E4Fj
		mov	edi, [esp+50h]
		test	edi, edi
		jz	loc_453FBC
		mov	edx, [esp+2Ch]
		lea	eax, [edi+3FA00000h]
		sar	eax, 3
		lea	ecx, [eax+eax]
		mov	al, [edx+60h]
		mov	esi, ecx
		and	al, 7
		and	esi, 1Fh
		cmp	al, 2
		jb	short loc_453F71
		cmp	edi, 0C0603018h
		jz	short loc_453F33
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_453F65
		cmp	edi, 0C0603010h
		jnz	short loc_453F65

loc_453F33:				; CODE XREF: .text:00453F1Dj
		cmp	al, 7
		jnz	short loc_453F4C
		mov	esi, 0C0603018h
		mov	edi, offset unk_6D2E58
		sub	esi, [esp+50h]
		sar	esi, 3
		add	esi, esi
		jmp	short loc_453F8C
; 

loc_453F4C:				; CODE XREF: .text:00453F35j
		cmp	al, 5
		jnz	short loc_453F65
		mov	esi, 0C0603018h
		mov	edi, offset unk_6D2E54
		sub	esi, [esp+50h]
		sar	esi, 3
		add	esi, esi
		jmp	short loc_453F8C
; 

loc_453F65:				; CODE XREF: .text:00453F29j
					; .text:00453F31j ...
		shr	ecx, 5
		lea	edi, unk_6D2C54[ecx*4]
		jmp	short loc_453F8C
; 

loc_453F71:				; CODE XREF: .text:00453F15j
		shr	ecx, 5
		test	al, al
		jnz	short loc_453F83
		mov	edi, [edx+0Ch]
		add	edi, 0D90h
		jmp	short loc_453F89
; 

loc_453F83:				; CODE XREF: .text:00453F76j
		lea	edi, [edx+120h]

loc_453F89:				; CODE XREF: .text:00453F81j
		lea	edi, [edi+ecx*4]

loc_453F8C:				; CODE XREF: .text:00453F4Aj
					; .text:00453F63j ...
		mov	edx, [edi]
		mov	ecx, esi
		shl	ebx, cl
		mov	eax, edx
		mov	ecx, edx
		not	ebx
		btr	ecx, esi
		and	ecx, ebx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_453FB6

loc_453FA5:				; CODE XREF: .text:00453FB4j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, esi
		and	ecx, ebx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_453FA5

loc_453FB6:				; CODE XREF: .text:00453FA3j
		mov	ebx, [esp+48h]
		jmp	short loc_453FC0
; 

loc_453FBC:				; CODE XREF: .text:00453EF3j
		mov	ebx, [esp+24h]

loc_453FC0:				; CODE XREF: .text:00453FBAj
		mov	dl, [esp+1Fh]
		mov	ecx, [esp+2Ch]
		call	MiUnlockWorkingSetShared
		cmp	dword ptr [esp+94h], 1
		mov	edi, [esp+38h]
		jnz	short loc_454029
		lea	esi, [edi+138h]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_453FF5
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_453FF5:				; CODE XREF: .text:00453FECj
		mov	ecx, esi
		call	KeAbPostRelease
		nop
		mov	ecx, [esp+84h]
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		test	ax, ax
		jnz	short loc_454029
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_454029
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_454029:				; CODE XREF: .text:00453FD9j
					; .text:0045401Aj ...
		mov	ecx, [esp+64h]
		mov	eax, [esp+60h]
		test	ecx, ecx
		jz	short loc_454046
		cmp	dword ptr [esp+70h], 5
		jnz	short loc_454046
		sub	eax, ecx
		mov	dword ptr [esp+64h], 0

loc_454046:				; CODE XREF: .text:00454033j
					; .text:0045403Aj
		test	eax, eax
		jz	short loc_454056
		mov	edx, eax
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit

loc_454056:				; CODE XREF: .text:00454048j
		mov	esi, [esp+58h]
		test	esi, esi
		jz	short loc_45408F
		mov	edx, [esp+28h]
		mov	eax, [edx+20h]
		mov	ecx, eax
		sub	ecx, esi
		xor	ecx, eax
		and	ecx, 7FFFFFFFh
		xor	ecx, eax
		mov	[edx+20h], ecx
		mov	edx, esi
		sub	edx, [esp+64h]
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		mov	edx, esi
		mov	ecx, edi
		call	_MiReturnFullProcessCharges@8 ;	MiReturnFullProcessCharges(x,x)

loc_45408F:				; CODE XREF: .text:0045405Cj
		test	ebx, ebx
		jz	short loc_45409C
		mov	edx, ebx
		mov	ecx, edi
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)

loc_45409C:				; CODE XREF: .text:00454091j
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+1F8h]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4540B5:				; CODE XREF: .text:00452A2Cj
					; .text:00452A3Cj ...
		mov	eax, 0C0000045h

loc_4540BA:				; CODE XREF: .text:00452C2Bj
		mov	ecx, [esp+204h]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4540D1:				; CODE XREF: .text:004533BCj
		mov	ecx, 1
		call	_MiFlushAllFilesystemPages@4 ; MiFlushAllFilesystemPages(x)
		push	dword ptr [esp+10h]
		push	dword ptr [esp+7Ch]
		push	ebx
		push	1
		push	7Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4540ED:				; CODE XREF: .text:00453731j
		mov	ebx, [esp+30h]
		push	ebx
		push	dword ptr [esp+30h]
		push	edx
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_454103:				; CODE XREF: .text:004535BEj
		push	ebx
		push	dword ptr [esp+30h]
		push	edx
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRevertValidPte proc near		; CODE XREF: .text:0045140Dp
					; .text:004538A6p ...

var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005AFF9F SIZE 00000373 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ecx
		mov	[esp+4Ch+var_14], 0
		push	ebx
		mov	ebx, edx
		mov	[esp+50h+var_1C], eax
		push	esi
		mov	edx, [eax+1Ch]
		mov	eax, edx
		and	eax, offset loc_500000
		mov	[esp+54h+var_34], ebx
		push	edi
		cmp	eax, offset loc_500000
		jz	loc_5AFF9F
		mov	esi, 1
		mov	edi, 2
		mov	[esp+58h+var_24], edi
		mov	[esp+58h+var_3C], esi
		mov	[esp+58h+var_20], esi

loc_45416D:				; CODE XREF: MiRevertValidPte+15BECDj
		mov	[esp+58h+var_28], esi

loc_454171:				; CODE XREF: MiRevertValidPte+15BEC4j
		mov	edx, [ebx]
		mov	eax, ebx
		shl	eax, 9
		mov	[esp+58h+var_30], eax
		mov	[esp+58h+var_C], edx
		nop
		mov	eax, [ebx+4]
		mov	ecx, edx
		and	ecx, 10h
		mov	[esp+58h+var_4], eax
		mov	eax, ecx
		or	eax, 0
		jnz	short loc_4541A2
		mov	eax, edx
		and	eax, 8
		or	eax, 0
		jnz	loc_5AFFF2

loc_4541A2:				; CODE XREF: MiRevertValidPte+72j
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		and	eax, 18h
		or	ecx, 0
		jnz	loc_5B000A
		test	eax, eax
		jnz	loc_5B001E

loc_4541BB:				; CODE XREF: MiRevertValidPte+15BEDCj
					; MiRevertValidPte+15BEE5j ...
		mov	edx, [ebp+arg_4]
		cmp	edx, dword_6D07B0
		ja	loc_5B00BC
		mov	eax, dword_6D35B8
		mov	ecx, [ebp+arg_4]
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		mov	edx, [ebp+arg_4]
		shr	eax, cl
		and	eax, 1
		jz	loc_5B00BC
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		test	ds:_MiFlags, 40000h
		lea	ecx, [eax+ecx*4]
		mov	[esp+58h+var_38], ecx
		jnz	loc_5B0026

loc_45420E:				; CODE XREF: MiRevertValidPte+15BF09j
					; MiRevertValidPte+15BF97j ...
		test	edi, edi
		jz	loc_5B00C9

loc_454216:				; CODE XREF: MiRevertValidPte+15BFAFj
		mov	eax, ebx
		mov	ecx, edx
		and	eax, 1Fh
		and	ecx, 1FFFFFFh
		mov	[esp+58h+var_18], eax
		mov	edi, ds:_MmProtectToPteMask[eax*8]
		mov	esi, ds:dword_40B4DC[eax*8]
		and	edi, 0E7Fh
		xor	eax, eax
		and	esi, 0FFFFFFE0h
		shld	eax, ecx, 0Ch
		shl	ecx, 0Ch
		or	esi, eax
		or	edi, ecx
		mov	[esp+58h+var_48], esi
		mov	ecx, [esp+58h+var_34]
		or	edi, 21h
		lea	eax, [ecx+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_4542B7
		cmp	ecx, 0C0600000h
		jnb	loc_5B00D4

loc_45426F:				; CODE XREF: MiRevertValidPte+15BFBAj
					; MiRevertValidPte+15BFECj ...
		mov	eax, ds:_MmHighestUserAddress
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	ecx, eax
		ja	short loc_45428C
		or	edi, 4
		mov	[esp+58h+var_48], esi

loc_45428C:				; CODE XREF: MiRevertValidPte+163j
		mov	eax, [esp+58h+var_30]
		mov	[esp+58h+var_28], eax
		test	ebx, 4000000h
		jnz	loc_5B011E

loc_4542A0:				; CODE XREF: MiRevertValidPte+15C003j
					; MiRevertValidPte+15C01Ej
		cmp	eax, dword_6D07D0
		jnb	loc_5B0143
		movzx	eax, byte ptr word_6D07B8+1

loc_4542B3:				; CODE XREF: MiRevertValidPte+15C069j
					; MiRevertValidPte+15C076j
		test	eax, eax
		jz	short loc_4542C1

loc_4542B7:				; CODE XREF: MiRevertValidPte+141j
		mov	[esp+58h+var_48], esi
		or	edi, 100h

loc_4542C1:				; CODE XREF: MiRevertValidPte+195j
					; MiRevertValidPte+15C02Ej ...
		test	ebx, ebx
		js	loc_5B019B

loc_4542C9:				; CODE XREF: MiRevertValidPte+15C083j
					; MiRevertValidPte+15C090j
		test	ebx, 40000000h
		jnz	loc_5B01B5

loc_4542D5:				; CODE XREF: MiRevertValidPte+15C09Cj
		test	ebx, 20000000h
		jnz	loc_5B01C1

loc_4542E1:				; CODE XREF: MiRevertValidPte+15C0C4j
		test	ebx, 8000000h
		jnz	loc_5B01E9

loc_4542ED:				; CODE XREF: MiRevertValidPte+15C0D3j
		test	ebx, 4000000h
		jnz	loc_5B01F8

loc_4542F9:				; CODE XREF: MiRevertValidPte+15C0E2j
		cmp	[esp+58h+var_38], 0
		jz	loc_5B0207

loc_454304:				; CODE XREF: MiRevertValidPte+15C0EAj
					; MiRevertValidPte+15C0F7j
		mov	eax, [esp+58h+var_1C]
		xor	ebx, ebx
		mov	[esp+58h+var_28], 0
		mov	[esp+58h+var_2C], ecx
		mov	eax, [eax+1Ch]
		and	eax, 300000h
		cmp	eax, 300000h
		setz	bl
		mov	[esp+58h+var_18], ebx
		mov	ebx, [esp+58h+var_48]
		mov	edi, edi

loc_454330:				; CODE XREF: MiRevertValidPte+2C7j
		cmp	[esp+58h+var_18], 0
		jnz	loc_454612

loc_45433B:				; CODE XREF: MiRevertValidPte+4FFj
					; MiRevertValidPte+544j
		and	edx, 1FFFFFFh
		xor	esi, esi
		shld	esi, edx, 0Ch
		mov	eax, edi
		mov	ecx, ebx
		shl	edx, 0Ch
		and	eax, 0FFFh
		and	ecx, 0FFFFFFE0h
		mov	edi, edx
		or	edi, eax
		or	esi, ecx
		mov	eax, [esp+58h+var_28]
		mov	ecx, [esp+58h+var_2C]
		mov	[esp+58h+var_48], esi
		test	eax, eax
		jnz	short loc_4543BF
		test	ds:_MiFlags, 300h
		jz	loc_5B021C
		mov	edx, [ecx]
		nop
		mov	ebx, [ecx+4]
		mov	eax, edi
		and	eax, 40h
		or	eax, 0
		jnz	short loc_454396
		mov	eax, edx
		and	eax, 40h
		or	eax, 0
		jnz	short loc_454415

loc_454396:				; CODE XREF: MiRevertValidPte+26Aj
		test	esi, esi
		jg	short loc_4543AA
		jl	short loc_4543A0
		test	edi, edi
		jnb	short loc_4543AA

loc_4543A0:				; CODE XREF: MiRevertValidPte+27Aj
		test	ebx, ebx
		jg	short loc_454415
		jl	short loc_4543AA
		test	edx, edx
		jnb	short loc_454415

loc_4543AA:				; CODE XREF: MiRevertValidPte+278j
					; MiRevertValidPte+27Ej ...
		mov	eax, edi
		and	eax, 2
		or	eax, 0
		jnz	short loc_4543BB
		and	edx, 2
		or	edx, eax
		jnz	short loc_454415

loc_4543BB:				; CODE XREF: MiRevertValidPte+292j
		mov	eax, [esp+58h+var_28]

loc_4543BF:				; CODE XREF: MiRevertValidPte+24Aj
					; MiRevertValidPte+2FEj ...
		mov	edx, [ebp+arg_4]
		inc	edx
		cmp	[esp+58h+var_24], 0
		mov	[ebp+arg_4], edx
		jbe	loc_5B022A
		nop
		mov	ebx, [esp+58h+var_48]
		mov	[ecx], edi
		mov	[ecx+4], esi

loc_4543DB:				; CODE XREF: MiRevertValidPte+15C147j
		add	ecx, 8
		sub	[esp+58h+var_20], 1
		mov	[esp+58h+var_2C], ecx
		jnz	loc_454330
		test	eax, eax
		jnz	short loc_454420

loc_4543F1:				; CODE XREF: MiRevertValidPte+39Aj
					; MiRevertValidPte+3EEj ...
		mov	esi, [esp+58h+var_34]

loc_4543F5:				; CODE XREF: MiRevertValidPte+15C1BEj
		cmp	[esp+58h+var_3C], 1
		jnz	short loc_45440C
		mov	eax, [esp+58h+var_C]
		and	eax, 42h
		or	eax, 0
		jnz	loc_454516

loc_45440C:				; CODE XREF: MiRevertValidPte+2DAj
					; MiRevertValidPte+3FCj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_454415:				; CODE XREF: MiRevertValidPte+274j
					; MiRevertValidPte+282j ...
		mov	eax, 1
		mov	[esp+58h+var_28], eax
		jmp	short loc_4543BF
; 

loc_454420:				; CODE XREF: MiRevertValidPte+2CFj
		mov	edx, [esp+58h+var_14]
		test	edx, edx
		jnz	loc_5B02D1
		mov	esi, [ebp+arg_8]
		mov	ecx, [esp+58h+var_3C]
		mov	ebx, ecx
		mov	edx, [esp+58h+var_30]
		cmp	dword ptr [esi], 1
		jnz	loc_5B026C

loc_454442:				; CODE XREF: MiRevertValidPte+15C16Bj
		mov	edi, [esi+0Ch]
		test	edi, edi
		jz	short loc_454495
		test	byte ptr [esi+4], 4
		jnz	short loc_454495
		mov	eax, [esi+edi*4+10h]
		test	eax, 0C00h
		jnz	short loc_45449F
		mov	ecx, eax
		and	eax, 0FFFFF000h
		and	ecx, 3FFh
		mov	[esp+58h+var_14], ecx
		inc	ecx
		shl	ecx, 0Ch
		add	ecx, eax
		cmp	ecx, edx
		mov	edx, [esp+58h+var_3C]
		jnz	short loc_4544A3
		mov	eax, [esp+58h+var_14]
		lea	ecx, [eax+edx]
		cmp	ecx, eax
		jbe	short loc_4544A3
		cmp	ecx, 3FFh
		ja	short loc_4544A3
		mov	eax, 1
		mov	ecx, edx
		jmp	short loc_454497
; 

loc_454495:				; CODE XREF: MiRevertValidPte+327j
					; MiRevertValidPte+32Dj
		xor	eax, eax

loc_454497:				; CODE XREF: MiRevertValidPte+373j
		test	eax, eax
		jnz	loc_454576

loc_45449F:				; CODE XREF: MiRevertValidPte+338j
		mov	edx, [esp+58h+var_3C]

loc_4544A3:				; CODE XREF: MiRevertValidPte+357j
					; MiRevertValidPte+362j ...
		test	edi, edi
		jnz	loc_454592

loc_4544AB:				; CODE XREF: MiRevertValidPte+476j
					; MiRevertValidPte+485j
		mov	edx, [esp+58h+var_3C]

loc_4544AF:				; CODE XREF: MiRevertValidPte+4A0j
					; MiRevertValidPte+15C17Aj ...
		cmp	edi, [esi+8]
		jnb	loc_4545CB
		test	edx, edx
		jz	loc_4543F1

loc_4544C0:				; CODE XREF: MiRevertValidPte+3F4j
		lea	eax, [ebx-1]
		cmp	eax, 3FFh
		ja	loc_5B02BB
		mov	edi, ebx

loc_4544D0:				; CODE XREF: MiRevertValidPte+15C1A0j
		mov	edx, [esp+58h+var_30]
		lea	eax, [edi-1]
		mov	ecx, edx
		and	eax, 3FFh
		and	ecx, 0FFFFF000h
		sub	ebx, edi
		or	eax, ecx
		mov	ecx, edi
		shl	ecx, 0Ch
		add	edx, ecx
		mov	ecx, [esi+0Ch]
		mov	[esp+58h+var_30], edx
		mov	[esi+ecx*4+14h], eax
		inc	dword ptr [esi+0Ch]
		mov	eax, [esi+0Ch]
		add	[esi+10h], edi
		cmp	eax, [esi+8]
		jz	loc_4545D4

loc_45450C:				; CODE XREF: MiRevertValidPte+4B8j
					; MiRevertValidPte+4DFj
		test	ebx, ebx
		jz	loc_4543F1
		jmp	short loc_4544C0
; 

loc_454516:				; CODE XREF: MiRevertValidPte+2E6j
		mov	ebx, [esp+58h+var_38]
		test	ebx, ebx
		jz	loc_45440C
		mov	eax, [esp+58h+var_1C]
		mov	eax, [eax+1Ch]
		and	al, 70h
		cmp	al, 40h
		jz	loc_5B02E3

loc_454533:				; CODE XREF: MiRevertValidPte+15C1D2j
		mov	[esp+58h+var_8], 0
		lea	esi, [ebx+10h]
		lock bts dword ptr [esi], 1Fh
		jb	loc_4546B0

loc_454549:				; CODE XREF: MiRevertValidPte+5A4j
		mov	eax, [esp+58h+var_38]
		xor	edi, edi
		xor	ebx, ebx
		mov	dl, [eax+16h]
		test	dl, 10h
		jz	loc_454669

loc_45455D:				; CODE XREF: MiRevertValidPte+57Dj
		xor	ecx, ecx

loc_45455F:				; CODE XREF: MiRevertValidPte+15C1DCj
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	eax, edi
		or	eax, ebx
		jz	loc_45440C
		jmp	loc_5B0301
; 

loc_454576:				; CODE XREF: MiRevertValidPte+379j
		mov	eax, [esi+edi*4+10h]
		add	[esi+10h], ecx
		add	ecx, eax
		xor	ecx, eax
		and	ecx, 3FFh
		xor	ecx, eax
		mov	[esi+edi*4+10h], ecx
		jmp	loc_4543F1
; 

loc_454592:				; CODE XREF: MiRevertValidPte+385j
		test	byte ptr [esi+4], 4
		jnz	loc_4544AB
		mov	eax, [esi+edi*4+10h]
		test	eax, 0C00h
		jnz	loc_4544AB
		shl	edx, 0Ch
		mov	ecx, eax
		add	edx, [esp+58h+var_30]
		and	ecx, 0FFFFF000h
		cmp	ecx, edx
		mov	edx, [esp+58h+var_3C]
		jnz	loc_4544AF
		jmp	loc_5B0290
; 

loc_4545CB:				; CODE XREF: MiRevertValidPte+392j
		mov	byte ptr [esi+5], 1
		jmp	loc_4543F1
; 

loc_4545D4:				; CODE XREF: MiRevertValidPte+3E6j
		test	byte ptr [esi+4], 4
		jnz	loc_45450C
		push	offset _MiTbFlushSort ;	int __cdecl (*)(const void *,const void	*)
		push	4		; size_t
		push	eax		; size_t
		lea	eax, [esi+14h]
		push	eax		; void *
		call	_qsort
		add	esp, 10h
		mov	ecx, esi
		call	MiCompressTbFlushList
		mov	eax, [esi+0Ch]
		cmp	eax, [esi+8]
		jnz	loc_45450C
		test	ebx, ebx
		jz	loc_4543F1
		jmp	loc_5B02C5
; 

loc_454612:				; CODE XREF: MiRevertValidPte+215j
		mov	ecx, [ecx]
		nop
		mov	esi, [esp+58h+var_2C]
		and	ecx, 42h
		or	ecx, 0
		jz	loc_45433B
		mov	edx, esi
		cmp	esi, 0C0000000h
		jb	short loc_454643
		nop

loc_454630:				; CODE XREF: MiRevertValidPte+521j
		cmp	edx, 0C07FFFFFh
		ja	short loc_454643
		shl	edx, 9
		cmp	edx, 0C0000000h
		jnb	short loc_454630

loc_454643:				; CODE XREF: MiRevertValidPte+50Dj
					; MiRevertValidPte+516j
		mov	ecx, large fs:124h
		push	[esp+58h+var_1C]
		mov	ecx, [ecx+80h]
		call	_MiCaptureWriteWatchDirtyBit@12	; MiCaptureWriteWatchDirtyBit(x,x,x)
		mov	edx, [ebp+arg_4]
		mov	[esp+58h+var_18], 0
		jmp	loc_45433B
; 

loc_454669:				; CODE XREF: MiRevertValidPte+437j
		lea	ecx, [eax+8]
		mov	dh, dl
		mov	eax, [ecx]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_4546CC
		test	dl, 8
		jnz	short loc_4546CC
		push	eax
		lea	edx, [eax+1]
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	edi, eax
		mov	ebx, edx
		mov	eax, [esp+58h+var_38]
		mov	dh, [eax+16h]

loc_454693:				; CODE XREF: MiRevertValidPte+5B0j
		or	dh, 10h
		mov	ecx, edi
		or	ecx, ebx
		mov	[eax+16h], dh
		jz	loc_45455D
		jmp	loc_5B02F7
; 
		jmp	short loc_4546B0
; 
		align 10h

loc_4546B0:				; CODE XREF: MiRevertValidPte+423j
					; MiRevertValidPte+588j ...
		lea	ecx, [esp+58h+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4546B0
		lock bts dword ptr [esi], 1Fh
		jnb	loc_454549
		jmp	short loc_4546B0
; 

loc_4546CC:				; CODE XREF: MiRevertValidPte+558j
					; MiRevertValidPte+55Dj
		mov	eax, [esp+58h+var_38]
		jmp	short loc_454693
MiRevertValidPte endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiQueryAddressState(x, x, x, x, x, x, x, x,	x, x)
_MiQueryAddressState@40	proc near	; CODE XREF: MiAllowProtectionChange(x,x,x,x,x,x)+9Dp
					; MiQueryAddressSpan(x,x,x,x)+C0p ...

var_100		= dword	ptr -100h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_8D		= byte ptr -8Dh
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_71		= byte ptr -71h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_52		= byte ptr -52h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_8C], esi
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_DC], eax
		mov	al, [ebp+arg_0]
		mov	[ebp+var_71], al
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_E0], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_E4], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_D8], eax
		mov	eax, large fs:124h
		mov	ebx, [ebp+arg_1C]
		shr	edx, 9
		mov	ecx, [eax+80h]
		and	edx, offset loc_7FFFF8
		movzx	eax, word ptr _MiSystemPartition
		sub	edx, 40000000h
		mov	[ebp+var_88], eax
		mov	[ebp+var_BC], eax
		lea	eax, [ecx+240h]
		mov	[ebp+var_C4], ebx
		mov	[ebp+var_60], eax
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	dword ptr [ebx], 1
		sub	eax, 40000000h
		mov	ebx, eax
		mov	[ebp+var_D4], eax
		mov	eax, edx
		mov	[ebp+var_7C], 0
		shl	eax, 9
		mov	[ebp+var_94], 0
		mov	[ebp+var_B4], edx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_B8], 2000h
		mov	[ebp+var_C0], 0
		mov	[ebp+var_A0], 0
		mov	[ebp+var_70], 0
		mov	[ebp+var_F0], eax
		jmp	short loc_4547E0
; 
		align 10h

loc_4547E0:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+F7j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+D0Fj
		xor	edi, edi
		mov	[ebp+var_9C], edx
		push	4Ch		; size_t
		lea	eax, [ebp+var_58]
		mov	[ebp+var_A4], 0
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_D0], edi
		mov	[ebp+var_CC], edi
		mov	[ebp+var_EC], edi
		mov	[ebp+var_E8], edi
		call	_memset
		mov	edx, ebx
		mov	eax, 861h
		shl	edx, 9
		add	esp, 0Ch
		mov	word ptr [ebp+var_58], ax
		mov	eax, edx
		cmp	edx, 0C0000000h
		jb	short loc_454842

loc_454831:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+160j
		cmp	eax, 0C07FFFFFh
		ja	short loc_454842
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	short loc_454831

loc_454842:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+14Fj
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+156j
		cmp	eax, dword_6D07D0
		jb	short loc_454868
		cmp	eax, dword_6D2E88
		jb	short loc_45485A
		cmp	eax, dword_6D2E8C
		jbe	short loc_454868

loc_45485A:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+170j
		mov	ecx, 1
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	ecx, eax
		jmp	short loc_45487A
; 

loc_454868:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+168j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+178j
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		add	ecx, 240h

loc_45487A:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+186j
		mov	eax, 865h
		mov	[ebp+var_48], ecx
		mov	word ptr [ebp+var_58], ax
		lea	ecx, [ebp+var_58]
		lea	eax, [ebp+var_EC]
		mov	[ebp+var_4C], edi
		mov	[ebp+var_10], eax
		mov	al, byte ptr [ebp+var_58+2]
		and	al, 0E7h
		mov	[ebp+var_14], offset _MiGetNextPageTableTail@4 ; MiGetNextPageTableTail(x)
		or	al, 4
		mov	[ebp+var_44], edx
		mov	byte ptr [ebp+var_58+2], al
		mov	al, [ebp+var_71]
		mov	[ebp+var_52], al
		mov	eax, [ebp+var_F0]
		mov	[ebp+var_40], eax
		call	MiWalkPageTables
		mov	ebx, [ebp+var_E8]
		mov	[ebp+var_84], ebx
		test	ebx, ebx
		jnz	short loc_4548E6
		mov	ebx, [ebp+var_B4]
		add	ebx, 8
		xor	edx, edx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], edx
		jmp	loc_454980
; 

loc_4548E6:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+1EBj
		mov	eax, [ebp+var_EC]
		mov	ecx, ebx
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	[ebp+var_80], ecx
		test	eax, eax
		jz	loc_454A39
		mov	esi, ecx
		cmp	eax, 1
		jbe	short loc_454924
		dec	eax

loc_454910:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+242j
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		sub	eax, 1
		jnz	short loc_454910

loc_454924:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+22Dj
		mov	ecx, esi
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	[ebp+var_80], ecx
		cmp	ebx, [ebp+var_5C]
		jz	loc_4553F4
		mov	esi, [ebp+var_8C]

loc_454947:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+35Ej
		mov	edx, ecx
		mov	ecx, [ebp+var_60]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	eax, ebx
		xor	edx, edx
		and	eax, 0FFFFF000h
		mov	[ebp+var_80], edx
		sub	eax, 8

loc_454960:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+39Cj
		mov	ecx, [ebp+var_B4]
		mov	[ebp+var_9C], eax
		cmp	eax, ecx
		jbe	short loc_454980
		mov	[ebp+var_9C], ecx
		jmp	short loc_454980
; 
		align 10h

loc_454980:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+201j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+28Ej ...
		mov	edx, [ebp+var_CC]
		xor	ecx, ecx
		mov	[ebp+var_6C], ecx
		mov	ecx, [ebp+var_D0]
		mov	eax, ecx
		or	eax, edx
		mov	[ebp+var_68], 2000h
		mov	[ebp+var_64], 0
		mov	[ebp+var_98], 0
		jz	loc_454A89
		nop
		mov	eax, ecx
		and	eax, 3E0h
		cmp	eax, 200h
		jnz	short loc_4549EB
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	short loc_4549EB
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jz	loc_454C5F
		push	edx
		push	ecx
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jnz	loc_454C5F

loc_4549EB:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+2E0j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+2EAj
		mov	edx, [ebp+var_5C]
		lea	eax, [ebp+var_88]
		mov	ecx, [ebp+var_78]
		push	eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_68], 1000h
		push	eax
		lea	eax, [ebp+var_7C]
		push	eax
		call	_MiGetPageProtection@20	; MiGetPageProtection(x,x,x,x,x)
		mov	esi, [ebp+var_7C]
		mov	ecx, eax
		mov	[ebp+var_64], ecx
		test	esi, esi
		jnz	loc_4553BB
		mov	eax, [ebp+var_5C]
		mov	edi, [ebp+var_60]
		mov	edx, [ebp+var_6C]
		test	ecx, ecx
		jnz	short loc_454A81
		mov	esi, 2000h
		mov	[ebp+var_68], esi
		jmp	loc_454B28
; 

loc_454A39:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+222j
		mov	edx, [ebp+var_5C]
		cmp	edx, ebx
		jnz	loc_454947
		mov	ecx, [edx]
		nop
		mov	eax, [edx+4]
		lea	ebx, [edx+8]
		mov	[ebp+var_D0], ecx
		or	ecx, eax
		mov	[ebp+var_CC], eax
		mov	[ebp+var_A4], 1
		mov	[ebp+var_84], ebx
		jnz	short loc_454A70
		lea	edi, [ecx+1]

loc_454A70:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+38Bj
		mov	eax, edx
		and	eax, 0FFFFF000h
		add	eax, 0FF8h
		jmp	loc_454960
; 

loc_454A81:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+34Aj
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+7B7j
		mov	esi, [ebp+var_68]
		jmp	loc_454B28
; 

loc_454A89:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+2CDj
		mov	eax, [ebp+var_C4]
		mov	edx, [ebp+var_78]
		mov	dword ptr [eax], 0
		mov	ecx, [edx+1Ch]
		mov	eax, ecx
		and	eax, 70h
		mov	[ebp+var_AC], ecx
		cmp	al, 30h
		jz	loc_4551BF
		mov	eax, ecx
		and	al, 70h
		cmp	al, 10h
		jz	loc_4551BF
		test	ecx, 100000h
		jz	loc_454BAC
		cmp	dword ptr [edx+20h], 0
		jge	short loc_454AF7
		mov	eax, ecx
		mov	esi, 1000h
		shr	eax, 7
		mov	ecx, edx
		and	eax, 1Fh
		mov	[ebp+var_68], esi
		mov	[ebp+var_64], eax
		call	MI_GET_GRAPHICS_PROTECTION_FROM_VAD
		mov	ecx, [ebp+var_AC]
		mov	edx, [ebp+var_78]
		mov	[ebp+var_98], eax
		jmp	short loc_454AFA
; 

loc_454AF7:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+3EAj
		mov	esi, [ebp+var_68]

loc_454AFA:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+415j
		and	ecx, offset loc_500000
		cmp	ecx, offset loc_500000
		jnz	short loc_454B1C
		mov	eax, [edx+24h]
		test	eax, eax
		jz	short loc_454B1C
		nop

loc_454B10:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+43Aj
		test	byte ptr [eax+24h], 10h
		jnz	short loc_454B7C
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_454B10

loc_454B1C:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+426j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+42Dj ...
		mov	edx, [ebp+var_6C]

loc_454B1F:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+52Aj
		mov	ecx, [ebp+var_64]

loc_454B22:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+587j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+787j ...
		mov	edi, [ebp+var_60]

loc_454B25:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+922j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+A3Fj
		mov	eax, [ebp+var_5C]

loc_454B28:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+354j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+3A4j ...
		cmp	eax, [ebp+var_D4]
		jnz	loc_455263
		mov	eax, [ebp+var_98]
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_A0], eax
		movzx	eax, word ptr [ebp+var_88]
		mov	[ebp+var_B8], esi
		mov	[ebp+var_C0], ecx
		mov	[ebp+var_BC], eax
		test	edx, edx
		jz	loc_4551FE
		cmp	esi, [edx+10h]
		jnz	loc_4554C2
		test	ecx, ecx
		jnz	loc_4551E8
		xor	eax, eax
		jmp	loc_4551F5
; 

loc_454B7C:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+434j
		test	eax, eax
		jz	short loc_454B1C
		mov	esi, [eax+0Ch]
		test	esi, esi
		jz	short loc_454BA4
		mov	ecx, esi
		call	PsReferencePartitionSafe
		test	al, al
		jz	short loc_454BA4
		mov	eax, [esi]
		mov	ecx, esi
		movzx	eax, word ptr [eax]
		mov	[ebp+var_88], eax
		call	PsDereferencePartition

loc_454BA4:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+4A5j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+4B0j
		mov	esi, [ebp+var_68]
		jmp	loc_454B1C
; 

loc_454BAC:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+3E0j
		movzx	eax, word ptr _MiSystemPartition
		mov	ecx, [ebp+var_78]
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_94]
		shr	esi, 0Ch
		push	eax
		push	4
		mov	edx, esi
		mov	[ebp+var_8C], esi
		call	MiGetProtoPteAddress
		mov	esi, eax
		mov	[ebp+var_7C], esi
		test	esi, esi
		jnz	loc_454C6C
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_454C0F
		push	ecx
		push	esi
		push	esi
		mov	edx, 2000h
		mov	ecx, eax
		call	_MiQueryStateMatches@20	; MiQueryStateMatches(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_454C0F
		mov	ebx, [ebp+var_5C]
		mov	edx, 1
		mov	esi, [ebp+var_68]
		mov	[ebp+var_6C], edx
		jmp	loc_454B1F
; 

loc_454C0F:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+507j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+51Aj
		mov	ecx, [ebp+var_78]
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		test	eax, eax
		jz	short loc_454C59
		mov	eax, [ebp+var_94]
		test	eax, eax
		jz	short loc_454C59
		cmp	dword ptr [eax+4], 0
		jnz	short loc_454C59
		mov	edx, [ebp+var_8C]
		push	eax
		push	ebx
		push	[ebp+var_5C]
		call	_MiSkipEntirePagefileRegions@20	; MiSkipEntirePagefileRegions(x,x,x,x,x)
		mov	ecx, [ebp+var_5C]
		mov	ebx, eax
		mov	esi, [ebp+var_68]
		mov	eax, ecx
		mov	edi, [ebp+var_60]
		cmp	ebx, ecx
		jnz	short loc_454C4F
		lea	ebx, [ecx+8]

loc_454C4F:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+56Aj
		mov	ecx, [ebp+var_64]
		mov	edx, ecx
		jmp	loc_454B28
; 

loc_454C59:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+539j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+543j ...
		mov	ebx, [ebp+var_5C]
		add	ebx, 8

loc_454C5F:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+2F6j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+305j ...
		mov	ecx, [ebp+var_64]
		mov	edx, ecx
		mov	esi, [ebp+var_68]
		jmp	loc_454B22
; 

loc_454C6C:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+4FCj
		test	edi, edi
		jz	loc_454D07
		mov	edx, [ebp+var_9C]
		sub	edx, [ebp+var_5C]
		sar	edx, 3
		inc	edx
		cmp	edx, 20h
		jle	short loc_454C8B
		mov	edx, 20h

loc_454C8B:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+5A4j
		mov	edi, [ebp+var_94]
		mov	ecx, [edi+24h]
		mov	eax, [edi+1Ch]
		and	ecx, 3FFFFFFFh
		mov	ebx, [edi+4]
		sub	eax, ecx
		test	byte ptr [edi+12h], 2
		lea	ecx, [ebx+eax*8]
		jnz	short loc_454CC3
		cmp	esi, ebx
		jb	short loc_454CC3
		cmp	esi, ecx
		jnb	short loc_454CC3
		lea	eax, [esi+edx*8]
		cmp	eax, ecx
		jbe	short loc_454CC5
		mov	edx, ecx
		sub	edx, esi
		sar	edx, 3
		jmp	short loc_454CC5
; 

loc_454CC3:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+5C9j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+5CDj ...
		xor	edx, edx

loc_454CC5:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+5D8j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+5E1j
		mov	eax, [ebp+var_5C]
		lea	edx, [edx-1]
		lea	ebx, [eax+8]
		lea	edx, [eax+edx*8]
		mov	[ebp+var_84], ebx
		cmp	ebx, edx
		ja	short loc_454CF5
		jmp	short loc_454CE0
; 
		align 10h

loc_454CE0:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+5FBj
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+60Dj
		mov	ecx, [ebx]
		nop
		or	ecx, [ebx+4]
		jnz	short loc_454CEF
		add	ebx, 8
		cmp	ebx, edx
		jbe	short loc_454CE0

loc_454CEF:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+606j
		mov	[ebp+var_84], ebx

loc_454CF5:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+5F9j
		cmp	[ebp+var_A4], 0
		jnz	loc_454D9A
		mov	edx, [ebp+var_5C]
		jmp	short loc_454D63
; 

loc_454D07:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+58Ej
		cmp	[ebp+var_A4], 0
		jnz	loc_454D9A
		mov	edi, [ebp+var_94]
		sub	ebx, [ebp+var_5C]
		sar	ebx, 3
		mov	ecx, [edi+24h]
		mov	eax, [edi+1Ch]
		and	ecx, 3FFFFFFFh
		mov	edx, [edi+4]
		sub	eax, ecx
		test	byte ptr [edi+12h], 2
		lea	ecx, [edx+eax*8]
		jnz	short loc_454D52
		cmp	esi, edx
		jb	short loc_454D52
		cmp	esi, ecx
		jnb	short loc_454D52
		lea	eax, [esi+ebx*8]
		cmp	eax, ecx
		jbe	short loc_454D57
		mov	ebx, ecx
		sub	ebx, esi
		sar	ebx, 3
		jmp	short loc_454D57
; 

loc_454D52:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+658j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+65Cj ...
		mov	ebx, 1

loc_454D57:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+667j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+670j
		mov	edx, [ebp+var_5C]
		lea	ebx, [edx+ebx*8]
		mov	[ebp+var_84], ebx

loc_454D63:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+625j
		mov	ecx, [ebp+var_78]
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		test	eax, eax
		jz	short loc_454D9A
		mov	eax, ebx
		mov	ecx, esi
		sub	eax, edx
		mov	edx, edi
		sar	eax, 3
		push	eax
		call	_MiSkipFractionalPagefileRegion@12 ; MiSkipFractionalPagefileRegion(x,x,x)
		cmp	eax, esi
		jz	short loc_454D9A
		mov	ecx, [ebp+var_5C]
		sub	eax, esi
		sar	eax, 3
		xor	esi, esi
		mov	[ebp+var_7C], esi
		lea	ebx, [ecx+eax*8]
		mov	[ebp+var_84], ebx

loc_454D9A:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+61Cj
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+62Ej ...
		mov	eax, [ebp+var_78]
		mov	eax, [eax+44h]
		test	eax, eax
		jns	short loc_454DBA
		mov	edx, [eax]
		mov	edi, 1
		mov	eax, [eax+4]
		add	edx, 0FFFFFFFFh
		adc	eax, 0FFFFFFFFh
		shrd	edx, eax, 0Ch
		jmp	short loc_454DBF
; 

loc_454DBA:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+6C2j
		xor	edi, edi
		or	edx, 0FFFFFFFFh

loc_454DBF:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+6D8j
		test	esi, esi
		jz	loc_454C5F
		mov	eax, [ebp+var_78]
		mov	eax, [eax+1Ch]
		mov	[ebp+var_AC], eax
		and	al, 70h
		cmp	al, 20h
		jnz	loc_454EAA
		mov	eax, [ebp+var_78]
		xor	edx, edx
		mov	edi, [eax+2Ch]
		test	edi, edi
		jz	short loc_454E47
		lea	esp, [esp+0]

loc_454DF0:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+765j
		test	byte ptr [edi+12h], 2
		jz	short loc_454E2F
		mov	eax, [edi]
		mov	[ebp+var_8C], eax
		test	dword ptr [eax+1Ch], 4000000h
		jz	short loc_454E2F
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8C]
		mov	edx, eax
		push	edi
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		mov	esi, [ebp+var_7C]
		mov	edx, [eax+24h]
		jmp	short loc_454E32
; 

loc_454E2F:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+714j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+725j
		mov	edx, [edi+4]

loc_454E32:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+74Dj
		cmp	esi, edx
		jb	short loc_454E40
		mov	eax, [edi+1Ch]
		lea	eax, [edx+eax*8]
		cmp	esi, eax
		jb	short loc_454E47

loc_454E40:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+754j
		mov	edi, [edi+8]
		test	edi, edi
		jnz	short loc_454DF0

loc_454E47:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+707j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+75Ej
		mov	eax, [edi+24h]
		sub	esi, edx
		mov	ecx, [edi+1Ch]
		and	eax, 3FFFFFFFh
		sub	ecx, eax
		sar	esi, 3
		cmp	esi, ecx
		jb	short loc_454E6C
		mov	esi, [ebp+var_68]
		xor	ecx, ecx
		mov	[ebp+var_64], ecx
		mov	edx, ecx
		jmp	loc_454B22
; 

loc_454E6C:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+77Bj
		mov	eax, [ebp+var_78]
		mov	ecx, [eax+1Ch]
		shr	ecx, 7
		and	ecx, 1Fh
		mov	[ebp+var_64], ecx
		cmp	ecx, 7
		jnz	short loc_454E8C
		movzx	ecx, word ptr [edi+10h]
		shr	ecx, 1
		and	ecx, 1Fh
		mov	[ebp+var_64], ecx

loc_454E8C:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+79Ej
		mov	eax, [ebp+var_5C]
		mov	edi, [ebp+var_60]
		mov	edx, [ebp+var_6C]
		test	ecx, ecx
		jz	loc_454A81
		mov	esi, 1000h
		mov	[ebp+var_68], esi
		jmp	loc_454B28
; 

loc_454EAA:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+6F7j
		mov	ecx, [ebp+var_94]
		mov	eax, [ecx]
		cmp	dword ptr [eax+20h], 0
		jnz	loc_455124
		test	dword ptr [eax+1Ch], 2000h
		jnz	loc_455124
		mov	eax, [ebp+var_80]
		test	eax, eax
		jz	short loc_454F38
		lea	ecx, [ebp+var_AC]
		mov	[ebp+var_AC], 0
		push	ecx
		mov	ecx, [ebp+var_60]
		mov	edx, eax
		call	MiGetPageTableLockBuffer
		mov	edi, eax
		mov	esi, 2
		mov	edx, [edi]
		mov	eax, [ebp+var_AC]
		mov	ecx, eax
		shl	esi, cl
		mov	ecx, edx
		btr	ecx, eax
		not	esi
		and	ecx, esi
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_454F2E
		mov	ebx, [ebp+var_AC]

loc_454F17:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+846j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, ebx
		and	ecx, esi
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_454F17
		mov	ebx, [ebp+var_84]

loc_454F2E:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+82Fj
		mov	esi, [ebp+var_7C]
		mov	[ebp+var_80], 0

loc_454F38:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+7EEj
		mov	dl, [ebp+var_71]
		mov	ecx, [ebp+var_60]
		call	MiUnlockWorkingSetShared
		mov	edx, [ebp+var_94]
		sub	ebx, [ebp+var_5C]
		sar	ebx, 3
		mov	eax, [edx+24h]
		mov	ecx, [edx+1Ch]
		and	eax, 3FFFFFFFh
		sub	ecx, eax
		mov	eax, [edx+4]
		lea	edi, [eax+ecx*8]
		sub	edi, esi
		sar	edi, 3
		cmp	edi, ebx
		jbe	short loc_454F6D
		mov	edi, ebx

loc_454F6D:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+889j
		mov	ecx, [esi]
		nop
		or	ecx, [esi+4]
		jz	short loc_454F8E
		mov	eax, [ebp+var_78]
		mov	ebx, 1000h
		mov	[ebp+var_68], ebx
		mov	eax, [eax+1Ch]
		shr	eax, 7
		and	eax, 1Fh
		mov	[ebp+var_64], eax
		jmp	short loc_454F94
; 

loc_454F8E:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+893j
		mov	ebx, [ebp+var_68]
		mov	eax, [ebp+var_64]

loc_454F94:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+8ACj
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_454FB8
		push	ecx
		push	0
		push	eax
		mov	edx, ebx
		call	_MiQueryStateMatches@20	; MiQueryStateMatches(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_454FB8
		xor	ecx, ecx
		mov	[ebp+var_6C], 1
		mov	[ebp+var_70], ecx
		jmp	short loc_454FD3
; 

loc_454FB8:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+8B9j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+8C8j
		test	edi, edi
		jz	short loc_454FD0
		lea	esp, [esp+0]

loc_454FC0:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+948j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+9B5j
		mov	ecx, [esi]
		nop
		or	ecx, [esi+4]
		jz	short loc_455007
		cmp	ebx, 1000h
		jz	short loc_45500F

loc_454FD0:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+8DAj
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+92Dj ...
		mov	ecx, [ebp+var_70]

loc_454FD3:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+8D6j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+93Fj ...
		mov	eax, [ebp+var_5C]
		mov	edi, [ebp+var_60]
		lea	ebx, [eax+ecx*8]
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 4
		jbe	loc_4550B3
		cmp	al, 5
		jz	loc_4550B3
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_454FF9:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+A2Cj
		mov	esi, [ebp+var_68]
		mov	ecx, [ebp+var_64]
		mov	edx, [ebp+var_6C]
		jmp	loc_454B25
; 

loc_455007:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+8E6j
		cmp	ebx, 1000h
		jz	short loc_454FD0

loc_45500F:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+8EEj
		mov	ecx, [ebp+var_70]
		lea	esi, [esi+8]
		inc	ecx
		mov	[ebp+var_7C], esi
		mov	[ebp+var_70], ecx
		sub	edi, 1
		jz	short loc_454FD3
		mov	eax, esi

loc_455023:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+9A8j
		test	eax, 0FFFh
		jnz	short loc_454FC0
		mov	ecx, eax
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		mov	edx, [ecx-40000000h]
		nop
		mov	ecx, [ecx-3FFFFFFCh]
		mov	[ebp+var_AC], ecx
		mov	ecx, edx
		and	ecx, 1
		or	ecx, 0
		jnz	short loc_45508F
		and	edx, 3E0h
		or	edx, ecx
		jnz	short loc_45508F
		cmp	ebx, 1000h
		jz	loc_454FD0
		cmp	edi, 200h
		jbe	short loc_4550A0
		add	[ebp+var_70], 200h
		lea	esi, [eax+1000h]
		mov	[ebp+var_7C], esi
		mov	eax, esi
		sub	edi, 200h
		jnz	short loc_455023
		jmp	loc_454FD0
; 

loc_45508F:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+970j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+97Aj
		cmp	ebx, 1000h
		jz	loc_454FC0
		jmp	loc_454FD0
; 

loc_4550A0:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+98Ej
		mov	ecx, [ebp+var_70]
		lea	eax, [eax+edi*8]
		add	ecx, edi
		mov	[ebp+var_7C], eax
		mov	[ebp+var_70], ecx
		jmp	loc_454FD3
; 

loc_4550B3:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+903j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+90Bj
		mov	esi, offset unk_6D3C40
		cmp	al, 2
		jz	short loc_4550C2
		lea	esi, [edi+80h]

loc_4550C2:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+9DAj
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_8D], al
		jz	short loc_4550E4
		mov	dl, al
		mov	ecx, esi
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	short loc_455106
; 

loc_4550E4:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+9F7j
		mov	edx, [esi]
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_455106
		mov	dl, [ebp+var_8D]
		mov	ecx, esi
		call	ExpWaitForSpinLockSharedAndAcquire

loc_455106:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+A02j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+A17j
		add	esi, 4
		cmp	dword ptr [esi], 0
		jz	loc_454FF9
		xor	eax, eax
		xchg	eax, [esi]
		mov	esi, [ebp+var_68]
		mov	ecx, [ebp+var_64]
		mov	edx, [ebp+var_6C]
		jmp	loc_454B25
; 

loc_455124:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+7D6j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+7E3j
		mov	eax, [ecx+24h]
		mov	ecx, [ecx+1Ch]
		and	eax, 3FFFFFFFh
		sub	ebx, [ebp+var_5C]
		sub	ecx, eax
		mov	eax, [ebp+var_94]
		sar	ebx, 3
		mov	eax, [eax+4]
		lea	eax, [eax+ecx*8]
		sub	eax, esi
		sar	eax, 3
		mov	[ebp+var_70], eax
		cmp	eax, ebx
		jbe	short loc_455154
		mov	[ebp+var_70], ebx
		jmp	short loc_455157
; 

loc_455154:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+A6Dj
		mov	ebx, [ebp+var_70]

loc_455157:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+A72j
		test	edi, edi
		jz	short loc_455181
		mov	eax, [ebp+var_78]
		mov	esi, [ebp+var_8C]
		mov	ecx, [eax+0Ch]
		mov	eax, esi
		sub	eax, ecx
		cmp	eax, edx
		ja	short loc_455181
		sub	ecx, esi
		lea	eax, [ecx+1]
		add	eax, edx
		cmp	ebx, eax
		jbe	short loc_45517F
		mov	ebx, eax
		mov	[ebp+var_70], ebx

loc_45517F:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+A98j
		xor	edi, edi

loc_455181:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+A79j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+A8Dj
		mov	eax, [ebp+var_5C]
		mov	esi, edi
		lea	ebx, [eax+ebx*8]
		test	edi, edi
		jnz	short loc_45519E
		mov	ecx, [ebp+var_AC]
		shr	ecx, 7
		and	ecx, 1Fh
		mov	[ebp+var_64], ecx
		jmp	short loc_4551A1
; 

loc_45519E:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+AABj
		mov	ecx, [ebp+var_64]

loc_4551A1:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+ABCj
		mov	edi, [ebp+var_60]
		neg	esi
		mov	edx, [ebp+var_6C]
		sbb	esi, esi
		and	esi, 1000h
		add	esi, 1000h
		mov	[ebp+var_68], esi
		jmp	loc_454B28
; 

loc_4551BF:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+3C8j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+3D4j
		and	ecx, 70h
		cmp	cl, 30h
		jnz	loc_454C5F
		mov	ecx, edx
		call	_MiGetAweVadPartition@4	; MiGetAweVadPartition(x)
		mov	ecx, [ebp+var_64]
		mov	edx, ecx
		mov	esi, [ebp+var_68]
		movzx	eax, word ptr [eax]
		mov	[ebp+var_88], eax
		jmp	loc_454B22
; 

loc_4551E8:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+48Fj
		mov	eax, ds:_MmProtectToValue[ecx*4]
		or	eax, [ebp+var_A0]

loc_4551F5:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+497j
		cmp	eax, [edx+14h]
		jnz	loc_4554C2

loc_4551FE:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+47Ej
		mov	eax, [ebp+var_70]

loc_455201:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+BC5j
		mov	esi, [ebp+var_5C]

loc_455204:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+BD1j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+CD6j
		cmp	[ebp+var_6C], 0
		jnz	loc_4554C5
		test	eax, eax
		jnz	loc_4554C5
		add	esi, 8
		mov	[ebp+var_5C], esi
		cmp	ebx, esi
		jnz	loc_4554C5
		cmp	ebx, [ebp+var_9C]
		ja	loc_4554C5
		cmp	[ebp+var_A4], eax
		jz	short loc_45524A
		mov	eax, [esi]
		nop
		mov	ecx, [esi+4]
		mov	[ebp+var_D0], eax
		mov	[ebp+var_CC], ecx

loc_45524A:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+B56j
		shl	esi, 9
		add	ebx, 8
		mov	[ebp+var_8C], esi
		xor	edi, edi
		mov	[ebp+var_84], ebx
		jmp	loc_454980
; 

loc_455263:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+44Ej
		cmp	esi, [ebp+var_B8]
		jnz	loc_455495
		mov	eax, [ebp+var_BC]
		cmp	word ptr [ebp+var_88], ax
		jnz	loc_455495
		cmp	ecx, [ebp+var_C0]
		jnz	loc_455495
		mov	eax, [ebp+var_A0]
		cmp	[ebp+var_98], eax
		jnz	loc_455495
		mov	eax, [ebp+var_70]
		test	eax, eax
		jnz	loc_455201
		mov	esi, [ebp+var_5C]
		cmp	edx, 1
		jz	loc_455204
		mov	eax, esi
		sub	eax, [ebp+var_D4]
		and	eax, 0FFFFFFF8h
		cmp	eax, 100h
		jl	loc_4553B3
		mov	edi, [ebp+var_80]
		test	edi, edi
		jz	loc_455384
		lea	eax, [edi+3FA00000h]
		sar	eax, 3
		lea	edx, [eax+eax]
		mov	eax, [ebp+var_60]
		mov	ecx, edx
		and	ecx, 1Fh
		mov	al, [eax+60h]
		and	al, 7
		cmp	al, 2
		jb	short loc_455354
		cmp	edi, 0C0603018h
		jz	short loc_455311
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_455345
		cmp	edi, 0C0603010h
		jnz	short loc_455345

loc_455311:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+C1Bj
		cmp	al, 7
		jnz	short loc_45532B
		mov	ecx, 0C0603018h
		mov	eax, offset unk_6D2E58
		sub	ecx, edi
		mov	edi, [ebp+var_60]
		sar	ecx, 3
		add	ecx, ecx
		jmp	short loc_455374
; 

loc_45532B:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+C33j
		cmp	al, 5
		jnz	short loc_455345
		mov	ecx, 0C0603018h
		mov	eax, offset unk_6D2E54
		sub	ecx, edi
		mov	edi, [ebp+var_60]
		sar	ecx, 3
		add	ecx, ecx
		jmp	short loc_455374
; 

loc_455345:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+C27j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+C2Fj ...
		mov	edi, [ebp+var_60]
		shr	edx, 5
		lea	eax, unk_6D2C54[edx*4]
		jmp	short loc_455374
; 

loc_455354:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+C13j
		mov	edi, [ebp+var_60]
		shr	edx, 5
		test	al, al
		jnz	short loc_45536B
		mov	eax, [edi+0Ch]
		lea	eax, [eax+edx*4]
		add	eax, 0D90h
		jmp	short loc_455374
; 

loc_45536B:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+C7Cj
		lea	eax, [edi+120h]
		lea	eax, [eax+edx*4]

loc_455374:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+C49j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+C63j ...
		mov	eax, [eax]
		shr	eax, cl
		test	al, 2
		jz	short loc_455387

loc_45537C:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+CC2j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+CD1j
		lea	ebx, [esi+8]
		jmp	loc_4554C5
; 

loc_455384:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+BF2j
		mov	edi, [ebp+var_60]

loc_455387:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+C9Aj
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_45539B
		lea	eax, [edi+80h]

loc_45539B:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+CB3j
		mov	eax, [eax]
		test	eax, 40000000h
		jnz	short loc_45537C
		cmp	[ebp+var_71], 2
		jnb	short loc_4553B3
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	short loc_45537C

loc_4553B3:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+BE7j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+CC8j
		mov	eax, [ebp+var_70]
		jmp	loc_455204
; 

loc_4553BB:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+339j
		mov	ebx, [ebp+var_60]
		mov	ecx, ebx
		mov	edx, [ebp+var_80]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [ebp+var_71]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		mov	ecx, esi
		call	MiFaultInPagedPool
		mov	ecx, ebx
		call	MiLockWorkingSetShared
		mov	esi, [ebp+var_8C]
		mov	ebx, [ebp+var_5C]
		mov	edx, [ebp+var_B4]
		jmp	loc_4547E0
; 

loc_4553F4:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+25Bj
		mov	edx, [esi]
		nop
		mov	edi, [esi+4]
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	short loc_455405
		nop

loc_455405:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+D22j
		mov	ebx, [ebp+var_78]
		mov	ecx, [ebx+1Ch]
		mov	eax, ecx
		and	eax, 70h
		cmp	al, 30h
		jz	short loc_45542A
		mov	eax, ecx
		and	eax, offset loc_500000
		cmp	eax, offset loc_500000
		jz	short loc_45542A
		shr	ecx, 7
		and	ecx, 1Fh
		jmp	short loc_455435
; 

loc_45542A:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+D32j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+D40j
		push	edi
		push	edx
		mov	ecx, ebx
		call	_MiGetProtectionFromPte@12 ; MiGetProtectionFromPte(x,x,x)
		mov	ecx, eax

loc_455435:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+D48j
		mov	edx, [ebp+var_DC]
		mov	[edx], ecx
		mov	edx, [ebp+var_80]
		mov	ecx, [ebp+var_60]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	eax, [ebp+var_E0]
		xor	ecx, ecx
		add	esi, 8
		mov	dword ptr [eax], 0
		mov	eax, [ebp+var_E4]
		mov	[eax], cx

loc_455462:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+D93j
		cmp	esi, 0C07FFFFFh
		ja	short loc_455475
		shl	esi, 9
		cmp	esi, 0C0000000h
		jnb	short loc_455462

loc_455475:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+D88j
		mov	eax, [ebp+var_D8]
		mov	[eax], esi
		mov	eax, 1000h
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_455495:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+B89j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+B9Cj ...
		mov	ecx, [ebp+var_B8]
		mov	[ebp+var_68], ecx
		mov	ecx, [ebp+var_BC]
		movzx	eax, cx
		mov	[ebp+var_88], eax
		mov	eax, [ebp+var_C0]
		mov	[ebp+var_64], eax
		mov	eax, [ebp+var_A0]
		mov	[ebp+var_98], eax

loc_4554C2:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+487j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+B18j
		mov	ebx, [ebp+var_5C]

loc_4554C5:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+B28j
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+B30j ...
		mov	edx, [ebp+var_80]
		test	edx, edx
		jz	loc_455597
		lea	eax, [edx+3FA00000h]
		sar	eax, 3
		lea	ecx, [eax+eax]
		mov	al, [edi+60h]
		mov	esi, ecx
		and	al, 7
		and	esi, 1Fh
		cmp	al, 2
		jb	short loc_455540
		cmp	edx, 0C0603018h
		jz	short loc_455506
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_455534
		cmp	edx, 0C0603010h
		jnz	short loc_455534

loc_455506:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+E10j
		cmp	al, 7
		jnz	short loc_45551D
		mov	esi, 0C0603018h
		mov	edi, offset unk_6D2E58
		sub	esi, edx
		sar	esi, 3
		add	esi, esi
		jmp	short loc_45555E
; 

loc_45551D:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+E28j
		cmp	al, 5
		jnz	short loc_455534
		mov	esi, 0C0603018h
		mov	edi, offset unk_6D2E54
		sub	esi, edx
		sar	esi, 3
		add	esi, esi
		jmp	short loc_45555E
; 

loc_455534:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+E1Cj
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+E24j ...
		shr	ecx, 5
		lea	edi, unk_6D2C54[ecx*4]
		jmp	short loc_45555E
; 

loc_455540:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+E08j
		shr	ecx, 5
		test	al, al
		jnz	short loc_455555
		mov	eax, [edi+0Ch]
		lea	edi, [ecx+364h]
		lea	edi, [eax+edi*4]
		jmp	short loc_45555E
; 

loc_455555:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+E65j
		lea	edi, [edi+ecx*4]
		add	edi, 120h

loc_45555E:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+E3Bj
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+E52j ...
		mov	edx, [edi]
		mov	ecx, esi
		mov	eax, 2
		shl	eax, cl
		mov	ecx, edx
		not	eax
		btr	ecx, esi
		mov	[ebp+var_C4], eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_455597

loc_455582:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+EB5j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, esi
		and	ecx, [ebp+var_C4]
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_455582

loc_455597:				; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+DEAj
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+EA0j
		mov	eax, [ebp+var_D8]
		mov	edx, [ebp+var_DC]
		mov	ecx, [ebp+var_98]
		shl	ebx, 9
		mov	[eax], ebx
		mov	eax, [ebp+var_64]
		mov	[edx], eax
		mov	eax, [ebp+var_E0]
		pop	edi
		pop	esi
		pop	ebx
		mov	[eax], ecx
		mov	eax, [ebp+var_E4]
		mov	cx, word ptr [ebp+var_88]
		mov	[eax], cx
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_68]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
_MiQueryAddressState@40	endp

; 
		align 10h

; __stdcall MiGetPageProtection(x, x, x, x, x)
_MiGetPageProtection@20:		; CODE XREF: .text:00451165p
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+32Ap ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, [ebp+10h]
		push	ebx
		mov	ebx, ecx
		mov	dword ptr [ebp-8], 0
		mov	ecx, [ebp+8]
		push	esi
		push	edi
		mov	edi, edx
		mov	dword ptr [ebp-14h], 0
		mov	dword ptr [ecx], 0
		mov	ecx, [ebp+0Ch]
		mov	esi, [edi]
		mov	dword ptr [ecx], 0
		xor	ecx, ecx
		mov	[eax], cx
		mov	[ebp-28h], ecx
		mov	[ebp-24h], ecx
		nop
		mov	ecx, [ebx+1Ch]
		mov	eax, ecx
		mov	edx, [edi+4]
		and	eax, 70h
		mov	[ebp-20h], edx
		mov	[ebp-30h], esi
		mov	[ebp-2Ch], edx
		mov	[ebp-10h], ecx
		mov	[ebp-24h], eax
		cmp	eax, 30h
		jnz	short loc_4556A4
		test	ecx, 100000h
		jz	short loc_455667
		test	ecx, 1000000h
		jnz	short loc_455667
		test	ecx, 2000000h
		jnz	short loc_4556A4

loc_455667:				; CODE XREF: .text:00455655j
					; .text:0045565Dj
		push	edx
		push	esi
		call	_MiGetValidAwePartitionId@8 ; MiGetValidAwePartitionId(x,x)
		mov	ecx, [ebp+10h]
		push	edx
		push	esi
		mov	[ecx], ax
		mov	ecx, ebx
		call	_MiGetValidAweProtection@12 ; MiGetValidAweProtection(x,x,x)

loc_45567D:				; CODE XREF: .text:0045578Fj
		mov	edx, eax

loc_45567F:				; CODE XREF: .text:004557AAj
		mov	ecx, [ebx+1Ch]
		and	ecx, 1100000h
		cmp	ecx, 1100000h
		jnz	short loc_455699
		mov	eax, [ebp+0Ch]
		mov	dword ptr [eax], 0

loc_455699:				; CODE XREF: .text:0045568Ej
		mov	eax, edx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4556A4:				; CODE XREF: .text:0045564Dj
					; .text:00455665j
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_455897
		nop
		mov	eax, edx
		mov	ecx, esi
		shrd	ecx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	ecx, 1FFFFFFh
		mov	[ebp+8], ecx
		lea	edx, ds:0[ecx*8]
		sub	edx, ecx
		lea	ecx, [eax+edx*4]
		mov	eax, [ebx+1Ch]
		mov	[ebp-1Ch], eax
		and	eax, 70h
		mov	[ebp-14h], ecx
		cmp	eax, 10h
		jnz	short loc_45570C
		mov	ecx, [ebp+8]
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jz	short loc_4556FA
		mov	ecx, [ebp+10h]
		xor	eax, eax
		mov	[ecx], ax

loc_4556FA:				; CODE XREF: .text:004556F0j
		mov	eax, [ebp-1Ch]
		shr	eax, 7
		and	eax, 1Fh
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_45570C:				; CODE XREF: .text:004556E4j
		cmp	eax, 40h
		jnz	short loc_455773
		mov	ecx, edi
		call	_MiRotatedToFrameBuffer@4 ; MiRotatedToFrameBuffer(x)
		test	eax, eax
		jz	short loc_455770
		and	esi, 800h
		mov	eax, 4
		or	esi, 0
		jnz	short loc_455731
		mov	eax, 1

loc_455731:				; CODE XREF: .text:0045572Aj
		mov	edx, [ebx+1Ch]
		mov	ecx, edx
		and	ecx, 0C00h
		cmp	ecx, 0C00h
		jnz	short loc_455758
		test	edx, 380h
		jz	short loc_455758
		or	eax, 18h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_455758:				; CODE XREF: .text:00455742j
					; .text:0045574Aj
		cmp	ecx, 400h
		jnz	loc_455AFA
		or	eax, 8
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_455770:				; CODE XREF: .text:0045571Aj
		mov	ecx, [ebp-14h]

loc_455773:				; CODE XREF: .text:0045570Fj
		mov	eax, [ebp+10h]
		xor	edx, edx
		test	dword ptr [ecx+18h], 800000h
		mov	[eax], dx
		jz	short loc_455794
		push	dword ptr [ebp-20h]
		mov	ecx, ebx
		push	esi
		call	_MiGetProtectionFromPte@12 ; MiGetProtectionFromPte(x,x,x)
		jmp	loc_45567D
; 

loc_455794:				; CODE XREF: .text:00455782j
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_4557AF
		mov	edx, [ecx+8]
		mov	eax, [ecx+0Ch]
		shrd	edx, eax, 5
		and	edx, 1Fh
		jmp	loc_45567F
; 

loc_4557AF:				; CODE XREF: .text:0045579Bj
		mov	eax, large fs:124h
		shl	edi, 9
		mov	edx, edi
		shr	edx, 0Ch
		mov	esi, [eax+80h]
		movzx	eax, byte ptr [esi+2A0h]
		add	esi, 240h
		and	eax, 7
		add	edx, dword_6D2E68[eax*4]
		mov	bl, [edx]
		mov	al, bl
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_455B03
		nop
		movzx	esi, bl
		shr	esi, 4
		and	esi, 7
		jz	short loc_455834
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		mov	ebx, [edi-40000000h]
		mov	edx, ebx
		mov	eax, [edi-3FFFFFFCh]
		and	edx, 10h
		mov	[ebp-34h], eax
		mov	eax, edx
		or	eax, 0
		jnz	short loc_455824
		and	ebx, 8
		or	ebx, eax
		jz	short loc_455824
		or	esi, 18h
		jmp	short loc_45582C
; 

loc_455824:				; CODE XREF: .text:00455816j
					; .text:0045581Dj
		or	edx, 0
		jz	short loc_45582C
		or	esi, 8

loc_45582C:				; CODE XREF: .text:00455822j
					; .text:00455827j
		test	esi, esi
		jnz	loc_455AF8

loc_455834:				; CODE XREF: .text:004557F2j
		mov	esi, [ecx+8]
		nop
		mov	eax, [ecx+0Ch]
		shrd	esi, eax, 5
		and	esi, 1Fh
		test	dword ptr [ecx+18h], 800000h
		jnz	short loc_455854
		mov	eax, [ecx+4]
		test	eax, eax
		js	short loc_455854
		jnz	short loc_455885

loc_455854:				; CODE XREF: .text:00455849j
					; .text:00455850j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	dword ptr [eax+148h], 0
		jz	loc_455AF8
		mov	edx, [ecx+4]
		mov	ecx, eax
		or	edx, 80000000h
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		test	eax, eax
		jz	loc_455AF8

loc_455885:				; CODE XREF: .text:00455852j
		mov	esi, ds:_MmMakeProtectNotWriteCopy[esi*4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_455897:				; CODE XREF: .text:004556ACj
		mov	eax, esi
		and	eax, 400h
		or	eax, 0
		jz	loc_455AD6
		mov	ecx, dword_6D0704
		mov	eax, edx
		mov	[ebp-4], eax
		mov	eax, dword_6D0700
		mov	[ebp-1Ch], eax
		or	eax, ecx
		mov	[ebp-0Ch], ecx
		mov	ecx, [ebp-10h]
		mov	[ebp+0Ch], edx
		jz	short loc_4558EC
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	loc_4559FB
		mov	eax, [ebp-1Ch]
		mov	ecx, [ebp-0Ch]
		not	eax
		not	ecx
		and	eax, esi
		and	ecx, edx
		mov	[ebp-38h], eax
		mov	[ebp-4], ecx
		mov	ecx, [ebp-10h]

loc_4558EC:				; CODE XREF: .text:004558C5j
		mov	eax, [ebp-4]

loc_4558EF:				; CODE XREF: .text:00455A00j
		cmp	eax, 0FFFFFFFFh
		jnz	loc_455A1A
		shrd	esi, edx, 5
		and	esi, 1Fh
		test	ecx, 100000h
		jnz	loc_455AF8
		mov	ecx, [ebp+10h]
		mov	ax, word ptr _MiSystemPartition
		shr	edi, 3
		and	edi, 0FFFFFh
		mov	[ecx], ax
		mov	edx, edi
		lea	eax, [ebp-14h]
		mov	ecx, ebx
		push	eax
		push	4
		call	MiGetProtoPteAddress
		mov	ecx, eax
		mov	[ebp+10h], ecx
		test	ecx, ecx
		jz	loc_4559EE
		mov	eax, [ebx+44h]
		test	eax, eax
		jns	short loc_455960
		mov	ecx, [eax]
		sub	edi, [ebx+0Ch]
		add	ecx, 0FFFFFFFFh
		mov	eax, [eax+4]
		adc	eax, 0FFFFFFFFh
		shrd	ecx, eax, 0Ch
		cmp	edi, ecx
		ja	loc_4559EE
		mov	ecx, [ebp+10h]

loc_455960:				; CODE XREF: .text:00455941j
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		cmp	dword ptr [eax+20h], 0
		jnz	loc_455AF8
		test	dword ptr [eax+1Ch], 2000h
		jnz	loc_455AF8
		push	0
		lea	eax, [ebp-8]
		push	eax
		call	MiTryLockProtoPoolPageAtDpc
		test	eax, eax
		mov	eax, [ebp+10h]
		js	short loc_455A05
		mov	ebx, [eax]
		nop
		mov	ecx, [ebp-8]
		mov	eax, [eax+4]
		mov	[ebp+10h], eax
		mov	dword ptr [ebp+8], 0
		lea	edi, [ecx+10h]
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_4559C8
		jmp	short loc_4559B0
; 
		align 10h

loc_4559B0:				; CODE XREF: .text:004559ABj
					; .text:004559BCj ...
		lea	ecx, [ebp+8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_4559B0
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4559B0
		mov	ecx, [ebp-8]

loc_4559C8:				; CODE XREF: .text:004559A9j
		mov	al, [ecx+16h]
		and	al, 0DFh
		mov	[ecx+16h], al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, 2
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	ebx, [ebp+10h]
		jnz	loc_455AF8

loc_4559EE:				; CODE XREF: .text:00455936j
					; .text:00455957j
		xor	esi, esi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4559FB:				; CODE XREF: .text:004558CFj
		mov	[ebp-38h], esi
		mov	eax, edx
		jmp	loc_4558EF
; 

loc_455A05:				; CODE XREF: .text:0045598Cj
		mov	ecx, [ebp+8]
		mov	esi, 100h
		mov	[ecx], eax
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_455A1A:				; CODE XREF: .text:004558F2j
		mov	ecx, [ebp-1Ch]
		mov	eax, ecx
		or	eax, [ebp-0Ch]
		mov	[ebp-18h], esi
		jz	short loc_455A4A
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_455A44
		mov	eax, [ebp-0Ch]
		not	ecx
		not	eax
		and	ecx, esi
		and	eax, edx
		mov	[ebp-18h], ecx
		mov	[ebp+0Ch], eax
		jmp	short loc_455A4A
; 

loc_455A44:				; CODE XREF: .text:00455A2Fj
		mov	[ebp-18h], esi
		mov	[ebp+0Ch], edx

loc_455A4A:				; CODE XREF: .text:00455A25j
					; .text:00455A42j
		push	dword ptr [ebp-20h]
		push	esi
		call	_MI_PROTO_FORMAT_COMBINED@8 ; MI_PROTO_FORMAT_COMBINED(x,x)
		mov	edx, [ebp+0Ch]
		test	al, al
		jz	short loc_455A61
		mov	eax, dword_6D5C60
		jmp	short loc_455A85
; 

loc_455A61:				; CODE XREF: .text:00455A58j
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		cmp	dword ptr [ecx+148h], 0
		jz	short loc_455AA5
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		test	eax, eax
		jz	short loc_455AA5
		mov	eax, [eax+1Ch]
		mov	eax, [eax+0Ch]

loc_455A85:				; CODE XREF: .text:00455A5Fj
		mov	ecx, [ebp+10h]
		mov	ax, [eax]
		mov	[ecx], ax
		mov	ecx, edx
		call	_MiCaptureProtectionFromLockedProto@4 ;	MiCaptureProtectionFromLockedProto(x)
		mov	eax, ds:_MmMakeProtectNotWriteCopy[eax*4]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_455AA5:				; CODE XREF: .text:00455A74j
					; .text:00455A7Dj
		cmp	dword ptr [ebp-24h], 20h
		jnz	short loc_455B12
		mov	eax, [ebp-10h]
		and	eax, 0F80h
		cmp	eax, 380h
		jnz	short loc_455B12
		mov	ecx, [ebp+10h]
		mov	ax, word ptr _MiSystemPartition
		mov	[ecx], ax
		mov	ecx, ebx
		call	MiGetImageProtoProtection
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_455AD6:				; CODE XREF: .text:004558A1j
		mov	eax, [ebp+10h]
		xor	edi, edi
		shrd	esi, edx, 5
		and	ecx, 1100000h
		and	esi, 1Fh
		mov	[eax], di
		cmp	ecx, 1100000h
		jnz	short loc_455AF8
		mov	eax, [ebp+0Ch]
		mov	[eax], edi

loc_455AF8:				; CODE XREF: .text:0045582Ej
					; .text:00455867j ...
		mov	eax, esi

loc_455AFA:				; CODE XREF: .text:0045575Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_455B03:				; CODE XREF: .text:004557E2j
		push	edx
		push	esi
		push	edi
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_455B12:				; CODE XREF: .text:00455AA9j
					; .text:00455AB8j
		push	ebx
		push	esi
		push	edi
		push	41202h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 3 dup(0CCh)
		align 10h

; __stdcall MiRevokeExecutePte(x, x, x)
_MiRevokeExecutePte@12:			; DATA XREF: MmRemoveExecuteGrants()+63o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+0Ch]
		mov	esi, edi
		shl	esi, 9
		cmp	esi, ds:_MmHighestUserAddress
		ja	loc_455C9A
		mov	ebx, [ebp+8]
		mov	ecx, [edi]
		mov	dword ptr [esp+20h], 0
		mov	dword ptr [esp+24h], 0
		mov	ebx, [ebx+10h]
		mov	[esp+20h], ecx
		nop
		mov	eax, [edi+4]
		mov	[esp+1Ch], eax
		test	eax, eax
		jl	loc_455C9A
		jg	short loc_455B88
		test	ecx, ecx
		jb	loc_455C9A

loc_455B88:				; CODE XREF: .text:00455B7Ej
		nop
		mov	edx, ecx
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	edx, esi
		shr	edx, 0Ch
		lea	ecx, [eax+ecx*4]
		movzx	eax, byte ptr [ebx+60h]
		and	eax, 7
		mov	[esp+10h], ecx
		add	edx, dword_6D2E68[eax*4]
		mov	ah, [edx]
		mov	al, ah
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_455CA5
		nop
		movzx	ebx, ah
		shr	ebx, 4
		and	ebx, 7
		jz	short loc_455C19
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	edx, [eax-40000000h]
		mov	ecx, edx
		mov	eax, [eax-3FFFFFFCh]
		and	ecx, 10h
		mov	[esp+2Ch], eax
		mov	eax, ecx
		or	eax, 0
		jnz	short loc_455C09
		and	edx, 8
		or	edx, eax
		jz	short loc_455C09
		or	ebx, 18h
		jmp	short loc_455C11
; 

loc_455C09:				; CODE XREF: .text:00455BFBj
					; .text:00455C02j
		or	ecx, 0
		jz	short loc_455C11
		or	ebx, 8

loc_455C11:				; CODE XREF: .text:00455C07j
					; .text:00455C0Cj
		test	ebx, ebx
		jnz	short loc_455C69
		mov	ecx, [esp+10h]

loc_455C19:				; CODE XREF: .text:00455BD5j
		mov	ebx, [ecx+8]
		nop
		mov	eax, [ecx+0Ch]
		shrd	ebx, eax, 5
		and	ebx, 1Fh
		test	dword ptr [ecx+18h], 800000h
		jnz	short loc_455C39
		mov	eax, [ecx+4]
		test	eax, eax
		js	short loc_455C39
		jnz	short loc_455C62

loc_455C39:				; CODE XREF: .text:00455C2Ej
					; .text:00455C35j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	dword ptr [eax+148h], 0
		jz	short loc_455C69
		mov	edx, [ecx+4]
		mov	ecx, eax
		or	edx, 80000000h
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		test	eax, eax
		jz	short loc_455C69

loc_455C62:				; CODE XREF: .text:00455C37j
		mov	ebx, ds:_MmMakeProtectNotWriteCopy[ebx*4]

loc_455C69:				; CODE XREF: .text:00455C13j
					; .text:00455C4Cj ...
		test	bl, 2
		jnz	short loc_455C9A
		mov	eax, [esp+1Ch]
		mov	edx, [esp+20h]
		or	eax, 80000000h
		mov	[esp+10h], edx
		mov	[esp+14h], eax
		nop
		mov	[edi], edx
		mov	edx, esi
		mov	[edi+4], eax
		mov	eax, [ebp+8]
		push	0
		push	1
		mov	ecx, [eax+48h]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_455C9A:				; CODE XREF: .text:00455B4Cj
					; .text:00455B78j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_455CA5:				; CODE XREF: .text:00455BC5j
		push	edx
		push	ebx
		push	esi
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 3 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeleteVaTail	proc near		; DATA XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+1F2o

var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B0312 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	esi, [ebx+48h]
		lea	ecx, [esi+60h]
		call	MiTerminateWsleCluster
		mov	edi, [ebx+0Ch]
		mov	ecx, [edi+0Ch]
		test	ecx, ecx
		jnz	short loc_455D2C

loc_455CE6:				; CODE XREF: MiDeleteVaTail+C3j
		mov	edi, [esi]
		test	edi, edi
		jnz	short loc_455D02

loc_455CEC:				; CODE XREF: MiDeleteVaTail+6Aj
		mov	ecx, [esi+4Ch]
		test	ecx, ecx
		jnz	loc_455DA6

loc_455CF7:				; CODE XREF: MiDeleteVaTail+F2j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_455D02:				; CODE XREF: MiDeleteVaTail+2Aj
		mov	ecx, [ebx+10h]
		test	byte ptr [ecx+60h], 7
		jnz	loc_455DCA

loc_455D0F:				; CODE XREF: MiDeleteVaTail+115j
		xor	edi, edi
		mov	[esp+18h+var_8], edi

loc_455D15:				; CODE XREF: MiDeleteVaTail+134j
		mov	edx, esi
		call	_MiDeletePteRun@8 ; MiDeletePteRun(x,x)
		test	edi, edi
		jnz	loc_455DF9

loc_455D24:				; CODE XREF: MiDeleteVaTail+144j
		mov	dword ptr [esi], 0
		jmp	short loc_455CEC
; 

loc_455D2C:				; CODE XREF: MiDeleteVaTail+24j
		mov	edx, [edi]
		mov	bl, [edi+4]
		mov	eax, dword_6D0748
		mov	[esp+18h+var_4], edx
		mov	[esp+18h+var_9], bl
		cmp	edx, 1
		jnz	short loc_455DB7
		mov	[esp+18h+var_8], 0

loc_455D4B:				; CODE XREF: MiDeleteVaTail+108j
					; MiDeleteVaTail+151j
		cmp	byte ptr [edi+5], 0
		mov	ebx, [ebp+arg_0]
		jnz	short loc_455D88
		cmp	[edi+10h], eax
		ja	short loc_455D88
		test	[esp+18h+var_9], 1
		jnz	loc_5B0312
		push	[esp+18h+var_8]
		push	edx
		lea	edx, [edi+14h]
		call	KeFlushMultipleRangeTb

loc_455D71:				; CODE XREF: MiDeleteVaTail+E4j
					; MiDeleteVaTail+15A65Bj
		and	byte ptr [edi+4], 0F7h
		mov	dword ptr [edi+0Ch], 0
		mov	dword ptr [edi+10h], 0
		jmp	loc_455CE6
; 

loc_455D88:				; CODE XREF: MiDeleteVaTail+92j
					; MiDeleteVaTail+97j
		test	[esp+18h+var_9], 1
		jnz	loc_5B0320
		mov	edx, [esp+18h+var_8]
		mov	ecx, [esp+18h+var_4]
		call	KeFlushTb

loc_455DA0:				; CODE XREF: MiDeleteVaTail+15A667j
		mov	byte ptr [edi+5], 0
		jmp	short loc_455D71
; 

loc_455DA6:				; CODE XREF: MiDeleteVaTail+31j
		call	MiDecayPfnFullyInitialized
		mov	dword ptr [esi+4Ch], 0
		jmp	loc_455CF7
; 

loc_455DB7:				; CODE XREF: MiDeleteVaTail+81j
		mov	[esp+18h+var_9], bl
		test	bl, 8
		jz	short loc_455E09
		mov	[esp+18h+var_8], 2
		jmp	short loc_455D4B
; 

loc_455DCA:				; CODE XREF: MiDeleteVaTail+49j
		lea	eax, [edi+3FA00000h]
		cmp	eax, 3FFFh
		ja	loc_455D0F
		mov	eax, [esi+4]
		shl	eax, 9
		shl	edi, 9
		mov	edx, eax
		mov	ecx, edi
		mov	[esp+18h+var_8], eax
		call	MiReplicatePteChange
		mov	ecx, [ebx+10h]
		jmp	loc_455D15
; 

loc_455DF9:				; CODE XREF: MiDeleteVaTail+5Ej
		mov	edx, [esp+18h+var_8]
		mov	ecx, edi
		call	MiReplicatePteChange
		jmp	loc_455D24
; 

loc_455E09:				; CODE XREF: MiDeleteVaTail+FEj
		mov	[esp+18h+var_8], 1
		jmp	loc_455D4B
MiDeleteVaTail	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiTerminateWsleCluster proc near	; CODE XREF: MiDeleteVaTail+17p
					; .text:00458A92p ...

var_138		= dword	ptr -138h
var_128		= dword	ptr -128h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E4		= dword	ptr -0E4h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_A9		= byte ptr -0A9h
var_A8		= dword	ptr -0A8h
var_A4		= word ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B032C SIZE 00000290 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 11Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_A8]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_C8], esi
		call	_memset
		mov	ebx, [esi+4]
		xor	eax, eax
		add	esp, 0Ch
		mov	[ebp+var_11C], eax
		mov	[ebp+var_118], eax
		mov	[ebp+var_114], eax
		mov	[ebp+var_110], eax
		mov	[ebp+var_10C], eax
		mov	[ebp+var_108], eax
		mov	[ebp+var_B0], ebx
		test	ebx, ebx
		jnz	short loc_455E9A

loc_455E89:				; CODE XREF: MiTerminateWsleCluster+484j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_455E9A:				; CODE XREF: MiTerminateWsleCluster+67j
		mov	edx, [esi]
		mov	edi, ebx
		shl	edi, 9
		mov	[ebp+var_B4], edi
		mov	[ebp+var_BC], edx
		mov	al, [edx+60h]
		and	al, 7
		jnz	loc_456555
		mov	eax, 1

loc_455EBD:				; CODE XREF: MiTerminateWsleCluster+73Cj
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A4], 0
		mov	[ebp+var_98], 0
		mov	[ebp+var_A0], 21h
		mov	[ebp+var_94], 0
		test	byte ptr [edx+60h], 7
		jnz	loc_456561
		cmp	dword ptr [esi+8], 0
		mov	[ebp+var_C0], 0
		jbe	loc_456077
		mov	esi, ebx
		lea	ebx, [ebx+0]

loc_455F10:				; CODE XREF: MiTerminateWsleCluster+243j
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		and	ecx, 0FFFFFFFEh
		or	ecx, 400h
		mov	[ebp+var_CC], eax
		mov	[ebp+var_D0], ecx
		mov	ecx, [esi]
		mov	edx, [esi+4]
		cmp	dword_6D07D0, 0C0000000h
		jnb	loc_4565BF
		mov	eax, 0C0603010h

loc_455F45:				; CODE XREF: MiTerminateWsleCluster+7A4j
		cmp	esi, 0C0603000h
		jnb	loc_4565B2

loc_455F51:				; CODE XREF: MiTerminateWsleCluster+794j
					; MiTerminateWsleCluster+15A513j ...
		mov	eax, ds:_MiFlags
		test	eax, 800h
		jnz	loc_5B0341
		test	eax, 4000000h
		jnz	loc_456644

loc_455F6C:				; CODE XREF: MiTerminateWsleCluster+827j
					; MiTerminateWsleCluster+15A52Aj
		and	ecx, 20h
		or	ecx, 0
		jz	loc_456374
		mov	eax, [ebp+var_D0]
		mov	[esi], eax
		nop
		mov	eax, [ebp+var_CC]
		mov	[esi+4], eax

loc_455F8A:				; CODE XREF: MiTerminateWsleCluster+5B7j
		cmp	[ebp+var_A8], 1
		mov	cl, byte ptr [ebp+var_A4]
		mov	[ebp+var_D8], 1
		mov	[ebp+var_C4], edi
		jnz	loc_5B036C

loc_455FAD:				; CODE XREF: MiTerminateWsleCluster+15A54Fj
					; MiTerminateWsleCluster+15A560j ...
		mov	ebx, [ebp+var_9C]
		test	ebx, ebx
		jz	loc_4562D7
		and	cl, 4
		mov	[ebp+var_A9], cl
		jnz	loc_4562AF
		lea	eax, [ebp+var_98]
		lea	eax, [eax+ebx*4]
		mov	[ebp+var_DC], eax
		mov	eax, [eax]
		test	eax, 0C00h
		jnz	loc_4562AF
		mov	ecx, eax
		and	ecx, 3FFh
		mov	[ebp+var_B8], ecx
		lea	edx, [ecx+1]
		mov	ecx, eax
		shl	edx, 0Ch
		and	ecx, 0FFFFF000h
		add	edx, ecx
		cmp	edx, edi
		jnz	loc_4562A9
		mov	ecx, [ebp+var_B8]
		lea	edx, [ecx+1]
		cmp	edx, ecx
		jbe	loc_4562A9
		cmp	edx, 3FFh
		ja	loc_4562A9
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 3FFh
		xor	eax, ecx
		mov	ecx, [ebp+var_DC]
		inc	[ebp+var_98]
		mov	[ecx], eax

loc_456044:				; CODE XREF: MiTerminateWsleCluster+549j
					; MiTerminateWsleCluster+5B1j ...
		mov	edx, [ebp+var_C0]
		add	esi, 8
		mov	eax, [ebp+var_C8]
		inc	edx
		add	edi, 1000h
		mov	[ebp+var_C0], edx
		cmp	edx, [eax+8]
		jb	loc_455F10
		mov	ebx, [ebp+var_B0]
		mov	esi, eax
		mov	edi, [ebp+var_B4]

loc_456077:				; CODE XREF: MiTerminateWsleCluster+E2j
					; MiTerminateWsleCluster+752j ...
		mov	eax, [esi+0Ch]
		mov	edx, edi
		mov	edi, [ebp+var_BC]
		and	eax, 1
		push	eax
		movzx	eax, byte ptr [esi+10h]
		mov	ecx, edi
		push	0Ah
		push	eax
		mov	eax, [esi+8]
		push	eax
		call	MiRemoveWsle
		test	byte ptr [edi+60h], 7
		jnz	loc_456444

loc_4560A2:				; CODE XREF: MiTerminateWsleCluster+641j
					; MiTerminateWsleCluster+730j
		test	byte ptr [esi+0Ch], 1
		mov	[ebp+var_BC], 0
		jz	short loc_4560BE
		mov	edx, [ebp+var_118]
		mov	[ebp+var_BC], edx

loc_4560BE:				; CODE XREF: MiTerminateWsleCluster+290j
		mov	edx, [ebp+var_9C]
		mov	[ebp+var_B4], edx
		test	edx, edx
		jz	loc_456290
		mov	edi, [ebp+var_A8]
		mov	ecx, dword_6D0748
		mov	al, byte ptr [ebp+var_A4]
		mov	[ebp+var_B0], edi
		cmp	edi, 1
		jnz	loc_456590
		xor	ebx, ebx

loc_4560F5:				; CODE XREF: MiTerminateWsleCluster+77Dj
					; MiTerminateWsleCluster+15A634j
		mov	[ebp+var_B8], ebx
		cmp	[ebp+var_98], ecx
		ja	loc_45642E
		cmp	byte ptr [ebp+var_A4+1], 0
		jnz	loc_45642E
		test	al, 1
		jnz	loc_5B0459
		mov	eax, ds:_HvlEnlightenments
		mov	edi, ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	[ebp+var_D4], 0
		mov	byte ptr [ebp+var_EC], 0
		test	al, 4
		jnz	loc_5B0470

loc_456140:				; CODE XREF: MiTerminateWsleCluster+15A65Bj
					; MiTerminateWsleCluster+15A750j
		xor	eax, eax
		mov	[ebp+var_100], edx
		mov	[ebp+var_10], eax
		lea	ebx, [ebp+var_94]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	eax, ebx
		mov	[ebp+var_104], eax
		mov	eax, [ebp+var_B0]
		mov	[ebp+var_FC], eax
		mov	eax, ebx
		lea	eax, [eax+edx*4]
		mov	[ebp+var_DC], eax
		call	edi
		cmp	[ebp+var_B8], 0
		mov	[ebp+var_A9], al
		jnz	loc_4565A2
		mov	edx, large fs:20h
		lea	eax, [ebp+var_F8]
		mov	[ebp+var_F8], 0
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, [edx+4]
		mov	ecx, [eax+80h]
		mov	eax, [ecx+58h]
		mov	ebx, [ecx+60h]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+5Ch]
		mov	[ebp+var_C], eax
		mov	eax, [edx+3CCh]
		btr	ebx, eax
		mov	[ebp+var_8], ebx
		lea	edx, [ebp+var_10]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[ebx]
		lea	ebx, [ebp+var_94]
		movzx	eax, cl
		xor	ecx, ecx

loc_456205:				; CODE XREF: MiTerminateWsleCluster+78Dj
		mov	[ebp+var_D4], eax
		test	eax, eax
		jnz	loc_456416

loc_456213:				; CODE XREF: MiTerminateWsleCluster+609j
		mov	esi, [ebp+var_DC]
		lea	esp, [esp+0]

loc_456220:				; CODE XREF: MiTerminateWsleCluster+429j
		mov	edx, [ebx]
		mov	edi, 1000h
		mov	eax, edx
		shr	eax, 0Ah
		and	eax, 3
		invlpg	byte ptr [edx]
		lea	ecx, [eax+eax*8]
		mov	eax, edx
		shl	edi, cl
		and	eax, 3FFh
		jnz	loc_4563E0

loc_456244:				; CODE XREF: MiTerminateWsleCluster+5CBj
		add	ebx, 4
		cmp	ebx, esi
		jb	short loc_456220
		cmp	[ebp+var_D4], 0
		jnz	loc_4563F0

loc_456258:				; CODE XREF: MiTerminateWsleCluster+5DFj
					; MiTerminateWsleCluster+5F1j
		mov	cl, [ebp+var_A9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_C8]
		mov	edi, [ebp+var_B4]

loc_456270:				; CODE XREF: MiTerminateWsleCluster+15A70Dj
		mov	eax, [ebp+var_B0]

loc_456276:				; CODE XREF: MiTerminateWsleCluster+15A700j
		cmp	ds:_VmTbFlushEnabled, 0
		jnz	loc_5B0575

loc_456283:				; CODE XREF: MiTerminateWsleCluster+15A763j
		cmp	_ExTbFlushActive, 0
		jnz	loc_5B0588

loc_456290:				; CODE XREF: MiTerminateWsleCluster+2ACj
					; MiTerminateWsleCluster+61Fj ...
		mov	eax, [ebp+var_BC]
		mov	dword ptr [esi+4], 0
		mov	dword ptr [esi+8], 0
		jmp	loc_455E89
; 

loc_4562A9:				; CODE XREF: MiTerminateWsleCluster+1E6j
					; MiTerminateWsleCluster+1F7j ...
		mov	cl, [ebp+var_A9]

loc_4562AF:				; CODE XREF: MiTerminateWsleCluster+1A4j
					; MiTerminateWsleCluster+1C0j
		test	cl, cl
		jnz	short loc_4562D7
		mov	eax, [ebp+ebx*4+var_98]
		test	eax, 0C00h
		jnz	short loc_4562D7
		mov	ecx, eax
		lea	edx, [edi+1000h]
		and	ecx, 0FFFFF000h
		cmp	ecx, edx
		jz	loc_5B0394

loc_4562D7:				; CODE XREF: MiTerminateWsleCluster+195j
					; MiTerminateWsleCluster+491j ...
		cmp	ebx, [ebp+var_A0]
		jnb	loc_45662A
		mov	ecx, [ebp+var_D8]
		lea	esp, [esp+0]

loc_4562F0:				; CODE XREF: MiTerminateWsleCluster+54Fj
		lea	eax, [ecx-1]
		cmp	eax, 3FFh
		ja	loc_5B03C4
		mov	eax, ecx
		mov	[ebp+var_B8], ecx

loc_456306:				; CODE XREF: MiTerminateWsleCluster+15A5AFj
		mov	edx, [ebp+var_C4]
		sub	ecx, eax
		mov	[ebp+var_D8], ecx
		dec	eax
		mov	ecx, edx
		and	eax, 3FFh
		and	ecx, 0FFFFF000h
		or	eax, ecx
		mov	ecx, [ebp+var_B8]
		mov	[ebp+ebx*4+var_94], eax
		mov	ebx, [ebp+var_9C]
		mov	eax, [ebp+var_B8]
		inc	ebx
		add	[ebp+var_98], eax
		shl	ecx, 0Ch
		add	edx, ecx
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_C4], edx
		cmp	ebx, [ebp+var_A0]
		jz	loc_4565D6

loc_456361:				; CODE XREF: MiTerminateWsleCluster+7BDj
					; MiTerminateWsleCluster+7F1j
		mov	ecx, [ebp+var_D8]
		test	ecx, ecx
		jz	loc_456044
		jmp	loc_4562F0
; 

loc_456374:				; CODE XREF: MiTerminateWsleCluster+152j
					; MiTerminateWsleCluster+580j ...
		mov	eax, [esi]
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_C4], eax
		mov	[ebp+var_E4], ecx
		nop
		mov	ebx, [ebp+var_D0]
		mov	ecx, [ebp+var_CC]
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [ebp+var_C4]
		cmp	eax, ebx
		jnz	short loc_456374
		cmp	edx, [ebp+var_E4]
		jnz	short loc_456374
		cmp	dword_6D07D0, 0C0000000h
		jnb	loc_5B034F
		mov	eax, 0C0603010h

loc_4563BF:				; CODE XREF: MiTerminateWsleCluster+15A534j
		cmp	esi, 0C0603000h
		jnb	loc_4565C9

loc_4563CB:				; CODE XREF: MiTerminateWsleCluster+7ABj
					; MiTerminateWsleCluster+15A547j
		and	ebx, 20h
		or	ebx, 0
		jz	loc_456044
		jmp	loc_455F8A
; 
		align 10h

loc_4563E0:				; CODE XREF: MiTerminateWsleCluster+41Ej
					; MiTerminateWsleCluster+5C9j
		invlpg	byte ptr [edx+edi]
		add	edx, edi
		sub	eax, 1
		jnz	short loc_4563E0
		jmp	loc_456244
; 

loc_4563F0:				; CODE XREF: MiTerminateWsleCluster+432j
		mov	ecx, large fs:20h
		mov	eax, [ecx+2120h]
		test	eax, eax
		jz	loc_456258

loc_456405:				; CODE XREF: MiTerminateWsleCluster+5EFj
		pause
		mov	eax, [ecx+2120h]
		test	eax, eax
		jnz	short loc_456405
		jmp	loc_456258
; 

loc_456416:				; CODE XREF: MiTerminateWsleCluster+3EDj
		push	ecx
		lea	eax, [ebp+var_104]
		push	eax
		push	ecx
		push	offset _KiFlushTargetMultipleRangeTb@16	; KiFlushTargetMultipleRangeTb(x,x,x,x)
		call	_KiIpiSendFlushAwakePacket@24 ;	KiIpiSendFlushAwakePacket(x,x,x,x,x,x)
		jmp	loc_456213
; 

loc_45642E:				; CODE XREF: MiTerminateWsleCluster+2E1j
					; MiTerminateWsleCluster+2EEj
		mov	ecx, edi
		test	al, 1
		jnz	loc_5B05B2
		mov	edx, ebx
		call	KeFlushTb
		jmp	loc_456290
; 

loc_456444:				; CODE XREF: MiTerminateWsleCluster+27Cj
		mov	eax, [esi+0Ch]
		mov	ecx, eax
		and	ecx, 8
		add	ecx, ecx
		mov	[ebp+var_C4], ecx
		test	al, 10h
		jnz	loc_456636

loc_45645C:				; CODE XREF: MiTerminateWsleCluster+81Fj
		xor	edi, edi
		cmp	[esi+8], edi
		jbe	loc_4560A2

loc_456467:				; CODE XREF: MiTerminateWsleCluster+72Aj
		lea	eax, [ebp+var_11C]
		mov	edx, ebx
		push	eax
		push	ecx
		call	_MiDeleteValidSystemPage@16 ; MiDeleteValidSystemPage(x,x,x,x)
		test	byte ptr [esi+0Ch], 4
		jz	loc_45652D
		mov	[ebp+var_D0], 0
		xor	ecx, ecx
		mov	[ebp+var_CC], 0
		nop
		xor	edx, edx
		mov	[ebp+var_F0], ecx
		xor	ebx, ebx
		lea	eax, [ebp+var_F0]
		lock or	[eax], ebx
		mov	ebx, ds:_KiTbFlushTimeStamp
		mov	eax, ecx
		or	eax, edx
		xor	eax, eax
		or	eax, ebx
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebp+var_D0], eax
		nop
		mov	eax, [ebp+var_B0]
		mov	[ebp+var_CC], edx
		mov	edx, [ebp+var_D0]
		mov	[eax], edx
		nop
		mov	ecx, [ebp+var_CC]
		mov	[eax+4], ecx
		mov	eax, dword_6D0704
		mov	ebx, dword_6D0700
		mov	[ebp+var_BC], eax
		mov	eax, ebx
		or	eax, [ebp+var_BC]
		mov	[ebp+var_C0], ecx
		jz	short loc_45651D
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45651D
		mov	ecx, [ebp+var_BC]
		not	ecx
		and	ecx, [ebp+var_C0]

loc_45651D:				; CODE XREF: MiTerminateWsleCluster+6E3j
					; MiTerminateWsleCluster+6EDj
		xor	eax, eax
		or	eax, ecx
		jz	loc_5B0435

loc_456527:				; CODE XREF: MiTerminateWsleCluster+15A62Aj
		mov	ebx, [ebp+var_B0]

loc_45652D:				; CODE XREF: MiTerminateWsleCluster+65Aj
		add	[ebp+var_B4], 1000h
		inc	edi
		mov	ecx, [ebp+var_C4]
		add	ebx, 8
		mov	[ebp+var_B0], ebx
		cmp	edi, [esi+8]
		jb	loc_456467
		jmp	loc_4560A2
; 

loc_456555:				; CODE XREF: MiTerminateWsleCluster+92j
		cmp	al, 2
		sbb	eax, eax
		and	eax, 2
		jmp	loc_455EBD
; 

loc_456561:				; CODE XREF: MiTerminateWsleCluster+CEj
		mov	al, [esi+10h]
		and	al, 0Fh
		cmp	al, 8
		jz	loc_5B03D4

loc_45656E:				; CODE XREF: MiTerminateWsleCluster+15A610j
		test	byte ptr [esi+0Ch], 4
		jnz	loc_456077
		mov	eax, [esi+8]
		lea	ecx, [ebp+var_A8]
		push	0
		push	eax
		mov	edx, edi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	loc_456077
; 

loc_456590:				; CODE XREF: MiTerminateWsleCluster+2CDj
		test	al, 8
		jnz	loc_5B044F
		mov	ebx, 1
		jmp	loc_4560F5
; 

loc_4565A2:				; CODE XREF: MiTerminateWsleCluster+365j
		mov	eax, ds:_KeNumberProcessors
		xor	edx, edx
		dec	eax
		lea	ecx, [edx+1]
		jmp	loc_456205
; 

loc_4565B2:				; CODE XREF: MiTerminateWsleCluster+12Bj
		cmp	esi, eax
		jnb	loc_455F51
		jmp	loc_5B032C
; 

loc_4565BF:				; CODE XREF: MiTerminateWsleCluster+11Aj
		mov	eax, 0C0603018h
		jmp	loc_455F45
; 

loc_4565C9:				; CODE XREF: MiTerminateWsleCluster+5A5j
		cmp	esi, eax
		jnb	loc_4563CB
		jmp	loc_5B0359
; 

loc_4565D6:				; CODE XREF: MiTerminateWsleCluster+53Bj
		test	byte ptr [ebp+var_A4], 4
		jnz	loc_456361
		push	offset _MiTbFlushSort ;	int __cdecl (*)(const void *,const void	*)
		push	4		; size_t
		lea	eax, [ebp+var_94]
		push	ebx		; size_t
		push	eax		; void *
		call	_qsort
		add	esp, 10h
		lea	ecx, [ebp+var_A8]
		call	MiCompressTbFlushList
		mov	ebx, [ebp+var_9C]
		cmp	ebx, [ebp+var_A0]
		jnz	loc_456361
		cmp	[ebp+var_D8], 0
		jz	loc_456044
		mov	[ebp+var_98], ebx

loc_45662A:				; CODE XREF: MiTerminateWsleCluster+4BDj
		mov	byte ptr [ebp+var_A4+1], 1
		jmp	loc_456044
; 

loc_456636:				; CODE XREF: MiTerminateWsleCluster+636j
		or	ecx, 4
		mov	[ebp+var_C4], ecx
		jmp	loc_45645C
; 

loc_456644:				; CODE XREF: MiTerminateWsleCluster+146j
		lfence	eax
		jmp	loc_455F6C
MiTerminateWsleCluster endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiWalkPageTables proc near		; CODE XREF: MiDeleteSystemPageTables(x,x,x,x,x,x)+9Bp
					; MiGetNextPageTable+C3p ...

var_B0		= dword	ptr -0B0h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B05BC SIZE 000000D8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A8h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0A8h+var_4], eax
		push	esi
		mov	esi, ecx
		push	edi
		mov	[esp+0B0h+var_84], esi
		cmp	byte ptr [esi+5], 0
		jnz	short loc_45667E
		mov	byte ptr [esi+5], 0Fh

loc_45667E:				; CODE XREF: MiWalkPageTables+28j
		mov	eax, [esi+20h]
		mov	dword ptr [esi+28h], offset _MiSystemPartition
		test	eax, eax
		jnz	loc_456AE8
		mov	eax, [esi+14h]
		mov	[esp+0B0h+var_60], eax
		mov	eax, [esi+18h]
		mov	[esp+0B0h+var_5C], eax
		mov	[esp+0B0h+var_80], 1

loc_4566A6:				; CODE XREF: MiWalkPageTables+4EBj
					; MiWalkPageTables+508j
		mov	eax, 800h
		test	[esi], ax
		jz	loc_456A6F
		mov	[esp+0B0h+var_48], 0
		mov	ecx, 3
		mov	[esp+0B0h+var_44], 3FFFFFFFh
		mov	[esp+0B0h+var_40], 40000000h
		mov	[esp+0B0h+var_3C], 7FFFFFFFh
		mov	[esp+0B0h+var_38], 80000000h
		mov	[esp+0B0h+var_34], 0BFFFFFFFh
		mov	[esp+0B0h+var_30], 0C0800000h
		mov	[esp+0B0h+var_2C], 0FFFFFFFFh

loc_4566FF:				; CODE XREF: MiWalkPageTables+485j
					; MiWalkPageTables+600j
		lea	eax, [ecx+1]
		xor	ecx, ecx
		mov	[esp+0B0h+var_78], eax
		mov	[esp+0B0h+var_74], ecx
		lea	esp, [esp+0]

loc_456710:				; CODE XREF: MiWalkPageTables+412j
		xor	edx, edx
		mov	[esp+0B0h+var_7C], edx
		test	eax, eax
		jz	loc_456A59
		mov	eax, [esp+ecx*8+0B0h+var_60]
		mov	ecx, [esp+ecx*8+0B0h+var_5C]
		mov	[esp+0B0h+var_68], eax
		mov	[esp+0B0h+var_64], ecx
		mov	edi, edi

loc_456730:				; CODE XREF: MiWalkPageTables+3FBj
		mov	edi, eax
		mov	eax, ecx
		mov	ecx, [esp+edx*8+0B0h+var_44]
		cmp	edi, ecx
		ja	loc_456A3A
		mov	esi, [esp+edx*8+0B0h+var_48]
		cmp	eax, esi
		mov	[esp+0B0h+var_94], esi
		mov	esi, [esp+0B0h+var_84]
		jb	loc_456A3A
		mov	edx, [esp+0B0h+var_94]
		cmp	edi, edx
		jb	loc_456B74

loc_456760:				; CODE XREF: MiWalkPageTables+526j
		cmp	eax, ecx
		ja	loc_456AE1

loc_456768:				; CODE XREF: MiWalkPageTables+493j
		shr	eax, 9
		shr	edi, 9
		and	eax, offset loc_7FFFF8
		and	edi, offset loc_7FFFF8
		sub	eax, 40000000h
		sub	edi, 40000000h
		mov	[esi+30h], eax
		mov	[esi+2Ch], edi
		shr	eax, 9
		shr	edi, 9
		and	eax, offset loc_7FFFF8
		and	edi, offset loc_7FFFF8
		sub	eax, 40000000h
		sub	edi, 40000000h
		mov	[esi+38h], eax
		mov	[esi+34h], edi
		movzx	eax, word ptr [esi]
		mov	[esp+0B0h+var_88], edi
		mov	dword ptr [esi+24h], 0
		test	al, 4
		jz	loc_456B5D
		mov	edx, [esi+10h]
		mov	eax, edi
		or	byte ptr [esi+2], 1
		mov	ecx, 6
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esp+0B0h+var_90], edx
		sub	eax, 40000000h
		mov	[esp+0B0h+var_8C], 0C0603018h
		mov	[esp+0B0h+var_6C], eax
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[esp+0B0h+var_98], 0
		mov	[esp+0B0h+var_50], eax
		shr	eax, 9
		sub	eax, 40000000h
		mov	[esp+0B0h+var_A0], ecx
		mov	[esp+0B0h+var_4C], eax
		mov	al, [edx+60h]
		and	al, 7
		cmp	al, 2
		jnb	loc_456B7B
		test	al, al
		jnz	loc_456CBB
		mov	eax, [edx+0Ch]
		add	eax, 0F10h

loc_456830:				; CODE XREF: MiWalkPageTables+671j
		mov	[esp+0B0h+var_9C], eax

loc_456834:				; CODE XREF: MiWalkPageTables+560j
		mov	eax, [eax]
		mov	edi, [esp+0B0h+var_9C]

loc_45683A:				; CODE XREF: MiWalkPageTables+628j
					; MiWalkPageTables+632j
		mov	[esp+0B0h+var_A4], eax

loc_45683E:				; CODE XREF: MiWalkPageTables+6ABj
		mov	edx, 2
		shl	edx, cl

loc_456845:				; CODE XREF: MiWalkPageTables+771j
		shr	eax, cl
		test	al, 1
		jnz	loc_456C55
		mov	ecx, [esp+0B0h+var_A4]
		mov	eax, [esp+0B0h+var_A0]
		bts	ecx, eax
		mov	eax, edx
		not	eax
		and	ecx, eax
		mov	eax, [esp+0B0h+var_A4]
		lock cmpxchg [edi], ecx
		cmp	eax, [esp+0B0h+var_A4]
		jnz	loc_456DB9
		mov	edi, [esp+0B0h+var_88]
		mov	esi, 1

loc_45687B:				; CODE XREF: MiWalkPageTables+3E1j
		mov	edx, [esp+esi*4+0B0h+var_50]
		mov	[esp+0B0h+var_98], esi
		mov	[esp+0B0h+var_94], edx
		mov	ecx, [edx]
		nop
		mov	eax, [edx+4]
		mov	[esp+0B0h+var_A0], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_4569DF
		mov	eax, ecx
		and	eax, 80h
		or	eax, 0
		jnz	loc_4569DF
		mov	eax, ecx
		and	eax, 20h
		or	eax, 0
		jz	loc_5B0618

loc_4568BD:				; CODE XREF: MiWalkPageTables+159FD8j
		cmp	edx, [esp+0B0h+var_8C]
		jz	loc_4569DB
		mov	esi, [esp+0B0h+var_90]
		lea	ecx, [edx+3FA00000h]
		sar	ecx, 3
		add	ecx, ecx
		mov	[esp+0B0h+var_9C], 0
		mov	eax, ecx
		and	eax, 1Fh
		mov	[esp+0B0h+var_A0], eax
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		jnb	loc_456BB5
		shr	ecx, 5
		test	al, al
		jnz	loc_456D00
		mov	edi, [esi+0Ch]
		add	edi, 0D90h

loc_456908:				; CODE XREF: MiWalkPageTables+6B6j
		lea	edi, [edi+ecx*4]

loc_45690B:				; CODE XREF: MiWalkPageTables+59Bj
		mov	[esp+0B0h+var_A4], edi
		mov	edi, [esp+0B0h+var_A0]

loc_456913:				; CODE XREF: MiWalkPageTables+729j
		mov	eax, [esp+0B0h+var_A4]
		mov	esi, [eax]

loc_456919:				; CODE XREF: MiWalkPageTables+666j
					; MiWalkPageTables+70Cj ...
		mov	ecx, edi
		mov	edx, 2
		shl	edx, cl

loc_456922:				; CODE XREF: MiWalkPageTables+778j
		mov	eax, esi
		mov	ecx, edi
		shr	eax, cl
		test	al, 1
		jnz	loc_456C87
		mov	ecx, esi
		mov	eax, edx
		bts	ecx, edi
		not	eax
		mov	edi, [esp+0B0h+var_A4]
		and	ecx, eax
		mov	eax, esi
		lock cmpxchg [edi], ecx
		mov	edi, [esp+0B0h+var_A0]
		cmp	eax, esi
		jnz	loc_456DC6
		mov	edx, [esp+0B0h+var_8C]
		mov	edi, [esp+0B0h+var_88]
		lea	ecx, [edx+3FA00000h]
		sar	ecx, 3
		add	ecx, ecx
		mov	eax, ecx
		and	eax, 1Fh
		mov	[esp+0B0h+var_A4], eax
		mov	eax, [esp+0B0h+var_90]
		mov	al, [eax+60h]
		and	al, 7
		cmp	al, 2
		jnb	loc_456BF0
		shr	ecx, 5
		test	al, al
		mov	eax, [esp+0B0h+var_90]
		jnz	loc_456D0B
		mov	eax, [eax+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_456998:				; CODE XREF: MiWalkPageTables+5C6j
					; MiWalkPageTables+6C3j
		mov	[esp+0B0h+var_9C], eax

loc_45699C:				; CODE XREF: MiWalkPageTables+750j
		mov	edx, [eax]
		mov	eax, [esp+0B0h+var_A4]
		mov	ecx, eax
		mov	esi, [esp+0B0h+var_9C]
		mov	[esp+0B0h+var_A0], 2
		shl	[esp+0B0h+var_A0], cl
		mov	ecx, edx
		not	[esp+0B0h+var_A0]
		btr	ecx, eax
		and	ecx, [esp+0B0h+var_A0]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	esi, [esp+0B0h+var_98]
		cmp	eax, edx
		jnz	loc_456DCD

loc_4569D3:				; CODE XREF: MiWalkPageTables+7A6j
		mov	edx, [esp+0B0h+var_94]
		mov	[esp+0B0h+var_8C], edx

loc_4569DB:				; CODE XREF: MiWalkPageTables+271j
		test	esi, esi
		jnz	short loc_456A30

loc_4569DF:				; CODE XREF: MiWalkPageTables+249j
					; MiWalkPageTables+259j
		mov	eax, [esp+0B0h+var_8C]
		mov	edx, [esp+0B0h+var_6C]
		mov	esi, [esp+0B0h+var_84]
		cmp	eax, edx
		jnz	loc_5B0666
		mov	[esi+1Ch], edx

loc_4569F6:				; CODE XREF: MiWalkPageTables+519j
					; MiWalkPageTables+15A030j
		and	byte ptr [esi+2], 0FEh

loc_4569FA:				; CODE XREF: MiWalkPageTables+15A021j
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	_MiWalkPageTablesRecursively@12	; MiWalkPageTablesRecursively(x,x,x)
		mov	edi, eax
		mov	eax, 400h
		test	[esi], ax
		jnz	loc_5B0685

loc_456A15:				; CODE XREF: MiWalkPageTables+15A03Fj
		cmp	edi, 3
		jl	short loc_456A36
		mov	eax, edi

loc_456A1C:				; CODE XREF: MiWalkPageTables+41Dj
		mov	ecx, [esp+0B0h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_456A30:				; CODE XREF: MiWalkPageTables+38Dj
		dec	esi
		jmp	loc_45687B
; 

loc_456A36:				; CODE XREF: MiWalkPageTables+3C8j
		mov	edx, [esp+0B0h+var_7C]

loc_456A3A:				; CODE XREF: MiWalkPageTables+EAj
					; MiWalkPageTables+FEj
		mov	eax, [esp+0B0h+var_68]
		inc	edx
		mov	ecx, [esp+0B0h+var_64]
		mov	[esp+0B0h+var_7C], edx
		cmp	edx, [esp+0B0h+var_78]
		jb	loc_456730
		mov	eax, [esp+0B0h+var_78]
		mov	ecx, [esp+0B0h+var_74]

loc_456A59:				; CODE XREF: MiWalkPageTables+C8j
		inc	ecx
		mov	[esp+0B0h+var_74], ecx
		cmp	ecx, [esp+0B0h+var_80]
		jb	loc_456710
		mov	eax, 3
		jmp	short loc_456A1C
; 

loc_456A6F:				; CODE XREF: MiWalkPageTables+5Ej
		mov	eax, [esi+10h]
		test	byte ptr [eax+60h], 7
		jnz	loc_456C1B
		mov	edi, ds:_MmHighestUserAddress
		xor	edx, edx
		add	edi, 10001h
		xor	ecx, ecx
		lea	esp, [esp+0]

loc_456A90:				; CODE XREF: MiWalkPageTables+48Dj
		mov	[esp+ecx*8+0B0h+var_48], edx
		cmp	ecx, 3
		jz	loc_5B05E1
		add	edx, 40000000h
		cmp	edx, edi
		ja	loc_5B05E1

loc_456AAB:				; CODE XREF: MiWalkPageTables+159F93j
		lea	eax, [edx-1]
		mov	[esp+ecx*8+0B0h+var_44], eax
		inc	ecx
		cmp	edx, edi
		jb	short loc_456ADA

loc_456AB7:				; CODE XREF: MiWalkPageTables+48Fj
		mov	eax, dword_6D2E90
		mov	edx, dword_6D2E88
		mov	[esp+ecx*8+0B0h+var_48], edx
		test	eax, eax
		jz	loc_5B05E8

loc_456ACE:				; CODE XREF: MiWalkPageTables+159FA7j
		dec	eax
		add	eax, edx
		mov	[esp+ecx*8+0B0h+var_44], eax
		jmp	loc_4566FF
; 

loc_456ADA:				; CODE XREF: MiWalkPageTables+465j
		cmp	ecx, 3
		jb	short loc_456A90
		jmp	short loc_456AB7
; 

loc_456AE1:				; CODE XREF: MiWalkPageTables+112j
		mov	eax, ecx
		jmp	loc_456768
; 

loc_456AE8:				; CODE XREF: MiWalkPageTables+3Aj
		cmp	eax, 0C0603018h
		jz	loc_5B05CC
		mov	ecx, eax
		cmp	eax, 0C0603010h
		jz	loc_5B05BC

loc_456B00:				; CODE XREF: MiWalkPageTables+159F76j
					; MiWalkPageTables+159F82j
		lea	eax, [ecx+40000000h]
		or	edx, 0FFFFFFFFh
		cmp	eax, offset loc_7FFFFF
		ja	loc_5B05D7

loc_456B14:				; CODE XREF: MiWalkPageTables+6D4j
		shl	ecx, 9
		inc	edx
		cmp	ecx, 0C0000000h
		jnb	loc_456D18

loc_456B24:				; CODE XREF: MiWalkPageTables+6CEj
					; MiWalkPageTables+159F8Cj
		mov	[esp+0B0h+var_60], ecx
		mov	[esp+0B0h+var_5C], 0FFFFFFFFh
		mov	[esp+0B0h+var_80], 1
		cmp	edx, 0FFFFFFFFh
		jz	loc_4566A6
		lea	eax, [ecx-1]
		mov	[esp+0B0h+var_58], 0
		mov	[esp+0B0h+var_54], eax
		mov	[esp+0B0h+var_80], 2
		jmp	loc_4566A6
; 

loc_456B5D:				; CODE XREF: MiWalkPageTables+16Cj
		mov	dword ptr [esi+1Ch], 0
		test	eax, 400h
		jz	loc_4569F6
		jmp	loc_5B0676
; 

loc_456B74:				; CODE XREF: MiWalkPageTables+10Aj
		mov	edi, edx
		jmp	loc_456760
; 

loc_456B7B:				; CODE XREF: MiWalkPageTables+1CAj
		cmp	al, 7
		jz	loc_456D29
		xor	ecx, ecx
		cmp	al, 5
		setnz	cl
		dec	ecx
		and	ecx, offset unk_6D2E54
		mov	eax, ecx
		mov	[esp+0B0h+var_9C], eax
		jnz	short loc_456BA2
		mov	eax, offset unk_6D2DD4

loc_456B9E:				; CODE XREF: MiWalkPageTables+6E0j
		mov	[esp+0B0h+var_9C], eax

loc_456BA2:				; CODE XREF: MiWalkPageTables+547j
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 0FFFFFFFAh
		add	ecx, 6
		mov	[esp+0B0h+var_A0], ecx
		jmp	loc_456834
; 

loc_456BB5:				; CODE XREF: MiWalkPageTables+29Ej
		cmp	edx, 0C0603018h
		jz	short loc_456BD1
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_456BE1
		cmp	edx, 0C0603010h
		jnz	short loc_456BE1

loc_456BD1:				; CODE XREF: MiWalkPageTables+56Bj
		cmp	al, 7
		jz	loc_456D61
		cmp	al, 5
		jz	loc_456DA5

loc_456BE1:				; CODE XREF: MiWalkPageTables+577j
					; MiWalkPageTables+57Fj
		shr	ecx, 5
		lea	edi, unk_6D2C54[ecx*4]
		jmp	loc_45690B
; 

loc_456BF0:				; CODE XREF: MiWalkPageTables+328j
		cmp	edx, 0C0603018h
		jnz	loc_5B0645

loc_456BFC:				; CODE XREF: MiWalkPageTables+15A011j
		cmp	al, 7
		jz	loc_456D7E
		cmp	al, 5
		jz	loc_456DAF

loc_456C0C:				; CODE XREF: MiWalkPageTables+159FFFj
					; MiWalkPageTables+15A00Bj
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_456998
; 

loc_456C1B:				; CODE XREF: MiWalkPageTables+426j
		mov	eax, dword_6D07D0
		xor	ecx, ecx
		cmp	eax, 0C0000000h
		jz	short loc_456C3A
		mov	[esp+0B0h+var_48], eax
		mov	ecx, 1
		mov	[esp+0B0h+var_44], 0BFFFFFFFh

loc_456C3A:				; CODE XREF: MiWalkPageTables+5D7j
		mov	eax, dword_6D2E78
		add	eax, 200000h
		mov	[esp+ecx*8+0B0h+var_44], 0FFFFFFFFh
		mov	[esp+ecx*8+0B0h+var_48], eax
		jmp	loc_4566FF
; 

loc_456C55:				; CODE XREF: MiWalkPageTables+1F9j
		test	al, 2
		jnz	short loc_456CC6
		mov	edx, [esp+0B0h+var_A4]
		mov	eax, 2
		shl	eax, cl
		or	eax, edx
		mov	[esp+0B0h+var_94], eax
		mov	ecx, eax
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	ecx, [esp+0B0h+var_A0]
		cmp	eax, edx
		jnz	loc_45683A
		mov	eax, [esp+0B0h+var_94]
		jmp	loc_45683A
; 

loc_456C87:				; CODE XREF: MiWalkPageTables+2DAj
		test	al, 2
		jnz	loc_456D35
		mov	edx, [esp+0B0h+var_A4]
		mov	ecx, edi
		mov	eax, 2
		shl	eax, cl
		or	eax, esi
		mov	[esp+0B0h+var_70], eax
		mov	ecx, eax
		mov	eax, esi
		lock cmpxchg [edx], ecx
		cmp	eax, esi
		jnz	loc_456DFB
		mov	esi, [esp+0B0h+var_70]
		jmp	loc_456919
; 

loc_456CBB:				; CODE XREF: MiWalkPageTables+1D2j
		lea	eax, [edx+2A0h]
		jmp	loc_456830
; 

loc_456CC6:				; CODE XREF: MiWalkPageTables+607j
		mov	esi, [esp+0B0h+var_9C]
		lea	ebx, [ebx+0]

loc_456CD0:				; CODE XREF: MiWalkPageTables+6A1j
		mov	eax, [esp+0B0h+var_98]
		inc	eax
		mov	[esp+0B0h+var_98], eax
		test	ds:_HvlLongSpinCountMask, eax
		jz	loc_5B05FC

loc_456CE5:				; CODE XREF: MiWalkPageTables+159FB3j
		pause

loc_456CE7:				; CODE XREF: MiWalkPageTables+159FC3j
		mov	eax, [esi]
		mov	[esp+0B0h+var_A4], eax
		shr	eax, cl
		test	al, 1
		jnz	short loc_456CD0
		mov	edi, [esp+0B0h+var_9C]
		mov	eax, [esp+0B0h+var_A4]
		jmp	loc_45683E
; 

loc_456D00:				; CODE XREF: MiWalkPageTables+2A9j
		lea	edi, [esi+120h]
		jmp	loc_456908
; 

loc_456D0B:				; CODE XREF: MiWalkPageTables+337j
		lea	eax, [eax+ecx*4]
		add	eax, 120h
		jmp	loc_456998
; 

loc_456D18:				; CODE XREF: MiWalkPageTables+4CEj
		cmp	ecx, 0C07FFFFFh
		ja	loc_456B24
		jmp	loc_456B14
; 

loc_456D29:				; CODE XREF: MiWalkPageTables+52Dj
		mov	eax, offset unk_6D2E58
		mov	ecx, eax
		jmp	loc_456B9E
; 

loc_456D35:				; CODE XREF: MiWalkPageTables+639j
					; MiWalkPageTables+70Aj
		mov	eax, [esp+0B0h+var_9C]
		inc	eax
		mov	[esp+0B0h+var_9C], eax
		test	ds:_HvlLongSpinCountMask, eax
		jz	loc_5B062D

loc_456D4A:				; CODE XREF: MiWalkPageTables+159FE4j
		pause

loc_456D4C:				; CODE XREF: MiWalkPageTables+159FF0j
		mov	eax, [esp+0B0h+var_A4]
		mov	ecx, edi
		mov	esi, [eax]
		mov	eax, esi
		shr	eax, cl
		test	al, 1
		jnz	short loc_456D35
		jmp	loc_456919
; 

loc_456D61:				; CODE XREF: MiWalkPageTables+583j
		mov	[esp+0B0h+var_A4], offset unk_6D2E58

loc_456D69:				; CODE XREF: MiWalkPageTables+75Dj
		mov	edi, 0C0603018h
		sub	edi, edx
		sar	edi, 3
		add	edi, edi
		mov	[esp+0B0h+var_A0], edi
		jmp	loc_456913
; 

loc_456D7E:				; CODE XREF: MiWalkPageTables+5AEj
		mov	[esp+0B0h+var_9C], offset unk_6D2E58

loc_456D86:				; CODE XREF: MiWalkPageTables+767j
		mov	eax, 0C0603018h
		sub	eax, edx
		mov	edx, eax
		mov	[esp+0B0h+var_A4], eax
		mov	eax, [esp+0B0h+var_9C]
		sar	edx, 3
		add	edx, edx
		mov	[esp+0B0h+var_A4], edx
		jmp	loc_45699C
; 

loc_456DA5:				; CODE XREF: MiWalkPageTables+58Bj
		mov	[esp+0B0h+var_A4], offset unk_6D2E54
		jmp	short loc_456D69
; 

loc_456DAF:				; CODE XREF: MiWalkPageTables+5B6j
		mov	[esp+0B0h+var_9C], offset unk_6D2E54
		jmp	short loc_456D86
; 

loc_456DB9:				; CODE XREF: MiWalkPageTables+21Cj
		mov	ecx, [esp+0B0h+var_A0]
		mov	[esp+0B0h+var_A4], eax
		jmp	loc_456845
; 

loc_456DC6:				; CODE XREF: MiWalkPageTables+2FBj
		mov	esi, eax
		jmp	loc_456922
; 

loc_456DCD:				; CODE XREF: MiWalkPageTables+37Dj
		mov	esi, [esp+0B0h+var_A4]
		mov	edi, [esp+0B0h+var_A0]

loc_456DD5:				; CODE XREF: MiWalkPageTables+79Cj
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, esi
		mov	esi, [esp+0B0h+var_9C]
		and	ecx, edi
		lock cmpxchg [esi], ecx
		mov	esi, [esp+0B0h+var_A4]
		cmp	eax, edx
		jnz	short loc_456DD5
		mov	edi, [esp+0B0h+var_88]
		mov	esi, [esp+0B0h+var_98]
		jmp	loc_4569D3
; 

loc_456DFB:				; CODE XREF: MiWalkPageTables+65Cj
		mov	esi, eax
		jmp	loc_456919
MiWalkPageTables endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWalkPageTablesRecursively(x, x, x)
_MiWalkPageTablesRecursively@12	proc near ; CODE XREF: MiWalkPageTables+3B0p
					; MiWalkPageTablesRecursively(x,x,x)+704p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		mov	ecx, [ebp+var_8]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [ebx+10h]
		mov	[ebp+var_14], eax
		mov	eax, [ebx+40h]
		lea	edx, ds:0[esi*8]
		mov	[ebp+var_3C], eax
		mov	eax, [edx+ebx+2Ch]
		push	edi
		xor	edi, edi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_C], edi
		mov	[ebp+var_1C], edx
		cmp	ecx, eax
		jnb	short loc_456E51
		mov	ecx, eax
		mov	[ebp+var_8], ecx

loc_456E51:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+3Aj
		cmp	esi, 1
		jnz	short loc_456E5F
		mov	eax, [edx+ebx+30h]
		mov	[ebp+var_20], eax
		jmp	short loc_456E87
; 

loc_456E5F:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+44j
		mov	edx, ecx
		lea	eax, ds:0[esi*8]
		mov	eax, [eax+ebx+30h]
		and	edx, 0FFFFF000h
		add	edx, 0FF8h
		mov	[ebp+var_20], edx
		cmp	edx, eax
		jbe	short loc_456E84
		mov	[ebp+var_20], eax
		jmp	short loc_456E87
; 

loc_456E84:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+6Dj
		mov	eax, [ebp+var_20]

loc_456E87:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+4Dj
					; MiWalkPageTablesRecursively(x,x,x)+72j
		xor	edx, edx
		mov	[ebp+var_38], 400h
		mov	[ebp+var_10], edx
		cmp	ecx, eax
		ja	loc_457029
		jmp	short loc_456EA0
; 
		align 10h

loc_456EA0:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+8Bj
					; MiWalkPageTablesRecursively(x,x,x)+B63j
		test	edx, edx
		jz	short loc_456F23
		mov	[ebp+var_10], 0
		cmp	edi, 3
		jge	loc_457029
		test	byte ptr [ebx+2], 1
		jz	short loc_456F23
		cmp	esi, 1
		jnz	loc_457029
		test	byte ptr [ebx],	4
		mov	esi, [ebx+10h]
		jz	short loc_456EE7
		mov	edx, ecx
		mov	ecx, ebx
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		push	0
		sub	edx, 40000000h
		call	MiReacquireWalkLocks
		jmp	short loc_456F1D
; 

loc_456EE7:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+B9j
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_456EF7
		mov	esi, offset unk_6D3C40
		jmp	short loc_456EFA
; 

loc_456EF7:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+DEj
		sub	esi, 0FFFFFF80h

loc_456EFA:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+E5j
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	eax, [ebp+var_38]
		mov	dword ptr [esi+4], 0
		test	[ebx], ax
		jz	short loc_456F19
		push	offset dword_6D2E64
		call	ExAcquireSpinLockExclusiveAtDpcLevel

loc_456F19:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+FDj
		and	byte ptr [ebx+2], 0FEh

loc_456F1D:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+D5j
		mov	esi, [ebp+arg_0]
		mov	ecx, [ebp+var_8]

loc_456F23:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+92j
					; MiWalkPageTablesRecursively(x,x,x)+A8j
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_2C], eax
		test	eax, 840h
		jnz	short loc_456F99 ; default
		cmp	esi, 1
		jnz	short loc_456F99 ; default
		mov	eax, [ebx+10h]
		mov	dl, [eax+60h]
		test	dl, 7
		jz	short loc_456F99 ; default
		mov	eax, ecx
		shl	eax, 12h
		cmp	eax, dword_6D07D0
		jnb	short loc_456F51
		xor	ecx, ecx
		jmp	short loc_456F5B
; 

loc_456F51:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+13Bj
		shr	eax, 15h
		movzx	ecx, byte ptr dword_6D3994[eax]

loc_456F5B:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+13Fj
		movzx	eax, dl
		and	eax, 7
		dec	eax
		cmp	eax, 3		; switch 4 cases
		ja	short loc_456F99 ; default
		jmp	ds:off_457ADC[eax*4] ; switch jump

loc_456F6E:				; DATA XREF: .text:off_457ADCo
		cmp	ecx, 1		; case 0x0
		jz	short loc_456F99 ; default
		cmp	ecx, 0Bh
		jmp	short loc_456F93
; 

loc_456F78:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+157j
					; DATA XREF: .text:off_457ADCo
		xor	eax, eax	; case 0x1
		cmp	ecx, 8
		setnz	al
		test	eax, eax
		jmp	short loc_456F93
; 

loc_456F84:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+157j
					; DATA XREF: .text:off_457ADCo
		xor	eax, eax	; case 0x2
		cmp	ecx, 6
		setnz	al
		test	eax, eax
		jmp	short loc_456F93
; 

loc_456F90:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+157j
					; DATA XREF: .text:off_457ADCo
		cmp	ecx, 0Ch	; case 0x3

loc_456F93:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+166j
					; MiWalkPageTablesRecursively(x,x,x)+172j ...
		jnz	loc_45789C

loc_456F99:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+11Ej
					; MiWalkPageTablesRecursively(x,x,x)+123j ...
		mov	eax, [ebx+3Ch]	; default
		mov	ecx, [ebp+var_2C]
		inc	eax
		mov	[ebp+var_28], eax
		mov	[ebx+3Ch], eax
		test	cl, 8
		jz	loc_4570ED
		test	al, 0Fh
		jnz	loc_4570ED
		mov	eax, [ebx+28h]
		mov	esi, [eax+0FC0h]
		cmp	esi, 420h
		jnb	loc_4570EA
		mov	edi, dword_6D06D4
		add	eax, 954h
		mov	[ebp+var_18], 0
		mov	[ebp+var_24], eax

loc_456FE1:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+20Cj
		mov	ecx, [eax]
		xor	edx, edx
		test	edi, edi
		jz	short loc_45700C
		add	ecx, 4
		lea	esp, [esp+0]

loc_456FF0:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+1F7j
		movzx	eax, word ptr [ecx]
		add	esi, eax
		cmp	esi, 420h
		jnb	loc_4570E4
		inc	edx
		add	ecx, 8
		cmp	edx, edi
		jb	short loc_456FF0
		mov	eax, [ebp+var_24]

loc_45700C:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+1D7j
		mov	ecx, [ebp+var_18]
		add	eax, 4
		inc	ecx
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], ecx
		cmp	ecx, 1
		jle	short loc_456FE1
		mov	esi, [ebp+arg_0]
		mov	edi, 4
		mov	[ebp+var_C], edi

loc_457029:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+85j
					; MiWalkPageTablesRecursively(x,x,x)+9Ej ...
		mov	al, [ebx+2]
		mov	cl, al
		and	cl, 1
		cmp	esi, 1
		jnz	loc_457A91
		test	cl, cl
		jnz	loc_457A26
		test	byte ptr [ebx],	40h
		jz	short loc_457050
		cmp	edi, 3
		jz	loc_457A26

loc_457050:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+235j
		mov	ecx, [ebx+44h]
		or	al, 2
		mov	[ebx+2], al
		test	ecx, ecx
		jz	loc_45797E
		push	ebx
		call	ecx
		mov	ecx, eax
		mov	al, [ebx+2]
		mov	[ebp+arg_0], ecx

loc_45706B:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+B77j
		and	al, 0FDh
		mov	[ebx+2], al
		test	al, 1
		jnz	short loc_457077

loc_457074:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+B82j
		mov	[ebp+arg_0], ecx

loc_457077:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+262j
		mov	edx, [ebx+1Ch]
		test	edx, edx
		jz	loc_457A1C
		mov	edi, [ebp+var_14]
		lea	ecx, [edx+3FA00000h]
		sar	ecx, 3
		add	ecx, ecx
		mov	esi, ecx
		mov	al, [edi+60h]
		and	esi, 1Fh
		and	al, 7
		cmp	al, 2
		jb	loc_4579BA
		cmp	edx, 0C0603018h
		jz	short loc_4570C6
		cmp	dword_6D07D0, 0C0000000h
		jnb	loc_4579AE
		cmp	edx, 0C0603010h
		jnz	loc_4579AE

loc_4570C6:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+298j
		cmp	al, 7
		jnz	loc_457997
		mov	esi, 0C0603018h
		mov	edi, offset unk_6D2E58
		sub	esi, edx
		sar	esi, 3
		add	esi, esi
		jmp	loc_4579D8
; 

loc_4570E4:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+1EBj
		mov	ecx, [ebp+var_2C]
		mov	edi, [ebp+var_C]

loc_4570EA:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+1B6j
		mov	eax, [ebp+var_28]

loc_4570ED:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+199j
					; MiWalkPageTablesRecursively(x,x,x)+1A1j
		test	cl, 2
		jz	loc_45721F
		test	[ebx+5], al
		jnz	loc_45721F
		mov	esi, [ebx+10h]
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_457116
		lea	eax, [esi+80h]

loc_457116:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+2FEj
		mov	eax, [eax]
		test	eax, 40000000h
		jnz	loc_457201
		movzx	eax, word ptr [ebx]
		mov	ecx, eax
		test	al, 4
		jz	loc_4571DE
		mov	eax, [ebp+var_8]
		mov	bl, [esi+60h]
		shr	eax, 9
		and	bl, 7
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_1], bl
		lea	ecx, [eax-600000h]
		sar	ecx, 3
		add	ecx, ecx
		mov	edx, ecx
		and	edx, 1Fh
		cmp	bl, 2
		mov	ebx, [ebp+var_34]
		jb	short loc_4571B4
		cmp	eax, 603018h
		jz	short loc_457176
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_4571A8
		cmp	eax, 603010h
		jnz	short loc_4571A8

loc_457176:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+351j
		cmp	[ebp+var_1], 7
		jnz	short loc_45718F
		mov	edx, 603018h
		mov	ecx, offset unk_6D2E58
		sub	edx, eax
		sar	edx, 3
		add	edx, edx
		jmp	short loc_4571D1
; 

loc_45718F:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+36Aj
		cmp	[ebp+var_1], 5
		jnz	short loc_4571A8
		mov	edx, 603018h
		mov	ecx, offset unk_6D2E54
		sub	edx, eax
		sar	edx, 3
		add	edx, edx
		jmp	short loc_4571D1
; 

loc_4571A8:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+35Dj
					; MiWalkPageTablesRecursively(x,x,x)+364j ...
		shr	ecx, 5
		lea	ecx, unk_6D2C54[ecx*4]
		jmp	short loc_4571D1
; 

loc_4571B4:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+34Aj
		shr	ecx, 5
		cmp	[ebp+var_1], 0
		jnz	short loc_4571CB
		mov	eax, [esi+0Ch]
		add	ecx, 364h
		lea	ecx, [eax+ecx*4]
		jmp	short loc_4571D1
; 

loc_4571CB:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+3ABj
		add	ecx, 48h
		lea	ecx, [esi+ecx*4]

loc_4571D1:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+37Dj
					; MiWalkPageTablesRecursively(x,x,x)+396j ...
		mov	eax, [ecx]
		mov	ecx, edx
		shr	eax, cl
		test	al, 2
		jnz	short loc_457201
		movzx	ecx, word ptr [ebx]

loc_4571DE:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+31Aj
		test	ecx, 400h
		jz	short loc_4571F2
		mov	eax, dword_6D2E64
		test	eax, 40000000h
		jnz	short loc_457201

loc_4571F2:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+3D4j
		cmp	byte ptr [ebx+6], 2
		jnb	short loc_45721F
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_45721F

loc_457201:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+30Dj
					; MiWalkPageTablesRecursively(x,x,x)+3C9j ...
		mov	edx, 1
		mov	ecx, ebx
		call	MiYieldPageTableWalk
		cmp	eax, 3
		jl	short loc_457217
		mov	edi, eax
		mov	[ebp+var_C], edi

loc_457217:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+400j
		mov	ecx, [ebp+var_8]
		jmp	loc_457965
; 

loc_45721F:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+2E0j
					; MiWalkPageTablesRecursively(x,x,x)+2E9j ...
		test	byte ptr [ebx],	20h
		mov	ecx, ebx
		jz	short loc_457270
		push	[ebp+arg_0]
		mov	esi, [ebp+var_8]
		mov	edx, esi
		call	MiGetNextPageTablePte
		cmp	eax, 3
		jnz	short loc_457244
		mov	edi, eax
		mov	ecx, esi
		mov	[ebp+var_C], edi
		jmp	loc_457965
; 

loc_457244:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+426j
		mov	cl, [ebx+2]
		test	cl, 1
		jz	short loc_457254
		mov	ecx, [ebp+var_8]
		jmp	loc_457965
; 

loc_457254:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+43Aj
		mov	edx, [ebx+24h]
		test	edx, edx
		jz	short loc_45726B
		cmp	edx, esi
		jnz	short loc_45726B
		mov	dword ptr [ebx+24h], 0
		mov	eax, 1

loc_45726B:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+449j
					; MiWalkPageTablesRecursively(x,x,x)+44Dj
		mov	esi, [ebp+arg_0]
		jmp	short loc_45727F
; 

loc_457270:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+414j
		mov	esi, [ebp+arg_0]
		mov	edx, [ebp+var_8]
		push	esi
		call	MiComputePxeWalkAction
		mov	cl, [ebx+2]

loc_45727F:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+45Ej
		test	eax, eax
		jz	loc_45789C
		cmp	eax, 1
		jz	loc_45771B
		movzx	eax, cl
		shr	eax, 2
		and	eax, 7
		cmp	esi, eax
		jle	loc_45771B
		mov	eax, [ebx+44h]
		or	cl, 2
		mov	[ebx+2], cl
		test	eax, eax
		jz	loc_457346
		push	ebx
		call	eax
		mov	cl, [ebx+2]

loc_4572B8:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+53Cj
		and	cl, 0FDh
		mov	[ebx+2], cl
		cmp	eax, 3
		jge	loc_4577BC

loc_4572C7:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+548j
		test	byte ptr [ebx+2], 1
		jnz	loc_4577BC
		mov	edx, [ebp+var_1C]
		mov	edi, [ebp+var_8]
		mov	eax, edi
		shl	eax, 9
		mov	[ebp+var_28], eax
		mov	ecx, [edx+ebx+24h]
		cmp	eax, ecx
		jnb	short loc_4572E9
		mov	eax, ecx

loc_4572E9:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+4D5j
		cmp	eax, [edx+ebx+28h]
		ja	loc_45771E
		test	byte ptr [ebx],	4
		jz	loc_457508
		mov	ebx, [ebp+var_14]
		lea	edx, [edi+3FA00000h]
		sar	edx, 3
		xor	esi, esi
		add	edx, edx
		mov	ecx, edx
		mov	al, [ebx+60h]
		and	ecx, 1Fh
		and	al, 7
		mov	[ebp+var_18], ecx
		cmp	al, 2
		jb	short loc_457388
		cmp	edi, 0C0603018h
		jz	short loc_457339
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_45737C
		cmp	edi, 0C0603010h
		jnz	short loc_45737C

loc_457339:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+513j
		cmp	al, 7
		jnz	short loc_45735D
		mov	[ebp+var_C], offset unk_6D2E58
		jmp	short loc_457368
; 

loc_457346:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+49Cj
		xor	eax, eax
		cmp	byte ptr [ebx+6], 21h
		jnz	loc_4572B8
		and	cl, 0FDh
		mov	[ebx+2], cl
		jmp	loc_4572C7
; 

loc_45735D:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+52Bj
		cmp	al, 5
		jnz	short loc_45737C
		mov	[ebp+var_C], offset unk_6D2E54

loc_457368:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+534j
		mov	eax, [ebp+var_C]
		mov	ecx, 0C0603018h
		sub	ecx, edi
		sar	ecx, 3
		add	ecx, ecx
		mov	[ebp+var_18], ecx
		jmp	short loc_4573A8
; 

loc_45737C:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+51Fj
					; MiWalkPageTablesRecursively(x,x,x)+527j ...
		shr	edx, 5
		lea	eax, unk_6D2C54[edx*4]
		jmp	short loc_4573A5
; 

loc_457388:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+50Bj
		shr	edx, 5
		test	al, al
		jnz	short loc_45739C
		mov	eax, [ebx+0Ch]
		lea	eax, [eax+edx*4]
		add	eax, 0D90h
		jmp	short loc_4573A5
; 

loc_45739C:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+57Dj
		lea	eax, [ebx+120h]
		lea	eax, [eax+edx*4]

loc_4573A5:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+576j
					; MiWalkPageTablesRecursively(x,x,x)+58Aj
		mov	[ebp+var_C], eax

loc_4573A8:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+56Aj
		mov	edx, [eax]
		mov	ebx, [ebp+var_C]

loc_4573AD:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+5D9j
					; MiWalkPageTablesRecursively(x,x,x)+5F3j ...
		mov	edi, 2
		shl	edi, cl

loc_4573B4:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+616j
		mov	eax, edx
		shr	eax, cl
		test	al, 1
		jz	short loc_457409
		test	al, 2
		jz	short loc_4573EB

loc_4573C0:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+5D7j
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jnz	short loc_4573DD
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_4573DD
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		mov	ecx, [ebp+var_18]
		jmp	short loc_4573DF
; 

loc_4573DD:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+5B7j
					; MiWalkPageTablesRecursively(x,x,x)+5C0j
		pause

loc_4573DF:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+5CBj
		mov	edx, [ebx]
		mov	eax, edx
		shr	eax, cl
		test	al, 1
		jnz	short loc_4573C0
		jmp	short loc_4573AD
; 

loc_4573EB:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+5AEj
		mov	edi, 2
		mov	eax, edx
		shl	edi, cl
		or	edi, edx
		mov	ecx, edi
		lock cmpxchg [ebx], ecx
		mov	ecx, [ebp+var_18]
		cmp	eax, edx
		mov	edx, edi
		jz	short loc_4573AD
		mov	edx, eax
		jmp	short loc_4573AD
; 

loc_457409:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+5AAj
		mov	eax, [ebp+var_18]
		mov	ecx, edx
		bts	ecx, eax
		mov	eax, edi
		not	eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jz	short loc_457428
		mov	ecx, [ebp+var_18]
		mov	edx, eax
		jmp	short loc_4573B4
; 

loc_457428:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+60Fj
		mov	eax, [ebp+var_8]
		mov	edi, [ebp+var_14]
		mov	ebx, [ebp+var_34]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	dl, [edi+60h]
		and	dl, 7
		lea	ecx, [eax-600000h]
		sar	ecx, 3
		add	ecx, ecx
		mov	esi, ecx
		and	esi, 1Fh
		cmp	dl, 2
		jb	short loc_4574AA
		cmp	eax, 603018h
		jz	short loc_45746E
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_45749E
		cmp	eax, 603010h
		jnz	short loc_45749E

loc_45746E:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+649j
		cmp	dl, 7
		jnz	short loc_457486
		mov	esi, 603018h
		mov	edi, offset unk_6D2E58
		sub	esi, eax
		sar	esi, 3
		add	esi, esi
		jmp	short loc_4574C8
; 

loc_457486:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+661j
		cmp	dl, 5
		jnz	short loc_45749E
		mov	esi, 603018h
		mov	edi, offset unk_6D2E54
		sub	esi, eax
		sar	esi, 3
		add	esi, esi
		jmp	short loc_4574C8
; 

loc_45749E:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+655j
					; MiWalkPageTablesRecursively(x,x,x)+65Cj ...
		shr	ecx, 5
		lea	edi, unk_6D2C54[ecx*4]
		jmp	short loc_4574C8
; 

loc_4574AA:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+642j
		shr	ecx, 5
		test	dl, dl
		jnz	short loc_4574BF
		mov	edi, [edi+0Ch]
		add	edi, 0D90h
		lea	edi, [edi+ecx*4]
		jmp	short loc_4574C8
; 

loc_4574BF:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+69Fj
		lea	edi, [edi+ecx*4]
		add	edi, 120h

loc_4574C8:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+674j
					; MiWalkPageTablesRecursively(x,x,x)+68Cj ...
		mov	edx, [edi]
		mov	ecx, esi
		mov	eax, 2
		shl	eax, cl
		mov	ecx, edx
		not	eax
		btr	ecx, esi
		mov	[ebp+var_2C], eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_457502
		lea	esp, [esp+0]

loc_4574F0:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+6F0j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, esi
		and	ecx, [ebp+var_2C]
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_4574F0

loc_457502:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+6D7j
		mov	eax, [ebp+var_8]
		mov	[ebx+1Ch], eax

loc_457508:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+4E6j
		mov	eax, [ebp+arg_0]
		mov	ecx, ebx
		mov	edx, [ebp+var_28]
		dec	eax
		push	eax
		xor	esi, esi
		call	_MiWalkPageTablesRecursively@12	; MiWalkPageTablesRecursively(x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_C], edi
		mov	ecx, [eax+ebx+2Ch]
		cmp	ecx, [ebp+var_8]
		jz	loc_4575F7
		mov	dx, [ebx]
		mov	eax, ecx
		and	eax, 0FFFh
		neg	eax
		sbb	eax, eax
		inc	eax
		mov	[ebp+var_2C], eax
		mov	eax, 4000h
		and	dx, ax
		jz	short loc_457578
		cmp	[ebp+var_8], ecx
		jnb	short loc_457578
		test	byte ptr [ebx+2], 1
		jnz	short loc_457569
		lea	edx, [esi+1]
		mov	ecx, ebx
		call	MiYieldPageTableWalk
		cmp	eax, 4
		jnz	short loc_457569
		mov	edi, eax
		mov	[ebp+var_C], edi

loc_457569:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+743j
					; MiWalkPageTablesRecursively(x,x,x)+752j
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax+ebx+2Ch]
		mov	[ebp+var_8], ecx
		jmp	loc_457965
; 

loc_457578:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+738j
					; MiWalkPageTablesRecursively(x,x,x)+73Dj
		mov	edi, [ebp+var_1C]
		mov	ecx, [ebp+var_8]
		add	edi, ebx
		mov	[ebx+24h], ecx
		mov	eax, ecx
		test	dx, dx
		jz	short loc_45758F
		cmp	ecx, [edi+2Ch]
		jbe	short loc_457592

loc_45758F:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+778j
		mov	[edi+2Ch], ecx

loc_457592:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+77Dj
		mov	esi, [ebp+arg_0]
		cmp	esi, 1
		jge	short loc_4575BF
		mov	edx, 1
		lea	ecx, [edi+34h]
		sub	edx, esi

loc_4575A4:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+7AAj
		shr	eax, 9
		lea	ecx, [ecx+8]
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ecx-8], eax
		sub	edx, 1
		jnz	short loc_4575A4
		mov	ecx, [ebp+var_8]

loc_4575BF:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+788j
		mov	eax, ecx
		test	esi, esi
		jz	loc_457696
		lea	ecx, [edi+24h]
		lea	esp, [esp+0]

loc_4575D0:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+7DFj
		shl	eax, 9
		mov	edx, eax
		mov	eax, 4000h
		test	[ebx], ax
		jz	short loc_4575E5
		mov	eax, [ecx]
		cmp	edx, eax
		jbe	short loc_4575E9

loc_4575E5:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+7CDj
		mov	[ecx], edx
		mov	eax, edx

loc_4575E9:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+7D3j
		sub	ecx, 8
		sub	esi, 1
		jnz	short loc_4575D0
		mov	esi, [ebp+var_2C]
		mov	edi, [ebp+var_C]

loc_4575F7:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+718j
		mov	ecx, [ebp+var_8]

loc_4575FA:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+88Cj
		cmp	edi, 3
		jge	loc_457965
		test	byte ptr [ebx+2], 1
		jnz	loc_457965
		test	byte ptr [ebx],	4
		jz	loc_45771B
		test	esi, esi
		jnz	loc_45779E
		mov	eax, ecx
		mov	ecx, [ebp+var_14]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		add	eax, 0C0000000h
		push	1
		mov	edx, eax
		mov	[ebp+var_28], eax
		call	MiLockPageTableInternal
		test	eax, eax
		jz	loc_45779E
		mov	edx, [ebp+var_8]
		mov	edi, [ebp+var_14]
		lea	ecx, [edx+3FA00000h]
		mov	al, [edi+60h]
		sar	ecx, 3
		and	al, 7
		add	ecx, ecx
		mov	esi, ecx
		and	esi, 1Fh
		cmp	al, 2
		jb	short loc_4576C4
		cmp	edx, 0C0603018h
		jz	short loc_45767F
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_4576B8
		cmp	edx, 0C0603010h
		jnz	short loc_4576B8

loc_45767F:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+859j
		cmp	al, 7
		jnz	short loc_4576A1
		mov	esi, 0C0603018h
		mov	edi, offset unk_6D2E58
		sub	esi, edx
		sar	esi, 3
		add	esi, esi
		jmp	short loc_4576E2
; 

loc_457696:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+7B3j
		mov	esi, [ebp+var_2C]
		mov	edi, [ebp+var_C]
		jmp	loc_4575FA
; 

loc_4576A1:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+871j
		cmp	al, 5
		jnz	short loc_4576B8
		mov	esi, 0C0603018h
		mov	edi, offset unk_6D2E54
		sub	esi, edx
		sar	esi, 3
		add	esi, esi
		jmp	short loc_4576E2
; 

loc_4576B8:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+865j
					; MiWalkPageTablesRecursively(x,x,x)+86Dj ...
		shr	ecx, 5
		lea	edi, unk_6D2C54[ecx*4]
		jmp	short loc_4576E2
; 

loc_4576C4:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+851j
		shr	ecx, 5
		test	al, al
		jnz	short loc_4576D9
		mov	edi, [edi+0Ch]
		add	edi, 0D90h
		lea	edi, [edi+ecx*4]
		jmp	short loc_4576E2
; 

loc_4576D9:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+8B9j
		lea	edi, [edi+ecx*4]
		add	edi, 120h

loc_4576E2:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+884j
					; MiWalkPageTablesRecursively(x,x,x)+8A6j ...
		mov	edx, [edi]
		mov	ecx, esi
		mov	eax, 2
		shl	eax, cl
		mov	ecx, edx
		not	eax
		btr	ecx, esi
		mov	[ebp+var_2C], eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_457715

loc_457703:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+903j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, esi
		and	ecx, [ebp+var_2C]
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_457703

loc_457715:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+8F1j
		mov	eax, [ebp+var_28]
		mov	[ebx+1Ch], eax

loc_45771B:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+47Aj
					; MiWalkPageTablesRecursively(x,x,x)+48Bj ...
		mov	edi, [ebp+var_8]

loc_45771E:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+4DDj
		test	byte ptr [ebx],	1
		mov	ecx, [ebp+arg_0]
		jnz	loc_45780C
		test	ecx, ecx
		jnz	loc_45780C
		mov	eax, [ebp+var_14]
		lea	edx, [ecx+2]
		mov	esi, edi
		shr	esi, 3
		and	esi, 0FFFFFh
		movzx	eax, byte ptr [eax+60h]
		and	eax, 7
		add	esi, dword_6D2E68[eax*4]
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_44], eax
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_40], eax

loc_457773:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+988j
		mov	eax, [ebp+edx*4+var_48]
		dec	edx
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		mov	[ebp+var_2C], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_4577E7
		and	ecx, 80h
		or	ecx, 0
		jnz	short loc_4577D6
		test	edx, edx
		jnz	short loc_457773
		mov	al, [esi]
		jmp	short loc_4577E9
; 

loc_45779E:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+808j
					; MiWalkPageTablesRecursively(x,x,x)+82Ej
		mov	edx, 1
		mov	ecx, ebx
		call	MiYieldPageTableWalk
		cmp	eax, 4
		jnz	short loc_4577B4
		mov	edi, eax
		mov	[ebp+var_C], edi

loc_4577B4:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+99Dj
		mov	ecx, [ebp+var_8]
		jmp	loc_457965
; 

loc_4577BC:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+4B1j
					; MiWalkPageTablesRecursively(x,x,x)+4BBj
		cmp	eax, 4
		jnz	short loc_4577C6
		mov	edi, eax
		mov	[ebp+var_C], edi

loc_4577C6:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+9AFj
		mov	ecx, [ebp+var_8]
		mov	edx, 1
		mov	[ebp+var_10], edx
		jmp	loc_457970
; 

loc_4577D6:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+984j
		lea	eax, [esi+40000000h]
		cmp	eax, offset loc_7FFFFF
		jbe	short loc_4577E7
		mov	al, [esi]
		jmp	short loc_4577E9
; 

loc_4577E7:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+979j
					; MiWalkPageTablesRecursively(x,x,x)+9D1j
		mov	al, 0Ah

loc_4577E9:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+98Cj
					; MiWalkPageTablesRecursively(x,x,x)+9D5j
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_45789C
		cmp	al, 9
		jz	loc_45789C
		cmp	al, 8
		jnz	short loc_457809
		cmp	word ptr [ebx],	0
		jge	loc_45789C

loc_457809:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+9EDj
		mov	ecx, [ebp+arg_0]

loc_45780C:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+914j
					; MiWalkPageTablesRecursively(x,x,x)+91Cj
		mov	eax, [ebx+24h]
		lea	edx, ds:0[ecx*8]
		test	eax, eax
		jz	short loc_457827
		cmp	eax, [edx+ebx+2Ch]
		jnz	short loc_457827
		mov	dword ptr [ebx+24h], 0

loc_457827:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+A08j
					; MiWalkPageTablesRecursively(x,x,x)+A0Ej
		mov	eax, [ebx+20h]
		test	eax, eax
		jz	short loc_45783B
		cmp	eax, [edx+ebx+2Ch]
		jnz	short loc_45783B
		mov	dword ptr [ebx+20h], 0

loc_45783B:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+A1Cj
					; MiWalkPageTablesRecursively(x,x,x)+A22j
		cmp	ecx, 1
		jl	short loc_45784E
		mov	eax, [ebp+var_14]
		test	byte ptr [eax+60h], 7
		jz	short loc_45784E
		test	byte ptr [ebx],	1
		jz	short loc_45789C

loc_45784E:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+A2Ej
					; MiWalkPageTablesRecursively(x,x,x)+A37j
		test	byte ptr [ebx],	40h
		jnz	short loc_45789C
		push	ecx
		push	edi
		push	ebx
		call	[ebp+var_3C]
		mov	edi, eax
		mov	[ebp+var_C], eax
		cmp	edi, 1
		jnz	short loc_457870
		mov	ecx, [ebp+var_8]
		xor	edi, edi
		mov	[ebp+var_C], edi
		jmp	loc_457957
; 

loc_457870:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+A51j
		cmp	edi, 2
		jnz	short loc_4578A1
		xor	edi, edi
		mov	ecx, ebx
		mov	[ebp+var_C], edi
		lea	edx, [edi+1]
		call	MiYieldPageTableWalk
		mov	ecx, [ebx+28h]
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		mov	ecx, [ebp+var_8]
		mov	edx, 1
		mov	[ebp+var_10], edx
		jmp	loc_45795A
; 

loc_45789C:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x):loc_456F93j
					; MiWalkPageTablesRecursively(x,x,x)+471j ...
		xor	edi, edi
		mov	[ebp+var_C], edi

loc_4578A1:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+A63j
		movzx	eax, byte ptr [ebx+3]
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+arg_0]
		mov	byte ptr [ebx+3], 0
		lea	ecx, [ecx+eax*8]
		add	ecx, 8
		mov	[ebp+var_8], ecx
		test	edx, edx
		jnz	short loc_4578CC
		test	ecx, 0FFFh
		jz	short loc_4578CC
		mov	[ebx+2Ch], ecx
		jmp	loc_457954
; 

loc_4578CC:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+AAAj
					; MiWalkPageTablesRecursively(x,x,x)+AB2j
		lea	edi, ds:0[edx*8]
		mov	esi, 4000h
		add	edi, ebx
		mov	eax, ecx
		test	[ebx], si
		jz	short loc_4578E6
		cmp	ecx, [edi+2Ch]
		jbe	short loc_4578E9

loc_4578E6:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+ACFj
		mov	[edi+2Ch], ecx

loc_4578E9:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+AD4j
		cmp	edx, 1
		jge	short loc_45791E
		mov	edx, 1
		lea	ecx, [edi+34h]
		sub	edx, [ebp+arg_0]
		lea	esp, [esp+0]

loc_457900:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+B06j
		shr	eax, 9
		lea	ecx, [ecx+8]
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ecx-8], eax
		sub	edx, 1
		jnz	short loc_457900
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+arg_0]

loc_45791E:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+ADCj
		mov	eax, ecx
		mov	esi, edx
		test	edx, edx
		jz	short loc_457954
		lea	ecx, [edi+24h]
		lea	esp, [esp+0]

loc_457930:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+B3Fj
		shl	eax, 9
		mov	edx, eax
		mov	eax, 4000h
		test	[ebx], ax
		jz	short loc_457945
		mov	eax, [ecx]
		cmp	edx, eax
		jbe	short loc_457949

loc_457945:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+B2Dj
		mov	[ecx], edx
		mov	eax, edx

loc_457949:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+B33j
		sub	ecx, 8
		sub	esi, 1
		jnz	short loc_457930
		mov	ecx, [ebp+var_8]

loc_457954:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+AB7j
					; MiWalkPageTablesRecursively(x,x,x)+B14j
		mov	edi, [ebp+var_C]

loc_457957:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+A5Bj
		mov	edx, [ebp+var_10]

loc_45795A:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+A87j
		test	byte ptr [ebx+2], 1
		jnz	short loc_457965
		cmp	edi, 3
		jl	short loc_45796D

loc_457965:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+40Aj
					; MiWalkPageTablesRecursively(x,x,x)+42Fj ...
		mov	edx, 1
		mov	[ebp+var_10], edx

loc_45796D:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+B53j
		mov	esi, [ebp+arg_0]

loc_457970:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+9C1j
		cmp	ecx, [ebp+var_20]
		jbe	loc_456EA0
		jmp	loc_457029
; 

loc_45797E:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+24Aj
		xor	ecx, ecx
		cmp	byte ptr [ebx+6], 21h
		mov	[ebp+arg_0], ecx
		jnz	loc_45706B
		and	al, 0FDh
		mov	[ebx+2], al
		jmp	loc_457074
; 

loc_457997:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+2B8j
		cmp	al, 5
		jnz	short loc_4579AE
		mov	esi, 0C0603018h
		mov	edi, offset unk_6D2E54
		sub	esi, edx
		sar	esi, 3
		add	esi, esi
		jmp	short loc_4579D8
; 

loc_4579AE:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+2A4j
					; MiWalkPageTablesRecursively(x,x,x)+2B0j ...
		shr	ecx, 5
		lea	edi, unk_6D2C54[ecx*4]
		jmp	short loc_4579D8
; 

loc_4579BA:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+28Cj
		shr	ecx, 5
		test	al, al
		jnz	short loc_4579CF
		mov	edi, [edi+0Ch]
		add	edi, 0D90h
		lea	edi, [edi+ecx*4]
		jmp	short loc_4579D8
; 

loc_4579CF:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+BAFj
		lea	edi, [edi+ecx*4]
		add	edi, 120h

loc_4579D8:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+2CFj
					; MiWalkPageTablesRecursively(x,x,x)+B9Cj ...
		mov	edx, [edi]
		mov	ecx, esi
		mov	eax, 2
		shl	eax, cl
		mov	ecx, edx
		not	eax
		btr	ecx, esi
		mov	[ebp+var_3C], eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_457A12
		lea	esp, [esp+0]

loc_457A00:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+C00j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, esi
		and	ecx, [ebp+var_3C]
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_457A00

loc_457A12:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+BE7j
		mov	ecx, [ebp+arg_0]
		mov	dword ptr [ebx+1Ch], 0

loc_457A1C:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+26Cj
		mov	edi, 4
		cmp	ecx, 4
		jz	short loc_457A29

loc_457A26:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+22Cj
					; MiWalkPageTablesRecursively(x,x,x)+23Aj
		mov	edi, [ebp+var_C]

loc_457A29:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+C14j
		test	byte ptr [ebx+2], 1
		jz	loc_457AB8
		test	byte ptr [ebx],	4
		mov	ecx, [ebp+var_14]
		jz	short loc_457A4F
		call	MiLockWorkingSetShared
		and	byte ptr [ebx+2], 0FEh
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_457A4F:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+C29j
		mov	al, [ecx+60h]
		mov	esi, offset unk_6D3C40
		and	al, 7
		cmp	al, 2
		jz	short loc_457A63
		lea	esi, [ecx+80h]

loc_457A63:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+C4Bj
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	eax, [ebp+var_38]
		mov	dword ptr [esi+4], 0
		test	[ebx], ax
		jz	short loc_457A82
		push	offset dword_6D2E64
		call	ExAcquireSpinLockExclusiveAtDpcLevel

loc_457A82:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+C66j
		and	byte ptr [ebx+2], 0FEh
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_457A91:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+224j
		test	cl, cl
		jnz	short loc_457AB8
		mov	ecx, [ebx+44h]
		or	al, 2
		mov	[ebx+2], al
		test	ecx, ecx
		jz	short loc_457AC3
		push	ebx
		call	ecx
		mov	ecx, eax
		mov	al, [ebx+2]

loc_457AA9:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+CB9j
		and	al, 0FDh
		mov	[ebx+2], al
		mov	eax, 4
		cmp	ecx, 4
		jz	short loc_457ABA

loc_457AB8:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+C1Dj
					; MiWalkPageTablesRecursively(x,x,x)+C83j
		mov	eax, edi

loc_457ABA:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+CA6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_457AC3:				; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+C8Fj
		xor	ecx, ecx
		cmp	byte ptr [ebx+6], 21h
		jnz	short loc_457AA9
		and	al, 0FDh
		mov	[ebx+2], al
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiWalkPageTablesRecursively@12	endp

; 
		align 4
off_457ADC	dd offset loc_456F6E	; DATA XREF: MiWalkPageTablesRecursively(x,x,x)+157r
		dd offset loc_456F78	; jump table for switch	statement
		dd offset loc_456F84
		dd offset loc_456F90
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputePxeWalkAction proc near	; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+467p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B0694 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [edx]
		push	edi
		mov	edi, ecx
		nop
		mov	ebx, [edx+4]
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jnz	short loc_457B1B
		test	byte ptr [edi],	1
		jnz	short loc_457B30

loc_457B10:				; CODE XREF: MiComputePxeWalkAction+87j
					; MiComputePxeWalkAction+142j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_457B1B:				; CODE XREF: MiComputePxeWalkAction+19j
		mov	eax, 4000h
		test	[edi], ax
		jnz	loc_457BDB

loc_457B29:				; CODE XREF: MiComputePxeWalkAction+12Bj
					; MiComputePxeWalkAction+139j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_457B3E

loc_457B30:				; CODE XREF: MiComputePxeWalkAction+1Ej
					; MiComputePxeWalkAction+CDj ...
		pop	edi
		pop	esi
		mov	eax, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_457B3E:				; CODE XREF: MiComputePxeWalkAction+3Ej
		mov	ecx, [edi+24h]
		mov	[ebp+var_4], 1
		test	ecx, ecx
		jnz	loc_457C46

loc_457B50:				; CODE XREF: MiComputePxeWalkAction+15Aj
					; MiComputePxeWalkAction+16Ej
		mov	ecx, [edi+20h]
		test	ecx, ecx
		jz	short loc_457B61
		cmp	ecx, [edi+eax*8+2Ch]
		jz	loc_5B0694

loc_457B61:				; CODE XREF: MiComputePxeWalkAction+65j
					; MiComputePxeWalkAction+158BB2j
		mov	eax, esi
		and	eax, 80h
		or	eax, 0
		jnz	loc_457C63
		cmp	edx, 0C0603018h
		jz	short loc_457B10
		cmp	edx, 0C0603010h
		jz	loc_5B06A7

loc_457B85:				; CODE XREF: MiComputePxeWalkAction+158BC1j
		mov	eax, 200h
		test	[edi], ax
		jnz	loc_457C7A

loc_457B93:				; CODE XREF: MiComputePxeWalkAction+195j
					; MiComputePxeWalkAction+1B4j
		test	byte ptr [edi],	1
		jnz	short loc_457BC3
		nop
		mov	eax, ds:_MmPfnDatabase
		shrd	esi, ebx, 0Ch
		and	esi, 1FFFFFFh
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		mov	eax, [eax+ecx*4+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jz	loc_457B30

loc_457BC3:				; CODE XREF: MiComputePxeWalkAction+A6j
		cmp	[ebp+var_4], 0
		jz	loc_457B30
		pop	edi
		pop	esi
		mov	eax, 2
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_457BDB:				; CODE XREF: MiComputePxeWalkAction+33j
		nop
		mov	ecx, esi
		mov	eax, ebx
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+arg_0]
		and	ecx, 1FFFFFFh
		cmp	ecx, dword_6D3518[eax*4]
		jz	short loc_457C2F
		nop
		mov	ecx, esi
		mov	eax, ebx
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+arg_0]
		and	ecx, 1FFFFFFh
		cmp	ecx, dword_6D3510[eax*4]
		jz	short loc_457C2F
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jnz	loc_457B29
		mov	eax, esi
		and	eax, 42h
		or	eax, 0
		jnz	loc_457B29

loc_457C2F:				; CODE XREF: MiComputePxeWalkAction+104j
					; MiComputePxeWalkAction+11Fj
		test	byte ptr [edi],	1
		jz	loc_457B10
		pop	edi
		pop	esi
		mov	eax, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_457C46:				; CODE XREF: MiComputePxeWalkAction+5Aj
		cmp	ecx, [edi+eax*8+2Ch]
		jnz	loc_457B50
		mov	[ebp+var_4], 0
		mov	dword ptr [edi+24h], 0
		jmp	loc_457B50
; 

loc_457C63:				; CODE XREF: MiComputePxeWalkAction+7Bj
		test	byte ptr [edi],	1
		jz	loc_457B10
		pop	edi
		pop	esi
		mov	eax, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_457C7A:				; CODE XREF: MiComputePxeWalkAction+9Dj
		mov	eax, dword_6D3518
		cmp	eax, dword_6D351C
		jz	loc_457B93
		nop
		mov	ecx, esi
		mov	eax, ebx
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+arg_0]
		and	ecx, 1FFFFFFh
		cmp	ecx, dword_6D3518[eax*4]
		jnz	loc_457B93
		jmp	loc_457B10
MiComputePxeWalkAction endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAgePte(x,	x, x)
_MiAgePte@12	proc near		; DATA XREF: MiAgeWorkingSet+2D1o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax+10h]
		mov	esi, [eax+48h]
		mov	[ebp+var_14], ecx
		mov	ebx, [ecx+0Ch]
		cmp	byte ptr [esi+6], 1
		jnz	loc_457DFE
		mov	byte ptr [esi+6], 0
		mov	ebx, [ecx+0Ch]
		mov	edi, [ecx+48h]
		mov	eax, [ebx+14h]
		cmp	edi, eax
		jbe	loc_457F75
		sub	edi, eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_4], eax
		mov	eax, [esi]
		mov	[ebp+var_C], eax
		test	al, 4
		jz	short loc_457D01
		xor	eax, eax
		jmp	loc_457DCD
; 

loc_457D01:				; CODE XREF: MiAgePte(x,x,x)+48j
		mov	al, [ecx+60h]
		and	al, 7
		mov	[ebp+var_18], 0
		cmp	al, 2
		jnz	short loc_457D18
		mov	ecx, offset unk_6D3C80
		jmp	short loc_457D1E
; 

loc_457D18:				; CODE XREF: MiAgePte(x,x,x)+5Fj
		add	ecx, 0C0h

loc_457D1E:				; CODE XREF: MiAgePte(x,x,x)+66j
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_20], 0
		jz	short loc_457D3D
		mov	edx, ecx
		lea	ecx, [ebp+var_20]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_457D4E
; 

loc_457D3D:				; CODE XREF: MiAgePte(x,x,x)+7Fj
		lea	edx, [ebp+var_20]
		xchg	edx, [ecx]
		test	edx, edx
		jz	short loc_457D4E
		lea	ecx, [ebp+var_20]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_457D4E:				; CODE XREF: MiAgePte(x,x,x)+8Bj
					; MiAgePte(x,x,x)+94j
		xor	edx, edx
		test	byte ptr [ebp+var_C], 2
		jz	short loc_457D6B
		mov	ecx, [ebx+0Ch]
		mov	[ebp+var_8], ecx
		add	ecx, edi
		mov	eax, ecx
		mov	[ebp+var_C], ecx
		div	[ebp+var_4]
		mov	[ebx+0Ch], edx
		jmp	short loc_457D7C
; 

loc_457D6B:				; CODE XREF: MiAgePte(x,x,x)+A4j
		mov	eax, [ebx+10h]
		mov	[ebp+var_8], eax
		add	eax, edi
		mov	[ebp+var_C], eax
		div	[ebp+var_4]
		mov	[ebx+10h], edx

loc_457D7C:				; CODE XREF: MiAgePte(x,x,x)+B9j
		test	ds:byte_70EFC6,	1
		jz	short loc_457D92
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_20]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_457DC3
; 

loc_457D92:				; CODE XREF: MiAgePte(x,x,x)+D3j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_457DB1
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_20]
		cmp	eax, ecx
		jz	short loc_457DC3
		call	KxWaitForLockChainValid

loc_457DB1:				; CODE XREF: MiAgePte(x,x,x)+E7j
		mov	[ebp+var_20], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_457DC3:				; CODE XREF: MiAgePte(x,x,x)+E0j
					; MiAgePte(x,x,x)+FAj
		cmp	[ebp+var_C], edi
		sbb	eax, eax
		not	eax
		and	eax, [ebp+var_8]

loc_457DCD:				; CODE XREF: MiAgePte(x,x,x)+4Cj
		lea	ecx, [eax+edi]
		mov	eax, 10624DD3h
		imul	ecx, [ebp+var_4]
		mul	ecx
		shr	edx, 6
		cmp	edx, edi
		jbe	short loc_457DF2
		mov	ecx, [ebp+var_4]
		mov	eax, 10624DD3h
		imul	ecx, edi
		mul	ecx
		shr	edx, 6

loc_457DF2:				; CODE XREF: MiAgePte(x,x,x)+130j
		mov	[esi+20h], edx
		cmp	[esi+1Ch], edx
		jnb	loc_457F75

loc_457DFE:				; CODE XREF: MiAgePte(x,x,x)+1Ej
		mov	eax, [ebp+arg_4]
		shl	eax, 9
		mov	[ebp+arg_4], eax
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_10], 0
		sub	eax, 40000000h
		mov	[ebp+var_C], 0
		mov	[ebp+var_4], eax
		mov	edi, [eax]
		nop
		mov	eax, [eax+4]
		mov	[ebp+var_8], eax
		nop
		mov	edx, edi
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		cmp	[ebp+arg_8], 0
		mov	edx, [ebp+var_4]
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_C], eax
		lea	ecx, [edx+8]
		jz	short loc_457E83
		shl	ecx, 9
		mov	eax, ecx
		shl	eax, 9
		cmp	eax, 0C0000000h
		jb	short loc_457E83
		lea	ebx, [ebx+0]

loc_457E70:				; CODE XREF: MiAgePte(x,x,x)+1D1j
		cmp	eax, 0C07FFFFFh
		ja	short loc_457E83
		mov	ecx, eax
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	short loc_457E70

loc_457E83:				; CODE XREF: MiAgePte(x,x,x)+1A9j
					; MiAgePte(x,x,x)+1B8j	...
		mov	eax, [esi]
		test	al, 2
		jz	short loc_457E8E
		mov	[ebx+8], ecx
		jmp	short loc_457E95
; 

loc_457E8E:				; CODE XREF: MiAgePte(x,x,x)+1D7j
		test	al, 4
		jnz	short loc_457E95
		mov	[ebx+4], ecx

loc_457E95:				; CODE XREF: MiAgePte(x,x,x)+1DCj
					; MiAgePte(x,x,x)+1E0j
		cmp	[ebp+arg_8], 0
		jz	short loc_457EC4
		mov	eax, [ebp+var_C]
		mov	eax, [eax+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	short loc_457EB9
		mov	ebx, [ebp+var_14]
		mov	ecx, ebx
		call	_MiIsPageTableLocked@8 ; MiIsPageTableLocked(x,x)
		test	eax, eax
		jz	short loc_457EC9

loc_457EB9:				; CODE XREF: MiAgePte(x,x,x)+1F9j
					; MiAgePte(x,x,x)+2BFj
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_457EC4:				; CODE XREF: MiAgePte(x,x,x)+1E9j
		mov	ebx, [ebp+var_14]
		jmp	short loc_457ECC
; 

loc_457EC9:				; CODE XREF: MiAgePte(x,x,x)+207j
		mov	edx, [ebp+var_4]

loc_457ECC:				; CODE XREF: MiAgePte(x,x,x)+217j
		mov	eax, [ebp+var_C]
		test	dword ptr [eax+18h], 800000h
		jnz	short loc_457EFE
		mov	eax, [eax+4]
		test	eax, eax
		js	short loc_457EFE
		jz	short loc_457EFE
		or	eax, 80000000h
		mov	ecx, ebx
		push	eax
		call	_MiDemoteCombinedPte@12	; MiDemoteCombinedPte(x,x,x)
		mov	ecx, [ebp+var_4]
		cmp	eax, 1
		jnz	short loc_457F01
		mov	edi, [ecx]
		nop
		mov	eax, [ecx+4]
		jmp	short loc_457F04
; 

loc_457EFE:				; CODE XREF: MiAgePte(x,x,x)+226j
					; MiAgePte(x,x,x)+22Dj	...
		mov	ecx, [ebp+var_4]

loc_457F01:				; CODE XREF: MiAgePte(x,x,x)+244j
		mov	eax, [ebp+var_8]

loc_457F04:				; CODE XREF: MiAgePte(x,x,x)+24Cj
		mov	edx, [ebp+arg_4]
		shrd	edi, eax, 5
		and	edi, 1
		mov	eax, edi
		or	eax, 0
		jz	short loc_457F43
		mov	eax, [esi+0C0h]
		test	eax, eax
		jz	short loc_457F43
		cmp	edx, ds:_MmHighestUserAddress
		ja	short loc_457F43
		mov	ecx, eax
		call	_MiInsertVmAccessedEntry@8 ; MiInsertVmAccessedEntry(x,x)
		test	eax, eax
		jz	short loc_457F66
		push	[ebp+arg_0]
		call	MiAgeWorkingSetTail
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_457F43:				; CODE XREF: MiAgePte(x,x,x)+263j
					; MiAgePte(x,x,x)+26Dj	...
		xor	eax, eax
		or	edi, eax
		jz	short loc_457F4E
		mov	eax, 1

loc_457F4E:				; CODE XREF: MiAgePte(x,x,x)+297j
		test	byte ptr [esi],	3
		jz	short loc_457F56
		or	eax, 2

loc_457F56:				; CODE XREF: MiAgePte(x,x,x)+2A1j
		push	eax
		mov	eax, [ebp+var_C]
		push	esi
		push	eax
		push	edx
		mov	edx, ecx
		mov	ecx, ebx
		call	_MiAgePteWorker@24 ; MiAgePteWorker(x,x,x,x,x,x)

loc_457F66:				; CODE XREF: MiAgePte(x,x,x)+280j
		inc	dword ptr [esi+1Ch]
		mov	eax, [esi+1Ch]
		cmp	eax, [esi+20h]
		jb	loc_457EB9

loc_457F75:				; CODE XREF: MiAgePte(x,x,x)+33j
					; MiAgePte(x,x,x)+148j
		pop	edi
		pop	esi
		mov	eax, 3
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MiAgePte@12	endp

; 
		align 10h

; __stdcall MiAgePteWorker(x, x, x, x, x, x)
_MiAgePteWorker@24:			; CODE XREF: MiAgePte(x,x,x)+2B1p
					; MiAgeWorkingSetEPTCallback(x,x,x,x,x)+7Bp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+8]
		mov	ebx, ecx
		mov	[esp+14h], edx
		lea	eax, [edi+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_457FED
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	ecx, [eax+ecx*4]
		shr	ecx, 1
		and	cl, 7
		jmp	short loc_458010
; 

loc_457FED:				; CODE XREF: .text:00457FB2j
		movzx	eax, byte ptr [ebx+60h]
		and	eax, 7
		mov	ecx, dword_6D2E68[eax*4]
		mov	eax, edi
		shr	eax, 0Ch
		add	ecx, eax
		mov	al, [ecx]
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_458222
		mov	cl, al

loc_458010:				; CODE XREF: .text:00457FEBj
		test	byte ptr [ebp+14h], 1
		jz	loc_4580DA
		lea	eax, [ecx-1]
		cmp	al, 5
		ja	short loc_458030
		push	0
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	MiSetVaAgeList
		jmp	short loc_458035
; 

loc_458030:				; CODE XREF: .text:0045801Fj
		cmp	cl, 7
		jz	short loc_458054

loc_458035:				; CODE XREF: .text:0045802Ej
		mov	ecx, [ebp+0Ch]
		mov	al, [ecx+17h]
		test	al, 8
		jnz	short loc_458057
		movzx	eax, al
		and	eax, 7
		cmp	eax, 5
		jnb	short loc_458057
		mov	edx, 5
		call	MiLockSetPfnPriority

loc_458054:				; CODE XREF: .text:00458033j
		mov	ecx, [ebp+0Ch]

loc_458057:				; CODE XREF: .text:0045803Dj
					; .text:00458048j
		mov	eax, [ebp+14h]
		xor	esi, esi
		mov	edi, [ebp+10h]
		xor	edx, edx
		test	al, 2
		jz	short loc_45806A
		mov	esi, [edi+24h]
		jmp	short loc_458073
; 

loc_45806A:				; CODE XREF: .text:00458063j
		test	al, 4
		jz	short loc_458073
		mov	edx, 1

loc_458073:				; CODE XREF: .text:00458068j
					; .text:0045806Cj
		mov	eax, dword_6D3154
		push	edx
		push	eax
		push	esi
		push	dword ptr [esp+20h]
		mov	edx, ecx
		mov	ecx, ebx
		call	_MiClearPteAccessed@24 ; MiClearPteAccessed(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_45808F
		inc	dword ptr [edi+14h]

loc_45808F:				; CODE XREF: .text:0045808Aj
		test	esi, esi
		jz	loc_4581F0
		mov	eax, [esi+0Ch]
		mov	ecx, dword_6D0748
		cmp	eax, [esi+8]
		jnb	short loc_4580B4
		cmp	byte ptr [esi+5], 0
		jnz	short loc_4580B4
		cmp	[esi+10h], ecx
		jbe	loc_4581F0

loc_4580B4:				; CODE XREF: .text:004580A3j
					; .text:004580A9j
		cmp	ecx, 400h
		jb	loc_4581F0
		cmp	byte ptr [esi+5], 0
		jnz	loc_4581F0
		mov	ecx, esi
		call	MiFlushTbList
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4580DA:				; CODE XREF: .text:00458014j
		mov	eax, [ebp+0Ch]
		mov	al, [eax+17h]
		test	al, 8
		jz	short loc_4580EB
		mov	eax, 5
		jmp	short loc_4580F1
; 

loc_4580EB:				; CODE XREF: .text:004580E2j
		movzx	eax, al
		and	eax, 7

loc_4580F1:				; CODE XREF: .text:004580E9j
		mov	esi, [ebp+10h]
		mov	[esp+14h], eax
		cmp	cl, 6
		jnb	short loc_458126
		cmp	eax, 5
		jnb	short loc_458109
		mov	byte ptr [esp+10h], 6
		jmp	short loc_458114
; 

loc_458109:				; CODE XREF: .text:00458100j
		test	byte ptr [esi],	1
		jz	short loc_458126
		inc	cl
		mov	[esp+10h], cl

loc_458114:				; CODE XREF: .text:00458107j
		push	dword ptr [esp+10h]
		mov	edx, edi
		mov	ecx, ebx
		push	1
		call	MiSetVaAgeList
		inc	dword ptr [esi+10h]

loc_458126:				; CODE XREF: .text:004580FBj
					; .text:0045810Cj
		mov	ecx, [ebp+0Ch]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_458137
		mov	dl, [esi+5]
		jmp	short loc_45813A
; 

loc_458137:				; CODE XREF: .text:00458130j
		mov	dl, [esi+4]

loc_45813A:				; CODE XREF: .text:00458135j
		mov	[esp+0Fh], dl
		test	dl, dl
		jnz	short loc_458147
		mov	byte ptr [esp+0Fh], 7

loc_458147:				; CODE XREF: .text:00458140j
		mov	dl, [ebx+60h]
		mov	al, dl
		and	al, 7
		cmp	al, 3
		jnz	short loc_458174
		mov	eax, [ecx+18h]
		and	eax, 70000000h
		cmp	eax, 40000000h
		jnz	short loc_458174
		mov	eax, [ecx+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	short loc_458174
		cmp	[ecx+14h], ax
		jz	short loc_4581CB

loc_458174:				; CODE XREF: .text:00458150j
					; .text:0045815Fj ...
		test	byte ptr [esi],	3
		jz	short loc_4581F0
		lea	eax, [edi+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_4581F9
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	eax, [eax+ecx*4]
		shr	eax, 1
		and	al, 7

loc_4581BC:				; CODE XREF: .text:00458211j
		cmp	al, [esp+0Fh]
		jnb	short loc_4581CB
		mov	eax, [esp+14h]
		cmp	eax, [esi+8]
		jnb	short loc_4581F0

loc_4581CB:				; CODE XREF: .text:00458172j
					; .text:004581C0j
		inc	dword ptr [esi+18h]
		lea	ecx, [esi+28h]
		push	0
		push	1
		mov	edx, edi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	eax, [esi+34h]
		cmp	eax, [esi+30h]
		jnz	short loc_4581F0
		push	0
		lea	edx, [esi+28h]
		mov	ecx, ebx
		call	MiFreeWsleList

loc_4581F0:				; CODE XREF: .text:00458091j
					; .text:004580AEj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4581F9:				; CODE XREF: .text:00458184j
		movzx	eax, dl
		mov	ecx, edi
		and	eax, 7
		shr	ecx, 0Ch
		add	ecx, dword_6D2E68[eax*4]
		mov	al, [ecx]
		and	al, 0Fh
		cmp	al, 0Ah
		jnz	short loc_4581BC
		push	ecx
		push	ebx
		push	edi
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_458222:				; CODE XREF: .text:00458008j
		push	ecx
		push	ebx
		push	edi
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetNextPageTablePte proc near		; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+41Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B06BC SIZE 00000129 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], ebx
		mov	edx, [esi]
		nop
		mov	ecx, [esi+4]
		mov	eax, edx
		or	eax, ecx
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_14], ecx
		jz	loc_458472
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	short loc_4582D2
		cmp	esi, 0C0603018h
		jz	loc_45847F
		cmp	esi, 0C0603010h
		jz	loc_5B06DF

loc_45828D:				; CODE XREF: MiGetNextPageTablePte+1584A9j
		mov	eax, edx
		and	eax, 80h
		or	eax, 0
		jnz	loc_458494
		mov	eax, 200h
		test	[ebx], ax
		jnz	loc_5B06F4

loc_4582AB:				; CODE XREF: MiGetNextPageTablePte+1584BFj
					; MiGetNextPageTablePte+1584DDj
		movzx	eax, byte ptr [ebx+2]
		shr	eax, 2
		and	eax, 7
		cmp	edi, eax
		jg	loc_458486
		movzx	eax, word ptr [ebx]
		test	al, 40h
		jnz	short loc_45832F

loc_4582C4:				; CODE XREF: MiGetNextPageTablePte+9Dj
					; MiGetNextPageTablePte+E8j ...
		mov	eax, 1

loc_4582C9:				; CODE XREF: MiGetNextPageTablePte+241j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4582D2:				; CODE XREF: MiGetNextPageTablePte+33j
		cmp	edi, 1
		jge	loc_4584FF

loc_4582DB:				; CODE XREF: MiGetNextPageTablePte+2C8j
		test	edi, edi
		jz	short loc_4582C4
		test	byte ptr [ebx],	80h
		jnz	loc_45847F
		mov	ecx, [ebx+0Ch]
		test	ecx, ecx
		jz	short loc_4582F4
		call	MiFlushTbList

loc_4582F4:				; CODE XREF: MiGetNextPageTablePte+ADj
		mov	eax, [ebx+44h]
		test	eax, eax
		jz	short loc_4582FE
		push	ebx
		call	eax

loc_4582FE:				; CODE XREF: MiGetNextPageTablePte+B9j
		test	byte ptr [ebx+2], 1
		jnz	short loc_45830B
		mov	ecx, ebx
		call	MiReleaseWalkLocks

loc_45830B:				; CODE XREF: MiGetNextPageTablePte+C2j
		mov	eax, [ebx+8]
		push	0
		push	0
		shl	eax, 19h
		shl	esi, 9
		or	eax, 1000002h
		push	esi
		push	eax
		call	MmAccessFault
		mov	edi, eax
		test	edi, edi
		jns	short loc_4582C4
		jmp	loc_5B06BC
; 

loc_45832F:				; CODE XREF: MiGetNextPageTablePte+82j
		mov	edx, [ebx+48h]
		mov	[ebp+var_14], edx
		test	al, 4
		jz	loc_458442
		mov	edx, [ebx+10h]
		lea	ecx, [esi+3FA00000h]
		sar	ecx, 3
		add	ecx, ecx
		mov	[ebp+var_4], 0
		mov	edi, ecx
		mov	al, [edx+60h]
		and	edi, 1Fh
		and	al, 7
		cmp	al, 2
		jnb	loc_45856A
		shr	ecx, 5
		test	al, al
		jnz	loc_5B0754
		mov	eax, [edx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_45837A:				; CODE XREF: MiGetNextPageTablePte+344j
					; MiGetNextPageTablePte+15851Dj
		mov	[ebp+arg_0], eax

loc_45837D:				; CODE XREF: MiGetNextPageTablePte+15850Fj
		mov	esi, [ebp+arg_0]
		mov	esi, [esi]

loc_458382:				; CODE XREF: MiGetNextPageTablePte+2F4j
		mov	ebx, 2

loc_458387:				; CODE XREF: MiGetNextPageTablePte+2BAj
					; MiGetNextPageTablePte+325j
		mov	ecx, edi
		mov	edx, ebx
		shl	edx, cl
		lea	ecx, [ecx+0]

loc_458390:				; CODE XREF: MiGetNextPageTablePte+31Ej
		mov	eax, esi
		mov	ecx, edi
		shr	eax, cl
		test	al, 1
		jnz	loc_4584D9
		mov	ebx, [ebp+arg_0]
		mov	ecx, esi
		mov	eax, edx
		bts	ecx, edi
		not	eax
		and	ecx, eax
		mov	eax, esi
		lock cmpxchg [ebx], ecx
		mov	ebx, 2
		cmp	eax, esi
		jnz	loc_45855C
		mov	eax, [ebp+var_8]
		mov	ebx, [ebp+var_C]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	edx, [ebx+10h]
		mov	[ebp+arg_0], edx
		lea	ecx, [eax-600000h]
		sar	ecx, 3
		mov	dl, [edx+60h]
		add	ecx, ecx
		mov	edi, ecx
		and	dl, 7
		and	edi, 1Fh
		mov	[ebp+var_4], edi
		cmp	dl, 2
		jnb	loc_458589
		mov	eax, [ebp+arg_0]
		shr	ecx, 5
		test	dl, dl
		jnz	loc_5B07CD
		mov	eax, [eax+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_45840E:				; CODE XREF: MiGetNextPageTablePte+158588j
					; MiGetNextPageTablePte+158595j
		mov	[ebp+arg_0], eax

loc_458411:				; CODE XREF: MiGetNextPageTablePte+158579j
		mov	edx, [eax]
		mov	ecx, edi
		mov	eax, [ebp+var_4]
		mov	edi, 2
		mov	esi, [ebp+arg_0]
		shl	edi, cl
		mov	ecx, edx
		btr	ecx, eax
		not	edi
		and	ecx, edi
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	esi, [ebp+var_8]
		cmp	eax, edx
		jnz	loc_458539

loc_45843C:				; CODE XREF: MiGetNextPageTablePte+317j
		mov	edx, [ebp+var_14]
		mov	[ebx+1Ch], esi

loc_458442:				; CODE XREF: MiGetNextPageTablePte+F7j
		mov	ecx, [ebx+14h]
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		shl	esi, 9
		lea	eax, [ecx-40000000h]
		cmp	esi, eax
		jnb	short loc_4584C8
		lea	esi, [ecx-40000000h]
		mov	eax, 3
		mov	[edx+4], esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_458472:				; CODE XREF: MiGetNextPageTablePte+25j
		test	edi, edi
		jnz	short loc_45847F
		test	byte ptr [ebx],	1
		jnz	loc_4582C4

loc_45847F:				; CODE XREF: MiGetNextPageTablePte+3Bj
					; MiGetNextPageTablePte+A2j ...
		xor	eax, eax
		jmp	loc_4582C9
; 

loc_458486:				; CODE XREF: MiGetNextPageTablePte+77j
		mov	eax, 2
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_458494:				; CODE XREF: MiGetNextPageTablePte+57j
					; MiGetNextPageTablePte+2CEj
		test	byte ptr [ebx],	40h
		jz	loc_4582C4
		mov	edx, [ebx+48h]
		mov	[edx], edi
		test	edi, edi
		jz	short loc_4584AE

loc_4584A6:				; CODE XREF: MiGetNextPageTablePte+26Cj
		shl	esi, 9
		sub	edi, 1
		jnz	short loc_4584A6

loc_4584AE:				; CODE XREF: MiGetNextPageTablePte+264j
		mov	ecx, [ebx+14h]
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		lea	eax, [ecx-40000000h]
		cmp	esi, eax
		jb	loc_5B07DA

loc_4584C8:				; CODE XREF: MiGetNextPageTablePte+219j
					; MiGetNextPageTablePte+1585A0j
		pop	edi
		mov	[edx+4], esi
		mov	eax, 3
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4584D9:				; CODE XREF: MiGetNextPageTablePte+158j
		test	al, 2
		jnz	short loc_458510
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		mov	eax, ebx
		shl	eax, cl
		or	eax, esi
		mov	[ebp+var_10], eax
		mov	ecx, eax
		mov	eax, esi
		lock cmpxchg [edx], ecx
		cmp	eax, esi
		jnz	short loc_458563
		mov	esi, [ebp+var_10]
		jmp	loc_458387
; 

loc_4584FF:				; CODE XREF: MiGetNextPageTablePte+95j
		mov	ecx, esi
		call	_MiIsPdeOrAboveAccessible@4 ; MiIsPdeOrAboveAccessible(x)
		test	eax, eax
		jnz	loc_4582DB
		jmp	short loc_458494
; 

loc_458510:				; CODE XREF: MiGetNextPageTablePte+29Bj
		mov	ebx, [ebp+arg_0]

loc_458513:				; CODE XREF: MiGetNextPageTablePte+2F2j
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax
		test	ds:_HvlLongSpinCountMask, eax
		jz	loc_5B0762

loc_458526:				; CODE XREF: MiGetNextPageTablePte+158529j
		pause

loc_458528:				; CODE XREF: MiGetNextPageTablePte+158535j
		mov	esi, [ebx]
		mov	ecx, edi
		mov	eax, esi
		shr	eax, cl
		test	al, 1
		jnz	short loc_458513
		jmp	loc_458382
; 

loc_458539:				; CODE XREF: MiGetNextPageTablePte+1F6j
		mov	ebx, [ebp+var_4]
		mov	esi, [ebp+arg_0]
		nop

loc_458540:				; CODE XREF: MiGetNextPageTablePte+30Fj
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, ebx
		and	ecx, edi
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_458540
		mov	esi, [ebp+var_8]
		mov	ebx, [ebp+var_C]
		jmp	loc_45843C
; 

loc_45855C:				; CODE XREF: MiGetNextPageTablePte+179j
		mov	esi, eax
		jmp	loc_458390
; 

loc_458563:				; CODE XREF: MiGetNextPageTablePte+2B5j
		mov	esi, eax
		jmp	loc_458387
; 

loc_45856A:				; CODE XREF: MiGetNextPageTablePte+11Ej
		cmp	dword_6D07D0, 0C0000000h
		jb	loc_5B0722

loc_45857A:				; CODE XREF: MiGetNextPageTablePte+1584E8j
					; MiGetNextPageTablePte+1584FDj
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_45837A
; 

loc_458589:				; CODE XREF: MiGetNextPageTablePte+1AFj
		cmp	eax, (offset loc_603014+4)
		jz	loc_5B078D
		jmp	loc_5B077A
MiGetNextPageTablePte endp

; 
		align 10h

; __stdcall MiDeleteVa(x, x, x)
_MiDeleteVa@12:				; DATA XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+1EAo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0CCh
		push	ebx
		mov	ebx, [ebp+0Ch]
		push	esi
		push	edi
		mov	esi, [ebx]
		mov	[esp+74h], esi
		nop
		mov	edx, [ebx+4]
		mov	eax, esi
		or	eax, edx
		mov	[esp+38h], edx
		mov	[esp+80h], esi
		mov	[esp+84h], edx
		jnz	short loc_458634
		cmp	[ebp+10h], eax
		jnz	loc_4597BB
		mov	edi, [ebp+8]
		mov	eax, ebx
		and	eax, 0FFFFF000h
		add	eax, 0FF8h
		mov	esi, [edi+30h]
		cmp	esi, eax
		jbe	short loc_458603
		mov	esi, ebx
		and	esi, 0FFFFF000h
		add	esi, 0FF8h

loc_458603:				; CODE XREF: .text:004585F3j
		add	ebx, 8
		mov	dl, 1
		cmp	ebx, esi
		ja	short loc_458624
		lea	esp, [esp+0]

loc_458610:				; CODE XREF: .text:00458622j
		mov	ecx, [ebx]
		nop
		or	ecx, [ebx+4]
		jnz	short loc_458624
		add	dl, 1
		jz	short loc_458624
		add	ebx, 8
		cmp	ebx, esi
		jbe	short loc_458610

loc_458624:				; CODE XREF: .text:0045860Aj
					; .text:00458616j ...
		dec	dl
		xor	eax, eax
		mov	[edi+3], dl
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_458634:				; CODE XREF: .text:004585D4j
		mov	ecx, [ebp+8]
		mov	eax, [ecx+48h]
		mov	edi, [ecx+0Ch]
		mov	[esp+34h], eax
		mov	[esp+70h], edi
		mov	eax, [eax+54h]
		mov	[esp+24h], eax
		mov	eax, [ecx+10h]
		mov	[esp+0Ch], eax
		mov	eax, ebx
		shl	eax, 9
		mov	[esp+18h], eax
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_458F5A
		nop
		mov	edx, [ebp+10h]
		cmp	edx, 1
		jl	loc_4587EB
		mov	eax, esi
		and	eax, 80h
		or	eax, 0
		jnz	loc_459773
		mov	eax, [ecx+10h]
		mov	[esp+3Ch], eax
		mov	eax, [esp+18h]
		cmp	eax, 0C0000000h
		jb	short loc_4586B1
		lea	esp, [esp+0]

loc_4586A0:				; CODE XREF: .text:004586AFj
		cmp	eax, 0C07FFFFFh
		ja	short loc_4586B1
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	short loc_4586A0

loc_4586B1:				; CODE XREF: .text:00458697j
					; .text:004586A5j
		cmp	eax, ds:_MmHighestUserAddress
		ja	short loc_4586F0
		mov	eax, large fs:124h
		mov	ecx, ebx
		shr	ecx, 3
		and	ecx, 7FFh
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		cmp	word ptr [eax+ecx*2+190h], 0
		jz	loc_4587C0
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4586F0:				; CODE XREF: .text:004586B7j
		mov	edx, [ebx]
		nop
		mov	eax, [ebx+4]
		nop
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	eax, [eax+ecx*4+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	loc_4597BB
		mov	ecx, [esp+3Ch]
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 1
		jnz	loc_4587BD
		mov	eax, [ebp+8]
		test	byte ptr [eax],	4
		jz	short loc_458749
		push	0
		mov	edx, ebx
		mov	[esp+30h], ebx
		call	MiLockPageTableInternal
		jmp	short loc_45874F
; 

loc_458749:				; CODE XREF: .text:00458738j
		xor	eax, eax
		mov	[esp+2Ch], eax

loc_45874F:				; CODE XREF: .text:00458747j
		mov	eax, [esp+18h]
		mov	dword ptr [esp+10h], 1
		mov	[esp+30h], eax
		nop

loc_458760:				; CODE XREF: .text:00458793j
		mov	edx, [eax]
		nop
		mov	ecx, [eax+4]
		mov	eax, edx
		or	eax, ecx
		mov	[esp+98h], edx
		mov	[esp+9Ch], ecx
		jz	short loc_458783
		and	edx, 1
		or	edx, 0
		jz	short loc_458797
		nop

loc_458783:				; CODE XREF: .text:00458778j
		mov	eax, [esp+30h]
		add	eax, 8
		mov	[esp+30h], eax
		test	eax, 0FFFh
		jnz	short loc_458760
		jmp	short loc_45879F
; 

loc_458797:				; CODE XREF: .text:00458780j
		mov	dword ptr [esp+10h], 0

loc_45879F:				; CODE XREF: .text:00458795j
		mov	eax, [esp+2Ch]
		test	eax, eax
		jz	short loc_4587B2
		mov	ecx, [esp+3Ch]
		mov	edx, eax
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4587B2:				; CODE XREF: .text:004587A5j
		cmp	dword ptr [esp+10h], 0
		jz	loc_4597BB

loc_4587BD:				; CODE XREF: .text:0045872Cj
		mov	edx, [ebp+10h]

loc_4587C0:				; CODE XREF: .text:004586DFj
		mov	ecx, [esp+0Ch]
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 1
		jnz	short loc_4587E8
		cmp	edx, 1
		jnz	short loc_4587E8
		push	ds:dword_40F9FC
		mov	ecx, ebx
		push	ds:_ZeroPte
		shl	ecx, 12h
		call	_MiUpdateSessionPdeMaster@12 ; MiUpdateSessionPdeMaster(x,x,x)

loc_4587E8:				; CODE XREF: .text:004587CBj
					; .text:004587D0j
		mov	ecx, [ebp+8]

loc_4587EB:				; CODE XREF: .text:00458671j
		mov	eax, [esp+0Ch]
		test	byte ptr [eax+60h], 7
		jnz	loc_458EAE
		cmp	dword ptr [ebp+10h], 0
		jnz	loc_4589A9
		mov	eax, [esp+24h]
		test	eax, 800h
		jz	short loc_45882B
		push	0
		mov	edx, ebx
		call	_MiDeleteLargeUserPde@12 ; MiDeleteLargeUserPde(x,x,x)
		xor	edx, edx
		mov	ecx, edi
		call	_MiFlushTbListEarly@8 ;	MiFlushTbListEarly(x,x)
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_45882B:				; CODE XREF: .text:0045880Cj
		test	al, 10h
		jz	short loc_458858
		nop
		mov	ecx, [esp+34h]
		mov	edx, ebx
		lea	eax, [ecx+5Ch]
		mov	ecx, [ecx+8]
		push	eax
		mov	ecx, [ecx+10h]
		call	_MiDeleteVadAwePtes@12 ; MiDeleteVadAwePtes(x,x,x)
		mov	edx, [esp+18h]
		mov	ecx, edi
		push	0
		push	eax
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	loc_458F1B
; 

loc_458858:				; CODE XREF: .text:0045882Dj
		test	al, 60h
		jz	short loc_458868
		mov	edx, ebx
		call	_MiDeletePhysmemPte@8 ;	MiDeletePhysmemPte(x,x)
		jmp	loc_458F1B
; 

loc_458868:				; CODE XREF: .text:0045885Aj
		test	al, 8
		jz	short loc_4588AB
		mov	ecx, ebx
		call	_MiRotatedToFrameBuffer@4 ; MiRotatedToFrameBuffer(x)
		cmp	eax, 1
		jnz	short loc_4588A7
		lea	eax, [esp+7Ch]
		mov	dword ptr [esp+7Ch], 0
		push	eax
		push	0
		mov	edx, 3
		mov	ecx, ebx
		call	_MiUnmapFrameBuffer@16 ; MiUnmapFrameBuffer(x,x,x,x)
		mov	edx, [esp+18h]
		mov	ecx, edi
		push	0
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	loc_458F1B
; 

loc_4588A7:				; CODE XREF: .text:00458876j
		mov	eax, [esp+24h]

loc_4588AB:				; CODE XREF: .text:0045886Aj
		and	al, 90h
		cmp	al, 80h
		jnz	loc_4589A5
		test	byte ptr [esp+24h], 2
		jz	short loc_45891B
		mov	ecx, [esp+0Ch]
		test	byte ptr [ecx+63h], 1
		jnz	short loc_45891B
		cmp	dword_6D3154, 0
		jz	short loc_45891B
		mov	edx, [esp+18h]
		cmp	edx, 0C0000000h
		jb	short loc_4588E3
		cmp	edx, 0C07FFFFFh
		jbe	short loc_45890A

loc_4588E3:				; CODE XREF: .text:004588D9j
		movzx	eax, byte ptr [ecx+60h]
		mov	ecx, edx
		and	eax, 7
		shr	ecx, 0Ch
		add	ecx, dword_6D2E68[eax*4]
		mov	al, [ecx]
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_4597C6
		cmp	al, 7
		jz	short loc_45891B
		mov	ecx, [esp+0Ch]

loc_45890A:				; CODE XREF: .text:004588E1j
		mov	eax, [ebx]
		and	eax, 20h
		or	eax, 0
		jz	short loc_45891B
		mov	edx, ebx
		call	_MiLogPageAccess@8 ; MiLogPageAccess(x,x)

loc_45891B:				; CODE XREF: .text:004588BAj
					; .text:004588C4j ...
		nop
		mov	eax, [esp+38h]
		mov	edx, esi
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	ecx, [eax+ecx*4]
		mov	eax, [ecx+10h]
		and	eax, 3FFFFFFFh
		mov	[esp+1Ch], ecx
		cmp	eax, 1
		jnz	short loc_4589A5
		mov	edx, [esp+24h]
		test	dl, al
		jz	short loc_458977
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		cmp	eax, 2
		jbe	short loc_458977
		cmp	eax, 5
		ja	short loc_458977
		mov	edx, 2
		call	MiLockSetPfnPriority
		mov	ecx, [esp+1Ch]
		mov	edx, [esp+24h]

loc_458977:				; CODE XREF: .text:00458954j
					; .text:0045895Ej ...
		test	dl, 4
		jz	short loc_4589A5
		mov	eax, [esp+34h]
		cmp	dword ptr [eax+4Ch], 0
		jnz	short loc_4589A5
		mov	eax, esi
		and	eax, 42h
		or	eax, 0
		jnz	short loc_4589A5
		call	_MiBoostUnmapPfn@4 ; MiBoostUnmapPfn(x)
		test	eax, eax
		jz	short loc_4589A5
		call	_MiCreateDecayPfn@0 ; MiCreateDecayPfn()
		mov	ecx, [esp+34h]
		mov	[ecx+4Ch], eax

loc_4589A5:				; CODE XREF: .text:004588AFj
					; .text:0045894Cj ...
		mov	eax, [esp+0Ch]

loc_4589A9:				; CODE XREF: .text:004587FDj
		test	dword ptr [esp+24h], 100h
		jz	short loc_4589C7
		mov	edx, [esp+18h]
		mov	ecx, edi
		push	0
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	loc_458D78
; 

loc_4589C7:				; CODE XREF: .text:004589B1j
		cmp	dword ptr [ebp+10h], 0
		jnz	loc_458AC7
		movzx	eax, byte ptr [eax+60h]
		mov	ecx, [esp+18h]
		and	eax, 7
		shr	ecx, 0Ch
		add	ecx, dword_6D2E68[eax*4]
		mov	dl, [ecx]
		mov	al, dl
		mov	[esp+17h], dl
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_4597D9
		cmp	al, 8
		jz	loc_458AC7
		mov	esi, [ebx]
		mov	dword ptr [esp+40h], 0
		mov	dword ptr [esp+44h], 0
		nop
		mov	eax, [ebx+4]
		mov	[esp+0A0h], esi
		mov	[esp+0A4h], eax
		nop
		shrd	esi, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	esi, 1FFFFFFh
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		lea	ecx, [eax+ecx*4]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		mov	esi, [esp+34h]
		neg	eax
		sbb	ecx, ecx
		inc	ecx
		mov	eax, [esi+64h]
		mov	[esp+2Ch], ecx
		mov	[esp+1Ch], eax
		test	eax, eax
		jz	short loc_458A9B
		mov	eax, [esi+68h]
		mov	edi, [esp+1Ch]
		mov	[esp+30h], eax
		lea	eax, [edi+eax*8]
		mov	edi, [esp+70h]
		cmp	ebx, eax
		jnz	short loc_458A89
		cmp	dl, [esi+70h]
		jnz	short loc_458A89
		mov	eax, [esi+6Ch]
		and	eax, 1
		cmp	ecx, eax
		jnz	short loc_458A89
		mov	eax, [esp+30h]
		inc	eax
		jmp	short loc_458ABA
; 

loc_458A89:				; CODE XREF: .text:00458A71j
					; .text:00458A76j ...
		test	byte ptr [esi+6Ch], 2
		jnz	short loc_458AC3
		lea	ecx, [esi+60h]
		call	MiTerminateWsleCluster
		mov	dl, [esp+17h]

loc_458A9B:				; CODE XREF: .text:00458A5Bj
		mov	eax, [esi+6Ch]
		mov	ecx, [esp+0Ch]
		and	eax, 0FFFFFFFEh
		or	eax, [esp+2Ch]
		mov	[esi+6Ch], eax
		mov	eax, 1
		mov	[esi+60h], ecx
		mov	[esi+64h], ebx
		mov	[esi+70h], dl

loc_458ABA:				; CODE XREF: .text:00458A87j
		mov	[esi+68h], eax
		nop
		jmp	loc_458F1B
; 

loc_458AC3:				; CODE XREF: .text:00458A8Dj
		mov	esi, [esp+74h]

loc_458AC7:				; CODE XREF: .text:004589CBj
					; .text:004589FAj
		mov	ebx, [esp+18h]
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		mov	dword ptr [esp+24h], 0
		sub	ebx, 40000000h
		mov	[esp+30h], ebx
		mov	edx, [ebx]
		nop
		mov	eax, [ebx+4]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	eax, [eax+ecx*4]
		mov	ecx, [esp+18h]
		mov	[esp+1Ch], eax
		lea	edx, [ecx+40000000h]
		mov	[esp+40h], edx
		cmp	edx, offset loc_7FFFFF
		ja	short loc_458B56
		push	ds:dword_40F9FC
		mov	eax, [eax]
		mov	edx, ebx
		push	ds:_ZeroPte
		mov	ecx, [esp+14h]
		shr	eax, 1
		and	al, 7
		push	0
		mov	[esp+34h], al
		call	MiEvictPageTableLock
		test	eax, eax
		jz	loc_4597BB
		mov	eax, 1
		jmp	loc_458CB2
; 

loc_458B56:				; CODE XREF: .text:00458B1Fj
		mov	edx, [esp+0Ch]
		shr	ecx, 0Ch
		movzx	eax, byte ptr [edx+60h]
		and	eax, 7
		add	ecx, dword_6D2E68[eax*4]
		mov	ah, [ecx]
		mov	al, ah
		and	al, 0Fh
		mov	[esp+17h], al
		cmp	al, 0Ah
		jz	loc_4597EF
		mov	ecx, [esp+1Ch]
		mov	[esp+28h], ah
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		neg	eax
		sbb	eax, eax
		inc	eax
		cmp	byte ptr [esp+17h], 8
		mov	[esp+1Ch], eax
		jnz	short loc_458BBB
		mov	edx, [esp+18h]
		push	ecx
		mov	ecx, [esp+10h]
		call	_MiUnlockWsle@12 ; MiUnlockWsle(x,x,x)
		mov	edx, [esp+18h]
		mov	ecx, [esp+0Ch]
		call	MiLocateWsle
		mov	al, [eax]
		mov	[esp+28h], al

loc_458BBB:				; CODE XREF: .text:00458B98j
		mov	ecx, [ebx]
		mov	eax, ds:_ZeroPte
		mov	edx, [ebx+4]
		cmp	dword_6D07D0, 0C0000000h
		mov	[esp+10h], eax
		mov	eax, ds:dword_40F9FC
		mov	[esp+3Ch], eax
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	ebx, 0C0603000h
		jb	short loc_458BFE
		cmp	ebx, eax
		jnb	short loc_458BFE
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_458BFE
		or	ecx, 20h

loc_458BFE:				; CODE XREF: .text:00458BECj
					; .text:00458BF0j ...
		mov	eax, ds:_MiFlags
		test	eax, 800h
		jz	short loc_458C13
		or	ecx, 20h
		mov	[esp+4Ch], edx
		jmp	short loc_458C1D
; 

loc_458C13:				; CODE XREF: .text:00458C08j
		test	eax, 4000000h
		jz	short loc_458C1D
		lfence	eax

loc_458C1D:				; CODE XREF: .text:00458C11j
					; .text:00458C18j
		and	ecx, 20h
		or	ecx, 0
		jnz	short loc_458CA0
		mov	edi, [esp+10h]
		mov	esi, ebx
		jmp	short loc_458C30
; 
		align 10h

loc_458C30:				; CODE XREF: .text:00458C2Bj
					; .text:00458C4Ej ...
		mov	eax, [esi]
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[esp+2Ch], eax
		mov	[esp+4Ch], ecx
		nop
		mov	ecx, [esp+3Ch]
		mov	ebx, edi
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, [esp+2Ch]
		jnz	short loc_458C30
		cmp	edx, [esp+4Ch]
		jnz	short loc_458C30
		cmp	dword_6D07D0, 0C0000000h
		mov	edi, [esp+70h]
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	esi, 0C0603000h
		mov	esi, [esp+74h]
		jb	short loc_458C8E
		mov	ebx, [esp+30h]
		cmp	ebx, eax
		jnb	short loc_458C8E
		push	ecx
		push	dword ptr [esp+14h]
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_458C8E:				; CODE XREF: .text:00458C78j
					; .text:00458C80j
		mov	eax, [esp+2Ch]
		and	eax, 20h
		or	eax, 0
		jnz	short loc_458CAE
		mov	eax, [esp+1Ch]
		jmp	short loc_458CBA
; 

loc_458CA0:				; CODE XREF: .text:00458C23j
		mov	eax, [esp+10h]
		mov	[ebx], eax
		nop
		mov	eax, [esp+3Ch]
		mov	[ebx+4], eax

loc_458CAE:				; CODE XREF: .text:00458C98j
		mov	eax, [esp+1Ch]

loc_458CB2:				; CODE XREF: .text:00458B51j
		mov	dword ptr [esp+24h], 1

loc_458CBA:				; CODE XREF: .text:00458C9Ej
		mov	edx, [esp+18h]
		mov	ecx, [esp+0Ch]
		push	eax
		push	0Ah
		push	dword ptr [esp+30h]
		push	1
		call	MiRemoveWsle
		cmp	dword ptr [esp+24h], 1
		jnz	loc_458D75
		mov	ebx, 1
		cmp	[edi], ebx
		jz	short loc_458CFA
		mov	al, [edi+4]
		test	al, 8
		jnz	short loc_458CFA
		cmp	dword ptr [esp+40h], offset loc_7FFFFF
		ja	short loc_458CFA
		or	al, 8
		mov	[edi+4], al

loc_458CFA:				; CODE XREF: .text:00458CE2j
					; .text:00458CE9j ...
		mov	ecx, [edi+0Ch]
		mov	[esp+10h], ecx
		test	ecx, ecx
		jz	loc_458E10
		test	byte ptr [edi+4], 4
		jnz	loc_458DBD
		lea	eax, [ecx+4]
		lea	eax, [edi+eax*4]
		mov	[esp+1Ch], eax
		mov	eax, [eax]
		test	eax, 0C00h
		jnz	loc_458DBD
		mov	ecx, eax
		and	ecx, 3FFh
		mov	[esp+40h], ecx
		lea	edx, [ecx+1]
		mov	ecx, eax
		shl	edx, 0Ch
		and	ecx, 0FFFFF000h
		add	edx, ecx
		cmp	edx, [esp+18h]
		jnz	short loc_458DB9
		mov	ecx, [esp+40h]
		lea	edx, [ecx+1]
		cmp	edx, ecx
		jbe	short loc_458DB9
		cmp	edx, 3FFh
		ja	short loc_458DB9
		inc	dword ptr [edi+10h]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 3FFh
		xor	ecx, eax
		mov	eax, [esp+1Ch]
		mov	[eax], ecx

loc_458D75:				; CODE XREF: .text:00458CD5j
					; .text:00458E07j ...
		mov	ebx, [ebp+0Ch]

loc_458D78:				; CODE XREF: .text:004589C2j
					; .text:00458E9Cj ...
		mov	eax, [esp+38h]
		and	esi, 0FFFFFFFEh
		or	esi, 400h
		mov	[esp+84h], eax
		cmp	dword ptr [ebp+10h], 1
		mov	[esp+80h], esi
		jnz	loc_458F15
		mov	ecx, [esp+0Ch]
		test	byte ptr [ecx+60h], 7
		jz	loc_458F15
		push	eax
		push	esi
		mov	ecx, ebx
		call	MiWriteTopLevelPxe
		jmp	loc_458F1B
; 

loc_458DB9:				; CODE XREF: .text:00458D4Aj
					; .text:00458D55j ...
		mov	ecx, [esp+10h]

loc_458DBD:				; CODE XREF: .text:00458D0Dj
					; .text:00458D24j
		test	ecx, ecx
		jz	short loc_458E10
		test	byte ptr [edi+4], 4
		jnz	short loc_458E10
		mov	eax, [edi+ecx*4+10h]
		test	eax, 0C00h
		jnz	short loc_458E10
		mov	ecx, [esp+18h]
		mov	edx, eax
		and	edx, 0FFFFF000h
		add	ecx, 1000h
		cmp	edx, ecx
		jnz	short loc_458E0C
		and	eax, 3FFh
		lea	ecx, [eax+1]
		cmp	ecx, eax
		jbe	short loc_458E0C
		cmp	ecx, 3FFh
		ja	short loc_458E0C
		push	0
		push	1
		mov	ecx, edi
		call	_MiMergeTbFlushEntryBackwards@16 ; MiMergeTbFlushEntryBackwards(x,x,x,x)
		jmp	loc_458D75
; 

loc_458E0C:				; CODE XREF: .text:00458DE6j
					; .text:00458DF2j ...
		mov	ecx, [esp+10h]

loc_458E10:				; CODE XREF: .text:00458D03j
					; .text:00458DBFj ...
		cmp	ecx, [edi+8]
		jb	short loc_458E20
		mov	[edi+5], bl
		jmp	loc_458D75
; 
		align 10h

loc_458E20:				; CODE XREF: .text:00458E13j
					; .text:00458E90j
		lea	eax, [ebx-1]
		mov	edx, ebx
		cmp	eax, 3FFh
		jbe	short loc_458E31
		mov	edx, 400h

loc_458E31:				; CODE XREF: .text:00458E2Aj
		mov	ecx, [esp+18h]
		lea	eax, [edx-1]
		and	ecx, 0FFFFF000h
		and	eax, 3FFh
		or	eax, ecx
		sub	ebx, edx
		mov	ecx, edx
		shl	ecx, 0Ch
		add	[esp+18h], ecx
		mov	ecx, [edi+0Ch]
		mov	[edi+ecx*4+14h], eax
		inc	dword ptr [edi+0Ch]
		mov	eax, [edi+0Ch]
		add	[edi+10h], edx
		cmp	eax, [edi+8]
		jnz	short loc_458E8E
		test	byte ptr [edi+4], 4
		jnz	short loc_458E8E
		push	offset _MiTbFlushSort
		push	4
		push	eax
		lea	eax, [edi+14h]
		push	eax
		call	_qsort
		add	esp, 10h
		mov	ecx, edi
		call	MiCompressTbFlushList
		mov	eax, [edi+0Ch]
		cmp	eax, [edi+8]
		jz	short loc_458E97

loc_458E8E:				; CODE XREF: .text:00458E63j
					; .text:00458E69j
		test	ebx, ebx
		jnz	short loc_458E20
		jmp	loc_458D75
; 

loc_458E97:				; CODE XREF: .text:00458E8Cj
		test	ebx, ebx
		mov	ebx, [ebp+0Ch]
		jz	loc_458D78
		mov	byte ptr [edi+5], 1
		mov	[edi+10h], eax
		jmp	loc_458D78
; 

loc_458EAE:				; CODE XREF: .text:004587F3j
		mov	edx, [esp+18h]
		mov	ecx, edi
		push	0
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		test	dword ptr [esp+24h], 100h
		jnz	loc_458D78
		mov	eax, [esp+18h]
		cmp	eax, 0C0000000h
		jb	loc_458D78
		cmp	eax, 0C07FFFFFh
		ja	loc_458D78
		push	dword ptr [esp+38h]
		mov	ecx, [esp+10h]
		and	esi, 0FFFFFFFEh
		xor	eax, eax
		or	esi, 400h
		cmp	dword ptr [ebp+10h], 1
		mov	edx, ebx
		push	esi
		setnle	al
		push	eax
		call	MiEvictPageTableLock
		test	eax, eax
		jnz	short loc_458F1B
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_458F15:				; CODE XREF: .text:00458D97j
					; .text:00458DA5j
		mov	[ebx], esi
		nop
		mov	[ebx+4], eax

loc_458F1B:				; CODE XREF: .text:00458853j
					; .text:00458863j ...
		mov	eax, [edi+0Ch]
		mov	ecx, dword_6D0748
		cmp	eax, [edi+8]
		jnb	short loc_458F38
		cmp	byte ptr [edi+5], 0
		jnz	short loc_458F38
		cmp	[edi+10h], ecx
		jbe	loc_4597AD

loc_458F38:				; CODE XREF: .text:00458F27j
					; .text:00458F2Dj
		cmp	ecx, 400h
		jb	loc_4597AD
		cmp	byte ptr [edi+5], 0
		jnz	loc_4597AD
		mov	ecx, edi
		call	MiFlushTbList
		jmp	loc_4597AD
; 

loc_458F5A:				; CODE XREF: .text:00458664j
		mov	eax, esi
		and	eax, 400h
		or	eax, 0
		jz	loc_4595FF
		mov	eax, dword_6D0704
		mov	ecx, edx
		mov	edi, dword_6D0700
		mov	[esp+10h], eax
		mov	eax, edi
		or	eax, [esp+10h]
		mov	[esp+1Ch], edi
		jz	short loc_458F9D
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_458F99
		mov	edx, [esp+10h]
		not	edx
		and	edx, ecx

loc_458F99:				; CODE XREF: .text:00458F8Fj
		mov	[esp+38h], edx

loc_458F9D:				; CODE XREF: .text:00458F85j
		mov	eax, [esp+1Ch]
		mov	edi, ecx
		or	eax, [esp+10h]
		mov	[esp+68h], esi
		jz	short loc_458FD2
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_458FC9
		mov	eax, [esp+1Ch]
		mov	edi, [esp+10h]
		not	eax
		not	edi
		and	eax, esi
		and	edi, ecx
		jmp	short loc_458FCE
; 

loc_458FC9:				; CODE XREF: .text:00458FB5j
		mov	eax, esi
		and	eax, 0FFFFFFEFh

loc_458FCE:				; CODE XREF: .text:00458FC7j
		mov	[esp+68h], eax

loc_458FD2:				; CODE XREF: .text:00458FABj
		mov	[esp+94h], ecx
		cmp	edi, 0FFFFFFFFh
		jz	short loc_458FF6
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jz	short loc_458FF6
		call	_MiDecrementCombinedPte@8 ; MiDecrementCombinedPte(x,x)
		mov	ecx, eax
		jmp	loc_4595D3
; 

loc_458FF6:				; CODE XREF: .text:00458FDCj
					; .text:00458FE8j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[esp+30h], eax
		mov	edi, [eax+148h]
		mov	[esp+3Ch], edi
		test	edi, edi
		jz	loc_4596F1
		mov	eax, dword_6D0704
		mov	edx, dword_6D0700
		mov	[esp+1Ch], eax
		mov	eax, edx
		or	eax, [esp+1Ch]
		mov	[esp+40h], esi
		jz	short loc_459056
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45904F
		mov	eax, [esp+1Ch]
		not	edx
		and	edx, esi
		not	eax
		and	ecx, eax
		mov	[esp+40h], edx
		jmp	short loc_459056
; 

loc_45904F:				; CODE XREF: .text:0045903Bj
		and	esi, 0FFFFFFEFh
		mov	[esp+40h], esi

loc_459056:				; CODE XREF: .text:00459031j
					; .text:0045904Dj
		cmp	ecx, 0FFFFFFFFh
		jz	loc_4596F1
		push	30h
		lea	eax, [esp+0ACh]
		push	0
		push	eax
		call	_memset
		mov	esi, [esp+44h]
		add	esp, 0Ch
		mov	[esp+0B4h], esi
		mov	[esp+0B8h], esi

loc_459085:				; CODE XREF: .text:0045909Cj
		cmp	esi, [edi+10h]
		ja	short loc_459093
		cmp	esi, [edi+0Ch]
		jnb	short loc_4590A3
		mov	edi, [edi]
		jmp	short loc_459096
; 

loc_459093:				; CODE XREF: .text:00459088j
		mov	edi, [edi+4]

loc_459096:				; CODE XREF: .text:00459091j
		mov	[esp+3Ch], edi
		test	edi, edi
		jnz	short loc_459085
		jmp	loc_4596F1
; 

loc_4590A3:				; CODE XREF: .text:0045908Dj
		test	edi, edi
		jz	loc_4596F1
		mov	ecx, [esp+30h]
		mov	ecx, [ecx+140h]
		test	ecx, ecx
		jz	short loc_4590C7
		mov	eax, large fs:124h
		cmp	ecx, eax
		jnz	loc_459801

loc_4590C7:				; CODE XREF: .text:004590B7j
		mov	eax, [edi+1Ch]
		mov	eax, [eax+0Ch]
		mov	[esp+0Ch], eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi+0Ch], eax
		dec	eax
		jnz	loc_45942C
		mov	ecx, [esi]
		xor	al, al
		mov	[esp+17h], al
		nop
		or	ecx, [esi+4]
		jz	loc_459431
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esp+10h], eax

loc_459100:				; CODE XREF: .text:00459150j
					; .text:0045916Dj
		mov	esi, [eax-40000000h]
		mov	dword ptr [esp+48h], 0
		mov	dword ptr [esp+4Ch], 0
		nop
		mov	ecx, [eax-3FFFFFFCh]
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_45932C
		mov	eax, esi
		and	eax, 200h
		or	eax, 0
		jnz	loc_45932C
		nop
		mov	eax, [esp+10h]
		shrd	esi, ecx, 0Ch
		and	esi, 1FFFFFFh
		cmp	esi, dword_6D07B0
		ja	short loc_459100
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		mov	eax, [esp+10h]
		jz	short loc_459100
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		lea	eax, [eax+ecx*4]
		mov	cl, 2
		mov	[esp+28h], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [esp+28h]
		add	ecx, 10h
		mov	[esp+23h], al
		mov	dword ptr [esp+58h], 0
		mov	[esp+2Ch], ecx
		lock bts dword ptr [ecx], 1Fh
		jnb	short loc_4591CC
		mov	ebx, ecx
		lea	esp, [esp+0]

loc_4591B0:				; CODE XREF: .text:004591BCj
					; .text:004591C3j
		lea	ecx, [esp+58h]
		call	KeYieldProcessorEx
		cmp	dword ptr [ebx], 0
		jl	short loc_4591B0
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_4591B0
		mov	ebx, [ebp+0Ch]
		mov	ecx, [esp+2Ch]

loc_4591CC:				; CODE XREF: .text:004591A8j
		mov	eax, [esp+10h]
		mov	dword ptr [esp+48h], 0
		mov	dword ptr [esp+4Ch], 0
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[esp+40h], eax
		mov	[esp+8Ch], eax
		mov	eax, edx
		and	eax, 1
		mov	[esp+88h], edx
		or	eax, 0
		jz	loc_459314
		mov	eax, edx
		and	eax, 200h
		or	eax, 0
		jnz	loc_459314
		nop
		mov	eax, [esp+40h]
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		cmp	esi, edx
		jnz	loc_459314
		mov	esi, [esp+28h]
		mov	edx, 1
		mov	ecx, esi
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	dl, [esp+23h]
		cmp	dl, 21h
		jz	loc_459309
		mov	ecx, [esi+4]
		mov	al, [esi+16h]
		or	ecx, 80000000h
		mov	[esp+17h], dl
		mov	dword ptr [esp+78h], 0
		mov	[esp+40h], ecx
		test	al, 20h
		jz	short loc_4592D1
		lea	ebx, [esi+10h]
		mov	edi, 7FFFFFFFh
		lea	esp, [esp+0]

loc_459280:				; CODE XREF: .text:004592C4j
		lock and [ebx],	edi
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, [esi+16h]
		mov	dword ptr [esp+78h], 0
		mov	[esp+22h], al
		test	al, 20h
		jz	short loc_4592B4
		mov	edi, edi

loc_4592A0:				; CODE XREF: .text:004592B2j
		lea	ecx, [esp+78h]
		call	KeYieldProcessorEx
		mov	al, [esi+16h]
		mov	[esp+22h], al
		test	al, 20h
		jnz	short loc_4592A0

loc_4592B4:				; CODE XREF: .text:0045929Cj
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	al, [esi+16h]
		mov	dl, [esp+23h]
		test	al, 20h
		jnz	short loc_459280
		mov	ebx, [ebp+0Ch]
		mov	edi, [esp+3Ch]
		mov	ecx, [esp+40h]

loc_4592D1:				; CODE XREF: .text:0045926Fj
		or	al, 20h
		mov	[esi+16h], al
		mov	esi, [esp+2Ch]
		test	dword ptr [esi], 40000000h
		jnz	short loc_4592FF
		mov	edx, [ecx]
		nop
		and	edx, 20h
		or	edx, 0
		jnz	short loc_4592FF
		mov	[esp+40h], dl
		mov	edx, 1
		push	dword ptr [esp+40h]
		call	_MiWriteValidPteVolatile@12 ; MiWriteValidPteVolatile(x,x,x)

loc_4592FF:				; CODE XREF: .text:004592E0j
					; .text:004592EBj
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		jmp	short loc_459334
; 

loc_459309:				; CODE XREF: .text:0045924Bj
		mov	dl, 21h
		mov	ecx, esi
		call	_MiLockOwnedProtoPage@8	; MiLockOwnedProtoPage(x,x)
		jmp	short loc_459334
; 

loc_459314:				; CODE XREF: .text:00459207j
					; .text:00459217j ...
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	al, [esp+23h]
		cmp	al, 21h
		jz	short loc_45932C
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_45932C:				; CODE XREF: .text:00459125j
					; .text:00459135j ...
		mov	dword ptr [esp+28h], 0

loc_459334:				; CODE XREF: .text:00459307j
					; .text:00459312j
		mov	esi, [esp+38h]
		mov	ecx, [esi]
		nop
		and	ecx, 400h
		or	ecx, 0
		jz	short loc_459350
		mov	dword ptr [esp+10h], 1
		jmp	short loc_459382
; 

loc_459350:				; CODE XREF: .text:00459344j
		xor	edx, edx
		mov	byte ptr [esp+57h], 21h
		mov	ecx, esi
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		test	eax, eax
		jnz	short loc_45936C
		mov	dword ptr [esp+10h], 1
		jmp	short loc_459382
; 

loc_45936C:				; CODE XREF: .text:00459360j
		push	1
		push	21h
		mov	edx, eax
		mov	ecx, esi
		call	MiDeleteTransitionPte
		mov	[esp+10h], eax
		cmp	eax, 1
		jnz	short loc_459398

loc_459382:				; CODE XREF: .text:0045934Ej
					; .text:0045936Aj
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		mov	edx, 1
		push	eax
		push	ecx
		mov	ecx, [esp+14h]
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)

loc_459398:				; CODE XREF: .text:00459380j
		mov	ecx, [esp+28h]
		mov	dword ptr [esp+68h], 0
		lea	eax, [ecx+10h]
		mov	[esp+1Ch], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_4593D0
		mov	ebx, eax

loc_4593B4:				; CODE XREF: .text:004593C0j
					; .text:004593C7j
		lea	ecx, [esp+68h]
		call	KeYieldProcessorEx
		cmp	dword ptr [ebx], 0
		jl	short loc_4593B4
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_4593B4
		mov	ebx, [ebp+0Ch]
		mov	ecx, [esp+28h]

loc_4593D0:				; CODE XREF: .text:004593B0j
		mov	al, [ecx+16h]
		and	al, 0DFh
		mov	[ecx+16h], al
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		test	eax, eax
		jz	short loc_45940A
		mov	ecx, [esp+28h]
		mov	eax, 92492493h
		mov	esi, ecx
		sub	esi, ds:_MmPfnDatabase
		imul	esi
		lea	eax, [esi+edx]
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	MiPfnReferenceCountIsZero
		mov	esi, [esp+38h]

loc_45940A:				; CODE XREF: .text:004593DFj
		mov	eax, [esp+1Ch]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	al, [esp+17h]
		cmp	al, 21h
		jz	short loc_459426
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_459426:				; CODE XREF: .text:0045941Cj
		mov	ecx, [esp+10h]
		jmp	short loc_459435
; 

loc_45942C:				; CODE XREF: .text:004590DAj
		mov	ecx, 4

loc_459431:				; CODE XREF: .text:004590ECj
		mov	[esp+10h], ecx

loc_459435:				; CODE XREF: .text:0045942Aj
		mov	eax, [esp+30h]
		mov	edx, [eax+24Ch]
		mov	eax, [edx+8Ch]
		cmp	eax, [edi+2Ch]
		jb	loc_4595B9
		ja	short loc_45945F
		mov	eax, [edx+88h]
		cmp	eax, [edi+28h]
		jbe	loc_4595B9

loc_45945F:				; CODE XREF: .text:0045944Ej
		or	eax, 0FFFFFFFFh
		lock xadd [esi+8], eax
		dec	eax
		and	eax, 7FFFFFFh
		jnz	loc_4595B0
		mov	edx, [esp+0Ch]
		lock dec dword ptr [edx+1124h]
		cmp	ecx, 3
		jz	loc_4595B0
		lea	esi, [eax+1]
		mov	[esp+5Ch], eax
		mov	[esp+60h], eax
		mov	[esp+64h], eax
		cmp	[edx+0DA0h], eax
		jz	loc_459521
		lea	ecx, [edx+0D98h]
		lea	edx, [esp+5Ch]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [esp+0Ch]
		mov	edx, esi
		call	_MiRestockOverCommit@8 ; MiRestockOverCommit(x,x)
		test	ds:byte_70EFC6,	1
		mov	esi, eax
		jz	short loc_4594D5
		mov	edx, [ebp+4]
		lea	ecx, [esp+5Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_45950B
; 

loc_4594D5:				; CODE XREF: .text:004594C5j
		mov	eax, [esp+5Ch]
		test	eax, eax
		jnz	short loc_4594F8
		mov	edx, [esp+60h]
		lea	eax, [esp+5Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+5Ch]
		cmp	eax, ecx
		jz	short loc_45950B
		call	KxWaitForLockChainValid

loc_4594F8:				; CODE XREF: .text:004594DBj
		mov	dword ptr [esp+5Ch], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_45950B:				; CODE XREF: .text:004594D3j
					; .text:004594F1j
		mov	cl, [esp+64h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	loc_4595B0
		mov	edx, [esp+0Ch]

loc_459521:				; CODE XREF: .text:0045949Cj
		cmp	edx, offset _MiSystemPartition
		jnz	short loc_459573
		mov	eax, large fs:20h
		mov	edx, [eax+3D2Ch]
		add	eax, 3D2Ch
		mov	[esp+40h], eax
		lea	eax, [esi+edx]
		cmp	eax, 100h
		ja	short loc_45956F
		jmp	short loc_459550
; 
		align 10h

loc_459550:				; CODE XREF: .text:00459548j
					; .text:0045956Dj
		mov	ebx, [esp+40h]
		lea	ecx, [esi+edx]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		mov	ebx, [ebp+0Ch]
		cmp	eax, edx
		jz	short loc_4595B0
		mov	edx, eax
		add	eax, esi
		cmp	eax, 100h
		jbe	short loc_459550

loc_45956F:				; CODE XREF: .text:00459546j
		mov	edx, [esp+0Ch]

loc_459573:				; CODE XREF: .text:00459527j
		mov	ecx, esi
		lea	eax, [edx+10BCh]
		neg	ecx
		lock xadd [eax], ecx
		mov	edx, [edx+0D94h]
		mov	eax, ecx
		sub	eax, esi
		cmp	ecx, edx
		jb	short loc_459593
		cmp	eax, edx
		jb	short loc_4595A5

loc_459593:				; CODE XREF: .text:0045958Dj
		mov	edx, [esp+0Ch]
		mov	edx, [edx+0D90h]
		cmp	eax, edx
		jnb	short loc_4595B0
		cmp	ecx, edx
		jb	short loc_4595B0

loc_4595A5:				; CODE XREF: .text:00459591j
		mov	ecx, [esp+0Ch]
		xor	edx, edx
		call	MiSyncCommitSignals

loc_4595B0:				; CODE XREF: .text:0045946Dj
					; .text:00459481j ...
		mov	ecx, 5
		mov	[esp+10h], ecx

loc_4595B9:				; CODE XREF: .text:00459448j
					; .text:00459459j
		or	eax, 0FFFFFFFFh
		lock xadd [edi+18h], eax
		dec	eax
		jnz	short loc_4595D3
		mov	ecx, [esp+30h]
		mov	edx, edi
		call	_MiDeleteCloneDescriptor@8 ; MiDeleteCloneDescriptor(x,x)
		mov	ecx, [esp+10h]

loc_4595D3:				; CODE XREF: .text:00458FF1j
					; .text:004595C2j
		cmp	ecx, 3
		jnz	short loc_4595E7
		mov	eax, [esp+34h]
		mov	eax, [eax+8]
		inc	dword ptr [eax+4]
		jmp	loc_4596F1
; 

loc_4595E7:				; CODE XREF: .text:004595D6j
		cmp	ecx, 5
		jnz	loc_4596F1
		mov	eax, [esp+34h]
		mov	eax, [eax+8]
		inc	dword ptr [eax+8]
		jmp	loc_4596F1
; 

loc_4595FF:				; CODE XREF: .text:00458F64j
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jnz	loc_459765
		mov	eax, esi
		and	eax, 3E0h
		or	eax, 0
		jz	loc_459811
		mov	ecx, esi
		mov	eax, edx
		shrd	ecx, eax, 2
		test	cl, 1
		jz	short loc_459633
		nop
		mov	ecx, esi
		mov	edi, edx
		jmp	short loc_45964B
; 

loc_459633:				; CODE XREF: .text:0045962Aj
		mov	ecx, esi
		mov	eax, edx
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_459647
		mov	ecx, esi
		nop
		mov	edi, edx
		jmp	short loc_45964B
; 

loc_459647:				; CODE XREF: .text:0045963Ej
		xor	ecx, ecx
		xor	edi, edi

loc_45964B:				; CODE XREF: .text:00459631j
					; .text:00459645j
		mov	eax, ecx
		mov	[esp+90h], ecx
		or	eax, edi
		mov	[esp+94h], edi
		jz	short loc_459671
		push	edi
		push	ecx
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo
		mov	edx, [esp+38h]

loc_459671:				; CODE XREF: .text:0045965Dj
		mov	eax, [esp+0Ch]
		test	byte ptr [eax+60h], 7
		jnz	short loc_4596E7
		test	byte ptr [esp+24h], 80h
		jz	short loc_4596F1
		mov	eax, dword_6D0700
		mov	ecx, esi
		mov	ebx, dword_6D0704
		mov	edi, edx
		mov	[esp+68h], eax
		or	eax, ebx
		mov	[esp+58h], ebx
		mov	ebx, [ebp+0Ch]
		jz	short loc_4596C1
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4596BC
		mov	esi, [esp+68h]
		mov	edx, [esp+58h]
		not	esi
		not	edx
		and	esi, ecx
		and	edx, edi
		jmp	short loc_4596C1
; 

loc_4596BC:				; CODE XREF: .text:004596A8j
		and	esi, 0FFFFFFEFh
		mov	edx, edi

loc_4596C1:				; CODE XREF: .text:0045969Ej
					; .text:004596BAj
		mov	eax, esi
		mov	[esp+8Ch], edx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_4596E7
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jnz	short loc_4596E7
		and	esi, 4
		or	esi, eax
		jz	short loc_4596F1

loc_4596E7:				; CODE XREF: .text:00459679j
					; .text:004596D2j ...
		mov	eax, [esp+34h]
		mov	eax, [eax+8]
		inc	dword ptr [eax+0Ch]

loc_4596F1:				; CODE XREF: .text:00459012j
					; .text:00459059j ...
		mov	eax, ds:_ZeroPte
		mov	[ebx], eax
		nop
		test	byte ptr [esp+24h], 80h
		mov	eax, ds:dword_40F9FC
		mov	[ebx+4], eax
		jz	loc_4597BB
		cmp	ebx, 0C0600000h
		jb	short loc_459720
		cmp	ebx, 0C0603FFFh
		jbe	loc_4597BB

loc_459720:				; CODE XREF: .text:00459712j
		mov	eax, large fs:124h
		mov	ecx, [esp+18h]
		shr	ecx, 15h
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		lea	eax, [eax+ecx*2]
		movzx	ecx, word ptr [eax+190h]
		add	eax, 190h
		lea	edx, [ecx-1]
		cmp	edx, 200h
		jnb	loc_459820
		mov	[eax], dx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_459765:				; CODE XREF: .text:00459609j
		mov	eax, [esp+24h]
		test	eax, 800h
		jz	short loc_459786
		mov	edx, [ebp+10h]

loc_459773:				; CODE XREF: .text:00458681j
		push	edx
		mov	edx, ebx
		call	_MiDeleteLargeUserPde@12 ; MiDeleteLargeUserPde(x,x,x)
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_459786:				; CODE XREF: .text:0045976Ej
		test	al, 10h
		jz	short loc_4597AD
		and	esi, 3E0h
		cmp	esi, 300h
		jnz	short loc_4597AD
		mov	ecx, [esp+34h]
		mov	edx, ebx
		lea	eax, [ecx+5Ch]
		mov	ecx, [ecx+8]
		push	eax
		mov	ecx, [ecx+10h]
		call	_MiDeleteVadAwePtes@12 ; MiDeleteVadAwePtes(x,x,x)

loc_4597AD:				; CODE XREF: .text:00458F32j
					; .text:00458F3Ej ...
		mov	eax, [esp+34h]
		cmp	dword ptr [eax], 0
		jnz	short loc_4597B8
		mov	[eax], ebx

loc_4597B8:				; CODE XREF: .text:004597B4j
		mov	[eax+4], ebx

loc_4597BB:				; CODE XREF: .text:004585D9j
					; .text:0045871Bj ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4597C6:				; CODE XREF: .text:004588FCj
		push	ecx
		mov	ecx, [esp+10h]
		push	ecx
		push	edx
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4597D9:				; CODE XREF: .text:004589F2j
		push	ecx
		mov	ecx, [esp+10h]
		push	ecx
		push	dword ptr [esp+20h]
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4597EF:				; CODE XREF: .text:00458B77j
		push	ecx
		push	edx
		push	dword ptr [esp+20h]
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_459801:				; CODE XREF: .text:004590C1j
		push	0
		push	esi
		push	edi
		push	61945h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_459811:				; CODE XREF: .text:00459619j
		push	edx
		push	esi
		push	ebx
		push	41792h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_459820:				; CODE XREF: .text:00459751j
		push	1
		push	ecx
		push	eax
		push	41790h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 4 dup(0CCCCCCCCh)
; 

MiRemoveWsle:				; CODE XREF: MiTerminateWsleCluster+273p
					; .text:00458CCBp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		mov	ebx, ecx
		mov	dword ptr [ebp-18h], 0
		push	esi
		mov	esi, edx
		push	edi
		movzx	eax, byte ptr [ebx+60h]
		and	al, 7
		mov	[ebp-4], esi
		cmp	al, 2
		jz	loc_459C01
		lea	eax, [ebx+0C0h]

loc_45986D:				; CODE XREF: .text:00459C06j
		test	ds:byte_70EFC6,	21h
		mov	[ebp-1Ch], eax
		mov	dword ptr [ebp-20h], 0
		jnz	loc_5B07E5
		lea	edx, [ebp-20h]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_459B44

loc_459891:				; CODE XREF: .text:00459B4Cj
					; .text:005B07EFj
		cmp	dword ptr [ebp+14h], 0
		mov	edi, [ebp+8]
		jnz	loc_459986

loc_45989E:				; CODE XREF: .text:004599A3j
					; .text:00459AA4j
		mov	al, [ebx+60h]
		and	al, 7
		cmp	al, 4
		jz	loc_459ADA

loc_4598AB:				; CODE XREF: .text:00459B01j
					; .text:00459B13j ...
		mov	al, [ebx+60h]
		sub	[ebx+48h], edi
		and	al, 7
		cmp	esi, 0C0000000h
		jnb	loc_459A7A

loc_4598BF:				; CODE XREF: .text:00459A80j
		mov	cl, [ebp+0Ch]
		mov	esi, 1
		sub	[ebx+40h], edi
		and	cl, 0Fh
		mov	[ebp+14h], esi
		cmp	cl, 8
		jz	short loc_4598E9

loc_4598D5:				; CODE XREF: .text:00459A99j
		movzx	eax, cl
		mov	edx, edi
		neg	edx
		add	[ebx+eax*4+18h], edx
		cmp	cl, 7
		jz	loc_4599A8

loc_4598E9:				; CODE XREF: .text:004598D3j
					; .text:004599C6j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5B0864
		mov	eax, [ebp-20h]
		test	eax, eax
		jnz	loc_459B59
		mov	edx, [ebp-1Ch]
		lea	eax, [ebp-20h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-20h]
		cmp	eax, ecx
		jnz	loc_459B51

loc_459918:				; CODE XREF: .text:00459B6Bj
					; .text:005B086Fj
		cmp	esi, 1
		jnz	short loc_459965
		mov	al, [ebp+10h]
		xor	esi, esi
		and	al, 0Fh
		test	edi, edi
		jz	short loc_459962
		mov	edi, [ebp-4]
		jmp	short loc_459930
; 
		align 10h

loc_459930:				; CODE XREF: .text:0045992Bj
					; .text:0045995Dj
		movzx	edx, byte ptr [ebx+60h]
		mov	ecx, edi
		and	edx, 7
		shr	ecx, 0Ch
		add	ecx, dword_6D2E68[edx*4]
		mov	dl, [ecx]
		and	dl, 0Fh
		cmp	dl, 0Ah
		jz	loc_5B0874
		inc	esi
		mov	[ecx], al
		add	edi, 1000h
		cmp	esi, [ebp+8]
		jb	short loc_459930
		mov	edi, [ebp+8]

loc_459962:				; CODE XREF: .text:00459926j
		mov	esi, [ebp+14h]

loc_459965:				; CODE XREF: .text:0045991Bj
		test	dword ptr ds:byte_70EFC4, 8000000h
		jnz	loc_5B0883

loc_459975:				; CODE XREF: .text:005B0885j
					; .text:005B08AAj
		test	esi, esi
		jz	loc_459AAF

loc_45997D:				; CODE XREF: .text:00459AB3j
					; .text:00459AD5j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_459986:				; CODE XREF: .text:00459898j
		sub	[ebx+4Ch], edi
		xor	eax, eax
		mov	[ebp-2Ch], eax
		mov	[ebp-28h], eax
		mov	[ebp-24h], eax
		cmp	esi, 0C0000000h
		jnb	loc_459A9E

loc_4599A0:				; CODE XREF: .text:00459AAAj
		sub	[ebx+44h], edi
		jmp	loc_45989E
; 

loc_4599A8:				; CODE XREF: .text:004598E3j
		mov	ecx, dword_6D5D40
		xor	eax, eax
		mov	[ebp-14h], eax
		mov	[ebp-10h], eax
		mov	[ebp-0Ch], eax
		mov	eax, [ebx+34h]
		mov	[ebp+0Ch], ecx
		cmp	eax, [ecx+30h]
		jb	short loc_4599D1
		test	edx, edx
		js	loc_4598E9
		jmp	loc_5B07F4
; 

loc_4599D1:				; CODE XREF: .text:004599C2j
		test	edx, edx
		jg	loc_4598E9
		lea	eax, [ebx+10h]
		cmp	dword_6D5D48, eax
		jz	loc_4598E9
		cmp	dword ptr [eax], 0
		jz	loc_4598E9
		mov	dword ptr [ebp-8], 2

loc_4599F8:				; CODE XREF: .text:005B0814j
		test	ds:byte_70EFC6,	21h
		mov	dword ptr [ebp-10h], offset dword_6D3540
		mov	dword ptr [ebp-14h], 0
		jnz	loc_5B0819
		lea	edx, [ebp-14h]
		mov	eax, offset dword_6D3540
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_459BD0

loc_459A25:				; CODE XREF: .text:00459BDBj
		cmp	byte ptr [ecx+2Dh], 0
		jz	loc_459B70

loc_459A2F:				; CODE XREF: .text:00459B78j
		mov	byte ptr [ecx+2Eh], 1

loc_459A33:				; CODE XREF: .text:00459BBBj
					; .text:005B084Fj
		test	ds:byte_70EFC6,	1
		jnz	loc_5B0854
		mov	eax, [ebp-14h]
		test	eax, eax
		jnz	short loc_459A63
		mov	edx, [ebp-10h]
		lea	eax, [ebp-14h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-14h]
		cmp	eax, ecx
		jz	loc_4598E9
		call	KxWaitForLockChainValid

loc_459A63:				; CODE XREF: .text:00459A45j
		mov	dword ptr [ebp-14h], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4598E9
; 

loc_459A7A:				; CODE XREF: .text:004598B9j
		cmp	esi, 0C07FFFFFh
		ja	loc_4598BF
		xor	esi, esi
		mov	[ebp+14h], esi
		test	al, al
		jnz	loc_4598E9
		mov	cl, [ebp+0Ch]
		and	cl, 0Fh
		jmp	loc_4598D5
; 

loc_459A9E:				; CODE XREF: .text:0045999Aj
		cmp	esi, 0C07FFFFFh
		jbe	loc_45989E
		jmp	loc_4599A0
; 

loc_459AAF:				; CODE XREF: .text:00459977j
		test	byte ptr [ebx+60h], 7
		jnz	loc_45997D
		mov	ecx, [ebp-4]
		mov	eax, ecx
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	loc_459BC0

loc_459ACC:				; CODE XREF: .text:00459BC5j
		mov	edx, ecx
		mov	ecx, ebx
		call	_MiPruneSoftwareWsles@8	; MiPruneSoftwareWsles(x,x)
		jmp	loc_45997D
; 

loc_459ADA:				; CODE XREF: .text:004598A5j
		mov	eax, ds:_PsNtosImageBase
		test	eax, eax
		jz	short loc_459AFB
		cmp	esi, ds:_PsNtosImageEnd
		jb	loc_459BE0

loc_459AEF:				; CODE XREF: .text:00459BE2j
		cmp	esi, ds:_PsHalImageEnd
		jb	loc_459BF3

loc_459AFB:				; CODE XREF: .text:00459AE1j
					; .text:00459BF9j
		cmp	esi, dword_6D07D0
		jb	loc_4598AB
		mov	eax, esi
		shr	eax, 15h
		cmp	byte ptr dword_6D3994[eax], 0Ch
		jnz	loc_4598AB
		mov	ecx, esi
		mov	edx, 2
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		shl	ecx, 9
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		test	eax, eax
		jz	loc_4598AB
		sub	dword_6CF590, edi
		jmp	loc_4598AB
; 

loc_459B44:				; CODE XREF: .text:0045988Bj
		lea	ecx, [ebp-20h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_459891
; 

loc_459B51:				; CODE XREF: .text:00459912j
		lea	ecx, [ebp-20h]
		call	KxWaitForLockChainValid

loc_459B59:				; CODE XREF: .text:004598FBj
		mov	dword ptr [ebp-20h], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_459918
; 

loc_459B70:				; CODE XREF: .text:00459A29j
		mov	edx, [ebx+10h]
		lea	eax, [ebx+10h]
		test	edx, edx
		jz	loc_459A2F
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_459C0B
		cmp	[ecx], eax
		jnz	short loc_459C0B
		cmp	dword ptr [ebp-8], 1
		mov	[ecx], edx
		mov	[edx+4], ecx
		jz	loc_5B082B
		mov	ecx, dword_6D5D48
		cmp	dword ptr [ecx], offset	dword_6D5D44
		jnz	short loc_459C0B
		mov	dword ptr [eax], offset	dword_6D5D44
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6D5D48, eax
		jmp	loc_459A33
; 

loc_459BC0:				; CODE XREF: .text:00459AC6j
		cmp	eax, 0C07FFFFFh
		ja	loc_459ACC
		jmp	loc_45997D
; 

loc_459BD0:				; CODE XREF: .text:00459A1Fj
		lea	ecx, [ebp-14h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_459BD8:				; CODE XREF: .text:005B0826j
		mov	ecx, [ebp+0Ch]
		jmp	loc_459A25
; 

loc_459BE0:				; CODE XREF: .text:00459AE9j
		cmp	esi, eax
		jb	loc_459AEF

loc_459BE8:				; CODE XREF: .text:00459BFFj
		sub	dword_6CF58C, edi
		jmp	loc_4598AB
; 

loc_459BF3:				; CODE XREF: .text:00459AF5j
		cmp	esi, ds:_PsHalImageBase
		jb	loc_459AFB
		jmp	short loc_459BE8
; 

loc_459C01:				; CODE XREF: .text:00459861j
		mov	eax, offset unk_6D3C80
		jmp	loc_45986D
; 

loc_459C0B:				; CODE XREF: .text:00459B84j
					; .text:00459B8Cj ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		align 10h

; __stdcall MiClearPteAccessed(x, x, x,	x, x, x)
_MiClearPteAccessed@24:			; CODE XREF: .text:00458083p
					; .text:00547FFDp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	[ebp-14h], edx
		xor	eax, eax
		mov	edx, [ebp+8]
		push	ebx
		shl	edx, 9
		xor	ebx, ebx
		push	esi
		mov	[ebp-2Ch], eax
		mov	[ebp-28h], eax
		mov	[ebp-24h], eax
		mov	[ebp-8], eax
		mov	[ebp-18h], eax
		mov	al, [ecx+60h]
		push	edi
		mov	[ebp-10h], edx
		xor	edi, edi
		mov	[ebp-0Ch], ecx
		lea	edx, [edx+40000000h]
		mov	[ebp-4], edx
		and	al, 7
		jz	short loc_459C72
		cmp	edx, offset loc_7FFFFF
		ja	short loc_459C75
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_459C72:				; CODE XREF: .text:00459C5Dj
		mov	[ebp-4], edx

loc_459C75:				; CODE XREF: .text:00459C65j
		mov	esi, [ebp+0Ch]
		test	al, al
		jz	short loc_459CED
		mov	edx, [ebp-14h]
		mov	eax, [edx+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jbe	short loc_459C9E
		mov	ecx, edx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_459DEB
		mov	ecx, [ebp-0Ch]

loc_459C9E:				; CODE XREF: .text:00459C8Aj
		cmp	word ptr [edx+14h], 1
		ja	loc_459DEB
		mov	edi, 1
		test	esi, esi
		jz	short loc_459D28
		mov	eax, [ebp-4]
		mov	edx, [ebp+8]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_459CF3
		mov	eax, edx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		cmp	eax, (offset loc_603014+4)
		jz	short loc_459CE8
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_459CE3
		cmp	eax, (offset loc_60300E+2)
		jz	short loc_459CE8

loc_459CE3:				; CODE XREF: .text:00459CDAj
		mov	[ebp-8], ebx
		jmp	short loc_459CF0
; 

loc_459CE8:				; CODE XREF: .text:00459CCEj
					; .text:00459CE1j
		mov	[ebp-8], edi
		jmp	short loc_459CF0
; 

loc_459CED:				; CODE XREF: .text:00459C7Aj
		mov	edx, [ebp+8]

loc_459CF0:				; CODE XREF: .text:00459CE6j
					; .text:00459CEBj
		mov	eax, [ebp-4]

loc_459CF3:				; CODE XREF: .text:00459CBDj
		test	esi, esi
		jz	short loc_459D0A
		cmp	eax, offset loc_7FFFFF
		ja	short loc_459D0A
		push	0
		mov	ebx, 1
		call	MiLockPageTableInternal

loc_459D0A:				; CODE XREF: .text:00459CF5j
					; .text:00459CFCj
		test	edi, edi
		jz	loc_459DF6
		cmp	dword ptr [ebp-8], 0
		jz	short loc_459D25
		lea	edx, [ebp-2Ch]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)

loc_459D25:				; CODE XREF: .text:00459D16j
		mov	edx, [ebp-14h]

loc_459D28:				; CODE XREF: .text:00459CB0j
		mov	dword ptr [ebp-18h], 1
		lea	edi, [edx+10h]
		mov	dword ptr [ebp+0Ch], 0
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_459D57

loc_459D40:				; CODE XREF: .text:00459D4Bj
					; .text:00459D52j
		lea	ecx, [ebp+0Ch]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_459D40
		lock bts dword ptr [edi], 1Fh
		jb	short loc_459D40
		mov	edx, [ebp-14h]

loc_459D57:				; CODE XREF: .text:00459D3Ej
		mov	eax, [edi]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jbe	short loc_459D6E
		mov	ecx, edx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_459D7E

loc_459D6E:				; CODE XREF: .text:00459D61j
		mov	eax, [ebp-0Ch]
		test	byte ptr [eax+60h], 7
		jz	short loc_459DF6
		cmp	word ptr [edx+14h], 1
		jbe	short loc_459DF6

loc_459D7E:				; CODE XREF: .text:00459D6Cj
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		cmp	dword ptr [ebp-8], 0
		jz	short loc_459DDC
		test	ds:byte_70EFC6,	1
		jz	short loc_459DA2
		mov	edx, [ebp+4]
		lea	ecx, [ebp-2Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_459DD3
; 

loc_459DA2:				; CODE XREF: .text:00459D93j
		mov	eax, [ebp-2Ch]
		test	eax, eax
		jnz	short loc_459DC1
		mov	edx, [ebp-28h]
		lea	eax, [ebp-2Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-2Ch]
		cmp	eax, ecx
		jz	short loc_459DD3
		call	KxWaitForLockChainValid

loc_459DC1:				; CODE XREF: .text:00459DA7j
		mov	dword ptr [ebp-2Ch], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_459DD3:				; CODE XREF: .text:00459DA0j
					; .text:00459DBAj
		mov	cl, [ebp-24h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_459DDC:				; CODE XREF: .text:00459D8Aj
		test	ebx, ebx
		jz	short loc_459DEB
		mov	edx, [ebp+8]
		mov	ecx, [ebp-0Ch]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_459DEB:				; CODE XREF: .text:00459C95j
					; .text:00459CA3j ...
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_459DF6:				; CODE XREF: .text:00459D0Cj
					; .text:00459D75j ...
		test	esi, esi
		jz	loc_459FD2
		mov	edx, [ebp+8]
		mov	ecx, [edx]
		nop
		mov	eax, [edx+4]
		and	ecx, 0FFFFFFDFh
		test	ebx, ebx
		jz	short loc_459E1D
		push	eax
		push	ecx
		push	dword ptr [ebp-8]
		mov	ecx, [ebp-0Ch]
		call	MiUnlockNestedPageTableWritePte
		jmp	short loc_459E23
; 

loc_459E1D:				; CODE XREF: .text:00459E0Cj
		nop
		mov	[edx], ecx
		mov	[edx+4], eax

loc_459E23:				; CODE XREF: .text:00459E1Bj
		mov	ecx, [ebp-10h]
		mov	edi, 1
		mov	[ebp-20h], ecx
		cmp	[esi], edi
		jz	short loc_459E47
		mov	al, [esi+4]
		test	al, 8
		jnz	short loc_459E47
		cmp	dword ptr [ebp-4], offset loc_7FFFFF
		ja	short loc_459E47
		or	al, 8
		mov	[esi+4], al

loc_459E47:				; CODE XREF: .text:00459E30j
					; .text:00459E37j ...
		mov	ebx, [esi+0Ch]
		test	ebx, ebx
		jz	loc_459F0A
		test	byte ptr [esi+4], 4
		jnz	short loc_459EBD
		lea	eax, [esi+10h]
		lea	eax, [eax+ebx*4]
		mov	[ebp-1Ch], eax
		mov	eax, [eax]
		test	eax, 0C00h
		jnz	short loc_459EBD
		mov	ecx, eax
		and	ecx, 3FFh
		mov	[ebp+14h], ecx
		lea	edx, [ecx+1]
		mov	ecx, eax
		and	ecx, 0FFFFF000h
		shl	edx, 0Ch
		add	edx, ecx
		mov	ecx, [ebp-10h]
		cmp	edx, ecx
		jnz	short loc_459EBD
		mov	ecx, [ebp+14h]
		lea	edx, [ecx+1]
		cmp	edx, ecx
		jbe	short loc_459EBA
		cmp	edx, 3FFh
		ja	short loc_459EBA
		lea	ecx, [eax+1]
		mov	ebx, edi
		xor	ecx, eax
		and	ecx, 3FFh
		xor	eax, ecx
		mov	ecx, [ebp-1Ch]
		inc	dword ptr [esi+10h]
		mov	[ecx], eax
		jmp	loc_459F91
; 

loc_459EBA:				; CODE XREF: .text:00459E94j
					; .text:00459E9Cj
		mov	ecx, [ebp-10h]

loc_459EBD:				; CODE XREF: .text:00459E56j
					; .text:00459E68j ...
		test	ebx, ebx
		jz	short loc_459F0A
		test	byte ptr [esi+4], 4
		jnz	short loc_459F0A
		mov	eax, [esi+ebx*4+10h]
		test	eax, 0C00h
		jnz	short loc_459F0A
		mov	edx, eax
		add	ecx, 1000h
		and	edx, 0FFFFF000h
		cmp	edx, ecx
		jnz	short loc_459F0A
		and	eax, 3FFh
		lea	ecx, [eax+1]
		cmp	ecx, eax
		jbe	short loc_459F0A
		cmp	ecx, 3FFh
		ja	short loc_459F0A
		push	0
		push	1
		mov	ecx, esi
		call	_MiMergeTbFlushEntryBackwards@16 ; MiMergeTbFlushEntryBackwards(x,x,x,x)
		mov	ebx, edi
		jmp	loc_459F91
; 

loc_459F0A:				; CODE XREF: .text:00459E4Cj
					; .text:00459EBFj ...
		cmp	ebx, [esi+8]
		jb	short loc_459F17
		mov	byte ptr [esi+5], 1
		mov	ebx, edi
		jmp	short loc_459F91
; 

loc_459F17:				; CODE XREF: .text:00459F0Dj
		mov	ebx, [ebp-20h]
		lea	ebx, [ebx+0]

loc_459F20:				; CODE XREF: .text:00459F8Cj
		lea	eax, [edi-1]
		mov	edx, edi
		cmp	eax, 3FFh
		jbe	short loc_459F31
		mov	edx, 400h

loc_459F31:				; CODE XREF: .text:00459F2Aj
		mov	ecx, ebx
		lea	eax, [edx-1]
		and	ecx, 0FFFFF000h
		and	eax, 3FFh
		or	eax, ecx
		sub	edi, edx
		mov	ecx, edx
		shl	ecx, 0Ch
		add	ebx, ecx
		mov	ecx, [esi+0Ch]
		mov	[esi+ecx*4+14h], eax
		inc	dword ptr [esi+0Ch]
		mov	eax, [esi+0Ch]
		add	[esi+10h], edx
		cmp	eax, [esi+8]
		jnz	short loc_459F8A
		test	byte ptr [esi+4], 4
		jnz	short loc_459F8A
		push	offset _MiTbFlushSort
		push	4
		push	eax
		lea	eax, [esi+14h]
		push	eax
		call	_qsort
		add	esp, 10h
		mov	ecx, esi
		call	MiCompressTbFlushList
		mov	eax, [esi+0Ch]
		cmp	eax, [esi+8]
		jz	short loc_459FC1

loc_459F8A:				; CODE XREF: .text:00459F5Fj
					; .text:00459F65j
		test	edi, edi
		jnz	short loc_459F20
		lea	ebx, [edi+1]

loc_459F91:				; CODE XREF: .text:00459EB5j
					; .text:00459F05j ...
		cmp	dword ptr [ebp-18h], 1
		jnz	short loc_45A011
		mov	eax, [ebp-14h]
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx
		cmp	dword ptr [ebp-8], 0
		jz	short loc_45A011
		test	ds:byte_70EFC6,	1
		jz	short loc_459FD7
		mov	edx, [ebp+4]
		lea	ecx, [ebp-2Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_45A008
; 

loc_459FC1:				; CODE XREF: .text:00459F88j
		mov	ebx, 1
		test	edi, edi
		jz	short loc_459F91
		mov	[esi+5], bl
		mov	[esi+10h], eax
		jmp	short loc_459F91
; 

loc_459FD2:				; CODE XREF: .text:00459DF8j
		mov	ebx, [ebp+14h]
		jmp	short loc_459F91
; 

loc_459FD7:				; CODE XREF: .text:00459FB2j
		mov	eax, [ebp-2Ch]
		test	eax, eax
		jnz	short loc_459FF6
		mov	edx, [ebp-28h]
		lea	eax, [ebp-2Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-2Ch]
		cmp	eax, ecx
		jz	short loc_45A008
		call	KxWaitForLockChainValid

loc_459FF6:				; CODE XREF: .text:00459FDCj
		mov	dword ptr [ebp-2Ch], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_45A008:				; CODE XREF: .text:00459FBFj
					; .text:00459FEFj
		mov	cl, [ebp-24h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_45A011:				; CODE XREF: .text:00459F95j
					; .text:00459FA9j
		test	ebx, ebx
		jz	loc_45A0A7
		cmp	dword ptr [ebp-4], offset loc_7FFFFF
		mov	edi, [ebp-10h]
		ja	short loc_45A061
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	esi, [ebp-0Ch]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	ebx, [eax+ecx*4]
		shr	ebx, 1
		and	bl, 7
		jmp	short loc_45A081
; 

loc_45A061:				; CODE XREF: .text:0045A023j
		mov	esi, [ebp-0Ch]
		mov	ecx, edi
		shr	ecx, 0Ch
		movzx	eax, byte ptr [esi+60h]
		and	eax, 7
		add	ecx, dword_6D2E68[eax*4]
		mov	al, [ecx]
		and	al, 0Fh
		cmp	al, 0Ah
		jz	short loc_45A0B5
		mov	bl, al

loc_45A081:				; CODE XREF: .text:0045A05Fj
		cmp	dword ptr [ebp+10h], 0
		jz	short loc_45A096
		cmp	bl, 7
		jz	short loc_45A096
		mov	edx, [ebp+8]
		mov	ecx, esi
		call	_MiLogPageAccess@8 ; MiLogPageAccess(x,x)

loc_45A096:				; CODE XREF: .text:0045A085j
					; .text:0045A08Aj
		test	bl, bl
		jnz	short loc_45A0A7
		push	1
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	MiSetVaAgeList

loc_45A0A7:				; CODE XREF: .text:0045A013j
					; .text:0045A098j
		pop	edi
		pop	esi
		mov	eax, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_45A0B5:				; CODE XREF: .text:0045A07Dj
		push	ecx
		push	esi
		push	edi
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 3 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogPageAccess(x, x)
_MiLogPageAccess@8 proc	near		; CODE XREF: MiIssueHardFault(x,x)+564p
					; MiCopyOnWrite(x,x,x,x)+85Dp ...

var_58		= dword	ptr -58h
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ecx
		mov	[esp+4Ch+var_4], 0
		push	ebx
		mov	[esp+50h+var_44], eax
		push	esi
		lea	ebx, [eax+80h]
		mov	[esp+54h+var_1C], 3
		mov	al, [eax+60h]
		mov	esi, edx
		push	edi
		xor	edi, edi
		mov	[esp+58h+var_40], offset unk_6D3C40
		and	al, 7
		mov	[esp+58h+var_20], edi
		cmp	al, 2
		jz	short loc_45A117
		mov	[esp+58h+var_40], ebx

loc_45A117:				; CODE XREF: MiLogPageAccess(x,x)+41j
		mov	eax, esi
		and	eax, 1
		mov	[esp+58h+var_3C], eax
		jz	short loc_45A125
		and	esi, 0FFFFFFFEh

loc_45A125:				; CODE XREF: MiLogPageAccess(x,x)+50j
		mov	edx, [esi]
		mov	[esp+58h+var_28], edi
		nop
		mov	eax, [esi+4]
		mov	[esp+58h+var_18], edx
		mov	[esp+58h+var_14], eax
		nop
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	eax, [eax+ecx*4]
		mov	ecx, [esp+58h+var_44]
		mov	[esp+58h+var_48], eax
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_45A169
		mov	ebx, offset unk_6D3C40

loc_45A169:				; CODE XREF: MiLogPageAccess(x,x)+92j
		add	ebx, 40h
		mov	[esp+58h+var_C], edi
		test	ds:byte_70EFC6,	21h
		mov	[esp+58h+var_8], ebx
		jz	short loc_45A18A
		mov	edx, ebx
		lea	ecx, [esp+58h+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_45A19D
; 

loc_45A18A:				; CODE XREF: MiLogPageAccess(x,x)+ABj
		lea	edx, [esp+58h+var_C]
		xchg	edx, [ebx]
		test	edx, edx
		jz	short loc_45A1A1
		lea	ecx, [esp+58h+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_45A19D:				; CODE XREF: MiLogPageAccess(x,x)+B8j
		mov	ecx, [esp+58h+var_44]

loc_45A1A1:				; CODE XREF: MiLogPageAccess(x,x)+C2j
		mov	edx, [esp+58h+var_40]
		mov	edx, [edx+18h]
		mov	[esp+58h+var_44], edx
		test	edx, edx
		jz	short loc_45A1BB
		mov	eax, [edx+20h]
		add	eax, 8
		cmp	eax, [edx+24h]
		jbe	short loc_45A207

loc_45A1BB:				; CODE XREF: MiLogPageAccess(x,x)+DEj
		call	MiAllocateAccessLog
		mov	edx, eax
		mov	[esp+58h+var_44], eax
		test	edx, edx
		jnz	short loc_45A207
		test	ds:byte_70EFC6,	1
		jnz	loc_45A2AC

loc_45A1D7:				; CODE XREF: MiLogPageAccess(x,x)+1D6j
		mov	eax, [esp+58h+var_C]
		test	eax, eax
		jnz	short loc_45A1FE
		mov	edx, [esp+58h+var_8]
		lea	eax, [esp+58h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+58h+var_C]
		cmp	eax, ecx
		jz	loc_45A594
		call	KxWaitForLockChainValid

loc_45A1FE:				; CODE XREF: MiLogPageAccess(x,x)+10Dj
		mov	[esp+58h+var_C], edi
		jmp	loc_45A589
; 

loc_45A207:				; CODE XREF: MiLogPageAccess(x,x)+E9j
					; MiLogPageAccess(x,x)+F8j
		mov	ebx, [esp+58h+var_48]
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_45A532
		mov	ecx, [ebx+8]
		mov	eax, ecx
		mov	ebx, [ebx+0Ch]
		and	eax, 400h
		or	eax, 0
		jz	loc_45A532
		mov	eax, dword_6D0704
		mov	esi, dword_6D0700
		mov	[esp+58h+var_40], eax
		mov	eax, esi
		or	eax, [esp+58h+var_40]
		jz	short loc_45A263
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45A25F
		mov	eax, [esp+58h+var_40]
		not	esi
		not	eax
		and	ecx, esi
		and	ebx, eax
		jmp	short loc_45A263
; 

loc_45A25F:				; CODE XREF: MiLogPageAccess(x,x)+17Fj
		mov	[esp+58h+var_28], ecx

loc_45A263:				; CODE XREF: MiLogPageAccess(x,x)+175j
					; MiLogPageAccess(x,x)+18Dj
		mov	eax, [esp+58h+var_48]
		mov	esi, [eax+4]
		mov	eax, [edx+28h]
		or	esi, 80000000h
		cmp	dword ptr [edx+2Ch], 1
		mov	[esp+58h+var_38], esi
		mov	[esp+58h+var_2C], eax
		jbe	short loc_45A28A
		mov	ecx, ebx
		mov	ebx, eax
		jmp	loc_45A4D6
; 

loc_45A28A:				; CODE XREF: MiLogPageAccess(x,x)+1AFj
		test	byte ptr [ebx+12h], 2
		mov	eax, [ebx]
		mov	[esp+58h+var_48], eax
		jz	short loc_45A2BF
		test	dword ptr [eax+1Ch], 4000000h
		jz	short loc_45A2BF
		test	ds:byte_70EFC6,	1
		jz	loc_45A1D7

loc_45A2AC:				; CODE XREF: MiLogPageAccess(x,x)+101j
					; MiLogPageAccess(x,x)+488j
		mov	edx, [ebp+4]
		lea	ecx, [esp+58h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_45A2BF:				; CODE XREF: MiLogPageAccess(x,x)+1C4j
					; MiLogPageAccess(x,x)+1CDj
		mov	edx, [eax+20h]
		lea	edi, [eax+20h]
		test	dl, 7
		jz	short loc_45A2E3
		lea	ebx, [ebx+0]

loc_45A2D0:				; CODE XREF: MiLogPageAccess(x,x)+211j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_45A2E3
		mov	edx, eax
		test	al, 7
		jnz	short loc_45A2D0

loc_45A2E3:				; CODE XREF: MiLogPageAccess(x,x)+1F8j
					; MiLogPageAccess(x,x)+20Bj
		mov	edi, edx
		and	edx, 7
		and	edi, 0FFFFFFF8h
		mov	[esp+58h+var_40], edi
		cmp	edx, 1
		ja	short loc_45A35F
		test	edx, edx
		jz	short loc_45A363
		push	ecx
		mov	edx, 7
		mov	ecx, edi
		call	ObReferenceObjectExWithTag
		mov	edx, [esp+58h+var_48]
		mov	ecx, [edx+20h]
		mov	eax, ecx
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		ja	short loc_45A352
		lea	esp, [esp+0]

loc_45A320:				; CODE XREF: MiLogPageAccess(x,x)+280j
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	edi, eax
		jnz	short loc_45A352
		mov	edi, [esp+58h+var_48]
		lea	edx, [ecx+7]
		mov	eax, ecx
		add	edi, 20h
		lock cmpxchg [edi], edx
		mov	esi, [esp+58h+var_38]
		mov	edi, [esp+58h+var_40]
		cmp	eax, ecx
		jz	short loc_45A35F
		mov	ecx, eax
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		jbe	short loc_45A320

loc_45A352:				; CODE XREF: MiLogPageAccess(x,x)+247j
					; MiLogPageAccess(x,x)+257j
		push	ecx
		mov	edx, 7
		mov	ecx, edi
		call	ObDereferenceObjectExWithTag

loc_45A35F:				; CODE XREF: MiLogPageAccess(x,x)+222j
					; MiLogPageAccess(x,x)+273j
		test	edi, edi
		jnz	short loc_45A3A3

loc_45A363:				; CODE XREF: MiLogPageAccess(x,x)+226j
		mov	edi, [esp+58h+var_48]
		lea	eax, [edi+24h]
		push	eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	edi, [edi+20h]
		and	edi, 0FFFFFFF8h
		mov	[esp+58h+var_49], al
		mov	[esp+58h+var_40], edi
		jz	short loc_45A38C
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag

loc_45A38C:				; CODE XREF: MiLogPageAccess(x,x)+2AEj
		mov	eax, [esp+58h+var_48]
		add	eax, 24h
		push	eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [esp+58h+var_49]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_45A3A3:				; CODE XREF: MiLogPageAccess(x,x)+291j
		mov	ecx, [esp+58h+var_48]
		mov	eax, [edi+0Ch]
		mov	[esp+58h+var_28], eax
		mov	ecx, [ecx+20h]
		mov	eax, ecx
		xor	eax, edi
		cmp	eax, 7
		jnb	short loc_45A3E5
		lea	ebx, [ebx+0]

loc_45A3C0:				; CODE XREF: MiLogPageAccess(x,x)+313j
		mov	edi, [esp+58h+var_48]
		lea	edx, [ecx+1]
		mov	eax, ecx
		add	edi, 20h
		lock cmpxchg [edi], edx
		mov	esi, [esp+58h+var_38]
		mov	edi, [esp+58h+var_40]
		cmp	eax, ecx
		jz	short loc_45A3F0
		mov	ecx, eax
		xor	eax, edi
		cmp	eax, 7
		jb	short loc_45A3C0

loc_45A3E5:				; CODE XREF: MiLogPageAccess(x,x)+2E8j
		push	746C6644h
		push	edi
		call	ObDereferenceObjectDeferDeleteWithTag

loc_45A3F0:				; CODE XREF: MiLogPageAccess(x,x)+30Aj
		mov	edi, [ebx]
		mov	ecx, [ebx+4]
		test	byte ptr [edi+1Ch], 20h
		jz	short loc_45A45B
		cmp	esi, ecx
		jb	short loc_45A429
		mov	eax, [ebx+1Ch]
		lea	eax, [ecx+eax*8]
		cmp	esi, eax
		jnb	short loc_45A429
		sub	esi, ecx
		sar	esi, 3
		xor	edx, edx

loc_45A410:				; CODE XREF: MiLogPageAccess(x,x)+377j
					; MiLogPageAccess(x,x)+389j
		mov	eax, [ebx+14h]
		xor	ecx, ecx
		shld	edx, esi, 0Ch
		shld	ecx, eax, 9
		shl	esi, 0Ch
		shl	eax, 9
		add	esi, eax
		adc	edx, ecx
		jmp	short loc_45A49E
; 

loc_45A429:				; CODE XREF: MiLogPageAccess(x,x)+32Dj
					; MiLogPageAccess(x,x)+337j
		test	byte ptr [ebx+12h], 2
		jz	short loc_45A449
		push	ebx
		or	edx, 0FFFFFFFFh
		mov	ecx, edi
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		mov	eax, [eax+24h]
		sub	esi, eax
		sar	esi, 3
		mov	eax, esi
		cdq
		mov	esi, eax
		jmp	short loc_45A410
; 

loc_45A449:				; CODE XREF: MiLogPageAccess(x,x)+35Dj
		mov	eax, [ebx+0Ch]
		mov	eax, [eax+24h]
		sub	esi, eax
		sar	esi, 3
		mov	eax, esi
		cdq
		mov	esi, eax
		jmp	short loc_45A410
; 

loc_45A45B:				; CODE XREF: MiLogPageAccess(x,x)+329j
		test	ecx, ecx
		jnz	short loc_45A467
		xor	edi, edi
		mov	[esp+58h+var_38], edi
		jmp	short loc_45A47E
; 

loc_45A467:				; CODE XREF: MiLogPageAccess(x,x)+38Dj
		sub	esi, ecx
		sar	esi, 3
		mov	eax, esi
		cdq
		mov	edi, eax
		mov	eax, edx
		shld	eax, edi, 0Ch
		mov	[esp+58h+var_38], eax
		shl	edi, 0Ch

loc_45A47E:				; CODE XREF: MiLogPageAccess(x,x)+395j
		mov	cx, [ebx+10h]
		xor	esi, esi
		or	esi, [ebx+14h]
		shr	cx, 6
		movzx	eax, cx
		cdq
		mov	edx, eax
		shld	edx, esi, 0Ch
		shl	esi, 0Ch
		add	esi, edi
		adc	edx, [esp+58h+var_38]

loc_45A49E:				; CODE XREF: MiLogPageAccess(x,x)+357j
		mov	eax, [esp+58h+var_48]
		mov	edi, [eax+1Ch]
		mov	ecx, edi
		shr	ecx, 5
		mov	eax, esi
		and	ecx, 1
		mov	ecx, [esp+ecx*4+58h+var_20]
		call	__allshl
		mov	ebx, [esp+58h+var_2C]
		mov	esi, edx
		mov	edx, [esp+58h+var_44]
		mov	ecx, [esp+58h+var_28]
		shl	edi, 5
		xor	edi, eax
		and	edi, 400h
		xor	edi, eax
		sub	ebx, 4

loc_45A4D6:				; CODE XREF: MiLogPageAccess(x,x)+1B5j
		mov	eax, [edx+24h]
		lea	edx, [eax+4]
		cmp	edx, ebx
		ja	short loc_45A4FF

loc_45A4E0:				; CODE XREF: MiLogPageAccess(x,x)+419j
		cmp	[edx], ecx
		jz	short loc_45A4FB
		add	edx, 4
		cmp	edx, ebx
		jbe	short loc_45A4E0
		mov	ebx, [esp+58h+var_44]
		mov	edx, eax
		add	eax, 0FFFFFFFCh
		mov	[ebx+24h], eax
		mov	[edx], ecx
		jmp	short loc_45A513
; 

loc_45A4FB:				; CODE XREF: MiLogPageAccess(x,x)+412j
		cmp	edx, ebx
		jbe	short loc_45A50F

loc_45A4FF:				; CODE XREF: MiLogPageAccess(x,x)+40Ej
		mov	ebx, [esp+58h+var_44]
		mov	edx, eax
		add	eax, 0FFFFFFFCh
		mov	[ebx+24h], eax
		mov	[edx], ecx
		jmp	short loc_45A513
; 

loc_45A50F:				; CODE XREF: MiLogPageAccess(x,x)+42Dj
		mov	ebx, [esp+58h+var_44]

loc_45A513:				; CODE XREF: MiLogPageAccess(x,x)+429j
					; MiLogPageAccess(x,x)+43Dj
		mov	ecx, [ebx+28h]
		mov	eax, [esp+58h+var_3C]
		sub	ecx, edx
		sar	ecx, 2
		and	ecx, 1FFh
		shl	eax, 9
		or	ecx, eax
		and	edi, 0FFFFFC00h
		jmp	short loc_45A543
; 

loc_45A532:				; CODE XREF: MiLogPageAccess(x,x)+144j
					; MiLogPageAccess(x,x)+15Aj
		mov	ecx, [esp+58h+var_3C]
		mov	ebx, [esp+58h+var_44]
		shl	ecx, 9
		and	edi, 0FFFFFDFFh

loc_45A543:				; CODE XREF: MiLogPageAccess(x,x)+460j
		mov	eax, [ebx+20h]
		or	ecx, edi
		mov	[eax], ecx
		mov	[eax+4], esi
		add	dword ptr [ebx+20h], 8
		test	ds:byte_70EFC6,	1
		jnz	loc_45A2AC
		mov	eax, [esp+58h+var_C]
		test	eax, eax
		jnz	short loc_45A581
		mov	edx, [esp+58h+var_8]
		lea	eax, [esp+58h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+58h+var_C]
		cmp	eax, ecx
		jz	short loc_45A594
		call	KxWaitForLockChainValid

loc_45A581:				; CODE XREF: MiLogPageAccess(x,x)+494j
		mov	[esp+58h+var_C], 0

loc_45A589:				; CODE XREF: MiLogPageAccess(x,x)+132j
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_45A594:				; CODE XREF: MiLogPageAccess(x,x)+123j
					; MiLogPageAccess(x,x)+4AAj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiLogPageAccess@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAgeWorkingSetTail proc near		; CODE XREF: MiAgePte(x,x,x)+285p
					; DATA XREF: MiAgeWorkingSet+2DBo

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B08AF SIZE 00000064 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	[esp+20h+var_8], 0
		mov	esi, [ebx+48h]

loc_45A5BC:				; CODE XREF: MiAgeWorkingSetTail+15635Ej
		mov	edi, [esi+24h]
		lea	eax, [esi+28h]
		test	edi, edi
		jz	short loc_45A5CD
		mov	ecx, [edi+0Ch]
		test	ecx, ecx
		jnz	short loc_45A5FE

loc_45A5CD:				; CODE XREF: MiAgeWorkingSetTail+24j
					; MiAgeWorkingSetTail+BCj
		cmp	dword ptr [eax+0Ch], 0
		jnz	loc_45A68A

loc_45A5D7:				; CODE XREF: MiAgeWorkingSetTail+F6j
		mov	edx, [esi+0C0h]
		test	edx, edx
		jnz	loc_5B08CA

loc_45A5E5:				; CODE XREF: MiAgeWorkingSetTail+15632Dj
					; MiAgeWorkingSetTail+15633Dj
		test	byte ptr [ebx+2], 2
		jz	loc_5B0903

loc_45A5EF:				; CODE XREF: MiAgeWorkingSetTail+15636Ej
		mov	byte ptr [esi+6], 1

loc_45A5F3:				; CODE XREF: MiAgeWorkingSetTail+156368j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_45A5FE:				; CODE XREF: MiAgeWorkingSetTail+2Bj
		mov	eax, dword_6D0748
		mov	edx, [edi]
		mov	[esp+20h+var_4], eax
		mov	al, [edi+4]
		mov	[esp+20h+var_C], edx
		cmp	edx, 1
		jnz	short loc_45A678
		mov	[esp+20h+var_10], 0

loc_45A61D:				; CODE XREF: MiAgeWorkingSetTail+E8j
					; MiAgeWorkingSetTail+156317j
		cmp	byte ptr [edi+5], 0
		jnz	short loc_45A661
		mov	ebx, [esp+20h+var_4]
		cmp	[edi+10h], ebx
		mov	ebx, [ebp+arg_0]
		ja	short loc_45A661
		lea	edx, [edi+14h]
		test	al, 1
		jnz	loc_5B08BC
		push	[esp+20h+var_10]
		push	[esp+24h+var_C]
		call	KeFlushMultipleRangeTb

loc_45A647:				; CODE XREF: MiAgeWorkingSetTail+D6j
					; MiAgeWorkingSetTail+156325j
		and	byte ptr [edi+4], 0F7h
		lea	eax, [esi+28h]
		mov	dword ptr [edi+0Ch], 0
		mov	dword ptr [edi+10h], 0
		jmp	loc_45A5CD
; 

loc_45A661:				; CODE XREF: MiAgeWorkingSetTail+81j
					; MiAgeWorkingSetTail+8Dj
		test	al, 1
		jnz	short loc_45A69B
		mov	edx, [esp+20h+var_10]
		mov	ecx, [esp+20h+var_C]
		call	KeFlushTb

loc_45A672:				; CODE XREF: MiAgeWorkingSetTail+102j
		mov	byte ptr [edi+5], 0
		jmp	short loc_45A647
; 

loc_45A678:				; CODE XREF: MiAgeWorkingSetTail+73j
		test	al, 8
		jnz	loc_5B08AF
		mov	[esp+20h+var_10], 1
		jmp	short loc_45A61D
; 

loc_45A68A:				; CODE XREF: MiAgeWorkingSetTail+31j
		mov	ecx, [ebx+10h]
		mov	edx, eax
		push	0
		call	MiFreeWsleList
		jmp	loc_45A5D7
; 

loc_45A69B:				; CODE XREF: MiAgeWorkingSetTail+C3j
		mov	ecx, edx
		call	KeFlushCurrentTbOnly
		jmp	short loc_45A672
MiAgeWorkingSetTail endp

; 
		align 10h

; __stdcall MiOutSwapWorkingSetPte(x, x, x)
_MiOutSwapWorkingSetPte@12:		; DATA XREF: MiOutSwapWorkingSet(x,x,x,x,x)+47o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		cmp	dword ptr [ebp+10h], 0
		mov	eax, [ebp+8]
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+48h]
		mov	[esp+1Ch], eax
		mov	ecx, [eax+8]
		mov	[esp+34h], ecx
		jnz	loc_45AC98
		mov	eax, [eax+0Ch]
		xor	edx, edx
		mov	ebx, [ebp+0Ch]
		xor	esi, esi
		mov	[esp+24h], eax
		mov	[esp+14h], edx
		mov	[esp+10h], edx
		mov	[esp+2Ch], edx
		mov	[esp+30h], edx

loc_45A6F7:				; CODE XREF: .text:0045A745j
		mov	edi, [ebx]
		nop
		mov	edx, [ebx+4]
		mov	eax, edi
		and	eax, 1
		mov	[esp+48h], edi
		or	eax, 0
		mov	[esp+4Ch], edx
		mov	ecx, 7FFFFFFFh
		jnz	loc_45A82A
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		jnz	loc_45AC61
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jz	loc_45A802
		xor	edx, edx
		mov	ecx, ebx
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_45A6F7
		mov	bl, [esi+16h]
		mov	eax, 1
		mov	[esp+18h], eax
		test	bl, 28h
		jnz	loc_45AC70
		mov	edi, [esi+8]
		mov	edx, edi
		mov	ecx, [esi+0Ch]
		mov	[esp+34h], ecx
		shrd	edx, ecx, 1
		test	dl, al
		jz	loc_45AC70
		cmp	word ptr [esi+14h], 0
		mov	edx, edi
		mov	[esp+14h], edx
		mov	edx, ecx
		mov	[esp+10h], edx
		jnz	short loc_45A7F7
		and	bl, 7
		cmp	bl, 3
		jnz	short loc_45A7F7
		xor	edx, edx
		mov	ecx, esi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		mov	eax, [esi+0Ch]
		mov	edx, 8
		and	dword ptr [esi+8], 0FFFFFFFDh
		mov	ecx, esi
		mov	[esi+0Ch], eax
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		mov	eax, [esp+18h]

loc_45A7B2:				; CODE XREF: .text:0045A937j
					; .text:0045A97Fj ...
		mov	edx, [esp+10h]

loc_45A7B6:				; CODE XREF: .text:0045A800j
		mov	edi, [esp+14h]

loc_45A7BA:				; CODE XREF: .text:0045A828j
					; .text:0045AC76j
		mov	ecx, 7FFFFFFFh

loc_45A7BF:				; CODE XREF: .text:0045AC69j
		test	al, 1
		jz	short loc_45A7C9
		lea	eax, [esi+10h]
		lock and [eax],	ecx

loc_45A7C9:				; CODE XREF: .text:0045A7C1j
		mov	eax, edi
		or	eax, edx
		jz	loc_45AC7B
		mov	ecx, edi
		mov	eax, edx
		shrd	ecx, eax, 2
		test	cl, 1
		jz	short loc_45A7E3
		and	edi, 0FFFFFFFBh

loc_45A7E3:				; CODE XREF: .text:0045A7DEj
		mov	ebx, [esp+24h]
		mov	ecx, ebx
		push	edx
		push	edi
		xor	edx, edx
		call	MiReleasePageFileInfo
		jmp	loc_45AC7F
; 

loc_45A7F7:				; CODE XREF: .text:0045A785j
					; .text:0045A78Dj
		and	edi, 0FFFFFFFDh
		mov	[esi+8], edi
		mov	[esi+0Ch], ecx
		jmp	short loc_45A7B6
; 

loc_45A802:				; CODE XREF: .text:0045A732j
		mov	ecx, edi
		mov	eax, edx
		shrd	ecx, eax, 1
		test	cl, 1
		jz	loc_45AC6E
		mov	eax, edi
		mov	[esp+4Ch], edx
		and	eax, 0FFFFFFFDh
		mov	[esp+48h], eax
		mov	[ebx], eax
		nop
		mov	[ebx+4], edx
		xor	eax, eax
		jmp	short loc_45A7BA
; 

loc_45A82A:				; CODE XREF: .text:0045A712j
		nop
		mov	eax, edi
		shrd	eax, edx, 0Ch
		and	eax, 1FFFFFFh
		mov	[esp+28h], eax
		cmp	eax, dword_6D07B0
		ja	loc_45AC61
		mov	edx, eax
		mov	ecx, eax
		mov	eax, dword_6D35B8
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_45AC6E
		mov	eax, [esp+28h]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+ecx*4]
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_45A899
		mov	edx, [esp+1Ch]
		xor	eax, eax
		mov	edi, [edx+4]
		test	edi, edi
		jz	loc_45AC70
		jmp	loc_45ABC2
; 

loc_45A899:				; CODE XREF: .text:0045A881j
		mov	eax, [esi+4]
		or	eax, 80000000h
		cmp	eax, ebx
		jnz	loc_45AC6E
		mov	eax, 1
		mov	dword ptr [esp+38h], 0
		mov	[esp+18h], eax
		lea	ebx, [esi+10h]
		lock bts dword ptr [ebx], 1Fh
		jnb	short loc_45A8DE

loc_45A8C4:				; CODE XREF: .text:0045A8D1j
					; .text:0045A8D8j
		lea	ecx, [esp+38h]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_45A8C4
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_45A8C4
		mov	eax, [esp+18h]

loc_45A8DE:				; CODE XREF: .text:0045A8C2j
		mov	cl, [esi+16h]
		mov	[esp+0Eh], cl
		test	cl, 8
		jnz	loc_45AC70
		mov	edx, [esi+8]
		mov	ecx, [esi+0Ch]
		mov	[esp+20h], edx
		mov	[esp+28h], ecx
		shrd	edx, ecx, 1
		test	dl, 1
		jz	short loc_45A928
		mov	ecx, [esp+20h]
		mov	edx, ecx
		and	ecx, 0FFFFFFFDh
		mov	[esp+14h], edx
		mov	edx, [esp+28h]
		mov	[esp+10h], edx
		mov	[esp+20h], ecx
		mov	[esp+28h], edx
		mov	[esi+8], ecx
		mov	[esi+0Ch], edx

loc_45A928:				; CODE XREF: .text:0045A903j
		mov	edx, [esp+1Ch]
		cmp	dword ptr [edx+74h], 0
		jnz	short loc_45A985
		cmp	word ptr [esi+14h], 1
		jnz	loc_45A7B2
		mov	ecx, [esp+34h]
		mov	cl, [ecx+60h]
		test	cl, 7
		jnz	short loc_45A985
		mov	ebx, [ebp+0Ch]
		shl	ebx, 9
		movzx	ecx, cl
		mov	[esp+40h], ebx
		and	ecx, 7
		shr	ebx, 0Ch
		add	ebx, dword_6D2E68[ecx*4]
		mov	ecx, ebx
		mov	bl, [ecx]
		and	bl, 0Fh
		mov	[esp+0Fh], bl
		cmp	bl, 0Ah
		lea	ebx, [esi+10h]
		jz	loc_45ACA3
		cmp	byte ptr [esp+0Fh], 8
		jz	loc_45A7B2

loc_45A985:				; CODE XREF: .text:0045A930j
					; .text:0045A947j
		mov	cl, [esp+0Eh]
		and	edi, 42h
		mov	ch, cl
		and	ch, 10h
		or	edi, 0
		mov	[esp+0Fh], ch
		jnz	short loc_45A9CB
		test	ch, ch
		jnz	short loc_45A9CB
		mov	edi, [esp+20h]
		mov	ecx, edi
		mov	ebx, [esp+28h]
		shrd	ecx, ebx, 2
		lea	ebx, [esi+10h]
		test	cl, 1
		jz	loc_45A7B2
		mov	ch, [esp+0Fh]
		mov	eax, 3
		mov	cl, [esp+0Eh]
		mov	[esp+18h], eax
		jmp	short loc_45A9CF
; 

loc_45A9CB:				; CODE XREF: .text:0045A998j
					; .text:0045A99Cj
		mov	edi, [esp+20h]

loc_45A9CF:				; CODE XREF: .text:0045A9C9j
		mov	dword ptr [esp+2Ch], 0
		mov	dword ptr [esp+30h], 0
		test	ch, ch
		jnz	short loc_45AA16
		and	edi, 400h
		or	edi, 0
		jnz	short loc_45AA0D
		push	edi
		lea	edx, [edi+1]
		lea	ecx, [esi+8]
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	cl, [esi+16h]
		mov	[esp+2Ch], eax
		mov	eax, [esp+18h]
		mov	[esp+30h], edx
		mov	edx, [esp+1Ch]

loc_45AA0D:				; CODE XREF: .text:0045A9ECj
		or	cl, 10h
		mov	[esi+16h], cl
		mov	cl, [esi+16h]

loc_45AA16:				; CODE XREF: .text:0045A9E1j
		shr	cl, 6
		cmp	cl, 1
		jz	short loc_45AA33
		cmp	cl, 2
		jnz	short loc_45AA28
		or	eax, 4
		jmp	short loc_45AA2F
; 

loc_45AA28:				; CODE XREF: .text:0045AA21j
		test	cl, cl
		jnz	short loc_45AA33
		or	eax, 8

loc_45AA2F:				; CODE XREF: .text:0045AA26j
		mov	[esp+18h], eax

loc_45AA33:				; CODE XREF: .text:0045AA1Cj
					; .text:0045AA2Aj
		cmp	dword ptr [edx+10h], 0FFFFFFFFh
		jnz	loc_45AAF6
		mov	eax, [esp+24h]
		mov	ebx, [esp+24h]
		mov	ecx, [esi+8]
		mov	edi, [esi+0Ch]
		mov	eax, [eax+2BCh]
		mov	eax, [ebx+eax*4+0F54h]
		lea	ebx, [esi+10h]
		mov	[esp+40h], eax
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_45AA6E
		and	ecx, 0FFFFFFF9h

loc_45AA6E:				; CODE XREF: .text:0045AA69j
		mov	eax, [esp+40h]
		test	eax, eax
		jz	short loc_45AAE4
		movzx	eax, word ptr [eax+74h]
		mov	[esp+3Ch], eax
		mov	eax, ecx
		or	eax, edi
		jnz	short loc_45AA89
		push	0FFFFFFFFh
		push	eax
		jmp	short loc_45AABC
; 

loc_45AA89:				; CODE XREF: .text:0045AA82j
		mov	eax, dword_6D0700
		mov	edx, dword_6D0704
		mov	[esp+40h], eax
		or	eax, edx
		mov	[esp+34h], ecx
		jz	short loc_45AAB9
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45AAB6
		mov	ecx, [esp+40h]
		not	ecx
		and	ecx, [esp+34h]
		jmp	short loc_45AAB9
; 

loc_45AAB6:				; CODE XREF: .text:0045AAA8j
		and	ecx, 0FFFFFFEFh

loc_45AAB9:				; CODE XREF: .text:0045AA9Ej
					; .text:0045AAB4j
		push	0FFFFFFFFh
		push	ecx

loc_45AABC:				; CODE XREF: .text:0045AA87j
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, eax
		mov	edi, edx
		mov	eax, [esp+3Ch]
		movzx	eax, ax
		cdq
		shld	edx, eax, 0Ch
		mov	edx, [esp+1Ch]
		shl	eax, 0Ch
		xor	eax, ecx
		and	eax, 0F000h
		xor	ecx, eax
		xor	edi, 0

loc_45AAE4:				; CODE XREF: .text:0045AA74j
		mov	eax, [esp+18h]
		mov	[esp+48h], ecx
		mov	[esp+4Ch], edi
		mov	[esi+8], ecx
		mov	[esi+0Ch], edi

loc_45AAF6:				; CODE XREF: .text:0045AA37j
		mov	ecx, 7FFFFFFFh
		lock and [ebx],	ecx
		mov	ebx, [edx+10h]
		and	eax, 0FFFFFFFEh
		mov	edi, [edx]
		mov	[esp+18h], eax
		cmp	ebx, 0FFFFFFFFh
		jz	loc_45ABBF
		mov	ecx, ebx
		shl	ecx, 4
		add	ecx, 18h
		add	ecx, edx
		mov	[esp+34h], ecx
		cmp	ebx, 5
		jnb	loc_45A7B2
		cmp	dword ptr [ecx+8], 0
		jz	loc_45A7B2
		mov	edx, [ebp+0Ch]
		push	ecx
		mov	ecx, [esp+28h]
		push	80h
		call	_MiReservePageFileSpaceForPage@16 ; MiReservePageFileSpaceForPage(x,x,x,x)
		mov	ecx, [esp+34h]
		mov	ebx, dword_6D0704
		mov	[esp+20h], ebx
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		mov	[esp+28h], eax
		mov	eax, dword_6D0700
		mov	[esp+40h], eax
		or	eax, ebx
		mov	ebx, [ebp+0Ch]
		jz	short loc_45AB8B
		mov	eax, [esp+28h]
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45AB8B
		mov	eax, [esp+40h]
		not	dword ptr [esp+20h]
		not	eax
		and	[esp+28h], eax
		and	edx, [esp+20h]

loc_45AB8B:				; CODE XREF: .text:0045AB6Bj
					; .text:0045AB77j
		mov	eax, [ecx+4]
		push	eax
		mov	eax, [ecx]
		push	eax
		xor	eax, eax
		add	edx, 1
		adc	eax, eax
		push	eax
		push	edx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	ecx, [esp+34h]
		add	dword ptr [ecx+8], 0FFFFFFFFh
		mov	[ecx], eax
		mov	[ecx+4], edx
		jnz	short loc_45ABB6
		mov	edx, [esp+1Ch]
		inc	dword ptr [edx+10h]

loc_45ABB6:				; CODE XREF: .text:0045ABADj
		mov	eax, [esp+18h]
		or	eax, 10h
		jmp	short loc_45ABC2
; 

loc_45ABBF:				; CODE XREF: .text:0045AB0Dj
		mov	ebx, [ebp+0Ch]

loc_45ABC2:				; CODE XREF: .text:0045A894j
					; .text:0045ABBDj
		mov	ecx, [edi+8]
		mov	[esp+28h], ecx
		cmp	ecx, [edi+4]
		jnb	loc_45A7B2
		mov	edx, [esp+28h]
		mov	ecx, [edi]
		shl	ebx, 9
		lea	ecx, [ecx+edx*8]
		mov	[esp+20h], ecx
		mov	ecx, edx
		mov	edx, [esp+1Ch]
		test	ecx, ecx
		jz	short loc_45AC10
		mov	ecx, [esp+20h]
		add	ecx, 0FFFFFFFCh
		mov	[esp+1Ch], ecx
		mov	ecx, [ecx]
		mov	[esp+34h], ecx
		mov	ecx, [esp+20h]
		mov	ecx, [ecx-8]
		add	ecx, [esp+34h]
		cmp	ecx, ebx
		jz	short loc_45AC2B
		mov	ecx, [esp+28h]

loc_45AC10:				; CODE XREF: .text:0045ABEAj
		inc	ecx
		mov	[edi+8], ecx
		mov	ecx, [esp+20h]
		mov	[ecx], ebx
		add	ecx, 4
		mov	[esp+1Ch], ecx
		mov	dword ptr [ecx], 0
		xor	ecx, ecx
		jmp	short loc_45AC2F
; 

loc_45AC2B:				; CODE XREF: .text:0045AC0Aj
		mov	ecx, [esp+34h]

loc_45AC2F:				; CODE XREF: .text:0045AC29j
		mov	ebx, [esp+1Ch]
		add	ecx, 1000h
		mov	[ebx], ecx
		inc	dword ptr [edi+0Ch]
		test	al, 2
		jz	short loc_45AC45
		inc	dword ptr [edx+70h]

loc_45AC45:				; CODE XREF: .text:0045AC40j
		test	al, 4
		jz	short loc_45AC51
		inc	dword ptr [edx+68h]
		jmp	loc_45A7B2
; 

loc_45AC51:				; CODE XREF: .text:0045AC47j
		test	al, 8
		jz	loc_45A7B2
		inc	dword ptr [edx+6Ch]
		jmp	loc_45A7B2
; 

loc_45AC61:				; CODE XREF: .text:0045A722j
					; .text:0045A840j
		mov	edx, [esp+10h]
		xor	eax, eax
		xor	edi, edi
		jmp	loc_45A7BF
; 

loc_45AC6E:				; CODE XREF: .text:0045A80Dj
					; .text:0045A85Dj ...
		xor	eax, eax

loc_45AC70:				; CODE XREF: .text:0045A756j
					; .text:0045A76Ej ...
		mov	edx, [esp+10h]
		xor	edi, edi
		jmp	loc_45A7BA
; 

loc_45AC7B:				; CODE XREF: .text:0045A7CDj
		mov	ebx, [esp+24h]

loc_45AC7F:				; CODE XREF: .text:0045A7F2j
		mov	ecx, [esp+2Ch]
		mov	eax, ecx
		mov	edx, [esp+30h]
		or	eax, edx
		jz	short loc_45AC98
		push	edx
		push	ecx
		xor	edx, edx
		mov	ecx, ebx
		call	MiReleasePageFileInfo

loc_45AC98:				; CODE XREF: .text:0045A6D3j
					; .text:0045AC8Bj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_45ACA3:				; CODE XREF: .text:0045A974j
		push	ecx
		push	dword ptr [esp+38h]
		push	dword ptr [esp+48h]
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 2 dup(0CCCCCCCCh)
; 

; __stdcall MiTrimPte(x, x, x)
_MiTrimPte@12:				; DATA XREF: MiTrimWorkingSet+177o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	edx, [ebp+8]
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+0Ch]
		push	esi
		mov	ecx, [edx+10h]
		push	edi
		mov	edi, ebx
		mov	dword ptr [esp+18h], 0
		shl	edi, 9
		cmp	[ebp+10h], eax
		mov	[esp+0Ch], ecx
		setz	al
		mov	[esp+1Ch], eax
		mov	eax, [ebx]
		mov	[esp+10h], eax
		nop
		mov	esi, [edx+48h]
		mov	edx, [esi+4]
		mov	eax, [esi+8]
		mov	[esp+14h], edx
		cmp	eax, edx
		jz	loc_45AF5F
		mov	edx, [esi]
		test	edx, 400h
		jz	short loc_45AD3D
		test	edx, 800h
		jz	short loc_45AD2D
		cmp	eax, 100h
		jnb	loc_45AF5F

loc_45AD2D:				; CODE XREF: .text:0045AD20j
		mov	eax, [esi+18h]
		sub	eax, [esp+14h]
		cmp	[ecx+48h], eax
		jbe	loc_45AF5F

loc_45AD3D:				; CODE XREF: .text:0045AD18j
		test	edx, 1000h
		jnz	short loc_45AD5B
		mov	edx, [esp+1Ch]
		mov	ecx, ebx
		call	MiComputeNextWalkPte
		mov	edx, [ebp+8]
		mov	ecx, [edx+10h]
		mov	ecx, [ecx+0Ch]
		mov	[ecx], eax

loc_45AD5B:				; CODE XREF: .text:0045AD43j
		mov	edx, [ebx]
		nop
		mov	eax, [ebx+4]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		cmp	dword ptr [ebp+10h], 0
		lea	eax, [eax+ecx*4]
		mov	[esp+14h], eax
		jz	short loc_45ADAE
		mov	eax, [eax+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	loc_45AF3F
		mov	ecx, [esp+0Ch]
		mov	edx, ebx
		call	_MiIsPageTableLocked@8 ; MiIsPageTableLocked(x,x)
		test	eax, eax
		jnz	loc_45AF3F
		mov	eax, [esp+14h]

loc_45ADAE:				; CODE XREF: .text:0045AD84j
		test	dword ptr [eax+18h], 800000h
		jnz	short loc_45ADDD
		mov	eax, [eax+4]
		test	eax, eax
		js	short loc_45ADDD
		jz	short loc_45ADDD
		mov	ecx, [esp+0Ch]
		or	eax, 80000000h
		push	eax
		mov	edx, ebx
		call	_MiDemoteCombinedPte@12	; MiDemoteCombinedPte(x,x,x)
		cmp	eax, 1
		jnz	short loc_45ADDD
		mov	eax, [ebx]
		mov	[esp+10h], eax
		nop

loc_45ADDD:				; CODE XREF: .text:0045ADB5j
					; .text:0045ADBCj ...
		lea	eax, [edi+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	loc_45AEB4
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	eax, [eax+ecx*4]
		shr	eax, 1
		and	al, 7

loc_45AE24:				; CODE XREF: .text:0045AED7j
		mov	ecx, [esi]
		movzx	eax, al
		and	ecx, 0Fh
		mov	[esp+1Ch], eax
		mov	eax, [esp+10h]
		mov	[esp+0Ch], ecx
		and	eax, 20h
		xor	ecx, ecx
		or	eax, ecx
		jz	short loc_45AE46
		mov	ecx, 1

loc_45AE46:				; CODE XREF: .text:0045AE3Fj
		mov	eax, [ebp+8]
		lea	edx, [esp+18h]
		push	edx
		push	ecx
		push	esi
		mov	eax, [eax+10h]
		mov	edx, edi
		push	dword ptr [esp+20h]
		mov	ecx, eax
		mov	[esp+20h], eax
		call	_MiTrimThisWsle@24 ; MiTrimThisWsle(x,x,x,x,x,x)
		test	eax, eax
		jz	loc_45AF1E
		push	0
		lea	ecx, [esi+1Ch]
		mov	edx, edi
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		test	byte ptr [esi],	10h
		jz	short loc_45AEF5
		cmp	edi, 0C0000000h
		jb	short loc_45AE8F
		cmp	edi, 0C07FFFFFh
		jbe	short loc_45AEE0

loc_45AE8F:				; CODE XREF: .text:0045AE85j
		mov	edx, [esp+10h]
		mov	ecx, edi
		shr	ecx, 0Ch
		movzx	eax, byte ptr [edx+60h]
		and	eax, 7
		add	ecx, dword_6D2E68[eax*4]
		mov	al, [ecx]
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_45AF6D
		jmp	short loc_45AEDC
; 

loc_45AEB4:				; CODE XREF: .text:0045ADE8j
		mov	edx, [esp+0Ch]
		mov	ecx, edi
		shr	ecx, 0Ch
		movzx	eax, byte ptr [edx+60h]
		and	eax, 7
		add	ecx, dword_6D2E68[eax*4]
		mov	al, [ecx]
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_45AF7C
		jmp	loc_45AE24
; 

loc_45AEDC:				; CODE XREF: .text:0045AEB2j
		cmp	al, 7
		jz	short loc_45AEF5

loc_45AEE0:				; CODE XREF: .text:0045AE8Dj
		mov	eax, [ebx]
		and	eax, 20h
		or	eax, 0
		jz	short loc_45AEF5
		mov	ecx, [esp+10h]
		mov	edx, ebx
		call	_MiLogPageAccess@8 ; MiLogPageAccess(x,x)

loc_45AEF5:				; CODE XREF: .text:0045AE7Dj
					; .text:0045AEDEj ...
		inc	dword ptr [esi+8]
		mov	eax, [esi+8]
		cmp	eax, [esi+4]
		jz	short loc_45AF08
		mov	eax, [esi+28h]
		cmp	eax, [esi+24h]
		jnz	short loc_45AF1E

loc_45AF08:				; CODE XREF: .text:0045AEFEj
		mov	ebx, [ebp+8]
		mov	edx, esi
		mov	ecx, ebx
		call	MiTrimWorkingSetBuildup
		mov	eax, [esi+8]
		cmp	eax, [esi+4]
		jz	short loc_45AF5F
		jmp	short loc_45AF21
; 

loc_45AF1E:				; CODE XREF: .text:0045AE66j
					; .text:0045AF06j
		mov	ebx, [ebp+8]

loc_45AF21:				; CODE XREF: .text:0045AF1Cj
		cmp	dword ptr [esp+18h], 0
		jz	short loc_45AF4A
		mov	ecx, [esi+0B4h]
		mov	edx, edi
		call	_MiInsertVmAccessedEntry@8 ; MiInsertVmAccessedEntry(x,x)
		test	eax, eax
		jz	short loc_45AF4A
		push	ebx
		call	MiTrimWorkingSetTail

loc_45AF3F:				; CODE XREF: .text:0045AD91j
					; .text:0045ADA4j ...
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_45AF4A:				; CODE XREF: .text:0045AF26j
					; .text:0045AF37j
		mov	eax, [esp+1Ch]
		cmp	eax, [esp+0Ch]
		jb	short loc_45AF3F
		inc	dword ptr [esi+10h]
		mov	eax, [esi+10h]
		cmp	eax, [esi+14h]
		jb	short loc_45AF3F

loc_45AF5F:				; CODE XREF: .text:0045AD0Aj
					; .text:0045AD27j ...
		pop	edi
		pop	esi
		mov	eax, 3
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_45AF6D:				; CODE XREF: .text:0045AEACj
		push	ecx
		push	edx
		push	edi
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_45AF7C:				; CODE XREF: .text:0045AED1j
		push	ecx
		push	edx
		push	edi
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 0CCh
		align 10h

; __stdcall MiTrimThisWsle(x, x, x, x, x, x)
_MiTrimThisWsle@24:			; CODE XREF: .text:0045AE5Fp
					; MiTrimPteWorker(x,x,x,x,x,x,x)+2Dp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+14h]
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		mov	edi, ebx
		mov	[ebp-4], esi
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		test	eax, eax
		jz	short loc_45AFBA
		mov	dword ptr [eax], 0

loc_45AFBA:				; CODE XREF: .text:0045AFB2j
		mov	edx, [ebp+0Ch]
		lea	eax, [ebx+40000000h]
		mov	edx, [edx]
		mov	[ebp-0Ch], edx
		cmp	eax, offset loc_7FFFFF
		ja	loc_45B07B
		mov	esi, [edi-40000000h]
		nop
		mov	eax, [edi-3FFFFFFCh]
		shrd	esi, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	esi, 1FFFFFFh
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		mov	eax, [eax+ecx*4]
		shr	eax, 1
		and	al, 7

loc_45AFFF:				; CODE XREF: .text:0045B09Aj
		movzx	ecx, al
		mov	[ebp-8], ecx
		test	dl, 60h
		jnz	loc_45B09F
		and	edx, 0Fh
		jz	loc_45B100
		mov	esi, [ebp+8]
		mov	al, [esi+17h]
		test	al, 8
		jnz	short loc_45B030
		movzx	eax, al
		and	eax, 7
		cmp	eax, 5
		jb	loc_45B100

loc_45B030:				; CODE XREF: .text:0045B01Fj
		mov	eax, [ebp+10h]
		cmp	ecx, edx
		jb	loc_45B111
		test	al, 1
		jz	loc_45B100
		mov	edx, [ebp+0Ch]
		mov	ecx, [ebp+14h]
		cmp	dword ptr [edx+0B4h], 0
		jz	loc_45B117
		cmp	ebx, ds:_MmHighestUserAddress
		ja	loc_45B117
		test	ecx, ecx
		jz	loc_45B117
		mov	dword ptr [ecx], 1
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_45B07B:				; CODE XREF: .text:0045AFCDj
		movzx	eax, byte ptr [esi+60h]
		mov	ecx, ebx
		and	eax, 7
		shr	ecx, 0Ch
		add	ecx, dword_6D2E68[eax*4]
		mov	al, [ecx]
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_45B1AB
		jmp	loc_45AFFF
; 

loc_45B09F:				; CODE XREF: .text:0045B008j
		mov	esi, [ebp+8]
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_45B10E
		test	dl, 20h
		jz	short loc_45B0EE
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_45B0EE
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	eax, [ebp-4]
		or	edx, 80000000h
		test	dword ptr [esi+18h], (offset loc_7FFFFF+1)
		jnz	short loc_45B0DC
		test	ecx, ecx
		js	short loc_45B0DC
		jnz	short loc_45B100

loc_45B0DC:				; CODE XREF: .text:0045B0D4j
					; .text:0045B0D8j
		lea	ecx, [eax-240h]
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		test	eax, eax
		jnz	short loc_45B100
		mov	edx, [ebp-0Ch]

loc_45B0EE:				; CODE XREF: .text:0045B0B0j
					; .text:0045B0BDj
		test	dl, 40h
		jz	short loc_45B10E
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jz	short loc_45B10E

loc_45B100:				; CODE XREF: .text:0045B011j
					; .text:0045B02Aj ...
		mov	eax, 1
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_45B10E:				; CODE XREF: .text:0045B0ABj
					; .text:0045B0F1j ...
		mov	eax, [ebp+10h]

loc_45B111:				; CODE XREF: .text:0045B035j
		mov	edx, [ebp+0Ch]
		mov	ecx, [ebp+14h]

loc_45B117:				; CODE XREF: .text:0045B050j
					; .text:0045B05Cj ...
		test	al, 1
		jz	short loc_45B149
		cmp	ebx, ds:_MmHighestUserAddress
		ja	short loc_45B139
		mov	eax, [ebp-4]
		test	byte ptr [eax+60h], 7
		jnz	short loc_45B139
		cmp	dword ptr [eax+1A4h], 0
		jz	short loc_45B139
		test	ecx, ecx
		jnz	short loc_45B14C

loc_45B139:				; CODE XREF: .text:0045B121j
					; .text:0045B12Aj ...
		mov	eax, [ebp-8]
		dec	eax
		cmp	eax, 5
		ja	short loc_45B1A0
		mov	eax, 0B8h
		jmp	short loc_45B176
; 

loc_45B149:				; CODE XREF: .text:0045B119j
		mov	eax, [ebp-4]

loc_45B14C:				; CODE XREF: .text:0045B137j
		test	byte ptr [eax+60h], 7
		jz	short loc_45B159
		cmp	word ptr [esi+14h], 1
		jnz	short loc_45B1A0

loc_45B159:				; CODE XREF: .text:0045B150j
		cmp	dword ptr [ebp-8], 6
		jnb	short loc_45B1A0
		mov	al, [esi+17h]
		test	al, 8
		jnz	short loc_45B1A0
		movzx	eax, al
		and	eax, 7
		cmp	eax, 5
		jnb	short loc_45B1A0
		mov	eax, 100h

loc_45B176:				; CODE XREF: .text:0045B147j
		add	eax, edx
		cmp	byte ptr [eax+44h], 0
		jnz	short loc_45B185
		mov	byte ptr [eax+44h], 1
		mov	[eax+40h], ebx

loc_45B185:				; CODE XREF: .text:0045B17Cj
		shr	edi, 3
		and	edi, 1FFh
		mov	ecx, edi
		and	edi, 7
		shr	ecx, 3
		add	ecx, eax
		movsx	eax, byte ptr [ecx]
		bts	eax, edi
		mov	[ecx], al

loc_45B1A0:				; CODE XREF: .text:0045B140j
					; .text:0045B157j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_45B1AB:				; CODE XREF: .text:0045B094j
		push	ecx
		push	esi
		push	ebx
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmUnmapViewInSystemCache proc near	; CODE XREF: CcUnmapVacb+7Ep

var_7A		= dword	ptr -7Ah
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005B0913 SIZE 00000283 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[esp+84h+var_6C], ecx
		mov	esi, ebx
		mov	[esp+84h+var_3C], edx
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		mov	byte ptr [esp+84h+var_7A], 0
		sub	esi, 40000000h
		push	edi
		mov	ecx, esi
		mov	[esp+88h+var_54], esi
		mov	[esp+88h+var_30], esi
		lea	eax, [esi+200h]
		mov	[esp+88h+var_1C], eax
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		mov	ecx, edx
		mov	[esp+88h+var_40], eax
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	edi, eax
		mov	[esp+88h+var_64], 0
		xor	ecx, ecx
		mov	[esp+88h+var_38], edi
		mov	[esp+88h+var_50], ecx
		mov	[esp+88h+var_34], ecx
		mov	ecx, ebx
		mov	eax, [edi+20h]
		and	eax, 0FFFFFFF8h
		mov	[esp+88h+var_48], 2
		mov	[esp+88h+var_58], eax
		xor	eax, eax
		mov	[esp+88h+var_68], eax
		mov	[esp+88h+var_5C], eax
		call	_MiGetSystemCacheReverseMap@4 ;	MiGetSystemCacheReverseMap(x)
		mov	ecx, eax
		mov	[esp+88h+var_44], ecx
		mov	eax, [ecx+0Ch]
		mov	[esp+88h+var_70], eax
		test	eax, eax
		jz	short loc_45B27F
		test	al, 1
		jnz	loc_45B9B8

loc_45B277:				; CODE XREF: MmUnmapViewInSystemCache+80Aj
		cmp	[eax], edi
		jnz	loc_5B0913

loc_45B27F:				; CODE XREF: MmUnmapViewInSystemCache+ADj
		lea	eax, [esp+88h+var_7A]
		mov	edx, esi
		push	eax
		mov	ecx, offset unk_6D5E80
		call	_MiLockWorkingSetOptimal@12 ; MiLockWorkingSetOptimal(x,x,x)
		mov	[esp+88h+var_18], eax
		call	_MiGetProcessorFlushList@4 ; MiGetProcessorFlushList(x)
		mov	esi, eax
		mov	ecx, [esi+0Ch]
		mov	edx, [esi+8]
		mov	eax, [esi+4]
		shl	ecx, 3
		push	ecx		; size_t
		push	0		; int
		push	edx		; void *
		mov	[esp+94h+var_74], eax
		mov	[esp+94h+var_4C], edx
		call	_memset
		mov	esi, [esi]
		add	esp, 0Ch
		or	byte ptr [esi+4], 4

loc_45B2C1:				; CODE XREF: MmUnmapViewInSystemCache+26Ej
		mov	edi, 1
		mov	[esp+88h+var_60], ebx
		cmp	[esi], edi
		jz	short loc_45B2EA
		mov	cl, [esi+4]
		test	cl, 8
		jnz	short loc_45B2EA
		mov	eax, [esp+88h+var_6C]
		add	eax, 40000000h
		cmp	eax, offset loc_7FFFFF
		jbe	loc_5B0925

loc_45B2EA:				; CODE XREF: MmUnmapViewInSystemCache+10Cj
					; MmUnmapViewInSystemCache+114j ...
		mov	ecx, [esi+0Ch]
		mov	[esp+88h+var_7A+2], ecx
		test	ecx, ecx
		jz	short loc_45B30D
		mov	bl, [esi+4]
		and	bl, 4
		jz	loc_5B0930

loc_45B301:				; CODE XREF: MmUnmapViewInSystemCache+155781j
					; MmUnmapViewInSystemCache+1557DBj
		test	bl, bl
		jz	loc_5B09A0

loc_45B309:				; CODE XREF: MmUnmapViewInSystemCache+1557ECj
					; MmUnmapViewInSystemCache+155840j
		mov	ebx, [esp+88h+var_60]

loc_45B30D:				; CODE XREF: MmUnmapViewInSystemCache+133j
		cmp	ecx, [esi+8]
		jnb	loc_5B0A4B
		jmp	short loc_45B320
; 
		align 10h

loc_45B320:				; CODE XREF: MmUnmapViewInSystemCache+156j
					; MmUnmapViewInSystemCache+1A6j
		lea	eax, [edi-1]
		cmp	eax, 3FFh
		ja	loc_5B0A05
		mov	edx, edi

loc_45B330:				; CODE XREF: MmUnmapViewInSystemCache+15584Aj
		mov	ecx, ebx
		lea	eax, [edx-1]
		and	ecx, 0FFFFF000h
		and	eax, 3FFh
		or	eax, ecx
		sub	edi, edx
		mov	ecx, edx
		shl	ecx, 0Ch
		add	ebx, ecx
		mov	ecx, [esi+0Ch]
		mov	[esi+ecx*4+14h], eax
		inc	dword ptr [esi+0Ch]
		mov	eax, [esi+0Ch]
		add	[esi+10h], edx
		cmp	eax, [esi+8]
		jz	loc_5B0A0F

loc_45B364:				; CODE XREF: MmUnmapViewInSystemCache+155853j
					; MmUnmapViewInSystemCache+15587Aj
		test	edi, edi
		jnz	short loc_45B320

loc_45B368:				; CODE XREF: MmUnmapViewInSystemCache+1557D2j
					; MmUnmapViewInSystemCache+155837j ...
		mov	edi, [esp+88h+var_54]
		mov	[esp+88h+var_28], 0
		mov	[esp+88h+var_24], 0
		mov	edx, [edi]
		nop
		mov	eax, [esp+88h+var_74]
		mov	ebx, [esp+88h+var_64]
		mov	ecx, [edi+4]
		mov	[esp+88h+var_8], edx
		mov	[esp+88h+var_4], ecx
		mov	[eax+ebx*8], edx
		mov	[eax+ebx*8+4], ecx
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jnz	loc_45B666
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jz	loc_5B0ADD
		cmp	[esp+88h+var_58], 0
		jz	short loc_45B400
		mov	eax, ecx
		mov	ecx, dword_6D0700
		mov	[esp+88h+var_5C], eax
		mov	ebx, eax
		mov	eax, dword_6D0704
		mov	[esp+88h+var_60], eax
		mov	eax, ecx
		or	eax, [esp+88h+var_60]
		jz	short loc_45B3FC
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jz	loc_45B64D
		and	edx, 0FFFFFFEFh
		mov	[esp+88h+var_5C], ebx
		mov	[esp+88h+var_28], edx

loc_45B3FC:				; CODE XREF: MmUnmapViewInSystemCache+221j
					; MmUnmapViewInSystemCache+4A1j
		mov	ebx, [esp+88h+var_64]

loc_45B400:				; CODE XREF: MmUnmapViewInSystemCache+202j
		mov	eax, ds:_ZeroPte
		mov	[edi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edi+4], eax

loc_45B410:				; CODE XREF: MmUnmapViewInSystemCache+601j
		inc	ebx
		add	edi, 8
		mov	[esp+88h+var_64], ebx
		mov	ebx, [esp+88h+var_6C]
		add	ebx, 1000h
		mov	[esp+88h+var_54], edi
		mov	[esp+88h+var_6C], ebx
		cmp	edi, [esp+88h+var_1C]
		jb	loc_45B2C1

loc_45B434:				; CODE XREF: MmUnmapViewInSystemCache+15592Dj
		mov	ecx, [esp+88h+var_50]
		test	ecx, ecx
		jz	short loc_45B44E
		mov	edx, [esp+88h+var_4C]
		push	ecx
		push	edx
		mov	edx, esi
		mov	ecx, offset unk_6D5E80
		call	MiRemoveWsleList

loc_45B44E:				; CODE XREF: MmUnmapViewInSystemCache+27Aj
		mov	eax, [esp+88h+var_44]
		cmp	dword ptr [eax+8], 0
		jz	loc_5B0AF2
		mov	dword ptr [eax+8], 0
		mov	byte ptr [esp+88h+var_7A+1], 1

loc_45B468:				; CODE XREF: MmUnmapViewInSystemCache+155937j
		mov	edx, [esp+88h+var_18]
		mov	ecx, offset unk_6D5E80
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, 2
		mov	ecx, offset unk_6D5E80
		call	MiUnlockWorkingSetShared
		mov	[esp+88h+var_10], 0
		lea	eax, [esp+88h+var_10]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	esi, ds:_KiTbFlushTimeStamp
		xor	ebx, ebx
		mov	[esp+88h+var_50], esi
		mov	[esp+88h+var_7A+2], ecx
		cmp	[esp+88h+var_64], ecx
		jle	loc_5B0B55
		lea	ecx, [ecx+0]

loc_45B4B0:				; CODE XREF: MmUnmapViewInSystemCache+318j
		mov	esi, [esp+88h+var_74]
		mov	edi, ebx
		mov	eax, [esi+ecx*8+4]
		mov	edx, [esi+ecx*8]
		mov	[esp+88h+var_14], eax
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jnz	loc_45B7C6

loc_45B4CF:				; CODE XREF: MmUnmapViewInSystemCache+6BDj
					; MmUnmapViewInSystemCache+15597Dj
		inc	ecx
		mov	[esp+88h+var_68], ecx
		cmp	ecx, [esp+88h+var_64]
		jl	short loc_45B4B0
		mov	eax, [esp+88h+var_7A+2]
		mov	edi, [esp+88h+var_74]
		test	eax, eax
		jz	short loc_45B4F1
		push	2
		mov	edx, eax
		mov	ecx, edi
		call	MiDecrementAndInsertStandbyPages

loc_45B4F1:				; CODE XREF: MmUnmapViewInSystemCache+324j
		mov	esi, [esp+88h+var_50]

loc_45B4F5:				; CODE XREF: MmUnmapViewInSystemCache+155999j
		mov	cl, byte ptr [esp+88h+var_7A]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	byte ptr [esp+88h+var_7A+1], 1
		jnz	short loc_45B517
		push	[esp+88h+var_48]
		mov	edx, [esp+8Ch+var_44]
		mov	ecx, [esp+8Ch+var_70]
		call	MiManageSubsectionView

loc_45B517:				; CODE XREF: MmUnmapViewInSystemCache+344j
		test	ebx, ebx
		jz	loc_45B9A5
		mov	ecx, [esp+88h+var_40]
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [esp+88h+var_40]
		neg	ebx
		mov	edx, ebx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		lea	eax, [ecx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	bl, byte ptr [esp+88h+var_7A]

loc_45B544:				; CODE XREF: MmUnmapViewInSystemCache+7F3j
		cmp	[esp+88h+var_58], 0
		jz	loc_5B0B5E

loc_45B54F:				; CODE XREF: MmUnmapViewInSystemCache+1559A4j
		mov	eax, [esp+88h+var_38]
		add	eax, 24h
		push	eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	eax, [esp+88h+var_70]
		test	eax, eax
		jz	short loc_45B594

loc_45B564:				; CODE XREF: MmUnmapViewInSystemCache+81Cj
		mov	eax, [eax+1Ch]
		mov	ecx, [esp+88h+var_70]
		push	0
		push	eax
		call	_MiRemoveViewsFromSection@16 ; MiRemoveViewsFromSection(x,x,x,x)
		mov	eax, [esp+88h+var_70]
		mov	edx, [esp+88h+var_5C]
		mov	ecx, [eax+4]
		cmp	edx, ecx
		jb	loc_45B9D3
		mov	eax, [eax+1Ch]
		lea	eax, [ecx+eax*8]
		cmp	edx, eax
		jnb	loc_45B9CF

loc_45B594:				; CODE XREF: MmUnmapViewInSystemCache+3A2j
		mov	eax, [esp+88h+var_38]
		mov	dl, bl
		mov	ecx, eax
		dec	dword ptr [eax+14h]
		dec	dword ptr [eax+30h]
		call	MiCheckControlArea
		and	esi, 0FFFFFh
		push	esi
		push	0
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, ds:_ZeroPte
		mov	esi, eax
		mov	eax, [esp+88h+var_30]
		mov	[esp+88h+var_8], esi
		mov	[esp+88h+var_4], edx
		mov	[eax+10h], esi
		mov	[eax+14h], edx
		mov	[eax+8], ecx
		nop
		cmp	[esp+88h+var_34], 1
		mov	edi, esi
		mov	ecx, ds:dword_40F9FC
		mov	[eax+0Ch], ecx
		mov	ebx, dword_6D0700
		mov	eax, ebx
		mov	ecx, dword_6D0704
		jnz	loc_45B98A
		or	eax, ecx
		jz	short loc_45B615
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	loc_45B980
		mov	esi, ebx
		not	esi
		and	esi, edi

loc_45B615:				; CODE XREF: MmUnmapViewInSystemCache+43Fj
					; MmUnmapViewInSystemCache+7C5j
		xor	eax, eax
		or	eax, 2
		push	eax

loc_45B61B:				; CODE XREF: MmUnmapViewInSystemCache+7E0j
		push	esi
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		test	[ebp+arg_0], 2
		mov	ecx, [esp+88h+var_30]
		mov	[esp+88h+var_4], edx
		mov	[esp+88h+var_8], eax
		mov	[ecx+18h], eax
		mov	[ecx+1Ch], edx
		jnz	short loc_45B644
		call	MiReleaseSystemCacheView

loc_45B644:				; CODE XREF: MmUnmapViewInSystemCache+47Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_45B64D:				; CODE XREF: MmUnmapViewInSystemCache+22Bj
		mov	eax, [esp+88h+var_60]
		not	ecx
		not	eax
		and	ecx, edx
		and	eax, ebx
		mov	[esp+88h+var_28], ecx
		mov	[esp+88h+var_5C], eax
		jmp	loc_45B3FC
; 

loc_45B666:				; CODE XREF: MmUnmapViewInSystemCache+1E7j
		nop
		mov	eax, ds:_MmPfnDatabase
		shrd	edx, ecx, 0Ch
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		cmp	dword_6D3154, 0
		lea	edx, [eax+ecx*4]
		mov	[esp+88h+var_7A+2], edx
		jz	short loc_45B6E2
		mov	edx, edi
		shl	edx, 9
		cmp	edx, 0C0000000h
		jnb	loc_45B88F

loc_45B6A0:				; CODE XREF: MmUnmapViewInSystemCache+6D5j
		movzx	eax, byte_6D5EE0
		and	eax, 7
		mov	ecx, dword_6D2E68[eax*4]
		mov	eax, edx
		shr	eax, 0Ch
		add	ecx, eax
		mov	al, [ecx]
		and	al, 0Fh
		cmp	al, 7
		jz	short loc_45B6DE
		cmp	al, 0Ah
		jz	loc_5B0AB7

loc_45B6C8:				; CODE XREF: MmUnmapViewInSystemCache+6DBj
		mov	eax, [edi]
		and	eax, 20h
		or	eax, 0
		jz	short loc_45B6DE
		mov	edx, edi
		mov	ecx, offset unk_6D5E80
		call	_MiLogPageAccess@8 ; MiLogPageAccess(x,x)

loc_45B6DE:				; CODE XREF: MmUnmapViewInSystemCache+4FEj
					; MmUnmapViewInSystemCache+510j
		mov	edx, [esp+88h+var_7A+2]

loc_45B6E2:				; CODE XREF: MmUnmapViewInSystemCache+4CDj
		test	[ebp+arg_0], 1
		jnz	loc_45B8A0

loc_45B6EC:				; CODE XREF: MmUnmapViewInSystemCache+6EEj
					; MmUnmapViewInSystemCache+707j ...
		mov	edx, [esp+88h+var_7A+2]

loc_45B6F0:				; CODE XREF: MmUnmapViewInSystemCache+747j
		movzx	eax, byte_6D5EE0
		mov	ebx, [esp+88h+var_6C]
		and	eax, 7
		mov	ecx, dword_6D2E68[eax*4]
		mov	eax, ebx
		shr	eax, 0Ch
		add	ecx, eax
		mov	al, [ecx]
		mov	byte ptr [esp+88h+var_7A+1], al
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_5B0ACA
		cmp	al, 8
		jz	loc_5B0A6E

loc_45B724:				; CODE XREF: MmUnmapViewInSystemCache+1558CDj
		mov	ecx, [edi]
		mov	eax, [edi+4]
		cmp	dword_6D07D0, 0C0000000h
		mov	edx, ds:_ZeroPte
		mov	ebx, ds:dword_40F9FC
		mov	[esp+88h+var_60], eax
		jnb	loc_45BA04
		mov	eax, 0C0603010h

loc_45B74E:				; CODE XREF: MmUnmapViewInSystemCache+849j
		cmp	edi, 0C0603000h
		jnb	loc_45B882

loc_45B75A:				; CODE XREF: MmUnmapViewInSystemCache+6C4j
					; MmUnmapViewInSystemCache+1558D9j ...
		mov	eax, ds:_MiFlags
		test	eax, 800h
		jnz	loc_5B0AAF
		test	eax, 4000000h
		jnz	loc_45BA0E

loc_45B775:				; CODE XREF: MmUnmapViewInSystemCache+851j
					; MmUnmapViewInSystemCache+1558F2j
		and	ecx, 20h
		or	ecx, 0
		jz	loc_45B921
		mov	[edi], edx
		nop
		mov	[edi+4], ebx

loc_45B787:				; CODE XREF: MmUnmapViewInSystemCache+777j
		mov	[esp+88h+var_34], 1

loc_45B78F:				; CODE XREF: MmUnmapViewInSystemCache+771j
		cmp	[esp+88h+var_58], 0
		mov	ebx, [esp+88h+var_64]
		mov	ecx, [esp+88h+var_4C]
		mov	al, byte ptr [esp+88h+var_7A+1]
		mov	[ecx+ebx*8], al
		mov	byte ptr [ecx+ebx*8+1],	1
		jz	short loc_45B7BA
		mov	eax, [esp+88h+var_7A+2]
		mov	eax, [eax+4]
		or	eax, 80000000h
		mov	[esp+88h+var_5C], eax

loc_45B7BA:				; CODE XREF: MmUnmapViewInSystemCache+5E8j
		lea	eax, [ebx+1]
		mov	[esp+88h+var_50], eax
		jmp	loc_45B410
; 

loc_45B7C6:				; CODE XREF: MmUnmapViewInSystemCache+309j
		inc	ebx
		mov	[esp+88h+var_60], 0
		mov	[esp+88h+var_4C], 0
		nop
		mov	eax, [esi+ecx*8+4]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	esi, [eax+ecx*4]
		lea	ecx, [esi+10h]
		mov	[esp+88h+var_1C], esi
		mov	[esp+88h+var_18], ecx
		lock bts dword ptr [ecx], 1Fh
		mov	edx, [esp+88h+var_7A+2]
		setb	al
		test	edx, edx
		jz	loc_45B90C
		test	al, al
		jnz	loc_5B0B25

loc_45B81E:				; CODE XREF: MmUnmapViewInSystemCache+756j
					; MmUnmapViewInSystemCache+155960j
		mov	eax, [esp+88h+var_68]
		mov	edi, [esp+88h+var_74]
		mov	eax, [edi+eax*8]
		and	eax, 42h
		or	eax, 0
		jnz	loc_45B96D
		mov	ecx, [ecx]
		mov	eax, ecx
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	loc_45B93C
		cmp	[esi+14h], ax
		jnz	loc_45B93C
		test	ecx, 40000000h
		jnz	loc_45B93C
		test	byte ptr [esi+17h], 40h
		jnz	loc_45B93C
		test	byte ptr [esi+16h], 10h
		jnz	loc_45B93C
		mov	[edi+edx*4], esi
		inc	edx
		mov	[esp+88h+var_7A+2], edx

loc_45B879:				; CODE XREF: MmUnmapViewInSystemCache+7A2j
					; MmUnmapViewInSystemCache+155990j
		mov	ecx, [esp+88h+var_68]
		jmp	loc_45B4CF
; 

loc_45B882:				; CODE XREF: MmUnmapViewInSystemCache+594j
		cmp	edi, eax
		jnb	loc_45B75A
		jmp	loc_5B0A92
; 

loc_45B88F:				; CODE XREF: MmUnmapViewInSystemCache+4DAj
		cmp	edx, 0C07FFFFFh
		ja	loc_45B6A0
		jmp	loc_45B6C8
; 

loc_45B8A0:				; CODE XREF: MmUnmapViewInSystemCache+526j
		mov	eax, [edx+10h]
		lea	ebx, [edx+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	loc_45B6EC
		mov	dl, [edx+17h]
		movzx	ecx, dl
		test	dl, 8
		jnz	short loc_45B8DE
		mov	eax, ecx
		and	eax, 7
		cmp	eax, 2
		jbe	loc_45B6EC
		test	dl, 8
		jnz	short loc_45B8DE
		and	ecx, 7
		cmp	ecx, 5
		ja	loc_45B6EC

loc_45B8DE:				; CODE XREF: MmUnmapViewInSystemCache+6FDj
					; MmUnmapViewInSystemCache+710j
		mov	[esp+88h+var_20], 0
		lock bts dword ptr [ebx], 1Fh
		jb	loc_5B0A54

loc_45B8F1:				; CODE XREF: MmUnmapViewInSystemCache+1558A9j
		mov	edx, [esp+88h+var_7A+2]
		mov	al, [edx+17h]
		and	al, 0FAh
		or	al, 2
		mov	[edx+17h], al
		mov	eax, 7FFFFFFFh
		lock and [ebx],	eax
		jmp	loc_45B6F0
; 

loc_45B90C:				; CODE XREF: MmUnmapViewInSystemCache+650j
		mov	[esp+88h+var_C], 0
		test	al, al
		jz	loc_45B81E
		jmp	loc_5B0AFC
; 

loc_45B921:				; CODE XREF: MmUnmapViewInSystemCache+5BBj
		push	ebx
		push	edx
		mov	ecx, edi
		call	MI_INTERLOCKED_EXCHANGE_PTE
		and	eax, 20h
		xor	edx, edx
		or	eax, edx
		jz	loc_45B78F
		jmp	loc_45B787
; 

loc_45B93C:				; CODE XREF: MmUnmapViewInSystemCache+681j
					; MmUnmapViewInSystemCache+68Bj ...
		mov	edi, [esp+88h+var_60]

loc_45B940:				; CODE XREF: MmUnmapViewInSystemCache+7BEj
		test	edx, edx
		jnz	loc_45B9EE

loc_45B948:				; CODE XREF: MmUnmapViewInSystemCache+83Fj
		mov	ecx, esi
		call	MiDecrementShareCount
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	ecx, [esp+88h+var_4C]
		mov	eax, edi
		or	eax, ecx
		jz	loc_45B879
		jmp	loc_5B0B42
; 

loc_45B96D:				; CODE XREF: MmUnmapViewInSystemCache+66Fj
		mov	ecx, esi
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	[esp+88h+var_4C], edx
		mov	edi, eax
		mov	edx, [esp+88h+var_7A+2]
		jmp	short loc_45B940
; 

loc_45B980:				; CODE XREF: MmUnmapViewInSystemCache+449j
		mov	esi, edi
		and	esi, 0FFFFFFEFh
		jmp	loc_45B615
; 

loc_45B98A:				; CODE XREF: MmUnmapViewInSystemCache+437j
		or	eax, ecx
		jz	short loc_45B99E
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45B9E7
		mov	esi, ebx
		not	esi
		and	esi, edi

loc_45B99E:				; CODE XREF: MmUnmapViewInSystemCache+7CCj
					; MmUnmapViewInSystemCache+82Cj
		push	0
		jmp	loc_45B61B
; 

loc_45B9A5:				; CODE XREF: MmUnmapViewInSystemCache+359j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		mov	byte ptr [esp+88h+var_7A], bl
		jmp	loc_45B544
; 

loc_45B9B8:				; CODE XREF: MmUnmapViewInSystemCache+B1j
		and	eax, 0FFFFFFFEh
		mov	[esp+88h+var_48], 4
		mov	[esp+88h+var_70], eax
		mov	[ecx+0Ch], eax
		jmp	loc_45B277
; 

loc_45B9CF:				; CODE XREF: MmUnmapViewInSystemCache+3CEj
		mov	eax, [esp+88h+var_70]

loc_45B9D3:				; CODE XREF: MmUnmapViewInSystemCache+3C0j
		mov	eax, [eax+8]
		mov	[esp+88h+var_70], eax
		test	eax, eax
		jnz	loc_45B564
		jmp	loc_5B0B69
; 

loc_45B9E7:				; CODE XREF: MmUnmapViewInSystemCache+7D6j
		mov	esi, edi
		and	esi, 0FFFFFFEFh
		jmp	short loc_45B99E
; 

loc_45B9EE:				; CODE XREF: MmUnmapViewInSystemCache+782j
		mov	ecx, [esp+88h+var_74]
		push	21h
		call	MiDecrementAndInsertStandbyPages
		xor	eax, eax
		mov	[esp+88h+var_7A+2], eax
		jmp	loc_45B948
; 

loc_45BA04:				; CODE XREF: MmUnmapViewInSystemCache+583j
		mov	eax, 0C0603018h
		jmp	loc_45B74E
; 

loc_45BA0E:				; CODE XREF: MmUnmapViewInSystemCache+5AFj
		lfence	eax
		jmp	loc_45B775
MmUnmapViewInSystemCache endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeleteTransitionPte proc near		; CODE XREF: .text:00459374p
					; .text:0047674Dp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B0B96 SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	eax, 92492493h
		push	edi
		mov	edi, esi
		mov	ebx, ecx
		sub	edi, ds:_MmPfnDatabase
		imul	edi
		add	edx, edi
		sar	edx, 4
		mov	edi, edx
		shr	edi, 1Fh
		add	edi, edx
		mov	edx, [ebx]
		mov	[ebp+var_1C], edi
		nop
		mov	ecx, [esi+4]
		mov	eax, ecx
		or	eax, 80000000h
		cmp	eax, ebx
		jnz	loc_5B0B7F
		mov	eax, [esi+18h]
		mov	ecx, [esi+8]
		and	eax, offset loc_7FFFFF
		mov	edx, [esi+0Ch]
		mov	[ebp+var_28], eax
		mov	eax, ecx
		and	eax, 400h
		mov	[ebp+var_C], 0
		or	eax, 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_24], 0
		jnz	loc_45BB9D
		xor	ecx, ecx
		xor	edx, edx

loc_45BA9C:				; CODE XREF: MmUnmapViewInSystemCache+1559D1j
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ecx

loc_45BAA2:				; CODE XREF: MiDeleteTransitionPte+1BCj
		cmp	word ptr [esi+14h], 0
		mov	[ebp+var_1C], 0
		jnz	loc_45BC28
		xor	edx, edx
		mov	ecx, esi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		mov	eax, [esi+0Ch]
		mov	edx, [esi+8]
		mov	[ebp+var_14], eax
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_45BB0D
		mov	eax, [ebp+var_14]
		mov	ecx, edx
		shrd	ecx, eax, 2
		mov	[ebp+var_C], edx
		test	cl, 1
		jnz	loc_45BC0D
		mov	ecx, [ebp+var_14]
		mov	eax, edx
		shrd	eax, ecx, 1
		test	al, 1
		jnz	loc_45BC19
		mov	[ebp+var_C], 0
		mov	[ebp+var_10], 0

loc_45BB06:				; CODE XREF: MiDeleteTransitionPte+1F4j
					; MiDeleteTransitionPte+203j
		mov	[ebp+var_24], offset _MiSystemPartition

loc_45BB0D:				; CODE XREF: MiDeleteTransitionPte+B0j
		mov	ecx, [ebp+var_4]
		mov	eax, 4
		mov	edx, [ebp+var_8]

loc_45BB18:				; CODE XREF: MiDeleteTransitionPte+21Fj
		mov	[ebp+var_14], eax
		mov	[ebx], ecx
		nop
		mov	[ebx+4], edx
		cmp	eax, 4
		jnz	short loc_45BB30
		lea	edx, [eax-2]
		mov	ecx, edi
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)

loc_45BB30:				; CODE XREF: MiDeleteTransitionPte+104j
		mov	ebx, 7FFFFFFFh
		add	esi, 10h
		lock and [esi],	ebx
		mov	eax, [ebp+var_28]
		mov	[ebp+var_8], 0
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [eax+ecx*4]
		lea	esi, [edi+10h]
		lock bts dword ptr [esi], 1Fh
		jb	loc_45BC44

loc_45BB64:				; CODE XREF: MiDeleteTransitionPte+236j
		mov	ecx, edi
		call	MiDecrementShareCount
		lock and [esi],	ebx
		mov	bl, [ebp+arg_0]
		cmp	bl, 21h
		jnz	loc_5B0BBF

loc_45BB7A:				; CODE XREF: MiDeleteTransitionPte+1551A7j
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jnz	loc_5B0BCC

loc_45BB85:				; CODE XREF: MiDeleteTransitionPte+1551B1j
		mov	ecx, [ebp+var_C]
		mov	eax, ecx
		mov	edx, [ebp+var_10]
		or	eax, edx
		jnz	short loc_45BBEF

loc_45BB91:				; CODE XREF: MiDeleteTransitionPte+1D3j
					; MiDeleteTransitionPte+1EBj
		mov	eax, [ebp+var_14]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_45BB9D:				; CODE XREF: MiDeleteTransitionPte+72j
		mov	edi, dword_6D0704
		mov	eax, dword_6D0700
		mov	[ebp+var_8], edi
		or	eax, edi
		mov	edi, [ebp+var_1C]
		jz	short loc_45BBBC
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jz	short loc_45BBE7

loc_45BBBC:				; CODE XREF: MiDeleteTransitionPte+190j
					; MiDeleteTransitionPte+1CDj
		mov	ecx, [edx]
		push	2
		push	ecx
		call	MiDereferenceControlAreaPfnList
		mov	ecx, [esi+8]
		mov	eax, ecx
		mov	edx, [esi+0Ch]
		and	eax, 400h
		or	eax, 0
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], edx
		jnz	loc_45BAA2
		jmp	loc_5B0B8E
; 

loc_45BBE7:				; CODE XREF: MiDeleteTransitionPte+19Aj
		not	[ebp+var_8]
		and	edx, [ebp+var_8]
		jmp	short loc_45BBBC
; 

loc_45BBEF:				; CODE XREF: MiDeleteTransitionPte+16Fj
		cmp	[ebp+arg_4], 0
		jz	short loc_45BB91
		cmp	bl, 21h
		jnz	short loc_45BC5E
		mov	eax, 1

loc_45BBFF:				; CODE XREF: MiDeleteTransitionPte+240j
		push	edx
		push	ecx
		mov	ecx, [ebp+var_24]
		mov	edx, eax
		call	MiReleasePageFileInfo
		jmp	short loc_45BB91
; 

loc_45BC0D:				; CODE XREF: MiDeleteTransitionPte+C1j
		nop
		mov	eax, [esi+0Ch]
		mov	[ebp+var_10], eax
		jmp	loc_45BB06
; 

loc_45BC19:				; CODE XREF: MiDeleteTransitionPte+D2j
		mov	[ebp+var_C], edx
		nop
		mov	eax, [esi+0Ch]
		mov	[ebp+var_10], eax
		jmp	loc_45BB06
; 

loc_45BC28:				; CODE XREF: MiDeleteTransitionPte+8Ej
		mov	al, [esi+16h]
		or	dword ptr [esi+10h], 40000000h
		test	al, 20h
		jnz	loc_5B0B96

loc_45BC3A:				; CODE XREF: MiDeleteTransitionPte+155178j
					; MiDeleteTransitionPte+15519Aj
		mov	eax, 3
		jmp	loc_45BB18
; 

loc_45BC44:				; CODE XREF: MiDeleteTransitionPte+13Ej
					; MiDeleteTransitionPte+22Fj ...
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_45BC44
		lock bts dword ptr [esi], 1Fh
		jnb	loc_45BB64
		jmp	short loc_45BC44
; 

loc_45BC5E:				; CODE XREF: MiDeleteTransitionPte+1D8j
		xor	eax, eax
		jmp	short loc_45BBFF
MiDeleteTransitionPte endp

; 
		align 10h
; Exported entry 187. CcCopyReadEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcCopyReadEx
CcCopyReadEx	proc near		; CODE XREF: CcCopyRead(x,x,x,x,x,x)+19p
					; CcFastCopyRead(x,x,x,x,x,x)+25p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005B0BD6 SIZE 0000001C BYTES
; FUNCTION CHUNK AT 005B0BF7 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A10C8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_19], 0
		mov	[ebp+var_24], 0
		mov	edx, large fs:124h
		mov	eax, [edx+2FCh]
		shr	eax, 9
		and	eax, 7
		mov	ecx, [edx+150h]
		test	dword ptr [ecx+0FCh], 100000h
		jnz	loc_45BFAA

loc_45BCD6:				; CODE XREF: CcCopyReadEx+33Cj
		cmp	eax, 2
		jb	loc_45BF5E

loc_45BCDF:				; CODE XREF: CcCopyReadEx+2F7j
					; CcCopyReadEx+304j ...
		mov	[ebp+var_20], 0
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+14h]
		mov	ebx, [ecx+4]
		mov	ecx, [esi+18h]
		mov	[ebp+arg_0], ecx
		test	eax, eax
		jz	loc_45BF7F

loc_45BCFD:				; CODE XREF: CcCopyReadEx+313j
		mov	edi, [ebp+arg_4]
		mov	ecx, [edi]
		mov	edx, [ebp+arg_8]
		add	ecx, edx
		mov	eax, [edi+4]
		adc	eax, 0
		cmp	eax, [ebx+0Ch]
		jl	short loc_45BD21
		jg	loc_5B0BF7
		cmp	ecx, [ebx+8]
		ja	loc_5B0BF7

loc_45BD21:				; CODE XREF: CcCopyReadEx+A0j
		cmp	[ebp+arg_10], 0
		jz	loc_5B0BE0
		mov	eax, [ebp+arg_0]
		test	dword ptr [eax], 20000h
		jnz	loc_45BF4B

loc_45BD3A:				; CODE XREF: CcCopyReadEx+2E9j
		mov	[ebp+var_4], 0
		xor	eax, eax
		cmp	byte ptr [ebp+arg_C], al
		setnz	al
		lea	eax, ds:60Ch[eax*4]
		inc	dword ptr fs:[eax]
		mov	eax, large fs:124h
		mov	dword ptr [eax+328h], 0
		mov	ecx, [ebp+arg_18]
		test	ecx, ecx
		jnz	loc_45BF2D

loc_45BD6E:				; CODE XREF: CcCopyReadEx+2C5j
					; CcCopyReadEx+2D6j
		mov	eax, [edi+4]
		push	eax		; int
		mov	eax, [edi]
		push	eax		; int
		push	[ebp+var_20]	; int
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		shr	eax, 12h
		and	eax, 7
		push	eax		; int
		lea	eax, [ebp+var_24]
		push	eax		; int
		push	[ebp+arg_10]	; void *
		push	[ebp+arg_C]	; int
		mov	ecx, esi
		call	CcMapAndCopyFromCache
		mov	[ebp+var_19], al
		test	al, al
		jz	loc_45BFB1
		mov	eax, large fs:124h
		mov	eax, [eax+328h]
		add	large fs:684h, eax
		test	dword ptr [ebx+60h], 40000000h
		jnz	loc_45BED6
		cmp	[ebp+var_24], 0
		jnz	loc_45BF88

loc_45BDCA:				; CODE XREF: CcCopyReadEx+321j
					; CcCopyReadEx+335j
		mov	eax, [esi+14h]
		mov	eax, [eax+4]
		mov	[ebp+var_2C], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_28], eax
		lea	ecx, [eax+20h]
		mov	[ebp+arg_18], ecx
		mov	ebx, [ecx]
		mov	[ebp+arg_10], ebx
		mov	ecx, [ecx+4]
		mov	[ebp+arg_0], ecx
		add	eax, 10h
		mov	[ebp+arg_C], eax

loc_45BDF0:				; CODE XREF: CcCopyReadEx+19Ej
					; CcCopyReadEx+1A3j
		mov	esi, [eax]
		mov	ecx, [eax+4]
		mov	[ebp+var_24], ecx
		mov	eax, esi
		mov	edx, ecx
		nop
		mov	ecx, [ebp+arg_0]
		mov	edi, [ebp+arg_C]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		mov	eax, edi
		mov	ebx, [ebp+arg_10]
		jnz	short loc_45BDF0
		cmp	edx, [ebp+var_24]
		jnz	short loc_45BDF0
		mov	eax, [ebp+var_28]
		lea	ecx, [eax+28h]
		mov	[ebp+arg_0], ecx
		mov	ebx, [ecx]
		mov	[ebp+arg_10], ebx
		mov	ecx, [ecx+4]
		mov	[ebp+var_28], ecx
		add	eax, 18h
		mov	[ebp+arg_C], eax

loc_45BE2F:				; CODE XREF: CcCopyReadEx+154F7Dj
		mov	esi, [eax]
		mov	ecx, [eax+4]
		mov	[ebp+var_24], ecx
		mov	eax, esi
		mov	edx, ecx
		nop
		mov	ecx, [ebp+var_28]
		mov	edi, [ebp+arg_C]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		mov	edi, [ebp+arg_4]
		mov	ebx, [ebp+arg_10]
		jnz	loc_5B0BEA
		cmp	edx, [ebp+var_24]
		jnz	loc_5B0BEA
		mov	ebx, [edi]
		mov	[ebp+arg_10], ebx
		mov	eax, [edi+4]
		mov	[ebp+var_28], eax

loc_45BE68:				; CODE XREF: CcCopyReadEx+21Aj
					; CcCopyReadEx+21Fj
		mov	eax, [ebp+arg_18]
		mov	esi, [eax]
		mov	ecx, [eax+4]
		mov	[ebp+var_24], ecx
		mov	eax, esi
		mov	edx, ecx
		nop
		mov	ecx, [ebp+var_28]
		mov	edi, [ebp+arg_18]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		mov	edi, [ebp+arg_4]
		mov	ebx, [ebp+arg_10]
		jnz	short loc_45BE68
		cmp	edx, [ebp+var_24]
		jnz	short loc_45BE68
		mov	ecx, [edi]
		add	ecx, [ebp+arg_8]
		mov	[ebp+arg_4], ecx
		mov	edi, [edi+4]
		adc	edi, 0
		mov	[ebp+arg_10], edi

loc_45BEA2:				; CODE XREF: CcCopyReadEx+253j
					; CcCopyReadEx+258j
		mov	eax, [ebp+arg_0]
		mov	esi, [eax]
		mov	edx, [eax+4]
		mov	[ebp+var_28], edx
		mov	eax, esi
		nop
		mov	ebx, ecx
		mov	ecx, edi
		mov	edi, [ebp+arg_0]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		mov	ecx, [ebp+arg_4]
		mov	edi, [ebp+arg_10]
		jnz	short loc_45BEA2
		cmp	edx, [ebp+var_28]
		jnz	short loc_45BEA2
		mov	ecx, [ebp+var_2C]
		test	dword ptr [ecx+60h], 200000h
		jnz	short loc_45BF08

loc_45BED6:				; CODE XREF: CcCopyReadEx+14Aj
					; CcCopyReadEx+2ADj ...
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 0
		mov	ecx, [ebp+arg_8]
		mov	[eax+4], ecx

loc_45BEE5:				; CODE XREF: CcCopyReadEx+348j
		mov	[ebp+var_4], 0FFFFFFFEh
		call	sub_45BFBD
		mov	al, [ebp+var_19]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_45BF08:				; CODE XREF: CcCopyReadEx+264j
		mov	eax, [ebp+arg_C]
		mov	edx, [eax]
		shr	edx, 0Ch
		mov	eax, [ebp+arg_18]
		mov	eax, [eax]
		shr	eax, 0Ch
		sub	eax, edx
		cmp	eax, 1
		jbe	short loc_45BED6
		push	0
		mov	edx, 200000h
		call	CcUpdateSharedCacheMapFlag
		jmp	short loc_45BED6
; 

loc_45BF2D:				; CODE XREF: CcCopyReadEx+F8j
		mov	eax, large fs:124h
		cmp	ecx, eax
		jz	loc_45BD6E
		lea	edx, [ebp+var_20]
		call	_IoReferenceIoAttributionFromThread@8 ;	IoReferenceIoAttributionFromThread(x,x)
		mov	edx, [ebp+arg_8]
		jmp	loc_45BD6E
; 

loc_45BF4B:				; CODE XREF: CcCopyReadEx+C4j
		push	[ebp+arg_18]
		push	edx
		push	edi
		push	esi
		call	CcScheduleReadAheadEx
		mov	edx, [ebp+arg_8]
		jmp	loc_45BD3A
; 

loc_45BF5E:				; CODE XREF: CcCopyReadEx+69j
		mov	ecx, large fs:124h
		cmp	edx, ecx
		jnz	loc_45BCDF
		cmp	dword ptr [edx+32Ch], 0
		jz	loc_45BCDF
		jmp	loc_5B0BD6
; 

loc_45BF7F:				; CODE XREF: CcCopyReadEx+87j
		mov	byte ptr [ebp+arg_C], 1
		jmp	loc_45BCFD
; 

loc_45BF88:				; CODE XREF: CcCopyReadEx+154j
		mov	eax, [ebp+arg_0]
		test	dword ptr [eax], 20000h
		jnz	loc_45BDCA
		push	[ebp+arg_18]
		mov	ecx, [ebp+arg_8]
		push	ecx
		push	edi
		push	esi
		call	CcScheduleReadAheadEx
		jmp	loc_45BDCA
; 

loc_45BFAA:				; CODE XREF: CcCopyReadEx+60j
		xor	eax, eax
		jmp	loc_45BCD6
; 

loc_45BFB1:				; CODE XREF: CcCopyReadEx+12Aj
		inc	large dword ptr	fs:614h
		jmp	loc_45BEE5
CcCopyReadEx	endp


;  S U B	R O U T	I N E 


sub_45BFBD	proc near		; CODE XREF: CcCopyReadEx+27Cp
					; sub_5B0BF2j
		mov	ecx, [ebp-20h]
		test	ecx, ecx
		jnz	short loc_45BFC5

locret_45BFC4:				; CODE XREF: sub_45BFBD+Dj
		retn
; 

loc_45BFC5:				; CODE XREF: sub_45BFBD+5j
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		jmp	short locret_45BFC4
sub_45BFBD	endp

; 
		align 10h

;  S U B	R O U T	I N E 


CcFreeVirtualAddress proc near		; CODE XREF: CcMdlRead+108p
					; CcMapAndCopyFromCache+EEp ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx+4]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+8], eax
		dec	eax
		movzx	eax, ax
		test	ax, ax
		jnz	short loc_45BFF9
		mov	eax, [esi+74h]
		test	eax, eax
		jnz	loc_5B0C0D

loc_45BFF2:				; CODE XREF: CcCopyReadEx+154FA7j
		lock dec dword ptr [esi+180h]

loc_45BFF9:				; CODE XREF: CcFreeVirtualAddress+15j
		pop	esi
		retn
CcFreeVirtualAddress endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcFetchDataForRead(x, x, x,	x, x, x, x, x)
_CcFetchDataForRead@32 proc near	; CODE XREF: CcMdlRead+BCp
					; CcMapAndCopyFromCache+8Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, [edx]
		push	ebx
		mov	ebx, [edx+4]
		mov	edx, eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		and	edx, 0FFFFF000h
		mov	[esp+28h+var_14], ecx
		mov	esi, 40000h
		xor	ecx, ecx
		mov	[esp+28h+var_18], ebx
		add	edi, eax
		mov	[esp+28h+var_4], edx
		mov	eax, [ebp+arg_C]
		adc	ecx, ebx
		add	edi, 0FFFh
		adc	ecx, 0
		and	edi, 0FFFFF000h
		sub	edi, edx
		sbb	ecx, ebx
		mov	ebx, edx
		and	ebx, 3FFFFh
		mov	[esp+28h+var_C], ecx
		add	ebx, [eax]
		mov	eax, ebx
		and	eax, 3FFFFh
		sub	esi, eax
		cmp	esi, edi
		jb	short loc_45C068
		mov	esi, edi

loc_45C068:				; CODE XREF: CcFetchDataForRead(x,x,x,x,x,x,x,x)+64j
		push	[esp+28h+var_18]
		mov	ecx, [esp+2Ch+var_14]
		push	edx
		mov	edx, esi
		call	MmHardFaultBytesRequired
		test	eax, eax
		jnz	short loc_45C094

loc_45C07C:				; CODE XREF: CcFetchDataForRead(x,x,x,x,x,x,x,x)+D6j
		push	0
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	_MmCheckCachedPageStates@16 ; MmCheckCachedPageStates(x,x,x,x)
		mov	al, 1
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_45C094:				; CODE XREF: CcFetchDataForRead(x,x,x,x,x,x,x,x)+7Aj
		cmp	[ebp+arg_4], 0
		jz	short loc_45C0D8
		push	[esp+28h+var_18]
		lea	eax, [esp+2Ch+var_10]
		mov	[esp+2Ch+var_10], 0
		push	[esp+2Ch+var_4]
		push	eax
		push	[ebp+arg_14]
		push	ecx
		push	[ebp+arg_10]
		mov	ecx, [esp+40h+var_14]
		push	edi
		call	_MmPrefetchForCacheManager@36 ;	MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)
		mov	ecx, [esp+28h+var_10]
		test	ecx, ecx
		jz	short loc_45C0CD
		call	_MmWaitForCacheManagerPrefetch@4 ; MmWaitForCacheManagerPrefetch(x)

loc_45C0CD:				; CODE XREF: CcFetchDataForRead(x,x,x,x,x,x,x,x)+C6j
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 1
		jmp	short loc_45C07C
; 

loc_45C0D8:				; CODE XREF: CcFetchDataForRead(x,x,x,x,x,x,x,x)+98j
		pop	edi
		pop	esi
		xor	al, al
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_CcFetchDataForRead@32 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiOffsetToProtos proc near		; CODE XREF: MiInsertInSystemSpace+B4p
					; MiRemoveMappedPtes+85p ...

var_7A		= byte ptr -7Ah
var_79		= byte ptr -79h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_B		= byte ptr  13h
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 0045C431 SIZE 00000095 BYTES
; FUNCTION CHUNK AT 005B0C1C SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		shrd	eax, esi, 0Ch
		push	edi
		mov	edi, edx
		shr	esi, 0Ch
		mov	[esp+88h+var_78], eax
		mov	[esp+88h+var_6C], esi
		mov	[edi], eax
		mov	[edi+4], esi
		mov	eax, [ebx+1Ch]
		test	al, 20h
		jnz	loc_45C353
		cmp	dword ptr [ebx+20h], 0
		jz	loc_45C353
		test	eax, 400h
		jnz	loc_45C353
		mov	cl, 2
		lea	esi, [ebx+24h]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[esp+88h+var_79], al
		jnz	loc_5B0C1C
		mov	edx, [esi]
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	loc_45C416

loc_45C171:				; CODE XREF: MiOffsetToProtos+331j
					; MiOffsetToProtos+154B35j
		mov	eax, [ebx+0A4h]
		xor	esi, esi
		test	eax, eax
		jz	short loc_45C189
		lea	ecx, [ecx+0]

loc_45C180:				; CODE XREF: MiOffsetToProtos+97j
		mov	esi, eax
		mov	eax, [eax+4]
		test	eax, eax
		jnz	short loc_45C180

loc_45C189:				; CODE XREF: MiOffsetToProtos+8Bj
		mov	ax, [esi-18h]
		mov	ecx, [esi-4]
		shr	ax, 6
		and	ecx, 3FFFFFFFh
		movzx	eax, ax
		cdq
		xor	edx, edx
		mov	[esp+88h+var_74], 0
		or	edx, [esi-14h]
		mov	esi, [esi-0Ch]
		sub	esi, ecx
		mov	ecx, [esp+88h+var_74]
		sbb	ecx, ecx
		add	esi, edx
		adc	ecx, eax
		test	ds:byte_70EFC6,	1
		mov	[esp+88h+var_74], ecx
		jnz	loc_5B0C2A
		lea	eax, [ebx+24h]
		mov	ecx, 0BFFFFFFFh
		lock and [eax],	ecx
		lock dec dword ptr [eax]

loc_45C1D9:				; CODE XREF: MiOffsetToProtos+154B45j
		mov	cl, [esp+88h+var_79]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [edi]
		mov	edx, [edi+4]
		mov	eax, [esp+88h+var_74]

loc_45C1EC:				; CODE XREF: MiOffsetToProtos+288j
		cmp	edx, eax
		jb	short loc_45C1FE
		ja	loc_45C426
		cmp	ecx, esi
		jnb	loc_45C426

loc_45C1FE:				; CODE XREF: MiOffsetToProtos+FEj
		cmp	dword ptr [ebx+20h], 0
		jz	loc_45C37D
		test	byte ptr [ebx+1Ch], 20h
		jnz	loc_45C392
		push	54h		; size_t
		lea	eax, [esp+8Ch+var_58]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+arg_4], 3FFFFFh
		jb	short loc_45C23F
		ja	loc_5B0C8E
		cmp	[ebp+arg_0], 0FFFFF000h
		jnb	loc_5B0C8E

loc_45C23F:				; CODE XREF: MiOffsetToProtos+13Aj
		lea	esi, [ebx+24h]
		mov	cl, 2
		mov	[esp+88h+var_68], esi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[esp+88h+var_79], al
		jnz	loc_5B0C3A
		mov	edx, [esi]
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	loc_45C406

loc_45C278:				; CODE XREF: MiOffsetToProtos+321j
					; MiOffsetToProtos+154B53j
		mov	esi, [ebx+0ACh]
		mov	ecx, [esp+88h+var_6C]
		mov	ax, [esi+10h]
		shr	ax, 6
		movzx	eax, ax
		cdq
		xor	edx, edx
		mov	[esp+88h+var_74], eax
		or	edx, [esi+14h]
		mov	eax, [esi+18h]
		mov	[esp+88h+var_70], edx
		xor	edx, edx
		add	eax, [esp+88h+var_70]
		adc	edx, [esp+88h+var_74]
		add	eax, 0FFFFFFFFh
		mov	[esp+88h+var_6C], eax
		adc	edx, 0FFFFFFFFh
		cmp	word ptr [esi+12h], 10h
		jnb	loc_45C3F7

loc_45C2BD:				; CODE XREF: MiOffsetToProtos+311j
		mov	eax, [esp+88h+var_78]
		mov	[esp+88h+var_60], eax
		movzx	eax, cx
		mov	[esp+88h+var_60], eax
		mov	eax, [esp+88h+var_78]
		cmp	ecx, [esp+88h+var_74]
		jb	loc_45C3C4
		ja	short loc_45C2E6
		cmp	eax, [esp+88h+var_70]
		jb	loc_45C3C4

loc_45C2E6:				; CODE XREF: MiOffsetToProtos+1EAj
		movzx	eax, cx
		mov	[esp+88h+var_60], eax
		mov	eax, [esp+88h+var_78]
		cmp	ecx, edx
		ja	loc_45C3C4
		jb	short loc_45C305
		cmp	eax, [esp+88h+var_6C]
		ja	loc_45C3C4

loc_45C305:				; CODE XREF: MiOffsetToProtos+209j
		mov	bl, [esp+88h+var_79]
		cmp	bl, 21h
		jz	short loc_45C332
		test	ds:byte_70EFC6,	1
		jnz	loc_5B0C48
		mov	eax, [esp+88h+var_68]
		mov	ecx, 0BFFFFFFFh
		lock and [eax],	ecx
		lock dec dword ptr [eax]

loc_45C32A:				; CODE XREF: MiOffsetToProtos+154B64j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_45C332:				; CODE XREF: MiOffsetToProtos+21Cj
					; MiOffsetToProtos+3B8j ...
		mov	ax, [esi+10h]
		xor	ecx, ecx
		or	ecx, [esi+14h]
		shr	ax, 6
		sub	[edi], ecx
		movzx	eax, ax
		cdq
		sbb	[edi+4], eax

loc_45C348:				; CODE XREF: MiOffsetToProtos+2AAj
					; MiOffsetToProtos+2B0j ...
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_45C353:				; CODE XREF: MiOffsetToProtos+31j
					; MiOffsetToProtos+3Bj	...
		mov	ecx, [ebx]
		mov	edx, 3FFh
		mov	ax, [ecx+8]
		and	ax, dx
		movzx	eax, ax
		cdq
		xor	edx, edx
		or	edx, [ecx+4]
		mov	ecx, [esp+88h+var_78]
		mov	[esp+88h+var_60], edx
		mov	edx, esi
		mov	esi, [esp+88h+var_60]
		jmp	loc_45C1EC
; 

loc_45C37D:				; CODE XREF: MiOffsetToProtos+112j
		lea	ecx, [ebx+50h]
		mov	edx, edi
		call	_MiLocatePagefileSubsection@8 ;	MiLocatePagefileSubsection(x,x)
		mov	esi, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_45C392:				; CODE XREF: MiOffsetToProtos+11Cj
		lea	esi, [ebx+50h]
		mov	ebx, [esi+1Ch]
		test	edx, edx
		jb	short loc_45C348
		ja	short loc_45C3A2
		cmp	ecx, ebx
		jb	short loc_45C348

loc_45C3A2:				; CODE XREF: MiOffsetToProtos+2ACj
					; MiOffsetToProtos+2CAj ...
		sub	ecx, ebx
		mov	[edi], ecx
		sbb	edx, 0
		mov	[esp+88h+var_60], ecx
		mov	[edi+4], edx
		mov	eax, edx
		mov	esi, [esi+8]
		mov	ebx, [esi+1Ch]
		test	eax, eax
		ja	short loc_45C3A2
		jb	short loc_45C348
		cmp	ecx, ebx
		jnb	short loc_45C3A2
		jmp	short loc_45C348
; 

loc_45C3C4:				; CODE XREF: MiOffsetToProtos+1E4j
					; MiOffsetToProtos+1F0j ...
		mov	esi, [ebx+0A4h]
		mov	[esp+88h+var_64], ecx
		mov	ecx, [esp+88h+var_60]
		mov	[esp+88h+var_44], eax
		mov	eax, [esp+88h+var_48]
		and	eax, 3Fh
		shl	ecx, 6
		or	ecx, eax
		movzx	eax, cx
		mov	word ptr [esp+88h+var_48], cx
		test	esi, esi
		jnz	loc_5B0C59
		jmp	loc_5B0C74
; 

loc_45C3F7:				; CODE XREF: MiOffsetToProtos+1C7j
		add	eax, 1
		mov	[esp+88h+var_6C], eax
		adc	edx, 0
		jmp	loc_45C2BD
; 

loc_45C406:				; CODE XREF: MiOffsetToProtos+182j
		mov	dl, [esp+88h+var_79]
		mov	ecx, esi
		call	ExpWaitForSpinLockSharedAndAcquire
		jmp	loc_45C278
; 

loc_45C416:				; CODE XREF: MiOffsetToProtos+7Bj
		mov	dl, [esp+88h+var_79]
		mov	ecx, esi
		call	ExpWaitForSpinLockSharedAndAcquire
		jmp	loc_45C171
; 

loc_45C426:				; CODE XREF: MiOffsetToProtos+100j
					; MiOffsetToProtos+108j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
MiOffsetToProtos endp

; 
; START	OF FUNCTION CHUNK FOR MiOffsetToProtos

loc_45C431:				; CODE XREF: MiOffsetToProtos+39Bj
					; MiOffsetToProtos+154B7Fj
		mov	cx, [esi-18h]
		shr	cx, 6
		movzx	eax, cx
		xor	ecx, ecx
		or	ecx, [esi-14h]
		cdq
		mov	edx, [esi-10h]
		mov	[esp-4+arg_18],	ecx
		xor	ecx, ecx
		add	edx, [esp-4+arg_18]
		adc	ecx, eax
		add	edx, 0FFFFFFFFh
		adc	ecx, 0FFFFFFFFh
		cmp	word ptr [esi-16h], 10h
		jb	short loc_45C464
		add	edx, 1
		adc	ecx, 0

loc_45C464:				; CODE XREF: MiOffsetToProtos+36Cj
		cmp	[esp-4+arg_1C],	ecx
		ja	short loc_45C486
		mov	ecx, [esp-4+arg_24]
		jb	short loc_45C474
		cmp	ecx, edx
		ja	short loc_45C486

loc_45C474:				; CODE XREF: MiOffsetToProtos+37Ej
		cmp	[esp-4+arg_1C],	eax
		ja	short loc_45C492
		jb	short loc_45C482
		cmp	ecx, [esp-4+arg_18]
		jnb	short loc_45C492

loc_45C482:				; CODE XREF: MiOffsetToProtos+38Aj
		mov	esi, [esi]
		jmp	short loc_45C489
; 

loc_45C486:				; CODE XREF: MiOffsetToProtos+378j
					; MiOffsetToProtos+382j
		mov	esi, [esi+4]

loc_45C489:				; CODE XREF: MiOffsetToProtos+394j
		test	esi, esi
		jnz	short loc_45C431
		jmp	loc_5B0C74
; 

loc_45C492:				; CODE XREF: MiOffsetToProtos+388j
					; MiOffsetToProtos+390j
		test	esi, esi
		jz	loc_5B0C74
		add	esi, 0FFFFFFD8h
		cmp	[esp-4+arg_B], 21h
		mov	[ebx+0ACh], esi
		jz	loc_45C332
		lea	eax, [ebx+24h]
		push	eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [esp-4+arg_B]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_45C332
; END OF FUNCTION CHUNK	FOR MiOffsetToProtos
; 
		align 10h

; __stdcall CcMapAndRead(x, x, x, x)
_CcMapAndRead@16:			; CODE XREF: CcPinFileData+370p
					; CcPinFileData+5AEp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		xor	eax, eax
		mov	[esp+8], edx
		cmp	[ebp+8], al
		mov	edx, 1
		push	ebx
		mov	ebx, [ebp+0Ch]
		setnz	al
		dec	eax
		mov	byte ptr [esp+7], 0
		and	eax, 2
		push	esi
		mov	[esp+14h], eax
		lea	esi, [ecx+0FFFh]
		mov	eax, ebx
		and	ebx, 0FFFFF000h
		push	edi
		mov	edi, large fs:124h
		and	eax, 0FFFh
		add	esi, eax
		mov	[esp+0Eh], dl
		shr	esi, 0Ch
		mov	[ebp+0Ch], ebx
		mov	ecx, [edi+2F4h]
		movzx	eax, byte ptr [edi+308h]
		lea	ebx, [eax+ecx*4]
		test	esi, esi
		jz	loc_45C628
		lea	ecx, [ecx+0]

loc_45C540:				; CODE XREF: .text:0045C5BEj
		lea	ecx, [esi-1]
		mov	byte ptr [edi+308h], 1
		mov	[esp+10h], ecx
		cmp	ecx, [edi+2F4h]
		ja	loc_45C5F6

loc_45C55A:				; CODE XREF: .text:0045C601j
					; .text:0045C623j
		mov	eax, edx
		and	eax, [esp+14h]
		neg	eax
		sbb	eax, eax
		neg	eax
		cmp	dword ptr [esp+14h], 0
		jnz	loc_45C606
		mov	ecx, esi

loc_45C573:				; CODE XREF: .text:0045C614j
		mov	[esp+10h], ecx

loc_45C577:				; CODE XREF: .text:0045C609j
		or	eax, [esp+18h]
		lea	edx, [esp+0Eh]
		shl	ecx, 0Ch
		push	edx
		mov	[esp+20h], ecx
		mov	edx, ecx
		mov	ecx, [ebp+0Ch]
		push	eax
		call	_MmCheckCachedPageStates@16 ; MmCheckCachedPageStates(x,x,x,x)
		cmp	byte ptr [esp+0Eh], 0
		mov	ecx, eax
		jz	short loc_45C5EA

loc_45C59B:				; CODE XREF: .text:0045C5EEj
		test	ecx, ecx
		js	short loc_45C5F0
		mov	eax, [ebp+0Ch]
		xor	edx, edx
		add	eax, [esp+1Ch]
		sub	esi, [esp+10h]
		cmp	esi, 1
		mov	[ebp+0Ch], eax
		setz	dl
		lea	edx, ds:2[edx*2]
		test	esi, esi
		jnz	short loc_45C540

loc_45C5C0:				; CODE XREF: .text:0045C62Aj
		mov	dl, 1

loc_45C5C2:				; CODE XREF: .text:0045C5F4j
		mov	al, bl
		shr	ebx, 2
		and	al, 3
		mov	[edi+2F4h], ebx
		cmp	byte ptr [ebp+8], 0
		mov	[edi+308h], al
		jz	short loc_45C5DF
		test	ecx, ecx
		js	short loc_45C62C

loc_45C5DF:				; CODE XREF: .text:0045C5D9j
		pop	edi
		pop	esi
		mov	al, dl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_45C5EA:				; CODE XREF: .text:0045C599j
		cmp	byte ptr [ebp+8], 0
		jnz	short loc_45C59B

loc_45C5F0:				; CODE XREF: .text:0045C59Dj
		mov	dl, [esp+0Fh]
		jmp	short loc_45C5C2
; 

loc_45C5F6:				; CODE XREF: .text:0045C554j
		cmp	ecx, 0Fh
		ja	short loc_45C619
		mov	[edi+2F4h], ecx
		jmp	loc_45C55A
; 

loc_45C606:				; CODE XREF: .text:0045C56Bj
		cmp	edx, 2
		jz	loc_45C577
		mov	ecx, 1
		jmp	loc_45C573
; 

loc_45C619:				; CODE XREF: .text:0045C5F9j
		mov	dword ptr [edi+2F4h], 0Fh
		jmp	loc_45C55A
; 

loc_45C628:				; CODE XREF: .text:0045C537j
		xor	ecx, ecx
		jmp	short loc_45C5C0
; 

loc_45C62C:				; CODE XREF: .text:0045C5DDj
		push	ecx
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; 
		dw 0CCCCh
		align 10h

; __stdcall MmCheckCachedPageStates(x, x, x, x)
_MmCheckCachedPageStates@16:		; CODE XREF: CcFetchDataForRead(x,x,x,x,x,x,x,x)+84p
					; .text:0045C58Dp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 130h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+12Ch], eax
		mov	eax, [ebp+0Ch]
		mov	[esp+94h], eax
		xor	eax, eax
		mov	[esp+74h], eax
		mov	[esp+78h], eax
		mov	[esp+7Ch], eax
		mov	[esp+60h], eax
		mov	[esp+64h], eax
		mov	[esp+58h], eax
		mov	[esp+4Ch], eax
		mov	[esp+24h], eax
		push	esi
		mov	esi, ecx
		mov	byte ptr [esp+4Fh], 1
		mov	eax, esi
		mov	byte ptr [esp+0Bh], 21h
		shr	eax, 9
		lea	ecx, [edx-1]
		and	eax, offset loc_7FFFF8
		add	ecx, esi
		sub	eax, 40000000h
		shr	ecx, 9
		mov	[esp+20h], eax
		and	ecx, offset loc_7FFFF8
		shr	eax, 9
		sub	ecx, 40000000h
		and	eax, offset loc_7FFFF8
		mov	[esp+58h], ecx
		push	edi
		xor	edi, edi
		mov	[esp+3Ch], edi
		mov	edx, [eax-40000000h]
		mov	[esp+30h], edi
		mov	[esp+34h], edi
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[esp+0A0h], edx
		mov	[esp+0A4h], eax
		nop
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		shr	esi, 12h
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	eax, [eax+ecx*4]
		mov	ecx, dword_6D07D0
		shr	ecx, 12h
		mov	[esp+58h], eax
		and	ecx, 3FF8h
		mov	eax, esi
		sub	eax, ecx
		sar	eax, 3
		mov	ecx, dword_6D0BD4[eax*4]
		test	ecx, ecx
		jz	short loc_45C73F
		and	esi, 7
		lea	eax, [esi+esi*2]
		lea	ecx, [ecx+eax*8]

loc_45C73F:				; CODE XREF: .text:0045C734j
		mov	eax, [ecx+0Ch]
		test	al, 1
		jz	short loc_45C749
		and	eax, 0FFFFFFFEh

loc_45C749:				; CODE XREF: .text:0045C744j
		mov	edx, [esp+24h]
		mov	eax, [eax]
		mov	[esp+64h], eax
		cmp	edx, [esp+5Ch]
		ja	loc_45D31A
		lea	ecx, [ecx+0]

loc_45C760:				; CODE XREF: .text:0045D263j
		mov	ecx, [edx]
		xor	esi, esi
		mov	[esp+40h], esi
		nop
		mov	eax, [edx+4]
		mov	[esp+30h], ecx
		and	ecx, 1
		or	ecx, esi
		mov	[esp+34h], eax
		jz	short loc_45C7A8

loc_45C77B:				; CODE XREF: .text:0045CCD7j
		test	byte ptr [ebp+8], 4
		jz	loc_45DA42
		mov	dl, [esp+0Fh]
		cmp	dl, 21h
		jz	short loc_45C79A
		mov	ecx, edi
		call	MiUnlockProtoPoolPage
		mov	byte ptr [esp+0Fh], 21h

loc_45C79A:				; CODE XREF: .text:0045C78Cj
		mov	ecx, [esp+24h]
		call	_MiMarkPteDirty@4 ; MiMarkPteDirty(x)
		jmp	loc_45DA42
; 

loc_45C7A8:				; CODE XREF: .text:0045C779j
		cmp	byte ptr [esp+0Fh], 21h
		jz	loc_45C9C3
		mov	[esp+88h], esi
		lea	ecx, [edi+10h]
		lock bts dword ptr [ecx], 1Fh
		jnb	short loc_45C7EB
		lea	esi, [edi+10h]
		jmp	short loc_45C7D0
; 
		align 10h

loc_45C7D0:				; CODE XREF: .text:0045C7C7j
					; .text:0045C7DFj ...
		lea	ecx, [esp+88h]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_45C7D0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_45C7D0
		lea	ecx, [edi+10h]

loc_45C7EB:				; CODE XREF: .text:0045C7C2j
		mov	al, [edi+16h]
		and	al, 0DFh
		mov	[edi+16h], al
		movzx	eax, word ptr [edi+14h]
		test	ax, ax
		jz	loc_45DAD0
		add	eax, 0FFFFh
		test	dword ptr [edi+18h], 800000h
		mov	[edi+14h], ax
		jnz	loc_45C9A5
		mov	ecx, [ecx]
		mov	[esp+20h], ecx
		and	ecx, 3FFFFFFFh
		test	ax, ax
		jz	short loc_45C859
		cmp	ax, 1
		jnz	short loc_45C833
		test	ecx, ecx
		jnz	short loc_45C84F
		jmp	short loc_45C845
; 

loc_45C833:				; CODE XREF: .text:0045C82Bj
		cmp	ax, 2
		jnz	loc_45C9A5
		test	ecx, ecx
		jz	loc_45C9A5

loc_45C845:				; CODE XREF: .text:0045C831j
		test	byte ptr [edi+16h], 8
		jz	loc_45C9A5

loc_45C84F:				; CODE XREF: .text:0045C82Fj
		mov	dword ptr [esp+1Ch], 0
		jmp	short loc_45C861
; 

loc_45C859:				; CODE XREF: .text:0045C825j
		mov	dword ptr [esp+1Ch], 1

loc_45C861:				; CODE XREF: .text:0045C857j
		mov	eax, ds:_MmHighestUserAddress
		mov	edx, [edi+4]
		shr	eax, 9
		or	edx, 80000000h
		and	eax, offset loc_7FFFF8
		add	eax, 0C0000000h
		mov	[esp+44h], eax
		cmp	edx, eax
		ja	short loc_45C88C
		cmp	edx, 0C0000000h
		jnb	short loc_45C89D

loc_45C88C:				; CODE XREF: .text:0045C882j
		mov	al, [edi+17h]
		test	al, 20h
		jz	short loc_45C89D
		and	al, 0DFh
		mov	[edi+17h], al
		jmp	loc_45C97B
; 

loc_45C89D:				; CODE XREF: .text:0045C88Aj
					; .text:0045C891j
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_45C8B5
		mov	eax, [edi+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_45C8DA

loc_45C8B5:				; CODE XREF: .text:0045C8A6j
		cmp	edx, [esp+44h]
		ja	short loc_45C8C9
		cmp	edx, 0C0000000h
		jb	short loc_45C8C9
		test	byte ptr [edi+17h], 20h
		jnz	short loc_45C8DA

loc_45C8C9:				; CODE XREF: .text:0045C8B9j
					; .text:0045C8C1j
		cmp	dword ptr [esp+1Ch], 1
		jnz	short loc_45C8E9
		test	dword ptr [esp+20h], 40000000h
		jz	short loc_45C8E9

loc_45C8DA:				; CODE XREF: .text:0045C8B3j
					; .text:0045C8C7j
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit

loc_45C8E9:				; CODE XREF: .text:0045C8CEj
					; .text:0045C8D8j
		mov	eax, large fs:20h
		mov	edx, [eax+3D30h]
		add	eax, 3D30h
		mov	dword ptr [esp+18h], 1
		mov	[esp+20h], eax
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_45C912
		mov	eax, 1
		jmp	short loc_45C972
; 

loc_45C912:				; CODE XREF: .text:0045C909j
		lea	eax, [edx+1]
		cmp	eax, 100h
		ja	short loc_45C940
		lea	esp, [esp+0]

loc_45C920:				; CODE XREF: .text:0045C93Ej
		mov	esi, [esp+20h]
		lea	ecx, [edx+1]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_45C97B
		mov	edx, eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_45C940
		inc	eax
		cmp	eax, 100h
		jbe	short loc_45C920

loc_45C940:				; CODE XREF: .text:0045C91Aj
					; .text:0045C936j
		cmp	edx, 0C0h
		jle	short loc_45C96A
		cmp	edx, 0FFFFFFFFh
		jz	short loc_45C96A
		mov	edi, [esp+20h]
		mov	ecx, 0C0h
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	edi, [esp+3Ch]
		cmp	eax, edx
		lea	eax, [edx-0BFh]
		jz	short loc_45C96E

loc_45C96A:				; CODE XREF: .text:0045C946j
					; .text:0045C94Bj
		mov	eax, [esp+18h]

loc_45C96E:				; CODE XREF: .text:0045C968j
		test	eax, eax
		jz	short loc_45C97B

loc_45C972:				; CODE XREF: .text:0045C910j
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_45C97B:				; CODE XREF: .text:0045C898j
					; .text:0045C92Fj ...
		cmp	dword ptr [esp+1Ch], 0
		jz	short loc_45C9A5
		mov	ecx, edi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		lea	eax, [ecx+edx]
		mov	ecx, edi
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	MiPfnReferenceCountIsZero

loc_45C9A5:				; CODE XREF: .text:0045C810j
					; .text:0045C837j ...
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [esp+0Fh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+24h]
		mov	byte ptr [esp+0Fh], 21h

loc_45C9C3:				; CODE XREF: .text:0045C7ADj
		mov	al, byte_6D5EE0
		mov	edi, edx
		shr	edi, 9
		and	al, 7
		and	edi, offset loc_7FFFF8
		mov	[esp+20h], edi
		cmp	al, 4
		jbe	short loc_45C9EF
		cmp	al, 5
		jz	short loc_45C9EF
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+17h], al
		jmp	short loc_45CA49
; 

loc_45C9EF:				; CODE XREF: .text:0045C9DBj
					; .text:0045C9DFj
		mov	esi, offset unk_6D3C40
		cmp	al, 2
		jz	short loc_45C9FD
		mov	esi, offset dword_6D5F00

loc_45C9FD:				; CODE XREF: .text:0045C9F6j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[esp+17h], al
		jz	short loc_45CA1D
		mov	dl, al
		mov	ecx, esi
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	short loc_45CA3D
; 

loc_45CA1D:				; CODE XREF: .text:0045CA10j
		mov	edx, [esi]
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_45CA3D
		mov	dl, [esp+17h]
		mov	ecx, esi
		call	ExpWaitForSpinLockSharedAndAcquire

loc_45CA3D:				; CODE XREF: .text:0045CA1Bj
					; .text:0045CA30j
		add	esi, 4
		cmp	dword ptr [esi], 0
		jz	short loc_45CA49
		xor	eax, eax
		xchg	eax, [esi]

loc_45CA49:				; CODE XREF: .text:0045C9EDj
					; .text:0045CA43j
		lea	eax, [edi-600000h]
		xor	esi, esi
		sar	eax, 3
		mov	[esp+48h], eax
		lea	ecx, [eax+eax]
		mov	al, byte_6D5EE0
		mov	edi, ecx
		and	al, 7
		and	edi, 1Fh
		mov	[esp+1Ch], edi
		cmp	al, 2
		jb	short loc_45CACB
		mov	edx, [esp+20h]
		cmp	edx, 603018h
		jz	short loc_45CA8F
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_45CABF
		cmp	edx, 603010h
		jnz	short loc_45CABF

loc_45CA8F:				; CODE XREF: .text:0045CA79j
		cmp	al, 7
		jnz	short loc_45CA9D
		mov	dword ptr [esp+10h], offset unk_6D2E58
		jmp	short loc_45CAA9
; 

loc_45CA9D:				; CODE XREF: .text:0045CA91j
		cmp	al, 5
		jnz	short loc_45CABF
		mov	dword ptr [esp+10h], offset unk_6D2E54

loc_45CAA9:				; CODE XREF: .text:0045CA9Bj
		mov	eax, [esp+10h]
		mov	edi, 603018h
		sub	edi, edx
		sar	edi, 3
		add	edi, edi
		mov	[esp+1Ch], edi
		jmp	short loc_45CAEC
; 

loc_45CABF:				; CODE XREF: .text:0045CA85j
					; .text:0045CA8Dj ...
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	short loc_45CAE8
; 

loc_45CACB:				; CODE XREF: .text:0045CA6Dj
		shr	ecx, 5
		test	al, al
		jnz	short loc_45CAE1
		mov	eax, dword_6D5E8C
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h
		jmp	short loc_45CAE8
; 

loc_45CAE1:				; CODE XREF: .text:0045CAD0j
		lea	eax, unk_6D5FA0[ecx*4]

loc_45CAE8:				; CODE XREF: .text:0045CAC9j
					; .text:0045CADFj
		mov	[esp+10h], eax

loc_45CAEC:				; CODE XREF: .text:0045CABDj
		mov	edx, [eax]

loc_45CAEE:				; CODE XREF: .text:0045CB4Cj
					; .text:0045CB73j ...
		mov	ecx, edi
		mov	eax, 2
		shl	eax, cl
		jmp	short loc_45CB00
; 
		align 10h

loc_45CB00:				; CODE XREF: .text:0045CAF7j
					; .text:0045CBA1j
		mov	ecx, edi
		mov	[esp+18h], edx
		shr	dword ptr [esp+18h], cl
		mov	ecx, [esp+18h]
		mov	[esp+44h], eax
		test	cl, 1
		jz	short loc_45CB80
		test	cl, 2
		jz	short loc_45CB4E
		lea	esp, [esp+0]

loc_45CB20:				; CODE XREF: .text:0045CB4Aj
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jnz	short loc_45CB3A
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_45CB3A
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	short loc_45CB3C
; 

loc_45CB3A:				; CODE XREF: .text:0045CB27j
					; .text:0045CB30j
		pause

loc_45CB3C:				; CODE XREF: .text:0045CB38j
		mov	eax, [esp+10h]
		mov	ecx, edi
		mov	edx, [eax]
		mov	eax, edx
		shr	eax, cl
		test	al, 1
		jnz	short loc_45CB20
		jmp	short loc_45CAEE
; 

loc_45CB4E:				; CODE XREF: .text:0045CB1Aj
		mov	ecx, edi
		mov	eax, 2
		mov	edi, [esp+10h]
		shl	eax, cl
		or	eax, edx
		mov	[esp+44h], eax
		mov	ecx, eax
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	edi, [esp+1Ch]
		cmp	eax, edx
		mov	edx, [esp+44h]
		jz	loc_45CAEE
		mov	edx, eax
		jmp	loc_45CAEE
; 

loc_45CB80:				; CODE XREF: .text:0045CB15j
		mov	ecx, edx
		not	eax
		bts	ecx, edi
		mov	edi, [esp+10h]
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	edi, [esp+1Ch]
		cmp	eax, edx
		jz	short loc_45CBA6
		mov	edx, eax
		mov	eax, [esp+44h]
		jmp	loc_45CB00
; 

loc_45CBA6:				; CODE XREF: .text:0045CB99j
		mov	ecx, [esp+24h]
		mov	eax, [ecx]
		mov	[esp+18h], eax
		nop
		mov	eax, [ecx+4]
		mov	ecx, [esp+48h]
		mov	dl, byte_6D5EE0
		add	ecx, ecx
		mov	esi, [esp+40h]
		and	dl, 7
		mov	[esp+44h], eax
		mov	eax, ecx
		and	eax, 1Fh
		mov	[esp+1Ch], eax
		cmp	dl, 2
		jb	short loc_45CC37
		mov	edi, [esp+20h]
		cmp	edi, 603018h
		jz	short loc_45CBF9
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_45CC2B
		cmp	edi, 603010h
		jnz	short loc_45CC2B

loc_45CBF9:				; CODE XREF: .text:0045CBE3j
		cmp	dl, 7
		jnz	short loc_45CC08
		mov	dword ptr [esp+10h], offset unk_6D2E58
		jmp	short loc_45CC15
; 

loc_45CC08:				; CODE XREF: .text:0045CBFCj
		cmp	dl, 5
		jnz	short loc_45CC2B
		mov	dword ptr [esp+10h], offset unk_6D2E54

loc_45CC15:				; CODE XREF: .text:0045CC06j
		mov	ecx, [esp+10h]
		mov	eax, 603018h
		sub	eax, edi
		sar	eax, 3
		add	eax, eax
		mov	[esp+1Ch], eax
		jmp	short loc_45CC64
; 

loc_45CC2B:				; CODE XREF: .text:0045CBEFj
					; .text:0045CBF7j ...
		shr	ecx, 5
		lea	ecx, unk_6D2C54[ecx*4]
		jmp	short loc_45CC60
; 

loc_45CC37:				; CODE XREF: .text:0045CBD7j
		shr	ecx, 5
		test	dl, dl
		jnz	short loc_45CC59
		mov	eax, dword_6D5E8C
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h
		mov	[esp+10h], eax
		mov	eax, [esp+1Ch]
		mov	ecx, [esp+10h]
		jmp	short loc_45CC64
; 

loc_45CC59:				; CODE XREF: .text:0045CC3Cj
		lea	ecx, unk_6D5FA0[ecx*4]

loc_45CC60:				; CODE XREF: .text:0045CC35j
		mov	[esp+10h], ecx

loc_45CC64:				; CODE XREF: .text:0045CC29j
					; .text:0045CC57j
		mov	edx, [ecx]
		mov	edi, 2
		mov	ecx, eax
		shl	edi, cl
		mov	ecx, edx
		not	edi
		btr	ecx, eax
		mov	[esp+48h], edi
		and	ecx, edi
		mov	edi, [esp+10h]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	edi, [esp+3Ch]
		cmp	eax, edx
		jz	short loc_45CCB1
		mov	esi, [esp+1Ch]
		mov	edi, [esp+10h]

loc_45CC96:				; CODE XREF: .text:0045CCA7j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, esi
		and	ecx, [esp+48h]
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_45CC96
		mov	esi, [esp+40h]
		mov	edi, [esp+3Ch]

loc_45CCB1:				; CODE XREF: .text:0045CC8Cj
		mov	dl, [esp+17h]
		mov	ecx, offset unk_6D5E80
		call	MiUnlockWorkingSetShared
		mov	ecx, [esp+18h]
		mov	eax, ecx
		mov	edx, [esp+44h]
		and	eax, 1
		or	eax, 0
		mov	[esp+30h], ecx
		mov	[esp+34h], edx
		jnz	loc_45C77B
		mov	eax, ecx
		and	eax, 8
		or	eax, 0
		jz	short loc_45CCF0
		mov	esi, 1
		mov	[esp+40h], esi

loc_45CCF0:				; CODE XREF: .text:0045CCE5j
		mov	ecx, [esp+2Ch]
		mov	eax, edx
		mov	edx, dword_6D0700
		mov	[esp+2Ch], eax
		mov	[esp+1Ch], eax
		mov	eax, dword_6D0704
		mov	[esp+20h], eax
		mov	eax, edx
		or	eax, [esp+20h]
		jz	short loc_45CD4D
		mov	eax, [esp+18h]
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45CD3B
		mov	eax, [esp+20h]
		not	edx
		and	edx, [esp+18h]
		not	eax
		and	eax, [esp+1Ch]
		mov	[esp+2Ch], eax
		mov	[esp+48h], edx
		jmp	short loc_45CD51
; 

loc_45CD3B:				; CODE XREF: .text:0045CD1Fj
		mov	eax, [esp+18h]
		mov	[esp+48h], eax
		mov	eax, [esp+1Ch]
		mov	[esp+2Ch], eax
		jmp	short loc_45CD51
; 

loc_45CD4D:				; CODE XREF: .text:0045CD13j
		mov	eax, [esp+2Ch]

loc_45CD51:				; CODE XREF: .text:0045CD39j
					; .text:0045CD4Bj
		mov	dl, [esp+0Fh]
		and	ecx, 0FFFFF000h
		mov	[esp+48h], ecx
		cmp	dl, 21h
		jz	short loc_45CD81
		and	eax, 0FFFFF000h
		cmp	eax, ecx
		jz	loc_45CFEF
		mov	ecx, edi
		call	MiUnlockProtoPoolPage
		mov	ecx, [esp+48h]
		mov	byte ptr [esp+0Fh], 21h

loc_45CD81:				; CODE XREF: .text:0045CD62j
		mov	edi, [esp+2Ch]
		mov	eax, edi
		and	eax, 0FFFFF000h
		cmp	eax, ecx
		jz	short loc_45CDBE
		mov	ecx, [esp+54h]
		test	ecx, ecx
		jz	short loc_45CDBE
		push	dword ptr [esp+58h]
		lea	eax, ds:0[ecx*8]
		push	ecx
		mov	ecx, [esp+2Ch]
		lea	edx, [esp+0B8h]
		sub	ecx, eax
		call	_MiMakeSystemCacheRangeValid@16	; MiMakeSystemCacheRangeValid(x,x,x,x)
		mov	dword ptr [esp+54h], 0

loc_45CDBE:				; CODE XREF: .text:0045CD8Ej
					; .text:0045CD96j
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esp+18h], eax
		lea	esp, [esp+0]

loc_45CDD0:				; CODE XREF: .text:0045CE20j
					; .text:0045CE3Dj ...
		mov	edi, [eax-40000000h]
		mov	dword ptr [esp+70h], 0
		mov	dword ptr [esp+74h], 0
		nop
		mov	ecx, [eax-3FFFFFFCh]
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	loc_45D059
		mov	eax, edi
		and	eax, 200h
		or	eax, 0
		jnz	loc_45D059
		nop
		mov	eax, [esp+18h]
		shrd	edi, ecx, 0Ch
		and	edi, 1FFFFFFh
		cmp	edi, dword_6D07B0
		ja	short loc_45CDD0
		mov	eax, dword_6D35B8
		mov	edx, edi
		shr	edx, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		mov	eax, [esp+18h]
		jz	short loc_45CDD0
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		lea	esi, [eax+ecx*4]
		mov	cl, 2
		mov	[esp+3Ch], esi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		lea	ecx, [esi+10h]
		mov	[esp+17h], al
		mov	dword ptr [esp+70h], 0
		mov	[esp+20h], ecx
		lock bts dword ptr [ecx], 1Fh
		jnb	short loc_45CE9D
		mov	esi, ecx
		jmp	short loc_45CE80
; 
		align 10h

loc_45CE80:				; CODE XREF: .text:0045CE78j
					; .text:0045CE8Cj ...
		lea	ecx, [esp+70h]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_45CE80
		lock bts dword ptr [esi], 1Fh
		jb	short loc_45CE80
		mov	esi, [esp+3Ch]
		mov	ecx, [esp+20h]

loc_45CE9D:				; CODE XREF: .text:0045CE74j
		mov	eax, [esp+18h]
		mov	dword ptr [esp+48h], 0
		mov	dword ptr [esp+4Ch], 0
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[esp+48h], eax
		mov	[esp+0ACh], eax
		mov	eax, edx
		and	eax, 1
		mov	[esp+0A8h], edx
		or	eax, 0
		jz	loc_45D041
		mov	eax, edx
		and	eax, 200h
		or	eax, 0
		jnz	loc_45D041
		nop
		mov	eax, [esp+48h]
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		cmp	edi, edx
		jnz	loc_45D041
		mov	edx, 1
		mov	ecx, esi
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	cl, [esp+17h]
		cmp	cl, 21h
		jz	loc_45CFDE
		mov	edx, [esi+4]
		mov	al, [esi+16h]
		or	edx, 80000000h
		mov	[esp+0Fh], cl
		mov	byte ptr [esp+2Bh], 0
		mov	[esp+20h], edx
		test	al, 20h
		jz	short loc_45CF9D
		jmp	short loc_45CF40
; 
		align 10h

loc_45CF40:				; CODE XREF: .text:0045CF3Bj
					; .text:0045CF97j
		lea	eax, [esi+10h]
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, [esi+16h]
		xor	edi, edi
		mov	[esp+2Bh], al
		test	al, 20h
		jz	short loc_45CF87
		mov	edi, edi

loc_45CF60:				; CODE XREF: .text:0045CF85j
		inc	edi
		test	ds:_HvlLongSpinCountMask, edi
		jnz	short loc_45CF7A
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_45CF7A
		push	edi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	short loc_45CF7C
; 

loc_45CF7A:				; CODE XREF: .text:0045CF67j
					; .text:0045CF70j
		pause

loc_45CF7C:				; CODE XREF: .text:0045CF78j
		mov	al, [esi+16h]
		mov	[esp+2Bh], al
		test	al, 20h
		jnz	short loc_45CF60

loc_45CF87:				; CODE XREF: .text:0045CF5Cj
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	al, [esi+16h]
		mov	cl, [esp+17h]
		test	al, 20h
		jnz	short loc_45CF40
		mov	edx, [esp+20h]

loc_45CF9D:				; CODE XREF: .text:0045CF39j
		or	al, 20h
		lea	edi, [esi+10h]
		mov	[esi+16h], al
		test	dword ptr [edi], 40000000h
		jnz	short loc_45CFD4
		mov	edx, [edx]
		nop
		mov	ecx, [esp+20h]
		and	edx, 20h
		or	edx, 0
		jnz	short loc_45CFD4
		mov	[esp+8Ch], dl
		mov	edx, 1
		push	dword ptr [esp+8Ch]
		call	_MiWriteValidPteVolatile@12 ; MiWriteValidPteVolatile(x,x,x)

loc_45CFD4:				; CODE XREF: .text:0045CFABj
					; .text:0045CFBAj
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		jmp	short loc_45CFE7
; 

loc_45CFDE:				; CODE XREF: .text:0045CF18j
		mov	dl, 21h
		mov	ecx, esi
		call	_MiLockOwnedProtoPage@8	; MiLockOwnedProtoPage(x,x)

loc_45CFE7:				; CODE XREF: .text:0045CFDCj
		test	esi, esi
		jz	short loc_45D059
		mov	esi, [esp+40h]

loc_45CFEF:				; CODE XREF: .text:0045CD6Bj
		mov	eax, [esp+24h]
		mov	eax, [eax]
		and	eax, 1
		or	eax, 0
		jnz	loc_45DA42

loc_45D001:				; CODE XREF: .text:0045D0BCj
					; .text:0045D11Bj ...
		mov	eax, [esp+2Ch]
		mov	dword ptr [esp+48h], 0
		mov	dword ptr [esp+4Ch], 0
		mov	edx, [eax]
		mov	[esp+10h], edx
		nop
		mov	ecx, [eax+4]
		mov	eax, edx
		and	eax, 1
		mov	[esp+1Ch], ecx
		or	eax, 0
		jz	short loc_45D072
		nop
		mov	edi, edx
		mov	eax, ecx
		shrd	edi, eax, 0Ch
		and	edi, 1FFFFFFh
		jmp	loc_45D115
; 

loc_45D041:				; CODE XREF: .text:0045CED8j
					; .text:0045CEE8j ...
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	al, [esp+17h]
		cmp	al, 21h
		jz	short loc_45D059
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_45D059:				; CODE XREF: .text:0045CDF5j
					; .text:0045CE05j ...
		mov	edi, [esp+2Ch]
		push	0
		push	0
		push	edi
		push	2
		call	MmAccessFault
		mov	eax, [esp+18h]
		jmp	loc_45CDD0
; 

loc_45D072:				; CODE XREF: .text:0045D02Bj
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jnz	loc_45D1AF
		mov	eax, edx
		and	eax, 800h
		or	eax, 0
		jz	loc_45D1AF
		mov	eax, edx
		or	eax, ecx
		jz	short loc_45D0C6
		mov	edi, dword_6D0700
		mov	eax, edi
		mov	ecx, dword_6D0704
		or	eax, ecx
		mov	[esp+48h], ecx
		jz	short loc_45D0C2
		mov	eax, [esp+1Ch]
		mov	ecx, edx
		and	eax, [esp+48h]
		and	ecx, edi
		or	ecx, eax
		jz	loc_45D001

loc_45D0C2:				; CODE XREF: .text:0045D0ACj
		mov	ecx, [esp+1Ch]

loc_45D0C6:				; CODE XREF: .text:0045D096j
		mov	eax, dword_6D0700
		mov	edi, edx
		mov	esi, dword_6D0704
		mov	[esp+48h], eax
		or	eax, esi
		mov	[esp+44h], esi
		mov	esi, [esp+40h]
		mov	[esp+20h], ecx
		jz	short loc_45D10B
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45D105
		mov	edi, [esp+48h]
		mov	ecx, [esp+44h]
		not	edi
		not	ecx
		and	edi, edx
		and	ecx, [esp+20h]
		jmp	short loc_45D10B
; 

loc_45D105:				; CODE XREF: .text:0045D0EFj
		mov	ecx, [esp+20h]
		mov	edi, edx

loc_45D10B:				; CODE XREF: .text:0045D0E5j
					; .text:0045D103j
		shrd	edi, ecx, 0Ch
		and	edi, 3FFFFFFh

loc_45D115:				; CODE XREF: .text:0045D03Cj
		cmp	edi, dword_6D07B0
		ja	loc_45D001
		mov	eax, dword_6D35B8
		mov	edx, edi
		shr	edx, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_45D001
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		mov	dword ptr [esp+90h], 0
		lea	edx, [eax+ecx*4]
		mov	[esp+18h], edx
		lea	edi, [edx+10h]
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_45D18C
		jmp	short loc_45D170
; 
		align 10h

loc_45D170:				; CODE XREF: .text:0045D168j
					; .text:0045D17Fj ...
		lea	ecx, [esp+90h]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_45D170
		lock bts dword ptr [edi], 1Fh
		jb	short loc_45D170
		mov	edx, [esp+18h]

loc_45D18C:				; CODE XREF: .text:0045D166j
		mov	ecx, [esp+2Ch]
		mov	eax, [ecx]
		nop
		mov	ecx, [ecx+4]
		cmp	eax, [esp+10h]
		jnz	short loc_45D1A2
		cmp	ecx, [esp+1Ch]
		jz	short loc_45D1B5

loc_45D1A2:				; CODE XREF: .text:0045D19Aj
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		jmp	loc_45D001
; 

loc_45D1AF:				; CODE XREF: .text:0045D07Cj
					; .text:0045D08Cj
		xor	edx, edx
		mov	[esp+18h], edx

loc_45D1B5:				; CODE XREF: .text:0045D1A0j
		mov	eax, [esp+2Ch]
		mov	edi, [eax]
		mov	[esp+1Ch], edi
		nop
		mov	ecx, [eax+4]
		mov	[esp+10h], ecx
		mov	[esp+68h], edi
		mov	[esp+6Ch], ecx
		test	edx, edx
		jz	loc_45D5B6
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	short loc_45D212
		test	byte ptr [edx+17h], 40h
		mov	[esp+30h], edi
		lea	edi, [edx+10h]
		mov	[esp+34h], ecx
		jz	short loc_45D1FF
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		jmp	loc_45DA42
; 

loc_45D1FF:				; CODE XREF: .text:0045D1F0j
		mov	ecx, [esp+18h]
		mov	edx, 1
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		jmp	loc_45D599
; 

loc_45D212:				; CODE XREF: .text:0045D1DFj
		test	byte ptr [edx+16h], 20h
		jnz	loc_45D5A6
		test	byte ptr [edx+17h], 40h
		jnz	loc_45D5A6
		mov	edi, [esp+18h]
		xor	edx, edx
		mov	ecx, edi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		test	eax, eax
		jnz	loc_45D345
		xor	edx, edx
		mov	ecx, edi
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	dword ptr [esp+2Ch], 0

loc_45D257:				; CODE XREF: .text:0045DA6Fj
					; .text:0045DA8Bj
		mov	edi, [esp+3Ch]

loc_45D25B:				; CODE XREF: .text:0045D83Aj
					; .text:0045DACBj
		mov	edx, [esp+24h]
		cmp	edx, [esp+5Ch]
		jbe	loc_45C760
		cmp	byte ptr [esp+0Fh], 21h
		jz	loc_45D2F4
		mov	dword ptr [esp+98h], 0
		lea	esi, [edi+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_45D2A8
		lea	esp, [esp+0]

loc_45D290:				; CODE XREF: .text:0045D29Fj
					; .text:0045D2A6j
		lea	ecx, [esp+98h]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_45D290
		lock bts dword ptr [esi], 1Fh
		jb	short loc_45D290

loc_45D2A8:				; CODE XREF: .text:0045D287j
		mov	al, [edi+16h]
		mov	ecx, edi
		and	al, 0DFh
		mov	[edi+16h], al
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		test	eax, eax
		jz	short loc_45D2DE
		mov	ecx, edi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		lea	eax, [ecx+edx]
		mov	ecx, edi
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	MiPfnReferenceCountIsZero

loc_45D2DE:				; CODE XREF: .text:0045D2B9j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, [esp+0Fh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+24h]

loc_45D2F4:				; CODE XREF: .text:0045D26Ej
		mov	eax, [esp+54h]
		test	eax, eax
		jz	short loc_45D31A
		push	dword ptr [esp+58h]
		push	eax
		shl	eax, 3
		sub	edx, eax
		mov	[esp+2Ch], edx
		lea	edx, [esp+0B8h]
		mov	ecx, [esp+2Ch]
		call	_MiMakeSystemCacheRangeValid@16	; MiMakeSystemCacheRangeValid(x,x,x,x)

loc_45D31A:				; CODE XREF: .text:0045C757j
					; .text:0045D2FAj
		mov	eax, [esp+9Ch]
		test	eax, eax
		jz	short loc_45D32B
		mov	cl, [esp+53h]
		mov	[eax], cl

loc_45D32B:				; CODE XREF: .text:0045D323j
		mov	ecx, [esp+134h]
		mov	eax, [esp+60h]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_45D345:				; CODE XREF: .text:0045D235j
		mov	eax, [edi+4]
		inc	word ptr [edi+14h]
		or	eax, 80000000h
		mov	[esp+48h], eax
		mov	al, [edi+16h]
		and	al, 0FEh
		or	al, 6
		mov	[edi+16h], al
		mov	ecx, [edi+8]
		nop
		mov	eax, [edi+0Ch]
		shrd	ecx, eax, 5
		movzx	eax, byte ptr [edi+16h]
		and	ecx, 7
		shr	eax, 6
		mov	[esp+1Ch], ecx
		cmp	eax, 1
		jz	short loc_45D392
		test	eax, eax
		jnz	short loc_45D386
		or	ecx, 8
		jmp	short loc_45D38E
; 

loc_45D386:				; CODE XREF: .text:0045D37Fj
		cmp	eax, 2
		jnz	short loc_45D392
		or	ecx, 18h

loc_45D38E:				; CODE XREF: .text:0045D384j
		mov	[esp+1Ch], ecx

loc_45D392:				; CODE XREF: .text:0045D37Bj
					; .text:0045D389j
		mov	ecx, edi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		mov	eax, [esp+1Ch]
		add	edx, ecx
		sar	edx, 4
		mov	edi, edx
		mov	ecx, ds:_MmProtectToPteMask[eax*8]
		mov	eax, ds:dword_40B4DC[eax*8]
		and	ecx, 0E7Fh
		shr	edi, 1Fh
		and	eax, 0FFFFFFE0h
		add	edi, edx
		xor	edx, edx
		and	edi, 1FFFFFFh
		shld	edx, edi, 0Ch
		or	edx, eax
		shl	edi, 0Ch
		mov	eax, [esp+24h]
		or	edi, ecx
		add	eax, 40000000h
		mov	[esp+10h], edx
		or	edi, 21h
		cmp	eax, offset loc_7FFFFF
		ja	loc_45D4B8
		mov	eax, [esp+24h]
		mov	ecx, eax
		shl	ecx, 9
		add	eax, 3FA00000h
		mov	[esp+20h], ecx
		cmp	eax, 3FFFh
		ja	short loc_45D446
		mov	eax, [esp+24h]
		cmp	eax, 0C0603018h
		jnz	short loc_45D422
		or	edx, 80000000h
		jmp	short loc_45D428
; 

loc_45D422:				; CODE XREF: .text:0045D418j
		and	edx, 7FFFFFFFh

loc_45D428:				; CODE XREF: .text:0045D420j
		mov	ecx, eax
		mov	[esp+10h], edx
		call	_MiUserPdeOrAbove@4 ; MiUserPdeOrAbove(x)
		mov	edx, [esp+10h]
		mov	ecx, [esp+20h]
		test	eax, eax
		jz	short loc_45D446
		or	edi, 4
		mov	[esp+10h], edx

loc_45D446:				; CODE XREF: .text:0045D40Dj
					; .text:0045D43Dj
		mov	eax, ds:_MmHighestUserAddress
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	[esp+24h], eax
		ja	short loc_45D465
		or	edi, 4
		mov	[esp+10h], edx

loc_45D465:				; CODE XREF: .text:0045D45Cj
		cmp	ecx, dword_6D07D0
		jnb	short loc_45D476
		movzx	eax, byte ptr word_6D07B8+1
		jmp	short loc_45D4B4
; 

loc_45D476:				; CODE XREF: .text:0045D46Bj
		mov	eax, ecx
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_45D4C2
		cmp	al, 0Bh
		jz	short loc_45D4C2
		lea	eax, [ecx+40000000h]
		cmp	eax, offset loc_7FFFFF
		jbe	short loc_45D4C2
		cmp	ecx, dword_6D2E88
		jb	short loc_45D4AD
		movzx	eax, byte ptr word_6D07B8+1
		cmp	ecx, dword_6D2E8C
		jbe	short loc_45D4B4

loc_45D4AD:				; CODE XREF: .text:0045D49Cj
		movzx	eax, byte ptr word_6D07B8

loc_45D4B4:				; CODE XREF: .text:0045D474j
					; .text:0045D4ABj
		test	eax, eax
		jz	short loc_45D4C2

loc_45D4B8:				; CODE XREF: .text:0045D3F0j
		mov	[esp+10h], edx
		or	edi, 100h

loc_45D4C2:				; CODE XREF: .text:0045D483j
					; .text:0045D487j ...
		mov	al, byte ptr word_6D07B8
		and	edi, 0FFFFFEFFh
		and	al, 1
		mov	dword ptr [esp+1Ch], 0
		movzx	eax, al
		cdq
		mov	ecx, eax
		shld	edx, ecx, 8
		or	edx, [esp+10h]
		shl	ecx, 8
		or	ecx, edi
		cmp	dword_6D07D0, 0C0000000h
		mov	edi, [esp+48h]
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	edi, 0C0603000h
		jb	short loc_45D557
		cmp	edi, eax
		jnb	short loc_45D551
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_45D52D
		cmp	byte ptr word_6D07B8+1,	0
		mov	eax, 1
		jnz	short loc_45D559
		or	edx, 80000000h
		jmp	short loc_45D559
; 

loc_45D52D:				; CODE XREF: .text:0045D515j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, [esp+1Ch]
		jz	short loc_45D559
		or	edx, 80000000h
		jmp	short loc_45D559
; 

loc_45D551:				; CODE XREF: .text:0045D50Cj
		mov	eax, [esp+1Ch]
		jmp	short loc_45D559
; 

loc_45D557:				; CODE XREF: .text:0045D508j
		xor	eax, eax

loc_45D559:				; CODE XREF: .text:0045D523j
					; .text:0045D52Bj ...
		mov	[edi+4], edx
		nop
		mov	[edi], ecx
		test	eax, eax
		jz	short loc_45D56C
		push	edx
		push	ecx
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_45D56C:				; CODE XREF: .text:0045D561j
		mov	edi, [esp+18h]
		add	edi, 10h
		mov	eax, [edi]
		and	eax, 0C0000001h
		or	eax, 1
		mov	[edi], eax
		mov	eax, [esp+2Ch]
		mov	ecx, [eax]
		mov	[esp+1Ch], ecx
		nop
		mov	eax, [eax+4]
		mov	[esp+10h], eax
		mov	[esp+30h], ecx
		mov	[esp+34h], eax

loc_45D599:				; CODE XREF: .text:0045D20Dj
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		jmp	loc_45D8A7
; 

loc_45D5A6:				; CODE XREF: .text:0045D216j
					; .text:0045D220j
		lea	eax, [edx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	loc_45DA42
; 

loc_45D5B6:				; CODE XREF: .text:0045D1D1j
		mov	eax, dword_6D0704
		mov	edx, ecx
		mov	[esp+20h], ecx
		mov	ecx, dword_6D0700
		mov	[esp+18h], eax
		mov	eax, ecx
		or	eax, [esp+18h]
		mov	[esp+48h], edx
		jz	short loc_45D5FD
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45D5F5
		mov	edx, [esp+18h]
		not	ecx
		not	edx
		and	ecx, edi
		and	edx, [esp+48h]
		mov	[esp+48h], ecx
		jmp	short loc_45D5F9
; 

loc_45D5F5:				; CODE XREF: .text:0045D5DFj
		mov	[esp+48h], edi

loc_45D5F9:				; CODE XREF: .text:0045D5F3j
		mov	[esp+20h], edx

loc_45D5FD:				; CODE XREF: .text:0045D5D5j
		mov	eax, [esp+64h]
		mov	eax, [eax+1Ch]
		test	eax, 40000000h
		jnz	loc_45D99B
		test	byte ptr [ebp+8], 1
		jz	loc_45D99B
		shr	eax, 14h
		lea	edx, [esp+7Ch]
		and	eax, 3Fh
		xor	ecx, ecx
		push	eax
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	eax, [esp+7Ch]
		mov	ecx, 1
		lock xadd [eax], ecx
		inc	ecx
		mov	edx, [esp+80h]
		dec	ecx
		and	edx, ecx
		mov	ecx, offset _MiSystemPartition
		or	edx, [esp+84h]
		push	2
		call	MiGetPage
		mov	[esp+44h], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_45D99B
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		mov	[esp+18h], eax
		nop
		mov	eax, [esp+10h]
		mov	ecx, edi
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		mov	ecx, [esp+18h]
		mov	edx, eax
		mov	[esp+48h], eax
		call	_MiPfnZeroingNeeded@8 ;	MiPfnZeroingNeeded(x,x)
		test	eax, eax
		jz	short loc_45D6D8
		mov	dl, [esp+0Fh]
		cmp	dl, 21h
		jz	short loc_45D6B5
		mov	ecx, [esp+3Ch]
		call	MiUnlockProtoPoolPage
		mov	byte ptr [esp+0Fh], 21h

loc_45D6B5:				; CODE XREF: .text:0045D6A5j
		push	dword ptr [esp+48h]
		mov	ecx, [esp+48h]
		mov	edx, 1
		call	MiZeroPhysicalPage
		mov	ecx, [esp+18h]
		mov	eax, [ecx+0Ch]
		and	dword ptr [ecx+8], 0FFFFFC1Fh
		mov	[ecx+0Ch], eax

loc_45D6D8:				; CODE XREF: .text:0045D69Cj
		cmp	byte ptr [esp+0Fh], 21h
		jnz	loc_45D773
		mov	ecx, [esp+2Ch]
		lea	edx, [esp+0Fh]
		call	MiLockProtoPoolPage
		mov	edi, eax
		mov	[esp+3Ch], edi
		test	edi, edi
		jnz	short loc_45D72B
		lea	ebx, [ebx+0]

loc_45D700:				; CODE XREF: .text:0045D723j
		mov	esi, [esp+2Ch]
		push	0
		push	0
		push	esi
		push	2
		call	MmAccessFault
		lea	edx, [esp+0Fh]
		mov	ecx, esi
		call	MiLockProtoPoolPage
		mov	esi, eax
		mov	[esp+3Ch], esi
		test	esi, esi
		jz	short loc_45D700
		mov	esi, [esp+40h]
		mov	edi, eax

loc_45D72B:				; CODE XREF: .text:0045D6F8j
		mov	eax, [esp+2Ch]
		mov	ecx, [eax]
		mov	[esp+1Ch], ecx
		nop
		mov	eax, [eax+4]
		mov	[esp+10h], eax
		mov	[esp+6Ch], eax
		mov	eax, ecx
		and	eax, 1
		mov	[esp+68h], ecx
		or	eax, 0
		jnz	loc_45D819
		mov	eax, ecx
		and	eax, 800h
		or	eax, 0
		jz	short loc_45D76F
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jz	loc_45D819

loc_45D76F:				; CODE XREF: .text:0045D75Dj
		mov	edi, [esp+1Ch]

loc_45D773:				; CODE XREF: .text:0045D6DDj
		mov	edx, [esp+20h]
		mov	ecx, [esp+64h]
		push	1
		call	_MiReferenceControlAreaPfn@12 ;	MiReferenceControlAreaPfn(x,x,x)
		nop
		mov	eax, [esp+10h]
		mov	edx, [esp+2Ch]
		mov	ecx, [esp+18h]
		shrd	edi, eax, 5
		push	12h
		and	edi, 1Fh
		push	edi
		call	_MiInitializePfn@16 ; MiInitializePfn(x,x,x,x)
		mov	edx, [esp+44h]
		or	edi, 20000000h
		mov	ecx, [esp+24h]
		push	edi
		call	MiMakeValidPte
		mov	ecx, [esp+2Ch]
		mov	edi, eax
		mov	[esp+4Ch], edx
		mov	[esp+1Ch], edi
		mov	[esp+10h], edx
		mov	[esp+4Ch], edx
		mov	[esp+30h], edi
		mov	[esp+34h], edx
		mov	[esp+18h], edi
		mov	[esp+40h], edx
		mov	dword ptr [esp+44h], 0
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	loc_45D886
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_45D83F
		cmp	byte ptr word_6D07B8+1,	0
		mov	ecx, 1
		jnz	loc_45D888
		mov	eax, edi
		and	eax, ecx
		or	eax, 0
		jz	short loc_45D888
		or	edx, 80000000h
		jmp	short loc_45D890
; 

loc_45D819:				; CODE XREF: .text:0045D74Dj
					; .text:0045D769j
		mov	dl, [esp+0Fh]
		mov	ecx, edi
		call	MiUnlockProtoPoolPage
		mov	ecx, [esp+18h]
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		mov	byte ptr [esp+0Fh], 21h
		mov	dword ptr [esp+2Ch], 0
		jmp	loc_45D25B
; 

loc_45D83F:				; CODE XREF: .text:0045D7F4j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_45D870
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	short loc_45D870
		mov	eax, edx
		mov	[esp+18h], edi
		or	eax, 80000000h
		mov	[esp+40h], eax

loc_45D870:				; CODE XREF: .text:0045D855j
					; .text:0045D85Fj
		mov	ecx, [esp+30h]
		mov	eax, [esp+34h]
		mov	[esp+1Ch], ecx
		mov	ecx, [esp+44h]
		mov	[esp+10h], eax
		jmp	short loc_45D888
; 

loc_45D886:				; CODE XREF: .text:0045D7E7j
		xor	ecx, ecx

loc_45D888:				; CODE XREF: .text:0045D802j
					; .text:0045D80Fj ...
		mov	edx, [esp+40h]
		mov	edi, [esp+18h]

loc_45D890:				; CODE XREF: .text:0045D817j
		mov	eax, [esp+2Ch]
		mov	[eax+4], edx
		nop
		mov	[eax], edi
		test	ecx, ecx
		jz	short loc_45D8A7
		push	edx
		push	edi
		mov	ecx, eax
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_45D8A7:				; CODE XREF: .text:0045D5A1j
					; .text:0045D89Cj
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+17h], al
		mov	eax, [esp+58h]
		mov	dword ptr [esp+94h], 0
		lea	edi, [eax+10h]
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_45D8FA
		lea	esp, [esp+0]

loc_45D8D0:				; CODE XREF: .text:0045D8DFj
					; .text:0045D8E6j
		lea	ecx, [esp+94h]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_45D8D0
		lock bts dword ptr [edi], 1Fh
		jb	short loc_45D8D0
		mov	eax, [esp+34h]
		mov	edi, [esp+30h]
		mov	[esp+10h], eax
		mov	eax, [esp+58h]
		jmp	short loc_45D8FE
; 

loc_45D8FA:				; CODE XREF: .text:0045D8CAj
		mov	edi, [esp+1Ch]

loc_45D8FE:				; CODE XREF: .text:0045D8F8j
		lea	edx, [eax+10h]
		mov	eax, [edx]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 3FFFFFFFh
		xor	ecx, eax
		mov	eax, 7FFFFFFFh
		mov	[edx], ecx
		lock and [edx],	eax
		mov	cl, [esp+17h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_45D94F
		nop
		mov	eax, [esp+10h]
		mov	ecx, [esp+24h]
		shrd	edi, eax, 0Ch
		push	20000001h
		and	edi, 1FFFFFFh
		mov	edx, edi
		call	MiMakeValidPte
		mov	edi, eax
		mov	[esp+10h], edx
		jmp	short loc_45D976
; 

loc_45D94F:				; CODE XREF: .text:0045D926j
		test	byte ptr [ebp+8], 4
		jz	short loc_45D976
		mov	eax, edi
		and	eax, 42h
		or	eax, 0
		jnz	short loc_45D976
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jz	short loc_45D976
		mov	eax, [esp+10h]
		or	edi, 42h
		mov	[esp+10h], eax

loc_45D976:				; CODE XREF: .text:0045D94Dj
					; .text:0045D953j ...
		mov	al, byte ptr word_6D07B8
		and	edi, 0FFFFFEFBh
		and	al, 1
		movzx	eax, al
		cdq
		mov	ecx, eax
		shld	edx, ecx, 8
		shl	ecx, 8
		or	ecx, edi
		or	edx, [esp+10h]
		jmp	loc_45DA46
; 

loc_45D99B:				; CODE XREF: .text:0045D609j
					; .text:0045D613j ...
		test	byte ptr [ebp+8], 2
		jnz	loc_45DA3D
		mov	dl, [esp+0Fh]
		cmp	dl, 21h
		jz	short loc_45D9BC
		mov	ecx, [esp+3Ch]
		call	MiUnlockProtoPoolPage
		mov	byte ptr [esp+0Fh], 21h

loc_45D9BC:				; CODE XREF: .text:0045D9ACj
		mov	edi, large fs:124h
		mov	edx, [esp+24h]
		mov	ecx, [edi+2F4h]
		movzx	eax, byte ptr [edi+308h]
		mov	byte ptr [edi+308h], 1
		lea	eax, [eax+ecx*4]
		mov	[esp+48h], eax
		mov	eax, [esp+5Ch]
		sub	eax, edx
		sar	eax, 3
		cmp	eax, ecx
		jbe	short loc_45DA06
		cmp	eax, 0Fh
		jbe	short loc_45DA00
		mov	dword ptr [edi+2F4h], 0Fh
		jmp	short loc_45DA06
; 

loc_45DA00:				; CODE XREF: .text:0045D9F2j
		mov	[edi+2F4h], eax

loc_45DA06:				; CODE XREF: .text:0045D9EDj
					; .text:0045D9FEj
		push	0
		mov	eax, edx
		push	0
		shl	eax, 9
		push	eax
		push	0
		call	MmAccessFault
		test	eax, eax
		jns	short loc_45DA26
		cmp	dword ptr [esp+60h], 0
		jl	short loc_45DA26
		mov	[esp+60h], eax

loc_45DA26:				; CODE XREF: .text:0045DA19j
					; .text:0045DA20j
		mov	ecx, [esp+48h]
		mov	al, cl
		and	al, 3
		shr	ecx, 2
		mov	[edi+308h], al
		mov	[edi+2F4h], ecx

loc_45DA3D:				; CODE XREF: .text:0045D99Fj
		mov	byte ptr [esp+53h], 0

loc_45DA42:				; CODE XREF: .text:0045C77Fj
					; .text:0045C7A3j ...
		xor	ecx, ecx
		xor	edx, edx

loc_45DA46:				; CODE XREF: .text:0045D996j
		mov	[esp+30h], ecx
		mov	[esp+34h], edx
		add	dword ptr [esp+24h], 8
		cmp	esi, 2
		jb	short loc_45DA63
		and	ecx, 0FFFFFFFEh
		mov	[esp+34h], edx
		mov	[esp+30h], ecx

loc_45DA63:				; CODE XREF: .text:0045DA56j
		mov	esi, [esp+54h]
		test	esi, esi
		jnz	short loc_45DA75
		mov	eax, ecx
		or	eax, edx
		jz	loc_45D257

loc_45DA75:				; CODE XREF: .text:0045DA69j
		mov	[esp+esi*8+0B0h], ecx
		mov	[esp+esi*8+0B4h], edx
		inc	esi
		mov	[esp+54h], esi
		cmp	esi, 10h
		jnz	loc_45D257
		mov	dl, [esp+0Fh]
		mov	edi, [esp+3Ch]
		cmp	dl, 21h
		jz	short loc_45DAAA
		mov	ecx, edi
		call	MiUnlockProtoPoolPage
		mov	byte ptr [esp+0Fh], 21h

loc_45DAAA:				; CODE XREF: .text:0045DA9Cj
		mov	ecx, [esp+24h]
		lea	edx, [esp+0B0h]
		push	dword ptr [esp+58h]
		push	10h
		lea	ecx, [ecx-80h]
		call	_MiMakeSystemCacheRangeValid@16	; MiMakeSystemCacheRangeValid(x,x,x,x)
		mov	dword ptr [esp+54h], 0
		jmp	loc_45D25B
; 

loc_45DAD0:				; CODE XREF: .text:0045C7FAj
		mov	ecx, edi
		call	_MiBadRefCount@4 ; MiBadRefCount(x)
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcGetVirtualAddress proc near		; CODE XREF: CcMapAndCopyInToCache+398p
					; CcPinFileData+E6p ...

var_66		= byte ptr -66h
var_65		= byte ptr -65h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_52		= byte ptr -52h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005B0C95 SIZE 0000019D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	eax, ebx
		and	eax, 3FFFFh
		mov	[esp+58h+var_20], edx
		push	esi
		mov	esi, ecx
		mov	[esp+5Ch+var_1C], eax
		mov	edx, ebx
		mov	[esp+5Ch+var_34], esi
		sub	edx, eax
		mov	[esp+5Ch+var_30], 0
		mov	eax, [ebp+arg_10]
		mov	ecx, [esi+174h]
		sbb	eax, 0
		cmp	dword ptr [esi+6Ch], 0
		push	edi
		mov	[esp+60h+var_50], edx
		mov	[esp+60h+var_4C], eax
		mov	[esp+60h+var_18], edx
		mov	[esp+60h+var_14], eax
		mov	[esp+60h+var_48], ecx
		jz	loc_45DBCA
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	edi, offset dword_6CF3C0
		mov	[esp+60h+var_51], al
		jnz	loc_5B0C95
		mov	[esp+60h+var_40], 0
		lock bts dword ptr [edi], 1Fh
		jb	loc_45DEE4

loc_45DB6D:				; CODE XREF: CcGetVirtualAddress+411j
		mov	edx, dword_6CF3C0
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5B0CA3
		mov	ecx, [esp+60h+var_14]
		mov	[esp+60h+var_4C], ecx

loc_45DB8D:				; CODE XREF: CcGetVirtualAddress+153201j
		mov	eax, [esp+60h+var_18]
		mov	[esp+60h+var_50], eax

loc_45DB95:				; CODE XREF: CcGetVirtualAddress+1531BEj
		test	ds:byte_70EFC6,	1
		jnz	loc_5B0CE6
		mov	dword_6CF3C0, 0

loc_45DBAC:				; CODE XREF: CcGetVirtualAddress+153220j
		mov	cl, [esp+60h+var_51]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, dword_6D4EA4
		mov	ecx, [esp+60h+var_48]
		mov	eax, [eax+4]
		cmp	ecx, eax
		jnz	loc_5B0D05

loc_45DBCA:				; CODE XREF: CcGetVirtualAddress+56j
		mov	eax, [esi+60h]
		mov	edx, 0
		and	eax, 200h
		mov	edi, 1
		setnz	dl
		mov	[esp+60h+var_24], edx
		test	eax, eax
		jz	loc_45DDCB

loc_45DBEB:				; CODE XREF: CcGetVirtualAddress+2EFj
		cmp	_CcNumberOfFreeVacbs, 80h
		mov	[esp+60h+var_44], edi
		jb	loc_5B0D1A

loc_45DBFF:				; CODE XREF: CcGetVirtualAddress+307j
					; CcGetVirtualAddress+153244j ...
		mov	edi, [esp+60h+var_50]

loc_45DC03:				; CODE XREF: CcGetVirtualAddress+1532F5j
		mov	eax, [ebp+arg_10]
		cmp	eax, [esi+1Ch]
		jl	short loc_45DC1A
		jg	loc_5B0DEF
		cmp	ebx, [esi+18h]
		ja	loc_5B0DEF

loc_45DC1A:				; CODE XREF: CcGetVirtualAddress+129j
		lea	ecx, [esi+48h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		cmp	[ebp+arg_8], 0
		jnz	short loc_45DC69
		mov	ecx, [esi+60h]
		mov	eax, ecx
		and	eax, 800200h
		cmp	eax, 200h
		jz	short loc_45DC69
		test	ecx, 40000000h
		jnz	short loc_45DC69
		mov	eax, edi
		and	eax, 0FFFFFh
		or	eax, 0
		jnz	short loc_45DC69
		mov	eax, [esp+60h+var_4C]
		test	eax, eax
		jl	short loc_45DC69
		jg	loc_45DE87
		cmp	edi, 100000h
		jnb	loc_45DE87

loc_45DC69:				; CODE XREF: CcGetVirtualAddress+148j
					; CcGetVirtualAddress+159j ...
		mov	[esp+60h+var_30], 1

loc_45DC71:				; CODE XREF: CcGetVirtualAddress+3ADj
					; CcGetVirtualAddress+3BFj
		mov	eax, [esi+1Ch]
		mov	ecx, [esi+40h]
		mov	edi, [esi+18h]
		mov	[esp+60h+var_2C], eax
		mov	[esp+60h+var_28], ecx
		test	eax, eax
		jl	loc_45DDC1
		jg	short loc_45DC98
		cmp	edi, 2000000h
		jbe	loc_45DDC1

loc_45DC98:				; CODE XREF: CcGetVirtualAddress+1AAj
		mov	edx, [ebp+arg_10]
		mov	ecx, 19h
		mov	[esp+60h+var_3C], ebx
		xor	ebx, ebx
		mov	[esp+60h+var_48], edx
		lea	ebx, [ebx+0]

loc_45DCB0:				; CODE XREF: CcGetVirtualAddress+1F4j
					; CcGetVirtualAddress+1F8j
		mov	esi, ecx
		mov	eax, 1
		add	ecx, 7
		mov	[esp+60h+var_38], esi
		xor	edx, edx
		mov	[esp+60h+var_40], ecx
		inc	ebx
		call	__allshl
		mov	ecx, [esp+60h+var_40]
		cmp	[esp+60h+var_2C], edx
		jl	short loc_45DCDA
		jg	short loc_45DCB0
		cmp	edi, eax
		ja	short loc_45DCB0

loc_45DCDA:				; CODE XREF: CcGetVirtualAddress+1F2j
		mov	edx, [ebp+arg_10]
		mov	ecx, esi
		mov	[esp+60h+var_2C], ebx
		mov	ebx, [ebp+arg_C]
		mov	eax, ebx
		call	__allshr
		mov	edi, [esp+60h+var_28]
		mov	esi, [esp+60h+var_34]
		mov	edi, [edi+eax*4]
		test	edi, edi
		jz	loc_45DDF2
		mov	ebx, [esp+60h+var_2C]

loc_45DD04:				; CODE XREF: CcGetVirtualAddress+268j
		test	ebx, ebx
		jz	short loc_45DD4A
		mov	esi, [esp+60h+var_38]
		mov	eax, 1
		xor	edx, edx
		mov	ecx, esi
		dec	ebx
		call	__allshl
		mov	ecx, [esp+60h+var_3C]
		sub	eax, 1
		sbb	edx, 0
		and	ecx, eax
		and	[esp+60h+var_48], edx
		sub	esi, 7
		mov	edx, [esp+60h+var_48]
		mov	eax, ecx
		mov	[esp+60h+var_3C], ecx
		mov	ecx, esi
		mov	[esp+60h+var_38], esi
		call	__allshr
		mov	edi, [edi+eax*4]
		test	edi, edi
		jnz	short loc_45DD04

loc_45DD4A:				; CODE XREF: CcGetVirtualAddress+226j
		mov	esi, [esp+60h+var_34]
		mov	ebx, [ebp+arg_C]

loc_45DD51:				; CODE XREF: CcGetVirtualAddress+2E9j
		test	edi, edi
		jz	loc_45DDF2
		mov	edx, [edi+4]
		mov	eax, 1
		lock xadd [edi+8], eax
		inc	eax
		movzx	eax, ax
		mov	ecx, eax
		test	ax, ax
		jz	loc_5B0DDA
		cmp	ecx, 1
		jnz	short loc_45DD81
		lock inc dword ptr [edx+180h]

loc_45DD81:				; CODE XREF: CcGetVirtualAddress+298j
		xor	edx, edx
		lea	ecx, [esi+48h]
		call	ExReleasePushLockEx

loc_45DD8B:				; CODE XREF: CcGetVirtualAddress+3A2j
		mov	eax, [esp+60h+var_50]

loc_45DD8F:				; CODE XREF: CcGetVirtualAddress+344j
		mov	ecx, [esp+60h+var_4C]

loc_45DD93:				; CODE XREF: CcGetVirtualAddress+359j
					; CcGetVirtualAddress+361j ...
		cmp	[esp+60h+var_30], 0
		jz	loc_45DEA4

loc_45DD9E:				; CODE XREF: CcGetVirtualAddress+3FFj
					; CcGetVirtualAddress+435j ...
		mov	eax, [esp+60h+var_20]
		mov	ecx, 40000h
		sub	ecx, [esp+60h+var_1C]
		mov	[eax], edi
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	eax, [edi]
		add	eax, [esp+60h+var_1C]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_45DDC1:				; CODE XREF: CcGetVirtualAddress+1A4j
					; CcGetVirtualAddress+1B2j
		mov	eax, ebx
		shr	eax, 12h
		mov	edi, [ecx+eax*4]
		jmp	short loc_45DD51
; 

loc_45DDCB:				; CODE XREF: CcGetVirtualAddress+105j
		cmp	[ebp+arg_4], 0
		jnz	loc_45DBEB
		cmp	_CcNumberOfFreeVacbs, 80h
		mov	[esp+60h+var_44], 0
		jnb	loc_45DBFF
		jmp	loc_5B0D2A
; 

loc_45DDF2:				; CODE XREF: CcGetVirtualAddress+21Aj
					; CcGetVirtualAddress+273j
		xor	edx, edx
		lea	ecx, [esi+48h]
		call	ExReleasePushLockEx
		push	[ebp+arg_10]
		mov	edx, [esp+64h+var_24]
		mov	ecx, esi
		push	ebx
		push	[esp+68h+var_44]
		call	CcGetVacbMiss
		mov	ecx, [esi+60h]
		mov	edi, eax
		mov	eax, [esp+60h+var_50]
		and	ecx, 8000200h
		cmp	ecx, 200h
		jnz	loc_45DD8F
		mov	ecx, eax
		and	ecx, 0FFFFFh
		or	ecx, 0
		mov	ecx, [esp+60h+var_4C]
		jnz	loc_45DD93
		test	ecx, ecx
		jl	loc_45DD93
		jg	short loc_45DE54
		cmp	eax, 100000h
		jb	loc_45DD93

loc_45DE54:				; CODE XREF: CcGetVirtualAddress+367j
		add	eax, 0FFF00000h
		lea	edx, [esp+60h+var_18]
		push	0
		adc	ecx, 0FFFFFFFFh
		mov	[esp+64h+var_50], eax
		push	0
		push	1
		mov	[esp+6Ch+var_4C], ecx
		mov	[esp+6Ch+var_14], ecx
		mov	ecx, esi
		push	100000h
		mov	[esp+70h+var_18], eax
		call	CcUnmapVacbArray
		jmp	loc_45DD8B
; 

loc_45DE87:				; CODE XREF: CcGetVirtualAddress+177j
					; CcGetVirtualAddress+183j
		cmp	edi, [esi+0D8h]
		jnz	loc_45DC71
		cmp	eax, [esi+0DCh]
		jz	loc_45DC69
		jmp	loc_45DC71
; 

loc_45DEA4:				; CODE XREF: CcGetVirtualAddress+2B8j
		test	dword ptr [esi+60h], (offset loc_7FFFFF+1)
		jnz	short loc_45DF1A
		mov	edx, _CcUnmapBehindLength
		test	ecx, ecx
		jl	short loc_45DEBD
		jg	short loc_45DEF6
		cmp	eax, edx
		jnb	short loc_45DEF6

loc_45DEBD:				; CODE XREF: CcGetVirtualAddress+3D5j
		mov	[esp+60h+var_10], 0
		lea	edx, [esp+60h+var_10]
		mov	[esp+60h+var_C], 0

loc_45DED1:				; CODE XREF: CcGetVirtualAddress+45Bj
		push	0
		push	0
		push	1
		push	eax
		mov	ecx, esi
		call	CcUnmapVacbArray
		jmp	loc_45DD9E
; 

loc_45DEE4:				; CODE XREF: CcGetVirtualAddress+87j
		mov	dl, al
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[esp+60h+var_40], eax
		jmp	loc_45DB6D
; 

loc_45DEF6:				; CODE XREF: CcGetVirtualAddress+3D7j
					; CcGetVirtualAddress+3DBj
		push	0
		sub	eax, edx
		push	0
		sbb	ecx, 0
		mov	[esp+68h+var_18], eax
		push	1
		mov	[esp+6Ch+var_14], ecx
		mov	ecx, esi
		push	edx
		lea	edx, [esp+70h+var_18]
		call	CcUnmapVacbArray
		jmp	loc_45DD9E
; 

loc_45DF1A:				; CODE XREF: CcGetVirtualAddress+3CBj
		test	ecx, ecx
		jl	short loc_45DF27
		jg	short loc_45DF3D
		cmp	eax, (offset loc_83FFFB+5)
		jnb	short loc_45DF3D

loc_45DF27:				; CODE XREF: CcGetVirtualAddress+43Cj
		mov	[esp+60h+var_8], 40000h
		lea	edx, [esp+60h+var_8]
		mov	[esp+60h+var_4], 0
		jmp	short loc_45DED1
; 

loc_45DF3D:				; CODE XREF: CcGetVirtualAddress+43Ej
					; CcGetVirtualAddress+445j
		push	0
		add	eax, 0FF800000h
		lea	edx, [esp+64h+var_18]
		push	0
		adc	ecx, 0FFFFFFFFh
		mov	[esp+68h+var_18], eax
		push	1
		mov	[esp+6Ch+var_14], ecx
		mov	ecx, esi
		push	(offset	loc_7FFFFF+1)
		call	CcUnmapVacbArray
		jmp	loc_45DD9E
CcGetVirtualAddress endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall CcCopyBytesToUserBuffer(void *,int,size_t,char)
CcCopyBytesToUserBuffer	proc near	; CODE XREF: CcMapAndCopyFromCache+DCp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005B0E32 SIZE 00000017 BYTES
; FUNCTION CHUNK AT 005B0E85 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1108
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	ebx, edx
		mov	eax, ecx
		mov	[ebp+var_20], eax
		xor	edi, edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_2C], edi
		xor	edx, edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_24], edx
		mov	cl, [ebp+arg_4]
		mov	esi, [ebp+arg_0]
		test	cl, cl
		jnz	loc_5B0E05
		lea	ebx, [ebx+0]

loc_45DFD0:				; CODE XREF: CcCopyBytesToUserBuffer+A9j
					; CcGetVirtualAddress+15334Dj ...
		test	esi, esi
		jz	short loc_45E01B
		cmp	esi, 40000h
		jnb	short loc_45E03E
		mov	edi, esi

loc_45DFDE:				; CODE XREF: CcCopyBytesToUserBuffer+D3j
		test	cl, cl
		jnz	loc_5B0E32
		mov	[ebp+var_4], 0
		push	edi		; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh

loc_45DFFF:				; CODE XREF: CcCopyBytesToUserBuffer+152ECAj
		sub	esi, edi
		mov	eax, [ebp+var_20]
		add	eax, edi
		mov	[ebp+var_20], eax
		mov	cl, [ebp+arg_4]
		mov	edx, [ebp+var_1C]
		test	cl, cl
		jnz	loc_5B0E3F
		add	ebx, edi
		jmp	short loc_45DFD0
; 

loc_45E01B:				; CODE XREF: CcCopyBytesToUserBuffer+62j
		xor	edi, edi

loc_45E01D:				; CODE XREF: CcGetVirtualAddress+153342j
					; sub_5B0E55+2Bj
		mov	esi, [ebp+var_2C]
		test	esi, esi
		jnz	loc_5B0E85

loc_45E028:				; CODE XREF: CcCopyBytesToUserBuffer+152F21j
		mov	eax, edi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_45E03E:				; CODE XREF: CcCopyBytesToUserBuffer+6Aj
		mov	edi, 40000h
		jmp	short loc_45DFDE
CcCopyBytesToUserBuffer	endp

; 
		align 10h

; __stdcall MiResolveTransitionFault(x,	x, x, x, x)
_MiResolveTransitionFault@20:		; CODE XREF: MiDispatchFault+385p
					; MiResolveProtoPteFault(x,x,x)+EE1p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 50h
		mov	eax, ecx
		mov	dword ptr [esp+2Ch], 0
		mov	[esp+10h], eax
		push	esi
		mov	esi, edx
		mov	dword ptr [esp+2Ch], 0
		lea	ecx, [eax+14h]
		mov	[esp+10h], esi
		mov	eax, [eax+8]
		mov	[esp+18h], eax
		mov	eax, [ebp+10h]
		mov	[esp+4Ch], ecx
		mov	ecx, [ecx]
		push	edi
		mov	edi, [esi]
		mov	[esp+54h], ecx
		mov	dword ptr [eax], 0
		nop
		cmp	dword ptr [ebp+8], 0
		mov	edx, [esi+4]
		mov	[esp+10h], edx
		jnz	loc_45E222
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jz	loc_45E1E6
		lea	ebx, [ebx+0]

loc_45E0C0:				; CODE XREF: .text:0045E1E0j
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jnz	loc_45E1CC
		mov	eax, edi
		or	eax, edx
		jz	short loc_45E0F8
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edx, dword_6D0704
		or	eax, edx
		jz	short loc_45E0F4
		and	edx, [esp+10h]
		and	ecx, edi
		or	ecx, edx
		jz	loc_45E1CC

loc_45E0F4:				; CODE XREF: .text:0045E0E4j
		mov	edx, [esp+10h]

loc_45E0F8:				; CODE XREF: .text:0045E0D2j
		mov	eax, dword_6D0700
		mov	ecx, edx
		mov	edx, dword_6D0704
		mov	esi, edi
		mov	[esp+3Ch], eax
		or	eax, edx
		mov	[esp+28h], edx
		mov	edx, edi
		mov	[esp+40h], esi
		mov	[esp+2Ch], ecx
		jz	short loc_45E141
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45E13B
		mov	esi, [esp+3Ch]
		mov	ecx, [esp+28h]
		not	esi
		not	ecx
		and	esi, edx
		and	ecx, [esp+2Ch]
		jmp	short loc_45E141
; 

loc_45E13B:				; CODE XREF: .text:0045E125j
		mov	ecx, [esp+2Ch]
		mov	esi, edx

loc_45E141:				; CODE XREF: .text:0045E11Bj
					; .text:0045E139j
		shrd	esi, ecx, 0Ch
		and	esi, 3FFFFFFh
		cmp	esi, dword_6D07B0
		ja	short loc_45E1C8
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_45E1C8
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		mov	dword ptr [esp+44h], 0
		lea	edx, [eax+ecx*4]
		mov	[esp+0Ch], edx
		lea	esi, [edx+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_45E1AC

loc_45E193:				; CODE XREF: .text:0045E19Fj
					; .text:0045E1A6j
		lea	ecx, [esp+44h]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_45E193
		lock bts dword ptr [esi], 1Fh
		jb	short loc_45E193
		mov	edx, [esp+0Ch]

loc_45E1AC:				; CODE XREF: .text:0045E191j
		mov	ecx, [esp+14h]
		mov	eax, [ecx]
		nop
		mov	ecx, [ecx+4]
		cmp	eax, edi
		jnz	short loc_45E1C0
		cmp	ecx, [esp+10h]
		jz	short loc_45E1F3

loc_45E1C0:				; CODE XREF: .text:0045E1B8j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax

loc_45E1C8:				; CODE XREF: .text:0045E151j
					; .text:0045E16Aj
		mov	esi, [esp+14h]

loc_45E1CC:				; CODE XREF: .text:0045E0C8j
					; .text:0045E0EEj
		mov	edi, [esi]
		nop
		mov	edx, [esi+4]
		mov	eax, edi
		and	eax, 800h
		mov	[esp+10h], edx
		or	eax, 0
		jnz	loc_45E0C0

loc_45E1E6:				; CODE XREF: .text:0045E0B4j
		mov	eax, 0C0000434h
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_45E1F3:				; CODE XREF: .text:0045E1BEj
		mov	ecx, [edx+4]
		mov	eax, ecx
		mov	esi, [esp+14h]
		or	eax, 80000000h
		cmp	eax, esi
		jz	short loc_45E212
		test	dword ptr [edx+18h], 800000h
		jz	loc_45EA48

loc_45E212:				; CODE XREF: .text:0045E203j
		mov	edi, [esi]
		nop
		mov	edx, [esi+4]
		mov	ecx, [esp+0Ch]
		mov	[esp+10h], edx
		jmp	short loc_45E27C
; 

loc_45E222:				; CODE XREF: .text:0045E0A4j
		mov	eax, dword_6D0700
		mov	ecx, edx
		mov	[esp+2Ch], eax
		mov	eax, dword_6D0704
		mov	[esp+28h], eax
		mov	eax, [esp+2Ch]
		or	eax, [esp+28h]
		mov	eax, edi
		jz	short loc_45E25E
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45E25C
		mov	eax, [esp+2Ch]
		mov	ecx, [esp+28h]
		not	eax
		not	ecx
		and	eax, edi
		and	ecx, edx
		jmp	short loc_45E25E
; 

loc_45E25C:				; CODE XREF: .text:0045E248j
		mov	eax, edi

loc_45E25E:				; CODE XREF: .text:0045E240j
					; .text:0045E25Aj
		shrd	eax, ecx, 0Ch
		and	eax, 3FFFFFFh
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+ecx*4]
		mov	[esp+0Ch], ecx

loc_45E27C:				; CODE XREF: .text:0045E220j
		test	byte ptr [ecx+17h], 10h
		jz	short loc_45E28C
		mov	esi, 0C0000709h
		jmp	loc_45E31D
; 

loc_45E28C:				; CODE XREF: .text:0045E280j
		mov	eax, [esp+1Ch]
		and	eax, 1
		mov	[esp+40h], eax
		jz	short loc_45E2B6
		mov	eax, [esp+1Ch]
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		jnz	short loc_45E2B6
		mov	edx, [eax+28h]
		push	0
		and	edx, 7
		call	_MiUpdatePfnPriority@12	; MiUpdatePfnPriority(x,x,x)
		xor	esi, esi
		jmp	short loc_45E319
; 

loc_45E2B6:				; CODE XREF: .text:0045E297j
					; .text:0045E2A3j
		inc	large dword ptr	fs:3E20h
		mov	al, [ecx+16h]
		mov	[esp+0Bh], al
		test	al, 8
		jz	short loc_45E342
		test	ds:_MiFlags, 40000h
		jz	short loc_45E2F0
		mov	eax, [esp+0Ch]
		mov	ecx, [ecx+8]
		mov	eax, [eax+0Ch]
		shrd	ecx, eax, 5
		test	cl, 1Fh
		jnz	short loc_45E2EC
		test	cl, 2
		jnz	short loc_45E309

loc_45E2EC:				; CODE XREF: .text:0045E2E5j
		mov	ecx, [esp+0Ch]

loc_45E2F0:				; CODE XREF: .text:0045E2D2j
		cmp	dword ptr [esp+40h], 0
		jz	short loc_45E342
		mov	eax, [esp+1Ch]
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	5
		jnz	short loc_45E342
		test	byte ptr [eax+1Ch], 20h
		jz	short loc_45E342

loc_45E309:				; CODE XREF: .text:0045E2EAj
		mov	eax, [esp+18h]
		mov	esi, 0C0000017h
		or	dword ptr [eax+24h], 80h

loc_45E319:				; CODE XREF: .text:0045E2B4j
		mov	ecx, [esp+0Ch]

loc_45E31D:				; CODE XREF: .text:0045E287j
		lea	edx, [ecx+10h]
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		mov	eax, [ebp+8]
		test	eax, eax
		jz	short loc_45E338
		mov	dl, 21h
		mov	ecx, eax
		call	MiUnlockProtoPoolPage

loc_45E338:				; CODE XREF: .text:0045E32Dj
		mov	eax, esi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_45E342:				; CODE XREF: .text:0045E2C6j
					; .text:0045E2F5j ...
		test	byte ptr [esp+0Bh], 20h
		jz	loc_45E415
		lea	eax, [esp+34h]
		mov	edx, esi
		push	eax
		push	dword ptr [ebp+10h]
		push	ecx
		push	dword ptr [ebp+8]
		mov	ecx, [esp+28h]
		call	_MiHandleCollidedFault@24 ; MiHandleCollidedFault(x,x,x,x,x,x)
		mov	ecx, [esp+34h]
		test	ecx, ecx
		jz	loc_45E927
		cmp	ecx, 1
		jz	loc_45E927
		test	eax, eax
		js	loc_45E927

loc_45E381:				; CODE XREF: .text:0045E446j
		mov	edx, [esp+0Ch]

loc_45E385:				; CODE XREF: .text:0045E450j
		mov	eax, [ebp+0Ch]
		mov	[esp+20h], eax
		mov	eax, [esp+18h]
		mov	eax, [eax+8]
		test	al, 1
		jz	short loc_45E3BD
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	4
		jnz	short loc_45E3BD
		mov	ecx, [esi]
		mov	edi, 0FFFFFC9Fh
		or	eax, 0FFFFFFFFh
		and	ecx, edi
		mov	[esp+10h], eax
		or	ecx, 80h
		mov	eax, [esi+4]
		mov	[esi], ecx
		mov	[esi+4], eax

loc_45E3BD:				; CODE XREF: .text:0045E395j
					; .text:0045E39Dj
		mov	eax, [esp+10h]
		shrd	edi, eax, 5
		and	edi, 1Fh
		cmp	edi, 18h
		jnz	short loc_45E3D4
		mov	ecx, esi
		call	_MiMakeProtoReadOnly@8 ; MiMakeProtoReadOnly(x,x)

loc_45E3D4:				; CODE XREF: .text:0045E3CBj
		mov	ecx, [esi]
		nop
		mov	edx, [esi+4]
		mov	edi, ecx
		mov	eax, dword_6D0700
		mov	esi, dword_6D0704
		mov	[esp+2Ch], eax
		or	eax, esi
		mov	[esp+28h], esi
		mov	esi, edx
		mov	[esp+3Ch], edx
		jz	short loc_45E459
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45E455
		mov	ecx, [esp+2Ch]
		mov	edx, [esp+28h]
		not	ecx
		not	edx
		and	ecx, edi
		and	edx, esi
		jmp	short loc_45E459
; 

loc_45E415:				; CODE XREF: .text:0045E347j
		push	edx
		push	edi
		lea	eax, [esp+38h]
		mov	dword ptr [esp+40h], 0
		push	eax
		lea	eax, [esp+44h]
		mov	edx, esi
		push	eax
		push	ecx
		push	dword ptr [ebp+8]
		mov	ecx, [esp+30h]
		call	_MiHandleTransitionFault@32 ; MiHandleTransitionFault(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_45E927
		mov	edx, [esp+38h]
		test	edx, edx
		jz	loc_45E381
		mov	[esp+0Ch], edx
		jmp	loc_45E385
; 

loc_45E455:				; CODE XREF: .text:0045E401j
		mov	ecx, edi
		mov	edx, esi

loc_45E459:				; CODE XREF: .text:0045E3F7j
					; .text:0045E413j
		shrd	edi, esi, 5
		and	ecx, 0FFFFF000h
		and	edx, 1Fh
		and	edi, 1Fh
		mov	esi, ds:_MmProtectToPteMask[edi*8]
		mov	edi, ds:dword_40B4DC[edi*8]
		and	esi, 0E7Fh
		or	esi, ecx
		and	edi, 0FFFFFFE0h
		mov	ecx, [esp+14h]
		or	esi, 21h
		or	edi, edx
		mov	[esp+10h], esi
		lea	eax, [ecx+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_45E508
		mov	edx, ecx
		lea	eax, [ecx+3FA00000h]
		shl	edx, 9
		mov	[esp+2Ch], edx
		cmp	eax, 3FFFh
		ja	short loc_45E4E0
		mov	[esp+10h], esi
		cmp	ecx, 0C0603018h
		jnz	short loc_45E4C6
		or	edi, 80000000h
		jmp	short loc_45E4CC
; 

loc_45E4C6:				; CODE XREF: .text:0045E4BCj
		and	edi, 7FFFFFFFh

loc_45E4CC:				; CODE XREF: .text:0045E4C4j
		call	_MiUserPdeOrAbove@4 ; MiUserPdeOrAbove(x)
		mov	edx, [esp+2Ch]
		test	eax, eax
		jz	short loc_45E4E0
		or	esi, 4
		mov	[esp+10h], esi

loc_45E4E0:				; CODE XREF: .text:0045E4B0j
					; .text:0045E4D7j
		mov	eax, ds:_MmHighestUserAddress
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	ecx, eax
		ja	short loc_45E4FD
		or	esi, 4
		mov	[esp+10h], esi

loc_45E4FD:				; CODE XREF: .text:0045E4F4j
		mov	ecx, edx
		call	_MiIsAddressGlobal@4 ; MiIsAddressGlobal(x)
		test	eax, eax
		jz	short loc_45E512

loc_45E508:				; CODE XREF: .text:0045E49Aj
		or	esi, 100h
		mov	[esp+10h], esi

loc_45E512:				; CODE XREF: .text:0045E506j
		mov	eax, ds:_ZeroPte
		mov	[esp+28h], eax
		mov	eax, ds:dword_40F9FC
		mov	[esp+2Ch], eax
		mov	eax, [esp+0Ch]
		mov	edx, [eax+8]
		mov	eax, [eax+0Ch]
		mov	[esp+24h], eax
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_45E56D
		mov	eax, [esp+24h]
		mov	ecx, edx
		shrd	ecx, eax, 2
		test	cl, 1
		jz	short loc_45E56D
		shrd	edx, eax, 0Ch
		and	edx, 0Fh
		cmp	edx, dword_6D50FC
		jnz	short loc_45E56D
		mov	ecx, [esp+0Ch]
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	[esp+28h], eax
		mov	[esp+2Ch], edx

loc_45E56D:				; CODE XREF: .text:0045E53Cj
					; .text:0045E54Bj ...
		mov	ecx, esi
		and	ecx, 800h
		or	ecx, 0
		jz	loc_45E600
		cmp	dword ptr [ebp+0Ch], 0
		mov	edx, [esp+18h]
		jz	short loc_45E5BB
		mov	eax, [edx]
		cmp	eax, ds:_MmHighestUserAddress
		ja	short loc_45E5BB
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	edi, edi
		jl	short loc_45E5B5
		jg	short loc_45E5A8
		test	esi, esi
		jb	short loc_45E5B5

loc_45E5A8:				; CODE XREF: .text:0045E5A2j
		test	byte ptr [eax+0FCh], 10h
		jz	short loc_45E5B5
		xor	ecx, ecx
		jmp	short loc_45E5BF
; 

loc_45E5B5:				; CODE XREF: .text:0045E5A0j
					; .text:0045E5A6j ...
		mov	eax, [eax+4B4h]

loc_45E5BB:				; CODE XREF: .text:0045E586j
					; .text:0045E590j
		mov	ecx, [esp+20h]

loc_45E5BF:				; CODE XREF: .text:0045E5B3j
		mov	eax, [esp+0Ch]
		test	byte ptr [eax+16h], 10h
		jz	short loc_45E5D9
		test	ecx, ecx
		jnz	short loc_45E5F9
		mov	eax, [edx]
		cmp	eax, dword_6D07D0
		jb	short loc_45E600
		jmp	short loc_45E5F9
; 

loc_45E5D9:				; CODE XREF: .text:0045E5C7j
		test	ecx, ecx
		jz	short loc_45E600
		mov	ecx, eax
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_45E600
		mov	ecx, [esp+0Ch]
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	[esp+28h], eax
		mov	[esp+2Ch], edx

loc_45E5F9:				; CODE XREF: .text:0045E5CBj
					; .text:0045E5D7j
		or	esi, 42h
		mov	[esp+10h], esi

loc_45E600:				; CODE XREF: .text:0045E578j
					; .text:0045E5D5j ...
		mov	ecx, [esp+0Ch]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_45E69D
		cmp	dword_6D07D0, 0C0000000h
		mov	edx, edi
		mov	ecx, [esp+14h]
		sbb	eax, eax
		mov	dword ptr [esp+24h], 0
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	ecx, 0C0603000h
		jb	short loc_45E687
		cmp	ecx, eax
		jnb	short loc_45E687
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_45E663
		cmp	byte ptr word_6D07B8+1,	0
		mov	eax, esi
		mov	dword ptr [esp+24h], 1
		jnz	short loc_45E689
		or	edx, 80000000h
		jmp	short loc_45E689
; 

loc_45E663:				; CODE XREF: .text:0045E646j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, esi
		jz	short loc_45E689
		mov	edx, edi
		or	edx, 80000000h
		jmp	short loc_45E689
; 

loc_45E687:				; CODE XREF: .text:0045E639j
					; .text:0045E63Dj
		mov	eax, esi

loc_45E689:				; CODE XREF: .text:0045E659j
					; .text:0045E661j ...
		mov	[ecx+4], edx
		nop
		cmp	dword ptr [esp+24h], 0
		mov	[ecx], eax
		jz	short loc_45E69D
		push	edx
		push	eax
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_45E69D:				; CODE XREF: .text:0045E60Bj
					; .text:0045E694j
		mov	eax, [esp+0Ch]
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx
		mov	edx, [ebp+8]
		test	edx, edx
		jz	loc_45E8B8
		lea	ecx, [edx+10h]
		mov	dword ptr [esp+48h], 0
		mov	[esp+24h], ecx
		lock bts dword ptr [ecx], 1Fh
		jnb	short loc_45E6F0
		mov	esi, ecx
		nop

loc_45E6D0:				; CODE XREF: .text:0045E6DCj
					; .text:0045E6E3j
		lea	ecx, [esp+48h]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_45E6D0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_45E6D0
		mov	esi, [esp+10h]
		mov	ecx, [esp+24h]
		mov	edx, [ebp+8]

loc_45E6F0:				; CODE XREF: .text:0045E6CBj
		mov	al, [edx+16h]
		and	al, 0DFh
		mov	[edx+16h], al
		movzx	eax, word ptr [edx+14h]
		test	ax, ax
		jz	loc_45EA57
		add	eax, 0FFFFh
		test	dword ptr [edx+18h], 800000h
		mov	[edx+14h], ax
		jnz	loc_45E8AC
		mov	ecx, [ecx]
		mov	[esp+4Ch], ecx
		and	ecx, 3FFFFFFFh
		test	ax, ax
		jz	short loc_45E75E
		cmp	ax, 1
		jnz	short loc_45E738
		test	ecx, ecx
		jnz	short loc_45E754
		jmp	short loc_45E74A
; 

loc_45E738:				; CODE XREF: .text:0045E730j
		cmp	ax, 2
		jnz	loc_45E8AC
		test	ecx, ecx
		jz	loc_45E8AC

loc_45E74A:				; CODE XREF: .text:0045E736j
		test	byte ptr [edx+16h], 8
		jz	loc_45E8AC

loc_45E754:				; CODE XREF: .text:0045E734j
		mov	dword ptr [esp+20h], 0
		jmp	short loc_45E766
; 

loc_45E75E:				; CODE XREF: .text:0045E72Aj
		mov	dword ptr [esp+20h], 1

loc_45E766:				; CODE XREF: .text:0045E75Cj
		mov	eax, ds:_MmHighestUserAddress
		mov	edx, [edx+4]
		shr	eax, 9
		or	edx, 80000000h
		and	eax, offset loc_7FFFF8
		add	eax, 0C0000000h
		mov	[esp+3Ch], eax
		cmp	edx, eax
		ja	short loc_45E791
		cmp	edx, 0C0000000h
		jnb	short loc_45E7A5

loc_45E791:				; CODE XREF: .text:0045E787j
		mov	ecx, [ebp+8]
		mov	al, [ecx+17h]
		test	al, 20h
		jz	short loc_45E7A8
		and	al, 0DFh
		mov	[ecx+17h], al
		jmp	loc_45E883
; 

loc_45E7A5:				; CODE XREF: .text:0045E78Fj
		mov	ecx, [ebp+8]

loc_45E7A8:				; CODE XREF: .text:0045E799j
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_45E7BE
		mov	eax, [ecx+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_45E7E3

loc_45E7BE:				; CODE XREF: .text:0045E7AFj
		cmp	edx, [esp+3Ch]
		ja	short loc_45E7D2
		cmp	edx, 0C0000000h
		jb	short loc_45E7D2
		test	byte ptr [ecx+17h], 20h
		jnz	short loc_45E7E3

loc_45E7D2:				; CODE XREF: .text:0045E7C2j
					; .text:0045E7CAj
		cmp	dword ptr [esp+20h], 1
		jnz	short loc_45E7F2
		test	dword ptr [esp+4Ch], 40000000h
		jz	short loc_45E7F2

loc_45E7E3:				; CODE XREF: .text:0045E7BCj
					; .text:0045E7D0j
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit

loc_45E7F2:				; CODE XREF: .text:0045E7D7j
					; .text:0045E7E1j
		mov	eax, large fs:20h
		mov	edx, [eax+3D30h]
		add	eax, 3D30h
		mov	[esp+3Ch], eax
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_45E813
		mov	eax, 1
		jmp	short loc_45E877
; 

loc_45E813:				; CODE XREF: .text:0045E80Aj
		lea	eax, [edx+1]
		cmp	eax, 100h
		ja	short loc_45E844
		lea	ecx, [ecx+0]

loc_45E820:				; CODE XREF: .text:0045E842j
		mov	esi, [esp+3Ch]
		lea	ecx, [edx+1]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	esi, [esp+10h]
		cmp	eax, edx
		jz	short loc_45E880
		mov	edx, eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_45E844
		inc	eax
		cmp	eax, 100h
		jbe	short loc_45E820

loc_45E844:				; CODE XREF: .text:0045E81Bj
					; .text:0045E83Aj
		cmp	edx, 0C0h
		jle	short loc_45E86E
		cmp	edx, 0FFFFFFFFh
		jz	short loc_45E86E
		mov	esi, [esp+3Ch]
		mov	ecx, 0C0h
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	esi, [esp+10h]
		cmp	eax, edx
		lea	eax, [edx-0BFh]
		jz	short loc_45E873

loc_45E86E:				; CODE XREF: .text:0045E84Aj
					; .text:0045E84Fj
		mov	eax, 1

loc_45E873:				; CODE XREF: .text:0045E86Cj
		test	eax, eax
		jz	short loc_45E880

loc_45E877:				; CODE XREF: .text:0045E811j
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_45E880:				; CODE XREF: .text:0045E833j
					; .text:0045E875j
		mov	ecx, [ebp+8]

loc_45E883:				; CODE XREF: .text:0045E7A0j
		cmp	dword ptr [esp+20h], 0
		jz	short loc_45E8AC
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		lea	eax, [ecx+edx]
		mov	ecx, [ebp+8]
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	MiPfnReferenceCountIsZero

loc_45E8AC:				; CODE XREF: .text:0045E715j
					; .text:0045E73Cj ...
		mov	eax, [esp+24h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_45E8B8:				; CODE XREF: .text:0045E6B1j
		mov	ecx, [esp+28h]
		mov	eax, ecx
		mov	edx, [esp+2Ch]
		or	eax, edx
		jz	short loc_45E8D7
		push	edx
		push	ecx
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_45E8D7:				; CODE XREF: .text:0045E8C4j
		mov	eax, [esp+30h]
		test	eax, eax
		jz	short loc_45E8FD
		cmp	dword ptr [eax+68h], 1
		jle	short loc_45E8F6
		push	0
		push	0
		add	eax, 20h
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, [esp+30h]

loc_45E8F6:				; CODE XREF: .text:0045E8E3j
		mov	ecx, eax
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)

loc_45E8FD:				; CODE XREF: .text:0045E8DDj
		mov	ecx, [esp+0Ch]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_45E92F
		mov	edx, [ebp+0Ch]
		mov	ecx, [esp+18h]
		push	edi
		push	esi
		push	dword ptr [esp+24h]
		push	0
		call	_MiCompleteProtoPteFault@24 ; MiCompleteProtoPteFault(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_45E927

loc_45E922:				; CODE XREF: .text:0045E991j
					; .text:0045EA2Cj
		mov	eax, 110h

loc_45E927:				; CODE XREF: .text:0045E36Aj
					; .text:0045E373j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_45E92F:				; CODE XREF: .text:0045E908j
		mov	edx, [esp+1Ch]
		mov	eax, [esp+40h]
		and	edx, 0FFFFFFFEh
		test	eax, eax
		jz	short loc_45E9A7
		cmp	byte ptr [edx],	4
		jnz	short loc_45E9A7
		mov	ecx, [esp+14h]
		xor	edx, edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_45E989
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_45E96B
		cmp	byte ptr word_6D07B8+1,	0
		mov	edx, 1
		jnz	short loc_45E989
		jmp	short loc_45E983
; 

loc_45E96B:				; CODE XREF: .text:0045E959j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_45E989

loc_45E983:				; CODE XREF: .text:0045E969j
		or	edi, 80000000h

loc_45E989:				; CODE XREF: .text:0045E950j
					; .text:0045E967j ...
		mov	[ecx+4], edi
		nop
		mov	[ecx], esi
		test	edx, edx
		jz	short loc_45E922
		push	edi
		push	esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	eax, 110h
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_45E9A7:				; CODE XREF: .text:0045E93Cj
					; .text:0045E941j
		mov	dword ptr [esp+30h], 0
		mov	dword ptr [esp+40h], 0
		test	eax, eax
		jz	short loc_45E9DA
		cmp	byte ptr [edx],	3
		jnz	short loc_45E9CD
		and	esi, 0FFFFFFDFh
		mov	dword ptr [esp+30h], 1
		jmp	short loc_45E9DA
; 

loc_45E9CD:				; CODE XREF: .text:0045E9BEj
		test	eax, eax
		jz	short loc_45E9DA
		cmp	byte ptr [edx],	5
		jnz	short loc_45E9DA
		mov	[esp+40h], edx

loc_45E9DA:				; CODE XREF: .text:0045E9B9j
					; .text:0045E9CBj ...
		mov	eax, [esp+18h]
		test	byte ptr [eax+1Dh], 8
		jz	short loc_45E9F6
		mov	eax, [eax+8]
		test	al, 1
		jz	short loc_45E9F3
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	2
		jz	short loc_45E9F6

loc_45E9F3:				; CODE XREF: .text:0045E9E9j
		and	esi, 0FFFFFFDFh

loc_45E9F6:				; CODE XREF: .text:0045E9E2j
					; .text:0045E9F1j
		mov	edx, [esp+14h]
		push	ecx
		mov	ecx, [esp+54h]
		call	_MiQueueCoreWorkingSetEntries@12 ; MiQueueCoreWorkingSetEntries(x,x,x)
		test	eax, eax
		mov	eax, [esp+30h]
		jz	short loc_45EA0F
		or	eax, 4

loc_45EA0F:				; CODE XREF: .text:0045EA0Aj
		mov	edx, [esp+14h]
		mov	ecx, [esp+54h]
		push	edi
		push	esi
		push	dword ptr [esp+48h]
		mov	esi, [esp+18h]
		push	eax
		push	0
		push	esi
		call	_MiAllocateWsle@32 ; MiAllocateWsle(x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	loc_45E922
		xor	edx, edx
		mov	ecx, esi
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		pop	edi
		mov	eax, 0C0000017h
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_45EA48:				; CODE XREF: .text:0045E20Cj
		push	ecx
		push	edi
		push	esi
		push	411h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_45EA57:				; CODE XREF: .text:0045E6FFj
		mov	ecx, edx
		call	_MiBadRefCount@4 ; MiBadRefCount(x)
; 
		dw 0CCCCh
; 

; __stdcall MiHandleTransitionFault(x, x, x, x,	x, x, x, x)
_MiHandleTransitionFault@32:		; CODE XREF: .text:0045E433p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+14h]
		push	ebx
		push	esi
		mov	esi, [ebp+0Ch]
		mov	ebx, edx
		mov	dword ptr [eax], 0
		mov	eax, [ebp+10h]
		push	edi
		mov	edi, ecx
		mov	[ebp-0Ch], ebx
		mov	ecx, esi
		mov	[ebp-4], edi
		mov	dword ptr [eax], 0
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_45EAA8
		mov	edx, [esi+4]
		mov	ecx, edx
		or	ecx, 80000000h
		cmp	ebx, ecx
		jnz	loc_45ED86

loc_45EAA8:				; CODE XREF: .text:0045EA93j
		mov	edi, [edi]
		mov	[ebp+0Ch], edi
		test	eax, eax
		jz	loc_45EBC3
		mov	edx, [esi+8]
		mov	eax, edx
		mov	ebx, [esi+0Ch]
		and	eax, 400h
		or	eax, 0
		jz	loc_45EBC3
		mov	eax, [esi+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jz	loc_45EBC3
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edi, dword_6D0704
		or	eax, edi
		jz	short loc_45EAFE
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45EAFE
		not	edi
		and	ebx, edi

loc_45EAFE:				; CODE XREF: .text:0045EAEEj
					; .text:0045EAF8j
		mov	eax, [ebx]
		test	byte ptr [eax+1Ch], 20h
		jz	loc_45EBC0
		mov	eax, [eax+38h]
		mov	eax, [eax+14h]
		mov	[ebp-8], eax
		test	eax, eax
		jz	loc_45EBC0
		mov	edi, [ebp+0Ch]
		mov	ecx, eax
		and	ecx, 0FFFFFFF8h
		cmp	ecx, 8
		jz	loc_45EBC3
		and	al, 3
		cmp	al, 2
		jz	loc_45EBC3
		cmp	edi, dword_6D07D0
		jb	short loc_45EB51
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_45EBC3
		and	edx, 40h
		or	edx, 0
		jnz	short loc_45EB99
		jmp	short loc_45EBC3
; 

loc_45EB51:				; CODE XREF: .text:0045EB3Cj
		mov	ecx, edi
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		test	eax, eax
		jz	short loc_45EB99
		mov	edx, [eax+1Ch]
		mov	ecx, edx
		and	cl, 70h
		cmp	cl, 20h
		jnz	short loc_45EB99
		and	edx, 0F80h
		cmp	edx, 80h
		jz	short loc_45EBC3
		mov	eax, [eax+28h]
		test	eax, 8000000h
		jz	short loc_45EB87
		test	byte ptr [ebp-8], 4
		jz	short loc_45EBC3

loc_45EB87:				; CODE XREF: .text:0045EB7Fj
		test	ds:_MiFlags, 400h
		jz	short loc_45EB99
		test	byte ptr [ebx+12h], 2
		jnz	short loc_45EBC3

loc_45EB99:				; CODE XREF: .text:0045EB4Dj
					; .text:0045EB5Aj ...
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	ecx, [ebp+8]
		test	ecx, ecx
		jz	short loc_45EBB2
		mov	dl, 21h
		call	MiUnlockProtoPoolPage

loc_45EBB2:				; CODE XREF: .text:0045EBA9j
		mov	eax, 0C0000428h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_45EBC0:				; CODE XREF: .text:0045EB04j
					; .text:0045EB15j
		mov	edi, [ebp+0Ch]

loc_45EBC3:				; CODE XREF: .text:0045EAAFj
					; .text:0045EAC5j ...
		xor	edx, edx
		mov	ecx, esi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		test	eax, eax
		jnz	short loc_45EC04
		xor	edx, edx
		mov	ecx, esi
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	ecx, [ebp+8]
		test	ecx, ecx
		jz	loc_45ED51
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	eax, 0C0000434h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_45EC04:				; CODE XREF: .text:0045EBCEj
		mov	ebx, [ebp+8]
		mov	byte ptr [ebp+0Fh], 0
		cmp	edi, ds:_MmHighestUserAddress
		ja	loc_45ED0D
		cmp	word ptr [esi+14h], 0
		jnz	loc_45ED0D
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	eax, [eax+80h]
		mov	edx, [eax+24Ch]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_45EC55
		mov	eax, [edx+0B0h]
		test	eax, eax
		setnz	byte ptr [ebp+0Bh]
		test	eax, eax
		jz	loc_45ED0D
		jmp	short loc_45EC76
; 

loc_45EC55:				; CODE XREF: .text:0045EC3Dj
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jnz	loc_45ED0D
		cmp	[edx+0B4h], eax
		jz	loc_45ED0D
		mov	byte ptr [ebp+0Bh], 1

loc_45EC76:				; CODE XREF: .text:0045EC53j
		mov	ecx, edi
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_45ED0D
		mov	edx, [edi+1Ch]
		mov	ecx, edx
		shr	ecx, 12h
		and	ecx, 3
		cmp	ds:_MiVadPageSizes[ecx*4], 10h
		jnz	short loc_45ED0D
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		and	edx, 100000h
		test	eax, eax
		jz	short loc_45ECB5
		test	edx, edx
		jnz	short loc_45ED0D
		test	eax, eax
		jnz	short loc_45ECB9

loc_45ECB5:				; CODE XREF: .text:0045ECABj
		test	edx, edx
		jz	short loc_45ED0D

loc_45ECB9:				; CODE XREF: .text:0045ECB3j
		cmp	byte ptr [ebp+0Bh], 0
		jz	short loc_45ED0D
		push	dword ptr [ebp+1Ch]
		mov	ecx, [ebp-4]
		lea	eax, [ebp+0Fh]
		push	dword ptr [ebp+18h]
		mov	edx, edi
		push	eax
		push	ebx
		push	esi
		push	dword ptr [ebp-0Ch]
		call	_MiIdealClusterPage@32 ; MiIdealClusterPage(x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_45ECEB
		cmp	esi, edi
		jz	short loc_45ED03
		mov	eax, [ebp+10h]
		mov	esi, edi
		mov	[eax], edi
		jmp	short loc_45ED03
; 

loc_45ECEB:				; CODE XREF: .text:0045ECDCj
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		test	ebx, ebx
		jz	short loc_45ED03
		mov	dl, 21h
		mov	ecx, ebx
		call	MiUnlockProtoPoolPage

loc_45ED03:				; CODE XREF: .text:0045ECE0j
					; .text:0045ECE9j ...
		cmp	byte ptr [ebp+0Fh], 0
		jnz	short loc_45ED24
		test	edi, edi
		jz	short loc_45ED28

loc_45ED0D:				; CODE XREF: .text:0045EC11j
					; .text:0045EC1Cj ...
		push	dword ptr [ebp+14h]
		mov	ecx, [ebp-4]
		mov	edx, esi
		push	ebx
		call	_MiMigratePfn@16 ; MiMigratePfn(x,x,x,x)
		mov	edi, eax
		mov	eax, [ebp+10h]
		mov	esi, edi
		mov	[eax], edi

loc_45ED24:				; CODE XREF: .text:0045ED07j
		test	edi, edi
		jnz	short loc_45ED5F

loc_45ED28:				; CODE XREF: .text:0045ED0Bj
		mov	ebx, [ebp+14h]
		mov	esi, [ebx]
		test	esi, esi
		jz	short loc_45ED51
		cmp	dword ptr [esi+68h], 1
		jle	short loc_45ED44
		push	0
		push	0
		lea	eax, [esi+20h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_45ED44:				; CODE XREF: .text:0045ED35j
		mov	ecx, esi
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)
		mov	dword ptr [ebx], 0

loc_45ED51:				; CODE XREF: .text:0045EBE9j
					; .text:0045ED2Fj
		mov	eax, 0C0000434h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_45ED5F:				; CODE XREF: .text:0045ED26j
		mov	eax, [esi+10h]
		inc	word ptr [esi+14h]
		and	eax, 0C0000001h
		or	eax, 1
		mov	[esi+10h], eax
		mov	al, [esi+16h]
		and	al, 0FEh
		or	al, 6
		pop	edi
		mov	[esi+16h], al
		xor	eax, eax
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_45ED86:				; CODE XREF: .text:0045EAA2j
		push	esi
		push	edx
		push	ebx
		push	888Ah
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 3 dup(0CCh)
		align 10h

; __stdcall MiUnlinkPageFromList(x, x)
_MiUnlinkPageFromList@8:		; CODE XREF: MiBuildReservationCluster(x,x,x,x)+143p
					; .text:0045A793p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 58h
		push	esi
		xor	eax, eax
		mov	[esp+14h], edx
		push	edi
		mov	edi, ecx
		mov	[esp+38h], eax
		mov	[esp+3Ch], eax
		mov	[esp+40h], eax
		movzx	eax, word ptr [edi+14h]
		test	ax, ax
		jz	short loc_45EDD9
		test	dword ptr [edi+10h], 3FFFFFFFh
		jnz	loc_45F5C0
		jmp	short loc_45EE05
; 

loc_45EDD9:				; CODE XREF: .text:0045EDC8j
		mov	cl, [edi+16h]
		movzx	eax, cl
		and	cl, 7
		and	eax, 7
		cmp	cl, 5
		mov	ecx, edi
		mov	esi, dword_6D579C[eax*4]
		mov	[esp+8], esi
		mov	eax, [esi+4]
		mov	[esp+24h], eax
		jnz	short loc_45EE10
		xor	edx, edx
		call	_MiUnlinkPageFromBadList@8 ; MiUnlinkPageFromBadList(x,x)

loc_45EE05:				; CODE XREF: .text:0045EDD7j
		mov	eax, 1
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_45EE10:				; CODE XREF: .text:0045EDFCj
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		mov	eax, dword_6D3250
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	edx, 41h
		mov	[esp+0Ch], edx
		cmp	ecx, eax
		jb	short loc_45EE4B
		add	eax, 800h
		cmp	ecx, eax
		jnb	short loc_45EE4B
		mov	edx, 45h
		jmp	short loc_45EE76
; 

loc_45EE4B:				; CODE XREF: .text:0045EE39j
					; .text:0045EE42j
		cmp	byte_6D5872, 0
		jz	short loc_45EE7A
		mov	eax, dword_6D5BBC
		shr	ecx, 9
		mov	esi, ecx
		and	ecx, 1Fh
		shr	esi, 5
		mov	eax, [eax+esi*4]
		mov	esi, [esp+8]
		sar	eax, cl
		test	al, 1
		jz	short loc_45EE7A
		mov	edx, 51h

loc_45EE76:				; CODE XREF: .text:0045EE49j
		mov	[esp+0Ch], edx

loc_45EE7A:				; CODE XREF: .text:0045EE52j
					; .text:0045EE6Fj
		mov	eax, [esp+24h]
		mov	[esp+1Ch], edx
		cmp	eax, 2
		jnz	loc_45F17C
		mov	ecx, edi
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		or	edx, 2
		mov	[esp+20h], eax
		mov	[esp+0Ch], edx
		test	dl, 4
		jz	short loc_45EEB2
		mov	edx, [esp+1Ch]
		and	edx, 0FFFFFFBDh
		mov	[esp+0Ch], edx
		test	dl, 4
		jnz	short loc_45EEBF

loc_45EEB2:				; CODE XREF: .text:0045EEA0j
		test	byte ptr [edi+17h], 8
		jz	short loc_45EEBF
		or	edx, 8
		mov	[esp+0Ch], edx

loc_45EEBF:				; CODE XREF: .text:0045EEB0j
					; .text:0045EEB6j
		lea	eax, [eax+eax*4]
		lea	eax, unk_6D5480[eax*4]
		mov	[esp+8], eax
		test	dl, 10h
		jz	short loc_45EED9
		and	edx, 0FFFFFFBDh
		mov	[esp+0Ch], edx

loc_45EED9:				; CODE XREF: .text:0045EED0j
		test	dl, 2
		jz	short loc_45EEFB
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_45EEF0
		lock dec dword_6D5800
		jmp	short loc_45EEF7
; 

loc_45EEF0:				; CODE XREF: .text:0045EEE5j
		lock dec dword_6D5940

loc_45EEF7:				; CODE XREF: .text:0045EEEEj
		mov	eax, [esp+8]

loc_45EEFB:				; CODE XREF: .text:0045EEDCj
		cmp	dword ptr [esp+18h], 0
		jnz	short loc_45EF40
		test	ds:byte_70EFC6,	21h
		lea	ecx, [eax+10h]
		mov	[esp+3Ch], ecx
		mov	dword ptr [esp+38h], 0
		jz	short loc_45EF27
		mov	edx, ecx
		lea	ecx, [esp+38h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_45EF3C
; 

loc_45EF27:				; CODE XREF: .text:0045EF18j
		lea	eax, [esp+38h]
		xchg	eax, [ecx]
		test	eax, eax
		jz	short loc_45EF40
		mov	edx, eax
		lea	ecx, [esp+38h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_45EF3C:				; CODE XREF: .text:0045EF25j
		mov	edx, [esp+0Ch]

loc_45EF40:				; CODE XREF: .text:0045EF00j
					; .text:0045EF2Fj
		mov	esi, [edi+10h]
		mov	ecx, [edi]
		and	esi, offset loc_7FFFFF
		mov	[esp+10h], ecx
		test	dl, 8
		jz	loc_45F0A4
		mov	edx, dword_6D3250
		cmp	ecx, edx
		jb	short loc_45EF8B
		lea	eax, [edx+800h]
		cmp	ecx, eax
		jnb	short loc_45EF8B
		cmp	esi, ecx
		jnz	short loc_45EF8B
		mov	ecx, edi
		call	_MiDeleteParentDecayNode@4 ; MiDeleteParentDecayNode(x)
		mov	edx, [esp+0Ch]
		mov	ecx, offset loc_7FFFFF
		mov	[esp+10h], ecx
		mov	esi, ecx
		jmp	loc_45F12A
; 

loc_45EF8B:				; CODE XREF: .text:0045EF60j
					; .text:0045EF6Aj ...
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		lea	ecx, [eax+ecx*4]
		mov	[esp+34h], ecx
		cmp	esi, edx
		jb	loc_45F03D
		lea	eax, [edx+800h]
		cmp	esi, eax
		jnb	loc_45F03D
		mov	edx, [ecx+8]
		mov	ecx, [ecx+0Ch]
		mov	eax, dword_6D0700
		mov	[esp+14h], ecx
		mov	[esp+2Ch], ecx
		mov	ecx, dword_6D0704
		mov	[esp+28h], eax
		or	eax, ecx
		mov	[esp+1Ch], ecx
		mov	ecx, [esp+14h]
		jz	short loc_45F002
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_45EFFB
		mov	eax, [esp+28h]
		not	dword ptr [esp+1Ch]
		not	eax
		and	edx, eax
		and	ecx, [esp+1Ch]
		jmp	short loc_45EFFE
; 

loc_45EFFB:				; CODE XREF: .text:0045EFE7j
		and	edx, 0FFFFFFEFh

loc_45EFFE:				; CODE XREF: .text:0045EFF9j
		mov	[esp+14h], ecx

loc_45F002:				; CODE XREF: .text:0045EFDDj
		mov	ecx, [esp+10h]
		xor	eax, eax
		and	dword ptr [esp+14h], 0FFFFFFC0h
		and	ecx, 3FFFFFFh
		shld	eax, ecx, 0Ch
		and	edx, 0FFFh
		or	eax, [esp+14h]
		shl	ecx, 0Ch
		or	ecx, edx
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [esp+34h]
		mov	[ecx+0Ch], edx
		mov	edx, [esp+10h]
		mov	[ecx+8], eax
		jmp	short loc_45F043
; 

loc_45F03D:				; CODE XREF: .text:0045EFA2j
					; .text:0045EFB0j
		mov	edx, [esp+10h]
		mov	[ecx], edx

loc_45F043:				; CODE XREF: .text:0045F03Bj
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	ecx, [eax+ecx*4]
		mov	eax, dword_6D3250
		cmp	edx, eax
		jb	short loc_45F087
		add	eax, 800h
		cmp	edx, eax
		jnb	short loc_45F087
		mov	eax, [ecx+18h]
		mov	edx, [esp+0Ch]
		and	eax, 0FF800000h
		or	eax, esi
		mov	[ecx+18h], eax
		mov	ecx, offset loc_7FFFFF
		mov	[esp+10h], ecx
		mov	esi, ecx
		jmp	loc_45F12A
; 

loc_45F087:				; CODE XREF: .text:0045F05Bj
					; .text:0045F064j
		push	0
		mov	edx, esi
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		mov	edx, [esp+0Ch]
		mov	ecx, offset loc_7FFFFF
		mov	[esp+10h], ecx
		mov	esi, ecx
		jmp	loc_45F12A
; 

loc_45F0A4:				; CODE XREF: .text:0045EF52j
		cmp	ecx, offset loc_7FFFFF
		jz	short loc_45F0E4
		mov	eax, dword_6D3250
		cmp	ecx, eax
		jb	short loc_45F0BE
		add	eax, 800h
		cmp	ecx, eax
		jb	short loc_45F0E4

loc_45F0BE:				; CODE XREF: .text:0045F0B3j
		mov	eax, ds:_MmPfnDatabase
		shl	ecx, 3
		sub	ecx, [esp+10h]
		lea	ecx, [eax+ecx*4]
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		mov	[esp+1Ch], eax
		mov	eax, [esp+20h]
		cmp	eax, [esp+1Ch]
		jnz	loc_45F5EA

loc_45F0E4:				; CODE XREF: .text:0045F0AAj
					; .text:0045F0BCj
		cmp	esi, offset loc_7FFFFF
		jz	short loc_45F126
		mov	eax, dword_6D3250
		cmp	esi, eax
		jb	short loc_45F0FE
		add	eax, 800h
		cmp	esi, eax
		jb	short loc_45F126

loc_45F0FE:				; CODE XREF: .text:0045F0F3j
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		lea	ecx, [eax+ecx*4]
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		mov	[esp+1Ch], eax
		mov	eax, [esp+20h]
		cmp	eax, [esp+1Ch]
		jnz	loc_45F600

loc_45F126:				; CODE XREF: .text:0045F0EAj
					; .text:0045F0FCj
		mov	ecx, [esp+10h]

loc_45F12A:				; CODE XREF: .text:0045EF86j
					; .text:0045F082j ...
		movzx	eax, byte_6D5870
		cmp	[esp+20h], eax
		jnb	short loc_45F13E
		and	edx, 0FFFFFFFEh
		mov	[esp+0Ch], edx

loc_45F13E:				; CODE XREF: .text:0045F135j
		mov	edx, [esp+8]

loc_45F142:				; CODE XREF: .text:0045F22Fj
					; .text:0045F251j ...
		cmp	ecx, offset loc_7FFFFF
		jz	loc_45F346
		mov	eax, ds:_MmPfnDatabase
		mov	edx, esi
		shl	ecx, 3
		sub	ecx, [esp+10h]
		push	0
		lea	ecx, [eax+ecx*4]
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		mov	eax, [esp+0Ch]
		mov	edx, eax
		mov	ecx, [esp+10h]
		shr	edx, 3
		mov	[esp+14h], edx
		jmp	loc_45F36B
; 

loc_45F17C:				; CODE XREF: .text:0045EE85j
		cmp	eax, 3
		jnz	loc_45F2D7
		lock dec dword ptr [esi]
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		mov	eax, offset dword_6D5800
		jnz	short loc_45F19D
		mov	eax, offset dword_6D5940

loc_45F19D:				; CODE XREF: .text:0045F196j
		lock dec dword ptr [eax]
		mov	eax, [edi+8]
		and	eax, 400h
		or	eax, 0
		jnz	loc_45F256
		cmp	[esp+18h], eax
		jnz	short loc_45F1EB
		add	esi, 10h
		mov	[esp+38h], eax
		test	ds:byte_70EFC6,	21h
		mov	[esp+3Ch], esi
		jz	short loc_45F1D8
		mov	edx, esi
		lea	ecx, [esp+38h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_45F1EB
; 

loc_45F1D8:				; CODE XREF: .text:0045F1C9j
		lea	edx, [esp+38h]
		xchg	edx, [esi]
		test	edx, edx
		jz	short loc_45F1EB
		lea	ecx, [esp+38h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_45F1EB:				; CODE XREF: .text:0045F1B5j
					; .text:0045F1D6j ...
		dec	dword_6D5F58
		mov	edx, [edi+8]
		mov	esi, edx
		mov	ecx, [edi+0Ch]
		mov	eax, ecx
		shrd	esi, eax, 0Ch
		shrd	edx, ecx, 1
		and	esi, 0Fh
		test	dl, 1
		jnz	short loc_45F234
		cmp	esi, dword_6D50FC
		jz	short loc_45F234
		mov	esi, [edi+10h]
		mov	edx, offset unk_6D5540
		mov	ecx, [edi]
		and	esi, offset loc_7FFFFF
		mov	dword ptr [esp+8], offset unk_6D5540
		mov	[esp+10h], ecx
		jmp	loc_45F142
; 

loc_45F234:				; CODE XREF: .text:0045F209j
					; .text:0045F211j
		mov	ecx, [edi]
		lea	eax, [esi+esi*4]
		mov	esi, [edi+10h]
		lea	edx, dword_6D5580[eax*4]
		mov	[esp+8], edx
		and	esi, offset loc_7FFFFF
		mov	[esp+10h], ecx
		jmp	loc_45F142
; 

loc_45F256:				; CODE XREF: .text:0045F1ABj
		mov	eax, [edi+18h]
		shr	eax, 1Ah
		and	eax, 3
		cmp	dword ptr [esp+18h], 0
		lea	eax, [eax+eax*4]
		lea	eax, unk_6D56C0[eax*4]
		mov	[esp+8], eax
		jnz	short loc_45F2AC
		add	eax, 10h
		mov	dword ptr [esp+38h], 0
		test	ds:byte_70EFC6,	21h
		mov	[esp+3Ch], eax
		jz	short loc_45F299
		mov	edx, eax
		lea	ecx, [esp+38h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_45F2AC
; 

loc_45F299:				; CODE XREF: .text:0045F28Aj
		lea	edx, [esp+38h]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_45F2AC
		lea	ecx, [esp+38h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_45F2AC:				; CODE XREF: .text:0045F272j
					; .text:0045F297j ...
		xor	eax, eax
		mov	[esp+44h], eax
		mov	[esp+48h], eax
		mov	[esp+4Ch], eax
		mov	[esp+50h], eax
		mov	[esp+54h], eax
		mov	[esp+58h], eax
		mov	eax, [edi+18h]
		and	eax, 0F3FFFFFFh
		mov	[esp+5Ch], eax
		mov	[edi+18h], eax
		jmp	short loc_45F32E
; 

loc_45F2D7:				; CODE XREF: .text:0045F17Fj
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		mov	eax, offset dword_6D5800
		jnz	short loc_45F2EC
		mov	eax, offset dword_6D5940

loc_45F2EC:				; CODE XREF: .text:0045F2E5j
		lock dec dword ptr [eax]
		cmp	dword ptr [esp+18h], 0
		jnz	short loc_45F32E
		add	esi, 10h
		mov	dword ptr [esp+38h], 0
		test	ds:byte_70EFC6,	21h
		mov	[esp+3Ch], esi
		jz	short loc_45F31B
		mov	edx, esi
		lea	ecx, [esp+38h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_45F32E
; 

loc_45F31B:				; CODE XREF: .text:0045F30Cj
		lea	edx, [esp+38h]
		xchg	edx, [esi]
		test	edx, edx
		jz	short loc_45F32E
		lea	ecx, [esp+38h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_45F32E:				; CODE XREF: .text:0045F2D5j
					; .text:0045F2F4j ...
		mov	esi, [edi+10h]
		mov	ecx, [edi]
		and	esi, offset loc_7FFFFF
		mov	edx, [esp+8]
		mov	[esp+10h], ecx
		jmp	loc_45F142
; 

loc_45F346:				; CODE XREF: .text:0045F148j
		mov	eax, [esp+0Ch]
		mov	[esp+14h], eax
		shr	dword ptr [esp+14h], 3
		test	byte ptr [esp+14h], 1
		jnz	short loc_45F367
		mov	[edx+0Ch], esi
		mov	edx, [esp+14h]
		mov	[esp+14h], edx
		jmp	short loc_45F36B
; 

loc_45F367:				; CODE XREF: .text:0045F358j
		mov	edx, [esp+14h]

loc_45F36B:				; CODE XREF: .text:0045F177j
					; .text:0045F365j
		cmp	esi, offset loc_7FFFFF
		jz	loc_45F444
		mov	ecx, ds:_MmPfnDatabase
		lea	edx, ds:0[esi*8]
		sub	edx, esi
		mov	esi, [esp+10h]
		mov	[ecx+edx*4], esi
		mov	edx, [esp+14h]

loc_45F391:				; CODE XREF: .text:0045F447j
		mov	esi, [esp+8]

loc_45F395:				; CODE XREF: .text:0045F454j
		cmp	eax, 40h
		jb	short loc_45F39C
		dec	dword ptr [esi]

loc_45F39C:				; CODE XREF: .text:0045F398j
		cmp	dword ptr [esp+24h], 2
		jnz	short loc_45F3B5
		test	al, 14h
		jnz	short loc_45F3B5
		test	dl, 1
		jz	short loc_45F3B5
		mov	cl, [edi+17h]
		and	cl, 0F7h
		mov	[edi+17h], cl

loc_45F3B5:				; CODE XREF: .text:0045F3A1j
					; .text:0045F3A5j ...
		xor	edx, edx
		mov	dword ptr [edi], 0
		mov	esi, 1
		mov	ecx, edi
		test	al, 4
		jnz	loc_45F4B6
		push	esi
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		cmp	dword_6D3034, esi
		jnz	short loc_45F41B
		sub	edi, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	edi
		mov	eax, dword_6D3068
		mov	ecx, esi
		add	edx, edi
		sar	edx, 4
		mov	edi, edx
		shr	edi, 1Fh
		add	edi, edx
		mov	edx, edi
		and	edi, 1Fh
		shr	edx, 5
		lea	esi, [eax+edx*4]
		lea	eax, [edi+1]
		cmp	eax, 20h
		ja	short loc_45F459
		mov	eax, ecx
		mov	ecx, edi
		shl	eax, cl

loc_45F413:				; CODE XREF: .text:0045F4B1j
		lock or	[esi], eax

loc_45F416:				; CODE XREF: .text:0045F4A3j
		mov	esi, 1

loc_45F41B:				; CODE XREF: .text:0045F3D8j
					; .text:0045F4BDj
		cmp	dword ptr [esp+18h], 0
		jnz	loc_45F4F3
		test	ds:byte_70EFC6,	1
		jz	loc_45F4C2
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_45F4F3
; 

loc_45F444:				; CODE XREF: .text:0045F371j
		test	dl, 1
		jnz	loc_45F391
		mov	esi, [esp+8]
		mov	[esi+8], ecx
		jmp	loc_45F395
; 

loc_45F459:				; CODE XREF: .text:0045F40Bj
		test	edi, edi
		jz	short loc_45F4A9
		mov	edx, 20h
		mov	eax, ecx
		sub	edx, edi
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, edi
		dec	eax
		shl	eax, cl
		lock or	[esi], eax
		mov	ecx, 1
		add	esi, 4
		sub	ecx, edx
		cmp	ecx, 20h
		jb	short loc_45F4A1
		mov	eax, ecx
		shr	eax, 5
		jmp	short loc_45F490
; 
		align 10h

loc_45F490:				; CODE XREF: .text:0045F486j
					; .text:0045F49Fj
		mov	dword ptr [esi], 0FFFFFFFFh
		sub	ecx, 20h
		add	esi, 4
		sub	eax, 1
		jnz	short loc_45F490

loc_45F4A1:				; CODE XREF: .text:0045F47Fj
		test	ecx, ecx
		jz	loc_45F416

loc_45F4A9:				; CODE XREF: .text:0045F45Bj
		mov	eax, 1
		shl	eax, cl
		dec	eax
		jmp	loc_45F413
; 

loc_45F4B6:				; CODE XREF: .text:0045F3C6j
		push	0
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		jmp	loc_45F41B
; 

loc_45F4C2:				; CODE XREF: .text:0045F42Dj
		mov	eax, [esp+38h]
		test	eax, eax
		jnz	short loc_45F4E5
		mov	edx, [esp+3Ch]
		lea	eax, [esp+38h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h]
		cmp	eax, ecx
		jz	short loc_45F4F3
		call	KxWaitForLockChainValid

loc_45F4E5:				; CODE XREF: .text:0045F4C8j
		mov	dword ptr [esp+38h], 0
		add	eax, 4
		lock xor [eax],	esi

loc_45F4F3:				; CODE XREF: .text:0045F420j
					; .text:0045F43Fj ...
		mov	eax, [esp+0Ch]
		test	al, 2
		jz	loc_45F5B7
		or	esi, 0FFFFFFFFh
		lock xadd dword_6D5E00,	esi
		dec	esi
		cmp	esi, dword_6D596C
		jz	short loc_45F51B
		cmp	esi, dword_6D5970
		jnz	short loc_45F525

loc_45F51B:				; CODE XREF: .text:0045F511j
		mov	ecx, offset _MiSystemPartition
		call	MiUpdateAvailableEvents

loc_45F525:				; CODE XREF: .text:0045F519j
		lea	edi, [esi+1]
		cmp	esi, 420h
		ja	short loc_45F571
		mov	eax, dword_6D5D40
		test	eax, eax
		jz	short loc_45F540
		mov	al, [eax+2Ch]
		test	al, al
		jnz	short loc_45F54A

loc_45F540:				; CODE XREF: .text:0045F537j
		mov	ecx, offset _MiSystemPartition
		call	_MiObtainFreePages@4 ; MiObtainFreePages(x)

loc_45F54A:				; CODE XREF: .text:0045F53Ej
		cmp	esi, 0A0h
		jnb	short loc_45F571
		cmp	edi, 0A0h
		jb	short loc_45F571
		mov	eax, dword_6D5100
		test	eax, eax
		jz	short loc_45F571
		push	0
		push	0
		push	offset unk_6D50A0
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_45F571:				; CODE XREF: .text:0045F52Ej
					; .text:0045F550j ...
		cmp	esi, 9Fh
		jnb	short loc_45F5B3
		mov	eax, large fs:124h
		mov	ecx, [eax+300h]
		mov	eax, ecx
		and	al, 0Ch
		cmp	al, 8
		jz	short loc_45F5B3
		cmp	esi, 20h
		jb	short loc_45F5A5
		test	cl, 2
		jz	short loc_45F59C
		cmp	esi, 21h
		jnb	short loc_45F5B3

loc_45F59C:				; CODE XREF: .text:0045F595j
		test	byte ptr dword_6D4E44, 20h
		jnz	short loc_45F5B3

loc_45F5A5:				; CODE XREF: .text:0045F590j
		mov	eax, 0FFFFFFFEh
		and	eax, 1
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_45F5B3:				; CODE XREF: .text:0045F577j
					; .text:0045F58Bj ...
		mov	eax, [esp+0Ch]

loc_45F5B7:				; CODE XREF: .text:0045F4F9j
		pop	edi
		and	eax, 1
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_45F5C0:				; CODE XREF: .text:0045EDD1j
		sub	edi, ds:_MmPfnDatabase
		push	eax
		mov	eax, dword_6D5D84
		push	eax
		mov	eax, 92492493h
		imul	edi
		add	edx, edi
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		push	eax
		push	2
		push	4Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_45F5EA:				; CODE XREF: .text:0045F0DEj
		shl	eax, 8
		or	eax, [esp+1Ch]
		push	eax
		push	ecx
		push	edi
		push	8886h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_45F600:				; CODE XREF: .text:0045F120j
		shl	eax, 8
		or	eax, [esp+1Ch]
		push	eax
		push	ecx
		push	edi
		push	8887h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetPfnBlink(x, x,	x)
_MiSetPfnBlink@12 proc near		; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+129p
					; .text:0045F08Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 1
		push	esi
		push	edi
		mov	edi, edx
		lea	esi, [ecx+10h]
		jnz	short loc_45F643
		mov	eax, [esi]
		xor	eax, edi
		and	eax, offset loc_7FFFFF
		xor	[esi], eax

loc_45F63D:				; CODE XREF: MiSetPfnBlink(x,x,x)+3Dj
					; MiSetPfnBlink(x,x,x)+52j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_45F643:				; CODE XREF: MiSetPfnBlink(x,x,x)+10j
		mov	ecx, [esi]
		and	edi, offset loc_7FFFFF
		mov	edx, ecx
		mov	eax, ecx
		and	edx, 0FF800000h
		or	edx, edi
		lock cmpxchg [esi], edx
		cmp	ecx, eax
		jz	short loc_45F63D
		nop

loc_45F660:				; CODE XREF: MiSetPfnBlink(x,x,x)+54j
		mov	edx, eax
		mov	ecx, eax
		and	edx, 0FF800000h
		or	edx, edi
		lock cmpxchg [esi], edx
		cmp	ecx, eax
		jz	short loc_45F63D
		jmp	short loc_45F660
_MiSetPfnBlink@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiGetPfnPriority(x)
_MiGetPfnPriority@4 proc near		; CODE XREF: .text:00458956p
					; .text:0045EE8Dp ...
		mov	al, [ecx+17h]
		test	al, 8
		jnz	short loc_45F68E
		movzx	eax, al
		and	eax, 7
		retn
; 

loc_45F68E:				; CODE XREF: MiGetPfnPriority(x)+5j
		mov	eax, 5
		retn
_MiGetPfnPriority@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMigratePfn(x, x, x, x)
_MiMigratePfn@16 proc near		; CODE XREF: .text:0045ED16p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		xor	eax, eax
		cmp	byte_6D5872, 0
		push	esi
		mov	esi, ecx
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		push	edi
		mov	eax, [esi]
		mov	edi, edx
		mov	ebx, [esi+14h]
		mov	[ebp+var_10], eax
		mov	eax, [esi+8]
		mov	[ebp+var_4], edi
		mov	[ebp+var_14], eax
		jz	short loc_45F70C
		mov	ecx, edi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		mov	eax, dword_6D5BBC
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		shr	ecx, 9
		mov	edx, ecx
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jnz	loc_45FCA8

loc_45F70C:				; CODE XREF: MiMigratePfn(x,x,x,x)+32j
		cmp	ds:_KeNumberNodes, 1
		jbe	loc_45FCA8
		cmp	word ptr [edi+14h], 0
		jnz	loc_45FCA8
		mov	eax, large fs:124h
		test	byte ptr [eax+304h], 40h
		jnz	loc_45FCA8
		mov	ecx, edi
		call	_MiCanPageMove@4 ; MiCanPageMove(x)
		test	eax, eax
		jz	loc_45FCA8
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], 0
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	MiComputeFaultNode
		push	eax
		lea	edx, [ebp+var_38]
		mov	ecx, ebx
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	cl, byte_6D068C
		mov	eax, 92492493h
		mov	ebx, [ebp+var_30]
		mov	esi, ebx
		shr	esi, cl
		mov	ecx, edi
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		cmp	esi, [eax+4]
		jz	loc_45FCA8
		mov	eax, [ebp+var_38]
		mov	ecx, 1
		lock xadd [eax], ecx
		inc	ecx
		mov	eax, [ebp+var_34]
		dec	ecx
		movzx	edx, ds:_KeNumberNodes
		and	eax, ecx
		or	eax, ebx
		mov	ecx, edx
		imul	ecx, esi
		mov	[ebp+var_8], eax
		mov	eax, dword_6D0698
		lea	edi, [eax+ecx*4]
		lea	ebx, [edi+edx*4]
		cmp	edi, ebx
		jnb	short loc_45F81D
		nop

loc_45F7D0:				; CODE XREF: MiMigratePfn(x,x,x,x)+17Bj
		mov	ecx, [ebp+var_4]
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	ecx, [edi]
		cmp	ecx, [eax+4]
		jz	loc_45FCA5
		lea	ecx, [ecx+ecx*4]
		shl	ecx, 7
		add	ecx, dword_6D4E50
		mov	eax, [ecx+1D4h]
		or	eax, [ecx+1D0h]
		jnz	short loc_45F81D
		add	edi, 4
		cmp	edi, ebx
		jb	short loc_45F7D0

loc_45F81D:				; CODE XREF: MiMigratePfn(x,x,x,x)+12Dj
					; MiMigratePfn(x,x,x,x)+174j
		mov	edi, [ebp+var_4]
		xor	eax, eax
		mov	ecx, edi
		mov	[ebp+var_C], eax
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_45F847
		mov	eax, [edi+8]
		and	eax, 400h
		or	eax, 0
		jz	short loc_45F847
		mov	eax, 1
		mov	[ebp+var_C], eax
		jmp	short loc_45F85C
; 

loc_45F847:				; CODE XREF: MiMigratePfn(x,x,x,x)+18Ej
					; MiMigratePfn(x,x,x,x)+19Bj
		call	_MiIsPfnCommitNotCharged@4 ; MiIsPfnCommitNotCharged(x)
		test	eax, eax
		jz	short loc_45F85A
		mov	eax, 5
		mov	[ebp+var_C], eax
		jmp	short loc_45F85C
; 

loc_45F85A:				; CODE XREF: MiMigratePfn(x,x,x,x)+1AEj
		xor	eax, eax

loc_45F85C:				; CODE XREF: MiMigratePfn(x,x,x,x)+1A5j
					; MiMigratePfn(x,x,x,x)+1B8j
		push	eax
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiObtainFaultCharges
		test	eax, eax
		jz	loc_45FCA8
		mov	eax, [ebp+var_14]
		mov	ecx, 1
		test	al, cl
		jz	short loc_45F888
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	4
		jz	short loc_45F89F

loc_45F888:				; CODE XREF: MiMigratePfn(x,x,x,x)+1DEj
		mov	eax, [ebp+var_10]
		cmp	eax, dword_6D07D0
		jb	short loc_45F8A4
		shr	eax, 15h
		cmp	byte ptr dword_6D3994[eax], 0Ch
		jnz	short loc_45F8A4

loc_45F89F:				; CODE XREF: MiMigratePfn(x,x,x,x)+1E6j
		mov	ecx, 9

loc_45F8A4:				; CODE XREF: MiMigratePfn(x,x,x,x)+1F1j
					; MiMigratePfn(x,x,x,x)+1FDj
		mov	edx, [ebp+var_8]
		push	ecx
		mov	ecx, offset _MiSystemPartition
		call	MiGetPage
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_45F8FC
		mov	ebx, 1
		mov	ecx, offset _MiSystemPartition
		mov	edx, ebx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_45F8DA
		mov	esi, offset dword_6D5E40
		lock xadd [esi], eax

loc_45F8DA:				; CODE XREF: MiMigratePfn(x,x,x,x)+22Fj
					; MiMigratePfn(x,x,x,x)+350j ...
		mov	eax, [ebp+var_C]
		test	al, 1
		jz	loc_45FCA8
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_45F8FC:				; CODE XREF: MiMigratePfn(x,x,x,x)+21Aj
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		mov	ecx, ds:_MmPfnDatabase
		lea	eax, [ecx+eax*4]
		mov	edi, eax
		mov	[ebp+var_8], eax
		sub	edi, ecx
		mov	eax, 92492493h
		imul	edi
		add	edx, edi
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	edi, [ebp+var_4]
		cmp	esi, [eax+4]
		jz	short loc_45F9A6
		movzx	ecx, ds:_KeNumberNodes
		mov	eax, dword_6D0698
		imul	ecx, esi
		lea	esi, [eax+ecx*4]
		cmp	esi, ebx
		jnb	short loc_45F9A6
		jmp	short loc_45F950
; 
		align 10h

loc_45F950:				; CODE XREF: MiMigratePfn(x,x,x,x)+2ABj
					; MiMigratePfn(x,x,x,x)+304j
		mov	ecx, edi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	ecx, [esi]
		cmp	ecx, [eax+4]
		jz	short loc_45F9BF
		mov	ecx, [ebp+var_8]
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	ecx, [esi]
		cmp	ecx, [eax+4]
		jz	short loc_45F9A6
		add	esi, 4
		cmp	esi, ebx
		jb	short loc_45F950

loc_45F9A6:				; CODE XREF: MiMigratePfn(x,x,x,x)+293j
					; MiMigratePfn(x,x,x,x)+2A9j ...
		cmp	[ebp+arg_0], 0
		jz	short loc_45FA04
		mov	ecx, 6
		call	_MiGetInPageSupportBlock@4 ; MiGetInPageSupportBlock(x)
		mov	ecx, eax
		mov	[ebp+var_10], eax
		test	ecx, ecx
		jnz	short loc_45FA09

loc_45F9BF:				; CODE XREF: MiMigratePfn(x,x,x,x)+2D5j
		mov	ebx, [ebp+var_8]
		mov	ecx, ebx
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		xor	edx, edx
		mov	ecx, ebx
		call	_MiReturnFreeZeroPage@8	; MiReturnFreeZeroPage(x,x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [ebx+10h]
		lock and [eax],	ecx
		mov	ebx, 1
		mov	ecx, offset _MiSystemPartition
		mov	edx, ebx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	loc_45F8DA
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax
		jmp	loc_45F8DA
; 

loc_45FA04:				; CODE XREF: MiMigratePfn(x,x,x,x)+30Aj
		xor	ecx, ecx
		mov	[ebp+var_10], ecx

loc_45FA09:				; CODE XREF: MiMigratePfn(x,x,x,x)+31Dj
		movzx	esi, byte ptr [edi+16h]
		mov	ebx, [ebp+var_8]
		mov	ecx, ebx
		shr	esi, 6
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		push	1
		mov	edx, esi
		mov	ecx, ebx
		call	_MiFinalizePageAttribute@12 ; MiFinalizePageAttribute(x,x,x)
		push	ecx
		mov	edx, edi
		mov	ecx, ebx
		call	_MiCopyPfnEntryEx@12 ; MiCopyPfnEntryEx(x,x,x)
		and	dword ptr [ebx+10h], 0C0000000h
		mov	eax, 1
		mov	ecx, [ebp+var_10]
		mov	[ebx+14h], ax
		mov	al, [edi+16h]
		and	al, 0FDh
		or	al, 5
		mov	[edi+16h], al
		test	ecx, ecx
		jz	short loc_45FA67
		or	dword ptr [ecx+78h], 20h
		mov	al, [ebx+16h]
		or	al, 20h
		mov	[ebx+16h], al
		lea	eax, [ecx+10h]
		mov	[ebx], eax
		mov	[ecx+94h], ebx

loc_45FA67:				; CODE XREF: MiMigratePfn(x,x,x,x)+3AEj
		mov	edi, [ebx+4]
		or	edi, 80000000h
		mov	[ebp+var_24], edi
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_14]
		call	_MiUpdateTransitionPteFrame@12 ; MiUpdateTransitionPteFrame(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_1C], edx
		mov	[ebp+var_C], ebx
		jmp	short loc_45FA90
; 
		align 10h

loc_45FA90:				; CODE XREF: MiMigratePfn(x,x,x,x)+3EBj
					; MiMigratePfn(x,x,x,x)+409j ...
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_20], ecx
		nop
		mov	ecx, [ebp+var_1C]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_C]
		cmp	eax, esi
		jnz	short loc_45FA90
		cmp	edx, [ebp+var_20]
		jnz	short loc_45FA90
		mov	ebx, [ebp+var_8]
		mov	ecx, 7FFFFFFFh
		add	ebx, 10h
		lock and [ebx],	ecx
		mov	edi, [ebp+var_4]
		mov	esi, [ebp+arg_0]
		add	edi, 10h
		test	esi, esi
		jz	short loc_45FB00
		mov	ecx, esi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	edx, 3
		mov	ecx, esi
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		add	esi, 10h
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		lock and [edi],	eax
		mov	ecx, [ebp+arg_0]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_10]
		mov	[eax], ecx
		jmp	short loc_45FB10
; 

loc_45FB00:				; CODE XREF: MiMigratePfn(x,x,x,x)+429j
		lock and [edi],	ecx
		mov	cl, 2
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, 10h

loc_45FB10:				; CODE XREF: MiMigratePfn(x,x,x,x)+45Ej
		mov	ecx, [ebp+var_4]
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		push	2
		add	edx, ecx
		mov	ecx, [ebp+var_14]
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		push	0
		mov	edx, eax
		mov	[ebp+arg_4], eax
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)
		cmp	[ebp+arg_0], 0
		jz	short loc_45FBAA
		mov	ecx, [ebp+var_24]
		xor	edx, edx
		call	MiLockProtoPoolPage
		mov	[ebp+var_28], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_45FB75
		jmp	short loc_45FB60
; 
		align 10h

loc_45FB60:				; CODE XREF: MiMigratePfn(x,x,x,x)+4BBj
					; MiMigratePfn(x,x,x,x)+4CCj ...
		lea	ecx, [ebp+var_28]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_45FB60
		lock bts dword ptr [esi], 1Fh
		jb	short loc_45FB60

loc_45FB75:				; CODE XREF: MiMigratePfn(x,x,x,x)+4B9j
		mov	ecx, [ebp+arg_0]
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	[ebp+var_2C], 0
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_45FBB2

loc_45FB93:				; CODE XREF: MiMigratePfn(x,x,x,x)+4FFj
					; MiMigratePfn(x,x,x,x)+506j
		lea	ecx, [ebp+var_2C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_45FB93
		lock bts dword ptr [edi], 1Fh
		jb	short loc_45FB93
		jmp	short loc_45FBB2
; 

loc_45FBAA:				; CODE XREF: MiMigratePfn(x,x,x,x)+4A1j
		mov	ecx, [ebp+var_4]
		call	_MiLockPageInline@4 ; MiLockPageInline(x)

loc_45FBB2:				; CODE XREF: MiMigratePfn(x,x,x,x)+4F1j
					; MiMigratePfn(x,x,x,x)+508j
		mov	eax, [ebp+var_4]
		mov	edx, 2
		mov	ecx, [ebp+arg_4]
		and	dword ptr [eax+18h], 8FFFFFFFh
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	[ebp+var_20], 0
		lock bts dword ptr [ebx], 1Fh
		jnb	short loc_45FBF5
		nop

loc_45FBE0:				; CODE XREF: MiMigratePfn(x,x,x,x)+54Cj
					; MiMigratePfn(x,x,x,x)+553j
		lea	ecx, [ebp+var_20]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_45FBE0
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_45FBE0

loc_45FBF5:				; CODE XREF: MiMigratePfn(x,x,x,x)+53Dj
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		mov	al, [esi+16h]
		and	al, 0DFh
		mov	dword ptr [esi], 0
		mov	[esi+16h], al
		movzx	eax, word ptr [esi+14h]
		mov	[ebp+var_2C], eax
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_45FC9A
		and	dword ptr [eax+78h], 0FFFFFFDFh
		test	dword ptr [ebx], 40000000h
		jz	short loc_45FC9A
		xor	edi, edi
		cmp	word ptr [ebp+var_2C], 1
		mov	[ebp+arg_4], edi
		jnz	short loc_45FC5D
		mov	eax, [esi+8]
		lea	ecx, [esi+8]
		and	eax, 400h
		or	eax, edi
		jnz	short loc_45FC50
		push	1
		xor	edx, edx
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	edi, eax
		mov	[ebp+arg_4], edx

loc_45FC50:				; CODE XREF: MiMigratePfn(x,x,x,x)+5A0j
		mov	ecx, [ebp+var_14]
		mov	edx, 2
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)

loc_45FC5D:				; CODE XREF: MiMigratePfn(x,x,x,x)+591j
		mov	eax, 7FFFFFFFh
		lock and [ebx],	eax
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_45FC75
		mov	dl, 2
		mov	ecx, eax
		call	MiUnlockProtoPoolPage

loc_45FC75:				; CODE XREF: MiMigratePfn(x,x,x,x)+5CAj
		mov	ecx, [ebp+arg_4]
		mov	eax, edi
		or	eax, ecx
		jz	short loc_45FC8F
		push	ecx
		push	edi
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_45FC8F:				; CODE XREF: MiMigratePfn(x,x,x,x)+5DCj
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_45FC9A:				; CODE XREF: MiMigratePfn(x,x,x,x)+579j
					; MiMigratePfn(x,x,x,x)+585j
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_45FCA5:				; CODE XREF: MiMigratePfn(x,x,x,x)+156j
		mov	edi, [ebp+var_4]

loc_45FCA8:				; CODE XREF: MiMigratePfn(x,x,x,x)+66j
					; MiMigratePfn(x,x,x,x)+74j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_MiMigratePfn@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFillCommitReturnInfo(x, x, x)
_MiFillCommitReturnInfo@12 proc	near	; CODE XREF: MiRemoveVadCharges+6Cp
					; MiDecommitRegion(x,x,x)+C7p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	ecx, [edx+8]
		mov	[eax], ecx
		sub	ecx, [edx+4]
		mov	[eax+4], ecx
		pop	ebp
		retn	4
_MiFillCommitReturnInfo@12 endp

; 
		align 10h
; Exported entry 1892. PsReturnProcessNonPagedPoolQuota

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReturnProcessNonPagedPoolQuota(x,	x)
		public _PsReturnProcessNonPagedPoolQuota@8
_PsReturnProcessNonPagedPoolQuota@8 proc near ;	CODE XREF: MiDeleteCloneDescriptor(x,x)+7Ap
					; MiReturnVadQuota+1Dp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		cmp	edx, ds:_PsInitialSystemProcess
		jz	short loc_45FCF0
		push	[ebp+arg_4]
		mov	ecx, [edx+188h]
		push	0
		call	PspReturnQuota

loc_45FCF0:				; CODE XREF: PsReturnProcessNonPagedPoolQuota(x,x)+Ej
		pop	ebp
		retn	8
_PsReturnProcessNonPagedPoolQuota@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeletePagablePteRange(x, x, x, x,	x, x, x)
_MiDeletePagablePteRange@28 proc near	; CODE XREF: MiDeleteWsleRange(x,x,x,x)+6Cp
					; MiDeleteVad(x,x,x)+493p ...

var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_118		= dword	ptr -118h
var_110		= dword	ptr -110h
var_C4		= dword	ptr -0C4h
var_C0		= byte ptr -0C0h
var_BC		= dword	ptr -0BCh
var_AC		= dword	ptr -0ACh
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 194h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+194h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	[esp+19Ch+var_170], eax
		mov	bl, dl
		mov	eax, [ebp+arg_4]
		push	edi
		mov	[esp+1A0h+var_16C], eax
		mov	edi, ecx
		mov	eax, [ebp+arg_10]
		push	98h		; size_t
		mov	[esp+1A4h+var_178], eax
		lea	eax, [esp+1A4h+var_A0]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	esi, [ebp+arg_C]
		xor	eax, eax
		mov	bh, [ebp+arg_8]
		add	esp, 0Ch
		mov	[esp+1A0h+var_18C], eax
		and	bh, 7
		mov	[esp+1A0h+var_188], eax
		mov	[esp+1A0h+var_184], eax
		mov	eax, esi
		and	eax, 800h
		shl	bh, 2
		mov	[esp+1A0h+var_190], eax
		mov	eax, esi
		and	eax, 100h
		mov	[esp+1A0h+var_17C], eax
		mov	eax, esi
		and	eax, 200h
		mov	[esp+1A0h+var_180], eax
		mov	eax, esi
		and	eax, 10h
		mov	[esp+1A0h+var_174], eax
		push	74h		; size_t
		lea	eax, [esp+1A4h+var_118]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [esp+1ACh+var_178]
		add	esp, 0Ch
		or	[esp+1A0h+var_AC], 2
		mov	ecx, edi
		mov	[esp+1A0h+var_168], 0
		mov	[esp+1A0h+var_164], 0
		mov	[esp+1A0h+var_160], 0
		mov	[esp+1A0h+var_14C], 0
		mov	[esp+1A0h+var_148], 0
		mov	[esp+1A0h+var_144], 0
		mov	[esp+1A0h+var_140], 0
		mov	[esp+1A0h+var_13C], 0
		mov	[esp+1A0h+var_138], 0
		mov	[esp+1A0h+var_134], 0
		mov	[esp+1A0h+var_130], 0
		mov	[esp+1A0h+var_12C], 0
		mov	[esp+1A0h+var_110], edx
		mov	[esp+1A0h+var_C4], esi
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		test	ds:byte_70EFC4,	1
		mov	[esp+1A0h+var_A0], eax
		lea	eax, [esp+1A0h+var_A0]
		mov	[esp+1A0h+var_94], 0
		mov	[esp+1A0h+var_9C], 0
		mov	[esp+1A0h+var_90], 0
		mov	[esp+1A0h+var_98], 21h
		mov	[esp+1A0h+var_8C], 0
		mov	[esp+1A0h+var_15C], eax
		jz	short loc_45FE81
		mov	[esp+1A0h+var_C0], 1

loc_45FE81:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+177j
		mov	al, byte ptr [esp+1A0h+var_168+2]
		mov	esi, [esp+1A0h+var_180]
		and	al, 0E3h
		or	al, bh
		mov	byte ptr [esp+1A0h+var_168+2], al
		lea	eax, [esp+1A0h+var_118]
		mov	[esp+1A0h+var_120], eax
		mov	eax, 27h
		mov	word ptr [esp+1A0h+var_168], ax
		test	esi, esi
		jz	short loc_45FEB7
		mov	eax, 423h
		mov	word ptr [esp+1A0h+var_168], ax

loc_45FEB7:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+1ABj
		cmp	[esp+1A0h+var_17C], 0
		jz	short loc_45FECB
		mov	ecx, 800h
		or	ax, cx
		mov	word ptr [esp+1A0h+var_168], ax

loc_45FECB:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+1BCj
		cmp	[esp+1A0h+var_190], 0
		jz	short loc_45FED7
		mov	byte ptr [esp+1A0h+var_164+1], 3Fh

loc_45FED7:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+1D0j
		mov	ecx, [esp+1A0h+var_170]
		xor	bh, bh
		cmp	[esp+1A0h+var_174], 0
		mov	[esp+1A0h+var_154], ecx
		mov	ecx, [esp+1A0h+var_16C]
		mov	[esp+1A0h+var_128], offset _MiDeleteVa@12 ; MiDeleteVa(x,x,x)
		mov	[esp+1A0h+var_124], offset MiDeleteVaTail
		mov	[esp+1A0h+var_150], ecx
		mov	[esp+1A0h+var_158], edi
		jz	short loc_45FF27
		mov	eax, [edx+10h]
		mov	ecx, [eax+10h]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		add	ecx, 1Ch
		xor	edx, edx
		call	ExAcquireAutoExpandPushLockExclusive
		mov	ax, word ptr [esp+1A0h+var_168]

loc_45FF27:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+202j
		mov	ecx, 0FFFDh
		cmp	bl, 21h
		jz	short loc_45FF40
		and	ax, cx
		mov	bh, 1
		mov	word ptr [esp+1A0h+var_168], ax
		jmp	loc_45FFE7
; 

loc_45FF40:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+22Fj
		mov	al, [edi+60h]
		and	al, 7
		test	byte ptr [esp+1A0h+var_168], 4
		jz	short loc_45FFBB
		cmp	al, 4
		jbe	short loc_45FF5E
		cmp	al, 5
		jz	short loc_45FF5E
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		jmp	short loc_45FFDB
; 

loc_45FF5E:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+24Ej
					; MiDeletePagablePteRange(x,x,x,x,x,x,x)+252j
		mov	esi, offset unk_6D3C40
		cmp	al, 2
		jz	short loc_45FF6D
		lea	esi, [edi+80h]

loc_45FF6D:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+265j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		jz	short loc_45FF8B
		mov	dl, bl
		mov	ecx, esi
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	short loc_45FFA9
; 

loc_45FF8B:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+27Ej
		mov	edx, [esi]
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_45FFA9
		mov	dl, bl
		mov	ecx, esi
		call	ExpWaitForSpinLockSharedAndAcquire

loc_45FFA9:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+289j
					; MiDeletePagablePteRange(x,x,x,x,x,x,x)+29Ej
		add	esi, 4
		cmp	dword ptr [esi], 0
		jz	short loc_45FFB5
		xor	eax, eax
		xchg	eax, [esi]

loc_45FFB5:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+2AFj
		mov	esi, [esp+1A0h+var_180]
		jmp	short loc_45FFDD
; 

loc_45FFBB:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+24Aj
		mov	esi, offset unk_6D3C40
		cmp	al, 2
		jz	short loc_45FFCA
		lea	esi, [edi+80h]

loc_45FFCA:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+2C2j
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	dword ptr [esi+4], 0
		mov	esi, [esp+1A0h+var_180]

loc_45FFDB:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+25Cj
		mov	bl, al

loc_45FFDD:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+2B9j
		mov	ax, word ptr [esp+1A0h+var_168]
		mov	ecx, 0FFFDh

loc_45FFE7:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+23Bj
		cmp	[esp+1A0h+var_17C], 0
		mov	byte ptr [esp+1A0h+var_164+2], bl
		jz	short loc_460055
		test	esi, esi
		jnz	short loc_460004
		mov	eax, [esp+1A0h+var_168]
		and	eax, 0FFFBh

loc_45FFFF:				; DATA XREF: .text:0041AB04o
					; .text:off_5A7432o ...
		or	eax, 1000h

loc_460004:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+2F4j
					; DATA XREF: .text:004072BCo ...
		and	ax, cx
		mov	word ptr [esp+1A0h+var_168], ax
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C80
		jz	short loc_460020
		lea	eax, [edi+0C0h]

loc_460020:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+318j
		test	ds:byte_70EFC6,	21h
		mov	[esp+1A0h+var_188], eax
		mov	[esp+1A0h+var_18C], 0
		jz	short loc_460042
		mov	edx, eax
		lea	ecx, [esp+1A0h+var_18C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_460055
; 

loc_460042:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+333j
					; DATA XREF: .text:004011A0o ...
		lea	edx, [esp+1A0h+var_18C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_460055
		lea	ecx, [esp+1A0h+var_18C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_460055:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+2F0j
					; MiDeletePagablePteRange(x,x,x,x,x,x,x)+340j ...
		lea	ecx, [esp+1A0h+var_168]
		call	MiWalkPageTables
		cmp	[esp+1A0h+var_17C], 0
		jz	short loc_4600BC
		test	ds:byte_70EFC6,	1
		jz	short loc_46007C
		mov	edx, [ebp+4]
		lea	ecx, [esp+1A0h+var_18C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4600B2
; 

loc_46007C:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+36Cj
		mov	eax, [esp+1A0h+var_18C]
		test	eax, eax
		jnz	short loc_46009F
		mov	edx, [esp+1A0h+var_188]
		lea	eax, [esp+1A0h+var_18C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+1A0h+var_18C]
		cmp	eax, ecx
		jz	short loc_4600B2
		call	KxWaitForLockChainValid

loc_46009F:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+382j
		mov	[esp+1A0h+var_18C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_4600B2:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+37Aj
					; MiDeletePagablePteRange(x,x,x,x,x,x,x)+398j
		test	esi, esi
		jnz	short loc_4600BC
		or	word ptr [esp+1A0h+var_168], 4

loc_4600BC:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+363j
					; MiDeletePagablePteRange(x,x,x,x,x,x,x)+3B4j
		test	bh, bh
		jnz	short loc_4600D7
		test	byte ptr [esp+1A0h+var_168], 4
		mov	dl, bl
		mov	ecx, edi
		jz	short loc_4600D2
		call	MiUnlockWorkingSetShared
		jmp	short loc_4600D7
; 

loc_4600D2:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+3C9j
		call	MiUnlockWorkingSetExclusive

loc_4600D7:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+3BEj
					; MiDeletePagablePteRange(x,x,x,x,x,x,x)+3D0j
		mov	ebx, [esp+1A0h+var_178]
		mov	ecx, [ebx+14h]
		test	ecx, ecx
		jns	short loc_4600FD
		lea	edx, [esp+1A0h+var_190]
		mov	[esp+1A0h+var_190], 0
		call	_MiFreeLargePages@8 ; MiFreeLargePages(x,x)
		mov	[ebx+4], eax
		mov	eax, [esp+1A0h+var_190]
		mov	[ebx+14h], eax

loc_4600FD:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+3E0j
		mov	ecx, [ebx+10h]
		test	ecx, ecx
		jz	short loc_460116
		mov	edx, [esp+1A0h+var_BC]
		test	edx, edx
		jz	short loc_460116
		push	1
		call	_MiFreePhysicalPageChain@12 ; MiFreePhysicalPageChain(x,x,x)

loc_460116:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+402j
					; MiDeletePagablePteRange(x,x,x,x,x,x,x)+40Dj
		cmp	[esp+1A0h+var_174], 0
		jz	short loc_46013B
		mov	esi, large fs:124h
		mov	eax, [ebx+10h]
		xor	edx, edx
		mov	ecx, [eax+10h]
		add	ecx, 1Ch
		call	ExReleaseAutoExpandPushLockExclusive
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_46013B:				; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+41Bj
		mov	ecx, [esp+1A0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
_MiDeletePagablePteRange@28 endp


;  S U B	R O U T	I N E 


; __stdcall MiTbFlushType(x)
_MiTbFlushType@4 proc near		; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+123p
					; .text:0046627Dp ...
		mov	al, [ecx+60h]
		and	al, 7
		jnz	short loc_46015D
		xor	eax, eax
		inc	eax
		retn
; 

loc_46015D:				; CODE XREF: MiTbFlushType(x)+5j
		cmp	al, 2
		sbb	eax, eax
		and	eax, 2
		retn
_MiTbFlushType@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiIsVadLarge(x)
_MiIsVadLarge@4	proc near		; CODE XREF: MiInPagePageTable+375p
					; MiRemoveVadCharges+38p ...
		mov	eax, [ecx+1Ch]
		test	eax, 100000h
		jnz	short loc_46017D
		mov	eax, [ecx+28h]
		test	eax, 1000000h
		jnz	short loc_460190

loc_46017A:				; CODE XREF: MiIsVadLarge(x)+28j
		xor	eax, eax
		retn
; 

loc_46017D:				; CODE XREF: MiIsVadLarge(x)+8j
		test	eax, 400000h
		jnz	short loc_460190
		and	eax, 0C0000h
		cmp	eax, 80000h
		jb	short loc_46017A

loc_460190:				; CODE XREF: MiIsVadLarge(x)+12j
					; MiIsVadLarge(x)+1Cj
		xor	eax, eax
		inc	eax
		retn
_MiIsVadLarge@4	endp


;  S U B	R O U T	I N E 


; __stdcall MiFreePhysicalView(x, x)
_MiFreePhysicalView@8 proc near		; CODE XREF: MiReleaseVadEventBlocks+42p
		mov	eax, [edx+1Ch]
		push	ebx
		and	al, 70h
		push	esi
		push	edi
		cmp	al, 10h
		jz	short loc_4601A4
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4601A4:				; CODE XREF: MiFreePhysicalView(x,x)+Aj
		mov	ebx, [ecx+24Ch]
		lea	edi, [ecx+240h]
		mov	al, [edi+60h]
		mov	esi, offset unk_6D3C40
		and	al, 7
		cmp	al, 2
		jz	short loc_4601C4
		lea	esi, [edi+80h]

loc_4601C4:				; CODE XREF: MiFreePhysicalView(x,x)+28j
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		mov	ecx, edi
		dec	dword ptr [ebx+74h]
		mov	dl, al
		pop	edi
		pop	esi
		pop	ebx
		jmp	MiUnlockWorkingSetExclusive
_MiFreePhysicalView@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetVadWakeList proc near		; CODE XREF: MiReleaseVadEventBlocks+28p
					; MiFreePlaceholderStorage+8p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005B0E96 SIZE 00000094 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, large fs:124h
		push	ebx
		lea	ebx, [ecx+24h]
		mov	[ebp+var_14], edx
		push	esi
		mov	eax, [eax+80h]
		xor	esi, esi
		push	edi
		mov	[ebp+var_C], esi
		lea	ecx, [eax+240h]
		mov	al, [ecx+60h]
		and	al, 7
		mov	[ebp+var_8], ecx
		cmp	al, 2
		jz	loc_5B0E96
		lea	edi, [ecx+80h]

loc_46021E:				; CODE XREF: MiGetVadWakeList+150CBBj
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1], al
		jnz	loc_5B0EA0
		xor	esi, esi
		lock bts dword ptr [edi], 1Fh
		jb	loc_4603D0

loc_460243:				; CODE XREF: MiGetVadWakeList+1FBj
		mov	edx, [edi]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_460390

loc_460257:				; CODE XREF: MiGetVadWakeList+1D7j
		xor	esi, esi

loc_460259:				; CODE XREF: MiGetVadWakeList+150CC9j
		mov	dword ptr [edi+4], 0
		mov	eax, [ebx]
		test	eax, eax
		jnz	loc_46036B

loc_46026A:				; CODE XREF: MiGetVadWakeList+1AAj
		mov	ecx, [ebp+var_8]
		xor	esi, esi
		xor	ebx, ebx
		mov	[ebp+var_10], esi
		mov	[ebp+var_14], ebx
		mov	edx, [ecx+60h]
		mov	al, dl
		and	al, 7
		mov	[ebp+var_18], edx
		cmp	al, 2
		jz	loc_5B0ECD
		lea	edi, [ecx+80h]

loc_46028F:				; CODE XREF: MiGetVadWakeList+150CF2j
		mov	cl, dl
		test	al, al
		jnz	short loc_4602C2
		mov	eax, [ebp+var_8]
		cmp	[eax+0Ch], ebx
		jz	loc_5B0ED7
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		mov	eax, [esi+24Ch]
		cmp	[eax+94h], bx
		jnz	loc_4603E0
		xor	esi, esi

loc_4602C2:				; CODE XREF: MiGetVadWakeList+B3j
		mov	edx, [ebp+var_8]

loc_4602C5:				; CODE XREF: MiGetVadWakeList+212j
					; MiGetVadWakeList+150CF9j
		mov	eax, large fs:124h
		test	dword ptr [eax+2FCh], 400000h
		jnz	loc_5B0EDE

loc_4602DB:				; CODE XREF: MiGetVadWakeList+150D06j
		test	cl, 7
		setz	cl
		test	ds:_MiFlags, 0C00000h
		setnz	al
		test	cl, al
		jz	short loc_4602FB
		cmp	byte ptr [edx-1CCh], 1
		jnz	short loc_460337

loc_4602FB:				; CODE XREF: MiGetVadWakeList+110j
					; MiGetVadWakeList+161j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5B0EEB
		mov	dword ptr [edi], 0

loc_46030E:				; CODE XREF: MiGetVadWakeList+150D15j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	loc_4603F7

loc_46031F:				; CODE XREF: MiGetVadWakeList+150D2Dj
		test	ebx, ebx
		jnz	short loc_46032D
		test	byte ptr [ebp+var_18+3], 1Ch
		jnz	loc_5B0F12

loc_46032D:				; CODE XREF: MiGetVadWakeList+141j
					; MiGetVadWakeList+150D45j
		mov	eax, [ebp+var_C]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_460337:				; CODE XREF: MiGetVadWakeList+119j
		rdtsc
		and	eax, 3FF0h
		or	eax, 0
		jnz	short loc_4602FB
		mov	ecx, [ebp+var_8]
		cmp	[ecx+0C4h], eax
		jz	short loc_4602FB
		cmp	[ecx+0Ch], eax
		jz	short loc_4602FB
		cmp	[ecx+10h], eax
		jz	short loc_4602FB
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_4602FB
		lea	ecx, [eax+2]
		call	MiPaeCheckProcessShadow
		jmp	short loc_4602FB
; 

loc_46036B:				; CODE XREF: MiGetVadWakeList+84j
		mov	edx, [ebp+var_14]
		mov	edi, edi

loc_460370:				; CODE XREF: MiGetVadWakeList+1A5j
		mov	ecx, [eax]
		test	[eax+24h], edx
		jz	loc_5B0EC6
		mov	[eax], esi
		mov	esi, eax
		mov	[ebx], ecx

loc_460381:				; CODE XREF: MiGetVadWakeList+150CE8j
		mov	eax, ecx
		test	ecx, ecx
		jnz	short loc_460370
		mov	[ebp+var_C], esi
		jmp	loc_46026A
; 
		align 10h

loc_460390:				; CODE XREF: MiGetVadWakeList+71j
					; MiGetVadWakeList+1D5j
		test	edx, 40000000h
		jz	short loc_4603BC

loc_460398:				; CODE XREF: MiGetVadWakeList+1ECj
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jz	loc_5B0EAE

loc_4603A5:				; CODE XREF: MiGetVadWakeList+150CD5j
		pause

loc_4603A7:				; CODE XREF: MiGetVadWakeList+150CE1j
		mov	eax, [edi]

loc_4603A9:				; CODE XREF: MiGetVadWakeList+1EEj
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_460390
		jmp	loc_460257
; 

loc_4603BC:				; CODE XREF: MiGetVadWakeList+1B6j
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_460398
		jmp	short loc_4603A9
; 

loc_4603D0:				; CODE XREF: MiGetVadWakeList+5Dj
		mov	dl, al
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	esi, eax
		jmp	loc_460243
; 

loc_4603E0:				; CODE XREF: MiGetVadWakeList+DAj
		mov	ecx, esi
		call	_MiDeleteDeferredCloneDescriptors@4 ; MiDeleteDeferredCloneDescriptors(x)
		mov	edx, [ebp+var_8]
		mov	esi, eax
		mov	[ebp+var_10], esi
		mov	cl, [edx+60h]
		jmp	loc_4602C5
; 

loc_4603F7:				; CODE XREF: MiGetVadWakeList+139j
		mov	ebx, [ebp+var_10]
		jmp	loc_5B0EFA
MiGetVadWakeList endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteVad(x, x, x)
_MiDeleteVad@12	proc near		; CODE XREF: MiFreeVadRange+70p
					; MiUnmapViewOfSection:loc_7762A5p ...

var_A0		= dword	ptr -0A0h
var_94		= dword	ptr -94h
var_8E		= byte ptr -8Eh
var_8D		= byte ptr -8Dh
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 94h
		push	ebx
		push	esi
		push	edi
		mov	[esp+0A0h+var_30], edx
		mov	ebx, ecx
		mov	[esp+0A0h+var_84], ebx
		xor	eax, eax
		mov	[esp+0A0h+var_1C], eax
		mov	[esp+0A0h+var_18], eax
		mov	[esp+0A0h+var_14], eax
		mov	[esp+0A0h+var_10], eax
		mov	[esp+0A0h+var_C], eax
		mov	[esp+0A0h+var_8], eax
		mov	[esp+0A0h+var_8C], eax
		mov	eax, large fs:124h
		mov	[esp+0A0h+var_4C], eax
		mov	esi, [eax+80h]
		xor	ecx, ecx
		mov	[esp+0A0h+var_64], ecx
		mov	eax, [ebx+0Ch]
		mov	ecx, [ebx+1Ch]
		shl	eax, 0Ch
		mov	[esp+0A0h+var_68], eax
		mov	eax, [ebx+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		mov	[esp+0A0h+var_88], esi
		mov	[esp+0A0h+var_2C], 0
		mov	[esp+0A0h+var_28], 0
		mov	[esp+0A0h+var_54], eax
		lea	edi, [esi+240h]
		test	ecx, 100000h
		jz	short loc_4604B5
		test	ecx, 400000h
		jnz	short loc_4604C7
		mov	eax, ecx
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnb	short loc_4604C7

loc_4604B5:				; CODE XREF: MiDeleteVad(x,x,x)+9Dj
		and	cl, 70h
		cmp	cl, 20h
		jnz	short loc_4604D0
		mov	eax, [ebx+28h]
		test	eax, 1000000h
		jz	short loc_4604D0

loc_4604C7:				; CODE XREF: MiDeleteVad(x,x,x)+A5j
					; MiDeleteVad(x,x,x)+B3j
		mov	eax, 40h
		mov	[esp+0A0h+var_8C], eax

loc_4604D0:				; CODE XREF: MiDeleteVad(x,x,x)+BBj
					; MiDeleteVad(x,x,x)+C5j
		mov	eax, [ebx+1Ch]
		test	eax, 100000h
		jnz	short loc_4604E9
		mov	ecx, [ebx+48h]
		test	ecx, ecx
		jz	short loc_4604E9
		call	ObfDereferenceObject
		mov	eax, [ebx+1Ch]

loc_4604E9:				; CODE XREF: MiDeleteVad(x,x,x)+D8j
					; MiDeleteVad(x,x,x)+DFj
		mov	ecx, eax
		test	eax, 100000h
		jz	short loc_46050C
		test	eax, 1000000h
		jnz	short loc_46050C
		test	eax, 2000000h
		jz	short loc_46050C
		mov	edx, ebx
		mov	ecx, esi
		call	_MiDeleteEnclavePages@8	; MiDeleteEnclavePages(x,x)
		mov	ecx, [ebx+1Ch]

loc_46050C:				; CODE XREF: MiDeleteVad(x,x,x)+F0j
					; MiDeleteVad(x,x,x)+F7j ...
		and	ecx, 70h
		cmp	cl, 30h
		jnz	short loc_460522
		mov	ecx, ebx
		call	_MiRemoveUserPhysicalPagesView@4 ; MiRemoveUserPhysicalPagesView(x)
		mov	[esp+0A0h+var_C], eax

loc_460522:				; CODE XREF: MiDeleteVad(x,x,x)+112j
		mov	eax, [ebx+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jnz	short loc_46053F
		cmp	dword ptr [ebx+8], 0FFFFFFFEh
		jnz	short loc_46053F
		or	[esp+0A0h+var_8C], 80h

loc_46053F:				; CODE XREF: MiDeleteVad(x,x,x)+12Fj
					; MiDeleteVad(x,x,x)+135j
		mov	eax, [esp+0A0h+var_4C]
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [esi+138h]
		xor	edx, edx
		mov	ecx, eax
		mov	[esp+0A0h+var_5C], eax
		call	ExAcquirePushLockExclusiveEx
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_46056E
		mov	edi, offset unk_6D3C40
		jmp	short loc_460571
; 

loc_46056E:				; CODE XREF: MiDeleteVad(x,x,x)+165j
		sub	edi, 0FFFFFF80h

loc_460571:				; CODE XREF: MiDeleteVad(x,x,x)+16Cj
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[esp+0A0h+var_8D], al
		jz	short loc_460591
		mov	dl, al
		mov	ecx, edi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	short loc_4605FD
; 

loc_460591:				; CODE XREF: MiDeleteVad(x,x,x)+184j
		xor	esi, esi
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_4605A5
		mov	dl, al
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	esi, eax

loc_4605A5:				; CODE XREF: MiDeleteVad(x,x,x)+198j
		mov	edx, [edi]
		mov	ecx, edx
		and	ecx, 0BFFFFFFFh
		cmp	ecx, 80000000h
		jz	short loc_4605FD

loc_4605B7:				; CODE XREF: MiDeleteVad(x,x,x)+1FBj
		test	edx, 40000000h
		jnz	short loc_4605D1
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_4605EF

loc_4605D1:				; CODE XREF: MiDeleteVad(x,x,x)+1BDj
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jnz	short loc_4605EB
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_4605EB
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	short loc_4605ED
; 

loc_4605EB:				; CODE XREF: MiDeleteVad(x,x,x)+1D8j
					; MiDeleteVad(x,x,x)+1E1j
		pause

loc_4605ED:				; CODE XREF: MiDeleteVad(x,x,x)+1E9j
		mov	eax, [edi]

loc_4605EF:				; CODE XREF: MiDeleteVad(x,x,x)+1CFj
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_4605B7

loc_4605FD:				; CODE XREF: MiDeleteVad(x,x,x)+18Fj
					; MiDeleteVad(x,x,x)+1B5j
		push	1
		mov	edx, 2
		mov	dword ptr [edi+4], 0
		mov	ecx, ebx
		call	MiSetVadFlags
		mov	edx, [esp+0A0h+var_88]
		xor	edi, edi
		mov	esi, offset unk_6D3C40
		mov	eax, [edx+2A0h]
		mov	[esp+0A0h+var_7C], eax
		and	al, 7
		cmp	al, 2
		jz	short loc_460633
		lea	esi, [edx+2C0h]

loc_460633:				; CODE XREF: MiDeleteVad(x,x,x)+22Bj
		test	al, al
		jnz	short loc_460665
		cmp	[edx+24Ch], edi
		jz	short loc_460665
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	eax, [ecx+24Ch]
		cmp	[eax+94h], di
		jz	short loc_460665
		call	_MiDeleteDeferredCloneDescriptors@4 ; MiDeleteDeferredCloneDescriptors(x)
		mov	edx, [esp+0A0h+var_88]
		mov	edi, eax

loc_460665:				; CODE XREF: MiDeleteVad(x,x,x)+235j
					; MiDeleteVad(x,x,x)+23Dj ...
		mov	ecx, large fs:124h
		mov	ebx, [ecx+2FCh]
		and	ebx, 400000h
		test	ds:_MiFlags, 0C00000h
		jz	short loc_4606D2
		test	byte ptr [edx+2A0h], 7
		lea	ecx, [edx+240h]
		jnz	short loc_4606D2
		cmp	byte ptr [edx+74h], 1
		jz	short loc_4606D2
		rdtsc
		and	eax, 3FF0h
		or	eax, 0
		jnz	short loc_4606D2
		mov	edx, [esp+0A0h+var_88]
		cmp	[edx+304h], eax
		jz	short loc_4606D2
		cmp	[edx+24Ch], eax
		jz	short loc_4606D2
		cmp	[edx+250h], eax
		jz	short loc_4606D2
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_4606D2
		lea	ecx, [eax+2]
		call	MiPaeCheckProcessShadow

loc_4606D2:				; CODE XREF: MiDeleteVad(x,x,x)+282j
					; MiDeleteVad(x,x,x)+291j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_4606E7
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	short loc_4606ED
; 

loc_4606E7:				; CODE XREF: MiDeleteVad(x,x,x)+2D9j
		mov	dword ptr [esi], 0

loc_4606ED:				; CODE XREF: MiDeleteVad(x,x,x)+2E5j
		mov	cl, [esp+0A0h+var_8D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_460710
		jmp	short loc_460700
; 
		align 10h

loc_460700:				; CODE XREF: MiDeleteVad(x,x,x)+2FBj
					; MiDeleteVad(x,x,x)+30Ej
		mov	esi, [edi]
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_460700

loc_460710:				; CODE XREF: MiDeleteVad(x,x,x)+2F9j
		test	ebx, ebx
		jnz	short loc_460739
		test	byte ptr [esp+0A0h+var_7C+3], 1Ch
		jz	short loc_460739
		mov	ebx, [esp+0A0h+var_88]
		lea	ecx, [ebx+240h]
		call	MiLockWorkingSetShared
		mov	dl, [esp+0A0h+var_8D]
		lea	ecx, [ebx+240h]
		call	MiUnlockWorkingSetShared

loc_460739:				; CODE XREF: MiDeleteVad(x,x,x)+312j
					; MiDeleteVad(x,x,x)+319j
		mov	ebx, [esp+0A0h+var_5C]
		or	esi, 0FFFFFFFFh
		mov	eax, esi
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_460753
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_460753:				; CODE XREF: MiDeleteVad(x,x,x)+34Aj
		mov	ecx, ebx
		call	KeAbPostRelease
		nop
		mov	ecx, [esp+0A0h+var_4C]
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		test	ax, ax
		jnz	short loc_460784
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_460784
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_460784:				; CODE XREF: MiDeleteVad(x,x,x)+375j
					; MiDeleteVad(x,x,x)+37Dj
		mov	edi, [esp+0A0h+var_84]
		mov	ecx, [edi+1Ch]
		test	ecx, 100000h
		jz	short loc_4607F6
		mov	eax, ecx
		xor	ebx, ebx
		and	eax, 70h
		cmp	al, 30h
		jnz	short loc_4607B5
		test	ecx, 1000000h
		jnz	short loc_4607AE
		test	ecx, 2000000h
		jnz	short loc_4607B5

loc_4607AE:				; CODE XREF: MiDeleteVad(x,x,x)+3A4j
		mov	ebx, 10h
		jmp	short loc_4607CF
; 

loc_4607B5:				; CODE XREF: MiDeleteVad(x,x,x)+39Cj
					; MiDeleteVad(x,x,x)+3ACj
		mov	eax, ecx
		and	al, 70h
		cmp	al, 10h
		jnz	short loc_4607CF
		mov	ebx, ecx
		and	ebx, 8000000h
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 20h
		add	ebx, 20h

loc_4607CF:				; CODE XREF: MiDeleteVad(x,x,x)+3B3j
					; MiDeleteVad(x,x,x)+3BBj
		mov	eax, ecx
		and	al, 70h
		cmp	al, 40h
		jnz	short loc_4607DE
		mov	ebx, 8
		jmp	short loc_46080B
; 

loc_4607DE:				; CODE XREF: MiDeleteVad(x,x,x)+3D5j
		test	ecx, 1000000h
		jnz	short loc_46080B
		test	ecx, 4000000h
		jz	short loc_46080B
		or	ebx, 400h
		jmp	short loc_46080B
; 

loc_4607F6:				; CODE XREF: MiDeleteVad(x,x,x)+391j
		mov	eax, [ebp+arg_0]
		mov	ebx, eax
		sar	ebx, 1Fh
		and	ebx, 1
		add	ebx, 2
		test	al, 1
		jz	short loc_46080B
		or	ebx, 4

loc_46080B:				; CODE XREF: MiDeleteVad(x,x,x)+3DCj
					; MiDeleteVad(x,x,x)+3E4j ...
		test	ecx, 100000h
		jz	short loc_460829
		test	ecx, 400000h
		jnz	short loc_46083B
		mov	eax, ecx
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnb	short loc_46083B

loc_460829:				; CODE XREF: MiDeleteVad(x,x,x)+411j
		and	cl, 70h
		cmp	cl, 20h
		jnz	short loc_460841
		mov	eax, [edi+28h]
		test	eax, 1000000h
		jz	short loc_460841

loc_46083B:				; CODE XREF: MiDeleteVad(x,x,x)+419j
					; MiDeleteVad(x,x,x)+427j
		or	ebx, 800h

loc_460841:				; CODE XREF: MiDeleteVad(x,x,x)+42Fj
					; MiDeleteVad(x,x,x)+439j
		mov	eax, [edi+1Ch]
		and	eax, 1100000h
		cmp	eax, 1100000h
		jnz	short loc_460856
		or	ebx, 1000h

loc_460856:				; CODE XREF: MiDeleteVad(x,x,x)+44Ej
		mov	eax, [esp+0A0h+var_8C]
		cmp	eax, 80h
		jnb	loc_460914
		mov	eax, large fs:124h
		lea	edx, [esp+0A0h+var_1C]
		push	edx
		mov	dl, 21h
		mov	edi, [eax+80h]
		mov	eax, ebx
		or	eax, 80h
		push	eax
		push	0
		push	[esp+0ACh+var_54]
		lea	ecx, [edi+240h]
		push	[esp+0B0h+var_68]
		call	_MiDeletePagablePteRange@28 ; MiDeletePagablePteRange(x,x,x,x,x,x,x)
		mov	ecx, [esp+0A0h+var_10]
		test	ecx, ecx
		jz	short loc_4608AF
		neg	ecx
		lea	eax, [edi+14Ch]
		lock xadd [eax], ecx

loc_4608AF:				; CODE XREF: MiDeleteVad(x,x,x)+4A1j
		mov	edi, [esp+0A0h+var_84]
		test	ebx, 800h
		jz	short loc_460910
		mov	edx, [esp+0A0h+var_8]
		mov	[esp+0A0h+var_7C], edx
		test	edx, edx
		jz	short loc_460910
		mov	ecx, edi
		mov	[esp+0A0h+var_8], 0
		call	MiVadCommitCrossPartition
		test	eax, eax
		jnz	short loc_460910
		mov	edi, [edi+20h]
		mov	eax, edi
		sub	eax, edx
		mov	ecx, edi
		xor	ecx, eax
		and	ecx, 7FFFFFFFh
		xor	ecx, edi
		mov	edi, [esp+0A0h+var_84]
		mov	[edi+20h], ecx
		mov	ecx, [esp+0A0h+var_88]
		call	_MiReturnFullProcessCharges@8 ;	MiReturnFullProcessCharges(x,x)
		mov	edx, [esp+0A0h+var_7C]
		mov	ecx, [esp+0A0h+var_88]
		call	_MiReturnProcessPhysicalPages@8	; MiReturnProcessPhysicalPages(x,x)

loc_460910:				; CODE XREF: MiDeleteVad(x,x,x)+4B9j
					; MiDeleteVad(x,x,x)+4C8j ...
		mov	eax, [esp+0A0h+var_8C]

loc_460914:				; CODE XREF: MiDeleteVad(x,x,x)+45Fj
		test	bl, 2
		jz	loc_460B33
		mov	ecx, [edi+2Ch]
		mov	edx, [edi+1Ch]
		mov	ebx, [ecx]
		mov	ecx, edx
		and	cl, 70h
		mov	[esp+0A0h+var_64], ebx
		cmp	cl, 20h
		jz	short loc_46098C
		cmp	dword ptr [ebx+20h], 0
		jz	short loc_46099E
		mov	eax, edx
		and	eax, 0F80h
		cmp	eax, 200h
		jz	short loc_460955
		and	edx, 0F80h
		cmp	edx, 300h
		jnz	short loc_460959

loc_460955:				; CODE XREF: MiDeleteVad(x,x,x)+545j
		lock dec dword ptr [ebx+34h]

loc_460959:				; CODE XREF: MiDeleteVad(x,x,x)+553j
		mov	edx, [edi+0Ch]
		lea	eax, [esp+0A0h+var_2C]
		push	eax
		push	0
		mov	ecx, edi
		call	MiGetProtoPteAddress
		mov	eax, [edi+28h]
		test	eax, 1000000h
		jz	short loc_460979
		or	[esp+0A0h+var_8C], 20h

loc_460979:				; CODE XREF: MiDeleteVad(x,x,x)+572j
		mov	edx, [edi+10h]
		lea	eax, [esp+0A0h+var_28]
		push	eax
		push	0
		mov	ecx, edi
		call	MiGetProtoPteAddress
		jmp	short loc_46099E
; 

loc_46098C:				; CODE XREF: MiDeleteVad(x,x,x)+531j
		mov	ecx, [edi+28h]
		test	ecx, 1000000h
		jz	short loc_46099E
		or	eax, 18h
		mov	[esp+0A0h+var_8C], eax

loc_46099E:				; CODE XREF: MiDeleteVad(x,x,x)+537j
					; MiDeleteVad(x,x,x)+58Aj ...
		mov	eax, [esp+0A0h+var_8C]
		test	al, 8
		jnz	loc_460B33
		mov	edx, [edi+1Ch]
		mov	ecx, edx
		and	ecx, 70h
		cmp	cl, 50h
		jz	loc_460B1F
		xor	ecx, ecx
		mov	edi, offset unk_6D3C40
		mov	[esp+0A0h+var_3C], ecx
		mov	[esp+0A0h+var_38], ecx
		mov	[esp+0A0h+var_34], ecx
		mov	ecx, [esp+0A0h+var_88]
		lea	ebx, [ecx+2C0h]
		mov	cl, [ecx+2A0h]
		and	cl, 7
		cmp	cl, 2
		jz	short loc_4609E8
		mov	edi, ebx

loc_4609E8:				; CODE XREF: MiDeleteVad(x,x,x)+5E4j
		cmp	dword ptr [edi+18h], 0
		jz	loc_460AC4
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [esp+0A0h+var_88]
		mov	[esp+0A0h+var_8D], al
		mov	cl, [ecx+2A0h]
		and	cl, 7
		cmp	cl, 2
		jnz	short loc_460A15
		mov	ebx, offset unk_6D3C40

loc_460A15:				; CODE XREF: MiDeleteVad(x,x,x)+60Ej
		add	ebx, 40h
		mov	[esp+0A0h+var_3C], 0
		test	ds:byte_70EFC6,	21h
		mov	[esp+0A0h+var_38], ebx
		jz	short loc_460A3A
		mov	edx, ebx
		lea	ecx, [esp+0A0h+var_3C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_460A4D
; 

loc_460A3A:				; CODE XREF: MiDeleteVad(x,x,x)+62Bj
		lea	edx, [esp+0A0h+var_3C]
		xchg	edx, [ebx]
		test	edx, edx
		jz	short loc_460A4D
		lea	ecx, [esp+0A0h+var_3C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_460A4D:				; CODE XREF: MiDeleteVad(x,x,x)+638j
					; MiDeleteVad(x,x,x)+642j
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jz	short loc_460A60
		call	MiEmptyPageAccessLog
		mov	dword ptr [edi+18h], 0

loc_460A60:				; CODE XREF: MiDeleteVad(x,x,x)+652j
		test	ds:byte_70EFC6,	1
		jz	short loc_460A77
		mov	edx, [ebp+4]
		lea	ecx, [esp+0A0h+var_3C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_460AAD
; 

loc_460A77:				; CODE XREF: MiDeleteVad(x,x,x)+667j
		mov	eax, [esp+0A0h+var_3C]
		test	eax, eax
		jnz	short loc_460A9A
		mov	edx, [esp+0A0h+var_38]
		lea	eax, [esp+0A0h+var_3C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+0A0h+var_3C]
		cmp	eax, ecx
		jz	short loc_460AAD
		call	KxWaitForLockChainValid

loc_460A9A:				; CODE XREF: MiDeleteVad(x,x,x)+67Dj
		mov	[esp+0A0h+var_3C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_460AAD:				; CODE XREF: MiDeleteVad(x,x,x)+675j
					; MiDeleteVad(x,x,x)+693j
		mov	cl, [esp+0A0h+var_8D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, [esp+0A0h+var_84]
		mov	eax, [esp+0A0h+var_8C]
		mov	edx, [edi+1Ch]
		jmp	short loc_460AC8
; 

loc_460AC4:				; CODE XREF: MiDeleteVad(x,x,x)+5ECj
		mov	edi, [esp+0A0h+var_84]

loc_460AC8:				; CODE XREF: MiDeleteVad(x,x,x)+6C2j
		mov	ecx, edx
		and	cl, 70h
		cmp	cl, 20h
		jnz	short loc_460AEB
		mov	ecx, [esp+0A0h+var_64]
		test	dword ptr [ecx+1Ch], 4000000h
		jz	short loc_460AE2
		or	eax, 2

loc_460AE2:				; CODE XREF: MiDeleteVad(x,x,x)+6DDj
		or	eax, 4
		mov	[esp+0A0h+var_8C], eax
		jmp	short loc_460B1F
; 

loc_460AEB:				; CODE XREF: MiDeleteVad(x,x,x)+6D0j
		test	edx, 100000h
		jnz	short loc_460B1F
		mov	ecx, [esp+0A0h+var_64]
		cmp	dword ptr [ecx+20h], 0
		jnz	short loc_460B1F
		mov	edx, [edi+0Ch]
		lea	eax, [esp+0A0h+var_2C]
		push	eax
		push	0
		mov	ecx, edi
		call	MiGetProtoPteAddress
		mov	edx, [edi+10h]
		lea	eax, [esp+0A0h+var_28]
		push	eax
		push	0
		mov	ecx, edi
		call	MiGetProtoPteAddress

loc_460B1F:				; CODE XREF: MiDeleteVad(x,x,x)+5B5j
					; MiDeleteVad(x,x,x)+6E9j ...
		cmp	dword ptr [edi+44h], 0
		mov	eax, [esp+0A0h+var_8C]
		jge	short loc_460B2C
		or	eax, 1

loc_460B2C:				; CODE XREF: MiDeleteVad(x,x,x)+727j
		or	eax, 8
		mov	[esp+0A0h+var_8C], eax

loc_460B33:				; CODE XREF: MiDeleteVad(x,x,x)+517j
					; MiDeleteVad(x,x,x)+5A4j
		mov	edi, large fs:124h
		mov	[esp+0A0h+var_58], edi
		dec	word ptr [edi+13Eh]
		nop
		mov	eax, [esp+0A0h+var_88]
		add	eax, 134h
		mov	[esp+0A0h+var_60], 0
		mov	ecx, eax
		mov	[esp+0A0h+var_80], eax
		and	ecx, 7FFFFFFCh
		mov	[esp+0A0h+var_7C], ecx
		jnz	short loc_460B70
		xor	ebx, ebx
		jmp	loc_460C92
; 

loc_460B70:				; CODE XREF: MiDeleteVad(x,x,x)+767j
		mov	edi, large fs:124h
		dec	word ptr [edi+13Eh]
		nop
		inc	byte ptr [edi+1E6h]
		nop
		cmp	byte ptr [edi+1E6h], 1
		jz	short loc_460B9E
		xor	ebx, ebx
		lea	eax, [edi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_460C4D
; 

loc_460B9E:				; CODE XREF: MiDeleteVad(x,x,x)+78Dj
		mov	dl, [edi+1E4h]
		mov	[esp+0A0h+var_40], 0
		test	dl, dl
		jnz	short loc_460BCA
		cmp	[edi+222h], dl
		lea	ecx, [edi+222h]
		jz	short loc_460C00
		xor	al, al
		xchg	al, [ecx]
		mov	dl, [edi+1E4h]
		or	dl, al

loc_460BCA:				; CODE XREF: MiDeleteVad(x,x,x)+7AEj
		movzx	eax, dl
		bsf	ecx, eax
		mov	al, 1
		shl	al, cl
		not	al
		mov	[esp+0A0h+var_40], ecx
		and	al, dl
		lea	ebx, [ecx+ecx*2]
		mov	[edi+1E4h], al
		shl	ebx, 4
		add	ebx, [edi+1E8h]

loc_460BEE:				; CODE XREF: MiDeleteVad(x,x,x)+817j
		mov	eax, [esp+0A0h+var_80]

loc_460BF2:				; CODE XREF: MiDeleteVad(x,x,x)+80Cj
		test	ebx, ebx
		jnz	short loc_460C19
		lea	eax, [edi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_460C4D
; 

loc_460C00:				; CODE XREF: MiDeleteVad(x,x,x)+7BCj
		xor	ebx, ebx
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_460BF2
		mov	edx, eax
		mov	ecx, edi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_460BEE
; 

loc_460C19:				; CODE XREF: MiDeleteVad(x,x,x)+7F4j
		cmp	eax, dword_6D07D0
		jb	short loc_460C3F
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_460C32
		cmp	al, 0Bh
		jnz	short loc_460C3F

loc_460C32:				; CODE XREF: MiDeleteVad(x,x,x)+82Cj
		mov	ecx, [edi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_460C42
; 

loc_460C3F:				; CODE XREF: MiDeleteVad(x,x,x)+81Fj
					; MiDeleteVad(x,x,x)+830j
		or	eax, 0FFFFFFFFh

loc_460C42:				; CODE XREF: MiDeleteVad(x,x,x)+83Dj
		mov	[ebx+14h], eax
		nop
		mov	eax, [esp+0A0h+var_7C]
		mov	[ebx+10h], eax

loc_460C4D:				; CODE XREF: MiDeleteVad(x,x,x)+799j
					; MiDeleteVad(x,x,x)+7FEj
		nop
		mov	edx, [esp+0A0h+var_80]
		lea	eax, [esp+0A0h+var_60]
		dec	byte ptr [edi+1E6h]
		mov	ecx, edi
		push	eax
		call	KiAbThreadRemoveBoosts
		nop
		mov	ax, [edi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[edi+13Eh], ax
		test	ax, ax
		jnz	short loc_460C8A
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jz	short loc_460C8A
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_460C8A:				; CODE XREF: MiDeleteVad(x,x,x)+87Bj
					; MiDeleteVad(x,x,x)+883j
		mov	edi, [esp+0A0h+var_58]
		mov	eax, [esp+0A0h+var_80]

loc_460C92:				; CODE XREF: MiDeleteVad(x,x,x)+76Bj
		lock bts dword ptr [eax], 0
		jb	short loc_460CA8
		test	ebx, ebx
		jz	short loc_460CA1
		or	byte ptr [ebx+0Eh], 1

loc_460CA1:				; CODE XREF: MiDeleteVad(x,x,x)+89Bj
		mov	eax, 1
		jmp	short loc_460CB7
; 

loc_460CA8:				; CODE XREF: MiDeleteVad(x,x,x)+897j
		test	ebx, ebx
		jz	short loc_460CB5
		mov	edx, ebx
		mov	ecx, eax
		call	KeAbPostReleaseEx

loc_460CB5:				; CODE XREF: MiDeleteVad(x,x,x)+8AAj
		xor	eax, eax

loc_460CB7:				; CODE XREF: MiDeleteVad(x,x,x)+8A6j
		test	eax, eax
		jz	short loc_460CC5
		or	byte ptr [edi+304h], 1
		nop
		jmp	short loc_460D2E
; 

loc_460CC5:				; CODE XREF: MiDeleteVad(x,x,x)+8B9j
		mov	ebx, [esp+0A0h+var_84]
		mov	eax, esi
		and	byte ptr [edi+304h], 7Fh
		add	ebx, 18h
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_460CE6
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_460CE6:				; CODE XREF: MiDeleteVad(x,x,x)+8DDj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		dec	word ptr [edi+13Eh]
		nop
		mov	ecx, [esp+0A0h+var_80]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [edi+304h], 1
		nop
		dec	word ptr [edi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [edi+304h], 80h
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_460D2E:				; CODE XREF: MiDeleteVad(x,x,x)+8C3j
		mov	eax, [esp+0A0h+var_8C]
		cmp	eax, 80h
		jnb	loc_461416
		mov	eax, [esp+0A0h+var_4C]
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, [esp+0A0h+var_5C]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esp+0A0h+var_88]
		mov	ebx, offset unk_6D3C40
		mov	al, [ecx+2A0h]
		and	al, 7
		cmp	al, 2
		jz	short loc_460D6F
		lea	ebx, [ecx+2C0h]

loc_460D6F:				; CODE XREF: MiDeleteVad(x,x,x)+967j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [esp+0A0h+var_74], al
		jz	short loc_460D8F
		mov	dl, al
		mov	ecx, ebx
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	short loc_460DFB
; 

loc_460D8F:				; CODE XREF: MiDeleteVad(x,x,x)+982j
		xor	edi, edi
		lock bts dword ptr [ebx], 1Fh
		jnb	short loc_460DA3
		mov	dl, al
		mov	ecx, ebx
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	edi, eax

loc_460DA3:				; CODE XREF: MiDeleteVad(x,x,x)+996j
		mov	edx, [ebx]
		mov	ecx, edx
		and	ecx, 0BFFFFFFFh
		cmp	ecx, 80000000h
		jz	short loc_460DFB

loc_460DB5:				; CODE XREF: MiDeleteVad(x,x,x)+9F9j
		test	edx, 40000000h
		jnz	short loc_460DCF
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_460DED

loc_460DCF:				; CODE XREF: MiDeleteVad(x,x,x)+9BBj
		inc	edi
		test	ds:_HvlLongSpinCountMask, edi
		jnz	short loc_460DE9
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_460DE9
		push	edi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	short loc_460DEB
; 

loc_460DE9:				; CODE XREF: MiDeleteVad(x,x,x)+9D6j
					; MiDeleteVad(x,x,x)+9DFj
		pause

loc_460DEB:				; CODE XREF: MiDeleteVad(x,x,x)+9E7j
		mov	eax, [ebx]

loc_460DED:				; CODE XREF: MiDeleteVad(x,x,x)+9CDj
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_460DB5

loc_460DFB:				; CODE XREF: MiDeleteVad(x,x,x)+98Dj
					; MiDeleteVad(x,x,x)+9B3j
		mov	eax, [esp+0A0h+var_68]
		mov	esi, [esp+0A0h+var_54]
		mov	dword ptr [ebx+4], 0
		mov	[esp+0A0h+var_20], 0
		mov	[esp+0A0h+var_70], 0
		lea	ecx, [ecx+0]

loc_460E20:				; CODE XREF: MiDeleteVad(x,x,x)+A87j
		shr	eax, 12h
		and	eax, 3FF8h
		sub	eax, 3FA00000h
		xor	edi, edi
		mov	[esp+0A0h+var_44], eax

loc_460E33:				; CODE XREF: MiDeleteVad(x,x,x)+A62j
		mov	ebx, [esp+edi*4+0A0h+var_44]
		mov	edx, [ebx]
		nop
		mov	ecx, edx
		or	ecx, [ebx+4]
		jz	short loc_460E6A
		and	edx, 1
		or	edx, 0
		jnz	short loc_460E5E
		test	edi, edi
		jz	short loc_460E5E
		push	1
		push	[esp+0A4h+var_74]
		shl	ebx, 9
		push	edx
		mov	ecx, ebx
		call	MiMakeSystemAddressValid

loc_460E5E:				; CODE XREF: MiDeleteVad(x,x,x)+A47j
					; MiDeleteVad(x,x,x)+A4Bj
		inc	edi
		cmp	edi, 1
		jb	short loc_460E33
		mov	ecx, [esp+0A0h+var_70]
		jmp	short loc_460E7D
; 

loc_460E6A:				; CODE XREF: MiDeleteVad(x,x,x)+A3Fj
		neg	edi
		mov	al, 1
		mov	ecx, edi
		shl	al, cl
		mov	ecx, [esp+0A0h+var_70]
		mov	byte ptr [esp+ecx+0A0h+var_20],	al

loc_460E7D:				; CODE XREF: MiDeleteVad(x,x,x)+A68j
		inc	ecx
		mov	eax, esi
		mov	[esp+0A0h+var_70], ecx
		cmp	ecx, 2
		jb	short loc_460E20
		mov	edi, [esp+0A0h+var_84]
		mov	esi, 0FFFFFFFFh
		mov	ecx, edi
		mov	edx, [edi]
		mov	[esp+0A0h+var_80], edx
		test	edx, edx
		jz	short loc_460EB7
		mov	eax, [edx+4]
		test	eax, eax
		jz	short loc_460ED6

loc_460EA5:				; CODE XREF: MiDeleteVad(x,x,x)+AB0j
		mov	esi, eax
		mov	[esp+0A0h+var_80], esi
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_460EA5
		or	esi, 0FFFFFFFFh
		jmp	short loc_460ED6
; 

loc_460EB7:				; CODE XREF: MiDeleteVad(x,x,x)+A9Cj
		mov	edx, [edi+8]
		and	edx, 0FFFFFFFCh
		mov	[esp+0A0h+var_80], edx
		jz	short loc_460ED6

loc_460EC3:				; CODE XREF: MiDeleteVad(x,x,x)+AD0j
		cmp	[edx+4], ecx
		jz	short loc_460ED2
		mov	ecx, edx
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		jnz	short loc_460EC3

loc_460ED2:				; CODE XREF: MiDeleteVad(x,x,x)+AC6j
		mov	[esp+0A0h+var_80], edx

loc_460ED6:				; CODE XREF: MiDeleteVad(x,x,x)+AA3j
					; MiDeleteVad(x,x,x)+AB5j ...
		mov	ebx, [edi+4]
		mov	ecx, edi
		mov	[esp+0A0h+var_6C], ebx
		test	ebx, ebx
		jz	short loc_460F01
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_460F22
		lea	esp, [esp+0]

loc_460EF0:				; CODE XREF: MiDeleteVad(x,x,x)+AFAj
		mov	esi, eax
		mov	[esp+0A0h+var_6C], esi
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_460EF0
		or	esi, 0FFFFFFFFh
		jmp	short loc_460F22
; 

loc_460F01:				; CODE XREF: MiDeleteVad(x,x,x)+AE1j
		mov	ebx, [edi+8]
		and	ebx, 0FFFFFFFCh
		mov	[esp+0A0h+var_6C], ebx
		jz	short loc_460F22
		lea	ecx, [ecx+0]

loc_460F10:				; CODE XREF: MiDeleteVad(x,x,x)+B1Cj
		cmp	[ebx], ecx
		jz	short loc_460F1E
		mov	ecx, ebx
		mov	ebx, [ebx+8]
		and	ebx, 0FFFFFFFCh
		jnz	short loc_460F10

loc_460F1E:				; CODE XREF: MiDeleteVad(x,x,x)+B12j
		mov	[esp+0A0h+var_6C], ebx

loc_460F22:				; CODE XREF: MiDeleteVad(x,x,x)+AE7j
					; MiDeleteVad(x,x,x)+AFFj ...
		mov	edi, [esp+0A0h+var_88]
		mov	ebx, [esp+0A0h+var_84]
		add	edi, 350h
		push	ebx
		push	edi
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	edx, [esp+18h]
		cmp	[edx+354h], ebx
		jnz	short loc_460F4B
		mov	eax, [edi]
		mov	[edx+354h], eax

loc_460F4B:				; CODE XREF: MiDeleteVad(x,x,x)+B41j
		dec	dword ptr [edx+358h]
		mov	ecx, [ebx+1Ch]
		mov	dword ptr [ebx+8], 0FFFFFFFEh
		test	ecx, 100000h
		jz	short loc_460F79
		test	ecx, 400000h
		jnz	short loc_460F8E
		mov	eax, ecx
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnb	short loc_460F8E

loc_460F79:				; CODE XREF: MiDeleteVad(x,x,x)+B61j
		and	cl, 70h
		cmp	cl, 20h
		jnz	short loc_460FA7
		mov	eax, [ebx+28h]
		test	eax, 1000000h
		jz	short loc_460FA7
		mov	ecx, [ebx+1Ch]

loc_460F8E:				; CODE XREF: MiDeleteVad(x,x,x)+B69j
					; MiDeleteVad(x,x,x)+B77j
		shr	ecx, 12h
		and	ecx, 3
		cmp	ds:_MiVadPageSizes[ecx*4], 200h
		jb	short loc_460FA7
		dec	dword ptr [edx+394h]

loc_460FA7:				; CODE XREF: MiDeleteVad(x,x,x)+B7Fj
					; MiDeleteVad(x,x,x)+B89j ...
		mov	eax, [edx+2A0h]
		xor	ebx, ebx
		mov	[esp+0A8h+var_60], eax
		mov	edi, offset unk_6D3C40
		and	al, 7
		cmp	al, 2
		jz	short loc_460FC4
		lea	edi, [edx+2C0h]

loc_460FC4:				; CODE XREF: MiDeleteVad(x,x,x)+BBCj
		test	al, al
		jnz	short loc_460FF6
		cmp	[edx+24Ch], ebx
		jz	short loc_460FF6
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	eax, [ecx+24Ch]
		cmp	[eax+94h], bx
		jz	short loc_460FF6
		call	_MiDeleteDeferredCloneDescriptors@4 ; MiDeleteDeferredCloneDescriptors(x)
		mov	edx, [esp+18h]
		mov	ebx, eax

loc_460FF6:				; CODE XREF: MiDeleteVad(x,x,x)+BC6j
					; MiDeleteVad(x,x,x)+BCEj ...
		mov	ecx, large fs:124h
		mov	eax, [ecx+2FCh]
		and	eax, 400000h
		test	ds:_MiFlags, 0C00000h
		mov	[esp+0A8h+var_84], eax
		jz	short loc_461066
		test	byte ptr [edx+2A0h], 7
		lea	ecx, [edx+240h]
		jnz	short loc_461066
		cmp	byte ptr [edx+74h], 1
		jz	short loc_461066
		rdtsc
		and	eax, 3FF0h
		or	eax, 0
		jnz	short loc_461066
		mov	edx, [esp+18h]
		cmp	[edx+304h], eax
		jz	short loc_461066
		cmp	[edx+24Ch], eax
		jz	short loc_461066
		cmp	[edx+250h], eax
		jz	short loc_461066
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_461066
		lea	ecx, [eax+2]
		call	MiPaeCheckProcessShadow

loc_461066:				; CODE XREF: MiDeleteVad(x,x,x)+C16j
					; MiDeleteVad(x,x,x)+C25j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_46107B
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	short loc_461081
; 

loc_46107B:				; CODE XREF: MiDeleteVad(x,x,x)+C6Dj
		mov	dword ptr [edi], 0

loc_461081:				; CODE XREF: MiDeleteVad(x,x,x)+C79j
		mov	cl, byte ptr [esp+0A8h+var_7C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jz	short loc_4610A0
		nop

loc_461090:				; CODE XREF: MiDeleteVad(x,x,x)+C9Ej
		mov	edi, [ebx]
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, edi
		test	edi, edi
		jnz	short loc_461090

loc_4610A0:				; CODE XREF: MiDeleteVad(x,x,x)+C8Dj
		cmp	[esp+0A8h+var_84], 0
		jnz	short loc_4610CC
		test	byte ptr [esp+0A8h+var_60+3], 1Ch
		jz	short loc_4610CC
		mov	ebx, [esp+18h]
		lea	ecx, [ebx+240h]
		call	MiLockWorkingSetShared
		mov	dl, byte ptr [esp+0A8h+var_7C]
		lea	ecx, [ebx+240h]
		call	MiUnlockWorkingSetShared

loc_4610CC:				; CODE XREF: MiDeleteVad(x,x,x)+CA5j
					; MiDeleteVad(x,x,x)+CACj
		cmp	[esp+0A8h+var_38], 0
		mov	edx, [esp+0A8h+var_88]
		jnz	loc_46137D
		mov	edi, [esp+0A8h+var_5C]
		mov	ebx, edi
		mov	ecx, [esp+0A8h+var_70]
		shr	ecx, 10h
		shr	ebx, 10h
		mov	[esp+0A8h+var_64], ecx
		mov	[esp+0A8h+var_80], ebx
		test	edx, edx
		jz	short loc_46110D
		mov	eax, [edx+10h]
		shl	eax, 0Ch
		xor	eax, [esp+0A8h+var_70]
		test	eax, 0FFFF0000h
		jnz	short loc_46110D
		inc	ecx
		mov	[esp+0A8h+var_64], ecx

loc_46110D:				; CODE XREF: MiDeleteVad(x,x,x)+CF5j
					; MiDeleteVad(x,x,x)+D06j
		mov	ecx, [esp+0A8h+var_74]
		test	ecx, ecx
		jz	short loc_461135
		mov	eax, [ecx+0Ch]
		shl	eax, 0Ch
		xor	eax, edi
		test	eax, 0FFFF0000h
		jnz	short loc_461135
		lea	eax, [ebx-1]
		cmp	eax, ebx
		ja	loc_461381
		mov	ebx, eax
		mov	[esp+0A8h+var_80], eax

loc_461135:				; CODE XREF: MiDeleteVad(x,x,x)+D13j
					; MiDeleteVad(x,x,x)+D22j
		mov	eax, large fs:124h
		mov	[esp+0A8h+var_60], 0
		mov	[esp+0A8h+var_84], 0
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		mov	[esp+0A8h+var_C], eax
		cmp	dword ptr [eax+60h], 0
		jbe	loc_461381
		mov	esi, [esp+0A8h+var_74]
		lea	edi, [eax+20h]
		mov	[esp+0A8h+var_58], edi

loc_461173:				; CODE XREF: MiDeleteVad(x,x,x)+F70j
		mov	eax, [edi-4]
		mov	edx, eax
		mov	ecx, [esp+0A8h+var_64]
		sub	edx, dword_6D2E88
		mov	[esp+0A8h+var_7C], ebx
		mov	[esp+0A8h+var_50], eax
		test	ecx, ecx
		jnz	short loc_461197
		test	edx, edx
		jnz	short loc_46119F
		mov	ecx, 1

loc_461197:				; CODE XREF: MiDeleteVad(x,x,x)+D8Cj
		cmp	ecx, ebx
		ja	loc_461356

loc_46119F:				; CODE XREF: MiDeleteVad(x,x,x)+D90j
		shl	edx, 3
		mov	ebx, ecx
		mov	[esp+0A8h+var_48], edx
		cmp	[esp+0A8h+var_80], edx
		jb	loc_461352
		mov	eax, [edi-8]
		add	eax, edx
		cmp	ecx, eax
		jnb	loc_461352
		cmp	ecx, edx
		jnb	short loc_4611C5
		mov	ecx, edx

loc_4611C5:				; CODE XREF: MiDeleteVad(x,x,x)+DC1j
		cmp	ebx, edx
		sbb	ebx, ebx
		neg	ebx
		mov	[esp+0A8h+var_4C], ebx
		cmp	[esp+0A8h+var_80], eax
		jb	short loc_4611E0
		dec	eax
		mov	[esp+0A8h+var_4C], 1
		jmp	short loc_4611E4
; 

loc_4611E0:				; CODE XREF: MiDeleteVad(x,x,x)+DD3j
		mov	eax, [esp+0A8h+var_7C]

loc_4611E4:				; CODE XREF: MiDeleteVad(x,x,x)+DDEj
		mov	ebx, eax
		sub	eax, edx
		sub	ebx, ecx
		mov	[esp+0A8h+var_7C], eax
		mov	eax, [edi+18h]
		sub	ecx, edx
		sub	eax, edx
		mov	[esp+0A8h+var_68], ecx
		inc	ebx
		mov	[esp+0A8h+var_78], eax
		cmp	[esp+0A8h+var_60], 0
		jnz	loc_461293
		test	ebx, ebx
		jz	short loc_461280
		mov	edx, ecx
		and	ecx, 7
		shr	edx, 3
		add	edx, [esp+0A8h+var_50]
		mov	[esp+0A8h+var_50], edx
		lea	eax, [ecx+ebx]
		mov	[esp+0A8h+var_2C], eax
		cmp	eax, 8
		ja	short loc_461235
		mov	al, ds:byte_40BA58[ebx]
		shl	al, cl
		not	al
		jmp	short loc_46127A
; 

loc_461235:				; CODE XREF: MiDeleteVad(x,x,x)+E27j
		test	ecx, ecx
		jz	short loc_46124D
		mov	al, ds:byte_40BA58[ecx]
		and	[edx], al
		inc	edx
		mov	ebx, [esp+0A8h+var_2C]
		mov	[esp+0A8h+var_50], edx
		add	ebx, 0FFFFFFF8h

loc_46124D:				; CODE XREF: MiDeleteVad(x,x,x)+E37j
		cmp	ebx, 8
		jbe	short loc_461270
		mov	edi, ebx
		shr	edi, 3
		push	edi		; size_t
		push	0		; int
		push	edx		; void *
		call	_memset
		mov	edx, [esp+0B4h+var_50]
		add	esp, 0Ch
		add	edx, edi
		mov	edi, [esp+0A8h+var_58]
		and	ebx, 7

loc_461270:				; CODE XREF: MiDeleteVad(x,x,x)+E50j
		test	ebx, ebx
		jz	short loc_46127C
		mov	al, ds:byte_40AA48[ebx]

loc_46127A:				; CODE XREF: MiDeleteVad(x,x,x)+E33j
		and	[edx], al

loc_46127C:				; CODE XREF: MiDeleteVad(x,x,x)+E72j
		mov	eax, [esp+0A8h+var_78]

loc_461280:				; CODE XREF: MiDeleteVad(x,x,x)+E0Bj
		cmp	[esp+0A8h+var_4C], 0
		mov	ecx, [esp+0A8h+var_68]
		jnz	short loc_461293
		mov	[esp+0A8h+var_60], 1

loc_461293:				; CODE XREF: MiDeleteVad(x,x,x)+E03j
					; MiDeleteVad(x,x,x)+E89j
		mov	edx, [edi]
		mov	ebx, 1
		mov	[esp+0A8h+var_68], ebx
		cmp	edx, eax
		jb	short loc_4612A7
		cmp	[edi+8], eax
		jnb	short loc_4612AD

loc_4612A7:				; CODE XREF: MiDeleteVad(x,x,x)+EA0j
		xor	ebx, ebx
		mov	[esp+0A8h+var_68], ebx

loc_4612AD:				; CODE XREF: MiDeleteVad(x,x,x)+EA5j
		cmp	edx, ecx
		jbe	short loc_4612C7
		cmp	ecx, eax
		jnb	short loc_4612C5
		test	ebx, ebx
		jz	short loc_4612C5
		mov	ecx, [esp+0A8h+var_7C]
		cmp	ecx, eax
		jb	short loc_4612CB
		mov	[edi], eax
		jmp	short loc_4612CB
; 

loc_4612C5:				; CODE XREF: MiDeleteVad(x,x,x)+EB3j
					; MiDeleteVad(x,x,x)+EB7j
		mov	[edi], ecx

loc_4612C7:				; CODE XREF: MiDeleteVad(x,x,x)+EAFj
		mov	ecx, [esp+0A8h+var_7C]

loc_4612CB:				; CODE XREF: MiDeleteVad(x,x,x)+EBFj
					; MiDeleteVad(x,x,x)+EC3j
		mov	eax, [esp+0A8h+var_88]
		xor	edx, edx
		mov	ebx, [esp+0A8h+var_48]
		test	eax, eax
		jz	short loc_4612FA
		mov	edx, [eax+10h]
		shl	edx, 0Ch
		or	edx, 0FFFh
		lea	edx, [edx+0FFFFh]
		shr	edx, 10h
		cmp	edx, ebx
		jbe	short loc_4612F8
		sub	edx, ebx
		jnz	short loc_461301
		jmp	short loc_4612FA
; 

loc_4612F8:				; CODE XREF: MiDeleteVad(x,x,x)+EF0j
		xor	edx, edx

loc_4612FA:				; CODE XREF: MiDeleteVad(x,x,x)+ED7j
					; MiDeleteVad(x,x,x)+EF6j
		test	ebx, ebx
		jnz	short loc_461301
		lea	edx, [ebx+1]

loc_461301:				; CODE XREF: MiDeleteVad(x,x,x)+EF4j
					; MiDeleteVad(x,x,x)+EFCj
		cmp	[esp+0A8h+var_68], 0
		jz	short loc_461312
		mov	eax, [esp+0A8h+var_78]
		cmp	edx, eax
		jnb	short loc_461312
		mov	edx, eax

loc_461312:				; CODE XREF: MiDeleteVad(x,x,x)+F06j
					; MiDeleteVad(x,x,x)+F0Ej
		cmp	edx, ecx
		ja	short loc_461352
		test	esi, esi
		jz	short loc_46133A
		mov	ecx, [esi+0Ch]
		mov	eax, [edi-8]
		shl	ecx, 0Ch
		mov	[esp+0A8h+var_2C], eax
		add	eax, ebx
		shr	ecx, 10h
		cmp	ecx, eax
		jbe	short loc_461336
		mov	ecx, [esp+0A8h+var_2C]
		jmp	short loc_46133D
; 

loc_461336:				; CODE XREF: MiDeleteVad(x,x,x)+F2Ej
		sub	ecx, ebx
		jmp	short loc_46133D
; 

loc_46133A:				; CODE XREF: MiDeleteVad(x,x,x)+F18j
		mov	ecx, [edi-8]

loc_46133D:				; CODE XREF: MiDeleteVad(x,x,x)+F34j
					; MiDeleteVad(x,x,x)+F38j
		sub	ecx, edx
		cmp	edx, [edi+8]
		jnb	short loc_461352
		mov	ebx, [esp+0A8h+var_80]
		cmp	ecx, [edi+4]
		jb	short loc_461356
		mov	[edi+8], edx
		jmp	short loc_461356
; 

loc_461352:				; CODE XREF: MiDeleteVad(x,x,x)+DACj
					; MiDeleteVad(x,x,x)+DB9j ...
		mov	ebx, [esp+0A8h+var_80]

loc_461356:				; CODE XREF: MiDeleteVad(x,x,x)+D99j
					; MiDeleteVad(x,x,x)+F4Bj ...
		mov	eax, [esp+0A8h+var_84]
		add	edi, 24h
		mov	ecx, [esp+0A8h+var_C]
		inc	eax
		mov	[esp+0A8h+var_84], eax
		mov	[esp+0A8h+var_58], edi
		cmp	eax, [ecx+60h]
		jb	loc_461173
		mov	edx, [esp+0A8h+var_88]
		or	esi, 0FFFFFFFFh

loc_46137D:				; CODE XREF: MiDeleteVad(x,x,x)+CD5j
		mov	ecx, [esp+0A8h+var_74]

loc_461381:				; CODE XREF: MiDeleteVad(x,x,x)+D29j
					; MiDeleteVad(x,x,x)+D62j
		mov	ebx, [esp+0A8h+var_8C]
		lea	eax, [esp+0A8h+var_28]
		mov	edi, [esp+18h]
		push	eax
		push	ebx
		push	ecx
		mov	ecx, [esp+0B4h+var_70]
		push	edx
		mov	edx, [esp+0B8h+var_5C]
		push	edi
		call	_MiReturnPageTablePageCommitment@28 ; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)
		mov	eax, esi
		lea	esi, [edi+138h]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_4613BB
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_4613BB:				; CODE XREF: MiDeleteVad(x,x,x)+FB2j
		mov	ecx, esi
		call	KeAbPostRelease
		nop
		mov	ecx, [esp+0A8h+var_54]
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		test	ax, ax
		jnz	short loc_4613EC
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_4613EC
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_4613EC:				; CODE XREF: MiDeleteVad(x,x,x)+FDDj
					; MiDeleteVad(x,x,x)+FE5j
		mov	esi, [esp+0A8h+var_38]
		test	esi, esi
		jz	short loc_461410
		mov	eax, large fs:124h
		mov	ecx, esi
		push	3
		mov	edx, [eax+80h]
		call	MiInsertVad
		mov	ecx, esi
		call	_MiUnlockNestedVad@4 ; MiUnlockNestedVad(x)

loc_461410:				; CODE XREF: MiDeleteVad(x,x,x)+FF2j
		mov	eax, [esp+0A8h+var_94]
		jmp	short loc_46141E
; 

loc_461416:				; CODE XREF: MiDeleteVad(x,x,x)+937j
		mov	ebx, [esp+0A0h+var_84]
		mov	edi, [esp+0A0h+var_88]

loc_46141E:				; CODE XREF: MiDeleteVad(x,x,x)+1014j
		mov	ecx, [esp+0A0h+var_18]
		mov	[ebx+4], ecx
		mov	ecx, [esp+0A0h+var_14]
		mov	[ebx], ecx
		test	al, 40h
		jz	short loc_461457
		test	ds:byte_70EFC4,	1
		jz	short loc_461457
		mov	eax, [ebx+10h]
		mov	edx, edi
		sub	eax, [ebx+0Ch]
		mov	ecx, [esp+0A0h+var_68]
		inc	eax
		push	eax
		push	1Ah
		call	_MiLogPerfMemoryRangeEvent@16 ;	MiLogPerfMemoryRangeEvent(x,x,x,x)
		mov	eax, [esp+0A0h+var_8C]

loc_461457:				; CODE XREF: MiDeleteVad(x,x,x)+1033j
					; MiDeleteVad(x,x,x)+103Cj
		mov	esi, [esp+0A0h+var_64]
		test	al, 1
		jz	short loc_46146C
		mov	edx, esi
		mov	ecx, ebx
		call	MiDereferenceExtendInfo
		mov	eax, [esp+0A0h+var_8C]

loc_46146C:				; CODE XREF: MiDeleteVad(x,x,x)+105Dj
		test	al, 8
		jz	loc_461529
		test	al, 2
		jz	short loc_461488
		mov	ecx, edi
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	ecx, esi
		call	_MiDereferencePerSessionProtos@8 ; MiDereferencePerSessionProtos(x,x)

loc_461488:				; CODE XREF: MiDeleteVad(x,x,x)+1076j
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	MiRemoveSharedCommitNode
		mov	eax, [ebx+2Ch]
		lea	edi, [ebx+38h]
		mov	esi, [eax]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		lea	ebx, [esi+3Ch]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		test	dword ptr [esi+1Ch], 400h
		jnz	short loc_4614D9
		mov	ecx, [edi]
		mov	eax, [edi+4]
		cmp	[ecx+4], edi
		jnz	loc_46157D
		cmp	[eax], edi
		jnz	loc_46157D
		mov	[eax], ecx
		mov	[ecx+4], eax

loc_4614D9:				; CODE XREF: MiDeleteVad(x,x,x)+10BCj
		mov	esi, large fs:124h
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_4614F4
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_4614F4:				; CODE XREF: MiDeleteVad(x,x,x)+10EBj
		mov	ecx, ebx
		call	KeAbPostRelease
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_461521
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_461521
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_461521:				; CODE XREF: MiDeleteVad(x,x,x)+1112j
					; MiDeleteVad(x,x,x)+111Aj
		mov	eax, [esp+0A0h+var_8C]
		mov	ebx, [esp+0A0h+var_84]

loc_461529:				; CODE XREF: MiDeleteVad(x,x,x)+106Ej
		xor	ecx, ecx
		cmp	[esp+0A0h+var_30], ecx
		jnz	short loc_461538
		cmp	eax, 80h
		jb	short loc_46153D

loc_461538:				; CODE XREF: MiDeleteVad(x,x,x)+112Fj
		mov	ecx, 1

loc_46153D:				; CODE XREF: MiDeleteVad(x,x,x)+1136j
		test	[ebp+arg_0], 40000000h
		jz	short loc_461549
		or	ecx, 2

loc_461549:				; CODE XREF: MiDeleteVad(x,x,x)+1144j
		mov	edx, [esp+0A0h+var_68]
		push	ecx
		push	[esp+0A4h+var_54]
		mov	ecx, ebx
		call	MiFinishVadDeletion
		mov	ebx, [esp+0A0h+var_64]
		test	ebx, ebx
		jz	loc_461664
		mov	eax, [esp+0A0h+var_8C]
		test	al, 10h
		jz	short loc_461584
		mov	ecx, ebx
		call	_MiDereferenceControlArea@4 ; MiDereferenceControlArea(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_46157D:				; CODE XREF: MiDeleteVad(x,x,x)+10C6j
					; MiDeleteVad(x,x,x)+10CEj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_461584:				; CODE XREF: MiDeleteVad(x,x,x)+116Bj
		mov	cl, 2
		lea	esi, [ebx+24h]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[esp+0A0h+var_8D], al
		jz	short loc_4615A7
		mov	dl, al
		mov	ecx, esi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	short loc_461606
; 

loc_4615A7:				; CODE XREF: MiDeleteVad(x,x,x)+119Aj
		mov	[esp+0A0h+var_50], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4615C3
		mov	dl, al
		mov	ecx, esi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[esp+0A0h+var_50], eax

loc_4615C3:				; CODE XREF: MiDeleteVad(x,x,x)+11B4j
		mov	edx, [esi]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jz	short loc_461606

loc_4615D3:				; CODE XREF: MiDeleteVad(x,x,x)+1204j
		test	edx, 40000000h
		jnz	short loc_4615ED
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_4615F8

loc_4615ED:				; CODE XREF: MiDeleteVad(x,x,x)+11D9j
		lea	ecx, [esp+0A0h+var_50]
		call	KeYieldProcessorEx
		mov	eax, [esi]

loc_4615F8:				; CODE XREF: MiDeleteVad(x,x,x)+11EBj
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_4615D3

loc_461606:				; CODE XREF: MiDeleteVad(x,x,x)+11A5j
					; MiDeleteVad(x,x,x)+11D1j
		mov	esi, [esp+0A0h+var_2C]
		test	esi, esi
		jz	short loc_461653
		mov	eax, [esi]
		xor	ebx, ebx
		mov	edi, [esp+0A0h+var_28]
		cmp	[eax+20h], ebx
		setnz	bl
		lea	esp, [esp+0]

loc_461620:				; CODE XREF: MiDeleteVad(x,x,x)+124Dj
		cmp	dword ptr [esi+4], 0
		jz	short loc_461644
		mov	ecx, esi
		call	MiDecrementSubsectionViewCount
		test	ebx, ebx
		jz	short loc_461644
		cmp	dword ptr [esi+3Ch], 0
		jnz	short loc_461644
		test	byte ptr [esi+12h], 1
		jnz	short loc_461644
		mov	ecx, esi
		call	_MiInsertUnusedSubsection@8 ; MiInsertUnusedSubsection(x,x)

loc_461644:				; CODE XREF: MiDeleteVad(x,x,x)+1224j
					; MiDeleteVad(x,x,x)+122Fj ...
		cmp	esi, edi
		jz	short loc_46164F
		mov	esi, [esi+8]
		test	esi, esi
		jnz	short loc_461620

loc_46164F:				; CODE XREF: MiDeleteVad(x,x,x)+1246j
		mov	ebx, [esp+0A0h+var_64]

loc_461653:				; CODE XREF: MiDeleteVad(x,x,x)+120Cj
		mov	dl, [esp+0A0h+var_8D]
		mov	ecx, ebx
		dec	dword ptr [ebx+14h]
		dec	dword ptr [ebx+18h]
		call	MiCheckControlArea

loc_461664:				; CODE XREF: MiDeleteVad(x,x,x)+115Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiDeleteVad@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFinishVadDeletion proc near		; CODE XREF: MiDeleteVad(x,x,x)+1154p
					; MiDeletePartialVad+432p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_7		= byte ptr  0Fh

; FUNCTION CHUNK AT 005B0F2A SIZE 000003A7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ecx
		mov	ecx, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	esi, [ecx+80h]
		xor	edi, edi
		mov	[ebp+var_8], ecx
		mov	ebx, edx
		mov	ecx, [eax+1Ch]
		mov	[ebp+var_4], eax
		test	cl, 4
		jz	loc_461CDC
		mov	[ebp+var_14], 1
		test	ecx, 100000h
		jnz	short loc_4616C3
		mov	eax, [eax+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jnb	short loc_4616C3
		mov	edi, 1

loc_4616C3:				; CODE XREF: MiFinishVadDeletion+3Dj
					; MiFinishVadDeletion+4Cj ...
		mov	eax, [ebp+arg_0]
		mov	edx, eax
		sub	edx, ebx
		mov	ebx, [ebp+var_4]
		inc	edx
		cmp	eax, [esi+1CCh]
		ja	short loc_4616E5
		test	[ebp+arg_4], 1
		jnz	short loc_4616E5
		sub	[esi+11Ch], edx
		mov	ecx, [ebx+1Ch]

loc_4616E5:				; CODE XREF: MiFinishVadDeletion+64j
					; MiFinishVadDeletion+6Aj
		mov	edx, [esi+24Ch]
		mov	[ebp+var_28], edx
		test	ecx, 100000h
		jnz	short loc_461702
		mov	eax, ecx
		and	al, 70h
		cmp	al, 20h
		jz	loc_461C5D

loc_461702:				; CODE XREF: MiFinishVadDeletion+84j
					; MiFinishVadDeletion+5F3j ...
		cmp	[ebp+var_14], 1
		jnz	short loc_46173A
		lock inc dword ptr [edx+68h]
		mov	ecx, [ebx+1Ch]
		mov	eax, ecx
		shr	eax, 12h
		and	eax, 3
		mov	eax, ds:_MiVadPageSizes[eax*4]
		cmp	eax, 10h
		jz	loc_5B0F2A

loc_461727:				; CODE XREF: MiFinishVadDeletion+14F8C8j
					; MiFinishVadDeletion+14F8D3j
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	MiReturnVadQuota
		mov	edx, esi
		mov	ecx, ebx
		call	MiRemoveVadCharges

loc_46173A:				; CODE XREF: MiFinishVadDeletion+96j
		mov	ecx, [ebp+var_8]
		add	esi, 134h
		mov	[ebp+var_18], esi
		or	eax, 0FFFFFFFFh
		and	byte ptr [ecx+304h], 0FEh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_461D0E

loc_46175E:				; CODE XREF: MiFinishVadDeletion+6A5j
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	esi, 7FFFFFFCh
		jz	loc_46185B
		mov	ebx, large fs:124h
		cmp	esi, dword_6D07D0
		jb	short loc_461799
		mov	eax, esi
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	loc_461C3D
		cmp	al, 0Bh
		jz	loc_461C3D

loc_461799:				; CODE XREF: MiFinishVadDeletion+10Cj
		or	eax, 0FFFFFFFFh

loc_46179C:				; CODE XREF: MiFinishVadDeletion+5D8j
		dec	word ptr [ebx+13Eh]
		mov	[ebp+var_10], eax
		nop
		inc	byte ptr [ebx+1E6h]
		nop
		mov	cl, [ebx+1E6h]
		mov	edx, esi
		mov	byte ptr [ebp+arg_0+3],	cl
		mov	ecx, ebx
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_461CE8
		mov	al, [esi+10h]
		or	al, 2
		mov	[esi+10h], al
		nop
		cmp	[esi+10h], edi
		jl	loc_461D36

loc_4617DD:				; CODE XREF: MiFinishVadDeletion+6CDj
		mov	eax, [esi+2Ch]
		mov	edi, eax
		and	byte ptr [esi+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[esi+2Ch], eax
		nop
		mov	dword ptr [esi+10h], 0
		sub	esi, [ebx+1E8h]
		jnz	loc_461C11
		xor	ecx, ecx

loc_46180D:				; CODE XREF: MiFinishVadDeletion+5B2j
		mov	al, 1
		shl	al, cl
		cmp	byte ptr [ebp+arg_0+3],	1
		jnz	loc_5B0F5B
		or	[ebx+1E4h], al

loc_461821:				; CODE XREF: MiFinishVadDeletion+680j
					; MiFinishVadDeletion+14F8F4j
		nop
		dec	byte ptr [ebx+1E6h]
		mov	esi, edi
		and	esi, 1FFFFh
		jnz	loc_461D62

loc_461836:				; CODE XREF: MiFinishVadDeletion+729j
					; MiFinishVadDeletion+14F915j
		nop
		mov	ax, [ebx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ebx+13Eh], ax
		test	ax, ax
		jnz	short loc_46185B
		nop
		lea	eax, [ebx+70h]
		cmp	[eax], eax
		jnz	loc_461D4E

loc_46185B:				; CODE XREF: MiFinishVadDeletion+F9j
					; MiFinishVadDeletion+1DDj ...
		nop
		mov	esi, [ebp+var_8]
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jz	loc_5B0F8A

loc_46187B:				; CODE XREF: MiFinishVadDeletion+14F920j
					; MiFinishVadDeletion+14F92Bj
		cmp	[ebp+var_14], 1
		mov	ebx, [ebp+var_4]
		mov	[ebp+var_10], 0
		jnz	loc_461A08
		mov	eax, large fs:124h
		lea	esi, [ebx+24h]
		mov	[ebp+var_10], 0
		mov	ecx, [eax+80h]
		mov	al, [ecx+2A0h]
		add	ecx, 240h
		and	al, 7
		mov	[ebp+var_C], ecx
		cmp	al, 2
		jz	loc_5B0FA0
		lea	edi, [ecx+80h]

loc_4618C4:				; CODE XREF: MiFinishVadDeletion+14F935j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+arg_0+3],	al
		jnz	loc_5B0FAA
		xor	esi, esi
		lock bts dword ptr [edi], 1Fh
		jb	loc_461D26

loc_4618E9:				; CODE XREF: MiFinishVadDeletion+6C1j
		mov	edx, [edi]
		mov	ecx, edx
		and	ecx, 0BFFFFFFFh
		cmp	ecx, 80000000h
		jnz	loc_461C90

loc_4618FF:				; CODE XREF: MiFinishVadDeletion+647j
		lea	esi, [ebx+24h]

loc_461902:				; CODE XREF: MiFinishVadDeletion+14F943j
		mov	dword ptr [edi+4], 0
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5B0FD0

loc_461913:				; CODE XREF: MiFinishVadDeletion+14F980j
		mov	edx, [ebp+var_C]
		xor	esi, esi
		mov	[ebp+var_18], 0
		mov	[ebp+var_1C], esi
		mov	ecx, [edx+60h]
		mov	al, cl
		and	al, 7
		mov	[ebp+var_20], ecx
		cmp	al, 2
		jz	loc_5B0FF5
		lea	edi, [edx+80h]

loc_46193A:				; CODE XREF: MiFinishVadDeletion+14F98Aj
		mov	dl, cl
		test	al, al
		jnz	short loc_46196A
		mov	eax, [ebp+var_C]
		cmp	[eax+0Ch], esi
		jz	short loc_46196A
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		mov	eax, [esi+24Ch]
		cmp	word ptr [eax+94h], 0
		jnz	loc_461DE2

loc_461968:				; CODE XREF: MiFinishVadDeletion+782j
		xor	esi, esi

loc_46196A:				; CODE XREF: MiFinishVadDeletion+2CEj
					; MiFinishVadDeletion+2D6j
		mov	ecx, large fs:124h
		test	dword ptr [ecx+2FCh], 400000h
		jnz	loc_5B0FFF

loc_461981:				; CODE XREF: MiFinishVadDeletion+14F997j
		test	dl, 7
		setz	cl
		test	ds:_MiFlags, 0C00000h
		setnz	al
		test	cl, al
		jz	short loc_4619A8
		mov	ecx, [ebp+var_C]
		cmp	byte ptr [ecx-1CCh], 1
		jnz	loc_461BC9

loc_4619A8:				; CODE XREF: MiFinishVadDeletion+326j
					; MiFinishVadDeletion+563j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5B100C
		mov	dword ptr [edi], 0

loc_4619BB:				; CODE XREF: MiFinishVadDeletion+14F9A6j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_5B101B

loc_4619CF:				; CODE XREF: MiFinishVadDeletion+14F9BEj
		test	esi, esi
		jnz	short loc_4619DD
		test	byte ptr [ebp+var_20+3], 1Ch
		jnz	loc_5B1033

loc_4619DD:				; CODE XREF: MiFinishVadDeletion+361j
					; MiFinishVadDeletion+14F9D6j
		cmp	[ebp+var_10], 0
		mov	esi, [ebp+var_8]
		mov	dword ptr [ebx+8], 0FFFFFFFFh
		jnz	loc_5B104B

loc_4619F1:				; CODE XREF: MiFinishVadDeletion+14F9E3j
		mov	ecx, [ebx+1Ch]
		test	ecx, 100000h
		jnz	short loc_461A08
		mov	eax, ecx
		and	al, 70h
		cmp	al, 20h
		jz	loc_461C74

loc_461A08:				; CODE XREF: MiFinishVadDeletion+219j
					; MiFinishVadDeletion+38Aj ...
		test	[ebp+arg_4], 2
		jnz	loc_5B1252
		or	ecx, 0FFFFFFFFh
		mov	eax, ecx
		lock xadd [ebx+14h], eax
		dec	eax
		cmp	eax, ecx
		jz	loc_461DF7
		test	eax, eax
		jnz	loc_461CD0
		test	byte ptr [ebx+1Ch], 4
		jz	loc_461CD0
		mov	[ebp+var_18], 1

loc_461A3E:				; CODE XREF: MiFinishVadDeletion+667j
		mov	eax, large fs:124h
		lea	esi, [ebx+18h]
		mov	[ebp+var_24], eax
		and	byte ptr [eax+304h], 7Fh
		mov	eax, ecx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_461D1A

loc_461A61:				; CODE XREF: MiFinishVadDeletion+6B1j
		xor	edi, edi
		mov	[ebp+var_1C], edi
		test	esi, 7FFFFFFCh
		jz	loc_461B67
		mov	ebx, large fs:124h
		cmp	esi, dword_6D07D0
		jb	short loc_461A9C
		mov	eax, esi
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	loc_461C4D
		cmp	al, 0Bh
		jz	loc_461C4D

loc_461A9C:				; CODE XREF: MiFinishVadDeletion+40Fj
		or	eax, 0FFFFFFFFh

loc_461A9F:				; CODE XREF: MiFinishVadDeletion+5E8j
		dec	word ptr [ebx+13Eh]
		mov	[ebp+arg_0], eax
		nop
		inc	byte ptr [ebx+1E6h]
		nop
		mov	cl, [ebx+1E6h]
		mov	edx, esi
		mov	[ebp+arg_7], cl
		mov	ecx, ebx
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_461CFB
		mov	al, [esi+10h]
		or	al, 2
		mov	[esi+10h], al
		nop
		cmp	[esi+10h], edi
		jl	loc_461D42

loc_461AE0:				; CODE XREF: MiFinishVadDeletion+6D9j
		mov	eax, [esi+2Ch]
		mov	edi, eax
		and	byte ptr [esi+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_1C], edi
		mov	[esi+2Ch], eax
		nop
		mov	dword ptr [esi+10h], 0
		sub	esi, [ebx+1E8h]
		jnz	loc_461C27
		xor	ecx, ecx

loc_461B10:				; CODE XREF: MiFinishVadDeletion+5C8j
		cmp	[ebp+arg_7], 1
		jnz	loc_5B1275
		movzx	eax, byte ptr [ebx+1E4h]
		bts	eax, ecx
		mov	[ebx+1E4h], al

loc_461B2A:				; CODE XREF: MiFinishVadDeletion+693j
					; MiFinishVadDeletion+14FC12j
		nop
		dec	byte ptr [ebx+1E6h]
		mov	esi, edi
		and	esi, 1FFFFh
		jnz	loc_461DA4

loc_461B3F:				; CODE XREF: MiFinishVadDeletion+767j
					; MiFinishVadDeletion+14FC36j
		nop
		mov	ax, [ebx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ebx+13Eh], ax
		test	ax, ax
		jnz	short loc_461B64
		nop
		lea	eax, [ebx+70h]
		cmp	[eax], eax
		jnz	loc_461D58

loc_461B64:				; CODE XREF: MiFinishVadDeletion+4E6j
					; MiFinishVadDeletion+6EDj
		mov	ebx, [ebp+var_4]

loc_461B67:				; CODE XREF: MiFinishVadDeletion+3FCj
		nop
		mov	ecx, [ebp+var_24]
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		test	ax, ax
		jnz	short loc_461B8F
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	loc_461C85

loc_461B8F:				; CODE XREF: MiFinishVadDeletion+511j
					; MiFinishVadDeletion+61Aj
		cmp	[ebp+var_18], 1
		jnz	short loc_461B9D
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_461B9D:				; CODE XREF: MiFinishVadDeletion+523j
					; MiFinishVadDeletion+14FBE9j
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_5B12AB

loc_461BA8:				; CODE XREF: MiFinishVadDeletion+14FC4Aj
		cmp	[ebp+var_14], 1
		jnz	short loc_461BC0
		mov	ecx, [ebp+var_28]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+68h], eax
		dec	eax
		jz	loc_5B12BF

loc_461BC0:				; CODE XREF: MiFinishVadDeletion+53Cj
					; MiFinishVadDeletion+14FC5Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_461BC9:				; CODE XREF: MiFinishVadDeletion+332j
		rdtsc
		and	eax, 3FF0h
		or	eax, 0
		jnz	loc_4619A8
		cmp	[ecx+0C4h], eax
		jz	loc_4619A8
		cmp	[ecx+0Ch], eax
		jz	loc_4619A8
		cmp	[ecx+10h], eax
		jz	loc_4619A8
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	loc_4619A8
		lea	ecx, [eax+2]
		call	MiPaeCheckProcessShadow
		jmp	loc_4619A8
; 

loc_461C11:				; CODE XREF: MiFinishVadDeletion+195j
		mov	eax, 2AAAAAABh
		imul	esi
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		jmp	loc_46180D
; 

loc_461C27:				; CODE XREF: MiFinishVadDeletion+498j
		mov	eax, 2AAAAAABh
		imul	esi
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		jmp	loc_461B10
; 

loc_461C3D:				; CODE XREF: MiFinishVadDeletion+11Bj
					; MiFinishVadDeletion+123j
		mov	ecx, [ebx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_46179C
; 

loc_461C4D:				; CODE XREF: MiFinishVadDeletion+41Ej
					; MiFinishVadDeletion+426j
		mov	ecx, [ebx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_461A9F
; 

loc_461C5D:				; CODE XREF: MiFinishVadDeletion+8Cj
		test	ecx, 200000h
		jz	loc_461702
		dec	dword ptr [edx+98h]
		jmp	loc_461702
; 

loc_461C74:				; CODE XREF: MiFinishVadDeletion+392j
		test	ecx, 400000h
		jz	loc_461A08
		jmp	loc_5B1058
; 

loc_461C85:				; CODE XREF: MiFinishVadDeletion+519j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_461B8F
; 
		align 10h

loc_461C90:				; CODE XREF: MiFinishVadDeletion+289j
					; MiFinishVadDeletion+645j
		test	edx, 40000000h
		jz	short loc_461CBC

loc_461C98:				; CODE XREF: MiFinishVadDeletion+65Cj
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jz	loc_5B0FB8

loc_461CA5:				; CODE XREF: MiFinishVadDeletion+14F94Fj
		pause

loc_461CA7:				; CODE XREF: MiFinishVadDeletion+14F95Bj
		mov	eax, [edi]

loc_461CA9:				; CODE XREF: MiFinishVadDeletion+65Ej
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_461C90
		jmp	loc_4618FF
; 

loc_461CBC:				; CODE XREF: MiFinishVadDeletion+626j
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_461C98
		jmp	short loc_461CA9
; 

loc_461CD0:				; CODE XREF: MiFinishVadDeletion+3B7j
					; MiFinishVadDeletion+3C1j
		mov	[ebp+var_18], 0
		jmp	loc_461A3E
; 

loc_461CDC:				; CODE XREF: MiFinishVadDeletion+2Aj
		mov	[ebp+var_14], 0
		jmp	loc_4616C3
; 

loc_461CE8:				; CODE XREF: MiFinishVadDeletion+155j
		mov	eax, [ebx+5Ch]
		test	eax, 10000h
		jnz	loc_461821
		jmp	loc_5B0F48
; 

loc_461CFB:				; CODE XREF: MiFinishVadDeletion+458j
		mov	eax, [ebx+5Ch]
		test	eax, 10000h
		jnz	loc_461B2A
		jmp	loc_5B125E
; 

loc_461D0E:				; CODE XREF: MiFinishVadDeletion+E8j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_46175E
; 

loc_461D1A:				; CODE XREF: MiFinishVadDeletion+3EBj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_461A61
; 

loc_461D26:				; CODE XREF: MiFinishVadDeletion+273j
		mov	dl, al
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	esi, eax
		jmp	loc_4618E9
; 

loc_461D36:				; CODE XREF: MiFinishVadDeletion+167j
		mov	ecx, esi
		call	KiAbEntryRemoveFromTree
		jmp	loc_4617DD
; 

loc_461D42:				; CODE XREF: MiFinishVadDeletion+46Aj
		mov	ecx, esi
		call	KiAbEntryRemoveFromTree
		jmp	loc_461AE0
; 

loc_461D4E:				; CODE XREF: MiFinishVadDeletion+1E5j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_46185B
; 

loc_461D58:				; CODE XREF: MiFinishVadDeletion+4EEj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_461B64
; 

loc_461D62:				; CODE XREF: MiFinishVadDeletion+1C0j
		test	edi, 8000h
		jnz	loc_461DFE

loc_461D6E:				; CODE XREF: MiFinishVadDeletion+797j
		test	byte ptr [ebp+var_C+2],	1
		jnz	loc_5B0F69

loc_461D78:				; CODE XREF: MiFinishVadDeletion+14F905j
		test	edi, 7FFFh
		jz	short loc_461D8F
		and	edi, 7FFFh
		mov	ecx, ebx
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_461D8F:				; CODE XREF: MiFinishVadDeletion+70Ej
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_461836
		jmp	loc_5B0F7A
; 

loc_461DA4:				; CODE XREF: MiFinishVadDeletion+4C9j
		test	edi, 8000h
		jnz	short loc_461E0C

loc_461DAC:				; CODE XREF: MiFinishVadDeletion+7A5j
		test	byte ptr [ebp+var_1C+2], 1
		jnz	loc_5B1287

loc_461DB6:				; CODE XREF: MiFinishVadDeletion+14FC23j
		test	edi, 7FFFh
		jz	short loc_461DCD
		and	edi, 7FFFh
		mov	ecx, ebx
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_461DCD:				; CODE XREF: MiFinishVadDeletion+74Cj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_461B3F
		jmp	loc_5B1298
; 

loc_461DE2:				; CODE XREF: MiFinishVadDeletion+2F2j
		mov	ecx, esi
		call	_MiDeleteDeferredCloneDescriptors@4 ; MiDeleteDeferredCloneDescriptors(x)
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_C]
		mov	dl, [eax+60h]
		jmp	loc_461968
; 

loc_461DF7:				; CODE XREF: MiFinishVadDeletion+3AFj
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_461DFE:				; CODE XREF: MiFinishVadDeletion+6F8j
		xor	edx, edx
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_461D6E
; 

loc_461E0C:				; CODE XREF: MiFinishVadDeletion+73Aj
		xor	edx, edx
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_461DAC
MiFinishVadDeletion endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1749. PsChargeProcessNonPagedPoolQuota

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsChargeProcessNonPagedPoolQuota(x,	x)
		public _PsChargeProcessNonPagedPoolQuota@8
_PsChargeProcessNonPagedPoolQuota@8 proc near ;	CODE XREF: MiCloneVads+104p
					; MiCreateCloneChain+DCp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		cmp	edx, ds:_PsInitialSystemProcess
		jz	short loc_461E40
		push	[ebp+arg_4]
		mov	ecx, [edx+188h]
		push	0
		call	@PspChargeQuota@16 ; PspChargeQuota(x,x,x,x)

loc_461E3C:				; CODE XREF: PsChargeProcessNonPagedPoolQuota(x,x)+26j
		pop	ebp
		retn	8
; 

loc_461E40:				; CODE XREF: PsChargeProcessNonPagedPoolQuota(x,x)+Ej
		xor	eax, eax
		jmp	short loc_461E3C
_PsChargeProcessNonPagedPoolQuota@8 endp

; 
		align 10h
; Exported entry 2329. RtlSetBits

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSetBits(x, x, x)
		public _RtlSetBits@12
_RtlSetBits@12	proc near		; CODE XREF: RtlFindClearBitsAndSet+C7p
					; MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+3D1p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_461E82
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, ecx
		and	ecx, 7
		shr	ebx, 3
		add	ebx, [eax+4]
		lea	edx, [ecx+esi]
		cmp	edx, 8
		ja	short loc_461E87
		mov	al, ds:byte_40BA58[esi]
		shl	al, cl

loc_461E7F:				; CODE XREF: RtlSetBits(x,x,x)+71j
		or	[ebx], al

loc_461E81:				; CODE XREF: RtlSetBits(x,x,x)+69j
		pop	ebx

loc_461E82:				; CODE XREF: RtlSetBits(x,x,x)+Bj
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_461E87:				; CODE XREF: RtlSetBits(x,x,x)+25j
		test	ecx, ecx
		jz	short loc_461E97
		mov	al, ds:byte_40AA48[ecx]
		lea	esi, [edx-8]
		or	[ebx], al
		inc	ebx

loc_461E97:				; CODE XREF: RtlSetBits(x,x,x)+39j
		cmp	esi, 8
		jbe	short loc_461EB7
		push	edi
		mov	edi, esi
		shr	edi, 3
		push	edi		; size_t
		push	0FFh		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		add	ebx, edi
		and	esi, 7
		pop	edi

loc_461EB7:				; CODE XREF: RtlSetBits(x,x,x)+4Aj
		test	esi, esi
		jz	short loc_461E81
		mov	al, ds:byte_40BA58[esi]
		jmp	short loc_461E7F
_RtlSetBits@12	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall LOCK_PAGE_TABLE_COMMITMENT(x, x)
_LOCK_PAGE_TABLE_COMMITMENT@8 proc near	; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+101p
					; MmAssignProcessToJob+69p ...
		dec	word ptr [ecx+13Eh]
		nop
		lea	ecx, [edx+138h]
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_LOCK_PAGE_TABLE_COMMITMENT@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

UNLOCK_PAGE_TABLE_COMMITMENT proc near	; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+23Ap
					; MmAssignProcessToJob+A3p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005B12D1 SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		lea	ecx, [edx+138h]
		mov	[ebp+var_1C], esi
		mov	[ebp+var_8], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_462061

loc_461F08:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+189j
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_462009
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_18], esi
		cmp	ecx, edx
		jb	short loc_461F51
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_46202D
		cmp	ecx, edx
		jb	short loc_461F51
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_46202D

loc_461F51:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+51j
					; UNLOCK_PAGE_TABLE_COMMITMENT+62j
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx

loc_461F57:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+160j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	[ebp+var_1], al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jz	loc_462052
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_46206E

loc_461F98:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+196j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		jnz	short loc_46201A

loc_461FC2:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+14Bj
		cmp	[ebp+var_1], 1
		jnz	loc_5B12E4
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_461FDC:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+17Aj
					; UNLOCK_PAGE_TABLE_COMMITMENT+14F414j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_18], eax
		jnz	loc_462082

loc_461FF3:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+1D5j
					; UNLOCK_PAGE_TABLE_COMMITMENT+14F437j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_462006
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	short loc_46207B

loc_462006:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+11Cj
					; UNLOCK_PAGE_TABLE_COMMITMENT+1A0j
		mov	esi, [ebp+var_1C]

loc_462009:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+34j
		nop
		add	word ptr [esi+13Eh], 1
		pop	edi
		jz	short loc_462045

loc_462015:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+16Bj
					; UNLOCK_PAGE_TABLE_COMMITMENT+14F441j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_46201A:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+E0j
		mov	eax, 2AAAAAABh
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		jmp	short loc_461FC2
; 

loc_46202D:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+5Aj
					; UNLOCK_PAGE_TABLE_COMMITMENT+6Bj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax
		jmp	loc_461F57
; 

loc_462045:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+133j
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_462015
		jmp	loc_5B131C
; 

loc_462052:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+A0j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_461FDC
		jmp	loc_5B12D1
; 

loc_462061:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+22j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_461F08
; 

loc_46206E:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+B2j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_14]
		jmp	loc_461F98
; 

loc_46207B:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+124j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_462006
; 

loc_462082:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+10Dj
		test	edi, 8000h
		jnz	short loc_4620C0

loc_46208A:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+1E9j
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5B12F9

loc_462094:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+14F425j
		test	edi, 7FFFh
		jz	short loc_4620AB
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4620AB:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+1BAj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_461FF3
		jmp	loc_5B130A
; 

loc_4620C0:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+1A8j
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_46208A
UNLOCK_PAGE_TABLE_COMMITMENT endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFlushSectionInternal proc near	; CODE XREF: MmFlushSection+BFp
					; MmFlushSection+157p ...

var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_135		= byte ptr -135h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_A8		= dword	ptr -0A8h
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005B1326 SIZE 00000452 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 148h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+148h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[esp+150h+var_D8], eax
		mov	eax, [ebp+arg_10]
		push	60h		; size_t
		mov	[esp+154h+var_120], eax
		lea	eax, [esp+154h+var_A8]
		push	0		; int
		push	eax		; void *
		mov	[esp+15Ch+var_E8], edx
		mov	[esp+15Ch+var_B8], ecx
		mov	[esp+15Ch+var_BC], edi
		mov	[esp+15Ch+var_100], esi
		mov	[esp+15Ch+var_C4], 0
		call	_memset
		mov	eax, [ebp+arg_C]
		add	esp, 0Ch
		mov	[esp+150h+var_13C], 0
		test	al, 2
		jnz	short loc_46214E
		mov	[esp+150h+var_13C], 2

loc_46214E:				; CODE XREF: MiFlushSectionInternal+74j
		test	esi, esi
		jnz	loc_5B1326

loc_462156:				; CODE XREF: MiFlushSectionInternal+14F25Cj
		mov	edi, [edi]
		lea	esi, [esp+150h+var_A8]
		mov	[esp+150h+var_DC], 0
		mov	[esp+150h+var_108], 0
		mov	[esp+150h+var_140], esi
		test	dword ptr [edi+1Ch], 40000000h
		mov	[esp+150h+var_10C], edi
		jnz	loc_5B1331

loc_462184:				; CODE XREF: MiFlushSectionInternal+14F267j
		test	al, 4
		jnz	loc_5B133C

loc_46218C:				; CODE XREF: MiFlushSectionInternal+14F2A0j
					; MiFlushSectionInternal+14F31Cj
		add	[esp+150h+var_E8], 8
		mov	ecx, edi
		call	MiReferenceControlAreaFile
		mov	ecx, large fs:124h
		mov	[esp+150h+var_104], eax
		mov	[esp+150h+var_EC], ecx
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		mov	[esp+150h+var_C0], eax
		cmp	eax, 2
		jl	loc_462992

loc_4621BC:				; CODE XREF: MiFlushSectionInternal+8C9j
					; MiFlushSectionInternal+8DCj ...
		cmp	[ebp+arg_C], 0
		jl	loc_5B13F1

loc_4621C6:				; CODE XREF: MiFlushSectionInternal+14F326j
		mov	eax, [esp+150h+var_120]
		mov	[esp+150h+var_11C], 10h
		mov	[esp+150h+var_FC], 0
		mov	[esp+150h+var_E0], 1
		mov	dword ptr [eax], 0
		mov	dword ptr [eax+4], 0
		xor	eax, eax
		mov	[esi+6], ax
		mov	[esi+10h], eax
		mov	[esi+18h], eax
		mov	[esi+14h], eax
		mov	eax, [esp+150h+var_BC]
		mov	dword ptr [esi], 0
		mov	esi, [esp+150h+var_B8]
		dec	word ptr [ecx+13Ch]
		mov	[esp+150h+var_118], 0
		mov	[esp+150h+var_12C], eax
		nop
		lea	eax, [edi+24h]
		push	eax
		mov	[esp+154h+var_F0], eax
		call	ExAcquireSpinLockExclusive
		cmp	dword ptr [edi+10h], 0
		mov	[esp+150h+var_135], al
		jz	loc_5B13FB
		mov	eax, [edi+48h]
		lea	ecx, ds:0[eax*8]
		mov	[esp+150h+var_F8], ecx
		test	ecx, ecx
		jnz	loc_462B02

loc_462257:				; CODE XREF: MiFlushSectionInternal+A40j
					; MiFlushSectionInternal+14F3B9j
		xor	ecx, ecx
		mov	[esp+150h+var_E4], ecx
		mov	ecx, [esp+150h+var_12C]

loc_462261:				; CODE XREF: MiFlushSectionInternal+AA1j
					; MiFlushSectionInternal+B28j
		cmp	ecx, [esp+150h+var_D8]
		jnz	loc_462B35
		mov	edx, [esp+150h+var_E8]

loc_46226F:				; CODE XREF: MiFlushSectionInternal+A80j
		mov	[esp+150h+var_110], edx
		test	esi, esi
		jz	loc_462BFD

loc_46227B:				; CODE XREF: MiFlushSectionInternal+B30j
		cmp	dword ptr [ecx+40h], 0
		jz	loc_462BC6
		cmp	dword ptr [ecx+4], 0
		jz	loc_462BC6
		call	MiIncrementSubsectionViewCount
		mov	eax, [esp+150h+var_12C]
		test	byte ptr [eax+12h], 8
		jnz	loc_462B76

loc_4622A2:				; CODE XREF: MiFlushSectionInternal+AADj
		mov	eax, [esp+150h+var_F0]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+150h+var_135]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	edi, edi
		mov	[esp+150h+var_B0], esi
		mov	al, 21h
		mov	[esp+150h+var_130], edi
		mov	byte ptr [esp+150h+var_134], al
		cmp	esi, [esp+150h+var_110]
		jnb	loc_46272E

loc_4622D3:				; CODE XREF: MiFlushSectionInternal+556j
		test	esi, 0FFFh
		jz	loc_46268A
		cmp	al, 21h
		jz	loc_462692
		jmp	short loc_4622F0
; 
		align 10h

loc_4622F0:				; CODE XREF: MiFlushSectionInternal+217j
					; MiFlushSectionInternal+2A6j ...
		mov	edi, [esi]
		mov	[esp+150h+var_D0], 0
		mov	[esp+150h+var_CC], 0
		mov	[esp+150h+var_F4], edi
		nop
		mov	ecx, [esi+4]
		mov	eax, edi
		and	eax, 1
		mov	[esp+150h+var_144], ecx
		or	eax, 0
		jnz	loc_462668
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		jnz	loc_46264A
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jz	loc_46264A
		mov	eax, edi
		or	eax, ecx
		jz	loc_5B148E
		mov	edx, dword_6D0700
		mov	eax, edx
		mov	ecx, dword_6D0704
		or	eax, ecx
		mov	[esp+150h+var_128], ecx
		jz	loc_5B148E
		mov	ecx, edi
		and	ecx, edx
		mov	edx, [esp+150h+var_144]
		mov	eax, edx
		and	eax, [esp+150h+var_128]
		or	ecx, eax
		jz	loc_4622F0

loc_46237C:				; CODE XREF: MiFlushSectionInternal+14F3C2j
		mov	eax, dword_6D0700
		mov	ecx, edi
		mov	edi, dword_6D0704
		mov	[esp+150h+var_124], eax
		or	eax, edi
		mov	[esp+150h+var_D4], edi
		mov	edi, [esp+150h+var_F4]
		mov	[esp+150h+var_128], ecx
		mov	[esp+150h+var_114], edx
		jz	short loc_4623C3
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	loc_5B1497
		mov	ecx, [esp+150h+var_124]
		mov	edx, [esp+150h+var_D4]
		not	ecx
		and	ecx, [esp+150h+var_128]
		not	edx
		and	edx, [esp+150h+var_114]

loc_4623C3:				; CODE XREF: MiFlushSectionInternal+2CFj
					; MiFlushSectionInternal+14F3CBj
		shrd	ecx, edx, 0Ch
		and	ecx, 3FFFFFFh

loc_4623CD:				; CODE XREF: MiFlushSectionInternal+5A9j
		mov	[esp+150h+var_128], ecx
		cmp	ecx, dword_6D07B0
		ja	loc_4622F0
		mov	eax, dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_4622F0
		mov	eax, [esp+150h+var_128]
		mov	[esp+150h+var_D4], 0
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		lea	edx, [eax+10h]
		mov	[esp+150h+var_114], eax
		mov	[esp+150h+var_124], edx
		lock bts dword ptr [edx], 1Fh
		jb	loc_462BA0

loc_46242B:				; CODE XREF: MiFlushSectionInternal+AF1j
		mov	eax, [esi]
		nop
		mov	ecx, [esi+4]
		cmp	eax, edi
		jnz	loc_5B14A0
		cmp	ecx, [esp+150h+var_144]
		jnz	loc_5B14A0
		mov	edi, [esp+150h+var_114]
		test	edi, edi
		jz	loc_46264A
		mov	ecx, [esi]
		mov	[esp+150h+var_128], ecx
		nop
		mov	edx, [esp+150h+var_140]
		mov	al, [edi+16h]
		add	edx, 14h
		mov	[esp+150h+var_144], edx
		test	al, 8
		jnz	loc_462C4E
		mov	[esp+150h+var_144], edx
		test	al, 10h
		jz	loc_46262B
		mov	[esp+150h+var_144], edx
		mov	edx, [edx]
		mov	[esp+150h+var_F4], edx
		test	al, 20h
		jnz	loc_5B14AD
		xor	eax, eax
		mov	[esp+150h+var_124], eax
		test	edx, edx
		jz	loc_462933

loc_462498:				; CODE XREF: MiFlushSectionInternal+8B1j
		and	ecx, 1
		or	ecx, 0
		jnz	loc_46267E

loc_4624A4:				; CODE XREF: MiFlushSectionInternal+5B5j
		mov	eax, [edi+8]
		xor	ecx, ecx
		and	eax, 400h
		mov	[esp+150h+var_128], ecx
		or	eax, ecx
		jz	short loc_4624BF
		mov	ecx, 1
		mov	[esp+150h+var_128], ecx

loc_4624BF:				; CODE XREF: MiFlushSectionInternal+3E4j
		test	byte ptr [esp+150h+var_124], 2
		jnz	loc_462986

loc_4624CA:				; CODE XREF: MiFlushSectionInternal+8BDj
		mov	eax, ecx
		mov	ecx, 0
		and	eax, 2
		setz	cl
		neg	eax
		sbb	eax, eax
		mov	[esp+150h+var_B4], eax
		mov	eax, large fs:20h
		lea	ecx, ds:4[ecx*4]
		mov	edx, [eax+3D30h]
		add	eax, 3D30h
		mov	[esp+150h+var_D0], ecx
		mov	[esp+150h+var_F4], eax
		cmp	edx, 1
		jb	loc_462ADB
		mov	edi, edi

loc_462510:				; CODE XREF: MiFlushSectionInternal+14F470j
		cmp	edx, 0FFFFFFFFh
		jz	loc_462ADB
		mov	edi, [esp+150h+var_F4]
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	edi, [esp+150h+var_114]
		cmp	eax, edx
		jnz	loc_5B153B
		mov	[esp+150h+var_114], 1

loc_46253A:				; CODE XREF: MiFlushSectionInternal+A27j
		test	byte ptr [esp+150h+var_128], 1
		jz	short loc_46255F
		push	[esp+150h+var_D0]
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiChargeCommit
		test	eax, eax
		jz	loc_5B154B

loc_46255F:				; CODE XREF: MiFlushSectionInternal+46Fj
		test	byte ptr [esp+150h+var_124], 4
		jnz	short loc_462576
		xor	edx, edx
		mov	ecx, edi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		and	dword ptr [edi+10h], 0C0000000h

loc_462576:				; CODE XREF: MiFlushSectionInternal+494j
		mov	al, [edi+16h]
		inc	word ptr [edi+14h]
		or	al, 8
		mov	[edi+16h], al
		mov	al, [edi+16h]
		and	al, 0EFh
		mov	[edi+16h], al
		mov	eax, [edi+8]
		and	eax, 400h
		or	eax, 0
		jz	loc_5B1574

loc_46259B:				; CODE XREF: MiFlushSectionInternal+14F49Fj
					; MiFlushSectionInternal+14F4B4j ...
		lea	eax, [edi+10h]
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		cmp	[esp+150h+var_114], 0
		jz	loc_5B159B
		sub	edi, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	edi
		add	edx, edi
		mov	edi, [esp+150h+var_140]
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	edx, [esp+150h+var_144]
		mov	eax, [edx]
		mov	[edi+eax*4+1Ch], ecx
		mov	ecx, [edx]
		mov	edi, [edi+18h]
		inc	ecx
		cmp	[esp+150h+var_114], 3
		mov	[edx], ecx
		jz	loc_5B15A5

loc_4625EB:				; CODE XREF: MiFlushSectionInternal+14F4E7j
		cmp	ecx, edi
		jz	loc_4629D7
		mov	[esp+150h+var_144], edx

loc_4625F7:				; CODE XREF: MiFlushSectionInternal+589j
		mov	eax, [esp+150h+var_13C]

loc_4625FB:				; CODE XREF: MiFlushSectionInternal+56Fj
					; MiFlushSectionInternal+578j ...
		add	esi, 8
		test	al, 4
		jnz	loc_462845
		cmp	esi, [esp+150h+var_110]
		jz	loc_46283D

loc_462610:				; CODE XREF: MiFlushSectionInternal+64Bj
					; MiFlushSectionInternal+76Fj ...
		mov	edi, [esp+150h+var_130]

loc_462614:				; CODE XREF: MiFlushSectionInternal+5F4j
		mov	dl, byte ptr [esp+150h+var_134]

loc_462618:				; CODE XREF: MiFlushSectionInternal+BBDj
					; MiFlushSectionInternal+14F466j
		cmp	esi, [esp+150h+var_110]
		jnb	loc_462725
		mov	al, byte ptr [esp+150h+var_134]
		jmp	loc_4622D3
; 

loc_46262B:				; CODE XREF: MiFlushSectionInternal+3A2j
		mov	ecx, [esp+150h+var_124]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	ecx, [edx]
		mov	eax, [esp+150h+var_13C]
		test	ecx, ecx
		jz	short loc_4625FB
		or	eax, 4
		mov	[esp+150h+var_13C], eax
		jmp	short loc_4625FB
; 

loc_46264A:				; CODE XREF: MiFlushSectionInternal+25Cj
					; MiFlushSectionInternal+26Cj ...
		mov	edx, [esp+150h+var_140]
		add	edx, 14h
		mov	[esp+150h+var_144], edx
		mov	ecx, [edx]
		test	ecx, ecx
		jz	short loc_4625F7
		mov	eax, [esp+150h+var_13C]
		or	eax, 4
		mov	[esp+150h+var_13C], eax
		jmp	short loc_4625FB
; 

loc_462668:				; CODE XREF: MiFlushSectionInternal+24Cj
		nop
		mov	eax, [esp+150h+var_144]
		mov	ecx, edi
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		jmp	loc_4623CD
; 

loc_46267E:				; CODE XREF: MiFlushSectionInternal+3CEj
		or	eax, 4
		mov	[esp+150h+var_124], eax
		jmp	loc_4624A4
; 

loc_46268A:				; CODE XREF: MiFlushSectionInternal+209j
		cmp	al, 21h
		jnz	loc_462B27

loc_462692:				; CODE XREF: MiFlushSectionInternal+211j
					; MiFlushSectionInternal+A60j
		lea	edx, [esp+150h+var_134]
		mov	ecx, esi
		call	MiCheckProtoPtePageState
		mov	edi, eax
		mov	[esp+150h+var_130], edi
		test	edi, edi
		jnz	loc_4622F0
		mov	ecx, [esp+150h+var_140]
		and	esi, 0FFFFF000h
		add	ecx, 14h
		add	esi, 1000h
		mov	[esp+150h+var_144], ecx
		cmp	[ecx], eax
		jz	loc_462614
		jmp	loc_462849
; 

loc_4626CF:				; CODE XREF: MiFlushSectionInternal+836j
		mov	esi, edi
		cmp	ecx, 0C0000054h
		jnz	short loc_4626E4
		test	byte ptr [esp+150h+var_13C], 10h
		jnz	loc_5B1656

loc_4626E4:				; CODE XREF: MiFlushSectionInternal+607j
		mov	eax, [esp+150h+var_144]
		mov	edi, [eax]
		mov	edx, edi
		call	_MiIsRetryIoStatus@8 ; MiIsRetryIoStatus(x,x)
		test	eax, eax
		jnz	loc_5B165D

loc_4626F9:				; CODE XREF: MiFlushSectionInternal+14F59Fj
					; MiFlushSectionInternal+14F5ABj
		xor	edi, edi

loc_4626FB:				; CODE XREF: MiFlushSectionInternal+14F5D8j
		mov	eax, [esp+150h+var_140]
		lea	ecx, [esp+150h+var_A8]
		mov	[esp+150h+var_E0], edi
		cmp	eax, ecx
		jnz	loc_462C05

loc_462712:				; CODE XREF: MiFlushSectionInternal+B57j
		mov	dword ptr [eax+14h], 0
		test	edi, edi
		jnz	loc_462610

loc_462721:				; CODE XREF: MiFlushSectionInternal+14F603j
		mov	dl, byte ptr [esp+150h+var_134]

loc_462725:				; CODE XREF: MiFlushSectionInternal+54Cj
		cmp	dl, 21h
		jnz	loc_462A72

loc_46272E:				; CODE XREF: MiFlushSectionInternal+1FDj
					; MiFlushSectionInternal+9ABj
		push	[esp+150h+var_F0]
		mov	eax, esi
		sub	eax, [esp+154h+var_B0]
		sar	eax, 3
		shl	eax, 0Ch
		add	[esp+154h+var_118], eax
		call	ExAcquireSpinLockExclusive
		mov	edx, [esp+150h+var_12C]
		cmp	dword ptr [edx+8], 0
		lea	edi, [edx+8]
		mov	[esp+150h+var_135], al
		jnz	short loc_462776
		mov	eax, [edx+24h]
		mov	ecx, [edx+1Ch]
		and	eax, 3FFFFFFFh
		sub	ecx, eax
		mov	eax, [edx+4]
		lea	eax, [eax+ecx*8]
		cmp	esi, eax
		jz	loc_462AB0

loc_462776:				; CODE XREF: MiFlushSectionInternal+689j
					; MiFlushSectionInternal+9F0j ...
		mov	ecx, edx
		call	MiDecrementSubsectionViewCount
		add	[esp+150h+var_E4], eax
		mov	eax, [esp+150h+var_12C]
		cmp	dword ptr [eax+3Ch], 0
		jz	loc_462B82

loc_46278F:				; CODE XREF: MiFlushSectionInternal+AB6j
					; MiFlushSectionInternal+ACBj
		test	byte ptr [esp+150h+var_13C], 8
		jnz	short loc_4627A0
		cmp	eax, [esp+150h+var_D8]
		jnz	loc_462B55

loc_4627A0:				; CODE XREF: MiFlushSectionInternal+6C4j
					; MiFlushSectionInternal+A8Aj ...
		mov	edi, [esp+150h+var_118]

loc_4627A4:				; CODE XREF: MiFlushSectionInternal+B19j
					; MiFlushSectionInternal+14F621j ...
		push	[esp+150h+var_F0]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+150h+var_135]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [esp+150h+var_DC]
		test	esi, esi
		jnz	loc_462C92

loc_4627C3:				; CODE XREF: MiFlushSectionInternal+BC7j
					; MiFlushSectionInternal+14F65Ej
		mov	esi, [esp+150h+var_10C]
		add	esi, 20h
		mov	ecx, [esi]
		mov	eax, ecx
		xor	eax, [esp+150h+var_104]
		cmp	eax, 7
		jnb	loc_462C3B
		jmp	short loc_4627E0
; 
		align 10h

loc_4627E0:				; CODE XREF: MiFlushSectionInternal+70Bj
					; MiFlushSectionInternal+B65j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jnz	loc_462C2C

loc_4627F1:				; CODE XREF: MiFlushSectionInternal+B79j
		mov	eax, [esp+150h+var_F8]
		test	eax, eax
		jnz	loc_462B1B

loc_4627FD:				; CODE XREF: MiFlushSectionInternal+A52j
		mov	ecx, [esp+150h+var_EC]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, [esp+150h+var_13C]
		test	al, 1
		jnz	loc_5B1733
		test	al, 8
		mov	eax, [esp+150h+var_120]
		jnz	loc_5B1768
		mov	eax, [eax]

loc_462820:				; CODE XREF: MiFlushSectionInternal+14F6A3j
		mov	ecx, [esp+150h+var_120]
		mov	[ecx+4], edi

loc_462827:				; CODE XREF: MiFlushSectionInternal+14F299j
					; MiFlushSectionInternal+14F3ADj ...
		mov	ecx, [esp+150h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_46283D:				; CODE XREF: MiFlushSectionInternal+53Aj
		test	ecx, ecx
		jz	loc_462610

loc_462845:				; CODE XREF: MiFlushSectionInternal+530j
					; MiFlushSectionInternal+B8Fj ...
		mov	edi, [esp+150h+var_130]

loc_462849:				; CODE XREF: MiFlushSectionInternal+5FAj
		mov	al, byte ptr [esp+150h+var_134]
		cmp	al, 21h
		jz	short loc_46285F
		mov	dl, al
		mov	ecx, edi
		call	MiUnlockProtoPoolPage
		mov	byte ptr [esp+150h+var_134], 21h

loc_46285F:				; CODE XREF: MiFlushSectionInternal+77Fj
					; MiFlushSectionInternal+921j
		mov	ecx, [esp+150h+var_144]

loc_462863:				; CODE XREF: MiFlushSectionInternal+9BBj
					; MiFlushSectionInternal+14F50Cj
		mov	eax, [ecx]
		push	[ebp+arg_C]
		mov	edx, [esp+154h+var_12C]
		and	[esp+154h+var_13C], 0FFFFFFFBh
		shl	eax, 0Ch
		mov	[ecx], eax
		mov	ecx, [esp+154h+var_140]
		call	MiReadyFlushMdlToWrite
		cmp	[esp+150h+var_108], 0
		mov	edi, eax
		mov	[esp+150h+var_D0], edi
		jnz	loc_5B15F9
		mov	eax, [esp+150h+var_140]
		mov	eax, [eax+1Ch]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		mov	edi, [eax+ecx*4+4]
		mov	eax, [esp+150h+var_10C]
		or	edi, 80000000h
		mov	ecx, [esp+150h+var_120]
		push	ecx
		test	dword ptr [eax+1Ch], 40000000h
		jnz	loc_5B1647
		mov	eax, [ebp+arg_C]
		push	[esp+154h+var_F8]
		mov	ecx, [esp+158h+var_104]
		shr	eax, 2
		and	al, 4
		movzx	eax, al
		push	eax
		push	edx
		push	[esp+160h+var_D0]
		mov	edx, [esp+164h+var_140]
		call	_MiIssueSynchronousFlush@28 ; MiIssueSynchronousFlush(x,x,x,x,x,x,x)

loc_4628ED:				; CODE XREF: MiFlushSectionInternal+14F581j
		push	[esp+150h+var_120]
		mov	edx, [esp+154h+var_10C]
		mov	ecx, [esp+154h+var_140]
		call	MiUnlockFlushMdl
		mov	eax, [esp+150h+var_120]
		mov	ecx, [eax]
		test	ecx, ecx
		js	loc_4626CF
		mov	eax, [esp+150h+var_140]
		lea	ecx, [esp+150h+var_A8]
		mov	[esp+150h+var_FC], 0
		cmp	eax, ecx
		jnz	loc_462A90

loc_462927:				; CODE XREF: MiFlushSectionInternal+9DBj
		mov	dword ptr [eax+14h], 0
		jmp	loc_462610
; 

loc_462933:				; CODE XREF: MiFlushSectionInternal+3C2j
		push	[esp+150h+var_F0]
		mov	[esp+154h+var_124], 2
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	eax, [esp+150h+var_10C]
		push	[esp+150h+var_F0]
		inc	dword ptr [eax+28h]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	ecx, [esp+150h+var_140]
		xor	eax, eax
		mov	[ecx+6], ax
		mov	[ecx+10h], eax
		mov	eax, [esp+150h+var_144]
		mov	dword ptr [ecx], 0
		mov	dword ptr [eax], 0
		mov	eax, [esp+150h+var_11C]
		mov	[ecx+18h], eax
		mov	eax, 2
		mov	ecx, [esp+150h+var_128]
		jmp	loc_462498
; 

loc_462986:				; CODE XREF: MiFlushSectionInternal+3F4j
		or	ecx, 2
		mov	[esp+150h+var_128], ecx
		jmp	loc_4624CA
; 

loc_462992:				; CODE XREF: MiFlushSectionInternal+E6j
		test	dword ptr [ecx+58h], 400h
		jnz	loc_4621BC
		mov	cl, [ecx+15Ah]
		cmp	cl, 1
		mov	ecx, [esp+150h+var_EC]
		jz	loc_4621BC
		mov	eax, large fs:124h
		mov	eax, [eax+2D4h]
		cmp	eax, 2
		jz	loc_4621BC
		mov	[esp+150h+var_C0], 2
		jmp	loc_4621BC
; 

loc_4629D7:				; CODE XREF: MiFlushSectionInternal+51Dj
		mov	edi, 1

loc_4629DC:				; CODE XREF: MiFlushSectionInternal+14F4D0j
					; MiFlushSectionInternal+14F4F2j
		mov	dl, byte ptr [esp+150h+var_134]
		mov	ecx, [esp+150h+var_130]
		call	MiUnlockProtoPoolPage
		mov	byte ptr [esp+150h+var_134], 21h
		cmp	edi, 3
		jz	loc_46285F
		cmp	edi, 2
		jz	loc_462A80
		mov	ecx, [esp+150h+var_11C]
		cmp	ecx, 1
		jz	short loc_462A80
		mov	eax, [esp+150h+var_110]
		lea	edi, [esi+8]
		cmp	edi, eax
		jnb	short loc_462A80
		sub	eax, esi
		lea	edx, [ecx-1]
		mov	ecx, [esp+150h+var_140]
		sar	eax, 3
		add	edx, eax
		call	_MiExpandFlushMdl@8 ; MiExpandFlushMdl(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5B15C7
		mov	ecx, [esp+150h+var_140]
		lea	eax, [esp+150h+var_A8]
		cmp	ecx, eax
		jz	short loc_462A54
		mov	eax, [esp+150h+var_108]
		test	eax, eax
		jnz	loc_5B15E1

loc_462A4C:				; CODE XREF: MiFlushSectionInternal+14F51Cj
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_462A54:				; CODE XREF: MiFlushSectionInternal+96Ej
					; MiFlushSectionInternal+14F516j
		mov	eax, [esp+150h+var_108]
		mov	[esp+150h+var_140], esi
		test	eax, eax
		jnz	loc_5B15F1

loc_462A64:				; CODE XREF: MiFlushSectionInternal+14F524j
		mov	eax, [esi+18h]
		mov	esi, edi
		mov	[esp+150h+var_11C], eax
		jmp	loc_462610
; 

loc_462A72:				; CODE XREF: MiFlushSectionInternal+658j
		mov	ecx, [esp+150h+var_130]
		call	MiUnlockProtoPoolPage
		jmp	loc_46272E
; 

loc_462A80:				; CODE XREF: MiFlushSectionInternal+92Aj
					; MiFlushSectionInternal+937j ...
		mov	ecx, [esp+150h+var_144]
		add	esi, 8
		mov	[esp+150h+var_144], ecx
		jmp	loc_462863
; 

loc_462A90:				; CODE XREF: MiFlushSectionInternal+851j
		push	0
		push	eax
		mov	[esp+158h+var_11C], 10h
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [esp+150h+var_A8]

loc_462AA7:				; CODE XREF: MiFlushSectionInternal+14F572j
		mov	[esp+150h+var_140], eax
		jmp	loc_462927
; 

loc_462AB0:				; CODE XREF: MiFlushSectionInternal+6A0j
		mov	ecx, edx
		call	_MiEndingOffset@4 ; MiEndingOffset(x)
		mov	edx, [esp+150h+var_12C]
		and	eax, 0FFFh
		jz	loc_462776
		mov	ecx, [esp+150h+var_118]
		add	ecx, 0FFFFF000h
		add	ecx, eax
		mov	[esp+150h+var_118], ecx
		jmp	loc_462776
; 

loc_462ADB:				; CODE XREF: MiFlushSectionInternal+438j
					; MiFlushSectionInternal+443j ...
		push	[esp+150h+var_B4]
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiChargePartitionResidentAvailable
		mov	[esp+150h+var_114], eax
		test	eax, eax
		jnz	loc_46253A
		jmp	loc_5B1567
; 

loc_462B02:				; CODE XREF: MiFlushSectionInternal+181j
		mov	eax, 1
		lock xadd [ecx+10h], eax
		inc	eax
		cmp	eax, 1
		jg	loc_462257
		jmp	loc_5B1482
; 

loc_462B1B:				; CODE XREF: MiFlushSectionInternal+727j
		mov	ecx, eax
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		jmp	loc_4627FD
; 

loc_462B27:				; CODE XREF: MiFlushSectionInternal+5BCj
		mov	dl, al
		mov	ecx, edi
		call	MiUnlockProtoPoolPage
		jmp	loc_462692
; 

loc_462B35:				; CODE XREF: MiFlushSectionInternal+195j
		mov	eax, [ecx+24h]
		mov	ecx, [ecx+1Ch]
		and	eax, 3FFFFFFFh
		sub	ecx, eax
		mov	eax, [esp+150h+var_12C]
		mov	eax, [eax+4]
		lea	edx, [eax+ecx*8]
		mov	ecx, [esp+150h+var_12C]
		jmp	loc_46226F
; 

loc_462B55:				; CODE XREF: MiFlushSectionInternal+6CAj
		cmp	[esp+150h+var_E0], 0
		jz	loc_4627A0
		mov	ecx, [edi]
		mov	[esp+150h+var_12C], ecx
		test	ecx, ecx
		jz	loc_4627A0
		mov	esi, [ecx+4]
		jmp	loc_462261
; 

loc_462B76:				; CODE XREF: MiFlushSectionInternal+1CCj
		mov	ecx, eax
		call	_MiRemoveUnusedSubsection@4 ; MiRemoveUnusedSubsection(x)
		jmp	loc_4622A2
; 

loc_462B82:				; CODE XREF: MiFlushSectionInternal+6B9j
		test	byte ptr [eax+12h], 1
		jnz	loc_46278F
		mov	ecx, eax
		call	_MiInsertUnusedSubsection@8 ; MiInsertUnusedSubsection(x,x)
		add	[esp+150h+var_E4], eax
		mov	eax, [esp+150h+var_12C]
		jmp	loc_46278F
; 

loc_462BA0:				; CODE XREF: MiFlushSectionInternal+355j
		mov	edi, [esp+150h+var_124]

loc_462BA4:				; CODE XREF: MiFlushSectionInternal+AE0j
					; MiFlushSectionInternal+AE7j
		lea	ecx, [esp+150h+var_D4]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_462BA4
		lock bts dword ptr [edi], 1Fh
		jb	short loc_462BA4
		mov	edi, [esp+150h+var_F4]
		mov	edx, [esp+150h+var_124]
		jmp	loc_46242B
; 

loc_462BC6:				; CODE XREF: MiFlushSectionInternal+1AFj
					; MiFlushSectionInternal+1B9j
		mov	edi, [esp+150h+var_118]
		mov	eax, edx
		sub	eax, esi
		sar	eax, 3
		shl	eax, 0Ch
		add	edi, eax
		mov	eax, [ecx+8]
		mov	[esp+150h+var_118], edi
		test	eax, eax
		jz	loc_5B16D8
		cmp	[esp+150h+var_D8], ecx
		jz	loc_4627A4
		mov	ecx, eax
		mov	[esp+150h+var_12C], ecx
		mov	esi, [ecx+4]
		jmp	loc_462261
; 

loc_462BFD:				; CODE XREF: MiFlushSectionInternal+1A5j
		mov	esi, [ecx+4]
		jmp	loc_46227B
; 

loc_462C05:				; CODE XREF: MiFlushSectionInternal+63Cj
		cmp	[esp+150h+var_11C], 1
		jz	short loc_462C14
		mov	[esp+150h+var_11C], 10h

loc_462C14:				; CODE XREF: MiFlushSectionInternal+B3Aj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [esp+150h+var_A8]
		mov	[esp+150h+var_140], eax
		jmp	loc_462712
; 

loc_462C2C:				; CODE XREF: MiFlushSectionInternal+71Bj
		mov	ecx, eax
		xor	eax, [esp+150h+var_104]
		cmp	eax, 7
		jb	loc_4627E0

loc_462C3B:				; CODE XREF: MiFlushSectionInternal+705j
		push	746C6644h
		push	[esp+154h+var_104]
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_4627F1
; 

loc_462C4E:				; CODE XREF: MiFlushSectionInternal+396j
		cmp	dword ptr [edx], 0
		jz	short loc_462C64
		mov	ecx, [esp+150h+var_124]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		jmp	loc_462845
; 

loc_462C64:				; CODE XREF: MiFlushSectionInternal+B81j
		mov	eax, [esp+150h+var_13C]
		test	al, 2
		jz	loc_5B16AD
		push	[esp+150h+var_134]
		mov	edx, [esp+154h+var_10C]
		mov	ecx, edi
		push	[esp+154h+var_130]
		call	_MiWaitForPageWriteCompletion@16 ; MiWaitForPageWriteCompletion(x,x,x,x)
		mov	edi, [esp+150h+var_130]
		mov	dl, 21h
		mov	byte ptr [esp+150h+var_134], dl
		jmp	loc_462618
; 

loc_462C92:				; CODE XREF: MiFlushSectionInternal+6EDj
		cmp	[esp+150h+var_100], 0
		jnz	loc_4627C3
		jmp	loc_5B1716
MiFlushSectionInternal endp


;  S U B	R O U T	I N E 


; __stdcall MiVadMapsLargeImage(x)
_MiVadMapsLargeImage@4 proc near	; CODE XREF: MiSoftFaultMappedView+62p
					; MiEmptyWorkingSetPrivatePagesByVa+C3p ...
		mov	eax, [ecx+1Ch]
		and	al, 70h
		cmp	al, 20h
		jnz	short loc_462CB5
		mov	eax, [ecx+28h]
		test	eax, 1000000h
		jnz	short loc_462CB8

loc_462CB5:				; CODE XREF: MiVadMapsLargeImage(x)+7j
		xor	eax, eax
		retn
; 

loc_462CB8:				; CODE XREF: MiVadMapsLargeImage(x)+11j
		xor	eax, eax
		inc	eax
		retn
_MiVadMapsLargeImage@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiVadPureReserve(x)
_MiVadPureReserve@4 proc near		; CODE XREF: MiSplitPrivatePage(x,x,x)+42p
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+532p ...
		mov	eax, [ecx+1Ch]
		test	eax, 100000h
		jz	short loc_462CD7
		test	al, 70h
		jnz	short loc_462CD4
		cmp	dword ptr [ecx+20h], 0
		jge	short loc_462CF7

loc_462CD4:				; CODE XREF: MiVadPureReserve(x)+Cj
					; MiVadPureReserve(x)+21j ...
		xor	eax, eax
		retn
; 

loc_462CD7:				; CODE XREF: MiVadPureReserve(x)+8j
		and	eax, 0F80h
		cmp	eax, 0C00h
		jnz	short loc_462CD4
		mov	eax, [ecx+2Ch]
		mov	eax, [eax]
		cmp	dword ptr [eax+20h], 0
		jnz	short loc_462CD4
		test	dword ptr [eax+1Ch], 1000h
		jz	short loc_462CD4

loc_462CF7:				; CODE XREF: MiVadPureReserve(x)+12j
		mov	eax, 1
		retn
_MiVadPureReserve@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiVadLeafPagesPrecharged(x)
_MiVadLeafPagesPrecharged@4 proc near	; CODE XREF: MiCommitPageTablesForVad(x,x,x)+40p
		mov	eax, [ecx+1Ch]
		test	eax, 100000h
		jz	short loc_462D2A
		test	eax, 400000h
		jnz	short loc_462D34
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnb	short loc_462D34

loc_462D1D:				; CODE XREF: MiVadLeafPagesPrecharged(x)+32j
		mov	eax, [ecx+1Ch]
		and	eax, 70h
		cmp	al, 30h
		jz	short loc_462D34
		xor	eax, eax
		retn
; 

loc_462D2A:				; CODE XREF: MiVadLeafPagesPrecharged(x)+8j
		mov	eax, [ecx+28h]
		test	eax, 1000000h
		jz	short loc_462D1D

loc_462D34:				; CODE XREF: MiVadLeafPagesPrecharged(x)+Fj
					; MiVadLeafPagesPrecharged(x)+1Bj ...
		mov	eax, 1
		retn
_MiVadLeafPagesPrecharged@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiVadPageTableChargeLevel(x)
_MiVadPageTableChargeLevel@4 proc near	; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+62p
					; MiCommitPageTablesForVad(x,x,x)+36p
		mov	edx, [ecx+1Ch]
		test	edx, 100000h
		jz	short loc_462D72
		test	edx, 400000h
		jnz	short loc_462D7F
		mov	eax, edx
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnb	short loc_462D7F

loc_462D61:				; CODE XREF: MiVadPageTableChargeLevel(x)+3Aj
		mov	eax, [ecx+1Ch]
		and	eax, 70h
		cmp	al, 30h
		jz	_MiGetAweVadPageSize@4 ; MiGetAweVadPageSize(x)

loc_462D6F:				; CODE XREF: MiVadPageTableChargeLevel(x)+4Dj
		xor	eax, eax
		retn
; 

loc_462D72:				; CODE XREF: MiVadPageTableChargeLevel(x)+9j
		mov	eax, [ecx+28h]
		test	eax, 1000000h
		jz	short loc_462D61
		mov	edx, [ecx+1Ch]

loc_462D7F:				; CODE XREF: MiVadPageTableChargeLevel(x)+11j
					; MiVadPageTableChargeLevel(x)+1Fj
		shr	edx, 12h
		and	edx, 3
		cmp	ds:_MiVadPageIndices[edx*4], 0
		ja	short loc_462D6F
		mov	eax, 1
		retn
_MiVadPageTableChargeLevel@4 endp

; 
		align 10h

; __stdcall MiCommitExistingVad(x, x, x, x, x, x, x, x,	x, x, x)
_MiCommitExistingVad@44:		; CODE XREF: MiAllocateFromSubAllocatedRegion+14Cp
					; MiAllocateVirtualMemory+244p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, [ebp+18h]
		mov	[esp+0B0h], eax
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+14h]
		mov	ebx, ecx
		mov	[esp+98h], eax
		mov	[esp+9Ch], eax
		mov	[esp+0A0h], eax
		mov	eax, [ebp+0Ch]
		mov	[esp+8], edx
		mov	[esp+24h], ebx
		mov	dword ptr [esp+7Ch], 0
		mov	dword ptr [esp+80h], 0
		push	edi
		cmp	eax, 800h
		jb	short loc_462E04

loc_462DFC:				; CODE XREF: .text:00462E55j
					; .text:00462E5Cj ...
		or	ecx, 0FFFFFFFFh
		jmp	loc_462E97
; 

loc_462E04:				; CODE XREF: .text:00462DFAj
		mov	ecx, eax
		and	ecx, 0Fh
		jz	short loc_462E1F
		test	al, 0F0h
		jz	short loc_462E17
		or	ecx, 0FFFFFFFFh
		jmp	loc_462E97
; 

loc_462E17:				; CODE XREF: .text:00462E0Dj
		mov	cl, byte ptr ds:_MmUserProtectionToMask1[ecx]
		jmp	short loc_462E34
; 

loc_462E1F:				; CODE XREF: .text:00462E09j
		mov	ecx, eax
		shr	ecx, 4
		and	ecx, 0Fh
		jnz	short loc_462E2E
		or	ecx, 0FFFFFFFFh
		jmp	short loc_462E97
; 

loc_462E2E:				; CODE XREF: .text:00462E27j
		mov	cl, byte ptr ds:_MmUserProtectionToMask2[ecx]

loc_462E34:				; CODE XREF: .text:00462E1Dj
		movsx	ecx, cl
		mov	[esp+10h], ecx
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_462E44
		or	ecx, ecx
		jmp	short loc_462E97
; 

loc_462E44:				; CODE XREF: .text:00462E3Ej
		test	eax, 700h
		jz	short loc_462E9B
		test	eax, 100h
		jz	short loc_462E61
		cmp	ecx, 18h
		jz	short loc_462DFC
		test	eax, 600h
		jnz	short loc_462DFC
		or	ecx, 10h

loc_462E61:				; CODE XREF: .text:00462E50j
		test	eax, 200h
		jz	short loc_462E79
		cmp	ecx, 18h
		jz	short loc_462DFC
		and	eax, 400h
		jnz	short loc_462DFC
		or	ecx, 8
		jmp	short loc_462E97
; 

loc_462E79:				; CODE XREF: .text:00462E66j
		and	eax, 400h
		jz	short loc_462E97
		cmp	ecx, 18h
		jnz	short loc_462E8A
		or	ecx, 0FFFFFFFFh
		jmp	short loc_462E97
; 

loc_462E8A:				; CODE XREF: .text:00462E83j
		test	cl, 2
		jz	short loc_462E94
		or	ecx, 0FFFFFFFFh
		jmp	short loc_462E97
; 

loc_462E94:				; CODE XREF: .text:00462E8Dj
		or	ecx, 18h

loc_462E97:				; CODE XREF: .text:00462DFFj
					; .text:00462E12j ...
		mov	[esp+10h], ecx

loc_462E9B:				; CODE XREF: .text:00462E49j
		mov	edx, [ebx+1Ch]
		mov	eax, edx
		shr	eax, 7
		and	eax, 1Fh
		cmp	ecx, 18h
		jnz	short loc_462EAD
		jmp	short loc_462F0D
; 

loc_462EAD:				; CODE XREF: .text:00462EA9j
		cmp	eax, 18h
		jnz	short loc_462ED7
		test	edx, 100000h
		jz	short loc_462EBE
		mov	ecx, eax
		jmp	short loc_462ECA
; 

loc_462EBE:				; CODE XREF: .text:00462EB8j
		mov	eax, [ebx+2Ch]
		movzx	ecx, word ptr [eax+10h]
		shr	ecx, 1
		and	ecx, 1Fh

loc_462ECA:				; CODE XREF: .text:00462EBCj
		lea	eax, [ecx-18h]
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, [esp+10h]

loc_462ED7:				; CODE XREF: .text:00462EB0j
		and	eax, 18h
		jz	short loc_462EF6
		cmp	eax, 10h
		jz	short loc_462F0A
		cmp	eax, 8
		jnz	short loc_462EED
		and	ecx, 0FFFFFFEFh
		or	ecx, eax
		jmp	short loc_462F0D
; 

loc_462EED:				; CODE XREF: .text:00462EE4j
		cmp	eax, 18h
		jnz	short loc_462F11
		or	ecx, eax
		jmp	short loc_462F0D
; 

loc_462EF6:				; CODE XREF: .text:00462EDAj
		mov	eax, ecx
		and	eax, 18h
		cmp	eax, 18h
		jnz	short loc_462F05
		and	ecx, 0FFFFFFE7h
		jmp	short loc_462F0D
; 

loc_462F05:				; CODE XREF: .text:00462EFEj
		cmp	eax, 8
		jnz	short loc_462F11

loc_462F0A:				; CODE XREF: .text:00462EDFj
		and	ecx, 0FFFFFFF7h

loc_462F0D:				; CODE XREF: .text:00462EABj
					; .text:00462EEBj ...
		mov	[esp+10h], ecx

loc_462F11:				; CODE XREF: .text:00462EF0j
					; .text:00462F08j
		mov	eax, large fs:124h
		cmp	dword ptr [ebx+20h], 0
		mov	[esp+70h], eax
		mov	eax, [eax+80h]
		mov	[esp+14h], eax
		jge	short loc_462F40
		mov	eax, [ebx+10h]
		and	eax, 0FFFFFh
		lea	eax, ds:0C0000000h[eax*8]
		mov	[esp+40h], eax
		jmp	short loc_462F48
; 

loc_462F40:				; CODE XREF: .text:00462F29j
		mov	dword ptr [esp+40h], 0

loc_462F48:				; CODE XREF: .text:00462F3Ej
		mov	edi, dword_6D0700
		and	ecx, 1Fh
		mov	ebx, dword_6D0704
		xor	eax, eax
		shld	eax, ecx, 5
		mov	[esp+44h], eax
		mov	[esp+5Ch], eax
		mov	eax, edi
		shl	ecx, 5
		or	eax, ebx
		mov	[esp+60h], ecx
		mov	[esp+7Ch], ecx
		jz	short loc_462FA3
		mov	eax, [esp+44h]
		and	ecx, edi
		and	eax, ebx
		or	ecx, eax
		mov	eax, [esp+60h]
		jnz	short loc_462F94
		or	eax, edi
		mov	[esp+7Ch], eax
		mov	eax, [esp+44h]
		or	eax, ebx
		jmp	short loc_462F9F
; 

loc_462F94:				; CODE XREF: .text:00462F84j
		or	eax, 10h
		mov	[esp+7Ch], eax
		mov	eax, [esp+44h]

loc_462F9F:				; CODE XREF: .text:00462F92j
		mov	[esp+5Ch], eax

loc_462FA3:				; CODE XREF: .text:00462F74j
		mov	edi, [ebp+8]
		mov	ebx, [esp+0Ch]
		dec	edi
		add	edi, ebx
		mov	ecx, ebx
		or	edi, 0FFFh
		shr	ecx, 9
		mov	eax, edi
		mov	[esp+54h], edi
		shr	eax, 9
		and	ecx, offset loc_7FFFF8
		and	eax, offset loc_7FFFF8
		sub	ecx, 40000000h
		sub	eax, 40000000h
		mov	[esp+6Ch], ecx
		mov	[esp+74h], eax
		sub	eax, ecx
		sar	eax, 3
		inc	eax
		mov	[esp+1Ch], ecx
		mov	[esp+4Ch], eax
		mov	eax, edx
		and	eax, offset loc_500000
		cmp	eax, offset loc_500000
		jnz	loc_463103
		shr	edx, 12h
		and	edx, 3
		mov	eax, ds:_MiVadPageSizes[edx*4]
		mov	edx, ds:_MiVadPageIndices[edx*4]
		mov	[esp+24h], eax
		sub	eax, 10h
		neg	eax
		mov	[esp+64h], edx
		sbb	eax, eax
		and	esi, 1Ah
		and	eax, 0FFFFFFF1h
		add	eax, 10h
		mov	[esp+68h], eax
		test	edx, edx
		jnz	short loc_46307B
		cmp	esi, 8
		jnz	loc_463197
		mov	eax, ecx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[esp+1Ch], eax
		mov	eax, [esp+74h]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[esp+74h], eax
		mov	eax, [esp+40h]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[esp+40h], eax
		jmp	short loc_463084
; 

loc_46307B:				; CODE XREF: .text:00463031j
		cmp	esi, 2
		jnz	loc_463197

loc_463084:				; CODE XREF: .text:00463079j
		mov	esi, [esp+14h]

loc_463088:				; CODE XREF: .text:00463138j
		lea	ecx, [esi+240h]
		mov	dword ptr [esp+8Ch], 0
		call	MiLockWorkingSetShared
		mov	ecx, [esp+0Ch]
		mov	bl, al
		push	0
		push	0
		mov	[esp+60h], bl
		and	ecx, 0FFFFF000h
		push	dword ptr [esp+60h]
		mov	edx, edi
		push	dword ptr [esp+34h]
		call	_MiComputePageCommitment@24 ; MiComputePageCommitment(x,x,x,x,x,x)
		mov	dl, bl
		mov	esi, eax
		mov	ebx, [esp+14h]
		lea	ecx, [ebx+240h]
		call	MiUnlockWorkingSetShared
		mov	edx, [esp+4Ch]
		sub	edx, esi
		mov	[esp+20h], edx
		jz	loc_463249
		cmp	dword ptr [esp+24h], 1
		jnz	short loc_463156
		mov	ecx, ebx
		call	MiChargeFullProcessCommitment
		test	eax, eax
		jns	loc_463249
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_463103:				; CODE XREF: .text:00462FF9j
		and	esi, 1Ah
		or	esi, 0
		jnz	loc_463197
		mov	esi, [esp+14h]
		mov	ecx, esi
		mov	edx, [esp+4Ch]
		mov	dword ptr [esp+24h], 1
		mov	dword ptr [esp+68h], 1
		mov	dword ptr [esp+64h], 2
		call	MiChargeFullProcessCommitment
		test	eax, eax
		js	loc_463088
		mov	eax, [esp+4Ch]
		mov	dword ptr [esp+8Ch], 1
		mov	[esp+20h], eax
		jmp	loc_463251
; 

loc_463156:				; CODE XREF: .text:004630E9j
		mov	edi, ebx
		mov	ecx, edi
		call	_MiChargeProcessPhysicalPages@8	; MiChargeProcessPhysicalPages(x,x)
		test	eax, eax
		jz	loc_463449
		mov	ebx, [esp+28h]
		mov	eax, [ebx+24h]
		test	eax, eax
		jz	short loc_46317E

loc_463172:				; CODE XREF: .text:0046317Cj
		test	byte ptr [eax+24h], 10h
		jnz	short loc_4631A5
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_463172

loc_46317E:				; CODE XREF: .text:00463170j
					; .text:004631A7j
		xor	esi, esi

loc_463180:				; CODE XREF: .text:004631ACj
		mov	eax, [ebp+20h]
		cmp	eax, 1
		jz	short loc_4631AE
		cmp	eax, esi
		jz	short loc_4631AE
		mov	edx, [esp+20h]
		mov	ecx, edi
		call	_MiReturnProcessPhysicalPages@8	; MiReturnProcessPhysicalPages(x,x)

loc_463197:				; CODE XREF: .text:00463036j
					; .text:0046307Ej ...
		mov	eax, 0C000000Dh
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_4631A5:				; CODE XREF: .text:00463176j
		test	eax, eax
		jz	short loc_46317E
		mov	esi, [eax+0Ch]
		jmp	short loc_463180
; 

loc_4631AE:				; CODE XREF: .text:00463186j
					; .text:0046318Aj
		test	esi, esi
		jz	short loc_4631E3
		mov	ecx, esi
		call	PsReferencePartitionSafe
		test	al, al
		jnz	short loc_4631D6
		mov	edx, [esp+20h]
		mov	ecx, edi
		call	_MiReturnProcessPhysicalPages@8	; MiReturnProcessPhysicalPages(x,x)
		mov	eax, 0C00004A0h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_4631D6:				; CODE XREF: .text:004631BBj
		mov	eax, [esi]
		mov	cx, [eax]
		mov	eax, [ebp+28h]
		mov	[eax], cx
		jmp	short loc_4631F4
; 

loc_4631E3:				; CODE XREF: .text:004631B0j
		mov	edx, [esp+20h]
		mov	ecx, edi
		call	MiChargeFullProcessCommitment
		mov	edi, eax
		test	edi, edi
		js	short loc_46322D

loc_4631F4:				; CODE XREF: .text:004631E1j
		mov	edx, [esp+20h]
		lea	eax, [esp+9Ch]
		push	eax
		push	esi
		push	dword ptr [ebp+1Ch]
		mov	ecx, ebx
		call	_MiCreateLargePfnList@20 ; MiCreateLargePfnList(x,x,x,x,x)
		mov	edi, eax
		test	esi, esi
		jz	short loc_463218
		mov	ecx, esi
		call	PsDereferencePartition

loc_463218:				; CODE XREF: .text:0046320Fj
		test	edi, edi
		jns	short loc_463245
		test	esi, esi
		jnz	short loc_46322D
		mov	edx, [esp+20h]
		mov	ecx, [esp+14h]
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)

loc_46322D:				; CODE XREF: .text:004631F2j
					; .text:0046321Ej
		mov	edx, [esp+20h]
		mov	ecx, [esp+14h]
		call	_MiReturnProcessPhysicalPages@8	; MiReturnProcessPhysicalPages(x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_463245:				; CODE XREF: .text:0046321Aj
		mov	edi, [esp+54h]

loc_463249:				; CODE XREF: .text:004630DEj
					; .text:004630F4j
		mov	ebx, [esp+0Ch]
		mov	esi, [esp+14h]

loc_463251:				; CODE XREF: .text:00463151j
		mov	ecx, [esp+28h]
		mov	dword ptr [esp+58h], 0
		mov	eax, [ecx+1Ch]
		test	eax, 100000h
		jz	loc_4633AF
		test	al, 70h
		jnz	short loc_463279
		cmp	dword ptr [ecx+20h], 0
		jge	loc_4633DB

loc_463279:				; CODE XREF: .text:0046326Dj
					; .text:004633B9j ...
		xor	ecx, ecx
		xor	esi, esi
		mov	[esp+2Ch], ecx
		mov	[esp+34h], esi
		mov	[esp+48h], ecx

loc_463289:				; CODE XREF: .text:00463A70j
		mov	edi, 2
		mov	edi, edi
		mov	ecx, [esp+14h]
		xor	esi, esi
		mov	[esp+30h], esi
		xor	ebx, ebx
		lea	ecx, [ecx+240h]
		call	MiLockWorkingSetShared
		mov	ecx, [esp+1Ch]
		mov	[esp+1Bh], al
		nop

loc_4632B0:				; CODE XREF: .text:00463A2Cj
		cmp	ecx, [esp+74h]
		ja	loc_463A75
		test	ebx, ebx
		jz	short loc_4632CA
		test	ecx, 0FFFh
		jnz	loc_463840

loc_4632CA:				; CODE XREF: .text:004632BCj
		mov	eax, [esp+2Ch]
		test	ax, ax
		jz	short loc_4632E7
		mov	ecx, [esp+48h]
		movzx	edx, ax
		call	_MiIncreaseUsedPtesCount@8 ; MiIncreaseUsedPtesCount(x,x)
		mov	dword ptr [esp+2Ch], 0

loc_4632E7:				; CODE XREF: .text:004632D1j
		test	esi, esi
		jz	short loc_4632FC
		mov	ecx, [esp+14h]
		mov	edx, esi
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4632FC:				; CODE XREF: .text:004632E9j
		mov	eax, [esp+28h]
		mov	edx, [esp+1Ch]
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		mov	esi, [eax+1Ch]
		add	edx, 0C0000000h
		mov	eax, large fs:124h
		shr	esi, 0Ch
		and	esi, 3Fh
		mov	[esp+30h], edx
		mov	[esp+54h], esi
		mov	eax, [eax+80h]
		mov	[esp+90h], eax
		lea	ecx, [eax+240h]
		mov	[esp+3Ch], ecx

loc_463341:				; CODE XREF: .text:004637F7j
		mov	eax, edx
		mov	[esp+0B8h], edx
		shr	eax, 9
		mov	ebx, 6
		and	eax, offset loc_7FFFF8
		mov	dword ptr [esp+38h], 0C0603018h
		sub	eax, 40000000h
		mov	dword ptr [esp+0A8h], 0
		mov	[esp+78h], eax
		mov	[esp+0BCh], eax
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		jb	loc_463483
		cmp	al, 7
		jnz	loc_463457
		mov	ebx, offset unk_6D2E58
		mov	dword ptr [esp+0Ch], offset unk_6D2E58
		mov	eax, [esp+0Ch]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 0FFFFFFFAh
		add	ebx, 6
		jmp	loc_46349B
; 

loc_4633AF:				; CODE XREF: .text:00463265j
		and	eax, 0F80h
		cmp	eax, 0C00h
		jnz	loc_463279
		mov	eax, [ecx+2Ch]
		mov	eax, [eax]
		cmp	dword ptr [eax+20h], 0
		jnz	loc_463279
		test	dword ptr [eax+1Ch], 1000h
		jz	loc_463279

loc_4633DB:				; CODE XREF: .text:00463273j
		mov	eax, [esp+70h]
		mov	dword ptr [esp+58h], 1
		dec	word ptr [eax+13Eh]
		nop
		add	esi, 138h
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esp+28h]
		mov	edx, ebx
		push	edi
		call	_MiCommitPageTablesForVad@12 ; MiCommitPageTablesForVad(x,x,x)
		test	eax, eax
		jns	loc_463279
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_463426
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_463426:				; CODE XREF: .text:0046341Dj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [esp+70h]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [esp+20h]
		test	eax, eax
		jz	short loc_463449
		mov	ecx, [esp+14h]
		mov	edx, eax
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)

loc_463449:				; CODE XREF: .text:00463161j
					; .text:0046343Cj
		mov	eax, 0C000012Dh
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_463457:				; CODE XREF: .text:00463389j
		xor	ebx, ebx
		cmp	al, 5
		setnz	bl
		dec	ebx
		and	ebx, offset unk_6D2E54
		mov	[esp+0Ch], ebx
		jnz	short loc_463473
		mov	dword ptr [esp+0Ch], offset unk_6D2DD4

loc_463473:				; CODE XREF: .text:00463469j
		mov	eax, [esp+0Ch]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 0FFFFFFFAh
		add	ebx, 6
		jmp	short loc_46349B
; 

loc_463483:				; CODE XREF: .text:00463381j
		test	al, al
		jnz	short loc_463491
		mov	eax, [ecx+0Ch]
		add	eax, 0F10h
		jmp	short loc_463497
; 

loc_463491:				; CODE XREF: .text:00463485j
		lea	eax, [ecx+2A0h]

loc_463497:				; CODE XREF: .text:0046348Fj
		mov	[esp+0Ch], eax

loc_46349B:				; CODE XREF: .text:004633AAj
					; .text:00463481j
		mov	edx, [eax]
		mov	esi, [esp+0Ch]

loc_4634A1:				; CODE XREF: .text:004634D0j
					; .text:004634F2j
		mov	ecx, ebx
		shl	edi, cl

loc_4634A5:				; CODE XREF: .text:0046350Bj
		mov	eax, edx
		mov	ecx, ebx
		shr	eax, cl
		test	al, 1
		jz	short loc_4634F4
		test	al, 2
		jz	short loc_4634D2

loc_4634B3:				; CODE XREF: .text:004634C9j
		lea	ecx, [esp+0A8h]
		call	KeYieldProcessorEx
		mov	edx, [esi]
		mov	ecx, ebx
		mov	eax, edx
		shr	eax, cl
		test	al, 1
		jnz	short loc_4634B3
		mov	edi, 2
		jmp	short loc_4634A1
; 

loc_4634D2:				; CODE XREF: .text:004634B1j
		mov	ecx, ebx
		mov	edi, 2
		shl	edi, cl
		mov	eax, edx
		or	edi, edx
		mov	ecx, edi
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		mov	edx, edi
		jz	short loc_4634ED
		mov	edx, eax

loc_4634ED:				; CODE XREF: .text:004634E9j
		mov	edi, 2
		jmp	short loc_4634A1
; 

loc_4634F4:				; CODE XREF: .text:004634ADj
		mov	ecx, edx
		mov	eax, edi
		not	eax
		bts	ecx, ebx
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_46350D
		mov	edx, eax
		jmp	short loc_4634A5
; 

loc_46350D:				; CODE XREF: .text:00463507j
		mov	edi, [esp+78h]
		mov	ebx, 1
		mov	[esp+88h], ebx
		mov	ecx, [edi]
		nop
		mov	edx, [edi+4]
		mov	eax, ecx
		mov	esi, [esp+54h]
		and	eax, ebx
		or	eax, 0
		jz	loc_4637A1

loc_463534:				; CODE XREF: .text:00463797j
		mov	eax, ecx
		and	eax, 80h
		or	eax, 0
		jnz	loc_46379D
		mov	eax, ecx
		and	eax, 20h
		or	eax, 0
		jnz	short loc_463559
		push	edx
		push	ecx
		push	1
		mov	edx, edi
		call	MiPerformSafePdeWrite

loc_463559:				; CODE XREF: .text:0046354Cj
		cmp	edi, [esp+38h]
		jz	loc_463772
		mov	edx, [esp+3Ch]
		lea	eax, [edi+3FA00000h]
		sar	eax, 3
		mov	dword ptr [esp+50h], 0
		lea	ecx, [eax+eax]
		mov	al, [edx+60h]
		mov	ebx, ecx
		and	al, 7
		and	ebx, 1Fh
		cmp	al, 2
		jb	short loc_4635ED
		cmp	edi, 0C0603018h
		jz	short loc_4635A5
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_4635E1
		cmp	edi, 0C0603010h
		jnz	short loc_4635E1

loc_4635A5:				; CODE XREF: .text:0046358Fj
		cmp	al, 7
		jnz	short loc_4635C3
		mov	ebx, 0C0603018h
		mov	dword ptr [esp+0Ch], offset unk_6D2E58
		mov	eax, [esp+0Ch]
		sub	ebx, edi
		sar	ebx, 3
		add	ebx, ebx
		jmp	short loc_46360E
; 

loc_4635C3:				; CODE XREF: .text:004635A7j
		cmp	al, 5
		jnz	short loc_4635E1
		mov	ebx, 0C0603018h
		mov	dword ptr [esp+0Ch], offset unk_6D2E54
		mov	eax, [esp+0Ch]
		sub	ebx, edi
		sar	ebx, 3
		add	ebx, ebx
		jmp	short loc_46360E
; 

loc_4635E1:				; CODE XREF: .text:0046359Bj
					; .text:004635A3j ...
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	short loc_46360A
; 

loc_4635ED:				; CODE XREF: .text:00463587j
		shr	ecx, 5
		test	al, al
		jnz	short loc_463601
		mov	eax, [edx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h
		jmp	short loc_46360A
; 

loc_463601:				; CODE XREF: .text:004635F2j
		lea	eax, [edx+120h]
		lea	eax, [eax+ecx*4]

loc_46360A:				; CODE XREF: .text:004635EBj
					; .text:004635FFj
		mov	[esp+0Ch], eax

loc_46360E:				; CODE XREF: .text:004635C1j
					; .text:004635DFj
		mov	edx, [eax]
		mov	esi, [esp+0Ch]

loc_463614:				; CODE XREF: .text:00463660j
					; .text:00463679j ...
		mov	ecx, ebx
		mov	edi, 2
		shl	edi, cl
		lea	ecx, [ecx+0]

loc_463620:				; CODE XREF: .text:00463696j
		mov	eax, edx
		mov	ecx, ebx
		shr	eax, cl
		test	al, 1
		jz	short loc_46367F
		test	al, 2
		jz	short loc_463662
		mov	edi, edi

loc_463630:				; CODE XREF: .text:0046365Ej
		mov	eax, [esp+50h]
		inc	eax
		mov	[esp+50h], eax
		test	ds:_HvlLongSpinCountMask, eax
		jnz	short loc_463652
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_463652
		push	eax
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	short loc_463654
; 

loc_463652:				; CODE XREF: .text:0046363Fj
					; .text:00463648j
		pause

loc_463654:				; CODE XREF: .text:00463650j
		mov	edx, [esi]
		mov	ecx, ebx
		mov	eax, edx
		shr	eax, cl
		test	al, 1
		jnz	short loc_463630
		jmp	short loc_463614
; 

loc_463662:				; CODE XREF: .text:0046362Cj
		mov	ecx, ebx
		mov	edi, 2
		shl	edi, cl
		mov	eax, edx
		or	edi, edx
		mov	ecx, edi
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		mov	edx, edi
		jz	short loc_463614
		mov	edx, eax
		jmp	short loc_463614
; 

loc_46367F:				; CODE XREF: .text:00463628j
		mov	ecx, edx
		mov	eax, edi
		not	eax
		bts	ecx, ebx
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_463698
		mov	edx, eax
		jmp	short loc_463620
; 

loc_463698:				; CODE XREF: .text:00463692j
		mov	edx, [esp+38h]
		mov	ebx, [esp+3Ch]
		lea	eax, [edx+3FA00000h]
		sar	eax, 3
		lea	ecx, [eax+eax]
		mov	al, [ebx+60h]
		mov	edi, ecx
		and	al, 7
		and	edi, 1Fh
		cmp	al, 2
		jb	short loc_463710
		cmp	edx, 0C0603018h
		jz	short loc_4636D6
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_463704
		cmp	edx, 0C0603010h
		jnz	short loc_463704

loc_4636D6:				; CODE XREF: .text:004636C0j
		cmp	al, 7
		jnz	short loc_4636ED
		mov	edi, 0C0603018h
		mov	ebx, offset unk_6D2E58
		sub	edi, edx
		sar	edi, 3
		add	edi, edi
		jmp	short loc_46372E
; 

loc_4636ED:				; CODE XREF: .text:004636D8j
		cmp	al, 5
		jnz	short loc_463704
		mov	edi, 0C0603018h
		mov	ebx, offset unk_6D2E54
		sub	edi, edx
		sar	edi, 3
		add	edi, edi
		jmp	short loc_46372E
; 

loc_463704:				; CODE XREF: .text:004636CCj
					; .text:004636D4j ...
		shr	ecx, 5
		lea	ebx, unk_6D2C54[ecx*4]
		jmp	short loc_46372E
; 

loc_463710:				; CODE XREF: .text:004636B8j
		shr	ecx, 5
		test	al, al
		jnz	short loc_463725
		mov	ebx, [ebx+0Ch]
		add	ebx, 0D90h
		lea	ebx, [ebx+ecx*4]
		jmp	short loc_46372E
; 

loc_463725:				; CODE XREF: .text:00463715j
		lea	ebx, [ebx+ecx*4]
		add	ebx, 120h

loc_46372E:				; CODE XREF: .text:004636EBj
					; .text:00463702j ...
		mov	edx, [ebx]
		mov	ecx, edi
		mov	eax, 2
		shl	eax, cl
		mov	ecx, edx
		not	eax
		btr	ecx, edi
		mov	[esp+50h], eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jz	short loc_463763

loc_463750:				; CODE XREF: .text:00463761j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, edi
		and	ecx, [esp+50h]
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_463750

loc_463763:				; CODE XREF: .text:0046374Ej
		mov	eax, [esp+78h]
		mov	ebx, [esp+88h]
		mov	[esp+38h], eax

loc_463772:				; CODE XREF: .text:0046355Dj
		test	ebx, ebx
		jz	short loc_46379D
		mov	edi, [esp+ebx*4+0B4h]
		dec	ebx
		mov	[esp+88h], ebx
		mov	[esp+78h], edi
		mov	ecx, [edi]
		nop
		mov	edx, [edi+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	loc_463534

loc_46379D:				; CODE XREF: .text:0046353Ej
					; .text:00463774j
		mov	esi, [esp+54h]

loc_4637A1:				; CODE XREF: .text:0046352Ej
		mov	eax, [esp+38h]
		cmp	eax, [esp+30h]
		jz	short loc_4637FC
		mov	ebx, [esp+3Ch]
		mov	edx, eax
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [esp+1Bh]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		push	0
		push	0
		push	dword ptr [esp+24h]
		mov	eax, esi
		shl	eax, 19h
		or	eax, 1000002h
		push	eax
		call	MmAccessFault
		mov	edi, eax
		test	edi, edi
		js	loc_463C46
		mov	ecx, ebx
		call	MiLockWorkingSetShared
		mov	edx, [esp+30h]
		mov	edi, 2
		mov	ecx, ebx
		jmp	loc_463341
; 

loc_4637FC:				; CODE XREF: .text:004637A9j
		mov	ecx, [esp+1Ch]
		cmp	ecx, 0C0600000h
		jb	short loc_463810
		cmp	ecx, 0C0603FFFh
		jbe	short loc_46383B

loc_463810:				; CODE XREF: .text:00463806j
		mov	eax, large fs:124h
		shr	ecx, 0Ch
		and	ecx, 7FFh
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		lea	eax, [eax+ecx*2]
		mov	ecx, [esp+1Ch]
		add	eax, 190h
		mov	[esp+48h], eax

loc_46383B:				; CODE XREF: .text:0046380Ej
		mov	ebx, 1

loc_463840:				; CODE XREF: .text:004632C4j
		mov	esi, [ecx]
		mov	dword ptr [esp+90h], 0
		mov	dword ptr [esp+94h], 0
		nop
		mov	edi, [ecx+4]
		mov	eax, esi
		or	eax, edi
		mov	[esp+0B0h], esi
		mov	[esp+0B4h], edi
		jnz	short loc_4638B5
		mov	edi, [esp+24h]
		cmp	ecx, [esp+40h]
		ja	short loc_46387E
		add	[esp+34h], edi

loc_46387E:				; CODE XREF: .text:00463878j
		cmp	edi, 1
		jnz	loc_463926
		cmp	ecx, 0C0600000h
		jb	short loc_463897
		cmp	ecx, 0C0603FFFh
		jbe	short loc_46389F

loc_463897:				; CODE XREF: .text:0046388Dj
		mov	eax, [esp+68h]
		add	[esp+2Ch], eax

loc_46389F:				; CODE XREF: .text:00463895j
		mov	eax, [esp+7Ch]
		mov	edi, [esp+24h]
		mov	[ecx], eax
		mov	eax, [esp+5Ch]
		mov	[ecx+4], eax
		jmp	loc_463A0D
; 

loc_4638B5:				; CODE XREF: .text:0046386Ej
		nop
		mov	eax, esi
		and	eax, 3E0h
		cmp	eax, 200h
		jnz	loc_4639A5
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jnz	loc_4639A5
		mov	eax, esi
		and	eax, 400h
		or	eax, 0
		jz	short loc_4638F5
		push	edi
		push	esi
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		mov	ecx, [esp+1Ch]
		test	eax, eax
		jz	loc_4639A5

loc_4638F5:				; CODE XREF: .text:004638E0j
		cmp	dword ptr [esp+24h], 1
		jnz	short loc_463926
		and	esi, 0FFFFFC1Fh
		or	esi, [esp+60h]
		or	edi, [esp+44h]
		mov	[esp+0B4h], edi
		mov	[esp+0B0h], esi
		mov	[ecx], esi
		mov	[ecx+4], edi
		mov	edi, [esp+24h]
		jmp	loc_463A0D
; 

loc_463926:				; CODE XREF: .text:00463881j
					; .text:004638FAj
		mov	edi, [esp+64h]
		mov	esi, [esp+edi*4+9Ch]
		test	esi, esi
		jnz	short loc_46394A
		mov	edx, edi
		lea	ecx, [esp+9Ch]
		call	_MiDemotePfnListChain@8	; MiDemotePfnListChain(x,x)
		mov	esi, [esp+edi*4+9Ch]

loc_46394A:				; CODE XREF: .text:00463933j
		mov	eax, [esi]
		mov	ecx, ds:_MmPfnDatabase
		sub	esi, ecx
		mov	[esp+edi*4+9Ch], eax
		mov	eax, 92492493h
		imul	esi
		push	dword ptr [esp+14h]
		add	edx, esi
		sar	edx, 4
		mov	esi, edx
		shr	esi, 1Fh
		add	esi, edx
		mov	edx, [esp+70h]
		lea	eax, ds:0[esi*8]
		sub	eax, esi
		lea	ecx, [ecx+eax*4]
		call	_MiInitializeLargeUserBasePfn@12 ; MiInitializeLargeUserBasePfn(x,x,x)
		mov	edx, [esp+64h]
		push	ecx
		push	dword ptr [esp+14h]
		mov	ecx, [esp+30h]
		push	edx
		mov	edx, [esp+78h]
		push	esi
		call	_MiInsertLargeUserMapping@24 ; MiInsertLargeUserMapping(x,x,x,x,x,x)
		mov	edi, [esp+24h]
		jmp	short loc_463A09
; 

loc_4639A5:				; CODE XREF: .text:004638C2j
					; .text:004638D0j ...
		mov	eax, [ebp+24h]
		mov	edi, [esp+24h]
		add	[esp+34h], edi
		cmp	dword ptr [eax], 0
		jnz	short loc_463A0D
		lea	eax, [esp+0ACh]
		mov	dword ptr [esp+0ACh], 0
		push	eax
		lea	eax, [esp+88h]
		mov	edx, ecx
		mov	ecx, [esp+2Ch]
		push	eax
		lea	eax, [esp+88h]
		push	eax
		call	_MiGetPageProtection@20	; MiGetPageProtection(x,x,x,x,x)
		mov	esi, [esp+80h]
		test	esi, esi
		jnz	short loc_463A31
		cmp	[esp+10h], eax
		jnz	short loc_463A00
		mov	eax, [ebp+10h]
		cmp	[esp+84h], eax
		jz	short loc_463A09

loc_463A00:				; CODE XREF: .text:004639F2j
		mov	eax, [ebp+24h]
		mov	dword ptr [eax], 1

loc_463A09:				; CODE XREF: .text:004639A3j
					; .text:004639FEj
		mov	ecx, [esp+1Ch]

loc_463A0D:				; CODE XREF: .text:004638B0j
					; .text:00463921j ...
		mov	eax, [esp+68h]
		mov	esi, [esp+30h]
		lea	ecx, [ecx+eax*8]
		mov	eax, [esp+6Ch]
		mov	[esp+1Ch], ecx
		lea	eax, [eax+edi*8]
		mov	edi, 2
		mov	[esp+6Ch], eax
		jmp	loc_4632B0
; 

loc_463A31:				; CODE XREF: .text:004639ECj
		mov	ecx, [esp+2Ch]
		test	cx, cx
		jz	short loc_463A4C
		movzx	edx, cx
		mov	ecx, [esp+48h]
		call	_MiIncreaseUsedPtesCount@8 ; MiIncreaseUsedPtesCount(x,x)
		xor	ecx, ecx
		mov	[esp+2Ch], ecx

loc_463A4C:				; CODE XREF: .text:00463A38j
		mov	ebx, [esp+14h]
		mov	edx, [esp+30h]
		lea	ecx, [ebx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [esp+1Bh]
		lea	ecx, [ebx+240h]
		call	MiUnlockWorkingSetShared
		mov	al, [esi]
		jmp	loc_463289
; 

loc_463A75:				; CODE XREF: .text:004632B4j
		mov	ecx, [esp+2Ch]
		test	cx, cx
		jz	short loc_463ACC
		mov	eax, large fs:124h
		mov	ebx, [esp+48h]
		mov	eax, [eax+80h]
		mov	edx, [eax+24Ch]
		add	[ebx], cx
		add	edx, 18h
		lea	eax, [edx+178h]
		cmp	ebx, eax
		jb	short loc_463ACC
		lea	eax, [edx+0D78h]
		cmp	ebx, eax
		jnb	short loc_463ACC
		cmp	cx, 1
		ja	short loc_463ACC
		sub	ebx, edx
		lea	ecx, [ebx-178h]
		sar	ecx, 1
		sub	ecx, 40000h
		shl	ecx, 0Ch
		call	MmIsAddressValidEx

loc_463ACC:				; CODE XREF: .text:00463A7Cj
					; .text:00463AA2j ...
		test	esi, esi
		jz	loc_463BA5
		mov	edx, [esp+14h]
		lea	ecx, [esi+3FA00000h]
		sar	ecx, 3
		add	ecx, ecx
		mov	edi, ecx
		mov	al, [edx+2A0h]
		and	edi, 1Fh
		and	al, 7
		cmp	al, 2
		jb	short loc_463B4A
		cmp	esi, 0C0603018h
		jz	short loc_463B10
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_463B3E
		cmp	esi, 0C0603010h
		jnz	short loc_463B3E

loc_463B10:				; CODE XREF: .text:00463AFAj
		cmp	al, 7
		jnz	short loc_463B27
		mov	edi, 0C0603018h
		mov	ebx, offset unk_6D2E58
		sub	edi, esi
		sar	edi, 3
		add	edi, edi
		jmp	short loc_463B68
; 

loc_463B27:				; CODE XREF: .text:00463B12j
		cmp	al, 5
		jnz	short loc_463B3E
		mov	edi, 0C0603018h
		mov	ebx, offset unk_6D2E54
		sub	edi, esi
		sar	edi, 3
		add	edi, edi
		jmp	short loc_463B68
; 

loc_463B3E:				; CODE XREF: .text:00463B06j
					; .text:00463B0Ej ...
		shr	ecx, 5
		lea	ebx, unk_6D2C54[ecx*4]
		jmp	short loc_463B68
; 

loc_463B4A:				; CODE XREF: .text:00463AF2j
		shr	ecx, 5
		test	al, al
		jnz	short loc_463B5F
		mov	ebx, [edx+24Ch]
		add	ebx, 0D90h
		jmp	short loc_463B65
; 

loc_463B5F:				; CODE XREF: .text:00463B4Fj
		lea	ebx, [edx+360h]

loc_463B65:				; CODE XREF: .text:00463B5Dj
		lea	ebx, [ebx+ecx*4]

loc_463B68:				; CODE XREF: .text:00463B25j
					; .text:00463B3Cj ...
		mov	edx, [ebx]
		mov	ecx, edi
		mov	eax, 2
		shl	eax, cl
		mov	ecx, edx
		not	eax
		btr	ecx, edi
		mov	[esp+90h], eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jz	short loc_463BA5
		mov	ecx, [esp+90h]

loc_463B94:				; CODE XREF: .text:00463BA3j
		mov	edx, eax
		mov	esi, eax
		btr	edx, edi
		and	edx, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, esi
		jnz	short loc_463B94

loc_463BA5:				; CODE XREF: .text:00463ACEj
					; .text:00463B8Bj
		mov	ebx, [esp+14h]
		mov	dl, [esp+1Bh]
		lea	ecx, [ebx+240h]
		call	MiUnlockWorkingSetShared
		cmp	dword ptr [esp+58h], 1
		jnz	short loc_463BFC
		lea	esi, [ebx+138h]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_463BD9
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_463BD9:				; CODE XREF: .text:00463BD0j
		mov	ecx, esi
		call	KeAbPostRelease
		nop
		mov	eax, [esp+70h]
		add	word ptr [eax+13Eh], 1
		jnz	short loc_463BFC
		nop
		add	eax, 70h
		cmp	[eax], eax
		jz	short loc_463BFC
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_463BFC:				; CODE XREF: .text:00463BBDj
					; .text:00463BEDj ...
		cmp	dword ptr [esp+8Ch], 1
		jnz	short loc_463C21
		mov	esi, [esp+34h]
		test	esi, esi
		jz	short loc_463C17
		mov	edx, esi
		mov	ecx, ebx
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)

loc_463C17:				; CODE XREF: .text:00463C0Cj
		mov	eax, [esp+4Ch]
		sub	eax, esi
		mov	[esp+20h], eax

loc_463C21:				; CODE XREF: .text:00463C04j
		mov	edx, [esp+28h]
		mov	ecx, [esp+20h]
		pop	edi
		pop	esi
		mov	eax, [edx+20h]
		add	ecx, eax
		xor	ecx, eax
		and	ecx, 7FFFFFFFh
		xor	ecx, eax
		xor	eax, eax
		mov	[edx+20h], ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_463C46:				; CODE XREF: .text:004637DFj
		mov	ecx, 1
		call	_MiFlushAllFilesystemPages@4 ; MiFlushAllFilesystemPages(x)
		push	dword ptr [esp+1Ch]
		push	dword ptr [esp+94h]
		push	edi
		push	1
		push	7Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 


MiLockWorkingSetShared proc near	; CODE XREF: MiDeleteSystemPageTables(x,x,x,x,x,x)+8Ep
					; MiMakeHyperRangeAccessible+35p ...

; FUNCTION CHUNK AT 005B1778 SIZE 0000000E BYTES

		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 4
		ja	short loc_463CC5

loc_463C79:				; CODE XREF: MiLockWorkingSetShared+57j
		push	ebx
		push	esi
		cmp	al, 2
		jz	short loc_463CBE
		lea	esi, [ecx+80h]

loc_463C85:				; CODE XREF: MiLockWorkingSetShared+53j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		jnz	loc_5B1778
		mov	edx, [esi]
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_463CD1

loc_463CB1:				; CODE XREF: MiLockWorkingSetShared+6Aj
					; MiLockWorkingSetShared+14DB11j
		add	esi, 4
		cmp	dword ptr [esi], 0
		jnz	short loc_463CDC

loc_463CB9:				; CODE XREF: MiLockWorkingSetShared+70j
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_463CBE:				; CODE XREF: MiLockWorkingSetShared+Dj
		mov	esi, offset unk_6D3C40
		jmp	short loc_463C85
; 

loc_463CC5:				; CODE XREF: MiLockWorkingSetShared+7j
		cmp	al, 5
		jz	short loc_463C79
		mov	cl, 2
		jmp	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
; 

loc_463CD1:				; CODE XREF: MiLockWorkingSetShared+3Fj
		mov	dl, bl
		mov	ecx, esi
		call	ExpWaitForSpinLockSharedAndAcquire
		jmp	short loc_463CB1
; 

loc_463CDC:				; CODE XREF: MiLockWorkingSetShared+47j
		xor	eax, eax
		xchg	eax, [esi]
		jmp	short loc_463CB9
MiLockWorkingSetShared endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiMakeProtectionMask(x)
_MiMakeProtectionMask@4	proc near	; CODE XREF: MmProtectPool(x,x,x):loc_4A0734p
					; MiInitializePoolCommitPacket+1Dp ...
		cmp	ecx, 800h
		jnb	short loc_463D75
		mov	eax, ecx
		and	eax, 0Fh
		jz	short loc_463D1B
		test	cl, 0F0h
		jnz	short loc_463D75
		mov	al, byte ptr ds:_MmUserProtectionToMask1[eax]

loc_463D0A:				; CODE XREF: MiMakeProtectionMask(x)+3Bj
		movsx	eax, al
		cmp	eax, 0FFFFFFFFh
		jz	short loc_463D75
		test	ecx, 700h
		jnz	short loc_463D2D

locret_463D1A:				; CODE XREF: MiMakeProtectionMask(x)+64j
		retn
; 

loc_463D1B:				; CODE XREF: MiMakeProtectionMask(x)+Dj
		mov	eax, ecx
		shr	eax, 4
		and	eax, 0Fh
		jz	short loc_463D75
		mov	al, byte ptr ds:_MmUserProtectionToMask2[eax]
		jmp	short loc_463D0A
; 

loc_463D2D:				; CODE XREF: MiMakeProtectionMask(x)+28j
		test	ecx, 100h
		jnz	short loc_463D63

loc_463D35:				; CODE XREF: MiMakeProtectionMask(x)+83j
		test	ecx, 200h
		jz	short loc_463D4E
		cmp	eax, 18h
		jz	short loc_463D75
		and	ecx, 400h
		jnz	short loc_463D75
		or	eax, 8
		retn
; 

loc_463D4E:				; CODE XREF: MiMakeProtectionMask(x)+4Bj
		and	ecx, 400h
		jz	short locret_463D1A
		cmp	eax, 18h
		jz	short loc_463D75
		test	al, 2
		jnz	short loc_463D75
		or	eax, 18h
		retn
; 

loc_463D63:				; CODE XREF: MiMakeProtectionMask(x)+43j
		cmp	eax, 18h
		jz	short loc_463D75
		test	ecx, 600h
		jnz	short loc_463D75
		or	eax, 10h
		jmp	short loc_463D35
; 

loc_463D75:				; CODE XREF: MiMakeProtectionMask(x)+6j
					; MiMakeProtectionMask(x)+12j ...
		or	eax, 0FFFFFFFFh
		retn
_MiMakeProtectionMask@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiChargeCommit	proc near		; CODE XREF: MiCopyOnWrite(x,x,x,x)+AE6p
					; .text:00452C74p ...

var_30		= dword	ptr -30h
var_24		= byte ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B1786 SIZE 000001DE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	ebx, ecx

loc_463D92:				; CODE XREF: MiChargeCommit+14DAD1j
		mov	eax, [ebp+arg_0]
		jmp	short loc_463DA0
; 
		align 10h

loc_463DA0:				; CODE XREF: MiChargeCommit+15j
		mov	edi, large fs:20h
		mov	ecx, eax
		mov	[esp+30h+var_20], ecx
		mov	[esp+30h+var_14], edi
		cmp	ebx, offset _MiSystemPartition
		jnz	short loc_463DF4
		mov	ecx, [edi+3D2Ch]
		add	edi, 3D2Ch
		cmp	esi, ecx
		ja	short loc_463DF0
		lea	esp, [esp+0]

loc_463DD0:				; CODE XREF: MiChargeCommit+14DA0Aj
		mov	edx, ecx
		mov	eax, ecx
		sub	edx, esi
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jnz	loc_5B1786

loc_463DE2:				; CODE XREF: MiChargeCommit+179j
					; MiChargeCommit+199j ...
		mov	eax, 1

loc_463DE7:				; CODE XREF: MiChargeCommit+14DBDFj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_463DF0:				; CODE XREF: MiChargeCommit+47j
					; MiChargeCommit+14DA13j
		mov	ecx, [esp+30h+var_20]

loc_463DF4:				; CODE XREF: MiChargeCommit+37j
		mov	[esp+30h+var_8], 0
		test	al, 4
		jnz	loc_463FD7

loc_463E04:				; CODE XREF: MiChargeCommit+260j
		test	cl, 8
		jz	loc_463F86
		mov	eax, large fs:124h
		or	ecx, 2
		mov	[esp+30h+var_20], ecx
		test	byte ptr [eax+300h], 2
		jnz	loc_463F9A

loc_463E27:				; CODE XREF: MiChargeCommit+225j
		mov	[esp+30h+var_1C], 40h
		cmp	ebx, offset _MiSystemPartition
		jnz	loc_5B1798

loc_463E3B:				; CODE XREF: MiChargeCommit+142j
					; MiChargeCommit+215j ...
		mov	edx, [ebx+10BCh]
		lea	eax, [ebx+10BCh]
		mov	[esp+30h+var_C], edx
		lea	eax, [edx+esi]
		mov	[esp+30h+var_18], eax
		cmp	eax, edx
		jbe	loc_5B1824
		lea	ebx, [ebx+0]

loc_463E60:				; CODE XREF: MiChargeCommit+14DA9Ej
		mov	edi, [esp+30h+var_1C]
		add	edi, eax
		mov	[esp+30h+var_4], edi
		cmp	edi, eax
		jb	loc_5B1824
		mov	edi, [ebx+1114h]
		mov	[esp+30h+var_10], edi
		cmp	[esp+30h+var_4], edi
		ja	loc_5B17AF
		cmp	[esp+30h+var_8], 0
		jnz	loc_5B1898
		mov	eax, 51EB851Fh
		mul	edi
		shr	edx, 5
		imul	eax, edx, 5Fh
		mov	edx, [esp+30h+var_18]
		cmp	edx, eax
		jnb	loc_5B18B1

loc_463EAA:				; CODE XREF: MiChargeCommit+14DB1Cj
		mov	eax, [esp+30h+var_C]
		lea	edi, [ebx+10BCh]
		lock cmpxchg [edi], edx
		mov	edx, [esp+30h+var_C]
		mov	edi, [esp+30h+var_14]
		cmp	eax, edx
		jnz	loc_463E3B
		add	eax, esi
		mov	esi, [ebx+0D94h]
		mov	[esp+30h+var_C], eax
		cmp	eax, esi
		jnb	loc_5B18FE

loc_463EDC:				; CODE XREF: MiChargeCommit+14DB82j
		mov	esi, [ebx+0D90h]
		cmp	eax, esi
		jnb	loc_5B1907

loc_463EEA:				; CODE XREF: MiChargeCommit+14DB89j
					; MiChargeCommit+14DBA0j
		cmp	eax, [ebx+0D80h]
		ja	loc_463FBF

loc_463EF6:				; CODE XREF: MiChargeCommit+245j
		test	cl, 2
		jnz	loc_463DE2
		mov	ecx, [ebx+1114h]
		mov	edx, eax
		mov	[esp+30h+var_14], ecx
		push	ecx
		mov	ecx, ebx
		call	MiExtendPageFilesIfNecessary
		cmp	ebx, offset _MiSystemPartition
		jnz	loc_463DE2
		test	[esp+34h+var_24], 1
		mov	esi, [esp+34h+var_10]
		mov	ecx, [esp+34h+var_18]
		jnz	short loc_463F3A
		cmp	esi, [ebx+0D94h]
		jnb	loc_5B1925

loc_463F3A:				; CODE XREF: MiChargeCommit+1ACj
					; MiChargeCommit+14DBABj ...
		mov	eax, [edi+3D2Ch]
		cmp	eax, 80h
		jnb	loc_463DE2
		mov	edx, 100h
		sub	edx, eax
		mov	eax, esi
		add	esi, edx
		mov	[esp+34h+var_8], eax
		cmp	esi, eax
		jbe	loc_463DE2
		add	esi, [esp+34h+var_20]
		cmp	esi, eax
		jbe	loc_463DE2
		cmp	esi, ecx
		ja	loc_463DE2
		push	edx
		push	eax
		mov	edx, edi
		mov	ecx, ebx
		call	MiReplenishLocalCommit
		jmp	loc_463DE2
; 

loc_463F86:				; CODE XREF: MiChargeCommit+87j
		test	cl, 7
		jnz	short loc_463FCA
		mov	eax, [ebx+0D9Ch]

loc_463F91:				; CODE XREF: MiChargeCommit+14DA2Aj
		mov	[esp+30h+var_1C], eax
		jmp	loc_463E3B
; 

loc_463F9A:				; CODE XREF: MiChargeCommit+A1j
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jnz	loc_463E27
		or	ecx, 4
		mov	[esp+30h+var_1C], 0
		mov	[esp+30h+var_20], ecx
		jmp	loc_463E3B
; 

loc_463FBF:				; CODE XREF: MiChargeCommit+170j
		mov	[ebx+0D80h], eax
		jmp	loc_463EF6
; 

loc_463FCA:				; CODE XREF: MiChargeCommit+209j
		mov	[esp+30h+var_1C], 0
		jmp	loc_463E3B
; 

loc_463FD7:				; CODE XREF: MiChargeCommit+7Ej
		mov	ecx, eax
		or	ecx, 2
		mov	[esp+30h+var_20], ecx
		jmp	loc_463E04
MiChargeCommit	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiGetControlAreaPartition(x)
_MiGetControlAreaPartition@4 proc near	; CODE XREF: MmPerformMemoryListCommand+3p
					; MiDeleteVadBitmap+69p ...
		mov	eax, offset _MiSystemPartition
		retn
_MiGetControlAreaPartition@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiChargeProcessCommitment proc near	; CODE XREF: MiChargeFullProcessCommitment+3Bp
					; MiAllocateUserPhysicalPages(x,x,x,x,x)+2B0p

; FUNCTION CHUNK AT 005B1964 SIZE 00000015 BYTES

		cmp	dword ptr [ecx+220h], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [ecx+224h]
		jnz	short loc_464031
		mov	esi, edx
		lock xadd [edi], esi

loc_464008:				; CODE XREF: MiChargeProcessCommitment+5Dj
		mov	eax, [ecx+228h]
		add	esi, edx
		lea	edx, [ecx+228h]

loc_464016:				; CODE XREF: MiChargeProcessCommitment+3Fj
		mov	edi, eax
		cmp	esi, eax
		ja	short loc_464025

loc_46401C:				; CODE XREF: MiChargeProcessCommitment+3Dj
		mov	eax, 1

loc_464021:				; CODE XREF: MiChargeProcessCommitment+14D984j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_464025:				; CODE XREF: MiChargeProcessCommitment+2Aj
		mov	ecx, esi
		lock cmpxchg [edx], ecx
		cmp	eax, edi
		jz	short loc_46401C
		jmp	short loc_464016
; 

loc_464031:				; CODE XREF: MiChargeProcessCommitment+10j
		mov	esi, [edi]

loc_464033:				; CODE XREF: MiChargeProcessCommitment+5Fj
		mov	ebx, esi
		add	esi, edx
		cmp	esi, [ecx+220h]
		ja	loc_5B1964
		mov	eax, ebx
		lock cmpxchg [edi], esi
		mov	esi, eax
		cmp	esi, ebx
		jz	short loc_464008
		jmp	short loc_464033
MiChargeProcessCommitment endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PspChargeQuota(x, x, x, x)
@PspChargeQuota@16 proc	near		; CODE XREF: PsChargeProcessQuota(x,x,x)+1Ap
					; PsChargeProcessNonPagedPoolQuota(x,x)+1Bp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, eax
		mov	ebx, edx
		mov	dl, ds:_PspResourceFlags[eax*8]
		lea	eax, [ebp+var_C]
		shl	esi, 7
		add	esi, ecx
		mov	[ebp+var_1], dl
		push	edi
		xor	ecx, ecx
		mov	edi, [esi]
		mov	[ebp+var_C], 0
		lock or	[eax], ecx

loc_464092:				; CODE XREF: PspChargeQuota(x,x,x,x)+FFj
		mov	eax, [esi+40h]
		mov	edx, [ebp+arg_4]

loc_464098:				; CODE XREF: PspChargeQuota(x,x,x,x)+110j
		mov	[ebp+var_8], eax
		jmp	short loc_4640A0
; 
		align 10h

loc_4640A0:				; CODE XREF: PspChargeQuota(x,x,x,x)+3Bj
					; PspChargeQuota(x,x,x,x)+F8j
		lea	ecx, [edi+edx]
		cmp	ecx, edi
		jb	loc_464175
		cmp	ecx, eax
		ja	short loc_464124
		mov	edx, ecx
		mov	eax, edi
		lock cmpxchg [esi], edx
		cmp	eax, edi
		jnz	loc_46415D
		mov	eax, [esi+4]
		lea	edi, [esi+4]
		cmp	ecx, eax
		ja	short loc_464112

loc_4640C9:				; CODE XREF: PspChargeQuota(x,x,x,x)+BCj
					; PspChargeQuota(x,x,x,x)+C2j
		test	ebx, ebx
		jnz	short loc_4640D8

loc_4640CD:				; CODE XREF: PspChargeQuota(x,x,x,x)+7Cj
					; PspChargeQuota(x,x,x,x)+9Cj ...
		xor	eax, eax

loc_4640CF:				; CODE XREF: PspChargeQuota(x,x,x,x)+11Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4640D8:				; CODE XREF: PspChargeQuota(x,x,x,x)+6Bj
		test	[ebp+var_1], 4
		jz	short loc_4640CD
		mov	edx, [ebp+arg_0]
		mov	esi, [ebp+arg_4]
		lea	eax, [edx+42h]
		lea	eax, [ebx+eax*4]
		lock xadd [eax], esi
		add	esi, [ebp+arg_4]
		lea	edi, [edx+44h]
		mov	eax, [ebx+edi*4]
		lea	edi, [ebx+edi*4]
		cmp	esi, eax
		jbe	short loc_4640CD
		mov	edi, edi

loc_464100:				; CODE XREF: PspChargeQuota(x,x,x,x)+AEj
		mov	edx, eax
		mov	ecx, esi
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_4640CD
		cmp	esi, eax
		ja	short loc_464100
		jmp	short loc_4640CD
; 

loc_464112:				; CODE XREF: PspChargeQuota(x,x,x,x)+67j
					; PspChargeQuota(x,x,x,x)+C0j
		mov	esi, eax
		mov	edx, ecx
		lock cmpxchg [edi], edx
		cmp	eax, esi
		jz	short loc_4640C9
		cmp	ecx, eax
		ja	short loc_464112
		jmp	short loc_4640C9
; 

loc_464124:				; CODE XREF: PspChargeQuota(x,x,x,x)+4Dj
		test	[ebp+var_1], 1
		jz	short loc_464175
		cmp	dword ptr [esi+48h], 0
		jz	short loc_464175
		xor	ecx, ecx
		lea	eax, [esi+44h]
		xchg	ecx, [eax]
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jnz	short loc_464164
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		push	edx
		push	edi
		mov	edx, esi
		call	PspExpandQuota
		test	al, al
		jz	short loc_464175
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+arg_4]
		jmp	loc_4640A0
; 

loc_46415D:				; CODE XREF: PspChargeQuota(x,x,x,x)+59j
		mov	edi, eax
		jmp	loc_464092
; 

loc_464164:				; CODE XREF: PspChargeQuota(x,x,x,x)+DCj
		mov	eax, ecx
		lea	ecx, [esi+40h]
		lock xadd [ecx], eax
		add	eax, [ebp+var_C]
		jmp	loc_464098
; 

loc_464175:				; CODE XREF: PspChargeQuota(x,x,x,x)+45j
					; PspChargeQuota(x,x,x,x)+C8j ...
		mov	eax, [ebp+arg_0]
		mov	eax, ds:dword_70EF4C[eax*8]
		jmp	loc_4640CF
@PspChargeQuota@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetSharedVm(x)
_MiGetSharedVm@4 proc near		; CODE XREF: MmDeleteProcessAddressSpace+41p
					; MiRemoveVadCharges+C6p ...
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short locret_464198
		lea	eax, [ecx+80h]

locret_464198:				; CODE XREF: MiGetSharedVm(x)+Cj
		retn
_MiGetSharedVm@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockAndDereferenceVad proc near	; CODE XREF: .text:00465223p
					; MiDeprioritizeVad+F2p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005B1979 SIZE 0000006B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_C], esi
		mov	edx, eax
		lock xadd [esi+14h], edx
		dec	edx
		cmp	edx, eax
		jz	loc_5B1979
		test	edx, edx
		jnz	short loc_4641CF
		test	byte ptr [esi+1Ch], 4
		jnz	loc_5B1980

loc_4641CF:				; CODE XREF: MiUnlockAndDereferenceVad+23j
		mov	[ebp+var_18], 0

loc_4641D6:				; CODE XREF: MiUnlockAndDereferenceVad+14D7E7j
		mov	ecx, large fs:124h
		mov	[ebp+var_24], ecx
		and	byte ptr [ecx+304h], 7Fh
		lea	ecx, [esi+18h]
		mov	[ebp+var_8], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_464367

loc_4641FB:				; CODE XREF: MiUnlockAndDereferenceVad+1CFj
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	ecx, 7FFFFFFCh
		jz	loc_464300
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_20], esi
		cmp	ecx, edx
		jb	short loc_464244
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_46433C
		cmp	ecx, edx
		jb	short loc_464244
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_46433C

loc_464244:				; CODE XREF: MiUnlockAndDereferenceVad+84j
					; MiUnlockAndDereferenceVad+95j
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_10], edx

loc_46424A:				; CODE XREF: MiUnlockAndDereferenceVad+1AFj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	[ebp+var_1], al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jz	loc_464354
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_464374

loc_46428B:				; CODE XREF: MiUnlockAndDereferenceVad+1DCj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		jnz	short loc_464326

loc_4642B5:				; CODE XREF: MiUnlockAndDereferenceVad+197j
		cmp	[ebp+var_1], 1
		jnz	loc_5B199F
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_4642CF:				; CODE XREF: MiUnlockAndDereferenceVad+1BCj
					; MiUnlockAndDereferenceVad+14D80Fj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_20], eax
		jnz	loc_464392

loc_4642E6:				; CODE XREF: MiUnlockAndDereferenceVad+225j
					; MiUnlockAndDereferenceVad+14D832j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4642FD
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	loc_464388

loc_4642FD:				; CODE XREF: MiUnlockAndDereferenceVad+14Fj
					; MiUnlockAndDereferenceVad+1EDj
		mov	esi, [ebp+var_C]

loc_464300:				; CODE XREF: MiUnlockAndDereferenceVad+67j
		nop
		mov	eax, [ebp+var_24]
		pop	edi
		add	word ptr [eax+13Eh], 1
		jnz	short loc_464317
		nop
		add	eax, 70h
		cmp	[eax], eax
		jnz	short loc_464381

loc_464317:				; CODE XREF: MiUnlockAndDereferenceVad+16Dj
					; MiUnlockAndDereferenceVad+1E6j
		cmp	[ebp+var_18], 1
		jz	loc_5B19D7

loc_464321:				; CODE XREF: MiUnlockAndDereferenceVad+14D83Fj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_464326:				; CODE XREF: MiUnlockAndDereferenceVad+113j
		mov	eax, 2AAAAAABh
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		jmp	loc_4642B5
; 

loc_46433C:				; CODE XREF: MiUnlockAndDereferenceVad+8Dj
					; MiUnlockAndDereferenceVad+9Ej
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_10], eax
		jmp	loc_46424A
; 

loc_464354:				; CODE XREF: MiUnlockAndDereferenceVad+D3j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4642CF
		jmp	loc_5B198C
; 

loc_464367:				; CODE XREF: MiUnlockAndDereferenceVad+55j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_4641FB
; 

loc_464374:				; CODE XREF: MiUnlockAndDereferenceVad+E5j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_1C]
		jmp	loc_46428B
; 

loc_464381:				; CODE XREF: MiUnlockAndDereferenceVad+175j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_464317
; 

loc_464388:				; CODE XREF: MiUnlockAndDereferenceVad+157j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4642FD
; 

loc_464392:				; CODE XREF: MiUnlockAndDereferenceVad+140j
		test	edi, 8000h
		jnz	short loc_4643D0

loc_46439A:				; CODE XREF: MiUnlockAndDereferenceVad+239j
		test	byte ptr [ebp+var_14+2], 1
		jnz	loc_5B19B4

loc_4643A4:				; CODE XREF: MiUnlockAndDereferenceVad+14D820j
		test	edi, 7FFFh
		jz	short loc_4643BB
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4643BB:				; CODE XREF: MiUnlockAndDereferenceVad+20Aj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4642E6
		jmp	loc_5B19C5
; 

loc_4643D0:				; CODE XREF: MiUnlockAndDereferenceVad+1F8j
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_46439A
MiUnlockAndDereferenceVad endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiVadSupportsPrivateCommit(x)
_MiVadSupportsPrivateCommit@4 proc near	; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+BAp
					; MmOutSwapWorkingSet+28Ap ...
		mov	edx, [ecx+1Ch]
		mov	eax, edx
		and	eax, 100000h
		test	dl, 70h
		jnz	short loc_46440F
		test	eax, eax
		jz	short loc_464409
		test	edx, 400000h
		jnz	short loc_46442D
		mov	eax, edx
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnb	short loc_46442D

loc_464409:				; CODE XREF: MiVadSupportsPrivateCommit(x)+11j
					; MiVadSupportsPrivateCommit(x)+4Bj ...
		mov	eax, 1
		retn
; 

loc_46440F:				; CODE XREF: MiVadSupportsPrivateCommit(x)+Dj
		test	eax, eax
		jnz	short loc_464422
		mov	eax, [ecx+28h]
		test	eax, 1000000h
		jz	short loc_464422
		mov	edx, [ecx+1Ch]
		jmp	short loc_46442D
; 

loc_464422:				; CODE XREF: MiVadSupportsPrivateCommit(x)+31j
					; MiVadSupportsPrivateCommit(x)+3Bj
		mov	edx, [ecx+1Ch]
		mov	eax, edx
		and	al, 70h
		cmp	al, 20h
		jz	short loc_464409

loc_46442D:				; CODE XREF: MiVadSupportsPrivateCommit(x)+19j
					; MiVadSupportsPrivateCommit(x)+27j ...
		and	dl, 70h
		cmp	dl, 40h
		jz	short loc_464409
		xor	eax, eax
		retn
_MiVadSupportsPrivateCommit@4 endp

; 
		align 10h
; Exported entry 1455. MmProbeAndLockPages

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmProbeAndLockPages(x, x, x)
		public _MmProbeAndLockPages@12
_MmProbeAndLockPages@12	proc near	; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+17Cp
					; CcZeroDataInCache+AFp ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	dl, [ebp+arg_4]
		test	dl, dl
		jz	short loc_46444E
		mov	dl, 1

loc_46444E:				; CODE XREF: MmProbeAndLockPages(x,x,x)+Aj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_46445A
		mov	eax, 1

loc_46445A:				; CODE XREF: MmProbeAndLockPages(x,x,x)+13j
		mov	ecx, [ebp+arg_0]
		push	eax
		call	_MiProbeAndLockPages@12	; MiProbeAndLockPages(x,x,x)
		pop	ebp
		retn	0Ch
_MmProbeAndLockPages@12	endp ; sp = -4

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockFaultPageTable proc near	; CODE XREF: MiIssueHardFault(x,x)+6Ap
					; .text:00467DDEp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B19E4 SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	[ebp+var_8], esi
		mov	edx, [esi+0Ch]
		mov	ebx, [esi]
		test	edx, edx
		jz	short loc_4644F1
		cmp	word ptr [esi+6], 0
		jnz	loc_5B19E4

loc_464494:				; CODE XREF: MiUnlockFaultPageTable+14D57Cj
		mov	al, [ebx+60h]
		lea	ecx, [edx+3FA00000h]
		sar	ecx, 3
		and	al, 7
		add	ecx, ecx
		mov	edi, ecx
		and	edi, 1Fh
		cmp	al, 2
		jnb	short loc_4644F8
		shr	ecx, 5
		test	al, al
		jnz	short loc_464518
		mov	eax, [ebx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_4644BF:				; CODE XREF: MiUnlockFaultPageTable+A6j
					; MiUnlockFaultPageTable+B1j
		mov	[ebp+var_4], eax

loc_4644C2:				; CODE XREF: MiUnlockFaultPageTable+14D5ACj
		mov	edx, [eax]
		mov	ecx, edi
		mov	esi, [ebp+var_4]
		mov	ebx, 2
		shl	ebx, cl
		mov	eax, edx
		mov	ecx, edx
		not	ebx
		btr	ecx, edi
		and	ecx, ebx
		lock cmpxchg [esi], ecx
		mov	esi, [ebp+var_8]
		cmp	eax, edx
		jnz	short loc_464523

loc_4644E6:				; CODE XREF: MiUnlockFaultPageTable+CAj
		or	byte ptr [esi+9], 2
		mov	dword ptr [esi+0Ch], 0

loc_4644F1:				; CODE XREF: MiUnlockFaultPageTable+17j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4644F8:				; CODE XREF: MiUnlockFaultPageTable+3Bj
		cmp	edx, 0C0603018h
		jz	loc_5B19F1
		cmp	edx, 0C0603010h
		jz	short loc_46453C

loc_46450C:				; CODE XREF: MiUnlockFaultPageTable+D6j
					; MiUnlockFaultPageTable+14D590j
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	short loc_4644BF
; 

loc_464518:				; CODE XREF: MiUnlockFaultPageTable+42j
		lea	eax, [ebx+120h]
		lea	eax, [eax+ecx*4]
		jmp	short loc_4644BF
; 

loc_464523:				; CODE XREF: MiUnlockFaultPageTable+74j
		mov	esi, [ebp+var_4]

loc_464526:				; CODE XREF: MiUnlockFaultPageTable+C5j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, edi
		and	ecx, ebx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_464526
		mov	esi, [ebp+var_8]
		jmp	short loc_4644E6
; 

loc_46453C:				; CODE XREF: MiUnlockFaultPageTable+9Aj
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_46450C
		jmp	loc_5B19F1
MiUnlockFaultPageTable endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockPageTablePage(x, x)
_MiLockPageTablePage@8 proc near	; CODE XREF: MiProbeLockFrame(x):loc_46558Ap
					; MiLockWsle(x,x)+4Ap ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	[esp+28h+var_C], edi
		mov	[esp+28h+var_1C], ebx
		cmp	edi, 1
		jnz	short loc_464575
		mov	[esp+28h+var_18], ebx
		jmp	short loc_464583
; 

loc_464575:				; CODE XREF: MiLockPageTablePage(x,x)+1Dj
		mov	ecx, edi
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, ebx
		mov	[esp+28h+var_18], ecx

loc_464583:				; CODE XREF: MiLockPageTablePage(x,x)+23j
		mov	edx, 7FFFFFFFh

loc_464588:				; CODE XREF: MiLockPageTablePage(x,x)+C7j
					; MiLockPageTablePage(x,x)+2ACj ...
		cmp	edi, 1
		jnz	short loc_4645AA
		mov	eax, [ecx+18h]
		and	eax, offset loc_7FFFFF
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ebx, [eax+ecx*4]
		mov	[esp+28h+var_1C], ebx

loc_4645AA:				; CODE XREF: MiLockPageTablePage(x,x)+3Bj
		mov	eax, [ebx+10h]
		lea	esi, [ebx+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 10000h
		jb	short loc_464633
		mov	[esp+28h+var_8], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4645EA
		jmp	short loc_4645D0
; 
		align 10h

loc_4645D0:				; CODE XREF: MiLockPageTablePage(x,x)+7Bj
					; MiLockPageTablePage(x,x)+8Cj	...
		lea	ecx, [esp+28h+var_8]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_4645D0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4645D0
		mov	edx, 7FFFFFFFh

loc_4645EA:				; CODE XREF: MiLockPageTablePage(x,x)+79j
		cmp	edi, 1
		jnz	short loc_46461C
		mov	eax, [esp+28h+var_18]
		mov	eax, [eax+18h]
		and	eax, offset loc_7FFFFF
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		cmp	ebx, eax
		jz	short loc_46461C
		lock and [esi],	edx
		mov	ecx, [esp+28h+var_18]
		jmp	loc_464588
; 

loc_46461C:				; CODE XREF: MiLockPageTablePage(x,x)+9Dj
					; MiLockPageTablePage(x,x)+BEj
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, 3FFFFFFFh
		cmp	eax, 10000h
		jnb	loc_464814
		lock and [esi],	edx

loc_464633:				; CODE XREF: MiLockPageTablePage(x,x)+6Aj
		cmp	edi, 2
		jnz	short loc_46463F
		mov	edi, 1
		jmp	short loc_464646
; 

loc_46463F:				; CODE XREF: MiLockPageTablePage(x,x)+E6j
		neg	edi
		sbb	edi, edi
		add	edi, 2

loc_464646:				; CODE XREF: MiLockPageTablePage(x,x)+EDj
		mov	eax, large fs:20h
		mov	edx, [eax+3D30h]
		mov	[esp+28h+var_10], edi
		lea	esi, [eax+3D30h]
		cmp	edi, edx
		ja	short loc_464679

loc_464660:				; CODE XREF: MiLockPageTablePage(x,x)+127j
		cmp	edx, 0FFFFFFFFh
		jz	short loc_464679
		mov	ecx, edx
		mov	eax, edx
		sub	ecx, edi
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_464692
		mov	edx, eax
		cmp	edi, eax
		jbe	short loc_464660

loc_464679:				; CODE XREF: MiLockPageTablePage(x,x)+10Ej
					; MiLockPageTablePage(x,x)+113j
		push	200h
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		call	MiChargePartitionResidentAvailable
		test	eax, eax
		jz	loc_46488B

loc_464692:				; CODE XREF: MiLockPageTablePage(x,x)+121j
		xor	edx, edx

loc_464694:				; CODE XREF: MiLockPageTablePage(x,x)+282j
		mov	[esp+28h+var_14], edx
		cmp	edx, edi
		jnb	loc_46485E
		mov	[esp+28h+var_4], 0
		lea	esi, [ebx+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4646CB

loc_4646B2:				; CODE XREF: MiLockPageTablePage(x,x)+16Ej
					; MiLockPageTablePage(x,x)+175j
		lea	ecx, [esp+28h+var_4]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_4646B2
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4646B2
		mov	edx, [esp+28h+var_14]

loc_4646CB:				; CODE XREF: MiLockPageTablePage(x,x)+160j
		cmp	[esp+28h+var_C], 1
		jnz	short loc_4646F7
		mov	eax, [esp+28h+var_18]
		mov	eax, [eax+18h]
		and	eax, offset loc_7FFFFF
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		cmp	ebx, eax
		jnz	loc_4647D7

loc_4646F7:				; CODE XREF: MiLockPageTablePage(x,x)+180j
		mov	ecx, [esi]
		mov	edi, ecx
		and	edi, 3FFFFFFFh
		test	edx, edx
		jnz	short loc_464724
		cmp	edi, 3FFEFDFFh
		jnb	loc_464842
		lea	eax, [ecx+10000h]
		xor	eax, ecx
		and	eax, 3FFFFFFFh
		xor	eax, ecx
		mov	[esi], eax
		jmp	short loc_46472F
; 

loc_464724:				; CODE XREF: MiLockPageTablePage(x,x)+1B3j
		mov	ecx, ebx
		call	_MiIncrementPageTableLockCheckWrap@4 ; MiIncrementPageTableLockCheckWrap(x)
		mov	edx, [esp+28h+var_14]

loc_46472F:				; CODE XREF: MiLockPageTablePage(x,x)+1D2j
		cmp	edi, 10000h
		jnb	loc_464852
		mov	bl, [ebx+16h]
		xor	edi, edi
		xor	ecx, ecx
		test	bl, 10h
		jnz	short loc_464789
		mov	eax, [esp+28h+var_1C]
		mov	dl, bl
		mov	eax, [eax+8]
		and	eax, 400h
		or	eax, ecx
		jnz	short loc_46477D
		test	bl, 8
		mov	ebx, [esp+28h+var_1C]
		jnz	short loc_464781
		push	eax
		lea	edx, [edi+1]
		lea	ecx, [ebx+8]
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	ecx, edx
		mov	edi, eax
		mov	dl, [ebx+16h]
		or	dl, 10h
		mov	[ebx+16h], dl
		jmp	short loc_46478D
; 

loc_46477D:				; CODE XREF: MiLockPageTablePage(x,x)+207j
		mov	ebx, [esp+28h+var_1C]

loc_464781:				; CODE XREF: MiLockPageTablePage(x,x)+210j
		or	dl, 10h
		mov	[ebx+16h], dl
		jmp	short loc_46478D
; 

loc_464789:				; CODE XREF: MiLockPageTablePage(x,x)+1F5j
		mov	ebx, [esp+28h+var_1C]

loc_46478D:				; CODE XREF: MiLockPageTablePage(x,x)+22Bj
					; MiLockPageTablePage(x,x)+237j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	eax, edi
		or	eax, ecx
		jz	short loc_4647AC
		push	ecx
		push	edi
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_4647AC:				; CODE XREF: MiLockPageTablePage(x,x)+249j
		mov	eax, [ebx+18h]
		mov	edx, [esp+28h+var_14]
		and	eax, offset loc_7FFFFF
		mov	edi, [esp+28h+var_10]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		inc	edx
		lea	ebx, [eax+ecx*4]
		mov	[esp+28h+var_1C], ebx
		jmp	loc_464694
; 

loc_4647D7:				; CODE XREF: MiLockPageTablePage(x,x)+1A1j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		sub	edi, edx
		mov	ecx, offset _MiSystemPartition
		mov	edx, edi
		call	MiReturnResavailToPrcb
		mov	edi, [esp+28h+var_C]
		mov	edx, 7FFFFFFFh
		mov	ecx, [esp+28h+var_18]
		test	eax, eax
		jz	loc_464588
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax
		mov	ecx, [esp+28h+var_18]
		jmp	loc_464588
; 

loc_464814:				; CODE XREF: MiLockPageTablePage(x,x)+DAj
		add	ebx, 10h
		cmp	eax, 3FFEFDFFh
		jb	short loc_464822
		xor	eax, eax
		jmp	short loc_464838
; 

loc_464822:				; CODE XREF: MiLockPageTablePage(x,x)+2CCj
		lea	eax, [ecx+10000h]
		xor	eax, ecx
		and	eax, 3FFFFFFFh
		xor	eax, ecx
		mov	[ebx], eax
		mov	eax, 1

loc_464838:				; CODE XREF: MiLockPageTablePage(x,x)+2D0j
		lock and [ebx],	edx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_464842:				; CODE XREF: MiLockPageTablePage(x,x)+1BBj
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	edi, [esp+28h+var_10]
		xor	esi, esi
		jmp	short loc_464863
; 

loc_464852:				; CODE XREF: MiLockPageTablePage(x,x)+1E5j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	edi, [esp+28h+var_10]

loc_46485E:				; CODE XREF: MiLockPageTablePage(x,x)+14Aj
		mov	esi, 1

loc_464863:				; CODE XREF: MiLockPageTablePage(x,x)+300j
		cmp	edx, edi
		jz	short loc_464882
		sub	edi, edx
		mov	ecx, offset _MiSystemPartition
		mov	edx, edi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_464882
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_464882:				; CODE XREF: MiLockPageTablePage(x,x)+315j
					; MiLockPageTablePage(x,x)+327j
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_46488B:				; CODE XREF: MiLockPageTablePage(x,x)+13Cj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiLockPageTablePage@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiProbeAndLockPrepare proc near		; CODE XREF: MmProbeAndLockSelectedPages+A7p
					; .text:00464C45p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005B1A21 SIZE 00000112 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], 0
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, edx
		mov	edx, [ebp+arg_0]
		add	edi, edx
		cmp	byte ptr [ebp+arg_8], 0
		mov	[esi+30h], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_8], ebx
		mov	[esi+24h], ebx
		mov	[esi+38h], eax
		mov	[esi], edx
		mov	[esi+4], edi
		jz	short loc_4648F2
		cmp	edi, ds:_MmUserProbeAddress
		ja	loc_5B1A21
		cmp	edx, edi
		jnb	loc_5B1A21

loc_4648F2:				; CODE XREF: MiProbeAndLockPrepare+3Cj
		mov	ebx, [ebx+14h]
		mov	ecx, edx
		and	ecx, 0FFFh
		mov	dword ptr [esi+50h], offset loc_7FFFFF
		add	ecx, 0FFFh
		dec	edi
		add	ebx, ecx
		mov	ecx, [ebp+var_8]
		shr	ebx, 0Ch
		lea	eax, [ecx+1Ch]
		mov	[esi+20h], eax
		mov	eax, edx
		mov	edx, [ebp+arg_C]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[esi+8], eax
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[esi+0Ch], eax
		movzx	eax, word ptr [ecx+6]
		test	edx, edx
		jz	loc_464A7F
		or	eax, 80h

loc_464951:				; CODE XREF: MiProbeAndLockPrepare+1E4j
		movzx	eax, ax
		or	eax, 2
		mov	[ecx+6], ax
		mov	eax, [esi]
		mov	dword ptr [esi+48h], 0
		mov	dword ptr [esi+40h], 0
		mov	dword ptr [esi+44h], 0
		cmp	eax, ds:_MmUserProbeAddress
		jnb	loc_464A89
		mov	eax, [esi+30h]
		mov	eax, [eax+80h]
		mov	[esi+34h], eax
		mov	[ecx+8], eax
		cmp	edx, 3
		jz	loc_5B1A31

loc_464996:				; CODE XREF: MiProbeAndLockPrepare+14D23Bj
		cmp	[ebp+arg_10], 0
		jz	short loc_4649A8
		mov	eax, [esi+34h]
		add	eax, 150h
		lock xadd [eax], ebx

loc_4649A8:				; CODE XREF: MiProbeAndLockPrepare+FAj
					; MiProbeAndLockPrepare+1F7j
		mov	ecx, [esi]
		mov	dword ptr [esi+10h], 0
		cmp	ecx, dword_6D07D0
		jnb	loc_464A9C
		xor	eax, eax

loc_4649BF:				; CODE XREF: MiProbeAndLockPrepare+208j
		mov	[ebp+arg_0], eax
		cmp	ecx, ds:_MmUserProbeAddress
		jnb	loc_464AAD
		mov	edx, [esi+28h]
		lea	edi, [esi+28h]
		mov	ecx, [esi+34h]
		lea	ebx, [esi+3Ch]
		add	ecx, 240h
		mov	[ebp+arg_C], ebx
		and	edx, 0FFFFFFF1h
		mov	[ebx], ecx
		or	edx, 1
		mov	[edi], edx

loc_4649ED:				; CODE XREF: MiProbeAndLockPrepare+244j
					; MiProbeAndLockPrepare+273j ...
		and	edx, 0FFFFFFCFh
		mov	[edi], edx
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 4
		ja	loc_464B18

loc_4649FF:				; CODE XREF: MiProbeAndLockPrepare+27Aj
		cmp	al, 2
		jz	loc_464B7F
		lea	ebx, [ecx+80h]

loc_464A0D:				; CODE XREF: MiProbeAndLockPrepare+2E4j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+arg_8+3],	al
		jnz	loc_5B1B1C
		mov	edx, [ebx]
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	loc_464BBB

loc_464A3E:				; CODE XREF: MiProbeAndLockPrepare+325j
					; MiProbeAndLockPrepare+14D285j
		add	ebx, 4
		cmp	dword ptr [ebx], 0
		jnz	loc_5B1B2A

loc_464A4A:				; CODE XREF: MiProbeAndLockPrepare+14D28Ej
		mov	al, byte ptr [ebp+arg_8+3]

loc_464A4D:				; CODE XREF: MiProbeAndLockPrepare+288j
		mov	ecx, [edi]
		mov	[esi+2Ch], al
		mov	eax, ecx
		and	al, 0Fh
		cmp	al, 1
		jnz	short loc_464A6A
		mov	eax, [esi+34h]
		cmp	dword ptr [eax+148h], 0
		jnz	loc_464BEC

loc_464A6A:				; CODE XREF: MiProbeAndLockPrepare+1B8j
					; MiProbeAndLockPrepare+351j
		cmp	[ebp+arg_0], 8
		jz	loc_464B89

loc_464A74:				; CODE XREF: MiProbeAndLockPrepare+2F2j
		xor	eax, eax

loc_464A76:				; CODE XREF: MiProbeAndLockPrepare+14D18Cj
					; MiProbeAndLockPrepare+14D1AAj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_464A7F:				; CODE XREF: MiProbeAndLockPrepare+A6j
		and	eax, 0FFFFFF7Fh
		jmp	loc_464951
; 

loc_464A89:				; CODE XREF: MiProbeAndLockPrepare+D8j
		mov	dword ptr [esi+34h], 0
		mov	dword ptr [ecx+8], 0
		jmp	loc_4649A8
; 

loc_464A9C:				; CODE XREF: MiProbeAndLockPrepare+117j
		mov	eax, ecx
		shr	eax, 15h
		movzx	eax, byte ptr dword_6D3994[eax]
		jmp	loc_4649BF
; 

loc_464AAD:				; CODE XREF: MiProbeAndLockPrepare+128j
		cmp	eax, 1
		jz	loc_464BCA
		cmp	eax, 0Bh
		jz	loc_464BCA
		cmp	eax, 6
		jnz	short loc_464AE9
		mov	edx, [esi+28h]
		lea	edi, [esi+28h]
		and	edx, 0FFFFFFF3h
		mov	dword ptr [esi+3Ch], offset unk_6D3840
		lea	ebx, [esi+3Ch]
		or	edx, 3
		mov	[ebp+arg_C], ebx
		mov	ecx, offset unk_6D3840
		mov	[edi], edx
		jmp	loc_4649ED
; 

loc_464AE9:				; CODE XREF: MiProbeAndLockPrepare+222j
		cmp	eax, 8
		jz	short loc_464B5B
		cmp	eax, 5
		jnz	short loc_464B2D

loc_464AF3:				; CODE XREF: MiProbeAndLockPrepare+290j
		mov	edx, [esi+28h]
		lea	edi, [esi+28h]
		and	edx, 0FFFFFFF4h
		mov	dword ptr [esi+3Ch], offset unk_6D3B40
		lea	ebx, [esi+3Ch]
		or	edx, 4
		mov	[ebp+arg_C], ebx
		mov	ecx, offset unk_6D3B40
		mov	[edi], edx
		jmp	loc_4649ED
; 

loc_464B18:				; CODE XREF: MiProbeAndLockPrepare+159j
		cmp	al, 5
		jz	loc_4649FF
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		jmp	loc_464A4D
; 

loc_464B2D:				; CODE XREF: MiProbeAndLockPrepare+251j
		cmp	eax, 0Fh
		jz	short loc_464AF3
		mov	edx, [esi+28h]
		lea	ebx, [esi+3Ch]
		mov	[ebp+arg_C], ebx
		lea	edi, [esi+28h]
		cmp	eax, 0Ch
		jnz	short loc_464B97
		and	edx, 0FFFFFFF6h
		mov	dword ptr [ebx], offset	unk_6D3740
		or	edx, 6
		mov	ecx, offset unk_6D3740
		mov	[edi], edx
		jmp	loc_4649ED
; 

loc_464B5B:				; CODE XREF: MiProbeAndLockPrepare+24Cj
		xor	ecx, ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	edx, [esi+28h]
		lea	edi, [esi+28h]
		and	edx, 0FFFFFFF2h
		lea	ebx, [esi+3Ch]
		mov	ecx, eax
		mov	[ebp+arg_C], ebx
		or	edx, 2
		mov	[ebx], ecx
		mov	[edi], edx
		jmp	loc_4649ED
; 

loc_464B7F:				; CODE XREF: MiProbeAndLockPrepare+161j
		mov	ebx, offset unk_6D3C40
		jmp	loc_464A0D
; 

loc_464B89:				; CODE XREF: MiProbeAndLockPrepare+1CEj
		mov	eax, [ebp+arg_C]
		mov	dword ptr [eax], offset	unk_6D5E80
		jmp	loc_464A74
; 

loc_464B97:				; CODE XREF: MiProbeAndLockPrepare+2A1j
		mov	[ebp+arg_C], ebx
		cmp	eax, 0Eh
		jnz	loc_5B1AFE
		and	edx, 0FFFFFFF7h
		mov	dword ptr [ebx], offset	unk_6D3A40
		or	edx, 7
		mov	ecx, offset unk_6D3A40
		mov	[edi], edx
		jmp	loc_4649ED
; 

loc_464BBB:				; CODE XREF: MiProbeAndLockPrepare+198j
		mov	dl, byte ptr [ebp+arg_8+3]
		mov	ecx, ebx
		call	ExpWaitForSpinLockSharedAndAcquire
		jmp	loc_464A3E
; 

loc_464BCA:				; CODE XREF: MiProbeAndLockPrepare+210j
					; MiProbeAndLockPrepare+219j
		mov	edx, [esi+28h]
		lea	edi, [esi+28h]
		and	edx, 0FFFFFFF8h
		or	edx, 8
		mov	[edi], edx
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		mov	ecx, eax
		lea	eax, [esi+3Ch]
		mov	[ebp+arg_C], eax
		mov	[eax], ecx
		jmp	loc_4649ED
; 

loc_464BEC:				; CODE XREF: MiProbeAndLockPrepare+1C4j
		or	ecx, 10h
		mov	[edi], ecx
		jmp	loc_464A6A
MiProbeAndLockPrepare endp

; 
		align 10h

; __stdcall MiProbeAndLockPages(x, x, x)
_MiProbeAndLockPages@12:		; CODE XREF: MmProbeAndLockPages(x,x,x)+1Ep
					; sub_4F0820+1Bp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		push	ebx
		push	esi
		push	edi
		push	60h
		lea	eax, [esp+34h]
		mov	esi, edx
		push	0
		push	eax
		mov	edi, ecx
		call	_memset
		mov	eax, [edi+14h]
		lea	ecx, [esp+3Ch]
		add	esp, 0Ch
		mov	dword ptr [esp+10h], 0
		mov	edx, edi
		push	1
		push	dword ptr [ebp+8]
		push	esi
		push	eax
		mov	eax, [edi+18h]
		add	eax, [edi+10h]
		push	eax
		call	MiProbeAndLockPrepare
		mov	ebx, eax
		test	ebx, ebx
		js	loc_465235
		mov	edi, [esp+38h]
		mov	esi, [esp+30h]
		lea	esp, [esp+0]

loc_464C60:				; CODE XREF: .text:004650CDj
		test	byte ptr [esp+58h], 20h
		mov	eax, [esp+50h]
		mov	dword ptr [eax], 0FFFFFFFFh
		jz	loc_464CF9
		mov	ecx, [esp+84h]
		cmp	esi, ecx
		jb	short loc_464CF9
		cmp	esi, [esp+88h]
		ja	short loc_464CF9
		test	byte ptr [esp+10h], 3Fh
		jnz	short loc_464CC3
		lea	ecx, [esp+30h]
		call	_MiProbePacketContended@4 ; MiProbePacketContended(x)
		test	eax, eax
		jz	short loc_464CBC
		lea	ecx, [esp+30h]
		call	_MiUnlockProbePacketWorkingSet@4 ; MiUnlockProbePacketWorkingSet(x)
		lea	ecx, [esp+30h]
		call	_MiLockProbePacketWorkingSet@4 ; MiLockProbePacketWorkingSet(x)
		mov	edi, [esp+38h]
		mov	esi, [esp+30h]
		jmp	loc_4650C5
; 

loc_464CBC:				; CODE XREF: .text:00464C9Bj
		mov	ecx, [esp+84h]

loc_464CC3:				; CODE XREF: .text:00464C8Ej
		mov	eax, [esp+8Ch]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_464CDF
		sub	esi, ecx
		shr	esi, 0Ch
		add	esi, eax
		mov	[esp+7Ch], esi
		jmp	loc_46508E
; 

loc_464CDF:				; CODE XREF: .text:00464CCDj
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		mov	[esp+7Ch], ecx
		jmp	loc_46508E
; 

loc_464CF9:				; CODE XREF: .text:00464C6Fj
					; .text:00464C7Ej ...
		test	byte ptr [esp+10h], 0Fh
		jnz	short loc_464D5C
		mov	edx, [esp+40h]
		mov	esi, [esp+6Ch]
		test	edx, edx
		jz	short loc_464D17
		mov	ecx, esi
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jnz	short loc_464D3D

loc_464D17:				; CODE XREF: .text:00464D0Aj
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_464D2B
		lea	eax, [esi+80h]

loc_464D2B:				; CODE XREF: .text:00464D23j
		mov	eax, [eax]
		test	eax, 40000000h
		jnz	short loc_464D3D
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_464D5C

loc_464D3D:				; CODE XREF: .text:00464D15j
					; .text:00464D32j
		lea	ecx, [esp+30h]
		call	_MiUnlockProbePacketWorkingSet@4 ; MiUnlockProbePacketWorkingSet(x)
		lea	ecx, [esp+30h]
		call	_MiLockProbePacketWorkingSet@4 ; MiLockProbePacketWorkingSet(x)
		mov	edi, [esp+38h]
		mov	esi, [esp+30h]
		jmp	loc_4650C5
; 

loc_464D5C:				; CODE XREF: .text:00464CFEj
					; .text:00464D3Bj
		lea	ecx, [esp+30h]
		mov	dword ptr [esp+14h], 0
		call	MiLockPageLeafPageTable
		mov	ecx, [esp+48h]
		mov	edx, eax
		cmp	ecx, ds:_ZeroPte
		jnz	short loc_464D90
		mov	ecx, [esp+4Ch]
		cmp	ecx, ds:dword_40F9FC

loc_464D85:				; CODE XREF: .text:00464DE4j
		jz	loc_465088
		jmp	short loc_464D90
; 
		align 10h

loc_464D90:				; CODE XREF: .text:00464D79j
					; .text:00464D8Bj ...
		lea	edx, [esp+14h]
		lea	ecx, [esp+30h]
		call	_MiProbeLeafPteAccess@8	; MiProbeLeafPteAccess(x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_465088
		mov	eax, [esp+14h]
		test	eax, eax
		jz	short loc_464DF3
		cmp	eax, 1
		jz	short loc_464DC3
		lea	ecx, [esp+30h]
		call	MiFaultInProbeAddress
		mov	edx, eax
		test	edx, edx
		js	short loc_464DE6

loc_464DC3:				; CODE XREF: .text:00464DB2j
		lea	ecx, [esp+30h]
		call	MiLockPageLeafPageTable
		mov	edx, eax
		mov	eax, [esp+48h]
		cmp	eax, ds:_ZeroPte
		jnz	short loc_464D90
		mov	eax, [esp+4Ch]
		cmp	eax, ds:dword_40F9FC
		jmp	short loc_464D85
; 

loc_464DE6:				; CODE XREF: .text:00464DC1j
		inc	dword_6D30A0
		mov	ebx, eax
		jmp	loc_46508A
; 

loc_464DF3:				; CODE XREF: .text:00464DADj
		mov	ebx, [esp+48h]
		nop
		mov	edi, [esp+4Ch]
		mov	ecx, ebx
		mov	eax, edi
		shrd	ecx, eax, 0Ch
		mov	eax, [esp+58h]
		and	ecx, 1FFFFFFh
		and	al, 0Fh
		mov	[esp+7Ch], ecx
		cmp	al, 1
		jnz	loc_46508E
		cmp	dword ptr [esp+68h], 3
		jz	loc_46508E
		nop
		mov	ecx, ebx
		mov	eax, edi
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		cmp	ecx, dword_6D07B0
		ja	loc_46508E
		mov	eax, dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_46508E
		and	ebx, 0FFFh
		mov	dword ptr [esp+14h], 0
		mov	[esp+1Ch], ebx
		and	edi, 80000000h
		mov	ebx, [esp+38h]
		mov	[esp+28h], edi
		mov	[esp+2Ch], ebx

loc_464E81:				; CODE XREF: .text:00465044j
		add	ebx, 8
		test	ebx, 0FFFh
		jz	loc_465049
		cmp	ebx, [esp+3Ch]
		ja	loc_465049
		mov	esi, [ebx]
		mov	dword ptr [esp+20h], 0
		mov	dword ptr [esp+24h], 0
		nop
		mov	ecx, [ebx+4]
		mov	eax, esi
		mov	edx, ecx
		and	eax, 0FFFh
		and	edx, 80000000h
		cmp	eax, [esp+1Ch]
		jnz	loc_465049
		cmp	edx, edi
		jnz	loc_465049
		nop
		shrd	esi, ecx, 0Ch
		and	esi, 1FFFFFFh
		cmp	esi, dword_6D07B0
		ja	loc_465049
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_465049
		mov	edx, ds:_MmPfnDatabase
		lea	eax, ds:0[esi*8]
		mov	ecx, dword_6D3580
		sub	eax, esi
		lea	edi, [edx+eax*4]
		test	ecx, ecx
		jz	short loc_464F6F
		mov	eax, [edi+18h]
		and	eax, 70000000h
		cmp	eax, 10000000h
		jnz	short loc_464F6F
		mov	esi, edi
		mov	eax, 92492493h
		sub	esi, edx
		imul	esi
		add	edx, esi
		sar	edx, 4
		mov	esi, edx
		shr	esi, 1Fh
		add	esi, edx
		test	ecx, ecx
		jz	short loc_464F6F
		jmp	short loc_464F50
; 
		align 10h

loc_464F50:				; CODE XREF: .text:00464F4Bj
					; .text:00464F6Dj
		mov	edx, [ecx+0Ch]
		cmp	esi, edx
		jb	short loc_464F69
		mov	eax, esi
		sub	eax, edx
		cmp	eax, [ecx+10h]
		jb	loc_465049
		mov	ecx, [ecx+4]
		jmp	short loc_464F6B
; 

loc_464F69:				; CODE XREF: .text:00464F55j
		mov	ecx, [ecx]

loc_464F6B:				; CODE XREF: .text:00464F67j
		test	ecx, ecx
		jnz	short loc_464F50

loc_464F6F:				; CODE XREF: .text:00464F1Fj
					; .text:00464F2Ej ...
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_464FFF
		mov	ecx, [edi+18h]
		test	ecx, 800000h
		jz	short loc_464FB1
		mov	[esp+18h], eax
		lea	edx, [esp+18h]
		mov	[esp+20h], eax
		mov	ecx, edi
		lea	eax, [esp+20h]
		push	eax
		call	_MiGetPfnPageSizeIndexUnsynchronized@12	; MiGetPfnPageSizeIndexUnsynchronized(x,x,x)
		cmp	eax, 2
		jz	loc_465049
		cmp	dword ptr [esp+18h], 6
		jmp	short loc_464FFD
; 

loc_464FB1:				; CODE XREF: .text:00464F87j
		mov	eax, [edi+4]
		shl	eax, 9
		add	eax, 40000000h
		cmp	eax, offset loc_7FFFFF
		ja	short loc_464FFF
		and	ecx, offset loc_7FFFFF
		cmp	ecx, 7FFFFDh
		jz	short loc_464FFF
		mov	al, [edi+16h]
		test	al, 20h
		jz	short loc_464FE8
		test	dword ptr [edi+10h], 3FFFFFFFh
		jnz	short loc_464FE8
		cmp	word ptr [edi+14h], 0
		jnz	short loc_464FFF

loc_464FE8:				; CODE XREF: .text:00464FD6j
					; .text:00464FDFj
		test	al, 8
		jnz	short loc_464FFF
		mov	eax, [edi]
		shr	eax, 1
		and	eax, 0FFFFFFF8h
		or	eax, 80000000h
		cmp	eax, 80000018h

loc_464FFD:				; CODE XREF: .text:00464FAFj
		jnz	short loc_465049

loc_464FFF:				; CODE XREF: .text:00464F78j
					; .text:00464FC1j ...
		cmp	dword ptr [esp+68h], 0
		jnz	short loc_46503C
		mov	ecx, [edi+18h]
		mov	eax, ecx
		and	eax, 70000000h
		cmp	eax, 10000000h
		jz	short loc_465028
		test	ecx, 800000h
		jnz	short loc_465028
		mov	eax, [edi+4]
		test	eax, eax
		js	short loc_465028
		jnz	short loc_465049

loc_465028:				; CODE XREF: .text:00465015j
					; .text:0046501Dj ...
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_46503C
		mov	ecx, [esp+58h]
		test	cl, 10h
		jnz	short loc_46504D

loc_46503C:				; CODE XREF: .text:00465004j
					; .text:00465031j
		inc	dword ptr [esp+14h]
		mov	edi, [esp+28h]
		jmp	loc_464E81
; 

loc_465049:				; CODE XREF: .text:00464E8Aj
					; .text:00464E94j ...
		mov	ecx, [esp+58h]

loc_46504D:				; CODE XREF: .text:0046503Aj
		mov	ebx, [esp+14h]
		test	ebx, ebx
		jz	short loc_46508E
		mov	eax, [esp+2Ch]
		shl	eax, 9
		mov	[esp+84h], eax
		add	eax, 0FFFh
		shl	ebx, 0Ch
		add	eax, ebx
		mov	dword ptr [esp+8Ch], 0FFFFFFFFh
		or	ecx, 20h
		mov	[esp+88h], eax
		mov	[esp+58h], ecx
		jmp	short loc_46508E
; 

loc_465088:				; CODE XREF: .text:loc_464D85j
					; .text:00464DA1j
		mov	ebx, edx

loc_46508A:				; CODE XREF: .text:00464DEEj
		test	edx, edx
		js	short loc_4650D3

loc_46508E:				; CODE XREF: .text:00464CDAj
					; .text:00464CF4j ...
		lea	ecx, [esp+30h]
		call	_MiProbeLockFrame@4 ; MiProbeLockFrame(x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_4650D3
		mov	eax, [esp+50h]
		mov	esi, [esp+30h]
		mov	edi, [esp+38h]
		add	esi, 1000h
		add	dword ptr [esp+50h], 4
		add	edi, 8
		mov	ecx, [esp+7Ch]
		mov	[eax], ecx
		mov	[esp+30h], esi
		mov	[esp+38h], edi

loc_4650C5:				; CODE XREF: .text:00464CB7j
					; .text:00464D57j
		inc	dword ptr [esp+10h]
		cmp	edi, [esp+3Ch]
		jbe	loc_464C60

loc_4650D3:				; CODE XREF: .text:0046508Cj
					; .text:0046509Bj
		mov	edx, [esp+40h]
		test	edx, edx
		jz	loc_4651A5
		mov	edi, [esp+6Ch]
		lea	ecx, [edx+3FA00000h]
		sar	ecx, 3
		add	ecx, ecx
		mov	esi, ecx
		mov	al, [edi+60h]
		and	esi, 1Fh
		and	al, 7
		cmp	al, 2
		jb	short loc_465152
		cmp	edx, 0C0603018h
		jz	short loc_465118
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_465146
		cmp	edx, 0C0603010h
		jnz	short loc_465146

loc_465118:				; CODE XREF: .text:00465102j
		cmp	al, 7
		jnz	short loc_46512F
		mov	esi, 0C0603018h
		mov	edi, offset unk_6D2E58
		sub	esi, edx
		sar	esi, 3
		add	esi, esi
		jmp	short loc_465170
; 

loc_46512F:				; CODE XREF: .text:0046511Aj
		cmp	al, 5
		jnz	short loc_465146
		mov	esi, 0C0603018h
		mov	edi, offset unk_6D2E54
		sub	esi, edx
		sar	esi, 3
		add	esi, esi
		jmp	short loc_465170
; 

loc_465146:				; CODE XREF: .text:0046510Ej
					; .text:00465116j ...
		shr	ecx, 5
		lea	edi, unk_6D2C54[ecx*4]
		jmp	short loc_465170
; 

loc_465152:				; CODE XREF: .text:004650FAj
		shr	ecx, 5
		test	al, al
		jnz	short loc_465167
		mov	edi, [edi+0Ch]
		add	edi, 0D90h
		lea	edi, [edi+ecx*4]
		jmp	short loc_465170
; 

loc_465167:				; CODE XREF: .text:00465157j
		lea	edi, [edi+ecx*4]
		add	edi, 120h

loc_465170:				; CODE XREF: .text:0046512Dj
					; .text:00465144j ...
		mov	edx, [edi]
		mov	ecx, esi
		mov	eax, 2
		shl	eax, cl
		mov	ecx, edx
		not	eax
		btr	ecx, esi
		mov	[esp+2Ch], eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_4651A5

loc_465192:				; CODE XREF: .text:004651A3j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, esi
		and	ecx, [esp+2Ch]
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_465192

loc_4651A5:				; CODE XREF: .text:004650D9j
					; .text:00465190j
		mov	dl, [esp+5Ch]
		mov	ecx, [esp+6Ch]
		call	MiUnlockWorkingSetShared
		test	byte ptr ds:_MmTrackLockedPages, 1
		mov	esi, [esp+54h]
		jz	short loc_4651E2
		mov	ecx, [esi+18h]
		add	ecx, [esi+10h]
		mov	edx, [esi+14h]
		and	ecx, 0FFFh
		add	edx, 0FFFh
		add	edx, ecx
		mov	ecx, esi
		push	3
		shr	edx, 0Ch
		call	_MiAddMdlTracker@12 ; MiAddMdlTracker(x,x,x)

loc_4651E2:				; CODE XREF: .text:004651BDj
		test	ebx, ebx
		jns	short loc_4651F2
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		inc	dword_6D30C4

loc_4651F2:				; CODE XREF: .text:004651E4j
		mov	edi, [esp+78h]
		test	edi, edi
		jz	short loc_465228
		mov	ecx, [edi+20h]
		mov	esi, [esp+70h]
		mov	edx, [esp+74h]
		lea	eax, [ecx+esi]
		xor	eax, ecx
		and	eax, 7FFFFFFFh
		xor	eax, ecx
		mov	[edi+20h], eax
		sub	edx, esi
		jz	short loc_465221
		mov	ecx, [esp+64h]
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)

loc_465221:				; CODE XREF: .text:00465216j
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad

loc_465228:				; CODE XREF: .text:004651F8j
		test	ebx, ebx
		js	short loc_46523B
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_465235:				; CODE XREF: .text:00464C4Ej
		push	ebx
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_46523B:				; CODE XREF: .text:0046522Aj
		push	ebx
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiProbeLockFrame(x)
_MiProbeLockFrame@4 proc near		; CODE XREF: MmProbeAndLockSelectedPages+126p
					; .text:00465092p

var_28		= dword	ptr -28h
var_1A		= dword	ptr -1Ah
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	[esp+28h+var_C], esi
		mov	ecx, [esi+4Ch]
		cmp	ecx, dword_6D07B0
		ja	loc_4656DD
		mov	eax, dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_4656DD
		mov	eax, [esi+28h]
		and	al, 0Fh
		mov	byte ptr [esp+28h+var_1A], 21h
		cmp	al, 4
		jnz	short loc_4652E9
		mov	ecx, [esi]
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	short loc_4652E9
		mov	ecx, [esi]
		lea	edx, [esp+28h+var_1A]
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		call	MiLockNonPagedPoolPte
		mov	ebx, eax
		mov	[esp+28h+var_1A+2], eax
		mov	ecx, ebx
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	[esi+4Ch], eax
		test	ebx, ebx
		jnz	short loc_465335

loc_4652E9:				; CODE XREF: MiProbeLockFrame(x)+4Aj
					; MiProbeLockFrame(x)+55j
		mov	eax, [esi+4Ch]
		mov	[esp+28h+var_14], 0
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ebx, [eax+ecx*4]
		mov	cl, 21h
		mov	[esp+28h+var_1A+2], ebx
		lea	esi, [ebx+10h]
		mov	byte ptr [esp+28h+var_1A], cl
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_465339
		lea	esp, [esp+0]

loc_465320:				; CODE XREF: MiProbeLockFrame(x)+DCj
					; MiProbeLockFrame(x)+E3j
		lea	ecx, [esp+28h+var_14]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_465320
		lock bts dword ptr [esi], 1Fh
		jb	short loc_465320

loc_465335:				; CODE XREF: MiProbeLockFrame(x)+97j
		mov	cl, byte ptr [esp+28h+var_1A]

loc_465339:				; CODE XREF: MiProbeLockFrame(x)+C7j
		mov	dl, [ebx+16h]
		mov	al, dl
		and	al, 7
		cmp	al, 1
		jbe	loc_4656B5
		movzx	eax, word ptr [ebx+14h]
		test	ax, ax
		jz	loc_4656B5
		mov	ecx, 7FFFh
		cmp	ax, cx
		jnb	loc_465689
		test	dword ptr [ebx+18h], 800000h
		mov	esi, 1
		jnz	loc_46546F
		mov	ecx, eax
		mov	eax, [ebx+10h]
		and	eax, 3FFFFFFFh
		cmp	ecx, esi
		jnz	short loc_465389
		test	eax, eax
		jnz	short loc_4653A3
		jmp	short loc_46539A
; 

loc_465389:				; CODE XREF: MiProbeLockFrame(x)+131j
		cmp	ecx, 2
		jnz	loc_46546F
		test	eax, eax
		jz	loc_46546F

loc_46539A:				; CODE XREF: MiProbeLockFrame(x)+137j
		test	dl, 8
		jz	loc_46546F

loc_4653A3:				; CODE XREF: MiProbeLockFrame(x)+135j
		mov	ecx, ebx
		mov	byte ptr [esp+28h+var_1A+1], 0
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4653C0
		mov	eax, [ebx+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_4653ED

loc_4653C0:				; CODE XREF: MiProbeLockFrame(x)+161j
		mov	eax, ds:_MmHighestUserAddress
		mov	ecx, [ebx+4]
		shr	eax, 9
		or	ecx, 80000000h
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	ecx, eax
		ja	short loc_465408
		cmp	ecx, 0C0000000h
		jb	short loc_465408
		test	byte ptr [ebx+17h], 20h
		jz	short loc_465408

loc_4653ED:				; CODE XREF: MiProbeLockFrame(x)+16Ej
		push	8
		mov	edx, esi
		mov	byte ptr [esp+2Ch+var_1A+1], 1
		mov	ecx, offset _MiSystemPartition
		call	MiChargeCommit
		test	eax, eax
		jz	loc_465689

loc_465408:				; CODE XREF: MiProbeLockFrame(x)+18Dj
					; MiProbeLockFrame(x)+195j ...
		mov	eax, large fs:20h
		mov	edx, [eax+3D30h]
		lea	esi, [eax+3D30h]
		cmp	edx, 1
		jb	short loc_46543D
		nop

loc_465420:				; CODE XREF: MiProbeLockFrame(x)+1EBj
		cmp	edx, 0FFFFFFFFh
		jz	short loc_46543D
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	loc_46556A
		mov	edx, eax
		cmp	eax, 1
		jnb	short loc_465420

loc_46543D:				; CODE XREF: MiProbeLockFrame(x)+1CDj
					; MiProbeLockFrame(x)+1D3j
		push	0
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiChargePartitionResidentAvailable
		mov	esi, eax
		test	esi, esi
		jnz	short loc_46546F
		cmp	byte ptr [esp+28h+var_1A+1], al
		jz	short loc_465467
		lea	edx, [eax+1]
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit

loc_465467:				; CODE XREF: MiProbeLockFrame(x)+208j
		test	esi, esi
		jz	loc_465689

loc_46546F:				; CODE XREF: MiProbeLockFrame(x)+11Fj
					; MiProbeLockFrame(x)+13Cj ...
		inc	word ptr [ebx+14h]
		test	esi, esi
		jz	loc_465689
		test	dword ptr [ebx+10h], 3FFFFFFFh
		lea	edi, [ebx+10h]
		mov	[esp+28h+var_10], edi
		jnz	short loc_4654AD
		mov	ecx, [ebx+8]
		mov	eax, ecx
		mov	edx, [ebx+0Ch]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_4654AD
		shrd	ecx, edx, 2
		test	cl, 1
		jz	short loc_4654AD
		mov	byte_6D4FB7, 1

loc_4654AD:				; CODE XREF: MiProbeLockFrame(x)+239j
					; MiProbeLockFrame(x)+24Bj ...
		mov	al, [ebx+16h]
		test	al, 20h
		jz	short loc_4654F4
		test	al, 8
		jnz	short loc_4654F4
		test	dword ptr [edi], 3FFFFFFFh
		jnz	short loc_4654F4
		mov	edi, [ebx]
		add	edi, 90h

loc_4654C8:				; CODE XREF: MiProbeLockFrame(x)+294j
					; MiProbeLockFrame(x)+29Aj
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[esp+28h+var_14], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_4654C8
		cmp	edx, [esp+28h+var_14]
		jnz	short loc_4654C8
		mov	edi, [esp+28h+var_10]
		mov	ebx, [esp+28h+var_1A+2]

loc_4654F4:				; CODE XREF: MiProbeLockFrame(x)+262j
					; MiProbeLockFrame(x)+266j ...
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, byte ptr [esp+28h+var_1A]
		cmp	cl, 21h
		jz	short loc_46550B
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_46550B:				; CODE XREF: MiProbeLockFrame(x)+2B3j
		mov	esi, [esp+28h+var_C]
		mov	eax, [esi+28h]
		and	al, 0Fh
		cmp	al, 1
		jnz	loc_4655ED
		mov	edx, [ebx+18h]
		test	edx, 800000h
		jnz	loc_4655ED
		mov	eax, edx
		and	eax, 70000000h
		cmp	eax, 10000000h
		jz	loc_4655ED
		and	edx, offset loc_7FFFFF
		cmp	edx, 7FFFFDh
		jz	loc_4655ED
		cmp	[esi+50h], edx
		jz	loc_4655ED
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_465574
		mov	edx, 1
		jmp	short loc_46558A
; 

loc_46556A:				; CODE XREF: MiProbeLockFrame(x)+1E0j
		mov	esi, 1
		jmp	loc_46546F
; 

loc_465574:				; CODE XREF: MiProbeLockFrame(x)+311j
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	edx, 2
		lea	ecx, [eax+ecx*4]

loc_46558A:				; CODE XREF: MiProbeLockFrame(x)+318j
		call	_MiLockPageTablePage@8 ; MiLockPageTablePage(x,x)
		test	eax, eax
		jnz	short loc_4655D6
		mov	[esp+28h+var_8], eax
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_4655B5
		mov	edi, edi

loc_4655A0:				; CODE XREF: MiProbeLockFrame(x)+35Cj
					; MiProbeLockFrame(x)+363j
		lea	ecx, [esp+28h+var_8]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_4655A0
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4655A0

loc_4655B5:				; CODE XREF: MiProbeLockFrame(x)+34Cj
		mov	ecx, ebx
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		inc	dword_6D30B8
		mov	eax, 0C00000A1h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4655D6:				; CODE XREF: MiProbeLockFrame(x)+341j
		mov	eax, [ebx+18h]
		mov	ecx, 100h
		and	eax, offset loc_7FFFFF
		mov	[esi+50h], eax
		mov	eax, [esi+24h]
		or	[eax+6], cx

loc_4655ED:				; CODE XREF: MiProbeLockFrame(x)+2C6j
					; MiProbeLockFrame(x)+2D5j ...
		mov	eax, [esi+24h]
		test	byte ptr [eax+6], 80h
		jz	loc_465743
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_465743
		mov	edx, [ebx+8]
		mov	eax, edx
		mov	ecx, [ebx+0Ch]
		and	eax, 400h
		or	eax, 0
		jz	loc_465743
		mov	esi, dword_6D0700
		mov	eax, esi
		mov	edi, dword_6D0704
		or	eax, edi
		jz	short loc_465645
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_465641
		not	edi
		and	ecx, edi
		jmp	short loc_465645
; 

loc_465641:				; CODE XREF: MiProbeLockFrame(x)+3E9j
		mov	[esp+28h+var_8], edx

loc_465645:				; CODE XREF: MiProbeLockFrame(x)+3DFj
					; MiProbeLockFrame(x)+3EFj
		mov	eax, [ecx]
		add	eax, 40h
		mov	[esp+28h+var_1A+2], eax
		mov	edi, edi

loc_465650:				; CODE XREF: MiProbeLockFrame(x)+42Aj
					; MiProbeLockFrame(x)+42Ej
		mov	esi, [eax]
		mov	ebx, esi
		mov	edi, [eax+4]
		add	ebx, 1
		mov	ecx, edi
		mov	[esp+28h+var_8], edi
		adc	ecx, 0
		mov	eax, esi
		mov	edx, edi
		nop
		mov	edi, [esp+28h+var_1A+2]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [esp+28h+var_8]
		cmp	eax, esi
		mov	eax, [esp+28h+var_1A+2]
		jnz	short loc_465650
		cmp	edx, edi
		jnz	short loc_465650
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_465689:				; CODE XREF: MiProbeLockFrame(x)+10Dj
					; MiProbeLockFrame(x)+1B2j ...
		mov	ecx, 7FFFFFFFh
		lea	eax, [ebx+10h]
		lock and [eax],	ecx
		mov	cl, byte ptr [esp+28h+var_1A]
		cmp	cl, 21h
		jz	short loc_4656A3
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4656A3:				; CODE XREF: MiProbeLockFrame(x)+44Bj
		inc	dword_6D30B4
		mov	eax, 0C00000A1h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4656B5:				; CODE XREF: MiProbeLockFrame(x)+F2j
					; MiProbeLockFrame(x)+FFj
		mov	edx, 7FFFFFFFh
		lea	eax, [ebx+10h]
		lock and [eax],	edx
		cmp	cl, 21h
		jz	short loc_4656CB
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4656CB:				; CODE XREF: MiProbeLockFrame(x)+473j
		inc	dword_6D30B0
		mov	eax, 0C0000005h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4656DD:				; CODE XREF: MiProbeLockFrame(x)+1Dj
					; MiProbeLockFrame(x)+38j
		cmp	dword ptr [esi+34h], 0
		jz	short loc_465713
		mov	ecx, [esi]
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		test	eax, eax
		jz	short loc_465701
		mov	ecx, [eax+1Ch]
		mov	eax, ecx
		and	al, 70h
		cmp	al, 40h
		jz	short loc_465713
		and	cl, 70h
		cmp	cl, 10h
		jz	short loc_465713

loc_465701:				; CODE XREF: MiProbeLockFrame(x)+49Cj
		inc	dword_6D30BC
		mov	eax, 0C0000005h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_465713:				; CODE XREF: MiProbeLockFrame(x)+491j
					; MiProbeLockFrame(x)+4A7j ...
		mov	edx, [esi+4Ch]
		push	ecx
		push	0
		push	0
		push	0
		push	1
		xor	ecx, ecx
		call	MiReferenceIoPages
		test	eax, eax
		jns	short loc_465737
		inc	dword_6D30C0
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_465737:				; CODE XREF: MiProbeLockFrame(x)+4D8j
		mov	eax, [esi+24h]
		mov	ecx, 800h
		or	[eax+6], cx

loc_465743:				; CODE XREF: MiProbeLockFrame(x)+3A4j
					; MiProbeLockFrame(x)+3B3j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiProbeLockFrame@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiProbeLeafPteAccess(x, x)
_MiProbeLeafPteAccess@8	proc near	; CODE XREF: .text:00464D98p
					; MiProbeLeafFrame+31p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, edx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_18], eax
		push	esi
		mov	dword ptr [eax], 0
		push	edi
		mov	eax, [ebx]
		mov	esi, [ebx+18h]
		mov	ecx, [ebx+28h]
		mov	edx, [ebx+1Ch]
		and	ecx, 0Fh
		mov	[ebp+var_8], eax
		mov	eax, [ebx+38h]
		mov	[ebp+var_C], eax
		mov	eax, esi
		and	eax, 4
		mov	[ebp+var_10], ecx
		or	eax, 0
		mov	[ebp+var_4], esi
		mov	[ebp+var_14], edx
		jnz	short loc_4657A9
		cmp	ecx, 1
		jnz	short loc_4657A9
		inc	dword_6D30AC

loc_46579D:				; CODE XREF: MiProbeLeafPteAccess(x,x)+1DCj
					; MiProbeLeafPteAccess(x,x)+512j
		mov	eax, 0C0000005h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4657A9:				; CODE XREF: MiProbeLeafPteAccess(x,x)+40j
					; MiProbeLeafPteAccess(x,x)+45j
		nop
		mov	eax, edx
		shrd	esi, eax, 0Ch
		and	esi, 1FFFFFFh
		cmp	esi, dword_6D07B0
		ja	loc_4658EF
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_4658EF
		mov	edx, ds:_MmPfnDatabase
		lea	eax, ds:0[esi*8]
		sub	eax, esi
		mov	esi, dword_6D3580
		lea	edi, [edx+eax*4]
		test	esi, esi
		jz	short loc_465844
		mov	eax, [edi+18h]
		and	eax, 70000000h
		cmp	eax, 10000000h
		jnz	short loc_465844
		mov	ecx, edi
		mov	eax, 92492493h
		sub	ecx, edx
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	[ebp+var_1C], eax
		test	esi, esi
		jz	short loc_465844

loc_465828:				; CODE XREF: MiProbeLeafPteAccess(x,x)+F2j
		mov	ecx, [esi+0Ch]
		cmp	eax, ecx
		jb	short loc_46583E
		sub	eax, ecx
		cmp	eax, [esi+10h]
		jb	short loc_46587D
		mov	esi, [esi+4]
		mov	eax, [ebp+var_1C]
		jmp	short loc_465840
; 

loc_46583E:				; CODE XREF: MiProbeLeafPteAccess(x,x)+DDj
		mov	esi, [esi]

loc_465840:				; CODE XREF: MiProbeLeafPteAccess(x,x)+ECj
		test	esi, esi
		jnz	short loc_465828

loc_465844:				; CODE XREF: MiProbeLeafPteAccess(x,x)+A9j
					; MiProbeLeafPteAccess(x,x)+B8j ...
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_4658F1
		mov	ecx, [edi+18h]
		test	ecx, 800000h
		jz	short loc_46588F
		mov	[ebp+var_1C], eax
		lea	edx, [ebp+var_1C]
		mov	[ebp+var_20], eax
		mov	ecx, edi
		lea	eax, [ebp+var_20]
		push	eax
		call	_MiGetPfnPageSizeIndexUnsynchronized@12	; MiGetPfnPageSizeIndexUnsynchronized(x,x,x)
		cmp	eax, 2
		jz	short loc_4658DD
		cmp	[ebp+var_1C], 6
		jmp	short loc_4658DB
; 

loc_46587D:				; CODE XREF: MiProbeLeafPteAccess(x,x)+E4j
		inc	dword_6D30DC
		mov	eax, 0C0000005h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_46588F:				; CODE XREF: MiProbeLeafPteAccess(x,x)+10Cj
		mov	eax, [edi+4]
		shl	eax, 9
		add	eax, 40000000h
		cmp	eax, offset loc_7FFFFF
		ja	short loc_4658F1
		and	ecx, offset loc_7FFFFF
		cmp	ecx, 7FFFFDh
		jz	short loc_4658F1
		mov	al, [edi+16h]
		test	al, 20h
		jz	short loc_4658C6
		test	dword ptr [edi+10h], 3FFFFFFFh
		jnz	short loc_4658C6
		cmp	word ptr [edi+14h], 0
		jnz	short loc_4658F1

loc_4658C6:				; CODE XREF: MiProbeLeafPteAccess(x,x)+164j
					; MiProbeLeafPteAccess(x,x)+16Dj
		test	al, 8
		jnz	short loc_4658F1
		mov	eax, [edi]
		shr	eax, 1
		and	eax, 0FFFFFFF8h
		or	eax, 80000000h
		cmp	eax, 80000018h

loc_4658DB:				; CODE XREF: MiProbeLeafPteAccess(x,x)+12Bj
		jz	short loc_4658F1

loc_4658DD:				; CODE XREF: MiProbeLeafPteAccess(x,x)+125j
		inc	dword_6D30D8
		mov	eax, 0C0000005h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4658EF:				; CODE XREF: MiProbeLeafPteAccess(x,x)+6Cj
					; MiProbeLeafPteAccess(x,x)+89j
		xor	edi, edi

loc_4658F1:				; CODE XREF: MiProbeLeafPteAccess(x,x)+FDj
					; MiProbeLeafPteAccess(x,x)+14Fj ...
		mov	esi, [ebp+var_8]
		xor	edx, edx
		cmp	esi, dword_6D07D0
		jnb	short loc_465902
		xor	eax, eax
		jmp	short loc_46590E
; 

loc_465902:				; CODE XREF: MiProbeLeafPteAccess(x,x)+1ACj
		mov	eax, esi
		shr	eax, 15h
		movzx	eax, byte ptr dword_6D3994[eax]

loc_46590E:				; CODE XREF: MiProbeLeafPteAccess(x,x)+1B0j
		mov	ecx, [ebp+var_10]
		cmp	ecx, 6
		jnz	short loc_46591E
		cmp	eax, 0Ch
		jnz	short loc_46591E
		lea	edx, [ecx-5]

loc_46591E:				; CODE XREF: MiProbeLeafPteAccess(x,x)+1C4j
					; MiProbeLeafPteAccess(x,x)+1C9j
		mov	eax, [ebp+var_C]
		cmp	eax, 3
		jnz	short loc_465964
		cmp	esi, ds:_MmHighestUserAddress
		ja	loc_46579D
		mov	ecx, [ebp+var_14]
		xor	eax, eax
		mov	esi, [ebp+var_4]
		and	ecx, 80000000h
		or	eax, ecx
		jz	loc_465A32
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jz	loc_465A32
		mov	eax, 0C0000018h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_465964:				; CODE XREF: MiProbeLeafPteAccess(x,x)+1D4j
		test	eax, eax
		jnz	loc_465A2D
		test	edx, edx
		jz	loc_465B12
		test	edi, edi
		jz	loc_465CC3
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_465B12
		call	_MiCanPageMove@4 ; MiCanPageMove(x)
		cmp	eax, 1
		jnz	loc_465B12
		mov	eax, [edi+0Ch]
		mov	ecx, [edi+8]
		mov	[ebp+var_10], eax
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jz	short loc_4659E2
		mov	edx, dword_6D0700
		mov	eax, edx
		mov	esi, dword_6D0704
		or	eax, esi
		jz	short loc_4659D3
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		mov	eax, [ebp+var_10]
		jnz	short loc_4659D6
		not	esi
		and	eax, esi
		jmp	short loc_4659D6
; 

loc_4659D3:				; CODE XREF: MiProbeLeafPteAccess(x,x)+26Ej
		mov	eax, [ebp+var_10]

loc_4659D6:				; CODE XREF: MiProbeLeafPteAccess(x,x)+27Bj
					; MiProbeLeafPteAccess(x,x)+281j
		mov	eax, [eax]
		test	byte ptr [eax+1Ch], 20h
		jz	loc_465B12

loc_4659E2:				; CODE XREF: MiProbeLeafPteAccess(x,x)+25Cj
		mov	ecx, [ebx+8]
		mov	edx, 2
		shl	ecx, 9
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_465B12
		mov	ecx, ebx
		call	_MiUnlockProbePacketWorkingSet@4 ; MiUnlockProbePacketWorkingSet(x)
		mov	edx, [ebx+8]
		mov	ecx, esi
		call	_MiSplitDriverPage@8 ; MiSplitDriverPage(x,x)
		mov	ecx, ebx
		mov	esi, eax
		call	_MiLockProbePacketWorkingSet@4 ; MiLockProbePacketWorkingSet(x)
		test	esi, esi
		jns	loc_465CBA
		inc	dword_6D30D4
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_465A2D:				; CODE XREF: MiProbeLeafPteAccess(x,x)+216j
		mov	esi, [ebp+var_4]
		jmp	short loc_465A35
; 

loc_465A32:				; CODE XREF: MiProbeLeafPteAccess(x,x)+1F2j
					; MiProbeLeafPteAccess(x,x)+202j
		mov	ecx, [ebp+var_10]

loc_465A35:				; CODE XREF: MiProbeLeafPteAccess(x,x)+2E0j
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jnz	short loc_465AAF
		cmp	[ebp+var_C], 3
		jz	short loc_465A62
		cmp	ecx, 6
		jnz	short loc_465A50
		test	edx, edx
		jnz	short loc_465A62

loc_465A50:				; CODE XREF: MiProbeLeafPteAccess(x,x)+2FAj
		mov	eax, [ebp+var_18]
		mov	dword ptr [eax], 2
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_465A62:				; CODE XREF: MiProbeLeafPteAccess(x,x)+2F5j
					; MiProbeLeafPteAccess(x,x)+2FEj
		test	edi, edi
		jz	loc_465BBB
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_465BBB
		test	ds:_MiFlags, 8000h
		jz	loc_465CC3
		mov	eax, [edi+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jnz	loc_465CC3
		mov	edx, 8
		call	MiClearPfnImageVerified
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_465AAF:				; CODE XREF: MiProbeLeafPteAccess(x,x)+2EFj
		mov	eax, esi
		and	eax, 42h
		or	eax, 0
		jnz	short loc_465B15
		cmp	ecx, 1
		jnz	short loc_465B15
		mov	eax, [ebx+34h]
		test	dword ptr [eax+0FCh], 8000h
		jnz	short loc_465ADD
		push	[ebp+var_14]
		mov	ecx, [ebp+var_8]
		push	esi
		call	_MiOkToSetPteDirtyForNotValidFault@12 ;	MiOkToSetPteDirtyForNotValidFault(x,x,x)
		test	eax, eax
		jnz	short loc_465B15

loc_465ADD:				; CODE XREF: MiProbeLeafPteAccess(x,x)+37Bj
		mov	ecx, ebx
		call	_MiUnlockProbePacketWorkingSet@4 ; MiUnlockProbePacketWorkingSet(x)
		push	0
		push	0
		push	[ebp+var_8]
		push	2
		call	MmAccessFault
		mov	ecx, ebx
		mov	esi, eax
		call	_MiLockProbePacketWorkingSet@4 ; MiLockProbePacketWorkingSet(x)
		test	esi, esi
		jns	loc_465CBA
		inc	dword_6D30A4
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_465B12:				; CODE XREF: MiProbeLeafPteAccess(x,x)+21Ej
					; MiProbeLeafPteAccess(x,x)+235j ...
		mov	esi, [ebp+var_4]

loc_465B15:				; CODE XREF: MiProbeLeafPteAccess(x,x)+367j
					; MiProbeLeafPteAccess(x,x)+36Cj ...
		test	edi, edi
		jz	loc_465CC3
		mov	al, [edi+16h]
		test	al, 20h
		jz	short loc_465B35
		test	al, 8
		jnz	short loc_465B35
		test	dword ptr [edi+10h], 3FFFFFFFh
		jz	loc_465CC3

loc_465B35:				; CODE XREF: MiProbeLeafPteAccess(x,x)+3D2j
					; MiProbeLeafPteAccess(x,x)+3D6j
		mov	ecx, [edi+18h]
		mov	eax, ecx
		and	eax, 70000000h
		cmp	eax, 10000000h
		jz	short loc_465B57
		test	ecx, 800000h
		jnz	short loc_465B57
		mov	eax, [edi+4]
		test	eax, eax
		js	short loc_465B57
		jnz	short loc_465BBB

loc_465B57:				; CODE XREF: MiProbeLeafPteAccess(x,x)+3F4j
					; MiProbeLeafPteAccess(x,x)+3FCj ...
		cmp	[ebp+var_C], 0
		jnz	loc_465CC3
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_465CC3
		mov	ecx, [ebx+34h]
		test	ecx, ecx
		jz	loc_465CC3
		test	byte ptr [ebx+28h], 10h
		jz	loc_465CC3
		mov	edx, [edi+4]
		or	edx, 80000000h
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_465CC3
		mov	eax, [ecx+24Ch]
		mov	ecx, [eax+8Ch]
		cmp	ecx, [edx+2Ch]
		jb	short loc_465BBB
		ja	short loc_465C1F
		mov	eax, [eax+88h]
		cmp	eax, [edx+28h]
		ja	short loc_465C1F

loc_465BBB:				; CODE XREF: MiProbeLeafPteAccess(x,x)+314j
					; MiProbeLeafPteAccess(x,x)+323j ...
		cmp	[ebp+var_C], 3
		jnz	loc_465C72
		mov	ecx, [ebp+var_14]
		xor	eax, eax
		and	ecx, 80000000h
		or	eax, ecx
		jz	short loc_465BE0
		mov	eax, 0C0000045h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_465BE0:				; CODE XREF: MiProbeLeafPteAccess(x,x)+482j
		mov	ecx, [ebx+34h]
		test	ecx, ecx
		jz	short loc_465C3B
		test	byte ptr [ebx+28h], 10h
		jz	short loc_465C3B
		mov	edx, [edi+4]
		or	edx, 80000000h
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_465C3B
		mov	eax, [ecx+24Ch]
		mov	ecx, [eax+8Ch]
		cmp	ecx, [edx+2Ch]
		jb	short loc_465C72
		ja	short loc_465C1F
		mov	eax, [eax+88h]
		cmp	eax, [edx+28h]
		jbe	short loc_465C72

loc_465C1F:				; CODE XREF: MiProbeLeafPteAccess(x,x)+45Ej
					; MiProbeLeafPteAccess(x,x)+469j ...
		mov	ecx, ebx
		call	_MiSplitReducedCommitClonePage@4 ; MiSplitReducedCommitClonePage(x)
		test	eax, eax
		jns	loc_465CBA
		inc	dword_6D30D0
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_465C3B:				; CODE XREF: MiProbeLeafPteAccess(x,x)+495j
					; MiProbeLeafPteAccess(x,x)+49Bj ...
		and	esi, 200h
		or	esi, 0
		jnz	short loc_465C72
		test	dword ptr [edi+18h], 800000h
		jnz	short loc_465C58
		mov	eax, [edi+4]
		test	eax, eax
		js	short loc_465C58
		jnz	short loc_465C72

loc_465C58:				; CODE XREF: MiProbeLeafPteAccess(x,x)+4FDj
					; MiProbeLeafPteAccess(x,x)+504j
		mov	ecx, [ebp+var_8]
		call	_MiProcessCommitIntact@4 ; MiProcessCommitIntact(x)
		test	eax, eax
		jz	loc_46579D
		inc	dword ptr [ebx+40h]
		mov	edi, 1
		jmp	short loc_465C74
; 

loc_465C72:				; CODE XREF: MiProbeLeafPteAccess(x,x)+46Fj
					; MiProbeLeafPteAccess(x,x)+4C0j ...
		xor	edi, edi

loc_465C74:				; CODE XREF: MiProbeLeafPteAccess(x,x)+520j
		mov	edx, [ebx+8]
		mov	ecx, [ebp+var_8]
		push	0
		push	0FFFFFFFFh
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_465CBA
		test	edi, edi
		jz	short loc_465C90
		dec	dword ptr [ebx+40h]

loc_465C90:				; CODE XREF: MiProbeLeafPteAccess(x,x)+53Bj
		cmp	byte ptr [ebx+2Ch], 2
		jz	short loc_465CCC
		mov	eax, [ebx+30h]
		test	byte ptr [eax+300h], 0Ch
		jnz	short loc_465CCC
		mov	ecx, ebx
		call	_MiUnlockProbePacketWorkingSet@4 ; MiUnlockProbePacketWorkingSet(x)
		mov	ecx, [ebx+3Ch]
		mov	edx, esi
		call	MiCopyOnWriteCheckConditions
		mov	ecx, ebx
		call	_MiLockProbePacketWorkingSet@4 ; MiLockProbePacketWorkingSet(x)

loc_465CBA:				; CODE XREF: MiProbeLeafPteAccess(x,x)+2C8j
					; MiProbeLeafPteAccess(x,x)+3ADj ...
		mov	eax, [ebp+var_18]
		mov	dword ptr [eax], 1

loc_465CC3:				; CODE XREF: MiProbeLeafPteAccess(x,x)+226j
					; MiProbeLeafPteAccess(x,x)+333j ...
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_465CCC:				; CODE XREF: MiProbeLeafPteAccess(x,x)+544j
					; MiProbeLeafPteAccess(x,x)+550j
		inc	dword_6D30D4
		mov	eax, 0C0000017h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiProbeLeafPteAccess@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetPageTableLockBuffer proc near	; CODE XREF: MiIsCfgBitMapPageShared(x,x)+234p
					; MiCountSharedPages(x,x,x)+398p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B1B33 SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		lea	eax, [ebx+3FA00000h]
		sar	eax, 3
		mov	cl, [edi+60h]
		add	eax, eax
		mov	esi, eax
		and	cl, 7
		and	esi, 1Fh
		cmp	cl, 2
		jnb	short loc_465D26
		shr	eax, 5
		test	cl, cl
		jnz	short loc_465D54
		mov	ecx, [edi+0Ch]
		add	ecx, 0D90h
		lea	eax, [ecx+eax*4]

loc_465D1A:				; CODE XREF: MiGetPageTableLockBuffer+7Aj
		mov	ecx, [ebp+arg_0]
		mov	[ecx], esi

loc_465D1F:				; CODE XREF: MiGetPageTableLockBuffer+14BE8Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_465D26:				; CODE XREF: MiGetPageTableLockBuffer+25j
		cmp	ebx, 0C0603018h
		jz	loc_5B1B43
		cmp	ebx, 0C0603010h
		jz	loc_5B1B33

loc_465D3E:				; CODE XREF: MiGetPageTableLockBuffer+14BE5Dj
					; MiGetPageTableLockBuffer+14BE72j
		mov	ecx, [ebp+arg_0]
		shr	eax, 5
		pop	edi
		mov	[ecx], esi
		pop	esi
		lea	eax, unk_6D2C54[eax*4]
		pop	ebx
		pop	ebp
		retn	4
; 

loc_465D54:				; CODE XREF: MiGetPageTableLockBuffer+2Cj
		add	eax, 48h
		lea	eax, [edi+eax*4]
		jmp	short loc_465D1A
MiGetPageTableLockBuffer endp

; 
		align 10h

; __stdcall MiValidFault(x, x, x)
_MiValidFault@12:			; CODE XREF: .text:00467D18p
		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFC0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+4], ebp
		mov	ebp, esp
		sub	esp, 0B4h
		mov	eax, [ebx+0Ch]
		mov	[ebp-8Ch], eax
		mov	[ebp-8Ch], eax
		mov	[ebp-8Ch], eax
		mov	[ebp-8Ch], eax
		push	esi
		mov	esi, [ebx+8]
		mov	[ebp-20h], eax
		push	edi
		mov	edi, ecx
		mov	[ebp-80h], esi
		mov	[ebp-84h], edi
		mov	dword ptr [ebp-90h], 0
		mov	dword ptr [ebp-8Ch], 0
		mov	eax, [edi+4]
		mov	edx, [edi]
		mov	ecx, [edi+8]
		mov	[ebp-10h], eax
		mov	eax, edx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp-14h], ecx
		sub	eax, 40000000h
		mov	[ebp-0Ch], edx
		mov	[ebp-4], eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp-8], eax
		mov	eax, ecx
		and	eax, 1
		and	ecx, 0FFFFFFFEh
		mov	[ebp-18h], eax
		mov	[ebp-1Ch], ecx
		test	eax, eax
		jz	short loc_465E2F
		mov	al, [ecx]
		cmp	al, 1
		jnz	short loc_465E1E
		push	0
		call	MiUpdatePrefetchPriority
		xor	eax, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_465E1E:				; CODE XREF: .text:00465E08j
		cmp	al, 3
		jnz	short loc_465E32
		xor	eax, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_465E2F:				; CODE XREF: .text:00465E02j
		mov	[ebp-1Ch], ecx

loc_465E32:				; CODE XREF: .text:00465E20j
		lea	eax, [edx+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_465E94
		mov	eax, esi
		and	eax, 80h
		or	eax, 0
		jz	short loc_465E94
		mov	eax, [ebp-18h]
		test	eax, eax
		jz	short loc_465E7D
		cmp	byte ptr [ecx],	1
		jz	loc_4661DC
		test	eax, eax
		jz	short loc_465E7D
		cmp	byte ptr [ecx],	3
		jz	loc_4661DC
		test	eax, eax
		jz	short loc_465E7D
		cmp	byte ptr [ecx],	6
		jz	loc_4661DC
		test	eax, eax
		jnz	loc_4662BB

loc_465E7D:				; CODE XREF: .text:00465E50j
					; .text:00465E5Dj ...
		mov	ecx, [ebp-14h]
		xor	edx, edx
		call	@KeInvalidAccessAllowed@8 ; KeInvalidAccessAllowed(x,x)
		cmp	al, 1
		jnz	loc_4662B6
		jmp	loc_4661DC
; 

loc_465E94:				; CODE XREF: .text:00465E3Dj
					; .text:00465E49j
		mov	ecx, [ebp-80h]
		xor	esi, esi
		mov	eax, ecx
		and	eax, 4
		or	eax, esi
		jnz	short loc_465EAE
		cmp	edx, ds:_MmHighestUserAddress
		jbe	loc_4661DC

loc_465EAE:				; CODE XREF: .text:00465EA0j
		mov	eax, [ebp-10h]
		mov	[ebp-10h], eax
		and	dword ptr [ebp-10h], 2
		jz	loc_465FC4
		mov	eax, ecx
		and	eax, 200h
		or	eax, 0
		jz	short loc_465F1D
		mov	edx, [ebp-4]
		mov	ecx, [ebp-0Ch]
		push	0
		push	0FFFFFFFFh
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_465F13
		cmp	esi, 0C0000017h
		jnz	short loc_465EF6
		or	dword ptr [edi+24h], 2
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_465EF6:				; CODE XREF: .text:00465EE5j
		cmp	esi, 0C0000434h
		jnz	loc_4662A9
		or	dword ptr [edi+24h], 4
		mov	eax, esi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_465F13:				; CODE XREF: .text:00465EDDj
		mov	esi, 112h
		jmp	loc_46628E
; 

loc_465F1D:				; CODE XREF: .text:00465EC8j
		mov	eax, ecx
		and	eax, 800h
		or	eax, 0
		jz	loc_4661DC
		cmp	[ebp-20h], esi
		jl	loc_466090
		jg	short loc_465F40
		test	ecx, ecx
		jb	loc_466090

loc_465F40:				; CODE XREF: .text:00465F36j
		mov	ecx, [ebx+8]
		mov	eax, ecx
		and	eax, 42h
		or	eax, 0
		jnz	loc_466093
		mov	eax, [ebp-8]
		test	byte ptr [eax+0FCh], 10h
		jz	loc_466093
		cmp	edx, dword_6D07D0
		jnb	loc_466093
		mov	eax, large fs:124h
		test	byte ptr [edi+24h], 40h
		jz	short loc_465F98
		test	byte ptr [eax+305h], 10h
		jnz	loc_466090
		mov	esi, 0C0000723h
		mov	eax, esi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_465F98:				; CODE XREF: .text:00465F77j
		test	byte ptr [eax+305h], 20h
		jnz	loc_466090
		push	dword ptr [ebx+0Ch]
		mov	edx, [ebp-8]
		mov	ecx, edi
		push	dword ptr [ebx+8]
		call	_MiKernelWriteToExecutableMemory@16 ; MiKernelWriteToExecutableMemory(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_4662A9
		jmp	loc_466090
; 

loc_465FC4:				; CODE XREF: .text:00465EB8j
		test	al, 10h
		jz	loc_466090
		cmp	[ebp-20h], esi
		jg	loc_466078
		jl	short loc_465FDF
		test	ecx, ecx
		jnb	loc_466078

loc_465FDF:				; CODE XREF: .text:00465FD5j
		mov	ecx, [ebp-8]
		call	_MiCanGrantExecute@8 ; MiCanGrantExecute(x,x)
		cmp	eax, 1
		jnz	loc_4661DC
		mov	ecx, [ebx+8]
		mov	[ebp-24h], ecx
		nop
		mov	eax, [ebx+0Ch]
		mov	[ebp-80h], eax
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		cmp	ecx, dword_6D07B0
		ja	loc_4661DC
		mov	eax, dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_4661DC
		mov	ecx, [ebp-80h]
		mov	eax, [ebp-24h]
		and	ecx, 7FFFFFFFh
		test	ds:_MiFlags, 300h
		mov	[ebx+8], eax
		mov	[ebx+0Ch], ecx
		jz	short loc_466055
		or	eax, 20h
		mov	[ebx+0Ch], ecx
		mov	[ebx+8], eax

loc_466055:				; CODE XREF: .text:0046604Aj
		nop
		mov	edx, [ebp-4]
		mov	[edx], eax
		mov	[edx+4], ecx
		test	ds:_MiFlags, 300h
		jnz	loc_466291
		mov	edx, 1
		jmp	loc_466284
; 

loc_466078:				; CODE XREF: .text:00465FCFj
					; .text:00465FD9j
		test	byte ptr [edi+24h], 40h
		jnz	short loc_466090
		push	dword ptr [ebx+0Ch]
		mov	edx, 5
		mov	ecx, edi
		push	dword ptr [ebx+8]
		call	MiCheckSystemNxFault

loc_466090:				; CODE XREF: .text:00465F30j
					; .text:00465F3Aj ...
		mov	ecx, [ebx+8]

loc_466093:				; CODE XREF: .text:00465F4Bj
					; .text:00465F5Bj ...
		cmp	dword ptr [ebp-10h], 0
		jz	loc_4661D6
		nop
		mov	eax, [ebx+0Ch]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		mov	[ebp-80h], ecx
		cmp	ecx, dword_6D07B0
		ja	loc_466187
		mov	eax, dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_466187
		mov	eax, [ebp-80h]
		mov	dword ptr [ebp-90h], 0
		mov	dword ptr [ebp-8Ch], 0
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		mov	edx, [eax+ecx*4+8]
		lea	ecx, [eax+ecx*4]
		mov	[ebp-8], ecx
		nop
		mov	eax, [ecx+0Ch]
		mov	[ebp-10h], eax
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jnz	short loc_466169
		mov	eax, edx
		or	eax, [ebp-10h]
		jz	short loc_466146
		mov	eax, dword_6D0700
		mov	ecx, dword_6D0704
		mov	[ebp-80h], eax
		or	eax, ecx
		mov	[ebp-24h], ecx
		mov	ecx, [ebp-8]
		jz	short loc_466146
		mov	eax, [ebp-10h]
		mov	ecx, edx
		and	ecx, [ebp-80h]
		and	eax, [ebp-24h]
		or	ecx, eax
		jz	short loc_466169
		mov	ecx, [ebp-8]

loc_466146:				; CODE XREF: .text:0046611Aj
					; .text:00466132j
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_466169
		nop
		mov	eax, [ebp-10h]
		shrd	edx, eax, 2
		test	dl, 1
		jz	short loc_466169
		mov	edx, 1
		call	MiLockPageAndSetDirty

loc_466169:				; CODE XREF: .text:00466113j
					; .text:00466141j ...
		mov	ecx, [ebp-8]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_466187
		mov	eax, [ecx+8]
		and	eax, 400h
		or	eax, 0
		jz	short loc_466187
		call	_MiCheckAndUpdateIoAttribution@4 ; MiCheckAndUpdateIoAttribution(x)

loc_466187:				; CODE XREF: .text:004660B4j
					; .text:004660CFj ...
		mov	eax, [edi+4]
		mov	ecx, [ebx+8]
		mov	edx, ecx
		mov	[ebp-24h], eax
		mov	eax, [ebx+0Ch]
		mov	[ebp-8], eax
		mov	eax, edx
		and	eax, 20h
		mov	dword ptr [ebp-14h], 0
		or	eax, 0
		mov	dword ptr [ebp-80h], 0
		mov	[ebp-10h], edx
		jz	short loc_4661EE
		cmp	dword ptr [ebp-18h], 0
		jz	short loc_4661C1
		mov	eax, [ebp-1Ch]
		cmp	byte ptr [eax],	5
		jz	short loc_466201

loc_4661C1:				; CODE XREF: .text:004661B7j
		test	ds:_MiFlags, 300h
		jnz	short loc_466201
		mov	dword ptr [ebp-14h], 1
		jmp	short loc_466201
; 

loc_4661D6:				; CODE XREF: .text:00466097j
		test	byte ptr [edi+24h], 20h
		jz	short loc_466187

loc_4661DC:				; CODE XREF: .text:00465E55j
					; .text:00465E62j ...
		mov	esi, 0C0000005h
		mov	eax, esi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4661EE:				; CODE XREF: .text:004661B1j
		mov	eax, [ebx+0Ch]
		or	edx, 20h
		mov	[ebp-10h], edx
		mov	[ebp-8], eax
		mov	dword ptr [ebp-80h], 1

loc_466201:				; CODE XREF: .text:004661BFj
					; .text:004661CBj ...
		test	byte ptr [ebp-24h], 2
		jz	short loc_466236
		mov	eax, edx
		and	eax, 42h
		mov	[ebp-20h], eax
		or	eax, 0
		mov	eax, [ebp-20h]
		jz	short loc_46621C
		cmp	eax, 40h
		jnz	short loc_466236

loc_46621C:				; CODE XREF: .text:00466215j
		cmp	eax, 40h
		jnz	short loc_466228
		mov	dword ptr [ebp-14h], 1

loc_466228:				; CODE XREF: .text:0046621Fj
		mov	eax, [ebp-8]
		or	edx, 62h
		mov	[ebp-10h], edx
		mov	[ebp-8], eax
		jmp	short loc_46623C
; 

loc_466236:				; CODE XREF: .text:00466205j
					; .text:0046621Aj
		cmp	dword ptr [ebp-80h], 0
		jz	short loc_466262

loc_46623C:				; CODE XREF: .text:00466234j
		mov	edx, [ebx+0Ch]
		mov	eax, ecx
		nop
		mov	ecx, [ebp-8]
		mov	edi, [ebp-4]
		push	ebx
		mov	ebx, [ebp-10h]
		lock cmpxchg8b qword ptr [edi]
		pop	ebx
		nop
		mov	edi, [ebp-84h]
		cmp	eax, [ebx+8]
		jnz	short loc_46628E
		cmp	edx, [ebx+0Ch]
		jnz	short loc_46628E

loc_466262:				; CODE XREF: .text:0046623Aj
		cmp	dword ptr [ebp-14h], 0
		jz	short loc_46628E
		test	ds:_MiFlags, 300h
		jnz	short loc_46628E
		mov	ecx, [edi+14h]
		xor	eax, eax
		test	ecx, ecx
		jz	short loc_466282
		call	_MiTbFlushType@4 ; MiTbFlushType(x)

loc_466282:				; CODE XREF: .text:0046627Bj
		mov	edx, eax

loc_466284:				; CODE XREF: .text:00466073j
		mov	ecx, [ebp-0Ch]
		push	0
		call	KeFlushSingleTb

loc_46628E:				; CODE XREF: .text:00465F18j
					; .text:0046625Bj ...
		mov	edx, [ebp-4]

loc_466291:				; CODE XREF: .text:00466068j
		cmp	dword ptr [ebp-18h], 0
		jz	short loc_4662A9
		mov	eax, [ebp-1Ch]
		cmp	byte ptr [eax],	5
		jnz	short loc_4662A9
		push	edx
		mov	edx, eax
		mov	ecx, edi
		call	_MiValidVirtualizationFault@12 ; MiValidVirtualizationFault(x,x,x)

loc_4662A9:				; CODE XREF: .text:00465EFCj
					; .text:00465FB9j ...
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4662B6:				; CODE XREF: .text:00465E89j
		mov	edx, [ebp-0Ch]
		jmp	short loc_4662BE
; 

loc_4662BB:				; CODE XREF: .text:00465E77j
		mov	ecx, [ebp-14h]

loc_4662BE:				; CODE XREF: .text:004662B9j
		push	8
		push	ecx
		push	dword ptr [ebp-10h]
		push	edx
		push	50h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 0CCCCCCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInsertVad	proc near		; CODE XREF: MiDeleteVad(x,x,x)+1004p
					; MiInsertPrivateVad+1Cp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B1B73 SIZE 000000F3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_10], 0
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_8], esi
		push	edi
		mov	edi, ecx
		lea	ecx, [esi+240h]
		mov	[ebp+var_14], edi
		mov	[ebp+var_C], ecx
		mov	eax, [edi+0Ch]
		mov	ebx, [edi+10h]
		mov	[ebp+var_18], eax
		test	dl, 1
		jz	loc_5B1BA3
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		jz	loc_5B1B73
		lea	edi, [ecx+80h]

loc_46631D:				; CODE XREF: MiInsertVad+14B8A8j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1], al
		jnz	loc_5B1B7D
		xor	esi, esi
		lock bts dword ptr [edi], 1Fh
		jb	loc_4665B5

loc_466342:				; CODE XREF: MiInsertVad+2F0j
		mov	edx, [edi]
		mov	ecx, edx
		and	ecx, 0BFFFFFFFh
		cmp	ecx, 80000000h
		jnz	loc_466575

loc_466358:				; CODE XREF: MiInsertVad+2CCj
		mov	esi, [ebp+var_8]

loc_46635B:				; CODE XREF: MiInsertVad+14B8B6j
		mov	edx, [ebp+arg_0]
		mov	dword ptr [edi+4], 0
		mov	edi, [ebp+var_14]

loc_466368:				; CODE XREF: MiInsertVad+14B8D7j
		mov	eax, [esi+1CCh]
		inc	dword ptr [esi+358h]
		shr	eax, 0Ch
		mov	[esi+354h], edi
		cmp	ebx, eax
		ja	short loc_4663AA
		test	dl, 2
		jnz	short loc_4663AA
		sub	ebx, [ebp+var_18]
		shl	ebx, 0Ch
		add	ebx, 1000h
		add	[esi+11Ch], ebx
		mov	eax, [esi+11Ch]
		cmp	[esi+118h], eax
		jb	loc_466534

loc_4663AA:				; CODE XREF: MiInsertVad+AFj
					; MiInsertVad+B4j ...
		mov	eax, [esi+350h]
		add	esi, 350h
		mov	edx, [edi+0Ch]
		mov	byte ptr [ebp+arg_0], 0
		test	eax, eax
		jz	short loc_4663E6

loc_4663C1:				; CODE XREF: MiInsertVad+110j
		cmp	edx, [eax+10h]
		ja	short loc_4663CB
		cmp	edx, [eax+0Ch]
		jb	short loc_4663D8

loc_4663CB:				; CODE XREF: MiInsertVad+F4j
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_4663DE
		mov	byte ptr [ebp+arg_0], 1
		jmp	short loc_4663E6
; 

loc_4663D8:				; CODE XREF: MiInsertVad+F9j
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_4663E2

loc_4663DE:				; CODE XREF: MiInsertVad+100j
		mov	eax, ecx
		jmp	short loc_4663C1
; 

loc_4663E2:				; CODE XREF: MiInsertVad+10Cj
		mov	byte ptr [ebp+arg_0], 0

loc_4663E6:				; CODE XREF: MiInsertVad+EFj
					; MiInsertVad+106j
		push	edi
		push	[ebp+arg_0]
		push	eax
		push	esi
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		mov	ecx, [edi+1Ch]
		test	ecx, 100000h
		jnz	loc_46653F

loc_466400:				; CODE XREF: MiInsertVad+287j
		and	cl, 70h
		cmp	cl, 20h
		jz	loc_466562

loc_46640C:				; CODE XREF: MiInsertVad+29Aj
		mov	edx, [ebp+var_8]

loc_46640F:				; CODE XREF: MiInsertVad+14B8F3j
					; MiInsertVad+14B8FFj
		mov	ecx, [edi+1Ch]
		mov	eax, ecx
		and	al, 70h
		cmp	al, 10h
		jz	loc_4665D9

loc_46641E:				; CODE XREF: MiInsertVad+315j
		mov	eax, ecx
		and	eax, 70h
		cmp	al, 30h
		jz	loc_5B1BD4

loc_46642B:				; CODE XREF: MiInsertVad+14B910j
					; MiInsertVad+14B932j
		cmp	[ebp+var_1], 21h
		jz	loc_4664EF
		mov	edx, [ebp+var_C]
		xor	edi, edi
		xor	ebx, ebx
		mov	ecx, [edx+60h]
		mov	al, cl
		and	al, 7
		mov	[ebp+arg_0], ecx
		cmp	al, 2
		jz	loc_5B1C07
		lea	esi, [edx+80h]

loc_466454:				; CODE XREF: MiInsertVad+14B93Cj
		mov	dl, cl
		test	al, al
		jnz	short loc_466483
		mov	eax, [ebp+var_C]
		cmp	[eax+0Ch], ebx
		jz	short loc_466483
		mov	eax, large fs:124h
		mov	edi, [eax+80h]
		mov	eax, [edi+24Ch]
		cmp	[eax+94h], bx
		jnz	loc_4665C5
		xor	edi, edi

loc_466483:				; CODE XREF: MiInsertVad+188j
					; MiInsertVad+190j ...
		mov	ecx, large fs:124h
		test	dword ptr [ecx+2FCh], 400000h
		jnz	loc_5B1C11

loc_46649A:				; CODE XREF: MiInsertVad+14B946j
		test	dl, 7
		setz	cl
		test	ds:_MiFlags, 0C00000h
		setnz	al
		test	cl, al
		jz	short loc_4664BD
		mov	ecx, [ebp+var_C]
		cmp	byte ptr [ecx-1CCh], 1
		jnz	short loc_466503

loc_4664BD:				; CODE XREF: MiInsertVad+1DFj
					; MiInsertVad+23Dj ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5B1C1B
		mov	dword ptr [esi], 0

loc_4664D0:				; CODE XREF: MiInsertVad+14B955j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jnz	loc_5B1C2A

loc_4664E1:				; CODE XREF: MiInsertVad+14B96Aj
		test	ebx, ebx
		jnz	short loc_4664EF
		test	byte ptr [ebp+arg_0+3],	1Ch
		jnz	loc_5B1C3F

loc_4664EF:				; CODE XREF: MiInsertVad+15Fj
					; MiInsertVad+213j ...
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_5B1C57

loc_4664FA:				; CODE XREF: MiInsertVad+14B991j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_466503:				; CODE XREF: MiInsertVad+1EBj
		rdtsc
		and	eax, 3FF0h
		or	eax, 0
		jnz	short loc_4664BD
		cmp	[ecx+0C4h], eax
		jz	short loc_4664BD
		cmp	[ecx+0Ch], eax
		jz	short loc_4664BD
		cmp	[ecx+10h], eax
		jz	short loc_4664BD
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_4664BD
		lea	ecx, [eax+2]
		call	MiPaeCheckProcessShadow
		jmp	short loc_4664BD
; 

loc_466534:				; CODE XREF: MiInsertVad+D4j
		mov	[esi+118h], eax
		jmp	loc_4663AA
; 

loc_46653F:				; CODE XREF: MiInsertVad+12Aj
		test	ecx, 400000h
		jnz	loc_5B1BAF
		mov	eax, ecx
		and	eax, 0C0000h
		cmp	eax, 80000h
		jb	loc_466400
		jmp	loc_5B1BAF
; 

loc_466562:				; CODE XREF: MiInsertVad+136j
		mov	eax, [edi+28h]
		test	eax, 1000000h
		jz	loc_46640C
		jmp	loc_5B1BAC
; 

loc_466575:				; CODE XREF: MiInsertVad+82j
					; MiInsertVad+2CAj
		test	edx, 40000000h
		jz	short loc_4665A1

loc_46657D:				; CODE XREF: MiInsertVad+2E1j
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jz	loc_5B1B8B

loc_46658A:				; CODE XREF: MiInsertVad+14B8C2j
		pause

loc_46658C:				; CODE XREF: MiInsertVad+14B8CEj
		mov	eax, [edi]

loc_46658E:				; CODE XREF: MiInsertVad+2E3j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_466575
		jmp	loc_466358
; 

loc_4665A1:				; CODE XREF: MiInsertVad+2ABj
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_46657D
		jmp	short loc_46658E
; 

loc_4665B5:				; CODE XREF: MiInsertVad+6Cj
		mov	dl, al
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	esi, eax
		jmp	loc_466342
; 

loc_4665C5:				; CODE XREF: MiInsertVad+1ABj
		mov	ecx, edi
		call	_MiDeleteDeferredCloneDescriptors@4 ; MiDeleteDeferredCloneDescriptors(x)
		mov	edi, eax
		mov	eax, [ebp+var_C]
		mov	dl, [eax+60h]
		jmp	loc_466483
; 

loc_4665D9:				; CODE XREF: MiInsertVad+148j
		mov	eax, [edx+24Ch]
		inc	dword ptr [eax+74h]
		mov	ecx, [edi+1Ch]
		jmp	loc_46641E
MiInsertVad	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInPagePageTable proc near		; CODE XREF: .text:00467E1Fp

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B1C66 SIZE 000002DE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		lea	eax, [ebp+var_48]
		mov	[ebp+var_54], 0
		mov	ebx, edx
		mov	[ebp+var_64], 0
		mov	edi, ecx
		mov	[ebp+var_68], ebx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_7C], edi
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		mov	edx, [edi+8]
		mov	eax, [eax+80h]
		mov	[ebp+var_60], eax
		add	eax, 240h
		mov	[ebp+var_78], eax
		test	dl, 1
		jnz	loc_46693A

loc_466653:				; CODE XREF: MiInPagePageTable+353j
		mov	[ebp+var_50], 0

loc_46665A:				; CODE XREF: MiInPagePageTable+359j
		lea	eax, [edi+14h]
		mov	[ebp+var_74], eax
		mov	eax, [edi+ebx*4+0Ch]
		mov	[ebp+var_58], eax
		mov	edx, [eax]
		mov	[ebp+var_6C], edx
		nop
		mov	ecx, [eax+4]
		mov	esi, eax
		mov	[ebp+var_70], ecx
		mov	ecx, [edi]
		mov	eax, ecx
		shl	esi, 9
		mov	[ebp+var_80], esi
		mov	[ebp+var_5C], ecx
		cmp	eax, 0C0000000h
		jnb	loc_5B1C66

loc_46668D:				; CODE XREF: MiInPagePageTable+14B68Aj
		xor	ebx, ebx
		cmp	ecx, ds:_MmHighestUserAddress
		ja	loc_5B1C9A
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	byte ptr [eax+3A8h], 1
		jnz	short loc_4666CE
		mov	eax, ecx
		and	eax, 0FFFFF000h
		cmp	eax, 7FFE0000h
		jz	loc_466917
		cmp	eax, dword_6D0618
		jz	loc_5B1C7F

loc_4666CE:				; CODE XREF: MiInPagePageTable+BEj
					; MiInPagePageTable+14B691j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+var_4C], eax
		mov	ebx, [eax+354h]
		test	ebx, ebx
		jz	short loc_466717
		mov	eax, ecx
		shr	eax, 0Ch
		cmp	eax, [ebx+0Ch]
		jnb	loc_46689F

loc_4666F5:				; CODE XREF: MiInPagePageTable+2B2j
		mov	ebx, [ebp+var_4C]
		mov	ebx, [ebx+350h]
		test	ebx, ebx
		jz	short loc_466717

loc_466702:				; CODE XREF: MiInPagePageTable+125j
		cmp	eax, [ebx+10h]
		ja	short loc_466710
		cmp	eax, [ebx+0Ch]
		jnb	short loc_466776
		mov	ebx, [ebx]
		jmp	short loc_466713
; 

loc_466710:				; CODE XREF: MiInPagePageTable+115j
		mov	ebx, [ebx+4]

loc_466713:				; CODE XREF: MiInPagePageTable+11Ej
		test	ebx, ebx
		jnz	short loc_466702

loc_466717:				; CODE XREF: MiInPagePageTable+F5j
					; MiInPagePageTable+110j ...
		xor	ebx, ebx

loc_466719:				; CODE XREF: MiInPagePageTable+2BAj
		mov	[ebp+var_4C], 0

loc_466720:				; CODE XREF: MiInPagePageTable+14B6C3j
		mov	eax, 18h

loc_466725:				; CODE XREF: MiInPagePageTable+335j
					; MiInPagePageTable+14B6A5j ...
		mov	[ebp+var_54], eax

loc_466728:				; CODE XREF: MiInPagePageTable+2D2j
		or	edx, [ebp+var_70]
		jnz	loc_466802
		mov	edx, [edi]
		cmp	edx, dword_6D07D0
		jnb	loc_5B1CB8

loc_46673F:				; CODE XREF: MiInPagePageTable+14B6D8j
					; MiInPagePageTable+14B6E4j ...
		cmp	eax, 18h
		jnz	short loc_466788
		cmp	edx, 10000h
		jnb	loc_4668C7

loc_466750:				; CODE XREF: MiInPagePageTable+2E5j
					; MiInPagePageTable+2EFj ...
		cmp	edx, ds:_MmHighestUserAddress
		ja	short loc_466760
		test	ebx, ebx
		jnz	loc_46692A

loc_466760:				; CODE XREF: MiInPagePageTable+166j
					; MiInPagePageTable+2DDj ...
		mov	eax, 0C0000005h

loc_466765:				; CODE XREF: MiInPagePageTable+2AAj
					; MiInPagePageTable+14B79Cj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_466776:				; CODE XREF: MiInPagePageTable+11Aj
		test	ebx, ebx
		jz	short loc_466717
		mov	eax, [ebp+var_4C]
		mov	[eax+354h], ebx
		jmp	loc_4668A8
; 

loc_466788:				; CODE XREF: MiInPagePageTable+152j
		mov	edx, [ebp+var_50]
		test	ebx, ebx
		jz	short loc_46679C
		test	dword ptr [ebx+1Ch], 100000h
		jnz	loc_46690A

loc_46679C:				; CODE XREF: MiInPagePageTable+19Dj
					; MiInPagePageTable+31Cj ...
		mov	ecx, [ebp+var_60]
		mov	ecx, [ecx+140h]
		test	ecx, ecx
		jnz	loc_5B1D91

loc_4667AD:				; CODE XREF: MiInPagePageTable+14B7B3j
		xor	ecx, ecx
		test	edx, edx
		setnz	cl
		xor	eax, eax
		test	ebx, ebx
		setnz	al
		test	ecx, eax
		jnz	loc_466963

loc_4667C3:				; CODE XREF: MiInPagePageTable+37Cj
		test	ebx, ebx
		jz	short loc_4667D5
		mov	eax, [ebx+1Ch]
		and	eax, 70h
		cmp	al, 50h
		jz	loc_5B1DE1

loc_4667D5:				; CODE XREF: MiInPagePageTable+1D5j
					; MiInPagePageTable+14B7FAj ...
		mov	eax, [ebp+var_58]
		cmp	eax, 0C0600000h
		jb	loc_5B1EA4
		cmp	eax, 0C0603FFFh
		ja	loc_5B1EA4

loc_4667EE:				; CODE XREF: MiInPagePageTable+14B8BDj
					; MiInPagePageTable+14B8ECj
		push	0
		push	80h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebp+var_58]
		mov	[ecx], eax
		mov	[ecx+4], edx

loc_466802:				; CODE XREF: MiInPagePageTable+13Bj
		mov	esi, edi
		mov	ecx, 10h
		lea	edi, [ebp+var_48]
		rep movsd
		mov	esi, [ebp+var_7C]
		mov	[ebp+var_24], 0
		mov	eax, [esi+8]
		test	al, 1
		jnz	loc_46694E

loc_466823:				; CODE XREF: MiInPagePageTable+36Ej
					; MiInPagePageTable+14B8FBj
		mov	eax, [esi+4]
		shr	eax, 19h
		push	eax
		call	MiGetClosestImplicitNode
		shl	eax, 19h
		lea	edx, [ebp+var_64]
		or	eax, 2
		mov	[ebp+var_20], ebx
		mov	[ebp+var_44], eax
		lea	ecx, [ebp+var_48]
		mov	eax, [ebp+var_80]
		mov	[ebp+var_48], eax
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_3C], eax
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_38], eax
		call	MiDispatchFault
		mov	ecx, eax
		cmp	ecx, 0C0033333h
		jz	loc_466980

loc_46687A:				; CODE XREF: MiInPagePageTable+3A3j
		mov	edx, [ebp+var_2C]
		test	dh, 1
		jnz	loc_5B1EF6

loc_466886:				; CODE XREF: MiInPagePageTable+14B91Bj
		test	ecx, ecx
		js	loc_5B1F10
		test	byte ptr [esi+1Dh], 1
		jnz	loc_5B1F17

loc_466898:				; CODE XREF: MiInPagePageTable+14B944j
					; MiInPagePageTable+14B94Fj
		xor	eax, eax
		jmp	loc_466765
; 

loc_46689F:				; CODE XREF: MiInPagePageTable+FFj
		cmp	eax, [ebx+10h]
		ja	loc_4666F5

loc_4668A8:				; CODE XREF: MiInPagePageTable+193j
		test	ebx, ebx
		jz	loc_466719
		push	ebx
		lea	edx, [ebp+var_54]
		call	MiCheckUserVirtualAddress
		mov	edx, [ebp+var_6C]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_54]
		jmp	loc_466728
; 

loc_4668C7:				; CODE XREF: MiInPagePageTable+15Aj
		cmp	edx, ds:_MmHighestUserAddress
		ja	loc_466760
		test	ebx, ebx
		jnz	loc_466750
		test	byte ptr [edi+4], 2
		jz	loc_466750
		mov	ecx, [ebp+var_60]
		test	dword ptr [ecx+3A8h], 1000h
		jnz	loc_5B1CF6
		call	_MiIsStoreProcess@4 ; MiIsStoreProcess(x)
		test	eax, eax
		jz	loc_466750
		jmp	loc_5B1D07
; 

loc_46690A:				; CODE XREF: MiInPagePageTable+1A6j
		test	edx, edx
		jz	loc_46679C
		jmp	loc_5B1D58
; 

loc_466917:				; CODE XREF: MiInPagePageTable+CCj
		mov	ecx, dword_6D0610
		mov	eax, 1
		mov	[ebp+var_4C], ecx
		jmp	loc_466725
; 

loc_46692A:				; CODE XREF: MiInPagePageTable+16Aj
		mov	esi, [ebp+var_50]
		test	esi, esi
		jz	loc_466760
		jmp	loc_5B1D18
; 

loc_46693A:				; CODE XREF: MiInPagePageTable+5Dj
		and	edx, 0FFFFFFFEh
		mov	[ebp+var_50], edx
		cmp	byte ptr [edx],	1
		jnz	loc_466653
		jmp	loc_46665A
; 

loc_46694E:				; CODE XREF: MiInPagePageTable+22Dj
		and	eax, 0FFFFFFFEh
		mov	al, [eax]
		cmp	al, 2
		jnz	short loc_466977

loc_466957:				; CODE XREF: MiInPagePageTable+389j
					; MiInPagePageTable+14B8F3j ...
		mov	[ebp+var_40], 0
		jmp	loc_466823
; 

loc_466963:				; CODE XREF: MiInPagePageTable+1CDj
		mov	ecx, ebx
		call	_MiIsVadLarge@4	; MiIsVadLarge(x)
		test	eax, eax
		jz	loc_4667C3
		jmp	loc_5B1DB7
; 

loc_466977:				; CODE XREF: MiInPagePageTable+365j
		cmp	al, 1
		jz	short loc_466957
		jmp	loc_5B1EE1
; 

loc_466980:				; CODE XREF: MiInPagePageTable+284j
		test	byte ptr [ebp+var_24], 40h
		mov	edx, [ebp+var_64]
		jnz	short loc_466998

loc_466989:				; CODE XREF: MiInPagePageTable+3AFj
		lea	ecx, [ebp+var_48]
		call	_MiIssueHardFault@8 ; MiIssueHardFault(x,x)
		mov	ecx, eax
		jmp	loc_46687A
; 

loc_466998:				; CODE XREF: MiInPagePageTable+397j
		or	dword ptr [edx+78h], 40000h
		jmp	short loc_466989
MiInPagePageTable endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckProtoAccess proc	near		; CODE XREF: .text:00467CE5p
					; MiDispatchFault+3B6p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 005B1F44 SIZE 00000077 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	[ebp+var_8], ebx
		mov	edx, [esi]
		nop
		mov	ecx, [esi+4]
		mov	edi, edx
		mov	eax, ecx
		shrd	edi, eax, 5
		mov	eax, edx
		and	eax, 400h
		and	edi, 1Fh
		or	eax, 0
		jz	loc_466B46
		mov	ebx, dword_6D0704
		mov	eax, dword_6D0700
		mov	[ebp+var_10], ebx
		or	eax, ebx
		mov	ebx, [ebp+var_8]
		jz	short loc_466A06
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jz	loc_466B17

loc_466A06:				; CODE XREF: MiCheckProtoAccess+46j
		mov	eax, ecx

loc_466A08:				; CODE XREF: MiCheckProtoAccess+171j
		cmp	eax, 0FFFFFFFFh
		jnz	loc_466B46
		shl	esi, 9
		cmp	esi, ds:_MmHighestUserAddress
		ja	loc_466B0A
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	byte ptr [eax+3A8h], 1
		jnz	short loc_466A53
		mov	eax, esi
		and	eax, 0FFFFF000h
		cmp	eax, 7FFE0000h
		jz	loc_466B35
		cmp	eax, dword_6D0618
		jz	loc_466B90

loc_466A53:				; CODE XREF: MiCheckProtoAccess+83j
					; MiCheckProtoAccess+1E2j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [eax+354h]
		test	ecx, ecx
		jz	loc_466B0A
		mov	edx, esi
		shr	edx, 0Ch
		cmp	edx, [ecx+0Ch]
		jb	loc_466AFC
		cmp	edx, [ecx+10h]
		ja	short loc_466AFC

loc_466A80:				; CODE XREF: MiCheckProtoAccess+22Ej
		test	ecx, ecx
		jz	loc_466B0A
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	byte ptr [eax+3A8h], 1
		jnz	short loc_466ABB
		and	esi, 0FFFFF000h
		cmp	esi, 7FFE0000h
		jz	loc_466B35
		cmp	esi, dword_6D0618
		jz	loc_5B1F44

loc_466ABB:				; CODE XREF: MiCheckProtoAccess+EBj
					; MiCheckProtoAccess+14B59Cj
		mov	eax, [ecx+1Ch]
		and	al, 70h
		cmp	al, 20h
		jz	short loc_466B26

loc_466AC4:				; CODE XREF: MiCheckProtoAccess+17Ej
					; MiCheckProtoAccess+14B5A6j ...
		mov	eax, [ecx+1Ch]
		test	al, 4
		jnz	short loc_466B0A
		test	eax, 100000h
		jnz	loc_5B1F89
		mov	eax, [ecx+28h]
		test	eax, 1000000h
		jnz	loc_5B1FA8

loc_466AE4:				; CODE XREF: MiCheckProtoAccess+14B606j
		lea	eax, [ebp+var_10]
		push	eax
		push	4
		call	MiGetProtoPteAddress
		mov	ecx, eax

loc_466AF1:				; CODE XREF: MiCheckProtoAccess+1C2j
		mov	[ebx], edi
		mov	eax, ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_466AFC:				; CODE XREF: MiCheckProtoAccess+C5j
					; MiCheckProtoAccess+CEj
		mov	ecx, [eax+350h]
		test	ecx, ecx
		jnz	loc_466BB0

loc_466B0A:				; CODE XREF: MiCheckProtoAccess+6Aj
					; MiCheckProtoAccess+B7j ...
		mov	[ebx], edi
		xor	ecx, ecx
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_466B17:				; CODE XREF: MiCheckProtoAccess+50j
		mov	eax, [ebp+var_10]
		mov	ebx, [ebp+var_8]
		not	eax
		and	eax, ecx
		jmp	loc_466A08
; 

loc_466B26:				; CODE XREF: MiCheckProtoAccess+112j
		mov	eax, [ecx+28h]
		test	eax, 10000000h
		jz	short loc_466AC4
		jmp	loc_5B1F51
; 

loc_466B35:				; CODE XREF: MiCheckProtoAccess+91j
					; MiCheckProtoAccess+F9j
		mov	ecx, dword_6D0610
		mov	eax, ecx
		mov	[ebx], edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_466B46:				; CODE XREF: MiCheckProtoAccess+2Dj
					; MiCheckProtoAccess+5Bj
		mov	esi, dword_6D0700
		mov	eax, esi
		mov	edi, dword_6D0704
		or	eax, edi
		mov	[ebp+var_C], ecx
		jz	short loc_466B65
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jz	short loc_466B77

loc_466B65:				; CODE XREF: MiCheckProtoAccess+1A9j
					; MiCheckProtoAccess+1CEj
		and	edx, 8
		or	edx, 0
		jnz	short loc_466B80
		mov	edi, 100h
		jmp	loc_466AF1
; 

loc_466B77:				; CODE XREF: MiCheckProtoAccess+1B3j
		mov	ecx, edi
		not	ecx
		and	ecx, [ebp+var_C]
		jmp	short loc_466B65
; 

loc_466B80:				; CODE XREF: MiCheckProtoAccess+1BBj
		mov	edi, 1
		mov	eax, ecx
		mov	[ebx], edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_466B90:				; CODE XREF: MiCheckProtoAccess+9Dj
		test	eax, eax
		jz	loc_466A53

loc_466B98:				; CODE XREF: MiCheckProtoAccess+14B596j
		mov	ecx, dword_6D0614
		mov	eax, ecx
		mov	[ebx], edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 
		align 10h

loc_466BB0:				; CODE XREF: MiCheckProtoAccess+154j
					; MiCheckProtoAccess+213j
		cmp	edx, [ecx+10h]
		ja	short loc_466BBE
		cmp	edx, [ecx+0Ch]
		jnb	short loc_466BD0
		mov	ecx, [ecx]
		jmp	short loc_466BC1
; 

loc_466BBE:				; CODE XREF: MiCheckProtoAccess+203j
		mov	ecx, [ecx+4]

loc_466BC1:				; CODE XREF: MiCheckProtoAccess+20Cj
		test	ecx, ecx
		jnz	short loc_466BB0
		mov	[ebx], edi
		mov	eax, ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_466BD0:				; CODE XREF: MiCheckProtoAccess+208j
		test	ecx, ecx
		jz	loc_466B0A
		mov	[eax+354h], ecx
		jmp	loc_466A80
MiCheckProtoAccess endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiObtainReferencedVadEx	proc near	; CODE XREF: NtGetWriteWatch+268p
					; MiGetWorkingSetInfoList(x,x,x,x)+3B6p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B1FBB SIZE 000000D1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	ebx, ecx
		mov	dword ptr [eax], 0
		mov	[ebp+var_4], edx
		mov	eax, [edi+80h]
		dec	word ptr [edi+13Eh]
		mov	[ebp+var_8], eax
		nop
		dec	word ptr [edi+13Eh]
		nop
		add	eax, 134h
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	ExAcquirePushLockSharedEx
		or	byte ptr [edi+304h], 2
		nop
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	esi, [eax+354h]
		test	esi, esi
		jz	loc_466D3E
		shr	ebx, 0Ch
		cmp	ebx, [esi+0Ch]
		jb	loc_466D34
		cmp	ebx, [esi+10h]
		ja	loc_466D34

loc_466C71:				; CODE XREF: MiObtainReferencedVadEx+1E8j
		test	esi, esi
		jz	loc_466D3E
		test	byte ptr [ebp+var_4], 1
		jnz	short loc_466C8F
		mov	eax, [ebp+var_8]
		test	byte ptr [eax+0FCh], 20h
		jnz	loc_5B1FBB

loc_466C8F:				; CODE XREF: MiObtainReferencedVadEx+8Dj
		mov	eax, 1
		lock xadd [esi+14h], eax
		jz	loc_5B1FC5
		and	byte ptr [edi+304h], 0FDh
		xor	ecx, ecx
		mov	edx, [ebp+var_C]
		mov	eax, 11h
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	loc_466D9C

loc_466CBD:				; CODE XREF: MiObtainReferencedVadEx+1B6j
		mov	ecx, edx
		call	KeAbPostRelease
		nop
		add	word ptr [edi+13Eh], 1
		jz	loc_466DF7

loc_466CD3:				; CODE XREF: MiObtainReferencedVadEx+20Dj
					; MiObtainReferencedVadEx+14B3E1j
		mov	ecx, [ebp+var_4]
		dec	word ptr [edi+13Eh]
		and	ecx, 2
		mov	[ebp+var_4], ecx
		nop
		xor	edx, edx
		test	ecx, ecx
		lea	ecx, [esi+18h]
		jnz	loc_466D8B
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [edi+304h], 80h

loc_466CFD:				; CODE XREF: MiObtainReferencedVadEx+1A7j
		nop
		nop
		add	word ptr [edi+13Eh], 1
		jz	loc_466DE6

loc_466D0D:				; CODE XREF: MiObtainReferencedVadEx+1FCj
					; MiObtainReferencedVadEx+14B3EBj
		test	byte ptr [esi+1Ch], 4
		jnz	loc_5B1FE0
		cmp	ebx, [esi+0Ch]
		jb	loc_5B2060
		cmp	ebx, [esi+10h]
		ja	loc_5B2060
		mov	eax, esi

loc_466D2B:				; CODE XREF: MiObtainReferencedVadEx+199j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_466D34:				; CODE XREF: MiObtainReferencedVadEx+72j
					; MiObtainReferencedVadEx+7Bj
		mov	esi, [eax+350h]
		test	esi, esi
		jnz	short loc_466DB0

loc_466D3E:				; CODE XREF: MiObtainReferencedVadEx+66j
					; MiObtainReferencedVadEx+83j ...
		mov	eax, [ebp+var_8]
		test	byte ptr [eax+0FCh], 20h
		jnz	loc_5B2082
		mov	eax, 0C00000A0h

loc_466D53:				; CODE XREF: MiObtainReferencedVadEx+14B3D0j
					; MiObtainReferencedVadEx+14B497j
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	esi, [ebp+var_C]
		mov	[ecx], eax
		mov	eax, 11h
		and	byte ptr [edi+304h], 0FDh
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_466DDD

loc_466D72:				; CODE XREF: MiObtainReferencedVadEx+1F4j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_466D87:				; CODE XREF: MiObtainReferencedVadEx+14B46Bj
					; MiObtainReferencedVadEx+14B48Dj
		xor	eax, eax
		jmp	short loc_466D2B
; 

loc_466D8B:				; CODE XREF: MiObtainReferencedVadEx+FBj
		call	ExAcquirePushLockSharedEx
		or	byte ptr [edi+305h], 40h
		jmp	loc_466CFD
; 

loc_466D9C:				; CODE XREF: MiObtainReferencedVadEx+C7j
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, [ebp+var_C]
		jmp	loc_466CBD
; 
		jmp	short loc_466DB0
; 
		align 10h

loc_466DB0:				; CODE XREF: MiObtainReferencedVadEx+14Cj
					; MiObtainReferencedVadEx+1BBj	...
		cmp	ebx, [esi+10h]
		ja	short loc_466DBE
		cmp	ebx, [esi+0Ch]
		jnb	short loc_466DCA
		mov	esi, [esi]
		jmp	short loc_466DC1
; 

loc_466DBE:				; CODE XREF: MiObtainReferencedVadEx+1C3j
		mov	esi, [esi+4]

loc_466DC1:				; CODE XREF: MiObtainReferencedVadEx+1CCj
		test	esi, esi
		jnz	short loc_466DB0
		jmp	loc_466D3E
; 

loc_466DCA:				; CODE XREF: MiObtainReferencedVadEx+1C8j
		test	esi, esi
		jz	loc_466D3E
		mov	[eax+354h], esi
		jmp	loc_466C71
; 

loc_466DDD:				; CODE XREF: MiObtainReferencedVadEx+180j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_466D72
; 

loc_466DE6:				; CODE XREF: MiObtainReferencedVadEx+117j
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jz	loc_466D0D
		jmp	loc_5B1FD6
; 

loc_466DF7:				; CODE XREF: MiObtainReferencedVadEx+DDj
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jz	loc_466CD3
		jmp	loc_5B1FCC
MiObtainReferencedVadEx	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmAccessFault	proc near		; CODE XREF: MiMakeSystemAddressValid+291p
					; .text:004533B3p ...

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005B208C SIZE 000001EE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B8h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0B8h+var_4], eax
		mov	edx, [ebp+arg_0]
		mov	eax, edx
		push	esi
		mov	esi, [ebp+arg_4]
		and	eax, 9
		mov	[esp+0BCh+var_9C], 0
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[esp+0C0h+var_AC], edi
		cmp	al, 9
		jz	loc_5B208C
		test	edx, 8000h
		jnz	loc_4674F7
		mov	eax, esi
		mov	[esp+0C0h+var_34], 0
		shr	eax, 9
		xor	ecx, ecx
		and	eax, offset loc_7FFFF8
		mov	[esp+0C0h+var_20], ecx
		sub	eax, 40000000h
		mov	[esp+0C0h+var_1C], ecx
		mov	[esp+0C0h+var_3C], eax
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esp+0C0h+var_18], ecx
		sub	eax, 40000000h
		mov	[esp+0C0h+var_14], ecx
		mov	[esp+0C0h+var_38], eax
		movsx	eax, [ebp+arg_8]
		shl	eax, 6
		xor	eax, ecx
		mov	[esp+0C0h+var_10], ecx
		and	eax, 40h
		mov	[esp+0C0h+var_C], ecx
		xor	ecx, eax
		mov	[esp+0C0h+var_30], 0
		mov	[esp+0C0h+var_2C], 0
		mov	[esp+0C0h+var_28], 0
		mov	[esp+0C0h+var_44], edx
		mov	[esp+0C0h+var_48], esi
		mov	[esp+0C0h+var_40], edi
		mov	[esp+0C0h+var_24], ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		ja	loc_4675B6

loc_466F10:				; CODE XREF: MmAccessFault+59Cj
		mov	eax, [esp+0C0h+var_48]
		mov	[esp+0C0h+var_A0], 1000h
		cmp	eax, dword_6D07D0
		jnb	loc_46717D

loc_466F28:				; CODE XREF: MmAccessFault+37Ej
		lea	ecx, [esp+0C0h+var_48]
		call	MiUserFault
		mov	esi, eax
		cmp	esi, 0C0000016h
		jnz	loc_467051

loc_466F3F:				; CODE XREF: MmAccessFault+38Aj
		lea	edx, [esp+0C0h+var_9C]
		lea	ecx, [esp+0C0h+var_48]
		call	MiDispatchFault
		mov	esi, eax
		mov	[esp+0C0h+var_A8], esi
		cmp	esi, 0C0000016h
		jz	loc_4673B1
		mov	edx, [esp+0C0h+var_9C]
		test	edx, edx
		jnz	loc_4671FE

loc_466F6A:				; CODE XREF: MmAccessFault+422j
		mov	[esp+0C0h+var_1C], 0

loc_466F75:				; CODE XREF: MmAccessFault+648j
		test	byte ptr [esp+0C0h+var_24], 10h
		jnz	loc_46729D
		mov	ecx, [esp+0C0h+var_28]
		mov	edx, [esp+0C0h+var_34]
		mov	[esp+0C0h+var_A4], edx
		test	ecx, ecx
		jz	loc_5B2120
		cmp	word ptr [esp+0C0h+var_30+2], 0
		jnz	loc_467237

loc_466FAC:				; CODE XREF: MmAccessFault+43Ej
		add	ecx, 3FA00000h
		sar	ecx, 3
		add	ecx, ecx
		mov	eax, ecx
		and	eax, 1Fh
		mov	[esp+0C0h+var_B0], eax
		mov	al, [edx+60h]
		and	al, 7
		cmp	al, 2
		jnb	loc_4671C5
		shr	ecx, 5
		test	al, al
		jnz	loc_4671F3
		mov	eax, [edx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_466FE3:				; CODE XREF: MmAccessFault+3DEj
					; MmAccessFault+3E9j
		mov	[esp+0C0h+var_B8], eax

loc_466FE7:				; CODE XREF: MmAccessFault+14B30Bj
		mov	edx, [eax]
		mov	eax, [esp+0C0h+var_B0]
		mov	ecx, eax
		mov	edi, [esp+0C0h+var_B8]
		mov	[esp+0C0h+var_B4], 2
		shl	[esp+0C0h+var_B4], cl
		mov	ecx, edx
		not	[esp+0C0h+var_B4]
		btr	ecx, eax
		and	ecx, [esp+0C0h+var_B4]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	edi, [esp+0C0h+var_AC]
		cmp	eax, edx
		jnz	loc_46753B

loc_46701E:				; CODE XREF: MmAccessFault+754j
		mov	al, byte ptr [esp+0C0h+var_2C+1]
		or	al, 2
		mov	[esp+0C0h+var_28], 0
		mov	byte ptr [esp+0C0h+var_2C+1], al

loc_467039:				; CODE XREF: MmAccessFault+14B317j
		mov	dl, byte ptr [esp+0C0h+var_2C]
		mov	ecx, [esp+0C0h+var_A4]
		test	al, 1
		jnz	loc_5B212C
		call	MiUnlockWorkingSetShared

loc_467051:				; CODE XREF: MmAccessFault+129j
					; MmAccessFault+54Aj ...
		test	byte ptr [esp+0C0h+var_24], 1
		jnz	loc_467569

loc_46705F:				; CODE XREF: MmAccessFault+769j
		mov	ecx, [esp+0C0h+var_14]
		test	ecx, ecx
		jnz	loc_5B2136

loc_46706E:				; CODE XREF: MmAccessFault+14B34Ej
		mov	ecx, [esp+0C0h+var_10]
		test	ecx, ecx
		jnz	loc_5B2163
		test	byte ptr [esp+0C0h+var_40], 1
		jnz	loc_467165

loc_46708B:				; CODE XREF: MmAccessFault+362j
					; MmAccessFault+14B382j ...
		mov	ecx, [esp+0C0h+var_34]
		test	byte ptr [ecx+60h], 7
		jnz	loc_4671A5
		mov	eax, large fs:124h
		cmp	byte ptr [eax+87h], 10h
		jge	loc_467253

loc_4670AF:				; CODE XREF: MmAccessFault+390j
					; MmAccessFault+3AAj ...
		test	esi, esi
		jz	short loc_4670DD
		cmp	esi, 0C0000434h
		jz	loc_467467
		test	esi, esi
		js	short loc_46712E

loc_4670C3:				; CODE XREF: MmAccessFault+34Aj
					; MmAccessFault+14B3C0j
		cmp	[esp+0C0h+var_1C], 0
		jnz	short loc_4670DD

loc_4670CD:				; CODE XREF: MmAccessFault+14B2BAj
		test	ds:_PerfGlobalGroupMask, 1000h
		jnz	loc_5B2213

loc_4670DD:				; CODE XREF: MmAccessFault+2A1j
					; MmAccessFault+2BBj ...
		test	byte ptr [esp+0C0h+var_24], 2
		jnz	loc_5B224D

loc_4670EB:				; CODE XREF: MmAccessFault+14B44Ej
		test	byte ptr [esp+0C0h+var_24], 4
		jnz	loc_4675A0

loc_4670F9:				; CODE XREF: MmAccessFault+7A1j
		cmp	[esp+0C0h+var_1C], 0
		jnz	loc_46735F
		mov	ecx, [esp+0C0h+var_18]
		test	ecx, ecx
		jnz	loc_46745D

loc_467116:				; CODE XREF: MmAccessFault+652j
		mov	eax, esi

loc_467118:				; CODE XREF: MmAccessFault+14B292j
		pop	edi
		pop	esi
		mov	ecx, [esp+0B8h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_46712E:				; CODE XREF: MmAccessFault+2B1j
		cmp	esi, 0C0000017h
		jz	loc_46746E
		cmp	esi, 0C000009Ah
		jz	loc_46746E
		cmp	esi, 0C00000A1h
		jz	loc_46746E
		cmp	[esp+0C0h+var_A0], 1000h
		jbe	loc_4670C3
		jmp	loc_5B21C8
; 

loc_467165:				; CODE XREF: MmAccessFault+275j
		mov	eax, [esp+0C0h+var_40]
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	5
		jnz	loc_46708B
		jmp	loc_5B2197
; 

loc_46717D:				; CODE XREF: MmAccessFault+112j
		lea	ecx, [esp+0C0h+var_48]
		call	_MiSystemFault@4 ; MiSystemFault(x)
		mov	esi, eax
		cmp	esi, 0C0h
		jz	loc_466F28
		cmp	esi, 0C0000016h
		jz	loc_466F3F
		jmp	loc_4670AF
; 

loc_4671A5:				; CODE XREF: MmAccessFault+286j
		mov	ecx, [ecx+4]
		and	ecx, 0FFFh
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, offset _MiSystemPartition
		jz	loc_4670AF
		jmp	loc_467286
; 

loc_4671C5:				; CODE XREF: MmAccessFault+1B7j
		mov	edx, [esp+0C0h+var_28]
		cmp	edx, 0C0603018h
		jz	loc_5B20E7
		cmp	edx, 0C0603010h
		jz	loc_4675D5

loc_4671E4:				; CODE XREF: MmAccessFault+7CFj
					; MmAccessFault+14B2E7j
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_466FE3
; 

loc_4671F3:				; CODE XREF: MmAccessFault+1C2j
		lea	eax, [ecx+48h]
		lea	eax, [edx+eax*4]
		jmp	loc_466FE3
; 

loc_4671FE:				; CODE XREF: MmAccessFault+154j
		mov	eax, [edx+0BCh]
		mov	[esp+0C0h+var_A0], eax
		mov	eax, [edx+98h]
		test	eax, eax
		jnz	loc_5B20DB

loc_467216:				; CODE XREF: MmAccessFault+14B2D2j
		cmp	[ebp+arg_8], 1
		jnz	short loc_467223
		or	dword ptr [edx+78h], 40000h

loc_467223:				; CODE XREF: MmAccessFault+40Aj
		lea	ecx, [esp+0C0h+var_48]
		call	_MiIssueHardFault@8 ; MiIssueHardFault(x,x)
		mov	esi, eax
		mov	[esp+0C0h+var_A8], esi
		jmp	loc_466F6A
; 

loc_467237:				; CODE XREF: MmAccessFault+196j
		lea	ecx, [esp+0C0h+var_34]
		call	_MiEmptyDeferredWorkingSetEntries@4 ; MiEmptyDeferredWorkingSetEntries(x)
		mov	edx, [esp+0C0h+var_A4]
		mov	ecx, [esp+0C0h+var_28]
		jmp	loc_466FAC
; 

loc_467253:				; CODE XREF: MmAccessFault+299j
		mov	eax, [eax+300h]
		test	al, 0Ch
		setz	cl
		test	al, 2
		setz	al
		test	cl, al
		jz	loc_4670AF
		mov	ecx, [esp+0C0h+var_34]
		mov	eax, [ecx+40h]
		sub	eax, [ecx+3Ch]
		cmp	eax, 64h
		jle	loc_4670AF
		mov	ecx, offset _MiSystemPartition

loc_467286:				; CODE XREF: MmAccessFault+3B0j
		mov	edx, 420h
		call	MiSufficientAvailablePages
		test	eax, eax
		jnz	loc_4670AF
		jmp	loc_5B21B5
; 

loc_46729D:				; CODE XREF: MmAccessFault+16Dj
		mov	eax, [esp+0C0h+var_34]
		lea	ecx, [esp+0C0h+var_98]
		mov	[esp+0C0h+var_80], eax
		mov	eax, [esp+0C0h+var_30]
		mov	[esp+0C0h+var_7C], eax
		mov	eax, [esp+0C0h+var_2C]
		mov	[esp+0C0h+var_78], eax
		mov	eax, [esp+0C0h+var_28]
		mov	[esp+0C0h+var_74], eax
		mov	eax, [esp+0C0h+var_48]
		mov	[esp+0C0h+var_98], 0
		mov	[esp+0C0h+var_94], 0
		mov	[esp+0C0h+var_90], 0
		mov	[esp+0C0h+var_8C], 0
		mov	[esp+0C0h+var_88], 0
		mov	[esp+0C0h+var_70], 0
		mov	[esp+0C0h+var_6C], 0
		mov	[esp+0C0h+var_68], 0
		mov	[esp+0C0h+var_64], 0
		mov	[esp+0C0h+var_60], 0
		mov	[esp+0C0h+var_5C], 0
		mov	[esp+0C0h+var_58], 0
		mov	[esp+0C0h+var_54], 0
		mov	[esp+0C0h+var_50], 0
		mov	[esp+0C0h+var_4C], 0
		mov	[esp+0C0h+var_84], eax
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)
		and	[esp+0C0h+var_24], 0FFFFFFEFh
		jmp	loc_467051
; 

loc_46735F:				; CODE XREF: MmAccessFault+2F1j
		mov	eax, edi
		mov	ecx, edi
		and	eax, 0FFFFFFFEh
		and	ecx, 1
		jnz	loc_46751C

loc_46736F:				; CODE XREF: MmAccessFault+70Fj
		test	ecx, ecx
		jnz	loc_467527

loc_467377:				; CODE XREF: MmAccessFault+726j
					; MmAccessFault+14B456j ...
		xor	edi, edi
		mov	[esp+0C0h+var_AC], edi

loc_46737D:				; CODE XREF: MmAccessFault+14B45Fj
		mov	edx, [esp+0C0h+var_1C]
		lea	eax, [esp+0C0h+var_48]
		mov	esi, [esp+0C0h+var_18]
		mov	ecx, 2
		push	eax		; void *
		push	edi		; int
		push	0		; char
		call	_MiInitializePageFaultPacket@20	; MiInitializePageFaultPacket(x,x,x,x,x)
		or	[esp+0C0h+var_24], 8
		mov	[esp+0C0h+var_18], esi
		jmp	loc_466F10
; 

loc_4673B1:				; CODE XREF: MmAccessFault+148j
		mov	eax, [esp+0C0h+var_48]
		cmp	eax, dword_6D07D0
		jnb	loc_467447
		mov	eax, [esp+0C0h+var_1C]
		cmp	eax, dword_6D0610
		jz	short loc_467447
		mov	ecx, dword_6D0614
		test	ecx, ecx
		jz	short loc_4673DE
		cmp	eax, ecx
		jz	short loc_467447

loc_4673DE:				; CODE XREF: MmAccessFault+5C8j
		mov	eax, [esp+0C0h+var_20]
		test	eax, eax
		jnz	short loc_4673F9
		mov	ecx, [esp+0C0h+var_48]
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	[esp+0C0h+var_20], eax

loc_4673F9:				; CODE XREF: MmAccessFault+5D7j
		test	[esp+0C0h+var_24], 100h
		jnz	loc_5B20A7
		mov	ecx, 4

loc_46740F:				; CODE XREF: MmAccessFault+14B29Cj
		lea	edx, [esp+0C0h+var_18]
		push	edx
		mov	edx, [esp+0C4h+var_48]
		push	ecx
		shr	edx, 0Ch
		mov	ecx, eax
		call	MiGetProtoPteAddress
		test	eax, eax
		jz	loc_5B20B1
		cmp	[esp+0C0h+var_1C], eax
		jnz	loc_5B20CF

loc_46743B:				; CODE XREF: MmAccessFault+14B2C6j
		mov	ecx, [esp+0C0h+var_18]
		call	_MiRetainSubsection@4 ;	MiRetainSubsection(x)

loc_467447:				; CODE XREF: MmAccessFault+5ABj
					; MmAccessFault+5BEj ...
		and	[esp+0C0h+var_24], 0FFFFFEFFh
		xor	esi, esi
		mov	[esp+0C0h+var_A8], esi
		jmp	loc_466F75
; 

loc_46745D:				; CODE XREF: MmAccessFault+300j
		call	_MiReleaseFaultCharges@4 ; MiReleaseFaultCharges(x)
		jmp	loc_467116
; 

loc_467467:				; CODE XREF: MmAccessFault+2A9j
		xor	esi, esi
		jmp	loc_4670DD
; 

loc_46746E:				; CODE XREF: MmAccessFault+324j
					; MmAccessFault+330j ...
		mov	eax, large fs:124h
		test	byte ptr [eax+304h], 4
		jnz	loc_467596
		test	byte ptr [eax+300h], 0Ch
		jnz	loc_467596
		test	byte ptr [esp+0C0h+var_40], 1
		jnz	loc_46757E

loc_46749C:				; CODE XREF: MmAccessFault+77Bj
					; MmAccessFault+14B3CFj
		test	byte ptr [esp+0C0h+var_24], 80h
		jnz	loc_5B21EF
		mov	edx, 420h
		mov	ecx, offset _MiSystemPartition
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	loc_5B21EF
		cmp	dword_6D5E40, 400h
		jb	loc_5B21EF

loc_4674D1:				; CODE XREF: MmAccessFault+14B3EDj
		mov	edx, dword_6D5E00
		test	edx, edx
		jz	short loc_4674DC
		dec	edx

loc_4674DC:				; CODE XREF: MmAccessFault+6C9j
		push	0
		mov	ecx, offset _MiSystemPartition
		call	MiPageAvailableEx
		test	eax, eax
		jz	loc_5B2202

loc_4674F0:				; CODE XREF: MmAccessFault+14B3FEj
		xor	esi, esi
		jmp	loc_4670DD
; 

loc_4674F7:				; CODE XREF: MmAccessFault+46j
		cmp	[ebp+arg_8], 1
		jz	loc_5B209B
		mov	eax, 0C00004A2h
		pop	edi
		pop	esi
		mov	ecx, [esp+0B8h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_46751C:				; CODE XREF: MmAccessFault+559j
		cmp	byte ptr [eax],	1
		jnz	loc_46736F
		jmp	short loc_467532
; 

loc_467527:				; CODE XREF: MmAccessFault+561j
		mov	cl, [eax]
		cmp	cl, 2
		jnz	loc_5B2263

loc_467532:				; CODE XREF: MmAccessFault+715j
		mov	byte ptr [eax+1], 1
		jmp	loc_467377
; 

loc_46753B:				; CODE XREF: MmAccessFault+208j
		mov	edi, [esp+0C0h+var_B0]
		mov	esi, [esp+0C0h+var_B4]

loc_467543:				; CODE XREF: MmAccessFault+74Aj
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, edi
		mov	edi, [esp+0C0h+var_B8]
		and	ecx, esi
		lock cmpxchg [edi], ecx
		mov	edi, [esp+0C0h+var_B0]
		cmp	eax, edx
		jnz	short loc_467543
		mov	esi, [esp+0C0h+var_A8]
		mov	edi, [esp+0C0h+var_AC]
		jmp	loc_46701E
; 

loc_467569:				; CODE XREF: MmAccessFault+249j
		mov	edx, [esp+0C0h+var_48]
		mov	ecx, [esp+0C0h+var_20]
		call	MiDeprioritizeVad
		jmp	loc_46705F
; 

loc_46757E:				; CODE XREF: MmAccessFault+686j
		mov	eax, [esp+0C0h+var_40]
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	5
		jnz	loc_46749C
		jmp	loc_5B21DB
; 

loc_467596:				; CODE XREF: MmAccessFault+66Bj
					; MmAccessFault+678j
		mov	esi, 0C0000017h
		jmp	loc_4670DD
; 

loc_4675A0:				; CODE XREF: MmAccessFault+2E3j
		mov	ecx, [esp+0C0h+var_34]
		mov	edx, 0C0000434h
		call	MiCopyOnWriteCheckConditions
		jmp	loc_4670F9
; 

loc_4675B6:				; CODE XREF: MmAccessFault+FAj
		lea	ecx, [esp+0C0h+var_48]
		call	MiRaisedIrqlFault
		mov	ecx, [esp+0C0h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4675D5:				; CODE XREF: MmAccessFault+3CEj
		cmp	dword_6D07D0, 0C0000000h
		jnb	loc_4671E4
		jmp	loc_5B20E7
MmAccessFault	endp

; 
		align 10h

MiUserFault:				; CODE XREF: MmAccessFault+11Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	dword ptr [ebp-34h], 0
		mov	edx, [eax+80h]
		push	edi
		lea	edi, [esi+14h]
		mov	[ebp-8], esi
		mov	[ebp-28h], edx
		lea	ebx, [edx+240h]
		mov	[ebp-10h], edi
		mov	[edi], ebx
		cmp	dword ptr [edx+348h], 10h
		mov	dword ptr [ebp-1Ch], 0
		jbe	loc_467CA9
		test	dword ptr [edx+3A8h], 1000h
		jnz	loc_467CA9
		cmp	dword_6D514C, edx
		jz	loc_46802F

loc_467654:				; CODE XREF: .text:00468036j
		cmp	ds:_KeNumberNodes, 1
		mov	eax, dword_6D5F00
		mov	[ebp-24h], eax
		ja	loc_5B227A

loc_46766A:				; CODE XREF: .text:005B22D4j
					; .text:005B22EDj
		mov	ecx, dword_6D5E00

loc_467670:				; CODE XREF: .text:005B22E7j
		cmp	ecx, 420h
		jb	loc_5B22F2

loc_46767C:				; CODE XREF: .text:005B22FEj
		cmp	dword_6D34D0, 0
		jnz	loc_467CB6

loc_467689:				; CODE XREF: .text:00467CB0j
					; .text:00467CC0j
		mov	al, [ebx+60h]
		and	al, 7
		cmp	al, 4
		ja	loc_5B231D

loc_467696:				; CODE XREF: .text:005B231Fj
		cmp	al, 2
		jz	loc_5B2334
		lea	esi, [ebx+80h]

loc_4676A4:				; CODE XREF: .text:005B2339j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		jnz	loc_5B233E
		mov	edx, [esi]
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	loc_467F93

loc_4676D4:				; CODE XREF: .text:00467F9Cj
					; .text:005B2347j
		add	esi, 4
		cmp	dword ptr [esi], 0
		jnz	loc_468229

loc_4676E0:				; CODE XREF: .text:0046822Dj
		mov	esi, [ebp-8]

loc_4676E3:				; CODE XREF: .text:005B232Fj
		mov	eax, large fs:124h
		mov	[edi+8], bl
		mov	ecx, [eax+80h]
		mov	al, [ecx+2A0h]
		and	al, 7
		cmp	al, 2
		jz	loc_5B234C
		lea	edx, [ecx+2C0h]

loc_467708:				; CODE XREF: .text:005B2351j
		mov	al, [ecx+2A3h]
		and	al, 60h
		cmp	al, 60h
		jz	loc_5B2356

loc_467718:				; CODE XREF: .text:005B235Aj
					; .text:005B2366j ...
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		cmp	dword ptr [esi+13Ch], 0
		jnz	loc_5B2399

loc_467731:				; CODE XREF: .text:005B23A8j
		mov	eax, [esi+4B4h]
		test	byte ptr [edi+9], 1
		mov	edx, [edi]
		mov	[ebp-2Ch], edx
		mov	dword ptr [ebp-14h], 0
		mov	dword ptr [ebp-0Ch], 2
		jnz	loc_4678BC
		mov	dword ptr [edi+0Ch], 0C0603018h
		mov	ecx, 6
		mov	al, [edx+60h]
		and	al, 7
		mov	dword ptr [ebp-30h], 0
		mov	[ebp-18h], ecx
		cmp	al, 2
		jnb	loc_5B23B7
		test	al, al
		jnz	loc_5B23DF
		mov	esi, [edx+0Ch]
		add	esi, 0F10h

loc_467788:				; CODE XREF: .text:005B23D0j
					; .text:005B23DAj ...
		mov	ebx, [esi]

loc_46778A:				; CODE XREF: .text:00467ECFj
					; .text:00467F61j ...
		mov	edx, [ebp-0Ch]
		shl	edx, cl
		nop

loc_467790:				; CODE XREF: .text:004680C9j
		mov	eax, ebx
		shr	eax, cl
		test	al, 1
		jnz	loc_467E9B
		mov	eax, [ebp-18h]
		mov	ecx, ebx
		bts	ecx, eax
		mov	eax, edx
		not	eax
		and	ecx, eax
		mov	eax, ebx
		lock cmpxchg [esi], ecx
		cmp	eax, ebx
		jnz	loc_4680C4
		mov	ebx, [ebp-8]
		mov	esi, [ebx+10h]
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		mov	[ebp-24h], esi
		cmp	esi, [edi+0Ch]
		jz	loc_4678BC
		mov	edx, [ebp-2Ch]
		lea	eax, [esi+3FA00000h]
		sar	eax, 3
		mov	dword ptr [ebp-30h], 0
		lea	ecx, [eax+eax]
		mov	al, [edx+60h]
		mov	edi, ecx
		and	al, 7
		and	edi, 1Fh
		cmp	al, 2
		jnb	loc_5B2405
		shr	ecx, 5
		test	al, al
		jnz	loc_5B245C
		mov	eax, [edx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_467817:				; CODE XREF: .text:005B2457j
					; .text:005B2465j
		mov	[ebp-18h], eax

loc_46781A:				; CODE XREF: .text:005B2448j
		mov	edx, [eax]

loc_46781C:				; CODE XREF: .text:00467E96j
					; .text:00467F31j ...
		mov	ebx, [ebp-0Ch]
		mov	ecx, edi
		shl	ebx, cl

loc_467823:				; CODE XREF: .text:0046812Dj
		mov	eax, edx
		mov	ecx, edi
		shr	eax, cl
		test	al, 1
		jnz	loc_467E6C
		mov	esi, [ebp-18h]
		mov	ecx, edx
		mov	eax, ebx
		bts	ecx, edi
		not	eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	loc_46812B
		mov	edi, [ebp-10h]
		mov	edx, [ebp-2Ch]
		mov	esi, [edi+0Ch]
		lea	eax, [esi+3FA00000h]
		sar	eax, 3
		lea	ecx, [eax+eax]
		mov	eax, ecx
		and	eax, 1Fh
		mov	[ebp-30h], eax
		mov	al, [edx+60h]
		and	al, 7
		cmp	al, 2
		jnb	loc_5B2482
		shr	ecx, 5
		test	al, al
		jnz	loc_5B24DC
		mov	eax, [edx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_46788D:				; CODE XREF: .text:005B24D7j
					; .text:005B24E5j
		mov	[ebp-18h], eax

loc_467890:				; CODE XREF: .text:005B24C8j
		mov	edx, [eax]
		mov	eax, [ebp-30h]
		mov	ecx, eax
		mov	ebx, [ebp-0Ch]
		mov	esi, [ebp-18h]
		shl	ebx, cl
		mov	ecx, edx
		btr	ecx, eax
		not	ebx
		and	ecx, ebx
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	esi, [ebp-24h]
		cmp	eax, edx
		jnz	loc_468139

loc_4678B9:				; CODE XREF: .text:00468157j
		mov	[edi+0Ch], esi

loc_4678BC:				; CODE XREF: .text:0046774Ej
					; .text:004677D3j
		mov	esi, [ebp-8]
		mov	ecx, 1
		mov	[ebp-30h], ecx
		lea	eax, [esi+10h]
		mov	[ebp-24h], eax
		lea	ecx, [ecx+0]

loc_4678D0:				; CODE XREF: .text:00467A07j
		mov	ebx, [eax]
		mov	[ebp-4Ch], ebx
		mov	edx, [ebx]
		nop
		mov	eax, [ebx+4]
		mov	[ebp-44h], eax
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	loc_467E0B
		and	edx, 80h
		or	edx, 0
		jnz	loc_5B25E2
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	loc_4679F5
		cmp	ebx, eax
		jz	loc_4679F5
		mov	edx, [ebp-2Ch]
		lea	eax, [ebx+3FA00000h]
		sar	eax, 3
		xor	esi, esi
		lea	ecx, [eax+eax]
		mov	al, [edx+60h]
		mov	edi, ecx
		and	al, 7
		and	edi, 1Fh
		mov	[ebp-3Ch], edi
		cmp	al, 2
		jnb	loc_5B24EA
		shr	ecx, 5
		test	al, al
		jnz	loc_5B2544
		mov	eax, [edx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_46794A:				; CODE XREF: .text:005B253Fj
					; .text:005B254Dj
		mov	[ebp-18h], eax

loc_46794D:				; CODE XREF: .text:005B2530j
		mov	edx, [eax]

loc_46794F:				; CODE XREF: .text:00467E67j
					; .text:00467EFEj ...
		mov	ebx, [ebp-0Ch]
		mov	ecx, edi
		shl	ebx, cl

loc_467956:				; CODE XREF: .text:004681F6j
		mov	eax, edx
		mov	ecx, edi
		shr	eax, cl
		test	al, 1
		jnz	loc_467E3D
		mov	ecx, edx
		mov	eax, ebx
		bts	ecx, edi
		not	eax
		mov	edi, [ebp-18h]
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	edi, [ebp-3Ch]
		cmp	eax, edx
		jnz	loc_4681F4
		mov	edi, [ebp-10h]
		mov	edx, [ebp-2Ch]
		mov	esi, [edi+0Ch]
		lea	eax, [esi+3FA00000h]
		sar	eax, 3
		lea	ecx, [eax+eax]
		mov	al, [edx+60h]
		mov	ebx, ecx
		and	al, 7
		and	ebx, 1Fh
		cmp	al, 2
		jnb	loc_5B256A
		shr	ecx, 5
		test	al, al
		jnz	loc_5B25C1
		mov	eax, [edx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_4679C0:				; CODE XREF: .text:005B25BCj
					; .text:005B25CAj
		mov	[ebp-18h], eax

loc_4679C3:				; CODE XREF: .text:005B25ADj
		mov	esi, [ebp-0Ch]
		mov	ecx, ebx
		mov	edx, [eax]
		mov	eax, edx
		mov	edi, [ebp-18h]
		shl	esi, cl
		mov	ecx, edx
		not	esi
		btr	ecx, ebx
		and	ecx, esi
		lock cmpxchg [edi], ecx
		mov	edi, [ebp-10h]
		cmp	eax, edx
		jnz	loc_4680CE

loc_4679E9:				; CODE XREF: .text:004680E5j
		mov	eax, [ebp-4Ch]
		mov	esi, [ebp-8]
		mov	ecx, [ebp-30h]
		mov	[edi+0Ch], eax

loc_4679F5:				; CODE XREF: .text:00467900j
					; .text:00467908j
		mov	eax, [ebp-24h]
		mov	ebx, [ebp-14h]

loc_4679FB:				; CODE XREF: .text:00467F40j
		dec	ecx
		sub	eax, 4
		mov	[ebp-30h], ecx
		mov	[ebp-24h], eax
		test	ecx, ecx
		jnz	loc_4678D0
		test	ebx, ebx
		js	loc_467E31

loc_467A15:				; CODE XREF: .text:00467E38j
		cmp	ebx, 0C0000434h
		jz	loc_5B2638
		test	ebx, ebx
		js	loc_467D20
		mov	ebx, [esi+0Ch]
		mov	[ebp-44h], ebx
		mov	ecx, [ebx]
		nop
		mov	edx, [ebx+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	loc_467D14
		mov	eax, [esi+4]
		mov	[ebp-4Ch], eax
		test	al, 2
		jnz	loc_467CFF

loc_467A51:				; CODE XREF: .text:00467D09j
					; .text:005B264Cj ...
		mov	eax, ecx
		or	eax, edx
		jnz	loc_467CC5
		mov	[ebp-20h], eax
		xor	ebx, ebx
		mov	[ebp-70h], eax
		mov	[ebp-6Ch], eax
		mov	[ebp-68h], eax
		mov	[ebp-64h], eax
		mov	[ebp-60h], eax
		mov	[ebp-5Ch], eax
		mov	[ebp-54h], eax
		mov	eax, large fs:124h
		mov	byte ptr [ebp-1], 1
		mov	[ebp-78h], ebx
		mov	[ebp-50h], ebx
		mov	eax, [eax+80h]
		mov	[ebp-2Ch], eax
		mov	eax, [edi]
		test	byte ptr [eax+60h], 7
		jnz	short loc_467A9E
		mov	ebx, 40h
		mov	[ebp-78h], ebx

loc_467A9E:				; CODE XREF: .text:00467A94j
		mov	edx, [esi+8]
		mov	edi, edx
		mov	eax, edx
		and	edi, 0FFFFFFFEh
		mov	[ebp-18h], edi
		and	eax, 1
		jnz	loc_467FEB

loc_467AB4:				; CODE XREF: .text:00467FEEj
		mov	ecx, edi
		test	eax, eax
		jnz	loc_46815C

loc_467ABE:				; CODE XREF: .text:0046815Fj
		mov	edi, ecx
		mov	[ebp-18h], edi
		test	eax, eax
		jnz	loc_5B2660

loc_467ACB:				; CODE XREF: .text:00467FFCj
					; .text:00468005j
		test	bl, 0Bh
		jnz	loc_46800B
		xor	edi, edi
		mov	[ebp-18h], edi

loc_467AD9:				; CODE XREF: .text:00468024j
					; .text:005B268Ej ...
		mov	ecx, [esi]
		mov	eax, ecx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp-58h], edi
		mov	[ebp-4Ch], eax
		add	eax, 0C0000000h
		mov	[ebp-74h], esi
		mov	[ebp-30h], ecx
		mov	[ebp-3Ch], eax
		cmp	ecx, dword_6D07D0
		jnb	loc_467FA1

loc_467B05:				; CODE XREF: .text:00467FB5j
					; .text:00467FBDj
		xor	esi, esi
		cmp	ecx, ds:_MmHighestUserAddress
		ja	loc_467FC8
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	byte ptr [eax+3A8h], 1
		jnz	short loc_467B46
		mov	eax, ecx
		and	eax, 0FFFFF000h
		cmp	eax, 7FFE0000h
		jz	loc_4680F1
		cmp	eax, dword_6D0618
		jz	loc_46810A

loc_467B46:				; CODE XREF: .text:00467B26j
					; .text:0046810Cj
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		mov	esi, [edx+354h]
		test	esi, esi
		jz	loc_467DA1
		mov	eax, ecx
		shr	eax, 0Ch
		cmp	eax, [esi+0Ch]
		jb	loc_467D93
		cmp	eax, [esi+10h]
		ja	loc_467D93

loc_467B77:				; CODE XREF: .text:00467F8Ej
		test	esi, esi
		jz	loc_467DA3
		push	esi
		lea	edx, [ebp-20h]
		call	MiCheckUserVirtualAddress
		mov	edi, [ebp-20h]
		mov	edx, eax
		mov	ebx, [ebp-78h]
		mov	ecx, [ebp-30h]
		mov	[ebp-1Ch], eax
		cmp	edi, 18h
		jz	loc_4680BC

loc_467B9F:				; CODE XREF: .text:00467FE6j
					; .text:00468105j ...
		mov	eax, edi
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jz	loc_468216
		mov	eax, [ebp-8]
		mov	[ebp-70h], ecx
		mov	[ebp-68h], edi
		mov	[ebp-6Ch], edx
		mov	eax, [eax+4]
		shr	eax, 19h
		mov	[ebp-5Ch], eax
		mov	[ebp-54h], esi
		mov	dword ptr [ebp-64h], 0
		test	edx, edx
		jz	loc_467DC7
		test	bl, 2
		jnz	short loc_467BF6
		test	esi, esi
		jz	short loc_467BF6
		cmp	dword ptr [esi+44h], 0
		jl	short loc_467BF6
		lea	ecx, [ebp-78h]
		call	_MiCheckVadSequential@4	; MiCheckVadSequential(x)
		cmp	eax, 0C0000220h
		jz	loc_4681FB

loc_467BF6:				; CODE XREF: .text:00467BD7j
					; .text:00467BDBj ...
		lea	ecx, [ebp-78h]
		mov	[ebp-34h], edi
		call	_MiResolveSharedZeroFault@4 ; MiResolveSharedZeroFault(x)
		mov	ebx, [ebp-44h]
		mov	esi, [ebp-8]

loc_467C07:				; CODE XREF: .text:00467CDAj
					; .text:00467CFAj
		cmp	edi, 100h
		jz	loc_467C97
		mov	eax, [esi+8]
		mov	ecx, [esi+4]
		mov	[ebp-4Ch], eax
		and	ecx, 2
		mov	eax, [esi+24h]
		shr	eax, 6
		test	al, 1
		jz	short loc_467C4F
		mov	eax, ds:_MmHighestUserAddress
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	ebx, eax
		ja	loc_46818A
		cmp	ebx, 0C0000000h
		jb	loc_46818A

loc_467C4F:				; CODE XREF: .text:00467C27j
		mov	edx, [ebx]
		mov	[ebp-44h], edx
		nop
		mov	eax, [ebx+4]
		mov	[ebp-3Ch], eax
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jnz	loc_5B2752
		test	ecx, ecx
		jz	short loc_467C72
		mov	ecx, 1

loc_467C72:				; CODE XREF: .text:00467C6Bj
		mov	eax, edi
		and	eax, 7
		movsx	eax, ds:_MiReadWrite[eax]
		sub	eax, ecx
		cmp	eax, 0Ah
		jl	loc_46818A
		mov	eax, edi
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jz	loc_468041

loc_467C97:				; CODE XREF: .text:00467C0Dj
					; .text:00468240j ...
		mov	eax, [ebp-1Ch]
		mov	[esi+2Ch], eax
		mov	eax, 0C0000016h

loc_467CA2:				; CODE XREF: .text:00467D8Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_467CA9:				; CODE XREF: .text:00467632j
					; .text:00467642j ...
		cmp	dword_6D34D0, 0
		jz	loc_467689

loc_467CB6:				; CODE XREF: .text:00467683j
		mov	ecx, 3

loc_467CBB:				; CODE XREF: .text:005B2318j
		call	MiDelayFaultingThread
		jmp	loc_467689
; 

loc_467CC5:				; CODE XREF: .text:00467A55j
		mov	edi, ecx
		and	ecx, 400h
		shrd	edi, edx, 5
		and	edi, 1Fh
		or	ecx, 0
		mov	[ebp-34h], edi
		jz	loc_467C07
		lea	edx, [ebp-34h]
		mov	ecx, ebx
		call	MiCheckProtoAccess
		mov	edi, eax
		mov	[ebp-1Ch], edi
		test	edi, edi
		jz	loc_5B2743
		mov	edi, [ebp-34h]
		jmp	loc_467C07
; 

loc_467CFF:				; CODE XREF: .text:00467A4Bj
		mov	eax, [ebp-28h]
		test	byte ptr [eax+0FCh], 10h
		jz	loc_467A51
		jmp	loc_5B2644
; 

loc_467D14:				; CODE XREF: .text:00467A3Dj
		push	edx
		push	ecx
		mov	ecx, esi
		call	_MiValidFault@12 ; MiValidFault(x,x,x)
		mov	[ebp-14h], eax

loc_467D20:				; CODE XREF: .text:00467A23j
					; .text:005B2394j ...
		mov	edx, [edi+0Ch]
		mov	esi, [edi]
		test	edx, edx
		jz	short loc_467D76
		cmp	word ptr [edi+6], 0
		jnz	loc_5B27F6

loc_467D34:				; CODE XREF: .text:005B2800j
		lea	eax, [ebp-38h]
		mov	dword ptr [ebp-38h], 0
		push	eax
		mov	ecx, esi
		call	MiGetPageTableLockBuffer
		mov	ebx, eax
		mov	edx, [ebx]
		mov	eax, [ebp-38h]
		mov	ecx, eax
		shl	dword ptr [ebp-0Ch], cl
		mov	ecx, edx
		not	dword ptr [ebp-0Ch]
		btr	ecx, eax
		and	ecx, [ebp-0Ch]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	loc_4681D0

loc_467D6B:				; CODE XREF: .text:004681E8j
		or	byte ptr [edi+9], 2
		mov	dword ptr [edi+0Ch], 0

loc_467D76:				; CODE XREF: .text:00467D27j
		mov	al, [edi+9]
		mov	ecx, esi
		mov	dl, [edi+8]
		test	al, 1
		jnz	loc_5B2805
		call	MiUnlockWorkingSetShared

loc_467D8B:				; CODE XREF: .text:005B280Aj
		mov	eax, [ebp-14h]
		jmp	loc_467CA2
; 

loc_467D93:				; CODE XREF: .text:00467B68j
					; .text:00467B71j
		mov	esi, [edx+350h]
		test	esi, esi
		jnz	loc_467F66

loc_467DA1:				; CODE XREF: .text:00467B5Aj
					; .text:00467F7Bj ...
		xor	esi, esi

loc_467DA3:				; CODE XREF: .text:00467B79j
		mov	ebx, [ebp-78h]

loc_467DA6:				; CODE XREF: .text:00467FD3j
					; .text:004680BFj
		mov	eax, [ebp-8]
		mov	edx, esi
		push	dword ptr [ebp-2Ch]
		mov	eax, [eax+4]
		push	eax
		call	MiCheckFatalAccessViolation
		test	bl, 2
		jnz	loc_4681C3

loc_467DC0:				; CODE XREF: .text:004681C5j
					; .text:005B2721j
		mov	edi, 0C0000005h
		jmp	short loc_467DD1
; 

loc_467DC7:				; CODE XREF: .text:00467BCEj
		lea	ecx, [ebp-78h]
		call	_MiResolvePrivateZeroFault@4 ; MiResolvePrivateZeroFault(x)
		mov	edi, eax

loc_467DD1:				; CODE XREF: .text:00467DC5j
					; .text:004681EFj
		mov	ebx, [ebp-8]

loc_467DD4:				; CODE XREF: .text:00468224j
					; .text:005B26C2j ...
		mov	esi, [ebp-10h]
		mov	ecx, esi
		mov	eax, [esi]
		mov	[ebp-3Ch], eax
		call	MiUnlockFaultPageTable
		test	byte ptr [esi+9], 1
		mov	dl, [esi+8]
		mov	ecx, [ebp-3Ch]
		jnz	loc_5B2726
		call	MiUnlockWorkingSetShared

loc_467DF8:				; CODE XREF: .text:005B272Bj
		cmp	byte ptr [ebp-1], 2
		jz	loc_5B2730

loc_467E02:				; CODE XREF: .text:004680A1j
					; .text:005B273Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_467E0B:				; CODE XREF: .text:004678E6j
		mov	ecx, ebx
		call	_MiIsPdeOrAboveAccessible@4 ; MiIsPdeOrAboveAccessible(x)
		test	eax, eax
		jz	loc_5B25CF
		mov	edx, [ebp-30h]
		mov	ecx, esi
		call	MiInPagePageTable
		mov	ebx, eax
		mov	[ebp-14h], ebx
		test	ebx, ebx
		jns	loc_467F36

loc_467E31:				; CODE XREF: .text:00467A0Fj
					; .text:005B2625j ...
		mov	ecx, edi
		call	MiUnlockFaultPageTable
		jmp	loc_467A15
; 

loc_467E3D:				; CODE XREF: .text:0046795Ej
		test	al, 2
		jnz	loc_467EE0
		mov	eax, [ebp-0Ch]
		mov	ecx, edi
		mov	ebx, [ebp-18h]
		shl	eax, cl
		or	eax, edx
		mov	[ebp-44h], eax
		mov	ecx, eax
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	loc_4681BC
		mov	edx, [ebp-44h]
		jmp	loc_46794F
; 

loc_467E6C:				; CODE XREF: .text:0046782Bj
		test	al, 2
		jnz	loc_467F03
		mov	eax, [ebp-0Ch]
		mov	ecx, edi
		mov	ebx, [ebp-18h]
		shl	eax, cl
		or	eax, edx
		mov	[ebp-3Ch], eax
		mov	ecx, eax
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	loc_468132
		mov	edx, [ebp-3Ch]
		jmp	loc_46781C
; 

loc_467E9B:				; CODE XREF: .text:00467796j
		test	al, 2
		jz	loc_467F45
		mov	edi, [ebp-30h]
		jmp	short loc_467EB0
; 
		align 10h

loc_467EB0:				; CODE XREF: .text:00467EA6j
					; .text:00467EC7j
		inc	edi
		test	ds:_HvlLongSpinCountMask, edi
		jz	loc_5B23EA

loc_467EBD:				; CODE XREF: .text:005B23F1j
		pause

loc_467EBF:				; CODE XREF: .text:005B2400j
		mov	ebx, [esi]
		mov	eax, ebx
		shr	eax, cl
		test	al, 1
		jnz	short loc_467EB0
		mov	[ebp-30h], edi
		mov	edi, [ebp-10h]
		jmp	loc_46778A
; 
		jmp	short loc_467EE0
; 
		align 10h

loc_467EE0:				; CODE XREF: .text:00467E3Fj
					; .text:00467ED4j ...
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jz	loc_5B2552

loc_467EED:				; CODE XREF: .text:005B2559j
		pause

loc_467EEF:				; CODE XREF: .text:005B2565j
		mov	ecx, [ebp-18h]
		mov	edx, [ecx]
		mov	eax, edx
		mov	ecx, edi
		shr	eax, cl
		test	al, 1
		jnz	short loc_467EE0
		jmp	loc_46794F
; 

loc_467F03:				; CODE XREF: .text:00467E6Ej
		mov	esi, [ebp-30h]
		jmp	short loc_467F10
; 
		align 10h

loc_467F10:				; CODE XREF: .text:00467F06j
					; .text:00467F2Cj
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jz	loc_5B246A

loc_467F1D:				; CODE XREF: .text:005B2471j
		pause

loc_467F1F:				; CODE XREF: .text:005B247Dj
		mov	eax, [ebp-18h]
		mov	ecx, edi
		mov	edx, [eax]
		mov	eax, edx
		shr	eax, cl
		test	al, 1
		jnz	short loc_467F10
		mov	[ebp-30h], esi
		jmp	loc_46781C
; 

loc_467F36:				; CODE XREF: .text:00467E2Bj
		mov	ecx, [ebp-30h]
		mov	eax, [ebp-24h]
		inc	ecx
		add	eax, 4
		jmp	loc_4679FB
; 

loc_467F45:				; CODE XREF: .text:00467E9Dj
		mov	edx, [ebp-0Ch]
		mov	eax, ebx
		shl	edx, cl
		or	edx, ebx
		mov	ecx, edx
		lock cmpxchg [esi], ecx
		mov	ecx, [ebp-18h]
		cmp	eax, ebx
		jnz	loc_4680EA
		mov	ebx, edx
		jmp	loc_46778A
; 

loc_467F66:				; CODE XREF: .text:00467D9Bj
					; .text:00467F79j
		cmp	eax, [esi+10h]
		ja	short loc_467F74
		cmp	eax, [esi+0Ch]
		jnb	short loc_467F80
		mov	esi, [esi]
		jmp	short loc_467F77
; 

loc_467F74:				; CODE XREF: .text:00467F69j
		mov	esi, [esi+4]

loc_467F77:				; CODE XREF: .text:00467F72j
		test	esi, esi
		jnz	short loc_467F66
		jmp	loc_467DA1
; 

loc_467F80:				; CODE XREF: .text:00467F6Ej
		test	esi, esi
		jz	loc_467DA1
		mov	[edx+354h], esi
		jmp	loc_467B77
; 

loc_467F93:				; CODE XREF: .text:004676CEj
		mov	dl, bl
		mov	ecx, esi
		call	ExpWaitForSpinLockSharedAndAcquire
		jmp	loc_4676D4
; 

loc_467FA1:				; CODE XREF: .text:00467AFFj
		test	bl, 2
		jnz	loc_4681ED
		lea	eax, [ecx+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	loc_467B05
		test	edx, edx
		jz	loc_467B05
		jmp	loc_5B269F
; 

loc_467FC8:				; CODE XREF: .text:00467B0Dj
		lea	eax, [ecx+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	loc_467DA6
		mov	edi, 4
		xor	edx, edx
		mov	[ebp-20h], edi
		mov	[ebp-1Ch], edx
		jmp	loc_467B9F
; 

loc_467FEB:				; CODE XREF: .text:00467AAEj
		cmp	byte ptr [edi],	2
		jnz	loc_467AB4
		or	ebx, 1

loc_467FF7:				; CODE XREF: .text:0046816Dj
					; .text:005B2674j
		mov	[ebp-78h], ebx

loc_467FFA:				; CODE XREF: .text:005B2668j
		test	eax, eax
		jz	loc_467ACB
		cmp	byte ptr [edi],	4
		jnz	loc_467ACB

loc_46800B:				; CODE XREF: .text:00467ACEj
		test	eax, eax
		jz	short loc_468018
		cmp	byte ptr [edi],	4
		jz	loc_5B2679

loc_468018:				; CODE XREF: .text:0046800Dj
					; .text:005B267Fj
		test	bl, 2
		jnz	loc_468172

loc_468021:				; CODE XREF: .text:00468179j
					; .text:00468185j
		test	bl, 8
		jz	loc_467AD9
		jmp	loc_5B2684
; 

loc_46802F:				; CODE XREF: .text:0046764Ej
		cmp	dword_6D5100, 0
		jz	loc_467654
		jmp	loc_467CA9
; 

loc_468041:				; CODE XREF: .text:00467C91j
		mov	ecx, [ebp-4Ch]
		test	cl, 1
		jnz	loc_468232

loc_46804D:				; CODE XREF: .text:0046823Aj
		call	MiAllowGuardFault
		test	eax, eax
		jz	loc_46818A
		mov	ecx, [ebp-44h]
		mov	eax, ecx
		and	eax, 800h
		or	eax, 0
		jnz	loc_5B276E

loc_46806D:				; CODE XREF: .text:005B2778j
		and	edi, 0Fh
		xor	eax, eax
		shld	eax, edi, 5
		and	ecx, 0FFFFFC1Fh
		shl	edi, 5
		or	edi, ecx
		or	eax, [ebp-3Ch]
		mov	[ebx], edi
		nop
		mov	[ebx+4], eax

loc_46808A:				; CODE XREF: .text:005B27D9j
					; .text:005B27EAj
		mov	edi, 80000001h

loc_46808F:				; CODE XREF: .text:004681B7j
		mov	ecx, [ebp-10h]
		mov	dl, 21h
		push	0
		call	_MiReleaseFaultState@12	; MiReleaseFaultState(x,x,x)
		cmp	edi, 80000001h
		jnz	loc_467E02
		mov	eax, [ebp-8]
		xor	edx, edx
		mov	ecx, [eax]
		call	MiCheckForUserStackOverflow
		mov	edi, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4680BC:				; CODE XREF: .text:00467B99j
		mov	edi, [ebp-18h]
		jmp	loc_467DA6
; 

loc_4680C4:				; CODE XREF: .text:004677B2j
		mov	ecx, [ebp-18h]
		mov	ebx, eax
		jmp	loc_467790
; 

loc_4680CE:				; CODE XREF: .text:004679E3j
		mov	edi, [ebp-18h]

loc_4680D1:				; CODE XREF: .text:004680E0j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, ebx
		and	ecx, esi
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_4680D1
		mov	edi, [ebp-10h]
		jmp	loc_4679E9
; 

loc_4680EA:				; CODE XREF: .text:00467F59j
		mov	ebx, eax
		jmp	loc_46778A
; 

loc_4680F1:				; CODE XREF: .text:00467B34j
		mov	edx, dword_6D0610
		mov	edi, 1
		mov	ebx, [ebp-78h]
		mov	[ebp-20h], edi
		mov	[ebp-1Ch], edx
		jmp	loc_467B9F
; 

loc_46810A:				; CODE XREF: .text:00467B40j
		test	eax, eax
		jz	loc_467B46
		mov	edx, dword_6D0614
		mov	edi, 1
		mov	ebx, [ebp-78h]
		mov	[ebp-20h], edi
		mov	[ebp-1Ch], edx
		jmp	loc_467B9F
; 

loc_46812B:				; CODE XREF: .text:00467847j
		mov	edx, eax
		jmp	loc_467823
; 

loc_468132:				; CODE XREF: .text:00467E8Dj
		mov	edx, eax
		jmp	loc_46781C
; 

loc_468139:				; CODE XREF: .text:004678B3j
		mov	edi, [ebp-30h]
		mov	esi, [ebp-18h]
		nop

loc_468140:				; CODE XREF: .text:0046814Fj
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, edi
		and	ecx, ebx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_468140
		mov	esi, [ebp-24h]
		mov	edi, [ebp-10h]
		jmp	loc_4678B9
; 

loc_46815C:				; CODE XREF: .text:00467AB8j
		cmp	byte ptr [ecx],	1
		jnz	loc_467ABE
		mov	edi, ecx
		or	ebx, 2
		mov	[ebp-18h], edi
		jmp	loc_467FF7
; 

loc_468172:				; CODE XREF: .text:0046801Bj
		test	dword ptr [edi+28h], 4000h
		jz	loc_468021
		or	ebx, 4
		mov	[ebp-78h], ebx
		jmp	loc_468021
; 

loc_46818A:				; CODE XREF: .text:00467C3Dj
					; .text:00467C49j ...
		mov	ecx, [esi]
		cmp	ecx, dword_6D07D0
		jnb	loc_5B27EF
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	ecx, [esi]
		mov	edi, eax

loc_4681A1:				; CODE XREF: .text:005B27F1j
		push	dword ptr [ebp-28h]
		mov	edx, [esi+4]
		push	edx
		mov	edx, edi
		call	MiCheckFatalAccessViolation
		mov	[esi+28h], edi
		mov	edi, 0C0000005h
		jmp	loc_46808F
; 

loc_4681BC:				; CODE XREF: .text:00467E5Ej
		mov	edx, eax
		jmp	loc_46794F
; 

loc_4681C3:				; CODE XREF: .text:00467DBAj
		test	esi, esi
		jz	loc_467DC0
		jmp	loc_5B2715
; 

loc_4681D0:				; CODE XREF: .text:00467D65j
		mov	edi, [ebp-38h]

loc_4681D3:				; CODE XREF: .text:004681E3j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, edi
		and	ecx, [ebp-0Ch]
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_4681D3
		mov	edi, [ebp-10h]
		jmp	loc_467D6B
; 

loc_4681ED:				; CODE XREF: .text:00467FA4j
		xor	edi, edi
		jmp	loc_467DD1
; 

loc_4681F4:				; CODE XREF: .text:0046797Dj
		mov	edx, eax
		jmp	loc_467956
; 

loc_4681FB:				; CODE XREF: .text:00467BF0j
		mov	eax, 1
		lock xadd [esi+14h], eax
		jz	short loc_468245
		mov	eax, [ebp-8]
		or	dword ptr [eax+24h], 1
		mov	[eax+28h], esi
		jmp	loc_467BF6
; 

loc_468216:				; CODE XREF: .text:00467BA7j
		test	bl, 2
		mov	ebx, [ebp-8]
		jz	loc_5B26B1
		xor	edi, edi
		jmp	loc_467DD4
; 

loc_468229:				; CODE XREF: .text:004676DAj
		xor	eax, eax
		xchg	eax, [esi]
		jmp	loc_4676E0
; 

loc_468232:				; CODE XREF: .text:00468047j
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		jnz	loc_46804D
		jmp	loc_467C97
; 

loc_468245:				; CODE XREF: .text:00468205j
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDispatchFault	proc near		; CODE XREF: MiInPagePageTable+277p
					; MmAccessFault+137p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2B		= byte ptr -2Bh
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B280F SIZE 000000ED BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	eax, edx
		mov	[ebp+var_6C], 0
		mov	ebx, ecx
		mov	[ebp+var_78], eax
		push	edi
		mov	ecx, 10h
		lea	edi, [ebp+var_48]
		mov	dword ptr [eax], 0
		mov	esi, ebx
		rep movsd
		mov	eax, [ebp+var_44]
		xor	edi, edi
		mov	esi, [ebp+var_48]
		and	eax, 2
		mov	ecx, [ebp+var_40]
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+var_34]
		shr	esi, 9
		mov	[ebp+var_64], eax
		and	esi, offset loc_7FFFF8
		mov	eax, ecx
		mov	[ebp+var_54], edi
		sub	esi, 40000000h
		and	eax, 1
		jnz	loc_46867B

loc_4682B9:				; CODE XREF: MiDispatchFault+436j
		test	eax, eax
		jnz	loc_468691

loc_4682C1:				; CODE XREF: MiDispatchFault+454j
					; MiDispatchFault+46Bj
		mov	[ebp+var_68], edi

loc_4682C4:				; CODE XREF: MiDispatchFault+43Cj
					; MiDispatchFault+44Cj	...
		xor	edx, edx
		mov	[ebp+var_60], edi
		lea	ecx, [ebp+var_48]
		call	MiComputeMaximumFaultCluster
		mov	cl, [ebp+var_2B]
		mov	[ebp+var_70], eax
		cmp	eax, 1
		ja	loc_4686E6

loc_4682E0:				; CODE XREF: MiDispatchFault+499j
		and	cl, 0FDh
		mov	[ebp+var_2B], cl
		test	eax, eax
		jz	loc_4683D3
		mov	edi, edi

loc_4682F0:				; CODE XREF: MiDispatchFault+17Dj
		test	cl, 8
		jnz	loc_4684F6

loc_4682F9:				; CODE XREF: MiDispatchFault+346j
		mov	ecx, [esi]
		mov	[ebp+var_50], ecx
		nop
		mov	edx, [esi+4]
		mov	eax, ecx
		or	eax, edx
		mov	[ebp+var_58], edx
		jz	loc_4685A1
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	loc_4685A1
		mov	edi, ecx
		mov	[ebp+var_4C], 100h
		mov	eax, edx
		shrd	edi, eax, 0Ah
		and	edi, 1
		mov	eax, edi
		or	eax, 0
		jz	loc_46842F
		cmp	[ebp+var_1C], 0
		jz	loc_468601

loc_468344:				; CODE XREF: MiDispatchFault+1E3j
					; MiDispatchFault+3CFj	...
		test	byte ptr [ebp+var_40], 1
		jnz	loc_4685E5

loc_46834E:				; CODE XREF: MiDispatchFault+39Ej
					; MiDispatchFault+3ACj
		or	edi, 0
		jz	loc_468447
		mov	edx, [ebp+var_5C]
		lea	eax, [ebp+var_6C]
		push	eax
		lea	ecx, [ebp+var_48]
		call	_MiResolveProtoPteFault@12 ; MiResolveProtoPteFault(x,x,x)
		mov	edx, [ebp+var_40]
		mov	[ebp+var_50], edx

loc_46836C:				; CODE XREF: MiDispatchFault+279j
					; MiDispatchFault+390j	...
		mov	edi, [ebp+var_54]

loc_46836F:				; CODE XREF: MiDispatchFault+359j
		test	[ebp+var_2B], 8
		jnz	short loc_46837A
		mov	edi, eax
		mov	[ebp+var_54], edi

loc_46837A:				; CODE XREF: MiDispatchFault+123j
		test	eax, eax
		js	loc_46865C
		mov	cl, [ebp+var_2B]
		add	esi, 8
		add	[ebp+var_48], 1000h
		or	cl, 8
		inc	[ebp+var_60]
		mov	[ebp+var_2B], cl
		mov	[ebp+var_3C], esi
		test	cl, 2
		jnz	loc_4686CD

loc_4683A4:				; CODE XREF: MiDispatchFault+14A680j
		mov	[ebp+var_1C], 0
		and	edx, 1
		jnz	loc_4684CE

loc_4683B4:				; CODE XREF: MiDispatchFault+28Dj
		and	[ebp+var_44], 0FFFFFFFDh
		mov	[ebp+var_5C], 0

loc_4683BF:				; CODE XREF: MiDispatchFault+287j
		test	edx, edx
		jnz	loc_4684E2

loc_4683C7:				; CODE XREF: MiDispatchFault+29Bj
					; MiDispatchFault+14A688j
		mov	edx, [ebp+var_60]
		cmp	edx, [ebp+var_70]
		jb	loc_4682F0

loc_4683D3:				; CODE XREF: MiDispatchFault+98j
					; MiDispatchFault+2ADj	...
		mov	edx, [ebp+var_24]

loc_4683D6:				; CODE XREF: MiDispatchFault+420j
					; MiDispatchFault+14A694j
		test	byte ptr [ebp+var_24], 80h
		mov	eax, [ebp+var_34]
		mov	[ebx+14h], eax
		mov	eax, [ebp+var_30]
		mov	[ebx+18h], eax
		mov	eax, [ebp-2Ch]
		mov	[ebx+1Ch], eax
		mov	eax, [ebp+var_28]
		mov	[ebx+20h], eax
		mov	eax, [ebp+var_14]
		mov	[ebx+34h], eax
		mov	eax, [ebp+var_10]
		mov	[ebx+38h], eax
		mov	eax, [ebp+var_C]
		mov	[ebx+3Ch], eax
		mov	eax, [ebp+var_18]
		mov	[ebx+30h], eax
		jnz	loc_5B28E9

loc_468410:				; CODE XREF: MiDispatchFault+14A6A7j
		cmp	edi, 0C0033333h
		jz	loc_4686C0

loc_46841C:				; CODE XREF: MiDispatchFault+478j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_46842F:				; CODE XREF: MiDispatchFault+E4j
		test	[ebp+var_2B], 8
		jz	loc_468344
		mov	eax, edx
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		jmp	loc_468619
; 

loc_468447:				; CODE XREF: MiDispatchFault+101j
		mov	edx, [ebp+var_50]
		mov	eax, edx
		and	eax, 800h
		or	eax, 0
		jnz	loc_4685C7
		nop
		mov	edi, [ebp+var_58]
		mov	ecx, edx
		mov	eax, edi
		shrd	ecx, eax, 2
		test	cl, 1
		jnz	loc_468788
		mov	ecx, [ebp+var_40]
		xor	eax, eax
		mov	[ebp+var_4C], ecx
		and	[ebp+var_4C], 1
		mov	[ebp+var_50], ecx
		jnz	loc_468715

loc_468484:				; CODE XREF: MiDispatchFault+4D3j
					; MiDispatchFault+4E6j
		mov	eax, [ebp+var_4C]
		test	eax, eax
		jnz	loc_468744

loc_46848F:				; CODE XREF: MiDispatchFault+503j
					; MiDispatchFault+518j	...
		test	ecx, ecx
		jz	short loc_4684B4
		test	byte ptr [ecx+6Ch], 1
		jz	loc_4685AE

loc_46849D:				; CODE XREF: MiDispatchFault+365j
		mov	eax, ds:_KeUserPopEntrySListFault
		mov	[ebp+var_58], eax

loc_4684A5:				; CODE XREF: MiDispatchFault+372j
		mov	eax, [ebp+var_58]
		cmp	[ecx+68h], eax
		mov	eax, [ebp+var_4C]
		jz	loc_4687A9

loc_4684B4:				; CODE XREF: MiDispatchFault+241j
					; MiDispatchFault+52Dj	...
		push	[ebp+var_5C]
		mov	edx, esi
		lea	ecx, [ebp+var_48]
		push	0
		call	MiResolveDemandZeroFault
		mov	edx, [ebp+var_40]
		mov	[ebp+var_50], edx
		jmp	loc_46836C
; 

loc_4684CE:				; CODE XREF: MiDispatchFault+15Ej
		mov	eax, [ebp+var_50]
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	2
		jz	loc_4683BF
		jmp	loc_4683B4
; 

loc_4684E2:				; CODE XREF: MiDispatchFault+171j
		mov	eax, [ebp+var_50]
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	5
		jnz	loc_4683C7
		jmp	loc_5B28D5
; 

loc_4684F6:				; CODE XREF: MiDispatchFault+A3j
		mov	edx, [ebp+var_64]
		test	byte ptr [edx+63h], 8
		jnz	loc_4683D3
		mov	cl, [edx+60h]
		test	cl, 40h
		jnz	loc_4687DC

loc_46850F:				; CODE XREF: MiDispatchFault+593j
		and	cl, 7
		cmp	cl, 2
		jz	loc_5B280F
		lea	eax, [edx+80h]

loc_468521:				; CODE XREF: MiDispatchFault+14A5C4j
		mov	eax, [eax]
		test	eax, 40000000h
		jnz	loc_4683D3
		test	[ebp+var_2B], 1
		jnz	loc_4683D3
		mov	edx, esi
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		lea	eax, [edx-600000h]
		sar	eax, 3
		lea	ecx, [eax+eax]
		mov	eax, ecx
		and	eax, 1Fh
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_64]
		mov	al, [eax+60h]
		and	al, 7
		cmp	al, 2
		jnb	loc_4686EE
		shr	ecx, 5
		test	al, al
		mov	eax, [ebp+var_64]
		jnz	loc_4687CF
		mov	eax, [eax+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_468580:				; CODE XREF: MiDispatchFault+4C0j
					; MiDispatchFault+587j
		mov	ecx, [ebp+var_4C]

loc_468583:				; CODE XREF: MiDispatchFault+14A5FDj
		mov	eax, [eax]
		shr	eax, cl
		test	al, 2
		jnz	loc_4683D3
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	loc_4682F9
		jmp	loc_4683D3
; 

loc_4685A1:				; CODE XREF: MiDispatchFault+B9j
					; MiDispatchFault+C7j
		mov	edx, [ebp+var_40]
		xor	eax, eax
		mov	[ebp+var_50], edx
		jmp	loc_46836F
; 

loc_4685AE:				; CODE XREF: MiDispatchFault+247j
		test	dword ptr [ecx+70h], 20000h
		jnz	loc_46849D
		mov	[ebp+var_58], offset _ExpInterlockedPopEntrySListFault
		jmp	loc_4684A5
; 

loc_4685C7:				; CODE XREF: MiDispatchFault+204j
		lea	eax, [ebp+var_6C]
		mov	edx, esi
		push	eax
		push	[ebp+var_5C]
		lea	ecx, [ebp+var_48]
		push	0
		call	_MiResolveTransitionFault@20 ; MiResolveTransitionFault(x,x,x,x,x)
		mov	edx, [ebp+var_40]
		mov	[ebp+var_50], edx
		jmp	loc_46836C
; 

loc_4685E5:				; CODE XREF: MiDispatchFault+F8j
		mov	eax, [ebp+var_40]
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	2
		jnz	loc_46834E
		lea	ecx, [ebp+var_48]
		call	_MiAdjustFaultList@4 ; MiAdjustFaultList(x)
		jmp	loc_46834E
; 

loc_468601:				; CODE XREF: MiDispatchFault+EEj
		lea	edx, [ebp+var_4C]
		mov	ecx, esi
		call	MiCheckProtoAccess
		test	eax, eax
		jz	loc_5B2852
		mov	ecx, [ebp+var_4C]
		mov	[ebp+var_1C], eax

loc_468619:				; CODE XREF: MiDispatchFault+1F2j
		cmp	ecx, 100h
		jz	loc_468344
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jz	loc_5B2862

loc_468633:				; CODE XREF: MiDispatchFault+14A616j
		mov	eax, [ebp+var_24]
		mov	edx, [ebp+var_5C]
		push	0
		push	[ebp+var_40]
		shr	eax, 6
		and	al, 1
		push	ecx
		movzx	eax, al
		mov	ecx, esi
		push	eax
		call	MiAccessCheck
		test	eax, eax
		jz	loc_468344
		jmp	loc_5B287C
; 

loc_46865C:				; CODE XREF: MiDispatchFault+12Cj
		cmp	eax, 0C0000016h
		jnz	loc_4683D3
		mov	edx, [ebp+var_24]
		test	edx, 100h
		jz	loc_4683D6
		jmp	loc_5B28DD
; 

loc_46867B:				; CODE XREF: MiDispatchFault+63j
		mov	edx, ecx
		and	edx, 0FFFFFFFEh
		mov	[ebp+var_68], edx
		cmp	byte ptr [edx],	5
		jnz	loc_4682B9
		jmp	loc_4682C4
; 

loc_468691:				; CODE XREF: MiDispatchFault+6Bj
		mov	edx, ecx
		and	edx, 0FFFFFFFEh
		mov	[ebp+var_68], edx
		cmp	byte ptr [edx],	2
		jz	loc_4682C4
		test	eax, eax
		jz	loc_4682C1
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_68], eax
		cmp	byte ptr [eax],	1
		jz	loc_4682C4
		jmp	loc_4682C1
; 

loc_4686C0:				; CODE XREF: MiDispatchFault+1C6j
		mov	eax, [ebp+var_78]
		mov	ecx, [ebp+var_6C]
		mov	[eax], ecx
		jmp	loc_46841C
; 

loc_4686CD:				; CODE XREF: MiDispatchFault+14Ej
		mov	eax, [ebp+var_70]
		and	cl, 0FDh
		mov	edx, [ebp+var_60]
		mov	[ebp+var_2B], cl
		cmp	edx, eax
		jz	loc_4683D3
		jmp	loc_5B28A1
; 

loc_4686E6:				; CODE XREF: MiDispatchFault+8Aj
		or	cl, 4
		jmp	loc_4682E0
; 

loc_4686EE:				; CODE XREF: MiDispatchFault+311j
		cmp	edx, (offset loc_603014+4)
		jz	loc_5B2829
		cmp	edx, (offset loc_60300E+2)
		jz	loc_5B2819

loc_468706:				; CODE XREF: MiDispatchFault+14A5D3j
					; MiDispatchFault+14A5E6j
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_468580
; 

loc_468715:				; CODE XREF: MiDispatchFault+22Ej
		mov	edi, ecx
		and	edi, 0FFFFFFFEh
		mov	[ebp+var_74], edi
		cmp	byte ptr [edi],	1
		mov	edi, [ebp+var_58]
		jnz	loc_468484
		mov	edi, [ebp+var_74]
		test	dword ptr [edi+28h], 4000h
		mov	edi, [ebp+var_58]
		jnz	loc_468484

loc_46873C:				; CODE XREF: MiDispatchFault+14A60Dj
					; MiDispatchFault+14A64Cj
		mov	edx, [ebp+var_50]
		jmp	loc_46836C
; 

loc_468744:				; CODE XREF: MiDispatchFault+239j
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		mov	eax, [ebp+var_4C]
		jz	short loc_4687A9
		test	eax, eax
		jz	loc_46848F
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	3
		mov	eax, [ebp+var_4C]
		jz	short loc_4687A9
		test	eax, eax
		jz	loc_46848F
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	6
		mov	eax, [ebp+var_4C]
		jz	short loc_4687A9
		test	eax, eax
		jnz	loc_4684B4
		jmp	loc_46848F
; 

loc_468788:				; CODE XREF: MiDispatchFault+219j
		test	[ebp+var_2B], 8
		jnz	short loc_4687EE
		lea	eax, [ebp+var_6C]
		mov	edx, esi
		push	eax
		push	0
		lea	ecx, [ebp+var_48]
		call	MiResolvePageFileFault
		mov	edx, [ebp+var_40]
		mov	[ebp+var_50], edx
		jmp	loc_46836C
; 

loc_4687A9:				; CODE XREF: MiDispatchFault+25Ej
					; MiDispatchFault+4FFj	...
		test	eax, eax
		jz	short loc_4687BB
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	6
		jz	loc_4684B4

loc_4687BB:				; CODE XREF: MiDispatchFault+55Bj
		mov	eax, [ebp+var_48]
		cmp	eax, dword_6D07D0
		jb	loc_4684B4
		jmp	loc_5B2887
; 

loc_4687CF:				; CODE XREF: MiDispatchFault+31Fj
		lea	eax, [eax+ecx*4]
		add	eax, 120h
		jmp	loc_468580
; 

loc_4687DC:				; CODE XREF: MiDispatchFault+2B9j
		mov	eax, [edx+40h]
		inc	eax
		cmp	eax, [edx+50h]
		jb	loc_46850F
		jmp	loc_4683D3
; 

loc_4687EE:				; CODE XREF: MiDispatchFault+53Cj
		mov	eax, [ebp+var_68]
		test	eax, eax
		jz	short loc_4687FC
		mov	ecx, eax
		call	_MiAdvanceFaultList@4 ;	MiAdvanceFaultList(x)

loc_4687FC:				; CODE XREF: MiDispatchFault+5A3j
		mov	edx, [ebp+var_40]
		mov	eax, 0C0000434h
		mov	[ebp+var_50], edx
		jmp	loc_46836C
MiDispatchFault	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputeMaximumFaultCluster proc near	; CODE XREF: MiDispatchFault+7Cp
					; MiDispatchFault+14A658p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B28FC SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	ecx, [esi+8]
		mov	eax, ecx
		mov	edi, [esi]
		and	eax, 0FFFFFFFEh
		and	edi, 0FFFFF000h
		cmp	ecx, eax
		jnz	short loc_46883D

loc_468831:				; CODE XREF: MiComputeMaximumFaultCluster+37j
		pop	edi
		pop	esi
		mov	eax, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_46883D:				; CODE XREF: MiComputeMaximumFaultCluster+1Fj
		mov	ecx, esi
		call	_MiFaultListPagesRemaining@4 ; MiFaultListPagesRemaining(x)
		cmp	eax, 1
		jz	short loc_468831
		test	ebx, ebx
		jnz	loc_5B28FC

loc_468851:				; CODE XREF: MiComputeMaximumFaultCluster+14A0F4j
		mov	ebx, eax

loc_468853:				; CODE XREF: MiComputeMaximumFaultCluster+14A0EEj
		mov	edx, edi
		mov	ecx, 200h
		shr	edx, 9
		sub	edx, 40000000h
		mov	eax, edx
		mov	[ebp+var_4], edx
		shr	eax, 3
		and	eax, 1FFh
		sub	ecx, eax
		cmp	ebx, ecx
		ja	short loc_4688C0

loc_468876:				; CODE XREF: MiComputeMaximumFaultCluster+B2j
		cmp	edi, dword_6D07D0
		jnb	short loc_46889C
		mov	eax, [esi+28h]
		test	eax, eax
		jnz	short loc_468893
		mov	ecx, edi
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edx, [ebp+var_4]
		test	eax, eax
		jz	short loc_4688CF

loc_468893:				; CODE XREF: MiComputeMaximumFaultCluster+73j
		mov	ecx, [eax+10h]
		shr	edi, 0Ch
		sub	ecx, edi
		inc	ecx

loc_46889C:				; CODE XREF: MiComputeMaximumFaultCluster+6Cj
					; MiComputeMaximumFaultCluster+C4j
		cmp	ebx, ecx
		ja	short loc_4688CB

loc_4688A0:				; CODE XREF: MiComputeMaximumFaultCluster+BDj
		cmp	ebx, 1
		jbe	short loc_4688B7
		mov	ecx, [esi+14h]
		test	byte ptr [ecx+60h], 7
		jnz	short loc_4688B7
		call	MiPageTableHasValidWsles
		test	eax, eax
		jz	short loc_4688C4

loc_4688B7:				; CODE XREF: MiComputeMaximumFaultCluster+93j
					; MiComputeMaximumFaultCluster+9Cj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4688C0:				; CODE XREF: MiComputeMaximumFaultCluster+64j
		mov	ebx, ecx
		jmp	short loc_468876
; 

loc_4688C4:				; CODE XREF: MiComputeMaximumFaultCluster+A5j
		mov	ebx, 1
		jmp	short loc_4688B7
; 

loc_4688CB:				; CODE XREF: MiComputeMaximumFaultCluster+8Ej
		mov	ebx, ecx
		jmp	short loc_4688A0
; 

loc_4688CF:				; CODE XREF: MiComputeMaximumFaultCluster+81j
		mov	ecx, 1
		jmp	short loc_46889C
MiComputeMaximumFaultCluster endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockWorkingSetShared proc near	; CODE XREF: MiDeleteSystemPageTables(x,x,x,x,x,x)+A6p
					; MiMakeHyperRangeAccessible+F3p ...

; FUNCTION CHUNK AT 005B2909 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		push	edi
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 4
		ja	loc_4689C2

loc_4688FD:				; CODE XREF: MiUnlockWorkingSetShared+E6j
		mov	eax, [esi+60h]
		mov	ecx, eax
		shr	ecx, 18h
		test	cl, 0Ch
		jnz	loc_4689CB
		test	cl, 10h
		jnz	loc_4689CB

loc_468917:				; CODE XREF: MiUnlockWorkingSetShared+F5j
		and	al, 7
		cmp	al, 2
		jz	loc_4689B8
		lea	edi, [esi+80h]

loc_468927:				; CODE XREF: MiUnlockWorkingSetShared+DDj
		test	ds:_MiFlags, 0C00000h
		jz	short loc_468940
		test	al, al
		jnz	short loc_468940
		cmp	byte ptr [esi-1CCh], 1
		jnz	short loc_468967

loc_468940:				; CODE XREF: MiUnlockWorkingSetShared+51j
					; MiUnlockWorkingSetShared+55j	...
		test	ds:byte_70EFC6,	1
		jnz	loc_5B2909
		mov	eax, 0BFFFFFFFh
		lock and [edi],	eax
		lock dec dword ptr [edi]

loc_468958:				; CODE XREF: MiUnlockWorkingSetShared+E4j
					; MiUnlockWorkingSetShared+14A033j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_468967:				; CODE XREF: MiUnlockWorkingSetShared+5Ej
		rdtsc
		and	eax, 3FF0h
		or	eax, 0
		jnz	short loc_468940
		cmp	[esi+0C4h], eax
		jz	short loc_468940
		cmp	[esi+0Ch], eax
		jz	short loc_468940
		cmp	[esi+10h], eax
		jz	short loc_468940
		mov	ecx, esi
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_468940
		push	1
		mov	edx, 0C0603018h
		call	MiLockPageTableInternal
		test	eax, eax
		jz	short loc_468940
		mov	ecx, 1
		call	MiPaeCheckProcessShadow
		mov	edx, 0C0603018h
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	short loc_468940
; 

loc_4689B8:				; CODE XREF: MiUnlockWorkingSetShared+3Bj
		mov	edi, offset unk_6D3C40
		jmp	loc_468927
; 

loc_4689C2:				; CODE XREF: MiUnlockWorkingSetShared+17j
		cmp	al, 5
		jnz	short loc_468958
		jmp	loc_4688FD
; 

loc_4689CB:				; CODE XREF: MiUnlockWorkingSetShared+28j
					; MiUnlockWorkingSetShared+31j
		mov	ecx, esi
		call	MiPreUnlockWorkingSetShared
		mov	al, [esi+60h]
		jmp	loc_468917
MiUnlockWorkingSetShared endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiResolveProtoPteFault(x, x, x)
_MiResolveProtoPteFault@12 proc	near	; CODE XREF: MiDispatchFault+111p

var_90		= dword	ptr -90h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_79		= byte ptr -79h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 88h
		mov	eax, [ebp+arg_0]
		mov	[esp+88h+var_74], edx
		mov	edx, ecx
		push	esi
		push	edi
		mov	dword ptr [eax], 0
		mov	eax, [edx+14h]
		mov	ecx, [edx+8]
		mov	[esp+90h+var_30], eax
		mov	eax, [edx]
		mov	[esp+90h+var_50], eax
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esp+90h+var_5C], edx
		sub	eax, 40000000h
		mov	[esp+90h+var_60], ecx
		mov	[esp+90h+var_38], eax
		mov	eax, ecx
		and	eax, 1
		mov	[esp+90h+var_34], eax
		jz	short loc_468A3F
		and	ecx, 0FFFFFFFEh
		mov	[esp+90h+var_54], ecx
		cmp	byte ptr [ecx],	1
		jz	short loc_468A47

loc_468A3F:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+51j
		mov	[esp+90h+var_54], 0

loc_468A47:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+5Dj
		mov	eax, [edx+2Ch]
		mov	[esp+90h+var_78], eax
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esp+90h+var_84], eax
		lea	ebx, [ebx+0]

loc_468A60:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+D0j
					; MiResolveProtoPteFault(x,x,x)+EDj
		mov	esi, [eax-40000000h]
		mov	[esp+90h+var_20], 0
		mov	[esp+90h+var_1C], 0
		nop
		mov	ecx, [eax-3FFFFFFCh]
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_469A3B
		mov	eax, esi
		and	eax, 200h
		or	eax, 0
		jnz	loc_469A3B
		nop
		mov	eax, [esp+90h+var_84]
		shrd	esi, ecx, 0Ch
		and	esi, 1FFFFFFh
		cmp	esi, dword_6D07B0
		ja	short loc_468A60
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		mov	eax, [esp+90h+var_84]
		jz	short loc_468A60
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		mov	[esp+90h+var_18], 0
		lea	ecx, [eax+ecx*4]
		lea	edi, [ecx+10h]
		mov	[esp+90h+var_80], ecx
		mov	[esp+90h+var_58], edi
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_468B19
		lea	ebx, [ebx+0]

loc_468B00:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+12Cj
					; MiResolveProtoPteFault(x,x,x)+133j
		lea	ecx, [esp+90h+var_18]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_468B00
		lock bts dword ptr [edi], 1Fh
		jb	short loc_468B00
		mov	ecx, [esp+90h+var_80]

loc_468B19:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+118j
		mov	eax, [esp+90h+var_84]
		mov	[esp+90h+var_68], 0
		mov	[esp+90h+var_64], 0
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[esp+90h+var_88], eax
		mov	[esp+90h+var_4], eax
		mov	eax, edx
		and	eax, 1
		mov	[esp+90h+var_8], edx
		or	eax, 0
		jz	loc_469A33
		mov	eax, edx
		and	eax, 200h
		or	eax, 0
		jnz	loc_469A33
		nop
		mov	eax, [esp+90h+var_88]
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		cmp	esi, edx
		jnz	loc_469A33
		mov	edx, 1
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	ecx, [esp+90h+var_80]
		mov	edx, 7FFFFFFFh
		mov	esi, [ecx+4]
		mov	al, [ecx+16h]
		or	esi, 80000000h
		mov	[esp+90h+var_88], esi
		test	al, 20h
		jz	short loc_468C04

loc_468BA8:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+21Ej
		lock and [edi],	edx
		mov	al, [ecx+16h]
		xor	esi, esi
		mov	[esp+90h+var_79], al
		test	al, 20h
		jz	short loc_468BEB
		jmp	short loc_468BC0
; 
		align 10h

loc_468BC0:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+1D8j
					; MiResolveProtoPteFault(x,x,x)+209j
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jnz	short loc_468BDE
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_468BDE
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		mov	ecx, [esp+90h+var_80]
		jmp	short loc_468BE0
; 

loc_468BDE:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+1E7j
					; MiResolveProtoPteFault(x,x,x)+1F0j
		pause

loc_468BE0:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+1FCj
		mov	al, [ecx+16h]
		mov	[esp+90h+var_79], al
		test	al, 20h
		jnz	short loc_468BC0

loc_468BEB:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+1D6j
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [esp+90h+var_80]
		mov	edx, 7FFFFFFFh
		mov	al, [ecx+16h]
		test	al, 20h
		jnz	short loc_468BA8
		mov	esi, [esp+90h+var_88]

loc_468C04:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+1C6j
		or	al, 20h
		mov	[ecx+16h], al
		test	dword ptr [edi], 40000000h
		jnz	short loc_468C30
		mov	edx, [esi]
		nop
		and	edx, 20h
		or	edx, 0
		jnz	short loc_468C30
		mov	byte ptr [esp+90h+var_88], dl
		mov	ecx, esi
		push	[esp+90h+var_88]
		mov	edx, 1
		call	_MiWriteValidPteVolatile@12 ; MiWriteValidPteVolatile(x,x,x)

loc_468C30:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+22Fj
					; MiResolveProtoPteFault(x,x,x)+23Aj
		mov	ecx, 7FFFFFFFh
		lock and [edi],	ecx
		jmp	short loc_468C40
; 
		align 10h

loc_468C40:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+258j
					; MiResolveProtoPteFault(x,x,x)+2E4j
		mov	edx, [esp+90h+var_78]

loc_468C44:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+351j
					; MiResolveProtoPteFault(x,x,x)+372j ...
		mov	ecx, [edx]
		mov	[esp+90h+var_68], 0
		mov	[esp+90h+var_64], 0
		mov	[esp+90h+var_3C], ecx
		nop
		mov	edx, [edx+4]
		mov	eax, ecx
		and	eax, 1
		mov	[esp+90h+var_84], edx
		or	eax, 0
		jz	short loc_468C80
		nop
		mov	esi, ecx
		mov	eax, edx
		shrd	esi, eax, 0Ch
		and	esi, 1FFFFFFh
		jmp	loc_468D27
; 

loc_468C80:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+28Aj
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jnz	loc_468DB8
		mov	eax, ecx
		and	eax, 800h
		or	eax, 0
		jz	loc_468DB8
		mov	eax, ecx
		or	eax, edx
		jz	short loc_468CD4
		mov	edx, dword_6D0700
		mov	eax, edx
		mov	esi, dword_6D0704
		or	eax, esi
		jz	short loc_468CD0
		and	ecx, edx
		mov	edx, [esp+90h+var_84]
		mov	eax, edx
		and	eax, esi
		or	ecx, eax
		jz	loc_468C40
		mov	ecx, [esp+90h+var_3C]
		jmp	short loc_468CD4
; 

loc_468CD0:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+2D6j
		mov	edx, [esp+90h+var_84]

loc_468CD4:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+2C4j
					; MiResolveProtoPteFault(x,x,x)+2EEj
		mov	eax, dword_6D0700
		mov	esi, ecx
		mov	edi, dword_6D0704
		mov	ecx, edx
		mov	[esp+90h+var_88], eax
		mov	edx, esi
		mov	[esp+90h+var_40], edi
		or	eax, edi
		mov	edi, [esp+90h+var_58]
		mov	[esp+90h+var_6C], ecx
		jz	short loc_468D1D
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_468D17
		mov	esi, [esp+90h+var_88]
		mov	ecx, [esp+90h+var_40]
		not	esi
		not	ecx
		and	esi, edx
		and	ecx, [esp+90h+var_6C]
		jmp	short loc_468D1D
; 

loc_468D17:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+321j
		mov	ecx, [esp+90h+var_6C]
		mov	esi, edx

loc_468D1D:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+317j
					; MiResolveProtoPteFault(x,x,x)+335j
		shrd	esi, ecx, 0Ch
		and	esi, 3FFFFFFh

loc_468D27:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+29Bj
		mov	edx, [esp+90h+var_78]
		cmp	esi, dword_6D07B0
		ja	loc_468C44
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		mov	edx, [esp+90h+var_78]
		shr	eax, cl
		and	eax, 1
		jz	loc_468C44
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		mov	[esp+90h+var_28], 0
		lea	eax, [eax+ecx*4]
		mov	[esp+90h+var_70], eax
		lea	esi, [eax+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_468D95
		nop

loc_468D80:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+3ACj
					; MiResolveProtoPteFault(x,x,x)+3B3j
		lea	ecx, [esp+90h+var_28]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_468D80
		lock bts dword ptr [esi], 1Fh
		jb	short loc_468D80

loc_468D95:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+39Dj
		mov	edx, [esp+90h+var_78]
		mov	eax, [edx]
		nop
		mov	ecx, [edx+4]
		cmp	eax, [esp+90h+var_3C]
		jnz	short loc_468DAB
		cmp	ecx, [esp+90h+var_84]
		jz	short loc_468DC4

loc_468DAB:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+3C3j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		jmp	loc_468C44
; 

loc_468DB8:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+2AAj
					; MiResolveProtoPteFault(x,x,x)+2BAj
		mov	edx, [esp+90h+var_78]
		mov	[esp+90h+var_70], 0

loc_468DC4:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+3C9j
		mov	edx, [edx]
		mov	[esp+90h+var_68], 0
		mov	[esp+90h+var_64], 0
		mov	[esp+90h+var_44], edx
		nop
		mov	ecx, [esp+90h+var_78]
		mov	eax, edx
		and	eax, 1
		mov	[esp+90h+var_10], edx
		or	eax, 0
		mov	ecx, [ecx+4]
		mov	[esp+90h+var_48], ecx
		mov	[esp+90h+var_C], ecx
		jz	loc_4691C7
		mov	eax, [esp+90h+var_54]
		test	eax, eax
		jz	short loc_468E49
		mov	edx, [eax+28h]
		mov	edi, [esp+90h+var_70]
		and	edx, 7
		mov	ecx, edi
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		cmp	edx, eax
		jbe	short loc_468E29
		mov	al, [edi+17h]
		and	al, 0F8h
		or	al, dl
		mov	[edi+17h], al

loc_468E29:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+43Dj
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	ecx, [esp+90h+var_80]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		xor	eax, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_468E49:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+428j
		mov	ecx, [esp+90h+var_70]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_468EFD
		mov	eax, ecx
		mov	esi, [eax+0Ch]
		mov	edx, [eax+8]
		mov	eax, edx
		and	eax, 400h
		mov	[esp+90h+var_2C], esi
		or	eax, 0
		jz	loc_468EFD
		mov	eax, ecx
		mov	eax, [eax+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jz	short loc_468EFD
		mov	edi, dword_6D0704
		mov	ecx, edx
		mov	eax, dword_6D0700
		mov	[esp+90h+var_54], edi
		or	eax, edi
		mov	edi, [esp+90h+var_58]
		jz	short loc_468EB2
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_468EB2
		not	[esp+90h+var_54]
		and	esi, [esp+90h+var_54]

loc_468EB2:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+4BEj
					; MiResolveProtoPteFault(x,x,x)+4C8j
		mov	eax, [esi]
		test	byte ptr [eax+1Ch], 20h
		jz	short loc_468EFD
		mov	eax, [eax+38h]
		mov	eax, [eax+14h]
		mov	[esp+90h+var_38], eax
		test	eax, eax
		jz	short loc_468EFD
		mov	ecx, eax
		and	ecx, 0FFFFFFF8h
		cmp	ecx, 8
		jz	short loc_468EFD
		and	al, 3
		cmp	al, 2
		jz	short loc_468EFD
		mov	eax, [esp+90h+var_50]
		cmp	eax, dword_6D07D0
		jb	loc_468FA0
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_468EFD
		and	edx, 40h
		or	edx, 0
		jnz	loc_468FF5

loc_468EFD:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+474j
					; MiResolveProtoPteFault(x,x,x)+490j ...
		mov	edx, [esp+90h+var_70]
		add	edx, 10h
		mov	eax, [edx]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 3FFFFFFFh
		xor	ecx, eax
		mov	eax, 7FFFFFFFh
		mov	[edx], ecx
		lock and [edx],	eax
		mov	[esp+90h+var_24], 0
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_468F45
		lea	esp, [esp+0]

loc_468F30:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+55Cj
					; MiResolveProtoPteFault(x,x,x)+563j
		lea	ecx, [esp+90h+var_24]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_468F30
		lock bts dword ptr [edi], 1Fh
		jb	short loc_468F30

loc_468F45:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+54Aj
		mov	esi, [esp+90h+var_80]
		mov	al, [esi+16h]
		and	al, 0DFh
		mov	[esi+16h], al
		movzx	eax, word ptr [esi+14h]
		test	ax, ax
		jz	loc_469A48
		add	eax, 0FFFFh
		test	dword ptr [esi+18h], 800000h
		mov	[esi+14h], ax
		jnz	loc_469188
		mov	ecx, [edi]
		mov	[esp+90h+var_28], ecx
		and	ecx, 3FFFFFFFh
		test	ax, ax
		jz	loc_469042
		cmp	ax, 1
		jnz	loc_46901C
		test	ecx, ecx
		jnz	loc_469038
		jmp	loc_46902E
; 

loc_468FA0:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+502j
		mov	ecx, eax
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		test	eax, eax
		jz	short loc_468FF5
		mov	edx, [eax+1Ch]
		mov	ecx, edx
		and	cl, 70h
		cmp	cl, 20h
		jnz	short loc_468FF5
		and	edx, 0F80h
		cmp	edx, 80h
		jz	loc_468EFD
		mov	eax, [eax+28h]
		test	eax, 8000000h
		jz	short loc_468FDF
		test	byte ptr [esp+90h+var_38], 4
		jz	loc_468EFD

loc_468FDF:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+5F2j
		test	ds:_MiFlags, 400h
		jz	short loc_468FF5
		test	byte ptr [esi+12h], 2
		jnz	loc_468EFD

loc_468FF5:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+517j
					; MiResolveProtoPteFault(x,x,x)+5C9j ...
		mov	eax, [esp+90h+var_70]
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx
		mov	ecx, [esp+90h+var_80]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	eax, 0C0000428h
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_46901C:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+5ADj
		cmp	ax, 2
		jnz	loc_469188
		test	ecx, ecx
		jz	loc_469188

loc_46902E:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+5BBj
		test	byte ptr [esi+16h], 8
		jz	loc_469188

loc_469038:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+5B5j
		mov	[esp+90h+var_50], 0
		jmp	short loc_46904A
; 

loc_469042:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+5A3j
		mov	[esp+90h+var_50], 1

loc_46904A:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+660j
		mov	eax, ds:_MmHighestUserAddress
		mov	edx, [esi+4]
		shr	eax, 9
		or	edx, 80000000h
		and	eax, offset loc_7FFFF8
		add	eax, 0C0000000h
		mov	[esp+90h+var_24], eax
		cmp	edx, eax
		ja	short loc_469075
		cmp	edx, 0C0000000h
		jnb	short loc_469086

loc_469075:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+68Bj
		mov	al, [esi+17h]
		test	al, 20h
		jz	short loc_469086
		and	al, 0DFh
		mov	[esi+17h], al
		jmp	loc_46915E
; 

loc_469086:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+693j
					; MiResolveProtoPteFault(x,x,x)+69Aj
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_46909E
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_4690C3

loc_46909E:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+6AFj
		cmp	edx, [esp+90h+var_24]
		ja	short loc_4690B2
		cmp	edx, 0C0000000h
		jb	short loc_4690B2
		test	byte ptr [esi+17h], 20h
		jnz	short loc_4690C3

loc_4690B2:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+6C2j
					; MiResolveProtoPteFault(x,x,x)+6CAj
		cmp	[esp+90h+var_50], 1
		jnz	short loc_4690D2
		test	[esp+90h+var_28], 40000000h
		jz	short loc_4690D2

loc_4690C3:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+6BCj
					; MiResolveProtoPteFault(x,x,x)+6D0j
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit

loc_4690D2:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+6D7j
					; MiResolveProtoPteFault(x,x,x)+6E1j
		mov	eax, large fs:20h
		mov	edx, [eax+3D30h]
		add	eax, 3D30h
		mov	[esp+90h+var_6C], eax
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_4690F3
		mov	eax, 1
		jmp	short loc_469155
; 

loc_4690F3:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+70Aj
		lea	eax, [edx+1]
		cmp	eax, 100h
		ja	short loc_469123
		lea	ecx, [ecx+0]

loc_469100:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+741j
		mov	edi, [esp+90h+var_6C]
		lea	ecx, [edx+1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		lea	edi, [esi+10h]
		cmp	eax, edx
		jz	short loc_46915E
		mov	edx, eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_469123
		inc	eax
		cmp	eax, 100h
		jbe	short loc_469100

loc_469123:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+71Bj
					; MiResolveProtoPteFault(x,x,x)+739j
		cmp	edx, 0C0h
		jle	short loc_46914C
		cmp	edx, 0FFFFFFFFh
		jz	short loc_46914C
		mov	edi, [esp+90h+var_6C]
		mov	ecx, 0C0h
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		lea	edi, [esi+10h]
		lea	eax, [edx-0BFh]
		jz	short loc_469151

loc_46914C:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+749j
					; MiResolveProtoPteFault(x,x,x)+74Ej
		mov	eax, 1

loc_469151:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+76Aj
		test	eax, eax
		jz	short loc_46915E

loc_469155:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+711j
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_46915E:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+6A1j
					; MiResolveProtoPteFault(x,x,x)+732j ...
		cmp	[esp+90h+var_50], 0
		jz	short loc_469188
		mov	ecx, esi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		lea	eax, [ecx+edx]
		mov	ecx, esi
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	MiPfnReferenceCountIsZero

loc_469188:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+58Ej
					; MiResolveProtoPteFault(x,x,x)+640j ...
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		push	[esp+90h+var_48]
		mov	edx, [esp+94h+var_74]
		push	[esp+94h+var_44]
		mov	ecx, [esp+98h+var_5C]
		push	[esp+98h+var_60]
		inc	large dword ptr	fs:3E20h
		push	0
		call	_MiCompleteProtoPteFault@24 ; MiCompleteProtoPteFault(x,x,x,x,x,x)
		test	eax, eax
		js	loc_469A40
		mov	eax, 110h
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4691C7:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+41Cj
		mov	eax, edx
		or	eax, ecx
		jnz	short loc_46921B
		mov	[esp+90h+var_14], eax
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_4691F5
		jmp	short loc_4691E0
; 
		align 10h

loc_4691E0:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+7F8j
					; MiResolveProtoPteFault(x,x,x)+80Cj ...
		lea	ecx, [esp+90h+var_14]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_4691E0
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4691E0

loc_4691F5:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+7F6j
		mov	ecx, [esp+90h+var_80]
		mov	al, [ecx+16h]
		and	al, 0DFh
		mov	[ecx+16h], al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax

loc_46920E:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+DB3j
		mov	eax, 0C0000005h
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_46921B:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+7EBj
		mov	esi, [esp+90h+var_38]
		xor	ecx, ecx
		mov	[esp+90h+var_4C], ecx
		mov	edx, [esi]
		mov	[esp+90h+var_6C], edx
		nop
		mov	esi, [esi+4]
		mov	eax, esi
		mov	[esp+90h+var_40], edx
		shrd	[esp+90h+var_40], eax, 0Ah
		mov	eax, [esp+90h+var_40]
		and	eax, 1
		mov	[esp+90h+var_3C], esi
		mov	[esp+90h+var_40], eax
		or	eax, ecx
		jz	loc_4692D8
		mov	eax, dword_6D0700
		mov	edi, dword_6D0704
		mov	[esp+90h+var_88], eax
		or	eax, edi
		mov	[esp+90h+var_84], esi
		jz	short loc_469290
		mov	eax, edx
		and	eax, 10h
		or	eax, ecx
		jnz	short loc_46928C
		mov	eax, [esp+90h+var_88]
		mov	esi, edi
		not	eax
		not	esi
		and	eax, edx
		and	esi, [esp+90h+var_84]
		mov	[esp+90h+var_68], eax
		mov	eax, [esp+90h+var_84]
		jmp	short loc_469292
; 

loc_46928C:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+890j
		mov	[esp+90h+var_68], edx

loc_469290:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+887j
		mov	eax, esi

loc_469292:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+8AAj
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_4692D8
		mov	ecx, edx
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		mov	eax, ecx
		mov	[esp+90h+var_4C], ecx
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jnz	loc_469429
		mov	eax, [esp+90h+var_5C]
		test	byte ptr [eax+1Dh], 8
		jz	loc_469429
		mov	ecx, [esp+90h+var_80]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	eax, 0C0000434h
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4692D8:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+86Cj
					; MiResolveProtoPteFault(x,x,x)+8B5j
		mov	eax, edx
		and	eax, 8
		or	eax, 0
		jnz	loc_469429
		mov	ecx, [esp+90h+var_44]
		nop
		mov	eax, [esp+90h+var_48]
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		mov	eax, ecx
		mov	[esp+90h+var_4C], ecx
		shr	eax, 3
		mov	[esp+90h+var_68], eax
		cmp	eax, 2
		jnz	short loc_469316
		mov	eax, [esp+90h+var_5C]
		test	byte ptr [eax+1Dh], 8
		jnz	loc_4699FE

loc_469316:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+926j
		mov	eax, [esp+90h+var_78]
		mov	esi, [esp+90h+var_74]
		mov	[esp+90h+var_84], esi
		mov	esi, [eax]
		nop
		mov	eax, [eax+4]
		mov	[esp+90h+var_88], eax
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_46935A
		cmp	[esp+90h+var_74], 0
		jz	loc_469429
		and	esi, 0A00h
		or	esi, 0
		jnz	loc_469429
		mov	esi, 0C0000005h
		jmp	loc_4693FD
; 

loc_46935A:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+954j
		cmp	[esp+90h+var_74], 0
		jz	short loc_469369
		mov	[esp+90h+var_84], 1

loc_469369:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+97Fj
		mov	eax, ecx
		and	eax, 7
		movsx	ecx, ds:_MiReadWrite[eax]
		mov	eax, [esp+90h+var_84]
		movsx	eax, al
		sub	ecx, eax
		cmp	ecx, 0Ah
		jge	short loc_46938A
		mov	esi, 0C0000005h
		jmp	short loc_4693FD
; 

loc_46938A:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+9A1j
		cmp	[esp+90h+var_68], 2
		jnz	loc_469425
		cmp	[esp+90h+var_34], 0
		jz	short loc_4693A8
		mov	eax, [esp+90h+var_60]
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		jz	short loc_469425

loc_4693A8:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+9BAj
		mov	ecx, [esp+90h+var_60]
		call	MiAllowGuardFault
		test	eax, eax
		jnz	short loc_4693BC
		mov	esi, 0C0000005h
		jmp	short loc_4693FD
; 

loc_4693BC:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+9D3j
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jz	short loc_4693D2
		mov	eax, esi
		and	eax, 400h
		or	eax, 0

loc_4693D2:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+9E6j
		mov	ecx, [esp+90h+var_4C]
		xor	eax, eax
		mov	edx, [esp+90h+var_78]
		and	ecx, 0Fh
		shld	eax, ecx, 5
		and	esi, 0FFFFFC1Fh
		shl	ecx, 5
		or	ecx, esi
		or	eax, [esp+90h+var_88]
		mov	[edx], ecx
		nop
		mov	[edx+4], eax
		mov	esi, 80000001h

loc_4693FD:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+975j
					; MiResolveProtoPteFault(x,x,x)+9A8j ...
		mov	eax, [esp+90h+var_70]
		test	eax, eax
		jz	short loc_469410
		lea	ecx, [eax+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax

loc_469410:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+A23j
		mov	ecx, [esp+90h+var_80]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	eax, esi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_469425:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+9AFj
					; MiResolveProtoPteFault(x,x,x)+9C6j
		mov	ecx, [esp+90h+var_4C]

loc_469429:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+8CCj
					; MiResolveProtoPteFault(x,x,x)+8DAj ...
		mov	eax, [esp+90h+var_48]
		mov	edi, dword_6D0704
		mov	esi, [esp+90h+var_44]
		mov	[esp+90h+var_20], eax
		mov	[esp+90h+var_84], eax
		mov	eax, dword_6D0700
		mov	[esp+90h+var_68], eax
		or	eax, edi
		mov	[esp+90h+var_70], edi
		mov	edi, [esp+90h+var_58]
		mov	[esp+90h+var_88], esi
		jz	short loc_46947E
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_469478
		mov	esi, [esp+90h+var_68]
		mov	eax, [esp+90h+var_70]
		not	esi
		and	esi, [esp+90h+var_88]
		not	eax
		and	eax, [esp+90h+var_84]
		jmp	short loc_469482
; 

loc_469478:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+A80j
		mov	eax, [esp+90h+var_84]
		jmp	short loc_469482
; 

loc_46947E:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+A76j
		mov	eax, [esp+90h+var_20]

loc_469482:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+A96j
					; MiResolveProtoPteFault(x,x,x)+A9Cj
		mov	[esp+90h+var_1C], eax
		mov	eax, esi
		and	eax, 400h
		or	eax, 0
		jnz	loc_469865
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jnz	loc_469865
		and	esi, 4
		or	esi, eax
		mov	esi, [esp+90h+var_74]
		jnz	loc_469869
		mov	eax, ecx
		and	eax, 5
		cmp	al, 5
		jnz	loc_469869
		test	esi, esi
		jnz	short loc_4694E3
		nop
		mov	ecx, [esp+90h+var_44]
		mov	eax, [esp+90h+var_48]
		shrd	ecx, eax, 5
		and	cl, 5
		cmp	cl, 4
		jz	loc_469869
		mov	ecx, [esp+90h+var_4C]

loc_4694E3:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+AE4j
		mov	eax, [esp+90h+var_30]
		test	byte ptr [eax+60h], 7
		jnz	short loc_469506
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	dword ptr [eax+148h], 0
		jnz	loc_469869

loc_469506:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+B0Bj
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_469524
		mov	eax, [esp+90h+var_50]
		cmp	eax, dword_6D07D0
		jb	short loc_469524
		test	cl, 2
		jnz	loc_469869

loc_469524:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+B2Dj
					; MiResolveProtoPteFault(x,x,x)+B39j
		mov	[esp+90h+var_20], 0
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_469548

loc_469533:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+B5Fj
					; MiResolveProtoPteFault(x,x,x)+B66j
		lea	ecx, [esp+90h+var_20]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_469533
		lock bts dword ptr [edi], 1Fh
		jb	short loc_469533

loc_469548:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+B51j
		mov	esi, [esp+90h+var_80]
		mov	al, [esi+16h]
		and	al, 0DFh
		mov	[esi+16h], al
		movzx	eax, word ptr [esi+14h]
		test	ax, ax
		jz	loc_469A48
		add	eax, 0FFFFh
		test	dword ptr [esi+18h], 800000h
		mov	[esi+14h], ax
		jnz	loc_4696FD
		mov	ecx, [edi]
		mov	[esp+90h+var_68], ecx
		and	ecx, 3FFFFFFFh
		test	ax, ax
		jz	short loc_4695BA
		cmp	ax, 1
		jnz	short loc_469594
		test	ecx, ecx
		jnz	short loc_4695B0
		jmp	short loc_4695A6
; 

loc_469594:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+BACj
		cmp	ax, 2
		jnz	loc_4696FD
		test	ecx, ecx
		jz	loc_4696FD

loc_4695A6:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+BB2j
		test	byte ptr [esi+16h], 8
		jz	loc_4696FD

loc_4695B0:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+BB0j
		mov	[esp+90h+var_58], 0
		jmp	short loc_4695C2
; 

loc_4695BA:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+BA6j
		mov	[esp+90h+var_58], 1

loc_4695C2:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+BD8j
		mov	eax, ds:_MmHighestUserAddress
		mov	edx, [esi+4]
		shr	eax, 9
		or	edx, 80000000h
		and	eax, offset loc_7FFFF8
		add	eax, 0C0000000h
		mov	[esp+90h+var_30], eax
		cmp	edx, eax
		ja	short loc_4695ED
		cmp	edx, 0C0000000h
		jnb	short loc_4695FE

loc_4695ED:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+C03j
		mov	al, [esi+17h]
		test	al, 20h
		jz	short loc_4695FE
		and	al, 0DFh
		mov	[esi+17h], al
		jmp	loc_4696D3
; 

loc_4695FE:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+C0Bj
					; MiResolveProtoPteFault(x,x,x)+C12j
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_469616
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_46963B

loc_469616:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+C27j
		cmp	edx, [esp+90h+var_30]
		ja	short loc_46962A
		cmp	edx, 0C0000000h
		jb	short loc_46962A
		test	byte ptr [esi+17h], 20h
		jnz	short loc_46963B

loc_46962A:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+C3Aj
					; MiResolveProtoPteFault(x,x,x)+C42j
		cmp	[esp+90h+var_58], 1
		jnz	short loc_46964A
		test	[esp+90h+var_68], 40000000h
		jz	short loc_46964A

loc_46963B:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+C34j
					; MiResolveProtoPteFault(x,x,x)+C48j
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit

loc_46964A:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+C4Fj
					; MiResolveProtoPteFault(x,x,x)+C59j
		mov	eax, large fs:20h
		mov	edx, [eax+3D30h]
		add	eax, 3D30h
		mov	[esp+90h+var_88], eax
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_46966B
		mov	eax, 1
		jmp	short loc_4696CA
; 

loc_46966B:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+C82j
		lea	eax, [edx+1]
		cmp	eax, 100h
		ja	short loc_469698

loc_469675:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+CB6j
		mov	edi, [esp+90h+var_88]
		lea	ecx, [edx+1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		lea	edi, [esi+10h]
		cmp	eax, edx
		jz	short loc_4696D3
		mov	edx, eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_469698
		inc	eax
		cmp	eax, 100h
		jbe	short loc_469675

loc_469698:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+C93j
					; MiResolveProtoPteFault(x,x,x)+CAEj
		cmp	edx, 0C0h
		jle	short loc_4696C1
		cmp	edx, 0FFFFFFFFh
		jz	short loc_4696C1
		mov	edi, [esp+90h+var_88]
		mov	ecx, 0C0h
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		lea	edi, [esi+10h]
		lea	eax, [edx-0BFh]
		jz	short loc_4696C6

loc_4696C1:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+CBEj
					; MiResolveProtoPteFault(x,x,x)+CC3j
		mov	eax, 1

loc_4696C6:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+CDFj
		test	eax, eax
		jz	short loc_4696D3

loc_4696CA:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+C89j
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_4696D3:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+C19j
					; MiResolveProtoPteFault(x,x,x)+CA7j ...
		cmp	[esp+90h+var_58], 0
		jz	short loc_4696FD
		mov	ecx, esi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		lea	eax, [ecx+edx]
		mov	ecx, esi
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	MiPfnReferenceCountIsZero

loc_4696FD:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+B91j
					; MiResolveProtoPteFault(x,x,x)+BB8j ...
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		cmp	[esp+90h+var_54], 0
		mov	edx, [esp+90h+var_34]
		jz	short loc_469735
		test	edx, edx
		jz	short loc_46972B
		mov	esi, [esp+90h+var_60]
		mov	eax, esi
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		jnz	short loc_46972B
		test	dword ptr [eax+28h], 4000h
		jnz	short loc_46973E

loc_46972B:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+D32j
					; MiResolveProtoPteFault(x,x,x)+D40j
		xor	eax, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_469735:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+D2Ej
		mov	esi, [esp+90h+var_60]
		mov	eax, esi
		and	eax, 0FFFFFFFEh

loc_46973E:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+D49j
		test	edx, edx
		jz	short loc_46975D
		cmp	byte ptr [eax],	1
		jz	short loc_469780
		test	edx, edx
		jz	short loc_46975D
		cmp	byte ptr [eax],	3
		jz	short loc_469780
		test	edx, edx
		jz	short loc_46975D
		cmp	byte ptr [eax],	6
		jz	short loc_469780
		test	edx, edx
		jnz	short loc_469799

loc_46975D:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+D60j
					; MiResolveProtoPteFault(x,x,x)+D69j ...
		test	esi, esi
		jz	short loc_469799
		test	byte ptr [esi+6Ch], 1
		jnz	short loc_469775
		test	dword ptr [esi+70h], 20000h
		mov	ecx, offset _ExpInterlockedPopEntrySListFault
		jz	short loc_46977B

loc_469775:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+D85j
		mov	ecx, ds:_KeUserPopEntrySListFault

loc_46977B:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+D93j
		cmp	[esi+68h], ecx
		jnz	short loc_469799

loc_469780:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+D65j
					; MiResolveProtoPteFault(x,x,x)+D6Ej ...
		test	edx, edx
		jz	short loc_469789
		cmp	byte ptr [eax],	6
		jz	short loc_469799

loc_469789:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+DA2j
		mov	eax, [esp+90h+var_50]
		cmp	eax, dword_6D07D0
		jnb	loc_46920E

loc_469799:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+D7Bj
					; MiResolveProtoPteFault(x,x,x)+D7Fj ...
		mov	eax, [esp+90h+var_40]
		or	eax, 0
		jz	short loc_4697E1
		mov	esi, dword_6D0700
		mov	eax, esi
		mov	edi, dword_6D0704
		or	eax, edi
		mov	edx, [esp+90h+var_3C]
		mov	ecx, [esp+90h+var_6C]
		jz	short loc_4697D2
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4697CE
		mov	eax, edi
		not	eax
		and	eax, edx
		jmp	short loc_4697D6
; 

loc_4697CE:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+DE4j
		mov	eax, edx
		jmp	short loc_4697D6
; 

loc_4697D2:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+DDAj
		mov	eax, [esp+90h+var_3C]

loc_4697D6:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+DECj
					; MiResolveProtoPteFault(x,x,x)+DF0j
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_4697E1
		shrd	ecx, edx, 5
		jmp	short loc_4697EE
; 

loc_4697E1:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+DC0j
					; MiResolveProtoPteFault(x,x,x)+DF9j
		mov	ecx, [esp+90h+var_44]
		nop
		mov	eax, [esp+90h+var_48]
		shrd	ecx, eax, 5

loc_4697EE:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+DFFj
		mov	edx, ecx
		and	ecx, 18h
		and	edx, 2
		or	edx, 4
		cmp	ecx, 8
		jnz	short loc_469802
		or	edx, ecx
		jmp	short loc_469809
; 

loc_469802:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+E1Cj
		cmp	ecx, 18h
		jnz	short loc_469809
		or	edx, ecx

loc_469809:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+E20j
					; MiResolveProtoPteFault(x,x,x)+E25j
		mov	edi, dword_6D0700
		xor	esi, esi
		mov	ecx, dword_6D0704
		mov	eax, edi
		shld	esi, edx, 5
		mov	[esp+90h+var_88], ecx
		shl	edx, 5
		or	eax, ecx
		jz	short loc_469841
		mov	ecx, edx
		mov	eax, esi
		and	eax, [esp+90h+var_88]
		and	ecx, edi
		or	ecx, eax
		jnz	short loc_46983E
		or	edx, edi
		or	esi, [esp+90h+var_88]
		jmp	short loc_469841
; 

loc_46983E:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+E54j
		or	edx, 10h

loc_469841:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+E46j
					; MiResolveProtoPteFault(x,x,x)+E5Cj
		mov	eax, [esp+90h+var_38]
		mov	[eax], edx
		nop
		mov	ecx, [esp+90h+var_5C]
		mov	edx, eax
		mov	[eax+4], esi
		mov	esi, [esp+90h+var_74]
		push	esi
		push	0
		call	MiResolveDemandZeroFault
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_469865:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+AB0j
					; MiResolveProtoPteFault(x,x,x)+AC0j
		mov	esi, [esp+90h+var_74]

loc_469869:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+ACFj
					; MiResolveProtoPteFault(x,x,x)+ADCj ...
		mov	ecx, [esp+90h+var_44]
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jz	short loc_4698A4
		mov	eax, [esp+90h+var_5C]
		test	byte ptr [eax+1Dh], 8
		jnz	loc_4699FE
		push	[ebp+arg_0]
		mov	ecx, [esp+94h+var_80]
		mov	edx, [esp+94h+var_78]
		push	ecx
		mov	ecx, eax
		call	MiResolveMappedFileFault
		mov	esi, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4698A4:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+E97j
		mov	eax, ecx
		and	eax, 800h
		or	eax, 0
		jz	short loc_4698D0
		push	[ebp+arg_0]
		mov	ecx, [esp+94h+var_80]
		mov	edx, [esp+94h+var_78]
		push	esi
		push	ecx
		mov	ecx, [esp+9Ch+var_5C]
		call	_MiResolveTransitionFault@20 ; MiResolveTransitionFault(x,x,x,x,x)
		mov	esi, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4698D0:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+ECEj
		nop
		mov	edi, [esp+90h+var_48]
		mov	eax, edi
		shrd	ecx, eax, 2
		test	cl, 1
		jnz	loc_4699F4
		xor	esi, esi
		cmp	[esp+90h+var_54], esi
		jz	short loc_46991E
		cmp	[esp+90h+var_34], esi
		jz	short loc_469909
		mov	ecx, [esp+90h+var_60]
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		jnz	short loc_469909
		test	dword ptr [eax+28h], 4000h
		jnz	short loc_469927

loc_469909:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+F10j
					; MiResolveProtoPteFault(x,x,x)+F1Ej
		mov	ecx, [esp+90h+var_80]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	eax, esi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_46991E:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+F0Aj
		mov	ecx, [esp+90h+var_60]
		mov	eax, ecx
		and	eax, 0FFFFFFFEh

loc_469927:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+F27j
		mov	esi, [esp+90h+var_34]
		test	esi, esi
		jz	short loc_46994E
		cmp	byte ptr [eax],	1
		jz	short loc_46997D
		test	esi, esi
		jz	short loc_46994E
		cmp	byte ptr [eax],	3
		jz	short loc_46997D
		test	esi, esi
		jz	short loc_46994E
		cmp	byte ptr [eax],	6
		jz	short loc_46997D
		test	esi, esi
		jnz	loc_4699D4

loc_46994E:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+F4Dj
					; MiResolveProtoPteFault(x,x,x)+F56j ...
		test	ecx, ecx
		jz	loc_4699D4
		test	byte ptr [ecx+6Ch], 1
		jnz	short loc_46996A
		test	dword ptr [ecx+70h], 20000h
		mov	ecx, offset _ExpInterlockedPopEntrySListFault
		jz	short loc_469970

loc_46996A:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+F7Aj
		mov	ecx, ds:_KeUserPopEntrySListFault

loc_469970:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+F88j
		mov	edi, [esp+90h+var_60]
		cmp	[edi+68h], ecx
		mov	edi, [esp+90h+var_48]
		jnz	short loc_4699D4

loc_46997D:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+F52j
					; MiResolveProtoPteFault(x,x,x)+F5Bj ...
		test	esi, esi
		jz	short loc_469986
		cmp	byte ptr [eax],	6
		jz	short loc_4699D4

loc_469986:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+F9Fj
		mov	eax, [esp+90h+var_50]
		cmp	eax, dword_6D07D0
		jb	short loc_4699D4
		mov	esi, [esp+90h+var_3C]
		push	esi
		push	edx
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jz	short loc_4699AB
		mov	eax, [esp+90h+var_6C]
		shrd	eax, esi, 5
		jmp	short loc_4699B4
; 

loc_4699AB:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+FBFj
		mov	eax, [esp+90h+var_44]
		nop
		shrd	eax, edi, 5

loc_4699B4:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+FC9j
		and	al, 18h
		cmp	al, 10h
		jnz	short loc_4699D4
		mov	ecx, [esp+90h+var_80]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	esi, 0C0000005h
		mov	eax, esi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4699D4:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+F68j
					; MiResolveProtoPteFault(x,x,x)+F70j ...
		push	[esp+90h+var_74]
		mov	ecx, [esp+94h+var_80]
		mov	edx, [esp+94h+var_78]
		push	ecx
		mov	ecx, [esp+98h+var_5C]
		call	MiResolveDemandZeroFault
		mov	esi, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4699F4:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+EFEj
		mov	eax, [esp+90h+var_5C]
		test	byte ptr [eax+1Dh], 8
		jz	short loc_469A16

loc_4699FE:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+930j
					; MiResolveProtoPteFault(x,x,x)+EA1j
		mov	ecx, [esp+90h+var_80]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	eax, 0C0000434h
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_469A16:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+101Cj
		push	[ebp+arg_0]
		mov	ecx, [esp+94h+var_80]
		mov	edx, [esp+94h+var_78]
		push	ecx
		mov	ecx, eax
		call	MiResolvePageFileFault
		mov	esi, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_469A33:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+174j
					; MiResolveProtoPteFault(x,x,x)+184j ...
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax

loc_469A3B:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+A5j
					; MiResolveProtoPteFault(x,x,x)+B5j
		mov	eax, 0C0000016h

loc_469A40:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+7D4j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_469A48:				; CODE XREF: MiResolveProtoPteFault(x,x,x)+578j
					; MiResolveProtoPteFault(x,x,x)+B7Bj
		mov	ecx, esi
		call	_MiBadRefCount@4 ; MiBadRefCount(x)
		int	3		; Trap to Debugger
_MiResolveProtoPteFault@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckUserVirtualAddress proc near	; CODE XREF: MiInPagePageTable+2C4p
					; .text:00467B83p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B2918 SIZE 00000091 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		mov	eax, [eax+80h]
		test	byte ptr [eax+3A8h], 1
		jnz	short loc_469A8F
		mov	eax, edi
		and	eax, 0FFFFF000h
		cmp	eax, 7FFE0000h
		jz	loc_5B2918
		cmp	eax, dword_6D0618
		jz	loc_5B2928

loc_469A8F:				; CODE XREF: MiCheckUserVirtualAddress+1Fj
					; MiCheckUserVirtualAddress+148EDAj
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+1Ch]
		and	al, 70h
		cmp	al, 20h
		jnz	short loc_469AAA
		mov	eax, [esi+28h]
		test	eax, 10000000h
		jnz	loc_5B2940

loc_469AAA:				; CODE XREF: MiCheckUserVirtualAddress+4Aj
					; MiCheckUserVirtualAddress+148EF5j ...
		mov	eax, [esi+1Ch]
		test	al, 4
		jnz	loc_469B7C
		test	eax, 100000h
		jnz	short loc_469B12
		mov	eax, [esi+28h]
		test	eax, 1000000h
		jnz	loc_5B298B

loc_469ACA:				; CODE XREF: MiCheckUserVirtualAddress+148F49j
		lea	eax, [ebp+var_4]
		shr	edi, 0Ch
		push	eax
		push	4
		mov	edx, edi
		mov	ecx, esi
		call	MiGetProtoPteAddress
		mov	edx, eax
		test	edx, edx
		jz	short loc_469B59
		mov	eax, [esi+1Ch]
		mov	ecx, eax
		shr	ecx, 7
		and	al, 70h
		and	ecx, 1Fh
		mov	[ebx], ecx
		cmp	al, 20h
		jnz	short loc_469B00
		cmp	ecx, 7
		jnz	short loc_469B00
		mov	dword ptr [ebx], 100h

loc_469B00:				; CODE XREF: MiCheckUserVirtualAddress+A3j
					; MiCheckUserVirtualAddress+A8j ...
		mov	eax, [esi+44h]
		test	eax, eax
		js	short loc_469B61

loc_469B07:				; CODE XREF: MiCheckUserVirtualAddress+125j
					; MiCheckUserVirtualAddress+148F54j
		mov	eax, edx

loc_469B09:				; CODE XREF: MiCheckUserVirtualAddress+100j
		pop	esi

loc_469B0A:				; CODE XREF: MiCheckUserVirtualAddress+148ED3j
					; MiCheckUserVirtualAddress+148EEBj
		pop	edi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_469B12:				; CODE XREF: MiCheckUserVirtualAddress+6Aj
		mov	ecx, eax
		and	ecx, 70h
		cmp	ecx, 10h
		jz	short loc_469B52
		cmp	ecx, 30h
		jz	short loc_469B52
		test	eax, 400000h
		jnz	short loc_469B52
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnb	short loc_469B52
		cmp	ecx, 20h
		jz	loc_5B2978

loc_469B3D:				; CODE XREF: MiCheckUserVirtualAddress+148F36j
		cmp	dword ptr [esi+20h], 0
		jge	short loc_469B52
		mov	eax, [esi+1Ch]
		shr	eax, 7
		and	eax, 1Fh

loc_469B4C:				; CODE XREF: MiCheckUserVirtualAddress+107j
		mov	[ebx], eax

loc_469B4E:				; CODE XREF: MiCheckUserVirtualAddress+132j
		xor	eax, eax
		jmp	short loc_469B09
; 

loc_469B52:				; CODE XREF: MiCheckUserVirtualAddress+CAj
					; MiCheckUserVirtualAddress+CFj ...
		mov	eax, 18h
		jmp	short loc_469B4C
; 

loc_469B59:				; CODE XREF: MiCheckUserVirtualAddress+90j
		mov	dword ptr [ebx], 18h
		jmp	short loc_469B00
; 

loc_469B61:				; CODE XREF: MiCheckUserVirtualAddress+B5j
		mov	ecx, [eax]
		sub	edi, [esi+0Ch]
		add	ecx, 0FFFFFFFFh
		mov	eax, [eax+4]
		adc	eax, 0FFFFFFFFh
		shrd	ecx, eax, 0Ch
		cmp	edi, ecx
		jbe	short loc_469B07
		jmp	loc_5B299E
; 

loc_469B7C:				; CODE XREF: MiCheckUserVirtualAddress+5Fj
					; MiCheckUserVirtualAddress+148F1Dj ...
		mov	dword ptr [ebx], 18h
		jmp	short loc_469B4E
MiCheckUserVirtualAddress endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetProtoPteAddress proc near		; CODE XREF: MiIsCfgBitMapPageShared(x,x)+184p
					; MiSplitPrivatePage(x,x,x)+261p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B29A9 SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, [ecx+1Ch]
		push	ebx
		push	esi
		push	edi
		and	al, 70h
		mov	edi, edx
		mov	edx, [ecx+0Ch]
		mov	[esp+28h+var_8], edx
		cmp	al, 20h
		jnz	short loc_469BBE
		mov	eax, [ecx+2Ch]
		mov	eax, [eax]
		test	dword ptr [eax+1Ch], 4000000h
		jnz	short loc_469BD9

loc_469BBE:				; CODE XREF: MiGetProtoPteAddress+1Ej
		mov	eax, [ecx+34h]
		mov	esi, edi
		sub	eax, [ecx+30h]
		sub	esi, edx
		sar	eax, 3
		cmp	eax, esi
		jb	short loc_469BD9
		test	[ebp+arg_0], 4
		jz	loc_469D03

loc_469BD9:				; CODE XREF: MiGetProtoPteAddress+2Cj
					; MiGetProtoPteAddress+3Dj
		mov	eax, [ebp+arg_4]
		sub	edi, [esp+28h+var_8]
		mov	dword ptr [eax], 0
		mov	esi, [ecx+2Ch]
		mov	eax, [ecx+30h]
		sub	eax, [esi+4]
		sar	eax, 3
		cdq
		mov	ebx, eax
		mov	eax, edx
		add	ebx, edi
		mov	edi, [esi]
		adc	eax, 0
		mov	[esp+28h+var_8], eax
		cmp	dword ptr [edi+20h], 0
		jz	loc_469CAE
		mov	[esp+28h+var_1C], eax
		mov	edx, ebx
		mov	eax, [esi+1Ch]
		mov	ecx, esi
		mov	[esp+28h+var_18], eax
		mov	eax, [esp+28h+var_8]
		mov	[esp+28h+var_C], 0
		test	eax, eax
		jb	short loc_469C69
		mov	eax, [esp+28h+var_18]
		ja	short loc_469C35
		cmp	ebx, eax
		jb	short loc_469C69

loc_469C35:				; CODE XREF: MiGetProtoPteAddress+9Fj
					; MiGetProtoPteAddress+D3j ...
		mov	ecx, [ecx+8]
		sub	edx, eax
		mov	eax, [esp+28h+var_C]
		sbb	[esp+28h+var_1C], 0
		inc	eax
		mov	[esp+28h+var_C], eax
		cmp	eax, 3
		jz	loc_469D1A

loc_469C51:				; CODE XREF: MiGetProtoPteAddress+18Ej
		test	ecx, ecx
		jz	loc_5B29B3
		cmp	[esp+28h+var_1C], 0
		mov	eax, [ecx+1Ch]
		jb	short loc_469C69
		ja	short loc_469C35
		cmp	edx, eax
		jnb	short loc_469C35

loc_469C69:				; CODE XREF: MiGetProtoPteAddress+99j
					; MiGetProtoPteAddress+A3j ...
		mov	ebx, edx
		mov	esi, ecx
		mov	edx, [esp+28h+var_1C]

loc_469C71:				; CODE XREF: MiGetProtoPteAddress+1F5j
		mov	eax, [esi+24h]
		mov	ecx, [esi+1Ch]
		and	eax, 3FFFFFFFh
		sub	ecx, eax
		test	edx, edx
		jb	short loc_469C90
		ja	loc_469DED
		cmp	ebx, ecx
		jnb	loc_469DED

loc_469C90:				; CODE XREF: MiGetProtoPteAddress+F0j
		mov	eax, [ebp+arg_4]
		mov	ecx, [esi+4]
		mov	[eax], esi

loc_469C98:				; CODE XREF: MiGetProtoPteAddress+166j
		test	byte ptr [esi+12h], 2
		jnz	loc_5B29C2

loc_469CA2:				; CODE XREF: MiGetProtoPteAddress+148E45j
					; MiGetProtoPteAddress+148E6Aj
		lea	eax, [ecx+ebx*8]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_469CAE:				; CODE XREF: MiGetProtoPteAddress+76j
		test	dword ptr [edi+1Ch], 1000h
		mov	ecx, [edi+38h]
		mov	[esp+28h+var_8], ecx
		jnz	loc_469D8A
		cmp	dword ptr [esi+20h], 40000000h
		jnb	loc_469D8A
		mov	ecx, [esi+1Ch]
		test	eax, eax
		jb	short loc_469CE4
		ja	loc_469DED
		cmp	ebx, ecx
		jnb	loc_469DED

loc_469CE4:				; CODE XREF: MiGetProtoPteAddress+144j
					; MiGetProtoPteAddress+24Dj ...
		test	esi, esi
		jz	loc_469DED
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_469C98
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_469D03:				; CODE XREF: MiGetProtoPteAddress+43j
		mov	eax, [ebp+arg_4]
		mov	edx, [ecx+2Ch]
		mov	[eax], edx
		mov	eax, [ecx+30h]
		lea	eax, [eax+esi*8]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_469D1A:				; CODE XREF: MiGetProtoPteAddress+BBj
		test	byte ptr [edi+1Ch], 20h
		jnz	loc_469C51

loc_469D24:				; CODE XREF: MiGetProtoPteAddress+148E2Dj
		mov	ax, [esi+10h]
		xor	ecx, ecx
		or	ecx, [esi+14h]
		shr	ax, 6
		add	ebx, ecx
		movzx	eax, ax
		cdq
		adc	eax, [esp+28h+var_8]
		shld	eax, ebx, 0Ch
		shl	ebx, 0Ch
		test	[ebp+arg_0], 1
		mov	[esp+28h+var_1C], eax
		jnz	loc_469DF8
		xor	edx, edx

loc_469D52:				; CODE XREF: MiGetProtoPteAddress+26Dj
		push	eax
		push	ebx
		mov	ecx, edi
		call	_MiLocateSubsectionNode@16 ; MiLocateSubsectionNode(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_469DED
		mov	cx, [esi+10h]
		shr	cx, 6
		movzx	eax, cx
		xor	ecx, ecx
		or	ecx, [esi+14h]
		cdq
		mov	edx, [esp+28h+var_1C]
		shrd	ebx, edx, 0Ch
		shr	edx, 0Ch
		sub	ebx, ecx
		sbb	edx, eax
		jmp	loc_469C71
; 

loc_469D8A:				; CODE XREF: MiGetProtoPteAddress+12Cj
					; MiGetProtoPteAddress+139j
		cmp	dword ptr [esi+20h], 40000000h
		mov	ecx, 4000h
		jnb	loc_5B29A9

loc_469D9C:				; CODE XREF: MiGetProtoPteAddress+148E1Ej
		push	ebx
		push	0
		shr	ecx, 3
		push	ecx
		push	eax
		push	ebx
		call	__aulldvrm
		mov	[esp+2Ch+var_1C], ebx
		pop	ebx
		nop
		mov	ebx, ecx
		mov	[esp+28h+var_14], edx
		or	ecx, [esp+28h+var_1C]
		mov	edx, eax
		mov	[esp+28h+var_C], eax
		jz	short loc_469DC3
		inc	edx

loc_469DC3:				; CODE XREF: MiGetProtoPteAddress+230j
		cmp	edx, [esp+28h+var_8]
		ja	short loc_469DED
		shl	eax, 3
		sub	eax, [esp+28h+var_C]
		mov	ecx, [esi+eax*8+1Ch]
		lea	esi, [esi+eax*8]
		mov	eax, [esp+28h+var_1C]
		test	eax, eax
		jb	loc_469CE4
		ja	short loc_469DED
		cmp	ebx, ecx
		jb	loc_469CE4

loc_469DED:				; CODE XREF: MiGetProtoPteAddress+F2j
					; MiGetProtoPteAddress+FAj ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_469DF8:				; CODE XREF: MiGetProtoPteAddress+1BAj
		mov	edx, 1
		jmp	loc_469D52
MiGetProtoPteAddress endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiResolveSharedZeroFault(x)
_MiResolveSharedZeroFault@4 proc near	; CODE XREF: .text:00467BFCp

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [ebp+var_60]
		mov	[ebp+var_64], 0
		mov	edi, ecx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_4], edi
		call	_memset
		mov	eax, [edi+4]
		add	esp, 0Ch
		mov	ecx, [edi+10h]
		mov	esi, [edi+0Ch]
		mov	[ebp+var_2C], 0
		mov	[ebp+var_28], 0
		mov	ebx, [eax]
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_30], ecx
		mov	[ebp+var_8], eax
		add	eax, 0C0000000h
		mov	edx, eax
		mov	[ebp+var_1C], eax
		shl	edx, 9
		xor	ecx, ecx
		mov	eax, edx

loc_469E74:				; CODE XREF: MiResolveSharedZeroFault(x)+73j
		cmp	eax, ds:_MmHighestUserAddress
		jbe	short loc_469E8A
		inc	ecx
		shl	eax, 9
		cmp	ecx, 1
		jb	short loc_469E74
		jmp	loc_469F3D
; 

loc_469E8A:				; CODE XREF: MiResolveSharedZeroFault(x)+6Aj
		mov	eax, large fs:124h
		shr	edx, 15h
		mov	eax, [eax+80h]
		mov	edi, [eax+24Ch]
		mov	eax, large fs:124h
		add	edi, 18h
		mov	eax, [eax+80h]
		mov	ecx, [eax+24Ch]
		lea	eax, [edi+178h]
		add	ecx, 190h
		inc	word ptr [ecx+edx*2]
		lea	ecx, [ecx+edx*2]
		cmp	ecx, eax
		jb	short loc_469F3A
		lea	eax, [edi+0D78h]
		cmp	ecx, eax
		jnb	short loc_469F3A
		sub	ecx, edi
		mov	edx, 2
		sub	ecx, 178h
		sar	ecx, 1
		shl	ecx, 0Ch
		sub	ecx, 40000000h
		shr	ecx, 9
		sub	ecx, 40000000h
		mov	[ebp+var_80], ecx
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	[ebp+var_7C], ecx
		jmp	short loc_469F10
; 
		align 10h

loc_469F10:				; CODE XREF: MiResolveSharedZeroFault(x)+FBj
					; MiResolveSharedZeroFault(x)+128j
		mov	eax, [ebp+edx*4+var_84]
		dec	edx
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		mov	[ebp+var_74], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_469F3A
		and	ecx, 80h
		or	ecx, 0
		jnz	short loc_469F3A
		test	edx, edx
		jnz	short loc_469F10

loc_469F3A:				; CODE XREF: MiResolveSharedZeroFault(x)+B9j
					; MiResolveSharedZeroFault(x)+C3j ...
		mov	edi, [ebp+var_4]

loc_469F3D:				; CODE XREF: MiResolveSharedZeroFault(x)+75j
		mov	eax, [ebp+var_30]
		cmp	eax, 100h
		jnz	short loc_469F7A
		mov	eax, dword_6D0700
		xor	edx, edx
		mov	ecx, dword_6D0704
		or	edx, 400h
		mov	[ebp+var_14], eax
		or	eax, ecx
		mov	[ebp+var_4], ecx
		jz	short loc_469FBD
		mov	ecx, edx
		mov	eax, esi
		and	ecx, [ebp+var_14]
		and	eax, [ebp+var_4]
		or	ecx, eax
		jnz	short loc_469FBA
		or	edx, [ebp+var_14]
		or	esi, [ebp+var_4]
		jmp	short loc_469FBD
; 

loc_469F7A:				; CODE XREF: MiResolveSharedZeroFault(x)+135j
		mov	ecx, dword_6D0700
		mov	edx, eax
		mov	eax, dword_6D0704
		and	edx, 1Fh
		or	edx, 0F8000020h
		mov	[ebp+var_4], eax
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_20], ecx
		shld	esi, edx, 5
		mov	eax, ecx
		shl	edx, 5
		or	eax, [ebp+var_4]
		jz	short loc_469FBD
		mov	eax, [ebp+var_4]
		and	ecx, edx
		and	eax, esi
		or	ecx, eax
		jnz	short loc_469FBA
		or	edx, [ebp+var_20]
		or	esi, [ebp+var_4]
		jmp	short loc_469FBD
; 

loc_469FBA:				; CODE XREF: MiResolveSharedZeroFault(x)+160j
					; MiResolveSharedZeroFault(x)+1A0j
		or	edx, 10h

loc_469FBD:				; CODE XREF: MiResolveSharedZeroFault(x)+152j
					; MiResolveSharedZeroFault(x)+168j ...
		mov	eax, [ebp+var_1C]
		mov	[eax], edx
		mov	eax, [ebp+var_8]
		mov	[eax-3FFFFFFCh], esi
		mov	eax, [edi+24h]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_46A32B
		mov	esi, [eax+0Ch]
		mov	edx, [eax+10h]
		mov	ecx, [eax+1Ch]
		mov	eax, ecx
		shr	eax, 12h
		and	eax, 3
		mov	[ebp+var_68], esi
		cmp	ds:_MiVadPageSizes[eax*4], 10h
		jnz	short loc_46A055
		and	ebx, 0FFFF0000h
		mov	[ebp+var_28], 10000h
		mov	eax, ebx
		mov	[ebp+var_2C], ebx
		shr	eax, 0Ch
		cmp	eax, esi
		jb	loc_46A32B
		lea	eax, [ebx+0FFFFh]
		shr	eax, 0Ch
		cmp	eax, edx
		ja	loc_46A32B
		xor	esi, esi
		mov	word ptr [ebp+var_60], 2
		lea	edx, [ebp+var_2C]
		mov	[ebp+var_54], esi
		mov	ecx, 1
		mov	[ebp+var_8], edx
		xor	ebx, ebx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4], 10h
		jmp	loc_46A0F0
; 

loc_46A055:				; CODE XREF: MiResolveSharedZeroFault(x)+1E5j
		test	byte ptr [edi],	2
		jz	short loc_46A08F
		mov	esi, [edi+20h]
		mov	ecx, 0Ch
		shr	ebx, 0Ch
		lea	edi, [ebp+var_60]
		rep movsd
		mov	eax, [ebp+var_58]
		sub	edx, ebx
		mov	ebx, [ebp+var_50]
		mov	edi, 100h
		mov	esi, [ebp+var_54]
		inc	edx
		mov	[ebp+var_4], edi
		mov	[ebp+var_C], eax
		cmp	edx, edi
		jnb	short loc_46A08A
		mov	edi, edx
		mov	[ebp+var_4], edi

loc_46A08A:				; CODE XREF: MiResolveSharedZeroFault(x)+273j
		mov	edx, [ebp+var_5C]
		jmp	short loc_46A0E5
; 

loc_46A08F:				; CODE XREF: MiResolveSharedZeroFault(x)+248j
		and	cl, 70h
		cmp	cl, 20h
		jz	loc_46A32B
		mov	eax, ebx
		mov	edi, 8
		shr	ebx, 0Ch
		and	eax, 0FFFFF000h
		sub	edx, ebx
		mov	[ebp+var_2C], eax
		inc	edx
		mov	[ebp+var_4], edi
		cmp	edx, edi
		jnb	short loc_46A0BC
		mov	edi, edx
		mov	[ebp+var_4], edx

loc_46A0BC:				; CODE XREF: MiResolveSharedZeroFault(x)+2A5j
		mov	eax, edi
		mov	word ptr [ebp+var_60], 2
		shl	eax, 0Ch
		lea	edx, [ebp+var_2C]
		xor	esi, esi
		mov	[ebp+var_28], eax
		mov	eax, 1
		mov	[ebp+var_5C], edx
		xor	ebx, ebx
		mov	[ebp+var_C], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], ebx

loc_46A0E5:				; CODE XREF: MiResolveSharedZeroFault(x)+27Dj
		mov	[ebp+var_8], edx
		test	edi, edi
		jz	loc_46A32B

loc_46A0F0:				; CODE XREF: MiResolveSharedZeroFault(x)+240j
		xor	ecx, ecx
		xor	eax, eax
		mov	[ebp+var_20], ecx

loc_46A0F7:				; CODE XREF: MiResolveSharedZeroFault(x)+515j
		lea	edi, [edx+esi*8]
		mov	edx, ebx
		shl	edx, 0Ch
		add	edx, [edi]
		and	edx, 0FFFFF000h
		mov	[ebp+var_74], edi
		mov	edi, edx
		mov	[ebp+var_70], edx
		shr	edi, 9
		sub	edi, 40000000h
		mov	[ebp+var_6C], edi
		test	ecx, ecx
		jz	short loc_46A138
		add	eax, 1000h
		cmp	edx, eax
		jnz	loc_46A32B
		test	edi, 0FFFh
		jz	loc_46A32B

loc_46A138:				; CODE XREF: MiResolveSharedZeroFault(x)+30Dj
		mov	ecx, [edi]
		nop
		or	ecx, [edi+4]
		jnz	loc_46A2D9
		mov	eax, edx
		lea	ecx, [ebp+var_64]
		shr	eax, 0Ch
		push	ecx
		mov	ecx, [ebp+var_1C]
		mov	edx, eax
		push	4
		mov	[ebp+var_14], eax
		call	MiGetProtoPteAddress
		mov	edx, eax
		mov	[ebp+var_24], edx
		test	edx, edx
		jz	loc_46A32B
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+44h]
		test	eax, eax
		jns	short loc_46A190
		mov	ecx, [eax]
		mov	eax, [eax+4]
		add	ecx, 0FFFFFFFFh
		adc	eax, 0FFFFFFFFh
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+var_14]
		sub	eax, [ebp+var_68]
		cmp	eax, ecx
		ja	loc_46A32B

loc_46A190:				; CODE XREF: MiResolveSharedZeroFault(x)+361j
		shl	edi, 9
		xor	ecx, ecx
		mov	eax, edi

loc_46A197:				; CODE XREF: MiResolveSharedZeroFault(x)+396j
		cmp	eax, ds:_MmHighestUserAddress
		jbe	short loc_46A1AD
		inc	ecx
		shl	eax, 9
		cmp	ecx, 1
		jb	short loc_46A197
		jmp	loc_46A26F
; 

loc_46A1AD:				; CODE XREF: MiResolveSharedZeroFault(x)+38Dj
		mov	eax, large fs:124h
		shr	edi, 15h
		mov	eax, [eax+80h]
		mov	esi, [eax+24Ch]
		mov	eax, large fs:124h
		add	esi, 18h
		mov	eax, [eax+80h]
		lea	ecx, [esi+178h]
		mov	eax, [eax+24Ch]
		lea	eax, [eax+edi*2]
		add	eax, 190h
		inc	word ptr [eax]
		cmp	eax, ecx
		jb	short loc_46A25D
		lea	ecx, [esi+0D78h]
		cmp	eax, ecx
		jnb	short loc_46A25D
		sub	eax, esi
		mov	edx, 2
		sub	eax, 178h
		sar	eax, 1
		shl	eax, 0Ch
		sub	eax, 40000000h
		shr	eax, 9
		sub	eax, 40000000h
		mov	[ebp+var_88], eax
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_84], eax
		lea	ecx, [ecx+0]

loc_46A230:				; CODE XREF: MiResolveSharedZeroFault(x)+448j
		mov	eax, [ebp+edx*4+var_8C]
		dec	edx
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		mov	[ebp+var_14], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_46A25A
		and	ecx, 80h
		or	ecx, 0
		jnz	short loc_46A25A
		test	edx, edx
		jnz	short loc_46A230

loc_46A25A:				; CODE XREF: MiResolveSharedZeroFault(x)+439j
					; MiResolveSharedZeroFault(x)+444j
		mov	edx, [ebp+var_24]

loc_46A25D:				; CODE XREF: MiResolveSharedZeroFault(x)+3DAj
					; MiResolveSharedZeroFault(x)+3E4j
		mov	eax, [ebp+var_58]
		mov	ebx, [ebp+var_50]
		mov	esi, [ebp+var_54]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_5C]
		mov	[ebp+var_8], eax

loc_46A26F:				; CODE XREF: MiResolveSharedZeroFault(x)+398j
		mov	eax, [ebp+var_30]
		cmp	eax, 100h
		jnz	short loc_46A28B
		xor	eax, eax
		or	eax, 400h
		push	edx
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	edi, eax
		jmp	short loc_46A2CE
; 

loc_46A28B:				; CODE XREF: MiResolveSharedZeroFault(x)+467j
		mov	ecx, dword_6D0700
		mov	edi, eax
		mov	eax, dword_6D0704
		and	edi, 1Fh
		or	edi, 0F8000020h
		mov	[ebp+var_14], eax
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_24], ecx
		shld	edx, edi, 5
		mov	eax, ecx
		shl	edi, 5
		or	eax, [ebp+var_14]
		jz	short loc_46A2CE
		mov	eax, [ebp+var_14]
		and	ecx, edi
		and	eax, edx
		or	ecx, eax
		jnz	short loc_46A2CB
		or	edi, [ebp+var_24]
		or	edx, [ebp+var_14]
		jmp	short loc_46A2CE
; 

loc_46A2CB:				; CODE XREF: MiResolveSharedZeroFault(x)+4B1j
		or	edi, 10h

loc_46A2CE:				; CODE XREF: MiResolveSharedZeroFault(x)+479j
					; MiResolveSharedZeroFault(x)+4A6j ...
		mov	eax, [ebp+var_6C]
		mov	[eax], edi
		mov	[eax+4], edx
		mov	edx, [ebp+var_70]

loc_46A2D9:				; CODE XREF: MiResolveSharedZeroFault(x)+32Ej
		mov	eax, [ebp+var_74]
		inc	ebx
		mov	[ebp+var_50], ebx
		mov	ecx, [eax]
		mov	eax, [eax+4]
		and	ecx, 0FFFh
		add	eax, 0FFFh
		add	eax, ecx
		mov	ecx, [ebp+var_C]
		shr	eax, 0Ch
		cmp	ebx, eax
		jnz	short loc_46A312
		inc	esi
		xor	ebx, ebx
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], ebx
		cmp	esi, ecx
		jnb	short loc_46A314
		mov	eax, [ebp+var_8]
		cmp	[eax+esi*8+4], ebx
		jz	short loc_46A32B

loc_46A312:				; CODE XREF: MiResolveSharedZeroFault(x)+4EAj
		cmp	esi, ecx

loc_46A314:				; CODE XREF: MiResolveSharedZeroFault(x)+4F7j
		jz	short loc_46A32B
		mov	ecx, [ebp+var_20]
		mov	eax, edx
		mov	edx, [ebp+var_8]
		inc	ecx
		mov	[ebp+var_20], ecx
		cmp	ecx, [ebp+var_4]
		jb	loc_46A0F7

loc_46A32B:				; CODE XREF: MiResolveSharedZeroFault(x)+1C3j
					; MiResolveSharedZeroFault(x)+1FEj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiResolveSharedZeroFault@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckVadSequential(x)
_MiCheckVadSequential@4	proc near	; CODE XREF: .text:00467BE6p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_24], 0
		push	esi
		push	edi
		mov	cl, 2
		mov	eax, [ebx+8]
		mov	edi, eax
		mov	esi, eax
		shr	edi, 9
		and	esi, 0FFFFF003h
		mov	[ebp+var_20], eax
		mov	eax, [ebx+24h]
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		mov	[ebp+var_8], eax
		or	esi, 2
		mov	[ebp+var_1C], edi
		shr	esi, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edi, [ebp+var_8]
		add	edi, 1Ch
		mov	[ebp+var_1], al
		mov	edx, [edi]

loc_46A394:				; CODE XREF: MiCheckVadSequential(x)+284j
					; MiCheckVadSequential(x)+29Dj	...
		test	dl, 1
		jnz	loc_46A5B2
		mov	ecx, edx
		mov	eax, edx
		and	ecx, 0FFFFFFFDh
		or	ecx, 1
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	loc_46A60B
		mov	eax, [ebp+var_8]
		mov	edi, [ebp+var_1C]
		mov	eax, [eax+44h]
		mov	edx, eax
		and	edx, 7FFh
		mov	ecx, eax
		shr	ecx, 0Bh
		add	ecx, edx
		mov	[ebp+var_28], edx
		mov	edx, [ebx]
		or	edx, 20h
		shl	ecx, 0Ch
		mov	[ebp+var_10], edx
		mov	[ebx], edx
		mov	edx, [ebp+var_20]
		and	edx, 0FFFFF000h
		cmp	edx, ecx
		jz	loc_46A49A
		mov	edx, [ebp+var_20]
		cmp	edx, ecx
		jbe	short loc_46A407
		mov	[ebp+var_C], edx
		sub	[ebp+var_C], ecx
		shr	[ebp+var_C], 0Ch
		cmp	[ebp+var_C], 8
		jb	loc_46A4C2

loc_46A407:				; CODE XREF: MiCheckVadSequential(x)+B1j
		test	ecx, ecx
		jz	loc_46A557

loc_46A40F:				; CODE XREF: MiCheckVadSequential(x)+228j
		mov	edx, [ebp+var_10]
		and	edx, 0FFFFFFDFh
		mov	[ebx], edx

loc_46A417:				; CODE XREF: MiCheckVadSequential(x)+17Dj
					; MiCheckVadSequential(x)+204j	...
		test	dl, 20h
		jnz	short loc_46A45C

loc_46A41C:				; CODE XREF: MiCheckVadSequential(x)+1A5j
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_8]
		mov	eax, [eax+28h]
		and	eax, 0FDFFFFFFh
		mov	[edx+28h], eax

loc_46A42D:				; CODE XREF: MiCheckVadSequential(x)+12Aj
					; MiCheckVadSequential(x)+151j
		xor	ebx, ebx

loc_46A42F:				; CODE XREF: MiCheckVadSequential(x)+158j
		mov	[edx+44h], esi
		lea	esi, [edx+1Ch]
		mov	edx, [esi]
		mov	ecx, edx
		and	ecx, 0FFFFFFFCh
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	loc_46A5F6

loc_46A44A:				; CODE XREF: MiCheckVadSequential(x)+2C3j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_46A45C:				; CODE XREF: MiCheckVadSequential(x)+DAj
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_8]
		mov	eax, [eax+28h]
		test	eax, 2000000h
		jz	short loc_46A42D
		mov	eax, [ebp+var_20]
		mov	edi, eax
		mov	ebx, [edx+0Ch]
		shr	edi, 0Ch
		sub	edi, ebx
		shr	edi, 8
		test	ecx, ecx
		jnz	loc_46A58C
		mov	ecx, eax

loc_46A486:				; CODE XREF: MiCheckVadSequential(x)+252j
		shr	ecx, 0Ch
		sub	ecx, ebx
		shr	ecx, 8
		inc	ecx
		cmp	ecx, edi
		jnz	short loc_46A42D
		mov	ebx, 0C0000220h
		jmp	short loc_46A42F
; 

loc_46A49A:				; CODE XREF: MiCheckVadSequential(x)+A6j
		mov	edi, eax
		and	edi, 0FFFFF800h
		cmp	[ebp+var_28], 7FFh
		jz	loc_46A5E5
		lea	esi, [eax+1]
		and	esi, 7FFh
		or	esi, edi

loc_46A4BA:				; CODE XREF: MiCheckVadSequential(x)+2B1j
		mov	edx, [ebp+var_10]
		jmp	loc_46A417
; 

loc_46A4C2:				; CODE XREF: MiCheckVadSequential(x)+C1j
		mov	edx, edi
		shr	edx, 3
		and	edx, 1FFh
		mov	[ebp+var_14], edx
		mov	edx, [ebp+var_C]
		cmp	[ebp+var_14], edx
		jbe	loc_46A576
		mov	[ebp+var_14], edx
		mov	edx, [ebp+var_10]

loc_46A4E2:				; CODE XREF: MiCheckVadSequential(x)+247j
					; MiCheckVadSequential(x)+26Dj
		test	dl, 20h
		jz	loc_46A41C
		lea	edx, [edi-8]
		mov	edi, [ebp+var_14]
		mov	[ebp+var_10], edx
		test	edi, edi
		jz	short loc_46A51F

loc_46A4F8:				; CODE XREF: MiCheckVadSequential(x)+1DDj
		mov	edx, [edx]
		mov	[ebp+var_1C], edx
		nop
		and	edx, 1
		or	edx, 0
		jz	short loc_46A549
		mov	edx, [ebp+var_1C]
		and	edx, 20h
		or	edx, 0
		jz	short loc_46A549
		mov	edx, [ebp+var_10]
		sub	edx, 8
		mov	[ebp+var_10], edx
		sub	edi, 1
		jnz	short loc_46A4F8

loc_46A51F:				; CODE XREF: MiCheckVadSequential(x)+1B6j
					; MiCheckVadSequential(x)+20Bj
		mov	esi, [ebp+var_C]
		mov	edx, eax
		mov	edi, [ebp+var_28]
		inc	esi
		add	edi, esi
		and	edx, 0FFFFF800h
		cmp	edi, 7FFh
		ja	short loc_46A597
		add	esi, eax
		and	esi, 7FFh
		or	esi, edx

loc_46A542:				; CODE XREF: MiCheckVadSequential(x)+268j
		mov	edx, [ebx]
		jmp	loc_46A417
; 

loc_46A549:				; CODE XREF: MiCheckVadSequential(x)+1C4j
					; MiCheckVadSequential(x)+1CFj
		test	edi, edi
		jz	short loc_46A51F
		and	dword ptr [ebx], 0FFFFFFDFh
		mov	edx, [ebx]
		jmp	loc_46A417
; 

loc_46A557:				; CODE XREF: MiCheckVadSequential(x)+C9j
		mov	eax, [ebp+var_10]
		mov	[ebp+var_1C], eax
		mov	eax, edx
		mov	edx, [ebp+var_8]
		shr	eax, 0Ch
		cmp	eax, [edx+0Ch]
		jnz	loc_46A40F
		mov	edx, [ebp+var_1C]
		jmp	loc_46A417
; 

loc_46A576:				; CODE XREF: MiCheckVadSequential(x)+196j
		cmp	[ebp+var_14], 0
		mov	edx, [ebp+var_10]
		mov	[ebp+var_1C], edx
		jz	short loc_46A5AA
		and	edx, 0FFFFFFDFh
		mov	[ebx], edx
		jmp	loc_46A4E2
; 

loc_46A58C:				; CODE XREF: MiCheckVadSequential(x)+13Ej
		sub	ecx, 1000h
		jmp	loc_46A486
; 

loc_46A597:				; CODE XREF: MiCheckVadSequential(x)+1F6j
		shl	edi, 0Bh
		lea	esi, [edx-3FF800h]
		add	esi, edi
		or	esi, 7FFh
		jmp	short loc_46A542
; 

loc_46A5AA:				; CODE XREF: MiCheckVadSequential(x)+240j
		mov	edx, [ebp+var_1C]
		jmp	loc_46A4E2
; 

loc_46A5B2:				; CODE XREF: MiCheckVadSequential(x)+57j
		test	dl, 2
		jnz	short loc_46A5C9
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 2
		lock cmpxchg [edi], ecx
		mov	edx, eax
		jmp	loc_46A394
; 

loc_46A5C9:				; CODE XREF: MiCheckVadSequential(x)+275j
		mov	[ebp+var_24], 0

loc_46A5D0:				; CODE XREF: MiCheckVadSequential(x)+2A3j
		lea	ecx, [ebp+var_24]
		call	KeYieldProcessorEx
		mov	edx, [edi]
		test	dl, 1
		jz	loc_46A394
		jmp	short loc_46A5D0
; 

loc_46A5E5:				; CODE XREF: MiCheckVadSequential(x)+169j
		lea	esi, [edi+800h]
		or	esi, 7FFh
		jmp	loc_46A4BA
; 

loc_46A5F6:				; CODE XREF: MiCheckVadSequential(x)+104j
					; MiCheckVadSequential(x)+2C9j
		mov	ecx, eax
		mov	edx, eax
		and	ecx, 0FFFFFFFCh
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	loc_46A44A
		jmp	short loc_46A5F6
; 

loc_46A60B:				; CODE XREF: MiCheckVadSequential(x)+6Dj
		mov	edx, eax
		jmp	loc_46A394
_MiCheckVadSequential@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiResolveDemandZeroFault proc near	; CODE XREF: MiDispatchFault+26Ep
					; MiResolveProtoPteFault(x,x,x)+E78p ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B29FF SIZE 0000010F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		xor	ecx, ecx
		mov	[ebp+var_3C], 0
		push	esi
		push	edi
		mov	eax, [ebx+14h]
		mov	[ebp+var_54], ecx
		mov	[ebp+var_2C], ecx
		mov	al, [eax+60h]
		and	al, 7
		mov	[ebp+var_1], al
		jnz	short loc_46A654
		mov	ecx, 40h
		mov	[ebp+var_54], ecx

loc_46A654:				; CODE XREF: MiResolveDemandZeroFault+2Aj
		mov	eax, [ebx+8]
		mov	edi, eax
		mov	edx, eax
		mov	[ebp+var_14], eax
		and	edi, 0FFFFFFFEh
		and	edx, 1
		jnz	loc_46A91E

loc_46A66A:				; CODE XREF: MiResolveDemandZeroFault+310j
		test	cl, 0Bh
		jnz	loc_46A936
		xor	edi, edi

loc_46A675:				; CODE XREF: MiResolveDemandZeroFault+32Fj
					; MiResolveDemandZeroFault+1483F1j ...
		mov	eax, ecx
		mov	[ebp+var_34], edi
		and	al, 6
		cmp	al, 2
		jz	loc_46AA8D
		test	cl, 8
		jnz	loc_5B2A22

loc_46A68D:				; CODE XREF: MiResolveDemandZeroFault+148406j
		mov	eax, large fs:124h
		mov	esi, [ebx]
		mov	[ebp+var_C], esi
		mov	esi, [ebx+4]
		mov	eax, [eax+80h]
		shr	esi, 19h
		mov	[ebp+var_24], eax
		mov	[ebp+var_8], 0
		test	esi, esi
		jnz	short loc_46A719
		test	edx, edx
		jnz	loc_46A95A
		xor	ecx, ecx
		mov	[ebp+var_14], ecx

loc_46A6BF:				; CODE XREF: MiResolveDemandZeroFault+34Fj
					; MiResolveDemandZeroFault+35Aj
		cmp	[ebp+var_1], 0
		jnz	short loc_46A719
		mov	eax, large fs:124h
		mov	edx, [ebp+var_C]
		mov	[ebp+var_20], eax
		mov	eax, [eax+80h]
		mov	[ebp+var_1C], eax
		mov	eax, [eax+24Ch]
		cmp	edx, 0C0000000h
		jnb	loc_46A8E3

loc_46A6EC:				; CODE XREF: MiResolveDemandZeroFault+2C9j
		test	ecx, ecx
		jnz	loc_46A99B
		cmp	[eax+0B0h], ecx
		jnz	loc_46A99B
		cmp	[eax+0B4h], ecx
		jnz	loc_46A99B
		cmp	byte ptr [eax+84h], 1
		jz	loc_46A99B

loc_46A719:				; CODE XREF: MiResolveDemandZeroFault+90j
					; MiResolveDemandZeroFault+A3j	...
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_10]
		mov	[ebp+var_38], esi
		mov	esi, [ebp+var_8]
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_50], ebx
		test	esi, esi
		jnz	short loc_46A764
		mov	eax, ds:_MmHighestUserAddress
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	edx, eax
		ja	short loc_46A764
		cmp	edx, 0C0000000h
		jb	short loc_46A764
		cmp	dword_6D5100, esi
		jz	short loc_46A764
		mov	eax, [ebp+var_24]
		cmp	dword_6D514C, eax
		jz	loc_5B2A67

loc_46A764:				; CODE XREF: MiResolveDemandZeroFault+10Dj
					; MiResolveDemandZeroFault+123j ...
		mov	ecx, [edx]
		mov	[ebp+var_30], esi
		nop
		cmp	[ebp+arg_0], 0
		mov	edx, [edx+4]
		jnz	short loc_46A7B5
		mov	eax, ecx
		shrd	eax, edx, 5
		mov	edx, [ebx+8]
		and	eax, 1Fh
		test	dl, 1
		jnz	loc_46A985

loc_46A788:				; CODE XREF: MiResolveDemandZeroFault+36Bj
		and	ecx, 400h
		or	ecx, 0
		jnz	loc_46A991

loc_46A797:				; CODE XREF: MiResolveDemandZeroFault+376j
		lea	ecx, [ebp+var_54]
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_48], 0
		call	_MiResolvePrivateZeroFault@4 ; MiResolvePrivateZeroFault(x)

loc_46A7AC:				; CODE XREF: MiResolveDemandZeroFault+225j
					; MiResolveDemandZeroFault+22Fj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_46A7B5:				; CODE XREF: MiResolveDemandZeroFault+151j
		mov	eax, [ebp+var_10]
		xor	edx, edx
		mov	ecx, [ebp+var_54]
		mov	[ebp+var_48], eax
		mov	eax, 18h
		mov	[ebp+var_1C], 1
		mov	[ebp+var_18], eax
		mov	[ebp+var_1], dl
		test	cl, 15h
		jz	short loc_46A7E0
		test	cl, 40h
		jnz	loc_46AA0B

loc_46A7E0:				; CODE XREF: MiResolveDemandZeroFault+1B5j
		test	esi, esi
		jnz	loc_5B2A79

loc_46A7E8:				; CODE XREF: MiResolveDemandZeroFault+148468j
					; MiResolveDemandZeroFault+148482j ...
		cmp	[ebp+var_1], 1
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax
		jz	loc_46AA2B

loc_46A7F8:				; CODE XREF: MiResolveDemandZeroFault+416j
					; MiResolveDemandZeroFault+41Ej ...
		lea	edx, [ebp+var_1C]
		lea	ecx, [ebp+var_54]
		call	MiCreateSharedZeroPages
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_14], eax
		mov	[ebp+var_28], 0
		lea	eax, [esi+10h]
		lock bts dword ptr [eax], 1Fh
		jb	loc_46AA69

loc_46A81E:				; CODE XREF: MiResolveDemandZeroFault+468j
		mov	al, [esi+16h]
		mov	ecx, esi
		and	al, 0DFh
		mov	[esi+16h], al
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		test	eax, eax
		jnz	loc_5B2AD6

loc_46A835:				; CODE XREF: MiResolveDemandZeroFault+1484D9j
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	eax, [ebp+var_14]
		test	eax, eax
		js	loc_46A7AC
		test	byte ptr [ebp+var_54], 4
		jnz	loc_46A7AC
		mov	edx, [ebp+var_4C]
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_10]
		sub	ecx, edx
		shr	ecx, 0Ch
		neg	ecx
		mov	[ebp+var_20], edx
		test	byte ptr [ebp+var_54], 8
		mov	[ebp+arg_0], 0
		lea	eax, [eax+ecx*8]
		mov	ecx, [ebx]
		mov	[ebp+var_10], eax
		mov	[ebp+var_24], ecx
		jnz	loc_5B2AFE

loc_46A884:				; CODE XREF: MiResolveDemandZeroFault+1484E1j
		xor	esi, esi
		cmp	[ebp+var_1C], esi
		jbe	short loc_46A8D9
		mov	edi, [ebp+arg_4]
		mov	edi, edi

loc_46A890:				; CODE XREF: MiResolveDemandZeroFault+2B4j
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		push	eax
		push	ecx
		push	[ebp+arg_0]
		mov	[ebx], edx
		mov	ecx, ebx
		push	1
		mov	edx, edi
		call	_MiCompleteProtoPteFault@24 ; MiCompleteProtoPteFault(x,x,x,x,x,x)
		mov	edx, [ebp+var_20]
		add	edx, 1000h
		mov	[ebp+var_20], edx
		test	esi, esi
		jnz	short loc_46A8C0
		test	eax, eax
		js	loc_5B2B06

loc_46A8C0:				; CODE XREF: MiResolveDemandZeroFault+296j
					; MiResolveDemandZeroFault+1484E9j
		mov	eax, [ebp+var_10]
		inc	esi
		inc	large dword ptr	fs:3E28h
		add	eax, 8
		mov	[ebp+var_10], eax
		cmp	esi, [ebp+var_1C]
		jb	short loc_46A890
		mov	ecx, [ebp+var_24]

loc_46A8D9:				; CODE XREF: MiResolveDemandZeroFault+269j
		mov	eax, [ebp+var_14]
		mov	[ebx], ecx
		jmp	loc_46A7AC
; 

loc_46A8E3:				; CODE XREF: MiResolveDemandZeroFault+C6j
		cmp	edx, 0C07FFFFFh
		ja	loc_46A6EC

loc_46A8EF:				; CODE XREF: MiResolveDemandZeroFault+387j
					; MiResolveDemandZeroFault+3A4j ...
		cmp	[ebp+var_14], 0
		jz	loc_46A719
		mov	eax, [ebp+var_20]
		cmp	byte ptr [eax+16Ah], 1
		jnz	loc_46A719
		movzx	eax, word ptr [eax+168h]
		mov	ecx, [ebp+var_1C]
		movzx	esi, word ptr [ecx+eax*2+70h]
		inc	esi
		jmp	loc_46A719
; 

loc_46A91E:				; CODE XREF: MiResolveDemandZeroFault+44j
		mov	al, [edi]
		cmp	al, 2
		jnz	loc_46A9EB
		or	ecx, 1

loc_46A92B:				; CODE XREF: MiResolveDemandZeroFault+482j
					; MiResolveDemandZeroFault+1483E2j
		mov	[ebp+var_54], ecx

loc_46A92E:				; CODE XREF: MiResolveDemandZeroFault+3D5j
		cmp	al, 4
		jnz	loc_46A66A

loc_46A936:				; CODE XREF: MiResolveDemandZeroFault+4Dj
		test	edx, edx
		jz	short loc_46A943
		cmp	byte ptr [edi],	4
		jz	loc_46AA00

loc_46A943:				; CODE XREF: MiResolveDemandZeroFault+318j
					; MiResolveDemandZeroFault+3E6j
		test	cl, 2
		jnz	loc_46AAA7

loc_46A94C:				; CODE XREF: MiResolveDemandZeroFault+48Ej
					; MiResolveDemandZeroFault+49Aj
		test	cl, 8
		jz	loc_46A675
		jmp	loc_5B2A07
; 

loc_46A95A:				; CODE XREF: MiResolveDemandZeroFault+94j
		mov	ecx, [ebp+var_14]
		and	ecx, 0FFFFFFFEh
		mov	[ebp+var_14], ecx
		mov	al, [ecx]
		cmp	al, 4
		jz	loc_5B2A44
		cmp	al, 2
		jnz	loc_46A6BF
		mov	esi, [ecx+14h]

loc_46A978:				; CODE XREF: MiResolveDemandZeroFault+148442j
		test	esi, esi
		jz	loc_46A6BF
		jmp	loc_46A719
; 

loc_46A985:				; CODE XREF: MiResolveDemandZeroFault+162j
		and	edx, 0FFFFFFFEh
		cmp	byte ptr [edx],	4
		jnz	loc_46A788

loc_46A991:				; CODE XREF: MiResolveDemandZeroFault+171j
		mov	eax, 4
		jmp	loc_46A797
; 

loc_46A99B:				; CODE XREF: MiResolveDemandZeroFault+CEj
					; MiResolveDemandZeroFault+DAj	...
		mov	ecx, edx
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_46A8EF
		mov	ecx, [eax+1Ch]
		mov	esi, ecx
		shr	esi, 0Ch
		and	esi, 3Fh
		jnz	loc_46A719
		test	ecx, 100000h
		jnz	loc_46A8EF
		mov	eax, [eax+2Ch]
		mov	eax, [eax]
		test	eax, eax
		jz	loc_46A8EF
		mov	esi, [eax+1Ch]
		shr	esi, 14h
		and	esi, 3Fh
		jz	loc_46A8EF
		jmp	loc_46A719
; 

loc_46A9EB:				; CODE XREF: MiResolveDemandZeroFault+302j
		cmp	al, 1
		jz	loc_46AA9F
		cmp	al, 5
		jnz	loc_46A92E
		jmp	loc_5B29FF
; 

loc_46AA00:				; CODE XREF: MiResolveDemandZeroFault+31Dj
		mov	eax, [edi+14h]
		mov	[ebp+var_2C], eax
		jmp	loc_46A943
; 

loc_46AA0B:				; CODE XREF: MiResolveDemandZeroFault+1BAj
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_18]
		call	MiCheckVirtualAddress
		mov	esi, [ebp+var_8]
		mov	edx, eax
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_54]
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax

loc_46AA2B:				; CODE XREF: MiResolveDemandZeroFault+1D2j
		test	cl, 4
		jnz	loc_46AABF

loc_46AA34:				; CODE XREF: MiResolveDemandZeroFault+4A7j
					; MiResolveDemandZeroFault+4B8j
		test	edx, edx
		jz	loc_46A7F8
		test	esi, esi
		jz	loc_46A7F8
		cmp	eax, 18h
		jz	loc_46A7F8
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jz	loc_46A7F8
		lea	ecx, [ebp+var_54]
		call	MiExpandSharedZeroCluster
		mov	[ebp+var_1C], eax
		jmp	loc_46A7F8
; 

loc_46AA69:				; CODE XREF: MiResolveDemandZeroFault+1F8j
		mov	esi, eax
		jmp	short loc_46AA70
; 
		align 10h

loc_46AA70:				; CODE XREF: MiResolveDemandZeroFault+44Bj
					; MiResolveDemandZeroFault+45Cj ...
		lea	ecx, [ebp+var_28]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_46AA70
		lock bts dword ptr [esi], 1Fh
		jb	short loc_46AA70
		mov	esi, [ebp+arg_0]
		jmp	loc_46A81E
; 

loc_46AA8D:				; CODE XREF: MiResolveDemandZeroFault+5Ej
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_46AAE3

loc_46AA94:				; CODE XREF: MiResolveDemandZeroFault+4CAj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_46AA9F:				; CODE XREF: MiResolveDemandZeroFault+3CDj
		or	ecx, 2
		jmp	loc_46A92B
; 

loc_46AAA7:				; CODE XREF: MiResolveDemandZeroFault+326j
		test	dword ptr [edi+28h], 4000h
		jz	loc_46A94C
		or	ecx, 4
		mov	[ebp+var_54], ecx
		jmp	loc_46A94C
; 

loc_46AABF:				; CODE XREF: MiResolveDemandZeroFault+40Ej
		mov	ecx, eax
		shr	ecx, 3
		cmp	ecx, 1
		jz	loc_46AA34
		cmp	ecx, 3
		jnz	loc_5B2AC5
		test	al, 7
		jnz	loc_46AA34
		jmp	loc_5B2AC5
; 

loc_46AAE3:				; CODE XREF: MiResolveDemandZeroFault+472j
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		jmp	short loc_46AA94
MiResolveDemandZeroFault endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiResolvePrivateZeroFault(x)
_MiResolvePrivateZeroFault@4 proc near	; CODE XREF: .text:00467DCAp
					; MiResolveDemandZeroFault+187p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_20], edi
		mov	edx, [edi]
		mov	ecx, [edi+8]
		mov	ebx, [edi+20h]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_28], ebx
		test	dl, 2
		jz	short loc_46AB51
		mov	eax, [edi+10h]
		mov	[ebp+var_30], eax
		shr	eax, 3
		cmp	eax, 3
		jnz	short loc_46AB37
		test	byte ptr [ebp+var_30], 7
		jnz	short loc_46AB3C
		mov	ecx, ebx
		call	_MiAdvanceFaultList@4 ;	MiAdvanceFaultList(x)
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_46AB37:				; CODE XREF: MiResolvePrivateZeroFault(x)+2Fj
		cmp	eax, 1
		jnz	short loc_46AB41

loc_46AB3C:				; CODE XREF: MiResolvePrivateZeroFault(x)+35j
		test	dl, 4
		jnz	short loc_46AB51

loc_46AB41:				; CODE XREF: MiResolvePrivateZeroFault(x)+4Aj
		mov	ecx, ebx
		call	_MiAdvanceFaultList@4 ;	MiAdvanceFaultList(x)
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_46AB51:				; CODE XREF: MiResolvePrivateZeroFault(x)+21j
					; MiResolvePrivateZeroFault(x)+4Fj
		test	dl, 8
		jz	short loc_46AB60
		test	byte ptr [ebx+1Ch], 8
		jnz	loc_46AF63

loc_46AB60:				; CODE XREF: MiResolvePrivateZeroFault(x)+64j
		mov	esi, [edi+4]
		mov	eax, [esi+14h]
		mov	[ebp+var_10], eax
		mov	eax, edx
		and	eax, 40h
		mov	[ebp+var_30], eax
		jz	short loc_46ABA2
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+140h]
		test	eax, eax
		jz	short loc_46AB9F
		cmp	eax, large fs:124h
		jz	short loc_46AB9F
		or	dword ptr [esi+24h], 4
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_46AB9F:				; CODE XREF: MiResolvePrivateZeroFault(x)+97j
					; MiResolvePrivateZeroFault(x)+A0j
		mov	eax, [ebp+var_30]

loc_46ABA2:				; CODE XREF: MiResolvePrivateZeroFault(x)+81j
		or	esi, 0FFFFFFFFh
		shr	ecx, 9
		mov	[ebp+var_C], esi
		and	ecx, offset loc_7FFFF8
		mov	esi, [edi+1Ch]
		sub	ecx, 40000000h
		mov	[ebp+var_30], esi
		mov	ebx, 1
		mov	esi, [edi+24h]
		test	esi, esi
		mov	[ebp+var_14], esi
		mov	esi, [ebp+var_30]
		mov	[ebp+var_24], ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_18], 0
		mov	[ebp+var_8], 0
		jnz	short loc_46AC27
		test	eax, eax
		jnz	loc_46AF12
		test	dl, bl
		mov	ebx, [ebp+var_10]
		jz	loc_46AF15
		mov	al, [ebx+60h]
		and	al, 7
		cmp	al, 2
		jb	loc_46AF15
		mov	ecx, [ebp+var_28]
		mov	edx, ebx
		push	0
		call	MiComputeZeroClusterMaximum
		mov	[ebp+var_C], eax
		cmp	eax, 1
		jbe	loc_46AF15
		mov	[ebp+var_18], 1
		jmp	loc_46ACF6
; 

loc_46AC27:				; CODE XREF: MiResolvePrivateZeroFault(x)+F1j
		and	edx, 15h
		mov	[ebp+var_30], edx
		jz	short loc_46AC49
		push	[ebp+var_14]
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_28]
		call	MiComputeZeroClusterMaximum
		mov	ecx, [ebp+var_2C]
		mov	edx, [ebp+var_30]
		mov	[ebp+var_C], eax
		mov	[ebp+var_18], ebx

loc_46AC49:				; CODE XREF: MiResolvePrivateZeroFault(x)+13Dj
		mov	eax, [ebp+var_14]
		mov	eax, [eax+1Ch]
		mov	esi, eax
		shr	esi, 0Ch
		and	esi, 3Fh
		mov	[ebp+var_28], eax
		and	[ebp+var_28], 100000h
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], esi
		jz	loc_46ADC3
		shr	eax, 12h
		and	eax, 3
		cmp	ds:_MiVadPageSizes[eax*4], 10h
		jnz	loc_46ADC0
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp-1]
		mov	ecx, [ebp+var_14]
		push	eax
		mov	eax, [edi+14h]
		push	eax
		mov	eax, [edi+10h]
		push	eax
		push	10h
		mov	[ebp+var_1], 0
		call	_MiGetClusterPage@24 ; MiGetClusterPage(x,x,x,x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_46ACE1
		mov	ecx, [eax+10h]
		and	ecx, offset loc_7FFFFF
		cmp	ecx, offset loc_7FFFFF
		jnz	short loc_46ACC0
		cmp	[ebp+var_1], bl
		jnz	short loc_46ACE1
		or	dword ptr [edi], 4
		jmp	short loc_46ACE1
; 

loc_46ACC0:				; CODE XREF: MiResolvePrivateZeroFault(x)+1C4j
		mov	eax, [ebp+var_1C]
		mov	ebx, 10h
		and	eax, 0FFFF0000h
		mov	[ebp+var_24], ebx
		mov	[edi+8], eax
		shr	eax, 9
		sub	eax, 40000000h
		mov	[ebp+var_2C], eax

loc_46ACDE:				; CODE XREF: MiResolvePrivateZeroFault(x)+2D5j
					; MiResolvePrivateZeroFault(x)+2DEj ...
		mov	eax, [ebp+var_8]

loc_46ACE1:				; CODE XREF: MiResolvePrivateZeroFault(x)+1B3j
					; MiResolvePrivateZeroFault(x)+1C9j ...
		cmp	[ebp+var_18], 0
		jz	loc_46AF0E
		test	eax, eax
		jnz	loc_46AF72
		mov	eax, [ebp+var_C]

loc_46ACF6:				; CODE XREF: MiResolvePrivateZeroFault(x)+132j
		mov	ebx, 1
		cmp	eax, ebx
		jbe	short loc_46AD3A

loc_46ACFF:				; CODE XREF: MiResolvePrivateZeroFault(x)+3D8j
		mov	ecx, [ebp+var_20]
		mov	ebx, 1
		mov	esi, [ebp+var_2C]
		lea	ebx, [ebx+0]

loc_46AD10:				; CODE XREF: MiResolvePrivateZeroFault(x)+408j
		mov	edi, [esi+ebx*8]
		nop
		mov	edx, [ecx+14h]
		mov	eax, [esi+ebx*8+4]
		mov	[ebp+var_34], eax
		mov	[ebp+var_2C], edx
		test	edx, edx
		jnz	loc_46AECD
		or	edi, eax
		jz	loc_46AEF2

loc_46AD31:				; CODE XREF: MiResolvePrivateZeroFault(x)+3E6j
					; MiResolvePrivateZeroFault(x)+3F9j
		mov	eax, [ebp+var_C]

loc_46AD34:				; CODE XREF: MiResolvePrivateZeroFault(x)+40Ej
		mov	esi, [ebp+var_30]
		mov	edi, [ebp+var_20]

loc_46AD3A:				; CODE XREF: MiResolvePrivateZeroFault(x)+20Dj
		cmp	[ebp+var_18], 2
		jnz	loc_46AF08
		cmp	ebx, eax
		jnz	loc_46AF03
		mov	ecx, [ebp+var_10]
		lea	edx, [ebp+var_4C]
		xor	eax, eax
		push	esi
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], eax
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	eax, [ebp+var_4C]
		mov	ecx, 1
		lock xadd [eax], ecx
		inc	ecx
		mov	eax, [ebp+var_48]
		dec	ecx
		push	0
		and	eax, ecx
		mov	ecx, [edi+10h]
		or	eax, [ebp+var_44]
		push	4
		push	eax
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		push	eax
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	_MiGetLargePage@24 ; MiGetLargePage(x,x,x,x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_46AF08
		or	dword ptr [edi], 80h
		mov	edx, 1
		push	0
		push	0
		push	1
		push	2
		mov	ecx, eax
		call	_MiConvertEntireLargePageToSmall@24 ; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)
		jmp	loc_46AF08
; 

loc_46ADC0:				; CODE XREF: MiResolvePrivateZeroFault(x)+18Bj
		mov	eax, [ebp+var_34]

loc_46ADC3:				; CODE XREF: MiResolvePrivateZeroFault(x)+177j
		test	edx, edx
		jnz	loc_46ACDE
		test	cl, 7Fh
		jnz	loc_46ACDE
		cmp	[ebp+var_28], edx
		jz	loc_46ACDE
		and	eax, 300000h
		cmp	eax, 300000h
		jz	loc_46ACDE
		cmp	[edi+14h], edx
		jnz	loc_46ACDE
		mov	eax, [ebp+var_14]
		mov	edx, [ebp+var_1C]
		mov	eax, [eax+0Ch]
		add	eax, 10h
		shl	eax, 0Ch
		cmp	edx, eax
		jb	loc_46ACDE
		test	ecx, 0FFFh
		jz	loc_46ACDE
		cmp	edx, 0C0000000h
		jb	short loc_46AE2D
		cmp	edx, 0C07FFFFFh
		jbe	loc_46ACDE

loc_46AE2D:				; CODE XREF: MiResolvePrivateZeroFault(x)+32Fj
		xor	edx, edx
		lea	edi, [ecx-8]

loc_46AE32:				; CODE XREF: MiResolvePrivateZeroFault(x)+364j
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		mov	[ebp+var_34], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_46AE56
		and	ecx, 20h
		or	ecx, 0
		jz	short loc_46AE56
		inc	edx
		sub	edi, 8
		cmp	edx, 10h
		jb	short loc_46AE32

loc_46AE56:				; CODE XREF: MiResolvePrivateZeroFault(x)+353j
					; MiResolvePrivateZeroFault(x)+35Bj
		mov	edi, [ebp+var_20]
		cmp	edx, 10h
		jnz	loc_46ACDE
		push	[ebp+var_14]
		xor	eax, eax
		mov	[ebp+var_74], ebx
		mov	ebx, [ebp+var_10]
		lea	ecx, [ebp+var_7C]
		mov	[ebp+var_7C], eax
		mov	edx, ebx
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], eax
		mov	eax, [ebp+var_1C]
		and	eax, 0FFFFF000h
		mov	[ebp+var_3C], 10000h
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_78], eax
		mov	[ebp+var_70], 0
		mov	[ebp+var_6C], 0
		call	MiComputeZeroClusterMaximum
		cmp	eax, 10h
		jb	short loc_46AF15
		mov	[ebp+var_C], 10h
		mov	[ebp+var_18], 2
		jmp	loc_46ACFF
; 

loc_46AECD:				; CODE XREF: MiResolvePrivateZeroFault(x)+233j
		push	eax
		push	edi
		call	_IS_PTE_NOT_DEMAND_ZERO@8 ; IS_PTE_NOT_DEMAND_ZERO(x,x)
		test	eax, eax
		jnz	loc_46AD31
		mov	eax, [ebp+var_34]
		shrd	edi, eax, 5
		and	edi, 1Fh
		cmp	[ebp+var_2C], edi
		jnz	loc_46AD31
		mov	ecx, [ebp+var_20]

loc_46AEF2:				; CODE XREF: MiResolvePrivateZeroFault(x)+23Bj
		mov	eax, [ebp+var_C]
		inc	ebx
		cmp	ebx, eax
		jb	loc_46AD10
		jmp	loc_46AD34
; 

loc_46AF03:				; CODE XREF: MiResolvePrivateZeroFault(x)+256j
		mov	ebx, 1

loc_46AF08:				; CODE XREF: MiResolvePrivateZeroFault(x)+24Ej
					; MiResolvePrivateZeroFault(x)+2ABj ...
		mov	eax, [ebp+var_8]
		mov	[ebp+var_24], ebx

loc_46AF0E:				; CODE XREF: MiResolvePrivateZeroFault(x)+1F5j
		test	eax, eax
		jnz	short loc_46AF72

loc_46AF12:				; CODE XREF: MiResolvePrivateZeroFault(x)+F5j
		mov	ebx, [ebp+var_10]

loc_46AF15:				; CODE XREF: MiResolvePrivateZeroFault(x)+100j
					; MiResolvePrivateZeroFault(x)+10Dj ...
		mov	edx, [edi+10h]
		mov	ecx, 1
		test	edx, edx
		jnz	short loc_46AF26
		lea	ecx, [edx+3]
		jmp	short loc_46AF46
; 

loc_46AF26:				; CODE XREF: MiResolvePrivateZeroFault(x)+42Fj
		cmp	edx, 1Fh
		jz	short loc_46AF46
		mov	eax, edx
		shr	eax, 3
		cmp	eax, 3
		jnz	short loc_46AF3F
		test	dl, 7
		jz	short loc_46AF46
		lea	ecx, [eax-1]
		jmp	short loc_46AF46
; 

loc_46AF3F:				; CODE XREF: MiResolvePrivateZeroFault(x)+443j
		dec	eax
		neg	eax
		sbb	eax, eax
		and	ecx, eax

loc_46AF46:				; CODE XREF: MiResolvePrivateZeroFault(x)+434j
					; MiResolvePrivateZeroFault(x)+439j ...
		lea	eax, [ebp+var_24]
		mov	edx, ebx
		push	eax
		push	0FFFFFFFFh
		push	102h
		push	ecx
		push	esi
		mov	ecx, offset _MiSystemPartition
		call	_MiGetPageChain@28 ; MiGetPageChain(x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_46AF6F

loc_46AF63:				; CODE XREF: MiResolvePrivateZeroFault(x)+6Aj
		mov	eax, 0C0000017h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_46AF6F:				; CODE XREF: MiResolvePrivateZeroFault(x)+471j
		mov	ebx, [ebp+var_24]

loc_46AF72:				; CODE XREF: MiResolvePrivateZeroFault(x)+1FDj
					; MiResolvePrivateZeroFault(x)+420j
		push	ebx
		mov	edx, eax
		mov	ecx, edi
		call	_MiCompletePrivateZeroFault@12 ; MiCompletePrivateZeroFault(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiResolvePrivateZeroFault@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCompleteProtoPteFault(x, x, x, x,	x, x)
_MiCompleteProtoPteFault@24 proc near	; CODE XREF: MiIssueHardFault(x,x)+3BFp
					; .text:0045E919p ...

var_A0		= dword	ptr -0A0h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, [ecx+14h]
		mov	[ebp+var_64], eax
		mov	eax, [ecx]
		mov	[ebp+var_34], eax
		shr	eax, 9
		push	ebx
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_30], edx
		mov	edx, [ebp+arg_8]
		sub	eax, 40000000h
		push	esi
		push	edi
		mov	[ebp+var_1C], ecx
		xor	esi, esi
		mov	[ebp+var_40], 0
		mov	[ebp+var_3C], 0
		mov	[ebp+var_60], 0
		mov	[ebp+var_20], eax
		nop
		mov	eax, [ebp+arg_C]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		mov	[ebp+var_6C], edx
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_C], eax
		add	eax, 8
		mov	[ebp+var_68], eax
		mov	edi, [eax]
		mov	ebx, [eax+4]
		mov	eax, edi
		and	eax, 400h
		mov	[ebp+var_70], edi
		or	eax, esi
		mov	[ebp+var_18], ebx
		mov	[ebp+var_78], edi
		mov	[ebp+var_74], ebx
		jz	loc_46B6E5
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edx, dword_6D0704
		or	eax, edx
		mov	[ebp+var_58], edi
		jz	short loc_46B055
		mov	eax, edi
		and	eax, 10h
		or	eax, esi
		jnz	short loc_46B04F
		not	ecx
		not	edx
		and	ecx, edi
		and	ebx, edx
		mov	[ebp+var_58], ecx
		jmp	short loc_46B052
; 

loc_46B04F:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+B0j
		mov	[ebp+var_58], edi

loc_46B052:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+BDj
		mov	[ebp+var_18], ebx

loc_46B055:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+A7j
		mov	eax, [ebx]
		mov	[ebp+var_2C], eax
		cmp	_PfSnNumActiveTraces, esi
		jz	loc_46B6EB
		mov	edx, [eax+20h]
		lea	edi, [eax+20h]
		mov	[ebp+var_24], edi
		test	dl, 7
		jz	short loc_46B087

loc_46B074:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+F5j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_46B087
		mov	edx, eax
		test	al, 7
		jnz	short loc_46B074

loc_46B087:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+E2j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+EFj
		mov	ebx, edx
		and	edx, 7
		and	ebx, 0FFFFFFF8h
		mov	[ebp+var_10], ebx
		cmp	edx, 1
		ja	short loc_46B0E7
		test	edx, edx
		jz	short loc_46B0EB
		push	ecx
		mov	edx, 7
		mov	ecx, ebx
		call	ObReferenceObjectExWithTag
		mov	ecx, [edi]
		mov	eax, ecx
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		ja	short loc_46B0DA

loc_46B0B7:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+148j
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	ebx, eax
		jnz	short loc_46B0DA
		lea	edx, [ecx+7]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_46B0E7
		mov	ecx, eax
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		jbe	short loc_46B0B7

loc_46B0DA:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+125j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+12Ej
		push	ecx
		mov	edx, 7
		mov	ecx, ebx
		call	ObDereferenceObjectExWithTag

loc_46B0E7:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+105j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+13Bj
		test	ebx, ebx
		jnz	short loc_46B120

loc_46B0EB:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+109j
		mov	edi, [ebp+var_2C]
		add	edi, 24h
		push	edi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	bl, al
		mov	eax, [ebp+var_24]
		mov	eax, [eax]
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_10], eax
		jz	short loc_46B112
		mov	edx, 746C6644h
		mov	ecx, eax
		call	ObfReferenceObjectWithTag

loc_46B112:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+174j
		push	edi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_46B120:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+159j
		mov	ebx, [ebp+var_C]
		mov	eax, [ebp+var_34]
		mov	ebx, [ebx+4]
		or	ebx, 80000000h
		cmp	eax, dword_6D07D0
		jb	short loc_46B148
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_46B148
		cmp	al, 0Bh
		jnz	short loc_46B16F

loc_46B148:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+1A5j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+1B2j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	edx, [eax+180h]
		test	edx, edx
		jz	short loc_46B16F
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_46B16F
		mov	edx, [edx+8]
		jmp	short loc_46B172
; 

loc_46B16F:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+1B6j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+1CCj ...
		or	edx, 0FFFFFFFFh

loc_46B172:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+1DDj
		mov	eax, [ebp+var_18]
		mov	edi, [eax]
		mov	ecx, [eax+4]
		test	byte ptr [edi+1Ch], 20h
		jz	short loc_46B1FB
		cmp	ebx, ecx
		jb	short loc_46B1BA
		mov	eax, [eax+1Ch]
		lea	eax, [ecx+eax*8]
		cmp	ebx, eax
		jnb	short loc_46B1B7
		sub	ebx, ecx
		xor	edx, edx
		mov	ecx, [ebp+var_18]
		sar	ebx, 3
		shld	edx, ebx, 0Ch
		mov	eax, [ecx+14h]
		xor	ecx, ecx
		shld	ecx, eax, 9
		shl	ebx, 0Ch
		shl	eax, 9
		add	ebx, eax
		adc	edx, ecx
		mov	[ebp+var_14], edx
		jmp	loc_46B244
; 

loc_46B1B7:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+1FCj
		mov	eax, [ebp+var_18]

loc_46B1BA:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+1F2j
		test	byte ptr [eax+12h], 2
		jz	short loc_46B1CA
		push	eax
		mov	ecx, edi
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		jmp	short loc_46B1CD
; 

loc_46B1CA:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+22Ej
		mov	eax, [eax+0Ch]

loc_46B1CD:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+238j
		mov	eax, [eax+24h]
		xor	edi, edi
		mov	ecx, [ebp+var_18]
		sub	ebx, eax
		sar	ebx, 3
		mov	eax, ebx
		cdq
		mov	ecx, [ecx+14h]
		mov	ebx, eax
		mov	eax, edx
		shld	eax, ebx, 0Ch
		shld	edi, ecx, 9
		shl	ebx, 0Ch
		shl	ecx, 9
		add	ebx, ecx
		adc	eax, edi
		mov	[ebp+var_14], eax
		jmp	short loc_46B244
; 

loc_46B1FB:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+1EEj
		test	ecx, ecx
		jnz	short loc_46B206
		xor	edi, edi
		mov	[ebp+var_8], esi
		jmp	short loc_46B21F
; 

loc_46B206:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+26Dj
		sub	ebx, ecx
		sar	ebx, 3
		mov	eax, ebx
		cdq
		mov	edi, eax
		mov	eax, edx
		shld	eax, edi, 0Ch
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_18]
		shl	edi, 0Ch

loc_46B21F:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+274j
		mov	cx, [eax+10h]
		xor	ebx, ebx
		shr	cx, 6
		movzx	eax, cx
		cdq
		mov	ecx, eax
		mov	eax, [ebp+var_18]
		or	ebx, [eax+14h]
		shld	ecx, ebx, 0Ch
		shl	ebx, 0Ch
		add	ebx, edi
		adc	ecx, [ebp+var_8]
		mov	[ebp+var_14], ecx

loc_46B244:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+222j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+269j
		mov	eax, [ebp+var_2C]
		mov	eax, [eax+1Ch]
		and	eax, 20h
		mov	[ebp+var_4C], eax
		mov	eax, large fs:124h
		mov	[ebp+var_38], eax
		mov	edi, [eax+80h]
		add	edi, 1E8h
		mov	[ebp+var_8], edi
		mov	edx, [edi]
		test	dl, 7
		jz	short loc_46B283
		nop

loc_46B270:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+2F1j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_46B283
		mov	edx, eax
		test	al, 7
		jnz	short loc_46B270

loc_46B283:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+2DDj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+2EBj
		mov	edi, edx
		and	edi, 0FFFFFFF8h
		jz	loc_46B6B1
		and	edx, 7
		cmp	edx, 1
		ja	loc_46B3E6
		test	edx, edx
		jnz	short loc_46B302
		mov	[ebp+var_1], 1
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_6D4958
		mov	[ebp+var_25], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_8]
		mov	edi, [eax]
		and	edi, 0FFFFFFF8h
		jz	short loc_46B2CD
		lea	ecx, [edi+104h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	[ebp+var_1], al

loc_46B2CD:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+32Dj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_6D4958
		jz	short loc_46B2E5
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_46B2EA
; 

loc_46B2E5:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+349j
		xor	eax, eax
		lock and [ecx],	eax

loc_46B2EA:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+353j
		mov	cl, [ebp+var_25]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_1], 0
		jnz	loc_46B3E6
		jmp	loc_46B6B1
; 

loc_46B302:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+30Cj
		mov	edx, [edi+104h]
		test	dl, 1
		jnz	loc_46B3E6

loc_46B311:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+39Dj
		lea	ecx, [edx+0Eh]
		mov	eax, edx
		lea	esi, [edi+104h]
		lock cmpxchg [esi], ecx
		mov	esi, 0
		cmp	eax, edx
		jz	short loc_46B334
		mov	edx, eax
		test	al, 1
		jz	short loc_46B311
		jmp	loc_46B3E6
; 

loc_46B334:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+397j
		mov	eax, [ebp+var_8]
		mov	ecx, [eax]
		mov	eax, ecx
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		ja	short loc_46B375

loc_46B346:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+3E3j
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	edi, eax
		jnz	short loc_46B375
		mov	esi, [ebp+var_8]
		lea	edx, [ecx+7]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	esi, 0
		cmp	eax, ecx
		jz	loc_46B3E6
		mov	ecx, eax
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		jbe	short loc_46B346

loc_46B375:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+3B4j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+3BDj
		mov	edx, [edi+104h]
		xor	eax, eax
		mov	[ebp+var_90], eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_88], eax
		mov	[ebp+var_84], eax
		test	dl, 1
		jnz	short loc_46B3BE
		lea	ebx, [ebx+0]

loc_46B3A0:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+42Cj
		lea	ecx, [edx-0Eh]
		mov	eax, edx
		lea	esi, [edi+104h]
		lock cmpxchg [esi], ecx
		mov	esi, 0
		cmp	eax, edx
		jz	short loc_46B3E6
		mov	edx, eax
		test	al, 1
		jz	short loc_46B3A0

loc_46B3BE:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+408j
		and	edx, 0FFFFFFFEh
		mov	eax, 0FFFFFFF9h
		lock xadd [edx], eax
		cmp	eax, 7
		jnz	short loc_46B3E6
		lea	eax, [edx+14h]
		lock btr dword ptr [eax], 0
		jb	short loc_46B3E6
		push	0
		push	0
		lea	eax, [edx+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_46B3E6:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+304j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+367j ...
		test	edi, edi
		jz	loc_46B6B1
		mov	edx, [ebp+var_38]
		test	byte ptr [edx+304h], 40h
		jnz	loc_46B6A6
		mov	eax, [edx+150h]
		mov	ecx, [edx+2FCh]
		test	dword ptr [eax+0FCh], 100000h
		jnz	short loc_46B424
		and	ecx, 0E00h
		cmp	ecx, 400h
		jnb	short loc_46B43E

loc_46B424:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+484j
		cmp	edx, large fs:124h
		jnz	loc_46B69F
		cmp	dword ptr [edx+32Ch], 0
		jz	loc_46B69F

loc_46B43E:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+492j
		mov	eax, [edi+12Ch]
		test	eax, eax
		jz	short loc_46B462
		cmp	eax, edx
		jnz	loc_46B6A6
		mov	eax, [edx+2B0h]
		cmp	[edi+130h], eax
		jnz	loc_46B6A6

loc_46B462:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+4B6j
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		mov	eax, [edx+0Ch]
		mov	[ebp+var_44], eax
		call	PfSnGetFileInformation
		lea	ecx, [edi+150h]
		mov	edx, 1
		test	[ecx], dl
		jnz	short loc_46B494
		mov	eax, [edi+100h]
		cmp	byte ptr [eax+2A2h], 2
		jnz	short loc_46B494
		lock or	[ecx], dx

loc_46B494:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+4EFj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+4FEj
		mov	eax, [ebp+var_14]
		cmp	eax, 40h
		ja	loc_46B6A6
		jb	short loc_46B4AA
		test	ebx, ebx
		jnb	loc_46B6A6

loc_46B4AA:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+510j
		shrd	ebx, eax, 9
		xor	eax, eax
		mov	[ebp+var_5C], 0
		cmp	[ebp+var_4C], eax
		mov	[ebp+var_38], ebx
		setnz	al
		mov	[ebp+var_14], eax
		mov	eax, dword_6FB628
		mov	[ebp+var_4C], eax
		nop
		cmp	eax, [edi+11Ch]
		jz	short loc_46B508
		lea	eax, [ebp+var_5C]
		mov	ecx, edi
		push	eax
		call	PfSnTraceGetLogEntry
		test	eax, eax
		js	short loc_46B508
		mov	ecx, [ebp+var_5C]
		mov	eax, [ecx]
		and	eax, 0FFFFFFFAh
		or	eax, 2
		mov	[ecx], eax
		mov	eax, [ebp+var_4C]
		mov	[ecx+4], eax
		mov	[edi+11Ch], eax
		lea	eax, [edi+124h]
		mov	[edi+120h], eax

loc_46B508:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+542j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+551j
		cmp	[ebp+var_14], 0
		jnz	short loc_46B529
		mov	ecx, [edi+120h]
		mov	eax, [ecx]
		shr	eax, 3
		cmp	eax, ebx
		jnz	short loc_46B529
		mov	eax, [ebp+var_44]
		cmp	[ecx+4], eax
		jz	loc_46B6A6

loc_46B529:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+57Cj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+58Bj
		lea	ecx, [edi+0FCh]
		mov	ebx, 1
		mov	[ebp+var_4C], ecx
		mov	eax, ebx
		lock xadd [ecx], eax
		inc	eax
		cmp	eax, [edi+0F8h]
		jle	short loc_46B578
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		mov	edx, 3
		lea	ecx, [edi+118h]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	loc_46B6A6
		push	ebx
		lea	eax, [edi+108h]
		push	eax
		call	ExQueueWorkItem
		jmp	loc_46B6A6
; 

loc_46B578:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+5B4j
		mov	ecx, [edi+50h]
		mov	eax, ebx
		mov	[ebp+var_8], ecx
		lea	edx, [ecx+8]
		lock xadd [edx], eax
		inc	eax
		or	ebx, 0FFFFFFFFh
		test	eax, eax
		jle	loc_46B696

loc_46B593:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+6C6j
		cmp	eax, [ecx+0Ch]
		jle	loc_46B667
		mov	eax, ebx
		lock xadd [edx], eax
		call	_PfSnTraceBufferAllocate@0 ; PfSnTraceBufferAllocate()
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_46B693
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+60h]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+var_8]
		cmp	[edi+50h], ecx
		jz	short loc_46B5FB
		test	ds:byte_70EFC6,	1
		jz	short loc_46B5E0
		mov	edx, [ebp+4]
		lea	ecx, [edi+60h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_46B5E8
; 

loc_46B5E0:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+641j
		xor	ecx, ecx
		lea	eax, [edi+60h]
		lock and [eax],	ecx

loc_46B5E8:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+64Ej
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_46B63C
; 

loc_46B5FB:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+638j
		mov	ecx, [edi+58h]
		lea	eax, [edi+54h]
		cmp	[ecx], eax
		jnz	short loc_46B660
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		mov	[eax+4], ebx
		inc	dword ptr [edi+5Ch]
		mov	[edi+50h], ebx
		test	ds:byte_70EFC6,	1
		jz	short loc_46B62B
		mov	edx, [ebp+4]
		lea	ecx, [edi+60h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_46B633
; 

loc_46B62B:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+68Cj
		xor	ecx, ecx
		lea	eax, [edi+60h]
		lock and [eax],	ecx

loc_46B633:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+699j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_46B63C:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+669j
		mov	ecx, [edi+50h]
		mov	eax, 1
		mov	[ebp+var_8], ecx
		lea	edx, [ecx+8]
		lock xadd [edx], eax
		inc	eax
		mov	ebx, 0FFFFFFFFh
		test	eax, eax
		jg	loc_46B593
		or	ebx, ebx
		jmp	short loc_46B696
; 

loc_46B660:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+673j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_46B667:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+606j
		mov	edx, [ebp+var_14]
		lea	ecx, [ecx+eax*8]
		mov	eax, [ebp+var_44]
		add	ecx, 8
		mov	[ecx+4], eax
		mov	eax, [ebp+var_38]
		shl	eax, 3
		or	eax, edx
		mov	[ecx], eax
		lock inc dword ptr [edi+0F0h]
		test	edx, edx
		jnz	short loc_46B6A6
		mov	[edi+120h], ecx
		jmp	short loc_46B6A6
; 

loc_46B693:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+61Bj
		or	ebx, 0FFFFFFFFh

loc_46B696:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+5FDj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+6CEj
		mov	eax, [ebp+var_4C]
		lock xadd [eax], ebx
		jmp	short loc_46B6A6
; 

loc_46B69F:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+49Bj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+4A8j
		lock inc dword ptr [edi+0F4h]

loc_46B6A6:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+468j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+4BAj ...
		lea	ecx, [edi+104h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_46B6B1:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+2F8j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+36Dj ...
		mov	edi, [ebp+var_24]
		mov	ebx, [ebp+var_10]
		mov	ecx, [edi]
		mov	eax, ecx
		xor	eax, ebx
		cmp	eax, 7
		jnb	short loc_46B6D8

loc_46B6C2:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+746j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_46B6EB
		mov	ecx, eax
		xor	eax, ebx
		cmp	eax, 7
		jb	short loc_46B6C2

loc_46B6D8:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+730j
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	short loc_46B6EB
; 

loc_46B6E5:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+8Ej
		mov	[ebp+var_18], esi
		mov	[ebp+var_2C], esi

loc_46B6EB:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+D0j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+73Dj ...
		mov	ebx, [ebp+var_20]
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_58], 0
		mov	[ebp+var_54], 0
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[ebp+var_80], edx
		mov	[ebp+var_7C], eax
		nop
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		mov	[ebp+var_54], 0
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_38], eax
		lea	edi, [eax+10h]
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_46B764
		lea	esp, [esp+0]

loc_46B750:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+7CBj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+7D2j
		lea	ecx, [ebp+var_54]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_46B750
		lock bts dword ptr [edi], 1Fh
		jb	short loc_46B750

loc_46B764:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+7B7j
		mov	eax, [edi]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 3FFFFFFFh
		xor	ecx, eax
		mov	eax, 7FFFFFFFh
		mov	[edi], ecx
		lock and [edi],	eax
		mov	ecx, [ebx]
		nop
		mov	edx, [ebx+4]
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jz	short loc_46B7CA
		mov	eax, dword_6D0704
		mov	ebx, edx
		mov	edi, dword_6D0700
		mov	[ebp+var_24], eax
		mov	eax, edi
		or	eax, [ebp+var_24]
		jz	short loc_46B7B7
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_46B7B7
		mov	edx, [ebp+var_24]
		not	edx
		and	edx, ebx

loc_46B7B7:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+814j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+81Ej
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_46B7CA
		shrd	ecx, ebx, 5
		and	ecx, 1Fh
		mov	edx, ecx
		mov	[ebp+var_10], edx
		jmp	short loc_46B804
; 

loc_46B7CA:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+7FDj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+82Aj
		mov	edx, [ebp+var_78]
		nop
		mov	eax, [ebp+var_74]
		and	ecx, 8
		shrd	edx, eax, 5
		mov	esi, 1
		and	edx, 1Fh
		or	ecx, 0
		mov	[ebp+var_10], edx
		jz	short loc_46B7ED
		mov	edx, esi
		mov	[ebp+var_10], edx

loc_46B7ED:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+856j
		mov	ecx, [ebp+var_30]
		test	ecx, ecx
		jz	short loc_46B804
		mov	al, dl
		and	al, 4
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_30], eax

loc_46B804:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+838j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+862j
		test	byte ptr ds:_MiFlags+2,	1
		jz	loc_46B8C5
		mov	edi, [ebp+var_34]
		cmp	edi, dword_6D07D0
		jb	loc_46B8C5
		cmp	edi, 0C0000000h
		jb	short loc_46B834
		cmp	edi, 0C07FFFFFh
		jbe	loc_46B8C5

loc_46B834:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+896j
		test	dl, 2
		jz	loc_46B8C5
		test	ds:_MiFlags, 20000h
		jnz	short loc_46B878
		mov	ecx, [ebp+var_C]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_46B878
		mov	eax, [ebp+var_68]
		mov	eax, [eax]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_46B878
		mov	ecx, edi
		xor	ebx, ebx
		call	_MiIsAddressInDriverView@4 ; MiIsAddressInDriverView(x)
		test	eax, eax
		jz	short loc_46B886
		mov	ebx, 1
		jmp	short loc_46B886
; 

loc_46B878:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+8B7j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+8C3j ...
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		push	0
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		mov	ebx, eax

loc_46B886:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+8DFj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+8E6j
		test	bl, 1
		jz	short loc_46B89C
		mov	ecx, 3
		mov	[ebp+var_30], 0
		mov	[ebp+var_10], ecx
		jmp	short loc_46B8C8
; 

loc_46B89C:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+8F9j
		test	bl, 8
		jz	short loc_46B8B0
		mov	ecx, 1
		xor	eax, eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_30], eax
		jmp	short loc_46B8C8
; 

loc_46B8B0:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+90Fj
		mov	ecx, [ebp+var_10]
		and	ecx, 0FFFFFFFDh
		mov	[ebp+var_10], ecx
		jnz	short loc_46B8C8
		mov	ecx, 1
		mov	[ebp+var_10], ecx
		jmp	short loc_46B8C8
; 

loc_46B8C5:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+87Bj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+88Aj ...
		mov	ecx, [ebp+var_10]

loc_46B8C8:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+90Aj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+91Ej ...
		mov	eax, [ebp+var_C]
		and	ecx, 0FFFFFFE7h
		mov	al, [eax+16h]
		shr	al, 6
		cmp	al, 1
		jz	short loc_46B8E8
		test	al, al
		jnz	short loc_46B8E1
		or	ecx, 8
		jmp	short loc_46B8E8
; 

loc_46B8E1:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+94Aj
		cmp	al, 2
		jnz	short loc_46B8E8
		or	ecx, 18h

loc_46B8E8:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+946j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+94Fj ...
		mov	ebx, ds:_MmProtectToPteMask[ecx*8]
		xor	eax, eax
		mov	edx, [ebp+var_6C]
		and	ebx, 0E7Fh
		mov	ecx, ds:dword_40B4DC[ecx*8]
		shld	eax, edx, 0Ch
		and	ecx, 0FFFFFFE0h
		shl	edx, 0Ch
		or	ecx, eax
		or	ebx, edx
		mov	edx, [ebp+var_20]
		mov	edi, edx
		or	ebx, 21h
		shl	edi, 9
		lea	eax, [edx+3FA00000h]
		cmp	eax, 3FFFh
		ja	short loc_46B951
		cmp	edx, 0C0603018h
		jnz	short loc_46B937
		or	ecx, 80000000h
		jmp	short loc_46B93D
; 

loc_46B937:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+99Dj
		and	ecx, 7FFFFFFFh

loc_46B93D:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+9A5j
		mov	[ebp+var_8], ecx
		mov	ecx, edx
		call	_MiUserPdeOrAbove@4 ; MiUserPdeOrAbove(x)
		mov	ecx, [ebp+var_8]
		test	eax, eax
		jz	short loc_46B951
		or	ebx, 4

loc_46B951:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+995j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+9BCj
		mov	edx, ds:_MmHighestUserAddress
		mov	eax, edx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	[ebp+var_20], eax
		ja	short loc_46B96E
		or	ebx, 4

loc_46B96E:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+9D9j
		cmp	edi, dword_6D07D0
		jnb	short loc_46B97F
		movzx	eax, byte ptr word_6D07B8+1
		jmp	short loc_46B9BD
; 

loc_46B97F:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+9E4j
		mov	eax, edi
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_46B9C7
		cmp	al, 0Bh
		jz	short loc_46B9C7
		lea	eax, [edi+40000000h]
		cmp	eax, offset loc_7FFFFF
		jbe	short loc_46B9C7
		cmp	edi, dword_6D2E88
		jb	short loc_46B9B6
		movzx	eax, byte ptr word_6D07B8+1
		cmp	edi, dword_6D2E8C
		jbe	short loc_46B9BD

loc_46B9B6:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+A15j
		movzx	eax, byte ptr word_6D07B8

loc_46B9BD:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+9EDj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+A24j
		test	eax, eax
		jz	short loc_46B9C7
		or	ebx, 100h

loc_46B9C7:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+9FCj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+A00j ...
		cmp	[ebp+var_30], 0
		mov	eax, ecx
		mov	edi, ebx
		mov	[ebp+var_14], eax
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], eax
		jz	loc_46BB1E
		mov	eax, [ebp+var_1C]
		mov	eax, [eax]
		cmp	eax, edx
		ja	short loc_46BA2A
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	ecx, ecx
		jl	short loc_46BA1B
		jg	short loc_46B9FD
		test	ebx, ebx
		jb	short loc_46BA1B

loc_46B9FD:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+A67j
		test	byte ptr [eax+0FCh], 10h
		jz	short loc_46BA1B
		mov	edx, [ebp+var_3C]
		mov	edi, [ebp+var_40]
		mov	[ebp+var_30], 0
		mov	[ebp+var_14], edx
		jmp	loc_46BB1E
; 

loc_46BA1B:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+A65j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+A6Bj ...
		mov	eax, [eax+4B4h]
		mov	edx, [ebp+var_3C]
		mov	edi, [ebp+var_40]
		mov	[ebp+var_14], edx

loc_46BA2A:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+A55j
		mov	eax, [ebp+var_10]
		and	eax, 5
		cmp	al, 5
		jz	loc_46BB1E
		mov	edi, ebx
		mov	edx, ecx
		mov	ebx, [ebp+var_C]
		or	edi, 42h
		mov	[ebp+var_14], edx
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], edx
		test	byte ptr [ebx+16h], 10h
		jnz	loc_46BAFE
		mov	eax, [ebx+8]
		lea	ecx, [ebx+8]
		and	eax, 400h
		or	eax, 0
		jnz	loc_46BAFE
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jz	loc_46BAFE
		mov	ecx, ebx
		mov	[ebp+var_24], 0
		mov	[ebp+var_44], 0
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	bh, al
		mov	eax, [ebp+var_C]
		mov	bl, [eax+16h]
		test	bl, 10h
		jnz	short loc_46BACB
		mov	edx, [eax+8]
		lea	ecx, [eax+8]
		and	edx, 400h
		or	edx, 0
		jnz	short loc_46BACB
		test	bl, 8
		jnz	short loc_46BAC5
		push	edx
		mov	edx, 1
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_44], edx
		mov	bl, [eax+16h]

loc_46BAC5:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+B1Cj
		or	bl, 10h
		mov	[eax+16h], bl

loc_46BACB:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+B06j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+B17j
		add	eax, 10h
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	ecx, [ebp+var_24]
		mov	eax, ecx
		mov	edx, [ebp+var_44]
		or	eax, edx
		jz	short loc_46BAF3
		push	edx
		push	ecx
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_46BAF3:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+B50j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+var_C]

loc_46BAFE:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+ABFj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+AD3j ...
		mov	eax, [ebp+var_70]
		and	eax, 400h
		or	eax, 0
		jz	short loc_46BB1E
		mov	eax, [ebp+var_64]
		mov	al, [eax+60h]
		and	al, 7
		cmp	al, 2
		jz	short loc_46BB1E
		mov	ecx, ebx
		call	_MiCheckAndUpdateIoAttribution@4 ; MiCheckAndUpdateIoAttribution(x)

loc_46BB1E:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+A48j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+A86j ...
		xor	edx, edx
		xor	ebx, ebx
		mov	[ebp+var_8], edx
		cmp	[ebp+arg_0], edx
		jnz	loc_46BC23
		mov	eax, [ebp+var_C]
		test	dword ptr [eax+18h], 800000h
		jnz	short loc_46BB47
		mov	eax, [eax+4]
		test	eax, eax
		js	short loc_46BB47
		jnz	loc_46BC23

loc_46BB47:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+BA8j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+BAFj
		mov	ecx, [ebp+var_34]
		cmp	ecx, dword_6D07D0
		jb	short loc_46BB7C
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jz	short loc_46BB63
		test	byte ptr [eax+1Ch], 20h
		jz	loc_46BC23

loc_46BB63:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+BC7j
		lea	eax, [ebp+var_60]
		push	eax
		lea	edx, [ebp+var_2C]
		call	_MiSystemImageHasPrivateFixups@12 ; MiSystemImageHasPrivateFixups(x,x,x)
		mov	edx, [ebp+var_2C]
		mov	ecx, eax
		mov	eax, [ebp+var_60]
		jmp	loc_46BCCA
; 

loc_46BB7C:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+BC0j
		cmp	[ebp+var_18], edx
		jz	short loc_46BB90
		mov	eax, [ebp+var_2C]
		test	byte ptr [eax+1Ch], 20h
		jz	loc_46BC23
		jmp	short loc_46BBBC
; 

loc_46BB90:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+BEFj
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		cmp	[ecx+148h], edx
		jz	short loc_46BBB9
		mov	eax, [ebp+var_C]
		mov	edx, [eax+4]
		or	edx, 80000000h
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		test	eax, eax
		jnz	short loc_46BC18

loc_46BBB9:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+C12j
		mov	ecx, [ebp+var_34]

loc_46BBBC:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+BFEj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		cmp	[eax+98h], ebx
		jz	short loc_46BC18
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	edi, [eax+354h]
		test	edi, edi
		jz	short loc_46BC18
		shr	ecx, 0Ch
		cmp	ecx, [edi+0Ch]
		jb	short loc_46BBF9
		cmp	ecx, [edi+10h]
		jbe	short loc_46BC65

loc_46BBF9:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+C62j
		mov	edi, [eax+350h]
		test	edi, edi
		jz	short loc_46BC18

loc_46BC03:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+C86j
		cmp	ecx, [edi+10h]
		ja	short loc_46BC11
		cmp	ecx, [edi+0Ch]
		jnb	short loc_46BC5B
		mov	edi, [edi]
		jmp	short loc_46BC14
; 

loc_46BC11:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+C76j
		mov	edi, [edi+4]

loc_46BC14:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+C7Fj
		test	edi, edi
		jnz	short loc_46BC03

loc_46BC18:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+C27j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+C44j ...
		mov	ecx, [ebp+var_3C]
		mov	edi, [ebp+var_40]
		mov	[ebp+var_14], ecx

loc_46BC21:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+D3Cj
		xor	edx, edx

loc_46BC23:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+B98j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+BB1j ...
		mov	eax, esi
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, [ebp+var_10]
		mov	[ebp+arg_C], eax
		mov	eax, [ebp+arg_4]
		mov	ecx, eax
		and	ecx, 0FFFFFFFEh
		mov	[ebp+arg_4], ecx
		and	eax, 1
		jz	loc_46BD85
		cmp	byte ptr [ecx],	5
		jnz	loc_46BD85
		mov	[ebp+arg_0], ecx
		jmp	loc_46BD8F
; 

loc_46BC5B:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+C7Bj
		test	edi, edi
		jz	short loc_46BC18
		mov	[eax+354h], edi

loc_46BC65:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+C67j
		test	edi, edi
		jz	short loc_46BC18
		mov	edx, [edi+1Ch]
		mov	eax, edx
		and	al, 70h
		cmp	al, 20h
		jnz	short loc_46BC18
		test	edx, 100000h
		jnz	short loc_46BC18
		test	edx, 200000h
		jz	short loc_46BC18
		mov	eax, [edi+2Ch]
		mov	edx, [eax]
		mov	eax, [edi+30h]
		mov	[ebp+arg_C], edx
		sub	eax, [edx+54h]
		sar	eax, 3
		sub	eax, [edi+0Ch]
		add	eax, ecx
		mov	edx, eax
		mov	[ebp+arg_0], eax
		mov	eax, [edi+54h]
		mov	cl, byte ptr [ebp+arg_0]
		shr	edx, 3
		and	cl, 7
		mov	al, [edx+eax]
		sar	al, cl
		test	al, 1
		jz	loc_46BC18
		mov	edx, [ebp+var_3C]
		mov	ecx, [edi+4Ch]
		mov	edi, [ebp+var_40]
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_14], edx
		mov	edx, [ebp+arg_C]

loc_46BCCA:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+BE7j
		test	ecx, ecx
		jz	loc_46BC21
		mov	esi, [ebp+var_C]
		push	ecx
		mov	ecx, [ebp+var_1C]
		push	esi
		push	eax
		call	_MiPrivateFixup@20 ; MiPrivateFixup(x,x,x,x,x)
		xor	edx, edx
		mov	ecx, esi
		mov	ebx, eax
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		cmp	ebx, 129h
		jz	short loc_46BD63
		cmp	ebx, 0C000009Ah
		jz	short loc_46BD63
		test	ebx, ebx
		js	short loc_46BD7A
		mov	ecx, [ebp+var_20]
		call	_MiMakeTransitionPteValid@4 ; MiMakeTransitionPteValid(x)
		mov	edi, eax
		mov	[ebp+var_14], edx
		nop
		mov	eax, ds:_MmPfnDatabase
		mov	esi, edi
		mov	ecx, edx
		shrd	esi, ecx, 0Ch
		and	esi, 1FFFFFFh
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		lea	eax, [eax+ecx*4]
		mov	ecx, [ebp+var_34]
		mov	[ebp+var_C], eax
		cmp	ecx, dword_6D07D0
		jb	short loc_46BD56
		test	byte ptr [eax+17h], 8
		jz	short loc_46BD56
		mov	edx, 2
		mov	[ebp+var_10], 0
		mov	[ebp+var_8], edx
		mov	esi, edx
		jmp	loc_46BC23
; 

loc_46BD56:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+DA8j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+DAEj
		xor	edx, edx
		mov	[ebp+var_10], edx
		lea	esi, [edx+2]
		jmp	loc_46BC23
; 

loc_46BD63:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+D61j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+D69j
		mov	ecx, [ebp+var_38]
		xor	edx, edx
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		cmp	ebx, 129h
		jnz	short loc_46BD7A
		mov	ebx, 0C0000434h

loc_46BD7A:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+D6Dj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+DE3j ...
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_46BD85:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+CB4j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+CBDj
		mov	[ebp+arg_0], 0
		mov	[ebp+arg_4], ecx

loc_46BD8F:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+CC6j
		mov	ecx, [ebp+var_14]
		test	eax, eax
		jz	short loc_46BDA4
		mov	eax, [ebp+arg_4]
		cmp	byte ptr [eax],	3
		jnz	short loc_46BDA4
		or	edx, 1
		mov	[ebp+var_8], edx

loc_46BDA4:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+E04j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+E0Cj
		mov	edx, [ebp+var_1C]
		mov	dl, [edx+1Dh]
		test	dl, 8
		jz	short loc_46BDC7
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+8]
		test	al, 1
		jz	short loc_46BDC1
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	2
		jz	short loc_46BDC7

loc_46BDC1:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+E27j
		and	edi, 0FFFFFFDFh
		mov	[ebp+var_14], ecx

loc_46BDC7:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+E1Dj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+E2Fj
		mov	al, dl
		and	al, 5
		cmp	al, 4
		jnz	loc_46BE83
		test	dl, 2
		jnz	loc_46BE83
		mov	ecx, [ebp+var_1C]
		movzx	eax, word ptr [ecx+1Ah]
		test	ax, ax
		jz	short loc_46BE21
		movzx	ecx, word ptr [ecx+18h]
		add	ecx, eax
		mov	eax, [ebp+var_20]
		shr	eax, 3
		and	eax, 1FFh
		cmp	ecx, eax
		jnz	short loc_46BE16
		mov	ecx, [ebp+var_C]
		and	dl, 10h
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_46BE12
		test	dl, dl
		jz	short loc_46BE24
		jmp	short loc_46BE16
; 

loc_46BE12:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+E7Aj
		test	dl, dl
		jnz	short loc_46BE24

loc_46BE16:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+E6Bj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+E80j
		mov	ecx, [ebp+var_1C]
		lea	ecx, [ecx+14h]
		call	_MiEmptyDeferredWorkingSetEntries@4 ; MiEmptyDeferredWorkingSetEntries(x)

loc_46BE21:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+E56j
		mov	ecx, [ebp+var_C]

loc_46BE24:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+E7Ej
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+E84j
		mov	edx, [ebp+var_1C]
		movzx	eax, word ptr [edx+1Ah]
		test	ax, ax
		jnz	short loc_46BE76
		mov	eax, 1
		mov	[edx+1Ah], ax
		mov	eax, [ebp+var_20]
		shr	eax, 3
		and	eax, 1FFh
		mov	[edx+18h], ax
		mov	dl, [edx+1Dh]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_46BE65
		mov	ecx, [ebp+var_1C]
		and	dl, 0EFh
		mov	[ecx+1Dh], dl
		mov	eax, [ebp+var_8]
		or	eax, 4
		jmp	short loc_46BE86
; 

loc_46BE65:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+EC2j
		mov	ecx, [ebp+var_1C]
		or	dl, 10h
		mov	[ecx+1Dh], dl
		mov	eax, [ebp+var_8]
		or	eax, 4
		jmp	short loc_46BE86
; 

loc_46BE76:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+E9Ej
		inc	eax
		mov	[edx+1Ah], ax
		mov	eax, [ebp+var_8]
		or	eax, 4
		jmp	short loc_46BE86
; 

loc_46BE83:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+E3Dj
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+E46j
		mov	eax, [ebp+var_8]

loc_46BE86:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+ED3j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+EE4j ...
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_64]
		push	edx
		mov	edx, [ebp+var_20]
		push	edi
		push	[ebp+arg_0]
		push	eax
		push	[ebp+arg_C]
		push	[ebp+var_C]
		call	_MiAllocateWsle@32 ; MiAllocateWsle(x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_46BECD
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		cmp	esi, 2
		jnb	short loc_46BEBD
		mov	ecx, [ebp+var_38]
		xor	edx, edx
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)

loc_46BEBD:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+F21j
		mov	ebx, 0C0000017h
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_46BECD:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+F12j
		cmp	[ebp+var_30], 0
		jz	loc_46BD7A
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jnz	loc_46BD7A
		and	edi, 200h
		or	edi, eax
		jz	loc_46BD7A
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	dword ptr [eax+140h], 0
		jnz	loc_46BD7A
		mov	esi, [ebp+var_1C]
		cmp	dword ptr [esi+20h], 0
		jz	short loc_46BF2C
		test	byte ptr [esi+1Dh], 1
		jnz	short loc_46BF2C
		cmp	word ptr [esi+1Ah], 0
		jz	short loc_46BF2C
		lea	ecx, [esi+14h]
		call	_MiEmptyDeferredWorkingSetEntries@4 ; MiEmptyDeferredWorkingSetEntries(x)

loc_46BF2C:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+F85j
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+F8Bj ...
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_34]
		push	0
		push	0FFFFFFFFh
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_46BD7A
		cmp	ebx, 0C0000017h
		jnz	short loc_46BF5F
		or	dword ptr [esi+24h], 2
		mov	eax, 0C0000434h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_46BF5F:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+FBBj
		cmp	ebx, 0C0000434h
		jnz	short loc_46BF6B
		or	dword ptr [esi+24h], 4

loc_46BF6B:				; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+FD5j
		pop	edi
		pop	esi
		mov	eax, 0C0000434h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_MiCompleteProtoPteFault@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCompletePrivateZeroFault(x, x, x)
_MiCompletePrivateZeroFault@12 proc near ; CODE	XREF: MiResolvePrivateZeroFault(x)+487p

var_9C		= dword	ptr -9Ch
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 90h
		push	ebx
		mov	[ebp+var_34], edx
		mov	edx, ecx
		push	esi
		push	edi
		mov	[ebp+var_1C], edx
		mov	edi, [edx+8]
		mov	ecx, [edx+4]
		mov	esi, [edx+20h]
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		mov	[ebp+var_64], esi
		lea	eax, [edi-40000000h]
		mov	[ebp+var_C], eax
		mov	eax, [ecx+14h]
		mov	[ebp+var_74], eax
		xor	eax, eax
		mov	[ebp+var_30], eax
		mov	eax, [ecx+8]
		test	al, 1
		jz	short loc_46BFD5
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	3
		jnz	short loc_46BFD5
		mov	[ebp+var_30], 1

loc_46BFD5:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+44j
					; MiCompletePrivateZeroFault(x,x,x)+4Cj
		mov	eax, [edx]
		and	al, 8
		mov	[ebp+var_10], 10h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, esi
		mov	[ebp+var_70], eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+var_40], eax
		mov	eax, [ecx]
		mov	ecx, [edx+24h]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_6C], ecx
		sub	eax, 40000000h
		mov	[ebp+var_68], eax
		xor	eax, eax
		mov	[ebp+var_3C], eax
		test	ecx, ecx
		jz	short loc_46C032
		mov	eax, [ecx+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFEh
		jnz	short loc_46C032
		mov	[ebp+var_10], 50h

loc_46C032:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+9Aj
					; MiCompletePrivateZeroFault(x,x,x)+A9j
		mov	ebx, [edx+10h]
		lea	ecx, [edi-40000000h]
		mov	[ebp+var_38], ebx
		test	bl, 2
		jz	short loc_46C059
		mov	eax, ds:_MmHighestUserAddress
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	ecx, eax
		jbe	short loc_46C062

loc_46C059:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+C1j
		or	ebx, 80000000h
		mov	[ebp+var_38], ebx

loc_46C062:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+D7j
		cmp	dword ptr [edx+14h], 0
		jnz	short loc_46C06F
		inc	large dword ptr	fs:3E28h

loc_46C06F:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+E6j
		and	ebx, 1Fh
		mov	[ebp+var_44], 0
		mov	esi, ecx
		shl	esi, 9
		mov	eax, ds:dword_40B4DC[ebx*8]
		mov	edx, ds:_MmProtectToPteMask[ebx*8]
		and	eax, 0FFFFFFE0h
		and	edx, 0E7Fh
		mov	[ebp+var_4], eax
		or	edx, 21h
		lea	eax, [edi-600000h]
		mov	[ebp+var_8], edx
		cmp	eax, 3FFFh
		ja	short loc_46C0E8
		cmp	edi, 603018h
		mov	edi, [ebp+var_4]
		jnz	short loc_46C0BE
		or	edi, 80000000h
		jmp	short loc_46C0CD
; 

loc_46C0BE:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+134j
		test	[ebp+var_38], 4000000h
		jnz	short loc_46C0D3
		and	edi, 7FFFFFFFh

loc_46C0CD:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+13Cj
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edx

loc_46C0D3:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+145j
		call	_MiUserPdeOrAbove@4 ; MiUserPdeOrAbove(x)
		mov	edx, [ebp+var_8]
		test	eax, eax
		jz	short loc_46C0E8
		or	edx, 4
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edx

loc_46C0E8:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+129j
					; MiCompletePrivateZeroFault(x,x,x)+15Dj
		mov	eax, ds:_MmHighestUserAddress
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	ecx, eax
		ja	short loc_46C10A
		mov	eax, [ebp+var_4]
		or	edx, 4
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], eax

loc_46C10A:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+17Cj
		mov	edi, [ebp+var_38]
		mov	ecx, edi
		and	ecx, 4000000h
		jz	short loc_46C133
		cmp	esi, 0C0000000h
		jb	short loc_46C133
		nop

loc_46C120:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+1B1j
		cmp	esi, 0C07FFFFFh
		ja	short loc_46C133
		shl	esi, 9
		cmp	esi, 0C0000000h
		jnb	short loc_46C120

loc_46C133:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+195j
					; MiCompletePrivateZeroFault(x,x,x)+19Dj ...
		cmp	esi, dword_6D07D0
		jnb	short loc_46C144
		movzx	eax, byte ptr word_6D07B8+1
		jmp	short loc_46C182
; 

loc_46C144:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+1B9j
		mov	eax, esi
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_46C197
		cmp	al, 0Bh
		jz	short loc_46C197
		lea	eax, [esi+40000000h]
		cmp	eax, offset loc_7FFFFF
		jbe	short loc_46C197
		cmp	esi, dword_6D2E88
		jb	short loc_46C17B
		movzx	eax, byte ptr word_6D07B8+1
		cmp	esi, dword_6D2E8C
		jbe	short loc_46C182

loc_46C17B:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+1EAj
		movzx	eax, byte ptr word_6D07B8

loc_46C182:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+1C2j
					; MiCompletePrivateZeroFault(x,x,x)+1F9j
		mov	esi, [ebp+var_4]
		test	eax, eax
		jz	short loc_46C19A
		or	edx, 100h
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], edx
		jmp	short loc_46C19A
; 

loc_46C197:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+1D1j
					; MiCompletePrivateZeroFault(x,x,x)+1D5j ...
		mov	esi, [ebp+var_4]

loc_46C19A:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+207j
					; MiCompletePrivateZeroFault(x,x,x)+215j
		test	edi, edi
		jns	short loc_46C1AF
		and	bl, 5
		cmp	bl, 4
		jnz	short loc_46C1AF
		or	edx, 42h
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], edx

loc_46C1AF:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+21Cj
					; MiCompletePrivateZeroFault(x,x,x)+224j
		test	edi, 40000000h
		jz	short loc_46C1C0
		and	edx, 0FFFFFFFBh
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], edx

loc_46C1C0:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+235j
		test	edi, 20000000h
		jz	short loc_46C1EF
		mov	al, byte ptr word_6D07B8
		mov	ebx, [ebp+var_8]
		and	al, 1
		movzx	eax, al
		and	ebx, 0FFFFFEFFh
		cdq
		shld	edx, eax, 8
		shl	eax, 8
		or	eax, ebx
		or	esi, edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], esi
		jmp	short loc_46C1F2
; 

loc_46C1EF:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+246j
		mov	eax, [ebp+var_8]

loc_46C1F2:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+26Dj
		test	edi, 8000000h
		jz	short loc_46C205
		and	eax, 0FFFFFEFFh
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], eax

loc_46C205:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+278j
		test	ecx, ecx
		jz	short loc_46C214
		or	eax, 80h
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], eax

loc_46C214:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+287j
		cmp	[ebp+arg_0], 0
		mov	[ebp+var_54], 0
		jbe	loc_46C7F6
		mov	ebx, [ebp+var_C]
		mov	edi, [ebp+var_1C]
		jmp	short loc_46C230
; 
		align 10h

loc_46C230:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+2ABj
					; MiCompletePrivateZeroFault(x,x,x)+870j
		mov	ecx, [ebp+var_34]
		mov	ebx, [ebx]
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_24], ebx
		nop
		cmp	dword ptr [edi+14h], 0
		mov	eax, [ebp+var_C]
		mov	ecx, [eax+4]
		mov	[ebp+var_20], ecx
		jnz	short loc_46C29F
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_46C29F
		mov	ebx, [edi+10h]
		xor	edi, edi
		mov	edx, dword_6D0700
		and	ebx, 1Fh
		inc	[ebp+var_44]
		mov	eax, edx
		mov	esi, dword_6D0704
		shld	edi, ebx, 5
		shl	ebx, 5
		or	eax, esi
		mov	[ebp+var_20], edi
		mov	[ebp+var_24], ebx
		jz	short loc_46C296
		mov	ecx, ebx
		mov	eax, edi
		and	ecx, edx
		and	eax, esi
		or	ecx, eax
		jnz	short loc_46C28D
		or	ebx, edx
		or	edi, esi
		jmp	short loc_46C290
; 

loc_46C28D:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+305j
		or	ebx, 10h

loc_46C290:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+30Bj
		mov	[ebp+var_20], edi
		mov	[ebp+var_24], ebx

loc_46C296:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+2F9j
		mov	eax, [ebp+var_C]
		mov	[eax], ebx
		nop
		mov	[eax+4], edi

loc_46C29F:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+2C9j
					; MiCompletePrivateZeroFault(x,x,x)+2CFj
		mov	eax, [ebp+var_34]
		mov	esi, eax
		mov	[ebp+var_18], esi
		lea	edi, [eax+10h]
		mov	eax, [edi]
		and	eax, offset loc_7FFFFF
		cmp	eax, offset loc_7FFFFF
		jnz	short loc_46C2C1
		mov	[ebp+var_34], 0
		jmp	short loc_46C2D5
; 

loc_46C2C1:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+336j
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_34], eax

loc_46C2D5:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+33Fj
		mov	ecx, [edi]
		mov	edx, ecx
		and	edx, 0FF800000h
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	ecx, eax
		jz	short loc_46C302
		lea	esp, [esp+0]

loc_46C2F0:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+380j
		mov	edx, eax
		mov	ecx, eax
		and	edx, 0FF800000h
		lock cmpxchg [edi], edx
		cmp	ecx, eax
		jnz	short loc_46C2F0

loc_46C302:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+367j
		mov	ecx, esi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		mov	ecx, [ebp+var_1C]
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	dword ptr [ecx+14h], 0
		mov	[ebp+var_2C], eax
		jz	loc_46C426
		cmp	dword ptr [ecx+28h], 0
		jnz	loc_46C426
		mov	eax, ebx
		and	eax, 400h
		or	eax, 0
		jz	loc_46C426
		mov	edx, dword_6D0700
		mov	eax, edx
		mov	ebx, dword_6D0704
		or	eax, ebx
		mov	ecx, [ebp+var_20]
		mov	esi, ecx
		jz	short loc_46C36F
		mov	eax, [ebp+var_24]
		and	eax, 10h
		or	eax, 0
		jnz	short loc_46C36F
		mov	ecx, ebx
		not	ecx
		and	ecx, esi

loc_46C36F:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+3DCj
					; MiCompletePrivateZeroFault(x,x,x)+3E7j
		mov	ebx, [ebp+var_24]
		test	ecx, ecx
		jz	short loc_46C3B6
		mov	[ebp+var_58], 0
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_46C399

loc_46C384:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+410j
					; MiCompletePrivateZeroFault(x,x,x)+417j
		lea	ecx, [ebp+var_58]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_46C384
		lock bts dword ptr [edi], 1Fh
		jb	short loc_46C384

loc_46C399:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+402j
		mov	ecx, [ebp+var_18]
		mov	eax, [ecx+18h]
		and	eax, 0CFFFFFFFh
		or	eax, 40000000h
		mov	[ecx+18h], eax
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		jmp	short loc_46C3D5
; 

loc_46C3B6:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+3F4j
		mov	eax, ebx
		and	eax, 3E0h
		or	eax, 0
		jz	short loc_46C3D0
		mov	eax, [ebp+var_20]
		and	ebx, 0FFFFFBFFh
		mov	[ebp+var_20], eax
		jmp	short loc_46C3D5
; 

loc_46C3D0:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+440j
		xor	ebx, ebx
		mov	[ebp+var_20], ebx

loc_46C3D5:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+434j
					; MiCompletePrivateZeroFault(x,x,x)+44Ej
		mov	ecx, [ebp+var_2C]
		xor	edx, edx
		push	80000000h
		call	MiMapPageInHyperSpaceWorker
		push	[ebp+var_20]
		and	ebx, 0FFFFFFFDh
		mov	esi, eax
		push	ebx
		push	1000h
		push	esi
		call	_RtlFillMemoryUlonglong@16 ; RtlFillMemoryUlonglong(x,x,x,x)
		push	80000000h
		mov	dl, 21h
		mov	ecx, esi
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		push	0
		push	80h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_10]
		or	eax, 8
		mov	[ebp+var_20], edx
		mov	[ebp+var_10], eax
		jmp	short loc_46C429
; 

loc_46C426:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+3A7j
					; MiCompletePrivateZeroFault(x,x,x)+3B1j ...
		mov	eax, [ebp+var_10]

loc_46C429:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+4A4j
		test	byte ptr [ecx],	4
		jz	short loc_46C434
		or	eax, 20h
		mov	[ebp+var_10], eax

loc_46C434:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+4ACj
		mov	ebx, [ecx+10h]
		test	bl, 2
		jz	short loc_46C442
		or	eax, 20h
		mov	[ebp+var_10], eax

loc_46C442:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+4BAj
		mov	eax, [ebp+var_C]
		mov	ecx, [eax]
		nop
		test	byte ptr [ebp+var_10], 4
		mov	esi, [eax+4]
		jz	short loc_46C482
		mov	edx, ebx
		xor	eax, eax
		and	edx, 1Fh
		shld	eax, edx, 5
		mov	[ebp+var_28], eax
		mov	eax, ecx
		shl	edx, 5
		or	eax, esi
		jnz	short loc_46C477
		push	[ebp+var_28]
		push	edx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, eax
		mov	esi, edx
		jmp	short loc_46C482
; 

loc_46C477:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+4E6j
		and	ecx, 0FFFFFC1Fh
		or	ecx, edx
		or	esi, [ebp+var_28]

loc_46C482:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+4CFj
					; MiCompletePrivateZeroFault(x,x,x)+4F5j
		test	byte ptr [ebp+var_10], 2
		mov	eax, [ebp+var_18]
		mov	[eax+8], ecx
		mov	ecx, eax
		mov	[ecx+0Ch], esi
		jz	short loc_46C49A
		or	dword ptr [ecx+18h], 80000000h

loc_46C49A:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+511j
		mov	edx, 1
		mov	[ebp+var_28], edx
		test	ebx, ebx
		jnz	short loc_46C4AF
		mov	[ebp+var_28], 3
		jmp	short loc_46C4DB
; 

loc_46C4AF:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+524j
		cmp	ebx, 1Fh
		jnz	short loc_46C4B9
		mov	[ebp+var_28], edx
		jmp	short loc_46C4DB
; 

loc_46C4B9:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+532j
		mov	eax, ebx
		shr	eax, 3
		cmp	eax, 3
		jnz	short loc_46C4D1
		test	bl, 7
		jz	short loc_46C4DB
		mov	[ebp+var_28], 2
		jmp	short loc_46C4DB
; 

loc_46C4D1:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+541j
		dec	eax
		neg	eax
		sbb	eax, eax
		and	eax, edx
		mov	[ebp+var_28], eax

loc_46C4DB:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+52Dj
					; MiCompletePrivateZeroFault(x,x,x)+537j ...
		mov	eax, edx
		mov	[ebp+var_50], 0
		mov	[ecx+14h], ax
		mov	eax, [ebp+var_C]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_4C], 0
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[ebp+var_90], edx
		mov	[ebp+var_8C], eax
		nop
		shrd	edx, eax, 0Ch
		mov	eax, [ecx+18h]
		and	edx, 1FFFFFFh
		xor	eax, edx
		and	eax, offset loc_7FFFFF
		xor	[ecx+18h], eax
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	esi, [eax+ecx*4]
		mov	eax, large fs:124h
		mov	ebx, [eax+304h]
		test	ebx, 100h
		jz	short loc_46C555
		shr	ebx, 9
		jmp	short loc_46C57D
; 

loc_46C555:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+5CEj
		mov	ebx, [eax+2FCh]
		mov	eax, [eax+150h]
		shr	ebx, 0Ch
		and	ebx, 7
		test	dword ptr [eax+0FCh], 100000h
		jz	short loc_46C57D
		cmp	ebx, 2
		jb	short loc_46C57D
		mov	ebx, 2

loc_46C57D:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+5D3j
					; MiCompletePrivateZeroFault(x,x,x)+5F1j ...
		mov	ecx, [ebp+var_10]
		mov	eax, ecx
		and	eax, 1
		mov	[ebp+var_11], 21h
		mov	[ebp+var_4C], eax
		jnz	short loc_46C5C3
		test	cl, 10h
		jz	short loc_46C5B8
		mov	[ebp+var_5C], 0
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_46C5C3

loc_46C5A1:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+62Dj
					; MiCompletePrivateZeroFault(x,x,x)+634j
		lea	ecx, [ebp+var_5C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_46C5A1
		lock bts dword ptr [edi], 1Fh
		jb	short loc_46C5A1
		jmp	short loc_46C5C3
; 

loc_46C5B8:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+611j
		mov	ecx, [ebp+var_18]
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp+var_11], al

loc_46C5C3:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+60Cj
					; MiCompletePrivateZeroFault(x,x,x)+61Fj ...
		mov	[ebp+var_60], 0
		add	esi, 10h
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_46C5E9

loc_46C5D4:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+660j
					; MiCompletePrivateZeroFault(x,x,x)+667j
		lea	ecx, [ebp+var_60]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_46C5D4
		lock bts dword ptr [esi], 1Fh
		jb	short loc_46C5D4

loc_46C5E9:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+652j
		mov	eax, [esi]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 3FFFFFFFh
		xor	ecx, eax
		mov	eax, 7FFFFFFFh
		mov	[esi], ecx
		lock and [esi],	eax
		mov	esi, [ebp+var_18]
		mov	edx, [ebp+var_28]
		mov	cl, [esi+16h]
		movzx	eax, cl
		shr	eax, 6
		cmp	eax, edx
		jz	short loc_46C624
		push	1
		mov	ecx, esi
		call	MiChangePageAttribute
		mov	eax, [ebp+var_7C]
		mov	cl, [eax+16h]

loc_46C624:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+693j
		mov	eax, [edi]
		and	cl, 0FEh
		and	eax, 0C0000001h
		or	cl, 6
		or	eax, 1
		mov	[edi], eax
		mov	al, [esi+17h]
		xor	al, bl
		mov	ebx, [ebp+var_C]
		and	al, 7
		mov	[esi+4], ebx
		xor	[esi+17h], al
		mov	[esi+16h], cl
		mov	ecx, [ebp+var_10]
		test	cl, 20h
		jnz	short loc_46C659
		mov	al, [esi+16h]
		or	al, 10h
		mov	[esi+16h], al

loc_46C659:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+6CFj
		test	cl, 40h
		jz	short loc_46C662
		or	byte ptr [esi+17h], 20h

loc_46C662:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+6DCj
		cmp	[ebp+var_4C], 0
		jnz	short loc_46C681
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		test	cl, 10h
		jnz	short loc_46C681
		mov	cl, [ebp+var_11]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_10]

loc_46C681:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+6E6j
					; MiCompletePrivateZeroFault(x,x,x)+6F3j
		test	cl, 8
		jz	short loc_46C692
		mov	eax, [ebp+var_24]
		mov	[esi+8], eax
		mov	eax, [ebp+var_20]
		mov	[esi+0Ch], eax

loc_46C692:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+704j
		mov	edi, [ebp+var_1C]
		mov	eax, [edi]
		mov	[ebp+var_4C], eax
		test	al, 4
		jz	short loc_46C70A
		mov	edx, [edi+10h]
		mov	ecx, [ebp+var_2C]
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	[ebx], eax
		nop
		test	byte ptr [edi],	40h
		mov	[ebx+4], edx
		jz	short loc_46C6C5
		mov	eax, [ebp+var_40]
		mov	edx, 1
		add	eax, 14Ch
		lock xadd [eax], edx

loc_46C6C5:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+732j
		xor	edx, edx
		mov	ecx, esi
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		mov	esi, [ebp+var_64]
		test	esi, esi
		jz	loc_46C7E0
		mov	eax, [esi+4]
		mov	ecx, [esi+0Ch]
		mov	edx, [esi+10h]
		shl	edx, 0Ch
		add	edx, [eax+ecx*8]
		mov	eax, ebx
		shl	eax, 9
		cmp	eax, edx
		jnz	loc_46C7E0
		cmp	byte ptr [esi],	5
		jz	loc_46C7E0
		mov	ecx, esi
		call	_MiAdvanceFaultList@4 ;	MiAdvanceFaultList(x)
		jmp	loc_46C7E0
; 

loc_46C70A:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+71Cj
		mov	ebx, [ebp+var_2C]
		xor	edx, edx
		mov	eax, [ebp+var_8]
		and	ebx, 1FFFFFFh
		mov	ecx, [ebp+var_4]
		and	eax, 0FFFh
		shld	edx, ebx, 0Ch
		and	ecx, 0FFFFFFE0h
		shl	ebx, 0Ch
		mov	esi, edx
		mov	edx, [ebp+var_1C]
		or	esi, ecx
		or	ebx, eax
		mov	[ebp+var_4], esi
		mov	ecx, ebx
		mov	[ebp+var_8], ebx
		mov	edi, ecx
		mov	[ebp+var_7C], esi
		or	ecx, 20h
		cmp	dword ptr [edx+28h], 0
		mov	[ebp+var_8], ecx
		jz	loc_46C840
		mov	edx, ecx
		mov	[ebp+var_2C], 0
		mov	ecx, [ebp+var_C]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_46C7C5
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_46C792
		cmp	byte ptr word_6D07B8+1,	0
		mov	ecx, 1
		jnz	short loc_46C7C7
		mov	eax, ebx
		and	eax, ecx
		or	eax, 0
		jz	short loc_46C7C7
		mov	edx, ebx
		or	edx, 20h
		or	esi, 80000000h
		jmp	short loc_46C7C7
; 

loc_46C792:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+7ECj
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_2C]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_46C7C7
		and	edi, 1
		or	edi, 0
		jz	short loc_46C7C7
		mov	esi, [ebp+var_4]
		mov	edx, ebx
		or	edx, 20h
		or	esi, 80000000h
		jmp	short loc_46C7C7
; 

loc_46C7C5:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+7E3j
		xor	ecx, ecx

loc_46C7C7:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+7FAj
					; MiCompletePrivateZeroFault(x,x,x)+803j ...
		mov	ebx, [ebp+var_C]
		mov	[ebx+4], esi
		nop
		mov	[ebx], edx
		test	ecx, ecx
		jz	short loc_46C7DD
		push	esi
		push	edx
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_46C7DD:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+852j
		mov	edi, [ebp+var_1C]

loc_46C7E0:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+753j
					; MiCompletePrivateZeroFault(x,x,x)+76Fj ...
		mov	edx, [ebp+var_54]
		add	ebx, 8
		inc	edx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_54], edx
		cmp	edx, [ebp+arg_0]
		jb	loc_46C230

loc_46C7F6:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+29Fj
		mov	edi, 111h

loc_46C7FB:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+B1Aj
		mov	edx, [ebp+var_1C]
		cmp	dword ptr [edx+14h], 0
		jnz	loc_46CB54
		mov	ebx, [ebp+var_44]
		test	ebx, ebx
		jz	loc_46CB54
		mov	edx, [edx+8]
		xor	ecx, ecx
		mov	eax, edx
		lea	ebx, [ebx+0]

loc_46C820:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+8B3j
		cmp	eax, ds:_MmHighestUserAddress
		jbe	loc_46CA9F
		inc	ecx
		shl	eax, 9
		cmp	ecx, 1
		jb	short loc_46C820
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_46C840:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+7CAj
		mov	eax, [ebp+var_C]
		cmp	eax, [ebp+var_68]
		jz	loc_46C8F0
		test	byte ptr [ebp+var_4C], 80h
		jz	loc_46C8F0
		mov	ecx, ebx
		mov	[ebp+var_4], esi
		and	ecx, 0FFFFFFDFh
		mov	ebx, eax
		cmp	[ebp+var_38], 0
		mov	[ebp+var_8], ecx
		jge	loc_46C8F3
		mov	eax, ds:_MmHighestUserAddress
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	ebx, eax
		ja	short loc_46C8F3
		cmp	ebx, 0C0000000h
		jb	short loc_46C8F3
		mov	eax, [ebp+var_40]
		test	dword ptr [eax+0FCh], 8000h
		jz	short loc_46C8F3
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jnz	short loc_46C8E0
		mov	eax, [ebp+var_6C]
		test	eax, eax
		jnz	short loc_46C8B6
		mov	ecx, [edx+8]
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_1C]

loc_46C8B6:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+926j
		mov	eax, [eax+1Ch]
		and	eax, 300000h
		cmp	eax, 300000h
		jnz	short loc_46C8D7
		and	ecx, 0FFFFFFBDh
		mov	[ebp+var_3C], 2
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], esi
		jmp	short loc_46C8F3
; 

loc_46C8D7:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+943j
		mov	[ebp+var_3C], 1
		jmp	short loc_46C8F3
; 

loc_46C8E0:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+91Fj
		cmp	eax, 2
		jnz	short loc_46C8F3
		and	ecx, 0FFFFFFBDh
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], ecx
		jmp	short loc_46C8F3
; 

loc_46C8F0:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+8C6j
					; MiCompletePrivateZeroFault(x,x,x)+8D0j
		mov	ebx, [ebp+var_C]

loc_46C8F3:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+8E7j
					; MiCompletePrivateZeroFault(x,x,x)+901j ...
		mov	esi, [edx+4]
		mov	dl, [esi+1Dh]
		mov	al, dl
		and	al, 5
		cmp	al, 4
		jnz	loc_46C9C5
		test	dl, 2
		jnz	loc_46C9C5
		movzx	eax, word ptr [esi+1Ah]
		test	ax, ax
		jz	short loc_46C94C
		movzx	ecx, word ptr [esi+18h]
		add	ecx, eax
		mov	eax, ebx
		shr	eax, 3
		and	eax, 1FFh
		cmp	ecx, eax
		jnz	short loc_46C944
		mov	ecx, [ebp+var_18]
		and	dl, 10h
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_46C940
		test	dl, dl
		jz	short loc_46C94F
		jmp	short loc_46C944
; 

loc_46C940:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+9B8j
		test	dl, dl
		jnz	short loc_46C94F

loc_46C944:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+9A9j
					; MiCompletePrivateZeroFault(x,x,x)+9BEj
		lea	ecx, [esi+14h]
		call	_MiEmptyDeferredWorkingSetEntries@4 ; MiEmptyDeferredWorkingSetEntries(x)

loc_46C94C:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+995j
		mov	ecx, [ebp+var_18]

loc_46C94F:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+9BCj
					; MiCompletePrivateZeroFault(x,x,x)+9C2j
		movzx	eax, word ptr [esi+1Ah]
		test	ax, ax
		jnz	short loc_46C98B
		mov	dl, [esi+1Dh]
		mov	eax, 1
		mov	[esi+1Ah], ax
		mov	eax, ebx
		shr	eax, 3
		and	eax, 1FFh
		mov	[esi+18h], ax
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_46C983
		and	dl, 0EFh
		mov	[esi+1Dh], dl
		jmp	short loc_46C990
; 

loc_46C983:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+9F9j
		or	dl, 10h
		mov	[esi+1Dh], dl
		jmp	short loc_46C990
; 

loc_46C98B:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+9D6j
		inc	eax
		mov	[esi+1Ah], ax

loc_46C990:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+A01j
					; MiCompletePrivateZeroFault(x,x,x)+A09j
		mov	edi, [ebp+var_1C]
		mov	edx, [ebp+var_30]
		or	edx, 4
		mov	[ebp+var_30], edx
		mov	eax, [edi+4]
		test	byte ptr [eax+1Dh], 8
		jz	short loc_46C9D1
		mov	eax, [eax+8]
		test	al, 1
		jz	short loc_46C9B4
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	2
		jz	short loc_46C9D1

loc_46C9B4:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+A2Aj
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		and	eax, 0FFFFFFDFh
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ecx
		jmp	short loc_46C9D7
; 

loc_46C9C5:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+97Fj
					; MiCompletePrivateZeroFault(x,x,x)+988j
		mov	edx, [ebp+var_30]
		mov	edi, [ebp+var_1C]
		and	edx, 0FFFFFFFBh
		mov	[ebp+var_30], edx

loc_46C9D1:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+A23j
					; MiCompletePrivateZeroFault(x,x,x)+A32j
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]

loc_46C9D7:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+A43j
		mov	esi, [ebp+var_18]
		push	ecx
		mov	ecx, [ebp+var_74]
		push	eax
		push	[ebp+var_70]
		push	edx
		push	0
		push	esi
		mov	edx, ebx
		call	_MiAllocateWsle@32 ; MiAllocateWsle(x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_46CA13
		test	byte ptr [edi],	40h
		jz	short loc_46CA07
		mov	eax, [ebp+var_40]
		mov	ecx, 1
		add	eax, 14Ch
		lock xadd [eax], ecx

loc_46CA07:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+A74j
		inc	large dword ptr	fs:3E28h
		jmp	loc_46C7E0
; 

loc_46CA13:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+A6Fj
		mov	eax, [esi+18h]
		lea	edi, [esi+10h]
		and	eax, offset loc_7FFFFF
		mov	[ebp+var_78], 0
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ebx, [eax+ecx*4]
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_46CA55
		lea	ecx, [ecx+0]

loc_46CA40:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+ACCj
					; MiCompletePrivateZeroFault(x,x,x)+AD3j
		lea	ecx, [ebp+var_78]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_46CA40
		lock bts dword ptr [edi], 1Fh
		jb	short loc_46CA40

loc_46CA55:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+ABBj
		push	0
		mov	edx, 1
		lea	ecx, [esi+8]
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	eax, [esi+0Ch]
		mov	ecx, [ebp+var_18]
		and	dword ptr [esi+8], 0FFFFFFFDh
		or	dword ptr [edi], 40000000h
		mov	[esi+0Ch], eax
		call	MiDecrementShareCount
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		xor	edx, edx
		mov	ecx, ebx
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		mov	ecx, [ebp+var_34]
		mov	edi, 0C0000017h
		call	_MiFreePageChain@4 ; MiFreePageChain(x)
		jmp	loc_46C7FB
; 

loc_46CA9F:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+8A6j
		mov	eax, large fs:124h
		shr	edx, 15h
		mov	eax, [eax+80h]
		mov	esi, [eax+24Ch]
		mov	eax, large fs:124h
		add	esi, 18h
		mov	eax, [eax+80h]
		mov	ecx, [eax+24Ch]
		lea	eax, [esi+178h]
		add	ecx, 190h
		add	[ecx+edx*2], bx
		lea	ecx, [ecx+edx*2]
		cmp	ecx, eax
		jb	short loc_46CB54
		lea	eax, [esi+0D78h]
		cmp	ecx, eax
		jnb	short loc_46CB54
		cmp	ebx, 1
		ja	short loc_46CB54
		sub	ecx, esi
		mov	edx, 2
		sub	ecx, 178h
		sar	ecx, 1
		shl	ecx, 0Ch
		sub	ecx, 40000000h
		shr	ecx, 9
		sub	ecx, 40000000h
		mov	[ebp+var_88], ecx
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	[ebp+var_84], ecx
		jmp	short loc_46CB30
; 
		align 10h

loc_46CB30:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+BABj
					; MiCompletePrivateZeroFault(x,x,x)+BD2j
		mov	eax, [ebp+edx*4+var_8C]
		dec	edx
		mov	ecx, [eax]
		nop
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_46CB54
		and	ecx, 80h
		or	ecx, 0
		jnz	short loc_46CB54
		test	edx, edx
		jnz	short loc_46CB30

loc_46CB54:				; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+882j
					; MiCompletePrivateZeroFault(x,x,x)+88Dj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiCompletePrivateZeroFault@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocateWsle(x, x, x, x, x, x, x,	x)
_MiAllocateWsle@32 proc	near		; CODE XREF: MiInitializeWorkingSetList(x,x,x,x)+7Ap
					; MiIssueHardFault(x,x)+521p ...

var_1AC		= dword	ptr -1ACh
var_198		= dword	ptr -198h
var_188		= dword	ptr -188h
var_150		= dword	ptr -150h
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E3		= byte ptr -0E3h
var_E2		= byte ptr -0E2h
var_E1		= byte ptr -0E1h
var_E0		= dword	ptr -0E0h
var_D4		= dword	ptr -0D4h
var_C8		= dword	ptr -0C8h
var_C0		= dword	ptr -0C0h
var_B4		= dword	ptr -0B4h
var_B0		= word ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 19Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	eax, edx
		mov	[ebp+var_E2], 0
		mov	edx, [ebp+arg_0]
		mov	ebx, eax
		push	esi
		push	edi
		mov	edi, ecx
		shl	ebx, 9
		mov	ecx, [ebp+arg_C]
		xor	esi, esi
		mov	[ebp+var_11C], eax
		mov	[ebp+var_120], ecx
		mov	eax, [edi+60h]
		mov	cl, al
		mov	[ebp+var_124], eax
		and	cl, 7
		lea	eax, [ebx+40000000h]
		mov	[ebp+var_EC], edi
		mov	[ebp+var_E8], edx
		mov	[ebp+var_F0], ebx
		mov	[ebp+var_E3], cl
		mov	[ebp+var_F8], 1
		cmp	eax, offset loc_7FFFFF
		ja	short loc_46CC01
		xor	ebx, ebx
		mov	[ebp+var_FC], ebx
		test	cl, cl
		jnz	loc_46CFE6
		mov	ecx, [edx]
		mov	eax, ecx
		shr	eax, 1
		test	al, 7
		jz	loc_46CFE6
		and	ecx, 0FFFFFFF1h
		mov	[edx], ecx
		jmp	loc_46CFE6
; 

loc_46CC01:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+77j
		mov	[ebp+var_104], esi
		mov	eax, offset unk_6D3C80
		cmp	cl, 2
		jz	short loc_46CC17
		lea	eax, [edi+0C0h]

loc_46CC17:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+AFj
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_108], eax
		mov	[ebp+var_10C], esi
		jz	short loc_46CC3B
		mov	edx, eax
		lea	ecx, [ebp+var_10C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_46CC52
; 

loc_46CC3B:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+CAj
		lea	edx, [ebp+var_10C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_46CC52
		lea	ecx, [ebp+var_10C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_46CC52:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+D9j
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+E5j
		mov	esi, [edi+40h]
		inc	esi
		mov	[ebp+var_F4], esi
		cmp	esi, [edi+3Ch]
		jbe	short loc_46CCC3
		test	byte ptr [edi+63h], 8
		jnz	short loc_46CCC3
		mov	eax, [edi+0Ch]
		mov	ecx, [edi+48h]
		mov	ebx, [eax+14h]
		mov	[ebp+var_FC], ebx
		cmp	ecx, ebx
		jbe	loc_46CDF0
		mov	esi, dword_6D5D88
		mov	ebx, ecx
		and	ebx, 3Fh
		jnz	loc_46CD8C
		mov	edi, dword_6D5E00
		mov	eax, 0CCCCCCCDh
		mul	esi
		shr	edx, 4
		cmp	edi, edx
		jnb	loc_46CD8F
		cmp	ecx, edx
		jb	loc_46CD8F

loc_46CCAF:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+27Ej
		mov	edi, [ebp+var_EC]

loc_46CCB5:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+2A3j
		mov	al, [edi+63h]
		or	al, 8
		mov	[edi+63h], al

loc_46CCBD:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+294j
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+29Dj
		mov	ebx, [ebp+var_F0]

loc_46CCC3:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+FFj
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+105j
		mov	al, byte ptr [ebp+var_124]
		and	al, 7
		mov	[ebp+var_E3], al
		jnz	loc_46CF40
		push	4Ch		; size_t
		lea	eax, [ebp+var_198]
		mov	[ebp+var_13C], 0
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_138], 0
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_E0]
		push	0D8h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		movzx	eax, byte ptr [edi+60h]
		add	esp, 0Ch
		and	eax, 7
		shr	ebx, 0Ch
		mov	edx, 2
		add	ebx, dword_6D2E68[eax*4]
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_144], eax
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_140], eax

loc_46CD52:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+225j
		mov	eax, [ebp+edx*4+var_148]
		dec	edx
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		mov	[ebp+var_FC], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_46CE19
		and	ecx, 80h
		or	ecx, 0
		jnz	loc_46CE08
		test	edx, edx
		jnz	short loc_46CD52
		jmp	loc_46CF2A
; 

loc_46CD8C:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+129j
		or	edi, 0FFFFFFFFh

loc_46CD8F:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+141j
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+149j
		sub	ecx, [ebp+var_FC]
		shr	esi, 2
		lea	eax, [esi+esi*2]
		cmp	ecx, eax
		jb	short loc_46CDE4
		mov	eax, dword_6D5D40
		mov	ecx, offset _MiSystemPartition
		mov	edx, [ebp+var_F8]
		mov	[ebp+var_FC], eax
		mov	esi, [eax+24h]
		call	_MiGetStandbyRepurposed@8 ; MiGetStandbyRepurposed(x,x)
		cmp	eax, esi
		jz	short loc_46CDE4
		test	ebx, ebx
		jz	short loc_46CDCB
		mov	edi, dword_6D5E00

loc_46CDCB:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+263j
		mov	eax, [ebp+var_FC]
		mov	eax, [eax+4D4h]
		lea	eax, [eax+eax*4]
		add	eax, eax
		cmp	edi, eax
		jb	loc_46CCAF

loc_46CDE4:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+23Dj
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+25Fj
		mov	esi, [ebp+var_F4]
		mov	edi, [ebp+var_EC]

loc_46CDF0:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+118j
		test	byte ptr [edi+60h], 40h
		jz	loc_46CCBD
		cmp	esi, [edi+50h]
		jbe	loc_46CCBD
		jmp	loc_46CCB5
; 

loc_46CE08:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+21Dj
		lea	eax, [ebx+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	loc_46CF2A

loc_46CE19:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+20Ej
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_188], edi
		mov	ecx, eax
		mov	[ebp+var_150], eax
		mov	[ebp+var_C8], 2
		mov	[ebp+var_A8], 0
		mov	[ebp+var_B4], 0
		mov	[ebp+var_B0], 0
		mov	[ebp+var_A4], 0
		mov	[ebp+var_AC], 21h
		mov	[ebp+var_A0], 0
		mov	[ebp+var_D4], offset _MiSystemPartition
		mov	[ebp+var_C0], 68h
		call	_MiSetLeafFillToUninitializedWsle@4 ; MiSetLeafFillToUninitializedWsle(x)
		push	0
		lea	edx, [ebp+var_18]
		mov	ecx, ebx
		call	_MiInitializeColorBase@12 ; MiInitializeColorBase(x,x,x)
		mov	edi, 1
		lea	edx, [ebp+var_13C]
		mov	ecx, ebx
		lea	esi, [edi+1]
		call	_MiFillPteHierarchy@8 ;	MiFillPteHierarchy(x,x)
		lea	esp, [esp+0]

loc_46CEB0:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+36Ej
		mov	eax, [ebp+esi*4+var_140]
		dec	esi
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		and	ecx, edi
		or	ecx, 0
		mov	[ebp+var_FC], eax
		jz	short loc_46CED2
		cmp	esi, 1
		jnz	short loc_46CEB0
		jmp	short loc_46CED5
; 

loc_46CED2:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+369j
		lea	edi, [esi+1]

loc_46CED5:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+370j
		mov	esi, [ebp+var_EC]
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_46CEEB
		mov	esi, offset unk_6D3C60
		jmp	short loc_46CEF1
; 

loc_46CEEB:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+382j
		add	esi, 0A0h

loc_46CEF1:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+389j
		mov	edx, [ebp+var_F0]
		lea	ecx, [ebp+var_198]
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		sub	edx, 40000000h
		call	MiCreateSoftwareWsle
		test	eax, eax
		jz	short loc_46CF1F
		mov	edi, [ebp+var_EC]
		xor	esi, esi
		jmp	short loc_46CF2F
; 

loc_46CF1F:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+3B3j
		mov	byte ptr [ebx],	0Ah
		add	[esi], edi
		mov	edi, [ebp+var_EC]

loc_46CF2A:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+227j
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+2B3j
		mov	esi, 2

loc_46CF2F:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+3BDj
		cmp	esi, 2
		jnb	short loc_46CF45
		inc	dword ptr [edi+4]
		inc	large dword ptr	fs:3E18h
		jmp	short loc_46CF45
; 

loc_46CF40:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+171j
		mov	esi, 2

loc_46CF45:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+3D2j
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+3DEj
		test	ds:byte_70EFC6,	1
		jz	short loc_46CF5E
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_46CF9F
; 

loc_46CF5E:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+3ECj
		mov	eax, [ebp+var_10C]
		test	eax, eax
		jnz	short loc_46CF89
		mov	edx, [ebp+var_108]
		lea	eax, [ebp+var_10C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10C]
		cmp	eax, ecx
		jz	short loc_46CF9F
		call	KxWaitForLockChainValid

loc_46CF89:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+406j
		mov	ecx, [ebp+var_F8]
		add	eax, 4
		mov	[ebp+var_10C], 0
		lock xor [eax],	ecx

loc_46CF9F:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+3FCj
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+422j
		cmp	esi, 2
		jnb	short loc_46CFBF
		inc	dword_6D30E8
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_46CFBF:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+442j
		movzx	eax, byte ptr [edi+60h]
		and	eax, 7
		mov	ebx, dword_6D2E68[eax*4]
		mov	eax, [ebp+var_F0]
		shr	eax, 0Ch
		add	ebx, eax
		mov	[ebp+var_FC], ebx
		mov	al, [ebx]
		mov	[ebp+var_E2], al

loc_46CFE6:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+83j
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+91j ...
		mov	eax, large fs:124h
		xor	dl, dl
		mov	[ebp+var_E1], dl
		mov	ecx, [eax+304h]
		test	ecx, 100h
		jz	short loc_46D007
		shr	ecx, 9
		jmp	short loc_46D02F
; 

loc_46D007:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+4A0j
		mov	ecx, [eax+2FCh]
		mov	eax, [eax+150h]
		shr	ecx, 0Ch
		and	ecx, 7
		test	dword ptr [eax+0FCh], 100000h
		jz	short loc_46D02F
		cmp	ecx, 2
		jb	short loc_46D02F
		mov	ecx, 2

loc_46D02F:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+4A5j
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+4C3j	...
		and	ecx, 7
		shl	ecx, 3
		or	ecx, esi
		test	ebx, ebx
		mov	ebx, [ebp+arg_10]
		mov	[ebp+var_F4], ecx
		jnz	short loc_46D072
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	eax, 28h
		jbe	short loc_46D060
		mov	eax, ecx
		and	ecx, 0FFFFFFC7h
		and	eax, 0FFFFFFF8h
		or	ecx, eax
		mov	[ebp+var_F4], ecx
		jmp	short loc_46D0C0
; 

loc_46D060:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+4ECj
		mov	eax, 28h
		and	ecx, 0FFFFFFC7h
		or	ecx, eax
		mov	[ebp+var_F4], ecx
		jmp	short loc_46D0C0
; 

loc_46D072:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+4E2j
		test	byte ptr [ebp+arg_8], 2
		jz	short loc_46D07C
		mov	dl, 9
		jmp	short loc_46D0AA
; 

loc_46D07C:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+516j
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	eax, 28h
		jnb	short loc_46D08A
		mov	dl, 7
		jmp	short loc_46D0AA
; 

loc_46D08A:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+524j
		test	byte ptr [ebp+arg_8], 8
		jz	short loc_46D094
		mov	dl, 6
		jmp	short loc_46D0AA
; 

loc_46D094:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+52Ej
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	short loc_46D0B0
		mov	eax, ebx
		and	eax, 20h
		or	eax, 0
		jnz	short loc_46D0B0
		mov	dl, 1

loc_46D0AA:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+51Aj
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+528j	...
		mov	[ebp+var_E1], dl

loc_46D0B0:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+53Cj
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+546j
		mov	al, [ebp+arg_4]
		and	al, 7
		shl	al, 4
		or	al, dl
		mov	[ebp+var_E2], al

loc_46D0C0:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+4FEj
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+510j
		test	byte ptr [ebp+arg_8], 1
		jz	short loc_46D12D
		mov	eax, [ebp+var_E8]
		mov	[ebp+var_128], 0
		lea	esi, [eax+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_46D100

loc_46D0E0:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+58Ej
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+595j
		lea	ecx, [ebp+var_128]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_46D0E0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_46D0E0
		mov	ebx, [ebp+arg_10]
		mov	eax, [ebp+var_E8]

loc_46D100:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+57Ej
		mov	ecx, eax
		call	_MiReleaseWsSwapReservationPfn@4 ; MiReleaseWsSwapReservationPfn(x)
		mov	ecx, 7FFFFFFFh
		lock and [esi],	ecx
		mov	ecx, eax
		or	ecx, edx
		jz	short loc_46D127
		push	edx
		mov	edx, [ebp+var_F8]
		mov	ecx, offset _MiSystemPartition
		push	eax
		call	MiReleasePageFileInfo

loc_46D127:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+5B3j
		mov	ecx, [ebp+var_F4]

loc_46D12D:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+564j
		mov	edx, [ebp+var_E8]
		mov	al, [edx+17h]
		test	al, 8
		jz	short loc_46D141
		mov	eax, 5
		jmp	short loc_46D147
; 

loc_46D141:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+5D8j
		movzx	eax, al
		and	eax, 7

loc_46D147:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+5DFj
		shr	ecx, 3
		mov	[ebp+var_F4], ecx
		cmp	eax, ecx
		jnb	short loc_46D1A8
		mov	[ebp+var_12C], 0
		lea	esi, [edx+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_46D196
		jmp	short loc_46D170
; 
		align 10h

loc_46D170:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+608j
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+61Ej	...
		lea	ecx, [ebp+var_12C]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_46D170
		lock bts dword ptr [esi], 1Fh
		jb	short loc_46D170
		mov	ebx, [ebp+arg_10]
		mov	ecx, [ebp+var_F4]
		mov	edx, [ebp+var_E8]

loc_46D196:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+606j
		mov	al, [edx+17h]
		and	al, 0F8h
		or	al, cl
		mov	[edx+17h], al
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax

loc_46D1A8:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+5F2j
		test	byte ptr [edx],	1
		jnz	short loc_46D1F4
		mov	[ebp+var_130], 0
		lea	esi, [edx+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_46D1E1

loc_46D1C1:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+66Fj
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+676j
		lea	ecx, [ebp+var_130]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_46D1C1
		lock bts dword ptr [esi], 1Fh
		jb	short loc_46D1C1
		mov	ebx, [ebp+arg_10]
		mov	edx, [ebp+var_E8]

loc_46D1E1:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+65Fj
		mov	eax, [edx]
		test	al, 1
		jnz	short loc_46D1EC
		or	eax, 1
		mov	[edx], eax

loc_46D1EC:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+685j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax

loc_46D1F4:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+64Bj
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	loc_46D430
		cmp	[ebp+var_E3], 2
		jnz	short loc_46D21F
		mov	edi, [ebp+arg_14]
		or	edi, 80000000h
		mov	[ebp+arg_10], ebx
		mov	[ebp+arg_14], edi
		jmp	loc_46D2DE
; 

loc_46D21F:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+6A9j
		test	byte ptr ds:_MiFlags+2,	1
		jz	loc_46D2DB
		mov	eax, [ebp+var_F0]
		cmp	eax, 0C0000000h
		jb	short loc_46D244
		cmp	eax, 0C07FFFFFh
		jbe	loc_46D2DB

loc_46D244:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+6D7j
		mov	edi, [ebp+arg_14]
		xor	eax, eax
		mov	ecx, edi
		and	ecx, 80000000h
		or	eax, ecx
		jnz	loc_46D2DE
		test	ds:_MiFlags, 40000h
		jnz	short loc_46D26D
		cmp	[ebp+var_E3], al
		jz	short loc_46D2DE

loc_46D26D:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+703j
		mov	[ebp+var_134], 0
		lea	esi, [edx+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_46D29E

loc_46D281:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+72Fj
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+736j
		lea	ecx, [ebp+var_134]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_46D281
		lock bts dword ptr [esi], 1Fh
		jb	short loc_46D281
		mov	edi, [ebp+arg_14]
		mov	ebx, [ebp+arg_10]

loc_46D29E:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+71Fj
		mov	edx, [ebp+var_F8]
		mov	ecx, [ebp+var_E8]
		push	0
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		test	eax, eax
		jnz	short loc_46D2D1
		movzx	edx, [ebp+var_E3]
		mov	ecx, [ebp+var_E8]
		neg	edx
		sbb	edx, edx
		and	edx, 1Fh
		add	edx, 7
		call	_MiMarkPfnVerified@8 ; MiMarkPfnVerified(x,x)

loc_46D2D1:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+753j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		jmp	short loc_46D2DE
; 

loc_46D2DB:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+6C6j
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+6DEj
		mov	edi, [ebp+arg_14]

loc_46D2DE:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+6BAj
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+6F3j	...
		mov	ecx, [ebp+var_120]
		test	ecx, ecx
		jz	short loc_46D33D
		mov	edx, [ebp+var_F0]
		call	_MiGetVirtualFaultPageInfo@8 ; MiGetVirtualFaultPageInfo(x,x)
		mov	[ebp+var_F4], eax
		test	eax, eax
		jz	short loc_46D33D
		mov	ecx, [ecx+1Ch]
		test	cl, 20h
		jz	short loc_46D31D
		mov	eax, [ebp+var_E8]
		test	dword ptr [eax+18h], 800000h
		jnz	short loc_46D31D
		mov	eax, [eax+4]
		test	eax, eax
		js	short loc_46D31D
		jnz	short loc_46D33D

loc_46D31D:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+7A3j
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+7B2j	...
		test	cl, 10h
		jz	short loc_46D347
		cmp	[ebp+var_E1], 6
		jnb	short loc_46D347
		mov	al, [ebp+var_E2]
		and	al, 0F6h
		or	al, 6
		mov	[ebp+var_E2], al
		jmp	short loc_46D347
; 

loc_46D33D:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+786j
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+79Bj	...
		mov	[ebp+var_F4], 0

loc_46D347:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+7C0j
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+7C9j	...
		xor	esi, esi
		mov	edx, ebx
		cmp	dword_6D07D0, 0C0000000h
		mov	ecx, edi
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	[ebp+var_11C], 0C0603000h
		jb	short loc_46D3C0
		cmp	[ebp+var_11C], eax
		jnb	short loc_46D3C0
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_46D3A2
		cmp	byte ptr word_6D07B8+1,	0
		mov	esi, 1
		jnz	short loc_46D3C0

loc_46D38C:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+85Ej
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	short loc_46D3C0
		mov	ecx, edi
		mov	edx, ebx
		or	ecx, 80000000h
		jmp	short loc_46D3C0
; 

loc_46D3A2:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+81Cj
		mov	eax, large fs:124h
		mov	ebx, [ebp+arg_10]
		mov	edi, [ebp+arg_14]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_46D38C

loc_46D3C0:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+80Bj
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+813j	...
		mov	eax, [ebp+var_11C]
		mov	[eax+4], ecx
		nop
		mov	[eax], edx
		test	esi, esi
		jz	short loc_46D3D9
		push	ecx
		push	edx
		mov	ecx, eax
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_46D3D9:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+86Ej
		mov	esi, [ebp+var_F4]
		test	esi, esi
		jz	short loc_46D424
		mov	ecx, [ebp+var_120]
		mov	ecx, [ecx+1Ch]
		test	cl, 1
		jz	short loc_46D3FB
		mov	eax, ebx
		and	eax, 42h
		or	eax, 0
		jz	short loc_46D424

loc_46D3FB:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+88Fj
		test	cl, 2
		jz	short loc_46D40E
		mov	ecx, edi
		xor	eax, eax
		and	ecx, 80000000h
		or	eax, ecx
		jnz	short loc_46D424

loc_46D40E:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+89Ej
		nop
		push	edi
		push	ebx
		shrd	ebx, edi, 0Ch
		mov	ecx, esi
		and	ebx, 1FFFFFFh
		mov	edx, ebx
		call	_MiFillVirtualFaultInfo@16 ; MiFillVirtualFaultInfo(x,x,x,x)

loc_46D424:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+881j
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+899j	...
		mov	edx, [ebp+var_E8]
		mov	edi, [ebp+var_EC]

loc_46D430:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+69Cj
		mov	esi, [ebp+var_FC]
		test	esi, esi
		jz	short loc_46D442
		mov	al, [ebp+var_E2]
		mov	[esi], al

loc_46D442:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+8D8j
		mov	eax, [ebp+arg_8]
		test	al, 2
		jnz	short loc_46D489
		test	al, 4
		jnz	loc_46D507
		mov	ecx, edx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFFEh
		add	eax, 2
		test	esi, esi
		jnz	short loc_46D46F
		cmp	[ebp+var_E3], 0
		jnz	short loc_46D472

loc_46D46F:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+904j
		or	eax, 4

loc_46D472:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+90Dj
		mov	ebx, [ebp+var_F0]
		mov	ecx, edi
		push	eax
		push	1
		mov	edx, ebx
		call	MiAddWorkingSetEntries
		jmp	loc_46D50D
; 

loc_46D489:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+8E7j
		mov	al, [edi+60h]
		and	al, 7
		mov	[ebp+var_110], 0
		cmp	al, 2
		mov	eax, offset unk_6D3C80
		jz	short loc_46D4A7
		lea	eax, [edi+0C0h]

loc_46D4A7:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+93Fj
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_114], eax
		mov	[ebp+var_118], 0
		jz	short loc_46D4CF
		mov	edx, eax
		lea	ecx, [ebp+var_118]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_46D4E6
; 

loc_46D4CF:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+95Ej
		lea	edx, [ebp+var_118]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_46D4E6
		lea	ecx, [ebp+var_118]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_46D4E6:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+96Dj
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+979j
		inc	dword ptr [edi+4]
		inc	large dword ptr	fs:3E18h
		test	ds:byte_70EFC6,	1
		jz	short loc_46D54C
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_118]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_46D507:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+8EBj
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+A10j
		mov	ebx, [ebp+var_F0]

loc_46D50D:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+924j
		mov	esi, [ebp+var_F8]

loc_46D513:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+A33j
		test	dword ptr ds:byte_70EFC4, 8000001h
		jz	short loc_46D537
		mov	eax, [ebp+var_124]
		mov	ecx, [ebp+var_E8]
		movzx	edx, al
		push	ebx
		and	edx, 7
		call	_MiLogAllocateWsleEvent@12 ; MiLogAllocateWsleEvent(x,x,x)

loc_46D537:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+9BDj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_46D54C:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+997j
		mov	eax, [ebp+var_118]
		test	eax, eax
		jnz	short loc_46D577
		mov	edx, [ebp+var_114]
		lea	eax, [ebp+var_118]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_118]
		cmp	eax, ecx
		jz	short loc_46D507
		call	KxWaitForLockChainValid

loc_46D577:				; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+9F4j
		mov	esi, [ebp+var_F8]
		add	eax, 4
		mov	[ebp+var_118], 0
		lock xor [eax],	esi
		mov	ebx, [ebp+var_F0]
		jmp	loc_46D513
_MiAllocateWsle@32 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MI_READ_PTE_LOCK_FREE(x)
_MI_READ_PTE_LOCK_FREE@4 proc near	; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+369p
					; NtLockVirtualMemory(x,x,x,x)+36Cp ...
		mov	eax, [ecx]
		nop
		mov	edx, [ecx+4]
		retn
_MI_READ_PTE_LOCK_FREE@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAddWorkingSetEntries proc near	; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+91Fp
					; MiEmptyDeferredWorkingSetEntries(x)+31p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B2B0E SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1C], 0
		push	edi
		mov	ebx, edx
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		jz	loc_46D925
		lea	eax, [esi+0C0h]

loc_46D5D9:				; CODE XREF: MiAddWorkingSetEntries+37Aj
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], 0
		jnz	loc_5B2B0E
		lea	edx, [ebp+var_24]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_46D99E

loc_46D5FD:				; CODE XREF: MiAddWorkingSetEntries+3F6j
					; MiAddWorkingSetEntries+145568j
		mov	ecx, [ebp+arg_4]
		mov	edi, [ebp+arg_0]
		test	cl, 1
		jnz	loc_5B2B1D

loc_46D60C:				; CODE XREF: MiAddWorkingSetEntries+145579j
		add	[esi+4], edi
		add	large fs:3E18h,	edi
		add	[esi+48h], edi
		mov	eax, [esi+48h]
		mov	[ebp+var_C], eax
		cmp	ebx, 0C0000000h
		jnb	loc_46D903

loc_46D62B:				; CODE XREF: MiAddWorkingSetEntries+359j
		add	[esi+40h], edi

loc_46D62E:				; CODE XREF: MiAddWorkingSetEntries+35Fj
		mov	eax, [esi+40h]
		add	eax, edi
		cmp	eax, [esi+54h]
		jbe	short loc_46D63B
		mov	[esi+54h], eax

loc_46D63B:				; CODE XREF: MiAddWorkingSetEntries+86j
		test	cl, 2
		jz	short loc_46D65D
		add	[esi+4Ch], edi
		xor	eax, eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		cmp	ebx, 0C0000000h
		jnb	loc_46D914

loc_46D65A:				; CODE XREF: MiAddWorkingSetEntries+370j
		add	[esi+44h], edi

loc_46D65D:				; CODE XREF: MiAddWorkingSetEntries+8Ej
					; MiAddWorkingSetEntries+36Aj
		mov	dl, [esi+60h]
		mov	al, dl
		and	al, 7
		cmp	al, 2
		jnb	loc_46D7F7

loc_46D66C:				; CODE XREF: MiAddWorkingSetEntries+275j
					; MiAddWorkingSetEntries+2A2j ...
		test	cl, 4
		jz	short loc_46D6C6
		test	edi, edi
		jz	short loc_46D6C6
		jmp	short loc_46D680
; 
		align 10h

loc_46D680:				; CODE XREF: MiAddWorkingSetEntries+C5j
					; MiAddWorkingSetEntries+114j
		cmp	ebx, 0C0000000h
		jnb	loc_46D7AF

loc_46D68C:				; CODE XREF: MiAddWorkingSetEntries+205j
		movzx	eax, byte ptr [esi+60h]
		and	eax, 7
		mov	ecx, dword_6D2E68[eax*4]
		mov	eax, ebx
		shr	eax, 0Ch
		add	ecx, eax
		mov	al, [ecx]
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_5B2B57
		mov	cl, al

loc_46D6AF:				; CODE XREF: MiAddWorkingSetEntries+242j
		movzx	eax, cl
		inc	dword ptr [esi+eax*4+18h]
		cmp	cl, 7
		jz	short loc_46D6FE

loc_46D6BB:				; CODE XREF: MiAddWorkingSetEntries+168j
					; MiAddWorkingSetEntries+173j ...
		add	ebx, 1000h
		sub	edi, 1
		jnz	short loc_46D680

loc_46D6C6:				; CODE XREF: MiAddWorkingSetEntries+BFj
					; MiAddWorkingSetEntries+C3j
		test	ds:byte_70EFC6,	1
		jnz	loc_5B2B66
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_46D9B3
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jnz	loc_46D9AB

loc_46D6F5:				; CODE XREF: MiAddWorkingSetEntries+415j
					; MiAddWorkingSetEntries+1455C1j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_46D6FE:				; CODE XREF: MiAddWorkingSetEntries+109j
		mov	ecx, dword_6D5D40
		xor	eax, eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	eax, [esi+34h]
		mov	[ebp+arg_4], ecx
		cmp	eax, [ecx+30h]
		jb	short loc_46D6BB
		lea	eax, [esi+10h]
		cmp	dword_6D5D44, eax
		jz	short loc_46D6BB
		cmp	dword ptr [eax], 0
		jz	short loc_46D6BB
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_14], offset dword_6D3540
		mov	[ebp+var_18], 0
		jnz	loc_5B2B2E
		lea	edx, [ebp+var_18]
		mov	ecx, offset dword_6D3540
		xchg	edx, [ecx]
		mov	ecx, [ebp+arg_4]
		test	edx, edx
		jnz	loc_46D9F9

loc_46D75A:				; CODE XREF: MiAddWorkingSetEntries+457j
		cmp	byte ptr [ecx+2Dh], 0
		jz	loc_46D940

loc_46D764:				; CODE XREF: MiAddWorkingSetEntries+394j
		mov	byte ptr [ecx+2Eh], 1

loc_46D768:				; CODE XREF: MiAddWorkingSetEntries+3D7j
		test	ds:byte_70EFC6,	1
		jnz	loc_5B2B40
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_46D798
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	loc_46D6BB
		call	KxWaitForLockChainValid

loc_46D798:				; CODE XREF: MiAddWorkingSetEntries+1CAj
		mov	[ebp+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_46D6BB
; 

loc_46D7AF:				; CODE XREF: MiAddWorkingSetEntries+D6j
		cmp	ebx, 0C07FFFFFh
		ja	loc_46D68C
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	ecx, [eax+ecx*4]
		shr	ecx, 1
		and	cl, 7
		jmp	loc_46D6AF
; 

loc_46D7F7:				; CODE XREF: MiAddWorkingSetEntries+B6j
		movzx	ecx, dl
		and	ecx, 7
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_8]
		add	ecx, dword_6D5800
		mov	[ebp+var_C], ecx
		cmp	ecx, dword_6D57FC[eax*4]
		mov	ecx, [ebp+arg_4]
		ja	loc_46D98C

loc_46D81F:				; CODE XREF: MiAddWorkingSetEntries+3E9j
		and	dl, 7
		cmp	dl, 4
		jnz	loc_46D66C
		mov	eax, ds:_PsNtosImageBase
		test	eax, eax
		jz	short loc_46D84C
		cmp	ebx, ds:_PsNtosImageEnd
		jb	loc_46D9D8

loc_46D840:				; CODE XREF: MiAddWorkingSetEntries+42Aj
		cmp	ebx, ds:_PsHalImageEnd
		jb	loc_46D9EB

loc_46D84C:				; CODE XREF: MiAddWorkingSetEntries+282j
					; MiAddWorkingSetEntries+441j
		cmp	ebx, dword_6D07D0
		jb	loc_46D66C
		mov	eax, ebx
		shr	eax, 15h
		cmp	byte ptr dword_6D3994[eax], 0Ch
		jnz	loc_46D66C
		mov	eax, ebx
		mov	[ebp+var_C], 0
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		shl	eax, 9
		mov	[ebp+var_8], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebp+var_1], al
		cmp	al, 1Bh
		jnb	short loc_46D896
		mov	cl, 1Bh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_46D896:				; CODE XREF: MiAddWorkingSetEntries+2DCj
		push	offset _PsLoadedModuleSpinLock
		call	ExAcquireSpinLockSharedAtDpcLevel
		mov	ecx, dword_6CF5A0
		test	ecx, ecx
		jz	short loc_46D8D3
		mov	edx, [ebp+var_8]
		lea	ecx, [ecx+0]

loc_46D8B0:				; CODE XREF: MiAddWorkingSetEntries+384j
		mov	eax, [ecx-6Ch]
		mov	[ebp+var_8], eax
		mov	edi, [ebp+var_8]
		mov	eax, [ecx-64h]
		dec	edi
		add	eax, edi
		mov	edi, [ebp+arg_0]
		cmp	edx, eax
		ja	short loc_46D92F
		cmp	edx, [ebp+var_8]
		jb	short loc_46D93C
		test	ecx, ecx
		jnz	loc_46D9CA

loc_46D8D3:				; CODE XREF: MiAddWorkingSetEntries+2F8j
					; MiAddWorkingSetEntries+38Aj ...
		push	offset _PsLoadedModuleSpinLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		cmp	cl, 1Bh
		jnb	short loc_46D8EB
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_46D8EB:				; CODE XREF: MiAddWorkingSetEntries+333j
		cmp	[ebp+var_C], 0
		mov	ecx, [ebp+arg_4]
		jz	loc_46D66C
		add	dword_6CF590, edi
		jmp	loc_46D66C
; 

loc_46D903:				; CODE XREF: MiAddWorkingSetEntries+75j
		cmp	ebx, 0C07FFFFFh
		ja	loc_46D62B
		jmp	loc_46D62E
; 

loc_46D914:				; CODE XREF: MiAddWorkingSetEntries+A4j
		cmp	ebx, 0C07FFFFFh
		jbe	loc_46D65D
		jmp	loc_46D65A
; 

loc_46D925:				; CODE XREF: MiAddWorkingSetEntries+1Dj
		mov	eax, offset unk_6D3C80
		jmp	loc_46D5D9
; 

loc_46D92F:				; CODE XREF: MiAddWorkingSetEntries+314j
		mov	ecx, [ecx+4]

loc_46D932:				; CODE XREF: MiAddWorkingSetEntries+38Ej
		test	ecx, ecx
		jnz	loc_46D8B0
		jmp	short loc_46D8D3
; 

loc_46D93C:				; CODE XREF: MiAddWorkingSetEntries+319j
		mov	ecx, [ecx]
		jmp	short loc_46D932
; 

loc_46D940:				; CODE XREF: MiAddWorkingSetEntries+1AEj
		mov	edx, [eax]
		test	edx, edx
		jz	loc_46D764
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_5B2B50
		cmp	[ecx], eax
		jnz	loc_5B2B50
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, dword_6D5D44
		cmp	dword ptr [ecx+4], offset dword_6D5D44
		jnz	loc_5B2B50
		mov	[eax], ecx
		mov	dword ptr [eax+4], offset dword_6D5D44
		mov	[ecx+4], eax
		mov	dword_6D5D44, eax
		jmp	loc_46D768
; 

loc_46D98C:				; CODE XREF: MiAddWorkingSetEntries+269j
		mov	edx, [ebp+var_C]
		mov	dword_6D57FC[eax*4], edx
		mov	dl, [esi+60h]
		jmp	loc_46D81F
; 

loc_46D99E:				; CODE XREF: MiAddWorkingSetEntries+47j
		lea	ecx, [ebp+var_24]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_46D5FD
; 

loc_46D9AB:				; CODE XREF: MiAddWorkingSetEntries+13Fj
		lea	ecx, [ebp+var_24]
		call	KxWaitForLockChainValid

loc_46D9B3:				; CODE XREF: MiAddWorkingSetEntries+128j
		mov	[ebp+var_24], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_46D6F5
; 

loc_46D9CA:				; CODE XREF: MiAddWorkingSetEntries+31Dj
		lea	eax, [ecx-84h]
		mov	[ebp+var_C], eax
		jmp	loc_46D8D3
; 

loc_46D9D8:				; CODE XREF: MiAddWorkingSetEntries+28Aj
		cmp	ebx, eax
		jb	loc_46D840

loc_46D9E0:				; CODE XREF: MiAddWorkingSetEntries+447j
		add	dword_6CF58C, edi
		jmp	loc_46D66C
; 

loc_46D9EB:				; CODE XREF: MiAddWorkingSetEntries+296j
		cmp	ebx, ds:_PsHalImageBase
		jb	loc_46D84C
		jmp	short loc_46D9E0
; 

loc_46D9F9:				; CODE XREF: MiAddWorkingSetEntries+1A4j
		lea	ecx, [ebp+var_18]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_46DA01:				; CODE XREF: MiAddWorkingSetEntries+14558Bj
		mov	ecx, [ebp+arg_4]
		lea	eax, [esi+10h]
		jmp	loc_46D75A
MiAddWorkingSetEntries endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiGetPageChain(x, x, x, x, x, x, x)
_MiGetPageChain@28 proc	near		; CODE XREF: MiResolvePrivateZeroFault(x)+46Ap
					; MiGetHardFaultPages+A1p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 120h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		mov	eax, [ebx+0Ch]
		push	esi
		push	edi
		mov	edi, [ebx+18h]
		mov	esi, edx
		push	90h		; size_t
		mov	[ebp-0ECh], eax
		lea	eax, [ebp-0D8h]
		push	0		; int
		push	eax		; void *
		mov	[ebp-11Ch], esi
		mov	[ebp-0FCh], ecx
		mov	[ebp-120h], edi
		call	_memset
		add	esp, 0Ch
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, [ebx+8]
		mov	[ebp-0D9h], al
		test	ecx, ecx
		jz	short loc_46DAA3
		mov	edx, large fs:20h
		lea	edi, [ecx-1]
		mov	cl, byte_6D068C
		shl	edi, cl
		mov	[ebp-10Ch], edi
		mov	edi, [ebp-120h]
		jmp	short loc_46DAC2
; 

loc_46DAA3:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+71j
		mov	eax, large fs:124h
		mov	eax, [eax+16Ch]
		mov	edx, ds:_KiProcessorBlock[eax*4]
		mov	eax, [edx+4C8h]
		mov	[ebp-10Ch], eax

loc_46DAC2:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+91j
		mov	cl, byte_6D068D
		mov	eax, 1
		shl	eax, cl
		dec	eax
		mov	[ebp-118h], eax
		test	esi, esi
		jz	short loc_46DAEB
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		jnb	short loc_46DAEB
		mov	[ebp-108h], esi
		jmp	short loc_46DAF7
; 

loc_46DAEB:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+C8j
					; MiGetPageChain(x,x,x,x,x,x,x)+D1j
		lea	eax, [edx+4BCh]
		mov	[ebp-108h], eax

loc_46DAF7:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+D9j
		mov	eax, [ebx+10h]
		xor	esi, esi
		mov	ecx, [edi]
		and	eax, 0FFFFF0FFh
		mov	edx, [ebx+14h]
		xor	edi, edi
		mov	[ebp-0F0h], eax
		mov	[ebp-100h], ecx
		mov	dword ptr [ebp-0F4h], offset loc_7FFFFF
		mov	[ebp-110h], edi
		mov	[ebp-104h], edi
		mov	[ebp-0F8h], esi
		cmp	edx, 0FFFFFFFFh
		jz	short loc_46DB45
		or	eax, 4000h
		mov	[ebp-0F0h], eax
		jmp	loc_46DD33
; 

loc_46DB45:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+123j
		cmp	ecx, 10h
		jb	loc_46DD33
		mov	edx, ecx
		mov	byte ptr [ebp-0E1h], 21h
		xor	ecx, ecx
		mov	dword ptr [ebp-0D8h], 1
		mov	[ebp-0D4h], esi
		mov	dword ptr [ebp-0D0h], 10h
		mov	[ebp-0E8h], edx
		mov	[ebp-0E0h], ecx
		nop

loc_46DB80:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+2CFj
		mov	esi, [ebp-108h]
		mov	eax, 1
		lock xadd [esi], eax
		inc	eax
		mov	esi, [ebp-118h]
		dec	eax
		and	esi, eax
		or	esi, [ebp-10Ch]
		cmp	byte ptr [ebp-0D9h], 2
		jnb	short loc_46DBC2
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [ebp-0E0h]
		mov	edx, [ebp-0E8h]
		mov	[ebp-0E1h], al

loc_46DBC2:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+196j
		cmp	edx, 200h
		jb	short loc_46DBF5
		test	ecx, ecx
		jnz	short loc_46DBF5
		mov	ecx, [ebp-0FCh]
		lea	eax, [ebp-0D8h]
		push	eax
		push	4
		push	esi
		push	dword ptr [ebp-0ECh]
		xor	edx, edx
		call	_MiGetLargePage@24 ; MiGetLargePage(x,x,x,x,x,x)
		mov	[ebp-0E8h], eax
		test	eax, eax
		jnz	short loc_46DC29

loc_46DBF5:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+1B8j
					; MiGetPageChain(x,x,x,x,x,x,x)+1BCj
		mov	ecx, [ebp-0FCh]
		lea	eax, [ebp-0D8h]
		push	eax
		push	4
		push	esi
		push	dword ptr [ebp-0ECh]
		mov	edx, 1
		mov	dword ptr [ebp-0E0h], 1
		call	_MiGetLargePage@24 ; MiGetLargePage(x,x,x,x,x,x)
		mov	[ebp-0E8h], eax
		test	eax, eax
		jz	short loc_46DC3E

loc_46DC29:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+1E3j
		mov	edx, [ebp-0E0h]
		mov	ecx, eax
		push	0
		push	0
		push	1
		push	2
		call	_MiConvertEntireLargePageToSmall@24 ; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)

loc_46DC3E:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+217j
		cmp	byte ptr [ebp-0D9h], 2
		jnb	short loc_46DC53
		mov	cl, [ebp-0E1h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_46DC53:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+235j
		mov	eax, [ebp-0E8h]
		test	eax, eax
		jz	loc_46DCE7
		mov	edi, ds:_MmPfnDatabase
		mov	ecx, eax
		sub	ecx, edi
		mov	eax, 92492493h
		imul	ecx
		mov	eax, [ebp-0E0h]
		add	edi, 0FFFFFFE4h
		add	edx, ecx
		sar	edx, 4
		mov	esi, edx
		mov	ecx, ds:_MiLargePageSizes[eax*4]
		shr	esi, 1Fh
		add	esi, edx
		mov	edx, [ebp-0F4h]
		add	ecx, esi
		push	0
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		lea	ecx, [edi+eax*4]
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		mov	ecx, [ebp-0E0h]
		mov	edx, [ebp-100h]
		mov	edi, [ebp-0E8h]
		mov	[ebp-0F4h], esi
		mov	esi, [ebp-0F8h]
		add	esi, ds:_MiLargePageSizes[ecx*4]
		sub	edx, esi
		mov	[ebp-0F8h], esi
		mov	[ebp-0E8h], edx
		cmp	edx, 10h
		jnb	loc_46DB80
		jmp	short loc_46DCED
; 

loc_46DCE7:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+24Bj
		mov	esi, [ebp-0F8h]

loc_46DCED:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+2D5j
		cmp	dword ptr [ebp-0D4h], 0
		jz	short loc_46DD01
		lea	ecx, [ebp-0D8h]
		call	_MiNotifyPageHeat@4 ; MiNotifyPageHeat(x)

loc_46DD01:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+2E4j
		cmp	byte ptr [ebp-0D9h], 2
		jb	short loc_46DD2A
		mov	ecx, [ebp-11Ch]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	loc_46E07D
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	loc_46E07D

loc_46DD2A:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+2F8j
		mov	ecx, [ebp-100h]
		mov	edx, [ebx+14h]

loc_46DD33:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+130j
					; MiGetPageChain(x,x,x,x,x,x,x)+138j
		cmp	esi, ecx
		jnb	loc_46E07D
		jmp	short loc_46DD40
; 
		align 10h

loc_46DD40:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+32Bj
					; MiGetPageChain(x,x,x,x,x,x,x)+65Fj
		mov	ecx, [ebp-108h]
		mov	eax, 1
		lock xadd [ecx], eax
		inc	eax
		mov	esi, [ebp-118h]
		dec	eax
		and	esi, eax
		or	esi, [ebp-10Ch]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_46DDC7
		mov	ecx, dword_6D06D0
		mov	eax, 0Fh
		mov	[ebp-0E8h], eax
		cmp	ecx, eax
		jnb	short loc_46DD81
		mov	eax, ecx
		mov	[ebp-0E8h], ecx

loc_46DD81:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+367j
		push	dword ptr [ebp-0F0h]
		mov	ecx, [ebp-0FCh]
		and	edx, eax
		and	esi, 0FFFFFFF0h
		mov	[ebx+14h], edx
		or	esi, edx
		mov	edx, esi
		call	MiGetPage
		mov	edx, eax
		mov	[ebp-0E0h], edx
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_46DDB5
		and	dword ptr [ebp-0F0h], 0FFFFBFFFh

loc_46DDB5:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+399j
		mov	eax, [ebx+14h]
		inc	eax
		and	eax, [ebp-0E8h]
		mov	[ebx+14h], eax
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_46DDEE

loc_46DDC7:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+352j
		push	dword ptr [ebp-0F0h]
		mov	ecx, [ebp-0FCh]
		mov	edx, esi
		call	MiGetPage
		mov	edx, eax
		mov	[ebp-0E0h], eax
		cmp	edx, 0FFFFFFFFh
		jz	loc_46E077
		mov	eax, [ebx+14h]

loc_46DDEE:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+3B5j
		cmp	eax, 0FFFFFFFFh
		jz	short loc_46DDFD
		or	dword ptr [ebp-0F0h], 4000h

loc_46DDFD:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+3E1j
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edx*8]
		mov	esi, [ebp-0ECh]
		sub	ecx, edx
		lea	edi, [eax+ecx*4]
		movzx	ecx, byte ptr [edi+16h]
		shr	ecx, 6
		cmp	ecx, esi
		jz	short loc_46DE65
		mov	al, 1
		shl	al, cl
		movzx	eax, al
		bts	eax, esi
		test	byte_6D078C, al
		jz	short loc_46DE65
		mov	eax, [ebp-104h]
		mov	[ebp+eax*4-48h], edx
		inc	eax
		mov	[ebp-104h], eax
		cmp	eax, 10h
		jnz	loc_46DFC6
		push	esi
		mov	edx, eax
		lea	ecx, [ebp-48h]
		call	_MiPerformFinalZeroing@12 ; MiPerformFinalZeroing(x,x,x)
		mov	dword ptr [ebp-104h], 0
		jmp	loc_46DFC6
; 

loc_46DE65:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+40Dj
					; MiGetPageChain(x,x,x,x,x,x,x)+41Fj
		mov	eax, [edi+8]
		and	eax, 3E0h
		or	eax, 0
		jz	loc_46DF08
		test	dword ptr [ebx+10h], 100h
		jz	loc_46DF08
		mov	ecx, [ebp-0E0h]
		mov	edx, 1
		push	esi
		call	MiZeroPhysicalPage
		mov	eax, [edi+0Ch]
		xor	ecx, ecx
		and	dword ptr [edi+8], 0FFFFFC1Fh
		mov	[edi+0Ch], eax
		lea	eax, [ebp-0E8h]
		mov	dword ptr [ebp-0E8h], 0
		lock or	[eax], ecx
		mov	eax, ds:_KiTbFlushTimeStamp
		lea	esi, [edi+10h]
		mov	ecx, [edi+10h]
		and	eax, 0Fh
		shl	eax, 17h
		mov	edx, ecx
		and	edx, 0F87FFFFFh
		mov	[ebp-114h], eax
		or	edx, eax
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	esi, [ebp-0E0h]
		cmp	ecx, eax
		jz	short loc_46DF0E
		lea	esi, [edi+10h]
		lea	ebx, [ebx+0]

loc_46DEF0:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+4F6j
		mov	edx, eax
		mov	ecx, eax
		and	edx, 0F87FFFFFh
		or	edx, [ebp-114h]
		lock cmpxchg [esi], edx
		cmp	ecx, eax
		jnz	short loc_46DEF0

loc_46DF08:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+460j
					; MiGetPageChain(x,x,x,x,x,x,x)+46Dj
		mov	esi, [ebp-0E0h]

loc_46DF0E:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+4D5j
		movzx	eax, byte ptr [edi+16h]
		mov	edx, [ebp-0ECh]
		shr	eax, 6
		cmp	eax, edx
		jz	loc_46DF99
		cmp	eax, 1
		jz	short loc_46DF62
		cmp	eax, 3
		jz	short loc_46DF90
		mov	ecx, [edi+10h]
		lea	eax, [ebp-114h]
		shr	ecx, 17h
		xor	edx, edx
		and	ecx, 0Fh
		mov	dword ptr [ebp-114h], 0
		lock or	[eax], edx
		mov	edx, ds:_KiTbFlushTimeStamp
		push	0Fh
		call	_MiTbFlushTimeStampMayNeedFlush@12 ; MiTbFlushTimeStampMayNeedFlush(x,x,x)
		mov	edx, [ebp-0ECh]
		cmp	al, 1
		jnz	short loc_46DF90

loc_46DF62:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+516j
		mov	ecx, edi
		call	_MiIsFreshPfnFromZeroedList@4 ;	MiIsFreshPfnFromZeroedList(x)
		test	eax, eax
		jnz	short loc_46DF78
		push	edx
		lea	edx, [eax+1]
		mov	ecx, esi
		call	MiZeroPhysicalPage

loc_46DF78:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+55Bj
		mov	eax, [ebp-110h]
		mov	[edi+8], eax
		mov	dword ptr [edi+0Ch], 0
		mov	[ebp-110h], edi
		jmp	short loc_46DFC6
; 

loc_46DF90:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+51Bj
					; MiGetPageChain(x,x,x,x,x,x,x)+550j
		push	4
		mov	ecx, edi
		call	MiChangePageAttribute

loc_46DF99:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+50Dj
		mov	ecx, [edi+10h]
		lea	esi, [edi+10h]
		mov	edx, ecx
		mov	eax, ecx
		and	edx, 0F87FFFFFh
		lock cmpxchg [esi], edx
		cmp	ecx, eax
		jz	short loc_46DFC6
		lea	esi, [edi+10h]

loc_46DFB4:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+5B4j
		mov	edx, eax
		mov	ecx, eax
		and	edx, 0F87FFFFFh
		lock cmpxchg [esi], edx
		cmp	ecx, eax
		jnz	short loc_46DFB4

loc_46DFC6:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+435j
					; MiGetPageChain(x,x,x,x,x,x,x)+450j ...
		mov	ecx, [edi+10h]
		lea	esi, [edi+10h]
		mov	eax, [ebp-0F4h]
		mov	edx, ecx
		and	eax, offset loc_7FFFFF
		and	edx, 0FF800000h
		mov	[ebp-0F4h], eax
		or	edx, eax
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	esi, [ebp-0E0h]
		cmp	ecx, eax
		jz	short loc_46E01E
		lea	esi, [edi+10h]
		lea	ebx, [ebx+0]

loc_46E000:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+606j
		mov	edx, eax
		mov	ecx, eax
		and	edx, 0FF800000h
		or	edx, [ebp-0F4h]
		lock cmpxchg [esi], edx
		cmp	ecx, eax
		jnz	short loc_46E000
		mov	esi, [ebp-0E0h]

loc_46E01E:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+5E5j
		mov	[ebp-0F4h], esi
		mov	esi, [ebp-0F8h]
		inc	esi
		cmp	byte ptr [ebp-0D9h], 2
		mov	[ebp-0F8h], esi
		jb	short loc_46E066
		mov	ecx, [ebp-11Ch]
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_46E054
		lea	eax, [ecx+80h]

loc_46E054:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+63Cj
		mov	eax, [eax]
		test	eax, 40000000h
		jnz	short loc_46E07D
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	short loc_46E07D

loc_46E066:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+628j
		mov	edx, [ebx+14h]
		cmp	esi, [ebp-100h]
		jb	loc_46DD40
		jmp	short loc_46E07D
; 

loc_46E077:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+3D5j
		mov	esi, [ebp-0F8h]

loc_46E07D:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+307j
					; MiGetPageChain(x,x,x,x,x,x,x)+314j ...
		mov	eax, [ebp-120h]
		mov	[eax], esi
		mov	eax, [ebp-104h]
		mov	esi, [ebp-0ECh]
		test	eax, eax
		jz	short loc_46E0A0
		push	esi
		mov	edx, eax
		lea	ecx, [ebp-48h]
		call	_MiPerformFinalZeroing@12 ; MiPerformFinalZeroing(x,x,x)

loc_46E0A0:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+683j
		mov	eax, [ebp-110h]
		test	eax, eax
		jz	short loc_46E0BF
		push	ds:dword_40F9FC
		mov	edx, esi
		mov	ecx, eax
		push	ds:_ZeroPte
		call	MiChangePageAttributeBatch

loc_46E0BF:				; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+698j
		mov	ecx, [ebp-4]
		mov	eax, edi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	14h
_MiGetPageChain@28 endp	; sp =	4

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlinkFreeOrZeroedPage proc near	; CODE XREF: MiGetPage+74Fp
					; MiZeroPage(x,x)+389p	...

var_6C		= dword	ptr -6Ch
var_5C		= dword	ptr -5Ch
var_4A		= byte ptr -4Ah
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0046E5A3 SIZE 0000001D BYTES
; FUNCTION CHUNK AT 005B2B76 SIZE 0000036D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 58h
		xor	eax, eax
		mov	[esp+58h+var_48], ecx
		mov	[esp+58h+var_C], eax
		mov	[esp+58h+var_8], eax
		mov	[esp+58h+var_4], eax
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		push	esi
		mov	esi, edx
		mov	edx, ds:_MmPfnDatabase
		push	edi
		mov	[esp+60h+var_44], esi
		lea	edi, [edx+eax*4]
		movzx	eax, byte ptr [edi+16h]
		mov	ecx, edi
		and	eax, 7
		mov	[esp+60h+var_24], edi
		mov	[esp+60h+var_28], eax
		sub	ecx, edx
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		mov	ecx, dword_6D0688
		sar	edx, 4
		mov	eax, edx
		mov	[esp+60h+var_20], ecx
		shr	eax, 1Fh
		add	eax, edx
		mov	[esp+60h+var_2C], eax
		mov	eax, dword_6D0684
		mov	[esp+60h+var_18], eax
		cmp	eax, ecx
		ja	loc_5B2B83
		mov	edx, dword_6D06B0
		mov	esi, [esp+60h+var_2C]
		cmp	esi, [edx+eax*8]
		mov	esi, [esp+60h+var_44]
		mov	[esp+60h+var_40], edx
		lea	edx, [edx+eax*8]
		jb	loc_5B2B83
		cmp	eax, ecx
		jnz	loc_5B2B76

loc_46E182:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144A9Dj
					; MiUnlinkFreeOrZeroedPage+144B2Cj
		mov	edx, [edx+4]
		mov	cl, byte_6D068C
		mov	eax, dword_6D06D0
		shl	edx, cl
		mov	ecx, [esp+60h+var_48]
		and	eax, ecx
		or	edx, eax
		mov	[esp+60h+var_2C], edx
		test	esi, esi
		jnz	loc_46E4C8
		mov	ecx, [esp+60h+var_28]
		mov	eax, dword_6D5380[ecx*4]
		mov	ecx, [esp+60h+var_20]
		mov	[esp+60h+var_1C], eax
		mov	eax, [esp+60h+var_18]
		cmp	eax, ecx
		ja	loc_5B2C20
		mov	esi, [esp+60h+var_40]
		mov	edx, [esp+60h+var_48]
		lea	esi, [esi+eax*8]
		cmp	edx, [esi]
		mov	edx, [esp+60h+var_2C]
		jb	loc_5B2C20
		cmp	eax, ecx
		jnz	loc_5B2C11

loc_46E1E4:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144B38j
					; MiUnlinkFreeOrZeroedPage+144BD4j
		test	ds:byte_70EFC6,	21h
		lea	eax, [edx+edx*4]
		mov	ecx, [esp+60h+var_1C]
		mov	esi, [esi+4]
		mov	[esp+60h+var_C], 0
		lea	edx, [ecx+eax*4]
		lea	ecx, [edx+10h]
		mov	[esp+60h+var_44], edx
		mov	[esp+60h+var_8], ecx
		jnz	loc_5B2CB9
		lea	eax, [esp+60h+var_C]
		xchg	eax, [ecx]
		test	eax, eax
		jnz	loc_46E56E

loc_46E21F:				; CODE XREF: MiUnlinkFreeOrZeroedPage+49Dj
		mov	ecx, [esp+60h+var_48]

loc_46E223:				; CODE XREF: MiUnlinkFreeOrZeroedPage+3EFj
		mov	eax, [esp+60h+var_28]
		mov	eax, dword_6D579C[eax*4]
		lock dec dword ptr [eax]
		cmp	dword_6D3034, 1
		jz	loc_5B2CC9

loc_46E23E:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144C79j
					; MiUnlinkFreeOrZeroedPage+144C92j
		dec	dword ptr [edx]
		mov	eax, [esp+60h+var_48]
		cmp	[edx+8], eax
		jnz	loc_46E4D4
		mov	eax, [edi]
		mov	[edx+8], eax
		cmp	eax, offset loc_7FFFFF
		jnz	loc_46E44A
		mov	cl, byte_6D068C
		mov	eax, [esp+60h+var_2C]
		mov	edx, dword_6D06D0
		and	edx, [esp+60h+var_2C]
		shr	eax, cl
		mov	ecx, edx
		and	ecx, 1Fh
		mov	[esp+60h+var_20], 1
		shl	[esp+60h+var_20], cl
		mov	ecx, [esp+60h+var_28]
		lea	eax, [eax+eax*4]
		shr	edx, 5
		shl	eax, 7
		add	eax, dword_6D4E50
		mov	eax, [eax+ecx*8+184h]
		mov	ecx, [esp+60h+var_20]
		not	ecx
		lea	eax, [eax+edx*4]
		lock and [eax],	ecx
		mov	eax, [esp+60h+var_44]
		mov	dword ptr [eax+0Ch], offset loc_7FFFFF

loc_46E2B5:				; CODE XREF: MiUnlinkFreeOrZeroedPage+39Fj
					; MiUnlinkFreeOrZeroedPage+3C6j ...
		mov	al, [edi+16h]
		and	al, 0FDh
		or	al, 5
		mov	[edi+16h], al
		mov	al, byte_6D5871
		mov	[esp+60h+var_49], al
		cmp	esi, 0FFFFFFFFh
		jz	short loc_46E300
		test	ds:byte_70EFC6,	1
		jnz	loc_5B2D96
		mov	eax, [esp+60h+var_C]
		test	eax, eax
		jnz	loc_46E58B
		mov	edx, [esp+60h+var_8]
		lea	eax, [esp+60h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+60h+var_C]
		cmp	eax, ecx
		jnz	loc_46E582

loc_46E300:				; CODE XREF: MiUnlinkFreeOrZeroedPage+1EBj
					; MiUnlinkFreeOrZeroedPage+4BEj ...
		mov	cl, byte_6D068C
		mov	eax, [esp+60h+var_2C]
		shr	eax, cl
		lea	ecx, [eax+eax*4]
		mov	eax, dword_6D4E50
		shl	ecx, 5
		add	ecx, [esp+60h+var_28]
		lock dec dword ptr [eax+ecx*4+1D0h]
		or	esi, 0FFFFFFFFh
		lock xadd dword_6D5E00,	esi
		dec	esi
		cmp	esi, dword_6D596C
		jz	loc_5B2DA7
		cmp	esi, dword_6D5970
		jz	loc_5B2DA7

loc_46E347:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144CD1j
		lea	ecx, [esi+1]
		cmp	esi, 420h
		jbe	loc_5B2DB6

loc_46E356:				; CODE XREF: MiUnlinkFreeOrZeroedPage+4C9j
					; MiUnlinkFreeOrZeroedPage+4D5j ...
		cmp	esi, 9Fh
		jb	loc_5B2DFC
		mov	esi, 1

loc_46E367:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144D2Cj
					; MiUnlinkFreeOrZeroedPage+144D4Aj ...
		test	byte ptr [edi+16h], 8
		jnz	loc_46E55D

loc_46E371:				; CODE XREF: MiUnlinkFreeOrZeroedPage+489j
		mov	eax, [edi+8]
		and	dword ptr [edi+10h], 0FF800000h
		mov	[esp+60h+var_24], eax
		mov	eax, [edi+0Ch]
		mov	dword ptr [edi], 0
		mov	ecx, dword_6D0700
		mov	edx, dword_6D0704
		mov	[esp+60h+var_20], eax
		mov	eax, ecx
		or	eax, edx
		jz	loc_5B2E78
		mov	eax, [esp+60h+var_24]
		and	eax, 10h
		or	eax, 0
		jnz	loc_5B2E70
		mov	eax, [esp+60h+var_20]
		not	edx
		and	eax, edx

loc_46E3BA:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144D9Cj
		cmp	eax, 0FFFFFFFDh
		jnz	loc_5B2E81
		mov	eax, 2

loc_46E3C8:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144DA3j
		or	esi, eax
		mov	eax, ds:_ZeroPte
		mov	[edi+8], eax
		mov	eax, ds:dword_40F9FC
		mov	[edi+0Ch], eax
		cmp	esi, 2
		jnb	loc_5B2E88

loc_46E3E3:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144DB4j
		cmp	[esp+60h+var_28], 1
		jnz	loc_46E4AB

loc_46E3EE:				; CODE XREF: MiUnlinkFreeOrZeroedPage+3D0j
		mov	ecx, [edi+8]
		mov	eax, ecx
		mov	edx, [edi+0Ch]
		or	eax, edx
		jnz	loc_5B2ECF
		mov	eax, dword_6D0704
		mov	ecx, 80h
		mov	edx, dword_6D0700
		mov	[esp+60h+var_18], eax
		mov	eax, edx
		or	eax, [esp+60h+var_18]
		jz	loc_5B2EC8
		mov	eax, edx
		and	eax, ecx
		or	eax, 0
		jnz	loc_5B2EC3
		mov	eax, [esp+60h+var_18]
		mov	ecx, edx
		or	ecx, 80h

loc_46E437:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144DEAj
		mov	[edi+0Ch], eax

loc_46E43A:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144DFEj
		mov	[edi+8], ecx

loc_46E43D:				; CODE XREF: MiUnlinkFreeOrZeroedPage+3DDj
					; MiUnlinkFreeOrZeroedPage+144DCAj ...
		and	esi, 1
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_46E44A:				; CODE XREF: MiUnlinkFreeOrZeroedPage+177j
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		mov	ecx, [eax+10h]
		add	eax, 10h
		mov	[esp+60h+var_1C], ecx
		mov	[esp+60h+var_18], eax
		mov	edx, ecx
		mov	eax, ecx
		or	edx, offset loc_7FFFFF
		mov	ecx, [esp+60h+var_18]
		lock cmpxchg [ecx], edx
		cmp	[esp+60h+var_1C], eax
		jz	loc_46E2B5
		mov	edi, ecx
		jmp	short loc_46E490
; 
		align 10h

loc_46E490:				; CODE XREF: MiUnlinkFreeOrZeroedPage+3A7j
					; MiUnlinkFreeOrZeroedPage+3C0j
		mov	edx, eax
		mov	ecx, eax
		or	edx, offset loc_7FFFFF
		lock cmpxchg [edi], edx
		cmp	ecx, eax
		jnz	short loc_46E490
		mov	edi, [esp+60h+var_24]
		jmp	loc_46E2B5
; 

loc_46E4AB:				; CODE XREF: MiUnlinkFreeOrZeroedPage+308j
		cmp	[esp+60h+var_49], 1
		jz	loc_46E3EE
		test	byte ptr ds:_MiFlags, 80h
		jz	loc_46E43D
		jmp	loc_5B2E99
; 

loc_46E4C8:				; CODE XREF: MiUnlinkFreeOrZeroedPage+C0j
		mov	edx, [esp+60h+var_44]
		or	esi, 0FFFFFFFFh
		jmp	loc_46E223
; 

loc_46E4D4:				; CODE XREF: MiUnlinkFreeOrZeroedPage+167j
		mov	eax, [edi+10h]
		and	eax, offset loc_7FFFFF
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+ecx*4]
		mov	eax, [edi]
		mov	[ecx], eax
		mov	eax, [edi]
		cmp	eax, offset loc_7FFFFF
		jnz	short loc_46E50A
		mov	eax, [edi+10h]
		and	eax, offset loc_7FFFFF
		mov	[edx+0Ch], eax
		jmp	loc_46E2B5
; 

loc_46E50A:				; CODE XREF: MiUnlinkFreeOrZeroedPage+418j
		mov	edx, [edi+10h]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		and	edx, offset loc_7FFFFF
		mov	eax, ds:_MmPfnDatabase
		mov	[esp+60h+var_1C], edx
		lea	eax, [eax+ecx*4]
		mov	ecx, [eax+10h]
		add	eax, 10h
		mov	edx, ecx
		mov	[esp+60h+var_18], eax
		and	edx, 0FF800000h
		or	edx, [esp+60h+var_1C]
		mov	eax, ecx
		mov	edi, [esp+60h+var_18]
		lock cmpxchg [edi], edx
		mov	edi, [esp+60h+var_24]
		cmp	ecx, eax
		jz	loc_46E2B5
		mov	edi, [esp+60h+var_18]
		jmp	loc_5B2D77
; 

loc_46E55D:				; CODE XREF: MiUnlinkFreeOrZeroedPage+28Bj
		mov	edx, 1
		mov	ecx, edi
		call	_MiPageListCollision@8 ; MiPageListCollision(x,x)
		jmp	loc_46E371
; 

loc_46E56E:				; CODE XREF: MiUnlinkFreeOrZeroedPage+139j
		mov	edx, eax
		lea	ecx, [esp+60h+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_46E579:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144BE4j
		mov	edx, [esp+60h+var_44]
		jmp	loc_46E21F
; 

loc_46E582:				; CODE XREF: MiUnlinkFreeOrZeroedPage+21Aj
		lea	ecx, [esp+60h+var_C]
		call	KxWaitForLockChainValid

loc_46E58B:				; CODE XREF: MiUnlinkFreeOrZeroedPage+200j
		mov	[esp+60h+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_46E300
MiUnlinkFreeOrZeroedPage endp

; 
; START	OF FUNCTION CHUNK FOR MiUnlinkFreeOrZeroedPage

loc_46E5A3:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144CE4j
					; MiUnlinkFreeOrZeroedPage+144CF7j
		cmp	ecx, 0A0h
		jb	loc_46E356
		cmp	esi, 0A0h
		jnb	loc_46E356
		jmp	loc_5B2DDC
; END OF FUNCTION CHUNK	FOR MiUnlinkFreeOrZeroedPage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetPage	proc near		; CODE XREF: MiCopyOnWrite(x,x,x,x)+428p
					; .text:0045D651p ...

var_60		= dword	ptr -60h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B2EE3 SIZE 00000421 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 58h
		push	esi
		mov	[esp+5Ch+var_48], ecx
		xor	eax, eax
		mov	cl, byte_6D068C
		mov	esi, edx
		shr	esi, cl
		push	edi
		mov	[esp+60h+var_4C], edx
		mov	edi, esi
		mov	[esp+60h+var_24], eax
		mov	[esp+60h+var_38], esi
		jmp	short loc_46E5F0
; 
		align 10h

loc_46E5F0:				; CODE XREF: MiGetPage+2Bj
					; MiGetPage+144D2Ej
		mov	ecx, [esp+60h+var_48]
		lea	eax, [edi+edi*4]
		shl	eax, 7
		add	eax, [ecx+10h]
		cmp	dword ptr [eax+1DCh], 0
		jz	loc_46EEDD

loc_46E60A:				; CODE XREF: MiGetPage+924j
		mov	eax, [ebp+arg_0]
		and	eax, 2
		xor	ecx, ecx
		mov	[esp+60h+var_3C], eax
		mov	[esp+60h+var_28], ecx

loc_46E61A:				; CODE XREF: MiGetPage+144941j
		test	ecx, ecx
		jnz	loc_5B2F06

loc_46E622:				; CODE XREF: MiGetPage+144972j
		test	eax, eax
		jz	loc_46E713
		mov	ecx, offset _MiZeroThenZero

loc_46E62F:				; CODE XREF: MiGetPage+158j
		mov	eax, [ecx]
		mov	[esp+60h+var_34], ecx

loc_46E635:				; CODE XREF: MiGetPage+16Cj
		mov	esi, [esp+60h+var_48]
		mov	[esp+60h+var_40], eax
		mov	eax, [esi+eax*4+954h]
		cmp	word ptr [eax+edx*8+4],	0
		jz	loc_46E725
		lea	ecx, [eax+edx*8]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		mov	[esp+60h+var_50], ecx
		test	ecx, ecx
		jz	loc_46E71D
		cmp	[esp+60h+var_40], 0
		mov	eax, ds:_ZeroPte
		mov	[ecx+8], eax
		mov	eax, ds:dword_40F9FC
		mov	[ecx+0Ch], eax
		jnz	loc_46E97D
		test	byte ptr ds:_MiFlags, 80h
		jnz	loc_5B2F37

loc_46E68E:				; CODE XREF: MiGetPage+418j
					; MiGetPage+144988j ...
		mov	dword ptr [ecx], 0

loc_46E694:				; CODE XREF: MiGetPage+1B1j
					; MiGetPage+7D3j
		cmp	ecx, 1
		jz	loc_5B2EF5
		test	ecx, ecx
		jz	loc_46E776

loc_46E6A5:				; CODE XREF: MiGetPage+2B0j
					; MiGetPage+47Cj ...
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		mov	esi, [esp+60h+var_50]
		imul	ecx
		mov	eax, [ebp+arg_0]
		add	edx, ecx
		mov	dword ptr [esi], 0
		sar	edx, 4
		mov	edi, edx
		shr	edi, 1Fh
		add	edi, edx
		test	eax, 200h
		jnz	loc_46EC00
		test	eax, 400h
		jnz	loc_5B32F3
		test	eax, 800h
		jnz	loc_5B32FA
		mov	edx, 3

loc_46E6F1:				; CODE XREF: MiGetPage+645j
					; MiGetPage+144D35j ...
		mov	[esp+60h+var_3C], edx
		test	eax, 100h
		jnz	loc_46ED98

loc_46E700:				; CODE XREF: MiGetPage+7E1j
					; MiGetPage+80Bj
		cmp	edx, 3
		jnz	loc_46EC0A

loc_46E709:				; CODE XREF: MiGetPage+653j
					; MiGetPage+662j
		mov	eax, edi

loc_46E70B:				; CODE XREF: MiGetPage+144938j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_46E713:				; CODE XREF: MiGetPage+64j
		mov	ecx, offset _MiFreeThenFree
		jmp	loc_46E62F
; 

loc_46E71D:				; CODE XREF: MiGetPage+A0j
		mov	ecx, [esp+60h+var_34]
		mov	edx, [esp+60h+var_4C]

loc_46E725:				; CODE XREF: MiGetPage+8Aj
		mov	eax, [ecx+4]
		cmp	[esp+60h+var_40], eax
		jnz	loc_46E635
		mov	eax, [ecx]
		mov	ecx, esi
		mov	[esp+60h+var_2C], eax
		mov	ecx, [ecx+eax*4+540h]
		lea	eax, [edx+edx*4]
		lea	eax, [ecx+eax*4]
		xor	ecx, ecx
		mov	[esp+60h+var_40], eax
		mov	eax, [eax+8]
		mov	[esp+60h+var_C], ecx
		mov	[esp+60h+var_8], ecx
		mov	[esp+60h+var_4], ecx
		mov	[esp+60h+var_34], eax
		cmp	eax, offset loc_7FFFFF
		jnz	loc_46EC4B

loc_46E76B:				; CODE XREF: MiGetPage+8EAj
					; MiGetPage+90Cj ...
		xor	ecx, ecx

loc_46E76D:				; CODE XREF: MiGetPage+144B34j
		mov	[esp+60h+var_50], ecx
		jmp	loc_46E694
; 

loc_46E776:				; CODE XREF: MiGetPage+DFj
		cmp	[esp+60h+var_3C], 0
		mov	eax, [ebp+arg_0]
		jz	loc_46EC27
		and	eax, 0FFFFFFFDh

loc_46E787:				; CODE XREF: MiGetPage+66Aj
		mov	[esp+60h+var_44], eax
		and	eax, 2
		mov	[esp+60h+var_10], eax
		jnz	loc_46EC2F
		mov	ecx, offset _MiFreeThenFree

loc_46E79D:				; CODE XREF: MiGetPage+674j
		mov	eax, [ecx]
		mov	[esp+60h+var_2C], ecx
		mov	[esp+60h+var_40], eax
		jmp	short loc_46E7B0
; 
		align 10h

loc_46E7B0:				; CODE XREF: MiGetPage+1E7j
					; MiGetPage+144B5Ej
		mov	edx, [esp+60h+var_48]
		mov	esi, [esp+60h+var_4C]
		mov	edx, [edx+eax*4+954h]
		cmp	word ptr [edx+esi*8+4],	0
		mov	esi, [esp+60h+var_38]
		jz	loc_46E9E5
		mov	eax, [esp+60h+var_4C]
		lea	ecx, [edx+eax*8]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		mov	[esp+60h+var_50], ecx
		test	ecx, ecx
		jz	loc_46E9DD
		cmp	[esp+60h+var_40], 0
		mov	eax, ds:_ZeroPte
		mov	[ecx+8], eax
		mov	eax, ds:dword_40F9FC
		mov	[ecx+0Ch], eax
		jz	loc_46EC39
		mov	edx, [ecx+8]
		mov	[esp+60h+var_2C], eax
		mov	eax, edx
		or	eax, [esp+60h+var_2C]
		jnz	loc_5B3172
		mov	eax, dword_6D0700
		mov	edx, 80h
		mov	ecx, dword_6D0704
		mov	[esp+60h+var_2C], eax
		or	eax, ecx
		mov	[esp+60h+var_30], ecx
		mov	ecx, [esp+60h+var_50]
		jz	loc_5B316B
		mov	edx, [esp+60h+var_2C]
		mov	eax, edx
		and	eax, 80h
		or	eax, 0
		jnz	loc_5B3166
		mov	eax, [esp+60h+var_30]

loc_46E853:				; CODE XREF: MiGetPage+144BBCj
		or	edx, 80h

loc_46E859:				; CODE XREF: MiGetPage+144BADj
		mov	[ecx+0Ch], eax
		mov	[ecx+8], edx

loc_46E85F:				; CODE XREF: MiGetPage+680j
					; MiGetPage+144B74j ...
		mov	dword ptr [ecx], 0

loc_46E865:				; CODE XREF: MiGetPage+45Cj
		cmp	ecx, 1
		jz	loc_5B2EF5
		test	ecx, ecx
		jnz	loc_46E6A5
		mov	ecx, [esp+60h+var_48]
		mov	eax, [ecx+0DB8h]
		cmp	eax, 10h
		jb	short loc_46E88A
		mov	eax, 10h

loc_46E88A:				; CODE XREF: MiGetPage+2C3j
		imul	eax, dword_6D06D0
		mov	edx, [ebp+arg_0]
		test	edx, 10001h
		jnz	short loc_46E8BC
		push	eax
		push	edx
		mov	edx, [esp+68h+var_4C]
		call	_MiDemoteLocalLargePage@16 ; MiDemoteLocalLargePage(x,x,x,x)
		mov	ecx, eax
		mov	[esp+60h+var_50], ecx
		test	ecx, ecx
		jnz	loc_46EA31
		mov	ecx, [esp+60h+var_48]
		mov	edx, [ebp+arg_0]

loc_46E8BC:				; CODE XREF: MiGetPage+2DAj
		push	edx
		mov	edx, [esp+64h+var_4C]
		call	MiRemovePageAnyColor
		mov	ecx, eax
		mov	[esp+60h+var_50], ecx
		cmp	ecx, 1
		jz	loc_5B2EF5
		test	ecx, ecx
		jnz	loc_46EA31
		mov	eax, [ebp+arg_0]
		and	eax, 4000h
		mov	[esp+60h+var_14], eax
		jnz	loc_5B3181
		mov	[esp+60h+var_2C], 1

loc_46E8F7:				; CODE XREF: MiGetPage+144BC9j
		cmp	[esp+60h+var_3C], 0
		jz	loc_46EDD0
		mov	eax, offset _MiZeroThenZero

loc_46E907:				; CODE XREF: MiGetPage+815j
		mov	edx, [esp+60h+var_4C]
		mov	ecx, dword_6D06D0
		mov	[esp+60h+var_40], eax
		mov	[esp+60h+var_30], edx
		mov	[esp+60h+var_18], ecx
		lea	ecx, [ecx+0]

loc_46E920:				; CODE XREF: MiGetPage+3BBj
		mov	eax, [eax]
		shl	edx, 3
		mov	[esp+60h+var_1C], edx

loc_46E929:				; CODE XREF: MiGetPage+144BD0j
		mov	ecx, [esp+60h+var_48]
		mov	[esp+60h+var_34], eax
		mov	ecx, [ecx+eax*4+954h]
		cmp	word ptr [ecx+edx+4], 0
		jnz	loc_46EE28

loc_46E944:				; CODE XREF: MiGetPage+94Fj
		mov	ecx, [esp+60h+var_40]
		mov	ecx, [ecx+4]
		cmp	eax, ecx
		jnz	loc_5B318E
		mov	edx, [esp+60h+var_30]
		mov	ecx, [esp+60h+var_2C]
		mov	eax, [esp+60h+var_18]
		add	ecx, edx
		and	ecx, eax
		not	eax
		and	edx, eax
		or	edx, ecx
		mov	[esp+60h+var_30], edx
		cmp	edx, [esp+60h+var_4C]
		jz	loc_46EA21
		mov	eax, [esp+60h+var_40]
		jmp	short loc_46E920
; 

loc_46E97D:				; CODE XREF: MiGetPage+BBj
		mov	edx, [ecx+8]
		mov	[esp+60h+var_34], eax
		mov	eax, edx
		or	eax, [esp+60h+var_34]
		jnz	loc_5B2F86
		mov	eax, dword_6D0700
		mov	edx, 80h
		mov	ecx, dword_6D0704
		mov	[esp+60h+var_2C], eax
		or	eax, ecx
		mov	[esp+60h+var_30], ecx
		mov	ecx, [esp+60h+var_50]
		jz	loc_5B2F7F
		mov	edx, [esp+60h+var_2C]
		mov	eax, edx
		and	eax, 80h
		or	eax, 0
		jnz	loc_5B2F7A
		mov	eax, [esp+60h+var_30]

loc_46E9CC:				; CODE XREF: MiGetPage+1449D0j
		or	edx, 80h

loc_46E9D2:				; CODE XREF: MiGetPage+1449C1j
		mov	[ecx+0Ch], eax
		mov	[ecx+8], edx
		jmp	loc_46E68E
; 

loc_46E9DD:				; CODE XREF: MiGetPage+223j
		mov	eax, [esp+60h+var_40]
		mov	ecx, [esp+60h+var_2C]

loc_46E9E5:				; CODE XREF: MiGetPage+209j
		mov	edx, [ecx+4]
		cmp	eax, edx
		jnz	loc_5B3118
		mov	eax, [ecx]
		mov	ecx, [esp+60h+var_48]
		push	[esp+60h+var_44]
		push	eax
		mov	ecx, [ecx+eax*4+540h]
		mov	eax, [esp+68h+var_4C]
		push	eax
		lea	eax, [eax+eax*4]
		lea	edx, [ecx+eax*4]
		mov	ecx, [esp+6Ch+var_48]
		call	MiGetPerfectColorHeadPage
		mov	ecx, eax
		mov	[esp+60h+var_50], eax
		jmp	loc_46E865
; 

loc_46EA21:				; CODE XREF: MiGetPage+3B1j
		xor	ecx, ecx
		mov	[esp+60h+var_50], ecx
		cmp	[esp+60h+var_14], ecx
		jnz	loc_5B31D4

loc_46EA31:				; CODE XREF: MiGetPage+2EFj
					; MiGetPage+317j ...
		cmp	ecx, 1
		jz	loc_5B2EF5
		test	ecx, ecx
		jnz	loc_46E6A5
		mov	ecx, [esp+60h+var_48]
		mov	eax, [ecx+0DB8h]
		cmp	eax, 10h
		jb	short loc_46EA56
		mov	eax, 10h

loc_46EA56:				; CODE XREF: MiGetPage+48Fj
		imul	eax, dword_6D06D0
		mov	edx, [esp+60h+var_44]
		test	edx, 10001h
		jnz	short loc_46EA8A
		push	eax
		push	edx
		mov	edx, [esp+68h+var_4C]
		call	_MiDemoteLocalLargePage@16 ; MiDemoteLocalLargePage(x,x,x,x)
		mov	ecx, eax
		mov	[esp+60h+var_50], ecx
		test	ecx, ecx
		jnz	loc_46EB61
		mov	ecx, [esp+60h+var_48]
		mov	edx, [esp+60h+var_44]

loc_46EA8A:				; CODE XREF: MiGetPage+4A7j
		push	edx
		mov	edx, [esp+64h+var_4C]
		call	MiRemovePageAnyColor
		mov	ecx, eax
		mov	[esp+60h+var_50], ecx
		cmp	ecx, 1
		jz	loc_5B2EF5
		test	ecx, ecx
		jnz	loc_46EB61
		mov	eax, [esp+60h+var_44]
		and	eax, 4000h
		mov	[esp+60h+var_18], eax
		jnz	loc_5B3221
		mov	[esp+60h+var_2C], 1

loc_46EAC6:				; CODE XREF: MiGetPage+144C69j
		cmp	[esp+60h+var_10], 0
		jnz	loc_46EDDA
		mov	ecx, offset _MiFreeThenFree

loc_46EAD6:				; CODE XREF: MiGetPage+81Fj
		mov	eax, [esp+60h+var_4C]
		mov	edx, dword_6D06D0
		mov	[esp+60h+var_34], ecx
		mov	[esp+60h+var_30], eax
		mov	[esp+60h+var_14], edx
		lea	esp, [esp+0]

loc_46EAF0:				; CODE XREF: MiGetPage+58Fj
		mov	ecx, [ecx]
		lea	edx, ds:0[eax*8]
		mov	[esp+60h+var_10], edx

loc_46EAFD:				; CODE XREF: MiGetPage+144C70j
		mov	eax, [esp+60h+var_48]
		mov	[esp+60h+var_40], ecx
		mov	eax, [eax+ecx*4+954h]
		cmp	word ptr [eax+edx+4], 0
		jnz	loc_46EDE4

loc_46EB18:				; CODE XREF: MiGetPage+95Cj
		mov	eax, [esp+60h+var_34]
		mov	eax, [eax+4]
		cmp	ecx, eax
		jnz	loc_5B322E
		mov	edx, [esp+60h+var_2C]
		add	edx, [esp+60h+var_30]
		mov	ecx, [esp+60h+var_14]
		and	edx, ecx
		not	ecx
		and	ecx, [esp+60h+var_30]
		or	edx, ecx
		mov	eax, edx
		mov	[esp+60h+var_30], edx
		mov	edx, [esp+60h+var_4C]
		cmp	eax, edx
		jz	short loc_46EB51
		mov	ecx, [esp+60h+var_34]
		jmp	short loc_46EAF0
; 

loc_46EB51:				; CODE XREF: MiGetPage+589j
		xor	ecx, ecx
		mov	[esp+60h+var_50], ecx
		cmp	[esp+60h+var_18], ecx
		jnz	loc_5B3274

loc_46EB61:				; CODE XREF: MiGetPage+4BCj
					; MiGetPage+4E5j ...
		cmp	ecx, 1
		jz	loc_5B2EF5
		test	ecx, ecx
		jnz	loc_46E6A5
		mov	edx, [ebp+arg_0]
		mov	ecx, [esp+60h+var_48]
		call	_MiPageAvailable@8 ; MiPageAvailable(x,x)
		test	eax, eax
		jz	loc_5B2EF5
		mov	ecx, [esp+60h+var_28]
		mov	eax, [esp+60h+var_3C]
		inc	ecx
		mov	[esp+60h+var_28], ecx
		cmp	ecx, 1
		jnz	loc_5B2EFD
		mov	edi, [esp+60h+var_48]

loc_46EBA0:				; CODE XREF: MiGetPage+14492Fj
		mov	edx, [ebp+arg_0]
		test	edx, 4000h
		jnz	loc_5B2EF5
		mov	eax, [esp+60h+var_24]
		movzx	ecx, ds:_KeNumberNodes
		inc	eax
		mov	[esp+60h+var_24], eax
		cmp	eax, ecx
		jnz	loc_5B32BE

loc_46EBC7:				; CODE XREF: MiGetPage+144D01j
		test	dl, 31h
		jnz	loc_5B2EF5
		push	edx
		mov	edx, 8
		mov	ecx, edi
		call	_MiRemoveLowestPriorityStandbyPage@12 ;	MiRemoveLowestPriorityStandbyPage(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	loc_5B2EF5
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+ecx*4]
		mov	[esp+60h+var_50], ecx
		jmp	loc_46E6A5
; 

loc_46EC00:				; CODE XREF: MiGetPage+110j
		mov	edx, 1
		jmp	loc_46E6F1
; 

loc_46EC0A:				; CODE XREF: MiGetPage+143j
		movzx	ecx, byte ptr [esi+16h]
		shr	ecx, 6
		cmp	ecx, edx
		jz	loc_46E709
		push	0
		mov	ecx, esi
		call	MiChangePageAttribute
		jmp	loc_46E709
; 

loc_46EC27:				; CODE XREF: MiGetPage+1BEj
		or	eax, 2
		jmp	loc_46E787
; 

loc_46EC2F:				; CODE XREF: MiGetPage+1D2j
		mov	ecx, offset _MiZeroThenZero
		jmp	loc_46E79D
; 

loc_46EC39:				; CODE XREF: MiGetPage+23Ej
		test	byte ptr ds:_MiFlags, 80h
		jz	loc_46E85F
		jmp	loc_5B3123
; 

loc_46EC4B:				; CODE XREF: MiGetPage+1A5j
		mov	edx, [ebp+arg_0]
		and	edx, 1
		mov	[esp+60h+var_30], edx
		jmp	short loc_46EC60
; 
		align 10h

loc_46EC60:				; CODE XREF: MiGetPage+695j
					; MiGetPage+8F4j
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		mov	[esp+60h+var_50], eax
		lea	ecx, [eax+10h]
		mov	[esp+60h+var_44], ecx
		test	edx, edx
		jnz	loc_5B2F95
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, [esp+60h+var_44]
		mov	cl, al
		mov	[esp+60h+var_51], cl
		lock bts dword ptr [edx], 1Fh
		setb	al
		test	[ebp+arg_0], 4000h
		jnz	loc_5B2FAE
		test	al, al
		jnz	loc_46EED2

loc_46ECB3:				; CODE XREF: MiGetPage+1449F8j
					; MiGetPage+144A1Fj
		mov	eax, [esp+60h+var_50]

loc_46ECB7:				; CODE XREF: MiGetPage+1449E9j
		movzx	eax, byte ptr [eax+16h]
		and	eax, 7
		cmp	eax, [esp+60h+var_2C]
		jnz	loc_46EE87
		test	[ebp+arg_0], 4000h
		lea	ecx, [esp+60h+var_C]
		mov	eax, [esp+60h+var_40]
		mov	[esp+60h+var_C], 0
		lea	edx, [eax+10h]
		mov	[esp+60h+var_8], edx
		jnz	loc_5B2FE4
		call	@KxTryToAcquireQueuedSpinLock@8	; KxTryToAcquireQueuedSpinLock(x,x)
		test	eax, eax
		jz	loc_46EEB9

loc_46ECF9:				; CODE XREF: MiGetPage+144A32j
					; MiGetPage+144A4Cj
		mov	eax, [esp+60h+var_40]

loc_46ECFD:				; CODE XREF: MiGetPage+144A3Bj
		mov	ecx, [esp+60h+var_34]
		cmp	ecx, [eax+8]
		jnz	loc_5B3011
		push	[ebp+arg_0]
		mov	edx, eax
		call	MiUnlinkFreeOrZeroedPage
		test	eax, eax
		jz	loc_5B307C
		mov	eax, [esp+60h+var_44]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		cmp	[esp+60h+var_30], 0
		jnz	short loc_46ED4D
		mov	eax, [esp+60h+var_40]
		cmp	dword ptr [eax+8], offset loc_7FFFFF
		jz	short loc_46ED4D
		push	[esp+60h+var_4C]
		mov	edx, [esp+64h+var_2C]
		mov	ecx, [esp+64h+var_48]
		call	_MiReplenishPageSlist@12 ; MiReplenishPageSlist(x,x,x)

loc_46ED4D:				; CODE XREF: MiGetPage+76Dj
					; MiGetPage+77Aj
		test	ds:byte_70EFC6,	1
		jnz	loc_5B30F9
		mov	eax, [esp+60h+var_C]
		test	eax, eax
		jnz	loc_46EEEF
		mov	edx, [esp+60h+var_8]
		lea	eax, [esp+60h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+60h+var_C]
		cmp	eax, ecx
		jnz	loc_5B310A

loc_46ED80:				; CODE XREF: MiGetPage+942j
					; MiGetPage+144B45j
		mov	cl, [esp+60h+var_51]
		cmp	cl, 21h
		jz	short loc_46ED8F
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_46ED8F:				; CODE XREF: MiGetPage+7C7j
		mov	ecx, [esp+60h+var_50]
		jmp	loc_46E694
; 

loc_46ED98:				; CODE XREF: MiGetPage+13Aj
		mov	ecx, esi
		call	_MiPfnZeroingNeeded@8 ;	MiPfnZeroingNeeded(x,x)
		test	eax, eax
		jz	loc_46E700
		push	edx
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		shr	edx, 0Fh
		not	edx
		and	edx, 1
		call	MiZeroPhysicalPage
		mov	eax, [esi+0Ch]
		and	dword ptr [esi+8], 0FFFFFC1Fh
		mov	edx, [esp+60h+var_3C]
		mov	[esi+0Ch], eax
		jmp	loc_46E700
; 

loc_46EDD0:				; CODE XREF: MiGetPage+33Cj
		mov	eax, offset _MiFreeThenFree
		jmp	loc_46E907
; 

loc_46EDDA:				; CODE XREF: MiGetPage+50Bj
		mov	ecx, offset _MiZeroThenZero
		jmp	loc_46EAD6
; 

loc_46EDE4:				; CODE XREF: MiGetPage+552j
		lea	ecx, [eax+edx]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		mov	[esp+60h+var_50], ecx
		test	ecx, ecx
		jz	loc_46EF14
		cmp	[esp+60h+var_40], 0
		mov	eax, ds:_ZeroPte
		mov	[ecx+8], eax
		mov	eax, ds:dword_40F9FC
		mov	[ecx+0Ch], eax
		jz	short loc_46EE79
		lea	ecx, [ecx+8]
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)

loc_46EE19:				; CODE XREF: MiGetPage+144CAFj
		mov	ecx, [esp+60h+var_50]

loc_46EE1D:				; CODE XREF: MiGetPage+8C0j
					; MiGetPage+144C86j
		mov	dword ptr [ecx], 0
		jmp	loc_46EB61
; 

loc_46EE28:				; CODE XREF: MiGetPage+37Ej
		add	ecx, edx
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		mov	[esp+60h+var_50], ecx
		test	ecx, ecx
		jz	loc_46EF07
		cmp	[esp+60h+var_34], 0
		mov	eax, ds:_ZeroPte
		mov	[ecx+8], eax
		mov	eax, ds:dword_40F9FC
		mov	[ecx+0Ch], eax
		jz	short loc_46EE6B
		lea	ecx, [ecx+8]
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)

loc_46EE5C:				; CODE XREF: MiGetPage+144C0Fj
		mov	ecx, [esp+60h+var_50]

loc_46EE60:				; CODE XREF: MiGetPage+8B2j
					; MiGetPage+144BE6j
		mov	dword ptr [ecx], 0
		jmp	loc_46EA31
; 

loc_46EE6B:				; CODE XREF: MiGetPage+892j
		test	byte ptr ds:_MiFlags, 80h
		jz	short loc_46EE60
		jmp	loc_5B3195
; 

loc_46EE79:				; CODE XREF: MiGetPage+84Fj
		test	byte ptr ds:_MiFlags, 80h
		jz	short loc_46EE1D
		jmp	loc_5B3235
; 

loc_46EE87:				; CODE XREF: MiGetPage+702j
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		cmp	cl, 21h
		jz	short loc_46EE9A

loc_46EE94:				; CODE XREF: MiGetPage+144AB7j
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_46EE9A:				; CODE XREF: MiGetPage+8D2j
					; MiGetPage+144AB1j
		mov	eax, [esp+60h+var_40]
		mov	eax, [eax+8]
		mov	[esp+60h+var_34], eax
		cmp	eax, offset loc_7FFFFF
		jz	loc_46E76B
		mov	edx, [esp+60h+var_30]
		jmp	loc_46EC60
; 

loc_46EEB9:				; CODE XREF: MiGetPage+733j
		mov	eax, [esp+60h+var_44]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [esp+60h+var_51]
		cmp	cl, 21h
		jz	loc_46E76B

loc_46EED2:				; CODE XREF: MiGetPage+6EDj
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_46E76B
; 

loc_46EEDD:				; CODE XREF: MiGetPage+44j
		cmp	_InitializationPhase, 0
		jz	loc_46E60A
		jmp	loc_5B2EE3
; 

loc_46EEEF:				; CODE XREF: MiGetPage+7A0j
					; MiGetPage+144B53j
		mov	[esp+60h+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_46ED80
; 

loc_46EF07:				; CODE XREF: MiGetPage+877j
		mov	eax, [esp+60h+var_34]
		mov	edx, [esp+60h+var_1C]
		jmp	loc_46E944
; 

loc_46EF14:				; CODE XREF: MiGetPage+834j
		mov	ecx, [esp+60h+var_40]
		mov	edx, [esp+60h+var_10]
		jmp	loc_46EB18
MiGetPage	endp

; 
		align 10h

; __stdcall MiZeroLargePages(x)
_MiZeroLargePages@4:			; CODE XREF: MiZeroLargePageThread+59p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 108h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+104h], eax
		mov	eax, large fs:124h
		push	esi
		push	edi
		push	0
		or	dword ptr [eax+300h], 400h
		mov	edi, ecx
		push	eax
		mov	[esp+1Ch], edi
		mov	[esp+74h], eax
		call	KeSetActualBasePriorityThread
		mov	esi, [edi+38h]
		mov	ecx, large fs:124h
		mov	[esp+68h], eax
		mov	dword ptr [esp+34h], 0
		mov	eax, [esi+30h]
		mov	[esp+40h], eax
		mov	eax, [edi+4Ch]
		mov	[edi+54h], ecx
		mov	[esp+4Ch], esi
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, [esi+64h]
		mov	[eax+ecx*4+8], edi
		mov	eax, [edi+4Ch]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, [esi+64h]
		lea	ecx, [eax+ecx*4]
		xor	eax, eax
		mov	[esp+50h], ecx
		xchg	eax, [ecx]
		rdtsc
		mov	[esp+44h], eax
		lea	eax, [esp+54h]
		mov	dword ptr [esp+54h], 0

loc_46EFD3:				; CODE XREF: .text:0046FA63j
		xor	ecx, ecx
		mov	[esp+48h], edx
		lock or	[eax], ecx
		lea	esp, [esp+0]

loc_46EFE0:				; CODE XREF: .text:0046FA23j
					; .text:0046FA7Ej
		mov	edi, [edi+38h]
		xor	eax, eax
		mov	[esp+20h], eax
		xor	esi, esi
		mov	[esp+24h], eax
		mov	[esp+28h], eax
		mov	edx, [edi+30h]
		cmp	[edi+60h], eax
		mov	eax, [esp+14h]
		mov	[esp+18h], esi
		mov	[esp+10h], edi
		mov	[esp+1Ch], edx
		jnz	loc_46F09B
		cmp	byte ptr [eax+68h], 0
		jnz	loc_46F262
		lea	ecx, [edi+10h]
		mov	byte ptr [eax+68h], 1
		lea	edx, [esp+20h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		add	dword ptr [edi+68h], 0FFFFFFFFh
		jnz	short loc_46F036
		mov	dword ptr [edi+60h], 1

loc_46F036:				; CODE XREF: .text:0046F02Dj
		test	ds:byte_70EFC6,	1
		jz	short loc_46F05A
		mov	edx, [ebp+4]
		lea	ecx, [esp+20h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		mov	cl, [esp+28h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_46F25E
; 

loc_46F05A:				; CODE XREF: .text:0046F03Dj
		mov	eax, [esp+20h]
		test	eax, eax
		jnz	short loc_46F07D
		mov	edx, [esp+24h]
		lea	eax, [esp+20h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+20h]
		cmp	eax, ecx
		jz	short loc_46F08C
		call	KxWaitForLockChainValid

loc_46F07D:				; CODE XREF: .text:0046F060j
		mov	[esp+20h], esi
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_46F08C:				; CODE XREF: .text:0046F076j
		mov	cl, [esp+28h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_46F25E
; 

loc_46F09B:				; CODE XREF: .text:0046F009j
		mov	eax, [eax+4Ch]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, [edi+64h]
		lea	esi, [eax+ecx*4]
		mov	al, [esi+4]
		test	al, 1
		jz	loc_46F1F0
		add	edi, 10h
		jmp	short loc_46F0C0
; 
		align 10h

loc_46F0C0:				; CODE XREF: .text:0046F0BBj
					; .text:0046F186j
		mov	[esp+24h], edi
		mov	dword ptr [esp+20h], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[esp+28h], al
		jz	short loc_46F0EC
		mov	edx, edi
		lea	ecx, [esp+20h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_46F0FF
; 

loc_46F0EC:				; CODE XREF: .text:0046F0DDj
		lea	edx, [esp+20h]
		xchg	edx, [edi]
		test	edx, edx
		jz	short loc_46F0FF
		lea	ecx, [esp+20h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_46F0FF:				; CODE XREF: .text:0046F0EAj
					; .text:0046F0F4j
		mov	al, [esi+4]
		test	al, 2
		jnz	loc_46F18E
		mov	al, [esi+4]
		test	al, 1
		jz	short loc_46F18E
		test	ds:byte_70EFC6,	1
		jz	short loc_46F128
		mov	edx, [ebp+4]
		lea	ecx, [esp+20h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_46F15E
; 

loc_46F128:				; CODE XREF: .text:0046F118j
		mov	eax, [esp+20h]
		test	eax, eax
		jnz	short loc_46F14B
		mov	edx, [esp+24h]
		lea	eax, [esp+20h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+20h]
		cmp	eax, ecx
		jz	short loc_46F15E
		call	KxWaitForLockChainValid

loc_46F14B:				; CODE XREF: .text:0046F12Ej
		mov	dword ptr [esp+20h], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_46F15E:				; CODE XREF: .text:0046F126j
					; .text:0046F144j
		mov	cl, [esp+28h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	0
		push	0
		push	0
		lea	eax, [esi+0Ch]
		mov	dword ptr [esp+28h], 1
		push	eax
		call	KeWaitForSingleObject
		mov	al, [esi+4]
		test	al, 1
		jnz	loc_46F0C0
		jmp	short loc_46F1E5
; 

loc_46F18E:				; CODE XREF: .text:0046F104j
					; .text:0046F10Fj
		test	ds:byte_70EFC6,	1
		jz	short loc_46F1A5
		mov	edx, [ebp+4]
		lea	ecx, [esp+20h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_46F1DB
; 

loc_46F1A5:				; CODE XREF: .text:0046F195j
		mov	eax, [esp+20h]
		test	eax, eax
		jnz	short loc_46F1C8
		mov	edx, [esp+24h]
		lea	eax, [esp+20h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+20h]
		cmp	eax, ecx
		jz	short loc_46F1DB
		call	KxWaitForLockChainValid

loc_46F1C8:				; CODE XREF: .text:0046F1ABj
		mov	ecx, 1
		mov	dword ptr [esp+20h], 0
		add	eax, 4
		lock xor [eax],	ecx

loc_46F1DB:				; CODE XREF: .text:0046F1A3j
					; .text:0046F1C1j
		mov	cl, [esp+28h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_46F1E5:				; CODE XREF: .text:0046F18Cj
		mov	edi, [esp+10h]

loc_46F1E9:				; CODE XREF: .text:0046F218j
		mov	edx, [esp+1Ch]
		lea	ecx, [ecx+0]

loc_46F1F0:				; CODE XREF: .text:0046F0B2j
		mov	eax, [edx+0DD0h]
		test	eax, eax
		jnz	short loc_46F202
		cmp	dword_6D35AC, eax
		jz	short loc_46F25A

loc_46F202:				; CODE XREF: .text:0046F1F8j
		push	offset _MiFiveSeconds
		push	0
		push	0
		push	8
		lea	eax, [edx+3Ch]
		push	eax
		call	KeWaitForSingleObject
		test	eax, eax
		jnz	short loc_46F1E9
		mov	eax, large fs:124h
		push	0Ch
		push	eax
		call	KeSetActualBasePriorityThread

loc_46F228:				; CODE XREF: .text:0046F274j
		inc	dword_6C68E8

loc_46F22E:				; CODE XREF: .text:0046FA73j
		push	dword ptr [esp+68h]
		mov	esi, [esp+70h]
		push	esi
		call	KeSetActualBasePriorityThread
		and	dword ptr [esi+300h], 0FFFFFBFFh
		mov	ecx, [esp+10Ch]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_46F25A:				; CODE XREF: .text:0046F200j
		mov	esi, [esp+18h]

loc_46F25E:				; CODE XREF: .text:0046F055j
					; .text:0046F096j
		mov	eax, [esp+14h]

loc_46F262:				; CODE XREF: .text:0046F013j
		cmp	dword ptr [eax+3Ch], 0
		jnz	short loc_46F27D
		mov	ecx, [edi+30h]
		xor	edx, edx
		call	MiReferencePageRuns
		test	eax, eax
		jz	short loc_46F228
		mov	ecx, [esp+14h]
		mov	[ecx+3Ch], eax

loc_46F27D:				; CODE XREF: .text:0046F266j
		test	esi, esi
		jz	short loc_46F2A4
		mov	ecx, [esp+50h]
		xor	eax, eax
		xchg	eax, [ecx]
		rdtsc
		mov	[esp+44h], eax
		xor	ecx, ecx
		mov	[esp+48h], edx
		lea	eax, [esp+58h]
		mov	dword ptr [esp+58h], 0
		lock or	[eax], ecx

loc_46F2A4:				; CODE XREF: .text:0046F27Fj
		mov	eax, [esp+4Ch]
		mov	esi, [esp+14h]
		mov	edx, [esp+34h]
		inc	dword ptr [eax+0F0h]
		mov	eax, [esi+48h]
		mov	cl, byte_6D068C
		shr	eax, cl
		mov	dword ptr [esi+10h], 0
		mov	byte ptr [esi+25h], 0
		cmp	edx, 2
		jnb	short loc_46F2F3
		push	esi
		push	40h
		lea	ecx, [esi+40h]
		push	ecx
		mov	ecx, [esp+4Ch]
		push	1
		push	1
		push	eax
		push	1
		call	_MiUnlinkNodeLargePages@36 ; MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[esp+2Ch], edi
		jmp	loc_46F4BB
; 

loc_46F2F3:				; CODE XREF: .text:0046F2CFj
		mov	ecx, [esp+40h]
		mov	eax, [esi+48h]
		mov	edx, eax
		mov	dword ptr [esp+18h], 0
		mov	[esp+30h], eax
		mov	ecx, [ecx+544h]
		mov	byte ptr [esp+0Fh], 21h
		mov	[esp+10h], ecx
		mov	dword ptr [esp+1Ch], 0
		nop

loc_46F320:				; CODE XREF: .text:0046F38Dj
					; .text:0046F3B0j
		lea	eax, [edx+edx*4]
		mov	esi, [ecx+eax*4+8]
		mov	[esp+38h], esi
		cmp	esi, offset loc_7FFFFF
		jz	short loc_46F35E
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		cmp	dword ptr [esp+1Ch], 0
		lea	edi, [eax+ecx*4]
		mov	[esp+2Ch], edi
		jnz	short loc_46F3B5
		mov	eax, [edi+10h]
		test	eax, eax
		jns	short loc_46F3B5
		mov	dword ptr [esp+18h], 1

loc_46F35E:				; CODE XREF: .text:0046F331j
					; .text:0046F44Dj
		xor	edi, edi
		mov	[esp+2Ch], edi

loc_46F364:				; CODE XREF: .text:0046F3B7j
		mov	eax, [esp+14h]
		mov	edx, dword_6D0680
		not	edx
		mov	eax, [eax+48h]
		and	edx, eax
		inc	eax
		and	eax, dword_6D0680
		or	edx, eax
		mov	eax, [esp+14h]
		mov	[eax+48h], edx

loc_46F385:				; CODE XREF: .text:0046F471j
		mov	ecx, [esp+10h]
		cmp	edx, [esp+30h]
		jnz	short loc_46F320
		cmp	dword ptr [esp+18h], 0
		jz	loc_46F47A
		mov	ecx, [esp+1Ch]
		inc	ecx
		mov	[esp+1Ch], ecx
		cmp	ecx, 2
		jnb	loc_46F47A
		mov	ecx, [esp+10h]
		jmp	loc_46F320
; 

loc_46F3B5:				; CODE XREF: .text:0046F34Dj
					; .text:0046F354j
		test	edi, edi
		jz	short loc_46F364
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+0Fh], al
		xor	esi, esi
		add	edi, 10h
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_46F3F9

loc_46F3D1:				; CODE XREF: .text:0046F3F0j
					; .text:0046F3F7j
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jnz	short loc_46F3EB
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_46F3EB
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	short loc_46F3ED
; 

loc_46F3EB:				; CODE XREF: .text:0046F3D8j
					; .text:0046F3E1j
		pause

loc_46F3ED:				; CODE XREF: .text:0046F3E9j
		cmp	dword ptr [edi], 0
		jl	short loc_46F3D1
		lock bts dword ptr [edi], 1Fh
		jb	short loc_46F3D1

loc_46F3F9:				; CODE XREF: .text:0046F3CFj
		mov	esi, [esp+38h]
		cmp	esi, dword_6D07B0
		ja	short loc_46F452
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_46F452
		mov	edx, [esp+2Ch]
		mov	cl, [edx+16h]
		mov	al, cl
		and	al, 7
		cmp	al, 1
		jnz	short loc_46F452
		test	dword ptr [edx+18h], 800000h
		jnz	short loc_46F452
		test	cl, 8
		jz	short loc_46F476
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, [esp+0Fh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_46F35E
; 

loc_46F452:				; CODE XREF: .text:0046F403j
					; .text:0046F41Cj ...
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, [esp+0Fh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+14h]
		xor	edi, edi
		mov	[esp+2Ch], edi
		mov	edx, [eax+48h]
		jmp	loc_46F385
; 

loc_46F476:				; CODE XREF: .text:0046F439j
		mov	edi, [esp+2Ch]

loc_46F47A:				; CODE XREF: .text:0046F394j
					; .text:0046F3A6j
		test	edi, edi
		jz	loc_46FA68
		cmp	word ptr [edi+14h], 0
		jnz	loc_46FA83
		mov	ecx, [esp+14h]
		mov	edx, edi
		call	MiBeginPageAccessor
		mov	esi, eax
		lea	edx, [edi+10h]
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		mov	cl, [esp+0Fh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	loc_46FA68
		mov	esi, [esp+14h]

loc_46F4BB:				; CODE XREF: .text:0046F2EEj
		test	edi, edi
		jz	loc_46FA68
		cmp	byte ptr [esi+2Ch], 0
		jnz	short loc_46F527
		mov	ecx, edi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	eax, [eax+4]
		cmp	[esi+50h], eax
		jz	short loc_46F527
		lea	edx, [eax+eax*4]
		mov	[esi+50h], eax
		mov	eax, [esp+40h]
		sub	esp, 0Ch
		shl	edx, 7
		mov	ecx, esp
		mov	eax, [eax+10h]
		add	edx, eax
		mov	eax, [edx+264h]
		mov	[ecx], eax
		mov	eax, [edx+268h]
		mov	[ecx+4], eax
		mov	eax, [edx+26Ch]
		mov	[ecx+8], eax
		call	_MiSetIdealProcessorThread@12 ;	MiSetIdealProcessorThread(x,x,x)

loc_46F527:				; CODE XREF: .text:0046F4C7j
					; .text:0046F4EFj
		mov	ecx, [esp+34h]
		cmp	ecx, 2
		jnb	short loc_46F53D
		mov	eax, ds:_MiLargePageSizes[ecx*4]
		mov	[esp+1Ch], eax
		jmp	short loc_46F545
; 

loc_46F53D:				; CODE XREF: .text:0046F52Ej
		mov	dword ptr [esp+1Ch], 1

loc_46F545:				; CODE XREF: .text:0046F53Bj
		test	ecx, ecx
		jnz	short loc_46F551
		mov	edi, [esi+30h]
		jmp	loc_46F695
; 

loc_46F551:				; CODE XREF: .text:0046F547j
		push	98h
		lea	eax, [esp+74h]
		push	0
		push	eax
		call	_memset
		mov	eax, [esi+34h]
		add	esp, 0Ch
		mov	[esp+30h], eax
		mov	esi, [eax]
		nop
		mov	edx, [eax+4]
		mov	edi, edx
		mov	eax, dword_6D0704
		mov	ecx, dword_6D0700
		mov	[esp+18h], eax
		mov	eax, ecx
		or	eax, [esp+18h]
		jz	short loc_46F5AD
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_46F5A7
		mov	edx, [esp+18h]
		not	ecx
		and	ecx, esi
		not	edx
		and	edx, edi
		mov	[esp+38h], ecx
		jmp	short loc_46F5AD
; 

loc_46F5A7:				; CODE XREF: .text:0046F593j
		mov	[esp+38h], esi
		mov	edx, edi

loc_46F5AD:				; CODE XREF: .text:0046F589j
					; .text:0046F5A5j
		cmp	[esp+1Ch], edx
		jbe	short loc_46F616
		mov	eax, 100h
		mov	dword ptr [esp+7Ch], 0
		sub	eax, edx
		mov	dword ptr [esp+70h], 0
		push	0
		push	eax
		mov	eax, [esp+38h]
		lea	ecx, [esp+78h]
		mov	word ptr [esp+7Ch], 0
		mov	dword ptr [esp+88h], 0
		mov	dword ptr [esp+80h], 21h
		lea	edx, [eax+edx*8]
		mov	dword ptr [esp+8Ch], 0
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [esp+70h]
		call	MiFlushTbList
		mov	edx, 100h

loc_46F616:				; CODE XREF: .text:0046F5B1j
		mov	eax, esi
		or	eax, edi
		jnz	short loc_46F620
		xor	esi, esi
		jmp	short loc_46F64A
; 

loc_46F620:				; CODE XREF: .text:0046F61Aj
		mov	eax, dword_6D0704
		mov	ecx, dword_6D0700
		mov	[esp+18h], eax
		mov	eax, ecx
		or	eax, [esp+18h]
		jz	short loc_46F64A
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_46F647
		not	ecx
		and	esi, ecx
		jmp	short loc_46F64A
; 

loc_46F647:				; CODE XREF: .text:0046F63Fj
		and	esi, 0FFFFFFEFh

loc_46F64A:				; CODE XREF: .text:0046F61Ej
					; .text:0046F635j ...
		mov	eax, dword_6D0704
		xor	edi, edi
		mov	ecx, dword_6D0700
		or	edi, esi
		sub	edx, [esp+1Ch]
		mov	[esp+10h], eax
		mov	esi, edx
		mov	eax, ecx
		mov	[esp+38h], ecx
		or	eax, [esp+10h]
		jz	short loc_46F688
		mov	eax, [esp+10h]
		and	ecx, edi
		and	eax, esi
		or	ecx, eax
		jnz	short loc_46F685
		or	edi, [esp+38h]
		or	esi, [esp+10h]
		jmp	short loc_46F688
; 

loc_46F685:				; CODE XREF: .text:0046F679j
		or	edi, 10h

loc_46F688:				; CODE XREF: .text:0046F66Dj
					; .text:0046F683j
		mov	eax, [esp+30h]
		mov	[eax], edi
		nop
		mov	[eax+4], esi
		lea	edi, [eax+edx*8]

loc_46F695:				; CODE XREF: .text:0046F54Cj
		mov	esi, [esp+2Ch]
		mov	eax, edi
		shl	eax, 9
		mov	ecx, esi
		sub	ecx, ds:_MmPfnDatabase
		mov	[esp+38h], eax
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		mov	cl, 2
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	[esp+30h], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+0Fh], al
		add	esi, 10h
		mov	dword ptr [esp+5Ch], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_46F6F5
		nop

loc_46F6E0:				; CODE XREF: .text:0046F6ECj
					; .text:0046F6F3j
		lea	ecx, [esp+5Ch]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_46F6E0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_46F6E0

loc_46F6F5:				; CODE XREF: .text:0046F6DDj
		mov	eax, [esp+14h]
		cmp	byte ptr [eax+25h], 1
		jnz	short loc_46F725
		mov	edi, eax
		mov	ecx, edi
		call	MiRemoveFaultNode
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, [esp+0Fh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	dword_6C6910
		jmp	loc_46FA6C
; 

loc_46F725:				; CODE XREF: .text:0046F6FDj
		mov	esi, [esp+2Ch]
		mov	cl, [esi+16h]
		movzx	eax, cl
		shr	eax, 6
		cmp	dword ptr [esp+1Ch], 1
		jnz	short loc_46F774
		test	eax, eax
		jz	short loc_46F75A
		cmp	eax, 2
		jz	short loc_46F75A
		and	cl, 0C0h
		cmp	cl, 0C0h
		jnz	short loc_46F774
		push	1
		mov	edx, 1
		mov	ecx, esi
		call	_MiFinalizePageAttribute@12 ; MiFinalizePageAttribute(x,x,x)
		jmp	short loc_46F774
; 

loc_46F75A:				; CODE XREF: .text:0046F73Bj
					; .text:0046F740j
		shl	eax, 4
		cmp	dword_6D0750[eax], 1
		jnz	short loc_46F774
		push	1
		mov	edx, 1
		mov	ecx, esi
		call	MiChangePageAttribute

loc_46F774:				; CODE XREF: .text:0046F737j
					; .text:0046F748j ...
		mov	eax, [esp+2Ch]
		mov	esi, 4
		mov	al, [eax+16h]
		shr	al, 6
		test	al, al
		jnz	short loc_46F78E
		mov	esi, 0Ch
		jmp	short loc_46F797
; 

loc_46F78E:				; CODE XREF: .text:0046F785j
		cmp	al, 2
		jnz	short loc_46F797
		mov	esi, 1Ch

loc_46F797:				; CODE XREF: .text:0046F78Cj
					; .text:0046F790j
		mov	edx, [esp+30h]
		and	esi, 1Fh
		and	edx, 1FFFFFFh
		xor	eax, eax
		shld	eax, edx, 0Ch
		mov	ecx, ds:_MmProtectToPteMask[esi*8]
		mov	esi, ds:dword_40B4DC[esi*8]
		and	ecx, 0E7Fh
		and	esi, 0FFFFFFE0h
		shl	edx, 0Ch
		or	esi, eax
		or	ecx, edx
		lea	eax, [edi+40000000h]
		mov	[esp+10h], esi
		or	ecx, 21h
		cmp	eax, offset loc_7FFFFF
		ja	loc_46F895
		lea	eax, [edi+3FA00000h]
		cmp	eax, 3FFFh
		ja	short loc_46F821
		mov	[esp+18h], ecx
		cmp	edi, 0C0603018h
		jnz	short loc_46F801
		or	esi, 80000000h
		jmp	short loc_46F807
; 

loc_46F801:				; CODE XREF: .text:0046F7F7j
		and	esi, 7FFFFFFFh

loc_46F807:				; CODE XREF: .text:0046F7FFj
		mov	ecx, edi
		mov	[esp+10h], esi
		call	_MiUserPdeOrAbove@4 ; MiUserPdeOrAbove(x)
		mov	ecx, [esp+18h]
		test	eax, eax
		jz	short loc_46F821
		or	ecx, 4
		mov	[esp+10h], esi

loc_46F821:				; CODE XREF: .text:0046F7EBj
					; .text:0046F818j
		mov	eax, ds:_MmHighestUserAddress
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	edi, eax
		ja	short loc_46F83E
		or	ecx, 4
		mov	[esp+10h], esi

loc_46F83E:				; CODE XREF: .text:0046F835j
		mov	edx, [esp+38h]
		cmp	edx, dword_6D07D0
		jnb	short loc_46F853
		movzx	eax, byte ptr word_6D07B8+1
		jmp	short loc_46F891
; 

loc_46F853:				; CODE XREF: .text:0046F848j
		mov	eax, edx
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_46F89F
		cmp	al, 0Bh
		jz	short loc_46F89F
		lea	eax, [edx+40000000h]
		cmp	eax, offset loc_7FFFFF
		jbe	short loc_46F89F
		cmp	edx, dword_6D2E88
		jb	short loc_46F88A
		movzx	eax, byte ptr word_6D07B8+1
		cmp	edx, dword_6D2E8C
		jbe	short loc_46F891

loc_46F88A:				; CODE XREF: .text:0046F879j
		movzx	eax, byte ptr word_6D07B8

loc_46F891:				; CODE XREF: .text:0046F851j
					; .text:0046F888j
		test	eax, eax
		jz	short loc_46F89F

loc_46F895:				; CODE XREF: .text:0046F7DAj
		mov	[esp+10h], esi
		or	ecx, 100h

loc_46F89F:				; CODE XREF: .text:0046F860j
					; .text:0046F864j ...
		mov	al, byte ptr word_6D07B8
		and	ecx, 0FFFFFEFFh
		and	al, 1
		movzx	eax, al
		cdq
		mov	esi, eax
		shld	edx, esi, 8
		or	edx, [esp+10h]
		shl	esi, 8
		or	esi, ecx
		mov	[esp+18h], edx
		mov	ecx, [esp+1Ch]
		or	esi, 42h
		lea	eax, ds:0[ecx*8]
		add	eax, edi
		mov	[esp+10h], eax
		cmp	edi, eax
		jnb	loc_46F9A5
		nop

loc_46F8E0:				; CODE XREF: .text:0046F99Bj
		cmp	dword_6D07D0, 0C0000000h
		mov	ecx, edx
		mov	dword ptr [esp+30h], 0
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	edi, 0C0603000h
		jb	short loc_46F956
		cmp	edi, eax
		jnb	short loc_46F956
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_46F93A
		cmp	byte ptr word_6D07B8+1,	0
		mov	eax, esi
		mov	dword ptr [esp+30h], 1
		jnz	short loc_46F958

loc_46F926:				; CODE XREF: .text:0046F954j
		and	eax, 1
		or	eax, 0
		mov	eax, esi
		jz	short loc_46F958
		mov	ecx, edx
		or	ecx, 80000000h
		jmp	short loc_46F958
; 

loc_46F93A:				; CODE XREF: .text:0046F911j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, esi
		jz	short loc_46F958
		jmp	short loc_46F926
; 

loc_46F956:				; CODE XREF: .text:0046F904j
					; .text:0046F908j
		mov	eax, esi

loc_46F958:				; CODE XREF: .text:0046F924j
					; .text:0046F92Ej ...
		mov	[edi+4], ecx
		nop
		cmp	dword ptr [esp+30h], 0
		mov	[edi], eax
		jz	short loc_46F972
		push	ecx
		push	eax
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	edx, [esp+18h]

loc_46F972:				; CODE XREF: .text:0046F963j
		mov	ecx, esi
		mov	eax, edx
		add	ecx, 1000h
		adc	eax, 0
		xor	ecx, esi
		xor	eax, edx
		and	ecx, 0FFFFF000h
		and	eax, 1Fh
		add	edi, 8
		xor	edx, eax
		xor	esi, ecx
		mov	[esp+18h], edx
		cmp	edi, [esp+10h]
		jb	loc_46F8E0
		mov	ecx, [esp+1Ch]

loc_46F9A5:				; CODE XREF: .text:0046F8D9j
		mov	esi, [esp+34h]
		lea	eax, ds:0[ecx*8]
		sub	edi, eax
		shl	ecx, 0Ch
		mov	eax, [esp+14h]
		mov	edx, 7FFFFFFFh
		mov	[eax+10h], edi
		mov	edi, [esp+14h]
		mov	eax, [esp+38h]
		mov	[edi+14h], eax
		dec	eax
		add	eax, ecx
		mov	[edi+20h], esi
		mov	ecx, [esp+2Ch]
		mov	[edi+18h], eax
		mov	[edi+28h], ecx
		lea	eax, [ecx+10h]
		lock and [eax],	edx
		mov	cl, [esp+0Fh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+40h]
		mov	ecx, edi
		call	_MiZeroPage@8	; MiZeroPage(x,x)
		mov	edx, 1
		cmp	esi, 2
		jz	short loc_46FA08
		mov	edx, ds:_MiLargePageSizes[esi*4]

loc_46FA08:				; CODE XREF: .text:0046F9FFj
		mov	eax, [esp+4Ch]
		mov	ecx, edx
		add	eax, 20h
		lock xadd [eax], ecx
		mov	esi, [esp+50h]
		lock xadd [esi], edx
		cmp	dword ptr [esi], 1000h
		jb	loc_46EFE0
		mov	dword ptr [esp+60h], 0
		lea	eax, [esp+60h]
		xor	ecx, ecx
		lock or	[eax], ecx
		rdtsc
		sub	eax, [esp+44h]
		mov	ecx, edi
		sbb	edx, [esp+48h]
		push	edx
		push	eax
		call	MiReassessZeroThreads
		xor	eax, eax
		xchg	eax, [esi]
		rdtsc
		mov	[esp+44h], eax
		lea	eax, [esp+64h]
		mov	dword ptr [esp+64h], 0
		jmp	loc_46EFD3
; 

loc_46FA68:				; CODE XREF: .text:0046F47Cj
					; .text:0046F4B1j ...
		mov	edi, [esp+14h]

loc_46FA6C:				; CODE XREF: .text:0046F720j
		mov	eax, [esp+34h]
		cmp	eax, 2
		jnb	loc_46F22E
		inc	eax
		mov	[esp+34h], eax
		jmp	loc_46EFE0
; 

loc_46FA83:				; CODE XREF: .text:0046F487j
		mov	eax, [edi+4]
		push	eax
		mov	eax, [edi+14h]
		push	eax
		push	esi
		push	8Dh
		push	4Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 2 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiZeroPage(x, x)
_MiZeroPage@8	proc near		; CODE XREF: .text:0046F9F2p
					; MiZeroPageThread+7F293p

var_60		= dword	ptr -60h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1198
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 40h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_38], edx
		mov	ebx, ecx
		mov	[ebp+var_4C], ebx
		mov	edi, [ebx+28h]
		mov	[ebp+var_20], edi
		mov	[ebp+var_48], edi
		mov	ecx, [ebx+14h]
		mov	esi, [ebx+20h]
		mov	[ebp+var_34], esi
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], esi
		cmp	esi, 2
		jnb	short loc_46FB03
		mov	eax, ds:_MiLargePageSizes[esi*4]
		jmp	short loc_46FB08
; 

loc_46FB03:				; CODE XREF: MiZeroPage(x,x)+58j
		mov	eax, 1

loc_46FB08:				; CODE XREF: MiZeroPage(x,x)+61j
		inc	dword_6C6948[esi*4]
		shl	eax, 0Ch
		test	esi, esi
		jnz	short loc_46FB1D
		inc	dword_6C6918[esi*4]

loc_46FB1D:				; CODE XREF: MiZeroPage(x,x)+74j
		mov	[ebp+var_4], 0
		push	eax		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_46FB58
; 

loc_46FB39:				; DATA XREF: .text:006A11ACo
		mov	eax, 1
		retn
; 

loc_46FB3F:				; DATA XREF: .text:006A11B0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-4Ch]
		mov	edi, [ebp-48h]
		mov	[ebp-20h], edi
		mov	esi, [ebp-44h]
		mov	[ebp-34h], esi

loc_46FB58:				; CODE XREF: MiZeroPage(x,x)+97j
		mov	[ebp+var_24], 0
		mov	[ebp+var_28], 0
		mov	[ebp+var_4C], 0
		mov	edx, large fs:124h
		mov	[ebp+var_48], edx
		mov	ecx, esi
		call	_MiColdPageSizeSupported@4 ; MiColdPageSizeSupported(x)
		test	eax, eax
		jz	short loc_46FBC2
		cmp	byte ptr [edx+87h], 0
		jnz	short loc_46FBC2
		cmp	byte ptr [ebx+26h], 0
		jnz	short loc_46FBC2
		cmp	byte ptr [ebx+25h], 0
		jnz	short loc_46FBC2
		mov	[ebp+var_28], 1
		push	1
		mov	esi, [ebp+var_38]
		mov	ecx, esi
		call	_MiSetZeroPageThreadPriority@12	; MiSetZeroPageThreadPriority(x,x,x)
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_48]
		dec	word ptr [eax+13Eh]
		nop
		lea	ecx, [esi+6Ch]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx

loc_46FBC2:				; CODE XREF: MiZeroPage(x,x)+E0j
					; MiZeroPage(x,x)+E9j ...
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1A], al
		xor	ecx, ecx
		mov	[ebp+var_2C], ecx
		add	edi, 10h
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_46FC15
		lea	esp, [esp+0]

loc_46FBE0:				; CODE XREF: MiZeroPage(x,x)+167j
					; MiZeroPage(x,x)+173j
		inc	ecx
		mov	[ebp+var_2C], ecx
		test	ds:_HvlLongSpinCountMask, ecx
		jnz	short loc_46FBFD
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_46FBFD
		push	ecx
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	short loc_46FBFF
; 

loc_46FBFD:				; CODE XREF: MiZeroPage(x,x)+14Aj
					; MiZeroPage(x,x)+153j
		pause

loc_46FBFF:				; CODE XREF: MiZeroPage(x,x)+15Bj
		cmp	dword ptr [edi], 0
		jge	short loc_46FC09
		mov	ecx, [ebp+var_2C]
		jmp	short loc_46FBE0
; 

loc_46FC09:				; CODE XREF: MiZeroPage(x,x)+162j
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_46FC15
		mov	ecx, [ebp+var_2C]
		jmp	short loc_46FBE0
; 

loc_46FC15:				; CODE XREF: MiZeroPage(x,x)+13Aj
					; MiZeroPage(x,x)+16Ej
		mov	al, [ebx+25h]
		mov	[ebp+var_19], al
		mov	ecx, [ebx+20h]
		mov	edx, [ebx+10h]
		push	3
		call	MiZeroPageWorkMapping
		cmp	byte ptr [ebx+27h], 0
		jnz	short loc_46FC3C
		mov	esi, offset unk_6D2FA8
		mov	[ebp+var_30], offset dword_6D2FAC
		jmp	short loc_46FC48
; 

loc_46FC3C:				; CODE XREF: MiZeroPage(x,x)+18Cj
		mov	esi, offset unk_6D2FA0
		mov	[ebp+var_30], offset dword_6D2FA4

loc_46FC48:				; CODE XREF: MiZeroPage(x,x)+19Aj
		test	ds:byte_70EFC6,	21h
		jz	short loc_46FC5D
		or	dl, 0FFh
		mov	ecx, esi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	short loc_46FCBA
; 

loc_46FC5D:				; CODE XREF: MiZeroPage(x,x)+1AFj
		mov	[ebp+var_3C], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_46FC78
		or	dl, 0FFh
		mov	ecx, esi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+var_3C], eax

loc_46FC78:				; CODE XREF: MiZeroPage(x,x)+1C9j
		mov	edx, [esi]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jz	short loc_46FCBA

loc_46FC88:				; CODE XREF: MiZeroPage(x,x)+218j
		test	edx, 40000000h
		jnz	short loc_46FCA2
		mov	ecx, edx
		or	ecx, 40000000h
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_46FCAC

loc_46FCA2:				; CODE XREF: MiZeroPage(x,x)+1EEj
		lea	ecx, [ebp+var_3C]
		call	KeYieldProcessorEx
		mov	eax, [esi]

loc_46FCAC:				; CODE XREF: MiZeroPage(x,x)+200j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_46FC88

loc_46FCBA:				; CODE XREF: MiZeroPage(x,x)+1BBj
					; MiZeroPage(x,x)+1E6j
		push	ebx
		push	[ebp+var_30]
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	byte ptr [ebx+24h], 0
		test	ds:byte_70EFC6,	1
		jz	short loc_46FCDC
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	short loc_46FCE2
; 

loc_46FCDC:				; CODE XREF: MiZeroPage(x,x)+22Ej
		mov	dword ptr [esi], 0

loc_46FCE2:				; CODE XREF: MiZeroPage(x,x)+23Aj
		mov	eax, [ebp+var_40]
		cmp	[ebp+var_19], 1
		jnz	short loc_46FD01
		inc	dword_6C6930[eax*4]
		inc	dword_6C6914
		xor	esi, esi
		xor	ebx, ebx
		jmp	loc_46FE62
; 

loc_46FD01:				; CODE XREF: MiZeroPage(x,x)+249j
		inc	dword_6C6924[eax*4]
		inc	dword_6C6908
		mov	ecx, [ebp+var_20]
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	esi, edx
		shr	esi, 1Fh
		add	esi, edx
		mov	[ebp+var_30], esi
		mov	ecx, [ebp+var_34]
		cmp	ecx, 2
		jnz	loc_46FE3D
		mov	[ebp+var_44], 1
		inc	dword_6C690C
		mov	dword ptr [ebx+0Ch], 0
		mov	ecx, [ebp+var_20]
		mov	al, [ecx+16h]
		and	al, 0F7h
		mov	[ecx+16h], al
		mov	ecx, 80h
		xor	edx, edx
		mov	esi, dword_6D0700
		mov	eax, dword_6D0704
		mov	[ebp+var_40], eax
		mov	eax, esi
		or	eax, [ebp+var_40]
		jz	short loc_46FD90
		mov	eax, esi
		and	eax, ecx
		or	eax, edx
		jnz	short loc_46FD89
		mov	ecx, esi
		or	ecx, 80h
		mov	edx, [ebp+var_40]
		jmp	short loc_46FD90
; 

loc_46FD89:				; CODE XREF: MiZeroPage(x,x)+2DAj
		mov	ecx, 90h
		xor	edx, edx

loc_46FD90:				; CODE XREF: MiZeroPage(x,x)+2D2j
					; MiZeroPage(x,x)+2E7j
		mov	esi, [ebp+var_20]
		mov	[esi+8], ecx
		mov	[esi+0Ch], edx
		cmp	byte ptr [ebx+26h], 0
		jz	short loc_46FDB0
		mov	esi, [ebp+var_30]
		mov	ecx, esi
		call	_MiFreeListPageContentsChanged@4 ; MiFreeListPageContentsChanged(x)
		xor	ebx, ebx
		jmp	loc_46FE62
; 

loc_46FDB0:				; CODE XREF: MiZeroPage(x,x)+2FDj
		cmp	[ebp+var_28], 0
		jz	short loc_46FE20
		sub	esi, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	esi
		add	edx, esi
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	esi, [eax+4]
		mov	cl, byte_6D068C
		shl	esi, cl
		mov	eax, dword_6D06D0
		and	eax, [ebp+var_30]
		or	esi, eax
		push	0
		mov	edx, esi
		mov	ebx, [ebp+var_38]
		mov	ecx, ebx
		call	_MiFreeZeroPageSlistSufficient@12 ; MiFreeZeroPageSlistSufficient(x,x,x)
		test	eax, eax
		jz	short loc_46FE20
		lea	edx, [esi+esi*4]
		mov	ecx, [ebx+540h]
		mov	eax, [ebx+0DB8h]
		shl	eax, 2
		cmp	[ecx+edx*4], eax
		jb	short loc_46FE20
		mov	[ebp+var_44], 401h
		mov	[ebp+var_24], 1

loc_46FE20:				; CODE XREF: MiZeroPage(x,x)+314j
					; MiZeroPage(x,x)+359j	...
		push	0
		xor	edx, edx
		mov	esi, [ebp+var_30]
		mov	ecx, esi
		call	MiUnlinkFreeOrZeroedPage
		mov	edx, [ebp+var_44]
		mov	ecx, esi
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	ebx, [ebp+var_24]
		jmp	short loc_46FE62
; 

loc_46FE3D:				; CODE XREF: MiZeroPage(x,x)+293j
		cmp	[ebp+var_28], 0
		jz	short loc_46FE50
		cmp	byte ptr [ebx+26h], 0
		jnz	short loc_46FE50
		mov	[ebp+var_24], 1

loc_46FE50:				; CODE XREF: MiZeroPage(x,x)+3A1j
					; MiZeroPage(x,x)+3A7j
		movzx	eax, byte ptr [ebx+26h]
		push	eax
		mov	ebx, [ebp+var_24]
		push	ebx
		mov	edx, ecx
		mov	ecx, esi
		call	_MiLargePageFreeToZero@16 ; MiLargePageFreeToZero(x,x,x,x)

loc_46FE62:				; CODE XREF: MiZeroPage(x,x)+25Cj
					; MiZeroPage(x,x)+30Bj	...
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, [ebp+var_1A]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jz	short loc_46FE83
		push	0
		mov	edx, [ebp+var_34]
		mov	ecx, esi
		call	_MiChangePageHeatImmediate@12 ;	MiChangePageHeatImmediate(x,x,x)

loc_46FE83:				; CODE XREF: MiZeroPage(x,x)+3D5j
		cmp	[ebp+var_28], 0
		jz	short loc_46FEC2
		mov	ebx, [ebp+var_38]
		lea	esi, [ebx+6Ch]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_46FEA6
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_46FEA6:				; CODE XREF: MiZeroPage(x,x)+3FDj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_48]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		push	[ebp+var_4C]
		mov	edx, [ebp+var_48]
		mov	ecx, ebx
		call	_MiSetZeroPageThreadPriority@12	; MiSetZeroPageThreadPriority(x,x,x)

loc_46FEC2:				; CODE XREF: MiZeroPage(x,x)+3E7j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiZeroPage@8	endp

; 
		align 10h
; Exported entry 1966. RtlAvlRemoveNode

; __stdcall RtlAvlRemoveNode(x,	x)
		public _RtlAvlRemoveNode@8
_RtlAvlRemoveNode@8:			; CODE XREF: MiDeleteVad(x,x,x)+B32p
					; MiZeroPage(x,x)+21Ep	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+0Ch]
		sub	esp, 14h
		push	ebx
		mov	ebx, [eax+4]
		push	esi
		push	edi
		mov	edi, [eax]
		lea	esi, [eax+4]
		test	edi, edi
		jnz	short loc_46FF3C

loc_46FEFA:				; CODE XREF: .text:0046FF3Ej
		mov	esi, [esi]
		mov	ecx, edi
		neg	ecx
		sbb	ecx, ecx
		test	ecx, ebx
		jnz	loc_470010
		mov	edx, [eax+8]
		and	edx, 0FFFFFFFCh
		test	esi, esi
		jnz	short loc_46FF2E

loc_46FF14:				; CODE XREF: .text:0046FF3Aj
		test	edx, edx
		jnz	short loc_46FF40
		mov	ecx, [ebp+8]
		cmp	[ecx], eax
		jnz	loc_47024D
		mov	[ecx], esi

loc_46FF25:				; CODE XREF: .text:0046FF85j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_46FF2E:				; CODE XREF: .text:0046FF12j
		cmp	[esi+8], eax
		jnz	loc_47024D
		mov	[esi+8], edx
		jmp	short loc_46FF14
; 

loc_46FF3C:				; CODE XREF: .text:0046FEF8j
		mov	esi, eax
		jmp	short loc_46FEFA
; 

loc_46FF40:				; CODE XREF: .text:0046FF16j
		cmp	[edx+4], eax
		jz	short loc_46FF9A
		cmp	[edx], eax
		jnz	loc_47024D
		mov	bl, 1
		mov	[edx], esi

loc_46FF51:				; CODE XREF: .text:0046FF98j
					; .text:0046FF9Fj ...
		mov	al, [edx+8]
		lea	edi, [edx+8]
		mov	cl, al
		mov	ah, bl
		and	cl, 3
		xor	ah, 2
		mov	[ebp+0Fh], cl
		cmp	cl, ah
		jz	short loc_46FF7C
		test	cl, cl
		jnz	short loc_46FFA1
		pop	edi
		and	al, 0FCh
		or	al, bl
		pop	esi
		mov	[edx+8], al
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_46FF7C:				; CODE XREF: .text:0046FF66j
		and	al, 0FCh
		mov	[edi], al
		mov	esi, [edi]

loc_46FF82:				; CODE XREF: .text:00470167j
					; .text:004701C0j ...
		and	esi, 0FFFFFFFCh
		jz	short loc_46FF25
		cmp	[esi+4], edx
		mov	edx, esi
		setz	al
		lea	eax, ds:1[eax*2]
		mov	bl, al
		jmp	short loc_46FF51
; 

loc_46FF9A:				; CODE XREF: .text:0046FF43j
		mov	bl, 3
		mov	[edx+4], esi
		jmp	short loc_46FF51
; 

loc_46FFA1:				; CODE XREF: .text:0046FF6Aj
		mov	ecx, [edx]
		mov	esi, [edi]
		mov	[ebp-8], ecx
		cmp	bl, 1
		jnz	short loc_46FFB3
		mov	ecx, [edx+4]
		mov	[ebp-8], ecx

loc_46FFB3:				; CODE XREF: .text:0046FFABj
		mov	al, [ecx+8]
		and	al, 3
		mov	[ebp-1], al
		cmp	al, ah
		jz	loc_47016C
		mov	eax, [ecx+8]
		and	eax, 0FFFFFFFCh
		cmp	eax, edx
		jnz	loc_47024D
		xor	eax, eax
		cmp	bl, 1
		setnz	al
		dec	eax
		and	eax, 4
		add	eax, edx
		mov	[ebp-10h], eax
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	loc_47024D
		mov	eax, esi
		and	eax, 0FFFFFFFCh
		mov	[ebp+0Ch], eax
		jz	loc_470242
		mov	eax, [eax+4]
		cmp	eax, edx

loc_46FFFF:				; DATA XREF: PiDqDispatch+3Ao
		mov	eax, [ebp+0Ch]

loc_470002:				; DATA XREF: .text:00407414o
					; PiDqDispatch:loc_7FACA1o ...
		jnz	loc_4700D0

loc_470008:				; DATA XREF: PiDqQueryGetNextIoctlInfo(x,x,x,x):loc_7FA699o
					; PiDqDispatch+18Co
		mov	[eax+4], ecx

loc_47000B:				; DATA XREF: PiDqDispatch:loc_7FAD18o
		jmp	loc_4700DF
; 

loc_470010:				; CODE XREF: .text:0046FF04j
		mov	cl, [eax+8]
		and	cl, 3
		cmp	cl, 3
		jz	loc_4701FF
		mov	ecx, [ebx]
		mov	esi, ebx
		mov	dword ptr [ebp-8], 1
		mov	edx, ebx
		mov	[ebp-0Ch], ecx
		test	ecx, ecx
		jnz	loc_4701C5

loc_470037:				; CODE XREF: .text:004701DFj
		mov	ecx, [esi+4]

loc_47003A:				; CODE XREF: .text:00470223j
		mov	[esi], edi
		mov	[ebp+0Ch], ecx
		mov	[esi+4], ebx
		mov	ecx, [edi+8]

loc_470045:				; DATA XREF: .text:005A4554o
					; .text:005A565Co
		mov	[ebp-0Ch], ecx
		and	ecx, 0FFFFFFFCh
		cmp	ecx, eax
		jnz	loc_47024D
		mov	ecx, [ebp-0Ch]
		and	ecx, 3
		or	ecx, esi
		mov	[edi+8], ecx
		mov	edi, [ebx+8]
		mov	ecx, edi
		and	ecx, 0FFFFFFFCh
		cmp	ecx, eax
		jnz	loc_47024D
		and	edi, 3
		or	edi, esi
		mov	[ebx+8], edi
		mov	ecx, [esi+8]
		and	ecx, 0FFFFFFFCh
		cmp	ecx, edx
		jnz	loc_47024D
		mov	ebx, [ebp-8]
		mov	ecx, [ebp+0Ch]
		mov	[edx+ebx*4], ecx
		test	ecx, ecx
		jnz	loc_4701F2

loc_470095:				; CODE XREF: .text:004701FAj
		mov	ecx, [eax+8]
		test	ebx, ebx
		mov	[esi+8], ecx
		mov	edi, [eax+8]
		setnz	bl
		lea	ebx, ds:1[ebx*2]
		and	edi, 0FFFFFFFCh
		jz	loc_4701E4
		xor	ecx, ecx
		cmp	[edi+4], eax
		setnz	cl
		dec	ecx
		and	ecx, 4
		cmp	[ecx+edi], eax
		jnz	loc_47024D
		mov	[ecx+edi], esi
		jmp	loc_46FF51
; 

loc_4700D0:				; CODE XREF: .text:loc_470002j
		mov	eax, [eax]
		cmp	eax, edx
		jnz	loc_47024D
		mov	eax, [ebp+0Ch]

loc_4700DD:				; CODE XREF: .text:00470247j
		mov	[eax], ecx

loc_4700DF:				; CODE XREF: .text:loc_47000Bj
		mov	eax, [ecx+8]
		and	eax, 3
		or	eax, [ebp+0Ch]
		mov	[ecx+8], eax
		mov	al, bl
		dec	al
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 4
		add	eax, ecx
		mov	[ebp-14h], eax
		mov	eax, [eax]
		mov	[ebp+0Ch], eax
		test	eax, eax
		jnz	short loc_47013C

loc_470107:				; CODE XREF: .text:0047015Dj
		mov	ecx, [ebp-10h]
		mov	[ecx], eax
		mov	eax, [ebp-14h]
		mov	ecx, [ebp-8]
		mov	[eax], edx
		mov	eax, [edi]
		and	eax, 3
		or	eax, ecx
		mov	[edi], eax
		mov	al, [ecx+8]
		and	al, 0FCh
		cmp	byte ptr [ebp-1], 0
		jnz	short loc_47015F
		xor	bl, 0FEh
		and	bl, 3
		pop	edi
		or	bl, al
		pop	esi
		mov	[ecx+8], bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_47013C:				; CODE XREF: .text:00470105j
		mov	eax, [eax+8]
		mov	[ebp-0Ch], eax
		and	eax, 0FFFFFFFCh
		cmp	eax, ecx
		jnz	loc_47024D
		mov	eax, [ebp-0Ch]
		mov	ecx, [ebp+0Ch]
		and	eax, 3
		or	eax, edx
		mov	[ecx+8], eax
		mov	eax, ecx
		jmp	short loc_470107
; 

loc_47015F:				; CODE XREF: .text:00470126j
		mov	[ecx+8], al
		mov	edx, ecx
		and	byte ptr [edi],	0FCh
		jmp	loc_46FF82
; 

loc_47016C:				; CODE XREF: .text:0046FFBDj
		xor	eax, eax
		cmp	bl, 1
		push	ecx
		setz	al
		push	eax
		push	ecx
		mov	ecx, [ebp+8]
		call	_RtlpTreeDoubleRotateNodes@20 ;	RtlpTreeDoubleRotateNodes(x,x,x,x,x)
		mov	ebx, [ebp-8]
		mov	edx, eax
		and	byte ptr [edi],	0FCh
		mov	cl, [ebp+0Fh]
		mov	ch, [ebx+8]
		and	ch, 0FCh
		mov	[ebx+8], ch
		movzx	eax, byte ptr [edx+8]
		movzx	ebx, cl
		mov	[ebp-0Ch], eax
		and	eax, 3
		mov	[ebp+0Ch], ebx
		cmp	ebx, eax
		mov	ebx, [ebp-8]
		jz	loc_47022F
		mov	eax, [ebp-0Ch]
		xor	eax, 0FFFFFFFEh
		and	eax, 3
		cmp	[ebp+0Ch], eax
		jz	short loc_470228

loc_4701BC:				; CODE XREF: .text:0047022Dj
		and	byte ptr [edx+8], 0FCh
		jmp	loc_46FF82
; 

loc_4701C5:				; CODE XREF: .text:00470031j
		mov	eax, [ebp-0Ch]
		xor	ecx, ecx
		mov	[ebp-8], ecx
		lea	ecx, [ecx+0]

loc_4701D0:				; CODE XREF: .text:004701DAj
		mov	ecx, [eax]
		mov	edx, esi
		mov	esi, eax
		mov	eax, ecx
		test	ecx, ecx
		jnz	short loc_4701D0
		mov	eax, [ebp+0Ch]
		jmp	loc_470037
; 

loc_4701E4:				; CODE XREF: .text:004700ADj
		mov	ecx, [ebp+8]
		cmp	[ecx], eax
		jnz	short loc_47024D
		mov	[ecx], esi
		jmp	loc_46FF51
; 

loc_4701F2:				; CODE XREF: .text:0047008Fj
		cmp	[ecx+8], esi
		jnz	short loc_47024D
		mov	[ecx+8], edx
		jmp	loc_470095
; 

loc_4701FF:				; CODE XREF: .text:00470019j
		xor	ecx, ecx
		mov	esi, edi
		mov	[ebp-8], ecx
		mov	edx, edi
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	short loc_470221
		mov	dword ptr [ebp-8], 1

loc_470216:				; CODE XREF: .text:0047021Fj
		mov	edx, esi
		mov	esi, ecx
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_470216

loc_470221:				; CODE XREF: .text:0047020Dj
		mov	ecx, [esi]
		jmp	loc_47003A
; 

loc_470228:				; CODE XREF: .text:004701BAj
		or	ch, cl
		mov	[ebx+8], ch
		jmp	short loc_4701BC
; 

loc_47022F:				; CODE XREF: .text:004701A8j
		mov	al, [edi]
		xor	al, cl
		xor	al, 0FEh
		and	al, 3
		xor	[edi], al
		and	byte ptr [edx+8], 0FCh
		jmp	loc_46FF82
; 

loc_470242:				; CODE XREF: .text:0046FFF4j
		mov	eax, [ebp+8]
		cmp	[eax], edx
		jz	loc_4700DD

loc_47024D:				; CODE XREF: .text:0046FF1Dj
					; .text:0046FF31j ...
		mov	ecx, 1Dh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 3 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiBeginPageAccessor proc near		; CODE XREF: .text:0046F493p
					; .text:00542212p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B3304 SIZE 0000008E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		test	byte ptr [edx+16h], 8
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jnz	loc_470358
		mov	ebx, large fs:124h
		mov	[esi+0Ch], edx
		mov	[esi+1Ch], ebx
		mov	al, [edx+16h]
		or	al, 8
		mov	[edx+8], esi
		mov	[edx+16h], al
		mov	dword ptr [edx+0Ch], 0
		cmp	byte ptr [esi+27h], 0
		mov	dword ptr [esi+10h], 0
		mov	word ptr [esi+25h], 0
		jnz	loc_5B3304
		mov	edi, offset unk_6D2FA8

loc_4702B2:				; CODE XREF: MiBeginPageAccessor+1430A9j
		test	ds:byte_70EFC6,	21h
		jnz	loc_5B330E
		mov	[ebp+var_4], 0
		lock bts dword ptr [edi], 1Fh
		jb	short loc_470346

loc_4702CD:				; CODE XREF: MiBeginPageAccessor+F3j
		mov	edx, [edi]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5B331D

loc_4702E1:				; CODE XREF: MiBeginPageAccessor+1430B8j
					; MiBeginPageAccessor+1430EFj
		xor	cl, cl
		cmp	[esi+27h], cl
		jnz	loc_5B3354
		mov	eax, dword_6D2FAC
		test	eax, eax
		jz	short loc_47030C

loc_4702F5:				; CODE XREF: MiBeginPageAccessor+A2j
		cmp	esi, eax
		jb	short loc_470304
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_470342

loc_470300:				; CODE XREF: MiBeginPageAccessor+A8j
		mov	eax, ecx
		jmp	short loc_4702F5
; 

loc_470304:				; CODE XREF: MiBeginPageAccessor+97j
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_470300
		xor	cl, cl

loc_47030C:				; CODE XREF: MiBeginPageAccessor+93j
					; MiBeginPageAccessor+E4j
		mov	edx, offset dword_6D2FAC

loc_470311:				; CODE XREF: MiBeginPageAccessor+14310Fj
		push	esi
		mov	byte ptr [ebp+var_8], cl
		push	[ebp+var_8]
		push	eax
		push	edx
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		mov	byte ptr [esi+24h], 1
		test	ds:byte_70EFC6,	1
		jnz	loc_5B3383
		mov	dword ptr [edi], 0

loc_470336:				; CODE XREF: MiBeginPageAccessor+14312Dj
		mov	eax, 1
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_470342:				; CODE XREF: MiBeginPageAccessor+9Ej
		mov	cl, 1
		jmp	short loc_47030C
; 

loc_470346:				; CODE XREF: MiBeginPageAccessor+6Bj
		or	dl, 0FFh
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+var_4], eax
		jmp	loc_4702CD
; 

loc_470358:				; CODE XREF: MiBeginPageAccessor+11j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
MiBeginPageAccessor endp

; 
		align 10h

; __stdcall MiInsertPageInFreeOrZeroedList(x, x)
_MiInsertPageInFreeOrZeroedList@8:	; CODE XREF: MiFreeSmallPageFromMdl(x,x)+8Fp
					; MiDeleteTransitionPte+10Bp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 70h
		xor	eax, eax
		mov	[esp+18h], edx
		push	esi
		lea	esi, ds:0[ecx*8]
		mov	[esp+68h], eax
		sub	esi, ecx
		mov	[esp+6Ch], eax
		mov	[esp+70h], eax
		mov	eax, ds:_MmPfnDatabase
		mov	[esp+0Ch], ecx
		push	edi
		lea	edi, [eax+esi*4]
		mov	esi, 1
		mov	[esp+2Ch], edi
		test	dl, 1
		jz	short loc_4703E7
		test	byte ptr ds:_MiFlags, 80h
		mov	dword ptr [esp+30h], offset dword_6D53C0
		jz	short loc_4703DD
		mov	eax, dword_6D30F0
		inc	eax
		mov	dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	short loc_4703DD
		mov	edx, esi
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)

loc_4703DD:				; CODE XREF: .text:004703C1j
					; .text:004703D4j
		mov	dword ptr [esp+0Ch], 0
		jmp	short loc_470426
; 

loc_4703E7:				; CODE XREF: .text:004703B0j
		test	edx, 100h
		jz	short loc_47041A
		mov	al, [edi+16h]
		mov	edx, 100h
		and	dword ptr [edi+10h], 0BFFFFFFFh
		and	al, 0FDh

loc_470400:				; DATA XREF: PiSwDispatch+2Fo
		or	al, 5
		mov	ecx, edi
		mov	[edi+16h], al
		mov	al, [edi+17h]
		or	al, 10h
		mov	[edi+17h], al
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)

loc_470414:				; CODE XREF: .text:004704F3j
					; .text:004706B5j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_47041A:				; CODE XREF: .text:004703EDj
		mov	dword ptr [esp+30h], offset dword_6D5400
		mov	[esp+0Ch], esi

loc_470426:				; CODE XREF: .text:004703E5j
		mov	eax, [edi+18h]
		and	eax, 70000000h
		mov	dword ptr [esp+48h], 0
		mov	dword ptr [esp+4Ch], 0
		cmp	eax, 30000000h
		jnz	short loc_470462
		lea	eax, [esp+48h]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		test	eax, eax
		jnz	loc_470F21
		and	dword ptr [edi+18h], 8FFFFFFFh

loc_470462:				; CODE XREF: .text:00470443j
		and	dword ptr [edi+10h], 0BFFFFFFFh
		lea	eax, [esp+34h]
		mov	dword ptr [esp+34h], 0
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, ds:_KiTbFlushTimeStamp
		and	byte ptr [edi+17h], 0F8h
		or	dword ptr [edi+4], 80000000h
		and	dword ptr [edi+18h], 0FFFFFFFh
		shl	eax, 17h
		xor	eax, [edi+10h]
		and	eax, 7800000h
		xor	[edi+10h], eax
		mov	al, [edi+16h]
		and	al, 0C7h
		mov	[edi+16h], al
		mov	al, [edi+17h]
		and	al, 0DFh
		mov	[edi+17h], al
		cmp	byte_6D5872, cl
		jz	short loc_47050F
		mov	ecx, edi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		mov	eax, dword_6D5BBC
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		shr	ecx, 9
		mov	edx, ecx
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jz	short loc_47050F
		test	dword ptr [esp+20h], 800h
		jnz	loc_470414
		push	edi
		mov	edx, offset _MiFreePageToSlabAllocator@12 ; MiFreePageToSlabAllocator(x,x,x)
		mov	ecx, offset _MiSystemPartition
		call	_MiEnumerateSlabAllocators@12 ;	MiEnumerateSlabAllocators(x,x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_47050F:				; CODE XREF: .text:004704B5j
					; .text:004704E9j
		test	byte ptr [edi+17h], 40h
		mov	ecx, edi
		jz	short loc_470527
		mov	edx, 20h
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_470527:				; CODE XREF: .text:00470515j
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		mov	ecx, dword_6D0684
		sar	edx, 4
		mov	esi, edx
		shr	esi, 1Fh
		add	esi, edx
		mov	edx, dword_6D0688
		cmp	ecx, edx
		ja	short loc_470566
		mov	eax, dword_6D06B0
		cmp	esi, [eax+ecx*8]
		lea	eax, [eax+ecx*8]
		jb	short loc_470566
		cmp	ecx, edx
		jz	short loc_4705BB
		cmp	esi, [eax+8]
		jb	short loc_4705BB

loc_470566:				; CODE XREF: .text:0047054Ej
					; .text:0047055Bj
		xor	eax, eax
		mov	[esp+1Ch], eax
		test	edx, edx
		js	loc_470F4B

loc_470574:				; CODE XREF: .text:004705B3j
		lea	ecx, [eax+edx]
		mov	eax, dword_6D06B0
		sar	ecx, 1
		cmp	esi, [eax+ecx*8]
		lea	eax, [eax+ecx*8]
		jnb	short loc_470597
		test	ecx, ecx
		jz	loc_470F5C
		mov	eax, [esp+1Ch]
		lea	edx, [ecx-1]
		jmp	short loc_4705AB
; 

loc_470597:				; CODE XREF: .text:00470584j
		cmp	ecx, dword_6D0688
		jz	short loc_4705B5
		cmp	esi, [eax+8]
		jb	short loc_4705B5
		lea	eax, [ecx+1]
		mov	[esp+1Ch], eax

loc_4705AB:				; CODE XREF: .text:00470595j
		cmp	edx, eax
		jl	loc_470F4B
		jmp	short loc_470574
; 

loc_4705B5:				; CODE XREF: .text:0047059Dj
					; .text:004705A2j
		mov	dword_6D0684, ecx

loc_4705BB:				; CODE XREF: .text:0047055Fj
					; .text:00470564j
		mov	edx, [eax+4]
		movzx	ecx, byte_6D068C
		mov	eax, dword_6D06D0
		and	eax, [esp+10h]
		shl	edx, cl
		or	edx, eax
		mov	dword ptr [esp+24h], 0FFFFFFFDh
		mov	eax, edx
		mov	[esp+14h], edx
		shr	eax, cl
		lea	ecx, [eax+eax*4]
		mov	eax, dword_6D4E50
		shl	ecx, 7
		add	eax, ecx
		mov	ecx, [esp+0Ch]
		mov	[esp+1Ch], eax
		mov	al, [edi+16h]
		and	al, 0F8h
		or	al, cl
		mov	[edi+16h], al
		mov	eax, [esp+20h]
		and	eax, 400h
		mov	[esp+28h], eax
		jnz	short loc_470618
		mov	dword ptr [esp+24h], 0

loc_470618:				; CODE XREF: .text:0047060Ej
		mov	edx, [edi+8]
		mov	eax, edx
		mov	ecx, [edi+0Ch]
		or	eax, ecx
		mov	[esp+44h], ecx
		jnz	short loc_47062C
		xor	edx, edx
		jmp	short loc_470656
; 

loc_47062C:				; CODE XREF: .text:00470626j
		mov	eax, dword_6D0704
		mov	esi, dword_6D0700
		mov	[esp+18h], eax
		mov	eax, esi
		or	eax, [esp+18h]
		jz	short loc_470656
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_470653
		not	esi
		and	edx, esi
		jmp	short loc_470656
; 

loc_470653:				; CODE XREF: .text:0047064Bj
		and	edx, 0FFFFFFEFh

loc_470656:				; CODE XREF: .text:0047062Aj
					; .text:00470641j ...
		mov	eax, dword_6D0704
		xor	esi, esi
		mov	ecx, dword_6D0700
		or	esi, [esp+24h]
		mov	[esp+18h], eax
		mov	eax, ecx
		or	eax, [esp+18h]
		mov	[esp+24h], ecx
		jz	short loc_470690
		mov	eax, [esp+18h]
		and	ecx, edx
		and	eax, esi
		or	ecx, eax
		jnz	short loc_47068D
		or	edx, [esp+24h]
		or	esi, [esp+18h]
		jmp	short loc_470690
; 

loc_47068D:				; CODE XREF: .text:00470681j
		or	edx, 10h

loc_470690:				; CODE XREF: .text:00470675j
					; .text:0047068Bj
		mov	eax, [esp+20h]
		mov	[edi+8], edx
		mov	[edi+0Ch], esi
		test	al, 40h
		jnz	loc_470831
		test	eax, 200h
		jnz	short loc_4706BB
		mov	ecx, [esp+10h]
		call	_MiCoalesceFreePages@4 ; MiCoalesceFreePages(x)
		cmp	eax, 1
		jz	loc_470414

loc_4706BB:				; CODE XREF: .text:004706A7j
		cmp	dword ptr [esp+28h], 0
		jnz	loc_470831
		test	byte ptr dword_6D4E44, 20h
		jnz	loc_470831
		mov	cl, byte_6D068C
		mov	eax, [esp+14h]
		shr	eax, cl
		lea	edx, [eax+eax*4]
		mov	eax, [esp+0Ch]
		shl	edx, 7
		add	edx, dword_6D4E50
		lea	ecx, dword_6D5794[eax*4]
		xor	eax, 1
		mov	[esp+40h], ecx
		mov	ecx, [ecx]
		lea	esi, ds:1000h[eax*2]
		mov	eax, [esp+14h]
		movzx	eax, word ptr [ecx+eax*8+4]
		cmp	eax, dword_6D5BF8
		jge	loc_470831
		shr	esi, 1
		lea	eax, [edx+1D0h]
		not	esi
		mov	[esp+20h], eax
		xor	ecx, ecx
		and	esi, 1
		mov	[esp+3Ch], esi
		lea	esi, [edx+3Ch]
		mov	[esp+24h], ecx
		mov	[esp+18h], esi
		lea	ecx, [ecx+0]

loc_470740:				; CODE XREF: .text:004707BFj
		mov	eax, [eax]
		xor	edi, edi
		add	ecx, eax
		mov	edx, esi
		mov	[esp+38h], ecx
		xor	esi, esi
		mov	edi, edi

loc_470750:				; CODE XREF: .text:00470794j
		mov	eax, [edx-24h]
		lea	edx, [edx+98h]
		add	eax, [edx-0B8h]
		add	eax, [edx-0B4h]
		add	eax, [edx-0B0h]
		add	eax, [edx-90h]
		add	eax, [edx-9Ch]
		add	eax, [edx-94h]
		add	eax, [edx-98h]
		mov	ecx, ds:_MiLargePageSizes[esi]
		add	esi, 4
		imul	ecx, eax
		add	edi, ecx
		cmp	esi, 8
		jb	short loc_470750
		mov	edx, [esp+24h]
		mov	eax, [esp+20h]
		inc	edx
		mov	esi, [esp+18h]
		add	eax, 4
		mov	ecx, [esp+38h]
		add	esi, 10h
		add	ecx, edi
		mov	[esp+24h], edx
		mov	[esp+20h], eax
		mov	[esp+18h], esi
		cmp	edx, [esp+3Ch]
		jle	loc_470740
		mov	edi, [esp+2Ch]
		cmp	ecx, 40h
		jbe	short loc_470831
		mov	esi, dword_6D5E00
		cmp	esi, 420h
		jnb	loc_470877
		mov	eax, dword_6D06D4
		mov	ecx, offset dword_6D5794
		mov	[esp+38h], eax
		mov	[esp+24h], ecx

loc_4707F2:				; CODE XREF: .text:0047082Fj
		mov	edx, [ecx]
		mov	[esp+3Ch], edx
		xor	edx, edx
		test	eax, eax
		jz	short loc_470822

loc_4707FE:				; DATA XREF: PiUEventHandleIoctl+Co
		mov	ecx, [esp+3Ch]
		add	ecx, 4

loc_470805:				; CODE XREF: .text:0047081Cj
		movzx	eax, word ptr [ecx]
		add	esi, eax
		cmp	esi, 420h
		jnb	short loc_470877
		mov	eax, [esp+38h]
		inc	edx
		add	ecx, 8
		cmp	edx, eax
		jb	short loc_470805
		mov	ecx, [esp+24h]

loc_470822:				; CODE XREF: .text:004707FCj
		add	ecx, 4
		mov	[esp+24h], ecx
		cmp	ecx, offset dword_6D5798
		jle	short loc_4707F2

loc_470831:				; CODE XREF: .text:0047069Cj
					; .text:004706C0j ...
		xor	eax, eax
		mov	esi, 1
		mov	[esp+60h], eax
		mov	[esp+64h], eax
		mov	[esp+68h], eax
		lock xadd dword_6D5E00,	esi
		inc	esi
		mov	eax, offset unk_6D58C0
		cmp	esi, 420h
		ja	loc_470A18
		cmp	esi, 0A0h
		jnz	loc_47095B
		mov	dword ptr [esp+18h], offset unk_6D58D8
		jmp	loc_47097E
; 

loc_470877:				; CODE XREF: .text:004707DAj
					; .text:00470810j
		mov	cl, [edi+16h]
		mov	al, cl
		and	al, 7
		cmp	al, 5
		jz	short loc_47088B
		and	cl, 0FDh
		or	cl, 5
		mov	[edi+16h], cl

loc_47088B:				; CODE XREF: .text:00470880j
		mov	edx, [esp+0Ch]
		xor	ecx, ecx
		mov	eax, [edi+8]
		shld	ecx, edx, 0Ch
		and	eax, 0FFFF0FFFh
		or	ecx, [edi+0Ch]
		shl	edx, 0Ch
		or	edx, eax
		mov	[edi+0Ch], ecx
		mov	eax, edx
		mov	[esp+0Ch], edx
		or	eax, ecx
		mov	[edi+8], edx
		mov	[esp+4Ch], ecx
		jnz	short loc_4708C3
		mov	[esp+0Ch], eax
		mov	[esp+4Ch], eax
		jmp	short loc_4708F5
; 

loc_4708C3:				; CODE XREF: .text:004708B7j
		mov	eax, dword_6D0704
		mov	esi, dword_6D0700
		mov	[esp+24h], eax
		mov	eax, esi
		or	eax, [esp+24h]
		jz	short loc_4708F5
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4708EE
		not	esi
		and	esi, edx
		mov	[esp+0Ch], esi
		jmp	short loc_4708F5
; 

loc_4708EE:				; CODE XREF: .text:004708E2j
		and	edx, 0FFFFFFEFh
		mov	[esp+0Ch], edx

loc_4708F5:				; CODE XREF: .text:004708C1j
					; .text:004708D8j ...
		mov	esi, dword_6D0700
		xor	edx, edx
		mov	ecx, dword_6D0704
		mov	eax, esi
		or	edx, 0FFFFFFFEh
		mov	[esp+24h], ecx
		or	eax, ecx
		jz	short loc_470931
		mov	eax, [esp+24h]
		mov	ecx, esi
		and	ecx, [esp+0Ch]
		and	eax, edx
		or	ecx, eax
		mov	eax, [esp+0Ch]
		jnz	short loc_47092C
		or	eax, esi
		or	edx, [esp+24h]
		jmp	short loc_470935
; 

loc_47092C:				; CODE XREF: .text:00470922j
		or	eax, 10h
		jmp	short loc_470935
; 

loc_470931:				; CODE XREF: .text:0047090Ej
		mov	eax, [esp+0Ch]

loc_470935:				; CODE XREF: .text:0047092Aj
					; .text:0047092Fj
		mov	ecx, [esp+40h]
		mov	[edi+0Ch], edx
		mov	edx, [esp+14h]
		mov	[edi+8], eax
		mov	ecx, [ecx]
		lea	eax, ds:0[edx*8]
		mov	edx, edi
		add	ecx, eax
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_47095B:				; CODE XREF: .text:00470864j
		cmp	esi, 420h
		jnz	short loc_47096D
		mov	dword ptr [esp+18h], offset unk_6D58EC
		jmp	short loc_47097E
; 

loc_47096D:				; CODE XREF: .text:00470961j
		cmp	esi, 22h
		jnz	loc_470A18
		mov	dword ptr [esp+18h], offset unk_6D58C4

loc_47097E:				; CODE XREF: .text:00470872j
					; .text:0047096Bj
		test	ds:byte_70EFC6,	21h
		mov	dword ptr [esp+64h], offset unk_6D58C0
		mov	dword ptr [esp+60h], 0
		jz	short loc_4709A4
		mov	edx, eax
		lea	ecx, [esp+60h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4709B7
; 

loc_4709A4:				; CODE XREF: .text:00470995j
		lea	edx, [esp+60h]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_4709B7
		lea	ecx, [esp+60h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4709B7:				; CODE XREF: .text:004709A2j
					; .text:004709ACj
		push	0
		push	0
		push	dword ptr [esp+20h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, [esp+18h]
		inc	dword ptr [eax+10h]
		test	ds:byte_70EFC6,	1
		jz	short loc_4709E2
		mov	edx, [ebp+4]
		lea	ecx, [esp+60h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_470A18
; 

loc_4709E2:				; CODE XREF: .text:004709D2j
		mov	eax, [esp+60h]
		test	eax, eax
		jnz	short loc_470A05
		mov	edx, [esp+64h]
		lea	eax, [esp+60h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+60h]
		cmp	eax, ecx
		jz	short loc_470A18
		call	KxWaitForLockChainValid

loc_470A05:				; CODE XREF: .text:004709E8j
		mov	dword ptr [esp+60h], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_470A18:				; CODE XREF: .text:00470858j
					; .text:00470970j ...
		dec	esi
		cmp	esi, dword_6D596C
		jz	short loc_470A29
		cmp	esi, dword_6D5970
		jnz	short loc_470A33

loc_470A29:				; CODE XREF: .text:00470A1Fj
		mov	ecx, offset _MiSystemPartition
		call	MiUpdateAvailableEvents

loc_470A33:				; CODE XREF: .text:00470A27j
		mov	edx, [esp+0Ch]
		mov	eax, 1
		mov	ecx, [esp+1Ch]
		lock xadd [ecx+edx*4+1D0h], eax
		inc	eax
		test	ds:byte_70EFC6,	21h
		mov	ecx, dword_6D5380[edx*4]
		mov	[esp+38h], eax
		mov	eax, [esp+14h]
		mov	dword ptr [esp+6Ch], 0
		lea	eax, [eax+eax*4]
		lea	esi, [ecx+eax*4]
		lea	ecx, [esi+10h]
		mov	[esp+20h], esi
		mov	[esp+70h], ecx
		jz	short loc_470A88
		mov	edx, ecx
		lea	ecx, [esp+6Ch]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_470A9D
; 

loc_470A88:				; CODE XREF: .text:00470A79j
		lea	eax, [esp+6Ch]
		xchg	eax, [ecx]
		test	eax, eax
		jz	short loc_470AA1
		mov	edx, eax
		lea	ecx, [esp+6Ch]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_470A9D:				; CODE XREF: .text:00470A86j
		mov	edx, [esp+0Ch]

loc_470AA1:				; CODE XREF: .text:00470A90j
		mov	eax, [esi+8]
		cmp	eax, offset loc_7FFFFF
		jnz	short loc_470B0D
		mov	cl, byte_6D068C
		mov	esi, 1
		mov	eax, [esp+14h]
		mov	edx, dword_6D06D0
		and	edx, [esp+14h]
		shr	eax, cl
		mov	ecx, edx
		and	ecx, 1Fh
		shr	edx, 5
		shl	esi, cl
		mov	ecx, [esp+0Ch]
		lea	eax, [eax+eax*4]
		shl	eax, 7
		add	eax, dword_6D4E50
		mov	eax, [eax+ecx*8+184h]
		lea	eax, [eax+edx*4]
		lock or	[eax], esi
		mov	esi, [esp+20h]
		or	dword ptr [edi+10h], offset loc_7FFFFF
		mov	eax, [esp+10h]
		mov	dword ptr [edi], offset	loc_7FFFFF
		mov	[esi+8], eax
		mov	[esi+0Ch], eax
		jmp	loc_470C01
; 

loc_470B0D:				; CODE XREF: .text:00470AA9j
		cmp	edx, 1
		jz	loc_470BB6
		cmp	dword ptr [esp+28h], 0
		jnz	loc_470BB6
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		or	dword ptr [edi+10h], offset loc_7FFFFF
		lea	eax, [eax+ecx*4]
		mov	ecx, [eax+10h]
		mov	[esp+3Ch], eax
		mov	edx, ecx
		add	eax, 10h
		and	edx, 0FF800000h
		mov	[esp+28h], eax
		mov	eax, [esp+10h]
		mov	esi, [esp+28h]
		and	eax, offset loc_7FFFFF
		mov	[esp+40h], eax
		or	edx, eax
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	esi, [esp+20h]
		cmp	ecx, eax
		jz	short loc_470B8E
		mov	edi, [esp+28h]

loc_470B74:				; CODE XREF: .text:00470B88j
		mov	edx, eax
		mov	ecx, eax
		and	edx, 0FF800000h
		or	edx, [esp+40h]
		lock cmpxchg [edi], edx
		cmp	ecx, eax
		jnz	short loc_470B74
		mov	edi, [esp+2Ch]

loc_470B8E:				; CODE XREF: .text:00470B6Ej
		mov	eax, [esp+10h]
		mov	ecx, [esp+3Ch]
		mov	[esi+8], eax
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	[edi], eax
		jmp	short loc_470C01
; 

loc_470BB6:				; CODE XREF: .text:00470B10j
					; .text:00470B1Bj
		mov	eax, [esi+0Ch]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+ecx*4]
		mov	ecx, esi
		sub	ecx, eax
		mov	eax, 92492493h
		imul	ecx
		mov	eax, [edi+10h]
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		xor	eax, ecx
		and	eax, offset loc_7FFFFF
		xor	[edi+10h], eax
		mov	eax, [esp+10h]
		mov	[esi], eax
		mov	esi, [esp+20h]
		mov	[esi+0Ch], eax
		mov	dword ptr [edi], offset	loc_7FFFFF

loc_470C01:				; CODE XREF: .text:00470B08j
					; .text:00470BB4j
		inc	dword ptr [esi]
		mov	eax, [esp+30h]
		lock inc dword ptr [eax]
		test	ds:byte_70EFC6,	1
		jz	short loc_470C21
		mov	edx, [ebp+4]
		lea	ecx, [esp+6Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_470C57
; 

loc_470C21:				; CODE XREF: .text:00470C11j
		mov	eax, [esp+6Ch]
		test	eax, eax
		jnz	short loc_470C44
		mov	edx, [esp+70h]
		lea	eax, [esp+6Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+6Ch]
		cmp	eax, ecx
		jz	short loc_470C57
		call	KxWaitForLockChainValid

loc_470C44:				; CODE XREF: .text:00470C27j
		mov	dword ptr [esp+6Ch], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_470C57:				; CODE XREF: .text:00470C1Fj
					; .text:00470C3Dj
		cmp	dword ptr [esp+0Ch], 1
		jnz	loc_470414
		cmp	dword ptr [esp+38h], 40h
		jb	loc_470414
		mov	esi, dword_6D5E00
		cmp	esi, 0A0h
		jnb	short loc_470CCD
		mov	edi, dword_6D06D4
		mov	eax, offset dword_6D5794
		mov	[esp+30h], eax
		lea	ebx, [ebx+0]

loc_470C90:				; CODE XREF: .text:00470CC5j
		mov	edx, [eax]
		xor	ecx, ecx
		test	edi, edi
		jz	short loc_470CB9
		add	edx, 4
		jmp	short loc_470CA0
; 
		align 10h

loc_470CA0:				; CODE XREF: .text:00470C9Bj
					; .text:00470CB3j
		movzx	eax, word ptr [edx]
		add	esi, eax
		cmp	esi, 0A0h
		jnb	short loc_470CCD
		inc	ecx
		add	edx, 8
		cmp	ecx, edi
		jb	short loc_470CA0
		mov	eax, [esp+30h]

loc_470CB9:				; CODE XREF: .text:00470C96j
		add	eax, 4
		mov	[esp+30h], eax
		cmp	eax, offset dword_6D5798
		jle	short loc_470C90
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_470CCD:				; CODE XREF: .text:00470C79j
					; .text:00470CABj
		xor	eax, eax
		mov	byte ptr [esp+0Bh], 21h
		mov	[esp+54h], eax
		mov	[esp+58h], eax
		mov	[esp+5Ch], eax
		mov	eax, [esp+1Ch]
		test	eax, eax
		jnz	short loc_470CFF
		movzx	eax, ds:_KeNumberNodes
		mov	edx, dword_6D4E50
		lea	ecx, [eax+eax*4]
		shl	ecx, 7
		add	ecx, edx
		jmp	short loc_470D14
; 

loc_470CFF:				; CODE XREF: .text:00470CE6j
		test	byte ptr dword_6D4E44, 40h
		jnz	loc_470414
		mov	edx, eax
		lea	ecx, [eax+280h]

loc_470D14:				; CODE XREF: .text:00470CFDj
		mov	eax, dword_6D5C10
		test	eax, eax
		jnz	loc_470414
		cmp	edx, ecx
		jnb	loc_470414
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		lea	esi, [edx+272h]
		sub	ecx, edx
		mov	eax, 0CCCCCCCDh
		dec	ecx
		mul	ecx
		mov	eax, edx
		shr	eax, 9
		inc	eax
		mov	[esp+14h], eax
		lea	esp, [esp+0]

loc_470D50:				; CODE XREF: .text:00470F15j
		cmp	byte ptr [esi],	0
		jnz	loc_470F08
		cmp	dword ptr [esp+1Ch], 0
		jz	short loc_470DA2
		push	1
		mov	edx, 1
		lea	ecx, [esi-272h]
		call	_MiNodeLargeFreeZeroPages@12 ; MiNodeLargeFreeZeroPages(x,x,x)
		cmp	eax, 400h
		jb	loc_470EFE
		push	0
		mov	edx, 1
		lea	ecx, [esi-272h]
		call	_MiNodeLargeFreeZeroPages@12 ; MiNodeLargeFreeZeroPages(x,x,x)
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		cmp	eax, 100000h
		jnb	loc_470F04
		jmp	short loc_470DAE
; 

loc_470DA2:				; CODE XREF: .text:00470D5Ej
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+0Bh], al

loc_470DAE:				; CODE XREF: .text:00470DA0j
		cmp	byte_6D5BF5, 0
		jz	loc_470E4B
		mov	edi, [esi-2Eh]
		lea	edx, [esp+54h]
		lea	ecx, [edi+10h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	byte ptr [esi],	0
		jnz	short loc_470DDE
		mov	edx, 2
		mov	byte ptr [esi],	1
		mov	ecx, edi
		call	_MiWakeZeroingThreads@8	; MiWakeZeroingThreads(x,x)

loc_470DDE:				; CODE XREF: .text:00470DCDj
		test	ds:byte_70EFC6,	1
		jz	short loc_470E04
		mov	edx, [ebp+4]
		lea	ecx, [esp+54h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		mov	cl, [esp+5Ch]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		jmp	loc_470EEF
; 

loc_470E04:				; CODE XREF: .text:00470DE5j
		mov	eax, [esp+54h]
		test	eax, eax
		jnz	short loc_470E27
		mov	edx, [esp+58h]
		lea	eax, [esp+54h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+54h]
		cmp	eax, ecx
		jz	short loc_470E3A
		call	KxWaitForLockChainValid

loc_470E27:				; CODE XREF: .text:00470E0Aj
		mov	dword ptr [esp+54h], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_470E3A:				; CODE XREF: .text:00470E20j
		mov	cl, [esp+5Ch]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		jmp	loc_470EEF
; 

loc_470E4B:				; CODE XREF: .text:00470DB5j
		test	ds:byte_70EFC6,	21h
		mov	dword ptr [esp+58h], offset unk_6D58C0
		mov	dword ptr [esp+54h], 0
		jz	short loc_470E74
		mov	edx, offset unk_6D58C0
		lea	ecx, [esp+54h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_470E8C
; 

loc_470E74:				; CODE XREF: .text:00470E62j
		lea	edx, [esp+54h]
		mov	eax, offset unk_6D58C0
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_470E8C
		lea	ecx, [esp+54h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_470E8C:				; CODE XREF: .text:00470E72j
					; .text:00470E81j
		cmp	byte ptr [esi],	0
		jnz	short loc_470EA2
		push	0
		push	0
		push	offset unk_6D5BE4
		mov	byte ptr [esi],	1
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_470EA2:				; CODE XREF: .text:00470E8Fj
		test	ds:byte_70EFC6,	1
		jz	short loc_470EB9
		mov	edx, [ebp+4]
		lea	ecx, [esp+54h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_470EEF
; 

loc_470EB9:				; CODE XREF: .text:00470EA9j
		mov	eax, [esp+54h]
		test	eax, eax
		jnz	short loc_470EDC
		mov	edx, [esp+58h]
		lea	eax, [esp+54h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+54h]
		cmp	eax, ecx
		jz	short loc_470EEF
		call	KxWaitForLockChainValid

loc_470EDC:				; CODE XREF: .text:00470EBFj
		mov	dword ptr [esp+54h], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_470EEF:				; CODE XREF: .text:00470DFFj
					; .text:00470E46j ...
		cmp	dword ptr [esp+1Ch], 0
		jnz	short loc_470F04
		mov	cl, [esp+0Bh]
		call	edi
		jmp	short loc_470F04
; 

loc_470EFE:				; CODE XREF: .text:00470D77j
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

loc_470F04:				; CODE XREF: .text:00470D9Aj
					; .text:00470EF4j ...
		mov	eax, [esp+14h]

loc_470F08:				; CODE XREF: .text:00470D53j
		add	esi, 280h
		sub	eax, 1
		mov	[esp+14h], eax
		jnz	loc_470D50
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_470F21:				; CODE XREF: .text:00470455j
		sub	edi, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	edi
		push	0
		add	edx, edi
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		push	0
		add	eax, edx
		push	eax
		push	5150Bh
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_470F4B:				; CODE XREF: .text:0047056Ej
					; .text:004705ADj
		push	0
		push	0
		push	esi
		push	6201h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_470F5C:				; CODE XREF: .text:00470588j
		push	0
		push	eax
		push	esi
		push	6200h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 0CCCCCCCCh
; 

; __stdcall MiCoalesceFreePages(x)
_MiCoalesceFreePages@4:			; CODE XREF: .text:004706ADp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp-38h], eax
		mov	[ebp-34h], eax
		mov	[ebp-30h], eax
		cmp	ds:_MmPhysicalMemoryBlock, eax
		jz	loc_471136
		mov	edx, ds:_MmPfnDatabase
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		and	ecx, 0FFFFFFF0h
		mov	[ebp-3Ch], ecx
		mov	[ebp-20h], ecx
		lea	eax, [edx+eax*4]
		mov	[ebp-1Ch], eax
		movzx	eax, byte ptr [eax+16h]
		and	eax, 7
		mov	[ebp-2Ch], eax
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		lea	ebx, [edx+eax*4]
		mov	eax, 92492493h
		mov	ecx, ebx
		sub	ecx, edx
		imul	ecx
		add	edx, ecx
		mov	ecx, dword_6D0684
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	edx, dword_6D0688
		mov	[ebp-24h], eax
		cmp	ecx, edx
		ja	short loc_471012
		mov	eax, dword_6D06B0
		lea	esi, [eax+ecx*8]
		mov	eax, [ebp-24h]
		cmp	eax, [esi]
		jb	short loc_471012
		cmp	ecx, edx
		jz	short loc_471061
		cmp	eax, [esi+8]
		jb	short loc_471061

loc_471012:				; CODE XREF: .text:00470FF8j
					; .text:00471007j
		xor	edi, edi
		test	edx, edx
		js	loc_471517
		lea	esp, [esp+0]

loc_471020:				; CODE XREF: .text:00471059j
		mov	eax, dword_6D06B0
		lea	ecx, [edi+edx]
		sar	ecx, 1
		lea	esi, [eax+ecx*8]
		mov	eax, [ebp-24h]
		cmp	eax, [esi]
		jnb	short loc_471041
		test	ecx, ecx
		jz	loc_471528
		lea	edx, [ecx-1]
		jmp	short loc_471051
; 

loc_471041:				; CODE XREF: .text:00471032j
		cmp	ecx, dword_6D0688
		jz	short loc_47105B
		cmp	eax, [esi+8]
		jb	short loc_47105B
		lea	edi, [ecx+1]

loc_471051:				; CODE XREF: .text:0047103Fj
		cmp	edx, edi
		jl	loc_471517
		jmp	short loc_471020
; 

loc_47105B:				; CODE XREF: .text:00471047j
					; .text:0047104Cj
		mov	dword_6D0684, ecx

loc_471061:				; CODE XREF: .text:0047100Bj
					; .text:00471010j
		mov	esi, [esi+4]
		lea	eax, [ebx+1C0h]
		mov	[ebp-58h], esi
		cmp	ebx, eax
		jz	short loc_4710D3
		mov	ecx, [ebp-20h]
		lea	edi, [ebx+18h]
		jmp	short loc_471080
; 
		align 10h

loc_471080:				; CODE XREF: .text:00471077j
					; .text:004710D1j
		cmp	ecx, dword_6D07B0
		ja	loc_471136
		mov	eax, dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_471136
		mov	al, [edi-2]
		and	al, 7
		cmp	al, 1
		ja	loc_471136
		test	dword ptr [edi], 800000h
		jnz	short loc_471136
		mov	ecx, [ebp-20h]
		lea	edx, [ebx+1C0h]
		add	edi, 1Ch
		inc	ecx
		mov	[ebp-20h], ecx
		lea	eax, [edi-18h]
		cmp	eax, edx
		jnz	short loc_471080

loc_4710D3:				; CODE XREF: .text:0047106Fj
		mov	eax, ds:_ZeroPte
		xor	edx, edx
		mov	ecx, [ebp-3Ch]
		mov	[ebp-60h], eax
		mov	eax, ds:dword_40F9FC
		mov	[ebp-5Ch], eax
		xor	eax, eax
		mov	[ebp-18h], ecx
		mov	ecx, offset unk_6D4EAC
		push	1
		mov	[ebp-14h], eax
		mov	[ebp-10h], eax
		mov	[ebp-0Ch], eax
		mov	[ebp-8], eax
		call	KeAbPreAcquire
		mov	edi, eax
		mov	ecx, 11h
		xor	eax, eax
		mov	edx, offset unk_6D4EAC
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_471149
		mov	ecx, edx
		call	@ExfTryAcquirePushLockShared@4 ; ExfTryAcquirePushLockShared(x)
		test	al, al
		jnz	short loc_471149
		test	edi, edi
		jz	short loc_471136
		mov	edx, edi
		mov	ecx, offset unk_6D4EAC
		call	KeAbPostReleaseEx

loc_471136:				; CODE XREF: .text:00470F96j
					; .text:00471086j ...
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_471149:				; CODE XREF: .text:00471119j
					; .text:00471124j
		test	edi, edi
		jz	short loc_471151
		or	byte ptr [edi+0Eh], 1

loc_471151:				; CODE XREF: .text:0047114Bj
		lea	eax, [ebx+1C0h]
		mov	edi, ebx
		cmp	ebx, eax
		jz	loc_47122E
		mov	eax, [ebp-18h]

loc_471164:				; CODE XREF: .text:00471228j
		mov	ecx, [ebp-1Ch]
		cmp	edi, ecx
		jnz	short loc_47118F
		test	byte ptr [edi+16h], 7
		lea	ecx, [edi+8]
		jnz	short loc_471185
		mov	eax, [ecx+4]
		and	dword ptr [ecx], 0FFFFFC1Fh
		mov	[ecx+4], eax
		jmp	loc_471216
; 

loc_471185:				; CODE XREF: .text:00471172j
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		jmp	loc_471216
; 

loc_47118F:				; CODE XREF: .text:00471169j
		cmp	eax, dword_6D07B0
		ja	loc_4712D5
		mov	edx, eax
		mov	ecx, eax
		mov	eax, dword_6D35B8
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_4712D2
		mov	al, [edi+16h]
		and	al, 7
		cmp	al, 1
		ja	loc_4712D2
		lea	eax, [edi+10h]
		lock bts dword ptr [eax], 1Fh
		jb	loc_4712D2
		mov	al, [edi+16h]
		and	al, 7
		cmp	al, 1
		ja	loc_4712C7
		test	byte ptr [edi+17h], 40h
		jnz	loc_4712C7
		test	dword ptr [edi+18h], 800000h
		jnz	loc_4712C7
		mov	ecx, [ebp-18h]
		xor	edx, edx
		push	0
		call	MiUnlinkFreeOrZeroedPage
		test	eax, eax
		jz	loc_4712BB
		movzx	eax, byte ptr [edi+16h]
		shr	eax, 6
		inc	dword ptr [ebp+eax*4-14h]

loc_471216:				; CODE XREF: .text:00471180j
					; .text:0047118Aj
		mov	eax, [ebp-18h]
		lea	ecx, [ebx+1C0h]
		add	edi, 1Ch
		inc	eax
		mov	[ebp-18h], eax
		cmp	edi, ecx
		jnz	loc_471164

loc_47122E:				; CODE XREF: .text:0047115Bj
					; .text:004712DDj
		mov	ecx, [ebp-14h]
		xor	eax, eax
		mov	edx, 1
		mov	[ebp-18h], edx
		test	ecx, ecx
		jz	short loc_471246
		xor	edx, edx
		mov	eax, ecx
		mov	[ebp-18h], edx

loc_471246:				; CODE XREF: .text:0047123Dj
		mov	ecx, [ebp-10h]
		cmp	eax, ecx
		jnb	short loc_471257
		mov	edx, 1
		mov	eax, ecx
		mov	[ebp-18h], edx

loc_471257:				; CODE XREF: .text:0047124Bj
		mov	ecx, [ebp-0Ch]
		cmp	eax, ecx
		jnb	short loc_471268
		mov	edx, 2
		mov	eax, ecx
		mov	[ebp-18h], edx

loc_471268:				; CODE XREF: .text:0047125Cj
		cmp	eax, [ebp-8]
		jnb	short loc_471275
		mov	edx, 3
		mov	[ebp-18h], edx

loc_471275:				; CODE XREF: .text:0047126Bj
		mov	eax, [ebp-2Ch]
		cmp	eax, 1
		jz	short loc_471299
		lea	ecx, [ecx+0]

loc_471280:				; CODE XREF: .text:00471294j
		sub	edi, 1Ch
		mov	ecx, edi
		call	_MiPfnZeroingNeeded@8 ;	MiPfnZeroingNeeded(x,x)
		test	eax, eax
		jnz	loc_47132C
		cmp	edi, ebx
		jnz	short loc_471280
		mov	eax, [ebp-2Ch]

loc_471299:				; CODE XREF: .text:0047127Bj
					; .text:00471334j
		mov	esi, 1
		mov	[ebp-20h], esi
		mov	ecx, esi
		cmp	eax, esi
		jnz	loc_471339
		lea	ecx, [ebp-60h]
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		mov	edx, [ebp-18h]
		jmp	loc_471349
; 

loc_4712BB:				; CODE XREF: .text:00471205j
		mov	edx, 200h
		mov	ecx, edi
		call	_MiReturnFreeZeroPage@8	; MiReturnFreeZeroPage(x,x)

loc_4712C7:				; CODE XREF: .text:004711DAj
					; .text:004711E4j ...
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx

loc_4712D2:				; CODE XREF: .text:004711B2j
					; .text:004711BFj ...
		mov	ecx, [ebp-1Ch]

loc_4712D5:				; CODE XREF: .text:00471195j
		lea	eax, [ebx+1C0h]
		cmp	edi, eax
		jz	loc_47122E
		cmp	ebx, edi
		jnb	short loc_47130C

loc_4712E7:				; CODE XREF: .text:0047130Aj
		cmp	ebx, ecx
		jz	short loc_471305
		mov	edx, 200h
		mov	ecx, ebx
		call	_MiReturnFreeZeroPage@8	; MiReturnFreeZeroPage(x,x)
		lea	eax, [ebx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	ecx, [ebp-1Ch]

loc_471305:				; CODE XREF: .text:004712E9j
		add	ebx, 1Ch
		cmp	ebx, edi
		jb	short loc_4712E7

loc_47130C:				; CODE XREF: .text:004712E5j
		sub	esp, 8
		mov	ecx, offset unk_6D4EAC
		call	_MiReleasePushLockUnordered@16 ; MiReleasePushLockUnordered(x,x,x,x)
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_47132C:				; CODE XREF: .text:0047128Cj
		mov	eax, 1
		mov	[ebp-2Ch], eax
		jmp	loc_471299
; 

loc_471339:				; CODE XREF: .text:004712A5j
		call	_MiColdPageSizeSupported@4 ; MiColdPageSizeSupported(x)
		neg	eax
		sbb	eax, eax
		not	eax
		and	esi, eax
		mov	[ebp-20h], esi

loc_471349:				; CODE XREF: .text:004712B6j
		xor	eax, eax
		lea	edi, [ebx+1A4h]
		mov	ecx, 10h
		mov	[ebp-54h], eax
		mov	[ebp-40h], edi
		mov	[ebp-24h], ecx
		nop

loc_471360:				; CODE XREF: .text:004713E1j
		movzx	eax, byte ptr [edi+16h]
		shr	eax, 6
		cmp	eax, edx
		jz	short loc_47137A
		push	1
		mov	ecx, edi
		call	MiChangePageAttribute
		mov	edx, [ebp-18h]
		mov	ecx, [ebp-24h]

loc_47137A:				; CODE XREF: .text:00471369j
		test	esi, esi
		jnz	short loc_4713CA
		mov	eax, [edi+8]
		mov	esi, dword_6D0704
		mov	ecx, [edi+0Ch]
		mov	[ebp-28h], eax
		mov	eax, dword_6D0700
		mov	[ebp-44h], eax
		or	eax, esi
		jz	short loc_4713B8
		mov	eax, [ebp-28h]
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4713B2
		mov	eax, [ebp-44h]
		not	esi
		not	eax
		and	[ebp-28h], eax
		and	ecx, esi
		jmp	short loc_4713B8
; 

loc_4713B2:				; CODE XREF: .text:004713A2j
		mov	eax, [ebp-28h]
		mov	[ebp-48h], eax

loc_4713B8:				; CODE XREF: .text:00471397j
					; .text:004713B0j
		mov	esi, [ebp-20h]
		cmp	ecx, 0FFFFFFFDh
		mov	ecx, [ebp-24h]
		jz	short loc_4713CA
		mov	dword ptr [ebp-54h], 1

loc_4713CA:				; CODE XREF: .text:0047137Cj
					; .text:004713C1j
		mov	dword ptr [edi+8], 0
		mov	dword ptr [edi+0Ch], 0
		sub	edi, 1Ch
		sub	ecx, 1
		mov	[ebp-24h], ecx
		jnz	loc_471360
		mov	esi, [ebp-58h]
		xor	eax, eax
		mov	edi, [ebp-3Ch]
		push	1
		push	dword ptr [ebp-20h]
		lea	esi, [esi+esi*4]
		mov	[ebp-44h], eax
		mov	eax, [ebp-2Ch]
		push	edx
		push	1
		shl	esi, 7
		mov	edx, edi
		add	esi, dword_6D4E50
		push	10h
		mov	[ebp-50h], edi
		mov	[ebp-4Ch], eax
		mov	dword ptr [ebp-48h], 2
		mov	byte ptr [ebp-44h], 21h
		call	_MiInitializeAllResidentPageBasePfns@28	; MiInitializeAllResidentPageBasePfns(x,x,x,x,x,x,x)
		push	1
		push	ecx
		push	dword ptr [ebp-18h]
		mov	edx, 10h
		mov	ecx, edi
		push	1
		call	_MiCreateInitialLargeLeafPfns@24 ; MiCreateInitialLargeLeafPfns(x,x,x,x,x,x)
		add	esi, 204h
		mov	dword ptr [ebp-38h], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp-34h], esi
		jz	short loc_47145C
		mov	edx, esi
		lea	ecx, [ebp-38h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_47146D
; 

loc_47145C:				; CODE XREF: .text:0047144Ej
		lea	edx, [ebp-38h]
		xchg	edx, [esi]
		test	edx, edx
		jz	short loc_47146D
		lea	ecx, [ebp-38h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_47146D:				; CODE XREF: .text:0047145Aj
					; .text:00471463j
		mov	esi, [ebp-40h]
		mov	edi, 10h

loc_471475:				; CODE XREF: .text:00471497j
		cmp	esi, ebx
		jnz	short loc_471481
		lea	ecx, [ebp-50h]
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)

loc_471481:				; CODE XREF: .text:00471477j
		cmp	esi, [ebp-1Ch]
		jz	short loc_471491
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_471491:				; CODE XREF: .text:00471484j
		sub	esi, 1Ch
		sub	edi, 1
		jnz	short loc_471475
		test	ds:byte_70EFC6,	1
		jz	short loc_4714E4
		mov	edx, [ebp+4]
		lea	ecx, [ebp-38h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_4714AD:				; CODE XREF: .text:004714FCj
		mov	esi, 1

loc_4714B2:				; CODE XREF: .text:00471515j
		cmp	dword ptr [ebp-54h], 0
		jz	short loc_4714C4
		mov	ecx, [ebp-3Ch]
		mov	edx, esi
		push	0
		call	_MiChangePageHeatImmediate@12 ;	MiChangePageHeatImmediate(x,x,x)

loc_4714C4:				; CODE XREF: .text:004714B6j
		sub	esp, 8
		mov	ecx, offset unk_6D4EAC
		call	_MiReleasePushLockUnordered@16 ; MiReleasePushLockUnordered(x,x,x,x)
		mov	ecx, [ebp-4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4714E4:				; CODE XREF: .text:004714A0j
		mov	eax, [ebp-38h]
		test	eax, eax
		jnz	short loc_471503
		mov	edx, [ebp-34h]
		lea	eax, [ebp-38h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-38h]
		cmp	eax, ecx
		jz	short loc_4714AD
		call	KxWaitForLockChainValid

loc_471503:				; CODE XREF: .text:004714E9j
		mov	dword ptr [ebp-38h], 0
		add	eax, 4
		mov	esi, 1
		lock xor [eax],	esi
		jmp	short loc_4714B2
; 

loc_471517:				; CODE XREF: .text:00471016j
					; .text:00471053j
		push	0
		push	0
		push	eax
		push	6201h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_471528:				; CODE XREF: .text:00471036j
		push	0
		push	esi
		push	eax
		push	6200h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 2 dup(0CCCCCCCCh)
; 

; __stdcall MiDeletePteRun(x, x)
_MiDeletePteRun@8:			; CODE XREF: MiDeleteVaTail+57p
					; MiDeleteEmptyPageTableTail(x)+A9p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 17Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+178h], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	[esp+1Ch], ecx
		push	edi
		push	88h
		push	eax
		mov	[esp+88h], eax
		mov	esi, edx
		mov	[esp+8Ch], eax
		mov	[esp+90h], eax
		mov	[esp+94h], eax
		lea	eax, [esp+0F0h]
		push	eax
		call	_memset
		mov	al, [esi+58h]
		add	esp, 0Ch
		mov	edi, [esi]
		mov	ebx, [esi+8]
		mov	edx, [esi+4]
		mov	[esp+2Fh], al
		mov	eax, [esi+4Ch]
		mov	[esp+78h], eax
		mov	eax, [esi+54h]
		mov	[esp+40h], eax
		mov	eax, edi
		shl	eax, 9
		mov	[esp+10h], ebx
		mov	[esp+24h], edi
		mov	[esp+7Ch], edx
		cmp	eax, 0C0000000h
		jb	short loc_4715DD
		mov	dword ptr [esp+30h], 1
		cmp	eax, 0C07FFFFFh
		jbe	short loc_4715E5

loc_4715DD:				; CODE XREF: .text:004715CCj
		mov	dword ptr [esp+30h], 0

loc_4715E5:				; CODE XREF: .text:004715DBj
		mov	ecx, [esp+20h]
		mov	al, [ecx+60h]
		add	ecx, 0FFFFFDC0h
		and	al, 7
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx
		xor	ecx, ecx
		mov	[esp+50h], eax
		xor	eax, eax
		mov	[esp+64h], eax
		mov	[esp+18h], ecx
		mov	[esp+48h], eax
		mov	[esp+58h], eax
		cmp	edi, edx
		ja	loc_472450
		nop

loc_471620:				; CODE XREF: .text:0047244Aj
		mov	edx, [edi]
		nop
		mov	esi, [edi+4]
		mov	eax, edx
		or	eax, esi
		mov	[esp+0Ch], esi
		jz	loc_47243F
		mov	eax, [esp+40h]
		and	eax, 80h
		mov	[esp+5Ch], eax
		jz	short loc_471688
		cmp	edi, 0C0600000h
		jb	short loc_471653
		cmp	edi, 0C0603FFFh
		jbe	short loc_471688

loc_471653:				; CODE XREF: .text:00471649j
		inc	ecx
		cmp	dword ptr [esp+58h], 0
		mov	[esp+18h], ecx
		jnz	short loc_471688
		mov	eax, large fs:124h
		mov	ecx, edi
		shr	ecx, 0Ch
		and	ecx, 7FFh
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		lea	eax, [eax+ecx*2]
		add	eax, 190h
		mov	[esp+58h], eax

loc_471688:				; CODE XREF: .text:00471641j
					; .text:00471651j ...
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jz	loc_4723AE
		xor	ebx, ebx
		mov	dword ptr [esp+4Ch], 0
		or	edx, 1
		mov	[esp+34h], ebx
		and	edx, 0FFFFFBFFh
		mov	[esp+44h], ebx
		mov	[esp+54h], ebx
		mov	[esp+14h], edx
		mov	[esp+70h], edx
		mov	[esp+74h], esi
		nop
		mov	ecx, edx
		mov	eax, esi
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		mov	[esp+1Ch], ecx
		cmp	ecx, dword_6D07B0
		ja	loc_47224A
		mov	eax, dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_47224A
		mov	edx, [esp+1Ch]
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		test	byte ptr [esp+40h], 60h
		lea	esi, [eax+ecx*4]
		mov	ecx, [esp+30h]
		jz	short loc_47177F
		test	ecx, ecx
		jnz	short loc_47177F
		lea	ecx, [esp+0E8h]
		call	_MiDeleteBatch@4 ; MiDeleteBatch(x)
		mov	ecx, esi
		call	MiIsPfnLocked
		test	eax, eax
		jnz	short loc_471744
		mov	ecx, [esp+1Ch]
		lea	edx, [ebx+4]
		call	_MiShowBadMapper@8 ; MiShowBadMapper(x,x)

loc_471744:				; CODE XREF: .text:00471736j
		test	byte ptr [esp+40h], 40h
		jz	short loc_471752
		mov	ecx, esi
		call	_MiDoubleUnlockMdlPage@4 ; MiDoubleUnlockMdlPage(x)

loc_471752:				; CODE XREF: .text:00471749j
					; .text:00472266j
		mov	ecx, edi
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		mov	dword ptr [esp+0Ch], 4
		mov	[esp+14h], ebx
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+ecx*4]
		mov	[esp+1Ch], ecx
		jmp	loc_47219D
; 

loc_47177F:				; CODE XREF: .text:0047171Bj
					; .text:0047171Fj
		test	esi, esi
		jz	loc_47224A
		mov	eax, [esp+20h]
		test	byte ptr [eax+60h], 7
		jnz	short loc_4717D9
		test	ecx, ecx
		jnz	short loc_4717D9
		test	dl, 0Fh
		jnz	short loc_4717D9
		mov	eax, [esp+7Ch]
		sub	eax, edi
		sar	eax, 3
		inc	eax
		cmp	eax, 10h
		jl	short loc_4717D9
		lea	edx, [esp+0E8h]
		mov	ecx, edi
		call	_MiDeleteClusterPage@8 ; MiDeleteClusterPage(x,x)
		cmp	eax, 1
		jnz	short loc_4717D9
		mov	ecx, [esp+18h]
		cmp	[esp+5Ch], ebx
		jz	short loc_4717CD
		add	ecx, 0Fh
		mov	[esp+18h], ecx

loc_4717CD:				; CODE XREF: .text:004717C4j
		mov	ebx, [esp+10h]
		add	edi, 78h
		jmp	loc_47243F
; 

loc_4717D9:				; CODE XREF: .text:0047178Fj
					; .text:00471793j ...
		mov	edx, [esi+4]
		mov	ecx, esi
		mov	edi, edx
		or	edi, 80000000h
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_471A70
		test	dword ptr [esi+18h], 800000h
		jnz	short loc_471822
		test	edx, edx
		js	short loc_471822
		jz	short loc_471822
		mov	[esp+4Ch], edi

loc_471806:				; CODE XREF: .text:00471899j
		lea	ecx, [esp+0E8h]
		call	_MiDeleteBatch@4 ; MiDeleteBatch(x)
		mov	edi, [esp+10h]
		mov	ecx, [esp+24h]
		add	[edi+4], eax
		jmp	loc_4718A9
; 

loc_471822:				; CODE XREF: .text:004717FAj
					; .text:004717FEj ...
		mov	eax, ds:_MmHighestUserAddress
		mov	ecx, [esp+24h]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	ecx, eax
		ja	short loc_4718A5
		cmp	ecx, 0C0000000h
		jb	short loc_4718A5
		mov	eax, [esp+50h]
		mov	eax, [eax+148h]
		mov	[esp+28h], eax
		test	eax, eax
		jz	short loc_4718A5
		push	30h
		lea	eax, [esp+0BCh]
		mov	[esp+58h], edi
		push	0
		push	eax
		call	_memset
		mov	ebx, [esp+34h]
		add	esp, 0Ch
		mov	[esp+0C4h], edi
		mov	[esp+0C8h], edi

loc_471880:				; CODE XREF: .text:00471893j
		cmp	edi, [ebx+10h]
		ja	short loc_47188E
		cmp	edi, [ebx+0Ch]
		jnb	short loc_471897
		mov	ebx, [ebx]
		jmp	short loc_471891
; 

loc_47188E:				; CODE XREF: .text:00471883j
		mov	ebx, [ebx+4]

loc_471891:				; CODE XREF: .text:0047188Cj
		test	ebx, ebx
		jnz	short loc_471880
		jmp	short loc_47189F
; 

loc_471897:				; CODE XREF: .text:00471888j
		test	ebx, ebx
		jnz	loc_471806

loc_47189F:				; CODE XREF: .text:00471895j
		mov	ecx, [esp+24h]
		xor	ebx, ebx

loc_4718A5:				; CODE XREF: .text:0047183Aj
					; .text:00471842j ...
		mov	edi, [esp+10h]

loc_4718A9:				; CODE XREF: .text:0047181Dj
		mov	eax, ecx
		mov	dword ptr [esp+38h], 0
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	dword ptr [esp+3Ch], 0
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[esp+0A8h], edx
		mov	[esp+0ACh], eax
		nop
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		cmp	byte ptr [esp+0E8h], 0
		lea	ecx, [eax+ecx*4]
		mov	[esp+1Ch], ecx
		jz	short loc_471938
		cmp	ecx, [esp+0ECh]
		jnz	short loc_47191B
		lea	eax, [esi+10h]
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_47192E

loc_47191B:				; CODE XREF: .text:0047190Fj
		lea	ecx, [esp+0E8h]
		call	_MiDeleteBatch@4 ; MiDeleteBatch(x)
		add	[edi+4], eax
		mov	ecx, [esp+1Ch]

loc_47192E:				; CODE XREF: .text:00471919j
		cmp	byte ptr [esp+0E8h], 0
		jnz	short loc_47197A

loc_471938:				; CODE XREF: .text:00471906j
		mov	[esp+0ECh], ecx
		lea	edi, [esi+10h]
		mov	dword ptr [esp+94h], 0
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_47197A

loc_471954:				; CODE XREF: .text:00471963j
					; .text:0047196Aj
		lea	ecx, [esp+94h]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_471954
		lock bts dword ptr [edi], 1Fh
		jb	short loc_471954
		mov	ecx, [esp+70h]
		mov	edi, [esp+74h]
		mov	[esp+14h], ecx
		jmp	short loc_471982
; 

loc_47197A:				; CODE XREF: .text:00471936j
					; .text:00471952j
		mov	edi, [esp+0Ch]
		mov	ecx, [esp+14h]

loc_471982:				; CODE XREF: .text:00471978j
		mov	eax, [esp+20h]
		test	byte ptr [eax+60h], 7
		jnz	loc_471A3A
		mov	dl, [esi+16h]
		mov	al, dl
		and	al, 7
		cmp	al, 6
		jnz	loc_471A3A
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jnz	loc_471A3A
		mov	eax, ecx
		and	eax, 42h
		or	eax, 0
		jnz	short loc_4719BF
		test	dl, 10h
		jz	short loc_471A3A

loc_4719BF:				; CODE XREF: .text:004719B8j
		cmp	dword ptr [esp+4Ch], 0
		jnz	short loc_471A3A
		test	ebx, ebx
		jnz	short loc_471A3A
		movzx	eax, byte ptr [esp+0E8h]
		mov	[esp+eax*8+0F0h], ecx
		mov	[esp+eax*8+0F4h], edi
		cmp	[esp+0E8h], bl
		jnz	short loc_4719F1
		mov	dword ptr [esp+48h], offset _MiSystemPartition

loc_4719F1:				; CODE XREF: .text:004719E7j
		mov	edi, [esp+24h]
		mov	eax, ds:_ZeroPte
		mov	[edi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edi+4], eax
		mov	al, [esp+0E8h]
		inc	al
		mov	[esp+0E8h], al
		cmp	al, 10h
		jnz	short loc_471A31
		lea	ecx, [esp+0E8h]
		call	_MiDeleteBatch@4 ; MiDeleteBatch(x)
		mov	ebx, [esp+10h]
		add	[ebx+4], eax
		jmp	loc_47243B
; 

loc_471A31:				; CODE XREF: .text:00471A17j
		mov	ebx, [esp+10h]
		jmp	loc_47243B
; 

loc_471A3A:				; CODE XREF: .text:0047198Aj
					; .text:00471999j ...
		cmp	byte ptr [esp+0E8h], 0
		jz	loc_471B6F
		lea	ecx, [esp+0E8h]
		mov	byte ptr [esp+0E9h], 1
		call	_MiDeleteBatch@4 ; MiDeleteBatch(x)
		mov	edx, [esp+10h]
		mov	byte ptr [esp+0E9h], 0
		add	[edx+4], eax
		jmp	loc_471B73
; 

loc_471A70:				; CODE XREF: .text:004717EDj
		cmp	esi, dword_6D34E0
		jnz	short loc_471A8D
		mov	edi, [esp+24h]
		mov	eax, ds:_ZeroPte
		mov	[edi], eax
		nop
		mov	ebx, [esp+10h]
		jmp	loc_472433
; 

loc_471A8D:				; CODE XREF: .text:00471A76j
		lea	ecx, [esp+0E8h]
		call	_MiDeleteBatch@4 ; MiDeleteBatch(x)
		mov	edx, [esp+10h]
		add	[edx+4], eax
		cmp	edi, [esp+24h]
		jnz	loc_4724A8
		mov	eax, [esi+18h]
		lea	edi, [esi+10h]
		and	eax, offset loc_7FFFFF
		mov	[esp+98h], ebx
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		inc	dword ptr [edx+0Ch]
		lea	eax, [eax+ecx*4]
		mov	[esp+1Ch], eax
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_471AFF
		jmp	short loc_471AE0
; 
		align 10h

loc_471AE0:				; CODE XREF: .text:00471ADBj
					; .text:00471AEEj ...
		lea	ecx, [esp+98h]
		call	KeYieldProcessorEx
		cmp	[edi], ebx
		jl	short loc_471AE0
		lock bts dword ptr [edi], 1Fh
		jb	short loc_471AE0
		mov	ecx, [esp+70h]
		mov	[esp+14h], ecx

loc_471AFF:				; CODE XREF: .text:00471AD9j
		or	dword ptr [edi], 40000000h
		cmp	[esp+2Fh], bl
		jz	short loc_471B45
		cmp	[esp+30h], ebx
		jz	short loc_471B45
		xor	eax, eax
		lea	edx, [esp+80h]
		mov	ecx, esi
		mov	[esp+80h], eax
		mov	[esp+84h], eax
		mov	[esp+88h], eax
		mov	[esp+8Ch], eax
		call	_MiIdentifyPfn@8 ; MiIdentifyPfn(x,x)
		mov	dword ptr [esp+64h], 1

loc_471B45:				; CODE XREF: .text:00471B09j
					; .text:00471B0Fj
		mov	eax, [esp+20h]
		test	byte ptr [eax+60h], 7
		jz	short loc_471B6F
		mov	ecx, [esi+18h]
		mov	eax, ecx
		mov	edx, [esp+10h]
		and	eax, 70000000h
		cmp	eax, 20000000h
		jnz	short loc_471B73
		and	ecx, 8FFFFFFFh
		mov	[esi+18h], ecx
		jmp	short loc_471B73
; 

loc_471B6F:				; CODE XREF: .text:00471A42j
					; .text:00471B4Dj
		mov	edx, [esp+10h]

loc_471B73:				; CODE XREF: .text:00471A6Bj
					; .text:00471B62j ...
		mov	cl, [esi+16h]
		mov	al, cl
		and	al, 7
		cmp	al, 6
		jnz	loc_4724A1
		mov	edi, [esp+14h]
		mov	eax, edi
		and	eax, 42h
		mov	dword ptr [esp+48h], offset _MiSystemPartition
		or	eax, 0
		jz	loc_471C1F
		mov	dword ptr [esp+34h], 0
		mov	dword ptr [esp+44h], 0
		test	cl, 10h
		jnz	short loc_471C1F
		mov	eax, [esi+8]
		mov	ch, cl
		mov	edx, [esi+0Ch]
		mov	[esp+28h], eax
		and	eax, 400h
		or	eax, 0
		mov	[esp+14h], edx
		mov	edx, [esp+10h]
		jnz	short loc_471C19
		test	cl, 8
		jnz	short loc_471C19
		mov	eax, [esp+28h]
		mov	edx, eax
		mov	[esp+34h], edx
		mov	edx, [esp+14h]
		shrd	eax, edx, 2
		mov	edx, [esp+10h]
		test	al, 1
		jz	short loc_471C07
		nop
		mov	eax, [esi+0Ch]
		and	dword ptr [esi+8], 0FFFFFFFBh
		and	dword ptr [esp+34h], 0FFFFFFFDh
		mov	[esi+0Ch], eax
		mov	ch, [esi+16h]
		mov	[esp+44h], eax
		jmp	short loc_471C19
; 

loc_471C07:				; CODE XREF: .text:00471BECj
		mov	dword ptr [esp+34h], 0
		mov	ch, cl
		mov	dword ptr [esp+44h], 0

loc_471C19:				; CODE XREF: .text:00471BCDj
					; .text:00471BD2j ...
		or	ch, 10h
		mov	[esi+16h], ch

loc_471C1F:				; CODE XREF: .text:00471B96j
					; .text:00471BAFj
		mov	eax, [esp+20h]
		test	byte ptr [eax+60h], 7
		jz	short loc_471C96
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_471C96
		mov	eax, [esi+8]
		mov	ecx, [esi+0Ch]
		mov	[esp+28h], eax
		and	eax, 400h
		or	eax, 0
		jz	short loc_471C93
		and	edi, 200h
		or	edi, 0
		jnz	short loc_471C93
		mov	eax, dword_6D0700
		mov	edi, dword_6D0704
		or	eax, edi
		mov	[esp+14h], edi
		jz	short loc_471C82
		mov	edi, [esp+28h]
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_471C7E
		not	dword ptr [esp+14h]
		and	ecx, [esp+14h]
		jmp	short loc_471C82
; 

loc_471C7E:				; CODE XREF: .text:00471C72j
		mov	[esp+38h], edi

loc_471C82:				; CODE XREF: .text:00471C64j
					; .text:00471C7Cj
		mov	eax, [ecx]
		mov	eax, [eax+1Ch]
		and	eax, 820h
		cmp	eax, 820h
		jnz	short loc_471C96

loc_471C93:				; CODE XREF: .text:00471C46j
					; .text:00471C51j
		inc	dword ptr [edx+0Ch]

loc_471C96:				; CODE XREF: .text:00471C27j
					; .text:00471C32j ...
		cmp	dword ptr [esp+30h], 0
		mov	dword ptr [esp+0Ch], 4
		mov	dword ptr [esp+14h], 0
		jz	short loc_471CCB
		cmp	dword ptr [esp+5Ch], 0
		jz	short loc_471CCB
		mov	eax, [esi+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 10000h
		jb	short loc_471CCB
		mov	dword ptr [esp+14h], 1

loc_471CCB:				; CODE XREF: .text:00471CABj
					; .text:00471CB2j ...
		mov	ecx, [esi+10h]
		lea	edi, [esi+10h]
		mov	edx, ecx
		mov	[esp+28h], edi
		lea	eax, [ecx-1]
		xor	edx, eax
		and	edx, 3FFFFFFFh
		xor	edx, ecx
		mov	[edi], edx
		test	edx, 3FFFFFFFh
		jz	short loc_471D1B
		cmp	dword ptr [esp+30h], 0
		jz	loc_472119
		test	dword ptr [esp+40h], 100h
		mov	dword ptr [esp+0Ch], 2
		jnz	loc_472119
		mov	eax, [esi]
		and	eax, 0FFFFFFFEh
		mov	[esi], eax
		jmp	loc_472119
; 

loc_471D1B:				; CODE XREF: .text:00471CECj
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_471F88
		mov	ecx, [esi+8]
		nop
		mov	eax, [esi+0Ch]
		mov	edx, [esi+18h]
		shrd	ecx, eax, 5
		and	edx, offset loc_7FFFFF
		mov	dword ptr [esp+0Ch], 4
		shr	eax, 5
		mov	[esp+6Ch], eax
		mov	eax, [esi+4]
		mov	[esp+38h], ecx
		lea	ecx, ds:0[edx*8]
		mov	[esp+60h], eax
		sub	ecx, edx
		mov	eax, ds:_MmPfnDatabase
		movzx	eax, byte ptr [eax+ecx*4+16h]
		shr	eax, 6
		test	eax, eax
		jz	short loc_471D83
		cmp	eax, 3
		jz	short loc_471D83
		cmp	eax, 2
		jnz	short loc_471D8A
		mov	eax, 1Ch
		jmp	short loc_471D8E
; 

loc_471D83:				; CODE XREF: .text:00471D70j
					; .text:00471D75j
		mov	eax, 0Ch
		jmp	short loc_471D8E
; 

loc_471D8A:				; CODE XREF: .text:00471D7Aj
		mov	eax, [esp+0Ch]

loc_471D8E:				; CODE XREF: .text:00471D81j
					; .text:00471D88j
		and	eax, 1Fh
		mov	edi, ds:_MmProtectToPteMask[eax*8]
		mov	ecx, ds:dword_40B4DC[eax*8]
		and	edi, 0F7Fh
		xor	eax, eax
		and	ecx, 0FFFFFFE0h
		shld	eax, edx, 0Ch
		or	ecx, eax
		shl	edx, 0Ch
		mov	al, byte ptr word_6D07B8
		or	edi, edx
		and	al, 1
		or	edi, 121h
		movzx	eax, al
		and	edi, 0FFFFFEFFh
		cdq
		shld	edx, eax, 8
		shl	eax, 8
		or	edx, ecx
		or	eax, edi
		xor	edi, edi
		or	eax, 42h
		mov	[esp+0Ch], eax
		mov	eax, large fs:20h
		mov	ecx, [eax+3D34h]
		mov	eax, ecx
		and	eax, 0FFFh
		and	ecx, 0FFFFF000h
		shl	eax, 0Ch
		add	ecx, eax
		mov	[esp+68h], ecx
		shr	ecx, 9
		sub	ecx, 40000000h
		cmp	dword_6D07D0, 0C0000000h
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	ecx, 0C0603000h
		jb	short loc_471E72
		cmp	ecx, eax
		jnb	short loc_471E72
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_471E4E
		cmp	byte ptr word_6D07B8+1,	0
		mov	edi, 1
		mov	eax, [esp+0Ch]
		jnz	short loc_471E76
		or	edx, 80000000h
		jmp	short loc_471E76
; 

loc_471E4E:				; CODE XREF: .text:00471E32j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, [esp+0Ch]
		jz	short loc_471E76
		or	edx, 80000000h
		jmp	short loc_471E76
; 

loc_471E72:				; CODE XREF: .text:00471E25j
					; .text:00471E29j
		mov	eax, [esp+0Ch]

loc_471E76:				; CODE XREF: .text:00471E44j
					; .text:00471E4Cj ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], eax
		test	edi, edi
		jz	short loc_471E87
		push	edx
		push	eax
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_471E87:				; CODE XREF: .text:00471E7Ej
		mov	eax, [esp+60h]
		mov	ecx, [esp+68h]
		shr	eax, 3
		and	eax, 1FFh
		lea	eax, [ecx+eax*8]
		mov	ecx, [eax]
		mov	[esp+68h], eax
		nop
		mov	eax, [eax+4]
		nop
		mov	edx, [esp+38h]
		xor	edi, edi
		and	edx, 1Fh
		and	eax, 1Fh
		or	edx, 40h
		and	ecx, 0FFFFF000h
		shld	edi, edx, 5
		shl	edx, 5
		or	edi, eax
		mov	eax, dword_6D0704
		or	edx, ecx
		mov	ecx, dword_6D0700
		mov	[esp+0Ch], eax
		mov	eax, ecx
		or	eax, [esp+0Ch]
		mov	[esp+38h], ecx
		jz	short loc_471EF9
		mov	eax, [esp+0Ch]
		and	ecx, edx
		and	eax, edi
		or	ecx, eax
		jnz	short loc_471EF6
		or	edx, [esp+38h]
		or	edi, [esp+0Ch]
		jmp	short loc_471EF9
; 

loc_471EF6:				; CODE XREF: .text:00471EEAj
		or	edx, 10h

loc_471EF9:				; CODE XREF: .text:00471EDEj
					; .text:00471EF4j
		mov	ecx, [esp+68h]
		mov	[esp+0B0h], edx
		mov	[esp+0B4h], edi
		mov	[ecx], edx
		nop
		mov	[ecx+4], edi
		mov	eax, large fs:20h
		mov	[esp+60h], eax
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		mov	eax, [eax+3D34h]
		mov	edi, eax
		and	edi, 0FFFh
		and	eax, 0FFFFF000h
		mov	[esp+68h], eax
		lea	eax, [edi+1]
		mov	[esp+38h], eax
		mov	eax, ds:_ZeroPte
		mov	[ecx-40000000h], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ecx-3FFFFFFCh], eax
		cmp	edi, 0FFh
		jnz	short loc_471F66
		call	_MiFlushHyperSpace@0 ; MiFlushHyperSpace()

loc_471F66:				; CODE XREF: .text:00471F5Fj
		mov	eax, [esp+60h]
		sub	edi, 0FFh
		mov	edx, [esp+28h]
		neg	edi
		sbb	edi, edi
		and	edi, [esp+38h]
		or	edi, [esp+68h]
		mov	[eax+3D34h], edi
		mov	edx, [edx]

loc_471F88:				; CODE XREF: .text:00471D24j
		mov	eax, 0FFFFh
		and	edx, 40000000h
		add	[esi+14h], ax
		movzx	eax, word ptr [esi+14h]
		test	ax, ax
		jz	loc_472024
		mov	al, [esi+16h]
		test	edx, edx
		jz	short loc_471FAF
		or	al, 7
		jmp	short loc_471FBD
; 

loc_471FAF:				; CODE XREF: .text:00471FA9j
		test	al, 10h
		jz	short loc_471FB9
		and	al, 0FBh
		or	al, 3
		jmp	short loc_471FBD
; 

loc_471FB9:				; CODE XREF: .text:00471FB1j
		and	al, 0FAh
		or	al, 2

loc_471FBD:				; CODE XREF: .text:00471FADj
					; .text:00471FB7j
		mov	[esi+16h], al
		lea	ecx, [esi+8]
		mov	eax, [ecx]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_471FDF
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jz	short loc_471FDF
		mov	byte_6D4FB7, 1

loc_471FDF:				; CODE XREF: .text:00471FCDj
					; .text:00471FD6j
		cmp	dword ptr [esp+30h], 0
		mov	dword ptr [esp+0Ch], 3
		jz	short loc_471FFD
		cmp	dword ptr [esp+5Ch], 0
		jz	short loc_471FFD
		mov	dword ptr [esp+14h], 1

loc_471FFD:				; CODE XREF: .text:00471FECj
					; .text:00471FF3j
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_472119
		cmp	dword ptr [esp+4Ch], 0
		jnz	loc_472119
		test	ebx, ebx
		jnz	loc_472119
		jmp	loc_472111
; 

loc_472024:				; CODE XREF: .text:00471F9Ej
		test	edx, edx
		jz	loc_4720C3
		mov	al, [esi+17h]
		test	al, 10h
		jz	short loc_472038
		and	al, 0EFh
		mov	[esi+17h], al

loc_472038:				; CODE XREF: .text:00472031j
		mov	edx, [esi+8]
		mov	eax, edx
		mov	edi, [esi+0Ch]
		and	eax, 400h
		or	eax, 0
		mov	[esp+0A0h], edx
		mov	[esp+0A4h], edi
		jnz	short loc_47209E
		mov	ecx, edx
		mov	eax, edi
		shrd	ecx, eax, 2
		test	cl, 1
		jz	short loc_472068
		nop
		jmp	short loc_47207C
; 

loc_472068:				; CODE XREF: .text:00472063j
		mov	ecx, edx
		mov	eax, edi
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_472078
		nop
		jmp	short loc_47207C
; 

loc_472078:				; CODE XREF: .text:00472073j
		xor	edx, edx
		xor	edi, edi

loc_47207C:				; CODE XREF: .text:00472066j
					; .text:00472076j
		mov	eax, edx
		mov	[esp+0A0h], edx
		or	eax, edi
		mov	[esp+0A4h], edi
		jz	short loc_47209E
		push	edi
		push	edx
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_47209E:				; CODE XREF: .text:00472056j
					; .text:0047208Ej
		sub	esi, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	esi
		add	edx, esi
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	edx, 2
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		jmp	short loc_472111
; 

loc_4720C3:				; CODE XREF: .text:00472026j
		mov	al, [esi+16h]
		test	al, 10h
		jz	short loc_4720DE
		mov	edx, [esp+78h]
		dec	edx
		neg	edx
		sbb	edx, edx
		and	edx, 0FFFFFF80h
		add	edx, 88h
		jmp	short loc_47210A
; 

loc_4720DE:				; CODE XREF: .text:004720C8j
		mov	edi, [esp+78h]
		and	al, 0FAh
		or	al, 2
		mov	[esi+16h], al
		cmp	edi, 1
		jbe	short loc_472105
		mov	ecx, esi
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		cmp	eax, 5
		jnb	short loc_472105
		mov	edx, esi
		mov	ecx, edi
		call	_MiInsertProtectedStandbyPage@8	; MiInsertProtectedStandbyPage(x,x)
		jmp	short loc_472111
; 

loc_472105:				; CODE XREF: .text:004720ECj
					; .text:004720F8j
		mov	edx, 4

loc_47210A:				; CODE XREF: .text:004720DCj
		mov	ecx, esi
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)

loc_472111:				; CODE XREF: .text:0047201Fj
					; .text:004720C1j ...
		mov	dword ptr [esp+0Ch], 4

loc_472119:				; CODE XREF: .text:00471CF3j
					; .text:00471D09j ...
		cmp	dword ptr [esp+14h], 1
		jnz	short loc_472131
		push	4
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiChargeCommit

loc_472131:				; CODE XREF: .text:0047211Ej
		mov	eax, [esp+28h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		cmp	dword ptr [esp+64h], 0
		jz	short loc_472199
		push	11401B02h
		push	277h
		lea	eax, [esp+88h]
		mov	dword ptr [esp+17Ch], 0
		push	20000001h
		mov	edx, 1
		mov	[esp+17Ch], eax
		lea	ecx, [esp+17Ch]
		mov	dword ptr [esp+184h], 10h
		mov	dword ptr [esp+188h], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		xor	eax, eax
		mov	[esp+64h], eax

loc_472199:				; CODE XREF: .text:00472142j
		mov	ecx, [esp+1Ch]

loc_47219D:				; CODE XREF: .text:0047177Aj
		test	ecx, ecx
		jz	short loc_472214
		mov	dword ptr [esp+9Ch], 0
		lea	edi, [ecx+10h]
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_4721DC
		jmp	short loc_4721C0
; 
		align 10h

loc_4721C0:				; CODE XREF: .text:004721B6j
					; .text:004721CFj ...
		lea	ecx, [esp+9Ch]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_4721C0
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4721C0
		mov	ecx, [esp+1Ch]

loc_4721DC:				; CODE XREF: .text:004721B4j
		mov	al, [ecx+16h]
		and	al, 7
		cmp	al, 6
		jnz	loc_4724A3
		mov	edx, [edi]
		mov	esi, edx
		and	esi, 3FFFFFFFh
		dec	esi
		mov	eax, esi
		xor	eax, edx
		and	eax, 3FFFFFFFh
		xor	eax, edx
		mov	[edi], eax
		test	esi, esi
		jnz	short loc_47220C
		xor	edx, edx
		call	_MiPfnShareCountIsZero@8 ; MiPfnShareCountIsZero(x,x)

loc_47220C:				; CODE XREF: .text:00472203j
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax

loc_472214:				; CODE XREF: .text:0047219Fj
		mov	edx, [esp+34h]
		mov	eax, edx
		mov	ecx, [esp+44h]
		or	eax, ecx
		mov	edi, [esp+48h]
		jz	short loc_472234
		push	ecx
		push	edx
		mov	edx, 1
		mov	ecx, edi
		call	MiReleasePageFileInfo

loc_472234:				; CODE XREF: .text:00472224j
		mov	eax, [esp+4Ch]
		test	eax, eax
		jz	short loc_47226B
		mov	edx, eax
		call	_MiDecrementCombinedPte@8 ; MiDecrementCombinedPte(x,x)
		mov	ecx, eax
		jmp	loc_47232E
; 

loc_47224A:				; CODE XREF: .text:004716DCj
					; .text:004716F7j ...
		lea	ecx, [esp+0E8h]
		call	_MiDeleteBatch@4 ; MiDeleteBatch(x)
		mov	edx, [esp+1Ch]
		mov	ecx, 1
		push	1
		call	MiDereferenceIoPages
		jmp	loc_471752
; 

loc_47226B:				; CODE XREF: .text:0047223Aj
		test	ebx, ebx
		jz	loc_47232A
		mov	eax, [esp+50h]
		mov	eax, [eax+140h]
		test	eax, eax
		jz	short loc_47228E
		cmp	eax, large fs:124h
		jnz	loc_4724C1

loc_47228E:				; CODE XREF: .text:0047227Fj
		mov	eax, [ebx+1Ch]
		mov	ecx, [esp+54h]
		mov	esi, [eax+0Ch]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+0Ch], eax
		dec	eax
		jnz	short loc_4722B4
		mov	edx, ecx
		mov	ecx, esi
		call	MiDeleteMergedPte
		mov	ecx, eax
		mov	[esp+0Ch], eax
		jmp	short loc_4722BD
; 

loc_4722B4:				; CODE XREF: .text:004722A1j
		mov	ecx, 4
		mov	[esp+0Ch], ecx

loc_4722BD:				; CODE XREF: .text:004722B2j
		mov	eax, [esp+50h]
		mov	edx, [eax+24Ch]
		mov	eax, [edx+8Ch]
		cmp	eax, [ebx+2Ch]
		jb	short loc_472314
		ja	short loc_4722DF
		mov	eax, [edx+88h]
		cmp	eax, [ebx+28h]
		jbe	short loc_472314

loc_4722DF:				; CODE XREF: .text:004722D2j
		mov	edx, [esp+54h]
		or	eax, 0FFFFFFFFh
		lock xadd [edx+8], eax
		dec	eax
		test	eax, 7FFFFFFh
		jnz	short loc_47230B
		lock dec dword ptr [esi+1124h]
		cmp	ecx, 3
		jz	short loc_47230B
		mov	edx, 1
		mov	ecx, esi
		call	MiReturnCommit

loc_47230B:				; CODE XREF: .text:004722F1j
					; .text:004722FDj
		mov	ecx, 5
		mov	[esp+0Ch], ecx

loc_472314:				; CODE XREF: .text:004722D0j
					; .text:004722DDj
		or	eax, 0FFFFFFFFh
		lock xadd [ebx+18h], eax
		dec	eax
		jnz	short loc_47232E
		mov	ecx, [esp+50h]
		mov	edx, ebx
		call	_MiDeleteCloneDescriptor@8 ; MiDeleteCloneDescriptor(x,x)

loc_47232A:				; CODE XREF: .text:0047226Dj
		mov	ecx, [esp+0Ch]

loc_47232E:				; CODE XREF: .text:00472245j
					; .text:0047231Dj
		cmp	dword ptr [esp+14h], 1
		jz	short loc_472363
		cmp	ecx, 3
		jnz	short loc_472355
		mov	ebx, [esp+20h]
		test	byte ptr [ebx+60h], 7
		jz	short loc_47234C
		cmp	edi, offset _MiSystemPartition
		jnz	short loc_472363

loc_47234C:				; CODE XREF: .text:00472342j
		mov	ebx, [esp+10h]
		inc	dword ptr [ebx+4]
		jmp	short loc_472367
; 

loc_472355:				; CODE XREF: .text:00472338j
		mov	ebx, [esp+10h]
		cmp	ecx, 5
		jnz	short loc_472367
		inc	dword ptr [ebx+8]
		jmp	short loc_472367
; 

loc_472363:				; CODE XREF: .text:00472333j
					; .text:0047234Aj
		mov	ebx, [esp+10h]

loc_472367:				; CODE XREF: .text:00472353j
					; .text:0047235Cj ...
		mov	eax, [esp+20h]
		test	byte ptr [eax+60h], 7
		jz	short loc_472373
		inc	dword ptr [ebx]

loc_472373:				; CODE XREF: .text:0047236Fj
		mov	edi, [esp+24h]
		lea	eax, [edi+3FA00000h]
		cmp	eax, 3FFFh
		ja	loc_47242B
		mov	eax, [esp+20h]
		test	byte ptr [eax+60h], 7
		jz	loc_47242B
		push	ds:dword_40F9FC
		mov	ecx, edi
		push	ds:_ZeroPte
		call	MiWriteTopLevelPxe
		jmp	loc_47243B
; 

loc_4723AE:				; CODE XREF: .text:00471692j
		lea	ecx, [esp+0E8h]
		call	_MiDeleteBatch@4 ; MiDeleteBatch(x)
		add	[ebx+4], eax
		mov	ecx, edi
		call	_MiTryDeleteTransitionPte@8 ; MiTryDeleteTransitionPte(x,x)
		cmp	eax, 1
		jz	short loc_4723E6
		mov	ecx, [esp+20h]
		inc	dword ptr [ebx+0Ch]
		test	byte ptr [ecx+60h], 7
		jz	short loc_4723D8
		inc	dword ptr [ebx]

loc_4723D8:				; CODE XREF: .text:004723D4j
		mov	ecx, [esp+18h]
		cmp	eax, 3
		jnz	short loc_47243F
		inc	dword ptr [ebx+4]
		jmp	short loc_47243F
; 

loc_4723E6:				; CODE XREF: .text:004723C7j
		mov	esi, [edi]
		nop
		mov	eax, [edi+4]
		mov	edx, 1
		push	eax
		push	esi
		mov	ecx, offset _MiSystemPartition
		mov	[esp+40h], eax
		mov	[esp+78h], esi
		mov	[esp+7Ch], eax
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		mov	eax, [esp+20h]
		test	byte ptr [eax+60h], 7
		jnz	short loc_472426
		push	dword ptr [esp+38h]
		push	esi
		call	_IS_PTE_NOT_DEMAND_ZERO@8 ; IS_PTE_NOT_DEMAND_ZERO(x,x)
		test	eax, eax
		jz	short loc_47242B
		inc	dword ptr [ebx+0Ch]
		jmp	short loc_47242B
; 

loc_472426:				; CODE XREF: .text:00472411j
		inc	dword ptr [ebx+0Ch]
		inc	dword ptr [ebx]

loc_47242B:				; CODE XREF: .text:00472382j
					; .text:00472390j ...
		mov	eax, ds:_ZeroPte
		mov	[edi], eax
		nop

loc_472433:				; CODE XREF: .text:00471A88j
		mov	eax, ds:dword_40F9FC
		mov	[edi+4], eax

loc_47243B:				; CODE XREF: .text:00471A2Cj
					; .text:00471A35j ...
		mov	ecx, [esp+18h]

loc_47243F:				; CODE XREF: .text:0047162Ej
					; .text:004717D4j ...
		add	edi, 8
		mov	[esp+24h], edi
		cmp	edi, [esp+7Ch]
		jbe	loc_471620

loc_472450:				; CODE XREF: .text:00471619j
		lea	ecx, [esp+0E8h]
		call	_MiDeleteBatch@4 ; MiDeleteBatch(x)
		mov	esi, [esp+18h]
		test	esi, esi
		jz	short loc_47247D
		mov	ebx, [esp+58h]
		movzx	eax, si
		movzx	edx, word ptr [ebx]
		mov	ecx, edx
		sub	ecx, eax
		cmp	ecx, 200h
		jnb	short loc_472492
		mov	[ebx], cx

loc_47247D:				; CODE XREF: .text:00472462j
		mov	ecx, [esp+184h]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_472492:				; CODE XREF: .text:00472478j
		push	esi
		push	edx
		push	ebx
		push	41790h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4724A1:				; CODE XREF: .text:00471B7Cj
		mov	ecx, esi

loc_4724A3:				; CODE XREF: .text:004721E3j
		call	_MiBadShareCount@4 ; MiBadShareCount(x)

loc_4724A8:				; CODE XREF: .text:00471AA4j
		mov	eax, [esi+4]
		mov	ecx, [esp+14h]
		push	eax
		push	ecx
		push	dword ptr [esp+2Ch]
		push	403h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4724C1:				; CODE XREF: .text:00472288j
		mov	edx, [esp+54h]
		push	0
		push	edx
		push	ebx
		push	61945h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 3 dup(0CCh)
		align 10h

; __stdcall MiDeleteBatch(x)
_MiDeleteBatch@4:			; CODE XREF: .text:00471728p
					; .text:0047180Dp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	dword ptr [esp+50h], 0
		push	edi
		mov	[esp+14h], esi
		cmp	byte ptr [esi],	0
		jnz	short loc_47250A
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_47250A:				; CODE XREF: .text:004724FFj
		mov	dword ptr [esp+18h], 0
		nop
		test	ds:byte_70EFC6,	21h
		mov	dword ptr [esp+50h], offset unk_6D5F10
		mov	dword ptr [esp+4Ch], 0
		jz	short loc_47253C
		mov	edx, offset unk_6D5F10
		lea	ecx, [esp+4Ch]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_472554
; 

loc_47253C:				; CODE XREF: .text:0047252Aj
		lea	edx, [esp+4Ch]
		mov	eax, offset unk_6D5F10
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_472554
		lea	ecx, [esp+4Ch]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_472554:				; CODE XREF: .text:0047253Aj
					; .text:00472549j
		xor	al, al
		mov	ebx, 1
		mov	[esp+0Fh], al
		cmp	[esi], al
		jbe	loc_47297F
		jmp	short loc_472570
; 
		align 10h

loc_472570:				; CODE XREF: .text:00472567j
					; .text:00472974j
		movzx	eax, al
		lea	esi, [esi+8]
		mov	ecx, [esi+eax*8+4]
		lea	eax, [esi+eax*8]
		mov	edx, [eax]
		mov	[esp+10h], eax
		mov	[esp+2Ch], ecx
		mov	[esp+38h], edx
		mov	[esp+3Ch], ecx
		nop
		mov	eax, edx
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		mov	bl, [eax+ecx*4+16h]
		lea	esi, [eax+ecx*4]
		mov	al, bl
		and	al, 7
		cmp	al, 6
		jnz	loc_472A83
		and	edx, 42h
		or	edx, 0
		jz	short loc_4725FB
		xor	edi, edi
		xor	ecx, ecx
		test	bl, 10h
		jnz	short loc_4725FF
		mov	eax, [esi+8]
		mov	dl, bl
		and	eax, 400h
		or	eax, ecx
		jnz	short loc_4725F3
		test	bl, 8
		jnz	short loc_4725F3
		push	eax
		lea	edx, [edi+1]
		lea	ecx, [esi+8]
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	ecx, edx
		mov	edi, eax
		mov	dl, [esi+16h]

loc_4725F3:				; CODE XREF: .text:004725D9j
					; .text:004725DEj
		or	dl, 10h
		mov	[esi+16h], dl
		jmp	short loc_4725FF
; 

loc_4725FB:				; CODE XREF: .text:004725C2j
		xor	edi, edi
		xor	ecx, ecx

loc_4725FF:				; CODE XREF: .text:004725CBj
					; .text:004725F9j
		mov	eax, [esp+10h]
		lea	ebx, [esi+10h]
		mov	[esp+28h], ebx
		mov	[eax], edi
		mov	[eax+4], ecx
		mov	ecx, [ebx]
		mov	edx, ecx
		lea	eax, [ecx-1]
		xor	edx, eax
		and	edx, 3FFFFFFFh
		xor	edx, ecx
		mov	[ebx], edx
		test	edx, 3FFFFFFFh
		jnz	loc_47295C
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_472880
		mov	ebx, [esi+8]
		nop
		mov	eax, [esi+0Ch]
		mov	edx, [esi+18h]
		shrd	ebx, eax, 5
		and	edx, offset loc_7FFFFF
		mov	dword ptr [esp+10h], 4
		shr	eax, 5
		mov	[esp+24h], eax
		mov	eax, [esi+4]
		mov	[esp+1Ch], eax
		lea	ecx, ds:0[edx*8]
		mov	eax, ds:_MmPfnDatabase
		sub	ecx, edx
		movzx	eax, byte ptr [eax+ecx*4+16h]
		shr	eax, 6
		test	eax, eax
		jz	short loc_472692
		cmp	eax, 3
		jz	short loc_472692
		cmp	eax, 2
		jnz	short loc_472699
		mov	eax, 1Ch
		jmp	short loc_47269D
; 

loc_472692:				; CODE XREF: .text:0047267Fj
					; .text:00472684j
		mov	eax, 0Ch
		jmp	short loc_47269D
; 

loc_472699:				; CODE XREF: .text:00472689j
		mov	eax, [esp+10h]

loc_47269D:				; CODE XREF: .text:00472690j
					; .text:00472697j
		and	eax, 1Fh
		mov	edi, ds:_MmProtectToPteMask[eax*8]
		mov	ecx, ds:dword_40B4DC[eax*8]
		and	edi, 0F7Fh
		xor	eax, eax
		and	ecx, 0FFFFFFE0h
		shld	eax, edx, 0Ch
		or	ecx, eax
		shl	edx, 0Ch
		mov	al, byte ptr word_6D07B8
		or	edi, edx
		and	al, 1
		or	edi, 121h
		movzx	eax, al
		and	edi, 0FFFFFEFFh
		cdq
		shld	edx, eax, 8
		shl	eax, 8
		or	edx, ecx
		or	eax, edi
		xor	edi, edi
		or	eax, 42h
		mov	[esp+10h], eax
		mov	eax, large fs:20h
		mov	ecx, [eax+3D34h]
		mov	eax, ecx
		and	eax, 0FFFh
		and	ecx, 0FFFFF000h
		shl	eax, 0Ch
		add	ecx, eax
		mov	[esp+20h], ecx
		shr	ecx, 9
		sub	ecx, 40000000h
		cmp	dword_6D07D0, 0C0000000h
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	ecx, 0C0603000h
		jb	short loc_472781
		cmp	ecx, eax
		jnb	short loc_472781
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_47275D
		cmp	byte ptr word_6D07B8+1,	0
		mov	edi, 1
		mov	eax, [esp+10h]
		jnz	short loc_472785
		or	edx, 80000000h
		jmp	short loc_472785
; 

loc_47275D:				; CODE XREF: .text:00472741j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, [esp+10h]
		jz	short loc_472785
		or	edx, 80000000h
		jmp	short loc_472785
; 

loc_472781:				; CODE XREF: .text:00472734j
					; .text:00472738j
		mov	eax, [esp+10h]

loc_472785:				; CODE XREF: .text:00472753j
					; .text:0047275Bj ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], eax
		test	edi, edi
		jz	short loc_472796
		push	edx
		push	eax
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_472796:				; CODE XREF: .text:0047278Dj
		mov	eax, [esp+1Ch]
		mov	ecx, [esp+20h]
		shr	eax, 3
		and	eax, 1FFh
		lea	edx, [ecx+eax*8]
		mov	ecx, [edx]
		nop
		mov	eax, [edx+4]
		nop
		and	ebx, 1Fh
		xor	edi, edi
		or	ebx, 40h
		and	eax, 1Fh
		shld	edi, ebx, 5
		and	ecx, 0FFFFF000h
		shl	ebx, 5
		or	edi, eax
		mov	eax, dword_6D0704
		or	ebx, ecx
		mov	ecx, dword_6D0700
		mov	[esp+10h], eax
		mov	eax, ecx
		or	eax, [esp+10h]
		mov	[esp+20h], ecx
		jz	short loc_472800
		mov	eax, [esp+10h]
		and	ecx, ebx
		and	eax, edi
		or	ecx, eax
		jnz	short loc_4727FD
		or	ebx, [esp+20h]
		or	edi, [esp+10h]
		jmp	short loc_472800
; 

loc_4727FD:				; CODE XREF: .text:004727F1j
		or	ebx, 10h

loc_472800:				; CODE XREF: .text:004727E5j
					; .text:004727FBj
		mov	[esp+40h], ebx
		mov	[esp+44h], edi
		mov	[edx], ebx
		nop
		mov	[edx+4], edi
		mov	eax, large fs:20h
		shr	edx, 9
		mov	[esp+1Ch], eax
		and	edx, offset loc_7FFFF8
		mov	ebx, [eax+3D34h]
		mov	edi, ebx
		and	edi, 0FFFh
		and	ebx, 0FFFFF000h
		lea	eax, [edi+1]
		mov	[esp+20h], eax
		mov	eax, ds:_ZeroPte
		mov	[edx-40000000h], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edx-3FFFFFFCh], eax
		cmp	edi, 0FFh
		jnz	short loc_472860
		call	_MiFlushHyperSpace@0 ; MiFlushHyperSpace()

loc_472860:				; CODE XREF: .text:00472859j
		mov	eax, [esp+1Ch]
		sub	edi, 0FFh
		neg	edi
		sbb	edi, edi
		and	edi, [esp+20h]
		or	edi, ebx
		mov	ebx, [esp+28h]
		mov	[eax+3D34h], edi
		mov	edx, [ebx]

loc_472880:				; CODE XREF: .text:00472637j
		mov	eax, 0FFFFh
		and	edx, 40000000h
		add	[esi+14h], ax
		movzx	eax, word ptr [esi+14h]
		test	ax, ax
		jz	short loc_4728EF
		mov	al, [esi+16h]
		test	edx, edx
		jz	short loc_4728A3
		or	al, 7
		jmp	short loc_4728B1
; 

loc_4728A3:				; CODE XREF: .text:0047289Dj
		test	al, 10h
		jz	short loc_4728AD
		and	al, 0FBh
		or	al, 3
		jmp	short loc_4728B1
; 

loc_4728AD:				; CODE XREF: .text:004728A5j
		and	al, 0FAh
		or	al, 2

loc_4728B1:				; CODE XREF: .text:004728A1j
					; .text:004728ABj
		mov	[esi+16h], al
		mov	eax, [esi+0Ch]
		mov	ecx, [esi+8]
		mov	[esp+2Ch], eax
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_4728DE
		nop
		mov	eax, [esi+0Ch]
		shrd	ecx, eax, 2
		test	cl, 1
		jz	short loc_4728DE
		mov	byte_6D4FB7, 1

loc_4728DE:				; CODE XREF: .text:004728C8j
					; .text:004728D5j
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_47295C
		inc	dword ptr [esp+18h]
		jmp	short loc_47295C
; 

loc_4728EF:				; CODE XREF: .text:00472896j
		test	edx, edx
		jz	short loc_47293B
		mov	al, [esi+17h]
		test	al, 10h
		jz	short loc_4728FF
		and	al, 0EFh
		mov	[esi+17h], al

loc_4728FF:				; CODE XREF: .text:004728F8j
		mov	eax, [esi+0Ch]
		mov	edx, 1
		push	eax
		mov	eax, [esi+8]
		mov	ecx, offset _MiSystemPartition
		push	eax
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		sub	esi, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	esi
		add	edx, esi
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	edx, 2
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		jmp	short loc_47295C
; 

loc_47293B:				; CODE XREF: .text:004728F1j
		mov	al, [esi+16h]
		mov	ecx, esi
		test	al, 10h
		jz	short loc_47294B
		mov	edx, 88h
		jmp	short loc_472957
; 

loc_47294B:				; CODE XREF: .text:00472942j
		and	al, 0FAh
		mov	edx, 4
		or	al, 2
		mov	[esi+16h], al

loc_472957:				; CODE XREF: .text:00472949j
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)

loc_47295C:				; CODE XREF: .text:00472628j
					; .text:004728E7j ...
		mov	ecx, 7FFFFFFFh
		lock and [ebx],	ecx
		mov	al, [esp+0Fh]
		mov	esi, [esp+14h]
		inc	al
		mov	[esp+0Fh], al
		cmp	al, [esi]
		jb	loc_472570
		mov	ebx, 1

loc_47297F:				; CODE XREF: .text:00472561j
		test	ds:byte_70EFC6,	1
		jz	short loc_472996
		mov	edx, [ebp+4]
		lea	ecx, [esp+4Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4729C7
; 

loc_472996:				; CODE XREF: .text:00472986j
		mov	eax, [esp+4Ch]
		test	eax, eax
		jnz	short loc_4729B9
		mov	edx, [esp+50h]
		lea	eax, [esp+4Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+4Ch]
		cmp	eax, ecx
		jz	short loc_4729C7
		call	KxWaitForLockChainValid

loc_4729B9:				; CODE XREF: .text:0047299Cj
		mov	dword ptr [esp+4Ch], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_4729C7:				; CODE XREF: .text:00472994j
					; .text:004729B2j
		cmp	byte ptr [esi+1], 1
		mov	edi, [esi+4]
		jnz	short loc_4729D9
		mov	ecx, edi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		jmp	short loc_472A09
; 

loc_4729D9:				; CODE XREF: .text:004729CEj
		mov	dword ptr [esp+34h], 0
		lea	esi, [edi+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_472A05
		jmp	short loc_4729F0
; 
		align 10h

loc_4729F0:				; CODE XREF: .text:004729EBj
					; .text:004729FCj ...
		lea	ecx, [esp+34h]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_4729F0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4729F0

loc_472A05:				; CODE XREF: .text:004729E9j
		mov	esi, [esp+14h]

loc_472A09:				; CODE XREF: .text:004729D7j
		mov	al, [edi+16h]
		and	al, 7
		cmp	al, 6
		jnz	short loc_472A7C
		mov	ecx, [edi+10h]
		lea	edx, [edi+10h]
		movzx	ebx, byte ptr [esi]
		mov	eax, ecx
		and	eax, 3FFFFFFFh
		cmp	eax, ebx
		jb	short loc_472A7C
		mov	eax, ecx
		sub	eax, ebx
		xor	eax, ecx
		and	eax, 3FFFFFFFh
		xor	eax, ecx
		mov	[edx], eax
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		xor	bl, bl
		cmp	[esi], bl
		jbe	short loc_472A6E

loc_472A43:				; CODE XREF: .text:00472A6Cj
		movzx	eax, bl
		lea	ecx, [esi+eax*8]
		mov	eax, [ecx+8]
		or	eax, [ecx+0Ch]
		jz	short loc_472A68
		mov	eax, [ecx+0Ch]
		mov	edx, 1
		push	eax
		mov	eax, [ecx+8]
		mov	ecx, offset _MiSystemPartition
		push	eax
		call	MiReleasePageFileInfo

loc_472A68:				; CODE XREF: .text:00472A4Fj
		inc	bl
		cmp	bl, [esi]
		jb	short loc_472A43

loc_472A6E:				; CODE XREF: .text:00472A41j
		mov	eax, [esp+18h]
		pop	edi
		mov	byte ptr [esi],	0
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_472A7C:				; CODE XREF: .text:00472A10j
					; .text:00472A24j
		mov	ecx, edi
		call	_MiBadShareCount@4 ; MiBadShareCount(x)

loc_472A83:				; CODE XREF: .text:004725B6j
		mov	ecx, esi
		call	_MiBadShareCount@4 ; MiBadShareCount(x)
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockPageLeafPageTable	proc near	; CODE XREF: .text:00464D68p
					; .text:00464DC7p ...

var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005B3392 SIZE 00000153 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ds:_ZeroPte
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	[ebp+var_14], esi
		mov	edx, [esi+10h]
		mov	ebx, [esi+3Ch]
		mov	[esi+18h], eax
		mov	eax, ds:dword_40F9FC
		mov	[esi+1Ch], eax
		mov	eax, [esi]
		mov	[ebp+var_1C], eax
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_C], ebx
		sub	eax, 40000000h
		mov	[ebp+var_34], eax
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_30], eax
		test	edx, edx
		jnz	loc_472DC1

loc_472AE6:				; CODE XREF: MiLockPageLeafPageTable+350j
		mov	dword ptr [esi+10h], 0C0603018h
		mov	al, [ebx+60h]
		and	al, 7
		mov	[ebp+var_20], 1
		mov	[ebp+var_28], 0
		mov	[ebp+var_10], 6
		cmp	al, 2
		jnb	loc_472E78
		test	al, al
		jnz	loc_47312F
		mov	edi, [ebx+0Ch]
		add	edi, 0F10h

loc_472B20:				; CODE XREF: MiLockPageLeafPageTable+412j
					; MiLockPageLeafPageTable+489j	...
		mov	eax, [edi]
		mov	ebx, [ebp+var_10]

loc_472B25:				; CODE XREF: MiLockPageLeafPageTable+5E2j
					; MiLockPageLeafPageTable+5EBj
		mov	[ebp+var_8], eax

loc_472B28:				; CODE XREF: MiLockPageLeafPageTable+53Ej
		mov	ecx, ebx
		mov	edx, 2
		shl	edx, cl

loc_472B31:				; CODE XREF: MiLockPageLeafPageTable+615j
		mov	ecx, ebx
		shr	eax, cl
		test	al, 1
		jnz	loc_472FA3
		mov	ecx, [ebp+var_8]
		mov	eax, edx
		not	eax
		bts	ecx, ebx
		and	ecx, eax
		mov	eax, [ebp+var_8]
		lock cmpxchg [edi], ecx
		cmp	eax, [ebp+var_8]
		jnz	loc_4730A2
		mov	edi, [ebp+var_30]
		mov	ebx, [ebp+var_C]
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		mov	[ebp+var_18], edi
		cmp	edi, [esi+10h]
		jz	loc_472C70
		mov	al, [ebx+60h]
		lea	ecx, [edi+3FA00000h]
		sar	ecx, 3
		and	al, 7
		add	ecx, ecx
		mov	[ebp+var_2C], 0
		mov	edx, ecx
		and	edx, 1Fh
		mov	[ebp+var_10], edx
		cmp	al, 2
		jnb	loc_472EA7
		shr	ecx, 5
		test	al, al
		jnz	loc_47313A
		mov	eax, [ebx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_472BB7:				; CODE XREF: MiLockPageLeafPageTable+449j
					; MiLockPageLeafPageTable+6B3j
		mov	[ebp+var_8], eax

loc_472BBA:				; CODE XREF: MiLockPageLeafPageTable+4BFj
		mov	ebx, [ebp+var_8]
		mov	ebx, [ebx]

loc_472BBF:				; CODE XREF: MiLockPageLeafPageTable+56Fj
					; MiLockPageLeafPageTable+60Dj	...
		mov	ecx, edx
		mov	esi, 2
		shl	esi, cl

loc_472BC8:				; CODE XREF: MiLockPageLeafPageTable+664j
		mov	eax, ebx
		mov	ecx, edx
		shr	eax, cl
		test	al, 1
		jnz	loc_472FD3
		mov	edi, [ebp+var_8]
		mov	ecx, ebx
		mov	eax, esi
		bts	ecx, edx
		not	eax
		and	ecx, eax
		mov	eax, ebx
		lock cmpxchg [edi], ecx
		cmp	eax, ebx
		jnz	loc_4730F2
		mov	esi, [ebp+var_14]
		mov	ebx, [ebp+var_C]
		mov	edi, [esi+10h]
		lea	ecx, [edi+3FA00000h]
		sar	ecx, 3
		add	ecx, ecx
		mov	eax, ecx
		and	eax, 1Fh
		mov	[ebp+var_24], eax
		mov	al, [ebx+60h]
		and	al, 7
		cmp	al, 2
		jnb	loc_472EDE
		shr	ecx, 5
		test	al, al
		jnz	loc_473148
		mov	eax, [ebx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_472C31:				; CODE XREF: MiLockPageLeafPageTable+470j
					; MiLockPageLeafPageTable+6C1j
		mov	[ebp+var_8], eax

loc_472C34:				; CODE XREF: MiLockPageLeafPageTable+4DDj
		mov	edx, [eax]
		mov	eax, [ebp+var_24]
		mov	ecx, eax
		mov	edi, [ebp+var_8]
		mov	[ebp+var_10], 2
		shl	[ebp+var_10], cl
		mov	ecx, edx
		not	[ebp+var_10]
		btr	ecx, eax
		and	ecx, [ebp+var_10]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	edi, [ebp+var_18]
		cmp	eax, edx
		jnz	loc_473100

loc_472C64:				; CODE XREF: MiLockPageLeafPageTable+69Aj
		mov	[esi+10h], edi
		jmp	short loc_472C70
; 
		align 10h

loc_472C70:				; CODE XREF: MiLockPageLeafPageTable+E4j
					; MiLockPageLeafPageTable+1D7j
		mov	edi, 1

loc_472C75:				; CODE XREF: MiLockPageLeafPageTable+309j
					; MiLockPageLeafPageTable+381j
		mov	edx, [ebp+edi*4+var_34]
		mov	[ebp+var_10], edx
		mov	ecx, [edx]
		nop
		mov	eax, [edx+4]
		mov	[ebp+var_2C], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_47302D
		mov	eax, ecx
		and	eax, 80h
		or	eax, 0
		jnz	loc_5B33D5
		mov	[ebp+var_1], al

loc_472CA6:				; CODE XREF: MiLockPageLeafPageTable+1409ECj
		mov	al, [ebx+60h]
		lea	ecx, [edx+3FA00000h]
		sar	ecx, 3
		and	al, 7
		add	ecx, ecx
		mov	[ebp+var_24], 0
		mov	edi, ecx
		and	edi, 1Fh
		cmp	al, 2
		jnb	loc_472E16
		shr	ecx, 5
		test	al, al
		jnz	loc_4730B7
		mov	eax, [ebx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_472CE0:				; CODE XREF: MiLockPageLeafPageTable+3A8j
					; MiLockPageLeafPageTable+62Dj
		mov	[ebp+var_8], eax

loc_472CE3:				; CODE XREF: MiLockPageLeafPageTable+140A2Cj
		mov	esi, [eax]

loc_472CE5:				; CODE XREF: MiLockPageLeafPageTable+50Ej
					; MiLockPageLeafPageTable+598j	...
		mov	ecx, edi
		mov	edx, 2
		shl	edx, cl
		mov	edi, edi

loc_472CF0:				; CODE XREF: MiLockPageLeafPageTable+6CFj
		mov	eax, esi
		mov	ecx, edi
		shr	eax, cl
		test	al, 1
		jnz	loc_472F72
		mov	ebx, [ebp+var_8]
		mov	ecx, esi
		mov	eax, edx
		bts	ecx, edi
		not	eax
		and	ecx, eax
		mov	eax, esi
		lock cmpxchg [ebx], ecx
		mov	ebx, [ebp+var_C]
		cmp	eax, esi
		jnz	loc_47315D
		mov	esi, [ebp+var_14]
		mov	al, [ebx+60h]
		and	al, 7
		mov	edx, [esi+10h]
		lea	ecx, [edx+3FA00000h]
		sar	ecx, 3
		add	ecx, ecx
		mov	edi, ecx
		and	edi, 1Fh
		cmp	al, 2
		jnb	loc_472E3D
		shr	ecx, 5
		test	al, al
		jnz	loc_4730C2
		mov	eax, [ebx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_472D56:				; CODE XREF: MiLockPageLeafPageTable+3E3j
					; MiLockPageLeafPageTable+63Bj
		mov	[ebp+var_8], eax

loc_472D59:				; CODE XREF: MiLockPageLeafPageTable+4A4j
		mov	edx, [eax]
		mov	ecx, edi
		mov	esi, [ebp+var_8]
		mov	eax, 2
		shl	eax, cl
		mov	ecx, edx
		not	eax
		btr	ecx, edi
		mov	[ebp+var_2C], eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	esi, [ebp+var_14]
		cmp	eax, edx
		jnz	loc_4730D0

loc_472D84:				; CODE XREF: MiLockPageLeafPageTable+65Dj
		cmp	[ebp+var_1], 0
		mov	eax, [ebp+var_10]
		mov	[esi+10h], eax
		jnz	short loc_472DB8
		mov	edi, [ebp+var_20]

loc_472D93:				; CODE XREF: MiLockPageLeafPageTable+5C2j
		sub	edi, 1
		mov	[ebp+var_20], edi
		jnz	loc_472C75

loc_472D9F:				; CODE XREF: MiLockPageLeafPageTable+343j
		mov	eax, [ebp+var_34]
		mov	ecx, [eax]
		nop
		mov	edx, [eax+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_472DE5
		mov	[esi+18h], ecx
		mov	[esi+1Ch], edx

loc_472DB8:				; CODE XREF: MiLockPageLeafPageTable+2FEj
		xor	eax, eax

loc_472DBA:				; CODE XREF: MiLockPageLeafPageTable+140962j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_472DC1:				; CODE XREF: MiLockPageLeafPageTable+50j
		mov	eax, [esi+8]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	edx, eax
		jz	short loc_472D9F
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		and	dword ptr [esi+28h], 0FFFFFFDFh
		jmp	loc_472AE6
; 

loc_472DE5:				; CODE XREF: MiLockPageLeafPageTable+320j
		mov	ecx, esi
		call	MiFaultInProbeAddress
		test	eax, eax
		js	loc_4730AA
		push	0
		mov	edx, 0C0603018h
		mov	dword ptr [esi+10h], 0C0603018h
		mov	ecx, ebx
		call	MiLockPageTableInternal
		mov	edi, 1
		mov	[ebp+var_20], edi
		jmp	loc_472C75
; 

loc_472E16:				; CODE XREF: MiLockPageLeafPageTable+234j
		cmp	edx, 0C0603018h
		jz	loc_5B3491
		cmp	edx, 0C0603010h
		jz	loc_5B3481

loc_472E2E:				; CODE XREF: MiLockPageLeafPageTable+1409FBj
					; MiLockPageLeafPageTable+140A10j
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_472CE0
; 

loc_472E3D:				; CODE XREF: MiLockPageLeafPageTable+2AAj
		cmp	edx, 0C0603018h
		jz	short loc_472E59
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_472E69
		cmp	edx, 0C0603010h
		jnz	short loc_472E69

loc_472E59:				; CODE XREF: MiLockPageLeafPageTable+3B3j
		cmp	al, 7
		jz	loc_472F1E
		cmp	al, 5
		jz	loc_5B34D9

loc_472E69:				; CODE XREF: MiLockPageLeafPageTable+3BFj
					; MiLockPageLeafPageTable+3C7j
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_472D56
; 

loc_472E78:				; CODE XREF: MiLockPageLeafPageTable+79j
		xor	edi, edi
		cmp	al, 7
		jz	loc_472F05
		cmp	al, 5
		jz	loc_5B3392

loc_472E8A:				; CODE XREF: MiLockPageLeafPageTable+140907j
		mov	eax, edi
		test	edi, edi
		jnz	short loc_472E95
		mov	edi, offset unk_6D2DD4

loc_472E95:				; CODE XREF: MiLockPageLeafPageTable+3FEj
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFFAh
		add	eax, 6
		mov	[ebp+var_10], eax
		jmp	loc_472B20
; 

loc_472EA7:				; CODE XREF: MiLockPageLeafPageTable+10Bj
		cmp	edi, 0C0603018h
		jz	short loc_472EC3
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_472ECF
		cmp	edi, 0C0603010h
		jnz	short loc_472ECF

loc_472EC3:				; CODE XREF: MiLockPageLeafPageTable+41Dj
		cmp	al, 7
		jz	short loc_472F39
		cmp	al, 5
		jz	loc_5B339C

loc_472ECF:				; CODE XREF: MiLockPageLeafPageTable+429j
					; MiLockPageLeafPageTable+431j
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_472BB7
; 

loc_472EDE:				; CODE XREF: MiLockPageLeafPageTable+185j
		cmp	edi, 0C0603018h
		jnz	loc_5B33A8

loc_472EEA:				; CODE XREF: MiLockPageLeafPageTable+140934j
		cmp	al, 7
		jz	short loc_472F54
		cmp	al, 5
		jz	loc_5B33C9

loc_472EF6:				; CODE XREF: MiLockPageLeafPageTable+140922j
					; MiLockPageLeafPageTable+14092Ej
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_472C31
; 

loc_472F05:				; CODE XREF: MiLockPageLeafPageTable+3ECj
		mov	edi, offset unk_6D2E58
		mov	eax, edi
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFFAh
		add	eax, 6
		mov	[ebp+var_10], eax
		jmp	loc_472B20
; 

loc_472F1E:				; CODE XREF: MiLockPageLeafPageTable+3CBj
		mov	[ebp+var_8], offset unk_6D2E58

loc_472F25:				; CODE XREF: MiLockPageLeafPageTable+140A50j
		mov	eax, [ebp+var_8]
		mov	edi, 0C0603018h
		sub	edi, edx
		sar	edi, 3
		add	edi, edi
		jmp	loc_472D59
; 

loc_472F39:				; CODE XREF: MiLockPageLeafPageTable+435j
		mov	[ebp+var_8], offset unk_6D2E58

loc_472F40:				; CODE XREF: MiLockPageLeafPageTable+140913j
		mov	edx, 0C0603018h
		sub	edx, edi
		sar	edx, 3
		add	edx, edx
		mov	[ebp+var_10], edx
		jmp	loc_472BBA
; 

loc_472F54:				; CODE XREF: MiLockPageLeafPageTable+45Cj
		mov	[ebp+var_8], offset unk_6D2E58

loc_472F5B:				; CODE XREF: MiLockPageLeafPageTable+140940j
		mov	eax, [ebp+var_8]
		mov	edx, 0C0603018h
		sub	edx, edi
		sar	edx, 3
		add	edx, edx
		mov	[ebp+var_24], edx
		jmp	loc_472C34
; 

loc_472F72:				; CODE XREF: MiLockPageLeafPageTable+268j
		test	al, 2
		jnz	loc_473004
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		mov	eax, 2
		shl	eax, cl
		or	eax, esi
		mov	[ebp+var_2C], eax
		mov	ecx, eax
		mov	eax, esi
		lock cmpxchg [edx], ecx
		cmp	eax, esi
		jnz	loc_473156
		mov	esi, [ebp+var_2C]
		jmp	loc_472CE5
; 

loc_472FA3:				; CODE XREF: MiLockPageLeafPageTable+A7j
		test	al, 2
		jz	loc_473057
		mov	esi, [ebp+var_10]
		mov	edi, edi

loc_472FB0:				; CODE XREF: MiLockPageLeafPageTable+533j
		lea	ecx, [ebp+var_28]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		mov	ecx, esi
		mov	[ebp+var_8], eax
		shr	eax, cl
		test	al, 1
		jnz	short loc_472FB0
		mov	esi, [ebp+var_14]
		mov	ebx, [ebp+var_10]
		mov	eax, [ebp+var_8]
		jmp	loc_472B28
; 

loc_472FD3:				; CODE XREF: MiLockPageLeafPageTable+140j
		test	al, 2
		jnz	loc_473080
		mov	esi, [ebp+var_8]
		mov	ecx, edx
		mov	eax, 2
		shl	eax, cl
		or	eax, ebx
		mov	[ebp+var_28], eax
		mov	ecx, eax
		mov	eax, ebx
		lock cmpxchg [esi], ecx
		cmp	eax, ebx
		jnz	loc_4730F9
		mov	ebx, [ebp+var_28]
		jmp	loc_472BBF
; 

loc_473004:				; CODE XREF: MiLockPageLeafPageTable+4E4j
		mov	ebx, [ebp+var_8]

loc_473007:				; CODE XREF: MiLockPageLeafPageTable+596j
		mov	eax, [ebp+var_24]
		inc	eax
		mov	[ebp+var_24], eax
		test	ds:_HvlLongSpinCountMask, eax
		jz	loc_5B34C1

loc_47301A:				; CODE XREF: MiLockPageLeafPageTable+140A38j
		pause

loc_47301C:				; CODE XREF: MiLockPageLeafPageTable+140A44j
		mov	esi, [ebx]
		mov	ecx, edi
		mov	eax, esi
		shr	eax, cl
		test	al, 1
		jnz	short loc_473007
		jmp	loc_472CE5
; 

loc_47302D:				; CODE XREF: MiLockPageLeafPageTable+1FDj
		mov	ecx, esi
		call	MiFaultInProbeAddress
		test	eax, eax
		js	short loc_4730AA
		push	0
		mov	edx, 0C0603018h
		mov	dword ptr [esi+10h], 0C0603018h
		mov	ecx, ebx
		call	MiLockPageTableInternal
		mov	edi, 2
		jmp	loc_472D93
; 

loc_473057:				; CODE XREF: MiLockPageLeafPageTable+515j
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		mov	eax, 2
		shl	eax, cl
		or	eax, edx
		mov	[ebp+var_24], eax
		mov	ecx, eax
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	loc_472B25
		mov	eax, [ebp+var_24]
		jmp	loc_472B25
; 

loc_473080:				; CODE XREF: MiLockPageLeafPageTable+545j
		mov	edi, [ebp+var_10]

loc_473083:				; CODE XREF: MiLockPageLeafPageTable+608j
		lea	ecx, [ebp+var_2C]
		call	KeYieldProcessorEx
		mov	eax, [ebp+var_8]
		mov	ecx, edi
		mov	ebx, [eax]
		mov	eax, ebx
		shr	eax, cl
		test	al, 1
		jnz	short loc_473083
		mov	edx, [ebp+var_10]
		jmp	loc_472BBF
; 

loc_4730A2:				; CODE XREF: MiLockPageLeafPageTable+C3j
		mov	[ebp+var_8], eax
		jmp	loc_472B31
; 

loc_4730AA:				; CODE XREF: MiLockPageLeafPageTable+35Ej
					; MiLockPageLeafPageTable+5A6j
		inc	dword_6D30A0
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4730B7:				; CODE XREF: MiLockPageLeafPageTable+23Fj
		lea	eax, [ecx+48h]
		lea	eax, [ebx+eax*4]
		jmp	loc_472CE0
; 

loc_4730C2:				; CODE XREF: MiLockPageLeafPageTable+2B5j
		lea	eax, [ebx+120h]
		lea	eax, [eax+ecx*4]
		jmp	loc_472D56
; 

loc_4730D0:				; CODE XREF: MiLockPageLeafPageTable+2EEj
		mov	esi, [ebp+var_2C]
		mov	ebx, [ebp+var_8]

loc_4730D6:				; CODE XREF: MiLockPageLeafPageTable+655j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, edi
		and	ecx, esi
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_4730D6
		mov	esi, [ebp+var_14]
		mov	ebx, [ebp+var_C]
		jmp	loc_472D84
; 

loc_4730F2:				; CODE XREF: MiLockPageLeafPageTable+15Cj
		mov	ebx, eax
		jmp	loc_472BC8
; 

loc_4730F9:				; CODE XREF: MiLockPageLeafPageTable+566j
		mov	ebx, eax
		jmp	loc_472BBF
; 

loc_473100:				; CODE XREF: MiLockPageLeafPageTable+1CEj
		mov	edi, [ebp+var_24]
		mov	esi, [ebp+var_10]
		mov	ebx, [ebp+var_8]
		lea	esp, [esp+0]

loc_473110:				; CODE XREF: MiLockPageLeafPageTable+68Fj
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, edi
		and	ecx, esi
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_473110
		mov	esi, [ebp+var_14]
		mov	edi, [ebp+var_18]
		mov	ebx, [ebp+var_C]
		jmp	loc_472C64
; 

loc_47312F:				; CODE XREF: MiLockPageLeafPageTable+81j
		lea	edi, [ebx+2A0h]
		jmp	loc_472B20
; 

loc_47313A:				; CODE XREF: MiLockPageLeafPageTable+116j
		lea	eax, [ebx+120h]
		lea	eax, [eax+ecx*4]
		jmp	loc_472BB7
; 

loc_473148:				; CODE XREF: MiLockPageLeafPageTable+190j
		lea	eax, [ebx+120h]
		lea	eax, [eax+ecx*4]
		jmp	loc_472C31
; 

loc_473156:				; CODE XREF: MiLockPageLeafPageTable+505j
		mov	esi, eax
		jmp	loc_472CE5
; 

loc_47315D:				; CODE XREF: MiLockPageLeafPageTable+287j
		mov	esi, eax
		jmp	loc_472CF0
MiLockPageLeafPageTable	endp

; 
		align 10h

; __stdcall MiDeletePteList(x, x, x, x,	x, x)
_MiDeletePteList@24:			; CODE XREF: .text:00475F76p
					; .text:00475FB0p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, [ebp+14h]
		push	ebx
		or	ebx, 0FFFFFFFFh
		mov	[esp+4Ch], ecx
		xor	ecx, ecx
		mov	[esp+38h], ebx
		mov	ebx, [esp+4Ch]
		push	esi
		xor	esi, esi
		mov	[esp+10h], ecx
		mov	[esp+1Ch], ecx
		mov	[esp+14h], ecx
		mov	ecx, [ebx+0Ch]
		push	edi
		mov	[esp+38h], edx
		mov	[esp+74h], eax
		mov	[esp+28h], esi
		mov	[esp+50h], ecx
		cmp	[ebp+0Ch], esi
		jz	short loc_4731C3
		mov	ecx, ebx
		call	MiFlushTbList
		mov	ecx, [esp+50h]

loc_4731C3:				; CODE XREF: .text:004731B6j
		mov	eax, [ebp+8]
		cmp	[eax+10h], esi
		jnz	loc_4737CB
		cmp	[eax+14h], esi
		jnz	loc_4737CB
		xor	eax, eax
		mov	[esp+1Ch], esi
		mov	[esp+10h], eax
		mov	[esp+4Ch], eax
		test	ecx, ecx
		jz	loc_4737C0
		mov	edi, edi

loc_4731F0:				; CODE XREF: .text:0047372Fj
		mov	eax, [ebx+eax*4+14h]
		mov	ecx, eax
		and	ecx, 3FFh
		inc	ecx
		and	eax, 0FFFFF000h
		mov	[esp+48h], ecx
		mov	[esp+44h], eax
		lea	ebx, [ebx+0]

loc_473210:				; CODE XREF: .text:00473718j
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[esp+24h], eax
		mov	edx, [eax]
		nop
		mov	ecx, [eax+4]
		or	edx, 1
		and	edx, 0FFFFFBFFh
		mov	[esp+6Ch], ecx
		mov	[esp+68h], edx
		nop
		mov	eax, edx
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		mov	esi, [eax+ecx*4+18h]
		lea	ebx, [eax+ecx*4]
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_47337D
		mov	eax, [ebx+4]
		mov	edi, eax
		or	edi, 80000000h
		test	esi, 800000h
		jnz	short loc_473286
		test	eax, eax
		js	short loc_473286
		mov	byte ptr [esp+0Fh], 1
		jnz	short loc_47328B

loc_473286:				; CODE XREF: .text:00473279j
					; .text:0047327Dj
		mov	byte ptr [esp+0Fh], 0

loc_47328B:				; CODE XREF: .text:00473284j
		mov	ecx, [esp+24h]
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		mov	[esp+3Ch], eax
		lea	esi, [ebx+10h]
		mov	dword ptr [esp+2Ch], 0
		mov	dword ptr [esp+30h], 0
		mov	dword ptr [esp+58h], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4732D9
		lea	ebx, [ebx+0]

loc_4732C0:				; CODE XREF: .text:004732CCj
					; .text:004732D3j
		lea	ecx, [esp+58h]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_4732C0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4732C0
		mov	edx, [esp+68h]

loc_4732D9:				; CODE XREF: .text:004732B8j
		and	edx, 42h
		or	edx, 0
		jz	short loc_4732F0
		mov	ecx, ebx
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	[esp+2Ch], eax
		mov	[esp+30h], edx

loc_4732F0:				; CODE XREF: .text:004732DFj
		mov	ecx, ebx
		call	MiDecrementShareCount
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	ecx, [esp+2Ch]
		mov	eax, ecx
		mov	edx, [esp+30h]
		or	eax, edx
		jz	short loc_47331E
		push	edx
		push	ecx
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_47331E:				; CODE XREF: .text:0047330Bj
		cmp	byte ptr [esp+0Fh], 1
		mov	edx, edi
		jnz	short loc_47332E
		call	_MiDecrementCombinedPte@8 ; MiDecrementCombinedPte(x,x)
		jmp	short loc_473341
; 

loc_47332E:				; CODE XREF: .text:00473325j
		mov	ecx, [esp+38h]
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		push	ecx
		mov	edx, edi
		mov	ecx, eax
		call	MiDecrementCloneBlockReference

loc_473341:				; CODE XREF: .text:0047332Cj
		cmp	eax, 3
		jnz	short loc_47335F
		mov	eax, [ebp+8]
		mov	esi, [ebp+10h]
		mov	edi, [ebp+14h]
		mov	[esp+68h], esi
		inc	dword ptr [eax+4]
		mov	[esp+6Ch], edi
		jmp	loc_473650
; 

loc_47335F:				; CODE XREF: .text:00473344j
		cmp	eax, 5
		jnz	short loc_47336A
		mov	eax, [ebp+8]
		inc	dword ptr [eax+8]

loc_47336A:				; CODE XREF: .text:00473362j
		mov	esi, [ebp+10h]
		mov	edi, [ebp+14h]
		mov	[esp+68h], esi
		mov	[esp+6Ch], edi
		jmp	loc_473650
; 

loc_47337D:				; CODE XREF: .text:00473262j
		and	esi, offset loc_7FFFFF
		mov	dword ptr [esp+5Ch], 0
		mov	[esp+3Ch], esi
		lea	esi, [ebx+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4733B5
		lea	esp, [esp+0]

loc_4733A0:				; CODE XREF: .text:004733ACj
					; .text:004733B3j
		lea	ecx, [esp+5Ch]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_4733A0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4733A0

loc_4733B5:				; CODE XREF: .text:00473397j
		mov	edi, [ebx+8]
		lea	edx, [ebx+8]
		mov	eax, [edx+4]
		mov	ecx, edi
		or	dword ptr [esi], 40000000h
		mov	[esp+30h], eax
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_47340A
		mov	ecx, offset _MiSystemPartition
		call	_MI_IS_PTE_IN_WS_SWAP_SET@8 ; MI_IS_PTE_IN_WS_SWAP_SET(x,x)
		test	eax, eax
		jnz	short loc_47340A
		cmp	word ptr [ebx+14h], 1
		jnz	short loc_47340A
		mov	eax, [ebp+10h]
		or	eax, [ebp+14h]
		jz	short loc_47340A
		mov	eax, [esp+30h]
		mov	[esp+1Ch], edi
		and	edi, 0FFFFFFFDh
		mov	[ebx+8], edi
		lea	edi, [ebx+8]
		mov	[esp+10h], eax
		mov	[edi+4], eax
		jmp	short loc_47340D
; 

loc_47340A:				; CODE XREF: .text:004733D1j
					; .text:004733DFj ...
		lea	edi, [ebx+8]

loc_47340D:				; CODE XREF: .text:00473408j
		mov	al, [ebx+16h]
		and	al, 7
		cmp	al, 6
		jnz	loc_4737DB
		mov	eax, [esi]
		mov	ecx, eax
		and	ecx, 3FFFFFFFh
		mov	edx, eax
		dec	ecx
		xor	edx, ecx
		and	edx, 3FFFFFFFh
		xor	edx, eax
		mov	[esi], edx
		test	ecx, ecx
		jnz	loc_47355D
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_47344D
		call	MiMakeProtoTransition
		mov	edx, [esi]

loc_47344D:				; CODE XREF: .text:00473444j
		mov	eax, 0FFFFh
		and	edx, 40000000h
		add	[ebx+14h], ax
		movzx	eax, word ptr [ebx+14h]
		test	ax, ax
		jz	short loc_4734AA
		mov	al, [ebx+16h]
		test	edx, edx
		jz	short loc_473470
		or	al, 7
		jmp	short loc_47347E
; 

loc_473470:				; CODE XREF: .text:0047346Aj
		test	al, 10h
		jz	short loc_47347A
		and	al, 0FBh
		or	al, 3
		jmp	short loc_47347E
; 

loc_47347A:				; CODE XREF: .text:00473472j
		and	al, 0FAh
		or	al, 2

loc_47347E:				; CODE XREF: .text:0047346Ej
					; .text:00473478j
		mov	[ebx+16h], al
		mov	eax, [edi]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_47349F
		mov	ecx, edi
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jz	short loc_47349F
		mov	byte_6D4FB7, 1

loc_47349F:				; CODE XREF: .text:0047348Bj
					; .text:00473496j
		mov	eax, [ebp+8]
		inc	dword ptr [eax+4]
		jmp	loc_47355D
; 

loc_4734AA:				; CODE XREF: .text:00473463j
		test	edx, edx
		jz	loc_47353C
		mov	al, [ebx+17h]
		test	al, 10h
		jz	short loc_4734BE
		and	al, 0EFh
		mov	[ebx+17h], al

loc_4734BE:				; CODE XREF: .text:004734B7j
		mov	edx, [edi]
		mov	eax, edx
		mov	edi, [edi+4]
		and	eax, 400h
		or	eax, 0
		mov	[esp+70h], edx
		mov	[esp+74h], edi
		jnz	short loc_473517
		mov	ecx, edx
		mov	eax, edi
		shrd	ecx, eax, 2
		test	cl, 1
		jz	short loc_4734E7
		nop
		jmp	short loc_4734FB
; 

loc_4734E7:				; CODE XREF: .text:004734E2j
		mov	ecx, edx
		mov	eax, edi
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_4734F7
		nop
		jmp	short loc_4734FB
; 

loc_4734F7:				; CODE XREF: .text:004734F2j
		xor	edx, edx
		xor	edi, edi

loc_4734FB:				; CODE XREF: .text:004734E5j
					; .text:004734F5j
		mov	eax, edx
		mov	[esp+70h], edx
		or	eax, edi
		mov	[esp+74h], edi
		jz	short loc_473517
		push	edi
		push	edx
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_473517:				; CODE XREF: .text:004734D5j
					; .text:00473507j
		sub	ebx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ebx
		add	edx, ebx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	edx, 2
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		jmp	short loc_47355D
; 

loc_47353C:				; CODE XREF: .text:004734ACj
		mov	al, [ebx+16h]
		mov	ecx, ebx
		test	al, 10h
		jz	short loc_47354C
		mov	edx, 8
		jmp	short loc_473558
; 

loc_47354C:				; CODE XREF: .text:00473543j
		and	al, 0FAh
		mov	edx, 4
		or	al, 2
		mov	[ebx+16h], al

loc_473558:				; CODE XREF: .text:0047354Aj
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)

loc_47355D:				; CODE XREF: .text:00473435j
					; .text:004734A5j ...
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	eax, [esp+1Ch]
		mov	edx, [esp+10h]
		or	eax, edx
		mov	esi, [ebp+10h]
		mov	edi, [ebp+14h]
		mov	[esp+68h], esi
		mov	[esp+6Ch], edi
		jz	loc_473640
		mov	esi, [esp+1Ch]
		mov	eax, edx
		mov	edx, dword_6D0704
		mov	ecx, esi
		shrd	ecx, eax, 0Ch
		mov	[esp+30h], esi
		and	ecx, 0Fh
		mov	ebx, dword_6D5D94[ecx*4]
		mov	ecx, dword_6D0700
		mov	eax, ecx
		or	eax, edx
		jz	short loc_4735CF
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4735CB
		not	ecx
		not	edx
		and	ecx, esi
		and	edx, [esp+10h]
		mov	[esp+30h], ecx
		mov	ecx, edx
		jmp	short loc_4735D3
; 

loc_4735CB:				; CODE XREF: .text:004735B7j
		mov	[esp+30h], esi

loc_4735CF:				; CODE XREF: .text:004735ADj
		mov	ecx, [esp+10h]

loc_4735D3:				; CODE XREF: .text:004735C9j
		mov	edx, [ebp+10h]
		mov	esi, edx
		mov	edi, [ebp+14h]
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_4735EA
		and	esi, 0FFFFFFF9h

loc_4735EA:				; CODE XREF: .text:004735E5j
		test	ebx, ebx
		jz	short loc_473628
		movzx	ebx, word ptr [ebx+74h]
		mov	eax, esi
		or	eax, edi
		jnz	short loc_473601
		push	ecx
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		jmp	short loc_47360B
; 

loc_473601:				; CODE XREF: .text:004735F6j
		push	edi
		push	esi
		push	0
		push	ecx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)

loc_47360B:				; CODE XREF: .text:004735FFj
		mov	esi, eax
		mov	edi, edx
		mov	eax, ebx
		xor	edi, 0
		cdq
		shld	edx, eax, 0Ch
		shl	eax, 0Ch
		xor	eax, esi
		and	eax, 0F000h
		xor	esi, eax
		or	esi, 2

loc_473628:				; CODE XREF: .text:004735ECj
		mov	[esp+68h], esi
		mov	[esp+6Ch], edi
		mov	dword ptr [esp+1Ch], 0
		mov	dword ptr [esp+10h], 0

loc_473640:				; CODE XREF: .text:0047357Dj
		mov	eax, [esp+38h]
		or	ecx, 0FFFFFFFFh
		add	eax, 14Ch
		lock xadd [eax], ecx

loc_473650:				; CODE XREF: .text:0047335Aj
					; .text:00473378j
		mov	eax, [esp+24h]
		mov	[eax], esi
		nop
		mov	[eax+4], edi
		or	esi, edi
		mov	edi, [esp+20h]
		jnz	short loc_473667
		inc	edi
		mov	[esp+20h], edi

loc_473667:				; CODE XREF: .text:00473660j
		mov	ebx, [esp+3Ch]
		cmp	ebx, [esp+40h]
		jz	loc_4736F9
		mov	eax, [esp+14h]
		test	eax, eax
		jz	short loc_4736DD
		mov	dword ptr [esp+60h], 0
		lea	esi, [eax+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4736A9
		nop

loc_473690:				; CODE XREF: .text:0047369Cj
					; .text:004736A3j
		lea	ecx, [esp+60h]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_473690
		lock bts dword ptr [esi], 1Fh
		jb	short loc_473690
		mov	eax, [esp+14h]

loc_4736A9:				; CODE XREF: .text:0047368Dj
		mov	edx, [esp+18h]
		mov	ecx, eax
		call	MiReduceShareCount
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	dword ptr [esp+18h], 0
		test	edi, edi
		jz	short loc_4736DD
		mov	ecx, [esp+24h]
		mov	edx, edi
		call	_MiReducePteUseCount@8 ; MiReducePteUseCount(x,x)
		xor	edi, edi
		mov	[esp+28h], eax
		mov	[esp+20h], edi

loc_4736DD:				; CODE XREF: .text:0047367Bj
					; .text:004736C6j
		mov	ecx, ds:_MmPfnDatabase
		lea	edx, ds:0[ebx*8]
		sub	edx, ebx
		mov	[esp+40h], ebx
		lea	ecx, [ecx+edx*4]
		mov	[esp+14h], ecx
		jmp	short loc_4736FD
; 

loc_4736F9:				; CODE XREF: .text:0047366Fj
		mov	ecx, [esp+14h]

loc_4736FD:				; CODE XREF: .text:004736F7j
		mov	edx, [esp+18h]
		mov	eax, [esp+44h]
		inc	edx
		add	eax, 1000h
		mov	[esp+18h], edx
		sub	dword ptr [esp+48h], 1
		mov	[esp+44h], eax
		jnz	loc_473210
		mov	eax, [esp+4Ch]
		mov	ebx, [esp+54h]
		inc	eax
		mov	[esp+4Ch], eax
		cmp	eax, [esp+50h]
		jb	loc_4731F0
		test	edx, edx
		jz	loc_4737BC
		mov	dword ptr [esp+64h], 0
		lea	esi, [ecx+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_473769
		nop

loc_473750:				; CODE XREF: .text:0047375Cj
					; .text:00473763j
		lea	ecx, [esp+64h]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_473750
		lock bts dword ptr [esi], 1Fh
		jb	short loc_473750
		mov	ecx, [esp+14h]

loc_473769:				; CODE XREF: .text:0047374Dj
		mov	al, [ecx+16h]
		and	al, 7
		cmp	al, 6
		jnz	short loc_4737D6
		mov	ecx, [esi]
		mov	edx, ecx
		and	edx, 3FFFFFFFh
		mov	eax, ecx
		sub	edx, [esp+18h]
		xor	eax, edx
		and	eax, 3FFFFFFFh
		xor	eax, ecx
		mov	[esi], eax
		test	edx, edx
		jnz	short loc_47379A
		mov	ecx, [esp+14h]
		call	_MiPfnShareCountIsZero@8 ; MiPfnShareCountIsZero(x,x)

loc_47379A:				; CODE XREF: .text:0047378Fj
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		test	edi, edi
		jz	short loc_4737BC
		mov	ecx, [esp+24h]
		mov	edx, edi
		call	_MiReducePteUseCount@8 ; MiReducePteUseCount(x,x)
		mov	esi, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4737BC:				; CODE XREF: .text:00473737j
					; .text:004737A4j
		mov	esi, [esp+28h]

loc_4737C0:				; CODE XREF: .text:004731E8j
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4737CB:				; CODE XREF: .text:004731C9j
					; .text:004731D2j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4737D6:				; CODE XREF: .text:00473770j
		call	_MiBadShareCount@4 ; MiBadShareCount(x)

loc_4737DB:				; CODE XREF: .text:00473414j
		mov	ecx, ebx
		call	_MiBadShareCount@4 ; MiBadShareCount(x)
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertPageInList(x, x)
_MiInsertPageInList@8 proc near		; CODE XREF: MiBuildReservationCluster(x,x,x,x)+160p
					; .text:0045A7A9p ...

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 60h
		xor	eax, eax
		mov	[esp+60h+var_60], edx
		push	esi
		mov	[esp+64h+var_34], eax
		mov	esi, ecx
		sub	esi, ds:_MmPfnDatabase
		mov	[esp+64h+var_30], eax
		mov	[esp+64h+var_2C], eax
		mov	eax, 92492493h
		imul	esi
		mov	[esp+64h+var_54], ecx
		xor	eax, eax
		mov	ecx, dword_6D3250
		add	edx, esi
		sar	edx, 4
		mov	esi, edx
		mov	[esp+64h+var_5C], eax
		shr	esi, 1Fh
		add	esi, edx
		mov	[esp+64h+var_48], esi
		push	edi
		cmp	esi, ecx
		jb	short loc_473852
		add	ecx, 800h
		cmp	esi, ecx
		jnb	short loc_473852
		mov	eax, 8
		jmp	short loc_47387C
; 

loc_473852:				; CODE XREF: MiInsertPageInList(x,x)+4Fj
					; MiInsertPageInList(x,x)+59j
		cmp	byte_6D5872, al
		jz	short loc_473880
		mov	edx, dword_6D5BBC
		mov	ecx, esi
		shr	ecx, 9
		mov	esi, ecx
		and	ecx, 1Fh
		shr	esi, 5
		mov	edx, [edx+esi*4]
		sar	edx, cl
		test	dl, 1
		jz	short loc_473880
		mov	eax, 2

loc_47387C:				; CODE XREF: MiInsertPageInList(x,x)+60j
		mov	[esp+68h+var_5C], eax

loc_473880:				; CODE XREF: MiInsertPageInList(x,x)+68j
					; MiInsertPageInList(x,x)+85j
		mov	edx, [esp+68h+var_60]
		test	dl, 4
		jz	short loc_473890
		mov	edi, offset unk_6D5440
		jmp	short loc_4738CB
; 

loc_473890:				; CODE XREF: MiInsertPageInList(x,x)+97j
		test	dl, 8
		jz	short loc_47389C
		mov	edi, offset dword_6D5F00
		jmp	short loc_4738CB
; 

loc_47389C:				; CODE XREF: MiInsertPageInList(x,x)+A3j
		test	dl, 10h
		jz	short loc_4738A8
		mov	edi, offset unk_6D5F40
		jmp	short loc_4738CB
; 

loc_4738A8:				; CODE XREF: MiInsertPageInList(x,x)+AFj
		test	edx, 100h
		jz	short loc_4738B7
		mov	edi, offset unk_6D5780
		jmp	short loc_4738CB
; 

loc_4738B7:				; CODE XREF: MiInsertPageInList(x,x)+BEj
		mov	edi, edx
		and	edi, 800h
		neg	edi
		sbb	edi, edi
		not	edi
		and	edi, offset dword_6D5740

loc_4738CB:				; CODE XREF: MiInsertPageInList(x,x)+9Ej
					; MiInsertPageInList(x,x)+AAj ...
		mov	ecx, [edi+4]
		xor	esi, esi
		mov	[esp+68h+var_50], ecx
		lea	ecx, [esp+68h+var_44]
		mov	[esp+68h+var_44], 0
		lock or	[ecx], esi
		mov	ecx, ds:_KiTbFlushTimeStamp
		mov	esi, [esp+68h+var_54]
		shl	ecx, 17h
		xor	ecx, [esi+10h]
		and	ecx, 7800000h
		xor	[esi+10h], ecx
		xor	ecx, ecx
		mov	[esp+68h+var_58], ecx
		mov	ecx, [esp+68h+var_50]
		cmp	ecx, 2
		jnz	loc_473AF8
		mov	dl, [esi+17h]
		test	dl, 40h
		jz	short loc_473936
		test	al, cl
		jnz	short loc_473936
		xor	edx, edx
		mov	ecx, esi
		call	_MiRestoreTransitionPte@8 ; MiRestoreTransitionPte(x,x)
		mov	edx, 20h
		mov	ecx, esi
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_473936:				; CODE XREF: MiInsertPageInList(x,x)+125j
					; MiInsertPageInList(x,x)+129j
		test	[esp+68h+var_60], 800h
		jnz	loc_473AA8
		test	dl, 8
		jz	short loc_473950
		mov	ecx, 5
		jmp	short loc_473956
; 

loc_473950:				; CODE XREF: MiInsertPageInList(x,x)+157j
		movzx	ecx, dl
		and	ecx, 7

loc_473956:				; CODE XREF: MiInsertPageInList(x,x)+15Ej
		lea	ecx, [ecx+ecx*4]
		lea	edi, unk_6D5480[ecx*4]
		test	dl, 8
		jnz	loc_473AA8
		test	al, 2
		jnz	loc_473AA8
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		mov	eax, offset dword_6D5800
		jnz	short loc_473986
		mov	eax, offset dword_6D5940

loc_473986:				; CODE XREF: MiInsertPageInList(x,x)+18Fj
		lock inc dword ptr [eax]
		xor	eax, eax
		mov	[esp+68h+var_28], eax
		mov	[esp+68h+var_24], eax
		mov	[esp+68h+var_20], eax
		mov	eax, 1
		lock xadd dword_6D5E00,	eax
		inc	eax
		mov	[esp+68h+var_4C], eax
		cmp	eax, 420h
		ja	loc_473A8D
		cmp	eax, 0A0h
		jnz	short loc_4739C5
		mov	[esp+68h+var_54], offset unk_6D58D8
		jmp	short loc_4739E7
; 

loc_4739C5:				; CODE XREF: MiInsertPageInList(x,x)+1C9j
		cmp	eax, 420h
		jnz	short loc_4739D6
		mov	[esp+68h+var_54], offset unk_6D58EC
		jmp	short loc_4739E7
; 

loc_4739D6:				; CODE XREF: MiInsertPageInList(x,x)+1DAj
		cmp	eax, 22h
		jnz	loc_473A8D
		mov	[esp+68h+var_54], offset unk_6D58C4

loc_4739E7:				; CODE XREF: MiInsertPageInList(x,x)+1D3j
					; MiInsertPageInList(x,x)+1E4j
		test	ds:byte_70EFC6,	21h
		mov	[esp+68h+var_24], offset unk_6D58C0
		mov	[esp+68h+var_28], 0
		jz	short loc_473A10
		mov	edx, offset unk_6D58C0
		lea	ecx, [esp+68h+var_28]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_473A28
; 

loc_473A10:				; CODE XREF: MiInsertPageInList(x,x)+20Ej
		lea	edx, [esp+68h+var_28]
		mov	eax, offset unk_6D58C0
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_473A28
		lea	ecx, [esp+68h+var_28]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_473A28:				; CODE XREF: MiInsertPageInList(x,x)+21Ej
					; MiInsertPageInList(x,x)+22Dj
		push	0
		push	0
		push	[esp+70h+var_54]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, [esp+68h+var_54]
		inc	dword ptr [eax+10h]
		test	ds:byte_70EFC6,	1
		jz	short loc_473A53
		mov	edx, [ebp+4]
		lea	ecx, [esp+68h+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_473A89
; 

loc_473A53:				; CODE XREF: MiInsertPageInList(x,x)+253j
		mov	eax, [esp+68h+var_28]
		test	eax, eax
		jnz	short loc_473A76
		mov	edx, [esp+68h+var_24]
		lea	eax, [esp+68h+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+68h+var_28]
		cmp	eax, ecx
		jz	short loc_473A89
		call	KxWaitForLockChainValid

loc_473A76:				; CODE XREF: MiInsertPageInList(x,x)+269j
		mov	[esp+68h+var_28], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_473A89:				; CODE XREF: MiInsertPageInList(x,x)+261j
					; MiInsertPageInList(x,x)+27Fj
		mov	eax, [esp+68h+var_4C]

loc_473A8D:				; CODE XREF: MiInsertPageInList(x,x)+1BEj
					; MiInsertPageInList(x,x)+1E9j
		dec	eax
		cmp	eax, dword_6D596C
		jz	short loc_473A9E
		cmp	eax, dword_6D5970
		jnz	short loc_473AA8

loc_473A9E:				; CODE XREF: MiInsertPageInList(x,x)+2A4j
		mov	ecx, offset _MiSystemPartition
		call	MiUpdateAvailableEvents

loc_473AA8:				; CODE XREF: MiInsertPageInList(x,x)+14Ej
					; MiInsertPageInList(x,x)+173j	...
		mov	edx, [esp+68h+var_60]
		test	dl, dl
		js	loc_473EC9
		test	ds:byte_70EFC6,	21h
		lea	eax, [edi+10h]
		mov	[esp+68h+var_30], eax
		mov	[esp+68h+var_34], 0
		jz	short loc_473ADC
		mov	edx, eax
		lea	ecx, [esp+68h+var_34]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_473EC5
; 

loc_473ADC:				; CODE XREF: MiInsertPageInList(x,x)+2DAj
		lea	edx, [esp+68h+var_34]
		xchg	edx, [eax]
		test	edx, edx
		jz	loc_473EC5
		lea	ecx, [esp+68h+var_34]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_473EC5
; 

loc_473AF8:				; CODE XREF: MiInsertPageInList(x,x)+119j
		cmp	ecx, 3
		jnz	short loc_473B20
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_473B14
		lock inc dword_6D5800
		jmp	loc_473C31
; 

loc_473B14:				; CODE XREF: MiInsertPageInList(x,x)+316j
		lock inc dword_6D5940
		jmp	loc_473C31
; 

loc_473B20:				; CODE XREF: MiInsertPageInList(x,x)+30Bj
		cmp	ecx, 4
		jnz	loc_473E03
		mov	edx, [esi+8]
		mov	ecx, [esi+0Ch]
		mov	esi, dword_6D0704
		mov	eax, dword_6D0700
		mov	[esp+68h+var_4C], esi
		or	eax, esi
		mov	esi, [esp+68h+var_54]
		jz	short loc_473B5E
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_473B5A
		not	[esp+68h+var_4C]
		and	ecx, [esp+68h+var_4C]
		jmp	short loc_473B5E
; 

loc_473B5A:				; CODE XREF: MiInsertPageInList(x,x)+35Ej
		mov	[esp+68h+var_40], edx

loc_473B5E:				; CODE XREF: MiInsertPageInList(x,x)+354j
					; MiInsertPageInList(x,x)+368j
		mov	eax, [ecx]
		mov	ecx, esi
		mov	[esp+68h+var_58], eax
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		mov	eax, offset dword_6D5800
		jnz	short loc_473B79
		mov	eax, offset dword_6D5940

loc_473B79:				; CODE XREF: MiInsertPageInList(x,x)+382j
		lock inc dword ptr [eax]
		test	ds:byte_70EFC6,	21h
		lea	eax, [edi+10h]
		mov	[esp+68h+var_30], eax
		mov	[esp+68h+var_34], 0
		jz	short loc_473BA1
		mov	edx, eax
		lea	ecx, [esp+68h+var_34]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_473BB4
; 

loc_473BA1:				; CODE XREF: MiInsertPageInList(x,x)+3A2j
		lea	edx, [esp+68h+var_34]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_473BB4
		lea	ecx, [esp+68h+var_34]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_473BB4:				; CODE XREF: MiInsertPageInList(x,x)+3AFj
					; MiInsertPageInList(x,x)+3B9j
		mov	eax, [esp+68h+var_58]
		add	eax, 24h
		push	eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	ecx, [esp+68h+var_58]
		test	byte ptr [ecx+1Ch], 8
		jnz	loc_473EC5
		lea	eax, [ecx+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		test	ds:byte_70EFC6,	1
		jz	short loc_473BEF
		mov	edx, [ebp+4]
		lea	ecx, [esp+68h+var_34]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_473C25
; 

loc_473BEF:				; CODE XREF: MiInsertPageInList(x,x)+3EFj
		mov	eax, [esp+68h+var_34]
		test	eax, eax
		jnz	short loc_473C12
		mov	edx, [esp+68h+var_30]
		lea	eax, [esp+68h+var_34]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+68h+var_34]
		cmp	eax, ecx
		jz	short loc_473C25
		call	KxWaitForLockChainValid

loc_473C12:				; CODE XREF: MiInsertPageInList(x,x)+405j
		mov	[esp+68h+var_34], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_473C25:				; CODE XREF: MiInsertPageInList(x,x)+3FDj
					; MiInsertPageInList(x,x)+41Bj
		mov	edx, [esp+68h+var_60]
		mov	[esp+68h+var_50], 3

loc_473C31:				; CODE XREF: MiInsertPageInList(x,x)+31Fj
					; MiInsertPageInList(x,x)+32Bj
		lock inc dword_6D5F00
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jnz	loc_473CC9
		test	dl, dl
		js	short loc_473C81
		add	edi, 10h
		mov	[esp+68h+var_34], eax
		test	ds:byte_70EFC6,	21h
		mov	[esp+68h+var_30], edi
		jz	short loc_473C6E
		mov	edx, edi
		lea	ecx, [esp+68h+var_34]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_473C81
; 

loc_473C6E:				; CODE XREF: MiInsertPageInList(x,x)+46Fj
		lea	edx, [esp+68h+var_34]
		xchg	edx, [edi]
		test	edx, edx
		jz	short loc_473C81
		lea	ecx, [esp+68h+var_34]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_473C81:				; CODE XREF: MiInsertPageInList(x,x)+45Bj
					; MiInsertPageInList(x,x)+47Cj	...
		mov	ecx, [esi+0Ch]
		mov	eax, ecx
		mov	edx, [esi+8]
		mov	esi, edx
		shrd	esi, eax, 0Ch
		shrd	edx, ecx, 1
		and	esi, 0Fh
		test	dl, 1
		jnz	short loc_473CAA
		cmp	esi, dword_6D50FC
		jz	short loc_473CAA
		mov	edi, offset unk_6D5540
		jmp	short loc_473CB4
; 

loc_473CAA:				; CODE XREF: MiInsertPageInList(x,x)+4A9j
					; MiInsertPageInList(x,x)+4B1j
		lea	eax, [esi+esi*4]
		lea	edi, dword_6D5580[eax*4]

loc_473CB4:				; CODE XREF: MiInsertPageInList(x,x)+4B8j
		cmp	dword ptr [edi], 0
		jnz	short loc_473CBE
		or	[esp+68h+var_5C], 4

loc_473CBE:				; CODE XREF: MiInsertPageInList(x,x)+4C7j
		inc	dword_6D5F58
		jmp	loc_473D4B
; 

loc_473CC9:				; CODE XREF: MiInsertPageInList(x,x)+453j
		test	ds:byte_70EFC6,	21h
		mov	eax, dword_6D5D40
		mov	ecx, [eax+10h]
		mov	[esp+68h+var_4C], ecx
		mov	[esp+68h+var_34], 0
		lea	eax, [ecx+ecx*4]
		lea	edi, unk_6D56C0[eax*4]
		lea	eax, [edi+10h]
		mov	[esp+68h+var_30], eax
		jz	short loc_473D04
		mov	edx, eax
		lea	ecx, [esp+68h+var_34]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_473D17
; 

loc_473D04:				; CODE XREF: MiInsertPageInList(x,x)+505j
		lea	edx, [esp+68h+var_34]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_473D1B
		lea	ecx, [esp+68h+var_34]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_473D17:				; CODE XREF: MiInsertPageInList(x,x)+512j
		mov	ecx, [esp+68h+var_4C]

loc_473D1B:				; CODE XREF: MiInsertPageInList(x,x)+51Cj
		shl	ecx, 1Ah
		xor	eax, eax
		xor	ecx, [esi+18h]
		and	ecx, 0C000000h
		mov	[esp+68h+var_1C], eax
		xor	ecx, [esi+18h]
		mov	[esp+68h+var_18], eax
		mov	[esp+68h+var_14], eax
		mov	[esp+68h+var_10], eax
		mov	[esp+68h+var_C], eax
		mov	[esp+68h+var_8], eax
		mov	[esp+68h+var_4], ecx
		mov	[esi+18h], ecx

loc_473D4B:				; CODE XREF: MiInsertPageInList(x,x)+4D4j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		inc	dword ptr [eax+348h]
		mov	esi, dword_6D5E00
		cmp	esi, 420h
		jnb	loc_473DF2
		mov	eax, dword_6D06D4
		mov	ecx, offset dword_6D5794
		mov	[esp+68h+var_40], eax
		mov	[esp+68h+var_4C], ecx

loc_473D81:				; CODE XREF: MiInsertPageInList(x,x)+5CEj
		mov	edx, [ecx]
		mov	[esp+68h+var_58], edx
		xor	edx, edx
		test	eax, eax
		jz	short loc_473DB1
		mov	ecx, [esp+68h+var_58]
		add	ecx, 4

loc_473D94:				; CODE XREF: MiInsertPageInList(x,x)+5BBj
		movzx	eax, word ptr [ecx]
		add	esi, eax
		cmp	esi, 420h
		jnb	short loc_473DF2
		mov	eax, [esp+68h+var_40]
		inc	edx
		add	ecx, 8
		cmp	edx, eax
		jb	short loc_473D94
		mov	ecx, [esp+68h+var_4C]

loc_473DB1:				; CODE XREF: MiInsertPageInList(x,x)+59Bj
		add	ecx, 4
		mov	[esp+68h+var_4C], ecx
		cmp	ecx, offset dword_6D5798
		jle	short loc_473D81
		mov	esi, dword_6D5F58
		cmp	esi, 10h
		jb	short loc_473DD8
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _MiSystemPartition
		call	MiWakeModifiedPageWriter

loc_473DD8:				; CODE XREF: MiInsertPageInList(x,x)+5D9j
		mov	eax, dword_6D5F00
		sub	eax, esi
		cmp	eax, 10h
		jb	short loc_473DF2
		push	0
		push	0
		push	offset unk_6D500C
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_473DF2:				; CODE XREF: MiInsertPageInList(x,x)+579j
					; MiInsertPageInList(x,x)+5AFj	...
		mov	esi, [esp+68h+var_54]
		mov	[esp+68h+var_58], 0
		jmp	loc_473EC5
; 

loc_473E03:				; CODE XREF: MiInsertPageInList(x,x)+333j
		test	byte ptr [esi+17h], 40h
		jz	short loc_473E16
		xor	edx, edx
		mov	ecx, esi
		call	_MiSetPfnRemovalRequested@8 ; MiSetPfnRemovalRequested(x,x)
		mov	edx, [esp+68h+var_60]

loc_473E16:				; CODE XREF: MiInsertPageInList(x,x)+617j
		test	edx, 100h
		jz	short loc_473E61
		test	ds:byte_70EFC6,	21h
		mov	[esp+68h+var_30], offset unk_6D5790
		mov	[esp+68h+var_34], 0
		jz	short loc_473E47
		mov	edx, offset unk_6D5790
		lea	ecx, [esp+68h+var_34]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_473EBE
; 

loc_473E47:				; CODE XREF: MiInsertPageInList(x,x)+645j
		lea	edx, [esp+68h+var_34]
		mov	eax, offset unk_6D5790
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_473EBE
		lea	ecx, [esp+68h+var_34]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_473EBE
; 

loc_473E61:				; CODE XREF: MiInsertPageInList(x,x)+62Cj
		cmp	edi, offset dword_6CF480
		jz	short loc_473E75
		mov	edx, 0Ch
		mov	ecx, esi
		call	MiClearPfnImageVerified

loc_473E75:				; CODE XREF: MiInsertPageInList(x,x)+677j
		test	ds:byte_70EFC6,	21h
		mov	[esp+68h+var_30], offset unk_6D5750
		mov	[esp+68h+var_34], 0
		jz	short loc_473E9E
		mov	edx, offset unk_6D5750
		lea	ecx, [esp+68h+var_34]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_473EB6
; 

loc_473E9E:				; CODE XREF: MiInsertPageInList(x,x)+69Cj
		lea	edx, [esp+68h+var_34]
		mov	eax, offset unk_6D5750
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_473EB6
		lea	ecx, [esp+68h+var_34]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_473EB6:				; CODE XREF: MiInsertPageInList(x,x)+6ACj
					; MiInsertPageInList(x,x)+6BBj
		cmp	edi, offset dword_6CF480
		jz	short loc_473EC5

loc_473EBE:				; CODE XREF: MiInsertPageInList(x,x)+655j
					; MiInsertPageInList(x,x)+664j	...
		mov	dword ptr [esi+4], 0FFFFFFFCh

loc_473EC5:				; CODE XREF: MiInsertPageInList(x,x)+2E7j
					; MiInsertPageInList(x,x)+2F4j	...
		mov	edx, [esp+68h+var_60]

loc_473EC9:				; CODE XREF: MiInsertPageInList(x,x)+2BEj
		mov	eax, [esp+68h+var_5C]
		shr	eax, 1
		test	byte ptr [esi+17h], 8
		jnz	short loc_473EEC
		test	al, 1
		jz	short loc_473EE8
		test	edx, 800h
		jnz	short loc_473EE8
		cmp	[esp+68h+var_50], 2
		jz	short loc_473EEC

loc_473EE8:				; CODE XREF: MiInsertPageInList(x,x)+6E7j
					; MiInsertPageInList(x,x)+6EFj
		inc	dword ptr [edi]
		jmp	short loc_473EF7
; 

loc_473EEC:				; CODE XREF: MiInsertPageInList(x,x)+6E3j
					; MiInsertPageInList(x,x)+6F6j
		test	al, 1
		jnz	short loc_473EF7
		mov	ecx, esi
		call	_MiInsertDecayClusterTimer@4 ; MiInsertDecayClusterTimer(x)

loc_473EF7:				; CODE XREF: MiInsertPageInList(x,x)+6FAj
					; MiInsertPageInList(x,x)+6FEj
		mov	eax, [edi+0Ch]
		mov	edx, [esp+68h+var_48]
		mov	[esp+68h+var_40], eax
		cmp	eax, offset loc_7FFFFF
		jz	short loc_473F1C
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		mov	[eax+ecx*4], edx
		jmp	short loc_473F1F
; 

loc_473F1C:				; CODE XREF: MiInsertPageInList(x,x)+717j
		mov	[edi+8], edx

loc_473F1F:				; CODE XREF: MiInsertPageInList(x,x)+72Aj
		mov	al, [esi+16h]
		cmp	edi, offset dword_6CF480
		jnz	short loc_473F40
		and	al, 0FAh
		or	al, 2
		mov	[esi+16h], al
		mov	al, [esi+17h]
		or	al, 10h
		mov	[esi+17h], al
		call	_MiWakeFileOnlyReaper@0	; MiWakeFileOnlyReaper()
		jmp	short loc_473F4E
; 

loc_473F40:				; CODE XREF: MiInsertPageInList(x,x)+738j
		mov	ecx, [esp+68h+var_50]
		xor	cl, al
		and	cl, 7
		xor	cl, al
		mov	[esi+16h], cl

loc_473F4E:				; CODE XREF: MiInsertPageInList(x,x)+74Ej
		mov	eax, [esp+68h+var_48]
		mov	[edi+0Ch], eax
		mov	eax, [esi+10h]
		xor	eax, [esp+68h+var_40]
		and	eax, offset loc_7FFFFF
		xor	eax, [esi+10h]
		mov	dword ptr [esi], offset	loc_7FFFFF
		mov	[esi+10h], eax
		mov	eax, [esp+68h+var_58]
		test	eax, eax
		jz	short loc_473F7E
		add	eax, 24h
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_473F7E:				; CODE XREF: MiInsertPageInList(x,x)+783j
		test	byte ptr [esp+68h+var_60], 80h
		jnz	short loc_473FD2
		test	ds:byte_70EFC6,	1
		jz	short loc_473F9C
		mov	edx, [ebp+4]
		lea	ecx, [esp+68h+var_34]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_473FD2
; 

loc_473F9C:				; CODE XREF: MiInsertPageInList(x,x)+79Cj
		mov	eax, [esp+68h+var_34]
		test	eax, eax
		jnz	short loc_473FBF
		mov	edx, [esp+68h+var_30]
		lea	eax, [esp+68h+var_34]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+68h+var_34]
		cmp	eax, ecx
		jz	short loc_473FD2
		call	KxWaitForLockChainValid

loc_473FBF:				; CODE XREF: MiInsertPageInList(x,x)+7B2j
		mov	[esp+68h+var_34], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_473FD2:				; CODE XREF: MiInsertPageInList(x,x)+793j
					; MiInsertPageInList(x,x)+7AAj	...
		test	byte ptr [esp+68h+var_5C], 4
		jz	short loc_473FE7
		push	0
		push	0
		push	offset unk_6D5050
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_473FE7:				; CODE XREF: MiInsertPageInList(x,x)+7E7j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_MiInsertPageInList@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInsertAndUnlockStandbyPages proc near	; CODE XREF: .text:00478CC1p
					; MiFinishHardFault(x,x,x,x)+3B9p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005B34E5 SIZE 000000CB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	ebx, edx
		mov	[ebp+var_10], ecx
		push	edi
		lea	edi, [ebp+var_1C]
		stosd
		stosd
		stosd
		test	ecx, ecx
		jz	short loc_47406D
		xor	edi, edi
		test	esi, esi
		jz	short loc_474028

loc_474018:				; CODE XREF: MiInsertAndUnlockStandbyPages+36j
		mov	edx, [ebx+edi*4]
		call	_MiInsertProtectedStandbyPage@8	; MiInsertProtectedStandbyPage(x,x)
		mov	ecx, [ebp+var_10]
		inc	edi
		cmp	edi, esi
		jb	short loc_474018

loc_474028:				; CODE XREF: MiInsertAndUnlockStandbyPages+26j
					; MiInsertAndUnlockStandbyPages+8Bj ...
		mov	dl, [ebp+arg_4]
		cmp	dl, 21h
		jz	short loc_474031
		dec	esi

loc_474031:				; CODE XREF: MiInsertAndUnlockStandbyPages+3Ej
		xor	eax, eax
		mov	edi, 7FFFFFFFh
		test	esi, esi
		jz	short loc_47404E
		lea	esp, [esp+0]

loc_474040:				; CODE XREF: MiInsertAndUnlockStandbyPages+5Cj
		mov	ecx, [ebx+eax*4]
		add	ecx, 10h
		lock and [ecx],	edi
		inc	eax
		cmp	eax, esi
		jb	short loc_474040

loc_47404E:				; CODE XREF: MiInsertAndUnlockStandbyPages+4Aj
		cmp	dl, 21h
		jz	short loc_474064
		mov	eax, [ebx+eax*4]
		add	eax, 10h
		lock and [eax],	edi
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_474064:				; CODE XREF: MiInsertAndUnlockStandbyPages+61j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_47406D:				; CODE XREF: MiInsertAndUnlockStandbyPages+20j
		xor	eax, eax
		mov	[ebp+var_4], 0FFFFFFh
		mov	[ebp+var_C], eax
		test	esi, esi
		jz	short loc_474028
		lea	ecx, [ecx+0]

loc_474080:				; CODE XREF: MiInsertAndUnlockStandbyPages+126j
		mov	edi, [ebx+eax*4]
		mov	ecx, edi
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		mov	[ebp+arg_0], edi
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	edx, [edi+10h]
		mov	[ebp+var_10], eax
		and	edx, 3FFFFFFFh
		jnz	loc_5B357F
		mov	cl, [edi+16h]
		mov	al, cl
		and	al, 7
		cmp	al, 6
		jz	loc_5B357F
		test	cl, 10h
		jnz	loc_5B357F
		mov	al, [edi+17h]
		test	al, 40h
		jnz	loc_5B34E5
		test	al, 8
		jnz	loc_5B3546
		movzx	edi, al
		and	edi, 7

loc_4740E4:				; CODE XREF: MiInsertAndUnlockStandbyPages+13F55Bj
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	loc_4741BD

loc_4740EF:				; CODE XREF: MiInsertAndUnlockStandbyPages+1D5j
		mov	eax, [ebp+var_4]
		cmp	edi, eax
		jnz	short loc_474170
		cmp	ecx, offset _MiSystemPartition
		jnz	short loc_474170

loc_4740FE:				; CODE XREF: MiInsertAndUnlockStandbyPages+1BAj
					; MiInsertAndUnlockStandbyPages+1C8j ...
		mov	edi, [ebp+arg_0]
		mov	edx, 84h

loc_474106:				; CODE XREF: MiInsertAndUnlockStandbyPages+13F551j
		mov	ecx, edi
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		mov	eax, [ebp+var_C]
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, esi
		jb	loc_474080
		cmp	[ebp+var_4], 0FFFFFFh
		jz	loc_474028
		test	ds:byte_70EFC6,	1
		jnz	loc_5B356F
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_474159
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	loc_474028
		call	KxWaitForLockChainValid

loc_474159:				; CODE XREF: MiInsertAndUnlockStandbyPages+14Bj
		mov	[ebp+var_1C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_474028
; 

loc_474170:				; CODE XREF: MiInsertAndUnlockStandbyPages+104j
					; MiInsertAndUnlockStandbyPages+10Cj
		cmp	eax, 0FFFFFFh
		jnz	short loc_4741CA

loc_474177:				; CODE XREF: MiInsertAndUnlockStandbyPages+1FFj
					; MiInsertAndUnlockStandbyPages+218j ...
		test	ds:byte_70EFC6,	21h
		mov	eax, offset _MiSystemPartition
		mov	[ebp+var_8], eax
		lea	eax, [edi+edi*4]
		lea	eax, unk_6D5490[eax*4]
		mov	[ebp+var_4], edi
		mov	[ebp+var_18], eax
		mov	[ebp+var_1C], 0
		jnz	loc_5B3560
		lea	edx, [ebp+var_1C]
		xchg	edx, [eax]
		test	edx, edx
		jz	loc_4740FE
		lea	ecx, [ebp+var_1C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4740FE
; 

loc_4741BD:				; CODE XREF: MiInsertAndUnlockStandbyPages+F9j
		mov	ecx, offset _MiSystemPartition
		mov	[ebp+var_8], ecx
		jmp	loc_4740EF
; 

loc_4741CA:				; CODE XREF: MiInsertAndUnlockStandbyPages+185j
		test	ds:byte_70EFC6,	1
		jnz	loc_5B3550
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_4741F6
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_474177
		call	KxWaitForLockChainValid

loc_4741F6:				; CODE XREF: MiInsertAndUnlockStandbyPages+1ECj
		mov	[ebp+var_1C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_474177
MiInsertAndUnlockStandbyPages endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPfnShareCountIsZero(x, x)
_MiPfnShareCountIsZero@8 proc near	; CODE XREF: MiCopyOnWrite(x,x,x,x)+A79p
					; .text:00472207p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		mov	[esp+28h+var_C], ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_474489
		mov	ecx, [edi+8]
		nop
		mov	eax, [edi+0Ch]
		mov	edx, [edi+18h]
		shrd	ecx, eax, 5
		and	edx, offset loc_7FFFFF
		shr	eax, 5
		mov	[esp+28h+var_4], eax
		mov	eax, [edi+4]
		mov	[esp+28h+var_14], ecx
		lea	ecx, ds:0[edx*8]
		mov	[esp+28h+var_18], eax
		sub	ecx, edx
		mov	eax, ds:_MmPfnDatabase
		movzx	eax, byte ptr [eax+ecx*4+16h]
		shr	eax, 6
		test	eax, eax
		jz	short loc_474284
		cmp	eax, 3
		jz	short loc_474284
		cmp	eax, 2
		jnz	short loc_47428B
		mov	eax, 1Ch
		jmp	short loc_474290
; 

loc_474284:				; CODE XREF: MiPfnShareCountIsZero(x,x)+61j
					; MiPfnShareCountIsZero(x,x)+66j
		mov	eax, 0Ch
		jmp	short loc_474290
; 

loc_47428B:				; CODE XREF: MiPfnShareCountIsZero(x,x)+6Bj
		mov	eax, 4

loc_474290:				; CODE XREF: MiPfnShareCountIsZero(x,x)+72j
					; MiPfnShareCountIsZero(x,x)+79j
		and	eax, 1Fh
		mov	esi, ds:_MmProtectToPteMask[eax*8]
		mov	ecx, ds:dword_40B4DC[eax*8]
		and	esi, 0F7Fh
		xor	eax, eax
		and	ecx, 0FFFFFFE0h
		shld	eax, edx, 0Ch
		or	ecx, eax
		shl	edx, 0Ch
		mov	al, byte ptr word_6D07B8
		or	esi, edx
		and	al, 1
		or	esi, 121h
		movzx	eax, al
		and	esi, 0FFFFFEFFh
		cdq
		shld	edx, eax, 8
		shl	eax, 8
		or	edx, ecx
		or	eax, esi
		xor	esi, esi
		or	eax, 42h
		mov	[esp+28h+var_1C], eax
		mov	eax, large fs:20h
		mov	ecx, [eax+3D34h]
		mov	eax, ecx
		and	eax, 0FFFh
		and	ecx, 0FFFFF000h
		shl	eax, 0Ch
		add	ecx, eax
		mov	[esp+28h+var_10], ecx
		shr	ecx, 9
		sub	ecx, 40000000h
		cmp	dword_6D07D0, 0C0000000h
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	ecx, 0C0603000h
		jb	short loc_474374
		cmp	ecx, eax
		jnb	short loc_474374
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_474350
		cmp	byte ptr word_6D07B8+1,	0
		mov	esi, 1
		mov	eax, [esp+28h+var_1C]
		jnz	short loc_474378
		or	edx, 80000000h
		jmp	short loc_474378
; 

loc_474350:				; CODE XREF: MiPfnShareCountIsZero(x,x)+124j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, [esp+28h+var_1C]
		jz	short loc_474378
		or	edx, 80000000h
		jmp	short loc_474378
; 

loc_474374:				; CODE XREF: MiPfnShareCountIsZero(x,x)+117j
					; MiPfnShareCountIsZero(x,x)+11Bj
		mov	eax, [esp+28h+var_1C]

loc_474378:				; CODE XREF: MiPfnShareCountIsZero(x,x)+136j
					; MiPfnShareCountIsZero(x,x)+13Ej ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], eax
		test	esi, esi
		jz	short loc_474389
		push	edx
		push	eax
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_474389:				; CODE XREF: MiPfnShareCountIsZero(x,x)+170j
		mov	eax, [esp+28h+var_18]
		mov	ecx, [esp+28h+var_10]
		shr	eax, 3
		and	eax, 1FFh
		mov	[esp+28h+var_18], eax
		lea	eax, [ecx+eax*8]
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		nop
		mov	edx, [esp+28h+var_14]
		xor	esi, esi
		and	edx, 1Fh
		and	eax, 1Fh
		or	edx, 40h
		and	ecx, 0FFFFF000h
		shld	esi, edx, 5
		shl	edx, 5
		or	esi, eax
		mov	eax, dword_6D0700
		or	edx, ecx
		mov	ecx, dword_6D0704
		mov	[esp+28h+var_1C], eax
		or	eax, ecx
		mov	[esp+28h+var_14], ecx
		jz	short loc_4743FB
		mov	ecx, edx
		mov	eax, esi
		and	ecx, [esp+28h+var_1C]
		and	eax, [esp+28h+var_14]
		or	ecx, eax
		jnz	short loc_4743F8
		or	edx, [esp+28h+var_1C]
		or	esi, [esp+28h+var_14]
		jmp	short loc_4743FB
; 

loc_4743F8:				; CODE XREF: MiPfnShareCountIsZero(x,x)+1DCj
		or	edx, 10h

loc_4743FB:				; CODE XREF: MiPfnShareCountIsZero(x,x)+1CCj
					; MiPfnShareCountIsZero(x,x)+1E6j
		mov	eax, [esp+28h+var_18]
		mov	ebx, [esp+28h+var_10]
		lea	ecx, [ebx+eax*8]
		mov	[esp+28h+var_8], edx
		mov	[esp+28h+var_4], esi
		mov	[ecx], edx
		nop
		mov	[ecx+4], esi
		mov	eax, large fs:20h
		mov	[esp+28h+var_18], eax
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		mov	eax, [eax+3D34h]
		mov	esi, eax
		and	esi, 0FFFh
		and	eax, 0FFFFF000h
		mov	[esp+28h+var_14], eax
		lea	eax, [esi+1]
		mov	[esp+28h+var_10], eax
		mov	eax, ds:_ZeroPte
		mov	[ecx-40000000h], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	ebx, [esp+28h+var_C]
		mov	[ecx-3FFFFFFCh], eax
		cmp	esi, 0FFh
		jnz	short loc_47446D
		call	_MiFlushHyperSpace@0 ; MiFlushHyperSpace()

loc_47446D:				; CODE XREF: MiPfnShareCountIsZero(x,x)+256j
		mov	eax, [esp+28h+var_18]
		sub	esi, 0FFh
		neg	esi
		sbb	esi, esi
		and	esi, [esp+28h+var_10]
		or	esi, [esp+28h+var_14]
		mov	[eax+3D34h], esi

loc_474489:				; CODE XREF: MiPfnShareCountIsZero(x,x)+1Dj
		mov	eax, 0FFFFh
		add	[edi+14h], ax
		mov	eax, [edi+10h]
		jz	short loc_4744E1
		test	eax, 40000000h
		mov	al, [edi+16h]
		jz	short loc_4744A5
		or	al, 7
		jmp	short loc_4744B3
; 

loc_4744A5:				; CODE XREF: MiPfnShareCountIsZero(x,x)+28Fj
		test	al, 10h
		jz	short loc_4744AF
		and	al, 0FBh
		or	al, 3
		jmp	short loc_4744B3
; 

loc_4744AF:				; CODE XREF: MiPfnShareCountIsZero(x,x)+297j
		and	al, 0FAh
		or	al, 2

loc_4744B3:				; CODE XREF: MiPfnShareCountIsZero(x,x)+293j
					; MiPfnShareCountIsZero(x,x)+29Dj
		mov	[edi+16h], al
		lea	ecx, [edi+8]
		mov	eax, [ecx]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_4744D5
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jz	short loc_4744D5
		mov	byte_6D4FB7, 1

loc_4744D5:				; CODE XREF: MiPfnShareCountIsZero(x,x)+2B3j
					; MiPfnShareCountIsZero(x,x)+2BCj
		mov	eax, 3
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4744E1:				; CODE XREF: MiPfnShareCountIsZero(x,x)+285j
		test	eax, 40000000h
		jz	short loc_474562
		mov	al, [edi+17h]
		test	al, 10h
		jz	short loc_4744F4
		and	al, 0EFh
		mov	[edi+17h], al

loc_4744F4:				; CODE XREF: MiPfnShareCountIsZero(x,x)+2DDj
		mov	edx, [edi+8]
		mov	eax, edx
		mov	esi, [edi+0Ch]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_474533
		mov	ecx, edx
		mov	eax, esi
		shrd	ecx, eax, 2
		test	cl, 1
		jnz	short loc_47451E
		mov	ecx, edx
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_474533

loc_47451E:				; CODE XREF: MiPfnShareCountIsZero(x,x)+301j
		nop
		mov	eax, edx
		or	eax, esi
		jz	short loc_474533
		push	esi
		push	edx
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_474533:				; CODE XREF: MiPfnShareCountIsZero(x,x)+2F4j
					; MiPfnShareCountIsZero(x,x)+30Cj ...
		sub	edi, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	edi
		add	edx, edi
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	edx, 2
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	eax, 4
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_474562:				; CODE XREF: MiPfnShareCountIsZero(x,x)+2D6j
		mov	al, [edi+16h]
		test	al, 10h
		jz	short loc_47458A
		dec	ebx
		mov	ecx, edi
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 0FFFFFF80h
		lea	edx, [ebx+88h]
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		mov	eax, 4
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_47458A:				; CODE XREF: MiPfnShareCountIsZero(x,x)+357j
		and	al, 0FAh
		or	al, 2
		mov	[edi+16h], al
		cmp	ebx, 1
		jbe	short loc_4745B7
		mov	ecx, edi
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		cmp	eax, 5
		jnb	short loc_4745B7
		mov	edx, edi
		mov	ecx, ebx
		call	_MiInsertProtectedStandbyPage@8	; MiInsertProtectedStandbyPage(x,x)
		mov	eax, 4
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4745B7:				; CODE XREF: MiPfnShareCountIsZero(x,x)+384j
					; MiPfnShareCountIsZero(x,x)+390j
		mov	edx, 4
		mov	ecx, edi
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		pop	edi
		pop	esi
		mov	eax, 4
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiPfnShareCountIsZero@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiWriteCompletePfn proc	near		; CODE XREF: MiUnlockMdlWritePages+109p
					; MiWriteComplete+1D8p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B35B0 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		mov	ecx, [ebp+arg_0]
		mov	[esp+14h+var_4], ebx
		mov	[esp+14h+var_8], ebx
		push	edi
		test	cl, 1
		jnz	loc_474725
		test	cl, 2
		jnz	loc_4746BF

loc_4745FF:				; CODE XREF: MiWriteCompletePfn+131j
					; MiWriteCompletePfn+173j ...
		mov	al, [esi+16h]
		and	al, 0F7h
		mov	[esi+16h], al
		mov	eax, 0FFFFh
		add	[esi+14h], ax
		jnz	short loc_47467E
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jz	short loc_47468D

loc_47461F:				; CODE XREF: MiWriteCompletePfn+C4j
					; MiWriteCompletePfn+E1j
		test	cl, 8
		jnz	loc_4746B6

loc_474628:				; CODE XREF: MiWriteCompletePfn+EAj
		mov	edi, esi
		mov	eax, 92492493h
		sub	edi, ds:_MmPfnDatabase
		imul	edi
		add	edx, edi
		sar	edx, 4
		mov	edi, edx
		shr	edi, 1Fh
		add	edi, edx
		test	cl, 4
		jnz	loc_5B35DA
		mov	eax, [esi+10h]
		mov	ecx, eax
		and	ecx, 3FFFFFFFh
		jnz	loc_5B35CD
		test	eax, 40000000h
		jnz	loc_47475C
		test	byte ptr [esi+16h], 10h
		mov	ecx, esi
		jnz	loc_47470C
		mov	edx, 4
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)

loc_47467E:				; CODE XREF: MiWriteCompletePfn+40j
					; MiWriteCompletePfn+1B6j
		mov	edx, [esp+18h+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_47468D:				; CODE XREF: MiWriteCompletePfn+4Dj
		test	dword ptr [esi+10h], 40000000h
		jz	short loc_47461F
		mov	ecx, esi
		call	_MiIsPfnCommitNotCharged@4 ; MiIsPfnCommitNotCharged(x)
		test	eax, eax
		jnz	short loc_4746AE
		lea	edx, [eax+1]
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit

loc_4746AE:				; CODE XREF: MiWriteCompletePfn+CFj
		mov	ecx, [ebp+arg_0]
		jmp	loc_47461F
; 

loc_4746B6:				; CODE XREF: MiWriteCompletePfn+52j
		and	byte ptr [esi+17h], 0F8h
		jmp	loc_474628
; 

loc_4746BF:				; CODE XREF: MiWriteCompletePfn+29j
		lea	edx, [esi+8]
		mov	ecx, offset _MiSystemPartition
		call	_MI_IS_PTE_IN_WS_SWAP_SET@8 ; MI_IS_PTE_IN_WS_SWAP_SET(x,x)
		mov	ebx, eax
		mov	[esp+18h+var_4], ebx
		test	ebx, ebx
		jnz	short loc_4746E5
		mov	edx, [esi+8]
		mov	ecx, [esi+0Ch]
		shrd	edx, ecx, 1
		test	dl, 1
		jnz	short loc_474748

loc_4746E5:				; CODE XREF: MiWriteCompletePfn+104j
					; MiWriteCompletePfn+185j ...
		push	ebx
		mov	edx, 1
		lea	ecx, [esi+8]
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		cmp	[esp+18h+var_4], 0
		mov	ebx, eax
		mov	ecx, [ebp+arg_0]
		mov	[esp+18h+var_8], edx
		jz	loc_4745FF
		jmp	loc_5B35BE
; 

loc_47470C:				; CODE XREF: MiWriteCompletePfn+9Ej
		mov	edx, 8
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		mov	edx, [esp+18h+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_474725:				; CODE XREF: MiWriteCompletePfn+20j
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jz	loc_5B3591

loc_474736:				; CODE XREF: MiInsertAndUnlockStandbyPages+13F5BBj
		mov	bl, [esi+16h]
		or	bl, 10h
		mov	[esi+16h], bl
		mov	ebx, [esp+18h+var_4]
		jmp	loc_4745FF
; 

loc_474748:				; CODE XREF: MiWriteCompletePfn+113j
		mov	eax, [esi+18h]
		and	eax, 70000000h
		cmp	eax, 20000000h
		jnz	short loc_4746E5
		jmp	loc_5B35B0
; 

loc_47475C:				; CODE XREF: MiWriteCompletePfn+92j
		mov	al, [esi+17h]
		test	al, 10h
		jnz	short loc_47478B

loc_474763:				; CODE XREF: MiWriteCompletePfn+1C0j
		mov	eax, [esi+0Ch]
		mov	edx, 1
		push	eax
		mov	eax, [esi+8]
		mov	ecx, offset _MiSystemPartition
		push	eax
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)

loc_47477A:				; CODE XREF: MiWriteCompletePfn+13F016j
		mov	edx, 2
		mov	ecx, edi
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		jmp	loc_47467E
; 

loc_47478B:				; CODE XREF: MiWriteCompletePfn+191j
		and	al, 0EFh
		mov	[esi+17h], al
		jmp	short loc_474763
MiWriteCompletePfn endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiGetContainingPageTable(x)
_MiGetContainingPageTable@4 proc near	; CODE XREF: MmUnmapViewInSystemCache+42p
					; .text:00471754p ...
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		mov	eax, [ecx-40000000h]
		nop
		mov	ecx, [ecx-3FFFFFFCh]
		nop
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		retn
_MiGetContainingPageTable@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiUnlockMdlWritePages proc near		; CODE XREF: MiUnlockFlushMdl+4Dp
					; MiFlushComplete(x,x,x)+62p

var_38		= dword	ptr -38h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B35EB SIZE 000000D7 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, [ebx+8]
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp-1Ch], edx
		mov	eax, [eax]
		shr	eax, 1Fh
		mov	[ebp-14h], eax
		cmp	edi, edx
		jnb	loc_4748FE

loc_474805:				; CODE XREF: MiUnlockMdlWritePages+128j
		mov	eax, [edi]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+ecx*4]
		mov	cl, 2
		mov	[ebp-18h], esi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp-1], al
		add	esi, 10h
		mov	dword ptr [ebp-0Ch], 0
		lock bts dword ptr [esi], 1Fh
		jb	loc_474980

loc_47483B:				; CODE XREF: MiUnlockMdlWritePages+1C2j
		xor	eax, eax
		mov	esi, 1
		mov	[ebp-8], esi
		mov	[ebp-28h], eax
		mov	[ebp-24h], eax
		mov	[ebp-20h], eax
		cmp	dword_6D5BE0, eax
		jnz	loc_5B35EB

loc_47485A:				; CODE XREF: MiUnlockMdlWritePages+13EE91j
		mov	eax, large fs:20h
		mov	edx, [eax+3D2Ch]
		add	eax, 3D2Ch
		mov	[ebp-10h], eax
		lea	eax, [edx+esi]
		cmp	eax, 100h
		ja	loc_474909
		lea	esp, [esp+0]

loc_474880:				; CODE XREF: MiUnlockMdlWritePages+13EE9Fj
		lea	ecx, [edx+esi]
		mov	eax, edx
		mov	esi, [ebp-10h]
		lock cmpxchg [esi], ecx
		mov	esi, [ebp-8]
		cmp	eax, edx
		jnz	loc_5B3666

loc_474897:				; CODE XREF: MiUnlockMdlWritePages+160j
					; MiUnlockMdlWritePages+13EE8Bj ...
		mov	eax, large fs:20h
		mov	ecx, [eax+3D30h]
		lea	esi, [eax+3D30h]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_5B369C
		lea	eax, [ecx+1]
		cmp	eax, 100h
		ja	short loc_47493B
		lea	esp, [esp+0]

loc_4748C0:				; CODE XREF: MiUnlockMdlWritePages+13EEE7j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jnz	loc_5B36A6

loc_4748D1:				; CODE XREF: MiUnlockMdlWritePages+199j
					; MiUnlockMdlWritePages+1A8j
		push	dword ptr [ebp-14h]
		mov	esi, [ebp-18h]
		mov	ecx, esi
		call	MiWriteCompletePfn
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		add	edi, 4
		cmp	edi, [ebp-1Ch]
		jb	loc_474805

loc_4748FE:				; CODE XREF: MiUnlockMdlWritePages+2Fj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_474909:				; CODE XREF: MiUnlockMdlWritePages+A6j
					; MiUnlockMdlWritePages+13EEA5j
		mov	eax, esi
		mov	ecx, offset dword_6D5EFC
		neg	eax
		lock xadd [ecx], eax
		mov	edx, dword_6D5BD4
		mov	ecx, eax
		sub	ecx, esi
		cmp	eax, edx
		jnb	loc_5B367A

loc_474928:				; CODE XREF: MiUnlockMdlWritePages+13EEAEj
		mov	edx, dword_6D5BD0
		cmp	eax, edx
		jb	loc_474897
		jmp	loc_5B3683
; 

loc_47493B:				; CODE XREF: MiUnlockMdlWritePages+EAj
					; MiUnlockMdlWritePages+13EEDBj ...
		mov	edx, 1
		cmp	ecx, 0C0h
		jle	short loc_474967
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_474967
		mov	edx, 0C0h
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	edx, 1
		cmp	eax, ecx
		jnz	short loc_474967
		lea	edx, [ecx-0BFh]

loc_474967:				; CODE XREF: MiUnlockMdlWritePages+176j
					; MiUnlockMdlWritePages+17Bj ...
		test	edx, edx
		jz	loc_4748D1

loc_47496F:				; CODE XREF: MiUnlockMdlWritePages+13EED1j
		mov	eax, offset dword_6D5E40
		lock xadd [eax], edx
		jmp	loc_4748D1
; 
		align 10h

loc_474980:				; CODE XREF: MiUnlockMdlWritePages+65j
					; MiUnlockMdlWritePages+1BBj ...
		lea	ecx, [ebp-0Ch]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_474980
		lock bts dword ptr [esi], 1Fh
		jnb	loc_47483B
		jmp	short loc_474980
MiUnlockMdlWritePages endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFreeWsleList	proc near		; CODE XREF: .text:004539C8p
					; .text:00453A16p ...

var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= word ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B36C2 SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1C4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [esp+1D4h+var_1A8]
		mov	[esp+1D4h+var_1BC], edx
		mov	edi, ecx
		push	0		; int
		push	eax		; void *
		mov	[esp+1DCh+var_1B4], edi
		call	_memset
		mov	edx, [esp+1DCh+var_1BC]
		add	esp, 0Ch
		mov	ecx, edi
		mov	ebx, [edx+0Ch]
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		test	byte ptr [edi+60h], 7
		mov	[esp+1D0h+var_1A8], eax
		mov	[esp+1D0h+var_1A4], 0
		mov	[esp+1D0h+var_198], 0
		mov	[esp+1D0h+var_1A0], 21h
		mov	[esp+1D0h+var_194], 0
		mov	[esp+1D0h+var_1B8], 0
		jnz	short loc_474A40
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [eax+24Ch]
		mov	eax, [ecx+88h]
		or	eax, [ecx+8Ch]
		jnz	loc_5B36C2

loc_474A40:				; CODE XREF: MiFreeWsleList+7Aj
		mov	eax, [ebp+arg_0]

loc_474A43:				; CODE XREF: MiFreeWsleList+13ED28j
		xor	ecx, ecx
		mov	[esp+1D0h+var_1C0], eax
		mov	[esp+1D0h+var_1C4], ecx
		lea	ecx, [ecx+0]

loc_474A50:				; CODE XREF: MiFreeWsleList+127j
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_474AA6
		lea	edi, [edx+14h]
		lea	esp, [esp+0]

loc_474A60:				; CODE XREF: MiFreeWsleList+104j
		mov	edx, [edi]
		and	edx, 0FFFFF000h
		test	ecx, ecx
		jnz	loc_474B05
		nop
		lea	ecx, [esp+1D0h+var_1A8]
		push	ecx
		mov	ecx, [esp+1D4h+var_1B4]
		push	eax
		call	_MiWsleFlush@16	; MiWsleFlush(x,x,x,x)
		mov	ecx, [esp+1D8h+var_1CC]
		mov	[esp+esi*8+1D8h+var_118], eax
		or	eax, edx
		mov	[esp+esi*8+1D8h+var_114], edx
		jz	loc_474B49

loc_474A9A:				; CODE XREF: MiFreeWsleList+1A4j
					; MiFreeWsleList+1ADj ...
		mov	eax, [esp+1D8h+var_1C8]
		inc	esi
		add	edi, 4
		cmp	esi, ebx
		jb	short loc_474A60

loc_474AA6:				; CODE XREF: MiFreeWsleList+B4j
		test	ecx, ecx
		jnz	short loc_474AB7
		lea	ecx, [esp+1D8h+var_1B0]
		call	MiFlushTbList
		mov	ecx, [esp+1D8h+var_1CC]

loc_474AB7:				; CODE XREF: MiFreeWsleList+108j
		mov	eax, [esp+1D8h+var_1C8]
		inc	ecx
		mov	edx, [esp+1D8h+var_1C4]
		mov	[esp+1D8h+var_1CC], ecx
		cmp	ecx, 2
		jb	short loc_474A50
		mov	edi, [esp+1D8h+var_1C0]
		mov	esi, edx
		cmp	edi, ebx
		jz	short loc_474AE5
		mov	ecx, [esp+1D8h+var_1BC]
		lea	eax, [esp+1D8h+var_118]
		push	ebx
		push	eax
		call	MiRemoveWsleList

loc_474AE5:				; CODE XREF: MiFreeWsleList+131j
		mov	ecx, [esp+1D8h+var_C]
		mov	eax, edi
		pop	edi
		mov	dword ptr [esi+0Ch], 0
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_474B05:				; CODE XREF: MiFreeWsleList+CAj
		mov	eax, [esp+esi*8+1D0h+var_110]
		mov	ecx, [esp+esi*8+1D0h+var_10C]
		mov	[esp+1D0h+var_1AC], eax
		or	eax, ecx
		mov	[esp+1D0h+var_1B0], ecx
		mov	ecx, [esp+1D0h+var_1C4]
		jz	short loc_474B52
		push	[esp+1D0h+var_1B0]
		mov	ecx, [esp+1D4h+var_1B4]
		push	[esp+1D4h+var_1AC]
		push	[esp+1D8h+var_1C0]
		call	_MiWsleFree@20	; MiWsleFree(x,x,x,x,x)
		mov	ecx, [esp+1D0h+var_1C4]
		mov	word ptr [esp+esi*8+1D0h+var_110], ax
		jmp	loc_474A9A
; 

loc_474B49:				; CODE XREF: MiFreeWsleList+F4j
		inc	[esp+1D8h+var_1C0]
		jmp	loc_474A9A
; 

loc_474B52:				; CODE XREF: MiFreeWsleList+181j
		and	byte ptr [esp+esi*8+1D0h+var_110+1], 0FEh
		jmp	loc_474A9A
MiFreeWsleList	endp

; 
		align 10h

; __stdcall MiWsleFlush(x, x, x, x)
_MiWsleFlush@16:			; CODE XREF: MiFreeWsleList+DBp
		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFC0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+4], ebp
		mov	ebp, esp
		sub	esp, 0B4h
		mov	eax, edx
		mov	[ebp-4], ecx
		push	esi
		push	edi
		mov	edi, eax
		mov	[ebp-8], eax
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		mov	dword ptr [ebp-80h], 0
		sub	edi, 40000000h
		mov	dword ptr [ebp-7Ch], 0
		mov	eax, [edi]
		mov	[ebp-10h], eax
		nop
		mov	ecx, [edi+4]
		mov	[ebp-14h], ecx
		nop
		mov	edx, eax
		mov	eax, ecx
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	ecx, [eax+ecx*4]
		mov	eax, [ecx+10h]
		lea	esi, [ecx+10h]
		mov	[ebp-0Ch], ecx
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jbe	short loc_474BF3
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_474EE8

loc_474BF3:				; CODE XREF: .text:00474BE4j
		mov	edx, [ebp-4]
		test	byte ptr [edx+60h], 7
		jz	short loc_474C35
		cmp	word ptr [ecx+14h], 1
		ja	loc_474EE8
		mov	[ebp-18h], ecx
		mov	dword ptr [ebp-28h], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_474C3A

loc_474C18:				; CODE XREF: .text:00474C24j
					; .text:00474C2Bj
		lea	ecx, [ebp-28h]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_474C18
		lock bts dword ptr [esi], 1Fh
		jb	short loc_474C18
		mov	ecx, [ebp-0Ch]
		mov	edx, [ebp-4]
		jmp	short loc_474C3A
; 

loc_474C35:				; CODE XREF: .text:00474BFAj
		xor	eax, eax
		mov	[ebp-18h], eax

loc_474C3A:				; CODE XREF: .text:00474C16j
					; .text:00474C33j
		mov	eax, [esi]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jbe	short loc_474C4F
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_474C5D

loc_474C4F:				; CODE XREF: .text:00474C44j
		mov	al, [edx+60h]
		and	al, 7
		jz	short loc_474C82
		cmp	word ptr [ecx+14h], 1
		jbe	short loc_474C82

loc_474C5D:				; CODE XREF: .text:00474C4Dj
		mov	eax, [ebp-18h]
		test	eax, eax
		jz	loc_474EE8
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx
		xor	eax, eax
		xor	edx, edx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_474C82:				; CODE XREF: .text:00474C54j
					; .text:00474C5Bj
		mov	esi, [ebp-10h]
		and	esi, 0FFFFFFFBh
		mov	[ebp-1Ch], esi
		lea	esi, [ecx+10h]
		test	al, al
		jnz	short loc_474CDB
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_474CDB
		mov	eax, ds:_MmHighestUserAddress
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	edi, eax
		ja	short loc_474CDB
		mov	eax, [ebp-10h]
		and	eax, 42h
		or	eax, 0
		jz	short loc_474CDB
		test	dword ptr [edx-144h], 8000h
		lea	ecx, [edx-240h]
		jz	short loc_474CDB
		mov	edx, [ebp-8]
		push	0
		call	_MiCaptureWriteWatchDirtyBit@12	; MiCaptureWriteWatchDirtyBit(x,x,x)
		mov	edx, [ebp-4]

loc_474CDB:				; CODE XREF: .text:00474C90j
					; .text:00474C99j ...
		mov	ecx, [ebp-0Ch]
		mov	dword ptr [ebp-24h], 0
		mov	dword ptr [ebp-20h], 0
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_474E9E
		movzx	eax, byte ptr [edx+60h]
		mov	esi, [ebp-8]
		and	eax, 7
		mov	ecx, esi
		shr	ecx, 0Ch
		add	ecx, dword_6D2E68[eax*4]
		mov	ah, [ecx]
		mov	al, ah
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_475188
		mov	[ebp-20h], ah
		mov	ecx, esi
		push	dword ptr [ebp-20h]
		call	_MiGetWsleProtection@8 ; MiGetWsleProtection(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_474DA2
		and	ecx, 1Fh
		or	eax, 0FFFFFFFFh
		or	ecx, 0F8000020h
		shld	eax, ecx, 5
		shl	ecx, 5
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebp-88h], eax

loc_474D50:				; CODE XREF: .text:00474E2Dj
		mov	[ebp-84h], edx

loc_474D56:				; CODE XREF: .text:00474E36j
					; .text:00474E49j ...
		mov	ecx, [edi]
		mov	edx, [edi+4]
		cmp	dword_6D07D0, 0C0000000h
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	edi, 0C0603000h
		jb	short loc_474D87
		cmp	edi, eax
		jnb	short loc_474D87
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_474D87
		or	ecx, 20h

loc_474D87:				; CODE XREF: .text:00474D75j
					; .text:00474D79j ...
		mov	eax, ds:_MiFlags
		test	eax, 800h
		jz	loc_474FF9
		or	ecx, 20h
		mov	[ebp-7Ch], edx
		jmp	loc_475003
; 

loc_474DA2:				; CODE XREF: .text:00474D2Ej
		mov	eax, [ebp-0Ch]
		mov	eax, [eax+4]
		mov	ecx, eax
		mov	[ebp-2Ch], eax
		or	ecx, 80000000h
		xor	eax, eax
		mov	[ebp-7Ch], ecx
		or	eax, 400h
		push	ecx
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebp-4]
		mov	esi, eax
		mov	[ebp-20h], edx
		mov	[ebp-88h], esi
		mov	[ebp-84h], edx
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		jb	short loc_474E0C
		mov	eax, [ebp-10h]
		and	eax, 0A00h
		or	eax, 0
		jnz	short loc_474E0C
		cmp	[ebp-14h], eax
		jg	short loc_474E0C
		jl	short loc_474DFA
		cmp	[ebp-10h], eax
		jnb	short loc_474E0C

loc_474DFA:				; CODE XREF: .text:00474DF3j
		or	esi, 8
		mov	[ebp-20h], edx
		mov	[ebp-88h], esi
		mov	[ebp-84h], edx

loc_474E0C:				; CODE XREF: .text:00474DDFj
					; .text:00474DECj ...
		mov	eax, [ebp-0Ch]
		test	dword ptr [eax+18h], (offset loc_7FFFFF+1)
		jnz	short loc_474E32
		mov	eax, [ebp-2Ch]
		test	eax, eax
		js	short loc_474E32
		jz	short loc_474E32
		or	esi, 800h
		mov	[ebp-88h], esi
		jmp	loc_474D50
; 

loc_474E32:				; CODE XREF: .text:00474E16j
					; .text:00474E1Dj ...
		test	byte ptr [ebx+8], 2
		jz	loc_474D56
		add	ecx, 0FFFFFDC0h
		cmp	dword ptr [ecx+148h], 0
		jz	loc_474D56
		mov	edx, [ebp-7Ch]
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_474D56
		mov	ecx, [ecx+24Ch]
		mov	eax, [ecx+8Ch]
		cmp	eax, [edx+2Ch]
		jb	loc_474D56
		ja	short loc_474E87
		mov	eax, [ecx+88h]
		cmp	eax, [edx+28h]
		jbe	loc_474D56

loc_474E87:				; CODE XREF: .text:00474E76j
		mov	eax, [ebp-20h]
		or	esi, 8
		mov	[ebp-88h], esi
		mov	[ebp-84h], eax
		jmp	loc_474D56
; 

loc_474E9E:				; CODE XREF: .text:00474CF3j
		mov	eax, [ebp-8]
		add	eax, 40000000h
		cmp	eax, offset loc_7FFFFF
		ja	short loc_474EFA
		mov	ecx, [ebp-4]
		mov	edx, edi
		push	0
		mov	dword ptr [ebp-20h], 1
		call	MiLockPageTableInternal
		mov	eax, [esi]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jz	short loc_474EF7
		mov	ecx, [ebp-4]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	eax, [ebp-18h]
		test	eax, eax
		jz	short loc_474EE8
		mov	esi, 7FFFFFFFh
		lea	ecx, [eax+10h]
		lock and [ecx],	esi

loc_474EE8:				; CODE XREF: .text:00474BEDj
					; .text:00474C01j ...
		xor	eax, eax
		xor	edx, edx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_474EF7:				; CODE XREF: .text:00474ECAj
		mov	ecx, [ebp-0Ch]

loc_474EFA:				; CODE XREF: .text:00474EABj
		mov	eax, [ecx+18h]
		and	eax, 70000000h
		cmp	eax, 40000000h
		jnz	short loc_474F77
		cmp	dword ptr [ebp-4], offset unk_6D3840
		jnz	short loc_474F77
		mov	eax, [ecx+0Ch]
		mov	edx, 1
		push	eax
		mov	eax, [ecx+8]
		mov	ecx, offset _MiSystemPartition
		push	eax
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		mov	edx, [ebp-8]
		and	edx, 0FFFFF000h
		mov	eax, [edx]
		nop
		mov	ecx, [edx+4]
		or	eax, 2
		mov	esi, [ebp-14h]
		or	dword ptr [ebp-1Ch], 4
		mov	[ebp-88h], eax
		mov	[ebp-84h], ecx
		mov	[ebp-14h], esi
		mov	dword ptr [ebp-24h], 1
		mov	[edi], eax
		nop
		push	0
		mov	[edi+4], ecx
		mov	ecx, [ebx+0Ch]
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	ecx, [ebx+0Ch]
		call	MiFlushTbList
		jmp	loc_475098
; 

loc_474F77:				; CODE XREF: .text:00474F07j
					; .text:00474F10j
		nop
		mov	eax, [ecx+0Ch]
		xor	esi, esi
		mov	edx, [ecx+8]
		mov	ecx, [ebp-10h]
		and	edx, 3E0h
		mov	[ebp-7Ch], eax
		and	ecx, 0FFFFF000h
		mov	eax, [ebp-14h]
		or	edx, ecx
		mov	ecx, dword_6D0700
		and	eax, 1Fh
		or	esi, eax
		mov	[ebp-7Ch], ecx
		mov	eax, dword_6D0704
		or	edx, 800h
		mov	[ebp-10h], eax
		mov	eax, ecx
		or	eax, [ebp-10h]
		jz	short loc_474FD0
		mov	eax, [ebp-10h]
		and	ecx, edx
		and	eax, esi
		or	ecx, eax
		jnz	short loc_474FCD
		or	edx, [ebp-7Ch]
		or	esi, [ebp-10h]
		jmp	short loc_474FD0
; 

loc_474FCD:				; CODE XREF: .text:00474FC3j
		or	edx, 10h

loc_474FD0:				; CODE XREF: .text:00474FB8j
					; .text:00474FCBj
		cmp	dword ptr [ebp-20h], 0
		mov	[ebp-88h], edx
		mov	[ebp-84h], esi
		jz	loc_474D56
		mov	ecx, [ebp-4]
		push	esi
		push	edx
		push	0
		mov	edx, edi
		call	MiUnlockNestedPageTableWritePte
		jmp	loc_475083
; 

loc_474FF9:				; CODE XREF: .text:00474D91j
		test	eax, 4000000h
		jz	short loc_475003
		lfence	eax

loc_475003:				; CODE XREF: .text:00474D9Dj
					; .text:00474FFEj
		and	ecx, 20h
		or	ecx, 0
		jnz	short loc_475071
		jmp	short loc_475010
; 
		align 10h

loc_475010:				; CODE XREF: .text:0047500Bj
					; .text:00475032j ...
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp-7Ch], ecx
		nop
		mov	ecx, [ebp-84h]
		push	ebx
		mov	ebx, [ebp-88h]
		lock cmpxchg8b qword ptr [edi]
		pop	ebx
		nop
		cmp	eax, esi
		jnz	short loc_475010
		cmp	edx, [ebp-7Ch]
		jnz	short loc_475010
		cmp	dword_6D07D0, 0C0000000h
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	edi, 0C0603000h
		jb	short loc_475067
		cmp	edi, eax
		jnb	short loc_475067
		push	ecx
		push	dword ptr [ebp-88h]
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_475067:				; CODE XREF: .text:00475053j
					; .text:00475057j
		and	esi, 20h
		or	esi, 0
		jnz	short loc_475083
		jmp	short loc_475098
; 

loc_475071:				; CODE XREF: .text:00475009j
		mov	eax, [ebp-88h]
		mov	[edi], eax
		nop
		mov	eax, [ebp-84h]
		mov	[edi+4], eax

loc_475083:				; CODE XREF: .text:00474FF4j
					; .text:0047506Dj
		mov	edx, [ebp-8]
		mov	ecx, [ebx+0Ch]
		and	edx, 0FFFFF000h
		push	0
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_475098:				; CODE XREF: .text:00474F72j
					; .text:0047506Fj
		mov	eax, [ebp-18h]
		test	eax, eax
		jz	short loc_4750AA
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx

loc_4750AA:				; CODE XREF: .text:0047509Dj
		cmp	dword ptr [ebp-24h], 1
		jz	loc_475177
		mov	esi, [ebp-0Ch]
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_475177
		mov	edx, [esi+8]
		nop
		mov	ecx, [esi+0Ch]
		mov	eax, edx
		and	eax, 1
		mov	[ebp-18h], ecx
		or	eax, 0
		jnz	loc_475177
		mov	eax, edx
		or	eax, ecx
		jz	short loc_475108
		mov	eax, dword_6D0700
		mov	ecx, dword_6D0704
		mov	[ebp-80h], eax
		or	eax, ecx
		mov	[ebp-2Ch], ecx
		jz	short loc_475108
		mov	eax, [ebp-18h]
		mov	ecx, edx
		and	ecx, [ebp-80h]
		and	eax, [ebp-2Ch]
		or	ecx, eax
		jz	short loc_475177

loc_475108:				; CODE XREF: .text:004750E2j
					; .text:004750F7j
		mov	eax, dword_6D50B4
		test	eax, eax
		jz	short loc_475177
		mov	eax, [ebp-18h]
		mov	ecx, edx
		shrd	ecx, eax, 1
		test	cl, 1
		jnz	short loc_475177
		mov	eax, [ebp-4]
		test	byte ptr [eax+60h], 7
		jnz	short loc_475132
		mov	eax, [eax+90h]
		test	eax, eax
		jnz	short loc_475177

loc_475132:				; CODE XREF: .text:00475126j
		push	dword ptr [ebp-18h]
		push	edx
		call	_MI_IS_RESET_PTE@8 ; MI_IS_RESET_PTE(x,x)
		test	eax, eax
		jz	short loc_47514F
		test	byte ptr [esi+16h], 10h
		jnz	short loc_47514F
		mov	eax, [edi]
		and	eax, 42h
		or	eax, 0
		jz	short loc_475177

loc_47514F:				; CODE XREF: .text:0047513Dj
					; .text:00475143j
		mov	edx, ds:_MmHighestUserAddress
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		sub	edx, 40000000h
		cmp	edi, edx
		ja	short loc_475177
		push	dword ptr [ebp-4]
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		call	MiReservePageFileSpace

loc_475177:				; CODE XREF: .text:004750AEj
					; .text:004750C0j ...
		mov	eax, [ebp-1Ch]
		mov	edx, [ebp-14h]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_475188:				; CODE XREF: .text:00474D17j
		push	ecx
		push	edx
		push	esi
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWsleFree(x, x, x,	x, x)
_MiWsleFree@20	proc near		; CODE XREF: MiFreeWsleList+193p

var_60		= dword	ptr -60h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		push	ebx
		push	esi
		mov	eax, edx
		mov	[esp+5Ch+var_48], ecx
		mov	esi, eax
		mov	[esp+5Ch+var_30], eax
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[esp+60h+var_38], esi
		nop
		mov	eax, [ebp+arg_8]
		mov	edx, edi
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	edx, [esp+60h+var_30]
		lea	ebx, [eax+ecx*4]
		lea	eax, [edx+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_475212
		mov	edx, [ebx]
		shr	edx, 1
		and	edx, 0FFFFFF07h
		mov	[esp+60h+var_34], edx
		jmp	short loc_475243
; 

loc_475212:				; CODE XREF: MiWsleFree(x,x,x,x,x)+60j
		mov	eax, [esp+60h+var_48]
		movzx	eax, byte ptr [eax+60h]
		and	eax, 7
		mov	ecx, dword_6D2E68[eax*4]
		mov	eax, edx
		shr	eax, 0Ch
		add	eax, ecx
		mov	[esp+60h+var_30], eax
		mov	al, [eax]
		mov	cl, al
		and	cl, 0Fh
		cmp	cl, 0Ah
		jz	loc_475906
		mov	byte ptr [esp+60h+var_34], al

loc_475243:				; CODE XREF: MiWsleFree(x,x,x,x,x)+70j
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	[ebp+arg_0], 4
		mov	[esp+60h+var_30], eax
		jnz	short loc_4752D3
		test	eax, eax
		jnz	short loc_475297
		mov	eax, [esp+60h+var_48]
		mov	cl, [eax+60h]
		and	cl, 7
		cmp	cl, 2
		jnb	short loc_4752D3
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		test	eax, 0FFFFFFFDh
		jnz	short loc_4752D3
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_4752B6
		mov	eax, esi
		shl	eax, 9
		add	eax, 40000000h
		cmp	eax, offset loc_7FFFFF
		ja	short loc_4752B6
		jmp	short loc_4752D3
; 

loc_475297:				; CODE XREF: MiWsleFree(x,x,x,x,x)+B6j
		test	dword ptr [ebx+18h], 800000h
		jnz	short loc_4752A9
		mov	eax, [ebx+4]
		test	eax, eax
		js	short loc_4752A9
		jnz	short loc_4752D3

loc_4752A9:				; CODE XREF: MiWsleFree(x,x,x,x,x)+FEj
					; MiWsleFree(x,x,x,x,x)+105j
		mov	eax, [ebx+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_4752D3

loc_4752B6:				; CODE XREF: MiWsleFree(x,x,x,x,x)+E2j
					; MiWsleFree(x,x,x,x,x)+F3j
		cmp	word ptr [ebx+14h], 1
		jnz	short loc_4752D3
		mov	al, [ebx+16h]
		and	al, 0C0h
		cmp	al, 40h
		jnz	short loc_4752D3
		mov	[esp+60h+var_50], 1
		test	[ebx+17h], al
		jz	short loc_4752DB

loc_4752D3:				; CODE XREF: MiWsleFree(x,x,x,x,x)+B2j
					; MiWsleFree(x,x,x,x,x)+C5j ...
		mov	[esp+60h+var_50], 0

loc_4752DB:				; CODE XREF: MiWsleFree(x,x,x,x,x)+131j
		lea	esi, [ebx+10h]
		mov	[esp+60h+var_2C], 0
		mov	[esp+60h+var_3C], esi
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_475309

loc_4752F1:				; CODE XREF: MiWsleFree(x,x,x,x,x)+15Dj
					; MiWsleFree(x,x,x,x,x)+164j
		lea	ecx, [esp+60h+var_2C]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_4752F1
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4752F1
		mov	edi, [ebp+arg_4]

loc_475309:				; CODE XREF: MiWsleFree(x,x,x,x,x)+14Fj
		mov	eax, [esp+60h+var_50]
		test	eax, eax
		jz	loc_47553F
		mov	eax, [esi]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	loc_47553D
		cmp	[ebx+14h], ax
		jnz	loc_47553D
		mov	edi, ds:_MmPfnDatabase
		mov	ecx, ebx
		sub	ecx, edi
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		mov	ecx, 4
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	edx, eax
		lea	eax, ds:0[edx*8]
		sub	eax, edx
		movzx	eax, byte ptr [edi+eax*4+16h]
		shr	eax, 6
		test	eax, eax
		jz	short loc_475377
		cmp	eax, 3
		jz	short loc_475377
		cmp	eax, 2
		jnz	short loc_47537C
		lea	ecx, [eax+1Ah]
		jmp	short loc_47537C
; 

loc_475377:				; CODE XREF: MiWsleFree(x,x,x,x,x)+1C6j
					; MiWsleFree(x,x,x,x,x)+1CBj
		mov	ecx, 0Ch

loc_47537C:				; CODE XREF: MiWsleFree(x,x,x,x,x)+1D0j
					; MiWsleFree(x,x,x,x,x)+1D5j
		xor	eax, eax
		mov	[esp+60h+var_44], 0
		and	ecx, 1Fh
		and	edx, 1FFFFFFh
		shld	eax, edx, 0Ch
		shl	edx, 0Ch
		mov	edi, ds:_MmProtectToPteMask[ecx*8]
		mov	ecx, ds:dword_40B4DC[ecx*8]
		and	edi, 0F7Fh
		and	ecx, 0FFFFFFE0h
		or	edi, edx
		or	ecx, eax
		or	edi, 121h
		mov	al, byte ptr word_6D07B8
		and	edi, 0FFFFFEFFh
		and	al, 1
		movzx	eax, al
		cdq
		shld	edx, eax, 8
		shl	eax, 8
		or	edx, ecx
		or	eax, edi
		or	eax, 42h
		mov	[esp+60h+var_4C], eax
		mov	eax, large fs:20h
		mov	edi, [eax+3D34h]
		mov	eax, edi
		and	eax, 0FFFh
		and	edi, 0FFFFF000h
		shl	eax, 0Ch
		add	edi, eax
		mov	eax, edi
		shr	eax, 9
		cmp	dword_6D07D0, 0C0000000h
		mov	[esp+60h+var_40], eax
		lea	ecx, [eax-40000000h]
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	ecx, 0C0603000h
		jb	short loc_475471
		cmp	ecx, eax
		jnb	short loc_475471
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_47544D
		cmp	byte ptr word_6D07B8+1,	0
		mov	eax, [esp+60h+var_4C]
		mov	[esp+60h+var_44], 1
		jnz	short loc_475475
		or	edx, 80000000h
		jmp	short loc_475475
; 

loc_47544D:				; CODE XREF: MiWsleFree(x,x,x,x,x)+28Ej
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, [esp+60h+var_4C]
		jz	short loc_475475
		or	edx, 80000000h
		jmp	short loc_475475
; 

loc_475471:				; CODE XREF: MiWsleFree(x,x,x,x,x)+281j
					; MiWsleFree(x,x,x,x,x)+285j
		mov	eax, [esp+60h+var_4C]

loc_475475:				; CODE XREF: MiWsleFree(x,x,x,x,x)+2A3j
					; MiWsleFree(x,x,x,x,x)+2ABj ...
		mov	esi, [esp+60h+var_40]
		mov	[esi-3FFFFFFCh], edx
		nop
		cmp	[esp+60h+var_44], 0
		mov	[ecx], eax
		jz	short loc_475490
		push	edx
		push	eax
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_475490:				; CODE XREF: MiWsleFree(x,x,x,x,x)+2E7j
		lea	ecx, [edi+0FFCh]

loc_475496:				; CODE XREF: MiWsleFree(x,x,x,x,x)+304j
		mov	eax, [edi]
		or	eax, [ecx]
		jnz	short loc_4754A6
		add	edi, 4
		sub	ecx, 4
		cmp	edi, ecx
		jbe	short loc_475496

loc_4754A6:				; CODE XREF: MiWsleFree(x,x,x,x,x)+2FAj
		mov	eax, large fs:20h
		mov	[esp+60h+var_20], eax
		mov	[esp+60h+var_44], ecx
		mov	eax, [eax+3D34h]
		mov	edx, eax
		and	edx, 0FFFh
		and	eax, 0FFFFF000h
		mov	[esp+60h+var_24], eax
		mov	[esp+60h+var_4C], edx
		lea	eax, [edx+1]
		mov	[esp+60h+var_28], eax
		mov	eax, ds:_ZeroPte
		mov	[esi-40000000h], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi-3FFFFFFCh], eax
		mov	esi, [esp+60h+var_3C]
		cmp	edx, 0FFh
		jnz	short loc_475506
		call	_MiFlushHyperSpace@0 ; MiFlushHyperSpace()
		mov	ecx, [esp+60h+var_44]
		mov	edx, [esp+60h+var_4C]

loc_475506:				; CODE XREF: MiWsleFree(x,x,x,x,x)+357j
		mov	eax, [esp+60h+var_20]
		sub	edx, 0FFh
		neg	edx
		sbb	edx, edx
		and	edx, [esp+60h+var_28]
		or	edx, [esp+60h+var_24]
		mov	[eax+3D34h], edx
		cmp	edi, ecx
		jbe	short loc_47553A
		mov	ecx, [esp+60h+var_48]
		mov	edx, ebx
		call	_MiRewriteTrimPteAsDemandZero@8	; MiRewriteTrimPteAsDemandZero(x,x)
		mov	edi, [ebp+arg_4]
		mov	eax, [esp+60h+var_50]
		jmp	short loc_47553F
; 

loc_47553A:				; CODE XREF: MiWsleFree(x,x,x,x,x)+384j
		mov	edi, [ebp+arg_4]

loc_47553D:				; CODE XREF: MiWsleFree(x,x,x,x,x)+17Fj
					; MiWsleFree(x,x,x,x,x)+189j
		xor	eax, eax

loc_47553F:				; CODE XREF: MiWsleFree(x,x,x,x,x)+16Fj
					; MiWsleFree(x,x,x,x,x)+398j
		mov	[esp+60h+var_48], 0
		mov	[esp+60h+var_4C], 0
		mov	[esp+60h+var_50], 0
		test	eax, eax
		jnz	loc_47579E
		mov	eax, edi
		and	eax, 4
		or	eax, 0
		jnz	loc_47579E
		and	edi, 42h
		or	edi, eax
		jz	short loc_475591
		mov	ecx, ebx
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	ecx, eax
		mov	[esp+60h+var_48], eax
		or	ecx, edx
		mov	[esp+60h+var_4C], edx
		jz	short loc_475591
		mov	[esp+60h+var_50], offset _MiSystemPartition

loc_475591:				; CODE XREF: MiWsleFree(x,x,x,x,x)+3D2j
					; MiWsleFree(x,x,x,x,x)+3E7j
		cmp	[esp+60h+var_30], 0
		jz	short loc_4755D6
		mov	eax, [esp+60h+var_38]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esp+60h+var_20], 0
		mov	[esp+60h+var_1C], 0
		mov	edi, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[esp+60h+var_10], edi
		mov	[esp+60h+var_C], eax
		nop
		shrd	edi, eax, 0Ch
		and	edi, 1FFFFFFh
		jmp	short loc_4755D9
; 

loc_4755D6:				; CODE XREF: MiWsleFree(x,x,x,x,x)+3F6j
		or	edi, 0FFFFFFFFh

loc_4755D9:				; CODE XREF: MiWsleFree(x,x,x,x,x)+434j
		test	[ebp+arg_0], 1
		jz	short loc_47560D
		mov	eax, [esi]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	short loc_47560D
		cmp	[ebx+14h], ax
		jnz	short loc_47560D
		test	byte ptr [ebx+16h], 10h
		jnz	short loc_47560D
		mov	ecx, ebx
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		cmp	eax, 5
		jnz	short loc_47560D
		mov	al, [ebx+17h]
		and	al, 0FCh
		or	al, 4
		mov	[ebx+17h], al

loc_47560D:				; CODE XREF: MiWsleFree(x,x,x,x,x)+43Dj
					; MiWsleFree(x,x,x,x,x)+449j ...
		mov	al, [ebx+16h]
		and	al, 7
		cmp	al, 6
		jnz	loc_47591B
		mov	eax, [esi]
		mov	ecx, eax
		and	ecx, 3FFFFFFFh
		dec	ecx
		mov	edx, ecx
		xor	edx, eax
		and	edx, 3FFFFFFFh
		xor	edx, eax
		mov	[esi], edx
		test	ecx, ecx
		jnz	loc_475715
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_47564D
		call	MiMakeProtoTransition
		mov	edx, [esi]

loc_47564D:				; CODE XREF: MiWsleFree(x,x,x,x,x)+4A4j
		mov	eax, 0FFFFh
		and	edx, 40000000h
		add	[ebx+14h], ax
		cmp	word ptr [ebx+14h], 0
		jz	short loc_4756A8
		mov	al, [ebx+16h]
		test	edx, edx
		jz	short loc_47566E
		or	al, 7
		jmp	short loc_47567C
; 

loc_47566E:				; CODE XREF: MiWsleFree(x,x,x,x,x)+4C8j
		test	al, 10h
		jz	short loc_475678
		and	al, 0FBh
		or	al, 3
		jmp	short loc_47567C
; 

loc_475678:				; CODE XREF: MiWsleFree(x,x,x,x,x)+4D0j
		and	al, 0FAh
		or	al, 2

loc_47567C:				; CODE XREF: MiWsleFree(x,x,x,x,x)+4CCj
					; MiWsleFree(x,x,x,x,x)+4D6j
		mov	[ebx+16h], al
		lea	ecx, [ebx+8]
		mov	eax, [ecx]
		and	eax, 400h
		or	eax, 0
		jnz	loc_475715
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jz	loc_475715
		mov	byte_6D4FB7, 1
		jmp	short loc_475715
; 

loc_4756A8:				; CODE XREF: MiWsleFree(x,x,x,x,x)+4C1j
		test	edx, edx
		jz	short loc_4756F4
		mov	al, [ebx+17h]
		test	al, 10h
		jz	short loc_4756B8
		and	al, 0EFh
		mov	[ebx+17h], al

loc_4756B8:				; CODE XREF: MiWsleFree(x,x,x,x,x)+511j
		mov	ecx, [ebx+0Ch]
		mov	edx, 1
		push	ecx
		mov	ecx, [ebx+8]
		push	ecx
		mov	ecx, offset _MiSystemPartition
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		sub	ebx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ebx
		add	edx, ebx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	edx, 2
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		jmp	short loc_475715
; 

loc_4756F4:				; CODE XREF: MiWsleFree(x,x,x,x,x)+50Aj
		mov	al, [ebx+16h]
		mov	ecx, ebx
		test	al, 10h
		jz	short loc_475704
		mov	edx, 8
		jmp	short loc_475710
; 

loc_475704:				; CODE XREF: MiWsleFree(x,x,x,x,x)+55Bj
		and	al, 0FAh
		mov	edx, 4
		or	al, 2
		mov	[ebx+16h], al

loc_475710:				; CODE XREF: MiWsleFree(x,x,x,x,x)+562j
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)

loc_475715:				; CODE XREF: MiWsleFree(x,x,x,x,x)+495j
					; MiWsleFree(x,x,x,x,x)+4ECj ...
		mov	ebx, 7FFFFFFFh
		cmp	edi, 0FFFFFFFFh
		jz	loc_4758BC
		lock and [esi],	ebx
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		mov	[esp+60h+var_18], 0
		lea	edi, [eax+ecx*4]
		lea	esi, [edi+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_475765
		lea	esp, [esp+0]

loc_475750:				; CODE XREF: MiWsleFree(x,x,x,x,x)+5BCj
					; MiWsleFree(x,x,x,x,x)+5C3j
		lea	ecx, [esp+60h+var_18]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_475750
		lock bts dword ptr [esi], 1Fh
		jb	short loc_475750

loc_475765:				; CODE XREF: MiWsleFree(x,x,x,x,x)+5A7j
		mov	al, [edi+16h]
		and	al, 7
		cmp	al, 6
		jnz	loc_475922
		mov	ecx, [esi]
		mov	edx, ecx
		and	edx, 3FFFFFFFh
		dec	edx
		mov	eax, edx
		xor	eax, ecx
		and	eax, 3FFFFFFFh
		xor	eax, ecx
		mov	[esi], eax
		test	edx, edx
		jnz	loc_4758BC
		mov	ecx, edi
		call	_MiPfnShareCountIsZero@8 ; MiPfnShareCountIsZero(x,x)
		jmp	loc_4758BC
; 

loc_47579E:				; CODE XREF: MiWsleFree(x,x,x,x,x)+3B9j
					; MiWsleFree(x,x,x,x,x)+3C7j
		mov	eax, [esp+60h+var_38]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esp+60h+var_20], 0
		mov	[esp+60h+var_1C], 0
		mov	ecx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[esp+60h+var_8], ecx
		mov	[esp+60h+var_4], eax
		nop
		and	dword ptr [ebx+18h], 7FFFFFFFh
		xor	edx, edx
		and	dword ptr [esi], 0C0000000h
		shrd	ecx, eax, 0Ch
		movzx	eax, byte ptr [ebx+16h]
		and	al, 0C7h
		and	ecx, 1FFFFFFh
		mov	[ebx+16h], al
		movzx	eax, byte ptr [ebx+17h]
		and	al, 0DFh
		mov	[esp+60h+var_20], ecx
		mov	[ebx+17h], al
		lea	ecx, [ebx+8]
		xor	eax, eax
		push	eax
		mov	[ebx+14h], ax
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	ecx, edx
		mov	[esp+60h+var_48], eax
		or	eax, ecx
		mov	[esp+60h+var_4C], ecx
		jz	short loc_475824
		mov	[esp+60h+var_50], offset _MiSystemPartition

loc_475824:				; CODE XREF: MiWsleFree(x,x,x,x,x)+67Aj
		and	edi, 4
		mov	eax, 92492493h
		or	edi, 0
		jz	short loc_47584C
		sub	ebx, ds:_MmPfnDatabase
		imul	ebx
		add	edx, ebx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	edx, 2
		jmp	short loc_475865
; 

loc_47584C:				; CODE XREF: MiWsleFree(x,x,x,x,x)+68Fj
		sub	ebx, ds:_MmPfnDatabase
		imul	ebx
		add	edx, ebx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	edx, 1

loc_475865:				; CODE XREF: MiWsleFree(x,x,x,x,x)+6AAj
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	ebx, 7FFFFFFFh
		lock and [esi],	ebx
		mov	eax, [esp+60h+var_20]
		mov	[esp+60h+var_14], 0
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [eax+ecx*4]
		lea	esi, [edi+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4758B5
		lea	esp, [esp+0]

loc_4758A0:				; CODE XREF: MiWsleFree(x,x,x,x,x)+70Cj
					; MiWsleFree(x,x,x,x,x)+713j
		lea	ecx, [esp+60h+var_14]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_4758A0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4758A0

loc_4758B5:				; CODE XREF: MiWsleFree(x,x,x,x,x)+6F7j
		mov	ecx, edi
		call	MiDecrementShareCount

loc_4758BC:				; CODE XREF: MiWsleFree(x,x,x,x,x)+57Dj
					; MiWsleFree(x,x,x,x,x)+5ECj ...
		lock and [esi],	ebx
		mov	ecx, [esp+60h+var_48]
		mov	eax, ecx
		mov	edx, [esp+60h+var_4C]
		or	eax, edx
		jz	short loc_4758DD
		push	edx
		push	ecx
		mov	ecx, [esp+68h+var_50]
		mov	edx, 1
		call	MiReleasePageFileInfo

loc_4758DD:				; CODE XREF: MiWsleFree(x,x,x,x,x)+72Bj
		mov	eax, [esp+60h+var_34]
		cmp	[esp+60h+var_30], 0
		mov	byte ptr [esp+60h+var_50], al
		setz	al
		pop	edi
		pop	esi
		pop	ebx
		lea	eax, ds:1[eax*2]
		mov	byte ptr [esp+54h+var_50+1], al
		mov	ax, word ptr [esp+54h+var_50]
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_475906:				; CODE XREF: MiWsleFree(x,x,x,x,x)+99j
		push	[esp+60h+var_30]
		push	[esp+64h+var_48]
		push	edx
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_47591B:				; CODE XREF: MiWsleFree(x,x,x,x,x)+474j
		mov	ecx, ebx
		call	_MiBadShareCount@4 ; MiBadShareCount(x)

loc_475922:				; CODE XREF: MiWsleFree(x,x,x,x,x)+5CCj
		mov	ecx, edi
		call	_MiBadShareCount@4 ; MiBadShareCount(x)
		int	3		; Trap to Debugger
_MiWsleFree@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetPagePrivilege(x, x, x)
_MiGetPagePrivilege@12 proc near	; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+8EFp
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+74Cp	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ds:_MiFlags
		mov	ebx, ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_4], esi
		push	edi
		test	esi, 2000h
		jz	loc_475A37
		mov	eax, [ebx+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jnz	loc_475A37
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_475976
		mov	eax, esi
		and	eax, 8000h
		neg	eax
		sbb	eax, eax
		and	edx, eax

loc_475976:				; CODE XREF: MiGetPagePrivilege(x,x,x)+3Dj
		mov	eax, [ebx+4]
		mov	edi, eax
		mov	[ebp+arg_0], eax
		or	edi, 80000000h
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_475A40
		test	esi, 40000h
		jz	short loc_4759AF
		shl	edi, 9
		cmp	edi, dword_6D07D0
		sbb	eax, eax
		and	eax, 0FFFFFFF1h
		add	eax, 11h
		jmp	loc_475A39
; 

loc_4759AF:				; CODE XREF: MiGetPagePrivilege(x,x,x)+6Dj
		cmp	[ebp+arg_0], 0
		jnz	short loc_4759C5
		push	4
		pop	eax
		test	edx, edx
		jz	short loc_475A39
		xor	ecx, ecx
		mov	[edx], ecx
		mov	[edx+4], ecx
		jmp	short loc_475A39
; 

loc_4759C5:				; CODE XREF: MiGetPagePrivilege(x,x,x)+89j
		shl	edi, 9
		cmp	edi, dword_6D07D0
		jb	short loc_4759F6
		mov	ecx, [ebx+8]
		mov	eax, [ebx+0Ch]
		shrd	ecx, eax, 5
		and	cl, 2
		movzx	eax, cl
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFC1h
		add	eax, 40h
		test	edx, edx
		jz	short loc_475A39
		and	dword ptr [edx+4], 0
		mov	[edx], edi
		jmp	short loc_475A39
; 

loc_4759F6:				; CODE XREF: MiGetPagePrivilege(x,x,x)+A4j
		push	14h
		pop	eax
		test	edx, edx
		jz	short loc_475A39
		mov	esi, [ebp+var_C]
		test	esi, esi
		jnz	short loc_475A0E
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	byte ptr [ebp+arg_0+3],	al
		jmp	short loc_475A12
; 

loc_475A0E:				; CODE XREF: MiGetPagePrivilege(x,x,x)+D8j
		mov	byte ptr [ebp+arg_0+3],	21h

loc_475A12:				; CODE XREF: MiGetPagePrivilege(x,x,x)+E2j
		mov	ecx, ebx
		call	MiGetTopLevelPfn
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx
		test	esi, esi
		jnz	short loc_475A37
		lea	eax, [ebx+10h]
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_475A37:				; CODE XREF: MiGetPagePrivilege(x,x,x)+1Fj
					; MiGetPagePrivilege(x,x,x)+32j ...
		xor	eax, eax

loc_475A39:				; CODE XREF: MiGetPagePrivilege(x,x,x)+80j
					; MiGetPagePrivilege(x,x,x)+90j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_475A40:				; CODE XREF: MiGetPagePrivilege(x,x,x)+61j
		mov	eax, [ebx+8]
		xor	ecx, ecx
		mov	ebx, [ebx+0Ch]
		mov	[ebp+var_8], eax
		and	eax, 400h
		or	eax, ecx
		mov	[ebp+var_14], ebx
		jnz	short loc_475A6E
		shr	esi, 12h
		and	esi, 1
		shl	esi, 4
		test	edx, edx
		jz	short loc_475A69
		mov	[edx], ecx
		mov	[edx+4], ecx

loc_475A69:				; CODE XREF: MiGetPagePrivilege(x,x,x)+138j
		lea	eax, [esi+3]
		jmp	short loc_475A39
; 

loc_475A6E:				; CODE XREF: MiGetPagePrivilege(x,x,x)+12Bj
		mov	eax, [ebp+var_8]
		mov	esi, dword_6D0704
		mov	[ebp+arg_0], eax
		mov	eax, dword_6D0700
		mov	[ebp+var_C], eax
		or	eax, esi
		jz	short loc_475A9E
		mov	eax, [ebp+arg_0]
		and	eax, 10h
		or	eax, ecx
		jnz	short loc_475A9E
		mov	eax, [ebp+var_C]
		mov	ecx, esi
		not	eax
		not	ecx
		and	[ebp+arg_0], eax
		and	ebx, ecx

loc_475A9E:				; CODE XREF: MiGetPagePrivilege(x,x,x)+15Aj
					; MiGetPagePrivilege(x,x,x)+164j
		mov	ecx, [ebx]
		mov	[ebp+var_C], ecx
		test	byte ptr [ecx+1Ch], 20h
		jnz	short loc_475AAE
		push	2

loc_475AAB:				; CODE XREF: MiGetPagePrivilege(x,x,x)+1C8j
		pop	eax
		jmp	short loc_475A39
; 

loc_475AAE:				; CODE XREF: MiGetPagePrivilege(x,x,x)+17Dj
		mov	eax, [ebx+4]
		mov	[ebp+arg_0], eax
		cmp	edi, eax
		jb	loc_475A37
		mov	esi, [ebp+arg_0]
		mov	eax, [ebx+1Ch]
		lea	eax, [esi+eax*8]
		mov	esi, [ebp+var_4]
		cmp	edi, eax
		jnb	loc_475A37
		mov	eax, [ecx+34h]
		mov	[ebp+var_10], eax
		and	eax, 0C0000h
		mov	[ebp+arg_0], eax
		jz	short loc_475AF7
		test	[ebp+var_10], 20000h
		jz	short loc_475AF7
		lea	eax, [ecx+50h]
		cmp	ebx, eax
		jz	short loc_475AF4
		push	28h
		jmp	short loc_475AAB
; 

loc_475AF4:				; CODE XREF: MiGetPagePrivilege(x,x,x)+1C4j
		mov	eax, [ebp+arg_0]

loc_475AF7:				; CODE XREF: MiGetPagePrivilege(x,x,x)+1B4j
					; MiGetPagePrivilege(x,x,x)+1BDj
		mov	ebx, [ebp+var_8]
		mov	ecx, [ebp+var_14]
		shrd	ebx, ecx, 5
		mov	ecx, [ebp+var_C]
		test	esi, 40000h
		jz	short loc_475B19
		cmp	[ebp+arg_0], 0
		push	2
		pop	eax
		jz	short loc_475B2C
		push	0Ah
		jmp	short loc_475B23
; 

loc_475B19:				; CODE XREF: MiGetPagePrivilege(x,x,x)+1E0j
		test	eax, eax
		jz	loc_475A37
		push	8

loc_475B23:				; CODE XREF: MiGetPagePrivilege(x,x,x)+1EDj
		pop	eax
		test	bl, 2
		jz	short loc_475B2C
		push	0Bh
		pop	eax

loc_475B2C:				; CODE XREF: MiGetPagePrivilege(x,x,x)+1E9j
					; MiGetPagePrivilege(x,x,x)+1FDj
		test	edx, edx
		jz	loc_475A39
		mov	ecx, [ecx+38h]
		mov	ecx, [ecx+18h]
		mov	[edx+4], ecx
		mov	ecx, [ebp+var_C]
		sub	edi, [ecx+54h]
		shl	edi, 9
		and	edi, 0FFFFF000h
		mov	[edx], edi
		jmp	loc_475A39
_MiGetPagePrivilege@12 endp

; 
		align 10h

; __stdcall MiDecommitPages(x, x, x, x,	x, x)
_MiDecommitPages@24:			; CODE XREF: MmStoreDecommitVirtualMemory(x,x)+7Ap
					; MiDecommitRegion(x,x,x)+5Dp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 65Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		mov	eax, [ebp+8]
		push	ebx
		push	esi
		mov	[ebp-5C4h], eax
		mov	esi, ecx
		mov	eax, [ebp+0Ch]
		push	edi
		mov	edi, [ebp+14h]
		mov	[ebp-5F0h], eax
		xor	eax, eax
		push	3FCh
		push	eax
		mov	[ebp-54Ah], ax
		lea	eax, [ebp-538h]
		push	eax
		mov	[ebp-5F4h], edx
		mov	[ebp-5ACh], edi
		mov	dword ptr [ebp-620h], 0
		mov	dword ptr [ebp-61Ch], 0
		call	_memset
		mov	ecx, dword_6D0700
		xor	eax, eax
		mov	edx, dword_6D0704
		add	esp, 0Ch
		mov	[ebp-640h], eax
		mov	ebx, 200h
		mov	[ebp-63Ch], eax
		mov	[ebp-638h], eax
		mov	[ebp-630h], eax
		mov	[ebp-544h], eax
		mov	[ebp-54Ch], ax
		mov	[ebp-540h], eax
		mov	[ebp-53Ch], eax
		mov	[ebp-624h], eax
		mov	[ebp-5E4h], eax
		mov	eax, ecx
		or	eax, edx
		mov	dword ptr [ebp-634h], 2
		mov	dword ptr [ebp-550h], 1
		mov	dword ptr [ebp-548h], 100h
		mov	dword ptr [ebp-5DCh], 1
		mov	[ebp-5E0h], ebx
		jz	short loc_475C85
		mov	eax, ecx
		and	eax, ebx
		or	eax, 0
		jnz	short loc_475C70
		mov	ebx, ecx
		mov	[ebp-5E4h], edx
		or	ebx, 200h
		mov	[ebp-5E0h], ebx
		jmp	short loc_475C87
; 

loc_475C70:				; CODE XREF: .text:00475C58j
		mov	ebx, 210h
		xor	edx, edx
		mov	[ebp-5E0h], ebx
		mov	[ebp-5E4h], edx
		jmp	short loc_475C87
; 

loc_475C85:				; CODE XREF: .text:00475C4Fj
		xor	edx, edx

loc_475C87:				; CODE XREF: .text:00475C6Ej
					; .text:00475C83j
		mov	[ebp-5B0h], ebx
		mov	ebx, [ebp-5F0h]
		mov	[ebp-5A4h], edx
		mov	eax, [ebx+10h]
		mov	ecx, [ebx+20h]
		and	eax, 0FFFFFh
		lea	eax, ds:0C0000000h[eax*8]
		mov	[ebp-62Ch], eax
		mov	eax, ecx
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFEh
		jnz	short loc_475CF2
		mov	ecx, [ebx+1Ch]
		xor	eax, eax
		shr	ecx, 7
		and	ecx, 1Fh
		shld	eax, ecx, 5
		shl	ecx, 5
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebp-5E0h], eax
		mov	[ebp-5E4h], edx
		mov	[ebp-5B0h], eax
		mov	[ebp-5A4h], edx
		jmp	short loc_475D39
; 

loc_475CF2:				; CODE XREF: .text:00475CBDj
		test	ecx, ecx
		js	short loc_475D39
		mov	eax, [ebx+1Ch]
		test	eax, 100000h
		jz	short loc_475D0E
		test	eax, 1000000h
		jnz	short loc_475D0E
		test	eax, 2000000h
		jnz	short loc_475D22

loc_475D0E:				; CODE XREF: .text:00475CFEj
					; .text:00475D05j
		mov	dword ptr [ebp-5B0h], 0
		mov	dword ptr [ebp-5A4h], 0

loc_475D22:				; CODE XREF: .text:00475D0Cj
		mov	ecx, ebx
		mov	dword ptr [ebp-62Ch], 0
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		mov	[ebp-624h], eax

loc_475D39:				; CODE XREF: .text:00475CF0j
					; .text:00475CF4j
		mov	ecx, [ebx+1Ch]
		mov	eax, ecx
		and	eax, offset loc_500000
		mov	[ebp-654h], edx
		mov	dword ptr [ebp-614h], 1
		mov	dword ptr [ebp-5ECh], 2
		cmp	eax, offset loc_500000
		jnz	short loc_475D97
		shr	ecx, 12h
		and	ecx, 3
		mov	eax, ds:_MiVadPageSizes[ecx*4]
		mov	ecx, ds:_MiVadPageIndices[ecx*4]
		mov	[ebp-5DCh], eax
		mov	[ebp-5ECh], ecx
		lea	edx, [eax-10h]
		neg	edx
		sbb	edx, edx
		and	edx, 0FFFFFFF1h
		add	edx, 10h
		mov	[ebp-614h], edx

loc_475D97:				; CODE XREF: .text:00475D62j
		mov	eax, [ebp+10h]
		mov	ecx, [ebp-5C4h]
		neg	eax
		mov	dword ptr [ebp-610h], 1
		sbb	eax, eax
		add	ecx, 240h
		and	eax, 0FFFFFFFEh
		mov	[ebp-5C8h], ecx
		add	eax, 2
		xor	ebx, ebx
		mov	[ebp+10h], eax
		mov	eax, esi
		shr	eax, 9
		and	esi, 0FFFFF000h
		and	eax, offset loc_7FFFF8
		mov	[ebp-5D4h], ebx
		sub	eax, 40000000h
		mov	[ebp-5C0h], esi
		mov	[ebp-5B4h], eax
		mov	al, [ecx+60h]
		and	al, 7
		mov	[ebp-5BCh], ebx
		cmp	al, 4
		jbe	short loc_475E0F
		cmp	al, 5
		jz	short loc_475E0F
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp-5A5h], al
		jmp	short loc_475E73
; 

loc_475E0F:				; CODE XREF: .text:00475DF9j
					; .text:00475DFDj
		mov	esi, offset unk_6D3C40
		cmp	al, 2
		jz	short loc_475E1E
		lea	esi, [ecx+80h]

loc_475E1E:				; CODE XREF: .text:00475E16j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[ebp-5A5h], al
		jz	short loc_475E40
		mov	dl, al
		mov	ecx, esi
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	short loc_475E62
; 

loc_475E40:				; CODE XREF: .text:00475E33j
		mov	edx, [esi]
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_475E62
		mov	dl, [ebp-5A5h]
		mov	ecx, esi
		call	ExpWaitForSpinLockSharedAndAcquire

loc_475E62:				; CODE XREF: .text:00475E3Ej
					; .text:00475E53j
		add	esi, 4
		cmp	[esi], ebx
		jz	short loc_475E6D
		xor	eax, eax
		xchg	eax, [esi]

loc_475E6D:				; CODE XREF: .text:00475E67j
		mov	al, [ebp-5A5h]

loc_475E73:				; CODE XREF: .text:00475E0Dj
		mov	[ebp-628h], al

loc_475E79:				; CODE XREF: .text:00476BAAj
		mov	edx, [ebp-5B4h]
		cmp	edx, [ebp-5F4h]
		ja	loc_476BC6
		xor	ecx, ecx
		mov	esi, edx
		cmp	dword ptr [ebp-610h], 1
		jnz	short loc_475E9F
		mov	ecx, 1
		jmp	short loc_475ED4
; 

loc_475E9F:				; CODE XREF: .text:00475E96j
		cmp	[ebp-5ECh], ecx
		ja	short loc_475ED4
		mov	eax, 1
		sub	eax, [ebp-5ECh]
		jmp	short loc_475EC0
; 
		lea	esp, [esp+0]
		jmp	short loc_475EC0
; 
		align 10h

loc_475EC0:				; CODE XREF: .text:00475EB2j
					; .text:00475EBBj ...
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		sub	eax, 1
		jnz	short loc_475EC0

loc_475ED4:				; CODE XREF: .text:00475E9Dj
					; .text:00475EA5j
		test	esi, 0FFFh
		jz	short loc_475EE4
		test	ecx, ecx
		jz	loc_4761DB

loc_475EE4:				; CODE XREF: .text:00475EDAj
		push	98h
		lea	eax, [ebp-138h]
		push	0
		push	eax
		call	_memset
		mov	edx, [ebp-63Ch]
		add	esp, 0Ch
		test	edx, edx
		jz	loc_475F8B
		push	0
		push	dword ptr [ebp-638h]
		shl	edx, 9
		lea	ecx, [ebp-138h]
		mov	dword ptr [ebp-138h], 1
		mov	word ptr [ebp-134h], 0
		mov	dword ptr [ebp-128h], 0
		mov	dword ptr [ebp-130h], 21h
		mov	dword ptr [ebp-124h], 0
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [ebp-640h]
		call	MiTerminateWsleCluster
		push	dword ptr [ebp-5A4h]
		mov	esi, [ebp-5B0h]
		lea	ecx, [ebp-138h]
		mov	edx, [ebp-5C4h]
		push	esi
		push	0
		push	edi
		call	_MiDeletePteList@24 ; MiDeletePteList(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_475F91
		mov	dword ptr [ebp-5BCh], 1
		jmp	short loc_475F91
; 

loc_475F8B:				; CODE XREF: .text:00475F02j
		mov	esi, [ebp-5B0h]

loc_475F91:				; CODE XREF: .text:00475F7Dj
					; .text:00475F89j
		cmp	dword ptr [ebp-544h], 0
		jz	short loc_475FC3
		push	dword ptr [ebp-5A4h]
		mov	edx, [ebp-5C4h]
		lea	ecx, [ebp-550h]
		push	esi
		push	1
		push	edi
		call	_MiDeletePteList@24 ; MiDeletePteList(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_475FC3
		mov	dword ptr [ebp-5BCh], 1

loc_475FC3:				; CODE XREF: .text:00475F98j
					; .text:00475FB7j
		test	ebx, ebx
		jz	short loc_475FDC
		mov	ecx, [ebp-5C8h]
		mov	edx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	eax, eax
		mov	[ebp-5D4h], eax

loc_475FDC:				; CODE XREF: .text:00475FC5j
		cmp	dword ptr [ebp-624h], 0
		jz	loc_47615D
		push	4Ch
		lea	eax, [ebp-5A0h]
		mov	dword ptr [ebp-648h], 0
		push	0
		push	eax
		mov	dword ptr [ebp-644h], 0
		call	_memset
		mov	ebx, [ebp-5B4h]
		mov	eax, 861h
		mov	esi, [ebp-5F4h]
		mov	edx, ebx
		shl	edx, 9
		add	esp, 0Ch
		shl	esi, 9
		mov	[ebp-5A0h], ax
		mov	eax, edx
		cmp	edx, 0C0000000h
		jb	short loc_476051
		lea	ebx, [ebx+0]

loc_476040:				; CODE XREF: .text:0047604Fj
		cmp	eax, 0C07FFFFFh
		ja	short loc_476051
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	short loc_476040

loc_476051:				; CODE XREF: .text:00476038j
					; .text:00476045j
		cmp	eax, dword_6D07D0
		jb	short loc_476077
		cmp	eax, dword_6D2E88
		jb	short loc_476069
		cmp	eax, dword_6D2E8C
		jbe	short loc_476077

loc_476069:				; CODE XREF: .text:0047605Fj
		mov	ecx, 1
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	ecx, eax
		jmp	short loc_476089
; 

loc_476077:				; CODE XREF: .text:00476057j
					; .text:00476067j
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		add	ecx, 240h

loc_476089:				; CODE XREF: .text:00476075j
		mov	eax, 865h
		mov	[ebp-590h], ecx
		mov	[ebp-5A0h], ax
		lea	ecx, [ebp-5A0h]
		lea	eax, [ebp-648h]
		mov	dword ptr [ebp-594h], 0
		mov	[ebp-558h], eax
		mov	al, [ebp-59Eh]
		and	al, 0E7h
		mov	dword ptr [ebp-55Ch], offset _MiGetNextPageTableTail@4 ; MiGetNextPageTableTail(x)
		or	al, 4
		mov	[ebp-58Ch], edx
		mov	[ebp-59Eh], al
		mov	al, [ebp-5A5h]
		mov	[ebp-59Ah], al
		mov	[ebp-588h], esi
		call	MiWalkPageTables
		mov	edx, [ebp-644h]
		mov	ecx, [edi+0Ch]
		mov	[ebp-5C0h], edx
		test	edx, edx
		jz	loc_476BAF
		mov	eax, edx
		mov	[ebp-5B4h], edx
		sub	eax, ebx
		mov	esi, edx
		sar	eax, 3
		add	eax, ecx
		mov	[edi+0Ch], eax
		mov	eax, [ebp-648h]
		test	eax, eax
		jz	short loc_476154
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		cmp	eax, 1
		jbe	short loc_476154
		dec	eax
		jmp	short loc_476140
; 
		align 10h

loc_476140:				; CODE XREF: .text:00476138j
					; .text:00476152j
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		sub	eax, 1
		jnz	short loc_476140

loc_476154:				; CODE XREF: .text:00476121j
					; .text:00476135j
		shl	dword ptr [ebp-5C0h], 9
		jmp	short loc_4761BC
; 

loc_47615D:				; CODE XREF: .text:00475FE3j
		mov	ecx, [ebp-5ECh]
		mov	esi, [ebp-5B4h]
		test	ecx, ecx
		jnz	short loc_476194
		mov	eax, 1
		sub	eax, ecx
		jmp	short loc_476180
; 
		align 10h

loc_476180:				; CODE XREF: .text:00476174j
					; .text:00476192j
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		sub	eax, 1
		jnz	short loc_476180

loc_476194:				; CODE XREF: .text:0047616Bj
		mov	eax, [ebp-5F0h]
		xor	edx, edx
		push	dword ptr [ebp+10h]
		mov	ecx, esi
		push	dword ptr [ebp-628h]
		mov	eax, [eax+1Ch]
		shr	eax, 0Ch
		and	eax, 3Fh
		push	eax
		call	MiMakeSystemAddressValid
		mov	edx, [ebp-5B4h]

loc_4761BC:				; CODE XREF: .text:0047615Bj
		mov	eax, esi
		mov	dword ptr [ebp-610h], 0
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp-5D4h], eax

loc_4761DB:				; CODE XREF: .text:00475EDEj
		mov	edi, [esi]
		mov	dword ptr [ebp-608h], 0
		mov	dword ptr [ebp-604h], 0
		nop
		mov	ebx, [esi+4]
		mov	eax, edi
		or	eax, ebx
		mov	[ebp-5D8h], ebx
		mov	[ebp-650h], edi
		mov	[ebp-64Ch], ebx
		jnz	short loc_476283
		cmp	edx, [ebp-62Ch]
		jbe	short loc_476224
		mov	eax, [ebp-5ACh]
		mov	ecx, [ebp-5DCh]
		add	[eax+0Ch], ecx

loc_476224:				; CODE XREF: .text:00476213j
		mov	edi, [ebp-5B0h]
		mov	eax, edi
		mov	ebx, [ebp-5A4h]
		or	eax, ebx
		jz	loc_476AAC
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edx, [ebp-614h]
		shr	ecx, 0Ch
		and	ecx, 7FFh
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		add	eax, 190h
		lea	ecx, [eax+ecx*2]
		call	_MiIncreaseUsedPtesCount@8 ; MiIncreaseUsedPtesCount(x,x)
		mov	ecx, [ebp-614h]
		xor	eax, eax

loc_476272:				; CODE XREF: .text:0047627Cj
		mov	[esi+eax*8], edi
		mov	[esi+eax*8+4], ebx
		inc	eax
		cmp	eax, ecx
		jb	short loc_476272
		jmp	loc_476AAC
; 

loc_476283:				; CODE XREF: .text:0047620Bj
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	loc_476581
		cmp	dword ptr [ebp-5DCh], 1
		jz	short loc_4762D9
		push	dword ptr [ebp-5A4h]
		mov	edi, [ebp-5B0h]
		lea	eax, [ebp-550h]
		mov	ebx, [ebp-5ACh]
		mov	edx, esi
		mov	ecx, [ebp-5F0h]
		push	edi
		push	eax
		push	ebx
		call	_MiDecommitLargePte@24 ; MiDecommitLargePte(x,x,x,x,x,x)
		test	eax, eax
		jz	loc_476AB2
		mov	dword ptr [ebp-5BCh], 1
		jmp	loc_476AB2
; 

loc_4762D9:				; CODE XREF: .text:00476298j
		mov	esi, [ebp-5C8h]
		mov	ebx, [ebp-5C0h]
		mov	edx, ebx
		shr	edx, 0Ch
		mov	[ebp-5E8h], edx
		movzx	eax, byte ptr [esi+60h]
		and	eax, 7
		mov	ecx, dword_6D2E68[eax*4]
		mov	al, [ecx+edx]
		add	ecx, edx
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_476DBF
		cmp	al, 8
		jz	short loc_47632C
		push	dword ptr [ebp-5B4h]
		mov	edx, esi
		lea	ecx, [ebp-640h]
		call	_MiAppendWsleCluster@12	; MiAppendWsleCluster(x,x,x)
		test	eax, eax
		jnz	loc_4763E4

loc_47632C:				; CODE XREF: .text:0047630Fj
		shr	ebx, 9
		mov	esi, 1
		and	ebx, offset loc_7FFFF8
		sub	ebx, 40000000h
		mov	edx, [ebx]
		nop
		mov	eax, [ebx+4]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	ecx, [eax+ecx*4]
		mov	eax, [ebp-5C0h]
		add	eax, 40000000h
		cmp	eax, offset loc_7FFFFF
		ja	loc_476458
		push	ds:dword_40F9FC
		mov	eax, [ecx]
		mov	edx, ebx
		push	ds:_ZeroPte
		mov	ecx, [ebp-5C8h]
		shr	eax, 1
		and	al, 7
		push	0
		mov	[ebp-60Ch], al
		call	MiEvictPageTableLock
		test	eax, eax
		jnz	loc_47655E
		mov	ebx, [ebp-5C0h]

loc_4763AC:				; CODE XREF: .text:0047657Cj
		push	0
		push	1
		mov	edx, ebx
		lea	ecx, [ebp-550h]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	eax, [ebp-5B4h]
		and	edi, 0FFFFFFFEh
		mov	ecx, [ebp-5D8h]
		or	edi, 400h
		mov	[ebp-650h], edi
		mov	[ebp-64Ch], ecx
		mov	[eax], edi
		nop
		mov	[eax+4], ecx

loc_4763E4:				; CODE XREF: .text:00476326j
		mov	eax, [ebp-548h]
		mov	esi, [ebp-5A4h]
		dec	eax
		mov	edi, [ebp-5B0h]
		mov	ebx, [ebp-5ACh]
		cmp	[ebp-544h], eax
		jnz	loc_476AB8
		mov	edx, [ebp-5C4h]
		lea	ecx, [ebp-640h]
		push	esi
		push	edi
		push	ebx
		call	_MiDeletePteWsleCluster@20 ; MiDeletePteWsleCluster(x,x,x,x,x)
		test	eax, eax
		jz	short loc_47642B
		mov	dword ptr [ebp-5BCh], 1

loc_47642B:				; CODE XREF: .text:0047641Fj
		mov	edx, [ebp-5C4h]
		lea	ecx, [ebp-550h]
		push	esi
		push	edi
		push	1
		push	ebx
		call	_MiDeletePteList@24 ; MiDeletePteList(x,x,x,x,x,x)
		test	eax, eax
		jz	loc_476AB8
		mov	dword ptr [ebp-5BCh], 1
		jmp	loc_476AB8
; 

loc_476458:				; CODE XREF: .text:00476371j
		mov	esi, [ebp-5C8h]
		movzx	eax, byte ptr [esi+60h]
		and	eax, 7
		mov	eax, dword_6D2E68[eax*4]
		add	eax, [ebp-5E8h]
		mov	dh, [eax]
		mov	dl, dh
		and	dl, 0Fh
		cmp	dl, 0Ah
		jz	loc_476DAB
		mov	[ebp-60Ch], dh
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		mov	esi, eax
		neg	esi
		sbb	esi, esi
		inc	esi
		cmp	dl, 8
		jnz	short loc_4764C4
		mov	edx, [ebp-5C0h]
		push	ecx
		mov	ecx, [ebp-5C8h]
		call	_MiUnlockWsle@12 ; MiUnlockWsle(x,x,x)
		mov	edx, [ebp-5C0h]
		mov	ecx, [ebp-5C8h]
		call	MiLocateWsle
		mov	al, [eax]
		mov	[ebp-60Ch], al

loc_4764C4:				; CODE XREF: .text:00476497j
		mov	ecx, [ebx]
		mov	eax, ds:_ZeroPte
		mov	edx, [ebx+4]
		cmp	dword_6D07D0, 0C0000000h
		mov	[ebp-5CCh], eax
		mov	eax, ds:dword_40F9FC
		mov	[ebp-5D0h], eax
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	ebx, 0C0603000h
		jb	short loc_47650B
		cmp	ebx, eax
		jnb	short loc_47650B
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_47650B
		or	ecx, 20h

loc_47650B:				; CODE XREF: .text:004764F9j
					; .text:004764FDj ...
		mov	eax, ds:_MiFlags
		test	eax, 800h
		jz	short loc_47651C
		or	ecx, 20h
		jmp	short loc_476526
; 

loc_47651C:				; CODE XREF: .text:00476515j
		test	eax, 4000000h
		jz	short loc_476526
		lfence	eax

loc_476526:				; CODE XREF: .text:0047651Aj
					; .text:00476521j
		and	ecx, 20h
		or	ecx, 0
		jnz	short loc_47654C
		mov	eax, [ebp-5D0h]
		mov	ecx, ebx
		push	eax
		mov	eax, [ebp-5CCh]
		push	eax
		call	MI_INTERLOCKED_EXCHANGE_PTE
		and	eax, 20h
		xor	edx, edx
		or	eax, edx
		jmp	short loc_47655E
; 

loc_47654C:				; CODE XREF: .text:0047652Cj
		mov	eax, [ebp-5CCh]
		mov	[ebx], eax
		nop
		mov	eax, [ebp-5D0h]
		mov	[ebx+4], eax

loc_47655E:				; CODE XREF: .text:004763A0j
					; .text:0047654Aj
		mov	ebx, [ebp-5C0h]
		mov	edx, ebx
		mov	ecx, [ebp-5C8h]
		push	esi
		push	0Ah
		push	dword ptr [ebp-60Ch]
		push	1
		call	MiRemoveWsle
		jmp	loc_4763AC
; 

loc_476581:				; CODE XREF: .text:0047628Bj
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		jz	loc_476661
		mov	eax, dword_6D0704
		mov	esi, ebx
		mov	ecx, dword_6D0700
		mov	edx, esi
		mov	[ebp-5CCh], eax
		mov	eax, ecx
		or	eax, [ebp-5CCh]
		jz	short loc_4765C8
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4765C6
		mov	esi, [ebp-5CCh]
		not	esi
		and	esi, edx
		jmp	short loc_4765C8
; 

loc_4765C6:				; CODE XREF: .text:004765B8j
		mov	esi, edx

loc_4765C8:				; CODE XREF: .text:004765AEj
					; .text:004765C4j
		push	ebx
		push	edi
		call	_MI_PROTO_FORMAT_COMBINED@8 ; MI_PROTO_FORMAT_COMBINED(x,x)
		test	al, al
		jz	short loc_4765DC
		mov	edx, esi
		call	_MiDecrementCombinedPte@8 ; MiDecrementCombinedPte(x,x)
		jmp	short loc_476600
; 

loc_4765DC:				; CODE XREF: .text:004765D1j
		push	ebx
		push	edi
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jnz	short loc_47661A
		mov	ecx, [ebp-5C4h]
		mov	edx, esi
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		test	eax, eax
		jz	short loc_47661A
		push	ecx
		mov	ecx, eax
		call	MiDecrementCloneBlockReference

loc_476600:				; CODE XREF: .text:004765DAj
		mov	ebx, [ebp-5ACh]
		cmp	eax, 3
		jnz	short loc_476610
		inc	dword ptr [ebx+4]
		jmp	short loc_476620
; 

loc_476610:				; CODE XREF: .text:00476609j
		cmp	eax, 5
		jnz	short loc_476620
		inc	dword ptr [ebx+8]
		jmp	short loc_476620
; 

loc_47661A:				; CODE XREF: .text:004765E5j
					; .text:004765F6j
		mov	ebx, [ebp-5ACh]

loc_476620:				; CODE XREF: .text:0047660Ej
					; .text:00476613j ...
		mov	ecx, [ebp-5B4h]
		mov	edi, [ebp-5B0h]
		mov	[ecx], edi
		nop
		mov	esi, [ebp-5A4h]
		mov	eax, edi
		or	eax, esi
		mov	[ecx+4], esi
		jnz	loc_476AB8
		lea	edx, [eax+1]
		call	_MiReducePteUseCount@8 ; MiReducePteUseCount(x,x)
		test	eax, eax
		jz	loc_476AB8
		mov	dword ptr [ebp-5BCh], 1
		jmp	loc_476AB8
; 

loc_476661:				; CODE XREF: .text:0047658Bj
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jz	loc_476839
		cmp	dword ptr [ebp-5DCh], 1
		jz	short loc_4766A7
		push	dword ptr [ebp-5A4h]
		mov	edi, [ebp-5B0h]
		lea	eax, [ebp-550h]
		mov	ebx, [ebp-5ACh]
		mov	edx, esi
		mov	ecx, [ebp-5F0h]
		push	edi
		push	eax
		push	ebx
		call	_MiDecommitLargePte@24 ; MiDecommitLargePte(x,x,x,x,x,x)
		jmp	loc_47681C
; 

loc_4766A7:				; CODE XREF: .text:00476678j
		mov	ecx, [ebp-5B4h]
		xor	eax, eax
		xor	ebx, ebx
		mov	[ebp-5D0h], eax
		xor	edx, edx
		mov	[ebp-620h], ebx
		mov	[ebp-61Ch], eax
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	[ebp-5D8h], eax
		test	eax, eax
		jz	loc_476B9E
		xor	esi, esi
		mov	dword ptr [ebp-5B8h], 1
		xor	edi, edi
		cmp	[eax+14h], bx
		jnz	short loc_476741
		mov	ebx, [eax+8]
		mov	esi, ebx
		mov	edx, [eax+0Ch]
		mov	ecx, ebx
		mov	eax, edx
		mov	[ebp-5D0h], edx
		shrd	ecx, eax, 1
		mov	[ebp-620h], ebx
		mov	edi, edx
		mov	[ebp-61Ch], edx
		test	cl, 1
		jz	short loc_47673B
		lea	edx, [ebp-620h]
		mov	ecx, offset _MiSystemPartition
		call	_MI_IS_PTE_IN_WS_SWAP_SET@8 ; MI_IS_PTE_IN_WS_SWAP_SET(x,x)
		test	eax, eax
		mov	eax, [ebp-5D8h]
		jnz	short loc_476741
		mov	dword ptr [ebp-5B8h], 0
		jmp	short loc_476741
; 

loc_47673B:				; CODE XREF: .text:00476713j
		mov	eax, [ebp-5D8h]

loc_476741:				; CODE XREF: .text:004766EAj
					; .text:0047672Dj ...
		mov	ecx, [ebp-5B4h]
		mov	edx, eax
		push	0
		push	21h
		call	MiDeleteTransitionPte
		cmp	eax, 3
		jnz	short loc_476760
		mov	eax, [ebp-5ACh]
		inc	dword ptr [eax+4]

loc_476760:				; CODE XREF: .text:00476755j
		mov	eax, esi
		or	eax, edi
		jz	short loc_476781
		push	dword ptr [ebp-5D0h]
		mov	ecx, offset _MiSystemPartition
		push	ebx
		mov	ebx, [ebp-5B8h]
		mov	edx, ebx
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		jmp	short loc_476787
; 

loc_476781:				; CODE XREF: .text:00476764j
		mov	ebx, [ebp-5B8h]

loc_476787:				; CODE XREF: .text:0047677Fj
		mov	eax, [ebp-5C4h]
		or	ecx, 0FFFFFFFFh
		add	eax, 14Ch
		lock xadd [eax], ecx
		mov	eax, [ebp-5B0h]
		mov	edx, [ebp-5A4h]
		test	ebx, ebx
		jnz	short loc_4767F2
		mov	edx, dword_6D0704
		mov	ecx, esi
		mov	eax, edi
		shrd	ecx, eax, 0Ch
		and	ecx, 0Fh
		mov	ebx, dword_6D5D94[ecx*4]
		mov	ecx, dword_6D0700
		mov	eax, ecx
		or	eax, edx
		jz	short loc_4767DB
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4767DB
		not	edx
		and	edi, edx

loc_4767DB:				; CODE XREF: .text:004767CBj
					; .text:004767D5j
		push	dword ptr [ebp-5E4h]
		mov	edx, edi
		mov	ecx, ebx
		push	dword ptr [ebp-5E0h]
		push	2
		call	_MiTransferSoftwarePte@20 ; MiTransferSoftwarePte(x,x,x,x,x)

loc_4767F2:				; CODE XREF: .text:004767A7j
		mov	ecx, [ebp-5B4h]
		mov	[ecx], eax
		nop
		or	eax, edx
		mov	[ecx+4], edx
		jnz	loc_476AA6

loc_476806:				; CODE XREF: .text:00476AA1j
		mov	edx, 1
		call	_MiReducePteUseCount@8 ; MiReducePteUseCount(x,x)
		mov	ebx, [ebp-5ACh]
		mov	edi, [ebp-5B0h]

loc_47681C:				; CODE XREF: .text:004766A2j
		mov	esi, [ebp-5A4h]
		test	eax, eax
		jz	loc_476AB8
		mov	dword ptr [ebp-5BCh], 1
		jmp	loc_476AB8
; 

loc_476839:				; CODE XREF: .text:0047666Bj
		mov	ecx, edi
		mov	eax, ebx
		shrd	ecx, eax, 5
		and	cl, 1Fh
		cmp	cl, 10h
		jnz	short loc_476863
		mov	ebx, [ebp-5ACh]
		mov	eax, [ebp-5DCh]
		mov	edi, [ebp-5B0h]
		add	[ebx+0Ch], eax
		jmp	loc_476AB2
; 

loc_476863:				; CODE XREF: .text:00476847j
		mov	eax, dword_6D0700
		mov	edx, ebx
		mov	esi, dword_6D0704
		mov	ecx, edi
		mov	[ebp-5E8h], eax
		mov	ebx, ecx
		mov	[ebp-5CCh], esi
		or	eax, esi
		mov	[ebp-5D0h], edx
		mov	esi, edx
		jz	short loc_4768B3
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4768AC
		mov	ecx, [ebp-5E8h]
		mov	edx, [ebp-5CCh]
		not	ecx
		not	edx
		and	ecx, ebx
		and	edx, esi
		jmp	short loc_4768B3
; 

loc_4768AC:				; CODE XREF: .text:00476894j
		mov	ecx, ebx
		mov	edx, esi
		and	ecx, 0FFFFFFEFh

loc_4768B3:				; CODE XREF: .text:0047688Aj
					; .text:004768AAj
		mov	eax, ecx
		mov	[ebp-604h], edx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_4768D8
		mov	eax, ecx
		and	eax, 800h
		or	eax, 0
		jnz	short loc_4768D8
		and	ecx, 4
		or	ecx, eax
		jz	short loc_4768EA

loc_4768D8:				; CODE XREF: .text:004768C3j
					; .text:004768CFj
		mov	eax, [ebp-5C4h]
		or	ecx, 0FFFFFFFFh
		add	eax, 14Ch
		lock xadd [eax], ecx

loc_4768EA:				; CODE XREF: .text:004768D6j
		mov	eax, [ebp-5D0h]
		mov	ecx, ebx
		mov	edx, [ebp-5A4h]
		mov	esi, [ebp-5B0h]
		shrd	ecx, eax, 1
		mov	[ebp-5B8h], edx
		and	ecx, 1
		mov	dword ptr [ebp-5CCh], 1
		mov	[ebp-5E8h], ecx
		jz	loc_476A28
		lea	edx, [ebp-650h]
		mov	ecx, offset _MiSystemPartition
		call	_MI_IS_PTE_IN_WS_SWAP_SET@8 ; MI_IS_PTE_IN_WS_SWAP_SET(x,x)
		test	eax, eax
		jnz	loc_476A1C
		mov	esi, [ebp-5D0h]
		mov	ecx, ebx
		mov	edx, dword_6D0700
		mov	[ebp-5CCh], eax
		mov	eax, esi
		shrd	ecx, eax, 0Ch
		and	ecx, 0Fh
		mov	eax, dword_6D5D94[ecx*4]
		mov	ecx, esi
		mov	[ebp-5FCh], eax
		mov	eax, dword_6D0704
		mov	[ebp-5B8h], eax
		mov	eax, edx
		or	eax, [ebp-5B8h]
		jz	short loc_476992
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_476990
		mov	ecx, [ebp-5B8h]
		not	ecx
		and	ecx, esi
		jmp	short loc_476992
; 

loc_476990:				; CODE XREF: .text:00476982j
		mov	ecx, esi

loc_476992:				; CODE XREF: .text:00476978j
					; .text:0047698Ej
		mov	eax, [ebp-5E0h]
		mov	esi, eax
		mov	edx, [ebp-5E4h]
		and	eax, 400h
		or	eax, 0
		mov	[ebp-5B8h], edx
		jnz	short loc_4769B9
		and	esi, 0FFFFFFF9h
		mov	[ebp-5B8h], edx

loc_4769B9:				; CODE XREF: .text:004769AEj
		mov	eax, [ebp-5FCh]
		test	eax, eax
		jz	short loc_476A22
		movzx	eax, word ptr [eax+74h]
		mov	[ebp-5FCh], eax
		mov	eax, esi
		or	eax, edx
		jnz	short loc_4769DC
		push	ecx
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		jmp	short loc_4769E6
; 

loc_4769DC:				; CODE XREF: .text:004769D1j
		push	edx
		push	esi
		push	0
		push	ecx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)

loc_4769E6:				; CODE XREF: .text:004769DAj
		mov	esi, eax
		mov	[ebp-5B8h], edx
		mov	eax, [ebp-5FCh]
		movzx	eax, ax
		cdq
		shld	edx, eax, 0Ch
		mov	edx, [ebp-5B8h]
		shl	eax, 0Ch
		xor	edx, 0
		xor	eax, esi
		mov	[ebp-5B8h], edx
		and	eax, 0F000h
		xor	esi, eax
		or	esi, 2
		jmp	short loc_476A22
; 

loc_476A1C:				; CODE XREF: .text:00476933j
		mov	edx, [ebp-5B8h]

loc_476A22:				; CODE XREF: .text:004769C1j
					; .text:00476A1Aj
		mov	ecx, [ebp-5E8h]

loc_476A28:				; CODE XREF: .text:0047691Bj
		mov	eax, [ebp-5B4h]
		mov	[eax], esi
		mov	[eax+4], edx
		mov	eax, [ebp-5D0h]
		shrd	ebx, eax, 2
		test	bl, 1
		jz	short loc_476A57
		nop
		cmp	dword ptr [ebp-5CCh], 0
		mov	ecx, [ebp-5D8h]
		jnz	short loc_476A71
		and	edi, 0FFFFFFFDh
		jmp	short loc_476A71
; 

loc_476A57:				; CODE XREF: .text:00476A40j
		cmp	dword ptr [ebp-5CCh], 0
		jz	short loc_476A6D
		test	ecx, ecx
		jz	short loc_476A6D
		nop
		mov	ecx, [ebp-5D8h]
		jmp	short loc_476A71
; 

loc_476A6D:				; CODE XREF: .text:00476A5Ej
					; .text:00476A62j
		xor	edi, edi
		xor	ecx, ecx

loc_476A71:				; CODE XREF: .text:00476A50j
					; .text:00476A55j ...
		mov	eax, edi
		mov	[ebp-658h], edi
		or	eax, ecx
		mov	[ebp-654h], ecx
		jz	short loc_476A97
		push	ecx
		push	edi
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo
		mov	edx, [ebp-5B8h]

loc_476A97:				; CODE XREF: .text:00476A81j
		or	esi, edx
		jnz	short loc_476AA6
		mov	ecx, [ebp-5B4h]
		jmp	loc_476806
; 

loc_476AA6:				; CODE XREF: .text:00476800j
					; .text:00476A99j
		mov	edi, [ebp-5B0h]

loc_476AAC:				; CODE XREF: .text:00476234j
					; .text:0047627Ej
		mov	ebx, [ebp-5ACh]

loc_476AB2:				; CODE XREF: .text:004762C4j
					; .text:004762D4j ...
		mov	esi, [ebp-5A4h]

loc_476AB8:				; CODE XREF: .text:00476403j
					; .text:00476443j ...
		mov	eax, [ebp-5B4h]
		mov	ecx, [ebp-5DCh]
		lea	eax, [eax+ecx*8]
		mov	[ebp-5B4h], eax
		test	al, 78h
		jnz	short loc_476AF4
		mov	ecx, [ebp-5C8h]
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_476AEB
		lea	eax, [ecx+80h]

loc_476AEB:				; CODE XREF: .text:00476AE3j
		mov	eax, [eax]
		test	eax, 40000000h
		jnz	short loc_476B01

loc_476AF4:				; CODE XREF: .text:00476ACFj
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	loc_476B8F

loc_476B01:				; CODE XREF: .text:00476AF2j
		mov	edx, [ebp-5C4h]
		lea	ecx, [ebp-640h]
		push	esi
		push	edi
		push	ebx
		call	_MiDeletePteWsleCluster@20 ; MiDeletePteWsleCluster(x,x,x,x,x)
		test	eax, eax
		jz	short loc_476B23
		mov	dword ptr [ebp-5BCh], 1

loc_476B23:				; CODE XREF: .text:00476B17j
		cmp	dword ptr [ebp-544h], 0
		jz	short loc_476B50
		mov	edx, [ebp-5C4h]
		lea	ecx, [ebp-550h]
		push	esi
		push	edi
		push	1
		push	ebx
		call	_MiDeletePteList@24 ; MiDeletePteList(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_476B50
		mov	dword ptr [ebp-5BCh], 1

loc_476B50:				; CODE XREF: .text:00476B2Aj
					; .text:00476B44j
		mov	eax, [ebp-5D4h]
		mov	ebx, [ebp-5C8h]
		test	eax, eax
		jz	short loc_476B71
		mov	edx, eax
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	eax, eax
		mov	[ebp-5D4h], eax

loc_476B71:				; CODE XREF: .text:00476B5Ej
		mov	dl, [ebp-5A5h]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		mov	ecx, ebx
		mov	dword ptr [ebp-610h], 1
		call	MiLockWorkingSetShared

loc_476B8F:				; CODE XREF: .text:00476AFBj
		mov	eax, [ebp-5DCh]
		shl	eax, 0Ch
		add	[ebp-5C0h], eax

loc_476B9E:				; CODE XREF: .text:004766D2j
		mov	edi, [ebp-5ACh]
		mov	ebx, [ebp-5D4h]
		jmp	loc_475E79
; 

loc_476BAF:				; CODE XREF: .text:004760FFj
		mov	eax, [ebp-5F4h]
		sub	eax, ebx
		mov	ebx, [ebp-5D4h]
		sar	eax, 3
		inc	eax
		add	eax, ecx
		mov	[edi+0Ch], eax

loc_476BC6:				; CODE XREF: .text:00475E85j
		push	98h
		lea	eax, [ebp-0A0h]
		push	0
		push	eax
		call	_memset
		mov	edx, [ebp-63Ch]
		add	esp, 0Ch
		test	edx, edx
		jz	loc_476C6D
		push	0
		push	dword ptr [ebp-638h]
		shl	edx, 9
		lea	ecx, [ebp-0A0h]
		mov	dword ptr [ebp-0A0h], 1
		mov	word ptr [ebp-9Ch], 0
		mov	dword ptr [ebp-90h], 0
		mov	dword ptr [ebp-98h], 21h
		mov	dword ptr [ebp-8Ch], 0
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [ebp-640h]
		call	MiTerminateWsleCluster
		push	dword ptr [ebp-5A4h]
		mov	esi, [ebp-5B0h]
		lea	ecx, [ebp-0A0h]
		mov	edx, [ebp-5C4h]
		push	esi
		push	0
		push	edi
		call	_MiDeletePteList@24 ; MiDeletePteList(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_476C73
		mov	dword ptr [ebp-5BCh], 1
		jmp	short loc_476C73
; 

loc_476C6D:				; CODE XREF: .text:00476BE4j
		mov	esi, [ebp-5B0h]

loc_476C73:				; CODE XREF: .text:00476C5Fj
					; .text:00476C6Bj
		cmp	dword ptr [ebp-544h], 0
		jz	short loc_476CA5
		push	dword ptr [ebp-5A4h]
		mov	edx, [ebp-5C4h]
		lea	ecx, [ebp-550h]
		push	esi
		push	1
		push	edi
		call	_MiDeletePteList@24 ; MiDeletePteList(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_476CA5
		mov	dword ptr [ebp-5BCh], 1

loc_476CA5:				; CODE XREF: .text:00476C7Aj
					; .text:00476C99j
		test	ebx, ebx
		jz	loc_476D81
		mov	edx, [ebp-5C8h]
		lea	eax, [ebx+3FA00000h]
		sar	eax, 3
		lea	ecx, [eax+eax]
		mov	al, [edx+60h]
		mov	edi, ecx
		and	al, 7
		and	edi, 1Fh
		cmp	al, 2
		jb	short loc_476D2B
		cmp	ebx, 0C0603018h
		jz	short loc_476CE9
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_476D1F
		cmp	ebx, 0C0603010h
		jnz	short loc_476D1F

loc_476CE9:				; CODE XREF: .text:00476CD3j
		cmp	al, 7
		jnz	short loc_476D04
		mov	edi, 0C0603018h
		mov	ebx, offset unk_6D2E58
		sub	edi, [ebp-5D4h]
		sar	edi, 3
		add	edi, edi
		jmp	short loc_476D46
; 

loc_476D04:				; CODE XREF: .text:00476CEBj
		cmp	al, 5
		jnz	short loc_476D1F
		mov	edi, 0C0603018h
		mov	ebx, offset unk_6D2E54
		sub	edi, [ebp-5D4h]
		sar	edi, 3
		add	edi, edi
		jmp	short loc_476D46
; 

loc_476D1F:				; CODE XREF: .text:00476CDFj
					; .text:00476CE7j ...
		shr	ecx, 5
		lea	ebx, unk_6D2C54[ecx*4]
		jmp	short loc_476D46
; 

loc_476D2B:				; CODE XREF: .text:00476CCBj
		shr	ecx, 5
		test	al, al
		jnz	short loc_476D3D
		mov	ebx, [edx+0Ch]
		add	ebx, 0D90h
		jmp	short loc_476D43
; 

loc_476D3D:				; CODE XREF: .text:00476D30j
		lea	ebx, [edx+120h]

loc_476D43:				; CODE XREF: .text:00476D3Bj
		lea	ebx, [ebx+ecx*4]

loc_476D46:				; CODE XREF: .text:00476D02j
					; .text:00476D1Dj ...
		mov	edx, [ebx]
		mov	ecx, edi
		mov	eax, 2
		shl	eax, cl
		mov	ecx, edx
		not	eax
		btr	ecx, edi
		mov	[ebp-5FCh], eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jz	short loc_476D81
		mov	ecx, [ebp-5FCh]

loc_476D70:				; CODE XREF: .text:00476D7Fj
		mov	edx, eax
		mov	esi, eax
		btr	edx, edi
		and	edx, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, esi
		jnz	short loc_476D70

loc_476D81:				; CODE XREF: .text:00476CA7j
					; .text:00476D68j
		mov	dl, [ebp-5A5h]
		mov	ecx, [ebp-5C8h]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp-4]
		mov	eax, [ebp-5BCh]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_476DAB:				; CODE XREF: .text:0047647Cj
		push	eax
		push	esi
		push	dword ptr [ebp-5C0h]
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_476DBF:				; CODE XREF: .text:00476307j
		push	ecx
		push	esi
		push	ebx
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAppendWsleCluster(x, x, x)
_MiAppendWsleCluster@12	proc near	; CODE XREF: .text:0047631Fp
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+4E2p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		mov	edx, ebx
		mov	ecx, eax
		shl	edx, 9
		call	MiLocateWsle
		mov	esi, [ebx]
		mov	dl, [eax]
		mov	byte ptr [ebp+arg_0+3],	dl
		nop
		mov	eax, [ebx+4]
		nop
		shrd	esi, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	esi, 1FFFFFFh
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		lea	ecx, [eax+ecx*4]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		neg	eax
		sbb	esi, esi
		mov	eax, [edi+4]
		inc	esi
		test	eax, eax
		jz	short loc_476E71
		mov	ecx, [edi+8]
		lea	eax, [eax+ecx*8]
		cmp	ebx, eax
		jnz	short loc_476E56
		cmp	dl, [edi+10h]
		jnz	short loc_476E56
		mov	eax, [edi+0Ch]
		and	eax, 1
		cmp	esi, eax
		jnz	short loc_476E56
		lea	eax, [ecx+1]
		mov	[edi+8], eax
		mov	eax, 1
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_476E56:				; CODE XREF: MiAppendWsleCluster(x,x,x)+61j
					; MiAppendWsleCluster(x,x,x)+66j ...
		test	byte ptr [edi+0Ch], 2
		jz	short loc_476E67
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_476E67:				; CODE XREF: MiAppendWsleCluster(x,x,x)+8Aj
		mov	ecx, edi
		call	MiTerminateWsleCluster
		mov	dl, byte ptr [ebp+arg_0+3]

loc_476E71:				; CODE XREF: MiAppendWsleCluster(x,x,x)+57j
		mov	eax, [ebp+var_4]
		mov	[edi], eax
		mov	eax, [edi+0Ch]
		and	eax, 0FFFFFFFEh
		mov	[edi+4], ebx
		or	eax, esi
		mov	dword ptr [edi+8], 1
		mov	[edi+0Ch], eax
		mov	eax, 1
		mov	[edi+10h], dl
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiAppendWsleCluster@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiGetWsleContents proc near		; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+3F5p
					; NtLockVirtualMemory(x,x,x,x)+38Cp

var_20		= dword	ptr -20h

; FUNCTION CHUNK AT 005B36CD SIZE 0000002E BYTES

		movzx	eax, byte ptr [ecx+60h]
		push	esi
		push	edi
		mov	edi, edx
		and	eax, 7
		mov	esi, edi
		shr	esi, 0Ch
		add	esi, dword_6D2E68[eax*4]
		mov	al, [esi]
		mov	dl, al
		and	dl, 0Fh
		cmp	dl, 0Ah
		jz	loc_5B36CD
		pop	edi
		pop	esi
		retn
MiGetWsleContents endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiLocateWsle	proc near		; CODE XREF: .text:00453964p
					; .text:00458BB0p ...
		mov	edi, edi
		push	ebx
		push	esi
		movzx	esi, byte ptr [ecx+60h]
		mov	eax, edx
		and	esi, 7
		shr	eax, 0Ch
		add	eax, dword_6D2E68[esi*4]
		pop	esi
		mov	bl, [eax]
		and	bl, 0Fh
		cmp	bl, 0Ah
		pop	ebx
		jz	loc_5B36DD
		retn
MiLocateWsle	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertTbFlushEntry(x, x, x, x)
_MiInsertTbFlushEntry@16 proc near	; CODE XREF: .text:00432164p
					; MiMakePteClean+48p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, edx
		mov	esi, ecx
		mov	[ebp+var_4], eax
		mov	edx, 1000h
		lea	ecx, [edi+edi*8]
		shl	edx, cl
		cmp	dword ptr [esi], 1
		mov	[ebp+arg_4], edx
		jnz	loc_477056

loc_476F2B:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+15Cj
					; MiInsertTbFlushEntry(x,x,x,x)+167j ...
		mov	ebx, [esi+0Ch]
		test	ebx, ebx
		jz	short loc_476F7C
		test	byte ptr [esi+4], 4
		jnz	short loc_476F7C
		mov	eax, [esi+ebx*4+10h]
		mov	ecx, eax
		shr	ecx, 0Ah
		and	ecx, 3
		cmp	ecx, edi
		jnz	short loc_476F82
		mov	ecx, eax
		and	eax, 0FFFFF000h
		and	ecx, 3FFh
		mov	[ebp+var_8], ecx
		inc	ecx
		imul	ecx, edx
		add	ecx, eax
		cmp	ecx, [ebp+var_4]
		jnz	short loc_476F82
		mov	eax, [ebp+arg_0]
		add	eax, [ebp+var_8]
		cmp	eax, [ebp+var_8]
		jbe	short loc_476F82
		cmp	eax, 3FFh
		ja	short loc_476F82
		mov	eax, 1
		jmp	short loc_476F7E
; 

loc_476F7C:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+30j
					; MiInsertTbFlushEntry(x,x,x,x)+36j
		xor	eax, eax

loc_476F7E:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+7Aj
		test	eax, eax
		jnz	short loc_476FFA

loc_476F82:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+46j
					; MiInsertTbFlushEntry(x,x,x,x)+61j ...
		test	ebx, ebx
		jnz	loc_47701D

loc_476F8A:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+121j
					; MiInsertTbFlushEntry(x,x,x,x)+135j ...
		cmp	ebx, [esi+8]
		jnb	loc_4770BB
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	short loc_476FF1
		and	edi, 3
		shl	edi, 0Ah

loc_476FA0:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+EFj
		lea	eax, [ebx-1]
		cmp	eax, 3FFh
		ja	loc_4770F5
		mov	eax, ebx
		mov	[ebp+arg_0], ebx

loc_476FB3:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+1FDj
		mov	ecx, [ebp+var_4]
		sub	ebx, eax
		dec	eax
		and	ecx, 0FFFFF000h
		and	eax, 3FFh
		or	eax, ecx
		mov	ecx, edx
		imul	ecx, [ebp+arg_0]
		or	eax, edi
		add	[ebp+var_4], ecx
		mov	ecx, [esi+0Ch]
		mov	[esi+ecx*4+14h], eax
		inc	dword ptr [esi+0Ch]
		mov	eax, [ebp+arg_0]
		mov	ecx, [esi+0Ch]
		add	[esi+10h], eax
		cmp	ecx, [esi+8]
		jz	loc_477083

loc_476FED:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+187j
					; MiInsertTbFlushEntry(x,x,x,x)+205j
		test	ebx, ebx
		jnz	short loc_476FA0

loc_476FF1:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+98j
					; MiInsertTbFlushEntry(x,x,x,x)+1B2j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_476FFA:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+80j
		mov	eax, [esi+ebx*4+10h]
		mov	ecx, [ebp+arg_0]
		add	[esi+10h], ecx
		add	ecx, eax
		xor	ecx, eax
		and	ecx, 3FFh
		xor	ecx, eax
		pop	edi
		mov	[esi+ebx*4+10h], ecx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_47701D:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+84j
		test	byte ptr [esi+4], 4
		jnz	loc_476F8A
		mov	eax, [esi+ebx*4+10h]
		mov	ecx, eax
		shr	ecx, 0Ah
		and	ecx, 3
		cmp	ecx, edi
		jnz	loc_476F8A
		imul	edx, [ebp+arg_0]
		mov	ecx, eax
		and	ecx, 0FFFFF000h
		add	edx, [ebp+var_4]
		cmp	ecx, edx
		jz	short loc_4770C4

loc_47704E:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+1D1j
					; MiInsertTbFlushEntry(x,x,x,x)+1DDj
		mov	edx, [ebp+arg_4]
		jmp	loc_476F8A
; 

loc_477056:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+25j
		mov	cl, [esi+4]
		test	cl, 8
		jnz	loc_476F2B
		cmp	eax, 0C0000000h
		jb	loc_476F2B
		cmp	eax, 0C07FFFFFh
		ja	loc_476F2B
		or	cl, 8
		mov	[esi+4], cl
		jmp	loc_476F2B
; 

loc_477083:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+E7j
		test	byte ptr [esi+4], 4
		jnz	loc_476FED
		push	offset _MiTbFlushSort ;	int __cdecl (*)(const void *,const void	*)
		push	4		; size_t
		push	ecx		; size_t
		lea	eax, [esi+14h]
		push	eax		; void *
		call	_qsort
		add	esp, 10h
		mov	ecx, esi
		call	MiCompressTbFlushList
		mov	eax, [esi+0Ch]
		cmp	eax, [esi+8]
		jnz	short loc_477102
		test	ebx, ebx
		jz	loc_476FF1
		mov	[esi+10h], eax

loc_4770BB:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+8Dj
		mov	byte ptr [esi+5], 1
		jmp	loc_476FF1
; 

loc_4770C4:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+14Cj
		mov	ecx, [ebp+arg_0]
		and	eax, 3FFh
		lea	edx, [eax+ecx]
		cmp	edx, eax
		jbe	loc_47704E
		cmp	edx, 3FFh
		ja	loc_47704E
		push	edi
		push	ecx
		mov	ecx, esi
		call	_MiMergeTbFlushEntryBackwards@16 ; MiMergeTbFlushEntryBackwards(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4770F5:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+A8j
		mov	eax, 400h
		mov	[ebp+arg_0], eax
		jmp	loc_476FB3
; 

loc_477102:				; CODE XREF: MiInsertTbFlushEntry(x,x,x,x)+1AEj
		mov	edx, [ebp+arg_4]
		jmp	loc_476FED
_MiInsertTbFlushEntry@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetReadOnlyOnSectionView(x, x, x,	x)
_MiSetReadOnlyOnSectionView@16 proc near
					; CODE XREF: MmSecureVirtualMemoryAgainstWrites+11Dp

var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A5		= byte ptr -0A5h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		mov	[ebp+var_C0], eax
		mov	esi, edx
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_B4], esi
		push	0		; int
		push	eax		; void *
		mov	ebx, ecx
		mov	[ebp+var_D4], 0
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		test	eax, eax
		jz	short loc_47717E
		mov	eax, 0C0000045h
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_47717E:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+54j
		mov	eax, [ebp+var_C0]
		add	ebx, 240h
		shr	eax, 9
		mov	ecx, ebx
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_BC], 4
		add	eax, 0C0000000h
		mov	[ebp+var_A4], 1
		mov	[ebp+var_DC], eax
		mov	esi, eax
		mov	eax, [ebp+arg_4]
		xor	edi, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_C8], 0
		sub	eax, 40000000h
		mov	[ebp+var_A0], 1
		mov	[ebp+var_9C], 0
		mov	[ebp+var_90], 0
		mov	[ebp+var_98], 21h
		mov	[ebp+var_8C], 0
		mov	[ebp+arg_4], eax
		mov	[ebp+var_AC], ebx
		call	MiLockWorkingSetShared
		mov	byte ptr [ebp+var_C4], al
		cmp	esi, [ebp+arg_4]
		ja	loc_4774FF
		nop

loc_477220:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+3E9j
		test	esi, 0FFFh
		jz	short loc_47722E
		test	edi, edi
		jnz	short loc_47727C
		jmp	short loc_477246
; 

loc_47722E:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+116j
		test	edi, edi
		jz	short loc_477246
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		mov	edx, edi
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_477246:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+11Cj
					; MiSetReadOnlyOnSectionView(x,x,x,x)+120j
		mov	eax, [ebp+var_B4]
		lea	edx, [ebp+var_A0]
		push	0
		push	[ebp+var_C4]
		mov	ecx, esi
		mov	eax, [eax+1Ch]
		shr	eax, 0Ch
		and	eax, 3Fh
		push	eax
		call	MiMakeSystemAddressValid
		mov	edi, esi
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h

loc_47727C:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+11Aj
		mov	ebx, [esi]
		nop
		mov	edx, [esi+4]
		mov	eax, ebx
		or	eax, edx
		mov	[ebp+var_B0], edx
		jz	loc_477491
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	loc_47741C
		nop
		mov	eax, ds:_MmPfnDatabase
		shrd	ebx, edx, 0Ch
		mov	edx, [ebp+var_A4]
		and	ebx, 1FFFFFFh
		lea	ecx, ds:0[ebx*8]
		sub	ecx, ebx
		cmp	word ptr [eax+ecx*4+14h], 1
		lea	ecx, [eax+ecx*4]
		mov	[ebp+var_B0], ecx
		jbe	short loc_4772DC
		mov	eax, edx
		and	al, 7
		cmp	al, 4
		jnz	loc_477491

loc_4772DC:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+1BEj
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_4773C7
		mov	eax, esi
		lea	ecx, [ebp+var_D4]
		shl	eax, 9
		push	ecx
		mov	ecx, [ebp+var_B4]
		mov	edx, eax
		push	0
		shr	edx, 0Ch
		mov	[ebp+var_B8], eax
		call	MiGetProtoPteAddress
		mov	edx, [ebp+var_B0]
		mov	ecx, [edx+4]
		or	ecx, 80000000h
		cmp	ecx, eax
		jnz	loc_477491
		mov	edx, [ebp+var_B8]
		mov	ecx, [ebp+var_AC]
		call	MiLocateWsle
		mov	ecx, [ebp+var_B8]
		mov	al, [eax]
		mov	byte ptr [ebp+var_D8], al
		push	[ebp+var_D8]
		call	_MiGetWsleProtection@8 ; MiGetWsleProtection(x,x)
		mov	edx, [ebp+var_BC]
		cmp	eax, edx
		jz	short loc_47737C
		test	eax, eax
		jnz	loc_477491
		mov	eax, [ebp+var_B0]
		mov	ecx, [eax+8]
		nop
		mov	eax, [eax+0Ch]
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		cmp	ecx, edx
		jnz	loc_477491

loc_47737C:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+246j
		mov	edx, [ebp+var_B8]
		mov	ecx, [ebp+var_AC]
		call	MiLocateWsle
		mov	edx, [ebp+var_B8]
		mov	ecx, eax
		mov	al, byte ptr [ebp+var_A4]
		shl	al, 4
		xor	al, [ecx]
		and	al, 70h
		xor	al, [ecx]
		mov	ecx, [ebp+var_AC]
		mov	[ebp+var_A5], al
		call	MiLocateWsle
		mov	ecx, eax
		mov	al, [ebp+var_A5]
		mov	[ecx], al
		mov	eax, [ebp+var_A4]
		jmp	short loc_4773FE
; 

loc_4773C7:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+1D3j
		mov	eax, [ebp+var_B0]
		mov	ecx, [ecx+8]
		mov	eax, [eax+0Ch]
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		cmp	ecx, [ebp+var_BC]
		jnz	loc_477491
		mov	ecx, [ebp+var_B4]
		push	edx
		mov	edx, [ebp+var_B0]
		call	_MiUpdatePfnProtection@12 ; MiUpdatePfnProtection(x,x,x)
		mov	[ebp+var_A4], eax

loc_4773FE:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+2B5j
		lea	ecx, [ebp+var_A0]
		mov	edx, esi
		push	ecx
		mov	ecx, [ebp+var_B4]
		push	ebx
		push	eax
		call	MiRevertValidPte
		add	esi, 8
		jmp	loc_4774F0
; 

loc_47741C:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+18Aj
		mov	eax, ebx
		and	eax, 400h
		or	eax, 0
		jz	loc_47753D
		mov	eax, [ebp+var_A4]
		and	al, 7
		cmp	al, 4
		jnz	short loc_477491
		push	edx
		push	ebx
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		mov	ecx, [ebp+var_A4]
		test	eax, eax
		jz	short loc_47747A
		and	ecx, 1Fh
		xor	eax, eax
		shld	eax, ecx, 5
		and	ebx, 0FFFFFC1Fh
		or	eax, [ebp+var_B0]
		shl	ecx, 5
		or	ecx, ebx
		mov	[ebp+var_CC], eax
		mov	[ebp+var_D0], ecx
		mov	[esi], ecx
		nop
		mov	[esi+4], eax
		add	esi, 8
		jmp	short loc_4774F0
; 

loc_47747A:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+337j
		call	_MiMakePrototypePteVadLookup@4 ; MiMakePrototypePteVadLookup(x)
		mov	[ebp+var_D0], eax
		mov	[ebp+var_CC], edx
		mov	[esi], eax
		nop
		mov	[esi+4], edx

loc_477491:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+17Cj
					; MiSetReadOnlyOnSectionView(x,x,x,x)+1C6j ...
		mov	eax, [ebp+var_C0]
		shr	eax, 12h
		and	eax, 3FF8h
		sub	eax, 3FA00000h
		cmp	edi, eax
		jz	short loc_4774C6
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		test	edi, edi
		jz	short loc_4774C6
		mov	ecx, [ebp+var_AC]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	edi, edi

loc_4774C6:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+396j
					; MiSetReadOnlyOnSectionView(x,x,x,x)+3A5j
		add	esi, 0FFFFFFF8h
		mov	[ebp+var_BC], 1
		mov	[ebp+arg_4], esi
		mov	esi, [ebp+var_DC]
		mov	[ebp+var_A4], 4
		mov	[ebp+var_C8], 0C0000045h

loc_4774F0:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+307j
					; MiSetReadOnlyOnSectionView(x,x,x,x)+368j ...
		mov	ebx, [ebp+var_AC]
		cmp	esi, [ebp+arg_4]
		jbe	loc_477220

loc_4774FF:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+109j
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		test	edi, edi
		jz	short loc_477517
		mov	edx, edi
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_477517:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+3FCj
		mov	dl, byte ptr [ebp+var_C4]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_C8]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_47753D:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+316j
		mov	eax, ebx
		and	eax, 800h
		or	eax, 0
		jz	short loc_47757B
		mov	ebx, [ebp+var_A4]
		xor	ecx, ecx
		mov	eax, ebx
		mov	edx, esi
		and	al, 7
		cmp	al, 4
		setz	cl
		push	ecx
		mov	ecx, [ebp+var_B4]
		push	ebx
		call	_MiSetProtectionOnTransitionPte@16 ; MiSetProtectionOnTransitionPte(x,x,x,x)
		test	eax, eax
		jz	short loc_4775BF
		cmp	eax, 2
		jz	loc_4774F0
		jmp	loc_477491
; 

loc_47757B:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+437j
		mov	ecx, ebx
		mov	eax, edx
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		cmp	ecx, [ebp+var_BC]
		jnz	loc_477491
		mov	ecx, [ebp+var_A4]
		xor	eax, eax
		and	ecx, 1Fh
		and	ebx, 0FFFFFC1Fh
		shld	eax, ecx, 5
		shl	ecx, 5
		or	ecx, ebx
		or	eax, edx
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_CC], eax
		mov	[esi], ecx
		mov	[esi+4], eax

loc_4775BF:				; CODE XREF: MiSetReadOnlyOnSectionView(x,x,x,x)+45Bj
		add	esi, 8
		jmp	loc_4774F0
_MiSetReadOnlyOnSectionView@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakePageAvoidRead(x, x, x, x, x, x, x)
_MiMakePageAvoidRead@28	proc near	; CODE XREF: .text:0047C9DAp

var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_37		= byte ptr -37h
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A11B8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0E4h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_20], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_C0], edx
		mov	eax, ecx
		mov	[ebp+var_40], eax
		mov	[ebp+var_74], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_48], eax
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_3C], ebx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_80], eax
		mov	ecx, [ebp+arg_10]
		mov	[ebp+var_84], ecx
		mov	[ebp+var_78], 0
		mov	[ebp+var_36], 0
		xor	edx, edx
		mov	[ebp+var_BC], edx
		mov	[ebp+var_B8], edx
		mov	[ebp+var_B4], edx
		mov	[ebp+var_B0], edx
		mov	[ebp+var_AC], edx
		mov	[ebp+var_A8], edx
		mov	[ecx], edx
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], eax
		mov	esi, eax
		mov	edx, dword_6D0700
		mov	edi, dword_6D0704
		mov	eax, edx
		or	eax, edi
		jz	short loc_4776AF
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4776A6
		not	edx
		mov	eax, edi
		not	eax
		and	edx, ecx
		and	eax, esi
		mov	[ebp+var_70], eax
		mov	[ebp+var_54], edx
		jmp	short loc_4776B1
; 

loc_4776A6:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+C2j
		and	ecx, 0FFFFFFEFh
		mov	[ebp+var_70], esi
		mov	[ebp+var_54], ecx

loc_4776AF:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+B8j
		mov	eax, esi

loc_4776B1:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+D4j
		mov	[ebp+var_E4], eax
		mov	eax, [eax]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_C8], eax
		mov	eax, [eax+1Ch]
		shr	eax, 14h
		and	eax, 3Fh
		jz	short loc_4776E1
		mov	edi, large fs:20h
		lea	edx, [eax-1]
		mov	cl, byte_6D068C
		shl	edx, cl
		jmp	short loc_4776FA
; 

loc_4776E1:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+FBj
		mov	eax, large fs:124h
		mov	eax, [eax+16Ch]
		mov	edi, ds:_KiProcessorBlock[eax*4]
		mov	edx, [edi+4C8h]

loc_4776FA:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+10Fj
		mov	esi, 1
		mov	cl, byte_6D068D
		shl	esi, cl
		dec	esi
		lea	eax, [edi+4BCh]
		mov	edi, 1
		mov	ecx, edi
		lock xadd [eax], ecx
		inc	ecx
		dec	ecx
		and	ecx, esi
		lea	eax, [ebx-1000h]
		neg	eax
		sbb	eax, eax
		and	eax, 2
		push	eax
		or	edx, ecx
		mov	ecx, offset _MiSystemPartition
		call	MiGetPage
		mov	[ebp+var_58], eax
		mov	[ebp+var_90], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_47776F
		mov	ecx, offset _MiSystemPartition
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		mov	eax, edi

loc_477751:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+2A5j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+6AEj ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_20]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_47776F:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+173j
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [eax+ecx*4]
		mov	[ebp+var_5C], edi
		mov	eax, [ebp+var_80]
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		mov	[ebp+var_44], ecx
		mov	[ebp+var_E0], ecx
		mov	eax, ecx
		mov	[ebp+var_98], eax
		mov	[ebp+var_8C], eax
		jnz	short loc_4777B3
		mov	ebx, 3
		jmp	short loc_4777DB
; 

loc_4777B3:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+1DAj
		cmp	ecx, 1Fh
		jnz	short loc_4777BD
		lea	ebx, [ecx-1Eh]
		jmp	short loc_4777DB
; 

loc_4777BD:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+1E6j
		mov	ebx, ecx
		shr	ebx, 3
		cmp	ebx, 3
		jnz	short loc_4777D3
		test	cl, 7
		jz	short loc_4777D3
		mov	ebx, 2
		jmp	short loc_4777DB
; 

loc_4777D3:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+1F5j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+1FAj
		dec	ebx
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 1

loc_4777DB:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+1E1j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+1EBj ...
		mov	[ebp+var_60], 0
		xor	eax, eax
		mov	[ebp+var_88], eax
		mov	[ebp+var_DC], eax
		cmp	[ebp+var_3C], 1000h
		jz	short loc_47780D
		mov	edx, ebx
		mov	ecx, edi
		call	_MiPfnZeroingNeeded@8 ;	MiPfnZeroingNeeded(x,x)
		test	eax, eax
		jz	short loc_47780D
		mov	[ebp+var_60], 1

loc_47780D:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+227j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+234j
		movzx	eax, byte ptr [edi+16h]
		shr	eax, 6
		cmp	eax, ebx
		jz	short loc_477823
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	MiChangePageAttribute

loc_477823:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+246j
		lea	esi, [edi+10h]
		mov	ecx, [esi]
		jmp	short loc_477830
; 
		align 10h

loc_477830:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+258j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+CB3j
		mov	edx, ecx
		and	edx, 0F87FFFFFh
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	ecx, eax
		jnz	loc_478281
		mov	edx, 1
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	esi, eax
		mov	[ebp+var_C4], esi
		test	esi, esi
		jnz	loc_477AA8
		test	[ebp+arg_8], 1
		jnz	short loc_47787A
		mov	ecx, edi
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		lea	eax, [esi+4]
		jmp	loc_477751
; 

loc_47787A:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+299j
		cmp	[ebp+var_60], 0
		jz	short loc_47788E
		push	ebx
		mov	edx, 1
		mov	ecx, [ebp+var_58]
		call	MiZeroPhysicalPage

loc_47788E:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+2AEj
		mov	[ebp+var_88], 1

loc_477898:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+697j
		mov	eax, dword ptr ds:byte_70EFC4
		and	eax, 1
		mov	[ebp+var_60], eax
		mov	eax, [ebp+var_40]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_3C], eax

loc_4778B1:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+32Ej
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+34Aj
		mov	[ebp+var_54], 0
		mov	[ebp+var_50], 0
		mov	esi, [eax-40000000h]
		nop
		mov	ecx, [eax-3FFFFFFCh]
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_478270
		mov	eax, esi
		and	eax, 200h
		or	eax, 0
		jnz	loc_478270
		nop
		shrd	esi, ecx, 0Ch
		and	esi, 1FFFFFFh
		cmp	esi, dword_6D07B0
		mov	eax, [ebp+var_3C]
		ja	short loc_4778B1
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, dword_6D35B8
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		mov	eax, [ebp+var_3C]
		jz	short loc_4778B1
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		mov	eax, ds:_MmPfnDatabase
		lea	ebx, [eax+ecx*4]
		mov	[ebp+var_8C], ebx
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_37], al
		mov	[ebp+var_CC], 0
		lea	ecx, [ebx+10h]
		mov	[ebp+var_90], ecx
		lock bts dword ptr [ecx], 1Fh
		jnb	short loc_47797D
		lea	edi, [ebx+10h]
		jmp	short loc_477960
; 
		align 10h

loc_477960:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+38Bj
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+39Ej ...
		lea	ecx, [ebp+var_CC]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_477960
		lock bts dword ptr [edi], 1Fh
		jb	short loc_477960
		mov	edi, [ebp+var_5C]
		lea	ecx, [ebx+10h]

loc_47797D:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+386j
		mov	[ebp+var_54], 0
		mov	[ebp+var_50], 0
		mov	eax, [ebp+var_3C]
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[ebp+var_74], eax
		mov	[ebp+var_EC], edx
		mov	[ebp+var_E8], eax
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	loc_478259
		mov	eax, edx
		and	eax, 200h
		or	eax, 0
		jnz	loc_478259
		nop
		mov	eax, [ebp+var_74]
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		cmp	esi, edx
		jnz	loc_478259
		mov	edx, 1
		mov	ecx, ebx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	cl, [ebp+var_37]
		cmp	cl, 21h
		jz	loc_477C83
		mov	[ebp+var_36], cl
		mov	[ebp+var_9C], 0
		mov	edx, [ebx+4]
		or	edx, 80000000h
		mov	[ebp+var_48], edx
		mov	al, [ebx+16h]
		lea	esi, [ebx+10h]
		test	al, 20h
		jz	short loc_477A6C
		mov	edi, 7FFFFFFFh
		mov	edi, edi

loc_477A20:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+494j
		lock and [esi],	edi
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[ebp+var_9C], 0
		mov	al, [ebx+16h]
		mov	[ebp+var_35], al
		test	al, 20h
		jz	short loc_477A55
		lea	ecx, [ecx+0]

loc_477A40:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+483j
		lea	ecx, [ebp+var_9C]
		call	KeYieldProcessorEx
		mov	al, [ebx+16h]
		mov	[ebp+var_35], al
		test	al, 20h
		jnz	short loc_477A40

loc_477A55:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+46Bj
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	al, [ebx+16h]
		test	al, 20h
		mov	cl, [ebp+var_37]
		jnz	short loc_477A20
		mov	edi, [ebp+var_5C]
		mov	edx, [ebp+var_48]

loc_477A6C:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+447j
		or	al, 20h
		mov	[ebx+16h], al
		test	dword ptr [esi], 40000000h
		jnz	short loc_477A9B
		mov	ecx, [edx]
		nop
		mov	eax, [edx+4]
		mov	[ebp+var_50], eax
		and	ecx, 20h
		or	ecx, 0
		jnz	short loc_477A9B
		mov	byte ptr [ebp+var_74], cl
		push	[ebp+var_74]
		lea	edx, [ecx+1]
		mov	ecx, [ebp+var_48]
		call	_MiWriteValidPteVolatile@12 ; MiWriteValidPteVolatile(x,x,x)

loc_477A9B:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+4A7j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+4B8j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		jmp	loc_477C8C
; 

loc_477AA8:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+28Fj
		mov	ebx, 4
		mov	ecx, [ebp+var_58]
		cmp	ecx, dword_6D07B0
		ja	short loc_477B00
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, dword_6D35B8
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_477B00
		mov	eax, [ebp+var_58]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		movzx	eax, byte ptr [eax+ecx*4+16h]
		shr	eax, 6
		test	eax, eax
		jz	short loc_477AFB
		cmp	eax, 3
		jz	short loc_477AFB
		cmp	eax, 2
		jnz	short loc_477B00
		lea	ebx, [eax+1Ah]
		jmp	short loc_477B00
; 

loc_477AFB:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+51Aj
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+51Fj
		mov	ebx, 0Ch

loc_477B00:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+4E6j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+4FDj ...
		or	ebx, 0A0000000h
		push	ebx
		mov	edx, [ebp+var_58]
		mov	ecx, esi
		call	MiMakeValidPte
		mov	ebx, eax
		mov	[ebp+var_50], edx
		mov	[ebp+var_50], edx
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_477B74
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_477B4C
		mov	ecx, 1
		cmp	byte ptr word_6D07B8+1,	0
		jnz	short loc_477B76
		mov	eax, ebx
		and	eax, ecx
		or	eax, 0
		jz	short loc_477B76
		or	edx, 80000000h
		jmp	short loc_477B76
; 

loc_477B4C:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+55Bj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_477B74
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	short loc_477B74
		or	edx, 80000000h

loc_477B74:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+552j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+592j ...
		xor	ecx, ecx

loc_477B76:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+569j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+572j ...
		mov	[esi+4], edx
		nop
		mov	[esi], ebx
		test	ecx, ecx
		jz	short loc_477B89
		push	edx
		push	ebx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_477B89:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+5AEj
		mov	eax, esi
		shl	eax, 9
		mov	ebx, [ebp+var_48]
		lea	ecx, [ebx+eax]
		mov	[ebp+var_48], ecx
		cmp	[ebp+var_60], 0
		jz	short loc_477BCD
		test	ebx, ebx
		jz	short loc_477BB0
		push	ebx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, [ebp+var_48]

loc_477BB0:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+5CFj
		mov	eax, 1000h
		mov	edx, [ebp+var_3C]
		sub	eax, edx
		sub	eax, ebx
		jz	short loc_477BD0
		push	eax		; size_t
		push	0		; int
		lea	eax, [edx+ecx]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_477BCD:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+5CBj
		mov	edx, [ebp+var_3C]

loc_477BD0:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+5ECj
		xor	ebx, ebx
		mov	[ebp+var_78], ebx
		mov	[ebp+var_4], ebx
		push	edx		; size_t
		push	[ebp+var_C0]	; void *
		push	[ebp+var_48]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_477C57
; 

loc_477BF3:				; DATA XREF: .text:006A11CCo
		mov	edx, [ebp-14h]
		lea	ecx, [ebp-78h]
		call	_MiMapCacheExceptionFilter@8 ; MiMapCacheExceptionFilter(x,x)
		retn
; 

loc_477BFF:				; DATA XREF: .text:006A11D0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-78h]
		mov	esi, [ebp-0C4h]
		mov	eax, [ebp-0C8h]
		mov	[ebp-7Ch], eax
		mov	eax, [ebp-0DCh]
		mov	[ebp-88h], eax
		mov	eax, [ebp-0E0h]
		mov	[ebp-44h], eax
		mov	eax, [ebp-0E4h]
		mov	[ebp-70h], eax
		mov	eax, [ebp-8Ch]
		mov	[ebp-98h], eax
		mov	eax, [ebp-90h]
		mov	[ebp-58h], eax
		mov	eax, [ebp-74h]
		mov	[ebp-40h], eax
		mov	edi, [ebp-5Ch]

loc_477C57:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+621j
		push	1
		mov	edx, esi
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		test	ebx, ebx
		jns	loc_477898
		mov	ecx, edi
		call	_MiLockAndInsertPageInFreeList@4 ; MiLockAndInsertPageInFreeList(x)
		mov	eax, [ebp+var_84]
		mov	[eax], ebx
		xor	eax, eax
		jmp	loc_477751
; 

loc_477C83:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+420j
		mov	dl, 21h
		mov	ecx, ebx
		call	_MiLockOwnedProtoPage@8	; MiLockOwnedProtoPage(x,x)

loc_477C8C:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+4D3j
		test	ebx, ebx
		jz	loc_478270
		mov	[ebp+var_54], 0
		mov	[ebp+var_50], 0
		mov	esi, [ebp+var_40]
		mov	ecx, [esi]
		nop
		mov	edx, [esi+4]
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], edx
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	loc_47823E
		mov	eax, ecx
		and	eax, 800h
		or	eax, 0
		jz	short loc_477CDB
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jz	loc_47823E

loc_477CDB:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+6F9j
		nop
		shrd	ecx, edx, 5
		and	ecx, 1Fh
		cmp	[ebp+var_44], ecx
		jnz	loc_47823E
		mov	[ebp+var_D0], 0
		lea	ebx, [edi+10h]
		lock bts dword ptr [ebx], 1Fh
		jnb	short loc_477D17

loc_477D00:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+73Ej
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+745j
		lea	ecx, [ebp+var_D0]
		call	KeYieldProcessorEx
		cmp	dword ptr [ebx], 0
		jl	short loc_477D00
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_477D00

loc_477D17:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+72Ej
		mov	eax, [esi]
		nop
		mov	ecx, [esi+4]
		mov	[edi+8], eax
		mov	[edi+0Ch], ecx
		or	dword ptr [edi+18h], 80000000h
		mov	eax, [ebp+var_44]
		test	eax, eax
		jnz	short loc_477D36
		lea	esi, [eax+3]
		jmp	short loc_477D5D
; 

loc_477D36:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+75Fj
		cmp	eax, 1Fh
		jnz	short loc_477D40
		lea	esi, [eax-1Eh]
		jmp	short loc_477D5D
; 

loc_477D40:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+769j
		mov	esi, eax
		shr	esi, 3
		cmp	esi, 3
		jnz	short loc_477D55
		test	al, 7
		jz	short loc_477D55
		mov	esi, 2
		jmp	short loc_477D5D
; 

loc_477D55:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+778j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+77Cj
		dec	esi
		neg	esi
		sbb	esi, esi
		and	esi, 1

loc_477D5D:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+764j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+76Ej ...
		mov	eax, 1
		mov	[edi+14h], ax
		mov	[ebp+var_54], 0
		mov	[ebp+var_50], 0
		mov	eax, [ebp+var_3C]
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[ebp+var_F4], edx
		mov	[ebp+var_F0], eax
		nop
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		mov	eax, [edi+18h]
		xor	eax, edx
		and	eax, offset loc_7FFFFF
		xor	[edi+18h], eax
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+ecx*4]
		mov	eax, large fs:124h
		mov	ebx, [eax+304h]
		test	ebx, 100h
		jz	short loc_477DD8
		and	ebx, 0E00h
		shr	ebx, 9
		jmp	short loc_477E00
; 

loc_477DD8:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+7FBj
		mov	ebx, [eax+2FCh]
		shr	ebx, 0Ch
		and	ebx, 7
		mov	eax, [eax+150h]
		test	dword ptr [eax+0FCh], 100000h
		jz	short loc_477E00
		cmp	ebx, 2
		jb	short loc_477E00
		mov	ebx, 2

loc_477E00:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+806j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+824j ...
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_D4], 0
		lea	eax, [ecx+10h]
		mov	[ebp+var_44], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_477E43
		mov	edi, eax
		nop

loc_477E20:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+85Ej
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+865j
		lea	ecx, [ebp+var_D4]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_477E20
		lock bts dword ptr [edi], 1Fh
		jb	short loc_477E20
		mov	edi, [ebp+var_5C]
		mov	ebx, [ebp+var_A0]
		mov	eax, [ebp+var_44]

loc_477E43:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+84Bj
		mov	edx, [eax]
		mov	ecx, edx
		and	ecx, 3FFFFFFFh
		inc	ecx
		mov	eax, edx
		xor	eax, ecx
		and	eax, 3FFFFFFFh
		xor	eax, edx
		mov	ecx, [ebp+var_44]
		mov	[ecx], eax
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, [edi+16h]
		movzx	eax, cl
		shr	eax, 6
		cmp	eax, esi
		jz	short loc_477E81
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	MiChangePageAttribute
		mov	cl, [edi+16h]

loc_477E81:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+8A1j
		mov	eax, [edi+10h]
		and	eax, 0C0000001h
		or	eax, 1
		mov	[edi+10h], eax
		mov	al, [edi+17h]
		and	al, 0F8h
		or	al, bl
		mov	[edi+17h], al
		mov	eax, [ebp+var_40]
		mov	[edi+4], eax
		and	cl, 0FEh
		or	cl, 6
		mov	[edi+16h], cl
		mov	al, cl
		or	al, 10h
		mov	[edi+16h], al
		test	[ebp+arg_8], 2
		jz	short loc_477ED1
		mov	cl, [edi+17h]
		test	cl, 8
		jnz	short loc_477EC8
		movzx	eax, cl
		and	eax, 7
		cmp	eax, 2
		jbe	short loc_477ED1

loc_477EC8:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+8EBj
		and	cl, 0FAh
		or	cl, 2
		mov	[edi+17h], cl

loc_477ED1:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+8E3j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+8F6j
		mov	eax, [ebp+var_7C]
		test	byte ptr [eax+1Ch], 20h
		jnz	short loc_477EE5
		cmp	dword ptr [eax+20h], 0
		jz	short loc_477EE5
		mov	edi, [ebp+var_70]
		jmp	short loc_477EE7
; 

loc_477EE5:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+908j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+90Ej
		xor	edi, edi

loc_477EE7:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+913j
		lea	esi, [eax+24h]
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		test	ds:byte_70EFC6,	21h
		jz	short loc_477F08
		mov	dl, bl
		mov	ecx, esi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	short loc_477F6D
; 

loc_477F08:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+92Bj
		mov	[ebp+var_94], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_477F28
		mov	dl, bl
		mov	ecx, esi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+var_94], eax

loc_477F28:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+947j
		mov	edx, [esi]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jz	short loc_477F6D

loc_477F38:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+99Bj
		test	edx, 40000000h
		jnz	short loc_477F52
		mov	ecx, edx
		or	ecx, 40000000h
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_477F5F

loc_477F52:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+96Ej
		lea	ecx, [ebp+var_94]
		call	KeYieldProcessorEx
		mov	eax, [esi]

loc_477F5F:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+980j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_477F38

loc_477F6D:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+936j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+966j
		mov	eax, [ebp+var_7C]
		inc	dword ptr [eax+10h]
		test	edi, edi
		jz	short loc_477F7A
		inc	dword ptr [edi+40h]

loc_477F7A:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+9A5j
		test	ds:byte_70EFC6,	1
		jz	short loc_477F8F
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	short loc_477F95
; 

loc_477F8F:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+9B1j
		mov	dword ptr [esi], 0

loc_477F95:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+9BDj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_98]
		and	edx, 1Fh
		mov	esi, ds:_MmProtectToPteMask[edx*8]
		and	esi, 0F7Fh
		mov	edi, ds:dword_40B4DC[edx*8]
		and	edi, 0FFFFFFE0h
		mov	ecx, [ebp+var_58]
		and	ecx, 1FFFFFFh
		xor	eax, eax
		shld	eax, ecx, 0Ch
		shl	ecx, 0Ch
		or	esi, ecx
		or	edi, eax
		or	esi, 121h
		and	dl, 5
		cmp	dl, 4
		jnz	short loc_477FE4
		or	esi, 42h

loc_477FE4:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+A0Fj
		and	esi, 0FFFFFEFFh
		mov	[ebp+var_6C], esi
		mov	[ebp+var_68], edi
		mov	edx, esi
		mov	ecx, edi
		xor	ebx, ebx
		cmp	dword_6D07D0, 0C0000000h
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	[ebp+var_40], 0C0603000h
		jb	short loc_478063
		cmp	[ebp+var_40], eax
		jnb	short loc_478063
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_478045
		mov	ebx, 1
		cmp	byte ptr word_6D07B8+1,	0
		jnz	short loc_478063

loc_47802F:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+A91j
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_478063
		mov	edx, esi
		mov	ecx, edi
		or	ecx, 80000000h
		jmp	short loc_478063
; 

loc_478045:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+A4Fj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	esi, [ebp+var_6C]
		mov	edi, [ebp+var_68]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_47802F

loc_478063:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+A41j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+A46j ...
		mov	eax, [ebp+var_40]
		mov	[eax+4], ecx
		nop
		mov	[eax], edx
		test	ebx, ebx
		jz	short loc_478079
		push	ecx
		push	edx
		mov	ecx, eax
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_478079:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+A9Ej
		xor	edx, edx
		cmp	dword_6D07D0, 0C0000000h
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		mov	ebx, [ebp+var_80]
		cmp	ebx, 0C0603000h
		jb	short loc_4780F0
		cmp	ebx, eax
		jnb	short loc_4780F0
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_4780C0
		mov	edx, 1
		cmp	byte ptr word_6D07B8+1,	0
		jnz	short loc_4780F0
		mov	eax, esi
		and	eax, edx
		or	eax, 0
		jz	short loc_4780F0
		jmp	short loc_4780EA
; 

loc_4780C0:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+AD5j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_4780F0
		mov	ecx, [ebp+var_6C]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_4780F0
		mov	esi, ecx
		mov	edi, [ebp+var_68]

loc_4780EA:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+AEEj
		or	edi, 80000000h

loc_4780F0:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+AC8j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+ACCj ...
		mov	[ebx+4], edi
		nop
		mov	[ebx], esi
		test	edx, edx
		jz	short loc_478103
		push	edi
		push	esi
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_478103:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+B28j
		mov	esi, [ebp+var_5C]
		cmp	[ebp+var_60], 0
		jz	short loc_47813F
		xor	eax, eax
		mov	[ebp+var_BC], eax
		mov	[ebp+var_B8], eax
		mov	[ebp+var_B4], eax
		mov	[ebp+var_B0], eax
		mov	[ebp+var_AC], eax
		mov	[ebp+var_A8], eax
		lea	edx, [ebp+var_BC]
		mov	ecx, esi
		call	_MiIdentifyPfn@8 ; MiIdentifyPfn(x,x)

loc_47813F:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+B3Aj
		mov	ecx, esi
		call	MiDecrementShareCount
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	[ebp+var_D8], 0
		mov	ebx, [ebp+var_90]
		lock bts dword ptr [ebx], 1Fh
		jnb	short loc_478187
		jmp	short loc_478170
; 
		align 10h

loc_478170:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+B98j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+BAEj ...
		lea	ecx, [ebp+var_D8]
		call	KeYieldProcessorEx
		cmp	dword ptr [ebx], 0
		jl	short loc_478170
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_478170

loc_478187:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+B96j
		mov	edi, [ebp+var_8C]
		mov	al, [edi+16h]
		and	al, 0DFh
		mov	[edi+16h], al
		mov	ecx, edi
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		test	eax, eax
		jz	short loc_4781C3
		mov	esi, edi
		sub	esi, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	esi
		lea	eax, [esi+edx]
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		mov	ecx, edi
		call	MiPfnReferenceCountIsZero

loc_4781C3:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+BCEj
		mov	eax, 7FFFFFFFh
		lock and [ebx],	eax
		mov	cl, [ebp+var_36]
		cmp	cl, 21h
		jz	short loc_4781D9
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4781D9:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+C01j
		mov	eax, [ebp+var_84]
		mov	dword ptr [eax], 0
		cmp	[ebp+var_60], 0
		jz	short loc_47822C
		or	[ebp+var_AC], 4
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_28], 0
		push	11401B02h
		push	282h
		push	20000001h
		mov	edx, 1
		lea	ecx, [ebp+var_34]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_47822C:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+C19j
		mov	eax, [ebp+var_88]
		neg	eax
		sbb	eax, eax
		and	eax, 4
		jmp	loc_477751
; 

loc_47823E:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+6E9j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+705j ...
		mov	dl, [ebp+var_36]
		mov	ecx, ebx
		call	MiUnlockProtoPoolPage
		mov	ecx, edi
		call	_MiLockAndInsertPageInFreeList@4 ; MiLockAndInsertPageInFreeList(x)
		mov	eax, 1
		jmp	loc_477751
; 

loc_478259:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+3E2j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+3F2j ...
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	al, [ebp+var_37]
		cmp	al, 21h
		jz	short loc_478270
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_478270:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+304j
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+314j ...
		mov	ecx, edi
		call	_MiLockAndInsertPageInFreeList@4 ; MiLockAndInsertPageInFreeList(x)
		mov	eax, 1
		jmp	loc_477751
; 

loc_478281:				; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+270j
		mov	ecx, eax
		jmp	loc_477830
_MiMakePageAvoidRead@28	endp

; 
		align 10h

; __stdcall MiWalkEntireImage(x, x, x, x)
_MiWalkEntireImage@16:			; CODE XREF: MiRelocateImage+54Ap
					; PAGE:00793A96p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		mov	eax, [ebp+0Ch]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp-0D4h], edx
		mov	ecx, [ebp+8]
		mov	[ebp-0A0h], eax
		and	ecx, 8
		xor	eax, eax
		mov	[ebp-68h], edi
		mov	edx, [edi+1Ch]
		mov	ebx, [edi+38h]
		mov	esi, [edi]
		mov	dword ptr [ebp-0BCh], 0
		mov	[ebp-0F4h], eax
		mov	[ebp-0F0h], eax
		mov	[ebp-0ECh], eax
		mov	[ebp-0C0h], ebx
		mov	[ebp-0E8h], esi
		mov	[ebp-0D0h], ecx
		test	edx, 40000000h
		jz	loc_4783F0
		test	ecx, ecx
		jnz	loc_4783F0
		mov	eax, 2
		mov	[ebp-50h], eax

loc_478316:				; CODE XREF: .text:004783FDj
		mov	dword ptr [ebp-90h], 0
		mov	dword ptr [ebp-8Ch], 0

loc_47832A:				; CODE XREF: .text:0047844Aj
		mov	ecx, large fs:124h
		mov	byte ptr [ebp-60h], 21h
		mov	dword ptr [ebp-7Ch], 0FFFFFFFFh
		mov	dword ptr [ebp-0ACh], 0
		mov	ecx, [ecx+80h]
		mov	[ebp-0D8h], ecx
		lea	ecx, [edi+50h]
		mov	[ebp-6Ch], ecx
		mov	ecx, [ecx+4]
		mov	[ebp-0CCh], ecx
		xor	ecx, ecx
		mov	[ebp-78h], ecx
		mov	[ebp-58h], ecx
		mov	[ebp-98h], ecx
		mov	ecx, large fs:124h
		mov	[ebp-0C8h], ecx
		test	edx, 4000000h
		jz	short loc_4783A6
		dec	word ptr [ecx+13Eh]
		or	eax, 4
		mov	[ebp-50h], eax
		nop
		lea	ecx, [esi+1Ch]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	dword ptr [ebp-0ACh], 20000h

loc_4783A6:				; CODE XREF: .text:00478382j
		test	ds:_MiFlags, 4000h
		jz	loc_47844F
		test	dword ptr [edi+34h], 0C0000h
		jz	loc_47844F
		cmp	dword ptr [ebx+18h], 0
		jnz	loc_47844F
		mov	ecx, ebx
		call	_MiGetSectionStrongImageReference@4 ; MiGetSectionStrongImageReference(x)
		mov	ecx, eax
		mov	[ebp-78h], ecx
		test	ecx, ecx
		jns	short loc_47844F
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4783F0:				; CODE XREF: .text:00478300j
					; .text:00478308j
		mov	eax, edx
		shr	eax, 0Ah
		and	eax, 2
		mov	[ebp-50h], eax
		test	ecx, ecx
		jz	loc_478316
		shr	edx, 14h
		mov	ecx, offset unk_6D5EE4
		and	edx, 3Fh
		push	edx
		lea	edx, [ebp-0F4h]
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		xor	edx, edx
		mov	ecx, edi
		call	_MiGetNextDirectFixupProto@8 ; MiGetNextDirectFixupProto(x,x)
		mov	edx, eax
		mov	ecx, [eax+4]
		or	ecx, 80000000h
		mov	[ebp-90h], ecx
		mov	ecx, edi
		call	_MiGetNextDirectFixupProto@8 ; MiGetNextDirectFixupProto(x,x)
		mov	edx, [edi+1Ch]
		mov	[ebp-8Ch], eax
		mov	eax, [ebp-50h]
		mov	[ebp-50h], eax
		jmp	loc_47832A
; 

loc_47844F:				; CODE XREF: .text:004783B0j
					; .text:004783BDj ...
		mov	bl, [ebp-60h]
		lea	edx, [edi+50h]
		mov	esi, [ebp-50h]
		mov	[ebp-49h], bl
		jmp	short loc_478460
; 
		align 10h

loc_478460:				; CODE XREF: .text:0047845Bj
					; .text:0047892Fj
		mov	eax, [edx+8]
		mov	[ebp-0E4h], eax
		mov	eax, [edx+4]
		mov	ecx, eax
		sub	ecx, [ebp-0CCh]
		sar	ecx, 3
		test	byte ptr [edx+12h], 2
		mov	[ebp-54h], eax
		mov	[ebp-5Ch], ecx
		jz	short loc_4784C7
		mov	ecx, [ebp+8]
		test	cl, 1
		jnz	loc_478922
		test	dword ptr [edi+1Ch], 4000000h
		jz	short loc_4784C7
		test	cl, 0Ah
		jnz	loc_478922
		cmp	dword ptr [edx+0Ch], 0
		jz	loc_478922
		push	edx
		mov	edx, [ebp-0A0h]
		mov	ecx, edi
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		test	eax, eax
		jz	loc_478922
		mov	eax, [eax+24h]
		mov	[ebp-54h], eax

loc_4784C7:				; CODE XREF: .text:00478481j
					; .text:00478496j
		push	dword ptr [ebp-0A0h]
		mov	edi, [ebp-6Ch]
		mov	edx, eax
		mov	ecx, edi
		call	MiStartingOffset
		mov	ecx, [edi+1Ch]
		mov	edi, [ebp-54h]
		mov	[ebp-70h], eax
		mov	[ebp-74h], edx
		lea	eax, [edi+ecx*8]
		mov	ecx, [ebp-90h]
		mov	[ebp-94h], eax
		test	ecx, ecx
		jz	short loc_47851F
		cmp	ecx, eax
		jnb	loc_47891F
		mov	eax, ecx
		sub	eax, edi
		mov	edi, ecx
		sar	eax, 3
		add	[ebp-5Ch], eax
		shl	eax, 0Ch
		cdq
		add	[ebp-70h], eax
		mov	eax, [ebp-94h]
		adc	[ebp-74h], edx
		mov	[ebp-54h], edi

loc_47851F:				; CODE XREF: .text:004784F6j
		mov	dword ptr [ebp-0C4h], 0
		cmp	edi, eax
		jnb	loc_4788B3

loc_478531:				; CODE XREF: .text:004788ADj
		mov	eax, edi
		and	eax, 0FFFh
		mov	[ebp-84h], eax
		jz	short loc_47854F
		cmp	dword ptr [ebp-58h], 0
		jz	short loc_47855F
		mov	ebx, esi
		shr	ebx, 1
		jmp	loc_4785DC
; 

loc_47854F:				; CODE XREF: .text:0047853Ej
		mov	eax, [ebp-58h]
		test	eax, eax
		jz	short loc_47855F
		mov	dl, bl
		mov	ecx, eax
		call	MiUnlockProtoPoolPage

loc_47855F:				; CODE XREF: .text:00478544j
					; .text:00478554j
		mov	ecx, [ebp-54h]
		lea	edx, [ebp-60h]
		mov	ebx, esi
		shr	ebx, 1
		mov	edi, ebx
		and	edi, 1
		jz	short loc_47857C
		call	MiLockProtoPoolPage
		mov	edx, eax
		mov	[ebp-58h], edx
		jmp	short loc_478586
; 

loc_47857C:				; CODE XREF: .text:0047856Ej
		call	MiCheckProtoPtePageState
		mov	edx, eax
		mov	[ebp-58h], eax

loc_478586:				; CODE XREF: .text:0047857Aj
		test	edx, edx
		jnz	short loc_4785D6
		test	edi, edi
		jz	short loc_4785A5
		push	edx
		push	edx
		push	dword ptr [ebp-54h]
		push	2
		call	MmAccessFault
		mov	bl, [ebp-60h]
		mov	[ebp-49h], bl
		jmp	loc_4788A4
; 

loc_4785A5:				; CODE XREF: .text:0047858Cj
		mov	ebx, [ebp-54h]
		mov	ecx, 1000h
		sub	ecx, [ebp-84h]
		shr	ecx, 3
		mov	eax, ecx
		shl	eax, 0Ch
		add	[ebp-70h], eax
		lea	ebx, [ebx+ecx*8]
		adc	dword ptr [ebp-74h], 0
		add	[ebp-5Ch], ecx
		mov	[ebp-54h], ebx
		mov	bl, [ebp-60h]
		mov	[ebp-49h], bl
		jmp	loc_4788A4
; 

loc_4785D6:				; CODE XREF: .text:00478588j
		mov	al, [ebp-60h]
		mov	[ebp-49h], al

loc_4785DC:				; CODE XREF: .text:0047854Aj
		mov	ecx, [ebp-54h]
		xor	edx, edx
		call	MiLockLeafPage
		mov	edi, eax
		mov	[ebp-88h], edi
		test	edi, edi
		jnz	loc_4786D2
		test	bl, 1
		jz	loc_4787BB
		mov	eax, [ebp-54h]
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		mov	[ebp-0B8h], ecx
		and	ecx, 400h
		or	ecx, edi
		mov	[ebp-0B4h], eax
		jnz	loc_4787BB
		lea	ecx, [ebp-0B8h]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		mov	bl, [ebp-49h]
		test	eax, eax
		jz	loc_4787BE
		mov	ecx, [ebp-58h]
		mov	dl, bl
		call	MiUnlockProtoPoolPage
		test	byte ptr [ebp+8], 2
		mov	[ebp-58h], edi
		jz	short loc_478661
		mov	ecx, [ebp-0C0h]
		mov	edx, [ebp-5Ch]
		call	_MiPageHasRelocations@8	; MiPageHasRelocations(x,x)
		test	eax, eax
		jz	loc_4787BE

loc_478661:				; CODE XREF: .text:00478649j
		mov	edi, [ebp-5Ch]
		mov	ecx, [ebp-0C8h]
		shl	edi, 0Ch
		call	_MiGetEffectivePagePriorityThread@4 ; MiGetEffectivePagePriorityThread(x)
		cmp	eax, 5
		jbe	short loc_47867C
		mov	eax, 5

loc_47867C:				; CODE XREF: .text:00478675j
		mov	ecx, [ebp-54h]
		cmp	ecx, [ebp-0C4h]
		jnz	short loc_47868E
		mov	edx, 1000h
		jmp	short loc_4786A2
; 

loc_47868E:				; CODE XREF: .text:00478685j
		mov	edx, [ebp-94h]
		sub	edx, ecx
		mov	[ebp-0C4h], ecx
		sar	edx, 3
		shl	edx, 0Ch

loc_4786A2:				; CODE XREF: .text:0047868Cj
		mov	ecx, [ebp-68h]
		push	0
		push	edi
		push	dword ptr [ebp-0A0h]
		push	2
		push	eax
		call	_MiPrefetchControlArea@28 ; MiPrefetchControlArea(x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_4786C8
		push	offset _MiShortTime
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)

loc_4786C8:				; CODE XREF: .text:004786B8j
		xor	ecx, ecx
		mov	[ebp-78h], ecx
		jmp	loc_4788A4
; 

loc_4786D2:				; CODE XREF: .text:004785F0j
		mov	ecx, [ebp-54h]
		mov	dword ptr [ebp-0A8h], 0
		mov	dword ptr [ebp-0A4h], 0
		mov	eax, [ecx]
		mov	[ebp-64h], eax
		nop
		mov	ecx, [ecx+4]
		mov	edx, eax
		and	edx, 1
		mov	[ebp-0B8h], eax
		mov	eax, edx
		mov	[ebp-0B4h], ecx
		or	eax, 0
		mov	[ebp-0A4h], edx
		jz	short loc_47871F
		nop
		mov	eax, [ebp-64h]
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		jmp	short loc_478782
; 

loc_47871F:				; CODE XREF: .text:0047870Ej
		mov	eax, [ebp-64h]
		mov	edx, eax
		mov	esi, dword_6D0704
		mov	[ebp-64h], eax
		mov	eax, dword_6D0700
		mov	[ebp-84h], eax
		or	eax, esi
		mov	[ebp-9Ch], esi
		mov	esi, [ebp-50h]
		mov	[ebp-80h], ecx
		jz	short loc_478770
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_478769
		mov	eax, [ebp-84h]
		mov	ecx, [ebp-9Ch]
		not	eax
		not	ecx
		and	eax, edx
		and	ecx, [ebp-80h]
		jmp	short loc_478773
; 

loc_478769:				; CODE XREF: .text:00478750j
		mov	ecx, [ebp-80h]
		mov	eax, edx
		jmp	short loc_478773
; 

loc_478770:				; CODE XREF: .text:00478746j
		mov	eax, [ebp-64h]

loc_478773:				; CODE XREF: .text:00478767j
					; .text:0047876Ej
		mov	edx, [ebp-0A4h]
		shrd	eax, ecx, 0Ch
		and	eax, 3FFFFFFh

loc_478782:				; CODE XREF: .text:0047871Dj
		mov	[ebp-64h], eax
		mov	eax, [ebp+8]
		test	al, 4
		jz	short loc_4787DA
		mov	ecx, edi
		call	_MiIsPfnSystemCharged@4	; MiIsPfnSystemCharged(x)
		test	eax, eax
		jz	short loc_4787B0
		mov	edx, dword_6CF578
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4787A9
		dec	dword ptr [edx+74h]

loc_4787A9:				; CODE XREF: .text:004787A4j
		dec	dword ptr [edx+78h]
		and	byte ptr [edi+17h], 0DFh

loc_4787B0:				; CODE XREF: .text:00478795j
					; .text:004787F2j ...
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_4787BB:				; CODE XREF: .text:004785F9j
					; .text:0047861Cj ...
		mov	bl, [ebp-49h]

loc_4787BE:				; CODE XREF: .text:00478632j
					; .text:0047865Bj ...
		mov	edi, [ebp-54h]
		inc	dword ptr [ebp-5Ch]
		add	edi, 8
		add	dword ptr [ebp-70h], 1000h
		mov	[ebp-54h], edi
		adc	dword ptr [ebp-74h], 0
		jmp	loc_4788A7
; 

loc_4787DA:				; CODE XREF: .text:0047878Aj
		and	eax, 1
		mov	[ebp-0A4h], eax
		jz	short loc_4787F4
		mov	eax, [edi+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jz	short loc_4787B0

loc_4787F4:				; CODE XREF: .text:004787E3j
		mov	eax, [edi+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_478806
		test	bl, 1
		jz	short loc_4787B0

loc_478806:				; CODE XREF: .text:004787FFj
		mov	cl, [edi+17h]
		test	cl, 10h
		jnz	short loc_4787B0
		mov	eax, edx
		or	eax, 0
		jnz	loc_47893A
		test	byte ptr [edi+16h], 20h
		jz	loc_47893A
		push	40h
		push	eax
		lea	eax, [ebp-48h]
		push	eax
		call	_memset
		add	esp, 0Ch
		test	byte ptr [ebp+8], 2
		jz	short loc_478854
		mov	eax, [ebp-68h]
		test	byte ptr [eax+1Ch], 2
		jnz	short loc_478854
		mov	ecx, [ebp-54h]
		mov	edx, edi
		push	1
		push	21h
		call	MiDeleteTransitionPte
		jmp	loc_4787BB
; 

loc_478854:				; CODE XREF: .text:00478836j
					; .text:0047883Fj
		lea	eax, [ebp-48h]
		xor	edx, edx
		push	eax
		push	0
		push	0
		xor	ecx, ecx
		call	_MiInitializePageFaultPacket@20	; MiInitializePageFaultPacket(x,x,x,x,x)
		mov	ebx, [ebp-58h]
		mov	edx, 1
		mov	ecx, ebx
		mov	dword ptr [ebp-0BCh], 1
		call	_MiObtainProtoReference@8 ; MiObtainProtoReference(x,x)
		lea	eax, [ebp-0BCh]
		mov	edx, edi
		push	eax
		push	dword ptr [ebp-60h]
		lea	ecx, [ebp-48h]
		push	ebx
		call	MiWaitForCollidedFaultComplete
		mov	dword ptr [ebp-58h], 0
		mov	dword ptr [ebp-78h], 0

loc_4788A1:				; CODE XREF: .text:0047897Cj
		mov	bl, [ebp-49h]

loc_4788A4:				; CODE XREF: .text:004785A0j
					; .text:004785D1j ...
		mov	edi, [ebp-54h]

loc_4788A7:				; CODE XREF: .text:004787D5j
		cmp	edi, [ebp-94h]
		jb	loc_478531

loc_4788B3:				; CODE XREF: .text:0047852Bj
		mov	edi, [ebp-58h]
		test	edi, edi
		jz	short loc_4788CA
		mov	dl, bl
		mov	ecx, edi
		call	MiUnlockProtoPoolPage
		mov	dword ptr [ebp-58h], 0

loc_4788CA:				; CODE XREF: .text:004788B8j
		mov	edi, [ebp-68h]

loc_4788CD:				; CODE XREF: .text:00478E12j
		mov	eax, [ebp-7Ch]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_478922
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [eax+ecx*4]
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	bl, al
		mov	edx, offset _MiFreePageToSlabAllocator@12 ; MiFreePageToSlabAllocator(x,x,x)
		push	edi
		mov	ecx, offset _MiSystemPartition
		mov	[ebp-49h], bl
		mov	[ebp-60h], bl
		call	_MiEnumerateSlabAllocators@12 ;	MiEnumerateSlabAllocators(x,x,x)
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	dword ptr [ebp-7Ch], 0FFFFFFFFh

loc_47891F:				; CODE XREF: .text:004784FAj
		mov	edi, [ebp-68h]

loc_478922:				; CODE XREF: .text:00478489j
					; .text:0047849Bj ...
		mov	eax, [ebp-0E4h]
		mov	edx, eax
		mov	[ebp-6Ch], edx
		test	eax, eax
		jnz	loc_478460
		jmp	loc_478E50
; 

loc_47893A:				; CODE XREF: .text:00478813j
					; .text:0047881Dj
		or	edx, 0
		mov	dword ptr [ebp-80h], 8
		jnz	short loc_47898E
		test	cl, 8
		jz	short loc_478954
		movzx	ebx, cl
		and	ebx, 7
		mov	[ebp-80h], ebx

loc_478954:				; CODE XREF: .text:00478949j
		xor	edx, edx
		mov	ecx, edi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		test	eax, eax
		jnz	short loc_478987
		xor	edx, edx
		mov	ecx, edi
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		test	byte ptr [ebp-50h], 2
		mov	esi, [ebp-50h]
		jnz	loc_4788A1
		jmp	loc_4787BB
; 

loc_478987:				; CODE XREF: .text:0047895Fj
		and	dword ptr [edi+10h], 0C0000000h

loc_47898E:				; CODE XREF: .text:00478944j
		cmp	dword ptr [ebp-0A4h], 0
		jz	short loc_4789DC
		mov	eax, [edi+0Ch]
		mov	ecx, offset _MiSystemPartition
		mov	ebx, [ebp-6Ch]
		mov	edx, ebx
		push	eax
		mov	eax, [edi+8]
		push	eax
		push	0
		call	MiUseSlabAllocator
		test	eax, eax
		jz	short loc_4789DC
		mov	ecx, edi
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jz	short loc_4789D6
		movzx	eax, word ptr [ebx+10h]
		xor	edx, edx
		shr	eax, 1
		mov	ecx, edi
		and	eax, 1Fh
		push	eax
		call	_MiCheckSlabPage@12 ; MiCheckSlabPage(x,x,x)
		test	eax, eax
		jnz	short loc_4789DC

loc_4789D6:				; CODE XREF: .text:004789BDj
		or	dword ptr [ebp-50h], 10h
		jmp	short loc_4789E0
; 

loc_4789DC:				; CODE XREF: .text:00478995j
					; .text:004789B2j ...
		and	dword ptr [ebp-50h], 0FFFFFFEFh

loc_4789E0:				; CODE XREF: .text:004789DAj
		mov	edx, 1
		mov	ecx, edi
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	ecx, [ebp-58h]
		mov	dword ptr [ebp-0A4h], 0
		lea	esi, [ecx+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_478A36
		mov	edi, edi

loc_478A10:				; CODE XREF: .text:00478A1Fj
					; .text:00478A26j
		lea	ecx, [ebp-0A4h]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_478A10
		lock bts dword ptr [esi], 1Fh
		jb	short loc_478A10
		mov	edi, [ebp-88h]
		mov	bl, [ebp-60h]
		mov	ecx, [ebp-58h]
		jmp	short loc_478A39
; 

loc_478A36:				; CODE XREF: .text:00478A0Cj
		mov	bl, [ebp-49h]

loc_478A39:				; CODE XREF: .text:00478A34j
		mov	al, [ecx+16h]
		and	al, 0DFh
		mov	[ecx+16h], al
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		test	eax, eax
		jz	short loc_478A6F
		mov	ecx, [ebp-58h]
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		lea	eax, [ecx+edx]
		mov	ecx, [ebp-58h]
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	MiPfnReferenceCountIsZero

loc_478A6F:				; CODE XREF: .text:00478A48j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		cmp	bl, 21h
		jz	short loc_478A84
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_478A84:				; CODE XREF: .text:00478A7Aj
		and	dword ptr [ebp-50h], 0FFFFFFFEh
		cmp	dword ptr [ebp-0D0h], 0
		mov	dword ptr [ebp-58h], 0
		jz	short loc_478AF3
		mov	ecx, [ebp-0C0h]
		mov	edx, [ebp-5Ch]
		call	_MiPageHasRelocations@8	; MiPageHasRelocations(x,x)
		mov	ebx, [ebp-6Ch]
		test	eax, eax
		jz	loc_478B51
		push	dword ptr [ebp-64h]
		lea	edx, [ebp-0F4h]
		mov	ecx, ebx
		call	_MiSplitDirectMapPage@12 ; MiSplitDirectMapPage(x,x,x)
		mov	edx, eax
		mov	eax, [ebp-8Ch]
		shr	eax, 2
		xor	eax, [edi]
		and	eax, 1FFFFFFEh
		mov	[ebp-64h], edx
		xor	eax, [edi]
		lea	ecx, ds:0[edx*8]
		mov	[edi], eax
		sub	ecx, edx
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [eax+ecx*4]
		mov	[ebp-88h], edi
		jmp	short loc_478B51
; 

loc_478AF3:				; CODE XREF: .text:00478A96j
		mov	eax, [ebp+8]
		test	al, 2
		jz	loc_478CE8
		test	ds:_MiFlags, 4000h
		mov	ecx, [ebp-68h]
		jz	short loc_478B29
		test	dword ptr [ecx+34h], 0C0000h
		jz	short loc_478B29
		mov	eax, [edi+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jz	loc_478EF4

loc_478B29:				; CODE XREF: .text:00478B0Bj
					; .text:00478B14j
		mov	edx, [ebp-0D4h]
		push	4
		push	ecx
		push	0
		push	dword ptr [ebp-64h]
		push	dword ptr [ebp-5Ch]
		call	MiRelocateImagePfn
		mov	[ebp-78h], eax
		test	eax, eax
		jnz	loc_478CD0
		or	dword ptr [ebp-50h], 8

loc_478B4E:				; CODE XREF: .text:00478CEAj
		mov	ebx, [ebp-6Ch]

loc_478B51:				; CODE XREF: .text:00478AABj
					; .text:00478AF1j ...
		cmp	dword ptr [ebp-80h], 8
		jz	short loc_478B6B
		cmp	dword ptr [ebp-98h], 0
		jnz	short loc_478B6B
		call	_MiCreateDecayPfn@0 ; MiCreateDecayPfn()
		mov	[ebp-98h], eax

loc_478B6B:				; CODE XREF: .text:00478B55j
					; .text:00478B5Ej
		test	byte ptr [ebp-50h], 10h
		jz	short loc_478BA0
		cmp	dword ptr [ebp-7Ch], 0FFFFFFFFh
		jnz	short loc_478BA0
		push	dword ptr [ebp-0ACh]
		movzx	edx, word ptr [ebx+10h]
		mov	ecx, offset _MiSystemPartition
		push	0FFFFFFFFh
		shr	edx, 1
		push	0
		and	edx, 1Fh
		call	_MiGetSlabPage@20 ; MiGetSlabPage(x,x,x,x,x)
		mov	[ebp-7Ch], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_478BA0
		and	dword ptr [ebp-50h], 0FFFFFFEFh

loc_478BA0:				; CODE XREF: .text:00478B6Fj
					; .text:00478B75j ...
		xor	ebx, ebx
		mov	dword ptr [ebp-84h], 0
		mov	cl, 2
		mov	[ebp-9Ch], ebx
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	dl, al
		mov	[ebp-0DCh], ebx
		mov	[ebp-49h], dl
		lea	esi, [edi+10h]
		mov	[ebp-0E0h], dl
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_478BF6

loc_478BD5:				; CODE XREF: .text:00478BE4j
					; .text:00478BEBj
		lea	ecx, [ebp-0DCh]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_478BD5
		lock bts dword ptr [esi], 1Fh
		jb	short loc_478BD5
		mov	edi, [ebp-88h]
		mov	dl, [ebp-49h]

loc_478BF6:				; CODE XREF: .text:00478BD3j
		mov	eax, [ebp-50h]
		mov	[ebp-60h], dl
		test	al, 10h
		jz	short loc_478C0E
		test	dword ptr [esi], 40000000h
		jz	short loc_478C0E
		and	eax, 0FFFFFFEFh
		mov	[ebp-50h], eax

loc_478C0E:				; CODE XREF: .text:00478BFEj
					; .text:00478C06j
		test	byte ptr [ebp+8], 2
		jz	short loc_478C50
		mov	edx, [edi+8]
		nop
		mov	ecx, [edi+0Ch]
		mov	[ebp-0B8h], edx
		and	edx, 400h
		or	edx, ebx
		mov	[ebp-0B4h], ecx
		jnz	short loc_478C4D
		mov	ecx, edi
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	ebx, eax
		mov	[ebp-9Ch], edx
		mov	eax, [ebp-50h]
		mov	dword ptr [ebp-84h], offset _MiSystemPartition

loc_478C4D:				; CODE XREF: .text:00478C2Fj
		mov	dl, [ebp-49h]

loc_478C50:				; CODE XREF: .text:00478C12j
		test	al, 10h
		jz	short loc_478C78
		mov	cl, [edi+16h]
		and	cl, 7
		cmp	cl, 6
		jnz	short loc_478C78
		push	dword ptr [ebp-0ACh]
		mov	ecx, edi
		call	MiTrimSharedPage
		test	dword ptr [esi], 40000000h
		jz	short loc_478C78
		and	dword ptr [ebp-50h], 0FFFFFFEFh

loc_478C78:				; CODE XREF: .text:00478C52j
					; .text:00478C5Dj ...
		mov	ecx, edi
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		test	eax, eax
		jz	loc_478D2F
		cmp	dword ptr [ebp-80h], 8
		jz	loc_478D25
		test	byte ptr [edi+16h], 10h
		jnz	loc_478D25
		test	dword ptr [esi], 40000000h
		jnz	loc_478D25
		test	byte ptr [ebp-50h], 10h
		jnz	short loc_478D25
		push	dword ptr [ebp-0E0h]
		mov	ecx, [ebp-98h]
		lea	edx, [ebp-88h]
		push	1
		call	MiInsertAndUnlockStandbyPages
		mov	al, 21h
		mov	[ebp-49h], al
		mov	[ebp-60h], al
		jmp	short loc_478D2F
; 

loc_478CD0:				; CODE XREF: .text:00478B44j
		mov	ebx, [ebp-6Ch]
		cmp	eax, 1
		jnz	loc_478B51
		mov	dword ptr [ebp-78h], 0
		jmp	loc_478B51
; 

loc_478CE8:				; CODE XREF: .text:00478AF8j
		test	al, 10h
		jnz	loc_478B4E
		mov	ebx, [ebp-6Ch]
		mov	edx, [ebp-0D8h]
		push	4000000h
		push	dword ptr [ebp-64h]
		movzx	eax, word ptr [ebx+10h]
		shr	eax, 1
		and	eax, 1Fh
		push	eax
		push	ecx
		push	dword ptr [ebp-5Ch]
		mov	ecx, [ebp-68h]
		push	dword ptr [ebp-74h]
		push	dword ptr [ebp-70h]
		call	MiValidateImagePfn
		mov	[ebp-78h], eax
		jmp	loc_478B51
; 

loc_478D25:				; CODE XREF: .text:00478C8Bj
					; .text:00478C95j ...
		mov	edx, [ebp-64h]
		mov	ecx, edi
		call	MiPfnReferenceCountIsZero

loc_478D2F:				; CODE XREF: .text:00478C81j
					; .text:00478CCEj
		test	byte ptr [ebp-50h], 10h
		jz	short loc_478D88
		cmp	word ptr [edi+14h], 0
		jnz	short loc_478D88
		push	0
		mov	ecx, edi
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		push	eax
		mov	eax, [ebp-7Ch]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	edx, [eax+ecx*4]
		mov	ecx, edi
		call	_MiReplaceTransitionPage@16 ; MiReplaceTransitionPage(x,x,x,x)
		mov	eax, ds:_ZeroPte
		lea	ecx, [edi+8]
		mov	[ecx], eax
		mov	eax, ds:dword_40F9FC
		mov	dword ptr [ebp-7Ch], 0FFFFFFFFh
		mov	[ecx+4], eax
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		xor	edx, edx
		mov	ecx, edi
		call	_MiReturnFreeZeroPage@8	; MiReturnFreeZeroPage(x,x)

loc_478D88:				; CODE XREF: .text:00478D33j
					; .text:00478D3Aj
		cmp	byte ptr [ebp-49h], 21h
		jz	short loc_478D96
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax

loc_478D96:				; CODE XREF: .text:00478D8Cj
		mov	edx, [ebp-9Ch]
		mov	eax, ebx
		or	eax, edx
		jz	short loc_478DB4
		mov	ecx, [ebp-84h]
		push	edx
		push	ebx
		mov	edx, 1
		call	MiReleasePageFileInfo

loc_478DB4:				; CODE XREF: .text:00478DA0j
		mov	bl, [ebp-49h]
		cmp	bl, 21h
		jz	short loc_478DCC
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	bl, 21h
		mov	[ebp-49h], bl
		mov	[ebp-60h], bl

loc_478DCC:				; CODE XREF: .text:00478DBAj
		mov	ecx, [ebp-78h]
		test	ecx, ecx
		js	short loc_478E3D
		cmp	dword ptr [ebp-90h], 0
		jz	short loc_478E35
		mov	eax, [ebp-8Ch]
		mov	esi, eax
		test	eax, eax
		jz	short loc_478E50
		mov	edi, [ebp-68h]
		mov	edx, eax
		mov	ecx, edi
		call	_MiGetNextDirectFixupProto@8 ; MiGetNextDirectFixupProto(x,x)
		mov	ecx, [esi+4]
		mov	esi, [ebp-50h]
		or	ecx, 80000000h
		mov	[ebp-8Ch], eax
		mov	[ebp-90h], ecx
		cmp	ecx, [ebp-94h]
		jnb	loc_4788CD
		mov	eax, ecx
		sub	eax, [ebp-54h]
		sar	eax, 3
		add	[ebp-5Ch], eax
		shl	eax, 0Ch
		cdq
		add	[ebp-70h], eax
		mov	[ebp-54h], ecx
		adc	[ebp-74h], edx
		jmp	loc_4788A4
; 

loc_478E35:				; CODE XREF: .text:00478DDAj
		mov	esi, [ebp-50h]
		jmp	loc_4787BE
; 

loc_478E3D:				; CODE XREF: .text:00478DD1j
		xor	eax, eax
		cmp	ecx, 0C000009Ah
		setnz	al
		add	eax, 71h
		mov	dword_6CF4F4, eax

loc_478E50:				; CODE XREF: .text:00478935j
					; .text:00478DE6j
		mov	eax, [ebp-98h]
		test	eax, eax
		jz	short loc_478E61
		mov	ecx, eax
		call	MiDecayPfnFullyInitialized

loc_478E61:				; CODE XREF: .text:00478E58j
		test	byte ptr [ebp-50h], 4
		jz	short loc_478E99
		mov	esi, [ebp-0E8h]
		xor	edx, edx
		add	esi, 1Ch
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_478E87
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_478E87:				; CODE XREF: .text:00478E7Ej
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp-0C8h]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_478E99:				; CODE XREF: .text:00478E65j
		mov	eax, [ebp-7Ch]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_478EDE
		lea	esi, ds:0[eax*8]
		sub	esi, eax
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+esi*4]
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		push	esi
		mov	edx, offset _MiFreePageToSlabAllocator@12 ; MiFreePageToSlabAllocator(x,x,x)
		mov	ecx, offset _MiSystemPartition
		mov	bl, al
		call	_MiEnumerateSlabAllocators@12 ;	MiEnumerateSlabAllocators(x,x,x)
		lea	ecx, [esi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_478EDE:				; CODE XREF: .text:00478E9Fj
		mov	ecx, [ebp-4]
		mov	eax, [ebp-78h]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_478EF4:				; CODE XREF: .text:00478B23j
		push	ecx
		push	dword ptr [ebp-64h]
		push	0C0000002h
		push	0D8A18h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFinishHardFault(x, x, x, x)
_MiFinishHardFault@16 proc near		; CODE XREF: MiIssueHardFault(x,x)+345p
					; MiPfCompleteInPageSupport+65p

var_D0		= dword	ptr -0D0h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_55		= dword	ptr -55h
var_50		= dword	ptr -50h
var_4A		= byte ptr -4Ah
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_5C], eax
		mov	edi, edx
		mov	eax, [ebp+arg_4]
		mov	ebx, ecx
		push	40h		; size_t
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_48]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_5C]
		lea	eax, [ebx+14h]
		mov	[ebp+var_C0], eax
		add	esp, 0Ch
		mov	eax, [eax]
		mov	[ebp+var_88], eax
		mov	eax, [edx+40h]
		lea	ecx, [edx+0A8h]
		mov	esi, [edx+58h]
		mov	[ebp+var_9C], eax
		mov	eax, [edx+44h]
		mov	[ebp+var_A0], eax
		mov	eax, [edx+8Ch]
		mov	[ebp+var_78], eax
		mov	eax, [edx+98h]
		mov	[ebp+var_50], 0
		mov	[ebp+var_80], ecx
		test	eax, eax
		jz	short loc_478F9C
		mov	ecx, eax
		mov	[ebp+var_80], eax

loc_478F9C:				; CODE XREF: MiFinishHardFault(x,x,x,x)+85j
		lea	eax, [ecx+1Ch]
		mov	ecx, [ecx+18h]
		mov	[ebp+var_84], eax
		mov	[ebp+var_64], eax
		mov	eax, [ebp+var_80]
		add	ecx, [eax+10h]
		mov	eax, [eax+14h]
		and	ecx, 0FFFh
		add	eax, 0FFFh
		add	eax, ecx
		mov	ecx, [ebp+var_80]
		shr	eax, 0Ch
		add	eax, 6
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_7C], eax
		mov	eax, [edx+74h]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_478FE0
		mov	[ebp+var_8C], eax
		jmp	short loc_478FEC
; 

loc_478FE0:				; CODE XREF: MiFinishHardFault(x,x,x,x)+C6j
		add	eax, 7
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_8C], eax

loc_478FEC:				; CODE XREF: MiFinishHardFault(x,x,x,x)+CEj
		mov	eax, [edx+94h]
		mov	ecx, [ebp+var_88]
		mov	[ebp+var_70], eax
		mov	eax, [edx+5Ch]
		mov	[ebp+var_98], eax
		mov	eax, [edx+88h]
		mov	[ebp+var_A8], eax
		mov	eax, [edx+78h]
		test	eax, 100000h
		jnz	short loc_479029
		test	ecx, ecx
		jz	short loc_479029
		mov	[ebp+var_6C], 0
		test	al, 8
		jz	short loc_479030

loc_479029:				; CODE XREF: MiFinishHardFault(x,x,x,x)+108j
					; MiFinishHardFault(x,x,x,x)+10Cj
		mov	[ebp+var_6C], 0C0000434h

loc_479030:				; CODE XREF: MiFinishHardFault(x,x,x,x)+117j
		mov	byte ptr [ebp+var_55], 21h
		test	ecx, ecx
		jz	short loc_47907B
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_4A], al
		mov	eax, [ebp+var_5C]
		test	dword ptr [eax+78h], 1000000h
		jnz	short loc_479069
		mov	eax, [ebp+var_88]
		mov	ecx, esi
		test	byte ptr [eax+60h], 7
		jnz	short loc_479064
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	short loc_479069
; 

loc_479064:				; CODE XREF: MiFinishHardFault(x,x,x,x)+14Bj
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_479069:				; CODE XREF: MiFinishHardFault(x,x,x,x)+13Dj
					; MiFinishHardFault(x,x,x,x)+152j
		mov	edx, edi
		lea	ecx, [ebx+14h]
		call	MiRelockFaultState
		mov	al, [ebp+var_4A]
		mov	[ebx+1Ch], al
		jmp	short loc_479080
; 

loc_47907B:				; CODE XREF: MiFinishHardFault(x,x,x,x)+126j
		mov	al, 21h
		mov	[ebp+var_4A], al

loc_479080:				; CODE XREF: MiFinishHardFault(x,x,x,x)+169j
		mov	esi, [ebp+var_98]
		test	esi, esi
		jz	short loc_47909E
		xor	edx, edx
		mov	ecx, esi
		cmp	al, 21h
		lea	eax, [ebp+var_55]
		setnz	dl
		dec	edx
		and	edx, eax
		call	_MiRelockProtoPoolPage@8 ; MiRelockProtoPoolPage(x,x)

loc_47909E:				; CODE XREF: MiFinishHardFault(x,x,x,x)+178j
		mov	edi, [ebp+var_5C]
		mov	eax, [edi+6Ch]
		test	eax, eax
		jz	short loc_4790BF
		mov	dword ptr [edi+30h], 0C000009Ah
		mov	dword ptr [edi+34h], 0
		mov	[ebp+var_74], 0C000009Ah
		jmp	short loc_4790C5
; 

loc_4790BF:				; CODE XREF: MiFinishHardFault(x,x,x,x)+196j
		mov	eax, [edi+30h]
		mov	[ebp+var_74], eax

loc_4790C5:				; CODE XREF: MiFinishHardFault(x,x,x,x)+1ADj
		mov	al, 21h
		mov	[ebp+var_49], al
		mov	byte ptr [ebp+var_68], al
		lea	eax, [edi+8]
		cmp	[eax], eax
		jz	short loc_4790F4
		mov	ecx, edi
		call	MiInvalidateCollidedIos
		and	eax, 1
		lea	eax, [eax+eax]
		mov	[ebp+var_50], eax
		jnz	short loc_4790F4
		mov	dword ptr [edi+30h], 0C0000017h
		mov	dword ptr [edi+34h], 0

loc_4790F4:				; CODE XREF: MiFinishHardFault(x,x,x,x)+1C2j
					; MiFinishHardFault(x,x,x,x)+1D4j
		test	esi, esi
		jz	short loc_47913B
		mov	[ebp+var_B8], 0
		add	esi, 10h
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_479128
		lea	esp, [esp+0]

loc_479110:				; CODE XREF: MiFinishHardFault(x,x,x,x)+20Fj
					; MiFinishHardFault(x,x,x,x)+216j
		lea	ecx, [ebp+var_B8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_479110
		lock bts dword ptr [esi], 1Fh
		jb	short loc_479110

loc_479128:				; CODE XREF: MiFinishHardFault(x,x,x,x)+1FAj
		mov	ecx, [ebp+var_98]
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax

loc_47913B:				; CODE XREF: MiFinishHardFault(x,x,x,x)+1E6j
		cmp	[ebp+var_6C], 0
		jl	short loc_479160
		mov	edx, [ebp+var_A8]
		lea	eax, [edi+60h]
		push	eax
		push	[ebp+var_78]
		mov	ecx, ebx
		call	_MiIsFaultPteIntact@16 ; MiIsFaultPteIntact(x,x,x,x)
		test	eax, eax
		jnz	short loc_479160
		mov	[ebp+var_6C], 0C0000434h

loc_479160:				; CODE XREF: MiFinishHardFault(x,x,x,x)+22Fj
					; MiFinishHardFault(x,x,x,x)+247j
		cmp	[ebp+var_74], 0
		jl	short loc_4791B4
		mov	ecx, [edi+78h]
		test	cl, 8
		jnz	short loc_479190
		cmp	dword ptr [edi+98h], 0
		jnz	short loc_479190
		mov	eax, [ebp+var_7C]
		cmp	eax, [ebp+var_84]
		jz	short loc_4791B4
		mov	eax, [ebp+var_80]
		add	eax, 20h
		cmp	[ebp+var_8C], eax
		jbe	short loc_4791B4

loc_479190:				; CODE XREF: MiFinishHardFault(x,x,x,x)+25Cj
					; MiFinishHardFault(x,x,x,x)+265j
		test	ecx, 0E00h
		jz	short loc_4791B4
		test	ecx, 80000h
		jz	short loc_4791B4
		test	ecx, 8000h
		jnz	short loc_4791B4
		call	_MiCreateDecayPfn@0 ; MiCreateDecayPfn()
		mov	esi, eax
		mov	[ebp+var_60], eax
		jmp	short loc_4791B9
; 

loc_4791B4:				; CODE XREF: MiFinishHardFault(x,x,x,x)+254j
					; MiFinishHardFault(x,x,x,x)+270j ...
		xor	esi, esi
		mov	[ebp+var_60], esi

loc_4791B9:				; CODE XREF: MiFinishHardFault(x,x,x,x)+2A2j
		mov	eax, ds:_ZeroPte
		xor	edx, edx
		mov	ebx, [ebp+var_7C]
		mov	[ebp+var_AC], eax
		mov	eax, ds:dword_40F9FC
		mov	[ebp+var_B0], eax
		mov	eax, [ebp+var_64]
		mov	[ebp+var_55+1],	edx
		mov	[ebp+var_B4], edx
		cmp	eax, ebx
		ja	loc_4795D8
		jmp	short loc_4791F0
; 
		align 10h

loc_4791F0:				; CODE XREF: MiFinishHardFault(x,x,x,x)+2D8j
					; MiFinishHardFault(x,x,x,x)+6AFj
		mov	eax, [eax]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ebx, [eax+ecx*4]
		cmp	ebx, dword_6D34E8
		jz	loc_4795B0
		lea	esi, [ebx+10h]
		test	edx, edx
		jnz	loc_47933A
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_49], al
		mov	[ebp+var_BC], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_47925B
		jmp	short loc_479240
; 
		align 10h

loc_479240:				; CODE XREF: MiFinishHardFault(x,x,x,x)+326j
					; MiFinishHardFault(x,x,x,x)+33Fj ...
		lea	ecx, [ebp+var_BC]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_479240
		lock bts dword ptr [esi], 1Fh
		jb	short loc_479240
		mov	al, [ebp+var_49]

loc_47925B:				; CODE XREF: MiFinishHardFault(x,x,x,x)+324j
		mov	byte ptr [ebp+var_68], al

loc_47925E:				; CODE XREF: MiFinishHardFault(x,x,x,x)+42Fj
		mov	eax, [ebp+var_50]
		mov	ecx, [ebp+var_A0]
		and	eax, 0FFFFFFCFh
		mov	[ebp+var_50], eax
		test	cl, 1
		jz	short loc_47928A
		mov	edx, ecx
		shr	edx, 10h
		test	edx, edx
		jz	short loc_47928A
		dec	edx
		movzx	ecx, cx
		shl	edx, 10h
		or	edx, ecx
		mov	[ebp+var_A0], edx

loc_47928A:				; CODE XREF: MiFinishHardFault(x,x,x,x)+360j
					; MiFinishHardFault(x,x,x,x)+369j
		test	dword ptr [esi], 40000000h
		jz	loc_479367
		or	eax, 20h

loc_479299:				; CODE XREF: MiFinishHardFault(x,x,x,x)+48Dj
		mov	[ebp+var_50], eax

loc_47929C:				; CODE XREF: MiFinishHardFault(x,x,x,x)+49Bj
		mov	edx, [ebp+var_70]

loc_47929F:				; CODE XREF: MiFinishHardFault(x,x,x,x)+479j
					; MiFinishHardFault(x,x,x,x)+4BBj
		mov	cl, [ebx+16h]
		mov	edi, eax
		and	cl, 0DFh
		mov	dword ptr [ebx], 0
		mov	[ebx+16h], cl
		and	edi, 30h
		jz	loc_4793D0
		mov	ecx, [ebp+var_55+1]
		test	ecx, ecx
		jz	short loc_4792D6
		push	21h
		push	ecx
		mov	ecx, [ebp+var_60]
		lea	edx, [ebp+var_48]
		call	MiInsertAndUnlockStandbyPages
		mov	eax, [ebp+var_50]
		xor	ecx, ecx
		mov	[ebp+var_55+1],	ecx

loc_4792D6:				; CODE XREF: MiFinishHardFault(x,x,x,x)+3AEj
		cmp	edi, 10h
		mov	edi, [ebp+var_5C]
		jnz	short loc_479326
		and	eax, 0FFFFFFFBh
		test	byte ptr [edi+78h], 10h
		mov	[ebp+var_50], eax
		jz	short loc_4792EE
		test	al, 2
		jz	short loc_4792F4

loc_4792EE:				; CODE XREF: MiFinishHardFault(x,x,x,x)+3D8j
		or	eax, 4
		mov	[ebp+var_50], eax

loc_4792F4:				; CODE XREF: MiFinishHardFault(x,x,x,x)+3DCj
		test	al, 4
		jz	short loc_47931F
		mov	eax, [ebx+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_47931F
		mov	ecx, ebx
		call	_MiIsPfnCommitNotCharged@4 ; MiIsPfnCommitNotCharged(x)
		test	eax, eax
		jnz	short loc_47931F
		push	4
		lea	edx, [eax+1]
		mov	ecx, offset _MiSystemPartition
		call	MiChargeCommit

loc_47931F:				; CODE XREF: MiFinishHardFault(x,x,x,x)+3E6j
					; MiFinishHardFault(x,x,x,x)+3F3j ...
		mov	ecx, ebx
		call	MiHandleInPageError

loc_479326:				; CODE XREF: MiFinishHardFault(x,x,x,x)+3CCj
		mov	ecx, ebx
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		jmp	loc_4795A1
; 

loc_47933A:				; CODE XREF: MiFinishHardFault(x,x,x,x)+304j
		lock bts dword ptr [esi], 1Fh
		jnb	loc_47925E
		mov	ebx, [ebp+var_68]
		mov	esi, [ebp+var_60]
		mov	ecx, esi
		push	ebx
		push	edx
		lea	edx, [ebp+var_48]
		call	MiInsertAndUnlockStandbyPages
		mov	eax, [ebp+var_64]
		xor	edx, edx
		mov	[ebp+var_55+1],	edx
		sub	eax, 4
		jmp	loc_4795B6
; 

loc_479367:				; CODE XREF: MiFinishHardFault(x,x,x,x)+380j
		mov	cl, [ebx+17h]
		test	cl, 10h
		jz	short loc_47938E
		mov	edx, [ebp+var_70]
		cmp	ebx, edx
		jnz	short loc_479383
		cmp	[ebp+var_74], 0
		jl	short loc_479383
		mov	[ebp+var_74], 0C000003Fh

loc_479383:				; CODE XREF: MiFinishHardFault(x,x,x,x)+464j
					; MiFinishHardFault(x,x,x,x)+46Aj
		or	eax, 10h
		mov	[ebp+var_50], eax
		jmp	loc_47929F
; 

loc_47938E:				; CODE XREF: MiFinishHardFault(x,x,x,x)+45Dj
		cmp	[ebp+var_74], 0
		jge	short loc_4793A2
		or	cl, 10h
		or	eax, 10h
		mov	[ebx+17h], cl
		jmp	loc_479299
; 

loc_4793A2:				; CODE XREF: MiFinishHardFault(x,x,x,x)+482j
		mov	edx, [ebp+var_8C]
		cmp	[ebp+var_64], edx
		jb	loc_47929C
		mov	edx, [ebp+var_70]
		cmp	ebx, edx
		jnz	short loc_4793BF
		mov	[ebp+var_6C], 0C0000434h

loc_4793BF:				; CODE XREF: MiFinishHardFault(x,x,x,x)+4A6j
		or	cl, 10h
		or	eax, 10h
		mov	[ebx+17h], cl
		mov	[ebp+var_50], eax
		jmp	loc_47929F
; 

loc_4793D0:				; CODE XREF: MiFinishHardFault(x,x,x,x)+3A3j
		cmp	ebx, edx
		jnz	loc_47979A
		mov	edi, [ebp+var_9C]
		or	eax, 1
		mov	[ebp+var_50], eax
		test	edi, edi
		jz	short loc_479422
		mov	esi, [ebp+var_55+1]
		test	esi, esi
		jz	short loc_479402
		mov	ecx, [ebp+var_60]
		lea	edx, [ebp+var_48]
		push	21h
		push	esi
		call	MiInsertAndUnlockStandbyPages
		xor	ecx, ecx
		mov	[ebp+var_55+1],	ecx

loc_479402:				; CODE XREF: MiFinishHardFault(x,x,x,x)+4DDj
		mov	esi, [ebp+var_78]
		mov	edx, ebx
		push	edi
		mov	ecx, esi
		call	_MiSwapHardFaultPage@12	; MiSwapHardFaultPage(x,x,x)
		mov	edx, edi
		mov	[ebp+var_9C], 0
		mov	[ebp+var_70], edx
		mov	ebx, edi
		jmp	short loc_479425
; 

loc_479422:				; CODE XREF: MiFinishHardFault(x,x,x,x)+4D6j
		mov	esi, [ebp+var_78]

loc_479425:				; CODE XREF: MiFinishHardFault(x,x,x,x)+510j
		cmp	ebx, edx
		jnz	loc_47979A
		cmp	[ebp+var_6C], 0
		jl	loc_47979A
		mov	eax, [ebp+var_55+1]
		test	eax, eax
		jz	short loc_479453
		mov	ecx, [ebp+var_60]
		lea	edx, [ebp+var_48]
		push	21h
		push	eax
		call	MiInsertAndUnlockStandbyPages
		mov	[ebp+var_55+1],	0

loc_479453:				; CODE XREF: MiFinishHardFault(x,x,x,x)+52Cj
		mov	edx, 3
		mov	ecx, ebx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	edx, 1
		mov	ecx, ebx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	al, [ebx+16h]
		and	al, 0FEh
		or	al, 6
		mov	[ebx+16h], al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, [ebx+8]
		and	eax, 400h
		mov	[ebp+var_B4], offset _MiSystemPartition
		or	eax, 0
		jnz	short loc_4794BA
		mov	eax, [ebx+0Ch]
		mov	ecx, offset _MiSystemPartition
		push	eax
		mov	eax, [ebx+8]
		push	eax
		call	_MiIsPteInStore@16 ; MiIsPteInStore(x,x,x,x)
		test	eax, eax
		jz	short loc_4794BA
		mov	ecx, ebx
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	[ebp+var_AC], eax
		mov	[ebp+var_B0], edx

loc_4794BA:				; CODE XREF: MiFinishHardFault(x,x,x,x)+57Fj
					; MiFinishHardFault(x,x,x,x)+595j
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_47958C
		mov	ecx, [esi]
		mov	eax, [esi+4]
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		cmp	cl, 18h
		jnz	short loc_4794E3
		mov	edx, ebx
		mov	ecx, esi
		call	_MiMakeProtoReadOnly@8 ; MiMakeProtoReadOnly(x,x)

loc_4794E3:				; CODE XREF: MiFinishHardFault(x,x,x,x)+5C8j
		mov	ecx, esi
		call	_MiMakeTransitionPteValid@4 ; MiMakeTransitionPteValid(x)
		mov	ecx, [ebp+var_78]
		mov	edi, eax
		mov	eax, edx
		mov	[ebp+var_90], 0
		mov	[ebp+var_94], eax
		mov	edx, edi
		mov	esi, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_47955F
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_47953F
		cmp	byte ptr word_6D07B8+1,	0
		mov	ecx, 1
		jnz	short loc_479561

loc_479525:				; CODE XREF: MiFinishHardFault(x,x,x,x)+64Bj
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	short loc_479561
		mov	esi, [ebp+var_94]
		mov	edx, edi
		or	esi, 80000000h
		jmp	short loc_479561
; 

loc_47953F:				; CODE XREF: MiFinishHardFault(x,x,x,x)+605j
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_90]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_479525
		jmp	short loc_479561
; 

loc_47955F:				; CODE XREF: MiFinishHardFault(x,x,x,x)+5FCj
		xor	ecx, ecx

loc_479561:				; CODE XREF: MiFinishHardFault(x,x,x,x)+613j
					; MiFinishHardFault(x,x,x,x)+61Dj ...
		mov	eax, [ebp+var_78]
		mov	[eax+4], esi
		nop
		mov	[eax], edx
		test	ecx, ecx
		jz	short loc_479577
		push	esi
		push	edx
		mov	ecx, eax
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_479577:				; CODE XREF: MiFinishHardFault(x,x,x,x)+65Cj
		mov	ecx, [ebp+var_A4]
		test	ecx, ecx
		jz	short loc_47958C
		mov	eax, [ebp+var_94]
		mov	[ecx], edi
		mov	[ecx+4], eax

loc_47958C:				; CODE XREF: MiFinishHardFault(x,x,x,x)+5B3j
					; MiFinishHardFault(x,x,x,x)+66Fj
		mov	edi, [ebp+var_5C]

loc_47958F:				; CODE XREF: MiFinishHardFault(x,x,x,x)+89Fj
					; MiFinishHardFault(x,x,x,x)+8ADj
		lea	eax, [ebx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	edx, [ebp+var_55+1]
		test	edx, edx
		jnz	short loc_4795AD

loc_4795A1:				; CODE XREF: MiFinishHardFault(x,x,x,x)+425j
		mov	cl, [ebp+var_49]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_55+1]

loc_4795AD:				; CODE XREF: MiFinishHardFault(x,x,x,x)+68Fj
		mov	esi, [ebp+var_60]

loc_4795B0:				; CODE XREF: MiFinishHardFault(x,x,x,x)+2F9j
					; MiFinishHardFault(x,x,x,x)+8D5j
		mov	ebx, [ebp+var_68]
		mov	eax, [ebp+var_64]

loc_4795B6:				; CODE XREF: MiFinishHardFault(x,x,x,x)+452j
		add	eax, 4
		mov	[ebp+var_64], eax
		cmp	eax, [ebp+var_7C]
		jbe	loc_4791F0
		test	edx, edx
		jz	short loc_4795D5
		push	ebx
		push	edx
		lea	edx, [ebp+var_48]
		mov	ecx, esi
		call	MiInsertAndUnlockStandbyPages

loc_4795D5:				; CODE XREF: MiFinishHardFault(x,x,x,x)+6B7j
		mov	ebx, [ebp+var_7C]

loc_4795D8:				; CODE XREF: MiFinishHardFault(x,x,x,x)+2D2j
		mov	ecx, [ebp+var_98]
		test	ecx, ecx
		jz	short loc_4795F8
		cmp	[ebp+var_4A], 21h
		movzx	eax, byte ptr [ebp+var_55]
		jz	short loc_4795F1
		mov	eax, 21h

loc_4795F1:				; CODE XREF: MiFinishHardFault(x,x,x,x)+6DAj
		mov	dl, al
		call	MiUnlockProtoPoolPage

loc_4795F8:				; CODE XREF: MiFinishHardFault(x,x,x,x)+6D0j
		test	dword ptr [edi+78h], 8000h
		jz	loc_4796AE
		mov	eax, [ebp+var_80]
		mov	ecx, [edi+38h]
		push	0
		and	ecx, 3FFFFh
		add	ecx, [ebp+var_A8]
		mov	edx, [eax+14h]
		push	2
		call	_MmCheckCachedPageStates@16 ; MmCheckCachedPageStates(x,x,x,x)
		mov	edx, [ebp+var_84]
		mov	eax, ebx
		sub	eax, edx
		mov	edi, 1
		add	eax, 4
		shr	eax, 2
		cmp	ebx, edx
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax
		mov	[ebp+var_A4], ecx
		cmp	ecx, edi
		jb	short loc_4796AB
		lea	ebx, [ebx+0]

loc_479650:				; CODE XREF: MiFinishHardFault(x,x,x,x)+799j
		mov	eax, [edx]
		test	eax, eax
		jns	short loc_47969D
		and	eax, 7FFFFFFFh
		mov	[edx], eax
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+ecx*4]
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, esi
		mov	bl, al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_A4]
		mov	edx, [ebp+var_84]

loc_47969D:				; CODE XREF: MiFinishHardFault(x,x,x,x)+744j
		add	edx, 4
		inc	edi
		mov	[ebp+var_84], edx
		cmp	edi, ecx
		jbe	short loc_479650

loc_4796AB:				; CODE XREF: MiFinishHardFault(x,x,x,x)+738j
		mov	edi, [ebp+var_5C]

loc_4796AE:				; CODE XREF: MiFinishHardFault(x,x,x,x)+6EFj
		mov	eax, [ebp+var_60]
		test	eax, eax
		jz	short loc_4796BC
		mov	ecx, eax
		call	MiDecayPfnFullyInitialized

loc_4796BC:				; CODE XREF: MiFinishHardFault(x,x,x,x)+7A3j
		mov	edx, [ebp+var_AC]
		mov	eax, edx
		mov	esi, [ebp+var_B0]
		or	eax, esi
		jz	short loc_4796DD
		mov	ecx, [ebp+var_B4]
		push	esi
		push	edx
		xor	edx, edx
		call	MiReleasePageFileInfo

loc_4796DD:				; CODE XREF: MiFinishHardFault(x,x,x,x)+7BCj
		cmp	[ebp+var_88], 0
		jz	short loc_4796FE
		test	dword ptr [edi+78h], 1000000h
		jz	short loc_4796FE
		mov	ecx, [ebp+var_C0]
		mov	dl, 21h
		push	0
		call	_MiReleaseFaultState@12	; MiReleaseFaultState(x,x,x)

loc_4796FE:				; CODE XREF: MiFinishHardFault(x,x,x,x)+7D4j
					; MiFinishHardFault(x,x,x,x)+7DDj
		test	dword ptr [edi+78h], 200000h
		jnz	short loc_479715
		mov	eax, [edi+7Ch]
		push	746C6644h
		push	eax
		call	ObDereferenceObjectDeferDeleteWithTag

loc_479715:				; CODE XREF: MiFinishHardFault(x,x,x,x)+7F5j
		cmp	dword ptr [edi+68h], 1
		jle	short loc_479728
		push	0
		push	0
		lea	eax, [edi+20h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_479728:				; CODE XREF: MiFinishHardFault(x,x,x,x)+809j
		mov	ecx, edi
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)
		mov	eax, [ebp+var_9C]
		test	eax, eax
		jz	short loc_47976B
		mov	ecx, eax
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_47976B
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_47976B:				; CODE XREF: MiFinishHardFault(x,x,x,x)+827j
					; MiFinishHardFault(x,x,x,x)+850j
		mov	ecx, [ebp+var_74]
		test	ecx, ecx
		jns	short loc_4797EA
		mov	eax, [ebp+var_A0]
		test	al, 1
		jz	short loc_479785
		test	al, 2
		jnz	short loc_479785
		mov	ecx, 0C0000434h

loc_479785:				; CODE XREF: MiFinishHardFault(x,x,x,x)+86Aj
					; MiFinishHardFault(x,x,x,x)+86Ej
		mov	eax, ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_47979A:				; CODE XREF: MiFinishHardFault(x,x,x,x)+4C2j
					; MiFinishHardFault(x,x,x,x)+517j ...
		mov	edi, [ebp+var_5C]
		test	dword ptr [edi+78h], 8000h
		jz	short loc_4797B4
		mov	eax, [ebp+var_64]
		or	dword ptr [eax], 80000000h
		jmp	loc_47958F
; 

loc_4797B4:				; CODE XREF: MiFinishHardFault(x,x,x,x)+894j
		mov	ecx, ebx
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		test	eax, eax
		jz	loc_47958F
		mov	edx, [ebp+var_55+1]
		mov	esi, [ebp+var_60]
		cmp	edx, 10h
		jnz	short loc_4797DD
		push	21h
		push	edx
		lea	edx, [ebp+var_48]
		mov	ecx, esi
		call	MiInsertAndUnlockStandbyPages
		xor	edx, edx

loc_4797DD:				; CODE XREF: MiFinishHardFault(x,x,x,x)+8BCj
		mov	[ebp+edx*4+var_48], ebx
		inc	edx
		mov	[ebp+var_55+1],	edx
		jmp	loc_4795B0
; 

loc_4797EA:				; CODE XREF: MiFinishHardFault(x,x,x,x)+860j
		test	byte ptr [ebp+var_50], 1
		mov	eax, 0C0000434h
		jz	short loc_4797F8
		mov	eax, [ebp+var_6C]

loc_4797F8:				; CODE XREF: MiFinishHardFault(x,x,x,x)+8E3j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_MiFinishHardFault@16 endp

; 
		align 10h

; __stdcall MiRemoveLockedPageCharge(x)
_MiRemoveLockedPageCharge@4:		; CODE XREF: .text:004593D8p
					; .text:0045D2B2p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, word ptr [ecx+14h]
		sub	esp, 10h
		test	ax, ax
		jz	loc_479A85
		add	eax, 0FFFFh
		test	dword ptr [ecx+18h], 800000h
		push	esi
		mov	[ecx+14h], ax
		jnz	loc_479A7E
		mov	esi, [ecx+10h]
		mov	edx, esi
		and	edx, 3FFFFFFFh
		test	ax, ax
		jz	short loc_47987D
		cmp	ax, 1
		jnz	short loc_479858
		test	edx, edx
		jnz	short loc_479874
		jmp	short loc_47986A
; 

loc_479858:				; CODE XREF: .text:00479850j
		cmp	ax, 2
		jnz	loc_479A7E
		test	edx, edx
		jz	loc_479A7E

loc_47986A:				; CODE XREF: .text:00479856j
		test	byte ptr [ecx+16h], 8
		jz	loc_479A7E

loc_479874:				; CODE XREF: .text:00479854j
		mov	dword ptr [ebp-4], 0
		jmp	short loc_479884
; 

loc_47987D:				; CODE XREF: .text:0047984Aj
		mov	dword ptr [ebp-4], 1

loc_479884:				; CODE XREF: .text:0047987Bj
		mov	edx, [ecx+4]
		push	edi
		mov	edi, ds:_MmHighestUserAddress
		or	edx, 80000000h
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		add	edi, 0C0000000h
		cmp	edx, edi
		ja	short loc_4798AF
		cmp	edx, 0C0000000h
		jnb	short loc_4798C4

loc_4798AF:				; CODE XREF: .text:004798A5j
		mov	al, [ecx+17h]
		test	al, 20h
		jz	short loc_4798C4
		and	al, 0DFh
		pop	edi
		mov	[ecx+17h], al
		mov	eax, [ebp-4]
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4798C4:				; CODE XREF: .text:004798ADj
					; .text:004798B4j
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4798DA
		mov	eax, [ecx+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_479902

loc_4798DA:				; CODE XREF: .text:004798CBj
		cmp	edx, edi
		ja	short loc_4798EC
		cmp	edx, 0C0000000h
		jb	short loc_4798EC
		test	byte ptr [ecx+17h], 20h
		jnz	short loc_479902

loc_4798EC:				; CODE XREF: .text:004798DCj
					; .text:004798E4j
		cmp	dword ptr [ebp-4], 1
		jnz	loc_4799F3
		test	esi, 40000000h
		jz	loc_4799F3

loc_479902:				; CODE XREF: .text:004798D8j
					; .text:004798EAj
		xor	eax, eax
		mov	esi, 1
		mov	[ebp-10h], eax
		mov	[ebp-0Ch], eax
		mov	[ebp-8], eax
		cmp	dword_6D5BE0, eax
		jz	short loc_479986
		lea	edx, [ebp-10h]
		mov	ecx, offset unk_6D5BD8
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edi, esi
		mov	ecx, offset _MiSystemPartition
		mov	edx, edi
		call	_MiRestockOverCommit@8 ; MiRestockOverCommit(x,x)
		test	ds:byte_70EFC6,	1
		mov	esi, eax
		jz	short loc_47994D
		mov	edx, [ebp+4]
		lea	ecx, [ebp-10h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_479979
; 

loc_47994D:				; CODE XREF: .text:0047993Ej
		mov	eax, [ebp-10h]
		test	eax, eax
		jnz	short loc_47996C
		mov	edx, [ebp-0Ch]
		lea	eax, [ebp-10h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-10h]
		cmp	eax, ecx
		jz	short loc_479979
		call	KxWaitForLockChainValid

loc_47996C:				; CODE XREF: .text:00479952j
		mov	dword ptr [ebp-10h], 0
		add	eax, 4
		lock xor [eax],	edi

loc_479979:				; CODE XREF: .text:0047994Bj
					; .text:00479965j
		mov	cl, [ebp-8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_4799F3

loc_479986:				; CODE XREF: .text:00479918j
		mov	eax, large fs:20h
		mov	edx, [eax+3D2Ch]
		lea	edi, [eax+3D2Ch]
		lea	eax, [edx+esi]
		cmp	eax, 100h
		ja	short loc_4799BA

loc_4799A2:				; CODE XREF: .text:004799B8j
		lea	ecx, [edx+esi]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_4799F3
		mov	edx, eax
		add	eax, esi
		cmp	eax, 100h
		jbe	short loc_4799A2

loc_4799BA:				; CODE XREF: .text:004799A0j
		mov	ecx, esi
		mov	eax, offset dword_6D5EFC
		neg	ecx
		lock xadd [eax], ecx
		mov	edx, dword_6D5BD4
		mov	eax, ecx
		sub	eax, esi
		cmp	ecx, edx
		jb	short loc_4799D9
		cmp	eax, edx
		jb	short loc_4799E7

loc_4799D9:				; CODE XREF: .text:004799D3j
		mov	edx, dword_6D5BD0
		cmp	eax, edx
		jnb	short loc_4799F3
		cmp	ecx, edx
		jb	short loc_4799F3

loc_4799E7:				; CODE XREF: .text:004799D7j
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiSyncCommitSignals

loc_4799F3:				; CODE XREF: .text:004798F0j
					; .text:004798FCj ...
		mov	eax, large fs:20h
		mov	edx, [eax+3D30h]
		lea	esi, [eax+3D30h]
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_479A11
		mov	ecx, 1
		jmp	short loc_479A6C
; 

loc_479A11:				; CODE XREF: .text:00479A08j
		lea	eax, [edx+1]
		cmp	eax, 100h
		ja	short loc_479A3C
		jmp	short loc_479A20
; 
		align 10h

loc_479A20:				; CODE XREF: .text:00479A1Bj
					; .text:00479A3Aj
		lea	ecx, [edx+1]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_479A75
		mov	edx, eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_479A3C
		inc	eax
		cmp	eax, 100h
		jbe	short loc_479A20

loc_479A3C:				; CODE XREF: .text:00479A19j
					; .text:00479A32j
		mov	ecx, 1
		cmp	edx, 0C0h
		jle	short loc_479A68
		cmp	edx, 0FFFFFFFFh
		jz	short loc_479A68
		mov	ecx, 0C0h
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	ecx, 1
		cmp	eax, edx
		jnz	short loc_479A68
		lea	ecx, [edx-0BFh]

loc_479A68:				; CODE XREF: .text:00479A47j
					; .text:00479A4Cj ...
		test	ecx, ecx
		jz	short loc_479A75

loc_479A6C:				; CODE XREF: .text:00479A0Fj
		mov	eax, offset dword_6D5E40
		lock xadd [eax], ecx

loc_479A75:				; CODE XREF: .text:00479A2Bj
					; .text:00479A6Aj
		mov	eax, [ebp-4]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_479A7E:				; CODE XREF: .text:00479836j
					; .text:0047985Cj ...
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_479A85:				; CODE XREF: .text:0047981Fj
		call	_MiBadRefCount@4 ; MiBadRefCount(x)
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCompleteRestrictedImageFault(x, x, x, x)
_MiCompleteRestrictedImageFault@16 proc	near ; CODE XREF: MiSoftFaultMappedView+347p
					; MiSoftFaultMappedView+44Cp ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], edx
		mov	edx, dword_6D0704
		mov	[ebp+var_C], 1
		mov	eax, [edi]
		mov	[ebp+var_30], eax
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		lea	esi, ds:0[eax*8]
		sub	esi, eax
		mov	eax, ds:_MmPfnDatabase
		mov	ecx, [eax+esi*4+4]
		mov	ebx, [eax+esi*4+8]
		or	ecx, 80000000h
		mov	esi, [eax+esi*4+0Ch]
		mov	[ebp+var_18], ecx
		mov	ecx, dword_6D0700
		mov	eax, ecx
		or	eax, edx
		jz	short loc_479AF4
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_479AF4
		not	edx
		and	esi, edx

loc_479AF4:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+54j
					; MiCompleteRestrictedImageFault(x,x,x,x)+5Ej
		cmp	_PfSnNumActiveTraces, 0
		mov	eax, [esi]
		mov	[ebp+var_34], eax
		jz	short loc_479B0E
		mov	ecx, eax
		call	MiReferenceControlAreaFile
		mov	[ebp+var_8], eax
		jmp	short loc_479B15
; 

loc_479B0E:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+70j
		mov	[ebp+var_8], 0

loc_479B15:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+7Cj
		xor	ebx, ebx
		cmp	[ebp+arg_4], ebx
		jbe	loc_479D33

loc_479B20:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+294j
		mov	eax, [ebp+arg_0]
		mov	edx, dword_6D0704
		mov	eax, [eax+ebx*4]
		mov	[ebp+var_2C], eax
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		mov	esi, [eax+ecx*4+8]
		lea	eax, [eax+ecx*4]
		mov	ecx, dword_6D0700
		mov	[ebp+var_4], eax
		mov	eax, [eax+0Ch]
		mov	[ebp+var_10], eax
		mov	[ebp+var_3C], eax
		mov	eax, ecx
		or	eax, edx
		mov	[ebp+var_40], esi
		jz	short loc_479B72
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_479B72
		not	edx
		and	edx, [ebp+var_10]
		mov	ecx, edx
		jmp	short loc_479B75
; 

loc_479B72:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+CDj
					; MiCompleteRestrictedImageFault(x,x,x,x)+D7j
		mov	ecx, [ebp+var_10]

loc_479B75:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+E0j
		mov	edx, [ebp+var_4]
		mov	esi, [ebp+var_14]
		mov	edx, [edx+4]
		or	edx, 80000000h
		mov	eax, edx
		sub	eax, [ebp+var_18]
		sar	eax, 3
		cmp	[ebp+var_8], 0
		lea	esi, [esi+eax*8]
		mov	[ebp+var_10], esi
		jz	loc_479C47
		mov	eax, esi
		shl	eax, 9
		cmp	eax, dword_6D07D0
		jb	short loc_479BC1
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_479BC1
		cmp	al, 0Bh
		jz	short loc_479BC1
		mov	eax, 0FFFFFFFFh
		jmp	short loc_479BEB
; 

loc_479BC1:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+117j
					; MiCompleteRestrictedImageFault(x,x,x,x)+124j	...
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	esi, [eax+180h]
		test	esi, esi
		jz	short loc_479BE8
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_479BE8
		mov	eax, [esi+8]
		jmp	short loc_479BEB
; 

loc_479BE8:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+145j
					; MiCompleteRestrictedImageFault(x,x,x,x)+151j
		or	eax, 0FFFFFFFFh

loc_479BEB:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+12Fj
					; MiCompleteRestrictedImageFault(x,x,x,x)+156j
		push	eax
		call	MiStartingOffset
		mov	[ebp+var_24], eax
		mov	eax, large fs:124h
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], eax
		mov	ecx, [eax+80h]
		call	PfSnReferenceProcessTrace
		mov	esi, eax
		test	esi, esi
		jz	short loc_479C44
		mov	ecx, [ebp+var_1C]
		mov	edx, esi
		push	1
		call	PfSnCheckLoggingForThread
		test	eax, eax
		jz	short loc_479C39
		mov	ecx, [ebp+var_8]
		mov	edx, ecx
		push	1
		push	[ebp+var_20]
		push	[ebp+var_24]
		mov	eax, [ecx+0Ch]
		mov	ecx, esi
		push	eax
		call	PfSnLogPageFaultCommon

loc_479C39:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+18Fj
		lea	ecx, [esi+104h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_479C44:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+17Fj
		mov	esi, [ebp+var_10]

loc_479C47:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+106j
		nop
		mov	ecx, [ebp+var_40]
		nop
		mov	eax, [ebp+var_3C]
		mov	edx, [ebp+var_2C]
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		push	ecx
		mov	ecx, esi
		call	MiMakeValidPte
		and	eax, 0FFFFFFDFh
		mov	[ebp+var_2C], edx
		mov	dl, [edi+9]
		mov	[ebp+var_24], eax
		mov	al, dl
		and	al, 5
		cmp	al, 4
		jnz	loc_479D03
		test	dl, 2
		jnz	loc_479D03
		movzx	eax, word ptr [edi+6]
		test	ax, ax
		jz	short loc_479CBF
		movzx	ecx, word ptr [edi+4]
		add	ecx, eax
		mov	eax, esi
		shr	eax, 3
		and	eax, 1FFh
		cmp	ecx, eax
		jnz	short loc_479CB8
		mov	ecx, [ebp+var_4]
		and	dl, 10h
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_479CB4
		test	dl, dl
		jz	short loc_479CC2
		jmp	short loc_479CB8
; 

loc_479CB4:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+21Cj
		test	dl, dl
		jnz	short loc_479CC2

loc_479CB8:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+20Dj
					; MiCompleteRestrictedImageFault(x,x,x,x)+222j
		mov	ecx, edi
		call	_MiEmptyDeferredWorkingSetEntries@4 ; MiEmptyDeferredWorkingSetEntries(x)

loc_479CBF:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+1F9j
		mov	ecx, [ebp+var_4]

loc_479CC2:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+220j
					; MiCompleteRestrictedImageFault(x,x,x,x)+226j
		movzx	eax, word ptr [edi+6]
		test	ax, ax
		jnz	short loc_479CFE
		mov	dl, [edi+9]
		mov	eax, 1
		mov	[edi+6], ax
		mov	eax, esi
		shr	eax, 3
		and	eax, 1FFh
		mov	[edi+4], ax
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_479CF6
		and	dl, 0EFh
		mov	[edi+9], dl
		jmp	short loc_479D03
; 

loc_479CF6:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+25Cj
		or	dl, 10h
		mov	[edi+9], dl
		jmp	short loc_479D03
; 

loc_479CFE:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+239j
		inc	eax
		mov	[edi+6], ax

loc_479D03:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+1E3j
					; MiCompleteRestrictedImageFault(x,x,x,x)+1ECj	...
		push	[ebp+var_2C]
		mov	ecx, [ebp+var_30]
		mov	edx, esi
		push	[ebp+var_24]
		push	0
		push	0Ch
		push	0
		push	[ebp+var_4]
		call	_MiAllocateWsle@32 ; MiAllocateWsle(x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_479D2C
		inc	ebx
		cmp	ebx, [ebp+arg_4]
		jb	loc_479B20
		jmp	short loc_479D33
; 

loc_479D2C:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+28Ej
		mov	[ebp+var_C], 0

loc_479D33:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+8Aj
					; MiCompleteRestrictedImageFault(x,x,x,x)+29Aj
		test	ebx, ebx
		jnz	short loc_479D42
		xor	eax, eax
		mov	[edi+6], ax
		jmp	loc_479DD3
; 

loc_479D42:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+2A5j
		cmp	word ptr [edi+6], 0
		jz	short loc_479D50
		mov	ecx, edi
		call	_MiEmptyDeferredWorkingSetEntries@4 ; MiEmptyDeferredWorkingSetEntries(x)

loc_479D50:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+2B7j
		mov	ecx, [ebp+var_14]
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		mov	[ebp+var_1C], 0
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [eax+ecx*4]
		lea	esi, [edi+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_479D95
		lea	ebx, [ebx+0]

loc_479D80:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+2FCj
					; MiCompleteRestrictedImageFault(x,x,x,x)+303j
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_479D80
		lock bts dword ptr [esi], 1Fh
		jb	short loc_479D80

loc_479D95:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+2E8j
		mov	edx, ebx
		mov	ecx, edi
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	eax, large fs:124h
		mov	edx, ebx
		mov	ecx, [ebp+var_14]
		shr	ecx, 0Ch
		and	ecx, 7FFh
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		add	eax, 190h
		lea	ecx, [eax+ecx*2]
		call	_MiIncreaseUsedPtesCount@8 ; MiIncreaseUsedPtesCount(x,x)

loc_479DD3:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+2ADj
		mov	esi, [ebp+arg_4]
		cmp	ebx, esi
		jz	short loc_479E03
		lea	ebx, [ebx+0]

loc_479DE0:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+371j
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	eax, [eax+ebx*4]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+ecx*4]
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		inc	ebx
		cmp	ebx, esi
		jnz	short loc_479DE0

loc_479E03:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+348j
		mov	ebx, [ebp+var_8]
		test	ebx, ebx
		jz	short loc_479E41
		mov	esi, [ebp+var_34]
		add	esi, 20h
		mov	ecx, [esi]
		mov	eax, ecx
		xor	eax, ebx
		cmp	eax, 7
		jnb	short loc_479E36
		jmp	short loc_479E20
; 
		align 10h

loc_479E20:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+38Bj
					; MiCompleteRestrictedImageFault(x,x,x,x)+3A4j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jz	short loc_479E41
		mov	ecx, eax
		xor	eax, ebx
		cmp	eax, 7
		jb	short loc_479E20

loc_479E36:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+389j
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag

loc_479E41:				; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+378j
					; MiCompleteRestrictedImageFault(x,x,x,x)+39Bj
		mov	eax, [ebp+var_C]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_MiCompleteRestrictedImageFault@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetPteFromCopyList proc near		; CODE XREF: .text:0047DA83p
					; MiStealPage+92Fp ...

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B36FB SIZE 000000E9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0ACh+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [esp+0BCh+var_A0]
		mov	[esp+0BCh+var_A4], edx
		push	0		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		mov	edi, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, 2
		mov	[esp+0B8h+var_A8], eax
		cmp	edi, 0FFFFFFFFh
		jz	loc_5B36ED

loc_479E9E:				; CODE XREF: MiGetWsleContents+13C856j
		mov	ecx, [ebx]
		add	eax, ecx
		cmp	eax, [ebx+4]
		ja	loc_479F99

loc_479EAB:				; CODE XREF: MiGetPteFromCopyList+176j
		mov	eax, [ebx+0Ch]
		mov	edx, [esp+0B8h+var_A4]
		lea	esi, [eax+ecx*8]
		mov	eax, [esp+0B8h+var_A8]
		add	eax, ecx
		lea	ecx, ds:0[edx*8]
		mov	[ebx], eax
		sub	ecx, edx
		mov	eax, ds:_MmPfnDatabase
		mov	ebx, 4
		mov	al, [eax+ecx*4+16h]
		shr	al, 6
		test	al, al
		jz	loc_5B36FB
		cmp	al, 2
		jz	loc_479F88

loc_479EE7:				; CODE XREF: MiGetPteFromCopyList+13Dj
					; MiGetPteFromCopyList+1398B0j
		or	ebx, 0A0000000h
		mov	ecx, esi
		push	ebx
		call	MiMakeValidPte
		mov	ecx, esi
		mov	ebx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5B3705

loc_479F06:				; CODE XREF: MiGetPteFromCopyList+1398FEj
					; MiGetPteFromCopyList+13990Cj	...
		xor	ecx, ecx

loc_479F08:				; CODE XREF: MiGetPteFromCopyList+1398CAj
					; MiGetPteFromCopyList+1398D7j	...
		mov	[esi+4], edx
		nop
		mov	[esi], ebx
		test	ecx, ecx
		jnz	loc_5B376D

loc_479F16:				; CODE XREF: MiGetPteFromCopyList+139926j
		cmp	edi, 0FFFFFFFFh
		jz	short loc_479F6F
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		mov	edx, 1
		mov	al, [eax+ecx*4+16h]
		shr	al, 6
		test	al, al
		jz	loc_5B377B
		cmp	al, 2
		jz	short loc_479F92

loc_479F41:				; CODE XREF: MiGetPteFromCopyList+147j
					; MiGetPteFromCopyList+139930j
		or	edx, 20000000h
		mov	ecx, esi
		push	edx
		mov	edx, edi
		call	MiMakeValidPte
		lea	ecx, [esi+8]
		mov	edi, eax
		xor	ebx, ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5B3785

loc_479F65:				; CODE XREF: MiGetPteFromCopyList+13994Aj
					; MiGetPteFromCopyList+139957j	...
		mov	[ecx+4], edx
		nop
		mov	[ecx], edi
		test	ebx, ebx
		jnz	short loc_479FCB

loc_479F6F:				; CODE XREF: MiGetPteFromCopyList+C9j
					; MiGetPteFromCopyList+182j
		mov	ecx, [esp+0B8h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_479F88:				; CODE XREF: MiGetPteFromCopyList+91j
		mov	ebx, 1Ch
		jmp	loc_479EE7
; 

loc_479F92:				; CODE XREF: MiGetPteFromCopyList+EFj
		mov	edx, 19h
		jmp	short loc_479F41
; 

loc_479F99:				; CODE XREF: MiGetPteFromCopyList+55j
		mov	edx, [ebx+0Ch]
		push	0
		push	ecx
		shl	edx, 9
		lea	ecx, [esp+0C0h+var_A0]
		mov	[esp+0C0h+var_98], 21h
		mov	[esp+0C0h+var_8C], 0
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [esp+0B8h+var_A0]
		call	MiFlushTbList
		xor	ecx, ecx
		jmp	loc_479EAB
; 

loc_479FCB:				; CODE XREF: MiGetPteFromCopyList+11Dj
		push	edx
		push	edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	short loc_479F6F
MiGetPteFromCopyList endp

; 
		dd 7 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiZeroPhysicalPage proc	near		; CODE XREF: MiIssueHardFault(x,x)+13Bp
					; .text:004493DEp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B37E4 SIZE 000000B4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, ecx
		push	ebx
		push	esi
		mov	[esp+1Ch+var_10], eax
		mov	ebx, edx
		lea	esi, ds:0[eax*8]
		sub	esi, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+esi*4]
		push	edi
		movzx	edi, byte ptr [ecx+16h]
		shr	edi, 6
		mov	[esp+20h+var_14], ecx
		mov	[esp+20h+var_4], edi
		test	bl, 2
		jnz	short loc_47A044
		mov	eax, [ebp+arg_0]
		lea	eax, [eax+edi*4]
		mov	eax, dword_6D074C[eax*4]
		mov	[esp+20h+var_4], eax
		cmp	eax, edi
		jnz	loc_47A0FC

loc_47A044:				; CODE XREF: MiZeroPhysicalPage+39j
					; MiZeroPhysicalPage+115j
		xor	esi, esi
		test	bl, 1
		jnz	loc_5B37E4

loc_47A04F:				; CODE XREF: MiZeroPhysicalPage+139807j
		mov	eax, large fs:20h
		cmp	dword ptr [eax+3D34h], 0
		jz	short loc_47A063
		mov	esi, 1

loc_47A063:				; CODE XREF: MiZeroPhysicalPage+6Cj
		mov	ecx, [esp+20h+var_10]
		push	0
		call	MiFillPhysicalPages
		mov	ebx, [esp+20h+var_14]
		jmp	short loc_47A0EB
; 

loc_47A074:				; CODE XREF: MiZeroPhysicalPage+13980Dj
		mov	ebx, [esp+20h+var_14]
		mov	ecx, 4
		mov	edx, ebx
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		mov	edx, [esp+20h+var_10]
		or	eax, 0A0000000h
		push	eax
		mov	ecx, esi
		call	MiMakeValidPte
		mov	[esp+20h+var_C], edx
		mov	ecx, esi
		mov	[esp+20h+var_14], eax
		mov	[esp+20h+var_C], edx
		mov	[esp+20h+var_10], 0
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5B3802
		mov	ecx, [esp+20h+var_14]

loc_47A0BC:				; CODE XREF: MiZeroPhysicalPage+13982Ej
					; MiZeroPhysicalPage+13983Cj ...
		mov	[esi+4], edx
		nop
		cmp	[esp+20h+var_10], 0
		mov	[esi], ecx
		jnz	loc_5B3872

loc_47A0CD:				; CODE XREF: MiZeroPhysicalPage+13988Bj
		mov	ecx, esi
		mov	edx, 1000h
		shl	ecx, 9
		call	_KeZeroPages	; KiZeroPages(x,x)
		push	1
		mov	edx, esi
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_47A0EB:				; CODE XREF: MiZeroPhysicalPage+82j
		mov	eax, [esp+24h+var_8]
		cmp	eax, edi
		jnz	short loc_47A10A

loc_47A0F3:				; CODE XREF: MiZeroPhysicalPage+11Dj
					; MiZeroPhysicalPage+139892j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_47A0FC:				; CODE XREF: MiZeroPhysicalPage+4Ej
		push	0
		mov	edx, eax
		call	MiChangePageAttribute
		jmp	loc_47A044
; 

loc_47A10A:				; CODE XREF: MiZeroPhysicalPage+101j
		cmp	eax, [ebp+arg_0]
		jz	short loc_47A0F3
		jmp	loc_5B3880
MiZeroPhysicalPage endp

; 
		align 10h
; Exported entry 1478. MmUnlockPages

; __stdcall MmUnlockPages(x)
		public _MmUnlockPages@4
_MmUnlockPages@4:			; CODE XREF: .text:004651E7p
					; MiGetWorkingSetInfoList(x,x,x,x)+1CFp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+8]
		mov	eax, [edi+8]
		lea	esi, [edi+1Ch]
		mov	[esp+5Ch], eax
		movzx	eax, word ptr [edi+6]
		mov	[esp+40h], esi
		mov	ebx, eax
		mov	[esp+30h], ebx
		test	eax, 200h
		jz	short loc_47A157
		mov	ecx, edi
		call	_MiRetardMdl@4	; MiRetardMdl(x)

loc_47A157:				; CODE XREF: .text:0047A14Ej
		mov	ecx, [edi+18h]
		add	ecx, [edi+10h]
		mov	eax, [edi+14h]
		and	ecx, 0FFFh
		add	eax, 0FFFh
		add	eax, ecx
		shr	eax, 0Ch
		mov	[esp+2Ch], eax
		test	bl, 1
		jz	short loc_47A187
		mov	eax, [edi+0Ch]
		push	edi
		push	eax
		call	MmUnmapLockedPages
		mov	eax, [esp+2Ch]

loc_47A187:				; CODE XREF: .text:0047A177j
		test	byte ptr ds:_MmTrackLockedPages, 1
		jz	short loc_47A199
		mov	edx, eax
		mov	ecx, edi
		call	_MiFreeMdlTracker@8 ; MiFreeMdlTracker(x,x)

loc_47A199:				; CODE XREF: .text:0047A18Ej
		xor	eax, eax
		mov	dword ptr [esp+44h], 0
		mov	[esp+18h], eax
		mov	ebx, 1
		mov	[esp+1Ch], eax
		mov	cl, 2
		mov	eax, [esp+2Ch]
		mov	[esp+14h], ebx
		lea	edi, [esi+eax*4]
		mov	eax, offset loc_7FFFFF
		mov	[esp+3Ch], edi
		mov	[esp+28h], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+13h], al

loc_47A1D4:				; CODE XREF: .text:0047A662j
		mov	esi, [esi]
		cmp	esi, 0FFFFFFFFh
		jz	loc_47A668
		cmp	esi, dword_6D07B0
		ja	loc_47A6A6
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_47A6A6
		lea	eax, ds:0[esi*8]
		sub	eax, esi
		test	dword ptr [esp+30h], 100h
		mov	esi, ds:_MmPfnDatabase
		lea	edi, [esi+eax*4]
		mov	[esp+34h], edi
		jz	short loc_47A291
		mov	ecx, [edi+18h]
		test	ecx, (offset loc_7FFFFF+1)
		jnz	short loc_47A291
		mov	eax, ecx
		and	eax, 70000000h
		cmp	eax, 10000000h
		jz	short loc_47A291
		mov	eax, ecx
		and	eax, offset loc_7FFFFF
		cmp	eax, (offset loc_7FFFFA+3)
		jz	short loc_47A291
		mov	edx, [esp+28h]
		cmp	edx, eax
		jz	short loc_47A291
		cmp	edx, offset loc_7FFFFF
		jz	short loc_47A275
		lea	eax, ds:0[edx*8]
		sub	eax, edx
		mov	edx, ebx
		lea	ecx, [esi+eax*4]
		call	_MiUnlockPageTableCharges@8 ; MiUnlockPageTableCharges(x,x)
		mov	ecx, [edi+18h]

loc_47A275:				; CODE XREF: .text:0047A25Dj
		and	ecx, offset loc_7FFFFF
		mov	[esp+28h], ecx
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		neg	eax
		sbb	eax, eax
		add	eax, 2
		mov	[esp+14h], eax

loc_47A291:				; CODE XREF: .text:0047A226j
					; .text:0047A231j ...
		xor	eax, eax
		lea	ebx, [edi+10h]
		mov	[esp+38h], eax
		xor	esi, esi
		mov	[esp+24h], eax
		mov	[esp+48h], eax
		lock bts dword ptr [ebx], 1Fh
		jnb	short loc_47A2C4
		jmp	short loc_47A2B0
; 
		align 10h

loc_47A2B0:				; CODE XREF: .text:0047A2ABj
					; .text:0047A2BBj ...
		lea	ecx, [esp+48h]
		call	KeYieldProcessorEx
		cmp	[ebx], esi
		jl	short loc_47A2B0
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_47A2B0

loc_47A2C4:				; CODE XREF: .text:0047A2A9j
		mov	al, [edi+16h]
		test	al, 20h
		jz	short loc_47A327
		test	al, 8
		jnz	short loc_47A327
		test	dword ptr [ebx], 3FFFFFFFh
		jnz	short loc_47A327
		mov	eax, [edi]
		sub	eax, 10h
		mov	[esp+50h], eax
		add	eax, 0A0h
		mov	[esp+20h], eax
		lea	esp, [esp+0]

loc_47A2F0:				; CODE XREF: .text:0047A318j
					; .text:0047A31Ej
		mov	esi, [eax]
		mov	ebx, esi
		mov	edx, [eax+4]
		sub	ebx, 1
		mov	ecx, edx
		mov	[esp+4Ch], edx
		sbb	ecx, 0
		mov	eax, esi
		nop
		mov	edi, [esp+20h]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [esp+34h]
		cmp	eax, esi
		mov	eax, [esp+20h]
		jnz	short loc_47A2F0
		cmp	edx, [esp+4Ch]
		jnz	short loc_47A2F0
		mov	esi, [esp+50h]
		lea	ebx, [edi+10h]

loc_47A327:				; CODE XREF: .text:0047A2C9j
					; .text:0047A2CDj ...
		test	byte ptr [esp+30h], 80h
		jz	loc_47A3D9
		test	esi, esi
		jnz	short loc_47A37E
		mov	ecx, [edi+8]
		mov	eax, ecx
		mov	edx, [edi+0Ch]
		and	eax, 400h
		or	eax, esi
		jnz	short loc_47A376
		test	byte ptr [edi+16h], 8
		jnz	short loc_47A376
		mov	esi, ecx
		shrd	ecx, edx, 2
		test	cl, 1
		jz	short loc_47A36C
		nop
		and	dword ptr [edi+8], 0FFFFFFFBh
		and	esi, 0FFFFFFFDh
		mov	eax, [edi+0Ch]
		mov	[edi+0Ch], eax
		mov	[esp+18h], esi
		jmp	short loc_47A372
; 

loc_47A36C:				; CODE XREF: .text:0047A356j
		xor	eax, eax
		mov	[esp+18h], eax

loc_47A372:				; CODE XREF: .text:0047A36Aj
		mov	[esp+1Ch], eax

loc_47A376:				; CODE XREF: .text:0047A345j
					; .text:0047A34Bj
		mov	al, [edi+16h]
		or	al, 10h
		mov	[edi+16h], al

loc_47A37E:				; CODE XREF: .text:0047A334j
		test	dword ptr [edi+18h], (offset loc_7FFFFF+1)
		jnz	short loc_47A3D9
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_47A3D9
		mov	edx, [edi+8]
		mov	eax, edx
		mov	ecx, [edi+0Ch]
		and	eax, 400h
		or	eax, 0
		jz	short loc_47A3D9
		mov	eax, dword_6D0704
		mov	esi, dword_6D0700
		mov	[esp+20h], eax
		mov	eax, esi
		or	eax, [esp+20h]
		jz	short loc_47A3D3
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_47A3CF
		mov	eax, [esp+20h]
		not	eax
		and	ecx, eax
		jmp	short loc_47A3D3
; 

loc_47A3CF:				; CODE XREF: .text:0047A3C3j
		mov	[esp+50h], edx

loc_47A3D3:				; CODE XREF: .text:0047A3B9j
					; .text:0047A3CDj
		mov	eax, [ecx]
		mov	[esp+38h], eax

loc_47A3D9:				; CODE XREF: .text:0047A32Cj
					; .text:0047A385j ...
		movzx	eax, word ptr [edi+14h]
		test	ax, ax
		jz	loc_47A8A4
		add	eax, 0FFFFh
		test	dword ptr [edi+18h], (offset loc_7FFFFF+1)
		mov	[edi+14h], ax
		jnz	loc_47A581
		mov	ecx, [ebx]
		mov	[esp+50h], ecx
		and	ecx, 3FFFFFFFh
		test	ax, ax
		jz	short loc_47A43F
		cmp	ax, 1
		jnz	short loc_47A419
		test	ecx, ecx
		jnz	short loc_47A435
		jmp	short loc_47A42B
; 

loc_47A419:				; CODE XREF: .text:0047A411j
		cmp	ax, 2
		jnz	loc_47A578
		test	ecx, ecx
		jz	loc_47A578

loc_47A42B:				; CODE XREF: .text:0047A417j
		test	byte ptr [edi+16h], 8
		jz	loc_47A578

loc_47A435:				; CODE XREF: .text:0047A415j
		mov	dword ptr [esp+20h], 0
		jmp	short loc_47A447
; 

loc_47A43F:				; CODE XREF: .text:0047A40Bj
		mov	dword ptr [esp+20h], 1

loc_47A447:				; CODE XREF: .text:0047A43Dj
		mov	esi, ds:_MmHighestUserAddress
		mov	edx, [edi+4]
		shr	esi, 9
		or	edx, 80000000h
		and	esi, offset loc_7FFFF8
		add	esi, 0C0000000h
		cmp	edx, esi
		ja	short loc_47A471
		cmp	edx, 0C0000000h
		jnb	short loc_47A482

loc_47A471:				; CODE XREF: .text:0047A467j
		mov	al, [edi+17h]
		test	al, 20h
		jz	short loc_47A482
		and	al, 0DFh
		mov	[edi+17h], al
		jmp	loc_47A54E
; 

loc_47A482:				; CODE XREF: .text:0047A46Fj
					; .text:0047A476j
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_47A49A
		mov	eax, [edi+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_47A4BD

loc_47A49A:				; CODE XREF: .text:0047A48Bj
		cmp	edx, esi
		ja	short loc_47A4AC
		cmp	edx, 0C0000000h
		jb	short loc_47A4AC
		test	byte ptr [edi+17h], 20h
		jnz	short loc_47A4BD

loc_47A4AC:				; CODE XREF: .text:0047A49Cj
					; .text:0047A4A4j
		cmp	dword ptr [esp+20h], 1
		jnz	short loc_47A4CC
		test	dword ptr [esp+50h], 40000000h
		jz	short loc_47A4CC

loc_47A4BD:				; CODE XREF: .text:0047A498j
					; .text:0047A4AAj
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit

loc_47A4CC:				; CODE XREF: .text:0047A4B1j
					; .text:0047A4BBj
		mov	eax, large fs:20h
		mov	esi, 1
		mov	edx, [eax+3D30h]
		add	eax, 3D30h
		mov	[esp+34h], eax
		cmp	edx, 0FFFFFFFFh
		jz	short loc_47A545
		lea	eax, [edx+1]
		cmp	eax, 100h
		ja	short loc_47A518

loc_47A4F5:				; CODE XREF: .text:0047A516j
		mov	ebx, [esp+34h]
		lea	ecx, [edx+1]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		lea	ebx, [edi+10h]
		cmp	eax, edx
		jz	short loc_47A54E
		mov	edx, eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_47A518
		inc	eax
		cmp	eax, 100h
		jbe	short loc_47A4F5

loc_47A518:				; CODE XREF: .text:0047A4F3j
					; .text:0047A50Ej
		cmp	edx, 0C0h
		jle	short loc_47A541
		cmp	edx, 0FFFFFFFFh
		jz	short loc_47A541
		mov	ebx, [esp+34h]
		mov	ecx, 0C0h
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		lea	ebx, [edi+10h]
		cmp	eax, edx
		jnz	short loc_47A541
		lea	esi, [edx-0BFh]

loc_47A541:				; CODE XREF: .text:0047A51Ej
					; .text:0047A523j ...
		test	esi, esi
		jz	short loc_47A54E

loc_47A545:				; CODE XREF: .text:0047A4E9j
		mov	eax, offset dword_6D5E40
		lock xadd [eax], esi

loc_47A54E:				; CODE XREF: .text:0047A47Dj
					; .text:0047A507j ...
		cmp	dword ptr [esp+20h], 0
		jz	short loc_47A578
		mov	ecx, edi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		lea	eax, [ecx+edx]
		mov	ecx, edi
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	MiPfnReferenceCountIsZero

loc_47A578:				; CODE XREF: .text:0047A41Dj
					; .text:0047A425j ...
		test	dword ptr [edi+18h], (offset loc_7FFFFF+1)
		jz	short loc_47A5BD

loc_47A581:				; CODE XREF: .text:0047A3F6j
		mov	eax, [ebx]
		test	eax, 40000000h
		jz	short loc_47A5BD
		cmp	word ptr [edi+14h], 2
		jnz	short loc_47A5BD
		and	eax, 0BFFFFFFFh
		mov	ecx, edi
		mov	[ebx], eax
		call	_MiGetBaseResidentPage@4 ; MiGetBaseResidentPage(x)
		mov	esi, [eax]
		dec	esi
		mov	[eax], esi
		cmp	eax, edi
		jz	short loc_47A5B3
		lea	ecx, [eax+10h]
		mov	edx, 7FFFFFFFh
		lock and [ecx],	edx

loc_47A5B3:				; CODE XREF: .text:0047A5A6j
		neg	esi
		sbb	esi, esi
		not	esi
		and	esi, eax
		jmp	short loc_47A5C1
; 

loc_47A5BD:				; CODE XREF: .text:0047A57Fj
					; .text:0047A588j ...
		mov	esi, [esp+24h]

loc_47A5C1:				; CODE XREF: .text:0047A5BBj
		mov	eax, 7FFFFFFFh
		lock and [ebx],	eax
		mov	edi, [esp+18h]
		mov	eax, edi
		mov	ecx, [esp+1Ch]
		or	eax, ecx
		jz	short loc_47A5F2
		push	ecx
		push	edi
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo
		xor	eax, eax
		mov	[esp+18h], eax
		mov	[esp+1Ch], eax

loc_47A5F2:				; CODE XREF: .text:0047A5D5j
		test	esi, esi
		jz	short loc_47A602
		mov	edx, 1
		mov	ecx, esi
		call	_MiFinishLargePageFree@8 ; MiFinishLargePageFree(x,x)

loc_47A602:				; CODE XREF: .text:0047A5F4j
		mov	eax, [esp+38h]
		test	eax, eax
		jz	short loc_47A616
		mov	edx, 1
		mov	ecx, eax
		call	_MiDereferenceControlAreaProbe@8 ; MiDereferenceControlAreaProbe(x,x)

loc_47A616:				; CODE XREF: .text:0047A608j
		mov	edi, [esp+3Ch]
		mov	ebx, [esp+14h]

loc_47A61E:				; CODE XREF: .text:0047A6B1j
		mov	eax, [esp+44h]
		mov	esi, [esp+40h]
		inc	eax
		add	esi, 4
		mov	[esp+44h], eax
		mov	[esp+40h], esi
		test	al, 3Fh
		jnz	short loc_47A660
		cmp	byte ptr [esp+13h], 2
		jnb	short loc_47A660
		cmp	esi, edi
		jnb	short loc_47A668
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_47A660
		mov	cl, [esp+13h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+13h], al

loc_47A660:				; CODE XREF: .text:0047A634j
					; .text:0047A63Bj ...
		cmp	esi, edi
		jb	loc_47A1D4

loc_47A668:				; CODE XREF: .text:0047A1D9j
					; .text:0047A63Fj
		mov	eax, [esp+28h]
		cmp	eax, offset loc_7FFFFF
		jz	loc_47A86E
		mov	edi, [esp+14h]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	dword ptr [esp+1Ch], 0
		mov	eax, ds:_MmPfnDatabase
		lea	ebx, [eax+ecx*4]
		cmp	edi, 2
		jnz	short loc_47A702
		mov	al, [ebx+16h]
		and	al, 7
		cmp	al, 6
		jz	short loc_47A6B6
		xor	eax, eax
		jmp	short loc_47A6F0
; 

loc_47A6A6:				; CODE XREF: .text:0047A1E5j
					; .text:0047A202j
		push	1
		mov	edx, esi
		xor	ecx, ecx
		call	MiDereferenceIoPages
		jmp	loc_47A61E
; 

loc_47A6B6:				; CODE XREF: .text:0047A6A0j
		test	dword ptr [ebx+10h], 3FFFFFFFh
		jnz	short loc_47A6C3
		xor	eax, eax
		jmp	short loc_47A6F0
; 

loc_47A6C3:				; CODE XREF: .text:0047A6BDj
		mov	ecx, [ebx+4]
		or	ecx, 80000000h
		lea	eax, [ecx+40000000h]
		cmp	eax, offset loc_7FFFFF
		jbe	short loc_47A6DD
		xor	eax, eax
		jmp	short loc_47A6F0
; 

loc_47A6DD:				; CODE XREF: .text:0047A6D7j
		shl	ecx, 9
		lea	eax, [ecx+40000000h]
		mov	ecx, offset loc_7FFFFF
		cmp	ecx, eax
		sbb	eax, eax
		inc	eax

loc_47A6F0:				; CODE XREF: .text:0047A6A4j
					; .text:0047A6C1j ...
		mov	dword ptr [esp+14h], 1
		test	eax, eax
		jz	loc_47A8AB
		jmp	short loc_47A70D
; 

loc_47A702:				; CODE XREF: .text:0047A697j
		neg	edi
		sbb	edi, edi
		add	edi, 2
		mov	[esp+14h], edi

loc_47A70D:				; CODE XREF: .text:0047A700j
		mov	eax, [ebx+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 10000h
		jb	loc_47A8AB
		xor	edi, edi
		xor	edx, edx
		mov	[esp+28h], edx
		jmp	short loc_47A730
; 
		align 10h

loc_47A730:				; CODE XREF: .text:0047A728j
					; .text:0047A7CFj
		mov	eax, [ebx+18h]
		lea	esi, [ebx+10h]
		and	eax, offset loc_7FFFFF
		mov	dword ptr [esp+58h], 0
		mov	[esp+50h], eax
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_47A765
		mov	edi, edi

loc_47A750:				; CODE XREF: .text:0047A75Cj
					; .text:0047A763j
		lea	ecx, [esp+58h]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_47A750
		lock bts dword ptr [esi], 1Fh
		jb	short loc_47A750

loc_47A765:				; CODE XREF: .text:0047A74Cj
		mov	eax, [esi]
		lea	edx, [eax-10000h]
		xor	edx, eax
		and	edx, 3FFFFFFFh
		xor	edx, eax
		mov	[esi], edx
		and	edx, 3FFFFFFFh
		cmp	edx, 10000h
		jnb	short loc_47A7D4
		cmp	dword ptr [esp+1Ch], 0
		jnz	short loc_47A796
		mov	dword ptr [esp+1Ch], offset _MiSystemPartition

loc_47A796:				; CODE XREF: .text:0047A78Cj
		inc	edi
		test	edx, edx
		jnz	short loc_47A7AB
		mov	ecx, ebx
		call	_MiPfnShareCountIsZero@8 ; MiPfnShareCountIsZero(x,x)
		cmp	eax, 3
		jz	short loc_47A7AB
		inc	dword ptr [esp+28h]

loc_47A7AB:				; CODE XREF: .text:0047A799j
					; .text:0047A7A5j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		sub	dword ptr [esp+14h], 1
		jz	short loc_47A7DC
		mov	eax, [esp+50h]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ebx, [eax+ecx*4]
		jmp	loc_47A730
; 

loc_47A7D4:				; CODE XREF: .text:0047A785j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax

loc_47A7DC:				; CODE XREF: .text:0047A7B8j
		mov	ebx, [esp+1Ch]
		test	edi, edi
		jz	short loc_47A85F
		cmp	ebx, offset _MiSystemPartition
		jnz	short loc_47A851
		mov	eax, large fs:20h
		mov	edx, [eax+3D30h]
		lea	esi, [eax+3D30h]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_47A851
		lea	eax, [edx+edi]
		cmp	eax, 100h
		ja	short loc_47A82D
		lea	ecx, [ecx+0]

loc_47A810:				; CODE XREF: .text:0047A82Bj
		lea	ecx, [edx+edi]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_47A85F
		mov	edx, eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_47A82D
		add	eax, edi
		cmp	eax, 100h
		jbe	short loc_47A810

loc_47A82D:				; CODE XREF: .text:0047A80Bj
					; .text:0047A822j
		cmp	edx, 0C0h
		jle	short loc_47A851
		cmp	edx, 0FFFFFFFFh
		jz	short loc_47A851
		mov	eax, edx
		mov	ecx, 0C0h
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_47A851
		add	edi, 0FFFFFF40h
		add	edi, edx

loc_47A851:				; CODE XREF: .text:0047A7EAj
					; .text:0047A801j ...
		test	edi, edi
		jz	short loc_47A85F
		lea	eax, [ebx+1000h]
		lock xadd [eax], edi

loc_47A85F:				; CODE XREF: .text:0047A7E2j
					; .text:0047A81Bj ...
		mov	edx, [esp+28h]
		test	edx, edx
		jz	short loc_47A86E
		mov	ecx, ebx
		call	MiReturnCommit

loc_47A86E:				; CODE XREF: .text:0047A671j
					; .text:0047A865j
		mov	cl, [esp+13h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+5Ch]
		test	eax, eax
		jz	short loc_47A88F
		mov	ecx, [esp+2Ch]
		add	eax, 150h
		neg	ecx
		lock xadd [eax], ecx

loc_47A88F:				; CODE XREF: .text:0047A87Ej
		mov	eax, [ebp+8]
		mov	ecx, 0FFFFF6FDh
		pop	edi
		pop	esi
		pop	ebx
		and	[eax+6], cx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_47A8A4:				; CODE XREF: .text:0047A3E0j
		mov	ecx, edi
		call	_MiBadRefCount@4 ; MiBadRefCount(x)

loc_47A8AB:				; CODE XREF: .text:0047A6FAj
					; .text:0047A71Aj
		mov	eax, [ebx+10h]
		and	eax, 3FFFFFFFh
		push	eax
		mov	eax, [ebx+4]
		or	eax, 80000000h
		push	eax
		push	ebx
		push	41791h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh
		align 10h
; Exported entry 1481. MmUnmapLockedPages

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmUnmapLockedPages
MmUnmapLockedPages proc	near		; CODE XREF: .text:00449287p
					; MiFreePagesFromMdl(x,x)+EFp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B3898 SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, 200h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		xor	edi, edi
		test	[esi+6], ax
		jnz	loc_5B3898

loc_47A8F2:				; CODE XREF: MmUnmapLockedPages+138FD1j
		mov	eax, [esi+18h]
		add	eax, [esi+10h]
		mov	ecx, [esi+14h]
		mov	edx, eax
		mov	ebx, [ebp+arg_0]
		and	edx, 0FFFh
		mov	[esp+20h+var_10], eax
		lea	eax, [ecx+0FFFh]
		add	eax, edx
		shr	eax, 0Ch
		mov	[esp+20h+var_14], eax
		cmp	ebx, ds:_MmHighestUserAddress
		jbe	loc_47A9DE
		and	word ptr [esi+6], 0FFDEh
		sub	ebx, edi
		mov	ax, [esi+6]
		mov	edi, ebx
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		add	edi, 0C0000000h
		test	al, 4
		jnz	loc_5B38A6

loc_47A949:				; CODE XREF: MmUnmapLockedPages+138FDDj
		mov	eax, edi
		mov	[esp+20h+var_10], edi
		shr	eax, 9
		mov	ecx, 2
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[esp+20h+var_C], eax

loc_47A965:				; CODE XREF: MmUnmapLockedPages+B5j
		mov	eax, [esp+ecx*4+20h+var_14]
		dec	ecx
		mov	edx, [eax]
		nop
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	short loc_47A987
		and	edx, 80h
		or	edx, 0
		jnz	short loc_47A989
		cmp	ecx, 1
		jnz	short loc_47A965

loc_47A987:				; CODE XREF: MmUnmapLockedPages+A5j
		xor	ecx, ecx

loc_47A989:				; CODE XREF: MmUnmapLockedPages+B0j
		mov	eax, edi
		test	ecx, ecx
		jnz	loc_5B38B2

loc_47A993:				; CODE XREF: MmUnmapLockedPages+138FF4j
		mov	ecx, [eax]
		nop
		and	ecx, 200h
		or	ecx, 0
		jnz	short loc_47A9D1

loc_47A9A1:				; CODE XREF: MmUnmapLockedPages+10Cj
		cmp	ds:_MmProtectFreedNonPagedPool,	1
		mov	eax, [esp+20h+var_14]
		jz	short loc_47A9F1

loc_47A9AE:				; CODE XREF: MmUnmapLockedPages+126j
		test	byte ptr ds:dword_7051B4, 1
		jnz	loc_5B38C9

loc_47A9BB:				; CODE XREF: MmUnmapLockedPages+139007j
		push	eax
		mov	edx, edi
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_47A9D1:				; CODE XREF: MmUnmapLockedPages+CFj
		mov	edx, [esp+20h+var_14]
		mov	ecx, ebx
		call	MiZeroAndFlushPtes
		jmp	short loc_47A9A1
; 

loc_47A9DE:				; CODE XREF: MmUnmapLockedPages+4Fj
		push	ecx
		mov	edx, eax
		mov	ecx, ebx
		call	MiUnmapLockedPagesInUserSpace
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_47A9F1:				; CODE XREF: MmUnmapLockedPages+DCj
		inc	eax
		mov	[esp+20h+var_14], eax
		jmp	short loc_47A9AE
MmUnmapLockedPages endp

; 
		align 10h

; __stdcall MiReleasePtes(x, x,	x)
_MiReleasePtes@12:			; CODE XREF: MiDeleteProcessShadow+1A8p
					; MiCopyToUserVa(x,x,x,x)+369p	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0D0h], eax
		push	ebx
		mov	ebx, [ebp+8]
		lea	eax, [esp+38h]
		push	esi
		push	edi
		push	98h
		mov	edi, ecx
		mov	[esp+14h], ebx
		push	0
		push	eax
		mov	esi, edx
		mov	[esp+28h], edi
		mov	dword ptr [esp+3Ch], 0
		mov	dword ptr [esp+40h], 0
		call	_memset
		add	esp, 0Ch
		cmp	edi, offset dword_6D35E0
		jnz	short loc_47AA6C
		test	byte ptr ds:dword_7051B4, 2
		jz	short loc_47AA6C
		mov	edx, ebx
		mov	ecx, esi
		call	_MiCheckPteRelease@8 ; MiCheckPteRelease(x,x)

loc_47AA6C:				; CODE XREF: .text:0047AA58j
					; .text:0047AA61j
		mov	eax, [esp+10h]
		mov	ebx, esi
		sub	ebx, [edi+8]
		mov	edx, eax
		sar	ebx, 3
		test	byte ptr [edi+0Ch], 4
		mov	[esp+20h], eax
		jz	short loc_47AA8E
		shr	ebx, 4
		shr	edx, 4
		mov	[esp+20h], edx

loc_47AA8E:				; CODE XREF: .text:0047AA82j
		cmp	eax, 200h
		jb	short loc_47AAAA
		cmp	edi, offset dword_6D35E0
		jnz	short loc_47AAAA
		mov	dword ptr [esp+24h], 1
		jmp	loc_47AB71
; 

loc_47AAAA:				; CODE XREF: .text:0047AA93j
					; .text:0047AA9Bj
		mov	eax, [edi]
		mov	dword ptr [esp+24h], 0
		cmp	ebx, eax
		jnb	loc_47ADB1
		cmp	edx, 1
		ja	short loc_47AADD
		jnz	loc_47ADB1
		mov	eax, [edi+4]
		bt	[eax], ebx
		setb	al
		test	al, al
		jz	loc_47ADB1
		jmp	loc_47AB71
; 

loc_47AADD:				; CODE XREF: .text:0047AABFj
		sub	eax, ebx
		cmp	eax, edx
		jb	loc_47ADB1
		mov	ecx, [edi+4]
		mov	eax, ebx
		shr	eax, 5
		lea	edi, [ecx+eax*4]
		lea	eax, [ebx-1]
		add	eax, edx
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	ecx, [edi]
		mov	[esp+14h], eax
		mov	[esp+18h], ecx
		cmp	edi, eax
		jnz	short loc_47AB25
		mov	ecx, 20h
		or	eax, 0FFFFFFFFh
		sub	ecx, edx
		shr	eax, cl
		mov	ecx, ebx
		shl	eax, cl
		mov	ecx, [esp+18h]
		and	ecx, eax
		cmp	ecx, eax
		jmp	short loc_47AB67
; 

loc_47AB25:				; CODE XREF: .text:0047AB09j
		or	eax, 0FFFFFFFFh
		mov	ecx, ebx
		shl	eax, cl
		mov	ecx, [esp+18h]
		and	ecx, eax
		cmp	ecx, eax
		jnz	loc_47ADB1
		mov	eax, [esp+14h]
		add	edi, 4
		cmp	edi, eax
		jz	short loc_47AB55

loc_47AB45:				; CODE XREF: .text:0047AB53j
		cmp	dword ptr [edi], 0FFFFFFFFh
		jnz	loc_47ADB1
		add	edi, 4
		cmp	edi, eax
		jnz	short loc_47AB45

loc_47AB55:				; CODE XREF: .text:0047AB43j
		mov	eax, [edi]
		lea	ecx, [edx-1]
		add	ecx, ebx
		or	edx, 0FFFFFFFFh
		not	ecx
		shr	edx, cl
		and	eax, edx
		cmp	eax, edx

loc_47AB67:				; CODE XREF: .text:0047AB23j
		jnz	loc_47ADB1
		mov	edi, [esp+1Ch]

loc_47AB71:				; CODE XREF: .text:0047AAA5j
					; .text:0047AAD8j
		mov	edx, [esp+10h]
		test	edx, edx
		jz	short loc_47AB98
		mov	ecx, edx
		jmp	short loc_47AB80
; 
		align 10h

loc_47AB80:				; CODE XREF: .text:0047AB7Bj
					; .text:0047AB96j
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+4], eax
		add	esi, 8
		sub	ecx, 1
		jnz	short loc_47AB80

loc_47AB98:				; CODE XREF: .text:0047AB77j
		lea	eax, ds:0[edx*8]
		sub	esi, eax
		cmp	dword ptr [esp+24h], 0
		jnz	loc_47AD89
		test	byte ptr [edi+0Ch], 1
		jz	short loc_47ABC5
		push	edx
		mov	edx, esi
		mov	ecx, edi
		call	_MiInsertCachedPte@12 ;	MiInsertCachedPte(x,x,x)
		cmp	eax, 1
		jz	loc_47AD16

loc_47ABC5:				; CODE XREF: .text:0047ABB0j
		lea	ecx, [esp+30h]
		call	_MiInitializeTbFlushStamps@4 ; MiInitializeTbFlushStamps(x)
		mov	ecx, [esp+10h]
		mov	eax, [esp+30h]
		mov	edx, [esp+34h]
		mov	[esp+18h], eax
		test	ecx, ecx
		jz	short loc_47ABFA
		mov	edi, [esp+18h]
		mov	eax, ecx

loc_47ABE8:				; CODE XREF: .text:0047ABF4j
		mov	[esi], edi
		nop
		mov	[esi+4], edx
		add	esi, 8
		sub	eax, 1
		jnz	short loc_47ABE8
		mov	edi, [esp+1Ch]

loc_47ABFA:				; CODE XREF: .text:0047ABE0j
		lea	eax, ds:0[ecx*8]
		mov	[esp+14h], edx
		mov	ecx, dword_6D0704
		sub	esi, eax
		mov	eax, dword_6D0700
		mov	[esp+3Ch], eax
		or	eax, ecx
		mov	[esp+28h], ecx
		mov	ecx, [esp+10h]
		jz	short loc_47AC52
		mov	edx, [esp+18h]
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_47AC4A
		mov	eax, [esp+3Ch]
		mov	edx, [esp+28h]
		not	eax
		and	eax, [esp+18h]
		not	edx
		and	edx, [esp+14h]
		mov	[esp+28h], eax
		jmp	short loc_47AC52
; 

loc_47AC4A:				; CODE XREF: .text:0047AC2Ej
		mov	[esp+28h], edx
		mov	edx, [esp+14h]

loc_47AC52:				; CODE XREF: .text:0047AC20j
					; .text:0047AC48j
		xor	eax, eax
		or	eax, edx
		jnz	short loc_47AC9D
		mov	eax, [edi+0Ch]
		not	eax
		shl	esi, 9
		push	0
		and	eax, 2
		mov	word ptr [esp+48h], 0
		push	ecx
		mov	edx, esi
		mov	[esp+48h], eax
		lea	ecx, [esp+48h]
		mov	dword ptr [esp+58h], 0
		mov	dword ptr [esp+50h], 21h
		mov	dword ptr [esp+5Ch], 0
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [esp+40h]
		call	MiFlushTbList

loc_47AC9D:				; CODE XREF: .text:0047AC56j
		mov	eax, [esp+1Ch]
		mov	ecx, ebx
		mov	edi, [esp+20h]
		mov	esi, edi
		shr	ecx, 5
		mov	eax, [eax+4]
		lea	edx, [eax+ecx*4]
		mov	ecx, ebx
		and	ecx, 1Fh
		mov	[esp+14h], ecx
		lea	eax, [ecx+edi]
		cmp	eax, 20h
		ja	short loc_47AD2D
		cmp	edi, 20h
		jnz	short loc_47ACD0
		mov	dword ptr [edx], 0
		jmp	short loc_47ACE5
; 

loc_47ACD0:				; CODE XREF: .text:0047ACC6j
		mov	ecx, edi
		mov	eax, 1
		shl	eax, cl
		mov	ecx, [esp+14h]
		dec	eax
		shl	eax, cl
		not	eax

loc_47ACE2:				; CODE XREF: .text:0047AD84j
		lock and [edx],	eax

loc_47ACE5:				; CODE XREF: .text:0047ACCEj
					; .text:0047AD77j
		mov	edx, [esp+10h]

loc_47ACE9:				; CODE XREF: .text:0047AD8Dj
		mov	ecx, [esp+1Ch]
		mov	esi, edi
		lea	eax, [ecx+30h]
		lock xadd [eax], esi
		cmp	dword ptr [esp+24h], 1
		jnz	loc_47AD92
		lea	eax, [edx+1FFh]
		mov	edx, ebx
		push	1
		and	eax, 0FFFFFE00h
		push	eax
		call	_MiReturnSystemPtes@16 ; MiReturnSystemPtes(x,x,x,x)

loc_47AD16:				; CODE XREF: .text:0047ABBFj
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+0D0h]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_47AD2D:				; CODE XREF: .text:0047ACC1j
		test	ecx, ecx
		jz	short loc_47AD5A
		mov	esi, 20h
		mov	eax, 1
		sub	esi, ecx
		mov	ecx, esi
		mov	[esp+28h], esi
		shl	eax, cl
		mov	ecx, [esp+14h]
		dec	eax
		shl	eax, cl
		not	eax
		lock and [edx],	eax
		mov	esi, edi
		sub	esi, [esp+28h]
		add	edx, 4

loc_47AD5A:				; CODE XREF: .text:0047AD2Fj
		cmp	esi, 20h
		jb	short loc_47AD75
		mov	eax, esi
		shr	eax, 5

loc_47AD64:				; CODE XREF: .text:0047AD73j
		mov	dword ptr [edx], 0
		sub	esi, 20h
		add	edx, 4
		sub	eax, 1
		jnz	short loc_47AD64

loc_47AD75:				; CODE XREF: .text:0047AD5Dj
		test	esi, esi
		jz	loc_47ACE5
		mov	ecx, esi
		or	eax, 0FFFFFFFFh
		shl	eax, cl
		jmp	loc_47ACE2
; 

loc_47AD89:				; CODE XREF: .text:0047ABA6j
		mov	edi, [esp+20h]
		jmp	loc_47ACE9
; 

loc_47AD92:				; CODE XREF: .text:0047ACFBj
		push	edi
		mov	edx, ebx
		call	MiAttemptCoalesce
		mov	ecx, [esp+0DCh]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_47ADB1:				; CODE XREF: .text:0047AAB6j
					; .text:0047AAC1j ...
		push	ebx
		push	dword ptr [esp+14h]
		shl	esi, 9
		push	esi
		push	302h
		push	0DAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertCachedPte(x, x, x)
_MiInsertCachedPte@12 proc near		; CODE XREF: .text:0047ABB7p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, edx
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], ecx
		mov	[ebp+var_50], 0
		mov	[ebp+var_4C], 0
		cmp	edi, 40h
		ja	loc_47B0EE
		mov	edx, [ecx+8]
		mov	[ebp+var_34], edx
		cmp	eax, edx
		jz	loc_47B0EE
		cmp	edi, 1
		jnz	short loc_47AE19
		mov	[ebp+var_20], 1000h
		jmp	short loc_47AE5C
; 

loc_47AE19:				; CODE XREF: MiInsertCachedPte(x,x,x)+3Ej
		mov	esi, dword_6D0700
		xor	edx, edx
		mov	ebx, dword_6D0704
		mov	eax, esi
		or	eax, ebx
		mov	ecx, edi
		jz	short loc_47AE48
		mov	ecx, esi
		mov	eax, ebx
		and	ecx, edx
		and	eax, edi
		or	ecx, eax
		jnz	short loc_47AE43
		mov	ecx, ebx
		or	edx, esi
		or	ecx, edi
		jmp	short loc_47AE48
; 

loc_47AE43:				; CODE XREF: MiInsertCachedPte(x,x,x)+69j
		or	edx, 10h
		mov	ecx, edi

loc_47AE48:				; CODE XREF: MiInsertCachedPte(x,x,x)+5Dj
					; MiInsertCachedPte(x,x,x)+71j
		mov	eax, [ebp+var_24]
		mov	[eax+8], edx
		nop
		mov	[eax+0Ch], ecx
		mov	ecx, [ebp+var_28]
		mov	[ebp+var_20], 0

loc_47AE5C:				; CODE XREF: MiInsertCachedPte(x,x,x)+47j
		mov	eax, large fs:20h
		mov	ecx, [ecx+2Ch]
		mov	[ebp+var_18], 0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		lea	eax, [eax+eax*8]
		lea	ebx, [ecx+eax*8]
		xor	ecx, ecx
		mov	[ebp+var_38], ebx
		lea	eax, [ebp+var_18]
		lock or	[eax], ecx
		mov	ecx, ds:_KiTbFlushTimeStamp
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jnz	short loc_47AEC8
		jmp	short loc_47AEA0
; 
		align 10h

loc_47AEA0:				; CODE XREF: MiInsertCachedPte(x,x,x)+C7j
					; MiInsertCachedPte(x,x,x)+F6j
		mov	edx, 1
		xor	ecx, ecx
		call	KeFlushTb
		mov	[ebp+var_18], 0
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, ds:_KiTbFlushTimeStamp
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	short loc_47AEA0

loc_47AEC8:				; CODE XREF: MiInsertCachedPte(x,x,x)+C5j
		mov	edx, dword_6D0700
		mov	eax, ecx
		and	eax, 7
		xor	esi, esi
		xor	edi, edi
		lea	eax, [ebx+eax*8]
		mov	ebx, dword_6D0704
		mov	[ebp+var_14], eax
		mov	eax, edx
		or	eax, ebx
		jz	short loc_47AEED
		mov	esi, edx
		mov	edi, ebx

loc_47AEED:				; CODE XREF: MiInsertCachedPte(x,x,x)+117j
		mov	eax, [ebp+var_14]
		and	esi, 0FFFF0FFFh
		or	esi, [ebp+var_20]
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_C], edi

loc_47AEFF:				; CODE XREF: MiInsertCachedPte(x,x,x)+14Fj
		mov	ebx, [eax]
		mov	edx, [eax+4]
		mov	[ebp+var_8], edx

loc_47AF07:				; CODE XREF: MiInsertCachedPte(x,x,x)+1E4j
					; MiInsertCachedPte(x,x,x)+2C1j
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_30], edx
		cmp	ebx, ecx
		jz	loc_47AFB9
		test	edx, edx
		jz	loc_47AFB9
		test	ebx, ebx
		jz	short loc_47AEFF
		mov	[ebp+var_3C], 0
		lea	eax, [ebp+var_3C]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	edx, ds:_KiTbFlushTimeStamp
		mov	ecx, ebx
		push	0FFFFFFFFh
		call	_MiTbFlushTimeStampMayNeedFlush@12 ; MiTbFlushTimeStampMayNeedFlush(x,x,x)
		test	al, al
		jnz	loc_47B096
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, [ebp+var_8]
		mov	[ebp+var_1], al
		mov	eax, ebx
		nop
		mov	edi, [ebp+var_14]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_C]
		mov	ebx, eax
		mov	[ebp+var_8], edx
		cmp	ebx, [ebp+var_2C]
		jnz	short loc_47AFA2
		mov	eax, [ebp+var_30]
		cmp	edx, eax
		jnz	short loc_47AFA2
		mov	ebx, [ebp+var_28]
		mov	edx, eax
		push	ecx
		mov	ecx, ebx
		call	_MiReplenishBitMap@12 ;	MiReplenishBitMap(x,x,x)
		mov	edx, eax
		lea	eax, [ebx+30h]
		mov	ecx, edx
		lock xadd [eax], ecx
		mov	eax, [ebp+var_38]
		neg	edx
		add	eax, 40h
		lock xadd [eax], edx
		xor	ebx, ebx
		xor	edx, edx
		mov	[ebp+var_8], edx

loc_47AFA2:				; CODE XREF: MiInsertCachedPte(x,x,x)+19Ej
					; MiInsertCachedPte(x,x,x)+1A5j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_14]
		jmp	loc_47AF07
; 

loc_47AFB9:				; CODE XREF: MiInsertCachedPte(x,x,x)+13Fj
					; MiInsertCachedPte(x,x,x)+147j
		mov	eax, esi
		mov	[ebp+var_44], 0
		or	eax, edi
		jnz	short loc_47AFCD
		xor	esi, esi
		mov	[ebp+var_44], esi
		jmp	short loc_47B010
; 

loc_47AFCD:				; CODE XREF: MiInsertCachedPte(x,x,x)+1F4j
		mov	eax, dword_6D0700
		mov	ecx, esi
		mov	edx, dword_6D0704
		mov	[ebp+var_C], eax
		or	eax, edx
		mov	[ebp+var_40], edx
		mov	edx, [ebp+var_8]
		mov	[ebp+var_1C], edi
		jz	short loc_47B00D
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_47B005
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_40]
		not	esi
		not	edi
		and	esi, ecx
		and	edi, [ebp+var_1C]
		jmp	short loc_47B00D
; 

loc_47B005:				; CODE XREF: MiInsertCachedPte(x,x,x)+222j
		mov	edi, [ebp+var_1C]
		mov	esi, ecx
		and	esi, 0FFFFFFEFh

loc_47B00D:				; CODE XREF: MiInsertCachedPte(x,x,x)+218j
					; MiInsertCachedPte(x,x,x)+233j
		mov	[ebp+var_44], edi

loc_47B010:				; CODE XREF: MiInsertCachedPte(x,x,x)+1FBj
		mov	eax, dword_6D0704
		xor	edi, edi
		mov	ecx, dword_6D0700
		or	edi, edx
		mov	[ebp+var_8], eax
		mov	eax, ecx
		or	eax, [ebp+var_8]
		mov	[ebp+var_C], edi
		mov	[ebp+var_40], esi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_44], ecx
		jz	short loc_47B05B
		mov	eax, [ebp+var_8]
		mov	edi, esi
		and	eax, [ebp+var_1C]
		and	ecx, edi
		or	ecx, eax
		jnz	short loc_47B050
		mov	esi, [ebp+var_44]
		or	esi, edi
		mov	edi, [ebp+var_8]
		or	edi, [ebp+var_1C]
		jmp	short loc_47B058
; 

loc_47B050:				; CODE XREF: MiInsertCachedPte(x,x,x)+271j
		mov	esi, edi
		mov	edi, [ebp+var_1C]
		or	esi, 10h

loc_47B058:				; CODE XREF: MiInsertCachedPte(x,x,x)+27Ej
		mov	[ebp+var_C], edi

loc_47B05B:				; CODE XREF: MiInsertCachedPte(x,x,x)+263j
		mov	eax, [ebp+var_24]
		mov	[eax], esi
		nop
		mov	ecx, eax
		mov	[eax+4], edi
		sub	ecx, [ebp+var_34]
		mov	eax, ebx
		sar	ecx, 3
		nop
		mov	ebx, [ebp+var_10]
		mov	edi, [ebp+var_14]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_C]
		mov	ebx, eax
		mov	[ebp+var_8], edx
		cmp	ebx, [ebp+var_2C]
		jnz	short loc_47B08B
		cmp	edx, [ebp+var_30]
		jz	short loc_47B0D3

loc_47B08B:				; CODE XREF: MiInsertCachedPte(x,x,x)+2B4j
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_14]
		jmp	loc_47AF07
; 

loc_47B096:				; CODE XREF: MiInsertCachedPte(x,x,x)+171j
		push	0
		push	0
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebp+var_24]
		and	eax, 0FFFF0FFFh
		or	eax, [ebp+var_20]
		mov	[ecx], eax
		nop
		mov	esi, [ebp+var_28]
		mov	[ecx+4], edx
		sub	ecx, [ebp+var_34]
		sar	ecx, 3
		mov	edx, ecx
		mov	ecx, esi
		push	0
		call	_MiReplenishBitMap@12 ;	MiReplenishBitMap(x,x,x)
		mov	edx, eax
		lea	eax, [esi+30h]
		mov	ecx, edx
		lock xadd [eax], ecx
		neg	edx
		jmp	short loc_47B0D6
; 

loc_47B0D3:				; CODE XREF: MiInsertCachedPte(x,x,x)+2B9j
		mov	edx, [ebp+arg_0]

loc_47B0D6:				; CODE XREF: MiInsertCachedPte(x,x,x)+301j
		mov	ecx, [ebp+var_38]
		add	ecx, 40h
		lock xadd [ecx], edx
		mov	eax, 1
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_47B0EE:				; CODE XREF: MiInsertCachedPte(x,x,x)+27j
					; MiInsertCachedPte(x,x,x)+35j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiInsertCachedPte@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDecrementAndInsertStandbyPages proc near ; CODE XREF:	MmUnmapViewInSystemCache+32Cp
					; MmUnmapViewInSystemCache+834p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B38DC SIZE 0000007A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	eax, edx
		mov	[ebp+var_8], ecx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_14], eax
		push	edi
		test	eax, eax
		jz	loc_47B295
		lea	ecx, [ecx+0]

loc_47B120:				; CODE XREF: MiDecrementAndInsertStandbyPages+18Fj
		mov	esi, [ecx+ebx*4]
		xor	eax, eax
		and	dword ptr [esi+10h], 0C0000000h
		mov	[esi+14h], ax
		mov	al, [esi+16h]
		and	al, 0FAh
		or	al, 2
		mov	[esi+16h], al
		mov	ecx, [esi+8]
		nop
		mov	eax, [esi+0Ch]
		mov	edx, [esi+18h]
		shrd	ecx, eax, 5
		mov	eax, [esi+4]
		and	edx, offset loc_7FFFFF
		and	ecx, 1Fh
		mov	[ebp+var_C], eax
		mov	eax, ds:_MmPfnDatabase
		mov	esi, 4
		mov	[ebp+var_10], ecx
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		movzx	eax, byte ptr [eax+ecx*4+16h]
		shr	eax, 6
		test	eax, eax
		jz	loc_5B38E6
		cmp	eax, 3
		jz	loc_5B38E6
		cmp	eax, 2
		jz	loc_5B38DC

loc_47B18F:				; CODE XREF: MiDecrementAndInsertStandbyPages+1387E1j
					; MiDecrementAndInsertStandbyPages+1387EBj
		or	esi, 0A0000000h
		xor	ecx, ecx
		push	esi
		call	MiMakeValidPte
		mov	ecx, large fs:20h
		mov	edi, eax
		mov	[ebp+var_4], 0
		mov	esi, [ecx+3D34h]
		mov	ecx, esi
		and	ecx, 0FFFh
		and	esi, 0FFFFF000h
		shl	ecx, 0Ch
		add	esi, ecx
		mov	ecx, esi
		shr	ecx, 9
		sub	ecx, 40000000h
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5B38F0

loc_47B1DE:				; CODE XREF: MiDecrementAndInsertStandbyPages+138808j
					; MiDecrementAndInsertStandbyPages+138819j ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], edi
		test	eax, eax
		jnz	loc_5B394A

loc_47B1EC:				; CODE XREF: MiDecrementAndInsertStandbyPages+138851j
		mov	eax, [ebp+var_C]
		shr	eax, 3
		and	eax, 1FFh
		mov	ecx, [esi+eax*8]
		lea	edi, [esi+eax*8]
		nop
		mov	eax, [edi+4]
		nop
		mov	edx, [ebp+var_10]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], edx
		mov	[edi], eax
		nop
		mov	[edi+4], edx
		mov	eax, large fs:20h
		mov	[ebp+var_4], eax
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		mov	eax, [eax+3D34h]
		mov	esi, eax
		and	esi, 0FFFh
		and	eax, 0FFFFF000h
		mov	[ebp+var_C], eax
		lea	eax, [esi+1]
		mov	[ebp+var_10], eax
		mov	eax, ds:_ZeroPte
		mov	[edi-40000000h], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edi-3FFFFFFCh], eax
		cmp	esi, 0FFh
		jz	short loc_47B2AB

loc_47B26D:				; CODE XREF: MiDecrementAndInsertStandbyPages+1B0j
		mov	eax, [ebp+var_4]
		sub	esi, 0FFh
		mov	ecx, [ebp+var_8]
		neg	esi
		sbb	esi, esi
		inc	ebx
		and	esi, [ebp+var_10]
		or	esi, [ebp+var_C]
		mov	[eax+3D34h], esi
		mov	eax, [ebp+var_14]
		cmp	ebx, eax
		jb	loc_47B120

loc_47B295:				; CODE XREF: MiDecrementAndInsertStandbyPages+17j
		push	[ebp+arg_0]
		mov	edx, ecx
		xor	ecx, ecx
		push	eax
		call	MiInsertAndUnlockStandbyPages
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_47B2AB:				; CODE XREF: MiDecrementAndInsertStandbyPages+16Bj
		call	_MiFlushHyperSpace@0 ; MiFlushHyperSpace()
		jmp	short loc_47B26D
MiDecrementAndInsertStandbyPages endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiPteInShadowRange(x)
_MiPteInShadowRange@4 proc near		; CODE XREF: MiUpdateSystemPdes+72p
					; MiPaeUpdateSelfMap+42p ...
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_47B2E6
		mov	eax, 0C0603010h

loc_47B2D1:				; CODE XREF: MiPteInShadowRange(x)+2Bj
		cmp	ecx, 0C0603000h
		jnb	short loc_47B2DC

loc_47B2D9:				; CODE XREF: MiPteInShadowRange(x)+1Ej
		xor	eax, eax
		retn
; 

loc_47B2DC:				; CODE XREF: MiPteInShadowRange(x)+17j
		cmp	ecx, eax
		jnb	short loc_47B2D9
		mov	eax, 1
		retn
; 

loc_47B2E6:				; CODE XREF: MiPteInShadowRange(x)+Aj
		mov	eax, 0C0603018h
		jmp	short loc_47B2D1
_MiPteInShadowRange@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMakeValidPte	proc near		; CODE XREF: MiCopyToUserVa(x,x,x,x)+2A6p
					; MiAssignNonPagedPoolPte(x,x)+4Ap ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B3956 SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		mov	[ebp+var_4], ecx
		xor	eax, eax
		mov	ecx, [ebp+arg_0]
		and	edx, 1FFFFFFh
		push	esi
		mov	ebx, ecx
		and	ebx, 1Fh
		push	edi
		shld	eax, edx, 0Ch
		mov	edi, ds:dword_40B4DC[ebx*8]
		mov	esi, ds:_MmProtectToPteMask[ebx*8]
		and	edi, 0FFFFFFE0h
		and	esi, 0E7Fh
		shl	edx, 0Ch
		or	edi, eax
		or	esi, edx
		mov	eax, [ebp+var_4]
		or	esi, 21h
		add	eax, 40000000h
		cmp	eax, offset loc_7FFFFF
		ja	short loc_47B3C1
		mov	eax, [ebp+var_4]
		mov	edx, eax
		shl	edx, 9
		mov	[ebp+var_8], edx
		cmp	eax, 0C0600000h
		jnb	loc_47B44A

loc_47B358:				; CODE XREF: MiMakeValidPte+15Fj
					; MiMakeValidPte+18Dj ...
		mov	eax, ds:_MmHighestUserAddress
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	[ebp+var_4], eax
		jbe	loc_47B436

loc_47B373:				; CODE XREF: MiMakeValidPte+149j
		test	ecx, 4000000h
		jnz	loc_47B4CA

loc_47B37F:				; CODE XREF: MiMakeValidPte+1E0j
					; MiMakeValidPte+1F6j ...
		cmp	edx, dword_6D07D0
		jb	loc_47B43E
		mov	eax, edx
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 0Bh
		jz	short loc_47B3C7
		cmp	al, 1
		jz	short loc_47B3C7
		cmp	edx, 0C0000000h
		jnb	loc_47B48B

loc_47B3AA:				; CODE XREF: MiMakeValidPte+1A1j
		cmp	edx, dword_6D2E88
		jnb	loc_47B49C

loc_47B3B6:				; CODE XREF: MiMakeValidPte+1B2j
		movzx	eax, byte ptr word_6D07B8

loc_47B3BD:				; CODE XREF: MiMakeValidPte+155j
					; MiMakeValidPte+1BFj
		test	eax, eax
		jz	short loc_47B3C7

loc_47B3C1:				; CODE XREF: MiMakeValidPte+50j
		or	esi, 100h

loc_47B3C7:				; CODE XREF: MiMakeValidPte+A8j
					; MiMakeValidPte+ACj ...
		and	bl, 5
		cmp	bl, 4
		mov	ebx, [ebp+arg_0]
		setz	cl
		bt	ebx, 1Fh
		setb	al
		test	cl, al
		jz	short loc_47B3E1
		or	esi, 42h

loc_47B3E1:				; CODE XREF: MiMakeValidPte+ECj
		test	ebx, 40000000h
		jnz	loc_5B3956

loc_47B3ED:				; CODE XREF: MiMakeValidPte+138669j
		test	ebx, 20000000h
		jz	short loc_47B411
		mov	al, byte ptr word_6D07B8
		and	esi, 0FFFFFEFFh
		and	al, 1
		movzx	eax, al
		cdq
		shld	edx, eax, 8
		shl	eax, 8
		or	esi, eax
		or	edi, edx

loc_47B411:				; CODE XREF: MiMakeValidPte+103j
		test	ebx, 8000000h
		jnz	loc_47B4B4

loc_47B41D:				; CODE XREF: MiMakeValidPte+1CAj
		mov	edx, edi
		test	ebx, 4000000h
		jnz	loc_47B4BF

loc_47B42B:				; CODE XREF: MiMakeValidPte+1D5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_47B436:				; CODE XREF: MiMakeValidPte+7Dj
		or	esi, 4
		jmp	loc_47B373
; 

loc_47B43E:				; CODE XREF: MiMakeValidPte+95j
		movzx	eax, byte ptr word_6D07B8+1
		jmp	loc_47B3BD
; 

loc_47B44A:				; CODE XREF: MiMakeValidPte+62j
		cmp	eax, 0C0603FFFh
		ja	loc_47B358
		cmp	eax, 0C0603018h
		jz	loc_47B4FD
		test	ecx, 4000000h
		jnz	short loc_47B46E
		and	edi, 7FFFFFFFh

loc_47B46E:				; CODE XREF: MiMakeValidPte+176j
					; MiMakeValidPte+213j
		mov	ecx, eax
		call	_MiUserPdeOrAbove@4 ; MiUserPdeOrAbove(x)
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+var_8]
		test	eax, eax
		jz	loc_47B358
		or	esi, 4
		jmp	loc_47B358
; 

loc_47B48B:				; CODE XREF: MiMakeValidPte+B4j
		cmp	edx, 0C07FFFFFh
		ja	loc_47B3AA
		jmp	loc_47B3C7
; 

loc_47B49C:				; CODE XREF: MiMakeValidPte+C0j
		cmp	edx, dword_6D2E8C
		ja	loc_47B3B6
		movzx	eax, byte ptr word_6D07B8+1
		jmp	loc_47B3BD
; 

loc_47B4B4:				; CODE XREF: MiMakeValidPte+127j
		and	esi, 0FFFFFEFFh
		jmp	loc_47B41D
; 

loc_47B4BF:				; CODE XREF: MiMakeValidPte+135j
		or	esi, 80h
		jmp	loc_47B42B
; 

loc_47B4CA:				; CODE XREF: MiMakeValidPte+89j
		cmp	edx, 0C0000000h
		jb	loc_47B37F
		jmp	short loc_47B4E0
; 
		align 10h

loc_47B4E0:				; CODE XREF: MiMakeValidPte+1E6j
					; MiMakeValidPte+20Bj
		cmp	edx, 0C07FFFFFh
		ja	loc_47B37F
		shl	edx, 9
		cmp	edx, 0C0000000h
		jb	loc_47B37F
		jmp	short loc_47B4E0
; 

loc_47B4FD:				; CODE XREF: MiMakeValidPte+16Aj
		or	edi, 80000000h
		jmp	loc_47B46E
MiMakeValidPte	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeTransitionPte(x, x)
_MiMakeTransitionPte@8 proc near	; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+724p
					; MiDecrementAndInsertStandbyPages+10Fp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	ecx, dword_6D0704
		and	edi, 3FFFFFFh
		shld	ebx, edi, 7
		and	edx, 1Fh
		shl	edi, 7
		or	edx, 40h
		or	edi, edx
		mov	edx, dword_6D0700
		shld	ebx, edi, 5
		mov	eax, edx
		mov	[ebp+var_4], edx
		shl	edi, 5
		or	eax, ecx
		jz	short loc_47B560
		push	esi
		mov	esi, edx
		mov	edx, ecx
		and	esi, edi
		and	edx, ebx
		or	esi, edx
		pop	esi
		jnz	short loc_47B56A
		or	edi, [ebp+var_4]
		or	ebx, ecx

loc_47B560:				; CODE XREF: MiMakeTransitionPte(x,x)+3Bj
					; MiMakeTransitionPte(x,x)+5Dj
		mov	eax, edi
		mov	edx, ebx
		pop	edi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_47B56A:				; CODE XREF: MiMakeTransitionPte(x,x)+49j
		or	edi, 10h
		jmp	short loc_47B560
_MiMakeTransitionPte@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiIsAddressGlobal(x)
_MiIsAddressGlobal@4 proc near		; CODE XREF: .text:0045E4FFp
		cmp	ecx, dword_6D07D0
		jb	short loc_47B5B6
		mov	eax, ecx
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_47B5AB
		cmp	al, 0Bh
		jz	short loc_47B5AB
		cmp	ecx, 0C0000000h
		jnb	short loc_47B5A3

loc_47B593:				; CODE XREF: MiIsAddressGlobal(x)+39j
		cmp	ecx, dword_6D2E88
		jnb	short loc_47B5AE

loc_47B59B:				; CODE XREF: MiIsAddressGlobal(x)+44j
		movzx	eax, byte ptr word_6D07B8
		retn
; 

loc_47B5A3:				; CODE XREF: MiIsAddressGlobal(x)+21j
		cmp	ecx, 0C07FFFFFh
		ja	short loc_47B593

loc_47B5AB:				; CODE XREF: MiIsAddressGlobal(x)+15j
					; MiIsAddressGlobal(x)+19j
		xor	eax, eax
		retn
; 

loc_47B5AE:				; CODE XREF: MiIsAddressGlobal(x)+29j
		cmp	ecx, dword_6D2E8C
		ja	short loc_47B59B

loc_47B5B6:				; CODE XREF: MiIsAddressGlobal(x)+6j
		movzx	eax, byte ptr word_6D07B8+1
		retn
_MiIsAddressGlobal@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiMakeProtectionPfnCompatible(x, x)
_MiMakeProtectionPfnCompatible@8 proc near ; CODE XREF:	MiZeroPhysicalPage+8Fp
					; .text:0047FD12p ...
		mov	al, [edx+16h]
		and	ecx, 7
		shr	al, 6
		test	al, al
		jz	short loc_47B5D9
		cmp	al, 2
		jz	short loc_47B5D4

loc_47B5D1:				; CODE XREF: MiMakeProtectionPfnCompatible(x,x)+17j
		mov	eax, ecx
		retn
; 

loc_47B5D4:				; CODE XREF: MiMakeProtectionPfnCompatible(x,x)+Fj
		or	ecx, 18h
		jmp	short loc_47B5D1
; 

loc_47B5D9:				; CODE XREF: MiMakeProtectionPfnCompatible(x,x)+Bj
		or	ecx, 8
		mov	eax, ecx
		retn
_MiMakeProtectionPfnCompatible@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiChargeForLockedPage(x, x)
_MiChargeForLockedPage@8 proc near	; CODE XREF: MiCheckProtoPtePageState+126p
					; MiAddLockedPageCharge(x,x)+30p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		and	edx, 1
		mov	edi, edx
		neg	edi
		sbb	edi, edi
		xor	edx, 1
		xor	bl, bl
		lea	esi, ds:4[edx*4]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_47B610
		mov	eax, [ecx+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_47B619

loc_47B610:				; CODE XREF: MiChargeForLockedPage(x,x)+21j
		call	_MiIsPfnCommitNotCharged@4 ; MiIsPfnCommitNotCharged(x)
		test	eax, eax
		jz	short loc_47B633

loc_47B619:				; CODE XREF: MiChargeForLockedPage(x,x)+2Ej
		push	esi
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		mov	bl, 1
		call	MiChargeCommit
		test	eax, eax
		jnz	short loc_47B633
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_47B633:				; CODE XREF: MiChargeForLockedPage(x,x)+37j
					; MiChargeForLockedPage(x,x)+4Dj
		mov	eax, large fs:20h
		mov	ecx, [eax+3D30h]
		lea	esi, [eax+3D30h]
		cmp	ecx, 1
		jb	short loc_47B669
		lea	ebx, [ebx+0]

loc_47B650:				; CODE XREF: MiChargeForLockedPage(x,x)+87j
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_47B669
		lea	edx, [ecx-1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jz	short loc_47B696
		mov	ecx, eax
		cmp	eax, 1
		jnb	short loc_47B650

loc_47B669:				; CODE XREF: MiChargeForLockedPage(x,x)+68j
					; MiChargeForLockedPage(x,x)+73j
		push	edi
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiChargePartitionResidentAvailable
		mov	esi, eax
		test	esi, esi
		jnz	short loc_47B690
		test	bl, bl
		jz	short loc_47B690
		lea	edx, [eax+1]
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit

loc_47B690:				; CODE XREF: MiChargeForLockedPage(x,x)+9Dj
					; MiChargeForLockedPage(x,x)+A1j
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_47B696:				; CODE XREF: MiChargeForLockedPage(x,x)+80j
		mov	esi, 1
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_MiChargeForLockedPage@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcMapAndCopyInToCache proc near		; CODE XREF: CcCopyWriteEx+188p

var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_35		= dword	ptr -35h
var_31		= byte ptr -31h
var_30		= byte ptr -30h
var_2F		= byte ptr -2Fh
var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= byte ptr -2Ch
var_2B		= byte ptr -2Bh
var_2A		= byte ptr -2Ah
var_29		= dword	ptr -29h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005B395E SIZE 000003C9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A11D8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0DCh
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_5C], edx
		mov	ebx, ecx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_60], 0
		mov	[ebp+var_44], 0
		mov	[ebp+var_C4], 0
		mov	[ebp+var_C0], 0
		mov	[ebp+var_94], 0
		mov	[ebp+var_90], 0
		mov	eax, [ebp+arg_C]
		test	byte ptr [eax+2Ch], 10h
		jnz	loc_47BEB9
		mov	byte ptr [ebp+var_35], 0

loc_47B737:				; CODE XREF: CcMapAndCopyInToCache+80Dj
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_9C], eax
		mov	[ebp+var_DC], eax
		mov	esi, [ebp+arg_0]
		mov	eax, [esi]
		and	eax, 0FFFh
		mov	[ebp+var_A0], eax
		mov	[ebp+var_7C], 0
		mov	edx, large fs:124h
		mov	[ebp+var_98], edx
		mov	[ebp+var_2D], 0
		xor	ecx, ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_29+1],	ecx
		mov	[ebp+var_31], cl
		mov	[ebp+var_2C], cl
		xor	edi, edi
		mov	[ebp+var_C8], ecx
		mov	[ebp+var_2E], 1
		mov	[ebp+var_2A], cl
		mov	[ebp+var_30], cl
		xor	eax, eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], eax
		test	dword ptr [ebx+60h], 1000h
		jnz	loc_5B395E
		mov	[ebp+var_2B], al

loc_47B7B2:				; CODE XREF: CcMapAndCopyInToCache+1382B2j
		mov	eax, [esi]
		mov	[ebp+var_58], eax
		mov	eax, [esi+4]
		mov	[ebp+var_54], eax
		movzx	ecx, byte ptr [edx+308h]
		mov	eax, [edx+2F4h]
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_AC], eax
		mov	[ebp+var_D8], eax
		mov	cl, byte ptr [ebp+var_35]
		mov	al, cl
		mov	[ebp+var_21], al
		mov	[ebp+var_2F], al
		test	cl, cl
		jnz	loc_47BEC2
		mov	[ebp+var_21], cl
		xor	eax, eax
		mov	[ebp+var_88], eax
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], eax
		mov	edi, [ebx+174h]
		cmp	[ebx+6Ch], eax
		jz	loc_5B39DC
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		mov	esi, offset dword_6CF3C0
		test	ds:byte_70EFC6,	21h
		jnz	loc_5B3967
		mov	[ebp+var_B4], 0
		lock bts dword ptr [esi], 1Fh
		jb	loc_47BF2A

loc_47B840:				; CODE XREF: CcMapAndCopyInToCache+889j
		mov	edx, dword_6CF3C0
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5B3975

loc_47B858:				; CODE XREF: CcMapAndCopyInToCache+1382FDj
		mov	ecx, [ebp+var_29+1]
		mov	[ebp+var_20], ecx

loc_47B85E:				; CODE XREF: CcMapAndCopyInToCache+1382C0j
		test	ds:byte_70EFC6,	1
		jnz	loc_5B39B2
		mov	dword_6CF3C0, 0

loc_47B875:				; CODE XREF: CcMapAndCopyInToCache+138312j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, dword_6D4EA4
		mov	eax, [eax+4]
		cmp	edi, eax
		jnz	loc_5B39C7
		mov	ebx, [ebp+var_3C]

loc_47B890:				; CODE XREF: CcMapAndCopyInToCache+138331j
		mov	eax, [ebp+arg_C]
		test	dword ptr [eax+2Ch], 1000000h
		jnz	loc_5B39E6

loc_47B8A0:				; CODE XREF: CcMapAndCopyInToCache+138350j
		mov	edx, large fs:124h
		mov	ecx, edx
		call	_PsGetBaseIoPriorityThread@4 ; PsGetBaseIoPriorityThread(x)
		cmp	eax, 2
		jl	loc_47BDE9

loc_47B8B7:				; CODE XREF: CcMapAndCopyInToCache+742j
					; CcMapAndCopyInToCache+74Fj
		test	eax, eax
		jle	loc_47BE2D

loc_47B8BF:				; CODE XREF: CcMapAndCopyInToCache+755j
					; CcMapAndCopyInToCache+787j
		mov	ecx, [ebp+var_29+1]
		mov	[ebp+var_20], ecx

loc_47B8C5:				; CODE XREF: CcMapAndCopyInToCache+804j
		mov	al, [ebp+var_21]

loc_47B8C8:				; CODE XREF: CcMapAndCopyInToCache+79Fj
		mov	[ebp+var_2F], al
		xor	edi, edi

loc_47B8CD:				; CODE XREF: CcMapAndCopyInToCache+817j
		test	al, al
		jnz	loc_47BE0A

loc_47B8D5:				; CODE XREF: CcMapAndCopyInToCache+75Ej
		xor	eax, eax
		cmp	[ebp+arg_14], al
		setz	al
		lea	eax, ds:4[eax*2]
		mov	[ebp+var_E4], eax
		mov	eax, [ebx+174h]
		mov	[ebp+var_68], eax
		cmp	dword ptr [ebx+6Ch], 0
		jz	loc_5B3AAA
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		test	ds:byte_70EFC6,	21h
		jnz	loc_5B3A4A
		mov	[ebp+var_B8], 0
		lock bts dword ptr [esi], 1Fh
		jb	loc_47BF3E

loc_47B929:				; CODE XREF: CcMapAndCopyInToCache+89Dj
		mov	edx, dword_6CF3C0
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5B3A58

loc_47B941:				; CODE XREF: CcMapAndCopyInToCache+1383E0j
		mov	ecx, [ebp+var_29+1]
		mov	[ebp+var_20], ecx

loc_47B947:				; CODE XREF: CcMapAndCopyInToCache+1383A3j
		test	ds:byte_70EFC6,	1
		jnz	loc_5B3A95
		mov	dword_6CF3C0, 0

loc_47B95E:				; CODE XREF: CcMapAndCopyInToCache+1383F5j
		mov	cl, bl
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		mov	eax, dword_6D4EA4
		mov	eax, [eax+4]
		cmp	[ebp+var_68], eax
		jnz	loc_5B39C7
		mov	ebx, [ebp+var_3C]
		mov	eax, [ebp+var_68]

loc_47B97F:				; CODE XREF: CcMapAndCopyInToCache+138400j
		mov	[ebp+var_E0], eax
		cmp	byte ptr [ebp+var_35], 0
		jnz	loc_47BECC

loc_47B98F:				; CODE XREF: CcMapAndCopyInToCache+875j
		test	edi, edi
		jnz	loc_5B3BC3

loc_47B997:				; CODE XREF: CcMapAndCopyInToCache+13851Aj
		mov	esi, [ebp+arg_18]
		test	esi, esi
		jnz	short loc_47B9AE
		mov	esi, large fs:124h
		mov	[ebp+arg_18], esi
		mov	ecx, [ebp+var_29+1]
		mov	[ebp+var_20], ecx

loc_47B9AE:				; CODE XREF: CcMapAndCopyInToCache+2ECj
		mov	edi, [esi+36Ch]
		mov	[ebp+var_BC], 0
		test	edi, edi
		jnz	loc_47BD90

loc_47B9C6:				; CODE XREF: CcMapAndCopyInToCache+6F6j
		mov	esi, [esi+150h]

loc_47B9CC:				; CODE XREF: CcMapAndCopyInToCache+702j
		cmp	dword ptr [esi+430h], 0
		jnz	loc_47BF52
		mov	esi, 0C0000225h

loc_47B9DE:				; CODE XREF: CcMapAndCopyInToCache+8EEj
					; CcMapAndCopyInToCache+138530j
		cmp	[ebp+var_BC], 0
		jnz	loc_47C01D

loc_47B9EB:				; CODE XREF: CcMapAndCopyInToCache+978j
		mov	[ebp+var_64], esi
		test	esi, esi
		jns	loc_47BFA3

loc_47B9F6:				; CODE XREF: CcMapAndCopyInToCache+90Fj
		mov	[ebp+var_4], 0
		mov	[ebp+var_B0], 1
		mov	ebx, [ebp+var_A0]
		mov	edi, [ebp+arg_18]

loc_47BA10:				; CODE XREF: CcMapAndCopyInToCache+59Dj
					; CcMapAndCopyInToCache+778j
		mov	esi, 1000h
		cmp	[ebp+arg_4], 0
		jz	loc_47BC52
		mov	[ebp+var_19], 0
		cmp	[ebp+var_2B], 0
		jnz	loc_5B3BE5

loc_47BA2D:				; CODE XREF: CcMapAndCopyInToCache+13853Aj
		mov	[ebp+var_44], 0
		push	[ebp+var_54]
		push	[ebp+var_58]
		push	0
		push	0
		lea	eax, [ebp+var_60]
		push	eax
		lea	edx, [ebp+var_7C]
		mov	ecx, [ebp+var_3C]
		call	CcGetVirtualAddress
		mov	edx, eax
		mov	[ebp+var_40], edx
		mov	edi, [ebp+var_60]
		mov	ecx, [ebp+arg_4]
		cmp	edi, ecx
		jbe	short loc_47BA61
		mov	edi, ecx
		mov	[ebp+var_60], edi

loc_47BA61:				; CODE XREF: CcMapAndCopyInToCache+3AAj
		mov	[ebp+var_44], edi
		sub	[ebp+arg_4], edi
		sub	edx, ebx
		mov	[ebp+var_40], edx
		add	edi, ebx
		mov	[ebp+var_78], edi
		mov	[ebp+var_60], edi
		mov	eax, 1
		mov	edx, [ebp+var_58]
		mov	[ebp+var_C4], edx
		mov	ecx, [ebp+var_54]
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_C0], ecx
		sub	edx, ebx
		mov	[ebp+var_A4], edx
		mov	[ebp+var_C4], edx
		mov	[ebp+var_2A], 0
		mov	[ebp+var_19], 0
		mov	ecx, edi

loc_47BAA9:				; CODE XREF: CcMapAndCopyInToCache+504j
					; CcMapAndCopyInToCache+6B9j
		mov	[ebp+var_A8], eax
		mov	byte ptr [ebp+var_29], 0
		mov	[ebp+var_2E], 1
		cmp	esi, ecx
		sbb	esi, esi
		neg	esi
		mov	[ebp+var_E8], esi
		mov	[ebp+var_64], 0
		mov	ecx, [ebp+arg_8]
		test	eax, ecx
		jz	loc_47BC8C
		mov	eax, [ebp+var_D0]
		mov	ecx, [ebp+arg_10]
		cmp	eax, [ecx+4]
		jl	loc_47BD6E
		jg	short loc_47BAF1
		cmp	edx, [ecx]
		jb	loc_47BD6E

loc_47BAF1:				; CODE XREF: CcMapAndCopyInToCache+437j
		mov	ecx, [ebp+var_20]
		or	ecx, 1
		mov	[ebp+var_20], ecx
		mov	[ebp+var_29+1],	ecx

loc_47BAFD:				; CODE XREF: CcMapAndCopyInToCache+6C1j
		mov	eax, [ebp+var_3C]
		mov	eax, [eax+60h]
		test	al, 40h
		jz	short loc_47BB10
		or	ecx, 2
		mov	[ebp+var_20], ecx
		mov	[ebp+var_29+1],	ecx

loc_47BB10:				; CODE XREF: CcMapAndCopyInToCache+455j
		test	eax, 40000000h
		jnz	loc_5B3BEF

loc_47BB1B:				; CODE XREF: CcMapAndCopyInToCache+13855Fj
					; CcMapAndCopyInToCache+13857Aj
		mov	byte ptr [ebp+var_29], 0
		test	esi, esi
		jz	loc_47BD76
		mov	eax, 1000h

loc_47BB2C:				; CODE XREF: CcMapAndCopyInToCache+6C8j
		sub	eax, ebx
		lea	edx, [ebp+var_29]
		push	edx
		push	ecx
		push	eax
		push	ebx
		mov	edx, [ebp+var_5C]
		mov	ecx, [ebp+var_40]
		call	_CcWrapperMmCopyToCachedPage@24	; CcWrapperMmCopyToCachedPage(x,x,x,x,x,x)
		mov	[ebp+var_64], eax
		test	eax, eax
		js	loc_5B3C2F
		mov	[ebp+var_2A], 1
		cmp	[ebp+var_19], 0
		jz	loc_47BD7D

loc_47BB59:				; CODE XREF: CcMapAndCopyInToCache+6AFj
					; CcMapAndCopyInToCache+6D1j ...
		mov	eax, 1000h
		sub	eax, ebx
		add	[ebp+var_5C], eax
		xor	ebx, ebx
		mov	[ebp+var_A0], ebx
		test	esi, esi
		jz	short loc_47BBB9
		add	[ebp+var_40], 1000h
		add	edi, 0FFFFF000h
		mov	[ebp+var_78], edi
		mov	ecx, edi
		mov	[ebp+var_60], edi
		mov	edx, [ebp+var_A4]
		add	edx, 1000h
		mov	[ebp+var_A4], edx
		mov	[ebp+var_C4], edx
		mov	esi, 1000h
		cmp	[ebp+arg_4], ebx
		jnz	loc_47BD64
		cmp	esi, ecx
		sbb	eax, eax
		and	eax, 0FFFFFFFEh
		add	eax, 4
		jmp	loc_47BAA9
; 

loc_47BBB9:				; CODE XREF: CcMapAndCopyInToCache+4BDj
		mov	[ebp+var_2A], bl
		mov	ecx, [ebp+var_7C]
		mov	esi, [ecx+4]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+8], eax
		dec	eax
		movzx	eax, ax
		test	ax, ax
		jnz	short loc_47BBE5
		mov	eax, [esi+74h]
		test	eax, eax
		jnz	loc_5B3CC6

loc_47BBDE:				; CODE XREF: CcMapAndCopyInToCache+138620j
		lock dec dword ptr [esi+180h]

loc_47BBE5:				; CODE XREF: CcMapAndCopyInToCache+521j
		mov	[ebp+var_7C], ebx
		mov	edi, [ebp+arg_18]
		push	edi
		mov	eax, [ebp+var_44]
		push	eax
		lea	edx, [ebp+var_58]
		mov	esi, [ebp+var_3C]
		mov	ecx, esi
		call	CcSetDirtyInMask
		mov	ecx, [esi+60h]
		and	ecx, 40000000h
		jnz	short loc_47BC1C
		mov	eax, [ebp+var_9C]
		sub	eax, [ebp+arg_4]
		cmp	eax, 1000000h
		ja	loc_5B3CDE

loc_47BC1C:				; CODE XREF: CcMapAndCopyInToCache+556j
		test	ecx, ecx
		jnz	loc_5B3CD5

loc_47BC24:				; CODE XREF: CcMapAndCopyInToCache+138628j
		mov	esi, [ebp+var_44]

loc_47BC27:				; CODE XREF: CcMapAndCopyInToCache+138654j
		cmp	[ebp+arg_4], 1000h
		jnb	loc_47BE19
		mov	ecx, [ebp+arg_8]
		mov	al, cl
		and	al, 4
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+arg_8], eax
		add	[ebp+var_58], esi
		adc	[ebp+var_54], ebx
		jmp	loc_47BA10
; 

loc_47BC52:				; CODE XREF: CcMapAndCopyInToCache+369j
		mov	[ebp+var_2D], 1

loc_47BC56:				; CODE XREF: CcMapAndCopyInToCache+925j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	edx, [ebp+var_AC]
		or	ebx, 0FFFFFFFFh
		mov	[ebp+var_B0], 0
		call	sub_47C052
		mov	al, [ebp+var_2D]

loc_47BC78:				; CODE XREF: CcMapAndCopyInToCache+138395j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_47BC8C:				; CODE XREF: CcMapAndCopyInToCache+41Fj
		test	esi, esi
		jnz	loc_47BDB7

loc_47BC94:				; CODE XREF: CcMapAndCopyInToCache+70Aj
					; CcMapAndCopyInToCache+724j ...
		lea	eax, [ebp+var_2E]
		push	eax
		push	[ebp+var_E4]
		mov	edx, 1
		mov	ecx, [ebp+var_40]
		call	_MmCheckCachedPageStates@16 ; MmCheckCachedPageStates(x,x,x,x)
		mov	[ebp+var_EC], eax
		cmp	[ebp+var_2E], 0
		jz	loc_47BFC4

loc_47BCBB:				; CODE XREF: CcMapAndCopyInToCache+918j
		xor	edi, edi
		mov	[ebp+var_8C], edi
		xor	ecx, ecx
		mov	[ebp+var_D4], ecx
		mov	[ebp+var_CC], ecx
		test	eax, eax
		js	loc_5B3C4F
		mov	dl, [ebp+var_2B]
		test	dl, dl
		jnz	loc_5B3C55

loc_47BCE4:				; CODE XREF: CcMapAndCopyInToCache+1385E9j
		mov	[ebp+var_4], 1
		test	dl, dl
		jnz	short loc_47BCF2
		mov	ecx, [ebp+var_40]

loc_47BCF2:				; CODE XREF: CcMapAndCopyInToCache+63Dj
		add	ecx, ebx
		test	esi, esi
		jnz	loc_47BDDF
		mov	eax, [ebp+var_78]

loc_47BCFF:				; CODE XREF: CcMapAndCopyInToCache+734j
		sub	eax, ebx
		mov	byte ptr [ebp+var_29], 0
		push	eax		; size_t
		test	dl, dl
		jnz	loc_5B3C9E
		push	[ebp+var_5C]	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_47BD1A:				; CODE XREF: CcMapAndCopyInToCache+1385F6j
		mov	byte ptr [ebp+var_29], 1
		mov	[ebp+var_2A], 1
		cmp	[ebp+var_19], 0
		jnz	short loc_47BD2C
		mov	[ebp+var_19], 1

loc_47BD2C:				; CODE XREF: CcMapAndCopyInToCache+676j
		mov	[ebp+var_4], 0
		test	edi, edi
		jnz	loc_5B3CAB

loc_47BD3B:				; CODE XREF: CcMapAndCopyInToCache+138611j
		mov	edx, [ebp+var_AC]
		mov	al, dl
		and	al, 3
		mov	ecx, [ebp+var_98]
		mov	[ecx+308h], al
		mov	eax, edx
		shr	eax, 2
		mov	[ecx+2F4h], eax
		mov	edi, [ebp+var_78]
		jmp	loc_47BB59
; 

loc_47BD64:				; CODE XREF: CcMapAndCopyInToCache+4F4j
		mov	eax, 2
		jmp	loc_47BAA9
; 

loc_47BD6E:				; CODE XREF: CcMapAndCopyInToCache+431j
					; CcMapAndCopyInToCache+43Bj
		mov	ecx, [ebp+var_20]
		jmp	loc_47BAFD
; 

loc_47BD76:				; CODE XREF: CcMapAndCopyInToCache+471j
		mov	eax, edi
		jmp	loc_47BB2C
; 

loc_47BD7D:				; CODE XREF: CcMapAndCopyInToCache+4A3j
		cmp	byte ptr [ebp+var_29], 0
		jz	loc_47BB59
		mov	[ebp+var_19], 1
		jmp	loc_47BB59
; 

loc_47BD90:				; CODE XREF: CcMapAndCopyInToCache+310j
		mov	eax, large fs:124h
		cmp	esi, eax
		jnz	loc_47BFDA

loc_47BD9E:				; CODE XREF: CcMapAndCopyInToCache+968j
		mov	ecx, [ebp+var_29+1]
		mov	[ebp+var_20], ecx
		test	edi, edi
		jz	loc_47B9C6
		mov	esi, [edi+150h]
		jmp	loc_47B9CC
; 

loc_47BDB7:				; CODE XREF: CcMapAndCopyInToCache+5DEj
		test	cl, 4
		jz	loc_47BC94
		mov	eax, [ebp+var_98]
		mov	byte ptr [eax+308h], 1
		cmp	dword ptr [eax+2F4h], 1
		jnb	loc_47BC94
		jmp	loc_5B3C40
; 

loc_47BDDF:				; CODE XREF: CcMapAndCopyInToCache+646j
		mov	eax, 1000h
		jmp	loc_47BCFF
; 

loc_47BDE9:				; CODE XREF: CcMapAndCopyInToCache+201j
		mov	ecx, large fs:124h
		cmp	edx, ecx
		jnz	loc_47B8B7
		cmp	dword ptr [edx+32Ch], 0
		jz	loc_47B8B7
		jmp	loc_47B8BF
; 

loc_47BE0A:				; CODE XREF: CcMapAndCopyInToCache+21Fj
		cmp	[ebp+arg_14], 0
		jnz	loc_47B8D5
		jmp	loc_5B3A43
; 

loc_47BE19:				; CODE XREF: CcMapAndCopyInToCache+57Ej
		mov	eax, [ebp+arg_8]
		or	eax, 1
		mov	[ebp+arg_8], eax
		add	[ebp+var_58], esi
		adc	[ebp+var_54], ebx
		jmp	loc_47BA10
; 

loc_47BE2D:				; CODE XREF: CcMapAndCopyInToCache+209j
		mov	eax, [ebp+arg_C]
		test	dword ptr [eax+2Ch], 8000h
		jnz	loc_47B8BF
		mov	ecx, [ebp+var_29+1]
		mov	[ebp+var_20], ecx

loc_47BE43:				; CODE XREF: CcMapAndCopyInToCache+13834Aj
		mov	al, 1
		mov	[ebp+var_21], al
		test	dword ptr [ebx+60h], 400h
		jnz	loc_47B8C8
		lea	ecx, [edi+40h]
		lea	edx, [ebp+var_88]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		or	dword ptr [ebx+60h], 400h
		test	ds:byte_70EFC6,	1
		jnz	loc_5B3A05
		mov	eax, [ebp+var_88]
		test	eax, eax
		jnz	loc_5B3A29
		mov	edx, [ebp+var_84]
		lea	eax, [ebp+var_88]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_88]
		cmp	eax, ecx
		jnz	loc_5B3A18

loc_47BEA5:				; CODE XREF: CcMapAndCopyInToCache+138363j
		mov	ecx, [ebp+var_29+1]
		mov	[ebp+var_20], ecx

loc_47BEAB:				; CODE XREF: CcMapAndCopyInToCache+13838Ej
		mov	cl, byte ptr [ebp+var_80]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_47B8C5
; 

loc_47BEB9:				; CODE XREF: CcMapAndCopyInToCache+7Dj
		mov	byte ptr [ebp+var_35], 1
		jmp	loc_47B737
; 

loc_47BEC2:				; CODE XREF: CcMapAndCopyInToCache+136j
		mov	esi, offset dword_6CF3C0
		jmp	loc_47B8CD
; 

loc_47BECC:				; CODE XREF: CcMapAndCopyInToCache+2D9j
		lea	ecx, [eax+40h]
		lea	edx, [ebp+var_50]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	byte ptr [ebx+60h], 20h
		jnz	loc_5B3AB5

loc_47BEE1:				; CODE XREF: CcMapAndCopyInToCache+1384BBj
					; CcMapAndCopyInToCache+1384F7j
		inc	dword ptr [ebx+16Ch]
		mov	[ebp+var_31], 1
		test	ds:byte_70EFC6,	1
		jnz	loc_5B3BB3
		mov	eax, [ebp+var_50]
		test	eax, eax
		jnz	loc_47C03B
		mov	edx, [ebp+var_4C]
		lea	eax, [ebp+var_50]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_50]
		cmp	eax, ecx
		jnz	loc_47C02D

loc_47BF1A:				; CODE XREF: CcMapAndCopyInToCache+13850Ej
		mov	ecx, [ebp+var_29+1]
		mov	[ebp+var_20], ecx

loc_47BF20:				; CODE XREF: CcMapAndCopyInToCache+99Dj
		mov	cl, byte ptr [ebp+var_48]
		call	esi ; dword_6CF3C0
		jmp	loc_47B98F
; 

loc_47BF2A:				; CODE XREF: CcMapAndCopyInToCache+18Aj
		mov	dl, bl
		mov	ecx, esi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+var_B4], eax
		jmp	loc_47B840
; 

loc_47BF3E:				; CODE XREF: CcMapAndCopyInToCache+273j
		mov	dl, bl
		mov	ecx, esi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+var_B8], eax
		jmp	loc_47B929
; 

loc_47BF52:				; CODE XREF: CcMapAndCopyInToCache+323j
		push	offset _IopDiskIoAttributionLock
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	bl, al
		mov	esi, [esi+430h]
		test	esi, esi
		jz	short loc_47BF82
		mov	ecx, 1
		lock xadd [esi+10h], ecx
		inc	ecx
		cmp	ecx, 1
		jle	loc_5B3BCF

loc_47BF7C:				; CODE XREF: CcMapAndCopyInToCache+138526j
		mov	[ebp+var_C8], esi

loc_47BF82:				; CODE XREF: CcMapAndCopyInToCache+8B6j
		push	offset _IopDiskIoAttributionLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	loc_5B3BDB
		xor	esi, esi
		jmp	loc_47B9DE
; 

loc_47BFA3:				; CODE XREF: CcMapAndCopyInToCache+340j
		mov	edx, [ebp+var_C8]
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax+14h]
		call	_MmUpdateSectionIoAttribution@8	; MmUpdateSectionIoAttribution(x,x)
		mov	ecx, [ebp+var_C8]
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		jmp	loc_47B9F6
; 

loc_47BFC4:				; CODE XREF: CcMapAndCopyInToCache+605j
		cmp	[ebp+arg_14], 0
		jnz	loc_47BCBB
		mov	[ebp+var_2D], 0
		mov	edi, [ebp+arg_18]
		jmp	loc_47BC56
; 

loc_47BFDA:				; CODE XREF: CcMapAndCopyInToCache+6E8j
		push	offset _PspThreadWorkOnBehalfLock
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	bl, al
		mov	edi, [esi+36Ch]
		test	edi, edi
		jz	short loc_47C006
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		mov	[ebp+var_BC], 1

loc_47C006:				; CODE XREF: CcMapAndCopyInToCache+93Ej
		push	offset _PspThreadWorkOnBehalfLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_47BD9E
; 

loc_47C01D:				; CODE XREF: CcMapAndCopyInToCache+335j
		push	746C6644h
		push	edi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_47B9EB
; 

loc_47C02D:				; CODE XREF: CcMapAndCopyInToCache+864j
		lea	ecx, [ebp+var_50]
		call	KxWaitForLockChainValid
		mov	ecx, [ebp+var_29+1]
		mov	[ebp+var_20], ecx

loc_47C03B:				; CODE XREF: CcMapAndCopyInToCache+84Dj
		mov	[ebp+var_50], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_47BF20
CcMapAndCopyInToCache endp


;  S U B	R O U T	I N E 


sub_47C052	proc near		; CODE XREF: CcMapAndCopyInToCache+5C0p
					; sub_5B3D27+51j

; FUNCTION CHUNK AT 005B3D7D SIZE 00000089 BYTES

		mov	al, dl
		and	al, 3
		mov	ecx, [ebp-98h]
		mov	[ecx+308h], al
		shr	edx, 2
		mov	[ecx+2F4h], edx
		mov	eax, [ebp-7Ch]
		test	eax, eax
		jnz	loc_47C180

loc_47C076:				; CODE XREF: sub_47C052+13Aj
					; sub_47C052+152j
		cmp	dword ptr [ebp-0B0h], 0
		jnz	loc_5B3D8C
		cmp	byte ptr [ebp-2Ah], 0
		jnz	loc_5B3D8C
		mov	ebx, [ebp-3Ch]

loc_47C090:				; CODE XREF: sub_47C052+137D42j
					; sub_47C052+137D54j
		mov	eax, _CcRemoteFileDPInlineFlushThreshold
		mov	esi, [ebp+14h]
		mov	cl, [ebp-35h]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_47C0AD
		test	dword ptr [esi+2Ch], 1000000h
		jnz	loc_5B3DAB

loc_47C0AD:				; CODE XREF: sub_47C052+4Cj
					; sub_47C052+137D5Bj ...
		cmp	byte ptr [ebp-21h], 0
		jnz	short loc_47C0BA
		cmp	byte ptr [ebp-30h], 0
		jnz	short loc_47C0BA

locret_47C0B9:				; CODE XREF: sub_47C052+B4j
					; sub_47C052+137D9Cj
		retn
; 

loc_47C0BA:				; CODE XREF: sub_47C052+5Fj
					; sub_47C052+65j
		xor	eax, eax
		mov	[ebp-94h], eax
		test	cl, cl
		jnz	short loc_47C10D

loc_47C0C6:				; CODE XREF: sub_47C052+C2j
		cmp	[ebp-2Ch], al
		jnz	loc_5B3DC9
		mov	ecx, [ebp-9Ch]

loc_47C0D5:				; CODE XREF: sub_47C052+137D79j
		cmp	[ebp-2Ch], al
		jnz	loc_5B3DD0
		mov	eax, [ebp+8]

loc_47C0E1:				; CODE XREF: sub_47C052+137D80j
		lea	edx, [ebp-94h]
		push	edx
		push	dword ptr [ebp-35h]
		push	0
		push	ecx
		mov	edx, eax
		mov	ecx, [esi+14h]
		call	_CcFlushCachePriv@24 ; CcFlushCachePriv(x,x,x,x,x,x)
		mov	eax, [ebp-94h]

loc_47C0FE:				; CODE XREF: sub_47C052+C4j
		cmp	byte ptr [ebp-31h], 0
		jnz	short loc_47C118

loc_47C104:				; CODE XREF: sub_47C052+110j
		test	eax, eax
		jns	short locret_47C0B9
		jmp	loc_5B3DE7
; 

loc_47C10D:				; CODE XREF: sub_47C052+72j
		test	dword ptr [ebx+60h], 40000000h
		jz	short loc_47C0C6
		jmp	short loc_47C0FE
; 

loc_47C118:				; CODE XREF: sub_47C052+B0j
		mov	ecx, [ebp-68h]
		add	ecx, 40h
		lea	edx, [ebp-50h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		dec	dword ptr [ebx+16Ch]
		test	ds:byte_70EFC6,	1
		jnz	loc_5B3DD7
		mov	eax, [ebp-50h]
		test	eax, eax
		jnz	short loc_47C16C
		mov	edx, [ebp-4Ch]
		lea	eax, [ebp-50h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-50h]
		cmp	eax, ecx
		jnz	short loc_47C164

loc_47C153:				; CODE XREF: sub_47C052+12Cj
					; sub_47C052+137D90j
		mov	cl, [ebp-48h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp-94h]
		jmp	short loc_47C104
; 

loc_47C164:				; CODE XREF: sub_47C052+FFj
		lea	ecx, [ebp-50h]
		call	KxWaitForLockChainValid

loc_47C16C:				; CODE XREF: sub_47C052+ECj
		mov	dword ptr [ebp-50h], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_47C153
; 

loc_47C180:				; CODE XREF: sub_47C052+1Ej
		mov	esi, [eax+4]
		lock xadd [eax+8], ebx
		dec	ebx
		test	bx, bx
		jnz	loc_47C076
		mov	eax, [esi+74h]
		test	eax, eax
		jnz	loc_5B3D7D

loc_47C19D:				; CODE XREF: sub_47C052+137D35j
		lock dec dword ptr [esi+180h]
		jmp	loc_47C076
sub_47C052	endp

; 
		align 10h

; __stdcall MmCopyToCachedPage(x, x, x,	x, x)
_MmCopyToCachedPage@20:			; CODE XREF: CcWrapperMmCopyToCachedPage(x,x,x,x,x,x)+25p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1200
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 84h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	[ebp-40h], edx
		mov	ebx, ecx
		mov	[ebp-3Ch], ebx
		mov	dword ptr [ebp-84h], 0
		mov	dword ptr [ebp-80h], 0
		mov	dword ptr [ebp-28h], 0
		xor	esi, esi
		mov	[ebp-2Ch], esi
		mov	dword ptr [ebp-50h], 1
		mov	edx, ebx
		shr	edx, 12h
		mov	ecx, dword_6D07D0
		shr	ecx, 12h
		and	ecx, 3FF8h
		mov	eax, edx
		and	eax, 3FF8h
		sub	eax, ecx
		sar	eax, 3
		mov	ecx, dword_6D0BD4[eax*4]
		test	ecx, ecx
		jz	short loc_47C248
		and	edx, 7
		lea	eax, [edx+edx*2]
		lea	ecx, [ecx+eax*8]

loc_47C248:				; CODE XREF: .text:0047C23Dj
		mov	eax, [ecx+0Ch]
		test	al, 1
		jz	short loc_47C252
		and	eax, 0FFFFFFFEh

loc_47C252:				; CODE XREF: .text:0047C24Dj
		mov	eax, [eax]
		mov	[ebp-74h], eax
		mov	edx, [ebp+0Ch]
		mov	ecx, [ebp+8]
		lea	eax, [ecx+edx]
		cmp	eax, 1000h
		ja	loc_47CB65
		cmp	eax, edx
		jb	loc_47CB65
		mov	edi, ebx
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		mov	[ebp-38h], edi
		mov	ecx, [ebp+10h]
		test	cl, 4
		jz	short loc_47C2B1
		mov	eax, [ebp+8]
		or	eax, edx
		test	al, 3Fh
		jz	short loc_47C2B1
		mov	eax, 0C0000474h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_47C2B1:				; CODE XREF: .text:0047C28Dj
					; .text:0047C296j
		test	cl, 8
		jz	short loc_47C2E7
		mov	edx, 1
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	ebx, eax
		mov	[ebp-30h], eax
		test	ebx, ebx
		jnz	short loc_47C2EC
		mov	eax, 0C000009Ah
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_47C2E7:				; CODE XREF: .text:0047C2B4j
		xor	ebx, ebx
		mov	[ebp-30h], ebx

loc_47C2EC:				; CODE XREF: .text:0047C2CCj
		mov	ecx, [edi]
		nop
		mov	edx, [edi+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_47C317
		test	ebx, ebx
		jz	short loc_47C352
		push	ecx
		mov	edx, edi
		mov	ecx, ebx
		call	_MiMapSystemCachePage@12 ; MiMapSystemCachePage(x,x,x)
		mov	esi, eax
		mov	[ebp-2Ch], esi
		test	esi, esi
		jnz	loc_47C9FD

loc_47C317:				; CODE XREF: .text:0047C2FAj
		mov	dword ptr [ebp-4], 0
		mov	eax, [ebp-40h]
		mov	al, [eax]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		nop
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		mov	[ebp-60h], edi
		mov	al, byte_6D5EE0
		and	al, 7
		cmp	al, 4
		jbe	short loc_47C365
		cmp	al, 5
		jz	short loc_47C365
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		jmp	short loc_47C3BB
; 

loc_47C352:				; CODE XREF: .text:0047C2FEj
		push	edx
		push	ecx
		mov	edx, edi
		mov	ecx, offset unk_6D5E80
		call	_MiDirtySystemCachePte@16 ; MiDirtySystemCachePte(x,x,x,x)
		jmp	loc_47C9FD
; 

loc_47C365:				; CODE XREF: .text:0047C340j
					; .text:0047C344j
		cmp	al, 2
		mov	esi, offset unk_6D3C40
		jz	short loc_47C373
		mov	esi, offset dword_6D5F00

loc_47C373:				; CODE XREF: .text:0047C36Cj
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		test	ds:byte_70EFC6,	21h
		jz	short loc_47C391
		mov	dl, bl
		mov	ecx, esi
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	short loc_47C3AF
; 

loc_47C391:				; CODE XREF: .text:0047C384j
		mov	edx, [esi]
		and	edx, 7FFFFFFFh
		lea	ecx, [edx+1]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_47C3AF
		mov	dl, bl
		mov	ecx, esi
		call	ExpWaitForSpinLockSharedAndAcquire

loc_47C3AF:				; CODE XREF: .text:0047C38Fj
					; .text:0047C3A4j
		add	esi, 4
		cmp	dword ptr [esi], 0
		jz	short loc_47C3BB
		xor	eax, eax
		xchg	eax, [esi]

loc_47C3BB:				; CODE XREF: .text:0047C350j
					; .text:0047C3B5j
		mov	[ebp-20h], bl
		mov	dword ptr [ebp-44h], 0
		lea	eax, [edi-600000h]
		shr	eax, 3
		mov	[ebp-58h], eax
		lea	ecx, [eax+eax]
		mov	esi, ecx
		and	esi, 1Fh
		mov	[ebp-34h], esi
		mov	al, byte_6D5EE0
		and	al, 7
		cmp	al, 2
		jb	short loc_47C43A
		xor	ebx, ebx
		cmp	edi, 603018h
		jz	short loc_47C405
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_47C419
		cmp	edi, 603010h
		jnz	short loc_47C419

loc_47C405:				; CODE XREF: .text:0047C3EFj
		cmp	al, 7
		jnz	short loc_47C410
		mov	ebx, offset unk_6D2E58
		jmp	short loc_47C419
; 

loc_47C410:				; CODE XREF: .text:0047C407j
		cmp	al, 5
		jnz	short loc_47C419
		mov	ebx, offset unk_6D2E54

loc_47C419:				; CODE XREF: .text:0047C3FBj
					; .text:0047C403j ...
		test	ebx, ebx
		jz	short loc_47C42E
		mov	esi, 603018h
		sub	esi, edi
		sar	esi, 3
		add	esi, esi
		mov	[ebp-34h], esi
		jmp	short loc_47C459
; 

loc_47C42E:				; CODE XREF: .text:0047C41Bj
		shr	ecx, 5
		lea	ebx, unk_6D2C54[ecx*4]
		jmp	short loc_47C459
; 

loc_47C43A:				; CODE XREF: .text:0047C3E5j
		shr	ecx, 5
		test	al, al
		jnz	short loc_47C452
		mov	ebx, dword_6D5E8C
		add	ebx, 0D90h
		lea	ebx, [ebx+ecx*4]
		jmp	short loc_47C459
; 

loc_47C452:				; CODE XREF: .text:0047C43Fj
		lea	ebx, unk_6D5FA0[ecx*4]

loc_47C459:				; CODE XREF: .text:0047C42Cj
					; .text:0047C438j ...
		mov	[ebp-48h], esi
		mov	edx, [ebx]
		mov	ecx, esi
		mov	esi, [ebp-48h]

loc_47C463:				; CODE XREF: .text:0047C4B4j
					; .text:0047C4D4j
		mov	edi, 2
		shl	edi, cl
		lea	ebx, [ebx+0]

loc_47C470:				; CODE XREF: .text:0047CAC4j
		mov	eax, edx
		mov	ecx, esi
		shr	eax, cl
		test	al, 1
		jz	short loc_47C4D6
		test	al, 2
		jz	short loc_47C4B6
		mov	edi, edi

loc_47C480:				; CODE XREF: .text:0047C4AFj
		mov	eax, [ebp-44h]
		inc	eax
		mov	[ebp-44h], eax
		test	ds:_HvlLongSpinCountMask, eax
		jnz	short loc_47C4A0
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_47C4A0
		push	eax
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	short loc_47C4A2
; 

loc_47C4A0:				; CODE XREF: .text:0047C48Dj
					; .text:0047C496j
		pause

loc_47C4A2:				; CODE XREF: .text:0047C49Ej
		mov	edx, [ebx]
		mov	eax, edx
		mov	esi, [ebp-48h]
		mov	ecx, esi
		shr	eax, cl
		test	al, 1
		jnz	short loc_47C480
		mov	ecx, [ebp-34h]
		jmp	short loc_47C463
; 

loc_47C4B6:				; CODE XREF: .text:0047C47Cj
		mov	edi, 2
		mov	ecx, esi
		shl	edi, cl
		or	edi, edx
		mov	ecx, edi
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		mov	edx, edi
		jz	short loc_47C4D1
		mov	edx, eax

loc_47C4D1:				; CODE XREF: .text:0047C4CDj
		mov	ecx, [ebp-34h]
		jmp	short loc_47C463
; 

loc_47C4D6:				; CODE XREF: .text:0047C478j
		mov	ecx, edx
		bts	ecx, esi
		mov	eax, edi
		not	eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	loc_47CAC2
		mov	eax, [ebp-38h]
		mov	edi, [eax]
		nop
		mov	eax, [eax+4]
		mov	[ebp-24h], eax
		mov	[ebp-68h], eax
		mov	al, [ebp-20h]
		mov	[ebp-1Fh], al
		mov	esi, [ebp-58h]
		add	esi, esi
		mov	ecx, esi
		and	ecx, 1Fh
		mov	al, byte_6D5EE0
		and	al, 7
		cmp	al, 2
		jb	short loc_47C56C
		xor	edx, edx
		mov	ebx, [ebp-60h]
		cmp	ebx, 603018h
		jz	short loc_47C53A
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_47C54E
		cmp	ebx, 603010h
		jnz	short loc_47C54E

loc_47C53A:				; CODE XREF: .text:0047C524j
		cmp	al, 7
		jnz	short loc_47C545
		mov	edx, offset unk_6D2E58
		jmp	short loc_47C54E
; 

loc_47C545:				; CODE XREF: .text:0047C53Cj
		cmp	al, 5
		jnz	short loc_47C54E
		mov	edx, offset unk_6D2E54

loc_47C54E:				; CODE XREF: .text:0047C530j
					; .text:0047C538j ...
		test	edx, edx
		jz	short loc_47C560
		mov	ecx, 603018h
		sub	ecx, ebx
		sar	ecx, 3
		add	ecx, ecx
		jmp	short loc_47C58F
; 

loc_47C560:				; CODE XREF: .text:0047C550j
		shr	esi, 5
		lea	edx, unk_6D2C54[esi*4]
		jmp	short loc_47C58F
; 

loc_47C56C:				; CODE XREF: .text:0047C517j
		shr	esi, 5
		test	al, al
		jnz	short loc_47C581
		mov	edx, dword_6D5E8C
		add	edx, 0D90h
		jmp	short loc_47C58C
; 

loc_47C581:				; CODE XREF: .text:0047C571j
		mov	edx, offset unk_6D5DC0
		add	edx, 1E0h

loc_47C58C:				; CODE XREF: .text:0047C57Fj
		lea	edx, [edx+esi*4]

loc_47C58F:				; CODE XREF: .text:0047C55Ej
					; .text:0047C56Aj
		mov	[ebp-64h], ecx
		mov	ebx, [edx]
		mov	ecx, [ebp-64h]
		jmp	short loc_47C5A0
; 
		align 10h

loc_47C5A0:				; CODE XREF: .text:0047C597j
					; .text:0047CABDj
		mov	esi, ebx
		btr	esi, ecx
		mov	eax, 2
		shl	eax, cl
		not	eax
		and	esi, eax
		mov	eax, ebx
		lock cmpxchg [edx], esi
		cmp	eax, ebx
		jnz	loc_47CABB
		mov	dl, [ebp-1Fh]
		mov	ecx, offset unk_6D5E80
		call	MiUnlockWorkingSetShared
		mov	[ebp-8Ch], edi
		mov	esi, [ebp-24h]
		mov	[ebp-88h], esi
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	short loc_47C605
		mov	ebx, [ebp-30h]
		test	ebx, ebx
		jz	loc_47C9FA
		push	ecx
		mov	edx, [ebp-38h]
		mov	ecx, ebx
		call	_MiMapSystemCachePage@12 ; MiMapSystemCachePage(x,x,x)
		mov	[ebp-2Ch], eax
		test	eax, eax
		jnz	loc_47C9FA

loc_47C605:				; CODE XREF: .text:0047C5E2j
		mov	[ebp-6Ch], edi
		mov	ecx, dword_6D0700
		mov	edx, dword_6D0704
		mov	eax, ecx
		or	eax, edx
		jz	short loc_47C63F
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_47C636
		not	ecx
		not	edx
		and	ecx, edi
		and	edx, esi
		mov	[ebp-6Ch], ecx
		mov	eax, edx
		mov	[ebp-24h], eax
		jmp	short loc_47C641
; 

loc_47C636:				; CODE XREF: .text:0047C622j
		and	edi, 0FFFFFFEFh
		mov	[ebp-24h], esi
		mov	[ebp-6Ch], edi

loc_47C63F:				; CODE XREF: .text:0047C618j
		mov	eax, esi

loc_47C641:				; CODE XREF: .text:0047C634j
					; .text:0047C8E3j ...
		mov	dword ptr [ebp-84h], 0
		mov	dword ptr [ebp-80h], 0
		mov	byte ptr [ebp-1Eh], 21h
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp-34h], eax

loc_47C661:				; CODE XREF: .text:0047C6AEj
					; .text:0047C6CAj ...
		mov	dword ptr [ebp-6Ch], 0
		mov	dword ptr [ebp-68h], 0
		mov	esi, [eax-40000000h]
		nop
		mov	ecx, [eax-3FFFFFFCh]
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_47CAA5
		mov	eax, esi
		and	eax, 200h
		or	eax, 0
		jnz	loc_47CAA5
		nop
		shrd	esi, ecx, 0Ch
		and	esi, 1FFFFFFh
		cmp	esi, dword_6D07B0
		mov	eax, [ebp-34h]
		ja	short loc_47C661
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, dword_6D35B8
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		mov	eax, [ebp-34h]
		jz	short loc_47C661
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [eax+ecx*4]
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp-1Fh], al
		mov	dword ptr [ebp-68h], 0
		lea	ebx, [edi+10h]
		lock bts dword ptr [ebx], 1Fh
		jnb	short loc_47C714
		lea	esp, [esp+0]

loc_47C700:				; CODE XREF: .text:0047C70Bj
					; .text:0047C712j
		lea	ecx, [ebp-68h]
		call	KeYieldProcessorEx
		cmp	dword ptr [ebx], 0
		jl	short loc_47C700
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_47C700

loc_47C714:				; CODE XREF: .text:0047C6F7j
		mov	dword ptr [ebp-5Ch], 0
		mov	dword ptr [ebp-58h], 0
		mov	edx, [ebp-34h]
		mov	ecx, [edx-40000000h]
		nop
		mov	edx, [edx-3FFFFFFCh]
		mov	[ebp-94h], ecx
		mov	[ebp-90h], edx
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_47CA8E
		mov	eax, ecx
		and	eax, 200h
		or	eax, 0
		jnz	loc_47CA8E
		nop
		shrd	ecx, edx, 0Ch
		and	ecx, 1FFFFFFh
		cmp	esi, ecx
		jnz	loc_47CA8E
		lea	edx, [eax+1]
		mov	ecx, edi
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	cl, [ebp-1Fh]
		cmp	cl, 21h
		jz	loc_47C81F
		mov	[ebp-1Eh], cl
		mov	dword ptr [ebp-4Ch], 0
		mov	byte ptr [ebp-1Dh], 0
		mov	esi, [edi+4]
		or	esi, 80000000h
		mov	al, [edi+16h]
		test	al, 20h
		jz	short loc_47C7E5

loc_47C7A3:				; CODE XREF: .text:0047C7E3j
		mov	eax, 7FFFFFFFh
		lock and [ebx],	eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	dword ptr [ebp-4Ch], 0
		mov	al, [edi+16h]
		mov	[ebp-1Dh], al
		test	al, 20h
		jz	short loc_47C7D4

loc_47C7C2:				; CODE XREF: .text:0047C7D2j
		lea	ecx, [ebp-4Ch]
		call	KeYieldProcessorEx
		mov	al, [edi+16h]
		mov	[ebp-1Dh], al
		test	al, 20h
		jnz	short loc_47C7C2

loc_47C7D4:				; CODE XREF: .text:0047C7C0j
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	al, [edi+16h]
		test	al, 20h
		mov	cl, [ebp-1Fh]
		jnz	short loc_47C7A3

loc_47C7E5:				; CODE XREF: .text:0047C7A1j
		or	al, 20h
		mov	[edi+16h], al
		test	dword ptr [ebx], 40000000h
		jnz	short loc_47C815
		mov	edx, [esi]
		nop
		mov	eax, [esi+4]
		mov	[ebp-58h], eax
		and	edx, 20h
		or	edx, 0
		jnz	short loc_47C815
		mov	[ebp-60h], dl
		push	dword ptr [ebp-60h]
		mov	edx, 1
		mov	ecx, esi
		call	_MiWriteValidPteVolatile@12 ; MiWriteValidPteVolatile(x,x,x)

loc_47C815:				; CODE XREF: .text:0047C7F0j
					; .text:0047C801j
		mov	eax, 7FFFFFFFh
		lock and [ebx],	eax
		jmp	short loc_47C828
; 

loc_47C81F:				; CODE XREF: .text:0047C77Fj
		mov	dl, 21h
		mov	ecx, edi
		call	_MiLockOwnedProtoPage@8	; MiLockOwnedProtoPage(x,x)

loc_47C828:				; CODE XREF: .text:0047C81Dj
		test	edi, edi
		jz	loc_47CAA5
		xor	edx, edx
		mov	ebx, [ebp-24h]
		mov	ecx, ebx
		call	MiLockLeafPage
		mov	[ebp-34h], eax
		mov	edx, [ebx]
		nop
		mov	ecx, [ebx+4]
		mov	[ebp-84h], edx
		mov	[ebp-80h], ecx
		test	eax, eax
		jz	loc_47C93C
		and	edx, 1
		or	edx, 0
		jz	short loc_47C86E
		mov	edx, 1
		mov	ecx, eax
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		xor	esi, esi
		jmp	short loc_47C88D
; 

loc_47C86E:				; CODE XREF: .text:0047C85Cj
		mov	edx, [ebp+10h]
		mov	ecx, ebx
		call	MiUnlinkStandbyPfn
		mov	esi, eax
		test	esi, esi
		jnz	short loc_47C88D
		mov	ecx, [ebx]
		nop
		mov	edx, [ebx+4]
		mov	[ebp-84h], ecx
		mov	[ebp-80h], edx

loc_47C88D:				; CODE XREF: .text:0047C86Cj
					; .text:0047C87Cj
		xor	eax, eax
		mov	[ebp-58h], eax
		mov	[ebp-28h], eax
		xor	ebx, ebx
		cmp	[ebp-30h], eax
		jz	short loc_47C8BB
		test	esi, esi
		jnz	short loc_47C8BB
		xor	edx, edx
		mov	ecx, [ebp-34h]
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		test	eax, eax
		jnz	short loc_47C8BB
		mov	eax, 0C000009Ah
		mov	[ebp-58h], eax
		mov	[ebp-28h], eax
		mov	ebx, eax

loc_47C8BB:				; CODE XREF: .text:0047C89Aj
					; .text:0047C89Ej ...
		mov	eax, [ebp-34h]
		add	eax, 10h
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	dl, [ebp-1Eh]
		mov	ecx, edi
		call	MiUnlockProtoPoolPage
		xor	edi, edi
		test	ebx, ebx
		js	loc_47CAE8
		cmp	esi, 1
		mov	eax, [ebp-24h]
		jz	loc_47C641
		cmp	esi, 2
		jnz	short loc_47C911

loc_47C8EE:				; CODE XREF: .text:0047C9BAj
		push	0
		push	0
		push	dword ptr [ebp-3Ch]
		push	0
		call	MmAccessFault
		mov	edi, eax
		mov	[ebp-28h], edi
		test	edi, edi
		js	loc_47CAEB

loc_47C909:				; CODE XREF: .text:0047C9EAj
		mov	eax, [ebp-24h]
		jmp	loc_47C641
; 

loc_47C911:				; CODE XREF: .text:0047C8ECj
		mov	ecx, [ebp-30h]
		test	ecx, ecx
		jz	loc_47CA40
		mov	edx, [ebp-84h]
		nop
		mov	eax, [ebp-80h]
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		call	_MiMapFrame@8	; MiMapFrame(x,x)
		mov	esi, eax
		jmp	loc_47CA43
; 

loc_47C93C:				; CODE XREF: .text:0047C850j
		mov	dword ptr [ebp-70h], 0
		lea	esi, [edi+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_47C964
		lea	ecx, [ecx+0]

loc_47C950:				; CODE XREF: .text:0047C95Bj
					; .text:0047C962j
		lea	ecx, [ebp-70h]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_47C950
		lock bts dword ptr [esi], 1Fh
		jb	short loc_47C950

loc_47C964:				; CODE XREF: .text:0047C94Bj
		mov	al, [edi+16h]
		and	al, 0DFh
		mov	[edi+16h], al
		mov	ecx, edi
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		test	eax, eax
		jz	short loc_47C99A
		mov	ecx, edi
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		lea	eax, [ecx+edx]
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		mov	ecx, edi
		call	MiPfnReferenceCountIsZero

loc_47C99A:				; CODE XREF: .text:0047C975j
		mov	ebx, 7FFFFFFFh
		lock and [esi],	ebx
		mov	cl, [ebp-1Eh]
		cmp	cl, 21h
		jz	short loc_47C9B0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_47C9B0:				; CODE XREF: .text:0047C9A8j
		mov	eax, [ebp-74h]
		test	dword ptr [eax+1Ch], 40000000h
		jnz	loc_47C8EE
		lea	eax, [ebp-28h]
		push	eax
		lea	eax, [ebp-84h]
		push	eax
		push	dword ptr [ebp+10h]
		push	dword ptr [ebp+0Ch]
		push	dword ptr [ebp+8]
		mov	edx, [ebp-40h]
		mov	ecx, [ebp-24h]
		call	_MiMakePageAvoidRead@28	; MiMakePageAvoidRead(x,x,x,x,x,x,x)
		test	eax, eax
		jz	loc_47CA77
		sub	eax, 1
		jz	loc_47C909
		sub	eax, 2
		jz	short loc_47CA39
		sub	eax, 1
		jnz	short loc_47CA40

loc_47C9FA:				; CODE XREF: .text:0047C5E9j
					; .text:0047C5FFj
		mov	esi, [ebp-2Ch]

loc_47C9FD:				; CODE XREF: .text:0047C311j
					; .text:0047C360j ...
		xor	edi, edi
		mov	[ebp-28h], edi
		cmp	[ebp-50h], edi
		jz	loc_47CAEB
		test	esi, esi
		jnz	short loc_47CA12
		mov	esi, [ebp-3Ch]

loc_47CA12:				; CODE XREF: .text:0047CA0Dj
		mov	dword ptr [ebp-4], 1
		mov	eax, [ebp+8]
		add	eax, esi
		push	dword ptr [ebp+0Ch]
		push	dword ptr [ebp-40h]
		push	eax
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_47CAEB
; 

loc_47CA39:				; CODE XREF: .text:0047C9F3j
		mov	dword ptr [ebp-50h], 0

loc_47CA40:				; CODE XREF: .text:0047C916j
					; .text:0047C9F8j
		mov	esi, [ebp-2Ch]

loc_47CA43:				; CODE XREF: .text:0047C937j
		push	dword ptr [ebp-80h]
		push	dword ptr [ebp-84h]
		push	ecx
		mov	edx, [ebp-38h]
		mov	ecx, offset unk_6D5E80
		call	MiMakeSystemCachePteValid
		jmp	short loc_47C9FD
; 

loc_47CA5C:				; DATA XREF: .text:006A1220o
		mov	edx, [ebp-14h]
		lea	ecx, [ebp-28h]
		call	_MiMapCacheExceptionFilter@8 ; MiMapCacheExceptionFilter(x,x)
		retn
; 

loc_47CA68:				; DATA XREF: .text:006A1224o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-28h]
		jmp	short loc_47CAEB
; 

loc_47CA77:				; CODE XREF: .text:0047C9E1j
		mov	eax, [ebp-28h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_47CA8E:				; CODE XREF: .text:0047C746j
					; .text:0047C756j ...
		mov	eax, 7FFFFFFFh
		lock and [ebx],	eax
		mov	al, [ebp-1Fh]
		cmp	al, 21h
		jz	short loc_47CAA5
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_47CAA5:				; CODE XREF: .text:0047C684j
					; .text:0047C694j ...
		push	0
		push	0
		push	dword ptr [ebp-24h]
		push	2
		call	MmAccessFault
		mov	eax, [ebp-34h]
		jmp	loc_47C661
; 

loc_47CABB:				; CODE XREF: .text:0047C5B8j
		mov	ebx, eax
		jmp	loc_47C5A0
; 

loc_47CAC2:				; CODE XREF: .text:0047C4E9j
		mov	edx, eax
		jmp	loc_47C470
; 

loc_47CAC9:				; DATA XREF: .text:006A1214o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-78h], eax
		mov	eax, 1
		retn
; 

loc_47CAD9:				; DATA XREF: .text:006A1218o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-78h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_47CAEB
; 

loc_47CAE8:				; CODE XREF: .text:0047C8D7j
		mov	edi, [ebp-58h]

loc_47CAEB:				; CODE XREF: .text:0047C903j
					; .text:0047CA05j ...
		mov	eax, [ebp-30h]
		test	eax, eax
		jz	short loc_47CB4F
		mov	esi, [eax]
		nop
		mov	ebx, [eax+4]
		push	1
		mov	edx, eax
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_47CB4F
		nop
		shrd	esi, ebx, 0Ch
		and	esi, 1FFFFFFh
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+ecx*4]
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	bl, al
		mov	ecx, esi
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		lea	ecx, [esi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_47CB4F:				; CODE XREF: .text:0047CAF0j
					; .text:0047CB0Ej
		mov	eax, edi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_47CB65:				; CODE XREF: .text:0047C265j
					; .text:0047C26Dj
		push	ecx
		push	edx
		push	ebx
		push	776h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 3 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockLeafPage	proc near		; CODE XREF: .text:004785E1p
					; .text:0047C837p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A7F12 SIZE 00000009 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 28h
		push	esi
		mov	esi, ecx
		mov	[esp+2Ch+var_4], edx
		push	edi
		mov	[esp+30h+var_1C], esi
		jmp	short loc_47CBA0
; 
		align 10h

loc_47CBA0:				; CODE XREF: MiLockLeafPage+17j
					; MiLockLeafPage+92j ...
		mov	edi, [esi]
		mov	[esp+30h+var_10], 0
		mov	[esp+30h+var_C], 0
		nop
		mov	edx, [esi+4]
		mov	eax, edi
		and	eax, 1
		mov	[esp+30h+var_18], edx
		or	eax, 0
		jnz	loc_47CCDC
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		jz	short loc_47CBDC

loc_47CBD4:				; CODE XREF: MiLockLeafPage+66j
		xor	eax, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_47CBDC:				; CODE XREF: MiLockLeafPage+52j
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jz	short loc_47CBD4
		mov	eax, edi
		or	eax, edx
		jz	short loc_47CC14
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edx, dword_6D0704
		or	eax, edx
		mov	[esp+30h+var_20], edx
		mov	edx, [esp+30h+var_18]
		jz	short loc_47CC14
		mov	eax, [esp+30h+var_20]
		and	ecx, edi
		and	eax, edx
		or	ecx, eax
		jz	short loc_47CBA0

loc_47CC14:				; CODE XREF: MiLockLeafPage+6Cj
					; MiLockLeafPage+86j
		mov	eax, dword_6D0700
		mov	ecx, edi
		mov	esi, dword_6D0704
		mov	[esp+30h+var_14], eax
		or	eax, esi
		mov	[esp+30h+var_10], esi
		mov	esi, [esp+30h+var_1C]
		mov	[esp+30h+var_24], ecx
		mov	[esp+30h+var_20], edx
		jz	short loc_47CC59
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	loc_5A7F12
		mov	ecx, [esp+30h+var_14]
		mov	edx, [esp+30h+var_10]
		not	ecx
		not	edx
		and	ecx, edi
		and	edx, [esp+30h+var_20]

loc_47CC59:				; CODE XREF: MiLockLeafPage+B7j
					; MiLockLeafPage+12B396j
		shrd	ecx, edx, 0Ch
		and	ecx, 3FFFFFFh

loc_47CC63:				; CODE XREF: MiLockLeafPage+16Bj
		mov	[esp+30h+var_20], ecx
		cmp	ecx, dword_6D07B0
		ja	loc_47CBA0
		mov	eax, dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_47CBA0
		mov	eax, [esp+30h+var_20]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		cmp	[esp+30h+var_4], 0
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+ecx*4]
		lea	eax, [ecx+10h]
		mov	[esp+30h+var_20], ecx
		mov	[esp+30h+var_24], eax
		jnz	short loc_47CCF0
		mov	[esp+30h+var_10], 0
		lock bts dword ptr [eax], 1Fh
		jb	short loc_47CCFB

loc_47CCC4:				; CODE XREF: MiLockLeafPage+179j
					; MiLockLeafPage+19Ej
		mov	eax, [esi]
		nop
		mov	edx, [esi+4]
		cmp	eax, edi
		jnz	short loc_47CD20
		cmp	edx, [esp+30h+var_18]
		jnz	short loc_47CD20
		pop	edi
		mov	eax, ecx
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_47CCDC:				; CODE XREF: MiLockLeafPage+42j
		nop
		mov	ecx, edi
		mov	eax, edx
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		jmp	loc_47CC63
; 

loc_47CCF0:				; CODE XREF: MiLockLeafPage+133j
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	ecx, [esp+30h+var_20]
		jmp	short loc_47CCC4
; 

loc_47CCFB:				; CODE XREF: MiLockLeafPage+142j
		mov	esi, [esp+30h+var_24]
		nop

loc_47CD00:				; CODE XREF: MiLockLeafPage+18Dj
					; MiLockLeafPage+194j
		lea	ecx, [esp+30h+var_10]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_47CD00
		lock bts dword ptr [esi], 1Fh
		jb	short loc_47CD00
		mov	esi, [esp+30h+var_1C]
		mov	ecx, [esp+30h+var_20]
		jmp	short loc_47CCC4
; 

loc_47CD20:				; CODE XREF: MiLockLeafPage+14Cj
					; MiLockLeafPage+152j
		mov	eax, [esp+30h+var_24]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	loc_47CBA0
MiLockLeafPage	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiIsPfnCommitNotCharged(x)
_MiIsPfnCommitNotCharged@4 proc	near	; CODE XREF: MiMigratePfn(x,x,x,x):loc_45F847p
					; MiWriteCompletePfn+C8p ...
		mov	edx, ds:_MmHighestUserAddress
		mov	eax, [ecx+4]
		shr	edx, 9
		or	eax, 80000000h
		and	edx, offset loc_7FFFF8
		sub	edx, 40000000h
		cmp	eax, edx
		jbe	short loc_47CD64

loc_47CD61:				; CODE XREF: MiIsPfnCommitNotCharged(x)+29j
		xor	eax, eax
		retn
; 

loc_47CD64:				; CODE XREF: MiIsPfnCommitNotCharged(x)+1Fj
		cmp	eax, 0C0000000h
		jb	short loc_47CD61
		movzx	eax, byte ptr [ecx+17h]
		shr	eax, 5
		and	eax, 1
		retn
_MiIsPfnCommitNotCharged@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiControlAreaUsingExtents(x)
_MiControlAreaUsingExtents@4 proc near	; CODE XREF: MiPfPrepareReadList+2B5p
					; MiPfPrepareSequentialReadList+1D4p ...
		mov	eax, [ecx+1Ch]
		shr	eax, 1Eh
		and	eax, 1
		retn
_MiControlAreaUsingExtents@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockProtoPoolPage proc near		; CODE XREF: MiHandleCollidedFault(x,x,x,x,x,x)+33p
					; MiHandleCollidedFault(x,x,x,x,x,x)+D3p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B3E06 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], 0
		push	edi
		mov	bl, dl
		lea	edi, [esi+10h]
		lock bts dword ptr [edi], 1Fh
		jb	short loc_47CDD1

loc_47CD9E:				; CODE XREF: MiUnlockProtoPoolPage+64j
		mov	al, [esi+16h]
		mov	ecx, esi
		and	al, 0DFh
		mov	[esi+16h], al
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		test	eax, eax
		jnz	loc_5B3E06

loc_47CDB5:				; CODE XREF: MiUnlockProtoPoolPage+1370A9j
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		cmp	bl, 21h
		jz	short loc_47CDCA
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_47CDCA:				; CODE XREF: MiUnlockProtoPoolPage+40j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_47CDD1:				; CODE XREF: MiUnlockProtoPoolPage+1Cj
					; MiUnlockProtoPoolPage+5Dj ...
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_47CDD1
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_47CD9E
		jmp	short loc_47CDD1
MiUnlockProtoPoolPage endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPfPutPagesInTransition proc near	; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+89p
					; MiPrefetchControlArea(x,x,x,x,x,x,x)+58p ...

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005B3E2E SIZE 00000385 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 90h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_14], ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_90]
		mov	[ebp+var_78], edx
		stosd
		mov	[ebp+var_70], 0
		mov	[ebp+var_6C], 0
		mov	[ebp+var_54], 0
		stosd
		mov	[ebp+var_8], 0
		mov	[ebp+var_58], 0
		stosd
		mov	edi, ecx
		mov	eax, [edi+28h]
		mov	[ebp+var_48], eax
		mov	eax, [edi+2Ch]
		mov	[ebp+var_64], eax
		mov	eax, large fs:124h
		mov	ecx, large fs:124h
		mov	[ebp+var_2], 21h
		mov	esi, [eax+80h]
		mov	eax, [edi+30h]
		inc	eax
		mov	[ebp+var_74], eax
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		mov	ebx, [edi+48h]
		lea	edx, [ebp+var_90]
		mov	cl, byte ptr [ebp+var_48]
		mov	[ebp+var_60], eax
		and	cl, 7
		lea	eax, [edi+48h]
		mov	[ebp+var_24], 0
		mov	[ebp+var_44], eax
		or	cl, 18h
		mov	eax, [edi+4]
		mov	byte ptr [ebp+var_24], cl
		lea	ecx, [esi+240h]
		mov	[ebp+var_28], ebx
		mov	[ebp+var_18], 0
		mov	eax, [eax+1Ch]
		shr	eax, 14h
		and	eax, 3Fh
		push	eax
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		lea	eax, [edi+48h]
		cmp	ebx, eax
		jz	loc_47D1CC
		mov	al, [ebp+var_2]
		mov	esi, [ebp+var_24]
		mov	[ebp+var_1], al
		mov	edi, edi

loc_47CEC0:				; CODE XREF: MiPfPutPagesInTransition+3D6j
		cmp	[ebp+var_60], 2
		mov	[ebp+var_80], ebx
		jl	short loc_47CED5
		test	byte ptr [edi+3Ch], 1
		jz	short loc_47CEDC
		or	dword ptr [ebx+78h], 20h
		jmp	short loc_47CEDC
; 

loc_47CED5:				; CODE XREF: MiPfPutPagesInTransition+D7j
		or	dword ptr [ebx+78h], 80h

loc_47CEDC:				; CODE XREF: MiPfPutPagesInTransition+DDj
					; MiPfPutPagesInTransition+E3j
		mov	edi, [ebx+90h]
		mov	ecx, [ebx+98h]
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], edi
		mov	eax, [edi]
		and	eax, 0FFFFFFFCh
		mov	[ebx+90h], eax
		mov	eax, [edi]
		mov	edx, [ecx+18h]
		and	eax, 0FFFFFFFCh
		add	edx, [ecx+10h]
		mov	[ebp+var_7C], eax
		and	edx, 0FFFh
		mov	eax, [ebx+7Ch]
		add	edx, 0FFFh
		add	eax, 4
		mov	[ebp+var_68], eax
		lea	eax, [ecx+1Ch]
		mov	ecx, [ecx+14h]
		add	edx, ecx
		shr	edx, 0Ch
		mov	[ebp+var_84], eax
		test	edx, edx
		jz	short loc_47CF42

loc_47CF31:				; CODE XREF: MiPfPutPagesInTransition+150j
		mov	ecx, dword_6D34EC
		lea	eax, [eax+4]
		mov	[eax-4], ecx
		sub	edx, 1
		jnz	short loc_47CF31

loc_47CF42:				; CODE XREF: MiPfPutPagesInTransition+13Fj
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		cmp	[ebp+var_18], ebx
		jnz	short loc_47CF6D
		xor	ecx, ecx
		call	_MiGetInPageSupportBlock@4 ; MiGetInPageSupportBlock(x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	short loc_47CF6D
		push	[ebp+var_48]
		mov	edx, [ebp+var_64]
		mov	ecx, eax
		mov	[eax+94h], ebx
		call	_MiSetInPagePriority@12	; MiSetInPagePriority(x,x,x)

loc_47CF6D:				; CODE XREF: MiPfPutPagesInTransition+15Aj
					; MiPfPutPagesInTransition+168j
		cmp	edi, [ebp+var_68]
		jnb	loc_47D175

loc_47CF76:				; CODE XREF: MiPfPutPagesInTransition+37Cj
		mov	ebx, [edi]
		mov	ecx, [ebp+var_8]
		and	ebx, 0FFFFFFFCh
		mov	edi, ebx
		shr	edi, 9
		mov	eax, edi
		test	ecx, ecx
		jz	loc_47D228
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	[ebp+var_58], eax
		jnz	loc_5B3E2E

loc_47CFA0:				; CODE XREF: MiPfPutPagesInTransition+465j
		xor	edx, edx
		mov	ecx, ebx
		call	MiLockLeafPage
		mov	edx, [ebx]
		mov	edi, eax
		mov	[ebp+var_2C], edx
		nop
		mov	ecx, [ebx+4]
		mov	[ebp+var_34], ecx
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], ecx
		test	edi, edi
		jnz	loc_47D2FF
		mov	eax, edx
		and	eax, 400h
		or	eax, edi
		jz	loc_5B3E93
		mov	eax, dword_6D0704
		mov	edi, ecx
		mov	ecx, dword_6D0700
		mov	[ebp+var_3C], eax
		mov	eax, ecx
		or	eax, [ebp+var_3C]
		mov	[ebp+var_10], edi
		jz	short loc_47CFFC
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jz	loc_47D1F7

loc_47CFFC:				; CODE XREF: MiPfPutPagesInTransition+1FCj
					; MiPfPutPagesInTransition+40Fj
		mov	eax, [ebp+var_14]
		mov	eax, [eax+4]
		test	dword ptr [eax+1Ch], 40000000h
		jnz	loc_47D409
		mov	ecx, [edi]
		mov	[ebp+var_C], 1
		mov	eax, [ecx+1Ch]
		test	al, 20h
		jnz	loc_47D204

loc_47D023:				; CODE XREF: MiPfPutPagesInTransition+419j
					; MiPfPutPagesInTransition+426j ...
		mov	eax, 14h

loc_47D028:				; CODE XREF: MiPfPutPagesInTransition+13709Ej
		mov	ecx, [ebp+var_14]
		add	ecx, eax
		mov	[ebp+var_3C], eax
		mov	edx, [ecx]
		mov	[ebp+var_10], edx
		test	edx, edx
		jz	loc_5B3EBA
		mov	eax, [edx]
		mov	[ecx], eax
		mov	ecx, edx
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_10]

loc_47D062:				; CODE XREF: MiPfPutPagesInTransition+137198j
		mov	ecx, [ebp+var_4C]
		mov	[ebp+var_3C], 0
		test	byte ptr [ecx],	1
		jnz	loc_47D2AF

loc_47D075:				; CODE XREF: MiPfPutPagesInTransition+4D4j
					; MiPfPutPagesInTransition+4DDj
		cmp	[ebp+var_C], 1
		jnz	loc_5B3FAF
		mov	ecx, [ebp+var_28]
		cmp	dword ptr [ecx+94h], 0
		jz	loc_47D25A

loc_47D08F:				; CODE XREF: MiPfPutPagesInTransition+473j
		inc	[ebp+var_1C]
		lea	edx, [ebp+var_30]
		push	esi
		push	ecx
		push	ebx
		push	1
		or	ecx, 0FFFFFFFFh
		call	_MiInitializeReadInProgressPfn@24 ; MiInitializeReadInProgressPfn(x,x,x,x,x,x)
		mov	ecx, [ebp+var_14]
		mov	eax, [ecx+4]
		mov	[ebp+var_2C], eax
		test	byte ptr [eax+1Ch], 20h
		jnz	loc_47D221
		cmp	dword ptr [eax+20h], 0
		jz	loc_47D221

loc_47D0BF:				; CODE XREF: MiPfPutPagesInTransition+433j
		add	eax, 24h
		mov	cl, 2
		mov	[ebp+var_C], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_1D], al
		jnz	loc_5B3F8D
		mov	[ebp+var_5C], 0
		lock bts dword ptr [ecx], 1Fh
		jb	loc_47D31B

loc_47D0F2:				; CODE XREF: MiPfPutPagesInTransition+538j
		mov	eax, [ecx]
		mov	[ebp+var_34], eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_47D32D
		mov	dl, [ebp+var_2]
		mov	[ebp+var_1], dl

loc_47D10D:				; CODE XREF: MiPfPutPagesInTransition+585j
					; MiPfPutPagesInTransition+1371A7j
		mov	eax, [ebp+var_2C]
		inc	dword ptr [eax+10h]
		test	edi, edi
		jz	short loc_47D11A
		inc	dword ptr [edi+40h]

loc_47D11A:				; CODE XREF: MiPfPutPagesInTransition+325j
		test	ds:byte_70EFC6,	1
		jnz	loc_5B3F9C
		mov	dword ptr [ecx], 0

loc_47D12D:				; CODE XREF: MiPfPutPagesInTransition+1371BAj
		mov	cl, [ebp+var_1D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		sub	ebx, [ebp+var_7C]
		mov	eax, [ebp+var_50]
		mov	edi, [ebp+var_30]
		sar	ebx, 3
		mov	[eax+ebx*4+1Ch], edi
		mov	ebx, [ebp+var_28]
		cmp	dword ptr [ebx+5Ch], 0
		jz	loc_47D268
		mov	eax, [ebp+var_8]

loc_47D156:				; CODE XREF: MiPfPutPagesInTransition+488j
		cmp	[ebp+var_3C], 1
		jz	loc_47D2D2

loc_47D160:				; CODE XREF: MiPfPutPagesInTransition+50Aj
					; MiPfPutPagesInTransition+526j ...
		mov	edi, [ebp+var_4C]
		add	edi, 4
		mov	[ebp+var_4C], edi
		cmp	edi, [ebp+var_68]
		jb	loc_47CF76

loc_47D172:				; CODE XREF: MiPfPutPagesInTransition+1370D9j
					; MiPfPutPagesInTransition+1370EAj ...
		mov	ebx, [ebp+var_1C]

loc_47D175:				; CODE XREF: MiPfPutPagesInTransition+180j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_47D18D
		mov	dl, [ebp+var_1]
		mov	ecx, eax
		call	MiUnlockProtoPoolPage
		mov	[ebp+var_8], 0

loc_47D18D:				; CODE XREF: MiPfPutPagesInTransition+38Aj
					; MiPfPutPagesInTransition+63Fj
		test	ebx, ebx
		jz	loc_47D37A
		mov	ecx, [ebp+var_50]
		call	_MiReduceMdl@4	; MiReduceMdl(x)
		mov	ebx, [ebp+var_28]
		test	eax, eax
		jnz	loc_47D3B0

loc_47D1A8:				; CODE XREF: MiPfPutPagesInTransition+5F7j
		mov	ecx, [ebp+var_50]
		lea	edi, [ebx+0A8h]
		cmp	ecx, edi
		jnz	loc_47D27D

loc_47D1B9:				; CODE XREF: MiPfPutPagesInTransition+494j
					; MiPfPutPagesInTransition+4BAj
		mov	ebx, [ebx]
		mov	edi, [ebp+var_14]
		mov	[ebp+var_28], ebx

loc_47D1C1:				; CODE XREF: MiPfPutPagesInTransition+5BBj
		lea	eax, [edi+48h]
		cmp	ebx, eax
		jnz	loc_47CEC0

loc_47D1CC:				; CODE XREF: MiPfPutPagesInTransition+BFj
		mov	ecx, edi
		call	MiFreeReadListPages
		mov	eax, [ebp+var_54]
		test	eax, eax
		jnz	loc_47D3F3

loc_47D1DE:				; CODE XREF: MiPfPutPagesInTransition+611j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_47D1EC
		mov	ecx, eax
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)

loc_47D1EC:				; CODE XREF: MiPfPutPagesInTransition+3F3j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_47D1F7:				; CODE XREF: MiPfPutPagesInTransition+206j
		mov	edi, [ebp+var_3C]
		not	edi
		and	edi, [ebp+var_10]
		jmp	loc_47CFFC
; 

loc_47D204:				; CODE XREF: MiPfPutPagesInTransition+22Dj
		test	eax, 40000000h
		jnz	loc_47D023
		test	dword ptr [ecx+34h], 0C0000h
		jz	loc_47D023
		jmp	loc_5B3E4E
; 

loc_47D221:				; CODE XREF: MiPfPutPagesInTransition+2BFj
					; MiPfPutPagesInTransition+2C9j
		xor	edi, edi
		jmp	loc_47D0BF
; 

loc_47D228:				; CODE XREF: MiPfPutPagesInTransition+197j
					; MiPfPutPagesInTransition+137048j
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_58], eax

loc_47D235:				; CODE XREF: MiPfPutPagesInTransition+137059j
		lea	edx, [ebp+var_2]
		mov	ecx, ebx
		call	MiLockProtoPoolPage
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	loc_5B3E3D
		mov	al, [ebp+var_2]
		mov	esi, [ebp+var_24]
		mov	[ebp+var_1], al
		jmp	loc_47CFA0
; 

loc_47D25A:				; CODE XREF: MiPfPutPagesInTransition+299j
		mov	eax, [ebp+var_10]
		mov	[ecx+94h], eax
		jmp	loc_47D08F
; 

loc_47D268:				; CODE XREF: MiPfPutPagesInTransition+35Dj
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	_MiObtainProtoReference@8 ; MiObtainProtoReference(x,x)
		mov	eax, [ebp+var_8]
		mov	[ebx+5Ch], eax
		jmp	loc_47D156
; 

loc_47D27D:				; CODE XREF: MiPfPutPagesInTransition+3C3j
		cmp	dword ptr [ecx+14h], 10000h
		ja	loc_47D1B9
		movsx	eax, word ptr [ecx+4]
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+var_50]
		add	esp, 0Ch
		mov	ecx, [ebp+var_54]
		mov	[ebp+var_54], eax
		mov	[eax], ecx
		mov	[ebx+98h], edi
		jmp	loc_47D1B9
; 

loc_47D2AF:				; CODE XREF: MiPfPutPagesInTransition+27Fj
		mov	edx, 1
		mov	[ebp+var_3C], 0
		mov	ecx, eax
		call	_MiPfnZeroingNeeded@8 ;	MiPfnZeroingNeeded(x,x)
		test	eax, eax
		jz	loc_47D075
		mov	[ebp+var_3C], edx
		jmp	loc_47D075
; 

loc_47D2D2:				; CODE XREF: MiPfPutPagesInTransition+36Aj
		mov	dl, [ebp+var_1]
		mov	ecx, eax
		call	MiUnlockProtoPoolPage
		mov	eax, [ebp+var_10]
		mov	edx, 1
		mov	ecx, edi
		mov	[ebp+var_8], 0
		movzx	eax, byte ptr [eax+16h]
		shr	eax, 6
		push	eax
		call	MiZeroPhysicalPage
		jmp	loc_47D160
; 

loc_47D2FF:				; CODE XREF: MiPfPutPagesInTransition+1CFj
		mov	edx, [ebp+var_48]
		mov	ecx, edi
		push	0
		call	_MiUpdatePfnPriority@12	; MiUpdatePfnPriority(x,x,x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		jmp	loc_47D160
; 

loc_47D31B:				; CODE XREF: MiPfPutPagesInTransition+2FCj
		mov	dl, al
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_5C], eax
		jmp	loc_47D0F2
; 

loc_47D32D:				; CODE XREF: MiPfPutPagesInTransition+311j
		mov	esi, [ebp+var_34]

loc_47D330:				; CODE XREF: MiPfPutPagesInTransition+57Aj
		test	esi, 40000000h
		jnz	short loc_47D351
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		or	ecx, 40000000h
		mov	eax, esi
		lock cmpxchg [edx], ecx
		cmp	eax, esi
		jnz	loc_47D3EC

loc_47D351:				; CODE XREF: MiPfPutPagesInTransition+546j
		lea	ecx, [ebp+var_5C]
		call	KeYieldProcessorEx
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx]

loc_47D35E:				; CODE XREF: MiPfPutPagesInTransition+5FEj
		mov	esi, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_47D330
		mov	al, [ebp+var_2]
		mov	esi, [ebp+var_24]
		mov	[ebp+var_1], al
		jmp	loc_47D10D
; 

loc_47D37A:				; CODE XREF: MiPfPutPagesInTransition+39Fj
		mov	ebx, [ebp+var_28]
		mov	ecx, [ebp+var_80]
		mov	eax, [ebx]
		mov	ebx, eax
		mov	edx, [ecx+4]
		mov	[ebp+var_28], eax
		cmp	[eax+4], ecx
		jnz	loc_5B4188
		cmp	[edx], ecx
		jnz	loc_5B4188
		mov	edi, [ebp+var_14]
		mov	[edx], eax
		mov	[eax+4], edx
		dec	dword ptr [edi+40h]
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)
		jmp	loc_47D1C1
; 

loc_47D3B0:				; CODE XREF: MiPfPutPagesInTransition+3B2j
		shl	eax, 0Ch
		add	[ebx+38h], eax
		mov	eax, [ebp+var_84]
		adc	dword ptr [ebx+3Ch], 0
		mov	eax, [eax]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+ecx*4]
		mov	eax, [ecx+4]
		or	eax, 80000000h
		mov	[ebx+94h], ecx
		mov	[ebx+90h], eax
		jmp	loc_47D1A8
; 

loc_47D3EC:				; CODE XREF: MiPfPutPagesInTransition+55Bj
		mov	ecx, edx
		jmp	loc_47D35E
; 

loc_47D3F3:				; CODE XREF: MiPfPutPagesInTransition+3E8j
					; MiPfPutPagesInTransition+617j
		mov	esi, [eax]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jz	loc_47D1DE
		jmp	short loc_47D3F3
; 

loc_47D409:				; CODE XREF: MiPfPutPagesInTransition+219j
		mov	dl, [ebp+var_1]
		mov	ecx, [ebp+var_8]
		call	MiUnlockProtoPoolPage
		mov	edx, ebx
		mov	[ebp+var_8], 0
		mov	ecx, edi
		call	_MiRefillPurgedExtents@8 ; MiRefillPurgedExtents(x,x)
		test	eax, eax
		jns	loc_47D160
		mov	ebx, [ebp+var_1C]
		jmp	loc_47D18D
MiPfPutPagesInTransition endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeReadInProgressPfn(x, x,	x, x, x, x)
_MiInitializeReadInProgressPfn@24 proc near ; CODE XREF: MiPfPutPagesInTransition+2ADp
					; MiPrivateFixup(x,x,x,x,x)+2B1p ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		lea	eax, [edx+eax*4]
		mov	[ebp+var_14], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_1C], 0
		mov	[ebp+var_C], offset loc_7FFFFF
		mov	[ebp+var_3C], eax
		cmp	edx, eax
		jnb	loc_47D885
		mov	ecx, ds:__imp_@KfRaiseIrql@4 ; KfRaiseIrql(x)
		mov	eax, [ebp+arg_C]
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_30], ecx
		mov	ecx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[ebp+var_4], eax
		mov	[ebp+var_34], ecx
		mov	[ebp+var_8], edi
		mov	edi, edi

loc_47D490:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+43Fj
		mov	ecx, [edx]
		lea	edx, ds:0[ecx*8]
		sub	edx, ecx
		mov	ecx, ds:_MmPfnDatabase
		lea	ebx, [ecx+edx*4]
		cmp	ebx, dword_6D34E8
		jz	loc_47D86D
		mov	edx, [edi]
		mov	[ebp+var_10], edx
		nop
		mov	esi, [edi+4]
		mov	cl, al
		shr	cl, 6
		mov	edi, edx
		and	cl, 1
		mov	[ebp+var_24], esi
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], esi
		mov	[ebp+arg_4], 0
		mov	byte ptr [ebp+arg_0+3],	cl
		jz	loc_47D58B
		push	esi
		push	edx
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jz	short loc_47D4F5
		mov	edx, edi
		shrd	edx, esi, 5
		shr	esi, 5
		mov	[ebp+var_24], esi
		jmp	short loc_47D560
; 

loc_47D4F5:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+A5j
		mov	ecx, dword_6D0700
		mov	edi, esi
		mov	edx, dword_6D0704
		mov	eax, ecx
		or	eax, edx
		mov	[ebp+arg_C], edx
		jz	short loc_47D52E
		mov	edx, [ebp+var_10]
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_47D529
		mov	esi, [ebp+arg_C]
		not	ecx
		and	ecx, edx
		not	esi
		and	esi, edi
		mov	[ebp+var_28], ecx
		jmp	short loc_47D52E
; 

loc_47D529:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+D7j
		mov	[ebp+var_28], edx
		mov	esi, edi

loc_47D52E:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+CAj
					; MiInitializeReadInProgressPfn(x,x,x,x,x,x)+E7j
		mov	edx, [esi]
		nop
		mov	eax, [esi+4]
		nop
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	edx, [eax+ecx*4+8]
		nop
		mov	eax, [eax+ecx*4+0Ch]
		shrd	edx, eax, 5
		shr	eax, 5
		mov	[ebp+var_24], eax

loc_47D560:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+B3j
		and	edx, 1Fh
		mov	eax, ds:_MmMakeProtectNotWriteCopy[edx*4]
		mov	ecx, eax
		mov	[ebp+arg_4], eax
		and	ecx, 1Fh
		xor	eax, eax
		shld	eax, ecx, 5
		shl	ecx, 5
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	edi, eax
		mov	esi, edx
		mov	eax, [ebp+var_4]
		jmp	short loc_47D603
; 

loc_47D58B:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+96j
		mov	ecx, edx
		and	ecx, 400h
		or	ecx, 0
		jnz	short loc_47D609
		mov	ecx, edx
		and	ecx, 800h
		or	ecx, 0
		jz	short loc_47D609
		mov	ecx, dword_6D0700
		mov	edi, edx
		mov	eax, dword_6D0704
		mov	[ebp+var_18], ecx
		or	ecx, eax
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_4]
		mov	[ebp+arg_C], esi
		jz	short loc_47D5E2
		mov	ecx, edx
		and	ecx, 10h
		or	ecx, 0
		jnz	short loc_47D5DD
		mov	edi, [ebp+var_18]
		mov	esi, [ebp+var_24]
		not	edi
		not	esi
		and	edi, edx
		and	esi, [ebp+arg_C]
		jmp	short loc_47D5E2
; 

loc_47D5DD:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+18Aj
		mov	esi, [ebp+arg_C]
		mov	edi, edx

loc_47D5E2:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+180j
					; MiInitializeReadInProgressPfn(x,x,x,x,x,x)+19Bj
		mov	ecx, ds:_MmPfnDatabase
		shrd	edi, esi, 0Ch
		and	edi, 3FFFFFFh
		lea	edx, ds:0[edi*8]
		sub	edx, edi
		mov	edi, [ecx+edx*4+8]
		mov	esi, [ecx+edx*4+0Ch]

loc_47D603:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+149j
		mov	[ebp+var_44], esi
		mov	[ebp+var_48], edi

loc_47D609:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+156j
					; MiInitializeReadInProgressPfn(x,x,x,x,x,x)+163j
		cmp	byte ptr [ebp+arg_0+3],	0
		mov	[ebx+8], edi
		mov	[ebx+0Ch], esi
		jz	short loc_47D61A
		mov	ecx, [ebp+arg_4]
		jmp	short loc_47D65E
; 

loc_47D61A:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+1D3j
		test	al, 10h
		jz	short loc_47D626
		or	dword ptr [ebx+18h], 80000000h
		nop

loc_47D626:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+1DCj
		shrd	edi, esi, 5
		and	edi, 1Fh
		shr	esi, 5
		mov	ecx, edi
		mov	[ebp+var_24], esi
		mov	[ebp+arg_4], edi
		cmp	ecx, 18h
		jnz	short loc_47D65E
		mov	eax, [ebp+var_2C]
		mov	[ebp+arg_4], edi
		cmp	eax, ds:_MmHighestUserAddress
		ja	short loc_47D65E
		mov	ecx, eax
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	[ebp+arg_4], edi
		mov	ecx, [eax+1Ch]
		shr	ecx, 7
		and	ecx, 1Fh

loc_47D65E:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+1D8j
					; MiInitializeReadInProgressPfn(x,x,x,x,x,x)+1FBj ...
		mov	edi, 1
		test	ecx, ecx
		jnz	short loc_47D66C
		lea	edi, [ecx+3]
		jmp	short loc_47D68C
; 

loc_47D66C:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+225j
		cmp	ecx, 1Fh
		jz	short loc_47D68C
		mov	eax, ecx
		shr	eax, 3
		cmp	eax, 3
		jnz	short loc_47D685
		test	cl, 7
		jz	short loc_47D68C
		lea	edi, [eax-1]
		jmp	short loc_47D68C
; 

loc_47D685:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+239j
		dec	eax
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_47D68C:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+22Aj
					; MiInitializeReadInProgressPfn(x,x,x,x,x,x)+22Fj ...
		cmp	[ebp+var_C], offset loc_7FFFFF
		mov	edx, [ebp+var_8]
		jnz	short loc_47D6E5
		mov	eax, edx
		mov	[ebp+var_28], 0
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_24], 0
		mov	esi, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], eax
		nop
		shrd	esi, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	esi, 1FFFFFFh
		mov	[ebp+var_C], esi
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_1C], eax

loc_47D6E5:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+256j
		test	byte ptr [ebp+var_4], 20h
		mov	[ebp+var_18], edx
		jz	short loc_47D6F8
		mov	eax, edx
		and	eax, 7FFFFFFFh
		mov	[ebp+var_18], eax

loc_47D6F8:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+2ACj
		mov	cl, 2
		call	[ebp+var_30]
		mov	byte ptr [ebp+arg_C+3],	al
		lea	esi, [ebx+10h]
		mov	[ebp+var_24], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_47D726

loc_47D711:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+2DDj
					; MiInitializeReadInProgressPfn(x,x,x,x,x,x)+2E4j
		lea	ecx, [ebp+var_24]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_47D711
		lock bts dword ptr [esi], 1Fh
		jb	short loc_47D711

loc_47D726:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+2CFj
		mov	al, [ebx+16h]
		or	al, 20h
		mov	[ebx+16h], al
		mov	eax, [ebp+arg_8]
		mov	ecx, eax
		add	eax, 10h
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	[ebx], ecx
		mov	dl, [ebx+16h]
		movzx	eax, dl
		shr	eax, 6
		cmp	eax, edi
		jz	short loc_47D759
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	MiChangePageAttribute
		mov	dl, [ebx+16h]

loc_47D759:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+309j
		and	dword ptr [esi], 0C0000000h
		mov	eax, 1
		mov	[ebx+14h], ax
		mov	eax, [ebp+var_4]
		test	al, 8
		jz	short loc_47D77A
		mov	cl, [ebx+17h]
		xor	cl, al
		and	cl, 7
		xor	[ebx+17h], cl

loc_47D77A:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+32Dj
		mov	ecx, [ebx+18h]
		and	dl, 0FAh
		xor	ecx, [ebp+var_C]
		or	dl, 2
		and	ecx, offset loc_7FFFFF
		xor	[ebx+18h], ecx
		mov	ecx, [ebp+var_18]
		mov	[ebx+4], ecx
		mov	[ebx+16h], dl
		test	al, al
		jns	short loc_47D7A0
		or	byte ptr [ebx+17h], 20h

loc_47D7A0:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+35Aj
		mov	ebx, 7FFFFFFFh
		lock and [esi],	ebx
		mov	cl, byte ptr [ebp+arg_C+3]
		call	[ebp+var_34]
		mov	ecx, [ebp+var_10]
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_47D7C7
		and	ecx, 800h
		or	ecx, eax
		jnz	short loc_47D824

loc_47D7C7:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+37Bj
		mov	edx, [ebp+var_14]
		xor	esi, esi
		mov	eax, [ebp+arg_4]
		mov	edi, dword_6D0700
		and	eax, 1Fh
		mov	ebx, dword_6D0704
		or	eax, 40h
		mov	edx, [edx]
		and	edx, 3FFFFFFh
		shld	esi, edx, 7
		shl	edx, 7
		or	edx, eax
		mov	eax, edi
		shld	esi, edx, 5
		shl	edx, 5
		or	eax, ebx
		jz	short loc_47D814
		mov	ecx, edi
		mov	eax, ebx
		and	ecx, edx
		and	eax, esi
		or	ecx, eax
		jnz	short loc_47D811
		or	edx, edi
		or	esi, ebx
		jmp	short loc_47D814
; 

loc_47D811:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+3C9j
		or	edx, 10h

loc_47D814:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+3BDj
					; MiInitializeReadInProgressPfn(x,x,x,x,x,x)+3CFj
		mov	edi, [ebp+var_8]
		mov	[edi], edx
		nop
		mov	[edi+4], esi
		mov	ebx, 7FFFFFFFh
		jmp	short loc_47D827
; 

loc_47D824:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+385j
		mov	edi, [ebp+var_8]

loc_47D827:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+3E2j
		cmp	byte ptr [ebp+arg_0+3],	0
		jnz	short loc_47D86A
		mov	esi, [ebp+var_1C]
		mov	[ebp+var_38], 0
		add	esi, 10h
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_47D856

loc_47D841:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+40Dj
					; MiInitializeReadInProgressPfn(x,x,x,x,x,x)+414j
		lea	ecx, [ebp+var_38]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_47D841
		lock bts dword ptr [esi], 1Fh
		jb	short loc_47D841

loc_47D856:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+3FFj
		mov	eax, [esi]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 3FFFFFFFh
		xor	ecx, eax
		mov	[esi], ecx
		lock and [esi],	ebx

loc_47D86A:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+3EBj
		mov	eax, [ebp+var_4]

loc_47D86D:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+6Aj
		mov	edx, [ebp+var_14]
		add	edi, 8
		add	edx, 4
		mov	[ebp+var_8], edi
		mov	[ebp+var_14], edx
		cmp	edx, [ebp+var_3C]
		jb	loc_47D490

loc_47D885:				; CODE XREF: MiInitializeReadInProgressPfn(x,x,x,x,x,x)+2Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_MiInitializeReadInProgressPfn@24 endp

; 
		align 10h

; __stdcall MiCopyPage(x, x, x,	x)
_MiCopyPage@16:				; CODE XREF: .text:004494B0p
					; MiCopyOnWrite(x,x,x,x)+83Bp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		mov	[ebp-0Ch], edx
		mov	[ebp-34h], eax
		mov	[ebp-30h], eax
		mov	[ebp-2Ch], eax
		mov	[ebp-28h], eax
		mov	[ebp-1Ch], eax
		mov	[ebp-18h], eax
		mov	[ebp-24h], eax
		mov	[ebp-20h], eax
		mov	[ebp-4], eax
		lea	eax, ds:0[edx*8]
		sub	eax, edx
		push	ebx
		mov	ebx, ecx
		mov	ecx, ds:_MmPfnDatabase
		push	esi
		push	edi
		mov	[ebp-10h], ebx
		lea	edi, [ecx+eax*4]
		lea	eax, ds:0[ebx*8]
		mov	[ebp-8], edi
		sub	eax, ebx
		mov	ebx, [ebp+0Ch]
		lea	esi, [ecx+eax*4]
		mov	ecx, ebx
		and	ecx, 4
		mov	eax, ecx
		mov	[ebp-14h], ecx
		neg	eax
		mov	edx, ecx
		mov	ecx, edi
		sbb	eax, eax
		and	eax, 4
		mov	[ebp+0Ch], eax
		lea	eax, [ebp-1Ch]
		push	eax
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_47D97E
		test	bl, 12h
		jz	short loc_47D921
		mov	dword ptr [ebp-4], 2
		mov	edi, ebx
		mov	eax, [ebp-4]
		and	edi, 2
		jmp	short loc_47D991
; 

loc_47D921:				; CODE XREF: .text:0047D90Ej
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_47D950
		test	bl, 8
		jnz	short loc_47D950
		test	dl, 1
		jz	short loc_47D950
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_47D950
		mov	dword ptr [ebp-4], 2
		mov	edi, ebx
		mov	eax, [ebp-4]
		and	edi, 2
		jmp	short loc_47D991
; 

loc_47D950:				; CODE XREF: .text:0047D928j
					; .text:0047D92Dj ...
		test	ds:_MiFlags, 40000h
		jz	short loc_47D96D
		test	bl, 8
		jnz	short loc_47D96D
		mov	dword ptr [ebp-4], 2
		test	dl, 2
		jnz	short loc_47D974

loc_47D96D:				; CODE XREF: .text:0047D95Aj
					; .text:0047D95Fj
		mov	dword ptr [ebp-4], 4

loc_47D974:				; CODE XREF: .text:0047D96Bj
		mov	eax, [ebp-4]
		mov	edi, ebx
		and	edi, 2
		jmp	short loc_47D991
; 

loc_47D97E:				; CODE XREF: .text:0047D909j
		mov	edi, ebx
		and	edi, 2
		jnz	short loc_47D98F
		mov	eax, 4
		mov	[ebp-4], eax
		jmp	short loc_47D991
; 

loc_47D98F:				; CODE XREF: .text:0047D983j
		xor	eax, eax

loc_47D991:				; CODE XREF: .text:0047D91Fj
					; .text:0047D94Ej ...
		test	al, 2
		jnz	loc_47DAFB
		mov	ecx, [ebp-8]
		mov	ecx, [ecx+18h]
		and	ecx, 70000000h
		cmp	ecx, 30000000h
		jnz	short loc_47D9DD
		test	edi, edi
		mov	edi, [ebp+0Ch]
		jz	short loc_47D9C1
		mov	ecx, [ebp-8]
		mov	edx, edi
		call	MiClearPfnImageVerified
		mov	eax, [ebp-4]

loc_47D9C1:				; CODE XREF: .text:0047D9B2j
		test	al, 4
		jnz	short loc_47D9DD
		mov	eax, [esi+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jz	short loc_47D9DD
		mov	edx, edi
		mov	ecx, esi
		call	_MiMarkPfnVerified@8 ; MiMarkPfnVerified(x,x)

loc_47D9DD:				; CODE XREF: .text:0047D9ABj
					; .text:0047D9C3j ...
		mov	eax, [ebp-8]
		movzx	edx, byte ptr [eax+16h]
		movzx	eax, byte ptr [esi+16h]
		shr	edx, 6
		shr	eax, 6
		cmp	eax, edx
		jz	short loc_47D9FB
		push	0
		mov	ecx, esi
		call	MiChangePageAttribute

loc_47D9FB:				; CODE XREF: .text:0047D9F0j
		cmp	dword ptr [ebp+8], 0
		jnz	short loc_47DA78
		mov	eax, 1
		test	bl, 1
		jnz	short loc_47DA0E
		mov	eax, [ebp-4]

loc_47DA0E:				; CODE XREF: .text:0047DA09j
		lea	ebx, [ebp-34h]
		test	al, 1
		jz	short loc_47DA44
		mov	esi, 2
		mov	byte ptr [ebp-2Ch], 21h
		mov	[ebp-30h], esi
		mov	edi, esi

loc_47DA23:				; CODE XREF: .text:0047DA3Ej
		mov	edx, esi
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	[ebp-28h], eax
		test	eax, eax
		jnz	short loc_47DA40
		add	esi, 0FFFFFFFEh
		mov	edi, esi
		mov	[ebp-30h], esi
		jnz	short loc_47DA23

loc_47DA40:				; CODE XREF: .text:0047DA34j
		test	edi, edi
		jnz	short loc_47DA7B

loc_47DA44:				; CODE XREF: .text:0047DA13j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp-2Ch], al
		mov	dword ptr [ebp-34h], 0
		mov	dword ptr [ebp-30h], 2
		call	_MiAllocateHyperSpace@4	; MiAllocateHyperSpace(x)
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	byte ptr [ebp-2Bh], 1
		sub	eax, 40000000h
		mov	[ebp-28h], eax
		jmp	short loc_47DA7B
; 

loc_47DA78:				; CODE XREF: .text:0047D9FFj
		mov	ebx, [ebp+8]

loc_47DA7B:				; CODE XREF: .text:0047DA42j
					; .text:0047DA76j
		push	dword ptr [ebp-0Ch]
		mov	edx, [ebp-10h]
		mov	ecx, ebx
		call	MiGetPteFromCopyList
		mov	esi, eax
		mov	edx, esi
		shl	edx, 9
		push	1000h
		lea	ecx, [edx+1000h]
		push	ecx
		push	edx
		call	_memcpy
		mov	eax, ds:_ZeroPte
		add	esp, 0Ch
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+4], eax
		mov	eax, ds:_ZeroPte
		mov	[esi+8], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+0Ch], eax
		lea	eax, [ebp-34h]
		cmp	ebx, eax
		jnz	short loc_47DAF2
		mov	cl, [ebx+8]
		cmp	cl, 21h
		jnz	short loc_47DAEC
		mov	edx, [ebx+0Ch]
		mov	ecx, offset dword_6D35E0
		push	2
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_47DAEC:				; CODE XREF: .text:0047DAD2j
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_47DAF2:				; CODE XREF: .text:0047DACAj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_47DAFB:				; CODE XREF: .text:0047D993j
		test	ds:_MiFlags, 40000h
		mov	byte ptr [ebp+0Bh], 21h
		jz	short loc_47DB1E
		inc	dword_6D06D8
		mov	edx, 2
		lea	ecx, [edx+2]
		call	KeFlushTb

loc_47DB1E:				; CODE XREF: .text:0047DB09j
		test	ds:_MiFlags, 8000h
		jz	short loc_47DB7D
		test	edi, edi
		jnz	short loc_47DB6E
		mov	eax, [esi+4]
		shl	eax, 9
		cmp	eax, dword_6D07D0
		jnb	short loc_47DB6E
		mov	edi, [ebp-14h]
		test	edi, edi
		jnz	short loc_47DB4D
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp+0Bh], al

loc_47DB4D:				; CODE XREF: .text:0047DB41j
		mov	edx, 4
		mov	ecx, esi
		call	_MiMarkPfnVerified@8 ; MiMarkPfnVerified(x,x)
		mov	ecx, esi
		call	MiAbortCombineScan
		test	edi, edi
		jnz	short loc_47DB6E
		mov	dl, [ebp+0Bh]
		mov	ecx, esi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)

loc_47DB6E:				; CODE XREF: .text:0047DB2Cj
					; .text:0047DB3Aj ...
		and	bl, 24h
		cmp	bl, 20h
		jnz	short loc_47DB7D
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)

loc_47DB7D:				; CODE XREF: .text:0047DB28j
					; .text:0047DB74j
		push	0C00000BBh
		push	dword ptr [ebp-10h]
		push	dword ptr [ebp-0Ch]
		push	5150Ah
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 3 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckProtoPtePageState proc near	; CODE XREF: MiFlushSectionInternal+5C8p
					; .text:loc_47857Cp ...

var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B41B3 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		mov	[esp+38h+var_24], edx
		mov	edi, eax
		mov	[esp+38h+var_4], eax
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		mov	[esp+38h+var_1C], edi
		jmp	short loc_47DBD0
; 
		align 10h

loc_47DBD0:				; CODE XREF: MiCheckProtoPtePageState+27j
					; MiCheckProtoPtePageState+84j	...
		mov	ebx, [edi-40000000h]
		mov	[esp+38h+var_10], 0
		mov	[esp+38h+var_C], 0
		nop
		mov	ecx, [edi-3FFFFFFCh]
		mov	eax, ebx
		and	eax, 1
		mov	[esp+38h+var_18], ecx
		or	eax, 0
		mov	eax, ebx
		jz	loc_47DD37
		and	eax, 200h
		or	eax, 0
		jnz	loc_47DD06
		nop
		mov	esi, ebx
		mov	eax, ecx
		shrd	esi, eax, 0Ch
		and	esi, 1FFFFFFh

loc_47DC1E:				; CODE XREF: MiCheckProtoPtePageState+209j
		cmp	esi, dword_6D07B0
		ja	short loc_47DBD0
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_47DBD0
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		lea	esi, [eax+ecx*4]
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+38h+var_25], al
		lea	edx, [esi+10h]
		mov	[esp+38h+var_10], 0
		lock bts dword ptr [edx], 1Fh
		jb	loc_47DD11

loc_47DC72:				; CODE XREF: MiCheckProtoPtePageState+192j
		mov	ecx, [esp+38h+var_24]
		mov	[ecx], al
		mov	eax, [edi-40000000h]
		nop
		mov	edx, [edi-3FFFFFFCh]
		mov	[esp+38h+var_10], edx
		lea	edx, [esi+10h]
		cmp	eax, ebx
		jnz	loc_5B41B3
		mov	ebx, [esp+38h+var_10]
		cmp	ebx, [esp+38h+var_18]
		jnz	loc_5B41B3
		and	eax, 1
		or	eax, 0
		jz	short loc_47DCE9
		mov	eax, [edx]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jz	short loc_47DCF6
		mov	ecx, esi
		call	_MiAreChargesNeededToLockPage@4	; MiAreChargesNeededToLockPage(x)
		test	eax, eax
		jz	short loc_47DCCF
		mov	edx, 1
		call	_MiChargeForLockedPage@8 ; MiChargeForLockedPage(x,x)
		test	eax, eax
		jz	short loc_47DCD3

loc_47DCCF:				; CODE XREF: MiCheckProtoPtePageState+11Fj
		inc	word ptr [esi+14h]

loc_47DCD3:				; CODE XREF: MiCheckProtoPtePageState+12Dj
		mov	ecx, [esp+38h+var_24]
		mov	dl, [ecx]
		mov	ecx, esi
		call	_MiLockOwnedProtoPage@8	; MiLockOwnedProtoPage(x,x)
		mov	eax, esi

loc_47DCE2:				; CODE XREF: MiCheckProtoPtePageState+16Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_47DCE9:				; CODE XREF: MiCheckProtoPtePageState+108j
		mov	al, [esi+16h]
		and	al, 7
		cmp	al, 6
		jnb	loc_5B418F

loc_47DCF6:				; CODE XREF: MiCheckProtoPtePageState+114j
		mov	cl, [ecx]
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_47DD06:				; CODE XREF: MiCheckProtoPtePageState+69j
					; MiCheckProtoPtePageState+19Fj ...
		mov	ecx, [esp+38h+var_24]
		xor	eax, eax
		mov	byte ptr [ecx],	21h
		jmp	short loc_47DCE2
; 

loc_47DD11:				; CODE XREF: MiCheckProtoPtePageState+CCj
		lea	edi, [esi+10h]

loc_47DD14:				; CODE XREF: MiCheckProtoPtePageState+181j
					; MiCheckProtoPtePageState+188j
		lea	ecx, [esp+38h+var_10]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_47DD14
		lock bts dword ptr [edi], 1Fh
		jb	short loc_47DD14
		mov	edi, [esp+38h+var_1C]
		mov	al, [esp+38h+var_25]
		jmp	loc_47DC72
; 

loc_47DD37:				; CODE XREF: MiCheckProtoPtePageState+5Bj
		and	eax, 400h
		or	eax, 0
		jnz	short loc_47DD06
		mov	eax, ebx
		and	eax, 800h
		or	eax, 0
		jz	short loc_47DD06
		push	ecx
		push	ebx
		call	_MiInvalidPteConforms@12 ; MiInvalidPteConforms(x,x,x)
		test	eax, eax
		jz	loc_47DBD0
		mov	eax, dword_6D0700
		mov	esi, ebx
		mov	edi, dword_6D0704
		mov	edx, esi
		mov	ecx, [esp+38h+var_18]
		mov	[esp+38h+var_14], eax
		or	eax, edi
		mov	[esp+38h+var_10], edi
		mov	edi, [esp+38h+var_1C]
		mov	[esp+38h+var_20], ecx
		jz	short loc_47DD9F
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_47DDAE
		mov	esi, [esp+38h+var_14]
		mov	ecx, [esp+38h+var_10]
		not	esi
		not	ecx
		and	esi, edx
		and	ecx, [esp+38h+var_20]

loc_47DD9F:				; CODE XREF: MiCheckProtoPtePageState+1E1j
					; MiCheckProtoPtePageState+210j
		shrd	esi, ecx, 0Ch
		and	esi, 3FFFFFFh
		jmp	loc_47DC1E
; 

loc_47DDAE:				; CODE XREF: MiCheckProtoPtePageState+1EBj
		mov	esi, edx
		jmp	short loc_47DD9F
MiCheckProtoPtePageState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddLockedPageCharge(x, x)
_MiAddLockedPageCharge@8 proc near	; CODE XREF: MiHandleCollidedFault(x,x,x,x,x,x)+E2p
					; MiWaitForCollidedFaultComplete+45p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		test	bl, 1
		jz	short loc_47DDF1

loc_47DDC7:				; CODE XREF: MiAddLockedPageCharge(x,x)+48j
		xor	edi, edi
		inc	edi
		call	_MiAreChargesNeededToLockPage@4	; MiAreChargesNeededToLockPage(x)
		test	eax, eax
		jnz	short loc_47DDE0

loc_47DDD3:				; CODE XREF: MiAddLockedPageCharge(x,x)+39j
		inc	word ptr [esi+14h]
		mov	eax, edi

loc_47DDD9:				; CODE XREF: MiAddLockedPageCharge(x,x)+3Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_47DDE0:				; CODE XREF: MiAddLockedPageCharge(x,x)+1Fj
		mov	edx, ebx
		call	_MiChargeForLockedPage@8 ; MiChargeForLockedPage(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_47DDD3

loc_47DDED:				; CODE XREF: MiAddLockedPageCharge(x,x)+4Aj
		xor	eax, eax
		jmp	short loc_47DDD9
; 

loc_47DDF1:				; CODE XREF: MiAddLockedPageCharge(x,x)+13j
		mov	eax, 7FFFh
		cmp	[esi+14h], ax
		jb	short loc_47DDC7
		jmp	short loc_47DDED
_MiAddLockedPageCharge@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiAreChargesNeededToLockPage(x)
_MiAreChargesNeededToLockPage@4	proc near ; CODE XREF: MiCheckProtoPtePageState+118p
					; MiAddLockedPageCharge(x,x)+18p ...
		xor	eax, eax
		test	dword ptr [ecx+18h], 800000h
		jnz	short locret_47DE3E
		mov	edx, [ecx+10h]
		push	esi
		movzx	esi, word ptr [ecx+14h]
		and	edx, 3FFFFFFFh
		test	si, si
		jz	short loc_47DE38
		cmp	esi, 1
		jnz	short loc_47DE29
		test	edx, edx
		jnz	short loc_47DE38
		jmp	short loc_47DE32
; 

loc_47DE29:				; CODE XREF: MiAreChargesNeededToLockPage(x)+21j
		cmp	esi, 2
		jnz	short loc_47DE3D
		test	edx, edx
		jz	short loc_47DE3D

loc_47DE32:				; CODE XREF: MiAreChargesNeededToLockPage(x)+27j
		test	byte ptr [ecx+16h], 8
		jz	short loc_47DE3D

loc_47DE38:				; CODE XREF: MiAreChargesNeededToLockPage(x)+1Cj
					; MiAreChargesNeededToLockPage(x)+25j
		mov	eax, 1

loc_47DE3D:				; CODE XREF: MiAreChargesNeededToLockPage(x)+2Cj
					; MiAreChargesNeededToLockPage(x)+30j ...
		pop	esi

locret_47DE3E:				; CODE XREF: MiAreChargesNeededToLockPage(x)+9j
		retn
_MiAreChargesNeededToLockPage@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockOwnedProtoPage(x, x)
_MiLockOwnedProtoPage@8	proc near	; CODE XREF: MiRelockProtoPoolPage(x,x)+2Ep
					; .text:0045930Dp ...

var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], 0
		push	edi
		mov	bl, dl
		mov	ecx, 7FFFFFFFh
		mov	edi, [esi+4]
		mov	al, [esi+16h]
		or	edi, 80000000h
		mov	[ebp+var_C], edi
		test	al, 20h
		jnz	short loc_47DE99

loc_47DE6E:				; CODE XREF: MiLockOwnedProtoPage(x,x)+A9j
		or	al, 20h
		mov	[esi+16h], al
		add	esi, 10h
		test	dword ptr [esi], 40000000h
		jnz	short loc_47DE8F
		mov	edx, [edi]
		nop
		mov	eax, [edi+4]
		and	edx, 20h
		or	edx, 0
		mov	[ebp+var_C], eax
		jz	short loc_47DEEB

loc_47DE8F:				; CODE XREF: MiLockOwnedProtoPage(x,x)+3Cj
					; MiLockOwnedProtoPage(x,x)+C3j
		lock and [esi],	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_47DE99:				; CODE XREF: MiLockOwnedProtoPage(x,x)+2Cj
		lea	edi, [esi+10h]
		lea	esp, [esp+0]

loc_47DEA0:				; CODE XREF: MiLockOwnedProtoPage(x,x)+A4j
		lock and [edi],	ecx
		cmp	bl, 21h
		jz	short loc_47DEB0
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_47DEB0:				; CODE XREF: MiLockOwnedProtoPage(x,x)+66j
		mov	al, [esi+16h]
		mov	[ebp+var_8], 0
		mov	[ebp+var_1], al
		test	al, 20h
		jz	short loc_47DED3

loc_47DEC1:				; CODE XREF: MiLockOwnedProtoPage(x,x)+91j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	al, [esi+16h]
		mov	[ebp+var_1], al
		test	al, 20h
		jnz	short loc_47DEC1

loc_47DED3:				; CODE XREF: MiLockOwnedProtoPage(x,x)+7Fj
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	al, [esi+16h]
		mov	ecx, 7FFFFFFFh
		test	al, 20h
		jnz	short loc_47DEA0
		mov	edi, [ebp+var_C]
		jmp	short loc_47DE6E
; 

loc_47DEEB:				; CODE XREF: MiLockOwnedProtoPage(x,x)+4Dj
		mov	byte ptr [ebp+var_C], 0
		mov	edx, 1
		push	[ebp+var_C]
		mov	ecx, edi
		call	_MiWriteValidPteVolatile@12 ; MiWriteValidPteVolatile(x,x,x)
		mov	ecx, 7FFFFFFFh
		jmp	short loc_47DE8F
_MiLockOwnedProtoPage@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmPurgeSection	proc near		; CODE XREF: CcPurgeCacheSection+16Cp
					; CcPurgeCacheSection+E06D4p

var_68		= dword	ptr -68h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_9		= dword	ptr -9
var_5		= dword	ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005B41C8 SIZE 0000009E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	byte ptr [ebp+var_5], 0
		xor	eax, eax
		mov	[ebp+var_24], 0
		mov	ecx, 6
		mov	[ebp+var_20], 0
		lea	edi, [ebp+var_4C]
		mov	esi, edx
		rep stosd
		lea	edi, [ebp+var_68]
		mov	ecx, 7
		rep stosd
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	0
		test	esi, esi
		jnz	loc_47E237

loc_47DF55:				; CODE XREF: MmPurgeSection+335j
		lea	eax, [ebp+var_5]
		mov	[ebp+var_28], 0
		push	eax
		mov	eax, [ebp+arg_4]
		mov	edx, esi
		shr	eax, 1
		mov	ecx, ebx
		and	eax, 1
		push	eax
		push	1
		call	MiCanFileBeTruncatedInternal
		mov	bl, byte ptr [ebp+var_5]
		mov	edi, eax
		mov	[ebp+var_14], edi
		cmp	bl, 21h
		jz	loc_47E2D4
		test	edi, edi
		jz	loc_47E22C
		test	byte ptr [ebp+arg_4], 1
		jnz	short loc_47DF9D
		cmp	dword ptr [edi+30h], 0
		jnz	loc_5B41C8

loc_47DF9D:				; CODE XREF: MmPurgeSection+81j
		cmp	dword ptr [edi+20h], 0
		jz	loc_5B41C8
		or	dword ptr [edi+1Ch], 8000h
		lea	eax, [ebp+var_4C]
		push	eax
		push	1
		push	[ebp+arg_0]
		mov	dl, bl
		mov	ecx, edi
		push	esi
		call	_MiComputeDataFlushRange@24 ; MiComputeDataFlushRange(x,x,x,x,x,x)
		test	eax, eax
		jz	loc_47E22C
		mov	ebx, [ebp+var_48]
		mov	al, 21h
		mov	esi, [ebp+var_40]
		mov	byte ptr [ebp+var_5], al
		mov	byte ptr [ebp+arg_0+3],	1

loc_47DFD8:				; CODE XREF: MmPurgeSection+36Aj
		mov	[ebp+var_10], esi
		cmp	al, 21h
		jnz	short loc_47DFEB
		lea	eax, [edi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	byte ptr [ebp+var_5], al

loc_47DFEB:				; CODE XREF: MmPurgeSection+CDj
		cmp	[ebp+var_3C], esi
		jnz	loc_47E24A
		mov	edi, [ebp+var_44]
		add	edi, 8

loc_47DFFA:				; CODE XREF: MmPurgeSection+34Ej
		mov	esi, [ebp+var_14]
		test	dword ptr [esi+1Ch], 40000000h
		jnz	loc_5B41DE
		mov	[ebp+var_20], 0

loc_47E011:				; CODE XREF: MmPurgeSection+1362D5j
		mov	ecx, [ebp+var_10]
		cmp	dword ptr [ecx+4], 0
		jz	loc_47E2B6
		call	MiIncrementSubsectionViewCount
		mov	eax, [ebp+var_10]
		test	byte ptr [eax+12h], 8
		jnz	loc_47E28E

loc_47E030:				; CODE XREF: MmPurgeSection+388j
		or	word ptr [eax+10h], 1
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_5]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_20], 0
		mov	al, 21h
		mov	byte ptr [ebp+var_9], al
		mov	[ebp+var_18], 0
		jnz	loc_5B41EA

loc_47E05D:				; CODE XREF: MmPurgeSection+1362EEj
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx
		cmp	ebx, edi
		jnb	loc_47E12D
		lea	ebx, [ebx+0]

loc_47E070:				; CODE XREF: MmPurgeSection+2CFj
		test	ebx, 0FFFh
		jz	loc_47E205
		cmp	al, 21h
		jz	loc_47E209

loc_47E084:				; CODE XREF: MmPurgeSection+308j
		xor	edx, edx
		mov	ecx, ebx
		call	MiLockLeafPage
		mov	esi, eax
		test	esi, esi
		jz	loc_47E198
		mov	edx, [ebx]
		mov	[ebp+var_34], 0
		mov	[ebp+var_30], 0
		nop
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jnz	loc_5B4219
		mov	eax, [esi+0Ch]
		mov	ecx, [esi+8]
		mov	[ebp+var_30], eax
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jz	loc_5B4240
		and	ecx, 1
		or	ecx, 0
		jnz	loc_5B4240
		mov	eax, [esi+4]
		or	eax, 80000000h
		cmp	eax, ebx
		jnz	loc_5B4240
		mov	dl, [esi+16h]
		mov	cl, dl
		shr	cl, 4
		test	byte ptr [ebp+arg_4], 2
		setnz	al
		and	cl, al
		test	cl, 1
		jz	loc_47E19D
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	byte ptr [ebp+arg_0+3],	0

loc_47E114:				; CODE XREF: MmPurgeSection+2D5j
					; MmPurgeSection+136319j
		mov	ecx, [ebp+var_1C]

loc_47E117:				; CODE XREF: MmPurgeSection+2BCj
		mov	dl, byte ptr [ebp+var_9]
		cmp	dl, 21h
		jz	short loc_47E12A
		mov	ecx, [ebp+var_18]
		call	MiUnlockProtoPoolPage
		mov	ecx, [ebp+var_1C]

loc_47E12A:				; CODE XREF: MmPurgeSection+20Dj
		mov	esi, [ebp+var_14]

loc_47E12D:				; CODE XREF: MmPurgeSection+154j
		cmp	[ebp+var_20], 0
		mov	ebx, [ebp+var_10]
		jnz	loc_5B422E

loc_47E13A:				; CODE XREF: MmPurgeSection+13632Bj
		lea	eax, [esi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, ebx
		mov	byte ptr [ebp+var_5], al
		call	MiDecrementSubsectionViewCount
		cmp	dword ptr [ebx+3Ch], 0
		jz	loc_47E29D

loc_47E157:				; CODE XREF: MmPurgeSection+391j
					; MmPurgeSection+3A1j
		mov	cl, byte ptr [ebp+arg_0+3]
		mov	eax, [ebp+var_3C]

loc_47E15D:				; CODE XREF: MmPurgeSection+3BFj
		cmp	ebx, eax
		jnz	loc_47E263

loc_47E165:				; CODE XREF: MmPurgeSection+355j
					; MmPurgeSection+3ABj ...
		push	ecx
		mov	ecx, [ebp+var_40]
		mov	edx, ecx
		call	_MiDecrementSubsections@12 ; MiDecrementSubsections(x,x,x)
		mov	edx, [ebp+var_3C]
		push	ecx
		mov	ecx, edx
		call	_MiDecrementSubsections@12 ; MiDecrementSubsections(x,x,x)
		mov	dl, byte ptr [ebp+var_5]
		mov	ecx, esi
		dec	dword ptr [esi+14h]
		and	dword ptr [esi+1Ch], 0FFFFFFFBh
		call	MiCheckControlArea
		mov	al, byte ptr [ebp+arg_0+3]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_47E198:				; CODE XREF: MmPurgeSection+181j
		add	ebx, 8
		jmp	short loc_47E1DA
; 

loc_47E19D:				; CODE XREF: MmPurgeSection+1EFj
		test	dl, 8
		jnz	loc_47E2DF
		cmp	[ebp+var_20], 0
		jnz	loc_5B4203

loc_47E1B0:				; CODE XREF: MmPurgeSection+1362F8j
					; MmPurgeSection+136304j
		push	1
		push	21h
		mov	edx, esi
		mov	ecx, ebx
		call	MiDeleteTransitionPte
		mov	esi, [ebp+var_14]
		mov	ecx, 1
		mov	[ebp+var_1C], ecx
		cmp	dword ptr [esi+10h], 0
		jz	loc_47E117
		add	ebx, 8
		test	bl, 78h
		jz	short loc_47E1EA

loc_47E1DA:				; CODE XREF: MmPurgeSection+28Bj
					; MmPurgeSection+2E1j ...
		mov	al, byte ptr [ebp+var_9]

loc_47E1DD:				; CODE XREF: MmPurgeSection+2F3j
					; MmPurgeSection+3E4j
		cmp	ebx, edi
		jb	loc_47E070
		jmp	loc_47E114
; 

loc_47E1EA:				; CODE XREF: MmPurgeSection+2C8j
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_47E1DA
		mov	dl, byte ptr [ebp+var_9]
		mov	ecx, [ebp+var_18]
		call	MiUnlockProtoPoolPage
		mov	al, 21h
		mov	byte ptr [ebp+var_9], al
		jmp	short loc_47E1DD
; 

loc_47E205:				; CODE XREF: MmPurgeSection+166j
		cmp	al, 21h
		jnz	short loc_47E27F

loc_47E209:				; CODE XREF: MmPurgeSection+16Ej
					; MmPurgeSection+379j
		lea	edx, [ebp+var_9]
		mov	ecx, ebx
		call	MiCheckProtoPtePageState
		mov	[ebp+var_18], eax
		test	eax, eax
		jnz	loc_47E084
		and	ebx, 0FFFFF000h
		add	ebx, 1000h
		jmp	short loc_47E1DA
; 

loc_47E22C:				; CODE XREF: MmPurgeSection+77j
					; MmPurgeSection+B3j
		mov	al, 1
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_47E237:				; CODE XREF: MmPurgeSection+3Fj
		mov	eax, [esi]
		mov	[ebp+var_24], eax
		mov	eax, [esi+4]
		lea	esi, [ebp+var_24]
		mov	[ebp+var_20], eax
		jmp	loc_47DF55
; 

loc_47E24A:				; CODE XREF: MmPurgeSection+DEj
		mov	ecx, [esi+24h]
		mov	edx, [esi+1Ch]
		and	ecx, 3FFFFFFFh
		mov	eax, [esi+4]
		sub	edx, ecx
		lea	edi, [eax+edx*8]
		jmp	loc_47DFFA
; 

loc_47E263:				; CODE XREF: MmPurgeSection+24Fj
		test	cl, cl
		jz	loc_47E165
		mov	esi, [ebp+var_10]
		mov	al, byte ptr [ebp+var_5]
		mov	edi, [ebp+var_14]
		mov	esi, [esi+8]
		mov	ebx, [esi+4]
		jmp	loc_47DFD8
; 

loc_47E27F:				; CODE XREF: MmPurgeSection+2F7j
		mov	ecx, [ebp+var_18]
		mov	dl, al
		call	MiUnlockProtoPoolPage
		jmp	loc_47E209
; 

loc_47E28E:				; CODE XREF: MmPurgeSection+11Aj
		mov	ecx, eax
		call	_MiRemoveUnusedSubsection@4 ; MiRemoveUnusedSubsection(x)
		mov	eax, [ebp+var_10]
		jmp	loc_47E030
; 

loc_47E29D:				; CODE XREF: MmPurgeSection+241j
		test	byte ptr [ebx+12h], 1
		jnz	loc_47E157
		mov	ecx, ebx
		call	_MiInsertUnusedSubsection@8 ; MiInsertUnusedSubsection(x,x)
		add	[ebp+var_28], eax
		jmp	loc_47E157
; 

loc_47E2B6:				; CODE XREF: MmPurgeSection+108j
		mov	eax, [ebp+var_3C]
		cmp	ecx, eax
		jz	loc_47E165
		mov	cl, byte ptr [ebp+arg_0+3]
		test	cl, cl
		jz	loc_47E165
		mov	ebx, [ebp+var_10]
		jmp	loc_47E15D
; 

loc_47E2D4:				; CODE XREF: MmPurgeSection+6Fj
					; MmPurgeSection+1362C9j
		pop	edi
		pop	esi
		xor	al, al
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_47E2DF:				; CODE XREF: MmPurgeSection+290j
		push	[ebp+var_9]
		mov	edx, [ebp+var_14]
		mov	ecx, esi
		push	[ebp+var_18]
		call	_MiWaitForPageWriteCompletion@16 ; MiWaitForPageWriteCompletion(x,x,x,x)
		mov	al, 21h
		mov	byte ptr [ebp+var_9], al
		jmp	loc_47E1DD
MmPurgeSection	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReservePageFileSpace proc near	; CODE XREF: .text:00475172p
					; MiFillNoReservationCluster(x,x,x)+123p

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B4266 SIZE 0000009A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_14], ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_60]
		mov	ebx, edx
		stosd
		mov	[ebp+var_2C], ebx
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ecx+208h]
		mov	edi, [eax]
		mov	edx, edi
		and	edx, 3FFh
		mov	[ebp+var_3C], eax
		mov	[ebp+var_20], edi
		mov	[ebp+var_30], edx
		cmp	edx, 10h
		jb	loc_47E656
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+var_38], edx
		test	eax, eax
		jz	loc_47E646
		test	byte ptr [eax+60h], 7
		jnz	loc_5B4253
		mov	esi, ebx
		shl	esi, 9
		mov	ecx, esi
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edx, eax
		test	edx, edx
		jz	loc_47E656
		mov	eax, [edx+1Ch]
		test	al, 70h
		mov	[ebp+var_34], eax
		setz	cl
		and	eax, 100004h
		cmp	eax, 100000h
		setz	al
		test	cl, al
		jz	loc_47E656
		mov	eax, [ebp+var_34]
		test	eax, 100000h
		jz	short loc_47E3B4
		test	eax, 400000h
		jnz	loc_47E656
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnb	loc_47E656

loc_47E3B4:				; CODE XREF: MiReservePageFileSpace+97j
		mov	ecx, [edx+0Ch]
		and	esi, 0FFE00000h
		mov	eax, ecx
		shl	eax, 0Ch
		cmp	esi, eax
		jnb	loc_47E6B8
		and	ecx, 0FFFFFh
		shl	ecx, 3

loc_47E3D3:				; CODE XREF: MiReservePageFileSpace+3BDj
		mov	eax, [edx+10h]
		add	ecx, 0C0000000h
		mov	[ebp+var_34], eax
		add	esi, 1FF000h
		shl	eax, 0Ch
		mov	[ebp+var_8], ecx
		cmp	esi, eax
		jbe	loc_47E6D9
		mov	eax, [ebp+var_34]
		and	eax, 0FFFFFh
		lea	esi, ds:0C0000000h[eax*8]

loc_47E402:				; CODE XREF: MiReservePageFileSpace+3D4j
		mov	eax, [ebp+var_30]
		mov	ecx, esi
		sub	ecx, [ebp+var_8]
		sar	ecx, 3
		inc	ecx
		mov	[ebp+var_C], esi
		cmp	ecx, eax
		ja	loc_5B4266
		mov	ecx, [ebp+var_8]

loc_47E41C:				; CODE XREF: MiReservePageFileSpace+135F9Bj
		mov	esi, [ebp+arg_0]
		neg	esi
		sbb	esi, esi
		and	esi, 80h
		inc	esi
		test	edx, edx
		jz	short loc_47E444
		cmp	dword ptr [edx+20h], 0
		jge	short loc_47E444
		mov	eax, [edx+1Ch]
		and	eax, 0F80h
		or	eax, 40h
		shr	eax, 5
		or	esi, eax

loc_47E444:				; CODE XREF: MiReservePageFileSpace+12Cj
					; MiReservePageFileSpace+132j
		lea	eax, [ebx-8]
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], 0
		mov	[ebp+var_10], 0
		cmp	eax, ecx
		jb	short loc_47E488
		mov	edi, [ebp+var_14]
		mov	ebx, eax

loc_47E465:				; CODE XREF: MiReservePageFileSpace+180j
		lea	eax, [ebp+var_1C]
		mov	edx, ebx
		push	eax
		push	esi
		mov	ecx, edi
		call	_MiReservePageFileSpaceForPage@16 ; MiReservePageFileSpaceForPage(x,x,x,x)
		test	eax, eax
		jz	short loc_47E482
		inc	[ebp+var_10]
		sub	ebx, 8
		cmp	ebx, [ebp+var_8]
		jnb	short loc_47E465

loc_47E482:				; CODE XREF: MiReservePageFileSpace+175j
		mov	edi, [ebp+var_20]
		mov	ebx, [ebp+var_2C]

loc_47E488:				; CODE XREF: MiReservePageFileSpace+15Ej
		xor	edx, edx
		lea	eax, [ebx+8]
		xor	ecx, ecx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_28], ecx
		cmp	eax, [ebp+var_C]
		ja	short loc_47E4C8
		lea	edi, [ebx+8]

loc_47E4A0:				; CODE XREF: MiReservePageFileSpace+1C0j
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_4C]
		push	eax
		push	esi
		mov	edx, edi
		call	_MiReservePageFileSpaceForPage@16 ; MiReservePageFileSpaceForPage(x,x,x,x)
		mov	ecx, [ebp+var_28]
		test	eax, eax
		jz	short loc_47E4C2
		inc	ecx
		add	edi, 8
		mov	[ebp+var_28], ecx
		cmp	edi, [ebp+var_C]
		jbe	short loc_47E4A0

loc_47E4C2:				; CODE XREF: MiReservePageFileSpace+1B4j
		mov	edx, [ebp+var_4C]
		mov	edi, [ebp+var_20]

loc_47E4C8:				; CODE XREF: MiReservePageFileSpace+19Bj
		mov	eax, [ebp+var_10]
		inc	eax
		add	eax, ecx
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_24], eax
		xor	eax, eax
		mov	[ebp+var_34], eax
		mov	eax, [ebp+var_1C]
		or	eax, ecx
		jnz	loc_47E66D
		mov	ecx, [ebp+var_48]
		mov	eax, edx
		or	eax, ecx
		jnz	loc_47E6EE

loc_47E4F1:				; CODE XREF: MiReservePageFileSpace+41Dj
		mov	[ebp+var_44], 0
		mov	[ebp+var_40], 0
		mov	[ebp+var_34], 10h

loc_47E506:				; CODE XREF: MiReservePageFileSpace+3B3j
					; MiReservePageFileSpace+457j
		mov	ecx, [ebp+var_14]
		lea	edx, [ebp+var_44]
		call	_MI_IS_PTE_IN_WS_SWAP_SET@8 ; MI_IS_PTE_IN_WS_SWAP_SET(x,x)
		test	eax, eax
		jnz	loc_5B42A8
		mov	eax, [ebp+var_34]

loc_47E51C:				; CODE XREF: MiReservePageFileSpace+135FBBj
		mov	ecx, [ebp+var_24]
		cmp	ecx, 1
		jz	loc_47E65F

loc_47E528:				; CODE XREF: MiReservePageFileSpace+368j
		or	eax, 1
		lea	edx, [ebp+var_44]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_14]
		call	MiFindFreePageFileSpace
		mov	[ebp+var_34], eax
		cmp	eax, [ebp+var_24]
		jnz	loc_47E782
		mov	eax, [ebp+var_28]

loc_47E547:				; CODE XREF: MiReservePageFileSpace+135FCEj
					; MiReservePageFileSpace+135FDAj
		lea	ecx, [ebx+eax*8]
		and	esi, 0FFFFFFFEh
		mov	eax, [ebp+var_10]
		shl	eax, 3
		sub	ebx, eax
		mov	[ebp+var_3C], ecx
		cmp	ebx, ecx
		ja	loc_47E607

loc_47E560:				; CODE XREF: MiReservePageFileSpace+301j
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_44]
		push	eax
		push	esi
		mov	edx, ebx
		call	_MiReservePageFileSpaceForPage@16 ; MiReservePageFileSpaceForPage(x,x,x,x)
		mov	ecx, [ebp+var_40]
		mov	edi, [ebp+var_44]
		mov	[ebp+var_28], ecx
		test	eax, eax
		jz	loc_5B42DF

loc_47E580:				; CODE XREF: MiReservePageFileSpace+135FF4j
		mov	eax, dword_6D0704
		mov	edx, edi
		mov	[ebp+var_8], ecx
		mov	ecx, dword_6D0700
		mov	[ebp+var_C], eax
		mov	eax, ecx
		or	eax, [ebp+var_C]
		mov	[ebp+var_24], ecx
		jz	short loc_47E5AD
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jz	short loc_47E617
		mov	eax, [ebp+var_8]
		mov	[ebp+var_28], eax

loc_47E5AD:				; CODE XREF: MiReservePageFileSpace+29Bj
					; MiReservePageFileSpace+32Bj
		mov	eax, edx
		or	eax, [ebp+var_8]
		jz	loc_5B42F9
		mov	eax, ecx
		or	eax, [ebp+var_C]
		jz	short loc_47E5CC
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jz	short loc_47E62D
		and	edx, 0FFFFFFEFh

loc_47E5CC:				; CODE XREF: MiReservePageFileSpace+2BDj
					; MiReservePageFileSpace+33Cj ...
		mov	eax, [ebp+var_28]
		xor	edx, edi
		add	edi, 0
		adc	eax, 1
		xor	edx, edi
		xor	edi, edi
		xor	edi, eax
		mov	eax, ecx
		or	eax, [ebp+var_C]
		jz	short loc_47E5F5
		mov	ecx, edx
		mov	eax, edi
		and	ecx, [ebp+var_24]
		and	eax, [ebp+var_C]
		or	ecx, eax
		jz	short loc_47E63E
		or	edx, 10h

loc_47E5F5:				; CODE XREF: MiReservePageFileSpace+2E2j
					; MiReservePageFileSpace+344j
		add	ebx, 8
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], edi
		cmp	ebx, [ebp+var_3C]
		jbe	loc_47E560

loc_47E607:				; CODE XREF: MiReservePageFileSpace+25Aj
					; MiReservePageFileSpace+361j ...
		cmp	[ebp+var_38], 0
		jz	short loc_47E656
		lea	ecx, [ebp+var_60]
		call	_MiReleasePageFileSectionInfo@4	; MiReleasePageFileSectionInfo(x)
		jmp	short loc_47E656
; 

loc_47E617:				; CODE XREF: MiReservePageFileSpace+2A5j
		mov	edi, ecx
		mov	ecx, [ebp+var_C]
		not	edi
		not	ecx
		and	edi, edx
		and	ecx, [ebp+var_8]
		mov	[ebp+var_28], ecx
		mov	ecx, [ebp+var_24]
		jmp	short loc_47E5AD
; 

loc_47E62D:				; CODE XREF: MiReservePageFileSpace+2C7j
		mov	eax, [ebp+var_C]
		not	ecx
		not	eax
		and	edx, ecx
		and	[ebp+var_8], eax
		mov	ecx, [ebp+var_24]
		jmp	short loc_47E5CC
; 

loc_47E63E:				; CODE XREF: MiReservePageFileSpace+2F0j
		or	edx, [ebp+var_24]
		or	edi, [ebp+var_C]
		jmp	short loc_47E5F5
; 

loc_47E646:				; CODE XREF: MiReservePageFileSpace+49j
		push	1
		lea	edx, [ebp+var_60]
		mov	ecx, ebx
		call	MiGetPageFileSectionForReservation
		test	eax, eax
		jnz	short loc_47E6C2

loc_47E656:				; CODE XREF: MiReservePageFileSpace+39j
					; MiReservePageFileSpace+69j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_47E65F:				; CODE XREF: MiReservePageFileSpace+222j
		test	eax, eax
		jnz	short loc_47E607
		mov	eax, 40h
		jmp	loc_47E528
; 

loc_47E66D:				; CODE XREF: MiReservePageFileSpace+1DEj
		mov	eax, dword_6D0704
		mov	edx, dword_6D0700
		mov	[ebp+var_30], eax
		mov	eax, edx
		or	eax, [ebp+var_30]
		mov	[ebp+var_2C], ecx
		jz	loc_5B42A0
		mov	ecx, [ebp+var_1C]
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		mov	eax, ecx
		jz	short loc_47E6E4
		mov	ecx, [ebp+var_2C]

loc_47E69B:				; CODE XREF: MiReservePageFileSpace+3ECj
					; MiReservePageFileSpace+135FA3j
		push	[ebp+var_18]
		push	eax
		xor	eax, eax
		add	ecx, 1
		adc	eax, eax
		push	eax
		push	ecx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], edx
		jmp	loc_47E506
; 

loc_47E6B8:				; CODE XREF: MiReservePageFileSpace+C4j
		mov	ecx, esi
		shr	ecx, 9
		jmp	loc_47E3D3
; 

loc_47E6C2:				; CODE XREF: MiReservePageFileSpace+354j
		mov	ecx, [ebp+var_58]
		xor	edx, edx
		mov	esi, [ebp+var_54]
		mov	[ebp+var_38], 1

loc_47E6D1:				; CODE XREF: MiReservePageFileSpace+3E2j
					; MmPurgeSection+136351j
		mov	[ebp+var_8], ecx
		jmp	loc_47E402
; 

loc_47E6D9:				; CODE XREF: MiReservePageFileSpace+EDj
		shr	esi, 9
		sub	esi, 40000000h
		jmp	short loc_47E6D1
; 

loc_47E6E4:				; CODE XREF: MiReservePageFileSpace+396j
		mov	ecx, [ebp+var_30]
		not	ecx
		and	ecx, [ebp+var_2C]
		jmp	short loc_47E69B
; 

loc_47E6EE:				; CODE XREF: MiReservePageFileSpace+1EBj
		mov	edi, dword_6D0704
		mov	eax, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	eax, dword_6D0700
		mov	[ebp+var_30], eax
		or	eax, edi
		mov	[ebp+var_18], edi
		mov	edi, [ebp+var_20]
		jz	short loc_47E76E
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jz	short loc_47E75C
		mov	eax, ecx

loc_47E71A:				; CODE XREF: MiReservePageFileSpace+471j
		cmp	[ebp+var_24], eax
		jnb	loc_47E4F1
		mov	eax, [ebp+var_30]
		or	eax, [ebp+var_18]
		mov	ebx, [ebp+var_2C]
		jz	short loc_47E73E
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jz	short loc_47E773
		mov	eax, [ebp+var_C]

loc_47E73B:				; CODE XREF: MiReservePageFileSpace+480j
		mov	[ebp+var_C], eax

loc_47E73E:				; CODE XREF: MiReservePageFileSpace+42Cj
		push	ecx
		mov	ecx, [ebp+var_C]
		xor	eax, eax
		sub	ecx, [ebp+var_24]
		push	edx
		sbb	eax, eax
		push	eax
		push	ecx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], edx
		jmp	loc_47E506
; 

loc_47E75C:				; CODE XREF: MiReservePageFileSpace+416j
		mov	ebx, [ebp+var_18]
		mov	[ebp+var_8], ebx
		mov	ebx, [ebp+var_C]
		not	[ebp+var_8]
		and	[ebp+var_8], ebx
		mov	ebx, [ebp+var_2C]

loc_47E76E:				; CODE XREF: MiReservePageFileSpace+40Cj
		mov	eax, [ebp+var_8]
		jmp	short loc_47E71A
; 

loc_47E773:				; CODE XREF: MiReservePageFileSpace+436j
		mov	edi, [ebp+var_18]
		not	edi
		and	edi, [ebp+var_C]
		mov	eax, edi
		mov	edi, [ebp+var_20]
		jmp	short loc_47E73B
; 

loc_47E782:				; CODE XREF: MiReservePageFileSpace+23Ej
		mov	edx, [ebp+var_3C]
		mov	ecx, edi
		xor	ecx, eax
		mov	eax, edi
		and	ecx, 3FFh
		xor	ecx, edi
		lock cmpxchg [edx], ecx
		mov	eax, [ebp+var_34]
		test	eax, eax
		jz	loc_47E607
		jmp	loc_5B42C0
MiReservePageFileSpace endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiReservePageFileSpaceForPage(x, x,	x, x)
_MiReservePageFileSpaceForPage@16 proc near ; CODE XREF: .text:0045AB41p
					; MiReservePageFileSpace+16Ep ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFC0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 0B8h
		mov	eax, [ebx+8]
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp-1Ch], ecx
		and	eax, 80h
		mov	[ebp-14h], edi
		mov	dword ptr [ebp-84h], 0
		mov	dword ptr [ebp-8Ch], 0
		mov	dword ptr [ebp-90h], 0
		mov	dword ptr [ebp-88h], 0
		mov	dword ptr [ebp-10h], 0
		mov	[ebp-0Ch], eax

loc_47E812:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+FBj
		mov	dword ptr [ebp-18h], 0
		test	eax, eax
		jz	short loc_47E821
		xor	esi, esi
		jmp	short loc_47E837
; 

loc_47E821:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+6Bj
		xor	edx, edx
		mov	ecx, edi
		call	MiLockLeafPage
		mov	esi, eax
		test	esi, esi
		jz	short loc_47E837
		mov	dword ptr [ebp-18h], 1

loc_47E837:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+6Fj
					; MiReservePageFileSpaceForPage(x,x,x,x)+7Ej
		mov	ecx, [edi]
		mov	dword ptr [ebp-9Ch], 0
		mov	dword ptr [ebp-0A0h], 0
		mov	[ebp-9Ch], ecx
		nop
		mov	edx, [edi+4]
		mov	eax, ecx
		and	eax, 1
		mov	[ebp-4], edx
		or	eax, 0
		mov	[ebp-0A4h], edx
		mov	edi, ecx
		mov	[ebp-0A8h], edi
		jnz	loc_47E9A1
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jnz	loc_47ED20
		mov	eax, ecx
		and	eax, 800h
		or	eax, 0
		jz	short loc_47E902
		cmp	dword ptr [ebp-0Ch], 0
		jz	short loc_47E8C7
		mov	edi, [ebp-14h]
		xor	edx, edx
		mov	ecx, edi
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	esi, eax
		mov	eax, [ebp-0Ch]
		test	esi, esi
		jz	loc_47E812
		mov	ecx, esi
		mov	dword ptr [ebp-18h], 1
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_47ED26

loc_47E8C7:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+E6j
		cmp	dword ptr [ebp-1Ch], offset _MiSystemPartition
		jnz	loc_47ED20
		mov	edi, [esi+8]
		nop
		mov	edx, [esi+0Ch]
		push	edx
		push	edi
		mov	[ebp-4], edx
		mov	[ebp-0A8h], edi
		mov	[ebp-0A4h], edx
		call	_MI_IS_RESET_PTE@8 ; MI_IS_RESET_PTE(x,x)
		test	eax, eax
		jz	loc_47EAAA
		test	byte ptr [esi+16h], 10h
		jmp	loc_47EAA4
; 

loc_47E902:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+E0j
		mov	eax, ecx
		or	eax, edx
		jnz	short loc_47E94B
		mov	eax, [ebx+8]
		test	al, 2
		jz	loc_47ED20
		mov	ecx, eax
		xor	eax, eax
		shr	ecx, 2
		and	ecx, 1Fh
		shld	eax, ecx, 5
		shl	ecx, 5
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	edi, eax
		mov	[ebp-4], edx
		mov	[ebp-0A8h], edi
		mov	[ebp-0A4h], edx
		mov	dword ptr [ebp-88h], 1
		jmp	loc_47EAAD
; 

loc_47E94B:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+156j
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	loc_47ED20
		mov	eax, dword_6D0700
		mov	edx, dword_6D0704
		mov	[ebp-80h], eax
		or	eax, edx
		mov	[ebp-0Ch], edx
		mov	edx, [ebp-4]
		jz	short loc_47E982
		mov	eax, [ebp-80h]
		and	[ebp-0Ch], edx
		and	eax, ecx
		or	eax, [ebp-0Ch]
		jz	loc_47ED20

loc_47E982:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+1BFj
		mov	eax, edx
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		cmp	ecx, 10h
		jz	loc_47ED20
		test	ecx, ecx
		jz	loc_47ED20
		jmp	loc_47EAAD
; 

loc_47E9A1:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+C0j
		cmp	dword ptr [ebp-0Ch], 0
		jz	short loc_47EA0C
		nop
		mov	eax, ecx
		shrd	eax, edx, 0Ch
		and	eax, 1FFFFFFh
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		test	byte ptr [ebx+8], 1
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+ecx*4]
		jnz	short loc_47E9FD
		mov	dword ptr [ebp-18h], 1
		lea	edi, [esi+10h]
		mov	dword ptr [ebp-94h], 0
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_47E9FD

loc_47E9E5:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+244j
					; MiReservePageFileSpaceForPage(x,x,x,x)+24Bj
		lea	ecx, [ebp-94h]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_47E9E5
		lock bts dword ptr [edi], 1Fh
		jb	short loc_47E9E5

loc_47E9FD:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+218j
					; MiReservePageFileSpaceForPage(x,x,x,x)+233j
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_47ED20

loc_47EA0C:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+1F5j
		test	byte ptr [esi],	1
		jz	loc_47ED20
		cmp	dword ptr [ebp-1Ch], offset _MiSystemPartition
		jnz	loc_47ED20
		test	byte ptr [esi+17h], 8
		jnz	loc_47ED20
		mov	edi, [esi+8]
		nop
		mov	edx, [esi+0Ch]
		mov	eax, edi
		and	eax, 1
		mov	[ebp-4], edx
		or	eax, 0
		mov	[ebp-0A8h], edi
		mov	[ebp-0A4h], edx
		jnz	loc_47ED20
		mov	eax, edi
		or	eax, edx
		jz	short loc_47EA7D
		mov	eax, dword_6D0700
		mov	ecx, dword_6D0704
		mov	[ebp-80h], eax
		or	eax, ecx
		mov	[ebp-8], ecx
		jz	short loc_47EA7D
		mov	ecx, edi
		mov	eax, edx
		and	ecx, [ebp-80h]
		and	eax, [ebp-8]
		or	ecx, eax
		jz	loc_47ED20

loc_47EA7D:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+2A4j
					; MiReservePageFileSpaceForPage(x,x,x,x)+2B9j
		push	edx
		push	edi
		call	_MI_IS_RESET_PTE@8 ; MI_IS_RESET_PTE(x,x)
		test	eax, eax
		jz	short loc_47EAAA
		test	byte ptr [esi+16h], 10h
		jnz	short loc_47EAAA
		cmp	dword ptr [ebp-0Ch], 0
		jz	loc_47ED20
		mov	eax, [ebp-9Ch]
		and	eax, 42h
		or	eax, 0

loc_47EAA4:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+14Dj
		jz	loc_47ED20

loc_47EAAA:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+143j
					; MiReservePageFileSpaceForPage(x,x,x,x)+2D6j ...
		mov	edx, [ebp-4]

loc_47EAAD:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+196j
					; MiReservePageFileSpaceForPage(x,x,x,x)+1ECj
		mov	ecx, edi
		mov	eax, edx
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_47EAD1
		test	byte ptr [ebx+8], 1
		jz	loc_47ED20
		mov	eax, [ebx+0Ch]
		mov	[eax], edi
		mov	[eax+4], edx
		jmp	loc_47ED20
; 

loc_47EAD1:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+308j
		test	esi, esi
		jz	short loc_47EADF
		test	byte ptr [esi+16h], 28h
		jnz	loc_47ED20

loc_47EADF:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+323j
		mov	ecx, edi
		mov	eax, edx
		shrd	ecx, eax, 2
		test	cl, 1
		jz	short loc_47EB4E
		test	esi, esi
		jz	loc_47ED20
		mov	eax, [ebx+8]
		test	al, 1
		jnz	loc_47ED16
		cmp	word ptr [esi+14h], 0
		jnz	short loc_47EB28
		xor	edx, edx
		mov	ecx, esi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		test	eax, eax
		jnz	short loc_47EB21
		xor	edx, edx
		mov	ecx, esi
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)
		jmp	loc_47ED20
; 

loc_47EB21:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+361j
		mov	dword ptr [ebp-10h], 1

loc_47EB28:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+354j
		push	0
		lea	ecx, [esi+8]
		mov	edx, 1
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	[ebp-8Ch], eax
		mov	al, [esi+16h]
		or	al, 10h
		mov	[ebp-90h], edx
		mov	edx, [ebp-4]
		mov	[esi+16h], al

loc_47EB4E:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+33Aj
		mov	eax, [ebx+8]
		test	al, 1
		jnz	loc_47ED16
		mov	eax, [ebx+0Ch]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[ebp-0Ch], eax
		mov	[ebp-7Ch], ecx
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp-1Ch]
		and	ecx, 0Fh
		mov	eax, [eax+ecx*4+0F54h]
		mov	ecx, dword_6D0700
		mov	[ebp-9Ch], eax
		mov	eax, dword_6D0704
		mov	[ebp-8], eax
		mov	eax, ecx
		or	eax, [ebp-8]
		mov	[ebp-84h], ecx
		jz	short loc_47EBB5
		mov	eax, [ebp-7Ch]
		and	eax, 10h
		or	eax, 0
		jnz	short loc_47EBB5
		mov	eax, [ebp-8]
		not	ecx
		and	[ebp-7Ch], ecx
		not	eax
		mov	ecx, [ebp-0Ch]
		and	ecx, eax
		jmp	short loc_47EBB8
; 

loc_47EBB5:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+3E7j
					; MiReservePageFileSpaceForPage(x,x,x,x)+3F2j
		mov	ecx, [ebp-0Ch]

loc_47EBB8:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+403j
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		jnz	short loc_47EBCA
		and	edi, 0FFFFFFF9h
		mov	[ebp-4], edx

loc_47EBCA:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+412j
		mov	eax, [ebp-9Ch]
		test	eax, eax
		jz	loc_47EC7C
		movzx	eax, word ptr [eax+74h]
		mov	[ebp-9Ch], eax
		mov	eax, edi
		or	eax, edx
		jnz	short loc_47EBF6
		push	ecx
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebp-4], eax
		mov	ecx, edx
		jmp	short loc_47EC53
; 

loc_47EBF6:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+436j
		mov	eax, [ebp-84h]
		or	eax, [ebp-8]
		mov	[ebp-7Ch], edi
		jz	short loc_47EC1E
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_47EC1B
		mov	edi, [ebp-84h]
		not	edi
		and	edi, [ebp-7Ch]
		jmp	short loc_47EC1E
; 

loc_47EC1B:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+45Cj
		and	edi, 0FFFFFFEFh

loc_47EC1E:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+452j
					; MiReservePageFileSpaceForPage(x,x,x,x)+469j
		xor	edx, edx
		mov	[ebp-0Ch], ecx
		or	edx, edi
		mov	edi, [ebp-84h]
		mov	eax, edi
		mov	[ebp-4], edx
		or	eax, [ebp-8]
		jz	short loc_47EC53
		mov	eax, [ebp-8]
		mov	ecx, edi
		and	eax, [ebp-0Ch]
		and	ecx, edx
		or	ecx, eax
		mov	ecx, [ebp-0Ch]
		jnz	short loc_47EC4D
		or	edx, edi
		or	ecx, [ebp-8]
		jmp	short loc_47EC50
; 

loc_47EC4D:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+494j
		or	edx, 10h

loc_47EC50:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+49Bj
		mov	[ebp-4], edx

loc_47EC53:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+444j
					; MiReservePageFileSpaceForPage(x,x,x,x)+483j
		mov	eax, [ebp-9Ch]
		movzx	eax, ax
		cdq
		mov	edi, eax
		shld	edx, edi, 0Ch
		xor	edx, edx
		shl	edi, 0Ch
		xor	edx, ecx
		xor	edi, [ebp-4]
		and	edi, 0F000h
		xor	edi, [ebp-4]
		mov	[ebp-4], edx
		or	edi, 2

loc_47EC7C:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+422j
		test	esi, esi
		jz	loc_47ED63
		cmp	word ptr [esi+14h], 0
		mov	eax, [ebp-10h]
		jnz	short loc_47ECA9
		test	byte ptr [esi+16h], 10h
		jz	short loc_47ECA9
		test	eax, eax
		jnz	short loc_47ECA9
		xor	edx, edx
		mov	ecx, esi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		mov	edx, [ebp-4]
		mov	eax, 1

loc_47ECA9:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+4DCj
					; MiReservePageFileSpaceForPage(x,x,x,x)+4E2j ...
		mov	[esi+8], edi
		mov	[esi+0Ch], edx
		test	eax, eax
		jz	short loc_47ECBF
		mov	edx, 8
		mov	ecx, esi
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)

loc_47ECBF:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+501j
		mov	ecx, [ebp-14h]

loc_47ECC2:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+5BBj
		cmp	dword ptr [ebp-88h], 0
		jz	short loc_47ED16
		mov	eax, ds:_MmHighestUserAddress
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	ecx, eax
		ja	short loc_47ED16
		cmp	ecx, 0C0000000h
		jb	short loc_47ED16
		mov	eax, large fs:124h
		mov	edx, 1
		shr	ecx, 0Ch
		and	ecx, 7FFh
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		add	eax, 190h
		lea	ecx, [eax+ecx*2]
		call	_MiIncreaseUsedPtesCount@8 ; MiIncreaseUsedPtesCount(x,x)

loc_47ED16:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+349j
					; MiReservePageFileSpaceForPage(x,x,x,x)+3A3j ...
		mov	dword ptr [ebp-84h], 1

loc_47ED20:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+D0j
					; MiReservePageFileSpaceForPage(x,x,x,x)+11Ej ...
		cmp	dword ptr [ebp-18h], 1
		jnz	short loc_47ED31

loc_47ED26:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+111j
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx

loc_47ED31:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+574j
		mov	ecx, [ebp-8Ch]
		mov	eax, ecx
		mov	edx, [ebp-90h]
		or	eax, edx
		jz	short loc_47ED52
		push	edx
		push	ecx
		mov	ecx, [ebp-1Ch]
		mov	edx, 1
		call	MiReleasePageFileInfo

loc_47ED52:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+591j
		mov	eax, [ebp-84h]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_47ED63:				; CODE XREF: MiReservePageFileSpaceForPage(x,x,x,x)+4CEj
		mov	ecx, [ebp-14h]
		mov	[ecx], edi
		mov	[ecx+4], edx
		jmp	loc_47ECC2
_MiReservePageFileSpaceForPage@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MI_IS_RESET_PTE(x, x)
_MI_IS_RESET_PTE@8 proc	near		; CODE XREF: .text:00475136p
					; MiReservePageFileSpaceForPage(x,x,x,x)+13Cp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		push	esi
		jnz	short loc_47EDE6
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_47EDE6
		mov	eax, edx
		and	eax, 800h
		or	eax, 0
		jnz	short loc_47EDE6
		mov	esi, [ebp+arg_4]
		mov	ecx, edx
		mov	eax, esi
		shrd	ecx, eax, 2
		test	cl, 1
		jnz	short loc_47EDE6
		mov	ecx, edx
		shrd	ecx, eax, 1
		test	cl, 1
		jnz	short loc_47EDE6
		mov	eax, dword_6D0704
		push	edi
		mov	edi, dword_6D0700
		mov	ecx, edi
		or	ecx, eax
		jz	short loc_47EDD6
		mov	ecx, edx
		and	ecx, 10h
		or	ecx, 0
		jnz	short loc_47EDD6
		not	eax
		and	esi, eax

loc_47EDD6:				; CODE XREF: MI_IS_RESET_PTE(x,x)+56j
					; MI_IS_RESET_PTE(x,x)+60j
		pop	edi
		cmp	esi, 1
		jnz	short loc_47EDE6
		mov	eax, 1

loc_47EDE1:				; CODE XREF: MI_IS_RESET_PTE(x,x)+78j
		pop	esi
		pop	ebp
		retn	8
; 

loc_47EDE6:				; CODE XREF: MI_IS_RESET_PTE(x,x)+11j
					; MI_IS_RESET_PTE(x,x)+1Dj ...
		xor	eax, eax
		jmp	short loc_47EDE1
_MI_IS_RESET_PTE@8 endp

; 
		align 10h
; Exported entry 2092. RtlFindSetBits

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlFindSetBits
RtlFindSetBits	proc near		; CODE XREF: MiDeleteEmptyPageTableTail(x)+53p
					; IopLiveDumpGetCapturePagesNoLock(x,x,x,x,x,x)+31p ...

var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005B4300 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [eax]
		mov	[ebp+arg_0], edi
		cmp	esi, edi
		jnb	loc_47F184
		mov	edx, esi
		mov	[ebp+var_10], esi

loc_47EE13:				; CODE XREF: RtlFindSetBits+399j
		mov	ebx, [ebp+arg_4]
		lea	ecx, [edi-1]
		mov	eax, [eax+4]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_4], eax
		test	ebx, ebx
		jz	loc_5B4300
		lea	ebx, [ebx+0]

loc_47EE30:				; CODE XREF: RtlFindSetBits+F2j
		mov	eax, ecx
		mov	[ebp+var_1C], 0
		sub	eax, edx
		inc	eax
		cmp	eax, ebx
		jb	loc_47F18E
		mov	esi, [ebp+var_4]
		mov	eax, ecx
		sub	eax, ebx
		mov	ecx, edx
		inc	eax
		and	ecx, 1Fh
		mov	[ebp+var_C], eax
		mov	edx, 1
		shr	eax, 5
		shl	edx, cl
		dec	edx
		lea	edi, [esi+eax*4]
		mov	eax, [ebp+var_10]
		shr	eax, 5
		mov	[ebp+var_18], edi
		lea	eax, [esi+eax*4]
		mov	esi, [eax]
		not	esi
		or	esi, edx
		cmp	ebx, 3Fh
		ja	loc_47F09A
		cmp	ebx, 20h
		jnb	loc_47EFB6
		cmp	ebx, 1
		ja	short loc_47EEE7
		cmp	esi, 0FFFFFFFFh
		jz	loc_47EF70

loc_47EE94:				; CODE XREF: RtlFindSetBits+194j
		not	esi
		mov	edx, eax
		sub	edx, [ebp+var_4]
		bsf	ecx, esi
		sar	edx, 2
		shl	edx, 5
		add	edx, ecx
		cmp	edx, [ebp+var_C]
		ja	loc_47F06B

loc_47EEAF:				; CODE XREF: RtlFindSetBits+175j
					; RtlFindSetBits+207j ...
		cmp	edx, 0FFFFFFFFh
		jz	short loc_47EEC2

loc_47EEB4:				; CODE XREF: RtlFindSetBits+DCj
					; RtlFindSetBits+135513j
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_47EEBF:				; CODE XREF: RtlFindSetBits+17Bj
					; RtlFindSetBits+185j ...
		or	edx, 0FFFFFFFFh

loc_47EEC2:				; CODE XREF: RtlFindSetBits+C2j
					; RtlFindSetBits+27Ej
		mov	edi, [ebp+arg_0]
		mov	esi, [ebp+arg_8]

loc_47EEC8:				; CODE XREF: RtlFindSetBits+3A1j
		cmp	[ebp+var_10], 0
		jz	short loc_47EEB4
		lea	ecx, [ebx+esi]
		cmp	ecx, edi
		ja	loc_5B431C

loc_47EED9:				; CODE XREF: RtlFindSetBits+13552Ej
		dec	ecx
		xor	edx, edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		jmp	loc_47EE30
; 

loc_47EEE7:				; CODE XREF: RtlFindSetBits+99j
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		mov	edi, [ebp+var_4]
		shr	ecx, 5
		lea	ecx, [edi+ecx*4]
		mov	edi, [ebp+var_18]
		mov	[ebp+var_1C], ecx
		jmp	short loc_47EF00
; 
		align 10h

loc_47EF00:				; CODE XREF: RtlFindSetBits+10Bj
					; RtlFindSetBits+1C1j
		cmp	esi, 0FFFFFFFFh
		jz	loc_47F050

loc_47EF09:				; CODE XREF: RtlFindSetBits+276j
		bsf	ecx, esi
		mov	[ebp+var_28], 0
		jz	loc_47F07A

loc_47EF19:				; CODE XREF: RtlFindSetBits+28Fj
		add	ecx, edx
		cmp	ecx, ebx
		jnb	loc_47F073
		mov	ecx, esi
		mov	[ebp+var_18], ebx
		not	ecx
		mov	edx, ebx
		mov	[ebp+var_14], ecx
		nop

loc_47EF30:				; CODE XREF: RtlFindSetBits+162j
		shr	edx, 1
		mov	[ebp+var_8], edx
		mov	edx, ecx
		mov	ecx, [ebp+var_8]
		shr	edx, cl
		mov	ecx, [ebp+var_14]
		and	ecx, edx
		mov	[ebp+var_14], ecx
		jz	short loc_47EF89
		mov	edx, [ebp+var_18]
		sub	edx, [ebp+var_8]
		mov	[ebp+var_18], edx
		cmp	edx, 1
		ja	short loc_47EF30
		bsf	edx, ecx

loc_47EF57:				; CODE XREF: RtlFindSetBits+285j
		sub	eax, [ebp+var_4]
		sar	eax, 2
		shl	eax, 5
		add	edx, eax
		cmp	edx, [ebp+var_C]
		jbe	loc_47EEAF
		jmp	loc_47EEBF
; 

loc_47EF70:				; CODE XREF: RtlFindSetBits+9Ej
					; RtlFindSetBits+192j
		add	eax, 4
		cmp	eax, edi
		ja	loc_47EEBF
		mov	esi, [eax]
		not	esi
		cmp	esi, 0FFFFFFFFh
		jz	short loc_47EF70
		jmp	loc_47EE94
; 

loc_47EF89:				; CODE XREF: RtlFindSetBits+154j
		cmp	eax, [ebp+var_1C]
		jz	loc_47EEBF
		bsr	ecx, esi
		mov	[ebp+var_2C], 0
		jz	loc_5B4312
		mov	edx, 1Fh
		sub	edx, ecx

loc_47EFA9:				; CODE XREF: RtlFindSetBits+135527j
		mov	esi, [eax+4]
		add	eax, 4
		not	esi
		jmp	loc_47EF00
; 

loc_47EFB6:				; CODE XREF: RtlFindSetBits+90j
		mov	ecx, [ebp+var_4]
		lea	esp, [esp+0]

loc_47EFC0:				; CODE XREF: RtlFindSetBits+237j
		test	esi, esi

loc_47EFC2:				; CODE XREF: RtlFindSetBits+370j
		js	short loc_47F030

loc_47EFC4:				; CODE XREF: RtlFindSetBits+253j
		bsr	edx, esi
		mov	[ebp+var_20], 0
		jz	loc_47F084
		mov	esi, 1Fh
		sub	esi, edx

loc_47EFDB:				; CODE XREF: RtlFindSetBits+299j
		mov	edx, eax
		sub	edx, ecx
		sar	edx, 2
		inc	edx
		shl	edx, 5
		sub	edx, esi
		cmp	edx, [ebp+var_C]
		ja	loc_47EEBF
		mov	[ebp+var_8], ebx
		sub	[ebp+var_8], esi
		jz	loc_47EEAF
		mov	esi, [eax+4]
		add	eax, 4
		cmp	[ebp+var_8], 20h
		not	esi
		jnb	loc_47F15E

loc_47F00F:				; CODE XREF: RtlFindSetBits+388j
		bsf	ebx, esi
		mov	[ebp+var_24], 0
		mov	[ebp+var_14], ebx
		jz	short loc_47F08E

loc_47F01E:				; CODE XREF: RtlFindSetBits+2A8j
		mov	ebx, [ebp+var_14]
		cmp	ebx, [ebp+var_8]
		mov	ebx, [ebp+arg_4]
		jb	short loc_47EFC0
		jmp	loc_47EEAF
; 
		align 10h

loc_47F030:				; CODE XREF: RtlFindSetBits:loc_47EFC2j
					; RtlFindSetBits+251j
		add	eax, 4
		cmp	eax, edi
		ja	loc_47EEBF
		mov	esi, [eax]
		not	esi
		test	esi, esi
		js	short loc_47F030
		jmp	loc_47EFC4
; 
		jmp	short loc_47F050
; 
		align 10h

loc_47F050:				; CODE XREF: RtlFindSetBits+113j
					; RtlFindSetBits+258j ...
		add	eax, 4
		cmp	eax, edi
		ja	loc_47EEBF
		mov	esi, [eax]
		not	esi
		cmp	esi, 0FFFFFFFFh
		jz	short loc_47F050
		xor	edx, edx
		jmp	loc_47EF09
; 

loc_47F06B:				; CODE XREF: RtlFindSetBits+B9j
		or	edx, 0FFFFFFFFh
		jmp	loc_47EEC2
; 

loc_47F073:				; CODE XREF: RtlFindSetBits+12Dj
		neg	edx
		jmp	loc_47EF57
; 

loc_47F07A:				; CODE XREF: RtlFindSetBits+123j
		mov	ecx, 20h
		jmp	loc_47EF19
; 

loc_47F084:				; CODE XREF: RtlFindSetBits+1DEj
		mov	esi, 20h
		jmp	loc_47EFDB
; 

loc_47F08E:				; CODE XREF: RtlFindSetBits+22Cj
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_14], 20h
		jmp	short loc_47F01E
; 

loc_47F09A:				; CODE XREF: RtlFindSetBits+87j
		test	byte ptr [ebp+var_C], 1Fh
		jz	short loc_47F0A3
		add	edi, 4

loc_47F0A3:				; CODE XREF: RtlFindSetBits+2AEj
		test	esi, esi
		jz	loc_47F17D
		mov	ecx, [eax+4]
		add	eax, 4
		not	ecx
		test	ecx, ecx
		jnz	short loc_47F0C5
		bsr	edx, esi
		mov	[ebp+var_18], ecx
		jz	loc_5B4308
		jmp	short loc_47F0EE
; 

loc_47F0C5:				; CODE XREF: RtlFindSetBits+2C5j
					; RtlFindSetBits+2E7j ...
		cmp	eax, edi
		ja	loc_47EEBF
		mov	ecx, [eax+4]
		add	eax, 4
		not	ecx
		test	ecx, ecx
		jnz	short loc_47F0C5
		mov	ecx, [eax-4]
		not	ecx
		mov	[ebp+var_14], 0
		bsr	edx, ecx
		jz	loc_5B4308

loc_47F0EE:				; CODE XREF: RtlFindSetBits+2D3j
		mov	ecx, 1Fh
		sub	ecx, edx

loc_47F0F5:				; CODE XREF: RtlFindSetBits+38Fj
					; RtlFindSetBits+13551Dj
		mov	edx, eax
		sub	edx, [ebp+var_4]
		sar	edx, 2
		shl	edx, 5
		sub	edx, ecx
		cmp	edx, [ebp+var_C]
		ja	loc_47EEBF
		mov	esi, ebx
		sub	esi, ecx
		mov	ecx, esi
		mov	[ebp+var_18], esi
		shr	ecx, 5
		lea	esi, [eax+ecx*4]
		add	eax, 4
		cmp	eax, esi
		jz	short loc_47F130

loc_47F121:				; CODE XREF: RtlFindSetBits+33Ej
		mov	ecx, [eax]
		not	ecx
		test	ecx, ecx
		jnz	short loc_47F0C5
		add	eax, 4
		cmp	eax, esi
		jnz	short loc_47F121

loc_47F130:				; CODE XREF: RtlFindSetBits+32Fj
		mov	esi, [ebp+var_18]
		and	esi, 1Fh
		jz	loc_47EEAF
		mov	ecx, [eax]
		not	ecx
		mov	[ebp+var_8], 0
		bsf	ecx, ecx
		jnz	short loc_47F151
		mov	ecx, 20h

loc_47F151:				; CODE XREF: RtlFindSetBits+35Aj
		cmp	ecx, esi
		jnb	loc_47EEAF
		jmp	loc_47F0C5
; 

loc_47F15E:				; CODE XREF: RtlFindSetBits+219j
		test	esi, esi
		jnz	loc_47EFC2
		sub	[ebp+var_8], 20h
		jz	loc_47EEAF
		mov	esi, [eax+4]
		add	eax, 4
		not	esi
		jmp	loc_47F00F
; 

loc_47F17D:				; CODE XREF: RtlFindSetBits+2B5j
		xor	ecx, ecx
		jmp	loc_47F0F5
; 

loc_47F184:				; CODE XREF: RtlFindSetBits+18j
		xor	edx, edx
		mov	[ebp+var_10], edx
		jmp	loc_47EE13
; 

loc_47F18E:				; CODE XREF: RtlFindSetBits+4Ej
		or	edx, 0FFFFFFFFh
		jmp	loc_47EEC8
RtlFindSetBits	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiFindNextTimerDueTime proc near	; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+7Dp

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B4323 SIZE 000002D6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		push	ebx
		push	esi
		push	edi
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_1], dl
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_2C], ecx
		test	ds:_KiVelocityFlags, 2000h
		mov	[ebp+var_C], 0FFFFFFFFh
		mov	[ebp+var_28], 0FFFFFFFFh
		jz	short loc_47F1DE
		mov	eax, ds:_KePseudoHrTimeIncrement
		cmp	eax, ds:_KeMaximumIncrement
		jz	short loc_47F23D

loc_47F1DE:				; CODE XREF: KiFindNextTimerDueTime+2Fj
		mov	ebx, 1

loc_47F1E3:				; CODE XREF: KiFindNextTimerDueTime+A0j
		mov	[ebp+var_10], ebx
		xor	eax, eax

loc_47F1E8:				; CODE XREF: KiFindNextTimerDueTime+8Ej
		mov	[ebp+var_14], eax
		cmp	eax, 1
		jnb	short loc_47F230
		mov	edx, [ebp+arg_0]
		or	esi, 0FFFFFFFFh
		mov	ecx, [ebp+arg_4]
		or	edi, 0FFFFFFFFh
		shrd	edx, ecx, 12h
		cmp	ds:_KiSerializeTimerExpiration,	0
		movzx	edx, dl
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], edi
		mov	[ebp+var_18], edx
		jz	loc_5B433D
		cmp	[ebp+var_1], 0
		jnz	short loc_47F242

loc_47F21F:				; CODE XREF: KiFindNextTimerDueTime+215j
					; KiFindNextTimerDueTime+1352C3j ...
		mov	ecx, esi
		and	ecx, edi
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_47F3BA

loc_47F22C:				; CODE XREF: KiFindNextTimerDueTime+221j
					; KiFindNextTimerDueTime+22Aj
		add	eax, ebx
		jmp	short loc_47F1E8
; 

loc_47F230:				; CODE XREF: KiFindNextTimerDueTime+4Ej
		mov	eax, esi
		mov	edx, edi

loc_47F234:				; CODE XREF: KiFindNextTimerDueTime+135454j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_47F23D:				; CODE XREF: KiFindNextTimerDueTime+3Cj
		or	ebx, 0FFFFFFFFh
		jmp	short loc_47F1E3
; 

loc_47F242:				; CODE XREF: KiFindNextTimerDueTime+7Dj
		mov	ebx, ds:_KiProcessorBlock
		sub	edx, [ebx+eax*4+3AA8h]
		movzx	ecx, dl
		cmp	ecx, 1
		ja	loc_5B45F0
		movzx	edx, byte ptr [ebx+eax*4+3AA8h]
		mov	[ebp+var_8], edx
		imul	edx, eax, 1800h
		shl	ecx, 12h
		mov	[ebp+var_C], 0
		add	edx, ebx
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_20], edx
		mov	edx, [ebp+arg_0]
		and	edx, 0FFFC0000h
		sub	edx, ecx
		sbb	ebx, 0
		add	edx, 4000000h
		mov	[ebp+var_3C], edx
		mov	edx, [ebp+var_8]
		adc	ebx, 0
		mov	[ebp+var_30], ebx
		mov	edi, edi

loc_47F2A0:				; CODE XREF: KiFindNextTimerDueTime+1E3j
		mov	ecx, ds:_KiPendingTimerBitmaps
		mov	[ebp+var_34], ecx
		cmp	edx, ecx
		jnb	loc_5B4323
		mov	[ebp+var_18], edx

loc_47F2B4:				; CODE XREF: KiFindNextTimerDueTime+13518Aj
		lea	ebx, [ecx-1]
		mov	ecx, ds:dword_70E644
		mov	[ebp+var_1C], ecx

loc_47F2C0:				; CODE XREF: KiFindNextTimerDueTime+269j
		mov	ecx, ebx
		mov	[ebp+var_24], ebx
		sub	ecx, [ebp+var_18]
		inc	ecx
		mov	[ebp+var_4C], 0
		cmp	ecx, 1
		jb	loc_47F449
		mov	edx, [ebp+var_1C]
		mov	ecx, ebx
		mov	ebx, [ebp+var_1C]
		shr	ecx, 5
		lea	ecx, [edx+ecx*4]
		mov	edx, 1
		mov	[ebp+var_38], ecx
		mov	ecx, [ebp+var_18]
		and	ecx, 1Fh
		shl	edx, cl
		mov	ecx, [ebp+var_18]
		dec	edx
		shr	ecx, 5
		lea	ebx, [ebx+ecx*4]
		mov	ecx, [ebx]
		not	ecx
		or	ecx, edx
		cmp	ecx, 0FFFFFFFFh
		jz	loc_47F3CF

loc_47F310:				; CODE XREF: KiFindNextTimerDueTime+242j
		sub	ebx, [ebp+var_1C]
		not	ecx
		bsf	ecx, ecx
		sar	ebx, 2
		shl	ebx, 5
		add	ebx, ecx
		cmp	ebx, [ebp+var_24]
		ja	loc_47F3E7
		cmp	ebx, 0FFFFFFFFh
		jz	loc_47F3EA

loc_47F332:				; CODE XREF: KiFindNextTimerDueTime+135198j
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		sub	ecx, [ebp+var_8]
		inc	ecx
		movzx	ecx, cl
		add	edx, ecx
		mov	[ebp+var_C], edx
		cmp	edx, 100h
		ja	short loc_47F3B2
		cmp	edx, [ebp+var_28]
		ja	short loc_47F3B2
		mov	edx, [ebp+var_20]
		lea	ecx, [ebx+ebx*2]
		mov	eax, [ebp+var_20]
		mov	edx, [edx+ecx*8+22B0h]
		mov	ecx, [eax+ecx*8+22B4h]
		mov	eax, [ebp+var_14]
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], ecx
		cmp	ecx, edi
		ja	short loc_47F37A
		jb	short loc_47F388
		cmp	edx, esi
		jb	short loc_47F388

loc_47F37A:				; CODE XREF: KiFindNextTimerDueTime+1D2j
					; KiFindNextTimerDueTime+1EBj ...
		lea	ecx, [ebx+1]
		movzx	edx, cl
		mov	[ebp+var_8], edx
		jmp	loc_47F2A0
; 

loc_47F388:				; CODE XREF: KiFindNextTimerDueTime+1D4j
					; KiFindNextTimerDueTime+1D8j
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_47F37A
		cmp	ecx, [ebp+var_30]
		ja	loc_47F440
		jb	short loc_47F3A1
		cmp	edx, [ebp+var_3C]
		jnb	loc_47F440

loc_47F3A1:				; CODE XREF: KiFindNextTimerDueTime+1F6j
		shrd	edx, ecx, 12h
		movzx	ecx, dl
		cmp	ecx, ebx
		jnz	short loc_47F40E
		mov	esi, [ebp+var_24]
		mov	edi, [ebp+var_1C]

loc_47F3B2:				; CODE XREF: KiFindNextTimerDueTime+1A9j
					; KiFindNextTimerDueTime+1AEj ...
		mov	ebx, [ebp+var_10]
		jmp	loc_47F21F
; 

loc_47F3BA:				; CODE XREF: KiFindNextTimerDueTime+86j
		mov	ecx, [ebp+var_C]
		inc	ecx
		cmp	[ebp+var_28], ecx
		jb	loc_47F22C
		mov	[ebp+var_28], ecx
		jmp	loc_47F22C
; 

loc_47F3CF:				; CODE XREF: KiFindNextTimerDueTime+16Aj
		mov	edx, [ebp+var_38]

loc_47F3D2:				; CODE XREF: KiFindNextTimerDueTime+240j
		add	ebx, 4
		cmp	ebx, edx
		ja	short loc_47F3E7
		mov	ecx, [ebx]
		not	ecx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_47F3D2
		jmp	loc_47F310
; 

loc_47F3E7:				; CODE XREF: KiFindNextTimerDueTime+183j
					; KiFindNextTimerDueTime+237j
		or	ebx, 0FFFFFFFFh

loc_47F3EA:				; CODE XREF: KiFindNextTimerDueTime+18Cj
		mov	edx, [ebp+var_8]

loc_47F3ED:				; CODE XREF: KiFindNextTimerDueTime+2ACj
		cmp	[ebp+var_18], 0
		jz	loc_5B432F
		mov	ecx, [ebp+var_34]
		lea	ebx, [edx+1]
		cmp	ebx, ecx
		ja	short loc_47F44E

loc_47F401:				; CODE XREF: KiFindNextTimerDueTime+2B0j
		dec	ebx
		mov	[ebp+var_18], 0
		jmp	loc_47F2C0
; 

loc_47F40E:				; CODE XREF: KiFindNextTimerDueTime+20Aj
		mov	edx, ebx
		sub	edx, ecx
		mov	ecx, [ebp+var_24]
		shl	edx, 12h
		and	ecx, 0FFFC0000h
		and	edx, 3FC0000h
		add	edx, ecx
		mov	ecx, 0
		adc	ecx, [ebp+var_1C]
		cmp	ecx, edi
		ja	loc_47F37A
		jb	short loc_47F440
		cmp	edx, esi
		jnb	loc_47F37A

loc_47F440:				; CODE XREF: KiFindNextTimerDueTime+1F0j
					; KiFindNextTimerDueTime+1FBj ...
		mov	edi, ecx
		mov	esi, edx
		jmp	loc_47F37A
; 

loc_47F449:				; CODE XREF: KiFindNextTimerDueTime+133j
		or	ebx, 0FFFFFFFFh
		jmp	short loc_47F3ED
; 

loc_47F44E:				; CODE XREF: KiFindNextTimerDueTime+25Fj
		mov	ebx, ecx
		jmp	short loc_47F401
KiFindNextTimerDueTime endp

; 
		align 10h
; Exported entry 2078. RtlFindClearBits

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlFindClearBits
RtlFindClearBits proc near		; CODE XREF: MiFindEmptyAddressRange+C6p
					; MiSelectImageBase+94p ...

var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005B45F9 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [eax]
		mov	[ebp+arg_0], edi
		cmp	esi, edi
		jnb	loc_47F7CC
		mov	edx, esi
		mov	[ebp+var_10], esi

loc_47F483:				; CODE XREF: RtlFindClearBits+371j
		mov	ebx, [ebp+arg_4]
		lea	ecx, [edi-1]
		mov	eax, [eax+4]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_4], eax
		test	ebx, ebx
		jz	loc_5B45F9
		lea	ebx, [ebx+0]

loc_47F4A0:				; CODE XREF: RtlFindClearBits+F0j
		mov	eax, ecx
		mov	[ebp+var_1C], 0
		sub	eax, edx
		inc	eax
		cmp	eax, ebx
		jb	loc_47F7DD
		mov	esi, [ebp+var_4]
		mov	eax, ecx
		sub	eax, ebx
		mov	ecx, edx
		inc	eax
		and	ecx, 1Fh
		mov	[ebp+var_C], eax
		mov	edx, 1
		shr	eax, 5
		shl	edx, cl
		dec	edx
		lea	edi, [esi+eax*4]
		mov	eax, [ebp+var_10]
		shr	eax, 5
		mov	[ebp+var_18], edi
		lea	eax, [esi+eax*4]
		mov	esi, [eax]
		or	esi, edx
		cmp	ebx, 3Fh
		ja	loc_47F6EC
		cmp	ebx, 20h
		jnb	loc_47F622
		cmp	ebx, 1
		ja	short loc_47F555
		cmp	esi, 0FFFFFFFFh
		jz	loc_47F5E0

loc_47F502:				; CODE XREF: RtlFindClearBits+192j
		not	esi
		mov	edx, eax
		sub	edx, [ebp+var_4]
		bsf	ecx, esi
		sar	edx, 2
		shl	edx, 5
		add	edx, ecx
		cmp	edx, [ebp+var_C]
		ja	loc_47F6BD

loc_47F51D:				; CODE XREF: RtlFindClearBits+175j
					; RtlFindClearBits+1FCj ...
		cmp	edx, 0FFFFFFFFh
		jz	short loc_47F530

loc_47F522:				; CODE XREF: RtlFindClearBits+DAj
					; RtlFindClearBits+13519Cj
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_47F52D:				; CODE XREF: RtlFindClearBits+17Bj
					; RtlFindClearBits+185j ...
		or	edx, 0FFFFFFFFh

loc_47F530:				; CODE XREF: RtlFindClearBits+C0j
					; RtlFindClearBits+260j
		mov	edi, [ebp+arg_0]
		mov	esi, [ebp+arg_8]

loc_47F536:				; CODE XREF: RtlFindClearBits+380j
		cmp	[ebp+var_10], 0
		jz	short loc_47F522
		lea	ecx, [ebx+esi]
		cmp	ecx, edi
		ja	loc_47F7D6

loc_47F547:				; CODE XREF: RtlFindClearBits+378j
		dec	ecx
		xor	edx, edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		jmp	loc_47F4A0
; 

loc_47F555:				; CODE XREF: RtlFindClearBits+97j
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		mov	edi, [ebp+var_4]
		shr	ecx, 5
		lea	ecx, [edi+ecx*4]
		mov	edi, [ebp+var_18]
		mov	[ebp+var_1C], ecx
		lea	esp, [esp+0]

loc_47F570:				; CODE XREF: RtlFindClearBits+1BDj
		cmp	esi, 0FFFFFFFFh
		jz	loc_47F6A4

loc_47F579:				; CODE XREF: RtlFindClearBits+258j
		bsf	ecx, esi
		mov	[ebp+var_28], 0
		jz	loc_47F6CC

loc_47F589:				; CODE XREF: RtlFindClearBits+271j
		add	ecx, edx
		cmp	ecx, ebx
		jnb	loc_47F6C5
		mov	ecx, esi
		mov	[ebp+var_18], ebx
		not	ecx
		mov	edx, ebx
		mov	[ebp+var_14], ecx
		nop

loc_47F5A0:				; CODE XREF: RtlFindClearBits+162j
		shr	edx, 1
		mov	[ebp+var_8], edx
		mov	edx, ecx
		mov	ecx, [ebp+var_8]
		shr	edx, cl
		mov	ecx, [ebp+var_14]
		and	ecx, edx
		mov	[ebp+var_14], ecx
		jz	short loc_47F5F7
		mov	edx, [ebp+var_18]
		sub	edx, [ebp+var_8]
		mov	[ebp+var_18], edx
		cmp	edx, 1
		ja	short loc_47F5A0
		bsf	edx, ecx

loc_47F5C7:				; CODE XREF: RtlFindClearBits+267j
		sub	eax, [ebp+var_4]
		sar	eax, 2
		shl	eax, 5
		add	edx, eax
		cmp	edx, [ebp+var_C]
		jbe	loc_47F51D
		jmp	loc_47F52D
; 

loc_47F5E0:				; CODE XREF: RtlFindClearBits+9Cj
					; RtlFindClearBits+190j
		add	eax, 4
		cmp	eax, edi
		ja	loc_47F52D
		mov	esi, [eax]
		cmp	esi, 0FFFFFFFFh
		jz	short loc_47F5E0
		jmp	loc_47F502
; 

loc_47F5F7:				; CODE XREF: RtlFindClearBits+154j
		cmp	eax, [ebp+var_1C]
		jz	loc_47F52D
		bsr	ecx, esi
		mov	[ebp+var_2C], 0
		jz	loc_5B460B
		mov	edx, 1Fh
		sub	edx, ecx

loc_47F617:				; CODE XREF: RtlFindClearBits+1351B0j
		mov	esi, [eax+4]
		add	eax, 4
		jmp	loc_47F570
; 

loc_47F622:				; CODE XREF: RtlFindClearBits+8Ej
		mov	ecx, [ebp+var_4]

loc_47F625:				; CODE XREF: RtlFindClearBits+22Aj
		test	esi, esi

loc_47F627:				; CODE XREF: RtlFindClearBits+34Aj
		js	short loc_47F691

loc_47F629:				; CODE XREF: RtlFindClearBits+242j
		bsr	edx, esi
		mov	[ebp+var_20], 0
		jz	loc_47F6D6
		mov	esi, 1Fh
		sub	esi, edx

loc_47F640:				; CODE XREF: RtlFindClearBits+27Bj
		mov	edx, eax
		sub	edx, ecx
		sar	edx, 2
		inc	edx
		shl	edx, 5
		sub	edx, esi
		cmp	edx, [ebp+var_C]
		ja	loc_47F52D
		mov	[ebp+var_8], ebx
		sub	[ebp+var_8], esi
		jz	loc_47F51D
		mov	esi, [eax+4]
		add	eax, 4
		cmp	[ebp+var_8], 20h
		jnb	loc_47F7A8

loc_47F672:				; CODE XREF: RtlFindClearBits+360j
		bsf	ebx, esi
		mov	[ebp+var_24], 0
		mov	[ebp+var_14], ebx
		jz	short loc_47F6E0

loc_47F681:				; CODE XREF: RtlFindClearBits+28Aj
		mov	ebx, [ebp+var_14]
		cmp	ebx, [ebp+var_8]
		mov	ebx, [ebp+arg_4]
		jb	short loc_47F625
		jmp	loc_47F51D
; 

loc_47F691:				; CODE XREF: RtlFindClearBits:loc_47F627j
					; RtlFindClearBits+240j
		add	eax, 4
		cmp	eax, edi
		ja	loc_47F52D
		mov	esi, [eax]
		test	esi, esi
		js	short loc_47F691
		jmp	short loc_47F629
; 

loc_47F6A4:				; CODE XREF: RtlFindClearBits+113j
					; RtlFindClearBits+254j
		add	eax, 4
		cmp	eax, edi
		ja	loc_47F52D
		mov	esi, [eax]
		cmp	esi, 0FFFFFFFFh
		jz	short loc_47F6A4
		xor	edx, edx
		jmp	loc_47F579
; 

loc_47F6BD:				; CODE XREF: RtlFindClearBits+B7j
		or	edx, 0FFFFFFFFh
		jmp	loc_47F530
; 

loc_47F6C5:				; CODE XREF: RtlFindClearBits+12Dj
		neg	edx
		jmp	loc_47F5C7
; 

loc_47F6CC:				; CODE XREF: RtlFindClearBits+123j
		mov	ecx, 20h
		jmp	loc_47F589
; 

loc_47F6D6:				; CODE XREF: RtlFindClearBits+1D3j
		mov	esi, 20h
		jmp	loc_47F640
; 

loc_47F6E0:				; CODE XREF: RtlFindClearBits+21Fj
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_14], 20h
		jmp	short loc_47F681
; 

loc_47F6EC:				; CODE XREF: RtlFindClearBits+85j
		test	byte ptr [ebp+var_C], 1Fh
		jz	short loc_47F6F5
		add	edi, 4

loc_47F6F5:				; CODE XREF: RtlFindClearBits+290j
		test	esi, esi
		jz	loc_47F7C5
		add	eax, 4
		cmp	dword ptr [eax], 0
		jnz	short loc_47F717
		bsr	edx, esi
		mov	[ebp+var_18], 0
		jz	loc_5B4601
		jmp	short loc_47F73A
; 

loc_47F717:				; CODE XREF: RtlFindClearBits+2A3j
					; RtlFindClearBits+2C5j ...
		cmp	eax, edi
		ja	loc_47F52D
		add	eax, 4
		cmp	dword ptr [eax], 0
		jnz	short loc_47F717
		mov	ecx, [eax-4]
		bsr	edx, ecx
		mov	[ebp+var_14], 0
		jz	loc_5B4601

loc_47F73A:				; CODE XREF: RtlFindClearBits+2B5j
		mov	ecx, 1Fh
		sub	ecx, edx

loc_47F741:				; CODE XREF: RtlFindClearBits+367j
					; RtlFindClearBits+1351A6j
		mov	edx, eax
		sub	edx, [ebp+var_4]
		sar	edx, 2
		shl	edx, 5
		sub	edx, ecx
		cmp	edx, [ebp+var_C]
		ja	loc_47F52D
		mov	esi, ebx
		sub	esi, ecx
		mov	ecx, esi
		mov	[ebp+var_18], esi
		shr	ecx, 5
		lea	esi, [eax+ecx*4]
		add	eax, 4
		cmp	eax, esi
		jz	short loc_47F77C
		lea	ecx, [ecx+0]

loc_47F770:				; CODE XREF: RtlFindClearBits+31Aj
		cmp	dword ptr [eax], 0
		jnz	short loc_47F717
		add	eax, 4
		cmp	eax, esi
		jnz	short loc_47F770

loc_47F77C:				; CODE XREF: RtlFindClearBits+30Bj
		mov	esi, [ebp+var_18]
		and	esi, 1Fh
		jz	loc_47F51D
		mov	ecx, [eax]
		bsf	ecx, ecx
		mov	[ebp+var_8], 0
		jnz	short loc_47F79B
		mov	ecx, 20h

loc_47F79B:				; CODE XREF: RtlFindClearBits+334j
		cmp	ecx, esi
		jnb	loc_47F51D
		jmp	loc_47F717
; 

loc_47F7A8:				; CODE XREF: RtlFindClearBits+20Cj
		test	esi, esi
		jnz	loc_47F627
		sub	[ebp+var_8], 20h
		jz	loc_47F51D
		mov	esi, [eax+4]
		add	eax, 4
		jmp	loc_47F672
; 

loc_47F7C5:				; CODE XREF: RtlFindClearBits+297j
		xor	ecx, ecx
		jmp	loc_47F741
; 

loc_47F7CC:				; CODE XREF: RtlFindClearBits+18j
		xor	edx, edx
		mov	[ebp+var_10], edx
		jmp	loc_47F483
; 

loc_47F7D6:				; CODE XREF: RtlFindClearBits+E1j
		mov	ecx, edi
		jmp	loc_47F547
; 

loc_47F7DD:				; CODE XREF: RtlFindClearBits+4Ej
		or	edx, 0FFFFFFFFh
		jmp	loc_47F536
RtlFindClearBits endp

; 
		align 10h
; Exported entry 1435. MmMapLockedPagesSpecifyCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmMapLockedPagesSpecifyCache
MmMapLockedPagesSpecifyCache proc near	; CODE XREF: MiFreePagesFromMdl(x,x)+69p
					; SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+152p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005B4615 SIZE 000000D0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[esp+20h+var_8], 0
		mov	ecx, [esi+10h]
		add	ecx, [esi+18h]
		cmp	[ebp+arg_4], 0
		jnz	loc_47F97E
		mov	eax, [esi+14h]
		and	ecx, 0FFFh
		mov	ebx, [ebp+arg_14]
		add	eax, 0FFFh
		add	ecx, eax
		shr	ecx, 0Ch
		mov	[esp+20h+var_10], ecx
		test	bl, 20h
		jnz	short loc_47F879
		mov	eax, ebx
		and	eax, 3FFFFFFFh
		lea	edi, [eax-10h]
		neg	edi
		sbb	edi, edi
		xor	edx, edx
		and	edi, 600h
		add	edi, 200h
		cmp	eax, 10h
		setz	dl
		inc	edx
		mov	[esp+20h+var_C], edx
		cmp	edx, 2
		jnz	loc_47F947
		mov	eax, 2000000h

loc_47F86D:				; CODE XREF: MmMapLockedPagesSpecifyCache+162j
		cmp	dword_6D4254, eax
		jb	loc_5B4615

loc_47F879:				; CODE XREF: MmMapLockedPagesSpecifyCache+46j
					; MmMapLockedPagesSpecifyCache+134E32j	...
		cmp	ds:_MmProtectFreedNonPagedPool,	1
		mov	eax, ecx
		mov	[esp+20h+var_C], ecx
		jz	loc_5B4657

loc_47F88C:				; CODE XREF: MmMapLockedPagesSpecifyCache+134E6Ej
		mov	edx, eax
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	ecx, eax
		mov	[esp+20h+var_4], ecx
		test	ecx, ecx
		jz	loc_5B4663
		sar	ebx, 1Fh
		mov	edi, ecx
		shl	edi, 9
		and	ebx, 0FFFFFFFDh
		add	edi, [esi+18h]
		add	ebx, 4
		test	byte ptr ds:_MiFlags+2,	1
		jnz	loc_5B467D
		mov	eax, [ebp+arg_14]

loc_47F8C7:				; CODE XREF: MmMapLockedPagesSpecifyCache+134E92j
		test	eax, 40000000h
		jz	short loc_47F942

loc_47F8CE:				; CODE XREF: MmMapLockedPagesSpecifyCache+155j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_47F95C
		cmp	eax, 2
		jz	short loc_47F957

loc_47F8DE:				; CODE XREF: MmMapLockedPagesSpecifyCache+16Aj
					; MmMapLockedPagesSpecifyCache+16Fj
		mov	edx, [esp+20h+var_10]
		lea	eax, [esp+20h+var_8]
		push	eax
		push	0
		push	ebx
		lea	eax, [esi+1Ch]
		push	eax
		call	_MiFillSystemPtes@24 ; MiFillSystemPtes(x,x,x,x,x,x)
		movzx	edx, word ptr [esi+6]
		test	eax, eax
		js	loc_5B4687
		mov	eax, [esp+30h+var_18]
		or	edx, 1
		and	eax, 1
		mov	[esi+0Ch], edi
		mov	[esi+6], dx
		mov	[esp+30h+var_20], eax
		movzx	ecx, dx
		jnz	short loc_47F964

loc_47F919:				; CODE XREF: MmMapLockedPagesSpecifyCache+18Cj
		test	byte ptr ds:dword_7051B4, 1
		movzx	ecx, cx
		jnz	loc_5B46B7

loc_47F929:				; CODE XREF: MmMapLockedPagesSpecifyCache+134EF0j
		test	cl, 10h
		jnz	short loc_47F939

loc_47F92E:				; CODE XREF: MmMapLockedPagesSpecifyCache+150j
					; MmMapLockedPagesSpecifyCache+1A5j
		mov	eax, edi

loc_47F930:				; CODE XREF: MmMapLockedPagesSpecifyCache+1A9j
					; MmMapLockedPagesSpecifyCache+134EC2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_47F939:				; CODE XREF: MmMapLockedPagesSpecifyCache+13Cj
		or	ecx, 20h
		mov	[esi+6], cx
		jmp	short loc_47F92E
; 

loc_47F942:				; CODE XREF: MmMapLockedPagesSpecifyCache+DCj
		or	ebx, 2
		jmp	short loc_47F8CE
; 

loc_47F947:				; CODE XREF: MmMapLockedPagesSpecifyCache+72j
		mov	eax, 4000000h
		xor	edx, edx
		div	[esp+20h+var_C]
		jmp	loc_47F86D
; 

loc_47F957:				; CODE XREF: MmMapLockedPagesSpecifyCache+ECj
		or	ebx, 18h
		jmp	short loc_47F8DE
; 

loc_47F95C:				; CODE XREF: MmMapLockedPagesSpecifyCache+E3j
		or	ebx, 8
		jmp	loc_47F8DE
; 

loc_47F964:				; CODE XREF: MmMapLockedPagesSpecifyCache+127j
		mov	ecx, edi
		call	_MiMappingHasIoReferences@4 ; MiMappingHasIoReferences(x)
		mov	eax, 800h
		or	[esi+6], ax
		movzx	ecx, word ptr [esi+6]
		mov	eax, [esp+30h+var_20]
		jmp	short loc_47F919
; 

loc_47F97E:				; CODE XREF: MmMapLockedPagesSpecifyCache+23j
		push	ecx
		push	[ebp+arg_14]
		mov	edx, ecx
		mov	ecx, esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	MiMapLockedPagesInUserSpace
		mov	edi, eax
		test	edi, edi
		jnz	short loc_47F92E

loc_47F997:				; CODE XREF: MmMapLockedPagesSpecifyCache+134E62j
					; MmMapLockedPagesSpecifyCache+134E7Cj	...
		xor	eax, eax
		jmp	short loc_47F930
MmMapLockedPagesSpecifyCache endp

; 
		align 10h

; __stdcall MiFillSystemPtes(x,	x, x, x, x, x)
_MiFillSystemPtes@24:			; CODE XREF: MmMapLockedPagesSpecifyCache+FEp
					; MiMapContiguousMemory+110p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, [ebp+14h]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp-30h], edx
		xor	ecx, ecx
		mov	[ebp-4], esi
		mov	[ebp-2Ch], ecx
		mov	edx, 1
		mov	[ebp-24h], ecx
		mov	ecx, [ebp+0Ch]
		mov	dword ptr [eax], 0
		mov	[ebp-0Ch], edx
		push	edi
		test	ecx, ecx
		jnz	short loc_47F9DC
		mov	dword ptr [ebp-0Ch], 3
		jmp	short loc_47FA08
; 

loc_47F9DC:				; CODE XREF: .text:0047F9D1j
		cmp	ecx, 1Fh
		jnz	short loc_47F9E6
		mov	[ebp-0Ch], edx
		jmp	short loc_47FA08
; 

loc_47F9E6:				; CODE XREF: .text:0047F9DFj
		mov	eax, ecx
		shr	eax, 3
		cmp	eax, 3
		jnz	short loc_47F9FE
		test	cl, 7
		jz	short loc_47FA08
		mov	dword ptr [ebp-0Ch], 2
		jmp	short loc_47FA08
; 

loc_47F9FE:				; CODE XREF: .text:0047F9EEj
		dec	eax
		neg	eax
		sbb	eax, eax
		and	eax, edx
		mov	[ebp-0Ch], eax

loc_47FA08:				; CODE XREF: .text:0047F9DAj
					; .text:0047F9E4j ...
		mov	edx, ecx
		lea	eax, [esi+40000000h]
		and	edx, 1Fh
		mov	[ebp-20h], edx
		mov	edi, ds:_MmProtectToPteMask[edx*8]
		mov	ebx, ds:dword_40B4DC[edx*8]
		and	edi, 0E7Fh
		and	ebx, 0FFFFFFE0h
		or	edi, 21h
		cmp	eax, offset loc_7FFFFF
		ja	loc_47FB19
		mov	eax, [ebp-4]
		add	eax, 3FA00000h
		shl	esi, 9
		cmp	eax, 3FFFh
		ja	short loc_47FA81
		mov	eax, [ebp-4]
		cmp	eax, 0C0603018h
		jnz	short loc_47FA5F
		or	ebx, 80000000h
		jmp	short loc_47FA6D
; 

loc_47FA5F:				; CODE XREF: .text:0047FA55j
		test	ecx, 4000000h
		jnz	short loc_47FA6D
		and	ebx, 7FFFFFFFh

loc_47FA6D:				; CODE XREF: .text:0047FA5Dj
					; .text:0047FA65j
		mov	ecx, eax
		call	_MiUserPdeOrAbove@4 ; MiUserPdeOrAbove(x)
		mov	ecx, [ebp+0Ch]
		mov	edx, [ebp-20h]
		test	eax, eax
		jz	short loc_47FA81
		or	edi, 4

loc_47FA81:				; CODE XREF: .text:0047FA4Bj
					; .text:0047FA7Cj
		mov	eax, ds:_MmHighestUserAddress
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	[ebp-4], eax
		ja	short loc_47FA9B
		or	edi, 4

loc_47FA9B:				; CODE XREF: .text:0047FA96j
		test	ecx, 4000000h
		jz	short loc_47FAC3
		cmp	esi, 0C0000000h
		jb	short loc_47FAC3
		jmp	short loc_47FAB0
; 
		align 10h

loc_47FAB0:				; CODE XREF: .text:0047FAABj
					; .text:0047FAC1j
		cmp	esi, 0C07FFFFFh
		ja	short loc_47FAC3
		shl	esi, 9
		cmp	esi, 0C0000000h
		jnb	short loc_47FAB0

loc_47FAC3:				; CODE XREF: .text:0047FAA1j
					; .text:0047FAA9j ...
		cmp	esi, dword_6D07D0
		jnb	short loc_47FAD4
		movzx	eax, byte ptr word_6D07B8+1
		jmp	short loc_47FB12
; 

loc_47FAD4:				; CODE XREF: .text:0047FAC9j
		mov	eax, esi
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_47FB21
		cmp	al, 0Bh
		jz	short loc_47FB21
		lea	eax, [esi+40000000h]
		cmp	eax, offset loc_7FFFFF
		jbe	short loc_47FB21
		cmp	esi, dword_6D2E88
		jb	short loc_47FB0B
		movzx	eax, byte ptr word_6D07B8+1
		cmp	esi, dword_6D2E8C
		jbe	short loc_47FB12

loc_47FB0B:				; CODE XREF: .text:0047FAFAj
		movzx	eax, byte ptr word_6D07B8

loc_47FB12:				; CODE XREF: .text:0047FAD2j
					; .text:0047FB09j
		mov	esi, [ebp-4]
		test	eax, eax
		jz	short loc_47FB24

loc_47FB19:				; CODE XREF: .text:0047FA35j
		or	edi, 100h
		jmp	short loc_47FB24
; 

loc_47FB21:				; CODE XREF: .text:0047FAE1j
					; .text:0047FAE5j ...
		mov	esi, [ebp-4]

loc_47FB24:				; CODE XREF: .text:0047FB17j
					; .text:0047FB1Fj
		and	dl, 5
		cmp	dl, 4
		jnz	short loc_47FB2F
		or	edi, 42h

loc_47FB2F:				; CODE XREF: .text:0047FB2Aj
		test	ecx, 40000000h
		jz	short loc_47FB3A
		and	edi, 0FFFFFFFBh

loc_47FB3A:				; CODE XREF: .text:0047FB35j
		mov	al, byte ptr word_6D07B8
		and	edi, 0FFFFFEFFh
		and	al, 1
		movzx	eax, al
		cdq
		shld	edx, eax, 8
		shl	eax, 8
		or	edx, ebx
		or	eax, edi
		mov	[ebp-1Ch], edx
		mov	[ebp-18h], eax
		test	ecx, 8000000h
		jz	short loc_47FB6F
		and	eax, 0FFFFFEFFh
		mov	[ebp-1Ch], edx
		mov	[ebp-18h], eax

loc_47FB6F:				; CODE XREF: .text:0047FB62j
		test	ecx, 4000000h
		jz	short loc_47FB82
		or	eax, 80h
		mov	[ebp-1Ch], edx
		mov	[ebp-18h], eax

loc_47FB82:				; CODE XREF: .text:0047FB75j
		xor	eax, eax
		mov	[ebp-20h], eax
		mov	[ebp-10h], eax
		mov	eax, [ebp-30h]
		mov	[ebp-8], eax
		test	eax, eax
		jz	loc_47FE2D
		mov	ecx, [ebp+8]
		xor	ebx, ebx
		mov	edi, [ebp+0Ch]
		test	ecx, ecx
		sets	bl
		xor	edx, edx
		lea	eax, [ecx-1]
		dec	ebx
		and	ebx, eax
		test	ecx, ecx
		lea	eax, [ecx-4]
		mov	ecx, [ebp+10h]
		setns	dl
		dec	edx
		and	edx, eax
		mov	eax, [ebp-8]
		and	ecx, 4
		mov	[ebp-14h], edx
		mov	[ebp-38h], ecx

loc_47FBC7:				; CODE XREF: .text:0047FE27j
		test	edx, edx
		jz	short loc_47FBD6
		mov	ebx, [edx+4]
		add	edx, 4
		mov	[ebp-14h], edx
		jmp	short loc_47FBD7
; 

loc_47FBD6:				; CODE XREF: .text:0047FBC9j
		inc	ebx

loc_47FBD7:				; CODE XREF: .text:0047FBD4j
		test	ecx, ecx
		jz	short loc_47FBE7
		cmp	ebx, dword_6D34EC
		jz	loc_47FE1B

loc_47FBE7:				; CODE XREF: .text:0047FBD9j
		cmp	ebx, dword_6D07B0
		ja	loc_47FD36
		mov	eax, dword_6D35B8
		mov	edx, ebx
		shr	edx, 5
		mov	ecx, ebx
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_47FD33
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[ebx*8]
		sub	ecx, ebx
		test	byte ptr [ebp+10h], 2
		lea	esi, [eax+ecx*4]
		jnz	loc_47FE69
		cmp	word ptr [esi+14h], 0
		jnz	short loc_47FC3E
		mov	edx, 5
		mov	ecx, ebx
		call	_MiShowBadMapper@8 ; MiShowBadMapper(x,x)

loc_47FC3E:				; CODE XREF: .text:0047FC30j
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_47FCCD
		mov	ecx, [esi+18h]
		test	ecx, (offset loc_7FFFFF+1)
		jz	short loc_47FC7B
		mov	[ebp-28h], eax
		lea	edx, [ebp-28h]
		mov	[ebp-34h], eax
		mov	ecx, esi
		lea	eax, [ebp-34h]
		push	eax
		call	_MiGetPfnPageSizeIndexUnsynchronized@12	; MiGetPfnPageSizeIndexUnsynchronized(x,x,x)
		cmp	eax, 2
		jz	loc_47FE38
		cmp	dword ptr [ebp-28h], 6
		jmp	short loc_47FCC7
; 

loc_47FC7B:				; CODE XREF: .text:0047FC56j
		mov	eax, [esi+4]
		shl	eax, 9
		add	eax, 40000000h
		cmp	eax, offset loc_7FFFFF
		ja	short loc_47FCCD
		and	ecx, offset loc_7FFFFF
		cmp	ecx, (offset loc_7FFFFA+3)
		jz	short loc_47FCCD
		mov	al, [esi+16h]
		test	al, 20h
		jz	short loc_47FCB2
		test	dword ptr [esi+10h], 3FFFFFFFh
		jnz	short loc_47FCB2
		cmp	word ptr [esi+14h], 0
		jnz	short loc_47FCCD

loc_47FCB2:				; CODE XREF: .text:0047FCA0j
					; .text:0047FCA9j
		test	al, 8
		jnz	short loc_47FCCD
		mov	eax, [esi]
		shr	eax, 1
		and	eax, 0FFFFFFF8h
		or	eax, 80000000h
		cmp	eax, 80000018h

loc_47FCC7:				; CODE XREF: .text:0047FC79j
		jnz	loc_47FE38

loc_47FCCD:				; CODE XREF: .text:0047FC47j
					; .text:0047FC8Bj ...
		mov	cl, [esi+16h]
		mov	al, cl
		and	al, 0C0h
		cmp	al, 0C0h
		jnz	short loc_47FCE5
		mov	edx, [ebp-0Ch]
		mov	ecx, esi
		call	_MiAssignInitialPageAttribute@8	; MiAssignInitialPageAttribute(x,x)
		mov	cl, [esi+16h]

loc_47FCE5:				; CODE XREF: .text:0047FCD6j
		movzx	eax, cl
		shr	eax, 6
		cmp	[ebp-0Ch], eax
		jnz	short loc_47FD0E
		mov	esi, [ebp-4]
		mov	eax, ebx
		and	eax, 1FFFFFFh
		xor	edx, edx
		shld	edx, eax, 0Ch
		shl	eax, 0Ch
		or	eax, [ebp-18h]
		or	edx, [ebp-1Ch]
		jmp	loc_47FE0C
; 

loc_47FD0E:				; CODE XREF: .text:0047FCEEj
		mov	edx, esi
		mov	ecx, edi
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		mov	esi, [ebp-4]
		mov	edi, eax
		or	eax, 0A0000000h
		mov	[ebp+0Ch], edi
		push	eax
		mov	edx, ebx
		mov	ecx, esi
		call	MiMakeValidPte
		jmp	loc_47FE0C
; 

loc_47FD33:				; CODE XREF: .text:0047FC0Aj
		mov	edx, [ebp-14h]

loc_47FD36:				; CODE XREF: .text:0047FBEDj
		mov	eax, [ebp-20h]
		mov	edi, [ebp-8]
		test	eax, eax
		jnz	short loc_47FD69
		push	edi
		mov	ecx, ebx
		call	MiIoSpaceRunIsConstant
		mov	[ebp-20h], eax
		test	eax, eax
		jnz	short loc_47FD69
		mov	dword ptr [ebp-20h], 1

loc_47FD56:				; CODE XREF: .text:0047FD6Cj
		mov	eax, [ebp-10h]
		test	eax, eax
		jnz	short loc_47FDAE
		cmp	[ebp-14h], eax
		jz	short loc_47FD73
		mov	eax, 1
		jmp	short loc_47FD7C
; 

loc_47FD69:				; CODE XREF: .text:0047FD3Ej
					; .text:0047FD4Dj
		cmp	eax, 1
		jbe	short loc_47FD56
		mov	eax, [eax+14h]
		jmp	short loc_47FDD8
; 

loc_47FD73:				; CODE XREF: .text:0047FD60j
		mov	edx, edi
		mov	ecx, ebx
		call	_MiIoPagesInRun@8 ; MiIoPagesInRun(x,x)

loc_47FD7C:				; CODE XREF: .text:0047FD67j
		push	ecx
		lea	ecx, [ebp-24h]
		mov	[ebp-10h], eax
		push	ecx
		push	0
		push	dword ptr [ebp-0Ch]
		mov	edx, ebx
		mov	ecx, 1
		push	eax
		call	MiReferenceIoPages
		mov	esi, eax
		test	esi, esi
		js	loc_47FE40
		mov	eax, [ebp+14h]
		mov	edx, [ebp-24h]
		or	dword ptr [eax], 1
		mov	eax, [ebp-10h]
		jmp	short loc_47FDB1
; 

loc_47FDAE:				; CODE XREF: .text:0047FD5Bj
		mov	edx, [ebp-2Ch]

loc_47FDB1:				; CODE XREF: .text:0047FDACj
		dec	eax
		mov	ecx, ebx
		mov	[ebp-10h], eax
		and	ecx, 1FFFFFFh
		sub	ecx, [edx+14h]
		mov	eax, [edx+18h]
		mov	ax, [eax+ecx*2]
		mov	ecx, [ebp-24h]
		mov	[ebp+8], ax
		movzx	eax, word ptr [ebp+8]
		shr	eax, 0Eh
		mov	[ebp-2Ch], ecx

loc_47FDD8:				; CODE XREF: .text:0047FD71j
		mov	ecx, [ebp+0Ch]
		and	ecx, 7
		mov	[ebp+0Ch], ecx
		sub	eax, 0
		jz	short loc_47FDF0
		sub	eax, 2
		jnz	short loc_47FDF6
		or	ecx, 18h
		jmp	short loc_47FDF3
; 

loc_47FDF0:				; CODE XREF: .text:0047FDE4j
		or	ecx, 8

loc_47FDF3:				; CODE XREF: .text:0047FDEEj
		mov	[ebp+0Ch], ecx

loc_47FDF6:				; CODE XREF: .text:0047FDE9j
		mov	esi, [ebp-4]
		or	ecx, 0A0000000h
		push	ecx
		mov	edx, ebx
		mov	ecx, esi
		call	MiMakeValidPte
		mov	edi, [ebp+0Ch]

loc_47FE0C:				; CODE XREF: .text:0047FD09j
					; .text:0047FD2Ej
		mov	[esi+4], edx
		nop
		mov	edx, [ebp-14h]
		mov	ecx, [ebp-38h]
		mov	[esi], eax
		mov	eax, [ebp-8]

loc_47FE1B:				; CODE XREF: .text:0047FBE1j
		dec	eax
		add	esi, 8
		mov	[ebp-8], eax
		mov	[ebp-4], esi
		test	eax, eax
		jnz	loc_47FBC7

loc_47FE2D:				; CODE XREF: .text:0047FB92j
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_47FE38:				; CODE XREF: .text:0047FC6Fj
					; .text:loc_47FCC7j
		mov	edi, [ebp-8]
		mov	esi, 0C0000018h

loc_47FE40:				; CODE XREF: .text:0047FD9Aj
		mov	eax, [ebp+14h]
		test	byte ptr [eax],	1
		jz	short loc_47FE5E
		mov	edx, [ebp-30h]
		mov	eax, [ebp-4]
		sub	edx, edi
		sub	edi, [ebp-30h]
		lea	ecx, [eax+edi*8]
		shl	ecx, 9
		call	MiZeroAndFlushPtes

loc_47FE5E:				; CODE XREF: .text:0047FE46j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_47FE69:				; CODE XREF: .text:0047FC25j
		push	0
		push	0
		push	ebx
		push	1160Ch
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReservePtes	proc near		; CODE XREF: MiBuildReservationCluster(x,x,x,x)+274p
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+280p ...

var_60		= dword	ptr -60h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B46E5 SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+5Ch+var_8], 0
		push	edi
		mov	edi, edx
		mov	[esp+60h+var_20], esi
		mov	[esp+60h+var_2C], edi
		mov	ebx, edi
		test	byte ptr [esi+0Ch], 4
		mov	[esp+60h+var_4], 0
		jnz	loc_47FF6F
		cmp	esi, offset dword_6D35E0
		jnz	loc_47FF72
		cmp	edi, 20h
		ja	loc_47FF72
		mov	ecx, edi
		call	MiCheckProcessorPteCache
		mov	ecx, eax
		mov	[esp+60h+var_44], ecx
		test	ecx, ecx
		jz	loc_47FF72

loc_47FEE0:				; CODE XREF: MiReservePtes+2B2j
		test	byte ptr [esi+0Ch], 2
		jz	loc_4803E0
		cmp	esi, offset dword_6D35E0
		jnz	short loc_47FEFF
		test	byte ptr ds:dword_7051B4, 2
		jnz	loc_5B472A

loc_47FEFF:				; CODE XREF: MiReservePtes+70j
					; MiReservePtes+1348B5j
		cmp	edi, 10h
		ja	loc_480137
		xor	esi, esi
		test	edi, edi
		jz	short loc_47FF5A
		mov	edi, edi

loc_47FF10:				; CODE XREF: MiReservePtes+D8j
		mov	ebx, [ecx+esi*8]
		nop
		mov	edx, [ecx+esi*8+4]
		mov	ecx, dword_6D0704
		mov	eax, dword_6D0700
		mov	[esp+60h+var_2C], ecx
		mov	ecx, eax
		or	ecx, [esp+60h+var_2C]
		mov	[esp+60h+var_30], edx
		jz	short loc_47FF4B
		mov	ecx, ebx
		and	ecx, 10h
		or	ecx, 0
		jnz	loc_4802CE
		mov	edx, [esp+60h+var_2C]
		not	edx
		and	edx, [esp+60h+var_30]

loc_47FF4B:				; CODE XREF: MiReservePtes+B1j
					; MiReservePtes+452j
		xor	eax, eax
		or	eax, edx
		jnz	short loc_47FF5A
		mov	ecx, [esp+60h+var_44]
		inc	esi
		cmp	esi, edi
		jb	short loc_47FF10

loc_47FF5A:				; CODE XREF: MiReservePtes+8Cj
					; MiReservePtes+CFj
		cmp	esi, edi
		jnz	loc_480137

loc_47FF62:				; CODE XREF: MiReservePtes+56Bj
		mov	esi, [esp+60h+var_44]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_47FF6F:				; CODE XREF: MiReservePtes+30j
		shr	ebx, 4

loc_47FF72:				; CODE XREF: MiReservePtes+3Cj
					; MiReservePtes+45j ...
		cmp	edi, 200h
		jnb	loc_4804DB

loc_47FF7E:				; CODE XREF: MiReservePtes+704j
		xor	edx, edx
		mov	[esp+60h+var_40], 0
		mov	[esp+60h+var_48], edx
		lea	esp, [esp+0]

loc_47FF90:				; CODE XREF: MiReservePtes+4D2j
					; MiReservePtes+4FDj ...
		cmp	dword ptr [esi], 0
		mov	eax, esi
		mov	ecx, [esi+24h]
		mov	[esp+60h+var_54], ecx
		mov	[esp+60h+var_3C], eax
		jz	loc_48034B
		mov	edx, [esi+28h]
		mov	[esp+60h+var_48], edx
		test	edx, edx
		jz	short loc_47FFEE
		mov	eax, [esi+4]
		mov	ecx, edx
		shr	ecx, 5
		lea	ecx, [eax+ecx*4]
		mov	eax, [esi]
		cmp	eax, edx
		jb	loc_5B46F3
		mov	[esp+60h+var_4], ecx
		sub	eax, edx
		lea	ecx, [esp+60h+var_8]
		mov	[esp+60h+var_8], eax
		mov	[esp+60h+var_3C], ecx
		mov	ecx, [esp+60h+var_54]
		test	ecx, ecx
		jz	loc_48058F
		mov	eax, [esp+60h+var_3C]
		sub	ecx, edx
		mov	[esp+60h+var_54], ecx

loc_47FFEE:				; CODE XREF: MiReservePtes+12Fj
					; MiReservePtes+713j ...
		mov	edi, [eax]
		mov	[esp+60h+var_24], edi
		cmp	ecx, edi
		jnb	loc_48050C
		mov	eax, ecx

loc_47FFFE:				; DATA XREF: .text:0041C9F5o
					; .text:004284A6o ...
		mov	[esp+60h+var_50], ecx

loc_480002:				; CODE XREF: MiReservePtes+692j
		dec	edi

loc_480003:				; DATA XREF: .text:00425EBCo
		mov	[esp+60h+var_30], edi
		mov	edi, [esp+60h+var_3C]
		mov	edi, [edi+4]
		mov	[esp+60h+var_44], edi
		mov	edi, [esp+60h+var_2C]
		test	ebx, ebx
		jz	loc_5B4706
		mov	edi, [esp+60h+var_50]
		mov	esi, [esp+60h+var_30]
		jmp	short loc_480030
; 
		align 10h

loc_480030:				; CODE XREF: MiReservePtes+1A6j
					; MiReservePtes+374j
		mov	eax, esi
		mov	[esp+60h+var_28], 0
		sub	eax, edi
		inc	eax
		cmp	eax, ebx

loc_48003F:				; DATA XREF: .text:005A4568o
					; .text:005A5670o
		jb	loc_480576

loc_480045:				; DATA XREF: .text:004011C8o
		mov	ecx, [esp+60h+var_44]
		mov	eax, esi
		sub	eax, ebx
		mov	edx, 1
		inc	eax
		mov	[esp+60h+var_38], eax
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	ecx, edi
		mov	[esp+60h+var_4C], eax
		and	ecx, 1Fh
		shl	edx, cl
		mov	eax, edi
		mov	ecx, [esp+60h+var_44]
		dec	edx
		shr	eax, 5
		lea	ecx, [ecx+eax*4]
		mov	eax, [ecx]
		or	eax, edx
		mov	[esp+60h+var_30], ecx
		mov	[esp+60h+var_34], eax
		cmp	ebx, 3Fh
		ja	loc_4803F0
		cmp	ebx, 20h
		jnb	loc_480250
		cmp	ebx, 1
		ja	loc_480151
		mov	edi, [esp+60h+var_50]
		cmp	eax, 0FFFFFFFFh
		jz	loc_480200

loc_4800A9:				; CODE XREF: MiReservePtes+390j
		not	eax
		mov	edx, ecx
		sub	edx, [esp+60h+var_44]
		bsf	eax, eax
		sar	edx, 2
		shl	edx, 5
		add	edx, eax
		cmp	edx, [esp+60h+var_38]
		ja	loc_5B4722

loc_4800C6:				; CODE XREF: MiReservePtes+349j
					; MiReservePtes+40Dj ...
		cmp	edx, 0FFFFFFFFh
		jz	loc_4801D2

loc_4800CF:				; CODE XREF: MiReservePtes+358j
		mov	edi, [esp+60h+var_2C]
		mov	eax, edx
		mov	esi, [esp+60h+var_20]
		mov	edx, [esp+60h+var_48]

loc_4800DD:				; CODE XREF: MiReservePtes+134889j
		mov	[esp+60h+var_50], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_48034B
		push	ebx
		push	eax
		push	[esp+68h+var_3C]
		call	RtlInterlockedSetClearRun
		test	eax, eax
		jz	loc_480517
		mov	ecx, [esp+60h+var_50]
		lea	eax, [esp+60h+var_8]
		cmp	[esp+60h+var_3C], eax
		jnz	short loc_48010F
		add	ecx, [esp+60h+var_48]

loc_48010F:				; CODE XREF: MiReservePtes+289j
		test	byte ptr [esi+0Ch], 4
		lea	eax, [ebx+ecx]
		mov	[esi+24h], eax
		jnz	loc_4802C6

loc_48011F:				; CODE XREF: MiReservePtes+449j
		mov	eax, [esi+8]
		lea	ecx, [eax+ecx*8]
		mov	[esp+60h+var_44], ecx

loc_480129:				; CODE XREF: MiReservePtes+533j
		neg	ebx
		lea	eax, [esi+30h]
		lock xadd [eax], ebx
		jmp	loc_47FEE0
; 

loc_480137:				; CODE XREF: MiReservePtes+82j
					; MiReservePtes+DCj
		mov	esi, [esp+60h+var_44]
		mov	edx, edi
		push	0
		push	0
		mov	ecx, esi
		call	MiFlushTbAsNeeded
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_480151:				; CODE XREF: MiReservePtes+216j
		mov	edi, [esp+60h+var_44]
		xor	edx, edx
		shr	esi, 5
		lea	esi, [edi+esi*4]
		mov	edi, [esp+60h+var_50]
		mov	[esp+60h+var_28], esi

loc_480165:				; CODE XREF: MiReservePtes+3C5j
		cmp	eax, 0FFFFFFFFh
		jz	loc_480300

loc_48016E:				; CODE XREF: MiReservePtes+49Ej
		bsf	eax, eax
		mov	[esp+60h+var_14], 0
		jz	loc_48032A

loc_48017F:				; CODE XREF: MiReservePtes+4AFj
		add	eax, edx
		cmp	eax, ebx
		jnb	loc_480323
		mov	edx, [esp+60h+var_34]
		mov	eax, ebx
		mov	esi, edx
		mov	[esp+60h+var_34], ebx
		not	esi

loc_480197:				; CODE XREF: MiReservePtes+330j
		mov	ecx, eax
		mov	eax, esi
		shr	ecx, 1
		shr	eax, cl
		and	esi, eax
		jz	short loc_480215
		mov	eax, [esp+60h+var_34]
		sub	eax, ecx
		mov	[esp+60h+var_34], eax
		cmp	eax, 1
		ja	short loc_480197
		mov	ecx, [esp+60h+var_30]
		bsf	edx, esi

loc_4801B9:				; CODE XREF: MiReservePtes+4A5j
		sub	ecx, [esp+60h+var_44]
		sar	ecx, 2
		shl	ecx, 5
		add	edx, ecx
		cmp	edx, [esp+60h+var_38]
		jbe	loc_4800C6

loc_4801CF:				; CODE XREF: MiReservePtes+387j
					; MiReservePtes+39Dj ...
		or	edx, 0FFFFFFFFh

loc_4801D2:				; CODE XREF: MiReservePtes+249j
					; MiReservePtes+1348A5j
		mov	ecx, [esp+60h+var_54]

loc_4801D6:				; CODE XREF: MiReservePtes+6F9j
		test	edi, edi
		jz	loc_4800CF
		mov	eax, [esp+60h+var_24]
		lea	esi, [ebx+ecx]
		cmp	esi, eax
		ja	loc_48053E

loc_4801ED:				; CODE XREF: MiReservePtes+6C0j
		dec	esi
		xor	edi, edi
		mov	[esp+60h+var_50], edi
		jmp	loc_480030
; 
		align 10h

loc_480200:				; CODE XREF: MiReservePtes+223j
					; MiReservePtes+38Ej
		add	ecx, 4
		cmp	ecx, [esp+60h+var_4C]
		ja	short loc_4801CF
		mov	eax, [ecx]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_480200
		jmp	loc_4800A9
; 

loc_480215:				; CODE XREF: MiReservePtes+321j
		mov	ecx, [esp+60h+var_30]
		cmp	ecx, [esp+60h+var_28]
		jz	short loc_4801CF
		bsr	eax, edx
		mov	[esp+60h+var_10], 0
		jz	loc_5B4718
		mov	edx, 1Fh
		sub	edx, eax

loc_480237:				; CODE XREF: MiReservePtes+13489Dj
		mov	eax, [ecx+4]
		add	ecx, 4
		mov	[esp+60h+var_30], ecx
		mov	[esp+60h+var_34], eax
		jmp	loc_480165
; 
		align 10h

loc_480250:				; CODE XREF: MiReservePtes+20Dj
					; MiReservePtes+43Fj
		test	eax, eax

loc_480252:				; CODE XREF: MiReservePtes+641j
		js	loc_4802E0

loc_480258:				; CODE XREF: MiReservePtes+473j
		bsr	edx, eax
		mov	[esp+60h+var_1C], 0
		jz	loc_480334
		mov	eax, 1Fh
		sub	eax, edx

loc_480270:				; CODE XREF: MiReservePtes+4B9j
		mov	edx, ecx
		sub	edx, [esp+60h+var_44]
		sar	edx, 2
		inc	edx
		shl	edx, 5
		sub	edx, eax
		cmp	edx, [esp+60h+var_38]
		ja	loc_4801CF
		mov	esi, ebx
		sub	esi, eax
		jz	loc_4800C6
		mov	eax, [ecx+4]
		add	ecx, 4
		cmp	esi, 20h
		jnb	loc_4804BF

loc_4802A2:				; CODE XREF: MiReservePtes+656j
		bsf	edi, eax
		mov	[esp+60h+var_18], 0
		mov	[esp+60h+var_30], edi
		mov	edi, [esp+60h+var_50]
		jz	loc_48033E

loc_4802BB:				; CODE XREF: MiReservePtes+4C6j
		cmp	[esp+60h+var_30], esi
		jb	short loc_480250
		jmp	loc_4800C6
; 

loc_4802C6:				; CODE XREF: MiReservePtes+299j
		shl	ecx, 4
		jmp	loc_48011F
; 

loc_4802CE:				; CODE XREF: MiReservePtes+BBj
		mov	edx, [esp+60h+var_30]
		jmp	loc_47FF4B
; 
		jmp	short loc_4802E0
; 
		align 10h

loc_4802E0:				; CODE XREF: MiReservePtes:loc_480252j
					; MiReservePtes+457j ...
		add	ecx, 4
		cmp	ecx, [esp+60h+var_4C]
		ja	loc_4801CF
		mov	eax, [ecx]
		test	eax, eax
		js	short loc_4802E0
		jmp	loc_480258
; 
		jmp	short loc_480300
; 
		align 10h

loc_480300:				; CODE XREF: MiReservePtes+2E8j
					; MiReservePtes+478j ...
		add	ecx, 4
		mov	[esp+60h+var_30], ecx
		cmp	ecx, [esp+60h+var_4C]
		ja	loc_4801CF
		mov	eax, [ecx]
		mov	[esp+60h+var_34], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_480300
		xor	edx, edx
		jmp	loc_48016E
; 

loc_480323:				; CODE XREF: MiReservePtes+303j
		neg	edx
		jmp	loc_4801B9
; 

loc_48032A:				; CODE XREF: MiReservePtes+2F9j
		mov	eax, 20h
		jmp	loc_48017F
; 

loc_480334:				; CODE XREF: MiReservePtes+3E3j
		mov	eax, 20h
		jmp	loc_480270
; 

loc_48033E:				; CODE XREF: MiReservePtes+435j
		mov	[esp+60h+var_30], 20h
		jmp	loc_4802BB
; 

loc_48034B:				; CODE XREF: MiReservePtes+120j
					; MiReservePtes+264j
		test	edx, edx
		jz	short loc_480358
		cmp	edx, [esi+28h]
		jnz	loc_47FF90

loc_480358:				; CODE XREF: MiReservePtes+4CDj
		test	byte ptr [esi+0Ch], 1
		jz	short loc_4803A2
		mov	eax, [esp+60h+var_40]
		test	al, 1
		jnz	short loc_480387
		or	eax, 1
		xor	edx, edx
		mov	ecx, esi
		mov	[esp+60h+var_40], eax
		call	_MiEmptyPteBins@8 ; MiEmptyPteBins(x,x)
		mov	edx, [esp+60h+var_48]
		cmp	eax, 1
		jz	loc_47FF90
		mov	eax, [esp+60h+var_40]

loc_480387:				; CODE XREF: MiReservePtes+4E4j
		test	al, 2
		jnz	short loc_4803A2
		or	eax, 2
		mov	ecx, esi
		mov	[esp+60h+var_40], eax
		call	_MiPteBinsNeedTrimming@4 ; MiPteBinsNeedTrimming(x)
		cmp	eax, 1
		jz	loc_480520

loc_4803A2:				; CODE XREF: MiReservePtes+4DCj
					; MiReservePtes+509j ...
		mov	edx, edi
		mov	ecx, esi
		call	MiExpandPtes
		mov	ecx, eax
		mov	[esp+60h+var_44], ecx
		test	ecx, ecx
		jnz	loc_480129
		mov	edx, [esp+60h+var_40]
		test	dl, 4
		setz	cl
		test	byte ptr [esi+0Ch], 1
		setnz	al
		test	cl, al
		jnz	loc_48054C

loc_4803D2:				; CODE XREF: MiReservePtes+70Aj
		mov	eax, [esi+14h]
		inc	dword ptr [eax]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4803E0:				; CODE XREF: MiReservePtes+64j
		push	0
		push	2
		mov	edx, edi
		call	MiFlushTbAsNeeded
		jmp	loc_47FF62
; 

loc_4803F0:				; CODE XREF: MiReservePtes+204j
		test	byte ptr [esp+60h+var_38], 1Fh
		mov	edx, [esp+60h+var_4C]
		jz	short loc_480402
		add	edx, 4
		mov	[esp+60h+var_4C], edx

loc_480402:				; CODE XREF: MiReservePtes+579j
		test	eax, eax
		jz	loc_480545
		add	ecx, 4
		cmp	dword ptr [ecx], 0
		jnz	short loc_48042D
		mov	edx, [esp+60h+var_34]
		bsr	edx, edx
		mov	[esp+60h+var_30], 0
		jz	loc_5B470E
		jmp	short loc_480451
; 

loc_480429:				; CODE XREF: MiReservePtes+60Aj
					; MiReservePtes+63Aj
		mov	edx, [esp+60h+var_4C]

loc_48042D:				; CODE XREF: MiReservePtes+590j
					; MiReservePtes+5BBj
		cmp	ecx, edx
		ja	loc_4801CF
		add	ecx, 4
		cmp	dword ptr [ecx], 0
		jnz	short loc_48042D
		mov	eax, [ecx-4]
		bsr	edx, eax
		mov	[esp+60h+var_34], 0
		jz	loc_5B470E

loc_480451:				; CODE XREF: MiReservePtes+5A7j
		mov	eax, 1Fh
		sub	eax, edx

loc_480458:				; CODE XREF: MiReservePtes+6C7j
					; MiReservePtes+134893j
		mov	edx, ecx
		sub	edx, [esp+60h+var_44]
		sar	edx, 2
		shl	edx, 5
		sub	edx, eax
		cmp	edx, [esp+60h+var_38]
		ja	loc_4801CF
		mov	esi, ebx
		sub	esi, eax
		mov	eax, esi
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		add	ecx, 4
		mov	[esp+60h+var_30], eax
		cmp	ecx, eax
		jz	short loc_480495

loc_480487:				; CODE XREF: MiReservePtes+613j
		cmp	dword ptr [ecx], 0
		jnz	short loc_480429
		add	ecx, 4
		cmp	ecx, [esp+60h+var_30]
		jnz	short loc_480487

loc_480495:				; CODE XREF: MiReservePtes+605j
		and	esi, 1Fh
		jz	loc_4800C6
		mov	eax, [ecx]
		bsf	eax, eax
		mov	[esp+60h+var_50], 0
		jnz	short loc_4804B2
		mov	eax, 20h

loc_4804B2:				; CODE XREF: MiReservePtes+62Bj
		cmp	eax, esi
		jnb	loc_4800C6
		jmp	loc_480429
; 

loc_4804BF:				; CODE XREF: MiReservePtes+41Cj
		test	eax, eax
		jnz	loc_480252
		sub	esi, 20h
		jz	loc_4800C6
		mov	eax, [ecx+4]
		add	ecx, 4
		jmp	loc_4802A2
; 

loc_4804DB:				; CODE XREF: MiReservePtes+F8j
		mov	edx, edi
		mov	ecx, esi
		call	MiExpandPtes
		mov	[esp+60h+var_30], eax
		test	eax, eax
		jz	loc_48057E
		cmp	esi, offset dword_6D35E0
		jz	short loc_480568

loc_4804F8:				; CODE XREF: MiReservePtes+6EFj
					; MiReservePtes+13486Ej
		neg	ebx
		lea	eax, [esi+30h]
		lock xadd [eax], ebx
		mov	eax, [esp+60h+var_30]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48050C:				; CODE XREF: MiReservePtes+176j
		xor	eax, eax
		mov	[esp+60h+var_50], eax
		jmp	loc_480002
; 

loc_480517:				; CODE XREF: MiReservePtes+277j
		mov	edx, [esp+60h+var_48]
		jmp	loc_47FF90
; 

loc_480520:				; CODE XREF: MiReservePtes+51Cj
		mov	edx, 1
		mov	ecx, esi
		call	_MiEmptyPteBins@8 ; MiEmptyPteBins(x,x)
		mov	edx, [esp+60h+var_48]
		cmp	eax, 1
		jz	loc_47FF90
		jmp	loc_4803A2
; 

loc_48053E:				; CODE XREF: MiReservePtes+367j
		mov	esi, eax
		jmp	loc_4801ED
; 

loc_480545:				; CODE XREF: MiReservePtes+584j
		xor	eax, eax
		jmp	loc_480458
; 

loc_48054C:				; CODE XREF: MiReservePtes+54Cj
		or	edx, 4
		mov	ecx, esi
		mov	[esp+60h+var_40], edx
		mov	edx, 1
		call	_MiEmptyPteBins@8 ; MiEmptyPteBins(x,x)
		mov	edx, [esp+60h+var_48]
		jmp	loc_47FF90
; 

loc_480568:				; CODE XREF: MiReservePtes+676j
		test	byte ptr ds:dword_7051B4, 2
		jz	short loc_4804F8
		jmp	loc_5B46E5
; 

loc_480576:				; CODE XREF: MiReservePtes:loc_48003Fj
		or	edx, 0FFFFFFFFh
		jmp	loc_4801D6
; 

loc_48057E:				; CODE XREF: MiReservePtes+66Aj
		cmp	esi, offset dword_6D35E0
		jnz	loc_47FF7E
		jmp	loc_4803D2
; 

loc_48058F:				; CODE XREF: MiReservePtes+15Ej
		lea	eax, [esp+60h+var_8]
		jmp	loc_47FFEE
MiReservePtes	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckProcessorPteCache proc near	; CODE XREF: MiReservePtes+4Dp

var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005B473A SIZE 000000AE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		push	ebx
		mov	ebx, ds:__imp_@KfRaiseIrql@4 ; KfRaiseIrql(x)
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4C], 0
		mov	cl, 2
		mov	[ebp+var_8], edi
		mov	[ebp+var_48], 0
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], eax
		call	ebx
		mov	dl, al
		mov	eax, large fs:20h
		cmp	dword ptr [eax+406Ch], 0FFFFFFFFh
		mov	[ebp+var_1], dl
		mov	[ebp+var_20], eax
		lea	esi, [eax+406Ch]
		jz	loc_480799

loc_4805F4:				; CODE XREF: MiCheckProcessorPteCache+3A0j
					; MiCheckProcessorPteCache+645j
		mov	[ebp+var_4C], 20h
		mov	ecx, [ebp+var_4C]
		dec	ecx
		mov	[ebp+var_48], esi
		test	edi, edi
		jz	loc_5B47B7
		lea	eax, [ecx+1]
		mov	[ebp+var_28], 0
		cmp	eax, edi
		jb	loc_48078E
		mov	esi, [ebp+var_48]
		mov	edx, ecx
		sub	edx, edi
		inc	edx
		mov	eax, edx
		mov	[ebp+var_C], edx
		shr	eax, 5
		lea	ebx, [esi+eax*4]
		mov	eax, esi
		mov	esi, [eax]
		cmp	edi, 3Fh
		ja	loc_480A45
		cmp	edi, 20h
		jnb	loc_480945
		cmp	edi, 1
		ja	short loc_4806C6
		cmp	esi, 0FFFFFFFFh
		jz	loc_480740

loc_480653:				; CODE XREF: MiCheckProcessorPteCache+1AEj
		not	esi
		mov	edi, eax
		sub	edi, [ebp+var_48]
		bsf	ecx, esi
		sar	edi, 2
		shl	edi, 5
		add	edi, ecx
		cmp	edi, edx
		ja	loc_5B47E0
		mov	ecx, [ebp+var_48]

loc_480670:				; CODE XREF: MiCheckProcessorPteCache+191j
					; MiCheckProcessorPteCache+19Aj ...
		cmp	edi, 0FFFFFFFFh
		jz	loc_480753
		mov	ebx, [ebp+var_8]
		mov	edx, edi
		shr	edx, 3
		add	edx, ecx
		mov	ecx, edi
		and	ecx, 7
		mov	[ebp+var_1C], edx
		lea	esi, [ecx+ebx]
		cmp	esi, 8
		ja	loc_4809F3
		mov	al, ds:byte_40BA58[ebx]
		shl	al, cl

loc_48069F:				; CODE XREF: MiCheckProcessorPteCache+47Dj
		or	[edx], al

loc_4806A1:				; CODE XREF: MiCheckProcessorPteCache+471j
					; MiCheckProcessorPteCache+134219j
		mov	ecx, [ebp+var_20]
		mov	eax, dword_6D35E8
		mov	ecx, [ecx+4070h]
		add	ecx, edi
		lea	esi, [eax+ecx*8]
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4806C6:				; CODE XREF: MiCheckProcessorPteCache+A8j
		mov	edx, [ebp+var_48]
		xor	edi, edi
		shr	ecx, 5
		lea	ecx, [edx+ecx*4]
		mov	[ebp+var_18], ecx

loc_4806D4:				; CODE XREF: MiCheckProcessorPteCache+1E9j
		cmp	esi, 0FFFFFFFFh
		jz	loc_4809D3

loc_4806DD:				; CODE XREF: MiCheckProcessorPteCache+447j
		bsf	ecx, esi
		mov	[ebp+var_40], 0
		jz	loc_480A22

loc_4806ED:				; CODE XREF: MiCheckProcessorPteCache+487j
		mov	edx, [ebp+var_8]
		add	ecx, edi
		cmp	ecx, edx
		jnb	loc_4809EC
		mov	edi, esi
		mov	[ebp+var_1C], edx
		not	edi
		mov	ecx, edx

loc_480703:				; CODE XREF: MiCheckProcessorPteCache+17Cj
		shr	ecx, 1
		mov	edx, edi
		shr	edx, cl
		mov	[ebp+var_24], ecx
		and	edi, edx
		jz	short loc_480767
		mov	ecx, [ebp+var_1C]
		sub	ecx, [ebp+var_24]
		mov	[ebp+var_1C], ecx
		cmp	ecx, 1
		ja	short loc_480703
		bsf	edi, edi

loc_480721:				; CODE XREF: MiCheckProcessorPteCache+44Ej
		mov	ecx, [ebp+var_48]
		sub	eax, ecx
		sar	eax, 2
		shl	eax, 5
		add	edi, eax
		cmp	edi, [ebp+var_C]
		jbe	loc_480670
		or	edi, 0FFFFFFFFh
		jmp	loc_480670
; 
		align 10h

loc_480740:				; CODE XREF: MiCheckProcessorPteCache+ADj
					; MiCheckProcessorPteCache+1ACj
		add	eax, 4
		cmp	eax, ebx
		ja	short loc_48078E
		mov	esi, [eax]
		cmp	esi, 0FFFFFFFFh
		jz	short loc_480740
		jmp	loc_480653
; 

loc_480753:				; CODE XREF: MiCheckProcessorPteCache+D3j
		mov	cl, [ebp+var_1]
		xor	esi, esi
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_480767:				; CODE XREF: MiCheckProcessorPteCache+16Ej
		cmp	eax, [ebp+var_18]
		jz	short loc_48078E
		bsr	ecx, esi
		mov	[ebp+var_44], 0
		jz	loc_5B47D6
		mov	edi, 1Fh
		sub	edi, ecx

loc_480783:				; CODE XREF: MiCheckProcessorPteCache+13423Bj
		mov	esi, [eax+4]
		add	eax, 4
		jmp	loc_4806D4
; 

loc_48078E:				; CODE XREF: MiCheckProcessorPteCache+76j
					; MiCheckProcessorPteCache+1A5j ...
		mov	ecx, [ebp+var_48]

loc_480791:				; CODE XREF: MiCheckProcessorPteCache+524j
		or	edi, 0FFFFFFFFh
		jmp	loc_480670
; 

loc_480799:				; CODE XREF: MiCheckProcessorPteCache+4Ej
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, dword_6D3604

loc_4807A7:				; CODE XREF: MiCheckProcessorPteCache+62Fj
					; MiCheckProcessorPteCache+65Bj
		mov	esi, dword_6D3608
		mov	eax, offset dword_6D35E0
		mov	[ebp+var_C], edx
		mov	[ebp+var_20], eax
		test	esi, esi
		jz	short loc_4807F2
		lea	esp, [esp+0]

loc_4807C0:				; CODE XREF: MiCheckProcessorPteCache+1341FFj
		mov	edx, dword_6D35E0
		cmp	edx, esi
		jb	loc_5B473A
		mov	eax, dword_6D35E4
		mov	ecx, esi
		shr	ecx, 5
		sub	edx, esi
		mov	[ebp+var_4C], edx
		mov	edx, [ebp+var_C]
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_4C]
		test	edx, edx
		jz	short loc_4807F2
		sub	edx, esi
		mov	[ebp+var_C], edx

loc_4807F2:				; CODE XREF: MiCheckProcessorPteCache+21Aj
					; MiCheckProcessorPteCache+24Bj ...
		mov	ecx, [eax]
		mov	[ebp+var_18], ecx
		cmp	edx, ecx
		jnb	loc_480BC6

loc_4807FF:				; CODE XREF: MiCheckProcessorPteCache+628j
		mov	eax, [eax+4]
		lea	ebx, [ecx-1]
		mov	[ebp+var_10], ebx
		mov	ebx, ds:__imp_@KfRaiseIrql@4 ; KfRaiseIrql(x)
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_10]

loc_480814:				; CODE XREF: MiCheckProcessorPteCache+5B1j
		sub	eax, edx
		mov	[ebp+var_14], edx
		inc	eax
		mov	[ebp+var_24], 0
		cmp	eax, 1
		jb	loc_480BD4
		mov	ecx, [ebp+var_1C]
		mov	eax, edx
		shr	eax, 5
		lea	edx, [ecx+eax*4]
		mov	eax, [ebp+var_10]
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_20], eax
		and	ecx, 1Fh
		mov	eax, 1
		shl	eax, cl
		mov	ecx, [edx]
		dec	eax
		or	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	loc_480B1A

loc_48085C:				; CODE XREF: MiCheckProcessorPteCache+58Ej
		sub	edx, [ebp+var_1C]
		not	ecx
		bsf	eax, ecx
		sar	edx, 2
		shl	edx, 5
		add	edx, eax
		mov	[ebp+var_24], eax
		cmp	edx, [ebp+var_10]
		ja	loc_480B33
		cmp	edx, 0FFFFFFFFh
		jz	loc_480B36

loc_480881:				; CODE XREF: MiCheckProcessorPteCache+609j
		mov	eax, dword_6D35E4
		add	esi, edx
		and	esi, 0FFFFFFE0h
		mov	ecx, esi
		mov	[ebp+var_1C], esi
		shr	ecx, 5
		mov	edx, [eax+ecx*4]
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], edx
		cmp	edx, 0FFFFFFFFh
		jz	loc_480BF8

loc_4808A8:				; CODE XREF: MiCheckProcessorPteCache+652j
		mov	edi, [ebp+var_14]
		or	ecx, 0FFFFFFFFh
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	edi, [ebp+var_8]
		cmp	eax, edx
		jnz	loc_480BEA
		cmp	edx, 0FFFFFFFFh
		jz	loc_480BF8
		mov	cl, 2
		call	ebx
		mov	[ebp+var_1], al
		mov	eax, large fs:20h
		cmp	dword ptr [eax+406Ch], 0FFFFFFFFh
		mov	[ebp+var_20], eax
		lea	esi, [eax+406Ch]
		jnz	loc_480BDC
		mov	ebx, [ebp+var_18]
		mov	ecx, [ebp+var_1C]
		mov	[eax+4070h], ecx
		movzx	eax, bl
		mov	[esi], ebx
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	eax, cl
		mov	ecx, offset dword_6D3610
		neg	eax
		lock xadd [ecx], eax
		mov	eax, [ebp+var_1C]
		add	eax, 20h
		mov	dword_6D3604, eax
		jmp	loc_4805F4
; 

loc_480945:				; CODE XREF: MiCheckProcessorPteCache+9Fj
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		jmp	short loc_480950
; 
		align 10h

loc_480950:				; CODE XREF: MiCheckProcessorPteCache+3ABj
					; MiCheckProcessorPteCache+415j
		test	esi, esi

loc_480952:				; CODE XREF: MiCheckProcessorPteCache+5D9j
		js	short loc_4809C0

loc_480954:				; CODE XREF: MiCheckProcessorPteCache+431j
		bsr	edi, esi
		mov	[ebp+var_38], 0
		jz	loc_480A2C
		mov	esi, 1Fh
		sub	esi, edi

loc_48096B:				; CODE XREF: MiCheckProcessorPteCache+491j
		mov	edi, eax
		sub	edi, [ebp+var_48]
		sar	edi, 2
		inc	edi
		shl	edi, 5
		sub	edi, esi
		cmp	edi, ecx
		ja	loc_48078E
		mov	[ebp+var_10], edx
		sub	[ebp+var_10], esi
		jz	short loc_4809B7
		mov	esi, [eax+4]
		add	eax, 4
		cmp	[ebp+var_10], 20h
		jnb	loc_480B77

loc_480999:				; CODE XREF: MiCheckProcessorPteCache+5EFj
		bsf	ecx, esi
		mov	[ebp+var_3C], 0
		mov	[ebp+var_1C], ecx
		jz	loc_480A36

loc_4809AC:				; CODE XREF: MiCheckProcessorPteCache+4A0j
		mov	ecx, [ebp+var_1C]
		cmp	ecx, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		jb	short loc_480950

loc_4809B7:				; CODE XREF: MiCheckProcessorPteCache+3E7j
					; MiCheckProcessorPteCache+553j ...
		mov	ecx, [ebp+var_48]
		jmp	loc_480670
; 
		align 10h

loc_4809C0:				; CODE XREF: MiCheckProcessorPteCache:loc_480952j
					; MiCheckProcessorPteCache+42Fj
		add	eax, 4
		cmp	eax, ebx
		ja	loc_48078E
		mov	esi, [eax]
		test	esi, esi
		js	short loc_4809C0
		jmp	short loc_480954
; 

loc_4809D3:				; CODE XREF: MiCheckProcessorPteCache+137j
					; MiCheckProcessorPteCache+443j
		add	eax, 4
		cmp	eax, ebx
		ja	loc_48078E
		mov	esi, [eax]
		cmp	esi, 0FFFFFFFFh
		jz	short loc_4809D3
		xor	edi, edi
		jmp	loc_4806DD
; 

loc_4809EC:				; CODE XREF: MiCheckProcessorPteCache+154j
		neg	edi
		jmp	loc_480721
; 

loc_4809F3:				; CODE XREF: MiCheckProcessorPteCache+F1j
		test	ecx, ecx
		jz	short loc_480A06
		mov	al, ds:byte_40AA48[ecx]
		lea	ebx, [esi-8]
		or	[edx], al
		inc	edx
		mov	[ebp+var_1C], edx

loc_480A06:				; CODE XREF: MiCheckProcessorPteCache+455j
		cmp	ebx, 8
		ja	loc_480B56

loc_480A0F:				; CODE XREF: MiCheckProcessorPteCache+5D2j
		test	ebx, ebx
		jz	loc_4806A1
		mov	al, ds:byte_40BA58[ebx]
		jmp	loc_48069F
; 

loc_480A22:				; CODE XREF: MiCheckProcessorPteCache+147j
		mov	ecx, 20h
		jmp	loc_4806ED
; 

loc_480A2C:				; CODE XREF: MiCheckProcessorPteCache+3BEj
		mov	esi, 20h
		jmp	loc_48096B
; 

loc_480A36:				; CODE XREF: MiCheckProcessorPteCache+406j
		mov	edx, [ebp+var_8]
		mov	[ebp+var_1C], 20h
		jmp	loc_4809AC
; 

loc_480A45:				; CODE XREF: MiCheckProcessorPteCache+96j
		test	dl, 1Fh
		jz	short loc_480A4D
		add	ebx, 4

loc_480A4D:				; CODE XREF: MiCheckProcessorPteCache+4A8j
		test	esi, esi
		jz	loc_480B94
		add	eax, 4
		cmp	dword ptr [eax], 0
		jnz	short loc_480A7F
		bsr	edx, esi
		mov	[ebp+var_2C], 0
		jz	loc_5B47BE
		mov	ecx, 1Fh
		sub	ecx, edx
		mov	[ebp+var_10], ecx

loc_480A77:				; CODE XREF: MiCheckProcessorPteCache+134225j
		mov	edx, [ebp+var_8]
		mov	esi, [ebp+var_C]
		jmp	short loc_480AB2
; 

loc_480A7F:				; CODE XREF: MiCheckProcessorPteCache+4BBj
		mov	edx, [ebp+var_8]
		mov	esi, [ebp+var_C]

loc_480A85:				; CODE XREF: MiCheckProcessorPteCache+4F3j
					; MiCheckProcessorPteCache+545j ...
		cmp	eax, ebx
		ja	loc_48078E
		add	eax, 4
		cmp	dword ptr [eax], 0
		jnz	short loc_480A85
		mov	ecx, [eax-4]
		bsr	edi, ecx
		mov	[ebp+var_30], 0
		jz	loc_5B47CA
		mov	ecx, 1Fh
		sub	ecx, edi
		mov	[ebp+var_10], ecx

loc_480AB2:				; CODE XREF: MiCheckProcessorPteCache+4DDj
					; MiCheckProcessorPteCache+601j ...
		mov	ecx, [ebp+var_48]
		mov	edi, eax
		sub	edi, ecx
		sar	edi, 2
		shl	edi, 5
		sub	edi, [ebp+var_10]
		cmp	edi, esi
		ja	loc_480791
		mov	ecx, edx
		sub	ecx, [ebp+var_10]
		mov	[ebp+var_18], ecx
		shr	ecx, 5
		lea	ecx, [eax+ecx*4]
		add	eax, 4
		mov	[ebp+var_24], ecx
		cmp	eax, ecx
		jz	short loc_480AEF

loc_480AE2:				; CODE XREF: MiCheckProcessorPteCache+54Dj
		cmp	dword ptr [eax], 0
		jnz	short loc_480A85
		add	eax, 4
		cmp	eax, [ebp+var_24]
		jnz	short loc_480AE2

loc_480AEF:				; CODE XREF: MiCheckProcessorPteCache+540j
		and	[ebp+var_18], 1Fh
		jz	loc_4809B7
		mov	ecx, [eax]
		bsf	ecx, ecx
		mov	[ebp+var_34], 0
		jnz	short loc_480B0C
		mov	ecx, 20h

loc_480B0C:				; CODE XREF: MiCheckProcessorPteCache+565j
		cmp	ecx, [ebp+var_18]
		jnb	loc_4809B7
		jmp	loc_480A85
; 

loc_480B1A:				; CODE XREF: MiCheckProcessorPteCache+2B6j
		mov	eax, [ebp+var_20]
		lea	ecx, [ecx+0]

loc_480B20:				; CODE XREF: MiCheckProcessorPteCache+58Cj
		add	edx, 4
		cmp	edx, eax
		ja	short loc_480B33
		mov	ecx, [edx]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_480B20
		jmp	loc_48085C
; 

loc_480B33:				; CODE XREF: MiCheckProcessorPteCache+2D2j
					; MiCheckProcessorPteCache+585j
		or	edx, 0FFFFFFFFh

loc_480B36:				; CODE XREF: MiCheckProcessorPteCache+2DBj
		mov	ecx, [ebp+var_18]

loc_480B39:				; CODE XREF: MiCheckProcessorPteCache+637j
		cmp	[ebp+var_14], 0
		jz	short loc_480BA6
		mov	eax, [ebp+var_C]
		inc	eax
		cmp	eax, ecx
		ja	loc_5B47B0

loc_480B4B:				; CODE XREF: MiCheckProcessorPteCache+134212j
		dec	eax
		xor	edx, edx
		mov	[ebp+var_10], eax
		jmp	loc_480814
; 

loc_480B56:				; CODE XREF: MiCheckProcessorPteCache+469j
		mov	esi, ebx
		shr	esi, 3
		push	esi		; size_t
		push	0FFh		; int
		push	edx		; void *
		call	_memset
		mov	edx, [ebp+var_1C]
		add	esp, 0Ch
		add	edx, esi
		and	ebx, 7
		jmp	loc_480A0F
; 

loc_480B77:				; CODE XREF: MiCheckProcessorPteCache+3F3j
		test	esi, esi
		jnz	loc_480952
		sub	[ebp+var_10], 20h
		jz	loc_4809B7
		mov	esi, [eax+4]
		add	eax, 4
		jmp	loc_480999
; 

loc_480B94:				; CODE XREF: MiCheckProcessorPteCache+4AFj
		mov	edx, [ebp+var_8]
		mov	esi, [ebp+var_C]
		mov	[ebp+var_10], 0
		jmp	loc_480AB2
; 

loc_480BA6:				; CODE XREF: MiCheckProcessorPteCache+59Dj
		cmp	edx, 0FFFFFFFFh
		jnz	loc_480881
		xor	edx, edx
		mov	ecx, offset dword_6D35E0
		call	_MiEmptyPteBins@8 ; MiEmptyPteBins(x,x)
		test	eax, eax
		jnz	short loc_480BCD
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_480BC6:				; CODE XREF: MiCheckProcessorPteCache+259j
		xor	edx, edx
		jmp	loc_4807FF
; 

loc_480BCD:				; CODE XREF: MiCheckProcessorPteCache+61Dj
		xor	edx, edx
		jmp	loc_4807A7
; 

loc_480BD4:				; CODE XREF: MiCheckProcessorPteCache+284j
		or	edx, 0FFFFFFFFh
		jmp	loc_480B39
; 

loc_480BDC:				; CODE XREF: MiCheckProcessorPteCache+345j
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_14]
		lock and [ecx],	eax
		jmp	loc_4805F4
; 

loc_480BEA:				; CODE XREF: MiCheckProcessorPteCache+319j
		mov	edx, eax
		mov	[ebp+var_18], edx
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4808A8

loc_480BF8:				; CODE XREF: MiCheckProcessorPteCache+302j
					; MiCheckProcessorPteCache+322j
		lea	edx, [esi+20h]
		jmp	loc_4807A7
MiCheckProcessorPteCache endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2186. RtlInterlockedSetClearRun

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlInterlockedSetClearRun
RtlInterlockedSetClearRun proc near	; CODE XREF: MiAttemptCoalesce+84p
					; MiReservePtes+270p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005B47E8 SIZE 0000010A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	edx, ebx
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, ebx
		shr	edx, 3
		add	edx, [eax+4]
		and	edi, 1Fh
		and	edx, 0FFFFFFFCh
		mov	[ebp+arg_8], esi
		lea	eax, [edi+esi]
		cmp	eax, 20h
		ja	short loc_480C84
		mov	eax, [edx]
		mov	[ebp+arg_0], eax
		cmp	esi, 20h
		jz	loc_480D0A
		mov	ecx, esi
		mov	ebx, 1
		shl	ebx, cl
		mov	ecx, edi
		dec	ebx
		shl	ebx, cl

loc_480C5B:				; CODE XREF: RtlInterlockedSetClearRun+FDj
		test	eax, ebx
		jnz	loc_480D39

loc_480C63:				; CODE XREF: RtlInterlockedSetClearRun+123j
		mov	ecx, eax
		or	ecx, ebx
		lock cmpxchg [edx], ecx
		mov	ecx, eax
		cmp	ecx, [ebp+arg_0]
		jnz	loc_480D2C

loc_480C76:				; CODE XREF: RtlInterlockedSetClearRun+C3j
					; RtlInterlockedSetClearRun+EFj
		pop	edi
		pop	esi
		mov	eax, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_480C84:				; CODE XREF: RtlInterlockedSetClearRun+2Dj
		test	edi, edi
		jz	short loc_480CCC
		mov	eax, [edx]
		mov	ecx, 20h
		mov	[ebp+arg_4], eax
		sub	ecx, edi
		mov	eax, 1
		mov	[ebp+var_C], ecx
		shl	eax, cl
		mov	ecx, edi
		dec	eax
		shl	eax, cl
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_4], eax
		test	ecx, eax
		jnz	loc_480D39

loc_480CB1:				; CODE XREF: RtlInterlockedSetClearRun+141j
		or	ecx, eax
		mov	eax, [ebp+arg_4]
		lock cmpxchg [edx], ecx
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+arg_4]
		jnz	loc_480D44
		sub	esi, [ebp+var_C]
		add	edx, 4

loc_480CCC:				; CODE XREF: RtlInterlockedSetClearRun+76j
		cmp	esi, 20h
		jnb	short loc_480D12

loc_480CD1:				; CODE XREF: RtlInterlockedSetClearRun+11Aj
		test	esi, esi
		jz	short loc_480C76
		mov	ecx, esi
		mov	eax, 1
		shl	eax, cl
		mov	ecx, [edx]
		dec	eax
		mov	[ebp+var_C], eax
		mov	[ebp+arg_4], ecx
		test	ecx, eax
		jnz	loc_5B4880
		nop

loc_480CF0:				; CODE XREF: RtlInterlockedSetClearRun+133C6Aj
		or	ecx, eax
		mov	eax, [ebp+arg_4]
		lock cmpxchg [edx], ecx
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+arg_4]
		jz	loc_480C76
		jmp	loc_5B486F
; 

loc_480D0A:				; CODE XREF: RtlInterlockedSetClearRun+37j
		or	ebx, 0FFFFFFFFh
		jmp	loc_480C5B
; 

loc_480D12:				; CODE XREF: RtlInterlockedSetClearRun+BFj
					; RtlInterlockedSetClearRun+118j
		or	ecx, 0FFFFFFFFh
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_480D56
		sub	esi, 20h
		add	edx, 4
		cmp	esi, 20h
		jnb	short loc_480D12
		jmp	short loc_480CD1
; 

loc_480D2C:				; CODE XREF: RtlInterlockedSetClearRun+60j
		mov	eax, ecx
		mov	[ebp+arg_0], eax
		test	ecx, ebx
		jz	loc_480C63

loc_480D39:				; CODE XREF: RtlInterlockedSetClearRun+4Dj
					; RtlInterlockedSetClearRun+9Bj ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_480D44:				; CODE XREF: RtlInterlockedSetClearRun+B0j
		mov	ecx, eax
		mov	eax, [ebp+var_4]
		mov	[ebp+arg_4], ecx
		test	[ebp+var_8], eax
		jnz	short loc_480D39
		jmp	loc_480CB1
; 

loc_480D56:				; CODE XREF: RtlInterlockedSetClearRun+10Dj
		mov	ecx, [ebp+arg_8]
		cmp	ecx, esi
		jz	short loc_480D39
		jmp	loc_5B47E8
RtlInterlockedSetClearRun endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiStoreWriteModifiedPages proc near	; CODE XREF: MiGatherPagefilePages+4F2p

var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B48F2 SIZE 000001EA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ECh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, ecx
		mov	[ebp+var_9C], 0
		push	ebx
		push	esi
		mov	esi, [edx+94h]
		mov	eax, [edx+54h]
		shr	esi, 0Ch
		push	edi
		mov	[ebp+var_78], edx
		mov	ebx, [eax+90h]
		lea	eax, [edx+80h]
		mov	[ebp+var_A8], 0
		mov	[ebp+var_A4], 0
		mov	[ebp+var_84], 0
		mov	ecx, [ebx+2CCh]
		mov	[ebp+var_C8], 0
		mov	[ebp+var_C4], 0
		mov	[ebp+var_C0], 0
		mov	[ebp+var_BC], 0
		mov	[ebp+var_54], ebx
		mov	[ebp+var_8C], eax
		mov	[ebp+var_74], esi
		test	ecx, ecx
		jnz	loc_48165F
		mov	eax, [ebx+2BCh]
		mov	edi, [ebx+eax*4+0F54h]
		mov	[ebp+var_68], edi
		cmp	[edi+0Ch], ecx
		jz	loc_5B48F2
		mov	eax, large fs:124h
		mov	[ebp+var_A0], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	dword ptr [edx+18h], 1
		mov	eax, [edi+3Ch]
		mov	[ebp+var_CC], ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_58], ecx
		mov	cl, 1
		mov	[ebp+var_49], 21h
		mov	[ebp+var_80], eax
		mov	[ebp+var_70], 1
		call	KiQueryUnbiasedInterruptTime
		mov	[ebp+var_E0], eax
		xor	ebx, ebx
		mov	eax, [ebp+var_8C]
		mov	[ebp+var_90], edx
		add	eax, 1Ch

loc_480E84:				; CODE XREF: MiStoreWriteModifiedPages+50Dj
		mov	[ebp+var_7C], eax
		mov	[ebp+var_88], ebx

loc_480E8D:				; CODE XREF: MiStoreWriteModifiedPages+133D04j
		mov	edx, 7FFFFFFFh
		cmp	ebx, esi
		jnb	loc_48133B
		mov	esi, [eax]
		mov	[ebp+var_64], esi
		cmp	esi, dword_6D34E4
		jz	loc_48129F
		cmp	dword ptr [edi+0Ch], 0
		jz	loc_48129F
		mov	eax, [ebp+var_CC]
		cmp	eax, [edi+38h]
		jnz	loc_481321

loc_480EC4:				; CODE XREF: MiStoreWriteModifiedPages+5C6j
		mov	ecx, [ebp+var_C8]
		mov	eax, [ebp+var_80]
		mov	[ebp+var_50], ecx
		cmp	eax, ecx
		jnb	loc_5B4925
		mov	ebx, eax

loc_480EDA:				; CODE XREF: MiStoreWriteModifiedPages+133BB7j
		mov	esi, [ebp+var_C4]
		lea	edx, [ecx-1]
		jmp	short loc_480EF0
; 
		align 10h

loc_480EF0:				; CODE XREF: MiStoreWriteModifiedPages+173j
					; MiStoreWriteModifiedPages+133BD4j
		mov	eax, edx
		mov	[ebp+var_D0], 0
		sub	eax, ebx
		inc	eax
		cmp	eax, 1
		jb	loc_5B492C
		mov	eax, ebx
		mov	ecx, ebx
		shr	eax, 5
		and	ecx, 1Fh
		lea	edi, [esi+eax*4]
		mov	eax, edx
		shr	eax, 5
		lea	eax, [esi+eax*4]
		mov	[ebp+var_5C], eax
		mov	eax, 1
		shl	eax, cl
		mov	ecx, [edi]
		dec	eax
		or	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	loc_4812DC

loc_480F35:				; CODE XREF: MiStoreWriteModifiedPages+57Ej
		not	ecx
		sub	edi, esi
		bsf	eax, ecx
		sar	edi, 2
		shl	edi, 5
		add	edi, eax
		mov	[ebp+var_D0], eax
		cmp	edi, edx
		ja	loc_481316
		cmp	edi, 0FFFFFFFFh
		jz	loc_481319

loc_480F5B:				; CODE XREF: MiStoreWriteModifiedPages+133BC1j
		mov	esi, [ebp+var_64]
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		lea	ebx, [eax+ecx*4]
		mov	cl, 2
		mov	[ebp+var_50], ebx
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_49], al
		lea	esi, [ebx+10h]
		mov	[ebp+var_D4], 0
		lock bts dword ptr [esi], 1Fh
		mov	ebx, [ebp+var_88]
		jb	loc_481690

loc_480F9B:				; CODE XREF: MiStoreWriteModifiedPages+935j
		test	dword ptr [esi], 40000000h
		jnz	loc_48129A
		mov	ecx, [ebp+var_50]
		lea	eax, [ebp+var_84]
		push	eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_84], 0
		push	eax
		lea	eax, [ebp+var_9C]
		mov	edx, edi
		push	eax
		call	_MiStoreCheckCandidatePage@20 ;	MiStoreCheckCandidatePage(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_481282
		mov	eax, [ebp+var_50]
		mov	edx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	edx
		mov	cl, [ebp+var_49]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_60], 0
		mov	[ebp+var_49], 21h
		jnz	short loc_481014
		mov	ecx, [ebp+var_54]
		add	ecx, 2F0h
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	[ebp+var_60], eax
		test	eax, eax
		jz	loc_4812F3

loc_481014:				; CODE XREF: MiStoreWriteModifiedPages+289j
					; MiStoreWriteModifiedPages+59Bj
		mov	eax, [ebp+var_68]
		mov	esi, [eax+0Ch]
		dec	esi
		mov	[ebp+var_64], esi
		cmp	esi, 8
		jb	short loc_48102B
		mov	esi, 8
		mov	[ebp+var_64], esi

loc_48102B:				; CODE XREF: MiStoreWriteModifiedPages+2B1j
		cmp	[ebp+var_70], 0
		jz	short loc_481070
		mov	ecx, [ebp+var_54]
		mov	edx, 120h
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	loc_5B49DC
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		sub	eax, [ebp+var_E0]
		sbb	edx, [ebp+var_90]
		mov	[ebp+var_B4], edx
		jnz	loc_5B49F8
		cmp	eax, 2FAF080h
		jnb	loc_5B49F8

loc_481070:				; CODE XREF: MiStoreWriteModifiedPages+2BFj
					; MiStoreWriteModifiedPages+133C76j ...
		mov	eax, [ebp+var_78]
		add	eax, 18h
		lock inc dword ptr [eax]
		mov	eax, [ebp+var_60]
		mov	ecx, [ebp+var_50]
		lea	esi, [eax+24h]
		mov	dword ptr [esi+4], 20h
		mov	dword ptr [esi], 0
		or	word ptr [eax+2Ah], 2
		mov	eax, 92492493h
		mov	dword ptr [esi+10h], 0
		mov	dword ptr [esi+18h], 0
		mov	dword ptr [esi+14h], 1000h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		mov	[ebp+var_AC], 0
		add	edx, ecx
		mov	ecx, [ebp+var_60]
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		lea	edx, [ebp+var_AC]
		mov	[ecx+40h], eax
		mov	eax, [ebp+var_78]
		mov	[ecx+20h], eax
		lea	ecx, [ebp+var_9C]
		call	?SmKeyConvert@@YGJPAT_MM_STORE_KEY@@PAT_SM_PAGE_KEY@@@Z	; SmKeyConvert(_MM_STORE_KEY *,_SM_PAGE_KEY *)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_5B4A2D
		mov	ecx, [ebp+var_60]
		lea	edx, [ebp+var_A8]
		push	[ebp+var_70]
		lea	eax, [ecx+8]
		push	eax
		push	ecx
		push	esi
		push	[ebp+var_84]
		lea	ecx, [ebp+var_AC]
		call	_SmpPageWrite@28 ; SmpPageWrite(x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_5B4A2D
		mov	ebx, [ebp+var_68]
		add	ebx, 88h
		mov	[ebp+var_60], 0
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_49], al
		mov	esi, edi
		mov	eax, [ebp+var_68]
		mov	edx, edi
		shr	esi, 3
		and	edx, 7
		mov	ecx, [eax+38h]
		lea	eax, [edi+1]
		mov	[ebp+var_80], eax
		add	esi, [ecx+8]
		movsx	ecx, byte ptr [esi]
		bts	ecx, edx
		mov	[esi], cl
		mov	esi, [ebp+var_68]
		dec	dword ptr [esi+0Ch]
		mov	ecx, [esi]
		sub	ecx, [esi+0Ch]
		dec	ecx
		mov	[esi+3Ch], eax
		cmp	[esi+10h], ecx
		jnb	short loc_481171
		mov	[esi+10h], ecx

loc_481171:				; CODE XREF: MiStoreWriteModifiedPages+3FCj
		test	ds:byte_70EFC6,	1
		jnz	loc_5B4A04
		mov	dword ptr [ebx], 0

loc_481184:				; CODE XREF: MiStoreWriteModifiedPages+133C9Ej
		mov	cl, [ebp+var_49]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_49], al
		mov	eax, [ebp+var_50]
		mov	[ebp+var_E4], 0
		lea	ebx, [eax+10h]
		lock bts dword ptr [ebx], 1Fh
		jb	loc_4816B0

loc_4811B3:				; CODE XREF: MiStoreWriteModifiedPages+95Aj
		lea	ebx, [eax+8]
		mov	edx, 1
		push	1
		mov	ecx, ebx
		mov	[ebp+var_58], ebx
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	ecx, [ebx+4]
		and	dword ptr [ebx], 0FFFFFFFDh
		push	ecx
		mov	[ebx+4], ecx
		mov	ecx, [ebx]
		push	ecx
		mov	[ebp+var_98], edx
		mov	ecx, esi
		push	1
		mov	edx, edi
		mov	[ebp+var_B4], eax
		call	_MiTransferSoftwarePte@20 ; MiTransferSoftwarePte(x,x,x,x,x)
		mov	[ebp+var_5C], eax
		mov	[ebp+var_64], edx

loc_4811F1:				; CODE XREF: MiStoreWriteModifiedPages+133CA6j
		mov	esi, [ebx]
		mov	eax, esi
		mov	ecx, [ebx+4]
		mov	edx, ecx
		mov	[ebp+var_94], ecx
		nop
		mov	ebx, [ebp+var_5C]
		mov	ecx, [ebp+var_64]
		mov	edi, [ebp+var_58]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	loc_5B4A13
		cmp	edx, [ebp+var_94]
		jnz	loc_5B4A13
		mov	ecx, edi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5B4A1B

loc_481231:				; CODE XREF: MiStoreWriteModifiedPages+133CB8j
		mov	eax, [ebp+var_50]
		mov	edx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	edx
		mov	cl, [ebp+var_49]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	[ebp+var_98]
		mov	ecx, [ebp+var_54]
		mov	edx, 2
		push	[ebp+var_B4]
		mov	[ebp+var_49], 21h
		call	MiReleasePageFileInfo
		mov	ebx, [ebp+var_88]

loc_48126B:				; CODE XREF: MiStoreWriteModifiedPages+555j
		mov	eax, [ebp+var_7C]
		inc	ebx
		mov	edi, [ebp+var_68]
		add	eax, 4
		xor	esi, esi
		mov	[ebp+var_58], esi
		mov	esi, [ebp+var_74]
		jmp	loc_480E84
; 

loc_481282:				; CODE XREF: MiStoreWriteModifiedPages+264j
		mov	eax, dword_6D35BC
		mov	[ebp+var_5C], eax
		test	eax, eax
		jz	short loc_48129A
		cmp	esi, 0C00001A7h
		jnz	loc_5B4949

loc_48129A:				; CODE XREF: MiStoreWriteModifiedPages+231j
					; MiStoreWriteModifiedPages+51Cj ...
		mov	edx, 7FFFFFFFh

loc_48129F:				; CODE XREF: MiStoreWriteModifiedPages+135j
					; MiStoreWriteModifiedPages+13Fj
		mov	cl, [ebp+var_49]
		cmp	cl, 21h
		jnz	short loc_4812C7

loc_4812A7:				; CODE XREF: MiStoreWriteModifiedPages+56Aj
					; MiStoreWriteModifiedPages+133C67j ...
		mov	eax, [ebp+var_54]
		mov	edx, ebx
		shr	edx, 3
		mov	eax, [eax+308h]
		add	edx, [eax+4]
		mov	eax, ebx
		and	eax, 7
		movsx	ecx, byte ptr [edx]
		bts	ecx, eax
		mov	[edx], cl
		jmp	short loc_48126B
; 

loc_4812C7:				; CODE XREF: MiStoreWriteModifiedPages+535j
		mov	eax, [ebp+var_50]
		add	eax, 10h
		lock and [eax],	edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[ebp+var_49], 21h
		jmp	short loc_4812A7
; 

loc_4812DC:				; CODE XREF: MiStoreWriteModifiedPages+1BFj
		mov	eax, [ebp+var_5C]
		nop

loc_4812E0:				; CODE XREF: MiStoreWriteModifiedPages+57Cj
		add	edi, 4
		cmp	edi, eax
		ja	short loc_481316
		mov	ecx, [edi]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_4812E0
		jmp	loc_480F35
; 

loc_4812F3:				; CODE XREF: MiStoreWriteModifiedPages+29Ej
		push	0
		push	40h
		mov	edx, 57536D4Dh
		mov	ecx, 48h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_60], eax
		test	eax, eax
		jnz	loc_481014
		jmp	loc_5B49D0
; 

loc_481316:				; CODE XREF: MiStoreWriteModifiedPages+1DCj
					; MiStoreWriteModifiedPages+575j
		or	edi, 0FFFFFFFFh

loc_481319:				; CODE XREF: MiStoreWriteModifiedPages+1E5j
		mov	ecx, [ebp+var_50]
		jmp	loc_5B492F
; 

loc_481321:				; CODE XREF: MiStoreWriteModifiedPages+14Ej
		test	eax, eax
		jnz	loc_5B4901

loc_481329:				; CODE XREF: MiStoreWriteModifiedPages+133BA2j
					; MiStoreWriteModifiedPages+133BB0j
		lea	edx, [ebp+var_CC]
		mov	ecx, edi
		call	_MiRefPageFileSpaceBitmaps@8 ; MiRefPageFileSpaceBitmaps(x,x)
		jmp	loc_480EC4
; 

loc_48133B:				; CODE XREF: MiStoreWriteModifiedPages+124j
		cmp	[ebp+var_6C], 0
		mov	ebx, [ebp+var_54]
		jnz	loc_5B4AAD

loc_481348:				; CODE XREF: MiStoreWriteModifiedPages+133D47j
		mov	esi, [ebx+308h]
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_4813A6
		mov	edx, [ebp+var_74]
		cmp	edx, 1
		jbe	short loc_481392
		cmp	eax, edx
		jb	short loc_4813A6
		mov	esi, [esi+4]
		lea	ecx, [edx-1]
		mov	eax, ecx
		shr	eax, 5
		mov	edi, [esi]
		lea	eax, [esi+eax*4]
		cmp	esi, eax
		jnz	loc_4815FA
		mov	ecx, 20h
		sub	ecx, edx
		or	edx, 0FFFFFFFFh
		shr	edx, cl
		mov	eax, edx
		and	eax, edi
		cmp	eax, edx
		jz	loc_481633
		jmp	short loc_4813A6
; 

loc_481392:				; CODE XREF: MiStoreWriteModifiedPages+5EAj
		jnz	short loc_4813A6
		mov	eax, [esi+4]
		bt	dword ptr [eax], 0
		setb	al
		test	al, al
		jnz	loc_481636

loc_4813A6:				; CODE XREF: MiStoreWriteModifiedPages+5E2j
					; MiStoreWriteModifiedPages+5EEj ...
		mov	edi, [ebp+var_78]
		or	esi, 0FFFFFFFFh
		push	ds:dword_40F9FC
		push	ds:_ZeroPte
		mov	ecx, [edi+68h]
		mov	eax, [edi+6Ch]
		shrd	ecx, eax, 0Ch
		push	1
		mov	[ebp+var_90], ecx
		mov	edx, ecx
		mov	ecx, [edi+54h]
		call	_MiTransferSoftwarePte@20 ; MiTransferSoftwarePte(x,x,x,x,x)
		mov	[ebp+var_5C], eax
		mov	[ebp+var_7C], edx
		lea	ebx, [ebx+0]

loc_4813E0:				; CODE XREF: MiStoreWriteModifiedPages+777j
					; MiStoreWriteModifiedPages+7B0j
		mov	ecx, [ebx+308h]
		lea	edx, [esi+1]
		mov	[ebp+var_6C], edx
		mov	esi, [ecx]
		mov	[ebp+var_94], esi
		cmp	edx, esi
		jnb	loc_481682
		mov	ebx, edx

loc_4813FE:				; CODE XREF: MiStoreWriteModifiedPages+914j
		mov	ecx, [ecx+4]
		lea	edi, [esi-1]
		mov	[ebp+var_B4], ecx
		lea	ebx, [ebx+0]

loc_481410:				; CODE XREF: MiStoreWriteModifiedPages+885j
		mov	eax, edi
		mov	[ebp+var_E8], 0
		sub	eax, ebx
		inc	eax
		cmp	eax, 1
		jb	loc_4816CF
		mov	eax, edi
		mov	edx, 1
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	ecx, ebx
		mov	[ebp+var_98], eax
		and	ecx, 1Fh
		shl	edx, cl
		mov	eax, ebx
		mov	ecx, [ebp+var_B4]
		dec	edx
		shr	eax, 5
		lea	esi, [ecx+eax*4]
		mov	eax, [esi]
		not	eax
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_481525

loc_481460:				; CODE XREF: MiStoreWriteModifiedPages+7D0j
		not	eax
		sub	esi, ecx
		bsf	eax, eax
		sar	esi, 2
		shl	esi, 5
		add	esi, eax
		mov	[ebp+var_E8], eax
		cmp	esi, edi
		ja	loc_481545
		cmp	esi, 0FFFFFFFFh
		jz	loc_481548

loc_481486:				; CODE XREF: MiStoreWriteModifiedPages+7E6j
		mov	ebx, [ebp+var_54]
		mov	edx, esi
		shr	edx, 3
		mov	eax, [ebx+308h]
		add	edx, [eax+4]
		mov	eax, esi
		and	eax, 7
		movsx	ecx, byte ptr [edx]
		btr	ecx, eax
		mov	eax, [ebp+var_8C]
		mov	[edx], cl
		mov	eax, [eax+esi*4+1Ch]
		cmp	eax, dword_6D34E4
		jnz	short loc_4814EC
		push	[ebp+var_7C]
		mov	eax, [ebp+var_90]
		push	[ebp+var_5C]
		add	eax, esi
		push	0
		push	eax
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	edi, edx
		mov	ebx, eax
		push	edi
		push	ebx
		mov	[ebp+var_5C], ebx
		mov	edx, 2
		mov	ebx, [ebp+var_54]
		mov	ecx, ebx
		mov	[ebp+var_7C], edi
		call	MiReleasePageFileInfo
		jmp	loc_4813E0
; 

loc_4814EC:				; CODE XREF: MiStoreWriteModifiedPages+744j
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [eax+ecx*4]
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, [edi+16h]
		mov	edx, 7FFFFFFFh
		or	cl, 10h
		mov	[edi+16h], cl
		lea	ecx, [edi+10h]
		lock and [ecx],	edx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4813E0
; 

loc_481525:				; CODE XREF: MiStoreWriteModifiedPages+6EAj
		mov	edx, [ebp+var_98]
		jmp	short loc_481530
; 
		align 10h

loc_481530:				; CODE XREF: MiStoreWriteModifiedPages+7BBj
					; MiStoreWriteModifiedPages+7CEj
		add	esi, 4
		cmp	esi, edx
		ja	short loc_481545
		mov	eax, [esi]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_481530
		jmp	loc_481460
; 

loc_481545:				; CODE XREF: MiStoreWriteModifiedPages+707j
					; MiStoreWriteModifiedPages+7C5j
		or	esi, 0FFFFFFFFh

loc_481548:				; CODE XREF: MiStoreWriteModifiedPages+710j
		mov	edx, [ebp+var_6C]

loc_48154B:				; CODE XREF: MiStoreWriteModifiedPages+962j
		test	ebx, ebx
		jnz	loc_4815E1
		cmp	esi, 0FFFFFFFFh
		jnz	loc_481486
		push	[ebp+var_74]
		push	[ebp+var_8C]
		call	MiStoreUpdatePagefileHash
		mov	esi, [ebp+var_78]
		mov	edi, [ebp+var_A0]
		or	dword ptr [esi+14h], 20h
		dec	word ptr [edi+13Eh]
		nop
		mov	ebx, [ebp+var_54]
		mov	ecx, edi
		inc	dword ptr [ebx+2D4h]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, esi
		call	_MiStoreModifiedWriteDereference@4 ; MiStoreModifiedWriteDereference(x)
		mov	esi, 103h

loc_48159B:				; CODE XREF: MiStoreWriteModifiedPages+8EAj
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_60]
		test	ecx, ecx
		jnz	loc_5B4AC3

loc_4815AD:				; CODE XREF: MiStoreWriteModifiedPages+133D5Aj
		cmp	[ebp+var_CC], 0
		jz	short loc_4815CE
		mov	ecx, [ebp+var_68]
		lea	edx, [ebp+var_CC]
		push	0
		call	_MiDerefPageFileSpaceBitmaps@12	; MiDerefPageFileSpaceBitmaps(x,x,x)
		test	eax, eax
		jnz	loc_5B4ACF

loc_4815CE:				; CODE XREF: MiStoreWriteModifiedPages+844j
					; MiStoreWriteModifiedPages+133D67j
		mov	eax, esi

loc_4815D0:				; CODE XREF: MiStoreWriteModifiedPages+133B8Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4815E1:				; CODE XREF: MiStoreWriteModifiedPages+7DDj
		mov	esi, [ebp+var_94]
		lea	edi, [edx+1]
		cmp	edi, esi
		ja	loc_5B4ABC

loc_4815F2:				; CODE XREF: MiStoreWriteModifiedPages+133D4Ej
		dec	edi
		xor	ebx, ebx
		jmp	loc_481410
; 

loc_4815FA:				; CODE XREF: MiStoreWriteModifiedPages+602j
		cmp	edi, 0FFFFFFFFh
		jnz	loc_4813A6
		add	esi, 4
		cmp	esi, eax
		jz	short loc_481620
		lea	ebx, [ebx+0]

loc_481610:				; CODE XREF: MiStoreWriteModifiedPages+8AEj
		cmp	dword ptr [esi], 0FFFFFFFFh
		jnz	loc_4813A6
		add	esi, 4
		cmp	esi, eax
		jnz	short loc_481610

loc_481620:				; CODE XREF: MiStoreWriteModifiedPages+898j
		or	edx, 0FFFFFFFFh
		not	ecx
		shr	edx, cl
		mov	eax, edx
		and	eax, [esi]
		cmp	eax, edx
		jnz	loc_4813A6

loc_481633:				; CODE XREF: MiStoreWriteModifiedPages+61Aj
		mov	edx, [ebp+var_74]

loc_481636:				; CODE XREF: MiStoreWriteModifiedPages+630j
		mov	eax, [ebx+308h]
		push	edx
		push	0
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	ecx, [ebp+var_78]
		mov	esi, 0C0000429h
		mov	edi, [ebp+var_A0]
		mov	dword ptr [ecx+18h], 0
		jmp	loc_48159B
; 

loc_48165F:				; CODE XREF: MiStoreWriteModifiedPages+99j
		mov	edx, esi
		call	MiStoreLogWriteDisabled
		mov	ecx, [ebp+var_4]
		mov	eax, 0C000009Ah
		dec	dword ptr [ebx+2CCh]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_481682:				; CODE XREF: MiStoreWriteModifiedPages+686j
		xor	ebx, ebx
		jmp	loc_4813FE
; 
		align 10h

loc_481690:				; CODE XREF: MiStoreWriteModifiedPages+225j
					; MiStoreWriteModifiedPages+92Ej ...
		lea	ecx, [ebp+var_D4]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_481690
		lock bts dword ptr [esi], 1Fh
		jnb	loc_480F9B
		jmp	short loc_481690
; 
		align 10h

loc_4816B0:				; CODE XREF: MiStoreWriteModifiedPages+43Dj
					; MiStoreWriteModifiedPages+94Ej ...
		lea	ecx, [ebp+var_E4]
		call	KeYieldProcessorEx
		cmp	dword ptr [ebx], 0
		jl	short loc_4816B0
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_4816B0
		mov	eax, [ebp+var_50]
		jmp	loc_4811B3
; 

loc_4816CF:				; CODE XREF: MiStoreWriteModifiedPages+6B2j
		or	esi, 0FFFFFFFFh
		jmp	loc_48154B
MiStoreWriteModifiedPages endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReleasePageFileInfo proc near		; CODE XREF: .text:0044A85Cp
					; MiLockPageAndSetDirty+6Bp ...

var_2A		= byte ptr -2Ah
var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B4ADC SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		mov	ebx, dword_6D0704
		mov	[esp+30h+var_C], ecx
		mov	ecx, dword_6D0700
		mov	eax, ecx
		or	eax, ebx
		mov	[esp+30h+var_1C], edx
		mov	edx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[esp+38h+var_8], esi
		mov	edi, edx
		jz	short loc_481730
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	loc_4818C0
		not	ecx
		mov	edi, ebx
		and	ecx, esi
		not	edi
		and	edi, edx
		mov	[esp+38h+var_8], ecx

loc_481730:				; CODE XREF: MiReleasePageFileInfo+32j
					; MiReleasePageFileInfo+1E4j
		mov	ebx, [esp+38h+var_C]
		mov	ecx, esi
		mov	eax, edx
		mov	[esp+38h+var_10], 0
		shrd	ecx, eax, 0Ch
		and	ecx, 0Fh
		mov	ebx, [ebx+ecx*4+0F54h]
		mov	ecx, esi
		shrd	ecx, eax, 1
		mov	eax, [esp+38h+var_1C]
		shrd	esi, edx, 2
		and	ecx, 1
		and	esi, 1
		mov	[esp+38h+var_24], ecx
		and	eax, 1
		mov	[esp+38h+var_20], esi
		mov	[esp+38h+var_8], eax
		lea	eax, [ebx+88h]
		mov	[esp+38h+var_18], eax
		jnz	loc_481928
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	cl, al
		mov	[esp+38h+var_25], cl
		jnz	loc_5B4ADC
		mov	[esp+38h+var_14], 0
		lea	eax, [ebx+88h]
		lock bts dword ptr [eax], 1Fh
		jb	loc_481946

loc_4817B5:				; CODE XREF: MiReleasePageFileInfo+279j
		mov	edx, [eax]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_48195E

loc_4817C9:				; CODE XREF: MiReleasePageFileInfo+253j
					; MiReleasePageFileInfo+2A9j ...
		cmp	[esp+38h+var_24], 0
		mov	eax, [ebx+38h]
		mov	[esp+38h+var_20], eax
		jz	short loc_4817EF
		mov	edx, edi
		mov	ecx, edi
		shr	edx, 3
		and	ecx, 7
		add	edx, [eax+10h]
		movsx	eax, byte ptr [edx]
		btr	eax, ecx
		mov	[edx], al
		inc	dword ptr [ebx+18h]

loc_4817EF:				; CODE XREF: MiReleasePageFileInfo+F5j
		test	esi, esi
		jz	short loc_48183C
		test	byte ptr [esp+38h+var_1C], 2
		jz	loc_4818EC

loc_4817FE:				; CODE XREF: MiReleasePageFileInfo+215j
		test	byte ptr [ebx+74h], 40h
		mov	edx, edi
		jnz	loc_48191C
		mov	eax, [esp+38h+var_20]
		mov	ecx, edi
		shr	edx, 3
		and	ecx, 7
		add	edx, [eax+8]
		movsx	eax, byte ptr [edx]
		btr	eax, ecx
		mov	[edx], al
		inc	dword ptr [ebx+0Ch]
		mov	eax, [ebx+0Ch]
		cmp	edi, [ebx+3Ch]
		jb	loc_5B4AEE

loc_481830:				; CODE XREF: MiReleasePageFileInfo+133411j
		inc	dword ptr [ebx+44h]
		cmp	eax, 1
		jz	loc_5B4AF6

loc_48183C:				; CODE XREF: MiReleasePageFileInfo+111j
					; MiReleasePageFileInfo+13341Aj ...
		mov	edx, [esp+38h+var_24]
		mov	eax, edi
		shr	eax, 5
		mov	[esp+38h+var_1C], eax
		test	edx, edx
		jz	short loc_4818C9
		mov	[esp+38h+var_1C], eax

loc_481851:				; CODE XREF: MiReleasePageFileInfo+204j
		test	esi, esi
		jz	loc_4818FA

loc_481859:				; CODE XREF: MiReleasePageFileInfo+231j
		push	edi
		mov	ecx, ebx
		call	MiCoalescePageFileBitmapsCache
		mov	ecx, [ebx+90h]
		add	ecx, 208h
		mov	eax, [ecx]
		and	eax, 0FFFFFE00h
		or	eax, 200h
		add	eax, 400h
		xchg	eax, [ecx]

loc_481880:				; CODE XREF: MiReleasePageFileInfo+20Aj
					; MiReleasePageFileInfo+237j ...
		cmp	[esp+3Ch+var_C], 0
		jnz	loc_481938
		test	ds:byte_70EFC6,	1
		jnz	loc_5B4B0D
		mov	eax, [esp+3Ch+var_1C]
		mov	dword ptr [eax], 0

loc_4818A2:				; CODE XREF: MiReleasePageFileInfo+133439j
		mov	cl, [esp+13h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4818AC:				; CODE XREF: MiReleasePageFileInfo+261j
		cmp	[esp+3Ch+var_14], 1
		jz	loc_5B4B1E

loc_4818B7:				; CODE XREF: MiReleasePageFileInfo+133451j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4818C0:				; CODE XREF: MiReleasePageFileInfo+3Cj
		mov	[esp+38h+var_8], esi
		jmp	loc_481730
; 

loc_4818C9:				; CODE XREF: MiReleasePageFileInfo+16Bj
		mov	eax, [esp+38h+var_20]
		mov	ecx, edi
		mov	edx, [esp+38h+var_1C]
		and	ecx, 1Fh
		mov	eax, [eax+10h]
		mov	eax, [eax+edx*4]
		mov	edx, [esp+38h+var_24]
		sar	eax, cl
		test	al, 1
		jz	loc_481851
		jmp	short loc_481880
; 

loc_4818EC:				; CODE XREF: MiReleasePageFileInfo+118j
		mov	edx, edi
		mov	ecx, ebx
		call	MiClearPageFileHash
		jmp	loc_4817FE
; 

loc_4818FA:				; CODE XREF: MiReleasePageFileInfo+173j
		mov	eax, [esp+38h+var_20]
		mov	ecx, edi
		mov	esi, [esp+38h+var_1C]
		and	ecx, 1Fh
		mov	eax, [eax+8]
		mov	eax, [eax+esi*4]
		sar	eax, cl
		test	al, 1
		jz	loc_481859
		jmp	loc_481880
; 

loc_48191C:				; CODE XREF: MiReleasePageFileInfo+124j
		mov	ecx, ebx
		call	_MiStoreSetEvictPageFile@8 ; MiStoreSetEvictPageFile(x,x)
		jmp	loc_481880
; 

loc_481928:				; CODE XREF: MiReleasePageFileInfo+9Bj
		push	eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	[esp+38h+var_25], 2
		jmp	loc_4817C9
; 

loc_481938:				; CODE XREF: MiReleasePageFileInfo+1A5j
		push	[esp+3Ch+var_1C]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	loc_4818AC
; 

loc_481946:				; CODE XREF: MiReleasePageFileInfo+CFj
		mov	dl, cl
		mov	ecx, eax
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[esp+38h+var_14], eax
		lea	eax, [ebx+88h]
		jmp	loc_4817B5
; 

loc_48195E:				; CODE XREF: MiReleasePageFileInfo+E3j
		lea	esi, [ebx+88h]

loc_481964:				; CODE XREF: MiReleasePageFileInfo+2A3j
		test	edx, 40000000h
		jz	short loc_48198E

loc_48196C:				; CODE XREF: MiReleasePageFileInfo+2BEj
		lea	ecx, [esp+38h+var_14]
		call	KeYieldProcessorEx
		mov	eax, [esi]

loc_481977:				; CODE XREF: MiReleasePageFileInfo+2C0j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_481964
		mov	esi, [esp+38h+var_20]
		jmp	loc_4817C9
; 

loc_48198E:				; CODE XREF: MiReleasePageFileInfo+28Aj
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_48196C
		jmp	short loc_481977
MiReleasePageFileInfo endp

; 
		align 10h

MiCoalescePageFileBitmapsCache:		; CODE XREF: MiReleasePageFileInfo+17Cp
					; MiAttemptPageFileReductionApc(x,x,x)+38Ap ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		test	byte ptr [ecx+77h], 1
		push	ebx
		push	esi
		push	edi
		mov	[ebp-4], ecx
		jnz	loc_481B86
		mov	eax, [ecx+38h]
		lea	ebx, [eax+4]
		add	eax, 0Ch
		mov	[ebp-10h], ebx
		test	edx, edx
		jz	loc_481C42
		mov	[ebp-0Ch], eax

loc_4819DF:				; CODE XREF: .text:00481C48j
		mov	eax, [ecx+60h]
		add	ecx, 5Ch
		mov	dword ptr [ebp-8], 0
		mov	esi, [ecx]
		test	al, 1
		jz	short loc_4819F8
		test	esi, esi
		jz	short loc_4819F8
		xor	esi, ecx

loc_4819F8:				; CODE XREF: .text:004819F0j
					; .text:004819F4j
		mov	edi, [ebp+8]
		xor	edx, edx
		movzx	ecx, al
		and	ecx, 1
		test	esi, esi
		jz	short loc_481A1B

loc_481A07:				; CODE XREF: .text:00481A19j
		cmp	edi, [esi+0Ch]
		jb	short loc_481A52
		jbe	short loc_481A1D
		mov	eax, [esi+4]
		test	ecx, ecx
		jnz	short loc_481A60

loc_481A15:				; CODE XREF: .text:00481A58j
					; .text:00481A5Cj ...
		mov	esi, eax

loc_481A17:				; CODE XREF: .text:00481A66j
		test	esi, esi
		jnz	short loc_481A07

loc_481A1B:				; CODE XREF: .text:00481A05j
		mov	esi, edx

loc_481A1D:				; CODE XREF: .text:00481A0Cj
		mov	ebx, [esi+0Ch]
		lea	ecx, [esi-0Ch]
		lea	eax, [edi+1]
		mov	[ebp+8], ebx
		cmp	ebx, eax
		jz	loc_481D5B

loc_481A31:				; CODE XREF: .text:00481D5Ej
					; .text:00481D6Dj
		mov	ecx, [esi]
		mov	edx, esi
		test	ecx, ecx
		jnz	short loc_481A68
		mov	ecx, [esi+8]
		and	ecx, 0FFFFFFFCh
		jz	short loc_481A7B

loc_481A41:				; CODE XREF: .text:00481A4Ej
		cmp	[ecx+4], edx
		jz	short loc_481A7B
		mov	edx, ecx
		mov	ecx, [ecx+8]
		and	ecx, 0FFFFFFFCh
		jnz	short loc_481A41
		jmp	short loc_481A7B
; 

loc_481A52:				; CODE XREF: .text:00481A0Aj
		mov	eax, [esi]
		mov	edx, esi
		test	ecx, ecx
		jz	short loc_481A15
		test	eax, eax
		jz	short loc_481A15
		jmp	short loc_481A64
; 

loc_481A60:				; CODE XREF: .text:00481A13j
		test	eax, eax
		jz	short loc_481A15

loc_481A64:				; CODE XREF: .text:00481A5Ej
		xor	esi, eax
		jmp	short loc_481A17
; 

loc_481A68:				; CODE XREF: .text:00481A37j
		cmp	dword ptr [ecx+4], 0
		jz	short loc_481A7B
		mov	edi, edi

loc_481A70:				; CODE XREF: .text:00481A79j
		mov	eax, [ecx+4]
		mov	ecx, eax
		cmp	dword ptr [eax+4], 0
		jnz	short loc_481A70

loc_481A7B:				; CODE XREF: .text:00481A3Fj
					; .text:00481A44j ...
		test	ecx, ecx
		jz	loc_481D3B
		mov	eax, [ecx+0Ch]
		lea	ebx, [ecx-0Ch]
		mov	ecx, [ebx+1Ch]
		add	eax, ecx
		lea	edx, [eax-1]
		mov	[ebp-14h], edx
		cmp	eax, edi
		jnz	loc_481C3A
		cmp	[esi+0Ch], edi
		lea	edx, [esi-0Ch]
		jz	loc_481DA0
		mov	edx, [ebp-14h]
		lea	eax, [ecx+1]
		mov	[ebx+1Ch], eax
		mov	[ebp-8], ebx
		mov	ebx, [ebp+8]

loc_481AB7:				; CODE XREF: .text:00481C3Dj
					; .text:00481D3Dj ...
		cmp	dword ptr [ebp-8], 0
		jz	loc_481B8F
		mov	ebx, [ebp-8]
		test	bl, 1
		jnz	loc_481DF6
		mov	edx, [ebx+18h]
		mov	ecx, [ebp-0Ch]
		cmp	edx, edi
		jz	loc_481D72
		mov	esi, [ecx]
		dec	edx
		mov	eax, [ebx+1Ch]
		add	eax, edx
		mov	edx, [ecx+4]
		mov	[ebp-14h], eax
		lea	ecx, [esi-1]
		shr	eax, 5
		shr	ecx, 5
		and	esi, 1Fh
		mov	[ebp-0Ch], esi
		lea	eax, [edx+eax*4]
		lea	edi, [edx+ecx*4]
		jnz	loc_481DFE

loc_481B04:				; CODE XREF: .text:00481E01j
		mov	ecx, [ebp-14h]
		xor	esi, esi
		mov	edx, [eax]
		and	ecx, 1Fh
		mov	[ebp+8], ecx
		mov	ecx, ds:dword_40BA68[ecx*4]
		not	ecx
		and	edx, ecx
		cmp	eax, edi
		ja	loc_481E06
		test	edx, edx
		jz	loc_481CF2

loc_481B2C:				; CODE XREF: .text:00481D21j
		push	0
		push	edx

loc_481B2F:				; CODE XREF: .text:005B4B59j
		call	_RtlFindLeastSignificantBit@8 ;	RtlFindLeastSignificantBit(x,x)
		movsx	eax, al
		add	esi, eax

loc_481B39:				; CODE XREF: .text:00481E0Bj
					; .text:005B4B39j
		sub	esi, [ebp+8]
		cmp	esi, 1
		ja	loc_481D26

loc_481B45:				; CODE XREF: .text:00481D36j
					; .text:00481D7Ej ...
		mov	ecx, [ebx+4]
		mov	edx, ebx
		test	ecx, ecx
		jnz	short loc_481B66
		mov	ecx, [ebx+8]
		and	ecx, 0FFFFFFFCh
		jz	short loc_481B7A

loc_481B56:				; CODE XREF: .text:00481B62j
		cmp	[ecx], edx
		jz	short loc_481B7A
		mov	edx, ecx
		mov	ecx, [ecx+8]
		and	ecx, 0FFFFFFFCh
		jnz	short loc_481B56
		jmp	short loc_481B7A
; 

loc_481B66:				; CODE XREF: .text:00481B4Cj
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_481B7A
		lea	esp, [esp+0]

loc_481B70:				; CODE XREF: .text:00481B78j
		mov	eax, [edx]
		mov	ecx, edx
		mov	edx, eax
		test	eax, eax
		jnz	short loc_481B70

loc_481B7A:				; CODE XREF: .text:00481B54j
					; .text:00481B58j ...
		mov	eax, [ecx+1Ch]
		cmp	eax, [ebx+1Ch]
		jbe	loc_481C6E

loc_481B86:				; CODE XREF: .text:004819C2j
					; .text:00481C35j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_481B8F:				; CODE XREF: .text:00481ABBj
		mov	eax, ebx
		sub	eax, edi
		cmp	dword ptr [ebp+8], 0FFFFFFFFh
		lea	ebx, [eax-1]
		jz	short loc_481B9F
		lea	ebx, [eax-2]

loc_481B9F:				; CODE XREF: .text:00481B9Aj
		mov	eax, edi
		sub	eax, edx
		lea	esi, [eax-1]
		test	edx, edx
		jz	short loc_481BAD
		lea	esi, [eax-2]

loc_481BAD:				; CODE XREF: .text:00481BA8j
		mov	edx, [ebp-4]
		mov	ecx, [edx+64h]
		lea	eax, [edx+64h]
		mov	[ebp+8], ecx
		cmp	ecx, eax
		jz	loc_5B4B5E

loc_481BC1:				; CODE XREF: .text:005B4B72j
					; .text:005B4B7Fj ...
		lea	eax, [ebx+1]
		mov	[ebp-14h], ecx
		add	eax, esi
		cmp	eax, 20h
		jb	loc_481D49
		cmp	[ecx+1Ch], eax
		jnb	loc_481D49
		test	ebx, ebx
		jz	short loc_481C02
		mov	ecx, [ebp-0Ch]
		lea	eax, [ebx+1]
		push	eax
		mov	edx, edi
		call	RtlLengthCurrentClearRunForward
		mov	ecx, [ebp+8]
		lea	ebx, [eax-1]
		lea	eax, [ebx+1]
		add	eax, esi
		cmp	eax, 20h
		jb	short loc_481C24
		cmp	[ecx+1Ch], eax
		jnb	short loc_481C24

loc_481C02:				; CODE XREF: .text:00481BDDj
		test	esi, esi
		jz	short loc_481C52
		mov	ecx, [ebp-0Ch]
		lea	eax, [esi+1]
		push	eax
		mov	edx, edi
		call	_RtlLengthCurrentClearRunBackward@12 ; RtlLengthCurrentClearRunBackward(x,x,x)
		mov	ecx, [ebp+8]
		lea	esi, [eax-1]
		lea	eax, [ebx+1]
		add	eax, esi
		cmp	eax, 20h
		jnb	short loc_481C4D

loc_481C24:				; CODE XREF: .text:00481BFBj
					; .text:00481C00j ...
		mov	edx, [ebp-4]
		mov	ecx, [edx+50h]
		cmp	ecx, eax
		jbe	loc_481D54

loc_481C32:				; CODE XREF: .text:00481D4Ej
					; .text:00481D56j
		mov	[edx+50h], ecx
		jmp	loc_481B86
; 

loc_481C3A:				; CODE XREF: .text:00481A96j
		mov	ebx, [ebp+8]
		jmp	loc_481AB7
; 

loc_481C42:				; CODE XREF: .text:004819D6j
		mov	[ebp-0Ch], ebx
		mov	[ebp-10h], eax
		jmp	loc_4819DF
; 

loc_481C4D:				; CODE XREF: .text:00481C22j
		cmp	[ecx+1Ch], eax
		jnb	short loc_481C24

loc_481C52:				; CODE XREF: .text:00481C04j
		mov	edx, [ebp-10h]
		lea	ecx, [ebp-14h]
		push	ecx
		mov	ecx, [ebp-4]
		sub	edi, esi
		push	eax
		push	edi
		call	MiRescanPageFileBitmapPortion
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_481C6E:				; CODE XREF: .text:00481B80j
		mov	edi, [ebp-4]
		push	ebx
		add	edi, 54h
		push	edi
		call	RtlRbRemoveNode
		mov	eax, [edi+4]
		mov	ecx, [edi]
		test	al, 1
		jz	short loc_481C8E
		test	ecx, ecx
		jz	loc_481D42
		xor	ecx, edi

loc_481C8E:				; CODE XREF: .text:00481C82j
					; .text:00481D44j
		movzx	esi, al
		and	esi, 1
		mov	byte ptr [ebp+8], 0
		test	ecx, ecx
		jz	short loc_481CDE
		mov	edx, [ebx+1Ch]
		nop

loc_481CA0:				; CODE XREF: .text:00481CC2j
		cmp	edx, [ecx+1Ch]
		jb	short loc_481CC4
		ja	short loc_481CAF
		mov	eax, [ebx+18h]
		cmp	eax, [ecx+18h]
		jb	short loc_481CC4

loc_481CAF:				; CODE XREF: .text:00481CA5j
		mov	eax, [ecx+4]
		test	esi, esi
		jz	short loc_481CBC
		test	eax, eax
		jz	short loc_481CDA
		xor	eax, ecx

loc_481CBC:				; CODE XREF: .text:00481CB4j
		test	eax, eax
		jz	short loc_481CDA

loc_481CC0:				; CODE XREF: .text:00481CD2j
		mov	ecx, eax
		jmp	short loc_481CA0
; 

loc_481CC4:				; CODE XREF: .text:00481CA3j
					; .text:00481CADj
		mov	eax, [ecx]
		test	esi, esi
		jz	short loc_481CD0
		test	eax, eax
		jz	short loc_481CD4
		xor	eax, ecx

loc_481CD0:				; CODE XREF: .text:00481CC8j
		test	eax, eax
		jnz	short loc_481CC0

loc_481CD4:				; CODE XREF: .text:00481CCCj
		mov	byte ptr [ebp+8], 0
		jmp	short loc_481CDE
; 

loc_481CDA:				; CODE XREF: .text:00481CB8j
					; .text:00481CBEj
		mov	byte ptr [ebp+8], 1

loc_481CDE:				; CODE XREF: .text:00481C9Aj
					; .text:00481CD8j
		push	ebx
		push	dword ptr [ebp+8]
		push	ecx
		push	edi
		call	RtlRbInsertNodeEx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_481CF2:				; CODE XREF: .text:00481B26j
		mov	ecx, [ebp+8]
		xor	edx, edx
		neg	ecx
		lea	esp, [esp+0]

loc_481D00:				; CODE XREF: .text:00481D1Fj
		add	esi, 20h
		add	ecx, 20h
		cmp	esi, 0FFFFFFFFh
		jnb	loc_5B4B36

loc_481D0F:				; CODE XREF: .text:005B4B3Fj
		cmp	eax, edi
		jz	loc_481E06
		mov	edx, [eax+4]
		add	eax, 4
		test	edx, edx
		jz	short loc_481D00
		jmp	loc_481B2C
; 

loc_481D26:				; CODE XREF: .text:00481B3Fj
		mov	edx, [ebp-14h]
		mov	ecx, [ebp-10h]
		push	esi
		call	RtlLengthCurrentClearRunForward
		dec	eax
		add	[ebx+1Ch], eax
		jmp	loc_481B45
; 

loc_481D3B:				; CODE XREF: .text:00481A7Dj
		xor	edx, edx
		jmp	loc_481AB7
; 

loc_481D42:				; CODE XREF: .text:00481C86j
		xor	ecx, ecx
		jmp	loc_481C8E
; 

loc_481D49:				; CODE XREF: .text:00481BCCj
					; .text:00481BD5j
		mov	ecx, [edx+50h]
		cmp	ecx, eax
		ja	loc_481C32

loc_481D54:				; CODE XREF: .text:00481C2Cj
		mov	ecx, eax
		jmp	loc_481C32
; 

loc_481D5B:				; CODE XREF: .text:00481A2Bj
		cmp	ebx, 0FFFFFFFFh
		jz	loc_481A31
		inc	dword ptr [ecx+1Ch]
		mov	[ecx+18h], edi
		mov	[ebp-8], ecx
		jmp	loc_481A31
; 

loc_481D72:				; CODE XREF: .text:00481AD5j
		push	0FFFFFFFFh
		mov	edx, edi
		call	_RtlLengthCurrentClearRunBackward@12 ; RtlLengthCurrentClearRunBackward(x,x,x)
		cmp	eax, 1
		jbe	loc_481B45
		mov	ecx, [ebp-10h]
		mov	edx, edi
		push	eax
		call	_RtlLengthCurrentClearRunBackward@12 ; RtlLengthCurrentClearRunBackward(x,x,x)
		sub	edi, eax
		lea	ecx, [eax-1]
		add	[ebx+1Ch], ecx
		inc	edi
		mov	[ebx+18h], edi
		jmp	loc_481B45
; 

loc_481DA0:				; CODE XREF: .text:00481AA2j
		mov	eax, [edx+1Ch]
		add	eax, ecx
		mov	[ebx+1Ch], eax
		mov	eax, [ebp-4]
		push	edx
		add	eax, 54h
		mov	dword ptr [edx+1Ch], 0
		push	eax
		call	RtlRbRemoveNode
		mov	eax, [ebp-4]
		push	esi
		add	eax, 5Ch
		push	eax
		call	RtlRbRemoveNode
		mov	ecx, [ebp-4]
		add	ecx, 64h
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_481E16
		lea	eax, [esi-0Ch]
		mov	[eax+4], edx
		mov	[eax], ecx
		mov	[edx], eax
		mov	edx, ebx
		mov	ebx, [ebp+8]
		or	edx, 1
		mov	[ebp-8], edx
		mov	edx, [ebp-14h]
		mov	[ecx+4], eax
		jmp	loc_481AB7
; 

loc_481DF6:				; CODE XREF: .text:00481AC7j
		and	ebx, 0FFFFFFFEh
		jmp	loc_481B45
; 

loc_481DFE:				; CODE XREF: .text:00481AFEj
		sub	edi, 4
		jmp	loc_481B04
; 

loc_481E06:				; CODE XREF: .text:00481B1Ej
					; .text:00481D11j
		mov	ecx, [ebp-0Ch]
		test	ecx, ecx
		jz	loc_481B39
		jmp	loc_5B4B44
; 

loc_481E16:				; CODE XREF: .text:00481DD4j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2085. RtlFindLeastSignificantBit

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFindLeastSignificantBit(x, x)
		public _RtlFindLeastSignificantBit@8
_RtlFindLeastSignificantBit@8 proc near	; CODE XREF: .text:loc_481B2Fp
					; RtlFindNextClearRunUlong(x,x,x,x,x)+F2p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, eax
		or	ecx, 0
		push	ebx
		jz	short loc_481E86
		movzx	ecx, ax
		or	ecx, 0
		jz	short loc_481E6D
		movzx	ecx, al
		or	ecx, 0
		jnz	short loc_481E7E
		mov	bl, 8

loc_481E52:				; CODE XREF: RtlFindLeastSignificantBit(x,x)+4Cj
					; RtlFindLeastSignificantBit(x,x)+50j ...
		mov	edx, [ebp+arg_4]
		movzx	ecx, bl
		call	__aullshr
		movzx	eax, al
		mov	al, ds:_RtlpBitsClearLow[eax]
		add	al, bl
		pop	ebx
		pop	ebp
		retn	8
; 

loc_481E6D:				; CODE XREF: RtlFindLeastSignificantBit(x,x)+16j
		mov	ecx, eax
		and	ecx, 0FF0000h
		or	ecx, 0
		jz	short loc_481E82
		mov	bl, 10h
		jmp	short loc_481E52
; 

loc_481E7E:				; CODE XREF: RtlFindLeastSignificantBit(x,x)+1Ej
		xor	bl, bl
		jmp	short loc_481E52
; 

loc_481E82:				; CODE XREF: RtlFindLeastSignificantBit(x,x)+48j
		mov	bl, 18h
		jmp	short loc_481E52
; 

loc_481E86:				; CODE XREF: RtlFindLeastSignificantBit(x,x)+Ej
		mov	ebx, [ebp+arg_4]
		xor	edx, edx
		movzx	ecx, bx
		or	edx, ecx
		jnz	short loc_481EAD
		mov	edx, ebx
		xor	ecx, ecx
		and	edx, 0FF0000h
		or	ecx, edx
		jnz	short loc_481EBE
		mov	ecx, eax
		or	ecx, ebx
		jnz	short loc_481EC2
		or	al, 0FFh
		pop	ebx
		pop	ebp
		retn	8
; 

loc_481EAD:				; CODE XREF: RtlFindLeastSignificantBit(x,x)+60j
		movzx	ecx, bl
		xor	edx, edx
		or	edx, ecx
		jz	short loc_481EBA
		mov	bl, 20h
		jmp	short loc_481E52
; 

loc_481EBA:				; CODE XREF: RtlFindLeastSignificantBit(x,x)+84j
		mov	bl, 28h
		jmp	short loc_481E52
; 

loc_481EBE:				; CODE XREF: RtlFindLeastSignificantBit(x,x)+6Ej
		mov	bl, 30h
		jmp	short loc_481E52
; 

loc_481EC2:				; CODE XREF: RtlFindLeastSignificantBit(x,x)+74j
		mov	bl, 38h
		jmp	short loc_481E52
_RtlFindLeastSignificantBit@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFlushTbAsNeeded proc near		; CODE XREF: MiLinkPoolCommitChain+49p
					; MiReservePtes+2C3p ...

var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B4B8E SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_A0]
		mov	edi, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_AC], edi
		mov	esi, ecx
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		xor	ebx, ebx
		mov	[ebp+var_A8], 0
		mov	[ebp+var_A4], 0
		mov	[ebp+var_A0], eax
		mov	[ebp+var_9C], 0
		mov	[ebp+var_90], 0
		mov	[ebp+var_98], 21h
		mov	[ebp+var_8C], 0
		test	edi, edi
		jz	loc_482007
		jmp	short loc_481F60
; 
		align 10h

loc_481F60:				; CODE XREF: MiFlushTbAsNeeded+86j
					; MiFlushTbAsNeeded+131j
		mov	ecx, [esi]
		mov	[ebp+var_C0], 0
		mov	[ebp+var_BC], 0
		nop
		mov	edi, [esi+4]
		mov	eax, ecx
		and	eax, 0C01h
		or	eax, 0
		jnz	loc_48209D
		mov	eax, ecx
		and	eax, 3E0h
		or	eax, 0
		jnz	loc_48209D
		mov	eax, dword_6D0704
		mov	edx, dword_6D0700
		mov	[ebp+var_B4], eax
		mov	eax, edx
		or	eax, [ebp+var_B4]
		mov	[ebp+var_BC], edi
		jz	short loc_481FD7
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	loc_48204C
		mov	edi, [ebp+var_B4]
		not	edi
		and	edi, [ebp+var_BC]

loc_481FD7:				; CODE XREF: MiFlushTbAsNeeded+E9j
					; MiFlushTbAsNeeded+182j
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+4], eax
		test	edi, edi
		jnz	short loc_482025
		mov	[ebp+var_A4], edi
		mov	[ebp+var_A8], edi

loc_481FF7:				; CODE XREF: MiFlushTbAsNeeded+164j
					; MiFlushTbAsNeeded+17Aj ...
		inc	ebx
		add	esi, 8
		cmp	ebx, [ebp+var_AC]
		jb	loc_481F60

loc_482007:				; CODE XREF: MiFlushTbAsNeeded+80j
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_482025:				; CODE XREF: MiFlushTbAsNeeded+119j
		cmp	edi, [ebp+var_A8]
		jnz	short loc_482054
		cmp	[ebp+var_A4], 1
		jnz	short loc_481FF7
		push	0
		mov	edx, esi
		lea	ecx, [ebp+var_A0]
		push	1
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	short loc_481FF7
; 

loc_48204C:				; CODE XREF: MiFlushTbAsNeeded+F3j
		mov	edi, [ebp+var_BC]
		jmp	short loc_481FD7
; 

loc_482054:				; CODE XREF: MiFlushTbAsNeeded+15Bj
		or	edx, 0FFFFFFFFh
		mov	ecx, edi
		call	MiCompareTbFlushTimeStamp
		test	al, al
		jnz	short loc_482074
		mov	[ebp+var_A4], 0
		mov	[ebp+var_A8], edi
		jmp	short loc_481FF7
; 

loc_482074:				; CODE XREF: MiFlushTbAsNeeded+190j
		push	0
		mov	edx, esi
		lea	ecx, [ebp+var_A0]
		push	1
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	[ebp+var_A4], 1
		mov	[ebp+var_A8], edi
		jmp	loc_481FF7
; 

loc_48209D:				; CODE XREF: MiFlushTbAsNeeded+B4j
					; MiFlushTbAsNeeded+C4j
		cmp	[ebp+arg_4], 0
		jnz	loc_481FF7
		jmp	loc_5B4B8E
MiFlushTbAsNeeded endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiValidateInPage proc near		; CODE XREF: .text:00449189p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B4BB0 SIZE 0000018D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_30], 0
		mov	eax, [edi+80h]
		lea	ebx, [edi+0A8h]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], ebx
		mov	eax, [eax+38h]
		mov	[ebp+var_20], eax
		mov	eax, [edi+98h]
		test	eax, eax
		jnz	loc_4822F5

loc_4820EA:				; CODE XREF: MiValidateInPage+24Aj
		mov	edx, [ebx+18h]
		mov	eax, [ebx+10h]
		mov	ecx, [ebx+14h]
		add	eax, edx
		and	eax, 0FFFh
		mov	esi, [edi+70h]
		add	eax, 0FFFh
		add	eax, ecx
		shr	eax, 0Ch
		mov	[ebp+var_18], eax
		mov	eax, large fs:124h
		mov	ebx, [ebp+var_18]
		mov	eax, [eax+80h]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_C]
		lea	eax, [eax+ebx*4]
		add	eax, 1Ch
		mov	[ebp+var_2C], eax
		mov	eax, esi
		sub	eax, ecx
		sub	eax, edx
		mov	edx, [ebp+var_C]
		add	[edi+38h], eax
		adc	dword ptr [edi+3Ch], 0
		sub	esi, [edx+18h]
		sub	esi, [edx+14h]
		test	esi, 0FFFh
		jnz	loc_5B4BA6
		xor	eax, eax

loc_48214C:				; CODE XREF: MiFlushTbAsNeeded+132CDBj
		shr	esi, 0Ch
		lea	ebx, [edx+1Ch]
		add	esi, eax
		mov	[ebp+var_24], 0
		add	[edi+74h], esi
		mov	ecx, 1
		mov	esi, [ebp+var_20]
		mov	esi, [esi+14h]
		mov	eax, esi
		shr	eax, 3
		cmp	ecx, eax
		mov	[ebp+var_8], eax
		sbb	eax, eax
		and	eax, 2
		mov	[ebp+var_10], eax
		mov	eax, [ebx]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		mov	edx, [eax+ecx*4+8]
		mov	[ebp+var_14], edx
		nop
		mov	eax, [eax+ecx*4+0Ch]
		mov	ecx, edx
		mov	edx, [ebp+var_C]
		shrd	ecx, eax, 5
		mov	eax, [ebp+var_1C]
		and	ecx, 1Fh
		mov	[ebp+var_14], ecx
		test	dword ptr [eax+34h], 0C0000h
		jnz	loc_5B4BB0

loc_4821B6:				; CODE XREF: MiValidateInPage+132B04j
		test	ds:_MiFlags, 40000h
		mov	ecx, [ebp+var_10]
		mov	eax, ecx
		mov	[ebp+var_4], eax
		jnz	loc_5B4BC2

loc_4821CE:				; CODE XREF: MiValidateInPage+132B19j
					; MiValidateInPage+132B29j
		test	dword ptr [edi+78h], 10000h
		jz	short loc_4821ED
		or	eax, 4
		test	ds:_MiFlags, 4000h
		mov	[ebp+var_4], eax
		jnz	loc_5B4BDE

loc_4821ED:				; CODE XREF: MiValidateInPage+125j
					; MiValidateInPage+132B30j ...
		mov	ecx, [ebp+var_14]
		and	ecx, 2
		mov	[ebp+var_8], ecx
		jz	short loc_482208
		test	ds:_MiFlags, 40000h
		jnz	loc_5B4BF1

loc_482208:				; CODE XREF: MiValidateInPage+146j
					; MiValidateInPage+132B6Aj
		mov	[ebp+var_10], 0
		test	al, 2
		jnz	loc_482343

loc_482217:				; CODE XREF: MiValidateInPage+297j
					; MiValidateInPage+2ADj ...
		cmp	ebx, [ebp+var_2C]
		jnb	loc_4822E7
		mov	[ebp+var_18], 0
		jmp	short loc_482230
; 
		align 10h

loc_482230:				; CODE XREF: MiValidateInPage+177j
					; MiValidateInPage+231j
		mov	esi, [ebx]
		mov	ecx, ds:_MmPfnDatabase
		lea	edx, ds:0[esi*8]
		sub	edx, esi
		lea	ecx, [ecx+edx*4]
		lea	edx, [eax+eax]
		xor	edx, eax
		and	edx, 8
		xor	eax, edx
		mov	[ebp+var_4], eax
		cmp	ecx, dword_6D34E8
		jz	short loc_4822C9
		cmp	[ebp+var_10], 0
		jnz	loc_4822FF
		test	al, 2
		jnz	loc_48230F

loc_48226B:				; CODE XREF: MiValidateInPage+25Aj
					; MiValidateInPage+132BCEj ...
		test	al, 8
		jz	short loc_4822C9
		mov	eax, [ebp+var_C]
		test	byte ptr [eax+6], 1
		jz	short loc_4822F1
		mov	esi, [ebp+var_18]
		sar	esi, 2
		shl	esi, 0Ch
		add	esi, [eax+0Ch]
		mov	ecx, esi
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	edx, [ecx]
		nop
		mov	eax, [ecx+4]
		mov	[ebp+var_8], eax
		mov	eax, edx
		and	eax, 42h
		or	eax, 0
		jz	loc_5B4CAC

loc_4822AC:				; CODE XREF: MiValidateInPage+243j
					; MiValidateInPage+132C77j ...
		mov	eax, [ebx]
		mov	edx, esi
		push	2
		push	ecx
		mov	ecx, [ebp+var_1C]
		push	0
		push	eax
		mov	eax, [edi+74h]
		push	eax
		call	MiRelocateImagePfn
		test	eax, eax
		js	short loc_48233A
		mov	eax, [ebp+var_4]

loc_4822C9:				; CODE XREF: MiValidateInPage+1A7j
					; MiValidateInPage+1BDj
		add	[ebp+var_18], 4
		add	ebx, 4
		add	dword ptr [edi+38h], 1000h
		adc	dword ptr [edi+3Ch], 0
		inc	dword ptr [edi+74h]
		cmp	ebx, [ebp+var_2C]
		jb	loc_482230

loc_4822E7:				; CODE XREF: MiValidateInPage+16Aj
					; MiValidateInPage+291j
		mov	eax, [ebp+var_30]

loc_4822EA:				; CODE XREF: MiValidateInPage+132BA5j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4822F1:				; CODE XREF: MiValidateInPage+1C6j
		xor	esi, esi
		jmp	short loc_4822AC
; 

loc_4822F5:				; CODE XREF: MiValidateInPage+34j
		mov	ebx, eax
		mov	[ebp+var_C], eax
		jmp	loc_4820EA
; 

loc_4822FF:				; CODE XREF: MiValidateInPage+1ADj
		mov	edx, [ebp+var_24]
		call	_MiMarkPfnVerified@8 ; MiMarkPfnVerified(x,x)

loc_482307:				; CODE XREF: MiValidateInPage+27Dj
		mov	eax, [ebp+var_4]
		jmp	loc_48226B
; 

loc_48230F:				; CODE XREF: MiValidateInPage+1B5j
		mov	eax, [edi+3Ch]
		mov	edx, [ebp+var_28]
		push	0
		push	esi
		push	[ebp+var_14]
		push	ecx
		mov	ecx, [ebp+var_1C]
		push	0FFFFFFFFh
		push	eax
		mov	eax, [edi+38h]
		push	eax
		call	MiValidateImagePfn
		test	eax, eax
		jns	short loc_482307
		cmp	eax, 0C000009Ah
		jnz	loc_5B4C72

loc_48233A:				; CODE XREF: MiValidateInPage+214j
		mov	dword ptr [edi+30h], 0C000009Ah
		jmp	short loc_4822E7
; 

loc_482343:				; CODE XREF: MiValidateInPage+161j
		cmp	[ebp+var_18], 1
		jbe	loc_482217
		movzx	ecx, word ptr [edx+6]
		mov	[ebp+var_34], ecx
		test	ecx, 4000h
		mov	ecx, [ebp+var_8]
		jz	loc_482217
		test	byte ptr [ebp+var_34], 5
		jz	loc_5B4C1F
		mov	edx, [edx+0Ch]

loc_482370:				; CODE XREF: MiValidateInPage+132B8Aj
		mov	[ebp+var_10], edx
		test	edx, edx
		jz	loc_482217
		and	esi, 0FFFFFFF8h
		test	al, 1
		jnz	loc_5B4C3F

loc_482386:				; CODE XREF: MiValidateInPage+132B96j
					; MiValidateInPage+132BB1j
		push	[ebp+var_28]
		mov	eax, [edi+3Ch]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 2
		push	ecx
		push	eax
		mov	eax, [edi+38h]
		mov	ecx, esi
		push	eax
		mov	eax, [ebp+var_18]
		shl	eax, 0Ch
		push	eax
		call	_SeValidateImageData@28	; SeValidateImageData(x,x,x,x,x,x,x)
		test	eax, eax
		mov	eax, [ebp+var_4]
		jns	loc_482217
		jmp	loc_5B4C66
MiValidateInPage endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiStoreCheckCandidatePage(x, x, x, x, x)
_MiStoreCheckCandidatePage@20 proc near	; CODE XREF: MiStoreWriteModifiedPages+25Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, dword_6D50FC
		push	esi
		mov	esi, edx
		shl	eax, 1Ch
		push	edi
		mov	edx, ecx
		mov	dword ptr [ebp-20h], 0
		and	esi, 0FFFFFFFh
		mov	[ebp-4], edx
		mov	dword ptr [ebp-1Ch], 0
		xor	edi, edi
		or	esi, eax
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_482425
		mov	ecx, [edx+4]
		or	ecx, 80000000h
		mov	dword ptr [ebp-4], 3
		mov	[ebp-8], ecx
		jmp	loc_482558
; 

loc_482425:				; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+4Bj
		mov	edi, [edx+4]
		mov	ecx, dword_6D07D0
		or	edi, 80000000h
		cmp	edi, ecx
		jb	short loc_48245D
		mov	eax, edi
		shr	eax, 15h
		cmp	byte ptr dword_6D3994[eax], 5
		jnz	short loc_48245D
		lea	ecx, [edi-1A0h]
		mov	dword ptr [ebp-4], 0C0603000h
		mov	[ebp-8], ecx
		xor	edi, edi
		jmp	loc_482558
; 

loc_48245D:				; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+76j
					; MiStoreCheckCandidatePage(x,x,x,x,x)+84j
		shl	edi, 9
		mov	eax, edi
		shr	eax, 15h
		mov	[ebp-0Ch], eax
		cmp	edi, ecx
		jb	short loc_482482
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_4824BE
		cmp	edi, ecx
		jb	short loc_482482
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	short loc_4824BE

loc_482482:				; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+AAj
					; MiStoreCheckCandidatePage(x,x,x,x,x)+B7j
		cmp	edi, ds:_MmHighestUserAddress
		jbe	short loc_4824BE
		cmp	edi, dword_6D2E88
		jb	short loc_48249A
		cmp	edi, dword_6D2E8C
		jbe	short loc_4824BE

loc_48249A:				; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+D0j
		cmp	edi, 0C0000000h
		jb	short loc_4824AA
		cmp	edi, 0C07FFFFFh
		jbe	short loc_4824BE

loc_4824AA:				; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+E0j
		or	edi, 2
		mov	dword ptr [ebp-8], 0
		mov	[ebp-4], edi
		xor	edi, edi
		jmp	loc_482558
; 

loc_4824BE:				; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+B3j
					; MiStoreCheckCandidatePage(x,x,x,x,x)+C0j ...
		mov	ecx, edx
		call	MiGetTopLevelPfn
		cmp	eax, [ebp-4]
		jnz	short loc_4824DA
		mov	eax, 0C000023Bh
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
; 

loc_4824DA:				; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+108j
		mov	ecx, [eax]
		mov	edx, 7FFFFFFFh
		shr	ecx, 1
		add	eax, 10h
		and	ecx, 0FFFFFFF8h
		or	ecx, 80000000h
		mov	[ebp-8], ecx
		lock and [eax],	edx
		mov	eax, dword_6D07D0
		cmp	edi, eax
		mov	edx, [ebp-4]
		mov	[ebp-20h], eax
		mov	eax, [ebp-0Ch]
		jb	short loc_482510
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_48251E

loc_482510:				; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+145j
		cmp	edi, [ebp-20h]
		jb	short loc_482528
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jnz	short loc_482528

loc_48251E:				; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+14Ej
		or	edi, 1
		mov	[ebp-4], edi
		xor	edi, edi
		jmp	short loc_482558
; 

loc_482528:				; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+153j
					; MiStoreCheckCandidatePage(x,x,x,x,x)+15Cj
		cmp	dword_6D5100, 0
		jz	short loc_482549
		cmp	dword_6D514C, ecx
		jnz	short loc_482549
		mov	eax, 0C00001A7h
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
; 

loc_482549:				; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+16Fj
					; MiStoreCheckCandidatePage(x,x,x,x,x)+177j
		mov	[ebp-4], edi
		mov	edi, [ecx+3A8h]
		shr	edi, 12h
		and	edi, 1

loc_482558:				; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+60j
					; MiStoreCheckCandidatePage(x,x,x,x,x)+98j ...
		movzx	eax, byte ptr [edx+16h]
		xor	ecx, ecx
		and	al, 0C0h
		cmp	al, 40h
		mov	al, [edx+17h]
		setnz	cl
		test	al, 8
		jz	short loc_482573
		mov	edx, 5
		jmp	short loc_482579
; 

loc_482573:				; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+1AAj
		movzx	edx, al
		and	edx, 7

loc_482579:				; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+1B1j
		push	edi
		mov	edi, [ebx+10h]
		push	ecx
		mov	ecx, [edi]
		call	_SmUpdateStoreContext@16 ; SmUpdateStoreContext(x,x,x,x)
		mov	ecx, [ebp-8]
		mov	[edi], eax
		mov	eax, [ebx+8]
		mov	[eax], esi
		mov	eax, [ebx+0Ch]
		mov	[eax], ecx
		mov	ecx, [ebp-4]
		mov	[eax+4], ecx
		xor	eax, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
_MiStoreCheckCandidatePage@20 endp ; sp	=  4

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStWorker proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkerThread+18p

var_68		= dword	ptr -68h
var_5E		= byte ptr -5Eh
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B4D3D SIZE 00000180 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 68h
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+70h+var_44], 0
		push	0
		mov	[esp+74h+var_40], edi
		mov	[esp+74h+var_10], 0
		mov	esi, [edi]
		mov	[esp+74h+var_C], 0
		mov	[esp+74h+var_58], esi
		mov	[esp+74h+var_28], 0
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	eax, large fs:124h
		mov	[esp+70h+var_54], eax
		mov	al, [esi+10F6h]
		movzx	eax, al
		cmp	eax, 4
		jnz	loc_482CCE
		mov	eax, [esi+12B8h]

loc_482612:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+725j
		push	eax
		push	[esp+74h+var_54]
		call	KeSetActualBasePriorityThread
		xor	ecx, ecx
		test	byte ptr [esi+10F5h], 4
		mov	[esp+70h+var_4C], ecx
		jz	short loc_482685
		xor	edx, edx
		lea	ecx, [esp+70h+var_54]
		call	SmSetThreadPagePriority
		mov	edi, large fs:124h
		mov	edx, 0Eh
		push	400h
		mov	ecx, offset _MiSystemPartition
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jz	loc_5B4D3D
		dec	word ptr [edi+13Eh]
		nop
		or	byte ptr [edi+304h], 4
		xor	ecx, ecx
		mov	[esp+70h+var_28], 1

loc_482672:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+132792j
		mov	eax, [esp+70h+var_54]
		mov	edi, [esp+70h+var_40]
		mov	[esp+70h+var_4C], ecx
		or	dword ptr [eax+300h], 2

loc_482685:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+79j
		push	0
		push	0
		lea	eax, [edi+4]
		mov	[edi+14h], ecx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		cmp	[esp+70h+var_4C], 0
		jl	loc_482C5E
		lea	eax, [esi+1148h]
		mov	[esp+70h+var_8], eax
		lea	eax, [esi+1158h]
		mov	[esp+70h+var_4], eax

loc_4826B4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+171j
					; SMKM_STORE_SM_TRAITS___SmStWorker+6A8j
		lea	ecx, [esi+1268h]
		lea	ebx, [ebx+0]

loc_4826C0:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+4E5j
		mov	eax, [ecx]
		or	eax, [ecx+4]
		jz	loc_482A83
		mov	eax, ecx

loc_4826CD:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+4D5j
		push	0
		push	eax
		push	0
		push	0
		push	0
		push	1
		lea	eax, [esp+88h+var_8]
		push	eax
		push	2
		call	KeWaitForMultipleObjects
		mov	[esp+70h+var_50], eax
		cmp	eax, 2
		jge	loc_482A8A

loc_4826F4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+692j
		sub	eax, 0
		jnz	loc_482C55
		push	[esp+70h+var_8]
		call	_KeResetEvent@4	; KeResetEvent(x)
		jmp	short loc_482710
; 
		align 10h

loc_482710:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+156j
					; SMKM_STORE_SM_TRAITS___SmStWorker+313j ...
		lea	edx, [esp+70h+var_44]
		mov	ecx, esi
		call	SMKM_STORE_SM_TRAITS___SmStWorkItemGet
		mov	[esp+70h+var_5C], eax
		test	eax, eax
		jz	short loc_4826B4
		mov	ecx, esi
		call	?SmStAcquireStoreLockExclusive@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@@Z ; SMKM_STORE<SM_TRAITS>::SmStAcquireStoreLockExclusive(SMKM_STORE<SM_TRAITS> *)
		mov	al, [esi+10F5h]
		test	al, 1
		jnz	loc_5B4D90

loc_482738:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+1327E5j
		mov	edx, [esp+70h+var_5C]
		test	al, 2
		jnz	loc_5B4DB3

loc_482744:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+132806j
		mov	ecx, esi
		call	ST_STORE_SM_TRAITS___StWorkItemProcess

loc_48274B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+132811j
		mov	[esp+70h+var_50], eax
		cmp	eax, 103h
		jz	loc_4828DC
		test	byte ptr [esi+10F5h], 4
		jz	loc_4828B3
		lea	ecx, [esi+10F8h]
		or	eax, 0FFFFFFFFh
		mov	[esp+70h+var_4C], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_482A73

loc_482782:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+4CEj
		xor	edi, edi
		mov	[esp+70h+var_48], edi
		test	ecx, 7FFFFFFCh
		jz	loc_48289E
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[esp+70h+var_20], esi
		cmp	ecx, edx
		jb	short loc_4827CC
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4828C8
		cmp	ecx, edx
		jb	short loc_4827CC
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4828C8

loc_4827CC:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+1FCj
					; SMKM_STORE_SM_TRAITS___SmStWorker+20Dj
		or	eax, 0FFFFFFFFh

loc_4827CF:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+327j
		dec	word ptr [esi+13Eh]
		mov	[esp+70h+var_40], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[esp+70h+var_5D], dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+70h+var_24], ecx
		test	ecx, ecx
		jz	loc_482A46
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_482C47

loc_482816:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+6A0j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+70h+var_48], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	[esp+70h+var_5D], 1
		jnz	loc_5B4DC6
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_48286B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+49Ej
					; SMKM_STORE_SM_TRAITS___SmStWorker+132827j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+70h+var_20], eax
		jnz	loc_482D0B

loc_482883:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+793j
					; SMKM_STORE_SM_TRAITS___SmStWorker+13284Cj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_48289A
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	loc_482CF1

loc_48289A:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+2DCj
					; SMKM_STORE_SM_TRAITS___SmStWorker+746j
		mov	esi, [esp+70h+var_58]

loc_48289E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+1DEj
		mov	eax, large fs:124h
		nop
		add	word ptr [eax+13Eh], 1
		jz	loc_5B4E01

loc_4828B3:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+1B1j
					; SMKM_STORE_SM_TRAITS___SmStWorker+132857j ...
		lea	eax, [esp+70h+var_50]
		mov	edx, esi
		push	eax
		push	[esp+74h+var_5C]
		call	SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree
		jmp	loc_482710
; 

loc_4828C8:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+205j
					; SMKM_STORE_SM_TRAITS___SmStWorker+216j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [esp+70h+var_4C]
		jmp	loc_4827CF
; 

loc_4828DC:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+1A4j
					; SMKM_STORE_SM_TRAITS___SmStWorker+1327FEj
		test	byte ptr [esi+10F5h], 4
		jz	loc_482710
		lea	ecx, [esi+10F8h]
		or	eax, 0FFFFFFFFh
		mov	[esp+70h+var_24], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_482CFB

loc_482904:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+756j
		xor	edi, edi
		mov	[esp+70h+var_4C], edi
		test	ecx, 7FFFFFFCh
		jz	loc_482A35
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	esi, dword_6D07D0
		shr	edx, 15h
		cmp	ecx, esi
		mov	[esp+70h+var_20], esi
		mov	esi, [esp+70h+var_58]
		mov	[esp+70h+var_5C], eax
		jb	short loc_482944
		cmp	byte ptr dword_6D3994[edx], 1
		jz	loc_482A59

loc_482944:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+385j
		cmp	ecx, [esp+70h+var_20]
		jb	short loc_482957
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jz	loc_482A59

loc_482957:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+398j
		or	edx, 0FFFFFFFFh
		mov	[esp+70h+var_40], edx

loc_48295E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+4BEj
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	[esp+70h+var_5D], cl
		mov	ecx, eax
		push	edx
		lea	edx, [esi+10F8h]
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[esp+70h+var_20], edx
		test	edx, edx
		jz	loc_482CDA
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jl	loc_482D4E

loc_4829A5:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+7A9j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+70h+var_4C], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [esp+70h+var_5C]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	[esp+70h+var_5D], 1
		mov	[esp+70h+var_48], eax
		jnz	loc_5B4E17
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [esp+70h+var_48]
		bts	eax, edx
		mov	[ecx+1E4h], al

loc_482A06:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+736j
					; SMKM_STORE_SM_TRAITS___SmStWorker+132880j
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+70h+var_20], eax
		jnz	loc_482DDF

loc_482A1E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+870j
					; SMKM_STORE_SM_TRAITS___SmStWorker+1328ABj
		nop
		add	word ptr [ecx+13Eh], 1
		jnz	short loc_482A35
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	loc_482E53

loc_482A35:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+360j
					; SMKM_STORE_SM_TRAITS___SmStWorker+477j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_482710
; 

loc_482A46:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+24Ej
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_48286B
		jmp	loc_5B4E76
; 

loc_482A59:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+38Ej
					; SMKM_STORE_SM_TRAITS___SmStWorker+3A1j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[esp+70h+var_40], eax
		mov	eax, [esp+70h+var_5C]
		jmp	loc_48295E
; 

loc_482A73:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+1CCj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi+10F8h]
		jmp	loc_482782
; 

loc_482A83:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+115j
		xor	eax, eax
		jmp	loc_4826CD
; 

loc_482A8A:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+13Ej
		lea	ecx, [esi+1268h]
		cmp	eax, 102h
		jnz	loc_4826C0
		mov	ecx, esi
		call	?SmStAcquireStoreLockExclusive@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@@Z ; SMKM_STORE<SM_TRAITS>::SmStAcquireStoreLockExclusive(SMKM_STORE<SM_TRAITS> *)
		mov	ecx, esi
		call	?StDrainReadContextList@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@@Z ; ST_STORE<SM_TRAITS>::StDrainReadContextList(ST_STORE<SM_TRAITS> *)
		mov	eax, [esi+10A0h]
		add	esi, 0FF0h
		mov	cl, 1
		add	[esi+0B8h], eax
		mov	eax, [esi+0B4h]
		adc	[esi+0BCh], eax
		call	KiQueryUnbiasedInterruptTime
		push	edx
		push	eax
		mov	ecx, esi
		call	?StLazyWorkMgrRunExpiredWork@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_LAZY_WORK_MGR@1@_K@Z ; ST_STORE<SM_TRAITS>::StLazyWorkMgrRunExpiredWork(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *,unsigned __int64)
		mov	esi, [esp+70h+var_58]
		test	byte ptr [esi+10F5h], 4
		jz	loc_482C40
		lea	ecx, [esi+10F8h]
		or	eax, 0FFFFFFFFh
		mov	[esp+70h+var_20], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_482D83

loc_482B03:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+7DEj
		xor	edi, edi
		mov	[esp+70h+var_48], edi
		test	ecx, 7FFFFFFCh
		jz	loc_482C34
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	esi, dword_6D07D0
		shr	edx, 15h
		cmp	ecx, esi
		mov	[esp+70h+var_40], esi
		mov	esi, [esp+70h+var_58]
		mov	[esp+70h+var_5C], eax
		jb	short loc_482B43
		cmp	byte ptr dword_6D3994[edx], 1
		jz	loc_482CB4

loc_482B43:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+584j
		cmp	ecx, [esp+70h+var_40]
		jb	short loc_482B56
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jz	loc_482CB4

loc_482B56:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+597j
		or	edx, 0FFFFFFFFh
		mov	[esp+70h+var_4C], edx

loc_482B5D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+719j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	[esp+70h+var_5D], cl
		mov	ecx, eax
		push	edx
		lea	edx, [esi+10F8h]
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[esp+70h+var_40], edx
		test	edx, edx
		jz	loc_482D6C
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jl	loc_482E2B

loc_482BA4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+886j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+70h+var_48], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [esp+70h+var_5C]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	[esp+70h+var_5D], 1
		mov	[esp+70h+var_4C], eax
		jnz	loc_5B4D47
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [esp+70h+var_4C]
		bts	eax, edx
		mov	[ecx+1E4h], al

loc_482C05:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+7C8j
					; SMKM_STORE_SM_TRAITS___SmStWorker+1327B0j
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+70h+var_40], eax
		jnz	loc_482D93

loc_482C1D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+824j
					; SMKM_STORE_SM_TRAITS___SmStWorker+1327DBj
		nop
		add	word ptr [ecx+13Eh], 1
		jnz	short loc_482C34
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	loc_482E3B

loc_482C34:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+55Fj
					; SMKM_STORE_SM_TRAITS___SmStWorker+676j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_482C40:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+532j
		xor	eax, eax
		jmp	loc_4826F4
; 

loc_482C47:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+260j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+70h+var_24]
		jmp	loc_482816
; 

loc_482C55:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+147j
		sub	eax, 1
		jnz	loc_4826B4

loc_482C5E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+EAj
		cmp	[esp+70h+var_28], 0
		jz	short loc_482C91
		mov	edi, large fs:124h
		mov	edx, 0Eh
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	loc_482D5E

loc_482C83:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+7B7j
		and	byte ptr [edi+304h], 0FBh
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_482C91:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+6B3j
		cmp	dword ptr [esi+12BCh], 0
		mov	[esp+70h+var_10], 0FFFDB610h
		mov	[esp+70h+var_C], 0FFFFFFFFh
		jnz	loc_5B4EA1

loc_482CAE:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+132908j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_482CB4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+58Dj
					; SMKM_STORE_SM_TRAITS___SmStWorker+5A0j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[esp+70h+var_4C], eax
		mov	eax, [esp+70h+var_5C]
		jmp	loc_482B5D
; 

loc_482CCE:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+56j
		mov	eax, ds:?PriorityByMemoryCondition@?1??SmStGetPriorityByMemoryCondition@?$SMKM_STORE@USM_TRAITS@@@@SGJW4_SMP_MEMORY_CONDITION@@J@Z@4PAJA[eax*4]	; long * `SMKM_STORE<SM_TRAITS>::SmStGetPriorityByMemoryCondition(_SMP_MEMORY_CONDITION,long)'::`2'::PriorityByMemoryCondition
		jmp	loc_482612
; 

loc_482CDA:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+3DDj
		mov	ecx, [esp+70h+var_5C]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_482A06
		jmp	loc_5B4E8B
; 

loc_482CF1:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+2E4j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_48289A
; 

loc_482CFB:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+34Ej
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi+10F8h]
		jmp	loc_482904
; 

loc_482D0B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+2CDj
		test	edi, 8000h
		jnz	loc_482E45

loc_482D17:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+89Ej
		test	byte ptr [esp+70h+var_48+2], 1
		jnz	loc_5B4DDC

loc_482D22:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+132838j
		test	edi, 7FFFh
		jz	short loc_482D39
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_482D39:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+778j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_482883
		jmp	loc_5B4DED
; 

loc_482D4E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+3EFj
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [esp+70h+var_20]
		jmp	loc_4829A5
; 

loc_482D5E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+6CDj
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax
		jmp	loc_482C83
; 

loc_482D6C:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+5DCj
		mov	ecx, [esp+70h+var_5C]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_482C05
		jmp	loc_5B4E60
; 

loc_482D83:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+54Dj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi+10F8h]
		jmp	loc_482B03
; 

loc_482D93:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+667j
		test	edi, 8000h
		jz	short loc_482DA6
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+70h+var_5C]

loc_482DA6:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+7E9j
		test	byte ptr [esp+70h+var_48+2], 1
		jnz	loc_5B4D65

loc_482DB1:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+1327C3j
		test	edi, 7FFFh
		jz	short loc_482DC6
		and	edi, 7FFFh
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_482DC6:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+807j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	ecx, [esp+70h+var_5C]
		jz	loc_482C1D
		jmp	loc_5B4D78
; 

loc_482DDF:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+468j
		test	edi, 8000h
		jz	short loc_482DF2
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+70h+var_5C]

loc_482DF2:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+835j
		test	byte ptr [esp+70h+var_4C+2], 1
		jnz	loc_5B4E35

loc_482DFD:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+132893j
		test	edi, 7FFFh
		jz	short loc_482E12
		and	edi, 7FFFh
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_482E12:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+853j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	ecx, [esp+70h+var_5C]
		jz	loc_482A1E
		jmp	loc_5B4E48
; 

loc_482E2B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+5EEj
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [esp+70h+var_40]
		jmp	loc_482BA4
; 

loc_482E3B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+67Ej
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_482C34
; 

loc_482E45:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+761j
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_482D17
; 

loc_482E53:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+47Fj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_482A35
SMKM_STORE_SM_TRAITS___SmStWorker endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStWorkItemGet proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+166p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005B4EBD SIZE 0000016B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	eax, edx
		mov	esi, ecx
		push	edi
		mov	[ebp+var_8], eax
		mov	dword ptr [eax], 0
		lea	ebx, [esi+1108h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1], al
		jnz	loc_5B4EBD
		lock bts dword ptr [ebx], 0
		jb	loc_483038

loc_482E9F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+1DFj
					; SMKM_STORE_SM_TRAITS___SmStWorkItemGet+132064j
		mov	edx, [esi+1124h]
		lea	ecx, [esi+1120h]
		cmp	edx, ecx
		jnz	loc_5B4EC9
		mov	edx, [esi+1114h]
		lea	ecx, [esi+1110h]
		cmp	edx, ecx
		jnz	loc_5B4F0E
		cmp	dword ptr [esi+1130h], 0
		jnz	short loc_482F0D
		mov	eax, [esi+1178h]
		cmp	dword ptr [eax+150h], offset _KiInitialProcess
		jz	loc_5B4F4A
		movsx	ecx, byte ptr [eax+87h]

loc_482EED:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+1320EFj
		mov	al, [esi+10F6h]
		movzx	eax, al
		cmp	eax, 4
		jnz	loc_482FC0
		mov	eax, [esi+12B8h]

loc_482F05:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+167j
		cmp	ecx, eax
		jg	loc_5B4F54

loc_482F0D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+6Ej
					; SMKM_STORE_SM_TRAITS___SmStWorkItemGet+13211Ej
		mov	edx, [esi+111Ch]
		lea	ecx, [esi+1118h]
		cmp	edx, ecx
		jz	loc_482FCC
		mov	edi, [ecx]
		mov	eax, [edi]
		and	eax, 0FFFFFFF8h
		mov	[ecx], eax
		cmp	edi, edx
		jnz	loc_482FE4
		mov	[ecx+4], ecx
		mov	dword ptr [ecx], 0

loc_482F3B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+196j
		mov	eax, [esi+112Ch]
		dec	eax
		mov	[esi+112Ch], eax
		cmp	dword ptr [esi+112Ch], 0
		jnz	short loc_482F5E
		mov	eax, [edi]
		and	eax, 7
		cmp	al, 6
		jz	loc_482FFB

loc_482F5E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+EFj
					; SMKM_STORE_SM_TRAITS___SmStWorkItemGet+1A2j ...
		test	edi, edi
		jz	short loc_482FCE
		mov	eax, ds:dword_7186C4
		mov	[esi+113Ch], eax
		mov	eax, ds:_KeTickCount
		mov	[esi+1138h], eax
		mov	eax, ds:dword_7186C8
		mov	[ebp+var_C], 0
		cmp	[esi+113Ch], eax
		jnz	loc_5B4F83

loc_482F90:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+13214Ej
		mov	eax, [edi]
		and	al, 7
		cmp	al, 2
		jz	loc_5B4FB3

loc_482F9C:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+182j
					; SMKM_STORE_SM_TRAITS___SmStWorkItemGet+13215Aj ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5B5019
		xor	eax, eax
		lock and [ebx],	eax

loc_482FAE:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+1321C3j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_482FC0:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+99j
		mov	eax, ds:?PriorityByMemoryCondition@?1??SmStGetPriorityByMemoryCondition@?$SMKM_STORE@USM_TRAITS@@@@SGJW4_SMP_MEMORY_CONDITION@@J@Z@4PAJA[eax*4]	; long * `SMKM_STORE<SM_TRAITS>::SmStGetPriorityByMemoryCondition(_SMP_MEMORY_CONDITION,long)'::`2'::PriorityByMemoryCondition
		jmp	loc_482F05
; 

loc_482FCC:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+BBj
		xor	edi, edi

loc_482FCE:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+100j
					; SMKM_STORE_SM_TRAITS___SmStWorkItemGet+132193j ...
		mov	dword ptr [esi+1144h], 0
		mov	dword ptr [esi+1140h], 0
		jmp	short loc_482F9C
; 

loc_482FE4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+CCj
		mov	ecx, [edx]
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		dec	eax
		shl	eax, 3
		or	ecx, eax
		mov	[edx], ecx
		jmp	loc_482F3B
; 

loc_482FFB:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+F8j
		cmp	byte ptr [esi+10F6h], 0
		jbe	loc_482F5E
		mov	eax, [esi+1178h]
		cmp	dword ptr [eax+150h], offset _KiInitialProcess
		jz	loc_482F5E
		cmp	byte ptr [eax+87h], 4
		jle	loc_482F5E
		push	4
		push	eax
		call	KeSetActualBasePriorityThread
		jmp	loc_482F5E
; 

loc_483038:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+39j
		mov	ecx, ebx
		call	KxWaitForSpinLockAndAcquire
		jmp	loc_482E9F
SMKM_STORE_SM_TRAITS___SmStWorkItemGet endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE<struct SM_TRAITS>::SmStAcquireStoreLockExclusive(struct SMKM_STORE<struct SM_TRAITS>	*)
?SmStAcquireStoreLockExclusive@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@@Z proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+175p
					; SMKM_STORE_SM_TRAITS___SmStWorker+4EDp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	esi
		mov	esi, ecx
		push	edi
		test	byte ptr [esi+10F5h], 4
		jz	short loc_4830AC
		cmp	dword ptr [esi+1260h], 0
		mov	edi, 14h
		mov	[ebp+var_8], 0FFFDB610h
		mov	[ebp+var_4], 0FFFFFFFFh
		jnz	short loc_4830B2

loc_483081:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStAcquireStoreLockExclusive(SMKM_STORE<SM_TRAITS>	*)+64j
					; SMKM_STORE<SM_TRAITS>::SmStAcquireStoreLockExclusive(SMKM_STORE<SM_TRAITS> *)+6Dj ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		lea	ecx, [esi+10F8h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		inc	dword ptr [esi+1100h]
		mov	dword ptr [esi+10FCh], 1

loc_4830AC:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStAcquireStoreLockExclusive(SMKM_STORE<SM_TRAITS>	*)+13j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4830B2:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStAcquireStoreLockExclusive(SMKM_STORE<SM_TRAITS>	*)+2Fj
					; SMKM_STORE<SM_TRAITS>::SmStAcquireStoreLockExclusive(SMKM_STORE<SM_TRAITS> *)+86j
		test	edi, edi
		jz	short loc_483081
		cmp	byte ptr [esi+10F6h], 3
		jb	short loc_483081
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		dec	edi
		cmp	dword ptr [esi+1260h], 0
		jz	short loc_483081
		jmp	short loc_4830B2
?SmStAcquireStoreLockExclusive@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@@Z endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StWorkItemProcess proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+196p
					; ST_STORE<SM_TRAITS>::StLazyWorkMgrRunExpiredWork(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *,unsigned __int64)+9Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B5028 SIZE 000001BC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[esp+1Ch+var_14], ecx
		mov	eax, esi
		push	edi
		and	eax, 1
		jnz	loc_48322E

loc_4830FF:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+151j
		mov	edi, [esi]
		or	ebx, 0FFFFFFFFh
		and	edi, 7
		mov	[esp+20h+var_8], ebx
		mov	[esp+20h+var_C], 0
		mov	[esp+20h+var_10], 0
		test	eax, eax
		jnz	short loc_48312E
		add	ecx, 0FF0h
		call	?StLazyWorkMgrResetIdle@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_LAZY_WORK_MGR@1@@Z ;	ST_STORE<SM_TRAITS>::StLazyWorkMgrResetIdle(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *)
		mov	ecx, [esp+20h+var_14]

loc_48312E:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+3Dj
		test	edi, edi
		jnz	short loc_483178

loc_483132:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess:loc_483178j
					; DATA XREF: .text:off_483384o
		add	ecx, 38h
		mov	edx, esi
		call	ST_STORE_SM_TRAITS___StDmPageAdd

loc_48313C:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+A9j
					; ST_STORE_SM_TRAITS___StWorkItemProcess+131F57j ...
		mov	edi, eax

loc_48313E:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+131F6Dj
		mov	esi, [esp+20h+var_14]

loc_483142:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+187j
					; ST_STORE_SM_TRAITS___StWorkItemProcess+1A9j ...
		cmp	edi, 0C0000006h
		jz	loc_5B51BA

loc_48314E:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+1320E9j
		mov	eax, [esp+20h+var_C]

loc_483152:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+132044j
		mov	edx, [esp+20h+var_10]
		test	edx, edx
		jnz	loc_5B51CE

loc_48315E:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+1320FFj
		test	eax, eax
		jnz	loc_4831FF

loc_483166:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+140j
		cmp	ebx, 0FFFFFFFFh
		jnz	loc_483225
		mov	eax, edi

loc_483171:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+13206Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_483178:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+50j
		jmp	ds:off_483384[edi*4] ; case 0x0

loc_48317F:				; DATA XREF: .text:00483388o
		add	ecx, 38h
		mov	edx, esi
		call	ST_STORE_SM_TRAITS___StDmPageRemove
		jmp	short loc_48313C
; 

loc_48318B:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess:loc_483178j
					; DATA XREF: .text:0048339Co
		mov	eax, [esi+4]
		mov	ebx, 103h
		mov	edx, [ecx+14h]
		dec	eax
		neg	eax
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		sbb	eax, eax
		mov	edx, [edx+10F0h]
		and	eax, esi
		mov	[esp+20h+var_10], eax
		call	SmKmStoreReference
		test	eax, eax
		jz	loc_5B5048
		mov	ecx, [esi+4]
		mov	eax, 1
		xor	edi, edi
		mov	[esp+20h+var_C], eax
		cmp	ecx, eax
		jz	short loc_483236
		cmp	ecx, 2
		jz	loc_5B5066
		cmp	ecx, 3
		jz	loc_5B5081
		cmp	ecx, 4
		jz	loc_483332
		cmp	ecx, 5
		jnz	loc_5B50AC
		mov	ecx, 0FFFFFFFEh
		lea	eax, [esi+8]
		lock and [eax],	cx
		mov	esi, [esp+20h+var_14]

loc_4831FF:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+80j
					; ST_STORE_SM_TRAITS___StWorkItemProcess+27Bj ...
		mov	eax, [esi+14h]
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		mov	edx, [eax+10F0h]
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_483166
; 

loc_483225:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+89j
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48322E:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+19j
		and	esi, 0FFFFFFFEh
		jmp	loc_4830FF
; 

loc_483236:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+E9j
		mov	ecx, [esi+0Ch]
		mov	eax, ecx
		cmp	eax, 4
		jz	short loc_48326C
		test	eax, eax
		jnz	short loc_48328E

loc_483244:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess:loc_483178j
					; ST_STORE_SM_TRAITS___StWorkItemProcess+1B8j
					; DATA XREF: ...
		test	ecx, ecx	; case 0x0
		jnz	loc_5B505C
		mov	eax, 38h

loc_483251:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+131F81j
		mov	esi, [esp+20h+var_14]
		lea	ecx, [eax+esi]
		call	?StCompactionWorker@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StCompactionWorker(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		mov	edi, eax
		mov	eax, [esp+20h+var_10]
		mov	[esp+20h+var_10], eax
		jmp	loc_483142
; 

loc_48326C:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+15Ej
		mov	esi, [esp+20h+var_14]
		xor	edx, edx
		push	0
		lea	ecx, [esi+0A4h]
		call	_SmHpChunkHeapProtect@12 ; SmHpChunkHeapProtect(x,x,x)
		xor	edi, edi

loc_483281:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+24Dj
		mov	eax, [esp+20h+var_10]
		mov	[esp+20h+var_10], eax
		jmp	loc_483142
; 

loc_48328E:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+162j
		dec	eax
		cmp	eax, 5		; switch 6 cases
		ja	loc_483329	; default
		jmp	ds:off_4833A4[eax*4] ; switch jump

loc_48329F:				; DATA XREF: .text:off_4833A4o
		mov	esi, [esp+20h+var_14] ;	case 0x2
		lea	ecx, [esi+38h]
		call	?StDmInvalidateCurrentRegions@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StDmInvalidateCurrentRegions(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		mov	eax, [esp+20h+var_10]
		xor	edi, edi
		mov	[esp+20h+var_10], eax
		jmp	loc_483142
; 

loc_4832BA:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess:loc_483178j
					; DATA XREF: .text:00483398o
		mov	eax, [esi+4]
		lea	esi, [ecx+38h]
		mov	ecx, esi
		and	eax, 7
		jz	loc_5B5153
		cmp	eax, 1
		jnz	short loc_4832DE
		call	?StDmInvalidateCurrentRegions@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StDmInvalidateCurrentRegions(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)

loc_4832D5:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+210j
					; ST_STORE_SM_TRAITS___StWorkItemProcess+289j ...
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4832DE:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+1EEj
		cmp	eax, 3
		jz	short loc_483360
		mov	edx, 1
		call	ST_STORE_SM_TRAITS___StDmCheckForCompaction
		cmp	eax, 2
		jnz	short loc_4832D5
		jmp	loc_5B515D
; 

loc_4832F7:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+1B8j
					; DATA XREF: .text:off_4833A4o
		mov	esi, [esp+20h+var_14] ;	case 0x4
		lea	ecx, [esi+38h]
		call	ST_STORE_SM_TRAITS___StDmCombineLazyCleanup
		mov	eax, [esp+20h+var_10]
		xor	edi, edi
		mov	[esp+20h+var_10], eax
		jmp	loc_483142
; 

loc_483312:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+1B8j
					; DATA XREF: .text:off_4833A4o
		mov	ecx, [esp+20h+var_14] ;	case 0x1
		xor	edx, edx
		lea	eax, [ecx+220h]
		add	ecx, 38h
		push	eax
		call	ST_STORE_SM_TRAITS___StDmLazyRegionsWorker
		mov	edi, eax

loc_483329:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+1B2j
					; ST_STORE_SM_TRAITS___StWorkItemProcess+1B8j ...
		mov	esi, [esp+20h+var_14] ;	default
		jmp	loc_483281
; 

loc_483332:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+100j
		test	[esi+0Ah], al
		jnz	loc_5B509D
		mov	ecx, 7530h
		mov	eax, 7D0h

loc_483345:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+131FC7j
		mov	esi, [esp+20h+var_14]
		mov	edx, 2
		push	ecx
		push	eax
		mov	ecx, [esi+4B8h]
		call	ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork
		jmp	loc_4831FF
; 

loc_483360:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+201j
		xor	edx, edx
		call	ST_STORE_SM_TRAITS___StDmCheckForCompaction
		test	eax, eax
		jz	loc_4832D5
		mov	edx, eax
		mov	ecx, esi
		call	?StQueueCompaction@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@W4_ST_COMPACTION_CHECK_RESULT@@@Z ; ST_STORE<SM_TRAITS>::StQueueCompaction(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_ST_COMPACTION_CHECK_RESULT)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
ST_STORE_SM_TRAITS___StWorkItemProcess endp

; 
		align 4
off_483384	dd offset loc_483132	; DATA XREF: ST_STORE_SM_TRAITS___StWorkItemProcess:loc_483178r
		dd offset loc_48317F
		dd offset loc_5B5028
		dd offset loc_5B503C
		dd offset loc_5B51A5
		dd offset loc_4832BA
		dd offset loc_48318B
		dd offset loc_5B5129
off_4833A4	dd offset loc_483244	; DATA XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+1B8r
		dd offset loc_483312	; jump table for switch	statement
		dd offset loc_48329F
		dd offset loc_483329
		dd offset loc_4832F7
		dd offset loc_5B5052

;  S U B	R O U T	I N E 


; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StLazyWorkMgrResetIdle(struct ST_STORE<struct SM_TRAITS>::_ST_LAZY_WORK_MGR	*)
?StLazyWorkMgrResetIdle@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_LAZY_WORK_MGR@1@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+45p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+0A8h]
		mov	edi, [esi+0B8h]
		mov	ebx, [esi+0BCh]
		and	eax, [esi+0ACh]
		and	dword ptr [esi+0B8h], 0
		and	dword ptr [esi+0BCh], 0
		cmp	eax, 0FFFFFFFFh
		jz	short loc_48340B
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		cmp	[esi+0ACh], edx
		jb	short loc_48341A
		ja	short loc_483407
		cmp	[esi+0A8h], eax
		jbe	short loc_48341A

loc_483407:				; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrResetIdle(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR	*)+41j
		or	edi, ebx
		jnz	short loc_48340F

loc_48340B:				; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrResetIdle(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR	*)+30j
					; ST_STORE<SM_TRAITS>::StLazyWorkMgrResetIdle(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *)+5Cj ...
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_48340F:				; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrResetIdle(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR	*)+4Dj
		push	edx
		push	eax
		mov	ecx, esi
		call	ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule
		jmp	short loc_48340B
; 

loc_48341A:				; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrResetIdle(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR	*)+3Fj
					; ST_STORE<SM_TRAITS>::StLazyWorkMgrResetIdle(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *)+49j
		push	edx
		push	eax
		mov	ecx, esi
		call	?StLazyWorkMgrRunExpiredWork@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_LAZY_WORK_MGR@1@_K@Z ; ST_STORE<SM_TRAITS>::StLazyWorkMgrRunExpiredWork(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *,unsigned __int64)
		jmp	short loc_48340B
?StLazyWorkMgrResetIdle@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_LAZY_WORK_MGR@1@@Z endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiQueryUnbiasedInterruptTime proc near	; CODE XREF: CmpArmLazyWriter+2Cp
					; KiCheckDueTimeExpired+28p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B51E4 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	bl, cl
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 0
		mov	eax, 0FFDF03B0h

loc_483450:				; CODE XREF: KiQueryUnbiasedInterruptTime+68j
					; KiQueryUnbiasedInterruptTime+6Dj
		mov	edi, [eax]
		mov	esi, [eax+4]
		mov	eax, 0FFDF000Ch
		mov	[ebp+var_C], edi
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], 0
		mov	edx, [eax]
		mov	eax, 0FFDF0008h
		mov	ecx, [eax]
		mov	eax, 0FFDF0010h
		cmp	edx, [eax]
		jnz	loc_5B51E4

loc_48347D:				; CODE XREF: KiQueryUnbiasedInterruptTime+131DD7j
		test	bl, bl
		jz	short loc_48349F
		mov	esi, 0FFDF03B0h
		mov	eax, [esi]
		cmp	edi, eax
		mov	esi, [esi+4]
		mov	eax, 0FFDF03B0h
		mov	[ebp+var_C], esi
		mov	esi, [ebp+var_4]
		jnz	short loc_483450
		cmp	esi, [ebp+var_C]
		jnz	short loc_483450

loc_48349F:				; CODE XREF: KiQueryUnbiasedInterruptTime+4Fj
		sub	ecx, edi
		pop	edi
		sbb	edx, esi
		mov	eax, ecx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
KiQueryUnbiasedInterruptTime endp


;  S U B	R O U T	I N E 


MiInsertPrivateVad proc	near		; CODE XREF: MiAllocateNewSubAllocatedRegion+1AEp
					; MiReserveUserMemory+2A2p ...

; FUNCTION CHUNK AT 005B520C SIZE 00000011 BYTES

		mov	edi, edi
		push	ecx
		mov	eax, [ecx+1Ch]
		shr	eax, 12h
		and	eax, 3
		cmp	ds:_MiVadPageSizes[eax*4], 10h
		jz	loc_5B520C

loc_4834C6:				; CODE XREF: MiInsertPrivateVad+131D6Cj
		push	1
		call	MiInsertVad
		pop	ecx
		retn
MiInsertPrivateVad endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGatherPagefilePages proc near		; CODE XREF: MiModifiedPageWriter+217p

var_60		= dword	ptr -60h
var_4E		= byte ptr -4Eh
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B521D SIZE 000001CE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		push	ebx
		mov	ebx, [ecx+54h]
		xor	eax, eax
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	edi, [ebx+90h]
		mov	[esp+60h+var_40], ecx
		mov	[esp+60h+var_18], 0
		mov	[esp+60h+var_48], eax
		mov	[esp+60h+var_4C], ebx
		mov	[esp+60h+var_34], edi
		mov	[esp+60h+var_3C], esi
		cmp	[ebx+0Ch], eax
		jz	loc_5B521D
		sub	ecx, 0FFFFFF80h
		mov	[esp+60h+var_1C], ecx
		mov	[ecx], eax
		lea	esi, [ecx+1Ch]
		mov	dword ptr [ecx+4], 2001Ch
		mov	[ecx+10h], eax
		mov	[ecx+18h], eax
		mov	[ecx+14h], eax
		movzx	edx, word ptr [ebx+74h]
		mov	ecx, [edi+2C0h]
		and	edx, 0Fh
		mov	[esp+60h+var_28], esi
		test	ecx, ecx
		jz	short loc_48354F
		mov	eax, 4
		mov	[esp+60h+var_48], eax

loc_48354F:				; CODE XREF: MiGatherPagefilePages+74j
		lea	ecx, [edx+edx*4]
		mov	edx, 4
		mov	ecx, [edi+ecx*4+740h]
		mov	[esp+60h+var_20], ecx
		movzx	ecx, word ptr [ebx+74h]
		bt	cx, dx
		mov	[esp+60h+var_10], ecx
		movzx	ebx, cx
		setnb	dl
		test	al, 4
		setnz	cl
		test	dl, cl
		jz	short loc_483599
		mov	ecx, [edi+2BCh]
		lea	ecx, [ecx+ecx*4]
		mov	edi, [edi+ecx*4+740h]
		test	edi, edi
		jnz	loc_483BAB
		mov	edi, [esp+60h+var_34]

loc_483599:				; CODE XREF: MiGatherPagefilePages+ABj
		cmp	dword ptr [edi+2B8h], 0
		jnz	loc_483B78
		mov	edi, [edi+700h]

loc_4835AC:				; CODE XREF: MiGatherPagefilePages+6E2j
		mov	ecx, [esp+60h+var_20]
		test	ecx, ecx
		jz	loc_483B60
		shr	bx, 4
		movzx	ebx, bx

loc_4835BF:				; CODE XREF: MiGatherPagefilePages+6A2j
		test	al, 2
		jnz	short loc_483615
		test	edi, edi
		jz	short loc_483615
		test	bl, 1
		jnz	short loc_483615
		test	ecx, ecx
		jz	loc_483B4C
		mov	ebx, [esp+60h+var_4C]
		test	byte ptr [ebx+77h], 1
		jnz	loc_483B4C
		mov	ecx, ebx
		call	MiPageFileLargestBitmapsRun
		mov	ecx, [ebx+4Ch]
		shr	ecx, 2
		cmp	eax, ecx
		jb	loc_5B522B
		mov	eax, ds:dword_7051C4
		shr	eax, 2
		cmp	edi, eax
		mov	eax, [esp+60h+var_48]
		jnb	loc_483B4C
		cmp	edi, [esp+60h+var_20]
		jnb	loc_483B4C

loc_483615:				; CODE XREF: MiGatherPagefilePages+F1j
					; MiGatherPagefilePages+F5j ...
		mov	ebx, ds:dword_7051C4
		mov	[esp+60h+var_44], ebx
		test	al, 2
		jnz	loc_483A4E

loc_483627:				; CODE XREF: MiGatherPagefilePages+580j
					; MiGatherPagefilePages+58Cj
		mov	edx, [esp+60h+var_34]
		mov	ecx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[esp+60h+var_2C], ecx
		cmp	byte ptr [edx+258h], 0
		jnz	loc_5B5234

loc_483642:				; CODE XREF: MiGatherPagefilePages+131DD3j
		mov	edi, [esp+60h+var_40]
		mov	ecx, [edi+14h]
		and	cl, 1Ch
		cmp	ebx, 100h
		ja	loc_483A40

loc_483658:				; CODE XREF: MiGatherPagefilePages+573j
					; MiGatherPagefilePages+131DE1j
		mov	ecx, [esp+60h+var_3C]
		or	eax, 1
		mov	[esp+60h+var_48], eax
		dec	word ptr [ecx+13Ch]
		nop
		and	eax, 2
		mov	[esp+60h+var_14], eax
		jnz	loc_483A61
		mov	edx, [esp+60h+var_4C]
		lea	eax, [esp+60h+var_18]
		push	eax
		lea	eax, [esp+64h+var_30]
		mov	[esp+64h+var_30], ebx
		push	eax
		mov	ecx, esi
		call	_MiBuildReservationCluster@16 ;	MiBuildReservationCluster(x,x,x,x)
		mov	ecx, [esp+60h+var_18]
		mov	ebx, eax
		mov	eax, [esp+60h+var_30]
		mov	[esp+60h+var_38], ebx

loc_48369F:				; CODE XREF: MiGatherPagefilePages+5CDj
		mov	[esp+60h+var_30], eax
		test	eax, eax
		jz	loc_483BB7
		mov	edi, eax
		dec	ecx
		mov	eax, [esp+60h+var_4C]
		add	eax, 88h
		mov	[esp+60h+var_20], ecx
		push	eax
		mov	[esp+64h+var_24], edi
		mov	[esp+64h+var_44], edi
		call	ExAcquireSpinLockExclusive
		cmp	[esp+60h+var_14], 0
		mov	[esp+60h+var_4D], al
		jnz	loc_483B2B
		push	ecx
		mov	ecx, [esp+64h+var_4C]
		mov	edx, ebx
		push	edi
		call	_MiSetPageFileAllocationBits@16	; MiSetPageFileAllocationBits(x,x,x,x)
		mov	eax, edi
		mov	[esp+60h+var_10], ebx
		or	edx, 0FFFFFFFFh
		mov	[esp+60h+var_44], edx
		lea	ecx, ds:0[eax*4]
		lea	eax, [ecx+esi]
		shr	ecx, 2
		cmp	eax, esi
		sbb	eax, eax
		not	eax
		and	eax, ecx
		mov	[esp+60h+var_C], eax
		jbe	short loc_48373E
		xor	edi, edi
		nop

loc_483710:				; CODE XREF: MiGatherPagefilePages+260j
		mov	eax, [esi]
		cmp	eax, dword_6D34E4
		jz	loc_4839E5

loc_48371E:				; CODE XREF: MiGatherPagefilePages+534j
		cmp	edx, 0FFFFFFFFh
		jnz	loc_483A1E

loc_483727:				; CODE XREF: MiGatherPagefilePages+53Dj
					; MiGatherPagefilePages+549j
		inc	edi
		inc	ebx
		add	esi, 4
		cmp	edi, [esp+60h+var_C]
		jb	short loc_483710
		mov	esi, [esp+60h+var_28]
		mov	edi, [esp+60h+var_24]

loc_48373A:				; CODE XREF: MiGatherPagefilePages+677j
		mov	ebx, [esp+60h+var_38]

loc_48373E:				; CODE XREF: MiGatherPagefilePages+23Bj
		cmp	[esp+60h+var_14], 0
		mov	edx, [esp+60h+var_4C]
		jnz	short loc_483758
		mov	ecx, [edx+4Ch]
		mov	eax, ecx
		shr	eax, 2
		sub	ecx, eax
		add	ecx, edi
		mov	[edx+4Ch], ecx

loc_483758:				; CODE XREF: MiGatherPagefilePages+277j
		mov	eax, [edx]
		sub	eax, [edx+0Ch]
		dec	eax
		cmp	[edx+10h], eax
		jb	loc_483B58

loc_483767:				; CODE XREF: MiGatherPagefilePages+68Bj
		lea	eax, [edx+88h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+60h+var_4D]
		call	[esp+60h+var_2C]
		mov	ecx, [esp+60h+var_3C]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		and	[esp+60h+var_48], 0FFFFFFFEh
		mov	eax, [esp+60h+var_30]
		cmp	edi, eax
		jnz	loc_5B52C4

loc_483795:				; CODE XREF: MiGatherPagefilePages+131E6Aj
		mov	ecx, [esp+60h+var_1C]
		mov	eax, edi
		shl	eax, 0Ch
		mov	[esp+60h+var_30], edi
		mov	[ecx+14h], eax
		mov	ecx, [esp+60h+var_40]
		mov	[ecx+4Ch], eax
		mov	eax, [esp+60h+var_20]
		mov	[ecx+50h], eax
		mov	ecx, ebx
		xor	eax, eax
		mov	[esp+60h+var_10], ecx
		mov	[esp+60h+var_14], ecx
		mov	ecx, ds:__imp_@KfRaiseIrql@4 ; KfRaiseIrql(x)
		mov	[esp+60h+var_44], eax
		mov	[esp+60h+var_24], ecx
		lea	ecx, [ecx+0]

loc_4837D0:				; CODE XREF: MiGatherPagefilePages+3EEj
		mov	edx, [esi]
		cmp	edx, dword_6D34E4
		jz	loc_4838A7
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	edi, [eax+ecx*4]
		mov	cl, 2
		call	[esp+60h+var_24]
		lea	ebx, [edi+10h]
		mov	[esp+60h+var_4D], al
		mov	[esp+60h+var_C], 0
		mov	[esp+60h+var_4], ebx
		lock bts dword ptr [ebx], 1Fh
		jb	loc_483BE2

loc_483813:				; CODE XREF: MiGatherPagefilePages+726j
		mov	eax, [edi+0Ch]
		lea	esi, [edi+8]
		mov	edx, [esp+60h+var_14]
		push	eax
		mov	eax, [esi]
		mov	ecx, eax
		push	eax
		mov	eax, [esi+4]
		shrd	ecx, eax, 1
		mov	[esp+68h+var_8], esi
		and	ecx, 1
		lea	eax, ds:1[ecx*2]
		mov	ecx, [esp+68h+var_4C]
		push	eax
		call	_MiTransferSoftwarePte@20 ; MiTransferSoftwarePte(x,x,x,x,x)
		mov	ebx, eax
		mov	[esp+60h+var_14], edx
		mov	[esp+60h+var_20], ebx
		lea	esp, [esp+0]

loc_483850:				; CODE XREF: MiGatherPagefilePages+39Cj
					; MiGatherPagefilePages+3A2j
		mov	edi, [esi]
		mov	eax, edi
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[esp+60h+var_C], ecx
		nop
		mov	ecx, [esp+60h+var_14]
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [esp+60h+var_20]
		cmp	eax, edi
		jnz	short loc_483850
		cmp	edx, [esp+60h+var_C]
		jnz	short loc_483850
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		mov	esi, [esp+60h+var_28]
		test	eax, eax
		jnz	loc_5B533F

loc_483887:				; CODE XREF: MiGatherPagefilePages+131E80j
		mov	eax, [esp+60h+var_4]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [esp+60h+var_4D]
		call	[esp+60h+var_2C]
		mov	edi, [esp+60h+var_30]
		mov	eax, [esp+60h+var_44]
		mov	ebx, [esp+60h+var_38]

loc_4838A7:				; CODE XREF: MiGatherPagefilePages+308j
		inc	eax
		inc	ebx
		add	esi, 4
		mov	[esp+60h+var_44], eax
		mov	[esp+60h+var_28], esi
		mov	[esp+60h+var_38], ebx
		mov	[esp+60h+var_14], ebx
		cmp	eax, edi
		jb	loc_4837D0
		mov	eax, ds:dword_7051C4
		mov	ecx, [esp+60h+var_1C]
		mov	esi, [esp+60h+var_40]
		lea	eax, ds:1Ch[eax*4]
		mov	[ecx+4], ax
		and	dword ptr [esi+14h], 0FFFFFFFDh
		lea	eax, [esi+70h]
		push	eax
		call	KeQuerySystemTime
		mov	edx, [esp+60h+var_34]
		mov	ebx, [esi+14h]
		shr	ebx, 2
		and	ebx, 7
		mov	ecx, [edx+1FCh]
		mov	eax, [edx+0FC0h]
		test	ecx, ecx
		jnz	loc_5B5355
		cmp	eax, 0A0h
		jb	loc_5B5371
		cmp	eax, 120h
		jb	loc_5B537D

loc_483920:				; CODE XREF: MiGatherPagefilePages+131E9Cj
					; MiGatherPagefilePages+131EBCj
		mov	eax, [esi+14h]
		lea	ecx, ds:0[ebx*4]
		and	eax, 0FFFFFFE3h
		or	ecx, eax
		mov	[esi+14h], ecx
		cmp	ebx, 2
		jnb	short loc_483950
		mov	eax, [esp+60h+var_3C]
		dec	word ptr [eax+13Eh]
		nop
		inc	dword ptr [edx+188h]
		mov	ecx, eax
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_483950:				; CODE XREF: MiGatherPagefilePages+465j
		mov	esi, [esp+60h+var_48]
		mov	eax, esi
		shr	eax, 1
		not	eax
		push	0FFFFFFFFh
		and	eax, 1
		push	eax
		mov	eax, [esp+68h+var_40]
		mov	ecx, eax
		push	ebx
		lea	edx, [eax+70h]
		call	_MI_PAGEFILE_WRITE@20 ;	MI_PAGEFILE_WRITE(x,x,x,x,x)
		mov	edx, [esp+60h+var_34]
		mov	eax, [edx+1F0h]
		mov	ecx, [edx+1ECh]
		cmp	eax, 200h
		jz	loc_483A34
		inc	eax
		mov	[edx+1F0h], eax

loc_483991:				; CODE XREF: MiGatherPagefilePages+56Bj
		lea	eax, [ecx+edi]
		xor	ecx, ecx
		mov	[edx+1ECh], eax
		mov	edx, [esp+60h+var_40]
		mov	eax, [esp+60h+var_10]
		lea	edi, [edx+68h]
		shld	ecx, eax, 0Ch
		and	dword ptr [edx+14h], 0FFFFFFDFh
		shl	eax, 0Ch
		mov	[edi], eax
		mov	[edi+4], ecx
		cmp	esi, 4
		jb	loc_483AA2
		mov	ecx, edx
		call	MiStoreWriteModifiedPages
		test	eax, eax
		js	loc_483AA2

loc_4839CF:				; CODE XREF: MiGatherPagefilePages+650j
					; MiGatherPagefilePages+6D6j ...
		mov	esi, [esp+60h+var_3C]

loc_4839D3:				; CODE XREF: MiGatherPagefilePages+701j
					; MiGatherPagefilePages+131D56j
		test	byte ptr [esp+60h+var_48], 1
		jnz	loc_483BD6

loc_4839DE:				; CODE XREF: MiGatherPagefilePages+70Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4839E5:				; CODE XREF: MiGatherPagefilePages+248j
		mov	eax, [esp+60h+var_4C]
		mov	edx, ebx
		shr	edx, 5
		mov	ecx, ebx
		and	ecx, 1Fh
		mov	eax, [eax+38h]
		mov	eax, [eax+10h]
		mov	eax, [eax+edx*4]
		mov	edx, [esp+60h+var_44]
		sar	eax, cl
		test	al, 1
		jnz	loc_48371E
		cmp	edx, 0FFFFFFFFh
		jnz	loc_483727
		mov	edx, ebx

loc_483A15:				; CODE XREF: MiGatherPagefilePages+562j
		mov	[esp+60h+var_44], edx
		jmp	loc_483727
; 

loc_483A1E:				; CODE XREF: MiGatherPagefilePages+251j
		push	ecx
		mov	ecx, [esp+64h+var_4C]
		mov	eax, ebx
		push	0
		sub	eax, edx
		push	eax
		call	MiInvalidatePageFileBitmapsCache
		or	edx, 0FFFFFFFFh
		jmp	short loc_483A15
; 

loc_483A34:				; CODE XREF: MiGatherPagefilePages+4B4j
		mov	eax, ecx
		shr	eax, 9
		sub	ecx, eax
		jmp	loc_483991
; 

loc_483A40:				; CODE XREF: MiGatherPagefilePages+182j
		cmp	cl, 8
		jnb	loc_483658
		jmp	loc_5B52A8
; 

loc_483A4E:				; CODE XREF: MiGatherPagefilePages+151j
		cmp	edi, ebx
		jnb	loc_483627
		mov	ebx, edi
		mov	[esp+60h+var_44], ebx
		jmp	loc_483627
; 

loc_483A61:				; CODE XREF: MiGatherPagefilePages+1A2j
		mov	ebx, [esp+60h+var_4C]
		lea	eax, [esp+60h+var_44]
		push	0
		push	eax
		lea	edx, [esp+68h+var_38]
		mov	[esp+68h+var_38], 0
		mov	ecx, ebx
		call	MiFindPageFileWriteCluster
		mov	eax, [esp+60h+var_44]
		test	eax, eax
		jz	loc_5B52B6
		mov	ecx, [esp+60h+var_34]
		mov	edx, esi
		push	eax
		call	_MiFillNoReservationCluster@12 ; MiFillNoReservationCluster(x,x,x)
		mov	ebx, [esp+60h+var_38]
		mov	ecx, eax
		jmp	loc_48369F
; 

loc_483AA2:				; CODE XREF: MiGatherPagefilePages+4EAj
					; MiGatherPagefilePages+4F9j
		inc	large dword ptr	fs:3E40h
		mov	eax, [esp+60h+var_30]
		add	large fs:3E3Ch,	eax
		push	[esp+60h+var_30]
		mov	esi, [esp+64h+var_1C]
		mov	edx, esi
		push	[esp+64h+var_10]
		mov	ecx, [esp+68h+var_4C]
		push	0
		call	MiMapPageFileHash
		mov	eax, [esp+60h+var_4C]
		mov	ecx, 800h
		mov	edx, [esp+60h+var_40]
		add	edx, 8
		test	[eax+74h], cx
		jnz	loc_5B53BC
		mov	esi, [eax+70h]
		mov	ecx, [eax+1Ch]
		mov	eax, [esp+60h+var_40]
		add	eax, 10h
		push	eax
		push	edx
		push	0
		push	0
		push	esi
		push	ebx
		mov	ebx, [esp+78h+var_40]
		push	ebx
		push	offset MiWriteComplete
		push	edi
		lea	edx, [ebx+80h]
		call	IoAsynchronousPageWrite
		mov	ecx, eax
		and	ecx, 0C0000000h
		cmp	ecx, 0C0000000h
		jnz	loc_4839CF
		jmp	loc_5B5391
; 

loc_483B2B:				; CODE XREF: MiGatherPagefilePages+202j
		mov	ecx, [esp+60h+var_4C]
		lea	eax, [esp+60h+var_44]
		push	1
		push	eax
		lea	edx, [esp+68h+var_38]
		call	MiFindPageFileWriteCluster
		mov	edi, [esp+60h+var_44]
		mov	[esp+60h+var_24], edi
		jmp	loc_48373A
; 

loc_483B4C:				; CODE XREF: MiGatherPagefilePages+FEj
					; MiGatherPagefilePages+10Cj ...
		or	eax, 2
		mov	[esp+60h+var_48], eax
		jmp	loc_483615
; 

loc_483B58:				; CODE XREF: MiGatherPagefilePages+291j
		mov	[edx+10h], eax
		jmp	loc_483767
; 

loc_483B60:				; CODE XREF: MiGatherPagefilePages+E2j
		test	edi, edi
		jz	short loc_483B78
		mov	edx, [esp+60h+var_10]
		shr	dx, 4
		movzx	ebx, dx
		test	dl, 1
		jz	loc_4835BF

loc_483B78:				; CODE XREF: MiGatherPagefilePages+D0j
					; MiGatherPagefilePages+692j
		mov	edi, [esp+60h+var_4C]
		lea	esi, [edi+88h]
		push	esi
		call	ExAcquireSpinLockExclusive
		or	byte ptr [edi+76h], 1
		mov	bl, al
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+60h+var_40]
		mov	dword ptr [eax], 99887711h
		jmp	loc_4839CF
; 

loc_483BAB:				; CODE XREF: MiGatherPagefilePages+BFj
		or	eax, 2
		mov	[esp+60h+var_48], eax
		jmp	loc_4835AC
; 

loc_483BB7:				; CODE XREF: MiGatherPagefilePages+1D5j
		mov	esi, [esp+60h+var_3C]
		dec	word ptr [esi+13Eh]
		nop
		mov	ecx, edi
		call	MiMakePagefileWriterEntryAvailable
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_4839D3
; 

loc_483BD6:				; CODE XREF: MiGatherPagefilePages+508j
		mov	ecx, esi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_4839DE
; 

loc_483BE2:				; CODE XREF: MiGatherPagefilePages+33Dj
					; MiGatherPagefilePages+71Fj ...
		lea	ecx, [esp+60h+var_C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_483BE2
		lock bts dword ptr [ebx], 1Fh
		jnb	loc_483813
		jmp	short loc_483BE2
MiGatherPagefilePages endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTransferSoftwarePte(x, x,	x, x, x)
_MiTransferSoftwarePte@20 proc near	; CODE XREF: .text:004767EDp
					; MiStoreWriteModifiedPages+476p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, edx
		mov	edx, [ebp+arg_4]
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_483C2A
		test	bl, 4
		jnz	short loc_483C2A
		and	edx, 0FFFFFFF9h

loc_483C2A:				; CODE XREF: MiTransferSoftwarePte(x,x,x,x,x)+20j
					; MiTransferSoftwarePte(x,x,x,x,x)+25j
		test	ecx, ecx
		jz	loc_483CD9
		movzx	eax, word ptr [ecx+74h]
		mov	[ebp+var_4], eax
		mov	eax, edx
		or	eax, esi
		jz	loc_483CCB
		mov	eax, dword_6D0704
		mov	ecx, dword_6D0700
		mov	[ebp+arg_0], eax
		mov	eax, ecx
		or	eax, [ebp+arg_0]
		mov	[ebp+arg_8], ecx
		jz	short loc_483C6C
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_483CC6
		not	ecx
		and	edx, ecx
		mov	ecx, [ebp+arg_8]

loc_483C6C:				; CODE XREF: MiTransferSoftwarePte(x,x,x,x,x)+59j
					; MiTransferSoftwarePte(x,x,x,x,x)+C9j
		xor	esi, esi
		mov	eax, ecx
		or	esi, edx
		mov	edx, [ebp+arg_0]
		or	eax, edx
		jz	short loc_483C88
		mov	eax, edx
		and	ecx, esi
		and	eax, edi
		or	ecx, eax
		jnz	short loc_483CBC
		or	esi, [ebp+arg_8]
		or	edi, edx

loc_483C88:				; CODE XREF: MiTransferSoftwarePte(x,x,x,x,x)+77j
					; MiTransferSoftwarePte(x,x,x,x,x)+BFj	...
		mov	eax, [ebp+var_4]
		xor	edi, 0
		movzx	eax, ax
		cdq
		shld	edx, eax, 0Ch
		shl	eax, 0Ch
		xor	eax, esi
		and	eax, 0F000h
		xor	esi, eax
		test	bl, 1
		jz	short loc_483CAA
		or	esi, 4

loc_483CAA:				; CODE XREF: MiTransferSoftwarePte(x,x,x,x,x)+A5j
		mov	edx, edi
		test	bl, 2
		jnz	short loc_483CC1

loc_483CB1:				; CODE XREF: MiTransferSoftwarePte(x,x,x,x,x)+C4j
		mov	eax, esi

loc_483CB3:				; CODE XREF: MiTransferSoftwarePte(x,x,x,x,x)+DDj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_483CBC:				; CODE XREF: MiTransferSoftwarePte(x,x,x,x,x)+81j
		or	esi, 10h
		jmp	short loc_483C88
; 

loc_483CC1:				; CODE XREF: MiTransferSoftwarePte(x,x,x,x,x)+AFj
		or	esi, 2
		jmp	short loc_483CB1
; 

loc_483CC6:				; CODE XREF: MiTransferSoftwarePte(x,x,x,x,x)+63j
		and	edx, 0FFFFFFEFh
		jmp	short loc_483C6C
; 

loc_483CCB:				; CODE XREF: MiTransferSoftwarePte(x,x,x,x,x)+3Dj
		push	edi
		push	0
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	esi, eax
		mov	edi, edx
		jmp	short loc_483C88
; 

loc_483CD9:				; CODE XREF: MiTransferSoftwarePte(x,x,x,x,x)+2Cj
		mov	eax, edx
		mov	edx, esi
		jmp	short loc_483CB3
_MiTransferSoftwarePte@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmUpdateStoreContext(x, x, x, x)
_SmUpdateStoreContext@16 proc near	; CODE XREF: MiStoreCheckCandidatePage(x,x,x,x,x)+1C0p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		neg	eax
		push	esi
		mov	esi, [ebp+arg_0]
		sbb	eax, eax
		and	eax, 40000h
		add	eax, 0C00h
		neg	esi
		sbb	esi, esi
		and	edx, 7
		and	esi, 20000h
		shl	edx, 0Dh
		or	eax, esi
		and	ecx, 0FFF90C00h
		or	eax, edx
		or	eax, ecx
		pop	esi
		pop	ebp
		retn	8
_SmUpdateStoreContext@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmPageAdd proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+57p

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B53EB SIZE 00000082 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ecx
		push	edi
		mov	ebx, [esi+8]
		mov	edi, [esi+4]
		mov	eax, [esi+0Ch]
		mov	[ebp+var_1C], edi
		test	byte ptr [ebx+6], 5
		mov	[ebp+var_14], eax
		jz	loc_5B53EB
		mov	eax, [ebx+0Ch]

loc_483D4C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+1316DEj
		test	eax, eax
		jz	loc_5B5463
		mov	ebx, [ebx+14h]
		test	edi, edi
		jns	loc_5B5403
		mov	ecx, ebx
		mov	[ebp+var_8], 1

loc_483D68:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+1316EBj
		mov	[ebp+var_C], ecx
		mov	[ebp+var_18], eax
		mov	edi, edi

loc_483D70:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+131707j
		mov	ebx, [ebp+var_4]
		test	edi, edi
		jns	loc_5B5410
		mov	eax, [ebx+1D4h]
		add	eax, 0Fh
		add	eax, ecx
		shr	eax, 4

loc_483D89:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+1316F5j
		mov	[ebp+var_10], eax
		lea	esp, [esp+0]

loc_483D90:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+87j
		lea	eax, [ebp+var_10]
		mov	ecx, ebx
		push	eax
		push	esi
		lea	edx, [ebp+var_1C]
		call	ST_STORE_SM_TRAITS___StDmpSinglePageAdd
		mov	edx, eax
		cmp	edx, 0C000022Dh
		jz	short loc_483D90
		mov	ebx, [ebp+var_8]
		test	edx, edx
		jnz	short loc_483E10
		mov	ecx, [ebp+var_1C]
		mov	edi, ecx
		and	edi, 0FFFFFFF8h
		add	edi, 8
		xor	edi, ecx
		and	edi, 3FFFFFF8h
		xor	edi, ecx
		mov	eax, edi
		mov	[ebp+var_1C], edi
		shr	eax, 3
		and	eax, 7FFFFFFh
		cmp	eax, ebx
		jb	loc_5B541A

loc_483DDA:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+F9j
		mov	ebx, edi
		shr	ebx, 3
		and	ebx, 7FFFFFFh
		jbe	short loc_483DFA
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+42Ch]
		test	eax, eax
		jnz	loc_5B542C

loc_483DF8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+13173Ej
		xor	edx, edx

loc_483DFA:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+C5j
					; ST_STORE_SM_TRAITS___StDmPageAdd+101j ...
		mov	eax, [esi+4]
		xor	eax, edi
		and	eax, 3FFFFFF8h
		xor	[esi+4], eax
		mov	eax, edx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_483E10:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+8Ej
		mov	edi, [ebp+var_1C]
		cmp	edx, 0C0000006h
		jnz	short loc_483DDA
		and	edi, 0C0000007h
		jmp	short loc_483DFA
ST_STORE_SM_TRAITS___StDmPageAdd endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmpPageWrite(x, x, x, x, x,	x, x)
_SmpPageWrite@28 proc near		; CODE XREF: MiStoreWriteModifiedPages+3A1p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, [ebx+8]
		push	edi
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_4], ecx
		test	byte ptr [edx+4], 3
		jnz	short loc_483E6A
		push	ecx
		push	dword ptr [edx]
		mov	edx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		mov	ecx, offset unk_718478
		call	_SmpKeyedStoreReference@16 ; SmpKeyedStoreReference(x,x,x,x)
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_483EC2

loc_483E67:				; CODE XREF: SmpPageWrite(x,x,x,x,x,x,x)+AEj
		mov	ecx, [ebp+var_4]

loc_483E6A:				; CODE XREF: SmpPageWrite(x,x,x,x,x,x,x)+28j
		mov	eax, esi
		and	eax, 7FFh
		cmp	eax, 400h
		jnz	short loc_483E8F
		mov	eax, ds:dword_718490
		cmp	eax, 0FFFFFFFFh
		jz	short loc_483EF0
		and	esi, 0FFFFF800h
		and	eax, 3FFh
		or	esi, eax

loc_483E8F:				; CODE XREF: SmpPageWrite(x,x,x,x,x,x,x)+52j
		push	dword ptr [ebx+18h]
		mov	eax, [ebx+10h]
		mov	edx, ecx
		push	dword ptr [ebx+14h]
		and	eax, 7FFFFFFFh
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		push	eax
		push	dword ptr [ebx+0Ch]
		push	esi
		call	SMKM_STORE_MGR_SM_TRAITS___SmPageWrite
		mov	esi, eax

loc_483EB0:				; CODE XREF: SmpPageWrite(x,x,x,x,x,x,x)+D1j
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_483ED4

loc_483EB5:				; CODE XREF: SmpPageWrite(x,x,x,x,x,x,x)+CAj
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	14h
; 

loc_483EC2:				; CODE XREF: SmpPageWrite(x,x,x,x,x,x,x)+41j
		mov	ecx, edi
		and	esi, 0FFFFF800h
		and	ecx, 3FFh
		or	esi, ecx
		jmp	short loc_483E67
; 

loc_483ED4:				; CODE XREF: SmpPageWrite(x,x,x,x,x,x,x)+8Fj
		and	edi, 3FFh
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		mov	edx, edi
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_483EB5
; 

loc_483EF0:				; CODE XREF: SmpPageWrite(x,x,x,x,x,x,x)+5Cj
		mov	esi, 0C000021Bh
		jmp	short loc_483EB0
_SmpPageWrite@28 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmPageWrite proc near
					; CODE XREF: SmpPageWrite(x,x,x,x,x,x,x)+85p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005B546D SIZE 000000C3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_4], edx
		mov	ebx, ecx
		mov	ecx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ecx+4], eax
		xor	edi, edi
		mov	eax, [ebp+arg_8]
		mov	[ecx], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], edi
		mov	eax, [eax+14h]
		shr	eax, 0Ch
		mov	[ebp+var_10], eax
		mov	eax, esi
		and	eax, 7FFh
		mov	[ebp+arg_0], eax
		cmp	eax, 400h
		jnb	loc_5B5529
		mov	edx, eax
		mov	ecx, ebx
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		test	eax, eax
		jz	loc_5B5526
		movzx	edx, word ptr [eax+10h]
		mov	ecx, ebx
		and	edx, 3Fh
		shl	edx, 0Ah
		or	edx, [ebp+arg_0]
		call	SmKmStoreReference
		mov	ecx, eax
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		jz	loc_5B5526
		mov	eax, esi
		shr	eax, 0Dh
		and	eax, 7
		mov	edx, eax
		mov	[ebp+arg_8], eax
		call	ST_STORE_SM_TRAITS___StSufficientSpaceForAdd
		test	eax, eax
		jz	loc_5B546D
		mov	ecx, [ebp+arg_8]
		test	esi, 40000h
		jnz	loc_484167

loc_483FA1:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+26Dj
		cmp	ecx, 6
		jz	loc_48417A

loc_483FAA:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+281j
		test	byte ptr [ebx+464h], 20h
		jz	loc_5B5474
		mov	eax, [ebp+arg_0]
		test	dword ptr [eax], 400h
		jnz	loc_5B5474
		lea	ecx, [ebx+360h]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		mov	[ebp+var_C], edi
		test	edi, edi
		jz	loc_484130

loc_483FDE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+24Dj
		xor	eax, eax
		mov	ecx, 8
		rep stosd
		mov	edi, [ebp+var_C]
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_4]
		mov	eax, [eax]
		mov	[edi+0Ch], eax
		mov	eax, [edi+4]
		and	eax, 0FFFFFFF8h
		mov	[edi+8], ecx
		or	eax, [ebp+arg_8]
		mov	[edi+4], eax
		test	esi, 10000h
		jnz	loc_5B548A

loc_484010:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+131592j
		test	esi, 20000h
		jnz	loc_484186

loc_48401C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+28Ej
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_C]
		mov	[edi+18h], edx
		mov	esi, [eax+10F0h]
		and	esi, 3FFh
		test	byte ptr [ebx+464h], 2
		jz	short loc_48406A
		test	byte ptr [ecx+6], 5
		jnz	loc_5B5497
		push	40000020h
		push	0
		push	0
		push	1
		push	0
		push	ecx
		call	MmMapLockedPagesSpecifyCache
		mov	edx, [ebp+arg_C]
		mov	ecx, eax
		mov	eax, [ebp+arg_0]

loc_48405F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+13159Aj
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	loc_5B549F

loc_48406A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+138j
		test	byte ptr [ebx+464h], 20h
		jz	loc_5B54BF
		test	dword ptr [eax], 400h
		jnz	loc_5B54BF
		cmp	[ebp+arg_10], 0
		mov	eax, 2
		jz	short loc_484093
		mov	eax, 3

loc_484093:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+18Cj
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		push	0
		push	0
		push	esi
		push	[ebp+var_10]
		call	SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate
		mov	esi, eax
		test	esi, esi
		js	loc_5B54DB
		push	30h		; size_t
		lea	esi, [edi+20h]
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[esi+2Ch], edi
		mov	cl, 2
		mov	[esi+24h], eax
		lea	esi, [ebx+308h]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		mov	dl, bl
		mov	ecx, esi
		jnz	loc_5B54A6
		call	ExpAcquireSpinLockExclusive

loc_4840EF:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+1315ABj
		mov	eax, [esi+8]
		lea	ecx, [edi+48h]
		mov	eax, [eax]
		inc	eax
		mov	[ecx], eax
		mov	eax, [esi+8]
		mov	[eax], ecx
		mov	[esi+8], ecx
		cmp	dword ptr [ecx], 1
		jz	short loc_484158

loc_484107:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+265j
		test	ds:byte_70EFC6,	1
		jnz	loc_5B54B0
		mov	dword ptr [esi], 0

loc_48411A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+1315BAj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_484122:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+1315D5j
		mov	eax, 103h

loc_484127:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+131621j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_484130:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+D8j
		mov	eax, 1000h
		mov	ecx, 77576D73h

loc_48413A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+13157Ej
		push	ecx
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_C], eax
		test	edi, edi
		jnz	loc_483FDE
		jmp	loc_5B5483
; 

loc_484158:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+205j
		push	0
		push	0
		lea	eax, [esi+0Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_484107
; 

loc_484167:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+9Bj
		lea	eax, [ecx-5]
		cmp	eax, 1
		ja	loc_483FA1
		mov	[ebp+arg_8], 6

loc_48417A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+A4j
		mov	ecx, ebx
		call	?SmHighMemPriorityTimerStart@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmHighMemPriorityTimerStart(SMKM_STORE_MGR<SM_TRAITS> *)
		jmp	loc_483FAA
; 

loc_484186:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+116j
		or	eax, 40000000h
		mov	[edi+4], eax
		jmp	loc_48401C
SMKM_STORE_MGR_SM_TRAITS___SmPageWrite endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRemoveSecureEntry proc near		; CODE XREF: MmUnsecureVirtualMemory(x)+35p
					; MiUnmapLockedPagesInUserSpace+6Bp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005B5530 SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ecx
		mov	ebx, [eax+80h]
		mov	al, [ebx+2A0h]
		add	ebx, 240h
		and	al, 7
		mov	[ebp+var_10], esi
		mov	[ebp+var_14], ebx
		push	edi
		mov	edi, edx
		cmp	al, 2
		jz	loc_5B5530
		lea	eax, [ebx+80h]

loc_4841E0:				; CODE XREF: MiRemoveSecureEntry+131395j
		push	eax
		mov	[ebp+var_C], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_1], al
		mov	[ecx+4], esi
		mov	ecx, [ebp+var_8]
		add	ecx, 24h
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_48422F
		xor	ebx, ebx

loc_484200:				; CODE XREF: MiRemoveSecureEntry+84j
		cmp	dword ptr [edx+24h], 2
		jnz	short loc_48420C
		cmp	esi, 1
		ja	short loc_48420C
		inc	esi

loc_48420C:				; CODE XREF: MiRemoveSecureEntry+64j
					; MiRemoveSecureEntry+69j
		cmp	edx, edi
		jnz	short loc_484219
		mov	eax, [edx]
		mov	ebx, 1
		mov	[ecx], eax

loc_484219:				; CODE XREF: MiRemoveSecureEntry+6Ej
		cmp	esi, 1
		ja	short loc_48426C

loc_48421E:				; CODE XREF: MiRemoveSecureEntry+D1j
		mov	ecx, edx
		mov	edx, [edx]
		test	edx, edx
		jnz	short loc_484200

loc_484226:				; CODE XREF: MiRemoveSecureEntry+CFj
		mov	al, [ebp+var_1]
		mov	[ebp+var_10], ebx
		mov	ebx, [ebp+var_14]

loc_48422F:				; CODE XREF: MiRemoveSecureEntry+5Cj
		mov	dl, al
		mov	ecx, ebx
		call	MiUnlockWorkingSetExclusive
		cmp	[ebp+var_10], 0
		jz	loc_5B553A
		mov	edx, [edi+4]
		mov	ebx, [ebp+var_8]
		test	dl, 10h
		jnz	short loc_484273

loc_48424D:				; CODE XREF: MiRemoveSecureEntry+DEj
		cmp	esi, 1
		jnz	short loc_48425D
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	MiSetVadFlags

loc_48425D:				; CODE XREF: MiRemoveSecureEntry+B0j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48426C:				; CODE XREF: MiRemoveSecureEntry+7Cj
		cmp	ebx, 1
		jz	short loc_484226
		jmp	short loc_48421E
; 

loc_484273:				; CODE XREF: MiRemoveSecureEntry+ABj
		mov	eax, [edi+8]
		mov	ecx, ebx
		push	eax
		call	_MiUnsecureVirtualMemoryAgainstWrites@12 ; MiUnsecureVirtualMemoryAgainstWrites(x,x,x)
		jmp	short loc_48424D
MiRemoveSecureEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSetVadFlags	proc near		; CODE XREF: MiDeleteVad(x,x,x)+20Dp
					; MiRemoveSecureEntry+B8p ...

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B557F SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	esi
		mov	esi, ecx
		mov	cl, 2
		push	edi
		mov	edi, edx
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, [esi+1Ch]
		add	esi, 1Ch
		mov	[ebp+var_1], al
		nop

loc_4842A0:				; CODE XREF: MiRemoveSecureEntry+1313BFj
					; MiRemoveSecureEntry+1313DAj ...
		test	dl, 1
		jnz	loc_5B554D
		mov	ecx, edx
		mov	eax, edx
		and	ecx, 0FFFFFFFDh
		or	ecx, 1
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	loc_5B557F
		mov	edx, [esi]
		mov	eax, edi
		and	[ebp+arg_0], 1
		and	eax, 2
		push	ebx
		mov	ebx, edi
		mov	[ebp+var_8], eax
		and	ebx, 1
		and	edi, 4

loc_4842D6:				; CODE XREF: MiSetVadFlags+BFj
		mov	ecx, edx
		test	ebx, ebx
		jnz	short loc_484324

loc_4842DC:				; CODE XREF: MiSetVadFlags+B8j
		test	eax, eax
		jz	short loc_4842EB
		mov	eax, [ebp+arg_0]
		and	ecx, 0FFFFFFFBh
		shl	eax, 2
		or	ecx, eax

loc_4842EB:				; CODE XREF: MiSetVadFlags+5Ej
		test	edi, edi
		jnz	loc_5B5586

loc_4842F3:				; CODE XREF: MiSetVadFlags+131314j
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_48433A
		mov	edx, [esi]
		mov	ecx, edx
		and	ecx, 0FFFFFFFCh
		mov	eax, edx
		lock cmpxchg [esi], ecx
		pop	ebx
		cmp	eax, edx
		jnz	loc_5B5599

loc_484313:				; CODE XREF: MiSetVadFlags+131328j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_484324:				; CODE XREF: MiSetVadFlags+5Aj
		mov	eax, [ebp+arg_0]
		lea	ecx, ds:0[eax*8]
		mov	eax, edx
		and	eax, 0FFFFFFF7h
		or	ecx, eax
		mov	eax, [ebp+var_8]
		jmp	short loc_4842DC
; 

loc_48433A:				; CODE XREF: MiSetVadFlags+7Bj
		mov	edx, eax
		mov	eax, [ebp+var_8]
		jmp	short loc_4842D6
MiSetVadFlags	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertVadEvent(x,	x, x)
_MiInsertVadEvent@12 proc near		; CODE XREF: MiWaitForVadDeletion(x)+74p
					; MiCreateVadEventBitmap+69p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		cmp	[ebp+arg_0], 1
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		jnz	short loc_4843D1
		mov	esi, large fs:124h
		mov	esi, [esi+80h]
		add	esi, 240h
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		jz	short loc_4843D7
		lea	edi, [esi+80h]

loc_484389:				; CODE XREF: MiInsertVadEvent(x,x,x)+8Cj
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		mov	dl, bl
		mov	ecx, edi
		jnz	short loc_4843DE
		call	ExpAcquireSpinLockExclusive

loc_4843A5:				; CODE XREF: MiInsertVadEvent(x,x,x)+93j
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		mov	dword ptr [edi+4], 0

loc_4843B2:				; CODE XREF: MiInsertVadEvent(x,x,x)+85j
		mov	eax, [ecx+24h]
		mov	[edx], eax
		mov	[ecx+24h], edx
		cmp	bl, 21h
		jz	short loc_4843C8
		mov	dl, bl
		mov	ecx, esi
		call	MiUnlockWorkingSetExclusive

loc_4843C8:				; CODE XREF: MiInsertVadEvent(x,x,x)+6Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4843D1:				; CODE XREF: MiInsertVadEvent(x,x,x)+15j
		mov	bl, 21h
		xor	esi, esi
		jmp	short loc_4843B2
; 

loc_4843D7:				; CODE XREF: MiInsertVadEvent(x,x,x)+31j
		mov	edi, offset unk_6D3C40
		jmp	short loc_484389
; 

loc_4843DE:				; CODE XREF: MiInsertVadEvent(x,x,x)+4Ej
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	short loc_4843A5
_MiInsertVadEvent@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


ExpAcquireSpinLockExclusive proc near	; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+1EAp
					; MiInsertVadEvent(x,x,x)+50p ...

; FUNCTION CHUNK AT 005A7F1B SIZE 00000018 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		lock bts dword ptr [edi], 1Fh
		jb	short loc_484416
		mov	edx, [edi]
		mov	ecx, edx
		and	ecx, 0BFFFFFFFh
		cmp	ecx, 80000000h
		jnz	short loc_484430

loc_484411:				; CODE XREF: ExpAcquireSpinLockExclusive+67j
		mov	eax, esi

loc_484413:				; CODE XREF: ExpAcquireSpinLockExclusive+3Dj
		pop	edi
		pop	esi
		retn
; 

loc_484416:				; CODE XREF: ExpAcquireSpinLockExclusive+Dj
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	edx, [edi]
		mov	esi, eax
		mov	ecx, edx
		and	ecx, 0BFFFFFFFh
		cmp	ecx, 80000000h
		jz	short loc_484413
		nop

loc_484430:				; CODE XREF: ExpAcquireSpinLockExclusive+1Fj
					; ExpAcquireSpinLockExclusive+65j
		test	edx, 40000000h
		jz	short loc_484459

loc_484438:				; CODE XREF: ExpAcquireSpinLockExclusive+79j
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jz	loc_5A7F1B

loc_484445:				; CODE XREF: ExpAcquireSpinLockExclusive+123B32j
		pause

loc_484447:				; CODE XREF: ExpAcquireSpinLockExclusive+123B3Ej
		mov	eax, [edi]

loc_484449:				; CODE XREF: ExpAcquireSpinLockExclusive+7Bj
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_484430
		jmp	short loc_484411
; 

loc_484459:				; CODE XREF: ExpAcquireSpinLockExclusive+46j
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_484438
		jmp	short loc_484449
ExpAcquireSpinLockExclusive endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockWorkingSetExclusive proc near	; CODE XREF: MmEnforceWorkingSetLimit+15Ap
					; MiDeleteProcessShadow+197p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005B55AD SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		xor	esi, esi
		mov	[ebp+var_8], 0
		mov	[ebp+var_C], esi
		mov	ecx, [edi+60h]
		mov	dl, cl
		and	dl, 7
		mov	[ebp+var_10], ecx
		cmp	dl, 2
		jz	loc_48458D
		lea	ebx, [edi+80h]

loc_4844A6:				; CODE XREF: MiUnlockWorkingSetExclusive+122j
		mov	al, cl
		test	dl, dl
		jnz	short loc_4844D5
		cmp	[edi+0Ch], esi
		jz	short loc_4844D5
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		mov	al, cl
		mov	edx, [esi+24Ch]
		cmp	word ptr [edx+94h], 0
		jnz	loc_484597

loc_4844D3:				; CODE XREF: MiUnlockWorkingSetExclusive+134j
		xor	esi, esi

loc_4844D5:				; CODE XREF: MiUnlockWorkingSetExclusive+3Aj
					; MiUnlockWorkingSetExclusive+3Fj
		mov	ecx, large fs:124h
		test	dword ptr [ecx+2FCh], 400000h
		jnz	loc_5B55AD

loc_4844EC:				; CODE XREF: MiUnlockWorkingSetExclusive+131145j
		test	al, 7
		setz	cl
		test	ds:_MiFlags, 0C00000h
		setnz	al
		test	cl, al
		jz	short loc_484517
		cmp	byte ptr [edi-1CCh], 1
		jz	short loc_484517
		rdtsc
		and	eax, 3FF0h
		or	eax, 0
		jz	short loc_484551

loc_484517:				; CODE XREF: MiUnlockWorkingSetExclusive+90j
					; MiUnlockWorkingSetExclusive+99j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5B55BA
		mov	dword ptr [ebx], 0

loc_48452A:				; CODE XREF: MiUnlockWorkingSetExclusive+131154j
		mov	bl, [ebp+var_1]
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	loc_5B55C9

loc_484540:				; CODE XREF: MiUnlockWorkingSetExclusive+13116Cj
		test	esi, esi
		jnz	short loc_48454A
		test	byte ptr [ebp+var_10+3], 1Ch
		jnz	short loc_48457B

loc_48454A:				; CODE XREF: MiUnlockWorkingSetExclusive+D2j
					; MiUnlockWorkingSetExclusive+11Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_484551:				; CODE XREF: MiUnlockWorkingSetExclusive+A5j
		cmp	dword ptr [edi+0C4h], 0
		jz	short loc_484517
		cmp	dword ptr [edi+0Ch], 0
		jz	short loc_484517
		cmp	dword ptr [edi+10h], 0
		jz	short loc_484517
		mov	ecx, edi
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_484517
		lea	ecx, [eax+2]
		call	MiPaeCheckProcessShadow
		jmp	short loc_484517
; 

loc_48457B:				; CODE XREF: MiUnlockWorkingSetExclusive+D8j
		mov	ecx, edi
		call	MiLockWorkingSetShared
		mov	dl, bl
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		jmp	short loc_48454A
; 

loc_48458D:				; CODE XREF: MiUnlockWorkingSetExclusive+2Aj
		mov	ebx, offset unk_6D3C40
		jmp	loc_4844A6
; 

loc_484597:				; CODE XREF: MiUnlockWorkingSetExclusive+5Dj
		mov	ecx, esi
		call	_MiDeleteDeferredCloneDescriptors@4 ; MiDeleteDeferredCloneDescriptors(x)
		mov	[ebp+var_8], eax
		mov	al, [edi+60h]
		jmp	loc_4844D3
MiUnlockWorkingSetExclusive endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiObtainReferencedSecureVad proc near	; CODE XREF: MmUnsecureVirtualMemory(x)+26p
					; MmStoreAllocateVirtualMemory+BEp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B55E1 SIZE 00000096 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	eax, edx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	[ebp+var_4], eax
		mov	edi, ecx
		mov	dword ptr [eax], 0
		mov	eax, [esi+80h]
		dec	word ptr [esi+13Eh]
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], eax
		nop
		lea	ebx, [eax+134h]
		xor	edx, edx
		mov	ecx, ebx
		mov	[ebp+var_8], ebx
		call	ExAcquirePushLockSharedEx
		or	byte ptr [esi+304h], 2
		nop
		mov	eax, [ebp+var_C]
		test	byte ptr [eax+0FCh], 20h
		jnz	loc_5B55E1
		mov	ebx, [edi+4]
		mov	ecx, ebx
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5B5618
		mov	eax, 1
		lock xadd [edi+14h], eax
		jz	loc_5B562A
		dec	word ptr [esi+13Eh]
		nop
		and	byte ptr [esi+304h], 0FDh
		xor	edx, edx
		mov	ecx, [ebp+var_8]
		mov	eax, 11h
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	short loc_4846A8

loc_484653:				; CODE XREF: MiObtainReferencedSecureVad+100j
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		dec	word ptr [esi+13Eh]
		shr	ebx, 0Ch
		nop
		lea	ecx, [edi+18h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi+304h], 80h
		nop
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	byte ptr [edi+1Ch], 4
		jnz	loc_5B5631
		cmp	ebx, [edi+0Ch]
		jb	loc_5B5660
		cmp	ebx, [edi+10h]
		ja	loc_5B5660
		mov	eax, edi

loc_4846A1:				; CODE XREF: MiObtainReferencedSecureVad+1310C2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4846A8:				; CODE XREF: MiObtainReferencedSecureVad+A1j
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+var_8]
		jmp	short loc_484653
MiObtainReferencedSecureVad endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiLocateAddress(x)
_MiLocateAddress@4 proc	near		; CODE XREF: MiComputeFaultNode:loc_44FAE8p
					; MiCopyOnWrite(x,x,x,x)+4C4p ...
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		mov	eax, [edx+354h]
		test	eax, eax
		jz	short loc_4846EE
		shr	ecx, 0Ch
		cmp	ecx, [eax+0Ch]
		jb	short loc_4846E4
		cmp	ecx, [eax+10h]
		ja	short loc_4846E4
		retn
; 

loc_4846E4:				; CODE XREF: MiLocateAddress(x)+1Cj
					; MiLocateAddress(x)+21j
		mov	eax, [edx+350h]
		test	eax, eax
		jnz	short loc_4846F1

loc_4846EE:				; CODE XREF: MiLocateAddress(x)+14j
					; MiLocateAddress(x)+49j
		xor	eax, eax
		retn
; 

loc_4846F1:				; CODE XREF: MiLocateAddress(x)+2Cj
					; MiLocateAddress(x)+44j
		cmp	ecx, [eax+10h]
		ja	short loc_4846FF
		cmp	ecx, [eax+0Ch]
		jnb	short loc_484707
		mov	eax, [eax]
		jmp	short loc_484702
; 

loc_4846FF:				; CODE XREF: MiLocateAddress(x)+34j
		mov	eax, [eax+4]

loc_484702:				; CODE XREF: MiLocateAddress(x)+3Dj
		test	eax, eax
		jnz	short loc_4846F1
		retn
; 

loc_484707:				; CODE XREF: MiLocateAddress(x)+39j
		test	eax, eax
		jz	short loc_4846EE
		mov	[edx+354h], eax
		retn
_MiLocateAddress@4 endp


;  S U B	R O U T	I N E 


SmKmStoreReference proc	near		; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+CCp
					; SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+66p ...

; FUNCTION CHUNK AT 005B5677 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, edi
		and	esi, 3FFh
		mov	eax, esi
		shr	eax, 5
		mov	eax, [ecx+eax*4]
		test	eax, eax
		jz	short loc_48475B
		and	esi, 1Fh
		imul	esi, 14h
		add	esi, eax
		jz	short loc_48475B
		lea	ecx, [esi+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_48475B
		movzx	ecx, word ptr [esi+10h]
		and	ecx, 3Fh
		shr	edi, 0Ah
		cmp	ecx, edi
		jnz	loc_5B5677
		mov	eax, [esi]

loc_484757:				; CODE XREF: SmKmStoreReference+4Bj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_48475B:				; CODE XREF: SmKmStoreReference+19j
					; SmKmStoreReference+23j ...
		xor	eax, eax
		jmp	short loc_484757
SmKmStoreReference endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall SmKmStoreRefFromStoreIndex(x, x)
_SmKmStoreRefFromStoreIndex@8 proc near	; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+133p
					; SmpPageWrite(x,x,x,x,x,x,x)+BDp ...
		mov	eax, edx
		shr	eax, 5
		mov	ecx, [ecx+eax*4]
		test	ecx, ecx
		jz	short loc_484775
		and	edx, 1Fh
		imul	eax, edx, 14h
		add	eax, ecx
		retn
; 

loc_484775:				; CODE XREF: SmKmStoreRefFromStoreIndex(x,x)+Aj
		xor	eax, eax
		retn
_SmKmStoreRefFromStoreIndex@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete proc	near
					; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmProcessAddCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)+48p
					; SMKM_STORE_MGR<SM_TRAITS>::SmProcessAddCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)+76p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B5684 SIZE 000000B2 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		push	esi
		mov	esi, [edx]
		lea	eax, [ebp-48h]
		push	edi
		push	40h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ebp-6Ch], ecx
		call	_memset
		lea	eax, [ebp-48h]
		mov	dword ptr [ebp-50h], 8
		xor	edx, edx
		mov	[ebp-60h], eax
		mov	eax, [ebx+10h]
		xor	edi, edi
		mov	ecx, eax
		mov	[ebp-80h], edi
		and	ecx, 1
		mov	[ebp-68h], edx
		add	esp, 0Ch
		mov	[ebp-78h], ecx
		mov	ecx, 1
		mov	[ebp-7Ch], edx
		and	eax, 2
		mov	[ebp-5Ch], edx
		mov	[ebp-58h], edx
		mov	[ebp-4Ch], edx
		mov	[ebp-54h], edx
		mov	[ebp-74h], edx
		mov	[ebp-64h], ecx
		mov	[ebx+10h], eax
		jnz	short loc_484830
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, [ebp-6Ch]
		add	ecx, 0F0h
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp-7Ch]
		mov	ecx, 1
		mov	edi, [ebp-80h]
		mov	[ebp-68h], edx
		lea	ecx, [ecx+0]

loc_484830:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+81j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+130F66j
		test	ecx, ecx
		jz	short loc_484862
		mov	ecx, [ebp-6Ch]
		lea	edx, [ebp-60h]
		push	esi
		lea	ecx, [ecx+0F4h]
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		lea	eax, [ebp-60h]
		push	eax
		lea	edx, [ebp-80h]
		call	?BTreeIteratorFromSearchResult@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUITERATOR@1@PAUSEARCH_RESULT@1@@Z ; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeIteratorFromSearchResult(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::ITERATOR *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)
		mov	edx, [ebp-7Ch]
		mov	edi, [ebp-80h]
		mov	dword ptr [ebp-64h], 0
		mov	[ebp-68h], edx

loc_484862:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+B2j
		test	edi, edi
		jnz	loc_4849F5
		xor	ecx, ecx

loc_48486C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+289j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+2ADj
		test	byte ptr [ecx+7], 1
		jnz	loc_5B5684
		cmp	byte ptr [ecx+6], 1
		jnz	short loc_48488A
		cmp	dword ptr [ebp-78h], 0
		jz	loc_484ABE
		mov	byte ptr [ecx+6], 3

loc_48488A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+FAj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+130F0Ej
		mov	ecx, [ebp-64h]

loc_48488D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+377j
		mov	eax, [ebp-74h]
		inc	eax
		mov	[ebp-74h], eax
		cmp	eax, [ebx+8]
		jnz	loc_5B56E2
		cmp	dword ptr [ebx+10h], 0
		jnz	loc_4849E0
		mov	ecx, [ebp-6Ch]
		or	eax, 0FFFFFFFFh
		add	ecx, 0F0h
		mov	[ebp-6Ch], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_484A58

loc_4848C4:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+2E0j
		xor	edi, edi
		mov	[ebp-78h], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4849D4
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp-68h], esi
		cmp	ecx, edx
		jb	short loc_48490C
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_484A32
		cmp	ecx, edx
		jb	short loc_48490C
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_484A32

loc_48490C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+16Cj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+17Dj
		or	eax, 0FFFFFFFFh

loc_48490F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+2C0j
		dec	word ptr [esi+13Eh]
		mov	[ebp-74h], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp-6Dh], dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp-64h], ecx
		test	ecx, ecx
		jz	loc_484A45
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_484A65

loc_484953:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+2EDj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-78h], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp-6Dh], 1
		jnz	loc_5B56FE
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_4849A6:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+2CDj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+130F8Ej
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-74h], eax
		jnz	loc_484A7C

loc_4849BD:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+333j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+130FB1j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4849D4
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	loc_484A72

loc_4849D4:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+14Fj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+246j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_4849E0:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+121j
		mov	ecx, [ebp-4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
; 

loc_4849F5:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+E4j
		movzx	eax, word ptr [edi]
		add	edx, 8
		inc	eax
		mov	[ebp-68h], edx
		mov	ecx, edx
		mov	[ebp-7Ch], edx
		lea	eax, [edi+eax*8]
		cmp	ecx, eax
		jb	loc_48486C
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	short loc_484A24
		lea	edx, [ecx+8]
		mov	edi, ecx
		mov	[ebp-80h], edi
		mov	[ebp-68h], edx
		mov	[ebp-7Ch], edx

loc_484A24:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+294j
		lea	eax, [ecx+8]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		jmp	loc_48486C
; 

loc_484A32:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+175j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+186j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp-6Ch]
		jmp	loc_48490F
; 

loc_484A45:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+1BBj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4849A6
		jmp	loc_5B56EB
; 

loc_484A58:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+13Ej
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-6Ch]
		jmp	loc_4848C4
; 

loc_484A65:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+1CDj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp-64h]
		jmp	loc_484953
; 

loc_484A72:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+24Ej
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4849D4
; 

loc_484A7C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+237j
		test	edi, 8000h
		jnz	loc_484B09

loc_484A88:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+392j
		test	byte ptr [ebp-76h], 1
		jnz	loc_5B5713

loc_484A92:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+130F9Fj
		test	edi, 7FFFh
		jz	short loc_484AA9
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_484AA9:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+318j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4849BD
		jmp	loc_5B5724
; 

loc_484ABE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+100j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+130F08j
		mov	byte ptr [ecx+6], 0
		mov	ecx, [ebp-6Ch]
		add	ecx, 0F4h
		mov	[ebp-64h], ecx
		mov	ecx, [ebp-54h]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_484AFC

loc_484AD6:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+37Ej
		lea	ecx, [ebp-5Ch]

loc_484AD9:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+387j
		cmp	[ecx], edi
		jnz	loc_5B5693
		mov	[ecx+4], edx

loc_484AE4:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+130F29j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+130F5Dj
		mov	ecx, [ebp-64h]
		lea	edx, [ebp-60h]
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx
		mov	ecx, 1
		mov	[ebp-64h], ecx
		jmp	loc_48488D
; 

loc_484AFC:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+354j
		test	ecx, ecx
		jz	short loc_484AD6
		mov	eax, [ebp-60h]
		dec	ecx
		lea	ecx, [eax+ecx*8]
		jmp	short loc_484AD9
; 

loc_484B09:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+302j
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_484A88
SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue proc near
					; CODE XREF: .text:004BA15Cp
					; SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+257p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_3		= byte ptr  0Bh
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B5736 SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	[ebp+arg_0], 0FFh
		lea	eax, [ecx+44h]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		lea	esi, [ecx+3Ch]
		mov	[ebp+var_4], eax
		jz	loc_484C6B
		mov	[ebp+var_4], eax

loc_484B44:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+C0j
					; SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+154j
		mov	eax, [ebp+arg_4]
		xor	ebx, ebx
		test	eax, eax
		jnz	short loc_484B61
		mov	eax, [esi+4]
		mov	eax, [eax]
		and	eax, 0FFFFFFF8h
		cmp	eax, 80h
		jnb	short loc_484B61
		mov	ebx, 4

loc_484B61:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+2Bj
					; SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+3Aj
		mov	edx, [esi+4]
		cmp	edx, esi
		jz	loc_484C4D
		mov	edi, [esi]
		mov	eax, [edi]
		and	eax, 0FFFFFFF8h
		mov	[esi], eax
		cmp	edi, edx
		jnz	loc_484C54
		mov	[esi+4], esi
		mov	dword ptr [esi], 0

loc_484B86:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+12Fj
					; SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+146j
		test	ds:byte_70EFC6,	1
		jnz	loc_5B5736
		mov	eax, [ebp+var_4]
		mov	dword ptr [eax], 0

loc_484B9C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+130C21j
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	loc_484C44
		mov	eax, [edi+18h]
		lea	edx, [edi+0Ch]
		mov	ecx, [ebp+var_8]
		push	ebx
		push	eax
		mov	eax, [edi+44h]
		push	edi
		mov	eax, [eax+10F0h]
		and	eax, 3FFh
		push	eax
		push	1
		call	SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_484BE5

loc_484BD5:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+130C79j
		push	[ebp+var_4]
		call	ExAcquireSpinLockExclusive
		mov	[ebp+arg_0], al
		jmp	loc_484B44
; 

loc_484BE5:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+B3j
		cmp	ebx, 0C0000055h
		jnz	loc_5B5746
		mov	ebx, [ebp+var_4]
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	ecx, [esi+4]
		mov	[ebp+arg_3], al
		mov	edx, [ecx]
		mov	ecx, [edi]
		and	ecx, 7
		shr	edx, 3
		or	ecx, [esi]
		mov	[edi], ecx
		mov	eax, [esi+4]
		mov	[esi], edi
		mov	[ebp+arg_4], eax
		cmp	eax, esi
		jnz	short loc_484C22
		mov	[esi+4], edi
		mov	eax, edi
		mov	[ebp+arg_4], edi

loc_484C22:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+F8j
		mov	eax, [eax]
		lea	ecx, ds:8[edx*8]
		and	eax, 7
		or	ecx, eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[eax], ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+arg_3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_484C44:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+87j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_484C4D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+46j
		xor	edi, edi
		jmp	loc_484B86
; 

loc_484C54:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+57j
		mov	ecx, [edx]
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		dec	eax
		shl	eax, 3
		or	ecx, eax
		mov	[edx], ecx
		jmp	loc_484B86
; 

loc_484C6B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+1Bj
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	[ebp+arg_0], al
		jmp	loc_484B44
SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue endp

; 
		align 10h
; Exported entry 312. ExAcquireSpinLockExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExAcquireSpinLockExclusive
ExAcquireSpinLockExclusive proc	near	; CODE XREF: MiReturnSystemVa(x,x,x,x)+DAp
					; MiMakeSystemRangeAvailable+3Ap ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A7F33 SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		jnz	loc_5A7F33
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		lock bts dword ptr [edi], 1Fh
		jb	short loc_484CC6
		mov	edx, [edi]
		mov	ecx, edx
		and	ecx, 0BFFFFFFFh
		cmp	ecx, 80000000h
		jnz	short loc_484CE3

loc_484CBD:				; CODE XREF: ExAcquireSpinLockExclusive+61j
					; ExAcquireSpinLockExclusive+8Aj
		pop	edi
		pop	esi

loc_484CBF:				; CODE XREF: ExAcquireSpinLockExclusive+1232BDj
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
; 

loc_484CC6:				; CODE XREF: ExAcquireSpinLockExclusive+29j
		mov	dl, bl
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	edx, [edi]
		mov	esi, eax
		mov	ecx, edx
		and	ecx, 0BFFFFFFFh
		cmp	ecx, 80000000h
		jz	short loc_484CBD

loc_484CE3:				; CODE XREF: ExAcquireSpinLockExclusive+3Bj
					; ExAcquireSpinLockExclusive+88j
		test	edx, 40000000h
		jz	short loc_484D0C

loc_484CEB:				; CODE XREF: ExAcquireSpinLockExclusive+9Cj
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jz	loc_5A7F42

loc_484CF8:				; CODE XREF: ExAcquireSpinLockExclusive+1232C9j
		pause

loc_484CFA:				; CODE XREF: ExAcquireSpinLockExclusive+1232D5j
		mov	eax, [edi]

loc_484CFC:				; CODE XREF: ExAcquireSpinLockExclusive+9Ej
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_484CE3
		jmp	short loc_484CBD
; 

loc_484D0C:				; CODE XREF: ExAcquireSpinLockExclusive+69j
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_484CEB
		jmp	short loc_484CFC
ExAcquireSpinLockExclusive endp


;  S U B	R O U T	I N E 


SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate proc	near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+1A1p
					; SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+AAp ...

var_F8		= dword	ptr -0F8h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B579E SIZE 000003CB BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 0E8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		mov	eax, [ebx+10h]
		push	esi
		push	edi
		mov	[ebp-0B0h], eax
		mov	esi, edx
		mov	eax, [ebx+14h]
		push	40h		; size_t
		mov	[ebp-0A8h], eax
		lea	eax, [ebp-48h]
		push	0		; int
		push	eax		; void *
		mov	[ebp-0A4h], esi
		mov	[ebp-8Ch], ecx
		call	_memset
		mov	edi, [esi]
		lea	eax, [ebp-48h]
		mov	esi, [ebp-8Ch]
		add	esp, 0Ch
		mov	ecx, [ebx+18h]
		mov	[ebp-60h], eax
		mov	eax, [ebx+0Ch]
		mov	dword ptr [ebp-0BCh], 0
		lea	esi, [esi+0F0h]
		mov	[ebp-0BCh], ax
		mov	eax, ecx
		and	eax, 2
		mov	dword ptr [ebp-0C8h], 0
		mov	[ebp-88h], eax
		mov	eax, large fs:124h
		mov	dword ptr [ebp-0C4h], 0
		mov	dword ptr [ebp-5Ch], 0
		mov	dword ptr [ebp-58h], 0
		mov	dword ptr [ebp-4Ch], 0
		mov	dword ptr [ebp-54h], 0
		mov	dword ptr [ebp-50h], 8
		mov	dword ptr [ebp-0ACh], 0
		mov	dword ptr [ebp-84h], 0
		mov	dword ptr [ebp-0C0h], 0
		mov	byte ptr [ebp-0BAh], 1
		mov	[ebp-6Ch], esi
		jnz	loc_484EDA
		dec	word ptr [eax+13Eh]
		nop
		test	cl, 4
		jz	loc_48530B
		mov	eax, esi
		mov	dword ptr [ebp-0D0h], 0
		and	eax, 7FFFFFFCh
		mov	[ebp-80h], eax
		jz	loc_4851B9
		mov	edx, large fs:124h
		mov	[ebp-64h], edx
		dec	word ptr [edx+13Eh]
		nop
		inc	byte ptr [edx+1E6h]
		nop
		cmp	byte ptr [edx+1E6h], 1
		jz	loc_4851D1
		mov	dword ptr [ebp-70h], 0
		lea	eax, [edx+5Ch]
		lock bts dword ptr [eax], 10h

loc_484E7B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+547j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+58Bj
		nop
		dec	byte ptr [edx+1E6h]
		lea	eax, [ebp-0D0h]
		mov	ecx, [ebp-64h]
		mov	edx, esi
		push	eax
		call	KiAbThreadRemoveBoosts
		nop
		mov	eax, [ebp-64h]
		add	word ptr [eax+13Eh], 1
		jnz	short loc_484EAE
		nop
		add	eax, 70h
		cmp	[eax], eax
		jz	short loc_484EAE
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_484EAE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+17Fj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+187j
		mov	eax, [ebp-70h]

loc_484EB1:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+49Bj
		lock bts dword ptr [esi], 0
		jnb	loc_4851C0
		test	eax, eax
		jnz	loc_5B579E

loc_484EC4:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130A87j
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, 0C0000055h
		jmp	loc_4850C6
; 

loc_484EDA:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+F5j
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx

loc_484EEB:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+4A2j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+4ACj ...
		mov	eax, [ebp-8Ch]
		add	eax, 0F4h
		mov	[ebp-0A0h], eax
		lea	esp, [esp+0]

loc_484F00:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130D99j
		push	edi
		lea	edx, [ebp-60h]
		mov	ecx, eax
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	eax, [ebp-0A4h]
		lea	edx, [ebp-0B8h]
		mov	dword ptr [ebp-0B8h], 0
		mov	dword ptr [ebp-0B4h], 0
		mov	esi, [eax]
		lea	eax, [ebp-60h]
		push	eax
		call	?BTreeIteratorFromSearchResult@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUITERATOR@1@PAUSEARCH_RESULT@1@@Z ; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeIteratorFromSearchResult(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::ITERATOR *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)
		mov	edx, [ebp-0B8h]
		test	edx, edx
		jz	short loc_484F66
		movzx	eax, word ptr [edx]
		mov	ecx, [ebp-0B4h]
		inc	eax
		add	ecx, 8
		mov	[ebp-0B4h], ecx
		lea	eax, [edx+eax*8]
		cmp	ecx, eax
		jnb	loc_485185

loc_484F5E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+484j
		test	ecx, ecx
		jnz	loc_48526C

loc_484F66:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+21Ej
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+562j
		mov	esi, [ebp-88h]
		test	esi, esi
		jz	loc_4850E0
		mov	dword ptr [ebp-64h], 0

loc_484F7B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+43Aj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130DABj ...
		test	esi, esi
		jnz	loc_48515F
		mov	edx, [ebp-6Ch]
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4852EC

loc_484F97:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+5D6j
		xor	edi, edi
		mov	[ebp-84h], edi
		test	edx, 7FFFFFFCh
		jz	loc_4850B7
		mov	esi, large fs:124h
		mov	eax, edx
		mov	ecx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp-0B0h], esi
		cmp	edx, ecx
		jb	short loc_484FE5
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4851A9
		cmp	edx, ecx
		jb	short loc_484FE5
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4851A9

loc_484FE5:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+2A5j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+2B6j
		or	eax, 0FFFFFFFFh

loc_484FE8:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+494j
		dec	word ptr [esi+13Eh]
		mov	[ebp-0A4h], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	[ebp-65h], cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp-0A8h], ecx
		test	ecx, ecx
		jz	loc_4852B0
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4852FB

loc_485030:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+5E6j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-84h], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp-65h], 1
		jnz	loc_5B5B2B
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_485086:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+598j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130E1Ej
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-0A8h], eax
		jnz	loc_485323

loc_4850A0:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+639j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130E44j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4850B7
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_485319

loc_4850B7:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+285j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+389j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp-64h]

loc_4850C6:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+1B5j
		mov	ecx, [ebp-4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	14h
; 
		jmp	short loc_4850E0
; 
		align 10h

loc_4850E0:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+24Ej
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+3BBj ...
		mov	ecx, [ebp-0A0h]
		lea	edx, [ebp-60h]
		push	edi
		mov	[ebp-0C0h], edi
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	[ebp-64h], eax
		cmp	eax, 0C0000225h
		jnz	loc_5B5AD9
		mov	ecx, [ebp-0A0h]
		lea	eax, [ebp-0C0h]
		push	eax
		lea	edx, [ebp-60h]
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx

loc_485118:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130DC2j
		mov	[ebp-64h], eax
		test	eax, eax
		js	loc_5B5AED
		mov	eax, [ebp-0ACh]
		inc	eax
		mov	[ebp-0ACh], eax
		cmp	eax, [ebx+8]
		jnz	loc_5B5AE7
		push	dword ptr [ebp-0B0h]
		mov	edx, [ebp-8Ch]
		push	dword ptr [ebx+0Ch]
		mov	ecx, [ebp-0A8h]
		call	SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork
		mov	dword ptr [ebp-64h], 0
		jmp	loc_484F7B
; 

loc_48515F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+25Dj
		mov	esi, [ebp-6Ch]
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_485179
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_485179:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+450j
		mov	ecx, esi
		call	KeAbPostRelease
		jmp	loc_4850B7
; 

loc_485185:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+238j
		mov	ecx, [edx+4]
		test	ecx, ecx
		jz	short loc_48519B
		lea	eax, [ecx+8]
		mov	[ebp-0B8h], ecx
		mov	[ebp-0B4h], eax

loc_48519B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+46Aj
		lea	eax, [ecx+8]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		jmp	loc_484F5E
; 

loc_4851A9:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+2AEj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+2BFj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_484FE8
; 

loc_4851B9:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+120j
		xor	eax, eax
		jmp	loc_484EB1
; 

loc_4851C0:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+196j
		test	eax, eax
		jz	loc_484EEB
		or	byte ptr [eax+0Eh], 1
		jmp	loc_484EEB
; 

loc_4851D1:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+146j
		mov	cl, [edx+1E4h]
		mov	dword ptr [ebp-0CCh], 0
		test	cl, cl
		jnz	short loc_485204
		cmp	byte ptr [edx+222h], 0
		lea	ecx, [edx+222h]
		jz	loc_4852C3
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [edx+1E4h]
		or	cl, al

loc_485204:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+4C3j
		movzx	eax, cl
		bsf	ecx, eax
		btr	eax, ecx
		mov	[ebp-0CCh], ecx
		mov	[edx+1E4h], al
		lea	eax, [ecx+ecx*2]
		shl	eax, 4
		add	eax, [edx+1E8h]
		mov	[ebp-70h], eax

loc_485228:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+5B2j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+5C7j
		test	eax, eax
		jz	short loc_4852A3
		mov	edx, dword_6D07D0
		mov	ecx, esi
		shr	ecx, 15h
		cmp	esi, edx
		mov	[ebp-0A0h], edx
		mov	edx, [ebp-64h]
		jb	short loc_48528D
		cmp	byte ptr dword_6D3994[ecx], 1
		jnz	short loc_48528D

loc_48524D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+57Cj
		mov	ecx, [edx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	eax, [ebp-70h]

loc_48525D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+581j
		mov	[eax+14h], ecx
		nop
		mov	ecx, [ebp-80h]
		mov	[eax+10h], ecx
		jmp	loc_484E7B
; 

loc_48526C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+240j
		mov	eax, [ecx]
		mov	[ebp-80h], eax
		cmp	esi, eax
		jnb	loc_5B57AC
		mov	eax, [ebx+8]
		dec	eax
		add	eax, esi
		cmp	eax, [ebp-80h]
		jb	loc_484F66
		jmp	loc_5B57AC
; 

loc_48528D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+522j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+52Bj
		cmp	esi, [ebp-0A0h]
		jb	short loc_48529E
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	short loc_48524D

loc_48529E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+573j
		or	ecx, 0FFFFFFFFh
		jmp	short loc_48525D
; 

loc_4852A3:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+50Aj
		lea	eax, [edx+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_484E7B
; 

loc_4852B0:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+2F8j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_485086
		jmp	loc_5B5B15
; 

loc_4852C3:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+4D2j
		xor	eax, eax
		test	dword ptr ds:byte_70EFC4, 200h
		mov	[ebp-70h], eax
		jz	loc_485228
		mov	ecx, [ebp-64h]
		mov	edx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [ebp-64h]
		xor	eax, eax
		jmp	loc_485228
; 

loc_4852EC:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+271j
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp-6Ch]
		jmp	loc_484F97
; 

loc_4852FB:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+30Aj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp-0A8h]
		jmp	loc_485030
; 

loc_48530B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+106j
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		jmp	loc_484EEB
; 

loc_485319:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+391j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4850B7
; 

loc_485323:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+37Aj
		test	edi, 8000h
		jnz	short loc_485364

loc_48532B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+64Dj
		test	byte ptr [ebp-82h], 1
		jnz	loc_5B5B43

loc_485338:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130E2Fj
		test	edi, 7FFFh
		jz	short loc_48534F
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_48534F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+61Ej
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4850A0
		jmp	loc_5B5B54
; 

loc_485364:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+609j
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_48532B
SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+C1p
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+1E6p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B5B69 SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+14h+var_4], eax
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	[esp+20h+var_8], ebx
		mov	edi, ecx
		cmp	dword ptr [ebx+0Ch], 0FFFFFFFFh
		jz	loc_5B5B69
		mov	dword ptr [ebx+0Ch], 0
		mov	edx, 1
		mov	eax, [edi]
		mov	[esp+20h+var_C], edx
		test	eax, eax
		jz	loc_4854B3
		movzx	ecx, byte ptr [eax+2]

loc_4853B9:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+145j
		cmp	[ebx+10h], ecx
		lea	eax, [ebx+10h]
		jb	loc_5B5B7D

loc_4853C5:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+13082Cj
		mov	ebx, [ebx]

loc_4853C7:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+130808j
		mov	edi, [edi]
		mov	[esp+20h+var_10], ebx
		test	edi, edi
		jz	loc_4854BA
		mov	eax, [ebp+arg_0]

loc_4853D8:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+124j
		mov	ecx, [edi]
		or	esi, 0FFFFFFFFh
		movzx	edx, cx
		shr	ecx, 18h
		test	cl, cl
		jz	short loc_485451
		test	edx, edx
		jz	short loc_485404
		jmp	short loc_4853F0
; 
		align 10h

loc_4853F0:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+7Bj
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+92j
		lea	ecx, [edx+esi]
		shr	ecx, 1
		cmp	[edi+ecx*8+8], eax
		jnb	short loc_48544D
		mov	esi, ecx

loc_4853FD:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+DFj
		lea	ecx, [esi+1]
		cmp	ecx, edx
		jnz	short loc_4853F0

loc_485404:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+79j
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+E3j ...
		cmp	byte ptr [edi+3], 0
		lea	esi, [edi+edx*8]
		jz	short loc_485471
		mov	ecx, [esp+20h+var_10]
		add	esi, 8
		cmp	[esp+20h+var_C], 0
		mov	[ecx], edi
		mov	[ecx+4], esi
		jz	short loc_48542D
		mov	ebx, [esp+20h+var_8]
		sub	ecx, [ebx]
		sar	ecx, 3
		inc	ecx
		mov	[ebx+0Ch], ecx

loc_48542D:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+AEj
		movzx	ecx, word ptr [edi]
		cmp	edx, ecx
		jb	short loc_485499

loc_485434:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+12Bj
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+14Cj ...
		mov	eax, 0C0000225h

loc_485439:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+130822j
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+14h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_48544D:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+89j
		mov	edx, ecx
		jmp	short loc_4853FD
; 

loc_485451:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+75j
		test	edx, edx
		jz	short loc_485404

loc_485455:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+F7j
		lea	ecx, [edx+esi]
		shr	ecx, 1
		cmp	[edi+ecx*8+8], eax
		jnb	short loc_48546B

loc_485460:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey:loc_48546Bj
		mov	esi, ecx

loc_485462:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FFj
		lea	ecx, [esi+1]
		cmp	ecx, edx
		jnz	short loc_485455
		jmp	short loc_485404
; 

loc_48546B:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+EEj
		jz	short loc_485460
		mov	edx, ecx
		jmp	short loc_485462
; 

loc_485471:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+9Bj
		cmp	[esp+20h+var_C], 0
		jz	short loc_48548B
		mov	ebx, [esp+20h+var_10]
		lea	ecx, [esi+8]
		mov	[ebx], edi
		mov	[ebx+4], ecx
		add	ebx, 8
		mov	[esp+20h+var_10], ebx

loc_48548B:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+106j
		test	edx, edx
		jz	short loc_485491
		mov	edi, esi

loc_485491:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+11Dj
		mov	edi, [edi+4]
		jmp	loc_4853D8
; 

loc_485499:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+C2j
		cmp	[esi], eax
		jnz	short loc_485434
		mov	ecx, [esp+20h+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4854B3:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+3Fj
		xor	ecx, ecx
		jmp	loc_4853B9
; 

loc_4854BA:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+5Fj
		test	edx, edx
		jnz	loc_485434
		jmp	loc_5B5BA1
B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	B_TREE<union _SM_PAGE_KEY, struct SMKM_STORE_MGR<struct	SM_TRAITS>::SMKM_FRONTEND_ENTRY, 4096, struct B_TREE_DUMMY_NODE_POOL, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::BTreeIteratorFromSearchResult(struct B_TREE<union _SM_PAGE_KEY, struct	SMKM_STORE_MGR<struct SM_TRAITS>::SMKM_FRONTEND_ENTRY, 4096, struct B_TREE_DUMMY_NODE_POOL, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>> *, struct	B_TREE<union _SM_PAGE_KEY, struct SMKM_STORE_MGR<struct	SM_TRAITS>::SMKM_FRONTEND_ENTRY, 4096, struct B_TREE_DUMMY_NODE_POOL, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::ITERATOR *, struct B_TREE<union _SM_PAGE_KEY, struct SMKM_STORE_MGR<struct SM_TRAITS>::SMKM_FRONTEND_ENTRY, 4096, struct B_TREE_DUMMY_NODE_POOL, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::SEARCH_RESULT *)
?BTreeIteratorFromSearchResult@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUITERATOR@1@PAUSEARCH_RESULT@1@@Z proc	near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+CDp
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+211p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+0Ch]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4854FD
		test	eax, eax
		jz	short loc_4854FD
		mov	ecx, [ecx]
		lea	ecx, [ecx+eax*8]
		add	ecx, 0FFFFFFF8h

loc_4854EC:				; CODE XREF: B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeIteratorFromSearchResult(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::ITERATOR *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)+30j
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		sub	ecx, 8
		mov	[edx], eax
		mov	[edx+4], ecx
		pop	ebp
		retn	4
; 

loc_4854FD:				; CODE XREF: B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeIteratorFromSearchResult(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::ITERATOR *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)+Ej
					; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeIteratorFromSearchResult(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::ITERATOR *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)+12j
		add	ecx, 4
		jmp	short loc_4854EC
?BTreeIteratorFromSearchResult@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUITERATOR@1@PAUSEARCH_RESULT@1@@Z endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+3F3p
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+BFp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B5BB3 SIZE 0000008C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ecx]
		mov	[ebp+var_C], ecx
		push	esi
		push	edi
		mov	edi, edx
		test	eax, eax
		jz	loc_485685
		movzx	eax, byte ptr [eax+2]

loc_48552D:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+177j
		lea	edx, [edi+10h]
		mov	esi, [edi+0Ch]
		cmp	[edx], eax
		jbe	loc_5B5BB3

loc_48553B:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+1306C2j
		push	ebx
		test	esi, esi
		jz	loc_48568C
		mov	eax, [edi]
		lea	ebx, [esi-1]
		lea	ebx, [eax+ebx*8]

loc_48554C:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+1A4j
		mov	esi, [ebx]
		mov	edx, [esi]
		cmp	dx, 1FFh
		jnb	short loc_4855A0

loc_485557:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+11Fj
		mov	edi, [ebx+4]
		movzx	eax, dx
		shl	eax, 3
		sub	eax, edi
		add	eax, 8
		add	eax, esi
		cmp	byte ptr [esi+3], 0
		push	eax		; size_t
		push	edi		; void *
		lea	eax, [edi+8]
		push	eax		; void *
		jz	loc_48566B
		call	_memmove
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		mov	eax, [ebp+var_C]
		inc	dword ptr [eax+4]

loc_485592:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+170j
		inc	word ptr [esi]
		xor	eax, eax

loc_485597:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+13072Aj
		pop	ebx

loc_485598:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+1306BAj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4855A0:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+45j
		mov	eax, [ebx+4]
		sub	eax, esi
		sub	eax, 8
		sar	eax, 3
		mov	[ebp+var_4], eax
		cmp	esi, [ecx]
		jz	loc_4856B9
		mov	edx, edi
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute
		mov	ecx, [ebx-4]
		mov	[ebp+var_8], eax
		test	al, 1
		jz	loc_5B5BD7
		mov	eax, 0FFFFFFF8h

loc_4855D0:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+1306CCj
		mov	edx, [esi]
		add	eax, ecx
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_10], eax

loc_4855DA:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+1B7j
		movzx	eax, dx
		mov	[ebp+var_14], eax
		cmp	eax, 1FFh
		mov	eax, [ebp+var_4]
		jnb	short loc_485634
		mov	ecx, [ebp+var_8]
		test	cl, 1
		jz	loc_5B5C13
		add	eax, 0FFFFFE01h
		shr	edx, 18h
		add	eax, [ebp+var_14]
		and	ecx, 0FFFFFFFEh
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], eax
		test	dl, dl
		jz	loc_5B5BEF
		test	eax, eax
		jle	loc_5B5BE1

loc_48561A:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+1306E1j
		cmp	esi, ecx
		jz	loc_5B5C08

loc_485622:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+148j
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+159j ...
		lea	eax, [eax+1]
		mov	[ebx], esi
		lea	eax, [esi+eax*8]
		mov	[ebx+4], eax
		mov	edx, [esi]
		jmp	loc_485557
; 

loc_485634:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+D8j
		mov	edx, edi
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild
		mov	edx, eax
		test	edx, edx
		jz	loc_5B5C35
		mov	ecx, [edi+0Ch]
		mov	eax, [edi]
		dec	ecx
		lea	ebx, [eax+ecx*8]
		mov	ecx, [esi]
		mov	eax, [ebp+var_4]
		movzx	edi, cx
		cmp	eax, edi
		jle	short loc_485622
		shr	ecx, 18h
		sub	eax, edi
		test	cl, cl
		jz	short loc_4856CC

loc_485663:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+1BDj
		add	dword ptr [ebx-4], 8
		mov	esi, edx
		jmp	short loc_485622 ; void	*
; 

loc_48566B:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+61j
		call	_memmove
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		jmp	loc_485592
; 

loc_485685:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+13j
		xor	eax, eax
		jmp	loc_48552D
; 

loc_48568C:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+2Ej
		push	1
		mov	edx, 1
		call	?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@@@PAU1@KK@Z ; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)
		mov	ecx, [ebp+var_C]
		mov	[ecx], eax
		test	eax, eax
		jz	loc_5B5C35
		mov	ebx, [edi]
		mov	[ebx], eax
		mov	eax, [ecx]
		add	eax, 8
		mov	[ebx+4], eax
		inc	dword ptr [edi+0Ch]
		jmp	loc_48554C
; 

loc_4856B9:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+A0j
		mov	[ebp+var_10], 0
		mov	[ebp+var_8], 0
		jmp	loc_4855DA
; 

loc_4856CC:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+151j
		dec	eax
		jmp	short loc_485663
B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx endp

; 
		align 10h

ExGenRandom:				; CODE XREF: RtlRandomEx(x)+8p
					; RtlpHeapGenerateRandomValue64()+7p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	dword ptr [ebp-4], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _ExpLFGRngLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	esi, 1
		jnz	short loc_485705
		mov	ecx, _ExpRemainingLeftoverBootRngData
		test	ecx, ecx
		jnz	short loc_48576F

loc_485705:				; CODE XREF: .text:004856F9j
		imul	ecx, esi, 0E4h
		add	ecx, offset _ExpLFGRngState
		call	_RtlpSampleLFGRng@4 ; RtlpSampleLFGRng(x)
		mov	esi, eax

loc_485718:				; CODE XREF: .text:0048579Bj
		test	ds:byte_70EFC6,	1
		jnz	loc_5B5C3F
		xor	eax, eax
		lock and [edi],	eax

loc_48572A:				; CODE XREF: .text:005B5C49j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, ds:_KeFeatureBits
		xor	esi, _ExpRNGAuxiliarySeed
		and	eax, 2000000h
		or	eax, 0
		jz	short loc_485766
		xor	ecx, ecx
		lea	esp, [esp+0]
; 
dword_485750	dd 0B8F7C70Fh, 0	; CODE XREF: .text:004857A4j
; 
		mov	edx, 1
		cmovb	eax, edx
		test	eax, eax
		jz	short loc_4857A0
		xor	esi, edi

loc_485766:				; CODE XREF: .text:00485745j
					; .text:004857A6j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48576F:				; CODE XREF: .text:00485703j
		dec	ecx
		mov	esi, _ExpLeftoverBootRngData[ecx*4]
		lea	eax, _ExpLeftoverBootRngData[ecx*4]
		mov	_ExpRemainingLeftoverBootRngData, ecx
		mov	ecx, 4
		lea	esp, [esp+0]

loc_485790:				; CODE XREF: .text:00485799j
		mov	byte ptr [eax],	0
		lea	eax, [eax+1]
		sub	ecx, 1
		jnz	short loc_485790
		jmp	loc_485718
; 

loc_4857A0:				; CODE XREF: .text:00485762j
		inc	ecx
		cmp	ecx, 0Ah
		jb	short near ptr dword_485750
		jmp	short loc_485766
; 
		align 10h

;  S U B	R O U T	I N E 


SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+42Ep
					; SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+C8p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B5C4E SIZE 000000B1 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		mov	esi, ecx
		mov	dword ptr [ebp-20h], 0
		push	edi
		mov	eax, edx
		mov	[ebp-8], esi
		lea	ecx, [ebp-28h]
		mov	[ebp-4], eax
		mov	[ebp-24h], ecx
		lea	edx, [ebp-28h]
		mov	ecx, [ebx+0Ch]
		push	edx
		push	ecx
		push	ecx
		mov	edi, [ecx]
		mov	edx, eax
		mov	ecx, esi
		mov	dword ptr [ebp-1Ch], 0
		mov	dword ptr [ebp-28h], 0
		and	edi, 7
		call	SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue
		mov	esi, eax
		test	esi, esi
		js	loc_5B5C90
		mov	esi, [ebx+8]
		cmp	edi, 2
		jz	loc_48589C

loc_48581F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+141j
					; SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+151j ...
		mov	edi, [ebp-24h]
		lea	eax, [ebp-28h]
		cmp	edi, eax
		jz	loc_5B5C68
		mov	edx, [ebp-28h]
		mov	eax, [edx]
		and	eax, 0FFFFFFF8h
		mov	[ebp-28h], eax
		cmp	edx, edi
		jnz	loc_5B5C6F
		lea	eax, [ebp-28h]
		mov	dword ptr [ebp-28h], 0
		mov	[ebp-24h], eax

loc_48584D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+1304BAj
					; SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+1304D4j
		mov	edi, [ebp-4]
		and	esi, 3FFh
		mov	eax, esi
		shr	eax, 5
		mov	ecx, [edi+eax*4]
		test	ecx, ecx
		jz	loc_5B5C89
		and	esi, 1Fh
		lea	eax, [esi+esi*4]
		lea	ecx, [ecx+eax*4]

loc_48586F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+1304DBj
		mov	ecx, [ecx]
		push	0
		call	_SmWorkItemQueue@12 ; SmWorkItemQueue(x,x,x)

loc_485878:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+1CEj
		mov	dword ptr [ebp-20h], 0
		xor	esi, esi

loc_485881:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+1304E8j
					; SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+130501j ...
		mov	edx, [ebp-24h]
		lea	eax, [ebp-28h]
		cmp	edx, eax
		jnz	loc_5B5CB6
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_48589C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+69j
		mov	edi, [ebp-4]
		mov	ecx, [edi+468h]
		test	ecx, ecx
		jz	short loc_4858CD
		xor	eax, eax
		mov	[ebp-10h], si
		mov	[ebp-0Eh], ax
		mov	eax, [ebp-8]
		push	5
		mov	eax, [eax]
		mov	[ebp-18h], eax
		mov	eax, [ebx+0Ch]
		mov	eax, [eax+0Ch]
		mov	[ebp-14h], eax
		lea	eax, [ebp-18h]
		push	eax
		push	edi
		call	ecx

loc_4858CD:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+F7j
		mov	eax, large fs:124h
		mov	edx, esi
		and	edx, 3FFh
		mov	[ebp-8], eax
		mov	ecx, edi
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		mov	eax, [eax]
		mov	[ebp-0Ch], eax
		test	byte ptr [eax+10F5h], 4
		jz	loc_48581F
		mov	edi, [ebx+0Ch]
		test	dword ptr [edi+4], 4000000h
		jz	loc_48581F
		mov	ecx, [ebp-8]
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 2
		jl	loc_48581F
		mov	esi, [ebp-24h]
		lea	eax, [ebp-28h]
		lea	edx, [edi+20h]
		cmp	esi, eax
		jz	short loc_485945
		mov	ecx, [ebp-28h]
		mov	eax, [ecx]
		and	eax, 0FFFFFFF8h
		mov	[ebp-28h], eax
		cmp	ecx, esi
		jnz	loc_5B5C4E
		lea	eax, [ebp-28h]
		mov	dword ptr [ebp-28h], 0
		mov	[ebp-24h], eax

loc_485945:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+173j
					; SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+1304B3j
		xor	eax, eax
		mov	ecx, 6
		mov	edi, edx
		rep stosd
		mov	eax, [ebp-0Ch]
		mov	edi, [ebp-4]
		mov	[edx+10h], eax
		mov	eax, [ebp-8]
		lea	ecx, [edi+0FCh]
		mov	[edx+14h], ecx
		cmp	dword ptr [eax+150h], offset _KiInitialProcess
		jz	short loc_485983
		movsx	eax, byte ptr [eax+87h]

loc_485978:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+1D8j
		push	eax
		call	SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert
		jmp	loc_485878
; 

loc_485983:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+1BFj
		mov	eax, 1
		jmp	short loc_485978
SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork endp

; 
		align 10h

;  S U B	R O U T	I N E 


SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+54p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B5CFF SIZE 0000007A BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		mov	esi, [ebx+0Ch]
		mov	[ebp-8], edx
		push	edi
		xor	edi, edi
		mov	[ebp-4], ecx
		mov	edx, [esi]
		lea	ecx, [ebp-20h]
		mov	eax, edx
		mov	[ebp-1Ch], ecx
		and	al, 7
		mov	[ebp-20h], edi
		mov	[ebp-10h], edi
		cmp	al, 2
		jz	loc_485A53

loc_4859D2:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+114j
		mov	eax, [ecx]
		and	edx, 7
		shr	eax, 3
		lea	eax, ds:8[eax*8]
		or	eax, edx
		mov	[esi], eax
		mov	eax, [ecx]
		and	eax, 7
		or	eax, esi
		mov	[ecx], eax
		lea	eax, [ebp-20h]
		cmp	esi, eax
		mov	[ebp-1Ch], esi
		mov	eax, [ebx+10h]
		jz	loc_5B5D11
		mov	ecx, [ebp-20h]
		xor	edx, edx
		mov	[eax+4], esi
		lea	esi, [ebp-20h]
		mov	[eax], ecx
		mov	[ebp-1Ch], esi
		mov	[ebp-20h], edx

loc_485A12:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+130384j
		test	edi, edi
		jnz	loc_485AA9

loc_485A1A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+121j
		mov	ecx, [ebp-4]
		mov	[ebp-0Ch], edi
		mov	[eax+0Ch], ecx
		mov	dword ptr [ebp-14h], 0

loc_485A2A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+13037Cj
		mov	edi, [ebp-4]
		lea	ecx, [ecx+0]

loc_485A30:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+1303C8j
		lea	eax, [ebp-20h]
		cmp	esi, eax
		jnz	loc_5B5D19
		cmp	dword ptr [ebp-0Ch], 0
		jnz	loc_5B5D5D

loc_485A45:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+1303E4j
		mov	eax, [ebp-14h]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
; 

loc_485A53:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+3Cj
		mov	eax, [ebp-8]
		mov	edx, [esi+8]
		mov	[ebp-10h], edx
		mov	eax, [eax+464h]
		test	al, 2
		jz	short loc_485AA2
		xor	ecx, ecx
		test	al, 1
		jz	short loc_485A7A
		cmp	dword ptr [edx+14h], 1000h
		ja	short loc_485A7A
		mov	ecx, 1

loc_485A7A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+DAj
					; SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+E3j
		push	ecx
		mov	ecx, [ebp-8]
		push	edx
		push	dword ptr [ebp-4]
		mov	edx, 5
		lea	ecx, [ecx+3ACh]
		call	SmFpAllocate
		mov	edi, eax
		mov	[ebp-0Ch], edi
		test	edi, edi
		jz	loc_5B5CFF
		mov	ecx, [ebp-1Ch]

loc_485AA2:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+D4j
		mov	edx, [esi]
		jmp	loc_4859D2
; 

loc_485AA9:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+84j
		mov	ecx, [ebp-10h]
		xor	edi, edi
		mov	[eax+8], ecx
		jmp	loc_485A1A
SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStWorkItemQueue proc near
					; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoreRequestEx(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,_KEVENT	*,_IO_STATUS_BLOCK *)+29p
					; ST_STORE<SM_TRAITS>::StDmLazyWorkItemQueue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+40p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B5D79 SIZE 000000E1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, [ebx]
		and	edi, 7
		cmp	edi, 2
		jz	loc_485C44

loc_485ADD:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+18Bj
		test	byte ptr [esi+10F5h], 1
		jnz	loc_485C32
		mov	ecx, [ebp+arg_0]
		mov	eax, ecx
		and	eax, 4
		mov	[ebp+var_10], eax
		jnz	short loc_485AFE
		lock inc dword ptr [esi+12BCh]

loc_485AFE:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+35j
		mov	eax, ecx
		and	eax, 1
		mov	[ebp+var_14], eax
		jnz	loc_5B5D88
		cmp	edi, 2
		jz	loc_5B5D9A

loc_485B15:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+1302E1j
		mov	[ebp+var_C], 112Ch
		mov	eax, 1118h

loc_485B21:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+1302D5j
					; SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+1302F4j
		mov	[ebp+var_8], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [esi+1108h]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_8]
		add	eax, esi
		mov	ecx, [eax+4]
		mov	edx, [ecx]
		mov	ecx, [ebx]
		and	ecx, 7
		test	byte ptr [ebp+arg_0], 2
		jnz	loc_485CD0
		and	edx, 0FFFFFFF8h
		add	edx, 8
		or	ecx, edx
		mov	[ebx], ecx
		mov	ecx, [eax+4]
		mov	eax, [ecx]
		and	eax, 7
		or	eax, ebx
		mov	[ecx], eax
		mov	eax, [ebp+var_8]
		mov	[eax+esi+4], ebx

loc_485B6E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+23Ej
		cmp	dword ptr [esi+112Ch], 0
		jnz	short loc_485B8C
		cmp	dword ptr [esi+1128h], 0
		jnz	short loc_485B8C
		lea	eax, [esi+1138h]
		push	eax
		call	KeQueryTickCount

loc_485B8C:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+B5j
					; SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+BEj
		mov	ecx, [ebp+var_C]
		mov	eax, [esi+ecx]
		inc	eax
		mov	[esi+ecx], eax
		cmp	edi, 2
		jz	loc_5B5DB9

loc_485B9F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+130300j
					; SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+130339j
		test	ds:byte_70EFC6,	1
		jnz	loc_5B5DFE
		xor	ecx, ecx
		lea	eax, [esi+1108h]
		lock and [eax],	ecx

loc_485BB7:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+13034Cj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_10], 0
		mov	ecx, large fs:124h
		jnz	short loc_485C32
		mov	al, [esi+10F6h]
		movzx	eax, al
		cmp	eax, 4
		jnz	short loc_485C3B
		mov	edx, [esi+12B8h]

loc_485BE1:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+182j
		cmp	[ebp+var_14], 0
		jnz	loc_5B5E11
		cmp	edi, 2
		jz	loc_5B5E18

loc_485BF4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+130363j
					; SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+13038Bj
		mov	ecx, edx

loc_485BF6:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+130385j
		mov	eax, [esi+1178h]
		cmp	dword ptr [eax+150h], offset _KiInitialProcess
		jz	loc_5B5E50
		movsx	edx, byte ptr [eax+87h]

loc_485C13:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+130395j
		cmp	ecx, edx
		jg	loc_485D03

loc_485C1B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+24Aj
		push	0
		push	0
		lea	eax, [esi+1148h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		lock dec dword ptr [esi+12BCh]

loc_485C32:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+24j
					; SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+10Bj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_485C3B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+119j
		mov	edx, ds:?PriorityByMemoryCondition@?1??SmStGetPriorityByMemoryCondition@?$SMKM_STORE@USM_TRAITS@@@@SGJW4_SMP_MEMORY_CONDITION@@J@Z@4PAJA[eax*4]	; long * `SMKM_STORE<SM_TRAITS>::SmStGetPriorityByMemoryCondition(_SMP_MEMORY_CONDITION,long)'::`2'::PriorityByMemoryCondition
		jmp	short loc_485BE1
; 

loc_485C44:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+17j
		test	byte ptr [esi+10F5h], 4
		jz	loc_485ADD
		call	SMKM_STORE_SM_TRAITS___SmStDirectRead
		test	eax, eax
		jnz	short loc_485C32
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [esi+1250h]
		mov	byte ptr [ebp+arg_0+3],	al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi+124Ch]
		mov	eax, [ebx]
		and	eax, 7
		mov	ecx, [ecx]
		and	ecx, 0FFFFFFF8h
		add	ecx, 8
		or	eax, ecx
		mov	[ebx], eax
		mov	edx, [esi+124Ch]
		mov	eax, [edx]
		and	eax, 7
		or	eax, ebx
		mov	[edx], eax
		mov	[esi+124Ch], ebx
		test	ds:byte_70EFC6,	1
		jnz	loc_5B5D79
		xor	eax, eax
		lock and [edi],	eax

loc_485CAE:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+1302C3j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	0
		add	esi, 1238h
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_485CD0:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+8Bj
		or	ecx, [eax]
		mov	[ebx], ecx
		mov	ecx, [eax+4]
		shr	edx, 3
		mov	[eax], ebx
		mov	[ebp+arg_0], ecx
		cmp	ecx, eax
		jnz	short loc_485CEB
		mov	[eax+4], ebx
		mov	ecx, ebx
		mov	[ebp+arg_0], ebx

loc_485CEB:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+221j
		mov	ecx, [ecx]
		lea	eax, ds:8[edx*8]
		and	ecx, 7
		or	ecx, eax
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	loc_485B6E
; 

loc_485D03:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+155j
		push	ecx
		push	eax
		call	KeSetActualBasePriorityThread
		jmp	loc_485C1B
SMKM_STORE_SM_TRAITS___SmStWorkItemQueue endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTraceSiloKernelEvent	proc near	; CODE XREF: EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)+110p
					; EtwpTraceIo+15Bp ...

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005B5E5A SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, ds:_EtwpHostSiloState
		push	edi
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		mov	esi, [esi+924h]
		bsf	edi, esi
		mov	[ebp+var_C], 0
		jz	short loc_485D8D
		lea	esp, [esp+0]

loc_485D40:				; CODE XREF: EtwTraceSiloKernelEvent+78j
		mov	edx, ds:_EtwpHostSiloState
		lea	eax, [esi-1]
		and	esi, eax
		mov	eax, edi
		shl	eax, 5
		lea	ecx, [edx+948h]
		add	ecx, eax
		jz	short loc_485D85
		mov	eax, ebx
		shr	eax, 1Dh
		mov	eax, [ecx+eax*4]
		and	eax, ebx
		test	eax, 1FFFFFFFh
		jz	short loc_485D85
		push	[ebp+arg_C]
		movzx	eax, byte ptr [edx+edi*2+914h]
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_4]
		push	[ebp+arg_0]
		push	eax
		call	EtwpLogKernelEvent

loc_485D85:				; CODE XREF: EtwTraceSiloKernelEvent+48j
					; EtwTraceSiloKernelEvent+59j
		bsf	edi, esi
		jnz	short loc_485D40
		mov	ecx, [ebp+var_8]

loc_485D8D:				; CODE XREF: EtwTraceSiloKernelEvent+2Aj
		test	ecx, ecx
		jnz	loc_5B5E5A

loc_485D95:				; CODE XREF: EtwTraceSiloKernelEvent+130158j
					; EtwTraceSiloKernelEvent+130167j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
EtwTraceSiloKernelEvent	endp


;  S U B	R O U T	I N E 


PpmPerfReadFeedback proc near

; FUNCTION CHUNK AT 005B5EC8 SIZE 0000000E BYTES

		mov	edi, edi
		push	esi
		mov	esi, _PpmPerfControlReadFeedback
		test	esi, esi
		jnz	loc_5B5EC8

loc_485DAF:				; CODE XREF: PpmPerfReadFeedback+130133j
		setz	al
		pop	esi
		retn
PpmPerfReadFeedback endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmCheckSnapAllUtility()
_PpmCheckSnapAllUtility@0 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	[ebp+var_4], 0
		call	PpmParkSnapNodeStatistics
		mov	esi, dword_6B5BAC
		lea	esp, [esp+0]

loc_485DE0:				; CODE XREF: PpmCheckSnapAllUtility()+4Bj
		test	esi, esi
		jz	short loc_485E0D
		bsf	eax, esi
		mov	[ebp+var_4], eax
		btr	esi, eax
		mov	eax, ds:_KeNumberProcessors
		mov	ecx, [ebp+var_4]
		cmp	ecx, eax
		jnb	short loc_485E14
		mov	ecx, ds:_KiProcessorBlock[ecx*4]

loc_485E00:				; CODE XREF: PpmCheckSnapAllUtility()+56j
		add	ecx, 3EA0h
		call	PpmPerfSnapUtility
		jmp	short loc_485DE0
; 

loc_485E0D:				; CODE XREF: PpmCheckSnapAllUtility()+22j
		mov	al, 1
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_485E14:				; CODE XREF: PpmCheckSnapAllUtility()+37j
		xor	ecx, ecx
		jmp	short loc_485E00
_PpmCheckSnapAllUtility@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfSnapUtility proc	near		; CODE XREF: PpmCheckSnapAllUtility()+46p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B5ED6 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	ebx, ecx
		mov	eax, [ebx+8]
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_4860DF
		mov	ecx, [eax+0A0h]
		mov	edx, [eax+0A4h]
		push	esi
		lea	esi, [eax+80h]
		push	edi
		lea	edi, [eax+20h]
		mov	eax, [esi]
		sub	eax, [edi]
		mov	[ebp+var_30], eax
		mov	eax, [esi+4]
		sbb	eax, [edi+4]
		mov	[ebp+var_34], eax
		mov	eax, [esi+8]
		sub	eax, [edi+8]
		mov	[ebp+var_C], eax
		mov	eax, [esi+0Ch]
		sbb	eax, [edi+0Ch]
		sub	ecx, [edi+20h]
		mov	[ebp+var_10], eax
		sbb	edx, [edi+24h]
		mov	eax, [esi+30h]
		sub	eax, [edi+30h]
		mov	[ebp+var_4], eax
		mov	eax, [esi+34h]
		sbb	eax, [edi+34h]
		mov	[ebp+var_8], eax
		mov	eax, [esi+38h]
		sub	eax, [edi+38h]
		mov	[ebp+var_24], eax
		mov	eax, [esi+3Ch]
		sbb	eax, [edi+3Ch]
		cmp	[ebp+var_10], 0
		mov	[ebp+var_28], eax
		ja	loc_486173
		jb	loc_4860E4
		mov	eax, [ebp+var_C]
		cmp	eax, 1
		jb	loc_4860E4

loc_485EB8:				; CODE XREF: PpmPerfSnapUtility+356j
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_10]

loc_485EBE:				; CODE XREF: PpmPerfSnapUtility+2CDj
		push	eax
		push	[ebp+var_1C]
		push	edx
		push	ecx
		call	__aulldiv
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_14], eax
		test	ecx, ecx
		ja	loc_48617B
		jb	loc_4860F2
		mov	eax, [ebp+var_4]
		cmp	eax, 1
		jb	loc_4860F2

loc_485EE9:				; CODE XREF: PpmPerfSnapUtility+35Ej
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], ecx

loc_485EEF:				; CODE XREF: PpmPerfSnapUtility+2E0j
		mov	eax, [ebp+var_28]
		mov	ecx, 64h
		push	[ebp+var_1C]
		mul	ecx
		push	[ebp+var_20]
		mov	ecx, eax
		mov	edx, 64h
		mov	eax, [ebp+var_24]
		mul	edx
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		movzx	ecx, al
		mov	[ebp+var_28], ecx
		cmp	ecx, 64h
		ja	loc_486167

loc_485F23:				; CODE XREF: PpmPerfSnapUtility+34Ej
		cmp	[ebp+var_14], 0
		mov	eax, [ebx+4]
		mov	[ebp+var_1C], eax
		jz	loc_486105

loc_485F33:				; CODE XREF: PpmPerfSnapUtility+2F3j
					; PpmPerfSnapUtility+1300BDj
		mov	eax, [esi+40h]
		sub	eax, [edi+40h]
		mov	edx, [esi+44h]
		sbb	edx, [edi+44h]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_2C], eax
		test	ecx, ecx
		ja	loc_486183
		jb	loc_486118
		mov	eax, [ebp+var_4]
		cmp	eax, 1
		jb	loc_486118

loc_485F5F:				; CODE XREF: PpmPerfSnapUtility+366j
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], ecx

loc_485F65:				; CODE XREF: PpmPerfSnapUtility+306j
		push	[ebp+var_20]
		mov	eax, edx
		mov	ecx, 64h
		push	[ebp+var_24]
		mul	ecx
		mov	edx, 64h
		mov	ecx, eax
		mov	eax, [ebp+var_2C]
		mul	edx
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	cl, al
		cmp	cl, 64h
		ja	loc_5B5EE2

loc_485F94:				; CODE XREF: PpmPerfSnapUtility+1300C4j
		mov	eax, [ebp+var_18]
		mov	[eax+148h], cl
		mov	eax, [esi+48h]
		sub	eax, [edi+48h]
		mov	edx, [esi+4Ch]
		sbb	edx, [edi+4Ch]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_2C], eax
		test	ecx, ecx
		ja	loc_48618B
		jb	loc_48612B
		mov	eax, [ebp+var_4]
		cmp	eax, 1
		jb	loc_48612B

loc_485FC9:				; CODE XREF: PpmPerfSnapUtility+36Ej
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], ecx

loc_485FCF:				; CODE XREF: PpmPerfSnapUtility+319j
		push	[ebp+var_24]
		mov	eax, edx
		mov	ecx, 64h
		push	[ebp+var_20]
		mul	ecx
		mov	edx, 64h
		mov	ecx, eax
		mov	eax, [ebp+var_2C]
		mul	edx
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	cl, al
		cmp	cl, 64h
		ja	loc_5B5EE9

loc_485FFE:				; CODE XREF: PpmPerfSnapUtility+1300CBj
		mov	eax, [ebp+var_18]
		mov	[eax+149h], cl
		mov	eax, [esi+50h]
		sub	eax, [edi+50h]
		mov	[ebp+var_2C], eax
		mov	eax, [esi+54h]
		sbb	eax, [edi+54h]
		cmp	[ebp+var_8], 0
		ja	short loc_48602C
		jb	loc_48613E
		cmp	[ebp+var_4], 1
		jb	loc_48613E

loc_48602C:				; CODE XREF: PpmPerfSnapUtility+1FAj
					; PpmPerfSnapUtility+32Cj
		push	[ebp+var_8]
		mov	ecx, 64h
		push	[ebp+var_4]
		mul	ecx
		mov	edx, 64h
		mov	ecx, eax
		mov	eax, [ebp+var_2C]
		mul	edx
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	cl, al
		cmp	cl, 64h
		ja	loc_5B5EF0

loc_486059:				; CODE XREF: PpmPerfSnapUtility+1300D2j
		cmp	[ebp+var_1C], 0
		mov	eax, [ebp+var_18]
		mov	[eax+14Ah], cl
		mov	eax, [ebp+var_28]
		mov	[ebx+20h], ax
		jz	short loc_4860BE
		mov	eax, [esi+18h]
		sub	eax, [edi+18h]
		mov	ecx, [esi+1Ch]
		sbb	ecx, [edi+1Ch]
		cmp	[ebp+var_10], 0
		ja	loc_486193
		jb	loc_486151
		mov	edx, [ebp+var_C]
		cmp	edx, 1
		jb	loc_486151

loc_486097:				; CODE XREF: PpmPerfSnapUtility+376j
		mov	[ebp+var_28], edx
		mov	edx, [ebp+var_10]

loc_48609D:				; CODE XREF: PpmPerfSnapUtility+33Aj
		push	edx
		push	[ebp+var_28]
		push	ecx
		push	eax
		call	__aulldiv
		mov	ecx, eax
		mov	eax, [ebp+var_1C]
		test	ecx, ecx
		jz	loc_48615F

loc_4860B5:				; CODE XREF: PpmPerfSnapUtility+342j
		mov	[eax+64h], ecx
		mov	ecx, [ebp+var_14]
		mov	[eax+68h], ecx

loc_4860BE:				; CODE XREF: PpmPerfSnapUtility+24Dj
		mov	eax, [ebp+var_C]
		mov	ecx, 18h
		rep movsd
		add	[ebx+40h], eax
		mov	eax, [ebp+var_10]
		adc	[ebx+44h], eax
		mov	eax, [ebp+var_30]
		add	[ebx+48h], eax
		mov	eax, [ebp+var_34]
		adc	[ebx+4Ch], eax
		pop	edi
		pop	esi

loc_4860DF:				; CODE XREF: PpmPerfSnapUtility+13j
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4860E4:				; CODE XREF: PpmPerfSnapUtility+86j
					; PpmPerfSnapUtility+92j
		mov	[ebp+var_1C], 1
		xor	eax, eax
		jmp	loc_485EBE
; 

loc_4860F2:				; CODE XREF: PpmPerfSnapUtility+B7j
					; PpmPerfSnapUtility+C3j
		mov	[ebp+var_20], 1
		mov	[ebp+var_1C], 0
		jmp	loc_485EEF
; 

loc_486105:				; CODE XREF: PpmPerfSnapUtility+10Dj
		test	eax, eax
		jz	loc_5B5ED6
		mov	eax, [eax+68h]
		mov	[ebp+var_14], eax
		jmp	loc_485F33
; 

loc_486118:				; CODE XREF: PpmPerfSnapUtility+12Dj
					; PpmPerfSnapUtility+139j
		mov	[ebp+var_24], 1
		mov	[ebp+var_20], 0
		jmp	loc_485F65
; 

loc_48612B:				; CODE XREF: PpmPerfSnapUtility+197j
					; PpmPerfSnapUtility+1A3j
		mov	[ebp+var_20], 1
		mov	[ebp+var_24], 0
		jmp	loc_485FCF
; 

loc_48613E:				; CODE XREF: PpmPerfSnapUtility+1FCj
					; PpmPerfSnapUtility+206j
		mov	[ebp+var_4], 1
		mov	[ebp+var_8], 0
		jmp	loc_48602C
; 

loc_486151:				; CODE XREF: PpmPerfSnapUtility+265j
					; PpmPerfSnapUtility+271j
		mov	[ebp+var_28], 1
		xor	edx, edx
		jmp	loc_48609D
; 

loc_48615F:				; CODE XREF: PpmPerfSnapUtility+28Fj
		mov	ecx, [eax+64h]
		jmp	loc_4860B5
; 

loc_486167:				; CODE XREF: PpmPerfSnapUtility+FDj
		mov	[ebp+var_28], 64h
		jmp	loc_485F23
; 

loc_486173:				; CODE XREF: PpmPerfSnapUtility+80j
		mov	eax, [ebp+var_C]
		jmp	loc_485EB8
; 

loc_48617B:				; CODE XREF: PpmPerfSnapUtility+B1j
		mov	eax, [ebp+var_4]
		jmp	loc_485EE9
; 

loc_486183:				; CODE XREF: PpmPerfSnapUtility+127j
		mov	eax, [ebp+var_4]
		jmp	loc_485F5F
; 

loc_48618B:				; CODE XREF: PpmPerfSnapUtility+191j
		mov	eax, [ebp+var_4]
		jmp	loc_485FC9
; 

loc_486193:				; CODE XREF: PpmPerfSnapUtility+25Fj
		mov	edx, [ebp+var_C]
		jmp	loc_486097
PpmPerfSnapUtility endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmParkSnapNodeStatistics proc near	; CODE XREF: PpmCheckSnapAllUtility()+Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B5EF7 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edi
		cmp	_PpmParkNumNodes, edi
		jz	short loc_4861EF
		push	ebx
		xor	ecx, ecx
		push	esi

loc_4861B5:				; CODE XREF: PpmParkSnapNodeStatistics+4Fj
		imul	esi, ecx, 0D0h
		add	esi, _PpmParkNodes
		cmp	byte ptr [esi+6], 0
		jz	short loc_4861DE
		mov	ecx, [esi+28h]
		lea	edx, [esi+30h]
		call	PpmIdleSnapConcurrency
		mov	al, [esi+6]
		cmp	al, [esi+58h]
		jnz	loc_5B5EF7

loc_4861DE:				; CODE XREF: PpmParkSnapNodeStatistics+29j
					; PpmParkSnapNodeStatistics+12FD82j
		inc	edi
		movzx	ecx, di
		mov	[ebp+var_8], edi
		cmp	ecx, _PpmParkNumNodes
		jb	short loc_4861B5
		pop	esi
		pop	ebx

loc_4861EF:				; CODE XREF: PpmParkSnapNodeStatistics+13j
		pop	edi
		leave
		retn
PpmParkSnapNodeStatistics endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmIdleSnapConcurrency proc near	; CODE XREF: PpmParkSnapNodeStatistics+31p
					; PpmParkSnapNodeStatistics+12FD6Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005B5F23 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	0
		mov	edi, edx
		mov	esi, ecx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ebx, eax
		mov	[ebp+var_8], edx
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi+14h]
		mov	eax, [esi+10h]
		mov	[ebp+var_C], ecx
		cmp	[ebp+var_8], ecx
		ja	short loc_48623F
		jb	short loc_486262
		cmp	ebx, eax
		jbe	short loc_486262

loc_48623F:				; CODE XREF: PpmIdleSnapConcurrency+37j
		mov	ecx, ebx
		mov	[esi+10h], ebx
		sub	ecx, eax
		mov	eax, [ebp+var_8]
		mov	edx, eax
		mov	[esi+14h], eax
		sbb	edx, [ebp+var_C]
		add	[esi+18h], ecx
		mov	eax, [esi+8]
		adc	[esi+1Ch], edx
		add	[esi+eax*8+20h], ecx
		adc	[esi+eax*8+24h], edx

loc_486262:				; CODE XREF: PpmIdleSnapConcurrency+39j
					; PpmIdleSnapConcurrency+3Dj
		mov	eax, [esi+18h]
		mov	[edi+10h], eax
		mov	eax, [esi+1Ch]
		mov	[edi+14h], eax
		mov	eax, [edi+20h]
		shl	eax, 3
		push	eax		; size_t
		lea	eax, [esi+20h]
		push	eax		; void *
		mov	eax, [edi]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		test	ds:byte_70EFC6,	1
		jnz	loc_5B5F23
		xor	eax, eax
		lock and [esi],	eax
		cmp	[ebp+var_1], al
		jz	short loc_48629C

loc_48629B:				; CODE XREF: PpmIdleSnapConcurrency+12FD37j
		sti

loc_48629C:				; CODE XREF: PpmIdleSnapConcurrency+99j
					; PpmIdleSnapConcurrency+12FD31j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
PpmIdleSnapConcurrency endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PpmParkDistributeAllUtility()
_PpmParkDistributeAllUtility@0 proc near
		mov	ecx, _PpmCurrentProfile
		imul	eax, dword_6C2D0C, 0F0h
		push	ebx
		push	edi
		cmp	byte ptr [eax+ecx+9Bh],	0
		setnz	bl
		xor	edi, edi
		cmp	_PpmParkNumNodes, edi
		jbe	short loc_486302
		push	esi
		xor	esi, esi

loc_4862CE:				; CODE XREF: PpmParkDistributeAllUtility()+5Bj
		mov	ecx, _PpmParkNodes
		push	0
		push	0
		push	ebx
		movzx	eax, byte ptr [esi+ecx+66h]
		mov	edx, [esi+ecx+14h]
		push	eax
		movzx	eax, word ptr [esi+ecx+4]
		mov	ecx, [esi+ecx+8]
		push	eax
		call	PpmParkDistributeUtility
		inc	edi
		lea	esi, [esi+0D0h]
		cmp	edi, _PpmParkNumNodes
		jb	short loc_4862CE
		pop	esi

loc_486302:				; CODE XREF: PpmParkDistributeAllUtility()+25j
		pop	edi
		mov	al, 1
		pop	ebx
		retn
_PpmParkDistributeAllUtility@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmParkDistributeUtility proc near	; CODE XREF: PpmParkDistributeAllUtility()+49p
					; PpmHeteroDistributeUtility()+79p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_1A		= word ptr -1Ah
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005B5F3C SIZE 00000187 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		mov	eax, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_24], 0
		xor	eax, edi
		mov	[ebp+var_14], edi
		xor	ecx, ecx
		mov	[ebp+var_18], eax
		mov	edi, eax
		mov	[ebp+var_1A], cx
		mov	ax, [ebp+arg_0]
		xor	bh, bh
		mov	[ebp+var_8], ecx
		xor	bl, bl
		xor	dl, dl
		mov	[ebp+arg_C], edi
		mov	ecx, edi
		mov	[ebp+var_1C], ax
		xor	edi, edi

loc_486351:				; CODE XREF: PpmParkDistributeUtility+9Dj
		test	ecx, ecx
		jz	short loc_4863AF
		bsf	eax, ecx
		btr	ecx, eax
		mov	[ebp+var_8], eax
		mov	eax, ds:_KeNumberProcessors
		mov	[ebp+var_20], ecx
		mov	ecx, [ebp+var_8]
		cmp	ecx, eax
		jnb	loc_5B5F3C
		mov	eax, ds:_KiProcessorBlock[ecx*4]

loc_486378:				; CODE XREF: PpmParkDistributeUtility+12FC2Ej
		cmp	byte ptr [eax+3ED0h], 0
		jnz	loc_5B5F43
		inc	bl

loc_486387:				; CODE XREF: PpmParkDistributeUtility+12FC3Bj
		cmp	ds:_PpmHeteroImplementationGeneration, 0
		mov	ecx, [eax+3EB4h]
		jbe	short loc_4863A6
		mov	eax, [eax+3EC4h]
		test	eax, eax
		jz	short loc_4863A6
		imul	ecx, eax
		shr	ecx, 10h

loc_4863A6:				; CODE XREF: PpmParkDistributeUtility+84j
					; PpmParkDistributeUtility+8Ej
		inc	bh
		add	esi, ecx
		mov	ecx, [ebp+var_20]
		jmp	short loc_486351
; 

loc_4863AF:				; CODE XREF: PpmParkDistributeUtility+43j
		mov	eax, [ebp+var_14]
		mov	[ebp+var_C], edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_1], dl
		mov	[ebp+var_20], eax
		mov	edi, edi

loc_4863C0:				; CODE XREF: PpmParkDistributeUtility+12FC71j
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jz	loc_5B5F50
		cmp	bh, 1
		jbe	loc_5B5F86

loc_4863DE:				; CODE XREF: PpmParkDistributeUtility+12FC78j
		mov	al, byte ptr [ebp+arg_4]
		cmp	al, bh
		jnb	loc_5B5F8D

loc_4863E9:				; CODE XREF: PpmParkDistributeUtility+12FC82j
		cmp	al, 1
		ja	short loc_4863F1
		mov	byte ptr [ebp+arg_4], 1

loc_4863F1:				; CODE XREF: PpmParkDistributeUtility+DBj
		xor	edx, edx
		movzx	ecx, bh
		mov	eax, esi
		mov	bh, byte ptr [ebp+arg_4]
		div	ecx
		xor	edx, edx
		movzx	ecx, bh
		mov	[ebp+var_10], eax
		mov	eax, esi
		div	ecx
		mov	[ebp+arg_4], eax
		test	bl, bl
		jz	short loc_48641A
		cmp	[ebp+var_1], 0
		ja	loc_5B5F97

loc_48641A:				; CODE XREF: PpmParkDistributeUtility+FEj
					; PpmParkDistributeUtility+12FCF2j
		mov	edx, [ebp+arg_C]
		mov	ecx, edx
		mov	ebx, [ebp+var_10]

loc_486422:				; CODE XREF: PpmParkDistributeUtility+163j
					; PpmParkDistributeUtility+198j ...
		test	ecx, ecx
		jz	loc_4864AD
		bsf	eax, ecx
		btr	ecx, eax
		mov	[ebp+var_8], eax
		mov	eax, ds:_KeNumberProcessors
		mov	[ebp+var_20], ecx
		mov	ecx, [ebp+var_8]
		cmp	ecx, eax
		jnb	loc_5B6007
		mov	ecx, ds:_KiProcessorBlock[ecx*4]

loc_48644D:				; CODE XREF: PpmParkDistributeUtility+12FCF9j
		mov	esi, [ecx+3EC4h]
		mov	edi, [ecx+3EB4h]
		test	esi, esi
		jz	loc_486535
		mov	eax, esi
		imul	eax, edi
		shr	eax, 10h

loc_486469:				; CODE XREF: PpmParkDistributeUtility+227j
		cmp	ebx, eax
		jbe	short loc_486475
		lea	ecx, [ecx+0]

loc_486470:				; CODE XREF: PpmParkDistributeUtility+21Aj
		mov	ecx, [ebp+var_20]
		jmp	short loc_486422
; 

loc_486475:				; CODE XREF: PpmParkDistributeUtility+15Bj
		xor	edx, [ecx+3C8h]
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_C], edx
		test	esi, esi
		jz	short loc_486497
		shl	eax, 10h
		cmp	esi, 10000h
		jnz	loc_48653C
		shr	eax, 10h

loc_486497:				; CODE XREF: PpmParkDistributeUtility+173j
					; PpmParkDistributeUtility+233j
		cmp	eax, edi
		jbe	loc_486526
		mov	[ecx+3EB4h], eax
		mov	ecx, [ebp+var_20]
		jmp	loc_486422
; 

loc_4864AD:				; CODE XREF: PpmParkDistributeUtility+114j
		mov	ax, [ebp+arg_0]
		mov	edi, [ebp+var_10]
		mov	[ebp+var_1C], ax
		mov	[ebp+var_24], 0
		nop

loc_4864C0:				; CODE XREF: PpmParkDistributeUtility+1F6j
		test	edx, edx
		jz	short loc_486508
		bsf	eax, edx
		btr	edx, eax
		mov	[ebp+var_8], eax
		mov	eax, ds:_KeNumberProcessors
		mov	esi, [ebp+var_8]
		mov	[ebp+var_20], edx
		cmp	esi, eax
		jnb	short loc_48654E
		mov	esi, ds:_KiProcessorBlock[esi*4]

loc_4864E3:				; CODE XREF: PpmParkDistributeUtility+240j
		mov	ecx, [esi+3EC4h]
		mov	eax, edi
		test	ecx, ecx
		jz	short loc_4864FD
		shl	eax, 10h
		cmp	ecx, 10000h
		jnz	short loc_486548
		shr	eax, 10h

loc_4864FD:				; CODE XREF: PpmParkDistributeUtility+1DDj
					; PpmParkDistributeUtility+23Cj
		mov	edx, [ebp+var_20]
		mov	[esi+3EB4h], eax
		jmp	short loc_4864C0
; 

loc_486508:				; CODE XREF: PpmParkDistributeUtility+1B2j
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jnz	loc_5B6028

loc_486513:				; CODE XREF: PpmParkDistributeUtility+12FD6Ej
		cmp	[ebp+arg_8], 0
		pop	edi
		pop	esi
		pop	ebx
		jnz	loc_5B6083

loc_486520:				; CODE XREF: PpmParkDistributeUtility+12FD97j
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_486526:				; CODE XREF: PpmParkDistributeUtility+189j
		cmp	[ebp+arg_8], 0
		jz	loc_486470
		jmp	loc_5B600E
; 

loc_486535:				; CODE XREF: PpmParkDistributeUtility+14Bj
		mov	eax, edi
		jmp	loc_486469
; 

loc_48653C:				; CODE XREF: PpmParkDistributeUtility+17Ej
		xor	edx, edx
		div	esi
		mov	edx, [ebp+arg_C]
		jmp	loc_486497
; 

loc_486548:				; CODE XREF: PpmParkDistributeUtility+1E8j
		xor	edx, edx
		div	ecx
		jmp	short loc_4864FD
; 

loc_48654E:				; CODE XREF: PpmParkDistributeUtility+1CAj
		xor	esi, esi
		jmp	short loc_4864E3
PpmParkDistributeUtility endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIntSteerCalculateDistribution	proc near ; CODE XREF: PpmParkSteerInterrupts+378p

var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B60C3 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	eax, edx
		mov	[ebp+var_C], 0
		push	esi
		mov	[ebp+var_18], eax
		mov	ebx, ecx
		push	edi
		shl	eax, 2
		mov	[ebp+var_10], ebx
		call	__alloca_probe_16
		mov	edx, [ebx+8]
		mov	eax, esp
		mov	[ebp+var_14], eax
		mov	ecx, eax

loc_486598:				; CODE XREF: KiIntSteerCalculateDistribution+47j
		test	edx, edx
		jz	short loc_4865A9
		bsf	eax, edx
		btr	edx, eax
		mov	[ecx], eax
		add	ecx, 4
		jmp	short loc_486598
; 

loc_4865A9:				; CODE XREF: KiIntSteerCalculateDistribution+3Aj
		mov	esi, _KiIntTrackRootCount
		lea	eax, ds:0[esi*4]
		call	__alloca_probe_16
		mov	eax, _KiIntTrackRootList
		xor	edi, edi
		mov	ebx, esp
		cmp	eax, offset _KiIntTrackRootList
		jz	short loc_4865F1
		lea	edx, [esi-1]
		lea	edx, [ebx+edx*4]

loc_4865D1:				; CODE XREF: KiIntSteerCalculateDistribution+8Fj
		mov	ecx, [eax+98h]
		or	ecx, [eax+9Ch]
		jnz	loc_48667B
		mov	[edx], eax
		sub	edx, 4

loc_4865E8:				; CODE XREF: KiIntSteerCalculateDistribution+11Fj
		mov	eax, [eax]
		cmp	eax, offset _KiIntTrackRootList
		jnz	short loc_4865D1

loc_4865F1:				; CODE XREF: KiIntSteerCalculateDistribution+69j
		push	offset _KiIntSteerLoadCompare ;	int __cdecl (*)(const void *,const void	*)
		push	4		; size_t
		push	edi		; size_t
		push	ebx		; void *
		call	_qsort
		xor	edx, edx
		mov	[ebp+var_C], 1
		add	esp, 10h
		mov	[ebp+var_8], edx
		xor	edi, edi
		cmp	_KiIntTrackRootCount, edx
		jz	short loc_486665
		jmp	short loc_486620
; 
		align 10h

loc_486620:				; CODE XREF: KiIntSteerCalculateDistribution+B8j
					; KiIntSteerCalculateDistribution+103j
		mov	esi, [ebx+edi*4]
		cmp	byte ptr [esi+6Ch], 0
		jz	short loc_48665C
		cmp	dword ptr [esi+70h], 0
		jnz	loc_5B60C3

loc_486633:				; CODE XREF: KiIntSteerCalculateDistribution+12FB75j
		mov	eax, [esi+98h]
		or	eax, [esi+9Ch]
		jnz	short loc_486684
		mov	edx, [ebp+var_10]
		mov	ecx, [esi+80h]
		mov	eax, ecx
		and	eax, [edx+8]
		mov	edx, [ebp+var_8]
		cmp	eax, ecx
		jnz	short loc_486684
		mov	[esi+8Ch], ecx

loc_48665C:				; CODE XREF: KiIntSteerCalculateDistribution+C7j
					; KiIntSteerCalculateDistribution+166j	...
		inc	edi
		cmp	edi, _KiIntTrackRootCount
		jb	short loc_486620

loc_486665:				; CODE XREF: KiIntSteerCalculateDistribution+B6j
		xor	eax, eax
		lea	esp, [ebp-24h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48667B:				; CODE XREF: KiIntSteerCalculateDistribution+7Dj
		mov	[ebx+edi*4], eax
		inc	edi
		jmp	loc_4865E8
; 

loc_486684:				; CODE XREF: KiIntSteerCalculateDistribution+DFj
					; KiIntSteerCalculateDistribution+F4j
		mov	eax, [ebp+var_14]
		mov	ecx, [eax+edx*4]
		mov	eax, 1
		mov	dword ptr [esi+90h], 0
		mov	dword ptr [esi+94h], 0
		add	edx, [ebp+var_C]
		shl	eax, cl
		mov	ecx, [ebp+var_18]
		mov	[esi+8Ch], eax
		mov	[ebp+var_8], edx
		cmp	edx, ecx
		jb	short loc_4866C4
		or	eax, 0FFFFFFFFh
		lea	edx, [ecx-1]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], edx

loc_4866C4:				; CODE XREF: KiIntSteerCalculateDistribution+156j
		test	edx, edx
		jns	short loc_48665C
		jmp	loc_5B60DA
KiIntSteerCalculateDistribution	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIntSteerDistributeInterrupts()
_KiIntSteerDistributeInterrupts@0 proc near ; CODE XREF: PpmParkSteerInterrupts:loc_486C98p

var_C		= dword	ptr -0Ch
var_8		= word ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		mov	esi, _KiIntTrackRootList
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		cmp	esi, offset _KiIntTrackRootList
		jz	short loc_486710

loc_4866F0:				; CODE XREF: KiIntSteerDistributeInterrupts()+3Ej
		cmp	byte ptr [esi+6Ch], 0
		jz	short loc_486706
		mov	edx, [esi+8Ch]
		mov	ecx, [esi+80h]
		cmp	edx, ecx
		jnz	short loc_486746

loc_486706:				; CODE XREF: KiIntSteerDistributeInterrupts()+24j
					; KiIntSteerDistributeInterrupts()+93j
		mov	esi, [esi]
		cmp	esi, offset _KiIntTrackRootList
		jnz	short loc_4866F0

loc_486710:				; CODE XREF: KiIntSteerDistributeInterrupts()+1Ej
		mov	esi, _KiIntTrackRootList
		cmp	esi, offset _KiIntTrackRootList
		jz	short loc_48673E
		mov	edi, edi

loc_486720:				; CODE XREF: KiIntSteerDistributeInterrupts()+6Cj
		cmp	byte ptr [esi+6Ch], 0
		jz	short loc_486734
		mov	eax, [esi+8Ch]
		cmp	eax, [esi+80h]
		jnz	short loc_486765

loc_486734:				; CODE XREF: KiIntSteerDistributeInterrupts()+54j
					; KiIntSteerDistributeInterrupts()+E6j
		mov	esi, [esi]
		cmp	esi, offset _KiIntTrackRootList
		jnz	short loc_486720

loc_48673E:				; CODE XREF: KiIntSteerDistributeInterrupts()+4Cj
		pop	edi
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_486746:				; CODE XREF: KiIntSteerDistributeInterrupts()+34j
		mov	ax, [esi+90h]
		not	ecx
		and	ecx, edx
		mov	[ebp+var_8], ax
		mov	[ebp+var_C], ecx
		xor	edx, edx
		push	ecx
		lea	ecx, [ebp+var_C]
		call	_KiIntSteerUpdateDeviceInterruptMask@12	; KiIntSteerUpdateDeviceInterruptMask(x,x,x)
		jmp	short loc_486706
; 

loc_486765:				; CODE XREF: KiIntSteerDistributeInterrupts()+62j
		lea	edx, [esi+8Ch]
		mov	ecx, esi
		call	_KiIntSteerSetDestination@8 ; KiIntSteerSetDestination(x,x)
		movzx	eax, word ptr [esi+90h]
		mov	edx, 1
		mov	[ebp+var_8], ax
		mov	eax, [esi+8Ch]
		not	eax
		and	eax, [esi+80h]
		push	ecx
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_C], eax
		call	_KiIntSteerUpdateDeviceInterruptMask@12	; KiIntSteerUpdateDeviceInterruptMask(x,x,x)
		movzx	eax, word ptr [esi+90h]
		mov	[esi+84h], ax
		mov	eax, [esi+8Ch]
		mov	[esi+80h], eax
		jmp	loc_486734
_KiIntSteerDistributeInterrupts@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAllocateFileObjectExtension proc near
					; CODE XREF: IoGetFileObjectFilterContext(x,x,x)+2Fp
					; IopSetFileObjectExtensionFlag+1Ap ...

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005B60EB SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	eax, [edi+7Ch]
		lea	esi, [edi+7Ch]
		test	eax, eax
		jnz	loc_486886
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		lea	eax, [edi+70h]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edi, [esi]
		test	edi, edi
		jnz	short loc_48684F
		test	ds:byte_70EFC6,	1
		jnz	loc_5B60EB
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_48680E:				; CODE XREF: IopAllocateFileObjectExtension+12F936j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, 2Ch
		call	sub_4FC146
		mov	edi, eax
		test	edi, edi
		jz	short loc_48689D
		push	2Ch		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_4868A4
		mov	eax, edi
		xchg	eax, [esi]

loc_48684F:				; CODE XREF: IopAllocateFileObjectExtension+37j
		xor	esi, esi

loc_486851:				; CODE XREF: IopAllocateFileObjectExtension+E8j
		test	ebx, ebx
		jz	short loc_486857
		mov	[ebx], edi

loc_486857:				; CODE XREF: IopAllocateFileObjectExtension+93j
		test	ds:byte_70EFC6,	1
		jnz	loc_5B60FB
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_48686C:				; CODE XREF: IopAllocateFileObjectExtension+12F946j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	loc_5B610B

loc_48687D:				; CODE XREF: IopAllocateFileObjectExtension+D0j
					; IopAllocateFileObjectExtension+12F953j
		xor	eax, eax

loc_48687F:				; CODE XREF: IopAllocateFileObjectExtension+E2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_486886:				; CODE XREF: IopAllocateFileObjectExtension+17j
		cmp	eax, _IopRevocationExtension
		jz	short loc_48689D
		test	ebx, ebx
		jz	short loc_48687D
		pop	edi
		mov	[ebx], eax
		xor	eax, eax
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48689D:				; CODE XREF: IopAllocateFileObjectExtension+65j
					; IopAllocateFileObjectExtension+CCj
		mov	eax, 0C000009Ah
		jmp	short loc_48687F
; 

loc_4868A4:				; CODE XREF: IopAllocateFileObjectExtension+89j
		mov	esi, edi
		mov	edi, eax
		jmp	short loc_486851
IopAllocateFileObjectExtension endp

; 
		align 10h
; Exported entry 148. KefAcquireSpinLockAtDpcLevel
; Exported entry 153. KiAcquireSpinLock

;  S U B	R O U T	I N E 


; __stdcall KxAcquireSpinLock(x)
		public _KxAcquireSpinLock@4
_KxAcquireSpinLock@4 proc near		; CODE XREF: ExpUpdateTimerResolution+28p
					; ExpInsertTimerResolutionEntry+19p ...
		test	ds:byte_70EFC6,	21h ; KefAcquireSpinLockAtDpcLevel
		jnz	@KiAcquireSpinLockInstrumented@4 ; KiAcquireSpinLockInstrumented(x)
		lock bts dword ptr [ecx], 0
		jb	KxWaitForSpinLockAndAcquire
		retn
_KxAcquireSpinLock@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmParkSteerInterrupts proc near	; DATA XREF: .text:004049C0o
					; .text:00404A20o

var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= word ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B6118 SIZE 000002E0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_A8], 0
		push	esi
		push	edi
		lea	edi, [ebp+var_B4]
		mov	[ebp+var_A4], 0
		stosd
		mov	[ebp+var_A0], 0
		mov	[ebp+var_94], 0
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_60]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_78]
		stosd
		stosd
		stosd
		xor	eax, eax
		cmp	_PpmIntSteerDisabled, 0
		lea	edi, [ebp+var_84]
		stosd
		stosd
		stosd
		jnz	loc_486CB8
		mov	eax, _KiIntTrackRootEnabled
		test	eax, eax
		jz	loc_5B6118
		mov	al, 1

loc_486951:				; CODE XREF: PpmParkSteerInterrupts+12F84Aj
		test	al, al
		jz	loc_486CB8
		cmp	_PpmIntSteerTrigger, 0
		jz	loc_486D32

loc_486966:				; CODE XREF: PpmParkSteerInterrupts+496j
		push	ebx
		lea	edx, [ebp+var_A8]
		lea	ecx, [ebp+var_A0]
		call	KeIntSteerSnapPerf
		mov	ebx, dword_6B5BB8
		mov	edx, offset _PpmCachedSystemAllowedCpuSetVersion
		mov	ecx, offset _PpmCachedSystemAllowedCpuSet
		not	ebx
		call	KeQuerySystemAllowedCpuSetAffinity
		and	ebx, dword_6BF3C8
		xor	eax, eax
		mov	edi, ds:dword_70E328
		xor	ecx, ecx
		mov	[ebp+var_C4], ebx
		xor	edx, edx
		mov	[ebp+var_C0], 10001h
		mov	[ebp+var_BC], 0
		mov	[ebp+var_B8], ebx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_90], eax
		mov	[ebp+var_6C], 10001h
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_B4], offset _KeActiveProcessors

loc_4869E4:				; CODE XREF: PpmParkSteerInterrupts+12F86Aj
		mov	esi, [ebp+var_64]

loc_4869E7:				; CODE XREF: PpmParkSteerInterrupts+205j
		mov	[ebp+var_88], esi
		lea	ecx, [ecx+0]

loc_4869F0:				; CODE XREF: PpmParkSteerInterrupts+1C0j
					; PpmParkSteerInterrupts+1DAj
		test	edi, edi
		jz	loc_486ADA
		mov	eax, [ebp+var_C4]
		inc	ecx
		bsf	ebx, edi
		mov	[ebp+var_8C], ecx
		mov	ecx, ebx
		mov	[ebp+var_94], ebx
		shr	eax, cl
		btr	edi, ebx
		test	al, 1
		mov	eax, _PpmIntSteerTrigger
		jz	loc_5B611F
		mov	ecx, [eax+ebx*8]
		inc	edx
		or	ecx, [eax+ebx*8+4]
		mov	[ebp+var_98], edx
		jz	loc_486CE5

loc_486A36:				; CODE XREF: PpmParkSteerInterrupts+431j
		mov	eax, _PpmIntSteerTrigger
		mov	ecx, [ebp+var_A8]
		mov	esi, [ebp+var_A4]
		sub	ecx, [eax+ebx*8]
		mov	[ebp+var_9C], ecx
		mov	ecx, 2710h
		sbb	esi, [eax+ebx*8+4]
		mov	eax, dword_6B3FEC
		mul	ecx
		mov	edx, 2710h
		mov	ecx, eax
		mov	eax, _PpmIntSteerTriggerMax
		mul	edx
		add	ecx, edx
		mov	[ebp+var_C8], eax
		mov	eax, [ebp+var_90]
		cmp	esi, ecx
		mov	esi, [ebp+var_88]
		mov	ecx, [ebp+var_8C]
		mov	edx, [ebp+var_98]
		jb	loc_4869F0
		ja	short loc_486AB0
		mov	eax, [ebp+var_C8]
		cmp	[ebp+var_9C], eax
		mov	eax, [ebp+var_90]
		jb	loc_4869F0

loc_486AB0:				; CODE XREF: PpmParkSteerInterrupts+1C6j
		mov	esi, [ebp+var_88]
		mov	eax, [ebp+var_90]
		bts	esi, ebx
		mov	ecx, [ebp+var_8C]
		inc	eax
		mov	edx, [ebp+var_98]
		mov	[ebp+var_64], esi
		mov	[ebp+var_90], eax
		jmp	loc_4869E7
; 

loc_486ADA:				; CODE XREF: PpmParkSteerInterrupts+122j
		mov	ebx, [ebp+var_B8]
		mov	edi, [ebp+var_BC]
		test	eax, eax
		jz	loc_486D06

loc_486AEE:				; CODE XREF: PpmParkSteerInterrupts+12F8AAj
		mov	ecx, [ebp+var_6C]
		mov	[ebp+var_88], ecx

loc_486AF7:				; CODE XREF: PpmParkSteerInterrupts+45Dj
		mov	ecx, _PpmIntSteerMode
		mov	[ebp+var_9C], ecx
		cmp	ecx, 1
		jge	loc_5B617F

loc_486B0C:				; CODE XREF: PpmParkSteerInterrupts+12F8B3j
					; PpmParkSteerInterrupts+12F8B9j
					; DATA XREF: ...
		mov	eax, [ebp+var_A0] ; default
		xor	edx, edx
		add	eax, _PpmIntSteerLoadMax
		div	_PpmIntSteerLoadMax
		mov	edi, eax
		mov	eax, [ebp+var_90]
		mov	[ebp+var_8C], edi
		cmp	edi, eax
		jnb	loc_486CCA
		mov	ecx, _PpmParkPreferenceHandler
		xor	ebx, ebx
		mov	[ebp+var_60], 10001h
		mov	[ebp+var_5C], 0
		mov	[ebp+var_58], ebx
		mov	[ebp+var_78], 10001h
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], ebx
		test	ecx, ecx
		jnz	loc_5B620E
		xor	edi, edi

loc_486B66:				; CODE XREF: PpmParkSteerInterrupts+12F968j
		mov	edx, ebx
		not	edx
		movzx	eax, dl
		shr	edx, 8
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[edx]
		movzx	eax, cl
		mov	ecx, [ebp+var_8C]
		mov	[ebp+var_98], eax
		cmp	eax, ecx
		ja	loc_5B623D

loc_486BAB:				; CODE XREF: PpmParkSteerInterrupts+12F98Aj
		jnb	loc_5B62BE
		not	edi
		mov	[ebp+var_84], 10001h
		and	edi, esi
		mov	[ebp+var_80], 0
		mov	esi, [ebp+var_98]
		mov	[ebp+var_7C], edi
		mov	edi, ecx
		mov	eax, [ebp+var_7C]
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_B4], eax
		jmp	short loc_486BF0
; 
		align 10h

loc_486BF0:				; CODE XREF: PpmParkSteerInterrupts+316j
					; PpmParkSteerInterrupts+34Aj ...
		lea	eax, [ebp+var_B4]
		push	eax
		lea	eax, [ebp+var_94]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	loc_5B625F
		mov	ebx, [ebp+var_58]
		mov	eax, ebx
		mov	ecx, [ebp+var_94]
		shr	eax, cl
		test	al, 1
		jnz	short loc_486BF0
		bts	ebx, ecx
		inc	esi
		mov	[ebp+var_58], ebx
		cmp	esi, edi
		jb	short loc_486BF0

loc_486C27:				; CODE XREF: PpmParkSteerInterrupts+410j
					; PpmParkSteerInterrupts+12F8DFj ...
		test	ebx, ebx
		jz	loc_5B62C5

loc_486C2F:				; CODE XREF: PpmParkSteerInterrupts+12F9FCj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _KiIntTrackSpinlock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, edi
		lea	ecx, [ebp+var_60]
		call	KiIntSteerCalculateDistribution
		mov	ecx, [ebp+var_60]
		mov	eax, [ebp+var_58]
		mov	_KiIntSteerMask, ecx
		mov	ecx, [ebp+var_5C]
		mov	dword_6C7524, ecx
		mov	ecx, offset _PPM_ETW_INTERRUPT_STEERING_MASK_CHANGE
		mov	dword_6C7528, eax
		mov	_KiIntSteerMaskCount, edi
		call	_KiIntSteerEtwEventEnabled@4 ; KiIntSteerEtwEventEnabled(x)
		test	al, al
		jnz	loc_5B62D1

loc_486C7F:				; CODE XREF: PpmParkSteerInterrupts+12FAAEj
		xor	cl, cl
		call	KiIntSteerLogProc
		mov	ecx, offset _PPM_ETW_INTERRUPT_STEERING_STATE_RETARGET
		call	_KiIntSteerEtwEventEnabled@4 ; KiIntSteerEtwEventEnabled(x)
		test	al, al
		jnz	loc_5B6383

loc_486C98:				; CODE XREF: PpmParkSteerInterrupts+12FB14j
		call	_KiIntSteerDistributeInterrupts@0 ; KiIntSteerDistributeInterrupts()
		test	ds:byte_70EFC6,	1
		jnz	loc_5B63E9
		xor	eax, eax
		lock and [esi],	eax

loc_486CAF:				; CODE XREF: PpmParkSteerInterrupts+12FB23j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx

loc_486CB8:				; CODE XREF: PpmParkSteerInterrupts+6Cj
					; PpmParkSteerInterrupts+83j ...
		mov	ecx, [ebp+var_4]
		mov	al, 1
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_486CCA:				; CODE XREF: PpmParkSteerInterrupts+260j
		mov	ecx, [ebp+var_88]
		mov	ebx, esi
		mov	[ebp+var_60], ecx
		mov	edi, eax
		mov	ecx, [ebp+var_68]
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], ebx
		jmp	loc_486C27
; 

loc_486CE5:				; CODE XREF: PpmParkSteerInterrupts+160j
		mov	ecx, [ebp+var_A8]
		mov	[eax+ebx*8], ecx
		mov	ecx, [ebp+var_A4]
		mov	[eax+ebx*8+4], ecx
		mov	eax, [ebp+var_64]
		mov	[ebp+var_88], eax
		jmp	loc_486A36
; 

loc_486D06:				; CODE XREF: PpmParkSteerInterrupts+218j
		test	edx, edx
		jz	loc_5B613F
		mov	eax, [ebp+var_C0]
		mov	esi, ebx
		mov	[ebp+var_88], eax
		mov	[ebp+var_6C], eax
		mov	eax, edx
		mov	[ebp+var_68], edi
		mov	[ebp+var_64], esi
		mov	[ebp+var_90], eax
		jmp	loc_486AF7
; 

loc_486D32:				; CODE XREF: PpmParkSteerInterrupts+90j
		call	ds:__imp__HalQueryMaximumProcessorCount@0 ; HalQueryMaximumProcessorCount()
		mov	esi, eax
		push	6B725449h
		shl	esi, 3
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_PpmIntSteerTrigger, eax
		test	eax, eax
		jz	loc_486CB8
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_486966
PpmParkSteerInterrupts endp

; 
		align 10h
; Exported entry 1133. KeEnumerateNextProcessor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeEnumerateNextProcessor(x,	x)
		public _KeEnumerateNextProcessor@8
_KeEnumerateNextProcessor@8 proc near	; CODE XREF: PopQueueTargetDpc(x,x)+19p
					; PpmParkDistributeUtility+B8p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_486D88
		mov	eax, 0C0000225h
		pop	ebp
		retn	8
; 

loc_486D88:				; CODE XREF: KeEnumerateNextProcessor(x,x)+Dj
		mov	edx, [ebp+arg_0]
		bsf	ecx, ecx
		push	esi
		mov	[edx], ecx
		mov	esi, [eax+4]
		btr	esi, ecx
		mov	[eax+4], esi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	8
_KeEnumerateNextProcessor@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeQuerySystemAllowedCpuSetAffinity proc	near ; CODE XREF: PpmParkSteerInterrupts+BAp
					; PpmCheckContinueExecution+1Fp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B6410 SIZE 00000087 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_14], edx
		push	edi
		mov	[ebp+var_10], ebx
		jmp	short loc_486DD0
; 
		align 10h

loc_486DD0:				; CODE XREF: KeQuerySystemAllowedCpuSetAffinity+13j
					; KeQuerySystemAllowedCpuSetAffinity+8Fj ...
		mov	esi, ds:_KiCpuSetSequence
		mov	eax, esi
		mov	edi, ds:dword_70E6F4
		and	eax, 1
		or	eax, 0
		jnz	loc_5B6410

loc_486DEA:				; CODE XREF: KeQuerySystemAllowedCpuSetAffinity+12F678j
		cmp	[edx], esi
		jnz	short loc_486DFA
		cmp	[edx+4], edi
		jnz	short loc_486DFA

loc_486DF3:				; CODE XREF: KeQuerySystemAllowedCpuSetAffinity+9Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_486DFA:				; CODE XREF: KeQuerySystemAllowedCpuSetAffinity+3Cj
					; KeQuerySystemAllowedCpuSetAffinity+41j
		cmp	ds:_KiRestrictedSystemCpuSetsActive, 0
		mov	dword ptr [ebx], 10001h
		mov	dword ptr [ebx+4], 0
		mov	dword ptr [ebx+8], 0
		jnz	loc_5B642D
		mov	eax, ds:_KeActiveProcessors
		mov	[ebx], eax
		mov	eax, ds:dword_70E324
		mov	[ebx+4], eax
		mov	eax, ds:dword_70E328
		mov	[ebx+8], eax

loc_486E32:				; CODE XREF: KeQuerySystemAllowedCpuSetAffinity+12F68Ej
					; KeQuerySystemAllowedCpuSetAffinity+12F6E2j
		mov	eax, ds:_KiCpuSetSequence
		mov	ecx, ds:dword_70E6F4
		cmp	eax, esi
		jnz	short loc_486DD0
		cmp	ecx, edi
		jnz	short loc_486DD0
		mov	[edx], esi
		mov	[edx+4], edi
		jmp	short loc_486DF3
KeQuerySystemAllowedCpuSetAffinity endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeIntSteerSnapPerf proc	near		; CODE XREF: PpmParkSteerInterrupts+A3p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005B6497 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_48], ecx
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_40], edi
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	esi, large fs:20h
		mov	ecx, edx
		mov	ebx, eax
		mov	[ebp+var_4C], eax
		sub	ebx, _KiIntSteerPreviousPerfSnap
		mov	[ebp+var_44], ecx
		mov	edx, [esi+3C0h]
		mov	esi, ecx
		sbb	esi, dword_6CEA34
		mov	[ebp+var_3C], edx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_34], esi
		jnz	short loc_486EBE
		cmp	ebx, 16E360h
		jnb	short loc_486EBE

loc_486EA3:				; CODE XREF: KeIntSteerSnapPerf+203j
		mov	edx, [ebp+var_48]
		mov	eax, _KiIntSteerLoadPercent
		mov	[edi+4], ecx
		mov	[edx], eax
		mov	eax, [ebp+var_4C]
		mov	[edi], eax
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_486EBE:				; CODE XREF: KeIntSteerSnapPerf+49j
					; KeIntSteerSnapPerf+51j
		xor	edi, edi
		mov	_KiIntSteerPreviousPerfSnap, eax
		mov	dword_6CEA34, ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _KiIntTrackSpinlock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, _KiIntTrackRootList
		mov	[ebp+var_24], eax
		cmp	eax, offset _KiIntTrackRootList
		jz	loc_486FFE

loc_486EF7:				; CODE XREF: KeIntSteerSnapPerf+1A2j
		mov	ecx, [eax+8]
		lea	edx, [eax+8]
		xor	ebx, ebx
		mov	[ebp+var_2C], edx
		xor	esi, esi
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], esi
		mov	[ebp+var_20], ecx
		cmp	ecx, edx
		jz	loc_486FD4

loc_486F15:				; CODE XREF: KeIntSteerSnapPerf+178j
		mov	eax, [ecx]
		mov	[ebp+var_28], eax
		cmp	[eax+4], ecx
		jnz	loc_5B6497
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_5B6497
		mov	esi, [ecx+0Ch]
		xor	eax, eax
		xor	edx, edx
		mov	[ebp+var_10], eax
		xor	edi, edi
		mov	[ebp+var_14], edx
		xor	ebx, ebx
		test	esi, esi
		jz	short loc_486F73
		mov	eax, [ecx+10h]

loc_486F46:				; CODE XREF: KeIntSteerSnapPerf+11Bj
		mov	edx, [eax]
		lea	eax, [eax+4]
		add	edi, [edx+68h]
		mov	ecx, [edx+80h]
		adc	ebx, [edx+6Ch]
		add	[ebp+var_10], ecx
		mov	ecx, [edx+84h]
		mov	edx, [ebp+var_14]
		adc	edx, ecx
		mov	[ebp+var_14], edx
		sub	esi, 1
		jnz	short loc_486F46
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_20]

loc_486F73:				; CODE XREF: KeIntSteerSnapPerf+F1j
		mov	esi, edi
		mov	edx, ebx
		sub	esi, [ecx+18h]
		mov	[ecx+18h], edi
		sbb	edx, [ecx+1Ch]
		mov	[ebp+var_20], edx
		mov	edx, [ebp+var_14]
		mov	[ecx+1Ch], ebx
		js	short loc_486F99
		jg	loc_487058
		test	esi, esi
		jnz	loc_487058

loc_486F99:				; CODE XREF: KeIntSteerSnapPerf+139j
		mov	ebx, [ebp+var_C]

loc_486F9C:				; CODE XREF: KeIntSteerSnapPerf+219j
		mov	esi, eax
		mov	edi, edx
		sub	esi, [ecx+20h]
		mov	[ecx+20h], eax
		sbb	edi, [ecx+24h]
		mov	[ecx+24h], edx
		js	short loc_486FBC
		jg	loc_48706E
		test	esi, esi
		jnz	loc_48706E

loc_486FBC:				; CODE XREF: KeIntSteerSnapPerf+15Cj
		mov	esi, [ebp+var_8]

loc_486FBF:				; CODE XREF: KeIntSteerSnapPerf+22Bj
		mov	ecx, [ebp+var_28]
		mov	[ebp+var_20], ecx
		cmp	ecx, [ebp+var_2C]
		jnz	loc_486F15
		mov	eax, [ebp+var_24]
		mov	edi, [ebp+var_1C]

loc_486FD4:				; CODE XREF: KeIntSteerSnapPerf+BFj
		add	edi, ebx
		mov	[eax+98h], ebx
		mov	[eax+9Ch], esi
		mov	eax, [eax]
		adc	[ebp+var_18], esi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_24], eax
		cmp	eax, offset _KiIntTrackRootList
		jnz	loc_486EF7
		mov	ebx, [ebp+var_30]
		mov	esi, [ebp+var_34]

loc_486FFE:				; CODE XREF: KeIntSteerSnapPerf+A1j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _KiIntTrackSpinlock
		jnz	loc_5B649E
		xor	eax, eax
		lock and [ecx],	eax

loc_487015:				; CODE XREF: KeIntSteerSnapPerf+12F656j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	esi
		push	ebx
		push	0
		push	[ebp+var_3C]
		call	__allmul
		mov	edi, eax
		mov	ebx, 2710h
		mov	eax, [ebp+var_18]
		push	edx
		mul	ebx
		push	edi
		mov	ecx, eax
		mov	eax, [ebp+var_1C]
		mul	ebx
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	edi, [ebp+var_40]
		mov	ecx, [ebp+var_44]
		mov	_KiIntSteerLoadPercent,	eax
		jmp	loc_486EA3
; 

loc_487058:				; CODE XREF: KeIntSteerSnapPerf+13Bj
					; KeIntSteerSnapPerf+143j
		mov	ebx, [ebp+var_C]
		add	ebx, esi
		mov	esi, [ebp+var_8]
		mov	[ebp+var_C], ebx
		adc	esi, [ebp+var_20]
		mov	[ebp+var_8], esi
		jmp	loc_486F9C
; 

loc_48706E:				; CODE XREF: KeIntSteerSnapPerf+15Ej
					; KeIntSteerSnapPerf+166j
		add	ebx, esi
		mov	esi, [ebp+var_8]
		mov	[ebp+var_C], ebx
		adc	esi, edi
		mov	[ebp+var_8], esi
		jmp	loc_486FBF
KeIntSteerSnapPerf endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmCheckStart	proc near		; CODE XREF: PpmCheckPeriodicStart(x,x,x,x)+33p
					; PpmCheckCustomRun(x)+17p

var_54		= dword	ptr -54h
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B64AB SIZE 00000081 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		lea	ecx, [ebp+var_48]
		push	edi
		mov	_PpmCheckCurrentPipelineId, esi
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	_PpmCheckTime, eax
		mov	eax, _PpmCheckLastExecutionTime
		mov	ecx, dword_6C049C
		cmp	_PpmEtwRegistered, 0
		mov	dword_6C0464, edx
		mov	[ebp+var_38], esi
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], ecx
		jz	short loc_4870ED
		mov	edi, dword_6BFD04
		mov	ebx, _PpmEtwHandle
		push	offset _PPM_ETW_PERF_CHECK_START
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5B64AB

loc_4870ED:				; CODE XREF: PpmCheckStart+4Bj
					; PpmCheckStart+12F491j
		mov	ecx, _PpmCheckPipelines
		mov	eax, [ecx+esi*4]
		mov	_PpmCheckPipeline, eax
		test	eax, eax
		jz	loc_5B6516

loc_487103:				; CODE XREF: PpmCheckStart+12F49Dj
		mov	edi, _PpmPerfLatencyBoostExpiration
		mov	esi, dword_6C3BDC
		mov	_PpmCheckPipelineIndex,	0
		call	KeQueryInterruptTime
		cmp	esi, edx
		jb	short loc_487130
		ja	loc_4871F1
		cmp	edi, eax
		jnb	loc_4871F1

loc_487130:				; CODE XREF: PpmCheckStart+A0j
		xor	edi, edi

loc_487132:				; CODE XREF: PpmCheckStart+176j
		mov	ebx, _PpmPerfDeadlineBoostExpiration
		mov	esi, dword_6C3BE4
		call	KeQueryInterruptTime
		cmp	esi, edx
		jb	short loc_487155
		ja	loc_5B6522
		cmp	ebx, eax
		jnb	loc_5B6522

loc_487155:				; CODE XREF: PpmCheckStart+C5j
		xor	eax, eax

loc_487157:				; CODE XREF: PpmCheckStart+12F4A7j
		cmp	_PpmCheckLatencyBoostActive, edi
		jnz	short loc_4871BB
		cmp	_PpmCheckDeadlineBoostActive, eax
		jnz	short loc_4871BB

loc_487167:				; CODE XREF: PpmCheckStart+16Cj
		mov	eax, _PpmCheckPipelineIndex
		mov	ecx, _PpmCheckPipeline
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ecx+eax*4]
		test	ecx, ecx
		jz	short loc_48719E
		lea	esp, [esp+0]

loc_487180:				; CODE XREF: PpmCheckStart+11Cj
		inc	eax
		mov	_PpmCheckPipelineIndex,	eax
		call	ecx
		test	al, al
		jz	short loc_4871AD
		mov	eax, _PpmCheckPipelineIndex
		mov	ecx, _PpmCheckPipeline
		mov	ecx, [ecx+eax*4]
		test	ecx, ecx
		jnz	short loc_487180

loc_48719E:				; CODE XREF: PpmCheckStart+FAj
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		call	PpmEventTracePerfCheckStop

loc_4871AD:				; CODE XREF: PpmCheckStart+10Aj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4871BB:				; CODE XREF: PpmCheckStart+DDj
					; PpmCheckStart+E5j
		mov	ecx, ds:_PpmPerfDomainHead
		cmp	ecx, offset _PpmPerfDomainHead
		jz	short loc_4871E1
		lea	esp, [esp+0]

loc_4871D0:				; CODE XREF: PpmCheckStart+15Fj
		mov	byte ptr [ecx+215h], 1
		mov	ecx, [ecx]
		cmp	ecx, offset _PpmPerfDomainHead
		jnz	short loc_4871D0

loc_4871E1:				; CODE XREF: PpmCheckStart+147j
		mov	_PpmCheckLatencyBoostActive, edi
		mov	_PpmCheckDeadlineBoostActive, eax
		jmp	loc_487167
; 

loc_4871F1:				; CODE XREF: PpmCheckStart+A2j
					; PpmCheckStart+AAj
		mov	edi, 1
		jmp	loc_487132
PpmCheckStart	endp

; 
		align 10h
; Exported entry 1226. KeQueryInterruptTimePrecise

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryInterruptTimePrecise(x)
		public _KeQueryInterruptTimePrecise@4
_KeQueryInterruptTimePrecise@4 proc near
					; CODE XREF: PopPowerAggregatorAllocateLogEntry(x,x)+4Cp
					; PopSleepstudyStartNextSession+AAp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		pop	ebp
		retn	4
_KeQueryInterruptTimePrecise@4 endp

; 
		align 10h
; Exported entry 1241. KeQueryUnbiasedInterruptTimePrecise

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryUnbiasedInterruptTimePrecise(x)
		public _KeQueryUnbiasedInterruptTimePrecise@4
_KeQueryUnbiasedInterruptTimePrecise@4 proc near ; CODE	XREF: IoDiskIoAttributionQuery+3Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ecx, 0FFDF03B0h
		lea	ecx, [ecx+0]

loc_487230:				; CODE XREF: KeQueryUnbiasedInterruptTimePrecise(x)+2Bj
		mov	ebx, ecx

loc_487232:				; CODE XREF: KeQueryUnbiasedInterruptTimePrecise(x)+31j
		mov	edi, [ecx]
		mov	esi, [ecx+4]
		mov	ecx, [ebp+arg_0]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	ecx, [ebx]
		cmp	edi, ecx
		mov	ebx, [ebx+4]
		mov	ecx, 0FFDF03B0h
		jnz	short loc_487230
		cmp	esi, ebx
		mov	ebx, ecx
		jnz	short loc_487232
		sub	eax, edi
		pop	edi
		sbb	edx, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_KeQueryUnbiasedInterruptTimePrecise@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetInterruptTimePrecise(x)
_RtlGetInterruptTimePrecise@4 proc near	; CODE XREF: KiCheckWaitNext(x,x,x,x,x)+4Ap
					; KeIntSteerSnapPerf+16p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, 0FFDF0340h
		mov	[ebp+var_18], ecx
		push	edi
		mov	ebx, esi

loc_487275:				; CODE XREF: RtlGetInterruptTimePrecise(x)+112j
		mov	eax, [esi]
		mov	edi, 0FFDF0008h
		mov	ecx, [esi+4]
		mov	edx, 0FFDF0350h
		mov	[ebp+var_4], eax
		and	eax, 1
		or	eax, 0
		mov	[ebp+var_8], ecx
		jnz	loc_487354

loc_487296:				; CODE XREF: RtlGetInterruptTimePrecise(x)+10Bj
		mov	eax, [edx]
		mov	[ebp+var_C], eax
		mov	eax, [edx+4]
		mov	[ebp+var_10], eax
		mov	eax, [edi]
		mov	[ebp+var_20], eax
		mov	eax, [edi+4]
		push	0
		mov	[ebp+var_24], eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, eax
		mov	edi, edx
		mov	eax, [ebx]
		mov	edx, [ebx+4]
		cmp	eax, [ebp+var_4]
		jnz	loc_487370
		cmp	edx, [ebp+var_8]
		jnz	loc_487370
		mov	esi, 0
		mov	eax, [ebp+var_18]
		mov	ebx, esi
		mov	[eax], ecx
		mov	[eax+4], edi
		cmp	edi, [ebp+var_10]
		jb	short loc_487343
		mov	edx, [ebp+var_C]
		ja	short loc_4872EC
		cmp	ecx, edx
		jbe	short loc_487343

loc_4872EC:				; CODE XREF: RtlGetInterruptTimePrecise(x)+86j
		mov	eax, ds:0FFDF0360h
		sub	ecx, edx
		mov	ebx, ds:0FFDF0364h
		sbb	edi, [ebp+var_10]
		add	ecx, 0FFFFFFFFh
		mov	[ebp+var_C], eax
		mov	al, ds:0FFDF0369h
		adc	edi, 0FFFFFFFFh
		mov	[ebp+var_8], ebx
		test	al, al
		jz	short loc_487323
		movsx	esi, al
		mov	edx, edi
		mov	eax, ecx
		mov	ecx, esi
		call	__allshl
		mov	ecx, eax
		mov	edi, edx

loc_487323:				; CODE XREF: RtlGetInterruptTimePrecise(x)+AFj
		mov	eax, ebx
		mul	ecx
		mov	esi, edx
		mov	ebx, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_18], esi
		test	edi, edi
		jnz	short loc_487377
		mul	ecx
		xor	esi, esi
		add	edx, ebx
		mov	[ebp+var_14], eax
		adc	esi, [ebp+var_18]
		xor	ebx, ebx

loc_487343:				; CODE XREF: RtlGetInterruptTimePrecise(x)+81j
					; RtlGetInterruptTimePrecise(x)+8Aj ...
		add	esi, [ebp+var_20]
		pop	edi
		adc	ebx, [ebp+var_24]
		mov	eax, esi
		pop	esi
		mov	edx, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_487354:				; CODE XREF: RtlGetInterruptTimePrecise(x)+30j
		mov	esi, ebx

loc_487356:				; CODE XREF: RtlGetInterruptTimePrecise(x)+109j
		pause
		mov	eax, [esi]
		mov	ecx, [esi+4]
		mov	[ebp+var_4], eax
		and	eax, 1
		or	eax, 0
		mov	[ebp+var_8], ecx
		jnz	short loc_487356
		jmp	loc_487296
; 

loc_487370:				; CODE XREF: RtlGetInterruptTimePrecise(x)+60j
					; RtlGetInterruptTimePrecise(x)+69j
		pause
		jmp	loc_487275
; 

loc_487377:				; CODE XREF: RtlGetInterruptTimePrecise(x)+D3j
		mul	edi
		mov	[ebp+var_10], 0
		add	eax, ebx
		mov	ecx, edx
		adc	ecx, esi
		cmp	ecx, esi
		ja	short loc_487390
		jb	short loc_4873A0
		cmp	eax, ebx
		jb	short loc_4873A0

loc_487390:				; CODE XREF: RtlGetInterruptTimePrecise(x)+128j
					; RtlGetInterruptTimePrecise(x)+147j
		mov	eax, edi
		mul	[ebp+var_8]
		mov	esi, eax
		mov	ebx, edx
		add	esi, ecx
		adc	ebx, [ebp+var_10]
		jmp	short loc_487343
; 

loc_4873A0:				; CODE XREF: RtlGetInterruptTimePrecise(x)+12Aj
					; RtlGetInterruptTimePrecise(x)+12Ej
		mov	[ebp+var_10], 1
		jmp	short loc_487390
_RtlGetInterruptTimePrecise@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmCheckPeriodicStart(x, x,	x, x)
_PpmCheckPeriodicStart@16 proc near	; DATA XREF: PpmCheckInit()+1Do

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		xor	ecx, ecx
		lea	eax, [esp+8+var_8]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	offset unk_6C2B24
		mov	[esp+1Ch+var_8], ecx
		mov	[esp+1Ch+var_4], ecx
		call	KeWaitForSingleObject
		test	eax, eax
		jnz	short loc_4873E8
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		mov	_PpmCheckMakeupCount, eax
		call	PpmCheckStart

loc_4873E2:				; CODE XREF: PpmCheckPeriodicStart(x,x,x,x)+50j
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4873E8:				; CODE XREF: PpmCheckPeriodicStart(x,x,x,x)+27j
		mov	ecx, _PpmCheckLastExecutionTime
		mov	eax, dword_6C049C
		push	eax
		push	ecx
		call	PpmEventTraceFailedPerfCheckStart
		jmp	short loc_4873E2
_PpmCheckPeriodicStart@16 endp

; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 1225. KeQueryInterruptTime

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeQueryInterruptTime
KeQueryInterruptTime proc near		; CODE XREF: PopSetWatchdog+EAp
					; PopIncrementPowerSettingPendingUpdates+31p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	edx, ds:0FFDF000Ch
		mov	eax, ds:0FFDF0008h
		mov	[ebp+var_4], 0
		mov	[ebp+var_8], 0
		mov	[ebp+var_4], 0
		cmp	edx, ds:0FFDF0010h
		jnz	sub_5B652C

loc_487444:				; CODE XREF: sub_5B652C+21j
		mov	esp, ebp
		pop	ebp
		retn
KeQueryInterruptTime endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiForwardTick	proc near		; CODE XREF: KiUpdateTime+1B4p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005B6552 SIZE 000000F8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		cmp	ds:_PoSkipTickMode, 2
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		push	edi
		mov	[ebp+var_4], ebx
		jz	loc_487522
		movzx	edi, ds:_KeNumberNodes
		xor	ecx, ecx
		xor	esi, esi
		test	edi, edi
		jz	loc_487522

loc_487483:				; CODE XREF: KiForwardTick+44j
		mov	eax, ds:_KeNodeBlock[esi*4]
		inc	esi
		mov	eax, [eax+40h]
		or	eax, ecx
		mov	ecx, eax
		cmp	esi, edi
		jb	short loc_487483
		test	eax, eax
		jz	loc_487522
		mov	edi, [ebp+arg_C]
		not	eax
		mov	dword ptr [edi], 10001h
		mov	dword ptr [edi+4], 0
		mov	[edi+8], eax
		and	eax, ds:dword_70E328
		cmp	byte ptr [ebp+arg_8], 0
		mov	dword ptr [edi], 10001h
		mov	dword ptr [edi+4], 0
		mov	[edi+8], eax
		jnz	loc_487553

loc_4874D3:				; CODE XREF: KiForwardTick+10Fj
		cmp	ds:_KiSerializeTimerExpiration,	0
		jz	loc_5B6552

loc_4874E0:				; CODE XREF: KiForwardTick+12F16Aj
		mov	esi, [edi+8]
		cmp	esi, ds:dword_70E328
		jz	short loc_487525
		mov	eax, [ebx+3CCh]
		btr	esi, eax
		cmp	ds:_PoSkipTickMode, 0
		mov	[edi+8], esi
		jnz	loc_5B65BF

loc_487504:				; CODE XREF: KiForwardTick+12F1ADj
		xor	ecx, ecx
		mov	edx, edi
		test	esi, esi
		jnz	short loc_487543

loc_48750C:				; CODE XREF: KiForwardTick+101j
		cmp	_KdDebuggerEnabled, 0
		jnz	loc_5B6602

loc_487519:				; CODE XREF: KiForwardTick+12F1DCj
					; KiForwardTick+12F1E9j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_487522:				; CODE XREF: KiForwardTick+1Aj
					; KiForwardTick+2Dj ...
		mov	edi, [ebp+arg_C]

loc_487525:				; CODE XREF: KiForwardTick+99j
					; KiForwardTick+12F1A7j
		mov	eax, ds:_KeActiveProcessors
		mov	ecx, 1
		mov	[edi], eax
		xor	edx, edx
		mov	eax, ds:dword_70E324
		mov	[edi+4], eax
		mov	eax, ds:dword_70E328
		mov	[edi+8], eax

loc_487543:				; CODE XREF: KiForwardTick+BAj
		call	ds:__imp_@HalRequestClockInterrupt@8 ; HalRequestClockInterrupt(x,x)
		mov	eax, [ebp+arg_0]
		mov	_KiLastForwardedHand, eax
		jmp	short loc_48750C
; 

loc_487553:				; CODE XREF: KiForwardTick+7Dj
		push	edi
		push	offset _KiGroupSchedulingOverQuotaMask
		push	edi
		call	_KeOrAffinityEx@12 ; KeOrAffinityEx(x,x,x)
		jmp	loc_4874D3
KiForwardTick	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiUpdateTimeAssist proc	near		; CODE XREF: KiUpdateTime+93p
					; KeResumeClockTimerFromIdle+140p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B664A SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], 0
		push	edi
		mov	ecx, 0FFDF0340h
		mov	[ebp+var_10], 0
		mov	ebx, edx
		call	RtlWriteAcquireTickLock
		test	esi, esi
		jnz	loc_48770A
		push	esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, edx
		mov	[ebp+var_8], edx

loc_4875AB:				; CODE XREF: KiUpdateTimeAssist+1A2j
		push	ecx
		push	eax
		mov	[ebp+var_4], eax
		call	KiComputeNewSystemTime
		push	[ebp+var_8]
		lea	ecx, [ebp+var_14]
		mov	esi, eax
		push	[ebp+var_4]
		mov	edi, edx
		call	KiComputeNewInterruptTime
		mov	ecx, [ebp+var_8]
		mov	[ebx], eax
		mov	[ebx+4], edx
		mov	ds:0FFDF001Ch, edi
		mov	ds:0FFDF0014h, esi
		mov	esi, [ebp+arg_0]
		mov	ds:0FFDF0018h, edi
		mov	eax, [ebx+4]
		mov	ds:0FFDF0010h, eax
		mov	eax, [ebx]
		mov	ds:0FFDF0008h, eax
		mov	eax, [ebx+4]
		mov	ds:0FFDF000Ch, eax
		mov	eax, [ebp+var_4]
		mov	ds:0FFDF0348h, eax
		mov	ds:0FFDF034Ch, ecx
		mov	ds:0FFDF0350h, eax
		mov	ds:0FFDF0354h, ecx
		mov	eax, ds:dword_7186C4
		mov	[esi+4], eax
		mov	eax, ds:_KeTickCount
		mov	[esi], eax
		mov	eax, ds:dword_7186C8
		mov	[ebp+var_C], 0
		cmp	[esi+4], eax
		jnz	loc_5B664A

loc_487638:				; CODE XREF: KiUpdateTimeAssist+12F0FBj
		mov	edi, _KiTickOffset
		xor	ebx, ebx
		sub	edi, [ebp+var_14]
		sbb	ebx, [ebp+var_10]
		test	ebx, ebx
		jg	short loc_4876A1
		jl	short loc_487650
		test	edi, edi
		jnz	short loc_4876A1

loc_487650:				; CODE XREF: KiUpdateTimeAssist+DAj
		mov	edx, ds:_KeMaximumIncrement
		xor	ecx, ecx
		add	edi, edx
		mov	[ebp+arg_0], edx
		mov	eax, 1
		adc	ebx, ecx
		test	ebx, ebx
		jg	short loc_48766E
		jl	short loc_4876CA
		test	edi, edi
		jz	short loc_4876CA

loc_48766E:				; CODE XREF: KiUpdateTimeAssist+F6j
					; KiUpdateTimeAssist+195j
		add	[esi], eax
		adc	[esi+4], ecx
		mov	eax, [esi+4]
		mov	ds:dword_7186C8, eax
		mov	eax, [esi]
		mov	ds:_KeTickCount, eax
		mov	eax, [esi+4]
		mov	ds:dword_7186C4, eax
		mov	eax, [esi+4]
		mov	ds:0FFDF0328h, eax
		mov	eax, [esi]
		mov	ds:0FFDF0320h, eax
		mov	eax, [esi+4]
		mov	ds:0FFDF0324h, eax

loc_4876A1:				; CODE XREF: KiUpdateTimeAssist+D8j
					; KiUpdateTimeAssist+DEj
		mov	eax, 0FFDF0340h
		mov	edx, 0FFDF0340h
		mov	ecx, [eax]
		mov	eax, [eax+4]
		add	ecx, 1
		mov	_KiTickOffset, edi
		pop	edi
		adc	eax, 0
		mov	[edx], ecx
		pop	esi
		mov	[edx+4], eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4876CA:				; CODE XREF: KiUpdateTimeAssist+F8j
					; KiUpdateTimeAssist+FCj
		mov	ecx, edi
		mov	eax, ebx
		neg	ecx
		push	0
		adc	eax, 0
		push	edx
		neg	eax
		push	eax
		push	ecx
		call	__aulldiv
		add	eax, 1
		mov	[ebp+var_8], eax
		adc	edx, 0
		push	edx
		push	eax
		push	0
		push	[ebp+arg_0]
		mov	[ebp+var_4], edx
		call	__allmul
		mov	ecx, [ebp+var_4]
		add	edi, eax
		mov	eax, [ebp+var_8]
		add	eax, 1
		adc	ecx, 0
		jmp	loc_48766E
; 

loc_48770A:				; CODE XREF: KiUpdateTimeAssist+29j
		mov	ecx, [esi+4]
		mov	eax, [esi]
		mov	[ebp+var_8], ecx
		jmp	loc_4875AB
KiUpdateTimeAssist endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiComputeNewInterruptTime proc near	; CODE XREF: KiUpdateTimeAssist+52p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B6670 SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:0FFDF0350h
		xor	edx, edx
		push	ebx
		mov	ebx, ecx
		mov	ecx, ds:0FFDF0008h
		mov	[ebp+var_18], ecx
		mov	ecx, ds:0FFDF000Ch
		mov	[ebp+var_1C], ecx
		mov	ecx, ds:0FFDF0360h
		mov	[ebp+var_8], ecx
		mov	ecx, ds:0FFDF0364h
		mov	[ebp+var_10], ecx
		mov	cl, ds:0FFDF0369h
		push	esi
		mov	esi, ds:0FFDF0354h
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_1], cl
		xor	ecx, ecx
		mov	[ebp+var_C], esi
		mov	dword ptr [ebx], 0
		mov	dword ptr [ebx+4], 0
		cmp	edi, esi
		jb	short loc_4877F4
		mov	esi, [ebp+arg_0]
		ja	short loc_487789
		cmp	esi, eax
		jbe	short loc_4877F4

loc_487789:				; CODE XREF: KiComputeNewInterruptTime+63j
		sub	esi, eax
		mov	al, [ebp+var_1]
		sbb	edi, [ebp+var_C]
		test	al, al
		jz	short loc_4877A5
		movsx	ecx, al
		mov	edx, edi
		mov	eax, esi
		call	__allshl
		mov	esi, eax
		mov	edi, edx

loc_4877A5:				; CODE XREF: KiComputeNewInterruptTime+73j
		mov	ecx, [ebp+var_10]
		mov	eax, ecx
		mul	esi
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_C], edx
		test	edi, edi
		jnz	loc_5B6670
		mul	esi
		mov	esi, _KiInterruptTimeErrorAccumulator
		xor	ecx, ecx
		add	edx, [ebp+arg_4]
		mov	edi, eax
		mov	eax, dword_6D4B04
		adc	ecx, [ebp+var_C]
		add	esi, edi
		mov	_KiInterruptTimeErrorAccumulator, esi
		adc	eax, edx
		mov	dword_6D4B04, eax
		cmp	eax, edx
		ja	short loc_4877ED
		jb	short loc_487805
		cmp	esi, edi
		jb	short loc_487805

loc_4877ED:				; CODE XREF: KiComputeNewInterruptTime+C5j
					; KiComputeNewInterruptTime+E6j
		xor	edx, edx

loc_4877EF:				; CODE XREF: KiComputeNewInterruptTime+12EF9Cj
					; KiComputeNewInterruptTime+12EFA8j
		mov	[ebx+4], edx
		mov	[ebx], ecx

loc_4877F4:				; CODE XREF: KiComputeNewInterruptTime+5Ej
					; KiComputeNewInterruptTime+67j
		add	ecx, [ebp+var_18]
		pop	edi
		adc	edx, [ebp+var_1C]
		mov	eax, ecx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_487805:				; CODE XREF: KiComputeNewInterruptTime+C7j
					; KiComputeNewInterruptTime+CBj
		inc	ecx
		jmp	short loc_4877ED
KiComputeNewInterruptTime endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiComputeNewSystemTime proc near	; CODE XREF: KiUpdateTimeAssist+40p
					; KiUpdateSystemTime+36p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B66CD SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	ecx, ds:0FFDF0014h
		xor	edx, edx
		mov	eax, ds:0FFDF0348h
		mov	[ebp+var_14], ecx
		mov	ecx, ds:0FFDF0018h
		push	ebx
		mov	bl, ds:0FFDF0368h
		mov	[ebp+var_18], ecx
		mov	ecx, ds:0FFDF0358h
		push	esi
		mov	esi, ds:0FFDF034Ch
		mov	[ebp+var_4], ecx
		mov	ecx, ds:0FFDF035Ch
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_10], ecx
		xor	ecx, ecx
		mov	[ebp+var_8], esi
		cmp	edi, esi
		jb	short loc_4878C8
		mov	esi, [ebp+arg_0]
		ja	short loc_487867
		cmp	esi, eax
		jbe	short loc_4878C8

loc_487867:				; CODE XREF: KiComputeNewSystemTime+51j
		sub	esi, eax
		sbb	edi, [ebp+var_8]
		test	bl, bl
		jz	short loc_487880
		movsx	ecx, bl
		mov	eax, esi
		mov	edx, edi
		call	__allshl
		mov	esi, eax
		mov	edi, edx

loc_487880:				; CODE XREF: KiComputeNewSystemTime+5Ej
		mov	ecx, [ebp+var_10]
		mov	eax, ecx
		mul	esi
		mov	[ebp+arg_4], edx
		mov	ebx, eax
		mov	eax, [ebp+var_4]
		test	edi, edi
		jnz	loc_5B66CD
		mul	esi
		mov	esi, _KiSystemTimeErrorAccumulator
		xor	ecx, ecx
		add	edx, ebx
		mov	edi, eax
		mov	eax, dword_6D4B0C
		adc	ecx, [ebp+arg_4]
		add	esi, edi
		mov	_KiSystemTimeErrorAccumulator, esi
		adc	eax, edx
		mov	dword_6D4B0C, eax
		cmp	eax, edx
		ja	short loc_4878C6
		jb	short loc_4878D9
		cmp	esi, edi
		jb	short loc_4878D9

loc_4878C6:				; CODE XREF: KiComputeNewSystemTime+AEj
					; KiComputeNewSystemTime+CAj
		xor	edx, edx

loc_4878C8:				; CODE XREF: KiComputeNewSystemTime+4Cj
					; KiComputeNewSystemTime+55j ...
		add	ecx, [ebp+var_14]
		pop	edi
		adc	edx, [ebp+var_18]
		mov	eax, ecx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4878D9:				; CODE XREF: KiComputeNewSystemTime+B0j
					; KiComputeNewSystemTime+B4j
		inc	ecx
		jmp	short loc_4878C6
KiComputeNewSystemTime endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlWriteAcquireTickLock	proc near	; CODE XREF: KiUpdateTimeAssist+22p
					; KeSetSystemAllowedCpuSets+45p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B671E SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [esi]
		mov	edi, [esi+4]
		mov	[ebp+var_4], ecx

loc_4878F0:				; CODE XREF: RtlWriteAcquireTickLock+12EE4Cj
		mov	ebx, ecx
		mov	eax, edi
		add	ebx, 1
		adc	eax, 0
		mov	[ebp+var_8], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	loc_5B671E
		mov	eax, ecx
		mov	edx, edi
		nop
		mov	ecx, [ebp+var_8]
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, [ebp+var_4]
		jnz	short loc_487925
		cmp	edx, edi
		jnz	short loc_487925
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_487925:				; CODE XREF: RtlWriteAcquireTickLock+3Ej
					; RtlWriteAcquireTickLock+42j
		mov	ecx, eax
		mov	[ebp+var_4], eax
		mov	edi, edx
		jmp	loc_5B6726
RtlWriteAcquireTickLock	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoExecuteIdleCheck proc	near		; CODE XREF: KiUpdateTime+165p
					; KeClockInterruptNotify+12EAA4p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= word ptr -24h
var_22		= word ptr -22h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B672D SIZE 000000CD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, ds:_PpmIdleDurationExpirationTimeout
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, ds:dword_70EE3C
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_22], ax
		lea	edi, [ebp+var_1C]
		stosd
		mov	[ebp+var_20], ebx
		stosd
		stosd
		mov	eax, edx
		or	eax, esi
		jnz	loc_5B672D

loc_48796E:				; CODE XREF: PoExecuteIdleCheck+12EE0Fj
					; PoExecuteIdleCheck+12EE1Cj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
PoExecuteIdleCheck endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoExecutePerfCheck()
_PoExecutePerfCheck@0 proc near		; CODE XREF: KiUpdateTime+170p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		mov	edi, _PpmCheckLastExecutionTime
		mov	eax, edi
		mov	esi, dword_6C049C
		or	eax, esi
		mov	[ebp+var_18], esi
		jz	loc_487A7F
		mov	ecx, ds:_KeTimeIncrement
		push	ebx
		mov	ebx, dword_6C0494
		mov	[ebp+var_C], ecx
		test	ebx, ebx
		jb	short loc_4879C9
		ja	loc_487AA7
		cmp	_PpmCheckPeriod, ecx
		ja	loc_487AA7

loc_4879C9:				; CODE XREF: PoExecutePerfCheck()+35j
		xor	ebx, ebx

loc_4879CB:				; CODE XREF: PoExecutePerfCheck()+130j
		call	KeQueryInterruptTime
		mov	[ebp+var_4], edx
		mov	ecx, ebx
		mov	edx, [ebp+var_C]
		add	edx, edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], edx
		adc	ecx, esi
		cmp	ecx, [ebp+var_4]
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+var_C]
		ja	loc_487A7E
		jb	short loc_4879FB
		cmp	edx, eax
		ja	loc_487A7E

loc_4879FB:				; CODE XREF: PoExecutePerfCheck()+71j
		mov	[ebp+var_C], 0
		cmp	edi, 1
		jnz	short loc_487A0B
		test	esi, esi
		jz	short loc_487A47

loc_487A0B:				; CODE XREF: PoExecutePerfCheck()+85j
		mov	edx, ds:_KeMaximumIncrement
		xor	eax, eax
		add	edx, ecx
		adc	eax, ebx
		add	edx, edi
		adc	eax, esi
		cmp	eax, [ebp+var_4]
		jb	short loc_487A85
		ja	short loc_487A29
		mov	eax, [ebp+var_8]
		cmp	edx, eax
		jbe	short loc_487A88

loc_487A29:				; CODE XREF: PoExecutePerfCheck()+A0j
		mov	eax, [ebp+var_10]
		mov	edx, [ebp+var_14]
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], edx

loc_487A35:				; CODE XREF: PoExecutePerfCheck()+10Bj
		sub	eax, ecx
		sbb	edx, ebx
		sub	eax, edi
		sbb	edx, esi
		cmp	edx, ebx
		jb	short loc_487A47
		ja	short loc_487A8D
		cmp	eax, ecx
		jnb	short loc_487A8D

loc_487A47:				; CODE XREF: PoExecutePerfCheck()+89j
					; PoExecutePerfCheck()+BFj ...
		mov	eax, edi
		mov	[ebp+var_14], offset _PpmCheckLastExecutionTime
		mov	edx, esi
		nop
		mov	ebx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		mov	esi, [ebp+var_14]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_18]
		cmp	eax, edi
		jnz	short loc_487A7E
		cmp	edx, esi
		jnz	short loc_487A7E
		mov	edx, [ebp+var_C]
		mov	ecx, offset _PpmCheckStartDpc
		push	0
		push	0
		push	0
		call	KiInsertQueueDpc

loc_487A7E:				; CODE XREF: PoExecutePerfCheck()+6Bj
					; PoExecutePerfCheck()+75j ...
		pop	ebx

loc_487A7F:				; CODE XREF: PoExecutePerfCheck()+1Dj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_487A85:				; CODE XREF: PoExecutePerfCheck()+9Ej
		mov	eax, [ebp+var_8]

loc_487A88:				; CODE XREF: PoExecutePerfCheck()+A7j
		mov	edx, [ebp+var_4]
		jmp	short loc_487A35
; 

loc_487A8D:				; CODE XREF: PoExecutePerfCheck()+C1j
					; PoExecutePerfCheck()+C5j
		push	ebx
		push	ecx
		push	edx
		push	eax
		call	__aulldiv
		mov	[ebp+var_C], eax
		cmp	eax, 40h
		jb	short loc_487A47
		mov	[ebp+var_C], 40h
		jmp	short loc_487A47
; 

loc_487AA7:				; CODE XREF: PoExecutePerfCheck()+37j
					; PoExecutePerfCheck()+43j
		mov	ecx, _PpmCheckPeriod
		mov	[ebp+var_C], ecx
		jmp	loc_4879CB
_PoExecutePerfCheck@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KeIsForceIdleEngaged()
_KeIsForceIdleEngaged@0	proc near	; CODE XREF: KeClockInterruptNotify:loc_487F87p
					; KeSetTimer2:loc_4D82A6p ...
		cmp	ds:_KiForceIdleDisabled, 0
		jnz	short loc_487ACB
		mov	eax, _KiForceIdleState
		cmp	eax, 4
		setz	al
		retn
; 

loc_487ACB:				; CODE XREF: KeIsForceIdleEngaged()+7j
		xor	al, al
		retn
_KeIsForceIdleEngaged@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiUpdateTime	proc near		; CODE XREF: KeClockInterruptNotify+165p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_13		= byte ptr -13h
var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B67FA SIZE 000000AC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1C], 0
		lea	edi, [ebp+var_10]
		mov	[ebp+var_18], 0
		stosd
		mov	[ebp+var_12], dl
		mov	[ebp+var_13], cl
		mov	[ebp+var_34], 0
		stosd
		mov	[ebp+var_30], 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], 0
		stosd
		mov	eax, large fs:20h
		mov	esi, ds:dword_7186C4
		mov	edi, ds:_KeTickCount
		mov	[ebp+var_11], 0
		mov	byte ptr [ebp+var_28], 0
		mov	[ebp+var_2C], eax
		mov	[ebp+var_38], 0
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], edi
		cmp	esi, ds:dword_7186C8
		jnz	loc_5B67FA

loc_487B52:				; CODE XREF: KiUpdateTime+12ED4Bj
		push	ebx
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	bl, al
		lea	edx, [ebp+var_1C]
		lea	eax, [ebp+var_34]
		xor	ecx, ecx
		push	eax
		call	KiUpdateTimeAssist
		mov	[ebp+var_3C], 0
		mov	esi, offset _KiForceIdleLock

loc_487B74:				; CODE XREF: KiUpdateTime+12ED61j
		lock bts dword ptr [esi], 0
		jb	loc_5B6820
		mov	edx, _KiForceIdleStartTime
		mov	edi, 1
		mov	ecx, dword_6CB38C
		mov	eax, edx
		or	eax, ecx
		jnz	loc_5B6836

loc_487B9A:				; CODE XREF: KiUpdateTime+12ED69j
					; KiUpdateTime+12ED74j	...
		mov	eax, _KiForceIdleState
		cmp	eax, 1
		jz	loc_5B689D
		cmp	eax, 3
		jz	loc_5B689D

loc_487BB1:				; CODE XREF: KiUpdateTime+12EDD1j
		xor	eax, eax
		lock and [esi],	eax
		test	bl, bl
		jz	short loc_487BBB
		sti

loc_487BBB:				; CODE XREF: KiUpdateTime+E8j
		mov	ecx, [ebp+var_1C]
		sub	ecx, _KiLastNonHrTimerExpiration
		mov	eax, ds:_KeMinimumIncrement
		dec	eax
		add	ecx, eax
		mov	eax, ds:_KeNonHrTimeIncrement
		cmp	ecx, eax
		mov	ecx, [ebp+var_1C]
		jb	short loc_487BE6
		mov	eax, [ebp+var_18]
		mov	_KiLastNonHrTimerExpiration, ecx
		mov	dword_6CEA2C, eax

loc_487BE6:				; CODE XREF: KiUpdateTime+106j
		mov	eax, ds:_KeMinimumIncrement
		sub	ecx, _KiLastPseudoHrTimerExpiration
		dec	eax
		add	ecx, eax
		mov	eax, ds:_KePseudoHrTimeIncrement
		mov	esi, [ebp+var_18]
		mov	edi, [ebp+var_1C]
		cmp	ecx, eax
		jb	short loc_487C0F
		mov	_KiLastPseudoHrTimerExpiration,	edi
		mov	dword_6CEA24, esi

loc_487C0F:				; CODE XREF: KiUpdateTime+131j
		mov	ecx, [ebp+var_34]
		sub	ecx, [ebp+var_20]
		mov	ebx, [ebp+var_30]
		mov	eax, ebx
		sbb	eax, [ebp+var_24]
		mov	[ebp+var_18], eax
		jnz	short loc_487C26
		test	ecx, ecx
		jz	short loc_487C33

loc_487C26:				; CODE XREF: KiUpdateTime+150j
		sub	_KiBalanceSetManagerCount, 1
		jz	loc_487CDF

loc_487C33:				; CODE XREF: KiUpdateTime+154j
					; KiUpdateTime+22Bj
		push	esi
		push	edi
		call	PoExecuteIdleCheck
		cmp	[ebp+var_11], 0
		jnz	short loc_487C45
		call	_PoExecutePerfCheck@0 ;	PoExecutePerfCheck()

loc_487C45:				; CODE XREF: KiUpdateTime+16Ej
		shrd	edi, esi, 12h
		shr	esi, 12h
		cmp	ds:_KiGroupSchedulingEnabled, 0
		jz	short loc_487C6C
		mov	ecx, dword_6CB3E4
		cmp	ebx, ecx
		jb	short loc_487C6C
		ja	short loc_487CC5
		mov	eax, [ebp+var_34]
		cmp	eax, _KiGenerationEndTick
		ja	short loc_487CC5

loc_487C6C:				; CODE XREF: KiUpdateTime+183j
					; KiUpdateTime+18Dj ...
		mov	edx, ds:_KeNumberProcessors
		pop	ebx
		cmp	edx, 1
		jbe	short loc_487CAA
		mov	ecx, [ebp+var_2C]
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_28]
		push	esi
		push	edi
		call	KiForwardTick
		mov	eax, dword_6B5A60
		or	eax, [ebp+var_8]
		mov	_KiClockCheckPending, 10001h
		mov	dword_6B5A5C, 0
		mov	dword_6B5A60, eax

loc_487CAA:				; CODE XREF: KiUpdateTime+1A6j
		mov	dl, [ebp+var_12]
		mov	cl, [ebp+var_13]
		call	KiUpdateRunTime
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_487CC5:				; CODE XREF: KiUpdateTime+18Fj
					; KiUpdateTime+19Aj
		mov	eax, ds:_KiGenerationTicks
		add	_KiGenerationEndTick, eax
		mov	byte ptr [ebp+var_28], 1
		adc	ecx, 0
		mov	dword_6CB3E4, ecx
		jmp	short loc_487C6C
; 

loc_487CDF:				; CODE XREF: KiUpdateTime+15Dj
		mov	eax, ds:_KiBalanceSetManagerPeriod
		xor	edx, edx
		push	0
		push	0
		push	0
		mov	ecx, offset _KiBalanceSetManagerPeriodicDpc
		mov	_KiBalanceSetManagerCount, eax
		call	KiInsertQueueDpc
		jmp	loc_487C33
KiUpdateTime	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiCheckPreferredHeteroProcessor(x, x, x)
_KiCheckPreferredHeteroProcessor@12 proc near ;	CODE XREF: KiQuantumEnd+152p
					; KiUpdateRunTime+80p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], eax
		mov	al, [ebx+61h]
		push	esi
		mov	esi, edx
		push	edi
		test	al, al
		jz	loc_487E44
		movzx	edi, al
		cmp	edi, 5
		jb	short loc_487D35
		push	esi
		call	_KiConvertDynamicHeteroPolicy@12 ; KiConvertDynamicHeteroPolicy(x,x,x)
		mov	edi, eax

loc_487D35:				; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+2Bj
		mov	eax, [esi+338h]
		lea	ecx, [ebp+var_8]
		mov	edx, [ebx+164h]
		push	ecx
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_C], eax
		push	ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	edi
		mov	ecx, eax
		call	_KiGenerateHeteroSets@24 ; KiGenerateHeteroSets(x,x,x,x,x,x)
		mov	eax, [ebp+var_8]
		test	[esi+3C8h], eax
		jz	loc_487E4D
		mov	edx, [ebp+var_C]
		mov	edx, [edx]
		mov	eax, [esi+338h]
		mov	ecx, [eax+104h]
		call	_KiIsQosGroupingActive@0 ; KiIsQosGroupingActive()
		test	al, al
		jz	short loc_487DAC
		test	ecx, edx
		jz	short loc_487DAC
		movzx	eax, byte ptr [ebx+244h]
		cmp	eax, 2
		jz	short loc_487D9A
		cmp	eax, 1
		jz	short loc_487D9A
		xor	al, al
		jmp	short loc_487D9C
; 

loc_487D9A:				; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+8Fj
					; KiCheckPreferredHeteroProcessor(x,x,x)+94j
		mov	al, 1

loc_487D9C:				; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+98j
		test	al, al
		jz	short loc_487DAC
		test	[esi+3C8h], ecx
		jz	loc_487E4D

loc_487DAC:				; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+7Fj
					; KiCheckPreferredHeteroProcessor(x,x,x)+83j ...
		mov	eax, [ebp+var_4]
		test	[esi+3C8h], eax
		jnz	loc_487E44
		cmp	[ebp+arg_0], 0
		jnz	short loc_487DD8
		mov	eax, large fs:20h
		mov	eax, [eax+3C8h]
		and	eax, [ebp+var_4]
		neg	eax
		sbb	eax, eax
		neg	eax
		jmp	short loc_487E46
; 

loc_487DD8:				; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+BFj
		mov	eax, [ebp+var_C]
		mov	eax, [eax+4]
		and	eax, edx
		jz	short loc_487DE4
		mov	edx, eax

loc_487DE4:				; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+E0j
		mov	ecx, [ebp+var_4]
		test	edx, ecx
		jnz	short loc_487E4D
		not	ecx
		and	ecx, [ebp+var_10]
		and	ecx, edx
		cmp	edi, 3
		jz	short loc_487E04
		cmp	edi, 4
		jz	short loc_487E04
		mov	bl, [esi+3ED1h]
		jmp	short loc_487E0A
; 

loc_487E04:				; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+F5j
					; KiCheckPreferredHeteroProcessor(x,x,x)+FAj
		mov	bl, [esi+3ED2h]

loc_487E0A:				; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+102j
		test	ecx, ecx
		jz	short loc_487E44

loc_487E0E:				; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+142j
		and	[ebp+var_14], 0
		bsr	eax, ecx
		mov	eax, ds:_KiProcessorBlock[eax*4]
		cmp	edi, 3
		jz	short loc_487E2E
		cmp	edi, 4
		jz	short loc_487E2E
		mov	dl, [eax+3ED1h]
		jmp	short loc_487E34
; 

loc_487E2E:				; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+11Fj
					; KiCheckPreferredHeteroProcessor(x,x,x)+124j
		mov	dl, [eax+3ED2h]

loc_487E34:				; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+12Cj
		cmp	dl, bl
		ja	short loc_487E4D
		mov	eax, [eax+3C8h]
		not	eax
		and	ecx, eax
		jnz	short loc_487E0E

loc_487E44:				; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+1Fj
					; KiCheckPreferredHeteroProcessor(x,x,x)+B5j ...
		xor	eax, eax

loc_487E46:				; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+D6j
					; KiCheckPreferredHeteroProcessor(x,x,x)+150j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_487E4D:				; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+61j
					; KiCheckPreferredHeteroProcessor(x,x,x)+A6j ...
		xor	eax, eax
		inc	eax
		jmp	short loc_487E46
_KiCheckPreferredHeteroProcessor@12 endp


;  S U B	R O U T	I N E 


KiCheckForPendingQosUpdate proc	near	; CODE XREF: KiUpdateRunTime+8Bp

; FUNCTION CHUNK AT 005B6917 SIZE 0000000B BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, large fs:20h
		mov	esi, ecx
		mov	ecx, [edi+4D8h]
		test	ecx, 300h
		jnz	sub_5B68A6
		mov	eax, [esi+244h]
		xor	eax, ecx
		test	al, al
		jnz	loc_5B6917

loc_487E81:				; CODE XREF: sub_5B68A6+65j
					; sub_5B68A6+6Cj
		pop	edi
		pop	esi
		retn
KiCheckForPendingQosUpdate endp

; 
		align 10h
; Exported entry 132. KeClockInterruptNotify

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeClockInterruptNotify
KeClockInterruptNotify proc near

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_1A		= dword	ptr -1Ah
var_16		= word ptr -16h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B6922 SIZE 000001AE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, large fs:20h
		xor	bh, bh
		cmp	ds:_KiForceIdleDisabled, 0
		mov	bl, dl
		push	edi
		mov	edi, ecx
		mov	[ebp+var_58], 0
		mov	[ebp+var_54], 0
		mov	[ebp+var_38], edi
		mov	[ebp+var_48], 0
		mov	[ebp+var_44], 0
		mov	[ebp+var_58], 0
		mov	[ebp+var_54], 0
		mov	[ebp+var_40], 0
		mov	[ebp+var_50], 0
		mov	[ebp+var_4C], 0
		jnz	short loc_487F3A
		cli
		mov	[ebp+var_5C], 0
		mov	edi, offset _KiForceIdleLock
		lea	ebx, [ebx+0]

loc_487F10:				; CODE XREF: KeClockInterruptNotify+203j
		lock bts dword ptr [edi], 0
		jb	loc_488084
		cmp	byte ptr [esi+3D0h], 0
		mov	edi, [ebp+var_38]
		jnz	short loc_487F87

loc_487F27:				; CODE XREF: KeClockInterruptNotify+FEj
					; KeClockInterruptNotify+12EB1Dj ...
		xor	eax, eax
		mov	ecx, offset _KiForceIdleLock
		lock and [ecx],	eax
		sti
		test	bh, bh
		jnz	loc_5B69C3

loc_487F3A:				; CODE XREF: KeClockInterruptNotify+6Bj
		test	byte ptr [edi+6Ch], 1
		jnz	loc_48807D
		test	dword ptr [edi+70h], 20000h
		jnz	loc_48807D
		xor	al, al

loc_487F53:				; CODE XREF: KeClockInterruptNotify+1EFj
		cmp	byte ptr [esi+3D0h], 0
		mov	edi, ds:__imp_@KfRaiseIrql@4 ; KfRaiseIrql(x)
		mov	[ebp+var_2D], al
		jnz	short loc_487F95
		mov	dl, bl
		mov	cl, al
		call	KiUpdateRunTime

loc_487F6E:				; CODE XREF: KeClockInterruptNotify+1E8j
		test	bh, bh
		jnz	loc_5B69C9

loc_487F76:				; CODE XREF: KeClockInterruptNotify+12EB40j
					; KeClockInterruptNotify+12EB7Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_487F87:				; CODE XREF: KeClockInterruptNotify+95j
		call	_KeIsForceIdleEngaged@0	; KeIsForceIdleEngaged()
		test	al, al
		jz	short loc_487F27
		jmp	loc_5B6922
; 

loc_487F95:				; CODE XREF: KeClockInterruptNotify+D3j
		mov	eax, _KiClockTickTraceIndex
		mov	[ebp+var_60], 0
		mov	[ebp+var_64], 0
		mov	[ebp+var_60], 0
		lea	esi, [eax+eax*2]
		inc	eax
		and	eax, 0Fh
		mov	[ebp+var_38], esi
		mov	_KiClockTickTraceIndex,	eax
		mov	eax, ds:0FFDF000Ch
		mov	ecx, ds:0FFDF0008h
		cmp	eax, ds:0FFDF0010h
		jnz	loc_48810B

loc_487FD5:				; CODE XREF: KeClockInterruptNotify+12EB9Ej
		cmp	_KiClockOwnerOneShotRequestState, 1
		mov	dword_6CAF48[esi*8], ecx
		mov	dword_6CAF4C[esi*8], eax
		jz	loc_4880C4

loc_487FF0:				; CODE XREF: KeClockInterruptNotify+25Ej
		mov	cl, [ebp+var_2D]
		mov	dl, bl
		call	KiUpdateTime
		cmp	_KiClockOwnerOneShotRequestState, 2
		jz	loc_4880F3

loc_488007:				; CODE XREF: KeClockInterruptNotify+276j
		mov	eax, ds:0FFDF0350h
		mov	_KiClockTickTraces[esi*8], eax
		mov	eax, ds:0FFDF0354h
		mov	dword_6CAF44[esi*8], eax
		mov	ecx, ds:0FFDF000Ch
		mov	eax, ds:0FFDF0008h
		mov	[ebp+var_68], 0
		mov	[ebp+var_34], ecx
		mov	[ebp+var_3C], eax
		cmp	ecx, ds:0FFDF0010h
		jnz	loc_5B6A33

loc_488043:				; CODE XREF: KeClockInterruptNotify+12EBD4j
		mov	eax, ds:_KiClockState
		cmp	eax, 2
		jz	short loc_48809B

loc_48804D:				; CODE XREF: KeClockInterruptNotify+22Dj
					; KeClockInterruptNotify+12EC3Bj
		mov	eax, ds:_KeTimeIncrement
		xor	ecx, ecx
		add	eax, [ebp+var_3C]
		mov	edx, [ebp+var_34]
		adc	ecx, edx
		mov	_KiClockTimerNextTickTime, eax
		mov	eax, [ebp+var_3C]
		mov	dword_6CABA4, ecx
		mov	dword_6CAF50[esi*8], eax
		mov	dword_6CAF54[esi*8], edx
		jmp	loc_487F6E
; 

loc_48807D:				; CODE XREF: KeClockInterruptNotify+AEj
					; KeClockInterruptNotify+BBj
		mov	al, 1
		jmp	loc_487F53
; 

loc_488084:				; CODE XREF: KeClockInterruptNotify+85j
					; KeClockInterruptNotify+209j
		lea	ecx, [ebp+var_5C]
		call	KeYieldProcessorEx
		mov	eax, _KiForceIdleLock
		test	eax, eax
		jz	loc_487F10
		jmp	short loc_488084
; 

loc_48809B:				; CODE XREF: KeClockInterruptNotify+1BBj
		push	ecx
		push	[ebp+var_3C]
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_50]
		call	KiRestoreClockTickRate
		xor	eax, eax
		mov	ecx, offset _KiClockState
		xchg	eax, [ecx]
		test	ds:dword_70EFC8, 100000h
		jz	short loc_48804D
		jmp	loc_5B6A69
; 

loc_4880C4:				; CODE XREF: KeClockInterruptNotify+15Aj
		mov	cl, 1Fh
		call	edi
		mov	_KiClockOwnerOneShotRequestState, 2
		mov	cl, al
		mov	_KiClockOwnerOneShotRequest, 0
		mov	dword_6CADF4, 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_487FF0
; 

loc_4880F3:				; CODE XREF: KeClockInterruptNotify+171j
		mov	cl, 1Fh
		call	edi
		mov	bl, al
		call	_KiSetClockIntervalToMinimumRequested@0	; KiSetClockIntervalToMinimumRequested()
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_488007
; 

loc_48810B:				; CODE XREF: KeClockInterruptNotify+13Fj
		mov	edi, 0FFDF000Ch
		lea	esi, [edi-4]
		jmp	loc_5B6A10
KeClockInterruptNotify endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PerfInfoLogInterrupt proc near		; CODE XREF: KiChainedDispatch()+116p
					; KiInterruptDispatch()+7Ep ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B6AD0 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	byte ptr [ecx+31h], 0
		push	ebx
		push	esi
		mov	[ebp+var_28], 0
		jz	loc_5B6AD0
		mov	eax, [ecx+10h]
		test	eax, eax
		jz	loc_488217
		mov	[ebp+var_30], eax
		mov	ebx, 0F32h
		mov	eax, [ecx+14h]
		mov	esi, 0Ch
		mov	[ebp+var_28], eax

loc_488163:				; CODE XREF: PerfInfoLogInterrupt+107j
					; PerfInfoLogInterrupt+12E9C0j
		lea	eax, [ebp+var_30]
		mov	[ebp+var_C], esi
		mov	[ebp+var_14], eax
		mov	eax, ds:_EtwpHostSiloState
		mov	[ebp+var_2C], edx
		mov	[ebp+var_34], 0
		mov	[ebp+var_10], 0
		mov	esi, [eax+924h]
		bsf	ecx, esi
		mov	[ebp+var_8], 0
		jz	short loc_488205
		push	edi
		mov	edi, [ebp+arg_0]
		jmp	short loc_4881A0
; 
		align 10h

loc_4881A0:				; CODE XREF: PerfInfoLogInterrupt+78j
					; PerfInfoLogInterrupt+E2j
		mov	edx, ds:_EtwpHostSiloState
		lea	eax, [esi-1]
		and	esi, eax
		mov	eax, ecx
		shl	eax, 5
		add	eax, 948h
		add	eax, edx
		jz	short loc_4881FF
		test	dword ptr [eax+4], 4000h
		jz	short loc_4881FF
		movzx	eax, byte ptr [edx+ecx*2+915h]
		dec	eax
		mov	[ebp+var_20], 0
		push	400A02h
		push	ebx
		mov	[ebp+var_1C], 8
		lea	eax, [edi+eax*8]
		mov	[ebp+var_18], 0
		mov	[ebp+var_24], eax
		movzx	eax, byte ptr [edx+ecx*2+914h]
		lea	ecx, [ebp+var_24]
		push	2
		push	eax
		call	EtwpLogKernelEvent

loc_4881FF:				; CODE XREF: PerfInfoLogInterrupt+97j
					; PerfInfoLogInterrupt+A0j
		bsf	ecx, esi
		jnz	short loc_4881A0
		pop	edi

loc_488205:				; CODE XREF: PerfInfoLogInterrupt+72j
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_488217:				; CODE XREF: PerfInfoLogInterrupt+2Aj
		mov	eax, [ecx+0Ch]
		mov	ebx, 0F43h
		mov	esi, 8
		mov	[ebp+var_30], eax
		jmp	loc_488163
PerfInfoLogInterrupt endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiRetireDpcList	proc near		; CODE XREF: KiDispatchInterrupt(x)+29p
					; KiIdleLoop()+33p

var_138		= dword	ptr -138h
var_12A		= byte ptr -12Ah
var_129		= byte ptr -129h
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B6AE5 SIZE 00000217 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 12Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+12Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0CCh		; size_t
		lea	eax, [esp+13Ch+var_D4]
		mov	[esp+13Ch+var_E8], 0
		mov	esi, ecx
		mov	[esp+13Ch+var_E4], 0
		push	0		; int
		push	eax		; void *
		mov	[esp+144h+var_108], esi
		call	_memset
		mov	edi, [esi+4]
		add	esp, 0Ch
		mov	[esp+138h+var_11C], edi
		mov	[esp+138h+var_D8], 0

loc_488288:				; CODE XREF: KiRetireDpcList+37Fj
		mov	byte ptr [esi+11h], 1
		nop
		mov	ecx, [edi+30h]
		rdtsc
		mov	ebx, eax
		sub	eax, [esi+3B40h]
		mov	[esp+138h+var_128], eax
		mov	eax, edx
		sbb	eax, [esi+3B44h]
		add	ecx, [esp+138h+var_128]
		mov	[esp+138h+var_124], eax
		mov	eax, [edi+34h]
		adc	eax, [esp+138h+var_124]
		mov	[esp+138h+var_DC], eax
		mov	[esp+138h+var_E0], ecx
		mov	[edi+38h], eax
		mov	[edi+30h], ecx
		mov	eax, [edi+38h]
		mov	[edi+34h], eax
		xor	eax, eax
		mov	ecx, [edi+40h]
		add	ecx, [esp+138h+var_128]
		adc	eax, [esp+138h+var_124]
		jnz	loc_4885D4
		cmp	ecx, 0FFFFFFFFh
		ja	loc_4885D4

loc_4882E5:				; CODE XREF: KiRetireDpcList+3AFj
		mov	[esi+3B40h], ebx
		mov	[esi+3B44h], edx
		mov	bl, [edi+2]
		mov	[edi+40h], ecx
		mov	[esp+138h+var_129], bl
		test	bl, 3Eh
		jz	loc_48843B
		test	bl, 10h
		jnz	loc_5B6AE5

loc_48830D:				; CODE XREF: KiRetireDpcList+12E8FCj
		test	bl, 20h
		jz	loc_488429
		mov	ecx, [edi+388h]
		mov	[esp+138h+var_FC], ecx
		test	ecx, ecx
		jz	loc_488426
		mov	edi, [esi+3EA0h]
		mov	eax, [esi+3EA4h]
		test	edi, edi
		jz	loc_4888FB
		test	eax, eax
		jz	loc_4888FB
		cmp	byte ptr [eax+54h], 0
		jnz	loc_5B6B31
		mov	edx, [eax+38h]
		mov	eax, [edi+88h]
		cmp	edx, eax
		jb	short loc_48835D
		mov	edx, eax

loc_48835D:				; CODE XREF: KiRetireDpcList+129j
					; KiRetireDpcList+6D0j	...
		cmp	edx, 4Bh
		jb	loc_488968
		mov	edx, 3

loc_48836B:				; CODE XREF: KiRetireDpcList+742j
		movzx	eax, byte ptr [esi+3ED0h]
		mov	[esp+138h+var_104], eax
		mov	[esp+138h+var_120], edx
		lea	eax, [eax+edx*2]
		mov	ebx, [ecx+eax*8]
		lea	esi, [ecx+eax*8]
		add	ebx, [esp+138h+var_128]
		mov	eax, [esi+4]
		adc	eax, [esp+138h+var_124]
		mov	[esp+138h+var_100], ebx
		mov	[esp+138h+var_10C], eax

loc_488396:				; CODE XREF: KiRetireDpcList+182j
					; KiRetireDpcList+188j
		mov	edi, [esi]
		mov	eax, edi
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[esp+138h+var_118], ecx
		nop
		mov	ecx, [esp+138h+var_10C]
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [esp+138h+var_100]
		cmp	eax, edi
		jnz	short loc_488396
		cmp	edx, [esp+138h+var_118]
		jnz	short loc_488396
		mov	edx, [esp+138h+var_FC]
		mov	eax, _KiTimelineBitmapTime
		mov	[esp+138h+var_118], 0
		mov	[esp+138h+var_114], 0
		mov	edi, [edx+0C0h]
		cmp	eax, edi
		ja	loc_488919
		sub	edi, eax
		cmp	edi, 20h
		jnb	short loc_4883F7
		mov	eax, [edx+0C4h]
		bts	eax, edi
		mov	[edx+0C4h], eax

loc_4883F7:				; CODE XREF: KiRetireDpcList+1B6j
					; KiRetireDpcList+709j
		cmp	ds:_KiEfficiencyClassSystem, 0
		mov	esi, [esp+138h+var_108]
		mov	edi, [esp+138h+var_11C]
		jnz	short loc_488415
		cmp	byte ptr [edi+244h], 2
		jz	loc_5B6B39

loc_488415:				; CODE XREF: KiRetireDpcList+1D6j
					; KiRetireDpcList+12E95Aj
		cmp	dword ptr [edi+36Ch], 0
		jnz	loc_4887B6

loc_488422:				; CODE XREF: KiRetireDpcList+636j
		mov	bl, [esp+138h+var_129]

loc_488426:				; CODE XREF: KiRetireDpcList+F2j
		and	bl, 0DFh

loc_488429:				; CODE XREF: KiRetireDpcList+E0j
		test	bl, 40h
		jnz	loc_5B6B8F

loc_488432:				; CODE XREF: KiRetireDpcList+12E962j
		test	bl, 3Eh
		jnz	loc_4885E4

loc_48843B:				; CODE XREF: KiRetireDpcList+CEj
					; KiRetireDpcList+408j	...
		mov	eax, 1
		lea	ecx, [esi+223Ch]
		xchg	ax, [ecx]
		movzx	ebx, ax
		mov	[esp+138h+var_124], ebx
		test	bl, 8
		jnz	loc_488643

loc_488459:				; CODE XREF: KiRetireDpcList+581j
		push	0
		lea	eax, [esp+13Ch+var_D8]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	KiExecuteAllDpcs
		test	bl, 4
		jnz	loc_488905

loc_488472:				; CODE XREF: KiRetireDpcList+6E4j
		mov	edi, [esi+3B68h]
		rdtsc
		mov	ebx, eax
		mov	eax, edx
		mov	edx, ebx
		mov	[esp+138h+var_104], eax
		sub	edx, [esi+3B40h]
		mov	ecx, eax
		mov	eax, [esi+3B6Ch]
		sbb	ecx, [esi+3B44h]
		add	edi, edx
		mov	[esp+138h+var_100], ebx
		adc	eax, ecx
		mov	[esi+3B90h], eax
		mov	[esi+3B68h], edi
		mov	edi, [esp+138h+var_11C]
		mov	[esi+3B6Ch], eax
		test	byte ptr [edi+2], 20h
		jz	loc_488570
		mov	eax, [esi+3EA0h]
		mov	edi, ebx
		sub	edi, [esi+3B40h]
		mov	ebx, [esp+138h+var_104]
		sbb	ebx, [esi+3B44h]
		mov	ecx, [esi+3EA4h]
		test	eax, eax
		jz	loc_48889F
		test	ecx, ecx
		jz	loc_48889F
		cmp	byte ptr [ecx+54h], 0
		jnz	loc_5B6CD2
		mov	ecx, [ecx+38h]
		mov	eax, [eax+88h]
		cmp	ecx, eax
		jb	short loc_488507
		mov	ecx, eax

loc_488507:				; CODE XREF: KiRetireDpcList+2D3j
					; KiRetireDpcList+674j	...
		cmp	ecx, 4Bh
		jb	loc_488949
		mov	edx, 3

loc_488515:				; CODE XREF: KiRetireDpcList+723j
		movzx	eax, byte ptr [esi+3ED0h]
		lea	eax, [eax+edx*2]
		lea	eax, [eax+773h]
		lea	eax, [esi+eax*8]
		mov	esi, eax
		mov	[esp+138h+var_118], eax
		mov	eax, [esi]
		mov	ecx, [esi+4]
		add	eax, edi
		mov	[esp+138h+var_118], eax
		adc	ecx, ebx
		mov	[esp+138h+var_10C], ecx
		nop

loc_488540:				; CODE XREF: KiRetireDpcList+32Cj
					; KiRetireDpcList+332j
		mov	edi, [esi]
		mov	eax, edi
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[esp+138h+var_FC], ecx
		nop
		mov	ebx, [esp+138h+var_118]
		mov	ecx, [esp+138h+var_10C]
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		jnz	short loc_488540
		cmp	edx, [esp+138h+var_FC]
		jnz	short loc_488540
		mov	esi, [esp+138h+var_108]
		mov	edi, [esp+138h+var_11C]
		mov	ebx, [esp+138h+var_100]

loc_488570:				; CODE XREF: KiRetireDpcList+28Aj
		mov	ecx, [esp+138h+var_104]
		mov	[esi+3B40h], ebx
		mov	[esi+3B44h], ecx
		test	byte ptr [edi+2], 10h
		jnz	loc_5B6CDA

loc_48858A:				; CODE XREF: KiRetireDpcList+12EAB9j
		test	byte ptr [edi+2], 2
		jnz	loc_5B6CEE

loc_488594:				; CODE XREF: KiRetireDpcList+12EAC7j
		nop
		mov	byte ptr [esi+11h], 0
		lea	edx, [esi+223Ch]
		xor	ecx, ecx
		mov	eax, 1
		lock cmpxchg [edx], cx
		cmp	ax, 1
		jnz	loc_488288
		pop	edi
		mov	dword ptr [esi+21F4h], 0
		mov	ecx, [esp+134h+var_4]
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4885D4:				; CODE XREF: KiRetireDpcList+A6j
					; KiRetireDpcList+AFj
		or	ecx, 0FFFFFFFFh
		mov	[esp+138h+var_114], 0
		jmp	loc_4882E5
; 

loc_4885E4:				; CODE XREF: KiRetireDpcList+205j
		mov	eax, [edi+50h]
		test	eax, eax
		jnz	loc_48886B

loc_4885EF:				; CODE XREF: KiRetireDpcList+643j
		mov	ebx, [esp+138h+var_128]

loc_4885F3:				; CODE XREF: KiRetireDpcList+65Ej
		test	byte ptr [edi+2], 8
		jz	loc_488896
		mov	edx, [esi+338h]
		mov	ecx, [edi+164h]
		mov	edx, [edx+84h]
		mov	eax, edx
		and	eax, ecx
		cmp	eax, edx
		mov	eax, [esp+138h+var_124]
		jz	short loc_488627
		add	[esi+3B70h], ebx
		adc	[esi+3B74h], eax

loc_488627:				; CODE XREF: KiRetireDpcList+3E9j
					; KiRetireDpcList+66Aj
		cmp	byte ptr [edi+61h], 0
		jnz	loc_5B6B97

loc_488631:				; CODE XREF: KiRetireDpcList+12E97Cj
					; KiRetireDpcList+12E98Dj
		cmp	dword ptr [edi+0F4h], 0
		jz	loc_48843B
		jmp	loc_5B6BC2
; 

loc_488643:				; CODE XREF: KiRetireDpcList+223j
		mov	dl, 1
		mov	ecx, esi
		call	_KiSelectActiveTimerTable@8 ; KiSelectActiveTimerTable(x,x)
		mov	[esp+138h+var_104], eax
		test	eax, eax
		jz	loc_5B6C6D
		mov	eax, [eax+1848h]
		mov	[esp+138h+var_10C], eax
		mov	eax, ds:0FFDF000Ch
		mov	ecx, ds:0FFDF0008h
		mov	[esp+138h+var_F4], 0
		mov	[esp+138h+var_128], eax
		mov	[esp+138h+var_120], ecx
		cmp	eax, ds:0FFDF0010h
		jnz	loc_5B6BCE

loc_488689:				; CODE XREF: KiRetireDpcList+12E9C6j
		xor	eax, eax
		mov	[esp+138h+var_118], offset _KiLastNonHrTimerExpiration
		xor	edx, edx
		nop
		mov	edi, [esp+138h+var_118]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [esp+138h+var_104]
		cmp	eax, [ecx+1840h]
		jnz	short loc_4886BA
		cmp	edx, [ecx+1844h]
		jz	loc_4888A9

loc_4886BA:				; CODE XREF: KiRetireDpcList+47Cj
		mov	byte ptr [esp+138h+var_F8], 1

loc_4886BF:				; CODE XREF: KiRetireDpcList+67Ej
		xor	eax, eax
		mov	[esp+138h+var_118], offset _KiLastPseudoHrTimerExpiration
		xor	edx, edx
		nop
		mov	edi, [esp+138h+var_118]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [esp+138h+var_11C]
		mov	ecx, eax
		mov	eax, edx
		mov	[esp+138h+var_118], ecx
		mov	edx, [esp+138h+var_104]
		cmp	ecx, [edx+1840h]
		jnz	short loc_4886FC
		cmp	eax, [edx+1844h]
		jz	loc_4888B3

loc_4886FC:				; CODE XREF: KiRetireDpcList+4BEj
		mov	cl, 1

loc_4886FE:				; CODE XREF: KiRetireDpcList+685j
		test	ds:_KiVelocityFlags, 2000h
		mov	[esp+138h+var_129], cl
		jz	loc_48893E
		mov	bl, byte ptr [esp+138h+var_F8]

loc_488716:				; CODE XREF: KiRetireDpcList+714j
		test	cl, cl
		jz	loc_4888BA
		mov	ecx, [esp+138h+var_118]
		mov	ebx, [esp+138h+var_128]
		mov	[edx+1840h], ecx
		mov	ecx, [esp+138h+var_120]
		mov	[edx+1844h], eax
		mov	eax, ebx
		shrd	ecx, eax, 12h
		mov	[edx+1848h], ecx

loc_488742:				; CODE XREF: KiRetireDpcList+72Cj
		sti
		mov	eax, 0FFDF0018h
		mov	[esp+138h+var_EC], 0
		mov	eax, [eax]
		mov	[esp+138h+var_CC], eax
		mov	eax, 0FFDF0014h
		mov	eax, [eax]
		mov	[esp+138h+var_D0], eax
		mov	eax, 0FFDF001Ch
		mov	eax, [eax]
		cmp	[esp+138h+var_CC], eax
		jnz	loc_5B6C34

loc_488772:				; CODE XREF: KiRetireDpcList+12EA38j
		mov	edx, [esp+138h+var_10C]
		lea	eax, [esp+138h+var_D8]
		push	eax
		push	ecx
		push	ebx
		push	[esp+144h+var_120]
		mov	ecx, esi
		call	KiTimerExpiration
		mov	cl, [esp+138h+var_129]

loc_48878C:				; CODE XREF: KiRetireDpcList+6C6j
		cmp	byte ptr [esi+3D0h], 0
		jz	short loc_4887AC
		lea	eax, [esp+138h+var_D8]
		mov	dl, cl
		push	eax
		push	[esp+13Ch+var_F8]
		mov	ecx, esi
		push	ebx
		push	[esp+144h+var_120]
		call	KiTimer2Expiration

loc_4887AC:				; CODE XREF: KiRetireDpcList+563j
					; KiRetireDpcList+12EA9Dj
		mov	ebx, [esp+138h+var_124]

loc_4887B0:				; CODE XREF: KiRetireDpcList+12EA67j
		cli
		jmp	loc_488459
; 

loc_4887B6:				; CODE XREF: KiRetireDpcList+1ECj
		mov	ecx, [esp+138h+var_104]
		mov	eax, [esp+138h+var_120]
		add	ecx, 10h
		lea	eax, [ecx+eax*2]
		mov	ecx, [edx+eax*8]
		add	ecx, [esp+138h+var_128]
		lea	esi, [edx+eax*8]
		mov	eax, [esi+4]
		adc	eax, [esp+138h+var_124]
		mov	[esp+138h+var_FC], ecx
		mov	[esp+138h+var_118], eax
		lea	ecx, [ecx+0]

loc_4887E0:				; CODE XREF: KiRetireDpcList+5CCj
					; KiRetireDpcList+5D2j
		mov	edi, [esi]
		mov	eax, edi
		mov	edx, [esi+4]
		mov	[esp+138h+var_10C], edx
		nop
		mov	ebx, ecx
		mov	ecx, [esp+138h+var_118]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [esp+138h+var_FC]
		cmp	eax, edi
		jnz	short loc_4887E0
		cmp	edx, [esp+138h+var_10C]
		jnz	short loc_4887E0
		mov	eax, [esp+138h+var_11C]
		mov	edx, [esp+138h+var_104]
		mov	eax, [eax+36Ch]
		mov	ecx, [eax+388h]
		mov	eax, [esp+138h+var_120]
		add	eax, 4
		lea	eax, [edx+eax*2]
		lea	eax, [ecx+eax*8]
		mov	[esp+138h+var_120], eax
		lea	esp, [esp+0]

loc_488830:				; CODE XREF: KiRetireDpcList+62Aj
					; KiRetireDpcList+630j
		mov	edi, [eax]
		mov	ebx, edi
		mov	edx, [eax+4]
		mov	ecx, edx
		add	ebx, [esp+138h+var_128]
		mov	eax, edi
		mov	[esp+138h+var_118], edx
		adc	ecx, [esp+138h+var_124]
		nop
		mov	esi, [esp+138h+var_120]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [esp+138h+var_108]
		cmp	eax, edi
		mov	eax, [esp+138h+var_120]
		jnz	short loc_488830
		cmp	edx, [esp+138h+var_118]
		jnz	short loc_488830
		mov	edi, [esp+138h+var_11C]
		jmp	loc_488422
; 

loc_48886B:				; CODE XREF: KiRetireDpcList+3B9j
		add	eax, [esi+3B34h]
		test	eax, eax
		jz	loc_4885EF
		mov	ebx, [esp+138h+var_128]
		mov	ecx, [esp+138h+var_124]

loc_488881:				; CODE XREF: KiRetireDpcList+664j
		add	[eax], ebx
		adc	[eax+4], ecx
		mov	eax, [eax+0F4h]
		test	eax, eax
		jz	loc_4885F3
		jmp	short loc_488881
; 

loc_488896:				; CODE XREF: KiRetireDpcList+3C7j
		mov	eax, [esp+138h+var_124]
		jmp	loc_488627
; 

loc_48889F:				; CODE XREF: KiRetireDpcList+2B0j
					; KiRetireDpcList+2B8j
		mov	ecx, 64h
		jmp	loc_488507
; 

loc_4888A9:				; CODE XREF: KiRetireDpcList+484j
		mov	byte ptr [esp+138h+var_F8], 0
		jmp	loc_4886BF
; 

loc_4888B3:				; CODE XREF: KiRetireDpcList+4C6j
		xor	cl, cl
		jmp	loc_4886FE
; 

loc_4888BA:				; CODE XREF: KiRetireDpcList+4E8j
		test	bl, bl
		jnz	loc_488958
		sti
		mov	eax, 0FFDF0018h
		mov	[esp+138h+var_F0], 0
		mov	eax, [eax]
		mov	[esp+138h+var_CC], eax
		mov	eax, 0FFDF0014h
		mov	eax, [eax]
		mov	[esp+138h+var_D0], eax
		mov	eax, 0FFDF001Ch
		mov	eax, [eax]
		cmp	[esp+138h+var_CC], eax
		jnz	loc_5B6BFB

loc_4888F2:				; CODE XREF: KiRetireDpcList+12E9FFj
		mov	ebx, [esp+138h+var_128]
		jmp	loc_48878C
; 

loc_4888FB:				; CODE XREF: KiRetireDpcList+106j
					; KiRetireDpcList+10Ej
		mov	edx, 64h
		jmp	loc_48835D
; 

loc_488905:				; CODE XREF: KiRetireDpcList+23Cj
		sti
		lea	ecx, [esi+2228h]
		xor	edx, edx
		call	KeSignalGate
		cli
		jmp	loc_488472
; 

loc_488919:				; CODE XREF: KiRetireDpcList+1ABj
		mov	ecx, eax
		sub	ecx, edi
		cmp	ecx, 20h
		jnb	short loc_488961
		mov	esi, [edx+0C4h]
		shl	esi, cl
		or	esi, 1

loc_48892D:				; CODE XREF: KiRetireDpcList+736j
		mov	[edx+0C0h], eax
		mov	[edx+0C4h], esi
		jmp	loc_4883F7
; 

loc_48893E:				; CODE XREF: KiRetireDpcList+4DCj
		mov	bl, cl
		mov	byte ptr [esp+138h+var_F8], bl
		jmp	loc_488716
; 

loc_488949:				; CODE XREF: KiRetireDpcList+2DAj
		mov	eax, 51EB851Fh
		mul	ecx
		shr	edx, 3
		jmp	loc_488515
; 

loc_488958:				; CODE XREF: KiRetireDpcList+68Cj
		mov	ebx, [esp+138h+var_128]
		jmp	loc_488742
; 

loc_488961:				; CODE XREF: KiRetireDpcList+6F0j
		mov	esi, 1
		jmp	short loc_48892D
; 

loc_488968:				; CODE XREF: KiRetireDpcList+130j
		mov	eax, 51EB851Fh
		mul	edx
		shr	edx, 3
		jmp	loc_48836B
KiRetireDpcList	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiExecuteAllDpcs proc near		; CODE XREF: KiRetireDpcList+234p
					; KiExecuteDpc(x)+A1p

var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B6CFC SIZE 0000020D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_A4], edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_4]
		push	esi
		push	edi
		mov	[ebp+var_C4], eax
		xor	eax, eax
		lea	edi, [edx+21Eh]
		mov	[ebp+var_88], ebx
		lea	edi, [edx+edi*2]
		mov	[ebp+var_60], edx
		lea	edi, [ebx+edi*8]
		mov	[ebp+var_5C], 0
		mov	[ebp+var_B4], 0
		mov	[ebp+var_B0], 0
		mov	[ebp+var_98], 0
		mov	[ebp+var_94], 0
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_AC], edi
		cmp	[edi+0Ch], eax
		jz	loc_488DE3
		test	ds:byte_70EFC4,	80h
		jz	short loc_488A46
		test	edx, edx
		jnz	loc_488DFE
		mov	eax, 0F44h
		mov	[ebp+var_94], 400A02h

loc_488A39:				; CODE XREF: KiExecuteAllDpcs+48Dj
		mov	word ptr [ebp+var_98], ax
		lea	eax, [ebp+var_98]

loc_488A46:				; CODE XREF: KiExecuteAllDpcs+A0j
		mov	[ebp+var_84], eax
		mov	eax, [ebx+21DCh]
		mov	[ebp+var_CC], eax

loc_488A58:				; CODE XREF: KiExecuteAllDpcs+479j
		test	ds:byte_70EFC6,	21h
		lea	ecx, [edi+8]
		mov	esi, 0FFFFFFEDh
		jnz	loc_5B6CFC
		lock bts dword ptr [ecx], 0
		jb	loc_488E1C

loc_488A78:				; CODE XREF: KiExecuteAllDpcs+4A7j
		cmp	dword ptr [edi+0Ch], 1
		jg	short loc_488A95
		lea	eax, [edx+111Eh]
		lea	eax, [ebx+eax*2]
		lock and [eax],	si
		cmp	dword ptr [edi+0Ch], 0
		jz	loc_5B6ECD

loc_488A95:				; CODE XREF: KiExecuteAllDpcs+FCj
		mov	esi, [edi]
		mov	eax, [esi]
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_488AA2
		mov	[edi+4], edi

loc_488AA2:				; CODE XREF: KiExecuteAllDpcs+11Dj
		mov	eax, [esi+8]
		add	esi, 0FFFFFFFCh
		mov	[ebp+var_5C], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_6C], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_70], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_7C], eax
		mov	eax, [esi+1Ch]
		mov	dword ptr [esi+1Ch], 0
		mov	[ebp+var_A0], eax
		mov	eax, [edi+0Ch]
		dec	eax
		mov	[edi+0Ch], eax
		mov	[edi+14h], esi
		mov	ecx, [ebx+4DCh]
		test	ecx, ecx
		jnz	loc_5B6D06

loc_488AE5:				; CODE XREF: KiExecuteAllDpcs+12E388j
					; KiExecuteAllDpcs+12E395j
		test	ds:byte_70EFC6,	1
		jnz	loc_5B6D1A
		xor	ecx, ecx
		lea	eax, [edi+8]
		lock and [eax],	ecx

loc_488AFA:				; CODE XREF: KiExecuteAllDpcs+12E3A5j
		sti
		test	dword ptr ds:byte_70EFC4, 40000h
		jnz	loc_5B6D2A

loc_488B0B:				; CODE XREF: KiExecuteAllDpcs+12E3F9j
		cmp	[ebp+var_84], 0
		jz	loc_488BD5
		mov	eax, ds:dword_717EF0
		xor	ebx, ebx
		mov	[ebp+var_9C], 0
		test	eax, eax
		jz	loc_488E12
		mov	edx, [eax+924h]
		bsf	ecx, edx
		mov	[ebp+var_9C], ecx
		jz	short loc_488B79
		mov	edi, eax

loc_488B44:				; CODE XREF: KiExecuteAllDpcs+1EBj
		lea	eax, [edx-1]
		and	edx, eax
		mov	eax, ecx
		shl	eax, 5
		add	eax, 948h
		add	eax, edi
		jz	short loc_488B68
		test	byte ptr [eax+4], 80h
		jz	short loc_488B68
		movzx	eax, byte ptr [edi+ecx*2+915h]
		bts	ebx, eax

loc_488B68:				; CODE XREF: KiExecuteAllDpcs+1D5j
					; KiExecuteAllDpcs+1DBj
		bsf	ecx, edx
		jnz	short loc_488B44
		mov	edi, [ebp+var_AC]
		mov	[ebp+var_9C], ecx

loc_488B79:				; CODE XREF: KiExecuteAllDpcs+1C0j
					; KiExecuteAllDpcs+497j
		test	bl, 2
		jnz	loc_5B6D7E
		mov	[ebp+var_48], 0
		mov	[ebp+var_44], 0

loc_488B90:				; CODE XREF: KiExecuteAllDpcs+12E40Cj
		test	bl, 4
		jnz	loc_5B6D91
		mov	[ebp+var_40], 0
		mov	[ebp+var_3C], 0

loc_488BA7:				; CODE XREF: KiExecuteAllDpcs+12E41Cj
		test	bl, 8
		jz	loc_5B6DA1
		rdtsc
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], edx

loc_488BB8:				; CODE XREF: KiExecuteAllDpcs+12E42Fj
		test	bl, 10h
		jnz	loc_5B6DB4
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], 0

loc_488BCF:				; CODE XREF: KiExecuteAllDpcs+12E467j
		mov	ebx, [ebp+var_88]

loc_488BD5:				; CODE XREF: KiExecuteAllDpcs+192j
		mov	edx, [ebp+var_C4]
		mov	eax, [edx]
		mov	ecx, eax
		inc	eax
		and	ecx, 0Fh
		mov	[edx], eax
		lea	eax, [ecx+2]
		lea	eax, [ecx+eax*2]
		lea	ecx, [edx+eax*4]
		mov	eax, [ebp+var_5C]
		mov	[ecx], eax
		mov	eax, ds:_KeTickCount
		mov	[ecx+4], eax
		mov	eax, [ebp+var_A4]
		mov	[ebp+var_8C], ecx
		mov	ecx, [ebx+4060h]
		mov	eax, [eax+13Ch]
		mov	[ebp+var_90], eax
		mov	dword ptr [ebx+4B0h], 0
		test	ecx, ecx
		jz	short loc_488C33
		cmp	[ebx+4064h], ecx
		jnz	loc_5B6DEC

loc_488C33:				; CODE XREF: KiExecuteAllDpcs+2A5j
					; KiExecuteAllDpcs+12E478j ...
		rdtsc
		mov	ecx, eax
		mov	[ebp+var_64], edx
		mov	eax, [ebp+var_A0]
		mov	[ebp+var_68], ecx
		mov	[ebx+21DCh], eax
		cmp	eax, 1
		jz	short loc_488C54
		mov	[eax+20h], ecx
		mov	[eax+24h], edx

loc_488C54:				; CODE XREF: KiExecuteAllDpcs+2CCj
		cmp	[ebp+var_60], 0
		jnz	short loc_488C61
		mov	byte ptr [ebx+223Ah], 1

loc_488C61:				; CODE XREF: KiExecuteAllDpcs+2D8j
		push	[ebp+var_7C]
		push	[ebp+var_70]
		push	[ebp+var_6C]
		push	esi
		call	[ebp+var_5C]
		cmp	[ebp+var_60], 0
		rdtsc
		mov	ecx, eax
		mov	[ebp+var_70], edx
		mov	[ebp+var_80], ecx
		jnz	short loc_488CA1
		mov	esi, ecx
		mov	byte ptr [ebx+223Ah], 0
		sub	esi, [ebp+var_68]
		mov	eax, [ebx+3F58h]
		sbb	edx, [ebp+var_64]
		mov	[ebp+var_7C], eax
		test	eax, eax
		jnz	loc_5B6E1D

loc_488C9E:				; CODE XREF: KiExecuteAllDpcs+12E548j
		mov	edx, [ebp+var_70]

loc_488CA1:				; CODE XREF: KiExecuteAllDpcs+2FCj
		mov	eax, [ebp+var_A0]
		cmp	eax, 1
		jz	short loc_488CCE
		sub	ecx, [eax+20h]
		sbb	edx, [eax+24h]
		add	[eax+18h], ecx
		adc	[eax+1Ch], edx
		add	dword ptr [eax+28h], 1
		adc	dword ptr [eax+2Ch], 0
		add	[eax+50h], ecx
		adc	[eax+54h], edx
		add	dword ptr [eax+58h], 1
		adc	dword ptr [eax+5Ch], 0

loc_488CCE:				; CODE XREF: KiExecuteAllDpcs+32Aj
		mov	ecx, [ebp+var_8C]
		mov	eax, ds:_KeTickCount
		mov	[ecx+8], eax
		mov	eax, [ebp+var_A4]
		mov	ecx, [ebp+var_90]
		mov	eax, [eax+13Ch]
		cmp	ecx, eax
		jnz	loc_5B6EED
		mov	ecx, [ebp+var_84]
		test	ecx, ecx
		jz	loc_488DD0
		mov	eax, [ecx+4]
		mov	[ebp+var_90], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_18], eax
		mov	eax, ds:_EtwpHostSiloState
		mov	[ebp+var_A8], 0
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 4
		mov	esi, [eax+924h]
		bsf	ecx, esi
		mov	[ebp+var_C], 0
		mov	[ebp+var_A8], ecx
		jz	loc_488DD0
		mov	edi, [ebp+var_90]
		mov	ebx, [ebp+var_8C]

loc_488D61:				; CODE XREF: KiExecuteAllDpcs+43Cj
		mov	edx, ds:_EtwpHostSiloState
		lea	eax, [esi-1]
		and	esi, eax
		mov	eax, ecx
		shl	eax, 5
		add	eax, 948h
		add	eax, edx
		jz	short loc_488DB9
		test	byte ptr [eax+4], 80h
		jz	short loc_488DB9
		movzx	eax, byte ptr [edx+ecx*2+915h]
		push	edi
		push	ebx
		push	2
		lea	eax, [ebp+eax*8+var_50]
		mov	[ebp+var_24], 0
		mov	[ebp+var_28], eax
		movzx	eax, byte ptr [edx+ecx*2+914h]
		lea	ecx, [ebp+var_28]
		push	eax
		mov	[ebp+var_20], 8
		mov	[ebp+var_1C], 0
		call	EtwpLogKernelEvent

loc_488DB9:				; CODE XREF: KiExecuteAllDpcs+3F8j
					; KiExecuteAllDpcs+3FEj
		bsf	ecx, esi
		jnz	short loc_488D61
		mov	edi, [ebp+var_AC]
		mov	ebx, [ebp+var_88]
		mov	[ebp+var_A8], ecx

loc_488DD0:				; CODE XREF: KiExecuteAllDpcs+37Ej
					; KiExecuteAllDpcs+3CFj
		cli
		cmp	dword ptr [edi+0Ch], 0
		jnz	short loc_488DF6

loc_488DD7:				; CODE XREF: KiExecuteAllDpcs+12E55Ej
					; KiExecuteAllDpcs+12E568j
		mov	eax, [ebp+var_CC]
		mov	[ebx+21DCh], eax

loc_488DE3:				; CODE XREF: KiExecuteAllDpcs+93j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_488DF6:				; CODE XREF: KiExecuteAllDpcs+455j
		mov	edx, [ebp+var_60]
		jmp	loc_488A58
; 

loc_488DFE:				; CODE XREF: KiExecuteAllDpcs+A4j
		mov	eax, 0F42h
		mov	[ebp+var_94], offset byte_401802
		jmp	loc_488A39
; 

loc_488E12:				; CODE XREF: KiExecuteAllDpcs+1ABj
		mov	ebx, 1Eh
		jmp	loc_488B79
; 

loc_488E1C:				; CODE XREF: KiExecuteAllDpcs+F2j
		call	KxWaitForSpinLockAndAcquire

loc_488E21:				; CODE XREF: KiExecuteAllDpcs+12E381j
		mov	edx, [ebp+var_60]
		lea	ecx, [edi+8]
		jmp	loc_488A78
KiExecuteAllDpcs endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpLogKernelEvent proc	near		; CODE XREF: EtwTraceKernelEvent(x,x,x,x,x)+65p
					; EtwTraceSiloKernelEvent+70p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005B6F09 SIZE 0000020C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		xor	eax, eax
		mov	ebx, edx
		push	esi
		push	edi
		mov	[esp+48h+var_20], ebx
		mov	edi, ecx
		mov	[esp+48h+var_C], eax
		mov	[esp+48h+var_8], eax
		mov	[esp+48h+var_4], eax
		mov	[esp+48h+var_18], eax
		mov	[esp+48h+var_14], eax
		mov	byte ptr [esp+48h+var_2C], al
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		mov	esi, [ebp+arg_0]
		test	al, al
		jz	short loc_488E7A
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jb	loc_48908B

loc_488E7A:				; CODE XREF: EtwpLogKernelEvent+3Aj
					; EtwpLogKernelEvent+289j
		mov	eax, [ebx+18Ch]
		lea	ecx, ds:0[esi*4]
		mov	[esp+48h+var_1C], ecx
		mov	ecx, [ecx+eax]
		mov	[esp+48h+var_30], ecx
		test	cl, 1
		jnz	loc_5B6F09
		test	ecx, ecx
		jz	loc_48902D
		mov	esi, [ebp+arg_4]
		xor	edx, edx
		xor	eax, eax
		mov	[esp+48h+var_34], edx
		xor	ebx, ebx
		cmp	esi, 2
		jb	short loc_488EEA
		lea	eax, [esi-2]
		xor	ecx, ecx
		shr	eax, 1
		lea	ebx, [edi+18h]
		inc	eax
		xor	esi, esi
		lea	edx, [eax+eax]

loc_488EC5:				; CODE XREF: EtwpLogKernelEvent+A1j
		add	ecx, [ebx-10h]
		lea	ebx, [ebx+20h]
		add	esi, [ebx-20h]
		sub	eax, 1
		jnz	short loc_488EC5
		mov	[esp+48h+var_28], esi
		mov	esi, [ebp+arg_4]
		mov	ebx, [esp+48h+var_28]
		mov	[esp+48h+var_24], ecx
		mov	ecx, [esp+48h+var_30]
		mov	eax, [esp+48h+var_24]

loc_488EEA:				; CODE XREF: EtwpLogKernelEvent+83j
		cmp	edx, esi
		jb	loc_489036

loc_488EF2:				; CODE XREF: EtwpLogKernelEvent+210j
		mov	edx, [ebp+arg_C]
		add	eax, ebx
		mov	ebx, [esp+48h+var_34]
		add	ebx, eax
		mov	[esp+48h+var_34], ebx
		test	edx, 100h
		jnz	loc_4890BE
		mov	eax, [ecx+258h]
		test	eax, 0C00h
		jnz	loc_5B6F89

loc_488F1E:				; CODE XREF: EtwpLogKernelEvent+12E199j
		push	edx
		lea	edx, [esp+4Ch+var_18]
		push	edx
		lea	edx, [esp+50h+var_C]
		push	edx
		lea	edx, [ebx+10h]
		call	EtwpReserveTraceBuffer
		test	eax, eax
		jz	loc_489026
		mov	ecx, [esp+48h+var_18]
		mov	edx, [ebp+arg_C]
		mov	[eax+8], ecx
		mov	ecx, [esp+48h+var_14]
		mov	[eax+0Ch], ecx
		movzx	ecx, dl
		or	ecx, 0C0100000h
		mov	[eax], ecx
		lea	ecx, [ebx+10h]
		mov	[eax+4], cx
		mov	ecx, [ebp+arg_8]
		mov	[eax+6], cx
		add	eax, 10h

loc_488F66:				; CODE XREF: EtwpLogKernelEvent+31Aj
					; EtwpLogKernelEvent+12E154j ...
		mov	[esp+48h+var_38], eax
		test	eax, eax
		jz	loc_489026
		mov	[esp+48h+var_24], 0
		mov	ecx, eax
		mov	[esp+48h+var_28], ecx
		test	esi, esi
		jz	short loc_488FB9

loc_488F84:				; CODE XREF: EtwpLogKernelEvent+187j
		mov	esi, [edi+8]
		cmp	esi, ebx
		ja	loc_5B6FE8
		mov	eax, [edi]
		push	esi		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [esp+54h+var_24]
		add	esp, 0Ch
		mov	ecx, [esp+48h+var_28]
		inc	eax
		add	ecx, esi
		mov	[esp+48h+var_24], eax
		sub	ebx, esi
		mov	[esp+48h+var_28], ecx
		add	edi, 10h
		cmp	eax, [ebp+arg_4]
		jb	short loc_488F84

loc_488FB9:				; CODE XREF: EtwpLogKernelEvent+152j
		mov	esi, [esp+48h+var_30]

loc_488FBD:				; CODE XREF: EtwpLogKernelEvent+12E1D6j
		test	dword ptr [esi+0Ch], 80000h
		jnz	loc_5B700B

loc_488FCA:				; CODE XREF: EtwpLogKernelEvent+12E1F4j
					; EtwpLogKernelEvent+12E205j
		mov	ecx, [esp+48h+var_8]
		mov	ecx, [ecx]
		mov	edi, [esp+48h+var_C]
		mov	eax, edi
		xor	eax, ecx
		cmp	eax, 7
		jnb	loc_48914F
		mov	ebx, [esp+48h+var_8]

loc_488FE5:				; CODE XREF: EtwpLogKernelEvent+12E213j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jnz	loc_5B703A

loc_488FF6:				; CODE XREF: EtwpLogKernelEvent+323j
		mov	ebx, [esi+258h]
		mov	edi, [ebp+arg_8]
		test	bl, bl
		js	loc_5B704E

loc_489007:				; CODE XREF: EtwpLogKernelEvent+12E23Bj
					; EtwpLogKernelEvent+12E257j
		test	ebx, 8000h
		jnz	loc_5B708C

loc_489013:				; CODE XREF: EtwpLogKernelEvent+12E267j
					; EtwpLogKernelEvent+12E287j
		mov	ebx, [ebp+arg_C]

loc_489016:				; CODE XREF: EtwpLogKernelEvent+12E29Dj
		test	dword ptr [esi+258h], 4000000h
		jnz	loc_5B70D2

loc_489026:				; CODE XREF: EtwpLogKernelEvent+103j
					; EtwpLogKernelEvent+13Cj ...
		cmp	byte ptr [esp+48h+var_2C], 0
		jnz	short loc_489045

loc_48902D:				; CODE XREF: EtwpLogKernelEvent+6Dj
					; EtwpLogKernelEvent+240j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_489036:				; CODE XREF: EtwpLogKernelEvent+BCj
		add	edx, edx
		mov	edx, [edi+edx*8+8]
		mov	[esp+48h+var_34], edx
		jmp	loc_488EF2
; 

loc_489045:				; CODE XREF: EtwpLogKernelEvent+1FBj
		mov	ecx, [esp+48h+var_20]
		mov	edx, 1
		mov	eax, [esp+48h+var_1C]
		mov	ecx, [ecx+188h]
		mov	ecx, [ecx+eax]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		mov	ecx, large fs:124h
		nop
		add	word ptr [ecx+13Ch], 1
		jnz	short loc_48902D
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_48902D
		cmp	word ptr [ecx+13Eh], 0
		jnz	short loc_48902D
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_48902D
; 

loc_48908B:				; CODE XREF: EtwpLogKernelEvent+44j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebx+188h]
		mov	edx, 1
		mov	ecx, [ecx+esi*4]
		call	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
		test	al, al
		jz	loc_5B6EFF
		mov	byte ptr [esp+48h+var_2C], 1
		jmp	loc_488E7A
; 

loc_4890BE:				; CODE XREF: EtwpLogKernelEvent+D7j
		push	edx
		test	edx, 10000000h
		lea	edx, [esp+4Ch+var_18]
		push	edx
		lea	edx, [esp+50h+var_C]
		push	edx
		jnz	loc_5B6F1B
		mov	eax, large fs:124h
		lea	edx, [ebx+20h]
		mov	[esp+54h+var_28], eax
		call	EtwpReserveTraceBuffer
		mov	[esp+48h+var_24], eax
		test	eax, eax
		jz	loc_489026
		mov	edx, [ebp+arg_C]
		movzx	ecx, dl
		mov	edx, eax
		or	ecx, 0C0010000h
		lea	eax, [ebx+20h]
		mov	[edx], ecx
		mov	ecx, [esp+48h+var_18]
		mov	[edx+10h], ecx
		mov	ecx, [esp+48h+var_14]
		mov	[edx+14h], ecx
		mov	ecx, [ebp+arg_8]
		mov	[edx+6], cx
		mov	ecx, [esp+48h+var_28]
		mov	[edx+4], ax
		mov	eax, [ecx+2B0h]
		mov	[edx+8], eax
		mov	eax, [ecx+2ACh]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+194h]
		mov	[edx+18h], eax
		mov	eax, [ecx+1C0h]
		mov	[edx+1Ch], eax
		lea	eax, [edx+20h]
		jmp	loc_488F66
; 

loc_48914F:				; CODE XREF: EtwpLogKernelEvent+1ABj
					; EtwpLogKernelEvent+12E219j
		lock dec dword ptr [edi+0Ch]
		jmp	loc_488FF6
EtwpLogKernelEvent endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpReserveTraceBuffer proc near	; CODE XREF: EtwpTraceMessageVa+1F3p
					; EtwpLogKernelEvent+FCp ...

var_60		= dword	ptr -60h
var_4E		= byte ptr -4Eh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005B7115 SIZE 000002C0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+60h+var_38], edi
		cmp	dword ptr [edi+10h], 0
		jl	loc_4893D1
		cmp	edx, [edi+8]
		ja	loc_4893D1
		mov	eax, [edi+4]
		add	edx, 7
		and	edx, 0FFFFFFF8h
		mov	[esp+60h+var_40], eax
		mov	[esp+60h+var_2C], edx
		mov	edx, [edi]
		mov	[esp+60h+var_34], edx
		mov	edi, edi

loc_4891A0:				; CODE XREF: EtwpReserveTraceBuffer+268j
		mov	eax, large fs:20h
		mov	ecx, [eax+3CCh]
		mov	eax, [edi+2E4h]
		mov	[esp+60h+var_1C], ecx
		shl	ecx, 6
		add	ecx, [eax+8D8h]
		test	dword ptr [edi+0Ch], 10000000h
		mov	[esp+60h+var_28], ecx
		jnz	loc_48937F
		mov	eax, [ecx]
		lea	edx, [eax+edx*4]

loc_4891D5:				; CODE XREF: EtwpReserveTraceBuffer+222j
		mov	ebx, [edx]
		mov	[esp+60h+var_4C], edx
		mov	byte ptr [esp+13h], 0
		test	bl, 7
		jz	short loc_4891F6

loc_4891E5:				; CODE XREF: EtwpReserveTraceBuffer+307j
		lea	ecx, [ebx-1]
		mov	eax, ebx
		lock cmpxchg [edx], ecx
		cmp	eax, ebx
		jnz	loc_489463

loc_4891F6:				; CODE XREF: EtwpReserveTraceBuffer+83j
					; EtwpReserveTraceBuffer+30Dj
		test	ebx, ebx
		jz	loc_4893CD
		mov	eax, ebx
		and	eax, 7
		cmp	eax, 1
		jb	loc_5B713C
		and	ebx, 0FFFFFFF8h
		mov	[esp+60h+var_48], ebx
		cmp	eax, 1
		jz	loc_4893EE

loc_48921C:				; CODE XREF: EtwpReserveTraceBuffer+2CFj
					; EtwpReserveTraceBuffer+12DFD7j
		test	ebx, ebx
		jz	loc_48939C
		mov	esi, [ebx+8]
		lea	eax, [ebx+8]
		mov	[esp+60h+var_18], 0
		mov	[esp+60h+var_14], 0
		mov	[esp+60h+var_10], 0
		mov	[esp+60h+var_C], 0
		mov	[esp+60h+var_24], eax
		mov	[esp+60h+var_44], esi
		cmp	esi, [esp+60h+var_40]
		ja	loc_48939C
		lea	esp, [esp+0]

loc_489260:				; CODE XREF: EtwpReserveTraceBuffer+286j
		test	dword ptr [edi+258h], 8000000h
		jnz	loc_5B716A
		mov	eax, [edi+20h]
		cmp	eax, 3
		jnz	loc_489365
		rdtsc

loc_48927E:				; CODE XREF: EtwpReserveTraceBuffer+21Aj
					; EtwpReserveTraceBuffer+22Cj
		mov	ecx, eax

loc_489280:				; CODE XREF: EtwpReserveTraceBuffer+12E17Fj
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	[eax+4], edx

loc_489288:				; CODE XREF: EtwpReserveTraceBuffer+12E089j
		mov	ecx, [esp+60h+var_2C]
		lea	edx, [ebx+8]
		add	ecx, esi
		mov	eax, esi
		lock cmpxchg [edx], ecx
		mov	edx, [esp+60h+var_2C]
		mov	[esp+60h+var_30], eax
		cmp	esi, eax
		jnz	loc_4893DC
		add	eax, edx
		cmp	eax, [esp+60h+var_40]
		ja	loc_489391
		test	dword ptr [edi+0Ch], 400h
		jz	short loc_489332
		lea	eax, [ebx+10h]
		mov	[esp+60h+var_40], eax

loc_4892C3:				; CODE XREF: EtwpReserveTraceBuffer+316j
		mov	edi, [eax]
		mov	esi, [eax+4]
		mov	eax, edi
		mov	[esp+60h+var_38], esi
		mov	edx, esi
		nop
		mov	ecx, esi
		mov	ebx, edi
		mov	esi, [esp+60h+var_40]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, ecx
		cmp	eax, edi
		jnz	loc_489472
		cmp	edx, esi
		jnz	loc_489472
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[esp+60h+var_2C], eax
		cmp	eax, esi
		jl	short loc_48932E
		jg	short loc_489305
		cmp	ecx, edi
		jbe	short loc_48932E

loc_489305:				; CODE XREF: EtwpReserveTraceBuffer+19Fj
					; EtwpReserveTraceBuffer+2F0j ...
		mov	eax, edi
		mov	edx, esi
		nop
		mov	esi, [esp+60h+var_40]
		mov	ebx, ecx
		mov	ecx, [esp+60h+var_2C]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [esp+60h+var_38]
		mov	ebx, eax
		cmp	ebx, edi
		jnz	loc_489434
		cmp	edx, esi
		jnz	loc_489434

loc_48932E:				; CODE XREF: EtwpReserveTraceBuffer+19Dj
					; EtwpReserveTraceBuffer+1A3j ...
		mov	ebx, [esp+60h+var_48]

loc_489332:				; CODE XREF: EtwpReserveTraceBuffer+15Aj
		mov	eax, [esp+60h+var_28]
		mov	ecx, [esp+60h+var_34]
		mov	esi, [esp+60h+var_4C]
		mov	eax, [eax+4]
		add	dword ptr [eax+ecx*8], 1
		adc	dword ptr [eax+ecx*8+4], 0
		mov	eax, [ebp+arg_0]
		mov	ecx, [esp+60h+var_30]
		mov	[eax], ebx
		mov	[eax+4], esi
		mov	[eax+8], ecx
		lea	eax, [ebx+ecx]

loc_48935C:				; CODE XREF: EtwpReserveTraceBuffer+27Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_489365:				; CODE XREF: EtwpReserveTraceBuffer+116j
		sub	eax, 0
		jz	short loc_489387
		sub	eax, 1
		jnz	loc_5B72BB
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		jmp	loc_48927E
; 

loc_48937F:				; CODE XREF: EtwpReserveTraceBuffer+6Aj
		lea	edx, [edi+58h]
		jmp	loc_4891D5
; 

loc_489387:				; CODE XREF: EtwpReserveTraceBuffer+208j
		call	RtlGetSystemTimePrecise
		jmp	loc_48927E
; 

loc_489391:				; CODE XREF: EtwpReserveTraceBuffer+14Dj
		mov	ecx, [esp+60h+var_30]
		mov	[ebx+4], ecx

loc_489398:				; CODE XREF: EtwpReserveTraceBuffer+28Cj
					; EtwpReserveTraceBuffer+12E18Bj
		mov	edx, [esp+60h+var_4C]

loc_48939C:				; CODE XREF: EtwpReserveTraceBuffer+BEj
					; EtwpReserveTraceBuffer+F6j ...
		push	[ebp+arg_8]
		mov	ecx, edi
		push	[esp+64h+var_1C]
		push	edx
		mov	edx, ebx
		call	_EtwpSwitchBuffer@20 ; EtwpSwitchBuffer(x,x,x,x,x)
		test	dword ptr [edi+0Ch], 4000000h
		mov	esi, eax
		mov	[esp+60h+var_24], esi
		jnz	loc_5B72F0

loc_4893C0:				; CODE XREF: EtwpReserveTraceBuffer+12E257j
		test	esi, esi
		js	short loc_4893D1
		mov	edx, [esp+60h+var_34]
		jmp	loc_4891A0
; 

loc_4893CD:				; CODE XREF: EtwpReserveTraceBuffer+98j
		xor	ebx, ebx
		jmp	short loc_48939C
; 

loc_4893D1:				; CODE XREF: EtwpReserveTraceBuffer+18j
					; EtwpReserveTraceBuffer+21j ...
		mov	ecx, edi
		call	EtwpUpdateEventsLostCount
		xor	eax, eax
		jmp	short loc_48935C
; 

loc_4893DC:				; CODE XREF: EtwpReserveTraceBuffer+141j
					; EtwpReserveTraceBuffer+12E156j
		mov	esi, eax

loc_4893DE:				; CODE XREF: EtwpReserveTraceBuffer+12E115j
					; EtwpReserveTraceBuffer+12E14Dj
		mov	[esp+60h+var_44], esi

loc_4893E2:				; CODE XREF: EtwpReserveTraceBuffer+12E01Cj
		cmp	esi, [esp+60h+var_40]
		jbe	loc_489260
		jmp	short loc_489398
; 

loc_4893EE:				; CODE XREF: EtwpReserveTraceBuffer+B6j
		lea	ecx, [ebx+0Ch]
		mov	eax, 7
		lock xadd [ecx], eax
		mov	ecx, [edx]
		mov	eax, ecx
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		ja	loc_5B712B
		mov	esi, [esp+60h+var_4C]

loc_489411:				; CODE XREF: EtwpReserveTraceBuffer+12DFC0j
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	ebx, eax
		jnz	short loc_48947B
		lea	edx, [ecx+7]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jnz	loc_5B7115

loc_48942B:				; CODE XREF: EtwpReserveTraceBuffer+12E005j
		mov	edx, [esp+60h+var_4C]
		jmp	loc_48921C
; 

loc_489434:				; CODE XREF: EtwpReserveTraceBuffer+1C0j
					; EtwpReserveTraceBuffer+1C8j
		mov	eax, [ebp+arg_4]
		mov	esi, edx
		mov	edi, ebx
		mov	[esp+60h+var_38], esi
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[esp+60h+var_2C], eax
		cmp	eax, edx
		jl	loc_48932E
		jg	loc_489305
		cmp	ecx, ebx
		jbe	loc_48932E
		jmp	loc_489305
; 

loc_489463:				; CODE XREF: EtwpReserveTraceBuffer+90j
		mov	ebx, eax
		test	al, 7
		jnz	loc_4891E5
		jmp	loc_4891F6
; 

loc_489472:				; CODE XREF: EtwpReserveTraceBuffer+181j
					; EtwpReserveTraceBuffer+189j
		mov	eax, [esp+60h+var_40]
		jmp	loc_4892C3
; 

loc_48947B:				; CODE XREF: EtwpReserveTraceBuffer+2B8j
					; EtwpReserveTraceBuffer+12DFC6j
		mov	edx, [esp+60h+var_4C]
		jmp	loc_5B712B
EtwpReserveTraceBuffer endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPerfAction(x, x,	x, x)
_PpmPerfAction@16 proc near		; DATA XREF: PoInitializePrcb+3Fo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		lea	eax, [esi+3E88h]
		xchg	ebx, [eax]
		test	bl, 1
		jz	short loc_4894BA
		sub	esp, 8
		lea	ecx, [esi+3EA0h]
		call	PpmPerfSnapDeliveredPerformance

loc_4894BA:				; CODE XREF: PpmPerfAction(x,x,x,x)+1Aj
		test	bl, 2
		jnz	short loc_48950E

loc_4894BF:				; CODE XREF: PpmPerfAction(x,x,x,x)+85j
		test	bl, 4
		jnz	short loc_4894EA

loc_4894C4:				; CODE XREF: PpmPerfAction(x,x,x,x)+7Cj
		test	bl, 8
		jnz	short loc_489517

loc_4894C9:				; CODE XREF: PpmPerfAction(x,x,x,x)+8Ej
		test	bl, 10h
		jnz	short loc_489520

loc_4894CE:				; CODE XREF: PpmPerfAction(x,x,x,x)+97j
		or	eax, 0FFFFFFFFh
		lock xadd _PpmCheckCount, eax
		jz	short loc_4894E3

loc_4894DB:				; CODE XREF: PpmPerfAction(x,x,x,x)+58j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4894E3:				; CODE XREF: PpmPerfAction(x,x,x,x)+49j
		call	PpmCheckContinueExecution
		jmp	short loc_4894DB
; 

loc_4894EA:				; CODE XREF: PpmPerfAction(x,x,x,x)+32j
		mov	eax, [esi+3EA4h]
		cmp	byte ptr [eax+6Ch], 0
		jz	short loc_489503
		mov	dl, 1
		mov	byte ptr [eax+6Ch], 0
		mov	ecx, esi
		call	PpmPerfApplyProcessorState

loc_489503:				; CODE XREF: PpmPerfAction(x,x,x,x)+64j
		xor	dl, dl
		mov	ecx, esi
		call	PpmPerfApplyProcessorState
		jmp	short loc_4894C4
; 

loc_48950E:				; CODE XREF: PpmPerfAction(x,x,x,x)+2Dj
		mov	ecx, esi
		call	_PpmParkReportUnparkedCore@4 ; PpmParkReportUnparkedCore(x)
		jmp	short loc_4894BF
; 

loc_489517:				; CODE XREF: PpmPerfAction(x,x,x,x)+37j
		mov	ecx, esi
		call	_PpmParkReportParkedCore@4 ; PpmParkReportParkedCore(x)
		jmp	short loc_4894C9
; 

loc_489520:				; CODE XREF: PpmPerfAction(x,x,x,x)+3Cj
		mov	ecx, esi
		call	_PpmParkReportSoftParkChange@4 ; PpmParkReportSoftParkChange(x)
		jmp	short loc_4894CE
_PpmPerfAction@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiUpdateRunTime	proc near		; CODE XREF: KiUpdateTime+1E0p
					; KeClockInterruptNotify+D9p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	esi, large fs:20h
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		inc	dword ptr [esi+224Ch]
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ebx, ds:_KeTickCount
		mov	edx, [esi+2240h]
		test	al, al
		jz	short loc_489563
		sti

loc_489563:				; CODE XREF: KiUpdateRunTime+30j
		push	[ebp+var_4]
		mov	ecx, esi
		push	edi
		push	ebx
		call	KeAccumulateTicks
		mov	edi, [esi+4]
		mov	dword ptr [esi+3B00h], 1
		cmp	edi, [esi+0Ch]
		jz	short loc_4895C0
		mov	eax, [edi+34h]
		mov	ecx, [edi+30h]
		mov	[ebp+var_8], 0
		mov	[ebp+var_4], 0
		cmp	eax, [edi+38h]
		jnz	loc_5B73C3

loc_48959E:				; CODE XREF: EtwpReserveTraceBuffer+12E270j
		cmp	eax, [edi+1Ch]
		ja	short loc_4895DE
		jb	short loc_4895AA
		cmp	ecx, [edi+18h]
		jnb	short loc_4895DE

loc_4895AA:				; CODE XREF: KiUpdateRunTime+73j
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	_KiCheckPreferredHeteroProcessor@12 ; KiCheckPreferredHeteroProcessor(x,x,x)
		test	eax, eax
		jnz	short loc_4895DE
		mov	ecx, edi
		call	KiCheckForPendingQosUpdate

loc_4895C0:				; CODE XREF: KiUpdateRunTime+4Fj
		mov	edx, edi
		mov	ecx, esi
		call	KiCheckGroupSchedulingQuantumEnd
		test	al, al
		jnz	short loc_4895DE
		mov	eax, [esi+2250h]
		sub	eax, ebx
		js	short loc_4895F4

loc_4895D7:				; CODE XREF: KiUpdateRunTime+D9j
					; KiUpdateRunTime+E4j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4895DE:				; CODE XREF: KiUpdateRunTime+71j
					; KiUpdateRunTime+78j ...
		mov	cl, 2
		mov	byte ptr [esi+2239h], 1
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4895F4:				; CODE XREF: KiUpdateRunTime+A5j
		mov	ecx, esi
		call	KiShouldScanSharedReadyQueue
		test	eax, eax
		jnz	short loc_489616

loc_4895FF:				; CODE XREF: KiUpdateRunTime+F4j
		test	dword ptr [esi+3B20h], 7FFEh
		jnz	short loc_4895D7
		lea	eax, [ebx+4Bh]
		mov	[esi+2250h], eax
		jmp	short loc_4895D7
; 

loc_489616:				; CODE XREF: KiUpdateRunTime+CDj
		mov	eax, [esi+4024h]
		mov	eax, [eax+4]
		test	eax, 7FFEh
		jz	short loc_4895FF
		jmp	short loc_4895D7
KiUpdateRunTime	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmCheckSnapAllDeliveredPerformance proc near
					; CODE XREF: PpmCheckUpdateDeliveredPerformanceIfTracingEnabled()+21j

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B73D5 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	eax, _PpmCheckRegistered
		mov	[ebp+var_10], eax
		mov	eax, dword_6B5BA8
		mov	[ebp+var_C], eax
		mov	eax, dword_6B5BAC
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_24], eax
		push	esi
		nop

loc_489670:				; CODE XREF: PpmCheckSnapAllDeliveredPerformance+7Aj
					; PpmCheckSnapAllDeliveredPerformance+85j
		test	ecx, ecx
		jz	short loc_4896B7
		bsf	eax, ecx
		btr	ecx, eax
		mov	[ebp+var_18], eax
		mov	eax, ds:_KeNumberProcessors
		mov	esi, [ebp+var_18]
		mov	[ebp+var_20], ecx
		cmp	esi, eax
		jnb	loc_5B73D5
		mov	eax, ds:_KiProcessorBlock[esi*4]

loc_489697:				; CODE XREF: PpmCheckSnapAllDeliveredPerformance+12DDA7j
		sub	esp, 8
		lea	ecx, [eax+3EA0h]
		call	PpmPerfSnapDeliveredPerformance
		mov	ecx, [ebp+var_20]
		test	al, al
		jz	short loc_489670
		mov	eax, [ebp+var_8]
		btr	eax, esi
		mov	[ebp+var_8], eax
		jmp	short loc_489670
; 

loc_4896B7:				; CODE XREF: PpmCheckSnapAllDeliveredPerformance+42j
		mov	edx, [ebp+var_8]
		not	edx
		mov	[ebp+var_11], 0
		movzx	eax, dl
		shr	edx, 8
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[edx]
		movzx	eax, cl
		mov	_PpmCheckCount,	eax
		jz	short loc_48975B
		mov	esi, [ebp+var_8]
		push	ebx
		push	edi
		mov	ebx, 1
		mov	edi, edi

loc_489700:				; CODE XREF: PpmCheckSnapAllDeliveredPerformance+103j
					; PpmCheckSnapAllDeliveredPerformance+115j
		test	esi, esi
		jz	short loc_489747
		bsf	edi, esi
		push	0FFFFh
		btr	esi, edi
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		cmp	edi, eax
		jnb	short loc_48976C
		mov	edi, ds:_KiProcessorBlock[edi*4]

loc_48971F:				; CODE XREF: PpmCheckSnapAllDeliveredPerformance+13Ej
		lea	edx, [edi+3E88h]
		mov	eax, [edx]

loc_489727:				; CODE XREF: PpmCheckSnapAllDeliveredPerformance+FFj
		mov	ecx, eax
		or	ecx, ebx
		lock cmpxchg [edx], ecx
		jnz	short loc_489727
		test	eax, eax
		jnz	short loc_489700
		push	eax
		push	eax
		push	eax
		lea	ecx, [edi+3E68h]
		xor	edx, edx
		call	KiInsertQueueDpc
		jmp	short loc_489700
; 

loc_489747:				; CODE XREF: PpmCheckSnapAllDeliveredPerformance+D2j
		mov	al, [ebp+var_11]
		pop	edi
		pop	ebx
		pop	esi
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48975B:				; CODE XREF: PpmCheckSnapAllDeliveredPerformance+C2j
		mov	ecx, [ebp+var_4]
		mov	al, 1
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48976C:				; CODE XREF: PpmCheckSnapAllDeliveredPerformance+E6j
		xor	edi, edi
		jmp	short loc_48971F
PpmCheckSnapAllDeliveredPerformance endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfSnapDeliveredPerformance	proc near ; CODE XREF: PpmPerfAction(x,x,x,x)+25p
					; PpmCheckSnapAllDeliveredPerformance+70p

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B73DC SIZE 000000A5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0A4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+0B0h+var_7C], edi
		mov	eax, [edi+8]
		mov	[esp+0B0h+var_5C], eax
		test	eax, eax
		jz	loc_489A19
		lea	edx, [eax+0E0h]
		lea	ebx, [eax+80h]
		mov	[esp+0B0h+var_78], edx
		mov	eax, large fs:20h
		lea	esi, [edi-3EA0h]
		push	ebx
		cmp	esi, eax
		mov	[esp+0B4h+var_9C], ebx
		push	1
		setnz	byte ptr [esp+0B8h+var_A0]
		mov	ecx, esi
		push	[esp+0B8h+var_A0]
		xor	dl, dl
		call	PpmSnapPerformanceAccumulation
		test	al, al
		jz	loc_489A1B
		mov	edx, [esp+0B0h+var_78]
		mov	ecx, [ebx+4]
		mov	eax, [ebx]
		mov	edi, [edx]
		mov	[esp+0B0h+var_98], edi
		mov	edi, [edx+4]
		cmp	ecx, edi
		mov	[esp+0B0h+var_80], edi
		mov	edi, [esp+0B0h+var_7C]
		ja	short loc_489811
		jb	loc_5B73E8
		cmp	eax, [esp+0B0h+var_98]
		jbe	loc_5B73E8

loc_489811:				; CODE XREF: PpmPerfSnapDeliveredPerformance+8Fj
		sub	eax, [esp+0B0h+var_98]
		mov	[esp+0B0h+var_6C], eax
		sbb	ecx, [esp+0B0h+var_80]
		mov	eax, [ebx+0Ch]
		mov	[esp+0B0h+var_80], ecx
		mov	ecx, [ebx+8]
		sub	ecx, [edx+8]
		mov	[esp+0B0h+var_98], ecx
		sbb	eax, [edx+0Ch]
		mov	[esp+0B0h+var_84], eax
		cmp	eax, [esp+0B0h+var_80]
		jb	short loc_48984B
		ja	loc_5B73DC
		cmp	ecx, [esp+0B0h+var_6C]
		ja	loc_5B73DC

loc_48984B:				; CODE XREF: PpmPerfSnapDeliveredPerformance+C9j
		mov	al, byte ptr [esp+0B0h+var_A0]

loc_48984F:				; CODE XREF: PpmPerfSnapDeliveredPerformance+12DC72j
		test	esi, esi
		jz	short loc_48985B
		test	al, al
		jz	loc_489A32

loc_48985B:				; CODE XREF: PpmPerfSnapDeliveredPerformance+E1j
					; PpmPerfSnapDeliveredPerformance+2F1j	...
		cmp	[esp+0B0h+var_84], 0
		ja	short loc_48986A
		test	ecx, ecx
		jz	loc_489A0C

loc_48986A:				; CODE XREF: PpmPerfSnapDeliveredPerformance+F0j
		mov	eax, [ebx+18h]
		sub	eax, [edx+18h]
		mov	ecx, [ebx+20h]
		push	[esp+0B0h+var_84]
		mov	[esp+0B4h+var_A0], eax
		mov	eax, [ebx+1Ch]
		sbb	eax, [edx+1Ch]
		sub	ecx, [edx+20h]
		mov	[esp+0B4h+var_94], eax
		mov	eax, [ebx+24h]
		sbb	eax, [edx+24h]
		mov	ebx, [esp+0B4h+var_98]
		push	ebx
		push	eax
		push	ecx
		call	__aulldiv
		push	[esp+0B0h+var_84]
		mov	[esp+0B4h+var_70], eax
		push	ebx
		mov	ebx, [esp+0B8h+var_94]
		push	ebx
		push	[esp+0BCh+var_A0]
		call	__aulldiv
		mov	ecx, [edi]
		mov	[esp+0B0h+var_94], eax
		test	ecx, ecx
		jz	loc_489AF6
		mov	ecx, [ecx+54h]

loc_4898C2:				; CODE XREF: PpmPerfSnapDeliveredPerformance+38Cj
		mov	eax, ebx
		mov	edi, 47AE147Ah
		mul	ecx
		push	[esp+0B0h+var_84]
		mov	ebx, eax
		mov	eax, [esp+0B4h+var_A0]
		mul	ecx
		push	[esp+0B4h+var_98]
		add	ebx, edx
		mov	ecx, eax
		mov	edx, 0E147AE15h
		mov	[esp+0B8h+var_74], ecx
		mul	edx
		mov	[esp+0B8h+var_A0], ebx
		mov	[esp+0B8h+var_68], eax
		mov	esi, edx
		mov	eax, ecx
		mov	ecx, 0E147AE15h
		mul	edi
		mov	edi, eax
		mov	[esp+0B8h+var_90], edx
		mov	eax, ebx
		mul	ecx
		mov	ecx, eax
		mov	ebx, edx
		mov	eax, [esp+0B8h+var_A0]
		mov	edx, 47AE147Ah
		mul	edx
		add	ecx, esi
		mov	[esp+0B8h+var_68], eax
		adc	ebx, 0
		add	edi, ecx
		mov	ecx, [esp+0B8h+var_90]
		adc	ecx, 0
		mov	[esp+0B8h+var_50], edi
		xor	eax, eax
		add	ebx, ecx
		mov	ecx, [esp+0B8h+var_68]
		adc	eax, eax
		add	ecx, ebx
		mov	ebx, [esp+0B8h+var_A0]
		adc	edx, eax
		mov	eax, [esp+0B8h+var_74]
		sub	eax, ecx
		sbb	ebx, edx
		shrd	eax, ebx, 1
		shr	ebx, 1
		add	eax, ecx
		adc	ebx, edx
		shrd	eax, ebx, 6
		shr	ebx, 6
		push	ebx
		push	eax
		call	__aulldiv
		mov	ecx, [esp+0B0h+var_5C]
		mov	esi, eax
		mov	eax, [esp+0B0h+var_70]
		mov	edx, [esp+0B0h+var_94]
		cmp	eax, [ecx+140h]
		jz	loc_5B743F

loc_489978:				; CODE XREF: PpmPerfSnapDeliveredPerformance+12DCDBj
		cmp	_PpmEtwRegistered, 0
		mov	ecx, [esp+0B0h+var_7C]
		mov	[esp+0B0h+var_70], eax
		mov	[esp+0B0h+var_A0], 0
		mov	[esp+0B0h+var_68], esi
		movzx	eax, byte ptr [ecx-3ADBh]
		mov	word ptr [esp+0B0h+var_A0], ax
		mov	al, [ecx-3ADCh]
		mov	byte ptr [esp+0B0h+var_A0+2], al
		lea	eax, [esp+0B0h+var_A0]
		mov	[esp+0B0h+var_74], edx
		mov	[esp+0B0h+var_48], eax
		mov	[esp+0B0h+var_44], 0
		mov	[esp+0B0h+var_40], 3
		mov	[esp+0B0h+var_3C], 0
		jz	short loc_489A08
		mov	esi, _PpmEtwHandle
		test	esi, esi
		jz	short loc_489A08
		mov	edx, [esi+10h]
		cmp	dword ptr [edx+40h], 0
		jz	short loc_4899FE
		mov	al, [edx+44h]
		cmp	al, 4
		jb	loc_5B7450

loc_4899ED:				; CODE XREF: PpmPerfSnapDeliveredPerformance+12DCE8j
		mov	eax, [edx+50h]
		and	eax, 80h
		or	eax, 0
		jnz	loc_5B745D

loc_4899FE:				; CODE XREF: PpmPerfSnapDeliveredPerformance+270j
					; PpmPerfSnapDeliveredPerformance+12DCE2j ...
		cmp	byte ptr [esi+35h], 0
		jnz	loc_489B0A

loc_489A08:				; CODE XREF: PpmPerfSnapDeliveredPerformance+25Dj
					; PpmPerfSnapDeliveredPerformance+267j	...
		mov	ebx, [esp+0B0h+var_9C]

loc_489A0C:				; CODE XREF: PpmPerfSnapDeliveredPerformance+F4j
		mov	edi, [esp+0B0h+var_78]
		mov	ecx, 18h
		mov	esi, ebx
		rep movsd

loc_489A19:				; CODE XREF: PpmPerfSnapDeliveredPerformance+2Ej
		mov	al, 1

loc_489A1B:				; CODE XREF: PpmPerfSnapDeliveredPerformance+6Dj
					; PpmPerfSnapDeliveredPerformance+12DC7Aj
		mov	ecx, [esp+0B0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_489A32:				; CODE XREF: PpmPerfSnapDeliveredPerformance+E5j
		cmp	_PopProcessorThrottleLogInterval, 0
		mov	edi, [esi+3EA4h]
		mov	eax, [esi+3EA0h]
		mov	[esp+0B0h+var_A0], edi
		mov	edi, [esp+0B0h+var_7C]
		mov	[esp+0B0h+var_90], 0
		mov	[esp+0B0h+var_8C], 0
		mov	[esp+0B0h+var_94], eax
		jz	loc_48985B
		test	eax, eax
		jz	loc_48985B
		cmp	[esp+0B0h+var_A0], 0
		jz	loc_48985B
		mov	eax, [eax+28h]
		test	eax, eax
		jz	loc_48985B
		cmp	byte ptr [esi+3E48h], 0
		jz	loc_48985B
		lea	ecx, [esp+0B0h+var_90]
		call	eax
		mov	eax, [esp+0B0h+var_A0]
		mov	ecx, [esp+0B0h+var_94]
		mov	eax, [eax+38h]
		cmp	eax, [ecx+5Ch]
		jb	loc_5B73EF
		cmp	byte ptr [esi+3E50h], 0
		jz	short loc_489B01
		mov	eax, [esi+3E58h]
		cmp	eax, [esp+0B0h+var_90]
		jnz	loc_5B73FB
		mov	eax, [esi+3E5Ch]
		cmp	eax, [esp+0B0h+var_8C]
		jnz	loc_5B73FB

loc_489AD5:				; CODE XREF: PpmPerfSnapDeliveredPerformance+398j
					; PpmPerfSnapDeliveredPerformance+12DC86j ...
		mov	eax, [esp+0B0h+var_90]
		mov	edx, [esp+0B0h+var_78]
		mov	ecx, [esp+0B0h+var_98]
		mov	[esi+3E58h], eax
		mov	eax, [esp+0B0h+var_8C]
		mov	[esi+3E5Ch], eax
		jmp	loc_48985B
; 

loc_489AF6:				; CODE XREF: PpmPerfSnapDeliveredPerformance+149j
		mov	ecx, [esi+3C0h]
		jmp	loc_4898C2
; 

loc_489B01:				; CODE XREF: PpmPerfSnapDeliveredPerformance+343j
		mov	byte ptr [esi+3E50h], 1
		jmp	short loc_489AD5
; 

loc_489B0A:				; CODE XREF: PpmPerfSnapDeliveredPerformance+292j
		mov	ecx, [esi+14h]
		mov	dl, 4
		push	0
		push	80h
		add	ecx, 40h
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	loc_489A08

loc_489B26:				; CODE XREF: PpmPerfSnapDeliveredPerformance+12DD06j
		mov	eax, ds:dword_70ED2C
		push	0
		push	0F4240h
		push	eax
		mov	eax, ds:_PopQpcFrequency
		push	eax
		push	[esp+0C0h+var_80]
		push	[esp+0C4h+var_6C]
		call	PpmConvertTime
		mov	[esp+0B0h+var_58], eax
		lea	eax, [esp+0B0h+var_70]
		mov	[esp+0B0h+var_38], eax
		lea	eax, [esp+0B0h+var_58]
		mov	[esp+0B0h+var_28], eax
		lea	eax, [esp+0B0h+var_74]
		mov	[esp+0B0h+var_18], eax
		lea	eax, [esp+0B0h+var_48]
		push	eax
		mov	eax, dword_6BFD04
		push	4
		push	0
		push	offset _PPM_ETW_DELIVERED_PERF_CHANGE
		push	eax
		push	esi
		mov	[esp+0C8h+var_54], edx
		mov	[esp+0C8h+var_34], 0
		mov	[esp+0C8h+var_30], 4
		mov	[esp+0C8h+var_2C], 0
		mov	[esp+0C8h+var_24], 0
		mov	[esp+0C8h+var_20], 8
		mov	[esp+0C8h+var_1C], 0
		mov	[esp+0C8h+var_14], 0
		mov	[esp+0C8h+var_10], 4
		mov	[esp+0C8h+var_C], 0
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_489A08
PpmPerfSnapDeliveredPerformance	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmSnapPerformanceAccumulation proc near ; CODE	XREF: PpmPerfSnapDeliveredPerformance+66p
					; PpmResetPerfTimes(x)+2Cp ...

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_69		= byte ptr -69h
var_66		= byte ptr -66h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005B7481 SIZE 00000159 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		xor	eax, eax
		mov	[esp+17h], dl
		push	ebx
		push	esi
		mov	[esp+84h+var_20], eax
		mov	esi, ecx
		mov	[esp+84h+var_1C], eax
		mov	[esp+84h+var_18], eax
		mov	[esp+84h+var_14], eax
		mov	[esp+84h+var_10], eax
		mov	[esp+84h+var_C], eax
		mov	[esp+84h+var_50], eax
		mov	[esp+84h+var_5C], eax
		mov	[esp+84h+var_40], eax
		mov	[esp+84h+var_3C], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+84h+var_4C], esi
		mov	[esp+84h+var_44], eax
		push	edi
		mov	edi, [ebp+arg_8]
		mov	[esp+88h+var_48], edi
		test	al, al
		jz	loc_489F38
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[esp+24h], eax
		lea	eax, [esi+3D88h]
		mov	[esp+8Ch+var_7C], edx
		mov	esi, eax
		jmp	short loc_489C70
; 
		align 10h

loc_489C70:				; CODE XREF: PpmSnapPerformanceAccumulation+7Bj
					; PpmSnapPerformanceAccumulation+A0j ...
		mov	ecx, [esi]
		mov	eax, ecx
		mov	edi, [esi+4]
		mov	edx, edi
		mov	[esp+8Ch+var_54], ecx
		mov	[esp+8Ch+var_60], edi
		nop
		mov	ebx, ecx
		mov	ecx, edi
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [esp+8Ch+var_54]
		cmp	eax, ebx
		jnz	short loc_489C70
		cmp	edx, edi
		jnz	short loc_489C70
		mov	esi, [esp+8Ch+var_50]
		mov	eax, ebx
		mov	[esp+8Ch+var_30], edi
		or	eax, edi
		mov	edi, [esp+8Ch+var_4C]
		mov	[esp+8Ch+var_34], ebx
		jz	short loc_489CB9
		cmp	dword ptr [esi+3E38h], 3
		jz	loc_5B7481

loc_489CB9:				; CODE XREF: PpmSnapPerformanceAccumulation+BAj
					; PpmSnapPerformanceAccumulation+12D8B8j
		mov	eax, ebx
		or	eax, [esp+8Ch+var_60]
		jz	loc_48A053

loc_489CC5:				; CODE XREF: PpmSnapPerformanceAccumulation+45Ej
		push	60h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	edx, [esi+3B6Ch]
		add	esp, 0Ch
		mov	eax, [esi+3B68h]
		mov	[esp+8Ch+var_3C], 0
		mov	[esp+8Ch+var_38], 0
		cmp	edx, [esi+3B90h]
		jnz	loc_5B751D

loc_489CFA:				; CODE XREF: PpmSnapPerformanceAccumulation+12D943j
		mov	ecx, [esi+3B70h]
		add	ecx, eax
		mov	eax, [esi+3B74h]
		mov	[edi+38h], ecx
		adc	eax, edx
		mov	[edi+3Ch], eax
		mov	eax, [esi+3B50h]
		mov	[edi+40h], eax
		mov	eax, [esi+3B54h]
		mov	[edi+44h], eax
		mov	eax, [esi+3B58h]
		mov	[edi+48h], eax
		mov	eax, [esi+3B5Ch]
		mov	[edi+4Ch], eax
		mov	eax, [esi+3B60h]
		mov	[edi+50h], eax
		mov	eax, [esi+3B64h]
		mov	[edi+54h], eax
		mov	eax, [esp+8Ch+var_48]
		test	al, al
		jz	loc_489F20

loc_489D52:				; CODE XREF: PpmSnapPerformanceAccumulation+331j
		xor	ecx, ecx
		cmp	dword ptr [esi+3E38h], 3
		mov	[esp+8Ch+var_80], ecx
		jz	loc_5B7538

loc_489D65:				; CODE XREF: PpmSnapPerformanceAccumulation+12D950j
		mov	dl, [esp+8Ch+var_69]
		push	ecx
		push	0
		push	eax
		mov	ecx, esi
		call	PpmUpdatePerformanceFeedback
		test	al, al
		jz	loc_489F0C
		cmp	[ebp+arg_4], 0
		jz	short loc_489D8F
		mov	eax, _PopSnapEnergyCounters
		test	eax, eax
		jnz	loc_5B7545

loc_489D8F:				; CODE XREF: PpmSnapPerformanceAccumulation+190j
					; PpmSnapPerformanceAccumulation+12D963j
		mov	edx, [esp+8Ch+var_80]
		test	edx, edx
		jnz	loc_5B7558
		mov	eax, [esp+8Ch+var_60]
		mov	[esp+8Ch+var_44], ebx
		mov	[esp+8Ch+var_40], eax
		cmp	[esp+8Ch+var_7C], eax
		ja	short loc_489DBD
		jb	loc_48A0A7
		cmp	[esp+24h], ebx
		jbe	loc_48A0A7

loc_489DBD:				; CODE XREF: PpmSnapPerformanceAccumulation+1BBj
					; PpmSnapPerformanceAccumulation+4BFj
		mov	eax, [esi+3DC0h]
		mov	ebx, [esi+3D80h]
		mov	ecx, [esi+3D84h]
		mov	[esp+8Ch+var_58], eax
		mov	eax, [esi+3DC4h]

loc_489DD9:				; CODE XREF: PpmSnapPerformanceAccumulation+12D989j
		cmp	dword ptr [esi+3DC8h], 0
		mov	[esp+8Ch+var_5C], eax
		mov	[esp+8Ch+var_64], ecx
		mov	[esp+8Ch+var_70], ebx
		jz	loc_48A06C
		mov	eax, [esi+3DE8h]
		mov	[esp+8Ch+var_78], eax
		mov	eax, [esi+3DECh]

loc_489E02:				; CODE XREF: PpmSnapPerformanceAccumulation+4B2j
					; PpmSnapPerformanceAccumulation+12D99Ej
		mov	ebx, [esp+8Ch+var_78]
		mov	[edi+18h], ebx
		mov	[edi+1Ch], eax
		cmp	dword ptr [esi+3DCCh], 0
		jnz	loc_5B7593

loc_489E19:				; CODE XREF: PpmSnapPerformanceAccumulation+12D9B7j
		cmp	byte ptr [esp+8Ch+var_48], 0
		mov	[edi+20h], ebx
		mov	ebx, [esp+8Ch+var_70]
		mov	[edi+24h], eax
		mov	eax, [esi+3E00h]
		mov	[edi+28h], eax
		mov	eax, [esi+3E04h]
		mov	[edi+2Ch], eax
		mov	eax, [esi+3E28h]
		mov	[edi+10h], eax
		mov	eax, [esi+3E2Ch]
		mov	[edi+14h], eax
		mov	eax, [esi+21F0h]
		mov	[edi+58h], eax
		jz	loc_489F26
		lea	edi, [esi+3D88h]

loc_489E61:				; CODE XREF: PpmSnapPerformanceAccumulation+28Fj
					; PpmSnapPerformanceAccumulation+293j
		mov	ebx, [edi]
		mov	eax, ebx
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[esp+8Ch+var_3C], ebx
		mov	[esp+8Ch+var_50], ecx
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, edx
		mov	edx, [esp+8Ch+var_3C]
		cmp	eax, edx
		jnz	short loc_489E61
		cmp	ebx, ecx
		jnz	short loc_489E61
		mov	edi, [esp+8Ch+var_4C]
		mov	eax, edx
		or	eax, ecx
		mov	[esp+8Ch+var_2C], edx
		mov	[esp+8Ch+var_28], ecx
		jz	short loc_489EA4
		cmp	dword ptr [esi+3E38h], 3
		jz	loc_5B75AC

loc_489EA4:				; CODE XREF: PpmSnapPerformanceAccumulation+2A5j
		mov	eax, [esp+8Ch+var_50]

loc_489EA8:				; CODE XREF: PpmSnapPerformanceAccumulation+12D9CFj
					; PpmSnapPerformanceAccumulation+12D9DCj
		cmp	[esp+8Ch+var_54], edx
		jnz	loc_48A053
		cmp	[esp+8Ch+var_60], eax
		jnz	loc_48A053
		cmp	[esp+8Ch+var_80], 0
		mov	ebx, [esp+8Ch+var_70]
		jnz	loc_5B75D1
		mov	ecx, [esp+24h]
		sub	ecx, [esp+8Ch+var_44]
		mov	eax, [esp+8Ch+var_7C]
		sbb	eax, [esp+8Ch+var_40]
		add	ebx, ecx
		mov	ecx, [esp+8Ch+var_64]
		adc	ecx, eax

loc_489EE3:				; CODE XREF: PpmSnapPerformanceAccumulation+338j
					; PpmSnapPerformanceAccumulation+346j ...
		mov	eax, [esp+24h]
		mov	edx, [esp+8Ch+var_7C]
		mov	[edi], eax
		sub	eax, ebx
		mov	[edi+8], eax
		mov	ebx, edx
		mov	eax, [esp+8Ch+var_58]
		sbb	ebx, ecx
		mov	[edi+30h], eax
		mov	eax, [esp+8Ch+var_5C]
		mov	[edi+34h], eax
		mov	al, 1
		mov	[edi+4], edx
		mov	[edi+0Ch], ebx

loc_489F0C:				; CODE XREF: PpmSnapPerformanceAccumulation+186j
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+80h+var_8]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_489F20:				; CODE XREF: PpmSnapPerformanceAccumulation+15Cj
		sti
		jmp	loc_489D52
; 

loc_489F26:				; CODE XREF: PpmSnapPerformanceAccumulation+265j
		test	edx, edx
		jnz	short loc_489EE3
		add	ebx, [esi+3D78h]
		adc	ecx, [esi+3D7Ch]
		jmp	short loc_489EE3
; 

loc_489F38:				; CODE XREF: PpmSnapPerformanceAccumulation+5Dj
		cli
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	edi, [esi+3D54h]
		mov	ebx, eax
		mov	[esp+8Ch+var_7C], edx
		and	edi, 4
		rdtsc
		xor	ecx, ecx
		mov	[esp+24h], ebx
		or	ecx, edi
		mov	[esp+8Ch+var_80], eax
		mov	[esp+8Ch+var_58], edx
		jnz	loc_5B74AD
		mov	[esp+8Ch+var_64], ecx
		mov	[esp+8Ch+var_74], ecx

loc_489F70:				; CODE XREF: PpmSnapPerformanceAccumulation+12D8CCj
		mov	eax, ebx
		lea	ecx, [esi+3DE0h]
		sub	eax, [esi+3DD0h]
		mov	[esp+8Ch+var_5C], eax
		mov	eax, [esp+8Ch+var_7C]
		sbb	eax, [esi+3DD4h]
		mov	esi, [esp+8Ch+var_5C]
		mov	[esp+8Ch+var_78], eax
		mov	[esp+8Ch+var_70], ecx

loc_489F98:				; CODE XREF: PpmSnapPerformanceAccumulation+3D2j
					; PpmSnapPerformanceAccumulation+3D8j
		mov	edi, [ecx]
		mov	ebx, edi
		mov	edx, [ecx+4]
		add	ebx, esi
		mov	ecx, edx
		mov	[esp+8Ch+var_3C], edx
		adc	ecx, eax
		mov	eax, edi
		nop
		mov	esi, [esp+8Ch+var_70]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [esp+8Ch+var_5C]
		cmp	eax, edi
		mov	eax, [esp+8Ch+var_78]
		mov	ecx, [esp+8Ch+var_70]
		jnz	short loc_489F98
		cmp	edx, [esp+8Ch+var_3C]
		jnz	short loc_489F98
		mov	esi, [esp+8Ch+var_50]
		xor	eax, eax
		mov	ecx, [esi+3D54h]
		mov	edi, [esi+3DB8h]
		and	ecx, 4
		or	eax, ecx
		mov	ebx, [esi+3DBCh]
		jnz	loc_5B74C1

loc_489FED:				; CODE XREF: PpmSnapPerformanceAccumulation+12D90Fj
		mov	eax, [esp+24h]
		mov	edx, [esp+8Ch+var_80]
		mov	[esi+3DD0h], eax
		mov	eax, [esp+8Ch+var_7C]
		mov	[esi+3DD4h], eax
		mov	eax, [esp+8Ch+var_58]
		cmp	eax, ebx
		ja	short loc_48A013
		jb	short loc_48A029
		cmp	edx, edi
		jbe	short loc_48A029

loc_48A013:				; CODE XREF: PpmSnapPerformanceAccumulation+41Bj
		mov	ecx, edx
		sub	ecx, edi
		sbb	eax, ebx
		add	[esi+3DC0h], ecx
		adc	[esi+3DC4h], eax
		mov	eax, [esp+8Ch+var_58]

loc_48A029:				; CODE XREF: PpmSnapPerformanceAccumulation+41Dj
					; PpmSnapPerformanceAccumulation+421j
		mov	edi, [esp+8Ch+var_4C]
		mov	[esi+3DBCh], eax
		xor	eax, eax
		mov	[esi+3DB8h], edx
		mov	ecx, [esi+3D54h]
		and	ecx, 4
		or	eax, ecx
		jnz	loc_5B7504

loc_48A04C:				; CODE XREF: PpmSnapPerformanceAccumulation+12D928j
		xor	ebx, ebx
		jmp	loc_489CC5
; 

loc_48A053:				; CODE XREF: PpmSnapPerformanceAccumulation+CFj
					; PpmSnapPerformanceAccumulation+2BCj ...
		mov	ecx, [esp+8Ch+var_8]
		xor	al, al
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_48A06C:				; CODE XREF: PpmSnapPerformanceAccumulation+1FCj
		cmp	dword ptr [esi+3DCCh], 0
		jnz	loc_5B757E
		mov	eax, [esi+3DDCh]
		mov	ebx, 64h
		mul	ebx
		mov	[esp+8Ch+var_74], eax
		mov	eax, [esi+3DD8h]
		mul	ebx
		add	[esp+8Ch+var_74], edx
		mov	edx, [esp+8Ch+var_80]
		mov	[esp+8Ch+var_78], eax
		mov	eax, [esp+8Ch+var_74]
		jmp	loc_489E02
; 

loc_48A0A7:				; CODE XREF: PpmSnapPerformanceAccumulation+1BDj
					; PpmSnapPerformanceAccumulation+1C7j
		mov	[esp+24h], ebx
		mov	[esp+8Ch+var_7C], eax
		jmp	loc_489DBD
PpmSnapPerformanceAccumulation endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PoIdle(x)
@PoIdle@4	proc near		; CODE XREF: KiIdleLoop()+8p

var_58		= dword	ptr -58h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		push	ebx
		mov	ebx, ecx
		mov	byte ptr [esp+60h+var_40], 0
		mov	ecx, _PpmCurrentProfile
		imul	eax, dword_6C2D0C, 0F0h
		push	esi
		push	edi
		mov	[esp+68h+var_38], 0
		mov	[esp+68h+var_34], 0
		mov	[esp+68h+var_30], 0
		mov	[esp+68h+var_2C], 0
		mov	[esp+68h+var_20], 0
		cmp	byte ptr [eax+ecx+0B5h], 0
		mov	[esp+68h+var_1C], 0
		mov	byte ptr [esp+68h+var_44], 0
		mov	[esp+68h+var_3C], 0
		mov	[esp+68h+var_4C], 0
		jnz	loc_48A654
		mov	edi, [ebx+3D70h]
		mov	eax, [ebx+3D74h]
		mov	[esp+68h+var_28], 0
		mov	[esp+68h+var_24], 0
		mov	[esp+68h+var_48], eax
		test	edi, edi
		jnz	loc_48A1EC
		push	edi
		lea	eax, [esp+6Ch+var_50]
		mov	[esp+6Ch+var_50], edi
		push	eax
		lea	edx, [edi+1]
		mov	ecx, ebx
		call	_KeIdleSpecCtrl@16 ; KeIdleSpecCtrl(x,x,x,x)
		mov	esi, [esp+68h+var_50]
		test	si, si
		jz	short loc_48A193
		xor	eax, eax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_48A193:				; CODE XREF: PoIdle(x)+C6j
		mov	eax, esi
		shr	eax, 10h
		test	eax, eax
		jz	short loc_48A1A1
		call	_KeExecuteVerw@0 ; KeExecuteVerw()

loc_48A1A1:				; CODE XREF: PoIdle(x)+DAj
		call	ds:__imp__HalProcessorIdle@0 ; HalProcessorIdle()
		test	si, si
		jz	short loc_48A1D0
		movzx	eax, si
		mov	ecx, 48h
		cdq
		wrmsr
		and	byte ptr [ebx+21B8h], 0FEh
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+5Ch+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48A1D0:				; CODE XREF: PoIdle(x)+EAj
					; PoIdle(x)+2DEj
		lfence	eax

loc_48A1D3:				; CODE XREF: PoIdle(x)+2EFj
		and	byte ptr [ebx+21B8h], 0FEh
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+5Ch+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48A1EC:				; CODE XREF: PoIdle(x)+A5j
		mov	dword ptr [edi+100h], 0
		mov	eax, [ebx+3D70h]
		mov	[esp+68h+var_50], eax
		cmp	byte ptr [eax+5], 0
		jz	loc_48A2EE
		mov	edx, [ebx+3D78h]
		mov	esi, [ebx+3D7Ch]
		mov	ecx, [ebx+3D74h]
		mov	dword ptr [ebx+3D78h], 0
		mov	dword ptr [ebx+3D7Ch], 0
		imul	eax, [eax+14h],	3E8h
		add	ecx, eax
		add	[ebx+3D80h], edx
		mov	eax, [esp+68h+var_50]
		adc	[ebx+3D84h], esi
		add	[ecx+28h], edx
		adc	[ecx+2Ch], esi
		cmp	dword ptr [eax+44h], 3
		jz	short loc_48A25D
		inc	dword ptr [ecx+30h]
		jmp	loc_48A2EE
; 

loc_48A25D:				; CODE XREF: PoIdle(x)+193j
		cmp	dword ptr [eax+40h], 0
		jge	short loc_48A26B
		inc	dword ptr [ecx+34h]
		jmp	loc_48A2EE
; 

loc_48A26B:				; CODE XREF: PoIdle(x)+1A1j
		inc	dword ptr [ecx+38h]
		xor	eax, eax
		mov	[esp+68h+var_58], 0
		jmp	short loc_48A280
; 
		align 10h

loc_48A280:				; CODE XREF: PoIdle(x)+1B8j
					; PoIdle(x)+201j
		cmp	esi, ds:dword_705204[eax]
		jb	loc_48A3BB
		ja	short loc_48A29A
		cmp	edx, ds:_PpmIdleIntervalLimits[eax]
		jb	loc_48A3BB

loc_48A29A:				; CODE XREF: PoIdle(x)+1CCj
		cmp	esi, ds:dword_70521C[eax]
		jb	loc_48A3B4
		ja	short loc_48A2B4
		cmp	edx, ds:dword_705218[eax]
		jb	loc_48A3B4

loc_48A2B4:				; CODE XREF: PoIdle(x)+1E6j
		add	[esp+68h+var_58], 2
		add	eax, 30h
		cmp	eax, 270h
		jb	short loc_48A280

loc_48A2C3:				; CODE XREF: PoIdle(x)+302j
		inc	dword ptr [ecx+3Ch]

loc_48A2C6:				; CODE XREF: PoIdle(x)+349j
					; PoIdle(x)+358j ...
		cmp	esi, [ecx+44h]
		ja	short loc_48A2D8
		jb	short loc_48A2D2
		cmp	edx, [ecx+40h]
		jnb	short loc_48A2D8

loc_48A2D2:				; CODE XREF: PoIdle(x)+20Bj
		mov	[ecx+40h], edx
		mov	[ecx+44h], esi

loc_48A2D8:				; CODE XREF: PoIdle(x)+209j
					; PoIdle(x)+210j
		cmp	esi, [ecx+4Ch]
		jb	short loc_48A2EA
		ja	short loc_48A2E4
		cmp	edx, [ecx+48h]
		jbe	short loc_48A2EA

loc_48A2E4:				; CODE XREF: PoIdle(x)+21Dj
		mov	[ecx+48h], edx
		mov	[ecx+4Ch], esi

loc_48A2EA:				; CODE XREF: PoIdle(x)+21Bj
					; PoIdle(x)+222j
		mov	eax, [esp+68h+var_50]

loc_48A2EE:				; CODE XREF: PoIdle(x)+144j
					; PoIdle(x)+198j ...
		mov	dword ptr [eax+40h], 0
		mov	dword ptr [eax+44h], 3
		mov	byte ptr [eax+5], 0
		xor	eax, eax
		mov	byte ptr [edi+5], 1
		mov	[esp+68h+var_10], 10001h
		mov	[esp+68h+var_C], 0
		mov	[esp+68h+var_8], 0
		mov	[edi+30h], ax
		cmp	[edi], al
		jnz	loc_48A486
		lea	eax, [esp+68h+var_10]
		mov	ecx, ebx
		push	eax
		lea	eax, [esp+6Ch+var_28]
		push	eax
		lea	eax, [esp+70h+var_30]
		push	eax
		lea	eax, [esp+74h+var_38]
		push	eax
		lea	edx, [esp+78h+var_40]
		call	PpmIdlePrepare
		mov	esi, eax
		mov	[esp+68h+var_4C], esi
		cmp	esi, 0FFFFFFFEh
		jnz	loc_48A431
		push	0
		lea	eax, [esp+6Ch+var_58]
		mov	[esp+6Ch+var_58], 0
		push	eax
		mov	edx, 1
		mov	ecx, ebx
		call	_KeIdleSpecCtrl@16 ; KeIdleSpecCtrl(x,x,x,x)
		mov	esi, [esp+68h+var_58]
		test	si, si
		jz	short loc_48A387
		xor	eax, eax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_48A387:				; CODE XREF: PoIdle(x)+2BAj
		mov	eax, esi
		shr	eax, 10h
		test	eax, eax
		jz	short loc_48A395
		call	_KeExecuteVerw@0 ; KeExecuteVerw()

loc_48A395:				; CODE XREF: PoIdle(x)+2CEj
		call	ds:__imp__HalProcessorIdle@0 ; HalProcessorIdle()
		test	si, si
		jz	loc_48A1D0
		movzx	eax, si
		mov	ecx, 48h
		cdq
		wrmsr
		jmp	loc_48A1D3
; 

loc_48A3B4:				; CODE XREF: PoIdle(x)+1E0j
					; PoIdle(x)+1EEj
		mov	eax, [esp+68h+var_58]
		inc	eax
		jmp	short loc_48A3BF
; 

loc_48A3BB:				; CODE XREF: PoIdle(x)+1C6j
					; PoIdle(x)+1D4j
		mov	eax, [esp+68h+var_58]

loc_48A3BF:				; CODE XREF: PoIdle(x)+2F9j
		cmp	eax, 1Ah
		jnb	loc_48A2C3
		shl	eax, 5
		add	[eax+ecx+0D0h],	edx
		adc	[eax+ecx+0D4h],	esi
		inc	dword ptr [eax+ecx+0E8h]
		cmp	esi, [eax+ecx+0DCh]
		ja	short loc_48A402
		jb	short loc_48A3F4
		cmp	edx, [eax+ecx+0D8h]
		jnb	short loc_48A402

loc_48A3F4:				; CODE XREF: PoIdle(x)+329j
		mov	[eax+ecx+0D8h],	edx
		mov	[eax+ecx+0DCh],	esi

loc_48A402:				; CODE XREF: PoIdle(x)+327j
					; PoIdle(x)+332j
		cmp	esi, [eax+ecx+0E4h]
		jb	loc_48A2C6
		ja	short loc_48A41E
		cmp	edx, [eax+ecx+0E0h]
		jbe	loc_48A2C6

loc_48A41E:				; CODE XREF: PoIdle(x)+34Fj
		mov	[eax+ecx+0E0h],	edx
		mov	[eax+ecx+0E4h],	esi
		jmp	loc_48A2C6
; 

loc_48A431:				; CODE XREF: PoIdle(x)+292j
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_48A44F
		mov	eax, [esp+68h+var_48]
		inc	dword ptr [eax+0Ch]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+5Ch+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48A44F:				; CODE XREF: PoIdle(x)+374j
		mov	ecx, [edi+0CCh]
		mov	[esp+68h+var_3C], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_48A470
		mov	eax, [edi+108h]
		mov	[eax], ecx
		mov	dword ptr [edi+100h], 1

loc_48A470:				; CODE XREF: PoIdle(x)+39Cj
		mov	eax, esi
		shl	eax, 4
		add	eax, esi
		cmp	byte ptr [edi+eax*4+14Ah], 0
		setz	byte ptr [esp+68h+var_44]
		jmp	short loc_48A4D8
; 

loc_48A486:				; CODE XREF: PoIdle(x)+264j
		cmp	_PpmIdleVetoBias, al
		jz	short loc_48A4AB
		cmp	[edi+8], al
		jz	short loc_48A4AB
		call	ds:__imp__HalProcessorIdle@0 ; HalProcessorIdle()
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+5Ch+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48A4AB:				; CODE XREF: PoIdle(x)+3CCj
					; PoIdle(x)+3D1j
		lea	eax, [esp+68h+var_44]
		mov	ecx, ebx
		push	eax
		lea	eax, [esp+6Ch+var_20]
		push	eax
		lea	eax, [esp+70h+var_3C]
		push	eax
		lea	eax, [esp+74h+var_4C]
		push	eax
		lea	eax, [esp+78h+var_40]
		push	eax
		lea	eax, [esp+7Ch+var_30]
		push	eax
		lea	edx, [esp+80h+var_38]
		call	PpmIdleSelectStates
		mov	esi, [esp+68h+var_4C]

loc_48A4D8:				; CODE XREF: PoIdle(x)+3C4j
		mov	edx, [edi+10h]
		cmp	esi, edx
		jz	short loc_48A4EC
		mov	ecx, esi
		mov	[edi+18h], edx
		mov	[edi+10h], esi
		call	PpmEventIdleStateChange

loc_48A4EC:				; CODE XREF: PoIdle(x)+41Dj
		mov	eax, [esp+68h+var_48]
		add	dword ptr [eax+4], 1
		jnz	short loc_48A505
		push	[esp+68h+var_34]
		mov	ecx, eax
		push	[esp+6Ch+var_38]
		call	_PpmResetProcessorIdleAccounting@12 ; PpmResetProcessorIdleAccounting(x,x,x)

loc_48A505:				; CODE XREF: PoIdle(x)+434j
		mov	eax, esi
		shl	eax, 4
		add	eax, esi
		cmp	[esp+68h+var_8], 0
		mov	cl, [edi+eax*4+149h]
		mov	eax, [ebx+3D70h]
		mov	[esp+68h+var_51], cl
		mov	[esp+68h+var_14], eax
		jz	short loc_48A553
		mov	edx, 400h
		or	[eax+30h], dx
		cmp	ds:_KiSerializeTimerExpiration,	0
		jz	short loc_48A553
		mov	edx, [esp+68h+var_28]
		mov	eax, edx
		mov	edi, [esp+68h+var_24]
		or	eax, edi
		jz	short loc_48A553
		push	edi
		push	edx
		call	_PpmSetPlatformIdleDurationHint@8 ; PpmSetPlatformIdleDurationHint(x,x)
		mov	cl, [esp+68h+var_51]

loc_48A553:				; CODE XREF: PoIdle(x)+466j
					; PoIdle(x)+478j ...
		cmp	byte ptr ds:_KiDynamicTickDisableReason, 0
		mov	eax, _KiClockTimerOwner
		mov	[esp+68h+var_18], eax
		jnz	loc_48A613
		cmp	ds:_PpmIpiLastClockOwnerDisable, 0
		jnz	loc_48A613
		cmp	byte ptr [ebx+3D0h], 0
		jnz	loc_48A613
		mov	eax, ds:_KiProcessorBlock[eax*4]
		cmp	byte ptr [eax+3D0h], 0
		jz	loc_48A613
		test	cl, cl
		jnz	short loc_48A613
		mov	esi, large fs:20h
		xor	edi, edi
		mov	ecx, [esi+338h]
		movzx	eax, word ptr [ecx+8Ah]
		mov	edx, [ecx+84h]
		mov	ecx, [ecx+40h]
		mov	[esp+68h+var_48], eax
		mov	eax, [esi+3CCh]
		btr	edx, eax
		movzx	eax, byte ptr [esi+3C4h]
		btr	ecx, eax
		cmp	ecx, edx
		jnz	short loc_48A60F
		movzx	edx, ds:_KeNumberNodes
		mov	esi, [esp+68h+var_48]

loc_48A5E0:				; CODE XREF: PoIdle(x)+54Dj
		inc	edi
		cmp	edi, edx
		jz	loc_48A666
		mov	eax, dword_6D0698
		mov	ecx, edx
		imul	ecx, esi
		add	ecx, edi
		mov	ecx, [eax+ecx*4]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_48A666
		mov	ecx, ds:_KeNodeBlock[ecx*4]
		mov	eax, [ecx+84h]
		cmp	[ecx+40h], eax
		jz	short loc_48A5E0

loc_48A60F:				; CODE XREF: PoIdle(x)+513j
		mov	esi, [esp+68h+var_4C]

loc_48A613:				; CODE XREF: PoIdle(x)+4A3j
					; PoIdle(x)+4B0j ...
		cmp	[esp+68h+var_8], 0
		jz	short loc_48A627
		lea	eax, [esp+68h+var_10]
		push	eax
		push	0
		call	ds:__imp__HalRequestIpi@8 ; HalRequestIpi(x,x)

loc_48A627:				; CODE XREF: PoIdle(x)+558j
		push	[esp+70h+var_4C]
		mov	edx, esi
		mov	ecx, ebx
		push	[esp+74h+var_34]
		push	[esp+78h+var_38]
		push	[esp+7Ch+var_3C]
		push	[esp+80h+var_40]
		push	[esp+84h+var_48]
		push	[esp+88h+var_24]
		push	[esp+8Ch+var_28]
		push	[esp+90h+var_44]
		call	@PpmIdleExecuteTransition@44 ; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)

loc_48A654:				; CODE XREF: PoIdle(x)+7Dj
		mov	ecx, [esp+70h+var_C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48A666:				; CODE XREF: PoIdle(x)+523j
					; PoIdle(x)+53Bj
		mov	edx, [esp+68h+var_8]
		mov	eax, edx
		mov	ecx, [esp+68h+var_18]
		mov	esi, [esp+68h+var_4C]
		shr	eax, cl
		test	al, 1
		jnz	short loc_48A613
		mov	eax, [esp+68h+var_14]
		bts	edx, ecx
		mov	ecx, 800h
		mov	[esp+68h+var_8], edx
		or	[eax+30h], cx
		jmp	short loc_48A613
@PoIdle@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PpmIdleExecuteTransition(x, x, x, x, x, x,	x, x, x, x, x)
@PpmIdleExecuteTransition@44 proc near	; CODE XREF: PoIdle(x)+58Fp

var_1D0		= dword	ptr -1D0h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_FF		= byte ptr -0FFh
var_FE		= byte ptr -0FEh
var_FD		= byte ptr -0FDh
var_FC		= byte ptr -0FCh
var_FB		= byte ptr -0FBh
var_FA		= byte ptr -0FAh
var_F9		= byte ptr -0F9h
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_ED		= byte ptr -0EDh
var_EC		= dword	ptr -0ECh
var_E5		= byte ptr -0E5h
var_E4		= dword	ptr -0E4h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= byte ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1A0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	84h		; size_t
		lea	eax, [ebp+var_E4]
		mov	esi, edx
		mov	edi, ecx
		mov	[ebp+var_110], esi
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_120], edi
		call	_memset
		mov	ebx, [edi+3D70h]
		add	esp, 0Ch
		mov	[ebp+var_104], 0
		mov	[ebp+var_10C], 0
		mov	[ebp+var_134], 0
		mov	eax, [ebx+88h]
		lea	ecx, [ebx+0FCh]
		mov	[ebp+var_130], eax
		mov	eax, esi
		shl	eax, 4
		add	eax, esi
		mov	[ebp+var_144], ecx
		mov	cl, [ebp+arg_20]
		mov	[ebp+var_FD], 0
		mov	[ebp+var_FC], 0
		mov	byte ptr [ebp+var_148],	0
		lea	eax, [ebx+eax*4]
		mov	[ebp+var_FE], 0
		mov	byte ptr [ebp+var_13C],	0
		mov	[ebp+var_138], 7
		mov	[ebp+var_14C], 0FFFFFFFFh
		mov	[ebp+var_11C], ebx
		mov	[ebp+var_128], eax
		mov	[ebp+var_FF], 0
		mov	[ebp+var_EC], 0
		test	cl, cl
		jz	short loc_48A791
		cmp	byte ptr [ebx+0BBh], 0
		jnz	short loc_48A791
		cmp	byte ptr [eax+14Dh], 0
		jnz	short loc_48A791
		mov	byte ptr [ebp+var_114],	1
		mov	[ebp+var_ED], 4
		jmp	short loc_48A79F
; 

loc_48A791:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+DDj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+E6j ...
		mov	byte ptr [ebp+var_114],	0
		mov	[ebp+var_ED], 3

loc_48A79F:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+FFj
		cmp	byte ptr [ebx],	0
		mov	edx, 1
		mov	[ebp+var_124], 3
		jnz	loc_48AA02
		test	cl, cl
		jz	short loc_48A7C6
		lea	ecx, [edi+3DA8h]
		call	_PpmIdleSetSynchronizationState@8 ; PpmIdleSetSynchronizationState(x,x)

loc_48A7C6:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+129j
		xor	eax, eax
		mov	dword ptr [ebx+54h], 10001h
		mov	[ebp+var_194], eax
		lea	ecx, [ebx+54h]
		mov	[ebp+var_190], eax
		mov	[ebp+var_18C], eax
		mov	[ebp+var_188], eax
		lea	eax, [ebp+var_194]
		mov	dword ptr [ecx+4], 0
		mov	dword ptr [ecx+8], 0
		mov	edx, [ebx+0C4h]
		mov	esi, [ebx+0C8h]
		mov	[ebp+var_198], eax
		xor	eax, eax
		mov	[ebp+var_F4], ecx
		mov	[ebp+var_F8], edx
		mov	[ebp+var_19C], 1
		mov	byte ptr [ebp+var_194],	1
		mov	byte ptr [ebp+var_194+2], 1
		mov	[ebp+var_108], eax
		test	edx, edx
		jz	short loc_48A89C
		add	esi, 4
		mov	ecx, edx

loc_48A845:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+204j
		mov	dl, [esi]
		cmp	dl, 0FFh
		jz	short loc_48A888
		mov	ecx, [esi-4]
		movzx	eax, dl
		mov	[ebp+var_190], eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		lea	ecx, [ebp+var_19C]
		push	ecx
		lea	edx, [ebx+54h]
		mov	ecx, eax
		call	_PpmTestAndLockProcessor@12 ; PpmTestAndLockProcessor(x,x,x)
		mov	[ebp+var_EC], eax
		test	eax, eax
		js	loc_48A9D3
		mov	eax, [ebp+var_108]
		mov	ecx, [ebp+var_F8]

loc_48A888:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1BAj
		inc	eax
		add	esi, 8
		mov	[ebp+var_108], eax
		cmp	eax, ecx
		jb	short loc_48A845
		mov	ecx, [ebp+var_F4]

loc_48A89C:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1AEj
		mov	ebx, [ecx+8]
		xor	eax, eax
		mov	[ebp+var_178], eax
		mov	[ebp+var_184], eax
		mov	[ebp+var_16C], eax
		mov	[ebp+var_168], eax
		mov	[ebp+var_164], eax
		mov	[ebp+var_160], eax
		mov	[ebp+var_15C], eax
		mov	[ebp+var_158], eax
		mov	[ebp+var_154], eax
		mov	[ebp+var_150], eax
		mov	[ebp+var_17C], ebx
		mov	[ebp+var_180], ecx
		lea	esp, [esp+0]

loc_48A8F0:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+2DEj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+325j
		test	ebx, ebx
		jz	loc_48A9C1
		bsf	ecx, ebx
		btr	ebx, ecx
		mov	[ebp+var_184], ecx
		mov	[ebp+var_17C], ebx
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		xor	ecx, ecx
		mov	[ebp+var_F4], eax
		mov	[ebp+var_15C], eax
		mov	[ebp+var_154], ecx
		mov	esi, [eax+3D70h]
		mov	eax, ds:_PopIdleTransitionTimeout
		mov	[ebp+var_164], eax
		mov	eax, ds:dword_70ED0C
		mov	[ebp+var_16C], ecx
		mov	[ebp+var_168], ecx
		mov	[ebp+var_158], ecx
		mov	[ebp+var_150], ecx
		mov	ecx, [esi+88h]
		mov	[ebp+var_160], eax
		mov	eax, [esi+80h]
		mov	byte ptr [ebp+var_154],	1
		call	eax
		test	al, al
		jnz	short loc_48A8F0
		mov	ebx, [ebp+var_F4]
		jmp	short loc_48A980
; 
		align 10h

loc_48A980:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+2E6j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+31Dj
		mov	eax, [ebx+3DA8h]
		and	eax, 0FF000000h
		cmp	eax, 5000000h
		jnz	short loc_48A9BA
		lea	ecx, [ebp+var_16C]
		call	_PpmIdleTransitionStall@4 ; PpmIdleTransitionStall(x)
		mov	ecx, [esi+88h]
		mov	eax, [esi+80h]
		call	eax
		test	al, al
		jz	short loc_48A980
		mov	ebx, [ebp+var_17C]
		jmp	loc_48A8F0
; 

loc_48A9BA:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+300j
		mov	eax, 0C000002Ah
		jmp	short loc_48A9C3
; 

loc_48A9C1:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+262j
		xor	eax, eax

loc_48A9C3:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+32Fj
		mov	[ebp+var_EC], eax
		mov	ebx, [ebp+var_11C]
		test	eax, eax
		jns	short loc_48AA02

loc_48A9D3:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1E6j
		cmp	[ebp+arg_20], 0
		jz	short loc_48A9E6
		xor	dl, dl
		lea	ecx, [edi+3DA8h]
		call	_PpmIdleSetSynchronizationState@8 ; PpmIdleSetSynchronizationState(x,x)

loc_48A9E6:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+347j
		mov	esi, [ebp+var_EC]
		mov	ebx, 1
		mov	[ebp+var_124], ebx
		mov	byte ptr [ebp+var_F4], bl
		jmp	loc_48B775
; 

loc_48AA02:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+121j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+341j
		cmp	dword ptr [ebx+5Ch], 0
		jz	short loc_48AA0D
		or	word ptr [ebx+30h], 20h

loc_48AA0D:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+376j
		xor	al, al
		xor	esi, esi
		mov	[ebp+var_E5], al
		mov	[ebp+var_FB], al
		mov	[ebp+var_F9], al
		mov	[ebp+var_FA], al
		cmp	ds:_PpmPerfQosEnabled, al
		jz	loc_48AB48
		cmp	ds:_PpmPerfQosManageIdleProcessors, esi
		jz	loc_48AB48
		cmp	dword ptr [edi+3F08h], 2
		jz	loc_48AB48
		mov	esi, [edi+3EA4h]
		test	esi, esi
		jz	short loc_48AA77
		cmp	[esi+6Dh], al
		jz	short loc_48AA77
		mov	[ebp+var_F9], 1
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		lea	ecx, [esi+70h]
		mov	[ebp+var_FA], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_48AA77:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+3C6j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+3CBj
		test	byte ptr [edi+3F10h], 4
		jnz	loc_48AB2C
		rdtsc
		mov	ecx, eax
		mov	[ebp+var_108], edx
		sub	ecx, [edi+3EF8h]
		mov	[ebp+var_F4], eax
		sbb	edx, [edi+3EFCh]
		mov	eax, [edi+3F00h]
		mov	[ebp+var_F8], edx
		mov	edx, [edi+3F04h]
		cmp	[ebp+var_F8], edx
		ja	short loc_48AAF4
		jb	short loc_48AAC0
		cmp	ecx, eax
		jnb	short loc_48AAF4

loc_48AAC0:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+42Aj
		cmp	byte ptr [edi+3ED5h], 0
		jnz	short loc_48AAF4
		mov	eax, [edi+4D8h]
		mov	[ebp+var_E5], 1
		test	eax, 300h
		jnz	loc_48AB67
		and	eax, 0FFFFFEFFh
		mov	[ebp+var_FB], 1
		or	eax, 200h
		jmp	short loc_48AB5A
; 

loc_48AAF4:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+428j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+42Ej	...
		shld	edx, eax, 1
		add	eax, eax
		cmp	[ebp+var_F8], edx
		jb	short loc_48AB0C
		ja	short loc_48AB08
		cmp	ecx, eax
		jb	short loc_48AB0C

loc_48AB08:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+472j
		mov	al, 1
		jmp	short loc_48AB0E
; 

loc_48AB0C:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+470j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+476j
		xor	al, al

loc_48AB0E:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+47Aj
		mov	[edi+3ED5h], al
		mov	eax, [ebp+var_F4]
		mov	[edi+3EF8h], eax
		mov	eax, [ebp+var_108]
		mov	[edi+3EFCh], eax

loc_48AB2C:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+3EEj
		push	0
		mov	dl, 1
		mov	dword ptr [edi+3F08h], 2
		mov	ecx, edi
		call	PpmPerfArbitratorApplyProcessorState
		mov	byte ptr [edi+4D8h], 2

loc_48AB48:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+39Fj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+3ABj	...
		mov	eax, [edi+4D8h]
		test	eax, 300h
		jz	short loc_48AB67
		and	eax, 0FFFFFCFFh

loc_48AB5A:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+462j
		mov	ecx, edi
		mov	[edi+4D8h], eax
		call	_KeUpdatePendingQosRequest@4 ; KeUpdatePendingQosRequest(x)

loc_48AB67:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+44Bj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+4C3j
		cmp	[ebp+var_F9], 0
		jz	short loc_48AB97
		test	ds:byte_70EFC6,	1
		lea	eax, [esi+70h]
		jz	short loc_48AB88
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_48AB8D
; 

loc_48AB88:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+4EAj
		xor	ecx, ecx
		lock and [eax],	ecx

loc_48AB8D:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+4F6j
		cmp	[ebp+var_FA], 0
		jz	short loc_48AB97
		sti

loc_48AB97:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+4DEj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+504j
		cmp	[ebp+var_FB], 0
		jz	short loc_48ABDA
		xor	ebx, ebx
		mov	[ebp+var_EC], 0C0000016h
		mov	[ebp+var_124], ebx
		cmp	[ebp+arg_20], bl
		jz	loc_48B7E0
		xor	dl, dl
		lea	ecx, [edi+3DA8h]
		call	_PpmIdleSetSynchronizationState@8 ; PpmIdleSetSynchronizationState(x,x)
		mov	esi, [ebp+var_EC]
		mov	byte ptr [ebp+var_F4], 1
		jmp	loc_48B775
; 

loc_48ABDA:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+50Ej
		cmp	[ebp+arg_20], 0
		mov	al, byte ptr [ebp+var_114]
		mov	[edi+3D98h], al
		mov	eax, [ebp+var_110]
		mov	[edi+3D9Ch], eax
		jz	short loc_48AC1B
		mov	eax, [ebp+var_128]
		lea	ecx, [edi+3DA8h]
		mov	dl, 2
		cmp	byte ptr [eax+14Ah], 0
		setz	al
		mov	[edi+3D99h], al
		call	_PpmIdleSetSynchronizationState@8 ; PpmIdleSetSynchronizationState(x,x)

loc_48AC1B:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+566j
		mov	al, [ebp+var_E5]
		test	al, al
		jnz	short loc_48AC33
		cmp	[ebx+6], al
		jnz	short loc_48AC33
		cmp	[ebx+7], al
		jz	loc_48ACFB

loc_48AC33:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+593j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+598j
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_FE], 1
		or	esi, 0FFFFFFFFh
		cmp	byte ptr [ebx+6], 0
		jz	short loc_48AC72
		mov	ecx, [ebx+0ACh]
		xor	esi, esi
		mov	edx, ds:_KeMaximumIncrement
		mov	eax, [ebx+0A8h]
		cmp	ecx, esi
		jb	short loc_48AC64
		ja	short loc_48AC68
		cmp	eax, edx
		ja	short loc_48AC68

loc_48AC64:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+5CCj
		mov	eax, edx
		mov	ecx, esi

loc_48AC68:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+5CEj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+5D2j
		add	edx, eax
		adc	esi, ecx
		add	edx, [ebp+arg_18]
		adc	esi, [ebp+arg_1C]

loc_48AC72:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+5B4j
		cmp	byte ptr [ebx+7], 0
		jz	short loc_48ACAD
		mov	ecx, _PpmCurrentProfile
		imul	eax, dword_6C2D0C, 0F0h
		mov	eax, [eax+ecx+0B8h]
		mov	ecx, 0
		lea	eax, [eax+eax*4]
		add	eax, eax
		add	eax, [ebp+arg_18]
		adc	ecx, [ebp+arg_1C]
		cmp	esi, ecx
		jb	short loc_48ACAD
		ja	short loc_48ACA9
		cmp	edx, eax
		jb	short loc_48ACAD

loc_48ACA9:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+613j
		mov	edx, eax
		mov	esi, ecx

loc_48ACAD:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+5E6j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+611j	...
		cmp	[ebp+var_E5], 0
		jz	short loc_48ACD5
		mov	eax, ds:_PpmPerfQosIdleExpirationTimeout
		add	eax, [ebp+arg_18]
		mov	ecx, ds:dword_70EE1C
		adc	ecx, [ebp+arg_1C]
		cmp	esi, ecx
		jb	short loc_48ACD5
		ja	short loc_48ACD1
		cmp	edx, eax
		jb	short loc_48ACD5

loc_48ACD1:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+63Bj
		mov	edx, eax
		mov	esi, ecx

loc_48ACD5:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+624j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+639j	...
		mov	[edi+3D90h], edx
		mov	[edi+3D94h], esi
		mov	eax, [edi+338h]
		movzx	ecx, byte ptr [edi+3C4h]
		add	eax, 44h
		lock bts [eax],	ecx
		mov	al, [ebp+var_E5]

loc_48ACFB:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+59Dj
		mov	ecx, [ebp+var_128]
		cmp	byte ptr [ecx+149h], 0
		jnz	loc_48AF0B
		test	al, al
		jnz	loc_48AF0B
		mov	edx, [edi+338h]
		mov	esi, [edi+3C8h]
		add	edx, 40h
		mov	[ebp+var_FD], 1
		mov	eax, [edx]

loc_48AD2E:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+6A6j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_48AD2E
		cmp	byte ptr [ebp+var_114],	0
		mov	esi, [edi+3D70h]
		mov	[ebp+var_F4], eax
		mov	[ebp+var_134], 0
		mov	[ebp+var_E5], 0
		mov	[ebp+var_F8], esi
		jz	short loc_48AD70
		mov	[ebp+var_134], 1
		jmp	short loc_48ADCB
; 

loc_48AD70:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+6D2j
		cmp	[ebp+arg_0], 0FFFFFFFFh
		jnz	short loc_48ADCB
		mov	esi, ds:_KeNumberProcessors
		mov	ecx, [ebp+var_F8]
		mov	ecx, [ecx+5Ch]
		not	ecx
		movzx	eax, cl
		shr	ecx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		add	dl, ds:_RtlpBitsClearTotal[ecx]
		lea	ecx, [esi-1]
		movzx	eax, dl
		cmp	eax, ecx
		jnz	short loc_48ADFE
		mov	esi, [ebp+var_F8]
		mov	[ebp+var_134], 2

loc_48ADCB:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+6DEj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+6E4j
		mov	ecx, esi
		call	@PpmPrepareExitLatencyTrace@4 ;	PpmPrepareExitLatencyTrace(x)
		mov	dh, al
		mov	al, byte ptr [ebp+var_114]
		mov	[ebp+var_E5], dh
		test	dh, dh
		jz	short loc_48ADFA
		mov	byte ptr [esi+3], 1
		test	al, al
		jz	short loc_48ADFE
		mov	dword ptr [esi+38h], 0FFFFFFFFh
		mov	dword ptr [esi+3Ch], 0FFFFFFFFh

loc_48ADFA:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+752j
		test	al, al
		jnz	short loc_48AE05

loc_48ADFE:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+729j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+75Aj
		mov	eax, 1
		jmp	short loc_48AE07
; 

loc_48AE05:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+76Cj
		xor	eax, eax

loc_48AE07:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+773j
		push	eax
		call	off_6B12E8	; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		cmp	dword ptr [edi+21ECh], 0
		mov	[ebp+var_EC], eax
		jz	short loc_48AE49
		mov	[ebp+var_EC], 80000011h

loc_48AE27:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+7BBj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+7E4j
		cmp	[ebp+arg_20], 0
		jz	short loc_48AE3A
		xor	dl, dl
		lea	ecx, [edi+3DA8h]
		call	_PpmIdleSetSynchronizationState@8 ; PpmIdleSetSynchronizationState(x,x)

loc_48AE3A:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+79Bj
		mov	[ebp+var_124], 0
		jmp	loc_48B6D7
; 

loc_48AE49:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+78Bj
		test	eax, eax
		js	short loc_48AE27
		cmp	byte ptr [ebx],	1
		jnz	short loc_48AE76
		mov	eax, [ebp+var_F4]
		mov	ecx, ebx
		or	eax, [edi+3C8h]
		push	eax
		call	_PpmIdleRecheckCoordinatedIdleMask@12 ;	PpmIdleRecheckCoordinatedIdleMask(x,x,x)
		test	al, al
		jz	short loc_48AE76
		mov	[ebp+var_EC], 0C0000016h
		jmp	short loc_48AE27
; 

loc_48AE76:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+7C0j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+7D8j
		mov	al, [ebp+var_E5]
		test	al, al
		jz	short loc_48AE89
		mov	ecx, 200h
		or	[ebx+30h], cx

loc_48AE89:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+7EEj
		mov	cl, byte ptr [ebp+var_114]
		test	cl, cl
		jz	short loc_48AEB2
		mov	[ebp+var_FF], 1
		lock inc _PpmNonInterruptibleCount
		call	_KiSuspendClockTimer@0 ; KiSuspendClockTimer()
		mov	al, [ebp+var_E5]
		mov	cl, byte ptr [ebp+var_114]

loc_48AEB2:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+801j
		cmp	byte ptr [ebx+0BCh], 0
		jz	short loc_48AF0B
		test	al, al
		jz	short loc_48AECA
		test	cl, cl
		jnz	short loc_48AECA
		mov	byte ptr [ebp+var_148],	1

loc_48AECA:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+82Dj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+831j
		mov	ecx, [ebp+arg_C]
		test	cl, cl
		jz	short loc_48AEEC
		cmp	[ebp+arg_0], 0FFFFFFFFh
		jz	short loc_48AEEC
		cmp	_PpmDripsStateIndex, 0FFFFFFFFh
		jz	short loc_48AEEC
		cmp	byte ptr [ebx],	1
		jnz	short loc_48AEEC
		mov	[ebp+var_FC], 1

loc_48AEEC:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+83Fj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+845j	...
		push	[ebp+var_148]
		mov	eax, [ebx+0ACh]
		mov	dl, [ebp+var_FC]
		push	eax
		mov	eax, [ebx+0A8h]
		push	eax
		call	_KePrepareClockTimerForIdle@20 ; KePrepareClockTimerForIdle(x,x,x,x,x)

loc_48AF0B:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+678j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+680j	...
		mov	eax, [edi+3EC8h]
		mov	esi, [ebp+arg_14]
		mov	[ebp+var_140], eax
		test	eax, eax
		jz	short loc_48AF44
		push	1
		push	esi
		push	[ebp+arg_10]
		mov	dl, 1
		mov	ecx, eax
		call	_PpmIdleUpdateConcurrency@20 ; PpmIdleUpdateConcurrency(x,x,x,x,x)
		mov	ecx, [edi+3ECCh]
		test	ecx, ecx
		jz	short loc_48AF44
		push	1
		push	esi
		push	[ebp+arg_10]
		mov	dl, 1
		call	_PpmIdleUpdateConcurrency@20 ; PpmIdleUpdateConcurrency(x,x,x,x,x)

loc_48AF44:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+88Cj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+8A5j
		mov	eax, [ebp+var_110]
		mov	[ebx+14h], eax
		lea	ebx, [edi+3DB0h]
		mov	ecx, [edi+3D54h]
		rdtsc
		mov	[ebp+var_104], eax
		and	ecx, 4
		xor	eax, eax
		mov	[ebp+var_12C], ebx
		or	eax, ecx
		mov	[ebp+var_128], edx
		jz	short loc_48AF8B
		mov	ecx, 0DB2h
		rdmsr
		mov	[ebp+var_108], eax
		mov	[ebp+var_F8], edx
		jmp	short loc_48AF9F
; 

loc_48AF8B:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+8E4j
		mov	[ebp+var_108], 0
		mov	[ebp+var_F8], 0

loc_48AF9F:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+8F9j
		mov	eax, [ebp+arg_10]
		lea	edi, [ebx+30h]
		sub	eax, [ebx+20h]
		mov	ecx, esi
		mov	[ebp+var_10C], eax
		sbb	ecx, [ebx+24h]
		mov	[ebp+var_F4], ecx
		lea	esp, [esp+0]

loc_48AFC0:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+956j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+95Ej
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, eax
		mov	ecx, edx
		mov	[ebp+var_118], edx
		adc	ecx, [ebp+var_F4]
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		mov	eax, [ebp+var_10C]
		jnz	short loc_48AFC0
		cmp	edx, [ebp+var_118]
		jnz	short loc_48AFC0
		mov	edi, [ebp+var_120]
		xor	eax, eax
		mov	ecx, [edi+3D54h]
		and	ecx, 4
		or	eax, ecx
		jz	short loc_48B05F
		mov	ecx, [ebp+var_108]
		sub	ecx, [edi+3E20h]
		mov	eax, [ebp+var_F8]
		sbb	eax, [edi+3E24h]
		mov	esi, [edi+3DB8h]
		mov	ebx, [edi+3DBCh]
		push	eax
		mov	eax, [ebp+var_128]
		push	ecx
		mov	ecx, [ebp+var_104]
		sub	ecx, esi
		sbb	eax, ebx
		push	eax
		push	ecx
		push	[ebp+var_F4]
		push	[ebp+var_10C]
		call	PpmConvertTime
		add	[edi+3E28h], eax
		lea	ecx, [edi+3DB0h]
		adc	[ecx+7Ch], edx
		jmp	short loc_48B06E
; 

loc_48B05F:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+973j
		mov	esi, [edi+3DB8h]
		lea	ecx, [edi+3DB0h]
		mov	ebx, [ecx+0Ch]

loc_48B06E:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+9CDj
		mov	eax, [ebp+arg_10]
		mov	edx, [ebp+var_104]
		mov	[ecx+20h], eax
		mov	eax, [ebp+arg_14]
		mov	[ecx+24h], eax
		mov	eax, [ebp+var_128]
		cmp	eax, ebx
		jb	short loc_48B0AB
		ja	short loc_48B090
		cmp	edx, esi
		jbe	short loc_48B0AB

loc_48B090:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+9FAj
		mov	ecx, edx
		sub	ecx, esi
		sbb	eax, ebx
		add	[edi+3DC0h], ecx
		lea	ecx, [edi+3DB0h]
		adc	[ecx+14h], eax
		mov	eax, [ebp+var_128]

loc_48B0AB:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+9F8j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+9FEj
		mov	[ecx+0Ch], eax
		xor	eax, eax
		mov	[ecx+8], edx
		mov	ecx, [edi+3D54h]
		and	ecx, 4
		or	eax, ecx
		jz	short loc_48B0D8
		mov	eax, [ebp+var_108]
		mov	[edi+3E20h], eax
		mov	eax, [ebp+var_F8]
		mov	[edi+3E24h], eax

loc_48B0D8:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+A2Ej
		push	0
		push	1
		push	0
		xor	dl, dl
		mov	ecx, edi
		call	PpmUpdatePerformanceFeedback
		mov	eax, _PopSnapEnergyCounters
		test	eax, eax
		jz	short loc_48B0FC
		mov	ecx, [edi+3CCh]
		xor	dl, dl
		push	0
		call	eax

loc_48B0FC:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+A5Ej
		lea	eax, [edi+3D88h]
		mov	[ebp+var_108], eax
		mov	edi, eax
		lea	ebx, [ebx+0]

loc_48B110:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+A9Cj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+AA4j
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_118], ecx
		mov	ecx, [ebp+arg_14]
		nop
		mov	ebx, [ebp+arg_10]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_48B110
		cmp	edx, [ebp+var_118]
		jnz	short loc_48B110
		mov	esi, [ebp+var_11C]
		mov	edi, [ebp+var_120]
		mov	ebx, [esi+64h]
		test	ebx, ebx
		jz	short loc_48B172
		mov	eax, [esi+108h]
		mov	edx, [ebp+var_110]
		mov	ecx, [ebp+var_130]
		push	eax
		mov	eax, [esi+100h]
		push	eax
		push	[ebp+arg_0]
		call	ebx
		mov	ebx, eax
		mov	[ebp+var_EC], ebx
		jmp	short loc_48B178
; 

loc_48B172:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+AB7j
		mov	ebx, [ebp+var_EC]

loc_48B178:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+AE0j
		test	ebx, ebx
		js	loc_48B4C2
		mov	edx, [ebp+arg_0]
		mov	ecx, [esi+108h]
		mov	ebx, [esi+100h]
		mov	byte ptr [ebp+var_13C],	1
		mov	[ebp+var_F8], ecx
		mov	[ebp+var_118], ebx
		cmp	edx, 0FFFFFFFFh
		jz	loc_48B243
		lea	eax, [edx+edx*2]
		mov	ecx, edx
		shl	eax, 6
		add	eax, ds:_PpmPlatformStates
		mov	[ebp+var_F4], eax
		call	_PpmEventEnterPlatformIdleState@4 ; PpmEventEnterPlatformIdleState(x)
		mov	ecx, dword_6D4600
		mov	eax, dword_6D4604
		or	ecx, eax
		jnz	short loc_48B201
		mov	eax, [ebp+arg_0]
		cmp	eax, dword_6D4640
		jnz	short loc_48B201
		call	KeQueryInterruptTime
		mov	ebx, eax
		mov	ecx, edx
		xor	eax, eax
		mov	edi, offset dword_6D4600
		xor	edx, edx
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_120]
		mov	ebx, [ebp+var_118]

loc_48B201:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+B41j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+B4Cj
		cmp	byte ptr [ebp+arg_C], 0
		jz	short loc_48B21B
		mov	eax, ds:_PpmPlatformStates
		mov	byte ptr [eax+24h], 1
		mov	eax, ds:_PpmPlatformStates
		mov	eax, [eax+20h]
		inc	dword ptr [eax+8]

loc_48B21B:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+B75j
		mov	eax, [ebp+var_F4]
		cmp	byte ptr [eax+68h], 0
		jz	short loc_48B23D
		push	1
		push	80000004h
		call	_KdPowerTransitionEx@8 ; KdPowerTransitionEx(x,x)
		mov	ecx, 4
		call	_KdCallPowerHandlers@4 ; KdCallPowerHandlers(x)

loc_48B23D:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+B95j
		mov	ecx, [ebp+var_F8]

loc_48B243:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+B15j
		test	ebx, ebx
		jz	loc_48B314
		mov	eax, ds:_PpmPlatformStates
		cmp	byte ptr [eax+0Ch], 0
		jz	short loc_48B299
		test	ds:dword_70EFC8, 8000h
		jz	short loc_48B299
		push	602h
		push	123Fh
		mov	[ebp+var_3C], ecx
		lea	eax, ds:0[ebx*4]
		push	40008000h
		mov	edx, 1
		mov	[ebp+var_38], 0
		lea	ecx, [ebp+var_3C]
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_48B299:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+BC4j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+BD0j
		test	ebx, ebx
		jz	short loc_48B314
		mov	edi, [ebp+var_F8]
		mov	esi, [ebp+arg_14]
		add	edi, 0FFFFFFFCh
		lea	edi, [edi+ebx*4]
		lea	esp, [esp+0]

loc_48B2B0:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+C76j
		mov	eax, [edi]
		lea	edx, [eax+eax*2]
		mov	eax, [ebp+arg_10]
		shl	edx, 6
		add	edx, ds:_PpmPlatformStates
		mov	[edx+90h], eax
		mov	[edx+94h], esi
		mov	ecx, [edx+88h]
		mov	eax, ds:_PpmPlatformStates
		cmp	dword ptr [eax+4], 0
		jnz	short loc_48B2EE
		movzx	eax, large byte	ptr fs:51h
		and	ecx, 0FFFFF000h
		or	ecx, eax

loc_48B2EE:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+C4Cj
		and	ecx, 0FCFFFFFFh
		sub	edi, 4
		or	ecx, 4000000h
		mov	[edx+88h], ecx
		sub	ebx, 1
		jnz	short loc_48B2B0
		mov	edi, [ebp+var_120]
		mov	esi, [ebp+var_11C]

loc_48B314:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+BB5j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+C0Bj
		cmp	[ebp+arg_0], 0FFFFFFFFh
		jz	short loc_48B31F
		or	word ptr [esi+30h], 10h

loc_48B31F:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+C88j
		test	ds:dword_70EFC8, 8000h
		movzx	eax, word ptr [esi+30h]
		mov	ecx, [esi+0A0h]
		mov	edx, [esi+0A4h]
		mov	bl, [esi+0BDh]
		movzx	eax, ax
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], 0
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 0
		jz	short loc_48B3B7
		mov	esi, [ebp+var_110]
		push	602h
		mov	word ptr [ebp+var_18], ax
		lea	eax, [ebp+var_1C]
		push	1239h
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_4C]
		mov	[ebp+var_10], edx
		mov	edx, 1
		push	40008000h
		mov	byte ptr [ebp+var_18+3], 0
		mov	[ebp+var_1C], esi
		mov	byte ptr [ebp+var_18+2], bl
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], 0
		mov	[ebp+var_44], 10h
		mov	[ebp+var_40], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	esi, [ebp+var_11C]

loc_48B3B7:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+CCEj
		cmp	[ebp+arg_20], 0
		jz	short loc_48B3CE
		mov	dl, [ebp+var_ED]
		lea	ecx, [edi+3DA8h]
		call	_PpmIdleSetSynchronizationState@8 ; PpmIdleSetSynchronizationState(x,x)

loc_48B3CE:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+D2Bj
		mov	cl, [edi+21B9h]
		test	cl, 1
		jz	short loc_48B3EA
		cmp	word ptr [edi+21BAh], 0
		jz	short loc_48B3EA
		or	byte ptr [edi+21B8h], 1

loc_48B3EA:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+D47j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+D51j
		xor	eax, eax
		mov	[ebp+var_F4], eax
		test	cl, 20h
		jz	short loc_48B40B
		mov	ax, [edi+4F08h]
		mov	word ptr [ebp+var_F4+2], ax
		mov	eax, [ebp+var_F4]

loc_48B40B:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+D65j
		mov	ecx, [esi+108h]
		mov	edx, [ebp+var_110]
		push	ecx
		mov	ecx, [esi+100h]
		push	ecx
		mov	ecx, [ebp+var_130]
		push	eax
		push	[ebp+arg_0]
		mov	eax, [esi+68h]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	eax
		and	byte ptr [edi+21B8h], 0FEh
		mov	ebx, eax
		mov	eax, [esi+40h]
		mov	[ebp+var_EC], ebx
		test	eax, eax
		jns	short loc_48B456
		test	ebx, ebx
		js	short loc_48B456
		mov	ebx, eax
		mov	[ebp+var_EC], eax

loc_48B456:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+DB8j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+DBCj
		test	ds:dword_70EFC8, 8000h
		mov	[ebp+var_174], 0
		mov	[ebp+var_170], 0
		jz	short loc_48B4C2
		mov	eax, [ebp+var_110]
		lea	ecx, [ebp+var_5C]
		push	602h
		mov	[ebp+var_174], eax
		mov	edx, 1
		push	123Ah
		lea	eax, [ebp+var_174]
		mov	[ebp+var_170], ebx
		push	40008000h
		mov	[ebp+var_5C], eax
		mov	[ebp+var_58], 0
		mov	[ebp+var_54], 8
		mov	[ebp+var_50], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_48B4C2:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+AEAj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+DE4j
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	edi, [ebp+var_108]
		mov	[ebp+var_104], eax
		mov	[ebp+var_10C], edx
		lea	esp, [esp+0]

loc_48B4E0:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+E6Aj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+E72j
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_118], ecx
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_48B4E0
		cmp	edx, [ebp+var_118]
		jnz	short loc_48B4E0
		mov	ebx, [ebp+var_12C]
		mov	edi, [ebp+var_120]
		cmp	[ebx+81h], cl
		jz	short loc_48B579
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, ebx
		mov	[ebp+var_ED], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	esi, [ebx+18h]
		mov	ebx, 2

loc_48B532:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+EB9j
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_48B543
		cmp	byte ptr [ecx+22h], 0
		jz	short loc_48B543
		call	_PpmPerfFeedbackCounterUpdate@4	; PpmPerfFeedbackCounterUpdate(x)

loc_48B543:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+EA6j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+EACj
		add	esi, 4
		sub	ebx, 1
		jnz	short loc_48B532
		test	ds:byte_70EFC6,	1
		jz	short loc_48B564
		mov	edx, [ebp+4]
		lea	ecx, [edi+3DB0h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_48B56F
; 

loc_48B564:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+EC2j
		xor	eax, eax
		lea	esi, [edi+3DB0h]
		lock and [esi],	eax

loc_48B56F:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+ED2j
		cmp	[ebp+var_ED], 0
		jz	short loc_48B579
		sti

loc_48B579:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+E86j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+EE6j
		mov	esi, [edi+3D54h]
		xor	ecx, ecx
		rdtsc
		mov	ebx, eax
		and	esi, 4
		or	ecx, esi
		mov	eax, edx
		mov	[ebp+var_12C], eax
		jz	short loc_48B5A5
		mov	ecx, 0DB2h
		rdmsr
		mov	esi, eax
		mov	eax, [ebp+var_12C]
		jmp	short loc_48B5A9
; 

loc_48B5A5:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+F02j
		xor	esi, esi
		xor	edx, edx

loc_48B5A9:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+F13j
		mov	ecx, [ebp+var_104]
		mov	[edi+3DD0h], ecx
		mov	ecx, [ebp+var_10C]
		mov	[edi+3DBCh], eax
		xor	eax, eax
		mov	[edi+3DD4h], ecx
		mov	[edi+3DB8h], ebx
		mov	ecx, [edi+3D54h]
		and	ecx, 4
		or	eax, ecx
		jz	short loc_48B5E8
		mov	[edi+3E20h], esi
		mov	[edi+3E24h], edx

loc_48B5E8:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+F4Aj
		mov	ecx, [ebp+var_140]
		mov	esi, [ebp+var_10C]
		mov	ebx, [ebp+var_104]
		test	ecx, ecx
		jz	short loc_48B61E
		push	1
		push	esi
		push	ebx
		xor	dl, dl
		call	_PpmIdleUpdateConcurrency@20 ; PpmIdleUpdateConcurrency(x,x,x,x,x)
		mov	ecx, [edi+3ECCh]
		test	ecx, ecx
		jz	short loc_48B61E
		push	1
		push	esi
		push	ebx
		xor	dl, dl
		call	_PpmIdleUpdateConcurrency@20 ; PpmIdleUpdateConcurrency(x,x,x,x,x)

loc_48B61E:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+F6Cj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+F81j
		mov	ecx, ebx
		mov	eax, esi
		sub	ecx, [ebp+arg_10]
		mov	[edi+3D78h], ecx
		sbb	eax, [ebp+arg_14]
		cmp	[ebp+arg_20], 0
		mov	[edi+3D7Ch], eax
		jz	short loc_48B66D
		lea	eax, [edi+3DA8h]
		xor	dl, dl
		mov	ecx, eax
		call	_PpmIdleSetSynchronizationState@8 ; PpmIdleSetSynchronizationState(x,x)
		mov	ecx, [ebp+var_EC]
		test	ecx, ecx
		js	short loc_48B664
		cmp	al, 8
		jz	short loc_48B664
		cmp	byte ptr [ebp+var_114],	0
		jnz	loc_48B945

loc_48B664:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+FC1j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+FC5j
		mov	byte ptr [edi+3D99h], 0
		jmp	short loc_48B673
; 

loc_48B66D:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+FA8j
		mov	ecx, [ebp+var_EC]

loc_48B673:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+FDBj
		cmp	[ebp+var_FD], 0
		jz	loc_48B72C
		cmp	byte ptr [ebp+var_13C],	0
		jz	short loc_48B6D7
		test	ecx, ecx
		js	short loc_48B6D7
		mov	ecx, ds:_PpmPlatformStates
		test	ecx, ecx
		jz	short loc_48B6D7
		cmp	byte ptr [ecx+24h], 0
		jz	short loc_48B6D7
		mov	eax, _PpmDripsStateIndex
		cmp	eax, 0FFFFFFFFh
		jz	short loc_48B6D7
		lea	eax, [eax+eax*2]
		shl	eax, 6
		mov	eax, [eax+ecx+88h]
		test	eax, eax
		jz	short loc_48B6D7
		lea	edx, [ebp+var_E4]
		lea	ecx, [ebp+var_138]
		call	_KeQueryWakeSource@8 ; KeQueryWakeSource(x,x)
		test	eax, eax
		jns	short loc_48B6D7
		mov	[ebp+var_138], 3

loc_48B6D7:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+7B4j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+FF7j	...
		mov	eax, [edi+338h]
		movzx	ecx, byte ptr [edi+3C4h]
		add	eax, 40h
		lock btr [eax],	ecx
		cmp	byte ptr [ebp+var_148],	0
		mov	esi, [ebp+var_EC]
		jz	short loc_48B706
		test	esi, esi
		js	short loc_48B706
		lea	ecx, [ebp+var_14C]
		jmp	short loc_48B708
; 

loc_48B706:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1068j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+106Cj
		xor	ecx, ecx

loc_48B708:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1074j
		call	KeResumeClockTimerFromIdle
		call	off_6B12F0	; SymCryptFatalIntercept(x)
		mov	eax, ds:_KeTickCount
		mov	ecx, edi
		mov	edx, [edi+2240h]
		push	0
		push	0
		push	eax
		call	KeAccumulateTicks
		jmp	short loc_48B732
; 

loc_48B72C:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+FEAj
		mov	esi, [ebp+var_EC]

loc_48B732:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+109Aj
		cmp	[ebp+var_FE], 0
		jz	short loc_48B763
		mov	eax, [edi+338h]
		movzx	ecx, byte ptr [edi+3C4h]
		add	eax, 44h
		lock btr [eax],	ecx
		mov	dword ptr [edi+3D90h], 0FFFFFFFFh
		mov	dword ptr [edi+3D94h], 0FFFFFFFFh

loc_48B763:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+10A9j
		mov	ebx, [ebp+var_124]
		cmp	ebx, 3
		jnz	short loc_48B7E5
		mov	byte ptr [ebp+var_F4], 0

loc_48B775:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+36Dj
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+545j	...
		push	[ebp+var_138]
		mov	ecx, [ebp+var_10C]
		lea	eax, [ebp+var_E4]
		push	eax
		push	[ebp+arg_C]
		push	ecx
		mov	ecx, [ebp+var_104]
		push	ecx
		push	[ebp+var_F4]
		mov	ecx, edi
		push	esi
		push	[ebp+var_13C]
		mov	esi, [ebp+var_144]
		mov	edx, esi
		call	PpmExitCoordinatedIdle
		mov	edi, eax
		cmp	ebx, 3
		mov	ebx, [ebp+var_11C]
		mov	[ebp+var_12C], edi
		jz	short loc_48B7EE
		cmp	byte ptr [ebx],	0
		jnz	short loc_48B808
		mov	edx, [ebp+var_124]
		mov	ecx, [ebp+var_130]
		mov	esi, [ebx+7Ch]
		call	esi
		lea	esi, [ebx+0FCh]
		jmp	short loc_48B808
; 

loc_48B7E0:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+525j
		mov	esi, 0C0000016h

loc_48B7E5:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+10DCj
		mov	byte ptr [ebp+var_F4], 1
		jmp	short loc_48B775
; 

loc_48B7EE:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1130j
		mov	eax, [esi+0Ch]
		mov	edx, [ebp+var_110]
		mov	ecx, [ebp+var_130]
		push	eax
		mov	eax, [esi+4]
		push	eax
		mov	eax, [ebx+78h]
		push	edi
		call	eax

loc_48B808:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1135j
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+114Ej
		mov	edx, [esi+4]
		mov	eax, [esi+0Ch]
		test	edx, edx
		jz	short loc_48B838
		lea	esi, [edx-1]
		lea	esi, [eax+esi*4]

loc_48B818:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+11A6j
		mov	eax, [esi]
		lea	esi, [esi-4]
		lea	ecx, [eax+eax*2]
		mov	eax, ds:_PpmPlatformStates
		shl	ecx, 6
		mov	dword ptr [ecx+eax+88h], 0
		sub	edx, 1
		jnz	short loc_48B818

loc_48B838:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1180j
		cmp	[ebp+var_FF], 0
		jz	short loc_48B848
		lock dec _PpmNonInterruptibleCount

loc_48B848:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+11AFj
		movzx	eax, large byte	ptr fs:51h
		mov	esi, [ebx+5Ch]
		mov	[ebp+var_1A0], 0
		mov	[ebp+var_28], 10001h
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_144], eax

loc_48B878:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+123Bj
		test	esi, esi
		jz	short loc_48B8CD
		bsf	edi, esi
		mov	ecx, edi
		btr	esi, edi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, [eax+3D70h]
		mov	[ebp+var_140], ecx
		lea	ecx, [eax+3DA8h]
		call	_PpmIdleUnlockProcessor@4 ; PpmIdleUnlockProcessor(x)
		cmp	al, 6
		jnz	short loc_48B8AD
		mov	eax, [ebp+var_20]
		bts	eax, edi
		mov	[ebp+var_20], eax

loc_48B8AD:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1212j
		push	[ebp+var_144]
		mov	eax, [ebp+var_140]
		add	eax, 48h
		push	eax
		call	_KeInterlockedClearProcessorAffinityEx@8 ; KeInterlockedClearProcessorAffinityEx(x,x)
		mov	eax, [ebx+5Ch]
		btr	eax, edi
		mov	[ebx+5Ch], eax
		jmp	short loc_48B878
; 

loc_48B8CD:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+11EAj
		cmp	[ebp+var_20], 0
		jz	short loc_48B8DF
		lea	eax, [ebp+var_28]
		push	eax
		push	0
		call	ds:__imp__HalRequestIpi@8 ; HalRequestIpi(x,x)

loc_48B8DF:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1241j
		cmp	byte ptr [ebx+3], 0
		jz	short loc_48B920
		push	[ebp+var_12C]
		mov	edx, [ebp+var_EC]
		push	[ebp+var_110]
		mov	ecx, [ebp+var_120]
		push	[ebp+var_134]
		push	[ebp+var_14C]
		push	[ebp+var_10C]
		push	[ebp+var_104]
		push	[ebp+var_114]
		call	_PpmIdleCompleteExitLatencyTrace@36 ; PpmIdleCompleteExitLatencyTrace(x,x,x,x,x,x,x,x,x)

loc_48B920:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1253j
		mov	eax, [ebp+var_124]
		mov	ecx, [ebp+var_8]
		pop	edi
		mov	[ebx+44h], eax
		xor	ecx, ebp
		mov	eax, [ebp+var_EC]
		pop	esi
		mov	[ebx+40h], eax
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_48B945:				; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+FCEj
		push	edi
		movzx	eax, al
		push	eax
		push	[ebp+var_110]
		push	702h
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
@PpmIdleExecuteTransition@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmExitCoordinatedIdle proc near	; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+111Ap

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 005B75DA SIZE 0000026E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_2C], ecx
		or	ebx, 0FFFFFFFFh
		mov	[ebp+var_2], 0
		mov	esi, edx
		cmp	ds:_PpmPlatformStates, edi
		jnz	loc_5B75DA

loc_48B985:				; CODE XREF: PpmExitCoordinatedIdle+12BED0j
					; PpmExitCoordinatedIdle+12BEE3j
		mov	[esi+4], edi
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
PpmExitCoordinatedIdle endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmUpdatePerformanceFeedback proc near	; CODE XREF: PpmContinueActiveTimeAccumulation(x,x,x)+22p
					; PpmSnapPerformanceAccumulation+17Fp ...

var_76		= byte ptr -76h
var_74		= dword	ptr -74h
var_70		= byte ptr -70h
var_6F		= byte ptr -6Fh
var_6E		= byte ptr -6Eh
var_6D		= byte ptr -6Dh
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005B7848 SIZE 000000D2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		push	ebx
		mov	ebx, ecx
		mov	[esp+78h+var_8], 0
		push	esi
		mov	al, dl
		mov	[esp+7Ch+var_40], ebx
		xor	edx, edx
		mov	[esp+7Ch+var_6F], al
		push	edi
		xor	edi, edi
		mov	[esp+80h+var_5C], edx
		cmp	dword ptr [ebx+3E38h], 3
		mov	[esp+80h+var_60], edi
		mov	[esp+80h+var_20], edx
		mov	[esp+80h+var_1C], edx
		mov	[esp+80h+var_30], edx
		mov	[esp+80h+var_2C], edx
		mov	[esp+80h+var_28], edx
		mov	[esp+80h+var_24], edx
		jz	loc_5B7848
		mov	[esp+80h+var_6D], dl

loc_48B9F7:				; CODE XREF: PpmUpdatePerformanceFeedback+12BEBCj
		lea	esi, [ebx+3DB0h]
		test	al, al
		jnz	short loc_48BA0F
		mov	ecx, [esi+30h]
		mov	eax, [esi+34h]
		or	ecx, eax
		jz	loc_48BC91

loc_48BA0F:				; CODE XREF: PpmUpdatePerformanceFeedback+5Fj
					; PpmUpdatePerformanceFeedback+302j ...
		lea	ecx, [esi+18h]
		mov	[esp+80h+var_6E], 0
		mov	edi, 2
		mov	[esp+80h+var_48], ecx
		xor	eax, eax

loc_48BA22:				; CODE XREF: PpmUpdatePerformanceFeedback+B0j
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_48BA49
		mov	dl, [edx+20h]
		test	dl, dl
		jz	short loc_48BA42
		cmp	[ebp+arg_0], 0
		jnz	loc_48BD78
		test	dl, dl
		jz	short loc_48BA42
		mov	[esp+80h+var_6E], 1

loc_48BA42:				; CODE XREF: PpmUpdatePerformanceFeedback+8Dj
					; PpmUpdatePerformanceFeedback+9Bj
		cmp	edi, 2
		jnz	short loc_48BA49
		mov	edi, eax

loc_48BA49:				; CODE XREF: PpmUpdatePerformanceFeedback+86j
					; PpmUpdatePerformanceFeedback+A5j
		inc	eax
		add	ecx, 4
		cmp	eax, 2
		jb	short loc_48BA22
		cmp	[esp+80h+var_6E], 0
		jz	loc_48BD3A

loc_48BA5D:				; CODE XREF: PpmUpdatePerformanceFeedback+39Ej
					; PpmUpdatePerformanceFeedback+3A9j
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		test	ds:byte_70EFC6,	21h
		mov	[esp+80h+var_6E], al
		jnz	loc_5B7861
		lock bts dword ptr [esi], 0
		jb	loc_5B786D

loc_48BA7E:				; CODE XREF: PpmUpdatePerformanceFeedback+12BEC8j
					; PpmUpdatePerformanceFeedback+12BED4j
		lea	edi, [esi+30h]

loc_48BA81:				; CODE XREF: PpmUpdatePerformanceFeedback+FFj
					; PpmUpdatePerformanceFeedback+107j
		mov	eax, [edi]
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[esp+80h+var_6C], eax
		mov	[esp+80h+var_68], ecx
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, edx
		cmp	eax, [esp+80h+var_6C]
		jnz	short loc_48BA81
		mov	edx, [esp+80h+var_68]
		cmp	ecx, edx
		jnz	short loc_48BA81
		cmp	[esp+80h+var_6D], 0
		jnz	loc_5B7879
		mov	eax, [esp+80h+var_6C]

loc_48BAB8:				; CODE XREF: PpmUpdatePerformanceFeedback+12BF17j
		add	[esi+28h], eax
		lea	ebx, [esi+18h]
		lea	eax, [esi+38h]
		adc	[esi+2Ch], edx
		xor	edi, edi
		mov	[esp+80h+var_4C], edi
		mov	[esp+80h+var_44], eax
		mov	edi, edi

loc_48BAD0:				; CODE XREF: PpmUpdatePerformanceFeedback+26Cj
		mov	ebx, [ebx]
		mov	[esp+80h+var_64], ebx
		test	ebx, ebx
		jz	loc_48BBF2
		cmp	byte ptr [ebx+21h], 0
		mov	eax, [ebx]
		mov	ecx, [ebx+24h]
		mov	[esp+80h+var_10], 0
		mov	[esp+80h+var_C], 0
		mov	[esp+80h+var_18], 0
		mov	[esp+80h+var_14], 0
		jz	loc_5B78BC
		lea	edx, [esp+80h+var_10]
		push	edx
		lea	edx, [esp+84h+var_18]
		push	edx
		mov	dl, [esp+88h+var_6F]
		call	eax
		mov	eax, [ebx+10h]
		mov	edx, [esp+88h+var_20]
		cmp	edx, eax
		mov	ecx, [ebx+14h]
		mov	[esp+88h+var_60], eax
		mov	eax, [esp+88h+var_1C]
		mov	[esp+88h+var_44], ecx
		jnz	short loc_48BB3F
		cmp	eax, ecx
		jz	loc_48BBBF

loc_48BB3F:				; CODE XREF: PpmUpdatePerformanceFeedback+195j
		sub	edx, [esp+88h+var_60]
		mov	edi, [esp+88h+var_14]
		sbb	eax, ecx
		mov	[esp+88h+var_5C], edx
		mov	ecx, [ebx+8]
		mov	[esp+88h+var_58], eax
		mov	eax, [ebx+0Ch]
		mov	ebx, [esp+88h+var_18]
		sub	ebx, ecx
		mov	[esp+88h+var_3C], eax
		mov	[esp+88h+var_40], ecx
		sbb	edi, eax
		mov	eax, [esp+88h+var_6C]
		push	edi
		push	ebx
		movzx	eax, byte ptr [eax+23h]
		cdq
		push	edx
		push	eax
		call	__allmul
		push	[esp+88h+var_58]
		push	[esp+8Ch+var_5C]
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, [esp+88h+var_6C]
		mov	edx, [esp+88h+var_60]
		add	edx, [esp+88h+var_5C]
		mov	[ecx+18h], eax
		mov	eax, [esp+88h+var_44]
		adc	eax, [esp+88h+var_58]
		mov	[ecx+14h], eax
		mov	eax, [esp+88h+var_3C]
		mov	[ecx+10h], edx
		mov	ecx, [esp+88h+var_40]
		add	ecx, ebx
		mov	ebx, [esp+88h+var_6C]
		adc	eax, edi
		mov	edi, [esp+88h+var_54]
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], eax

loc_48BBBF:				; CODE XREF: PpmUpdatePerformanceFeedback+199j
		mov	ecx, [ebx+18h]
		mov	[esp+88h+var_10], ecx

loc_48BBC6:				; CODE XREF: PpmUpdatePerformanceFeedback+12BF26j
		mov	eax, dword ptr [esp+88h+var_70]
		mul	ecx
		mov	ebx, eax
		mov	eax, [esp+88h+var_74]
		mul	ecx
		add	ebx, edx
		mov	edx, eax
		mov	eax, [esp+88h+var_4C]
		add	[eax], edx
		adc	[eax+4], ebx
		movzx	ecx, byte ptr [esi+80h]
		cmp	edi, ecx
		jnz	short loc_48BBF2
		add	[esi+48h], edx
		adc	[esi+4Ch], ebx

loc_48BBF2:				; CODE XREF: PpmUpdatePerformanceFeedback+138j
					; PpmUpdatePerformanceFeedback+24Aj
		mov	ebx, [esp+88h+var_50]
		inc	edi
		add	ebx, 4
		mov	[esp+88h+var_54], edi
		add	eax, 8
		mov	[esp+88h+var_50], ebx
		mov	[esp+88h+var_4C], eax
		cmp	edi, 2
		jb	loc_48BAD0
		cmp	byte ptr [esi+80h], 2
		jz	loc_48BD58

loc_48BC1F:				; CODE XREF: PpmUpdatePerformanceFeedback+3D3j
		mov	ebx, [esp+88h+var_48]
		mov	ecx, [ebx+4A4h]
		mov	edi, ecx
		mov	edx, [ebx+4A8h]
		mov	eax, edx
		sub	eax, [esi+58h]
		sub	edi, [esi+5Ch]
		mov	[esp+88h+var_3C], ecx
		lea	ecx, [eax+edi]
		test	ecx, ecx
		jnz	loc_48BCD8

loc_48BC48:				; CODE XREF: PpmUpdatePerformanceFeedback+360j
					; PpmUpdatePerformanceFeedback+385j
		mov	eax, [esp+88h+var_30]
		mov	[esi+60h], eax
		mov	eax, [esp+88h+var_2C]
		mov	[esi+64h], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5B78CB
		xor	eax, eax
		lock and [esi],	eax

loc_48BC68:				; CODE XREF: PpmUpdatePerformanceFeedback+12BF35j
		cmp	[esp+88h+var_76], 0
		jnz	loc_48BD2A

loc_48BC73:				; CODE XREF: PpmUpdatePerformanceFeedback+38Bj
		mov	edx, [esp+88h+var_64]
		mov	edi, [esp+88h+var_68]

loc_48BC7B:				; CODE XREF: PpmUpdatePerformanceFeedback+31Bj
					; PpmUpdatePerformanceFeedback+331j ...
		mov	esi, [ebp+arg_8]
		mov	al, 1
		test	esi, esi
		jnz	loc_5B78DA

loc_48BC88:				; CODE XREF: PpmUpdatePerformanceFeedback+12BF75j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_48BC91:				; CODE XREF: PpmUpdatePerformanceFeedback+69j
		mov	eax, [esi+48h]
		or	eax, [esi+4Ch]
		jz	short loc_48BCB7
		mov	eax, [ebx+4A8h]
		cmp	eax, [esi+58h]
		jnz	loc_48BA0F
		mov	eax, [ebx+4A4h]
		cmp	eax, [esi+5Ch]
		jnz	loc_48BA0F

loc_48BCB7:				; CODE XREF: PpmUpdatePerformanceFeedback+2F7j
		cmp	[ebp+arg_0], 0
		jz	short loc_48BC7B
		mov	eax, [esp+80h+var_28]
		cmp	eax, [esi+60h]
		jnz	loc_48BA0F
		mov	eax, [esp+80h+var_24]
		cmp	eax, [esi+64h]
		jz	short loc_48BC7B
		jmp	loc_48BA0F
; 

loc_48BCD8:				; CODE XREF: PpmUpdatePerformanceFeedback+2A2j
		mov	eax, [esi+48h]
		mov	[esp+88h+var_44], eax
		mov	eax, [esi+4Ch]
		mov	[esp+88h+var_40], eax
		mov	eax, [esp+88h+var_3C]
		mov	dword ptr [esi+48h], 0
		mov	dword ptr [esi+4Ch], 0
		mov	[esi+58h], edx
		mov	[esi+5Ch], eax
		test	edi, edi
		jz	loc_48BC48
		cmp	ecx, 1
		jnz	short loc_48BD30

loc_48BD0B:				; CODE XREF: PpmUpdatePerformanceFeedback+398j
		mov	eax, [esp+88h+var_40]
		mul	edi
		mov	[esp+88h+var_10], edi
		mov	ecx, eax
		mov	eax, [esp+88h+var_44]
		mul	edi
		add	ecx, edx
		add	[esi+50h], eax
		adc	[esi+54h], ecx
		jmp	loc_48BC48
; 

loc_48BD2A:				; CODE XREF: PpmUpdatePerformanceFeedback+2CDj
		sti
		jmp	loc_48BC73
; 

loc_48BD30:				; CODE XREF: PpmUpdatePerformanceFeedback+369j
		mov	eax, edi
		xor	edx, edx
		div	ecx
		mov	edi, eax
		jmp	short loc_48BD0B
; 

loc_48BD3A:				; CODE XREF: PpmUpdatePerformanceFeedback+B7j
		cmp	[ebp+arg_4], 0
		jz	loc_48BA5D
		cmp	[esp+80h+var_6F], 0
		jnz	loc_48BA5D
		xor	edi, edi
		xor	edx, edx
		jmp	loc_48BC7B
; 

loc_48BD58:				; CODE XREF: PpmUpdatePerformanceFeedback+279j
		mov	eax, dword ptr [esp+88h+var_70]
		mov	edi, 64h
		mul	edi
		mov	ecx, eax
		mov	eax, [esp+88h+var_74]
		mul	edi
		add	ecx, edx
		add	[esi+48h], eax
		adc	[esi+4Ch], ecx
		jmp	loc_48BC1F
; 

loc_48BD78:				; CODE XREF: PpmUpdatePerformanceFeedback+93j
		pop	edi
		pop	esi
		xor	al, al
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
PpmUpdatePerformanceFeedback endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmIdlePrepare	proc near		; CODE XREF: PoIdle(x)+284p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005B791A SIZE 00000277 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, _PpmDripsStateIndex
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_58], eax
		mov	[ebp+var_5C], edx
		mov	edx, ds:_PpmPlatformStates
		push	edi
		cmp	byte ptr [esi+3D0h], 0
		mov	ecx, [esi+3D70h]
		mov	[ebp+var_C], esi
		mov	[ebp+var_64], 0
		mov	[ebp+var_1], 0
		lea	eax, [ecx+88h]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_44], edx
		mov	[ebp+var_20], 0
		mov	[ebp+var_24], 0
		mov	[ebp+var_8], eax
		jnz	loc_48C1C1

loc_48BDEC:				; CODE XREF: PpmIdlePrepare+451j
		xor	al, al

loc_48BDEE:				; CODE XREF: PpmIdlePrepare+459j
		test	al, al
		jnz	loc_5B792E

loc_48BDF6:				; CODE XREF: PpmIdlePrepare+12BBA6j
					; PpmIdlePrepare+12BBB0j
		mov	eax, ds:__imp__KeQueryPerformanceCounter@4 ; KeQueryPerformanceCounter(x)
		mov	[ebp+var_48], eax

loc_48BDFE:				; CODE XREF: PpmIdlePrepare+12BC72j
					; PpmIdlePrepare+12BDF5j
		mov	ebx, [esi+3D70h]
		mov	esi, [ebp+var_48]
		mov	[ebp+var_4C], ebx
		mov	ebx, 0FFDF0340h
		mov	[ebp+var_2C], 0

loc_48BE16:				; CODE XREF: PpmIdlePrepare+483j
		mov	eax, [ebx]
		mov	edi, 0FFDF0008h
		mov	ecx, [ebx+4]
		mov	edx, 0FFDF0350h
		mov	[ebp+var_1C], eax
		and	eax, 1
		or	eax, 0
		mov	[ebp+var_18], ecx
		jnz	loc_48C1F2

loc_48BE37:				; CODE XREF: PpmIdlePrepare+47Cj
		mov	eax, [edx]
		mov	[ebp+var_10], eax
		mov	eax, [edx+4]
		mov	[ebp+var_28], eax
		mov	eax, [edi]
		mov	[ebp+var_50], eax
		mov	eax, [edi+4]
		push	0
		mov	[ebp+var_54], eax
		call	esi
		mov	ecx, 0FFDF0340h
		mov	edi, eax
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		cmp	eax, [ebp+var_1C]
		jnz	loc_48C211
		cmp	ecx, [ebp+var_18]
		jnz	loc_48C211
		mov	esi, [ebp+var_C]
		mov	ebx, [ebp+var_4C]
		mov	[ebp+var_34], edi
		mov	[ebp+var_38], edx
		cmp	edx, [ebp+var_28]
		jb	loc_5B7988
		mov	eax, [ebp+var_10]
		ja	short loc_48BE91
		cmp	edi, eax
		jbe	loc_5B7988

loc_48BE91:				; CODE XREF: PpmIdlePrepare+F7j
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_68], 0
		sub	ecx, eax
		mov	[ebp+var_64], 0
		mov	eax, 0FFFFFFFFh
		sbb	eax, [ebp+var_28]
		add	edi, ecx
		mov	cl, ds:0FFDF0369h
		adc	edx, eax
		mov	eax, ds:0FFDF0360h
		mov	[ebp+var_28], eax
		mov	eax, ds:0FFDF0364h
		mov	[ebp+var_4C], edx
		mov	[ebp+var_2C], eax
		test	cl, cl
		jz	loc_5B7945
		movsx	ecx, cl
		mov	eax, edi
		call	__allshl
		mov	edi, eax
		mov	ecx, edx

loc_48BEDF:				; CODE XREF: PpmIdlePrepare+12BBB8j
		mov	eax, [ebp+var_2C]
		mul	edi
		mov	[ebp+var_1C], eax
		mov	eax, ecx
		test	eax, eax
		mov	[ebp+var_18], edx
		mov	eax, [ebp+var_28]
		jnz	loc_5B794D
		mul	edi
		xor	eax, eax
		add	edx, [ebp+var_1C]
		adc	eax, [ebp+var_18]
		xor	ecx, ecx

loc_48BF03:				; CODE XREF: PpmIdlePrepare+12BBF3j
					; PpmIdlePrepare+12BBFDj
		add	eax, [ebp+var_50]
		mov	edx, [ebp+arg_4]
		adc	ecx, [ebp+var_54]
		mov	[edx], eax
		mov	eax, [ebp+var_34]
		mov	[ebx+90h], eax
		mov	eax, [ebp+var_38]
		mov	[ebx+94h], eax
		mov	eax, [esi+3E2Ch]
		mov	[edx+4], ecx
		mov	ecx, [esi+3E28h]
		add	ecx, [esi+3D80h]
		adc	eax, [esi+3D84h]
		mov	[ebx+98h], ecx
		mov	[ebx+9Ch], eax
		movzx	eax, byte ptr [esi+3ED4h]
		mov	[ebx+0BAh], al
		movzx	eax, byte ptr [esi+3DA0h]
		mov	[ebx+0B8h], al
		movzx	eax, byte ptr [esi+3DA1h]
		mov	[ebx+0B9h], al
		mov	byte ptr [ebx+0BBh], 1
		cmp	byte ptr [esi+3D0h], 0
		jnz	loc_48C151

loc_48BF82:				; CODE XREF: PpmIdlePrepare+3FDj
					; PpmIdlePrepare+12BC2Aj
		mov	byte ptr [ebx+0BCh], 0

loc_48BF89:				; CODE XREF: PpmIdlePrepare+42Cj
		cmp	byte ptr [ebx+1], 0
		jnz	loc_5B79C8
		or	ecx, 0FFFFFFFFh

loc_48BF96:				; CODE XREF: PpmIdlePrepare+12BC44j
		mov	[ebx+0B0h], ecx
		cmp	ds:_PpmIdleRespectIdleStateMax,	0
		jz	loc_48C218
		mov	ecx, _PpmCurrentProfile
		imul	eax, dword_6C2D0C, 0F0h
		mov	al, [eax+ecx+0BEh]
		mov	[ebx+0BEh], al
		test	al, al
		jnz	loc_5B79D9

loc_48BFCE:				; CODE XREF: PpmIdlePrepare+48Fj
					; PpmIdlePrepare+12BC52j
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_34]
		mov	bl, [ebp+var_1]
		mov	[ecx], eax
		mov	eax, [ebp+var_38]
		mov	[ecx+4], eax
		test	bl, bl
		jnz	loc_5B79E7

loc_48BFE7:				; CODE XREF: PpmIdlePrepare+12BC61j
		cmp	byte ptr [esi+3D0h], 0
		mov	eax, [ebp+arg_4]
		mov	edi, [esi+3D70h]
		mov	[ebp+var_78], 0
		mov	[ebp+var_74], 0
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], edx
		mov	[ebp+var_40], 0
		mov	[ebp+var_3C], 0
		mov	[ebp+var_70], 0
		mov	[ebp+var_6C], 0
		jnz	loc_48C145
		cmp	ds:_KiSerializeTimerExpiration,	0
		jz	loc_48C145
		mov	eax, _PpmPlatformIdleHint
		mov	esi, dword_6FD5DC
		mov	[ebp+var_18], eax
		movzx	eax, ax
		or	eax, 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_50], 0
		mov	[ebp+var_10], esi
		jnz	loc_5B7A07

loc_48C06A:				; CODE XREF: PpmIdlePrepare+3BCj
		xor	eax, eax

loc_48C06C:				; CODE XREF: PpmIdlePrepare+12BCCCj
					; PpmIdlePrepare+12BCE4j
		lea	esi, [ebp+var_3C]
		push	esi
		lea	esi, [ebp+var_40]
		push	esi
		lea	esi, [ebp+var_70]
		push	esi
		lea	esi, [ebp+var_78]
		push	esi
		mov	esi, [ebp+var_C]
		push	eax
		push	[ebp+var_1C]
		push	edx
		push	ecx
		push	0
		mov	dl, bl
		mov	ecx, esi
		call	_PpmEstimateIdleDuration@44 ; PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)
		mov	ax, word ptr [ebp+var_3C]
		or	[edi+30h], ax
		mov	eax, [ebp+var_70]
		mov	ecx, [ebp+var_8]
		mov	[edi+0A8h], eax
		mov	eax, [ebp+var_6C]
		mov	[edi+0ACh], eax
		mov	al, byte ptr [ebp+var_40]
		mov	[edi+0BDh], al
		mov	eax, [ebp+var_78]
		mov	[edi+0A0h], eax
		mov	eax, [ebp+var_74]
		mov	[edi+0A4h], eax
		mov	eax, [ebp+var_14]
		mov	eax, [eax+60h]
		call	eax
		mov	eax, [ebp+var_8]
		mov	edi, [eax+48h]
		mov	ecx, [eax+44h]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_38], edi
		cmp	edi, 0FFFFFFFEh
		jz	loc_5B7B8A
		cmp	edi, 0FFFFFFFFh
		jz	loc_5B7B8A
		bsf	edx, [eax+4Ch]
		mov	ecx, [esi+3D74h]
		mov	[ebp+var_34], ecx
		jnz	loc_5B7A79

loc_48C104:				; CODE XREF: PpmIdlePrepare+12BD11j
		mov	ecx, [eax+40h]
		xor	bh, bh
		mov	edx, [eax+3Ch]
		xor	eax, eax
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], eax
		test	edx, edx
		jnz	loc_5B7AA6
		mov	ecx, [ebp+var_8]

loc_48C11F:				; CODE XREF: PpmIdlePrepare+12BD55j
					; PpmIdlePrepare+12BD5Fj ...
		test	bl, bl
		jnz	loc_5B7B1A

loc_48C127:				; CODE XREF: PpmIdlePrepare+12BD9Bj
					; PpmIdlePrepare+12BDACj ...
		mov	eax, [ebp+var_5C]
		mov	ecx, [ebp+arg_8]
		mov	edx, [ebp+var_20]
		mov	[eax], bl
		mov	eax, [ebp+var_24]
		mov	[ecx+4], eax
		mov	eax, edi
		pop	edi
		pop	esi
		mov	[ecx], edx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_48C145:				; CODE XREF: PpmIdlePrepare+29Cj
					; PpmIdlePrepare+2A9j
		mov	[ebp+var_1C], 0
		jmp	loc_48C06A
; 

loc_48C151:				; CODE XREF: PpmIdlePrepare+1ECj
		mov	edi, large fs:20h
		mov	[ebp+var_54], 0
		mov	ecx, [edi+338h]
		movzx	eax, word ptr [ecx+8Ah]
		mov	edx, [ecx+84h]
		mov	ecx, [ecx+40h]
		mov	[ebp+var_50], eax
		mov	eax, [edi+3CCh]
		btr	edx, eax
		movzx	eax, byte ptr [edi+3C4h]
		btr	ecx, eax
		cmp	ecx, edx
		jnz	loc_48BF82
		movzx	eax, ds:_KeNumberNodes
		mov	edx, [ebp+var_54]
		mov	edi, [ebp+var_50]
		mov	[ebp+var_4C], eax

loc_48C1A3:				; CODE XREF: PpmIdlePrepare+12BC33j
		inc	edx
		cmp	edx, eax
		jnz	loc_5B7992

loc_48C1AC:				; CODE XREF: PpmIdlePrepare+12BC14j
		mov	eax, 80h
		mov	byte ptr [ebx+0BCh], 1
		or	[ebx+30h], ax
		jmp	loc_48BF89
; 

loc_48C1C1:				; CODE XREF: PpmIdlePrepare+56j
		cmp	_PopDeepSleepIsEnabled,	0
		jz	short loc_48C1EE
		mov	al, 1

loc_48C1CC:				; CODE XREF: PpmIdlePrepare+460j
		test	al, al
		jz	short loc_48C1DD
		mov	al, _PopDeepSleepIsEngaged
		test	al, al
		jnz	loc_5B791A

loc_48C1DD:				; CODE XREF: PpmIdlePrepare+43Ej
					; PpmIdlePrepare+12BB91j
		xor	al, al

loc_48C1DF:				; CODE XREF: PpmIdlePrepare+12BB99j
		test	al, al
		jz	loc_48BDEC
		mov	al, 1
		jmp	loc_48BDEE
; 

loc_48C1EE:				; CODE XREF: PpmIdlePrepare+438j
		xor	al, al
		jmp	short loc_48C1CC
; 

loc_48C1F2:				; CODE XREF: PpmIdlePrepare+A1j
		mov	ebx, 0FFDF0340h

loc_48C1F7:				; CODE XREF: PpmIdlePrepare+47Aj
		pause
		mov	eax, [ebx]
		mov	ecx, [ebx+4]
		mov	[ebp+var_1C], eax
		and	eax, 1
		or	eax, 0
		mov	[ebp+var_18], ecx
		jnz	short loc_48C1F7
		jmp	loc_48BE37
; 

loc_48C211:				; CODE XREF: PpmIdlePrepare+D0j
					; PpmIdlePrepare+D9j
		pause
		jmp	loc_48BE16
; 

loc_48C218:				; CODE XREF: PpmIdlePrepare+213j
		mov	byte ptr [ebx+0BEh], 0
		jmp	loc_48BFCE
PpmIdlePrepare	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeAccumulateTicks proc near		; CODE XREF: KiUpdateRunTime+3Ap
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1095p

var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_E		= byte ptr -0Eh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005B7B91 SIZE 00000185 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	byte ptr [esp+13h], 0
		mov	esi, ecx
		call	KiCheckForTimerExpiration
		mov	ebx, [ebp+arg_0]
		mov	[esi+2240h], ebx
		sub	ebx, edi
		jnz	short loc_48C278
		cmp	ds:_KiForceIdleDisabled, ebx
		jnz	short loc_48C26F
		mov	eax, _KiForceIdleState
		cmp	eax, 4
		jz	loc_48C371

loc_48C26F:				; CODE XREF: KeAccumulateTicks+2Fj
					; KeAccumulateTicks+151j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_48C278:				; CODE XREF: KeAccumulateTicks+27j
		cmp	byte ptr [esi+3D0h], 0
		mov	edi, [esi+4]
		jnz	loc_48C417

loc_48C288:				; CODE XREF: KeAccumulateTicks+1EEj
					; KeAccumulateTicks+233j ...
		cmp	[ebp+arg_8], 0
		jnz	loc_48C4E1
		add	[esi+4A4h], ebx
		cmp	byte ptr [esi+11h], 2
		jz	loc_48C542

loc_48C2A2:				; CODE XREF: KeAccumulateTicks+31Aj
		cmp	byte ptr [esi+11h], 1
		ja	loc_48C594
		add	[edi+194h], ebx

loc_48C2B2:				; CODE XREF: KeAccumulateTicks+33Bj
					; KeAccumulateTicks+359j ...
		cmp	[ebp+arg_4], 2
		jnb	loc_48C3CC
		inc	dword ptr [esi+3BDCh]
		mov	ecx, [esi+4060h]
		mov	dword ptr [esi+3B0Ch], 0
		test	ecx, ecx
		jz	short loc_48C2E2
		cmp	[esi+4064h], ecx
		jnz	loc_5B7CE0

loc_48C2E2:				; CODE XREF: KeAccumulateTicks+A4j
					; KeAccumulateTicks+1B1j ...
		cmp	edi, [esi+0Ch]
		jnz	loc_48C39D

loc_48C2EB:				; CODE XREF: KeAccumulateTicks+171j
					; KeAccumulateTicks+18Bj ...
		cmp	ebx, 8
		jnb	loc_48C533
		mov	ecx, [esi+4A0h]
		sub	ecx, [esi+21D0h]
		mov	eax, ecx
		shl	eax, 4
		sub	eax, ecx
		mov	ecx, ebx
		add	[esi+21D4h], eax
		mov	eax, [esi+21D4h]

loc_48C315:				; CODE XREF: KeAccumulateTicks+EBj
		shr	eax, 4
		sub	ecx, 1
		jnz	short loc_48C315
		mov	[esi+21D4h], eax

loc_48C323:				; CODE XREF: KeAccumulateTicks+30Dj
		mov	eax, [esi+4A0h]
		mov	ecx, ebx
		mov	[esi+21D0h], eax
		mov	eax, [esi+2218h]
		sub	eax, [esi+2220h]
		add	eax, [esi+21F0h]
		shr	eax, cl
		mov	[esi+2218h], eax
		cmp	dword ptr [esi+21ECh], 0
		mov	eax, [esi+21F0h]
		mov	[esi+2220h], eax
		jnz	loc_48C489

loc_48C364:				; CODE XREF: KeAccumulateTicks+263j
		add	dword ptr [esi+4B8h], 0FFFFFFFFh
		jz	loc_48C509

loc_48C371:				; CODE XREF: KeAccumulateTicks+39j
					; KeAccumulateTicks+294j ...
		cmp	_KdDebuggerEnabled, 0
		jnz	short loc_48C387
		cmp	_KdEventLoggingEnabled,	0
		jz	loc_48C26F

loc_48C387:				; CODE XREF: KeAccumulateTicks+148j
		mov	eax, _KiPollSlot
		cmp	eax, [esi+3CCh]
		jnz	loc_48C26F
		jmp	loc_5B7D0C
; 

loc_48C39D:				; CODE XREF: KeAccumulateTicks+B5j
		cmp	byte ptr [esi+11h], 1
		ja	loc_48C2EB
		mov	edx, esi
		mov	ecx, edi
		call	KiIsThreadRankNonZero
		test	al, al
		jnz	short loc_48C3C1
		cmp	byte ptr [edi+87h], 8
		jge	loc_48C2EB

loc_48C3C1:				; CODE XREF: KeAccumulateTicks+182j
		add	[esi+594h], ebx
		jmp	loc_48C2EB
; 

loc_48C3CC:				; CODE XREF: KeAccumulateTicks+86j
		mov	eax, [esi+3B0Ch]
		mov	ecx, [esi+3B08h]
		inc	eax
		mov	[esi+3B0Ch], eax
		test	ecx, ecx
		jz	loc_48C2E2
		mov	edx, [esi+3B14h]
		mov	[esp+20h+var_8], edx
		mov	edx, eax
		cmp	[esp+20h+var_8], 0
		jz	loc_5B7C85
		cmp	eax, [esp+20h+var_8]
		mov	eax, ecx
		jge	loc_5B7C62

loc_48C40A:				; CODE XREF: KeAccumulateTicks+12BA37j
					; KeAccumulateTicks+12BA50j ...
		cmp	edx, eax
		jl	loc_48C2E2
		jmp	loc_5B7C8C
; 

loc_48C417:				; CODE XREF: KeAccumulateTicks+52j
		add	_KiClockPollCycle, 0FFh
		jnz	loc_48C288
		mov	al, ds:_KiClockKeepAliveCycle
		mov	_KiClockPollCycle, al
		movzx	eax, _KiClockCheckSlot
		mov	[esp+20h+var_8], eax
		mov	edx, ds:_KiProcessorBlock[eax*4]
		lea	ecx, [eax+1]
		cmp	ecx, ds:_KeNumberProcessors
		mov	[esp+20h+var_C], edx
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, [edx+3CCh]
		mov	_KiClockCheckSlot, al
		call	_KiCheckKeepAlive@4 ; KiCheckKeepAlive(x)
		test	al, al
		jz	loc_48C288
		mov	ecx, [esp+20h+var_C]
		cmp	dword ptr [ecx+3B00h], 0
		jz	loc_5B7B91

loc_48C47A:				; CODE XREF: KeAccumulateTicks+12B968j
					; KeAccumulateTicks+12B975j
		mov	dword ptr [ecx+3B00h], 0
		jmp	loc_48C288
; 

loc_48C489:				; CODE XREF: KeAccumulateTicks+12Ej
		movzx	ecx, word ptr [esi+223Ch]
		test	cl, 3
		jnz	loc_48C364
		mov	eax, ds:_KiAdjustDpcThreshold
		mov	[esi+4B8h], eax
		test	cl, 2Fh
		jnz	short loc_48C4B1
		mov	cl, 2
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)

loc_48C4B1:				; CODE XREF: KeAccumulateTicks+277j
		mov	ecx, [esi+2214h]
		nop
		mov	eax, [esi+2218h]
		cmp	eax, ds:_KiIdealDpcRate
		jnb	loc_48C371
		cmp	ecx, 1
		jbe	loc_48C371
		lea	eax, [ecx-1]
		mov	[esi+2214h], eax
		jmp	loc_48C371
; 

loc_48C4E1:				; CODE XREF: KeAccumulateTicks+5Cj
		add	[esi+4A8h], ebx
		add	[edi+1C0h], ebx

loc_48C4ED:				; CODE XREF: KeAccumulateTicks+12BA63j
					; KeAccumulateTicks+12BA91j
		inc	dword ptr [esi+3BDCh]
		mov	ecx, esi
		mov	dword ptr [esi+3B0Ch], 0
		call	KiResetGlobalDpcWatchdogProfiler
		jmp	loc_48C2E2
; 

loc_48C509:				; CODE XREF: KeAccumulateTicks+13Bj
		mov	eax, ds:_KiAdjustDpcThreshold
		mov	[esi+4B8h], eax
		mov	eax, [esi+2214h]
		nop
		cmp	eax, ds:_KiMaximumDpcQueueDepth
		jnb	loc_48C371
		inc	eax
		mov	[esi+2214h], eax
		jmp	loc_48C371
; 

loc_48C533:				; CODE XREF: KeAccumulateTicks+BEj
		mov	dword ptr [esi+21D4h], 0
		jmp	loc_48C323
; 

loc_48C542:				; CODE XREF: KeAccumulateTicks+6Cj
		mov	al, [esi+223Ah]
		test	al, al
		jz	loc_48C2A2
		mov	ecx, [esi+4B0h]
		add	[esi+4ACh], ebx
		inc	ecx
		mov	eax, [esi+4D0h]
		mov	[esi+4B0h], ecx
		test	eax, eax
		jz	loc_48C2B2
		mov	edx, [esi+3F74h]
		mov	[esp+20h+var_C], edx
		mov	edx, ecx
		cmp	ecx, [esp+20h+var_C]
		jnb	loc_5B7BD4

loc_48C587:				; CODE XREF: KeAccumulateTicks+12B9A9j
					; KeAccumulateTicks+12B9C7j
		cmp	edx, eax
		jbe	loc_48C2B2
		jmp	loc_5B7BFC
; 

loc_48C594:				; CODE XREF: KeAccumulateTicks+76j
		add	[esi+4B4h], ebx
		jmp	loc_48C2B2
KeAccumulateTicks endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiCheckForTimerExpiration proc near	; CODE XREF: KeAccumulateTicks+17p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2B		= byte ptr -2Bh
var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B7D16 SIZE 0000010D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_4C], 0
		push	ebx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		xor	al, al
		mov	ebx, ds:0FFDF000Ch
		push	esi
		mov	esi, ecx
		mov	[ebp+var_29], al
		mov	ecx, ds:0FFDF0008h
		push	edi
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], ebx
		mov	[ebp+var_30], ecx
		cmp	ebx, ds:0FFDF0010h
		jnz	loc_5B7D16

loc_48C5F2:				; CODE XREF: KiCheckForTimerExpiration+12B7A2j
		test	byte ptr [esi+223Ch], 8
		lea	edi, [esi+223Ch]
		jnz	loc_48C767
		cmp	ds:_KiSerializeTimerExpiration,	0
		jz	loc_5B7D47
		cmp	byte ptr [esi+3D0h], 0
		jnz	short loc_48C644

loc_48C61B:				; CODE XREF: KiCheckForTimerExpiration+1CEj
					; KiCheckForTimerExpiration+24Aj
		test	al, al
		jnz	loc_48C8AC

loc_48C623:				; CODE XREF: KiCheckForTimerExpiration+31Aj
					; KiCheckForTimerExpiration+328j
		test	ds:dword_70EFC8, 40000h
		jnz	loc_5B7DB0

loc_48C633:				; CODE XREF: KiCheckForTimerExpiration+12B818j
					; KiCheckForTimerExpiration+12B87Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48C644:				; CODE XREF: KiCheckForTimerExpiration+79j
		mov	edx, ds:_KiProcessorBlock
		mov	[ebp+var_38], edx

loc_48C64D:				; CODE XREF: KiCheckForTimerExpiration+12B7ACj
		add	edx, 2260h
		jz	loc_48C767
		mov	edi, offset _KiLastNonHrTimerExpiration
		xor	eax, eax
		xor	edx, edx
		mov	[ebp+var_44], edi
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, edx
		mov	edx, [ebp+var_38]
		cmp	[edx+3AA0h], eax
		jnz	loc_48C859
		mov	eax, [edx+3AA4h]
		cmp	eax, ebx
		jnz	loc_48C859
		xor	al, al
		mov	[ebp+var_2A], al

loc_48C692:				; CODE XREF: KiCheckForTimerExpiration+2BDj
		xor	eax, eax
		mov	[ebp+var_34], offset _KiLastPseudoHrTimerExpiration
		xor	edx, edx
		nop
		mov	edi, [ebp+var_34]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, edx
		lea	edi, [esi+223Ch]
		mov	edx, [ebp+var_38]
		add	edx, 2260h
		cmp	[edx+1840h], eax
		jnz	loc_48C862
		mov	eax, [edx+1844h]
		cmp	eax, ebx
		jnz	loc_48C862
		xor	al, al

loc_48C6D6:				; CODE XREF: KiCheckForTimerExpiration+2C4j
		test	ds:_KiVelocityFlags, 2000h
		mov	[ebp+var_2B], al
		jz	loc_48C9B5
		mov	ah, [ebp+var_2A]

loc_48C6EC:				; CODE XREF: KiCheckForTimerExpiration+41Aj
		test	ah, ah
		jnz	loc_48C7EF
		test	al, al
		jnz	loc_48C7EF
		mov	ebx, [ebp+var_40]
		mov	ecx, [ebp+var_30]

loc_48C702:				; CODE XREF: KiCheckForTimerExpiration+2B4j
		cmp	byte ptr [esi+3D0h], 0
		jz	short loc_48C764
		test	ah, ah
		jnz	short loc_48C717
		test	al, al
		jnz	loc_48C917

loc_48C717:				; CODE XREF: KiCheckForTimerExpiration+16Dj
					; KiCheckForTimerExpiration+3AEj
		mov	al, [ebp+var_29]
		test	al, al
		jnz	short loc_48C767
		test	ah, ah
		jnz	loc_48C869
		cmp	[ebp+var_2B], ah
		jnz	loc_48C96C

loc_48C72F:				; CODE XREF: KiCheckForTimerExpiration+3EEj
					; KiCheckForTimerExpiration+3FBj
		xor	eax, eax
		mov	[ebp+var_3C], offset dword_6CB158
		xor	edx, edx
		nop
		mov	edi, [ebp+var_3C]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_40]
		lea	edi, [esi+223Ch]
		mov	ecx, [ebp+var_30]
		cmp	edx, ebx
		ja	short loc_48C764
		jb	loc_48C9A1
		cmp	eax, ecx
		jbe	loc_48C9AB

loc_48C764:				; CODE XREF: KiCheckForTimerExpiration+169j
					; KiCheckForTimerExpiration+1B4j ...
		mov	al, [ebp+var_29]

loc_48C767:				; CODE XREF: KiCheckForTimerExpiration+5Fj
					; KiCheckForTimerExpiration+B3j ...
		cmp	byte ptr [esi+3D0h], 0
		jz	loc_48C61B
		mov	eax, ds:_KeMaximumIncrement
		xor	edx, edx
		add	eax, ecx
		mov	[ebp+var_3C], offset dword_6CB158
		mov	[ebp+var_50], eax
		adc	edx, ebx
		xor	eax, eax
		mov	[ebp+var_38], edx
		xor	edx, edx
		nop
		mov	esi, [ebp+var_3C]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [ebp+var_40]
		mov	ecx, edx
		mov	esi, [ebp+var_48]
		mov	[ebp+var_34], eax
		mov	[ebp+var_44], ecx
		cmp	ecx, ebx
		jb	loc_48C8AC
		ja	short loc_48C7BD
		cmp	eax, [ebp+var_30]
		jbe	loc_48C8AC

loc_48C7BD:				; CODE XREF: KiCheckForTimerExpiration+212j
		mov	ecx, _KiClockOwnerOneShotRequest
		mov	eax, ecx
		mov	edx, dword_6CADF4
		or	eax, edx
		jnz	short loc_48C7D5
		or	ecx, 0FFFFFFFFh
		or	edx, 0FFFFFFFFh

loc_48C7D5:				; CODE XREF: KiCheckForTimerExpiration+22Dj
		cmp	ecx, [ebp+var_34]
		jnz	loc_48C8D9
		cmp	edx, [ebp+var_44]
		jnz	loc_48C8D9

loc_48C7E7:				; CODE XREF: KiCheckForTimerExpiration+372j
					; KiCheckForTimerExpiration+3C7j
		mov	al, [ebp+var_29]
		jmp	loc_48C61B
; 

loc_48C7EF:				; CODE XREF: KiCheckForTimerExpiration+14Ej
					; KiCheckForTimerExpiration+156j
		mov	ecx, [ebp+var_30]
		mov	ebx, [ebp+var_40]
		mov	eax, ebx
		mov	[ebp+var_38], ecx
		shrd	[ebp+var_38], eax, 12h
		mov	eax, [edx+1848h]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+var_38]
		sub	eax, [ebp+var_34]
		cmp	eax, 100h
		jnb	loc_5B7D51

loc_48C819:				; CODE XREF: KiCheckForTimerExpiration+12B7BCj
		mov	eax, [ebp+var_34]
		dec	eax
		lea	ecx, [ecx+0]

loc_48C820:				; CODE XREF: KiCheckForTimerExpiration+2A6j
		inc	eax
		mov	[ebp+var_34], eax
		movzx	eax, al
		lea	eax, [eax+eax*2]
		cmp	ebx, [edx+eax*8+54h]
		ja	loc_48C8CD
		jb	short loc_48C840
		cmp	ecx, [edx+eax*8+50h]
		jnb	loc_48C8CD

loc_48C840:				; CODE XREF: KiCheckForTimerExpiration+294j
		mov	eax, [ebp+var_34]
		cmp	eax, [ebp+var_38]
		jnz	short loc_48C820

loc_48C848:				; CODE XREF: KiCheckForTimerExpiration+334j
		mov	[edx+1848h], eax
		mov	al, [ebp+var_2B]
		mov	ah, [ebp+var_2A]
		jmp	loc_48C702
; 

loc_48C859:				; CODE XREF: KiCheckForTimerExpiration+D9j
					; KiCheckForTimerExpiration+E7j
		mov	[ebp+var_2A], 1
		jmp	loc_48C692
; 

loc_48C862:				; CODE XREF: KiCheckForTimerExpiration+120j
					; KiCheckForTimerExpiration+12Ej
		mov	al, 1
		jmp	loc_48C6D6
; 

loc_48C869:				; CODE XREF: KiCheckForTimerExpiration+180j
		xor	eax, eax
		mov	[ebp+var_3C], offset _KiNextTimer2DueTime
		xor	edx, edx
		nop
		mov	edi, [ebp+var_3C]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_40]
		lea	edi, [esi+223Ch]
		mov	ecx, [ebp+var_30]
		cmp	edx, ebx
		ja	loc_48C764
		jb	loc_48C9A1
		cmp	eax, ecx
		ja	loc_48C764
		mov	al, 1
		mov	[ebp+var_29], al
		jmp	loc_48C767
; 

loc_48C8AC:				; CODE XREF: KiCheckForTimerExpiration+7Dj
					; KiCheckForTimerExpiration+20Cj ...
		mov	edx, 8
		mov	ecx, edi
		call	_KiSetDpcRequestFlag@8 ; KiSetDpcRequestFlag(x,x)
		test	al, 29h
		jnz	loc_48C623
		mov	cl, 2
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		jmp	loc_48C623
; 

loc_48C8CD:				; CODE XREF: KiCheckForTimerExpiration+28Ej
					; KiCheckForTimerExpiration+29Aj
		mov	eax, [ebp+var_34]
		mov	[ebp+var_29], 1
		jmp	loc_48C848
; 

loc_48C8D9:				; CODE XREF: KiCheckForTimerExpiration+238j
					; KiCheckForTimerExpiration+241j
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [ebp+var_44]
		mov	[ebp+var_2B], al
		cmp	[ebp+var_38], ecx
		jb	short loc_48C8F6
		mov	eax, [ebp+var_34]
		ja	short loc_48C953
		cmp	[ebp+var_50], eax
		ja	short loc_48C953

loc_48C8F6:				; CODE XREF: KiCheckForTimerExpiration+34Aj
		mov	ecx, _KiClockOwnerOneShotRequest
		mov	eax, dword_6CADF4
		or	ecx, eax
		jnz	loc_5B7D84

loc_48C909:				; CODE XREF: KiCheckForTimerExpiration+12B80Bj
		mov	cl, [ebp+var_2B]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_48C7E7
; 

loc_48C917:				; CODE XREF: KiCheckForTimerExpiration+171j
		xor	eax, eax
		mov	[ebp+var_34], offset unk_6CB178
		xor	edx, edx
		nop
		mov	edi, [ebp+var_34]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_40]
		lea	edi, [esi+223Ch]
		mov	[ebp+var_38], eax
		cmp	ebx, edx
		jb	loc_48C9F7
		ja	short loc_48C9BF
		mov	ecx, [ebp+var_30]
		cmp	ecx, eax
		jnb	short loc_48C9BF

loc_48C94B:				; CODE XREF: KiCheckForTimerExpiration+45Aj
		mov	ah, [ebp+var_2A]
		jmp	loc_48C717
; 

loc_48C953:				; CODE XREF: KiCheckForTimerExpiration+34Fj
					; KiCheckForTimerExpiration+354j
		push	ebx
		push	[ebp+var_30]
		push	ecx
		push	eax
		call	_KiSetClockIntervalOneShot@16 ;	KiSetClockIntervalOneShot(x,x,x,x)
		mov	cl, [ebp+var_2B]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_48C7E7
; 

loc_48C96C:				; CODE XREF: KiCheckForTimerExpiration+189j
		xor	eax, eax
		mov	[ebp+var_3C], offset unk_6CB168
		xor	edx, edx
		nop
		mov	edi, [ebp+var_3C]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_40]
		lea	edi, [esi+223Ch]
		cmp	edx, ebx
		ja	loc_48C72F
		mov	ecx, [ebp+var_30]
		jb	short loc_48C9A1
		cmp	eax, ecx
		ja	loc_48C72F

loc_48C9A1:				; CODE XREF: KiCheckForTimerExpiration+1B6j
					; KiCheckForTimerExpiration+2F4j ...
		mov	al, 1
		mov	[ebp+var_29], al
		jmp	loc_48C767
; 

loc_48C9AB:				; CODE XREF: KiCheckForTimerExpiration+1BEj
		mov	al, 1
		mov	[ebp+var_29], al
		jmp	loc_48C767
; 

loc_48C9B5:				; CODE XREF: KiCheckForTimerExpiration+143j
		mov	ah, al
		mov	[ebp+var_2A], ah
		jmp	loc_48C6EC
; 

loc_48C9BF:				; CODE XREF: KiCheckForTimerExpiration+3A2j
					; KiCheckForTimerExpiration+3A9j
		mov	eax, ds:_KePseudoHrTimeIncrement
		xor	ecx, ecx
		add	eax, [ebp+var_30]
		mov	[ebp+var_3C], eax
		mov	eax, ds:_KeNonHrTimeIncrement
		adc	ecx, ebx
		mov	[ebp+var_34], eax
		xor	eax, eax
		mov	edi, [ebp+var_34]
		add	edi, [ebp+var_38]
		mov	[ebp+var_34], edi
		lea	edi, [esi+223Ch]
		adc	eax, edx
		cmp	ecx, eax
		jb	short loc_48C9F7
		ja	short loc_48C9FF
		mov	eax, [ebp+var_3C]
		cmp	eax, [ebp+var_34]
		ja	short loc_48C9FF

loc_48C9F7:				; CODE XREF: KiCheckForTimerExpiration+39Cj
					; KiCheckForTimerExpiration+44Bj
		mov	ecx, [ebp+var_30]
		jmp	loc_48C94B
; 

loc_48C9FF:				; CODE XREF: KiCheckForTimerExpiration+44Dj
					; KiCheckForTimerExpiration+455j
		mov	edi, _KiLastNonHrTimerExpiration
		mov	eax, edi
		mov	ecx, dword_6CEA2C
		mov	edx, ecx
		mov	[ebp+var_3C], ecx
		nop
		mov	ebx, [ebp+var_30]
		mov	ecx, [ebp+var_40]
		mov	esi, [ebp+var_44]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_48]
		cmp	eax, edi
		jnz	short loc_48CA42
		cmp	edx, [ebp+var_3C]
		jnz	short loc_48CA42

loc_48CA2C:				; CODE XREF: KiCheckForTimerExpiration+12B7DFj
		mov	ebx, [ebp+var_40]
		lea	edi, [esi+223Ch]
		mov	ecx, [ebp+var_30]
		mov	al, 1
		mov	[ebp+var_29], al
		jmp	loc_48C767
; 

loc_48CA42:				; CODE XREF: KiCheckForTimerExpiration+485j
					; KiCheckForTimerExpiration+48Aj
		mov	esi, [ebp+var_30]
		jmp	loc_5B7D61
KiCheckForTimerExpiration endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeResumeClockTimerFromIdle proc	near	; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x):loc_48B708p

var_B0		= dword	ptr -0B0h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_82		= dword	ptr -82h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= word ptr -20h
var_1E		= dword	ptr -1Eh
var_1A		= word ptr -1Ah
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B7E23 SIZE 00000251 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	byte ptr ds:_KiDynamicTickDisableReason, 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_98], 0
		mov	[ebp+var_94], 0
		mov	[ebp+var_82+2],	0
		mov	[ebp+var_7C], 0
		mov	[ebp+var_A0], 0
		mov	[ebp+var_9C], 0
		mov	[ebp+var_90], 0
		mov	[ebp+var_8C], 0
		mov	byte ptr [ebp+var_82], 0
		mov	byte ptr [ebp+var_82+1], 0
		jnz	short loc_48CB14
		mov	esi, large fs:20h
		xor	bl, bl
		test	edi, edi
		jnz	loc_5B7E23
		lea	esp, [esp+0]

loc_48CAE0:				; CODE XREF: KeResumeClockTimerFromIdle+113j
					; KeResumeClockTimerFromIdle+12B3D9j
		mov	eax, ds:_KiClockState
		cmp	eax, 1
		jz	short loc_48CB68

loc_48CAEA:				; CODE XREF: KeResumeClockTimerFromIdle+12Ej
		cmp	eax, 3
		jz	short loc_48CB5E

loc_48CAEF:				; CODE XREF: KeResumeClockTimerFromIdle+2F8j
		mov	ecx, _KiClockTimerOwner
		cmp	ecx, [esi+3CCh]
		jz	short loc_48CB25

loc_48CAFD:				; CODE XREF: KeResumeClockTimerFromIdle+DCj
					; KeResumeClockTimerFromIdle+E5j
		mov	al, [esi+3D0h]
		test	al, al
		jnz	short loc_48CB37

loc_48CB07:				; CODE XREF: KeResumeClockTimerFromIdle+10Cj
		test	byte ptr [esi+3D1h], 1
		jnz	loc_48CDBD

loc_48CB14:				; CODE XREF: KeResumeClockTimerFromIdle+79j
					; KeResumeClockTimerFromIdle+10Aj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48CB25:				; CODE XREF: KeResumeClockTimerFromIdle+ABj
		cmp	byte ptr [esi+3D0h], 0
		jnz	short loc_48CAFD
		mov	byte ptr [esi+3D0h], 1
		jmp	short loc_48CAFD
; 

loc_48CB37:				; CODE XREF: KeResumeClockTimerFromIdle+B5j
		cmp	ds:_KiClockTimerPerCpu,	0
		jz	loc_5B8057
		mov	ecx, large fs:20h

loc_48CB4B:				; CODE XREF: KeResumeClockTimerFromIdle+12B60Ej
		test	byte ptr [ecx+3D1h], 1
		jz	loc_5B8063

loc_48CB58:				; CODE XREF: KeResumeClockTimerFromIdle+12B61Fj
		test	al, al
		jnz	short loc_48CB14
		jmp	short loc_48CB07
; 

loc_48CB5E:				; CODE XREF: KeResumeClockTimerFromIdle+9Dj
		call	KiPollFreezeExecution
		jmp	loc_48CAE0
; 

loc_48CB68:				; CODE XREF: KeResumeClockTimerFromIdle+98j
		mov	ecx, 3
		mov	edx, offset _KiClockState
		mov	eax, 1
		lock cmpxchg [edx], ecx
		cmp	eax, 1
		jnz	loc_48CAEA
		lea	eax, [ebp+var_90]
		xor	ecx, ecx
		push	eax
		lea	edx, [ebp+var_82+2]
		call	KiUpdateTimeAssist
		mov	eax, [ebp+var_7C]
		mov	ecx, [ebp+var_82+2]
		mov	dword_6CAB24, eax
		mov	eax, ds:_KeMinimumIncrement
		mov	_KiClockTimerOneShotEndTime, ecx
		dec	eax
		sub	ecx, _KiLastNonHrTimerExpiration
		add	ecx, eax
		mov	eax, ds:_KeNonHrTimeIncrement
		cmp	ecx, eax
		mov	ecx, [ebp+var_82+2]
		jnb	loc_48CD63

loc_48CBC4:				; CODE XREF: KeResumeClockTimerFromIdle+321j
		mov	eax, ds:_KeMinimumIncrement
		sub	ecx, _KiLastPseudoHrTimerExpiration
		dec	eax
		add	ecx, eax
		mov	eax, ds:_KePseudoHrTimeIncrement
		cmp	ecx, eax
		jnb	loc_48CD4D

loc_48CBDF:				; CODE XREF: KeResumeClockTimerFromIdle+30Ej
		call	off_6B1394	; KeIsCetCapable()
		cmp	_KiClockLatencyMeasurementEnabled, 0
		mov	bh, al
		mov	edx, [ebp+var_7C]
		jnz	loc_5B7E2E
		mov	ecx, [ebp+var_82+2]

loc_48CBFA:				; CODE XREF: KeResumeClockTimerFromIdle+12B41Fj
		test	edi, edi
		jnz	loc_5B7E74

loc_48CC02:				; CODE XREF: KeResumeClockTimerFromIdle+12B42Fj
					; KeResumeClockTimerFromIdle+12B43Bj ...
		mov	edi, [ebp+var_82+2]
		mov	eax, edi
		sub	eax, _KiClockTimerOneShotStartTime
		mov	ecx, [ebp+var_7C]
		mov	edx, ecx
		sbb	edx, dword_6CAB2C
		mov	_KiClockLatencyMeasurementEnabled, 0
		cmp	edx, dword_6CAB6C
		ja	short loc_48CC39
		jb	loc_48CDDF
		cmp	eax, dword_6CAB68
		jb	loc_48CDDF

loc_48CC39:				; CODE XREF: KeResumeClockTimerFromIdle+1D5j
					; KeResumeClockTimerFromIdle+39Aj
		cmp	edx, dword_6CAB64
		jb	short loc_48CC53
		ja	loc_48CDCF
		cmp	eax, dword_6CAB60
		ja	loc_48CDCF

loc_48CC53:				; CODE XREF: KeResumeClockTimerFromIdle+1EFj
					; KeResumeClockTimerFromIdle+38Aj
		cmp	_KiConsiderTimerRebasing, 0
		jnz	loc_5B7EBD

loc_48CC60:				; CODE XREF: KeResumeClockTimerFromIdle+12B4AEj
		mov	ecx, esi
		call	KiGetNextClockOwner
		mov	ecx, [ebp+var_7C]
		mov	edx, eax
		mov	eax, [esi+3CCh]
		mov	[ebp+var_88], edx
		mov	[ebp+var_8C], eax
		cmp	eax, edx
		jnz	loc_48CDEF
		mov	edx, _KiLastRequestedTimeIncrement
		xor	eax, eax
		add	edx, edi
		adc	eax, ecx
		cmp	eax, dword_6CABA4
		ja	loc_48CD76
		jb	short loc_48CCAC
		cmp	edx, _KiClockTimerNextTickTime
		ja	loc_48CD76

loc_48CCAC:				; CODE XREF: KeResumeClockTimerFromIdle+24Ej
		cmp	ds:_KiClockTimerPerCpu,	0
		jz	short loc_48CCD4
		mov	eax, [ebp+var_8C]
		mov	byte ptr [esi+3D0h], 1
		mov	_KiClockTimerOwner, eax
		call	KiGetPendingTick
		test	al, al
		jz	loc_48CDAF

loc_48CCD4:				; CODE XREF: KeResumeClockTimerFromIdle+263j
					; KeResumeClockTimerFromIdle+368j
		mov	ebx, [ebp+var_82+2]
		lea	edx, [ebp+var_98]
		push	ecx
		push	ebx
		lea	ecx, [ebp+var_A0]
		xor	edi, edi
		call	KiRestoreClockTickRate
		mov	eax, ds:_KeTimeIncrement
		xor	ecx, ecx
		mov	edx, [ebp+var_7C]
		add	eax, ebx
		mov	_KiClockTimerNextTickTime, eax
		adc	ecx, edx
		test	ds:dword_70EFC8, 100000h
		mov	dword_6CABA4, ecx
		jnz	loc_5B7F03

loc_48CD15:				; CODE XREF: KeResumeClockTimerFromIdle+12B515j
					; KeResumeClockTimerFromIdle+12B594j
		mov	ecx, [ebp+var_7C]

loc_48CD18:				; CODE XREF: KeResumeClockTimerFromIdle+35Aj
		cmp	_KiForceIdleReset, 0
		jnz	loc_5B7FE9

loc_48CD25:				; CODE XREF: KeResumeClockTimerFromIdle+12B5BDj
		test	ds:dword_70EFC8, 100000h
		mov	eax, _KiClockTimerOwner
		mov	[ebp+var_44], 0
		jnz	loc_5B8012

loc_48CD41:				; CODE XREF: KeResumeClockTimerFromIdle+12B602j
		mov	eax, offset _KiClockState
		xchg	edi, [eax]
		jmp	loc_48CAEF
; 

loc_48CD4D:				; CODE XREF: KeResumeClockTimerFromIdle+189j
		mov	eax, [ebp+var_82+2]
		mov	edx, [ebp+var_7C]
		mov	_KiLastPseudoHrTimerExpiration,	eax
		mov	dword_6CEA24, edx
		jmp	loc_48CBDF
; 

loc_48CD63:				; CODE XREF: KeResumeClockTimerFromIdle+16Ej
		mov	eax, [ebp+var_7C]
		mov	_KiLastNonHrTimerExpiration, ecx
		mov	dword_6CEA2C, eax
		jmp	loc_48CBC4
; 

loc_48CD76:				; CODE XREF: KeResumeClockTimerFromIdle+248j
					; KeResumeClockTimerFromIdle+256j
		mov	edx, [ebp+var_88]

loc_48CD7C:				; CODE XREF: KeResumeClockTimerFromIdle+3A1j
		add	dword_6CAB58, 1
		mov	edi, 2
		adc	dword_6CAB5C, 0
		test	ds:dword_70EFC8, 100000h
		jnz	loc_5B7F6A

loc_48CD9F:				; CODE XREF: KeResumeClockTimerFromIdle+12B581j
		test	bl, bl
		jnz	loc_5B7FD6
		mov	ebx, [ebp+var_82+2]
		jmp	loc_48CD18
; 

loc_48CDAF:				; CODE XREF: KeResumeClockTimerFromIdle+27Ej
		call	off_6B1388	; SymCryptFatalIntercept(x)
		mov	ecx, [ebp+var_7C]
		jmp	loc_48CCD4
; 

loc_48CDBD:				; CODE XREF: KeResumeClockTimerFromIdle+BEj
		call	off_6B138C	; SymCryptFatalIntercept(x)
		xor	cl, cl
		call	KiSetPendingTick
		jmp	loc_48CB14
; 

loc_48CDCF:				; CODE XREF: KeResumeClockTimerFromIdle+1F1j
					; KeResumeClockTimerFromIdle+1FDj
		mov	dword_6CAB60, eax
		mov	dword_6CAB64, edx
		jmp	loc_48CC53
; 

loc_48CDDF:				; CODE XREF: KeResumeClockTimerFromIdle+1D7j
					; KeResumeClockTimerFromIdle+1E3j
		mov	dword_6CAB68, eax
		mov	dword_6CAB6C, edx
		jmp	loc_48CC39
; 

loc_48CDEF:				; CODE XREF: KeResumeClockTimerFromIdle+230j
		mov	bl, 1
		jmp	short loc_48CD7C
KeResumeClockTimerFromIdle endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiCheckGroupSchedulingQuantumEnd proc near ; CODE XREF:	KiUpdateRunTime+94p

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B8074 SIZE 00000063 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, ds:dword_7186C4
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], 0
		mov	ecx, ds:_KeTickCount
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], 0
		mov	[ebp+var_4], 0
		cmp	eax, ds:dword_7186C8
		jnz	loc_5B8074

loc_48CE3A:				; CODE XREF: KiCheckGroupSchedulingQuantumEnd+12B28Fj
		cmp	eax, [esi+3D6Ch]
		ja	short loc_48CE5B
		jb	short loc_48CE4C
		cmp	ecx, [esi+3D68h]
		ja	short loc_48CE5B

loc_48CE4C:				; CODE XREF: KiCheckGroupSchedulingQuantumEnd+42j
		mov	eax, [edi+50h]
		test	eax, eax
		jnz	short loc_48CE5F

loc_48CE53:				; CODE XREF: KiCheckGroupSchedulingQuantumEnd+67j
					; KiCheckGroupSchedulingQuantumEnd+A2j
		xor	al, al

loc_48CE55:				; CODE XREF: KiCheckGroupSchedulingQuantumEnd+5Dj
					; KiCheckGroupSchedulingQuantumEnd+D6j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48CE5B:				; CODE XREF: KiCheckGroupSchedulingQuantumEnd+40j
					; KiCheckGroupSchedulingQuantumEnd+4Aj	...
		mov	al, 1
		jmp	short loc_48CE55
; 

loc_48CE5F:				; CODE XREF: KiCheckGroupSchedulingQuantumEnd+51j
		add	eax, [esi+3B34h]
		test	eax, eax
		jz	short loc_48CE53
		lea	esp, [esp+0]

loc_48CE70:				; CODE XREF: KiCheckGroupSchedulingQuantumEnd+A4j
		mov	dl, [eax+5Ch]
		mov	edi, eax
		sub	edi, [esi+3B34h]
		mov	cl, dl
		and	cl, 10h
		test	dl, 4
		jnz	short loc_48CEA6
		test	cl, cl
		jz	short loc_48CEBF
		mov	ecx, [eax+4]
		cmp	ecx, [eax+0Ch]
		jb	short loc_48CE9A
		ja	short loc_48CE5B
		mov	ecx, [eax]
		cmp	ecx, [eax+8]

loc_48CE98:				; CODE XREF: KiCheckGroupSchedulingQuantumEnd+BDj
		jnb	short loc_48CE5B

loc_48CE9A:				; CODE XREF: KiCheckGroupSchedulingQuantumEnd+8Fj
					; KiCheckGroupSchedulingQuantumEnd+B6j	...
		mov	eax, [eax+0F4h]
		test	eax, eax
		jz	short loc_48CE53
		jmp	short loc_48CE70
; 

loc_48CEA6:				; CODE XREF: KiCheckGroupSchedulingQuantumEnd+83j
		test	cl, cl
		jz	loc_5B8094
		mov	ecx, [eax+4]
		cmp	ecx, [eax+1Ch]
		ja	short loc_48CE5B
		jb	short loc_48CE9A
		mov	ecx, [eax]
		cmp	ecx, [eax+18h]
		jmp	short loc_48CE98
; 

loc_48CEBF:				; CODE XREF: KiCheckGroupSchedulingQuantumEnd+87j
		test	dl, 2
		jnz	short loc_48CE9A
		mov	edx, [edi+30h]
		mov	ecx, [edi+34h]
		test	ecx, ecx
		jg	short loc_48CE9A
		jl	short loc_48CE5B
		test	edx, edx
		jnz	short loc_48CE9A
		mov	al, 1
		jmp	loc_48CE55
KiCheckGroupSchedulingQuantumEnd endp

; 
		align 10h
; Exported entry 1216. KeQueryActiveProcessorCountEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryActiveProcessorCountEx(x)
		public _KeQueryActiveProcessorCountEx@4
_KeQueryActiveProcessorCountEx@4 proc near
					; CODE XREF: PpmCheckSnapAllDeliveredPerformance+DFp
					; PpmCheckComputeEnergy+1A1p ...

arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ax, [ebp+arg_0]
		mov	ecx, 0FFFFh
		cmp	ax, cx
		jnz	short loc_48CEFC
		mov	eax, ds:_KeNumberProcessors

loc_48CEF8:				; CODE XREF: KeQueryActiveProcessorCountEx(x)+6Aj
		pop	ebp
		retn	4
; 

loc_48CEFC:				; CODE XREF: KeQueryActiveProcessorCountEx(x)+11j
		cmp	ax, ds:_KiActiveGroups
		jnb	short loc_48CF48
		movzx	eax, ax
		push	ebx
		mov	ebx, ds:dword_70E328[eax*4]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		pop	ebx
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	eax, cl
		pop	ebp
		retn	4
; 

loc_48CF48:				; CODE XREF: KeQueryActiveProcessorCountEx(x)+23j
		xor	eax, eax
		jmp	short loc_48CEF8
_KeQueryActiveProcessorCountEx@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1189. KeInsertQueueDpc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInsertQueueDpc(x,	x, x)
		public _KeInsertQueueDpc@12
_KeInsertQueueDpc@12 proc near		; CODE XREF: PopQueueTargetDpc(x,x)+46p
					; KiChargeSchedulingGroupCycleTime(x,x)+E1p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		push	[ebp+arg_8]
		call	KiInsertQueueDpc
		pop	ebp
		retn	0Ch
_KeInsertQueueDpc@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInsertQueueDpc proc near		; CODE XREF: KiTimerWaitTest+F3p
					; PoExecutePerfCheck()+F9p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005B80D7 SIZE 00000096 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_2], 0
		mov	ax, [edi+2]
		test	dword ptr ds:byte_70EFC4, 40000h
		movzx	esi, ax
		jnz	loc_5B80D7
		mov	[ebp+var_1], 0

loc_48CFAD:				; CODE XREF: KiInsertQueueDpc+12B16Bj
		mov	cl, 1Fh
		mov	[ebp+var_3], 0
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		cmp	dword ptr [edi+0Ch], 0
		mov	[ebp+var_5], al
		jz	loc_5B80E0
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	[ebp+var_4], al
		mov	eax, large fs:20h
		mov	[ebp+var_10], eax
		cmp	esi, 20h
		jnb	loc_48D193
		mov	ecx, [eax+3CCh]
		mov	[ebp+var_C], ecx
		cmp	si, cx
		jnz	loc_48D23D

loc_48CFF2:				; CODE XREF: KiInsertQueueDpc+2D1j
		mov	esi, eax
		mov	[ebp+var_14], eax

loc_48CFF7:				; CODE XREF: KiInsertQueueDpc+237j
		mov	eax, [esi+3C8h]
		lea	ecx, [edi+8]
		test	[ecx], eax
		jz	loc_48D252

loc_48D008:				; CODE XREF: KiInsertQueueDpc+2EDj
		cmp	byte ptr [edi],	1Ah
		jz	loc_48D28B

loc_48D011:				; CODE XREF: KiInsertQueueDpc+322j
		mov	eax, 21E0h

loc_48D016:				; CODE XREF: KiInsertQueueDpc+32Dj
		test	ds:byte_70EFC6,	21h
		lea	ebx, [esi+eax]
		lea	eax, [ebx+8]
		jnz	loc_5B8105
		lock bts dword ptr [eax], 0
		jb	loc_48D2C4

loc_48D034:				; CODE XREF: KiInsertQueueDpc+35Bj
					; KiInsertQueueDpc+12B19Cj
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		mov	edx, [eax+21DCh]
		cmp	ecx, [eax+3CCh]
		jnz	loc_48D1B2

loc_48D04C:				; CODE XREF: KiInsertQueueDpc+247j
		lea	ecx, [edi+1Ch]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	short loc_48D0B0
		mov	eax, [ebx+0Ch]
		inc	dword ptr [ebx+10h]
		inc	eax
		cmp	[ebp+var_1], 0
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_20]
		mov	[edi+14h], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+18h], eax
		jnz	loc_5B8111

loc_48D079:				; CODE XREF: KiInsertQueueDpc+12B1ADj
		cmp	byte ptr [edi+1], 2
		lea	ecx, [edi+4]
		mov	[ebp+var_2], 1
		jz	loc_48D262
		mov	dword ptr [ecx], 0
		mov	eax, [ebx+4]
		mov	[eax], ecx
		mov	[ebx+4], ecx

loc_48D098:				; CODE XREF: KiInsertQueueDpc+2FFj
		cmp	[ebp+var_3], 0
		jnz	loc_48D246

loc_48D0A2:				; CODE XREF: KiInsertQueueDpc+2DDj
		mov	ecx, [esi+4DCh]
		test	ecx, ecx
		jnz	loc_5B8122

loc_48D0B0:				; CODE XREF: KiInsertQueueDpc+E7j
					; KiInsertQueueDpc+12B1BAj ...
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jnz	loc_48D227

loc_48D0BB:				; CODE XREF: KiInsertQueueDpc+2C8j
		test	ds:byte_70EFC6,	1
		jnz	loc_5B813C
		xor	ecx, ecx
		lea	eax, [ebx+8]
		lock and [eax],	ecx

loc_48D0D0:				; CODE XREF: KiInsertQueueDpc+12B1D7j
		cmp	[ebp+var_2], 0
		jz	loc_48D177
		cmp	[ebp+var_1], 0
		jnz	loc_5B814C

loc_48D0E4:				; CODE XREF: KiInsertQueueDpc+12B1F8j
		lea	eax, [esi+21F8h]
		cmp	ebx, eax
		jz	loc_48D2A2
		mov	eax, [ebx+0Ch]
		cmp	eax, [esi+2214h]
		jge	short loc_48D111
		mov	al, [edi+1]
		cmp	[ebp+var_10], esi
		jnz	loc_48D1BC
		test	al, al
		jz	loc_48D274

loc_48D111:				; CODE XREF: KiInsertQueueDpc+18Bj
					; KiInsertQueueDpc+24Ej ...
		mov	ebx, 2

loc_48D116:				; CODE XREF: KiInsertQueueDpc+34Fj
		mov	edi, 2Fh
		cmp	esi, [ebp+var_10]
		jnz	short loc_48D128
		mov	edi, 29h
		or	ebx, 20h

loc_48D128:				; CODE XREF: KiInsertQueueDpc+1AEj
		lea	eax, [esi+223Ch]
		mov	[ebp+var_24], 0
		mov	[ebp+arg_8], eax
		mov	ax, [eax]
		mov	esi, [ebp+arg_8]
		movzx	ecx, ax
		mov	eax, ecx
		or	eax, ebx
		movzx	edx, ax
		mov	ax, cx
		lock cmpxchg [esi], dx
		mov	esi, [ebp+var_14]
		movzx	eax, ax
		cmp	ax, cx
		jnz	loc_48D2D0

loc_48D15F:				; CODE XREF: KiInsertQueueDpc+38Cj
		and	ecx, edi
		test	cx, cx
		jnz	short loc_48D177
		cmp	esi, [ebp+var_10]
		jnz	loc_48D1F7
		mov	cl, 2
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)

loc_48D177:				; CODE XREF: KiInsertQueueDpc+164j
					; KiInsertQueueDpc+1F4j ...
		cmp	[ebp+var_4], 0
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_48D181
		sti

loc_48D181:				; CODE XREF: KiInsertQueueDpc+20Ej
		mov	cl, [ebp+var_5]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, [ebp+var_2]
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_48D193:				; CODE XREF: KiInsertQueueDpc+6Aj
		mov	ecx, esi
		lea	edx, [ecx-20h]
		mov	esi, ds:_KiProcessorBlock[edx*4]
		mov	[ebp+var_C], edx
		mov	[ebp+var_14], esi
		test	esi, esi
		jnz	loc_48CFF7
		jmp	loc_5B80F1
; 

loc_48D1B2:				; CODE XREF: KiInsertQueueDpc+D6j
		mov	edx, 1
		jmp	loc_48D04C
; 

loc_48D1BC:				; CODE XREF: KiInsertQueueDpc+193j
		cmp	al, 3
		jz	loc_48D111
		cmp	al, 2
		jz	loc_48D111

loc_48D1CC:				; CODE XREF: KiInsertQueueDpc+316j
		lea	ecx, [esi+223Ch]
		mov	edx, 10h
		call	_KiSetDpcRequestFlag@8 ; KiSetDpcRequestFlag(x,x)
		test	al, 2Fh
		jnz	short loc_48D177
		mov	eax, [esi+338h]
		mov	eax, [eax+40h]
		test	[esi+3C8h], eax
		jnz	loc_48D111
		jmp	short loc_48D177
; 

loc_48D1F7:				; CODE XREF: KiInsertQueueDpc+1F9j
		mov	ecx, [ebp+var_C]
		mov	edx, 2
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		add	eax, 21A0h
		lock or	[eax], edx
		mov	eax, large fs:20h
		push	edx
		push	ecx
		inc	dword ptr [eax+40B4h]
		call	ds:__imp__HalSendSoftwareInterrupt@8 ; HalSendSoftwareInterrupt(x,x)
		jmp	loc_48D177
; 

loc_48D227:				; CODE XREF: KiInsertQueueDpc+145j
		movzx	eax, byte ptr [ebp+arg_8]
		shl	eax, 18h
		or	eax, 80h
		not	eax
		lock and [edx],	eax
		jmp	loc_48D0BB
; 

loc_48D23D:				; CODE XREF: KiInsertQueueDpc+7Cj
		mov	[ebp+var_3], 1
		jmp	loc_48CFF2
; 

loc_48D246:				; CODE XREF: KiInsertQueueDpc+12Cj
		mov	eax, [ebp+var_C]
		mov	[edi+2], ax
		jmp	loc_48D0A2
; 

loc_48D252:				; CODE XREF: KiInsertQueueDpc+92j
		movzx	eax, byte ptr [esi+3C4h]
		lock bts [ecx],	eax
		jmp	loc_48D008
; 

loc_48D262:				; CODE XREF: KiInsertQueueDpc+114j
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_48D26B
		mov	[ebx+4], ecx

loc_48D26B:				; CODE XREF: KiInsertQueueDpc+2F6j
		mov	[ecx], eax
		mov	[ebx], ecx
		jmp	loc_48D098
; 

loc_48D274:				; CODE XREF: KiInsertQueueDpc+19Bj
		mov	eax, [esi+2218h]
		cmp	eax, [esi+221Ch]
		jb	loc_48D111
		jmp	loc_48D1CC
; 

loc_48D28B:				; CODE XREF: KiInsertQueueDpc+9Bj
		cmp	byte ptr [esi+2255h], 0
		jz	loc_48D011
		mov	eax, 21F8h
		jmp	loc_48D016
; 

loc_48D2A2:				; CODE XREF: KiInsertQueueDpc+17Cj
		lea	ecx, [esi+223Eh]
		mov	edx, 2
		call	_KiSetDpcRequestFlag@8 ; KiSetDpcRequestFlag(x,x)
		test	al, 2Fh
		jnz	loc_48D177
		mov	ebx, 4
		jmp	loc_48D116
; 

loc_48D2C4:				; CODE XREF: KiInsertQueueDpc+BEj
		mov	ecx, eax
		call	KxWaitForSpinLockAndAcquire
		jmp	loc_48D034
; 

loc_48D2D0:				; CODE XREF: KiInsertQueueDpc+1E9j
		mov	esi, [ebp+arg_8]

loc_48D2D3:				; CODE XREF: KiInsertQueueDpc+387j
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlBackoff@4	; RtlBackoff(x)
		mov	ax, [esi]
		movzx	ecx, ax
		mov	eax, ecx
		or	eax, ebx
		movzx	edx, ax
		mov	ax, cx
		lock cmpxchg [esi], dx
		movzx	eax, ax
		cmp	ax, cx
		jnz	short loc_48D2D3
		mov	esi, [ebp+var_14]
		jmp	loc_48D15F
KiInsertQueueDpc endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIsThreadRankNonZero proc near		; CODE XREF: KeUpdateThreadSchedulingProperties(x,x,x)+49p
					; KiSchedulerApc+29Bp ...

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005A7F5A SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	byte ptr [esi+87h], 10h
		jge	short loc_48D37A
		mov	eax, [esi+50h]
		test	eax, eax
		jz	short loc_48D37A
		push	ebx
		xor	ebx, ebx
		test	edi, edi
		jz	loc_5A7F5A
		mov	cl, 2
		mov	[ebp+var_1], cl

loc_48D33C:				; CODE XREF: KiIsThreadRankNonZero+11AC5Cj
		mov	eax, [esi+50h]
		test	eax, eax
		jz	short loc_48D369
		add	eax, [edx+3B34h]
		test	eax, eax
		jz	short loc_48D369
		test	edi, edi
		jz	loc_5A7F71
		push	0
		push	0
		push	0
		mov	edx, eax
		mov	ecx, esi
		call	_KiGetThreadEffectiveRankNonZero@20 ; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)
		mov	cl, [ebp+var_1]
		mov	ebx, eax

loc_48D369:				; CODE XREF: KiIsThreadRankNonZero+31j
					; KiIsThreadRankNonZero+3Bj ...
		cmp	cl, 2
		jb	short loc_48D37E

loc_48D36E:				; CODE XREF: KiIsThreadRankNonZero+74j
		test	ebx, ebx
		pop	ebx
		setnz	al

loc_48D374:				; CODE XREF: KiIsThreadRankNonZero+6Cj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48D37A:				; CODE XREF: KiIsThreadRankNonZero+13j
					; KiIsThreadRankNonZero+1Aj
		xor	al, al
		jmp	short loc_48D374
; 

loc_48D37E:				; CODE XREF: KiIsThreadRankNonZero+5Cj
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_48D36E
KiIsThreadRankNonZero endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiDirectSwitchThread proc near		; CODE XREF: KiExitDispatcher+197p

var_7C		= dword	ptr -7Ch
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005B816D SIZE 000001D4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_30], edx
		push	esi
		push	edi
		mov	[ebp+var_18], ebx
		mov	esi, [ebx+3B1Ch]
		sub	esi, 9Ch
		mov	ecx, [esi+9Ch]
		lea	edx, [esi+9Ch]
		mov	[ebx+3B1Ch], ecx
		cmp	dword ptr [ebx+8], 0
		mov	[ebp+var_24], esi
		jnz	loc_48DEDE
		mov	eax, [esi+5Ch]
		and	eax, 120000h
		cmp	eax, 20000h
		jnz	loc_48DEDE
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5B816D

loc_48D3F1:				; CODE XREF: KiDirectSwitchThread+12ADEBj
		mov	eax, [esi+50h]
		mov	edi, [ebx+4]
		mov	[ebp+var_C], edi
		mov	[ebp+var_28], 0
		mov	[ebp+var_38], 0
		mov	[ebp+var_44], eax
		test	eax, eax
		jnz	loc_48DB1B

loc_48D413:				; CODE XREF: KiDirectSwitchThread+794j
					; KiDirectSwitchThread+7F9j ...
		movzx	eax, byte ptr [esi+16Bh]
		mov	edi, [esi+98h]
		mov	[ebp+var_3], 0
		mov	[ebp+var_4C], 1
		lea	eax, [eax+eax*2]
		lea	eax, [edi+eax*8]
		mov	[ebp+var_40], eax

loc_48D434:				; CODE XREF: KiDirectSwitchThread+B5j
		mov	al, [edi+9]
		cmp	al, 5
		jb	loc_48DDBC

loc_48D43F:				; CODE XREF: KiDirectSwitchThread+AC4j
		add	edi, 18h
		cmp	edi, [ebp+var_40]
		jnz	short loc_48D434
		cmp	dword ptr [ebx+3B1Ch], 0
		jnz	loc_5B81A4
		mov	[ebp+var_4], 1

loc_48D458:				; CODE XREF: KiDirectSwitchThread+12AE18j
		cli
		mov	byte ptr [ebx+11h], 1
		nop
		rdtsc
		mov	edi, eax
		mov	ecx, edx
		sub	eax, [ebx+3B40h]
		mov	[ebp+var_14], eax
		sbb	ecx, [ebx+3B44h]
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+var_C]
		mov	esi, [ecx+30h]
		mov	ebx, [ecx+34h]
		add	esi, eax
		mov	[ebp+var_20], esi
		mov	esi, ebx
		adc	esi, [ebp+var_10]
		mov	eax, [ebp+var_20]
		mov	ebx, [ebp+var_18]
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], esi
		mov	[ecx+38h], esi
		mov	[ecx+30h], eax
		mov	eax, [ecx+38h]
		mov	[ecx+34h], eax
		xor	eax, eax
		mov	ecx, [ecx+40h]
		add	ecx, [ebp+var_14]
		mov	[ebp+var_1C], esi
		adc	eax, [ebp+var_10]
		mov	esi, [ebp+var_24]
		mov	[ebp+var_54], eax
		jnz	loc_48DF63
		cmp	ecx, 0FFFFFFFFh
		ja	loc_48DF63

loc_48D4C4:				; CODE XREF: KiDirectSwitchThread+BDDj
		mov	[ebx+3B40h], edi
		mov	edi, [ebp+var_C]
		mov	[ebx+3B44h], edx
		mov	al, [edi+2]
		mov	[edi+40h], ecx
		mov	[ebp+var_1], al
		test	al, 3Eh
		jz	loc_48D600
		test	al, 10h
		jnz	loc_5B81AD

loc_48D4EC:				; CODE XREF: KiDirectSwitchThread+12AE65j
		test	al, 20h
		jz	loc_48D5F0
		mov	edi, [edi+388h]
		mov	[ebp+var_3C], edi
		test	edi, edi
		jz	loc_48D5EB
		mov	edx, [ebx+3EA0h]
		mov	eax, [ebx+3EA4h]
		test	edx, edx
		jz	loc_5B8202
		test	eax, eax
		jz	loc_5B8202
		cmp	byte ptr [eax+54h], 0
		jnz	loc_5B81FA
		mov	ecx, [eax+38h]
		mov	eax, [edx+88h]
		cmp	ecx, eax
		jb	short loc_48D53A
		mov	ecx, eax

loc_48D53A:				; CODE XREF: KiDirectSwitchThread+1A6j
					; KiDirectSwitchThread+12AE6Dj	...
		cmp	ecx, 4Bh
		jb	loc_48DF72
		mov	ecx, 3

loc_48D548:				; CODE XREF: KiDirectSwitchThread+BEEj
		movzx	eax, byte ptr [ebx+3ED0h]
		mov	[ebp+var_48], eax
		mov	[ebp+var_2C], ecx
		lea	eax, [eax+ecx*2]
		mov	ebx, [edi+eax*8]
		lea	esi, [edi+eax*8]
		add	ebx, [ebp+var_14]
		mov	eax, [esi+4]
		adc	eax, [ebp+var_10]
		mov	[ebp+var_40], ebx
		mov	[ebp+var_34], eax
		lea	ecx, [ecx+0]

loc_48D570:				; CODE XREF: KiDirectSwitchThread+1F9j
					; KiDirectSwitchThread+1FEj
		mov	edi, [esi]
		mov	eax, edi
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_50], ecx
		nop
		mov	ecx, [ebp+var_34]
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [ebp+var_40]
		cmp	eax, edi
		jnz	short loc_48D570
		cmp	edx, [ebp+var_50]
		jnz	short loc_48D570
		mov	ebx, [ebp+var_3C]
		mov	eax, _KiTimelineBitmapTime
		mov	edx, [ebx+0C0h]
		cmp	eax, edx
		ja	loc_48DE6D
		sub	edx, eax
		cmp	edx, 20h
		jnb	short loc_48D5BC
		mov	eax, [ebx+0C4h]
		bts	eax, edx
		mov	[ebx+0C4h], eax

loc_48D5BC:				; CODE XREF: KiDirectSwitchThread+21Bj
					; KiDirectSwitchThread+AFDj
		cmp	ds:_KiEfficiencyClassSystem, 0
		mov	eax, [ebp+var_C]
		jnz	short loc_48D5D5
		cmp	byte ptr [eax+244h], 2
		jz	loc_5B820C

loc_48D5D5:				; CODE XREF: KiDirectSwitchThread+236j
					; KiDirectSwitchThread+12AEC6j
		cmp	dword ptr [eax+36Ch], 0
		jnz	loc_48DC07

loc_48D5E2:				; CODE XREF: KiDirectSwitchThread+8F6j
		mov	esi, [ebp+var_24]
		mov	ebx, [ebp+var_18]
		mov	al, [ebp+var_1]

loc_48D5EB:				; CODE XREF: KiDirectSwitchThread+16Fj
		mov	edi, [ebp+var_C]
		and	al, 0DFh

loc_48D5F0:				; CODE XREF: KiDirectSwitchThread+15Ej
		test	al, 40h
		jnz	loc_5B825B

loc_48D5F8:				; CODE XREF: KiDirectSwitchThread+12AECDj
		test	al, 3Eh
		jnz	loc_48DAC8

loc_48D600:				; CODE XREF: KiDirectSwitchThread+14Ej
					; KiDirectSwitchThread+780j ...
		mov	edi, [ebx+3B68h]
		rdtsc
		mov	ecx, edx
		mov	[ebp+var_40], eax
		mov	edx, eax
		mov	[ebp+var_3C], ecx
		sub	edx, [ebx+3B40h]
		mov	eax, [ebx+3B6Ch]
		sbb	ecx, [ebx+3B44h]
		add	edi, edx
		adc	eax, ecx
		mov	[ebx+3B90h], eax
		mov	[ebx+3B68h], edi
		mov	edi, [ebp+var_C]
		mov	[ebx+3B6Ch], eax
		test	byte ptr [edi+2], 20h
		jz	loc_48D6EB
		mov	edi, [ebp+var_40]
		sub	edi, [ebx+3B40h]
		mov	eax, [ebp+var_3C]
		sbb	eax, [ebx+3B44h]
		mov	ecx, [ebx+3EA4h]
		mov	[ebp+var_54], eax
		mov	eax, [ebx+3EA0h]
		test	eax, eax
		jz	loc_5B82A1
		test	ecx, ecx
		jz	loc_5B82A1
		cmp	byte ptr [ecx+54h], 0
		jnz	loc_5B8299
		mov	ecx, [ecx+38h]
		mov	eax, [eax+88h]
		cmp	ecx, eax
		jb	short loc_48D691
		mov	ecx, eax

loc_48D691:				; CODE XREF: KiDirectSwitchThread+2FDj
					; KiDirectSwitchThread+12AF0Cj	...
		cmp	ecx, 4Bh
		jb	loc_48DF54
		mov	edx, 3

loc_48D69F:				; CODE XREF: KiDirectSwitchThread+BCEj
		movzx	eax, byte ptr [ebx+3ED0h]
		lea	eax, [eax+edx*2]
		lea	eax, [eax+773h]
		lea	esi, [ebx+eax*8]
		mov	ebx, [esi]
		mov	eax, [esi+4]
		add	ebx, edi
		mov	[ebp+var_48], ebx
		adc	eax, [ebp+var_54]
		mov	[ebp+var_54], eax

loc_48D6C2:				; CODE XREF: KiDirectSwitchThread+34Bj
					; KiDirectSwitchThread+350j
		mov	edi, [esi]
		mov	eax, edi
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_50], ecx
		nop
		mov	ecx, [ebp+var_54]
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [ebp+var_48]
		cmp	eax, edi
		jnz	short loc_48D6C2
		cmp	edx, [ebp+var_50]
		jnz	short loc_48D6C2
		mov	esi, [ebp+var_24]
		mov	ebx, [ebp+var_18]
		mov	edi, [ebp+var_C]

loc_48D6EB:				; CODE XREF: KiDirectSwitchThread+2B1j
		mov	ecx, [ebp+var_40]
		mov	edx, [ebp+var_3C]
		mov	[ebx+3B40h], ecx
		mov	[ebx+3B44h], edx
		mov	al, [edi+2]
		test	al, 10h
		jnz	loc_5B82AB

loc_48D708:				; CODE XREF: KiDirectSwitchThread+12AF2Dj
		test	al, 2
		jnz	loc_5B82C2

loc_48D710:				; CODE XREF: KiDirectSwitchThread+12AF3Bj
		nop
		mov	byte ptr [ebx+11h], 0
		sti
		lea	eax, [edi+18h]
		xor	edx, edx
		mov	[ebp+var_48], eax
		xor	eax, eax
		nop
		mov	edi, [ebp+var_48]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	[ebp+var_40], edx
		mov	edx, [esi+34h]
		mov	[ebp+var_3C], eax
		mov	eax, [esi+30h]
		mov	[ebp+var_54], ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_14], eax
		cmp	edx, [esi+38h]
		jnz	loc_5B82D0

loc_48D74A:				; CODE XREF: KiDirectSwitchThread+12AF53j
		lea	ebx, [esi+2Ch]
		mov	[ebp+var_5C], ecx

loc_48D750:				; CODE XREF: KiDirectSwitchThread+BB6j
		lock bts dword ptr [ebx], 0
		jb	loc_48DF38
		mov	ebx, [ebp+var_18]
		movzx	eax, byte ptr [ebx+3C5h]
		cmp	ax, [esi+168h]
		jnz	loc_48DAAB
		mov	eax, [ebx+3C8h]
		test	[esi+164h], eax
		jz	loc_48DAAB
		mov	al, [esi+87h]
		mov	[ebp+var_4C], 0
		mov	[ebp+var_2], al
		cmp	al, 10h
		jge	loc_48DF4B
		mov	eax, ds:_KeTickCount
		xor	ch, ch
		sub	eax, [esi+138h]
		mov	edx, [ebp+var_10]
		mov	[ebp+var_1], ch
		cmp	edx, [esi+1Ch]
		jb	short loc_48D7CD
		ja	short loc_48D7BE
		mov	edx, [ebp+var_14]
		cmp	edx, [esi+18h]
		jb	short loc_48D7CD

loc_48D7BE:				; CODE XREF: KiDirectSwitchThread+424j
		mov	ch, 4
		mov	[ebp+var_1], ch
		cmp	eax, 2
		jnb	short loc_48D7CD
		mov	ch, 5
		mov	[ebp+var_1], ch

loc_48D7CD:				; CODE XREF: KiDirectSwitchThread+422j
					; KiDirectSwitchThread+42Cj ...
		cmp	ch, 4
		jb	loc_48DBDF

loc_48D7D6:				; CODE XREF: KiDirectSwitchThread+856j
					; KiDirectSwitchThread+872j
		mov	dl, [esi+87h]
		or	ch, 8
		mov	[ebp+var_1], ch
		mov	[ebp+var_2], dl
		cmp	dl, 10h
		jge	short loc_48D83C
		mov	al, ds:_KiForegrounBoostVelocityFlag
		test	al, al
		jnz	loc_5B82E8

loc_48D7F7:				; CODE XREF: KiDirectSwitchThread+12AF61j
		mov	ah, [esi+15Ch]
		or	cl, 0FFh
		mov	al, ah
		mov	ch, ah
		shr	al, 4
		and	ch, 0Fh
		sub	cl, al
		mov	al, [esi+15Bh]
		sub	cl, ch
		add	dl, cl
		cmp	dl, al
		jge	short loc_48D81C
		mov	dl, al

loc_48D81C:				; CODE XREF: KiDirectSwitchThread+488j
		test	ah, ah
		jnz	loc_48DCD4

loc_48D824:				; CODE XREF: KiDirectSwitchThread+953j
					; KiDirectSwitchThread+12AF8Fj
		mov	eax, [esi+214h]
		mov	[ebp+var_60], 0
		test	eax, eax
		jnz	loc_48DCB0

loc_48D839:				; CODE XREF: KiDirectSwitchThread+92Bj
					; KiDirectSwitchThread+933j
		mov	[ebp+var_2], dl

loc_48D83C:				; CODE XREF: KiDirectSwitchThread+458j
		push	1
		mov	ecx, esi
		call	KiAbProcessThreadPriorityModification
		mov	al, [ebp+var_2]
		mov	ch, [ebp+var_1]
		mov	[esi+87h], al

loc_48D851:				; CODE XREF: KiDirectSwitchThread+85Fj
					; KiDirectSwitchThread+86Cj
		mov	eax, [esi+150h]
		mov	al, [eax+2A2h]
		cmp	al, 2
		jz	loc_48DD15

loc_48D865:				; CODE XREF: KiDirectSwitchThread+98Bj
		mov	eax, [esi+5Ch]
		lea	edx, [esi+5Ch]
		test	al, 8
		mov	al, ch
		not	al
		setz	cl
		and	cl, al
		test	cl, 1
		jnz	short loc_48D8AF

loc_48D87B:				; CODE XREF: KiDirectSwitchThread+A17j
					; KiDirectSwitchThread+AABj
		mov	al, ds:_KiForegrounBoostVelocityFlag
		test	al, al
		jnz	loc_48D90E
		mov	edx, [edx]
		mov	al, ch
		and	al, 6
		cmp	al, 6
		setz	cl
		test	dl, 8
		setz	al
		test	cl, al
		jz	short loc_48D90E
		cmp	byte ptr [esi+87h], 0
		jle	short loc_48D90E
		mov	ecx, esi
		call	KiScheduleNextForegroundBoost
		jmp	short loc_48D90B
; 

loc_48D8AF:				; CODE XREF: KiDirectSwitchThread+4E9j
		mov	dh, [esi+87h]
		test	dh, dh
		jle	loc_48DDA4
		mov	al, [esi+15Ch]
		mov	[ebp+var_5], al
		test	al, al
		jnz	loc_48DD9C
		mov	dl, ch
		shr	dl, 1

loc_48D8D2:				; CODE XREF: KiDirectSwitchThread+AA2j
		mov	al, [esi+15Bh]
		mov	ecx, [ebp+var_30]
		mov	[ebp+var_2], al
		movsx	ecx, cl
		movsx	eax, al
		add	eax, ecx
		mov	[ebp+var_54], eax
		mov	ecx, eax
		mov	[ebp+var_34], ecx
		test	dl, 1
		jnz	loc_48DDE0

loc_48D8F7:				; CODE XREF: KiDirectSwitchThread+A5Cj
		cmp	ecx, 10h
		jge	loc_48DDF9

loc_48D900:				; CODE XREF: KiDirectSwitchThread+A71j
		movsx	eax, dh
		cmp	ecx, eax
		jg	loc_48DD60

loc_48D90B:				; CODE XREF: KiDirectSwitchThread+51Dj
					; KiDirectSwitchThread+9FDj
		mov	ch, [ebp+var_1]

loc_48D90E:				; CODE XREF: KiDirectSwitchThread+4F2j
					; KiDirectSwitchThread+50Bj ...
		mov	al, [esi+87h]
		shr	ch, 3
		mov	[ebp+var_1], ch
		mov	[ebp+var_2], al

loc_48D91D:				; CODE XREF: KiDirectSwitchThread+BBFj
		movsx	eax, al
		lea	edi, [ebx+2224h]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_64], 0

loc_48D930:				; CODE XREF: KiDirectSwitchThread+B6Ej
		lock bts dword ptr [edi], 0
		jb	loc_48DEF0
		cmp	dword ptr [ebx+8], 0
		mov	edi, [ebp+var_C]
		movsx	edx, byte ptr [edi+87h]
		mov	[ebp+var_34], edx
		jnz	loc_48DA97
		mov	eax, [ebp+var_28]
		cmp	eax, [ebp+var_38]
		ja	loc_48DDF1
		jnz	loc_48DCC8
		mov	ecx, [ebp+var_2C]
		cmp	ecx, edx
		jg	loc_48DCC8

loc_48D96F:				; CODE XREF: KiDirectSwitchThread+A64j
		mov	edi, [ebx+3B20h]
		mov	eax, 1
		shl	eax, cl
		mov	[ebp+var_C], eax
		mov	eax, [ebx+4024h]
		mov	eax, [eax+4]
		or	edi, eax
		mov	eax, ds:_KiDirectQuantumTarget
		mov	ecx, eax
		add	ecx, [ebp+var_20]
		mov	[ebp+var_54], eax
		mov	eax, 0
		adc	eax, [ebp+var_1C]
		cmp	eax, [ebp+var_40]
		ja	loc_48DD20
		jb	short loc_48D9B3
		cmp	ecx, [ebp+var_3C]
		ja	loc_48DD20

loc_48D9B3:				; CODE XREF: KiDirectSwitchThread+618j
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_48DD23
		cmp	edx, 10h
		jge	loc_48DEC2

loc_48D9C7:				; CODE XREF: KiDirectSwitchThread+B42j
		test	[ebp+var_C], edi
		jnz	loc_48DE06
		mov	ecx, [ebp+var_14]
		mov	ebx, [ebp+var_20]
		sub	ecx, ebx
		mov	edx, [ebp+var_10]
		sbb	edx, [ebp+var_1C]
		add	ecx, [ebp+var_3C]
		adc	edx, [ebp+var_40]

loc_48D9E4:				; CODE XREF: KiDirectSwitchThread+A96j
		mov	[ebp+var_1], 0
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 5
		mov	[esi+18h], ecx
		mov	[esi+1Ch], edx
		mov	esi, [ebp+var_48]
		lea	esp, [esp+0]

loc_48DA00:				; CODE XREF: KiDirectSwitchThread+689j
					; KiDirectSwitchThread+68Ej
		mov	edi, [esi]
		mov	eax, edi
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_54], ecx
		nop
		mov	ecx, [ebp+var_1C]
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [ebp+var_20]
		cmp	eax, edi
		jnz	short loc_48DA00
		cmp	edx, [ebp+var_54]
		jnz	short loc_48DA00
		cmp	[ebp+arg_0], 0
		mov	esi, [ebp+var_24]
		jz	short loc_48DA35
		mov	ebx, [ebp+var_34]
		cmp	[ebp+var_2C], ebx
		jnz	loc_48DC8E

loc_48DA35:				; CODE XREF: KiDirectSwitchThread+697j
					; KiDirectSwitchThread+91Bj
		mov	ebx, [ebp+var_18]

loc_48DA38:				; CODE XREF: KiDirectSwitchThread+93Fj
					; KiDirectSwitchThread+9A0j ...
		mov	byte ptr [esi+15Dh], 0
		mov	eax, [ebx+3CCh]
		mov	[esi+148h], eax
		test	byte ptr [esi+2], 4
		mov	[ebp+var_3], 1
		jnz	loc_48DBC7

loc_48DA59:				; CODE XREF: KiDirectSwitchThread+84Aj
		mov	cl, [esi+87h]

loc_48DA5F:				; CODE XREF: KiDirectSwitchThread+844j
		mov	eax, [ebx+33Ch]
		mov	[eax], cl
		mov	[ebx+8], esi
		cmp	esi, [ebx+0Ch]
		jz	loc_5B8324
		xor	cl, cl

loc_48DA75:				; CODE XREF: KiDirectSwitchThread+12AF96j
		mov	eax, [ebx+4DCh]
		test	eax, eax
		jz	short loc_48DA82
		mov	[eax+10h], cl

loc_48DA82:				; CODE XREF: KiDirectSwitchThread+6EDj
		mov	al, [esi+90h]
		cmp	al, 1
		jz	loc_5B832B

loc_48DA90:				; CODE XREF: KiDirectSwitchThread+12AFACj
		mov	byte ptr [esi+90h], 3

loc_48DA97:				; CODE XREF: KiDirectSwitchThread+5BCj
					; KiDirectSwitchThread+998j ...
		xor	ecx, ecx
		lea	eax, [ebx+2224h]
		lock and [eax],	ecx
		cmp	[ebp+var_1], cl
		jnz	loc_48DCE8

loc_48DAAB:				; CODE XREF: KiDirectSwitchThread+3DCj
					; KiDirectSwitchThread+3EEj ...
		cmp	[ebp+var_3], 0
		mov	dword ptr [esi+2Ch], 0
		jz	loc_48DE92

loc_48DABC:				; CODE XREF: KiDirectSwitchThread+B2Dj
		mov	al, [ebp+var_4]

loc_48DABF:				; CODE XREF: KiDirectSwitchThread+B58j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_48DAC8:				; CODE XREF: KiDirectSwitchThread+26Aj
		mov	eax, [edi+50h]
		test	eax, eax
		jz	short loc_48DAEF
		add	eax, [ebx+3B34h]
		test	eax, eax
		jz	short loc_48DAEF
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_10]
		nop

loc_48DAE0:				; CODE XREF: KiDirectSwitchThread+75Dj
		add	[eax], ecx
		adc	[eax+4], edx
		mov	eax, [eax+0F4h]
		test	eax, eax
		jnz	short loc_48DAE0

loc_48DAEF:				; CODE XREF: KiDirectSwitchThread+73Dj
					; KiDirectSwitchThread+747j
		test	byte ptr [edi+2], 8
		jnz	loc_48DF03
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_10]

loc_48DAFF:				; CODE XREF: KiDirectSwitchThread+B91j
					; KiDirectSwitchThread+BA3j
		cmp	byte ptr [edi+61h], 0
		jnz	loc_5B8262

loc_48DB09:				; CODE XREF: KiDirectSwitchThread+12AEE7j
					; KiDirectSwitchThread+12AEF8j
		cmp	dword ptr [edi+0F4h], 0
		jz	loc_48D600
		jmp	loc_5B828D
; 

loc_48DB1B:				; CODE XREF: KiDirectSwitchThread+7Dj
		add	eax, [ebx+3B34h]
		mov	[ebp+var_44], eax
		jz	loc_48D413
		xor	ecx, ecx
		mov	edx, eax
		cmp	byte ptr [esi+87h], 10h
		jge	loc_48DE66
		test	dword ptr [esi+5Ch], 200h
		jnz	loc_48DE66
		cmp	[esi+13Ch], ecx
		jnz	loc_48DE66
		cmp	byte ptr [esi+92h], 1
		jz	loc_48DE66

loc_48DB61:				; CODE XREF: KiDirectSwitchThread+7E3j
		test	byte ptr [eax+5Ch], 2
		jnz	loc_5B8180
		mov	eax, [eax+0F4h]
		test	eax, eax
		jnz	short loc_48DB61

loc_48DB75:				; CODE XREF: KiDirectSwitchThread+7F2j
		add	ecx, [edx+60h]
		jnz	short loc_48DB84
		mov	edx, [edx+0F4h]
		test	edx, edx
		jnz	short loc_48DB75

loc_48DB84:				; CODE XREF: KiDirectSwitchThread+7E8j
					; KiDirectSwitchThread+AD8j
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	loc_48D413

loc_48DB8F:				; CODE XREF: KiDirectSwitchThread+12ADF7j
		mov	eax, [edi+50h]
		test	eax, eax
		jz	loc_48D413
		add	eax, [ebx+3B34h]
		mov	[ebp+var_4C], eax
		jz	loc_48D413
		push	0
		push	1
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	_KiGetThreadEffectiveRankNonZero@20 ; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		jz	loc_48D413
		jmp	loc_5B818C
; 

loc_48DBC7:				; CODE XREF: KiDirectSwitchThread+6C3j
		mov	edx, ebx
		mov	ecx, esi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	loc_48DA5F
		jmp	loc_48DA59
; 

loc_48DBDF:				; CODE XREF: KiDirectSwitchThread+440j
		cmp	byte ptr [esi+15Bh], 0Eh
		jge	loc_48D7D6
		cmp	eax, 2
		jb	loc_48D851
		cmp	byte ptr [esi+15Ch], 0
		jnz	loc_48D851
		jmp	loc_48D7D6
; 

loc_48DC07:				; CODE XREF: KiDirectSwitchThread+24Cj
		mov	ecx, [ebp+var_48]
		mov	eax, [ebp+var_2C]
		add	ecx, 10h
		lea	eax, [ecx+eax*2]
		mov	ecx, [ebx+eax*8]
		add	ecx, [ebp+var_14]
		lea	esi, [ebx+eax*8]
		mov	eax, [esi+4]
		adc	eax, [ebp+var_10]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_54], eax

loc_48DC28:				; CODE XREF: KiDirectSwitchThread+8B1j
					; KiDirectSwitchThread+8B6j
		mov	edi, [esi]
		mov	eax, edi
		mov	edx, [esi+4]
		mov	[ebp+var_50], edx
		nop
		mov	ebx, ecx
		mov	ecx, [ebp+var_54]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+var_40]
		cmp	eax, edi
		jnz	short loc_48DC28
		cmp	edx, [ebp+var_50]
		jnz	short loc_48DC28
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_48]
		mov	eax, [eax+36Ch]
		mov	ecx, [eax+388h]
		mov	eax, [ebp+var_2C]
		add	eax, 4
		lea	eax, [edx+eax*2]
		lea	esi, [ecx+eax*8]

loc_48DC66:				; CODE XREF: KiDirectSwitchThread+8F1j
					; KiDirectSwitchThread+8FCj
		mov	edi, [esi]
		mov	ebx, edi
		mov	edx, [esi+4]
		mov	eax, edi
		add	ebx, [ebp+var_14]
		mov	ecx, edx
		mov	[ebp+var_54], edx
		adc	ecx, [ebp+var_10]
		nop
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		jnz	short loc_48DC66
		cmp	edx, [ebp+var_54]
		jz	loc_48D5E2
		jmp	short loc_48DC66
; 

loc_48DC8E:				; CODE XREF: KiDirectSwitchThread+69Fj
		push	1
		mov	dl, bl
		mov	ecx, esi
		call	KiAbProcessThreadPriorityModification
		mov	[esi+87h], bl
		sub	bl, [ebp+var_2]
		shl	bl, 4
		add	[esi+15Ch], bl
		jmp	loc_48DA35
; 

loc_48DCB0:				; CODE XREF: KiDirectSwitchThread+4A3j
		bsr	ecx, eax
		movsx	eax, dl
		mov	[ebp+var_60], ecx
		cmp	eax, ecx
		jge	loc_48D839
		mov	dl, cl
		jmp	loc_48D839
; 

loc_48DCC8:				; CODE XREF: KiDirectSwitchThread+5CEj
					; KiDirectSwitchThread+5D9j
		mov	byte ptr [edi+15Dh], 1
		jmp	loc_48DA38
; 

loc_48DCD4:				; CODE XREF: KiDirectSwitchThread+48Ej
		test	ch, ch
		jnz	loc_48DDAC

loc_48DCDC:				; CODE XREF: KiDirectSwitchThread+A27j
		mov	byte ptr [esi+15Ch], 0
		jmp	loc_48D824
; 

loc_48DCE8:				; CODE XREF: KiDirectSwitchThread+715j
		movzx	ecx, byte ptr [esi+193h]
		lea	eax, [esi+5Ch]
		imul	ecx, ds:_KiCyclesPerClockQuantum
		xor	edx, edx
		add	ecx, [ebp+var_14]
		adc	edx, [ebp+var_10]
		test	byte ptr [eax],	20h
		jnz	loc_48DD92

loc_48DD0A:				; CODE XREF: KiDirectSwitchThread+A07j
		mov	[esi+18h], ecx
		mov	[esi+1Ch], edx
		jmp	loc_48DAAB
; 

loc_48DD15:				; CODE XREF: KiDirectSwitchThread+4CFj
		or	ch, 2
		mov	[ebp+var_1], ch
		jmp	loc_48D865
; 

loc_48DD20:				; CODE XREF: KiDirectSwitchThread+612j
					; KiDirectSwitchThread+61Dj
		mov	eax, [ebp+var_28]

loc_48DD23:				; CODE XREF: KiDirectSwitchThread+628j
		mov	ecx, [ebp+var_C]
		cmp	ecx, edi
		jbe	loc_48DA97
		test	eax, eax
		jz	loc_48DA38
		cmp	edi, 1
		ja	loc_48DA97
		mov	eax, [ebp+var_44]
		push	ecx
		mov	ecx, ebx
		mov	edx, [eax+0F8h]
		mov	edx, [edx+60h]
		call	_KiIsNextScheduledScbThread@12 ; KiIsNextScheduledScbThread(x,x,x)
		test	al, al
		jnz	loc_48DA38
		jmp	loc_48DA97
; 

loc_48DD60:				; CODE XREF: KiDirectSwitchThread+575j
		xor	al, al
		cmp	ecx, [ebp+var_54]
		jg	loc_48DE59

loc_48DD6B:				; CODE XREF: KiDirectSwitchThread+AD1j
		xor	al, [ebp+var_5]
		mov	dl, cl
		and	al, 0Fh
		mov	ecx, esi
		xor	al, [ebp+var_5]
		push	1
		mov	[esi+15Ch], al
		call	KiAbProcessThreadPriorityModification
		mov	eax, [ebp+var_34]
		mov	[esi+87h], al
		jmp	loc_48D90B
; 

loc_48DD92:				; CODE XREF: KiDirectSwitchThread+974j
		lock btr dword ptr [eax], 5
		jmp	loc_48DD0A
; 

loc_48DD9C:				; CODE XREF: KiDirectSwitchThread+538j
		test	al, 0F0h
		jz	loc_48DE2B

loc_48DDA4:				; CODE XREF: KiDirectSwitchThread+527j
		lea	edx, [esi+5Ch]
		jmp	loc_48D87B
; 

loc_48DDAC:				; CODE XREF: KiDirectSwitchThread+946j
		mov	eax, ds:_KeTickCount
		mov	[esi+224h], eax
		jmp	loc_48DCDC
; 

loc_48DDBC:				; CODE XREF: KiDirectSwitchThread+A9j
		mov	eax, [edi+10h]
		mov	ecx, eax
		mov	[ebp+var_48], eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	byte ptr [edi+9], 4
		jnz	short loc_48DE49
		mov	ecx, [edi]
		mov	eax, [edi+4]
		cmp	[ecx+4], edi
		jz	short loc_48DE40

loc_48DDD9:				; CODE XREF: KiDirectSwitchThread+AB2j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_48DDE0:				; CODE XREF: KiDirectSwitchThread+561j
		movsx	eax, byte ptr ds:_PsPrioritySeparation
		add	ecx, eax
		mov	[ebp+var_34], ecx
		jmp	loc_48D8F7
; 

loc_48DDF1:				; CODE XREF: KiDirectSwitchThread+5C8j
		mov	ecx, [ebp+var_2C]
		jmp	loc_48D96F
; 

loc_48DDF9:				; CODE XREF: KiDirectSwitchThread+56Aj
		mov	ecx, 0Fh
		mov	[ebp+var_34], ecx
		jmp	loc_48D900
; 

loc_48DE06:				; CODE XREF: KiDirectSwitchThread+63Aj
		mov	ecx, [ebp+var_54]
		mov	edx, 0
		add	ecx, [ebp+var_14]
		mov	ebx, [ebp+var_3C]
		adc	edx, [ebp+var_10]
		sub	ebx, [ebp+var_54]
		mov	eax, [ebp+var_40]
		sbb	eax, 0
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], eax
		jmp	loc_48D9E4
; 

loc_48DE2B:				; CODE XREF: KiDirectSwitchThread+A0Ej
		mov	dl, ch
		shr	dl, 1
		test	dl, 1
		jnz	loc_48D8D2
		lea	edx, [esi+5Ch]
		jmp	loc_48D87B
; 

loc_48DE40:				; CODE XREF: KiDirectSwitchThread+A47j
		cmp	[eax], edi
		jnz	short loc_48DDD9
		mov	[eax], ecx
		mov	[ecx+4], eax

loc_48DE49:				; CODE XREF: KiDirectSwitchThread+A3Dj
		mov	eax, [ebp+var_48]
		mov	ecx, 0FFFFFF7Fh
		lock and [eax],	ecx
		jmp	loc_48D43F
; 

loc_48DE59:				; CODE XREF: KiDirectSwitchThread+9D5j
		mov	al, cl
		sub	al, byte ptr [ebp+var_30]
		sub	al, [ebp+var_2]
		jmp	loc_48DD6B
; 

loc_48DE66:				; CODE XREF: KiDirectSwitchThread+7A5j
					; KiDirectSwitchThread+7B2j ...
		xor	ecx, ecx
		jmp	loc_48DB84
; 

loc_48DE6D:				; CODE XREF: KiDirectSwitchThread+210j
		mov	ecx, eax
		sub	ecx, edx
		cmp	ecx, 20h
		jnb	short loc_48DED7
		mov	edx, [ebx+0C4h]
		shl	edx, cl
		or	edx, 1

loc_48DE81:				; CODE XREF: KiDirectSwitchThread+B4Cj
		mov	[ebx+0C0h], eax
		mov	[ebx+0C4h], edx
		jmp	loc_48D5BC
; 

loc_48DE92:				; CODE XREF: KiDirectSwitchThread+726j
		mov	eax, [ebp+var_4C]
		lea	edx, [ebp+var_68]
		mov	[esi+15Eh], al
		mov	ecx, ebx
		mov	eax, [ebp+var_30]
		mov	[esi+15Fh], al
		lea	eax, [esi+9Ch]
		mov	dword ptr [eax], 0
		mov	[ebp+var_68], eax
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		jmp	loc_48DABC
; 

loc_48DEC2:				; CODE XREF: KiDirectSwitchThread+631j
		mov	eax, [ebp+var_2C]
		cmp	eax, 10h
		jge	short loc_48DECF
		mov	eax, 0Fh

loc_48DECF:				; CODE XREF: KiDirectSwitchThread+B38j
		mov	[ebp+var_34], eax
		jmp	loc_48D9C7
; 

loc_48DED7:				; CODE XREF: KiDirectSwitchThread+AE4j
		mov	edx, 1
		jmp	short loc_48DE81
; 

loc_48DEDE:				; CODE XREF: KiDirectSwitchThread+38j
					; KiDirectSwitchThread+4Bj
		mov	[edx], ecx
		xor	al, al
		mov	[ebx+3B1Ch], edx
		jmp	loc_48DABF
; 
		align 10h

loc_48DEF0:				; CODE XREF: KiDirectSwitchThread+5A5j
					; KiDirectSwitchThread+B6Cj
		lea	ecx, [ebp+var_64]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_48DEF0
		jmp	loc_48D930
; 

loc_48DF03:				; CODE XREF: KiDirectSwitchThread+763j
		mov	edx, [ebx+338h]
		mov	ecx, [edi+164h]
		mov	edx, [edx+84h]
		mov	eax, edx
		and	eax, ecx
		mov	ecx, [ebp+var_10]
		cmp	eax, edx
		mov	eax, [ebp+var_14]
		jz	loc_48DAFF
		add	[ebx+3B70h], eax
		adc	[ebx+3B74h], ecx
		jmp	loc_48DAFF
; 

loc_48DF38:				; CODE XREF: KiDirectSwitchThread+3C5j
					; KiDirectSwitchThread+BB4j
		lea	ecx, [ebp+var_5C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_48DF38
		jmp	loc_48D750
; 

loc_48DF4B:				; CODE XREF: KiDirectSwitchThread+406j
		mov	[ebp+var_1], 1
		jmp	loc_48D91D
; 

loc_48DF54:				; CODE XREF: KiDirectSwitchThread+304j
		mov	eax, 51EB851Fh
		mul	ecx
		shr	edx, 3
		jmp	loc_48D69F
; 

loc_48DF63:				; CODE XREF: KiDirectSwitchThread+125j
					; KiDirectSwitchThread+12Ej
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_54], 0
		jmp	loc_48D4C4
; 

loc_48DF72:				; CODE XREF: KiDirectSwitchThread+1ADj
		mov	eax, 51EB851Fh
		mul	ecx
		mov	ecx, edx
		shr	ecx, 3
		jmp	loc_48D548
KiDirectSwitchThread endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGetThreadEffectiveRankNonZero(x, x, x, x,	x)
_KiGetThreadEffectiveRankNonZero@20 proc near
					; CODE XREF: KiAddThreadToReadyQueue(x,x,x,x,x)+76p
					; KiQueueReadyThread+262p ...

arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		test	esi, esi
		jnz	short loc_48E007

loc_48DF9F:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+7Bj
		xor	bl, bl

loc_48DFA1:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+7Fj
		xor	eax, eax
		xor	edi, edi
		cmp	byte ptr [ecx+87h], 10h
		jge	short loc_48DFF8
		test	dword ptr [ecx+5Ch], 200h
		jnz	short loc_48DFF8
		cmp	[ebp+arg_4], al
		jnz	short loc_48DFF0

loc_48DFBC:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+73j
		mov	ecx, edx
		mov	edi, edi

loc_48DFC0:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+3Ej
		test	byte ptr [ecx+5Ch], 2
		jnz	short loc_48E021
		mov	ecx, [ecx+0F4h]
		test	ecx, ecx
		jnz	short loc_48DFC0

loc_48DFD0:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+53j
		add	eax, [edx+60h]
		test	bl, bl
		jnz	short loc_48E01A
		test	eax, eax
		jnz	short loc_48DFE5

loc_48DFDB:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+8Fj
		mov	edx, [edx+0F4h]
		test	edx, edx
		jnz	short loc_48DFD0

loc_48DFE5:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+49j
					; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+6Aj ...
		test	esi, esi
		jnz	short loc_48E011

loc_48DFE9:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+88j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_48DFF0:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+2Aj
		cmp	[ecx+13Ch], eax
		jz	short loc_48DFFC

loc_48DFF8:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+1Cj
					; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+25j ...
		xor	eax, eax
		jmp	short loc_48DFE5
; 

loc_48DFFC:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+66j
		cmp	byte ptr [ecx+92h], 1
		jnz	short loc_48DFBC
		jmp	short loc_48DFF8
; 

loc_48E007:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+Dj
		cmp	dword ptr [edx+64h], 0
		jz	short loc_48DF9F
		mov	bl, 1
		jmp	short loc_48DFA1
; 

loc_48E011:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+57j
		test	edi, edi
		setnz	cl
		mov	[esi], cl
		jmp	short loc_48DFE9
; 

loc_48E01A:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+45j
		mov	ecx, [edx+64h]
		add	edi, [ecx]
		jmp	short loc_48DFDB
; 

loc_48E021:				; CODE XREF: KiGetThreadEffectiveRankNonZero(x,x,x,x,x)+34j
		or	eax, 0FFFFFFFFh
		jmp	short loc_48DFE5
_KiGetThreadEffectiveRankNonZero@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmCheckComputeEnergy proc near

var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B8341 SIZE 0000006A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopComputeEnergy, 0
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], 0
		mov	[ebp+var_28], 0
		jz	loc_48E203
		push	ebx
		xor	eax, eax
		mov	[ebp+var_3C], 20h
		push	esi
		push	edi
		lea	edi, [ebp+var_5C]
		mov	esi, ds:dword_70E328
		stosd
		mov	[ebp+var_38], 20h
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		stosd
		stosd
		stosd
		stosd
		lea	ecx, [ecx+0]

loc_48E090:				; CODE XREF: PpmCheckComputeEnergy+12Aj
		test	esi, esi
		jz	loc_48E15F
		bsf	eax, esi
		mov	[ebp+var_28], eax
		btr	esi, eax
		mov	eax, ds:_KeNumberProcessors
		mov	edx, [ebp+var_28]
		cmp	edx, eax
		jnb	loc_5B8341
		mov	eax, ds:_KiProcessorBlock[edx*4]

loc_48E0B8:				; CODE XREF: PpmCheckComputeEnergy+12A313j
		movzx	ecx, byte ptr [eax+3ED0h]
		lea	edi, ds:0[ecx*4]
		mov	[ebp+edi+var_3C], edx
		lea	edx, ds:0[ecx*8]
		mov	ecx, [eax+3EE0h]
		add	[ebp+edx+var_5C], ecx
		mov	ecx, [eax+3EE4h]
		adc	[ebp+edx+var_58], ecx
		mov	ecx, [eax+3EE8h]
		add	[ebp+edx+var_4C], ecx
		mov	ecx, [eax+3EECh]
		adc	[ebp+edx+var_48], ecx
		mov	edx, [eax+3EA0h]
		mov	ecx, [eax+3EA4h]
		test	edx, edx
		jz	loc_5B8350
		test	ecx, ecx
		jz	loc_5B8350
		cmp	byte ptr [ecx+54h], 0
		jnz	loc_5B8348
		mov	ecx, [ecx+38h]
		mov	edx, [edx+88h]
		cmp	ecx, edx
		jb	short loc_48E12E
		mov	ecx, edx

loc_48E12E:				; CODE XREF: PpmCheckComputeEnergy+FAj
					; PpmCheckComputeEnergy+12A31Bj ...
		mov	[ebp+edi+var_6C], ecx
		mov	dword ptr [eax+3EE0h], 0
		mov	dword ptr [eax+3EE4h], 0
		mov	dword ptr [eax+3EE8h], 0
		mov	dword ptr [eax+3EECh], 0
		jmp	loc_48E090
; 

loc_48E15F:				; CODE XREF: PpmCheckComputeEnergy+62j
		xor	esi, esi

loc_48E161:				; CODE XREF: PpmCheckComputeEnergy+1CAj
		mov	edi, [ebp+esi*4+var_3C]
		cmp	edi, 20h
		jz	loc_48E1F6
		mov	edx, [ebp+esi*4+var_6C]
		lea	eax, [ebp+var_30]
		push	eax
		mov	eax, [ebp+esi*8+var_48]
		mov	ecx, esi
		push	eax
		mov	eax, [ebp+esi*8+var_4C]
		push	eax
		mov	eax, [ebp+esi*8+var_58]
		push	eax
		mov	eax, [ebp+esi*8+var_5C]
		push	eax
		call	_PopComputeEnergy
		cmp	_PpmEtwRegistered, 0
		mov	eax, [ebp+var_30]
		mov	[ebp+var_64], eax
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_60], eax
		mov	[ebp+var_34], esi
		jz	short loc_48E1CC
		mov	ebx, dword_6BFD04
		mov	eax, _PpmEtwHandle
		push	offset _PPM_ETW_COMPUTE_ENERGY
		push	ebx
		push	eax
		mov	[ebp+var_28], eax
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5B835A

loc_48E1CC:				; CODE XREF: PpmCheckComputeEnergy+178j
					; PpmCheckComputeEnergy+12A376j
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		cmp	edi, eax
		jnb	short loc_48E213
		lfence	eax
		mov	ecx, ds:_KiProcessorBlock[edi*4]

loc_48E1E4:				; CODE XREF: PpmCheckComputeEnergy+1E5j
		mov	eax, [ebp+var_30]
		add	[ecx+3ED8h], eax
		mov	eax, [ebp+var_2C]
		adc	[ecx+3EDCh], eax

loc_48E1F6:				; CODE XREF: PpmCheckComputeEnergy+138j
		inc	esi
		cmp	esi, 2
		jb	loc_48E161
		pop	edi
		pop	esi
		pop	ebx

loc_48E203:				; CODE XREF: PpmCheckComputeEnergy+2Ej
		mov	al, 1
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48E213:				; CODE XREF: PpmCheckComputeEnergy+1A8j
		xor	ecx, ecx
		jmp	short loc_48E1E4
PpmCheckComputeEnergy endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeFlushTb	proc near		; CODE XREF: .text:loc_453EC2p
					; MiDeleteVaTail+DBp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005B83AB SIZE 000000F0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:_HvlEnlightenments
		mov	[ebp+var_10], 0
		mov	byte ptr [ebp+var_C], 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_14], ebx
		push	esi
		mov	esi, edx
		push	edi
		test	al, 4
		jnz	loc_5B83AB

loc_48E24A:				; CODE XREF: KeFlushTb+12A1A6j
		mov	ecx, ebx
		call	KiFlushTb

loc_48E251:				; CODE XREF: KeFlushTb+12A225j
					; KeFlushTb+12A232j
		cmp	ds:_VmTbFlushEnabled, 0
		jnz	loc_5B8469

loc_48E25E:				; CODE XREF: KeFlushTb+12A253j
		cmp	_ExTbFlushActive, 0
		jnz	loc_5B8478

loc_48E26B:				; CODE XREF: KeFlushTb+12A276j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
KeFlushTb	endp


;  S U B	R O U T	I N E 


KiFlushTb	proc near		; CODE XREF: KeFlushTb+2Cp

; FUNCTION CHUNK AT 005B849B SIZE 00000016 BYTES

		mov	edi, edi
		push	ecx
		cmp	ds:_KiKvaShadow, 0
		jz	loc_5B849B
		sub	ecx, 0
		jz	short loc_48E293
		sub	ecx, 1
		jnz	short loc_48E29C

loc_48E28C:				; CODE XREF: KiFlushTb+2Dj
					; KiFlushTb+12A22Bj ...
		call	_KxFlushEntireTb@4 ; KxFlushEntireTb(x)
		pop	ecx
		retn
; 

loc_48E293:				; CODE XREF: KiFlushTb+13j
					; KiFlushTb+2Fj ...
		mov	ecx, edx
		call	KxFlushNonGlobalTb
		pop	ecx
		retn
; 

loc_48E29C:				; CODE XREF: KiFlushTb+18j
		sub	ecx, 1
		jnz	short loc_48E28C
		jmp	short loc_48E293
KiFlushTb	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KxFlushEntireTb(x)
_KxFlushEntireTb@4 proc	near		; CODE XREF: KiFlushTb:loc_48E28Cp
					; KeFlushEntireTb(x,x):loc_61DC52p
		mov	edi, edi
		push	ebx
		push	esi
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		push	0
		mov	bl, al
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	ecx, offset _KiTbFlushTimeStamp
		mov	esi, eax
		call	_KxSetTimeStampBusy@4 ;	KxSetTimeStampBusy(x)
		test	al, al
		jz	short loc_48E318
		cmp	esi, 1
		jbe	short loc_48E2EB
		push	ecx
		push	0
		xor	edx, edx
		push	ecx
		push	offset _KiFlushTargetEntireTb@16 ; KiFlushTargetEntireTb(x,x,x,x)
		lea	ecx, [edx+1]
		call	_KiIpiSendFlushAwakePacket@24 ;	KiIpiSendFlushAwakePacket(x,x,x,x,x,x)

loc_48E2EB:				; CODE XREF: KxFlushEntireTb(x)+26j
		call	_KeFlushCurrentTb@0 ; KeFlushCurrentTb()
		cmp	esi, 1
		jbe	short loc_48E311
		mov	eax, large fs:20h
		mov	ecx, [eax+2120h]
		test	ecx, ecx
		jz	short loc_48E311

loc_48E305:				; CODE XREF: KxFlushEntireTb(x)+5Fj
		pause
		mov	ecx, [eax+2120h]
		test	ecx, ecx
		jnz	short loc_48E305

loc_48E311:				; CODE XREF: KxFlushEntireTb(x)+43j
					; KxFlushEntireTb(x)+53j
		lock inc ds:_KiTbFlushTimeStamp

loc_48E318:				; CODE XREF: KxFlushEntireTb(x)+21j
		mov	cl, bl
		pop	esi
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_KxFlushEntireTb@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIpiSendFlushAwakePacket(x, x, x, x, x, x)
_KiIpiSendFlushAwakePacket@24 proc near	; CODE XREF: KeFlushMultipleRangeTb+189p
					; MiTerminateWsleCluster+604p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, ecx
		mov	ecx, large fs:20h
		and	[esp+18h+var_10], 0
		and	[esp+18h+var_8], 0
		mov	[esp+18h+var_C], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+18h+var_4], eax
		mov	eax, esi
		neg	eax
		sbb	eax, eax
		and	eax, 80000000h
		add	eax, 8
		push	eax
		lea	eax, [esp+1Ch+var_10]
		push	eax
		push	edx
		mov	edx, esi
		call	KiIpiSendRequest
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
_KiIpiSendFlushAwakePacket@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIpiSendRequest proc near		; CODE XREF: KiIpiSendFlushAwakePacket(x,x,x,x,x,x)+44p
					; KiIpiSendPacket(x,x,x,x,x,x)+3Bp

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005B84B1 SIZE 000000AC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		xor	eax, eax
		test	ds:dword_70EFC8, 400000h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_80], eax
		mov	ebx, ecx
		mov	[ebp+var_50], esi
		push	edi
		mov	[ebp+var_60], ebx
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_70], eax
		jnz	loc_5B84B1
		mov	[ebp+var_45], al

loc_48E3DE:				; CODE XREF: KiIpiSendRequest+12A144j
		test	esi, esi
		jnz	loc_48E638
		mov	ecx, [ebp+arg_0]
		mov	edi, [ebp+arg_8]
		mov	eax, [ecx]
		mov	edx, [ecx+8]
		mov	[ebp+var_14], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], edx

loc_48E3FD:				; CODE XREF: KiIpiSendRequest+2E7j
					; KiIpiSendRequest+2FDj ...
		mov	esi, [ebp+arg_4]
		and	edi, 0Fh
		mov	eax, [ebx+3CCh]
		mov	ecx, esi
		shl	ecx, 0Ch
		or	ecx, edi
		mov	[ebp+var_84], eax
		movzx	eax, ds:_KeNumberNodes
		lea	edi, [ebx+21A4h]
		mov	[ebp+var_74], edi
		mov	edi, [ebp+arg_8]
		mov	[ebx+21A4h], eax
		mov	dword ptr [ebx+2120h], 1
		mov	[ebp+var_20], 10001h
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], 0
		mov	[ebp+var_6C], 0
		mov	[ebp+var_5C], 0
		mov	[ebp+var_58], 0
		test	eax, eax
		jz	loc_48E5EC
		mov	ebx, [ebp+var_58]
		mov	edi, edi

loc_48E470:				; CODE XREF: KiIpiSendRequest+258j
		mov	eax, ds:_KeNodeBlock[ebx*4]
		mov	[ebp+var_90], 0
		mov	[ebp+var_8C], 0
		mov	eax, [eax+84h]
		and	eax, edx
		mov	[ebp+var_88], eax
		mov	[ebp+var_94], eax
		jz	loc_5B84E7
		xor	edx, edx
		mov	[ebp+var_4C], 0
		mov	word ptr [ebp+var_78], dx
		mov	edx, eax
		mov	[ebp+var_7C], edx
		mov	[ebp+var_80], 0
		mov	edi, edi

loc_48E4C0:				; CODE XREF: KiIpiSendRequest+1E2j
					; KiIpiSendRequest+12A17Cj
		test	edx, edx
		jz	loc_48E5C5
		bsf	eax, edx
		btr	edx, eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_7C], edx
		mov	edx, [ebp+var_84]
		mov	ebx, ds:_KiProcessorBlock[eax*4]
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_68], ebx
		lea	edx, [edx+2F7h]
		shl	edx, 5
		add	edx, ebx
		test	eax, eax
		jz	short loc_48E567

loc_48E4F6:				; CODE XREF: KiIpiSendRequest+240j
		mov	[edx+18h], eax
		cmp	edi, 8
		jnz	short loc_48E518
		mov	eax, [esi]
		mov	[edx+8], eax
		mov	eax, [esi+4]
		mov	[edx+0Ch], eax
		mov	eax, [esi+8]
		mov	[edx+10h], eax
		mov	eax, [esi+0Ch]
		mov	[edx+14h], eax
		mov	[ebp+var_70], eax

loc_48E518:				; CODE XREF: KiIpiSendRequest+17Cj
		add	ebx, 4920h
		mov	[edx+4], ecx
		mov	eax, [ebx]

loc_48E523:				; CODE XREF: KiIpiSendRequest+1AFj
		mov	edi, eax
		mov	[edx], eax
		mov	esi, edx
		lock cmpxchg [ebx], esi
		cmp	eax, edi
		jnz	short loc_48E523
		test	eax, eax
		jnz	short loc_48E548
		mov	edx, [ebp+var_18]
		mov	eax, [ebp+var_64]
		bts	edx, eax
		mov	[ebp+var_6C], 1
		mov	[ebp+var_18], edx

loc_48E548:				; CODE XREF: KiIpiSendRequest+1B3j
		mov	eax, [ebp+var_68]
		mov	eax, [eax+4DCh]
		test	eax, eax
		jnz	loc_5B84EF
		mov	edx, [ebp+var_7C]
		mov	edi, [ebp+arg_8]
		mov	esi, [ebp+arg_4]
		jmp	loc_48E4C0
; 

loc_48E567:				; CODE XREF: KiIpiSendRequest+174j
		lea	eax, [edx+1Ch]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_88]
		not	eax
		mov	[ebp+var_54], eax
		movzx	eax, al
		mov	bh, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_54]
		shr	eax, 8
		mov	[ebp+var_54], eax
		movzx	eax, al
		add	bh, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_54]
		shr	eax, 8
		mov	esi, eax
		movzx	eax, al
		shr	esi, 8
		mov	bl, ds:_RtlpBitsClearTotal[esi]
		add	bl, ds:_RtlpBitsClearTotal[eax]
		mov	esi, [ebp+var_4C]
		add	bl, bh
		movzx	eax, bl
		mov	ebx, [ebp+var_68]
		mov	[esi], eax
		mov	esi, [ebp+arg_4]
		mov	eax, [ebp+var_4C]
		jmp	loc_48E4F6
; 

loc_48E5C5:				; CODE XREF: KiIpiSendRequest+142j
		mov	edx, [ebp+var_C]
		mov	ebx, [ebp+var_58]

loc_48E5CB:				; CODE XREF: KiIpiSendRequest+12A16Aj
		movzx	eax, ds:_KeNumberNodes
		inc	ebx
		mov	[ebp+var_58], ebx
		cmp	ebx, eax
		jb	loc_48E470
		mov	ecx, [ebp+var_5C]
		test	ecx, ecx
		jnz	loc_5B8501

loc_48E5E9:				; CODE XREF: KiIpiSendRequest+12A18Ej
		mov	ebx, [ebp+var_60]

loc_48E5EC:				; CODE XREF: KiIpiSendRequest+E5j
		cmp	edi, 8
		jnz	loc_5B8526
		mov	esi, [ebp+var_50]
		cmp	esi, 1
		jz	short loc_48E630
		cmp	esi, 2
		jz	short loc_48E630
		inc	dword ptr [ebx+40B0h]

loc_48E608:				; CODE XREF: KiIpiSendRequest+2B6j
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	ds:__imp__HalRequestIpi@8 ; HalRequestIpi(x,x)

loc_48E613:				; CODE XREF: KiIpiSendRequest+12A1C1j
		cmp	[ebp+var_45], 0
		jnz	loc_5B8546

loc_48E61D:				; CODE XREF: KiIpiSendRequest+12A1A1j
					; KiIpiSendRequest+12A1D8j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_48E630:				; CODE XREF: KiIpiSendRequest+27Bj
					; KiIpiSendRequest+280j
		inc	dword ptr [ebx+40ACh]
		jmp	short loc_48E608
; 

loc_48E638:				; CODE XREF: KiIpiSendRequest+60j
		mov	eax, ds:_KeActiveProcessors
		mov	edx, ds:dword_70E328
		mov	[ebp+var_14], eax
		mov	eax, ds:dword_70E324
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], edx
		cmp	esi, 1
		jnz	short loc_48E662
		mov	eax, [ebx+3CCh]
		btr	edx, eax
		mov	[ebp+var_C], edx

loc_48E662:				; CODE XREF: KiIpiSendRequest+2D4j
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jns	loc_48E3FD
		and	edi, 7FFFFFFFh
		cmp	dword_6C75E8, 0
		mov	[ebp+arg_8], edi
		jz	loc_48E3FD
		jmp	loc_5B84C9
KiIpiSendRequest endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmCheckContinueExecution proc near	; CODE XREF: PpmPerfAction(x,x,x,x):loc_4894E3p
					; PpmPerfControlActionCallback()j

var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch

; FUNCTION CHUNK AT 005B855D SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		mov	edx, offset _PpmCachedSystemAllowedCpuSetVersion
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	ebx, offset _PpmCachedSystemAllowedCpuSet
		stosd
		mov	ecx, ebx
		stosd
		stosd
		call	KeQuerySystemAllowedCpuSetAffinity
		mov	eax, large fs:20h
		xor	edi, edi
		mov	esi, dword_6BF3C8
		mov	ecx, [eax+3CCh]
		mov	eax, esi
		shr	eax, cl
		test	al, 1
		jz	loc_5B855D

loc_48E6CC:				; CODE XREF: PpmCheckContinueExecution+129EF6j
					; PpmCheckContinueExecution+129F02j ...
		mov	eax, dword_6C045C
		test	eax, eax
		jnz	short loc_48E6DE
		lea	eax, [ecx+20h]
		mov	word_6C0442, ax

loc_48E6DE:				; CODE XREF: PpmCheckContinueExecution+4Bj
		push	edi
		push	edi
		push	edi
		xor	edx, edx
		mov	ecx, offset _PpmCheckDpc
		call	KiInsertQueueDpc
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PpmCheckContinueExecution endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PpmCheckRun(x, x, x, x)
_PpmCheckRun@16	proc near		; DATA XREF: PpmCheckInit()+2o
		mov	eax, _PpmCheckPipelineIndex
		mov	ecx, _PpmCheckPipeline
		mov	ecx, [ecx+eax*4]
		test	ecx, ecx
		jz	short loc_48E730

loc_48E712:				; CODE XREF: PpmCheckRun(x,x,x,x)+2Ej
		inc	eax
		mov	_PpmCheckPipelineIndex,	eax
		call	ecx
		test	al, al
		jz	short locret_48E73F
		mov	eax, _PpmCheckPipelineIndex
		mov	ecx, _PpmCheckPipeline
		mov	ecx, [ecx+eax*4]
		test	ecx, ecx
		jnz	short loc_48E712

loc_48E730:				; CODE XREF: PpmCheckRun(x,x,x,x)+10j
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		call	PpmEventTracePerfCheckStop

locret_48E73F:				; CODE XREF: PpmCheckRun(x,x,x,x)+1Cj
		retn	10h
_PpmCheckRun@16	endp


;  S U B	R O U T	I N E 


PpmCheckReportComplete proc near

; FUNCTION CHUNK AT 005B8597 SIZE 00000019 BYTES

		mov	eax, _PpmCheckCompleteHandler
		test	eax, eax
		jnz	loc_5B8597

loc_48E74F:				; CODE XREF: PpmCheckReportComplete+129E69j
		mov	al, 1
		retn
PpmCheckReportComplete endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEventTracePerfCheckStop proc	near	; CODE XREF: PpmCheckStart+128p
					; PpmCheckRun(x,x,x,x)+3Ap

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B85B0 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PpmEtwRegistered, 0
		jz	short loc_48E794
		push	ebx
		push	esi
		mov	esi, dword_6BFD04
		mov	ebx, offset _PPM_ETW_PERF_CHECK_STOP
		push	edi
		mov	edi, _PpmEtwHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5B85B0

loc_48E791:				; CODE XREF: PpmEventTracePerfCheckStop+129E83j
		pop	edi
		pop	esi
		pop	ebx

loc_48E794:				; CODE XREF: PpmEventTracePerfCheckStop+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PpmEventTracePerfCheckStop endp


;  S U B	R O U T	I N E 


; __stdcall PpmReleaseLock(x)
_PpmReleaseLock@4 proc near		; CODE XREF: PoNotifyVSyncChange(x)+21j
					; PpmCheckStart+123p ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		xor	eax, eax
		push	eax
		push	eax
		mov	[ecx], eax
		lea	eax, [ecx+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		test	esi, esi
		pop	esi
		jnz	short loc_48E7BA
		retn
; 

loc_48E7BA:				; CODE XREF: PpmReleaseLock(x)+17j
		mov	ecx, large fs:124h
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
_PpmReleaseLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmParkReportUnparkedCores proc	near	; DATA XREF: .text:004049A4o
					; .text:00404A04o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_6		= word ptr -6
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B85DA SIZE 0000009A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		and	[ebp+var_4], eax
		push	esi
		mov	[ebp+var_6], ax
		cmp	_PpmIsParkingEnabled, eax
		jnz	loc_5B85DA

loc_48E7E4:				; CODE XREF: PpmParkReportUnparkedCores+129E2Bj
		mov	al, 1

loc_48E7E6:				; CODE XREF: PpmParkReportUnparkedCores+129EA9j
		pop	esi
		leave
		retn
PpmParkReportUnparkedCores endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmParkReportParkedCores proc near	; DATA XREF: .text:004049A8o
					; .text:00404A08o

var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= word ptr -28h
var_26		= word ptr -26h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B8674 SIZE 00000143 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		and	[ebp+var_24], eax
		mov	[ebp+var_26], ax
		push	ebx
		push	edi
		lea	edi, [ebp+var_1C]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_40]
		stosd
		stosd
		stosd
		xor	eax, eax
		cmp	_PpmIsParkingEnabled, 0
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		jnz	loc_5B8674

loc_48E82A:				; CODE XREF: PpmParkReportParkedCores+129ED4j
		mov	al, 1

loc_48E82C:				; CODE XREF: PpmParkReportParkedCores+129FC8j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PpmParkReportParkedCores endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmParkUnblockIdle proc	near		; DATA XREF: .text:004049B0o
					; .text:00404A10o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_6		= word ptr -6
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B87B7 SIZE 000000F4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		and	[ebp+var_4], eax
		mov	[ebp+var_6], ax
		inc	eax
		cmp	_PpmIsParkingEnabled, 0
		jnz	loc_5B87B7
		leave
		retn
PpmParkUnblockIdle endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfApplyDomainStates proc near	; DATA XREF: .text:0040499Co
					; .text:004049FCo

; FUNCTION CHUNK AT 005B88AB SIZE 0000003D BYTES
; FUNCTION CHUNK AT 005B88FF SIZE 00000009 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	ds:_PpmPerfArtificialDomainEnabled, 0
		push	ebx
		push	esi
		push	edi
		mov	edi, offset _PpmPerfDomainHead
		jnz	loc_5B88AB

loc_48E87A:				; CODE XREF: PpmPerfApplyDomainStates+12A057j
					; PpmPerfApplyDomainStates+12A087j ...
		mov	esi, ds:_PpmPerfDomainHead

loc_48E880:				; CODE XREF: PpmPerfApplyDomainStates+3Cj
		cmp	esi, edi
		jnz	short loc_48E88D
		pop	edi
		pop	esi
		mov	al, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48E88D:				; CODE XREF: PpmPerfApplyDomainStates+26j
		cmp	byte ptr [esi+215h], 0
		jnz	short loc_48E89A

loc_48E896:				; CODE XREF: PpmPerfApplyDomainStates+50j
		mov	esi, [esi]
		jmp	short loc_48E880
; 

loc_48E89A:				; CODE XREF: PpmPerfApplyDomainStates+38j
		mov	ecx, esi
		call	PpmPerfApplyDomainState
		test	al, al
		jnz	short loc_48E8AE

loc_48E8A5:				; CODE XREF: PpmPerfApplyDomainStates+59j
		mov	byte ptr [esi+215h], 0
		jmp	short loc_48E896
; 

loc_48E8AE:				; CODE XREF: PpmPerfApplyDomainStates+47j
		mov	byte ptr [esi+216h], 1
		jmp	short loc_48E8A5
PpmPerfApplyDomainStates endp

; 
		align 4

;  S U B	R O U T	I N E 


PpmParkReportMask proc near		; DATA XREF: .text:004049ACo
					; .text:00404A0Co

; FUNCTION CHUNK AT 005B8908 SIZE 00000060 BYTES

		cmp	_PpmIsParkingEnabled, 0
		jnz	loc_5B8908

loc_48E8C5:				; CODE XREF: PpmParkReportMask+12A05Bj
					; PpmParkReportMask+12A0ABj
		mov	al, 1
		retn
PpmParkReportMask endp


;  S U B	R O U T	I N E 


; __stdcall PpmCheckAcquireProcessorPerformance()
_PpmCheckAcquireProcessorPerformance@0 proc near ; DATA	XREF: .text:004049B4o
					; .text:00404A14o
		mov	eax, ds:_PpmPerfDomainHead
		xor	ecx, ecx
		push	esi
		mov	esi, offset _PpmPerfDomainHead
		xor	dl, dl
		inc	ecx
		cmp	eax, esi
		jz	short loc_48E8EF

loc_48E8DC:				; CODE XREF: PpmCheckAcquireProcessorPerformance()+21j
		cmp	byte ptr [eax+216h], 0
		jnz	short loc_48E8FA

loc_48E8E5:				; CODE XREF: PpmCheckAcquireProcessorPerformance()+34j
		mov	eax, [eax]
		cmp	eax, esi
		jnz	short loc_48E8DC
		test	dl, dl
		jnz	short loc_48E8FE

loc_48E8EF:				; CODE XREF: PpmCheckAcquireProcessorPerformance()+12j
		add	_PpmCheckPipelineIndex,	2

loc_48E8F6:				; CODE XREF: PpmCheckAcquireProcessorPerformance()+43j
		mov	al, cl
		pop	esi
		retn
; 

loc_48E8FA:				; CODE XREF: PpmCheckAcquireProcessorPerformance()+1Bj
		mov	dl, cl
		jmp	short loc_48E8E5
; 

loc_48E8FE:				; CODE XREF: PpmCheckAcquireProcessorPerformance()+25j
		mov	ecx, _PpmPerfControlAcquirePerformance
		call	PpmPerfControlExecuteAction
		mov	cl, al
		jmp	short loc_48E8F6
_PpmCheckAcquireProcessorPerformance@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PpmPerfApplyLatencyHints()
_PpmPerfApplyLatencyHints@0 proc near
		cmp	_PpmCheckLatencyBoostActive, 0
		jnz	short loc_48E91A

loc_48E917:				; CODE XREF: PpmPerfApplyLatencyHints()+47j
		mov	al, 1
		retn
; 

loc_48E91A:				; CODE XREF: PpmPerfApplyLatencyHints()+7j
		push	esi
		mov	esi, ds:_PpmPerfDomainHead
		cmp	esi, offset _PpmPerfDomainHead
		jz	short loc_48E954
		push	ebx
		push	edi

loc_48E92B:				; CODE XREF: PpmPerfApplyLatencyHints()+42j
		xor	edi, edi
		cmp	[esi+1Ch], edi
		jbe	short loc_48E948
		xor	ebx, ebx

loc_48E934:				; CODE XREF: PpmPerfApplyLatencyHints()+38j
		mov	ecx, [esi+24h]
		mov	ecx, [ebx+ecx]
		call	PpmPerfApplyLatencyHint
		inc	edi
		lea	ebx, [ebx+78h]
		cmp	edi, [esi+1Ch]
		jb	short loc_48E934

loc_48E948:				; CODE XREF: PpmPerfApplyLatencyHints()+22j
		mov	esi, [esi]
		cmp	esi, offset _PpmPerfDomainHead
		jnz	short loc_48E92B
		pop	edi
		pop	ebx

loc_48E954:				; CODE XREF: PpmPerfApplyLatencyHints()+19j
		pop	esi
		jmp	short loc_48E917
_PpmPerfApplyLatencyHints@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmCheckRecordAllUtility()
_PpmCheckRecordAllUtility@0 proc near

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, dword_6B5BAC
		mov	[ebp+var_4], 0

loc_48E974:				; CODE XREF: PpmCheckRecordAllUtility()+3Fj
		test	esi, esi
		jz	short loc_48E9A1
		bsf	eax, esi
		mov	[ebp+var_4], eax
		btr	esi, eax
		mov	eax, ds:_KeNumberProcessors
		mov	ecx, [ebp+var_4]
		cmp	ecx, eax
		jnb	short loc_48E9AD
		mov	ecx, ds:_KiProcessorBlock[ecx*4]

loc_48E994:				; CODE XREF: PpmCheckRecordAllUtility()+4Fj
		add	ecx, 3EA0h
		call	PpmPerfRecordUtility
		jmp	short loc_48E974
; 

loc_48E9A1:				; CODE XREF: PpmCheckRecordAllUtility()+16j
		call	PpmParkRecordNodeStatistics
		mov	al, 1
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48E9AD:				; CODE XREF: PpmCheckRecordAllUtility()+2Bj
		xor	ecx, ecx
		jmp	short loc_48E994
_PpmCheckRecordAllUtility@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfRecordUtility proc near		; CODE XREF: PpmCheckRecordAllUtility()+3Ap

var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= word ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_B9		= byte ptr -0B9h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B8968 SIZE 00000379 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 120h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, _PpmCheckMakeupCount
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_E4], eax
		push	esi
		push	edi
		mov	[ebp+var_11C], ebx
		mov	esi, [ebx+8]
		mov	eax, [ebx+0Ch]
		mov	edi, [ebx+4]
		mov	[ebp+var_B9], 0
		mov	[ebp+var_EC], eax
		mov	[ebp+var_120], esi
		test	esi, esi
		jz	loc_48EDAE
		mov	ecx, [esi+0Ch]
		mov	eax, [esi+8]
		mov	edx, [esi+24h]
		mov	[ebp+var_CC], ecx
		mov	ecx, [esi+20h]
		sub	ecx, eax
		mov	[ebp+var_100], eax
		mov	eax, [esi]
		sbb	edx, [ebp+var_CC]
		mov	[ebp+var_E0], ecx
		mov	ecx, [esi+2Ch]
		mov	[ebp+var_C4], eax
		mov	eax, [esi+4]
		mov	[ebp+var_C0], eax
		mov	eax, [esi+28h]
		sub	eax, [ebp+var_C4]
		mov	[ebp+var_C8], edx
		sbb	ecx, [ebp+var_C0]
		mov	edx, [esi+14h]
		mov	[ebp+var_DC], ecx
		mov	ecx, [esi+10h]
		mov	[ebp+var_B8], edx
		mov	edx, [esi+30h]
		sub	edx, ecx
		mov	[ebp+var_104], ecx
		mov	ecx, [esi+34h]
		sbb	ecx, [ebp+var_B8]
		mov	[ebp+var_F8], ecx
		mov	ecx, [esi+78h]
		sub	ecx, [esi+18h]
		mov	[ebp+var_110], ecx
		xor	ecx, ecx
		cmp	[ebp+var_E4], ecx
		mov	[ebp+var_F0], edx
		mov	edx, [ebp+var_C8]
		mov	[ebp+var_D8], cx
		mov	ecx, [ebp+var_E0]
		mov	[ebp+var_D0], eax
		ja	loc_48EDBF

loc_48EAC3:				; CODE XREF: PpmPerfRecordUtility+436j
					; PpmPerfRecordUtility+444j ...
		mov	eax, [ebp+var_100]
		add	eax, ecx
		mov	ecx, [ebp+var_F8]
		mov	[esi+8], eax
		adc	[ebp+var_CC], edx
		mov	eax, [ebp+var_CC]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_D0]
		add	[ebp+var_C4], eax
		mov	eax, [ebp+var_DC]
		adc	[ebp+var_C0], eax
		mov	eax, [ebp+var_C4]
		mov	[esi], eax
		mov	eax, [ebp+var_C0]
		mov	[esi+4], eax
		mov	eax, [ebp+var_104]
		add	eax, [ebp+var_F0]
		mov	[esi+10h], eax
		adc	[ebp+var_B8], ecx
		mov	eax, [ebp+var_B8]
		mov	ecx, [ebp+var_E0]
		mov	[esi+14h], eax
		mov	eax, [esi+78h]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_DC]
		cmp	eax, edx
		jb	short loc_48EB52
		ja	loc_5B8968
		cmp	[ebp+var_D0], ecx
		ja	loc_5B8968

loc_48EB52:				; CODE XREF: PpmPerfRecordUtility+17Ej
					; PpmPerfRecordUtility+129FB6j
		cmp	[ebp+var_F8], edx
		jb	short loc_48EB6C
		ja	loc_5B897B
		cmp	[ebp+var_F0], ecx
		ja	loc_5B897B

loc_48EB6C:				; CODE XREF: PpmPerfRecordUtility+198j
					; PpmPerfRecordUtility+129FC7j
		test	edx, edx
		ja	short loc_48EB7F
		jb	loc_5B898C
		cmp	ecx, 1
		jbe	loc_5B898C

loc_48EB7F:				; CODE XREF: PpmPerfRecordUtility+1AEj
					; PpmPerfRecordUtility+129FE0j
		mov	edx, [ebp+var_EC]
		test	edx, edx
		jnz	loc_5B89A5
		movzx	ecx, word ptr [ebx+20h]
		mov	[ebp+var_EC], ecx
		test	edi, edi
		jz	loc_48EE29
		mov	ecx, [edi+64h]
		mov	[ebp+var_E4], ecx
		mov	ecx, [edi+68h]

loc_48EBAB:				; CODE XREF: PpmPerfRecordUtility+478j
		push	[ebp+var_C8]
		mov	[ebp+var_C4], ecx
		push	[ebp+var_E0]
		imul	ecx, 64h
		mul	ecx
		mov	edi, eax
		mov	eax, [ebp+var_D0]
		mul	ecx
		add	edi, edx
		push	edi
		push	eax
		call	__aulldiv
		mov	ecx, [ebp+var_C4]
		imul	ecx, [ebp+var_EC]
		push	[ebp+var_C8]
		mov	[ebp+var_C0], eax
		mov	eax, [ebp+var_DC]
		push	[ebp+var_E0]
		mul	ecx
		mov	edi, eax
		mov	eax, [ebp+var_D0]
		mul	ecx
		add	edi, edx
		push	edi
		push	eax
		call	__aulldiv
		mov	[ebp+var_CC], eax
		movzx	eax, ax
		movzx	ecx, ax
		mov	[ebp+var_10C], eax
		mov	eax, [ebp+var_C0]
		mov	edx, [ebp+var_DC]
		movzx	eax, ax
		mov	[ebp+var_118], eax
		mov	[ebp+var_108], ecx
		movzx	ecx, ax
		mov	eax, [ebp+var_C4]
		mov	[ebp+var_100], eax
		mov	eax, [ebp+var_E4]
		mov	[ebp+var_104], eax
		mov	eax, [ebp+var_F0]
		mov	[ebp+var_F4], eax
		mov	eax, [ebp+var_F8]
		mov	[ebp+var_F0], eax
		mov	eax, [ebp+var_E0]
		mov	[ebp+var_114], ecx
		mov	ecx, [ebp+var_D0]
		sub	eax, ecx
		mov	[ebp+var_E8], eax
		movzx	eax, byte ptr [ebx-3ADBh]
		mov	[ebp+var_B8], 0
		mov	word ptr [ebp+var_B8], ax
		mov	al, [ebx-3ADCh]
		mov	[ebp+var_FC], ecx
		mov	ecx, [ebp+var_C8]
		sbb	ecx, edx
		mov	byte ptr [ebp+var_B8+2], al
		cmp	_PpmEtwRegistered, 0
		lea	eax, [ebp+var_B8]
		mov	byte ptr [ebp+var_D4], 64h
		mov	[ebp+var_F8], edx
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_74], eax
		mov	[ebp+var_70], 0
		mov	[ebp+var_6C], 3
		mov	[ebp+var_68], 0
		jz	short loc_48ED2C
		mov	edi, _PpmEtwHandle
		test	edi, edi
		jz	short loc_48ED2C
		mov	edx, [edi+10h]
		cmp	dword ptr [edx+40h], 0
		jz	short loc_48ED22
		mov	al, [edx+44h]
		cmp	al, 5
		jb	loc_5B89B7

loc_48ED13:				; CODE XREF: PpmPerfRecordUtility+129FFFj
		mov	eax, [edx+50h]
		and	eax, 2
		or	eax, 0
		jnz	loc_5B89C4

loc_48ED22:				; CODE XREF: PpmPerfRecordUtility+346j
					; PpmPerfRecordUtility+129FF9j	...
		cmp	byte ptr [edi+35h], 0
		jnz	loc_5B89EE

loc_48ED2C:				; CODE XREF: PpmPerfRecordUtility+333j
					; PpmPerfRecordUtility+33Dj ...
		mov	edx, [ebx+10h]
		mov	[ebp+var_B8], edx
		test	edx, edx
		jnz	loc_5B8B79
		mov	ax, [esi+148h]
		mov	[ebp+var_D8], ax

loc_48ED4B:				; CODE XREF: PpmPerfRecordUtility+12A2D8j
		mov	al, byte ptr [ebp+var_D8+1]
		cmp	al, 64h
		jnb	loc_5B8C9D

loc_48ED59:				; CODE XREF: PpmPerfRecordUtility+12A2DFj
		movzx	edi, al
		mov	eax, [ebp+var_C0]
		mov	ecx, edi
		imul	ecx, eax
		test	ecx, ecx
		jnz	loc_48EE3D

loc_48ED6F:				; CODE XREF: PpmPerfRecordUtility+48Fj
		cmp	_PpmCheckCurrentPipelineId, 5
		jz	loc_5B8CA4

loc_48ED7C:				; CODE XREF: PpmPerfRecordUtility+12A310j
		cmp	[ebp+var_B9], 0
		mov	[ebx+14h], eax
		mov	eax, [ebp+var_CC]
		mov	[ebx+18h], eax
		mov	eax, [ebp+var_C4]
		mov	[ebx+22h], ax
		mov	eax, [ebp+var_110]
		mov	[ebx+1Ch], ecx
		mov	[esi+150h], eax
		jnz	loc_5B8CD5

loc_48EDAE:				; CODE XREF: PpmPerfRecordUtility+49j
					; PpmPerfRecordUtility+129FF2j	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48EDBF:				; CODE XREF: PpmPerfRecordUtility+FDj
		mov	eax, [ebp+var_E4]
		push	0
		inc	eax
		push	eax
		push	edx
		push	ecx
		call	__aulldiv
		mov	ecx, eax
		mov	[ebp+var_C8], edx
		mov	[ebp+var_E0], ecx
		cmp	[ebp+var_DC], edx
		jb	short loc_48EDF0
		ja	short loc_48EE1B
		cmp	[ebp+var_D0], ecx
		jnb	short loc_48EE1B

loc_48EDF0:				; CODE XREF: PpmPerfRecordUtility+424j
					; PpmPerfRecordUtility+467j
		cmp	[ebp+var_F8], edx
		jb	loc_48EAC3
		ja	short loc_48EE0A
		cmp	[ebp+var_F0], ecx
		jb	loc_48EAC3

loc_48EE0A:				; CODE XREF: PpmPerfRecordUtility+43Cj
		mov	[ebp+var_F0], ecx
		mov	[ebp+var_F8], edx
		jmp	loc_48EAC3
; 

loc_48EE1B:				; CODE XREF: PpmPerfRecordUtility+426j
					; PpmPerfRecordUtility+42Ej
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_DC], edx
		jmp	short loc_48EDF0
; 

loc_48EE29:				; CODE XREF: PpmPerfRecordUtility+1D9j
		mov	[ebp+var_E4], 64h
		mov	ecx, 64h
		jmp	loc_48EBAB
; 

loc_48EE3D:				; CODE XREF: PpmPerfRecordUtility+3A9j
		mov	eax, 51EB851Fh
		mul	ecx
		mov	eax, [ebp+var_C0]
		mov	ecx, edx
		shr	ecx, 5
		jmp	loc_48ED6F
PpmPerfRecordUtility endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmParkRecordNodeStatistics proc near	; CODE XREF: PpmCheckRecordAllUtility():loc_48E9A1p

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_65		= byte ptr -65h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B8CE1 SIZE 0000014C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, _PpmCurrentProfile
		mov	eax, _PpmCheckMakeupCount
		mov	[ebp+var_7C], eax
		imul	eax, dword_6C2D0C, 0F0h
		push	edi
		xor	edi, edi
		mov	[ebp+var_88], edi
		mov	dl, [eax+ecx+9Dh]
		mov	al, [eax+ecx+9Fh]
		mov	[ebp+var_65], dl
		mov	byte ptr [ebp+var_80], al
		cmp	_PpmParkNumNodes, edi
		jz	loc_48EF5B
		push	ebx
		xor	ecx, ecx
		push	esi
		lea	ebx, [ebx+0]

loc_48EEC0:				; CODE XREF: PpmParkRecordNodeStatistics+F3j
		imul	esi, ecx, 0D0h
		add	esi, _PpmParkNodes
		lea	ebx, [esi+66h]
		push	ebx
		lea	eax, [esi+65h]
		push	eax
		lea	ecx, [esi+64h]
		push	ecx
		mov	ecx, [ebp+var_7C]
		lea	eax, [esi+30h]
		push	eax
		push	[ebp+var_80]
		call	PpmParkComputeSnapStatistics
		test	al, al
		jz	short loc_48EF34
		cmp	_PpmEtwRegistered, 0
		mov	al, [ebx]
		mov	byte ptr [ebp+var_70], al
		mov	al, [esi+64h]
		mov	byte ptr [ebp+var_6C], al
		mov	eax, [esi+8]
		mov	[ebp+var_94], eax
		movzx	eax, word ptr [esi+4]
		mov	[ebp+var_90], eax
		jz	short loc_48EF34
		mov	ebx, dword_6BFD04
		mov	eax, _PpmEtwHandle
		push	offset _PPM_ETW_PARK_NODE_STATS
		push	ebx
		push	eax
		mov	[ebp+var_74], eax
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5B8CE1

loc_48EF34:				; CODE XREF: PpmParkRecordNodeStatistics+89j
					; PpmParkRecordNodeStatistics+B0j ...
		mov	al, [esi+6]
		cmp	al, [esi+58h]
		jnz	loc_5B8DA9

loc_48EF40:				; CODE XREF: PpmParkRecordNodeStatistics+129FC8j
		mov	dl, [ebp+var_65]
		inc	edi
		movzx	ecx, di
		mov	[ebp+var_88], edi
		cmp	ecx, _PpmParkNumNodes
		jb	loc_48EEC0
		pop	esi
		pop	ebx

loc_48EF5B:				; CODE XREF: PpmParkRecordNodeStatistics+50j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
PpmParkRecordNodeStatistics endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmParkComputeSnapStatistics proc near	; CODE XREF: PpmParkRecordNodeStatistics+82p
					; PpmParkRecordNodeStatistics+129F7Dp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005B8E2D SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	esi
		mov	esi, [ebp+arg_4]
		mov	eax, ecx
		mov	[ebp+var_2], dl
		mov	ecx, [esi+10h]
		sub	ecx, [esi+18h]
		mov	edx, [esi+14h]
		sbb	edx, [esi+1Ch]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		test	eax, eax
		jnz	loc_48F21A

loc_48EF9B:				; CODE XREF: PpmParkComputeSnapStatistics+2BDj
		or	ecx, edx
		jz	loc_48F232
		mov	eax, [esi+20h]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_1], 1
		mov	[ebp+var_10], eax
		push	edi
		test	eax, eax
		jle	short loc_48EFDD

loc_48EFB5:				; CODE XREF: PpmParkComputeSnapStatistics+6Bj
		mov	eax, [esi]
		mov	ecx, [esi+4]
		mov	edi, [eax+ebx*8]
		mov	edx, [eax+ebx*8+4]
		sub	edi, [ecx+ebx*8]
		mov	eax, [esi+8]
		sbb	edx, [ecx+ebx*8+4]
		mov	[eax+ebx*8], edi
		mov	[eax+ebx*8+4], edx
		inc	ebx
		mov	eax, [esi+20h]
		mov	[ebp+var_10], eax
		cmp	ebx, eax
		jl	short loc_48EFB5

loc_48EFDD:				; CODE XREF: PpmParkComputeSnapStatistics+43j
		push	[ebp+var_8]
		movzx	eax, byte ptr [ebp+arg_0]
		push	[ebp+var_C]
		cdq
		push	edx
		push	eax
		call	__allmul
		mov	[ebp+arg_0], edx
		mov	ecx, eax
		mov	edx, 0E147AE15h
		mov	[ebp+var_2C], ecx
		mul	edx
		mov	ebx, 47AE147Ah
		mov	[ebp+var_28], eax
		mov	edi, edx
		mov	eax, ecx
		mov	ecx, 0E147AE15h
		mul	ebx
		mov	ebx, eax
		mov	[ebp+var_1C], edx
		mov	eax, [ebp+arg_0]
		mul	ecx
		mov	ecx, eax
		mov	[ebp+var_14], edx
		mov	eax, [ebp+arg_0]
		mov	edx, 47AE147Ah
		mul	edx
		add	ecx, edi
		mov	[ebp+var_24], edx
		mov	edx, [ebp+var_14]
		adc	edx, 0
		mov	[ebp+var_20], eax
		add	ebx, ecx
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_18], ebx
		mov	ebx, [ebp+arg_0]
		adc	ecx, 0
		xor	eax, eax
		add	edx, ecx
		mov	ecx, [ebp+var_20]
		adc	eax, eax
		add	ecx, edx
		mov	edx, [ebp+var_24]
		adc	edx, eax
		mov	eax, [ebp+var_2C]
		sub	eax, ecx
		sbb	ebx, edx
		shrd	eax, ebx, 1
		shr	ebx, 1
		add	eax, ecx
		mov	ecx, [ebp+var_C]
		adc	ebx, edx
		mov	edx, ecx
		shrd	eax, ebx, 6
		shr	ebx, 6
		sub	edx, eax
		mov	eax, [ebp+var_8]
		sbb	eax, ebx
		mov	[ebp+arg_0], edx
		mov	edx, [ebp+var_10]
		xor	edi, edi
		xor	ebx, ebx
		mov	[ebp+var_2C], eax
		add	edx, 0FFFFFFFFh
		js	short loc_48F0B3
		mov	eax, [esi+8]
		mov	esi, [ebp+arg_0]
		lea	ecx, [eax+edx*8]

loc_48F095:				; CODE XREF: PpmParkComputeSnapStatistics+13Bj
		add	edi, [ecx]
		adc	ebx, [ecx+4]
		cmp	ebx, [ebp+var_2C]
		ja	short loc_48F0AD
		jb	short loc_48F0A5
		cmp	edi, esi
		jnb	short loc_48F0AD

loc_48F0A5:				; CODE XREF: PpmParkComputeSnapStatistics+12Fj
		sub	ecx, 8
		sub	edx, 1
		jns	short loc_48F095

loc_48F0AD:				; CODE XREF: PpmParkComputeSnapStatistics+12Dj
					; PpmParkComputeSnapStatistics+133j
		mov	esi, [ebp+arg_4]
		mov	ecx, [ebp+var_C]

loc_48F0B3:				; CODE XREF: PpmParkComputeSnapStatistics+11Aj
		cmp	[ebp+arg_8], 0
		mov	eax, [ebp+arg_10]
		mov	[eax], dl
		jz	loc_5B8E2D

loc_48F0C2:				; CODE XREF: PpmParkComputeSnapStatistics+129EC1j
		push	[ebp+var_8]
		movzx	eax, [ebp+var_2]
		cdq
		push	ecx
		push	edx
		push	eax
		call	__allmul
		mov	ecx, eax
		mov	[ebp+arg_0], edx
		mov	edx, 0E147AE15h
		mov	[ebp+var_1C], ecx
		mul	edx
		mov	ebx, 47AE147Ah
		mov	[ebp+var_30], eax
		mov	edi, edx
		mov	eax, ecx
		mov	ecx, 0E147AE15h
		mul	ebx
		mov	ebx, eax
		mov	[ebp+var_2C], edx
		mov	eax, [ebp+arg_0]
		mul	ecx
		mov	ecx, eax
		mov	[ebp+arg_10], edx
		mov	eax, [ebp+arg_0]
		mov	edx, 47AE147Ah
		mul	edx
		add	ecx, edi
		mov	[ebp+var_20], edx
		mov	edx, [ebp+arg_10]
		adc	edx, 0
		mov	[ebp+var_24], eax
		add	ebx, ecx
		mov	ecx, [ebp+var_2C]
		mov	[ebp+var_18], ebx
		mov	ebx, [ebp+arg_0]
		adc	ecx, 0
		xor	eax, eax
		add	edx, ecx
		mov	ecx, [ebp+var_24]
		adc	eax, eax
		add	ecx, edx
		mov	edx, [ebp+var_20]
		adc	edx, eax
		mov	eax, [ebp+var_1C]
		sub	eax, ecx
		sbb	ebx, edx
		shrd	eax, ebx, 1
		shr	ebx, 1
		add	eax, ecx
		mov	ecx, [ebp+var_C]
		adc	ebx, edx
		mov	edx, [ebp+var_8]
		shrd	eax, ebx, 6
		shr	ebx, 6
		sub	ecx, eax
		mov	eax, edx
		mov	[ebp+arg_0], ecx
		sbb	eax, ebx
		mov	ebx, [esi+20h]
		xor	edi, edi
		mov	[ebp+arg_10], eax
		sub	ebx, 1
		js	short loc_48F196
		mov	eax, [esi+8]
		xor	edx, edx
		mov	esi, [ebp+arg_0]
		lea	ecx, [eax+ebx*8]

loc_48F178:				; CODE XREF: PpmParkComputeSnapStatistics+21Ej
		add	edi, [ecx]
		adc	edx, [ecx+4]
		cmp	edx, [ebp+arg_10]
		ja	short loc_48F190
		jb	short loc_48F188
		cmp	edi, esi
		jnb	short loc_48F190

loc_48F188:				; CODE XREF: PpmParkComputeSnapStatistics+212j
		sub	ecx, 8
		sub	ebx, 1
		jns	short loc_48F178

loc_48F190:				; CODE XREF: PpmParkComputeSnapStatistics+210j
					; PpmParkComputeSnapStatistics+216j
		mov	esi, [ebp+arg_4]
		mov	edx, [ebp+var_8]

loc_48F196:				; CODE XREF: PpmParkComputeSnapStatistics+1FBj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_48F19F
		mov	[eax], bl

loc_48F19F:				; CODE XREF: PpmParkComputeSnapStatistics+22Bj
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_48F1B1
		test	ebx, ebx
		jg	loc_5B8E3F
		mov	byte ptr [eax],	0

loc_48F1B1:				; CODE XREF: PpmParkComputeSnapStatistics+234j
					; PpmParkComputeSnapStatistics+129ECAj
		mov	ebx, [ebp+var_C]

loc_48F1B4:				; CODE XREF: PpmParkComputeSnapStatistics+129F01j
		add	[esi+18h], ebx
		mov	edi, [esi+20h]
		adc	[esi+1Ch], edx
		sub	edi, 1
		js	short loc_48F20E

loc_48F1C2:				; CODE XREF: PpmParkComputeSnapStatistics+286j
		mov	eax, [esi+8]
		mov	edx, [eax+edi*8+4]
		mov	ecx, [eax+edi*8]
		mov	eax, [esi+4]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_8]
		cmp	edx, eax
		ja	short loc_48F204
		jb	short loc_48F1DF
		cmp	ecx, ebx
		ja	short loc_48F204

loc_48F1DF:				; CODE XREF: PpmParkComputeSnapStatistics+269j
		mov	esi, [ebp+arg_0]
		add	[esi+edi*8], ecx
		adc	[esi+edi*8+4], edx
		sub	ebx, ecx
		mov	esi, [ebp+arg_4]
		sbb	eax, edx
		sub	edi, 1
		mov	[ebp+var_8], eax
		jns	short loc_48F1C2
		mov	al, [ebp+var_1]
		pop	edi
		pop	ebx
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_48F204:				; CODE XREF: PpmParkComputeSnapStatistics+267j
					; PpmParkComputeSnapStatistics+26Dj
		mov	ecx, [ebp+arg_0]
		add	[ecx+edi*8], ebx
		adc	[ecx+edi*8+4], eax

loc_48F20E:				; CODE XREF: PpmParkComputeSnapStatistics+250j
		mov	al, [ebp+var_1]
		pop	edi
		pop	ebx

loc_48F213:				; CODE XREF: PpmParkComputeSnapStatistics+2C4j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_48F21A:				; CODE XREF: PpmParkComputeSnapStatistics+25j
		push	0
		inc	eax
		push	eax
		push	edx
		push	ecx
		call	__aulldiv
		mov	ecx, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], edx
		jmp	loc_48EF9B
; 

loc_48F232:				; CODE XREF: PpmParkComputeSnapStatistics+2Dj
		xor	al, al
		jmp	short loc_48F213
PpmParkComputeSnapStatistics endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmParkCalculateUnparkCount proc near	; CODE XREF: PpmCheckComputeHeteroResponse():loc_657849p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005B8E76 SIZE 0000020B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		cmp	_PpmIsParkingEnabled, 0
		jnz	loc_5B8E76

loc_48F24B:				; CODE XREF: PpmParkCalculateUnparkCount+129E46j
		mov	al, 1
		leave
		retn
PpmParkCalculateUnparkCount endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmParkCalculateCoreParkingMask	proc near

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= word ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B9081 SIZE 000005EB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		push	ebx
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_58]
		stosd
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_3C], ebx
		stosd
		mov	[ebp+var_2C], ebx
		stosd
		cmp	_PpmIsParkingEnabled, ebx
		jnz	loc_5B9081

loc_48F27C:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A40Cj
					; PpmParkCalculateCoreParkingMask+12A417j
		pop	edi
		mov	al, 1
		pop	ebx
		leave
		retn
PpmParkCalculateCoreParkingMask	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PpmPerfSelectProcessorStates()
_PpmPerfSelectProcessorStates@0	proc near
		mov	edi, edi
		push	esi
		mov	esi, ds:_PpmPerfDomainHead
		cmp	esi, offset _PpmPerfDomainHead
		jz	short loc_48F2E0
		push	ebx
		push	edi

loc_48F2A3:				; CODE XREF: PpmPerfSelectProcessorStates()+4Cj
		mov	eax, [esi+210h]
		cmp	eax, 0FFFFFFFFh
		jnb	short loc_48F2B5
		inc	eax
		mov	[esi+210h], eax

loc_48F2B5:				; CODE XREF: PpmPerfSelectProcessorStates()+1Cj
		xor	edi, edi
		cmp	[esi+1Ch], edi
		jbe	short loc_48F2D4
		xor	ebx, ebx
		mov	edi, edi

loc_48F2C0:				; CODE XREF: PpmPerfSelectProcessorStates()+42j
		mov	ecx, [esi+24h]
		mov	ecx, [ecx+ebx]
		call	PpmPerfSelectProcessorState
		inc	edi
		lea	ebx, [ebx+78h]
		cmp	edi, [esi+1Ch]
		jb	short loc_48F2C0

loc_48F2D4:				; CODE XREF: PpmPerfSelectProcessorStates()+2Aj
		mov	esi, [esi]
		cmp	esi, offset _PpmPerfDomainHead
		jnz	short loc_48F2A3
		pop	edi
		pop	ebx

loc_48F2E0:				; CODE XREF: PpmPerfSelectProcessorStates()+Fj
		mov	al, 1
		pop	esi
		retn
_PpmPerfSelectProcessorStates@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfSelectProcessorState proc near	; CODE XREF: PpmPerfSelectProcessorStates()+36p

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_69		= byte ptr -69h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5B		= byte ptr -5Bh
var_5A		= byte ptr -5Ah
var_59		= byte ptr -59h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B966C SIZE 000002F9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, ds:_PpmMfBufferingThreshold
		mov	[ebp+var_58], 0
		mov	[ebp+var_7C], 0
		mov	[ebp+var_98], 1
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ecx, dword_6C2D0C
		push	edi
		mov	edi, [esi+4]
		mov	eax, [esi]
		mov	ebx, [esi+8]
		mov	[ebp+var_74], eax
		mov	eax, [edi+4]
		mov	[ebp+var_78], edi
		mov	[ebp+var_9C], eax
		cmp	edx, 64h
		ja	loc_5B966C

loc_48F34E:				; CODE XREF: PpmPerfSelectProcessorState+12A37Ej
		mov	eax, _PpmCurrentProfile
		imul	ecx, 0F0h
		lea	edi, [eax+20h]
		add	edi, ecx
		mov	[ebp+var_64], edi
		test	ebx, ebx
		jz	short loc_48F371
		cmp	eax, _PpmLowPowerProfile
		jz	loc_5B9673

loc_48F371:				; CODE XREF: PpmPerfSelectProcessorState+73j
					; PpmPerfSelectProcessorState+12A38Aj ...
		mov	ecx, edi

loc_48F373:				; CODE XREF: PpmPerfSelectProcessorState+12A3ACj
		cmp	ds:_PpmHeteroNominalPerformanceClasses,	1
		ja	loc_5B96A1
		mov	al, [esi+30h]

loc_48F383:				; CODE XREF: PpmPerfSelectProcessorState+12A3BAj
		cmp	al, 1
		jnb	loc_5B96B6

loc_48F38B:				; CODE XREF: PpmPerfSelectProcessorState+12A3C1j
					; PpmPerfSelectProcessorState+12A3C8j
		mov	edx, [ecx+38h]
		movzx	eax, al
		mov	[ebp+var_60], edx
		mov	[ebp+var_70], eax
		mov	edi, [ebp+var_70]
		movzx	edx, byte ptr [ecx+eax+1Eh]
		mov	[ebp+var_90], edx
		movzx	edx, byte ptr [ecx+eax+20h]
		mov	[ebp+var_8C], edx
		mov	dl, [ecx+eax+22h]
		mov	[ebp+var_5B], dl
		mov	dl, [ecx+eax+24h]
		mov	[ebp+var_5A], dl
		mov	dl, [ecx+eax+79h]
		mov	cl, [ecx+eax+26h]
		mov	eax, [ebp+var_64]
		movzx	ecx, cl
		mov	[ebp+var_69], dl
		mov	edx, [ebp+var_60]
		mov	al, [eax+edi+28h]
		mov	edi, [ebp+var_78]
		movzx	eax, al
		mov	[ebp+var_88], eax
		add	eax, ecx
		shr	eax, 1
		mov	[ebp+var_94], ecx
		mov	[ebp+var_84], eax
		test	ebx, ebx
		jz	short loc_48F416
		mov	ecx, [ebp+var_64]
		mov	eax, [ebp+var_70]
		mov	edx, [ebp+var_70]
		mov	eax, [ecx+eax*4+5Ch]
		mov	ecx, [ecx+edx*4+54h]
		mov	edx, [ebp+var_60]
		cmp	eax, ecx
		jnz	loc_5B96BD
		mov	byte ptr [edi+2Ch], 0

loc_48F416:				; CODE XREF: PpmPerfSelectProcessorState+104j
					; PpmPerfSelectProcessorState+12A449j ...
		cmp	edx, 1
		jz	loc_5B9756
		cmp	edx, 3
		jz	loc_5B9756
		cmp	edx, 5
		jz	loc_5B974B
		cmp	edx, 6
		jz	loc_5B974B
		cmp	ds:_PpmPerfBoostAtGuaranteed, 0
		jnz	loc_5B974B
		mov	eax, [ebp+var_74]
		mov	ecx, 64h

loc_48F44F:				; CODE XREF: PpmPerfSelectProcessorState+12A461j
					; PpmPerfSelectProcessorState+12A46Cj
		cmp	byte ptr [eax+80h], 0
		mov	[ebp+var_68], ecx
		jz	loc_5B9761
		cmp	byte ptr [esi+34h], 0
		jnz	loc_5B976F

loc_48F469:				; CODE XREF: PpmPerfSelectProcessorState+12A484j
		mov	cl, ds:_PpmPerfIdealAggressiveIncreaseThreshold
		mov	[ebp+var_59], cl
		cmp	cl, 64h
		ja	loc_5B9793

loc_48F47B:				; CODE XREF: PpmPerfSelectProcessorState+12A4A8j
		cmp	byte ptr [ebp+var_84], 0
		jz	loc_5B979D

loc_48F488:				; CODE XREF: PpmPerfSelectProcessorState+12A4BBj
					; PpmPerfSelectProcessorState+12A4C5j
		mov	eax, ds:_PpmPerfCalculateActualUtilization
		test	eax, eax
		mov	edx, [esi+14h]
		mov	edi, [edi+28h]
		mov	[ebp+var_80], eax
		mov	eax, edx
		mov	[ebp+var_60], edx
		jz	loc_5B97BA
		movzx	ecx, word ptr [esi+22h]
		xor	edx, edx
		div	ecx
		cmp	[ebp+var_80], 2
		mov	cl, [ebp+var_59]
		mov	[ebp+var_7C], eax
		jz	loc_5B97C8
		mov	edx, eax

loc_48F4BD:				; CODE XREF: PpmPerfSelectProcessorState+12A4D3j
					; PpmPerfSelectProcessorState+12A4E1j
		mov	[ebp+var_80], edi
		cmp	edx, [ebp+var_88]
		ja	short loc_48F509
		cmp	edx, [ebp+var_94]
		jnb	short loc_48F512
		cmp	edi, 1
		jbe	short loc_48F512
		movzx	eax, [ebp+var_5B]
		mov	[ebp+var_98], 3
		cmp	eax, 1
		jnz	loc_48F66C
		mov	edx, [ebp+var_58]
		mov	eax, ds:_PpmPerfSingleStepSize
		or	edx, 200h
		mov	[ebp+var_58], edx
		cmp	edi, eax
		jbe	loc_5B982F
		sub	edi, eax
		jmp	short loc_48F515
; 

loc_48F509:				; CODE XREF: PpmPerfSelectProcessorState+1D6j
		cmp	edi, [ebp+var_68]
		jb	loc_48F655

loc_48F512:				; CODE XREF: PpmPerfSelectProcessorState+1DEj
					; PpmPerfSelectProcessorState+1E3j ...
		mov	edx, [ebp+var_58]

loc_48F515:				; CODE XREF: PpmPerfSelectProcessorState+217j
					; PpmPerfSelectProcessorState+3A3j ...
		cmp	_PpmCheckCurrentPipelineId, 5
		jz	short loc_48F538
		mov	eax, [ebp+var_74]
		mov	ecx, [eax+210h]
		mov	eax, [ebp+var_80]
		cmp	edi, eax
		ja	loc_48F642

loc_48F532:				; CODE XREF: PpmPerfSelectProcessorState+360j
		jb	loc_48F631

loc_48F538:				; CODE XREF: PpmPerfSelectProcessorState+22Cj
					; PpmPerfSelectProcessorState+347j ...
		test	ebx, ebx
		jz	short loc_48F558
		mov	al, [ebx+14Bh]
		test	al, al
		jnz	loc_5B9852

loc_48F54A:				; CODE XREF: PpmPerfSelectProcessorState+12A57Bj
		mov	al, [ebx+14Ch]
		test	al, al
		jnz	loc_5B9870

loc_48F558:				; CODE XREF: PpmPerfSelectProcessorState+24Aj
					; PpmPerfSelectProcessorState+12A47Aj ...
		mov	ecx, [ebp+var_64]
		mov	edx, edi
		mov	ebx, [ebp+var_74]
		push	0
		push	0
		push	[ebp+var_98]
		mov	eax, [ecx+48h]
		push	eax
		mov	eax, [ebp+var_70]
		mov	eax, [ecx+eax*4+40h]
		mov	ecx, [ebp+var_9C]
		push	eax
		push	[ebp+var_68]
		mov	eax, [ebx+60h]
		push	eax
		mov	eax, [ebx+44h]
		call	eax
		cmp	_PpmEtwRegistered, 0
		mov	ecx, [ebp+var_78]
		mov	[ebp+var_88], eax
		mov	[ebp+var_60], 0
		mov	[ebp+var_8C], edi
		mov	[ecx+28h], eax
		mov	eax, [ebp+var_7C]
		mov	ecx, [ebp+var_58]
		mov	[ebp+var_90], eax
		movzx	eax, byte ptr [esi-3ADBh]
		mov	word ptr [ebp+var_60], ax
		mov	al, [esi-3ADCh]
		mov	byte ptr [ebp+var_60+2], al
		lea	eax, [ebp+var_60]
		mov	[ebp+var_80], ecx
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], 0
		mov	[ebp+var_4C], 3
		mov	[ebp+var_48], 0
		jz	short loc_48F620
		mov	esi, _PpmEtwHandle
		test	esi, esi
		jz	short loc_48F620
		mov	eax, [esi+10h]
		cmp	dword ptr [eax+40h], 0
		jz	short loc_48F616
		mov	cl, [eax+44h]
		cmp	cl, 4
		jb	loc_5B988E

loc_48F607:				; CODE XREF: PpmPerfSelectProcessorState+12A5A6j
		mov	ecx, [eax+50h]
		and	ecx, 20h
		or	ecx, 0
		jnz	loc_5B989B

loc_48F616:				; CODE XREF: PpmPerfSelectProcessorState+309j
					; PpmPerfSelectProcessorState+12A5A0j ...
		cmp	byte ptr [esi+35h], 0
		jnz	loc_5B98B9

loc_48F620:				; CODE XREF: PpmPerfSelectProcessorState+2F6j
					; PpmPerfSelectProcessorState+300j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48F631:				; CODE XREF: PpmPerfSelectProcessorState:loc_48F532j
		cmp	ecx, [ebp+var_90]
		jnb	loc_48F538
		jmp	loc_5B9842
; 

loc_48F642:				; CODE XREF: PpmPerfSelectProcessorState+23Cj
		cmp	ecx, [ebp+var_8C]
		jb	loc_5B9842
		cmp	edi, eax
		jmp	loc_48F532
; 

loc_48F655:				; CODE XREF: PpmPerfSelectProcessorState+21Cj
		movzx	eax, [ebp+var_5A]
		cmp	eax, 2
		jnz	short loc_48F698
		or	[ebp+var_58], 40h
		mov	eax, [ebp+var_68]

loc_48F665:				; CODE XREF: PpmPerfSelectProcessorState+3CCj
		mov	edi, eax
		jmp	loc_48F512
; 

loc_48F66C:				; CODE XREF: PpmPerfSelectProcessorState+1F6j
		sub	eax, 0
		jnz	loc_5B9823
		mov	eax, [ebp+var_84]
		xor	edx, edx
		movzx	ecx, al
		mov	eax, [ebp+var_60]
		div	ecx
		mov	edx, [ebp+var_58]
		or	edx, 100h
		mov	edi, eax
		mov	[ebp+var_58], edx
		jmp	loc_48F515
; 

loc_48F698:				; CODE XREF: PpmPerfSelectProcessorState+36Cj
		sub	eax, 0
		jnz	loc_5B97D6
		mov	eax, [ebp+var_84]
		xor	edx, edx
		movzx	ecx, al
		mov	eax, [ebp+var_60]
		div	ecx
		or	[ebp+var_58], 10h

loc_48F6B5:				; CODE XREF: PpmPerfSelectProcessorState+12A51Fj
		mov	edi, eax

loc_48F6B7:				; CODE XREF: PpmPerfSelectProcessorState+12A4EEj
					; PpmPerfSelectProcessorState+12A52Ej
		mov	eax, [ebp+var_68]
		cmp	edi, eax
		jnb	short loc_48F665
		jmp	loc_48F512
PpmPerfSelectProcessorState endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmCheckMakeupSkippedChecks proc near	; DATA XREF: .text:004049A0o
					; .text:00404A00o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_6		= word ptr -6
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B9965 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		and	[ebp+var_4], eax
		mov	[ebp+var_6], ax
		cmp	_PpmCheckMakeupCount, eax
		ja	short loc_48F6E1

loc_48F6DD:				; CODE XREF: PpmCheckMakeupSkippedChecks+94j
					; PpmCheckMakeupSkippedChecks+12A2B6j
		mov	al, 1
		leave
		retn
; 

loc_48F6E1:				; CODE XREF: PpmCheckMakeupSkippedChecks+17j
		call	_PpmParkMaximumCoresParked@0 ; PpmParkMaximumCoresParked()
		test	al, al
		jz	loc_5B9965
		call	_PpmPerfMinimumPerfReached@0 ; PpmPerfMinimumPerfReached()
		test	al, al
		jz	loc_5B9965
		xor	eax, eax
		mov	[ebp+var_8], ax
		mov	eax, dword_6B5BAC
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], offset _PpmCheckRegistered

loc_48F710:				; CODE XREF: PpmCheckMakeupSkippedChecks+6Dj
					; PpmCheckMakeupSkippedChecks+86j
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_48F74C
		mov	ecx, [ebp+var_4]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, [eax+3EA8h]
		test	ecx, ecx
		jz	short loc_48F710
		mov	eax, [ecx+20h]
		mov	[ecx+8], eax
		mov	eax, [ecx+24h]
		mov	[ecx+0Ch], eax
		mov	eax, [ecx+28h]
		mov	[ecx], eax
		mov	eax, [ecx+2Ch]
		mov	[ecx+4], eax
		jmp	short loc_48F710
; 

loc_48F74C:				; CODE XREF: PpmCheckMakeupSkippedChecks+5Bj
		call	_PpmParkCompleteMakeup@0 ; PpmParkCompleteMakeup()
		and	_PpmCheckMakeupCount, 0
		jmp	short loc_48F6DD
PpmCheckMakeupSkippedChecks endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmCheckAdjustNextPerfCheck proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B997F SIZE 00000060 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		cmp	_PpmCheckCurrentPipelineId, 5
		jz	loc_5B997F

loc_48F76F:				; CODE XREF: PpmCheckAdjustNextPerfCheck+12A232j
					; PpmCheckAdjustNextPerfCheck+12A280j
		mov	al, 1
		leave
		retn
PpmCheckAdjustNextPerfCheck endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PpmPerfSelectDomainStates()
_PpmPerfSelectDomainStates@0 proc near
		mov	edi, edi
		push	esi
		mov	esi, ds:_PpmPerfDomainHead
		push	edi
		mov	edi, offset _PpmPerfDomainHead

loc_48F783:				; CODE XREF: PpmPerfSelectDomainStates()+25j
		cmp	esi, edi
		jnz	short loc_48F78C
		pop	edi
		mov	al, 1
		pop	esi
		retn
; 

loc_48F78C:				; CODE XREF: PpmPerfSelectDomainStates()+11j
		mov	ecx, esi
		call	_PpmPerfSelectDomainState@4 ; PpmPerfSelectDomainState(x)
		test	al, al
		jnz	short loc_48F79B

loc_48F797:				; CODE XREF: PpmPerfSelectDomainStates()+2Ej
		mov	esi, [esi]
		jmp	short loc_48F783
; 

loc_48F79B:				; CODE XREF: PpmPerfSelectDomainStates()+21j
		mov	byte ptr [esi+215h], 1
		jmp	short loc_48F797
_PpmPerfSelectDomainStates@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PpmPerfSelectDomainState(x)
_PpmPerfSelectDomainState@4 proc near	; CODE XREF: PpmPerfSelectDomainStates()+1Ap
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	bh, bh
		xor	bl, bl
		mov	esi, 1
		mov	edx, [edi+1Ch]
		test	edx, edx
		jz	short loc_48F7E4
		mov	eax, [edi+24h]
		add	eax, 2Ch
		lea	ecx, [ecx+0]

loc_48F7D0:				; CODE XREF: PpmPerfSelectDomainState(x)+32j
		mov	ecx, [eax-4]
		cmp	ecx, esi
		ja	short loc_48F806

loc_48F7D7:				; CODE XREF: PpmPerfSelectDomainState(x)+58j
		cmp	byte ptr [eax],	0
		jnz	short loc_48F80E

loc_48F7DC:				; CODE XREF: PpmPerfSelectDomainState(x)+60j
		add	eax, 78h
		sub	edx, 1
		jnz	short loc_48F7D0

loc_48F7E4:				; CODE XREF: PpmPerfSelectDomainState(x)+15j
		cmp	[edi+84h], esi
		jnz	short loc_48F80A
		cmp	[edi+8Ch], bl
		jnz	short loc_48F80A

loc_48F7F4:				; CODE XREF: PpmPerfSelectDomainState(x)+5Cj
		mov	[edi+84h], esi
		mov	al, bh
		mov	[edi+8Ch], bl
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_48F806:				; CODE XREF: PpmPerfSelectDomainState(x)+25j
		mov	esi, ecx
		jmp	short loc_48F7D7
; 

loc_48F80A:				; CODE XREF: PpmPerfSelectDomainState(x)+3Aj
					; PpmPerfSelectDomainState(x)+42j
		mov	bh, 1
		jmp	short loc_48F7F4
; 

loc_48F80E:				; CODE XREF: PpmPerfSelectDomainState(x)+2Aj
		mov	bl, 1
		jmp	short loc_48F7DC
_PpmPerfSelectDomainState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetDpcRequestFlag(x, x)
_KiSetDpcRequestFlag@8 proc near	; CODE XREF: KiCheckForTimerExpiration+313p
					; KiInsertQueueDpc+267p ...

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	ax, [ebx]
		movzx	edi, ax
		mov	eax, edi
		or	eax, edx
		movzx	esi, ax
		mov	ax, di
		lock cmpxchg [ebx], si
		movzx	eax, ax
		cmp	ax, di
		jnz	short loc_48F847

loc_48F83F:				; CODE XREF: KiSetDpcRequestFlag(x,x)+5Bj
		mov	ax, di
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_48F847:				; CODE XREF: KiSetDpcRequestFlag(x,x)+2Bj
		mov	esi, edx

loc_48F849:				; CODE XREF: KiSetDpcRequestFlag(x,x)+5Dj
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlBackoff@4	; RtlBackoff(x)
		mov	ax, [ebx]
		movzx	edi, ax
		mov	eax, edi
		or	eax, esi
		movzx	ecx, ax
		mov	ax, di
		lock cmpxchg [ebx], cx
		movzx	ecx, ax
		cmp	cx, di
		jz	short loc_48F83F
		jmp	short loc_48F849
_KiSetDpcRequestFlag@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1230. KeQueryMaximumProcessorCountEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeQueryMaximumProcessorCountEx
KeQueryMaximumProcessorCountEx proc near ; CODE	XREF: ExpGetSystemProcessorInformation+35p
					; KeQueryLogicalProcessorRelationship+264p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B99DF SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_KeDynamicPartitioningSupported, 0
		jnz	loc_5B99DF
		pop	ebp
		jmp	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
KeQueryMaximumProcessorCountEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiScheduleNextForegroundBoost proc near	; CODE XREF: KiTryScheduleNextForegroundBoost(x)+2Cj
					; KiDirectSwitchThread+518p ...

; FUNCTION CHUNK AT 005B9A15 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		lea	esi, [ecx+228h]
		cmp	dword ptr [esi], 1
		jz	short loc_48F8A2

loc_48F89F:				; CODE XREF: KiScheduleNextForegroundBoost+63j
					; KiScheduleNextForegroundBoost+73j
		pop	esi
		pop	ebp
		retn
; 

loc_48F8A2:				; CODE XREF: KiScheduleNextForegroundBoost+Fj
		push	ebx
		push	edi
		mov	edi, offset dword_6CB2C0
		xor	bl, bl
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	dword ptr [esi], 1
		jnz	short loc_48F8DB
		mov	eax, dword_6CB2BC
		mov	ecx, offset dword_6CB2B8
		cmp	dword_6CB2B8, ecx
		setz	bl
		cmp	[eax], ecx
		jnz	short loc_48F903
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6CB2BC, esi

loc_48F8DB:				; CODE XREF: KiScheduleNextForegroundBoost+27j
		test	ds:byte_70EFC6,	1
		jnz	loc_5B9A15
		xor	eax, eax
		lock and [edi],	eax

loc_48F8ED:				; CODE XREF: KiScheduleNextForegroundBoost+12A191j
		pop	edi
		test	bl, bl
		pop	ebx
		jz	short loc_48F89F
		push	0
		push	0
		push	offset unk_6CB298
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		jmp	short loc_48F89F
; 

loc_48F903:				; CODE XREF: KiScheduleNextForegroundBoost+3Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
KiScheduleNextForegroundBoost endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall KeGetPrcb(x)
_KeGetPrcb@4	proc near		; CODE XREF: PoGetPerfStateAndParkingInfo+45p
					; PoGetIdleTimes(x,x,x)+31p ...
		mov	edi, edi
		push	esi
		push	0FFFFh
		mov	esi, ecx
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		cmp	esi, eax
		jnb	short loc_48F924
		mov	eax, ds:_KiProcessorBlock[esi*4]
		pop	esi
		retn
; 

loc_48F924:				; CODE XREF: KeGetPrcb(x)+11j
		xor	eax, eax
		pop	esi
		retn
_KeGetPrcb@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiEvaluateGroupSchedulingPreemption proc near ;	CODE XREF: KiDeferredReadySingleThread+52Cp
					; KiDeferredReadySingleThread+6EBp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B9A24 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], 0
		mov	esi, edx
		cmp	[edi+8], esi
		jz	loc_48FA7E
		mov	eax, large fs:20h
		cmp	edi, eax
		jz	short loc_48F9B3
		mov	byte ptr [ebp+var_C], 0

loc_48F95C:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+87j
					; KiEvaluateGroupSchedulingPreemption+152j
		push	ebx
		mov	ebx, [esi+50h]
		test	ebx, ebx
		jnz	short loc_48F9B9

loc_48F964:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+8Fj
					; KiEvaluateGroupSchedulingPreemption+A3j
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4], 0
		mov	dword ptr [eax], 0
		mov	eax, [ebp+arg_0]
		mov	edx, [eax+50h]
		test	edx, edx
		jnz	short loc_48F9F8

loc_48F97E:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+D1j
		mov	ecx, [ebp+var_4]
		mov	edi, eax

loc_48F983:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+108j
					; KiEvaluateGroupSchedulingPreemption+116j ...
		test	ebx, ebx
		jnz	short loc_48F9D5

loc_48F987:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+A7j
					; KiEvaluateGroupSchedulingPreemption+C6j
		mov	eax, [ebp+var_8]

loc_48F98A:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+AEj
					; KiEvaluateGroupSchedulingPreemption+B2j
		pop	ebx
		cmp	ecx, eax
		jb	short loc_48F99F
		jnz	short loc_48F9A9
		mov	al, [edi+87h]
		cmp	al, [esi+87h]
		jle	short loc_48F9A9

loc_48F99F:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+5Dj
		pop	edi
		mov	al, 1
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_48F9A9:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+5Fj
					; KiEvaluateGroupSchedulingPreemption+6Dj
		pop	edi
		xor	al, al
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_48F9B3:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+26j
		mov	byte ptr [ebp+var_C], 1
		jmp	short loc_48F95C
; 

loc_48F9B9:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+32j
		add	ebx, [edi+3B34h]
		jz	short loc_48F964
		push	0
		push	[ebp+var_C]
		mov	edx, ebx
		push	ecx
		mov	ecx, esi
		call	_KiGetThreadEffectiveRankNonZero@20 ; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)
		mov	[ebp+var_8], eax
		jmp	short loc_48F964
; 

loc_48F9D5:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+55j
		test	edx, edx
		jz	short loc_48F987
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_48F98A
		test	ecx, ecx
		jz	short loc_48F98A
		lea	eax, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	KiGetComparisonRanks
		mov	ecx, [ebp+var_4]
		jmp	short loc_48F987
; 

loc_48F9F8:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+4Cj
		add	edx, [edi+3B34h]
		mov	[ebp+var_C], edx
		jz	loc_48F97E
		push	0
		push	1
		mov	edi, eax
		push	ecx
		mov	ecx, edi
		call	_KiGetThreadEffectiveRankNonZero@20 ; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)
		mov	edx, [ebp+var_C]
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jnz	short loc_48FA87
		mov	eax, edx

loc_48FA23:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+FEj
		add	ecx, [eax+60h]
		mov	eax, [eax+0F4h]
		test	eax, eax
		jnz	short loc_48FA23
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		mov	ecx, [ebp+var_4]
		jbe	loc_48F983
		mov	eax, [edi+5Ch]
		test	eax, 200h
		jnz	loc_48F983
		cmp	byte ptr [edi+87h], 10h
		jge	loc_48F983
		test	eax, 0C00h
		jnz	loc_48F983
		cmp	dword ptr [edi+13Ch], 0
		jz	loc_5B9A24

loc_48FA71:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+12A101j
		lea	eax, [edi+5Ch]
		lock bts dword ptr [eax], 0Bh
		jmp	loc_48F983
; 

loc_48FA7E:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+18j
		mov	byte ptr [ebp+var_C], 1
		jmp	loc_48F95C
; 

loc_48FA87:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+EFj
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		jmp	loc_48F983
KiEvaluateGroupSchedulingPreemption endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIpiSendPacket(x, x, x, x,	x, x)
_KiIpiSendPacket@24 proc near		; CODE XREF: KeSynchronizeAddressPolicy(x)+B7p
					; KxFlushNonGlobalTb+4Dp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		mov	ecx, large fs:20h
		mov	[esp+18h+var_10], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+18h+var_C], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+18h+var_8], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+18h+var_4], eax
		lea	eax, [esp+18h+var_10]
		push	8
		push	eax
		push	edx
		mov	edx, esi
		call	KiIpiSendRequest
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
_KiIpiSendPacket@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeReleaseSemaphoreEx proc near		; CODE XREF: MiDereferenceControlAreaPfnList+18Dp
					; AlpcpSignal+120p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005B9A36 SIZE 00000058 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_20], edx
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, large fs:20h
		mov	cl, al
		mov	byte ptr [ebp+var_10], cl
		mov	[ebp+var_4], edi
		mov	[ebp+var_14], 0
		lock bts dword ptr [esi], 7
		jb	loc_48FCD6

loc_48FB17:				; CODE XREF: KeReleaseSemaphoreEx+20Ej
		mov	eax, [ebp+arg_0]
		mov	ebx, [esi+4]
		add	eax, ebx
		cmp	eax, [esi+10h]
		jg	loc_5B9A5C
		cmp	eax, ebx
		jl	loc_5B9A5C
		mov	[esi+4], eax
		mov	edx, 0FFFFFF7Fh
		test	ebx, ebx
		jnz	short loc_48FB96
		mov	eax, [esi+8]
		lea	ecx, [esi+8]
		cmp	eax, ecx
		jz	short loc_48FB96

loc_48FB46:				; CODE XREF: KeReleaseSemaphoreEx+129F71j
		mov	edi, eax
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		mov	ecx, [edi+4]
		cmp	[eax+4], edi
		jz	short loc_48FB5C

loc_48FB55:				; CODE XREF: KeReleaseSemaphoreEx+7Ej
					; KeReleaseSemaphoreEx+1C7j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_48FB5C:				; CODE XREF: KeReleaseSemaphoreEx+73j
		cmp	[ecx], edi
		jnz	short loc_48FB55
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	al, [edi+8]
		cmp	al, 1
		jnz	short loc_48FBDC
		movzx	eax, word ptr [edi+0Ah]
		mov	edx, edi
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		push	0
		push	eax
		call	KiTryUnwaitThread
		test	al, al
		jz	loc_5B9A49
		add	dword ptr [esi+4], 0FFFFFFFFh
		jnz	loc_5B9A49

loc_48FB91:				; CODE XREF: KeReleaseSemaphoreEx+198j
					; KeReleaseSemaphoreEx+129F77j
		mov	edx, 0FFFFFF7Fh

loc_48FB96:				; CODE XREF: KeReleaseSemaphoreEx+5Aj
					; KeReleaseSemaphoreEx+64j
		lock and [esi],	edx
		mov	eax, [ebp+arg_8]
		test	al, 1
		jnz	short loc_48FBCC
		xor	esi, esi
		test	al, 2
		jz	short loc_48FBB0
		mov	edx, [edi+4]
		mov	ecx, edi
		call	_KiCompleteDirectSwitchThread@8	; KiCompleteDirectSwitchThread(x,x)

loc_48FBB0:				; CODE XREF: KeReleaseSemaphoreEx+C4j
					; KeReleaseSemaphoreEx+F3j ...
		push	[ebp+var_10]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+var_20]
		push	1
		call	KiExitDispatcher
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_48FBCC:				; CODE XREF: KeReleaseSemaphoreEx+BEj
		mov	esi, 1
		test	al, 4
		jnz	short loc_48FBB0
		mov	esi, 3
		jmp	short loc_48FBB0
; 

loc_48FBDC:				; CODE XREF: KeReleaseSemaphoreEx+8Aj
		cmp	al, 2
		jnz	loc_5B9A36
		mov	byte ptr [edi+9], 5
		mov	eax, [edi+0Ch]
		mov	[ebp+arg_0], eax
		add	eax, 8
		mov	dword ptr [edi], 0
		mov	[ebp+var_18], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_C], eax
		mov	eax, [eax+4]
		mov	[ebp+var_8], eax
		jz	short loc_48FC30
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_48FC30:				; CODE XREF: KeReleaseSemaphoreEx+139j
		mov	ecx, [ebp+arg_0]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+arg_0]
		cmp	[edx], edx
		jz	short loc_48FC8F
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+1Ch]
		jnb	short loc_48FC8F
		mov	eax, [ebp+var_8]
		mov	eax, [eax+0A4h]
		cmp	eax, ecx
		jz	short loc_48FC83

loc_48FC57:				; CODE XREF: KeReleaseSemaphoreEx+1ADj
		mov	edx, ecx
		mov	ecx, [ebp+var_C]
		push	edi
		call	KiWakeQueueWaiter
		mov	ecx, [ebp+arg_0]
		test	al, al
		jz	short loc_48FC8F

loc_48FC69:				; CODE XREF: KeReleaseSemaphoreEx+1E1j
					; KeReleaseSemaphoreEx+1E5j ...
		mov	edi, 0FFFFFF7Fh
		lock and [ecx],	edi
		add	dword ptr [esi+4], 0FFFFFFFFh
		mov	edi, [ebp+var_4]
		jz	loc_48FB91
		jmp	loc_5B9A49
; 

loc_48FC83:				; CODE XREF: KeReleaseSemaphoreEx+175j
		mov	eax, [ebp+var_8]
		cmp	byte ptr [eax+18Bh], 0Fh
		jnz	short loc_48FC57

loc_48FC8F:				; CODE XREF: KeReleaseSemaphoreEx+160j
					; KeReleaseSemaphoreEx+168j ...
		mov	eax, [ecx+4]
		mov	[ebp+var_8], eax
		inc	eax
		mov	[ecx+4], eax
		lea	eax, [ecx+10h]
		mov	edx, [eax+4]
		mov	[ebp+var_18], edx
		cmp	[edx], eax
		lea	edx, [ecx+8]
		jnz	loc_48FB55
		cmp	[ebp+var_8], 0
		mov	ecx, [ebp+var_18]
		mov	[edi+4], ecx
		mov	[edi], eax
		mov	[ecx], edi
		mov	ecx, [ebp+arg_0]
		mov	[eax+4], edi
		jnz	short loc_48FC69
		cmp	[edx], edx
		jz	short loc_48FC69
		mov	edx, ecx
		mov	ecx, [ebp+var_C]
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		mov	ecx, [ebp+arg_0]
		jmp	short loc_48FC69
; 

loc_48FCD6:				; CODE XREF: KeReleaseSemaphoreEx+31j
					; KeReleaseSemaphoreEx+202j ...
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	al, al
		js	short loc_48FCD6
		lock bts dword ptr [esi], 7
		jb	short loc_48FCD6
		mov	cl, byte ptr [ebp+var_10]
		jmp	loc_48FB17
KeReleaseSemaphoreEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiCompleteDirectSwitchThread(x, x)
_KiCompleteDirectSwitchThread@8	proc near ; CODE XREF: KeReleaseSemaphoreEx+CBp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], ecx
		test	byte ptr [esi+5Ch], 20h
		lea	eax, [esi+5Ch]
		mov	[ebp+var_1C], esi
		jz	loc_48FDF6
		push	ebx
		push	edi
		lock btr dword ptr [eax], 5
		cli
		push	0
		call	KiEndThreadCycleAccumulation
		mov	ebx, eax
		mov	[ebp+var_C], edx
		push	ecx
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		mov	[ebp+var_4], ebx
		call	KiStartThreadCycleAccumulation
		sti
		mov	edx, [ebp+var_8]
		mov	eax, [edx+3B1Ch]
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_48FDC7
		lea	edi, [esi+18h]
		xor	eax, eax
		xor	edx, edx
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	edi, eax
		mov	[ebp+var_14], edx
		cmp	edx, [ebp+var_C]
		jb	short loc_48FDC4
		ja	short loc_48FD74
		mov	ebx, [ebp+var_4]
		cmp	edi, ebx
		jbe	short loc_48FDC7

loc_48FD74:				; CODE XREF: KiCompleteDirectSwitchThread(x,x)+6Bj
		mov	esi, [ebp+var_10]
		xor	eax, eax
		add	esi, 0FFFFFF7Ch
		xor	edx, edx
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [esi]
		sub	edi, [ebp+var_4]
		mov	ebx, eax
		mov	eax, [ebp+var_14]
		mov	ecx, edx
		sbb	eax, [ebp+var_C]
		add	ebx, edi
		mov	[ebp+var_10], ebx
		adc	ecx, eax
		mov	[ebp+var_14], ecx

loc_48FDA1:				; CODE XREF: KiCompleteDirectSwitchThread(x,x)+BAj
					; KiCompleteDirectSwitchThread(x,x)+BFj
		mov	edi, [esi]
		mov	eax, edi
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_18], ecx
		nop
		mov	ecx, [ebp+var_14]
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [ebp+var_10]
		cmp	eax, edi
		jnz	short loc_48FDA1
		cmp	edx, [ebp+var_18]
		jnz	short loc_48FDA1
		mov	esi, [ebp+var_1C]

loc_48FDC4:				; CODE XREF: KiCompleteDirectSwitchThread(x,x)+69j
		mov	ebx, [ebp+var_4]

loc_48FDC7:				; CODE XREF: KiCompleteDirectSwitchThread(x,x)+4Fj
					; KiCompleteDirectSwitchThread(x,x)+72j
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	KiRemoveBoostThread
		lea	edi, [esi+18h]

loc_48FDD4:				; CODE XREF: KiCompleteDirectSwitchThread(x,x)+EDj
					; KiCompleteDirectSwitchThread(x,x)+F2j
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_1C], ecx
		nop
		mov	ecx, [ebp+var_C]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_48FDD4
		cmp	edx, [ebp+var_1C]
		jnz	short loc_48FDD4
		pop	edi
		pop	ebx

loc_48FDF6:				; CODE XREF: KiCompleteDirectSwitchThread(x,x)+18j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_KiCompleteDirectSwitchThread@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiRemoveBoostThread proc near		; CODE XREF: KeSetEventBoostPriorityEx+117p
					; KeGenericProcessorCallback(x,x,x,x)+140p ...

var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		mov	esi, edx
		push	edi
		mov	[ebp+var_8], esi
		mov	edi, ecx
		cmp	byte ptr [esi+15Ch], 0
		jz	loc_48FF05
		push	ebx
		lea	ebx, [esi+2Ch]
		mov	[ebp+var_C], 0
		mov	[ebp+var_18], ebx
		lea	esp, [esp+0]

loc_48FE30:				; CODE XREF: KiRemoveBoostThread+15Ej
		lock bts dword ptr [ebx], 0
		jb	loc_48FF50
		mov	al, [esi+15Ch]
		mov	dl, [esi+87h]
		mov	cl, al
		mov	bh, dl
		and	cl, 0Fh
		jnz	loc_48FF0F

loc_48FE54:				; CODE XREF: KiRemoveBoostThread+111j
		shr	al, 4
		test	al, al
		jz	loc_48FF16
		mov	bl, dl
		mov	[esi+15Ch], cl
		sub	bl, al
		mov	[ebp+var_10], 0
		mov	eax, [esi+214h]
		test	eax, eax
		jnz	loc_48FF1A

loc_48FE7E:				; CODE XREF: KiRemoveBoostThread+125j
					; KiRemoveBoostThread+12Dj
		cmp	bl, dl
		jz	short loc_48FEF3
		mov	[ebp+var_1], 0
		lea	esi, [edi+2224h]
		mov	[ebp+var_14], 0

loc_48FE93:				; CODE XREF: KiRemoveBoostThread+171j
		lock bts dword ptr [esi], 0
		jb	loc_48FF63
		cmp	dword ptr [edi+8], 0
		mov	esi, [ebp+var_8]
		jnz	short loc_48FEC3
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	KiSelectReadyThreadEx
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jnz	loc_48FF76
		mov	[ebp+var_1], 1

loc_48FEC3:				; CODE XREF: KiRemoveBoostThread+A5j
					; KiRemoveBoostThread+1C7j
		push	1
		mov	dl, bl
		mov	ecx, esi
		call	KiAbProcessThreadPriorityModification
		cmp	[ebp+var_1], 0
		mov	[esi+87h], bl
		jz	short loc_48FEE8
		test	byte ptr [esi+2], 4
		jnz	short loc_48FF32

loc_48FEE0:				; CODE XREF: KiRemoveBoostThread+13Fj
					; KiRemoveBoostThread+147j
		mov	eax, [edi+33Ch]
		mov	[eax], bl

loc_48FEE8:				; CODE XREF: KiRemoveBoostThread+D8j
		xor	ecx, ecx
		lea	eax, [edi+2224h]
		lock and [eax],	ecx

loc_48FEF3:				; CODE XREF: KiRemoveBoostThread+80j
					; KiRemoveBoostThread+118j
		mov	ecx, [ebp+var_18]
		mov	al, bh
		pop	ebx
		mov	dword ptr [ecx], 0

loc_48FEFF:				; CODE XREF: KiRemoveBoostThread+10Dj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_48FF05:				; CODE XREF: KiRemoveBoostThread+18j
		mov	al, [esi+87h]
		inc	al
		jmp	short loc_48FEFF
; 

loc_48FF0F:				; CODE XREF: KiRemoveBoostThread+4Ej
		sub	bh, cl
		jmp	loc_48FE54
; 

loc_48FF16:				; CODE XREF: KiRemoveBoostThread+59j
		inc	bh
		jmp	short loc_48FEF3
; 

loc_48FF1A:				; CODE XREF: KiRemoveBoostThread+78j
		bsr	ecx, eax
		movsx	eax, bl
		mov	[ebp+var_10], ecx
		cmp	eax, ecx
		jge	loc_48FE7E
		mov	bl, cl
		jmp	loc_48FE7E
; 

loc_48FF32:				; CODE XREF: KiRemoveBoostThread+DEj
		mov	edx, edi
		mov	ecx, esi
		call	KiIsThreadRankNonZero
		mov	bl, 1
		test	al, al
		jnz	short loc_48FEE0
		mov	bl, [esi+87h]
		jmp	short loc_48FEE0
; 
		align 10h

loc_48FF50:				; CODE XREF: KiRemoveBoostThread+35j
					; KiRemoveBoostThread+15Cj
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_48FF50
		jmp	loc_48FE30
; 

loc_48FF63:				; CODE XREF: KiRemoveBoostThread+98j
					; KiRemoveBoostThread+16Fj
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_48FF63
		jmp	loc_48FE93
; 

loc_48FF76:				; CODE XREF: KiRemoveBoostThread+B9j
		test	byte ptr [ecx+2], 4
		jnz	loc_5B9A75

loc_48FF80:				; CODE XREF: KeReleaseSemaphoreEx+129FA9j
		mov	dl, [ecx+87h]

loc_48FF86:				; CODE XREF: KeReleaseSemaphoreEx+129FA3j
		mov	eax, [edi+33Ch]
		mov	[eax], dl
		mov	[edi+8], ecx
		cmp	ecx, [edi+0Ch]
		jz	short loc_48FFCC
		xor	al, al

loc_48FF98:				; CODE XREF: KiRemoveBoostThread+1CEj
		mov	edx, [edi+4DCh]
		test	edx, edx
		jz	short loc_48FFA5
		mov	[edx+10h], al

loc_48FFA5:				; CODE XREF: KiRemoveBoostThread+1A0j
		mov	al, [ecx+90h]
		cmp	al, 1
		jnz	short loc_48FFC0
		mov	eax, ds:_KeTickCount
		sub	eax, [ecx+138h]
		add	[ecx+170h], eax

loc_48FFC0:				; CODE XREF: KiRemoveBoostThread+1ADj
		mov	byte ptr [ecx+90h], 3
		jmp	loc_48FEC3
; 

loc_48FFCC:				; CODE XREF: KiRemoveBoostThread+194j
		mov	al, 1
		jmp	short loc_48FF98
KiRemoveBoostThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSelectReadyThreadEx proc near		; CODE XREF: KiSchedulerApc+16Ap
					; KiApplyForegroundBoostThread+122p ...

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005B9A8E SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		test	esi, esi
		jz	short loc_490047
		mov	al, [esi+87h]
		cmp	al, 1Fh
		jz	loc_5B9A8E
		test	[ebp+arg_0], 2
		movsx	edi, al
		jnz	short loc_48FFF8
		inc	edi

loc_48FFF8:				; CODE XREF: KiSelectReadyThreadEx+25j
		mov	edx, [esi+50h]
		test	edx, edx
		jnz	short loc_49000F

loc_48FFFF:				; CODE XREF: KiSelectReadyThreadEx+45j
					; KiSelectReadyThreadEx+64j
					; DATA XREF: ...
		mov	ecx, edi

loc_490001:				; CODE XREF: KiSelectReadyThreadEx+9Aj
		mov	edx, ebx
		call	KiSelectReadyThread

loc_490008:				; CODE XREF: KiSelectReadyThreadEx+85j
					; KiSelectReadyThreadEx+90j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_49000F:				; CODE XREF: KiSelectReadyThreadEx+2Dj
		add	edx, [ebx+3B34h]
		jz	short loc_48FFFF
		mov	eax, large fs:20h
		cmp	ebx, eax
		jnz	short loc_49006C

loc_490021:				; CODE XREF: KiSelectReadyThreadEx+9Fj
		mov	[ebp+arg_0], 1

loc_490025:				; CODE XREF: KiSelectReadyThreadEx+A5j
		push	0
		push	dword ptr [ebp+arg_0]
		push	ecx
		mov	ecx, esi
		call	_KiGetThreadEffectiveRankNonZero@20 ; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)
		test	eax, eax
		jz	short loc_48FFFF
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	KiChooseLowestRankedThread
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_490047:				; CODE XREF: KiSelectReadyThreadEx+Ej
		mov	edx, ebx

loc_490049:				; DATA XREF: .text:005A49C6o
		mov	ecx, 1
		call	KiSelectReadyThread
		test	eax, eax
		jnz	short loc_490008

loc_490057:				; DATA XREF: .text:??_C@_1BE@BDEKEKBI@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAP?$AAK?$AAG@FNODOBFM@o
					; .text:??_C@_1BO@BOGEHPME@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAS?$AAY?$AAS?$AAA?$AAP?$AAP?$AAI?$AAD@FNODOBFM@o ...
		mov	ecx, ebx
		call	KiSelectLowestRankedThread
		test	eax, eax
		jnz	short loc_490008
		test	[ebp+arg_0], 1
		jnz	short loc_490008
		xor	ecx, ecx
		jmp	short loc_490001
; 

loc_49006C:				; CODE XREF: KiSelectReadyThreadEx+4Fj
		cmp	esi, [ebx+4]
		jnz	short loc_490021
		mov	[ebp+arg_0], 0
		jmp	short loc_490025
KiSelectReadyThreadEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KxFlushNonGlobalTb proc	near		; CODE XREF: KiFlushTb+23p

var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B9A95 SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	esi, ecx
		stosd
		stosd
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	bl, al
		mov	[ebp+var_11], bl
		test	esi, esi
		jz	loc_5B9A95
		mov	esi, ds:_KeNumberProcessors
		xor	edx, edx
		dec	esi
		lea	ecx, [edx+1]

loc_4900BE:				; CODE XREF: KxFlushNonGlobalTb+129A86j
		test	esi, esi
		jz	short loc_4900D2
		push	0
		push	0
		push	0
		push	offset _KiFlushTargetProcessTb@16 ; KiFlushTargetProcessTb(x,x,x,x)
		call	_KiIpiSendPacket@24 ; KiIpiSendPacket(x,x,x,x,x,x)

loc_4900D2:				; CODE XREF: KxFlushNonGlobalTb+40j
		mov	eax, cr3
		mov	cr3, eax
		test	esi, esi
		jz	short loc_4900FC
		mov	eax, large fs:20h
		mov	ecx, [eax+2120h]
		test	ecx, ecx
		jz	short loc_4900FC
		lea	esp, [esp+0]

loc_4900F0:				; CODE XREF: KxFlushNonGlobalTb+7Aj
		pause
		mov	ecx, [eax+2120h]
		test	ecx, ecx
		jnz	short loc_4900F0

loc_4900FC:				; CODE XREF: KxFlushNonGlobalTb+5Aj
					; KxFlushNonGlobalTb+6Aj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_490104:				; DATA XREF: .text:00425EACo
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
KxFlushNonGlobalTb endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfApplyDomainState	proc near	; CODE XREF: PpmPerfApplyDomainStates+40p

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_34		= byte ptr -34h
var_33		= byte ptr -33h
var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_B		= word ptr -0Bh
var_9		= byte ptr -9
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B9B0B SIZE 00000297 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, ecx
		mov	[ebp+var_78], 0
		push	ebx
		xor	eax, eax
		mov	[ebp+var_80], 0
		push	esi
		push	edi
		mov	ecx, 0Ah
		mov	[ebp+var_7C], 0
		lea	edi, [ebp+var_30]
		mov	[ebp+var_38], edx
		rep stosd
		mov	eax, [edx+24h]
		mov	ecx, _PpmCurrentProfile
		add	ecx, 20h
		mov	[ebp+var_33], 0
		mov	eax, [eax+4]
		mov	[ebp+var_88], eax
		xor	al, al
		mov	[ebp+var_39], al
		imul	eax, dword_6C2D0C, 0F0h
		add	eax, ecx
		mov	[ebp+var_68], eax
		mov	eax, [edx+8]
		mov	ecx, eax
		mov	[ebp+var_50], eax
		call	PpmGetPerfPolicyClass
		movzx	eax, al
		xor	ecx, ecx
		mov	[ebp+var_74], eax
		mov	eax, [edx+58h]
		mov	[ebp+var_5C], eax
		mov	[ebp+var_6C], eax
		mov	eax, [edx+60h]
		mov	[ebp+var_48], 64h
		mov	[ebp+var_60], ecx
		mov	[ebp+var_34], cl
		mov	[ebp+var_64], ecx
		mov	[ebp+var_58], eax
		mov	[ebp+var_70], eax
		cmp	ds:_PpmPerfArtificialDomainEnabled, ecx
		jnz	loc_5B9B0B

loc_4901CE:				; CODE XREF: PpmPerfApplyDomainState+129A00j
		mov	edi, [edx]
		mov	esi, edx
		mov	[ebp+var_40], edx

loc_4901D5:				; CODE XREF: PpmPerfApplyDomainState+129A14j
		mov	[ebp+var_54], edi
		cmp	esi, edi
		jz	short loc_490230

loc_4901DC:				; CODE XREF: PpmPerfApplyDomainState+129A1Cj
		mov	ebx, [esi+84h]
		mov	[ebp+var_58], ebx
		cmp	esi, edx
		jnz	loc_5B9B41

loc_4901ED:				; CODE XREF: PpmPerfApplyDomainState+129AD8j
		cmp	ebx, ecx
		jbe	short loc_4901F4
		mov	[ebp+var_60], ebx

loc_4901F4:				; CODE XREF: PpmPerfApplyDomainState+CFj
		cmp	byte ptr [esi+8Ch], 0
		jnz	loc_5B9BFD

loc_490201:				; CODE XREF: PpmPerfApplyDomainState+129AE1j
		push	esi

loc_490202:				; DATA XREF: .text:00425E9Co
		lea	eax, [ebp+var_48]
		push	eax
		lea	edx, [ebp+var_70]
		lea	ecx, [ebp+var_6C]
		call	PpmPerfApplyCapsAndFloors
		or	[ebp+var_33], al
		mov	edx, [ebp+var_38]

loc_490217:				; CODE XREF: PpmPerfApplyDomainState+129A34j
					; PpmPerfApplyDomainState+129A4Cj ...
		mov	esi, [esi]
		mov	[ebp+var_40], esi
		cmp	esi, edi
		jnz	loc_5B9B39
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+var_70]
		mov	[ebp+var_58], eax

loc_490230:				; CODE XREF: PpmPerfApplyDomainState+BAj
		xor	ebx, ebx

loc_490232:				; CODE XREF: PpmPerfApplyDomainState+1C0j
		cmp	dword ptr [edx+ebx*4+11Ch], 0
		jz	loc_490304
		lea	eax, [ebx+7]
		lea	eax, [eax+eax*4]
		lea	esi, [edx+eax*8]

loc_490249:				; CODE XREF: PpmPerfApplyDomainState+447j
		cmp	byte ptr [edx+214h], 0
		lea	eax, [ebx+8]
		lea	eax, [eax+eax*4]
		lea	edi, [edx+eax*8]
		jnz	loc_49059C
		mov	cl, [esi+24h]
		cmp	[edi+24h], cl
		jnz	loc_49059C
		mov	eax, [edi+10h]
		cmp	eax, [esi+10h]
		jnz	loc_49059C
		mov	eax, [edi+14h]
		cmp	eax, [esi+14h]
		jnz	loc_49059C
		mov	eax, [edi+1Ch]
		cmp	eax, [esi+1Ch]
		jnz	loc_49059C
		mov	eax, [edi+20h]
		cmp	eax, [esi+20h]
		jnz	loc_49059C
		mov	eax, [edi]
		cmp	eax, [esi]
		jnz	loc_49059C
		mov	eax, [edi+4]
		cmp	eax, [esi+4]
		jnz	loc_49059C
		mov	eax, [ebp+var_48]
		cmp	eax, [edx+88h]
		jnz	loc_49059C
		test	cl, cl
		jnz	short loc_4902DC
		mov	eax, [edi+18h]
		cmp	eax, [esi+18h]
		jnz	loc_49059C
		mov	eax, [edi+8]
		cmp	eax, [esi+8]
		jnz	loc_49059C

loc_4902DC:				; CODE XREF: PpmPerfApplyDomainState+1A2j
					; PpmPerfApplyDomainState+487j
		inc	ebx
		cmp	ebx, 5
		jb	loc_490232
		mov	bl, [ebp+var_39]
		test	bl, bl
		jnz	loc_4905AC

loc_4902F1:				; CODE XREF: PpmPerfApplyDomainState+4D5j
		mov	al, bl
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_490304:				; CODE XREF: PpmPerfApplyDomainState+11Aj
		lea	edi, ds:0[ebx*8]
		xor	esi, esi
		sub	edi, ebx
		mov	[ebp+var_50], esi
		add	edi, 24h
		cmp	byte ptr [edx+edi*4+15h], 0
		lea	edi, [edx+edi*4]
		mov	[ebp+var_8C], edi
		jnz	loc_5B9C06
		mov	eax, [edx+5Ch]

loc_49032C:				; CODE XREF: PpmPerfApplyDomainState+129AF1j
		mov	ecx, [edi+8]
		cmp	eax, ecx
		ja	short loc_490335
		mov	eax, ecx

loc_490335:				; CODE XREF: PpmPerfApplyDomainState+211j
		mov	cl, [edi+16h]
		mov	[ebp+var_32], cl
		test	cl, cl
		jz	loc_5B9C16
		mov	edx, [edx+58h]

loc_490346:				; CODE XREF: PpmPerfApplyDomainState+129B0Aj
					; PpmPerfApplyDomainState+129B12j
		mov	ecx, [edi]
		mov	[ebp+var_4C], edx
		cmp	ecx, 64h
		jb	loc_5B9C37

loc_490354:				; CODE XREF: PpmPerfApplyDomainState+129B19j
					; PpmPerfApplyDomainState+129B24j
		mov	ecx, [edi+4]
		cmp	edx, ecx
		jb	short loc_490360
		mov	edx, ecx
		mov	[ebp+var_4C], edx

loc_490360:				; CODE XREF: PpmPerfApplyDomainState+239j
		mov	cl, _PpmPerfMaxOverrideEnabled
		mov	[ebp+var_31], cl
		test	cl, cl
		jnz	loc_49056C
		cmp	_PpmCheckLatencyBoostActive, 0
		jnz	loc_5B9C49
		cmp	[ebp+var_34], cl
		jnz	loc_5B9C52
		xor	ecx, ecx

loc_490389:				; CODE XREF: PpmPerfApplyDomainState+451j
					; PpmPerfApplyDomainState+129B2Dj ...
		mov	[ebp+var_44], ecx
		cmp	ecx, edx
		jnb	loc_490576
		mov	esi, ecx

loc_490396:				; CODE XREF: PpmPerfApplyDomainState+458j
		cmp	esi, eax
		ja	loc_5B9C61
		mov	esi, eax

loc_4903A0:				; CODE XREF: PpmPerfApplyDomainState+129B47j
					; PpmPerfApplyDomainState+129B4Ej
		cmp	esi, [ebp+var_48]
		jb	loc_5B9C73
		mov	esi, [ebp+var_48]

loc_4903AC:				; CODE XREF: PpmPerfApplyDomainState+129B65j
					; PpmPerfApplyDomainState+129B6Cj ...
		cmp	esi, [ebp+var_58]
		jbe	loc_5B9CCC
		cmp	ecx, edx
		jnb	loc_49057D
		mov	esi, ecx

loc_4903BF:				; CODE XREF: PpmPerfApplyDomainState+45Fj
		cmp	esi, eax
		ja	loc_5B9C98
		mov	esi, eax

loc_4903C9:				; CODE XREF: PpmPerfApplyDomainState+129B7Ej
					; PpmPerfApplyDomainState+129B85j
		cmp	esi, [ebp+var_48]
		jb	loc_5B9CAA
		mov	ecx, [ebp+var_48]

loc_4903D5:				; CODE XREF: PpmPerfApplyDomainState+129BA0j
					; PpmPerfApplyDomainState+129BA7j ...
		mov	[ebp+var_44], ecx

loc_4903D8:				; CODE XREF: PpmPerfApplyDomainState+129B98j
		cmp	edx, eax
		ja	loc_5B9CD4
		mov	esi, eax

loc_4903E2:				; CODE XREF: PpmPerfApplyDomainState+129BB6j
		cmp	esi, [ebp+var_5C]
		jb	loc_5B9CDB
		mov	esi, [ebp+var_5C]

loc_4903EE:				; CODE XREF: PpmPerfApplyDomainState+129BC1j
					; PpmPerfApplyDomainState+129BC8j
		cmp	esi, [ebp+var_58]
		jbe	loc_5B9D03
		cmp	edx, eax
		ja	loc_5B9CED
		mov	esi, eax

loc_490401:				; CODE XREF: PpmPerfApplyDomainState+129BCFj
		cmp	esi, [ebp+var_5C]
		jb	loc_5B9CF4
		mov	edx, [ebp+var_5C]

loc_49040D:				; CODE XREF: PpmPerfApplyDomainState+129BDEj
					; PpmPerfApplyDomainState+129BE6j
		mov	[ebp+var_4C], edx

loc_490410:				; CODE XREF: PpmPerfApplyDomainState+129BD6j
		cmp	[ebp+var_31], 0
		jnz	loc_490584
		cmp	byte ptr [edi+18h], 0
		jz	loc_5B9D0B
		mov	eax, [ebp+var_60]
		mov	esi, [ebp+var_64]
		cmp	eax, esi
		jbe	short loc_490430
		mov	esi, eax

loc_490430:				; CODE XREF: PpmPerfApplyDomainState+30Cj
					; PpmPerfApplyDomainState+129BEEj
		mov	[ebp+var_40], esi
		cmp	esi, edx
		ja	loc_5B9D13

loc_49043B:				; CODE XREF: PpmPerfApplyDomainState+469j
		cmp	esi, ecx
		jnb	short loc_490442
		mov	[ebp+var_40], ecx

loc_490442:				; CODE XREF: PpmPerfApplyDomainState+31Dj
					; PpmPerfApplyDomainState+129BFAj ...
		mov	al, [ebp+var_32]
		cmp	al, 2
		jnz	loc_5B9D29

loc_49044D:				; CODE XREF: PpmPerfApplyDomainState+129C0Bj
					; PpmPerfApplyDomainState+129C1Dj
		cmp	al, 5
		jz	loc_5B9D42
		cmp	al, 6
		jz	loc_5B9D42
		cmp	ds:_PpmPerfBoostAtGuaranteed, 0
		jnz	loc_5B9D42
		mov	eax, 64h

loc_49046F:				; CODE XREF: PpmPerfApplyDomainState+129C25j
		cmp	[ebp+var_40], eax
		jb	short loc_490477
		mov	[ebp+var_40], edx

loc_490477:				; CODE XREF: PpmPerfApplyDomainState+352j
					; PpmPerfApplyDomainState+129C17j
		cmp	[ebp+var_31], 0
		jnz	loc_49058E
		mov	eax, [ebp+var_68]
		mov	eax, [eax+3Ch]

loc_490487:				; CODE XREF: PpmPerfApplyDomainState+470j
		cmp	eax, esi
		jnb	loc_5B9D4A
		sub	esi, eax

loc_490491:				; CODE XREF: PpmPerfApplyDomainState+129C2Cj
		cmp	esi, ecx
		jnb	short loc_490497
		mov	esi, ecx

loc_490497:				; CODE XREF: PpmPerfApplyDomainState+373j
		mov	eax, [ebp+var_48]
		cmp	esi, eax
		ja	loc_5B9D51

loc_4904A2:				; CODE XREF: PpmPerfApplyDomainState+129C33j
		cmp	[ebp+var_31], 0
		jnz	loc_490595
		cmp	_PpmCheckDeadlineBoostActive, 0
		jnz	loc_490595
		mov	eax, [edi+10h]

loc_4904BC:				; CODE XREF: PpmPerfApplyDomainState+477j
		cmp	[ebp+var_34], 0
		mov	[ebp+var_54], eax
		jnz	loc_5B9D58

loc_4904C9:				; CODE XREF: PpmPerfApplyDomainState+129C4Dj
					; PpmPerfApplyDomainState+129C5Cj
		mov	al, [edi+14h]
		mov	[ebp+var_32], al
		test	al, al
		mov	eax, [ebp+var_50]
		jz	loc_5B9D81

loc_4904DA:				; CODE XREF: PpmPerfApplyDomainState+129C64j
		lea	ecx, [ebp+var_80]
		push	ecx
		lea	ecx, [ebp+var_78]
		push	ecx
		mov	ecx, [ebp+var_44]
		push	eax
		mov	eax, [edi+0Ch]
		mov	edi, [ebp+var_38]
		push	eax
		push	[ebp+var_54]
		mov	eax, [edi+44h]
		push	edx
		mov	edx, [ebp+var_40]
		push	ecx
		mov	ecx, [ebp+var_88]
		call	eax
		mov	ecx, eax
		cmp	esi, ecx
		ja	loc_5B9D89

loc_49050A:				; CODE XREF: PpmPerfApplyDomainState+129C6Bj
		xor	eax, eax
		mov	[ebp+var_B], ax
		mov	[ebp+var_9], al
		cmp	[ebp+var_32], al
		jz	loc_5B9D90
		mov	[ebp+var_C], al

loc_49051F:				; CODE XREF: PpmPerfApplyDomainState+129C74j
		mov	eax, [ebp+var_80]
		mov	edx, edi
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_7C]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_78]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_44]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_54]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_8C]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_18], esi
		mov	eax, [eax+0Ch]
		mov	[ebp+var_10], eax
		test	ebx, ebx
		jnz	short loc_490564
		cmp	[edx+4Ch], ebx
		jnz	loc_5B9D99

loc_490564:				; CODE XREF: PpmPerfApplyDomainState+439j
					; PpmPerfApplyDomainState+129C7Dj
		lea	esi, [ebp+var_30]
		jmp	loc_490249
; 

loc_49056C:				; CODE XREF: PpmPerfApplyDomainState+24Bj
		mov	ecx, 64h
		jmp	loc_490389
; 

loc_490576:				; CODE XREF: PpmPerfApplyDomainState+26Ej
		mov	esi, edx
		jmp	loc_490396
; 

loc_49057D:				; CODE XREF: PpmPerfApplyDomainState+297j
		mov	esi, edx
		jmp	loc_4903BF
; 

loc_490584:				; CODE XREF: PpmPerfApplyDomainState+2F4j
		mov	esi, edx
		mov	[ebp+var_40], esi
		jmp	loc_49043B
; 

loc_49058E:				; CODE XREF: PpmPerfApplyDomainState+35Bj
		xor	eax, eax
		jmp	loc_490487
; 

loc_490595:				; CODE XREF: PpmPerfApplyDomainState+386j
					; PpmPerfApplyDomainState+393j
		xor	eax, eax
		jmp	loc_4904BC
; 

loc_49059C:				; CODE XREF: PpmPerfApplyDomainState+139j
					; PpmPerfApplyDomainState+145j	...
		mov	ecx, 0Ah
		mov	[ebp+var_39], 1
		rep movsd
		jmp	loc_4902DC
; 

loc_4905AC:				; CODE XREF: PpmPerfApplyDomainState+1CBj
		mov	eax, [edx+13Ch]
		add	eax, 1
		jz	short loc_4905FA

loc_4905B7:				; CODE XREF: PpmPerfApplyDomainState+4DFj
		mov	edi, [ebp+var_38]
		mov	[edx+13Ch], eax
		mov	byte ptr [edx+214h], 0
		mov	edx, [ebp+var_48]
		push	0
		mov	[edi+88h], edx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, edi
		mov	[edi+208h], eax
		mov	[edi+20Ch], edx
		mov	dword ptr [edi+210h], 0
		call	PpmEventDomainPerfStateChange
		jmp	loc_4902F1
; 

loc_4905FA:				; CODE XREF: PpmPerfApplyDomainState+495j
		mov	eax, 1
		jmp	short loc_4905B7
PpmPerfApplyDomainState	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfApplyCapsAndFloors proc near	; CODE XREF: PpmPerfApplyDomainState+ECp

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005B9DA2 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		mov	edx, [ebp+arg_4]
		xor	al, al
		mov	[ebp+var_1], al
		mov	esi, [edx+1Ch]
		test	esi, esi
		jz	short loc_490682
		mov	al, [edx+7Ah]
		mov	edx, [edx+24h]
		push	ebx
		mov	ebx, [ebp+arg_0]
		add	edx, 8
		mov	byte ptr [ebp+arg_4+3],	al
		mov	edi, edi

loc_490640:				; CODE XREF: PpmPerfApplyCapsAndFloors+6Cj
		mov	eax, [edx+4]
		mov	ecx, [edx+18h]
		cmp	eax, ecx
		jb	short loc_49064C
		mov	eax, ecx

loc_49064C:				; CODE XREF: PpmPerfApplyCapsAndFloors+38j
		cmp	byte ptr [ebp+arg_4+3],	0
		jz	short loc_49065A
		mov	ecx, [edx]
		cmp	eax, ecx
		jb	short loc_49065A
		mov	eax, ecx

loc_49065A:				; CODE XREF: PpmPerfApplyCapsAndFloors+40j
					; PpmPerfApplyCapsAndFloors+46j
		cmp	eax, 64h
		jb	loc_5B9DA2

loc_490663:				; CODE XREF: PpmPerfApplyCapsAndFloors+129797j
					; PpmPerfApplyCapsAndFloors+1297A3j
		mov	ecx, [edx]
		cmp	eax, ecx
		jb	short loc_49066B
		mov	eax, ecx

loc_49066B:				; CODE XREF: PpmPerfApplyCapsAndFloors+57j
		cmp	[ebx], eax
		ja	short loc_49068A

loc_49066F:				; CODE XREF: PpmPerfApplyCapsAndFloors+7Cj
		mov	ecx, [edx+1Ch]
		cmp	[edi], ecx
		jb	short loc_49068E

loc_490676:				; CODE XREF: PpmPerfApplyCapsAndFloors+80j
		add	edx, 78h
		sub	esi, 1
		jnz	short loc_490640
		mov	al, [ebp+var_1]
		pop	ebx

loc_490682:				; CODE XREF: PpmPerfApplyCapsAndFloors+1Cj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_49068A:				; CODE XREF: PpmPerfApplyCapsAndFloors+5Dj
		mov	[ebx], eax
		jmp	short loc_49066F
; 

loc_49068E:				; CODE XREF: PpmPerfApplyCapsAndFloors+64j
		mov	[edi], ecx
		jmp	short loc_490676
PpmPerfApplyCapsAndFloors endp


;  S U B	R O U T	I N E 


PpmGetPerfPolicyClass proc near		; CODE XREF: PpmPerfApplyDomainState+73p
					; PpmPerfApplyLatencyHint+2Ap ...

; FUNCTION CHUNK AT 005B9DB8 SIZE 00000015 BYTES

		test	ecx, ecx
		jz	short loc_4906AB
		cmp	ds:_PpmHeteroNominalPerformanceClasses,	1
		ja	loc_5B9DB8
		mov	al, [ecx+30h]

loc_4906A6:				; CODE XREF: PpmGetPerfPolicyClass+12972Fj
					; PpmGetPerfPolicyClass+129736j
		cmp	al, 1
		jnb	short loc_4906AE
		retn
; 

loc_4906AB:				; CODE XREF: PpmGetPerfPolicyClass+2j
		xor	al, al
		retn
; 

loc_4906AE:				; CODE XREF: PpmGetPerfPolicyClass+16j
		mov	al, 1
		retn
PpmGetPerfPolicyClass endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpGetSystemProcessorInformation proc near ; CODE XREF:	PAGE:0077DBF9p

ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6A1228
		call	__SEH_prolog4
		mov	edi, ecx
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], esi
		mov	ax, ds:_KeProcessorArchitecture
		mov	[edi], ax
		mov	ax, ds:_KeProcessorLevel
		mov	[edi+2], ax
		mov	ax, ds:_KeProcessorRevision
		mov	[edi+4], ax
		push	0FFFFh
		call	KeQueryMaximumProcessorCountEx
		mov	[edi+6], ax
		mov	eax, ds:_KeFeatureBits
		mov	[edi+8], eax

loc_4906F8:				; CODE XREF: sub_5B9DDD+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
ExpGetSystemProcessorInformation endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpGetSystemBasicInformation proc near	; CODE XREF: PAGE:0077DB3Dp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B9DE8 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1248
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, ecx
		xor	edi, edi
		mov	eax, large fs:20h
		mov	cl, [eax+3C5h]
		mov	[ebp+var_4], edi
		mov	[esi], edi
		mov	eax, ds:_KeMaximumIncrement
		mov	[esi+4], eax
		mov	dword ptr [esi+8], 1000h
		mov	dword ptr [esi+18h], 10000h
		mov	dword ptr [esi+1Ch], 10000h
		mov	eax, ds:_MmHighestUserAddress
		mov	[esi+20h], eax
		test	cl, cl
		jnz	loc_5B9DE8
		mov	edx, ds:dword_70E328

loc_49079D:				; CODE XREF: ExpGetSystemBasicInformation+1296CAj
		mov	[esi+24h], edx
		mov	[ebp+var_1C], edx
		not	edx
		mov	[ebp+var_1C], edx
		movzx	eax, dl
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		shr	edx, 8
		mov	[ebp+var_1C], edx
		movzx	eax, dl
		add	cl, ds:_RtlpBitsClearTotal[eax]
		shr	edx, 8
		mov	[ebp+var_1C], edx
		movzx	eax, dl
		add	cl, ds:_RtlpBitsClearTotal[eax]
		shr	edx, 8
		mov	[ebp+var_1C], edx
		mov	al, ds:_RtlpBitsClearTotal[edx]
		add	al, cl
		mov	[esi+28h], al
		push	0
		call	_MmGetNumberOfPhysicalPages@4 ;	MmGetNumberOfPhysicalPages(x)
		mov	[esi+0Ch], eax
		mov	eax, dword_6D3018
		mov	eax, [eax]
		mov	eax, [eax+0F40h]
		mov	[esi+10h], eax
		mov	eax, dword_6D3018
		mov	eax, [eax]
		mov	eax, [eax+0F44h]
		mov	[esi+14h], eax

loc_49080A:				; CODE XREF: sub_5B9DFF+6j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, edi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
ExpGetSystemBasicInformation endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmQueryMemoryListInformation proc near	; CODE XREF: PfpMemoryListQuery+44p
					; EtwpLogMemInfo(x,x)+68p ...

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_84		= dword	ptr -84h
var_7D		= dword	ptr -7Dh
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005B9E0A SIZE 00000010 BYTES
; FUNCTION CHUNK AT 005B9E48 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1268
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_20], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	edi, edx
		mov	esi, ecx
		mov	ebx, [ebp+arg_8]
		mov	[ebp+var_84], ebx
		mov	[ebp+var_8C], ebx
		push	58h		; size_t
		push	0		; int
		lea	eax, [ebp+var_7D+1]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	byte ptr [ebp+var_7D], 0
		mov	dword ptr [ebx], 0
		cmp	[ebp+arg_0], 58h
		jb	loc_5B9E0A
		lea	eax, [ebp+var_7D]
		push	eax
		mov	ecx, esi
		call	MiPartitionObjectToPartition
		mov	[ebp+var_90], eax
		test	eax, eax
		jz	short loc_490911
		lea	edx, [ebp+var_7D+1]
		mov	ecx, eax
		call	MiQueryMemoryListInformation
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		mov	ecx, 16h
		lea	esi, [ebp+var_7D+1]
		rep movsd
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_84]

loc_4908DD:				; CODE XREF: sub_5B9E2D+16j
		test	ebx, ebx
		js	short loc_4908E7
		mov	dword ptr [eax], 58h

loc_4908E7:				; CODE XREF: MmQueryMemoryListInformation+AFj
		cmp	byte ptr [ebp+var_7D], 0
		jnz	loc_5B9E48

loc_4908F1:				; CODE XREF: MmQueryMemoryListInformation+129626j
		mov	eax, ebx

loc_4908F3:				; CODE XREF: MmQueryMemoryListInformation+E6j
					; MmQueryMemoryListInformation+1295E5j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_20]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_490911:				; CODE XREF: MmQueryMemoryListInformation+85j
		mov	eax, 0C00004A0h
		jmp	short loc_4908F3
MmQueryMemoryListInformation endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiQueryMemoryListInformation proc near	; CODE XREF: MmQueryMemoryListInformation+8Cp
					; MmManagePartitionMemoryInformation+BFp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005B9E5B SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, [edi+0F48h]
		mov	esi, [edi+580h]
		mov	[ebx], esi
		mov	esi, [edi+5C0h]
		mov	[ebx+4], esi
		mov	edx, [edi+10C0h]
		mov	[ebx+8], edx
		mov	ecx, [edi+1100h]
		mov	[ebx+0Ch], ecx
		mov	ecx, [edi+900h]
		mov	[ebx+10h], ecx
		mov	ecx, [edi+1118h]
		mov	[ebx+54h], ecx
		mov	ecx, [edi+640h]
		mov	[ebx+14h], ecx
		mov	ecx, [edi+97Ch]
		mov	[ebx+34h], ecx
		mov	ecx, [edi+654h]
		mov	[ebx+18h], ecx
		mov	ecx, [edi+980h]
		mov	[ebx+38h], ecx
		mov	ecx, [edi+668h]
		mov	[ebx+1Ch], ecx
		mov	ecx, [edi+984h]
		mov	[ebx+3Ch], ecx
		mov	ecx, [edi+67Ch]
		mov	[ebx+20h], ecx
		mov	ecx, [edi+988h]
		mov	[ebx+40h], ecx
		mov	ecx, [edi+690h]
		mov	[ebx+24h], ecx
		mov	ecx, [edi+98Ch]
		mov	[ebx+44h], ecx
		mov	ecx, [edi+6A4h]
		mov	[ebx+28h], ecx
		mov	ecx, [edi+990h]
		mov	[ebx+48h], ecx
		mov	ecx, [edi+6B8h]
		mov	[ebx+2Ch], ecx
		mov	ecx, [edi+994h]
		mov	[ebx+4Ch], ecx
		mov	ecx, [edi+6CCh]
		mov	[ebx+30h], ecx
		mov	ecx, [edi+998h]
		mov	[ebx+50h], ecx
		mov	ecx, [ebx]
		mov	edx, [ebx+4]
		mov	edi, [ebx+0Ch]
		mov	esi, [ebx+10h]
		mov	[ebp+var_4], ecx
		mov	ecx, [ebx+8]
		cmp	[ebp+var_4], eax
		ja	loc_5B9E5B
		sub	eax, [ebp+var_4]

loc_490A15:				; CODE XREF: MiQueryMemoryListInformation+12953Fj
		cmp	edx, eax
		ja	loc_5B9E64
		sub	eax, edx

loc_490A1F:				; CODE XREF: MiQueryMemoryListInformation+129549j
		mov	edx, eax
		cmp	ecx, eax
		ja	loc_5B9E6E
		sub	eax, ecx
		mov	edx, ecx

loc_490A2D:				; CODE XREF: MiQueryMemoryListInformation+129553j
		cmp	edi, eax
		ja	loc_5B9E78
		sub	eax, edi

loc_490A37:				; CODE XREF: MiQueryMemoryListInformation+12955Dj
		cmp	esi, eax
		ja	loc_5B9E82
		sub	eax, esi

loc_490A41:				; CODE XREF: MiQueryMemoryListInformation+129567j
		mov	ecx, [ebx+54h]
		cmp	ecx, edx
		jnb	short loc_490A96

loc_490A48:				; CODE XREF: MiQueryMemoryListInformation+178j
		mov	[ebx+54h], ecx
		mov	ecx, [ebx+14h]
		cmp	ecx, eax
		ja	short loc_490A9A
		sub	eax, ecx

loc_490A54:				; CODE XREF: MiQueryMemoryListInformation+17Fj
		mov	ecx, [ebx+18h]
		cmp	ecx, eax
		ja	short loc_490AA1
		sub	eax, ecx

loc_490A5D:				; CODE XREF: MiQueryMemoryListInformation+186j
		mov	ecx, [ebx+1Ch]
		cmp	ecx, eax
		ja	short loc_490AA8
		sub	eax, ecx

loc_490A66:				; CODE XREF: MiQueryMemoryListInformation+18Dj
		mov	ecx, [ebx+20h]
		cmp	ecx, eax
		ja	short loc_490AAF
		sub	eax, ecx

loc_490A6F:				; CODE XREF: MiQueryMemoryListInformation+194j
		mov	ecx, [ebx+24h]
		cmp	ecx, eax
		ja	short loc_490AB6
		sub	eax, ecx

loc_490A78:				; CODE XREF: MiQueryMemoryListInformation+19Bj
		mov	ecx, [ebx+28h]
		cmp	ecx, eax
		ja	short loc_490ABD
		sub	eax, ecx

loc_490A81:				; CODE XREF: MiQueryMemoryListInformation+1A2j
		mov	ecx, [ebx+2Ch]
		cmp	ecx, eax
		ja	short loc_490AC4
		sub	eax, ecx

loc_490A8A:				; CODE XREF: MiQueryMemoryListInformation+1A9j
		cmp	[ebx+30h], eax
		ja	short loc_490ACB

loc_490A8F:				; CODE XREF: MiQueryMemoryListInformation+1AEj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_490A96:				; CODE XREF: MiQueryMemoryListInformation+126j
		mov	ecx, edx
		jmp	short loc_490A48
; 

loc_490A9A:				; CODE XREF: MiQueryMemoryListInformation+130j
		mov	[ebx+14h], eax
		xor	eax, eax
		jmp	short loc_490A54
; 

loc_490AA1:				; CODE XREF: MiQueryMemoryListInformation+139j
		mov	[ebx+18h], eax
		xor	eax, eax
		jmp	short loc_490A5D
; 

loc_490AA8:				; CODE XREF: MiQueryMemoryListInformation+142j
		mov	[ebx+1Ch], eax
		xor	eax, eax
		jmp	short loc_490A66
; 

loc_490AAF:				; CODE XREF: MiQueryMemoryListInformation+14Bj
		mov	[ebx+20h], eax
		xor	eax, eax
		jmp	short loc_490A6F
; 

loc_490AB6:				; CODE XREF: MiQueryMemoryListInformation+154j
		mov	[ebx+24h], eax
		xor	eax, eax
		jmp	short loc_490A78
; 

loc_490ABD:				; CODE XREF: MiQueryMemoryListInformation+15Dj
		mov	[ebx+28h], eax
		xor	eax, eax
		jmp	short loc_490A81
; 

loc_490AC4:				; CODE XREF: MiQueryMemoryListInformation+166j
		mov	[ebx+2Ch], eax
		xor	eax, eax
		jmp	short loc_490A8A
; 

loc_490ACB:				; CODE XREF: MiQueryMemoryListInformation+16Dj
		mov	[ebx+30h], eax
		jmp	short loc_490A8F
MiQueryMemoryListInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPartitionObjectToPartition proc near	; CODE XREF: MmQueryMemoryListInformation+78p
					; MmAllocatePartitionNodePagesForMdlEx+61p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B9E8C SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		xor	ebx, ebx
		mov	eax, ebx
		push	esi
		test	ecx, ecx
		jz	short loc_490AE4
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_490B0C

loc_490AE4:				; CODE XREF: MiPartitionObjectToPartition+Dj
		mov	esi, offset _MiSystemPartition

loc_490AE9:				; CODE XREF: MiPartitionObjectToPartition+41j
		cmp	dword ptr [esi+8], 12361940h
		jnz	loc_5B9EA8
		cmp	eax, 1
		jz	loc_5B9E8C

loc_490AFF:				; CODE XREF: MiPartitionObjectToPartition+1293CCj
					; MiPartitionObjectToPartition+1293D3j
		mov	ecx, [ebp+arg_0]
		mov	eax, esi
		pop	esi
		mov	[ecx], bl
		pop	ebx
		pop	ebp
		retn	4
; 

loc_490B0C:				; CODE XREF: MiPartitionObjectToPartition+12j
		mov	esi, [ecx]
		xor	eax, eax
		inc	eax
		jmp	short loc_490AE9
MiPartitionObjectToPartition endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MmGetHighestPhysicalPage(x)
_MmGetHighestPhysicalPage@4 proc near	; CODE XREF: PopBuildMemoryImageHeader(x,x)+B0p
					; PAGE:0077D0AFp ...
		mov	eax, dword_6D3018
		movzx	ecx, cx
		mov	eax, [eax+ecx*4]
		mov	eax, [eax+0F44h]
		retn
_MmGetHighestPhysicalPage@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlUIntAdd	proc near		; CODE XREF: sub_69349C+6Cp
					; sub_69349C+FBp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		add	edx, ecx
		cmp	edx, ecx
		mov	ecx, [ebp+arg_0]
		jb	loc_5B9EB8
		mov	[ecx], edx
		xor	eax, eax

loc_490B46:				; CODE XREF: MiPartitionObjectToPartition+1293F3j
		pop	ebp
		retn	4
RtlUIntAdd	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentServerSiloGlobals()
_PsGetCurrentServerSiloGlobals@0 proc near ; CODE XREF:	.text:00447272p
					; .text:004473E5p ...
		call	_KeIsExecutingInArbitraryThreadContext@0 ; KeIsExecutingInArbitraryThreadContext()
		test	eax, eax
		jnz	short loc_490B89
		mov	eax, large fs:124h
		mov	ecx, [eax+390h]
		cmp	ecx, 0FFFFFFFDh
		jz	short loc_490B72
		push	ecx
		call	_PsGetEffectiveServerSilo@4 ; PsGetEffectiveServerSilo(x)
		jmp	short loc_490B7E
; 

loc_490B72:				; CODE XREF: PsGetCurrentServerSiloGlobals()+18j
		mov	eax, [eax+150h]
		mov	eax, [eax+3A0h]

loc_490B7E:				; CODE XREF: PsGetCurrentServerSiloGlobals()+20j
		test	eax, eax
		jz	short loc_490B89
		mov	eax, [eax+2F8h]
		retn
; 

loc_490B89:				; CODE XREF: PsGetCurrentServerSiloGlobals()+7j
					; PsGetCurrentServerSiloGlobals()+30j
		mov	eax, offset _PspHostSiloGlobals
		retn
_PsGetCurrentServerSiloGlobals@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall StringCbLengthW(x, x, x)
_StringCbLengthW@12 proc near		; CODE XREF: PfVerifyScenarioBuffer+75Cp
					; sub_787DE0+1DCp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	eax, eax
		mov	[ebp+var_4], eax
		test	ecx, ecx
		jz	short loc_490BC4
		lea	eax, [ebp+var_4]
		shr	edx, 1
		push	eax
		call	StringLengthWorkerW
		mov	edx, eax
		mov	eax, [ebp+var_4]

loc_490BAF:				; CODE XREF: StringCbLengthW(x,x,x)+39j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_490BBE
		test	edx, edx
		js	short loc_490BCB
		add	eax, eax
		mov	[ecx], eax

loc_490BBE:				; CODE XREF: StringCbLengthW(x,x,x)+24j
					; StringCbLengthW(x,x,x)+3Ej
		mov	eax, edx
		leave
		retn	4
; 

loc_490BC4:				; CODE XREF: StringCbLengthW(x,x,x)+Dj
		mov	edx, 80070057h
		jmp	short loc_490BAF
; 

loc_490BCB:				; CODE XREF: StringCbLengthW(x,x,x)+28j
		and	dword ptr [ecx], 0
		jmp	short loc_490BBE
_StringCbLengthW@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

StringLengthWorkerW proc near		; CODE XREF: StringCbLengthW(x,x,x)+15p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		mov	eax, edx
		test	edx, edx
		jz	short loc_490BED
		mov	edi, edi

loc_490BE0:				; CODE XREF: StringLengthWorkerW+1Bj
		cmp	[ecx], si
		jz	short loc_490BF4
		add	ecx, 2
		sub	edx, 1
		jnz	short loc_490BE0

loc_490BED:				; CODE XREF: StringLengthWorkerW+Cj
					; StringLengthWorkerW+26j
		mov	esi, 80070057h
		jmp	short loc_490BF8
; 

loc_490BF4:				; CODE XREF: StringLengthWorkerW+13j
		test	edx, edx
		jz	short loc_490BED

loc_490BF8:				; CODE XREF: StringLengthWorkerW+22j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_490C07
		test	esi, esi
		js	short loc_490C0E
		sub	eax, edx
		mov	[ecx], eax

loc_490C07:				; CODE XREF: StringLengthWorkerW+2Dj
					; StringLengthWorkerW+44j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_490C0E:				; CODE XREF: StringLengthWorkerW+31j
		mov	dword ptr [ecx], 0
		jmp	short loc_490C07
StringLengthWorkerW endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PFP_GET_CURRENT_TIME()
_PFP_GET_CURRENT_TIME@0	proc near	; CODE XREF: PfpLogApplicationEvent+92p
					; PfLogForegroundProcess(x)+1Fp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	eax
		call	KeQueryTickCount
		push	[ebp+var_4]
		push	[ebp+var_8]
		call	_PFP_TICKS_TO_TIME@8 ; PFP_TICKS_TO_TIME(x,x)
		leave
		retn
_PFP_GET_CURRENT_TIME@0	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PFP_TICKS_TO_TIME(x, x)
_PFP_TICKS_TO_TIME@8 proc near		; CODE XREF: PFP_GET_CURRENT_TIME()+1Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, ds:0FFDF0004h
		mov	eax, [ebp+arg_4]
		mul	ecx
		push	esi
		push	edi
		mov	edi, eax
		mov	esi, edx
		mov	eax, [ebp+arg_0]
		mul	ecx
		shld	esi, edi, 8
		shrd	eax, edx, 18h
		shl	edi, 8
		shr	edx, 18h
		add	eax, edi
		pop	edi
		adc	esi, edx
		shrd	eax, esi, 0Ah
		pop	esi
		add	eax, dword_6D486C
		pop	ebp
		retn	8
_PFP_TICKS_TO_TIME@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcLazyWriteScan	proc near		; CODE XREF: CcWorkerThread+443p

var_54		= byte ptr -54h
var_53		= byte ptr -53h
var_52		= byte ptr -52h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005B9EC8 SIZE 000001B7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		or	[esp+54h+var_18], 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		lea	edi, [esp+60h+var_C]
		mov	[esp+60h+var_30], edx
		stosd
		xor	ecx, ecx
		mov	[esp+60h+var_52], cl
		mov	[esp+60h+var_54], cl
		mov	[esp+60h+var_44], ecx
		stosd
		mov	[esp+60h+var_50], ecx
		mov	[esp+60h+var_51], cl
		mov	[esp+60h+var_53], cl
		stosd
		mov	eax, ds:_PspSystemPartition
		mov	[esp+60h+var_20], ecx
		mov	[esp+60h+var_1C], ecx
		mov	[esp+60h+var_14], 7FFFFFFFh
		cmp	ebx, [eax+4]
		jnz	short loc_490CE4
		lea	eax, [esp+60h+var_18]
		mov	ecx, ebx
		push	eax
		push	esi
		lea	edx, [esp+68h+var_50]
		call	CcScanLogHandleList

loc_490CE4:				; CODE XREF: CcLazyWriteScan+57j
		lea	ecx, [ebx+40h]
		lea	edx, [esp+60h+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	CcSetLazyWriteScanQueued
		mov	edx, [ebx+1C8h]
		mov	eax, [ebx+1BCh]
		mov	ecx, [ebx+1B8h]
		mov	edi, [ebx+1C0h]
		mov	esi, [ebx+1C4h]
		push	0
		push	edx
		push	eax
		push	ecx
		mov	[esp+70h+var_3C], edx
		call	__aulldiv
		push	0
		push	[esp+64h+var_3C]
		mov	ecx, edx
		mov	[esp+68h+var_40], eax
		push	esi
		push	edi
		mov	[esp+70h+var_38], ecx
		mov	[ebx+1D8h], eax
		mov	[ebx+1DCh], ecx
		call	__aulldiv
		mov	[ebx+1E0h], eax
		lea	esi, [ebx+198h]
		mov	[esp+60h+var_4C], eax
		mov	ecx, edx
		mov	eax, [ebx+4]
		xor	edx, edx
		mov	[esp+60h+var_48], ecx
		inc	edx
		mov	[ebx+1E4h], ecx
		mov	ecx, [eax]
		mov	eax, [esp+60h+var_3C]
		cmp	eax, edx
		jbe	loc_5B9EC8
		push	[esp+60h+var_38]
		mov	esi, [ecx+0FC0h]
		lea	edi, [eax-1]
		push	[esp+64h+var_40]
		push	0
		push	edi
		call	__allmul
		push	[esp+60h+var_48]
		add	eax, esi
		mov	ecx, edx
		push	[esp+64h+var_4C]
		adc	ecx, 0
		mov	[esp+68h+var_40], eax
		push	0
		mov	[esp+6Ch+var_34], ecx
		lea	esi, [ebx+198h]
		mov	ecx, [esi]
		push	edi
		mov	[esp+70h+var_38], ecx
		call	__allmul
		mov	edi, eax
		mov	ecx, edx
		mov	eax, [esp+60h+var_38]
		add	edi, eax
		mov	edx, [esp+60h+var_34]
		adc	ecx, 0
		mov	[esp+60h+var_3C], ecx
		mov	ecx, [esp+60h+var_40]

loc_490DD7:				; CODE XREF: CcLazyWriteScan+12925Ej
		mov	[ebx+1B8h], ecx
		mov	ecx, [esp+60h+var_3C]
		mov	[ebx+1BCh], edx
		mov	[ebx+1C0h], edi
		mov	[ebx+1C4h], ecx
		test	eax, eax
		jz	loc_4913F9

loc_490DFB:				; CODE XREF: CcLazyWriteScan+786j
		lea	eax, [esp+60h+var_28]
		mov	[esp+60h+var_24], eax
		lea	ecx, [ebx+0ACh]
		mov	[esp+60h+var_28], eax

loc_490E0D:				; CODE XREF: CcLazyWriteScan+129330j
		mov	eax, [ecx]
		cmp	eax, ecx
		jnz	loc_5B9F76
		mov	edx, [ebp+arg_0]
		lea	eax, [ebx+1A8h]
		push	0
		push	eax
		push	esi
		mov	ecx, ebx
		mov	byte ptr [ebx+191h], 0
		call	_CcCalculatePagesToWrite@20 ; CcCalculatePagesToWrite(x,x,x,x,x)
		push	dword ptr [ebx+144h]
		mov	edi, eax
		mov	edx, esi
		lea	eax, [ebx+1A8h]
		mov	[esp+64h+var_4C], edi
		push	eax
		mov	ecx, ebx
		mov	[esp+68h+var_50], edi
		call	CcAdjustThrottle
		mov	ecx, [esi]
		mov	eax, [ebx+1D0h]
		mov	[ebx+19Ch], ecx
		mov	ecx, [ebx+0C4h]
		mov	[ebx+1A0h], edi
		mov	[ebx+144h], edi
		mov	[eax+ecx*8], edi
		lea	eax, [ebx+1F8h]
		push	eax
		call	KeQuerySystemTime
		test	ds:dword_70EFD0, 20000h
		jnz	loc_49132E

loc_490E91:				; CODE XREF: CcLazyWriteScan+702j
		mov	ecx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		lea	eax, [ebx+24h]
		mov	esi, [eax]
		mov	[esp+60h+var_48], ecx
		push	0
		pop	edx
		mov	[esp+60h+var_3C], edx
		sub	esi, 58h
		jz	loc_5B9FFA

loc_490EB0:				; CODE XREF: CcLazyWriteScan+2A7j
		lea	ecx, [esi+58h]
		mov	[esp+60h+var_40], ecx
		cmp	ecx, eax
		jz	short loc_490F23
		test	edx, edx
		jz	loc_49122D

loc_490EC3:				; CODE XREF: CcLazyWriteScan+5B7j
		mov	eax, [esi+44h]
		mov	edx, edi
		push	[ebp+arg_0]
		and	eax, 0FFFFFFF8h
		mov	ecx, esi
		push	eax
		call	CcShouldLazyWriteCacheMap
		mov	ecx, [esi+60h]
		test	al, al
		jnz	loc_490FD0
		mov	edx, 10020h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jz	loc_4912A4
		mov	eax, [esp+60h+var_44]
		inc	eax
		mov	[esp+60h+var_44], eax
		cmp	eax, 14h
		jnb	loc_4910EA

loc_490F04:				; CODE XREF: CcLazyWriteScan+45Cj
					; CcLazyWriteScan+476j	...
		mov	esi, [esp+60h+var_40]
		lea	eax, [ebx+24h]
		mov	esi, [esi]
		sub	esi, 58h
		cmp	[esp+60h+var_54], 0
		jnz	loc_4913BB

loc_490F1B:				; CODE XREF: CcLazyWriteScan+77Aj
		mov	edx, [esp+60h+var_3C]
		cmp	esi, edx
		jnz	short loc_490EB0

loc_490F23:				; CODE XREF: CcLazyWriteScan+23Fj
		mov	edi, [esp+60h+var_48]

loc_490F27:				; CODE XREF: CcLazyWriteScan+12937Bj
					; CcLazyWriteScan+129382j
		mov	ecx, [esp+60h+var_28]
		lea	eax, [esp+60h+var_28]
		cmp	ecx, eax
		jnz	loc_5BA001

loc_490F37:				; CODE XREF: CcLazyWriteScan+12938Ej
					; CcLazyWriteScan+1293D4j
		lea	eax, [esp+60h+var_28]
		cmp	ecx, eax
		jnz	loc_5BA00D
		cmp	[esp+60h+var_53], 0
		jz	loc_4912E5

loc_490F4E:				; CODE XREF: CcLazyWriteScan+672j
					; CcLazyWriteScan+680j	...
		lea	edx, [esp+60h+var_20]
		mov	ecx, ebx
		call	CcRescheduleLazyWriteScan
		xor	eax, eax
		inc	eax
		cmp	byte ptr [ebx+48h], 0
		jnz	loc_5BA065

loc_490F66:				; CODE XREF: CcLazyWriteScan+1293E6j
					; CcLazyWriteScan+1293EFj
		test	ds:byte_70EFC6,	al
		jnz	loc_5BA06E
		mov	eax, [esp+60h+var_C]
		test	eax, eax
		jnz	loc_4912B9
		mov	edx, [esp+60h+var_8]
		lea	eax, [esp+60h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+60h+var_C]
		cmp	eax, ecx
		jnz	loc_4912B0

loc_490F98:				; CODE XREF: CcLazyWriteScan+650j
					; CcLazyWriteScan+129400j
		mov	cl, [esp+60h+var_4]
		call	edi
		cmp	[esp+60h+var_51], 0
		jnz	loc_491298

loc_490FA9:				; CODE XREF: CcLazyWriteScan+625j
		test	ds:dword_70EFD0, 20000h
		jnz	loc_491381

loc_490FB9:				; CODE XREF: CcLazyWriteScan+715j
		lea	eax, [ebx+204h]
		cmp	[eax], eax
		jnz	loc_5B9F6A

loc_490FC7:				; CODE XREF: CcLazyWriteScan+7E0j
					; CcLazyWriteScan+1292F7j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_490FD0:				; CODE XREF: CcLazyWriteScan+261j
		xor	eax, eax
		mov	[esp+60h+var_38], eax
		test	ecx, 1000000h
		jnz	loc_491162

loc_490FE2:				; CODE XREF: CcLazyWriteScan+51Fj
					; CcLazyWriteScan+52Aj	...
		mov	ecx, [esi+60h]
		mov	eax, [esi+4Ch]
		mov	[esi+78h], eax
		test	ecx, 200h
		jnz	loc_4911D7

loc_490FF7:				; CODE XREF: CcLazyWriteScan+560j
					; CcLazyWriteScan+585j	...
		cmp	[esp+60h+var_52], 0
		jnz	short loc_491013
		mov	eax, [esi+78h]
		cmp	eax, edi
		jnb	loc_491236
		sub	edi, eax
		mov	[esp+60h+var_4C], edi
		mov	[esp+60h+var_50], edi

loc_491013:				; CODE XREF: CcLazyWriteScan+382j
					; CcLazyWriteScan+619j
		or	dword ptr [esi+60h], 20h
		xor	eax, eax
		inc	dword ptr [esi+4Ch]
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5B9FAF
		mov	ecx, [esp+60h+var_C]
		test	ecx, ecx
		jnz	loc_491217
		mov	edx, [esp+60h+var_8]
		lea	eax, [esp+60h+var_C]
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+60h+var_C]
		cmp	eax, ecx
		jnz	loc_491204

loc_49104D:				; CODE XREF: CcLazyWriteScan+129341j
		mov	eax, [esp+60h+var_50]
		mov	[esp+60h+var_4C], eax

loc_491055:				; CODE XREF: CcLazyWriteScan+5AEj
		mov	cl, [esp+60h+var_4]
		mov	edi, [esp+60h+var_48]
		call	edi
		lea	edx, [esp+60h+var_38]
		mov	ecx, ebx
		call	_CcAllocateWorkQueueEntry@8 ; CcAllocateWorkQueueEntry(x,x)
		lea	edx, [esp+60h+var_C]
		lea	ecx, [ebx+40h]
		test	eax, eax
		js	loc_5B9FE9
		mov	edi, [esp+60h+var_38]
		mov	byte ptr [edi+48h], 2
		mov	[edi+8], esi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		dec	dword ptr [esi+4Ch]
		test	dword ptr [esi+60h], 10000h
		mov	eax, [esi+4Ch]
		jnz	loc_5B9FC0
		cmp	dword ptr [esi+4], 0
		jnz	short loc_4910DB
		lea	edx, [ebx+0B4h]
		test	eax, eax
		jnz	short loc_4910DB

loc_4910AC:				; CODE XREF: CcLazyWriteScan+467j
		mov	[esi+160h], edi

loc_4910B2:				; CODE XREF: CcLazyWriteScan+129359j
		mov	eax, [edi+4Ch]
		mov	ecx, edi
		add	eax, 0B4h
		cmp	eax, edx
		jnz	short loc_4910E3
		call	CcPostWorkQueueCachemapUninit

loc_4910C5:				; CODE XREF: CcLazyWriteScan+46Ej
		mov	edi, [esp+60h+var_4C]
		xor	eax, eax
		inc	eax
		mov	[esp+60h+var_53], al
		xor	eax, eax
		mov	[esp+60h+var_44], eax
		jmp	loc_490F04
; 

loc_4910DB:				; CODE XREF: CcLazyWriteScan+426j
					; CcLazyWriteScan+430j
		lea	edx, [ebx+0A4h]
		jmp	short loc_4910AC
; 

loc_4910E3:				; CODE XREF: CcLazyWriteScan+444j
		call	CcPostWorkQueueRegular
		jmp	short loc_4910C5
; 

loc_4910EA:				; CODE XREF: CcLazyWriteScan+284j
		test	ecx, 820h
		jnz	loc_490F04
		or	ecx, 20h
		xor	eax, eax
		inc	dword ptr [esi+4Ch]
		inc	eax
		mov	[esi+60h], ecx
		test	ds:byte_70EFC6,	al
		jnz	loc_5B9FD8
		mov	eax, [esp+60h+var_C]
		test	eax, eax
		jnz	loc_4913A5
		mov	edx, [esp+60h+var_8]
		lea	eax, [esp+60h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+60h+var_C]
		cmp	eax, ecx
		jnz	loc_491394

loc_491134:				; CODE XREF: CcLazyWriteScan+12936Aj
		mov	edi, [esp+60h+var_50]
		mov	[esp+60h+var_4C], edi

loc_49113C:				; CODE XREF: CcLazyWriteScan+73Cj
		mov	cl, [esp+60h+var_4]
		call	[esp+60h+var_48]
		xor	eax, eax
		lea	edx, [esp+60h+var_C]
		lea	ecx, [ebx+40h]
		mov	[esp+60h+var_44], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		and	dword ptr [esi+60h], 0FFFFFFDFh
		dec	dword ptr [esi+4Ch]
		jmp	loc_490F04
; 

loc_491162:				; CODE XREF: CcLazyWriteScan+362j
		mov	[esp+60h+var_30], eax
		mov	[esp+60h+var_2C], eax
		lea	eax, [esp+60h+var_30]
		push	eax
		call	KeQueryTickCount
		mov	eax, [esi+98h]
		xor	ecx, ecx
		inc	ecx
		mov	[esp+60h+var_51], cl
		or	[eax+60h], ecx
		mov	eax, [esi+98h]
		mov	edx, [esi+0A4h]
		mov	ecx, [esi+0A0h]
		cmp	edx, [eax+4Ch]
		jl	loc_490FE2
		jg	short loc_4911AA
		cmp	ecx, [eax+48h]
		jbe	loc_490FE2

loc_4911AA:				; CODE XREF: CcLazyWriteScan+525j
		mov	[eax+48h], ecx
		mov	[eax+4Ch], edx
		test	ds:dword_70EFD0, 20000h
		jz	loc_490FE2
		mov	ecx, [esi+44h]
		mov	eax, [esi+98h]
		and	ecx, 0FFFFFFF8h
		mov	ecx, [ecx+0Ch]
		mov	[eax+54h], ecx
		jmp	loc_490FE2
; 

loc_4911D7:				; CODE XREF: CcLazyWriteScan+377j
		cmp	eax, 40h
		jb	loc_490FF7
		test	ecx, 1000000h
		jz	short loc_4911F9
		mov	edx, [esi+98h]
		mov	ecx, [edx+40h]
		test	ecx, ecx
		jnz	loc_49145F

loc_4911F9:				; CODE XREF: CcLazyWriteScan+56Cj
		shr	eax, 3
		mov	[esi+78h], eax
		jmp	loc_490FF7
; 

loc_491204:				; CODE XREF: CcLazyWriteScan+3CDj
		lea	ecx, [esp+60h+var_C]
		call	KxWaitForLockChainValid
		mov	ecx, eax
		mov	eax, [esp+60h+var_50]
		mov	[esp+60h+var_4C], eax

loc_491217:				; CODE XREF: CcLazyWriteScan+3B5j
		lea	eax, [ecx+4]
		mov	[esp+60h+var_C], 0
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_491055
; 

loc_49122D:				; CODE XREF: CcLazyWriteScan+243j
		mov	[esp+60h+var_3C], esi
		jmp	loc_490EC3
; 

loc_491236:				; CODE XREF: CcLazyWriteScan+389j
		test	dword ptr [esi+60h], 200h
		jnz	loc_4912DC
		cmp	[esp+60h+var_3C], esi
		jz	loc_4912CF

loc_49124D:				; CODE XREF: CcLazyWriteScan+65Cj
		lea	eax, [ebx+24h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_491477
		cmp	[ecx], eax
		jnz	loc_491477
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	edx, [esp+60h+var_40]
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	loc_491477
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edx+4], eax

loc_491284:				; CODE XREF: CcLazyWriteScan+669j
		xor	eax, eax
		mov	[esp+60h+var_4C], eax
		mov	[esp+60h+var_50], eax
		inc	eax
		mov	[esp+60h+var_52], al
		jmp	loc_491013
; 

loc_491298:				; CODE XREF: CcLazyWriteScan+329j
		mov	ecx, ebx
		call	CcUpdateTimeOnLogHandles
		jmp	loc_490FA9
; 

loc_4912A4:				; CODE XREF: CcLazyWriteScan+272j
		mov	ecx, esi
		call	CcIncrementWriteBehindPriority
		jmp	loc_490F04
; 

loc_4912B0:				; CODE XREF: CcLazyWriteScan+318j
		lea	ecx, [esp+60h+var_C]
		call	KxWaitForLockChainValid

loc_4912B9:				; CODE XREF: CcLazyWriteScan+2FEj
		xor	ecx, ecx
		mov	[esp+60h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_490F98
; 

loc_4912CF:				; CODE XREF: CcLazyWriteScan+5CDj
		test	byte ptr [esi+0ACh], 0Fh
		jnz	loc_49124D

loc_4912DC:				; CODE XREF: CcLazyWriteScan+5C3j
		xor	eax, eax
		inc	eax
		mov	[esp+60h+var_54], al
		jmp	short loc_491284
; 

loc_4912E5:				; CODE XREF: CcLazyWriteScan+2CEj
		cmp	byte ptr ds:dword_7051D4, 0
		jnz	loc_490F4E
		lea	eax, [ebx+204h]
		cmp	[eax], eax
		jnz	loc_490F4E
		lea	eax, [esp+60h+var_20]
		mov	ecx, ebx
		push	eax
		lea	edx, [esp+64h+var_18]
		call	CcComputeNextScanTime
		cmp	[esp+60h+var_20], 0FFFFFFFFh
		jnz	loc_490F4E
		cmp	[esp+60h+var_1C], 7FFFFFFFh
		jnz	loc_490F4E
		jmp	loc_5BA053
; 

loc_49132E:				; CODE XREF: CcLazyWriteScan+211j
		push	dword ptr [ebx+44h]
		mov	eax, [ebx+4]
		push	dword ptr [ebx+1E4h]
		mov	edx, [ebp+arg_0]
		push	dword ptr [ebx+1E0h]
		mov	eax, [eax]
		push	dword ptr [ebx+1DCh]
		push	dword ptr [ebx+1D8h]
		mov	eax, [eax+0FC0h]
		push	dword ptr [ebx+1B0h]
		push	dword ptr [ebx+1ACh]
		push	ecx
		push	dword ptr [ebx+1A8h]
		mov	ecx, [esp+84h+var_30]
		push	eax
		push	dword ptr [esi]
		push	dword ptr [ebx+144h]
		call	_CcPerfLogLazyWriteScan@56 ; CcPerfLogLazyWriteScan(x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_490E91
; 

loc_491381:				; CODE XREF: CcLazyWriteScan+339j
		mov	edx, [ebx+144h]
		mov	ecx, [ebp+arg_0]
		call	CcPerfLogLoggedStreamsStats
		jmp	loc_490FB9
; 

loc_491394:				; CODE XREF: CcLazyWriteScan+4B4j
		lea	ecx, [esp+60h+var_C]
		call	KxWaitForLockChainValid
		mov	edi, [esp+60h+var_50]
		mov	[esp+60h+var_4C], edi

loc_4913A5:				; CODE XREF: CcLazyWriteScan+49Aj
		xor	ecx, ecx
		mov	[esp+60h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_49113C
; 

loc_4913BB:				; CODE XREF: CcLazyWriteScan+29Bj
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_491477
		cmp	[ecx], eax
		jnz	loc_491477
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	edx, [esp+60h+var_40]
		mov	ecx, [edx]
		cmp	[ecx+4], edx
		jnz	loc_491477
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[ecx+4], eax
		mov	[edx], eax
		mov	[esp+60h+var_54], 0
		jmp	loc_490F1B
; 

loc_4913F9:				; CODE XREF: CcLazyWriteScan+17Bj
		cmp	byte ptr [ebx+191h], 0
		jnz	loc_490DFB
		lea	eax, [ebx+204h]
		cmp	[eax], eax
		jnz	loc_5B9F0A
		mov	byte ptr [ebx+190h], 0
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jnz	loc_5B9EDD
		mov	eax, [esp+60h+var_C]
		test	eax, eax
		jnz	loc_5B9EF7
		mov	edx, [esp+60h+var_8]
		lea	eax, [esp+60h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+60h+var_C]
		cmp	eax, ecx
		jnz	loc_5B9EEE

loc_491450:				; CODE XREF: CcLazyWriteScan+12926Fj
					; CcLazyWriteScan+12928Bj
		mov	cl, [esp+60h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_490FC7
; 

loc_49145F:				; CODE XREF: CcLazyWriteScan+579j
		cmp	eax, ecx
		ja	short loc_491473
		sub	ecx, eax

loc_491465:				; CODE XREF: CcLazyWriteScan+7FBj
		mov	[edx+40h], ecx
		inc	_CcDbgSkippedReductions
		jmp	loc_490FF7
; 

loc_491473:				; CODE XREF: CcLazyWriteScan+7E7j
		xor	ecx, ecx
		jmp	short loc_491465
; 

loc_491477:				; CODE XREF: CcLazyWriteScan+5DEj
					; CcLazyWriteScan+5E6j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
CcLazyWriteScan	endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcShouldLazyWriteCacheMap proc near	; CODE XREF: CcLazyWriteScan+257p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BA07F SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	ecx, [esi+60h]
		test	ecx, 400820h
		jnz	loc_491528
		test	ecx, 10000h
		jnz	loc_49155D
		cmp	dword ptr [esi+16Ch], 0
		jnz	short loc_491528
		mov	ebx, [esi+4]
		test	ebx, ebx
		jz	short loc_491531

loc_4914B6:				; CODE XREF: CcShouldLazyWriteCacheMap+C1j
		test	ecx, 40000000h
		jnz	loc_49155D
		mov	edx, [esi+4Ch]
		test	edx, edx
		jz	short loc_491528
		test	edi, edi
		jz	short loc_491528
		mov	eax, [esi+0ACh]
		inc	eax
		mov	[esi+0ACh], eax
		test	ecx, 1000000h
		jz	short loc_491545
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	KeQueryTickCount
		mov	edi, [esi+98h]
		cmp	[edi+40h], ebx
		jnz	short loc_49155D
		push	ebx
		push	ds:_KeMaximumIncrement
		push	ebx
		push	9896800h
		call	__aulldiv
		add	eax, [edi+58h]
		adc	edx, [edi+5Ch]
		cmp	[ebp+var_4], edx
		jg	short loc_49155D
		jl	short loc_491522
		cmp	[ebp+var_8], eax
		ja	short loc_49155D

loc_491522:				; CODE XREF: CcShouldLazyWriteCacheMap+9Fj
		cmp	dword ptr [esi+4Ch], 40h
		jnb	short loc_49155D

loc_491528:				; CODE XREF: CcShouldLazyWriteCacheMap+18j
					; CcShouldLazyWriteCacheMap+31j ...
		xor	al, al

loc_49152A:				; CODE XREF: CcShouldLazyWriteCacheMap+E3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_491531:				; CODE XREF: CcShouldLazyWriteCacheMap+38j
		cmp	dword ptr [esi+4Ch], 0
		jz	short loc_49155D
		mov	eax, [esi+8]
		or	eax, [esi+0Ch]
		jnz	loc_4914B6
		jmp	short loc_49155D
; 

loc_491545:				; CODE XREF: CcShouldLazyWriteCacheMap+64j
		test	ecx, 200h
		jnz	loc_5BA07F
		mov	edi, [ebp+arg_0]
		test	dword ptr [edi+2Ch], 8000h
		jnz	short loc_491561

loc_49155D:				; CODE XREF: CcShouldLazyWriteCacheMap+24j
					; CcShouldLazyWriteCacheMap+40j ...
		mov	al, 1
		jmp	short loc_49152A
; 

loc_491561:				; CODE XREF: CcShouldLazyWriteCacheMap+DFj
		test	ebx, ebx
		jz	short loc_49155D
		mov	ecx, esi
		call	CcGetPartition
		push	0
		push	8
		push	0
		push	1000000h
		mov	edx, edi
		mov	ecx, eax
		call	CcCanIWriteStreamEx
		test	al, al

loc_491582:				; CODE XREF: CcShouldLazyWriteCacheMap+128C18j
		jnz	short loc_491528
		jmp	short loc_49155D
CcShouldLazyWriteCacheMap endp

; 
		align 10h
; Exported entry 1323. KeWaitForMultipleObjects

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeWaitForMultipleObjects
KeWaitForMultipleObjects proc near	; CODE XREF: PopFxProcessWorkPool+A4p
					; SMKM_STORE_SM_TRAITS___SmStWorker+132p ...

var_9C		= dword	ptr -9Ch
var_96		= byte ptr -96h
var_95		= byte ptr -95h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 005BA099 SIZE 000004A3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+9Ch+var_4], eax
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		mov	ecx, [ebp+arg_1C]
		push	ebx
		push	esi
		mov	[esp+0A4h+var_80], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+0A4h+var_48], edx
		mov	[esp+0A4h+var_64], ecx
		mov	[esp+0A4h+var_70], 0
		push	edi
		mov	edi, [ebp+arg_18]
		mov	[esp+0A8h+var_6C], edi
		cmp	eax, 1
		jz	loc_491ABD
		mov	esi, large fs:124h
		mov	[esp+0A8h+var_7C], esi
		test	ecx, ecx
		jnz	loc_491B37
		cmp	eax, 3
		ja	loc_5BA099
		lea	ecx, [esi+0E0h]
		mov	[esp+0A8h+var_64], ecx

loc_491604:				; CODE XREF: KeWaitForMultipleObjects+5AAj
		cmp	[ebp+arg_8], 0
		jz	loc_491C90
		mov	[esp+0A8h+var_44], 0
		btr	dword ptr [esi+58h], 2
		mov	[esp+0A8h+var_18], 0
		setb	bh
		mov	[esp+0A8h+var_14], 0
		mov	[esp+0A8h+var_95], bh
		test	bh, bh
		jnz	short loc_491648
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esi+92h], al

loc_491648:				; CODE XREF: KeWaitForMultipleObjects+AAj
		test	edi, edi
		jz	loc_49196E
		cmp	dword ptr [edi+4], 0
		jge	loc_491B6C
		mov	ecx, 0FFDF03B0h
		mov	[esp+0A8h+var_78], 0
		mov	[esp+0A8h+var_74], 0
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	ebx, ds:0FFDF000Ch
		mov	edx, ds:0FFDF0008h
		mov	[esp+0A8h+var_94], eax
		mov	[esp+0A8h+var_58], ecx
		mov	[esp+0A8h+var_3C], 0
		cmp	ebx, ds:0FFDF0010h
		jnz	loc_5BA0A0

loc_49169C:				; CODE XREF: KeWaitForMultipleObjects+128B46j
		sub	edx, eax
		mov	[esp+0A8h+var_68], 2
		mov	eax, [esi+0B4h]
		sbb	ebx, ecx
		mov	ecx, [esi+0B0h]
		add	ecx, [edi]
		adc	eax, [edi+4]
		sub	edx, ecx
		mov	[esp+0A8h+var_70], edx
		sbb	ebx, eax
		mov	[esp+0A8h+var_80], ebx
		mov	bh, [esp+0A8h+var_95]

loc_4916C9:				; CODE XREF: KeWaitForMultipleObjects+3E6j
					; KeWaitForMultipleObjects+5F1j
		lea	eax, [esi+2Ch]
		mov	byte ptr [esp+0A8h+var_6C], bh
		mov	[esp+0A8h+var_58], eax
		jmp	short loc_4916E0
; 
		align 10h

loc_4916E0:				; CODE XREF: KeWaitForMultipleObjects+144j
					; KeWaitForMultipleObjects+69Ej
		mov	bl, [esi+92h]
		jmp	short loc_4916F0
; 
		align 10h

loc_4916F0:				; CODE XREF: KeWaitForMultipleObjects+156j
					; KeWaitForMultipleObjects+7A1j
		and	dword ptr [esi+58h], 0FFFFFFEFh
		cmp	byte ptr [ebp+arg_14], 0
		mov	ecx, [ebp+arg_10]
		mov	byte ptr [esi+54h], 0
		mov	[esi+93h], cl
		jnz	loc_491AB4

loc_49170B:				; CODE XREF: KeWaitForMultipleObjects+528j
		mov	esi, [esp+0A8h+var_58]
		mov	[esp+0A8h+var_38], 0
		jmp	short loc_491720
; 
		align 10h

loc_491720:				; CODE XREF: KeWaitForMultipleObjects+187j
					; KeWaitForMultipleObjects+75Fj
		lock bts dword ptr [esi], 0
		jb	loc_491CE0
		mov	esi, [esp+0A8h+var_7C]
		cmp	byte ptr [esi+85h], 0
		jnz	loc_491CF4

loc_49173C:				; CODE XREF: KeWaitForMultipleObjects+76Cj
					; KeWaitForMultipleObjects+775j
		cmp	byte ptr [ebp+arg_14], 0
		jnz	loc_491A8C
		test	byte ptr [esi+86h], 2
		jnz	loc_491C50

loc_491753:				; CODE XREF: KeWaitForMultipleObjects+519j
					; KeWaitForMultipleObjects+6C4j
		mov	eax, [ebp+arg_C]
		xor	edx, edx
		mov	ebx, [esp+0A8h+var_64]
		mov	byte ptr [esi+90h], 5
		add	ebx, 9
		mov	[esi+18Bh], al
		mov	eax, ds:_KeTickCount
		mov	[esi+138h], eax
		mov	dword ptr [esi+2Ch], 0
		mov	ecx, large fs:20h
		mov	[esp+0A8h+var_88], 0
		mov	[esp+0A8h+var_84], 0
		mov	[esp+0A8h+var_8C], ecx
		mov	[esp+0A8h+var_9C], edx
		lea	ecx, [ecx+0]

loc_4917A0:				; CODE XREF: KeWaitForMultipleObjects+291j
		mov	eax, [esp+0A8h+var_48]
		mov	[esp+0A8h+var_34], 0
		mov	edi, [eax+edx*4]
		mov	byte ptr [ebx-1], 1
		mov	byte ptr [ebx],	4
		mov	[ebx+1], dx
		mov	[ebx+3], esi
		mov	[ebx+7], edi
		lock bts dword ptr [edi], 7
		jb	loc_491CC0

loc_4917CB:				; CODE XREF: KeWaitForMultipleObjects+74Aj
		mov	al, [edi]
		and	al, 7Fh
		cmp	al, 2
		jz	loc_491B86
		cmp	dword ptr [edi+4], 0
		jg	loc_4919C7

loc_4917E1:				; CODE XREF: KeWaitForMultipleObjects+6A6j
					; KeWaitForMultipleObjects+6BBj
		mov	eax, [edi+0Ch]
		lea	ecx, [edi+8]
		mov	[esp+0A8h+var_94], eax
		cmp	[eax], ecx
		jnz	loc_491A85
		mov	edx, [esp+0A8h+var_94]
		lea	eax, [ebx-9]
		mov	[eax], ecx
		mov	[ebx-5], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	edx, [esp+0A8h+var_9C]
		add	ebx, 18h
		mov	eax, [ebp+arg_0]
		inc	edx
		mov	ecx, [esp+0A8h+var_8C]
		mov	[esp+0A8h+var_9C], edx
		cmp	edx, eax
		jb	loc_4917A0
		cmp	[esp+0A8h+var_68], 2
		mov	edi, [esp+0A8h+var_70]
		mov	edx, edi
		mov	ebx, [esp+0A8h+var_80]
		mov	ecx, ebx
		mov	[esp+0A8h+var_94], edx
		mov	[esp+0A8h+var_78], ecx
		mov	[esp+0A8h+var_60], 0
		mov	[esp+0A8h+var_5C], 0
		jnz	loc_49197B
		mov	edx, 0FFDF03B0h
		mov	[esp+0A8h+var_78], 0
		mov	[esp+0A8h+var_74], 0
		mov	ecx, [edx]
		mov	[esp+0A8h+var_94], ecx
		mov	ecx, [edx+4]
		mov	[esp+0A8h+var_78], ecx
		mov	ecx, ds:0FFDF000Ch
		mov	edx, ds:0FFDF0008h
		mov	[esp+0A8h+var_30], 0
		cmp	ecx, ds:0FFDF0010h
		jnz	loc_5BA0FC

loc_491898:				; CODE XREF: KeWaitForMultipleObjects+128B9Ej
		sub	edx, [esi+0B0h]
		mov	eax, [esi+240h]
		sbb	ecx, [esi+0B4h]
		sub	edx, [esp+0A8h+var_94]
		mov	[esp+0A8h+var_60], edx
		mov	edx, edi
		sbb	ecx, [esp+0A8h+var_78]
		cmp	byte ptr [esi+93h], 0
		mov	[esp+0A8h+var_90], ecx
		mov	ecx, ebx
		mov	[esp+0A8h+var_94], eax
		mov	eax, [ebp+arg_0]
		jnz	loc_491B45

loc_4918D2:				; CODE XREF: KeWaitForMultipleObjects+5BAj
					; KeWaitForMultipleObjects+128BAAj ...
		cmp	[esp+0A8h+var_90], ecx
		ja	loc_491990
		jb	short loc_4918E8
		cmp	[esp+0A8h+var_60], edx
		ja	loc_491990

loc_4918E8:				; CODE XREF: KeWaitForMultipleObjects+34Cj
					; KeWaitForMultipleObjects+3F0j
		mov	ecx, [esp+0A8h+var_88]
		mov	edx, [esp+0A8h+var_84]
		mov	[esi+16Bh], al
		mov	eax, ecx
		or	eax, edx
		mov	[esp+0A8h+var_90], 0
		mov	[esp+0A8h+var_9C], 0
		jnz	loc_5BA1D8

loc_491910:				; CODE XREF: KeWaitForMultipleObjects+128CFDj
		mov	edx, [esp+0A8h+var_64]
		lea	eax, [esp+0A8h+var_44]
		push	eax
		push	ebx
		push	edi
		push	[esp+0B4h+var_68]
		mov	ecx, esi
		call	KiCommitThreadWait
		cmp	[esp+0A8h+var_44], 0
		mov	ecx, eax
		mov	ebx, [esp+0A8h+var_90]
		mov	edi, [esp+0A8h+var_9C]
		mov	[esp+0A8h+var_8C], ecx
		jnz	loc_5BA292

loc_49193F:				; CODE XREF: KeWaitForMultipleObjects+128DF8j
		mov	eax, ebx
		or	eax, edi
		jnz	loc_5BA38D

loc_491949:				; CODE XREF: KeWaitForMultipleObjects+128E9Dj
		cmp	ecx, 100h
		jz	loc_491C18
		mov	eax, ecx

loc_491957:				; CODE XREF: KeWaitForMultipleObjects+5A2j
					; KeWaitForMultipleObjects+7CEj
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+9Ch+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_49196E:				; CODE XREF: KeWaitForMultipleObjects+BAj
		mov	[esp+0A8h+var_68], 0
		jmp	loc_4916C9
; 

loc_49197B:				; CODE XREF: KeWaitForMultipleObjects+2C0j
		cmp	[esp+0A8h+var_68], 0
		jz	loc_4918E8
		mov	eax, edi
		or	eax, ebx
		jnz	loc_5BA169

loc_491990:				; CODE XREF: KeWaitForMultipleObjects+346j
					; KeWaitForMultipleObjects+352j
		mov	[esp+0A8h+var_24], 0
		lea	ebx, [esi+2Ch]
		mov	edi, edi

loc_4919A0:				; CODE XREF: KeWaitForMultipleObjects+802j
		lock bts dword ptr [ebx], 0
		jb	loc_491D80
		test	byte ptr [esi+54h], 7
		jnz	short loc_491A1B
		mov	dword ptr [esi+94h], 102h
		mov	dword ptr [esi+248h], 0
		jmp	short loc_491A1B
; 

loc_4919C7:				; CODE XREF: KeWaitForMultipleObjects+24Bj
		mov	[esp+0A8h+var_20], 0
		lea	ebx, [esi+2Ch]

loc_4919D5:				; CODE XREF: KeWaitForMultipleObjects+7E5j
		lock bts dword ptr [ebx], 0
		jb	loc_491D63
		test	byte ptr [esi+54h], 7
		jnz	short loc_491A13
		mov	ecx, [esp+0A8h+var_9C]
		mov	[esi+94h], ecx
		mov	dword ptr [esi+248h], 0
		mov	cl, [edi]
		mov	al, cl
		and	al, 7
		cmp	al, 1
		jz	loc_491C0C
		and	cl, 7Fh
		cmp	cl, 5
		jnz	short loc_491A13
		dec	dword ptr [edi+4]

loc_491A13:				; CODE XREF: KeWaitForMultipleObjects+454j
					; KeWaitForMultipleObjects+47Ej ...
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax

loc_491A1B:				; CODE XREF: KeWaitForMultipleObjects+41Fj
					; KeWaitForMultipleObjects+435j ...
		mov	byte ptr [esi+90h], 2
		mov	dword ptr [ebx], 0
		mov	ebx, [esi+94h]
		mov	ecx, [esi+248h]
		mov	[esp+0A8h+var_6C], ebx
		test	ecx, ecx
		jnz	loc_5BA49C

loc_491A40:				; CODE XREF: KeWaitForMultipleObjects+128F21j
					; KeWaitForMultipleObjects+128F2Bj
		mov	eax, [esp+0A8h+var_9C]
		test	eax, eax
		jz	loc_491B08
		mov	ebx, [esp+0A8h+var_64]
		movzx	eax, al
		lea	eax, [eax+eax*2]
		lea	eax, [ebx+eax*8]
		mov	[esp+0A8h+var_78], eax
		lea	ecx, [ecx+0]

loc_491A60:				; CODE XREF: KeWaitForMultipleObjects+56Ej
		mov	al, [ebx+9]
		cmp	al, 5
		jnb	loc_491AF7
		mov	edi, [ebx+10h]
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	byte ptr [ebx+9], 4
		jnz	short loc_491AEF
		mov	ecx, [ebx]
		mov	eax, [ebx+4]
		cmp	[ecx+4], ebx
		jz	short loc_491AE6

loc_491A85:				; CODE XREF: KeWaitForMultipleObjects+25Dj
					; KeWaitForMultipleObjects+558j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_491A8C:				; CODE XREF: KeWaitForMultipleObjects+1B0j
		mov	ecx, [ebp+arg_10]
		movsx	eax, cl
		cmp	byte ptr [eax+esi+56h],	0
		jnz	loc_5BA440
		test	cl, cl
		jnz	loc_491B55

loc_491AA5:				; CODE XREF: KeWaitForMultipleObjects+5CAj
		cmp	byte ptr [esi+56h], 0
		jz	loc_491753
		jmp	loc_5BA432
; 

loc_491AB4:				; CODE XREF: KeWaitForMultipleObjects+175j
		or	dword ptr [esi+58h], 10h
		jmp	loc_49170B
; 

loc_491ABD:				; CODE XREF: KeWaitForMultipleObjects+48j
		mov	eax, [edx]
		push	edi
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	eax
		call	KeWaitForSingleObject
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+9Ch+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_491AE6:				; CODE XREF: KeWaitForMultipleObjects+4F3j
		cmp	[eax], ebx
		jnz	short loc_491A85
		mov	[eax], ecx
		mov	[ecx+4], eax

loc_491AEF:				; CODE XREF: KeWaitForMultipleObjects+4E9j
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax

loc_491AF7:				; CODE XREF: KeWaitForMultipleObjects+4D5j
		add	ebx, 18h
		cmp	ebx, [esp+0A8h+var_78]
		jnz	loc_491A60
		mov	ebx, [esp+0A8h+var_6C]

loc_491B08:				; CODE XREF: KeWaitForMultipleObjects+4B6j
		mov	dl, [esi+92h]
		mov	al, [esi+54h]
		mov	byte ptr [esp+0A8h+var_78], dl
		test	al, 38h
		jnz	loc_491D36
		cmp	[esp+0A8h+var_95], 0
		jnz	loc_5BA52E
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_491B30:				; CODE XREF: KeWaitForMultipleObjects+128F85j
					; KeWaitForMultipleObjects+128FA7j
		mov	eax, ebx
		jmp	loc_491957
; 

loc_491B37:				; CODE XREF: KeWaitForMultipleObjects+5Bj
		cmp	eax, 40h
		jbe	loc_491604
		jmp	loc_5BA099
; 

loc_491B45:				; CODE XREF: KeWaitForMultipleObjects+33Cj
		cmp	[esp+0A8h+var_94], 0
		jz	loc_4918D2
		jmp	loc_5BA133
; 

loc_491B55:				; CODE XREF: KeWaitForMultipleObjects+50Fj
		lea	eax, [esi+78h]
		cmp	[eax], eax
		jz	loc_491AA5
		or	byte ptr [esi+86h], 2
		jmp	loc_491C5A
; 

loc_491B6C:				; CODE XREF: KeWaitForMultipleObjects+C4j
		mov	eax, [edi]
		mov	[esp+0A8h+var_70], eax
		mov	eax, [edi+4]
		mov	[esp+0A8h+var_80], eax
		mov	[esp+0A8h+var_68], 1
		jmp	loc_4916C9
; 

loc_491B86:				; CODE XREF: KeWaitForMultipleObjects+241j
		test	byte ptr [edi+1Ch], 2
		jnz	loc_5BA0DB

loc_491B90:				; CODE XREF: KeWaitForMultipleObjects+128B67j
		cmp	dword ptr [edi+4], 0
		jle	loc_491C33

loc_491B9A:				; CODE XREF: KeWaitForMultipleObjects+6B5j
		cmp	dword ptr [edi+4], 80000000h
		jz	loc_5BA466
		mov	esi, [esp+0A8h+var_58]
		mov	[esp+0A8h+var_28], 0
		jmp	short loc_491BC0
; 
		align 10h

loc_491BC0:				; CODE XREF: KeWaitForMultipleObjects+626j
					; KeWaitForMultipleObjects+128ED1j
		lock bts dword ptr [esi], 0
		jb	loc_5BA44F
		mov	esi, [esp+0A8h+var_7C]
		test	byte ptr [esi+54h], 7
		jnz	short loc_491BFC
		mov	ecx, [esp+0A8h+var_9C]
		mov	[esi+94h], ecx
		mov	dword ptr [esi+248h], 0
		add	dword ptr [edi+4], 0FFFFFFFFh
		jnz	short loc_491BFC
		push	[esp+0A8h+var_8C]
		mov	edx, esi
		mov	ecx, edi
		call	_KiWaitSatisfyMutant@12	; KiWaitSatisfyMutant(x,x,x)

loc_491BFC:				; CODE XREF: KeWaitForMultipleObjects+643j
					; KeWaitForMultipleObjects+65Dj
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		lea	ebx, [esi+2Ch]
		jmp	loc_491A1B
; 

loc_491C0C:				; CODE XREF: KeWaitForMultipleObjects+472j
		mov	dword ptr [edi+4], 0
		jmp	loc_491A13
; 

loc_491C18:				; CODE XREF: KeWaitForMultipleObjects+3BFj
		xor	al, al
		mov	[esp+0A8h+var_95], al
		mov	byte ptr [esp+0A8h+var_6C], al
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esi+92h], al
		jmp	loc_4916E0
; 

loc_491C33:				; CODE XREF: KeWaitForMultipleObjects+604j
		cmp	esi, [edi+18h]
		jnz	loc_4917E1
		mov	al, [ecx+223Ah]
		cmp	[edi+2], al
		jz	loc_491B9A
		jmp	loc_4917E1
; 

loc_491C50:				; CODE XREF: KeWaitForMultipleObjects+1BDj
		cmp	byte ptr [ebp+arg_10], 0
		jz	loc_491753

loc_491C5A:				; CODE XREF: KeWaitForMultipleObjects+5D7j
		mov	esi, 0C0h

loc_491C5F:				; CODE XREF: KeWaitForMultipleObjects+128EABj
					; KeWaitForMultipleObjects+128EBAj
		mov	eax, [esp+0A8h+var_58]
		mov	dl, bl
		mov	dword ptr [eax], 0
		mov	ecx, large fs:20h
		call	KiCheckForThreadDispatch
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+9Ch+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_491C90:				; CODE XREF: KeWaitForMultipleObjects+78j
		push	ecx
		push	edi
		push	[ebp+arg_14]
		mov	ecx, eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	KiWaitForAllObjects
		mov	ecx, [esp+0A8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 
		align 10h

loc_491CC0:				; CODE XREF: KeWaitForMultipleObjects+235j
					; KeWaitForMultipleObjects+73Dj ...
		lea	ecx, [esp+0A8h+var_34]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	al, al
		js	short loc_491CC0
		lock bts dword ptr [edi], 7
		jb	short loc_491CC0
		mov	ecx, [esp+0A8h+var_8C]
		jmp	loc_4917CB
; 
		align 10h

loc_491CE0:				; CODE XREF: KeWaitForMultipleObjects+195j
					; KeWaitForMultipleObjects+75Dj
		lea	ecx, [esp+0A8h+var_38]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_491CE0
		jmp	loc_491720
; 

loc_491CF4:				; CODE XREF: KeWaitForMultipleObjects+1A6j
		cmp	word ptr [esi+13Eh], 0
		jnz	loc_49173C
		cmp	bl, 1
		jnb	loc_49173C
		mov	cl, 1
		mov	dword ptr [esi+2Ch], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	0
		push	0
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esi+92h], bl
		jmp	loc_4916F0
; 

loc_491D36:				; CODE XREF: KeWaitForMultipleObjects+587j
		test	al, 18h
		jnz	loc_5BA4C0
		mov	ecx, [esp+0A8h+var_8C]
		mov	dl, 1
		call	KiCheckForThreadDispatch
		push	0
		push	0
		push	0
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		xor	cl, cl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, ebx
		jmp	loc_491957
; 

loc_491D63:				; CODE XREF: KeWaitForMultipleObjects+44Aj
					; KeWaitForMultipleObjects+7E3j
		lea	ecx, [esp+0A8h+var_20]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_491D63
		jmp	loc_4919D5
; 
		align 10h

loc_491D80:				; CODE XREF: KeWaitForMultipleObjects+415j
					; KeWaitForMultipleObjects+800j
		lea	ecx, [esp+0A8h+var_24]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_491D80
		jmp	loc_4919A0
KeWaitForMultipleObjects endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1238. KeQueryTimeIncrement

;  S U B	R O U T	I N E 


; __stdcall KeQueryTimeIncrement()
		public _KeQueryTimeIncrement@0
_KeQueryTimeIncrement@0	proc near	; CODE XREF: sub_787DE0+5BBp
					; sub_787DE0+774p ...
		mov	eax, ds:_KeMaximumIncrement
		retn
_KeQueryTimeIncrement@0	endp

; 
		align 8
; Exported entry 1237. KeQueryTickCount

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeQueryTickCount
KeQueryTickCount proc near		; CODE XREF: CcSetDirtyPinnedData+52Ap
					; MiInitializePageAccessLogging+47p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A7F90 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, [ebp+arg_0]

loc_491DB6:				; CODE XREF: KeQueryTickCount+1161F0j
		mov	eax, ds:dword_7186C4
		mov	[esi+4], eax
		mov	eax, ds:_KeTickCount
		mov	[esi], eax
		mov	eax, ds:dword_7186C8
		cmp	[esi+4], eax
		jnz	loc_5A7F90
		pop	esi
		leave
		retn	4
KeQueryTickCount endp


;  S U B	R O U T	I N E 


ObpIncrPointerCountEx proc near		; CODE XREF: ObWaitForMultipleObjects+391p
					; ObWaitForMultipleObjects+479p ...

; FUNCTION CHUNK AT 005BA53C SIZE 00000023 BYTES

		mov	eax, edx
		lock xadd [ecx], eax
		test	eax, eax
		jle	loc_5BA53C
		add	eax, edx
		retn
ObpIncrPointerCountEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExFastReplenishHandleTableEntry	proc near ; CODE XREF: ObWaitForMultipleObjects+3A8p
					; ObpReferenceObjectByHandleWithTag+3FFp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BA55F SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_10], ecx
		push	edi
		mov	edi, [esi]
		mov	ecx, [esi]
		mov	edx, [esi+4]
		shr	edi, 3
		mov	[ebp+var_14], edi
		lea	ecx, [ecx+0]

loc_491E10:				; CODE XREF: ExFastReplenishHandleTableEntry+8Aj
		mov	eax, edx
		mov	[ebp+var_C], ecx
		shr	eax, 1Bh
		add	eax, [ebp+arg_0]
		mov	[ebp+var_4], 0
		cmp	eax, 1Fh
		jg	loc_5BA54F

loc_491E2B:				; CODE XREF: ObpIncrPointerCountEx+128782j
		mov	ebx, edx
		shl	eax, 1Bh
		and	ebx, 7FFFFFFh
		or	ebx, eax
		mov	eax, ecx
		mov	[ebp+var_8], ebx
		nop
		mov	ebx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		mov	edi, [ebp+var_10]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_14]
		mov	ecx, eax
		cmp	ecx, [esi]
		jnz	short loc_491E65
		cmp	edx, [esi+4]
		jnz	short loc_491E65
		mov	eax, [ebp+var_4]

loc_491E5C:				; CODE XREF: ExFastReplenishHandleTableEntry+12877Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_491E65:				; CODE XREF: ExFastReplenishHandleTableEntry+62j
					; ExFastReplenishHandleTableEntry+67j
		mov	eax, ecx
		mov	[esi], ecx
		shr	eax, 3
		mov	[esi+4], edx
		cmp	eax, edi
		jnz	loc_5BA55F
		test	cl, 1
		jnz	short loc_491E10
		jmp	loc_5BA55F
ExFastReplenishHandleTableEntry	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiWaitSatisfyMutant(x, x, x)
_KiWaitSatisfyMutant@12	proc near	; CODE XREF: KeWaitForMultipleObjects+667p
					; KiWaitSatisfyAny+45p	...

var_10		= dword	ptr -10h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		cmp	byte ptr [ecx+1Dh], 0
		jnz	short loc_491EF5

loc_491E90:				; CODE XREF: KiWaitSatisfyMutant(x,x,x)+7Aj
		mov	eax, [ebp+arg_0]
		push	ebx
		push	edi
		cmp	[eax+4], edx
		jnz	short loc_491EF1
		mov	bl, [eax+223Ah]

loc_491EA0:				; CODE XREF: KiWaitSatisfyMutant(x,x,x)+71j
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ecx]
		mov	[ebp+var_10], eax
		mov	byte ptr [ebp+var_10+2], bl
		mov	eax, [ebp+var_10]
		mov	[ecx], eax
		mov	al, [ecx+1Ch]
		mov	[ecx+18h], edx
		pop	edi
		pop	ebx
		test	al, 1
		jnz	short loc_491EFE

loc_491EC2:				; CODE XREF: KiWaitSatisfyMutant(x,x,x)+8Ej
		and	al, 2
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		add	ecx, 10h
		mov	[edx+248h], eax
		add	edx, 1DCh
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	short loc_491F12
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[edx+4], ecx
		leave
		retn	4
; 

loc_491EF1:				; CODE XREF: KiWaitSatisfyMutant(x,x,x)+16j
		xor	bl, bl
		jmp	short loc_491EA0
; 

loc_491EF5:				; CODE XREF: KiWaitSatisfyMutant(x,x,x)+Cj
		dec	word ptr [edx+13Ch]
		jmp	short loc_491E90
; 

loc_491EFE:				; CODE XREF: KiWaitSatisfyMutant(x,x,x)+3Ej
		and	al, 0FEh
		mov	[ecx+1Ch], al
		or	dword ptr [edx+94h], 80h
		mov	al, [ecx+1Ch]
		jmp	short loc_491EC2
; 

loc_491F12:				; CODE XREF: KiWaitSatisfyMutant(x,x,x)+5Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_KiWaitSatisfyMutant@12	endp


;  S U B	R O U T	I N E 


; __stdcall ExLockHandleTableEntry(x, x)
_ExLockHandleTableEntry@8 proc near	; CODE XREF: ObWaitForMultipleObjects+43Ep
					; ExDupHandleTable+21Dp ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx

loc_491F21:				; CODE XREF: ExLockHandleTableEntry(x,x)+1Bj
					; ExLockHandleTableEntry(x,x)+35j
		mov	ecx, [esi]
		test	cl, 1
		jz	short loc_491F3B
		lea	edx, [ecx-1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jnz	short loc_491F21
		mov	al, 1

loc_491F37:				; CODE XREF: ExLockHandleTableEntry(x,x)+29j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_491F3B:				; CODE XREF: ExLockHandleTableEntry(x,x)+Ej
		test	ecx, ecx
		jnz	short loc_491F43
		xor	al, al
		jmp	short loc_491F37
; 

loc_491F43:				; CODE XREF: ExLockHandleTableEntry(x,x)+25j
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	_ExpBlockOnLockedHandleEntry@12	; ExpBlockOnLockedHandleEntry(x,x,x)
		jmp	short loc_491F21
_ExLockHandleTableEntry@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfLogForegroundProcess(x)
_PfLogForegroundProcess@4 proc near	; CODE XREF: MiTrimOrAgeWorkingSet+341p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		lea	eax, [ecx-240h]
		mov	[ebp+var_8], eax
		mov	eax, [eax+1DCh]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	8		; size_t
		push	eax		; void *
		call	_PFP_GET_CURRENT_TIME@0	; PFP_GET_CURRENT_TIME()
		push	7
		mov	edx, eax
		pop	ecx
		call	PfLogEvent
		leave
		retn
_PfLogForegroundProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PfLogEvent(void	*,size_t)
PfLogEvent	proc near		; CODE XREF: PfpLogApplicationEvent+9Bp
					; PfHardFaultLog+C1p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BA572 SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		add	ebx, 0Fh
		mov	[ebp+var_C], edx
		and	ebx, 0FFFFFFF8h
		lea	edx, [ebp+var_4]
		push	ebx
		mov	esi, ecx
		mov	ecx, offset unk_6D4380
		push	eax
		call	PfFbLogEntryReserve
		mov	edi, eax
		test	edi, edi
		js	short loc_492010
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		push	[ebp+arg_4]	; size_t
		and	ecx, 1FF8h
		shl	esi, 0Ch
		push	[ebp+arg_0]	; void *
		mov	eax, [edx]
		or	ecx, 40006h
		and	eax, 0FFFFF003h
		shr	ecx, 1
		or	ecx, eax
		mov	eax, [ebp+var_C]
		mov	[edx], ecx
		mov	[edx+4], eax
		lea	eax, [edx+8]
		xor	esi, [edx]
		and	esi, 1F000h
		xor	[edx], esi
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		push	ebx
		call	_PfFbLogEntryComplete@12 ; PfFbLogEntryComplete(x,x,x)
		xor	edi, edi

loc_492007:				; CODE XREF: PfLogEvent+A1j
					; PfLogEvent+1285F9j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_492010:				; CODE XREF: PfLogEvent+37j
		xor	eax, eax
		mov	ecx, offset dword_6D4484
		inc	eax
		lock xadd [ecx], eax
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_492007
		jmp	loc_5BA572
PfLogEvent	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfFbLogEntryReserve proc near		; CODE XREF: PfLogEvent+2Ep
					; PfFileInfoNotify+3DDp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BA57E SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	esi, ecx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_4920B9
		mov	ebx, [ebp+arg_4]

loc_492042:				; CODE XREF: PfFbLogEntryReserve+8Fj
		lea	eax, [esi+10h]
		mov	ecx, eax
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_492073

loc_492052:				; CODE XREF: PfFbLogEntryReserve+59j
					; PfFbLogEntryReserve+12856Bj
		mov	eax, [edx+0Ch]
		mov	ecx, [edx+8]
		sub	eax, ecx
		cmp	ebx, eax
		jg	short loc_4920A0
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		mov	[eax], ecx
		mov	eax, [ebp+var_4]
		mov	[eax], edx

loc_49206A:				; CODE XREF: PfFbLogEntryReserve+76j
		mov	eax, edi

loc_49206C:				; CODE XREF: PfFbLogEntryReserve+96j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_492073:				; CODE XREF: PfFbLogEntryReserve+28j
		lea	eax, [esi+8]

loc_492076:				; CODE XREF: PfFbLogEntryReserve+128565j
		mov	ecx, eax
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_492052
		push	esi
		call	dword ptr [esi+38h]
		mov	edi, eax
		test	edi, edi
		jns	loc_5BA57E

loc_492091:				; CODE XREF: PfFbLogEntryReserve+12857Dj
		inc	dword ptr [esi+44h]
		add	[esi+48h], ebx
		mov	ecx, esi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_49206A
; 

loc_4920A0:				; CODE XREF: PfFbLogEntryReserve+34j
		cmp	dword ptr [edx+10h], 0
		jz	loc_5BA598
		push	edx
		call	dword ptr [esi+3Ch]
		mov	ecx, esi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_492042

loc_4920B9:				; CODE XREF: PfFbLogEntryReserve+15j
		mov	eax, 0C0000189h
		jmp	short loc_49206C
PfFbLogEntryReserve endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfFbLogEntryComplete(x, x, x)
_PfFbLogEntryComplete@12 proc near	; CODE XREF: PfLogEvent+80p
					; PfFileInfoNotify+4A4p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+4]
		test	eax, eax
		jz	short loc_4920E4
		add	[esi+8], eax
		mov	eax, [esi+0Ch]
		sub	eax, [esi+8]
		inc	dword ptr [esi+10h]
		cmp	eax, [edi+30h]
		jl	short loc_4920FB

loc_4920E4:				; CODE XREF: PfFbLogEntryComplete(x,x,x)+11j
		lea	ecx, [edi+10h]
		mov	edx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	ecx, edi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_4920F5:				; CODE XREF: PfFbLogEntryComplete(x,x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4920FB:				; CODE XREF: PfFbLogEntryComplete(x,x,x)+22j
		push	esi
		call	dword ptr [edi+3Ch]
		jmp	short loc_4920F5
_PfFbLogEntryComplete@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcWriteBehind	proc near		; CODE XREF: CcCachemapUninitWorkerThread+BFp
					; CcWorkerThread+210p ...

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_30		= byte ptr -30h
var_8		= byte ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BA5AA SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		push	ebx
		push	esi
		mov	eax, ecx
		mov	[esp+64h+var_54], edx
		xor	ebx, ebx
		mov	[esp+64h+var_58], eax
		and	[esp+64h+var_5C], ebx
		push	edi
		call	CcGetPartition
		mov	esi, eax
		lea	edx, [esp+68h+var_5C]
		mov	ecx, esi
		call	_CcAllocateWorkQueueEntry@8 ; CcAllocateWorkQueueEntry(x,x)
		mov	edi, [esp+68h+var_5C]
		test	eax, eax
		js	loc_49220F
		mov	ecx, [esp+68h+var_58]
		mov	eax, [esp+68h+var_54]
		mov	byte ptr [edi+48h], 2
		and	[edi+4], ebx
		and	[edi], ebx
		mov	[edi+8], ecx
		mov	[edi+0Ch], eax
		mov	eax, [esi+284h]
		cmp	eax, [esi+84h]
		jnb	loc_49220F
		cmp	[esi+270h], ebx
		jnz	loc_49220F
		cmp	[ecx+16Ch], ebx
		jnz	loc_49220F
		test	dword ptr [ecx+60h], 10000h
		jnz	loc_49220F
		cmp	[esi+28Ah], bl
		jnz	short loc_49220F
		push	71576343h
		push	24h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_49220F
		xor	eax, eax
		mov	[ebx+20h], esi
		inc	eax
		lea	esi, [edi+10h]
		push	0
		push	eax
		mov	[ebx+10h], eax
		push	esi
		mov	[edi+20h], al
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [ebx+20h]
		mov	ecx, ebx
		and	dword ptr [ebx], 0
		mov	dword ptr [ebx+8], offset CcWriteBehindInternal
		mov	[ebx+0Ch], edi
		push	dword ptr [eax+4]
		push	0FFFFFFFFh
		push	26h
		pop	edx
		call	ExQueueWorkItemToPartition
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	esi
		call	KeWaitForSingleObject

loc_4921EE:				; CODE XREF: CcWriteBehind+13Ej
		test	edi, edi
		jz	short loc_4921F9
		mov	ecx, edi
		call	_CcFreeWorkQueueEntry@4	; CcFreeWorkQueueEntry(x)

loc_4921F9:				; CODE XREF: CcWriteBehind+EEj
		test	ebx, ebx
		jz	short loc_492208
		push	71576343h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_492208:				; CODE XREF: CcWriteBehind+F9j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_49220F:				; CODE XREF: CcWriteBehind+36j
					; CcWriteBehind+5Fj ...
		push	50h		; size_t
		lea	eax, [esp+6Ch+var_50]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	edi, edi
		jz	loc_5BA5AA

loc_492228:				; CODE XREF: CcWriteBehind+1284D4j
		push	edi
		mov	byte ptr [edi+20h], 0
		call	CcWriteBehindInternal
		mov	eax, edi
		lea	ecx, [esp+68h+var_50]
		sub	eax, ecx
		neg	eax
		sbb	eax, eax
		and	edi, eax
		jmp	short loc_4921EE
CcWriteBehind	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcAllocateWorkQueueEntry(x,	x)
_CcAllocateWorkQueueEntry@8 proc near	; CODE XREF: CcScheduleReadAheadEx+28Bp
					; CcAsyncCopyRead+91p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, large fs:20h
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	esi, [ebx+5D0h]
		mov	ecx, esi
		inc	dword ptr [esi+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_492299

loc_49226D:				; CODE XREF: CcAllocateWorkQueueEntry(x,x)+6Ej
					; CcAllocateWorkQueueEntry(x,x)+83j
		mov	eax, [ebx+3CCh]
		mov	[edx], eax

loc_492275:				; CODE XREF: CcAllocateWorkQueueEntry(x,x)+85j
		mov	eax, [ebp+var_4]
		mov	[eax], edx
		test	edx, edx
		jz	short loc_4922C9
		xor	eax, eax
		mov	[edx+4Ch], edi
		inc	eax
		lock xadd [edi+28Ch], eax
		inc	eax
		cmp	eax, 1
		jle	short loc_4922D0

loc_492292:				; CODE XREF: CcAllocateWorkQueueEntry(x,x)+93j
		xor	eax, eax

loc_492294:				; CODE XREF: CcAllocateWorkQueueEntry(x,x)+8Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_492299:				; CODE XREF: CcAllocateWorkQueueEntry(x,x)+29j
		inc	dword ptr [esi+10h]
		mov	esi, [ebx+5D4h]
		mov	ecx, esi
		inc	dword ptr [esi+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_49226D
		push	dword ptr [esi+20h]
		inc	dword ptr [esi+10h]
		push	dword ptr [esi+24h]
		push	dword ptr [esi+1Ch]
		call	dword ptr [esi+28h]
		mov	edx, eax
		test	edx, edx
		jnz	short loc_49226D
		jmp	short loc_492275
; 

loc_4922C9:				; CODE XREF: CcAllocateWorkQueueEntry(x,x)+3Aj
		mov	eax, 0C000009Ah
		jmp	short loc_492294
; 

loc_4922D0:				; CODE XREF: CcAllocateWorkQueueEntry(x,x)+4Ej
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_492292
_CcAllocateWorkQueueEntry@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpRpLogDeprioEvent(x, x, x)
_PfpRpLogDeprioEvent@12	proc near	; CODE XREF: PfCheckDeprioritizeFile+196p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, dword_6FB628
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_14]
		push	10h		; size_t
		push	eax		; void *
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], edx
		call	_PFP_GET_CURRENT_TIME@0	; PFP_GET_CURRENT_TIME()
		push	1Eh
		mov	edx, eax
		pop	ecx
		call	PfLogEvent
		leave
		retn	4
_PfpRpLogDeprioEvent@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfLockSharedTryAcquire proc near	; CODE XREF: PfCheckDeprioritizeFile+22p
					; PfCheckDeprioritizeFile+F2p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BA5DB SIZE 00000055 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, large fs:124h
		mov	edx, ecx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		dec	word ptr [eax+13Ch]
		nop
		xor	edi, edi
		mov	eax, edx
		and	eax, 7FFFFFFCh
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], eax
		jz	loc_492416
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jnz	loc_492437
		mov	cl, [esi+1E4h]
		mov	[ebp+var_C], edi
		test	cl, cl
		jz	loc_5BA5DB

loc_492386:				; CODE XREF: PfLockSharedTryAcquire+1282E4j
		movzx	ecx, cl
		bsf	eax, ecx
		btr	ecx, eax
		mov	[ebp+var_C], eax
		imul	eax, 30h
		mov	[esi+1E4h], cl
		add	eax, [esi+1E8h]
		mov	[ebp+var_4], eax

loc_4923A4:				; CODE XREF: PfLockSharedTryAcquire+128308j
		mov	edi, eax
		test	eax, eax
		jz	loc_492437
		mov	eax, dword_6D07D0
		mov	ecx, edx
		shr	ecx, 15h
		cmp	edx, eax
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_4]
		jb	short loc_4923CF
		cmp	byte ptr dword_6D3994[ecx], 1
		jz	loc_5BA61B

loc_4923CF:				; CODE XREF: PfLockSharedTryAcquire+B2j
		cmp	edx, [ebp+var_20]
		jb	short loc_4923E1
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_5BA61B

loc_4923E1:				; CODE XREF: PfLockSharedTryAcquire+C4j
		or	ecx, 0FFFFFFFFh

loc_4923E4:				; CODE XREF: PfLockSharedTryAcquire+12831Dj
		mov	[eax+14h], ecx
		nop
		mov	ecx, [ebp+var_24]
		mov	[eax+10h], ecx

loc_4923EE:				; CODE XREF: PfLockSharedTryAcquire+131j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_28]
		push	eax
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_492413
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	short loc_492463

loc_492413:				; CODE XREF: PfLockSharedTryAcquire+FBj
					; PfLockSharedTryAcquire+15Aj
		mov	edx, [ebp+var_8]

loc_492416:				; CODE XREF: PfLockSharedTryAcquire+3Ej
		push	11h
		pop	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_492441

loc_492423:				; CODE XREF: PfLockSharedTryAcquire+13Cj
		test	edi, edi
		jz	short loc_49242B
		or	byte ptr [edi+0Eh], 1

loc_49242B:				; CODE XREF: PfLockSharedTryAcquire+117j
		xor	eax, eax
		inc	eax

loc_49242E:				; CODE XREF: PfLockSharedTryAcquire+153j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_492437:				; CODE XREF: PfLockSharedTryAcquire+61j
					; PfLockSharedTryAcquire+9Aj ...
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_4923EE
; 

loc_492441:				; CODE XREF: PfLockSharedTryAcquire+113j
		mov	ecx, edx
		call	@ExfTryAcquirePushLockShared@4 ; ExfTryAcquirePushLockShared(x)
		test	al, al
		jnz	short loc_492423
		test	edi, edi
		jz	short loc_49245A
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	KeAbPostReleaseEx

loc_49245A:				; CODE XREF: PfLockSharedTryAcquire+140j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	eax, eax
		jmp	short loc_49242E
; 

loc_492463:				; CODE XREF: PfLockSharedTryAcquire+103j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_492413
PfLockSharedTryAcquire endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExQueueWorkItemToPartition proc	near	; CODE XREF: CcPostWorkQueueRegular+115p
					; .text:0043A2FAp ...

var_48		= dword	ptr -48h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BA630 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	ExpValidateWorkItem
		cmp	esi, 7
		jb	short loc_4924A3
		lea	eax, [esi-20h]

loc_492482:				; CODE XREF: ExQueueWorkItemToPartition+40j
		mov	ecx, [ebp+arg_4]
		mov	edx, edi
		push	0
		push	[ebp+arg_0]
		mov	ecx, [ecx+8]
		push	eax
		call	ExpQueueWorkItem
		test	al, al
		jz	loc_5BA630
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_4924A3:				; CODE XREF: ExQueueWorkItemToPartition+13j
		mov	eax, ds:_ExpBuiltinPriorities[esi*4]
		jmp	short loc_492482
ExQueueWorkItemToPartition endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcCachemapUninitWorkerThread proc near	; DATA XREF: CcInitializePartition+3F1o

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= byte ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BA652 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 005BA682 SIZE 00000013 BYTES

		push	5Ch
		push	offset dword_6A1A98
		call	__SEH_prolog4_GS
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_58], ecx
		xor	eax, eax
		lea	edi, [ebp+var_48]
		stosd
		stosd
		stosd
		xor	esi, esi
		mov	[ebp+var_6C], esi
		mov	[ebp+var_68], esi
		cmp	dword ptr [ecx+10h], 5
		jnz	loc_5BA682
		mov	edi, [ecx+20h]
		mov	[ebp+var_60], edi
		lea	eax, [edi+0B4h]
		mov	[ebp+var_54], eax

loc_4924E7:				; CODE XREF: CcCachemapUninitWorkerThread+E6j
		lea	ecx, [edi+80h]
		lea	edx, [ebp+var_48]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, [ebp+var_54]
		mov	ecx, edi
		call	CcFindNextWorkQueueEntry
		mov	[ebp+var_4C], eax
		test	eax, eax
		jz	loc_492597
		test	ds:byte_70EFC6,	1
		jnz	loc_5BA652
		mov	eax, [ebp+var_48]
		test	eax, eax
		jnz	loc_492614
		mov	edx, [ebp+var_44]
		lea	eax, [ebp+var_48]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_48]
		cmp	eax, ecx
		jnz	loc_49260C

loc_492539:				; CODE XREF: CcCachemapUninitWorkerThread+174j
					; CcCachemapUninitWorkerThread+1281B1j
		mov	cl, [ebp+var_40]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ds:dword_70EFD0, 20000h
		jnz	loc_492625

loc_492552:				; CODE XREF: CcCachemapUninitWorkerThread+1ACj
		mov	[ebp+ms_exc.disabled], esi
		mov	ecx, [ebp+var_4C]
		movzx	eax, byte ptr [ecx+48h]
		dec	eax
		sub	eax, 1
		jnz	short loc_492570
		mov	[ebp+var_68], ecx
		lea	edx, [ebp+var_6C]
		mov	ecx, [ecx+8]
		call	CcWriteBehind

loc_492570:				; CODE XREF: CcCachemapUninitWorkerThread+B4j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_492577:				; CODE XREF: sub_5BA695+Fj
		xor	ecx, ecx
		inc	ecx
		test	ds:dword_70EFD0, 20000h
		jnz	loc_49265D

loc_49258A:				; CODE XREF: CcCachemapUninitWorkerThread+1E3j
		mov	ecx, [ebp+var_4C]
		call	_CcFreeWorkQueueEntry@4	; CcFreeWorkQueueEntry(x)
		jmp	loc_4924E7
; 

loc_492597:				; CODE XREF: CcCachemapUninitWorkerThread+58j
		lea	ecx, [edi+0CCh]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_4926AD
		mov	eax, [ebp+var_58]
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		dec	dword ptr [edi+0D4h]
		test	ds:byte_70EFC6,	1
		jnz	loc_5BA642
		mov	eax, [ebp+var_48]
		test	eax, eax
		jnz	loc_49269C
		mov	edx, [ebp+var_44]
		lea	eax, [ebp+var_48]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_48]
		cmp	eax, ecx
		jnz	loc_492694

loc_4925EA:				; CODE XREF: CcCachemapUninitWorkerThread+1FCj
					; ExQueueWorkItemToPartition+1281E3j
		mov	cl, [ebp+var_40]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	CcDereferencePartition
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_49260C:				; CODE XREF: CcCachemapUninitWorkerThread+87j
		lea	ecx, [ebp+var_48]
		call	KxWaitForLockChainValid

loc_492614:				; CODE XREF: CcCachemapUninitWorkerThread+70j
		mov	[ebp+var_48], esi
		add	eax, 4
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_492539
; 

loc_492625:				; CODE XREF: CcCachemapUninitWorkerThread+A0j
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], 4
		mov	[ebp+var_20], esi
		push	(offset	off_401900+2)
		push	1601h
		push	80020000h
		xor	edx, edx
		inc	edx
		lea	ecx, [ebp+var_2C]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_492552
; 

loc_49265D:				; CODE XREF: CcCachemapUninitWorkerThread+D8j
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], 4
		mov	[ebp+var_30], esi
		push	(offset	off_401900+2)
		push	1602h
		push	80020000h
		mov	edx, ecx
		lea	ecx, [ebp+var_3C]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_49258A
; 

loc_492694:				; CODE XREF: CcCachemapUninitWorkerThread+138j
		lea	ecx, [ebp+var_48]
		call	KxWaitForLockChainValid

loc_49269C:				; CODE XREF: CcCachemapUninitWorkerThread+121j
		mov	[ebp+var_48], esi
		add	eax, 4
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4925EA
; 

loc_4926AD:				; CODE XREF: CcCachemapUninitWorkerThread+F6j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		retn
CcCachemapUninitWorkerThread endp ; sp = -70h

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcWorkerThread	proc near		; DATA XREF: CcInitializePartition+2FDo
					; CcInitializePartition+376o

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= byte ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3E		= byte ptr -3Eh
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BA6A9 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 005BA6D7 SIZE 00000140 BYTES
; FUNCTION CHUNK AT 005BA869 SIZE 0000003E BYTES

		push	98h
		push	offset dword_6A1AB8
		call	__SEH_prolog4_GS
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_6C], ecx
		and	[ebp+var_48], 0
		mov	[ebp+var_3E], 0
		mov	[ebp+var_90], ecx
		and	[ebp+var_54], 0
		and	[ebp+var_50], 0
		xor	eax, eax
		lea	edi, [ebp+var_60]
		stosd
		stosd
		stosd
		and	[ebp+var_74], 0
		and	[ebp+var_70], 0
		mov	eax, [ecx+10h]
		mov	[ebp+var_4C], eax
		mov	[ebp+var_98], eax
		cmp	eax, 1
		jnz	loc_492C40
		cmp	eax, 2

loc_492707:				; CODE XREF: CcWorkerThread+58Fj
		setz	al
		mov	[ebp+var_7C], eax
		mov	[ebp+var_9C], eax
		mov	esi, [ecx+20h]
		mov	[ebp+var_94], esi
		mov	[ebp+var_80], esi
		xor	edi, edi

loc_492721:				; CODE XREF: CcWorkerThread+286j
					; CcWorkerThread+1281BFj ...
		and	[ebp+var_44], 0
		and	[ebp+var_78], 0
		mov	[ebp+var_3D], 0
		lea	ecx, [esi+80h]
		lea	edx, [ebp+var_60]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	[ebp+var_3E], 0
		jnz	loc_5BA6DE

loc_492745:				; CODE XREF: CcWorkerThread+128048j
		cmp	[ebp+var_70], 8A5Eh
		jz	loc_5BA701

loc_492752:				; CODE XREF: CcWorkerThread+128078j
		mov	ecx, [ebp+var_4C]
		cmp	ecx, 2
		jz	loc_492BA1

loc_49275E:				; CODE XREF: CcWorkerThread+4FDj
		mov	eax, [ebp+var_44]
		xor	ecx, ecx
		inc	ecx
		test	al, cl
		jnz	short loc_49277A
		or	eax, ecx
		mov	[ebp+var_44], eax
		lea	edx, [esi+94h]
		mov	[ebp+var_48], edx
		cmp	[edx], edx
		jnz	short loc_4927B3

loc_49277A:				; CODE XREF: CcWorkerThread+B2j
		test	al, 2
		jnz	short loc_492791
		or	eax, 2
		mov	[ebp+var_44], eax
		lea	edx, [esi+9Ch]
		mov	[ebp+var_48], edx
		cmp	[edx], edx
		jnz	short loc_4927B3

loc_492791:				; CODE XREF: CcWorkerThread+C8j
		mov	ecx, [ebp+var_4C]

loc_492794:				; CODE XREF: CcWorkerThread+506j
		test	al, 4
		jnz	loc_49293F
		or	eax, 4
		mov	[ebp+var_44], eax
		lea	edx, [esi+0A4h]
		mov	[ebp+var_48], edx
		cmp	[edx], edx
		jz	loc_49293F

loc_4927B3:				; CODE XREF: CcWorkerThread+C4j
					; CcWorkerThread+DBj
		mov	[ebp+var_68], edx
		push	[ebp+var_7C]
		mov	ecx, esi
		call	CcShouldWorkOnThisQueue
		test	al, al
		mov	ecx, [ebp+var_4C]
		jz	loc_492BAE
		mov	ecx, esi
		call	CcFindNextWorkQueueEntry
		mov	edi, eax
		mov	[ebp+var_8C], edi
		test	edi, edi
		mov	ecx, [ebp+var_4C]
		jz	loc_492BAE
		lea	eax, [ebp+var_54]
		push	eax
		call	KeQuerySystemTime
		cmp	byte ptr [esi+200h], 0
		jnz	loc_492BBF

loc_4927FB:				; CODE XREF: CcWorkerThread+524j
					; CcWorkerThread+52Dj ...
		lea	eax, [esi+0A4h]
		mov	[ebp+var_44], eax
		mov	ecx, [ebp+var_48]
		cmp	ecx, eax
		jnz	short loc_49281D
		mov	eax, [ebp+var_54]
		mov	[esi+1F0h], eax
		mov	eax, [ebp+var_50]
		mov	[esi+1F4h], eax

loc_49281D:				; CODE XREF: CcWorkerThread+155j
		mov	eax, [esi+284h]
		cmp	eax, [esi+84h]
		jnb	loc_492A19

loc_49282F:				; CODE XREF: CcWorkerThread+37Ej
					; CcWorkerThread+387j ...
		xor	edx, edx
		inc	edx

loc_492832:				; CODE XREF: CcWorkerThread+42Ej
		cmp	ecx, [ebp+var_44]
		jnz	loc_4929DA

loc_49283B:				; CODE XREF: CcWorkerThread+339j
		mov	eax, 0ECh

loc_492840:				; CODE XREF: CcWorkerThread+333j
		mov	ecx, [ebp+var_80]
		lock inc dword ptr [ecx+eax]
		test	ds:byte_70EFC6,	dl
		jnz	loc_5BA7DA
		mov	eax, [ebp+var_60]
		test	eax, eax
		jnz	loc_492C2E
		mov	edx, [ebp+var_5C]
		lea	eax, [ebp+var_60]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_60]
		cmp	eax, ecx
		jnz	loc_492C23

loc_492875:				; CODE XREF: CcWorkerThread+587j
					; CcWorkerThread+128131j
		mov	cl, [ebp+var_58]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ds:dword_70EFD0, 20000h
		jnz	loc_492B3B

loc_49288E:				; CODE XREF: CcWorkerThread+49Bj
					; CcWorkerThread+4D9j
		and	[ebp+ms_exc.disabled], 0
		movzx	eax, byte ptr [edi+48h]
		sub	eax, 1
		jz	loc_4929F2
		sub	eax, 1
		jnz	loc_492AE7
		mov	eax, large fs:124h
		mov	[ebp+var_A4], eax
		or	dword ptr [eax+300h], 2

loc_4928BB:				; CODE XREF: CcWorkerThread+228j
		mov	[ebp+var_70], edi
		lea	edx, [ebp+var_74]
		mov	ecx, [edi+8]
		call	CcWriteBehind
		mov	eax, [ebp+var_78]
		cmp	eax, 0Ah
		jnb	short loc_4928DE
		inc	eax
		mov	[ebp+var_78], eax
		cmp	[ebp+var_70], 8A5Eh
		jz	short loc_4928BB

loc_4928DE:				; CODE XREF: CcWorkerThread+21Bj
		mov	eax, large fs:124h
		mov	[ebp+var_A8], eax
		and	dword ptr [eax+300h], 0FFFFFFFDh

loc_4928F1:				; CODE XREF: CcWorkerThread+348j
					; CcWorkerThread+448j ...
		xor	edx, edx
		inc	edx

loc_4928F4:				; CODE XREF: CcWorkerThread+12815Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_48]

loc_4928FE:				; CODE XREF: sub_5BA817+4Dj
		cmp	ecx, [ebp+var_44]
		jnz	loc_492A01

loc_492907:				; CODE XREF: CcWorkerThread+360j
		mov	eax, 0ECh

loc_49290C:				; CODE XREF: CcWorkerThread+35Aj
		mov	ecx, [ebp+var_80]
		lock dec dword ptr [ecx+eax]
		cmp	[ebp+var_70], 8A5Eh
		mov	ecx, [ebp+var_48]
		jz	loc_5BA869
		test	ds:dword_70EFD0, 20000h
		jnz	loc_492B01

loc_492933:				; CODE XREF: CcWorkerThread+482j
		mov	ecx, edi
		call	_CcFreeWorkQueueEntry@4	; CcFreeWorkQueueEntry(x)
		jmp	loc_492721
; 

loc_49293F:				; CODE XREF: CcWorkerThread+E2j
					; CcWorkerThread+F9j ...
		cmp	ecx, 2
		jz	loc_492C4E
		lea	eax, [esi+8Ch]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_492CD5
		mov	edx, [ebp+var_6C]
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[eax+4], edx
		dec	dword ptr [esi+88h]

loc_49296C:				; CODE XREF: CcWorkerThread+5BAj
		cmp	byte ptr [esi+200h], 0
		jnz	loc_492C90

loc_492979:				; CODE XREF: CcWorkerThread+5E3j
					; CcWorkerThread+5F0j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5BA888
		mov	eax, [ebp+var_60]
		test	eax, eax
		jnz	loc_492C7B
		mov	edx, [ebp+var_5C]
		lea	eax, [ebp+var_60]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_60]
		cmp	eax, ecx
		jnz	loc_492C73

loc_4929A8:				; CODE XREF: CcWorkerThread+5D7j
					; CcWorkerThread+1281DFj
		mov	cl, [ebp+var_58]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ds:dword_70EFD0, 20000h
		jnz	loc_492B92

loc_4929C1:				; CODE XREF: CcWorkerThread+4E2j
					; CcWorkerThread+1281EEj
		mov	ecx, esi
		call	CcDereferencePartition
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4929DA:				; CODE XREF: CcWorkerThread+181j
		lea	eax, [esi+0B4h]
		cmp	ecx, eax
		mov	eax, 0F0h
		jnz	loc_492840
		jmp	loc_49283B
; 

loc_4929F2:				; CODE XREF: CcWorkerThread+1E5j
		mov	edx, [edi+8]
		mov	ecx, edi
		call	CcPerformReadAhead
		jmp	loc_4928F1
; 

loc_492A01:				; CODE XREF: CcWorkerThread+24Dj
		lea	eax, [esi+0B4h]
		cmp	ecx, eax
		mov	eax, 0F0h
		jnz	loc_49290C
		jmp	loc_492907
; 

loc_492A19:				; CODE XREF: CcWorkerThread+175j
		mov	edx, _CcExtraWBThreadDelay
		xor	eax, eax
		add	edx, [esi+1F0h]
		adc	eax, [esi+1F4h]
		cmp	[ebp+var_50], eax
		jg	short loc_492A41
		jl	loc_49282F
		cmp	[ebp+var_54], edx
		jb	loc_49282F

loc_492A41:				; CODE XREF: CcWorkerThread+37Cj
		lea	eax, [esi+8Ch]
		cmp	[eax], eax
		jnz	loc_49282F
		mov	edx, [ebp+var_44]
		cmp	[edx], edx
		jz	loc_49282F
		lea	eax, [esi+0BCh]
		mov	edx, [eax]
		mov	[ebp+var_84], edx
		cmp	edx, eax
		jz	loc_49282F
		cmp	dword ptr [esi+0C4h], 0
		jnz	loc_49282F
		mov	ecx, [edx]
		cmp	[edx+4], eax
		jnz	loc_492CD5
		cmp	[ecx+4], edx
		jnz	loc_492CD5
		mov	[eax], ecx
		mov	[ecx+4], eax
		inc	dword ptr [esi+0C4h]
		xor	ecx, ecx
		inc	ecx
		mov	eax, ecx
		lock xadd [esi+28Ch], eax
		inc	eax
		cmp	eax, ecx
		jle	loc_5BA7D0

loc_492AB2:				; CODE XREF: CcWorkerThread+128121j
		and	dword ptr [edx], 0
		push	dword ptr [esi+4]
		push	0FFFFFFFFh
		xor	edx, edx
		mov	ecx, [ebp+var_84]
		call	ExQueueWorkItemToPartition
		mov	eax, [ebp+var_54]
		mov	[esi+1F0h], eax
		mov	eax, [ebp+var_50]
		mov	[esi+1F4h], eax
		xor	edx, edx
		inc	edx
		mov	[ebp+var_3D], dl
		mov	ecx, [ebp+var_48]
		jmp	loc_492832
; 

loc_492AE7:				; CODE XREF: CcWorkerThread+1EEj
		sub	eax, 1
		jnz	loc_5BA7F9
		push	dword ptr [edi+8]
		mov	edx, edi
		mov	ecx, esi
		call	CcLazyWriteScan
		jmp	loc_4928F1
; 

loc_492B01:				; CODE XREF: CcWorkerThread+279j
		mov	[ebp+var_A0], edi
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_3C], eax
		and	[ebp+var_38], 0
		mov	[ebp+var_34], 4
		and	[ebp+var_30], 0
		push	(offset	off_401900+2)
		push	1602h
		push	80020000h
		lea	ecx, [ebp+var_3C]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_492933
; 

loc_492B3B:				; CODE XREF: CcWorkerThread+1D4j
		cmp	[ebp+var_3D], 0
		jnz	loc_5BA7EA

loc_492B45:				; CODE XREF: CcWorkerThread+128140j
		test	ds:dword_70EFD0, 20000h
		jz	loc_49288E
		mov	[ebp+var_88], edi
		lea	eax, [ebp+var_88]
		mov	[ebp+var_2C], eax
		and	[ebp+var_28], 0
		mov	[ebp+var_24], 4
		and	[ebp+var_20], 0
		push	(offset	off_401900+2)
		push	1601h
		push	80020000h
		xor	edx, edx
		inc	edx
		lea	ecx, [ebp+var_2C]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_49288E
; 

loc_492B92:				; CODE XREF: CcWorkerThread+307j
		cmp	[ebp+var_4C], 2
		jnz	loc_4929C1
		jmp	loc_5BA898
; 

loc_492BA1:				; CODE XREF: CcWorkerThread+A4j
		cmp	byte ptr [esi+201h], 0
		jnz	loc_5BA731

loc_492BAE:				; CODE XREF: CcWorkerThread+111j
					; CcWorkerThread+12Bj
		cmp	ecx, 2
		jnz	loc_49275E
		mov	eax, [ebp+var_44]
		jmp	loc_492794
; 

loc_492BBF:				; CODE XREF: CcWorkerThread+141j
		mov	ecx, _CcExtraWBThreadDelay
		xor	eax, eax
		add	ecx, [esi+1F8h]
		adc	eax, [esi+1FCh]
		cmp	[ebp+var_50], eax
		jg	short loc_492BE7
		jl	loc_4927FB
		cmp	[ebp+var_54], ecx
		jb	loc_4927FB

loc_492BE7:				; CODE XREF: CcWorkerThread+522j
		lea	eax, [esi+8Ch]
		cmp	[eax], eax
		jnz	loc_4927FB
		cmp	dword ptr [esi+144h], 0
		jz	loc_4927FB
		lea	eax, [esi+0A4h]
		cmp	[eax], eax
		jz	loc_4927FB
		lea	eax, [esi+0BCh]
		cmp	[eax], eax
		jz	loc_4927FB
		jmp	loc_5BA73D
; 

loc_492C23:				; CODE XREF: CcWorkerThread+1BBj
		lea	ecx, [ebp+var_60]
		call	KxWaitForLockChainValid
		xor	edx, edx
		inc	edx

loc_492C2E:				; CODE XREF: CcWorkerThread+1A4j
		mov	[ebp+var_60], 0
		add	eax, 4
		lock xor [eax],	edx
		jmp	loc_492875
; 

loc_492C40:				; CODE XREF: CcWorkerThread+4Aj
		cmp	eax, 2
		jz	loc_492707
		jmp	loc_5BA6A9
; 

loc_492C4E:				; CODE XREF: CcWorkerThread+28Ej
		lea	eax, [esi+0BCh]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_492CD5
		mov	edx, [ebp+var_6C]
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[eax+4], edx
		dec	dword ptr [esi+0C4h]
		jmp	loc_49296C
; 

loc_492C73:				; CODE XREF: CcWorkerThread+2EEj
		lea	ecx, [ebp+var_60]
		call	KxWaitForLockChainValid

loc_492C7B:				; CODE XREF: CcWorkerThread+2D7j
		mov	[ebp+var_60], 0
		add	eax, 4
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4929A8
; 

loc_492C90:				; CODE XREF: CcWorkerThread+2BFj
		cmp	dword ptr [esi+0C4h], 0
		jnz	loc_492979
		cmp	dword ptr [esi+88h], 1
		ja	loc_492979
		mov	byte ptr [esi+200h], 0
		mov	eax, [esi+0C8h]
		lea	eax, ds:8[eax*8]
		push	eax		; size_t
		push	0		; int
		push	dword ptr [esi+1D0h] ; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_492979
; 
		retn
; 

loc_492CD5:				; CODE XREF: CcWorkerThread+29Fj
					; CcWorkerThread+3CEj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
CcWorkerThread	endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcShouldWorkOnThisQueue	proc near	; CODE XREF: CcWorkerThread+107p

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005BA8A7 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_492D12

loc_492CE5:				; CODE XREF: CcShouldWorkOnThisQueue+44j
		lea	eax, [ecx+0A4h]
		cmp	edx, eax
		jnz	short loc_492D04
		mov	eax, [ecx+0ECh]
		inc	eax
		cmp	eax, [ecx+284h]
		ja	short loc_492D20

loc_492CFE:				; CODE XREF: CcShouldWorkOnThisQueue+31j
					; CcShouldWorkOnThisQueue+127BDAj ...
		mov	al, 1

loc_492D00:				; CODE XREF: CcShouldWorkOnThisQueue+48j
		pop	ebp
		retn	4
; 

loc_492D04:				; CODE XREF: CcShouldWorkOnThisQueue+13j
		cmp	dword ptr [ecx+0E0h], 0
		jbe	short loc_492CFE
		jmp	loc_5BA8A7
; 

loc_492D12:				; CODE XREF: CcShouldWorkOnThisQueue+9j
		mov	eax, [ecx+284h]
		cmp	eax, [ecx+84h]
		jnb	short loc_492CE5

loc_492D20:				; CODE XREF: CcShouldWorkOnThisQueue+22j
					; CcShouldWorkOnThisQueue+127BEDj
		xor	al, al
		jmp	short loc_492D00
CcShouldWorkOnThisQueue	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcWriteBehindInternal proc near		; CODE XREF: CcWriteBehind+12Bp
					; DATA XREF: CcWriteBehind+C9o

var_72		= byte ptr -72h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_56		= byte ptr -56h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BA8CC SIZE 00000299 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		xor	eax, eax
		mov	[esp+5Ch+var_38], eax
		mov	[esp+5Ch+var_34], eax
		mov	[esp+5Ch+var_30], eax
		mov	[esp+5Ch+var_2C], eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+68h+var_18]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+68h+var_24]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+68h+var_C]
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+0Ch]
		mov	esi, [edi+8]
		mov	ecx, esi
		mov	[esp+68h+var_54], eax
		mov	al, [edi+20h]
		mov	[esp+68h+var_44], esi
		mov	[esp+13h], al
		call	CcGetPartition
		mov	ebx, eax
		mov	[esp+68h+var_50], ebx
		cmp	ebx, [edi+4Ch]
		jnz	loc_5BAB3E
		lea	edi, [ebx+80h]
		lea	eax, [ebx+40h]
		mov	[esp+68h+var_3C], edi
		mov	[esp+68h+var_4C], eax

loc_492D9C:				; CODE XREF: CcWriteBehindInternal+127D6Fj
		xor	cl, cl
		lea	edx, [esp+68h+var_24]
		mov	[esp+68h+var_56], cl
		mov	ecx, eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		inc	dword ptr [esi+4]
		xor	eax, eax
		inc	dword ptr [esi+178h]
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5BA8CC
		mov	eax, [esp+68h+var_24]
		test	eax, eax
		jnz	loc_4933AA
		mov	edx, [esp+68h+var_20]
		lea	eax, [esp+68h+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+68h+var_24]
		cmp	eax, ecx
		jnz	loc_4933A1

loc_492DEB:				; CODE XREF: CcWriteBehindInternal+697j
					; CcWriteBehindInternal+127BB4j
		mov	cl, [esp+68h+var_1C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		mov	ecx, ebx
		push	esi
		lea	edx, [eax+1]
		call	CcApplyLowIoPriorityToThread
		lea	edx, [esp+68h+var_C]
		mov	ecx, edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edi, [ebx+284h]
		xor	eax, eax
		mov	ebx, [ebx+84h]
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5BA8DD
		mov	eax, [esp+68h+var_C]
		test	eax, eax
		jnz	loc_4933E8
		mov	edx, [esp+68h+var_8]
		lea	eax, [esp+68h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+68h+var_C]
		cmp	eax, ecx
		jnz	loc_4933DF

loc_492E4E:				; CODE XREF: CcWriteBehindInternal+6D5j
					; CcWriteBehindInternal+127BC5j
		mov	cl, [esp+68h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	edi, ebx
		mov	ebx, [esp+68h+var_50]
		jnb	loc_493392

loc_492E64:				; CODE XREF: CcWriteBehindInternal+678j
		mov	eax, [esi+88h]
		xor	ecx, ecx
		inc	ecx
		push	ecx
		push	dword ptr [esi+8Ch]
		call	dword ptr [eax]
		test	al, al
		jz	loc_5BAAA9
		lea	ecx, [esi+0B4h]
		call	ExAcquireFastMutex
		lea	edx, [esp+70h+var_2C]
		lea	ecx, [ebx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esi+60h]
		and	eax, 10000h
		mov	[esp+70h+var_48], eax
		mov	eax, [esi+68h]
		test	eax, eax
		jnz	loc_4930E5
		mov	edi, [esi+78h]

loc_492EAF:				; CODE XREF: CcWriteBehindInternal+3CFj
					; CcWriteBehindInternal+3DAj
		lea	eax, [esi+44h]
		mov	[esp+70h+var_50], eax
		mov	eax, [eax]
		and	eax, 0FFFFFFF8h
		mov	ebx, [eax+14h]
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5BA8EE
		mov	eax, [esp+70h+var_2C]
		test	eax, eax
		jnz	loc_49337C
		mov	edx, [esp+70h+var_28]
		lea	eax, [esp+70h+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+70h+var_2C]
		cmp	eax, ecx
		jnz	loc_493373

loc_492EF3:				; CODE XREF: CcWriteBehindInternal+669j
					; CcWriteBehindInternal+127BD6j
		mov	cl, byte ptr [esp+70h+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	ecx, [esi+0B4h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, [esi+164h]
		mov	ecx, edi
		add	eax, 84h
		lock xadd [eax], ecx
		mov	eax, [esi+60h]
		mov	edx, 1000000h
		test	eax, edx
		jnz	loc_49332C

loc_492F29:				; CODE XREF: CcWriteBehindInternal+61Ej
		xor	eax, eax

loc_492F2B:				; CODE XREF: CcWriteBehindInternal+63Cj
		mov	ecx, [esp+70h+var_5C]
		mov	edx, offset _CcNoDelay
		push	ecx
		push	0
		push	eax
		xor	eax, eax
		mov	ecx, ebx
		inc	eax
		push	eax
		call	_CcFlushCachePriv@24 ; CcFlushCachePriv(x,x,x,x,x,x)
		mov	ecx, [esp+80h+var_68]
		xor	dl, dl
		push	esi
		call	CcApplyLowIoPriorityToThread
		mov	eax, [esi+164h]
		neg	edi
		mov	ecx, edi
		add	eax, 84h
		lock xadd [eax], ecx
		test	dword ptr [esi+60h], 1000000h
		jnz	loc_493318

loc_492F6F:				; CODE XREF: CcWriteBehindInternal+603j
		mov	eax, [esi+88h]
		push	dword ptr [esi+8Ch]
		call	dword ptr [eax+4]
		mov	eax, [esp+84h+var_70]
		mov	edx, [eax]
		cmp	edx, 80000016h
		jnz	loc_4930D1

loc_492F90:				; CODE XREF: CcWriteBehindInternal+3B6j
					; CcWriteBehindInternal+127C1Ej ...
		lea	ecx, [esi+0B4h]
		xor	edi, edi
		call	ExAcquireFastMutex
		mov	eax, [esi+20h]
		mov	ecx, esi
		mov	[esp+84h+var_54], eax
		mov	eax, [esi+24h]
		mov	[esp+84h+var_50], eax
		call	_CcShouldIssueVDLUpdate@4 ; CcShouldIssueVDLUpdate(x)
		test	al, al
		jnz	loc_493103

loc_492FBA:				; CODE XREF: CcWriteBehindInternal+3F4j
					; CcWriteBehindInternal+3FFj ...
		lea	ecx, [esi+0B4h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ebx, [esp+84h+var_68]
		lea	edx, [esp+84h+var_40]
		mov	ecx, ebx
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		dec	dword ptr [esi+4]
		dec	dword ptr [esi+178h]
		cmp	dword ptr [esi+4], 0
		jnz	loc_493280
		test	edi, edi
		js	loc_5BA9AA

loc_492FEF:				; CODE XREF: CcWriteBehindInternal+127C9Cj
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5BA9F1
		mov	eax, [esp+84h+var_40]
		test	eax, eax
		jnz	loc_4933C9
		mov	edx, [esp+84h+var_3C]
		lea	eax, [esp+84h+var_40]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+84h+var_40]
		cmp	eax, ecx
		jnz	loc_4933C0

loc_493024:				; CODE XREF: CcWriteBehindInternal+6B6j
					; CcWriteBehindInternal+127CD9j
		mov	cl, byte ptr [esp+84h+var_38]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	ecx, [esi+44h]
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_493045
		mov	ecx, esi
		call	_CcSlowReferenceSharedCacheMapFileObject@4 ; CcSlowReferenceSharedCacheMapFileObject(x)
		mov	edi, eax

loc_493045:				; CODE XREF: CcWriteBehindInternal+316j
		push	edi
		call	_FsRtlAcquireFileExclusive@4 ; FsRtlAcquireFileExclusive(x)
		lea	edx, [esp+84h+var_34]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	edx, [esp+84h+var_40]
		mov	ecx, ebx
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ebx, [esi+4]
		test	ebx, ebx
		jnz	loc_4931B7
		cmp	[esi+4Ch], ebx
		jnz	loc_4931AB
		cmp	dword ptr [esi+20h], 0FFFFFFFFh
		jnz	short loc_493087
		cmp	dword ptr [esi+24h], 7FFFFFFFh
		jz	short loc_493094

loc_493087:				; CODE XREF: CcWriteBehindInternal+358j
		test	dword ptr [esi+60h], 400h
		jnz	loc_4932F3

loc_493094:				; CODE XREF: CcWriteBehindInternal+361j
					; CcWriteBehindInternal+5D6j ...
		xor	eax, eax
		lea	edx, [esp+84h+var_34]
		push	edi
		inc	eax
		mov	ecx, esi
		push	eax
		lea	eax, [esp+8Ch+var_40]
		push	eax
		call	CcDeleteSharedCacheMap
		mov	eax, [esp+84h+var_70]
		and	dword ptr [eax+4], 0

loc_4930B1:				; CODE XREF: CcWriteBehindInternal+5CAj
					; CcWriteBehindInternal+127E15j
		cmp	byte ptr [esp+13h], 0
		jz	short loc_4930C8
		mov	eax, [ebp+arg_0]
		push	0
		push	0
		add	eax, 10h
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_4930C8:				; CODE XREF: CcWriteBehindInternal+392j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4930D1:				; CODE XREF: CcWriteBehindInternal+266j
		mov	ecx, esi
		call	CcIsFatalWriteError
		test	al, al
		jz	loc_492F90
		jmp	loc_5BA8FF
; 

loc_4930E5:				; CODE XREF: CcWriteBehindInternal+182j
		mov	edi, [eax+8]
		mov	[eax+4], edi
		mov	ecx, [ebx+144h]
		cmp	edi, ecx
		jbe	loc_492EAF
		mov	[eax+4], ecx
		mov	edi, ecx
		jmp	loc_492EAF
; 

loc_493103:				; CODE XREF: CcWriteBehindInternal+290j
		xor	eax, eax
		inc	eax
		push	eax
		push	ebx
		call	CcGetFlushedValidData
		mov	[esp+84h+var_54], eax
		mov	[esp+84h+var_50], edx
		cmp	edx, [esi+24h]
		jl	loc_492FBA
		jg	short loc_493129
		cmp	eax, [esi+20h]
		jb	loc_492FBA

loc_493129:				; CODE XREF: CcWriteBehindInternal+3FAj
		test	dword ptr [esi+60h], 40000000h
		jnz	short loc_493198
		lea	ecx, [esi+0B4h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		lea	ecx, [esi+44h]
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_493365

loc_49314F:				; CODE XREF: CcWriteBehindInternal+64Aj
		lea	edx, [esp+84h+var_54]
		mov	ecx, ebx
		call	CcSetValidData
		mov	ecx, [esi+44h]
		mov	edi, eax
		mov	edx, ecx
		xor	edx, ebx
		cmp	edx, 7
		jnb	loc_4933FE

loc_49316C:				; CODE XREF: CcWriteBehindInternal+127C44j
		mov	esi, [esp+84h+var_64]
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	esi, [esp+84h+var_60]
		cmp	eax, ecx
		jnz	loc_5BA961

loc_493185:				; CODE XREF: CcWriteBehindInternal+6E5j
		lea	ecx, [esi+0B4h]
		call	ExAcquireFastMutex
		test	edi, edi
		js	loc_5BA973

loc_493198:				; CODE XREF: CcWriteBehindInternal+40Cj
		mov	eax, [esp+84h+var_54]
		mov	[esi+20h], eax
		mov	eax, [esp+84h+var_50]
		mov	[esi+24h], eax
		jmp	loc_492FBA
; 

loc_4931AB:				; CODE XREF: CcWriteBehindInternal+34Ej
					; CcWriteBehindInternal+5DCj ...
		mov	eax, [esi+8]
		or	eax, [esi+0Ch]
		jz	loc_4934BB

loc_4931B7:				; CODE XREF: CcWriteBehindInternal+345j
					; CcWriteBehindInternal+79Bj
		cmp	dword ptr [esi+4Ch], 0
		jz	loc_493459
		test	dword ptr [esi+60h], 10000h
		jnz	loc_493474

loc_4931CE:				; CODE XREF: CcWriteBehindInternal+740j
					; CcWriteBehindInternal+757j
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jnz	loc_5BAA02
		mov	eax, [esp+84h+var_40]
		test	eax, eax
		jnz	loc_493489
		mov	edx, [esp+84h+var_3C]
		lea	eax, [esp+84h+var_40]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+84h+var_40]
		cmp	eax, ecx
		jnz	loc_493480

loc_493203:				; CODE XREF: CcWriteBehindInternal+773j
					; CcWriteBehindInternal+127CEAj
		mov	cl, byte ptr [esp+84h+var_38]
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	ebx
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5BAA13
		mov	eax, [esp+84h+var_34]
		test	eax, eax
		jnz	loc_493443
		mov	edx, [esp+84h+var_30]
		lea	eax, [esp+84h+var_34]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+84h+var_34]
		cmp	eax, ecx
		jnz	loc_49343A

loc_493244:				; CODE XREF: CcWriteBehindInternal+730j
					; CcWriteBehindInternal+127CFBj
		mov	cl, byte ptr [esp+84h+var_2C]
		call	ebx
		push	edi
		call	FsRtlReleaseFile
		lea	ebx, [esi+44h]
		mov	ecx, [ebx]
		mov	eax, ecx

loc_493257:				; CODE XREF: CcWriteBehindInternal+127D02j
		xor	eax, edi
		cmp	eax, 7
		jnb	loc_49340E
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jnz	loc_5BAA24

loc_493273:				; CODE XREF: CcWriteBehindInternal+6F5j
		mov	ecx, [esp+84h+var_68]
		lea	edx, [esp+84h+var_40]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)

loc_493280:				; CODE XREF: CcWriteBehindInternal+2BDj
					; CcWriteBehindInternal+127CB6j
		mov	dl, [esp+84h+var_72]
		xor	ebx, ebx
		inc	ebx

loc_493287:				; CODE XREF: CcWriteBehindInternal+127CC8j
		mov	eax, [esi+60h]
		mov	edi, 10000h
		test	eax, edi
		jnz	loc_5BAA2B

loc_493297:				; CODE XREF: CcWriteBehindInternal+127D0Cj
		mov	ecx, [esp+84h+var_70]
		cmp	dword ptr [ecx+4], 8A5Eh
		jz	short loc_4932AA
		and	eax, 0FFFFFFDFh
		mov	[esi+60h], eax

loc_4932AA:				; CODE XREF: CcWriteBehindInternal+57Ej
		test	dl, dl
		jnz	loc_49349C

loc_4932B2:				; CODE XREF: CcWriteBehindInternal+792j
		test	ds:byte_70EFC6,	bl
		jnz	loc_5BAA98
		mov	eax, [esp+84h+var_40]
		test	eax, eax
		jnz	loc_493427
		mov	edx, [esp+84h+var_3C]
		lea	eax, [esp+84h+var_40]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+84h+var_40]
		cmp	eax, ecx
		jnz	loc_49341E

loc_4932E4:				; CODE XREF: CcWriteBehindInternal+711j
					; CcWriteBehindInternal+127D80j
		mov	cl, byte ptr [esp+84h+var_38]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4930B1
; 

loc_4932F3:				; CODE XREF: CcWriteBehindInternal+36Aj
		mov	eax, [esp+84h+var_50]
		cmp	eax, [esi+2Ch]
		jg	loc_493094
		jl	loc_4931AB
		mov	eax, [esp+84h+var_54]
		cmp	eax, [esi+28h]
		jnb	loc_493094
		jmp	loc_4931AB
; 

loc_493318:				; CODE XREF: CcWriteBehindInternal+245j
		mov	eax, [esi+164h]
		add	eax, 88h
		lock xadd [eax], edi
		jmp	loc_492F6F
; 

loc_49332C:				; CODE XREF: CcWriteBehindInternal+1FFj
		mov	eax, [esi+164h]
		mov	ecx, edi
		add	eax, 88h
		lock xadd [eax], ecx
		mov	eax, [esi+60h]
		test	eax, edx
		jz	loc_492F29
		mov	ecx, [esi+98h]
		mov	eax, [ecx+48h]
		mov	[esp+70h+var_38], eax
		mov	eax, [ecx+4Ch]
		mov	[esp+70h+var_34], eax
		lea	eax, [esp+70h+var_38]
		jmp	loc_492F2B
; 

loc_493365:				; CODE XREF: CcWriteBehindInternal+425j
		mov	ecx, esi
		call	_CcSlowReferenceSharedCacheMapFileObject@4 ; CcSlowReferenceSharedCacheMapFileObject(x)
		mov	ebx, eax
		jmp	loc_49314F
; 

loc_493373:				; CODE XREF: CcWriteBehindInternal+1C9j
		lea	ecx, [esp+70h+var_2C]
		call	KxWaitForLockChainValid

loc_49337C:				; CODE XREF: CcWriteBehindInternal+1AFj
		xor	ecx, ecx
		mov	[esp+70h+var_2C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_492EF3
; 

loc_493392:				; CODE XREF: CcWriteBehindInternal+13Aj
		push	esi
		xor	dl, dl
		mov	ecx, ebx
		call	CcApplyLowIoPriorityToThread
		jmp	loc_492E64
; 

loc_4933A1:				; CODE XREF: CcWriteBehindInternal+C1j
		lea	ecx, [esp+68h+var_24]
		call	KxWaitForLockChainValid

loc_4933AA:				; CODE XREF: CcWriteBehindInternal+A7j
		xor	ecx, ecx
		mov	[esp+68h+var_24], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_492DEB
; 

loc_4933C0:				; CODE XREF: CcWriteBehindInternal+2FAj
		lea	ecx, [esp+84h+var_40]
		call	KxWaitForLockChainValid

loc_4933C9:				; CODE XREF: CcWriteBehindInternal+2E0j
		xor	ecx, ecx
		mov	[esp+84h+var_40], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_493024
; 

loc_4933DF:				; CODE XREF: CcWriteBehindInternal+124j
		lea	ecx, [esp+68h+var_C]
		call	KxWaitForLockChainValid

loc_4933E8:				; CODE XREF: CcWriteBehindInternal+10Aj
		xor	ecx, ecx
		mov	[esp+68h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_492E4E
; 

loc_4933FE:				; CODE XREF: CcWriteBehindInternal+442j
					; CcWriteBehindInternal+127C4Aj
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_493185
; 

loc_49340E:				; CODE XREF: CcWriteBehindInternal+538j
		push	746C6644h
		push	edi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_493273
; 

loc_49341E:				; CODE XREF: CcWriteBehindInternal+5BAj
		lea	ecx, [esp+84h+var_40]
		call	KxWaitForLockChainValid

loc_493427:				; CODE XREF: CcWriteBehindInternal+5A0j
		mov	[esp+84h+var_40], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_4932E4
; 

loc_49343A:				; CODE XREF: CcWriteBehindInternal+51Aj
		lea	ecx, [esp+84h+var_34]
		call	KxWaitForLockChainValid

loc_493443:				; CODE XREF: CcWriteBehindInternal+500j
		xor	ecx, ecx
		mov	[esp+84h+var_34], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_493244
; 

loc_493459:				; CODE XREF: CcWriteBehindInternal+497j
		test	ebx, ebx
		jz	short loc_493469

loc_49345D:				; CODE XREF: CcWriteBehindInternal+74Ej
		setz	cl
		mov	[esp+84h+var_72], cl
		jmp	loc_4931CE
; 

loc_493469:				; CODE XREF: CcWriteBehindInternal+737j
		mov	ecx, esi
		call	_CcInsertIntoDirtySharedCacheMapList@4 ; CcInsertIntoDirtySharedCacheMapList(x)
		test	ebx, ebx
		jmp	short loc_49345D
; 

loc_493474:				; CODE XREF: CcWriteBehindInternal+4A4j
		mov	ecx, esi
		call	_CcCancelMmWaitForUninitializeCacheMap@4 ; CcCancelMmWaitForUninitializeCacheMap(x)
		jmp	loc_4931CE
; 

loc_493480:				; CODE XREF: CcWriteBehindInternal+4D9j
		lea	ecx, [esp+84h+var_40]
		call	KxWaitForLockChainValid

loc_493489:				; CODE XREF: CcWriteBehindInternal+4BFj
		mov	[esp+84h+var_40], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_493203
; 

loc_49349C:				; CODE XREF: CcWriteBehindInternal+588j
		mov	eax, [esp+84h+var_6C]
		mov	ecx, eax
		mov	[eax+191h], bl
		test	[esi+60h], edi
		jnz	short loc_4934CA
		push	0
		xor	dl, dl

loc_4934B1:				; CODE XREF: CcWriteBehindInternal+7A9j
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		jmp	loc_4932B2
; 

loc_4934BB:				; CODE XREF: CcWriteBehindInternal+48Dj
		test	byte ptr [esi+60h], 4
		jnz	loc_4931B7
		jmp	loc_493094
; 

loc_4934CA:				; CODE XREF: CcWriteBehindInternal+787j
		push	ebx
		mov	dl, bl
		jmp	short loc_4934B1
CcWriteBehindInternal endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcApplyLowIoPriorityToThread proc near	; CODE XREF: CcWriteBehindInternal+D9p
					; CcWriteBehindInternal+226p ...

var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BAB65 SIZE 00000071 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, [ebx+8]
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		cmp	[edi+4], ecx
		jbe	loc_5BAB65
		test	dl, dl
		jnz	loc_4936CA
		cmp	[esi+270h], eax
		jnz	loc_493880
		lea	eax, [esi+280h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [esi+27Ch]
		mov	ecx, [ebp+var_8]
		call	PsSetIoPriorityThread
		mov	eax, [esi+278h]
		cmp	eax, 20h
		jnz	loc_493911

loc_493548:				; CODE XREF: CcApplyLowIoPriorityToThread+44Ej
		test	dword ptr [edi+60h], 20000000h
		jnz	loc_493923

loc_493555:				; CODE XREF: CcApplyLowIoPriorityToThread+46Fj
		and	dword ptr [esi+270h], 0
		lea	ecx, [esi+280h]
		and	dword ptr [esi+274h], 0
		or	edx, 0FFFFFFFFh
		mov	dword ptr [esi+27Ch], 5
		mov	eax, edx
		mov	dword ptr [esi+278h], 20h
		mov	[ebp+var_8], edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4938F7

loc_493593:				; CODE XREF: CcApplyLowIoPriorityToThread+42Fj
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_493880
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_20], esi
		pop	edx
		jb	short loc_4935D0
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4938A3

loc_4935D0:				; CODE XREF: CcApplyLowIoPriorityToThread+F1j
		cmp	ecx, [ebp+var_30]
		jb	short loc_4935E2
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4938A3

loc_4935E2:				; CODE XREF: CcApplyLowIoPriorityToThread+103j
					; CcApplyLowIoPriorityToThread+3E6j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_4938D7
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_493904

loc_493623:				; CODE XREF: CcApplyLowIoPriorityToThread+43Cj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5BABB0
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_49366F:				; CODE XREF: CcApplyLowIoPriorityToThread+40Fj
					; CcApplyLowIoPriorityToThread+1276F2j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	loc_493869
		test	edi, 8000h
		jz	short loc_493697
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_493697:				; CODE XREF: CcApplyLowIoPriorityToThread+1BCj
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5BABC7

loc_4936A1:				; CODE XREF: CcApplyLowIoPriorityToThread+127701j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4936B5
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4936B5:				; CODE XREF: CcApplyLowIoPriorityToThread+1D8j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_493869
		jmp	loc_5BAB9E
; 

loc_4936CA:				; CODE XREF: CcApplyLowIoPriorityToThread+37j
		mov	eax, [esi+284h]
		cmp	eax, [esi+84h]
		jnb	loc_493880
		cmp	[esi+270h], ecx
		jnz	loc_493880
		cmp	[edi+16Ch], ecx
		jnz	loc_493880
		test	dword ptr [edi+60h], 10000h
		jnz	loc_493880
		lea	eax, [esi+280h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+284h]
		cmp	eax, [esi+84h]
		jnb	short loc_49375A
		cmp	dword ptr [esi+270h], 0
		jnz	short loc_49375A
		cmp	dword ptr [edi+16Ch], 0
		jnz	short loc_49375A
		test	dword ptr [edi+60h], 10000h
		jnz	short loc_49375A
		mov	eax, [ebp+var_8]
		xor	edx, edx
		mov	ecx, eax
		mov	[esi+270h], eax
		mov	[esi+274h], edi
		call	PsSetIoPriorityThread
		mov	[esi+27Ch], eax

loc_49375A:				; CODE XREF: CcApplyLowIoPriorityToThread+24Fj
					; CcApplyLowIoPriorityToThread+258j ...
		or	edx, 0FFFFFFFFh
		lea	ecx, [esi+280h]
		mov	[ebp+var_8], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4938BB

loc_493776:				; CODE XREF: CcApplyLowIoPriorityToThread+3F3j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_493880
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_30], esi
		pop	edx
		jb	short loc_4937B3
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_49388B

loc_4937B3:				; CODE XREF: CcApplyLowIoPriorityToThread+2D4j
		cmp	ecx, [ebp+var_20]
		jb	short loc_4937C5
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_49388B

loc_4937C5:				; CODE XREF: CcApplyLowIoPriorityToThread+2E6j
					; CcApplyLowIoPriorityToThread+3CEj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_4938C8
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4938EA

loc_493806:				; CODE XREF: CcApplyLowIoPriorityToThread+422j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5BAB78
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_493852:				; CODE XREF: CcApplyLowIoPriorityToThread+400j
					; CcApplyLowIoPriorityToThread+1276BAj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jnz	loc_49394E

loc_493869:				; CODE XREF: CcApplyLowIoPriorityToThread+1B0j
					; CcApplyLowIoPriorityToThread+1EFj ...
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_493880
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_493944

loc_493880:				; CODE XREF: CcApplyLowIoPriorityToThread+43j
					; CcApplyLowIoPriorityToThread+CEj ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_49388B:				; CODE XREF: CcApplyLowIoPriorityToThread+2DDj
					; CcApplyLowIoPriorityToThread+2EFj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_C]
		mov	edx, eax
		mov	[ebp+var_8], eax
		jmp	loc_4937C5
; 

loc_4938A3:				; CODE XREF: CcApplyLowIoPriorityToThread+FAj
					; CcApplyLowIoPriorityToThread+10Cj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_C]
		mov	edx, eax
		mov	[ebp+var_8], eax
		jmp	loc_4935E2
; 

loc_4938BB:				; CODE XREF: CcApplyLowIoPriorityToThread+2A0j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_C]
		jmp	loc_493776
; 

loc_4938C8:				; CODE XREF: CcApplyLowIoPriorityToThread+31Ej
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_493852
		jmp	loc_5BAB54
; 

loc_4938D7:				; CODE XREF: CcApplyLowIoPriorityToThread+13Bj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_49366F
		jmp	loc_5BAB54
; 

loc_4938EA:				; CODE XREF: CcApplyLowIoPriorityToThread+330j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_493806
; 

loc_4938F7:				; CODE XREF: CcApplyLowIoPriorityToThread+BDj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_C]
		jmp	loc_493593
; 

loc_493904:				; CODE XREF: CcApplyLowIoPriorityToThread+14Dj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]
		jmp	loc_493623
; 

loc_493911:				; CODE XREF: CcApplyLowIoPriorityToThread+72j
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	KeSetPriorityThread
		jmp	loc_493548
; 

loc_493923:				; CODE XREF: CcApplyLowIoPriorityToThread+7Fj
		mov	ecx, [ebp+var_8]
		mov	dl, 1
		push	0
		push	0
		call	PsBoostThreadIoEx
		push	0
		mov	edx, 20000000h
		mov	ecx, edi
		call	CcUpdateSharedCacheMapFlag
		jmp	loc_493555
; 

loc_493944:				; CODE XREF: CcApplyLowIoPriorityToThread+3AAj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_493880
; 

loc_49394E:				; CODE XREF: CcApplyLowIoPriorityToThread+393j
		test	edi, 8000h
		jz	short loc_49395F
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_49395F:				; CODE XREF: CcApplyLowIoPriorityToThread+484j
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5BAB8F

loc_493969:				; CODE XREF: CcApplyLowIoPriorityToThread+1276C9j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_49397D
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_49397D:				; CODE XREF: CcApplyLowIoPriorityToThread+4A0j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_493869
		push	[ebp+var_30]
		jmp	loc_5BABA1
CcApplyLowIoPriorityToThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsSetIoPriorityThread proc near		; CODE XREF: CcApplyLowIoPriorityToThread+64p
					; CcApplyLowIoPriorityToThread+27Fp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BABD6 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		shl	edx, 9
		mov	[ebp+var_4], edi
		mov	eax, [ebx+2FCh]
		lea	edi, [ebx+2FCh]

loc_4939B5:				; CODE XREF: PsSetIoPriorityThread+31j
		mov	ecx, eax
		mov	esi, eax
		and	ecx, 0FFFFF1FFh
		or	ecx, edx
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		jnz	short loc_4939B5
		mov	edi, [ebp+var_4]
		shr	esi, 9
		and	esi, 7
		test	dword ptr ds:byte_70EFC4, 2000h
		jnz	loc_5BABD6

loc_4939E2:				; CODE XREF: PsSetIoPriorityThread+127250j
		cmp	edi, esi
		jz	short loc_4939F0
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_KeAbProcessBaseIoPriorityChange@12 ; KeAbProcessBaseIoPriorityChange(x,x,x)

loc_4939F0:				; CODE XREF: PsSetIoPriorityThread+4Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
PsSetIoPriorityThread endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAbProcessBaseIoPriorityChange(x, x, x)
_KeAbProcessBaseIoPriorityChange@12 proc near ;	CODE XREF: PsSetIoPriorityThread+55p
					; PspNotifyProcessBackgroundTransition(x,x)+CFp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		xor	edx, edx
		cmp	[ebp+arg_0], 2
		jge	short loc_493A1E
		xor	eax, eax
		cmp	esi, 2
		setnl	al

loc_493A10:				; CODE XREF: KeAbProcessBaseIoPriorityChange(x,x,x)+30j
		test	eax, eax
		jz	short loc_493A19
		call	KeAbProcessBaseIoPriorityChangeInternal

loc_493A19:				; CODE XREF: KeAbProcessBaseIoPriorityChange(x,x,x)+1Aj
					; KeAbProcessBaseIoPriorityChange(x,x,x)+29j
		pop	esi
		pop	ebp
		retn	4
; 

loc_493A1E:				; CODE XREF: KeAbProcessBaseIoPriorityChange(x,x,x)+Ej
		cmp	esi, 2
		jge	short loc_493A19
		xor	edx, edx
		inc	edx
		mov	eax, edx
		jmp	short loc_493A10
_KeAbProcessBaseIoPriorityChange@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeAbProcessBaseIoPriorityChangeInternal	proc near
					; CODE XREF: KeAbProcessBaseIoPriorityChange(x,x,x)+1Cp
					; IoUpdateThreadIoRateThrottle(x,x):loc_610C11p

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005BABEB SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ebx, large fs:20h
		cmp	byte ptr [esi+223h], 0
		mov	[ebp+var_1], al
		ja	short loc_493A67

loc_493A50:				; CODE XREF: KeAbProcessBaseIoPriorityChangeInternal+3Fj
		cmp	byte ptr [esi+1E5h], 0
		ja	short loc_493A8C

loc_493A59:				; CODE XREF: KeAbProcessBaseIoPriorityChangeInternal+57j
					; KeAbProcessBaseIoPriorityChangeInternal+60j ...
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_493A67:				; CODE XREF: KeAbProcessBaseIoPriorityChangeInternal+24j
		test	edi, edi
		jnz	short loc_493A50
		lea	ecx, [esi+1F0h]
		push	ecx
		lea	edx, [ebx+45E0h]

loc_493A78:				; CODE XREF: KeAbProcessBaseIoPriorityChangeInternal+1271CEj
		mov	ecx, esi
		call	_KiAbThreadInsertList@12 ; KiAbThreadInsertList(x,x,x)
		test	eax, eax
		jz	short loc_493A59
		mov	ecx, ebx
		call	_KiAbQueueAutoBoostDpc@4 ; KiAbQueueAutoBoostDpc(x)
		jmp	short loc_493A59
; 

loc_493A8C:				; CODE XREF: KeAbProcessBaseIoPriorityChangeInternal+2Dj
		test	edi, edi
		jz	short loc_493A59
		jmp	loc_5BABEB
KeAbProcessBaseIoPriorityChangeInternal	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CcShouldIssueVDLUpdate(x)
_CcShouldIssueVDLUpdate@4 proc near	; CODE XREF: CcWriteBehindInternal+289p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	CcGetPartition
		xor	ecx, ecx
		inc	ecx
		cmp	[esi+4], ecx
		ja	short loc_493B01

loc_493AAA:				; CODE XREF: CcShouldIssueVDLUpdate(x)+72j
		xor	dl, dl

loc_493AAC:				; CODE XREF: CcShouldIssueVDLUpdate(x)+76j
		test	dword ptr [esi+60h], 400h
		jz	short loc_493AE4
		mov	ebx, [esi+24h]
		mov	eax, [esi+2Ch]
		mov	edi, [esi+20h]
		cmp	eax, ebx
		jg	short loc_493ACB
		jl	short loc_493AE4
		mov	eax, [esi+28h]
		cmp	eax, edi
		jb	short loc_493AE4

loc_493ACB:				; CODE XREF: CcShouldIssueVDLUpdate(x)+2Aj
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_493AD8
		cmp	ebx, 7FFFFFFFh
		jz	short loc_493AE4

loc_493AD8:				; CODE XREF: CcShouldIssueVDLUpdate(x)+38j
		mov	eax, [esi+8]
		or	eax, [esi+0Ch]
		jz	short loc_493AE4
		mov	al, cl
		jmp	short loc_493AE6
; 

loc_493AE4:				; CODE XREF: CcShouldIssueVDLUpdate(x)+1Dj
					; CcShouldIssueVDLUpdate(x)+2Cj ...
		xor	al, al

loc_493AE6:				; CODE XREF: CcShouldIssueVDLUpdate(x)+4Cj
		cmp	dword ptr [esi+16Ch], 0
		pop	edi
		pop	esi
		pop	ebx
		jnz	short loc_493AF6
		test	al, al
		jnz	short loc_493AFB

loc_493AF6:				; CODE XREF: CcShouldIssueVDLUpdate(x)+5Aj
					; CcShouldIssueVDLUpdate(x)+69j
		xor	cl, cl

loc_493AF8:				; CODE XREF: CcShouldIssueVDLUpdate(x)+67j
		mov	al, cl
		retn
; 

loc_493AFB:				; CODE XREF: CcShouldIssueVDLUpdate(x)+5Ej
		test	dl, dl
		jz	short loc_493AF8
		jmp	short loc_493AF6
; 

loc_493B01:				; CODE XREF: CcShouldIssueVDLUpdate(x)+12j
		add	eax, 204h
		cmp	[eax], eax
		jz	short loc_493AAA
		mov	dl, cl
		jmp	short loc_493AAC
_CcShouldIssueVDLUpdate@4 endp


;  S U B	R O U T	I N E 


CcFindNextWorkQueueEntry proc near	; CODE XREF: CcCachemapUninitWorkerThread+4Ep
					; CcWorkerThread+119p ...

; FUNCTION CHUNK AT 005BABFD SIZE 00000040 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, [edx]
		xor	ebx, ebx
		push	edi
		mov	edi, ebx
		cmp	esi, edx
		jz	short loc_493B4F
		mov	al, [esi+48h]
		mov	edi, esi
		cmp	al, 4
		jz	loc_5BABFD
		cmp	al, 2
		jnz	short loc_493B55
		mov	eax, [esi+8]
		mov	[eax+160h], ebx

loc_493B37:				; CODE XREF: CcFindNextWorkQueueEntry+49j
					; CcFindNextWorkQueueEntry+54j	...
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_493B64
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_493B64
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	[esi+4], ebx
		mov	[esi], ebx

loc_493B4F:				; CODE XREF: CcFindNextWorkQueueEntry+Dj
					; CcFindNextWorkQueueEntry+12712Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_493B55:				; CODE XREF: CcFindNextWorkQueueEntry+1Ej
		cmp	al, 1
		jnz	short loc_493B37
		mov	eax, [esi+8]
		mov	eax, [eax+18h]
		mov	[eax+64h], ebx
		jmp	short loc_493B37
; 

loc_493B64:				; CODE XREF: CcFindNextWorkQueueEntry+2Ej
					; CcFindNextWorkQueueEntry+35j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
CcFindNextWorkQueueEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcDeleteSharedCacheMap proc near	; CODE XREF: CcWriteBehindInternal+380p
					; CcUninitializeCacheMap+279p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005BAC3D SIZE 00000096 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	CcGetPartition
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		inc	ecx
		mov	esi, ecx
		lock xadd [eax+28Ch], esi
		inc	esi
		cmp	esi, ecx
		jle	loc_5BAC3D

loc_493B96:				; CODE XREF: CcDeleteSharedCacheMap+1270D8j
		lea	eax, [edi+58h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_493E56
		cmp	[ecx], eax
		jnz	loc_493E56
		mov	[ecx], edx
		mov	[edx+4], ecx
		test	dword ptr [edi+60h], 3000000h
		jz	short loc_493BDB
		lea	eax, [edi+50h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_493E56
		cmp	[ecx], eax
		jnz	loc_493E56
		mov	[ecx], edx
		mov	[edx+4], ecx

loc_493BDB:				; CODE XREF: CcDeleteSharedCacheMap+51j
		mov	eax, [edi+44h]
		xor	ecx, ecx
		and	eax, 0FFFFFFF8h
		mov	eax, [eax+14h]
		mov	[eax+4], ecx
		or	dword ptr [edi+60h], 80020h
		test	ebx, ebx
		jz	loc_5BAC47
		xor	eax, eax
		inc	eax
		add	_CcSectionDeletionSequencePhase1, eax
		adc	dword_6CE9BC, ecx

loc_493C07:				; CODE XREF: CcDeleteSharedCacheMap+1270E6j
		test	ds:byte_70EFC6,	1
		mov	esi, [ebp+arg_0]
		jnz	loc_5BAC69
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_493DFD
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_493DF4

loc_493C34:				; CODE XREF: CcDeleteSharedCacheMap+29Ej
					; CcDeleteSharedCacheMap+127109j
		mov	cl, [esi+8]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		test	ebx, ebx
		jz	short loc_493C72
		test	ds:byte_70EFC6,	1
		jnz	loc_5BAC78
		mov	eax, [ebx]
		test	eax, eax
		jnz	loc_493DC5
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jnz	loc_493DBE

loc_493C6D:				; CODE XREF: CcDeleteSharedCacheMap+26Aj
					; CcDeleteSharedCacheMap+127118j
		mov	cl, [ebx+8]
		call	esi

loc_493C72:				; CODE XREF: CcDeleteSharedCacheMap+D7j
		lea	eax, [edi+10h]
		cmp	[eax], eax
		jnz	loc_493E4A

loc_493C7D:				; CODE XREF: CcDeleteSharedCacheMap+2E7j
		cmp	dword ptr [edi+0Ch], 0
		jl	short loc_493C96
		jg	loc_493E0D
		cmp	dword ptr [edi+8], 100000h
		jnb	loc_493E0D

loc_493C96:				; CODE XREF: CcDeleteSharedCacheMap+117j
		xor	dl, dl

loc_493C98:				; CODE XREF: CcDeleteSharedCacheMap+2A8j
		mov	ecx, edi
		call	_CcUnmapAndPurge@8 ; CcUnmapAndPurge(x,x)
		cmp	[ebp+arg_4], 0
		jz	short loc_493CD5
		mov	esi, [ebp+arg_8]
		push	esi
		call	FsRtlReleaseFile
		mov	ecx, [edi+44h]
		mov	eax, ecx

loc_493CB3:				; CODE XREF: CcDeleteSharedCacheMap+12711Fj
		xor	eax, esi
		cmp	eax, 7
		jnb	loc_493DAE
		lea	edx, [ecx+1]
		mov	eax, ecx
		lea	esi, [edi+44h]
		lock cmpxchg [esi], edx
		mov	esi, [ebp+arg_8]
		cmp	eax, ecx
		jnz	loc_5BAC87

loc_493CD5:				; CODE XREF: CcDeleteSharedCacheMap+139j
					; CcDeleteSharedCacheMap+24Fj
		mov	ecx, [edi+6Ch]
		test	ecx, ecx
		jz	short loc_493CE5
		call	ObfDereferenceObject
		and	dword ptr [edi+6Ch], 0

loc_493CE5:				; CODE XREF: CcDeleteSharedCacheMap+170j
		cmp	dword ptr [edi+68h], 0
		jnz	loc_493DA2

loc_493CEF:				; CODE XREF: CcDeleteSharedCacheMap+23Fj
		mov	ecx, [edi+164h]
		call	CcUninitializeVolumeCacheMap
		xor	edx, edx
		lea	ecx, [edi+44h]
		call	@ObFastReplaceObject@8 ; ObFastReplaceObject(x,x)
		mov	ecx, eax
		call	ObfDereferenceObject
		mov	eax, [edi+0B0h]
		test	eax, eax
		jnz	loc_493E2C

loc_493D19:				; CODE XREF: CcDeleteSharedCacheMap+2D8j
		test	ebx, ebx
		jz	short loc_493D67
		mov	edx, ebx
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	eax, eax
		inc	eax
		add	_CcSectionDeletionSequencePhase2, eax
		adc	dword_6CE9AC, 0
		test	ds:byte_70EFC6,	al
		jnz	loc_5BAC8E
		mov	eax, [ebx]
		test	eax, eax
		jnz	loc_493DE0
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jnz	short loc_493DD9

loc_493D5E:				; CODE XREF: CcDeleteSharedCacheMap+285j
					; CcDeleteSharedCacheMap+12712Ej
		mov	cl, [ebx+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_493D67:				; CODE XREF: CcDeleteSharedCacheMap+1B1j
		mov	ecx, [edi+40h]
		lea	eax, [edi+30h]
		cmp	ecx, eax
		jnz	loc_493E17

loc_493D75:				; CODE XREF: CcDeleteSharedCacheMap+2AFj
					; CcDeleteSharedCacheMap+2BDj
		mov	ecx, [edi+70h]
		test	ecx, ecx
		jnz	loc_5BAC9D

loc_493D80:				; CODE XREF: CcDeleteSharedCacheMap+12713Bj
					; CcDeleteSharedCacheMap+127149j
		mov	ecx, [edi+74h]
		test	ecx, ecx
		jnz	loc_5BACB8

loc_493D8B:				; CODE XREF: CcDeleteSharedCacheMap+127156j
					; CcDeleteSharedCacheMap+127164j
		mov	ecx, [ebp+var_4]
		call	CcDereferencePartition
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_493DA2:				; CODE XREF: CcDeleteSharedCacheMap+17Fj
		mov	ecx, edi
		call	CcDeleteMbcb
		jmp	loc_493CEF
; 

loc_493DAE:				; CODE XREF: CcDeleteSharedCacheMap+14Ej
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_493CD5
; 

loc_493DBE:				; CODE XREF: CcDeleteSharedCacheMap+FDj
		mov	ecx, ebx
		call	KxWaitForLockChainValid

loc_493DC5:				; CODE XREF: CcDeleteSharedCacheMap+EAj
		xor	ecx, ecx
		mov	dword ptr [ebx], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_493C6D
; 

loc_493DD9:				; CODE XREF: CcDeleteSharedCacheMap+1F2j
		mov	ecx, ebx
		call	KxWaitForLockChainValid

loc_493DE0:				; CODE XREF: CcDeleteSharedCacheMap+1DFj
		xor	ecx, ecx
		mov	dword ptr [ebx], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_493D5E
; 

loc_493DF4:				; CODE XREF: CcDeleteSharedCacheMap+C4j
		mov	ecx, esi
		call	KxWaitForLockChainValid
		xor	ecx, ecx

loc_493DFD:				; CODE XREF: CcDeleteSharedCacheMap+B1j
		mov	[esi], ecx
		add	eax, 4
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_493C34
; 

loc_493E0D:				; CODE XREF: CcDeleteSharedCacheMap+119j
					; CcDeleteSharedCacheMap+126j
		xor	eax, eax
		lea	edx, [eax+1]
		jmp	loc_493C98
; 

loc_493E17:				; CODE XREF: CcDeleteSharedCacheMap+205j
		test	ecx, ecx
		jz	loc_493D75
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_493D75
; 

loc_493E2C:				; CODE XREF: CcDeleteSharedCacheMap+1A9j
					; CcDeleteSharedCacheMap+2DEj
		and	eax, 0FFFFFFFEh
		push	0
		push	0
		mov	esi, [eax]
		add	eax, 4
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, esi
		test	esi, esi
		jz	loc_493D19
		jmp	short loc_493E2C
; 

loc_493E4A:				; CODE XREF: CcDeleteSharedCacheMap+10Dj
		mov	ecx, edi
		call	CcDeleteBcbs
		jmp	loc_493C7D
; 

loc_493E56:				; CODE XREF: CcDeleteSharedCacheMap+37j
					; CcDeleteSharedCacheMap+3Fj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
CcDeleteSharedCacheMap endp


;  S U B	R O U T	I N E 


; __fastcall ObFastReplaceObject(x, x)
@ObFastReplaceObject@8 proc near	; CODE XREF: CcDeleteSharedCacheMap+195p
					; MmChangeSectionBackingFile+8Dp ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jnz	short loc_493E90

loc_493E68:				; CODE XREF: ObFastReplaceObject(x,x)+3Fj
		mov	eax, esi
		or	eax, 7
		neg	esi
		sbb	esi, esi
		and	esi, eax
		xchg	esi, [edi]
		mov	edi, esi
		and	edi, 0FFFFFFF8h
		jz	short loc_493E8B
		and	esi, 7
		jbe	short loc_493E8B
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	ObDereferenceObjectExWithTag

loc_493E8B:				; CODE XREF: ObFastReplaceObject(x,x)+1Ej
					; ObFastReplaceObject(x,x)+23j
		mov	eax, edi
		pop	edi
		pop	esi
		retn
; 

loc_493E90:				; CODE XREF: ObFastReplaceObject(x,x)+Aj
		push	ecx
		push	7
		pop	edx
		mov	ecx, esi
		call	ObReferenceObjectExWithTag
		jmp	short loc_493E68
@ObFastReplaceObject@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcUninitializeVolumeCacheMap proc near	; CODE XREF: CcDeleteSharedCacheMap+18Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005BACD3 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, offset _CcMasterLock
		xor	ebx, ebx
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, esi
		call	CcDecrementVolumeUseCount
		xor	edi, edi
		inc	edi
		test	eax, eax
		jz	short loc_493F20

loc_493ED0:				; CODE XREF: CcUninitializeVolumeCacheMap+9Fj
					; CcUninitializeVolumeCacheMap+126E3Ej
		test	ds:byte_70EFC6,	1
		jnz	loc_5BACE1
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_493F11
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_493F09

loc_493EF7:				; CODE XREF: CcUninitializeVolumeCacheMap+80j
					; CcUninitializeVolumeCacheMap+126E4Ej
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jnz	short loc_493F44

loc_493F04:				; CODE XREF: CcUninitializeVolumeCacheMap+B1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_493F09:				; CODE XREF: CcUninitializeVolumeCacheMap+57j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_493F11:				; CODE XREF: CcUninitializeVolumeCacheMap+44j
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	edi
		jmp	short loc_493EF7
; 

loc_493F20:				; CODE XREF: CcUninitializeVolumeCacheMap+30j
		lea	eax, [esi+0Ch]
		mov	ebx, edi
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_493F51
		cmp	[ecx], eax
		jnz	short loc_493F51
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, [esi+68h]
		test	ecx, ecx
		jz	short loc_493ED0
		jmp	loc_5BACD3
; 

loc_493F44:				; CODE XREF: CcUninitializeVolumeCacheMap+64j
		push	6D566343h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_493F04
; 

loc_493F51:				; CODE XREF: CcUninitializeVolumeCacheMap+8Fj
					; CcUninitializeVolumeCacheMap+93j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
CcUninitializeVolumeCacheMap endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcUnmapAndPurge(x, x)
_CcUnmapAndPurge@8 proc	near		; CODE XREF: CcDeleteSharedCacheMap+130p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		lea	ebx, [edi+44h]
		mov	ecx, ebx
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_493F7D
		mov	ecx, edi
		call	_CcSlowReferenceSharedCacheMapFileObject@4 ; CcSlowReferenceSharedCacheMapFileObject(x)
		mov	esi, eax

loc_493F7D:				; CODE XREF: CcUnmapAndPurge(x,x)+1Cj
		push	0
		push	1
		push	[ebp+var_4]
		xor	edx, edx
		mov	ecx, edi
		push	0
		call	CcUnmapVacbArray
		test	byte ptr [edi+60h], 10h
		jnz	short loc_493FB2

loc_493F95:				; CODE XREF: CcUnmapAndPurge(x,x)+6Aj
		mov	ecx, [ebx]
		mov	eax, ecx

loc_493F99:				; CODE XREF: CcUnmapAndPurge(x,x)+7Bj
		xor	eax, esi
		cmp	eax, 7
		jnb	short loc_493FC2
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jnz	short loc_493FCF

loc_493FAD:				; CODE XREF: CcUnmapAndPurge(x,x)+77j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_493FB2:				; CODE XREF: CcUnmapAndPurge(x,x)+3Dj
		push	2
		push	0
		push	0
		push	dword ptr [esi+14h]
		call	CcPurgeCacheSection
		jmp	short loc_493F95
; 

loc_493FC2:				; CODE XREF: CcUnmapAndPurge(x,x)+48j
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	short loc_493FAD
; 

loc_493FCF:				; CODE XREF: CcUnmapAndPurge(x,x)+55j
		mov	ecx, eax
		jmp	short loc_493F99
_CcUnmapAndPurge@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


CcDecrementVolumeUseCount proc near	; CODE XREF: CcUninitializeVolumeCacheMap+26p
					; CcScanLogHandleList+115p

; FUNCTION CHUNK AT 005BACF1 SIZE 00000033 BYTES

		mov	eax, [ecx+4]
		test	eax, eax
		jz	loc_5BACF1
		dec	eax
		mov	[ecx+4], eax
		retn
CcDecrementVolumeUseCount endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 243. CcUnmapFileOffsetFromSystemCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcUnmapFileOffsetFromSystemCache
CcUnmapFileOffsetFromSystemCache proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+14h]
		mov	ecx, [eax+4]
		xor	eax, eax
		cmp	[ecx+4], eax
		jbe	loc_5BAD07
		mov	edx, [ebp+arg_4]
		push	1
		push	eax
		push	eax
		push	[ebp+arg_8]
		call	CcUnmapVacbArray
		pop	ebp
		retn	10h
CcUnmapFileOffsetFromSystemCache endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcUnmapVacbArray proc near		; CODE XREF: CcGetVirtualAddress+39Dp
					; CcGetVirtualAddress+3FAp ...

var_4C		= byte ptr -4Ch
var_4B		= byte ptr -4Bh
var_4A		= byte ptr -4Ah
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005BAD24 SIZE 0000014B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+54h+var_4A], 1
		xor	ebx, ebx
		mov	[esp+54h+var_1C], esi
		push	edi
		xor	edi, edi
		mov	[esp+58h+var_3C], ebx
		mov	eax, edx
		mov	ecx, [esi+174h]
		mov	[esp+58h+var_10], eax
		mov	[esp+58h+var_48], edi
		mov	[esp+58h+var_34], ebx
		mov	[esp+58h+var_40], ebx
		mov	[esp+58h+var_4B], 1
		mov	[esp+58h+var_2C], ecx
		cmp	[esi+6Ch], ebx
		jz	short loc_4940DF
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	ecx, offset dword_6CF3C0
		mov	[esp+58h+var_49], al
		jnz	loc_5BAD1B
		mov	[esp+58h+var_28], ebx
		lock bts dword ptr [ecx], 1Fh
		jb	loc_49449C

loc_494094:				; CODE XREF: CcUnmapVacbArray+48Cj
		mov	edx, dword_6CF3C0
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5BAD24

loc_4940AC:				; CODE XREF: CcUnmapVacbArray+126D46j
		test	ds:byte_70EFC6,	1
		jnz	loc_5BAD6B
		mov	dword_6CF3C0, edi

loc_4940BF:				; CODE XREF: CcUnmapVacbArray+126D53j
		mov	cl, [esp+58h+var_49]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, dword_6D4EA4
		mov	eax, [eax+4]
		cmp	[esp+58h+var_2C], eax
		jnz	loc_5BAD78
		mov	eax, [esp+58h+var_10]

loc_4940DF:				; CODE XREF: CcUnmapVacbArray+45j
		cmp	[esi+40h], edi
		jz	loc_5BAD8D
		test	eax, eax
		jz	loc_494423
		mov	ecx, [eax]
		mov	ebx, ecx
		mov	edi, [eax+4]
		and	ebx, 0FFFC0000h
		mov	eax, [ebp+arg_0]
		mov	[esp+58h+var_48], edi
		mov	[esp+58h+var_3C], ebx
		test	eax, eax
		jz	loc_494465
		xor	edx, edx
		add	eax, ecx
		mov	[ebp+arg_0], eax
		adc	edx, edi
		mov	[esp+58h+var_38], edx

loc_49411D:				; CODE XREF: CcUnmapVacbArray+410j
					; CcUnmapVacbArray+458j
		test	dword ptr [esi+60h], 200h
		jz	short loc_494139
		lea	ecx, [esi+0B4h]
		mov	[esp+58h+var_34], 1
		call	ExAcquireFastMutex

loc_494139:				; CODE XREF: CcUnmapVacbArray+104j
		lea	ecx, [esi+48h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		cmp	[ebp+arg_4], 0
		mov	eax, [ebp+arg_0]
		jnz	loc_494447
		mov	ecx, [esp+58h+var_38]

loc_494154:				; CODE XREF: CcUnmapVacbArray+440j
		cmp	edi, ecx
		jg	loc_4942D2
		jl	short loc_494166
		cmp	ebx, eax

loc_494160:				; CODE XREF: CcUnmapVacbArray+27Cj
		jnb	loc_4942D2

loc_494166:				; CODE XREF: CcUnmapVacbArray+13Cj
					; CcUnmapVacbArray+273j
		mov	edx, [esi+1Ch]
		mov	ecx, [esi+18h]
		mov	[esp+58h+var_18], ecx
		mov	[esp+58h+var_14], edx
		cmp	edi, edx
		jg	loc_49427C
		jl	short loc_494186
		cmp	ebx, ecx
		jnb	loc_49427C

loc_494186:				; CODE XREF: CcUnmapVacbArray+15Cj
		mov	eax, [esi+40h]
		mov	[esp+58h+var_30], eax
		test	edx, edx
		jl	loc_494327
		jg	short loc_4941A3
		cmp	ecx, 2000000h
		jbe	loc_494327

loc_4941A3:				; CODE XREF: CcUnmapVacbArray+175j
		mov	esi, [esp+58h+var_14]
		mov	ecx, 19h
		mov	[esp+58h+var_8], ebx
		xor	ebx, ebx
		mov	[esp+58h+var_20], edi
		mov	edi, [esp+58h+var_18]
		lea	ebx, [ebx+0]

loc_4941C0:				; CODE XREF: CcUnmapVacbArray+1C0j
					; CcUnmapVacbArray+1C4j
		mov	[esp+58h+var_24], ecx
		mov	eax, 1
		add	ecx, 7
		xor	edx, edx
		inc	ebx
		mov	[esp+58h+var_44], ecx
		call	__allshl
		mov	ecx, [esp+58h+var_44]
		cmp	esi, edx
		jl	short loc_4941E6
		jg	short loc_4941C0
		cmp	edi, eax
		ja	short loc_4941C0

loc_4941E6:				; CODE XREF: CcUnmapVacbArray+1BEj
		mov	edi, [esp+58h+var_48]
		mov	edx, edi
		mov	ecx, [esp+58h+var_24]
		mov	[esp+58h+var_C], ebx
		mov	ebx, [esp+58h+var_3C]
		mov	eax, ebx
		call	__allshr
		mov	ecx, [esp+58h+var_30]
		mov	esi, [esp+58h+var_1C]
		mov	eax, [ecx+eax*4]
		mov	[esp+58h+var_44], eax
		test	eax, eax
		jz	short loc_494270
		mov	esi, [esp+58h+var_C]
		mov	ebx, [esp+58h+var_24]
		mov	edi, [esp+58h+var_8]
		mov	edi, edi

loc_494220:				; CODE XREF: CcUnmapVacbArray+242j
		test	esi, esi
		jz	short loc_494264
		mov	eax, 1
		xor	edx, edx
		mov	ecx, ebx
		dec	esi
		call	__allshl
		mov	ecx, [esp+58h+var_20]
		sub	eax, 1
		sbb	edx, 0
		and	edi, eax
		and	ecx, edx
		sub	ebx, 7
		mov	[esp+58h+var_20], ecx
		mov	edx, ecx
		mov	eax, edi
		mov	ecx, ebx
		call	__allshr
		mov	ecx, [esp+58h+var_44]
		mov	ecx, [ecx+eax*4]
		mov	eax, ecx
		mov	[esp+58h+var_44], ecx
		test	eax, eax
		jnz	short loc_494220

loc_494264:				; CODE XREF: CcUnmapVacbArray+202j
		mov	esi, [esp+58h+var_1C]
		mov	ebx, [esp+58h+var_3C]
		mov	edi, [esp+58h+var_48]

loc_494270:				; CODE XREF: CcUnmapVacbArray+1F0j
		mov	ecx, [esp+58h+var_18]
		mov	edx, [esp+58h+var_14]

loc_494278:				; CODE XREF: CcUnmapVacbArray+31Bj
		test	eax, eax
		jnz	short loc_4942A1

loc_49427C:				; CODE XREF: CcUnmapVacbArray+156j
					; CcUnmapVacbArray+160j ...
		add	ebx, 40000h
		mov	[esp+58h+var_3C], ebx
		adc	edi, 0
		mov	[esp+58h+var_48], edi

loc_49428D:				; CODE XREF: CcUnmapVacbArray+2ABj
					; CcUnmapVacbArray+126D9Bj ...
		cmp	edi, [esp+58h+var_38]
		jg	short loc_4942D2
		jl	loc_494166
		cmp	ebx, [ebp+arg_0]
		jmp	loc_494160
; 

loc_4942A1:				; CODE XREF: CcUnmapVacbArray+25Aj
		cmp	word ptr [eax+8], 0
		jz	loc_494340
		cmp	[ebp+arg_C], 0
		jz	loc_49447D
		add	ebx, 40000h
		mov	[esp+58h+var_3C], ebx
		adc	edi, 0
		cmp	[ebp+arg_8], 0
		mov	[esp+58h+var_48], edi
		jz	short loc_49428D
		jmp	loc_5BAE4A
; 

loc_4942D2:				; CODE XREF: CcUnmapVacbArray+136j
					; CcUnmapVacbArray:loc_494160j	...
		mov	bh, [esp+58h+var_4A]

loc_4942D6:				; CODE XREF: CcUnmapVacbArray+469j
		xor	edx, edx
		lea	ecx, [esi+48h]
		call	ExReleasePushLockEx
		cmp	[esp+58h+var_34], 0
		jz	short loc_49431C
		mov	bl, [esi+0D0h]
		add	esi, 0B4h
		xor	eax, eax
		mov	ecx, 1
		mov	dword ptr [esi+4], 0
		lock cmpxchg [esi], ecx
		test	eax, eax
		jnz	loc_49448E

loc_49430D:				; CODE XREF: CcUnmapVacbArray+477j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	KeAbPostRelease

loc_49431C:				; CODE XREF: CcUnmapVacbArray+2C5j
		mov	al, bh

loc_49431E:				; CODE XREF: CcUnmapVacbArray+126D6Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_494327:				; CODE XREF: CcUnmapVacbArray+16Fj
					; CcUnmapVacbArray+17Dj
		mov	edi, [esp+58h+var_30]
		mov	eax, ebx
		shr	eax, 12h
		mov	eax, [edi+eax*4]
		mov	edi, [esp+58h+var_48]
		mov	[esp+58h+var_44], eax
		jmp	loc_494278
; 

loc_494340:				; CODE XREF: CcUnmapVacbArray+286j
		mov	[esp+58h+var_4B], 1
		test	edx, edx
		jl	short loc_49435B
		jg	loc_494435
		cmp	ecx, 2000000h
		ja	loc_494435

loc_49435B:				; CODE XREF: CcUnmapVacbArray+327j
		mov	ecx, [esp+58h+var_30]
		mov	eax, ebx
		shr	eax, 12h
		mov	dword ptr [ecx+eax*4], 0

loc_49436B:				; CODE XREF: CcUnmapVacbArray+422j
		lock dec dword ptr [esi+17Ch]
		mov	eax, [esp+58h+var_2C]
		mov	eax, [eax+26Ch]
		cmp	eax, _CcMinimumFreeHighPriorityVacbs
		mov	eax, [esp+58h+var_40]
		jb	loc_5BAE29
		and	eax, 0FFFFFFFDh

loc_49438F:				; CODE XREF: CcUnmapVacbArray+126E0Cj
		mov	ecx, [esp+58h+var_44]
		mov	edx, esi
		push	eax
		mov	[esp+5Ch+var_40], eax
		call	CcUnmapVacb
		mov	ecx, 4
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, [esp+58h+var_40]
		mov	[esp+58h+var_49], al
		mov	eax, [esp+58h+var_44]
		mov	dword ptr [eax+4], 0
		test	cl, 2
		jnz	loc_5BAE31
		mov	byte ptr [esp+58h+var_10], 0

loc_4943CA:				; CODE XREF: CcUnmapVacbArray+126E16j
		push	[esp+58h+var_10]
		mov	ecx, [esp+5Ch+var_2C]
		mov	edx, eax
		call	_CcSetVacbInFreeList@12	; CcSetVacbInFreeList(x,x,x)
		mov	eax, large fs:20h
		add	eax, 438h
		test	ds:byte_70EFC6,	1
		mov	[esp+58h+var_14], eax
		jnz	loc_5BAE3B
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	loc_4944BC
		mov	ecx, [eax+4]
		xor	edx, edx
		lock cmpxchg [ecx], edx
		mov	ecx, [esp+58h+var_14]
		cmp	eax, ecx
		jnz	loc_4944B1

loc_494414:				; CODE XREF: CcUnmapVacbArray+4ADj
					; CcUnmapVacbArray+126E25j
		mov	cl, [esp+58h+var_49]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_49427C
; 

loc_494423:				; CODE XREF: CcUnmapVacbArray+CAj
		mov	eax, [esi+18h]
		mov	[ebp+arg_0], eax
		mov	eax, [esi+1Ch]
		mov	[esp+58h+var_38], eax
		jmp	loc_49411D
; 

loc_494435:				; CODE XREF: CcUnmapVacbArray+329j
					; CcUnmapVacbArray+335j
		push	0
		push	edi
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		call	CcSetVacbLargeOffset
		jmp	loc_49436B
; 

loc_494447:				; CODE XREF: CcUnmapVacbArray+12Aj
		mov	ecx, 1
		mov	[esi+0D8h], eax
		mov	[esp+58h+var_40], ecx
		mov	ecx, [esp+58h+var_38]
		mov	[esi+0DCh], ecx
		jmp	loc_494154
; 

loc_494465:				; CODE XREF: CcUnmapVacbArray+EAj
		mov	eax, [esi+0F0h]
		mov	[ebp+arg_0], eax
		mov	eax, [esi+0F4h]
		mov	[esp+58h+var_38], eax
		jmp	loc_49411D
; 

loc_49447D:				; CODE XREF: CcUnmapVacbArray+290j
		cmp	[ebp+arg_8], 0
		jnz	loc_5BAD94
		xor	bh, bh
		jmp	loc_4942D6
; 

loc_49448E:				; CODE XREF: CcUnmapVacbArray+2E7j
		mov	edx, eax
		mov	ecx, esi
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	loc_49430D
; 

loc_49449C:				; CODE XREF: CcUnmapVacbArray+6Ej
		mov	dl, al
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[esp+58h+var_28], eax
		mov	ecx, offset dword_6CF3C0
		jmp	loc_494094
; 

loc_4944B1:				; CODE XREF: CcUnmapVacbArray+3EEj
		call	KxWaitForLockChainValid
		mov	ecx, eax
		mov	eax, [esp+58h+var_14]

loc_4944BC:				; CODE XREF: CcUnmapVacbArray+3D9j
		mov	dword ptr [eax], 0
		lea	eax, [ecx+4]
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_494414
CcUnmapVacbArray endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcSetVacbInFreeList(x, x, x)
_CcSetVacbInFreeList@12	proc near	; CODE XREF: CcUnmapVacbArray+3B4p
					; CcGetVacbMiss+23Ap ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		dec	_CcNumberOfMappedVacbs
		cmp	[ebp+arg_0], 0
		push	esi
		mov	esi, edx
		lea	eax, [esi+8]
		jnz	short loc_49451F
		mov	ecx, _CcVacbFreeList
		mov	edx, offset _CcVacbFreeList
		cmp	[ecx+4], edx
		jnz	short loc_494544
		mov	[eax+4], edx
		mov	dl, 1
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	_CcVacbFreeList, eax
		mov	ecx, [esi+10h]
		and	dword ptr [esi+4], 0
		call	CcDereferenceVacbArray
		inc	_CcNumberOfFreeVacbs

loc_49451A:				; CODE XREF: CcSetVacbInFreeList(x,x,x)+70j
		pop	esi
		pop	ebp
		retn	4
; 

loc_49451F:				; CODE XREF: CcSetVacbInFreeList(x,x,x)+15j
		lea	edx, [ecx+264h]
		push	edi
		mov	edi, [edx]
		cmp	[edi+4], edx
		jnz	short loc_494544
		mov	[eax], edi
		mov	[eax+4], edx
		mov	[edi+4], eax
		mov	[edx], eax
		and	dword ptr [esi+4], 0
		inc	dword ptr [ecx+26Ch]
		pop	edi
		jmp	short loc_49451A
; 

loc_494544:				; CODE XREF: CcSetVacbInFreeList(x,x,x)+25j
					; CcSetVacbInFreeList(x,x,x)+59j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CcSetVacbInFreeList@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcDereferenceVacbArray proc near	; CODE XREF: CcSetVacbInFreeList(x,x,x)+3Dp
					; CcUnmapInactiveViewsInternal(x,x,x,x)+12Fp ...

arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005BAE6F SIZE 000000FE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	bh, dl
		xor	bl, bl
		push	edi
		mov	edi, ecx
		test	bh, bh
		jz	loc_5BAE60

loc_494561:				; CODE XREF: CcUnmapVacbArray+126E4Aj
		mov	eax, [edi+4]
		test	eax, eax
		jz	loc_5BAF2F
		dec	eax
		mov	[edi+4], eax
		test	bh, bh
		jz	short loc_49457A

loc_494574:				; CODE XREF: CcDereferenceVacbArray+126987j
					; CcDereferenceVacbArray+1269E0j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
; 

loc_49457A:				; CODE XREF: CcDereferenceVacbArray+28j
		test	eax, eax
		jz	loc_5BAE6F
		jmp	loc_5BAED6
CcDereferenceVacbArray endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CcSlowReferenceSharedCacheMapFileObject(x)
_CcSlowReferenceSharedCacheMapFileObject@4 proc	near ; CODE XREF: CcPerfLogFlushCache+EAp
					; CcWriteBehindInternal+31Ap ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _CcChangeSharedCacheMapFileLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	esi, [esi+44h]
		and	esi, 0FFFFFFF8h
		jz	short loc_4945B0
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag

loc_4945B0:				; CODE XREF: CcSlowReferenceSharedCacheMapFileObject(x)+1Aj
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_4945CA

loc_4945BE:				; CODE XREF: CcSlowReferenceSharedCacheMapFileObject(x)+49j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_4945CA:				; CODE XREF: CcSlowReferenceSharedCacheMapFileObject(x)+34j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_4945BE
_CcSlowReferenceSharedCacheMapFileObject@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcAdjustVacbLevelLockCount proc	near	; CODE XREF: CcAllocateInitializeBcb(x,x,x,x)+C9p
					; CcUnpinFileDataEx+464p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+34h+var_20], eax
		mov	[esp+34h+var_10], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_4]
		push	edi
		mov	edi, [esi+40h]
		mov	[esp+38h+var_24], eax
		mov	[esp+38h+var_4], eax
		mov	eax, [esi+18h]
		mov	[esp+38h+var_18], eax
		mov	eax, [esi+1Ch]
		push	19h
		mov	[esp+3Ch+var_14], edi
		mov	[esp+3Ch+var_8], edx
		mov	[esp+3Ch+var_C], esi
		mov	[esp+3Ch+var_1C], eax
		pop	edi

loc_49461C:				; CODE XREF: CcAdjustVacbLevelLockCount+62j
					; CcAdjustVacbLevelLockCount+68j
		mov	[esp+38h+var_28], edi
		xor	eax, eax
		add	edi, 7
		inc	eax
		xor	edx, edx
		mov	ecx, edi
		inc	ebx
		call	__allshl
		cmp	[esp+38h+var_1C], edx
		jl	short loc_49463E
		jg	short loc_49461C
		cmp	[esp+38h+var_18], eax
		ja	short loc_49461C

loc_49463E:				; CODE XREF: CcAdjustVacbLevelLockCount+60j
		mov	edi, [esp+38h+var_14]
		mov	ecx, [ebp+arg_0]
		mov	[esp+38h+var_18], ebx
		mov	ebx, [esp+38h+var_10]
		mov	esi, [esp+38h+var_18]

loc_494651:				; CODE XREF: CcAdjustVacbLevelLockCount+B9j
		mov	edx, [esp+38h+var_24]
		mov	eax, ecx
		mov	ecx, [esp+38h+var_28]
		call	__allshr
		mov	ecx, [esp+38h+var_28]
		xor	edx, edx
		mov	edi, [edi+eax*4]
		xor	eax, eax
		inc	eax
		call	__allshl
		mov	ecx, [esp+38h+var_20]
		sub	eax, 1
		sbb	edx, 0
		sub	[esp+38h+var_28], 7
		and	[esp+38h+var_24], edx
		and	ecx, eax
		mov	[esp+38h+var_20], ecx
		sub	esi, 1
		jnz	short loc_494651
		push	esi
		mov	esi, [esp+3Ch+var_C]
		mov	edx, edi
		mov	ecx, esi
		call	_VacbLevelReference@12 ; VacbLevelReference(x,x,x)
		mov	ecx, [esp+38h+var_8]
		push	0
		add	[eax], ecx
		mov	ecx, esi
		call	_VacbLevelReference@12 ; VacbLevelReference(x,x,x)
		mov	ecx, [eax+4]
		or	ecx, [eax]
		jz	loc_5BAF45

loc_4946B7:				; CODE XREF: CcDereferenceVacbArray+126A1Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
CcAdjustVacbLevelLockCount endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcSetVacbLargeOffset proc near		; CODE XREF: CcUnmapVacbArray+41Dp
					; SetVacb(x,x,x,x,x)+5Ep ...

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_24		= dword	ptr -24h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005BAF6D SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_6C], edx
		mov	edx, ecx
		mov	[ebp+var_4C], edx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_5C], eax
		lea	edi, [ebp+var_24]
		xor	eax, eax
		and	[ebp+var_58], eax
		push	7
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_0]
		lea	edi, [ebp+var_7C]
		mov	esi, [edx+40h]
		xor	ebx, ebx
		mov	[ebp+var_68], eax
		mov	[ebp+var_84], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_54], eax
		mov	[ebp+var_80], eax
		xor	eax, eax
		stosd
		push	19h
		mov	[ebp+var_64], ebx
		mov	[ebp+var_44], esi
		stosd
		pop	ebx
		stosd
		stosd
		mov	eax, [edx+18h]
		xor	edi, edi
		mov	[ebp+var_60], eax
		mov	eax, [edx+1Ch]
		mov	esi, [ebp+var_60]
		mov	[ebp+var_48], eax

loc_494730:				; CODE XREF: CcSetVacbLargeOffset+88j
					; CcSetVacbLargeOffset+8Cj
		mov	[ebp+var_50], ebx
		xor	eax, eax
		add	ebx, 7
		inc	eax
		xor	edx, edx
		mov	ecx, ebx
		inc	edi
		call	__allshl
		cmp	[ebp+var_48], edx
		jl	short loc_49474E
		jg	short loc_494730
		cmp	esi, eax
		ja	short loc_494730

loc_49474E:				; CODE XREF: CcSetVacbLargeOffset+86j
		mov	esi, [ebp+var_44]
		mov	ebx, [ebp+var_64]
		mov	ecx, [ebp+arg_0]

loc_494757:				; CODE XREF: CcSetVacbLargeOffset+F7j
		mov	edx, [ebp+var_54]
		mov	eax, ecx
		mov	ecx, [ebp+var_50]
		mov	[ebp+var_60], edi
		dec	edi
		call	__allshr
		mov	[ebp+var_88], eax
		cmp	ebx, 7
		jnb	loc_5BAF9D
		mov	[ebp+ebx*4+var_40], eax
		mov	eax, [esi+eax*4]
		mov	[ebp+ebx*4+var_24], esi
		inc	ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_44], eax
		test	eax, eax
		jz	loc_494876

loc_494791:				; CODE XREF: CcSetVacbLargeOffset+22Cj
		mov	ecx, [ebp+var_50]
		mov	esi, eax
		xor	eax, eax
		xor	edx, edx
		inc	eax
		call	__allshl
		mov	ecx, [ebp+var_68]
		sub	eax, 1
		sbb	edx, 0
		sub	[ebp+var_50], 7
		and	[ebp+var_54], edx
		and	ecx, eax
		mov	[ebp+var_68], ecx
		test	edi, edi
		jnz	short loc_494757
		mov	ecx, [ebp+var_6C]
		cmp	ecx, 0FFFFFFFEh
		jnb	loc_5BAF75
		mov	eax, [ebp+var_68]
		mov	edx, [ebp+var_54]
		mov	ecx, [ebp+var_50]
		call	__allshr
		mov	edx, [ebp+var_44]
		mov	ecx, [ebp+var_6C]
		mov	[edx+eax*4], ecx
		mov	eax, ecx

loc_4947DE:				; CODE XREF: CcSetVacbLargeOffset+1268C8j
		test	eax, eax
		jz	short loc_494819
		mov	ecx, [ebp+var_4C]
		push	0
		call	_VacbLevelReference@12 ; VacbLevelReference(x,x,x)
		cmp	[ebp+var_58], 0
		jnz	loc_5BAF8D
		inc	dword ptr [eax]

loc_4947F8:				; CODE XREF: CcSetVacbLargeOffset+181j
					; CcSetVacbLargeOffset+185j ...
		mov	eax, [ebp+var_5C]
		lea	ecx, [ebp+var_7C]
		cmp	eax, ecx
		jz	loc_4948F1

loc_494806:				; CODE XREF: CcSetVacbLargeOffset+238j
		mov	al, 1

loc_494808:				; CODE XREF: CcSetVacbLargeOffset+1268DFj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_494819:				; CODE XREF: CcSetVacbLargeOffset+120j
					; CcSetVacbLargeOffset+1B4j
		mov	ecx, [ebp+var_4C]
		mov	edx, esi
		push	edi
		call	_VacbLevelReference@12 ; VacbLevelReference(x,x,x)
		cmp	[ebp+var_58], 0
		jnz	loc_5BAF95
		dec	dword ptr [eax]

loc_494830:				; CODE XREF: CcSetVacbLargeOffset+1268D8j
		and	[ebp+var_58], 0
		mov	edx, esi
		push	edi
		call	_VacbLevelReference@12 ; VacbLevelReference(x,x,x)
		mov	ecx, [eax+4]
		or	ecx, [eax]
		jnz	short loc_4947F8
		test	ebx, ebx
		jz	short loc_4947F8
		dec	ebx
		xor	edx, edx
		mov	eax, edi
		inc	edi
		test	eax, eax
		jnz	short loc_494861
		mov	eax, [ebp+var_4C]
		test	dword ptr [eax+60h], 200h
		jnz	loc_49496A

loc_494861:				; CODE XREF: CcSetVacbLargeOffset+18Fj
					; CcSetVacbLargeOffset+2BEj
		mov	ecx, esi
		call	_CcDeallocateVacbLevel@8 ; CcDeallocateVacbLevel(x,x)
		mov	esi, [ebp+ebx*4+var_24]
		mov	eax, [ebp+ebx*4+var_40]
		and	dword ptr [esi+eax*4], 0
		jmp	short loc_494819
; 

loc_494876:				; CODE XREF: CcSetVacbLargeOffset+CBj
		mov	eax, [ebp+var_4C]
		mov	eax, [eax+60h]
		and	eax, 200h
		jnz	short loc_4948FD

loc_494883:				; CODE XREF: CcSetVacbLargeOffset+23Fj
		and	[ebp+var_48], 0

loc_494887:				; CODE XREF: CcSetVacbLargeOffset+248j
		cmp	[ebp+var_5C], 0
		jnz	loc_5BAF6D
		and	[ebp+var_74], 0
		lea	ecx, [ebp+var_7C]
		and	[ebp+var_70], 0
		test	eax, eax
		mov	[ebp+var_78], ecx
		mov	[ebp+var_7C], ecx
		setnz	dl
		push	ecx
		mov	ecx, [ebp+var_60]
		call	_CcAllocateVacbLevels@12 ; CcAllocateVacbLevels(x,x,x)
		test	al, al
		jz	loc_5BAF9D
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_5C], eax

loc_4948BE:				; CODE XREF: CcSetVacbLargeOffset+1268B0j
		mov	edx, [ebp+var_48]
		mov	ecx, eax
		call	CcAllocateVacbLevel
		cmp	[ebp+var_48], 0
		mov	[ebp+var_44], eax
		jnz	short loc_49490D

loc_4948D1:				; CODE XREF: CcSetVacbLargeOffset+2A5j
		mov	ecx, [ebp+var_88]
		mov	edx, esi
		push	[ebp+var_60]
		mov	[esi+ecx*4], eax
		mov	ecx, [ebp+var_4C]
		call	_VacbLevelReference@12 ; VacbLevelReference(x,x,x)
		inc	dword ptr [eax]
		mov	eax, [ebp+var_44]
		jmp	loc_494791
; 

loc_4948F1:				; CODE XREF: CcSetVacbLargeOffset+140j
		mov	ecx, eax
		call	CcFreeUnusedVacbLevels
		jmp	loc_494806
; 

loc_4948FD:				; CODE XREF: CcSetVacbLargeOffset+1C1j
		test	edi, edi
		jnz	short loc_494883
		mov	[ebp+var_48], 1
		jmp	loc_494887
; 

loc_49490D:				; CODE XREF: CcSetVacbLargeOffset+20Fj
		push	[ebp+var_80]
		mov	ecx, [ebp+var_4C]
		xor	dl, dl
		push	[ebp+var_84]
		call	CcGetBcbListHeadLargeOffset
		mov	edx, 2FDh
		jmp	short loc_494929
; 

loc_494927:				; CODE XREF: CcSetVacbLargeOffset+270j
		mov	eax, ecx

loc_494929:				; CODE XREF: CcSetVacbLargeOffset+265j
		mov	ecx, [eax+4]
		cmp	[ecx-10h], dx
		jz	short loc_494927
		mov	edx, [ebp+var_44]
		add	edx, 200h
		mov	[ebp+var_48], ecx
		push	3Fh
		mov	[eax+4], edx
		pop	ebx
		mov	[edx], eax

loc_494946:				; CODE XREF: CcSetVacbLargeOffset+295j
		lea	eax, [edx+8]
		mov	ecx, edx
		mov	[edx+4], eax
		mov	edx, eax
		mov	[edx], ecx
		sub	ebx, 1
		jnz	short loc_494946
		mov	eax, [ebp+var_48]
		mov	ebx, [ebp+var_64]
		mov	[edx+4], eax
		mov	[eax], edx
		mov	eax, [ebp+var_44]
		jmp	loc_4948D1
; 

loc_49496A:				; CODE XREF: CcSetVacbLargeOffset+19Bj
		mov	ecx, [esi+200h]
		xor	edx, edx
		mov	eax, [esi+3FCh]
		inc	edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		jmp	loc_494861
CcSetVacbLargeOffset endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VacbLevelReference(x, x, x)
_VacbLevelReference@12 proc near	; CODE XREF: CcAdjustVacbLevelLockCount+C4p
					; CcAdjustVacbLevelLockCount+D3p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_4949A2
		mov	eax, [ecx+60h]
		and	eax, 200h

loc_494997:				; CODE XREF: VacbLevelReference(x,x,x)+20j
		add	eax, 200h
		add	eax, edx
		pop	ebp
		retn	4
; 

loc_4949A2:				; CODE XREF: VacbLevelReference(x,x,x)+9j
		xor	eax, eax
		jmp	short loc_494997
_VacbLevelReference@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcUpdateSharedCacheMapFlag proc	near	; CODE XREF: CcUpdateReadHistory(x,x,x)+128p
					; CcCopyReadEx+2B6p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005BAFA4 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	ebx, edx
		stosd
		mov	esi, ecx
		stosd
		stosd
		call	CcGetPartition
		lea	edx, [ebp+var_C]
		lea	ecx, [eax+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	[ebp+arg_0], 0
		mov	eax, [esi+60h]
		jnz	short loc_494A2E
		not	ebx
		and	eax, ebx

loc_4949DA:				; CODE XREF: CcUpdateSharedCacheMapFlag+8Aj
		pop	edi
		mov	[esi+60h], eax
		test	ds:byte_70EFC6,	1
		pop	esi
		pop	ebx
		jnz	loc_5BAFA4
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_494A1C
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_494A14

loc_494A07:				; CODE XREF: CcUpdateSharedCacheMapFlag+86j
					; CcUpdateSharedCacheMapFlag+126609j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn	4
; 

loc_494A14:				; CODE XREF: CcUpdateSharedCacheMapFlag+5Fj
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_494A1C:				; CODE XREF: CcUpdateSharedCacheMapFlag+4Cj
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_494A07
; 

loc_494A2E:				; CODE XREF: CcUpdateSharedCacheMapFlag+2Ej
		or	eax, ebx
		jmp	short loc_4949DA
CcUpdateSharedCacheMapFlag endp

; 
		align 8
; Exported entry 310. ExAcquireSharedStarveExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExAcquireSharedStarveExclusive
ExAcquireSharedStarveExclusive proc near ; CODE	XREF: CcPinFileData+498p
					; CcPinFileData+57Fp ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005BAFB4 SIZE 0000007F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	dl, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		test	dl, dl
		push	edi
		setz	bh
		inc	bh
		movzx	eax, word ptr [esi+0Eh]
		mov	ecx, eax
		mov	edi, eax
		and	ecx, 1
		jnz	loc_5BAFB4

loc_494A5F:				; CODE XREF: ExAcquireSharedStarveExclusive+12657Ej
		test	cx, cx
		jnz	short loc_494A77

loc_494A64:				; CODE XREF: ExAcquireSharedStarveExclusive+1265F6j
		mov	ecx, esi
		test	al, 1
		jnz	short loc_494A93
		call	ExpAcquireSharedStarveExclusive

loc_494A6F:				; CODE XREF: ExAcquireSharedStarveExclusive+60j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_494A77:				; CODE XREF: ExAcquireSharedStarveExclusive+2Aj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		mov	bl, al
		cmp	bl, bh
		ja	loc_5BAFD4
		jmp	loc_5BAFE2
; 

loc_494A93:				; CODE XREF: ExAcquireSharedStarveExclusive+30j
		call	_ExpFastResourceLegacyAcquireSharedStarveExclusive@8 ; ExpFastResourceLegacyAcquireSharedStarveExclusive(x,x)
		jmp	short loc_494A6F
ExAcquireSharedStarveExclusive endp

; 
		align 10h

;  S U B	R O U T	I N E 


CcPinFileData	proc near		; CODE XREF: CcZeroDataInCache+54p
					; CcPinRead+93p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00495334 SIZE 0000001D BYTES
; FUNCTION CHUNK AT 005BB033 SIZE 00000226 BYTES
; FUNCTION CHUNK AT 005BB2D5 SIZE 00000078 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1B18
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 8
		push	ebx
		sub	esp, 60h
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-28h], edx
		mov	dword ptr [ebp-78h], 0
		mov	dword ptr [ebp-74h], 0
		mov	dword ptr [ebp-2Ch], 0
		mov	dword ptr [ebp-3Ch], 0
		mov	byte ptr [ebp-21h], 0
		mov	dword ptr [ebp-38h], 0
		mov	dword ptr [ebp-30h], 0
		mov	eax, [ecx+14h]
		mov	esi, [eax+4]
		mov	[ebp-44h], esi
		mov	[ebp-5Ch], esi
		mov	ecx, [ebx+8]
		add	ecx, [edx]
		mov	eax, 0
		adc	eax, [edx+4]
		cmp	eax, [esi+1Ch]
		jl	short loc_494B46
		jg	loc_5BB2D5
		cmp	ecx, [esi+18h]
		ja	loc_5BB2D5

loc_494B46:				; CODE XREF: CcPinFileData+95j
		mov	eax, [ebx+18h]
		mov	dword ptr [eax], 0
		mov	edi, [ebx+1Ch]
		mov	dword ptr [edi], 0
		mov	eax, [ebx+14h]
		mov	ecx, eax
		and	ecx, 4
		mov	[ebp-4Ch], ecx
		jnz	loc_5BB03D
		test	al, 40h
		jnz	loc_5BB033
		xor	ecx, ecx

loc_494B73:				; CODE XREF: CcPinFileData+126598j
		mov	eax, [edx+4]
		push	eax
		mov	eax, [edx]
		push	eax
		push	0
		push	ecx
		lea	eax, [ebp-38h]
		push	eax
		lea	edx, [ebp-30h]
		mov	ecx, esi
		call	CcGetVirtualAddress
		mov	[edi], eax

loc_494B8D:				; CODE XREF: CcPinFileData+1265BDj
		add	esi, 0B4h
		mov	dword ptr [ebp-58h], 0
		mov	eax, esi
		and	eax, 7FFFFFFCh
		mov	[ebp-50h], eax
		jz	loc_5BB062
		mov	edi, large fs:124h
		dec	word ptr [edi+13Eh]
		nop
		inc	byte ptr [edi+1E6h]
		nop
		cmp	byte ptr [edi+1E6h], 1
		jnz	loc_494EF1
		mov	dword ptr [ebp-54h], 0
		mov	dl, [edi+1E4h]
		test	dl, dl
		jz	loc_49519B

loc_494BE2:				; CODE XREF: CcPinFileData+70Cj
		movzx	eax, dl
		bsf	ecx, eax
		mov	[ebp-54h], ecx
		mov	al, 1
		shl	al, cl
		not	al
		and	al, dl
		mov	[edi+1E4h], al
		lea	edx, [ecx+ecx*2]
		shl	edx, 4
		add	edx, [edi+1E8h]
		mov	[ebp-40h], edx

loc_494C08:				; CODE XREF: CcPinFileData+721j
					; CcPinFileData+1265D4j
		test	edx, edx
		jz	loc_4951CC
		mov	eax, esi
		shr	eax, 15h
		mov	ecx, dword_6D07D0
		cmp	esi, ecx
		jb	loc_5BB079
		movzx	edx, byte ptr dword_6D3994[eax]
		mov	[ebp-48h], edx

loc_494C2D:				; CODE XREF: CcPinFileData+1265E0j
		mov	edx, [ebp-40h]
		cmp	dword ptr [ebp-48h], 1
		jz	loc_5BB085
		cmp	esi, ecx
		jb	short loc_494C4B
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_5BB085

loc_494C4B:				; CODE XREF: CcPinFileData+19Cj
		or	eax, 0FFFFFFFFh

loc_494C4E:				; CODE XREF: CcPinFileData+1265F0j
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp-50h]
		mov	[edx+10h], eax

loc_494C58:				; CODE XREF: CcPinFileData+734j
		nop
		dec	byte ptr [edi+1E6h]
		lea	eax, [ebp-58h]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [edi+13Eh], 1
		jnz	short loc_494C83
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jnz	loc_4950DE

loc_494C83:				; CODE XREF: CcPinFileData+1D5j
					; CcPinFileData+643j
		mov	edi, [ebp-40h]

loc_494C86:				; CODE XREF: CcPinFileData+1265C4j
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, al
		mov	[ebp-22h], cl
		lock btr dword ptr [esi], 0
		jnb	loc_495099

loc_494C9E:				; CODE XREF: CcPinFileData+605j
		test	edi, edi
		jz	short loc_494CA6
		or	byte ptr [edi+0Eh], 1

loc_494CA6:				; CODE XREF: CcPinFileData+200j
		mov	eax, large fs:124h
		mov	[esi+4], eax
		movzx	eax, cl
		mov	[esi+1Ch], eax
		mov	dword ptr [ebp-34h], 1
		mov	dword ptr [ebp-4], 0
		mov	dword ptr [ebp-70h], 0
		mov	dword ptr [ebp-6Ch], 0
		mov	dword ptr [ebp-68h], 0
		mov	dword ptr [ebp-64h], 0
		mov	eax, [ebx+8]
		mov	edi, [ebp-28h]
		add	eax, [edi]
		mov	ecx, 0
		adc	ecx, [edi+4]
		mov	[ebp-78h], eax
		mov	[ebp-74h], ecx
		lea	eax, [ebp-2Ch]
		push	eax
		lea	eax, [ebp-78h]
		push	eax
		mov	edx, edi
		mov	ecx, [ebp-44h]
		call	CcFindBcb
		movzx	eax, al
		test	eax, eax
		jz	loc_494F4A
		mov	eax, [ebp-44h]
		test	dword ptr [eax+60h], 200h
		jz	loc_5BB107
		mov	cl, [ebx+0Ch]

loc_494D25:				; CODE XREF: CcPinFileData+12666Cj
		mov	edi, [ebp-2Ch]
		lea	eax, [edi+74h]
		mov	[ebp-40h], eax
		mov	edx, [ebx+14h]
		and	edx, 1
		cmp	dword ptr [eax], 0
		jnz	loc_494F09
		lea	eax, [edi+8]
		mov	[ebp-48h], eax
		mov	eax, [eax]
		mov	ecx, [ebp-28h]
		sub	eax, [ecx]
		mov	ecx, [ebx+1Ch]
		add	[ecx], eax
		mov	ecx, [ebp-48h]
		mov	eax, [ecx]
		mov	[ebp-70h], eax
		mov	eax, [ecx+4]
		mov	[ebp-6Ch], eax
		mov	eax, [edi+4]
		mov	[ebp-38h], eax
		mov	[ebp-68h], eax
		mov	dword ptr [ebp-64h], 0
		test	edx, edx
		jz	loc_49511E
		inc	dword ptr [edi+34h]
		mov	dword ptr [esi+4], 0
		mov	al, [esi+1Ch]
		mov	[ebp-22h], al
		mov	ecx, 1
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jnz	loc_4950E8

loc_494D98:				; CODE XREF: CcPinFileData+651j
		mov	cl, [ebp-22h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	KeAbPostRelease
		mov	dword ptr [ebp-34h], 0
		cmp	byte ptr [ebx+0Ch], 0
		jnz	short loc_494DF9
		test	byte ptr [ebx+14h], 2
		jnz	loc_5BB111
		lea	edx, [edi+38h]
		mov	[ebp-50h], edx
		movzx	ecx, word ptr [edx+0Eh]
		mov	eax, ecx
		mov	[ebp-58h], eax
		and	eax, 1
		jnz	loc_5BB121

loc_494DD7:				; CODE XREF: CcPinFileData+126684j
		mov	ecx, [ebp-58h]
		movzx	edx, cx
		test	ax, ax
		jnz	loc_495334
		mov	ecx, [ebp-50h]

loc_494DE9:				; CODE XREF: CcPinFileData+126705j
		test	dl, 1
		mov	dl, 1
		jnz	loc_5BB1AA
		call	ExpAcquireSharedStarveExclusive

loc_494DF9:				; CODE XREF: CcPinFileData+313j
					; CcPinFileData+12667Cj ...
		cmp	dword ptr [ebp-4Ch], 0
		jnz	loc_5BB1B4
		mov	eax, [ebx+1Ch]
		mov	eax, [eax]
		push	eax
		push	1
		xor	edx, edx
		mov	ecx, [ebp-38h]
		call	_CcMapAndRead@16 ; CcMapAndRead(x,x,x,x)
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edi, eax
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, al
		mov	[ebp-22h], cl
		lock btr dword ptr [esi], 0
		jnb	loc_4950F6

loc_494E3A:				; CODE XREF: CcPinFileData+662j
		test	edi, edi
		jz	short loc_494E42
		or	byte ptr [edi+0Eh], 1

loc_494E42:				; CODE XREF: CcPinFileData+39Cj
		mov	eax, large fs:124h
		mov	[esi+4], eax
		movzx	eax, cl
		mov	[esi+1Ch], eax
		mov	ecx, [ebp-40h]
		cmp	dword ptr [ecx], 0
		jnz	loc_49521D
		mov	eax, [ebx+1Ch]
		mov	eax, [eax]
		mov	[ecx], eax
		mov	edi, [ebp-2Ch]
		mov	eax, [ebp-30h]
		mov	[edi+30h], eax
		mov	dword ptr [ebp-30h], 0

loc_494E74:				; CODE XREF: CcPinFileData+780j
		mov	dword ptr [esi+4], 0
		mov	al, [esi+1Ch]
		mov	[ebp-22h], al
		xor	eax, eax
		mov	ecx, 1
		lock cmpxchg [esi], ecx
		test	eax, eax
		jnz	loc_495107

loc_494E94:				; CODE XREF: CcPinFileData+670j
		mov	cl, [ebp-22h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp-40h]
		mov	eax, [ecx]
		mov	ecx, [ebp-48h]
		sub	eax, [ecx]

loc_494EAE:				; CODE XREF: CcPinFileData+4A5j
					; CcPinFileData+6F6j ...
		mov	edx, [ebp-28h]
		mov	ecx, [ebx+1Ch]
		add	eax, [edx]
		mov	[ecx], eax

loc_494EB8:				; CODE XREF: CcPinFileData+126717j
		mov	cl, 1
		mov	[ebp-21h], cl

loc_494EBD:				; CODE XREF: CcPinFileData+5F4j
					; CcPinFileData+126644j ...
		mov	eax, [ebx+14h]

loc_494EC0:				; CODE XREF: CcPinFileData+810j
		cmp	dword ptr [ebp-4Ch], 0
		jnz	loc_5BB1F7

loc_494ECA:				; CODE XREF: CcPinFileData+126759j
					; CcPinFileData+126761j ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-44h]
		call	sub_4952C0
		mov	al, cl
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	1Ch
; 

loc_494EF1:				; CODE XREF: CcPinFileData+127j
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	esi
		push	edi
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_494F09:				; CODE XREF: CcPinFileData+297j
		test	edx, edx
		jz	loc_4951D9
		inc	dword ptr [edi+34h]
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	dword ptr [ebp-34h], 0
		cmp	byte ptr [ebx+0Ch], 0
		jnz	short loc_494F3D
		push	1
		lea	eax, [edi+38h]
		push	eax
		test	byte ptr [ebx+14h], 2
		jnz	loc_5BB1DB
		call	ExAcquireSharedStarveExclusive

loc_494F3D:				; CODE XREF: CcPinFileData+486j
					; CcPinFileData+761j ...
		mov	ecx, [ebp-40h]
		mov	eax, [ecx]
		sub	eax, [edi+8]
		jmp	loc_494EAE
; 

loc_494F4A:				; CODE XREF: CcPinFileData+26Cj
		mov	eax, [ebx+14h]
		test	al, 8
		jnz	loc_4952A3
		mov	eax, [edi]
		mov	[ebp-48h], eax
		mov	ecx, [edi+4]
		mov	[ebp-70h], eax
		mov	[ebp-6Ch], ecx
		mov	edx, [ebp-78h]
		sub	edx, eax
		mov	eax, [ebp-74h]
		sbb	eax, ecx
		mov	[ebp-68h], edx
		mov	[ebp-64h], eax
		mov	eax, [ebp-48h]
		mov	edi, eax
		and	edi, 0FFFh
		add	edx, edi
		mov	[ebp-68h], edx
		add	[ebp-38h], edi
		mov	ecx, [ebp-44h]
		cmp	byte ptr [ebx+0Ch], 0
		jnz	short loc_494F99
		test	byte ptr [ecx+60h], 4
		jz	loc_4950AA

loc_494F99:				; CODE XREF: CcPinFileData+4EDj
		cmp	byte ptr [ebx+10h], 0
		jnz	loc_4950AA

loc_494FA3:				; CODE XREF: CcPinFileData+639j
		test	dword ptr [ecx+60h], 200h
		jz	loc_495115

loc_494FB0:				; CODE XREF: CcPinFileData+679j
		lea	edi, [edx+0FFFh]
		and	edi, 0FFFFF000h
		mov	[ebp-40h], edi
		mov	[ebp-68h], edi
		and	eax, 0FFFh
		mov	edx, [ebx+1Ch]
		sub	[edx], eax
		mov	eax, [ebp-48h]
		and	eax, 0FFFFF000h
		mov	[ebp-70h], eax
		mov	eax, [ebp-38h]
		cmp	edi, eax
		ja	loc_4952B5

loc_494FE2:				; CODE XREF: CcPinFileData+81Bj
		lea	eax, [ebp-68h]
		mov	edx, [ebp-2Ch]
		push	eax
		lea	eax, [ebp-70h]
		push	eax
		call	_CcAllocateInitializeBcb@16 ; CcAllocateInitializeBcb(x,x,x,x)
		mov	edi, eax
		mov	[ebp-2Ch], edi
		test	byte ptr [ebx+14h], 1
		jz	loc_495225
		test	edi, edi
		jz	loc_5BB095
		cmp	byte ptr [ebx+0Ch], 0
		jnz	short loc_49502C
		push	0
		lea	eax, [edi+38h]
		push	eax
		test	byte ptr [ebx+14h], 2
		jnz	loc_5BB0AD
		call	ExAcquireSharedStarveExclusive
		test	al, al
		jz	loc_5BB0CB

loc_49502C:				; CODE XREF: CcPinFileData+56Dj
					; CcPinFileData+126614j
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	dword ptr [ebp-34h], 0
		cmp	dword ptr [ebp-4Ch], 0
		jnz	short loc_49508C
		mov	eax, [ebx+1Ch]
		mov	eax, [eax]
		push	eax
		push	1
		mov	edx, [ebp-3Ch]
		mov	ecx, [ebp-40h]
		call	_CcMapAndRead@16 ; CcMapAndRead(x,x,x,x)
		mov	ecx, esi
		call	ExAcquireFastMutex
		cmp	dword ptr [edi+74h], 0
		jnz	short loc_495075
		mov	eax, [ebx+1Ch]
		mov	eax, [eax]
		mov	[edi+74h], eax
		mov	eax, [ebp-30h]
		mov	[edi+30h], eax
		mov	dword ptr [ebp-30h], 0

loc_495075:				; CODE XREF: CcPinFileData+5BEj
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, [edi+74h]
		sub	eax, [edi+8]
		mov	ecx, [ebp-28h]
		add	eax, [ecx]
		mov	ecx, [ebx+1Ch]
		mov	[ecx], eax

loc_49508C:				; CODE XREF: CcPinFileData+59Ej
		mov	cl, 1
		mov	[ebp-21h], cl
		mov	edx, [ebp-28h]
		jmp	loc_494EBD
; 

loc_495099:				; CODE XREF: CcPinFileData+1F8j
		mov	edx, edi
		mov	ecx, esi
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		mov	cl, [ebp-22h]
		jmp	loc_494C9E
; 

loc_4950AA:				; CODE XREF: CcPinFileData+4F3j
					; CcPinFileData+4FDj
		mov	edx, 2
		mov	[ebp-3Ch], edx
		test	edi, edi
		jnz	short loc_4950C7
		cmp	dword ptr [ebx+8], 1000h
		jb	short loc_4950C7
		mov	edx, 3
		mov	[ebp-3Ch], edx

loc_4950C7:				; CODE XREF: CcPinFileData+614j
					; CcPinFileData+61Dj
		test	dword ptr [ebp-68h], 0FFFh
		jnz	short loc_4950D6
		or	edx, 4
		mov	[ebp-3Ch], edx

loc_4950D6:				; CODE XREF: CcPinFileData+62Ej
		mov	edx, [ebp-68h]
		jmp	loc_494FA3
; 

loc_4950DE:				; CODE XREF: CcPinFileData+1DDj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_494C83
; 

loc_4950E8:				; CODE XREF: CcPinFileData+2F2j
		mov	edx, eax
		mov	ecx, esi
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	loc_494D98
; 

loc_4950F6:				; CODE XREF: CcPinFileData+394j
		mov	edx, edi
		mov	ecx, esi
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		mov	cl, [ebp-22h]
		jmp	loc_494E3A
; 

loc_495107:				; CODE XREF: CcPinFileData+3EEj
		mov	edx, eax
		mov	ecx, esi
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	loc_494E94
; 

loc_495115:				; CODE XREF: CcPinFileData+50Aj
		mov	byte ptr [ebx+0Ch], 1
		jmp	loc_494FB0
; 

loc_49511E:				; CODE XREF: CcPinFileData+2CFj
		cmp	byte ptr [ebx+0Ch], 0
		jnz	short loc_495137
		push	0
		lea	eax, [edi+38h]
		push	eax
		call	ExAcquireSharedStarveExclusive
		test	al, al
		jz	loc_5BB1BC

loc_495137:				; CODE XREF: CcPinFileData+682j
		inc	dword ptr [edi+34h]
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	dword ptr [ebp-34h], 0
		mov	eax, [ebx+1Ch]
		mov	eax, [eax]
		push	eax
		push	0
		xor	edx, edx
		mov	ecx, [edi+4]
		call	_CcMapAndRead@16 ; CcMapAndRead(x,x,x,x)
		test	al, al
		jz	loc_5BB1CE
		mov	ecx, esi
		call	ExAcquireFastMutex
		mov	ecx, [ebp-40h]
		cmp	dword ptr [ecx], 0
		jnz	short loc_495185
		mov	eax, [ebx+1Ch]
		mov	eax, [eax]
		mov	[ecx], eax
		mov	eax, [ebp-30h]
		mov	[edi+30h], eax
		mov	dword ptr [ebp-30h], 0

loc_495185:				; CODE XREF: CcPinFileData+6CFj
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [ebp-40h]
		mov	eax, [ecx]
		mov	ecx, [ebp-48h]
		sub	eax, [ecx]
		jmp	loc_494EAE
; 

loc_49519B:				; CODE XREF: CcPinFileData+13Cj
		lea	ecx, [edi+222h]
		cmp	byte ptr [ecx],	0
		jnz	short loc_495206
		xor	eax, eax
		xor	dl, dl

loc_4951AA:				; CODE XREF: CcPinFileData+77Bj
		test	eax, eax
		jnz	loc_494BE2
		xor	edx, edx
		mov	[ebp-40h], edx
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_494C08
		jmp	loc_5BB069
; 

loc_4951CC:				; CODE XREF: CcPinFileData+16Aj
		lea	eax, [edi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_494C58
; 

loc_4951D9:				; CODE XREF: CcPinFileData+46Bj
		test	cl, cl
		jnz	short loc_4951F0
		push	0
		lea	eax, [edi+38h]
		push	eax
		call	ExAcquireSharedStarveExclusive
		test	al, al
		jz	loc_5BB1E5

loc_4951F0:				; CODE XREF: CcPinFileData+73Bj
		inc	dword ptr [edi+34h]
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	dword ptr [ebp-34h], 0
		jmp	loc_494F3D
; 

loc_495206:				; CODE XREF: CcPinFileData+704j
		xor	al, al
		xchg	al, [ecx]
		or	[edi+1E4h], al
		mov	dl, [edi+1E4h]
		mov	eax, 1
		jmp	short loc_4951AA
; 

loc_49521D:				; CODE XREF: CcPinFileData+3B7j
		mov	edi, [ebp-2Ch]
		jmp	loc_494E74
; 

loc_495225:				; CODE XREF: CcPinFileData+55Bj
		test	edi, edi
		jz	loc_5BB0DC
		cmp	byte ptr [ebx+0Ch], 0
		jnz	short loc_495246
		push	0
		lea	eax, [edi+38h]
		push	eax
		call	ExAcquireSharedStarveExclusive
		test	al, al
		jz	loc_5BB0E9

loc_495246:				; CODE XREF: CcPinFileData+791j
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	dword ptr [ebp-34h], 0
		mov	eax, [ebx+1Ch]
		mov	eax, [eax]
		push	eax
		push	0
		mov	edx, [ebp-3Ch]
		mov	ecx, [ebp-40h]
		call	_CcMapAndRead@16 ; CcMapAndRead(x,x,x,x)
		test	al, al
		jz	loc_5BB0FA
		mov	ecx, esi
		call	ExAcquireFastMutex
		cmp	dword ptr [edi+74h], 0
		jnz	short loc_495291
		mov	eax, [ebx+1Ch]
		mov	eax, [eax]
		mov	[edi+74h], eax
		mov	eax, [ebp-30h]
		mov	[edi+30h], eax
		mov	dword ptr [ebp-30h], 0

loc_495291:				; CODE XREF: CcPinFileData+7DAj
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, [edi+74h]
		sub	eax, [edi+8]
		jmp	loc_494EAE
; 

loc_4952A3:				; CODE XREF: CcPinFileData+4AFj
		xor	edi, edi
		mov	[ebp-2Ch], edi
		xor	cl, cl
		mov	[ebp-21h], cl
		mov	edx, [ebp-28h]
		jmp	loc_494EC0
; 

loc_4952B5:				; CODE XREF: CcPinFileData+53Cj
		mov	[ebp-40h], eax
		mov	[ebp-68h], eax
		jmp	loc_494FE2
CcPinFileData	endp


;  S U B	R O U T	I N E 


sub_4952C0	proc near		; CODE XREF: CcPinFileData+434p
					; sub_5BB259+Fj

; FUNCTION CHUNK AT 005BB26D SIZE 00000068 BYTES

		cmp	dword ptr [ebp-34h], 0
		jnz	loc_5BB26D

loc_4952CA:				; CODE XREF: sub_4952C0+125FBEj
		mov	eax, [ebp-30h]
		test	eax, eax
		jnz	short loc_4952FA

loc_4952D1:				; CODE XREF: sub_4952C0+55j
					; sub_4952C0+72j
		test	byte ptr [ebx+14h], 4
		jnz	loc_5BB29D

loc_4952DB:				; CODE XREF: sub_4952C0+125FEEj
		test	cl, cl
		jz	loc_5BB2B3
		mov	eax, [ebx+18h]
		mov	[eax], edi
		mov	eax, [edi+18h]
		mov	ecx, [ebx+20h]
		mov	[ecx], eax
		mov	eax, [edi+1Ch]
		mov	[ecx+4], eax

loc_4952F6:				; CODE XREF: sub_4952C0+126010j
		mov	cl, [ebp-21h]

locret_4952F9:				; CODE XREF: sub_4952C0+125FFEj
		retn
; 

loc_4952FA:				; CODE XREF: sub_4952C0+Fj
		mov	eax, [eax+4]
		mov	[ebp-50h], eax
		or	eax, 0FFFFFFFFh
		mov	edx, [ebp-30h]
		lock xadd [edx+8], eax
		dec	eax
		movzx	eax, ax
		test	ax, ax
		mov	edx, [ebp-28h]
		jnz	short loc_4952D1
		mov	eax, [ebp-50h]
		mov	edx, [eax+74h]
		mov	[ebp-5Ch], edx
		test	edx, edx
		mov	edx, [ebp-28h]
		jnz	loc_5BB283

loc_49532B:				; CODE XREF: sub_4952C0+125FD8j
		lock dec dword ptr [eax+180h]
		jmp	short loc_4952D1
sub_4952C0	endp

; 
; START	OF FUNCTION CHUNK FOR CcPinFileData

loc_495334:				; CODE XREF: CcPinFileData+340j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	cl, al
		mov	edx, large fs:124h
		cmp	cl, 1
		ja	loc_5BB13B
		jmp	loc_5BB14F
; END OF FUNCTION CHUNK	FOR CcPinFileData
; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcFindBcb	proc near		; CODE XREF: CcPinFileData+262p
					; CcAcquireByteRangeForWrite+47Ep

var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_1], 0
		push	esi
		push	edi
		mov	esi, [ebx]
		mov	edi, [ebx+4]
		add	esi, 80000h
		mov	eax, edi
		adc	eax, 0
		push	eax
		push	esi
		call	_CcGetBcbListHead@16 ; CcGetBcbListHead(x,x,x,x)
		mov	esi, 2FDh
		mov	eax, [eax]
		sub	eax, 10h
		test	edi, edi
		jnz	short loc_4953DB
		cmp	[eax], si
		jnz	short loc_4953C0
		cmp	[eax+1Ch], edi
		jnz	short loc_4953DB
		mov	edi, [ebp+arg_0]

loc_4953A3:				; CODE XREF: CcFindBcb+5Ej
		mov	ecx, [ebx]
		cmp	ecx, [eax+18h]
		jnb	short loc_4953C0
		mov	edx, [eax+8]
		cmp	ecx, edx
		jnb	short loc_4953C5
		cmp	[edi], edx
		jnb	short loc_4953D7

loc_4953B5:				; CODE XREF: CcFindBcb+79j
		mov	eax, [eax+10h]
		sub	eax, 10h
		cmp	[eax], si
		jz	short loc_4953A3

loc_4953C0:				; CODE XREF: CcFindBcb+39j
					; CcFindBcb+48j ...
		mov	dl, [ebp+var_1]
		jmp	short loc_4953C7
; 

loc_4953C5:				; CODE XREF: CcFindBcb+4Fj
					; CcPinFileData+126876j ...
		mov	dl, 1

loc_4953C7:				; CODE XREF: CcFindBcb+63j
		mov	ecx, [ebp+arg_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx], eax
		mov	al, dl
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4953D7:				; CODE XREF: CcFindBcb+53j
		mov	[edi], edx
		jmp	short loc_4953B5
; 

loc_4953DB:				; CODE XREF: CcFindBcb+34j
					; CcFindBcb+3Ej
		cmp	[eax], si
		jnz	short loc_4953C0
		mov	edx, [ebp+arg_0]
		jmp	loc_5BB2EB
CcFindBcb	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcGetBcbListHead(x,	x, x, x)
_CcGetBcbListHead@16 proc near		; CODE XREF: CcFindBcb+23p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+1Ch]
		mov	edx, [ecx+18h]
		test	eax, eax
		jl	short loc_495431
		jg	short loc_495409
		cmp	edx, 200000h
		jbe	short loc_495431

loc_495409:				; CODE XREF: CcGetBcbListHead(x,x,x,x)+Fj
		test	dword ptr [ecx+60h], 200h
		jz	short loc_495431
		test	eax, eax
		jl	short loc_495438
		jg	short loc_495420
		cmp	edx, 2000000h
		jbe	short loc_495438

loc_495420:				; CODE XREF: CcGetBcbListHead(x,x,x,x)+26j
		push	[ebp+arg_4]
		mov	dl, 1
		push	[ebp+arg_0]
		call	CcGetBcbListHeadLargeOffset

loc_49542D:				; CODE XREF: CcGetBcbListHead(x,x,x,x)+7Aj
					; CcGetBcbListHead(x,x,x,x)+81j
		pop	ebp
		retn	8
; 

loc_495431:				; CODE XREF: CcGetBcbListHead(x,x,x,x)+Dj
					; CcGetBcbListHead(x,x,x,x)+17j ...
		lea	eax, [ecx+10h]
		pop	ebp
		retn	8
; 

loc_495438:				; CODE XREF: CcGetBcbListHead(x,x,x,x)+24j
					; CcGetBcbListHead(x,x,x,x)+2Ej
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	edi, eax
		jl	short loc_49544A
		jg	short loc_49546C
		cmp	esi, edx
		jnb	short loc_49546C

loc_49544A:				; CODE XREF: CcGetBcbListHead(x,x,x,x)+52j
		test	eax, eax
		jnz	short loc_495473
		cmp	edx, 100000h
		jbe	short loc_495478
		shr	edx, 12h
		shl	edx, 2

loc_49545C:				; CODE XREF: CcGetBcbListHead(x,x,x,x)+86j
					; CcGetBcbListHead(x,x,x,x)+8Dj
		mov	eax, [ecx+40h]
		shrd	esi, edi, 13h
		pop	edi
		lea	eax, [eax+esi*8]
		add	eax, edx
		pop	esi
		jmp	short loc_49542D
; 

loc_49546C:				; CODE XREF: CcGetBcbListHead(x,x,x,x)+54j
					; CcGetBcbListHead(x,x,x,x)+58j
		pop	edi
		lea	eax, [ecx+10h]
		pop	esi
		jmp	short loc_49542D
; 

loc_495473:				; CODE XREF: CcGetBcbListHead(x,x,x,x)+5Cj
		or	edx, 0FFFFFFFFh
		jmp	short loc_49545C
; 

loc_495478:				; CODE XREF: CcGetBcbListHead(x,x,x,x)+64j
		mov	edx, 10h
		jmp	short loc_49545C
_CcGetBcbListHead@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpAcquireSharedStarveExclusive	proc near ; CODE XREF: ExAcquireSharedStarveExclusive+32p
					; CcPinFileData+354p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BB34D SIZE 0000017E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		push	ebx
		push	esi
		mov	[ebp+var_14], eax
		mov	bh, dl
		mov	[ebp+var_10], eax
		mov	esi, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	eax, large fs:124h
		test	dword ptr ds:byte_70EFC4, 20000h
		push	edi
		mov	[ebp+var_4], eax
		jnz	loc_5BB34D
		xor	bl, bl

loc_4954CA:				; CODE XREF: ExpAcquireSharedStarveExclusive+125ECFj
		inc	large dword ptr	fs:4224h
		lea	edi, [esi+34h]

loc_4954D4:				; DATA XREF: .text:00429919o
		mov	[ebp+var_10], edi
		mov	[ebp+var_14], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_C], al
		jnz	loc_5BB354
		lea	edx, [ebp+var_14]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_495735

loc_495501:				; CODE XREF: ExpAcquireSharedStarveExclusive+13Cj
					; ExpAcquireSharedStarveExclusive+2BDj	...
		mov	edi, [ebp+var_4]

loc_495504:				; CODE XREF: ExpAcquireSharedStarveExclusive+25Cj
		mov	eax, [esi+20h]
		test	eax, eax
		jnz	short loc_49557F
		inc	eax
		mov	[esi+18h], edi
		mov	[esi+20h], eax
		mov	ecx, 1
		mov	eax, [esi+1Ch]
		mov	bh, cl
		and	eax, 7
		mov	[esi+0Ch], cx
		or	eax, 8
		mov	[esi+1Ch], eax
		test	ds:byte_70EFC6,	cl
		jnz	loc_5BB4A4
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_49582A
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jnz	loc_49581D

loc_495557:				; CODE XREF: ExpAcquireSharedStarveExclusive+3B7j
					; ExpAcquireSharedStarveExclusive+12602Fj
		mov	cl, byte ptr [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:422Ch
		inc	large dword ptr	fs:41E4h
		test	bl, bl
		jnz	loc_5BB4B4

loc_495576:				; CODE XREF: ExpAcquireSharedStarveExclusive+126046j
		mov	al, bh

loc_495578:				; CODE XREF: ExpAcquireSharedStarveExclusive+125F90j
					; ExpAcquireSharedStarveExclusive+125FC0j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_49557F:				; CODE XREF: ExpAcquireSharedStarveExclusive+89j
		mov	ax, [esi+0Eh]
		mov	ecx, 80h
		and	ax, cx
		movzx	eax, ax
		test	ax, ax
		jnz	loc_4956BB

loc_495597:				; CODE XREF: ExpAcquireSharedStarveExclusive+247j
		mov	ecx, [ebp+var_4]
		call	_ExpGetThreadResourceHint@4 ; ExpGetThreadResourceHint(x)
		push	eax
		xor	eax, eax
		mov	edx, ecx
		cmp	[esi+2Ch], eax
		mov	ecx, esi
		setnz	al
		push	eax
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		call	@ExpFindCurrentThread@24 ; ExpFindCurrentThread(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_495501

loc_4955C2:				; CODE XREF: ExpAcquireSharedStarveExclusive+264j
		mov	edx, [ebp+var_4]
		cmp	[edi], edx
		jnz	short loc_49562F
		mov	eax, [edi+4]
		add	eax, 8
		mov	[edi+4], eax
		shr	eax, 3
		test	ds:byte_70EFC6,	1
		mov	[ebp+var_8], eax
		jnz	loc_5BB3EB
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_495844
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jnz	loc_49583C

loc_495607:				; CODE XREF: ExpAcquireSharedStarveExclusive+3D6j
					; ExpAcquireSharedStarveExclusive+125F76j
		mov	cl, byte ptr [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4230h
		inc	large dword ptr	fs:41E4h
		test	bl, bl
		jnz	loc_5BB3FB

loc_495626:				; CODE XREF: ExpAcquireSharedStarveExclusive+230j
					; ExpAcquireSharedStarveExclusive+125F4Fj ...
		mov	al, 1
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_49562F:				; CODE XREF: ExpAcquireSharedStarveExclusive+147j
		mov	ecx, esi
		call	_ExpTryAcquireResourceSharedStarveExclusive@4 ;	ExpTryAcquireResourceSharedStarveExclusive(x)
		test	al, al
		jz	loc_4956E9
		mov	eax, [edi+4]
		and	eax, 7
		mov	[edi], edx
		or	eax, 8
		mov	[edi+4], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5BB415
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_49574A
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jnz	loc_495742

loc_49567B:				; CODE XREF: ExpAcquireSharedStarveExclusive+2DCj
					; ExpAcquireSharedStarveExclusive+125FA0j
		mov	cl, byte ptr [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_4]
		test	al, 3
		jnz	loc_5BB425

loc_49568F:				; CODE XREF: ExpAcquireSharedStarveExclusive+390j
		movzx	ecx, byte ptr [eax+26Ch]

loc_495696:				; CODE XREF: ExpAcquireSharedStarveExclusive+398j
					; ExpAcquireSharedStarveExclusive+125FA7j
		push	ecx
		mov	edx, eax
		mov	ecx, esi
		call	ExpBoostIoAfterAcquire
		inc	large dword ptr	fs:422Ch
		inc	large dword ptr	fs:41E4h
		test	bl, bl
		jz	loc_495626
		jmp	loc_5BB42C
; 

loc_4956BB:				; CODE XREF: ExpAcquireSharedStarveExclusive+111j
		cmp	[esi+18h], edi
		jz	loc_5BB363
		test	ax, ax
		jz	loc_495597
		lea	edx, [ebp+var_14]
		mov	ecx, esi
		call	@ExpFindEmptyEntry@8 ; ExpFindEmptyEntry(x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_495504
		mov	edi, eax
		jmp	loc_4955C2
; 

loc_4956E9:				; CODE XREF: ExpAcquireSharedStarveExclusive+1B8j
		test	bh, bh
		jnz	short loc_495761
		test	ds:byte_70EFC6,	1
		jnz	loc_5BB445
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_49585B
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jnz	loc_5BB455

loc_49571C:				; CODE XREF: ExpAcquireSharedStarveExclusive+3EDj
					; ExpAcquireSharedStarveExclusive+125FD0j
		mov	cl, byte ptr [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4238h
		xor	al, al
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_495735:				; CODE XREF: ExpAcquireSharedStarveExclusive+7Bj
		lea	ecx, [ebp+var_14]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_495501
; 

loc_495742:				; CODE XREF: ExpAcquireSharedStarveExclusive+1F5j
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid

loc_49574A:				; CODE XREF: ExpAcquireSharedStarveExclusive+1DEj
		mov	[ebp+var_14], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_49567B
; 

loc_495761:				; CODE XREF: ExpAcquireSharedStarveExclusive+26Bj
		mov	eax, [edi+4]
		and	eax, 7
		mov	[edi], edx
		or	eax, 8
		mov	[edi+4], eax
		lea	eax, [ebp+var_24]
		inc	dword ptr [esi+28h]
		push	0
		push	1
		push	eax
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], 0
		mov	[ebp+var_28], edx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	ecx, [esi+10h]
		lea	edx, [ebp+var_30]
		call	RtlInsertHeadCircularList
		test	ds:byte_70EFC6,	1
		jnz	loc_5BB462
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_5BB47A
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jnz	loc_5BB472

loc_4957D8:				; CODE XREF: ExpAcquireSharedStarveExclusive+125FEDj
					; ExpAcquireSharedStarveExclusive+12600Cj
		mov	cl, byte ptr [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4234h
		test	bl, bl
		jnz	loc_5BB491

loc_4957F0:				; CODE XREF: ExpAcquireSharedStarveExclusive+12601Fj
		mov	ecx, esi
		call	_ExpApplyPrewaitBoost@4	; ExpApplyPrewaitBoost(x)
		push	offset _ExpApplyRewaitBoost@4 ;	ExpApplyRewaitBoost(x)
		push	10244h
		lea	edx, [ebp+var_30]
		mov	ecx, esi
		call	ExpWaitForResource
		mov	eax, [ebp+var_4]
		test	al, 3
		jz	loc_49568F
		xor	ecx, ecx
		jmp	loc_495696
; 

loc_49581D:				; CODE XREF: ExpAcquireSharedStarveExclusive+D1j
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid
		mov	ecx, 1

loc_49582A:				; CODE XREF: ExpAcquireSharedStarveExclusive+BAj
		mov	[ebp+var_14], 0
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_495557
; 

loc_49583C:				; CODE XREF: ExpAcquireSharedStarveExclusive+181j
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid

loc_495844:				; CODE XREF: ExpAcquireSharedStarveExclusive+16Aj
		mov	[ebp+var_14], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_495607
; 

loc_49585B:				; CODE XREF: ExpAcquireSharedStarveExclusive+27Fj
					; ExpAcquireSharedStarveExclusive+125FDDj
		mov	[ebp+var_14], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_49571C
ExpAcquireSharedStarveExclusive	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcGetBcbListHeadLargeOffset proc near	; CODE XREF: CcSetVacbLargeOffset+25Bp
					; CcGetBcbListHead(x,x,x,x)+38p

var_64		= dword	ptr -64h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BB4CB SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ecx
		mov	[ebp+var_3D], dl
		xor	ecx, ecx
		mov	[ebp+var_58], eax
		push	ebx
		push	esi
		mov	esi, [eax+40h]
		mov	ebx, [eax+18h]
		mov	eax, [eax+1Ch]
		push	edi
		mov	[ebp+var_54], esi
		lea	edi, [ecx+19h]
		mov	[ebp+var_20], ecx
		xor	esi, esi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], eax
		jmp	short loc_4958D0
; 
		align 10h

loc_4958D0:				; CODE XREF: CcGetBcbListHeadLargeOffset+4Bj
					; CcGetBcbListHeadLargeOffset+6Aj ...
		mov	[ebp+var_50], edi
		mov	eax, 1
		add	edi, 7
		xor	edx, edx
		mov	ecx, edi
		inc	esi
		call	__allshl
		cmp	[ebp+var_48], edx
		jl	short loc_4958F0
		jg	short loc_4958D0
		cmp	ebx, eax
		ja	short loc_4958D0

loc_4958F0:				; CODE XREF: CcGetBcbListHeadLargeOffset+68j
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_44], esi
		mov	esi, [ebp+var_54]
		cmp	ebx, edx
		jg	loc_4959D1
		mov	edi, [ebp+arg_0]
		jl	short loc_49590E
		cmp	edi, eax
		jnb	loc_4959D1

loc_49590E:				; CODE XREF: CcGetBcbListHeadLargeOffset+84j
		mov	eax, [ebp+var_44]
		mov	ecx, [ebp+var_50]

loc_495914:				; CODE XREF: CcGetBcbListHeadLargeOffset+E3j
		dec	eax
		mov	edx, ebx
		mov	[ebp+var_44], eax
		mov	eax, edi
		call	__allshr
		mov	edx, [esi+eax*4]
		mov	[ebp+var_48], edx
		test	edx, edx
		jz	short loc_495990

loc_49592B:				; CODE XREF: CcGetBcbListHeadLargeOffset+17Dj
					; CcGetBcbListHeadLargeOffset+186j
		mov	ecx, [ebp+var_4C]
		mov	[ebp+ecx*4+var_3C], eax
		mov	eax, 1
		mov	[ebp+ecx*4+var_20], esi
		inc	ecx
		mov	[ebp+var_4C], ecx
		mov	esi, edx
		mov	ecx, [ebp+var_50]
		xor	edx, edx
		call	__allshl
		mov	ecx, [ebp+var_50]
		sub	eax, 1
		sbb	edx, 0
		and	edi, eax
		mov	eax, [ebp+var_44]
		sub	ecx, 7
		and	ebx, edx
		mov	[ebp+var_50], ecx
		test	eax, eax
		jnz	short loc_495914
		mov	eax, edi
		mov	edx, ebx
		call	__allshr
		mov	ecx, [ebp+var_48]
		and	eax, 0FFFFFFFEh
		sub	ecx, 0FFFFFE00h
		lea	eax, [ecx+eax*4]

loc_49597D:				; CODE XREF: CcGetBcbListHeadLargeOffset+157j
					; CcGetBcbListHeadLargeOffset+125C67j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_495990:				; CODE XREF: CcGetBcbListHeadLargeOffset+A9j
		mov	ecx, [ebp+var_44]
		mov	edi, [ebp+var_4C]
		mov	dl, [ebp+var_3D]
		lea	esp, [esp+0]

loc_4959A0:				; CODE XREF: CcGetBcbListHeadLargeOffset+125C60j
		test	dl, dl
		jz	short loc_4959D9
		cmp	eax, 7Fh
		jz	short loc_4959C9
		lea	esp, [esp+0]

loc_4959B0:				; CODE XREF: CcGetBcbListHeadLargeOffset+13Aj
		cmp	eax, 7Fh
		jz	short loc_4959BC
		inc	eax
		cmp	dword ptr [esi+eax*4], 0
		jz	short loc_4959B0

loc_4959BC:				; CODE XREF: CcGetBcbListHeadLargeOffset+133j
		mov	edx, [esi+eax*4]
		mov	[ebp+var_48], edx
		test	edx, edx
		jnz	short loc_495A02

loc_4959C6:				; CODE XREF: CcGetBcbListHeadLargeOffset+173j
		mov	dl, [ebp+var_3D]

loc_4959C9:				; CODE XREF: CcGetBcbListHeadLargeOffset+127j
					; CcGetBcbListHeadLargeOffset+15Bj
		test	edi, edi
		jnz	loc_5BB4CB

loc_4959D1:				; CODE XREF: CcGetBcbListHeadLargeOffset+7Bj
					; CcGetBcbListHeadLargeOffset+88j
		mov	eax, [ebp+var_58]
		add	eax, 10h
		jmp	short loc_49597D
; 

loc_4959D9:				; CODE XREF: CcGetBcbListHeadLargeOffset+122j
		test	eax, eax
		jz	short loc_4959C9
		lea	ecx, [ecx+0]

loc_4959E0:				; CODE XREF: CcGetBcbListHeadLargeOffset+169j
		test	eax, eax
		jz	short loc_4959EB
		dec	eax
		cmp	dword ptr [esi+eax*4], 0
		jz	short loc_4959E0

loc_4959EB:				; CODE XREF: CcGetBcbListHeadLargeOffset+162j
		mov	edx, [esi+eax*4]
		mov	[ebp+var_48], edx
		test	edx, edx
		jz	short loc_4959C6
		or	edi, 0FFFFFFFFh
		mov	ebx, 7FFFFFFFh
		jmp	loc_49592B
; 

loc_495A02:				; CODE XREF: CcGetBcbListHeadLargeOffset+144j
		xor	edi, edi
		xor	ebx, ebx
		jmp	loc_49592B
CcGetBcbListHeadLargeOffset endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ExpGetThreadResourceHint(x)
_ExpGetThreadResourceHint@4 proc near	; CODE XREF: ExpAcquireSharedStarveExclusive+11Ap
					; ExpAcquireResourceSharedLite+122p ...
		test	cl, 3
		jnz	short loc_495A1D
		movzx	eax, byte ptr [ecx+26Ch]
		retn
; 

loc_495A1D:				; CODE XREF: ExpGetThreadResourceHint(x)+3j
		xor	eax, eax
		retn
_ExpGetThreadResourceHint@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcAllocateInitializeBcb(x, x, x, x)
_CcAllocateInitializeBcb@16 proc near	; CODE XREF: CcPinFileData+54Dp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	63426343h
		push	88h
		push	200h
		mov	[esp+1Ch+var_4], edx
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_495B14
		push	86h		; size_t
		lea	eax, [edi+2]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ebx, [ebp+arg_0]
		mov	eax, 2FDh
		mov	edx, [ebp+arg_4]
		add	esp, 0Ch
		mov	[edi], ax
		mov	eax, [ebx]
		mov	[edi+8], eax
		mov	eax, [ebx+4]
		mov	[edi+0Ch], eax
		mov	eax, [edx]
		mov	[edi+4], eax
		mov	ecx, [ebx]
		add	ecx, [edx]
		mov	eax, [ebx+4]
		adc	eax, [edx+4]
		inc	dword ptr [edi+34h]
		mov	[edi+1Ch], eax
		lea	eax, [edi+38h]
		push	eax
		mov	[edi+18h], ecx
		mov	[edi+70h], esi
		call	ExInitializeResourceLite
		lea	ecx, [esi+48h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esp+10h+var_4]
		lea	eax, [edi+10h]
		add	ecx, 10h
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_495B18
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		cmp	dword ptr [esi+1Ch], 0
		jl	short loc_495AEE
		jg	short loc_495AD6
		cmp	dword ptr [esi+18h], 2000000h
		jbe	short loc_495AEE

loc_495AD6:				; CODE XREF: CcAllocateInitializeBcb(x,x,x,x)+ABj
		test	dword ptr [esi+60h], 200h
		jz	short loc_495AEE
		push	dword ptr [ebx+4]
		xor	edx, edx
		mov	ecx, esi
		push	dword ptr [ebx]
		inc	edx
		call	CcAdjustVacbLevelLockCount

loc_495AEE:				; CODE XREF: CcAllocateInitializeBcb(x,x,x,x)+A9j
					; CcAllocateInitializeBcb(x,x,x,x)+B4j	...
		xor	edx, edx
		lea	ecx, [esi+48h]
		call	ExReleasePushLockEx
		test	byte ptr [esi+60h], 2
		jnz	short loc_495B09

loc_495AFE:				; CODE XREF: CcAllocateInitializeBcb(x,x,x,x)+F2j
		mov	eax, edi

loc_495B00:				; CODE XREF: CcAllocateInitializeBcb(x,x,x,x)+F6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_495B09:				; CODE XREF: CcAllocateInitializeBcb(x,x,x,x)+DCj
		lea	eax, [edi+38h]
		push	eax
		call	ExDisableResourceBoostLite
		jmp	short loc_495AFE
; 

loc_495B14:				; CODE XREF: CcAllocateInitializeBcb(x,x,x,x)+2Aj
		xor	eax, eax
		jmp	short loc_495B00
; 

loc_495B18:				; CODE XREF: CcAllocateInitializeBcb(x,x,x,x)+99j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CcAllocateInitializeBcb@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcIsFatalWriteError proc near		; CODE XREF: CcWriteBehindInternal+3AFp
					; .text:004ACFABp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BB4EC SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		js	short loc_495B35
		xor	al, al

loc_495B31:				; CODE XREF: CcIsFatalWriteError+7Bj
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_495B35:				; CODE XREF: CcIsFatalWriteError+Fj
		cmp	dword ptr [edi+4], 1
		jb	loc_5BB4FE
		lea	eax, [edi+44h]
		push	esi
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_495B5C
		mov	ecx, edi
		call	_CcSlowReferenceSharedCacheMapFileObject@4 ; CcSlowReferenceSharedCacheMapFileObject(x)
		mov	esi, eax

loc_495B5C:				; CODE XREF: CcIsFatalWriteError+33j
		mov	ecx, [esi+4]
		mov	edi, [ebp+var_4]
		mov	eax, [ecx+20h]
		mov	ecx, [edi]
		and	eax, 10h
		mov	edx, ecx
		mov	[ebp+var_8], eax
		xor	edx, esi
		cmp	edx, 7
		jnb	short loc_495B9B

loc_495B76:				; CODE XREF: CcIsFatalWriteError+1259D5j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jnz	loc_5BB4EC

loc_495B87:				; CODE XREF: CcIsFatalWriteError+88j
		mov	edx, [ebp+var_8]
		xor	ecx, ecx
		push	ebx
		inc	ecx
		call	MmIsWriteErrorFatal
		test	eax, eax
		pop	esi
		setnz	al
		jmp	short loc_495B31
; 

loc_495B9B:				; CODE XREF: CcIsFatalWriteError+56j
					; CcIsFatalWriteError+1259DBj
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	short loc_495B87
CcIsFatalWriteError endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcScanLogHandleList proc near		; CODE XREF: CcLazyWriteScan+65p

var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BB526 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		and	dword ptr [edx], 0
		push	esi
		push	edi
		lea	edi, [ebp+var_20]
		and	[ebp+var_4], 0
		stosd
		mov	ebx, ecx
		mov	[ebp+var_14], edx
		mov	ecx, offset _CcMasterLock
		lea	edx, [ebp+var_20]
		mov	[ebp+var_10], ebx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_4]
		or	dword ptr [edi], 0FFFFFFFFh
		mov	dword ptr [edi+4], 7FFFFFFFh
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, _CcVolumeCacheMapList
		mov	[ebp+var_C], eax
		cmp	eax, offset _CcVolumeCacheMapList
		jz	loc_495CD8
		lea	edi, [ebx+40h]
		mov	[ebp+var_8], edi

loc_495C05:				; CODE XREF: CcScanLogHandleList+12Aj
		lea	esi, [eax-0Ch]
		mov	ebx, eax
		inc	dword ptr [esi+4]
		lea	ecx, [ebp+var_20]
		call	KeReleaseInStackQueuedSpinLock
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_495C24
		lea	ecx, [ebp+var_4]
		push	ecx
		push	eax
		call	dword ptr [esi+20h]

loc_495C24:				; CODE XREF: CcScanLogHandleList+72j
		lea	edx, [ebp+var_2C]
		mov	ecx, edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	dword ptr [esi+18h], 0
		jz	short loc_495C9E
		mov	edi, [esi+24h]
		cmp	edi, 0FFFFFFFFh
		jnb	loc_5BB514
		mov	[esi+3Ch], edi
		cmp	word ptr [ebp+var_4], 0
		jz	loc_495D12
		imul	eax, edi, 64h
		xor	edx, edx
		mov	[esi+3Ch], eax
		movzx	ecx, word ptr [ebp+var_4]
		div	ecx

loc_495C5C:				; CODE XREF: CcScanLogHandleList+16Dj
		mov	edx, [ebp+arg_0]
		lea	ecx, [esi+30h]
		mov	[ecx], eax
		mov	[esi+38h], eax
		mov	[esi+34h], eax
		imul	eax, 3
		push	1
		push	ecx
		mov	ecx, [ebp+var_10]
		shr	eax, 2
		mov	[esi+3Ch], eax
		lea	eax, [esi+24h]
		push	eax
		call	_CcCalculatePagesToWrite@20 ; CcCalculatePagesToWrite(x,x,x,x,x)
		mov	[esi+28h], edi
		shr	edi, 3
		cmp	eax, edi
		ja	short loc_495D02
		and	dword ptr [esi+58h], 0
		xor	eax, eax

loc_495C92:				; CODE XREF: CcScanLogHandleList+168j
		cmp	dword ptr [esi+14h], 0
		mov	[esi+2Ch], eax
		jnz	short loc_495CE7

loc_495C9B:				; CODE XREF: CcScanLogHandleList+14Bj
					; CcScanLogHandleList+151j ...
		mov	edi, [ebp+var_8]

loc_495C9E:				; CODE XREF: CcScanLogHandleList+8Aj
		lea	ecx, [ebp+var_2C]
		call	KeReleaseInStackQueuedSpinLock
		lea	edx, [ebp+var_20]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp+var_C]
		mov	ecx, esi
		mov	eax, [eax]
		mov	[ebp+var_C], eax
		call	CcDecrementVolumeUseCount
		test	eax, eax
		jz	loc_5BB526

loc_495CCA:				; CODE XREF: CcScanLogHandleList+1259ACj
		mov	eax, [ebp+var_C]
		cmp	eax, offset _CcVolumeCacheMapList
		jnz	loc_495C05

loc_495CD8:				; CODE XREF: CcScanLogHandleList+51j
		lea	ecx, [ebp+var_20]
		call	KeReleaseInStackQueuedSpinLock
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_495CE7:				; CODE XREF: CcScanLogHandleList+F1j
		mov	edi, [ebp+arg_4]
		mov	ecx, [esi+74h]
		mov	eax, [esi+70h]
		cmp	ecx, [edi+4]
		jg	short loc_495C9B
		jl	short loc_495CFB
		cmp	eax, [edi]
		jnb	short loc_495C9B

loc_495CFB:				; CODE XREF: CcScanLogHandleList+14Dj
		mov	[edi], eax
		mov	[edi+4], ecx
		jmp	short loc_495C9B
; 

loc_495D02:				; CODE XREF: CcScanLogHandleList+E2j
		mov	ecx, [ebp+var_14]
		mov	[esi+58h], eax
		add	[ecx], eax
		inc	_CcDbgAdditionalPagesQueuedCount
		jmp	short loc_495C92
; 

loc_495D12:				; CODE XREF: CcScanLogHandleList+A0j
					; CcIsFatalWriteError+125A03j
		mov	eax, [esi+5Ch]
		jmp	loc_495C5C
CcScanLogHandleList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiTryLockProtoPoolPageAtDpc proc near	; CODE XREF: .text:00455982p
					; MiCopyDataPageToImagePage+1EDp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_14], ecx
		push	edi
		mov	[eax], ebx
		mov	eax, ecx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_C], ebx
		sub	eax, 40000000h
		mov	[ebp+var_8], eax
		mov	edi, [eax]
		nop
		mov	ecx, [eax+4]
		mov	eax, edi
		and	eax, 1
		or	eax, ebx
		jz	loc_495E3C
		push	esi
		nop
		shrd	edi, ecx, 0Ch
		and	edi, 1FFFFFFh
		cmp	edi, dword_6D07B0
		ja	loc_495E5A
		mov	eax, dword_6D35B8
		mov	edx, edi
		shr	edx, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_495E5A
		imul	esi, edi, 1Ch
		add	esi, ds:_MmPfnDatabase
		lea	eax, [esi+10h]
		mov	[ebp+var_4], eax
		lock bts dword ptr [eax], 1Fh
		jb	loc_495E5A
		test	dword ptr [eax], 40000000h
		jnz	loc_5BB55E
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_C], ebx
		mov	edx, [ecx]
		nop
		mov	eax, [ecx+4]
		mov	[ebp+var_C], eax
		mov	[ebp+var_18], eax
		mov	eax, edx
		and	eax, 1
		mov	[ebp+var_1C], edx
		or	eax, ebx
		jz	short loc_495E43
		mov	eax, edx
		and	eax, 200h
		or	eax, ebx
		jnz	short loc_495E43
		nop
		mov	ecx, [ebp+var_C]
		mov	eax, edx
		shrd	eax, ecx, 0Ch
		mov	ecx, [ebp+var_8]
		and	eax, 1FFFFFFh
		cmp	edi, eax
		jnz	short loc_495E43
		test	byte ptr [esi+16h], 20h
		jnz	short loc_495E43
		and	edx, 20h
		or	edx, ebx
		jz	short loc_495E4A

loc_495DFD:				; CODE XREF: MiTryLockProtoPoolPageAtDpc+13Ej
		cmp	[ebp+arg_4], ebx
		jnz	short loc_495E29

loc_495E02:				; CODE XREF: MiTryLockProtoPoolPageAtDpc+11Ej
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	eax, [ebp+arg_0]
		or	byte ptr [esi+16h], 20h
		mov	[eax], esi

loc_495E15:				; CODE XREF: MiTryLockProtoPoolPageAtDpc+120j
					; MiTryLockProtoPoolPageAtDpc+12Ej
		mov	eax, [ebp+var_4]

loc_495E18:				; CODE XREF: CcScanLogHandleList+1259BBj
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	eax, ebx

loc_495E22:				; CODE XREF: MiTryLockProtoPoolPageAtDpc+145j
		pop	esi

loc_495E23:				; CODE XREF: MiTryLockProtoPoolPageAtDpc+127j
		pop	edi
		pop	ebx
		leave
		retn	8
; 

loc_495E29:				; CODE XREF: MiTryLockProtoPoolPageAtDpc+E6j
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_14]
		call	MiTryLockLeafPage
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_495E02
		jmp	short loc_495E15
; 

loc_495E3C:				; CODE XREF: MiTryLockProtoPoolPageAtDpc+36j
		mov	eax, 0C0033333h
		jmp	short loc_495E23
; 

loc_495E43:				; CODE XREF: MiTryLockProtoPoolPageAtDpc+B3j
					; MiTryLockProtoPoolPageAtDpc+BEj ...
		mov	ebx, 0C0000055h
		jmp	short loc_495E15
; 

loc_495E4A:				; CODE XREF: MiTryLockProtoPoolPageAtDpc+E1j
		xor	edx, edx
		mov	byte ptr [ebp+var_C], bl
		push	[ebp+var_C]
		inc	edx
		call	_MiWriteValidPteVolatile@12 ; MiWriteValidPteVolatile(x,x,x)
		jmp	short loc_495DFD
; 

loc_495E5A:				; CODE XREF: MiTryLockProtoPoolPageAtDpc+4Ej
					; MiTryLockProtoPoolPageAtDpc+6Bj ...
		mov	eax, 0C0000055h
		jmp	short loc_495E22
MiTryLockProtoPoolPageAtDpc endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDereferenceControlAreaProbe(x, x)
_MiDereferenceControlAreaProbe@8 proc near ; CODE XREF:	.text:0047A611p
					; MiSegmentDelete+9Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edi
		lea	eax, [edi+40h]
		mov	edi, eax

loc_495E7A:				; CODE XREF: MiDereferenceControlAreaProbe(x,x)+33j
					; MiDereferenceControlAreaProbe(x,x)+3Aj
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		sub	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_4], edx
		sbb	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_495E7A
		mov	eax, [ebp+var_4]
		cmp	edx, eax
		jnz	short loc_495E7A
		mov	edi, [ebp+var_8]
		add	esi, 0FFFFFFFFh
		adc	eax, 0FFFFFFFFh
		or	esi, eax
		jnz	short loc_495EB8
		cmp	[ebp+var_C], 1
		mov	ecx, edi
		jz	short loc_495EBD
		call	MiDeleteControlArea

loc_495EB8:				; CODE XREF: MiDereferenceControlAreaProbe(x,x)+47j
					; MiDereferenceControlAreaProbe(x,x)+60j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_495EBD:				; CODE XREF: MiDereferenceControlAreaProbe(x,x)+4Fj
		call	_MiQueueControlAreaDelete@4 ; MiQueueControlAreaDelete(x)
		jmp	short loc_495EB8
_MiDereferenceControlAreaProbe@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeleteControlArea proc near		; CODE XREF: .text:004491EEp
					; MiDereferenceControlAreaProbe(x,x)+51p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BB568 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	ecx, offset dword_6D5188
		push	esi
		push	edi
		mov	[ebp+var_4], ebx
		mov	eax, [ebx+1Ch]
		test	al, 20h
		jnz	short loc_495F2A
		test	al, al
		js	short loc_495F02
		mov	ecx, offset unk_6D5190

loc_495EE9:				; CODE XREF: MiDeleteControlArea+43j
					; MiDeleteControlArea+64j
		mov	edx, ecx
		mov	ecx, offset _MiSystemPartition
		call	MiDecrementControlAreaCount
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_495F02:				; CODE XREF: MiDeleteControlArea+1Ej
		mov	edi, [ebx+58h]
		test	edi, edi
		jz	short loc_495EE9

loc_495F09:				; CODE XREF: MiDeleteControlArea+5Dj
		test	byte ptr [edi+12h], 1
		mov	esi, [edi+8]
		mov	[ebp+var_8], esi
		jnz	short loc_495F40

loc_495F15:				; CODE XREF: MiDeleteControlArea+84j
					; MiDeleteControlArea+1256DEj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_495F09

loc_495F23:				; CODE XREF: MiDeleteControlArea+7Aj
		mov	ecx, offset dword_6D5188
		jmp	short loc_495EE9
; 

loc_495F2A:				; CODE XREF: MiDeleteControlArea+1Aj
		mov	esi, [ebx+38h]
		mov	ecx, ebx
		call	_MiDeleteImageSecurity@4 ; MiDeleteImageSecurity(x)
		mov	edx, [esi+10h]
		mov	ecx, ebx
		call	MiFreeRelocations
		jmp	short loc_495F23
; 

loc_495F40:				; CODE XREF: MiDeleteControlArea+4Fj
		mov	eax, [edi+20h]
		test	eax, 3FFFFFFFh
		jz	short loc_495F15
		jmp	loc_5BB568
MiDeleteControlArea endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDecrementControlAreaCount proc near	; CODE XREF: MiDereferenceControlAreaPfnList+19Cp
					; MiDeleteControlArea+2Cp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BB5A7 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	edi
		push	ebx
		mov	[ebp+var_8], ecx
		mov	edi, edx
		push	esi

loc_495F5F:				; CODE XREF: MiDecrementControlAreaCount+2Aj
					; MiDecrementControlAreaCount+2Fj
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		sub	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_4], edx
		sbb	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_495F5F
		cmp	edx, [ebp+var_4]
		jnz	short loc_495F5F
		mov	edi, [ebp+var_8]
		pop	esi
		pop	ebx
		mov	ecx, [edi+348h]
		mov	eax, [edi+34Ch]
		or	ecx, eax
		jz	loc_5BB5A7

loc_495F9A:				; CODE XREF: MiDecrementControlAreaCount+125665j
					; MiDecrementControlAreaCount+125678j
		pop	edi
		leave
		retn
MiDecrementControlAreaCount endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeleteSegmentPages proc near		; CODE XREF: MiSegmentDelete+5Ap

var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BB5CD SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_C], 0
		and	[esp+14h+var_8], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	esi, [ebx]
		lea	edi, [ebx+50h]
		mov	esi, [esi+8]
		mov	[esp+20h+var_4], esi
		test	edi, edi
		jz	short loc_495FE8
		mov	esi, [esp+20h+var_8]

loc_495FCC:				; CODE XREF: MiDeleteSegmentPages+40j
		lea	edx, [esp+20h+var_C]
		mov	ecx, edi
		call	_MiDeleteSubsectionPages@8 ; MiDeleteSubsectionPages(x,x)
		mov	edi, [edi+8]
		add	esi, eax
		test	edi, edi
		jnz	short loc_495FCC
		mov	[esp+20h+var_8], esi
		mov	esi, [esp+20h+var_4]

loc_495FE8:				; CODE XREF: MiDeleteSegmentPages+28j
		lea	edi, [ebx+24h]
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	[esp+20h+var_D], al

loc_495FF5:				; CODE XREF: MiDeleteSegmentPages+125646j
		cmp	dword ptr [ebx+10h], 0
		push	edi
		jnz	loc_5BB5CD
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+20h+var_D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, ebx
		call	_MiGetCommittedPages@4 ; MiGetCommittedPages(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_496045
		test	esi, 1000h
		mov	esi, [esp+20h+var_C]
		jnz	loc_5BB5E9

loc_49602C:				; CODE XREF: MiDeleteSegmentPages+12565Bj
					; MiDeleteSegmentPages+12566Aj
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		sub	edx, esi
		call	MiReturnCommit
		neg	edi
		mov	eax, offset dword_6D5F64
		lock xadd [eax], edi

loc_496045:				; CODE XREF: MiDeleteSegmentPages+7Cj
		mov	eax, [esp+20h+var_8]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
MiDeleteSegmentPages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiTryLockLeafPage proc near		; CODE XREF: MiTryLockProtoPoolPageAtDpc+115p
					; MiCopyDataPageToImagePage+6E0p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BB60D SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	[esp+28h+var_14], ebx
		mov	dword ptr [eax], 0
		lea	ecx, [ecx+0]

loc_496070:				; CODE XREF: MiTryLockLeafPage+71j
					; MiTryLockLeafPage+C6j ...
		mov	edi, [ebx]
		mov	[esp+28h+var_8], 0
		mov	[esp+28h+var_4], 0
		nop
		mov	esi, [ebx+4]
		mov	eax, edi
		and	eax, 1
		mov	[esp+28h+var_8], esi
		or	eax, 0
		jnz	loc_49617C
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		jnz	loc_496175
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jz	loc_496175
		push	esi
		push	edi
		call	_MiInvalidPteConforms@12 ; MiInvalidPteConforms(x,x,x)
		test	eax, eax
		jz	short loc_496070
		mov	ecx, dword_6D0700
		mov	edx, esi
		mov	ebx, dword_6D0704
		mov	eax, edi
		mov	[esp+28h+var_10], ecx
		mov	esi, eax
		mov	[esp+28h+var_C], ebx
		or	ecx, ebx
		mov	ebx, [esp+28h+var_14]
		mov	[esp+28h+var_18], edx
		jz	short loc_496107
		and	eax, 10h
		or	eax, 0
		jnz	loc_5BB60D
		mov	eax, [esp+28h+var_10]
		mov	edx, [esp+28h+var_C]
		not	eax
		not	edx
		and	eax, esi
		and	edx, [esp+28h+var_18]

loc_496107:				; CODE XREF: MiTryLockLeafPage+97j
					; MiTryLockLeafPage+1255C3j
		shrd	eax, edx, 0Ch
		and	eax, 3FFFFFFh

loc_496110:				; CODE XREF: MiTryLockLeafPage+13Aj
		cmp	eax, dword_6D07B0
		ja	loc_496070
		mov	edx, dword_6D35B8
		mov	esi, eax
		shr	esi, 5
		mov	ecx, eax
		and	ecx, 1Fh
		mov	edx, [edx+esi*4]
		shr	edx, cl
		and	edx, 1
		jz	loc_496070
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+ecx*4]
		lea	esi, [ecx+10h]
		lock bts dword ptr [esi], 1Fh
		jb	short loc_496199
		mov	eax, [ebx]
		nop
		mov	edx, [ebx+4]
		cmp	eax, edi
		jnz	short loc_49618C
		cmp	edx, [esp+28h+var_8]
		jnz	short loc_49618C
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		xor	eax, eax

loc_49616C:				; CODE XREF: MiTryLockLeafPage+12Aj
					; MiTryLockLeafPage+14Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_496175:				; CODE XREF: MiTryLockLeafPage+52j
					; MiTryLockLeafPage+62j
		mov	eax, 0C0000434h
		jmp	short loc_49616C
; 

loc_49617C:				; CODE XREF: MiTryLockLeafPage+42j
		nop
		mov	eax, edi
		mov	ecx, esi
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		jmp	short loc_496110
; 

loc_49618C:				; CODE XREF: MiTryLockLeafPage+10Dj
					; MiTryLockLeafPage+113j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		jmp	loc_496070
; 

loc_496199:				; CODE XREF: MiTryLockLeafPage+103j
		mov	eax, 0C0000055h
		jmp	short loc_49616C
MiTryLockLeafPage endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteSubsectionPages(x, x)
_MiDeleteSubsectionPages@8 proc	near	; CODE XREF: MiDeleteSegmentPages+34p
					; MiExtendSection+130CFEp

var_70		= dword	ptr -70h
var_62		= byte ptr -62h
var_61		= byte ptr -61h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx]
		xor	esi, esi
		mov	[esp+70h+var_34], edx
		xor	ebx, ebx
		xor	edx, edx
		mov	[esp+70h+var_40], esi
		mov	[esp+70h+var_44], edx
		mov	dl, 21h
		mov	eax, [edi+20h]
		mov	esi, [edi+1Ch]
		and	eax, 0FFFFFFF8h
		mov	[esp+70h+var_20], eax
		xor	eax, eax
		mov	[esp+70h+var_14], esi
		mov	esi, [ecx+4]
		mov	[esp+70h+var_5C], ecx
		mov	[esp+70h+var_50], edi
		mov	[esp+70h+var_58], ebx
		mov	[esp+70h+var_54], eax
		mov	[esp+70h+var_61], dl
		mov	[esp+70h+var_4C], esi
		test	esi, esi
		jz	loc_4965AA
		mov	edi, esi
		mov	esi, [ecx+1Ch]
		shl	esi, 3
		mov	eax, edi
		add	eax, esi
		mov	[esp+70h+var_60], edi
		mov	[esp+70h+var_18], eax
		cmp	edi, eax
		mov	[esp+70h+var_48], esi
		mov	eax, ebx
		jnb	loc_4965A6
		lea	esp, [esp+0]

loc_496220:				; CODE XREF: MiDeleteSubsectionPages(x,x)+3CFj
		mov	ecx, edi
		and	ecx, 0FFFh
		mov	[esp+70h+var_1C], ecx
		jz	short loc_496235
		cmp	dl, 21h
		jnz	short loc_496273
		jmp	short loc_496241
; 

loc_496235:				; CODE XREF: MiDeleteSubsectionPages(x,x)+8Cj
		cmp	dl, 21h
		jz	short loc_496241
		mov	ecx, eax
		call	MiUnlockProtoPoolPage

loc_496241:				; CODE XREF: MiDeleteSubsectionPages(x,x)+93j
					; MiDeleteSubsectionPages(x,x)+98j
		lea	edx, [esp+0Fh]
		mov	ecx, edi
		call	MiLockProtoPoolPage
		mov	[esp+70h+var_54], eax
		test	eax, eax
		jnz	short loc_496273

loc_496254:				; CODE XREF: MiDeleteSubsectionPages(x,x)+D1j
		push	0
		push	0
		push	edi
		push	2
		call	MmAccessFault
		lea	edx, [esp+0Fh]
		mov	ecx, edi
		call	MiLockProtoPoolPage
		mov	[esp+70h+var_54], eax
		test	eax, eax
		jz	short loc_496254

loc_496273:				; CODE XREF: MiDeleteSubsectionPages(x,x)+91j
					; MiDeleteSubsectionPages(x,x)+B2j ...
		mov	ebx, [edi]
		mov	[esp+70h+var_30], 0
		mov	[esp+70h+var_2C], 0
		mov	[esp+70h+var_30], ebx
		nop
		mov	ecx, [edi+4]
		mov	eax, ebx
		and	eax, 1
		mov	[esp+70h+var_38], ecx
		or	eax, 0
		jz	short loc_4962AC
		nop
		mov	esi, ebx
		mov	eax, ecx
		shrd	esi, eax, 0Ch
		and	esi, 1FFFFFFh
		jmp	short loc_496326
; 

loc_4962AC:				; CODE XREF: MiDeleteSubsectionPages(x,x)+F9j
		mov	eax, ebx
		and	eax, 400h
		or	eax, 0
		jnz	loc_4963B0
		mov	eax, ebx
		and	eax, 800h
		or	eax, 0
		jz	loc_4963B0
		push	ecx
		push	ebx
		call	_MiInvalidPteConforms@12 ; MiInvalidPteConforms(x,x,x)
		test	eax, eax
		jz	short loc_496273
		mov	eax, dword_6D0704
		mov	esi, ebx
		mov	ebx, dword_6D0700
		mov	edx, esi
		mov	ecx, [esp+70h+var_38]
		mov	edi, ecx
		mov	[esp+70h+var_3C], eax
		mov	eax, ebx
		or	eax, [esp+70h+var_3C]
		jz	short loc_496314
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_496312
		mov	ecx, [esp+70h+var_3C]
		mov	esi, ebx
		not	esi
		not	ecx
		and	esi, edx
		and	ecx, edi
		jmp	short loc_496314
; 

loc_496312:				; CODE XREF: MiDeleteSubsectionPages(x,x)+160j
		mov	esi, edx

loc_496314:				; CODE XREF: MiDeleteSubsectionPages(x,x)+156j
					; MiDeleteSubsectionPages(x,x)+170j
		mov	ebx, [esp+70h+var_30]
		mov	edi, [esp+70h+var_60]
		shrd	esi, ecx, 0Ch
		and	esi, 3FFFFFFh

loc_496326:				; CODE XREF: MiDeleteSubsectionPages(x,x)+10Aj
		cmp	esi, dword_6D07B0
		ja	loc_496273
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_496273
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		mov	[esp+70h+var_24], 0
		lea	edi, [eax+ecx*4]
		mov	[esp+70h+var_3C], edi
		lea	esi, [edi+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_49638B

loc_496376:				; CODE XREF: MiDeleteSubsectionPages(x,x)+1E2j
					; MiDeleteSubsectionPages(x,x)+1E9j
		lea	ecx, [esp+70h+var_24]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_496376
		lock bts dword ptr [esi], 1Fh
		jb	short loc_496376

loc_49638B:				; CODE XREF: MiDeleteSubsectionPages(x,x)+1D4j
		mov	ecx, [esp+70h+var_60]
		mov	eax, [ecx]
		nop
		mov	ecx, [ecx+4]
		cmp	eax, ebx
		jnz	short loc_49639F
		cmp	ecx, [esp+70h+var_38]
		jz	short loc_4963B6

loc_49639F:				; CODE XREF: MiDeleteSubsectionPages(x,x)+1F7j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	edi, [esp+70h+var_60]
		jmp	loc_496273
; 

loc_4963B0:				; CODE XREF: MiDeleteSubsectionPages(x,x)+116j
					; MiDeleteSubsectionPages(x,x)+126j
		xor	edi, edi
		mov	[esp+70h+var_3C], edi

loc_4963B6:				; CODE XREF: MiDeleteSubsectionPages(x,x)+1FDj
		mov	esi, [esp+70h+var_60]
		mov	[esp+70h+var_30], 0
		mov	[esp+70h+var_2C], 0
		mov	edx, [esi]
		nop
		mov	esi, [esi+4]
		mov	eax, edx
		and	eax, 1
		mov	[esp+70h+var_10], edx
		or	eax, 0
		mov	[esp+70h+var_C], esi
		jz	short loc_496420
		nop
		shrd	edx, esi, 0Ch
		cmp	word ptr [edi+14h], 2
		jbe	short loc_4963F2
		inc	[esp+70h+var_40]

loc_4963F2:				; CODE XREF: MiDeleteSubsectionPages(x,x)+24Cj
		test	edx, 1FFh
		jnz	short loc_496410
		mov	eax, [esp+70h+var_44]
		shr	eax, 2
		xor	eax, [edi]
		and	eax, 1FFFFFFEh
		mov	[esp+70h+var_44], edi
		xor	eax, [edi]
		mov	[edi], eax

loc_496410:				; CODE XREF: MiDeleteSubsectionPages(x,x)+258j
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	loc_496549
; 

loc_496420:				; CODE XREF: MiDeleteSubsectionPages(x,x)+240j
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jnz	loc_496549
		mov	eax, edx
		mov	ecx, edx
		and	eax, 800h
		or	eax, 0
		jz	loc_49650B
		mov	eax, dword_6D0704
		mov	edi, esi
		mov	ebx, dword_6D0700
		mov	[esp+70h+var_38], eax
		mov	eax, ebx
		or	eax, [esp+70h+var_38]
		jz	short loc_496479
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_496475
		mov	esi, [esp+70h+var_38]
		mov	edx, ebx
		not	edx
		not	esi
		and	edx, ecx
		and	esi, edi
		jmp	short loc_496479
; 

loc_496475:				; CODE XREF: MiDeleteSubsectionPages(x,x)+2C3j
		mov	edx, ecx
		mov	esi, edi

loc_496479:				; CODE XREF: MiDeleteSubsectionPages(x,x)+2B9j
					; MiDeleteSubsectionPages(x,x)+2D3j
		shrd	edx, esi, 0Ch
		mov	esi, [esp+70h+var_3C]
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jz	short loc_4964A2
		mov	eax, [esp+70h+var_50]
		test	byte ptr [eax+1Ch], 20h
		jnz	short loc_4964A2
		test	byte ptr [esi+16h], 18h
		jz	short loc_4964A2
		inc	[esp+70h+var_58]

loc_4964A2:				; CODE XREF: MiDeleteSubsectionPages(x,x)+2ECj
					; MiDeleteSubsectionPages(x,x)+2F6j ...
		cmp	[esp+70h+var_20], 0
		jnz	short loc_4964ED
		test	dl, 0Fh
		jnz	short loc_4964ED
		mov	eax, [esp+70h+var_48]
		mov	edi, [esp+70h+var_60]
		and	eax, 0FFFFFFF8h
		cmp	eax, 80h
		jl	short loc_4964F1
		mov	eax, 1000h
		sub	eax, [esp+70h+var_1C]
		and	eax, 0FFFFFFF8h
		cmp	eax, 80h
		jb	short loc_4964F1
		mov	edx, edi
		mov	ecx, esi
		call	_MiDeleteClusterSection@8 ; MiDeleteClusterSection(x,x)
		cmp	eax, 1
		jnz	short loc_4964F1
		mov	eax, 0FFFFFF80h
		mov	ecx, 80h
		jmp	short loc_496557
; 

loc_4964ED:				; CODE XREF: MiDeleteSubsectionPages(x,x)+307j
					; MiDeleteSubsectionPages(x,x)+30Cj
		mov	edi, [esp+70h+var_60]

loc_4964F1:				; CODE XREF: MiDeleteSubsectionPages(x,x)+31Ej
					; MiDeleteSubsectionPages(x,x)+331j ...
		push	1
		push	21h
		mov	edx, esi
		mov	ecx, edi
		call	MiDeleteTransitionPte
		cmp	eax, 3
		jnz	short loc_49654D
		mov	eax, [esp+70h+var_34]
		inc	dword ptr [eax]
		jmp	short loc_49654D
; 

loc_49650B:				; CODE XREF: MiDeleteSubsectionPages(x,x)+29Cj
		mov	eax, esi
		shrd	ecx, eax, 2
		test	cl, 1
		jz	short loc_496519
		nop
		jmp	short loc_49652D
; 

loc_496519:				; CODE XREF: MiDeleteSubsectionPages(x,x)+374j
		mov	ecx, edx
		mov	eax, esi
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_496529
		nop
		jmp	short loc_49652D
; 

loc_496529:				; CODE XREF: MiDeleteSubsectionPages(x,x)+384j
		xor	edx, edx
		xor	esi, esi

loc_49652D:				; CODE XREF: MiDeleteSubsectionPages(x,x)+377j
					; MiDeleteSubsectionPages(x,x)+387j
		mov	eax, edx
		mov	[esp+70h+var_8], edx
		or	eax, esi
		mov	[esp+70h+var_4], esi
		jz	short loc_496549
		push	esi
		push	edx
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_496549:				; CODE XREF: MiDeleteSubsectionPages(x,x)+27Bj
					; MiDeleteSubsectionPages(x,x)+28Aj ...
		mov	edi, [esp+70h+var_60]

loc_49654D:				; CODE XREF: MiDeleteSubsectionPages(x,x)+361j
					; MiDeleteSubsectionPages(x,x)+369j
		mov	eax, 0FFFFFFF8h
		mov	ecx, 8

loc_496557:				; CODE XREF: MiDeleteSubsectionPages(x,x)+34Bj
		add	[esp+70h+var_48], eax
		add	edi, ecx
		mov	dl, [esp+70h+var_61]
		mov	[esp+70h+var_60], edi
		cmp	edi, [esp+70h+var_18]
		jnb	short loc_496574
		mov	eax, [esp+70h+var_54]
		jmp	loc_496220
; 

loc_496574:				; CODE XREF: MiDeleteSubsectionPages(x,x)+3C9j
		cmp	dl, 21h
		jz	short loc_496582
		mov	ecx, [esp+70h+var_54]
		call	MiUnlockProtoPoolPage

loc_496582:				; CODE XREF: MiDeleteSubsectionPages(x,x)+3D7j
		mov	edx, [esp+70h+var_44]
		mov	ecx, [esp+70h+var_5C]
		test	edx, edx
		jz	short loc_4965A2
		mov	esi, [esp+70h+var_40]
		push	esi
		call	_MiDeleteSubsectionLargePages@12 ; MiDeleteSubsectionLargePages(x,x,x)
		mov	edx, [esp+70h+var_34]
		mov	ecx, [esp+70h+var_5C]
		add	[edx], eax

loc_4965A2:				; CODE XREF: MiDeleteSubsectionPages(x,x)+3ECj
		mov	ebx, [esp+70h+var_58]

loc_4965A6:				; CODE XREF: MiDeleteSubsectionPages(x,x)+76j
		mov	edi, [esp+70h+var_50]

loc_4965AA:				; CODE XREF: MiDeleteSubsectionPages(x,x)+54j
		mov	eax, [esp+70h+var_14]
		test	al, al
		jns	loc_49663D
		test	al, 20h
		jnz	loc_49663D
		call	MiDecrementSubsectionViewCount
		lea	esi, [edi+24h]
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	bl, al
		mov	eax, [esp+70h+var_5C]
		cmp	dword ptr [eax+40h], 0
		jz	short loc_4965FC
		mov	edi, edi

loc_4965E0:				; CODE XREF: MiDeleteSubsectionPages(x,x)+45Aj
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	edi
		pause
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	eax, [esp+70h+var_5C]
		cmp	dword ptr [eax+40h], 0
		jnz	short loc_4965E0

loc_4965FC:				; CODE XREF: MiDeleteSubsectionPages(x,x)+43Cj
		cmp	[esp+70h+var_4C], 0
		jz	short loc_496618
		lea	ecx, [eax+44h]
		xor	edx, edx
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)
		mov	eax, [esp+70h+var_5C]
		mov	dword ptr [eax+4], 0

loc_496618:				; CODE XREF: MiDeleteSubsectionPages(x,x)+461j
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	edi
		mov	eax, [esp+70h+var_4C]
		test	eax, eax
		jz	short loc_496632
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_496632:				; CODE XREF: MiDeleteSubsectionPages(x,x)+488j
		mov	eax, [esp+70h+var_58]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_49663D:				; CODE XREF: MiDeleteSubsectionPages(x,x)+410j
					; MiDeleteSubsectionPages(x,x)+418j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiDeleteSubsectionPages@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInvalidPteConforms(x, x, x)
_MiInvalidPteConforms@12 proc near	; CODE XREF: MiCheckProtoPtePageState+1AFp
					; MiTryLockLeafPage+6Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		push	esi
		push	edi
		jnz	short loc_496691
		mov	edi, [ebp+arg_4]
		mov	eax, edx
		or	eax, edi
		jz	short loc_496686
		mov	eax, dword_6D0700
		mov	ecx, eax
		mov	esi, dword_6D0704
		or	ecx, esi
		jz	short loc_496686
		and	eax, edx
		and	esi, edi
		or	eax, esi
		jz	short loc_496691

loc_496686:				; CODE XREF: MiInvalidPteConforms(x,x,x)+1Bj
					; MiInvalidPteConforms(x,x,x)+2Cj
		mov	eax, 1

loc_49668B:				; CODE XREF: MiInvalidPteConforms(x,x,x)+43j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_496691:				; CODE XREF: MiInvalidPteConforms(x,x,x)+12j
					; MiInvalidPteConforms(x,x,x)+34j
		xor	eax, eax
		jmp	short loc_49668B
_MiInvalidPteConforms@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSoftFaultMappedView proc near		; CODE XREF: MiMapViewOfImageSection+7D8p

var_9A		= byte ptr -9Ah
var_99		= dword	ptr -99h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BB618 SIZE 00000140 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+9Ch+var_4], eax
		push	ebx
		xor	eax, eax
		mov	edx, ecx
		push	esi
		push	edi
		lea	edi, [esp+0A8h+var_78]
		mov	[esp+0A8h+var_68], edx
		mov	ecx, [edx+1Ch]
		stosd
		stosd
		stosd
		stosd
		mov	eax, ecx
		and	eax, 0F80h
		cmp	eax, 80h
		jz	loc_496B13
		test	ecx, 100000h
		jnz	short loc_496700
		mov	eax, ecx
		and	al, 70h
		cmp	al, 20h
		jnz	short loc_496700
		test	ecx, 200000h
		jnz	loc_496B13

loc_496700:				; CODE XREF: MiSoftFaultMappedView+4Aj
					; MiSoftFaultMappedView+52j
		mov	ecx, edx
		call	_MiVadMapsLargeImage@4 ; MiVadMapsLargeImage(x)
		test	eax, eax
		jnz	loc_496B13
		mov	eax, [edx+2Ch]
		mov	ecx, [eax]
		test	dword ptr [ecx+1Ch], 4000000h
		jnz	loc_496B13
		mov	eax, large fs:124h
		mov	esi, [ecx+10h]
		mov	[esp+0A8h+var_80], 0
		mov	[esp+0A8h+var_99+1], 0
		mov	eax, [eax+80h]
		add	eax, 240h
		mov	[esp+0A8h+var_8C], 0
		mov	[esp+0A8h+var_88], 0
		mov	[esp+0A8h+var_90], eax
		mov	[esp+0A8h+var_64], esi
		test	esi, esi
		jz	loc_496B13
		mov	eax, [edx+0Ch]
		mov	edi, [edx+30h]
		and	eax, 0FFFFFh
		or	byte ptr [esp+0A8h+var_70+1], 4
		mov	byte ptr [esp+0A8h+var_99], 21h
		lea	ebx, ds:0C0000000h[eax*8]
		mov	eax, [edx+10h]
		and	eax, 0FFFFFh
		lea	eax, ds:0C0000000h[eax*8]
		mov	[esp+0A8h+var_5C], eax
		mov	eax, [esp+0A8h+var_90]
		mov	ecx, eax
		mov	[esp+0A8h+var_78], eax
		call	MiLockWorkingSetShared
		mov	byte ptr [esp+0A8h+var_70], al
		cmp	ebx, [esp+0A8h+var_5C]
		ja	loc_496AF1

loc_4967B1:				; CODE XREF: MiSoftFaultMappedView+1C3j
		mov	eax, [esp+0A8h+var_68]
		cmp	edi, [eax+34h]
		ja	loc_496AC4
		test	esi, esi
		jz	loc_496AC4
		mov	eax, [esp+0A8h+var_80]
		test	eax, eax
		jz	short loc_496807
		test	al, 8
		jnz	short loc_496807
		mov	ecx, [esp+0A8h+var_90]
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		jz	loc_5BB618
		lea	eax, [ecx+80h]

loc_4967E9:				; CODE XREF: MiSoftFaultMappedView+124F7Dj
		mov	eax, [eax]
		test	eax, 40000000h
		jnz	loc_496B75
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	loc_496B75
		mov	eax, [esp+0A8h+var_80]

loc_496807:				; CODE XREF: MiSoftFaultMappedView+12Cj
					; MiSoftFaultMappedView+130j
		cmp	[esp+0A8h+var_6C], 0
		jz	loc_496A49
		test	ebx, 0FFFh
		jz	loc_496A49

loc_49681E:				; CODE XREF: MiSoftFaultMappedView+41Fj
		mov	ecx, [ebx]
		inc	eax
		mov	[esp+0A8h+var_80], eax
		nop
		or	ecx, [ebx+4]
		jnz	short loc_49684F
		mov	esi, edi
		and	esi, 0FFFh
		jz	loc_496A01
		cmp	byte ptr [esp+0A8h+var_99], 21h
		jz	loc_496A18

loc_496844:				; CODE XREF: MiSoftFaultMappedView+395j
		mov	ecx, [edi]
		nop
		and	ecx, 1
		or	ecx, 0
		jnz	short loc_496870

loc_49684F:				; CODE XREF: MiSoftFaultMappedView+189j
					; MiSoftFaultMappedView+275j ...
		add	edi, 8
		add	ebx, 8

loc_496855:				; CODE XREF: MiSoftFaultMappedView+124F96j
					; MiSoftFaultMappedView+124FADj ...
		cmp	ebx, [esp+0A8h+var_5C]
		ja	loc_496AC4
		mov	esi, [esp+0A8h+var_64]
		jmp	loc_4967B1
; 
		jmp	short loc_496870
; 
		align 10h

loc_496870:				; CODE XREF: MiSoftFaultMappedView+1ADj
					; MiSoftFaultMappedView+1C8j ...
		mov	esi, [edi]
		mov	[esp+0A8h+var_58], 0
		mov	[esp+0A8h+var_54], 0
		mov	[esp+0A8h+var_58], esi
		nop
		mov	ecx, [edi+4]
		mov	eax, esi
		and	eax, 1
		mov	[esp+0A8h+var_84], ecx
		or	eax, 0
		jz	loc_5BB669
		nop
		mov	eax, ecx
		shrd	esi, eax, 0Ch
		and	esi, 1FFFFFFh

loc_4968A9:				; CODE XREF: MiSoftFaultMappedView+125047j
		cmp	esi, dword_6D07B0
		ja	short loc_496870
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_496870
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		mov	[esp+0A8h+var_7C], 0
		lea	esi, [eax+ecx*4]
		lea	edx, [esi+10h]
		mov	[esp+0A8h+var_60], esi
		mov	[esp+0A8h+var_94], edx
		lock bts dword ptr [edx], 1Fh
		jb	loc_5BB6EC

loc_4968F9:				; CODE XREF: MiSoftFaultMappedView+12506Ej
		mov	eax, [edi]
		nop
		mov	ecx, [edi+4]
		cmp	eax, [esp+0A8h+var_58]
		jnz	loc_5BB713
		cmp	ecx, [esp+0A8h+var_84]
		jnz	loc_5BB713
		test	esi, esi
		jz	loc_49684F
		mov	ecx, [edi]
		nop
		and	ecx, 1
		lea	edx, [esi+10h]
		or	ecx, 0
		mov	[esp+0A8h+var_84], edx
		jz	loc_5BB720
		mov	eax, [esi+8]
		dec	[esp+0A8h+var_64]
		and	eax, 400h
		or	eax, 0
		jz	loc_5BB72D
		test	byte ptr [esi+17h], 40h
		jnz	loc_5BB73A
		push	[esp+0A8h+var_68]
		mov	edx, esi
		push	ecx
		mov	ecx, ebx
		shl	ecx, 9
		call	_MiImagePageOk@16 ; MiImagePageOk(x,x,x,x)
		test	eax, eax
		jz	loc_5BB747
		sub	esi, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	esi
		add	edx, esi
		sar	edx, 4
		mov	esi, edx
		shr	esi, 1Fh
		add	esi, edx
		mov	edx, [esp+0A8h+var_84]
		mov	eax, [edx]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 3FFFFFFFh
		xor	ecx, eax
		mov	eax, 7FFFFFFFh
		mov	[edx], ecx
		lock and [edx],	eax
		cmp	esi, 0FFFFFFFFh
		jz	loc_49684F
		mov	eax, [esp+0A8h+var_99+1]
		test	eax, eax
		jz	loc_496A40

loc_4969B4:				; CODE XREF: MiSoftFaultMappedView+3A4j
		mov	[esp+eax*4+0A8h+var_48], esi
		inc	eax
		mov	[esp+0A8h+var_99+1], eax
		cmp	eax, 10h
		jnz	loc_49684F
		mov	dl, byte ptr [esp+0A8h+var_99]
		mov	ecx, [esp+0A8h+var_8C]
		call	MiUnlockProtoPoolPage
		mov	edx, [esp+0A8h+var_88]
		lea	eax, [esp+0A8h+var_48]
		push	10h
		push	eax
		lea	ecx, [esp+0B0h+var_78]
		mov	byte ptr [esp+0B0h+var_99], 21h
		call	_MiCompleteRestrictedImageFault@16 ; MiCompleteRestrictedImageFault(x,x,x,x)
		test	eax, eax
		jz	loc_496AF1
		mov	[esp+0A8h+var_99+1], 0
		jmp	loc_49684F
; 

loc_496A01:				; CODE XREF: MiSoftFaultMappedView+193j
		mov	dl, byte ptr [esp+0A8h+var_99]
		cmp	dl, 21h
		jz	short loc_496A18
		mov	ecx, [esp+0A8h+var_8C]
		call	MiUnlockProtoPoolPage
		mov	byte ptr [esp+0A8h+var_99], 21h

loc_496A18:				; CODE XREF: MiSoftFaultMappedView+19Ej
					; MiSoftFaultMappedView+368j
		mov	eax, [esp+0A8h+var_99+1]
		test	eax, eax
		jnz	loc_496B9B

loc_496A24:				; CODE XREF: MiSoftFaultMappedView+51Aj
		lea	edx, [esp+0A8h+var_99]
		mov	ecx, edi
		call	MiLockProtoPoolPage
		mov	[esp+0A8h+var_8C], eax
		test	eax, eax
		jnz	loc_496844
		jmp	loc_5BB622
; 

loc_496A40:				; CODE XREF: MiSoftFaultMappedView+30Ej
		mov	[esp+0A8h+var_88], ebx
		jmp	loc_4969B4
; 

loc_496A49:				; CODE XREF: MiSoftFaultMappedView+16Cj
					; MiSoftFaultMappedView+178j
		mov	esi, 2

loc_496A4E:				; CODE XREF: MiSoftFaultMappedView+4DAj
		mov	dl, byte ptr [esp+0A8h+var_99]
		mov	[esp+0A8h+var_94], esi
		cmp	dl, 21h
		jnz	loc_496B3E

loc_496A5F:				; CODE XREF: MiSoftFaultMappedView+4ACj
		mov	eax, [esp+0A8h+var_99+1]
		test	eax, eax
		jnz	loc_496B51

loc_496A6B:				; CODE XREF: MiSoftFaultMappedView+4D0j
		mov	edx, [esp+0A8h+var_6C]
		test	edx, edx
		jnz	loc_496B28

loc_496A77:				; CODE XREF: MiSoftFaultMappedView+499j
		cmp	esi, 1
		jz	loc_496B7F

loc_496A80:				; CODE XREF: MiSoftFaultMappedView+4E8j
		mov	eax, [esp+0A8h+var_68]
		mov	esi, [eax+1Ch]
		shr	esi, 0Ch
		and	esi, 3Fh
		cmp	[esp+0A8h+var_94], 1
		jz	loc_496B8D

loc_496A98:				; CODE XREF: MiSoftFaultMappedView+4F6j
		push	0
		push	[esp+0ACh+var_70]
		xor	edx, edx
		mov	ecx, ebx
		push	esi
		call	MiMakeSystemAddressValid
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[esp+0A8h+var_6C], eax
		mov	eax, [esp+0A8h+var_80]
		jmp	loc_49681E
; 

loc_496AC4:				; CODE XREF: MiSoftFaultMappedView+118j
					; MiSoftFaultMappedView+120j ...
		mov	ebx, [esp+0A8h+var_99+1]

loc_496AC8:				; CODE XREF: MiSoftFaultMappedView+521j
		mov	dl, byte ptr [esp+0A8h+var_99]
		cmp	dl, 21h
		jz	short loc_496ADA
		mov	ecx, [esp+0A8h+var_8C]
		call	MiUnlockProtoPoolPage

loc_496ADA:				; CODE XREF: MiSoftFaultMappedView+42Fj
		test	ebx, ebx
		jz	short loc_496AF1
		mov	edx, [esp+0A8h+var_88]
		lea	eax, [esp+0A8h+var_48]
		push	ebx
		push	eax
		lea	ecx, [esp+0B0h+var_78]
		call	_MiCompleteRestrictedImageFault@16 ; MiCompleteRestrictedImageFault(x,x,x,x)

loc_496AF1:				; CODE XREF: MiSoftFaultMappedView+10Bj
					; MiSoftFaultMappedView+34Ej ...
		mov	edx, [esp+0A8h+var_6C]
		test	edx, edx
		jz	short loc_496B0A
		mov	ecx, [esp+0A8h+var_90]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	[esp+0A8h+var_6C], 0

loc_496B0A:				; CODE XREF: MiSoftFaultMappedView+457j
		lea	ecx, [esp+0A8h+var_78]
		call	_MiUnlockFaultWorkingSet@4 ; MiUnlockFaultWorkingSet(x)

loc_496B13:				; CODE XREF: MiSoftFaultMappedView+3Ej
					; MiSoftFaultMappedView+5Aj ...
		mov	ecx, [esp+0A8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_496B28:				; CODE XREF: MiSoftFaultMappedView+3D1j
		mov	ecx, [esp+0A8h+var_90]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	[esp+0A8h+var_6C], 0
		jmp	loc_496A77
; 

loc_496B3E:				; CODE XREF: MiSoftFaultMappedView+3B9j
		mov	ecx, [esp+0A8h+var_8C]
		call	MiUnlockProtoPoolPage
		mov	byte ptr [esp+0A8h+var_99], 21h
		jmp	loc_496A5F
; 

loc_496B51:				; CODE XREF: MiSoftFaultMappedView+3C5j
		mov	edx, [esp+0A8h+var_88]
		lea	ecx, [esp+0A8h+var_78]
		push	eax
		lea	eax, [esp+0ACh+var_48]
		push	eax
		call	_MiCompleteRestrictedImageFault@16 ; MiCompleteRestrictedImageFault(x,x,x,x)
		test	eax, eax
		jz	short loc_496BBF
		mov	[esp+0A8h+var_99+1], 0
		jmp	loc_496A6B
; 

loc_496B75:				; CODE XREF: MiSoftFaultMappedView+150j
					; MiSoftFaultMappedView+15Dj
		mov	esi, 1
		jmp	loc_496A4E
; 

loc_496B7F:				; CODE XREF: MiSoftFaultMappedView+3DAj
		lea	ecx, [esp+0A8h+var_78]
		call	_MiUnlockFaultWorkingSet@4 ; MiUnlockFaultWorkingSet(x)
		jmp	loc_496A80
; 

loc_496B8D:				; CODE XREF: MiSoftFaultMappedView+3F2j
		mov	ecx, [esp+0A8h+var_90]
		call	MiLockWorkingSetShared
		jmp	loc_496A98
; 

loc_496B9B:				; CODE XREF: MiSoftFaultMappedView+37Ej
		mov	edx, [esp+0A8h+var_88]
		lea	ecx, [esp+0A8h+var_78]
		push	eax
		lea	eax, [esp+0ACh+var_48]
		push	eax
		call	_MiCompleteRestrictedImageFault@16 ; MiCompleteRestrictedImageFault(x,x,x,x)
		test	eax, eax
		jz	short loc_496BBF
		mov	[esp+0A8h+var_99+1], 0
		jmp	loc_496A24
; 

loc_496BBF:				; CODE XREF: MiSoftFaultMappedView+4C6j
					; MiSoftFaultMappedView+510j
		xor	ebx, ebx
		jmp	loc_496AC8
MiSoftFaultMappedView endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiImagePageOk(x, x,	x, x)
_MiImagePageOk@16 proc near		; CODE XREF: MiWaitForCollidedFaultComplete+148p
					; MiSoftFaultMappedView+2BCp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	[ebp+var_4], ecx
		mov	ecx, edx
		push	edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_496CEA
		mov	esi, [edx+8]
		mov	eax, esi
		mov	edi, [edx+0Ch]
		and	eax, 400h
		or	eax, 0
		jz	loc_496CEA
		mov	eax, [edx+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jz	loc_496CEA
		mov	ecx, dword_6D0700
		mov	ebx, esi
		mov	edx, dword_6D0704
		mov	eax, ecx
		or	eax, edx
		jz	short loc_496C38
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_496C38
		not	edx
		and	edi, edx

loc_496C38:				; CODE XREF: MiImagePageOk(x,x,x,x)+58j
					; MiImagePageOk(x,x,x,x)+62j
		mov	eax, [edi]
		test	byte ptr [eax+1Ch], 20h
		jz	loc_496CEA
		mov	eax, [eax+38h]
		mov	eax, [eax+14h]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_496CEA
		mov	ecx, eax
		and	ecx, 0FFFFFFF8h
		cmp	ecx, 8
		jz	loc_496CEA
		mov	ecx, eax
		and	cl, 3
		cmp	cl, 2
		jz	short loc_496CEA
		mov	ecx, [ebp+var_4]
		cmp	ecx, dword_6D07D0
		jb	short loc_496C8E
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_496CEA
		and	esi, 40h
		or	esi, 0
		jz	short loc_496CEA
		mov	edx, [ebp+arg_4]
		jmp	short loc_496C9F
; 

loc_496C8E:				; CODE XREF: MiImagePageOk(x,x,x,x)+A6j
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jnz	short loc_496CA3
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edx, eax
		mov	eax, [ebp+var_8]

loc_496C9F:				; CODE XREF: MiImagePageOk(x,x,x,x)+BCj
		test	edx, edx
		jz	short loc_496CDF

loc_496CA3:				; CODE XREF: MiImagePageOk(x,x,x,x)+C3j
		mov	esi, [edx+1Ch]
		mov	ecx, esi
		and	cl, 70h
		cmp	cl, 20h
		jnz	short loc_496CDF
		and	esi, 0F80h
		cmp	esi, 80h
		jz	short loc_496CEA
		mov	ecx, [edx+28h]
		test	ecx, 8000000h
		jz	short loc_496CCD
		test	al, 4
		jz	short loc_496CEA

loc_496CCD:				; CODE XREF: MiImagePageOk(x,x,x,x)+F7j
		test	ds:_MiFlags, 400h
		jz	short loc_496CDF
		test	byte ptr [edi+12h], 2
		jnz	short loc_496CEA

loc_496CDF:				; CODE XREF: MiImagePageOk(x,x,x,x)+D1j
					; MiImagePageOk(x,x,x,x)+DEj ...
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_496CEA:				; CODE XREF: MiImagePageOk(x,x,x,x)+17j
					; MiImagePageOk(x,x,x,x)+2Dj ...
		pop	edi
		pop	esi
		mov	eax, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_MiImagePageOk@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockProtoPoolPage proc near		; CODE XREF: .text:0045D6EBp
					; .text:0045D716p ...

var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005BB758 SIZE 00000039 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edx
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		lea	esp, [esp+0]

loc_496D20:				; CODE XREF: MiLockProtoPoolPage+6Aj
					; MiLockProtoPoolPage+83j
		mov	esi, [edi-40000000h]
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 0
		nop
		mov	ecx, [edi-3FFFFFFCh]
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_496E3E
		mov	eax, esi
		and	eax, 200h
		or	eax, 0
		jnz	loc_496E3E
		nop
		shrd	esi, ecx, 0Ch
		and	esi, 1FFFFFFh
		cmp	esi, dword_6D07B0
		ja	short loc_496D20
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_496D20
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		cmp	[ebp+var_10], 0
		lea	ebx, [eax+ecx*4]
		lea	eax, [ebx+10h]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], eax
		jz	loc_496E42
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, al
		mov	[ebp+var_14], 0
		mov	[ebp+var_1], cl
		lea	eax, [ebx+10h]
		lock bts dword ptr [eax], 1Fh
		jb	loc_496E64

loc_496DCB:				; CODE XREF: MiLockProtoPoolPage+153j
					; MiLockProtoPoolPage+182j
		mov	edx, [edi-40000000h]
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 0
		nop
		mov	edi, [edi-3FFFFFFCh]
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	loc_5BB772
		mov	eax, edx
		and	eax, 200h
		or	eax, 0
		jnz	loc_5BB772
		nop
		shrd	edx, edi, 0Ch
		and	edx, 1FFFFFFh
		cmp	esi, edx
		jnz	loc_5BB772
		lea	edx, [eax+1]
		mov	ecx, ebx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	dl, [ebp+var_1]
		cmp	dl, 21h
		jz	short loc_496E60
		mov	eax, [ebp+var_10]
		mov	[eax], dl

loc_496E2E:				; CODE XREF: MiLockProtoPoolPage+162j
		mov	ecx, ebx
		call	_MiLockOwnedProtoPage@8	; MiLockOwnedProtoPage(x,x)
		mov	eax, ebx

loc_496E37:				; CODE XREF: MiLockProtoPoolPage+140j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_496E3E:				; CODE XREF: MiLockProtoPoolPage+43j
					; MiLockProtoPoolPage+53j ...
		xor	eax, eax
		jmp	short loc_496E37
; 

loc_496E42:				; CODE XREF: MiLockProtoPoolPage+A3j
		mov	cl, 21h
		mov	[ebp+var_1C], 0
		mov	[ebp+var_1], cl
		lock bts dword ptr [eax], 1Fh
		jnb	loc_496DCB
		mov	ebx, eax
		jmp	loc_5BB758
; 

loc_496E60:				; CODE XREF: MiLockProtoPoolPage+127j
		mov	dl, 21h
		jmp	short loc_496E2E
; 

loc_496E64:				; CODE XREF: MiLockProtoPoolPage+C5j
		mov	ebx, [ebp+var_8]

loc_496E67:				; CODE XREF: MiLockProtoPoolPage+173j
					; MiLockProtoPoolPage+17Aj
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_496E67
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_496E67

loc_496E7C:				; CODE XREF: MiLockProtoPoolPage+124A6Dj
		mov	cl, [ebp+var_1]
		mov	ebx, [ebp+var_C]
		jmp	loc_496DCB
MiLockProtoPoolPage endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPrepareSegmentForDeletion(x, x)
_MiPrepareSegmentForDeletion@8 proc near ; CODE	XREF: MiSegmentDelete+2Dp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		lea	ebx, [esi+24h]
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	dl, al
		mov	[ebp+var_1], al
		mov	ecx, esi
		call	_MiDrainControlAreaWrites@8 ; MiDrainControlAreaWrites(x,x)
		mov	ecx, esi
		call	_MiRemoveUnusedSegment@4 ; MiRemoveUnusedSegment(x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiBuildWakeList@8 ; MiBuildWakeList(x,x)
		mov	esi, eax

loc_496EBD:				; CODE XREF: MiPrepareSegmentForDeletion(x,x)+5Fj
		test	edi, edi
		jnz	short loc_496ED7
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_496ED7:				; CODE XREF: MiPrepareSegmentForDeletion(x,x)+37j
		test	byte ptr [edi+12h], 8
		jnz	short loc_496EE9

loc_496EDD:				; CODE XREF: MiPrepareSegmentForDeletion(x,x)+68j
		mov	ecx, edi
		call	MiIncrementSubsectionViewCount
		mov	edi, [edi+8]
		jmp	short loc_496EBD
; 

loc_496EE9:				; CODE XREF: MiPrepareSegmentForDeletion(x,x)+53j
		mov	ecx, edi
		call	_MiRemoveUnusedSubsection@4 ; MiRemoveUnusedSubsection(x)
		jmp	short loc_496EDD
_MiPrepareSegmentForDeletion@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiRemoveUnusedSegment(x)
_MiRemoveUnusedSegment@4 proc near	; CODE XREF: MiDereferenceControlAreaPfnList+103p
					; MiPrepareSegmentForDeletion(x,x)+24p	...
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		test	dword ptr [esi+1Ch], 8000000h
		jnz	short loc_496F06

loc_496F02:				; CODE XREF: MiRemoveUnusedSegment(x)+2Cj
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_496F06:				; CODE XREF: MiRemoveUnusedSegment(x)+Ej
		mov	edi, offset unk_6D5180
		push	edi
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	ecx, esi
		call	MiUnlinkUnusedControlArea
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	short loc_496F02
_MiRemoveUnusedSegment@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDrainControlAreaWrites(x,	x)
_MiDrainControlAreaWrites@8 proc near	; CODE XREF: MiPrepareSegmentForDeletion(x,x)+1Dp
					; MiDestroySection+10p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= word ptr -10h
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	edi
		mov	bl, dl
		mov	[ebp+var_14], eax
		mov	[ebp+var_D], al
		cmp	[esi+28h], eax
		jnz	short loc_496F41

loc_496F3C:				; CODE XREF: MiDrainControlAreaWrites(x,x)+74j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_496F41:				; CODE XREF: MiDrainControlAreaWrites(x,x)+1Aj
		lea	edi, [esi+24h]

loc_496F44:				; CODE XREF: MiDrainControlAreaWrites(x,x)+76j
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_1C]
		push	edi
		mov	[ebp+var_18], 8
		mov	[ebp+var_10], 107h
		mov	byte ptr [ebp-0Eh], 4
		mov	[esi+2Ch], eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ecx
		push	12h
		pop	edx
		lea	ecx, [ebp+var_10]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		xor	eax, eax
		cmp	[esi+28h], eax
		jz	short loc_496F3C
		jmp	short loc_496F44
_MiDrainControlAreaWrites@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 748. IoApplyPriorityInfoThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoApplyPriorityInfoThread(x, x, x)
		public _IoApplyPriorityInfoThread@12
_IoApplyPriorityInfoThread@12 proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	dword ptr [esi+4], 0FFFFh
		jz	short loc_497014
		mov	edx, [esi+0Ch]
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ecx, edi
		call	PsSetIoPriorityThread
		mov	edx, [esi+8]
		mov	[ebp+var_4], eax
		cmp	edx, 0FFFFFFFFh
		jz	short loc_49701B
		mov	ecx, edi
		call	PsSetPagePriorityThread
		mov	[ebp+var_8], eax

loc_496FD6:				; CODE XREF: IoApplyPriorityInfoThread(x,x,x)+81j
		mov	ecx, [esi+4]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_496FFE
		movsx	eax, byte ptr [edi+15Bh]
		push	ecx
		push	edi
		mov	[ebp+var_C], eax
		call	KeSetActualBasePriorityThread

loc_496FEF:				; CODE XREF: IoApplyPriorityInfoThread(x,x,x)+64j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_497004

loc_496FF6:				; CODE XREF: IoApplyPriorityInfoThread(x,x,x)+74j
		xor	eax, eax
		pop	edi

loc_496FF9:				; CODE XREF: IoApplyPriorityInfoThread(x,x,x)+7Bj
		pop	esi
		leave
		retn	0Ch
; 

loc_496FFE:				; CODE XREF: IoApplyPriorityInfoThread(x,x,x)+3Ej
		or	[ebp+var_C], 0FFFFFFFFh
		jmp	short loc_496FEF
; 

loc_497004:				; CODE XREF: IoApplyPriorityInfoThread(x,x,x)+56j
		mov	[ebp+var_10], 10h
		lea	esi, [ebp+var_10]
		movsd
		movsd
		movsd
		movsd
		jmp	short loc_496FF6
; 

loc_497014:				; CODE XREF: IoApplyPriorityInfoThread(x,x,x)+13j
		mov	eax, 0C00000EFh
		jmp	short loc_496FF9
; 

loc_49701B:				; CODE XREF: IoApplyPriorityInfoThread(x,x,x)+2Cj
		or	[ebp+var_8], 0FFFFFFFFh
		jmp	short loc_496FD6
_IoApplyPriorityInfoThread@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsSetPagePriorityThread	proc near	; CODE XREF: CcPerformReadAhead+2FBp
					; CcPerformReadAhead+33Bp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BB791 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, ecx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, ebx
		mov	[ebp+var_4], eax
		lea	edx, [eax+2FCh]
		shl	edi, 0Ch
		mov	eax, [edx]
		lea	ecx, [ecx+0]

loc_497050:				; CODE XREF: PsSetPagePriorityThread+32j
		mov	ecx, eax
		mov	esi, eax
		and	ecx, 0FFFF8FFFh
		or	ecx, edi
		lock cmpxchg [edx], ecx
		cmp	eax, esi
		jnz	short loc_497050
		shr	esi, 0Ch
		and	esi, 7
		test	dword ptr ds:byte_70EFC4, 2000h
		jnz	loc_5BB791

loc_49707A:				; CODE XREF: PsSetPagePriorityThread+124772j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
PsSetPagePriorityThread	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcCalculatePagesToWrite(x, x, x, x,	x)
_CcCalculatePagesToWrite@20 proc near	; CODE XREF: CcLazyWriteScan+1B3p
					; CcScanLogHandleList+D5p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	[ebp+var_8], ecx
		push	esi
		cmp	edx, 2
		jz	short loc_4970FD
		cmp	edx, 1
		jz	short loc_4970FD
		cmp	edx, 10h
		jz	short loc_4970FD
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	esi, [eax]
		mov	edx, [eax+4]
		mov	eax, [eax+8]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	ebx, [eax+0Ch]
		mov	[ebp+var_4], ecx
		mov	ecx, [eax+4]
		mov	[ebp+arg_4], ecx
		mov	ecx, esi
		cmp	esi, _CcMaxLazyWritePages
		ja	short loc_4970CE
		test	[ebp+arg_8], 1
		jz	short loc_4970D1

loc_4970CE:				; CODE XREF: CcCalculatePagesToWrite(x,x,x,x,x)+42j
		shr	ecx, 3

loc_4970D1:				; CODE XREF: CcCalculatePagesToWrite(x,x,x,x,x)+48j
		mov	eax, [ebp+arg_0]
		push	edi
		add	eax, esi
		xor	edi, edi
		cmp	eax, edx
		ja	short loc_4970F4

loc_4970DD:				; CODE XREF: CcCalculatePagesToWrite(x,x,x,x,x)+77j
		mov	edx, esi
		sub	edx, ecx
		add	edx, edi
		pop	edi
		cmp	edx, ebx
		ja	short loc_497104

loc_4970E8:				; CODE XREF: CcCalculatePagesToWrite(x,x,x,x,x)+93j
					; CcCalculatePagesToWrite(x,x,x,x,x)+A7j
		pop	ebx
		cmp	ecx, esi
		ja	short loc_49712F

loc_4970ED:				; CODE XREF: CcCalculatePagesToWrite(x,x,x,x,x)+7Ej
					; CcCalculatePagesToWrite(x,x,x,x,x)+ADj
		mov	eax, ecx
		pop	esi
		leave
		retn	0Ch
; 

loc_4970F4:				; CODE XREF: CcCalculatePagesToWrite(x,x,x,x,x)+57j
		mov	edi, [ebp+arg_0]
		sub	edi, edx
		add	edi, esi
		jmp	short loc_4970DD
; 

loc_4970FD:				; CODE XREF: CcCalculatePagesToWrite(x,x,x,x,x)+Ej
					; CcCalculatePagesToWrite(x,x,x,x,x)+13j ...
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		jmp	short loc_4970ED
; 

loc_497104:				; CODE XREF: CcCalculatePagesToWrite(x,x,x,x,x)+62j
		mov	eax, edx
		sub	eax, ebx
		add	ecx, eax
		mov	eax, [ebp+arg_4]
		cmp	[ebp+var_4], eax
		jnb	short loc_497119

loc_497112:				; CODE XREF: CcCalculatePagesToWrite(x,x,x,x,x)+A9j
		sub	edx, ebx
		lea	ecx, [ecx+edx*2]
		jmp	short loc_4970E8
; 

loc_497119:				; CODE XREF: CcCalculatePagesToWrite(x,x,x,x,x)+8Cj
		mov	eax, [ebp+var_8]
		mov	eax, [eax+4]
		mov	eax, [eax]
		cmp	dword ptr [eax+0FC0h], 1000h
		jnb	short loc_4970E8
		jmp	short loc_497112
; 

loc_49712F:				; CODE XREF: CcCalculatePagesToWrite(x,x,x,x,x)+67j
		mov	ecx, esi
		jmp	short loc_4970ED
_CcCalculatePagesToWrite@20 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiUnlockFaultWorkingSet(x)
_MiUnlockFaultWorkingSet@4 proc	near	; CODE XREF: MiSoftFaultMappedView+46Ep
					; MiSoftFaultMappedView+4E3p ...
		mov	edi, edi
		push	ecx
		mov	eax, [ecx]
		mov	dl, [ecx+8]
		test	byte ptr [ecx+9], 1
		mov	ecx, eax
		jnz	short loc_49714B
		call	MiUnlockWorkingSetShared
		pop	ecx
		retn
; 

loc_49714B:				; CODE XREF: MiUnlockFaultWorkingSet(x)+Ej
		call	MiUnlockWorkingSetExclusive
		pop	ecx
		retn
_MiUnlockFaultWorkingSet@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcDeleteMbcb	proc near		; CODE XREF: CcDeleteSharedCacheMap+23Ap
					; CcSetFileSizesEx+435p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005BB7A7 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+28h+var_C]
		stosd
		mov	ebx, ecx
		mov	[esp+28h+var_18], ebx
		stosd
		stosd
		lea	eax, [esp+28h+var_14]
		mov	[esp+28h+var_10], eax
		mov	[esp+28h+var_14], eax
		call	CcGetPartition
		lea	esi, [ebx+0B4h]
		mov	[esp+28h+var_1C], eax
		mov	ecx, esi
		call	ExAcquireFastMutex
		mov	edi, [ebx+68h]
		test	edi, edi
		jz	loc_5BB7B8
		mov	ecx, [esp+28h+var_1C]
		lea	edx, [esp+28h+var_C]
		add	ecx, 40h
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, [edi+8]
		mov	ecx, ebx
		call	CcDeductDirtyPages
		test	ds:byte_70EFC6,	1
		jnz	loc_5BB7A7
		mov	eax, [esp+28h+var_C]
		test	eax, eax
		jnz	loc_497292
		mov	edx, [esp+28h+var_8]
		lea	eax, [esp+28h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+28h+var_C]
		cmp	eax, ecx
		jnz	loc_497289

loc_4971E9:				; CODE XREF: CcDeleteMbcb+151j
					; CcDeleteMbcb+124661j
		mov	cl, [esp+28h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	ebx, [edi+10h]

loc_4971F6:				; CODE XREF: CcDeleteMbcb+DFj
					; CcDeleteMbcb+FCj
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	short loc_497250
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	loc_4972C9
		cmp	[eax], esi
		jnz	loc_4972C9
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	edx, [esi+1Ch]
		test	edx, edx
		jz	short loc_497225
		lea	eax, [edi+48h]
		cmp	edx, eax
		jnz	short loc_49727D

loc_497225:				; CODE XREF: CcDeleteMbcb+CAj
					; CcDeleteMbcb+135j
		cmp	esi, edi
		jb	short loc_497233
		lea	eax, [edi+88h]
		cmp	esi, eax
		jb	short loc_4971F6

loc_497233:				; CODE XREF: CcDeleteMbcb+D5j
		mov	eax, [esp+28h+var_10]
		lea	ecx, [esp+28h+var_14]
		cmp	[eax], ecx
		jnz	loc_4972C9
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[esp+28h+var_10], esi
		jmp	short loc_4971F6
; 

loc_497250:				; CODE XREF: CcDeleteMbcb+A8j
		mov	eax, [esp+28h+var_18]
		and	dword ptr [eax+68h], 0
		lea	ecx, [eax+0B4h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_497263:				; CODE XREF: CcDeleteMbcb+175j
		mov	eax, [esp+28h+var_14]
		lea	ecx, [esp+28h+var_14]
		cmp	eax, ecx
		jnz	short loc_4972A8
		mov	ecx, edi
		call	@CcDeallocateBcb@4 ; CcDeallocateBcb(x)

loc_497276:				; CODE XREF: CcDeleteMbcb+12466Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_49727D:				; CODE XREF: CcDeleteMbcb+D1j
		mov	ecx, offset _CcBitmapLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_497225
; 

loc_497289:				; CODE XREF: CcDeleteMbcb+91j
		lea	ecx, [esp+28h+var_C]
		call	KxWaitForLockChainValid

loc_497292:				; CODE XREF: CcDeleteMbcb+77j
		xor	ecx, ecx
		mov	[esp+28h+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4971E9
; 

loc_4972A8:				; CODE XREF: CcDeleteMbcb+11Bj
		mov	ecx, [eax]
		lea	edx, [esp+28h+var_14]
		cmp	[eax+4], edx
		jnz	short loc_4972C9
		cmp	[ecx+4], eax
		jnz	short loc_4972C9
		push	0
		mov	[esp+2Ch+var_14], ecx
		push	eax
		mov	[ecx+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_497263
; 

loc_4972C9:				; CODE XREF: CcDeleteMbcb+B2j
					; CcDeleteMbcb+BAj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
CcDeleteMbcb	endp			; AL = character to display


;  S U B	R O U T	I N E 


; __fastcall CcDeallocateBcb(x)
@CcDeallocateBcb@4 proc	near		; CODE XREF: CcDeleteMbcb+11Fp
					; CcUnpinFileDataEx+482p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, 2FDh
		cmp	[esi], ax
		jnz	short loc_4972E6
		lea	eax, [esi+38h]
		push	eax
		call	ExDeleteResourceLite

loc_4972E6:				; CODE XREF: CcDeallocateBcb(x)+Dj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
@CcDeallocateBcb@4 endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 342. ExDeleteResourceLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExDeleteResourceLite
ExDeleteResourceLite proc near		; CODE XREF: CcDeallocateBcb(x)+13p
					; .text:0051173Bp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BB7C4 SIZE 0000017A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	byte ptr [esi+0Eh], 1
		jnz	loc_5BB7C4
		inc	large dword ptr	fs:41E0h
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		mov	edi, offset _ExpResourceSpinLock
		jnz	loc_5BB7D5
		mov	[ebp+arg_0], 0
		lock bts dword ptr [edi], 1Fh
		jb	loc_49743B

loc_49734B:				; CODE XREF: ExDeleteResourceLite+147j
		mov	edx, ds:_ExpResourceSpinLock
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5BB7E3

loc_497363:				; CODE XREF: ExDeleteResourceLite+1244DEj
					; ExDeleteResourceLite+124518j
		mov	edx, [esi]
		mov	eax, [esi+4]
		cmp	[edx+4], esi
		jnz	loc_5BB8F5
		cmp	[eax], esi
		jnz	loc_5BB8F5
		mov	[eax], edx
		mov	[edx+4], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5BB81D
		mov	ds:_ExpResourceSpinLock, 0

loc_497395:				; CODE XREF: ExDeleteResourceLite+124527j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	dword ptr [esi], 0
		mov	dword ptr [esi+4], 0
		test	byte ptr [esi+1Ch], 2
		mov	ebx, [esi+18h]
		jnz	loc_5BB82C
		test	bl, 3
		jnz	short loc_4973C0

loc_4973BC:				; CODE XREF: ExDeleteResourceLite+12452Fj
		test	ebx, ebx
		jnz	short loc_4973D2

loc_4973C0:				; CODE XREF: ExDeleteResourceLite+BAj
					; ExDeleteResourceLite+FDj ...
		mov	eax, [esi+8]
		test	eax, eax
		jnz	short loc_497404

loc_4973C7:				; CODE XREF: ExDeleteResourceLite+139j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4973D2:				; CODE XREF: ExDeleteResourceLite+BEj
		test	byte ptr [esi+0Eh], 1
		jnz	loc_5BB834
		cmp	_ExpResourceEnforceOwnerTransfer, 0
		jnz	loc_5BB834
		mov	ecx, [esi+1Ch]

loc_4973EC:				; CODE XREF: ExDeleteResourceLite+12453Aj
					; ExDeleteResourceLite+124548j
		test	cl, 1
		jnz	loc_5BB863

loc_4973F5:				; CODE XREF: ExDeleteResourceLite+124573j
		test	cl, 4
		jnz	short loc_49744C

loc_4973FA:				; CODE XREF: ExDeleteResourceLite+156j
		test	cl, 2
		jz	short loc_4973C0
		jmp	loc_5BB878
; 

loc_497404:				; CODE XREF: ExDeleteResourceLite+C5j
		mov	edi, 1
		lea	ebx, [eax+4]
		cmp	[ebx], edi
		jbe	short loc_497431

loc_497410:				; CODE XREF: ExDeleteResourceLite+12Fj
		lea	ebx, [ebx+8]
		lea	ecx, [ebx-4]
		call	_ExpOwnerEntryToThread@4 ; ExpOwnerEntryToThread(x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		jnz	loc_5BB888

loc_497428:				; CODE XREF: ExDeleteResourceLite+1245DFj
					; ExDeleteResourceLite+1245F0j
		mov	eax, [esi+8]
		inc	edi
		cmp	edi, [eax+4]
		jb	short loc_497410

loc_497431:				; CODE XREF: ExDeleteResourceLite+10Ej
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4973C7
; 

loc_49743B:				; CODE XREF: ExDeleteResourceLite+45j
		mov	dl, bl
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+arg_0], eax
		jmp	loc_49734B
; 

loc_49744C:				; CODE XREF: ExDeleteResourceLite+F8j
		lock dec dword ptr [ebx+330h]
		mov	ecx, [esi+1Ch]
		jmp	short loc_4973FA
ExDeleteResourceLite endp


;  S U B	R O U T	I N E 


; __stdcall ExpOwnerEntryToThread(x)
_ExpOwnerEntryToThread@4 proc near	; CODE XREF: ExDeleteResourceLite+116p
					; ExReinitializeResourceLite+E9p ...
		test	byte ptr [ecx+4], 2
		jnz	short loc_497470
		mov	ecx, [ecx]
		mov	al, cl
		and	al, 3
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx
		retn
; 

loc_497470:				; CODE XREF: ExpOwnerEntryToThread(x)+4j
		mov	eax, [ecx]
		and	eax, 0FFFFFFFCh
		retn
_ExpOwnerEntryToThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteSystemPageTableTail(x)
_MiDeleteSystemPageTableTail@4 proc near
					; DATA XREF: MiDeleteSystemPageTables(x,x,x,x,x,x)+7Eo

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+28h+var_18]
		rep stosd
		mov	eax, [ebp+arg_0]
		mov	esi, [eax+48h]
		mov	ecx, [esi+8]
		call	MiFlushTbList
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_4974E0
		push	ecx
		lea	edx, [esp+2Ch+var_18]
		call	_MiFreeUnmappedPageTables@12 ; MiFreeUnmappedPageTables(x,x,x)
		and	dword ptr [esi+4], 0
		mov	edi, [esp+28h+var_C]
		test	edi, edi
		jz	short loc_4974E0
		cmp	dword_6D5F54, 0
		jz	short loc_4974E0
		mov	edx, edi
		mov	ebx, offset _MiSystemPartition
		sub	edx, [esp+28h+var_14]
		mov	ecx, ebx
		call	MiReturnCommit
		push	dword ptr [esi]
		mov	edx, edi
		mov	ecx, ebx
		call	_MiReturnSystemCharges@12 ; MiReturnSystemCharges(x,x,x)

loc_4974E0:				; CODE XREF: MiDeleteSystemPageTableTail(x)+2Cj
					; MiDeleteSystemPageTableTail(x)+42j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiDeleteSystemPageTableTail@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReturnSystemCharges(x, x,	x)
_MiReturnSystemCharges@12 proc near	; CODE XREF: MiDeleteSystemPageTableTail(x)+65p
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+5A6p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		cmp	esi, 1
		jz	short loc_497530
		cmp	esi, 2
		jz	short loc_49751C
		cmp	esi, 0Bh
		jz	short loc_497530
		mov	eax, edi
		neg	eax
		cmp	esi, 4
		jz	short loc_497564
		mov	ecx, offset unk_6D3624

loc_497518:				; CODE XREF: MiReturnSystemCharges(x,x,x)+7Dj
		lock xadd [ecx], eax

loc_49751C:				; CODE XREF: MiReturnSystemCharges(x,x,x)+17j
					; MiReturnSystemCharges(x,x,x)+6Aj
		mov	edx, edi
		mov	ecx, ebx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	short loc_497558

loc_497529:				; CODE XREF: MiReturnSystemCharges(x,x,x)+76j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_497530:				; CODE XREF: MiReturnSystemCharges(x,x,x)+12j
					; MiReturnSystemCharges(x,x,x)+1Cj
		mov	eax, large fs:124h
		mov	esi, edi
		neg	esi
		mov	ecx, esi
		mov	eax, [eax+80h]
		mov	edx, [eax+180h]
		lea	eax, [edx+1Ch]
		lock xadd [eax], ecx
		lea	eax, [edx+20h]
		lock xadd [eax], esi
		jmp	short loc_49751C
; 

loc_497558:				; CODE XREF: MiReturnSystemCharges(x,x,x)+3Bj
		lea	ecx, [ebx+1000h]
		lock xadd [ecx], eax
		jmp	short loc_497529
; 

loc_497564:				; CODE XREF: MiReturnSystemCharges(x,x,x)+25j
		mov	ecx, offset dword_6D3634
		jmp	short loc_497518
_MiReturnSystemCharges@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeleteSystemPageTable	proc near	; DATA XREF: MiDeleteSystemPageTables(x,x,x,x,x,x)+76o

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005BB93E SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+40h+var_C]
		stosd
		stosd
		stosd
		mov	eax, [edx+48h]
		mov	edi, [ebp+arg_8]
		mov	[esp+40h+var_1C], eax
		mov	ecx, [eax+8]
		mov	[esp+40h+var_30], ecx
		xor	ecx, ecx
		inc	ecx
		cmp	edi, ecx
		jnz	short loc_4975A6
		cmp	[eax], ecx
		jz	loc_497719

loc_4975A6:				; CODE XREF: MiDeleteSystemPageTable+30j
		mov	ebx, [ebp+arg_4]
		and	[esp+40h+var_34], 0
		mov	esi, [ebx]
		nop
		mov	ecx, [ebx+4]

loc_4975B4:				; CODE XREF: MiDeleteSystemPageTable+1DFj
		mov	eax, esi
		mov	[esp+40h+var_14], ecx
		and	eax, 1
		mov	[esp+40h+var_18], esi
		or	eax, 0
		mov	[esp+40h+var_24], ecx
		jz	loc_49770E
		and	[esp+40h+var_2C], 0
		nop
		mov	eax, esi
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		mov	[esp+40h+var_28], eax
		mov	eax, esi
		and	eax, 80h
		or	eax, 0
		jnz	short loc_497652
		imul	ecx, [esp+40h+var_28], 1Ch
		movzx	eax, byte ptr [edx+2]
		shr	eax, 2
		and	eax, 7
		add	ecx, ds:_MmPfnDatabase
		mov	[esp+40h+var_28], ecx
		cmp	edi, eax
		jg	loc_5BB8FC
		xor	eax, eax

loc_497612:				; CODE XREF: ExDeleteResourceLite+124639j
		xor	ecx, ecx
		inc	ecx
		cmp	edi, ecx
		jl	short loc_497642
		push	ds:dword_40F9FC
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		push	ds:_ZeroPte
		push	eax
		mov	ecx, [ecx+10h]
		call	MiEvictPageTableLock
		test	eax, eax
		jz	loc_49770E
		xor	eax, eax
		inc	eax
		mov	[esp+40h+var_2C], eax

loc_497642:				; CODE XREF: MiDeleteSystemPageTable+ABj
		mov	ecx, [esp+40h+var_1C]
		mov	edx, [esp+40h+var_28]
		add	ecx, 4
		call	_MiAddSystemPageTableToList@8 ;	MiAddSystemPageTableToList(x,x)

loc_497652:				; CODE XREF: MiDeleteSystemPageTable+81j
		cmp	[esp+40h+var_34], 0
		jnz	loc_497750

loc_49765D:				; CODE XREF: MiDeleteSystemPageTable+1F2j
		xor	ecx, ecx
		mov	eax, esi
		inc	ecx
		and	eax, ecx
		or	eax, 0
		jz	short loc_49767C
		cmp	edi, ecx
		jl	short loc_49767C
		and	esi, 80h
		or	esi, 0
		jnz	loc_4977D0

loc_49767C:				; CODE XREF: MiDeleteSystemPageTable+FBj
					; MiDeleteSystemPageTable+FFj
		mov	esi, [esp+40h+var_30]
		mov	edx, ebx
		push	0
		push	ecx
		shl	edx, 9
		mov	ecx, esi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		xor	eax, eax
		inc	eax
		cmp	edi, eax
		jnz	short loc_4976C1
		mov	eax, 0C0000000h
		mov	edx, ebx
		cmp	ebx, eax
		jb	short loc_4976B0

loc_4976A1:				; CODE XREF: MiDeleteSystemPageTable+142j
		cmp	edx, 0C07FFFFFh
		ja	short loc_4976B0
		shl	edx, 9
		cmp	edx, eax
		jnb	short loc_4976A1

loc_4976B0:				; CODE XREF: MiDeleteSystemPageTable+133j
					; MiDeleteSystemPageTable+13Bj
		push	0
		push	200h
		mov	ecx, esi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_4976BE:				; CODE XREF: MiDeleteSystemPageTable+270j
		xor	eax, eax
		inc	eax

loc_4976C1:				; CODE XREF: MiDeleteSystemPageTable+128j
		cmp	[esp+40h+var_2C], 0
		jz	loc_4977E1

loc_4976CC:				; CODE XREF: MiDeleteSystemPageTable+2D8j
					; MiDeleteSystemPageTable+124412j
		cmp	[esp+40h+var_34], 0
		jnz	loc_497763

loc_4976D7:				; CODE XREF: MiDeleteSystemPageTable+25Fj
		xor	eax, eax
		inc	eax
		cmp	edi, eax
		jnz	short loc_49770E
		mov	eax, 0C0000000h

loc_4976E3:				; CODE XREF: MiDeleteSystemPageTable+186j
		cmp	ebx, eax
		jb	short loc_4976F4
		cmp	ebx, 0C07FFFFFh
		ja	short loc_4976F4
		shl	ebx, 9
		jmp	short loc_4976E3
; 

loc_4976F4:				; CODE XREF: MiDeleteSystemPageTable+179j
					; MiDeleteSystemPageTable+181j
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		lea	edx, [ebx-40000000h]
		lea	ecx, [ebx-40000000h]
		call	MiReplicatePteChange

loc_49770E:				; CODE XREF: MiDeleteSystemPageTable+5Cj
					; MiDeleteSystemPageTable+C9j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_497719:				; CODE XREF: MiDeleteSystemPageTable+34j
		mov	eax, large fs:124h
		mov	ebx, [ebp+arg_4]
		mov	ecx, ebx
		shr	ecx, 3
		and	ecx, 7FFh
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		lea	eax, [eax+ecx*8]
		add	eax, 0FFFFE3E0h
		mov	[esp+40h+var_34], eax
		mov	esi, [eax]
		nop
		mov	ecx, [eax+4]
		jmp	loc_4975B4
; 

loc_497750:				; CODE XREF: MiDeleteSystemPageTable+EBj
		mov	esi, [ebx]
		nop
		mov	eax, [ebx+4]
		mov	[esp+40h+var_18], esi
		mov	[esp+40h+var_14], eax
		jmp	loc_49765D
; 

loc_497763:				; CODE XREF: MiDeleteSystemPageTable+165j
		push	0
		push	300h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	edi, edx
		mov	ecx, offset dword_6D3540
		lea	edx, [esp+40h+var_C]
		mov	esi, eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esp+40h+var_34]
		mov	[eax], esi
		nop
		mov	[eax+4], edi
		test	ds:byte_70EFC6,	1
		jnz	loc_5BB983
		mov	eax, [esp+40h+var_C]
		test	eax, eax
		jnz	loc_5BB99D
		mov	edx, [esp+40h+var_8]
		lea	eax, [esp+40h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+40h+var_C]
		cmp	eax, ecx
		jnz	loc_5BB994

loc_4977BE:				; CODE XREF: MiDeleteSystemPageTable+124423j
					; MiDeleteSystemPageTable+124442j
		mov	cl, [esp+40h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, [ebp+arg_8]
		jmp	loc_4976D7
; 

loc_4977D0:				; CODE XREF: MiDeleteSystemPageTable+10Aj
		mov	ecx, [esp+40h+var_30]
		mov	edx, edi
		push	ebx
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)
		jmp	loc_4976BE
; 

loc_4977E1:				; CODE XREF: MiDeleteSystemPageTable+15Aj
		cmp	edi, eax
		jnz	loc_5BB96E
		lea	edx, [esp+40h+var_C]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, ds:_ZeroPte
		mov	[ebx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ebx+4], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5BB93E
		mov	eax, [esp+40h+var_C]
		test	eax, eax
		jnz	loc_5BB958
		mov	edx, [esp+40h+var_8]
		lea	eax, [esp+40h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+40h+var_C]
		cmp	eax, ecx
		jnz	loc_5BB94F

loc_49783A:				; CODE XREF: MiDeleteSystemPageTable+1243DEj
					; MiDeleteSystemPageTable+1243FDj
		mov	cl, [esp+40h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4976CC
MiDeleteSystemPageTable	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReplicatePteChange proc near		; CODE XREF: MiDeleteVaTail+12Cp
					; MiDeleteVaTail+13Fp ...

var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005BB9B3 SIZE 000001F8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, edx
		push	edi
		lea	edi, [esp+58h+var_C]
		shr	esi, 9
		stosd
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		mov	[esp+58h+var_48], esi
		stosd
		stosd
		mov	eax, ecx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esp+58h+var_18], eax
		lea	ebx, [eax-40000000h]
		mov	eax, large fs:124h
		mov	[esp+58h+var_40], ebx
		mov	edi, [eax+80h]
		mov	[esp+58h+var_3C], edi
		cmp	ecx, 0C0000000h
		jb	short loc_4978C3
		lea	esp, [esp+0]

loc_4978B0:				; CODE XREF: MiReplicatePteChange+71j
		cmp	ecx, 0C07FFFFFh
		ja	short loc_4978C3
		shl	ecx, 9
		cmp	ecx, 0C0000000h
		jnb	short loc_4978B0

loc_4978C3:				; CODE XREF: MiReplicatePteChange+5Aj
					; MiReplicatePteChange+66j
		cmp	ecx, dword_6D07D0
		jb	short loc_4978E4
		shr	ecx, 15h
		mov	al, byte ptr dword_6D3994[ecx]
		cmp	al, 1
		jz	loc_497C80
		cmp	al, 0Bh
		jz	loc_497C80

loc_4978E4:				; CODE XREF: MiReplicatePteChange+79j
		xor	eax, eax
		mov	[esp+58h+var_2C], offset dword_6D0608
		mov	[esp+58h+var_34], eax

loc_4978F2:				; CODE XREF: MiReplicatePteChange+44Dj
		lea	edx, [esp+58h+var_C]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, [esp+58h+var_34]
		test	edx, edx
		jnz	loc_497CA2

loc_49790C:				; CODE XREF: MiReplicatePteChange+45Cj
					; MiReplicatePteChange+124175j
		mov	eax, [esp+58h+var_2C]
		mov	ecx, [eax]
		mov	[esp+58h+var_1C], ecx
		cmp	ecx, eax
		jz	loc_497C2F
		mov	edi, edi

loc_497920:				; CODE XREF: MiReplicatePteChange+3D9j
		neg	edx
		sbb	eax, eax
		add	ecx, 0FFFFFCC0h
		and	eax, 220h
		add	eax, ecx
		mov	ecx, [eax+0FCh]
		mov	[esp+58h+var_10], eax
		lea	edx, [eax+0FCh]
		test	ecx, (offset loc_7FFFFF+1)
		jnz	loc_497C17
		test	ecx, 0C00h
		jz	loc_497CD5
		test	cl, cl
		js	loc_497CD5
		cmp	eax, edi
		jz	loc_497C17
		mov	edx, [esp+58h+var_18]
		mov	ecx, esi
		sub	ecx, ebx
		mov	[esp+58h+var_30], ebx
		sar	ecx, 3
		mov	ebx, 4
		inc	ecx
		mov	[esp+58h+var_14], ecx
		lea	edx, [edx-600000h]
		mov	ecx, [eax+194h]
		shr	edx, 0Ch
		mov	eax, [ecx+edx*8]
		mov	ecx, [ecx+edx*8+4]
		shrd	eax, ecx, 0Ch
		mov	ecx, ds:_MmPfnDatabase
		and	eax, 1FFFFFFh
		lea	edx, ds:0[eax*8]
		sub	edx, eax
		movzx	ecx, byte ptr [ecx+edx*4+16h]
		shr	ecx, 6
		test	ecx, ecx
		jz	loc_5BB9D4
		cmp	ecx, 3
		jz	loc_5BB9D4
		cmp	ecx, 2
		jz	loc_5BB9CA

loc_4979D2:				; CODE XREF: MiReplicatePteChange+12417Fj
					; MiReplicatePteChange+124189j
		or	ebx, 0A0000000h
		xor	ecx, ecx
		shld	ecx, eax, 0Ch
		shl	eax, 0Ch
		mov	esi, ds:_MmProtectToPteMask[ebx*8]
		mov	edi, ds:dword_40B4DC[ebx*8]
		and	esi, 0F7Fh
		or	esi, eax
		and	edi, 0FFFFFFE0h
		or	edi, ecx
		or	esi, 121h
		bt	ebx, 1Fh
		setb	al
		test	al, 1
		jz	short loc_497A10
		or	esi, 42h

loc_497A10:				; CODE XREF: MiReplicatePteChange+1BBj
		mov	al, byte ptr word_6D07B8
		and	esi, 0FFFFFEFFh
		and	al, 1
		movzx	eax, al
		cdq
		mov	ebx, eax
		mov	eax, edx
		shld	eax, ebx, 8
		or	eax, edi
		shl	ebx, 8
		mov	[esp+58h+var_44], eax
		or	ebx, esi
		mov	eax, large fs:20h
		xor	edi, edi
		mov	esi, [eax+3D34h]
		mov	eax, esi
		and	eax, 0FFFh
		and	esi, 0FFFFF000h
		shl	eax, 0Ch
		add	esi, eax
		mov	edx, esi
		shr	edx, 9
		mov	[esp+58h+var_38], edx
		lea	ecx, [edx-40000000h]
		mov	[esp+58h+var_4C], ecx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5BB9DE
		mov	eax, [esp+58h+var_44]

loc_497A78:				; CODE XREF: MiReplicatePteChange+1241A7j
					; MiReplicatePteChange+1241B2j	...
		mov	[edx-3FFFFFFCh], eax
		nop
		mov	[ecx], ebx
		test	edi, edi
		jnz	loc_5BBA31

loc_497A89:				; CODE XREF: MiReplicatePteChange+1241F0j
		mov	edi, [esp+58h+var_40]
		mov	eax, edi
		mov	ebx, [esp+58h+var_30]
		shr	eax, 3
		and	eax, 1FFh
		lea	esi, [esi+eax*8]
		cmp	edi, [esp+58h+var_48]
		ja	short loc_497B1B

loc_497AA4:				; CODE XREF: MiReplicatePteChange+2C1j
		mov	edx, [ebx]
		mov	[esp+58h+var_28], 0
		mov	[esp+58h+var_24], 0
		nop
		mov	edi, [ebx+4]
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		cmp	edx, ecx
		jnz	short loc_497AC8
		cmp	edi, eax
		jz	short loc_497B07

loc_497AC8:				; CODE XREF: MiReplicatePteChange+272j
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	loc_497C6B
		and	ecx, 1
		or	ecx, 0
		mov	ecx, esi
		jnz	loc_5BBA45
		mov	[esp+58h+var_30], 0
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5BBA55

loc_497AF9:				; CODE XREF: MiReplicatePteChange+12421Aj
					; MiReplicatePteChange+124226j	...
		mov	[esi+4], edi
		nop
		mov	[esi], edx
		test	eax, eax
		jnz	loc_5BBAA6

loc_497B07:				; CODE XREF: MiReplicatePteChange+276j
					; MiReplicatePteChange+421j ...
		add	ebx, 8
		add	esi, 8
		cmp	ebx, [esp+58h+var_48]
		jbe	short loc_497AA4
		mov	edx, [esp+58h+var_38]
		mov	ecx, [esp+58h+var_4C]

loc_497B1B:				; CODE XREF: MiReplicatePteChange+252j
		mov	eax, large fs:20h
		mov	[esp+58h+var_30], eax
		mov	edi, [eax+3D34h]
		mov	esi, edi
		and	esi, 0FFFh
		and	edi, 0FFFFF000h
		lea	eax, [esi+1]
		mov	[esp+58h+var_28], eax
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edx-3FFFFFFCh], eax
		cmp	esi, 0FFh
		jz	loc_497C76

loc_497B5F:				; CODE XREF: MiReplicatePteChange+42Bj
		mov	eax, [esp+58h+var_30]
		sub	esi, 0FFh
		neg	esi
		sbb	esi, esi
		and	esi, [esp+58h+var_28]
		or	esi, edi
		mov	[eax+3D34h], esi
		mov	esi, [esp+58h+var_14]
		lea	eax, ds:0[esi*8]
		sub	ebx, eax
		cmp	ebx, 0C0603000h
		jb	short loc_497C0B
		test	ds:_MiFlags, 0C00000h
		jz	short loc_497C0B
		mov	eax, [esp+58h+var_10]
		mov	eax, [eax+304h]
		test	eax, eax
		jz	short loc_497C0B
		mov	edx, ds:_PsInitialSystemProcess
		test	edx, edx
		jz	short loc_497C0B
		mov	edx, [edx+304h]
		lea	ecx, [ebx+3FA00000h]
		sar	ecx, 3
		mov	[esp+58h+var_30], edx
		test	esi, esi
		jz	short loc_497C0B
		sub	[esp+58h+var_30], eax
		lea	edx, [eax-3000h]
		lea	edx, [edx+ecx*8]
		lea	edi, [ecx-400h]
		mov	[esp+58h+var_38], edx

loc_497BE0:				; CODE XREF: MiReplicatePteChange+3B9j
		mov	eax, edi
		mov	ecx, edi
		shr	eax, 5
		and	ecx, 1Fh
		mov	eax, dword_6D2BD4[eax*4]
		sar	eax, cl
		test	al, 1
		jnz	loc_5BBAB4

loc_497BFB:				; CODE XREF: MiReplicatePteChange+124294j
					; MiReplicatePteChange+124332j	...
		add	edx, 8
		add	ebx, 8
		inc	edi
		mov	[esp+58h+var_38], edx
		sub	esi, 1
		jnz	short loc_497BE0

loc_497C0B:				; CODE XREF: MiReplicatePteChange+33Cj
					; MiReplicatePteChange+348j ...
		mov	edi, [esp+58h+var_3C]
		mov	esi, [esp+58h+var_48]
		mov	ebx, [esp+58h+var_40]

loc_497C17:				; CODE XREF: MiReplicatePteChange+F7j
					; MiReplicatePteChange+113j ...
		mov	ecx, [esp+58h+var_1C]
		mov	edx, [esp+58h+var_34]
		mov	ecx, [ecx]
		mov	[esp+58h+var_1C], ecx
		cmp	ecx, [esp+58h+var_2C]
		jnz	loc_497920

loc_497C2F:				; CODE XREF: MiReplicatePteChange+C8j
		test	ds:byte_70EFC6,	1
		jnz	loc_5BBB9A
		mov	eax, [esp+58h+var_C]
		test	eax, eax
		jnz	short loc_497CC0
		mov	edx, [esp+58h+var_8]
		lea	eax, [esp+58h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+58h+var_C]
		cmp	eax, ecx
		jnz	short loc_497CB7

loc_497C5A:				; CODE XREF: MiReplicatePteChange+483j
					; MiReplicatePteChange+124356j
		mov	cl, [esp+58h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_497C6B:				; CODE XREF: MiReplicatePteChange+280j
		mov	[esi], edx
		nop
		mov	[esi+4], edi
		jmp	loc_497B07
; 

loc_497C76:				; CODE XREF: MiReplicatePteChange+309j
		call	_MiFlushHyperSpace@0 ; MiFlushHyperSpace()
		jmp	loc_497B5F
; 

loc_497C80:				; CODE XREF: MiReplicatePteChange+86j
					; MiReplicatePteChange+8Ej
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	[esp+58h+var_34], eax
		add	eax, 10h
		mov	[esp+58h+var_2C], eax
		jmp	loc_4978F2
; 

loc_497CA2:				; CODE XREF: MiReplicatePteChange+B6j
		mov	al, [edx+121h]
		and	al, 6
		cmp	al, 2
		jnz	loc_49790C
		jmp	loc_5BB9B3
; 

loc_497CB7:				; CODE XREF: MiReplicatePteChange+408j
		lea	ecx, [esp+58h+var_C]
		call	KxWaitForLockChainValid

loc_497CC0:				; CODE XREF: MiReplicatePteChange+3F2j
		mov	[esp+58h+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_497C5A
; 

loc_497CD5:				; CODE XREF: MiReplicatePteChange+103j
					; MiReplicatePteChange+10Bj
		mov	eax, (offset loc_7FFFFF+1)
		lock or	[edx], eax
		jmp	loc_497C17
MiReplicatePteChange endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeUnmappedPageTables(x,	x, x)
_MiFreeUnmappedPageTables@12 proc near	; CODE XREF: MiDeleteSystemPageTableTail(x)+33p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	esi, edx
		test	edi, edi
		jz	short loc_497D3B

loc_497CF6:				; CODE XREF: MiFreeUnmappedPageTables(x,x,x)+57j
		mov	eax, [edi]
		mov	ecx, edi
		mov	[ebp+var_8], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, [edi+16h]
		and	cl, 0FEh
		mov	[ebp+var_1], al
		or	cl, 6
		mov	[edi+16h], cl
		mov	ecx, edi
		call	MiDecrementShareCount
		cmp	eax, 3
		jz	short loc_497D47

loc_497D1D:				; CODE XREF: MiFreeUnmappedPageTables(x,x,x)+68j
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_8]
		inc	ebx
		mov	edi, eax
		test	eax, eax
		jnz	short loc_497CF6

loc_497D3B:				; CODE XREF: MiFreeUnmappedPageTables(x,x,x)+12j
		add	[esi+0Ch], ebx
		add	[esi], ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_497D47:				; CODE XREF: MiFreeUnmappedPageTables(x,x,x)+39j
		inc	dword ptr [esi+4]
		jmp	short loc_497D1D
_MiFreeUnmappedPageTables@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddSystemPageTableToList(x, x)
_MiAddSystemPageTableToList@8 proc near	; CODE XREF: MiDeleteSystemPageTable+E1p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	edx, 7FFFFFFFh
		lea	esi, [edi+10h]

loc_497D62:				; CODE XREF: MiAddSystemPageTableToList(x,x)+4Cj
		and	[ebp+var_4], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_497D87

loc_497D6D:				; CODE XREF: MiAddSystemPageTableToList(x,x)+2Dj
					; MiAddSystemPageTableToList(x,x)+34j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_497D6D
		lock bts dword ptr [esi], 1Fh
		jb	short loc_497D6D
		mov	edx, 7FFFFFFFh

loc_497D87:				; CODE XREF: MiAddSystemPageTableToList(x,x)+1Fj
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jz	short loc_497D9A
		lock and [esi],	edx
		jmp	short loc_497D62
; 

loc_497D9A:				; CODE XREF: MiAddSystemPageTableToList(x,x)+47j
		or	ecx, 40000000h
		mov	[esi], ecx
		mov	eax, [ebx]
		mov	[edi], eax
		mov	[ebx], edi
		mov	al, [edi+16h]
		and	al, 0FDh
		or	al, 5
		mov	[edi+16h], al
		lock and [esi],	edx
		mov	eax, [edi+18h]
		and	eax, offset loc_7FFFFF
		imul	edi, eax, 1Ch
		add	edi, ds:_MmPfnDatabase
		and	[ebp+var_8], 0
		lea	esi, [edi+10h]
		jmp	short loc_497DDD
; 

loc_497DCF:				; CODE XREF: MiAddSystemPageTableToList(x,x)+8Fj
					; MiAddSystemPageTableToList(x,x)+96j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_497DCF

loc_497DDD:				; CODE XREF: MiAddSystemPageTableToList(x,x)+81j
		lock bts dword ptr [esi], 1Fh
		jb	short loc_497DCF
		mov	ecx, edi
		call	MiDecrementShareCount
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiAddSystemPageTableToList@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiZeroCfgSystemWideBitmap(x, x)
_MiZeroCfgSystemWideBitmap@8 proc near	; CODE XREF: MiReturnImageBase(x)+25p
		mov	edi, edi
		push	ecx
		mov	eax, [ecx+4]
		mov	ecx, dword_6CF4FC
		shl	eax, 10h
		shr	eax, 4
		add	eax, eax
		shr	edx, 4
		push	eax
		add	edx, edx
		lea	ecx, [ecx+50h]
		call	MiZeroCfgSystemWideBitmapWorker
		pop	ecx
		retn
_MiZeroCfgSystemWideBitmap@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeletePageDirectoryPages proc	near	; CODE XREF: MiDeleteFinalPageTables+F9p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005BBBAB SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	eax, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], eax
		mov	ebx, [eax+194h]
		mov	[ebp+var_8], edi

loc_497E37:				; CODE XREF: MiDeletePageDirectoryPages+A8j
		mov	ecx, [ebx]
		nop
		mov	eax, [ebx+4]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	esi, ecx, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		or	dword ptr [esi+10h], 40000000h
		mov	cl, al
		mov	eax, [esi+10h]
		and	eax, 3FFFFFFFh
		mov	[ebp+var_1], cl
		cmp	eax, 1
		jnz	loc_5BBBAB
		mov	eax, [esi+18h]
		mov	ecx, esi
		and	eax, offset loc_7FFFFF
		mov	[ebp+var_C], eax
		call	_MiClearContainingMapping@4 ; MiClearContainingMapping(x)
		mov	ecx, esi
		call	MiDecrementShareCount
		cmp	eax, 3
		jz	short loc_497ED1

loc_497E92:				; CODE XREF: MiDeletePageDirectoryPages+B6j
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		imul	ecx, [ebp+var_C], 1Ch
		xor	edx, edx
		add	ecx, ds:_MmPfnDatabase
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		mov	eax, [ebp+var_8]
		add	ebx, 8
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, 3
		jb	loc_497E37
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_497ED1:				; CODE XREF: MiDeletePageDirectoryPages+74j
		inc	edi
		jmp	short loc_497E92
MiDeletePageDirectoryPages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiOutPageSingleKernelStack proc	near	; DATA XREF: MmOutPageKernelStack(x)+45o

var_42		= byte ptr -42h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005BBBF3 SIZE 0000006B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edx, [eax+8]
		mov	ebx, offset loc_7FFFF8
		mov	ecx, [eax]
		sub	edx, 4
		mov	eax, [eax+4]
		sub	ecx, 1000h
		shr	eax, 9
		mov	edi, 40000000h
		shr	edx, 9
		and	eax, ebx
		and	edx, ebx
		shr	ecx, 9
		sub	eax, edi
		mov	[esp+50h+var_24], edx
		and	ecx, ebx
		mov	[esp+50h+var_40], eax
		sub	ecx, edi
		lea	esi, [edx-40000000h]
		mov	[esp+50h+var_30], ecx
		mov	eax, ecx
		mov	edx, esi
		sub	eax, esi
		shl	edx, 9
		sar	eax, 3
		push	0
		inc	eax
		mov	[esp+54h+var_34], edx
		push	3E0h
		mov	[esp+58h+var_38], eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [esp+50h+var_30]
		xor	ebx, ebx
		mov	[esp+50h+var_14], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+50h+var_10], edx
		mov	edx, offset loc_7FFFF8
		shr	ecx, 9
		and	ecx, edx
		mov	edi, [eax+150h]
		mov	eax, [esp+50h+var_40]
		shr	eax, 9
		and	eax, edx
		mov	[esp+50h+var_2C], ecx
		mov	ecx, offset unk_6D3A40
		mov	[esp+50h+var_3C], eax
		call	MiLockWorkingSetShared
		mov	edx, [esp+50h+var_3C]
		mov	ecx, offset unk_6D3A40
		push	ebx
		mov	[esp+54h+var_41], al
		lea	edx, [edx-40000000h]
		call	MiLockPageTableInternal
		mov	ecx, [esp+50h+var_3C]
		cmp	[esp+50h+var_2C], ecx
		jnz	loc_5BBBDC

loc_497FA9:				; CODE XREF: MiDeletePageDirectoryPages+123DD2j
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax+8]
		mov	[eax-4], ecx
		test	byte ptr [edi+2A0h], 7
		jnz	short loc_497FCB
		cmp	dword ptr [edi+2D0h], 2
		ja	loc_498175

loc_497FCB:				; CODE XREF: MiOutPageSingleKernelStack+E8j
					; MiOutPageSingleKernelStack+147j ...
		mov	edi, [esi]
		nop
		mov	eax, [esi+4]
		nop
		shrd	edi, eax, 0Ch
		and	edi, 1FFFFFFh
		imul	eax, edi, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[esp+50h+var_28], eax
		test	ebx, ebx
		jnz	loc_498163

loc_497FF1:				; CODE XREF: MiOutPageSingleKernelStack+29Cj
		push	1Fh
		pop	edx
		mov	ecx, edi
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	[esp+50h+var_8], eax
		mov	[esp+50h+var_4], edx
		mov	[esi], eax
		nop
		mov	ecx, [esp+50h+var_28]
		mov	[esi+4], edx
		xor	edx, edx
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		add	esi, 8
		cmp	esi, [esp+50h+var_30]
		jbe	short loc_497FCB
		test	ebx, ebx
		jnz	loc_4981A2

loc_498025:				; CODE XREF: MiOutPageSingleKernelStack+2D8j
		mov	esi, [esp+50h+var_24]
		add	esi, 0BFFFFFF8h
		cmp	esi, [esp+50h+var_40]
		jb	loc_49811D
		xor	ecx, ecx
		inc	ecx

loc_49803C:				; CODE XREF: MiOutPageSingleKernelStack+243j
		mov	eax, [esi]
		xor	edx, edx
		and	eax, ecx
		or	eax, edx
		jz	loc_49811D
		mov	ecx, [esi]
		mov	[esp+50h+var_20], edx
		mov	[esp+50h+var_1C], edx
		nop
		mov	eax, [esi+4]
		mov	[esp+50h+var_8], ecx
		mov	[esp+50h+var_4], eax
		nop
		shrd	ecx, eax, 0Ch
		mov	[esp+50h+var_20], edx
		and	ecx, 1FFFFFFh
		imul	ebx, ecx, 1Ch
		mov	[esp+50h+var_24], ecx
		add	ebx, ds:_MmPfnDatabase
		mov	eax, [ebx+18h]
		lea	edi, [ebx+10h]
		and	eax, offset loc_7FFFFF
		imul	eax, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[esp+50h+var_28], eax

loc_498094:				; CODE XREF: MiOutPageSingleKernelStack+123D3Dj
		lock bts dword ptr [edi], 1Fh
		jb	loc_5BBC02
		xor	eax, eax
		inc	eax
		cmp	[ebx+14h], ax
		jnz	loc_5BBC16
		mov	eax, [esp+50h+var_14]
		mov	[esi], eax
		nop
		mov	eax, [esp+50h+var_10]
		mov	[esi+4], eax
		or	dword ptr [edi], 40000000h
		and	dword ptr [ebx+18h], 8FFFFFFFh

loc_4980C7:				; CODE XREF: MiOutPageSingleKernelStack+123D5Cj
		mov	ecx, ebx
		call	MiDecrementShareCount
		mov	ecx, 7FFFFFFFh
		lock and [edi],	ecx
		cmp	eax, 3
		jz	short loc_498101
		mov	ebx, [esp+50h+var_28]
		and	[esp+50h+var_C], 0
		lea	edi, [ebx+10h]

loc_4980E7:				; CODE XREF: MiOutPageSingleKernelStack+123D70j
		lock bts dword ptr [edi], 1Fh
		jb	loc_5BBC35
		mov	ecx, ebx
		call	MiDecrementShareCount
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax

loc_498101:				; CODE XREF: MiOutPageSingleKernelStack+205j
		inc	[esp+50h+var_38]
		sub	esi, 8
		sub	[esp+50h+var_34], 1000h
		push	1
		pop	ecx
		cmp	esi, [esp+50h+var_40]
		jnb	loc_49803C

loc_49811D:				; CODE XREF: MiOutPageSingleKernelStack+15Fj
					; MiOutPageSingleKernelStack+170j
		mov	ebx, [esp+50h+var_3C]
		cmp	[esp+50h+var_2C], ebx
		jnz	loc_5BBC49

loc_49812B:				; CODE XREF: MiOutPageSingleKernelStack+123D85j
		lea	edx, [ebx-40000000h]
		mov	ebx, offset unk_6D3A40
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [esp+50h+var_41]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		mov	edx, [esp+50h+var_34]
		mov	ecx, [ebp+arg_8]
		push	0
		push	[esp+54h+var_38]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_498163:				; CODE XREF: MiOutPageSingleKernelStack+117j
		push	esi
		mov	edx, offset _MiSystemPartition
		mov	ecx, ebx
		call	_MiOutSwapKernelStackPage@12 ; MiOutSwapKernelStackPage(x,x,x)
		jmp	loc_497FF1
; 

loc_498175:				; CODE XREF: MiOutPageSingleKernelStack+F1j
		push	offset unk_6D50F0
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		test	byte ptr [edi+2A0h], 7
		jnz	loc_5BBBF3
		mov	eax, [edi+2D0h]
		cmp	eax, 2
		jbe	loc_5BBBF3
		mov	ebx, eax
		jmp	loc_497FCB
; 

loc_4981A2:				; CODE XREF: MiOutPageSingleKernelStack+14Bj
		push	offset unk_6D50F0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	loc_498025
MiOutPageSingleKernelStack endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiDeleteTopLevelPage(x, x)
_MiDeleteTopLevelPage@8	proc near	; CODE XREF: MiDeleteFinalPageTables+117p
					; MiDeleteProcessShadow+1BAp
		mov	edi, edi
		push	ebx
		push	esi
		imul	esi, edx, 1Ch
		push	edi
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, esi
		mov	bl, al
		call	_MiClearContainingMapping@4 ; MiClearContainingMapping(x)
		lea	edi, [esi+10h]
		mov	ecx, esi
		or	dword ptr [edi], 40000000h
		call	MiDecrementShareCount
		mov	ecx, esi
		call	MiDecrementShareCount
		mov	esi, eax
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_MiDeleteTopLevelPage@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiZeroCfgSystemWideBitmapWorker	proc near ; CODE XREF: MiZeroCfgSystemWideBitmap(x,x)+1Dp

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BBC5E SIZE 0000017B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_6C]
		mov	esi, edx
		stosd
		mov	edx, 0FFFh
		shr	esi, 3
		mov	ebx, ecx
		stosd
		stosd
		mov	eax, esi
		and	eax, edx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_0]
		shr	eax, 3
		add	eax, esi
		mov	ecx, eax
		and	ecx, edx
		dec	eax
		shr	eax, 0Ch
		lea	edx, [ebp+var_58]
		mov	[ebp+var_58], eax
		xor	eax, eax
		mov	[ebp+var_14], ecx
		mov	ecx, ebx
		mov	[ebp+var_54], eax
		call	_MiLocatePagefileSubsection@8 ;	MiLocatePagefileSubsection(x,x)
		mov	edx, [ebp+var_58]
		mov	ecx, ebx
		shl	edx, 3
		mov	[ebp+var_20], eax
		mov	edi, [eax+4]
		xor	eax, eax
		mov	[ebp+var_44], edx
		add	edi, edx
		shr	esi, 0Ch
		lea	edx, [ebp+var_50]
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], eax
		call	_MiLocatePagefileSubsection@8 ;	MiLocatePagefileSubsection(x,x)
		mov	esi, [ebp+var_20]
		xor	edx, edx
		mov	[ebp+var_4], eax
		cmp	[eax+4], edx
		jz	loc_5BBC5E
		mov	ecx, [ebp+var_50]

loc_498285:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123A79j
		mov	edx, [eax+4]
		lea	ebx, [edx+ecx*8]
		cmp	eax, esi
		jnz	loc_5BBC7E
		mov	esi, edi

loc_498295:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123A87j
		xor	edx, edx
		mov	[ebp+var_C], esi
		mov	ecx, edx
		mov	[ebp+var_24], edx
		mov	edx, [ebp+var_2C]
		neg	edx
		mov	byte ptr [ebp+arg_0+3],	21h
		mov	[ebp+var_10], ecx
		sbb	edx, edx
		and	edx, ebx
		mov	[ebp+var_18], edx
		mov	edx, [ebp+var_14]
		neg	edx
		sbb	edx, edx
		and	edx, edi
		mov	[ebp+var_1C], edx

loc_4982BE:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+280j
					; MiZeroCfgSystemWideBitmapWorker+123AE1j
		cmp	ebx, esi
		jnb	loc_498485
		xor	edi, edi

loc_4982C8:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123AB6j
					; MiZeroCfgSystemWideBitmapWorker+123ABFj ...
		mov	edx, [ebp+var_24]
		mov	eax, ebx
		xor	eax, edx
		test	eax, 0FFFFF000h
		jnz	loc_4984B3

loc_4982DA:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+2B5j
					; MiZeroCfgSystemWideBitmapWorker+2CBj
		test	ecx, ecx
		jz	loc_4984D0

loc_4982E2:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+2EAj
		xor	edx, edx
		mov	ecx, ebx
		call	MiLockLeafPage
		mov	edi, [ebx]
		mov	[ebp+var_8], eax
		nop
		mov	esi, [ebx+4]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_60], edi
		mov	ecx, edi
		mov	[ebp+var_5C], esi
		and	ecx, eax
		xor	edx, edx
		or	ecx, edx
		jnz	loc_4984EF
		mov	eax, edi
		and	eax, 400h
		or	eax, edx
		jnz	loc_498474
		mov	eax, edi
		and	eax, 800h
		or	eax, edx
		jz	loc_49855B
		mov	eax, dword_6D0700
		mov	ecx, edi
		mov	edx, dword_6D0704
		mov	[ebp+var_38], eax
		or	eax, edx
		mov	[ebp+var_34], edx
		mov	edx, esi
		mov	[ebp+var_3C], esi
		jz	short loc_498362
		mov	eax, ecx
		xor	esi, esi
		and	eax, 10h
		or	eax, esi
		jnz	loc_5BBCFE
		mov	edi, [ebp+var_38]
		mov	esi, [ebp+var_34]
		not	edi
		not	esi
		and	edi, ecx
		and	esi, edx

loc_498362:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+143j
					; MiZeroCfgSystemWideBitmapWorker+123B02j
		shrd	edi, esi, 0Ch
		mov	esi, [ebp+var_8]
		xor	ecx, ecx
		and	edi, 3FFFFFFh
		mov	[ebp+var_30], ecx
		mov	[ebp+var_34], ecx
		cmp	[esi+14h], cx
		jnz	loc_498453
		cmp	ebx, [ebp+var_18]
		jz	loc_498602
		cmp	ebx, [ebp+var_1C]
		jz	loc_498602
		xor	edx, edx
		mov	ecx, esi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		xor	edx, edx
		test	eax, eax
		jz	loc_5BBD07
		xor	ecx, ecx
		push	ecx
		lea	ecx, [esi+8]
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	[ebp+var_30], eax
		mov	eax, [esi+8]
		mov	[ebp+var_34], edx
		mov	edx, [esi+0Ch]
		mov	ecx, edx
		mov	[ebp+var_38], eax
		shrd	eax, ecx, 1
		test	al, 1
		jz	loc_4984A3
		mov	ecx, [ebp+var_38]
		mov	eax, edx
		shrd	ecx, eax, 0Ch
		and	ecx, 0Fh
		mov	eax, dword_6D5D94[ecx*4]
		mov	ecx, dword_6D0704
		mov	[ebp+var_48], eax
		mov	eax, dword_6D0700
		or	eax, ecx
		mov	[ebp+var_28], ecx
		jz	short loc_498407
		mov	ecx, [ebp+var_38]
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jz	loc_4985F7

loc_498407:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+1F4j
					; MiZeroCfgSystemWideBitmapWorker+3FDj
		push	dword ptr [esi+0Ch]
		mov	ecx, [ebp+var_48]
		push	dword ptr [esi+8]
		push	2

loc_498412:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+2AEj
		call	_MiTransferSoftwarePte@20 ; MiTransferSoftwarePte(x,x,x,x,x)
		mov	ecx, eax
		mov	eax, [esi+18h]
		and	eax, offset loc_7FFFFF
		imul	esi, eax, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	[ebx], ecx
		nop
		mov	ecx, esi
		mov	[ebx+4], edx
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	ecx, esi
		call	MiDecrementShareCount
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		push	2
		pop	edx
		mov	ecx, edi
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)

loc_498453:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+17Bj
		xor	edi, edi
		inc	edi

loc_498456:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+4C7j
					; MiZeroCfgSystemWideBitmapWorker+4D7j
		mov	eax, [ebp+var_8]
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx
		mov	ecx, [ebp+var_30]
		mov	eax, ecx
		mov	edx, [ebp+var_34]
		or	eax, edx
		jnz	loc_498714

loc_498474:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+114j
					; MiZeroCfgSystemWideBitmapWorker+350j	...
		mov	eax, [ebp+var_4]
		add	ebx, 8
		mov	ecx, [ebp+var_10]
		mov	esi, [ebp+var_C]
		jmp	loc_4982BE
; 

loc_498485:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+C0j
		mov	edx, [ebp+var_20]
		cmp	eax, edx
		jnz	loc_5BBC8C

loc_498490:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123A92j
		test	ecx, ecx
		jz	short loc_49849C
		mov	dl, byte ptr [ebp+arg_0+3]
		call	MiUnlockProtoPoolPage

loc_49849C:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+292j
					; MiZeroCfgSystemWideBitmapWorker+123A60j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4984A3:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+1C8j
		push	edx
		push	dword ptr [esi+8]
		xor	eax, eax
		xor	edx, edx
		push	eax
		xor	ecx, ecx
		jmp	loc_498412
; 

loc_4984B3:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+D4j
		test	edx, edx
		jz	loc_4982DA
		mov	dl, byte ptr [ebp+arg_0+3]
		call	MiUnlockProtoPoolPage
		mov	ecx, edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_10], ecx
		jmp	loc_4982DA
; 

loc_4984D0:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+DCj
		lea	edx, [ebp+arg_0+3]
		mov	ecx, ebx
		call	MiLockProtoPoolPage
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	loc_5BBCD2
		mov	[ebp+var_24], ebx
		jmp	loc_4982E2
; 

loc_4984EF:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+105j
		nop
		shrd	edi, esi, 0Ch
		push	80000000h
		and	edi, 1FFFFFFh
		xor	edx, edx
		mov	ecx, edi
		call	MiMapPageInHyperSpaceWorker
		mov	esi, eax
		cmp	ebx, [ebp+var_18]
		jz	loc_4986DC
		cmp	ebx, [ebp+var_1C]
		jz	loc_5BBCE6
		mov	edx, 1000h
		mov	ecx, esi
		call	_KeZeroPages	; KiZeroPages(x,x)

loc_498529:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+4F6j
		push	80000000h
		mov	dl, 21h
		mov	ecx, esi
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		lea	ecx, [esi+10h]
		mov	esi, 7FFFFFFFh
		lock and [ecx],	esi
		mov	ecx, eax
		or	ecx, edx
		jz	loc_498474
		jmp	loc_5BBCF2
; 

loc_49855B:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123j
		mov	eax, edi
		or	eax, esi
		jz	loc_498474
		cmp	ebx, [ebp+var_18]
		jz	loc_498474
		cmp	ebx, [ebp+var_1C]
		jz	loc_498474
		mov	ecx, edi
		mov	eax, esi
		shrd	ecx, eax, 1
		test	cl, 1
		jz	loc_4986FB
		mov	ecx, edi
		mov	edx, esi
		shrd	ecx, eax, 0Ch
		mov	[ebp+var_38], edx
		and	ecx, 0Fh
		mov	eax, dword_6D5D94[ecx*4]
		mov	ecx, dword_6D0700
		mov	[ebp+var_48], eax
		mov	eax, dword_6D0704
		mov	[ebp+var_3C], eax
		mov	eax, ecx
		or	eax, [ebp+var_3C]
		jz	short loc_4985C6
		mov	eax, edi
		xor	edx, edx
		and	eax, 10h
		or	eax, edx
		jz	loc_498707
		mov	edx, esi

loc_4985C6:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+3B3j
					; MiZeroCfgSystemWideBitmapWorker+50Fj
		mov	ecx, [ebp+var_48]
		push	esi
		push	edi
		push	2

loc_4985CD:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+502j
		call	_MiTransferSoftwarePte@20 ; MiTransferSoftwarePte(x,x,x,x,x)
		push	esi
		mov	[ebp+var_38], edx
		mov	ecx, offset _MiSystemPartition
		push	edi
		xor	edx, edx
		mov	[ebp+var_3C], eax
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		mov	eax, [ebp+var_3C]
		mov	[ebx], eax
		nop
		mov	eax, [ebp+var_38]
		mov	[ebx+4], eax
		jmp	loc_498474
; 

loc_4985F7:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+201j
		not	[ebp+var_28]
		and	edx, [ebp+var_28]
		jmp	loc_498407
; 

loc_498602:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+184j
					; MiZeroCfgSystemWideBitmapWorker+18Dj
		test	byte ptr [esi+16h], 10h
		mov	[ebp+var_3C], ecx
		jz	loc_498727
		mov	eax, dword_6D57A8
		mov	[ebp+var_28], eax
		add	eax, 10h
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_68], eax
		mov	[ebp+var_6C], ecx
		jnz	loc_5BBD22
		lea	edx, [ebp+var_6C]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_49876D

loc_49863A:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+550j
					; MiZeroCfgSystemWideBitmapWorker+575j	...
		push	80000000h
		xor	edx, edx
		mov	ecx, edi
		call	MiMapPageInHyperSpaceWorker
		mov	[ebp+var_48], eax
		cmp	ebx, [ebp+var_18]
		jnz	loc_5BBD31
		mov	edx, [ebp+var_2C]
		mov	ecx, 1000h
		sub	ecx, edx
		push	ecx		; size_t
		xor	ecx, ecx
		push	ecx		; int
		lea	ecx, [edx+eax]
		push	ecx		; void *

loc_498666:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123B38j
		call	_memset
		mov	ecx, [ebp+var_48]
		add	esp, 0Ch
		mov	dl, 21h
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		xor	eax, eax
		inc	eax
		cmp	dword_6D3034, eax
		jz	loc_5BBD3D

loc_49868C:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123B67j
		xor	edi, edi
		inc	edi

loc_49868F:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123BC4j
		cmp	[ebp+var_28], 0
		jz	short loc_4986C4
		test	ds:byte_70EFC6,	1
		jnz	loc_5BBDC9
		mov	eax, [ebp+var_6C]
		test	eax, eax
		jnz	loc_49875D
		mov	edx, [ebp+var_68]
		lea	eax, [ebp+var_6C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_6C]
		cmp	eax, ecx
		jnz	loc_498755

loc_4986C4:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+493j
					; MiZeroCfgSystemWideBitmapWorker+568j	...
		cmp	[ebp+var_3C], edi
		jnz	loc_498456
		push	8
		pop	edx
		mov	ecx, esi
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		jmp	loc_498456
; 

loc_4986DC:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+30Dj
		mov	eax, [ebp+var_2C]
		mov	ecx, 1000h
		sub	ecx, eax
		push	ecx		; size_t
		xor	ecx, ecx
		push	ecx		; int
		lea	ecx, [eax+esi]
		push	ecx		; void *

loc_4986EE:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123AEDj
		call	_memset
		add	esp, 0Ch
		jmp	loc_498529
; 

loc_4986FB:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+382j
		push	esi
		push	edi
		push	edx
		xor	edx, edx
		xor	ecx, ecx
		jmp	loc_4985CD
; 

loc_498707:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+3BEj
		mov	edx, [ebp+var_3C]
		not	edx
		and	edx, [ebp+var_38]
		jmp	loc_4985C6
; 

loc_498714:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+26Ej
		push	edx
		push	ecx
		mov	edx, edi

loc_498718:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123AF9j
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo
		jmp	loc_498474
; 

loc_498727:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+409j
		xor	eax, eax
		xor	edx, edx
		inc	eax
		mov	ecx, esi
		mov	[ebp+var_3C], eax
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		mov	ecx, esi
		test	eax, eax
		jz	loc_5BBD0B
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	[ebp+var_30], eax
		xor	eax, eax
		mov	[ebp+var_34], edx
		mov	[ebp+var_28], eax
		jmp	loc_49863A
; 

loc_498755:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+4BEj
		lea	ecx, [ebp+var_6C]
		call	KxWaitForLockChainValid

loc_49875D:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+4A7j
		xor	ecx, ecx
		add	eax, 4
		mov	[ebp+var_6C], ecx
		lock xor [eax],	edi
		jmp	loc_4986C4
; 

loc_49876D:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+434j
		lea	ecx, [ebp+var_6C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_49863A
MiZeroCfgSystemWideBitmapWorker	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockAndDecrementShareCount(x, x)
_MiLockAndDecrementShareCount@8	proc near ; CODE XREF: MiIssueHardFault(x,x)+52Fp
					; .text:0045EA36p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[esp+10h+var_1], al
		lea	edi, [esi+10h]
		test	bl, 1
		jnz	short loc_4987BF

loc_49879B:				; CODE XREF: MiLockAndDecrementShareCount(x,x)+4Bj
		mov	ecx, esi
		call	MiDecrementShareCount
		mov	esi, eax
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, [esp+10h+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4987BF:				; CODE XREF: MiLockAndDecrementShareCount(x,x)+1Fj
		or	dword ptr [edi], 40000000h
		jmp	short loc_49879B
_MiLockAndDecrementShareCount@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDecrementShareCount proc near		; CODE XREF: .text:0044A7FBp
					; .text:0044A837p ...

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch

; FUNCTION CHUNK AT 005A7F9D SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ebx
		mov	bl, [ecx+16h]
		push	esi
		mov	esi, [ecx+10h]
		mov	al, bl
		mov	edx, esi
		and	al, 7
		and	edx, 3FFFFFFFh
		cmp	al, 6
		jnz	loc_5A7F9D
		dec	edx
		mov	eax, esi
		xor	eax, edx
		and	eax, 3FFFFFFFh
		xor	eax, esi
		mov	[ecx+10h], eax
		test	edx, edx
		jz	short loc_498812
		mov	eax, 2
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_498812:				; CODE XREF: MiDecrementShareCount+35j
		xor	edx, edx
		call	_MiPfnShareCountIsZero@8 ; MiPfnShareCountIsZero(x,x)
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
MiDecrementShareCount endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiClearContainingMapping(x)
_MiClearContainingMapping@4 proc near	; CODE XREF: MiDeletePageDirectoryPages+65p
					; MiDeleteTopLevelPage(x,x)+19p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, ds:_MmPfnDatabase
		push	ebx
		mov	ebx, [ecx+18h]
		push	esi
		and	ebx, offset loc_7FFFFF
		imul	edx, ebx, 1Ch
		push	edi
		mov	edi, [ecx+4]
		mov	esi, edi
		and	esi, 0FFFFF1FFh
		mov	ecx, 80000000h
		or	esi, 800001FFh
		shr	esi, 9
		sub	esi, 40000000h
		mov	eax, [edx+eax+4]
		or	eax, ecx
		cmp	eax, esi
		jnz	short loc_4988AA
		push	ecx
		xor	edx, edx
		mov	ecx, ebx
		call	MiMapPageInHyperSpaceWorker
		shr	edi, 3
		and	edi, 1FFh
		mov	edx, [eax+edi*8]
		nop
		mov	esi, [eax+edi*8+4]
		mov	ecx, edx
		and	ecx, 1
		or	ecx, 0
		jz	short loc_49889C
		and	edx, 0FFFFFFFEh
		or	edx, 400h
		mov	[eax+edi*8], edx
		nop
		mov	[eax+edi*8+4], esi

loc_49889C:				; CODE XREF: MiClearContainingMapping(x)+69j
		push	80000000h
		mov	dl, 21h
		mov	ecx, eax
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)

loc_4988AA:				; CODE XREF: MiClearContainingMapping(x)+44j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiClearContainingMapping@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmKmStoreHelperWorker proc near		; DATA XREF: SmKmStoreHelperStart(x,x)+10o

var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BBDD9 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		push	7
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_20]
		rep stosd
		mov	eax, large fs:124h
		push	19h
		push	eax
		call	KeSetActualBasePriorityThread
		mov	eax, large fs:124h
		mov	ebx, [ebp+arg_0]
		or	dword ptr [eax+300h], 2
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	edi, [ebx+4]
		push	edi
		call	KeWaitForSingleObject
		push	edi
		call	_KeResetEvent@4	; KeResetEvent(x)
		movzx	esi, word ptr [ebx+26h]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_4], esi
		cmp	esi, eax
		jnz	short loc_49890F

loc_498908:				; CODE XREF: SmKmStoreHelperWorker+C0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_49890F:				; CODE XREF: SmKmStoreHelperWorker+54j
		lea	eax, [ebx+28h]

loc_498912:				; CODE XREF: SmKmStoreHelperWorker+BEj
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	SmKmStoreHelperCommandProcess
		xor	edi, edi
		lea	edx, [ebx+24h]
		inc	edi
		mov	eax, [edx]

loc_498924:				; CODE XREF: SmKmStoreHelperWorker+7Aj
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_498924
		mov	[ebp+arg_0], eax
		lea	edi, [ebx+4]
		test	al, 2
		jnz	short loc_498974

loc_498938:				; CODE XREF: SmKmStoreHelperWorker+E9j
		push	0
		push	0
		lea	eax, [ebx+14h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		test	byte ptr [ebp+arg_0], 2
		jnz	loc_5BBDD9

loc_49894F:				; CODE XREF: SmKmStoreHelperWorker+123534j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	edi
		call	KeWaitForSingleObject
		push	edi
		call	_KeResetEvent@4	; KeResetEvent(x)
		movzx	esi, word ptr [ebx+26h]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_4], esi
		cmp	esi, eax
		lea	eax, [ebx+28h]
		jnz	short loc_498912
		jmp	short loc_498908
; 

loc_498974:				; CODE XREF: SmKmStoreHelperWorker+84j
		push	7
		pop	ecx
		lea	esi, [ebx+28h]
		lea	edi, [ebp+var_20]
		rep movsd
		mov	esi, [ebp+var_4]
		cmp	esi, 4
		jnz	short loc_498998
		lea	eax, [ebp+var_20]
		mov	ecx, ebx
		push	eax
		push	esi
		pop	edx
		call	SmKmStoreHelperCommandCleanup
		and	[ebp+arg_0], 0FFFFFFFDh

loc_498998:				; CODE XREF: SmKmStoreHelperWorker+D3j
		lea	edi, [ebx+4]
		jmp	short loc_498938
SmKmStoreHelperWorker endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmKmStoreHelperCommandProcess proc near	; CODE XREF: SmKmStoreHelperWorker+65p
					; SmKmStoreHelperCommandCleanup+8CE2Dp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BBDEB SIZE 000000D4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		dec	edx
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		sub	edx, 1
		jz	loc_498A92
		sub	edx, 1
		jz	loc_498AB8
		sub	edx, 1
		jnz	loc_498A7E
		mov	eax, [esi]
		mov	ecx, [ebx+48h]
		mov	[ebp+var_4], eax
		mov	eax, [esi+4]
		mov	[ebp+var_8], eax
		mov	eax, [esi+0Ch]
		and	eax, 1
		push	eax
		push	edx
		push	ebx
		push	2
		pop	edx
		call	SmFpAllocate
		mov	edi, eax
		mov	[ebp+arg_0], edi
		test	edi, edi
		jz	loc_5BBE1B
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_10]
		mov	edx, [esi+8]
		mov	[ebp+var_10], eax
		call	SmSetThreadPagePriority
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	0
		push	edi
		mov	[ebp+var_14], eax
		call	?SmKmProbeAndLockAddress@@YGJPAXKPAU_MDL@@K@Z ;	SmKmProbeAndLockAddress(void *,ulong,_MDL *,ulong)
		mov	edi, eax
		cmp	edi, 0C00001ADh
		jz	loc_498AEE

loc_498A31:				; CODE XREF: SmKmStoreHelperCommandProcess+154j
					; SmKmStoreHelperCommandProcess+1234C0j ...
		mov	eax, [ebp+var_14]
		cmp	eax, [esi+8]
		jnz	short loc_498A72

loc_498A39:				; CODE XREF: SmKmStoreHelperCommandProcess+DEj
		test	edi, edi
		js	loc_498ADA
		mov	eax, [esi+0Ch]
		mov	edi, [ebp+arg_0]
		and	eax, 1
		mov	ecx, [ebx+48h]
		push	eax
		push	edi
		push	ebx
		push	5
		pop	edx
		call	SmFpAllocate
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_5BBE6D
		mov	[esi+10h], edi

loc_498A66:				; CODE XREF: SmKmStoreHelperCommandProcess+118j
					; SmKmStoreHelperCommandProcess+129j ...
		xor	edi, edi

loc_498A68:				; CODE XREF: SmKmStoreHelperCommandProcess+F2j
					; SmKmStoreHelperCommandProcess+14Bj ...
		mov	[esi+18h], edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_498A72:				; CODE XREF: SmKmStoreHelperCommandProcess+99j
		mov	edx, eax
		lea	ecx, [ebp+var_10]
		call	SmSetThreadPagePriority
		jmp	short loc_498A39
; 

loc_498A7E:				; CODE XREF: SmKmStoreHelperCommandProcess+2Ej
		sub	edx, 1
		jnz	loc_5BBDEB
		push	edx
		push	dword ptr [esi+4]
		push	ebx
		call	dword ptr [esi]
		mov	edi, eax
		jmp	short loc_498A68
; 

loc_498A92:				; CODE XREF: SmKmStoreHelperCommandProcess+1Cj
		mov	ecx, [esi+4]
		mov	[ebp+var_8], ecx
		call	MmStoreAllocateVirtualMemory
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_5BBE1B
		mov	ecx, [ebx+44h]
		test	ecx, ecx
		jnz	loc_5BBE90

loc_498AB3:				; CODE XREF: SmKmStoreHelperCommandProcess+1234F6j
					; SmKmStoreHelperCommandProcess+12351Cj
		mov	[esi+10h], eax
		jmp	short loc_498A66
; 

loc_498AB8:				; CODE XREF: SmKmStoreHelperCommandProcess+25j
		test	byte ptr [esi+8], 1
		mov	ecx, [esi]
		mov	eax, [esi+4]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], eax
		jnz	short loc_498A66
		call	_MmStoreFreeVirtualMemory@4 ; MmStoreFreeVirtualMemory(x)
		mov	ecx, [ebx+44h]
		test	ecx, ecx
		jz	short loc_498A66
		jmp	loc_5BBE83
; 

loc_498ADA:				; CODE XREF: SmKmStoreHelperCommandProcess+9Dj
					; SmKmStoreHelperCommandProcess+1234E0j
		push	[ebp+arg_0]
		mov	ecx, [ebx+48h]
		push	ebx
		push	2
		pop	edx
		call	SmFpFree
		jmp	loc_498A68
; 

loc_498AEE:				; CODE XREF: SmKmStoreHelperCommandProcess+8Dj
		test	byte ptr [esi+0Ch], 1
		jz	loc_498A31
		jmp	loc_5BBE25
SmKmStoreHelperCommandProcess endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict	proc near ; CODE XREF: MiStoreEvictPageFile+109p
					; MiStoreEvictPageFile+1CBp

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BBEBF SIZE 00000052 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_20]
		stosd
		mov	ecx, edx
		xor	esi, esi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], esi
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		mov	edi, esi
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		call	SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate
		mov	[ebp+var_10], eax
		cmp	eax, 400h
		jz	loc_498BF0
		mov	edx, eax
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		xor	edx, edx
		mov	ecx, offset unk_718328
		mov	ebx, [eax]
		mov	eax, ds:dword_718424
		and	eax, 1
		push	eax
		push	esi
		push	esi
		mov	[ebp+var_C], eax
		call	SmFpAllocate
		mov	esi, eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+arg_0], eax
		test	esi, esi
		jz	short loc_498BD8
		push	[ebp+var_C]
		and	[esi], edi
		xor	edx, edx
		and	[esi+4], edi
		inc	edx
		push	edi
		push	esi
		mov	ecx, offset unk_718328
		call	SmFpAllocate
		mov	edi, eax
		test	edi, edi
		jz	short loc_498BFA
		xor	eax, eax
		mov	edx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		mov	[edi+0Ch], eax
		mov	ecx, esi
		mov	[edi+10h], eax
		mov	[edi+14h], eax
		mov	[edi+1Ch], eax
		mov	eax, [ebp+var_4]
		push	edi
		push	[ebp+var_10]
		mov	dword ptr [edi], 1
		mov	eax, [eax]
		mov	[edi+4], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+8], eax
		mov	[edi+18h], esi
		call	SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork
		test	eax, eax
		mov	eax, [ebp+arg_0]
		js	short loc_498BD8
		xor	ebx, ebx
		xor	edi, edi
		xor	esi, esi

loc_498BD8:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+79j
					; SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+D2j ...
		test	ebx, ebx
		jnz	loc_5BBEBF

loc_498BE0:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+1233E9j
		test	edi, edi
		jnz	loc_5BBEEC

loc_498BE8:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+1233FBj
		test	esi, esi
		jnz	loc_5BBEFE

loc_498BF0:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+3Bj
					; SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+12340Ej
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_498BFA:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+96j
		mov	eax, [ebp+arg_0]
		jmp	short loc_498BD8
SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmFpAllocate	proc near		; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+FDp
					; SmKmStoreHelperCommandProcess+4Ep ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005BBF11 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	ebx, 5
		jge	short loc_498C59
		cmp	ebx, 2
		jz	short loc_498C73
		cmp	ebx, 3
		jz	short loc_498C81
		cmp	ebx, 4
		jz	loc_5BBF11
		lea	eax, [ebx+30h]
		mov	[ebp+arg_4], 30526D73h
		mov	byte ptr [ebp+arg_4+3],	al
		push	[ebp+arg_4]
		movzx	eax, word ptr [ecx+ebx*2+34h]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_498C4A:				; CODE XREF: SmFpAllocate+71j
					; SmFpAllocate+7Fj
		mov	esi, eax

loc_498C4C:				; CODE XREF: SmFpAllocate+9Bj
					; SmFpAllocate+A0j
		test	esi, esi
		jz	short loc_498CA2

loc_498C50:				; CODE XREF: SmFpAllocate+123317j
					; SmFpAllocate+12332Cj	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_498C59:				; CODE XREF: SmFpAllocate+15j
		test	byte ptr [edi+6], 5
		jnz	short loc_498C9D
		push	40000010h
		xor	eax, eax
		push	eax
		push	eax
		push	1
		push	eax
		push	edi
		call	MmMapLockedPagesSpecifyCache
		jmp	short loc_498C4A
; 

loc_498C73:				; CODE XREF: SmFpAllocate+1Aj
		movzx	ecx, word ptr [ecx+38h]
		shl	ecx, 0Ch
		call	SmKmAllocateMdlForLock
		jmp	short loc_498C4A
; 

loc_498C81:				; CODE XREF: SmFpAllocate+1Fj
		movzx	ecx, word ptr [ecx+3Ah]
		xor	edx, edx
		push	0
		shl	ecx, 0Ch
		inc	edx
		call	_SmAcquireReleaseCharges@12 ; SmAcquireReleaseCharges(x,x,x)
		mov	esi, eax
		neg	esi
		sbb	esi, esi
		and	esi, 0FFFFFFF8h
		jmp	short loc_498C4C
; 

loc_498C9D:				; CODE XREF: SmFpAllocate+5Dj
		mov	esi, [edi+0Ch]
		jmp	short loc_498C4C
; 

loc_498CA2:				; CODE XREF: SmFpAllocate+4Ej
		mov	ecx, [ebp+var_4]
		jmp	loc_5BBF13
SmFpAllocate	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+2Ep

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_61		= byte ptr -61h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BBF45 SIZE 0000004F BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [ebx+0Ch]
		lea	eax, [ebp+var_60]
		push	edi
		mov	edi, [ebx+8]
		push	58h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_68], edx
		call	_memset
		lea	eax, [ebp+var_48]
		mov	[ebp+var_50], 8
		xor	ecx, ecx
		mov	[ebp+var_60], eax
		mov	eax, large fs:124h
		add	esp, 0Ch
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_54], ecx
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset unk_7180B0
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_68]
		lea	edx, [ebp+var_60]
		mov	ecx, offset unk_7180B4
		push	dword ptr [eax]
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	edx, [ebp+var_68]
		lea	eax, [ebp+var_60]
		push	eax
		push	esi
		push	edi
		call	SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass
		mov	[ebp+var_78], eax
		or	edx, 0FFFFFFFFh
		mov	eax, offset unk_7180B0
		mov	[ebp+var_68], edx
		mov	ecx, edx
		lock xadd [eax], ecx
		and	cl, 6
		cmp	cl, 2
		jz	loc_498EAD

loc_498D5E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+212j
		xor	edi, edi
		mov	[ebp+var_70], edi
		test	eax, 7FFFFFFCh
		jz	loc_498E65
		mov	esi, large fs:124h
		mov	ecx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_6C], esi
		cmp	ecx, offset unk_7180B0
		ja	short loc_498DAB
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_498E89
		cmp	ecx, offset unk_7180B0
		ja	short loc_498DAB
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_498E89

loc_498DAB:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+DDj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+F2j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset unk_7180B0
		mov	[ebp+var_61], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_74], ecx
		test	ecx, ecx
		jz	loc_498E9E
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_498EC1

loc_498DEF:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+21Fj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_70], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_61], 1
		mov	edx, eax
		jnz	loc_5BBF5A
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_498E3B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+1FCj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+1232C2j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_6C], eax
		jnz	loc_498ED5

loc_498E52:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+25Bj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+1232E5j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_498E65
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	short loc_498ECE

loc_498E65:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+BEj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+1B1j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_78]
		xor	ecx, ebp
		pop	edi
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_498E89:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+E6j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+FBj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_68], eax
		jmp	loc_498DAB
; 

loc_498E9E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+12Dj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_498E3B
		jmp	loc_5BBF45
; 

loc_498EAD:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+AEj
		mov	ecx, eax
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	eax, offset unk_7180B0
		jmp	loc_498D5E
; 

loc_498EC1:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+13Fj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_74]
		jmp	loc_498DEF
; 

loc_498ECE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+1B9j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_498E65
; 

loc_498ED5:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+1A2j
		test	edi, 8000h
		jnz	short loc_498F10

loc_498EDD:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+26Fj
		test	byte ptr [ebp+var_70+2], 1
		jnz	loc_5BBF71

loc_498EE7:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+1232D1j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_498EFB
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_498EFB:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+244j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_498E52
		jmp	loc_5BBF80
; 

loc_498F10:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+231j
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_498EDD
SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+8Fp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005BBF94 SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		push	ebx
		push	esi
		mov	esi, [edx]
		lea	edx, [ebp+var_18]
		mov	eax, [eax]
		push	edi
		push	[ebp+arg_8]
		mov	[ebp+var_18], ecx
		lea	edi, [eax-1]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_20], eax
		add	edi, esi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], 400h
		call	?BTreeIteratorFromSearchResult@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUITERATOR@1@PAUSEARCH_RESULT@1@@Z ; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeIteratorFromSearchResult(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::ITERATOR *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)
		mov	ebx, [ebp+var_14]
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+var_C]
		mov	ecx, edx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], eax

loc_498F67:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+EAj
		test	eax, eax
		jz	loc_499068
		mov	edx, [ebp+var_14]
		add	ebx, 8
		movzx	eax, word ptr [eax]
		add	edx, 8
		mov	[ebp+var_1C], ebx
		lea	eax, [edx+eax*8]
		mov	edx, [ebp+var_C]
		cmp	ebx, eax
		jb	short loc_498FA4
		mov	eax, [ebp+var_14]
		mov	ebx, [eax+4]
		test	ebx, ebx
		jz	short loc_498F9B
		lea	eax, [ebx+8]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_1C], eax

loc_498F9B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+74j
		lea	eax, [ebx+8]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax

loc_498FA4:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+6Aj
		test	ebx, ebx
		jz	loc_499045
		mov	eax, [ebx]
		cmp	esi, eax
		jb	loc_499041
		test	byte ptr [ebx+7], 1
		jnz	loc_499041

loc_498FC0:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+12308Aj
		mov	eax, [ebp+var_10]
		cmp	eax, 400h
		jz	short loc_498FD6
		movzx	eax, word ptr [ebx+4]
		cmp	[ebp+var_10], eax
		jnz	short loc_49902A
		mov	eax, [ebp+var_10]

loc_498FD6:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+ACj
		cmp	byte ptr [ebx+6], 2
		jz	loc_5BBFAB
		test	ecx, ecx
		jz	short loc_49900B
		cmp	eax, 400h
		jz	short loc_49902A

loc_498FEB:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+10Cj
		mov	edx, [ebp+var_C]
		mov	byte ptr [ebx+6], 2

loc_498FF2:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+123084j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+12309Aj
		inc	ecx
		inc	edx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], edx
		cmp	ecx, [ebp+var_20]
		jz	short loc_49902A
		mov	eax, [ebp+var_14]
		inc	esi
		mov	ebx, [ebp+var_1C]
		jmp	loc_498F67
; 

loc_49900B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+C6j
		movzx	edx, word ptr [ebx+4]
		push	ecx
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	_SmKmStoreReferenceEx@12 ; SmKmStoreReferenceEx(x,x,x)
		test	eax, eax
		jz	short loc_499070
		movzx	ecx, word ptr [ebx+4]
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+var_8]
		jmp	short loc_498FEB
; 

loc_49902A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+B5j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+CDj ...
		mov	esi, [ebp+var_8]

loc_49902D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+14Aj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+15Cj
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		pop	edi
		mov	[eax], esi
		mov	eax, [ebp+var_10]
		pop	esi
		mov	[ecx], edx
		pop	ebx
		leave
		retn	0Ch
; 

loc_499041:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+94j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+9Ej
		cmp	edi, eax
		jnb	short loc_49906C

loc_499045:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+8Aj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+14Ej
		xor	ecx, ecx
		mov	eax, edi
		inc	ecx

loc_49904A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+152j
		mov	[ebp+arg_8], eax
		sub	[ebp+arg_8], esi
		add	edx, [ebp+arg_8]
		mov	esi, [ebp+var_8]
		mov	[ebp+var_C], edx
		test	esi, esi
		jnz	short loc_499076
		test	ecx, ecx
		jz	loc_5BBF94

loc_499065:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+15Ej
		inc	edx
		jmp	short loc_49902D
; 

loc_499068:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+4Dj
		xor	ebx, ebx
		jmp	short loc_499045
; 

loc_49906C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+127j
		xor	ecx, ecx
		jmp	short loc_49904A
; 

loc_499070:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+100j
		mov	edx, [ebp+var_C]
		inc	edx
		jmp	short loc_49902A
; 

loc_499076:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+13Fj
		test	ecx, ecx
		jz	short loc_49902D
		jmp	short loc_499065
SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmUpdateMemoryConditions(struct SMKM_STORE_MGR<struct	SM_TRAITS> *, enum  _SMP_MEMORY_CONDITION, unsigned long)
?SmUpdateMemoryConditions@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@W4_SMP_MEMORY_CONDITION@@K@Z proc near
					; CODE XREF: SmUpdateMemoryCondition(x,x)+47p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, edx
		mov	[ebp+var_4], eax
		test	byte ptr [edi+464h], 20h
		jz	short loc_4990A4
		push	[ebp+arg_0]
		lea	ecx, [edi+308h]
		call	SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition

loc_4990A4:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmUpdateMemoryConditions(SMKM_STORE_MGR<SM_TRAITS> *,_SMP_MEMORY_CONDITION,ulong)+18j
		xor	esi, esi

loc_4990A6:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmUpdateMemoryConditions(SMKM_STORE_MGR<SM_TRAITS> *,_SMP_MEMORY_CONDITION,ulong)+41j
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	_SmKmStoreReferenceEx@12 ; SmKmStoreReferenceEx(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_4990C6

loc_4990B6:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmUpdateMemoryConditions(SMKM_STORE_MGR<SM_TRAITS> *,_SMP_MEMORY_CONDITION,ulong)+6Fj
		inc	esi
		cmp	esi, 400h
		jb	short loc_4990A6
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4990C6:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmUpdateMemoryConditions(SMKM_STORE_MGR<SM_TRAITS> *,_SMP_MEMORY_CONDITION,ulong)+38j
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		call	SMKM_STORE_SM_TRAITS___SmStUpdateMemoryCondition
		mov	edx, [ebx+10F0h]
		mov	ecx, edi
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_4990B6
?SmUpdateMemoryConditions@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@W4_SMP_MEMORY_CONDITION@@K@Z endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall SmKmStoreReferenceEx(x, x, x)
_SmKmStoreReferenceEx@12 proc near	; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+F9p
					; SMKM_STORE_MGR<SM_TRAITS>::SmUpdateMemoryConditions(SMKM_STORE_MGR<SM_TRAITS>	*,_SMP_MEMORY_CONDITION,ulong)+2Fp ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		cmp	esi, 400h
		jnb	short loc_499107
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		test	eax, eax
		jnz	short loc_49910E

loc_499107:				; CODE XREF: SmKmStoreReferenceEx(x,x,x)+Ej
		xor	eax, eax

loc_499109:				; CODE XREF: SmKmStoreReferenceEx(x,x,x)+33j
		pop	edi
		pop	esi
		retn	4
; 

loc_49910E:				; CODE XREF: SmKmStoreReferenceEx(x,x,x)+17j
		movzx	edx, word ptr [eax+10h]
		mov	ecx, edi
		and	edx, 3Fh
		shl	edx, 0Ah
		or	edx, esi
		call	SmKmStoreReference
		jmp	short loc_499109
_SmKmStoreReferenceEx@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


SmSetThreadPagePriority	proc near	; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+81p
					; SmKmStoreHelperCommandProcess+6Fp ...

; FUNCTION CHUNK AT 005BBFBB SIZE 0000000E BYTES

		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		test	esi, esi
		jz	loc_5BBFBB

loc_499131:				; CODE XREF: SmSetThreadPagePriority+122EA0j
		mov	ecx, esi
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)
		cmp	eax, edx
		jz	short loc_499144
		mov	ecx, esi
		pop	esi
		jmp	PsSetPagePriorityThread
; 

loc_499144:				; CODE XREF: SmSetThreadPagePriority+16j
		pop	esi
		retn
SmSetThreadPagePriority	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmKmAllocateMdlForLock proc near	; CODE XREF: SmFpAllocate+7Ap
					; SmFpPreAllocate+163p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BBFC9 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	edi
		push	0
		push	3
		pop	edx
		mov	edi, ecx
		call	_SmAcquireReleaseCharges@12 ; SmAcquireReleaseCharges(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_4991C8
		lea	eax, [edi+0FFFh]
		shr	eax, 0Ch
		push	esi
		mov	[ebp+var_8], eax
		push	4C506D73h
		lea	eax, ds:1Ch[eax*4]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_4991B7
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		mov	[esi], ecx
		mov	ebx, ecx
		mov	[esi+10h], ecx
		mov	[esi+18h], ecx
		lea	eax, ds:1Ch[eax*4]
		mov	[esi+14h], edi
		mov	[esi+4], ax
		xor	eax, eax
		mov	[esi+6], ax
		mov	[ebp+var_4], esi
		mov	esi, ecx

loc_4991B7:				; CODE XREF: SmKmAllocateMdlForLock+47j
		test	ebx, ebx
		jnz	loc_5BBFC9

loc_4991BF:				; CODE XREF: SmKmAllocateMdlForLock+122E8Fj
		test	esi, esi
		jnz	loc_5BBFDA

loc_4991C7:				; CODE XREF: SmKmAllocateMdlForLock+122E9Cj
		pop	esi

loc_4991C8:				; CODE XREF: SmKmAllocateMdlForLock+1Dj
		mov	eax, [ebp+var_4]
		pop	edi
		pop	ebx
		leave
		retn
SmKmAllocateMdlForLock endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmKmUnlockMdl	proc near		; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)+93p
					; SmKmStoreHelperCommandCleanup+42p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BBFE7 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	byte ptr [esi+6], 1
		jz	short loc_4991F8
		push	esi
		test	edi, edi
		jz	loc_5BBFE7
		push	[ebp+arg_0]
		mov	ecx, edi
		push	5
		pop	edx
		call	SmFpFree

loc_4991F8:				; CODE XREF: SmKmUnlockMdl+10j
					; SmKmUnlockMdl+122E1Fj
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5BBFF4

loc_499202:				; CODE XREF: SmKmUnlockMdl+122E35j
		mov	ecx, esi
		call	MiUnlockStoreLockedPages
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
SmKmUnlockMdl	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+30Ep
					; SMKM_STORE_SM_TRAITS___SmStDirectReadComplete+1Ap

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BC00A SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		mov	[esp+30h+var_2C], edx
		xor	eax, eax
		mov	edx, [ebp+arg_0]
		mov	ecx, 8
		push	esi
		push	edi
		lea	edi, [esp+38h+var_20]
		mov	ebx, [edx]
		rep stosd
		mov	edi, [ebp+arg_4]
		and	ebx, 7
		mov	eax, [edx+18h]
		mov	[esp+38h+var_24], eax
		test	edi, edi
		jz	short loc_499255
		mov	ecx, 8
		lea	edi, [esp+38h+var_20]
		mov	esi, edx
		rep movsd
		mov	edi, [ebp+arg_4]

loc_499255:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+33j
		cmp	ebx, 4
		jnb	loc_49934A
		cmp	ebx, 2
		jz	loc_4992FC
		test	ebx, ebx
		jnz	loc_499305
		cmp	[edx+4], ebx
		jge	loc_499305
		mov	eax, [edx+8]
		mov	ecx, offset unk_718320
		mov	eax, [eax]
		mov	[esp+38h+var_18], eax
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_49928B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+100j
					; SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+135j ...
		xor	eax, eax
		cmp	ebx, 1
		setz	al
		mov	[esp+38h+var_28], eax
		mov	esi, eax

loc_499299:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+15Aj
					; SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+122E10j ...
		mov	ebx, 1

loc_49929E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+122E2Aj
		test	edi, edi
		jz	loc_5BC050
		mov	eax, [edi]
		lea	ecx, [esp+38h+var_20]
		mov	edi, [esp+38h+var_2C]
		push	eax
		push	edi
		call	SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete
		test	eax, eax
		jz	short loc_4992BF

loc_4992BB:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+122E44j
		test	esi, esi
		jnz	short loc_499315

loc_4992BF:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+A9j
					; SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+117j
		test	ebx, ebx
		jz	short loc_4992F3

loc_4992C3:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+122E3Bj
		mov	eax, [edi+10F0h]
		and	eax, 3FFh
		mov	ecx, eax
		shr	ecx, 5
		mov	ecx, ds:?SmGlobals@@3U_SM_GLOBALS@@A[ecx*4] ; _SM_GLOBALS SmGlobals
		test	ecx, ecx
		jz	loc_5BC059
		and	eax, 1Fh
		lea	eax, [eax+eax*4]
		lea	ecx, [ecx+eax*4]

loc_4992EB:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+122E4Bj
		add	ecx, 4
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_4992F3:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+B1j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4992FC:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+51j
		test	dword ptr [edx+4], 4000000h
		jnz	short loc_499329

loc_499305:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+59j
					; SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+62j
		push	eax
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFreeResource
		jmp	loc_49928B
; 

loc_499315:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+ADj
		mov	eax, [esp+38h+var_24]
		xor	edx, edx
		push	eax
		push	eax
		mov	ecx, offset unk_718328
		call	SmFpFree
		jmp	short loc_4992BF
; 

loc_499329:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+F3j
		mov	eax, 1000h
		cmp	ds:word_7182C4,	ax
		jnb	loc_5BC00A
		mov	ecx, offset unk_7182C0
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		jmp	loc_49928B
; 

loc_49934A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+48j
		mov	eax, [edx+4]
		and	eax, 7
		cmp	ebx, 5
		jnz	loc_5BC017
		test	eax, eax
		jz	loc_5BC03F
		xor	esi, esi
		push	esi
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_499299
SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete proc	near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+A2p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BC060 SIZE 00000091 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+18h]
		cmp	esi, 1
		jbe	loc_5BC060
		mov	edx, [esi]

loc_49938B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+122CF2j
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], edx
		mov	eax, [eax+10F0h]
		and	eax, 3FFh
		mov	[ebp+var_C], eax
		mov	eax, [edi]
		mov	ecx, eax
		and	ecx, 7
		jnz	loc_499430

loc_4993AC:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+C3j
		mov	ebx, [edi+8]
		mov	edx, [ebx+14h]
		shr	edx, 0Ch
		mov	[ebp+var_8], edx
		mov	edx, [ebp+var_4]
		cmp	ecx, 2
		jz	loc_499474

loc_4993C4:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+10Dj
		mov	ecx, [ebp+var_8]

loc_4993C7:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+D0j
		and	eax, 7
		jnz	short loc_499442
		push	[ebp+arg_4]
		mov	edx, edi
		push	[ebp+arg_0]
		push	ecx
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	?SmProcessAddCompletion@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAU_SM_WORK_ITEM@1@KPAU?$SMKM_STORE@USM_TRAITS@@@@J@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmProcessAddCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)

loc_4993DF:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+FFj
					; SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+12Bj ...
		mov	edx, [ebp+var_4]

loc_4993E2:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+D6j
					; SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+14Ej ...
		test	ebx, ebx	; default
		jz	short loc_499415
		test	byte ptr [ebx+6], 5
		jz	loc_5BC086

loc_4993F0:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+122D29j
		test	byte ptr ds:dword_718424, 2
		jz	short loc_499412
		mov	eax, [ebx+0Ch]
		mov	[ebp+arg_4], eax
		cmp	ds:dword_7183AC, esi
		jz	loc_5BC09E

loc_49940B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+122D7Cj
		push	ebx
		push	eax
		call	MmUnmapLockedPages

loc_499412:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+87j
					; SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+122D57j ...
		mov	edx, [ebp+var_4]

loc_499415:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+74j
		test	edx, edx
		jz	short loc_499422
		push	esi
		push	edx
		mov	edx, edi
		call	_SmIoRequestComplete@16	; SmIoRequestComplete(x,x,x,x)

loc_499422:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+A7j
		mov	eax, 1

loc_499427:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+155j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_499430:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+36j
		cmp	ecx, 2
		jz	loc_4993AC
		xor	ebx, ebx
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		jmp	short loc_4993C7
; 

loc_499442:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+5Aj
		dec	eax
		cmp	eax, 4		; switch 5 cases
		ja	short loc_4993E2 ; default
		jmp	ds:off_4994CC[eax*4] ; switch jump

loc_49944F:				; DATA XREF: .text:off_4994CCo
		test	byte ptr [edi+0Ch], 1 ;	case 0x0
		jnz	short loc_4994C3
		push	[ebp+var_C]
		mov	eax, [edi+8]
		lea	edx, [edi+4]
		push	eax
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete
		mov	dword ptr [esi], 0
		jmp	loc_4993DF
; 

loc_499474:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+4Ej
		mov	dword ptr [esi+4], 0
		mov	eax, [edi]
		jmp	loc_4993C4
; 

loc_499482:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+D8j
					; DATA XREF: .text:off_4994CCo
		push	[ebp+arg_4]	; case 0x1
		mov	edx, edi
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		sub	esp, 8
		call	?SmProcessReadCompletion@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAU_SM_WORK_ITEM@1@KPAU?$SMKM_STORE@USM_TRAITS@@@@J@Z ;	SMKM_STORE_MGR<SM_TRAITS>::SmProcessReadCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM	*,ulong,SMKM_STORE<SM_TRAITS> *,long)
		test	byte ptr ds:dword_718424, 10h
		jz	loc_4993DF
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	1
		call	SmAcquireReleaseResAvailForRead
		jmp	loc_4993DF
; 

loc_4994B2:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+D8j
					; SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+122D11j
					; DATA XREF: ...
		mov	eax, [ebp+arg_4] ; case	0x4
		mov	[esi], eax
		mov	dword ptr [esi+4], 0
		jmp	loc_4993E2	; default
; 

loc_4994C3:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+E3j
					; SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+122D0Bj
		xor	eax, eax
		jmp	loc_499427
SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete endp

; 
		align 4
off_4994CC	dd offset loc_49944F	; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+D8r
		dd offset loc_499482	; jump table for switch	statement
		dd offset loc_5BC067
		dd offset loc_5BC077
		dd offset loc_4994B2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmIoRequestComplete(x, x, x, x)
_SmIoRequestComplete@16	proc near	; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+ADp
					; SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+130C4Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [edx]
		push	esi
		mov	esi, [ebp+arg_4]
		and	ecx, 7
		mov	eax, [esi+4]
		sub	ecx, 0
		jnz	short loc_49953B
		and	eax, 1

loc_4994FA:				; CODE XREF: SmIoRequestComplete(x,x,x,x)+64j
		mov	[esi+4], eax

loc_4994FD:				; CODE XREF: SmIoRequestComplete(x,x,x,x)+5Fj
		mov	esi, [ebp+arg_0]
		test	esi, esi
		js	short loc_499546
		or	esi, 80000000h
		mov	ecx, esi
		call	_MiStoreModifiedWriteComplete@4	; MiStoreModifiedWriteComplete(x)
		mov	eax, 100h
		cmp	word_6D5134, ax
		jnb	short loc_499531
		mov	edx, esi
		mov	ecx, offset unk_6D5130
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_49952B:				; CODE XREF: SmIoRequestComplete(x,x,x,x)+59j
					; SmIoRequestComplete(x,x,x,x)+70j
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
; 

loc_499531:				; CODE XREF: SmIoRequestComplete(x,x,x,x)+3Dj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_49952B
; 

loc_49953B:				; CODE XREF: SmIoRequestComplete(x,x,x,x)+15j
		dec	ecx
		sub	ecx, 1
		jnz	short loc_4994FD
		movzx	eax, ax
		jmp	short loc_4994FA
; 

loc_499546:				; CODE XREF: SmIoRequestComplete(x,x,x,x)+22j
		push	0
		push	1
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_49952B
_SmIoRequestComplete@16	endp


;  S U B	R O U T	I N E 


; __stdcall MiStoreModifiedWriteComplete(x)
_MiStoreModifiedWriteComplete@4	proc near ; CODE XREF: SmIoRequestComplete(x,x,x,x)+2Cp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, [edi+20h]
		mov	eax, [edi+8]
		mov	ebx, [ecx+78h]
		test	eax, eax
		js	short loc_49956E

loc_499566:				; CODE XREF: MiStoreModifiedWriteComplete(x)+58j
		pop	edi
		pop	esi
		pop	ebx
		jmp	_MiStoreModifiedWriteDereference@4 ; MiStoreModifiedWriteDereference(x)
; 

loc_49956E:				; CODE XREF: MiStoreModifiedWriteComplete(x)+12j
		mov	ecx, eax
		call	MiStoreLogWriteCompleteFailure
		imul	esi, [edi+40h],	1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		or	byte ptr [esi+16h], 10h
		lea	ecx, [esi+10h]
		mov	edx, 7FFFFFFFh
		lock and [ecx],	edx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	dword ptr [ebx+2CCh], 20h
		mov	ecx, [edi+20h]
		jmp	short loc_499566
_MiStoreModifiedWriteComplete@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiStoreModifiedWriteDereference(x)
_MiStoreModifiedWriteDereference@4 proc	near ; CODE XREF: MiStoreWriteModifiedPages+821p
					; MiStoreModifiedWriteComplete(x)+17j
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [edi+18h], eax
		dec	eax
		jz	short loc_4995C3

loc_4995C0:				; CODE XREF: MiStoreModifiedWriteDereference(x)+4Ej
		pop	edi
		leave
		retn
; 

loc_4995C3:				; CODE XREF: MiStoreModifiedWriteDereference(x)+12j
		mov	eax, [edi+94h]
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[edi+0Ch], eax
		mov	eax, [edi+78h]
		lea	esi, [edi+1Ch]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _MiStoreWriteModifiedCompleteApc@20 ; MiStoreWriteModifiedCompleteApc(x,x,x,x,x)
		push	ebx
		mov	[edi+8], ebx
		push	dword ptr [eax+238h]
		push	esi
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	ebx
		push	ebx
		push	edi
		push	esi
		call	KeInsertQueueApc
		pop	esi
		pop	ebx
		jmp	short loc_4995C0
_MiStoreModifiedWriteDereference@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmProcessAddCompletion(struct	SMKM_STORE_MGR<struct SM_TRAITS> *, struct SMKM_STORE_MGR<struct SM_TRAITS>::_SM_WORK_ITEM *, unsigned long, struct SMKM_STORE<struct SM_TRAITS> *, long)
?SmProcessAddCompletion@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAU_SM_WORK_ITEM@1@KPAU?$SMKM_STORE@USM_TRAITS@@@@J@Z proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+6Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [edx+0Ch]
		mov	ebx, ecx
		mov	ecx, [edx+18h]
		push	edi
		mov	edi, [edx+4]
		mov	edx, [ebp+arg_8]
		shr	edi, 3
		and	edi, 7FFFFFFh
		mov	[ecx], edx
		test	edx, edx
		js	short loc_499630
		mov	eax, [ebp+arg_4]
		test	dword ptr [eax], 100h
		jnz	short loc_49967D

loc_499630:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmProcessAddCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)+23j
					; SMKM_STORE_MGR<SM_TRAITS>::SmProcessAddCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)+81j
		test	edi, edi
		jz	short loc_499652
		mov	[ebp+arg_8], esi
		test	edx, edx
		js	short loc_499683
		mov	eax, 1

loc_499640:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmProcessAddCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)+85j
		push	eax
		push	ecx
		push	edi
		lea	edx, [ebp+arg_8]
		mov	ecx, ebx
		call	SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete
		mov	edx, 0C0000001h

loc_499652:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmProcessAddCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)+32j
		mov	ecx, [ebp+arg_0]
		cmp	edi, ecx
		jnz	short loc_499660

loc_499659:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmProcessAddCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)+7Bj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_499660:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmProcessAddCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)+57j
		sub	ecx, edi
		lea	eax, [edi+esi]
		mov	[ebp+arg_8], eax
		test	edx, edx
		jns	short loc_499687
		xor	eax, eax

loc_49966E:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmProcessAddCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)+8Cj
		push	eax
		push	ecx
		push	ecx
		lea	edx, [ebp+arg_8]
		mov	ecx, ebx
		call	SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete
		jmp	short loc_499659
; 

loc_49967D:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmProcessAddCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)+2Ej
		or	dword ptr [ecx+4], 1
		jmp	short loc_499630
; 

loc_499683:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmProcessAddCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)+39j
		xor	eax, eax
		jmp	short loc_499640
; 

loc_499687:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmProcessAddCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)+6Aj
		mov	eax, 1
		jmp	short loc_49966E
?SmProcessAddCompletion@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAU_SM_WORK_ITEM@1@KPAU?$SMKM_STORE@USM_TRAITS@@@@J@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFreeResource proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+FBp
					; SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+130545p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BC0F1 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [edx]
		and	eax, 7
		sub	eax, 1
		jnz	short loc_4996B5
		add	ecx, 368h

loc_4996A4:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFreeResource+36j
		push	edx
		push	[ebp+arg_0]
		xor	edx, edx
		inc	edx
		call	SmFpFree

loc_4996B0:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFreeResource+122A6Bj
		pop	ecx
		pop	ebp
		retn	4
; 

loc_4996B5:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFreeResource+Ej
		sub	eax, 1
		jnz	loc_5BC0F1
		add	ecx, 3ACh
		jmp	short loc_4996A4
SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFreeResource endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmFpFree	proc near		; CODE XREF: SmKmStoreHelperCommandProcess+146p
					; SmKmUnlockMdl+23p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BC0FE SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		cmp	edi, 5
		jge	short loc_499712
		and	[ebp+var_4], 0
		mov	esi, [ebp+arg_4]

loc_4996DF:				; CODE XREF: SmFpFree+55j
		mov	eax, [ebx+40h]
		cmp	eax, [ebp+arg_0]
		jz	loc_5BC0FE

loc_4996EB:				; CODE XREF: SmFpFree+122A42j
		cmp	edi, 5
		jge	short loc_49971D
		cmp	edi, 2
		jz	short loc_499709
		cmp	edi, 3
		jz	short loc_499728
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_499702:				; CODE XREF: SmFpFree+4Aj SmFpFree+60j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_499709:				; CODE XREF: SmFpFree+2Dj
		mov	ecx, esi
		call	_SmKmFreeMdlForLock@4 ;	SmKmFreeMdlForLock(x)
		jmp	short loc_499702
; 

loc_499712:				; CODE XREF: SmFpFree+10j
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_4], ecx
		mov	esi, [ecx+0Ch]
		jmp	short loc_4996DF
; 

loc_49971D:				; CODE XREF: SmFpFree+28j
		push	[ebp+var_4]
		push	esi
		call	MmUnmapLockedPages
		jmp	short loc_499702
; 

loc_499728:				; CODE XREF: SmFpFree+32j
		movzx	ecx, word ptr [ebx+3Ah]
		xor	edx, edx
		inc	edx
		shl	ecx, 0Ch
		push	edx
		call	_SmAcquireReleaseCharges@12 ; SmAcquireReleaseCharges(x,x,x)
		jmp	short loc_499702
SmFpFree	endp

; 
		align 10h

;  S U B	R O U T	I N E 


SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+F4p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BC144 SIZE 000000BC BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		mov	eax, [ebx+0Ch]
		push	esi
		mov	esi, [edx]
		push	edi
		push	40h		; size_t
		mov	[ebp-88h], eax
		mov	edi, ecx
		lea	eax, [ebp-48h]
		mov	[ebp-80h], edi
		push	0		; int
		push	eax		; void *
		call	_memset
		lea	eax, [ebp-48h]
		mov	dword ptr [ebp-5Ch], 0
		mov	[ebp-60h], eax
		add	esp, 0Ch
		mov	eax, large fs:124h
		mov	dword ptr [ebp-58h], 0
		mov	dword ptr [ebp-4Ch], 0
		mov	dword ptr [ebp-54h], 0
		mov	dword ptr [ebp-50h], 8
		dec	word ptr [eax+13Eh]
		mov	dword ptr [ebp-78h], 0
		mov	dword ptr [ebp-74h], 0
		mov	dword ptr [ebp-70h], 0
		nop
		lea	eax, [edi+0F0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp-6Ch], eax
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [edi+0F4h]
		mov	[ebp-68h], eax

loc_4997F1:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+11Cj
		push	esi
		lea	edx, [ebp-60h]
		mov	ecx, eax
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		lea	eax, [ebp-60h]
		push	eax
		lea	edx, [ebp-78h]
		call	?BTreeIteratorFromSearchResult@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUITERATOR@1@PAUSEARCH_RESULT@1@@Z ; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeIteratorFromSearchResult(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::ITERATOR *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)
		mov	ecx, [ebp-78h]
		test	ecx, ecx
		jnz	short loc_49985E
		xor	edi, edi

loc_499811:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+130j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+14Dj
		mov	eax, [ebp-80h]
		mov	edx, [eax+3F4h]
		test	edx, edx
		jnz	loc_5BC144

loc_499822:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+122A0Cj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+122A1Fj
		mov	byte ptr [edi+6], 0
		mov	edx, [ebp-54h]
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_49988F

loc_49982E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+151j
		lea	eax, [ebp-5Ch]

loc_499831:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+15Cj
		cmp	[eax], ecx
		jnz	loc_5BC164
		mov	ecx, [ebp-74h]
		mov	edi, [ebp-68h]
		mov	[eax+4], ecx

loc_499842:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+122A3Dj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+122A6Fj
		lea	edx, [ebp-60h]
		mov	ecx, edi
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx
		mov	edi, [ebp-70h]
		inc	edi
		mov	[ebp-70h], edi
		cmp	edi, [ebx+8]
		jz	short loc_49989E
		mov	eax, [ebp-68h]
		inc	esi
		jmp	short loc_4997F1
; 

loc_49985E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+CDj
		movzx	eax, word ptr [ecx]
		mov	edi, [ebp-74h]
		inc	eax
		add	edi, 8
		mov	[ebp-74h], edi
		lea	eax, [ecx+eax*8]
		cmp	edi, eax
		jb	short loc_499811
		mov	edi, [ecx+4]
		test	edi, edi
		jz	short loc_499884
		mov	ecx, edi
		lea	eax, [edi+8]
		mov	[ebp-78h], ecx
		mov	[ebp-74h], eax

loc_499884:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+137j
		lea	eax, [edi+8]
		neg	edi
		sbb	edi, edi
		and	edi, eax
		jmp	short loc_499811
; 

loc_49988F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+ECj
		test	edx, edx
		jz	short loc_49982E
		mov	eax, [ebp-60h]
		lea	eax, [eax+edx*8]
		add	eax, 0FFFFFFF8h
		jmp	short loc_499831
; 

loc_49989E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+116j
		mov	ecx, [ebp-6Ch]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_499A2C

loc_4998B2:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+2F4j
		xor	edi, edi
		mov	[ebp-68h], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4999C5
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp-7Ch], esi
		cmp	ecx, edx
		jb	short loc_4998FA
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_499A06
		cmp	ecx, edx
		jb	short loc_4998FA
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_499A06

loc_4998FA:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+19Aj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+1ABj
		or	eax, 0FFFFFFFFh

loc_4998FD:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+2D4j
		dec	word ptr [esi+13Eh]
		mov	[ebp-70h], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp-61h], dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp-84h], ecx
		test	ecx, ecx
		jz	loc_499A19
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_499A39

loc_499944:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+304j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-68h], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp-61h], 1
		jnz	loc_5BC1C8
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_499997:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+2E1j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+122A98j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-7Ch], eax
		jnz	loc_499A53

loc_4999AE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+346j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+122ABBj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4999C5
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	loc_499A49

loc_4999C5:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+17Dj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+277j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edx, [ebp-88h]
		mov	ecx, [ebp-80h]
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		mov	ecx, [ebp-80h]
		push	0
		mov	edx, [eax]
		call	_SmKmStoreDeleteWhenEmpty@12 ; SmKmStoreDeleteWhenEmpty(x,x,x)
		mov	ecx, [ebp-4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_499A06:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+1A3j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+1B4j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp-6Ch]
		jmp	loc_4998FD
; 

loc_499A19:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+1ECj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_499997
		jmp	loc_5BC1B4
; 

loc_499A2C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+16Cj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-6Ch]
		jmp	loc_4998B2
; 

loc_499A39:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+1FEj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp-84h]
		jmp	loc_499944
; 

loc_499A49:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+27Fj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4999C5
; 

loc_499A53:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+268j
		test	edi, 8000h
		jnz	short loc_499A91

loc_499A5B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+35Aj
		test	byte ptr [ebp-66h], 1
		jnz	loc_5BC1DD

loc_499A65:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+122AA9j
		test	edi, 7FFFh
		jz	short loc_499A7C
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_499A7C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+32Bj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4999AE
		jmp	loc_5BC1EE
; 

loc_499A91:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+319j
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_499A5B
SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+36Ap
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+107p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BC200 SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		mov	[ebp+var_4], edx
		mov	[ebp+var_14], eax
		mov	eax, [edx]
		push	ebx
		push	esi
		mov	esi, [edx+0Ch]
		push	edi
		mov	[ebp+var_8], ecx
		lea	eax, [eax+esi*8]
		lea	ebx, [eax-8]
		mov	[ebp+var_10], eax
		mov	edi, [ebx]
		mov	esi, [ebx+4]
		movzx	eax, word ptr [edi]
		shl	eax, 3
		sub	eax, esi
		add	eax, edi
		mov	[ebp+var_C], eax
		mov	al, [edi+3]
		jz	short loc_499AF0
		push	[ebp+var_C]	; size_t
		lea	eax, [esi+8]
		push	eax		; void *
		push	esi		; void *
		call	_memmove
		mov	al, [edi+3]
		add	esp, 0Ch
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]

loc_499AF0:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+39j
		mov	esi, 0FFFFh
		add	[edi], si
		test	al, al
		jz	short loc_499AFF
		dec	dword ptr [ecx+4]

loc_499AFF:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+5Ej
		movzx	eax, word ptr [edi]
		cmp	[ecx], edi
		jz	short loc_499B81
		cmp	eax, 0FFh
		jb	short loc_499B45
		mov	edi, [ebp+var_4]

loc_499B10:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+D3j
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+E3j ...
		mov	ecx, [ebx]
		mov	esi, [ebx+4]
		lea	eax, [ecx+8]
		cmp	esi, eax
		jz	short loc_499B25

loc_499B1C:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+8Dj
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+9Ej ...
		xor	esi, esi

loc_499B1E:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+12279Cj
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+1227A6j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_499B25:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+7Ej
		cmp	byte ptr [ecx+3], 0
		jz	short loc_499B1C
		lea	eax, [ebp+var_18]
		xor	edx, edx
		push	eax
		mov	ecx, edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeFindSeperatorIndexEntry
		test	eax, eax
		jz	short loc_499B1C
		mov	ecx, [ebp+var_14]
		mov	edx, [esi]
		mov	[ecx], edx
		jmp	short loc_499B1C
; 

loc_499B45:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+6Fj
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute
		mov	esi, eax
		test	esi, esi
		jz	loc_5BC23D
		mov	ecx, [edi]
		and	eax, 1
		mov	edi, [ebp+var_4]
		and	ecx, 0FFFFh
		mov	[ebp+var_10], eax
		cmp	ecx, 0FFh
		jb	short loc_499B8A
		test	eax, eax
		jz	short loc_499B10
		mov	eax, [ebx+4]
		lea	eax, [eax+ecx*8]
		add	eax, 0FFFFF810h
		mov	[ebx+4], eax
		jmp	short loc_499B10
; 

loc_499B81:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+68j
		test	eax, eax
		jnz	short loc_499B1C
		jmp	loc_5BC200
; 

loc_499B8A:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+CFj
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		push	esi
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes
		cmp	[ebp+var_10], 0
		mov	ecx, [edi+0Ch]
		mov	edx, [edi]
		lea	ebx, [ecx-1]
		lea	ebx, [edx+ebx*8]
		jz	loc_499B10
		and	esi, 0FFFFFFFEh
		mov	[ebx], esi
		movzx	eax, word ptr [esi]
		lea	eax, ds:8[eax*8]
		sub	eax, [ebp+var_C]
		add	eax, esi
		mov	[edx+ecx*8-4], eax
		jmp	loc_499B10
B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmStoreDeleteWhenEmpty(x,	x, x)
_SmKmStoreDeleteWhenEmpty@12 proc near	; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+2ACp
					; SmpKeyedStoreDeleteInitiate(x,x,x)+41p ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		mov	ebx, [edx+10F0h]
		mov	eax, ecx
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		xor	edi, edi
		and	ebx, 3FFh
		mov	[ebp+var_14], eax
		mov	edx, ebx
		mov	[ebp+var_8], edi
		mov	[ebp+var_C], edi
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		xor	ecx, ecx
		inc	ecx
		lea	esi, [eax+12h]
		cmp	[ebp+arg_0], edi
		jnz	short loc_499C10
		mov	al, [esi]
		test	al, cl
		jnz	short loc_499C13

loc_499C07:				; CODE XREF: SmKmStoreDeleteWhenEmpty(x,x,x)+5Dj
					; SmKmStoreDeleteWhenEmpty(x,x,x)+6Fj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_499C10:				; CODE XREF: SmKmStoreDeleteWhenEmpty(x,x,x)+37j
		lock or	[esi], cl

loc_499C13:				; CODE XREF: SmKmStoreDeleteWhenEmpty(x,x,x)+3Dj
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_C]
		call	?StGetUserSpaceStatsKb@?$ST_STORE@USM_TRAITS@@@@SGKPAU1@PAK1@Z ; ST_STORE<SM_TRAITS>::StGetUserSpaceStatsKb(ST_STORE<SM_TRAITS>	*,ulong	*,ulong	*)
		cmp	eax, [ebp+var_8]
		jnz	short loc_499C07
		mov	dl, 2
		mov	al, [esi]

loc_499C2B:				; CODE XREF: SmKmStoreDeleteWhenEmpty(x,x,x)+6Bj
		mov	cl, al
		or	cl, dl
		lock cmpxchg [esi], cl
		jnz	short loc_499C2B
		test	al, dl
		jnz	short loc_499C07
		push	edi
		push	edi
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_38], edi
		push	eax
		mov	[ebp+var_2C], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [ebp+var_14]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_3C]
		push	1
		push	eax
		mov	[ebp+var_18], ebx
		mov	[ebp+var_34], offset _SmKmStoreDeleteWhenEmptyWorker@4 ; SmKmStoreDeleteWhenEmptyWorker(x)
		mov	[ebp+var_30], eax
		mov	[ebp+var_3C], edi
		call	ExQueueWorkItem
		push	edi
		push	edi
		push	edi
		push	1Ah
		lea	eax, [ebp+var_2C]
		push	eax
		call	KeWaitForSingleObject
		xor	edi, edi
		inc	edi
		jmp	short loc_499C07
_SmKmStoreDeleteWhenEmpty@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeFindSeperatorIndexEntry proc near
					; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+97p
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+EEp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BC247 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ecx]
		push	esi
		mov	esi, [ecx+0Ch]
		add	esi, 0FFFFFFFEh
		mov	[ebp+var_4], edx
		push	edi
		lea	esi, [ebx+esi*8]

loc_499C9F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeFindSeperatorIndexEntry+4Aj
		cmp	esi, ebx
		jb	short loc_499CD4
		test	edx, edx
		jnz	loc_5BC247
		mov	edx, [esi]
		mov	edi, [esi+4]
		lea	eax, [edx+8]
		cmp	edi, eax
		jbe	short loc_499CCC
		mov	ecx, [ebp+arg_0]
		lea	eax, [edi-8]
		mov	[ecx], edx

loc_499CBF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeFindSeperatorIndexEntry+1225DBj
		mov	[ecx+4], eax
		xor	eax, eax
		inc	eax

loc_499CC5:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeFindSeperatorIndexEntry+4Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_499CCC:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeFindSeperatorIndexEntry+2Dj
		mov	edx, [ebp+var_4]

loc_499CCF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeFindSeperatorIndexEntry+1225CBj
		sub	esi, 8
		jmp	short loc_499C9F
; 

loc_499CD4:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeFindSeperatorIndexEntry+19j
		xor	eax, eax
		jmp	short loc_499CC5
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeFindSeperatorIndexEntry endp


;  S U B	R O U T	I N E 


; __stdcall SmKmFreeMdlForLock(x)
_SmKmFreeMdlForLock@4 proc near		; CODE XREF: SmFpFree+45p
					; SmFpCleanup+F782Dp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	1
		push	3
		pop	edx
		mov	ecx, [esi+14h]
		call	_SmAcquireReleaseCharges@12 ; SmAcquireReleaseCharges(x,x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
_SmKmFreeMdlForLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	SMKM_STORE<struct SM_TRAITS>::SmStCompareRegionDataCallback(struct _SMKM_STORE_HELPER *, void *, unsigned long)
?SmStCompareRegionDataCallback@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU_SMKM_STORE_HELPER@@PAXK@Z proc	near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCompareRegionData+D16B6p
					; DATA XREF: SMKM_STORE_SM_TRAITS___SmStCompareRegionData+38o

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	34h
		push	offset dword_6A1B38
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	edi, ebx
		mov	[ebp+var_24], edi
		mov	esi, [ebp+arg_0]
		add	esi, 0FFFFEE74h
		mov	[ebp+var_28], esi
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_40], eax
		mov	[ebp+var_20], ebx
		cmp	[ebp+arg_8], ebx
		jz	short loc_499D2F
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		jmp	loc_499F36
; 

loc_499D2F:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+2Bj
		lea	ecx, [esi+1264h]
		mov	[ebp+var_44], ecx
		lock inc dword ptr [ecx]
		mov	edx, [eax]
		test	byte ptr [esi+10F5h], 4
		jz	short loc_499DB7
		push	40h
		push	ecx
		push	ebx
		mov	ecx, esi
		call	?SmStMapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)
		mov	edx, eax
		mov	[ebp+arg_0], edx
		cmp	edx, 3
		ja	short loc_499DC1

loc_499D5B:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+187j
		mov	ebx, 0C000009Ah
		mov	eax, [ebp+arg_4]

loc_499D63:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+E5j
					; SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+21Fj
		mov	ecx, [ebp+arg_0]
		test	byte ptr [esi+10F5h], 4
		jz	short loc_499D85
		cmp	ecx, 3
		jbe	short loc_499D85
		mov	edx, [eax]
		push	8
		sub	esp, 0Ch
		mov	ecx, esi
		call	?SmStUnmapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ; SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)
		mov	ecx, [ebp+arg_0]

loc_499D85:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+79j
					; SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+7Ej
		cmp	edi, 3
		jbe	loc_499F2E
		cmp	edi, ecx
		jz	loc_499F2E
		push	8
		mov	edx, [ebp+var_20]
		mov	ecx, esi
		sub	esp, 0Ch
		test	byte ptr [esi+10F5h], 4
		jz	loc_499F29
		call	?SmStUnmapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ; SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)
		jmp	loc_499F2E
; 

loc_499DB7:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+50j
		mov	ecx, esi
		call	?SmStGetRegionVA@?$SMKM_STORE@USM_TRAITS@@@@SGPADPAU1@K@Z ; SMKM_STORE<SM_TRAITS>::SmStGetRegionVA(SMKM_STORE<SM_TRAITS> *,ulong)
		mov	[ebp+arg_0], eax

loc_499DC1:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+65j
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+8]
		movzx	edx, word ptr [eax+6]
		add	edx, eax
		mov	[ebp+var_2C], edx
		mov	edx, [ebp+arg_0]

loc_499DD3:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+1F4j
		mov	[ebp+arg_8], ecx
		cmp	ecx, [ebp+var_2C]
		jnb	short loc_499D63
		mov	eax, [ecx]
		add	eax, edx
		mov	[ebp+var_38], eax
		mov	byte ptr [ecx+7], 10h
		lea	eax, [ecx+8]
		mov	[ebp+var_3C], eax
		movzx	eax, byte ptr [ecx+6]
		inc	eax
		lea	eax, [ecx+eax*8]
		mov	[ebp+var_30], eax
		lea	eax, [ecx+8]

loc_499DFA:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+230j
		mov	[ebp+var_1C], eax
		cmp	eax, [ebp+var_30]
		jnb	loc_499EDB
		mov	eax, [ebp+var_20]
		test	edi, edi
		jz	short loc_499E40
		mov	edx, [ebp+var_1C]
		cmp	eax, [edx]
		mov	edx, [ebp+arg_0]
		jz	short loc_499E84
		test	edi, edi
		jz	short loc_499E40
		cmp	edi, edx
		jz	short loc_499E40
		push	8
		mov	edx, eax
		mov	ecx, esi
		sub	esp, 0Ch
		test	byte ptr [esi+10F5h], 4
		jz	short loc_499E38
		call	?SmStUnmapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ; SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)
		jmp	short loc_499E3D
; 

loc_499E38:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+13Bj
		call	?SmStUnmapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ;	SMKM_STORE<SM_TRAITS>::SmStUnmapPhysicalRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)

loc_499E3D:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+142j
		mov	edx, [ebp+arg_0]

loc_499E40:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+117j
					; SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+125j	...
		mov	eax, [ebp+var_1C]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		mov	ecx, [ebp+arg_4]
		cmp	eax, [ecx]
		jnz	short loc_499E56
		mov	edi, edx
		mov	[ebp+var_24], edi
		jmp	short loc_499E81
; 

loc_499E56:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+159j
		push	40h
		mov	edx, eax
		push	ecx
		push	ebx
		mov	ecx, esi
		test	byte ptr [esi+10F5h], 4
		jz	short loc_499E6E
		call	?SmStMapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)
		jmp	short loc_499E73
; 

loc_499E6E:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+171j
		call	?SmStMapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapPhysicalRegion(SMKM_STORE<SM_TRAITS>	*,ulong,ulong,ulong,ulong)

loc_499E73:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+178j
		mov	edi, eax
		mov	[ebp+var_24], edi
		cmp	edi, 3
		jbe	loc_499D5B

loc_499E81:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+160j
		mov	ecx, [ebp+arg_8]

loc_499E84:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+121j
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+4]
		add	eax, edi
		mov	[ebp+var_34], eax
		movzx	edx, word ptr [ecx+4]
		mov	ecx, eax
		call	?SmStCheckResident@?$SMKM_STORE@USM_TRAITS@@@@SG?AW4_SMST_RESIDENT_CHECK_RESULT@1@PAXK@Z ; SMKM_STORE<SM_TRAITS>::SmStCheckResident(void *,ulong)
		cmp	eax, 1
		jnz	short loc_499F18
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+arg_8]
		movzx	eax, word ptr [eax+4]
		push	eax		; size_t
		push	[ebp+var_34]	; void *
		push	[ebp+var_38]	; void *
		call	_memcmp
		add	esp, 0Ch
		mov	ecx, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_499ECB
		mov	eax, [ebp+var_1C]
		sub	eax, [ebp+var_3C]
		sar	eax, 3
		mov	[ecx+7], al

loc_499ECB:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+1C9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	byte ptr [ecx+7], 10h
		jz	short loc_499F1B
		mov	edx, [ebp+arg_0]

loc_499EDB:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+10Cj
		movzx	eax, byte ptr [ecx+6]
		lea	ecx, [ecx+eax*8]
		add	ecx, 8
		mov	eax, [ebp+arg_4]
		jmp	loc_499DD3
; 

loc_499EED:				; DATA XREF: .text:006A1B4Co
		push	4
		mov	edx, [ebp+ms_exc.exc_ptr]
		mov	ecx, [ebp+var_28]
		call	?SmStUnhandledExceptionFilter@?$SMKM_STORE@USM_TRAITS@@@@SGJPAXPAU_EXCEPTION_POINTERS@@W4_SMST_STORE_EXCEPTION_SOURCE@1@@Z ; SMKM_STORE<SM_TRAITS>::SmStUnhandledExceptionFilter(void *,_EXCEPTION_POINTERS *,SMKM_STORE<SM_TRAITS>::_SMST_STORE_EXCEPTION_SOURCE)
		retn
; 

loc_499EFB:				; DATA XREF: .text:006A1B50o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, 0C0000025h
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_28]
		mov	eax, [ebp+var_40]
		mov	edi, [ebp+var_24]
		jmp	loc_499D63
; 

loc_499F18:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+1A9j
		mov	ecx, [ebp+arg_8]

loc_499F1B:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+1E2j
		mov	eax, [ebp+var_1C]
		add	eax, 8
		mov	edx, [ebp+arg_0]
		jmp	loc_499DFA
; 

loc_499F29:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+B3j
		call	?SmStUnmapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ;	SMKM_STORE<SM_TRAITS>::SmStUnmapPhysicalRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)

loc_499F2E:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+94j
					; SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+9Cj ...
		mov	eax, [ebp+var_44]
		lock dec dword ptr [eax]
		mov	eax, ebx

loc_499F36:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+36j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
?SmStCompareRegionDataCallback@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU_SMKM_STORE_HELPER@@PAXK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static enum  SMKM_STORE<struct SM_TRAITS>::_SMST_RESIDENT_CHECK_RESULT __stdcall SMKM_STORE<struct SM_TRAITS>::SmStCheckResident(void	*, unsigned long)
?SmStCheckResident@?$SMKM_STORE@USM_TRAITS@@@@SG?AW4_SMST_RESIDENT_CHECK_RESULT@1@PAXK@Z proc near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+1A1p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		xor	esi, esi
		push	esi
		push	esi
		stosd
		stosd
		stosd
		mov	eax, ecx
		and	eax, 0FFFFF000h
		lea	edi, [edx+0FFFh]
		mov	[ebp+var_10], eax
		and	ecx, 0FFFh
		add	eax, 1000h
		add	edi, ecx
		mov	[ebp+var_8], eax
		xor	edx, edx
		shr	edi, 0Ch
		or	ecx, 0FFFFFFFFh
		mov	eax, edi
		shl	eax, 3
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	4
		call	MmQueryVirtualMemory
		test	eax, eax
		js	short loc_499FC6
		mov	ecx, esi
		test	edi, edi
		jz	short loc_499FAF

loc_499FA2:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCheckResident(void *,ulong)+65j
		mov	eax, [ebp+ecx*8+var_C]
		test	al, 1
		jz	short loc_499FB8

loc_499FAA:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCheckResident(void *,ulong)+7Cj
		inc	ecx
		cmp	ecx, edi
		jb	short loc_499FA2

loc_499FAF:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCheckResident(void *,ulong)+58j
		xor	esi, esi
		inc	esi

loc_499FB2:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCheckResident(void *,ulong)+7Aj
					; SMKM_STORE<SM_TRAITS>::SmStCheckResident(void	*,ulong)+81j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_499FB8:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCheckResident(void *,ulong)+60j
		and	eax, 0C00000h
		cmp	eax, 400000h
		jnz	short loc_499FB2
		jmp	short loc_499FAA
; 

loc_499FC6:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCheckResident(void *,ulong)+52j
		push	2
		pop	esi
		jmp	short loc_499FB2
?SmStCheckResident@?$SMKM_STORE@USM_TRAITS@@@@SG?AW4_SMST_RESIDENT_CHECK_RESULT@1@PAXK@Z endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StMapAndLockRegion	proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+B8p
					; ST_STORE_SM_TRAITS___StCompactionPerformInMem+148p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BC268 SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		lea	ebx, [edx+edx]
		mov	ecx, 1FFFh
		xor	esi, esi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], esi
		mov	eax, [edi+240h]
		mov	[ebp+var_C], ecx
		test	[ebx+eax], cx
		jz	loc_49A0B3

loc_499FFF:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+138j
		cmp	byte ptr [edi+1ACh], 0
		jnz	loc_49A09E
		mov	eax, [edi+240h]
		movzx	eax, word ptr [ebx+eax]
		shr	eax, 0Dh

loc_49A019:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+D4j
		mov	ecx, [edi+1C0h]
		shl	eax, 7
		or	eax, [ebp+arg_4]
		or	eax, 10h
		test	byte ptr [ecx+10F5h], 4
		push	eax
		push	ecx
		push	esi
		jz	short loc_49A0A5
		call	?SmStMapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)

loc_49A039:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+DEj
		mov	ebx, eax
		mov	[ebp+arg_0], eax
		test	ebx, ebx
		jz	loc_49A110
		cmp	ebx, 3
		jz	loc_49A135
		cmp	ebx, 1
		jz	loc_49A135
		test	dword ptr [edi+1ACh], 40000h
		jz	short loc_49A07A
		mov	edx, [ebp+var_4]
		mov	ecx, [edi+1C0h]
		call	?SmStIsRegionBusy@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@K@Z ; SMKM_STORE<SM_TRAITS>::SmStIsRegionBusy(SMKM_STORE<SM_TRAITS> *,ulong)
		test	eax, eax
		jnz	loc_5BC26F

loc_49A07A:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+96j
		mov	ecx, [edi+1C0h]
		mov	edx, [ebp+var_4]
		push	2
		push	ecx
		test	byte ptr [ecx+10F5h], 4
		push	esi
		jz	short loc_49A0AC
		call	?SmStMapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)

loc_49A095:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+E5j
					; ST_STORE_SM_TRAITS___StMapAndLockRegion+155j	...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_49A09E:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+3Aj
		mov	eax, esi
		jmp	loc_49A019
; 

loc_49A0A5:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+66j
		call	?SmStMapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapPhysicalRegion(SMKM_STORE<SM_TRAITS>	*,ulong,ulong,ulong,ulong)
		jmp	short loc_49A039
; 

loc_49A0AC:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+C2j
		call	?SmStMapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapPhysicalRegion(SMKM_STORE<SM_TRAITS>	*,ulong,ulong,ulong,ulong)
		jmp	short loc_49A095
; 

loc_49A0B3:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+2Dj
		mov	ecx, [edi+1C0h]
		test	byte ptr [ecx+10F5h], 4
		jz	short loc_49A109
		call	SMKM_STORE_SM_TRAITS___SmStAllocateVirtualRegion

loc_49A0C7:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+142j
		test	eax, eax
		js	loc_5BC268
		mov	ecx, [ebp+arg_0]
		inc	dword ptr [edi+ecx*8+430h]
		cmp	byte ptr [edi+1ACh], 0
		mov	edx, [edi+240h]
		jnz	short loc_49A0FA
		mov	ax, [edx+ebx]
		and	ax, word ptr [ebp+var_C]
		shl	ecx, 0Dh
		or	ax, cx
		mov	[edx+ebx], ax

loc_49A0FA:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+11Aj
		mov	edx, [ebp+var_4]
		mov	[ebp+var_8], 1
		jmp	loc_499FFF
; 

loc_49A109:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+F4j
		call	?SmStAllocatePhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU1@K@Z ; SMKM_STORE<SM_TRAITS>::SmStAllocatePhysicalRegion(SMKM_STORE<SM_TRAITS> *,ulong)
		jmp	short loc_49A0C7
; 

loc_49A110:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+74j
		mov	ebx, esi

loc_49A112:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+182j
					; ST_STORE_SM_TRAITS___StMapAndLockRegion+1222A9j
		test	eax, eax
		jnz	loc_5BC27A
		mov	esi, [ebp+var_4]

loc_49A11D:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+1222EAj
					; ST_STORE_SM_TRAITS___StMapAndLockRegion+1222F4j
		cmp	[ebp+var_8], 0
		jz	loc_49A095
		mov	edx, esi
		mov	ecx, edi
		call	ST_STORE_SM_TRAITS___StReleaseRegion
		jmp	loc_49A095
; 

loc_49A135:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+7Dj
					; ST_STORE_SM_TRAITS___StMapAndLockRegion+86j
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		push	1
		call	ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup
		xor	eax, eax
		cmp	ebx, 1
		setnz	al
		lea	ebx, [eax-1]
		mov	eax, esi
		jmp	short loc_49A112
ST_STORE_SM_TRAITS___StMapAndLockRegion	endp


;  S U B	R O U T	I N E 


; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StUnlockAndUnmapRegion(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, unsigned long, char *)
?StUnlockAndUnmapRegion@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@KPAD@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+1BCp
					; ST_STORE_SM_TRAITS___StCompactionPerformInMem+206p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		push	1
		sub	esp, 0Ch
		mov	ecx, [edi+1C0h]
		test	byte ptr [ecx+10F5h], 4
		jz	short loc_49A1AC
		call	?SmStUnmapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ; SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)

loc_49A171:				; CODE XREF: ST_STORE<SM_TRAITS>::StUnlockAndUnmapRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,char	*)+61j
		cmp	byte ptr [edi+1ACh], 0
		jnz	short loc_49A1B3
		mov	eax, [edi+240h]
		movzx	eax, word ptr [eax+esi*2]
		shr	eax, 0Dh

loc_49A187:				; CODE XREF: ST_STORE<SM_TRAITS>::StUnlockAndUnmapRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,char	*)+65j
		mov	ecx, [edi+1C0h]
		mov	edx, esi
		shl	eax, 4
		or	eax, 4
		push	eax
		sub	esp, 0Ch
		test	byte ptr [ecx+10F5h], 4
		jz	short loc_49A1B7
		call	?SmStUnmapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ; SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)

loc_49A1A7:				; CODE XREF: ST_STORE<SM_TRAITS>::StUnlockAndUnmapRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,char	*)+6Cj
		pop	edi
		pop	esi
		retn	4
; 

loc_49A1AC:				; CODE XREF: ST_STORE<SM_TRAITS>::StUnlockAndUnmapRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,char	*)+1Aj
		call	?SmStUnmapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ;	SMKM_STORE<SM_TRAITS>::SmStUnmapPhysicalRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)
		jmp	short loc_49A171
; 

loc_49A1B3:				; CODE XREF: ST_STORE<SM_TRAITS>::StUnlockAndUnmapRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,char	*)+28j
		xor	eax, eax
		jmp	short loc_49A187
; 

loc_49A1B7:				; CODE XREF: ST_STORE<SM_TRAITS>::StUnlockAndUnmapRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,char	*)+50j
		call	?SmStUnmapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ;	SMKM_STORE<SM_TRAITS>::SmStUnmapPhysicalRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)
		jmp	short loc_49A1A7
?StUnlockAndUnmapRegion@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@KPAD@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE<struct SM_TRAITS>::SmStUnmapVirtualRegion(struct SMKM_STORE<struct SM_TRAITS> *, unsigned long, unsigned long, unsigned long, void *, unsigned long)
?SmStUnmapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z proc near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+89p
					; SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+B9p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ecx+1184h]
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		lea	esi, [eax+edx*4]
		mov	[ebp+var_4], ecx
		mov	eax, [esi]
		mov	edx, [ecx+117Ch]
		and	eax, 7FFF0000h
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], edx
		push	edi
		lea	edi, [ecx+10F8h]
		mov	[ebp+var_10], edi
		test	bl, 8
		jz	short loc_49A221
		mov	eax, large fs:124h
		mov	[ebp+var_8], 1
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_C]

loc_49A221:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)+3Dj
		test	bl, 4
		jz	short loc_49A26F
		cmp	dword ptr [esi], 0
		jl	loc_49A2CD
		shr	ebx, 4
		and	ebx, 7
		push	eax
		mov	edx, ebx
		call	?SmStFindVirtualLockedRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAU_SM_VIRTUAL_LOCKED_REGION@@PAU1@KPAX@Z ; SMKM_STORE<SM_TRAITS>::SmStFindVirtualLockedRegion(SMKM_STORE<SM_TRAITS> *,ulong,void *)
		mov	ebx, [ebp+var_4]
		mov	edi, eax
		mov	edx, [ebx+1220h]
		lea	esi, [ebx+11D8h]
		mov	ecx, [edi]
		push	esi
		call	SmKmUnlockMdl
		push	dword ptr [edi]
		mov	ecx, [ebx+1220h]
		push	esi
		push	2
		pop	edx
		call	SmFpFree
		and	dword ptr [edi], 0
		mov	edi, [ebp+var_10]
		jmp	short loc_49A2CD
; 

loc_49A26F:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)+66j
		test	bl, 2
		jz	short loc_49A27F
		mov	eax, 7FFFh

loc_49A279:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)+E3j
		lock and [esi],	ax
		jmp	short loc_49A2CD
; 

loc_49A27F:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)+B4j
		test	bl, 1
		jnz	short loc_49A2CD
		mov	eax, 2000h
		test	[esi], ax
		jz	short loc_49A2A3
		mov	eax, large fs:124h
		cmp	eax, [ecx+1224h]
		jnz	short loc_49A2A3
		mov	eax, 0FFFFDFFFh
		jmp	short loc_49A279
; 

loc_49A2A3:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)+CEj
					; SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)+DCj
		or	ax, 0FFFFh
		lock xadd [esi], ax
		dec	ax
		mov	word ptr [ebp+arg_C], ax
		test	[ebp+arg_C], 1FFFh
		jnz	short loc_49A2CD
		cmp	dword ptr [esi], 0
		jl	short loc_49A2CD
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		push	1
		inc	edx
		call	_SmAcquireReleaseCharges@12 ; SmAcquireReleaseCharges(x,x,x)

loc_49A2CD:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)+6Bj
					; SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)+AFj ...
		cmp	[ebp+var_8], 0
		jz	short loc_49A2FB
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_49A2E8
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_49A2E8:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)+121j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_49A2FB:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)+113j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
?SmStUnmapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void *	__stdcall SMKM_STORE<struct SM_TRAITS>::SmStMapVirtualRegion(struct SMKM_STORE<struct SM_TRAITS> *, unsigned long, unsigned long, unsigned long, unsigned long)
?SmStMapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z proc near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+58p
					; SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+173p	...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_10], esi
		test	[ebp+arg_8], 40h
		mov	eax, [esi+1184h]
		mov	[ebp+var_C], ebx
		lea	edi, [eax+edx*4]
		mov	[ebp+var_1C], edi
		jz	short loc_49A359
		mov	eax, large fs:124h
		mov	[ebp+var_C], 1
		dec	word ptr [eax+13Eh]
		nop
		lea	ecx, [esi+10F8h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		test	dword ptr [edi], 7FFF0000h
		jz	short loc_49A3CD
		mov	edx, [ebp+var_8]

loc_49A359:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+28j
		mov	eax, [edi]
		mov	ecx, [esi+117Ch]
		and	eax, 7FFF0000h
		test	[ebp+arg_8], 8
		mov	[ebp+var_20], eax
		mov	[ebp+var_8], ecx
		jz	short loc_49A399
		movzx	eax, word ptr [edi]
		test	eax, 4000h
		jz	short loc_49A386
		and	eax, 0BFFFh
		mov	[edi], ax
		jmp	short loc_49A3C4
; 

loc_49A386:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+78j
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	?SmStCheckLockInProgressRegionComplete@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@PAT_SM_VIRTUAL_REGION@@K@Z ; SMKM_STORE<SM_TRAITS>::SmStCheckLockInProgressRegionComplete(SMKM_STORE<SM_TRAITS> *,_SM_VIRTUAL_REGION *,ulong)
		test	eax, eax
		jnz	short loc_49A3C4
		push	3

loc_49A396:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+1C9j
		pop	ebx
		jmp	short loc_49A3C4
; 

loc_49A399:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+6Ej
		test	[ebp+arg_8], 10h
		jz	short loc_49A3AF
		push	dword ptr [ebp+arg_8]
		mov	ecx, esi
		push	eax
		push	edi
		call	SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion
		mov	ebx, eax
		jmp	short loc_49A3C4
; 

loc_49A3AF:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+9Bj
		test	[ebp+arg_8], 4
		jz	short loc_49A404
		mov	eax, 0FFFF8000h
		lock or	[edi], ax

loc_49A3BE:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+106j
					; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+18Fj
		mov	ebx, [ebp+var_20]
		add	ebx, [ebp+arg_0]

loc_49A3C4:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+82j
					; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+90j ...
		cmp	[ebp+var_C], 0
		jz	short loc_49A3FB
		mov	esi, [ebp+var_10]

loc_49A3CD:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+52j
		push	11h
		add	esi, 10F8h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_49A3E8
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_49A3E8:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+DDj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_49A3FB:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+C6j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_49A404:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+B1j
		test	[ebp+arg_8], 2
		jnz	short loc_49A3BE
		mov	si, [edi]
		mov	ecx, 1FFFh
		mov	word ptr [ebp+var_4], si
		mov	edx, [ebp+var_4]
		mov	eax, edx
		and	eax, ecx
		cmp	ax, cx
		jz	loc_49A4D0

loc_49A426:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+1C2j
		lea	ecx, [edx+1]
		mov	eax, 1FFFh
		xor	ecx, edx
		and	ecx, eax
		xor	ecx, edx
		mov	[ebp+var_14], ecx
		mov	word ptr [ebp+arg_8], cx
		test	edx, eax
		jnz	short loc_49A47D
		cmp	[edi], ebx
		jl	short loc_49A47D
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_SmAcquireReleaseCharges@12 ; SmAcquireReleaseCharges(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_49A478
		mov	eax, [ebp+var_10]
		mov	ecx, large fs:124h
		cmp	ecx, [eax+1224h]
		jnz	short loc_49A4C9
		mov	ecx, dword ptr [ebp+arg_8]
		and	ecx, 0E000h
		or	ecx, 2000h
		jmp	short loc_49A47F
; 

loc_49A478:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+151j
		mov	ecx, [ebp+var_14]
		jmp	short loc_49A47F
; 

loc_49A47D:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+13Bj
					; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+13Fj
		mov	edx, ebx

loc_49A47F:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+174j
					; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+179j
		mov	ax, si
		lock cmpxchg [edi], cx
		mov	di, ax
		mov	word ptr [ebp+arg_8], di
		cmp	di, si
		jz	loc_49A3BE
		test	edx, edx
		jz	short loc_49A4A8
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		push	1
		inc	edx
		call	_SmAcquireReleaseCharges@12 ; SmAcquireReleaseCharges(x,x,x)

loc_49A4A8:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+197j
		mov	eax, dword ptr [ebp+arg_8]
		mov	ecx, 1FFFh
		and	eax, ecx
		mov	si, di
		mov	word ptr [ebp+var_4], si
		cmp	ax, cx
		jz	short loc_49A4D0
		mov	edx, [ebp+var_4]
		mov	edi, [ebp+var_1C]
		jmp	loc_49A426
; 

loc_49A4C9:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+163j
		push	2
		jmp	loc_49A396
; 

loc_49A4D0:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+11Ej
					; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+1BAj
		xor	ebx, ebx
		inc	ebx
		jmp	loc_49A3C4
?SmStMapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmAcquireReleaseCharges(x, x, x)
_SmAcquireReleaseCharges@12 proc near	; CODE XREF: SmFpAllocate+8Dp
					; SmKmAllocateMdlForLock+14p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		shr	ecx, 0Ch
		inc	esi
		mov	eax, edx
		and	eax, esi
		test	dl, 2
		jnz	short loc_49A50E

loc_49A4ED:				; CODE XREF: SmAcquireReleaseCharges(x,x,x)+39j
		cmp	[ebp+arg_0], 0
		mov	edx, eax
		jnz	short loc_49A505
		push	ecx
		push	ecx
		call	MmChargeResources
		mov	esi, eax

loc_49A4FE:				; CODE XREF: SmAcquireReleaseCharges(x,x,x)+34j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_49A505:				; CODE XREF: SmAcquireReleaseCharges(x,x,x)+1Bj
		push	0
		call	MmReleaseResourceCharge
		jmp	short loc_49A4FE
; 

loc_49A50E:				; CODE XREF: SmAcquireReleaseCharges(x,x,x)+13j
		or	eax, 2
		jmp	short loc_49A4ED
_SmAcquireReleaseCharges@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmChargeResources proc near		; CODE XREF: SmAcquireReleaseCharges(x,x,x)+1Fp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BC2C5 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], eax
		test	al, 2
		jnz	short loc_49A555

loc_49A52A:				; CODE XREF: MmChargeResources+59j
		xor	esi, esi
		inc	esi
		test	al, 1
		jz	short loc_49A542
		push	esi
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	MiChargeCommit
		test	eax, eax
		jz	short loc_49A573

loc_49A542:				; CODE XREF: MmChargeResources+1Bj
		xor	edi, edi

loc_49A544:				; CODE XREF: MmChargeResources+61j
		test	edi, edi
		jnz	loc_5BC2C5

loc_49A54C:				; CODE XREF: MmChargeResources+5Dj
					; MmChargeResources+121DBCj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_49A555:				; CODE XREF: MmChargeResources+14j
		push	0
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jz	short loc_49A56F
		mov	eax, [ebp+var_4]
		push	2
		pop	edi
		jmp	short loc_49A52A
; 

loc_49A56F:				; CODE XREF: MmChargeResources+51j
		xor	esi, esi
		jmp	short loc_49A54C
; 

loc_49A573:				; CODE XREF: MmChargeResources+2Cj
		xor	esi, esi
		jmp	short loc_49A544
MmChargeResources endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmReleaseResourceCharge	proc near	; CODE XREF: SmAcquireReleaseCharges(x,x,x)+2Fp
					; MmChargeResources+121DB7p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BC2D5 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		mov	edi, offset _MiSystemPartition
		test	bl, 2
		jnz	short loc_49A5A3

loc_49A58E:				; CODE XREF: MmReleaseResourceCharge+42j
					; MmReleaseResourceCharge+4Dj ...
		test	bl, 1
		jz	short loc_49A59C
		mov	edx, esi
		mov	ecx, edi
		call	MiReturnCommit

loc_49A59C:				; CODE XREF: MmReleaseResourceCharge+19j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_49A5A3:				; CODE XREF: MmReleaseResourceCharge+14j
		mov	eax, [ebp+arg_0]
		sub	eax, 0
		jnz	loc_5BC2D5
		mov	edx, esi
		mov	ecx, edi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_49A58E
		mov	edx, offset dword_6D5E40
		lock xadd [edx], eax
		jmp	short loc_49A58E
MmReleaseResourceCharge	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion proc near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+A4p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005BC2FD SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	edi, ecx
		cmp	dword ptr [ebx], 0
		jl	loc_5BC2FD
		mov	edx, [edi+1258h]
		test	edx, edx
		jnz	loc_49A6B4

loc_49A5F2:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+F5j
		mov	esi, [ebp+arg_8]
		mov	ecx, edi
		shr	esi, 7
		and	esi, 7
		push	0
		mov	edx, esi
		call	?SmStFindVirtualLockedRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAU_SM_VIRTUAL_LOCKED_REGION@@PAU1@KPAX@Z ; SMKM_STORE<SM_TRAITS>::SmStFindVirtualLockedRegion(SMKM_STORE<SM_TRAITS> *,ulong,void *)
		mov	[ebp+arg_0], eax
		xor	eax, eax
		mov	ecx, eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_20], eax
		mov	eax, [edi+117Ch]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_8]
		mov	[edi+1258h], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_18], esi
		test	al, 1
		jnz	loc_5BC307

loc_49A63C:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+121D45j
		and	eax, 20h
		mov	ecx, edi
		or	eax, 10h
		shr	eax, 2
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	4
		pop	edx
		call	SMKM_STORE_SM_TRAITS___SmStHelperSendCommand
		test	eax, eax
		js	short loc_49A6C7
		and	dword ptr [edi+1258h], 0
		cmp	[ebp+var_8], 0
		jl	short loc_49A6D3
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	[ecx], eax
		mov	esi, [eax+0Ch]

loc_49A673:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+121D3Aj
		mov	eax, [edi+1254h]
		test	eax, eax
		jnz	short loc_49A693

loc_49A67D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+CEj
					; SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+EAj
		test	byte ptr [edi+10F5h], 20h
		jnz	loc_5BC312

loc_49A68A:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+FDj
					; SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+109j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_49A693:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+B3j
		cmp	eax, 0FFFFFFFFh
		jz	short loc_49A67D
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_4]
		shr	ecx, 3
		and	edx, 7
		add	ecx, [eax+8]
		movsx	eax, byte ptr [ecx]
		btr	eax, edx
		mov	edx, [ebp+arg_4]
		mov	[ecx], al
		jmp	short loc_49A67D
; 

loc_49A6B4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+24j
		push	0
		call	?SmStCheckLockInProgressRegionComplete@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@PAT_SM_VIRTUAL_REGION@@K@Z ; SMKM_STORE<SM_TRAITS>::SmStCheckLockInProgressRegionComplete(SMKM_STORE<SM_TRAITS> *,_SM_VIRTUAL_REGION *,ulong)
		test	eax, eax
		jnz	loc_49A5F2

loc_49A6C3:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+128j
		xor	esi, esi
		jmp	short loc_49A68A
; 

loc_49A6C7:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+8Ej
		cmp	eax, 0C0000120h
		jnz	short loc_49A6E9
		push	3
		pop	esi
		jmp	short loc_49A68A
; 

loc_49A6D3:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+9Bj
		xor	esi, esi
		cmp	[ebp+var_8], 0C0000433h
		jnz	short loc_49A68A
		mov	eax, 4000h
		or	[ebx], ax
		inc	esi
		jmp	short loc_49A68A
; 

loc_49A6E9:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+104j
		and	dword ptr [edi+1258h], 0
		jmp	short loc_49A6C3
SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static struct	_SM_VIRTUAL_LOCKED_REGION * __stdcall SMKM_STORE<struct	SM_TRAITS>::SmStFindVirtualLockedRegion(struct SMKM_STORE<struct SM_TRAITS> *, unsigned	long, void *)
?SmStFindVirtualLockedRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAU_SM_VIRTUAL_LOCKED_REGION@@PAU1@KPAX@Z proc near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)+7Ap
					; SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+39p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ecx+1188h]
		mov	eax, ebx
		push	esi
		mov	esi, edx
		push	edi
		lea	edi, [eax+28h]
		cmp	esi, 0FFFFFFFFh
		jz	short loc_49A70F
		lea	eax, [eax+esi*4]

loc_49A70F:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStFindVirtualLockedRegion(SMKM_STORE<SM_TRAITS> *,ulong,void *)+18j
		cmp	eax, edi
		jnb	short loc_49A73A
		mov	edx, [ebp+arg_0]

loc_49A716:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStFindVirtualLockedRegion(SMKM_STORE<SM_TRAITS> *,ulong,void *)+46j
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_49A73E
		cmp	[ecx+10h], edx

loc_49A71F:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStFindVirtualLockedRegion(SMKM_STORE<SM_TRAITS> *,ulong,void *)+4Ej
		jnz	short loc_49A728

loc_49A721:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStFindVirtualLockedRegion(SMKM_STORE<SM_TRAITS> *,ulong,void *)+4Aj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_49A728:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStFindVirtualLockedRegion(SMKM_STORE<SM_TRAITS> *,ulong,void *):loc_49A71Fj
		lea	ecx, [ebx+20h]
		cmp	eax, ecx
		jnb	short loc_49A742
		cmp	esi, 0FFFFFFFFh
		jz	short loc_49A742
		mov	eax, ecx

loc_49A736:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStFindVirtualLockedRegion(SMKM_STORE<SM_TRAITS> *,ulong,void *)+53j
		cmp	eax, edi
		jb	short loc_49A716

loc_49A73A:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStFindVirtualLockedRegion(SMKM_STORE<SM_TRAITS> *,ulong,void *)+1Fj
		xor	eax, eax
		jmp	short loc_49A721
; 

loc_49A73E:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStFindVirtualLockedRegion(SMKM_STORE<SM_TRAITS> *,ulong,void *)+28j
		test	edx, edx
		jmp	short loc_49A71F
; 

loc_49A742:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStFindVirtualLockedRegion(SMKM_STORE<SM_TRAITS> *,ulong,void *)+3Bj
					; SMKM_STORE<SM_TRAITS>::SmStFindVirtualLockedRegion(SMKM_STORE<SM_TRAITS> *,ulong,void	*)+40j
		add	eax, 4
		jmp	short loc_49A736
?SmStFindVirtualLockedRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAU_SM_VIRTUAL_LOCKED_REGION@@PAU1@KPAX@Z endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiObtainSystemCharges proc near		; CODE XREF: MiGetPageTablePages+C2p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BC34C SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		push	1
		mov	edi, edx
		mov	ebx, ecx
		call	MiChargeCommit
		test	eax, eax
		jz	short loc_49A7CD
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		cmp	esi, 2
		jz	short loc_49A7D1

loc_49A769:				; CODE XREF: MiObtainSystemCharges+8Ej
		push	eax
		mov	edx, edi
		mov	ecx, ebx
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jz	loc_5BC34C
		cmp	esi, 1
		jz	short loc_49A7A2
		cmp	esi, 0Bh
		jz	short loc_49A7A2
		cmp	esi, 2
		jz	short loc_49A798
		cmp	esi, 4
		jz	short loc_49A7C6
		mov	eax, offset unk_6D3624

loc_49A794:				; CODE XREF: MiObtainSystemCharges+83j
		lock xadd [eax], edi

loc_49A798:				; CODE XREF: MiObtainSystemCharges+40j
					; MiObtainSystemCharges+7Cj
		xor	eax, eax
		inc	eax

loc_49A79B:				; CODE XREF: MiObtainSystemCharges+121C0Fj
		pop	esi

loc_49A79C:				; CODE XREF: MiObtainSystemCharges+87j
		pop	edi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_49A7A2:				; CODE XREF: MiObtainSystemCharges+36j
					; MiObtainSystemCharges+3Bj
		mov	eax, large fs:124h
		mov	edx, edi
		mov	eax, [eax+80h]
		mov	esi, [eax+180h]
		lea	ecx, [esi+20h]
		lock xadd [ecx], edx
		lea	ecx, [esi+1Ch]
		lock xadd [ecx], edi
		jmp	short loc_49A798
; 

loc_49A7C6:				; CODE XREF: MiObtainSystemCharges+45j
		mov	eax, offset dword_6D3634
		jmp	short loc_49A794
; 

loc_49A7CD:				; CODE XREF: MiObtainSystemCharges+14j
		xor	eax, eax
		jmp	short loc_49A79C
; 

loc_49A7D1:				; CODE XREF: MiObtainSystemCharges+1Fj
		mov	eax, 80h
		jmp	short loc_49A769
MiObtainSystemCharges endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetPoolPages	proc near		; CODE XREF: MiInitializePoolCommitPacket+93p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BC35C SIZE 000000B5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		mov	esi, [ebp+arg_0]
		lea	edi, [ebp+var_24]
		stosd
		mov	ebx, edx
		lea	ecx, [esi+esi*8]
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		mov	eax, dword_6D069C
		xor	edi, edi
		lea	eax, [eax+ecx*8]
		mov	[ebp+var_C], eax
		cmp	[eax+30h], edi
		jnz	loc_49A918

loc_49A81C:				; CODE XREF: MiGetPoolPages+203j
		xor	edx, edx
		mov	ecx, ebx
		call	_MiObtainPoolCharges@8 ; MiObtainPoolCharges(x,x)
		test	eax, eax
		jz	loc_5BC38B
		lea	eax, [esi+1]
		xor	ecx, ecx
		push	eax
		lea	edx, [ebp+var_24]
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	esi, [ebp+var_8]
		and	esi, 40000000h
		neg	esi
		sbb	esi, esi
		and	esi, 102h
		add	esi, 20Ch
		mov	[ebp+var_8], esi
		test	ebx, ebx
		jz	loc_49A8F0
		nop

loc_49A860:				; CODE XREF: MiGetPoolPages+10Aj
		cmp	ebx, 1
		jbe	short loc_49A878
		mov	eax, large fs:124h
		test	byte ptr [eax+300h], 2
		jnz	loc_49A8FB

loc_49A878:				; CODE XREF: MiGetPoolPages+83j
					; MiGetPoolPages+12Dj
		call	MiRetryNonPagedAllocation
		mov	eax, [ebp+var_24]
		mov	ecx, 1
		lock xadd [eax], ecx
		inc	ecx
		mov	edx, [ebp+var_20]
		dec	ecx
		and	edx, ecx
		mov	ecx, offset _MiSystemPartition
		or	edx, [ebp+var_1C]
		push	esi
		call	MiGetPage
		cmp	eax, 0FFFFFFFFh
		jz	loc_5BC39F
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+ecx*4]
		mov	ecx, [esi+10h]
		lea	eax, [esi+10h]
		mov	[ebp+var_C], esi
		mov	[ebp+arg_0], eax
		mov	edx, ecx
		mov	esi, [ebp+arg_0]
		and	edx, 0F87FFFFFh
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	esi, [ebp+var_C]
		cmp	ecx, eax
		jnz	loc_5BC3F4

loc_49A8E0:				; CODE XREF: MiGetPoolPages+121C2Cj
		mov	[esi], edi
		dec	ebx
		mov	edi, esi
		mov	esi, [ebp+var_8]

loc_49A8E8:				; CODE XREF: MiGetPoolPages+121BC6j
		test	ebx, ebx
		jnz	loc_49A860

loc_49A8F0:				; CODE XREF: MiGetPoolPages+79j
					; MiGetPoolPages+1FDj ...
		mov	eax, edi

loc_49A8F2:				; CODE XREF: MiGetPoolPages+121BBAj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_49A8FB:				; CODE XREF: MiGetPoolPages+92j
		lea	edx, [ebx+0A0h]
		mov	ecx, offset _MiSystemPartition
		call	MiSufficientAvailablePages
		test	eax, eax
		jnz	loc_49A878
		jmp	loc_5BC3AC
; 

loc_49A918:				; CODE XREF: MiGetPoolPages+36j
		lea	ecx, [eax+34h]
		lea	edx, [ebp+var_18]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, [ebp+var_C]
		mov	eax, [edx+30h]
		mov	ecx, eax
		mov	[ebp+var_C], eax
		cmp	ecx, ebx
		jbe	short loc_49A934
		mov	ecx, ebx

loc_49A934:				; CODE XREF: MiGetPoolPages+150j
		test	ecx, ecx
		jz	short loc_49A966
		mov	esi, [ebp+var_C]
		sub	ebx, ecx
		mov	eax, [edx+38h]
		sub	esi, ecx
		mov	[edx+30h], esi
		mov	edi, eax
		mov	esi, [ebp+arg_0]
		lea	ebx, [ebx+0]

loc_49A950:				; CODE XREF: MiGetPoolPages+178j
		mov	[ebp+var_C], eax
		mov	eax, [eax]
		sub	ecx, 1
		jnz	short loc_49A950
		mov	ecx, [ebp+var_C]
		mov	dword ptr [ecx], 0
		mov	[edx+38h], eax

loc_49A966:				; CODE XREF: MiGetPoolPages+156j
		test	ds:byte_70EFC6,	1
		jnz	loc_5BC35C
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_5BC374
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_5BC36C

loc_49A995:				; CODE XREF: MiGetPoolPages+121B87j
					; MiGetPoolPages+121BA6j
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	[ebp+var_8], 40000000h
		jz	short loc_49A9DB
		test	edi, edi
		jz	short loc_49A9DB
		mov	esi, edi
		lea	ecx, [ecx+0]

loc_49A9B0:				; CODE XREF: MiGetPoolPages+1F6j
		mov	ecx, esi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		push	0
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiFillPhysicalPages
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_49A9B0
		mov	esi, [ebp+arg_0]

loc_49A9DB:				; CODE XREF: MiGetPoolPages+1C5j
					; MiGetPoolPages+1C9j
		test	ebx, ebx
		jz	loc_49A8F0
		jmp	loc_49A81C
MiGetPoolPages	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRetryNonPagedAllocation proc near	; CODE XREF: MiGetPoolPages:loc_49A878p
					; MiGetPoolPages:loc_5BC39Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005BC411 SIZE 00000155 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		xor	ebx, ebx
		inc	ebx
		cmp	al, bl
		ja	short loc_49AA4B
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jnz	short loc_49AA4B
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_49AA4B
		mov	eax, large fs:124h
		test	byte ptr [eax+300h], 2
		jnz	short loc_49AA4B
		mov	edx, 0A0h
		mov	ecx, offset _MiSystemPartition
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	loc_5BC411
		mov	eax, ebx

loc_49AA46:				; CODE XREF: MiRetryNonPagedAllocation+65j
					; MiRetryNonPagedAllocation+121B79j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_49AA4B:				; CODE XREF: MiRetryNonPagedAllocation+1Ej
					; MiRetryNonPagedAllocation+2Bj ...
		xor	eax, eax
		jmp	short loc_49AA46
MiRetryNonPagedAllocation endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiObtainPoolCharges(x, x)
_MiObtainPoolCharges@8 proc near	; CODE XREF: MiGetPoolPages+40p
					; MiInitializePoolCommitPacket+11394Cp	...
		cmp	dword_6D5F54, 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jz	short loc_49AA80
		push	2
		push	0
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	MiAcquireNonPagedResources
		test	eax, eax
		js	short loc_49AA8D
		mov	eax, offset unk_6D3614
		test	edi, edi
		jnz	short loc_49AA86

loc_49AA7C:				; CODE XREF: MiObtainPoolCharges(x,x)+3Bj
		lock xadd [eax], esi

loc_49AA80:				; CODE XREF: MiObtainPoolCharges(x,x)+Dj
		xor	eax, eax
		inc	eax

loc_49AA83:				; CODE XREF: MiObtainPoolCharges(x,x)+3Fj
		pop	edi
		pop	esi
		retn
; 

loc_49AA86:				; CODE XREF: MiObtainPoolCharges(x,x)+2Aj
		mov	eax, offset unk_6D3618
		jmp	short loc_49AA7C
; 

loc_49AA8D:				; CODE XREF: MiObtainPoolCharges(x,x)+21j
		xor	eax, eax
		jmp	short loc_49AA83
_MiObtainPoolCharges@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAcquireNonPagedResources proc	near	; CODE XREF: MiObtainPoolCharges(x,x)+1Ap
					; MiObtainMdlCharges+3Fp ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005BC566 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_4], 1
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jnz	short loc_49AAD7
		mov	eax, dword ptr [ebp+arg_4]
		shr	eax, 1
		and	eax, 1
		test	[ebp+arg_4], 4
		jnz	short loc_49AAEB

loc_49AAB1:				; CODE XREF: MiAcquireNonPagedResources+5Cj
		push	eax
		call	MiChargeCommit
		test	eax, eax
		jz	short loc_49AAF0
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, edi
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jz	loc_5BC566

loc_49AACF:				; CODE XREF: MiAcquireNonPagedResources+57j
		xor	eax, eax

loc_49AAD1:				; CODE XREF: MiAcquireNonPagedResources+63j
					; MiAcquireNonPagedResources+121AE2j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_49AAD7:				; CODE XREF: MiAcquireNonPagedResources+Fj
		push	4
		call	MiChargeCommit
		push	0FFFFFFFFh
		mov	edx, esi
		mov	ecx, edi
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		jmp	short loc_49AACF
; 

loc_49AAEB:				; CODE XREF: MiAcquireNonPagedResources+1Dj
		or	eax, 2
		jmp	short loc_49AAB1
; 

loc_49AAF0:				; CODE XREF: MiAcquireNonPagedResources+27j
		mov	eax, 0C000012Dh
		jmp	short loc_49AAD1
MiAcquireNonPagedResources endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiChargeResident(x,	x, x)
_MiChargeResident@12 proc near		; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+9Cp
					; MmChargeResources+4Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		cmp	edi, offset _MiSystemPartition
		jnz	short loc_49AB3B
		mov	eax, large fs:20h
		lea	ebx, [eax+3D30h]
		mov	edx, [ebx]
		cmp	esi, edx
		ja	short loc_49AB3B

loc_49AB1E:				; CODE XREF: MiChargeResident(x,x,x)+55j
		cmp	edx, 0FFFFFFFFh
		jz	short loc_49AB3B
		mov	ecx, edx
		mov	eax, edx
		sub	ecx, esi
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_49AB49
		xor	eax, eax
		inc	eax

loc_49AB34:				; CODE XREF: MiChargeResident(x,x,x)+4Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_49AB3B:				; CODE XREF: MiChargeResident(x,x,x)+12j
					; MiChargeResident(x,x,x)+24j ...
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, edi
		call	MiChargePartitionResidentAvailable
		jmp	short loc_49AB34
; 

loc_49AB49:				; CODE XREF: MiChargeResident(x,x,x)+37j
		mov	edx, eax
		cmp	esi, eax
		jbe	short loc_49AB1E
		jmp	short loc_49AB3B
_MiChargeResident@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStHelperSendCommand proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+87p
					; SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion+B9p ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BC579 SIZE 00000054 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 48h
		and	[ebp+var_48], 0
		xor	eax, eax
		and	[ebp+var_44], 0
		cmp	edx, 4
		push	esi
		setz	al
		push	edi
		mov	edi, ecx
		mov	[ebp+var_38], edi
		lea	ecx, [eax-1]
		mov	eax, [ebx+0Ch]
		and	ecx, 0FFFFFFB4h
		and	eax, 1
		add	ecx, 11D8h
		push	eax
		push	dword ptr [ebx+8]
		add	ecx, edi
		mov	[ebp+var_3C], ecx
		call	_SmKmStoreHelperSendCommand@16 ; SmKmStoreHelperSendCommand(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C00000AEh
		jz	loc_49AD5B
		mov	eax, [ebx+0Ch]
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		test	al, 2
		jnz	loc_5BC579
		cmp	byte ptr [edi+10F6h], 1
		mov	esi, edx
		mov	ecx, 0FFF0BDC0h
		jbe	short loc_49ABD7
		mov	ecx, 0FFB3B4C0h

loc_49ABD7:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+7Ej
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], esi
		test	al, 8
		jz	short loc_49ABF5
		push	0
		push	4
		push	esi
		push	ecx
		call	__alldiv
		mov	[ebp+var_44], edx
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_48], eax

loc_49ABF5:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+8Dj
		lea	eax, [ebp+var_48]
		mov	[ebp+var_14], eax

loc_49ABFB:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+121A2Bj
		test	byte ptr [edi+10F5h], 4
		jz	loc_49AD3A
		lea	ecx, [edi+10F8h]
		mov	eax, edx
		mov	[ebp+var_8], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_49AD93

loc_49AC21:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+249j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_49AD2B
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], esi
		pop	edx
		jb	short loc_49AC5E
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_49AD68

loc_49AC5E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+FDj
		cmp	ecx, [ebp+var_30]
		jb	short loc_49AC70
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_49AD68

loc_49AC70:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+10Fj
					; SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+229j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_49AD80
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_49ADA0

loc_49ACB1:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+256j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5BC595
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_49ACFD:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+236j
					; SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+121A55j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jnz	loc_49ADB7

loc_49AD14:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+29Ej
					; SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+121A76j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_49AD2B
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_49ADAD

loc_49AD2B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+DAj
					; SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+1CBj ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp+var_38]

loc_49AD3A:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+B0j
		mov	eax, [ebx+0Ch]
		mov	edx, [ebx+8]
		mov	ecx, [ebp+var_3C]
		shr	eax, 2
		and	eax, 1
		push	eax
		push	[ebp+var_14]
		call	_SmKmStoreHelperWaitForCommand@16 ; SmKmStoreHelperWaitForCommand(x,x,x,x)
		mov	ecx, edi
		mov	esi, eax
		call	?SmStAcquireStoreLockExclusive@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@@Z ; SMKM_STORE<SM_TRAITS>::SmStAcquireStoreLockExclusive(SMKM_STORE<SM_TRAITS> *)

loc_49AD5B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+59j
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_49AD68:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+106j
					; SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+118j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax
		jmp	loc_49AC70
; 

loc_49AD80:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+147j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_49ACFD
		jmp	loc_5BC582
; 

loc_49AD93:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+C9j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_49AC21
; 

loc_49ADA0:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+159j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]
		jmp	loc_49ACB1
; 

loc_49ADAD:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+1D3j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_49AD2B
; 

loc_49ADB7:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+1BCj
		test	edi, 8000h
		jz	short loc_49ADC8
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_49ADC8:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+26Bj
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5BC5AC

loc_49ADD2:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+121A64j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_49ADE6
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_49ADE6:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+287j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_49AD14
		jmp	loc_5BC5BB
SMKM_STORE_SM_TRAITS___SmStHelperSendCommand endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmStoreHelperWaitForCommand(x, x,	x, x)
_SmKmStoreHelperWaitForCommand@16 proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+1FBp
					; SmKmStoreHelperCheckWaitCommand(x,x)+26p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		lea	esi, [ebx+14h]

loc_49AE0B:				; CODE XREF: SmKmStoreHelperWaitForCommand(x,x,x,x)+5Cj
					; SmKmStoreHelperWaitForCommand(x,x,x,x)+69j
		push	[ebp+arg_0]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	esi
		call	KeWaitForSingleObject
		test	eax, eax
		jnz	short loc_49AE4B
		push	esi
		call	_KeResetEvent@4	; KeResetEvent(x)
		test	edi, edi
		jz	short loc_49AE2F
		push	7
		lea	esi, [ebx+28h]
		pop	ecx
		rep movsd

loc_49AE2F:				; CODE XREF: SmKmStoreHelperWaitForCommand(x,x,x,x)+29j
		mov	eax, [ebx+24h]
		and	dword ptr [ebx+24h], 0
		and	al, 2
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000120h

loc_49AE44:				; CODE XREF: SmKmStoreHelperWaitForCommand(x,x,x,x)+53j
					; SmKmStoreHelperWaitForCommand(x,x,x,x)+70j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_49AE4B:				; CODE XREF: SmKmStoreHelperWaitForCommand(x,x,x,x)+1Fj
		cmp	[ebp+arg_4], 0
		jz	short loc_49AE44
		lea	edx, [ebx+24h]
		mov	eax, [edx]
		test	al, 1
		jnz	short loc_49AE0B
		mov	ecx, eax
		or	ecx, 2
		lock cmpxchg [edx], ecx
		test	al, 1
		jnz	short loc_49AE0B
		mov	eax, 0C0000120h
		jmp	short loc_49AE44
_SmKmStoreHelperWaitForCommand@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmStoreHelperSendCommand(x, x, x,	x)
_SmKmStoreHelperSendCommand@16 proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+4Cp
					; SmKmStoreHelperCleanup(x)+11p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_4]
		call	_SmKmStoreHelperCheckWaitCommand@8 ; SmKmStoreHelperCheckWaitCommand(x,x)
		mov	esi, eax
		cmp	esi, 0C00000AEh
		jz	short loc_49AEAC
		mov	esi, [ebp+arg_0]
		mov	[ebx+26h], di
		test	esi, esi
		jz	short loc_49AE9F
		push	7
		lea	edi, [ebx+28h]
		pop	ecx
		rep movsd

loc_49AE9F:				; CODE XREF: SmKmStoreHelperSendCommand(x,x,x,x)+27j
		xor	esi, esi
		lea	eax, [ebx+4]
		push	esi
		push	esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_49AEAC:				; CODE XREF: SmKmStoreHelperSendCommand(x,x,x,x)+1Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_SmKmStoreHelperSendCommand@16 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall SmKmStoreHelperCheckWaitCommand(x, x)
_SmKmStoreHelperCheckWaitCommand@8 proc	near
					; CODE XREF: SmKmStoreHelperSendCommand(x,x,x,x)+Fp
					; SMKM_STORE<SM_TRAITS>::SmStCheckLockInProgressRegionComplete(SMKM_STORE<SM_TRAITS> *,_SM_VIRTUAL_REGION *,ulong)+21p	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	eax, eax
		mov	ecx, [esi+24h]
		test	ecx, ecx
		jnz	short loc_49AEC6
		pop	esi
		retn
; 

loc_49AEC6:				; CODE XREF: SmKmStoreHelperCheckWaitCommand(x,x)+Cj
		test	edx, edx
		jnz	short loc_49AED6
		test	cl, 1
		jnz	short loc_49AED6
		mov	eax, 0C00000AEh
		pop	esi
		retn
; 

loc_49AED6:				; CODE XREF: SmKmStoreHelperCheckWaitCommand(x,x)+12j
					; SmKmStoreHelperCheckWaitCommand(x,x)+17j
		push	eax
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	_SmKmStoreHelperWaitForCommand@16 ; SmKmStoreHelperWaitForCommand(x,x,x,x)
		pop	esi
		retn
_SmKmStoreHelperCheckWaitCommand@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; long __stdcall SmKmProbeAndLockAddress(void *, unsigned long,	struct _MDL *, unsigned	long)
?SmKmProbeAndLockAddress@@YGJPAXKPAU_MDL@@K@Z proc near
					; CODE XREF: SmKmStoreHelperCommandProcess+80p
					; SmKmStoreHelperCommandProcess+1234A5p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		lea	eax, [edx+0FFFh]
		and	esi, 0FFFh
		and	ecx, 0FFFFF000h
		add	eax, esi
		shr	eax, 0Ch
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, ds:1Ch[eax*4]
		and	dword ptr [edi], 0
		mov	[edi+4], ax
		xor	eax, eax
		mov	[edi+10h], ecx
		mov	ecx, edi
		mov	[edi+14h], edx
		mov	edx, [ebp+arg_4]
		mov	[edi+6], ax
		mov	[edi+18h], esi
		call	MmStoreProbeAndLockPages
		pop	edi
		pop	esi
		test	eax, eax
		js	short loc_49AF3A
		xor	eax, eax

loc_49AF36:				; CODE XREF: SmKmProbeAndLockAddress(void *,ulong,_MDL *,ulong)+5Bj
					; SmKmProbeAndLockAddress(void *,ulong,_MDL *,ulong)+62j
		pop	ebp
		retn	8
; 

loc_49AF3A:				; CODE XREF: SmKmProbeAndLockAddress(void *,ulong,_MDL *,ulong)+4Ej
		cmp	eax, 0C0000017h
		jnz	short loc_49AF36
		mov	eax, 0C00001ADh
		jmp	short loc_49AF36
?SmKmProbeAndLockAddress@@YGJPAXKPAU_MDL@@K@Z endp

; 
		dd 6 dup(0CCCCCCCCh)
; Exported entry 416. ExReinitializeResourceLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExReinitializeResourceLite
ExReinitializeResourceLite proc	near

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BC5CD SIZE 0000011E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+0Eh], 1
		jnz	loc_5BC5CD
		push	ebx
		push	edi
		mov	edi, [esi+8]
		xor	edx, edx
		mov	[ebp+arg_0], edx
		test	edi, edi
		jnz	loc_49B028
		xor	eax, eax
		mov	[ebp+var_4], eax

loc_49AF8D:				; CODE XREF: ExReinitializeResourceLite+126j
		mov	ebx, [esi+18h]
		test	ebx, ebx
		jz	short loc_49AFA1
		inc	eax
		mov	[ebp+var_4], eax
		test	bl, 3
		jnz	short loc_49AFA1
		inc	edx
		mov	[ebp+arg_0], edx

loc_49AFA1:				; CODE XREF: ExReinitializeResourceLite+32j
					; ExReinitializeResourceLite+3Bj
		test	byte ptr [esi+1Ch], 2
		jnz	loc_5BC66C
		test	bl, 3
		jnz	short loc_49AFE9

loc_49AFB0:				; CODE XREF: ExReinitializeResourceLite+12170Fj
		test	ebx, ebx
		jz	short loc_49AFE9
		test	byte ptr [esi+0Eh], 1
		jnz	loc_5BC674
		cmp	_ExpResourceEnforceOwnerTransfer, 0
		jnz	loc_5BC674
		mov	ecx, [esi+1Ch]

loc_49AFCE:				; CODE XREF: ExReinitializeResourceLite+12171Aj
					; ExReinitializeResourceLite+121742j
		test	cl, 1
		jnz	loc_5BC6A7

loc_49AFD7:				; CODE XREF: ExReinitializeResourceLite+12175Dj
		test	cl, 4
		jnz	loc_49B08B

loc_49AFE0:				; CODE XREF: ExReinitializeResourceLite+135j
		test	cl, 2
		jnz	loc_5BC6C2

loc_49AFE9:				; CODE XREF: ExReinitializeResourceLite+4Ej
					; ExReinitializeResourceLite+52j ...
		xor	ecx, ecx
		mov	[esi+0Ch], ecx
		mov	[esi+20h], ecx
		mov	[esi+10h], ecx
		mov	[esi+14h], ecx
		mov	[esi+18h], ecx
		mov	[esi+1Ch], ecx
		mov	[esi+24h], ecx
		mov	[esi+28h], ecx
		mov	[esi+2Ch], ecx
		inc	large dword ptr	fs:41DCh
		test	dword ptr ds:byte_70EFC4, 20000h
		pop	edi
		pop	ebx
		jnz	loc_5BC6D8

loc_49B01F:				; CODE XREF: ExReinitializeResourceLite+121786j
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_49B028:				; CODE XREF: ExReinitializeResourceLite+22j
		mov	ebx, [edi+4]
		lea	ecx, [edi+4]
		mov	[ebp+var_4], ebx
		mov	eax, ebx
		mov	[ebp+var_14], 1
		cmp	ebx, 1
		jbe	short loc_49B06A
		nop

loc_49B040:				; CODE XREF: ExReinitializeResourceLite+105j
		add	ecx, 8
		mov	[ebp+var_8], ecx
		add	ecx, 0FFFFFFFCh
		call	_ExpOwnerEntryToThread@4 ; ExpOwnerEntryToThread(x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	loc_5BC5DE

loc_49B059:				; CODE XREF: ExReinitializeResourceLite+121707j
		mov	ecx, [ebp+var_8]

loc_49B05C:				; CODE XREF: ExReinitializeResourceLite+1216F3j
		mov	eax, [ebp+var_14]
		inc	eax
		mov	[ebp+var_14], eax
		cmp	eax, ebx
		jb	short loc_49B040
		mov	eax, [edi+4]

loc_49B06A:				; CODE XREF: ExReinitializeResourceLite+DDj
		lea	eax, ds:0FFFFFFF8h[eax*8]
		push	eax		; size_t
		lea	eax, [edi+8]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [ebp+var_4]
		jmp	loc_49AF8D
; 

loc_49B08B:				; CODE XREF: ExReinitializeResourceLite+7Aj
		lock dec dword ptr [ebx+330h]
		mov	ecx, [esi+1Ch]
		jmp	loc_49AFE0
ExReinitializeResourceLite endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRewriteTrimPteAsDemandZero(x, x)
_MiRewriteTrimPteAsDemandZero@8	proc near ; CODE XREF: MiWsleFree(x,x,x,x,x)+38Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], ecx
		push	edi
		mov	edi, [esi+8]
		mov	ecx, edi
		mov	ebx, [esi+0Ch]
		mov	eax, ebx
		shrd	ecx, eax, 1
		test	cl, 1
		jnz	short loc_49B0D4
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		jnz	short loc_49B121
		and	edi, 0FFFFFFF9h
		jmp	short loc_49B121
; 

loc_49B0D4:				; CODE XREF: MiRewriteTrimPteAsDemandZero(x,x)+21j
		mov	edx, dword_6D0704
		mov	ecx, edi
		mov	eax, ebx
		shrd	ecx, eax, 0Ch
		and	ecx, 0Fh
		mov	eax, dword_6D5D94[ecx*4]
		mov	ecx, dword_6D0700
		mov	[ebp+var_4], eax
		mov	eax, ecx
		or	eax, edx
		jz	short loc_49B109
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_49B109
		not	edx
		and	ebx, edx

loc_49B109:				; CODE XREF: MiRewriteTrimPteAsDemandZero(x,x)+59j
					; MiRewriteTrimPteAsDemandZero(x,x)+63j
		mov	eax, [esi+0Ch]
		mov	edx, ebx
		mov	ecx, [ebp+var_4]
		push	eax
		mov	eax, [esi+8]
		push	eax
		push	2
		call	_MiTransferSoftwarePte@20 ; MiTransferSoftwarePte(x,x,x,x,x)
		mov	edi, eax
		mov	ebx, edx

loc_49B121:				; CODE XREF: MiRewriteTrimPteAsDemandZero(x,x)+2Dj
					; MiRewriteTrimPteAsDemandZero(x,x)+32j
		mov	edx, [esi+4]
		mov	ecx, esi
		or	edx, 80000000h
		mov	[ebp+var_4], edx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_49B15A
		mov	[edx], edi
		nop
		mov	eax, [ebp+var_8]
		mov	[edx+4], ebx
		test	byte ptr [eax+60h], 7
		jnz	short loc_49B1BA
		or	ecx, 0FFFFFFFFh
		add	eax, 0FFFFFF0Ch
		lock xadd [eax], ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_49B15A:				; CODE XREF: MiRewriteTrimPteAsDemandZero(x,x)+96j
		mov	ecx, [esi+18h]
		mov	eax, ds:_MmPfnDatabase
		and	ecx, offset loc_7FFFFF
		push	80000000h
		lea	edx, ds:0[ecx*8]
		sub	edx, ecx
		lea	esi, [eax+edx*4]
		xor	edx, edx
		call	MiMapPageInHyperSpaceWorker
		mov	ecx, [ebp+var_4]
		shr	ecx, 3
		and	ecx, 1FFh
		lea	ecx, [eax+ecx*8]
		mov	[ecx], edi
		nop
		push	80000000h
		mov	dl, 21h
		mov	[ecx+4], ebx
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	ecx, esi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	ecx, esi
		call	MiDecrementShareCount
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx

loc_49B1BA:				; CODE XREF: MiRewriteTrimPteAsDemandZero(x,x)+A5j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiRewriteTrimPteAsDemandZero@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFlushHyperSpace()
_MiFlushHyperSpace@0 proc near		; CODE XREF: .text:00471F61p
					; .text:0047285Bp ...

var_A0		= dword	ptr -0A0h
var_9C		= byte ptr -9Ch
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A0h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0A0h+var_4], eax
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [esp+0ACh+var_A0]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edi, large fs:20h
		lea	ecx, [esp+0B4h+var_A0]
		add	esp, 0Ch
		mov	esi, [edi+3D34h]
		and	[esp+0A8h+var_8C], 0
		and	esi, 0FFFFF000h
		push	0
		push	100h
		mov	edx, esi
		mov	[esp+0B0h+var_98], 21h
		mov	[esp+0B0h+var_9C], 1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [esp+0A8h+var_A0]
		call	MiFlushTbList
		mov	ecx, [esp+0A8h+var_4]
		mov	[edi+3D34h], esi
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_MiFlushHyperSpace@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiObtainMdlCharges proc	near		; CODE XREF: MiAllocatePagesForMdl+7Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BC6EB SIZE 000000CB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		xor	ecx, ecx
		push	esi
		push	edi
		inc	ecx
		mov	esi, [ebx+14h]
		mov	edi, esi
		shr	edi, 4
		test	edi, edi
		jz	loc_49B302

loc_49B271:				; CODE XREF: MiObtainMdlCharges+B6j
		mov	eax, [ebx+4]
		test	al, 40h
		jnz	loc_5BC6EB
		test	al, 20h
		jnz	loc_5BC6F0

loc_49B284:				; CODE XREF: MiObtainMdlCharges+1214A7j
					; MiObtainMdlCharges+1214B2j ...
		mov	ecx, [ebx]
		mov	edx, esi
		push	2
		push	dword ptr [ebx+18h]
		call	MiAcquireNonPagedResources
		test	eax, eax
		js	loc_5BC72E
		push	0
		lea	ecx, ds:1Ch[esi*4]
		mov	edx, 69646D4Dh
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_5BC705
		mov	ecx, esi
		xor	edi, edi
		shl	ecx, 0Ch
		mov	eax, ecx
		mov	[edx], edi
		shr	eax, 0Ch
		mov	[edx+10h], edi
		mov	[edx+18h], edi
		mov	[edx+0Ch], edi
		lea	eax, ds:1Ch[eax*4]
		mov	[edx+14h], ecx
		mov	[edx+4], ax
		xor	eax, eax
		mov	[edx+6], ax
		cmp	dword ptr [ebx], offset	_MiSystemPartition
		mov	[ebx+14h], esi
		mov	[ebx+24h], edx
		jnz	short loc_49B2FB
		mov	eax, offset dword_6D3620
		lock xadd [eax], esi

loc_49B2FB:				; CODE XREF: MiObtainMdlCharges+A2j
		xor	eax, eax

loc_49B2FD:				; CODE XREF: MiObtainMdlCharges+121563j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_49B302:				; CODE XREF: MiObtainMdlCharges+1Dj
		mov	edi, ecx
		jmp	loc_49B271
MiObtainMdlCharges endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocatePagesForMdl proc near		; CODE XREF: MmAllocatePartitionNodePagesForMdlEx+88p
					; MmAllocatePagesForMdl(x,x,x,x,x,x,x)+44p ...

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 005BC7B6 SIZE 00000136 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+8Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		lea	eax, [esp+9Ch+var_78]
		mov	ebx, edx
		push	0		; int
		push	eax		; void *
		mov	[esp+0A4h+var_7C], ebx
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		push	[ebp+arg_20]
		mov	esi, [ebp+arg_4]
		lea	ecx, [esp+0A0h+var_7C]
		push	[ebp+arg_1C]
		mov	[esp+0A4h+var_88], edx
		mov	edx, edi
		push	[ebp+arg_18]
		mov	[esp+0A8h+var_84], eax
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	esi
		push	[ebp+arg_0]
		push	ebx
		call	MiValidateMdlAllocationRequest
		test	eax, eax
		js	loc_49B402
		lea	ecx, [esp+9Ch+var_7C]
		call	MiObtainMdlCharges
		test	eax, eax
		js	short loc_49B402
		mov	ebx, [esp+9Ch+var_58]
		mov	eax, [esp+9Ch+var_68]
		mov	[esp+9Ch+var_90], eax
		and	dword ptr [ebx+14h], 0
		xor	edi, edi

loc_49B3A1:				; CODE XREF: MiAllocatePagesForMdl+1214F0j
		mov	eax, [ebx+14h]
		lea	ecx, [esp+9Ch+var_7C]
		mov	[esp+9Ch+var_8C], eax
		call	MiFindPagesForMdl
		mov	ecx, [ebx+14h]
		mov	eax, ecx
		shr	eax, 0Ch
		cmp	eax, [esp+9Ch+var_90]
		jnz	loc_5BC7B6

loc_49B3C3:				; CODE XREF: MiAllocatePagesForMdl+1214FEj
		mov	edi, [esp+9Ch+var_58]
		test	edi, edi
		jz	short loc_49B402
		test	byte ptr [ebp+arg_8], 40h
		jnz	short loc_49B3E5
		lea	ecx, [esp+9Ch+var_7C]
		call	_MiInitializeMdlBatchPages@4 ; MiInitializeMdlBatchPages(x)
		mov	edx, [esp+9Ch+var_78]
		mov	ecx, edi
		call	MiInitializeMdlPages

loc_49B3E5:				; CODE XREF: MiAllocatePagesForMdl+C5j
		test	ds:byte_70EFC4,	1
		jnz	loc_5BC80D

loc_49B3F2:				; CODE XREF: MiAllocatePagesForMdl+121517j
		mov	edx, [esp+9Ch+var_78]
		test	edx, 100h
		jnz	loc_5BC826

loc_49B402:				; CODE XREF: MiAllocatePagesForMdl+72j
					; MiAllocatePagesForMdl+83j ...
		mov	edi, [esp+9Ch+var_78]
		mov	ebx, [esp+9Ch+var_58]
		push	offset _KERNEL_MEM_EVENT_MDL_ALLOCATION
		push	dword_6BC304
		push	_EtwpMemoryProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5BC836

loc_49B428:				; CODE XREF: MiAllocatePagesForMdl+1215DDj
		mov	ecx, [esp+9Ch+var_8]
		mov	eax, [esp+9Ch+var_58]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	24h
MiAllocatePagesForMdl endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeMdlPages proc near		; CODE XREF: MiAllocatePagesForMdl+D6p
					; MiReturnMdlExcess(x)+93p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005BC8EC SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], edx
		push	edi
		mov	[ebp+var_1C], esi
		mov	edi, [esi+14h]
		lea	eax, [esi+1Ch]
		shr	edi, 0Ch
		mov	[ebp+var_10], eax
		test	edx, 80000200h
		jnz	loc_5BC8EC
		push	0
		push	80h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], edx

loc_49B481:				; CODE XREF: MiInitializeMdlPages+1214B0j
		mov	ecx, large fs:124h
		push	2
		mov	eax, [ecx+80h]
		mov	[ebp+var_18], eax
		pop	eax
		mov	cl, al
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		xor	ebx, ebx
		mov	[ebp+var_1], al
		test	edi, edi
		jz	short loc_49B4DC
		mov	esi, [ebp+var_10]

loc_49B4A8:				; CODE XREF: MiInitializeMdlPages+93j
		push	[ebp+var_8]
		imul	ecx, [esi], 1Ch
		xor	edx, edx
		push	[ebp+var_C]
		inc	edx
		push	[ebp+var_14]
		push	[ebp+var_18]
		add	ecx, ds:_MmPfnDatabase
		call	_MiInitializeMdlLeafPfns@24 ; MiInitializeMdlLeafPfns(x,x,x,x,x,x)
		mov	al, [ebp+var_1]
		cmp	al, 2
		jnb	short loc_49B4D1
		test	bl, 0Fh
		jz	short loc_49B4F4

loc_49B4D1:				; CODE XREF: MiInitializeMdlPages+86j
					; MiInitializeMdlPages+BCj ...
		inc	ebx
		add	esi, 4
		cmp	ebx, edi
		jb	short loc_49B4A8
		mov	esi, [ebp+var_1C]

loc_49B4DC:				; CODE XREF: MiInitializeMdlPages+5Fj
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	dword ptr [esi+8], 0
		push	2
		pop	eax
		or	[esi+6], ax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_49B4F4:				; CODE XREF: MiInitializeMdlPages+8Bj
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	short loc_49B502
		mov	al, [ebp+var_1]
		jmp	short loc_49B4D1
; 

loc_49B502:				; CODE XREF: MiInitializeMdlPages+B7j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		jmp	short loc_49B4D1
MiInitializeMdlPages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeMdlLeafPfns(x, x, x, x,	x, x)
_MiInitializeMdlLeafPfns@24 proc near	; CODE XREF: MiInitializeMdlPages+7Cp
					; MiInitializeLargeMdlLeafPfns(x,x)+7Ep

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		imul	esi, edx, 1Ch
		mov	ebx, ecx
		push	edi
		add	esi, ebx
		cmp	esi, ebx
		jz	loc_49B5C6
		mov	edi, [ebp+arg_0]
		shr	edi, 2
		and	edi, 1FFFFFFEh
		mov	[ebp+arg_0], edi

loc_49B53F:				; CODE XREF: MiInitializeMdlLeafPfns(x,x,x,x,x,x)+A8j
		and	[ebp+var_4], 0
		add	esi, 0FFFFFFE4h
		lea	eax, [esi+10h]
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_49B56B
		lea	edi, [esi+10h]

loc_49B553:				; CODE XREF: MiInitializeMdlLeafPfns(x,x,x,x,x,x)+47j
					; MiInitializeMdlLeafPfns(x,x,x,x,x,x)+4Ej
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_49B553
		lock bts dword ptr [edi], 1Fh
		jb	short loc_49B553
		mov	edi, [ebp+arg_0]

loc_49B56B:				; CODE XREF: MiInitializeMdlLeafPfns(x,x,x,x,x,x)+36j
		mov	eax, [esi+18h]
		test	eax, (offset loc_7FFFFF+1)
		jz	short loc_49B584
		push	1
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_MiConvertLargePfnToSmall@16 ; MiConvertLargePfnToSmall(x,x,x,x)
		mov	eax, [esi+18h]

loc_49B584:				; CODE XREF: MiInitializeMdlLeafPfns(x,x,x,x,x,x)+5Bj
		and	dword ptr [esi], 0
		and	eax, 7F800000h
		mov	edx, [ebp+arg_4]
		or	eax, (offset loc_7FFFFA+3)
		mov	[esi+18h], eax
		mov	ecx, esi
		mov	eax, [ebp+arg_8]
		mov	[esi+8], eax
		mov	eax, [ebp+arg_C]
		mov	dword ptr [esi+4], 0C0000000h
		mov	[esi+0Ch], eax
		mov	[esi], edi
		call	_MiInitializeMdlPfn@8 ;	MiInitializeMdlPfn(x,x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		cmp	esi, ebx
		jnz	loc_49B53F

loc_49B5C6:				; CODE XREF: MiInitializeMdlLeafPfns(x,x,x,x,x,x)+12j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiInitializeMdlLeafPfns@24 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiInitializeMdlPfn(x, x)
_MiInitializeMdlPfn@8 proc near		; CODE XREF: MiInitializeMdlLeafPfns(x,x,x,x,x,x)+96p
					; MiInitializeSessionIds+2936Bp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		test	edi, 100h
		jz	short loc_49B5FF
		mov	cl, [esi+16h]
		mov	al, cl
		and	al, 7
		cmp	al, 5
		jz	short loc_49B5F3
		and	cl, 0FDh
		or	cl, 5
		mov	[esi+16h], cl

loc_49B5F3:				; CODE XREF: MiInitializeMdlPfn(x,x)+1Aj
		and	dword ptr [esi+10h], 0C0000000h
		jmp	loc_49B67F
; 

loc_49B5FF:				; CODE XREF: MiInitializeMdlPfn(x,x)+Fj
		mov	eax, [esi+10h]
		mov	ebx, 0BFFFFFFFh
		and	eax, 0C0000001h
		or	eax, 1
		mov	[esi+10h], eax
		push	2
		pop	eax
		mov	[esi+14h], ax
		mov	eax, edi
		and	eax, 80000200h
		neg	eax
		sbb	eax, eax
		and	eax, 40000000h
		add	eax, 0C0000000h
		mov	[esi+4], eax
		test	edi, edi
		jns	short loc_49B638
		and	[esi+10h], ebx

loc_49B638:				; CODE XREF: MiInitializeMdlPfn(x,x)+65j
		test	edi, 200h
		jz	short loc_49B661
		call	MiAbortCombineScan
		mov	eax, [esi+18h]
		and	eax, ebx
		or	eax, 30000000h
		mov	[esi+18h], eax
		test	edi, 20000h
		jnz	short loc_49B661
		lock inc dword_6D07B4

loc_49B661:				; CODE XREF: MiInitializeMdlPfn(x,x)+70j
					; MiInitializeMdlPfn(x,x)+8Aj
		mov	al, [esi+16h]
		and	al, 0FEh
		or	al, 6
		mov	[esi+16h], al
		test	edi, edi
		jns	short loc_49B67F
		mov	eax, [esi+18h]
		and	eax, 9FFFFFFFh
		or	eax, 10000000h
		mov	[esi+18h], eax

loc_49B67F:				; CODE XREF: MiInitializeMdlPfn(x,x)+2Cj
					; MiInitializeMdlPfn(x,x)+9Fj
		and	byte ptr [esi+17h], 0F8h
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiInitializeMdlPfn@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFindPagesForMdl proc near		; CODE XREF: MiAllocatePagesForMdl+A2p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BC8F9 SIZE 0000006A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		inc	edi
		mov	eax, [esi]
		lea	ecx, [esi+1Ch]
		mov	edx, [esi+24h]
		mov	ebx, [esi+4]
		mov	[ebp+var_10], eax
		mov	ax, ds:_KeNumberNodes
		mov	[ebp+var_8], edx
		cmp	ax, di
		ja	loc_5BC8F9
		and	ebx, 0FFFFFFFDh
		lea	edi, [ebp+var_4]
		and	[ebp+var_4], 0

loc_49B6C6:				; CODE XREF: MiFindPagesForMdl+12129Fj
		lea	eax, [ebp+var_4]
		cmp	edi, eax
		jnz	short loc_49B6D3

loc_49B6CD:				; CODE XREF: MiFindPagesForMdl+12127Ej
		lea	eax, [edi+4]
		mov	[ebp+var_C], eax

loc_49B6D3:				; CODE XREF: MiFindPagesForMdl+43j
		test	ebx, 100h
		jnz	loc_5BC92C

loc_49B6DF:				; CODE XREF: MiFindPagesForMdl+1212AAj
		mov	edx, [edx+14h]
		mov	eax, ebx
		and	eax, 10052h
		shr	edx, 0Ch
		cmp	eax, 10000h
		jnz	short loc_49B717
		push	dword ptr [ecx]
		mov	eax, [esi+14h]
		mov	ecx, [ebp+var_10]
		sub	eax, edx
		mov	edx, [ebp+var_8]
		push	eax
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+20h]
		push	ebx
		call	MiAllocateMdlPagesByLists
		cmp	eax, 1
		jnz	short loc_49B75A

loc_49B712:				; CODE XREF: MiFindPagesForMdl+CBj
					; MiFindPagesForMdl+1212C4j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_49B717:				; CODE XREF: MiFindPagesForMdl+69j
					; MiFindPagesForMdl+D8j ...
		mov	eax, [edi]
		mov	ecx, [ebp+var_10]
		imul	edx, eax, 280h
		mov	ecx, [ecx+10h]
		cmp	dword ptr [edx+ecx+1DCh], 0
		jz	loc_5BC937

loc_49B733:				; CODE XREF: MiFindPagesForMdl+1212BCj
		mov	edx, ebx
		mov	ecx, esi
		push	eax
		test	bl, 40h
		jnz	short loc_49B762
		test	bl, 20h
		jnz	short loc_49B769
		call	MiAllocateMostlyContiguousPagesForMdl

loc_49B747:				; CODE XREF: MiFindPagesForMdl+DFj
					; MiFindPagesForMdl+E6j ...
		mov	eax, [ebp+var_8]
		mov	eax, [eax+14h]
		shr	eax, 0Ch
		cmp	eax, [esi+14h]
		jz	short loc_49B712
		jmp	loc_5BC949
; 

loc_49B75A:				; CODE XREF: MiFindPagesForMdl+88j
		and	ebx, 0FFFEFFFFh
		jmp	short loc_49B717
; 

loc_49B762:				; CODE XREF: MiFindPagesForMdl+B3j
		call	_MiAllocateFastLargePagesForMdl@12 ; MiAllocateFastLargePagesForMdl(x,x,x)
		jmp	short loc_49B747
; 

loc_49B769:				; CODE XREF: MiFindPagesForMdl+B8j
		call	_MiAllocateSkipPagesForMdl@12 ;	MiAllocateSkipPagesForMdl(x,x,x)
		jmp	short loc_49B747
MiFindPagesForMdl endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiValidateMdlAllocationRequest proc near ; CODE	XREF: MiAllocatePagesForMdl+6Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 005BC963 SIZE 0000013B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	eax, edx
		mov	edx, [ebp+arg_C]
		mov	[ebp+var_4], eax
		mov	[ebp+arg_C], edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edi
		test	edx, 100h
		jnz	loc_5BC963

loc_49B796:				; CODE XREF: MiValidateMdlAllocationRequest+1211FEj
		mov	eax, [ebp+arg_14]
		mov	ecx, [ebp+arg_10]
		mov	esi, [ebp+arg_18]
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+arg_1C]
		shrd	esi, eax, 0Ch
		mov	eax, dword_6D07B0
		mov	[ebp+var_8], ecx
		mov	[ebp+arg_14], esi
		cmp	esi, eax
		jb	loc_5BC973
		mov	[ebp+arg_14], eax

loc_49B7C0:				; CODE XREF: MiValidateMdlAllocationRequest+121212j
		test	ecx, ecx
		jnz	short loc_49B7CD
		or	edx, 10000h
		mov	[ebp+arg_C], edx

loc_49B7CD:				; CODE XREF: MiValidateMdlAllocationRequest+52j
					; MiValidateMdlAllocationRequest+12120Cj
		mov	esi, [ebp+arg_20]
		test	esi, 0FFFh
		jnz	loc_49B883
		mov	eax, [ebp+arg_24]
		shrd	esi, eax, 0Ch
		lea	eax, [esi-1]
		test	eax, esi
		jnz	loc_5BC987
		xor	eax, eax

loc_49B7F0:				; CODE XREF: MiValidateMdlAllocationRequest+121224j
		mov	ecx, [ebp+arg_4]
		test	edx, 400h
		jnz	loc_5BC999

loc_49B7FF:				; CODE XREF: MiValidateMdlAllocationRequest+121244j
					; MiValidateMdlAllocationRequest+121253j
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 0FFFFE000h
		ja	loc_5BC9C8

loc_49B80E:				; CODE XREF: MiValidateMdlAllocationRequest+121269j
					; MiValidateMdlAllocationRequest+121271j ...
		add	ecx, 0FFFh
		mov	[ebp+arg_0], edx
		shr	ecx, 0Ch
		and	[ebp+arg_0], 40h
		jnz	loc_5BC9F8

loc_49B824:				; CODE XREF: MiValidateMdlAllocationRequest+1212CDj
					; MiValidateMdlAllocationRequest+1212E4j
		mov	eax, [ebp+var_4]
		mov	eax, [eax+4]
		shl	eax, 5
		not	eax
		and	eax, 400h
		mov	[edi+18h], eax
		mov	edi, [ebp+var_4]
		mov	edi, [edi+1000h]
		sub	edi, eax
		test	edi, edi
		jle	short loc_49B883
		cmp	ecx, edi
		ja	loc_5BCA59

loc_49B84E:				; CODE XREF: MiValidateMdlAllocationRequest+12131Ej
		test	ecx, ecx
		jz	short loc_49B883
		mov	edi, [ebp+var_C]
		mov	eax, [ebp+var_4]
		mov	[edi], eax
		mov	eax, [ebp+var_8]
		mov	[edi+8], eax
		mov	eax, [ebp+arg_14]
		mov	[edi+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[edi+1Ch], eax
		mov	eax, [ebp+arg_4]
		mov	[edi+20h], eax
		xor	eax, eax
		mov	[edi+4], edx
		mov	[edi+10h], esi
		mov	[edi+14h], ecx

loc_49B87D:				; CODE XREF: MiValidateMdlAllocationRequest+118j
					; MiValidateMdlAllocationRequest+121329j
		pop	edi
		pop	esi
		leave
		retn	28h
; 

loc_49B883:				; CODE XREF: MiValidateMdlAllocationRequest+66j
					; MiValidateMdlAllocationRequest+D4j ...
		mov	eax, 0C000000Dh
		jmp	short loc_49B87D
MiValidateMdlAllocationRequest endp

; 
		align 10h
; Exported entry 1380. MmAllocatePartitionNodePagesForMdlEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmAllocatePartitionNodePagesForMdlEx
MmAllocatePartitionNodePagesForMdlEx proc near
					; CODE XREF: MmAllocateNodePagesForMdlEx(x,x,x,x,x,x,x,x,x,x)+28p
					; HvlpDepositPages(x,x,x)+7Ep ...

var_6		= byte ptr -6
var_5		= dword	ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 005BCA9E SIZE 0000007E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		movzx	eax, ds:_KeNumberNodes
		push	ebx
		push	esi
		push	edi
		mov	byte ptr [esp+18h+var_5], 0
		cmp	[ebp+arg_20], eax
		jnb	loc_49B93A
		mov	esi, [ebp+arg_1C]
		cmp	esi, 0FFFFFFFFh
		jz	short loc_49B935
		cmp	esi, 2
		jg	short loc_49B935

loc_49B8C0:				; CODE XREF: MmAllocatePartitionNodePagesForMdlEx+A8j
		mov	ebx, [ebp+arg_24]
		test	ebx, 0FFFFF800h
		jnz	short loc_49B93A
		mov	edx, [ebp+arg_14]
		mov	eax, ebx
		mov	edi, [ebp+arg_10]
		and	al, 60h
		cmp	al, 20h
		jz	loc_5BCA9E

loc_49B8DD:				; CODE XREF: MmAllocatePartitionNodePagesForMdlEx+12124Cj
					; MmAllocatePartitionNodePagesForMdlEx+12125Aj
		test	ebx, 100h
		jnz	loc_5BCAEF

loc_49B8E9:				; CODE XREF: MmAllocatePartitionNodePagesForMdlEx+121276j
		mov	ecx, [ebp+arg_28]
		lea	eax, [esp+18h+var_5]
		push	eax
		call	MiPartitionObjectToPartition
		mov	[esp+18h+var_5+1], eax
		test	eax, eax
		jz	short loc_49B93A
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_18]
		mov	ecx, eax
		push	edi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ebx
		push	[ebp+arg_20]
		push	esi
		call	MiAllocatePagesForMdl
		cmp	byte ptr [esp+18h+var_5], 0
		mov	esi, eax
		jnz	loc_5BCB0B

loc_49B92A:				; CODE XREF: MmAllocatePartitionNodePagesForMdlEx+121287j
		mov	eax, esi

loc_49B92C:				; CODE XREF: MmAllocatePartitionNodePagesForMdlEx+ACj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_49B935:				; CODE XREF: MmAllocatePartitionNodePagesForMdlEx+29j
					; MmAllocatePartitionNodePagesForMdlEx+2Ej
		push	3
		pop	esi
		jmp	short loc_49B8C0
; 

loc_49B93A:				; CODE XREF: MmAllocatePartitionNodePagesForMdlEx+1Dj
					; MmAllocatePartitionNodePagesForMdlEx+39j ...
		xor	eax, eax
		jmp	short loc_49B92C
MmAllocatePartitionNodePagesForMdlEx endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1379. MmAllocatePagesForMdlEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAllocatePagesForMdlEx(x, x, x, x,	x, x, x, x, x)
		public _MmAllocatePagesForMdlEx@36
_MmAllocatePagesForMdlEx@36 proc near	; CODE XREF: PopGenerateMdl(x)+26p
					; PopGenerateScratchMdl(x,x)+20p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	[ebp+arg_20]
		mov	eax, [eax+16Ch]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		push	eax
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_MmAllocateNodePagesForMdlEx@40	; MmAllocateNodePagesForMdlEx(x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	24h
_MmAllocatePagesForMdlEx@36 endp


;  S U B	R O U T	I N E 


; __stdcall MiMarkPfnTradable(x, x)
_MiMarkPfnTradable@8 proc near		; CODE XREF: MmCreateKernelStack+366p
					; MmInSwapProcess+16274Ep ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	edx, edx
		jnz	short loc_49B9B7
		call	_MiLockPageInline@4 ; MiLockPageInline(x)

loc_49B99C:				; CODE XREF: MiMarkPfnTradable(x,x)+2Bj
		or	dword ptr [esi], 1
		cmp	al, 21h
		jz	short loc_49B9BB
		mov	edx, 7FFFFFFFh
		lea	ecx, [esi+10h]
		lock and [ecx],	edx
		mov	cl, al
		pop	esi
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_49B9B7:				; CODE XREF: MiMarkPfnTradable(x,x)+7j
		mov	al, 21h
		jmp	short loc_49B99C
; 

loc_49B9BB:				; CODE XREF: MiMarkPfnTradable(x,x)+13j
		pop	esi
		retn
_MiMarkPfnTradable@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhSubsegmentComputeCommitUnit(x, x)
_RtlpHpLfhSubsegmentComputeCommitUnit@8	proc near
					; CODE XREF: RtlpHpLfhSubsegmentCreate+117p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		add	edx, edx
		push	esi
		mov	esi, ecx
		lea	eax, [edx-1]
		test	eax, edx
		jz	short loc_49B9DB
		bsr	ecx, edx
		xor	edx, edx
		inc	edx
		lea	ecx, [ecx+1]
		shl	edx, cl

loc_49B9DB:				; CODE XREF: RtlpHpLfhSubsegmentComputeCommitUnit(x,x)+10j
		mov	eax, 1000h
		cmp	edx, eax
		ja	short loc_49B9E6
		mov	edx, eax

loc_49B9E6:				; CODE XREF: RtlpHpLfhSubsegmentComputeCommitUnit(x,x)+24j
		cmp	edx, esi
		jnb	short loc_49B9EF

loc_49B9EA:				; CODE XREF: RtlpHpLfhSubsegmentComputeCommitUnit(x,x)+33j
		mov	eax, edx
		pop	esi
		leave
		retn
; 

loc_49B9EF:				; CODE XREF: RtlpHpLfhSubsegmentComputeCommitUnit(x,x)+2Aj
		mov	edx, esi
		jmp	short loc_49B9EA
_RtlpHpLfhSubsegmentComputeCommitUnit@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhBucketSubsegmentStatsUpdate(x, x)
_RtlpHpLfhBucketSubsegmentStatsUpdate@8	proc near ; CODE XREF: RtlpHpLfhSubsegmentCreate+39p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, ecx
		mov	ebx, edx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	esi, ebx
		mov	eax, [eax]
		xor	edi, edi
		mov	[ebp+var_C], ebx
		and	esi, 1
		mov	[ebp+var_4], eax

loc_49BA15:				; CODE XREF: RtlpHpLfhBucketSubsegmentStatsUpdate(x,x)+5Aj
		mov	ecx, eax
		movzx	eax, byte ptr [ebp+esi*2+var_4]
		cmp	eax, ebx
		jz	short loc_49BA57
		push	2
		lea	eax, [ebp+var_4+1]
		pop	edx

loc_49BA26:				; CODE XREF: RtlpHpLfhBucketSubsegmentStatsUpdate(x,x)+3Aj
		shr	byte ptr [eax],	1
		lea	eax, [eax+2]
		sub	edx, 1
		jnz	short loc_49BA26
		mov	byte ptr [ebp+esi*2+var_4], bl
		mov	al, 1

loc_49BA36:				; CODE XREF: RtlpHpLfhBucketSubsegmentStatsUpdate(x,x)+75j
		mov	ebx, [ebp+var_8]
		mov	byte ptr [ebp+esi*2+var_4+1], al
		mov	eax, ecx
		mov	edx, [ebp+var_4]
		lock cmpxchg [ebx], edx
		mov	ebx, [ebp+var_C]
		mov	[ebp+var_4], eax
		cmp	eax, ecx
		jnz	short loc_49BA15
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_49BA57:				; CODE XREF: RtlpHpLfhBucketSubsegmentStatsUpdate(x,x)+2Aj
		mov	al, byte ptr [ebp+esi*2+var_4+1]
		cmp	al, 10h
		jz	short loc_49BA6B

loc_49BA5F:				; CODE XREF: RtlpHpLfhBucketSubsegmentStatsUpdate(x,x)+8Bj
		inc	al
		mov	dl, 8
		cmp	dl, al
		sbb	edi, edi
		neg	edi
		jmp	short loc_49BA36
; 

loc_49BA6B:				; CODE XREF: RtlpHpLfhBucketSubsegmentStatsUpdate(x,x)+69j
		push	2
		lea	eax, [ebp+var_4+1]
		pop	edx

loc_49BA71:				; CODE XREF: RtlpHpLfhBucketSubsegmentStatsUpdate(x,x)+85j
		shr	byte ptr [eax],	1
		lea	eax, [eax+2]
		sub	edx, 1
		jnz	short loc_49BA71
		mov	al, byte ptr [ebp+esi*2+var_4+1]
		jmp	short loc_49BA5F
_RtlpHpLfhBucketSubsegmentStatsUpdate@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RtlpHpLfhBucketComputeNewSubsegmentBlockCount(x, x)
_RtlpHpLfhBucketComputeNewSubsegmentBlockCount@8 proc near
					; CODE XREF: RtlpHpLfhSubsegmentCreate+45p
		movzx	eax, byte ptr [ecx+1]
		push	ebx
		push	esi
		mov	esi, [ecx+1Ch]
		movzx	ebx, ds:_RtlpBucketBlockSizes[eax*2]
		push	edi
		movzx	edi, byte ptr [ecx+2]
		test	edx, edx
		jnz	short loc_49BAA5
		shr	esi, 3
		mov	eax, esi
		div	edi
		mov	esi, eax

loc_49BAA5:				; CODE XREF: RtlpHpLfhBucketComputeNewSubsegmentBlockCount(x,x)+18j
		cmp	esi, 0FFFFFFFFh
		jnb	short loc_49BACB

loc_49BAAA:				; CODE XREF: RtlpHpLfhBucketComputeNewSubsegmentBlockCount(x,x)+4Cj
		xor	eax, eax
		mov	edx, esi
		cmp	eax, [ecx+20h]
		mov	ecx, ebx
		sbb	eax, eax
		neg	eax
		cmp	edi, 1
		push	eax
		setnbe	al
		movzx	eax, al
		push	eax
		call	_RtlpGetSubSegmentBlockCount@16	; RtlpGetSubSegmentBlockCount(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_49BACB:				; CODE XREF: RtlpHpLfhBucketComputeNewSubsegmentBlockCount(x,x)+26j
		or	esi, 0FFFFFFFFh
		jmp	short loc_49BAAA
_RtlpHpLfhBucketComputeNewSubsegmentBlockCount@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpGetSubSegmentBlockCount(x, x, x, x)
_RtlpGetSubSegmentBlockCount@16	proc near
					; CODE XREF: RtlpHpLfhBucketComputeNewSubsegmentBlockCount(x,x)+40p

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [ebp+arg_0]
		cmp	ecx, 100h
		jnb	short loc_49BAE2
		dec	al

loc_49BAE2:				; CODE XREF: RtlpGetSubSegmentBlockCount(x,x,x,x)+Ej
		cmp	[ebp+arg_4], 0
		jbe	short loc_49BAEA
		dec	al

loc_49BAEA:				; CODE XREF: RtlpGetSubSegmentBlockCount(x,x,x,x)+16j
		movsx	eax, al
		push	3
		pop	ecx
		sub	ecx, eax
		xor	eax, eax
		inc	eax
		shl	eax, cl
		cmp	edx, eax
		jb	short loc_49BB0F

loc_49BAFB:				; CODE XREF: RtlpGetSubSegmentBlockCount(x,x,x,x)+41j
		cmp	edx, 4
		jb	short loc_49BB17

loc_49BB00:				; CODE XREF: RtlpGetSubSegmentBlockCount(x,x,x,x)+4Aj
		mov	eax, 400h
		cmp	edx, eax
		ja	short loc_49BB13

loc_49BB09:				; CODE XREF: RtlpGetSubSegmentBlockCount(x,x,x,x)+45j
		mov	eax, edx
		pop	ebp
		retn	8
; 

loc_49BB0F:				; CODE XREF: RtlpGetSubSegmentBlockCount(x,x,x,x)+29j
		mov	edx, eax
		jmp	short loc_49BAFB
; 

loc_49BB13:				; CODE XREF: RtlpGetSubSegmentBlockCount(x,x,x,x)+37j
		mov	edx, eax
		jmp	short loc_49BB09
; 

loc_49BB17:				; CODE XREF: RtlpGetSubSegmentBlockCount(x,x,x,x)+2Ej
		push	4
		pop	edx
		jmp	short loc_49BB00
_RtlpGetSubSegmentBlockCount@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhSubsegmentInitialize(x, x,	x, x, x)
_RtlpHpLfhSubsegmentInitialize@20 proc near ; CODE XREF: RtlpHpLfhSubsegmentCreate+144p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, edx
		and	[ebp+var_14], 0
		xor	edx, edx
		mov	[ebp+var_10], ebx
		mov	eax, ebx
		div	[ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, ecx
		mov	[ebp+var_8], eax
		lea	edx, [eax+eax]
		sub	ebx, edx
		xor	edx, edx
		lea	ecx, ds:2[edi*8]
		lea	eax, ds:0FFFFFF00h[ebx*8]
		div	ecx
		xor	edx, edx
		mov	ebx, eax
		mov	eax, [ebp+var_8]
		lea	ecx, ds:1Fh[ebx*2]
		shr	ecx, 5
		lea	ecx, [eax+ecx*2]
		mov	eax, [ebp+var_10]
		lea	ecx, ds:27h[ecx*2]
		and	ecx, 0FFFFFFF8h
		sub	eax, ecx
		mov	[ebp+var_C], ecx
		div	edi
		cmp	ebx, eax
		jb	short loc_49BB84
		mov	ebx, eax

loc_49BB84:				; CODE XREF: RtlpHpLfhSubsegmentInitialize(x,x,x,x,x)+64j
		xor	eax, eax
		lea	edx, ds:1Fh[ebx*2]
		push	8
		pop	ecx
		mov	edi, esi
		shr	edx, 5
		rep stosd
		mov	eax, [ebp+var_C]
		mov	edi, [ebp+arg_4]
		mov	word ptr [ebp+var_4+2],	ax
		mov	eax, esi
		shr	eax, 0Ch
		mov	[ebp+var_14], eax
		xor	eax, dword_6BEC64
		mov	word ptr [ebp+var_4], di
		xor	eax, [ebp+var_4]
		mov	[esi+18h], eax
		movzx	eax, bx
		mov	[esi+10h], ax
		mov	[esi+12h], ax
		mov	eax, [ebp+arg_0]
		bsf	eax, eax
		and	[ebp+arg_0], 0
		mov	[esi+1Ch], al
		mov	eax, [ebp+var_8]
		mov	[esi+1Dh], al
		lea	eax, ds:20h[edx*4]
		mov	[esi+1Eh], ax
		movzx	ecx, ax
		mov	eax, [ebp+var_8]
		add	ecx, esi
		movzx	eax, al
		mov	byte ptr [esi+16h], 2
		push	0FFFFFFFFh
		lea	edx, [ecx+eax*2]
		xor	eax, eax
		inc	eax
		mov	[ecx], ax
		add	ecx, 2
		mov	eax, edx
		sub	eax, ecx
		inc	eax
		shr	eax, 1
		cmp	edx, ecx
		sbb	edx, edx
		not	edx
		and	edx, eax
		mov	[ebp+var_8], edx
		pop	eax
		jbe	short loc_49BC23
		mov	edx, [ebp+arg_0]

loc_49BC17:				; CODE XREF: RtlpHpLfhSubsegmentInitialize(x,x,x,x,x)+105j
		inc	edx
		mov	[ecx], ax
		lea	ecx, [ecx+2]
		cmp	edx, [ebp+var_8]
		jb	short loc_49BC17

loc_49BC23:				; CODE XREF: RtlpHpLfhSubsegmentInitialize(x,x,x,x,x)+F6j
		lea	eax, ds:7[ebx*2]
		shr	eax, 3
		lea	ecx, [esi+20h]
		push	eax		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		lea	eax, [ebx+ebx]
		add	esp, 0Ch
		mov	ecx, eax
		and	ecx, 1Fh
		jz	short loc_49BC52
		shr	eax, 5
		or	edx, 0FFFFFFFFh
		shl	edx, cl
		or	[esi+eax*4+20h], edx

loc_49BC52:				; CODE XREF: RtlpHpLfhSubsegmentInitialize(x,x,x,x,x)+128j
		mov	edx, [ebp+var_10]
		mov	ecx, 1000h
		cmp	edx, ecx
		jbe	short loc_49BCC8
		mov	eax, [ebp+arg_8]
		test	byte ptr [eax+22h], 1
		jz	short loc_49BCC8
		lea	eax, [edi-1]
		mov	[ebp+arg_0], eax
		test	eax, edi
		jz	short loc_49BCD4
		mov	ebx, [ebp+arg_4]
		lea	edi, [edx-1001h]
		mov	eax, ecx
		shr	edi, 0Ch
		sub	eax, [ebp+var_C]
		inc	edi
		mov	[ebp+arg_0], eax

loc_49BC86:				; CODE XREF: RtlpHpLfhSubsegmentInitialize(x,x,x,x,x)+1AAj
		xor	edx, edx
		div	ebx
		test	edx, edx
		jz	short loc_49BCBB
		lea	edx, [eax+eax]
		mov	ecx, edx
		lea	eax, [esi+20h]
		shr	ecx, 3
		and	edx, 7
		add	ecx, eax
		movsx	eax, byte ptr [ecx]
		bts	eax, edx
		mov	[ecx], al
		mov	eax, 0FFFFh
		add	[esi+10h], ax
		mov	ecx, 1000h
		add	[esi+12h], ax
		inc	byte ptr [esi+17h]

loc_49BCBB:				; CODE XREF: RtlpHpLfhSubsegmentInitialize(x,x,x,x,x)+170j
		mov	eax, [ebp+arg_0]
		add	eax, ecx
		mov	[ebp+arg_0], eax
		sub	edi, 1
		jnz	short loc_49BC86

loc_49BCC8:				; CODE XREF: RtlpHpLfhSubsegmentInitialize(x,x,x,x,x)+140j
					; RtlpHpLfhSubsegmentInitialize(x,x,x,x,x)+149j ...
		call	_RtlpUpdateLfhRandomDataArray@0	; RtlpUpdateLfhRandomDataArray()
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_49BCD4:				; CODE XREF: RtlpHpLfhSubsegmentInitialize(x,x,x,x,x)+153j
		mov	eax, [ebp+var_C]
		movzx	ecx, ax
		lea	eax, [edi-1]
		add	eax, ecx
		imul	ebx, edi
		and	eax, [ebp+arg_0]
		sub	ecx, eax
		lea	eax, [edi-1]
		add	eax, ecx
		add	ebx, eax
		cmp	ebx, edx
		jnz	short loc_49BD07

loc_49BCF2:				; CODE XREF: RtlpHpLfhSubsegmentInitialize(x,x,x,x,x)+1EDj
		mov	word ptr [ebp+var_4+2],	ax
		mov	eax, [ebp+var_14]
		xor	eax, dword_6BEC64
		xor	eax, [ebp+var_4]
		mov	[esi+18h], eax
		jmp	short loc_49BCC8
; 

loc_49BD07:				; CODE XREF: RtlpHpLfhSubsegmentInitialize(x,x,x,x,x)+1D4j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	short loc_49BCF2
_RtlpHpLfhSubsegmentInitialize@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpUpdateLfhRandomDataArray()
_RtlpUpdateLfhRandomDataArray@0	proc near
					; CODE XREF: RtlpHpLfhSubsegmentInitialize(x,x,x,x,x):loc_49BCC8p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		mov	ax, [eax+3A2h]
		mov	word ptr [ebp+var_4], ax
		call	_RtlpHeapGenerateRandomValue64@0 ; RtlpHeapGenerateRandomValue64()
		mov	ecx, 7F7F7F7Fh
		and	eax, ecx
		and	edx, ecx
		mov	ecx, [ebp+var_4]
		shr	ecx, 3
		and	ecx, 1Fh
		mov	_RtlpLowFragHeapRandomData[ecx*8], eax
		mov	dword_6BEB44[ecx*8], edx
		leave
		retn
_RtlpUpdateLfhRandomDataArray@0	endp


;  S U B	R O U T	I N E 


; __stdcall RtlpHeapGenerateRandomValue64()
_RtlpHeapGenerateRandomValue64@0 proc near ; CODE XREF:	RtlpUpdateLfhRandomDataArray()+17p
					; RtlpHpLfhContextInitialize(x,x,x,x,x,x,x):loc_55F8ECp ...
		mov	edi, edi
		push	esi
		xor	ecx, ecx
		push	edi
		inc	ecx
		call	ExGenRandom
		xor	ecx, ecx
		mov	esi, eax
		mov	edi, 7FFFFFFFh
		inc	ecx
		and	esi, edi
		call	ExGenRandom
		and	eax, edi
		xor	edx, edx
		pop	edi
		or	edx, esi
		pop	esi
		retn
_RtlpHeapGenerateRandomValue64@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpLfhSubsegmentCreate proc near	; CODE XREF: RtlpHpLfhSlotAllocate+EEFp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BCB1C SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		test	byte ptr _RtlpHpLfhPerfFlags, 1
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	[ebp+var_18], ebx
		mov	esi, ecx
		movzx	edx, byte ptr [ebx+1]
		movzx	edi, ds:_RtlpBucketBlockSizes[edx*2]
		mov	[ebp+var_10], edi
		jz	loc_5BCB1C
		lea	ecx, [esi+40h]
		call	_RtlpHpLfhBucketSubsegmentStatsUpdate@8	; RtlpHpLfhBucketSubsegmentStatsUpdate(x,x)

loc_49BDAE:				; CODE XREF: RtlpHpLfhSubsegmentCreate+120DAEj
		mov	edx, eax
		mov	[ebp+var_8], eax
		mov	ecx, ebx
		call	_RtlpHpLfhBucketComputeNewSubsegmentBlockCount@8 ; RtlpHpLfhBucketComputeNewSubsegmentBlockCount(x,x)
		mov	edx, eax
		imul	edx, edi
		lea	eax, ds:1Fh[eax*2]
		shr	eax, 5
		lea	ecx, ds:27h[eax*4]
		and	ecx, 0FFFFFFF8h
		lea	eax, [ecx+0FFFh]
		add	eax, edx
		shr	eax, 0Ch
		lea	ebx, [ecx+eax*2]
		lea	ecx, [ebx+edx]
		call	_RtlpCalculateSubsegmentSizeIndex@8 ; RtlpCalculateSubsegmentSizeIndex(x,x)
		cmp	eax, 0Ch
		jbe	loc_49BF12

loc_49BDF2:				; CODE XREF: RtlpHpLfhSubsegmentCreate+1A5j
		xor	edi, edi
		mov	ecx, eax
		inc	edi
		shl	edi, cl
		test	byte ptr _RtlpHpLfhPerfFlags, 8
		jz	short loc_49BE2A
		mov	eax, edx
		shr	eax, 6
		cmp	ebx, eax
		ja	short loc_49BE2A
		mov	ecx, edx
		call	_RtlpCalculateSubsegmentSizeIndex@8 ; RtlpCalculateSubsegmentSizeIndex(x,x)
		mov	ecx, eax
		cmp	ecx, 0Ch
		jbe	loc_49BF2B

loc_49BE1D:				; CODE XREF: RtlpHpLfhSubsegmentCreate+1BEj
		xor	eax, eax
		inc	eax
		shl	eax, cl
		cmp	edi, eax
		ja	loc_49BF33

loc_49BE2A:				; CODE XREF: RtlpHpLfhSubsegmentCreate+90j
					; RtlpHpLfhSubsegmentCreate+99j ...
		mov	eax, [ebp+arg_0]
		and	eax, 1
		mov	[ebp+var_1C], eax
		jnz	loc_5BCB23
		movzx	edx, byte ptr [esi+1Dh]
		lea	ecx, [esi+44h]
		call	_RtlpHpAcquireLockShared@8 ; RtlpHpAcquireLockShared(x,x)
		mov	[ebp+var_1], al

loc_49BE48:				; CODE XREF: RtlpHpLfhSubsegmentCreate+120DB7j
		mov	ecx, [esi+4]
		lea	edx, [ebp+var_14]
		xor	ecx, _RtlpHpHeapGlobals
		mov	eax, [esi]
		xor	ecx, esi
		push	edx
		lea	edx, [ebp+var_C]
		push	edx
		push	[ebp+arg_0]
		push	edi
		push	eax
		call	ecx
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5BCB2C
		cmp	[ebp+var_8], 0
		jnz	loc_49BF3A

loc_49BE78:				; CODE XREF: RtlpHpLfhSubsegmentCreate+1D1j
		test	byte ptr [ebp+var_C], 1
		jnz	loc_49BF47
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		call	_RtlpHpLfhSubsegmentComputeCommitUnit@8	; RtlpHpLfhSubsegmentComputeCommitUnit(x,x)
		mov	[ebp+var_8], eax

loc_49BE8F:				; CODE XREF: RtlpHpLfhSubsegmentCreate+1DCj
		mov	edx, [esi+0Ch]
		xor	edx, _RtlpHpHeapGlobals
		mov	ecx, [esi]
		xor	edx, esi
		push	eax
		push	ebx
		push	ecx
		call	edx
		test	eax, eax
		js	loc_5BCB35
		push	esi
		push	[ebp+var_10]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+var_8]
		call	_RtlpHpLfhSubsegmentInitialize@20 ; RtlpHpLfhSubsegmentInitialize(x,x,x,x,x)
		mov	eax, [ebp+var_18]
		lock inc dword ptr [eax+20h]
		movzx	ecx, word ptr [ebx+12h]
		add	eax, 1Ch
		lock xadd [eax], ecx
		mov	[ebp+var_8], ebx
		xor	ebx, ebx

loc_49BED0:				; CODE XREF: RtlpHpLfhSubsegmentCreate+120DC9j
		test	ebx, ebx
		jnz	loc_5BCB3E

loc_49BED8:				; CODE XREF: RtlpHpLfhSubsegmentCreate+120DC0j
					; RtlpHpLfhSubsegmentCreate+120DE2j
		cmp	[ebp+var_1C], 0
		jnz	short loc_49BF08
		cmp	byte ptr [esi+1Dh], 0
		lea	edi, [esi+44h]
		jnz	short loc_49BF1A
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_49BF51

loc_49BEF5:				; CODE XREF: RtlpHpLfhSubsegmentCreate+1E8j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_49BF08:				; CODE XREF: RtlpHpLfhSubsegmentCreate+16Cj
					; RtlpHpLfhSubsegmentCreate+1B9j
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_49BF12:				; CODE XREF: RtlpHpLfhSubsegmentCreate+7Cj
		push	0Ch
		pop	eax
		jmp	loc_49BDF2
; 

loc_49BF1A:				; CODE XREF: RtlpHpLfhSubsegmentCreate+175j
		push	edi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_49BF08
; 

loc_49BF2B:				; CODE XREF: RtlpHpLfhSubsegmentCreate+A7j
		push	0Ch
		pop	ecx
		jmp	loc_49BE1D
; 

loc_49BF33:				; CODE XREF: RtlpHpLfhSubsegmentCreate+B4j
		mov	edi, eax
		jmp	loc_49BE2A
; 

loc_49BF3A:				; CODE XREF: RtlpHpLfhSubsegmentCreate+102j
		test	byte ptr _RtlpHpLfhPerfFlags, 2
		jz	loc_49BE78

loc_49BF47:				; CODE XREF: RtlpHpLfhSubsegmentCreate+10Cj
		mov	eax, edi
		mov	[ebp+var_8], edi
		jmp	loc_49BE8F
; 

loc_49BF51:				; CODE XREF: RtlpHpLfhSubsegmentCreate+183j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_49BEF5
RtlpHpLfhSubsegmentCreate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpCalculateSubsegmentSizeIndex(x,	x)
_RtlpCalculateSubsegmentSizeIndex@8 proc near ;	CODE XREF: RtlpHpLfhSubsegmentCreate+74p
					; RtlpHpLfhSubsegmentCreate+9Dp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, 78000h
		cmp	ecx, eax
		jnb	short loc_49BF81

loc_49BF69:				; CODE XREF: RtlpCalculateSubsegmentSizeIndex(x,x)+29j
		lea	eax, [ecx-1]
		bsr	eax, eax
		inc	eax
		cmp	eax, 7
		jbe	short loc_49BF85

loc_49BF75:				; CODE XREF: RtlpCalculateSubsegmentSizeIndex(x,x)+2Ej
		cmp	eax, 12h
		jnb	short loc_49BF7C
		leave
		retn
; 

loc_49BF7C:				; CODE XREF: RtlpCalculateSubsegmentSizeIndex(x,x)+1Ej
		push	12h
		pop	eax
		leave
		retn
; 

loc_49BF81:				; CODE XREF: RtlpCalculateSubsegmentSizeIndex(x,x)+Dj
		mov	ecx, eax
		jmp	short loc_49BF69
; 

loc_49BF85:				; CODE XREF: RtlpCalculateSubsegmentSizeIndex(x,x)+19j
		push	7
		pop	eax
		jmp	short loc_49BF75
_RtlpCalculateSubsegmentSizeIndex@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegLfhAllocate(x, x, x, x, x)
_RtlpHpSegLfhAllocate@20 proc near	; DATA XREF: RtlpHpHeapCreate+142o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		mov	eax, [ebp+arg_8]
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		and	eax, 1
		mov	ecx, [ebp+arg_0]
		or	eax, 8000000h
		push	eax
		call	RtlpHpSegSubAllocate
		pop	ebp
		retn	14h
_RtlpHpSegLfhAllocate@20 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpHpLfhSlotAddSubsegment(x, x)
_RtlpHpLfhSlotAddSubsegment@8 proc near	; CODE XREF: RtlpHpLfhSlotAllocate+F1Cp
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		mov	edx, edi
		mov	ecx, esi
		call	_RtlpHpLfhSubsegmentSetOwner@8 ; RtlpHpLfhSubsegmentSetOwner(x,x)
		xor	ecx, ecx
		cmp	[edi+4], ecx
		ja	short loc_49BFD9

loc_49BFC8:				; CODE XREF: RtlpHpLfhSlotAddSubsegment(x,x)+31j
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	RtlpHpLfhOwnerMoveSubsegment
		mov	esi, eax

loc_49BFD4:				; CODE XREF: RtlpHpLfhSlotAddSubsegment(x,x)+36j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_49BFD9:				; CODE XREF: RtlpHpLfhSlotAddSubsegment(x,x)+16j
		mov	ax, [esi+10h]
		cmp	ax, [esi+12h]
		jnz	short loc_49BFC8
		mov	[esi+8], ecx
		jmp	short loc_49BFD4
_RtlpHpLfhSlotAddSubsegment@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpHpLfhSubsegmentSetOwner(x, x)
_RtlpHpLfhSubsegmentSetOwner@8 proc near ; CODE	XREF: RtlpHpLfhSlotAddSubsegment(x,x)+Cp
					; RtlpHpLfhBucketAddSubsegment+4Ap
		mov	edi, edi
		push	esi
		push	edi
		lea	edi, [ecx+10h]
		mov	ax, [edi]
		lea	esi, [ecx+8]
		cmp	ax, [ecx+12h]
		jz	short loc_49C005
		xchg	edx, [esi]
		test	dl, 1
		jnz	short loc_49C009

loc_49C002:				; CODE XREF: RtlpHpLfhSubsegmentSetOwner(x,x)+1Fj
					; RtlpHpLfhSubsegmentSetOwner(x,x)+27j
		pop	edi
		pop	esi
		retn
; 

loc_49C005:				; CODE XREF: RtlpHpLfhSubsegmentSetOwner(x,x)+11j
		mov	[esi], edx
		jmp	short loc_49C002
; 

loc_49C009:				; CODE XREF: RtlpHpLfhSubsegmentSetOwner(x,x)+18j
		shr	edx, 1
		lock xadd [edi], edx
		jmp	short loc_49C002
_RtlpHpLfhSubsegmentSetOwner@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpLfhOwnerMoveSubsegment proc near	; CODE XREF: RtlpHpLfhSlotAddSubsegment(x,x)+1Dp
					; RtlpHpLfhBucketAddSubsegment+64p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BCB57 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		movzx	eax, byte ptr [edx+16h]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], esi
		push	edi
		sub	eax, 0
		jz	short loc_49C08D
		sub	eax, 1
		jz	loc_5BCB57
		sub	eax, 1
		jnz	short loc_49C084
		xor	ebx, ebx

loc_49C03A:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+120B48j
		xor	edi, edi

loc_49C03C:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+81j
		mov	eax, [ebp+arg_0]
		sub	eax, 0
		jnz	short loc_49C095
		lea	eax, [esi+0Ch]
		lea	ecx, [esi+4]

loc_49C04A:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+8Fj
		test	ebx, ebx
		jnz	short loc_49C0A3

loc_49C04E:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+A9j
					; RtlpHpLfhOwnerMoveSubsegment+ADj
		mov	ebx, [ebp+arg_0]
		mov	[edx+16h], bl
		test	eax, eax
		jz	short loc_49C071
		mov	edi, [eax+4]
		cmp	[edi], eax
		jnz	short loc_49C0D2
		mov	[edx], eax
		mov	[edx+4], edi
		mov	[edi], edx
		mov	[eax+4], edx
		test	ecx, ecx
		jz	short loc_49C06F
		inc	dword ptr [ecx]

loc_49C06F:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+59j
		xor	edx, edx

loc_49C071:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+44j
		test	byte ptr [esi],	1
		jnz	short loc_49C080
		cmp	dword ptr [esi+4], 8
		ja	loc_5BCB5F

loc_49C080:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+62j
					; RtlpHpLfhOwnerMoveSubsegment+120B6Ej
		test	edx, edx
		jnz	short loc_49C0C1

loc_49C084:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+24j
					; RtlpHpLfhOwnerMoveSubsegment+8Bj ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	4
; 

loc_49C08D:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+16j
		lea	ebx, [esi+0Ch]
		lea	edi, [esi+4]
		jmp	short loc_49C03C
; 

loc_49C095:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+30j
		sub	eax, 1
		jz	short loc_49C0CD
		sub	eax, 1
		jnz	short loc_49C084

loc_49C09F:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+BEj
		xor	ecx, ecx
		jmp	short loc_49C04A
; 

loc_49C0A3:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+3Aj
		mov	ebx, [edx]
		cmp	[ebx+4], edx
		jnz	short loc_49C0D2
		mov	esi, [edx+4]
		cmp	[esi], edx
		jnz	short loc_49C0D2
		mov	[esi], ebx
		mov	[ebx+4], esi
		mov	esi, [ebp+var_4]
		test	edi, edi
		jz	short loc_49C04E
		dec	dword ptr [edi]
		jmp	short loc_49C04E
; 

loc_49C0C1:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+70j
		cmp	byte ptr [edx+16h], 2
		jnz	short loc_49C084
		and	dword ptr [edx+8], 0
		jmp	short loc_49C084
; 

loc_49C0CD:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+86j
		lea	eax, [esi+14h]
		jmp	short loc_49C09F
; 

loc_49C0D2:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+4Bj
					; RtlpHpLfhOwnerMoveSubsegment+96j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
RtlpHpLfhOwnerMoveSubsegment endp


;  S U B	R O U T	I N E 


; __stdcall RtlpHpAcquireLockExclusive(x, x)
_RtlpHpAcquireLockExclusive@8 proc near	; CODE XREF: RtlpHpLfhBucketAddSubsegment+3Dp
					; RtlpHpLfhSubsegmentFreeBlock+280p ...
		test	edx, edx
		jz	short loc_49C0E3
		push	ecx
		call	ExAcquireSpinLockExclusive
		retn
; 

loc_49C0E3:				; CODE XREF: RtlpHpAcquireLockExclusive(x,x)+2j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	al, 0FFh
		retn
_RtlpHpAcquireLockExclusive@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpLfhSubsegmentDecBlockCounts proc near
					; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+1B1p
					; RtlpHpLfhSlotAllocate+BB5F1p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BCB85 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		movzx	ebx, word ptr [edx+1Eh]
		push	esi
		mov	esi, [ebp+arg_0]
		add	ebx, edx
		push	edi
		mov	edi, esi
		mov	[ebp+var_8], ecx
		movzx	ecx, byte ptr [edx+1Ch]
		dec	esi
		add	eax, esi
		shr	edi, cl
		shr	eax, cl
		sub	eax, edi
		mov	[ebp+var_4], edx
		inc	eax
		lea	edx, [edi+edi]
		add	ebx, edx
		mov	[ebp+arg_0], edx
		xor	edx, edx
		lea	edi, [ebx+eax*2]
		or	eax, 0FFFFFFFFh
		mov	[ebp+arg_4], eax
		mov	esi, eax
		cmp	ebx, edi
		jnb	short loc_49C19A
		mov	ecx, [ebp+arg_0]

loc_49C144:				; CODE XREF: RtlpHpLfhSubsegmentDecBlockCounts+6Dj
		lock xadd [ebx], ax
		dec	ax
		movzx	eax, ax
		test	ax, ax
		jz	loc_5BCB85
		cmp	ax, word ptr [ebp+arg_4]
		jnz	short loc_49C15E
		dec	edx

loc_49C15E:				; CODE XREF: RtlpHpLfhSubsegmentDecBlockCounts+5Fj
		or	eax, 0FFFFFFFFh

loc_49C161:				; CODE XREF: RtlpHpLfhSubsegmentDecBlockCounts+120A8Fj
					; RtlpHpLfhSubsegmentDecBlockCounts+120A99j
		add	ebx, 2
		add	ecx, 2
		cmp	ebx, edi
		jb	short loc_49C144
		test	edx, edx
		jz	short loc_49C19A
		test	byte ptr _RtlpHpLfhPerfFlags, 20h
		jz	short loc_49C19A
		mov	eax, [ebp+var_4]
		mov	cl, [eax+1Ch]
		shl	edx, cl
		mov	ecx, 1000h
		mov	eax, edx
		cdq
		idiv	ecx
		mov	edx, [ebp+var_8]
		movsx	ecx, word ptr [edx+1Eh]
		add	ecx, 0Ch
		add	ecx, edx
		lock xadd [ecx], eax

loc_49C19A:				; CODE XREF: RtlpHpLfhSubsegmentDecBlockCounts+43j
					; RtlpHpLfhSubsegmentDecBlockCounts+71j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
RtlpHpLfhSubsegmentDecBlockCounts endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConvertAndFlushWsleVas(x,	x)
_MiConvertAndFlushWsleVas@8 proc near	; CODE XREF: MiEliminateZeroPages+162p
					; MiEliminateZeroPages+185p ...

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		cmp	dword ptr [edi+0Ch], 0
		jz	loc_49C2EA
		and	[esp+28h+var_10], 0
		mov	esi, [edi+14h]
		call	MiLockWorkingSetShared
		mov	edx, esi
		mov	[esp+28h+var_19], al
		shr	edx, 9
		lea	eax, [esp+28h+var_4]
		and	edx, offset loc_7FFFF8
		mov	ecx, ebx
		push	eax
		sub	edx, 40000000h
		call	MiLockLowestValidPageTable
		shr	esi, 12h
		and	esi, 3FF8h
		mov	[esp+28h+var_4], eax
		sub	esi, 3FA00000h
		cmp	eax, esi
		jz	short loc_49C210
		and	dword ptr [edi+0Ch], 0
		mov	edx, eax
		jmp	loc_49C2D8
; 

loc_49C210:				; CODE XREF: MiConvertAndFlushWsleVas(x,x)+5Fj
		xor	ecx, ecx
		mov	[esp+28h+var_14], ecx
		cmp	[edi+0Ch], ecx
		jbe	loc_49C2B8
		lea	esi, [edi+14h]
		mov	eax, esi
		mov	[esp+28h+var_18], esi

loc_49C228:				; CODE XREF: MiConvertAndFlushWsleVas(x,x)+10Ej
		mov	edx, [eax]
		mov	eax, edx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	ecx, [eax-40000000h]
		mov	[esp+28h+var_C], ecx
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[esp+28h+var_8], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_49C29C
		mov	ecx, ebx
		call	_MiTryLocateWsle@8 ; MiTryLocateWsle(x,x)
		and	al, 0Fh
		cmp	al, 0Ah
		jz	short loc_49C29C
		nop
		mov	eax, [esp+28h+var_C]
		mov	ecx, [esp+28h+var_8]
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		imul	eax, 1Ch
		add	eax, ds:_MmPfnDatabase
		test	dword ptr [eax+18h], (offset loc_7FFFFF+1)
		jnz	short loc_49C28D
		mov	eax, [eax+4]
		test	eax, eax
		js	short loc_49C28D
		jnz	short loc_49C29C

loc_49C28D:				; CODE XREF: MiConvertAndFlushWsleVas(x,x)+DEj
					; MiConvertAndFlushWsleVas(x,x)+E5j
		mov	eax, [esp+28h+var_18]
		inc	[esp+28h+var_10]
		mov	eax, [eax]
		mov	[esi], eax
		add	esi, 4

loc_49C29C:				; CODE XREF: MiConvertAndFlushWsleVas(x,x)+ADj
					; MiConvertAndFlushWsleVas(x,x)+BAj ...
		inc	[esp+28h+var_14]
		mov	eax, [esp+28h+var_18]
		mov	ecx, [esp+28h+var_14]
		add	eax, 4
		mov	[esp+28h+var_18], eax
		cmp	ecx, [edi+0Ch]
		jb	loc_49C228

loc_49C2B8:				; CODE XREF: MiConvertAndFlushWsleVas(x,x)+75j
		mov	eax, [esp+28h+var_10]
		test	eax, eax
		jz	short loc_49C2D0
		push	0
		mov	edx, edi
		mov	[edi+0Ch], eax
		mov	ecx, ebx
		call	MiFreeWsleList
		jmp	short loc_49C2D4
; 

loc_49C2D0:				; CODE XREF: MiConvertAndFlushWsleVas(x,x)+11Aj
		and	dword ptr [edi+0Ch], 0

loc_49C2D4:				; CODE XREF: MiConvertAndFlushWsleVas(x,x)+12Aj
		mov	edx, [esp+28h+var_4]

loc_49C2D8:				; CODE XREF: MiConvertAndFlushWsleVas(x,x)+67j
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [esp+28h+var_19]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared

loc_49C2EA:				; CODE XREF: MiConvertAndFlushWsleVas(x,x)+16j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiConvertAndFlushWsleVas@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiTryLocateWsle(x, x)
_MiTryLocateWsle@8 proc	near		; CODE XREF: MiConvertAndFlushWsleVas(x,x)+B1p
					; MiRecheckEPTAccessedVa(x,x)+23p
		movzx	eax, byte ptr [ecx+60h]
		push	esi
		and	eax, 7
		mov	esi, edx
		shr	esi, 0Ch
		add	esi, dword_6D2E68[eax*4]
		mov	ecx, esi
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_49C315
		mov	al, [esi]
		pop	esi
		retn
; 

loc_49C315:				; CODE XREF: MiTryLocateWsle(x,x)+1Dj
		mov	al, 0Ah
		pop	esi
		retn
_MiTryLocateWsle@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpLfhBucketAddSubsegment proc near	; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+3A2p
					; RtlpHpLfhSlotAllocate+142Fp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BCB9A SIZE 00000009 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		push	esi
		push	edi
		mov	edi, [ebx+8]
		mov	esi, edx
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], ecx
		mov	ax, [edi+10h]
		cmp	ax, [edi+12h]
		jz	short loc_49C3B2
		movzx	edx, byte ptr [ecx+1Dh]
		add	esi, 8
		mov	ecx, esi
		mov	[ebp+var_8], esi
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		mov	byte ptr [ebp+var_4+3],	al
		call	_RtlpHpLfhSubsegmentSetOwner@8 ; RtlpHpLfhSubsegmentSetOwner(x,x)
		mov	cx, [edi+10h]
		cmp	cx, [edi+12h]
		jz	loc_5BCB9A
		mov	ecx, [ebp+var_C]
		mov	edx, edi
		push	0
		call	RtlpHpLfhOwnerMoveSubsegment
		mov	[ebx+8], eax

loc_49C386:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+120884j
		mov	eax, [ebp+var_10]
		cmp	byte ptr [eax+1Dh], 0
		jz	short loc_49C3C8
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_49C3AC
; 

loc_49C3A0:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+D2j
					; RtlpHpLfhBucketAddSubsegment+1FDj ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_49C3AC:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+84j
		mov	ecx, [ebp+var_10]
		mov	esi, [ebp+var_C]

loc_49C3B2:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+2Fj
		mov	edx, [ebx+8]
		test	edx, edx
		jnz	loc_49C477

loc_49C3BD:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+16Aj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_49C3C8:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+73j
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_14], edx
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_49C3E1
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_49C3E1:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+BEj
		xor	edi, edi
		mov	[ebp+var_18], edi
		test	esi, 7FFFFFFCh
		jz	short loc_49C3A0
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], esi
		pop	edx
		jb	short loc_49C489
		cmp	byte ptr dword_6D3994[ecx], 1
		jnz	short loc_49C489

loc_49C419:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+17Bj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_8]

loc_49C42C:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+172j
					; RtlpHpLfhBucketAddSubsegment+17Dj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_49C499
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_49C4FB
		push	ecx
		push	[ebp+var_14]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_49C477:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+9Dj
		mov	eax, [ebx+0Ch]
		and	eax, 1
		push	eax
		push	esi
		call	_RtlpHpLfhSubsegmentFree@16 ; RtlpHpLfhSubsegmentFree(x,x,x,x)
		jmp	loc_49C3BD
; 

loc_49C489:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+F4j
					; RtlpHpLfhBucketAddSubsegment+FDj
		cmp	eax, [ebp+var_30]
		jb	short loc_49C42C
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	short loc_49C419
		jmp	short loc_49C42C
; 

loc_49C499:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+13Bj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_49C4AF
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_49C4AF:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+18Bj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_18], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_49C583
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_49C4FB:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+145j
					; RtlpHpLfhBucketAddSubsegment+27Bj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jnz	short loc_49C533

loc_49C50E:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+258j
					; RtlpHpLfhBucketAddSubsegment+267j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	loc_49C3A0
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	loc_49C3A0
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_49C3A0
; 

loc_49C533:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+1F2j
		test	edi, 8000h
		jz	short loc_49C544
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_49C544:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+21Fj
		test	byte ptr [ebp+var_18+2], 1
		jz	short loc_49C554
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_49C554:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+22Ej
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_49C568
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_49C568:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+241j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_49C50E
		push	[ebp+var_34]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_49C50E
; 

loc_49C583:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+1CBj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_34]
		jmp	loc_49C4FB
RtlpHpLfhBucketAddSubsegment endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetPageTablePfnBuddy(x, x, x)
_MiSetPageTablePfnBuddy@12 proc	near	; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+115p
					; MmInSwapProcess+162736p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jnz	short loc_49C5E1
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	bl, al

loc_49C5B3:				; CODE XREF: MiSetPageTablePfnBuddy(x,x,x)+49j
		lea	edx, [edi+edi]
		xor	edx, [esi]
		lea	ecx, [edi+edi]
		and	edx, 0Fh
		xor	edx, ecx
		mov	[esi], edx
		cmp	bl, 21h
		jz	short loc_49C5DA
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_49C5DA:				; CODE XREF: MiSetPageTablePfnBuddy(x,x,x)+2Bj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_49C5E1:				; CODE XREF: MiSetPageTablePfnBuddy(x,x,x)+10j
		mov	bl, 21h
		jmp	short loc_49C5B3
_MiSetPageTablePfnBuddy@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializePfnForOtherProcess proc near ; CODE	XREF: MiMapPageFileHash+240p
					; MiDuplicateCloneLeaf(x,x,x,x,x)+204p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BCBA3 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		imul	esi, ecx, 1Ch
		push	edi
		mov	[ebp+var_8], edx
		add	esi, ds:_MmPfnDatabase
		test	bl, 10h
		jnz	loc_49C6A0
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	byte ptr [ebp+arg_4+3],	al

loc_49C612:				; CODE XREF: MiInitializePfnForOtherProcess+CAj
		mov	edi, [esi+10h]
		mov	eax, [ebp+var_8]
		and	edi, 0F87FFFFFh
		push	0
		push	80h
		mov	[esi+4], eax
		mov	[esi+10h], edi
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[esi+8], eax
		xor	eax, eax
		inc	eax
		mov	[esi+0Ch], edx
		mov	[esi+14h], ax
		test	bl, bl
		js	short loc_49C6BB
		and	edi, 0C0000001h
		lea	ecx, [esi+10h]
		or	edi, eax
		mov	[ecx], edi

loc_49C64E:				; CODE XREF: MiInitializePfnForOtherProcess+E1j
		or	byte ptr [esi+16h], 10h
		test	ebx, 200h
		jz	short loc_49C664
		mov	al, [esi+16h]
		and	al, 0FEh
		or	al, 6
		mov	[esi+16h], al

loc_49C664:				; CODE XREF: MiInitializePfnForOtherProcess+72j
		mov	eax, [esi+18h]
		xor	eax, [ebp+arg_0]
		and	eax, offset loc_7FFFFF
		xor	[esi+18h], eax
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	al, byte ptr [ebp+arg_4+3]
		cmp	al, 21h
		jz	short loc_49C689
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_49C689:				; CODE XREF: MiInitializePfnForOtherProcess+99j
		pop	edi
		pop	esi
		test	ebx, 800h
		pop	ebx
		jnz	short locret_49C69C
		mov	ecx, [ebp+arg_0]
		call	MiLockAndIncrementShareCount

locret_49C69C:				; CODE XREF: MiInitializePfnForOtherProcess+ACj
		leave
		retn	8
; 

loc_49C6A0:				; CODE XREF: MiInitializePfnForOtherProcess+1Cj
		and	[ebp+var_4], 0
		lea	edi, [esi+10h]
		mov	byte ptr [ebp+arg_4+3],	21h

loc_49C6AB:				; CODE XREF: MiInitializePfnForOtherProcess+1205CBj
		lock bts dword ptr [edi], 1Fh
		jnb	loc_49C612
		jmp	loc_5BCBA3
; 

loc_49C6BB:				; CODE XREF: MiInitializePfnForOtherProcess+59j
		mov	edx, eax
		mov	ecx, esi
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		lea	ecx, [esi+10h]
		jmp	short loc_49C64E
MiInitializePfnForOtherProcess endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiGetPfnLink(x)
_MiGetPfnLink@4	proc near		; CODE XREF: MiReturnReservedEnclavePages(x,x)+10p
					; MiInitializePageDirectoryPages+133p ...
		mov	eax, [ecx]
		retn
_MiGetPfnLink@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVsSubsegmentFree(x, x, x)
_RtlpHpVsSubsegmentFree@12 proc	near	; CODE XREF: RtlpHpVsContextFreeList+2B5p
					; RtlpHpHeapDestroy+C1p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, word ptr [edx+14h]
		push	[ebp+arg_0]
		lea	eax, ds:18h[eax*8]
		push	eax
		mov	eax, [ecx+80h]
		xor	eax, ecx
		push	edx
		push	eax
		mov	eax, [ecx+88h]
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, ecx
		call	eax
		pop	ebp
		retn	4
_RtlpHpVsSubsegmentFree@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVsContextMultiAlloc(x, x, x, x, x, x)
_RtlpHpVsContextMultiAlloc@24 proc near	; CODE XREF: ExAllocateHeapPool+A15p

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_C], edx
		lea	edi, [ebp+var_18]
		mov	[ebp+var_8], ecx
		stosd
		xor	esi, esi
		mov	ebx, esi
		mov	[ebp+var_4], esi
		stosd
		stosd
		mov	edi, esi
		cmp	[ebp+arg_0], ebx
		jbe	short loc_49C76A

loc_49C727:				; CODE XREF: RtlpHpVsContextMultiAlloc(x,x,x,x,x,x)+4Ej
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+arg_4]
		push	edx
		call	RtlpHpVsContextAllocateInternal
		test	eax, eax
		jz	short loc_49C750
		test	ebx, ebx
		jz	short loc_49C77D

loc_49C740:				; CODE XREF: RtlpHpVsContextMultiAlloc(x,x,x,x,x,x)+7Fj
		mov	ecx, [ebp+var_8]
		inc	edi
		mov	edx, [ebp+var_C]
		mov	[eax], esi
		mov	esi, eax
		cmp	edi, [ebp+arg_0]
		jb	short loc_49C727

loc_49C750:				; CODE XREF: RtlpHpVsContextMultiAlloc(x,x,x,x,x,x)+3Aj
		cmp	[ebp+var_4], 0
		jz	short loc_49C76A
		test	byte ptr [ebp+arg_4], 1
		jnz	short loc_49C76A
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_18]
		mov	ecx, [ecx+4]
		call	RtlpHpReleaseQueuedLockExclusive

loc_49C76A:				; CODE XREF: RtlpHpVsContextMultiAlloc(x,x,x,x,x,x)+25j
					; RtlpHpVsContextMultiAlloc(x,x,x,x,x,x)+54j ...
		mov	ecx, [ebp+arg_8]
		mov	eax, edi
		pop	edi
		mov	[ecx], esi
		mov	ecx, [ebp+arg_C]
		pop	esi
		mov	[ecx], ebx
		pop	ebx
		leave
		retn	10h
; 

loc_49C77D:				; CODE XREF: RtlpHpVsContextMultiAlloc(x,x,x,x,x,x)+3Ej
		mov	ebx, eax
		jmp	short loc_49C740
_RtlpHpVsContextMultiAlloc@24 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1978. RtlClearAllBits

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlClearAllBits(x)
		public _RtlClearAllBits@4
_RtlClearAllBits@4 proc	near		; CODE XREF: MiDeleteEmptyPageTableTail(x)+F7p
					; RtlShiftLeftBitMap(x,x)+18p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	0
		pop	eax
		mov	ecx, [edx]
		test	cl, 1Fh
		setnz	al
		shr	ecx, 5
		add	eax, ecx
		shl	eax, 2
		push	eax		; size_t
		push	0		; int
		push	dword ptr [edx+4] ; void *
		call	_memset
		add	esp, 0Ch
		pop	ebp
		retn	4
_RtlClearAllBits@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMarkPteDirty(x)
_MiMarkPteDirty@4 proc near		; CODE XREF: .text:0045C79Ep

var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	byte ptr [ebp+var_1], cl
		mov	edx, [esi]
		nop
		mov	eax, [esi+4]
		mov	[ebp+var_8], eax
		mov	eax, edx
		and	eax, 42h
		or	eax, ecx
		jz	short loc_49C7D9

loc_49C7D6:				; CODE XREF: MiMarkPteDirty(x)+2Dj
					; MiMarkPteDirty(x)+93j
		pop	esi
		leave
		retn
; 

loc_49C7D9:				; CODE XREF: MiMarkPteDirty(x)+20j
		and	edx, 800h
		or	edx, ecx
		jz	short loc_49C7D6
		push	ebx
		push	edi
		xor	ecx, ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	edi, eax
		mov	edx, esi
		lea	eax, [ebp+var_1]
		mov	ecx, edi
		push	eax
		call	_MiLockWorkingSetOptimal@12 ; MiLockWorkingSetOptimal(x,x,x)
		mov	edx, [esi]
		mov	ebx, eax
		nop
		mov	eax, [esi+4]
		mov	ecx, edx
		and	ecx, 1
		mov	[ebp+var_8], eax
		or	ecx, 0
		jz	short loc_49C832
		mov	eax, edx
		and	eax, 42h
		or	eax, 0
		jnz	short loc_49C832
		mov	eax, edx
		and	eax, 800h
		or	eax, 0
		jz	short loc_49C832
		or	edx, 62h
		nop
		mov	eax, [ebp+var_8]
		mov	[esi], edx
		mov	[esi+4], eax

loc_49C832:				; CODE XREF: MiMarkPteDirty(x)+5Aj
					; MiMarkPteDirty(x)+64j ...
		mov	edx, ebx
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		pop	edi
		pop	ebx
		jmp	short loc_49C7D6
_MiMarkPteDirty@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiGetAnyMultiplexedVm(x)
_MiGetAnyMultiplexedVm@4 proc near	; CODE XREF: MiReturnSystemVa(x,x,x,x)+16Fp
					; MiIsCfgBitMapPageShared(x,x)+EEp ...
		cmp	ecx, 1
		jge	short loc_49C85B
		imul	ecx, 64h
		add	ecx, offset unk_6D5E80

loc_49C858:				; CODE XREF: MiGetAnyMultiplexedVm(x)+1Aj
		mov	eax, ecx
		retn
; 

loc_49C85B:				; CODE XREF: MiGetAnyMultiplexedVm(x)+3j
		shl	ecx, 8
		add	ecx, offset unk_6D3640
		jmp	short loc_49C858
_MiGetAnyMultiplexedVm@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeTbFlushList(x, x, x)
_MiInitializeTbFlushList@12 proc near	; CODE XREF: MiEliminateZeroPages+78p
					; MmDeleteShadowMapping(x,x)+76p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ecx], edx
		mov	[ecx+0Ch], ebx
		mov	[ecx+4], bx
		mov	[ecx+10h], ebx
		mov	[ecx+14h], ebx
		mov	[ecx+8], eax
		pop	ebx
		pop	ebp
		retn	4
_MiInitializeTbFlushList@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetPdeAddress(x)
_MiGetPdeAddress@4 proc	near		; CODE XREF: KiCalibrateTimeAdjustment+2B6p
					; KiCalibrateTimeAdjustment+2C3p ...
		shr	ecx, 12h
		and	ecx, 3FF8h
		lea	eax, [ecx-3FA00000h]
		retn
_MiGetPdeAddress@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVsSubsegmentCreate proc near	; CODE XREF: RtlpHpVsContextAllocateInternal+260p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BCBB6 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_C]
		push	eax
		mov	esi, ecx
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_10], edi
		call	_RtlpHpVsSubsegmentComputeSize@12 ; RtlpHpVsSubsegmentComputeSize(x,x,x)
		mov	edx, eax
		mov	[ebp+var_4], eax

loc_49C8BE:				; CODE XREF: RtlpHpVsSubsegmentCreate+B9j
		mov	ecx, [esi+80h]
		lea	ebx, [ebp+var_8]
		mov	eax, _RtlpHpHeapGlobals
		xor	ecx, esi
		push	ebx
		lea	ebx, [ebp+var_10]
		xor	eax, esi
		xor	eax, [esi+84h]
		push	ebx
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	eax
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_49C942
		test	byte ptr [ebp+var_10], 1
		mov	edx, [ebp+var_4]
		jnz	short loc_49C8F6
		mov	edx, 1000h

loc_49C8F6:				; CODE XREF: RtlpHpVsSubsegmentCreate+57j
		mov	ecx, [esi+80h]
		mov	eax, [esi+8Ch]
		xor	ecx, esi
		xor	eax, _RtlpHpHeapGlobals
		push	edx
		push	ebx
		xor	eax, esi
		mov	[ebp+var_C], edx
		push	ecx
		call	eax
		test	eax, eax
		js	loc_5BCBB6
		mov	edx, [ebp+var_C]
		lea	eax, [esi+18h]
		mov	ecx, edx
		shr	ecx, 0Ch
		lock xadd [eax], ecx
		push	ecx
		push	edx
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_RtlpHpVsSubsegmentInitialize@16 ; RtlpHpVsSubsegmentInitialize(x,x,x,x)
		mov	edi, ebx

loc_49C939:				; CODE XREF: RtlpHpVsSubsegmentCreate+120320j
					; RtlpHpVsSubsegmentCreate+120346j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_49C942:				; CODE XREF: RtlpHpVsSubsegmentCreate+4Ej
		mov	edx, [ebp+var_8]
		cmp	edx, [ebp+var_C]
		jb	loc_5BCBB6
		mov	[ebp+var_4], edx
		jmp	loc_49C8BE
RtlpHpVsSubsegmentCreate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVsSubsegmentInitialize(x, x, x, x)
_RtlpHpVsSubsegmentInitialize@16 proc near ; CODE XREF:	RtlpHpVsSubsegmentCreate+9Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		push	6
		pop	ecx
		lea	eax, [esi-18h]
		mov	edi, ebx
		shr	eax, 3
		or	edx, 0FFFFFFFFh
		movzx	eax, ax
		mov	[ebp+var_4], eax
		xor	eax, eax
		rep stosd
		mov	eax, [ebp+arg_0]
		push	40h
		shr	eax, 0Ch
		pop	ecx
		sub	ecx, eax
		mov	eax, edx
		call	__aullshr
		mov	[ebx+8], eax
		xor	ecx, ecx
		mov	ax, [ebx+16h]
		cmp	[ebp+arg_0], esi
		mov	esi, 7FFFh
		mov	[ebx+0Ch], edx
		mov	edx, [ebp+var_4]
		setz	cl
		and	ax, si
		shl	cx, 0Fh
		or	cx, ax
		mov	[ebx+14h], dx
		mov	[ebx+16h], cx
		mov	ax, cx
		xor	ax, dx
		mov	ecx, 2BEDh
		xor	ax, cx
		and	edx, esi
		and	ax, si
		lea	ecx, [ebx+18h]
		xor	[ebx+16h], ax
		and	dword ptr [ecx], 0
		and	dword ptr [ecx+4], 0
		lea	eax, [edx+edx]
		mov	[ecx], eax
		xor	eax, _RtlpHpHeapGlobals
		pop	edi
		xor	eax, ecx
		pop	esi
		mov	[ecx], eax
		pop	ebx
		leave
		retn	8
_RtlpHpVsSubsegmentInitialize@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVsSubsegmentComputeSize(x, x,	x)
_RtlpHpVsSubsegmentComputeSize@12 proc near ; CODE XREF: RtlpHpVsSubsegmentCreate+1Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		lea	ecx, [edx+1027h]
		and	ecx, 0FFFFF000h
		lea	edx, ds:28h[edx*2]
		mov	[eax], ecx
		lea	eax, [edx-1]
		test	eax, edx
		jz	short loc_49CA1F
		bsr	ecx, edx
		xor	edx, edx
		inc	edx
		lea	ecx, [ecx+1]
		shl	edx, cl

loc_49CA1F:				; CODE XREF: RtlpHpVsSubsegmentComputeSize(x,x,x)+22j
		mov	eax, 10000h
		cmp	edx, eax
		jbe	short loc_49CA37

loc_49CA28:				; CODE XREF: RtlpHpVsSubsegmentComputeSize(x,x,x)+49j
		mov	eax, 40000h
		cmp	edx, eax
		jnb	short loc_49CA3B

loc_49CA31:				; CODE XREF: RtlpHpVsSubsegmentComputeSize(x,x,x)+4Dj
		mov	eax, edx
		pop	ebp
		retn	4
; 

loc_49CA37:				; CODE XREF: RtlpHpVsSubsegmentComputeSize(x,x,x)+36j
		mov	edx, eax
		jmp	short loc_49CA28
; 

loc_49CA3B:				; CODE XREF: RtlpHpVsSubsegmentComputeSize(x,x,x)+3Fj
		mov	edx, eax
		jmp	short loc_49CA31
_RtlpHpVsSubsegmentComputeSize@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegVsAllocate(x, x, x, x, x)
_RtlpHpSegVsAllocate@20	proc near	; DATA XREF: RtlpHpHeapCreate+EBo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		mov	eax, [ebp+arg_8]
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		and	eax, 1
		mov	ecx, [ebp+arg_0]
		or	eax, 0C000000h
		push	eax
		call	RtlpHpSegSubAllocate
		pop	ebp
		retn	14h
_RtlpHpSegVsAllocate@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegSubAllocate proc near		; CODE XREF: RtlpHpSegLfhAllocate(x,x,x,x,x)+1Dp
					; RtlpHpSegVsAllocate(x,x,x,x,x)+1Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005BCBE3 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		cmp	ebx, 10000h
		jb	short loc_49CA80
		or	eax, 4

loc_49CA80:				; CODE XREF: RtlpHpSegSubAllocate+15j
		push	eax
		push	0
		push	ebx
		call	RtlpHpSegAlloc
		mov	esi, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		mov	[ebp+arg_0], eax
		and	dword ptr [esi], 0
		and	dword ptr [ecx], 0
		test	eax, eax
		jz	short loc_49CABC
		mov	ecx, _RtlpHpLfhPerfFlags
		test	cl, cl
		jns	short loc_49CAB0
		mov	eax, [edi+1Ch]
		shr	eax, 8
		cmp	al, 2
		jnb	short loc_49CAC8

loc_49CAB0:				; CODE XREF: RtlpHpSegSubAllocate+3Ej
		test	ecx, 100h
		jnz	loc_5BCBE3

loc_49CABC:				; CODE XREF: RtlpHpSegSubAllocate+34j
					; RtlpHpSegSubAllocate+65j ...
		mov	ebx, [ebp+arg_0]

loc_49CABF:				; CODE XREF: RtlpHpSegSubAllocate+12019Aj
					; RtlpHpSegSubAllocate+1201A3j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_49CAC8:				; CODE XREF: RtlpHpSegSubAllocate+48j
		or	dword ptr [esi], 1
		jmp	short loc_49CABC
RtlpHpSegSubAllocate endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegLfhVsFree(x, x, x,	x)
_RtlpHpSegLfhVsFree@16 proc near	; DATA XREF: RtlpHpHeapCreate+F3o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		mov	edx, [ebp+arg_4]
		and	eax, 1
		mov	ecx, [ebp+arg_0]
		push	eax
		call	RtlpHpSegFree
		pop	ebp
		retn	10h
_RtlpHpSegLfhVsFree@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1390. MmCreateMdl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmCreateMdl(x, x, x)
		public _MmCreateMdl@12
_MmCreateMdl@12	proc near		; CODE XREF: MiPfAllocateMdls+27Cp
					; SmKmStoreFileWriteHeader(x,x,x,x)+6Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, edi
		and	esi, 0FFFh
		test	ecx, ecx
		jnz	short loc_49CB31
		lea	eax, [ebx+0FFFh]
		mov	edx, 6C646D4Dh
		add	eax, esi
		shr	eax, 0Ch
		push	0
		push	40h
		lea	ecx, ds:1Ch[eax*4]
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_49CB68

loc_49CB31:				; CODE XREF: MmCreateMdl(x,x,x)+1Bj
		and	dword ptr [ecx], 0
		lea	eax, [ebx+0FFFh]
		add	eax, esi
		mov	[ecx+18h], esi
		shr	eax, 0Ch
		mov	[ecx+14h], ebx
		lea	eax, ds:1Ch[eax*4]
		mov	[ecx+4], ax
		xor	eax, eax
		and	edi, 0FFFFF000h
		mov	[ecx+6], ax
		mov	[ecx+10h], edi
		mov	eax, ecx

loc_49CB61:				; CODE XREF: MmCreateMdl(x,x,x)+7Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_49CB68:				; CODE XREF: MmCreateMdl(x,x,x)+41j
		xor	eax, eax
		jmp	short loc_49CB61
_MmCreateMdl@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpHpCompactionRoutine(x)
_ExpHpCompactionRoutine@4 proc near	; DATA XREF: ExpHpGCTimerCallback(x,x)+1Do

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		and	[ebp+var_24], 0
		push	esi
		mov	[ebp+var_2C], 2
		mov	[ebp+var_28], 3
		mov	[ebp+var_20], 1
		mov	esi, [ebp+eax*8+var_28]
		push	edi
		mov	edi, [ebp+eax*8+var_2C]
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], esi
		mov	[ebp+var_C], edx
		cmp	dword_6D8E70, edx
		jz	loc_49CC6B
		mov	ecx, offset dword_6D8E80
		mov	[ebp+var_4], ecx

loc_49CBB9:				; CODE XREF: ExpHpCompactionRoutine(x)+F9j
		mov	[ebp+var_8], edi
		mov	eax, edi
		cmp	edi, esi
		jg	loc_49CC52
		mov	edi, [ebp+var_4]

loc_49CBC9:				; CODE XREF: ExpHpCompactionRoutine(x)+DBj
		mov	edx, [edi+eax*4]
		mov	[ebp+var_18], edx
		mov	ecx, [edx+1Ch]
		test	ecx, ecx
		jz	short loc_49CC05
		call	_RtlpDynamicLookasideFlush@8 ; RtlpDynamicLookasideFlush(x,x)
		mov	esi, eax

loc_49CBDD:				; CODE XREF: ExpHpCompactionRoutine(x)+91j
		mov	eax, esi
		mov	[ebp+var_10], eax
		test	esi, esi
		jz	short loc_49CBFF
		mov	esi, [esi]
		mov	ecx, eax
		call	ExGetHeapFromVA
		mov	edx, [ebp+var_10]
		push	ecx
		push	ecx
		push	0
		mov	ecx, eax
		call	RtlpHpFreeHeap
		jmp	short loc_49CBDD
; 

loc_49CBFF:				; CODE XREF: ExpHpCompactionRoutine(x)+78j
		mov	esi, [ebp+var_14]
		mov	edx, [ebp+var_18]

loc_49CC05:				; CODE XREF: ExpHpCompactionRoutine(x)+68j
		movsx	eax, word ptr [edx+112h]
		mov	ecx, [eax+edx+10Ch]
		add	ecx, [eax+edx+108h]
		mov	eax, [eax+edx+104h]
		mov	[ebp+var_18], ecx
		mov	cl, [edx+107h]
		shr	eax, cl
		cmp	eax, 8
		jbe	loc_49CCD6

loc_49CC35:				; CODE XREF: ExpHpCompactionRoutine(x)+16Dj
		cmp	[ebp+var_18], eax
		ja	loc_49CCDE

loc_49CC3E:				; CODE XREF: ExpHpCompactionRoutine(x)+179j
		mov	eax, [ebp+var_8]
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, esi
		jle	short loc_49CBC9
		mov	edi, [ebp+var_1C]
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_C]

loc_49CC52:				; CODE XREF: ExpHpCompactionRoutine(x)+54j
		inc	edx
		add	ecx, 20C0h
		mov	[ebp+var_C], edx
		mov	[ebp+var_4], ecx
		cmp	edx, dword_6D8E70
		jb	loc_49CBB9

loc_49CC6B:				; CODE XREF: ExpHpCompactionRoutine(x)+3Fj
		cmp	esi, 3
		jl	short loc_49CC73
		push	3
		pop	esi

loc_49CC73:				; CODE XREF: ExpHpCompactionRoutine(x)+102j
					; ExpHpCompactionRoutine(x)+147j
		cmp	edi, esi
		jg	short loc_49CCB5
		mov	edx, dword_6F9A80[edi*4]
		movsx	eax, word ptr [edx+112h]
		mov	ecx, [eax+edx+10Ch]
		add	ecx, [eax+edx+108h]
		mov	eax, [eax+edx+104h]
		mov	[ebp+var_1C], ecx
		mov	cl, [edx+107h]
		shr	eax, cl
		cmp	eax, 8
		ja	short loc_49CCAD
		push	8
		pop	eax

loc_49CCAD:				; CODE XREF: ExpHpCompactionRoutine(x)+13Cj
		cmp	[ebp+var_1C], eax
		ja	short loc_49CCF6

loc_49CCB2:				; CODE XREF: ExpHpCompactionRoutine(x)+191j
		inc	edi
		jmp	short loc_49CC73
; 

loc_49CCB5:				; CODE XREF: ExpHpCompactionRoutine(x)+109j
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_49CCC1
		call	_ExpHpCompactSessionPools@0 ; ExpHpCompactSessionPools()

loc_49CCC1:				; CODE XREF: ExpHpCompactionRoutine(x)+14Ej
		pop	edi
		cmp	esi, 1
		pop	esi
		jz	short loc_49CCEA
		mov	_ExpHpGCScheduledPaged,	0

locret_49CCD2:				; CODE XREF: ExpHpCompactionRoutine(x)+188j
		leave
		retn	4
; 

loc_49CCD6:				; CODE XREF: ExpHpCompactionRoutine(x)+C3j
		push	8
		pop	eax
		jmp	loc_49CC35
; 

loc_49CCDE:				; CODE XREF: ExpHpCompactionRoutine(x)+CCj
		mov	ecx, edx
		call	_RtlpHpHeapCompact@8 ; RtlpHpHeapCompact(x,x)
		jmp	loc_49CC3E
; 

loc_49CCEA:				; CODE XREF: ExpHpCompactionRoutine(x)+15Aj
		mov	_ExpHpGCScheduledNonPaged, 0
		jmp	short locret_49CCD2
; 

loc_49CCF6:				; CODE XREF: ExpHpCompactionRoutine(x)+144j
		mov	ecx, edx
		call	_RtlpHpHeapCompact@8 ; RtlpHpHeapCompact(x,x)
		jmp	short loc_49CCB2
_ExpHpCompactionRoutine@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpFreeHeap	proc near		; CODE XREF: ExpHpCompactionRoutine(x)+8Cp
					; RtlpHpMetadataFree(x,x,x)+1Dp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BCC0E SIZE 000000A2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+10h+var_4], edx
		xor	esi, esi
		inc	esi
		mov	eax, [edi+0Ch]
		mov	ecx, [edi+0B0h]
		and	eax, 11000001h
		or	ebx, eax
		test	ecx, ecx
		jz	short loc_49CD3E
		mov	eax, large fs:124h
		cmp	ecx, [eax+2B0h]
		jz	loc_5BCC0E

loc_49CD3E:				; CODE XREF: RtlpHpFreeHeap+2Aj
					; RtlpHpFreeHeap+11FF10j
		xor	esi, esi
		test	ebx, 1000000h
		jnz	short loc_49CD51
		cmp	[edi+10h], esi
		jnz	loc_5BCC15

loc_49CD51:				; CODE XREF: RtlpHpFreeHeap+46j
					; RtlpHpFreeHeap+11FF6Bj
		test	dword ptr [edi+0Ch], 10000000h
		jnz	loc_5BCC70

loc_49CD5E:				; CODE XREF: RtlpHpFreeHeap+11FF7Bj
		mov	edx, [esp+10h+var_4]
		test	dx, dx
		jz	short loc_49CD8B

loc_49CD67:				; CODE XREF: RtlpHpFreeHeap+B7j
		cmp	esi, 2
		jz	loc_5BCC97
		lea	ecx, [esi+2]
		shl	ecx, 7
		push	ebx
		add	ecx, edi
		call	RtlpHpSegFree
		mov	esi, eax

loc_49CD80:				; CODE XREF: RtlpHpFreeHeap+11FF61j
					; RtlpHpFreeHeap+11FF92j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_49CD8B:				; CODE XREF: RtlpHpFreeHeap+65j
		mov	eax, [edi+4]
		mov	ecx, [edi]
		push	eax
		push	ecx
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		push	ecx
		sub	edx, [eax+4]
		lea	ecx, [eax+8]
		shr	edx, 14h
		add	edx, edx
		call	RtlCSparseBitmapBitmaskRead
		test	eax, eax
		jz	loc_5BCC97
		mov	edx, [esp+10h+var_4]
		lea	esi, [eax-1]
		jmp	short loc_49CD67
RtlpHpFreeHeap	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegFree	proc near		; CODE XREF: RtlpHpSegLfhVsFree(x,x,x,x)+12p
					; RtlpHpFreeHeap+79p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BCCB0 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		call	_RtlpHpSegDescriptorValidate@8 ; RtlpHpSegDescriptorValidate(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5BCCB0
		mov	eax, [esi]
		mov	edx, edi
		mov	cl, [esi+4]
		and	eax, edi
		sub	edx, eax
		sar	edx, 4
		shl	edx, cl
		add	edx, eax
		cmp	ebx, edx
		jbe	short loc_49CE2A
		mov	al, [edi+0Ch]
		and	al, 0Ch
		cmp	al, 8
		jz	short loc_49CE3C
		mov	ecx, [esi+18h]
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_0]
		push	ebx
		call	RtlpHpVsContextFree
		mov	edi, eax
		test	edi, edi
		jz	short loc_49CE21
		mov	ecx, [esi+14h]
		mov	edx, [ebp+var_4]
		movzx	eax, word ptr [ecx+20h]
		sub	eax, 8
		cmp	edx, eax
		jbe	short loc_49CE4C

loc_49CE21:				; CODE XREF: RtlpHpSegFree+54j
					; RtlpHpSegFree+80j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_49CE2A:				; CODE XREF: RtlpHpSegFree+35j
		push	[ebp+arg_0]
		mov	edx, edi
		push	ecx
		mov	ecx, esi
		call	RtlpHpSegPageRangeShrink
		xor	edi, edi
		inc	edi
		jmp	short loc_49CE21
; 

loc_49CE3C:				; CODE XREF: RtlpHpSegFree+3Ej
		push	[ebp+arg_0]
		mov	ecx, [esi+14h]
		push	ebx
		call	RtlpHpLfhSubsegmentFreeBlock
		mov	edi, eax
		jmp	short loc_49CE21
; 

loc_49CE4C:				; CODE XREF: RtlpHpSegFree+65j
		push	0
		call	_RtlpHpLfhBucketUpdateStats@12 ; RtlpHpLfhBucketUpdateStats(x,x,x)
		jmp	short loc_49CE21
RtlpHpSegFree	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVsSubsegmentCommitPages proc near	; CODE XREF: RtlpHpVsChunkSplit+7D0p
					; RtlpHpVsChunkDecommit(x,x,x,x,x)+1B9p

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005BCCC6 SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		mov	ebx, ecx
		xor	ecx, ecx
		mov	esi, edx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_8], ecx
		stosd
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_4]
		stosd
		test	edx, edx
		jz	loc_5BCCC6
		bsf	edi, edx

loc_49CE89:				; CODE XREF: RtlpHpVsSubsegmentCommitPages+11FE80j
					; RtlpHpVsSubsegmentCommitPages+11FE88j
		and	[ebp+arg_4], 0
		and	[ebp+arg_4], 0
		test	ecx, ecx
		jnz	loc_5BCCE3
		bsr	eax, edx

loc_49CE9C:				; CODE XREF: RtlpHpVsSubsegmentCommitPages+11FE9Dj
					; RtlpHpVsSubsegmentCommitPages+11FEA5j
		sub	eax, edi
		xor	edx, edx
		lea	ecx, [eax+1]
		mov	eax, edi
		shl	eax, 0Ch
		add	eax, esi
		mov	[ebp+var_4], eax
		mov	eax, ecx
		shl	eax, 0Ch
		mov	[ebp+arg_4], eax
		xor	eax, eax
		inc	eax
		call	__allshl
		add	eax, 0FFFFFFFFh
		mov	ecx, edi
		adc	edx, 0FFFFFFFFh
		call	__allshl
		mov	edi, eax
		mov	[ebp+var_8], edx
		mov	edx, [ebx+4]
		lea	eax, [ebp+var_18]
		push	eax
		lea	ecx, [esi+10h]
		mov	[ebp+var_C], edi
		call	RtlpHpAcquireQueuedLockExclusive
		push	[ebp+arg_4]
		mov	ecx, [ebx+80h]
		push	[ebp+var_4]
		xor	ecx, ebx
		cmp	[ebp+arg_C], 0
		push	ecx
		jnz	loc_5BCD00
		mov	eax, [ebx+90h]
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, ebx
		call	eax
		mov	eax, [ebp+var_8]
		not	edi
		mov	ecx, [ebp+arg_8]
		not	eax
		and	[esi+8], edi
		and	[esi+0Ch], eax
		neg	ecx

loc_49CF1C:				; CODE XREF: RtlpHpVsSubsegmentCommitPages+11FED3j
		lea	eax, [ebx+18h]
		lock xadd [eax], ecx
		xor	edi, edi

loc_49CF25:				; CODE XREF: RtlpHpVsSubsegmentCommitPages+11FEBEj
		mov	ecx, [ebx+4]
		lea	edx, [ebp+var_18]
		call	RtlpHpReleaseQueuedLockExclusive
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
RtlpHpVsSubsegmentCommitPages endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpReleaseQueuedLockExclusive proc near
					; CODE XREF: RtlpHpVsContextMultiAlloc(x,x,x,x,x,x)+65p
					; RtlpHpVsSubsegmentCommitPages+D5p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005A7FF2 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_8], ebx
		push	esi
		mov	esi, [ebx+4]
		mov	[ebp+var_18], esi
		test	ecx, ecx
		jnz	loc_49D0B9
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_49D0FF

loc_49CF6E:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+1C6j
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	esi, 7FFFFFFCh
		jz	loc_49D083
		mov	ebx, large fs:124h
		cmp	esi, dword_6D07D0
		jb	short loc_49CFAA
		mov	eax, esi
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	loc_49D0DC
		cmp	al, 0Bh
		jz	loc_49D0DC

loc_49CFAA:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+4Dj
		or	eax, 0FFFFFFFFh

loc_49CFAD:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+1A7j
		dec	word ptr [ebx+13Eh]
		mov	[ebp+var_C], eax
		nop
		inc	byte ptr [ebx+1E6h]
		nop
		mov	cl, [ebx+1E6h]
		mov	edx, esi
		mov	[ebp+var_1], cl
		mov	ecx, ebx
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jz	loc_49D0EC
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_49D10B

loc_49CFF1:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+1D3j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [ebx+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	[ebp+var_1], 1
		jnz	loc_5A7FDD
		movzx	eax, byte ptr [ebx+1E4h]
		bts	eax, ecx
		mov	[ebx+1E4h], al

loc_49D044:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+1B4j
					; MiDecrementShareCount+10F81Dj
		nop
		dec	byte ptr [ebx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_18], eax
		jnz	loc_49D134

loc_49D05B:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+227j
					; RtlpHpReleaseQueuedLockExclusive+10B0CFj
		nop
		mov	ax, [ebx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ebx+13Eh], ax
		test	ax, ax
		jnz	short loc_49D080
		nop
		add	ebx, 70h
		cmp	[ebx], ebx
		jnz	loc_49D12A

loc_49D080:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+132j
					; RtlpHpReleaseQueuedLockExclusive+1EFj
		mov	ebx, [ebp+var_8]

loc_49D083:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+3Aj
		mov	ecx, large fs:124h
		nop
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		pop	edi
		test	ax, ax
		jnz	short loc_49D0AC
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	short loc_49D118

loc_49D0AC:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+162j
					; RtlpHpReleaseQueuedLockExclusive+19Aj
		pop	esi
		mov	dword ptr [ebx+4], 0
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_49D0B9:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+17j
		test	ds:byte_70EFC6,	1
		mov	al, [ebx+8]
		mov	[ebp+var_1], al
		jnz	loc_5A8014
		mov	dword ptr [esi], 0

loc_49D0D2:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+10B0E1j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_49D0AC
; 

loc_49D0DC:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+5Cj
					; RtlpHpReleaseQueuedLockExclusive+64j
		mov	ecx, [ebx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_49CFAD
; 

loc_49D0EC:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+99j
		mov	eax, [ebx+5Ch]
		test	eax, 10000h
		jnz	loc_49D044
		jmp	loc_5A7FCC
; 

loc_49D0FF:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+28j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_49CF6E
; 

loc_49D10B:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+ABj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_14]
		jmp	loc_49CFF1
; 

loc_49D118:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+16Aj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		pop	esi
		mov	dword ptr [ebx+4], 0
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_49D12A:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+13Aj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_49D080
; 

loc_49D134:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+115j
		test	edi, 8000h
		jnz	short loc_49D172

loc_49D13C:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+23Bj
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5A7FF2

loc_49D146:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+10B0BEj
		test	edi, 7FFFh
		jz	short loc_49D15D
		and	edi, 7FFFh
		mov	ecx, ebx
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_49D15D:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+20Cj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_49D05B
		jmp	loc_5A8003
; 

loc_49D172:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+1FAj
		xor	edx, edx
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_49D13C
RtlpHpReleaseQueuedLockExclusive endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpAcquireQueuedLockExclusive proc near ; CODE XREF:	RtlpHpVsSubsegmentCommitPages+86p
					; RtlpHpVsChunkSplit+8DDp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A8026 SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		test	edx, edx
		jnz	short loc_49D1B3
		xor	eax, eax
		mov	[esi], eax
		mov	[esi+8], eax
		mov	eax, large fs:124h
		mov	[esi+4], edi
		dec	word ptr [eax+13Eh]
		nop
		call	ExAcquirePushLockExclusiveEx

loc_49D1AD:				; CODE XREF: RtlpHpAcquireQueuedLockExclusive+77j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_49D1B3:				; CODE XREF: RtlpHpAcquireQueuedLockExclusive+Ej
		push	ebx
		mov	cl, 2
		mov	[esi+4], edi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		jnz	loc_5A8026
		mov	[ebp+arg_0], 0
		lock bts dword ptr [edi], 1Fh
		jb	short loc_49D1F9

loc_49D1DC:				; CODE XREF: RtlpHpAcquireQueuedLockExclusive+85j
		mov	edx, [edi]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5A8034

loc_49D1F0:				; CODE XREF: RtlpHpAcquireQueuedLockExclusive+10AEAFj
					; RtlpHpAcquireQueuedLockExclusive+10AEE6j
		movzx	eax, bl
		mov	[esi+8], eax
		pop	ebx
		jmp	short loc_49D1AD
; 

loc_49D1F9:				; CODE XREF: RtlpHpAcquireQueuedLockExclusive+5Aj
		mov	dl, bl
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+arg_0], eax
		jmp	short loc_49D1DC
RtlpHpAcquireQueuedLockExclusive endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegLfhVsDecommit(x, x, x)
_RtlpHpSegLfhVsDecommit@12 proc	near	; DATA XREF: RtlpHpHeapCreate+103o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	edx, ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	_RtlpHpSegDescriptorValidate@8 ; RtlpHpSegDescriptorValidate(x,x)
		mov	esi, [edi]
		mov	ecx, eax
		and	esi, ecx
		mov	[ebp+var_4], ecx
		mov	edx, ecx
		mov	cl, [edi+4]
		sub	edx, esi
		sar	edx, 4
		shl	edx, cl
		sub	ebx, edx
		sub	ebx, esi
		shr	ebx, 0Ch
		mov	[ebp+arg_4], ebx
		mov	ebx, [ebp+arg_8]
		shr	ebx, 0Ch
		test	byte ptr [edi+9], 8
		jnz	short loc_49D2A1
		movsx	eax, word ptr [edi+12h]
		mov	cl, [edi+7]
		mov	[ebp+arg_0], eax
		mov	esi, [eax+edi+4]
		mov	edx, esi
		shr	edx, cl
		cmp	edx, 8
		jbe	short loc_49D29C

loc_49D262:				; CODE XREF: RtlpHpSegLfhVsDecommit(x,x,x)+97j
		mov	cl, [edi+8]
		shr	esi, cl
		cmp	esi, 8
		jbe	short loc_49D2B7

loc_49D26C:				; CODE XREF: RtlpHpSegLfhVsDecommit(x,x,x)+B2j
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax+edi+0Ch]
		add	eax, [ecx+edi+8]
		add	eax, ebx
		mov	[ebp+arg_0], eax
		cmp	eax, edx
		ja	short loc_49D28B

loc_49D280:				; CODE XREF: RtlpHpSegLfhVsDecommit(x,x,x)+92j
		cmp	eax, esi
		ja	short loc_49D2A1

loc_49D284:				; CODE XREF: RtlpHpSegLfhVsDecommit(x,x,x)+ADj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_49D28B:				; CODE XREF: RtlpHpSegLfhVsDecommit(x,x,x)+76j
		mov	ecx, [edi+24h]
		call	_RtlpHpScheduleCompaction@4 ; RtlpHpScheduleCompaction(x)
		test	eax, eax
		js	short loc_49D2A1
		mov	eax, [ebp+arg_0]
		jmp	short loc_49D280
; 

loc_49D29C:				; CODE XREF: RtlpHpSegLfhVsDecommit(x,x,x)+58j
		push	8
		pop	edx
		jmp	short loc_49D262
; 

loc_49D2A1:				; CODE XREF: RtlpHpSegLfhVsDecommit(x,x,x)+41j
					; RtlpHpSegLfhVsDecommit(x,x,x)+7Aj ...
		mov	edx, [ebp+var_4]
		neg	ebx
		push	0
		push	0
		push	ebx
		push	[ebp+arg_4]
		mov	ecx, edi
		call	RtlpHpSegPageRangeCommit
		jmp	short loc_49D284
; 

loc_49D2B7:				; CODE XREF: RtlpHpSegLfhVsDecommit(x,x,x)+62j
		push	8
		pop	esi
		jmp	short loc_49D26C
_RtlpHpSegLfhVsDecommit@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegLfhVsCommit(x, x, x)
_RtlpHpSegLfhVsCommit@12 proc near	; DATA XREF: RtlpHpHeapCreate+FBo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	edx, ebx
		push	esi
		push	edi
		call	_RtlpHpSegDescriptorValidate@8 ; RtlpHpSegDescriptorValidate(x,x)
		mov	edi, eax
		mov	eax, [ebp+arg_0]
		mov	edx, edi
		push	0
		push	0
		mov	esi, [eax]
		mov	cl, [eax+4]
		and	esi, edi
		mov	eax, [ebp+arg_8]
		sub	edx, esi
		sar	edx, 4
		shl	edx, cl
		mov	ecx, [ebp+arg_0]
		sub	ebx, edx
		shr	eax, 0Ch
		sub	ebx, esi
		push	eax
		shr	ebx, 0Ch
		mov	edx, edi
		push	ebx
		call	RtlpHpSegPageRangeCommit
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_RtlpHpSegLfhVsCommit@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall RtlpHpSegDescriptorValidate(x, x)
_RtlpHpSegDescriptorValidate@8 proc near ; CODE	XREF: RtlpHpSegFree+12p
					; RtlpHpSegLfhVsDecommit(x,x,x)+13p ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		push	edi
		mov	edi, edx
		and	esi, edi
		mov	eax, [esi+8]
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, esi
		xor	eax, ecx
		cmp	eax, 0A2E64EADh
		jnz	short loc_49D36D
		movzx	ecx, byte ptr [ecx+4]
		mov	eax, edi
		sub	eax, esi
		shr	eax, cl
		shl	eax, 4
		add	eax, esi
		jz	short loc_49D36D
		mov	dl, [eax+0Ch]
		test	dl, 1
		jz	short loc_49D36D
		test	dl, 2
		jnz	short loc_49D371
		movzx	ecx, byte ptr [eax+0Fh]
		shl	ecx, 4
		sub	eax, ecx
		mov	dl, [eax+0Ch]
		mov	cl, dl
		and	cl, 3
		cmp	cl, 3
		jnz	short loc_49D36D
		and	dl, 0Ch
		cmp	dl, 8
		jb	short loc_49D36D

loc_49D36A:				; CODE XREF: RtlpHpSegDescriptorValidate(x,x)+5Fj
					; RtlpHpSegDescriptorValidate(x,x)+67j	...
		pop	edi
		pop	esi
		retn
; 

loc_49D36D:				; CODE XREF: RtlpHpSegDescriptorValidate(x,x)+1Cj
					; RtlpHpSegDescriptorValidate(x,x)+2Dj	...
		xor	eax, eax
		jmp	short loc_49D36A
; 

loc_49D371:				; CODE XREF: RtlpHpSegDescriptorValidate(x,x)+3Aj
		and	dl, 0Ch
		cmp	dl, 8
		jnb	short loc_49D36A
		mov	edx, 1
		shl	edx, cl
		dec	edx
		test	edx, edi
		jz	short loc_49D36A
		xor	eax, eax
		jmp	short loc_49D36A
_RtlpHpSegDescriptorValidate@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpLfhContextCompact	proc near	; CODE XREF: RtlpHpHeapCompact(x,x)+53p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005BCD2E SIZE 00000009 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_C], edx
		push	esi
		and	ebx, 1
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], ebx
		jnz	loc_5BCD2E
		movzx	edx, byte ptr [edi+1Dh]
		lea	ecx, [edi+44h]
		call	_RtlpHpAcquireLockShared@8 ; RtlpHpAcquireLockShared(x,x)
		mov	[ebp+var_1], al

loc_49D3B7:				; CODE XREF: RtlpHpLfhContextCompact+11F9A8j
		mov	ebx, [ebp+var_C]
		lea	esi, [edi+80h]
		mov	ecx, 81h
		mov	[ebp+var_8], ecx

loc_49D3C8:				; CODE XREF: RtlpHpLfhContextCompact+4Dj
		mov	eax, [esi]
		test	al, 1
		jz	short loc_49D40E

loc_49D3CE:				; CODE XREF: RtlpHpLfhContextCompact+96j
		add	esi, 4
		sub	ecx, 1
		mov	[ebp+var_8], ecx
		jnz	short loc_49D3C8
		cmp	[ebp+var_10], 0
		jnz	short loc_49D409
		cmp	byte ptr [edi+1Dh], 0
		lea	esi, [edi+44h]
		jnz	short loc_49D422
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_49D433

loc_49D3F6:				; CODE XREF: RtlpHpLfhContextCompact+B0j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_49D409:				; CODE XREF: RtlpHpLfhContextCompact+53j
					; RtlpHpLfhContextCompact+A7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_49D40E:				; CODE XREF: RtlpHpLfhContextCompact+42j
		mov	edx, [esi]
		mov	eax, ebx
		or	eax, 1
		mov	ecx, edi
		push	eax
		call	_RtlpHpLfhOwnerCompact@12 ; RtlpHpLfhOwnerCompact(x,x,x)
		mov	ecx, [ebp+var_8]
		jmp	short loc_49D3CE
; 

loc_49D422:				; CODE XREF: RtlpHpLfhContextCompact+5Cj
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_49D409
; 

loc_49D433:				; CODE XREF: RtlpHpLfhContextCompact+6Aj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_49D3F6
RtlpHpLfhContextCompact	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhOwnerCompact(x, x,	x)
_RtlpHpLfhOwnerCompact@12 proc near	; CODE XREF: RtlpHpLfhContextCompact+8Ep
					; RtlpHpLfhOwnerCompact(x,x,x)+2Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		test	byte ptr [esi],	1
		jz	short loc_49D473
		movzx	eax, byte ptr [esi+2]
		xor	edi, edi
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_49D473

loc_49D45D:				; CODE XREF: RtlpHpLfhOwnerCompact(x,x,x)+35j
		mov	edx, [esi+34h]
		mov	ecx, ebx
		push	[ebp+arg_0]
		mov	edx, [edx+edi*4]
		call	_RtlpHpLfhOwnerCompact@12 ; RtlpHpLfhOwnerCompact(x,x,x)
		inc	edi
		cmp	edi, [ebp+var_8]
		jb	short loc_49D45D

loc_49D473:				; CODE XREF: RtlpHpLfhOwnerCompact(x,x,x)+12j
					; RtlpHpLfhOwnerCompact(x,x,x)+1Fj
		lea	edi, [esi+0Ch]
		cmp	[edi], edi
		jz	short loc_49D4C6

loc_49D47A:				; CODE XREF: RtlpHpLfhOwnerCompact(x,x,x)+8Fj
		movzx	edx, byte ptr [ebx+1Dh]
		add	esi, 8
		mov	ecx, esi
		mov	[ebp+var_C], esi
		call	_RtlpHpAcquireLockShared@8 ; RtlpHpAcquireLockShared(x,x)
		mov	ecx, [edi]
		mov	[ebp+var_1], al
		cmp	ecx, edi
		jz	short loc_49D4AF
		mov	esi, ecx

loc_49D496:				; CODE XREF: RtlpHpLfhOwnerCompact(x,x,x)+6Ej
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		push	1
		push	0FFFFFFFFh
		call	RtlpHpLfhSubsegmentDecommitPages
		mov	esi, [esi]
		cmp	esi, edi
		jnz	short loc_49D496
		mov	esi, [ebp+var_C]

loc_49D4AF:				; CODE XREF: RtlpHpLfhOwnerCompact(x,x,x)+56j
		cmp	byte ptr [ebx+1Dh], 0
		jz	short loc_49D4D4
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_49D4CD
; 

loc_49D4C6:				; CODE XREF: RtlpHpLfhOwnerCompact(x,x,x)+3Cj
		lea	eax, [esi+14h]
		cmp	[eax], eax
		jnz	short loc_49D47A

loc_49D4CD:				; CODE XREF: RtlpHpLfhOwnerCompact(x,x,x)+88j
					; RtlpHpLfhOwnerCompact(x,x,x)+C0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_49D4D4:				; CODE XREF: RtlpHpLfhOwnerCompact(x,x,x)+77j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_49D4E9
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_49D4E9:				; CODE XREF: RtlpHpLfhOwnerCompact(x,x,x)+A4j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_49D4CD
_RtlpHpLfhOwnerCompact@12 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpHpAcquireLockShared(x, x)
_RtlpHpAcquireLockShared@8 proc	near	; CODE XREF: RtlpHpLfhSubsegmentCreate+D0p
					; RtlpHpLfhContextCompact+25p ...
		test	edx, edx
		jnz	short loc_49D518
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		call	ExAcquirePushLockSharedEx
		or	al, 0FFh
		retn
; 

loc_49D518:				; CODE XREF: RtlpHpAcquireLockShared(x,x)+2j
		push	ecx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		retn
_RtlpHpAcquireLockShared@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


RtlpHpLfhSubsegmentFreeBlock proc near	; CODE XREF: RtlpHpSegFree+89p
					; ExFreeHeapPool+346p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BCD37 SIZE 00000297 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 58h
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp-0Ch], ecx
		mov	ecx, [ebx+8]
		mov	esi, edi
		shr	esi, 0Ch
		xor	edx, edx
		mov	[ebp-10h], edi
		xor	esi, [edi+18h]
		xor	esi, dword_6BEC64
		mov	eax, esi
		mov	[ebp-8], edx
		shr	eax, 10h
		mov	byte ptr [ebp-1], 0FFh
		mov	[ebp-54h], esi
		mov	[ebp-3Ch], eax
		test	ecx, ecx
		jz	loc_49D6C4
		movzx	eax, si
		mov	[ebp-38h], eax
		add	eax, 7
		shr	eax, 3
		mov	[ebp-58h], edx
		mov	edx, [ebp-0Ch]
		movzx	eax, ds:_RtlpLfhBucketIndexMap[eax]
		mov	eax, [edx+eax*4+80h]
		mov	edx, ecx
		sub	edx, [ebp-3Ch]
		sub	edx, edi
		mov	[ebp-3Ch], edx
		mov	ecx, [eax+24h]
		movzx	eax, byte ptr [eax+28h]
		mov	[ebp-30h], eax
		mov	eax, edx
		test	ecx, ecx
		jz	loc_49D74C
		mul	ecx
		mov	ecx, [ebp-30h]
		call	__aullshr
		mov	edx, [ebp-3Ch]
		mov	ecx, eax
		mov	eax, [ebp-38h]
		imul	eax, ecx
		mov	[ebp-18h], ecx
		sub	edx, eax

loc_49D5CA:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+241j
		test	edx, edx
		jnz	loc_5BCD51
		movzx	edx, word ptr [edi+14h]
		movzx	eax, cx
		cmp	dx, ax
		jb	loc_49D766

loc_49D5E2:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+248j
		mov	[edi+14h], ax
		add	ecx, ecx
		mov	eax, ecx
		add	edi, 20h
		shr	eax, 5
		and	ecx, 1Fh
		mov	[ebp-34h], ecx
		lea	eax, [edi+eax*4]
		mov	[ebp-38h], eax
		mov	eax, 3
		mov	edi, [ebp-38h]
		shl	eax, cl
		not	eax
		mov	[ebp-3Ch], eax
		mov	ecx, eax
		mov	eax, [edi]

loc_49D60F:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+F7j
		mov	edx, eax
		and	edx, ecx
		lock cmpxchg [edi], edx
		jnz	short loc_49D60F
		mov	ecx, [ebp-34h]
		mov	edi, [ebp-10h]
		shr	eax, cl
		test	al, 1
		jz	loc_5BCD37
		cmp	byte ptr [edi+1Dh], 1
		jbe	loc_49D6C2
		mov	eax, [ebx+8]
		movzx	ecx, byte ptr [edi+1Ch]
		sub	eax, edi
		mov	[ebx+8], eax
		mov	edx, eax
		movzx	eax, word ptr [edi+1Eh]
		add	eax, edi
		shr	edx, cl
		mov	dword ptr [ebp-14h], 0
		lea	eax, [eax+edx*2]
		mov	[ebp-3Ch], eax
		lea	edi, [edx+edx]
		movzx	eax, si
		mov	esi, [ebx+8]
		dec	esi
		mov	[ebp-38h], edi
		mov	edi, [ebp-10h]
		add	eax, esi
		shr	eax, cl
		or	esi, 0FFFFFFFFh
		mov	ecx, [ebp-3Ch]
		sub	eax, edx
		lea	edx, [ecx+2]
		lea	edx, [edx+eax*2]
		cmp	ecx, edx
		jnb	short loc_49D6C2
		mov	edi, [ebp-38h]
		nop

loc_49D680:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+18Cj
		or	ax, 0FFFFh
		lock xadd [ecx], ax
		dec	ax
		movzx	eax, ax
		test	ax, ax
		jz	loc_49D96D
		cmp	ax, 0FFFFh
		mov	eax, [ebp-14h]
		jz	loc_5BCD58

loc_49D6A4:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+457j
					; RtlpHpLfhSubsegmentFreeBlock+461j ...
		add	ecx, 2
		add	edi, 2
		cmp	ecx, edx
		jb	short loc_49D680
		mov	edi, [ebp-10h]
		test	eax, eax
		jnz	loc_49D93A

loc_49D6B9:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+421j
					; RtlpHpLfhSubsegmentFreeBlock+448j
		cmp	esi, 0FFFFFFFFh
		jnz	loc_49D925

loc_49D6C2:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+10Dj
					; RtlpHpLfhSubsegmentFreeBlock+15Aj ...
		xor	edx, edx

loc_49D6C4:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+4Cj
		movzx	ecx, word ptr [edi+12h]
		mov	[ebp-3Ch], ecx
		nop
		lea	eax, [edi+10h]
		mov	ax, [eax]
		movzx	esi, ax
		mov	[ebp-38h], esi

loc_49D6D8:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+601j
		test	edx, edx
		jnz	short loc_49D6F1
		test	si, si
		jz	loc_49D76D
		dec	ecx
		movzx	eax, si
		cmp	eax, ecx
		jz	loc_49D76D

loc_49D6F1:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+1BAj
					; RtlpHpLfhSubsegmentFreeBlock+2A3j
		lea	ecx, [esi+1]
		mov	ax, si
		movzx	edx, cx
		lea	esi, [edi+10h]
		mov	cx, dx
		lock cmpxchg [esi], cx
		movzx	esi, ax
		mov	eax, edx
		movzx	ecx, si
		inc	ecx
		mov	[ebp-38h], esi
		cmp	eax, ecx
		jnz	loc_49DB1B
		test	si, si
		jz	loc_49D7C8
		mov	ecx, [ebp-3Ch]
		dec	ecx
		movzx	eax, si
		cmp	eax, ecx
		jz	loc_49DB8D

loc_49D731:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+297j
					; RtlpHpLfhSubsegmentFreeBlock+37Ej ...
		mov	ecx, [ebp-8]
		mov	eax, 1
		test	ecx, ecx
		jnz	loc_49DB65

loc_49D741:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+668j
					; RtlpHpLfhSubsegmentFreeBlock+6E4j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_49D74C:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+8Aj
		mov	ecx, [ebp-30h]
		shr	eax, cl
		mov	[ebp-18h], eax
		mov	eax, 1
		shl	eax, cl
		mov	ecx, [ebp-18h]
		dec	eax
		and	edx, eax
		jmp	loc_49D5CA
; 

loc_49D766:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+BCj
		mov	eax, edx
		jmp	loc_49D5E2
; 

loc_49D76D:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+1BFj
					; RtlpHpLfhSubsegmentFreeBlock+1CBj
		mov	eax, [ebp-0Ch]
		lea	esi, [edi+8]
		mov	edi, [esi]
		mov	[ebp-50h], esi
		movzx	ecx, byte ptr [eax+1Dh]
		mov	[ebp-18h], ecx
		nop

loc_49D780:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+8ABj
					; RtlpHpLfhSubsegmentFreeBlock+11FA38j	...
		test	edi, edi
		jz	loc_49DD96
		mov	eax, edi
		and	eax, 1
		jnz	loc_5BCF76
		lea	eax, [edi+8]
		mov	[ebp-8], edi
		mov	edx, ecx
		mov	[ebp-14h], eax
		mov	ecx, eax
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	edi, [esi]
		mov	[ebp-1], al
		mov	eax, [ebp-8]
		cmp	eax, edi
		jnz	loc_5BCD61

loc_49D7B5:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11FA79j
		test	eax, eax
		jz	loc_49D731
		mov	edi, [ebp-10h]
		mov	esi, [ebp-38h]
		jmp	loc_49D6F1
; 

loc_49D7C8:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+1FCj
		xor	ecx, ecx

loc_49D7CA:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+672j
		movzx	eax, byte ptr [edi+16h]
		mov	[ebp-3Ch], ecx
		cmp	eax, 1
		jnz	loc_49DB97
		mov	eax, [ebp-8]
		mov	dword ptr [ebp-30h], 0
		lea	edx, [eax+14h]

loc_49D7E7:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+68Cj
					; RtlpHpLfhSubsegmentFreeBlock+11FA91j
		test	ecx, ecx
		jnz	loc_49DBB1
		lea	ecx, [eax+0Ch]
		lea	esi, [eax+4]

loc_49D7F5:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+6A5j
					; RtlpHpLfhSubsegmentFreeBlock+11FA9Bj
		test	edx, edx
		jz	short loc_49D825
		mov	edx, [edi]
		cmp	[edx+4], edi
		jnz	loc_5BCFC0
		mov	eax, [edi+4]
		mov	[ebp-50h], eax
		cmp	[eax], edi
		jnz	loc_5BCFC0
		mov	[eax], edx
		mov	[edx+4], eax
		mov	edx, [ebp-30h]
		mov	eax, [ebp-8]
		test	edx, edx
		jnz	loc_49DBCA

loc_49D825:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+2D7j
					; RtlpHpLfhSubsegmentFreeBlock+6ACj
		mov	edx, [ebp-3Ch]
		mov	[edi+16h], dl
		test	ecx, ecx
		jz	short loc_49D84F
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_5BCFC0
		mov	[edi], ecx
		mov	[edi+4], edx
		mov	[edx], edi
		mov	[ecx+4], edi
		test	esi, esi
		jz	short loc_49D84A
		inc	dword ptr [esi]

loc_49D84A:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+326j
		xor	edi, edi
		mov	[ebp-10h], edi

loc_49D84F:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+30Dj
		test	byte ptr [eax],	1
		jnz	short loc_49D85E
		cmp	dword ptr [eax+4], 8
		ja	loc_49DB3C

loc_49D85E:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+332j
					; RtlpHpLfhSubsegmentFreeBlock+640j
		test	edi, edi
		jnz	loc_49DB26

loc_49D866:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+60Aj
					; RtlpHpLfhSubsegmentFreeBlock+617j ...
		mov	esi, [ebp-0Ch]
		lea	ecx, [eax+8]
		mov	[ebp-18h], ecx
		cmp	byte ptr [esi+1Dh], 0
		jz	short loc_49D8CC
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_49D895
; 

loc_49D886:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+3CCj
					; RtlpHpLfhSubsegmentFreeBlock+597j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp-10h]

loc_49D895:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+364j
		mov	dword ptr [ebp-8], 0
		test	edi, edi
		jz	loc_49D731
		movzx	eax, word ptr [ebp-54h]
		mov	ecx, esi
		push	dword ptr [ebx+0Ch]
		add	eax, 7
		shr	eax, 3
		push	edi
		movzx	edx, ds:_RtlpLfhBucketIndexMap[eax]
		mov	edx, [esi+edx*4+80h]
		call	RtlpHpLfhBucketAddSubsegment
		jmp	loc_49D731
; 

loc_49D8CC:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+353j
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_49D8E1
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-18h]

loc_49D8E1:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+3B7j
		xor	edi, edi
		mov	[ebp-38h], edi
		test	ecx, 7FFFFFFCh
		jz	short loc_49D886
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	esi, dword_6D07D0
		shr	edx, 15h
		cmp	ecx, esi
		mov	[ebp-50h], esi
		mov	esi, [ebp-0Ch]
		mov	[ebp-8], eax
		jnb	short loc_49D986

loc_49D90C:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+46Dj
		cmp	ecx, [ebp-50h]
		jb	short loc_49D91A
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jz	short loc_49D993

loc_49D91A:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+3EFj
		or	edx, 0FFFFFFFFh
		mov	[ebp-3Ch], edx
		jmp	loc_49D9A6
; 

loc_49D925:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+19Cj
		push	dword ptr [ebx+0Ch]
		mov	ecx, [ebp-0Ch]
		mov	edx, edi
		push	2
		push	esi
		call	RtlpHpLfhSubsegmentDecommitPages
		jmp	loc_49D6C2
; 

loc_49D93A:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+193j
		test	byte ptr _RtlpHpLfhPerfFlags, 20h
		jz	loc_49D6B9
		mov	cl, [edi+1Ch]
		shl	eax, cl
		cdq
		and	edx, 0FFFh
		add	eax, edx
		mov	edx, [ebp-0Ch]
		sar	eax, 0Ch
		movsx	ecx, word ptr [edx+1Eh]
		add	ecx, 0Ch
		add	ecx, edx
		lock xadd [ecx], eax
		jmp	loc_49D6B9
; 

loc_49D96D:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+171j
		mov	eax, [ebp-14h]
		inc	eax
		mov	[ebp-14h], eax
		cmp	esi, 0FFFFFFFFh
		jnz	loc_49D6A4
		mov	esi, edi
		sar	esi, 1
		jmp	loc_49D6A4
; 

loc_49D986:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+3EAj
		cmp	byte ptr dword_6D3994[edx], 1
		jnz	loc_49D90C

loc_49D993:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+3F8j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp-3Ch], eax
		mov	eax, [ebp-8]

loc_49D9A6:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+400j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	[ebp-2], cl
		mov	ecx, eax
		push	edx
		mov	edx, [ebp-18h]
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[ebp-50h], edx
		test	edx, edx
		jnz	short loc_49D9F5
		mov	ecx, [ebp-8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_49DA69
		push	edx
		push	dword ptr [ebp-3Ch]
		push	dword ptr [ebp-18h]
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_49D9F5:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+4B0j
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jge	short loc_49DA0D
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp-50h]

loc_49DA0D:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+4E1j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-38h], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [ebp-8]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	byte ptr [ebp-2], 1
		mov	[ebp-3Ch], eax
		jnz	loc_49DAD3
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [ebp-3Ch]
		bts	eax, edx
		mov	[ecx+1E4h], al

loc_49DA69:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+4BDj
					; RtlpHpLfhSubsegmentFreeBlock+5C9j
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-50h], eax
		jz	short loc_49DAAE
		test	edi, 8000h
		jz	short loc_49DA8E
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp-8]

loc_49DA8E:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+562j
		test	byte ptr [ebp-36h], 1
		jz	short loc_49DA9E
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_49DA9E:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+572j
		test	edi, 7FFFh
		jnz	short loc_49DAEE
		mov	edi, [ebp-8]
		jmp	short loc_49DB00
; 

loc_49DAAB:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+5EAj
					; RtlpHpLfhSubsegmentFreeBlock+5F9j
		mov	ecx, [ebp-8]

loc_49DAAE:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+55Aj
		nop
		add	word ptr [ecx+13Eh], 1
		jnz	loc_49D886
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	loc_49D886
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_49D886
; 

loc_49DAD3:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+530j
		mov	ecx, [ebp-3Ch]
		mov	al, 1
		shl	al, cl
		mov	ecx, [ebp-8]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp-0Ch]
		jmp	loc_49DA69
; 

loc_49DAEE:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+584j
		and	edi, 7FFFh
		mov	edx, edi
		mov	edi, [ebp-8]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_49DB00:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+589j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_49DAAB
		push	dword ptr [ebp-50h]
		mov	edx, [ebp-18h]
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_49DAAB
; 

loc_49DB1B:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+1F3j
		mov	ecx, [ebp-3Ch]
		mov	edx, [ebp-8]
		jmp	loc_49D6D8
; 

loc_49DB26:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+340j
		cmp	byte ptr [edi+16h], 2
		jnz	loc_49D866
		mov	dword ptr [edi+8], 0
		jmp	loc_49D866
; 

loc_49DB3C:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+338j
		mov	edi, [ecx]
		mov	[ebp-10h], edi
		cmp	[edi+4], ecx
		jnz	loc_5BCFC0
		mov	edx, [edi]
		cmp	[edx+4], edi
		jnz	loc_5BCFC0
		mov	[ecx], edx
		mov	[edx+4], ecx
		dec	dword ptr [esi]
		mov	byte ptr [edi+16h], 2
		jmp	loc_49D85E
; 

loc_49DB65:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+21Bj
		mov	eax, [ebp-0Ch]
		add	ecx, 8
		mov	[ebp-18h], ecx
		cmp	byte ptr [eax+1Dh], 0
		jz	short loc_49DBD1
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, 1
		jmp	loc_49D741
; 

loc_49DB8D:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+20Bj
		mov	ecx, 2
		jmp	loc_49D7CA
; 

loc_49DB97:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+2B4j
		sub	eax, 0
		jnz	loc_5BCF9E
		mov	eax, [ebp-8]
		lea	esi, [eax+4]
		lea	edx, [eax+0Ch]
		mov	[ebp-30h], esi
		jmp	loc_49D7E7
; 

loc_49DBB1:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+2C9j
		sub	ecx, 1
		jz	loc_5BCFB6
		sub	ecx, 1
		jnz	loc_49D866
		xor	esi, esi
		jmp	loc_49D7F5
; 

loc_49DBCA:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+2FFj
		dec	dword ptr [edx]
		jmp	loc_49D825
; 

loc_49DBD1:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+652j
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_49DBE6
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-18h]

loc_49DBE6:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+6BCj
		xor	edi, edi
		mov	[ebp-38h], edi
		test	ecx, 7FFFFFFCh
		jnz	short loc_49DC09

loc_49DBF3:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+7F0j
					; RtlpHpLfhSubsegmentFreeBlock+7FCj ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, 1
		jmp	loc_49D741
; 

loc_49DC09:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+6D1j
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp-40h], esi
		cmp	ecx, edx
		jb	loc_49DDC0
		cmp	byte ptr dword_6D3994[eax], 1
		jnz	loc_49DDAF

loc_49DC33:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+89Aj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp-18h]

loc_49DC41:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+8A3j
		dec	word ptr [esi+13Eh]
		mov	[ebp-3Ch], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp-2], dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp-50h], ecx
		test	ecx, ecx
		jnz	short loc_49DC8B
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_49DCF4
		push	ecx
		push	dword ptr [ebp-3Ch]
		push	dword ptr [ebp-18h]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_49DC8B:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+74Dj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_49DCA1
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp-50h]

loc_49DCA1:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+777j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-38h], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp-2], 1
		jnz	loc_49DD81
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_49DCF4:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+757j
					; RtlpHpLfhSubsegmentFreeBlock+871j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-54h], eax
		jnz	short loc_49DD2C

loc_49DD07:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+850j
					; RtlpHpLfhSubsegmentFreeBlock+85Fj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	loc_49DBF3
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	loc_49DBF3
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_49DBF3
; 

loc_49DD2C:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+7E5j
		test	edi, 8000h
		jz	short loc_49DD3D
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_49DD3D:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+812j
		test	byte ptr [ebp-36h], 1
		jz	short loc_49DD4F
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_49DD4F:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+821j
		test	edi, 7FFFh
		jz	short loc_49DD66
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_49DD66:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+835j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_49DD07
		push	dword ptr [ebp-54h]
		mov	edx, [ebp-18h]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_49DD07
; 

loc_49DD81:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+7BEj
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp-40h]
		jmp	loc_49DCF4
; 

loc_49DD96:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+262j
		mov	ecx, 3
		xor	eax, eax
		lock cmpxchg [esi], ecx
		mov	edi, eax
		test	edi, edi
		jnz	short loc_49DDC8
		mov	[ebp-8], eax
		jmp	loc_49D731
; 

loc_49DDAF:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+70Dj
		cmp	ecx, edx
		jb	short loc_49DDC0
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_49DC33

loc_49DDC0:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+700j
					; RtlpHpLfhSubsegmentFreeBlock+891j
		or	eax, 0FFFFFFFFh
		jmp	loc_49DC41
; 

loc_49DDC8:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+885j
		mov	ecx, [ebp-18h]
		jmp	loc_49D780
RtlpHpLfhSubsegmentFreeBlock endp


;  S U B	R O U T	I N E 


RtlpHpLfhSubsegmentDecommitPages proc near ; CODE XREF:	RtlpHpLfhOwnerCompact(x,x,x)+65p
					; RtlpHpLfhSubsegmentFreeBlock+410p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BCFCE SIZE 0000003D BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		push	esi
		mov	esi, [ebx+8]
		mov	eax, ecx
		mov	[ebp-8], edx
		mov	[ebp-0Ch], eax
		mov	dword ptr [ebp-14h], 0
		mov	byte ptr [ebp-2], 0FFh
		mov	byte ptr [ebp-1], 0FFh
		mov	dword ptr [ebp-1Ch], 0
		push	edi
		test	esi, esi
		jns	loc_49DF1B
		mov	edi, 1
		mov	esi, edi

loc_49DE1D:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+14Dj
		test	byte ptr _RtlpHpLfhPerfFlags, 20h
		mov	[ebp-18h], edi
		jz	short loc_49DE31
		test	edi, edi
		jz	loc_49DEB5

loc_49DE31:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+57j
					; RtlpHpLfhSubsegmentDecommitPages+EBj	...
		mov	ecx, [ebp-8]
		movzx	eax, byte ptr [ecx+1Dh]
		cmp	esi, eax
		jnb	loc_49DF10

loc_49DE40:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+1CDj
		lea	eax, [ebp-14h]
		mov	edx, esi
		push	eax
		call	_RtlpHpLfhSubsegmentFindEmptyUnits@12 ;	RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)
		mov	esi, eax
		cmp	esi, 0FFFFFFFFh
		jnz	loc_49DF3A

loc_49DE56:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+1BBj
					; RtlpHpLfhSubsegmentDecommitPages+3C4j
		mov	ecx, [ebp-8]

loc_49DE59:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+1D3j
		mov	eax, [ebp-1Ch]
		test	eax, eax
		jz	loc_49DF10
		mov	esi, [ebp-0Ch]
		add	ecx, 0Ch
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[ebp-10h], ecx
		mov	dl, [esi+1Dh]
		cmp	eax, 2
		jnz	loc_5BCFCE
		test	dl, dl
		jz	loc_49DFD0
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_49DE8D:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+11F236j
		mov	cl, [ebp-1]
		call	edi

loc_49DE92:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+234j
					; RtlpHpLfhSubsegmentDecommitPages+11F22Bj
		test	byte ptr [ebx+10h], 1
		jnz	short loc_49DF10
		cmp	byte ptr [esi+1Dh], 0
		lea	ecx, [esi+44h]
		mov	[ebp-30h], ecx
		jz	loc_49E20B
		push	ecx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp-2]
		call	edi
		jmp	short loc_49DF10
; 

loc_49DEB5:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+5Bj
		mov	edx, [eax]
		test	byte ptr [edx+9], 8
		jnz	loc_49DE31
		movsx	eax, word ptr [edx+12h]
		mov	cl, [edx+7]
		add	eax, edx
		mov	[ebp-20h], eax
		mov	eax, [eax+4]
		mov	[ebp-10h], eax
		shr	dword ptr [ebp-10h], cl
		cmp	dword ptr [ebp-10h], 8
		jbe	loc_49E009

loc_49DEE0:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+240j
		mov	cl, [edx+8]
		shr	eax, cl
		mov	[ebp-30h], eax
		cmp	eax, 8
		jbe	loc_49E1FE

loc_49DEF1:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+436j
		mov	ecx, [ebp-20h]
		mov	edi, [ebp-20h]
		mov	ecx, [ecx+0Ch]
		add	ecx, [edi+8]
		mov	edi, [ebp-18h]
		mov	[ebp-20h], ecx
		cmp	ecx, [ebp-10h]
		ja	short loc_49DF22

loc_49DF08:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+168j
		cmp	ecx, eax
		ja	loc_49DE31

loc_49DF10:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+6Aj
					; RtlpHpLfhSubsegmentDecommitPages+8Ej	...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
; 

loc_49DF1B:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+40j
		xor	edi, edi
		jmp	loc_49DE1D
; 

loc_49DF22:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+136j
		mov	ecx, [edx+24h]
		call	_RtlpHpScheduleCompaction@4 ; RtlpHpScheduleCompaction(x)
		test	eax, eax
		js	loc_49DE31
		mov	eax, [ebp-30h]
		mov	ecx, [ebp-20h]
		jmp	short loc_49DF08
; 

loc_49DF3A:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+80j
		mov	eax, [ebp-14h]
		cmp	eax, [ebx+0Ch]
		jb	loc_49E192
		cmp	dword ptr [ebp-1Ch], 0
		jz	short loc_49DFA8
		mov	edx, [ebp-8]
		mov	eax, esi
		mov	edi, [ebp-14h]
		movzx	ecx, byte ptr [edx+1Ch]
		shl	eax, cl
		mov	[ebp-30h], eax
		add	eax, edx
		shl	edi, cl
		mov	ecx, [ebp-0Ch]
		push	edi
		push	eax
		mov	eax, [ecx]
		push	eax
		mov	eax, [ecx+10h]
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, ecx
		call	eax
		mov	edx, [ebp-8]
		push	ecx
		mov	ecx, [ebp-0Ch]
		push	edi
		push	dword ptr [ebp-30h]
		call	RtlpHpLfhSubsegmentDecBlockCounts
		mov	edi, [ebp-18h]
		test	edi, edi
		jz	loc_49DE56
		add	esi, [ebp-14h]

loc_49DF94:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+1FEj
					; RtlpHpLfhSubsegmentFreeBlock+11FAA9j
		mov	ecx, [ebp-8]
		movzx	eax, byte ptr [ecx+1Dh]
		cmp	esi, eax
		jb	loc_49DE40
		jmp	loc_49DE59
; 

loc_49DFA8:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+17Aj
		test	byte ptr [ebx+10h], 1
		jz	loc_49E1E7

loc_49DFB2:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+429j
		mov	eax, [ebp-0Ch]
		mov	ecx, [ebp-8]
		add	ecx, 0Ch
		mov	dword ptr [ebp-1Ch], 2
		movzx	edx, byte ptr [eax+1Dh]
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	[ebp-1], al
		jmp	short loc_49DF94
; 

loc_49DFD0:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+B1j
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_49DFE5
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-10h]

loc_49DFE5:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+20Bj
		xor	edi, edi
		mov	[ebp-20h], edi
		test	ecx, 7FFFFFFCh
		jnz	short loc_49E015

loc_49DFF2:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+3A6j
					; RtlpHpLfhSubsegmentDecommitPages+3B2j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		jmp	loc_49DE92
; 

loc_49E009:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+10Aj
		mov	dword ptr [ebp-10h], 8
		jmp	loc_49DEE0
; 

loc_49E015:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+220j
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	esi, dword_6D07D0
		shr	edx, 15h
		cmp	ecx, esi
		mov	[ebp-30h], esi
		mov	esi, [ebp-0Ch]
		mov	[ebp-8], eax
		jb	short loc_49E09E
		cmp	byte ptr dword_6D3994[edx], 1
		jnz	short loc_49E09E

loc_49E03C:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+2DAj
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp-30h], eax
		mov	eax, [ebp-8]

loc_49E04F:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+2E2j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	[ebp-1], cl
		mov	ecx, eax
		push	edx
		mov	edx, [ebp-10h]
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[ebp-1Ch], edx
		test	edx, edx
		jnz	short loc_49E0B4
		mov	ecx, [ebp-8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_49E128
		push	edx
		push	dword ptr [ebp-30h]
		push	dword ptr [ebp-10h]
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_49E09E:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+261j
					; RtlpHpLfhSubsegmentDecommitPages+26Aj
		cmp	ecx, [ebp-30h]
		jb	short loc_49E0AC
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jz	short loc_49E03C

loc_49E0AC:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+2D1j
		or	edx, 0FFFFFFFFh
		mov	[ebp-30h], edx
		jmp	short loc_49E04F
; 

loc_49E0B4:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+2A9j
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jge	short loc_49E0CC
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp-1Ch]

loc_49E0CC:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+2F0j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-20h], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [ebp-8]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	byte ptr [ebp-1], 1
		mov	[ebp-30h], eax
		jnz	loc_49E19F
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [ebp-30h]
		bts	eax, edx
		mov	[ecx+1E4h], al

loc_49E128:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+2B6j
					; RtlpHpLfhSubsegmentDecommitPages+3E5j
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-30h], eax
		jz	short loc_49E16D
		test	edi, 8000h
		jz	short loc_49E14D
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp-8]

loc_49E14D:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+371j
		test	byte ptr [ebp-1Eh], 1
		jz	short loc_49E15D
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_49E15D:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+381j
		test	edi, 7FFFh
		jnz	short loc_49E1BA
		mov	edi, [ebp-8]
		jmp	short loc_49E1CC
; 

loc_49E16A:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+406j
					; RtlpHpLfhSubsegmentDecommitPages+415j
		mov	ecx, [ebp-8]

loc_49E16D:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+369j
		nop
		add	word ptr [ecx+13Eh], 1
		jnz	loc_49DFF2
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	loc_49DFF2
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_49DFF2
; 

loc_49E192:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+170j
		test	edi, edi
		jz	loc_49DE56
		jmp	loc_5BCFC7
; 

loc_49E19F:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+33Fj
		mov	ecx, [ebp-30h]
		mov	al, 1
		shl	al, cl
		mov	ecx, [ebp-8]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp-0Ch]
		jmp	loc_49E128
; 

loc_49E1BA:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+393j
		and	edi, 7FFFh
		mov	edx, edi
		mov	edi, [ebp-8]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_49E1CC:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+398j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_49E16A
		push	dword ptr [ebp-30h]
		mov	edx, [ebp-10h]
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_49E16A
; 

loc_49E1E7:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+1DCj
		mov	eax, [ebp-0Ch]
		movzx	edx, byte ptr [eax+1Dh]
		lea	ecx, [eax+44h]
		call	_RtlpHpAcquireLockShared@8 ; RtlpHpAcquireLockShared(x,x)
		mov	[ebp-2], al
		jmp	loc_49DFB2
; 

loc_49E1FE:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+11Bj
		mov	eax, 8
		mov	[ebp-30h], eax
		jmp	loc_49DEF1
; 

loc_49E20B:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+D2j
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_49E223
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp-30h]

loc_49E223:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+449j
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
RtlpHpLfhSubsegmentDecommitPages endp ;	sp =  4

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhSubsegmentFindEmptyUnits(x, x, x)
_RtlpHpLfhSubsegmentFindEmptyUnits@12 proc near
					; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+76p
					; RtlpHpLfhSubsegmentCountEmptyUnits(x)+22p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, byte ptr [ecx+1Dh]
		push	esi
		movzx	esi, word ptr [ecx+1Eh]
		add	esi, ecx
		cmp	word ptr [esi+edx*2], 0
		lea	ecx, [esi+eax*2]
		lea	eax, [esi+edx*2]
		jz	short loc_49E276
		cmp	eax, ecx
		jnb	short loc_49E26E

loc_49E261:				; CODE XREF: RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)+2Cj
		cmp	word ptr [eax],	0
		jz	short loc_49E2A4
		add	eax, 2
		cmp	eax, ecx
		jb	short loc_49E261

loc_49E26E:				; CODE XREF: RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)+1Fj
					; RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)+66j
		or	eax, 0FFFFFFFFh

loc_49E271:				; CODE XREF: RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)+62j
		pop	esi
		pop	ebp
		retn	4
; 

loc_49E276:				; CODE XREF: RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)+1Bj
		sub	eax, 2
		cmp	word ptr [eax],	0
		jz	short loc_49E2C0

loc_49E27F:				; CODE XREF: RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)+87j
		add	eax, 2

loc_49E282:				; CODE XREF: RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)+6Ej
		push	edi
		lea	edi, [esi+2]
		cmp	word ptr [edi+edx*2], 0
		lea	edi, [edi+edx*2]
		jz	short loc_49E2B0

loc_49E290:				; CODE XREF: RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)+72j
					; RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)+7Dj
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		sub	edx, esi
		sub	edi, eax
		sar	edx, 1
		sar	edi, 1
		mov	eax, edx
		mov	[ecx], edi
		pop	edi
		jmp	short loc_49E271
; 

loc_49E2A4:				; CODE XREF: RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)+25j
		cmp	eax, ecx
		jnb	short loc_49E26E
		mov	edx, eax
		sub	edx, esi
		sar	edx, 1
		jmp	short loc_49E282
; 

loc_49E2B0:				; CODE XREF: RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)+4Ej
					; RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)+7Bj
		cmp	edi, ecx
		jnb	short loc_49E290
		add	edi, 2
		cmp	word ptr [edi],	0
		jz	short loc_49E2B0
		jmp	short loc_49E290
; 
		align 10h

loc_49E2C0:				; CODE XREF: RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)+3Dj
					; RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)+89j
		sub	eax, 2
		cmp	word ptr [eax],	0
		jnz	short loc_49E27F
		jmp	short loc_49E2C0
_RtlpHpLfhSubsegmentFindEmptyUnits@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpScheduleCompaction(x)
_RtlpHpScheduleCompaction@4 proc near	; CODE XREF: RtlpHpSegLfhVsDecommit(x,x,x)+86p
					; RtlpHpLfhSubsegmentDecommitPages+155p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1Ch+var_4], eax
		cmp	_ExpHpGCInitialized, 0
		push	esi
		jz	short loc_49E35C
		mov	eax, [ecx]
		xor	ecx, ecx
		shr	eax, 8
		inc	ecx
		cmp	al, cl
		jnz	short loc_49E321
		mov	edx, offset _ExpHpGCScheduledNonPaged
		xor	eax, eax
		lock cmpxchg [edx], ecx
		mov	ecx, _ExpHpGCTimerNonPaged

loc_49E309:				; CODE XREF: RtlpHpScheduleCompaction(x)+66j
		xor	esi, esi
		test	eax, eax
		jz	short loc_49E334

loc_49E30F:				; CODE XREF: RtlpHpScheduleCompaction(x)+8Ej
					; RtlpHpScheduleCompaction(x)+95j
		mov	ecx, [esp+20h+var_4]
		mov	eax, esi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_49E321:				; CODE XREF: RtlpHpScheduleCompaction(x)+2Aj
		mov	edx, offset _ExpHpGCScheduledPaged
		xor	eax, eax
		lock cmpxchg [edx], ecx
		mov	ecx, _ExpHpGCTimerPaged
		jmp	short loc_49E309
; 

loc_49E334:				; CODE XREF: RtlpHpScheduleCompaction(x)+41j
		or	[esp+20h+var_10], 0FFFFFFFFh
		lea	eax, [esp+20h+var_18]
		or	[esp+20h+var_C], 0FFFFFFFFh
		push	eax
		push	esi
		push	esi
		push	0FFFFFFFFh
		push	0FF676980h
		push	ecx
		mov	[esp+38h+var_18], esi
		mov	[esp+38h+var_14], esi
		call	ExSetTimer
		jmp	short loc_49E30F
; 

loc_49E35C:				; CODE XREF: RtlpHpScheduleCompaction(x)+1Ej
		mov	esi, 0C0000002h
		jmp	short loc_49E30F
_RtlpHpScheduleCompaction@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVsContextFree proc near		; CODE XREF: RtlpHpSegFree+4Bp
					; RtlpFreeHeapInternal+3Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005BD00B SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	ecx, [ebp+arg_0]
		push	esi
		push	edi
		mov	eax, [ebx+98h]
		lea	edi, [ecx-8]
		mov	[ebp+var_8], eax
		test	al, 1
		jnz	loc_49E421

loc_49E387:				; CODE XREF: RtlpHpVsContextFree+C3j
					; RtlpHpVsContextFree+CCj
		xor	esi, esi
		test	edx, edx
		jnz	short loc_49E3B6
		mov	eax, [edi]
		mov	edx, edi
		mov	ecx, _RtlpHpHeapGlobals
		xor	eax, ecx
		xor	eax, edi
		jge	loc_5BD00B
		mov	eax, [edi+4]
		xor	eax, ecx
		xor	eax, edi

loc_49E3A8:				; CODE XREF: RtlpHpVsContextFree+11ECD6j
		movzx	eax, al

loc_49E3AB:				; CODE XREF: RtlpHpVsContextFree+11ECDDj
		shl	eax, 0Ch
		sub	edx, eax
		and	edx, 0FFFFF000h

loc_49E3B6:				; CODE XREF: RtlpHpVsContextFree+27j
		mov	ax, [edx+16h]
		mov	ecx, 7FFFh
		xor	ax, [edx+14h]
		mov	[ebp+var_4], 2BEDh
		xor	ax, word ptr [ebp+var_4]
		test	ax, cx
		mov	ecx, [ebp+arg_0]
		jnz	loc_5BD046
		mov	eax, [edi]
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, edi
		jge	loc_5BD04E
		shr	eax, 1
		mov	ecx, 7FFFh
		and	eax, ecx
		test	byte ptr [ebp+var_8], 4
		lea	ecx, ds:0FFFFFFF8h[eax*8]
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		jnz	short loc_49E435

loc_49E405:				; CODE XREF: RtlpHpVsContextFree+D7j
					; RtlpHpVsContextFree+F4j
		mov	edx, [ebp+arg_4]
		lea	ecx, [edi+8]
		mov	[ecx], esi
		push	ecx
		mov	ecx, ebx
		call	RtlpHpVsContextFreeList

loc_49E415:				; CODE XREF: RtlpHpVsContextFree+EBj
		xor	esi, esi
		inc	esi

loc_49E418:				; CODE XREF: RtlpHpVsContextFree+11ECFEj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_49E421:				; CODE XREF: RtlpHpVsContextFree+1Dj
		test	ecx, 0FFFh
		jnz	loc_49E387
		sub	edi, 8
		jmp	loc_49E387
; 

loc_49E435:				; CODE XREF: RtlpHpVsContextFree+9Fj
		cmp	ecx, 1000h
		jnb	short loc_49E405
		cmp	word ptr [ebx+44h], 20h
		lea	ecx, [ebx+40h]
		jnb	short loc_49E451
		lea	edx, [edi+8]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		jmp	short loc_49E415
; 

loc_49E451:				; CODE XREF: RtlpHpVsContextFree+E1j
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	esi, eax
		jmp	short loc_49E405
RtlpHpVsContextFree endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExGetHeapFromVA	proc near		; CODE XREF: ExpHpCompactionRoutine(x)+7Ep
					; MiSessionUnlinkProcess+103p ...

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		call	_MiDeterminePoolType@4 ; MiDeterminePoolType(x)
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		push	ebx
		lea	ecx, [eax-20h]
		mov	word ptr [ebp+var_8+1],	1
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		cmp	ecx, 21h
		mov	ecx, esi
		setz	al
		lea	eax, ds:3[eax*2]
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		call	RtlpHpGetOwnerHeap
		test	eax, eax
		jz	sub_5BD067
		pop	esi
		pop	ebx
		leave
		retn
ExGetHeapFromVA	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpGetOwnerHeap proc	near		; CODE XREF: ExGetHeapFromVA+3Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		test	di, di
		jz	short loc_49E4DA
		xor	esi, esi

loc_49E4B6:				; CODE XREF: RtlpHpGetOwnerHeap+5Dj
		cmp	esi, 2
		jz	loc_5BD076
		mov	edx, esi
		mov	ecx, edi
		call	_RtlpHpSegGetOwner@8 ; RtlpHpSegGetOwner(x,x)
		mov	ecx, eax
		lea	eax, [esi+2]
		shl	eax, 7
		sub	ecx, eax

loc_49E4D2:				; CODE XREF: sub_5BD067+1Ej
		pop	edi
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	8
; 

loc_49E4DA:				; CODE XREF: RtlpHpGetOwnerHeap+Cj
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		mov	edx, edi
		push	ecx
		sub	edx, [eax+4]
		lea	ecx, [eax+8]
		shr	edx, 14h
		add	edx, edx
		call	RtlCSparseBitmapBitmaskRead
		test	eax, eax
		jz	loc_5BD076
		lea	esi, [eax-1]
		jmp	short loc_49E4B6
RtlpHpGetOwnerHeap endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegGetOwner(x, x)
_RtlpHpSegGetOwner@8 proc near		; CODE XREF: RtlpHpGetOwnerHeap+1Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, 100000h
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	edx, [ebp+edx*4+var_8]
		neg	edx
		and	edx, ecx
		mov	eax, [edx+8]
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, edx
		xor	eax, 0A2E64EADh
		leave
		retn
_RtlpHpSegGetOwner@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlHpEnvContextCreate(x, x,	x, x)
_RtlHpEnvContextCreate@16 proc near	; CODE XREF: RtlHpHeapManagerStart+83DB4p

var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	al, [ebp+arg_0]
		and	cl, 3
		push	ebx
		mov	bl, [ebp+arg_4]
		and	bl, 1
		shl	bl, 2
		or	bl, cl
		push	esi
		xor	esi, esi
		add	bl, bl
		mov	[ebp+var_8], esi
		test	edx, edx
		mov	byte ptr [ebp+var_8+2],	al
		setnz	al
		mov	byte ptr [ebp+var_8+1],	dl
		or	bl, al
		mov	edx, esi
		mov	byte ptr [ebp+var_8], bl
		mov	eax, [ebp+var_8]
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlHpEnvContextCreate@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRemoveFromSystemSpace	proc near	; CODE XREF: MiInsertInSystemSpace+11EA59p
					; MiUnmapImageInSystemSpace+1Ap ...

var_C2		= byte ptr -0C2h
var_C1		= byte ptr -0C1h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_A6		= byte ptr -0A6h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BD08A SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 0A8h
		push	esi
		push	edi
		push	54h		; size_t
		lea	eax, [esp+0B4h+var_58]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		mov	edi, edx
		mov	[esp+0BCh+var_74], esi
		call	_memset
		mov	edx, large fs:124h
		mov	eax, edi
		shr	eax, 9
		add	esp, 0Ch
		and	eax, offset loc_7FFFF8
		mov	[esp+0B0h+var_60], edx
		sub	eax, 40000000h
		mov	[esp+0B0h+var_64], eax
		cmp	esi, offset unk_6CF5A4
		jnz	loc_49E865
		and	[esp+0B0h+var_68], 0
		mov	[esp+0B0h+var_7C], offset unk_6D3740

loc_49E5CE:				; CODE XREF: MiRemoveFromSystemSpace+310j
		dec	word ptr [edx+13Eh]
		nop
		mov	ecx, [esi+4]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esp+0B0h+var_7C]
		mov	esi, offset unk_6D3C40
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		jz	short loc_49E5F8
		lea	esi, [ecx+80h]

loc_49E5F8:				; CODE XREF: MiRemoveFromSystemSpace+82j
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	edx, [esp+0B0h+var_74]
		and	dword ptr [esi+4], 0
		mov	[esp+0Bh], al
		mov	esi, [edx+8]
		jmp	short loc_49E612
; 

loc_49E60F:				; CODE XREF: MiRemoveFromSystemSpace+BCj
		mov	esi, [esi+4]

loc_49E612:				; CODE XREF: MiRemoveFromSystemSpace+9Fj
					; MiRemoveFromSystemSpace+C4j
		mov	[esp+0B0h+var_84], esi
		test	esi, esi
		jz	short loc_49E634
		mov	ecx, [esi+34h]
		mov	eax, [esi+18h]
		and	ecx, 0FFFFF000h
		add	eax, ecx
		cmp	edi, eax
		jnb	short loc_49E60F
		cmp	edi, ecx
		jnb	short loc_49E645
		mov	esi, [esi]
		jmp	short loc_49E612
; 

loc_49E634:				; CODE XREF: MiRemoveFromSystemSpace+AAj
					; MiRemoveFromSystemSpace+D9j
		push	0
		push	0
		push	1
		push	edi
		push	0D7h

loc_49E640:				; CODE XREF: MiRemoveFromSystemSpace+11EB2Cj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_49E645:				; CODE XREF: MiRemoveFromSystemSpace+C0j
		test	esi, esi
		jz	short loc_49E634
		dec	dword ptr [edx+0Ch]
		lea	eax, [edx+8]
		push	esi
		push	eax
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	dl, [esp+0CCh+var_C1]
		mov	ecx, [esp+0CCh+var_98]
		call	MiUnlockWorkingSetExclusive
		mov	eax, [esi+28h]
		lea	edx, [esi+2Ch]
		mov	[esp+0CCh+var_78], eax
		lea	ecx, [esp+0CCh+var_74]
		mov	eax, [esi+20h]
		push	4
		mov	eax, [eax]
		mov	[esp+0D0h+var_88], eax
		mov	[esp+0D0h+var_74], eax
		call	MiManageSubsectionView
		mov	eax, [esp+0CCh+var_90]
		mov	ecx, [eax+4]
		or	eax, 0FFFFFFFFh
		mov	[esp+0CCh+var_9C], ecx
		mov	[esp+0CCh+var_94], eax
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_49E8A8

loc_49E6A5:				; CODE XREF: MiRemoveFromSystemSpace+343j
		xor	edi, edi
		mov	[esp+0CCh+var_8C], edi
		test	ecx, 7FFFFFFCh
		jz	loc_49E7C4
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	esi, dword_6D07D0
		shr	edx, 15h
		cmp	ecx, esi
		mov	[esp+0CCh+var_BC], esi
		mov	esi, [esp+0CCh+var_A0]
		mov	[esp+0CCh+var_C0], eax
		jb	short loc_49E6E5
		cmp	byte ptr dword_6D3994[edx], 1
		jz	loc_49E849

loc_49E6E5:				; CODE XREF: MiRemoveFromSystemSpace+168j
		cmp	ecx, [esp+0CCh+var_BC]
		jb	short loc_49E6F8
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jz	loc_49E849

loc_49E6F8:				; CODE XREF: MiRemoveFromSystemSpace+17Bj
					; MiRemoveFromSystemSpace+2F2j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	dl, [eax+1E6h]
		push	[esp+0CCh+var_94]
		mov	[esp+0D0h+var_C1], dl
		mov	edx, ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+0CCh+var_BC], ecx
		test	ecx, ecx
		jz	loc_49E88F
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_49E8B6

loc_49E73E:				; CODE XREF: MiRemoveFromSystemSpace+351j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+0CCh+var_8C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [esp+0CCh+var_C0]
		mov	dword ptr [ecx+10h], 0
		push	30h
		sub	ecx, [eax+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		cmp	[esp+0CCh+var_C1], 1
		mov	edx, eax
		jnz	loc_5BD09F
		mov	eax, [esp+0CCh+var_C0]
		movzx	ecx, byte ptr [eax+1E4h]
		bts	ecx, edx
		mov	[eax+1E4h], cl

loc_49E794:				; CODE XREF: MiRemoveFromSystemSpace+335j
					; MiRemoveFromSystemSpace+11EB4Cj
		nop
		dec	byte ptr [eax+1E6h]
		mov	ecx, edi
		and	ecx, 1FFFFh
		mov	[esp+0CCh+var_BC], ecx
		jnz	loc_49E8DA

loc_49E7AD:				; CODE XREF: MiRemoveFromSystemSpace+3B8j
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_49E7C4
		nop
		add	eax, 70h
		cmp	[eax], eax
		jnz	loc_49E8C4

loc_49E7C4:				; CODE XREF: MiRemoveFromSystemSpace+143j
					; MiRemoveFromSystemSpace+248j	...
		mov	ecx, [esp+0CCh+var_7C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [esp+0CCh+var_78]
		test	eax, eax
		jnz	loc_5BD0E2

loc_49E7D9:				; CODE XREF: MiRemoveFromSystemSpace+11EB7Bj
		test	byte ptr [esi+24h], 1
		mov	edi, [esp+0CCh+var_88]
		jnz	loc_49E931

loc_49E7E7:				; CODE XREF: MiRemoveFromSystemSpace+3C7j
		cmp	[ebp+arg_0], 1
		jnz	short loc_49E7F8
		mov	edx, [esp+0CCh+var_98]
		mov	ecx, esi
		call	MiRemoveMappedPtes

loc_49E7F8:				; CODE XREF: MiRemoveFromSystemSpace+27Dj
		mov	edx, [esi+3Ch]
		cmp	edx, 7FFFFh
		jnz	loc_49E8CE

loc_49E807:				; CODE XREF: MiRemoveFromSystemSpace+367j
		mov	edx, [esi+18h]
		mov	eax, [esi+24h]
		shr	edx, 0Ch
		and	al, 18h
		add	edx, 0Fh
		and	edx, 0FFFFFFF0h
		cmp	al, 10h
		jnz	loc_5BD0EE
		cmp	[esp+0CCh+var_90], offset unk_6CF5A4
		push	edx
		mov	edx, [esp+0D0h+var_80]
		jnz	short loc_49E883
		mov	ecx, offset unk_6D339C

loc_49E834:				; CODE XREF: MiRemoveFromSystemSpace+31Fj
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_49E839:				; CODE XREF: MiRemoveFromSystemSpace+11EB93j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_49E849:				; CODE XREF: MiRemoveFromSystemSpace+171j
					; MiRemoveFromSystemSpace+184j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [esp+0CCh+var_9C]
		mov	[esp+0CCh+var_94], eax
		mov	eax, [esp+0CCh+var_C0]
		jmp	loc_49E6F8
; 

loc_49E865:				; CODE XREF: MiRemoveFromSystemSpace+4Dj
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		mov	ecx, [edx+80h]
		mov	[esp+0ACh+var_78], eax
		mov	eax, [ecx+180h]
		mov	[esp+0ACh+var_64], eax
		jmp	loc_49E5CE
; 

loc_49E883:				; CODE XREF: MiRemoveFromSystemSpace+2BFj
		mov	ecx, [esp+0D0h+var_84]
		add	ecx, 23F0h
		jmp	short loc_49E834
; 

loc_49E88F:				; CODE XREF: MiRemoveFromSystemSpace+1B8j
		mov	ecx, [esp+0CCh+var_C0]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_5BD08A
		mov	eax, ecx
		jmp	loc_49E794
; 

loc_49E8A8:				; CODE XREF: MiRemoveFromSystemSpace+131j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [esp+0CCh+var_9C]
		jmp	loc_49E6A5
; 

loc_49E8B6:				; CODE XREF: MiRemoveFromSystemSpace+1CAj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+0CCh+var_BC]
		jmp	loc_49E73E
; 

loc_49E8C4:				; CODE XREF: MiRemoveFromSystemSpace+250j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_49E7C4
; 

loc_49E8CE:				; CODE XREF: MiRemoveFromSystemSpace+293j
		mov	ecx, edi
		call	_MiDereferencePerSessionProtos@8 ; MiDereferencePerSessionProtos(x,x)
		jmp	loc_49E807
; 

loc_49E8DA:				; CODE XREF: MiRemoveFromSystemSpace+239j
		test	edi, 8000h
		jz	short loc_49E8EF
		xor	edx, edx
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [esp+0CCh+var_C0]

loc_49E8EF:				; CODE XREF: MiRemoveFromSystemSpace+372j
		test	byte ptr [esp+0CCh+var_8C+2], 1
		jnz	loc_5BD0BF

loc_49E8FA:				; CODE XREF: MiRemoveFromSystemSpace+11EB5Bj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_49E92B
		and	edi, eax
		mov	edx, edi
		mov	edi, [esp+0CCh+var_C0]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_49E912:				; CODE XREF: MiRemoveFromSystemSpace+3C1j
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5BD0CE

loc_49E922:				; CODE XREF: MiRemoveFromSystemSpace+11EB6Fj
		mov	eax, [esp+0CCh+var_C0]
		jmp	loc_49E7AD
; 

loc_49E92B:				; CODE XREF: MiRemoveFromSystemSpace+393j
		mov	edi, [esp+0CCh+var_C0]
		jmp	short loc_49E912
; 

loc_49E931:				; CODE XREF: MiRemoveFromSystemSpace+273j
		lock dec dword ptr [edi+34h]
		jmp	loc_49E7E7
MiRemoveFromSystemSpace	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInsertInSystemSpace proc near		; CODE XREF: MiMapViewInSystemSpace+9Dp

var_CC		= dword	ptr -0CCh
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B1		= byte ptr -0B1h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005BD106 SIZE 0000029D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 0B8h
		push	esi
		push	edi
		push	54h		; size_t
		lea	eax, [esp+0C4h+var_58]
		mov	[esp+0C4h+var_B8], edx
		push	0		; int
		push	eax		; void *
		mov	[esp+0CCh+var_7C], ecx
		mov	[esp+0CCh+var_60], 0
		mov	[esp+0CCh+var_5C], 0
		call	_memset
		mov	eax, [ebp+arg_10]
		add	esp, 0Ch
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	[esp+0C0h+var_88], 0
		xor	esi, esi
		mov	[esp+0C0h+var_80], edx
		xor	edi, edi
		mov	dword ptr [eax], 0
		mov	[esp+0C0h+var_98], 7FFFFh
		mov	[esp+0C0h+var_B1], dl
		mov	[esp+0C0h+var_78], edx
		mov	[esp+0C0h+var_94], offset unk_6D339C
		mov	[esp+0C0h+var_74], 2
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	[esp+0C0h+var_8C], eax
		mov	eax, [esp+0C0h+var_B8]
		movzx	ecx, ax
		neg	ecx
		sbb	ecx, ecx
		shr	eax, 10h
		neg	ecx
		add	ecx, eax
		mov	[esp+0C0h+var_84], ecx
		cmp	ecx, 10000h
		jnb	loc_5BD106
		mov	ecx, [ebp+arg_4]
		lea	edx, [esp+0C0h+var_60]
		mov	eax, [ecx+4]
		push	eax
		mov	eax, [ecx]
		mov	ecx, [esp+0C4h+var_8C]
		push	eax
		call	MiOffsetToProtos
		mov	[esp+0C0h+var_70], eax
		test	eax, eax
		jz	loc_5BD115
		cmp	[esp+0C0h+var_7C], offset unk_6CF5A4
		jnz	loc_49EE89
		test	[ebp+arg_C], 8
		mov	edx, esi
		mov	[esp+0C0h+var_90], offset unk_6D3740
		setnz	dl
		mov	[esp+0C0h+var_B0], esi
		mov	[esp+0C0h+var_6C], 0FFFFFFFFh
		add	edx, 3

loc_49EA33:				; CODE XREF: MiInsertInSystemSpace+57Fj
		mov	eax, [esp+0C0h+var_B8]
		mov	edi, eax
		mov	ecx, [esp+0C0h+var_8C]
		and	edi, 0FFFh
		neg	edi
		sbb	edi, edi
		shr	eax, 0Ch
		neg	edi
		add	edi, eax
		mov	eax, [esp+0C0h+var_84]
		shl	eax, 4
		test	dword ptr [ecx+1Ch], 420h
		mov	[esp+0C0h+var_64], edi
		mov	[esp+0C0h+var_78], eax
		jnz	short loc_49EA9D
		lea	eax, [esp+0C0h+var_74]
		push	eax
		xor	eax, eax
		cmp	edx, 2
		mov	edx, [ebp+arg_4]
		setnz	al
		push	eax
		push	edi
		call	_MiReferenceDataSubsections@20 ; MiReferenceDataSubsections(x,x,x,x,x)
		mov	[esp+0C0h+var_B8], eax
		test	eax, eax
		js	loc_5BD163
		cmp	[esp+0C0h+var_74], 2
		mov	[esp+0C0h+var_B1], 1
		jb	loc_5BD124
		mov	eax, [esp+0C0h+var_78]

loc_49EA9D:				; CODE XREF: MiInsertInSystemSpace+124j
		mov	ecx, [esp+0C0h+var_94]
		mov	edx, eax
		call	MiReservePtes
		mov	esi, eax
		mov	[esp+0C0h+var_84], esi
		test	esi, esi
		jz	loc_5BD16A
		shl	eax, 9
		mov	[esp+0C0h+var_88], eax

loc_49EABD:				; CODE XREF: MiInsertInSystemSpace+11E81Ej
		push	0
		push	40h
		mov	edx, 7756694Dh
		mov	ecx, 40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, eax
		mov	[esp+0C0h+var_80], edx
		test	edx, edx
		jz	loc_5BD176
		mov	eax, [esp+0C0h+var_74]
		mov	ecx, [ebp+arg_0]
		shl	eax, 3
		xor	eax, [edx+24h]
		and	eax, 18h
		xor	eax, [edx+24h]
		mov	[edx+24h], eax
		test	dword ptr [ecx+20h], 8000000h
		jnz	loc_5BD182

loc_49EB01:				; CODE XREF: MiInsertInSystemSpace+11E848j
		test	[ebp+arg_8], 1
		jnz	loc_49EE2B

loc_49EB0B:				; CODE XREF: MiInsertInSystemSpace+4F1j
		mov	ecx, [esp+0C0h+var_8C]
		mov	eax, [ecx+1Ch]
		test	al, 20h
		jnz	loc_49EE36
		xor	edx, edx

loc_49EB1C:				; CODE XREF: MiInsertInSystemSpace+50Cj
					; MiInsertInSystemSpace+52Aj
		mov	ecx, [ebp+arg_4]
		mov	eax, edi
		mov	edi, [esp+0C0h+var_80]
		shl	eax, 0Ch
		mov	[edi+18h], eax
		mov	eax, [esp+0C0h+var_70]
		mov	[edi+20h], eax
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		shrd	eax, ecx, 0Ch
		mov	[edi+1Ch], edx
		mov	[edi+10h], eax
		mov	eax, [esp+0C0h+var_88]
		or	eax, 2
		shr	ecx, 0Ch
		cmp	[esp+0C0h+var_7C], offset unk_6CF5A4
		mov	[edi+34h], eax
		mov	eax, [esp+0C0h+var_98]
		mov	[edi+14h], ecx
		mov	[edi+3Ch], eax
		jnz	loc_49EEC4
		or	eax, 0FFFFFFFFh

loc_49EB69:				; CODE XREF: MiInsertInSystemSpace+58Bj
		mov	ecx, [ebp+arg_0]
		mov	[edi+38h], eax
		call	MiReferenceFileObjectForMap
		mov	[edi+28h], eax
		mov	eax, large fs:124h
		mov	[esp+0C0h+var_68], eax
		dec	word ptr [eax+13Eh]
		nop
		mov	eax, [esp+0C0h+var_7C]
		xor	edx, edx
		mov	ecx, [eax+4]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esp+0C0h+var_90]
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		jz	loc_5BD246
		lea	eax, [ecx+80h]

loc_49EBAE:				; CODE XREF: MiInsertInSystemSpace+11E90Bj
		push	eax
		mov	[esp+0C4h+var_B0], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [esp+0C0h+var_B0]
		mov	[esp+0C0h+var_B1], al
		mov	eax, [esp+0C0h+var_7C]
		mov	byte ptr [esp+0C0h+var_94], 0
		mov	dword ptr [ecx+4], 0
		inc	dword ptr [eax+0Ch]
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	short loc_49EC15
		lea	ebx, [ebx+0]

loc_49EBE0:				; CODE XREF: MiInsertInSystemSpace+4E6j
		mov	edx, [ecx+34h]
		mov	eax, [ecx+18h]
		and	edx, 0FFFFF000h
		add	eax, edx
		cmp	[esp+0C0h+var_88], eax
		jnb	short loc_49EBFE
		cmp	[esp+0C0h+var_88], edx
		jb	loc_49EE1A

loc_49EBFE:				; CODE XREF: MiInsertInSystemSpace+2B2j
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	loc_49EE24
		mov	byte ptr [esp+0C0h+var_94], 1
		jmp	short loc_49EC15
; 

loc_49EC10:				; CODE XREF: MiInsertInSystemSpace+4DEj
		mov	byte ptr [esp+0C0h+var_94], 0

loc_49EC15:				; CODE XREF: MiInsertInSystemSpace+298j
					; MiInsertInSystemSpace+2CEj
		mov	eax, [esp+0C0h+var_7C]
		push	edi
		push	[esp+0C4h+var_94]
		add	eax, 8
		push	ecx
		push	eax
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		mov	dl, [esp+0C0h+var_B1]
		mov	ecx, [esp+0C0h+var_90]
		call	MiUnlockWorkingSetExclusive
		mov	eax, [esp+0C0h+var_8C]
		test	dword ptr [eax+1Ch], 400h
		jnz	short loc_49EC54
		push	3
		lea	edx, [edi+2Ch]
		mov	[esp+0C4h+var_58], eax
		lea	ecx, [esp+0C4h+var_58]
		call	MiManageSubsectionView

loc_49EC54:				; CODE XREF: MiInsertInSystemSpace+300j
		mov	eax, [esp+0C0h+var_7C]
		mov	edx, [eax+4]
		or	eax, 0FFFFFFFFh
		mov	[esp+0C0h+var_98], edx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_49EEE7

loc_49EC70:				; CODE XREF: MiInsertInSystemSpace+5B2j
		xor	edi, edi
		mov	[esp+0C0h+var_90], edi
		test	edx, 7FFFFFFCh
		jz	loc_49ED9E
		mov	eax, large fs:124h
		mov	ecx, edx
		mov	[esp+0C0h+var_B8], eax
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		cmp	edx, eax
		mov	[esp+0C0h+var_B0], eax
		mov	eax, [esp+0C0h+var_B8]
		jb	short loc_49ECAF
		cmp	byte ptr dword_6D3994[ecx], 1
		jz	loc_49EE6F

loc_49ECAF:				; CODE XREF: MiInsertInSystemSpace+360j
		cmp	edx, [esp+0C0h+var_B0]
		jb	short loc_49ECC2
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_49EE6F

loc_49ECC2:				; CODE XREF: MiInsertInSystemSpace+373j
		or	ecx, 0FFFFFFFFh
		mov	[esp+0C0h+var_B0], ecx

loc_49ECC9:				; CODE XREF: MiInsertInSystemSpace+544j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	dl, [eax+1E6h]
		mov	[esp+0C0h+var_B1], dl
		mov	edx, [esp+0C0h+var_98]
		push	ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[esp+0C0h+var_94], edx
		test	edx, edx
		jz	loc_49EED0
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jl	loc_49EEF7

loc_49ED0E:				; CODE XREF: MiInsertInSystemSpace+5C2j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+0C0h+var_90], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [esp+0C0h+var_B8]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	[esp+0C0h+var_B1], 1
		mov	[esp+0C0h+var_B0], eax
		jnz	loc_5BD265
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [esp+0C0h+var_B0]
		bts	eax, edx
		mov	[ecx+1E4h], al

loc_49ED6F:				; CODE XREF: MiInsertInSystemSpace+59Cj
					; MiInsertInSystemSpace+11E93Ej
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+0C0h+var_84], eax
		jnz	loc_49EF32

loc_49ED87:				; CODE XREF: MiInsertInSystemSpace+633j
					; MiInsertInSystemSpace+11E967j
		nop
		add	word ptr [ecx+13Eh], 1
		jnz	short loc_49ED9E
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	loc_49EF28

loc_49ED9E:				; CODE XREF: MiInsertInSystemSpace+33Cj
					; MiInsertInSystemSpace+450j ...
		mov	ecx, [esp+0C0h+var_68]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [esp+0C0h+var_80]
		test	byte ptr [eax+24h], 1
		jnz	loc_5BD2AC

loc_49EDB5:				; CODE XREF: MiInsertInSystemSpace+11E974j
		mov	edi, [esp+0C0h+var_74]
		cmp	edi, 2
		jb	loc_5BD2B9
		mov	edx, [esp+0C0h+var_64]
		xor	eax, eax
		test	edx, edx
		jz	short loc_49EDE9
		lea	esp, [esp+0]

loc_49EDD0:				; CODE XREF: MiInsertInSystemSpace+4A7j
		mov	ecx, ds:_ZeroPte
		mov	[esi+eax*8], ecx
		nop
		mov	ecx, ds:dword_40F9FC
		mov	[esi+eax*8+4], ecx
		inc	eax
		cmp	eax, edx
		jb	short loc_49EDD0

loc_49EDE9:				; CODE XREF: MiInsertInSystemSpace+48Aj
		push	0
		push	[esp+0C4h+var_6C]
		mov	ecx, esi
		push	[ebp+arg_4]
		push	[esp+0CCh+var_8C]
		call	MiAddMappedPtes
		mov	esi, eax
		test	esi, esi
		js	loc_5BD38A

loc_49EE07:				; CODE XREF: MiInsertInSystemSpace+11EA45j
		mov	ecx, [ebp+arg_10]
		mov	eax, [esp+0C0h+var_88]
		mov	[ecx], eax

loc_49EE10:				; CODE XREF: MiInsertInSystemSpace+11EA5Ej
		mov	eax, esi

loc_49EE12:				; CODE XREF: MiInsertInSystemSpace+11E8EFj
					; MiInsertInSystemSpace+11E901j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_49EE1A:				; CODE XREF: MiInsertInSystemSpace+2B8j
		mov	eax, [ecx]
		test	eax, eax
		jz	loc_49EC10

loc_49EE24:				; CODE XREF: MiInsertInSystemSpace+2C3j
		mov	ecx, eax
		jmp	loc_49EBE0
; 

loc_49EE2B:				; CODE XREF: MiInsertInSystemSpace+1C5j
		or	eax, 2
		mov	[edx+24h], eax
		jmp	loc_49EB0B
; 

loc_49EE36:				; CODE XREF: MiInsertInSystemSpace+1D4j
		test	eax, 4000000h
		jnz	loc_49EF07

loc_49EE41:				; CODE XREF: MiInsertInSystemSpace+5E3j
		mov	eax, [ecx]
		mov	edx, [eax+20h]
		mov	[esp+0C0h+var_B8], edx
		test	edx, edx
		jz	loc_49EB1C
		push	0
		mov	ecx, offset _MiSystemPartition
		call	MiChargeCommit
		test	eax, eax
		jz	loc_5BD19D
		mov	edx, [esp+0C0h+var_B8]
		jmp	loc_49EB1C
; 

loc_49EE6F:				; CODE XREF: MiInsertInSystemSpace+369j
					; MiInsertInSystemSpace+37Cj
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[esp+0C0h+var_B0], eax
		mov	eax, [esp+0C0h+var_B8]
		jmp	loc_49ECC9
; 

loc_49EE89:				; CODE XREF: MiInsertInSystemSpace+CDj
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		mov	ecx, large fs:124h
		mov	edx, 2
		mov	[esp+0BCh+var_8C], eax
		add	eax, 0FFFFFF40h
		mov	[esp+0BCh+var_AC], eax
		add	eax, 23F0h
		mov	[esp+0BCh+var_90], eax
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esp+0BCh+var_68], eax
		jmp	loc_49EA33
; 

loc_49EEC4:				; CODE XREF: MiInsertInSystemSpace+220j
		mov	eax, [esp+0C0h+var_B0]
		mov	eax, [eax+8]
		jmp	loc_49EB69
; 

loc_49EED0:				; CODE XREF: MiInsertInSystemSpace+3B6j
		mov	ecx, [esp+0C0h+var_B8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_49ED6F
		jmp	loc_5BD250
; 

loc_49EEE7:				; CODE XREF: MiInsertInSystemSpace+32Aj
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [esp+0C0h+var_98]
		jmp	loc_49EC70
; 

loc_49EEF7:				; CODE XREF: MiInsertInSystemSpace+3C8j
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [esp+0C0h+var_94]
		jmp	loc_49ED0E
; 

loc_49EF07:				; CODE XREF: MiInsertInSystemSpace+4FBj
		or	edx, 0FFFFFFFFh
		mov	[esp+0C0h+var_98], 0FFFFFFFFh
		call	MiCreatePerSessionProtos
		test	eax, eax
		js	loc_5BD18D
		mov	ecx, [esp+0C0h+var_8C]
		jmp	loc_49EE41
; 

loc_49EF28:				; CODE XREF: MiInsertInSystemSpace+458j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_49ED9E
; 

loc_49EF32:				; CODE XREF: MiInsertInSystemSpace+441j
		test	edi, 8000h
		jz	short loc_49EF45
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+0C0h+var_B8]

loc_49EF45:				; CODE XREF: MiInsertInSystemSpace+5F8j
		test	byte ptr [esp+0C0h+var_90+2], 1
		jnz	loc_5BD283

loc_49EF50:				; CODE XREF: MiInsertInSystemSpace+11E951j
		test	edi, 7FFFh
		jz	short loc_49EF65
		and	edi, 7FFFh
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_49EF65:				; CODE XREF: MiInsertInSystemSpace+616j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	ecx, [esp+0C0h+var_B8]
		jz	loc_49ED87
		jmp	loc_5BD296
MiInsertInSystemSpace endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetInPagePriority(x, x, x)
_MiSetInPagePriority@12	proc near	; CODE XREF: MiPfPutPagesInTransition+178p
					; MiSetInPagePrefetchPriority(x,x)+1Bp	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		cmp	eax, 5
		jnb	short loc_49EF9B
		cmp	edx, eax
		jbe	short loc_49EF9B
		or	dword ptr [esi+78h], 80000h
		jmp	short loc_49EFA2
; 

loc_49EF9B:				; CODE XREF: MiSetInPagePriority(x,x,x)+Ej
					; MiSetInPagePriority(x,x,x)+12j
		and	dword ptr [esi+78h], 0FFF7FFFFh

loc_49EFA2:				; CODE XREF: MiSetInPagePriority(x,x,x)+1Bj
		mov	edx, [esi+78h]
		movzx	ecx, al
		and	edx, 0FFFFF1FFh
		and	ecx, 7
		mov	eax, ecx
		shl	ecx, 0Ch
		shl	eax, 9
		or	eax, edx
		and	eax, 0FFFF8FFFh
		or	eax, ecx
		mov	[esi+78h], eax
		pop	esi
		pop	ebp
		retn	4
_MiSetInPagePriority@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakePrototypePteDirect(x)
_MiMakePrototypePteDirect@4 proc near	; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+2Bp
					; MiAddMappedPtes+AFp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, dword_6D0700
		mov	eax, edx
		push	ebx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edx
		mov	ebx, ecx
		or	edi, 400h
		mov	ecx, dword_6D0704
		or	eax, ecx
		jz	short loc_49F00A
		push	esi
		mov	esi, edx
		mov	edx, ecx
		and	esi, edi
		and	edx, ebx
		or	esi, edx
		pop	esi
		jnz	short loc_49F014
		or	edi, [ebp+var_4]
		or	ebx, ecx

loc_49F00A:				; CODE XREF: MiMakePrototypePteDirect(x)+25j
					; MiMakePrototypePteDirect(x)+47j
		mov	eax, edi
		mov	edx, ebx
		pop	edi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_49F014:				; CODE XREF: MiMakePrototypePteDirect(x)+33j
		or	edi, 10h
		jmp	short loc_49F00A
_MiMakePrototypePteDirect@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiGetSubsectionDriverProtos(x)
_MiGetSubsectionDriverProtos@4 proc near ; CODE	XREF: MiPfAllocateMdls+24Dp
					; MiAddMappedPtes+107p	...
		mov	eax, [ecx]
		test	byte ptr [eax+1Ch], 20h
		jz	short loc_49F026
		mov	eax, [ecx+0Ch]
		retn
; 

loc_49F026:				; CODE XREF: MiGetSubsectionDriverProtos(x)+6j
		xor	eax, eax
		retn
_MiGetSubsectionDriverProtos@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteSystemPagableVm(x, x, x, x,	x, x)
_MiDeleteSystemPagableVm@24 proc near	; CODE XREF: MmFreePoolMemory+107p
					; MiDeleteBootRange+E3p ...

var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D4		= dword	ptr -0D4h
var_CC		= dword	ptr -0CCh
var_C2		= byte ptr -0C2h
var_C1		= byte ptr -0C1h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B5		= byte ptr -0B5h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= word ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 12Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		mov	esi, ecx
		push	98h		; size_t
		push	eax		; int
		mov	[ebp+var_11C], eax
		mov	[ebp+var_118], eax
		mov	[ebp+var_114], eax
		mov	[ebp+var_110], eax
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_B0]
		push	eax		; void *
		mov	[ebp+var_104], edx
		mov	[ebp+var_C0], esi
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_120], 0
		call	_memset
		mov	eax, [ebp+var_104]
		add	esp, 0Ch
		mov	[ebp+var_100], 0
		test	eax, eax
		jz	short loc_49F0C8
		test	dword ptr [eax+1Ch], 800h
		jz	short loc_49F0C8
		mov	[ebp+var_100], 1

loc_49F0C8:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+83j
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+8Cj
		mov	ecx, [ebp+arg_8]
		mov	eax, 0Ah
		mov	edx, ecx
		mov	[ebp+var_BC], 0
		and	edx, 1
		mov	[ebp+var_FC], 0
		mov	[ebp+var_110], eax
		mov	[ebp+var_128], edx
		jnz	short loc_49F102
		mov	eax, 0Eh
		mov	[ebp+var_110], eax

loc_49F102:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+C5j
		and	ecx, 4
		mov	[ebp+var_108], ecx
		jz	short loc_49F116
		or	eax, 10h
		mov	[ebp+var_110], eax

loc_49F116:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+DBj
		mov	cl, [esi+60h]
		mov	edx, ebx
		mov	eax, [ebp+arg_8]
		and	cl, 7
		shl	edx, 9
		mov	[ebp+var_DC], 0
		cmp	cl, 3
		jz	short loc_49F159
		cmp	cl, 4
		jz	short loc_49F159
		test	al, 2
		jz	short loc_49F14F
		cmp	dword_6D3154, 0
		jz	short loc_49F14F
		mov	[ebp+var_FC], 1

loc_49F14F:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+10Aj
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+113j
		mov	[ebp+var_DC], 2

loc_49F159:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+101j
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+106j
		mov	ebx, [ebp+var_DC]
		and	eax, 8
		mov	[ebp+var_B0], ebx
		mov	ebx, [ebp+var_B4]
		mov	[ebp+var_AC], 0
		mov	[ebp+var_A0], 0
		mov	[ebp+var_A8], 21h
		mov	[ebp+var_9C], 0
		mov	[ebp+arg_8], eax
		jnz	loc_49F284
		test	ds:byte_70EFC4,	1
		jz	loc_49F284
		xor	eax, eax
		mov	[ebp+var_F0], edx
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_F8], eax
		mov	[ebp+var_F4], eax
		mov	[ebp+var_EC], edx
		cmp	cl, 4
		jnz	short loc_49F1E5
		and	eax, 0FFFFFFF6h
		mov	[ebp+var_F4], 0
		or	eax, 6
		mov	[ebp+var_F8], eax
		jmp	short loc_49F24A
; 

loc_49F1E5:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+19Bj
		cmp	cl, 3
		jnz	short loc_49F202
		and	eax, 0FFFFFFF4h
		mov	[ebp+var_F4], 0
		or	eax, 4
		mov	[ebp+var_F8], eax
		jmp	short loc_49F24A
; 

loc_49F202:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+1B8j
		mov	eax, large fs:124h
		xor	esi, esi
		mov	ecx, [ebp+var_F8]
		and	ecx, 7
		mov	eax, [eax+80h]
		mov	edx, [eax+180h]
		mov	eax, [ebp+var_F4]
		shld	esi, edx, 4
		and	eax, 0FFF00000h
		shl	edx, 4
		or	esi, eax
		or	edx, ecx
		mov	[ebp+var_F4], esi
		mov	esi, [ebp+var_C0]
		or	edx, 7
		mov	[ebp+var_F8], edx

loc_49F24A:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+1B3j
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+1D0j
		push	11401B02h
		push	279h
		lea	eax, [ebp+var_F8]
		mov	[ebp+var_14], 0
		push	20000001h
		mov	edx, 1
		mov	[ebp+var_18], eax
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_10], 10h
		mov	[ebp+var_C], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_49F284:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+168j
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+175j
		mov	eax, [ebp+arg_4]
		mov	ecx, esi
		lea	eax, [ebx+eax*8]
		mov	[ebp+var_E0], eax
		call	MiLockWorkingSetShared
		mov	[ebp+var_B5], al
		mov	eax, [ebp+var_B4]
		cmp	eax, [ebp+var_E0]
		jnb	loc_49F84C
		xor	ecx, ecx

loc_49F2B1:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+816j
		test	ecx, ecx
		jz	short loc_49F2EC
		test	eax, 0FFFh
		jnz	loc_49F34D
		lea	ecx, [ebp+var_B0]
		call	MiFlushTbList
		lea	ecx, [ebp+var_11C]
		call	MiTerminateWsleCluster
		mov	edx, [ebp+var_BC]
		mov	ecx, esi
		add	[edi+4], eax
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	eax, [ebp+var_B4]

loc_49F2EC:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+283j
		lea	ecx, [ebp+var_120]
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	MiLockLowestValidPageTable
		mov	ecx, eax
		mov	eax, [ebp+var_B4]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_BC], ecx
		sub	eax, 40000000h
		cmp	ecx, eax
		jz	short loc_49F347
		mov	edx, ecx
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	eax, [ebp+var_B4]
		xor	ecx, ecx
		and	eax, 0FFFFF000h
		mov	[ebp+var_BC], ecx
		add	eax, 1000h
		mov	[ebp+var_B4], eax
		jmp	loc_49F840
; 

loc_49F347:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+2E9j
		mov	eax, [ebp+var_B4]

loc_49F34D:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+28Aj
		mov	ebx, [eax]
		nop
		mov	esi, [eax+4]
		mov	eax, ebx
		or	eax, esi
		mov	[ebp+var_E8], ebx
		mov	[ebp+var_E4], esi
		jz	loc_49F79E
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	loc_49F5E0
		mov	edx, [ebp+var_B4]
		shl	edx, 9
		mov	[ebp+var_CC], edx
		nop
		mov	eax, ebx
		shrd	eax, esi, 0Ch
		and	eax, 1FFFFFFh
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		cmp	[ebp+arg_8], 0
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+ecx*4]
		mov	[ebp+var_D4], ecx
		jz	short loc_49F402
		call	_MiIsPfnSystemCharged@4	; MiIsPfnSystemCharged(x)
		test	eax, eax
		jz	loc_49F79E
		mov	[ebp+var_124], 0
		lea	esi, [ecx+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_49F3EE

loc_49F3D0:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+3AFj
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+3B6j
		lea	ecx, [ebp+var_124]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_49F3D0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_49F3D0
		mov	ecx, [ebp+var_D4]

loc_49F3EE:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+39Ej
		and	byte ptr [ecx+17h], 0DFh
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		inc	dword ptr [edi+4]
		jmp	loc_49F79E
; 

loc_49F402:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+37Dj
		mov	esi, [ebp+var_C0]
		mov	ecx, esi
		call	MiLocateWsle
		mov	al, [eax]
		mov	[ebp+var_C1], al
		and	al, 0Fh
		mov	[ebp+var_C2], al
		cmp	al, 9
		jnz	loc_49F4E9
		mov	edx, [ebp+var_CC]
		mov	ecx, esi
		call	MiLocateWsle
		mov	ebx, [ebp+var_B4]
		mov	ecx, eax
		mov	al, [ebp+var_C1]
		mov	edx, ebx
		and	al, 0FAh
		or	al, 0Ah
		mov	[ecx], al
		mov	eax, [ebp+var_108]
		push	edi
		or	eax, 10h
		push	eax
		call	_MiDeleteValidSystemPage@16 ; MiDeleteValidSystemPage(x,x,x,x)
		cmp	[ebp+var_128], 0
		jnz	short loc_49F4CF
		lea	ecx, [ebp+var_E8]
		mov	[ebp+var_E8], 0
		mov	[ebp+var_E4], 0
		call	_MiInitializeTbFlushStamps@4 ; MiInitializeTbFlushStamps(x)
		mov	esi, [ebp+var_E8]
		mov	[ebx], esi
		nop
		mov	ecx, [ebp+var_E4]
		mov	[ebx+4], ecx
		mov	ebx, ecx
		mov	eax, dword_6D0704
		mov	edx, dword_6D0700
		mov	[ebp+var_D4], eax
		mov	eax, edx
		or	eax, [ebp+var_D4]
		jz	short loc_49F4C5
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_49F4C5
		mov	ecx, [ebp+var_D4]
		not	ecx
		and	ecx, ebx

loc_49F4C5:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+47Fj
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+489j
		xor	eax, eax
		or	eax, ecx
		jnz	loc_49F5BB

loc_49F4CF:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+431j
		mov	edx, [ebp+var_CC]
		lea	ecx, [ebp+var_B0]
		push	0
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	loc_49F5BB
; 

loc_49F4E9:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+3F1j
		cmp	[ebp+var_FC], 0
		mov	esi, [ebp+var_B4]
		jz	short loc_49F505
		mov	ecx, [ebp+var_C0]
		mov	edx, esi
		call	MI_WSLE_LOG_ACCESS

loc_49F505:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+4C6j
		mov	edx, [ebp+var_C0]
		lea	ecx, [ebp+var_11C]
		push	esi
		call	_MiAppendWsleCluster@12	; MiAppendWsleCluster(x,x,x)
		test	eax, eax
		jnz	short loc_49F53B
		lea	ecx, [ebp+var_11C]
		call	MiTerminateWsleCluster
		mov	edx, [ebp+var_C0]
		lea	ecx, [ebp+var_11C]
		add	[edi+4], eax
		push	esi
		call	_MiAppendWsleCluster@12	; MiAppendWsleCluster(x,x,x)

loc_49F53B:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+4E9j
		mov	ecx, [ebp+var_D4]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_49F5AB
		mov	eax, [ecx+0Ch]
		mov	esi, [ecx+8]
		mov	[ebp+var_D4], eax
		mov	eax, esi
		and	eax, 400h
		or	eax, 0
		jz	short loc_49F5AB
		and	ebx, 200h
		or	ebx, 0
		jnz	short loc_49F5AB
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edx, dword_6D0704
		or	eax, edx
		jz	short loc_49F594
		mov	eax, esi
		and	eax, 10h
		or	eax, ebx
		mov	eax, [ebp+var_D4]
		jnz	short loc_49F59A
		not	edx
		and	eax, edx
		jmp	short loc_49F59A
; 

loc_49F594:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+54Dj
		mov	eax, [ebp+var_D4]

loc_49F59A:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+55Cj
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+562j
		mov	eax, [eax]
		mov	eax, [eax+1Ch]
		and	eax, 820h
		cmp	eax, 820h
		jnz	short loc_49F5AE

loc_49F5AB:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+518j
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+530j ...
		inc	dword ptr [edi+0Ch]

loc_49F5AE:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+579j
		cmp	[ebp+var_C2], 8
		jnz	loc_49F79E

loc_49F5BB:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+499j
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+4B4j
		inc	dword ptr [edi]
		cmp	[ebp+var_DC], 2
		jnz	loc_49F79E
		push	1
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	_MiReturnSystemCharges@12 ; MiReturnSystemCharges(x,x,x)
		jmp	loc_49F79E
; 

loc_49F5E0:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+341j
		mov	eax, ebx
		and	eax, 400h
		or	eax, 0
		jz	loc_49F6D7
		cmp	[ebp+arg_8], 0
		jnz	loc_49F79E
		mov	eax, ebx
		and	eax, 2
		or	eax, 0
		jnz	loc_49F6B9
		push	esi
		push	ebx
		call	_MI_PROTO_FORMAT_COMBINED@8 ; MI_PROTO_FORMAT_COMBINED(x,x)
		test	al, al
		jz	short loc_49F66A
		inc	dword ptr [edi+0Ch]
		mov	edx, esi
		mov	eax, dword_6D0704
		mov	ecx, dword_6D0700
		mov	[ebp+var_CC], eax
		mov	eax, ecx
		or	eax, [ebp+var_CC]
		jz	short loc_49F64B
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_49F649
		mov	esi, [ebp+var_CC]
		not	esi
		and	esi, edx
		jmp	short loc_49F64B
; 

loc_49F649:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+60Bj
		mov	esi, edx

loc_49F64B:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+601j
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+617j
		mov	ebx, dword_6D5C60
		mov	edx, esi
		call	_MiDecrementCombinedPte@8 ; MiDecrementCombinedPte(x,x)
		cmp	eax, 3
		jnz	short loc_49F6BC
		cmp	ebx, offset _MiSystemPartition
		jnz	short loc_49F6BC
		inc	dword ptr [edi+4]
		jmp	short loc_49F6BC
; 

loc_49F66A:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+5E1j
		cmp	[ebp+var_100], 1
		jz	short loc_49F6B9
		mov	eax, dword_6D0704
		mov	edx, esi
		mov	ecx, dword_6D0700
		mov	[ebp+var_CC], eax
		mov	eax, ecx
		or	eax, [ebp+var_CC]
		jz	short loc_49F6A8
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_49F6A6
		mov	esi, [ebp+var_CC]
		not	esi
		and	esi, edx
		jmp	short loc_49F6A8
; 

loc_49F6A6:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+668j
		mov	esi, edx

loc_49F6A8:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+65Ej
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+674j
		mov	ecx, [ebp+var_104]
		mov	edx, esi
		call	MiImageProtoChargedCommit
		test	eax, eax
		jz	short loc_49F6BC

loc_49F6B9:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+5D2j
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+641j
		inc	dword ptr [edi+0Ch]

loc_49F6BC:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+62Bj
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+633j ...
		mov	ecx, [ebp+var_B4]
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		jmp	loc_49F79E
; 

loc_49F6D7:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+5BAj
		mov	eax, ebx
		and	eax, 800h
		or	eax, 0
		jz	short loc_49F762
		mov	ebx, [ebp+var_B4]
		xor	edx, edx
		mov	ecx, ebx
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_49F82E
		nop
		cmp	[ebp+arg_8], 0
		jz	short loc_49F720
		call	_MiIsPfnSystemCharged@4	; MiIsPfnSystemCharged(x)
		test	eax, eax
		jz	short loc_49F713
		and	byte ptr [ecx+17h], 0DFh
		inc	dword ptr [edi+4]

loc_49F713:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+6DAj
		lea	eax, [ecx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	short loc_49F79E
; 

loc_49F720:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+6D1j
		cmp	[ebp+var_108], 0
		jz	short loc_49F74B
		call	_MiIsPfnSystemCharged@4	; MiIsPfnSystemCharged(x)
		test	eax, eax
		jz	short loc_49F74B
		mov	edx, dword_6CF578
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_49F744
		dec	dword ptr [edx+74h]

loc_49F744:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+70Fj
		dec	dword ptr [edx+78h]
		and	byte ptr [ecx+17h], 0DFh

loc_49F74B:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+6F7j
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+700j
		push	1
		mov	edx, ecx
		mov	ecx, ebx
		push	21h
		call	MiDeleteTransitionPte
		cmp	eax, 3
		jnz	short loc_49F79B
		inc	dword ptr [edi+4]
		jmp	short loc_49F79B
; 

loc_49F762:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+6B1j
		cmp	[ebp+arg_8], 0
		jnz	short loc_49F79E
		mov	eax, ebx
		and	eax, 3E0h
		or	eax, 0
		jz	short loc_49F79E
		push	esi
		push	ebx
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		mov	ecx, [ebp+var_B4]
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax

loc_49F79B:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+72Bj
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+730j
		inc	dword ptr [edi+0Ch]

loc_49F79E:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+333j
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+386j ...
		mov	eax, [ebp+var_B4]
		mov	esi, [ebp+var_C0]
		add	eax, 8
		mov	[ebp+var_B4], eax
		cmp	eax, [ebp+var_E0]
		jz	short loc_49F83A
		test	al, 78h
		jnz	short loc_49F83A
		mov	ecx, esi
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		mov	ebx, [ebp+var_BC]
		test	eax, eax
		jnz	short loc_49F7E4
		mov	edx, ebx
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jnz	short loc_49F7E4
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_49F834

loc_49F7E4:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+79Ej
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+7A9j
		lea	ecx, [ebp+var_B0]
		call	MiFlushTbList
		lea	ecx, [ebp+var_11C]
		call	MiTerminateWsleCluster
		add	[edi+4], eax
		mov	edx, ebx
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [ebp+var_B5]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	ecx, esi
		mov	[ebp+var_BC], 0
		call	MiLockWorkingSetShared
		mov	eax, [ebp+var_B4]
		xor	ecx, ecx
		jmp	short loc_49F840
; 

loc_49F82E:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+6C6j
		mov	esi, [ebp+var_C0]

loc_49F834:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+7B2j
		mov	eax, [ebp+var_B4]

loc_49F83A:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+789j
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+78Dj
		mov	ecx, [ebp+var_BC]

loc_49F840:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+312j
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+7FCj
		cmp	eax, [ebp+var_E0]
		jb	loc_49F2B1

loc_49F84C:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+279j
		lea	ecx, [ebp+var_B0]
		call	MiFlushTbList
		mov	ebx, [ebp+var_BC]
		test	ebx, ebx
		jz	short loc_49F878
		lea	ecx, [ebp+var_11C]
		call	MiTerminateWsleCluster
		add	[edi+4], eax
		mov	edx, ebx
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_49F878:				; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+82Fj
		mov	dl, [ebp+var_B5]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_MiDeleteSystemPagableVm@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiEmptyPte(x, x, x)
_MiEmptyPte@12	proc near		; DATA XREF: MiEmptyWorkingSetInitiate(x,x,x,x)+90o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	edx, [esi+48h]
		mov	eax, [edx]
		test	al, 2
		jz	short loc_49F8DE
		cmp	[ebp+arg_8], 0
		jnz	short loc_49F8FA
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_49F8FA
		mov	eax, [edx]
		jmp	short loc_49F8E8
; 

loc_49F8DE:				; CODE XREF: MiEmptyPte(x,x,x)+17j
		test	al, 1
		jz	short loc_49F8E8
		cmp	[ebp+arg_8], 0
		jnz	short loc_49F8FA

loc_49F8E8:				; CODE XREF: MiEmptyPte(x,x,x)+44j
					; MiEmptyPte(x,x,x)+48j
		mov	ecx, [esi+10h]
		and	eax, 4
		push	eax
		lea	eax, [edx+4]
		mov	edx, edi
		push	eax
		call	_MiEmptyWorkingSetHelper@16 ; MiEmptyWorkingSetHelper(x,x,x,x)

loc_49F8FA:				; CODE XREF: MiEmptyPte(x,x,x)+1Dj
					; MiEmptyPte(x,x,x)+40j ...
		pop	edi
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MiEmptyPte@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtUnlockVirtualMemory(x, x,	x, x)
_NtUnlockVirtualMemory@16 proc near	; DATA XREF: .text:00580BDCo

var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_CD		= byte ptr -0CDh
var_CC		= dword	ptr -0CCh
var_C8		= word ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1B78
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0FCh
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_108], ebx
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_104], edi
		mov	[ebp+var_DC], 0
		mov	[ebp+var_F0], 0
		mov	[ebp+var_E4], 0
		xor	eax, eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		push	98h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_CC]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_E4]
		push	eax
		lea	eax, [ebp+var_DC]
		push	eax
		lea	eax, [ebp+var_F0]
		push	eax
		push	[ebp+arg_C]
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	MiLockUnlockCommon
		mov	[ebp+var_EC], eax
		test	eax, eax
		js	loc_49FDDF
		mov	[ebp+var_F4], 0
		mov	[ebp+var_D8], 0
		mov	edi, [ebp+var_DC]
		dec	edi
		add	edi, [ebp+var_F0]
		and	edi, 0FFFFF000h
		mov	[ebp+var_E8], edi
		mov	eax, [ebp+var_F0]
		and	eax, 0FFFFF000h
		mov	[ebp+var_100], eax
		mov	ebx, eax
		cmp	esi, 0FFFFFFFFh
		jz	short loc_49FA36
		lea	eax, [ebp+var_34]
		push	eax
		mov	esi, [ebp+var_E4]
		push	esi
		call	KeStackAttachProcess
		mov	[ebp+var_D8], 2

loc_49FA36:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+10Aj
		mov	[ebp+var_CC], 1
		mov	[ebp+var_C8], 4
		mov	[ebp+var_BC], 0
		mov	[ebp+var_C4], 21h
		mov	[ebp+var_B8], 0
		xor	esi, esi
		push	esi
		push	edi
		mov	edx, ebx
		mov	edi, [ebp+var_E4]
		mov	ecx, edi
		call	MiLockVadRange
		mov	[ebp+var_FC], eax
		test	eax, eax
		jz	loc_49FDAC
		mov	[ebp+var_D4], esi
		add	edi, 240h
		mov	ecx, edi
		call	MiLockWorkingSetShared
		mov	[ebp+var_CD], al
		cmp	ebx, [ebp+var_E8]
		ja	loc_49FD5A
		lea	ecx, [ecx+0]

loc_49FAB0:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+444j
		mov	ecx, ebx
		shr	ecx, 0Ch
		inc	ecx
		test	cl, 0Fh
		jnz	short loc_49FB2D
		mov	ecx, edi
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_49FAE4
		mov	eax, [ebp+var_D4]
		test	eax, eax
		jz	short loc_49FADB
		mov	edx, eax
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jnz	short loc_49FAE4

loc_49FADB:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+1BEj
		call	_MiShouldYieldProcessor@0 ; MiShouldYieldProcessor()
		test	eax, eax
		jz	short loc_49FB2D

loc_49FAE4:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+1B4j
					; NtUnlockVirtualMemory(x,x,x,x)+1C9j
		cmp	[ebp+var_C0], 0
		jz	short loc_49FAFC
		push	0
		lea	edx, [ebp+var_CC]
		mov	ecx, edi
		call	MiFreeWsleList

loc_49FAFC:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+1DBj
		mov	eax, [ebp+var_D4]
		test	eax, eax
		jz	short loc_49FB19
		mov	edx, eax
		mov	ecx, edi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		mov	[ebp+var_D4], 0

loc_49FB19:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+1F4j
		mov	dl, [ebp+var_CD]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	ecx, edi
		call	MiLockWorkingSetShared

loc_49FB2D:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+1A9j
					; NtUnlockVirtualMemory(x,x,x,x)+1D2j
		cmp	ebx, [ebp+var_F4]
		ja	short loc_49FB3D
		test	esi, esi
		jnz	loc_49FBC2

loc_49FB3D:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+223j
		test	esi, esi
		jnz	short loc_49FB4C
		mov	ecx, ebx
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	esi, eax
		jmp	short loc_49FB82
; 

loc_49FB4C:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+22Fj
		mov	ecx, esi
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_49FB6C
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_49FB82
		lea	ecx, [ecx+0]

loc_49FB60:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+258j
		mov	esi, ecx
		mov	eax, [ecx]
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_49FB60
		jmp	short loc_49FB82
; 

loc_49FB6C:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+243j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	short loc_49FB82

loc_49FB74:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+270j
		cmp	[esi], ecx
		jz	short loc_49FB82
		mov	ecx, esi
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_49FB74

loc_49FB82:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+23Aj
					; NtUnlockVirtualMemory(x,x,x,x)+24Bj ...
		mov	eax, [ebp+var_D8]
		and	eax, 0FFFFFFFBh
		mov	[ebp+var_D8], eax
		mov	ecx, [esi+1Ch]
		and	cl, 70h
		cmp	cl, 40h
		jnz	short loc_49FBA7
		or	eax, 4
		mov	[ebp+var_D8], eax
		jmp	short loc_49FBB6
; 

loc_49FBA7:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+28Aj
		mov	ecx, esi
		call	_MiVadPagesTradable@4 ;	MiVadPagesTradable(x)
		test	eax, eax
		jz	loc_49FD5A

loc_49FBB6:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+295j
		mov	eax, [esi+10h]
		shl	eax, 0Ch
		mov	[ebp+var_F4], eax

loc_49FBC2:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+227j
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_DC], eax
		mov	ecx, ebx
		shr	ecx, 12h
		and	ecx, 3FF8h
		add	ecx, 0C0600000h
		mov	[ebp+var_E0], ecx
		mov	eax, [ebp+var_D4]
		cmp	eax, ecx
		jz	short loc_49FC73
		test	eax, eax
		jz	short loc_49FC23
		cmp	[ebp+var_C0], 0
		jz	short loc_49FC1A
		push	0
		lea	edx, [ebp+var_CC]
		mov	ecx, edi
		call	MiFreeWsleList
		mov	eax, [ebp+var_D4]

loc_49FC1A:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+2F3j
		mov	edx, eax
		mov	ecx, edi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)

loc_49FC23:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+2EAj
		lea	eax, [ebp+var_F8]
		push	eax
		mov	edx, [ebp+var_DC]
		mov	ecx, edi
		call	MiLockLowestValidPageTable
		mov	[ebp+var_D4], eax
		cmp	eax, [ebp+var_E0]
		jz	short loc_49FC73
		mov	edx, eax
		mov	ecx, edi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		mov	[ebp+var_D4], 0
		mov	ebx, [ebp+var_E0]
		lea	ebx, [ebx+8]
		shl	ebx, 12h
		mov	[ebp+var_EC], 0C000002Ah
		jmp	loc_49FD4E
; 

loc_49FC73:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+2E6j
					; NtUnlockVirtualMemory(x,x,x,x)+333j
		mov	ecx, [ebp+var_DC]
		call	_MI_READ_PTE_LOCK_FREE@4 ; MI_READ_PTE_LOCK_FREE(x)
		mov	ecx, eax
		and	ecx, 1
		or	ecx, 0
		jz	loc_49FD3E
		nop
		shrd	eax, edx, 0Ch
		and	eax, 1FFFFFFh
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_E0], eax
		mov	ecx, [eax+4]
		or	ecx, 80000000h
		mov	[ebp+var_F8], ecx
		test	byte ptr [ebp+var_D8], 4
		jz	short loc_49FCE1
		mov	ecx, [ebp+var_DC]
		call	_MiRotatedToFrameBuffer@4 ; MiRotatedToFrameBuffer(x)
		cmp	eax, 1
		jz	short loc_49FD48
		mov	eax, [ebp+var_E0]
		mov	ecx, [ebp+var_F8]

loc_49FCE1:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+3B3j
		test	dword ptr [eax+18h], 800000h
		jnz	short loc_49FD01
		mov	eax, [eax+4]
		test	eax, eax
		js	short loc_49FD01
		jz	short loc_49FD01
		push	ecx
		mov	edx, [ebp+var_DC]
		mov	ecx, edi
		call	_MiDemoteCombinedPte@12	; MiDemoteCombinedPte(x,x,x)

loc_49FD01:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+3D8j
					; NtUnlockVirtualMemory(x,x,x,x)+3DFj ...
		mov	edx, ebx
		mov	ecx, edi
		call	MiGetWsleContents
		and	al, 0Fh
		cmp	al, 8
		jz	short loc_49FD48
		push	0
		push	1
		mov	edx, ebx
		lea	ecx, [ebp+var_CC]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	eax, [ebp+var_C0]
		cmp	eax, [ebp+var_C4]
		jnz	short loc_49FD3E
		push	0
		lea	edx, [ebp+var_CC]
		mov	ecx, edi
		call	MiFreeWsleList

loc_49FD3E:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+376j
					; NtUnlockVirtualMemory(x,x,x,x)+41Dj
		mov	[ebp+var_EC], 0C000002Ah

loc_49FD48:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+3C3j
					; NtUnlockVirtualMemory(x,x,x,x)+3FEj
		add	ebx, 1000h

loc_49FD4E:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+35Ej
		cmp	ebx, [ebp+var_E8]
		jbe	loc_49FAB0

loc_49FD5A:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+197j
					; NtUnlockVirtualMemory(x,x,x,x)+2A0j
		cmp	[ebp+var_C0], 0
		jz	short loc_49FD72
		push	0
		lea	edx, [ebp+var_CC]
		mov	ecx, edi
		call	MiFreeWsleList

loc_49FD72:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+451j
		mov	ebx, [ebp+var_D4]
		test	ebx, ebx
		jz	short loc_49FD87
		mov	edx, ebx
		mov	ecx, edi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		xor	ebx, ebx

loc_49FD87:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+46Aj
		cmp	[ebp+var_EC], 0C000002Ah
		jnz	short loc_49FDFD
		mov	dl, [ebp+var_CD]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	edi, [ebp+var_E4]
		mov	eax, [ebp+var_FC]

loc_49FDAC:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+172j
		push	0
		push	eax
		mov	edx, [ebp+var_F0]
		mov	ecx, edi
		call	_MiUnlockVadRange@16 ; MiUnlockVadRange(x,x,x,x)
		test	byte ptr [ebp+var_D8], 2
		jz	short loc_49FDCE
		lea	eax, [ebp+var_34]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)

loc_49FDCE:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+4B3j
		mov	edx, 6D566D4Dh
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C000002Ah

loc_49FDDF:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+C1j
					; NtUnlockVirtualMemory(x,x,x,x)+6D5j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_49FDFD:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+481j
		mov	ecx, [ebp+var_100]
		mov	[ebp+var_D4], ecx
		xor	edx, edx
		mov	[ebp+var_E0], edx
		xor	esi, esi
		cmp	ecx, [ebp+var_E8]
		ja	loc_49FF59
		nop

loc_49FE20:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+643j
		cmp	ecx, edx
		ja	short loc_49FE28
		test	esi, esi
		jnz	short loc_49FE8F

loc_49FE28:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+512j
		test	esi, esi
		jnz	short loc_49FE35
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	esi, eax
		jmp	short loc_49FE6E
; 

loc_49FE35:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+51Aj
		mov	ecx, esi
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_49FE52
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_49FE6E

loc_49FE46:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+53Ej
		mov	esi, ecx
		mov	eax, [ecx]
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_49FE46
		jmp	short loc_49FE6E
; 

loc_49FE52:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+52Cj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	short loc_49FE6E
		lea	ebx, [ebx+0]

loc_49FE60:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+55Cj
		cmp	[esi], ecx
		jz	short loc_49FE6E
		mov	ecx, esi
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_49FE60

loc_49FE6E:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+523j
					; NtUnlockVirtualMemory(x,x,x,x)+534j ...
		mov	ecx, esi
		call	_MiVadPagesTradable@4 ;	MiVadPagesTradable(x)
		test	eax, eax
		jz	loc_49FF59
		mov	edx, [esi+10h]
		shl	edx, 0Ch
		mov	[ebp+var_E0], edx
		mov	ecx, [ebp+var_D4]

loc_49FE8F:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+516j
		mov	eax, ecx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_F4], eax
		mov	eax, ecx
		shr	eax, 12h
		and	eax, 3FF8h
		sub	eax, 3FA00000h
		cmp	ebx, eax
		jz	short loc_49FEE0
		test	ebx, ebx
		jz	short loc_49FEC4
		mov	edx, ebx
		mov	ecx, edi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)

loc_49FEC4:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+5A9j
		lea	eax, [ebp+var_F8]
		push	eax
		mov	edx, [ebp+var_F4]
		mov	ecx, edi
		call	MiLockLowestValidPageTable
		mov	ebx, eax
		mov	ecx, [ebp+var_D4]

loc_49FEE0:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+5A5j
		mov	edx, ecx
		mov	ecx, edi
		call	_MiUnlockVa@8	; MiUnlockVa(x,x)
		mov	ecx, [ebp+var_D4]
		add	ecx, 1000h
		mov	[ebp+var_D4], ecx
		test	ecx, 0F000h
		jnz	short loc_49FF47
		mov	ecx, edi
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_49FF22
		mov	edx, ebx
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jnz	short loc_49FF22
		call	_MiShouldYieldProcessor@0 ; MiShouldYieldProcessor()
		test	eax, eax
		jz	short loc_49FF41

loc_49FF22:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+5FCj
					; NtUnlockVirtualMemory(x,x,x,x)+607j
		mov	edx, ebx
		mov	ecx, edi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		xor	ebx, ebx
		mov	dl, [ebp+var_CD]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	ecx, edi
		call	MiLockWorkingSetShared

loc_49FF41:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+610j
		mov	ecx, [ebp+var_D4]

loc_49FF47:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+5F1j
		cmp	ecx, [ebp+var_E8]
		mov	edx, [ebp+var_E0]
		jbe	loc_49FE20

loc_49FF59:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+509j
					; NtUnlockVirtualMemory(x,x,x,x)+567j
		test	ebx, ebx
		jz	short loc_49FF66
		mov	edx, ebx
		mov	ecx, edi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)

loc_49FF66:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+64Bj
		mov	dl, [ebp+var_CD]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		push	0
		push	[ebp+var_FC]
		mov	ebx, [ebp+var_F0]
		mov	edx, ebx
		mov	esi, [ebp+var_E4]
		mov	ecx, esi
		call	_MiUnlockVadRange@16 ; MiUnlockVadRange(x,x,x,x)
		test	byte ptr [ebp+var_D8], 2
		jz	short loc_49FFA2
		lea	eax, [ebp+var_34]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)

loc_49FFA2:				; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+687j
		mov	edx, 6D566D4Dh
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	[ebp+var_4], 0
		mov	eax, [ebp+var_E8]
		sub	eax, [ebp+var_100]
		add	eax, 1000h
		mov	ecx, [ebp+var_104]
		mov	[ecx], eax
		and	ebx, 0FFFFF000h
		mov	eax, [ebp+var_108]
		mov	[eax], ebx
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	eax, eax
		jmp	loc_49FDDF
_NtUnlockVirtualMemory@16 endp


;  S U B	R O U T	I N E 


sub_49FFEA	proc near		; DATA XREF: .text:006A1B8Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-10Ch], eax
		mov	eax, 1
		retn
sub_49FFEA	endp


;  S U B	R O U T	I N E 


sub_49FFFD	proc near		; DATA XREF: .text:006A1B90o
		mov	esp, [ebp-18h]

loc_4A0000:				; DATA XREF: .text:0041AFD0o
					; .text:00424A3Co ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-10Ch]
		jmp	loc_49FDDF
sub_49FFFD	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiEmptyWorkingSetHelper(x, x, x, x)
_MiEmptyWorkingSetHelper@16 proc near	; CODE XREF: MiEmptyPte(x,x,x)+5Dp
					; MiUpdateOldPteWorker+33p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	esi, [edx]
		mov	ebx, edx
		push	edi
		mov	[ebp+var_4], edx
		mov	edi, ecx
		shl	ebx, 9
		nop
		mov	eax, [edx+4]
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], eax
		nop
		shrd	esi, eax, 0Ch
		xor	eax, eax
		and	esi, 1FFFFFFh

loc_4A0048:				; DATA XREF: .text:_MiMemoryEventNameso
		inc	eax
		imul	esi, 1Ch
		add	esi, ds:_MmPfnDatabase
		cmp	ebx, 0C0000000h
		jnb	short loc_4A00C3

loc_4A005A:				; CODE XREF: MiEmptyWorkingSetHelper(x,x,x,x)+B7j
					; MiEmptyWorkingSetHelper(x,x,x,x)+BBj
		lea	ecx, [ebp+var_10]
		push	ecx
		push	eax
		push	esi
		mov	ecx, edi
		call	_MiWalkVaCheckCommon@20	; MiWalkVaCheckCommon(x,x,x,x,x)
		test	eax, eax
		jz	short loc_4A00BF
		xor	eax, eax
		inc	eax
		cmp	[esi+14h], ax
		ja	short loc_4A00B9

loc_4A0074:				; CODE XREF: MiEmptyWorkingSetHelper(x,x,x,x)+ABj
		cmp	dword_6D3154, 0
		jz	short loc_4A008A
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		call	MI_WSLE_LOG_ACCESS
		xor	eax, eax
		inc	eax

loc_4A008A:				; CODE XREF: MiEmptyWorkingSetHelper(x,x,x,x)+69j
		mov	esi, [ebp+arg_0]
		mov	edx, ebx
		push	0
		push	eax
		mov	ecx, esi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	ecx, [esi+0Ch]
		cmp	ecx, [esi+8]
		jz	short loc_4A00AB

loc_4A00A1:				; CODE XREF: MiEmptyWorkingSetHelper(x,x,x,x)+A5j
		xor	eax, eax
		inc	eax

loc_4A00A4:				; CODE XREF: MiEmptyWorkingSetHelper(x,x,x,x)+AFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4A00AB:				; CODE XREF: MiEmptyWorkingSetHelper(x,x,x,x)+8Dj
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		call	MiFreeWsleList
		jmp	short loc_4A00A1
; 

loc_4A00B9:				; CODE XREF: MiEmptyWorkingSetHelper(x,x,x,x)+60j
		test	byte ptr [edi+60h], 7
		jz	short loc_4A0074

loc_4A00BF:				; CODE XREF: MiEmptyWorkingSetHelper(x,x,x,x)+57j
		xor	eax, eax
		jmp	short loc_4A00A4
; 

loc_4A00C3:				; CODE XREF: MiEmptyWorkingSetHelper(x,x,x,x)+46j
		cmp	ebx, 0C07FFFFFh
		ja	short loc_4A005A
		xor	eax, eax
		jmp	short loc_4A005A
_MiEmptyWorkingSetHelper@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWalkVaCheckCommon(x, x, x, x, x)
_MiWalkVaCheckCommon@20	proc near	; CODE XREF: MiEmptyWorkingSetHelper(x,x,x,x)+50p
					; MiSimpleAgePte(x,x,x)+54p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		jnz	short loc_4A00FF
		mov	eax, [esi+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	short loc_4A00FB
		call	_MiIsPageTableLocked@8 ; MiIsPageTableLocked(x,x)
		test	eax, eax
		jz	short loc_4A00FF

loc_4A00FB:				; CODE XREF: MiWalkVaCheckCommon(x,x,x,x,x)+20j
		xor	eax, eax
		jmp	short loc_4A0136
; 

loc_4A00FF:				; CODE XREF: MiWalkVaCheckCommon(x,x,x,x,x)+13j
					; MiWalkVaCheckCommon(x,x,x,x,x)+29j
		test	dword ptr [esi+18h], 800000h
		jnz	short loc_4A0133
		mov	eax, [esi+4]
		test	eax, eax
		js	short loc_4A0133
		jz	short loc_4A0133
		or	eax, 80000000h
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_MiDemoteCombinedPte@12	; MiDemoteCombinedPte(x,x,x)
		cmp	eax, 1
		jnz	short loc_4A0133
		mov	edx, [edi]
		nop
		mov	ecx, [ebp+arg_8]
		mov	esi, [edi+4]
		mov	[ecx], edx
		mov	[ecx+4], esi

loc_4A0133:				; CODE XREF: MiWalkVaCheckCommon(x,x,x,x,x)+36j
					; MiWalkVaCheckCommon(x,x,x,x,x)+3Dj ...
		xor	eax, eax
		inc	eax

loc_4A0136:				; CODE XREF: MiWalkVaCheckCommon(x,x,x,x,x)+2Dj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_MiWalkVaCheckCommon@20	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRemoveMappedPtes proc	near		; CODE XREF: MiRemoveFromSystemSpace+285p

var_44		= dword	ptr -44h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005BD3A3 SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ecx
		mov	[ebp+var_8], edx
		push	ebx
		mov	[ebp+var_10], eax
		push	esi
		mov	ecx, [eax+20h]
		mov	esi, [eax+18h]
		mov	ebx, [eax+34h]
		xor	eax, eax
		push	edi
		mov	[ebp+var_14], ecx
		lea	edi, [ebp+var_44]
		mov	ecx, [ecx]
		stosd
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		shr	esi, 0Ch
		sub	ebx, 40000000h
		mov	[ebp+var_30], 0
		stosd
		mov	[ebp+var_2C], 0
		mov	[ebp+var_18], ecx
		mov	[ebp+var_C], 0
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_10]
		xor	edi, edi
		test	dword ptr [ecx+1Ch], 420h
		mov	eax, [eax+24h]
		mov	[ebp+var_24], eax
		jnz	loc_4A03B1
		mov	eax, [ebp+var_10]
		lea	edx, [ebp+var_30]
		mov	ecx, [eax+10h]
		mov	eax, [eax+14h]
		shld	eax, ecx, 0Ch
		shl	ecx, 0Ch
		push	eax
		push	ecx
		mov	ecx, [ebp+var_18]
		call	MiOffsetToProtos
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		mov	[ebp+var_14], eax
		xor	eax, eax
		add	ecx, [ebp+var_30]
		mov	[ebp+var_20], ecx
		adc	eax, [ebp+var_2C]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_24]

loc_4A01E3:				; CODE XREF: MiRemoveMappedPtes+277j
		and	al, 18h
		cmp	al, 10h
		jnz	loc_4A0283
		mov	ecx, edx
		call	MiLockWorkingSetShared
		mov	[ebp+var_1], al
		test	esi, esi
		jz	short loc_4A025F
		jmp	short loc_4A0200
; 
		align 10h

loc_4A0200:				; CODE XREF: MiRemoveMappedPtes+BBj
					; MiRemoveMappedPtes+11Dj
		test	edi, edi
		jz	loc_4A0356
		test	ebx, 0FFFh
		jz	loc_4A0356

loc_4A0214:				; CODE XREF: MiRemoveMappedPtes+242j
		mov	ecx, [ebx]
		nop
		mov	edx, [ebx+4]
		mov	eax, ecx
		or	eax, edx
		jz	short loc_4A024E
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	loc_4A02DF
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jz	loc_5BD3A3

loc_4A023E:				; CODE XREF: MiRemoveMappedPtes+11D282j
					; MiRemoveMappedPtes+11D28Bj ...
		mov	eax, ds:_ZeroPte
		mov	[ebx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ebx+4], eax

loc_4A024E:				; CODE XREF: MiRemoveMappedPtes+DEj
					; MiRemoveMappedPtes+1BEj
		add	ebx, 8
		dec	esi
		test	bl, 78h
		jz	loc_4A0303

loc_4A025B:				; CODE XREF: MiRemoveMappedPtes+1E1j
					; MiRemoveMappedPtes+211j ...
		test	esi, esi
		jnz	short loc_4A0200

loc_4A025F:				; CODE XREF: MiRemoveMappedPtes+B9j
		lea	ecx, [ebp+var_44]
		call	MiTerminateWsleCluster
		add	[ebp+var_C], eax
		test	edi, edi
		jz	short loc_4A0278
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4A0278:				; CODE XREF: MiRemoveMappedPtes+12Cj
		mov	dl, [ebp+var_1]
		mov	ecx, [ebp+var_8]
		call	MiUnlockWorkingSetShared

loc_4A0283:				; CODE XREF: MiRemoveMappedPtes+A7j
		mov	esi, [ebp+var_18]
		mov	eax, [esi+1Ch]
		test	al, 20h
		jnz	loc_4A0387
		test	eax, 400h
		jnz	loc_4A0387
		mov	edi, [ebp+var_10]

loc_4A029F:				; CODE XREF: MiRemoveMappedPtes+25Fj
					; MiRemoveMappedPtes+26Cj
		lea	eax, [esi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_4A02BE
		push	[ebp+var_1C]
		mov	ecx, eax
		push	[ebp+var_20]
		call	_MiRemoveViewsFromSection@16 ; MiRemoveViewsFromSection(x,x,x,x)

loc_4A02BE:				; CODE XREF: MiRemoveMappedPtes+16Fj
		dec	dword ptr [esi+18h]
		mov	dl, bl
		dec	dword ptr [esi+14h]
		mov	ecx, esi
		call	MiCheckControlArea
		mov	edx, [edi+1Ch]
		test	edx, edx
		jnz	loc_4A03BC

loc_4A02D8:				; CODE XREF: MiRemoveMappedPtes+285j
					; MiRemoveMappedPtes+295j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4A02DF:				; CODE XREF: MiRemoveMappedPtes+E8j
		cmp	dword_6D3154, 0
		jz	short loc_4A02F2
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	MI_WSLE_LOG_ACCESS

loc_4A02F2:				; CODE XREF: MiRemoveMappedPtes+1A6j
		mov	edx, [ebp+var_8]
		lea	ecx, [ebp+var_44]
		push	ebx
		call	_MiAppendWsleCluster@12	; MiAppendWsleCluster(x,x,x)
		jmp	loc_4A024E
; 

loc_4A0303:				; CODE XREF: MiRemoveMappedPtes+115j
		mov	ecx, [ebp+var_8]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_4A0327
		mov	edx, edi
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jnz	short loc_4A0327
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	loc_4A025B

loc_4A0327:				; CODE XREF: MiRemoveMappedPtes+1CDj
					; MiRemoveMappedPtes+1D8j
		lea	ecx, [ebp+var_44]
		call	MiTerminateWsleCluster
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		add	[ebp+var_C], eax
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, [ebp+var_8]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_8]
		xor	edi, edi
		call	MiLockWorkingSetShared
		jmp	loc_4A025B
; 

loc_4A0356:				; CODE XREF: MiRemoveMappedPtes+C2j
					; MiRemoveMappedPtes+CEj
		lea	ecx, [ebp+var_44]
		call	MiTerminateWsleCluster
		add	[ebp+var_C], eax
		test	edi, edi
		jnz	short loc_4A03DA

loc_4A0365:				; CODE XREF: MiRemoveMappedPtes+2A4j
		mov	ecx, [ebp+var_8]
		mov	edi, ebx
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		push	0
		mov	edx, edi
		call	MiLockPageTableInternal
		jmp	loc_4A0214
; 

loc_4A0387:				; CODE XREF: MiRemoveMappedPtes+14Bj
					; MiRemoveMappedPtes+156j
		mov	edi, [ebp+var_10]
		mov	[ebp+var_14], 0
		test	byte ptr [edi+24h], 4
		setnz	cl
		test	al, 20h
		setnz	al
		test	cl, al
		jz	loc_4A029F
		mov	ecx, esi
		call	_MiReturnCrossPartitionControlAreaCharges@4 ; MiReturnCrossPartitionControlAreaCharges(x)
		jmp	loc_4A029F
; 

loc_4A03B1:				; CODE XREF: MiRemoveMappedPtes+67j
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		jmp	loc_4A01E3
; 

loc_4A03BC:				; CODE XREF: MiRemoveMappedPtes+192j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_4A03E9

loc_4A03C3:				; CODE XREF: MiRemoveMappedPtes+2ABj
		test	edx, edx
		jz	loc_4A02D8
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		jmp	loc_4A02D8
; 

loc_4A03DA:				; CODE XREF: MiRemoveMappedPtes+223j
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	loc_4A0365
; 

loc_4A03E9:				; CODE XREF: MiRemoveMappedPtes+281j
		sub	edx, eax
		jmp	short loc_4A03C3
MiRemoveMappedPtes endp

; 
		align 2

;  S U B	R O U T	I N E 


MI_WSLE_LOG_ACCESS proc	near		; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+4D0p
					; MiEmptyWorkingSetHelper(x,x,x,x)+70p	...

; FUNCTION CHUNK AT 005BD3E6 SIZE 0000001E BYTES

		mov	edi, edi
		push	esi
		mov	esi, edx
		shl	esi, 9
		push	edi
		mov	edi, ecx
		cmp	esi, 0C0000000h
		jnb	short loc_4A0431

loc_4A0401:				; CODE XREF: MI_WSLE_LOG_ACCESS+49j
		movzx	eax, byte ptr [edi+60h]
		mov	ecx, esi
		and	eax, 7
		shr	ecx, 0Ch
		add	ecx, dword_6D2E68[eax*4]
		mov	al, [ecx]
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_5BD3E6
		cmp	al, 7
		jz	short loc_4A042E

loc_4A0424:				; CODE XREF: MI_WSLE_LOG_ACCESS+4Bj
		mov	eax, [edx]
		and	eax, 20h
		or	eax, 0
		jnz	short loc_4A043B

loc_4A042E:				; CODE XREF: MI_WSLE_LOG_ACCESS+34j
		pop	edi
		pop	esi
		retn
; 

loc_4A0431:				; CODE XREF: MI_WSLE_LOG_ACCESS+11j
		cmp	esi, 0C07FFFFFh
		ja	short loc_4A0401
		jmp	short loc_4A0424
; 

loc_4A043B:				; CODE XREF: MI_WSLE_LOG_ACCESS+3Ej
		mov	ecx, edi
		pop	edi
		pop	esi
		jmp	_MiLogPageAccess@8 ; MiLogPageAccess(x,x)
MI_WSLE_LOG_ACCESS endp


;  S U B	R O U T	I N E 


; __stdcall MiWorkingSetIsContended(x)
_MiWorkingSetIsContended@4 proc	near	; CODE XREF: MiFillPoolCommitPageTable+110p
					; .text:00451249p ...
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_4A0458
		lea	eax, [ecx+80h]

loc_4A0458:				; CODE XREF: MiWorkingSetIsContended(x)+Cj
		mov	eax, [eax]
		shr	eax, 1Eh
		and	eax, 1
		retn
_MiWorkingSetIsContended@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPageTableLockIsContended(x, x)
_MiPageTableLockIsContended@8 proc near	; CODE XREF: .text:00464D0Ep
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+7A2p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		call	MiGetPageTableLockBuffer
		mov	eax, [eax]
		mov	ecx, [ebp+var_4]
		shr	eax, cl
		movzx	eax, al
		shr	eax, 1
		and	eax, 1
		leave
		retn
_MiPageTableLockIsContended@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiVadPagesTradable(x)
_MiVadPagesTradable@4 proc near		; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+299p
					; NtUnlockVirtualMemory(x,x,x,x)+560p ...
		mov	eax, [ecx+1Ch]
		mov	edx, eax
		and	edx, 100000h
		test	al, 70h
		jnz	short loc_4A04AF
		test	edx, edx
		jz	short loc_4A04C6
		test	eax, 400000h
		jnz	short loc_4A04AC
		and	eax, 0C0000h
		cmp	eax, 80000h
		jb	short loc_4A04C6

loc_4A04AC:				; CODE XREF: MiVadPagesTradable(x)+18j
					; MiVadPagesTradable(x)+35j ...
		xor	eax, eax
		retn
; 

loc_4A04AF:				; CODE XREF: MiVadPagesTradable(x)+Dj
		test	edx, edx
		jnz	short loc_4A04BD
		mov	eax, [ecx+28h]
		test	eax, 1000000h
		jnz	short loc_4A04AC

loc_4A04BD:				; CODE XREF: MiVadPagesTradable(x)+2Bj
		mov	eax, [ecx+1Ch]
		and	al, 70h
		cmp	al, 20h
		jnz	short loc_4A04AC

loc_4A04C6:				; CODE XREF: MiVadPagesTradable(x)+11j
					; MiVadPagesTradable(x)+24j
		xor	eax, eax
		inc	eax
		retn
_MiVadPagesTradable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReferenceDataSubsections(x, x, x,	x, x)
_MiReferenceDataSubsections@20 proc near ; CODE	XREF: MiInsertInSystemSpace+138p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, [ebp+arg_8]
		and	[esp+0Ch+var_8], 0
		and	[esp+0Ch+var_4], 0
		push	esi
		push	dword ptr [edx+4]
		mov	dword ptr [eax], 2
		push	dword ptr [edx]
		lea	edx, [esp+18h+var_8]
		call	MiOffsetToProtos
		mov	esi, eax
		test	esi, esi
		jz	short loc_4A052A
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		neg	edx
		sbb	edx, edx
		xor	eax, eax
		and	edx, 0FFFFFF80h
		add	edx, 108h
		add	ecx, [esp+10h+var_8]
		adc	eax, [esp+10h+var_4]
		push	eax
		push	ecx
		mov	ecx, esi
		call	MiAddViewsForSection

loc_4A0523:				; CODE XREF: MiReferenceDataSubsections(x,x,x,x,x)+65j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4A052A:				; CODE XREF: MiReferenceDataSubsections(x,x,x,x,x)+31j
		mov	eax, 0C000001Fh
		jmp	short loc_4A0523
_MiReferenceDataSubsections@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUpdateWsleAge	proc near		; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+261p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		mov	edi, esi
		shl	edi, 9
		mov	edx, edi
		call	MiGetVaAge
		mov	ecx, [ebp+arg_0]
		cmp	cl, al
		jz	short loc_4A056E
		cmp	al, 8
		jnb	short loc_4A056E
		cmp	cl, 7
		jnz	short loc_4A0575

loc_4A055A:				; CODE XREF: MiUpdateWsleAge+47j
		test	cl, cl
		jz	loc_5BD3F6

loc_4A0562:				; CODE XREF: MI_WSLE_LOG_ACCESS+11D011j
		push	ecx
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	MiSetVaAgeList

loc_4A056E:				; CODE XREF: MiUpdateWsleAge+1Dj
					; MiUpdateWsleAge+21j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4A0575:				; CODE XREF: MiUpdateWsleAge+26j
		cmp	al, 7
		jnz	short loc_4A056E
		jmp	short loc_4A055A
MiUpdateWsleAge	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExProtectPoolEx	proc near		; CODE XREF: CmpProtectPool(x,x,x)+5p
					; ExProtectPool(x,x,x)+Cp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BD404 SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, edx
		mov	eax, ebx
		mov	[ebp+var_1C], esi
		or	eax, esi
		push	edi
		test	eax, 0FFFh
		jnz	loc_4A06C2
		mov	ecx, esi
		call	_MiDeterminePoolType@4 ; MiDeterminePoolType(x)
		lea	ecx, [eax-20h]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		test	cl, 20h
		jnz	loc_4A06C2
		mov	eax, [ebp+arg_0]
		dec	eax
		shr	ebx, 0Ch
		add	eax, esi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], eax
		xor	eax, eax
		push	offset _ExpLargePoolTableLock
		mov	[ebp+var_14], eax
		mov	edi, eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_28], eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		movzx	edx, bl
		shl	edx, 2
		movzx	ecx, bh
		xor	edx, ecx
		mov	[ebp+var_1], al
		movzx	ecx, byte ptr [ebp+var_8+2]
		shl	edx, 2
		xor	edx, ecx
		movzx	ecx, byte ptr [ebp+var_8+3]
		shl	edx, 2
		xor	edx, ecx
		mov	ecx, _PoolBigPageTableSize
		imul	edx, 9E5Fh
		lea	eax, [ecx-1]
		sar	edx, 2
		and	edx, eax
		mov	eax, _PoolBigPageTable
		test	eax, eax
		jz	loc_5BD404
		shl	edx, 4
		mov	[ebp+var_20], edx
		add	edx, eax
		shl	ecx, 4
		add	ecx, eax

loc_4A062A:				; CODE XREF: ExProtectPoolEx+EFj
		mov	[ebp+var_10], ecx

loc_4A062D:				; CODE XREF: ExProtectPoolEx+D5j
		mov	ebx, [edx]
		test	bl, 1
		jnz	short loc_4A064C
		cmp	esi, ebx
		jb	short loc_4A064C
		mov	eax, [edx+0Ch]
		mov	[ebp+var_24], eax
		lea	esi, [eax+ebx]
		cmp	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	esi, [ebp+var_1C]
		jb	short loc_4A066D

loc_4A064C:				; CODE XREF: ExProtectPoolEx+B6j
					; ExProtectPoolEx+BAj ...
		add	edx, 10h
		cmp	edx, ecx
		jb	short loc_4A062D
		cmp	[ebp+var_14], 1
		jz	short loc_4A06C6
		mov	ecx, [ebp+var_20]
		mov	edx, _PoolBigPageTable
		add	ecx, edx
		mov	[ebp+var_14], 1
		jmp	short loc_4A062A
; 

loc_4A066D:				; CODE XREF: ExProtectPoolEx+CEj
		test	eax, 0FFFh
		jnz	loc_5BD41C

loc_4A0678:				; CODE XREF: ExProtectPoolEx+11CECBj
		mov	[ebp+var_18], ebx
		mov	edi, eax
		mov	ebx, [edx+8]
		shr	ebx, 8

loc_4A0683:				; CODE XREF: ExProtectPoolEx+14Dj
		push	offset _ExpLargePoolTableLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_18], 0
		jz	short loc_4A06C2
		and	edi, 0FFFh
		jnz	loc_5BD44C

loc_4A06A8:				; CODE XREF: ExProtectPoolEx+11CEE2j
		cmp	[ebp+arg_4], 0FFFFFFFFh
		jz	short loc_4A06CB
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_MmProtectPool@12 ; MmProtectPool(x,x,x)

loc_4A06BB:				; CODE XREF: ExProtectPoolEx+148j
					; ExProtectPoolEx+152j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4A06C2:				; CODE XREF: ExProtectPoolEx+1Bj
					; ExProtectPoolEx+34j ...
		xor	eax, eax
		jmp	short loc_4A06BB
; 

loc_4A06C6:				; CODE XREF: ExProtectPoolEx+DBj
		mov	ebx, [ebp+var_28]
		jmp	short loc_4A0683
; 

loc_4A06CB:				; CODE XREF: ExProtectPoolEx+130j
		xor	eax, eax
		inc	eax
		jmp	short loc_4A06BB
ExProtectPoolEx	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmProtectPool(x, x,	x)
_MmProtectPool@12 proc near		; CODE XREF: ExProtectPoolEx+13Ap

var_186		= byte ptr -186h
var_181		= dword	ptr -181h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= word ptr -130h
var_12C		= dword	ptr -12Ch
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= word ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+18Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, 98h
		mov	byte ptr [esp+13h], 0
		push	ebx		; size_t
		lea	eax, [esp+19Ch+var_138]
		mov	edi, edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+198h+var_A0]
		push	ebx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		test	cl, 10h
		jz	short loc_4A0734
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_4A0734
		and	ecx, 0FFFFFFEFh

loc_4A0734:				; CODE XREF: MmProtectPool(x,x,x)+56j
					; MmProtectPool(x,x,x)+5Fj
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		mov	ecx, eax
		mov	[esp+198h+var_150], ecx
		cmp	ecx, 8
		jb	short loc_4A074D
		cmp	ecx, 18h
		jnz	loc_4A1173

loc_4A074D:				; CODE XREF: MmProtectPool(x,x,x)+72j
		mov	eax, ecx
		and	eax, 5
		cmp	al, 5
		jz	loc_4A1173
		cmp	ecx, 0FFFFFFFFh
		jz	loc_4A1173
		lea	ecx, [edi-1]
		xor	edx, edx
		mov	edi, esi
		mov	[esp+198h+var_14C], edx
		shr	edi, 9
		add	ecx, esi
		and	edi, offset loc_7FFFF8
		mov	[esp+198h+var_148], ecx
		sub	edi, 40000000h
		mov	[esp+198h+var_168], edx
		mov	[esp+198h+var_178], edi
		cmp	esi, dword_6D07D0
		jb	loc_4A1173
		mov	eax, esi
		mov	ebx, offset unk_6D3840
		shr	eax, 15h
		mov	[esp+198h+var_181+1], ebx
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 6
		jz	short loc_4A07FC
		cmp	al, 5
		jnz	short loc_4A07DD
		mov	edx, ecx
		mov	ecx, esi
		call	_MiFindLargeMapping@8 ;	MiFindLargeMapping(x,x)
		test	eax, eax
		jnz	loc_4A1173
		mov	ecx, [esp+198h+var_148]
		mov	ebx, offset unk_6D3B40
		mov	[esp+198h+var_14C], 1
		xor	edx, edx
		mov	[esp+198h+var_181+1], ebx
		jmp	short loc_4A07FC
; 

loc_4A07DD:				; CODE XREF: MmProtectPool(x,x,x)+E1j
		cmp	al, 1
		jz	short loc_4A07E9
		cmp	al, 0Bh
		jnz	loc_4A1173

loc_4A07E9:				; CODE XREF: MmProtectPool(x,x,x)+10Fj
		mov	[esp+198h+var_168], 2
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		mov	ebx, eax
		mov	[esp+194h+var_17C], eax

loc_4A07FC:				; CODE XREF: MmProtectPool(x,x,x)+DDj
					; MmProtectPool(x,x,x)+10Bj
		mov	eax, [esp+194h+var_164]
		mov	esi, edx
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		mov	[esp+194h+var_181+1], esi
		sub	ecx, 40000000h
		mov	[esp+194h+var_134], eax
		mov	[esp+194h+var_144], ecx
		mov	ecx, ebx
		mov	[esp+194h+var_130], 0
		mov	[esp+194h+var_124], edx
		mov	[esp+194h+var_12C], 21h
		mov	[esp+194h+var_120], edx
		call	MiLockWorkingSetShared
		mov	byte ptr [esp+194h+var_178+3], al
		jmp	loc_4A1143
; 

loc_4A0844:				; CODE XREF: MmProtectPool(x,x,x)+A77j
		test	esi, esi
		jz	short loc_4A0862
		test	edi, 0FFFh
		jnz	short loc_4A0880
		lea	ecx, [esp+194h+var_134]
		call	MiFlushTbList
		mov	edx, esi
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4A0862:				; CODE XREF: MmProtectPool(x,x,x)+176j
		mov	eax, edi
		mov	ecx, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		push	0
		mov	edx, eax
		mov	[esp+198h+var_181+1], eax
		call	MiLockPageTableInternal

loc_4A0880:				; CODE XREF: MmProtectPool(x,x,x)+17Ej
		mov	esi, [edi]
		nop
		mov	eax, [esp+194h+var_17C]
		mov	ebx, [edi+4]
		mov	ecx, [esp+194h+var_14C]
		mov	[esp+194h+var_15C], ebx
		mov	al, [eax+60h]
		and	al, 7
		mov	[esp+194h+var_154], esi
		mov	[esp+194h+var_150], ebx
		cmp	ecx, 18h
		jnz	loc_4A0BFD
		cmp	al, 7
		jnz	loc_4A09EA
		cmp	[esp+194h+var_148], 1
		jnz	short loc_4A08E9
		and	esi, 1
		xor	edx, edx
		or	esi, edx
		jz	loc_4A1134
		lea	edx, [esp+13h]
		mov	ecx, edi
		call	MiLockNonPagedPoolPte
		mov	esi, [edi]
		mov	edx, eax
		mov	[esp+194h+var_16C], edx
		nop
		mov	ebx, [edi+4]
		mov	[esp+194h+var_15C], ebx
		mov	[esp+194h+var_154], esi
		mov	[esp+194h+var_150], ebx
		jmp	short loc_4A0922
; 

loc_4A08E9:				; CODE XREF: MmProtectPool(x,x,x)+1E5j
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_4A1134
		nop
		mov	ecx, esi
		mov	eax, ebx
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	eax, ecx, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	ecx, eax
		mov	[esp+194h+var_16C], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edx, [esp+194h+var_16C]
		mov	byte ptr [esp+194h+var_181], al

loc_4A0922:				; CODE XREF: MmProtectPool(x,x,x)+217j
		mov	ecx, [edx+8]
		mov	eax, [edx+0Ch]
		and	ecx, 0FFFFFF1Fh
		or	ecx, 300h
		mov	[edx+0Ch], eax
		mov	[edx+8], ecx
		nop
		mov	ecx, esi
		mov	eax, ebx
		shrd	ecx, eax, 0Ch
		push	18h
		and	ecx, 1FFFFFFh
		pop	edx
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		cmp	[esp+194h+var_148], 1
		mov	ecx, eax
		mov	eax, edx
		mov	[esp+194h+var_174], eax
		jnz	short loc_4A09BE

loc_4A0960:				; CODE XREF: MmProtectPool(x,x,x)+2CBj
		mov	eax, esi
		mov	edx, ebx
		nop
		mov	ebx, ecx
		mov	ecx, [esp+194h+var_174]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_4A0979
		cmp	edx, [esp+194h+var_15C]
		jz	short loc_4A099D

loc_4A0979:				; CODE XREF: MmProtectPool(x,x,x)+2A1j
		mov	ebx, edx
		mov	esi, eax
		mov	[esp+194h+var_15C], ebx
		nop
		shrd	eax, edx, 0Ch
		push	18h
		and	eax, 1FFFFFFh
		pop	edx
		mov	ecx, eax
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	ecx, eax
		mov	[esp+194h+var_174], edx
		jmp	short loc_4A0960
; 

loc_4A099D:				; CODE XREF: MmProtectPool(x,x,x)+2A7j
		mov	ecx, [esp+194h+var_16C]
		and	esi, 200h
		or	esi, 0
		jz	short loc_4A09C8
		mov	eax, [ecx+10h]
		and	eax, 0C0010000h
		or	eax, 10000h
		mov	[ecx+10h], eax
		jmp	short loc_4A09C8
; 

loc_4A09BE:				; CODE XREF: MmProtectPool(x,x,x)+28Ej
		mov	[edi], ecx
		nop
		mov	ecx, [esp+194h+var_16C]
		mov	[edi+4], eax

loc_4A09C8:				; CODE XREF: MmProtectPool(x,x,x)+2DAj
					; MmProtectPool(x,x,x)+2ECj
		lea	eax, [ecx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_4A09D3:				; CODE XREF: MmProtectPool(x,x,x)+70Cj
					; MmProtectPool(x,x,x)+729j
		push	0
		mov	edx, edi
		lea	ecx, [esp+198h+var_134]
		push	1
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	loc_4A1134
; 

loc_4A09EA:				; CODE XREF: MmProtectPool(x,x,x)+1DAj
		mov	eax, esi
		xor	edx, edx
		and	eax, 1
		or	eax, edx
		jz	loc_4A0B1B
		nop
		shrd	esi, ebx, 0Ch
		mov	eax, edi
		and	esi, 1FFFFFFh
		shl	eax, 9
		imul	ecx, esi, 1Ch
		mov	[esp+194h+var_174], eax
		add	ecx, ds:_MmPfnDatabase
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4A0A82
		lea	ecx, [esp+194h+var_134]
		call	MiFlushTbList
		mov	ecx, [esp+194h+var_174]
		mov	edx, edi
		push	0
		push	0FFFFFFFFh
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		mov	ebx, [esp+194h+var_17C]
		mov	esi, eax
		sub	edi, 8
		test	esi, esi
		jns	loc_4A1138
		mov	edx, [esp+194h+var_181+1]
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [esp+194h+var_178+3]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		mov	edx, esi
		mov	ecx, ebx
		call	MiCopyOnWriteCheckConditions
		mov	ecx, ebx
		call	MiLockWorkingSetShared
		mov	esi, [esp+194h+var_181+1]
		mov	ecx, ebx
		push	0
		mov	edx, esi
		call	MiLockPageTableInternal
		jmp	loc_4A113C
; 

loc_4A0A82:				; CODE XREF: MmProtectPool(x,x,x)+34Dj
		mov	ebx, [esp+194h+var_17C]
		cmp	dword_6D3154, edx
		jz	short loc_4A0A97
		mov	edx, edi
		mov	ecx, ebx
		call	MI_WSLE_LOG_ACCESS

loc_4A0A97:				; CODE XREF: MmProtectPool(x,x,x)+3BCj
		mov	esi, [esp+194h+var_174]
		mov	ecx, ebx
		mov	edx, esi
		call	MiLocateWsle
		mov	al, [eax]
		and	al, 0Fh
		cmp	al, 8
		jz	loc_4A1138
		mov	ecx, ebx
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		xor	ecx, ecx
		mov	[esp+194h+var_9C], eax
		push	ecx
		mov	[esp+198h+var_90], ecx
		mov	edx, esi
		mov	[esp+198h+var_8C], ecx
		mov	[esp+198h+var_88], ecx
		lea	ecx, [esp+198h+var_9C]
		push	1
		mov	[esp+19Ch+var_98], 4
		mov	[esp+19Ch+var_94], 21h
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		push	0
		lea	edx, [esp+198h+var_9C]
		mov	ecx, ebx
		call	MiFreeWsleList
		test	eax, eax
		jnz	loc_4A1138
		sub	edi, 8
		jmp	loc_4A1138
; 

loc_4A0B1B:				; CODE XREF: MmProtectPool(x,x,x)+323j
		mov	eax, esi
		and	eax, 400h
		or	eax, edx
		jz	short loc_4A0B75

loc_4A0B26:				; CODE XREF: MmProtectPool(x,x,x)+9B9j
		lea	ecx, [esp+194h+var_134]
		call	MiFlushTbList
		mov	esi, [esp+194h+var_181+1]
		mov	edx, esi
		mov	ebx, [esp+194h+var_17C]
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [esp+194h+var_178+3]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		xor	ecx, ecx
		mov	eax, edi
		push	ecx
		push	ecx
		shl	eax, 9
		push	eax
		push	ecx
		call	MmAccessFault
		mov	ecx, ebx
		call	MiLockWorkingSetShared

loc_4A0B62:				; CODE XREF: MmProtectPool(x,x,x)+895j
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	MiLockPageTableInternal

loc_4A0B6D:				; CODE XREF: MmProtectPool(x,x,x)+89Ej
		sub	edi, 8
		jmp	loc_4A113C
; 

loc_4A0B75:				; CODE XREF: MmProtectPool(x,x,x)+454j
		mov	eax, esi
		and	eax, 800h
		or	eax, edx
		jz	short loc_4A0BDF
		xor	edx, edx
		mov	ecx, edi
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_4A0B97

loc_4A0B8F:				; CODE XREF: MmProtectPool(x,x,x)+8CFj
					; MmProtectPool(x,x,x)+8DBj ...
		sub	edi, 8
		jmp	loc_4A1134
; 

loc_4A0B97:				; CODE XREF: MmProtectPool(x,x,x)+4BDj
		mov	edx, [edi]
		nop
		mov	ecx, [ebx+8]
		and	edx, 0FFFFFF1Fh
		mov	esi, [edi+4]
		and	ecx, 0FFFFFF1Fh
		mov	eax, [ebx+0Ch]
		or	ecx, 300h
		or	edx, 300h
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], eax
		mov	[esp+194h+var_154], edx
		mov	[esp+194h+var_150], esi
		mov	[edi], edx
		nop
		mov	[edi+4], esi
		lea	eax, [ebx+10h]

loc_4A0BD2:				; CODE XREF: MmProtectPool(x,x,x)+A3Cj
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	loc_4A1134
; 

loc_4A0BDF:				; CODE XREF: MmProtectPool(x,x,x)+4AEj
		and	esi, 0FFFFFF1Fh
		mov	[esp+194h+var_150], ebx
		or	esi, 300h
		mov	[esp+194h+var_154], esi
		mov	[edi], esi
		mov	[edi+4], ebx
		jmp	loc_4A1134
; 

loc_4A0BFD:				; CODE XREF: MmProtectPool(x,x,x)+1D2j
		cmp	al, 7
		jnz	loc_4A0EE4
		mov	eax, ecx
		or	eax, 80000000h
		mov	[esp+194h+var_140], eax

loc_4A0C10:				; CODE XREF: MmProtectPool(x,x,x)+69Fj
		mov	eax, esi
		and	eax, 1
		mov	[esp+194h+var_160], eax
		or	eax, 0
		jz	short loc_4A0C2F
		nop
		mov	edx, esi
		mov	eax, ebx
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		jmp	short loc_4A0C86
; 

loc_4A0C2F:				; CODE XREF: MmProtectPool(x,x,x)+54Cj
		mov	eax, dword_6D0700
		mov	ecx, ebx
		mov	ebx, dword_6D0704
		mov	edx, esi
		mov	[esp+194h+var_170], eax
		or	eax, ebx
		mov	[esp+194h+var_158], ebx
		mov	ebx, [esp+194h+var_15C]
		mov	[esp+194h+var_174], edx
		mov	[esp+194h+var_164], ecx
		jz	short loc_4A0C7C
		mov	ecx, esi
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4A0C76
		mov	edx, [esp+194h+var_170]
		mov	ecx, [esp+194h+var_158]
		not	edx
		not	ecx
		and	edx, esi
		and	ecx, [esp+194h+var_164]
		jmp	short loc_4A0C7C
; 

loc_4A0C76:				; CODE XREF: MmProtectPool(x,x,x)+590j
		mov	edx, ecx
		mov	ecx, [esp+194h+var_164]

loc_4A0C7C:				; CODE XREF: MmProtectPool(x,x,x)+584j
					; MmProtectPool(x,x,x)+5A4j
		shrd	edx, ecx, 0Ch
		and	edx, 3FFFFFFh

loc_4A0C86:				; CODE XREF: MmProtectPool(x,x,x)+55Dj
		push	[esp+194h+var_140]
		imul	eax, edx, 1Ch
		mov	ecx, edi
		add	eax, ds:_MmPfnDatabase
		mov	[esp+198h+var_16C], eax
		call	MiMakeValidPte
		mov	ecx, eax
		mov	eax, edx
		mov	edx, [esp+194h+var_160]
		or	edx, 0
		mov	[esp+194h+var_174], ecx
		mov	[esp+194h+var_164], eax
		jz	loc_4A0DFE
		cmp	[esp+194h+var_148], 1
		jnz	loc_4A0D7E
		lea	edx, [esp+194h+var_181]
		mov	ecx, edi
		call	MiLockNonPagedPoolPte
		mov	edx, [edi]
		mov	[esp+194h+var_16C], eax
		mov	[esp+194h+var_160], edx
		nop
		mov	ecx, [edi+4]
		mov	[esp+194h+var_170], ecx
		cmp	edx, esi
		jnz	short loc_4A0D46
		cmp	ecx, ebx
		jnz	short loc_4A0D46
		mov	edx, [esp+194h+var_174]
		mov	eax, esi
		mov	ecx, [esp+194h+var_164]
		and	eax, 200h
		or	eax, 0
		mov	[esp+194h+var_158], edx
		mov	[esp+194h+var_170], ecx
		jz	short loc_4A0D19
		or	edx, 200h
		mov	[esp+194h+var_164], ecx
		mov	[esp+194h+var_174], edx
		mov	[esp+194h+var_158], edx
		mov	[esp+194h+var_170], ecx

loc_4A0D19:				; CODE XREF: MmProtectPool(x,x,x)+631j
		mov	eax, esi
		mov	edx, ebx
		nop
		mov	ebx, [esp+194h+var_158]
		mov	ecx, [esp+194h+var_170]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, eax
		mov	eax, edx
		mov	[esp+194h+var_160], ecx
		mov	[esp+194h+var_170], eax
		cmp	ecx, esi
		jnz	short loc_4A0D42
		mov	ebx, [esp+194h+var_15C]
		cmp	eax, ebx
		jz	short loc_4A0D74

loc_4A0D42:				; CODE XREF: MmProtectPool(x,x,x)+668j
		mov	eax, [esp+194h+var_16C]

loc_4A0D46:				; CODE XREF: MmProtectPool(x,x,x)+611j
					; MmProtectPool(x,x,x)+615j
		add	eax, 10h
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, byte ptr [esp+194h+var_181]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [esp+194h+var_170]
		mov	esi, [esp+194h+var_160]
		mov	[esp+194h+var_154], esi
		mov	[esp+194h+var_15C], ebx
		mov	[esp+194h+var_150], ebx
		jmp	loc_4A0C10
; 

loc_4A0D74:				; CODE XREF: MmProtectPool(x,x,x)+670j
		mov	al, byte ptr [esp+194h+var_181]
		mov	byte ptr [esp+194h+var_168+3], al
		jmp	short loc_4A0D8E
; 

loc_4A0D7E:				; CODE XREF: MmProtectPool(x,x,x)+5ECj
		mov	dl, 21h
		mov	byte ptr [esp+194h+var_168+3], dl
		mov	byte ptr [esp+194h+var_181], dl
		nop
		mov	[edi], ecx
		mov	[edi+4], eax

loc_4A0D8E:				; CODE XREF: MmProtectPool(x,x,x)+6ACj
		mov	ecx, [esp+194h+var_14C]
		xor	edx, edx
		mov	eax, [esp+194h+var_16C]
		and	ecx, 1Fh
		shld	edx, ecx, 5
		shl	ecx, 5
		mov	eax, [eax+8]
		and	eax, 0FFFFFC1Fh
		or	ecx, eax
		mov	eax, [esp+194h+var_16C]
		or	[eax+0Ch], edx
		cmp	[esp+194h+var_148], 1
		mov	[eax+8], ecx
		jnz	short loc_4A0DD2
		add	eax, 10h
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, byte ptr [esp+194h+var_168+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4A0DD2:				; CODE XREF: MmProtectPool(x,x,x)+6EBj
		test	ds:_MiFlags, 100h
		jz	loc_4A09D3
		push	[esp+194h+var_164]
		push	[esp+198h+var_174]
		push	ebx
		push	esi
		call	_MI_TIGHTER_PERMISSIONS@16 ; MI_TIGHTER_PERMISSIONS(x,x,x,x)
		test	eax, eax
		jz	loc_4A1134
		jmp	loc_4A09D3
; 

loc_4A0DFE:				; CODE XREF: MmProtectPool(x,x,x)+5E1j
		mov	esi, [esp+194h+var_16C]
		add	esi, 10h
		mov	eax, [esi]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jz	short loc_4A0E4E
		and	[esp+194h+var_13C], 0
		jmp	short loc_4A0E27
; 

loc_4A0E18:				; CODE XREF: MmProtectPool(x,x,x)+755j
					; MmProtectPool(x,x,x)+75Cj
		lea	ecx, [esp+194h+var_13C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4A0E18

loc_4A0E27:				; CODE XREF: MmProtectPool(x,x,x)+746j
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4A0E18
		mov	eax, [esi]
		and	eax, 0C0000001h
		or	eax, 1
		mov	[esi], eax
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	esi, [esp+194h+var_174]
		or	esi, 200h
		jmp	short loc_4A0E52
; 

loc_4A0E4E:				; CODE XREF: MmProtectPool(x,x,x)+73Fj
		mov	esi, [esp+194h+var_174]

loc_4A0E52:				; CODE XREF: MmProtectPool(x,x,x)+77Cj
		mov	edx, [esp+194h+var_14C]
		xor	ecx, ecx
		mov	eax, [esp+194h+var_16C]
		and	edx, 1Fh
		mov	ebx, [esp+194h+var_164]
		shld	ecx, edx, 5
		mov	eax, [eax+8]
		and	eax, 0FFFFFC1Fh
		shl	edx, 5
		or	edx, eax
		mov	eax, [esp+194h+var_16C]
		or	[eax+0Ch], ecx
		mov	ecx, edi
		mov	[eax+8], edx
		xor	edx, edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_4A0EC8
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_4A0EA0
		inc	edx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	short loc_4A0EC8
		jmp	short loc_4A0EB8
; 

loc_4A0EA0:				; CODE XREF: MmProtectPool(x,x,x)+7C2j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_4A0EC8

loc_4A0EB8:				; CODE XREF: MmProtectPool(x,x,x)+7CEj
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_4A0EC8
		or	ebx, 80000000h

loc_4A0EC8:				; CODE XREF: MmProtectPool(x,x,x)+7B9j
					; MmProtectPool(x,x,x)+7CCj ...
		mov	[edi+4], ebx
		nop
		mov	[edi], esi
		test	edx, edx
		jz	loc_4A1134
		push	ebx
		push	esi
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_4A1134
; 

loc_4A0EE4:				; CODE XREF: MmProtectPool(x,x,x)+52Fj
		mov	eax, esi
		xor	edx, edx
		and	eax, 1
		or	eax, edx
		jz	loc_4A1080
		nop
		mov	edx, esi
		mov	eax, ebx
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		imul	ecx, edx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[esp+194h+var_158], ecx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4A0F73
		lea	ecx, [esp+194h+var_134]
		call	MiFlushTbList
		push	0
		mov	ecx, edi
		mov	edx, edi
		push	0FFFFFFFFh
		shl	ecx, 9
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		mov	ebx, [esp+194h+var_17C]
		mov	esi, eax
		test	esi, esi
		jns	short loc_4A0F6A
		mov	edx, [esp+194h+var_181+1]
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [esp+194h+var_178+3]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		mov	edx, esi
		mov	ecx, ebx
		call	MiCopyOnWriteCheckConditions
		mov	ecx, ebx
		call	MiLockWorkingSetShared
		mov	esi, [esp+194h+var_181+1]
		jmp	loc_4A0B62
; 

loc_4A0F6A:				; CODE XREF: MmProtectPool(x,x,x)+869j
		mov	esi, [esp+194h+var_181+1]
		jmp	loc_4A0B6D
; 

loc_4A0F73:				; CODE XREF: MmProtectPool(x,x,x)+846j
		mov	eax, [esp+194h+var_14C]
		mov	ecx, edi
		or	eax, 80000000h
		push	eax
		call	MiMakeValidPte
		mov	ecx, eax
		mov	[esp+194h+var_170], edx
		mov	[esp+194h+var_160], ecx
		mov	eax, esi
		mov	edx, ebx
		nop
		mov	ebx, ecx
		mov	ecx, [esp+194h+var_170]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	loc_4A0B8F
		mov	ecx, [esp+194h+var_15C]
		cmp	edx, ecx
		jnz	loc_4A0B8F
		test	ds:_MiFlags, 100h
		jz	short loc_4A0FD0
		push	[esp+194h+var_170]
		push	[esp+198h+var_160]
		push	ecx
		push	esi
		call	_MI_TIGHTER_PERMISSIONS@16 ; MI_TIGHTER_PERMISSIONS(x,x,x,x)
		test	eax, eax
		jz	short loc_4A0FE2

loc_4A0FD0:				; CODE XREF: MmProtectPool(x,x,x)+8EBj
		push	0
		mov	edx, edi
		lea	ecx, [esp+198h+var_134]
		push	1
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_4A0FE2:				; CODE XREF: MmProtectPool(x,x,x)+8FEj
		mov	ebx, [esp+194h+var_158]
		xor	eax, eax
		mov	[esp+194h+var_140], eax
		mov	[esp+194h+var_170], eax
		mov	[esp+194h+var_138], eax
		lea	eax, [ebx+10h]
		mov	[esp+194h+var_160], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_4A101E
		mov	ebx, eax

loc_4A1004:				; CODE XREF: MmProtectPool(x,x,x)+941j
					; MmProtectPool(x,x,x)+948j
		lea	ecx, [esp+194h+var_138]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_4A1004
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_4A1004
		mov	ebx, [esp+194h+var_158]

loc_4A101E:				; CODE XREF: MmProtectPool(x,x,x)+930j
		mov	edx, [esp+194h+var_14C]
		xor	ecx, ecx
		mov	eax, [ebx+8]
		and	edx, 1Fh
		shld	ecx, edx, 5
		and	eax, 0FFFFFC1Fh
		and	esi, 42h
		or	[ebx+0Ch], ecx
		shl	edx, 5
		or	edx, eax
		or	esi, 0
		mov	[ebx+8], edx
		jz	short loc_4A104F
		mov	ecx, ebx
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		jmp	short loc_4A1057
; 

loc_4A104F:				; CODE XREF: MmProtectPool(x,x,x)+974j
		mov	eax, [esp+194h+var_140]
		mov	edx, [esp+194h+var_170]

loc_4A1057:				; CODE XREF: MmProtectPool(x,x,x)+97Dj
		lea	ecx, [ebx+10h]
		mov	esi, 7FFFFFFFh
		lock and [ecx],	esi
		mov	ecx, eax
		or	ecx, edx
		jz	loc_4A1134
		push	edx
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		push	eax
		inc	edx
		call	MiReleasePageFileInfo
		jmp	loc_4A1134
; 

loc_4A1080:				; CODE XREF: MmProtectPool(x,x,x)+81Dj
		mov	eax, esi
		and	eax, 400h
		or	eax, edx
		jnz	loc_4A0B26
		mov	eax, esi
		and	eax, 800h
		or	eax, edx
		jz	short loc_4A1111
		xor	edx, edx
		mov	ecx, edi
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	[esp+194h+var_170], eax
		test	eax, eax
		jz	loc_4A0B8F
		mov	edi, [edi]
		nop
		mov	esi, [esp+194h+var_14C]
		xor	edx, edx
		mov	ecx, [eax+8]
		and	esi, 1Fh
		mov	ebx, [esp+194h+var_174]
		and	ecx, 0FFFFFC1Fh
		mov	eax, [eax+0Ch]
		and	edi, 0FFFFFC1Fh
		shld	edx, esi, 5
		mov	ebx, [ebx+4]
		or	eax, edx
		shl	esi, 5
		or	ecx, esi
		mov	[esp+194h+var_160], esi
		mov	esi, [esp+194h+var_170]
		or	edi, [esp+194h+var_160]
		or	ebx, edx
		mov	[esp+194h+var_154], edi
		mov	[esp+194h+var_150], ebx
		mov	[esi+8], ecx
		mov	ecx, esi
		mov	[ecx+0Ch], eax
		mov	eax, [esp+194h+var_174]
		mov	[eax], edi
		nop
		mov	edi, eax
		lea	eax, [ecx+10h]
		mov	[edi+4], ebx
		jmp	loc_4A0BD2
; 

loc_4A1111:				; CODE XREF: MmProtectPool(x,x,x)+9C8j
		and	ecx, 1Fh
		xor	eax, eax
		shld	eax, ecx, 5
		and	esi, 0FFFFFC1Fh
		shl	ecx, 5
		or	ecx, esi
		or	eax, ebx
		mov	[esp+194h+var_154], ecx
		mov	[esp+194h+var_150], eax
		mov	[edi], ecx
		mov	[edi+4], eax

loc_4A1134:				; CODE XREF: MmProtectPool(x,x,x)+1EEj
					; MmProtectPool(x,x,x)+221j ...
		mov	ebx, [esp+194h+var_17C]

loc_4A1138:				; CODE XREF: MmProtectPool(x,x,x)+372j
					; MmProtectPool(x,x,x)+3DAj ...
		mov	esi, [esp+194h+var_181+1]

loc_4A113C:				; CODE XREF: MmProtectPool(x,x,x)+3ADj
					; MmProtectPool(x,x,x)+4A0j
		add	edi, 8
		mov	[esp+194h+var_174], edi

loc_4A1143:				; CODE XREF: MmProtectPool(x,x,x)+16Fj
		cmp	edi, [esp+194h+var_144]
		jbe	loc_4A0844
		lea	ecx, [esp+194h+var_134]
		call	MiFlushTbList
		test	esi, esi
		jz	short loc_4A1163
		mov	edx, esi
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4A1163:				; CODE XREF: MmProtectPool(x,x,x)+A88j
		mov	dl, byte ptr [esp+194h+var_178+3]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		xor	eax, eax
		inc	eax
		jmp	short loc_4A1175
; 

loc_4A1173:				; CODE XREF: MmProtectPool(x,x,x)+77j
					; MmProtectPool(x,x,x)+84j ...
		xor	eax, eax

loc_4A1175:				; CODE XREF: MmProtectPool(x,x,x)+AA1j
		mov	ecx, [esp+198h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_MmProtectPool@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpFreeVA(x, x, x, x, x)
_RtlpHpFreeVA@20 proc near		; CODE XREF: RtlpHpSegMgrCommit+10Ap
					; RtlpHpLargeAlloc(x,x,x,x)+1C8p ...

arg_0		= dword	ptr  8
arg_5		= byte ptr  0Dh
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, eax
		and	eax, 0FEFFFFFFh
		and	esi, 1000000h
		push	edi
		mov	edi, ecx
		cmp	eax, 8000h
		jz	short loc_4A11C3

loc_4A11AF:				; CODE XREF: RtlpHpFreeVA(x,x,x,x,x)+39j
		cmp	[ebp+arg_5], 2
		jnb	short loc_4A11F5
		push	eax
		call	_RtlpHpEnvFreeVA@12 ; RtlpHpEnvFreeVA(x,x,x)

loc_4A11BB:				; CODE XREF: RtlpHpFreeVA(x,x,x,x,x)+6Bj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4A11C3:				; CODE XREF: RtlpHpFreeVA(x,x,x,x,x)+21j
		test	esi, esi
		jnz	short loc_4A11AF
		mov	eax, [edi]
		mov	ecx, [edx]
		add	ecx, eax
		add	eax, 0FFFFFh
		and	eax, 0FFF00000h
		sub	ecx, eax
		mov	[edi], eax
		mov	[edx], ecx
		jz	short loc_4A11F5
		push	[ebp+arg_8]
		push	dword ptr [ebp+0Ch]
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		push	edx
		mov	edx, edi
		lea	ecx, [eax+30h]
		call	RtlpHpVaMgrCtxFree

loc_4A11F5:				; CODE XREF: RtlpHpFreeVA(x,x,x,x,x)+27j
					; RtlpHpFreeVA(x,x,x,x,x)+51j
		xor	eax, eax
		jmp	short loc_4A11BB
_RtlpHpFreeVA@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpEnvFreeVA(x, x, x)
_RtlpHpEnvFreeVA@12 proc near		; CODE XREF: RtlpHpFreeVA(x,x,x,x,x)+2Ap
					; RtlpHpVaMgrRangeFree(x,x)+41p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 8000h
		push	esi
		jz	short loc_4A1210

loc_4A1209:				; CODE XREF: RtlpHpEnvFreeVA(x,x,x)+2Cj
		pop	esi
		pop	ebp
		jmp	MmFreePoolMemory
; 

loc_4A1210:				; CODE XREF: RtlpHpEnvFreeVA(x,x,x)+Dj
		mov	eax, [ecx]
		mov	esi, [edx]
		add	esi, eax
		add	eax, 1FFFFFh
		and	eax, 0FFE00000h
		sub	esi, eax
		mov	[ecx], eax
		mov	[edx], esi
		jnz	short loc_4A1209
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
_RtlpHpEnvFreeVA@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmFreePoolMemory proc near		; CODE XREF: RtlpHpEnvFreeVA(x,x,x)+11j
					; RtlpHpVaMgrCtxFree+8Dp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BD463 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		mov	ebx, [edx]
		mov	eax, ebx
		push	esi
		mov	esi, ebx
		mov	[esp+2Ch+var_1C], ebx
		and	esi, 0FFFh
		neg	esi
		push	edi
		mov	edi, [ecx]
		sbb	esi, esi
		shr	eax, 0Ch
		neg	esi
		mov	ecx, edi
		mov	[esp+30h+var_20], edi
		add	esi, eax
		call	_MiDeterminePoolType@4 ; MiDeterminePoolType(x)
		mov	edx, eax
		cmp	edx, 20h
		jz	loc_5BD463
		cmp	edx, 21h
		jz	loc_4A1355
		xor	eax, eax
		test	edx, edx
		setnz	al
		add	eax, 5
		mov	[esp+30h+var_24], eax

loc_4A1288:				; CODE XREF: MmFreePoolMemory+12Dj
		mov	ebx, [ebp+arg_0]
		mov	eax, 4000h
		test	ebx, 8000h
		jnz	loc_4A1385

loc_4A129C:				; CODE XREF: MmFreePoolMemory+157j
		test	ebx, eax
		jz	loc_4A137C
		test	dl, 1
		jnz	short loc_4A12FB
		mov	eax, 40000000h
		test	ebx, eax
		jnz	short loc_4A12BF
		cmp	ds:_MmProtectFreedNonPagedPool,	0
		jnz	loc_5BD474

loc_4A12BF:				; CODE XREF: MmFreePoolMemory+80j
					; MmFreePoolMemory+11C246j
		push	1
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	MiClearNonPagedPtes
		mov	edi, eax

loc_4A12CD:				; CODE XREF: MmFreePoolMemory+120j
		test	edi, edi
		jz	loc_4A137C
		mov	edx, edi
		mov	edi, [esp+30h+var_24]
		push	0
		mov	ecx, edi
		call	MiCountSystemPool

loc_4A12E4:				; CODE XREF: MmFreePoolMemory+150j
		test	ebx, 8000h
		jnz	loc_4A138C

loc_4A12F0:				; CODE XREF: MmFreePoolMemory+175j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4A12FB:				; CODE XREF: MmFreePoolMemory+77j
		push	6
		xor	eax, eax
		lea	edi, [esp+34h+var_18]
		pop	ecx
		rep stosd
		mov	ecx, [esp+30h+var_20]
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		test	dl, 20h
		jnz	short loc_4A1362
		mov	edi, offset unk_6D3840

loc_4A1323:				; CODE XREF: MmFreePoolMemory+14Aj
		lea	eax, [esp+30h+var_18]
		xor	edx, edx
		push	eax
		mov	eax, ebx
		shr	eax, 1Eh
		and	eax, 1
		push	eax
		push	esi
		push	ecx
		mov	ecx, edi
		call	_MiDeleteSystemPagableVm@24 ; MiDeleteSystemPagableVm(x,x,x,x,x,x)
		mov	edi, [esp+30h+var_C]
		mov	ecx, offset _MiSystemPartition
		mov	edx, edi
		sub	edx, [esp+30h+var_14]
		call	MiReturnCommit
		jmp	loc_4A12CD
; 

loc_4A1355:				; CODE XREF: MmFreePoolMemory+44j
		mov	[esp+30h+var_24], 1
		jmp	loc_4A1288
; 

loc_4A1362:				; CODE XREF: MmFreePoolMemory+ECj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	edi, [eax+180h]
		add	edi, 0C0h
		jmp	short loc_4A1323
; 

loc_4A137C:				; CODE XREF: MmFreePoolMemory+6Ej
					; MmFreePoolMemory+9Fj
		mov	edi, [esp+30h+var_24]
		jmp	loc_4A12E4
; 

loc_4A1385:				; CODE XREF: MmFreePoolMemory+66j
		or	ebx, eax
		jmp	loc_4A129C
; 

loc_4A138C:				; CODE XREF: MmFreePoolMemory+BAj
		cmp	edi, 1
		jz	short loc_4A13AA

loc_4A1391:				; CODE XREF: MmFreePoolMemory+19Aj
		mov	eax, [esp+30h+var_20]
		mov	edx, [esp+30h+var_1C]
		push	ecx
		push	edi
		mov	ecx, eax
		lea	edx, [edx+eax]
		call	_MiReturnSystemVa@16 ; MiReturnSystemVa(x,x,x,x)
		jmp	loc_4A12F0
; 

loc_4A13AA:				; CODE XREF: MmFreePoolMemory+15Fj
		mov	eax, large fs:124h
		shr	esi, 9
		neg	esi
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		add	eax, 23E8h
		lock xadd [eax], esi
		jmp	short loc_4A1391
MmFreePoolMemory endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiDeterminePoolType(x)
_MiDeterminePoolType@4 proc near	; CODE XREF: ExGetHeapFromVA+Bp
					; ExProtectPoolEx+23p ...
		cmp	ecx, dword_6D07D0
		jb	short loc_4A1400
		shr	ecx, 15h
		mov	al, byte ptr dword_6D3994[ecx]
		cmp	al, 1
		jz	short loc_4A13FA
		cmp	al, 0Bh
		jz	short loc_4A13FA
		cmp	al, 5
		jnz	short loc_4A13F0
		xor	eax, eax
		retn
; 

loc_4A13F0:				; CODE XREF: MiDeterminePoolType(x)+1Bj
		cmp	al, 6
		jnz	short loc_4A1400
		mov	eax, 1
		retn
; 

loc_4A13FA:				; CODE XREF: MiDeterminePoolType(x)+13j
					; MiDeterminePoolType(x)+17j
		mov	eax, 21h
		retn
; 

loc_4A1400:				; CODE XREF: MiDeterminePoolType(x)+6j
					; MiDeterminePoolType(x)+22j
		mov	eax, 20h
		retn
_MiDeterminePoolType@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockNonPagedPoolPte proc near		; CODE XREF: MiProbeLockFrame(x)+6Cp
					; MmProtectPool(x,x,x)+1FAp ...

var_80		= dword	ptr -80h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BD47B SIZE 00000039 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	esi, ecx

loc_4A1415:				; CODE XREF: MiLockNonPagedPoolPte+11C088j
		mov	ebx, [esi]
		nop
		mov	edx, [esi+4]
		mov	eax, ebx
		and	eax, 1
		mov	[ebp+var_8], edx
		or	eax, 0
		jz	loc_5BD493
		nop
		mov	eax, edx
		mov	ecx, ebx
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	edi, ecx, 1Ch
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+var_4]
		mov	[ecx], al
		mov	eax, [esi]
		nop
		mov	edx, [esi+4]
		cmp	ebx, eax
		jnz	loc_5BD47B
		cmp	[ebp+var_8], edx
		jnz	loc_5BD47B
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiLockNonPagedPoolPte endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFindLargeMapping(x, x)
_MiFindLargeMapping@8 proc near		; CODE XREF: MmProtectPool(x,x,x)+E7p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		shr	ecx, 12h
		mov	esi, 3FF8h
		shr	edx, 12h
		and	ecx, esi
		mov	eax, 3FA00000h
		and	edx, esi
		sub	ecx, eax
		sub	edx, eax
		xor	esi, esi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], edx

loc_4A1496:				; CODE XREF: MiFindLargeMapping(x,x)+49j
		mov	ecx, [ebp+esi*8+var_8]
		mov	edx, [ebp+esi*8+var_4]

loc_4A149E:				; CODE XREF: MiFindLargeMapping(x,x)+43j
		cmp	ecx, edx
		ja	short loc_4A14B3
		mov	eax, [ecx]
		and	eax, 80h
		or	eax, 0
		jnz	short loc_4A14BE
		add	ecx, 8
		jmp	short loc_4A149E
; 

loc_4A14B3:				; CODE XREF: MiFindLargeMapping(x,x)+32j
		inc	esi
		cmp	esi, 1
		jb	short loc_4A1496
		xor	eax, eax

loc_4A14BB:				; CODE XREF: MiFindLargeMapping(x,x)+53j
		pop	esi
		leave
		retn
; 

loc_4A14BE:				; CODE XREF: MiFindLargeMapping(x,x)+3Ej
		xor	eax, eax
		inc	eax
		jmp	short loc_4A14BB
_MiFindLargeMapping@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiClearNonPagedPtes proc near		; CODE XREF: MmFreePoolMemory+96p
					; MiCommitPoolMemory+113648p

var_118		= dword	ptr -118h
var_114		= word ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_58		= dword	ptr -58h
var_52		= byte ptr -52h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 11Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	4Ch		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_58]
		push	ebx		; int
		push	eax		; void *
		mov	edi, edx
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_118]
		push	0BCh		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, 887h
		shl	edi, 0Ch
		mov	word ptr [ebp+var_58], ax
		add	esp, 0Ch
		lea	eax, [esi-1]
		mov	[ebp+var_44], esi
		add	eax, edi
		mov	[ebp+var_10C], ebx
		mov	[ebp+var_40], eax
		mov	esi, offset unk_6D3B40
		mov	eax, [ebp+arg_0]
		mov	ecx, esi
		mov	[ebp+var_78], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_118]
		mov	[ebp+var_118], ebx
		mov	[ebp+var_114], bx
		mov	[ebp+var_108], ebx
		mov	[ebp+var_110], 21h
		mov	[ebp+var_104], ebx
		mov	[ebp+var_18], offset MiDeleteNonPagedPoolPte
		mov	[ebp+var_14], offset MiDeleteNonPagedPoolTail
		mov	[ebp+var_10], eax
		mov	[ebp+var_48], esi
		call	MiLockWorkingSetShared
		lea	ecx, [ebp+var_58]
		mov	[ebp+var_52], al
		call	MiWalkPageTables
		mov	dl, [ebp+var_52]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_80]
		test	ecx, ecx
		jz	short loc_4A15A9
		test	ds:byte_70EFC4,	1
		jnz	loc_5BD4A7

loc_4A15A1:				; CODE XREF: MiLockNonPagedPoolPte+11C0A9j
		push	2
		pop	edx
		call	MiReturnPhysicalPoolPages

loc_4A15A9:				; CODE XREF: MiClearNonPagedPtes+CEj
		mov	ecx, [ebp+var_7C]
		test	ecx, ecx
		jnz	short loc_4A15C4

loc_4A15B0:				; CODE XREF: MiClearNonPagedPtes+108j
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_6C]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_4A15C4:				; CODE XREF: MiClearNonPagedPtes+EAj
		push	3
		pop	edx
		call	MiReturnPhysicalPoolPages
		jmp	short loc_4A15B0
MiClearNonPagedPtes endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReturnPhysicalPoolPages proc near	; CODE XREF: MiClearNonPagedPtes+E0p
					; MiClearNonPagedPtes+103p ...

var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= byte ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005BD4B4 SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_8], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_34]
		mov	ebx, ecx
		stosd
		mov	ecx, 6
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		mov	[ebp+var_14], eax
		rep stosd
		mov	[ebp+var_10], eax
		mov	ecx, ebx
		sub	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_C], eax
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	esi, [eax+4]
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		and	ecx, 2
		mov	[ebp+var_28], esi
		and	eax, 1
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_8], eax
		mov	esi, eax

loc_4A1636:				; CODE XREF: MiReturnPhysicalPoolPages+F4j
		mov	eax, [ebx]
		mov	ecx, ebx
		sub	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_24], eax
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		mov	cl, 2
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	[ebp+var_20], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		lea	edi, [ebx+10h]
		mov	[ebp+var_18], 0
		lock bts dword ptr [edi], 1Fh
		jb	loc_5BD4B4

loc_4A1679:				; CODE XREF: MiReturnPhysicalPoolPages+11BEF8j
		cmp	[ebp+var_1C], 0
		jz	loc_4A177D

loc_4A1683:				; CODE XREF: MiReturnPhysicalPoolPages+1C2j
		test	esi, esi
		jnz	short loc_4A168D
		test	byte ptr [ebx+17h], 10h
		jnz	short loc_4A16E9

loc_4A168D:				; CODE XREF: MiReturnPhysicalPoolPages+B5j
		mov	ecx, [ebp+var_20]
		xor	eax, eax
		and	dword ptr [edi], 0C0000000h
		mov	[ebx+14h], ax
		lea	edx, [eax+2]
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		inc	[ebp+var_4C]
		inc	[ebp+var_40]

loc_4A16AA:				; CODE XREF: MiReturnPhysicalPoolPages+146j
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, [ebp+var_1]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		mov	eax, [ebp+var_24]
		mov	ebx, eax
		test	eax, eax
		jnz	loc_4A1636
		mov	ebx, [ebp+var_C]
		mov	esi, [ebp+var_28]
		test	ebx, ebx
		jnz	short loc_4A171D

loc_4A16D4:				; CODE XREF: MiReturnPhysicalPoolPages+1A8j
		mov	eax, [ebp+var_8]
		lea	ecx, [ebp+var_4C]
		lea	edx, [eax+eax]
		call	_MiReturnPoolCharges@8 ; MiReturnPoolCharges(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4A16E9:				; CODE XREF: MiReturnPhysicalPoolPages+BBj
		mov	al, [ebx+16h]
		and	al, 0FDh
		mov	dword ptr [ebx+4], 0FFFFFFF8h
		or	al, 5
		mov	[ebx+16h], al
		xor	eax, eax
		and	dword ptr [edi], 0C0000000h
		mov	[ebx+14h], ax
		cmp	[ebp+var_10], eax
		jz	short loc_4A1718

loc_4A170B:				; CODE XREF: MiReturnPhysicalPoolPages+14Bj
		mov	eax, [ebp+var_14]
		inc	[ebp+var_C]
		mov	[ebx], eax
		mov	[ebp+var_14], ebx
		jmp	short loc_4A16AA
; 

loc_4A1718:				; CODE XREF: MiReturnPhysicalPoolPages+139j
		mov	[ebp+var_10], ebx
		jmp	short loc_4A170B
; 

loc_4A171D:				; CODE XREF: MiReturnPhysicalPoolPages+102j
		mov	eax, dword_6D069C
		lea	ecx, [esi+esi*8]
		lea	edx, [ebp+var_34]
		lea	esi, [eax+ecx*8]
		lea	ecx, [esi+34h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [ebp+var_10]
		mov	eax, [esi+38h]
		mov	[ecx], eax
		mov	eax, [ebp+var_14]
		add	[esi+30h], ebx
		mov	[esi+38h], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5BD4CD
		mov	eax, [ebp+var_34]
		test	eax, eax
		jnz	loc_5BD4E5
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_34]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_34]
		cmp	eax, ecx
		jnz	loc_5BD4DD

loc_4A1773:				; CODE XREF: MiReturnPhysicalPoolPages+11BF08j
					; MiReturnPhysicalPoolPages+11BF27j
		mov	cl, [ebp+var_2C]
		call	edi
		jmp	loc_4A16D4
; 

loc_4A177D:				; CODE XREF: MiReturnPhysicalPoolPages+ADj
		mov	eax, [edi]
		and	eax, 0C0000001h
		or	eax, 1
		mov	[edi], eax
		mov	eax, 1
		mov	[ebx+14h], ax
		jmp	loc_4A1683
MiReturnPhysicalPoolPages endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiReturnPoolCharges(x, x)
_MiReturnPoolCharges@8 proc near	; CODE XREF: MiReturnPhysicalPoolPages+10Dp
					; MiGetPoolPages+121C0Ap ...
		cmp	dword_6D5F54, 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jz	short loc_4A17DF
		mov	edx, [esi]
		push	ebx
		mov	ebx, offset _MiSystemPartition
		mov	ecx, ebx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	short loc_4A17E2

loc_4A17BA:				; CODE XREF: MiReturnPoolCharges(x,x)+53j
		mov	edx, [esi+0Ch]
		mov	ecx, ebx
		sub	edx, [esi+4]
		call	MiReturnCommit
		pop	ebx
		cmp	edi, 2
		jz	short loc_4A17DF
		mov	eax, [esi+0Ch]
		mov	ecx, offset unk_6D3614
		neg	eax
		test	edi, edi
		jnz	short loc_4A17ED

loc_4A17DB:				; CODE XREF: MiReturnPoolCharges(x,x)+5Aj
		lock xadd [ecx], eax

loc_4A17DF:				; CODE XREF: MiReturnPoolCharges(x,x)+Dj
					; MiReturnPoolCharges(x,x)+33j
		pop	edi
		pop	esi
		retn
; 

loc_4A17E2:				; CODE XREF: MiReturnPoolCharges(x,x)+20j
		mov	edx, offset dword_6D5E40
		lock xadd [edx], eax
		jmp	short loc_4A17BA
; 

loc_4A17ED:				; CODE XREF: MiReturnPoolCharges(x,x)+41j
		mov	ecx, offset unk_6D3618
		jmp	short loc_4A17DB
_MiReturnPoolCharges@8 endp


;  S U B	R O U T	I N E 


MiGetVaAge	proc near		; CODE XREF: MiUpdateWsleAge+13p
					; MiActOnPte(x,x,x,x,x,x,x,x)+3CFp ...

; FUNCTION CHUNK AT 005BD4FC SIZE 0000003C BYTES

		cmp	edx, 0C0000000h
		jnb	loc_5BD4FC

loc_4A1800:				; CODE XREF: MiGetVaAge+11BD0Ej
		call	MiLocateWsle
		mov	al, [eax]
		and	al, 0Fh
		retn
MiGetVaAge	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAdjustCachedStacks()
_MiAdjustCachedStacks@0	proc near	; CODE XREF: MiWorkingSetManager(x,x)+253p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		cmp	ds:_KeNumberProcessors,	esi
		jbe	short loc_4A1840

loc_4A1822:				; CODE XREF: MiAdjustCachedStacks()+34j
		mov	ecx, esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		add	eax, 4C4h
		cmp	dword ptr [eax], 0
		jnz	loc_4A18F9

loc_4A1837:				; CODE XREF: MiAdjustCachedStacks()+F5j
					; MiAdjustCachedStacks()+100j
		inc	esi
		cmp	esi, ds:_KeNumberProcessors
		jb	short loc_4A1822

loc_4A1840:				; CODE XREF: MiAdjustCachedStacks()+16j
		movzx	edi, ds:_KeNumberNodes
		xor	esi, esi
		push	10h
		xor	eax, eax
		mov	[esp+2Ch+var_10], esi
		pop	edx
		mov	[esp+28h+var_4], edi
		mov	[esp+28h+var_C], eax
		mov	[esp+28h+var_8], edx

loc_4A185E:				; CODE XREF: MiAdjustCachedStacks()+E2j
		xor	edi, edi
		mov	esi, eax
		mov	[esp+28h+var_14], edi

loc_4A1866:				; CODE XREF: MiAdjustCachedStacks()+C8j
		mov	ebx, dword_6D069C
		add	ebx, esi
		mov	eax, [ebx+0Ch]
		mov	[esp+28h+var_18], eax
		sub	eax, [ebx+10h]
		jz	loc_4A190F
		mov	ecx, [ebx+8]
		cmp	eax, edx
		jnb	loc_4A197A
		cmp	ecx, edx
		jl	loc_4A197A
		mov	eax, ecx
		cdq
		cmp	ecx, 40h
		jl	loc_4A1997
		idiv	[esp+28h+var_8]

loc_4A18A1:				; CODE XREF: MiAdjustCachedStacks()+17Fj
					; MiAdjustCachedStacks()+199j
		test	eax, eax
		jz	loc_4A19A8

loc_4A18A9:				; CODE XREF: MiAdjustCachedStacks()+1A1j
		add	ecx, eax
		mov	eax, 100h
		cmp	ecx, eax
		jle	short loc_4A18B6
		mov	ecx, eax

loc_4A18B6:				; CODE XREF: MiAdjustCachedStacks()+A8j
		mov	eax, [esp+28h+var_18]
		mov	[ebx+8], ecx
		mov	[ebx+10h], eax

loc_4A18C0:				; CODE XREF: MiAdjustCachedStacks()+135j
					; MiAdjustCachedStacks()+15Dj
		push	10h
		pop	edx

loc_4A18C3:				; CODE XREF: MiAdjustCachedStacks()+109j
		and	dword ptr [ebx+14h], 0
		add	esi, 18h
		inc	edi
		mov	[esp+28h+var_14], edi
		cmp	edi, 1
		jle	short loc_4A1866
		mov	esi, [esp+28h+var_10]
		mov	eax, [esp+28h+var_C]
		inc	esi
		add	eax, 48h
		mov	[esp+28h+var_10], esi
		mov	[esp+28h+var_C], eax
		cmp	esi, [esp+28h+var_4]
		jb	loc_4A185E
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4A18F9:				; CODE XREF: MiAdjustCachedStacks()+27j
		xor	ecx, ecx
		xchg	ecx, [eax]
		test	ecx, ecx
		jz	loc_4A1837
		call	MiDeleteCachedKernelStack
		jmp	loc_4A1837
; 

loc_4A190F:				; CODE XREF: MiAdjustCachedStacks()+6Ej
		cmp	dword ptr [ebx+14h], 0
		jnz	short loc_4A18C3
		mov	ecx, [ebx+8]
		mov	eax, ecx
		cdq
		mov	[esp+28h+var_18], 14h
		idiv	[esp+28h+var_18]
		test	eax, eax
		jz	short loc_4A198E

loc_4A192B:				; CODE XREF: MiAdjustCachedStacks()+18Bj
		sub	ecx, eax
		mov	[esp+28h+var_18], ecx
		cmp	ecx, 5
		jl	short loc_4A196C

loc_4A1936:				; CODE XREF: MiAdjustCachedStacks()+165j
					; MiAdjustCachedStacks()+16Ej
		movzx	eax, word ptr [ebx+4]
		mov	[ebx+8], ecx
		cmp	eax, ecx
		jle	loc_4A18C0
		mov	edi, [esp+28h+var_18]

loc_4A1949:				; CODE XREF: MiAdjustCachedStacks()+157j
		mov	ecx, ebx
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	short loc_4A195B
		mov	ecx, eax
		call	MiDeleteCachedKernelStack

loc_4A195B:				; CODE XREF: MiAdjustCachedStacks()+148j
		movzx	eax, word ptr [ebx+4]
		cmp	eax, edi
		jg	short loc_4A1949
		mov	edi, [esp+28h+var_14]
		jmp	loc_4A18C0
; 

loc_4A196C:				; CODE XREF: MiAdjustCachedStacks()+12Aj
		cmp	edi, 1
		jz	short loc_4A1936
		push	5
		pop	ecx
		mov	[esp+28h+var_18], ecx
		jmp	short loc_4A1936
; 

loc_4A197A:				; CODE XREF: MiAdjustCachedStacks()+79j
					; MiAdjustCachedStacks()+81j
		mov	eax, ecx
		mov	[esp+28h+var_14], 4
		cdq
		idiv	[esp+28h+var_14]
		jmp	loc_4A18A1
; 

loc_4A198E:				; CODE XREF: MiAdjustCachedStacks()+11Fj
		xor	eax, eax
		test	ecx, ecx
		setnz	al
		jmp	short loc_4A192B
; 

loc_4A1997:				; CODE XREF: MiAdjustCachedStacks()+8Dj
		mov	[esp+28h+var_14], 8
		idiv	[esp+28h+var_14]
		jmp	loc_4A18A1
; 

loc_4A19A8:				; CODE XREF: MiAdjustCachedStacks()+99j
		xor	eax, eax
		inc	eax
		jmp	loc_4A18A9
_MiAdjustCachedStacks@0	endp


;  S U B	R O U T	I N E 


MiDeleteCachedKernelStack proc near	; CODE XREF: MiAdjustCachedStacks()+FBp
					; MiAdjustCachedStacks()+14Cp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BD538 SIZE 00000032 BYTES

		mov	edi, edi
		push	ecx
		mov	eax, dword_6D35A4
		add	ecx, 0FFFFF008h
		xor	eax, ecx
		mov	edx, [ecx+0FF0h]
		cmp	edx, eax
		jnz	loc_5BD538
		shr	ecx, 9
		xor	edx, edx
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		call	_MiDeleteKernelStack@8 ; MiDeleteKernelStack(x,x)
		pop	ecx
		retn
MiDeleteCachedKernelStack endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteKernelStack(x, x)
_MiDeleteKernelStack@8 proc near	; CODE XREF: MiDeleteCachedKernelStack+2Fp
					; MmDeleteKernelStack(x,x)+2A2p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [ebp+var_34]
		push	6
		pop	ecx
		rep stosd
		test	dl, 1
		jnz	loc_4A1B28
		movzx	ebx, byte_6D3408

loc_4A1A0D:				; CODE XREF: MiDeleteKernelStack(x,x)+145j
		imul	eax, ebx, -8
		lea	ecx, [ebx+1]
		xor	edi, edi
		mov	[ebp+var_18], ebx
		and	[ebp+var_C], edi
		add	esi, eax
		mov	[ebp+var_1C], esi
		lea	eax, [esi+ecx*8]
		mov	ecx, offset unk_6D3A40
		mov	[ebp+var_14], eax
		call	MiLockWorkingSetShared
		mov	[ebp+var_1], al
		cmp	esi, [ebp+var_14]
		jnb	short loc_4A1A99
		mov	ebx, [ebp+var_C]

loc_4A1A3B:				; CODE XREF: MiDeleteKernelStack(x,x)+98j
		test	edi, edi
		jz	loc_4A1AF9
		test	esi, 0FFFh
		jz	loc_4A1AED

loc_4A1A4F:				; CODE XREF: MiDeleteKernelStack(x,x)+132j
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		and	ecx, 1
		or	ecx, 0
		mov	[ebp+var_C], eax
		jz	short loc_4A1A78
		test	ebx, ebx
		jz	loc_4A1B1D

loc_4A1A68:				; CODE XREF: MiDeleteKernelStack(x,x)+13Dj
		lea	eax, [ebp+var_34]
		mov	edx, esi
		push	eax
		push	0
		call	_MiDeleteValidSystemPage@16 ; MiDeleteValidSystemPage(x,x,x,x)
		inc	[ebp+var_34]

loc_4A1A78:				; CODE XREF: MiDeleteKernelStack(x,x)+78j
		add	esi, 8
		cmp	esi, [ebp+var_14]
		jb	short loc_4A1A3B
		mov	[ebp+var_C], ebx
		mov	ebx, [ebp+var_18]
		test	edi, edi
		jz	short loc_4A1A96
		mov	edx, edi
		mov	ecx, offset unk_6D3A40
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4A1A96:				; CODE XREF: MiDeleteKernelStack(x,x)+A2j
		mov	al, [ebp+var_1]

loc_4A1A99:				; CODE XREF: MiDeleteKernelStack(x,x)+50j
		mov	dl, al
		mov	ecx, offset unk_6D3A40
		call	MiUnlockWorkingSetShared
		mov	esi, [ebp+var_C]
		cmp	esi, offset _MiSystemPartition
		jnz	short loc_4A1ABD
		mov	eax, ebx
		mov	ecx, offset unk_6D3628
		neg	eax
		lock xadd [ecx], eax

loc_4A1ABD:				; CODE XREF: MiDeleteKernelStack(x,x)+C8j
		mov	edx, [ebp+var_34]
		mov	ecx, esi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	short loc_4A1B30

loc_4A1ACB:				; CODE XREF: MiDeleteKernelStack(x,x)+154j
		mov	edx, [ebp+var_1C]
		lea	eax, [ebx+1]
		push	eax
		mov	ecx, offset unk_6D33D0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		sub	ebx, [ebp+var_30]
		mov	ecx, esi
		mov	edx, ebx
		call	MiReturnCommit
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4A1AED:				; CODE XREF: MiDeleteKernelStack(x,x)+63j
		mov	edx, edi
		mov	ecx, offset unk_6D3A40
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4A1AF9:				; CODE XREF: MiDeleteKernelStack(x,x)+57j
		mov	edi, esi
		mov	ecx, offset unk_6D3A40
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		push	0
		mov	edx, edi
		call	MiLockPageTableInternal
		jmp	loc_4A1A4F
; 

loc_4A1B1D:				; CODE XREF: MiDeleteKernelStack(x,x)+7Cj
		nop
		mov	ebx, offset _MiSystemPartition
		jmp	loc_4A1A68
; 

loc_4A1B28:				; CODE XREF: MiDeleteKernelStack(x,x)+1Aj
		push	0Fh
		pop	ebx
		jmp	loc_4A1A0D
; 

loc_4A1B30:				; CODE XREF: MiDeleteKernelStack(x,x)+E3j
		lea	ecx, [esi+1000h]
		lock xadd [ecx], eax
		jmp	short loc_4A1ACB
_MiDeleteKernelStack@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiLockWsle(x, x)
_MiLockWsle@8	proc near		; CODE XREF: NtLockVirtualMemory(x,x,x,x)+4B7p
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	eax, edi
		movzx	esi, byte ptr [ebx+60h]
		and	esi, 7
		shr	eax, 0Ch
		mov	esi, dword_6D2E68[esi*4]
		add	esi, eax
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		mov	ecx, [esi-40000000h]
		nop
		mov	eax, [esi-3FFFFFFCh]
		nop
		shrd	ecx, eax, 0Ch
		xor	edx, edx
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiLockPageTablePage@8 ; MiLockPageTablePage(x,x)
		test	eax, eax
		jz	short loc_4A1BB0
		push	8
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	MiSetVaAgeList
		test	eax, eax
		jz	short loc_4A1BA7
		xor	eax, eax
		inc	eax

loc_4A1BA3:				; CODE XREF: MiLockWsle(x,x)+76j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4A1BA7:				; CODE XREF: MiLockWsle(x,x)+62j
		mov	edx, edi
		mov	ecx, ebx
		call	_MiUnlockVaSoftWsle@8 ;	MiUnlockVaSoftWsle(x,x)

loc_4A1BB0:				; CODE XREF: MiLockWsle(x,x)+51j
		xor	eax, eax
		jmp	short loc_4A1BA3
_MiLockWsle@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtLockVirtualMemory(x, x, x, x)
_NtLockVirtualMemory@16	proc near	; DATA XREF: .text:00580FA0o

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	94h
		push	offset dword_6A1BB8
		call	__SEH_prolog4_GS
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_40], esi
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_A0], edx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_88], eax
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		xor	ebx, ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_5C], eax
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_4C]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		push	[ebp+arg_C]
		mov	eax, [ebp+var_88]
		push	eax
		mov	ecx, esi
		call	MiLockUnlockCommon
		test	eax, eax
		js	loc_4A23AD
		mov	eax, large fs:124h
		mov	[ebp+var_9C], eax
		mov	esi, [ebp+var_48]
		dec	esi
		add	esi, [ebp+var_50]
		mov	eax, 0FFFFF000h
		and	esi, eax
		mov	[ebp+var_58], esi
		mov	edi, [ebp+var_50]
		and	edi, eax
		mov	[ebp+var_44], edi
		mov	eax, esi
		sub	eax, edi
		shr	eax, 0Ch
		inc	eax
		mov	ecx, ebx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_68], ecx
		test	al, 3Fh
		push	ebx
		pop	ecx
		setnz	cl
		shr	eax, 6
		add	ecx, eax
		shl	ecx, 3
		push	ebx
		push	40h
		mov	edx, 6B6C6D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_78], eax
		test	eax, eax
		jnz	short loc_4A1C90
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_4C]
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C000009Ah
		jmp	loc_4A23AD
; 

loc_4A1C90:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+C3j
		cmp	[ebp+var_40], 0FFFFFFFFh
		jz	short loc_4A1CAB
		lea	eax, [ebp+var_34]
		push	eax
		push	[ebp+var_4C]
		call	KeStackAttachProcess
		push	2
		pop	eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_7C], eax

loc_4A1CAB:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+E0j
		mov	eax, [ebp+var_50]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	ecx, 40000000h
		sub	eax, ecx
		mov	[ebp+var_3C], eax
		mov	[ebp+var_80], edi
		mov	eax, esi
		shr	eax, 9
		sub	eax, ecx
		mov	[ebp+var_90], eax
		push	ebx
		push	esi
		mov	edx, edi
		mov	ecx, [ebp+var_4C]
		call	MiLockVadRange
		mov	esi, eax
		mov	[ebp+var_74], esi
		test	esi, esi
		jnz	short loc_4A1CEF
		mov	esi, 0C0000005h
		jmp	loc_4A21E1
; 

loc_4A1CEF:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+12Fj
		mov	ecx, edi
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	esi, eax
		mov	[ebp+var_64], esi
		mov	ecx, esi
		mov	edi, ebx
		cmp	[ebp+var_74], ebx
		jbe	short loc_4A1D42

loc_4A1D04:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+18Cj
		call	_MiVadPagesTradable@4 ;	MiVadPagesTradable(x)
		test	eax, eax
		jz	loc_4A1DBC
		mov	edx, ecx
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_4A1D34
		mov	ecx, eax
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_4A1D3C

loc_4A1D22:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+176j
		mov	ecx, edx
		mov	eax, [edx]
		mov	edx, eax
		test	eax, eax
		jnz	short loc_4A1D22
		jmp	short loc_4A1D3C
; 

loc_4A1D2E:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+186j
		cmp	[ecx], edx
		jz	short loc_4A1D3C
		mov	edx, ecx

loc_4A1D34:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+164j
		mov	ecx, [ecx+8]
		and	ecx, 0FFFFFFFCh
		jnz	short loc_4A1D2E

loc_4A1D3C:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+16Cj
					; NtLockVirtualMemory(x,x,x,x)+178j ...
		inc	edi
		cmp	edi, [ebp+var_74]
		jb	short loc_4A1D04

loc_4A1D42:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+14Ej
		mov	ecx, esi
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		mov	[ebp+var_84], eax
		mov	edi, ebx
		mov	esi, [ebp+var_4C]
		add	esi, 240h
		mov	[ebp+var_70], esi
		mov	eax, [esi+0Ch]
		mov	[ebp+var_98], eax
		mov	ecx, esi
		call	MiLockWorkingSetShared
		mov	cl, al
		mov	[ebp+var_35], cl
		mov	byte ptr [ebp+var_60], cl

loc_4A1D75:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+31Ej
					; NtLockVirtualMemory(x,x,x,x)+73Ej
		mov	edx, [ebp+var_44]
		mov	eax, [ebp+var_58]

loc_4A1D7B:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+71Cj
		cmp	edx, eax
		ja	loc_4A22F7
		mov	eax, edx
		shr	eax, 0Ch
		mov	ecx, [ebp+var_64]
		cmp	eax, [ecx+10h]
		jbe	short loc_4A1DF3
		mov	[ebp+var_40], ecx
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_4A1DC6
		mov	ecx, eax
		mov	[ebp+var_64], ecx
		mov	eax, [ecx]
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	short loc_4A1DE8
		mov	esi, eax

loc_4A1DAA:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+201j
		mov	ecx, esi
		mov	[ebp+var_64], ecx
		mov	eax, [esi]
		mov	esi, eax
		test	eax, eax
		jnz	short loc_4A1DAA
		mov	esi, [ebp+var_70]
		jmp	short loc_4A1DE8
; 

loc_4A1DBC:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+157j
		mov	esi, 0C000004Dh
		jmp	loc_4A21E1
; 

loc_4A1DC6:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+1E4j
		mov	ecx, [ecx+8]
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_64], ecx
		jz	short loc_4A1DE8
		mov	edx, [ebp+var_40]

loc_4A1DD4:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+22Cj
		cmp	[ecx], edx
		jz	short loc_4A1DE2
		mov	edx, ecx
		mov	ecx, [ecx+8]
		and	ecx, 0FFFFFFFCh
		jnz	short loc_4A1DD4

loc_4A1DE2:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+222j
		mov	[ebp+var_64], ecx
		mov	edx, [ebp+var_44]

loc_4A1DE8:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+1F2j
					; NtLockVirtualMemory(x,x,x,x)+206j ...
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		mov	[ebp+var_84], eax

loc_4A1DF3:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+1DAj
		mov	eax, edx
		shr	eax, 12h
		and	eax, 3FF8h
		add	eax, 0C0600000h
		mov	[ebp+var_40], eax
		cmp	edi, eax
		jz	loc_4A1E95
		test	edi, edi
		jz	short loc_4A1E1F
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		mov	edi, ebx
		mov	ecx, [ebp+var_64]

loc_4A1E1F:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+25Bj
		cmp	[ebp+var_84], 0
		jz	short loc_4A1E6C
		lea	eax, [ebp+var_8C]
		push	eax
		push	ebx
		push	[ebp+var_60]
		push	ebx
		mov	edx, [ebp+var_90]
		mov	ecx, [ebp+var_3C]
		call	MiGetNextPageTable
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_4A1E59
		mov	edi, ecx
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h

loc_4A1E59:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+292j
		mov	eax, [ebp+var_3C]
		cmp	ecx, eax
		jz	short loc_4A1E98
		mov	[ebp+var_3C], 0C0000005h
		jmp	loc_4A20C8
; 

loc_4A1E6C:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+272j
		mov	eax, [ecx+1Ch]
		shr	eax, 0Ch
		and	eax, 3Fh
		push	ebx
		push	[ebp+var_60]
		push	eax
		xor	edx, edx
		mov	edi, [ebp+var_3C]
		mov	ecx, edi
		call	MiMakeSystemAddressValid
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h

loc_4A1E95:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+253j
		mov	eax, [ebp+var_3C]

loc_4A1E98:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+2AAj
		mov	eax, [eax]
		and	eax, 1
		or	eax, ebx
		jnz	short loc_4A1F1D
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		mov	edi, ebx
		mov	dl, [ebp+var_35]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	[ebp+ms_exc.disabled], ebx
		mov	edx, [ebp+var_44]
		mov	al, [edx]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, esi
		call	MiLockWorkingSetShared
		mov	[ebp+var_35], al
		mov	byte ptr [ebp+var_60], al
		jmp	loc_4A1D75
; 

loc_4A1ED7:				; DATA XREF: .text:006A1BCCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_94], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_4A1EE8:				; DATA XREF: .text:006A1BD0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_94]
		mov	[ebp+var_3C], eax
		mov	esi, [ebp+var_70]
		mov	ecx, esi
		call	MiLockWorkingSetShared
		mov	[ebp+var_35], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, ebx
		mov	eax, [ebp+var_68]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+var_7C]
		mov	[ebp+var_5C], eax
		jmp	loc_4A20C8
; 

loc_4A1F1D:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+2EBj
		mov	ecx, [ebp+var_3C]
		call	_MI_READ_PTE_LOCK_FREE@4 ; MI_READ_PTE_LOCK_FREE(x)
		nop
		shrd	eax, edx, 0Ch
		and	eax, 1FFFFFFh
		imul	eax, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_48], eax
		mov	edx, [ebp+var_44]
		mov	ecx, esi
		call	MiGetWsleContents
		and	al, 0Fh
		cmp	al, 8
		jz	loc_4A2266
		mov	eax, [ebp+var_98]
		mov	eax, [eax+14h]
		add	eax, 6
		cmp	[esi+3Ch], eax
		ja	short loc_4A1F6C
		mov	[ebp+var_3C], 0C00000A1h
		jmp	loc_4A20C8
; 

loc_4A1F6C:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+3AAj
		mov	ecx, [ebp+var_48]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4A1F88
		xor	edx, edx
		inc	edx
		call	_MiLockPageTablePage@8 ; MiLockPageTablePage(x,x)
		test	eax, eax
		jz	loc_4A20C1

loc_4A1F88:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+3C2j
		mov	eax, [ebp+var_40]
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	eax, ecx, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_40], eax
		push	2
		pop	edx
		mov	ecx, eax
		call	_MiLockPageTablePage@8 ; MiLockPageTablePage(x,x)
		mov	ecx, [ebp+var_48]
		test	eax, eax
		jnz	short loc_4A1FE3
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_4A20C1
		mov	eax, [ecx+18h]
		and	eax, offset loc_7FFFFF
		imul	ecx, eax, 1Ch
		add	ecx, ds:_MmPfnDatabase
		xor	edx, edx
		inc	edx
		call	_MiUnlockPageTableCharges@8 ; MiUnlockPageTableCharges(x,x)
		jmp	loc_4A20C1
; 

loc_4A1FE3:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+402j
		mov	[ebp+var_68], ebx
		lea	edx, [ecx+8]
		mov	[ebp+var_6C], edx
		mov	eax, [edx]
		and	eax, 400h
		or	eax, ebx
		jnz	short loc_4A200F
		mov	ecx, edx
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jz	short loc_4A2066
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+var_48]
		call	MiLockPageAndSetDirty
		jmp	short loc_4A2066
; 

loc_4A200F:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+441j
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4A2066
		mov	eax, offset _MiSystemPartition
		mov	[ebp+var_68], eax
		push	ebx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		call	MiChargeCommit
		test	eax, eax
		jnz	short loc_4A205F
		push	2
		pop	edx
		mov	ecx, [ebp+var_40]
		call	_MiUnlockPageTableCharges@8 ; MiUnlockPageTableCharges(x,x)
		mov	ecx, [ebp+var_48]
		mov	eax, [ecx+18h]
		and	eax, offset loc_7FFFFF
		imul	ecx, eax, 1Ch
		add	ecx, ds:_MmPfnDatabase
		xor	edx, edx
		inc	edx
		call	_MiUnlockPageTableCharges@8 ; MiUnlockPageTableCharges(x,x)
		mov	[ebp+var_3C], 0C000012Dh
		jmp	short loc_4A20C8
; 

loc_4A205F:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+479j
		lock inc dword_6D5F60

loc_4A2066:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+44Cj
					; NtLockVirtualMemory(x,x,x,x)+459j ...
		mov	edx, [ebp+var_44]
		mov	ecx, esi
		call	_MiLockWsle@8	; MiLockWsle(x,x)
		test	eax, eax
		jnz	loc_4A221C
		push	2
		pop	edx
		mov	ecx, [ebp+var_40]
		call	_MiUnlockPageTableCharges@8 ; MiUnlockPageTableCharges(x,x)
		mov	ecx, [ebp+var_48]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4A20C1
		mov	eax, [ecx+18h]
		and	eax, offset loc_7FFFFF
		imul	ecx, eax, 1Ch
		add	ecx, ds:_MmPfnDatabase
		xor	edx, edx
		inc	edx
		call	_MiUnlockPageTableCharges@8 ; MiUnlockPageTableCharges(x,x)
		mov	ecx, [ebp+var_6C]
		mov	eax, [ecx]
		and	eax, 400h
		or	eax, ebx
		jz	short loc_4A20C1
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+var_68]
		call	MiReturnCommit

loc_4A20C1:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+3CEj
					; NtLockVirtualMemory(x,x,x,x)+40Bj ...
		mov	[ebp+var_3C], 0C000009Ah

loc_4A20C8:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+2B3j
					; NtLockVirtualMemory(x,x,x,x)+364j ...
		test	edi, edi
		jz	short loc_4A20D7
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		mov	edi, ebx

loc_4A20D7:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+516j
		mov	eax, [ebp+var_54]
		test	eax, eax
		jz	loc_4A21C7
		lea	ecx, [eax-1]
		mov	[ebp+var_50], ecx
		shl	eax, 0Ch
		mov	edx, [ebp+var_80]
		add	edx, 0FFFFF000h
		add	edx, eax
		mov	[ebp+var_60], edx

loc_4A20F9:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+60Dj
		mov	eax, ecx
		shr	eax, 5
		and	ecx, 1Fh
		mov	esi, [ebp+var_78]
		mov	eax, [esi+eax*4]
		shr	eax, cl
		test	al, 1
		mov	esi, [ebp+var_70]
		jz	short loc_4A214F
		mov	eax, edx
		shr	eax, 12h
		and	eax, 3FF8h
		mov	[ebp+var_6C], eax
		add	eax, 0C0600000h
		cmp	edi, eax
		jz	short loc_4A2148
		test	edi, edi
		jz	short loc_4A2133
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)

loc_4A2133:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+574j
		mov	edi, [ebp+var_6C]
		add	edi, 0C0600000h
		mov	edx, edi
		mov	ecx, esi
		call	_MiLockPageTable@8 ; MiLockPageTable(x,x)
		mov	edx, [ebp+var_60]

loc_4A2148:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+570j
		mov	ecx, esi
		call	_MiUnlockVa@8	; MiUnlockVa(x,x)

loc_4A214F:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+55Aj
		mov	eax, ebx
		mov	[ebp+var_6C], eax
		test	byte ptr [ebp+var_50], 0Fh
		jnz	short loc_4A2185
		mov	ecx, esi
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_4A218A
		test	edi, edi
		jz	short loc_4A2174
		mov	edx, edi
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jnz	short loc_4A218A

loc_4A2174:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+5B3j
		call	_MiShouldYieldProcessor@0 ; MiShouldYieldProcessor()
		test	eax, eax
		jz	short loc_4A2182
		xor	eax, eax
		inc	eax
		jmp	short loc_4A2185
; 

loc_4A2182:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+5C7j
		mov	eax, [ebp+var_6C]

loc_4A2185:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+5A4j
					; NtLockVirtualMemory(x,x,x,x)+5CCj
		cmp	eax, 1
		jnz	short loc_4A21AA

loc_4A218A:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+5AFj
					; NtLockVirtualMemory(x,x,x,x)+5BEj
		test	edi, edi
		jz	short loc_4A2199
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		mov	edi, ebx

loc_4A2199:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+5D8j
		mov	dl, [ebp+var_35]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	ecx, esi
		call	MiLockWorkingSetShared

loc_4A21AA:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+5D4j
		mov	edx, [ebp+var_60]
		sub	edx, 1000h
		mov	[ebp+var_60], edx
		mov	ecx, [ebp+var_50]
		dec	ecx
		mov	[ebp+var_50], ecx
		sub	[ebp+var_54], 1
		jnz	loc_4A20F9

loc_4A21C7:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+528j
		test	edi, edi
		jz	short loc_4A21D4
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)

loc_4A21D4:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+615j
		mov	dl, [ebp+var_35]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	esi, [ebp+var_3C]

loc_4A21E1:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+136j
					; NtLockVirtualMemory(x,x,x,x)+20Dj
		push	ebx
		push	[ebp+var_74]
		mov	edx, [ebp+var_80]
		mov	ecx, [ebp+var_4C]
		call	_MiUnlockVadRange@16 ; MiUnlockVadRange(x,x,x,x)
		test	byte ptr [ebp+var_5C], 2
		jz	short loc_4A21FF
		lea	eax, [ebp+var_34]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)

loc_4A21FF:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+640j
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_4C]
		call	ObfDereferenceObjectWithTag
		push	ebx
		push	[ebp+var_78]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	loc_4A23AD
; 

loc_4A221C:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+4BEj
		mov	ecx, [ebp+var_9C]
		call	_MiGetEffectivePagePriorityThread@4 ; MiGetEffectivePagePriorityThread(x)
		mov	esi, eax
		mov	ecx, [ebp+var_48]
		call	_MiLockPageAtDpc@4 ; MiLockPageAtDpc(x)
		push	ebx
		mov	edx, esi
		mov	esi, [ebp+var_48]
		mov	ecx, esi
		call	_MiUpdatePfnPriority@12	; MiUpdatePfnPriority(x,x,x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	edx, [ebp+var_54]
		shr	edx, 5
		mov	ecx, [ebp+var_54]
		and	ecx, 1Fh
		mov	esi, [ebp+var_78]
		mov	eax, [esi+edx*4]
		bts	eax, ecx
		mov	[esi+edx*4], eax
		mov	esi, [ebp+var_70]
		jmp	short loc_4A2272
; 

loc_4A2266:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+395j
		mov	eax, [ebp+var_5C]
		or	eax, 1
		mov	[ebp+var_5C], eax
		mov	[ebp+var_7C], eax

loc_4A2272:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+6B0j
		mov	eax, [ebp+var_54]
		inc	eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_68], eax
		mov	ecx, [ebp+var_3C]
		add	ecx, 8
		mov	[ebp+var_3C], ecx
		mov	edx, [ebp+var_44]
		add	edx, 1000h
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ebx
		mov	eax, [ebp+var_58]
		cmp	edx, eax
		ja	short loc_4A22CC
		test	cl, 78h
		jnz	short loc_4A22CC
		mov	ecx, esi
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_4A22D6
		mov	edx, edi
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jnz	short loc_4A22D6
		call	_MiShouldYieldProcessor@0 ; MiShouldYieldProcessor()
		mov	edx, [ebp+var_44]
		test	eax, eax
		mov	eax, [ebp+var_58]
		jz	short loc_4A22CC
		mov	[ebp+var_40], 1

loc_4A22CC:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+6E5j
					; NtLockVirtualMemory(x,x,x,x)+6EAj ...
		cmp	[ebp+var_40], 0
		jz	loc_4A1D7B

loc_4A22D6:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+6F5j
					; NtLockVirtualMemory(x,x,x,x)+700j
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		mov	dl, [ebp+var_35]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	edi, ebx
		mov	ecx, esi
		call	MiLockWorkingSetShared
		jmp	loc_4A1D75
; 

loc_4A22F7:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+1C9j
		test	edi, edi
		jz	short loc_4A2304
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)

loc_4A2304:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+745j
		mov	dl, [ebp+var_35]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		push	ebx
		push	[ebp+var_74]
		mov	edx, [ebp+var_80]
		mov	ecx, [ebp+var_4C]
		call	_MiUnlockVadRange@16 ; MiUnlockVadRange(x,x,x,x)
		test	byte ptr [ebp+var_5C], 2
		jz	short loc_4A232C
		lea	eax, [ebp+var_34]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)

loc_4A232C:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+76Dj
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_4C]
		call	ObfDereferenceObjectWithTag
		push	ebx
		push	[ebp+var_78]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 1
		mov	edx, [ebp+var_50]
		mov	eax, edx
		mov	esi, 0FFFFF000h
		and	eax, esi
		mov	ecx, [ebp+var_58]
		sub	ecx, eax
		add	ecx, 1000h
		mov	eax, [ebp+var_88]
		mov	[eax], ecx
		and	edx, esi
		mov	eax, [ebp+var_A0]
		mov	[eax], edx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_5C]
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 40000019h
		jmp	short loc_4A23AD
; 

loc_4A238C:				; DATA XREF: .text:006A1BD8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_A4], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_4A239D:				; DATA XREF: .text:006A1BDCo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_A4]

loc_4A23AD:				; CODE XREF: NtLockVirtualMemory(x,x,x,x)+67j
					; NtLockVirtualMemory(x,x,x,x)+D7j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_NtLockVirtualMemory@16	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmFlushSection	proc near		; CODE XREF: CcSetFileSizesEx+56Ap
					; .text:004ACC96p ...

var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		and	[esp+34h+var_30], 0
		xor	eax, eax
		and	[esp+34h+var_2C], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [esp+40h+var_18]
		push	6
		pop	ecx
		rep stosd
		test	edx, edx
		jz	short loc_4A23FA
		mov	eax, [edx]
		mov	[esp+40h+var_30], eax
		mov	eax, [edx+4]
		lea	edx, [esp+40h+var_30]
		mov	[esp+40h+var_2C], eax

loc_4A23FA:				; CODE XREF: MmFlushSection+27j
		mov	esi, [ebp+arg_8]
		lea	ecx, [esp+40h+var_18]
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		push	ecx
		push	edi
		push	eax
		mov	ecx, ebx
		mov	[esi], edi
		mov	[esi+4], eax
		call	_MiComputeFlushRange@20	; MiComputeFlushRange(x,x,x,x,x)
		test	eax, eax
		jz	loc_4A2520
		test	[ebp+arg_C], 1
		mov	ebx, large fs:124h
		mov	[esp+40h+var_20], ebx
		mov	al, [ebx+308h]
		mov	[esp+40h+var_31], al
		mov	byte ptr [ebx+308h], 1
		jz	loc_4A2502
		mov	eax, [esp+40h+var_18]
		mov	ecx, eax
		mov	[esp+40h+var_30], edi
		mov	[esp+40h+var_24], eax
		call	MiReferenceControlAreaFile
		mov	ebx, eax
		mov	[esp+40h+var_1C], ebx

loc_4A245C:				; CODE XREF: MiDeleteCachedKernelStack+11BBAFj
		mov	ecx, ebx
		call	FsRtlAcquireFileForCcFlushEx
		mov	edi, eax
		test	edi, edi
		js	short loc_4A2499
		mov	edx, [esp+40h+var_10]
		mov	ecx, [esp+40h+var_14]
		push	esi
		push	dword ptr [ebp+arg_C]
		push	0
		push	[esp+4Ch+var_8]
		push	[esp+50h+var_C]
		call	MiFlushSectionInternal
		mov	ecx, ebx
		mov	edi, eax
		call	FsRtlReleaseFileForCcFlush
		cmp	edi, 0C0000054h
		jz	loc_5BD548

loc_4A2499:				; CODE XREF: MmFlushSection+A7j
					; MiDeleteCachedKernelStack+11BBB5j
		mov	eax, [esp+40h+var_24]
		mov	ecx, [eax+20h]
		mov	eax, ecx

loc_4A24A2:				; CODE XREF: MmFlushSection+173j
		xor	eax, ebx
		cmp	eax, 7
		jnb	short loc_4A2524
		mov	esi, [esp+40h+var_24]
		lea	edx, [ecx+1]
		mov	eax, ecx
		add	esi, 20h
		lock cmpxchg [esi], edx
		mov	esi, [ebp+arg_8]
		mov	ebx, [esp+40h+var_1C]
		cmp	eax, ecx
		jnz	short loc_4A2531

loc_4A24C4:				; CODE XREF: MmFlushSection+16Fj
		mov	ebx, [esp+40h+var_20]

loc_4A24C8:				; CODE XREF: MmFlushSection+15Ej
		test	edi, edi
		js	short loc_4A24D2
		cmp	dword ptr [esi+4], 0
		jz	short loc_4A2538

loc_4A24D2:				; CODE XREF: MmFlushSection+10Aj
		mov	eax, [esp+40h+var_4]
		shl	eax, 0Ch
		add	[esi+4], eax

loc_4A24DC:				; CODE XREF: MmFlushSection+17Ej
		mov	al, [esp+40h+var_31]
		push	[esp+40h+var_8]
		mov	edx, [esp+44h+var_C]
		mov	ecx, [esp+44h+var_18]
		mov	[ebx+308h], al
		call	_MiFlushRelease@12 ; MiFlushRelease(x,x,x)
		mov	eax, edi

loc_4A24F9:				; CODE XREF: MmFlushSection+162j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4A2502:				; CODE XREF: MmFlushSection+7Dj
		mov	edx, [esp+40h+var_10]
		mov	ecx, [esp+40h+var_14]
		push	esi
		push	dword ptr [ebp+arg_C]
		push	edi
		push	[esp+4Ch+var_8]
		push	[esp+50h+var_C]
		call	MiFlushSectionInternal
		mov	edi, eax
		jmp	short loc_4A24C8
; 

loc_4A2520:				; CODE XREF: MmFlushSection+57j
		xor	eax, eax
		jmp	short loc_4A24F9
; 

loc_4A2524:				; CODE XREF: MmFlushSection+E7j
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	short loc_4A24C4
; 

loc_4A2531:				; CODE XREF: MmFlushSection+102j
		mov	ecx, eax
		jmp	loc_4A24A2
; 

loc_4A2538:				; CODE XREF: MmFlushSection+110j
		mov	eax, [ebp+arg_0]
		mov	[esi+4], eax
		jmp	short loc_4A24DC
MmFlushSection	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiComputeFlushRange(x, x, x, x, x)
_MiComputeFlushRange@20	proc near	; CODE XREF: MmFlushSection+50p
					; MmTrimSection(x,x,x,x)+47p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_1], 0
		lea	eax, [ebp-1]
		xor	edx, edx
		push	eax
		inc	edx
		call	MiLockSectionControlArea
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_4A259A
		cmp	[ebp+arg_4], 0
		jnz	short loc_4A259E

loc_4A2566:				; CODE XREF: MiComputeFlushRange(x,x,x,x,x)+65j
		test	byte ptr [ecx+1Ch], 3
		jnz	short loc_4A2588
		cmp	dword ptr [ecx+10h], 0
		jz	short loc_4A2588
		push	[ebp+arg_8]
		mov	dl, [ebp+var_1]
		push	0
		push	[ebp+arg_0]
		push	esi
		call	_MiComputeDataFlushRange@24 ; MiComputeDataFlushRange(x,x,x,x,x,x)

loc_4A2583:				; CODE XREF: MiComputeFlushRange(x,x,x,x,x)+5Cj
		pop	esi
		leave
		retn	0Ch
; 

loc_4A2588:				; CODE XREF: MiComputeFlushRange(x,x,x,x,x)+2Aj
					; MiComputeFlushRange(x,x,x,x,x)+30j ...
		lea	eax, [ecx+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4A259A:				; CODE XREF: MiComputeFlushRange(x,x,x,x,x)+1Ej
		xor	eax, eax
		jmp	short loc_4A2583
; 

loc_4A259E:				; CODE XREF: MiComputeFlushRange(x,x,x,x,x)+24j
		call	MiDoesControlAreaHaveUserWritableReferences
		test	eax, eax
		jnz	short loc_4A2566
		jmp	short loc_4A2588
_MiComputeFlushRange@20	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmSetPfnListInfo(x,	x, x)
_MmSetPfnListInfo@12 proc near		; CODE XREF: PfpPfnPrioRequest+15Dp

var_CA		= byte ptr -0CAh
var_C9		= byte ptr -0C9h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0CCh+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	edi
		push	84h		; size_t
		push	eax		; int
		mov	[esp+0E0h+var_C8], eax
		mov	edi, edx
		mov	[esp+0E0h+var_C4], eax
		mov	[esp+0E0h+var_C0], eax
		mov	[esp+0E0h+var_BC], eax
		lea	eax, [esp+0E0h+var_8C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+arg_0], 0
		jz	short loc_4A261A
		mov	eax, 0C00000BBh
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+0CCh+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4A261A:				; CODE XREF: MmSetPfnListInfo(x,x,x)+4Cj
		mov	eax, large fs:124h
		xor	ebx, ebx
		shl	esi, 4
		add	esi, edi
		mov	[esp+0D8h+var_98], 0
		mov	[esp+0D8h+var_94], 0
		mov	[esp+0D8h+var_90], 10h
		dec	word ptr [eax+13Eh]
		mov	[esp+0D8h+var_A0], esi
		mov	[esp+0D8h+var_B4], ebx
		mov	[esp+0D8h+var_9C], eax
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D4EAC
		call	ExAcquirePushLockSharedEx
		cmp	edi, esi
		jnb	loc_4A27E5
		jmp	short loc_4A2670
; 
		align 10h

loc_4A2670:				; CODE XREF: MmSetPfnListInfo(x,x,x)+B7j
					; MmSetPfnListInfo(x,x,x)+22Fj
		mov	esi, [edi+8]
		cmp	esi, dword_6D07B0
		ja	loc_4A27CF
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_4A27CF
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		mov	[esp+0D8h+var_C0], esi
		lea	ebx, [eax+ecx*4]
		xor	eax, eax
		mov	cl, 2
		mov	[esp+0D8h+var_B0], ebx
		mov	[esp+0D8h+var_C8], eax
		mov	[esp+0D8h+var_C4], eax
		mov	[esp+0D8h+var_BC], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+0D8h+var_C9], al
		lea	esi, [ebx+10h]
		mov	[esp+0D8h+var_A4], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4A26F7

loc_4A26E1:				; CODE XREF: MmSetPfnListInfo(x,x,x)+13Ej
					; MmSetPfnListInfo(x,x,x)+145j
		lea	ecx, [esp+0D8h+var_A4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4A26E1
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4A26E1

loc_4A26F7:				; CODE XREF: MmSetPfnListInfo(x,x,x)+12Fj
		mov	esi, [esp+0D8h+var_B0]
		lea	edx, [esp+0D8h+var_C8]
		mov	ecx, esi
		call	_MiIdentifyPfn@8 ; MiIdentifyPfn(x,x)
		mov	eax, [esp+0D8h+var_BC]
		cmp	eax, [edi+0Ch]
		jnz	loc_4A279B
		mov	eax, [edi]
		mov	ecx, eax
		mov	ebx, [edi+4]
		xor	ecx, [esp+0D8h+var_C8]
		mov	[esp+0D8h+var_B0], eax
		and	ecx, 0FFFFFE00h
		mov	eax, ebx
		xor	eax, [esp+0D8h+var_C4]
		and	eax, 1FFFFFFh
		or	ecx, eax
		jnz	short loc_4A279B
		mov	dl, [esi+16h]
		and	dl, 7
		cmp	dl, 6
		jz	short loc_4A274A
		mov	al, dl
		sub	al, 2
		cmp	al, 2
		ja	short loc_4A279B

loc_4A274A:				; CODE XREF: MmSetPfnListInfo(x,x,x)+190j
		mov	eax, [esp+0D8h+var_B0]
		mov	ecx, esi
		shr	ebx, 19h
		mov	[esp+0D8h+var_B0], eax
		and	ebx, 7
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		cmp	ebx, eax
		jz	short loc_4A278A
		cmp	dl, 2
		jz	short loc_4A2781
		mov	al, [esi+17h]
		mov	dl, [esp+0D8h+var_C9]
		and	al, 0F8h
		or	al, bl
		mov	[esi+17h], al
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	ebx, [esp+0D8h+var_B4]
		jmp	short loc_4A27D8
; 

loc_4A2781:				; CODE XREF: MmSetPfnListInfo(x,x,x)+1B6j
		mov	edx, ebx
		mov	ecx, esi
		call	_MiRelinkStandbyPage@8 ; MiRelinkStandbyPage(x,x)

loc_4A278A:				; CODE XREF: MmSetPfnListInfo(x,x,x)+1B1j
		mov	dl, [esp+0D8h+var_C9]
		mov	ecx, esi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	ebx, [esp+0D8h+var_B4]
		jmp	short loc_4A27D8
; 

loc_4A279B:				; CODE XREF: MmSetPfnListInfo(x,x,x)+15Dj
					; MmSetPfnListInfo(x,x,x)+185j	...
		mov	dl, [esp+0D8h+var_C9]
		mov	ecx, esi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	eax, [esp+0D8h+var_C8]
		mov	ebx, 0C0000024h
		mov	ecx, [esp+0D8h+var_BC]
		mov	[edi], eax
		or	ecx, 2
		mov	eax, [esp+0D8h+var_C4]
		mov	[edi+4], eax
		mov	eax, [esp+0D8h+var_C0]
		mov	[edi+8], eax
		mov	[esp+0D8h+var_BC], ecx
		mov	[edi+0Ch], ecx
		jmp	short loc_4A27D4
; 

loc_4A27CF:				; CODE XREF: MmSetPfnListInfo(x,x,x)+C9j
					; MmSetPfnListInfo(x,x,x)+E6j
		mov	ebx, 0C00000F0h

loc_4A27D4:				; CODE XREF: MmSetPfnListInfo(x,x,x)+21Dj
		mov	[esp+0D8h+var_B4], ebx

loc_4A27D8:				; CODE XREF: MmSetPfnListInfo(x,x,x)+1CFj
					; MmSetPfnListInfo(x,x,x)+1E9j
		add	edi, 10h
		cmp	edi, [esp+0D8h+var_A0]
		jb	loc_4A2670

loc_4A27E5:				; CODE XREF: MmSetPfnListInfo(x,x,x)+B1j
		cmp	[esp+0D8h+var_94], 0
		jz	short loc_4A27F5
		lea	ecx, [esp+0D8h+var_98]
		call	_MiNotifyPageHeat@4 ; MiNotifyPageHeat(x)

loc_4A27F5:				; CODE XREF: MmSetPfnListInfo(x,x,x)+23Aj
		xor	edx, edx
		mov	eax, 11h
		mov	esi, offset unk_6D4EAC
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_4A2811
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_4A2811:				; CODE XREF: MmSetPfnListInfo(x,x,x)+258j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [esp+0D8h+var_9C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [esp+0D8h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_MmSetPfnListInfo@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiEmptyDecayClusterTimers proc near	; CODE XREF: MiWorkingSetManager(x,x)+16Bp

var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 005BD56A SIZE 000000FA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+38h+var_28], ecx
		lea	edi, [esp+38h+var_C]
		mov	cl, 1
		stosd
		stosd
		stosd
		call	KiQueryUnbiasedInterruptTime
		mov	edi, [esp+38h+var_28]
		mov	esi, eax
		mov	ecx, edx
		sub	esi, [edi+0A38h]
		sbb	ecx, [edi+0A3Ch]
		mov	[esp+38h+var_14], ecx
		jnz	short loc_4A2884
		cmp	esi, (offset loc_98967E+2)
		jb	short loc_4A28BB

loc_4A2884:				; CODE XREF: MiEmptyDecayClusterTimers+3Aj
		mov	[edi+0A38h], eax
		mov	eax, [edi+0A2Ch]
		inc	eax
		mov	[edi+0A3Ch], edx
		and	eax, 3
		mov	[esp+38h+var_24], eax
		mov	eax, [edi+eax*4+0A1Ch]
		and	eax, 0FFFE0000h
		cmp	eax, 0FFFE0000h
		jnz	short loc_4A28C2

loc_4A28B1:				; CODE XREF: MiEmptyDecayClusterTimers+1EFj
		mov	eax, [esp+38h+var_24]
		mov	[edi+0A2Ch], eax

loc_4A28BB:				; CODE XREF: MiEmptyDecayClusterTimers+42j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4A28C2:				; CODE XREF: MiEmptyDecayClusterTimers+6Fj
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		lea	ebx, [edi+6B4h]
		mov	[esp+38h+var_18], ebx

loc_4A28D2:				; CODE XREF: MiEmptyDecayClusterTimers+1B5j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[esp+38h+var_29], al
		mov	[esp+38h+var_8], ebx
		mov	[esp+38h+var_C], 0
		jnz	loc_5BD56A
		lea	edx, [esp+38h+var_C]
		xchg	edx, [ebx]
		test	edx, edx
		jnz	loc_4A2A34

loc_4A2905:				; CODE XREF: MiEmptyDecayClusterTimers+1FDj
					; MiEmptyDecayClusterTimers+11AD35j
		mov	eax, [esp+38h+var_24]
		mov	eax, [edi+eax*4+0A1Ch]
		shr	eax, 11h
		cmp	eax, 7FFFh
		jz	loc_4A29FA
		mov	ebx, dword_6D3250
		mov	ecx, ds:_MmPfnDatabase
		add	ebx, eax
		mov	esi, dword_6D0700
		mov	edi, dword_6D0704
		mov	[esp+38h+var_1C], ecx
		lea	eax, ds:0[ebx*8]
		sub	eax, ebx
		mov	edx, [ecx+eax*4+0Ch]
		lea	ecx, [ecx+eax*4]
		mov	eax, [ecx+8]
		mov	[esp+38h+var_20], ecx
		mov	ecx, esi
		or	ecx, edi
		jz	short loc_4A296B
		mov	ecx, eax
		and	ecx, 10h
		or	ecx, 0
		jnz	short loc_4A296B
		not	esi
		not	edi
		and	eax, esi
		and	edx, edi

loc_4A296B:				; CODE XREF: MiEmptyDecayClusterTimers+117j
					; MiEmptyDecayClusterTimers+121j
		shrd	eax, edx, 0Ch
		and	eax, 3FFFFFFh
		cmp	eax, ebx
		jz	loc_5BD57A
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, [esp+38h+var_1C]
		lea	edi, [eax+ecx*4]
		lea	ebx, [edi+10h]
		lock bts dword ptr [ebx], 1Fh
		jb	loc_5BD5E8
		movzx	esi, byte ptr [edi+17h]
		and	esi, 7
		test	ds:byte_70EFC6,	1
		jnz	loc_5BD5D7
		mov	eax, [esp+38h+var_C]
		test	eax, eax
		jnz	loc_4A2A4B
		mov	edx, [esp+38h+var_8]
		lea	eax, [esp+38h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_C]
		cmp	eax, ecx
		jnz	short loc_4A2A42

loc_4A29D0:				; CODE XREF: MiEmptyDecayClusterTimers+21Ej
					; MiEmptyDecayClusterTimers+11ADA3j
		mov	edx, esi
		mov	ecx, edi
		call	_MiRelinkStandbyPage@8 ; MiRelinkStandbyPage(x,x)
		mov	eax, 7FFFFFFFh
		lock and [ebx],	eax

loc_4A29E1:				; CODE XREF: MiEmptyDecayClusterTimers+11AD6Ej
					; MiEmptyDecayClusterTimers+11AD8Fj ...
		mov	cl, [esp+38h+var_29]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		mov	ebx, [esp+38h+var_18]
		mov	edi, [esp+38h+var_28]
		jmp	loc_4A28D2
; 

loc_4A29FA:				; CODE XREF: MiEmptyDecayClusterTimers+D8j
		test	ds:byte_70EFC6,	1
		jnz	loc_5BD645
		mov	eax, [esp+38h+var_C]
		test	eax, eax
		jnz	short loc_4A2A63
		mov	edx, [esp+38h+var_8]
		lea	eax, [esp+38h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_C]
		cmp	eax, ecx
		jnz	loc_5BD656

loc_4A2A29:				; CODE XREF: MiEmptyDecayClusterTimers+236j
					; MiEmptyDecayClusterTimers+11AE11j
		mov	cl, [esp+38h+var_29]
		call	esi
		jmp	loc_4A28B1
; 

loc_4A2A34:				; CODE XREF: MiEmptyDecayClusterTimers+BFj
		lea	ecx, [esp+38h+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A2905
; 

loc_4A2A42:				; CODE XREF: MiEmptyDecayClusterTimers+18Ej
		lea	ecx, [esp+38h+var_C]
		call	KxWaitForLockChainValid

loc_4A2A4B:				; CODE XREF: MiEmptyDecayClusterTimers+174j
		mov	[esp+38h+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A29D0
; 

loc_4A2A63:				; CODE XREF: MiEmptyDecayClusterTimers+1CDj
					; MiEmptyDecayClusterTimers+11AE1Fj
		mov	[esp+38h+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4A2A29
MiEmptyDecayClusterTimers endp


;  S U B	R O U T	I N E 


; __stdcall MiRelinkStandbyPage(x, x)
_MiRelinkStandbyPage@8 proc near	; CODE XREF: MmSetPfnListInfo(x,x,x)+1D5p
					; MiEmptyDecayClusterTimers+194p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		cmp	word ptr [esi+14h], 0
		jnz	short loc_4A2AF9
		xor	edx, edx
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		test	eax, eax
		jz	short loc_4A2AB4
		cmp	ebx, 0FFFFFFh
		jz	short loc_4A2AA4
		mov	al, [esi+17h]
		xor	al, bl
		and	al, 7
		xor	[esi+17h], al

loc_4A2AA4:				; CODE XREF: MiRelinkStandbyPage(x,x)+20j
		push	4
		pop	edx
		mov	ecx, esi
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)

loc_4A2AAE:				; CODE XREF: MiRelinkStandbyPage(x,x)+87j
					; MiRelinkStandbyPage(x,x)+93j
		xor	eax, eax
		inc	eax

loc_4A2AB1:				; CODE XREF: MiRelinkStandbyPage(x,x)+7Fj
		pop	esi
		pop	ebx
		retn
; 

loc_4A2AB4:				; CODE XREF: MiRelinkStandbyPage(x,x)+18j
		xor	edx, edx
		mov	ecx, esi
		call	_MiRestoreTransitionPte@8 ; MiRestoreTransitionPte(x,x)
		and	dword ptr [esi+18h], 7FFFFFFFh
		and	byte ptr [esi+16h], 0C7h
		mov	al, [esi+16h]
		and	byte ptr [esi+17h], 0DFh
		and	al, 0FDh
		or	dword ptr [esi+10h], 40000000h
		or	al, 5
		mov	[esi+16h], al
		sub	esi, ds:_MmPfnDatabase
		mov	eax, esi
		cdq
		push	1Ch
		pop	ecx
		idiv	ecx
		push	2
		pop	edx
		mov	ecx, eax
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		xor	eax, eax
		jmp	short loc_4A2AB1
; 

loc_4A2AF9:				; CODE XREF: MiRelinkStandbyPage(x,x)+Dj
		cmp	ebx, 0FFFFFFh
		jz	short loc_4A2AAE
		mov	al, [esi+17h]
		xor	al, bl
		and	al, 7
		xor	[esi+17h], al
		jmp	short loc_4A2AAE
_MiRelinkStandbyPage@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDrainZeroLookasides(x, x,	x, x)
_MiDrainZeroLookasides@16 proc near	; CODE XREF: MiTradePage(x,x)+21Fp
					; .text:00516BDDp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		mov	ecx, dword_6D06D4
		mov	[ebp+var_4], ebx
		push	esi
		push	edi
		test	ebx, ebx
		jz	short loc_4A2B30
		lea	ecx, [eax+1]

loc_4A2B30:				; CODE XREF: MiDrainZeroLookasides(x,x,x,x)+1Dj
		imul	esi, [ebp+arg_0], 1Ch
		mov	edi, ebx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], 2
		add	esi, ebx
		neg	edi
		mov	[ebp+var_14], esi
		mov	esi, 201h
		sbb	edi, edi
		and	edi, eax
		lea	eax, [edx+954h]
		mov	[ebp+var_20], edi
		mov	[ebp+var_C], eax

loc_4A2B5C:				; CODE XREF: MiDrainZeroLookasides(x,x,x,x)+11Fj
		mov	edx, [eax]
		cmp	edi, ecx
		jnb	loc_4A2C1D
		lea	eax, [edx+edi*8]
		sub	ecx, edi
		mov	[ebp+arg_4], eax
		xor	edx, edx
		mov	[ebp+arg_0], ecx

loc_4A2B73:				; CODE XREF: MiDrainZeroLookasides(x,x,x,x)+100j
		cmp	[eax+4], dx
		jz	loc_4A2C02
		mov	ecx, eax
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_4A2BFA

loc_4A2B8A:				; CODE XREF: MiDrainZeroLookasides(x,x,x,x)+EAj
		mov	eax, [edi]
		mov	[ebp+var_1C], eax
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	[ebp+var_18], eax
		test	ebx, ebx
		jz	loc_4A2C43
		cmp	edi, ebx
		jnb	loc_4A2C3A

loc_4A2BB0:				; CODE XREF: MiDrainZeroLookasides(x,x,x,x)+12Fj
		and	esi, 0FFFFFFBFh

loc_4A2BB3:				; CODE XREF: MiDrainZeroLookasides(x,x,x,x)+138j
		push	dword ptr [edi+0Ch]
		xor	eax, eax
		push	dword ptr [edi+8]
		push	eax
		push	eax
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	ecx, edi
		mov	[edi+8], eax
		mov	[edi+0Ch], edx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+var_18]
		mov	edx, esi
		mov	bl, al
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	eax, 7FFFFFFFh
		lea	ecx, [edi+10h]
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_1C]
		mov	edi, eax
		mov	ebx, [ebp+var_4]
		test	eax, eax
		jnz	short loc_4A2B8A

loc_4A2BFA:				; CODE XREF: MiDrainZeroLookasides(x,x,x,x)+7Aj
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	eax, [ebp+arg_4]

loc_4A2C02:				; CODE XREF: MiDrainZeroLookasides(x,x,x,x)+69j
		add	eax, 8
		sub	ecx, 1
		mov	[ebp+arg_4], eax
		mov	[ebp+arg_0], ecx
		jnz	loc_4A2B73
		mov	edi, [ebp+var_20]
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_C]

loc_4A2C1D:				; CODE XREF: MiDrainZeroLookasides(x,x,x,x)+52j
		and	esi, 0FFFFFFFEh
		add	eax, 4
		or	esi, 2
		mov	[ebp+var_C], eax
		sub	[ebp+var_10], 1
		jnz	loc_4A2B5C
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4A2C3A:				; CODE XREF: MiDrainZeroLookasides(x,x,x,x)+9Cj
		cmp	edi, [ebp+var_14]
		jnb	loc_4A2BB0

loc_4A2C43:				; CODE XREF: MiDrainZeroLookasides(x,x,x,x)+94j
		or	esi, 40h
		jmp	loc_4A2BB3
_MiDrainZeroLookasides@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiLocateCloneAddress(x, x)
_MiLocateCloneAddress@8	proc near	; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+248p
					; MiCopyToUserVa(x,x,x,x)+17Ap	...
		mov	eax, [ecx+148h]

loc_4A2C52:				; CODE XREF: MiLocateCloneAddress(x,x)+1Ej
					; MiLocateCloneAddress(x,x)+22j
		test	eax, eax
		jz	short loc_4A2C64
		cmp	edx, [eax+10h]
		ja	short loc_4A2C67
		cmp	edx, [eax+0Ch]
		jb	short loc_4A2C6C
		test	eax, eax
		jnz	short locret_4A2C66

loc_4A2C64:				; CODE XREF: MiLocateCloneAddress(x,x)+8j
		xor	eax, eax

locret_4A2C66:				; CODE XREF: MiLocateCloneAddress(x,x)+16j
		retn
; 

loc_4A2C67:				; CODE XREF: MiLocateCloneAddress(x,x)+Dj
		mov	eax, [eax+4]
		jmp	short loc_4A2C52
; 

loc_4A2C6C:				; CODE XREF: MiLocateCloneAddress(x,x)+12j
		mov	eax, [eax]
		jmp	short loc_4A2C52
_MiLocateCloneAddress@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiClearPageFileHash proc near		; CODE XREF: MiReleasePageFileInfo+210p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

; FUNCTION CHUNK AT 005BD664 SIZE 0000004C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	eax, [ebx+80h]
		test	eax, eax
		jnz	short loc_4A2C91

loc_4A2C8A:				; CODE XREF: MiClearPageFileHash+CFj
					; MiClearPageFileHash+101j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4A2C91:				; CODE XREF: MiClearPageFileHash+18j
		lea	edi, [eax+edx*4]
		mov	esi, edi
		mov	[esp+30h+var_14], edi
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		mov	edx, [esi]
		nop
		mov	ecx, [esi+4]
		mov	eax, edx
		and	eax, 1
		mov	[esp+30h+var_18], ecx
		or	eax, 0
		mov	[esp+30h+var_10], edx
		mov	[esp+30h+var_C], ecx
		jz	loc_5BD664
		mov	dword ptr [edi], 1
		nop
		mov	edi, dword_6D0704
		shrd	edx, ecx, 0Ch
		mov	ecx, dword_6D0700
		and	edx, 1FFFFFFh
		mov	[esp+30h+var_1C], edi
		imul	eax, edx, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[esp+30h+var_18], eax
		mov	edx, [eax+8]
		mov	eax, [eax+0Ch]
		mov	edi, eax
		mov	[esp+30h+var_20], eax
		mov	eax, ecx
		or	eax, [esp+30h+var_1C]
		jz	short loc_4A2D7A
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		mov	eax, edi
		jnz	short loc_4A2D76
		mov	edi, [esp+30h+var_1C]
		not	edi
		and	edi, eax

loc_4A2D1F:				; CODE XREF: MiClearPageFileHash+108j
					; MiClearPageFileHash+10Ej
		push	eax
		push	edx
		push	0
		dec	edi
		push	edi
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	ecx, [esp+30h+var_18]
		mov	[esp+30h+var_10], eax
		mov	[esp+30h+var_C], edx
		mov	[ecx+8], eax
		nop
		mov	[ecx+0Ch], edx
		test	edi, edi
		jnz	loc_4A2C8A
		dec	dword ptr [ebx+78h]
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		xor	edx, edx
		mov	ecx, [esp+30h+var_14]
		push	1
		mov	[esi+4], eax
		call	KeFlushSingleTb
		mov	edx, [esp+30h+var_18]
		lea	ecx, [ebx+28h]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		jmp	loc_4A2C8A
; 

loc_4A2D76:				; CODE XREF: MiClearPageFileHash+A5j
		mov	edi, eax
		jmp	short loc_4A2D1F
; 

loc_4A2D7A:				; CODE XREF: MiClearPageFileHash+99j
		mov	eax, [esp+30h+var_20]
		jmp	short loc_4A2D1F
MiClearPageFileHash endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiWriteComplete	proc near		; CODE XREF: MiGatherMappedPages+2A0p
					; MiStoreWriteModifiedCompleteApc(x,x,x,x,x)+12p ...

var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_42		= byte ptr -42h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005BD6B0 SIZE 000001F0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		mov	[esp+4Ch+var_30], eax
		xor	esi, esi
		push	edi
		mov	edi, [ebx+7Ch]
		mov	eax, [ebx+78h]
		mov	[esp+50h+var_40], eax
		mov	eax, [ebx+4Ch]
		mov	[esp+50h+var_28], eax
		movzx	eax, word ptr [edi+6]
		mov	[esp+50h+var_1C], esi
		mov	ecx, eax
		mov	[esp+50h+var_3C], edi
		test	eax, 200h
		jnz	loc_5BD6B0

loc_4A2DC3:				; CODE XREF: MiWriteComplete+11A93Bj
		test	cl, 1
		jnz	loc_4A32CF

loc_4A2DCC:				; CODE XREF: MiWriteComplete+559j
		mov	eax, [ebp+arg_4]
		mov	edx, [ebx+60h]
		mov	[esp+50h+var_2C], edx
		mov	eax, [eax]
		mov	[esp+50h+var_34], eax
		mov	eax, [ebx+5Ch]
		mov	[esp+50h+var_38], eax
		test	eax, eax
		jz	loc_4A3196

loc_4A2DEB:				; CODE XREF: MiWriteComplete+440j
		lea	eax, [edi+1Ch]
		mov	[esp+50h+var_24], eax
		mov	eax, [esp+50h+var_28]
		test	eax, 0FFFh
		jnz	loc_5BD6C0
		xor	ecx, ecx

loc_4A2E03:				; CODE XREF: MiWriteComplete+11A945j
		sar	eax, 0Ch
		add	eax, 7
		add	eax, ecx
		lea	eax, [edi+eax*4]
		mov	[esp+50h+var_20], eax
		test	edx, edx
		jnz	loc_4A32DE

loc_4A2E1A:				; CODE XREF: MiWriteComplete+59Ej
					; MiWriteComplete+61Fj
		mov	eax, [esp+50h+var_34]
		test	eax, eax
		jns	loc_4A318D
		mov	edi, [ebx+14h]
		xor	ecx, ecx
		shr	edi, 1
		and	edi, 1
		cmp	[esp+50h+var_38], ecx
		push	eax
		setnz	cl
		mov	edx, edi
		call	MmIsWriteErrorFatal
		test	eax, eax
		jnz	loc_5BD6DC

loc_4A2E47:				; CODE XREF: MiWriteComplete+11A9A1j
		mov	eax, 1
		mov	[esp+50h+var_30], eax

loc_4A2E50:				; CODE XREF: MiWriteComplete+11A97Bj
					; MiWriteComplete+11A9B0j
		mov	edi, [esp+50h+var_38]
		mov	eax, [esp+50h+var_40]
		mov	ecx, [esp+50h+var_34]
		test	edi, edi
		jz	loc_5BD735
		mov	[eax+17Ch], ecx

loc_4A2E6A:				; CODE XREF: MiWriteComplete+411j
					; MiWriteComplete+11A9BBj
		mov	[esp+50h+var_2C], 0
		test	esi, esi
		jnz	loc_5BD740

loc_4A2E7A:				; CODE XREF: MiWriteComplete+11A9CCj
		push	0
		push	0
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	edi, eax
		mov	ecx, edx
		mov	eax, [ebx+54h]
		mov	[esp+50h+var_3C], ecx
		mov	[esp+50h+var_18], eax
		test	eax, eax
		jnz	loc_4A31C5

loc_4A2E9A:				; CODE XREF: MiWriteComplete+468j
		mov	edx, [esp+50h+var_24]
		mov	esi, [esp+50h+var_1C]
		cmp	edx, [esp+50h+var_20]
		jnb	loc_4A301A
		mov	esi, [ebp+arg_0]
		nop

loc_4A2EB0:				; CODE XREF: MiWriteComplete+28Aj
		mov	eax, [edx]
		cmp	eax, dword_6D34E4
		jz	loc_4A30F8
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ebx, [eax+ecx*4]
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+50h+var_41], al
		lea	eax, [ebx+10h]
		mov	[esp+50h+var_14], 0
		mov	[esp+50h+var_18], eax
		lock bts dword ptr [eax], 1Fh
		jb	loc_5BD751

loc_4A2EF5:				; CODE XREF: MiWriteComplete+11A9EDj
		mov	eax, [esp+50h+var_30]
		test	al, 1
		jnz	short loc_4A2F0A
		test	byte ptr [ebx+16h], 10h
		jnz	loc_4A315D

loc_4A2F07:				; CODE XREF: MiWriteComplete+3E9j
		and	eax, 0FFFFFFFDh

loc_4A2F0A:				; CODE XREF: MiWriteComplete+17Bj
					; MiWriteComplete+3F2j
		and	eax, 0FFFFFFF3h
		test	al, 2
		mov	[esp+50h+var_30], eax
		setz	dl
		test	byte ptr [esi+14h], 20h
		setnz	cl
		test	dl, cl
		jz	short loc_4A2F55
		test	dword ptr [ebx+10h], 40000000h
		jnz	short loc_4A2F55
		cmp	word ptr [ebx+14h], 1
		mov	cl, [ebx+16h]
		ja	loc_4A3379
		and	cl, 0FAh
		or	cl, 2
		mov	[ebx+16h], cl
		cmp	dword_6D5150, 0
		jnz	loc_5BD772
		or	eax, 8

loc_4A2F51:				; CODE XREF: MiWriteComplete+602j
					; MiWriteComplete+11A9F5j
		mov	[esp+50h+var_30], eax

loc_4A2F55:				; CODE XREF: MiWriteComplete+19Fj
					; MiWriteComplete+1A8j
		push	eax
		mov	ecx, ebx
		call	MiWriteCompletePfn
		mov	ebx, eax
		mov	[esp+50h+var_10], edx
		mov	eax, [esp+50h+var_18]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [esp+50h+var_41]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+50h+var_10]
		mov	ecx, ebx
		or	ecx, eax
		jnz	loc_4A314B

loc_4A2F87:				; CODE XREF: MiWriteComplete+3D8j
		mov	edx, dword_6D0700
		mov	ecx, edx
		mov	ebx, dword_6D0704
		or	ecx, ebx
		mov	eax, [esp+50h+var_3C]
		mov	[esp+50h+var_10], edi
		jz	short loc_4A2FC1
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	loc_4A30E3
		mov	ecx, edx
		mov	eax, ebx
		not	ecx
		not	eax
		and	ecx, edi
		and	eax, [esp+50h+var_3C]
		mov	[esp+50h+var_10], ecx

loc_4A2FC1:				; CODE XREF: MiWriteComplete+21Fj
					; MiWriteComplete+36Bj
		mov	ecx, edi
		add	eax, 1
		or	ecx, [esp+50h+var_3C]
		jz	loc_4A33B0
		mov	ecx, edx
		or	ecx, ebx
		jz	short loc_4A2FE8
		mov	ecx, edi
		and	ecx, 10h
		or	ecx, 0
		jnz	loc_4A30F0
		not	edx
		and	edi, edx

loc_4A2FE8:				; CODE XREF: MiWriteComplete+254j
					; MiWriteComplete+373j	...
		xor	ecx, ecx
		or	ecx, eax
		push	ecx
		push	edi
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)

loc_4A2FF3:				; CODE XREF: MiWriteComplete+3B8j
		mov	ecx, edx
		mov	edi, eax
		mov	edx, [esp+50h+var_24]
		add	edx, 4
		mov	[esp+50h+var_3C], ecx
		mov	[esp+50h+var_24], edx
		cmp	edx, [esp+50h+var_20]
		jb	loc_4A2EB0
		mov	eax, [esi+54h]
		mov	esi, [esp+50h+var_1C]
		mov	ebx, [ebp+arg_0]

loc_4A301A:				; CODE XREF: MiWriteComplete+126j
		mov	edi, [ebx+50h]
		test	edi, edi
		jnz	loc_4A328D
		mov	edi, [esp+50h+var_40]

loc_4A3029:				; CODE XREF: MiWriteComplete+524j
					; MiWriteComplete+534j
		cmp	dword ptr [ebx+54h], 0
		jnz	loc_4A31ED

loc_4A3033:				; CODE XREF: MiWriteComplete+4A4j
					; MiWriteComplete+4C2j	...
		cmp	[esp+50h+var_38], 0
		jz	short loc_4A3083
		test	esi, esi
		jnz	loc_5BD77A

loc_4A3042:				; CODE XREF: MiWriteComplete+11AA46j
		mov	ecx, [esp+50h+var_38]
		xor	edx, edx
		call	_MiDecrementModifiedWriteCount@8 ; MiDecrementModifiedWriteCount(x,x)
		test	eax, eax
		jnz	loc_4A33A4

loc_4A3055:				; CODE XREF: MiWriteComplete+62Bj
		lock dec dword ptr [edi+154h]
		mov	ecx, [ebx+7Ch]
		lea	eax, [ebx+80h]
		cmp	ecx, eax
		jnz	loc_4A3387

loc_4A306D:				; CODE XREF: MiWriteComplete+60Fj
		test	byte ptr [ebx+14h], 1
		jnz	loc_5BD7CB
		mov	edx, 1
		mov	ecx, ebx
		call	_MiFreeModWriterEntry@8	; MiFreeModWriterEntry(x,x)

loc_4A3083:				; CODE XREF: MiWriteComplete+2B8j
					; MiWriteComplete+11AA73j ...
		mov	ebx, [esp+50h+var_38]
		mov	edi, ebx
		mov	eax, [esp+50h+var_40]
		neg	edi
		mov	ecx, [esp+50h+var_34]
		sbb	edi, edi
		and	edi, 3
		add	edi, 258h
		add	edi, eax
		test	ecx, ecx
		jns	loc_4A3177
		mov	edx, [esp+50h+var_28]
		call	_MiIsRetryIoStatus@8 ; MiIsRetryIoStatus(x,x)
		cmp	[ebp+arg_8], 0
		jz	loc_4A3335
		test	esi, esi
		jnz	short loc_4A30CE
		test	eax, eax
		jnz	short loc_4A30CE

loc_4A30C3:				; CODE XREF: MiWriteComplete+5BDj
		mov	eax, [esp+50h+var_40]
		mov	byte ptr [eax+270h], 1

loc_4A30CE:				; CODE XREF: MiWriteComplete+33Dj
					; MiWriteComplete+341j	...
		mov	eax, [esp+50h+var_2C]
		test	eax, eax
		jnz	loc_4A327E

loc_4A30DA:				; CODE XREF: MiWriteComplete+508j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4A30E3:				; CODE XREF: MiWriteComplete+229j
		mov	eax, [esp+50h+var_3C]
		mov	[esp+50h+var_10], edi
		jmp	loc_4A2FC1
; 

loc_4A30F0:				; CODE XREF: MiWriteComplete+25Ej
		and	edi, 0FFFFFFEFh
		jmp	loc_4A2FE8
; 

loc_4A30F8:				; CODE XREF: MiWriteComplete+138j
		test	byte ptr [esi+14h], 20h
		jz	loc_4A32B9

loc_4A3102:				; CODE XREF: MiWriteComplete+54Aj
		mov	edx, dword_6D0700
		mov	eax, edx
		mov	ebx, dword_6D0704
		or	eax, ebx
		mov	[esp+50h+var_10], edi
		jz	short loc_4A3126
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jz	short loc_4A313D
		mov	[esp+50h+var_10], edi

loc_4A3126:				; CODE XREF: MiWriteComplete+396j
		mov	ebx, ecx

loc_4A3128:				; CODE XREF: MiWriteComplete+3C9j
		xor	eax, eax
		add	ebx, 1
		push	ecx
		push	edi
		adc	eax, eax
		push	eax
		push	ebx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		jmp	loc_4A2FF3
; 

loc_4A313D:				; CODE XREF: MiWriteComplete+3A0j
		not	edx
		not	ebx
		and	edx, edi
		and	ebx, ecx
		mov	[esp+50h+var_10], edx
		jmp	short loc_4A3128
; 

loc_4A314B:				; CODE XREF: MiWriteComplete+201j
		mov	ecx, [esp+50h+var_40]
		xor	edx, edx
		push	eax
		push	ebx
		call	MiReleasePageFileInfo
		jmp	loc_4A2F87
; 

loc_4A315D:				; CODE XREF: MiWriteComplete+181j
		mov	ecx, [ebx+8]
		and	ecx, 400h
		or	ecx, 0
		jnz	loc_4A2F07
		or	eax, 2
		jmp	loc_4A2F0A
; 

loc_4A3177:				; CODE XREF: MiWriteComplete+322j
		test	ebx, ebx
		jnz	loc_4A3329

loc_4A317F:				; CODE XREF: MiWriteComplete+5B0j
		cmp	byte ptr [edi],	0
		jz	loc_4A30CE
		jmp	loc_5BD815
; 

loc_4A318D:				; CODE XREF: MiWriteComplete+A0j
		mov	edi, [esp+50h+var_38]
		jmp	loc_4A2E6A
; 

loc_4A3196:				; CODE XREF: MiWriteComplete+65j
		lea	eax, [esp+50h+var_8]
		mov	[esp+50h+var_8], esi
		push	eax
		mov	[esp+54h+var_4], esi
		call	KeQuerySystemTime
		mov	ecx, [esp+50h+var_34]
		lea	edx, [esp+50h+var_8]
		push	ecx
		push	0
		push	5
		mov	ecx, ebx
		call	_MI_PAGEFILE_WRITE@20 ;	MI_PAGEFILE_WRITE(x,x,x,x,x)
		mov	edx, [esp+50h+var_2C]
		jmp	loc_4A2DEB
; 

loc_4A31C5:				; CODE XREF: MiWriteComplete+114j
		mov	edx, [ebx+68h]
		mov	eax, [ebx+6Ch]
		push	ecx
		mov	ecx, [esp+54h+var_18]
		push	edi
		shrd	edx, eax, 0Ch
		push	1
		call	_MiTransferSoftwarePte@20 ; MiTransferSoftwarePte(x,x,x,x,x)
		mov	ecx, edx
		mov	edi, eax
		mov	eax, [esp+50h+var_18]
		mov	[esp+50h+var_3C], ecx
		jmp	loc_4A2E9A
; 

loc_4A31ED:				; CODE XREF: MiWriteComplete+2ADj
		mov	eax, [ebx+14h]
		and	al, 1Ch
		cmp	al, 8
		jnb	short loc_4A31FC
		dec	dword ptr [edi+188h]

loc_4A31FC:				; CODE XREF: MiWriteComplete+474j
		mov	ecx, ebx
		call	MiMakePagefileWriterEntryAvailable
		xor	ecx, ecx
		lea	eax, [edi+228h]
		cmp	byte ptr [edi+175h], 1
		setnz	cl
		dec	ecx
		and	ecx, eax
		test	byte ptr [ebx+14h], 20h
		mov	[esp+50h+var_10], ecx
		mov	[esp+50h+var_2C], ecx
		jz	loc_4A3033
		mov	eax, [edi+2D4h]
		dec	eax
		mov	[esp+50h+var_2C], ecx
		cmp	byte ptr [edi+176h], 0
		mov	[edi+2D4h], eax
		jnz	loc_4A3033
		cmp	dword ptr [edi+2C0h], 0
		mov	[esp+50h+var_2C], ecx
		jz	loc_4A3033
		mov	[esp+50h+var_2C], ecx
		test	eax, eax
		jnz	loc_4A3033
		xor	edx, edx
		mov	ecx, offset unk_718320
		call	?SmDrainSList@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAT_SLIST_HEADER@@K@Z ;	SMKM_STORE_MGR<SM_TRAITS>::SmDrainSList(_SLIST_HEADER *,ulong)
		mov	edx, [esp+50h+var_10]
		mov	[esp+50h+var_2C], edx
		jmp	loc_4A3033
; 

loc_4A327E:				; CODE XREF: MiWriteComplete+354j
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4A30DA
; 

loc_4A328D:				; CODE XREF: MiWriteComplete+29Fj
		mov	edx, edi
		test	eax, eax
		jz	loc_4A3348

loc_4A3297:				; CODE XREF: MiWriteComplete+5D3j
		mov	edi, [esp+50h+var_40]
		mov	ecx, edi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	loc_4A3029
		lea	ecx, [edi+1000h]
		lock xadd [ecx], eax
		jmp	loc_4A3029
; 

loc_4A32B9:				; CODE XREF: MiWriteComplete+37Cj
		push	ecx
		mov	ecx, [esp+54h+var_40]
		xor	edx, edx
		push	edi
		call	MiReleasePageFileInfo
		mov	ecx, [esp+50h+var_3C]
		jmp	loc_4A3102
; 

loc_4A32CF:				; CODE XREF: MiWriteComplete+46j
		mov	eax, [edi+0Ch]
		push	edi
		push	eax
		call	MmUnmapLockedPages
		jmp	loc_4A2DCC
; 

loc_4A32DE:				; CODE XREF: MiWriteComplete+94j
		mov	edi, [ebx+58h]
		test	dl, 1
		jz	short loc_4A3358
		and	edx, 0FFFFFFFEh

loc_4A32E9:				; CODE XREF: MiWriteComplete+5F4j
		mov	ecx, edi
		call	FsRtlReleaseFileForModWrite
		mov	ecx, [esp+50h+var_38]
		mov	ecx, [ecx+20h]
		mov	eax, ecx
		xor	eax, edi
		cmp	eax, 7
		jnb	loc_4A3394

loc_4A3304:				; CODE XREF: MiWriteComplete+11A951j
		mov	esi, [esp+50h+var_38]
		lea	edx, [ecx+1]
		mov	eax, ecx
		add	esi, 20h
		lock cmpxchg [esi], edx
		mov	ebx, [ebp+arg_0]
		mov	esi, 0
		cmp	eax, ecx
		jz	loc_4A2E1A
		jmp	loc_5BD6CA
; 

loc_4A3329:				; CODE XREF: MiWriteComplete+3F9j
		mov	byte ptr [eax+270h], 0
		jmp	loc_4A317F
; 

loc_4A3335:				; CODE XREF: MiWriteComplete+335j
		cmp	[esp+50h+var_34], 0C0000054h
		jz	loc_4A30C3
		jmp	loc_5BD84D
; 

loc_4A3348:				; CODE XREF: MiWriteComplete+511j
		mov	ecx, [esp+50h+var_40]
		call	MiReturnCommit
		mov	edx, edi
		jmp	loc_4A3297
; 

loc_4A3358:				; CODE XREF: MiWriteComplete+564j
		mov	eax, [ebx+6Ch]
		mov	edx, [esp+50h+var_28]
		mov	ecx, [edi+14h]
		push	eax
		mov	eax, [ebx+68h]
		push	eax
		push	[esp+58h+var_34]
		call	CcNotifyOfMappedWriteComplete
		mov	edx, [esp+50h+var_2C]
		jmp	loc_4A32E9
; 

loc_4A3379:				; CODE XREF: MiWriteComplete+1B2j
		or	cl, 10h
		or	eax, 2
		mov	[ebx+16h], cl
		jmp	loc_4A2F51
; 

loc_4A3387:				; CODE XREF: MiWriteComplete+2E7j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4A306D
; 

loc_4A3394:				; CODE XREF: MiWriteComplete+57Ej
					; MiWriteComplete+11A957j
		push	746C6644h
		push	edi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_4A2E1A
; 

loc_4A33A4:				; CODE XREF: MiWriteComplete+2CFj
		mov	ecx, eax
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)
		jmp	loc_4A3055
; 

loc_4A33B0:				; CODE XREF: MiWriteComplete+24Aj
		xor	edi, edi
		jmp	loc_4A2FE8
MiWriteComplete	endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiWalkVaRange	proc near		; CODE XREF: MiResetVirtualMemory+5Bp
					; MiProcessVaRangesInfoClass+A0p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BD8A0 SIZE 000002CE BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 100h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		push	esi
		push	edi
		mov	edi, [ebx+8]
		lea	eax, [ebp-0A0h]
		push	98h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, edx
		mov	[ebp-0A8h], ecx
		mov	dword ptr [ebp-0F0h], 0
		mov	dword ptr [ebp-0ECh], 0
		mov	dword ptr [ebp-0FCh], 0
		mov	dword ptr [ebp-0F4h], 0
		call	_memset
		mov	eax, [ebp-0A8h]
		add	esp, 0Ch
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	dword ptr [ebp-0A0h], 1
		sub	eax, 40000000h
		mov	word ptr [ebp-9Ch], 0
		mov	[ebp-0A8h], eax
		mov	eax, large fs:124h
		mov	dword ptr [ebp-90h], 0
		mov	dword ptr [ebp-98h], 21h
		mov	dword ptr [ebp-8Ch], 0
		mov	eax, [eax+80h]
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		mov	dword ptr [ebp-0C8h], 0
		sub	esi, 40000000h
		mov	dword ptr [ebp-0ACh], 0
		lea	ecx, [eax+240h]
		mov	dword ptr [ebp-0B0h], 0
		mov	byte ptr [ebp-0A1h], 21h
		mov	[ebp-0F8h], esi
		mov	dword ptr [ebp-0C4h], 0
		mov	[ebp-0B4h], eax
		call	MiLockWorkingSetShared
		mov	[ebp-0D4h], al
		mov	eax, [ebp-0A8h]
		cmp	eax, esi
		ja	loc_4A37C1

loc_4A34F2:				; CODE XREF: MiWalkVaRange+3FBj
		mov	edx, [ebp-0C4h]
		test	edx, edx
		jnz	loc_5BD8A0

loc_4A3500:				; CODE XREF: MiWalkVaRange+11A4FFj
		lea	ecx, [ebp-0FCh]
		mov	edx, esi
		push	ecx
		push	0
		push	dword ptr [ebp-0D4h]
		lea	ecx, [ebp-0A0h]
		push	ecx
		mov	ecx, eax
		call	MiGetNextPageTable
		mov	esi, eax
		mov	dword ptr [ebp-0D0h], 1
		mov	eax, [ebp-0A8h]
		cmp	esi, eax
		jnz	loc_4A38F1

loc_4A3539:				; CODE XREF: MiWalkVaRange+578j
					; MiWalkVaRange+11A51Ej
		test	esi, esi
		jz	short loc_4A3554
		mov	ecx, esi
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	[ebp-0C4h], ecx

loc_4A3554:				; CODE XREF: MiWalkVaRange+17Bj
					; MiWalkVaRange+2A1j
		mov	ecx, [ebp-0D0h]
		xor	esi, esi
		mov	[ebp-0C0h], esi
		mov	[ebp-0E4h], esi
		test	ecx, ecx
		jnz	loc_4A3666

loc_4A3570:				; CODE XREF: MiWalkVaRange+2C0j
		test	dword ptr [edi+1Ch], 100000h
		jnz	loc_4A3694
		cmp	[edi+30h], esi
		jz	loc_4A3694
		lea	ecx, [ebp-0B8h]
		shr	eax, 3
		push	ecx
		and	eax, 0FFFFFh
		mov	ecx, edi
		push	0
		mov	edx, eax
		call	MiGetProtoPteAddress
		mov	esi, eax
		test	esi, esi
		jz	loc_5BDAB6

loc_4A35AA:				; CODE XREF: MiWalkVaRange+526j
		mov	eax, [ebp-0B0h]
		xor	eax, esi
		test	eax, 0FFFFF000h
		jnz	loc_4A380C

loc_4A35BD:				; CODE XREF: MiWalkVaRange+2DCj
					; MiWalkVaRange+303j ...
		mov	edx, [ebp-0D0h]
		lea	eax, [ebp-0F0h]
		push	eax
		lea	eax, [ebp-0F4h]
		mov	ecx, edi
		push	eax
		push	dword ptr [ebx+10h]
		push	dword ptr [ebx+0Ch]
		push	esi
		push	dword ptr [ebp-0A8h]
		call	_MiActOnPte@32	; MiActOnPte(x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	loc_4A36C8

loc_4A35ED:				; CODE XREF: MiWalkVaRange+336j
					; MiWalkVaRange+11A776j
		mov	eax, [ebp-0A8h]

loc_4A35F3:				; CODE XREF: MiWalkVaRange+11A76Bj
		mov	edx, [ebp-0F0h]
		mov	ecx, edx
		mov	esi, [ebp-0ECh]
		or	ecx, esi
		jnz	loc_4A393D

loc_4A3609:				; CODE XREF: MiWalkVaRange+5D2j
					; MiWalkVaRange+11A643j ...
		mov	ecx, [ebp-0C0h]

loc_4A360F:				; CODE XREF: MiWalkVaRange+11A603j
					; MiWalkVaRange+11A619j ...
		mov	esi, [ebp-0E4h]
		add	eax, 8
		mov	[ebp-0A8h], eax
		cmp	ecx, 1
		jz	loc_4A3714
		test	esi, esi
		js	loc_4A3714
		cmp	eax, [ebp-0F8h]
		ja	loc_4A3714
		test	eax, 0FFFh
		jz	loc_4A3714
		test	al, 78h
		jz	loc_4A36FB

loc_4A364E:				; CODE XREF: MiWalkVaRange+34Ej
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	loc_4A3714
		mov	eax, [ebp-0A8h]
		jmp	loc_4A3554
; 

loc_4A3666:				; CODE XREF: MiWalkVaRange+1AAj
		mov	edx, [eax]
		mov	[ebp-0CCh], edx
		nop
		mov	ecx, [eax+4]
		mov	[ebp-0BCh], ecx
		mov	ecx, edx
		or	ecx, [ebp-0BCh]
		jz	loc_4A3570
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	loc_4A3840

loc_4A3694:				; CODE XREF: MiWalkVaRange+1B7j
					; MiWalkVaRange+1C0j ...
		mov	eax, [ebp-0ACh]
		test	eax, eax
		jz	loc_4A35BD
		mov	dl, [ebp-0A1h]
		mov	ecx, eax
		call	MiUnlockProtoPoolPage
		mov	dword ptr [ebp-0ACh], 0
		mov	dword ptr [ebp-0B0h], 0
		jmp	loc_4A35BD
; 

loc_4A36C8:				; CODE XREF: MiWalkVaRange+227j
		cmp	eax, 112h
		jz	loc_5BDAD6
		cmp	eax, 0C0000021h
		jnz	loc_5BDB30
		mov	edx, [ebp-0A8h]
		lea	ecx, [ebp-0A0h]
		push	0
		push	1
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	loc_4A35ED
; 

loc_4A36FB:				; CODE XREF: MiWalkVaRange+288j
		mov	ecx, [ebp-0B4h]
		lea	ecx, [ecx+240h]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jz	loc_4A364E

loc_4A3714:				; CODE XREF: MiWalkVaRange+261j
					; MiWalkVaRange+269j ...
		mov	eax, [ebp-0ACh]
		test	eax, eax
		jz	short loc_4A3731
		mov	dl, [ebp-0A1h]
		mov	ecx, eax
		call	MiUnlockProtoPoolPage
		mov	eax, [ebp-0ACh]

loc_4A3731:				; CODE XREF: MiWalkVaRange+35Cj
		neg	eax
		lea	ecx, [ebp-0A0h]
		sbb	eax, eax
		not	eax
		and	[ebp-0B0h], eax
		call	MiFlushTbList
		mov	eax, [ebp-0C4h]
		test	eax, eax
		jz	short loc_4A376F
		mov	ecx, [ebp-0B4h]
		mov	edx, eax
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dword ptr [ebp-0C4h], 0

loc_4A376F:				; CODE XREF: MiWalkVaRange+390j
		mov	ecx, [ebp-0B4h]
		mov	dl, [ebp-0D4h]
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetShared
		cmp	esi, 0C0000434h
		jz	loc_5BDB3B

loc_4A3792:				; CODE XREF: MiWalkVaRange+11A791j
		mov	dword ptr [ebp-0ACh], 0

loc_4A379C:				; CODE XREF: MiWalkVaRange+62Bj
		mov	ecx, [ebp-0B4h]
		lea	ecx, [ecx+240h]
		call	MiLockWorkingSetShared
		mov	eax, [ebp-0A8h]
		mov	esi, [ebp-0F8h]
		cmp	eax, esi
		jbe	loc_4A34F2

loc_4A37C1:				; CODE XREF: MiWalkVaRange+12Cj
					; MiWalkVaRange+11A510j
		lea	ecx, [ebp-0A0h]
		call	MiFlushTbList
		mov	eax, [ebp-0C4h]
		test	eax, eax
		jnz	loc_5BDB56

loc_4A37DA:				; CODE XREF: MiWalkVaRange+11A7A9j
		mov	ecx, [ebp-0B4h]
		mov	dl, [ebp-0D4h]
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp-4]
		mov	eax, [ebp-0C8h]
		xor	ecx, ebp
		pop	edi
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
; 

loc_4A380C:				; CODE XREF: MiWalkVaRange+1F7j
		mov	eax, [ebp-0ACh]
		test	eax, eax
		jnz	loc_4A3997

loc_4A381A:				; CODE XREF: MiWalkVaRange+5EEj
		lea	edx, [ebp-0A1h]
		mov	ecx, esi
		call	MiLockProtoPoolPage
		mov	[ebp-0ACh], eax
		test	eax, eax
		jz	loc_4A39B3
		mov	[ebp-0B0h], esi
		jmp	loc_4A35BD
; 

loc_4A3840:				; CODE XREF: MiWalkVaRange+2CEj
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jz	loc_4A3694
		cmp	dword ptr [ebx+0Ch], 2
		mov	esi, [ebp-0BCh]
		jz	loc_5BD8E3

loc_4A3860:				; CODE XREF: MiWalkVaRange+11A57Dj
		push	esi
		push	edx
		call	_MI_PROTO_FORMAT_COMBINED@8 ; MI_PROTO_FORMAT_COMBINED(x,x)
		test	al, al
		jnz	loc_5BD942
		mov	eax, [ebp-0A8h]
		mov	ecx, eax
		and	ecx, 0FFFFFFF8h
		shl	ecx, 9
		cmp	ecx, 7FFE0000h
		jz	loc_5BD9E6
		mov	edx, dword_6D0618
		cmp	ecx, edx
		jz	loc_5BD9DE

loc_4A3897:				; CODE XREF: MiWalkVaRange+11A620j
					; MiWalkVaRange+11A633j
		test	dword ptr [edi+1Ch], 100000h
		jnz	loc_5BDA5B
		cmp	dword ptr [edi+30h], 0
		jz	loc_5BDA5B
		lea	ecx, [ebp-0B8h]
		shr	eax, 3
		push	ecx
		and	eax, 0FFFFFh
		mov	ecx, edi
		push	0
		mov	edx, eax
		call	MiGetProtoPteAddress
		push	dword ptr [ebp-0BCh]
		mov	ecx, [ebp-0CCh]
		mov	esi, eax
		push	ecx
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jz	loc_5BDA08

loc_4A38E4:				; CODE XREF: MiWalkVaRange+11A54Aj
					; MiWalkVaRange+11A55Ej ...
		test	esi, esi
		jnz	loc_4A35AA
		jmp	loc_4A3694
; 

loc_4A38F1:				; CODE XREF: MiWalkVaRange+173j
		test	dword ptr [edi+1Ch], 100000h
		jnz	loc_5BD8C4
		cmp	dword ptr [edi+30h], 0
		jz	loc_5BD8C4
		lea	ecx, [ebp-0B8h]
		shr	eax, 3
		push	ecx
		and	eax, 0FFFFFh
		mov	ecx, edi
		push	0
		mov	edx, eax
		call	MiGetProtoPteAddress
		test	eax, eax
		jz	loc_5BD8C4
		mov	eax, [ebp-0A8h]
		xor	ecx, ecx
		mov	[ebp-0D0h], ecx
		jmp	loc_4A3539
; 

loc_4A393D:				; CODE XREF: MiWalkVaRange+243j
		mov	eax, [ebp-0ACh]
		test	eax, eax
		jz	short loc_4A3960
		mov	dl, [ebp-0A1h]
		mov	ecx, eax
		call	MiUnlockProtoPoolPage
		mov	esi, [ebp-0ECh]
		mov	edx, [ebp-0F0h]

loc_4A3960:				; CODE XREF: MiWalkVaRange+585j
		mov	ecx, [ebp-0F4h]
		push	esi
		push	edx
		mov	edx, 1
		call	MiReleasePageFileInfo
		mov	eax, [ebp-0ACh]
		neg	eax
		sbb	eax, eax
		not	eax
		and	[ebp-0B0h], eax
		xor	eax, eax
		mov	[ebp-0ACh], eax

loc_4A398C:				; CODE XREF: MiWalkVaRange+11A592j
		mov	eax, [ebp-0A8h]
		jmp	loc_4A3609
; 

loc_4A3997:				; CODE XREF: MiWalkVaRange+454j
		mov	dl, [ebp-0A1h]
		mov	ecx, eax
		call	MiUnlockProtoPoolPage
		mov	dword ptr [ebp-0B0h], 0
		jmp	loc_4A381A
; 

loc_4A39B3:				; CODE XREF: MiWalkVaRange+46Fj
		lea	ecx, [ebp-0A0h]
		call	MiFlushTbList
		mov	eax, [ebp-0C4h]
		test	eax, eax
		jnz	short loc_4A39F0

loc_4A39C8:				; CODE XREF: MiWalkVaRange+64Dj
		mov	ecx, [ebp-0B4h]
		mov	dl, [ebp-0D4h]
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetShared
		push	0
		push	0
		push	esi
		push	2
		call	MmAccessFault
		jmp	loc_4A379C
; 

loc_4A39F0:				; CODE XREF: MiWalkVaRange+606j
		mov	ecx, [ebp-0B4h]
		mov	edx, eax
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dword ptr [ebp-0C4h], 0
		jmp	short loc_4A39C8
MiWalkVaRange	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiActOnPte(x, x, x,	x, x, x, x, x)
_MiActOnPte@32	proc near		; CODE XREF: MiWalkVaRange+220p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ebp+arg_14]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	dword ptr [eax], 0
		mov	dword ptr [eax+4], 0
		mov	eax, [ebp+arg_10]
		push	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], 0
		mov	dword ptr [eax], 0
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+var_C], eax
		add	eax, 240h
		mov	[ebp+var_8], eax

loc_4A3A58:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+88j
					; MiActOnPte(x,x,x,x,x,x,x,x)+AFj ...
		test	esi, esi
		jz	short loc_4A3A67
		mov	edi, [esi]
		nop
		mov	ebx, [esi+4]
		mov	ecx, [ebp+arg_0]
		jmp	short loc_4A3A70
; 

loc_4A3A67:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+4Aj
		mov	ecx, [ebp+arg_0]
		mov	edi, [ecx]
		nop
		mov	ebx, [ecx+4]

loc_4A3A70:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+55j
		mov	eax, edi
		mov	[ebp+var_1C], ebx
		and	eax, 1
		mov	[ebp+var_20], edi
		or	eax, 0
		jz	short loc_4A3AC1
		test	esi, esi
		jz	loc_4A3B2F
		xor	edx, edx
		mov	ecx, esi
		call	MiLockLeafPage
		mov	edx, eax
		mov	[ebp+var_4], eax
		test	edx, edx
		jz	short loc_4A3A58
		mov	edi, [esi]
		nop
		mov	ebx, [esi+4]
		mov	eax, edi
		and	eax, 1
		mov	[ebp+var_20], edi
		or	eax, 0
		mov	[ebp+var_1C], ebx
		jnz	loc_4A3C35
		lea	eax, [edx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	short loc_4A3A58
; 

loc_4A3AC1:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+6Ej
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		jnz	loc_4A4112
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jz	loc_4A3FC0
		xor	edx, edx
		test	esi, esi
		jz	short loc_4A3AF0
		mov	ecx, esi
		call	MiLockLeafPage
		jmp	short loc_4A3AF5
; 

loc_4A3AF0:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+D5j
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)

loc_4A3AF5:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+DEj
		mov	edi, eax
		test	edi, edi
		jz	loc_4A3A58
		test	esi, esi
		jz	loc_4A3E03
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		mov	[ebp+var_20], ecx
		and	ecx, 1
		or	ecx, 0
		mov	[ebp+var_1C], eax
		jz	loc_4A3E03
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	loc_4A3A58
; 

loc_4A3B2F:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+72j
		nop
		mov	ecx, edi
		mov	eax, ebx
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		mov	[ebp+var_4], ecx
		cmp	ecx, dword_6D07B0
		ja	loc_4A3C24
		mov	eax, dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_4A3C24
		mov	eax, [ebp+var_4]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		test	dword ptr [eax+ecx*4+18h], 800000h
		lea	edx, [eax+ecx*4]
		mov	[ebp+var_4], edx
		jnz	short loc_4A3BB0
		mov	eax, [edx+4]
		test	eax, eax
		js	short loc_4A3BB0
		jz	short loc_4A3BB0
		cmp	[ebp+arg_8], 1
		jz	loc_4A3C24
		cmp	[ebp+arg_8], 0
		jnz	short loc_4A3BC8
		mov	eax, 112h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4A3BB0:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+177j
					; MiActOnPte(x,x,x,x,x,x,x,x)+17Ej ...
		mov	edx, [edx+4]
		mov	ecx, [ebp+var_C]
		or	edx, 80000000h
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		test	eax, eax
		jnz	short loc_4A3C24
		mov	edx, [ebp+var_4]

loc_4A3BC8:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+190j
		lea	eax, [edx+10h]
		mov	[ebp+var_18], 0
		mov	[ebp+var_C], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_4A3C01
		mov	esi, eax
		mov	edi, edi

loc_4A3BE0:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+1DCj
					; MiActOnPte(x,x,x,x,x,x,x,x)+1E3j
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4A3BE0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4A3BE0
		mov	ebx, [ebp+var_1C]
		mov	edi, [ebp+var_20]
		mov	esi, [ebp+arg_4]
		mov	edx, [ebp+var_4]

loc_4A3C01:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+1CAj
		mov	eax, [ebp+var_10]
		mov	eax, [eax+1Ch]
		and	al, 70h
		cmp	al, 40h
		jnz	short loc_4A3C35
		mov	ecx, [ebp+arg_0]
		call	_MiRotatedToFrameBuffer@4 ; MiRotatedToFrameBuffer(x)
		test	eax, eax
		jz	short loc_4A3C32
		mov	eax, [ebp+var_C]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_4A3C24:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+137j
					; MiActOnPte(x,x,x,x,x,x,x,x)+152j ...
		mov	eax, 0C0000434h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4A3C32:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+207j
		mov	edx, [ebp+var_4]

loc_4A3C35:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+9Ej
					; MiActOnPte(x,x,x,x,x,x,x,x)+1FBj
		cmp	[ebp+arg_8], 2
		jnz	short loc_4A3CB7
		mov	ebx, [ebp+var_4]
		xor	eax, eax
		mov	edx, [ebp+arg_C]
		test	esi, esi
		mov	ecx, ebx
		setz	al
		push	eax
		call	_MiUpdatePfnPriority@12	; MiUpdatePfnPriority(x,x,x)
		mov	byte ptr [ebp+arg_8], al
		lea	ecx, [ebx+10h]
		mov	edx, 7FFFFFFFh
		lock and [ecx],	edx
		mov	edi, [ebp+arg_0]
		cmp	al, 0FFh
		jz	short loc_4A3C76
		test	esi, esi
		jnz	short loc_4A3C76
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	MiUpdateWsleAge

loc_4A3C76:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+253j
					; MiActOnPte(x,x,x,x,x,x,x,x)+257j
		test	dword ptr [ebx+18h], 800000h
		jnz	loc_4A4112
		mov	eax, [ebx+4]
		test	eax, eax
		js	loc_4A4112
		jz	loc_4A4112
		test	esi, esi
		jnz	loc_4A4112
		mov	ecx, [ebp+var_8]
		or	eax, 80000000h
		push	eax
		mov	edx, edi
		call	_MiDemoteCombinedPte@12	; MiDemoteCombinedPte(x,x,x)
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4A3CB7:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+229j
		mov	al, [edx+16h]
		mov	byte ptr [ebp+arg_4+3],	al
		test	al, 8
		jz	short loc_4A3CDA
		lea	eax, [edx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	eax, 0C0000434h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4A3CDA:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+2AFj
		mov	cl, al
		and	cl, 10h
		cmp	[ebp+arg_8], 1
		jnz	short loc_4A3D50
		xor	ebx, ebx
		test	cl, cl
		jnz	short loc_4A3CF6
		test	esi, esi
		jnz	short loc_4A3CFB
		and	edi, 42h
		or	edi, ebx
		jz	short loc_4A3CFB

loc_4A3CF6:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+2D9j
		mov	ebx, 0C0000434h

loc_4A3CFB:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+2DDj
					; MiActOnPte(x,x,x,x,x,x,x,x)+2E4j
		test	cl, cl
		jnz	short loc_4A3D16
		mov	ecx, [edx+8]
		mov	eax, [edx+0Ch]
		shrd	ecx, eax, 2
		test	cl, 1
		jnz	short loc_4A3D16
		mov	al, byte ptr [ebp+arg_4+3]
		or	al, 10h
		mov	[edx+16h], al

loc_4A3D16:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+2EDj
					; MiActOnPte(x,x,x,x,x,x,x,x)+2FCj
		mov	eax, [edx+0Ch]
		lea	esi, [edx+8]
		push	eax
		mov	eax, [esi]
		push	eax
		call	_MI_IS_RESET_PTE@8 ; MI_IS_RESET_PTE(x,x)
		test	eax, eax
		jz	short loc_4A3D32
		mov	ecx, esi
		call	_MI_CLEAR_RESET_PTE@4 ;	MI_CLEAR_RESET_PTE(x)
		jmp	short loc_4A3D37
; 

loc_4A3D32:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+317j
		mov	ebx, 0C0000434h

loc_4A3D37:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+320j
		mov	ecx, [ebp+var_4]
		mov	eax, 7FFFFFFFh
		add	ecx, 10h
		lock and [ecx],	eax
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4A3D50:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+2D3j
		test	cl, cl
		jz	short loc_4A3D59
		and	al, 0EFh
		mov	[edx+16h], al

loc_4A3D59:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+342j
		lea	eax, [edx+8]
		mov	edx, 1
		push	1
		mov	ecx, eax
		mov	[ebp+arg_8], eax
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	ecx, [ebp+arg_14]
		mov	[ecx], eax
		or	eax, edx
		mov	[ecx+4], edx
		jz	short loc_4A3D82
		mov	eax, [ebp+arg_10]
		mov	dword ptr [eax], offset	_MiSystemPartition

loc_4A3D82:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+367j
		mov	ecx, [ebp+arg_8]
		mov	eax, [ecx+4]
		push	eax
		mov	eax, [ecx]
		push	eax
		push	0
		push	1
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	ecx, [ebp+arg_8]
		and	eax, 0FFFFFFFDh
		mov	[ecx], eax
		mov	ecx, 7FFFFFFFh
		mov	eax, [ebp+var_4]
		mov	[eax+0Ch], edx
		add	eax, 10h
		lock and [eax],	ecx
		test	esi, esi
		jnz	loc_4A4112
		mov	eax, edi
		and	eax, 42h
		or	eax, esi
		jz	loc_4A4112
		and	edi, 0FFFFFF9Dh
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], edi
		nop
		mov	esi, [ebp+arg_0]
		mov	[esi], edi
		mov	[esi+4], ebx
		mov	ebx, [ebp+var_8]
		mov	ecx, ebx
		shl	esi, 9
		mov	edx, esi
		call	MiGetVaAge
		cmp	al, 7
		jnb	short loc_4A3DF5
		push	1
		push	1
		mov	edx, esi
		mov	ecx, ebx
		call	MiSetVaAgeList

loc_4A3DF5:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+3D6j
		mov	eax, 0C0000021h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4A3E03:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+F1j
					; MiActOnPte(x,x,x,x,x,x,x,x)+109j
		mov	ecx, [ebp+arg_8]
		cmp	ecx, 2
		jnz	short loc_4A3E2D
		mov	edx, [ebp+arg_C]
		mov	ecx, edi
		push	1
		call	_MiUpdatePfnPriority@12	; MiUpdatePfnPriority(x,x,x)
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4A3E2D:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+3F9j
		mov	al, [edi+16h]
		xor	esi, esi
		mov	dl, al
		and	dl, 7
		cmp	dl, 2
		jnz	loc_4A3F1D
		cmp	ecx, 1
		jnz	loc_4A3ECC
		mov	eax, [edi+0Ch]
		push	eax
		mov	eax, [edi+8]
		push	eax
		call	_MI_IS_RESET_PTE@8 ; MI_IS_RESET_PTE(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_4A3E64
		lea	ecx, [edi+8]
		call	_MI_CLEAR_RESET_PTE@4 ;	MI_CLEAR_RESET_PTE(x)

loc_4A3E64:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+44Aj
		mov	ecx, [edi+8]
		neg	esi
		mov	eax, [edi+0Ch]
		sbb	esi, esi
		and	esi, 3FFFFBCCh
		shrd	ecx, eax, 2
		add	esi, 0C0000434h
		test	cl, 1
		jnz	loc_4A3FAA
		mov	al, [edi+16h]
		or	al, 10h
		cmp	word ptr [edi+14h], 0
		mov	[edi+16h], al
		jnz	short loc_4A3EC0
		xor	edx, edx
		mov	ecx, edi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		mov	ecx, edi
		test	eax, eax
		jnz	short loc_4A3EB6
		xor	edx, edx
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)

loc_4A3EAC:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+519j
		mov	esi, 0C0000434h
		jmp	loc_4A3FAA
; 

loc_4A3EB6:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+493j
		mov	edx, 8
		jmp	loc_4A3FA5
; 

loc_4A3EC0:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+484j
		and	al, 0FBh
		or	al, 3
		mov	[edi+16h], al
		jmp	loc_4A3FAA
; 

loc_4A3ECC:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+433j
		test	al, 28h
		jnz	loc_4A3FAA
		push	1
		mov	edx, 1
		lea	ecx, [edi+8]
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	ecx, [ebp+arg_14]
		mov	[ecx], eax
		or	eax, edx
		mov	[ecx+4], edx
		jz	short loc_4A3EF8
		mov	eax, [ebp+arg_10]
		mov	dword ptr [eax], offset	_MiSystemPartition

loc_4A3EF8:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+4DDj
		mov	eax, [edi+0Ch]
		push	eax
		mov	eax, [edi+8]
		push	eax
		push	0
		push	1
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		and	eax, 0FFFFFFFDh
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], eax
		mov	[edi+8], eax
		mov	[edi+0Ch], edx
		jmp	loc_4A3FAA
; 

loc_4A3F1D:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+42Aj
		cmp	dl, 3
		jnz	loc_4A3FAA
		cmp	ecx, 1
		jz	short loc_4A3EAC
		test	al, 8
		jnz	short loc_4A3FAA
		test	ecx, ecx
		jnz	short loc_4A3FAA
		test	al, 20h
		jnz	short loc_4A3FAA
		and	al, 0EFh
		mov	[edi+16h], al
		cmp	[edi+14h], si
		jnz	short loc_4A3F4D
		xor	edx, edx
		mov	ecx, edi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		jmp	short loc_4A3F54
; 

loc_4A3F4D:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+530j
		and	al, 0FAh
		or	al, 2
		mov	[edi+16h], al

loc_4A3F54:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+53Bj
		push	1
		mov	edx, 1
		lea	ecx, [edi+8]
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	ecx, [ebp+arg_14]
		mov	[ecx], eax
		or	eax, edx
		mov	[ecx+4], edx
		jz	short loc_4A3F78
		mov	eax, [ebp+arg_10]
		mov	dword ptr [eax], offset	_MiSystemPartition

loc_4A3F78:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+55Dj
		mov	eax, [edi+0Ch]
		push	eax
		mov	eax, [edi+8]
		push	eax
		push	0
		push	1
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		and	eax, 0FFFFFFFDh
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], eax
		mov	[edi+8], eax
		mov	[edi+0Ch], edx
		cmp	[edi+14h], si
		jnz	short loc_4A3FAA
		mov	edx, 4
		mov	ecx, edi

loc_4A3FA5:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+4ABj
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)

loc_4A3FAA:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+471j
					; MiActOnPte(x,x,x,x,x,x,x,x)+4A1j ...
		lea	ecx, [edi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4A3FC0:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+CBj
		mov	edx, [ebp+arg_8]
		cmp	edx, 2
		jz	loc_4A4112
		mov	eax, edi
		or	eax, ebx
		jnz	short loc_4A404A
		test	esi, esi
		jnz	loc_4A3C24
		test	edx, edx
		jnz	loc_4A3C24
		mov	eax, [ebp+var_10]
		lea	edx, [ebp+var_14]
		mov	edi, ecx
		shl	edi, 9
		push	eax
		mov	ecx, edi
		call	MiCheckUserVirtualAddress
		test	eax, eax
		jnz	loc_4A3C24
		mov	esi, [ebp+var_14]
		cmp	esi, 18h
		jz	loc_4A3C24
		lea	edx, [eax+1]
		mov	ecx, edi
		call	MiUpdatePageTableUseCount
		push	1
		push	0
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		and	esi, 1Fh
		xor	ecx, ecx
		shld	ecx, esi, 5
		and	eax, 0FFFFFC1Fh
		or	edx, ecx
		shl	esi, 5
		mov	ecx, [ebp+arg_0]
		or	eax, esi
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], edx
		mov	[ecx], eax
		xor	eax, eax
		mov	[ecx+4], edx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4A404A:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+5C0j
		push	ebx
		push	edi
		call	_IS_PTE_NOT_DEMAND_ZERO@8 ; IS_PTE_NOT_DEMAND_ZERO(x,x)
		test	eax, eax
		jnz	short loc_4A40C3
		cmp	[ebp+arg_8], 1
		jnz	short loc_4A407A
		push	ebx
		push	edi
		call	_MI_IS_RESET_PTE@8 ; MI_IS_RESET_PTE(x,x)
		test	eax, eax
		jz	loc_4A3C24
		lea	ecx, [ebp+var_20]
		call	_MI_CLEAR_RESET_PTE@4 ;	MI_CLEAR_RESET_PTE(x)
		mov	edx, [ebp+var_1C]
		mov	eax, [ebp+var_20]
		jmp	short loc_4A40AC
; 

loc_4A407A:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+649j
		mov	ecx, edi
		mov	eax, ebx
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_4A409B
		push	ebx
		push	edi
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		and	edi, 0FFFFFFFDh

loc_4A409B:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+675j
		push	ebx
		push	edi
		push	0
		push	1
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], edx

loc_4A40AC:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+668j
		test	esi, esi
		jnz	short loc_4A40B3
		mov	esi, [ebp+arg_0]

loc_4A40B3:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+69Ej
		mov	[esi], eax
		xor	eax, eax
		mov	[esi+4], edx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4A40C3:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+643j
		cmp	[ebp+arg_8], 1
		jz	loc_4A3C24
		push	0
		mov	edx, 1
		lea	ecx, [ebp+var_20]
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	ecx, [ebp+arg_14]
		mov	[ecx], eax
		or	eax, edx
		mov	[ecx+4], edx
		jz	short loc_4A4112
		mov	eax, [ebp+arg_10]
		mov	dword ptr [eax], offset	_MiSystemPartition
		test	esi, esi
		jnz	short loc_4A4107
		mov	eax, [ebp+var_C]
		or	ecx, 0FFFFFFFFh
		add	eax, 14Ch
		lock xadd [eax], ecx
		mov	esi, [ebp+arg_0]

loc_4A4107:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+6E3j
		mov	eax, [ebp+var_20]
		mov	[esi], eax
		mov	eax, [ebp+var_1C]
		mov	[esi+4], eax

loc_4A4112:				; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+BBj
					; MiActOnPte(x,x,x,x,x,x,x,x)+26Dj ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_MiActOnPte@32	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdatePageFileHighInPte(x, x, x, x)
_MiUpdatePageFileHighInPte@16 proc near	; CODE XREF: .text:0045AB9Bp
					; .text:00473606p ...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	eax, edi
		or	eax, ecx
		jz	short loc_4A419B
		mov	edx, dword_6D0700
		mov	eax, edx
		mov	esi, dword_6D0704
		or	eax, esi
		jz	short loc_4A4158
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4A4196
		not	edx
		not	esi
		and	edi, edx
		and	ecx, esi

loc_4A4158:				; CODE XREF: MiUpdatePageFileHighInPte(x,x,x,x)+24j
					; MiUpdatePageFileHighInPte(x,x,x,x)+79j
		mov	[ebp+arg_C], ecx

loc_4A415B:				; CODE XREF: MiUpdatePageFileHighInPte(x,x,x,x)+80j
		mov	edx, dword_6D0700
		xor	ebx, ebx
		or	ebx, [ebp+arg_0]
		mov	eax, edx
		mov	ecx, dword_6D0704
		or	eax, ecx
		mov	[ebp+arg_C], edx
		jz	short loc_4A4186
		mov	esi, edx
		mov	edx, ecx
		and	esi, edi
		and	edx, ebx
		or	esi, edx
		jnz	short loc_4A4191
		or	edi, [ebp+arg_C]
		or	ebx, ecx

loc_4A4186:				; CODE XREF: MiUpdatePageFileHighInPte(x,x,x,x)+53j
					; MiUpdatePageFileHighInPte(x,x,x,x)+74j
		mov	eax, edi
		mov	edx, ebx
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_4A4191:				; CODE XREF: MiUpdatePageFileHighInPte(x,x,x,x)+5Fj
		or	edi, 10h
		jmp	short loc_4A4186
; 

loc_4A4196:				; CODE XREF: MiUpdatePageFileHighInPte(x,x,x,x)+2Ej
		and	edi, 0FFFFFFEFh
		jmp	short loc_4A4158
; 

loc_4A419B:				; CODE XREF: MiUpdatePageFileHighInPte(x,x,x,x)+12j
		xor	edi, edi
		mov	[ebp+arg_C], edi
		jmp	short loc_4A415B
_MiUpdatePageFileHighInPte@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IS_PTE_NOT_DEMAND_ZERO(x, x)
_IS_PTE_NOT_DEMAND_ZERO@8 proc near	; CODE XREF: .text:00453BFFp
					; MiResolvePrivateZeroFault(x)+3DFp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jnz	short loc_4A4208
		mov	eax, dword_6D0704
		push	esi
		mov	esi, dword_6D0700
		mov	ecx, esi
		or	ecx, eax
		push	edi
		jz	short loc_4A41E3
		mov	ecx, edx
		and	ecx, 10h
		or	ecx, 0
		jnz	short loc_4A41E3
		not	esi
		and	edx, esi

loc_4A41E3:				; CODE XREF: IS_PTE_NOT_DEMAND_ZERO(x,x)+23j
					; IS_PTE_NOT_DEMAND_ZERO(x,x)+2Dj
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		pop	edi
		pop	esi
		jnz	short loc_4A4208
		mov	eax, edx
		and	eax, 800h
		or	eax, 0
		jnz	short loc_4A4208
		and	edx, 4
		or	edx, eax
		jnz	short loc_4A4208

loc_4A4204:				; CODE XREF: IS_PTE_NOT_DEMAND_ZERO(x,x)+5Dj
		pop	ebp
		retn	8
; 

loc_4A4208:				; CODE XREF: IS_PTE_NOT_DEMAND_ZERO(x,x)+10j
					; IS_PTE_NOT_DEMAND_ZERO(x,x)+3Fj ...
		mov	eax, 1
		jmp	short loc_4A4204
_IS_PTE_NOT_DEMAND_ZERO@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdatePfnPriority(x, x, x)
_MiUpdatePfnPriority@12	proc near	; CODE XREF: .text:0045E2ADp
					; MiPfPutPagesInTransition+516p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[esp+10h+var_4], edx
		mov	esi, ecx
		mov	ebx, 0FFh
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		mov	edi, eax
		cmp	edx, edi
		jz	loc_4A42BD
		jnb	short loc_4A424C
		cmp	[ebp+arg_0], 0
		jz	short loc_4A42BD
		cmp	edi, 5
		jbe	short loc_4A424C
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_4A42BD

loc_4A424C:				; CODE XREF: MiUpdatePfnPriority(x,x,x)+26j
					; MiUpdatePfnPriority(x,x,x)+31j
		mov	al, [esi+16h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_4A4286
		test	edi, edi
		jnz	short loc_4A427D
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, edi
		jnz	short loc_4A427D
		push	dword ptr [esi+0Ch]
		mov	ecx, offset _MiSystemPartition
		push	dword ptr [esi+8]
		call	_MiIsPteInStore@16 ; MiIsPteInStore(x,x,x,x)
		test	eax, eax
		jnz	short loc_4A42BD
		mov	edx, [esp+10h+var_4]

loc_4A427D:				; CODE XREF: MiUpdatePfnPriority(x,x,x)+47j
					; MiUpdatePfnPriority(x,x,x)+53j
		mov	ecx, esi
		call	_MiRelinkStandbyPage@8 ; MiRelinkStandbyPage(x,x)
		jmp	short loc_4A42BD
; 

loc_4A4286:				; CODE XREF: MiUpdatePfnPriority(x,x,x)+43j
		cmp	al, 6
		jnz	short loc_4A429B
		mov	eax, [esi+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jbe	short loc_4A429B
		cmp	edx, edi
		jb	short loc_4A42BD

loc_4A429B:				; CODE XREF: MiUpdatePfnPriority(x,x,x)+78j
					; MiUpdatePfnPriority(x,x,x)+85j
		mov	al, [esi+17h]
		xor	al, dl
		and	al, 7
		xor	[esi+17h], al
		cmp	edi, 5
		jb	short loc_4A42B3
		cmp	edx, 5
		jnb	short loc_4A42BD
		mov	bl, 7
		jmp	short loc_4A42BD
; 

loc_4A42B3:				; CODE XREF: MiUpdatePfnPriority(x,x,x)+98j
		cmp	edx, 5
		setz	al
		dec	al
		and	bl, al

loc_4A42BD:				; CODE XREF: MiUpdatePfnPriority(x,x,x)+20j
					; MiUpdatePfnPriority(x,x,x)+2Cj ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiUpdatePfnPriority@12	endp


;  S U B	R O U T	I N E 


; __stdcall MiFreeModWriterEntry(x, x)
_MiFreeModWriterEntry@8	proc near	; CODE XREF: MiWriteComplete+2FEp
					; MiMappedPageWriter+15Bp ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx+78h]
		push	edi
		push	0
		push	ecx
		mov	edi, edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edx, edx
		mov	ecx, esi
		push	edi
		inc	edx
		call	_MiReleaseWriteInProgressCharges@12 ; MiReleaseWriteInProgressCharges(x,x,x)
		pop	edi
		pop	esi
		retn
_MiFreeModWriterEntry@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReleaseWriteInProgressCharges(x, x, x)
_MiReleaseWriteInProgressCharges@12 proc near ;	CODE XREF: MiFreeModWriterEntry(x,x)+17p
					; MiGatherPagefilePages+131E5Dp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jz	short loc_4A4302
		call	MiReturnCommit
		mov	edx, edi
		mov	ecx, esi

loc_4A4302:				; CODE XREF: MiReleaseWriteInProgressCharges(x,x,x)+Fj
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	short loc_4A4311

loc_4A430B:				; CODE XREF: MiReleaseWriteInProgressCharges(x,x,x)+33j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4A4311:				; CODE XREF: MiReleaseWriteInProgressCharges(x,x,x)+21j
		lea	ecx, [esi+1000h]
		lock xadd [ecx], eax
		jmp	short loc_4A430B
_MiReleaseWriteInProgressCharges@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


MiReturnResavailToPrcb proc near	; CODE XREF: MiDeleteProcessShadow+1D6p
					; MiReleaseNonPagedResources(x,x)+11p ...

; FUNCTION CHUNK AT 005BDB6E SIZE 00000012 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		cmp	ecx, offset _MiSystemPartition
		jnz	short loc_4A4383
		mov	eax, large fs:20h
		lea	edi, [eax+3D30h]
		mov	edx, [edi]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_4A4383
		lea	eax, [edx+esi]
		mov	ebx, 100h

loc_4A4348:				; CODE XREF: MiReturnResavailToPrcb+11985Dj
		cmp	eax, ebx
		ja	short loc_4A4363
		lea	ecx, [edx+esi]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	loc_5BDB6E
		xor	eax, eax

loc_4A435F:				; CODE XREF: MiReturnResavailToPrcb+67j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4A4363:				; CODE XREF: MiReturnResavailToPrcb+2Cj
					; MiReturnResavailToPrcb+119855j
		mov	ecx, 0C0h
		cmp	edx, ecx
		jle	short loc_4A4383
		cmp	edx, 0FFFFFFFFh
		jz	short loc_4A4383
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_4A4383
		add	esi, 0FFFFFF40h
		add	esi, edx

loc_4A4383:				; CODE XREF: MiReturnResavailToPrcb+Dj
					; MiReturnResavailToPrcb+20j ...
		mov	eax, esi
		jmp	short loc_4A435F
MiReturnResavailToPrcb endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiIsRetryIoStatus(x, x)
_MiIsRetryIoStatus@8 proc near		; CODE XREF: .text:00449407p
					; MiFlushSectionInternal+61Cp ...
		cmp	ecx, 0C000009Ah
		jz	short loc_4A43B5
		cmp	ecx, 0C00000A1h
		jz	short loc_4A43B5
		cmp	ecx, 0C0000017h
		jz	short loc_4A43B5
		cmp	edx, 1000h
		ja	short loc_4A43AB

loc_4A43A8:				; CODE XREF: MiIsRetryIoStatus(x,x)+2Bj
		xor	eax, eax
		retn
; 

loc_4A43AB:				; CODE XREF: MiIsRetryIoStatus(x,x)+1Ej
		push	ecx
		call	_FsRtlIsTotalDeviceFailure@4 ; FsRtlIsTotalDeviceFailure(x)
		test	al, al
		jnz	short loc_4A43A8

loc_4A43B5:				; CODE XREF: MiIsRetryIoStatus(x,x)+6j
					; MiIsRetryIoStatus(x,x)+Ej ...
		xor	eax, eax
		inc	eax
		retn
_MiIsRetryIoStatus@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmIsWriteErrorFatal proc near		; CODE XREF: CcIsFatalWriteError+70p
					; MiWriteComplete+BAp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BDB80 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	eax, 0C0000054h
		jnz	loc_5BDB80

loc_4A43CD:				; CODE XREF: MmIsWriteErrorFatal+1197C8j
					; MmIsWriteErrorFatal+1197D6j
		cmp	eax, 0C0000098h
		jz	short loc_4A440F
		cmp	eax, 0C0000102h
		jz	short loc_4A440F
		cmp	eax, 0C000026Eh
		jz	short loc_4A440F
		cmp	eax, 0C000000Eh
		jz	short loc_4A440F
		cmp	eax, 0C000009Dh
		jz	loc_5BDB95
		cmp	eax, 0C00000A2h
		jz	loc_5BDBAA

loc_4A43FF:				; CODE XREF: MmIsWriteErrorFatal+1197E5j
					; MmIsWriteErrorFatal+1197F8j
		push	eax
		call	_FsRtlIsTotalDeviceFailure@4 ; FsRtlIsTotalDeviceFailure(x)
		test	al, al
		jz	short loc_4A440F
		xor	eax, eax

loc_4A440B:				; CODE XREF: MmIsWriteErrorFatal+58j
		pop	ebp
		retn	4
; 

loc_4A440F:				; CODE XREF: MmIsWriteErrorFatal+18j
					; MmIsWriteErrorFatal+1Fj ...
		xor	eax, eax
		inc	eax
		jmp	short loc_4A440B
MmIsWriteErrorFatal endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 575. FsRtlIsTotalDeviceFailure

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlIsTotalDeviceFailure(x)
		public _FsRtlIsTotalDeviceFailure@4
_FsRtlIsTotalDeviceFailure@4 proc near	; CODE XREF: MiIsRetryIoStatus(x,x)+24p
					; MmIsWriteErrorFatal+46p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jns	short loc_4A4441
		cmp	eax, 0C000003Fh
		jz	short loc_4A4441
		cmp	eax, 0C000009Ch
		jz	short loc_4A4441
		cmp	eax, 0C0000470h
		jz	short loc_4A4441
		mov	al, 1

loc_4A443D:				; CODE XREF: FsRtlIsTotalDeviceFailure(x)+29j
		pop	ebp
		retn	4
; 

loc_4A4441:				; CODE XREF: FsRtlIsTotalDeviceFailure(x)+Aj
					; FsRtlIsTotalDeviceFailure(x)+11j ...
		xor	al, al
		jmp	short loc_4A443D
_FsRtlIsTotalDeviceFailure@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlReleaseFileForModWrite proc near	; CODE XREF: MiWriteComplete+56Bp
					; MiGatherMappedPages+250p

var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_132		= byte ptr -132h
var_131		= byte ptr -131h
var_130		= dword	ptr -130h
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_10C		= byte ptr -10Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BDBB7 SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_140], edx
		push	124h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_130]
		mov	ebx, ecx
		push	eax		; void *
		mov	[ebp+var_138], ebx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_130]
		mov	[ebp+var_144], eax
		xor	eax, eax
		mov	esi, eax
		mov	[ebp+var_131], al
		mov	[ebp+var_132], al
		push	ebx
		mov	[ebp+var_13C], eax
		call	IoGetRelatedDeviceObject
		push	ebx
		mov	[ebp+var_148], eax
		call	_IoGetBaseFileSystemDeviceObject@4 ; IoGetBaseFileSystemDeviceObject(x)
		mov	ebx, eax
		mov	eax, [ebx+8]
		mov	ecx, [eax+28h]
		mov	eax, [eax+18h]
		mov	[ebp+var_14C], ecx
		mov	edi, [eax+18h]
		test	edi, edi
		jz	short loc_4A44ED
		mov	eax, [edi]
		cmp	eax, 34h
		jb	short loc_4A44DF
		cmp	[edi+30h], esi
		jnz	loc_5BDBB7

loc_4A44DF:				; CODE XREF: FsRtlReleaseFileForModWrite+8Ej
		cmp	eax, 38h
		jb	short loc_4A44ED
		cmp	[edi+34h], esi
		jnz	loc_5BDBB7

loc_4A44ED:				; CODE XREF: FsRtlReleaseFileForModWrite+87j
					; FsRtlReleaseFileForModWrite+9Cj
		mov	al, [ebp+var_131]

loc_4A44F3:				; CODE XREF: FsRtlReleaseFileForModWrite+119773j
		mov	edx, [ebp+var_148]
		cmp	edx, ebx
		jz	loc_5BDBBE

loc_4A4501:				; CODE XREF: FsRtlReleaseFileForModWrite+11977Aj
		push	0
		push	[ebp+var_138]
		push	ecx
		push	edx
		mov	dl, 0FCh
		lea	ecx, [ebp+var_130]
		call	FsFilterCtrlInit
		mov	eax, [ebp+var_140]
		lea	ecx, [ebp+var_130]
		mov	[ebp+var_120], eax
		xor	dl, dl
		lea	eax, [ebp+var_13C]
		push	eax
		push	1
		call	FsFilterPerformCallbacks
		mov	esi, eax
		test	esi, esi
		js	loc_5BDC0C
		jnz	loc_5BDBFB
		test	[ebp+var_10C], 4
		mov	edx, [ebp+var_124]
		mov	[ebp+var_138], edx
		jnz	loc_5BDBD0
		mov	ecx, [ebp+var_14C]

loc_4A4569:				; CODE XREF: FsRtlReleaseFileForModWrite+1197B0j
		test	edi, edi
		jz	short loc_4A4585
		mov	eax, [edi]
		cmp	eax, 34h
		jb	short loc_4A457A
		cmp	dword ptr [edi+30h], 0
		jnz	short loc_4A45A8

loc_4A457A:				; CODE XREF: FsRtlReleaseFileForModWrite+12Cj
		cmp	eax, 38h
		jb	short loc_4A4585
		cmp	dword ptr [edi+34h], 0
		jnz	short loc_4A45A8

loc_4A4585:				; CODE XREF: FsRtlReleaseFileForModWrite+125j
					; FsRtlReleaseFileForModWrite+137j
		test	ecx, ecx
		jz	short loc_4A45F2
		cmp	dword ptr [ecx], 68h
		jb	short loc_4A45F2
		mov	eax, [ecx+64h]
		test	eax, eax
		jz	short loc_4A45F2
		push	ebx
		push	[ebp+var_140]
		push	edx
		call	eax
		mov	esi, eax

loc_4A45A1:				; CODE XREF: FsRtlReleaseFileForModWrite+1B1j
		or	[ebp+var_13C], 1

loc_4A45A8:				; CODE XREF: FsRtlReleaseFileForModWrite+132j
					; FsRtlReleaseFileForModWrite+13Dj
		cmp	[ebp+var_132], 0
		jnz	short loc_4A45F9

loc_4A45B1:				; CODE XREF: FsRtlReleaseFileForModWrite+1BAj
					; FsRtlReleaseFileForModWrite+1197C1j
		test	esi, esi
		js	loc_5BDC0C

loc_4A45B9:				; CODE XREF: FsRtlReleaseFileForModWrite+1197CDj
		xor	ecx, ecx

loc_4A45BB:				; CODE XREF: FsRtlReleaseFileForModWrite+1197E2j
		mov	eax, [ebp+var_144]
		test	eax, eax
		jz	short loc_4A45E3
		cmp	[eax+2Eh], cx
		jbe	short loc_4A45D8
		mov	edx, esi
		lea	ecx, [ebp+var_130]
		call	_FsFilterPerformCompletionCallbacks@8 ;	FsFilterPerformCompletionCallbacks(x,x)

loc_4A45D8:				; CODE XREF: FsRtlReleaseFileForModWrite+183j
		lea	ecx, [ebp+var_130]
		call	_FsFilterCtrlFree@4 ; FsFilterCtrlFree(x)

loc_4A45E3:				; CODE XREF: FsRtlReleaseFileForModWrite+17Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4A45F2:				; CODE XREF: FsRtlReleaseFileForModWrite+141j
					; FsRtlReleaseFileForModWrite+146j ...
		mov	esi, 0C0000010h
		jmp	short loc_4A45A1
; 

loc_4A45F9:				; CODE XREF: FsRtlReleaseFileForModWrite+169j
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	short loc_4A45B1
FsRtlReleaseFileForModWrite endp


;  S U B	R O U T	I N E 


; __stdcall NtYieldExecution()
_NtYieldExecution@0 proc near		; DATA XREF: .text:00580B90o
		push	0
		call	KeYieldExecution
		retn
_NtYieldExecution@0 endp

; 
		align 10h
; Exported entry 1121. KeDelayExecutionThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeDelayExecutionThread(x, x, x)
		public _KeDelayExecutionThread@12
_KeDelayExecutionThread@12 proc	near	; CODE XREF: .text:004786C3p
					; SMKM_STORE<SM_TRAITS>::SmStAcquireStoreLockExclusive(SMKM_STORE<SM_TRAITS> *)+77p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	bl, byte ptr [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, large fs:124h
		mov	[ebp+var_C], 0
		mov	eax, [esi]
		or	eax, [esi+4]
		mov	[ebp+var_8], 0
		mov	[ebp+var_4], 0
		jnz	short loc_4A4667
		test	bl, bl
		jz	short loc_4A4667
		cmp	byte ptr [ebp+arg_4], 0
		jnz	short loc_4A4667
		test	byte ptr [edi+86h], 2
		jnz	short loc_4A4667

loc_4A4657:				; CODE XREF: KeDelayExecutionThread(x,x,x)+FBj
		push	0
		call	KeYieldExecution

loc_4A465E:				; CODE XREF: KeDelayExecutionThread(x,x,x)+83j
					; KeDelayExecutionThread(x,x,x)+D4j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4A4667:				; CODE XREF: KeDelayExecutionThread(x,x,x)+32j
					; KeDelayExecutionThread(x,x,x)+36j ...
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_C]
		mov	ecx, edi
		push	eax
		push	1
		call	_KiCheckWaitNext@20 ; KiCheckWaitNext(x,x,x,x,x)
		mov	byte ptr [ebp+arg_0], al
		lea	ecx, [ecx+0]

loc_4A4680:				; CODE XREF: KeDelayExecutionThread(x,x,x)+119j
		push	[ebp+arg_4]
		mov	dl, bl
		mov	ecx, edi
		push	4
		call	KiBeginThreadWait
		mov	[ebp+arg_8], eax
		test	eax, eax
		jnz	short loc_4A465E
		push	[ebp+var_8]
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		push	[ebp+var_C]
		call	KiCheckDueTimeExpired
		test	eax, eax
		jnz	short loc_4A46F5
		push	eax
		push	[ebp+var_8]
		mov	dword ptr [edi+0F0h], 0FFFFFFFFh
		lea	edx, [edi+0E0h]
		push	[ebp+var_C]
		mov	byte ptr [edi+0E9h], 5
		mov	ecx, edi
		push	[ebp+var_4]
		mov	byte ptr [edi+16Bh], 1
		call	KiCommitThreadWait
		cmp	eax, 100h
		jz	short loc_4A4719
		cmp	eax, 102h
		jnz	loc_4A465E
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4A46F5:				; CODE XREF: KeDelayExecutionThread(x,x,x)+97j
		push	[ebp+arg_0]
		mov	ecx, large fs:20h
		mov	edx, edi
		call	_KiFastExitThreadWait@12 ; KiFastExitThreadWait(x,x,x)
		mov	eax, [esi]
		or	eax, [esi+4]
		jz	loc_4A4657
		mov	eax, [ebp+arg_8]
		jmp	loc_4A465E
; 

loc_4A4719:				; CODE XREF: KeDelayExecutionThread(x,x,x)+CDj
		mov	byte ptr [ebp+arg_0], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[edi+92h], al
		jmp	loc_4A4680
_KeDelayExecutionThread@12 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry   6.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeYieldExecution
KeYieldExecution proc near		; CODE XREF: NtYieldExecution()+2p
					; KeDelayExecutionThread(x,x,x)+49p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BDC2D SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_0]
		test	ebx, 0FFFFFFFEh
		jnz	loc_5BDC2D
		mov	eax, large fs:20h
		cmp	dword ptr [eax+3B20h], 0
		jnz	short loc_4A4780
		mov	eax, [eax+4024h]
		mov	eax, [eax+4]
		test	eax, eax
		jnz	short loc_4A4780
		mov	eax, 40000024h

loc_4A4779:				; CODE XREF: KeYieldExecution+EEj
					; KeYieldExecution+1194F2j
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4A4780:				; CODE XREF: KeYieldExecution+25j
					; KeYieldExecution+32j
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	[ebp+var_4], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, large fs:20h
		mov	byte ptr [ebp+arg_0+3],	al
		cmp	dword ptr [esi+3B20h], 0
		jz	loc_4A4833

loc_4A47A9:				; CODE XREF: KeYieldExecution+FDj
		xor	edx, edx
		mov	ecx, edi
		call	KiAbProcessContextSwitch
		add	edi, 2Ch
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], edi
		nop

loc_4A47C0:				; CODE XREF: KeYieldExecution+119505j
		lock bts dword ptr [edi], 0
		jb	loc_5BDC37
		lea	edi, [esi+2224h]
		mov	[ebp+var_10], 0
		mov	[ebp+var_14], edi
		jmp	short loc_4A47E0
; 
		align 10h

loc_4A47E0:				; CODE XREF: KeYieldExecution+9Bj
					; KeYieldExecution+1E4j
		lock bts dword ptr [edi], 0
		jb	loc_4A4916
		mov	edi, [esi+8]
		test	edi, edi
		jnz	short loc_4A4845
		mov	ecx, 1
		xor	edx, edx
		test	bl, cl
		jnz	loc_5BDC4A

loc_4A4801:				; CODE XREF: KeYieldExecution+119514j
					; KeYieldExecution+119521j
		push	ecx
		mov	ecx, esi
		call	KiSelectReadyThreadEx
		mov	edi, eax
		test	edi, edi
		jnz	short loc_4A4845
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		lock and [eax],	ecx
		mov	eax, [ebp+var_8]
		mov	[eax], ecx

loc_4A481C:				; CODE XREF: KeYieldExecution+103j
		mov	esi, 40000024h

loc_4A4821:				; CODE XREF: KeYieldExecution+1D1j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		jmp	loc_4A4779
; 

loc_4A4833:				; CODE XREF: KeYieldExecution+63j
		mov	ecx, [esi+4024h]
		cmp	dword ptr [ecx+4], 0
		jnz	loc_4A47A9
		jmp	short loc_4A481C
; 

loc_4A4845:				; CODE XREF: KeYieldExecution+B0j
					; KeYieldExecution+CDj
		cmp	byte ptr [esi+11h], 0
		jnz	loc_5BDC66
		cli
		mov	ebx, [ebp+var_4]
		mov	ecx, esi
		push	0
		mov	edx, ebx
		call	_KiUpdateTotalCyclesCurrentThread@12 ; KiUpdateTotalCyclesCurrentThread(x,x,x)
		sti

loc_4A485F:				; CODE XREF: KeYieldExecution+11952Fj
		push	0
		push	edx
		movzx	edx, byte ptr [ebx+193h]
		mov	ecx, ebx
		push	eax
		call	_KiComputeQuantumTargetThread@20 ; KiComputeQuantumTargetThread(x,x,x,x,x)
		mov	dl, 1
		mov	ecx, ebx
		call	KiComputeNewPriority
		mov	ecx, [ebp+var_4]
		movsx	ebx, al
		push	1
		mov	dl, bl
		call	KiAbProcessThreadPriorityModification
		mov	eax, [ebp+var_4]
		mov	[eax+87h], bl
		mov	eax, [ebp+var_8]
		mov	dword ptr [eax], 0
		mov	dword ptr [esi+8], 0
		cli
		mov	ebx, [ebp+var_4]
		mov	ecx, esi
		push	0
		mov	edx, ebx
		call	KiEndThreadCycleAccumulation
		sti
		test	byte ptr [edi+2], 4
		jnz	short loc_4A4929

loc_4A48B8:				; CODE XREF: KeYieldExecution+1F8j
		mov	cl, [edi+87h]

loc_4A48BE:				; CODE XREF: KeYieldExecution+1F6j
		mov	eax, [esi+33Ch]
		mov	[eax], cl
		mov	[esi+4], edi
		mov	al, [edi+90h]
		cmp	al, 1
		jnz	short loc_4A48E4
		mov	eax, ds:_KeTickCount
		sub	eax, [edi+138h]
		add	[edi+170h], eax

loc_4A48E4:				; CODE XREF: KeYieldExecution+191j
		mov	al, byte ptr [ebp+arg_0+3]
		mov	edx, ebx
		mov	byte ptr [edi+90h], 2
		mov	ecx, esi
		mov	byte ptr [ebx+18Bh], 21h
		mov	[ebx+92h], al
		call	KiQueueReadyThread
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	@KiSwapContext@12 ; KiSwapContext(x,x,x)
		xor	esi, esi
		jmp	loc_4A4821
; 

loc_4A4916:				; CODE XREF: KeYieldExecution+A5j
					; KeYieldExecution+1E2j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_4A4916
		jmp	loc_4A47E0
; 

loc_4A4929:				; CODE XREF: KeYieldExecution+176j
		mov	edx, esi
		mov	ecx, edi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_4A48BE
		jmp	loc_4A48B8
KeYieldExecution endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlAcquireFileForModWriteEx proc near	; CODE XREF: MiGatherMappedPages+222p

var_15E		= byte ptr -15Eh
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_14E		= byte ptr -14Eh
var_14D		= byte ptr -14Dh
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_10C		= byte ptr -10Ch
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BDC74 SIZE 0000019F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 154h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+154h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[esp+160h+var_140], eax
		mov	ebx, ecx
		xor	eax, eax
		mov	[esp+160h+var_148], edx
		push	124h		; size_t
		push	eax		; int
		lea	eax, [esp+168h+var_130]
		mov	[esp+168h+var_14C], ebx
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+160h+var_130]
		mov	[esp+160h+var_138], eax
		xor	eax, eax
		mov	esi, eax
		mov	[esp+160h+var_14E], al
		mov	[esp+160h+var_14D], al
		push	ebx
		mov	[esp+164h+var_144], eax
		call	IoGetRelatedDeviceObject
		push	ebx
		mov	[esp+164h+var_134], eax
		call	_IoGetBaseFileSystemDeviceObject@4 ; IoGetBaseFileSystemDeviceObject(x)
		mov	ecx, eax
		mov	[esp+160h+var_13C], ecx
		mov	eax, [ecx+8]
		mov	ebx, [eax+28h]
		mov	eax, [eax+18h]
		mov	edi, [eax+18h]
		test	edi, edi
		jz	short loc_4A49DF
		mov	eax, [edi]
		cmp	eax, 2Ch
		jb	short loc_4A49D1
		cmp	[edi+28h], esi
		jnz	loc_5BDC74

loc_4A49D1:				; CODE XREF: FsRtlAcquireFileForModWriteEx+88j
		cmp	eax, 30h
		jb	short loc_4A49DF
		cmp	[edi+2Ch], esi
		jnz	loc_5BDC74

loc_4A49DF:				; CODE XREF: FsRtlAcquireFileForModWriteEx+81j
					; FsRtlAcquireFileForModWriteEx+96j
		mov	al, [esp+160h+var_14E]

loc_4A49E3:				; CODE XREF: FsRtlAcquireFileForModWriteEx+119338j
		mov	edx, [esp+160h+var_134]
		cmp	edx, ecx
		jz	loc_5BDC7B

loc_4A49EF:				; CODE XREF: FsRtlAcquireFileForModWriteEx+11933Fj
		push	1
		push	[esp+164h+var_14C]
		push	ecx
		push	edx
		mov	dl, 0FDh
		lea	ecx, [esp+170h+var_130]
		call	FsFilterCtrlInit
		test	eax, eax
		js	loc_4A4ACD
		mov	eax, [esp+160h+var_148]
		lea	ecx, [esp+160h+var_130]
		mov	[esp+160h+var_120], eax
		mov	dl, 1
		mov	eax, [esp+160h+var_140]
		mov	[esp+160h+var_11C], eax
		lea	eax, [esp+160h+var_144]
		push	eax
		push	1
		call	FsFilterPerformCallbacks
		mov	esi, eax
		test	esi, esi
		js	short loc_4A4A99
		jnz	loc_5BDCB9
		test	[esp+160h+var_10C], 4
		mov	edx, [esp+160h+var_124]
		mov	[esp+160h+var_14C], edx
		jnz	loc_5BDC8B
		mov	ecx, [esp+160h+var_13C]

loc_4A4A4F:				; CODE XREF: FsRtlAcquireFileForModWriteEx+119376j
		test	edi, edi
		jz	short loc_4A4A6B
		mov	eax, [edi]
		cmp	eax, 2Ch
		jb	short loc_4A4A60
		cmp	dword ptr [edi+28h], 0
		jnz	short loc_4A4A8E

loc_4A4A60:				; CODE XREF: FsRtlAcquireFileForModWriteEx+11Aj
		cmp	eax, 30h
		jb	short loc_4A4A6B
		cmp	dword ptr [edi+2Ch], 0
		jnz	short loc_4A4A8E

loc_4A4A6B:				; CODE XREF: FsRtlAcquireFileForModWriteEx+113j
					; FsRtlAcquireFileForModWriteEx+125j
		test	ebx, ebx
		jz	short loc_4A4AE4
		cmp	dword ptr [ebx], 40h
		jb	short loc_4A4AE4
		mov	eax, [ebx+3Ch]
		test	eax, eax
		jz	short loc_4A4AE4
		push	ecx
		push	[esp+164h+var_140]
		push	[esp+168h+var_148]
		push	edx
		call	eax
		mov	esi, eax

loc_4A4A89:				; CODE XREF: FsRtlAcquireFileForModWriteEx+1ABj
		or	[esp+170h+var_154], 1

loc_4A4A8E:				; CODE XREF: FsRtlAcquireFileForModWriteEx+120j
					; FsRtlAcquireFileForModWriteEx+12Bj
		cmp	byte ptr [esp+13h], 0
		jnz	loc_5BDCCA

loc_4A4A99:				; CODE XREF: FsRtlAcquireFileForModWriteEx+F2j
					; FsRtlAcquireFileForModWriteEx+119387j ...
		cmp	esi, 0C0000010h
		jz	loc_5BDCDD

loc_4A4AA5:				; CODE XREF: FsRtlAcquireFileForModWriteEx+1193A4j
					; FsRtlAcquireFileForModWriteEx+1194B5j
		xor	ecx, ecx

loc_4A4AA7:				; CODE XREF: FsRtlAcquireFileForModWriteEx+1193D0j
		mov	eax, [esp+170h+var_148]
		test	eax, eax
		jz	short loc_4A4ACB
		cmp	[eax+2Eh], cx
		jbe	short loc_4A4AC0
		mov	edx, esi
		lea	ecx, [esp+170h+var_140]
		call	_FsFilterPerformCompletionCallbacks@8 ;	FsFilterPerformCompletionCallbacks(x,x)

loc_4A4AC0:				; CODE XREF: FsRtlAcquireFileForModWriteEx+175j
		test	byte ptr [esp+170h+var_11C], 1
		jnz	loc_5BDE05

loc_4A4ACB:				; CODE XREF: FsRtlAcquireFileForModWriteEx+16Fj
					; FsRtlAcquireFileForModWriteEx+1194D0j
		mov	eax, esi

loc_4A4ACD:				; CODE XREF: FsRtlAcquireFileForModWriteEx+C6j
		mov	ecx, [esp+170h+var_14]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4A4AE4:				; CODE XREF: FsRtlAcquireFileForModWriteEx+12Fj
					; FsRtlAcquireFileForModWriteEx+134j ...
		mov	esi, 0C0000010h
		jmp	short loc_4A4A89
FsRtlAcquireFileForModWriteEx endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcZeroEndOfLastPage(x)
_CcZeroEndOfLastPage@4 proc near	; CODE XREF: FsRtlCreateSectionForDataScan+F5p
					; MiCreateSystemSection+61p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		mov	bl, cl
		mov	[ebp+var_4], ecx
		push	edi
		cmp	[eax+2D4h], ecx
		jnz	short loc_4A4B26
		mov	eax, large fs:124h
		xor	ebx, ebx
		inc	ebx
		push	esi
		mov	[eax+2D4h], ebx
		call	_FsRtlAcquireFileExclusive@4 ; FsRtlAcquireFileExclusive(x)

loc_4A4B26:				; CODE XREF: CcZeroEndOfLastPage(x)+23j
		mov	ecx, [esi+0Ch]
		mov	al, [ecx+4]
		test	al, 40h
		jz	short loc_4A4B93
		mov	ecx, [ecx+28h]
		call	ExAcquireFastMutex
		mov	eax, [esi+0Ch]
		or	byte ptr [eax+4], 20h
		mov	ecx, [esi+0Ch]
		mov	ecx, [ecx+28h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_4A4B4A:				; CODE XREF: CcZeroEndOfLastPage(x)+ACj
		mov	eax, [esi+0Ch]
		xor	edi, edi
		test	byte ptr [eax+6], 4
		jnz	short loc_4A4B70

loc_4A4B55:				; CODE XREF: CcZeroEndOfLastPage(x)+98j
					; CcZeroEndOfLastPage(x)+A5j
		test	bl, bl
		jz	short loc_4A4B6B
		mov	eax, large fs:124h
		push	esi
		mov	[eax+2D4h], edi
		call	FsRtlReleaseFile

loc_4A4B6B:				; CODE XREF: CcZeroEndOfLastPage(x)+6Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4A4B70:				; CODE XREF: CcZeroEndOfLastPage(x)+67j
		mov	ecx, [esi+14h]
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		push	edi
		push	edi
		xor	edx, edx
		call	_CcFlushCachePriv@24 ; CcFlushCachePriv(x,x,x,x,x,x)
		cmp	[ebp+var_8], edi
		jnz	short loc_4A4B55
		push	edi
		push	edi
		push	edi
		push	dword ptr [esi+14h]
		call	CcPurgeCacheSection
		jmp	short loc_4A4B55
; 

loc_4A4B93:				; CODE XREF: CcZeroEndOfLastPage(x)+42j
		or	al, 20h
		mov	[ecx+4], al
		jmp	short loc_4A4B4A
_CcZeroEndOfLastPage@4 endp


;  S U B	R O U T	I N E 


; __stdcall FsFilterCtrlFree(x)
_FsFilterCtrlFree@4 proc near		; CODE XREF: FsRtlReleaseFileForModWrite+198p
					; FsRtlQueryOpen(x,x,x,x,x)+DCp ...
		test	byte ptr [ecx+24h], 1
		jnz	_FsFilterFreeCompletionStack@4 ; FsFilterFreeCompletionStack(x)
		retn
_FsFilterCtrlFree@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall FsFilterPerformCompletionCallbacks(x, x)
_FsFilterPerformCompletionCallbacks@8 proc near
					; CODE XREF: FsRtlReleaseFileForModWrite+18Dp
					; FsRtlAcquireFileForModWriteEx+17Dp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		movzx	eax, word ptr [esi+2Eh]
		test	ax, ax
		jz	short loc_4A4C01

loc_4A4BC1:				; CODE XREF: FsFilterPerformCompletionCallbacks(x,x)+4Fj
		movzx	ecx, ax
		shl	ecx, 4
		add	ecx, [esi+30h]
		cmp	byte ptr [esi+4], 0F9h
		jz	short loc_4A4C06

loc_4A4BD0:				; CODE XREF: FsFilterPerformCompletionCallbacks(x,x)+5Dj
		mov	eax, [ecx-10h]
		mov	[esi+8], eax
		mov	eax, [ecx-0Ch]
		mov	[esi+0Ch], eax
		mov	eax, [ecx-8]
		push	eax
		mov	eax, [ecx-4]
		push	edi
		push	esi
		call	eax
		cmp	byte ptr [esi+4], 0F9h
		jz	short loc_4A4C0F

loc_4A4BED:				; CODE XREF: FsFilterPerformCompletionCallbacks(x,x)+62j
		mov	ax, [esi+2Eh]
		dec	ax
		movzx	ecx, ax
		mov	[esi+2Eh], ax
		mov	eax, ecx
		test	cx, cx
		jnz	short loc_4A4BC1

loc_4A4C01:				; CODE XREF: FsFilterPerformCompletionCallbacks(x,x)+Fj
		mov	eax, edi
		pop	edi
		pop	esi
		retn
; 

loc_4A4C06:				; CODE XREF: FsFilterPerformCompletionCallbacks(x,x)+1Ej
		mov	dword ptr [esi+20h], 0
		jmp	short loc_4A4BD0
; 

loc_4A4C0F:				; CODE XREF: FsFilterPerformCompletionCallbacks(x,x)+3Bj
		mov	edi, [esi+20h]
		jmp	short loc_4A4BED
_FsFilterPerformCompletionCallbacks@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsFilterPerformCallbacks proc near	; CODE XREF: FsRtlReleaseFileForModWrite+EFp
					; FsRtlAcquireFileForModWriteEx+E9p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BDE13 SIZE 0000004C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		mov	ecx, [ebp+arg_4]
		mov	esi, [edi+8]
		mov	dword ptr [ecx], 2
		test	esi, esi
		jz	loc_4A4D58

loc_4A4C44:				; CODE XREF: FsFilterPerformCallbacks+132j
		mov	eax, [esi+0B0h]
		xor	ebx, ebx
		xor	edx, edx
		mov	[ebp+var_8], ebx
		mov	eax, [eax+18h]
		mov	[edi+8], esi
		mov	[ebp+var_C], eax
		mov	eax, [esi+8]
		mov	eax, [eax+18h]
		mov	ecx, [eax+18h]
		test	ecx, ecx
		jz	loc_4A4D6B	; default
		movzx	eax, byte ptr [edi+4]
		cmp	eax, 0FEh
		jz	short loc_4A4CAA
		cmp	eax, 0FFh
		jnz	loc_4A4D9D
		mov	eax, [ecx]
		mov	[ebp+var_10], eax
		cmp	eax, 0Ch
		jb	short loc_4A4C97
		mov	eax, [ecx+8]
		test	eax, eax
		jz	short loc_4A4C94
		mov	edx, eax

loc_4A4C94:				; CODE XREF: FsFilterPerformCallbacks+70j
		mov	eax, [ebp+var_10]

loc_4A4C97:				; CODE XREF: FsFilterPerformCallbacks+69j
		cmp	eax, 10h
		jb	short loc_4A4CD0
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jz	short loc_4A4CD0
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		jmp	short loc_4A4CD0
; 

loc_4A4CAA:				; CODE XREF: FsFilterPerformCallbacks+54j
		mov	eax, [ecx]
		mov	[ebp+var_10], eax
		cmp	eax, 14h
		jb	short loc_4A4CC0
		mov	eax, [ecx+10h]
		test	eax, eax
		jz	short loc_4A4CBD
		mov	edx, eax

loc_4A4CBD:				; CODE XREF: FsFilterPerformCallbacks+99j
		mov	eax, [ebp+var_10]

loc_4A4CC0:				; CODE XREF: FsFilterPerformCallbacks+92j
		cmp	eax, 18h
		jb	short loc_4A4CD0
		mov	eax, [ecx+14h]
		test	eax, eax
		jnz	loc_4A4D8A

loc_4A4CD0:				; CODE XREF: FsFilterPerformCallbacks+7Aj
					; FsFilterPerformCallbacks+81j	...
		test	edx, edx
		jz	loc_4A4D63
		test	ebx, ebx
		jz	loc_4A4D82

loc_4A4CE0:				; CODE XREF: FsFilterPerformCallbacks+145j
		movzx	eax, word ptr [edi+2Eh]
		cmp	ax, [edi+2Ch]
		jnb	loc_5BDE21
		mov	ebx, eax
		lea	eax, [eax+1]
		shl	ebx, 4
		mov	[edi+2Eh], ax
		add	ebx, [edi+30h]
		jz	loc_5BDE21
		mov	eax, esi
		mov	[ebx], eax
		mov	eax, [edi+0Ch]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_8]
		mov	dword ptr [ebx+8], 0
		mov	[ebx+0Ch], eax

loc_4A4D1A:				; CODE XREF: FsFilterPerformCallbacks+164j
		test	edx, edx
		jz	short loc_4A4D33
		test	ebx, ebx
		jz	short loc_4A4D86
		lea	eax, [ebx+8]
		push	eax

loc_4A4D26:				; CODE XREF: FsFilterPerformCallbacks+168j
		push	edi
		call	edx
		test	eax, eax
		js	loc_4A4ECB
		jnz	short loc_4A4D94

loc_4A4D33:				; CODE XREF: FsFilterPerformCallbacks+FCj
		mov	ecx, [ebp+var_C]

loc_4A4D36:				; CODE XREF: FsFilterPerformCallbacks+2B6j
		cmp	esi, [edi+8]
		jnz	loc_4A4E7E
		test	ecx, ecx
		jz	loc_4A4EBE

loc_4A4D47:				; CODE XREF: FsFilterPerformCallbacks+2A0j
					; FsFilterPerformCallbacks+1191FCj
		mov	eax, [esi+0B0h]
		mov	esi, [eax+18h]

loc_4A4D50:				; CODE XREF: FsFilterPerformCallbacks+158j
					; FsFilterPerformCallbacks+160j ...
		test	esi, esi
		jnz	loc_4A4C44

loc_4A4D58:				; CODE XREF: FsFilterPerformCallbacks+1Ej
		xor	eax, eax

loc_4A4D5A:				; CODE XREF: FsFilterPerformCallbacks+176j
					; FsFilterPerformCallbacks+2CEj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4A4D63:				; CODE XREF: FsFilterPerformCallbacks+B2j
		test	ebx, ebx
		jnz	loc_4A4CE0

loc_4A4D6B:				; CODE XREF: FsFilterPerformCallbacks+45j
					; FsFilterPerformCallbacks+185j
		cmp	[ebp+var_C], 0	; default
		mov	eax, [esi+0B0h]
		mov	esi, [eax+18h]
		jnz	short loc_4A4D50
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0FFFFFFFDh
		jmp	short loc_4A4D50
; 

loc_4A4D82:				; CODE XREF: FsFilterPerformCallbacks+BAj
		xor	ebx, ebx
		jmp	short loc_4A4D1A
; 

loc_4A4D86:				; CODE XREF: FsFilterPerformCallbacks+100j
		push	0
		jmp	short loc_4A4D26
; 

loc_4A4D8A:				; CODE XREF: FsFilterPerformCallbacks+AAj
		mov	ebx, eax
		mov	[ebp+var_8], eax
		jmp	loc_4A4CD0
; 

loc_4A4D94:				; CODE XREF: FsFilterPerformCallbacks+111j
		test	ebx, ebx
		jz	short loc_4A4D5A
		jmp	loc_5BDE51
; 

loc_4A4D9D:				; CODE XREF: FsFilterPerformCallbacks+5Bj
		add	eax, 0FFFFFF07h	; switch 5 cases
		cmp	eax, 4
		ja	short loc_4A4D6B ; default
		jmp	ds:off_4A4F00[eax*4] ; switch jump

loc_4A4DAE:				; DATA XREF: .text:off_4A4F00o
		mov	eax, [ecx]	; case 0xFD
		mov	[ebp+var_10], eax
		cmp	eax, 2Ch
		jb	short loc_4A4DC4
		mov	eax, [ecx+28h]
		test	eax, eax
		jz	short loc_4A4DC1
		mov	edx, eax

loc_4A4DC1:				; CODE XREF: FsFilterPerformCallbacks+19Dj
		mov	eax, [ebp+var_10]

loc_4A4DC4:				; CODE XREF: FsFilterPerformCallbacks+196j
		cmp	eax, 30h
		jb	loc_4A4CD0
		mov	eax, [ecx+2Ch]
		test	eax, eax
		jz	loc_4A4CD0
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		jmp	loc_4A4CD0
; 

loc_4A4DE2:				; CODE XREF: FsFilterPerformCallbacks+187j
					; DATA XREF: .text:off_4A4F00o
		mov	eax, [ecx]	; case 0xFC
		mov	[ebp+var_10], eax
		cmp	eax, 34h
		jb	short loc_4A4DF8
		mov	eax, [ecx+30h]
		test	eax, eax
		jz	short loc_4A4DF5
		mov	edx, eax

loc_4A4DF5:				; CODE XREF: FsFilterPerformCallbacks+1D1j
		mov	eax, [ebp+var_10]

loc_4A4DF8:				; CODE XREF: FsFilterPerformCallbacks+1CAj
		cmp	eax, 38h
		jb	loc_4A4CD0
		mov	eax, [ecx+34h]
		test	eax, eax
		jz	loc_4A4CD0
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		jmp	loc_4A4CD0
; 

loc_4A4E16:				; CODE XREF: FsFilterPerformCallbacks+187j
					; DATA XREF: .text:off_4A4F00o
		mov	eax, [ecx]	; case 0xFB
		mov	[ebp+var_10], eax
		cmp	eax, 1Ch
		jb	short loc_4A4E2C
		mov	eax, [ecx+18h]
		test	eax, eax
		jz	short loc_4A4E29
		mov	edx, eax

loc_4A4E29:				; CODE XREF: FsFilterPerformCallbacks+205j
		mov	eax, [ebp+var_10]

loc_4A4E2C:				; CODE XREF: FsFilterPerformCallbacks+1FEj
		cmp	eax, 20h
		jb	loc_4A4CD0
		mov	eax, [ecx+1Ch]
		test	eax, eax
		jz	loc_4A4CD0
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		jmp	loc_4A4CD0
; 

loc_4A4E4A:				; CODE XREF: FsFilterPerformCallbacks+187j
					; DATA XREF: .text:off_4A4F00o
		mov	eax, [ecx]	; case 0xFA
		mov	[ebp+var_10], eax
		cmp	eax, 24h
		jb	short loc_4A4E60
		mov	eax, [ecx+20h]
		test	eax, eax
		jz	short loc_4A4E5D
		mov	edx, eax

loc_4A4E5D:				; CODE XREF: FsFilterPerformCallbacks+239j
		mov	eax, [ebp+var_10]

loc_4A4E60:				; CODE XREF: FsFilterPerformCallbacks+232j
		cmp	eax, 28h
		jb	loc_4A4CD0
		mov	eax, [ecx+24h]
		test	eax, eax
		jz	loc_4A4CD0
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		jmp	loc_4A4CD0
; 

loc_4A4E7E:				; CODE XREF: FsFilterPerformCallbacks+119j
		or	dword ptr [edi+24h], 4
		mov	esi, [edi+8]
		jmp	loc_4A4D50
; 

loc_4A4E8A:				; CODE XREF: FsFilterPerformCallbacks+187j
					; DATA XREF: .text:off_4A4F00o
		mov	eax, [ecx]	; case 0xF9
		mov	[ebp+var_10], eax
		cmp	eax, 3Ch
		jb	short loc_4A4EA0
		mov	eax, [ecx+38h]
		test	eax, eax
		jz	short loc_4A4E9D
		mov	edx, eax

loc_4A4E9D:				; CODE XREF: FsFilterPerformCallbacks+279j
		mov	eax, [ebp+var_10]

loc_4A4EA0:				; CODE XREF: FsFilterPerformCallbacks+272j
		cmp	eax, 40h
		jb	loc_4A4CD0
		mov	eax, [ecx+3Ch]
		test	eax, eax
		jz	loc_4A4CD0
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		jmp	loc_4A4CD0
; 

loc_4A4EBE:				; CODE XREF: FsFilterPerformCallbacks+121j
		test	ebx, ebx
		jz	loc_4A4D47
		jmp	loc_5BDE13
; 

loc_4A4ECB:				; CODE XREF: FsFilterPerformCallbacks+10Bj
		cmp	[ebp+var_1], 0
		mov	ecx, [ebp+var_C]
		jnz	short loc_4A4EF9
		test	ecx, ecx
		jnz	loc_4A4D36

loc_4A4EDC:				; CODE XREF: FsFilterPerformCallbacks+2DDj
		cmp	[ebp+arg_0], 0
		jz	loc_5BDE40
		mov	ecx, [ebp+arg_4]
		or	dword ptr [ecx], 1

loc_4A4EEC:				; CODE XREF: FsFilterPerformCallbacks+2DBj
		test	ebx, ebx
		jz	loc_4A4D5A
		jmp	loc_5BDE51
; 

loc_4A4EF9:				; CODE XREF: FsFilterPerformCallbacks+2B2j
		test	ecx, ecx
		jnz	short loc_4A4EEC
		jmp	short loc_4A4EDC
FsFilterPerformCallbacks endp

; 
		align 10h
off_4A4F00	dd offset loc_4A4E8A	; DATA XREF: FsFilterPerformCallbacks+187r
		dd offset loc_4A4E4A	; jump table for switch	statement
		dd offset loc_4A4E16
		dd offset loc_4A4DE2
		dd offset loc_4A4DAE
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsFilterCtrlInit proc near		; CODE XREF: FsRtlReleaseFileForModWrite+CDp
					; FsRtlAcquireFileForModWriteEx+BFp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005BDE5F SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], 0
		mov	ecx, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	[esi+0Ch], eax
		xor	eax, eax
		mov	[esi+8], ecx
		mov	dword ptr [esi], 24h
		mov	[esi+4], dl
		mov	[esi+24h], edi
		mov	[esi+10h], eax
		mov	[esi+14h], eax
		mov	[esi+18h], eax
		mov	[esi+1Ch], eax
		mov	[esi+20h], eax
		movsx	ax, byte ptr [ecx+30h]
		xor	ecx, ecx
		mov	[esi+2Eh], cx
		mov	[esi+2Ch], ax
		cmp	ax, 0Fh
		ja	loc_5BDE5F
		lea	eax, [esi+34h]
		mov	edx, 0Fh
		mov	[esi+30h], eax
		mov	ecx, 0F0h
		mov	[esi+2Ch], dx

loc_4A4F89:				; CODE XREF: FsFilterCtrlInit+118F5Dj
		push	ecx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, edi
		add	esp, 0Ch

loc_4A4F97:				; CODE XREF: FsFilterCtrlInit+118F51j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
FsFilterCtrlInit endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 844. IoGetBaseFileSystemDeviceObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetBaseFileSystemDeviceObject(x)
		public _IoGetBaseFileSystemDeviceObject@4
_IoGetBaseFileSystemDeviceObject@4 proc	near ; CODE XREF: FsRtlReleaseFileForModWrite+6Cp
					; FsRtlAcquireFileForModWriteEx+68p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+8]
		test	eax, eax
		jz	short loc_4A4FBE
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_4A4FBE

loc_4A4FBA:				; CODE XREF: IoGetBaseFileSystemDeviceObject(x)+30j
					; IoGetBaseFileSystemDeviceObject(x)+37j
		pop	ebp
		retn	4
; 

loc_4A4FBE:				; CODE XREF: IoGetBaseFileSystemDeviceObject(x)+Dj
					; IoGetBaseFileSystemDeviceObject(x)+14j
		test	dword ptr [ecx+2Ch], 800h
		jnz	short loc_4A4FD1
		mov	eax, [ecx+4]
		mov	eax, [eax+24h]
		test	eax, eax
		jnz	short loc_4A4FD6

loc_4A4FD1:				; CODE XREF: IoGetBaseFileSystemDeviceObject(x)+21j
					; IoGetBaseFileSystemDeviceObject(x)+39j
		mov	eax, [ecx+4]
		jmp	short loc_4A4FBA
; 

loc_4A4FD6:				; CODE XREF: IoGetBaseFileSystemDeviceObject(x)+2Bj
		mov	eax, [eax+8]
		test	eax, eax
		jnz	short loc_4A4FBA
		jmp	short loc_4A4FD1
_IoGetBaseFileSystemDeviceObject@4 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1006. IoSetTopLevelIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetTopLevelIrp(x)
		public _IoSetTopLevelIrp@4
_IoSetTopLevelIrp@4 proc near		; CODE XREF: MiShareExistingControlArea+52p
					; MiShareExistingControlArea+82p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, large fs:124h
		mov	eax, [ebp+arg_0]
		mov	[ecx+2D4h], eax
		pop	ebp
		retn	4
_IoSetTopLevelIrp@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MI_UNLOCK_RELOCATIONS_EXCLUSIVE	proc near ; CODE XREF: MiRelocateImageAgain+5Ep
					; MiRelocateImage+556p	...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BDE82 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ecx
		lea	ecx, [edx+0Ch]
		mov	[ebp+var_28], eax
		or	eax, 1
		mov	[edx+4], eax
		or	edx, 0FFFFFFFFh
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		mov	eax, edx
		mov	[ebp+var_C], edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4A5194

loc_4A504D:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+192j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4A514F
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_4A508A
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4A5160

loc_4A508A:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+71j
		cmp	ecx, [ebp+var_20]
		jb	short loc_4A509C
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4A5160

loc_4A509C:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+83j
					; MI_UNLOCK_RELOCATIONS_EXCLUSIVE+169j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_4A5178
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4A5187

loc_4A50DD:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+185j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5BDE95
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4A5129:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+176j
					; MI_UNLOCK_RELOCATIONS_EXCLUSIVE+118E9Dj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	short loc_4A51A8

loc_4A513C:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+1CEj
					; MI_UNLOCK_RELOCATIONS_EXCLUSIVE+118EBEj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4A514F
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	short loc_4A51A1

loc_4A514F:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+4Ej
					; MI_UNLOCK_RELOCATIONS_EXCLUSIVE+13Bj	...
		mov	ecx, [ebp+var_28]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4A5160:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+7Aj
					; MI_UNLOCK_RELOCATIONS_EXCLUSIVE+8Cj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax
		jmp	loc_4A509C
; 

loc_4A5178:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+BBj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_4A5129
		jmp	loc_5BDE82
; 

loc_4A5187:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+CDj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_4A50DD
; 

loc_4A5194:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+3Dj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_4A504D
; 

loc_4A51A1:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+143j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_4A514F
; 

loc_4A51A8:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+130j
		test	edi, 8000h
		jnz	short loc_4A51E3

loc_4A51B0:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+1E2j
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5BDEAC

loc_4A51BA:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+118EACj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4A51CE
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4A51CE:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+1B7j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4A513C
		jmp	loc_5BDEBB
; 

loc_4A51E3:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+1A4j
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_4A51B0
MI_UNLOCK_RELOCATIONS_EXCLUSIVE	endp


;  S U B	R O U T	I N E 


; __stdcall MI_LOCK_RELOCATIONS_EXCLUSIVE(x, x)
_MI_LOCK_RELOCATIONS_EXCLUSIVE@8 proc near ; CODE XREF:	MiRelocateImageAgain+4Ap
					; MiRelocateImage+4C8p	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		dec	word ptr [esi+13Eh]
		nop
		lea	ecx, [edi+0Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	[edi+4], esi
		pop	edi
		pop	esi
		retn
_MI_LOCK_RELOCATIONS_EXCLUSIVE@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocateModWriterEntry(x,	x, x)
_MiAllocateModWriterEntry@12 proc near	; CODE XREF: MiMappedPageWriter+EDp
					; MiAllocateMappedWriterMdls+34p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		lea	ecx, ds:0A0h[edx*4]
		push	0
		push	40h
		mov	edx, 65576D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_4A5255
		xor	edx, edx
		mov	ecx, edi
		cmp	[ebp+arg_0], edx
		setnz	dl
		call	MiChargeForWriteInProgressPage
		test	eax, eax
		jz	short loc_4A524D
		mov	eax, esi

loc_4A5247:				; CODE XREF: MiAllocateModWriterEntry(x,x,x)+49j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4A524D:				; CODE XREF: MiAllocateModWriterEntry(x,x,x)+35j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4A5255:				; CODE XREF: MiAllocateModWriterEntry(x,x,x)+22j
		xor	eax, eax
		jmp	short loc_4A5247
_MiAllocateModWriterEntry@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFillNoReservationCluster(x, x, x)
_MiFillNoReservationCluster@12 proc near ; CODE	XREF: MiGatherPagefilePages+5C2p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		push	edi
		cmp	dword ptr [ebx+2C0h], 0
		mov	[ebp+var_10], esi
		jz	short loc_4A528B
		imul	eax, [ebx+2BCh], 14h
		add	eax, 740h
		add	eax, ebx
		mov	[ebp+var_14], eax
		cmp	dword ptr [eax], 0
		jnz	short loc_4A5294

loc_4A528B:				; CODE XREF: MiFillNoReservationCluster(x,x,x)+19j
		lea	eax, [ebx+700h]
		mov	[ebp+var_14], eax

loc_4A5294:				; CODE XREF: MiFillNoReservationCluster(x,x,x)+2Fj
		xor	edi, edi
		mov	[ebp+var_1C], 1

loc_4A529D:				; CODE XREF: MiFillNoReservationCluster(x,x,x)+1A4j
		mov	eax, [eax+8]
		mov	[ebp+var_18], eax
		cmp	eax, offset loc_7FFFFF
		jz	loc_4A5404
		imul	eax, 1Ch
		mov	cl, 2
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_8], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [ebp+var_8]
		and	[ebp+var_20], 0
		mov	[ebp+var_1], al
		lea	edx, [ecx+10h]
		mov	[ebp+var_C], edx
		lock bts dword ptr [edx], 1Fh
		jnb	short loc_4A52F6
		mov	esi, edx

loc_4A52DB:				; CODE XREF: MiFillNoReservationCluster(x,x,x)+8Dj
					; MiFillNoReservationCluster(x,x,x)+94j
		lea	ecx, [ebp+var_20]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4A52DB
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4A52DB
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_C]

loc_4A52F6:				; CODE XREF: MiFillNoReservationCluster(x,x,x)+7Dj
		mov	eax, [ebp+var_14]
		mov	esi, [ebp+var_18]
		cmp	esi, [eax+8]
		mov	esi, [ebp+var_10]
		jz	short loc_4A531A
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4A53F8
; 

loc_4A531A:				; CODE XREF: MiFillNoReservationCluster(x,x,x)+A8j
		mov	eax, [ebx+274h]
		test	eax, eax
		jz	loc_4A53B5
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_4A53B5
		test	dword ptr [ecx+18h], 800000h
		jnz	short loc_4A5347
		mov	eax, [ecx+4]
		test	eax, eax
		js	short loc_4A5347
		jnz	short loc_4A53B5

loc_4A5347:				; CODE XREF: MiFillNoReservationCluster(x,x,x)+E2j
					; MiFillNoReservationCluster(x,x,x)+E9j
		mov	edx, 0A0h
		mov	ecx, ebx
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	short loc_4A53B5
		mov	esi, [ebp+var_8]
		mov	ecx, 7FFFFFFFh
		mov	eax, [ebp+var_C]
		mov	esi, [esi+4]
		or	esi, 80000000h
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	MiReservePageFileSpace
		mov	ecx, [ebp+var_8]
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+var_18]
		mov	dl, al
		mov	eax, [ebp+var_14]
		mov	[ebp+var_1], dl
		cmp	ecx, [eax+8]
		jz	short loc_4A53B2
		mov	eax, [ebp+var_C]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_10]
		jmp	short loc_4A53F8
; 

loc_4A53B2:				; CODE XREF: MiFillNoReservationCluster(x,x,x)+13Ej
		mov	esi, [ebp+var_10]

loc_4A53B5:				; CODE XREF: MiFillNoReservationCluster(x,x,x)+C8j
					; MiFillNoReservationCluster(x,x,x)+D5j ...
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_8]
		call	MiReferencePageForModifiedWrite
		mov	[ebp+var_20], eax
		mov	ecx, 7FFFFFFFh
		mov	eax, [ebp+var_C]
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	short loc_4A5404
		mov	eax, [ebp+var_18]
		and	[ebp+var_1C], 0FFFFFFFEh
		mov	[esi], eax
		add	esi, 4
		inc	edi
		mov	[ebp+var_10], esi
		cmp	ecx, 3
		jnz	short loc_4A53F8
		cmp	edi, 10h
		jnb	short loc_4A5404

loc_4A53F8:				; CODE XREF: MiFillNoReservationCluster(x,x,x)+BBj
					; MiFillNoReservationCluster(x,x,x)+156j ...
		mov	eax, [ebp+var_14]
		cmp	edi, [ebp+arg_0]
		jb	loc_4A529D

loc_4A5404:				; CODE XREF: MiFillNoReservationCluster(x,x,x)+4Ej
					; MiFillNoReservationCluster(x,x,x)+182j ...
		cmp	edi, 1
		jbe	short loc_4A5421
		push	offset _MiModifiedWriterNoReservationSort ; int	__cdecl	(*)(const void *,const void *)
		mov	ecx, edi
		push	4		; size_t
		shl	ecx, 2
		sub	esi, ecx
		push	edi		; size_t
		push	esi		; void *
		call	_qsort
		add	esp, 10h

loc_4A5421:				; CODE XREF: MiFillNoReservationCluster(x,x,x)+1ADj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiFillNoReservationCluster@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmStoreProbeAndLockPages proc near	; CODE XREF: SmKmProbeAndLockAddress(void *,ulong,_MDL *,ulong)+45p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_40		= dword	ptr -40h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BDECD SIZE 00000089 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		push	ebx
		push	esi
		push	edi
		push	60h		; size_t
		lea	eax, [esp+84h+var_60]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		mov	ebx, large fs:124h
		add	esp, 0Ch
		mov	[esp+80h+var_68], ebx
		mov	eax, [ebx+300h]
		test	esi, esi
		jnz	loc_5BDECD
		and	eax, 0FFFFFFF7h
		or	eax, 4

loc_4A546C:				; CODE XREF: MmStoreProbeAndLockPages+118AA9j
		push	0
		push	0
		mov	[ebx+300h], eax
		lea	ecx, [esp+88h+var_60]
		mov	eax, [edi+18h]
		mov	edx, edi
		add	eax, [edi+10h]
		push	1
		push	dword ptr [edi+14h]
		push	eax
		call	MiProbeAndLockPrepare
		mov	ecx, [esp+80h+var_40]

loc_4A5491:				; CODE XREF: MmStoreProbeAndLockPages+EDj
		or	dword ptr [ecx], 0FFFFFFFFh
		lea	ecx, [esp+80h+var_60]
		call	MiProbeLeafFrame
		mov	esi, eax
		cmp	esi, 0C0000017h
		jz	short loc_4A551D
		test	esi, esi
		js	loc_5BDF01
		imul	ecx, [esp+80h+var_14], 1Ch
		and	[esp+80h+var_6C], 0
		add	ecx, ds:_MmPfnDatabase
		mov	[esp+80h+var_64], ecx
		lea	eax, [ecx+10h]
		mov	[esp+80h+var_70], eax
		lock bts dword ptr [eax], 1Fh
		jb	loc_5BDED8

loc_4A54D5:				; CODE XREF: MmStoreProbeAndLockPages+118AD2j
		test	byte ptr [ecx+16h], 8
		jnz	short loc_4A5548
		push	0Dh
		pop	edx
		call	MiReferencePageForModifiedWrite
		mov	eax, [esp+80h+var_70]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	ecx, [esp+80h+var_40]
		mov	eax, [esp+80h+var_14]
		add	[esp+80h+var_60], 1000h
		mov	[ecx], eax
		add	ecx, 4
		mov	eax, [esp+80h+var_58]
		add	eax, 8
		mov	[esp+80h+var_40], ecx
		mov	[esp+80h+var_58], eax
		cmp	eax, [esp+80h+var_54]
		jbe	loc_4A5491

loc_4A551D:				; CODE XREF: MmStoreProbeAndLockPages+7Bj
					; MmStoreProbeAndLockPages+12Bj
		lea	ecx, [esp+80h+var_60]
		call	_MiUnlockProbePacketWorkingSet@4 ; MiUnlockProbePacketWorkingSet(x)
		mov	ecx, edi
		test	esi, esi
		js	short loc_4A5541
		call	MiStoreMarkLockedPagesModified

loc_4A5531:				; CODE XREF: MmStoreProbeAndLockPages+11Cj
		and	dword ptr [ebx+300h], 0FFFFFFF3h
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4A5541:				; CODE XREF: MmStoreProbeAndLockPages+100j
		call	MiUnlockStoreLockedPages
		jmp	short loc_4A5531
; 

loc_4A5548:				; CODE XREF: MmStoreProbeAndLockPages+AFj
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	esi, 0C0000433h
		jmp	short loc_4A551D
MmStoreProbeAndLockPages endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiProbeLeafFrame proc near		; CODE XREF: MmProbeAndLockSelectedPages+10Fp
					; MmStoreProbeAndLockPages+6Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	esi, ecx
		call	MiLockPageLeafPageTable
		mov	edx, [esi+18h]
		mov	edi, eax
		cmp	edx, ds:_ZeroPte
		jnz	short loc_4A5584
		mov	ecx, [esi+1Ch]
		cmp	ecx, ds:dword_40F9FC

loc_4A5582:				; CODE XREF: MmStoreProbeAndLockPages+118B27j
		jz	short loc_4A55BD

loc_4A5584:				; CODE XREF: MiProbeLeafFrame+1Fj
					; MmStoreProbeAndLockPages+118B18j
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_MiProbeLeafPteAccess@8	; MiProbeLeafPteAccess(x,x)
		test	eax, eax
		js	short loc_4A55B9
		cmp	[ebp+var_4], 0
		jnz	loc_5BDF14
		mov	ecx, [esi+18h]
		nop
		mov	eax, [esi+1Ch]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		mov	[esi+4Ch], ecx
		mov	ecx, esi
		call	_MiSetProbePagesAhead@4	; MiSetProbePagesAhead(x)
		xor	eax, eax

loc_4A55B9:				; CODE XREF: MiProbeLeafFrame+38j
					; MiProbeLeafFrame+67j	...
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4A55BD:				; CODE XREF: MiProbeLeafFrame:loc_4A5582j
		mov	eax, edi
		jmp	short loc_4A55B9
MiProbeLeafFrame endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetProbePagesAhead(x)
_MiSetProbePagesAhead@4	proc near	; CODE XREF: MiProbeLeafFrame+5Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	[ebp+var_4], esi
		mov	eax, [esi+28h]
		and	al, 0Fh
		cmp	al, 1
		jnz	loc_4A5847
		mov	eax, [esi+38h]
		mov	[ebp+var_1C], eax
		cmp	eax, 3
		jz	loc_4A5847
		mov	ebx, [esi+18h]
		mov	edi, [esi+1Ch]
		nop
		mov	ecx, ebx
		mov	eax, edi
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		cmp	ecx, dword_6D07B0
		ja	loc_4A5847
		mov	eax, dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_4A5847
		and	ebx, 0FFFh
		mov	[ebp+var_8], 0
		and	edi, 80000000h
		mov	[ebp+var_10], ebx
		mov	ebx, [esi+8]
		mov	[ebp+var_20], edi

loc_4A5654:				; CODE XREF: MiSetProbePagesAhead(x)+238j
					; MiSetProbePagesAhead(x)+246j
		add	ebx, 8
		test	ebx, 0FFFh
		jz	loc_4A581E
		cmp	ebx, [esi+0Ch]
		ja	loc_4A581E
		mov	esi, [ebx]
		mov	[ebp+var_18], 0
		mov	[ebp+var_14], 0
		nop
		mov	ecx, [ebx+4]
		mov	eax, esi
		mov	edx, ecx
		and	eax, 0FFFh
		and	edx, 80000000h
		cmp	eax, [ebp+var_10]
		jnz	loc_4A581B
		cmp	edx, edi
		jnz	loc_4A581B
		nop
		shrd	esi, ecx, 0Ch
		and	esi, 1FFFFFFh
		cmp	esi, dword_6D07B0
		ja	loc_4A581B
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_4A581B
		mov	edx, ds:_MmPfnDatabase
		lea	eax, ds:0[esi*8]
		mov	ecx, dword_6D3580
		sub	eax, esi
		lea	edi, [edx+eax*4]
		test	ecx, ecx
		jz	short loc_4A573F
		mov	eax, [edi+18h]
		and	eax, 70000000h
		cmp	eax, 10000000h
		jnz	short loc_4A573F
		mov	esi, edi
		mov	eax, 92492493h
		sub	esi, edx
		imul	esi
		add	edx, esi
		sar	edx, 4
		mov	esi, edx
		shr	esi, 1Fh
		add	esi, edx
		test	ecx, ecx
		jz	short loc_4A573F
		lea	ebx, [ebx+0]

loc_4A5720:				; CODE XREF: MiSetProbePagesAhead(x)+16Dj
		mov	edx, [ecx+0Ch]
		cmp	esi, edx
		jb	short loc_4A5739
		mov	eax, esi
		sub	eax, edx
		cmp	eax, [ecx+10h]
		jb	loc_4A581B
		mov	ecx, [ecx+4]
		jmp	short loc_4A573B
; 

loc_4A5739:				; CODE XREF: MiSetProbePagesAhead(x)+155j
		mov	ecx, [ecx]

loc_4A573B:				; CODE XREF: MiSetProbePagesAhead(x)+167j
		test	ecx, ecx
		jnz	short loc_4A5720

loc_4A573F:				; CODE XREF: MiSetProbePagesAhead(x)+11Ej
					; MiSetProbePagesAhead(x)+12Dj	...
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_4A57C6
		mov	ecx, [edi+18h]
		test	ecx, 800000h
		jz	short loc_4A5778
		mov	[ebp+var_C], eax
		lea	edx, [ebp+var_C]
		mov	[ebp+var_14], eax
		mov	ecx, edi
		lea	eax, [ebp+var_14]
		push	eax
		call	_MiGetPfnPageSizeIndexUnsynchronized@12	; MiGetPfnPageSizeIndexUnsynchronized(x,x,x)
		cmp	eax, 2
		jz	loc_4A581B
		cmp	[ebp+var_C], 6
		jmp	short loc_4A57C4
; 

loc_4A5778:				; CODE XREF: MiSetProbePagesAhead(x)+183j
		mov	eax, [edi+4]
		shl	eax, 9
		add	eax, 40000000h
		cmp	eax, offset loc_7FFFFF
		ja	short loc_4A57C6
		and	ecx, offset loc_7FFFFF
		cmp	ecx, 7FFFFDh
		jz	short loc_4A57C6
		mov	al, [edi+16h]
		test	al, 20h
		jz	short loc_4A57AF
		test	dword ptr [edi+10h], 3FFFFFFFh
		jnz	short loc_4A57AF
		cmp	word ptr [edi+14h], 0
		jnz	short loc_4A57C6

loc_4A57AF:				; CODE XREF: MiSetProbePagesAhead(x)+1CDj
					; MiSetProbePagesAhead(x)+1D6j
		test	al, 8
		jnz	short loc_4A57C6
		mov	eax, [edi]
		shr	eax, 1
		and	eax, 0FFFFFFF8h
		or	eax, 80000000h
		cmp	eax, 80000018h

loc_4A57C4:				; CODE XREF: MiSetProbePagesAhead(x)+1A6j
		jnz	short loc_4A581B

loc_4A57C6:				; CODE XREF: MiSetProbePagesAhead(x)+178j
					; MiSetProbePagesAhead(x)+1B8j	...
		cmp	[ebp+var_1C], 0
		jnz	short loc_4A580D
		mov	ecx, [edi+18h]
		mov	eax, ecx
		and	eax, 70000000h
		cmp	eax, 10000000h
		jz	short loc_4A57EE
		test	ecx, 800000h
		jnz	short loc_4A57EE
		mov	eax, [edi+4]
		test	eax, eax
		js	short loc_4A57EE
		jnz	short loc_4A581B

loc_4A57EE:				; CODE XREF: MiSetProbePagesAhead(x)+20Bj
					; MiSetProbePagesAhead(x)+213j	...
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		mov	esi, [ebp+var_4]
		test	eax, eax
		jz	short loc_4A5810
		test	byte ptr [esi+28h], 10h
		jnz	short loc_4A581E
		inc	[ebp+var_8]
		mov	edi, [ebp+var_20]
		jmp	loc_4A5654
; 

loc_4A580D:				; CODE XREF: MiSetProbePagesAhead(x)+1FAj
		mov	esi, [ebp+var_4]

loc_4A5810:				; CODE XREF: MiSetProbePagesAhead(x)+22Aj
		inc	[ebp+var_8]
		mov	edi, [ebp+var_20]
		jmp	loc_4A5654
; 

loc_4A581B:				; CODE XREF: MiSetProbePagesAhead(x)+C2j
					; MiSetProbePagesAhead(x)+CAj ...
		mov	esi, [ebp+var_4]

loc_4A581E:				; CODE XREF: MiSetProbePagesAhead(x)+8Dj
					; MiSetProbePagesAhead(x)+96j ...
		mov	ebx, [ebp+var_8]
		test	ebx, ebx
		jz	short loc_4A5847
		mov	eax, [esi+8]
		shl	eax, 9
		shl	ebx, 0Ch
		add	ebx, 0FFFh
		mov	[esi+54h], eax
		add	eax, ebx
		mov	dword ptr [esi+5Ch], 0FFFFFFFFh
		or	dword ptr [esi+28h], 20h
		mov	[esi+58h], eax

loc_4A5847:				; CODE XREF: MiSetProbePagesAhead(x)+17j
					; MiSetProbePagesAhead(x)+26j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiSetProbePagesAhead@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiReferencePageForModifiedWrite	proc near
					; CODE XREF: MiGetPageForWriteCluster(x,x,x,x,x,x,x,x)+D1p
					; MiBuildReservationCluster(x,x,x,x)+1A4p ...

; FUNCTION CHUNK AT 005BDF56 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		test	bl, 1
		jnz	short loc_4A58D6
		mov	eax, [esi+8]
		xor	edx, edx
		and	eax, 400h
		or	eax, edx
		jnz	short loc_4A58DD

loc_4A586C:				; CODE XREF: MiReferencePageForModifiedWrite+92j
		test	bl, 2
		jnz	loc_5BDF56

loc_4A5875:				; CODE XREF: MiReferencePageForModifiedWrite+118709j
		mov	ecx, offset _MiSystemPartition
		call	MiChargeForWriteInProgressPage
		mov	edi, eax
		test	edi, edi
		jz	short loc_4A58E4

loc_4A5885:				; CODE XREF: MiReferencePageForModifiedWrite+8Bj
		test	bl, 4
		jnz	short loc_4A589A
		xor	edx, edx
		mov	ecx, esi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		and	dword ptr [esi+10h], 0C0000000h

loc_4A589A:				; CODE XREF: MiReferencePageForModifiedWrite+38j
		mov	al, [esi+16h]
		inc	word ptr [esi+14h]
		or	al, 8
		mov	[esi+16h], al
		test	bl, 8
		jnz	short loc_4A58B0
		and	al, 0EFh
		mov	[esi+16h], al

loc_4A58B0:				; CODE XREF: MiReferencePageForModifiedWrite+59j
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_4A58D0
		push	eax
		lea	edx, [eax+1]
		mov	ecx, esi
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		test	al, 10h
		jnz	loc_5BDF5E

loc_4A58D0:				; CODE XREF: MiReferencePageForModifiedWrite+6Bj
					; MiReferencePageForModifiedWrite+11871Aj
		mov	eax, edi

loc_4A58D2:				; CODE XREF: MiReferencePageForModifiedWrite+96j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4A58D6:				; CODE XREF: MiReferencePageForModifiedWrite+Cj
		mov	edi, 1
		jmp	short loc_4A5885
; 

loc_4A58DD:				; CODE XREF: MiReferencePageForModifiedWrite+1Aj
		mov	edx, 1
		jmp	short loc_4A586C
; 

loc_4A58E4:				; CODE XREF: MiReferencePageForModifiedWrite+33j
		xor	eax, eax
		jmp	short loc_4A58D2
MiReferencePageForModifiedWrite	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiChargeForWriteInProgressPage proc near ; CODE	XREF: MiAllocateModWriterEntry(x,x,x)+2Ep
					; MiReferencePageForModifiedWrite+2Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BDF6F SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		test	bl, 2
		jnz	loc_5BDF6F
		mov	[ebp+var_8], 8
		xor	edx, edx

loc_4A5911:				; CODE XREF: MiChargeForWriteInProgressPage+118689j
		mov	[ebp+var_4], edx
		cmp	edi, offset _MiSystemPartition
		jnz	short loc_4A5974
		mov	eax, large fs:20h
		mov	ecx, [eax+3D30h]
		lea	esi, [eax+3D30h]
		cmp	ecx, 1
		jb	short loc_4A5974

loc_4A5933:				; CODE XREF: MiChargeForWriteInProgressPage+118693j
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_4A598B
		lea	edx, [ecx-1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jnz	loc_5BDF7E
		mov	esi, 1

loc_4A594E:				; CODE XREF: MiChargeForWriteInProgressPage+95j
		test	bl, 1
		jnz	short loc_4A595C

loc_4A5953:				; CODE XREF: MiChargeForWriteInProgressPage+7Dj
		mov	eax, esi

loc_4A5955:				; CODE XREF: MiChargeForWriteInProgressPage+99j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4A595C:				; CODE XREF: MiChargeForWriteInProgressPage+61j
		push	[ebp+var_8]
		mov	edx, 1
		mov	ecx, edi
		call	MiChargeCommit
		test	eax, eax
		jnz	short loc_4A5953
		jmp	loc_5BDF8E
; 

loc_4A5974:				; CODE XREF: MiChargeForWriteInProgressPage+2Aj
					; MiChargeForWriteInProgressPage+41j ...
		push	edx
		mov	edx, 1
		mov	ecx, edi
		call	MiChargePartitionResidentAvailable
		mov	esi, eax
		test	esi, esi
		jnz	short loc_4A594E

loc_4A5987:				; CODE XREF: MiChargeForWriteInProgressPage+1186ACj
					; MiChargeForWriteInProgressPage+1186BCj
		xor	eax, eax
		jmp	short loc_4A5955
; 

loc_4A598B:				; CODE XREF: MiChargeForWriteInProgressPage+46j
					; MiChargeForWriteInProgressPage+118699j
		mov	edx, [ebp+var_4]
		jmp	short loc_4A5974
MiChargeForWriteInProgressPage endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcGetVirtualAddressIfMapped(x, x, x, x, x)
_CcGetVirtualAddressIfMapped@20	proc near ; CODE XREF: .text:004ACDDBp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		mov	eax, edi
		and	eax, 3FFFFh
		mov	edx, 40000h
		sub	edx, eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		xor	esi, esi
		mov	[eax], edx
		lea	eax, [ebx+48h]
		xor	edx, edx
		mov	[ebp+arg_8], eax
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		cmp	[ebx+1Ch], esi
		jl	short loc_4A59D9
		jg	short loc_4A5A0C
		cmp	dword ptr [ebx+18h], 2000000h
		ja	short loc_4A5A0C

loc_4A59D9:				; CODE XREF: CcGetVirtualAddressIfMapped(x,x,x,x,x)+3Cj
		mov	eax, [ebx+40h]
		shr	edi, 12h
		mov	eax, [eax+edi*4]

loc_4A59E2:				; CODE XREF: CcGetVirtualAddressIfMapped(x,x,x,x,x)+87j
		mov	edi, [ebp+var_4]
		mov	[edi], eax
		test	eax, eax
		jz	short loc_4A59F9
		mov	ecx, eax
		call	CcIncrementVacbActiveCount
		mov	eax, [edi]
		mov	esi, [eax]
		add	esi, [ebp+var_8]

loc_4A59F9:				; CODE XREF: CcGetVirtualAddressIfMapped(x,x,x,x,x)+59j
		mov	ecx, [ebp+arg_8]
		xor	edx, edx
		call	ExReleasePushLockEx
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4A5A0C:				; CODE XREF: CcGetVirtualAddressIfMapped(x,x,x,x,x)+3Ej
					; CcGetVirtualAddressIfMapped(x,x,x,x,x)+47j
		push	[ebp+arg_4]
		mov	ecx, ebx
		push	edi
		call	_CcGetVacbLargeOffset@12 ; CcGetVacbLargeOffset(x,x,x)
		jmp	short loc_4A59E2
_CcGetVirtualAddressIfMapped@20	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiEmptyPteBins(x, x)
_MiEmptyPteBins@8 proc near		; CODE XREF: MiReservePtes+4F1p
					; MiReservePtes+6A7p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	[ebp+var_1C], edx
		mov	eax, ecx
		xor	edx, edx
		mov	[ebp+var_28], eax
		and	[ebp+var_C], edx
		lea	ecx, [ebp+var_C]
		push	edi
		mov	[ebp+var_14], edx
		xor	esi, esi
		lock or	[ecx], esi
		mov	ecx, ds:_KiTbFlushTimeStamp
		mov	eax, [eax+2Ch]
		mov	[ebp+var_18], ecx
		movzx	ecx, ds:_KeNumberNodes
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	short loc_4A5A88

loc_4A5A5A:				; CODE XREF: MiEmptyPteBins(x,x)+69j
		xor	edi, edi
		mov	esi, eax

loc_4A5A5E:				; CODE XREF: MiEmptyPteBins(x,x)+5Aj
		mov	ebx, [esi]
		mov	eax, [esi+4]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_C], eax
		test	ebx, ebx
		jnz	short loc_4A5A8F

loc_4A5A6D:				; CODE XREF: MiEmptyPteBins(x,x)+FCj
					; MiEmptyPteBins(x,x)+105j
		inc	edi
		add	esi, 8
		cmp	edi, 8
		jb	short loc_4A5A5E
		mov	eax, [ebp+var_8]
		add	eax, 48h
		sub	[ebp+var_10], 1
		mov	[ebp+var_8], eax
		jnz	short loc_4A5A5A
		mov	edx, [ebp+var_14]

loc_4A5A88:				; CODE XREF: MiEmptyPteBins(x,x)+3Ej
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn
; 

loc_4A5A8F:				; CODE XREF: MiEmptyPteBins(x,x)+51j
		mov	edx, [ebp+var_18]
		mov	ecx, ebx
		push	0FFFFFFFFh
		call	_MiTbFlushTimeStampMayNeedFlush@12 ; MiTbFlushTimeStampMayNeedFlush(x,x,x)
		cmp	al, 1
		jz	short loc_4A5B1B

loc_4A5A9F:				; CODE XREF: MiEmptyPteBins(x,x)+10Bj
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, [ebp+var_C]
		mov	[ebp+var_1], al
		mov	eax, ebx
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+var_20]
		cmp	eax, ecx
		jnz	short loc_4A5B2A
		mov	ebx, [ebp+var_C]
		cmp	edx, ebx
		jnz	short loc_4A5B2A
		and	[ebp+var_24], 0
		lea	eax, [ebp+var_24]
		xor	edx, edx
		lock or	[eax], edx
		mov	edx, ds:_KiTbFlushTimeStamp
		push	0FFFFFFFFh
		call	_MiTbFlushTimeStampMayNeedFlush@12 ; MiTbFlushTimeStampMayNeedFlush(x,x,x)
		movzx	eax, al
		mov	edx, ebx
		mov	ebx, [ebp+var_28]
		mov	ecx, ebx
		push	eax
		call	_MiReplenishBitMap@12 ;	MiReplenishBitMap(x,x,x)
		mov	edx, eax
		lea	eax, [ebx+30h]
		mov	ecx, edx
		lock xadd [eax], ecx
		mov	eax, [ebp+var_8]
		neg	edx
		add	eax, 40h
		lock xadd [eax], edx
		mov	[ebp+var_14], 1

loc_4A5B0D:				; CODE XREF: MiEmptyPteBins(x,x)+114j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4A5A6D
; 

loc_4A5B1B:				; CODE XREF: MiEmptyPteBins(x,x)+83j
		cmp	[ebp+var_1C], 0
		jz	loc_4A5A6D
		jmp	loc_4A5A9F
; 

loc_4A5B2A:				; CODE XREF: MiEmptyPteBins(x,x)+A3j
					; MiEmptyPteBins(x,x)+AAj
		dec	edi
		sub	esi, 8
		jmp	short loc_4A5B0D
_MiEmptyPteBins@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTbFlushTimeStampMayNeedFlush(x, x, x)
_MiTbFlushTimeStampMayNeedFlush@12 proc	near ; CODE XREF: .text:004321A5p
					; MiGetPageChain(x,x,x,x,x,x,x)+543p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	edx, ecx
		and	edx, [ebp+arg_0]
		cmp	edx, 2
		jbe	short loc_4A5B45

loc_4A5B3F:				; CODE XREF: MiTbFlushTimeStampMayNeedFlush(x,x,x)+1Dj
		xor	al, al

loc_4A5B41:				; CODE XREF: MiTbFlushTimeStampMayNeedFlush(x,x,x)+21j
		pop	ebp
		retn	4
; 

loc_4A5B45:				; CODE XREF: MiTbFlushTimeStampMayNeedFlush(x,x,x)+Dj
		test	cl, 1
		jnz	short loc_4A5B4F
		cmp	edx, 2
		jnb	short loc_4A5B3F

loc_4A5B4F:				; CODE XREF: MiTbFlushTimeStampMayNeedFlush(x,x,x)+18j
		mov	al, 1
		jmp	short loc_4A5B41
_MiTbFlushTimeStampMayNeedFlush@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CcFreeWorkQueueEntry(x)
_CcFreeWorkQueueEntry@4	proc near	; CODE XREF: CcWriteBehind+F2p
					; CcCachemapUninitWorkerThread+E1p ...
		mov	edi, edi
		push	esi
		mov	esi, large fs:20h
		mov	edx, ecx
		push	edi
		mov	ecx, [esi+5D0h]
		mov	edi, [edx+4Ch]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	short loc_4A5B85

loc_4A5B77:				; CODE XREF: CcFreeWorkQueueEntry(x)+45j
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_4A5B7C:				; CODE XREF: CcFreeWorkQueueEntry(x)+4Ej
		mov	ecx, edi
		pop	edi
		pop	esi
		jmp	CcDereferencePartition
; 

loc_4A5B85:				; CODE XREF: CcFreeWorkQueueEntry(x)+21j
		inc	dword ptr [ecx+18h]
		mov	ecx, [esi+5D4h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_4A5B77
		inc	dword ptr [ecx+18h]
		push	edx
		call	dword ptr [ecx+2Ch]
		jmp	short loc_4A5B7C
_CcFreeWorkQueueEntry@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGatherMappedPages proc near		; CODE XREF: MiMappedPageWriter+138p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005BDFB1 SIZE 000001D0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		xor	edx, edx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], edx
		cmp	edi, 4
		jb	short loc_4A5BE9
		mov	edi, edx
		lea	ecx, [esi+888h]

loc_4A5BD4:				; CODE XREF: MiGatherMappedPages+2C6j
		cmp	dword ptr [ecx], offset	loc_7FFFFF
		jz	loc_4A5E63

loc_4A5BE0:				; CODE XREF: MiGatherMappedPages+2CCj
		cmp	edi, 4
		jz	loc_4A5F7E

loc_4A5BE9:				; CODE XREF: MiGatherMappedPages+26j
		sub	eax, 0FFFFFF80h
		mov	ebx, edx
		mov	[ebp+var_28], eax
		mov	eax, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[ebp+var_C], eax
		cmp	[esi+25Bh], dl
		jnz	loc_5BDFB1

loc_4A5C05:				; CODE XREF: MiGatherMappedPages+118447j
		mov	al, [esi+270h]
		cmp	al, 1
		jnz	short loc_4A5C12
		xor	ebx, ebx
		inc	ebx

loc_4A5C12:				; CODE XREF: MiGatherMappedPages+69j
		test	ebx, ebx
		jz	short loc_4A5C22
		push	offset _Mi10Milliseconds
		push	edx
		push	edx
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)

loc_4A5C22:				; CODE XREF: MiGatherMappedPages+70j
		imul	eax, edi, 14h
		mov	[ebp+var_18], eax

loc_4A5C28:				; CODE XREF: MiGatherMappedPages+2F8j
		mov	ebx, [eax+esi+888h]
		cmp	ebx, offset loc_7FFFFF
		jz	loc_4A5F7E
		imul	edi, ebx, 1Ch
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, al
		mov	eax, [ebp+var_18]
		mov	[ebp+var_5], cl
		cmp	ebx, [eax+esi+888h]
		jnz	loc_4A5F6E
		mov	eax, [edi+0Ch]
		mov	ecx, dword_6D0700
		mov	edx, dword_6D0704
		mov	ebx, [edi+8]
		mov	[ebp+var_10], eax
		mov	eax, ecx
		or	eax, edx
		jz	loc_5BDFF0
		mov	eax, ebx
		mov	ebx, [ebp+var_10]
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4A5C93
		not	edx
		and	ebx, edx
		mov	[ebp+var_10], ebx

loc_4A5C93:				; CODE XREF: MiGatherMappedPages+E6j
					; MiGatherMappedPages+11844Fj
		mov	ebx, [ebx]
		mov	eax, [ebx+1Ch]
		test	al, 20h
		jnz	loc_5BDFF8
		test	al, 8
		jnz	loc_4A5E75
		lea	eax, [ebx+24h]
		push	eax
		mov	[ebp+var_20], eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		test	byte ptr [ebx+1Ch], 8
		jnz	loc_5BE09A
		mov	ecx, [ebx+48h]
		inc	dword ptr [ebx+28h]
		shl	ecx, 3
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	loc_4A5F85

loc_4A5CD2:				; CODE XREF: MiGatherMappedPages+3EDj
					; MiGatherMappedPages+118509j
		lea	eax, [ebx+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	MiReferencePageForModifiedWrite
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [ebp+var_5]
		call	[ebp+var_C]
		mov	ecx, ebx
		call	MiReferenceControlAreaFile
		mov	esi, eax
		mov	eax, [ebp+var_1C]
		cmp	byte ptr [eax+25Bh], 0
		mov	ecx, [esi+14h]
		mov	[ebp+var_30], ecx
		jnz	loc_5BE0B2
		push	[ebp+var_38]
		xor	edx, edx
		push	[ebp+var_3C]
		call	CcNotifyOfMappedWrite

loc_4A5D22:				; CODE XREF: MiGatherMappedPages+118510j
		mov	edx, [ebp+var_28]
		mov	ecx, edi
		push	eax
		call	MiBuildMappedCluster
		mov	edi, [ebp+arg_0]
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_14], eax
		push	0FFFFFFFFh
		mov	[edi+7Ch], eax
		mov	[edi+5Ch], ebx
		imul	edx, [eax+1Ch],	1Ch
		mov	eax, ds:_MmPfnDatabase
		mov	edx, [edx+eax+4]
		or	edx, 80000000h
		call	MiStartingOffset
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], edx
		mov	[ebp+var_18], 2
		mov	eax, [ecx+14h]
		mov	[ebp+arg_0], eax
		shr	[ebp+arg_0], 0Ch
		mov	[edi+4Ch], eax
		mov	eax, [ebp+arg_0]
		dec	eax
		mov	[edi+50h], eax
		mov	eax, [ecx+14h]
		xor	ecx, ecx
		add	eax, [ebp+var_3C]
		mov	[ebp+var_44], eax
		adc	ecx, edx
		lea	edx, [edi+60h]
		and	dword ptr [edx], 0
		mov	[ebp+var_40], ecx
		mov	eax, [esi+4]
		mov	ecx, [edi+14h]
		test	byte ptr [eax+20h], 10h
		jnz	loc_5BE0B9
		and	ecx, 0FFFFFFFDh

loc_4A5DA3:				; CODE XREF: MiGatherMappedPages+118518j
		and	[ebp+var_10], 0
		mov	[edi+14h], ecx
		mov	eax, [ebx+1Ch]
		test	al, 4
		jnz	loc_4A5FB5
		test	al, 10h
		jnz	loc_5BE0D1
		push	edx
		lea	edx, [ebp+var_44]
		mov	[edi+58h], esi
		mov	ecx, esi
		call	FsRtlAcquireFileForModWriteEx
		test	eax, eax
		js	loc_4A5F44
		push	[ebp+var_38]
		mov	edx, [ebp+var_14]
		push	[ebp+var_3C]
		mov	ecx, [ebp+var_30]
		mov	edx, [edx+14h]
		call	CcNotifyOfMappedWrite
		test	eax, eax
		jnz	loc_4A5EB1
		mov	edx, [edi+60h]
		mov	ecx, esi
		call	FsRtlReleaseFileForModWrite
		add	ebx, 20h
		mov	ecx, [ebx]
		mov	eax, ecx

loc_4A5E00:				; CODE XREF: MiGatherMappedPages+11856Aj
		xor	eax, esi
		cmp	eax, 7
		jnb	loc_4A5EA1
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jnz	loc_5BE10C

loc_4A5E1C:				; CODE XREF: MiGatherMappedPages+308j
		and	dword ptr [edi+60h], 0
		mov	ecx, 0C0000054h
		mov	[ebp+var_10], 1

loc_4A5E2C:				; CODE XREF: MiGatherMappedPages+39Bj
					; MiGatherMappedPages+43Cj ...
		and	dword ptr [edi+0Ch], 0
		lea	esi, [edi+8]
		mov	[esi], ecx
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	[ebp+var_10]
		mov	bl, al
		push	esi

loc_4A5E43:				; CODE XREF: MiGatherMappedPages+1185D1j
		push	edi
		call	MiWriteComplete
		mov	cl, bl
		call	[ebp+var_C]

loc_4A5E4E:				; CODE XREF: MiGatherMappedPages+395j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	loc_4A5F9C

loc_4A5E59:				; CODE XREF: MiGatherMappedPages+3FFj
		xor	eax, eax
		inc	eax

loc_4A5E5C:				; CODE XREF: MiGatherMappedPages+3DCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4A5E63:				; CODE XREF: MiGatherMappedPages+36j
		inc	edi
		add	ecx, 14h
		cmp	edi, 4
		jb	loc_4A5BD4
		jmp	loc_4A5BE0
; 

loc_4A5E75:				; CODE XREF: MiGatherMappedPages+FEj
					; MiGatherMappedPages+1184FFj
		xor	edx, edx
		mov	ecx, edi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		push	10h

loc_4A5E80:				; CODE XREF: MiGatherMappedPages+1184F1j
		pop	edx
		mov	ecx, edi
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [ebp+var_5]

loc_4A5E96:				; CODE XREF: MiGatherMappedPages+3D5j
		call	[ebp+var_C]
		mov	eax, [ebp+var_18]
		jmp	loc_4A5C28
; 

loc_4A5EA1:				; CODE XREF: MiGatherMappedPages+261j
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_4A5E1C
; 

loc_4A5EB1:				; CODE XREF: MiGatherMappedPages+245j
		cmp	eax, 1
		jnz	short loc_4A5EB9
		or	[edi+60h], eax

loc_4A5EB9:				; CODE XREF: MiGatherMappedPages+310j
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+var_3C]
		mov	[edi+68h], eax
		mov	eax, [ebp+var_38]
		mov	[edi+6Ch], eax
		mov	edx, [ecx+184h]
		mov	eax, [ecx+0FC0h]
		test	edx, edx
		jnz	loc_5BE113
		cmp	eax, 120h
		jb	loc_5BE140
		mov	edx, [ebp+var_18]

loc_4A5EEA:				; CODE XREF: MiGatherMappedPages+118597j
					; MiGatherMappedPages+1185B2j
		inc	large dword ptr	fs:3E48h
		lea	ecx, [edi+8]
		mov	eax, [ebp+arg_0]
		add	large fs:3E44h,	eax
		test	dword ptr [ebx+1Ch], 40000000h
		jnz	loc_5BE15B
		lea	eax, [edi+10h]
		push	eax
		push	ecx
		push	[ebp+var_20]
		lea	eax, [ebp+var_3C]
		mov	ecx, esi
		push	0
		push	0
		push	edx
		mov	edx, [ebp+var_14]
		push	edi
		push	offset MiWriteComplete
		push	eax
		call	IoAsynchronousPageWrite
		mov	ecx, eax

loc_4A5F2E:				; CODE XREF: MiGatherMappedPages+3C8j
		mov	edx, 0C0000000h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jnz	loc_4A5E4E
		jmp	loc_4A5E2C
; 

loc_4A5F44:				; CODE XREF: MiGatherMappedPages+229j
		add	ebx, 20h
		mov	ecx, [ebx]
		mov	eax, ecx

loc_4A5F4B:				; CODE XREF: MiGatherMappedPages+1185D8j
		xor	eax, esi
		cmp	eax, 7
		jnb	short loc_4A5FA8
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jnz	loc_5BE17A

loc_4A5F63:				; CODE XREF: MiGatherMappedPages+40Fj
		and	dword ptr [edi+60h], 0
		mov	ecx, 0C0000054h
		jmp	short loc_4A5F2E
; 

loc_4A5F6E:				; CODE XREF: MiGatherMappedPages+B6j
		lea	eax, [edi+10h]
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		jmp	loc_4A5E96
; 

loc_4A5F7E:				; CODE XREF: MiGatherMappedPages+3Fj
					; MiGatherMappedPages+91j
		xor	eax, eax
		jmp	loc_4A5E5C
; 

loc_4A5F85:				; CODE XREF: MiGatherMappedPages+128j
		xor	eax, eax
		inc	eax
		lock xadd [ecx+10h], eax
		inc	eax
		cmp	eax, 1
		jg	loc_4A5CD2
		jmp	loc_5BE0A8
; 

loc_4A5F9C:				; CODE XREF: MiGatherMappedPages+2AFj
		mov	ecx, eax
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		jmp	loc_4A5E59
; 

loc_4A5FA8:				; CODE XREF: MiGatherMappedPages+3ACj
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	short loc_4A5F63
; 

loc_4A5FB5:				; CODE XREF: MiGatherMappedPages+20Bj
		add	ebx, 20h
		mov	ecx, [ebx]
		mov	eax, ecx

loc_4A5FBC:				; CODE XREF: MiGatherMappedPages+443j
		xor	eax, esi
		cmp	eax, 7
		jnb	loc_5BE0C1
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jnz	short loc_4A5FE5

loc_4A5FD4:				; CODE XREF: MiGatherMappedPages+118528j
		mov	[ebp+var_10], 1
		mov	ecx, 0C0000054h
		jmp	loc_4A5E2C
; 

loc_4A5FE5:				; CODE XREF: MiGatherMappedPages+42Ej
		mov	ecx, eax
		jmp	short loc_4A5FBC
MiGatherMappedPages endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcNotifyOfMappedWrite proc near		; CODE XREF: MiGatherMappedPages+179p
					; MiGatherMappedPages+23Ep

var_50		= dword	ptr -50h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= byte ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= byte ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BE181 SIZE 0000015F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], edx
		lea	edi, [ebp+var_40]
		mov	[ebp+var_10], 0
		stosd
		lea	edx, [ebp+var_40]
		mov	esi, ecx
		mov	[ebp+var_20], 0
		mov	ecx, offset _CcMasterLock
		mov	[ebp+var_1C], 0
		mov	[ebp+var_14], 0
		xor	ebx, ebx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, [esi+4]
		test	esi, esi
		jz	loc_4A6382
		test	dword ptr [esi+60h], 100h
		jnz	loc_4A6382
		mov	ecx, esi
		call	CcGetPartition
		mov	ebx, eax
		lea	edx, [ebp+var_34]
		lea	ecx, [ebx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		inc	dword ptr [esi+4]
		inc	dword ptr [esi+178h]
		test	ds:byte_70EFC6,	1
		jnz	loc_5BE181
		mov	eax, [ebp+var_34]
		test	eax, eax
		jnz	loc_4A6434
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_34]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_34]
		cmp	eax, ecx
		jnz	loc_4A642C

loc_4A609F:				; CODE XREF: CcNotifyOfMappedWrite+456j
					; CcNotifyOfMappedWrite+11819Cj
		mov	cl, [ebp+var_2C]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		test	ds:byte_70EFC6,	1
		jnz	loc_5BE191
		mov	eax, [ebp+var_40]
		test	eax, eax
		jnz	loc_4A63EE
		mov	edx, [ebp+var_3C]
		lea	eax, [ebp+var_40]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_40]
		cmp	eax, ecx
		jnz	loc_4A63E6

loc_4A60D9:				; CODE XREF: CcNotifyOfMappedWrite+410j
					; CcNotifyOfMappedWrite+1181ACj
		mov	cl, [ebp+var_38]
		call	edi
		lea	edx, [ebp+var_34]
		lea	ecx, [ebx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	ecx
		mov	ecx, esi
		call	CcDecrementOpenCount
		test	byte ptr [esi+60h], 20h
		jnz	loc_4A626D
		cmp	dword ptr [esi+16Ch], 0
		jnz	loc_4A626D
		cmp	dword ptr [esi+4Ch], 0
		jz	loc_4A641F
		mov	edx, [esi+44h]
		and	edx, 0FFFFFFF8h
		test	dword ptr [edx+2Ch], 8000h
		jnz	loc_4A6405
		push	0
		push	8
		push	0
		push	1000000h
		mov	ecx, ebx
		call	CcCanIWriteStreamEx
		test	al, al
		jz	loc_4A6405
		xor	edi, edi
		cmp	byte ptr [ebx+288h], 0
		mov	[ebp+var_4], edi
		jnz	loc_5BE1A1

loc_4A6151:				; CODE XREF: CcNotifyOfMappedWrite+282j
					; CcNotifyOfMappedWrite+3D2j ...
		cmp	edi, 2
		jnz	short loc_4A6160
		cmp	[ebp+var_8], 0
		jz	loc_4A6277

loc_4A6160:				; CODE XREF: CcNotifyOfMappedWrite+164j
		test	edi, edi
		jnz	loc_4A627F

loc_4A6168:				; CODE XREF: CcNotifyOfMappedWrite+294j
		test	ebx, ebx
		jz	short loc_4A61A4
		test	ds:byte_70EFC6,	1
		jnz	loc_5BE2D0
		mov	eax, [ebp+var_34]
		test	eax, eax
		jnz	loc_4A63CF
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_34]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_34]
		cmp	eax, ecx
		jnz	loc_4A63C7

loc_4A619B:				; CODE XREF: CcNotifyOfMappedWrite+387j
					; CcNotifyOfMappedWrite+3F1j ...
		mov	cl, [ebp+var_2C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4A61A4:				; CODE XREF: CcNotifyOfMappedWrite+17Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4A61AF:				; CODE XREF: CcNotifyOfMappedWrite+420j
					; CcNotifyOfMappedWrite+429j
		cmp	[esi+2Ch], edx
		jl	loc_4A641F
		jg	short loc_4A61C3
		cmp	[esi+28h], ecx
		jbe	loc_4A641F

loc_4A61C3:				; CODE XREF: CcNotifyOfMappedWrite+1C8j
		mov	eax, [esi+4Ch]
		mov	[esi+78h], eax
		add	[ebx+144h], eax
		mov	eax, [esi+78h]
		add	[ebx+1A0h], eax
		or	dword ptr [esi+60h], 20h
		inc	dword ptr [esi+4Ch]
		test	ds:byte_70EFC6,	1
		jnz	loc_5BE1B1
		mov	eax, [ebp+var_34]
		test	eax, eax
		jnz	loc_5BE1C9
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_34]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_34]
		cmp	eax, ecx
		jnz	loc_5BE1C1

loc_4A620E:				; CODE XREF: CcNotifyOfMappedWrite+1181CCj
					; CcNotifyOfMappedWrite+1181EBj
		mov	cl, [ebp+var_2C]
		call	edi
		lea	edx, [ebp+var_10]
		mov	ecx, ebx
		call	_CcAllocateWorkQueueEntry@8 ; CcAllocateWorkQueueEntry(x,x)
		lea	edx, [ebp+var_34]
		lea	ecx, [ebx+40h]
		test	eax, eax
		js	loc_5BE200
		mov	edi, [ebp+var_10]
		mov	byte ptr [edi+48h], 2
		mov	[edi+8], esi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		dec	dword ptr [esi+4Ch]
		test	dword ptr [esi+60h], 10000h
		jnz	loc_5BE1E0
		mov	[esi+160h], edi
		lea	edx, [ebx+0A4h]

loc_4A6256:				; CODE XREF: CcNotifyOfMappedWrite+118201j
		mov	eax, [edi+4Ch]
		mov	ecx, edi
		add	eax, 0B4h
		cmp	eax, edx
		jz	loc_5BE1F6
		call	CcPostWorkQueueRegular

loc_4A626D:				; CODE XREF: CcNotifyOfMappedWrite+105j
					; CcNotifyOfMappedWrite+112j ...
		xor	edi, edi
		mov	[ebp+var_4], edi
		jmp	loc_4A6151
; 

loc_4A6277:				; CODE XREF: CcNotifyOfMappedWrite+16Aj
		mov	edi, 1
		mov	[ebp+var_4], edi

loc_4A627F:				; CODE XREF: CcNotifyOfMappedWrite+172j
		mov	eax, edi
		sub	eax, 1
		jz	loc_4A6168
		sub	eax, 1
		jnz	loc_5BE241
		or	dword ptr [esi+60h], 400400h
		inc	dword ptr [esi+4]
		inc	dword ptr [esi+178h]
		inc	dword ptr [esi+16Ch]
		test	ds:byte_70EFC6,	1
		jnz	loc_5BE25E
		mov	eax, [ebp+var_34]
		test	eax, eax
		jnz	loc_5BE276
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_34]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_34]
		cmp	eax, ecx
		jnz	loc_5BE26E

loc_4A62D8:				; CODE XREF: CcNotifyOfMappedWrite+118279j
					; CcNotifyOfMappedWrite+118298j
		mov	cl, [ebp+var_2C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], edx
		test	eax, eax
		jz	short loc_4A6332
		mov	edi, [ebp+arg_0]
		lea	esp, [esp+0]

loc_4A6300:				; CODE XREF: CcNotifyOfMappedWrite+486j
		mov	eax, [esi+8]
		or	eax, [esi+0Ch]
		jz	loc_5BE28D

loc_4A630C:				; CODE XREF: CcNotifyOfMappedWrite+1182A7j
		push	0
		lea	eax, [ebp+var_14]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	0
		push	edx
		lea	edx, [ebp+var_28]
		call	CcAcquireByteRangeForWrite
		test	al, al
		jnz	loc_4A644B

loc_4A632F:				; CODE XREF: CcNotifyOfMappedWrite+480j
					; CcNotifyOfMappedWrite+1182A1j
		mov	edi, [ebp+var_4]

loc_4A6332:				; CODE XREF: CcNotifyOfMappedWrite+307j
		lea	ecx, [ebx+40h]
		lea	edx, [ebp+var_34]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	dword ptr [esi+4], 0
		jbe	loc_5BE2BB
		and	dword ptr [esi+60h], 0FFBFFFFFh
		test	ds:byte_70EFC6,	1
		jnz	loc_5BE2D0
		mov	eax, [ebp+var_34]
		test	eax, eax
		jnz	loc_5BE2A4
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_34]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_34]
		cmp	eax, ecx
		jz	loc_4A619B
		jmp	loc_5BE29C
; 

loc_4A6382:				; CODE XREF: CcNotifyOfMappedWrite+50j
					; CcNotifyOfMappedWrite+5Dj
		test	ds:byte_70EFC6,	1
		mov	edi, 1
		mov	[ebp+var_4], edi
		jnz	loc_5BE219
		mov	eax, [ebp+var_40]
		test	eax, eax
		jnz	loc_5BE231
		mov	edx, [ebp+var_3C]
		lea	eax, [ebp+var_40]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_40]
		cmp	eax, ecx
		jnz	loc_5BE229

loc_4A63B9:				; CODE XREF: CcNotifyOfMappedWrite+118234j
					; CcNotifyOfMappedWrite+11824Cj
		mov	cl, [ebp+var_38]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4A6151
; 

loc_4A63C7:				; CODE XREF: CcNotifyOfMappedWrite+1A5j
		lea	ecx, [ebp+var_34]
		call	KxWaitForLockChainValid

loc_4A63CF:				; CODE XREF: CcNotifyOfMappedWrite+18Ej
		mov	[ebp+var_34], 0
		lea	ecx, [eax+4]
		mov	edx, 1
		lock xor [ecx],	edx
		jmp	loc_4A619B
; 

loc_4A63E6:				; CODE XREF: CcNotifyOfMappedWrite+E3j
		lea	ecx, [ebp+var_40]
		call	KxWaitForLockChainValid

loc_4A63EE:				; CODE XREF: CcNotifyOfMappedWrite+CCj
		mov	[ebp+var_40], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A60D9
; 

loc_4A6405:				; CODE XREF: CcNotifyOfMappedWrite+12Fj
					; CcNotifyOfMappedWrite+149j
		mov	edx, [esi+24h]
		mov	ecx, [esi+20h]
		cmp	[ebp+arg_4], edx
		jl	short loc_4A641F
		jg	loc_4A61AF
		cmp	[ebp+arg_0], ecx
		ja	loc_4A61AF

loc_4A641F:				; CODE XREF: CcNotifyOfMappedWrite+11Cj
					; CcNotifyOfMappedWrite+1C2j ...
		mov	edi, 2
		mov	[ebp+var_4], edi
		jmp	loc_4A6151
; 

loc_4A642C:				; CODE XREF: CcNotifyOfMappedWrite+A9j
		lea	ecx, [ebp+var_34]
		call	KxWaitForLockChainValid

loc_4A6434:				; CODE XREF: CcNotifyOfMappedWrite+92j
		mov	[ebp+var_34], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A609F
; 

loc_4A644B:				; CODE XREF: CcNotifyOfMappedWrite+339j
		mov	ecx, [ebp+var_20]
		mov	edx, edi
		add	ecx, [ebp+var_C]
		mov	eax, [ebp+var_1C]
		adc	eax, 0
		mov	[ebp+var_20], ecx
		sub	edx, ecx
		mov	[ebp+var_1C], eax
		add	edx, [ebp+var_8]
		mov	[ebp+arg_4], eax
		mov	[ebp+var_C], edx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], eax
		jz	loc_4A632F
		jmp	loc_4A6300
CcNotifyOfMappedWrite endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReleaseSystemCacheView proc near	; CODE XREF: MmUnmapViewInSystemCache+47Fp
					; MmFreeSystemCacheReserveView(x)+89p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= byte ptr -30h
var_2C		= dword	ptr -2Ch
var_25		= dword	ptr -25h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BE2E0 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	byte ptr [ebp+var_25], 0
		lea	edi, [ebp+var_38]
		mov	edx, ecx
		stosd
		mov	esi, edx
		push	8
		pop	ecx
		mov	[ebp+var_2C], edx
		xor	ebx, ebx
		stosd
		lea	edx, [ebp+var_38]
		mov	[ebp+var_3C], ebx
		shl	esi, 9
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_25+1]
		rep stosd
		mov	ecx, offset dword_6D2EA8
		xor	edi, edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, dword_6D07D0
		shr	esi, 12h
		shr	eax, 12h
		and	eax, 3FF8h
		sub	esi, eax
		sar	esi, 3
		add	esi, offset unk_6D07D4
		push	1
		sub	byte ptr [esi],	1
		pop	esi
		jz	short loc_4A6553
		mov	edx, [ebp+var_2C]
		mov	ecx, offset unk_6D5290
		call	_InsertTailListPte@8 ; InsertTailListPte(x,x)

loc_4A64F5:				; CODE XREF: MiReleaseSystemCacheView+140j
		test	ds:byte_70EFC6,	1
		jnz	loc_5BE2EA
		mov	eax, [ebp+var_38]
		test	eax, eax
		jnz	short loc_4A6544
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_38]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_38]
		cmp	eax, ecx
		jnz	short loc_4A653C

loc_4A651C:				; CODE XREF: MiReleaseSystemCacheView+D5j
					; MiReleaseSystemCacheView+117E79j
		mov	cl, [ebp+var_30]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jnz	loc_4A65C1

loc_4A652D:				; CODE XREF: MiReleaseSystemCacheView+1C6j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4A653C:				; CODE XREF: MiReleaseSystemCacheView+9Ej
		lea	ecx, [ebp+var_38]
		call	KxWaitForLockChainValid

loc_4A6544:				; CODE XREF: MiReleaseSystemCacheView+8Bj
		mov	[ebp+var_38], 0
		add	eax, 4
		lock xor [eax],	esi
		jmp	short loc_4A651C
; 

loc_4A6553:				; CODE XREF: MiReleaseSystemCacheView+6Aj
		mov	eax, [ebp+var_2C]
		mov	ebx, eax
		and	ebx, 0FFFFF000h
		mov	[ebp+var_3C], ebx
		mov	esi, ebx
		lea	ecx, [ebx+1000h]
		cmp	ebx, ecx
		jnb	short loc_4A65B9

loc_4A656D:				; CODE XREF: MiReleaseSystemCacheView+13Bj
		cmp	esi, eax
		jz	short loc_4A65AF
		mov	edx, esi
		mov	ecx, offset unk_6D5290
		call	_RemoveListEntryPte@8 ;	RemoveListEntryPte(x,x)
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		cmp	eax, 1
		jnz	short loc_4A6595
		test	edx, edx
		jz	loc_5BE2E0

loc_4A6595:				; CODE XREF: MiReleaseSystemCacheView+10Fj
		mov	eax, ds:_ZeroPte
		mov	[esi+18h], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+1Ch], eax

loc_4A65A6:				; CODE XREF: MiReleaseSystemCacheView+117E69j
		mov	eax, [ebp+var_2C]
		lea	ecx, [ebx+1000h]

loc_4A65AF:				; CODE XREF: MiReleaseSystemCacheView+F3j
		add	esi, 200h
		cmp	esi, ecx
		jb	short loc_4A656D

loc_4A65B9:				; CODE XREF: MiReleaseSystemCacheView+EFj
		xor	esi, esi
		inc	esi
		jmp	loc_4A64F5
; 

loc_4A65C1:				; CODE XREF: MiReleaseSystemCacheView+ABj
		xor	esi, esi
		test	edi, edi
		jnz	loc_5BE2FA

loc_4A65CB:				; CODE XREF: MiReleaseSystemCacheView+117E8Cj
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_25]
		push	eax
		mov	ecx, offset unk_6D5E80
		shl	ebx, 9
		call	_MiLockWorkingSetOptimal@12 ; MiLockWorkingSetOptimal(x,x,x)
		mov	ecx, ebx
		mov	esi, eax
		call	_MiGetSystemCacheReverseMap@4 ;	MiGetSystemCacheReverseMap(x)
		mov	edx, dword_6D07D0
		mov	ecx, ebx
		shr	edx, 12h
		mov	edi, eax
		shr	ecx, 12h
		and	edx, 3FF8h
		sub	ecx, edx
		mov	edx, esi
		sar	ecx, 3
		mov	esi, offset unk_6D5E80
		and	dword_6D0BD4[ecx*4], 0
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+var_25]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	edx, [ebp+var_3C]
		mov	ecx, ebx
		push	0
		add	edx, 1000h
		push	8
		shl	edx, 9
		call	_MiReturnSystemVa@16 ; MiReturnSystemVa(x,x,x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4A652D
MiReleaseSystemCacheView endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcGetVacbMiss	proc near		; CODE XREF: CcGetVirtualAddress+32Ap

var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005BE30D SIZE 000001F6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, ecx
		mov	ecx, edi
		mov	[ebp+var_10], edx
		and	ecx, 3FFFFh
		mov	[ebp+var_2C], 0
		sub	edi, ecx
		mov	[ebp+var_28], 0
		xor	bl, bl
		mov	[ebp+var_14], 0
		mov	ecx, esi
		mov	byte ptr [ebp+var_C], bl
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], edi
		call	CcGetPartition
		mov	edi, eax
		mov	[ebp+var_18], edi
		lea	esp, [esp+0]

loc_4A66A0:				; CODE XREF: CcGetVacbMiss+117DA0j
		mov	ecx, 4
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	byte ptr [ebp+arg_8+3],	al
		test	bl, bl
		jnz	loc_5BE30D

loc_4A66B5:				; CODE XREF: CcGetVacbMiss+117CC1j
		mov	dl, bl
		mov	ecx, edi
		call	CcGetVacbFromFreeList
		mov	ecx, large fs:20h
		mov	edi, eax
		test	ds:byte_70EFC6,	1
		lea	ebx, [ecx+438h]
		jnz	loc_5BE316
		mov	eax, [ebx]
		test	eax, eax
		jnz	loc_4A68D5
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jnz	loc_4A68CE

loc_4A66F7:				; CODE XREF: CcGetVacbMiss+296j
					; CcGetVacbMiss+117CD0j
		mov	cl, byte ptr [ebp+arg_8+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	loc_5BE325

loc_4A6708:				; CODE XREF: CcGetVacbMiss+117D66j
					; CcGetVacbMiss+117D6Dj
		mov	ecx, [esi+18h]
		sub	ecx, [ebp+var_24]
		mov	eax, [esi+1Ch]
		sbb	eax, [ebp+var_20]
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], eax
		jnz	short loc_4A6724
		cmp	ecx, 40000h
		jbe	short loc_4A672B

loc_4A6724:				; CODE XREF: CcGetVacbMiss+CAj
		mov	[ebp+var_2C], 40000h

loc_4A672B:				; CODE XREF: CcGetVacbMiss+D2j
		push	ecx
		mov	ecx, [esi+6Ch]
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_24]
		mov	edx, edi
		push	eax
		call	MmMapViewInSystemCache
		cmp	[ebp+var_10], 0
		mov	[ebp+var_8], eax
		jnz	loc_4A683C

loc_4A674B:				; CODE XREF: CcGetVacbMiss+1F7j
		lea	ecx, [esi+48h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		cmp	dword ptr [esi+1Ch], 0
		mov	edx, [ebp+var_20]
		mov	[ebp+arg_8], edx
		jl	short loc_4A6774
		jg	loc_4A6828
		cmp	dword ptr [esi+18h], 2000000h
		ja	loc_4A6828

loc_4A6774:				; CODE XREF: CcGetVacbMiss+10Fj
		mov	ebx, [ebp+var_24]
		mov	ecx, ebx
		mov	eax, [esi+40h]
		shr	ecx, 12h
		mov	eax, [eax+ecx*4]

loc_4A6782:				; CODE XREF: CcGetVacbMiss+1E7j
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_4A67A9
		cmp	[ebp+var_8], eax
		jl	loc_5BE40B
		push	edx
		push	ebx
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	_SetVacb@20	; SetVacb(x,x,x,x,x)
		test	al, al
		jz	loc_5BE3F5
		mov	eax, [ebp+var_1C]

loc_4A67A9:				; CODE XREF: CcGetVacbMiss+137j
		cmp	[ebp+var_8], 0
		jl	loc_5BE40B
		test	eax, eax
		jnz	loc_4A6859
		cmp	dword ptr [edi+4], 0FFFFFFFFh
		jnz	loc_5BE4C7
		mov	eax, [ebp+arg_8]
		mov	ecx, edi
		mov	[edi+4], esi
		mov	[edi+8], ebx
		mov	[edi+0Ch], eax
		call	CcIncrementVacbActiveCount
		mov	eax, [ebp+arg_8]
		cmp	eax, [esi+0F4h]
		jl	short loc_4A6802
		jg	short loc_4A67ED
		cmp	ebx, [esi+0F0h]
		jb	short loc_4A6802

loc_4A67ED:				; CODE XREF: CcGetVacbMiss+193j
		add	ebx, 40000h
		mov	[esi+0F0h], ebx
		adc	eax, 0
		mov	[esi+0F4h], eax

loc_4A6802:				; CODE XREF: CcGetVacbMiss+191j
					; CcGetVacbMiss+19Bj
		xor	edx, edx
		lea	ecx, [esi+48h]
		call	ExReleasePushLockEx
		cmp	[ebp+var_10], 0
		jnz	short loc_4A684C

loc_4A6812:				; CODE XREF: CcGetVacbMiss+207j
					; CcGetVacbMiss+279j ...
		mov	eax, [ebp+var_8]
		test	eax, eax
		js	loc_5BE3D4
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4A6828:				; CODE XREF: CcGetVacbMiss+111j
					; CcGetVacbMiss+11Ej
		mov	ebx, [ebp+var_24]
		mov	ecx, esi
		push	edx
		push	ebx
		call	_CcGetVacbLargeOffset@12 ; CcGetVacbLargeOffset(x,x,x)
		mov	edx, [ebp+arg_8]
		jmp	loc_4A6782
; 

loc_4A683C:				; CODE XREF: CcGetVacbMiss+F5j
		lea	ecx, [esi+0B4h]
		call	ExAcquireFastMutex
		jmp	loc_4A674B
; 

loc_4A684C:				; CODE XREF: CcGetVacbMiss+1C0j
		lea	ecx, [esi+0B4h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	short loc_4A6812
; 

loc_4A6859:				; CODE XREF: CcGetVacbMiss+165j
		mov	ecx, eax
		call	CcIncrementVacbActiveCount
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		call	_CcReleaseBcbLockAndVacbLock@8 ; CcReleaseBcbLockAndVacbLock(x,x)
		push	[ebp+var_14]
		mov	edx, esi
		mov	ecx, edi
		call	CcUnmapVacb
		mov	ecx, 4
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		push	[ebp+var_C]
		mov	ecx, [ebp+var_18]
		mov	edx, edi
		mov	bl, al
		call	_CcSetVacbInFreeList@12	; CcSetVacbInFreeList(x,x,x)
		mov	ecx, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	edi, [ecx+438h]
		jnz	loc_5BE4B8
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_4A68EB
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jnz	short loc_4A68FE

loc_4A68BE:				; CODE XREF: CcGetVacbMiss+2ACj
					; CcGetVacbMiss+117E72j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, [ebp+var_1C]
		jmp	loc_4A6812
; 

loc_4A68CE:				; CODE XREF: CcGetVacbMiss+A1j
		mov	ecx, ebx
		call	KxWaitForLockChainValid

loc_4A68D5:				; CODE XREF: CcGetVacbMiss+8Ej
		mov	dword ptr [ebx], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A66F7
; 

loc_4A68EB:				; CODE XREF: CcGetVacbMiss+25Dj
					; CcGetVacbMiss+2B5j
		mov	dword ptr [edi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4A68BE
; 

loc_4A68FE:				; CODE XREF: CcGetVacbMiss+26Cj
		mov	ecx, edi
		call	KxWaitForLockChainValid
		jmp	short loc_4A68EB
CcGetVacbMiss	endp

; 
		align 4

;  S U B	R O U T	I N E 


CcIncrementVacbActiveCount proc	near	; CODE XREF: CcGetVirtualAddressIfMapped(x,x,x,x,x)+5Dp
					; CcGetVacbMiss+183p ...
		mov	edx, [ecx+4]
		push	esi
		xor	esi, esi
		inc	esi
		mov	eax, esi
		lock xadd [ecx+8], eax
		inc	eax
		movzx	eax, ax
		test	ax, ax
		jz	loc_5BE4E3
		cmp	ax, si
		pop	esi
		jnz	short locret_4A6930
		lock inc dword ptr [edx+180h]

locret_4A6930:				; CODE XREF: CcIncrementVacbActiveCount+1Fj
		retn
CcIncrementVacbActiveCount endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmMapViewInSystemCache proc near	; CODE XREF: CcGetVacbMiss+E9p

var_DC		= dword	ptr -0DCh
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_90		= dword	ptr -90h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BE503 SIZE 000000DB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [ebp+var_A4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, ecx
		push	98h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_B0], edx
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_C4], 0
		mov	[ebp+var_C0], 0
		call	_memset
		add	esp, 0Ch
		test	byte ptr [esi+20h], 20h
		jnz	loc_5BE4F9
		mov	ecx, esi
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	edi, [edi]
		mov	esi, eax
		mov	[ebp+var_CC], esi
		test	edi, 0FFFh
		jnz	loc_5BE503
		xor	ecx, ecx

loc_4A69BF:				; CODE XREF: MmMapViewInSystemCache+117BC8j
		shr	edi, 0Ch
		add	edi, ecx
		mov	[ebp+var_C8], edi
		jz	loc_5BE50D
		mov	eax, [ebx+4]
		lea	edx, [ebp+var_C4]
		push	eax
		mov	eax, [ebx]
		mov	ecx, esi
		push	eax
		call	MiOffsetToProtos
		mov	ecx, [ebp+var_C4]
		mov	esi, eax
		xor	eax, eax
		mov	[ebp+var_B4], ecx
		mov	ebx, edi
		mov	[ebp+var_A8], esi
		add	ebx, ecx
		mov	edx, 5
		mov	ecx, esi
		adc	eax, [ebp+var_C0]
		push	eax
		push	ebx
		mov	[ebp+var_B8], eax
		call	MiAddViewsForSection
		test	eax, eax
		js	loc_5BE51E
		mov	eax, [ebp+var_B0]
		mov	esi, [eax]
		test	esi, esi
		jnz	loc_5BE54B
		mov	ecx, offset _MiSystemPartition
		call	MiObtainSystemCacheView
		mov	esi, eax
		test	esi, esi
		jz	loc_5BE529
		mov	ecx, [ebp+var_B0]
		shl	eax, 9
		mov	[ecx], eax

loc_4A6A4F:				; CODE XREF: MmMapViewInSystemCache+117C2Aj
					; MmMapViewInSystemCache+117C32j ...
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+4], eax
		mov	eax, ds:_ZeroPte
		mov	[esi+8], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+0Ch], eax
		mov	eax, ds:_ZeroPte
		mov	[esi+10h], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+14h], eax
		mov	eax, ds:_ZeroPte
		mov	[esi+18h], eax
		nop
		mov	edx, [ebp+var_A8]
		mov	eax, ds:dword_40F9FC
		mov	[esi+1Ch], eax
		mov	eax, [ebp+var_B4]
		mov	ecx, [edx+4]
		lea	ebx, [ecx+eax*8]
		mov	eax, [edx+1Ch]
		lea	eax, [ecx+eax*8]
		mov	[ebp+var_B4], eax
		lea	eax, [esi+edi*8]
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+var_B0]
		mov	ecx, [eax]
		call	_MiGetSystemCacheReverseMap@4 ;	MiGetSystemCacheReverseMap(x)
		mov	edi, [ebp+var_AC]
		mov	[ebp+var_BC], eax
		mov	eax, _MiSystemPartition
		and	eax, 3FFh
		mov	ecx, [edi]
		mov	edi, [edi+4]
		cdq
		shld	edx, eax, 6
		shrd	ecx, edi, 2
		shl	eax, 6
		and	ecx, 0FFFF0000h
		shr	edi, 2
		or	eax, ecx
		and	edi, 3FFFFFFFh
		mov	ecx, [ebp+var_C8]
		or	edx, edi
		and	ecx, 3Fh
		or	eax, ecx
		mov	ecx, [ebp+var_BC]
		and	dword ptr [ecx+8], 0FFFFFFFCh
		mov	[ecx+10h], eax
		mov	eax, [ebp+var_CC]
		mov	[ecx+14h], edx
		mov	edx, [ebp+var_A8]
		mov	[ecx+0Ch], edx
		cmp	dword ptr [eax+20h], 0
		jz	loc_5BE5D1

loc_4A6B34:				; CODE XREF: MmMapViewInSystemCache+117C99j
		cmp	esi, [ebp+var_B8]
		jnb	short loc_4A6BAB
		lea	esp, [esp+0]

loc_4A6B40:				; CODE XREF: MmMapViewInSystemCache+269j
		cmp	ebx, [ebp+var_B4]
		jnb	loc_4A6C10

loc_4A6B4C:				; CODE XREF: MmMapViewInSystemCache+2ECj
		mov	eax, dword_6D0704
		xor	edx, edx
		mov	edi, dword_6D0700
		or	edx, 400h
		mov	[ebp+var_AC], eax
		mov	ecx, ebx
		mov	eax, edi
		or	eax, [ebp+var_AC]
		jz	short loc_4A6B8B
		mov	eax, [ebp+var_AC]
		mov	ecx, edi
		and	ecx, edx
		and	eax, ebx
		or	ecx, eax
		jz	short loc_4A6BFB
		xor	edx, edx
		mov	ecx, ebx
		or	edx, 410h

loc_4A6B8B:				; CODE XREF: MmMapViewInSystemCache+22Fj
					; MmMapViewInSystemCache+2CBj
		mov	[esi], edx
		nop
		mov	edx, [ebp+var_A8]
		add	ebx, 8
		mov	[esi+4], ecx
		add	esi, 8
		mov	ecx, [ebp+var_BC]
		cmp	esi, [ebp+var_B8]
		jb	short loc_4A6B40

loc_4A6BAB:				; CODE XREF: MmMapViewInSystemCache+1FAj
		mov	[ebp+var_D0], 0
		lea	eax, [ebp+var_D0]
		xor	edx, edx
		lock or	[eax], edx
		mov	eax, [ebp+var_B0]
		mov	edx, ecx
		mov	eax, [eax]
		mov	[ecx+8], eax
		mov	eax, [ecx+0Ch]
		mov	ecx, [ebp+var_A8]
		and	eax, 1
		lea	eax, ds:1[eax*2]
		push	eax
		call	MiManageSubsectionView
		xor	eax, eax

loc_4A6BE8:				; CODE XREF: CcGetVacbMiss+117EAEj
					; MmMapViewInSystemCache+117BE4j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4A6BFB:				; CODE XREF: MmMapViewInSystemCache+23Fj
		mov	ecx, [ebp+var_AC]
		mov	edx, edi
		or	ecx, ebx
		or	edx, 400h
		jmp	loc_4A6B8B
; 

loc_4A6C10:				; CODE XREF: MmMapViewInSystemCache+206j
		mov	edx, [edx+8]
		mov	[ebp+var_A8], edx
		mov	ebx, [edx+4]
		mov	eax, [edx+1Ch]
		or	dword ptr [ecx+0Ch], 1
		lea	eax, [ebx+eax*8]
		mov	[ebp+var_B4], eax
		jmp	loc_4A6B4C
MmMapViewInSystemCache endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiManageSubsectionView proc near	; CODE XREF: MmUnmapViewInSystemCache+352p
					; MiRemoveFromSystemSpace+112p	...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BE5DE SIZE 0000004C BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ecx
		push	esi
		push	edi
		mov	[ebp+var_10], eax
		mov	esi, edx
		mov	edi, [eax]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [edi+3Ch]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebx+8]
		sub	eax, 1
		jz	short loc_4A6CA2
		sub	eax, 1
		jnz	loc_4A6DFC

loc_4A6C85:				; CODE XREF: MiManageSubsectionView+20Cj
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_4A6EC6
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_4A6EC6
		mov	[ecx], eax
		mov	[eax+4], ecx
		jmp	short loc_4A6CBD
; 

loc_4A6CA2:				; CODE XREF: MiManageSubsectionView+48j
		mov	eax, [ebp+var_10]
		add	eax, 34h

loc_4A6CA8:				; CODE XREF: MiManageSubsectionView+1DFj
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_4A6EC6
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[ecx+4], esi
		mov	[eax], esi

loc_4A6CBD:				; CODE XREF: MiManageSubsectionView+6Ej
					; MiManageSubsectionView+1D6j ...
		mov	eax, large fs:124h
		or	edx, 0FFFFFFFFh
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_28], eax
		mov	eax, edx
		mov	[ebp+var_C], edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4A6E5C

loc_4A6CDF:				; CODE XREF: MiManageSubsectionView+232j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4A6DE9
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_4A6D1C
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4A6E16

loc_4A6D1C:				; CODE XREF: MiManageSubsectionView+DBj
		cmp	ecx, [ebp+var_20]
		jb	short loc_4A6D2E
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4A6E16

loc_4A6D2E:				; CODE XREF: MiManageSubsectionView+EDj
					; MiManageSubsectionView+1F7j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_4A6E49
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4A6E69

loc_4A6D6F:				; CODE XREF: MiManageSubsectionView+23Fj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5BE5F2
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4A6DBB:				; CODE XREF: MiManageSubsectionView+21Fj
					; MiManageSubsectionView+1179D2j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	loc_4A6E80

loc_4A6DD2:				; CODE XREF: MiManageSubsectionView+27Ej
					; MiManageSubsectionView+1179F3j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4A6DE9
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_4A6E76

loc_4A6DE9:				; CODE XREF: MiManageSubsectionView+B8j
					; MiManageSubsectionView+1A9j ...
		mov	ecx, [ebp+var_28]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_4A6DFC:				; CODE XREF: MiManageSubsectionView+4Dj
		sub	eax, 1
		jnz	short loc_4A6E2E
		test	dword ptr [edi+1Ch], 400h
		jnz	loc_4A6CBD
		lea	eax, [edi+4]
		jmp	loc_4A6CA8
; 

loc_4A6E16:				; CODE XREF: MiManageSubsectionView+E4j
					; MiManageSubsectionView+F6j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax
		jmp	loc_4A6D2E
; 

loc_4A6E2E:				; CODE XREF: MiManageSubsectionView+1CDj
		sub	eax, 1
		jnz	loc_4A6CBD
		test	dword ptr [edi+1Ch], 400h
		jz	loc_4A6C85
		jmp	loc_4A6CBD
; 

loc_4A6E49:				; CODE XREF: MiManageSubsectionView+125j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4A6DBB
		jmp	loc_5BE5DE
; 

loc_4A6E5C:				; CODE XREF: MiManageSubsectionView+A7j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_4A6CDF
; 

loc_4A6E69:				; CODE XREF: MiManageSubsectionView+137j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_4A6D6F
; 

loc_4A6E76:				; CODE XREF: MiManageSubsectionView+1B1j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4A6DE9
; 

loc_4A6E80:				; CODE XREF: MiManageSubsectionView+19Aj
		test	edi, 8000h
		jnz	short loc_4A6EBB

loc_4A6E88:				; CODE XREF: MiManageSubsectionView+292j
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5BE609

loc_4A6E92:				; CODE XREF: MiManageSubsectionView+1179E1j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4A6EA6
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4A6EA6:				; CODE XREF: MiManageSubsectionView+267j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4A6DD2
		jmp	loc_5BE618
; 

loc_4A6EBB:				; CODE XREF: MiManageSubsectionView+254j
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_4A6E88
; 

loc_4A6EC6:				; CODE XREF: MiManageSubsectionView+58j
					; MiManageSubsectionView+63j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
MiManageSubsectionView endp


;  S U B	R O U T	I N E 


; __stdcall MiGetSystemCacheReverseMap(x)
_MiGetSystemCacheReverseMap@4 proc near	; CODE XREF: MmUnmapViewInSystemCache+99p
					; MiReleaseSystemCacheView+167p ...
		mov	edx, dword_6D07D0
		shr	ecx, 12h
		shr	edx, 12h
		mov	eax, ecx
		and	edx, 3FF8h
		sub	eax, edx
		sar	eax, 3
		mov	eax, dword_6D0BD4[eax*4]
		test	eax, eax
		jz	short locret_4A6EF8
		and	ecx, 7
		imul	ecx, 18h
		add	eax, ecx

locret_4A6EF8:				; CODE XREF: MiGetSystemCacheReverseMap(x)+22j
		retn
_MiGetSystemCacheReverseMap@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InsertTailListPte(x, x)
_InsertTailListPte@8 proc near		; CODE XREF: MiReleaseSystemCacheView+74p
					; MiExpandSystemCache+F2p

var_10		= dword	ptr -10h
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, ecx
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_10], eax
		sub	eax, [ebx+10h]
		push	esi
		sub	eax, 40000000h
		push	edi
		sar	eax, 3
		mov	edi, edx
		cdq
		push	eax
		push	0
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	esi, eax
		mov	eax, edx
		mov	[edi], esi
		nop
		mov	[edi+4], eax
		push	dword ptr [ebx+0Ch]
		push	dword ptr [ebx+8]
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		mov	edx, dword_6D0700
		mov	ecx, edx
		mov	[ebp+var_8], eax
		mov	eax, dword_6D0704
		or	ecx, eax
		jz	short loc_4A6F60
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jz	short loc_4A6FAD
		and	esi, 0FFFFFFEFh

loc_4A6F60:				; CODE XREF: InsertTailListPte(x,x)+57j
					; InsertTailListPte(x,x)+B7j
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		or	ecx, esi
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[edi+8], eax
		nop
		mov	eax, [ebp+var_10]
		mov	[edi+0Ch], edx
		mov	esi, [ebx+10h]
		sub	eax, esi
		sub	edi, esi
		sub	eax, 40000000h
		sar	edi, 3
		sar	eax, 3
		push	edi
		push	0
		cmp	[ebp+var_8], eax
		jz	short loc_4A6FB3
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebp+var_8]
		mov	[esi+ecx*8], eax
		nop
		mov	[esi+ecx*8+4], edx

loc_4A6FA2:				; CODE XREF: InsertTailListPte(x,x)+C3j
		pop	edi
		pop	esi
		mov	[ebx+8], eax
		mov	[ebx+0Ch], edx
		pop	ebx
		leave
		retn
; 

loc_4A6FAD:				; CODE XREF: InsertTailListPte(x,x)+61j
		not	edx
		and	esi, edx
		jmp	short loc_4A6F60
; 

loc_4A6FB3:				; CODE XREF: InsertTailListPte(x,x)+96j
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebx], eax
		mov	[ebx+4], edx
		jmp	short loc_4A6FA2
_InsertTailListPte@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RemoveListHeadPte proc near		; CODE XREF: MiObtainSystemCacheView+12Dp

var_E8		= dword	ptr -0E8h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BE62A SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		push	dword ptr [edi+4]
		push	dword ptr [edi]
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		mov	edx, [edi+10h]
		lea	esi, [edx+eax*8]
		xor	edx, edx
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		mov	[ebp+var_4], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, edx
		jnz	loc_5BE62A
		mov	eax, ecx
		mov	ebx, 3E0h
		and	eax, ebx
		or	eax, edx
		jnz	loc_5BE62A
		mov	ecx, [esi+8]
		nop
		mov	eax, [esi+0Ch]
		mov	[ebp+var_4], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, edx
		jnz	short loc_4A707E
		mov	eax, ecx
		and	eax, ebx
		or	eax, edx
		jnz	short loc_4A707E
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		mov	ebx, eax
		push	ebx
		push	0
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, eax
		mov	[edi+4], edx
		mov	eax, [edi+10h]
		mov	[ebp+var_4], eax
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[edi], ecx
		sub	eax, [ebp+var_4]
		sub	eax, 40000000h
		sar	eax, 3
		cmp	ebx, eax
		jz	short loc_4A7076
		cdq
		push	eax
		push	0
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebp+var_4]
		mov	[ecx+ebx*8+8], eax
		nop
		mov	[ecx+ebx*8+0Ch], edx

loc_4A706F:				; CODE XREF: RemoveListHeadPte+BCj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4A7076:				; CODE XREF: RemoveListHeadPte+98j
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		jmp	short loc_4A706F
; 

loc_4A707E:				; CODE XREF: RemoveListHeadPte+56j
					; RemoveListHeadPte+5Ej
		push	edx
		push	ecx
		push	esi
		push	3801h
		jmp	loc_5BE632
RemoveListHeadPte endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiObtainSystemCacheView	proc near	; CODE XREF: MmMapViewInSystemCache+F5p
					; MmReserveViewInSystemCache+5p

var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D1		= byte ptr -0D1h
var_D0		= dword	ptr -0D0h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_BC		= dword	ptr -0BCh
var_34		= dword	ptr -34h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005BE64C SIZE 00000976 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 11Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_108], 0
		mov	esi, ecx
		mov	[ebp+var_114], 0
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_F4], esi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_E0], 0
		lea	eax, [ebp+var_34]
		push	30h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ebx, ds:__imp_@KfRaiseIrql@4 ; KfRaiseIrql(x)
		add	esp, 0Ch
		mov	cl, 2
		mov	[ebp+var_C8], 21h
		mov	[ebp+var_BC], 0
		mov	[ebp+var_F0], 0
		mov	[ebp+var_10C], 0
		mov	[ebp+var_104], 0
		call	ebx
		test	ds:byte_70EFC6,	21h
		mov	edi, offset dword_6D2EA8
		mov	[ebp+var_D1], al
		mov	[ebp+var_E4], offset dword_6D2EA8
		mov	[ebp+var_E8], 0
		jnz	loc_5BE63A
		lea	edx, [ebp+var_E8]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_4A7492

loc_4A716C:				; CODE XREF: MiObtainSystemCacheView+40Dj
					; RemoveListHeadPte+117687j
		cmp	byte ptr [esi+0F50h], 0
		jz	loc_4A7662

loc_4A7179:				; CODE XREF: MiObtainSystemCacheView+6A0j
					; MiObtainSystemCacheView+6ADj
		lea	ebx, [esi+450h]
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		add	eax, 0C0000000h
		mov	[ebp+var_FC], eax

loc_4A7194:				; CODE XREF: MiObtainSystemCacheView+3D2j
		mov	eax, [ebx+4]
		push	eax
		mov	eax, [ebx]
		push	eax
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		mov	ecx, [ebp+var_FC]
		sub	ecx, [esi+460h]
		sar	ecx, 3
		cmp	eax, ecx
		jnz	short loc_4A71BB
		test	edx, edx
		jz	loc_4A7453

loc_4A71BB:				; CODE XREF: MiObtainSystemCacheView+121j
					; MiObtainSystemCacheView+117E1Dj ...
		mov	ecx, ebx
		call	RemoveListHeadPte
		mov	ebx, eax
		mov	eax, dword_6D07D0
		mov	ecx, ebx
		shr	eax, 12h
		shr	ecx, 9
		lea	edi, [ebx+18h]
		and	ecx, 3FF8h
		mov	[ebp+var_EC], ebx
		and	eax, 3FF8h
		sub	ecx, eax
		sar	ecx, 3
		add	ecx, offset unk_6D07D4
		inc	byte ptr [ecx]
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		push	eax
		push	ecx
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		mov	ecx, eax
		or	ecx, edx
		jz	short loc_4A724E
		cmp	eax, 1
		jnz	short loc_4A7212
		test	edx, edx
		jz	loc_4A74A2

loc_4A7212:				; CODE XREF: MiObtainSystemCacheView+178j
		mov	[ebp+var_118], 0
		lea	eax, [ebp+var_118]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, [ebx+14h]
		push	0FFFFFh
		push	eax
		mov	eax, [ebx+10h]
		push	eax
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		mov	edx, ds:_KiTbFlushTimeStamp
		mov	ecx, eax
		call	_MiTbFlushTimeStampMayNeedFlush@12 ; MiTbFlushTimeStampMayNeedFlush(x,x,x)
		test	al, al
		jnz	loc_4A731D

loc_4A724E:				; CODE XREF: MiObtainSystemCacheView+173j
					; MiObtainSystemCacheView+38Ej	...
		test	ds:byte_70EFC6,	1
		jnz	loc_5BEF3B
		mov	eax, [ebp+var_E8]
		test	eax, eax
		jnz	loc_4A7478
		mov	edx, [ebp+var_E4]
		lea	eax, [ebp+var_E8]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_E8]
		cmp	eax, ecx
		jnz	loc_4A746D

loc_4A7289:				; CODE XREF: MiObtainSystemCacheView+3FDj
					; MiObtainSystemCacheView+117EB9j
		cmp	[ebp+var_C4], 0
		jnz	loc_4A7423

loc_4A7296:				; CODE XREF: MiObtainSystemCacheView+3A8j
					; MiObtainSystemCacheView+3BEj
		mov	cl, [ebp+var_D1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_F0], 0
		mov	ebx, [ebp+var_EC]
		mov	esi, [ebp+var_F4]
		jnz	loc_4A74BD

loc_4A72BB:				; CODE XREF: MiObtainSystemCacheView+5BEj
		cmp	[ebp+var_104], 1
		jz	loc_4A74B1

loc_4A72C8:				; CODE XREF: MiObtainSystemCacheView+428j
		mov	eax, ds:_ZeroPte
		mov	[ebx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ebx+4], eax
		mov	eax, ds:_ZeroPte
		mov	[ebx+8], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ebx+0Ch], eax
		mov	eax, ds:_ZeroPte
		mov	[ebx+10h], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ebx+14h], eax
		mov	eax, ds:_ZeroPte
		mov	[edi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ebx+1Ch], eax
		mov	eax, ebx

loc_4A730C:				; CODE XREF: MiObtainSystemCacheView+1177D7j
					; MiObtainSystemCacheView+117DAAj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4A731D:				; CODE XREF: MiObtainSystemCacheView+1B8j
		mov	eax, ebx
		mov	[ebp+var_DC], edi
		mov	edi, [ebp+var_FC]
		xor	ebx, ebx
		mov	[ebp+var_D8], eax

loc_4A7333:				; CODE XREF: MiObtainSystemCacheView+379j
		cmp	[ebp+var_C4], 0
		jz	short loc_4A7341
		mov	[ebp+ebx*4+var_34], eax
		inc	ebx

loc_4A7341:				; CODE XREF: MiObtainSystemCacheView+2AAj
		mov	edx, eax
		lea	ecx, [ebp+var_D0]
		push	0
		shl	edx, 9
		push	40h
		mov	[ebp+var_108], edx
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	eax, [ebp+var_DC]
		mov	edx, dword_6D0700
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_F8], eax
		mov	[ebp+var_10C], eax
		mov	eax, dword_6D0704
		mov	[ebp+var_100], eax
		mov	eax, edx
		or	eax, [ebp+var_100]
		jz	short loc_4A739F
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	loc_5BEF27
		not	edx
		and	ecx, edx

loc_4A739F:				; CODE XREF: MiObtainSystemCacheView+2FBj
					; MiObtainSystemCacheView+117EA6j
		xor	eax, eax
		or	eax, 1
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebp+var_DC]
		mov	[ecx], eax
		mov	[ecx+4], edx
		cmp	ebx, 0Ch
		jz	short loc_4A740F
		mov	ecx, [ebp+var_D8]
		mov	eax, [ecx+4]
		push	eax
		mov	eax, [ecx]
		push	eax
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		mov	edx, [esi+460h]
		mov	ecx, edi
		sub	ecx, edx
		sar	ecx, 3
		cmp	eax, ecx
		jz	short loc_4A740F
		lea	ecx, [edx+eax*8]
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_D8], ecx
		add	ecx, 18h
		push	eax
		mov	[ebp+var_DC], ecx
		mov	eax, [ecx]
		push	eax
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		cmp	eax, 2
		jnz	short loc_4A740F
		mov	eax, [ebp+var_D8]
		test	edx, edx
		jz	loc_4A7333

loc_4A740F:				; CODE XREF: MiObtainSystemCacheView+329j
					; MiObtainSystemCacheView+34Cj	...
		mov	edi, [ebp+var_EC]
		mov	[ebp+var_10C], ebx
		add	edi, 18h
		jmp	loc_4A724E
; 

loc_4A7423:				; CODE XREF: MiObtainSystemCacheView+200j
		lea	ecx, [ebp+var_D0]
		call	MiFlushTbList
		mov	ebx, [ebp+var_10C]
		xor	esi, esi
		test	ebx, ebx
		jz	loc_4A7296
		mov	edi, edi

loc_4A7440:				; CODE XREF: MiObtainSystemCacheView+3BCj
		mov	ecx, [ebp+esi*4+var_34]
		call	_MiCompleteSystemCacheViewFlush@4 ; MiCompleteSystemCacheViewFlush(x)
		inc	esi
		cmp	esi, ebx
		jnz	short loc_4A7440
		jmp	loc_4A7296
; 

loc_4A7453:				; CODE XREF: MiObtainSystemCacheView+125j
		lea	edx, [ebp+var_114]
		mov	ecx, esi
		call	MiExpandSystemCache
		test	eax, eax
		jnz	loc_4A7194
		jmp	loc_5BEAC0
; 

loc_4A746D:				; CODE XREF: MiObtainSystemCacheView+1F3j
		lea	ecx, [ebp+var_E8]
		call	KxWaitForLockChainValid

loc_4A7478:				; CODE XREF: MiObtainSystemCacheView+1D3j
		mov	[ebp+var_E8], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A7289
; 

loc_4A7492:				; CODE XREF: MiObtainSystemCacheView+D6j
		lea	ecx, [ebp+var_E8]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A716C
; 

loc_4A74A2:				; CODE XREF: MiObtainSystemCacheView+17Cj
		mov	[ebp+var_104], 1
		jmp	loc_4A724E
; 

loc_4A74B1:				; CODE XREF: MiObtainSystemCacheView+232j
		mov	ecx, ebx
		call	_MiWaitForSystemCacheViewFlush@4 ; MiWaitForSystemCacheViewFlush(x)
		jmp	loc_4A72C8
; 

loc_4A74BD:				; CODE XREF: MiObtainSystemCacheView+225j
		lea	edx, [esi+480h]
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_F4], edx
		lock xadd [edx], eax
		test	al, 2
		jnz	loc_5BEF4E

loc_4A74D8:				; CODE XREF: MiObtainSystemCacheView+117EC0j
					; MiObtainSystemCacheView+117ED3j
		xor	edi, edi
		mov	[ebp+var_10C], edi
		test	edx, 7FFFFFFCh
		jz	loc_4A7640
		mov	esi, large fs:124h
		mov	[ebp+var_F8], esi
		cmp	edx, dword_6D07D0
		jb	loc_4A7742
		mov	eax, edx
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_4A751C
		cmp	al, 0Bh
		jnz	loc_4A7742

loc_4A751C:				; CODE XREF: MiObtainSystemCacheView+482j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_4A7527:				; CODE XREF: MiObtainSystemCacheView+6B5j
		dec	word ptr [esi+13Eh]
		mov	[ebp+var_EC], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	[ebp+var_D1], cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_100], ecx
		test	ecx, ecx
		jz	loc_4A774A
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_4A7579
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_100]

loc_4A7579:				; CODE XREF: MiObtainSystemCacheView+4DCj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		mov	al, 1
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		shl	al, cl
		cmp	[ebp+var_D1], 1
		jnz	loc_5BEF81
		or	[esi+1E4h], al

loc_4A75CC:				; CODE XREF: MiObtainSystemCacheView+6C2j
					; MiObtainSystemCacheView+117F00j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_EC], eax
		jz	short loc_4A7627
		test	edi, 8000h
		jz	short loc_4A75F3
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4A75F3:				; CODE XREF: MiObtainSystemCacheView+558j
		test	byte ptr [ebp+var_10C+2], 1
		jnz	loc_5BEF95

loc_4A7600:				; CODE XREF: MiObtainSystemCacheView+117F15j
		test	edi, 7FFFh
		jz	short loc_4A7617
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4A7617:				; CODE XREF: MiObtainSystemCacheView+576j
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5BEFAA

loc_4A7627:				; CODE XREF: MiObtainSystemCacheView+550j
					; MiObtainSystemCacheView+117F2Dj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jz	short loc_4A7653

loc_4A7640:				; CODE XREF: MiObtainSystemCacheView+456j
					; MiObtainSystemCacheView+5C9j	...
		mov	ecx, [ebp+var_F0]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		lea	edi, [ebx+18h]
		jmp	loc_4A72BB
; 

loc_4A7653:				; CODE XREF: MiObtainSystemCacheView+5AEj
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_4A7640
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_4A7640
; 

loc_4A7662:				; CODE XREF: MiObtainSystemCacheView+E3j
		test	ds:byte_70EFC6,	1
		jnz	loc_5BE64C
		mov	eax, [ebp+var_E8]
		test	eax, eax
		jnz	loc_5BE66A
		mov	edx, [ebp+var_E4]
		lea	eax, [ebp+var_E8]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_E8]
		cmp	eax, ecx
		jnz	loc_5BE65F

loc_4A769D:				; CODE XREF: MiObtainSystemCacheView+1175CAj
					; MiObtainSystemCacheView+1175EFj
		mov	cl, [ebp+var_D1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, large fs:124h
		mov	[ebp+var_F0], eax
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [esi+480h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_DC], eax
		call	ExAcquirePushLockExclusiveEx
		cmp	byte ptr [esi+0F50h], 0
		jnz	loc_5BE86C
		mov	ecx, esi
		call	_MiInitializeSystemCache@4 ; MiInitializeSystemCache(x)
		test	eax, eax
		jz	loc_5BE684

loc_4A76EE:				; CODE XREF: MiObtainSystemCacheView+117A09j
		mov	cl, 2
		call	ebx
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_D1], al
		mov	[ebp+var_E4], offset dword_6D2EA8
		mov	[ebp+var_E8], 0
		jnz	loc_5BEA9E
		lea	edx, [ebp+var_E8]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_5BEAB0

loc_4A7729:				; CODE XREF: MiObtainSystemCacheView+117A1Bj
					; MiObtainSystemCacheView+117A2Bj
		cmp	[ebp+var_F0], 0
		jz	loc_4A7179
		mov	byte ptr [esi+0F50h], 1
		jmp	loc_4A7179
; 

loc_4A7742:				; CODE XREF: MiObtainSystemCacheView+46Fj
					; MiObtainSystemCacheView+486j
		or	eax, 0FFFFFFFFh
		jmp	loc_4A7527
; 

loc_4A774A:				; CODE XREF: MiObtainSystemCacheView+4CAj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4A75CC
		jmp	loc_5BEF68
MiObtainSystemCacheView	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetPteLink(x, x)
_MiGetPteLink@8	proc near		; CODE XREF: MiReleaseSystemCacheView+107p
					; InsertTailListPte(x,x)+40p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, esi
		or	eax, edx
		jz	short loc_4A779C
		mov	eax, dword_6D0704
		push	edi
		mov	edi, dword_6D0700
		mov	ecx, edi
		or	ecx, eax
		jz	short loc_4A7792
		mov	ecx, esi
		and	ecx, 10h
		or	ecx, 0
		jnz	short loc_4A7792
		not	eax
		and	edx, eax

loc_4A7792:				; CODE XREF: MiGetPteLink(x,x)+22j
					; MiGetPteLink(x,x)+2Cj
		pop	edi
		mov	eax, edx
		xor	edx, edx
		pop	esi
		pop	ebp
		retn	8
; 

loc_4A779C:				; CODE XREF: MiGetPteLink(x,x)+10j
		xor	eax, eax
		xor	edx, edx
		pop	esi
		pop	ebp
		retn	8
_MiGetPteLink@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


CcGetVacbFromFreeList proc near		; CODE XREF: CcGetVacbMiss+69p
					; CcInitializePartitionVacbs+32p ...

arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005BEFC2 SIZE 00000050 BYTES

		mov	edi, edi
		push	esi
		xor	esi, esi
		push	edi
		test	dl, dl
		jnz	loc_5BEFC2
		mov	edx, offset _CcVacbFreeList
		mov	edi, offset _CcNumberOfFreeVacbs

loc_4A77BE:				; CODE XREF: CcGetVacbFromFreeList+117828j
		mov	eax, [edx]
		cmp	eax, edx
		jz	short loc_4A7816
		mov	edx, [eax]
		lea	esi, [eax-8]
		inc	_CcNumberOfMappedVacbs
		cmp	[edx+4], eax
		jnz	short loc_4A7820
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_4A7820
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	eax, [edi]
		cmp	eax, 1
		jb	loc_5BEFD3
		dec	eax
		mov	[edi], eax
		mov	eax, esi
		mov	ecx, [esi+10h]
		sub	eax, ecx
		sub	eax, 10h
		push	18h
		cdq
		pop	edi
		idiv	edi
		cmp	eax, [ecx+8]
		ja	short loc_4A781B

loc_4A7803:				; CODE XREF: CcGetVacbFromFreeList+78j
		cmp	dword ptr [esi], 0
		jnz	short loc_4A7812
		mov	ecx, [esi+10h]
		mov	ecx, [ecx]
		call	CcReferenceVacbArray

loc_4A7812:				; CODE XREF: CcGetVacbFromFreeList+60j
		or	dword ptr [esi+4], 0FFFFFFFFh

loc_4A7816:				; CODE XREF: CcGetVacbFromFreeList+1Cj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_4A781B:				; CODE XREF: CcGetVacbFromFreeList+5Bj
		mov	[ecx+8], eax
		jmp	short loc_4A7803
; 

loc_4A7820:				; CODE XREF: CcGetVacbFromFreeList+2Cj
					; CcGetVacbFromFreeList+33j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
CcGetVacbFromFreeList endp


;  S U B	R O U T	I N E 


CcReferenceVacbArray proc near		; CODE XREF: CcGetVacbFromFreeList+67p
					; CcGetFirstVacbArrayWithReference(x)+17p ...
		mov	eax, _CcVacbArrays
		xor	edx, edx
		mov	eax, [eax+ecx*4]
		test	eax, eax
		jz	short loc_4A7841
		mov	edx, eax
		inc	dword ptr [edx+4]
		cmp	[edx], ecx
		jnz	loc_5BEFE9

loc_4A7841:				; CODE XREF: CcReferenceVacbArray+Cj
		mov	eax, edx
		retn
CcReferenceVacbArray endp

; 
		align 10h
; Exported entry 234. CcSetFileSizesEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcSetFileSizesEx
CcSetFileSizesEx proc near		; CODE XREF: CcSetFileSizes(x,x)j

var_42		= byte ptr -42h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BF012 SIZE 0000016C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+50h+var_C]
		mov	[esp+50h+var_20], 0
		stosd
		mov	[esp+50h+var_1C], 0
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+50h+var_18]
		mov	[esp+50h+var_8], offset	_CcMasterLock
		stosd
		mov	[esp+50h+var_C], 0
		stosd
		stosd
		mov	eax, [ecx]
		mov	[esp+50h+var_28], eax
		mov	eax, [ecx+4]
		mov	[esp+50h+var_24], eax
		mov	eax, [ecx+8]
		mov	[esp+50h+var_30], eax
		mov	eax, [ecx+0Ch]
		mov	[esp+50h+var_2C], eax
		mov	eax, [ecx+10h]
		mov	[esp+50h+var_38], eax
		mov	eax, [ecx+14h]
		mov	[esp+50h+var_34], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[esp+50h+var_4], al
		jnz	loc_5BEFFF
		lea	edx, [esp+50h+var_C]
		mov	eax, offset _CcMasterLock
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4A7CD1

loc_4A78E6:				; CODE XREF: CcSetFileSizesEx+48Aj
					; CcGetVacbFromFreeList+117867j
		mov	ebx, [ebp+arg_0]
		mov	[esp+50h+var_41], 1
		mov	esi, [ebx+14h]
		mov	esi, [esi+4]
		test	esi, esi
		jz	loc_4A7D3D
		cmp	dword ptr [esi+6Ch], 0
		jz	loc_4A7D3D
		mov	ecx, esi
		call	CcGetPartition
		mov	[esp+50h+var_18], 0
		lea	edi, [eax+40h]
		mov	[esp+50h+var_14], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[esp+50h+var_10], al
		jnz	loc_5BF012
		lea	edx, [esp+50h+var_18]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_4A7CDF

loc_4A7941:				; CODE XREF: CcSetFileSizesEx+498j
					; CcSetFileSizesEx+1177CDj
		mov	eax, [esp+50h+var_24]
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		cmp	eax, [esi+1Ch]
		jl	short loc_4A7963
		jg	loc_4A7B7E
		mov	eax, [esp+50h+var_28]
		cmp	eax, [esi+18h]
		ja	loc_4A7B7E

loc_4A7963:				; CODE XREF: CcSetFileSizesEx+FEj
					; CcSetFileSizesEx+428j
		inc	dword ptr [esi+4]
		inc	dword ptr [esi+178h]
		cmp	[esp+50h+var_41], 0
		jz	loc_4A7A1A
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF0E2
		mov	eax, [esp+50h+var_18]
		test	eax, eax
		jnz	loc_4A7D04
		mov	edx, [esp+50h+var_14]
		lea	eax, [esp+50h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+50h+var_18]
		cmp	eax, ecx
		jnz	loc_4A7CFB

loc_4A79AA:				; CODE XREF: CcSetFileSizesEx+4C7j
					; CcSetFileSizesEx+11789Ej
		mov	cl, [esp+50h+var_10]
		call	ebx
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF0F3
		mov	eax, [esp+50h+var_C]
		test	eax, eax
		jnz	loc_4A7CB9
		mov	edx, [esp+50h+var_8]
		lea	eax, [esp+50h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+50h+var_C]
		cmp	eax, ecx
		jnz	loc_4A7CB0

loc_4A79E3:				; CODE XREF: CcSetFileSizesEx+47Cj
					; CcSetFileSizesEx+1178AFj
		mov	cl, [esp+50h+var_4]
		call	ebx
		mov	[esp+50h+var_14], edi
		mov	[esp+50h+var_18], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[esp+50h+var_10], al
		jnz	loc_5BF104
		lea	edx, [esp+50h+var_18]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_4A7CED

loc_4A7A1A:				; CODE XREF: CcSetFileSizesEx+121j
					; CcSetFileSizesEx+4A6j ...
		mov	ecx, [esi+20h]
		mov	eax, [esi+24h]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_4A7A2C
		cmp	eax, 7FFFFFFFh
		jz	short loc_4A7A50

loc_4A7A2C:				; CODE XREF: CcSetFileSizesEx+1D3j
		cmp	[esp+50h+var_2C], eax
		jg	short loc_4A7A42
		jl	loc_4A7B6B
		cmp	[esp+50h+var_30], ecx
		jb	loc_4A7B6B

loc_4A7A42:				; CODE XREF: CcSetFileSizesEx+1E0j
					; CcSetFileSizesEx+329j
		mov	eax, [esp+50h+var_38]
		mov	[esi+28h], eax
		mov	eax, [esp+50h+var_34]
		mov	[esi+2Ch], eax

loc_4A7A50:				; CODE XREF: CcSetFileSizesEx+1DAj
		mov	eax, [esp+50h+var_2C]
		mov	[esp+50h+var_40], 0
		cmp	eax, [esi+0Ch]
		jg	short loc_4A7A6C
		jl	short loc_4A7AC8
		mov	eax, [esp+50h+var_30]
		cmp	eax, [esi+8]
		jb	short loc_4A7AC8

loc_4A7A6C:				; CODE XREF: CcSetFileSizesEx+20Fj
					; CcSetFileSizesEx+284j ...
		mov	ecx, [esp+50h+var_30]
		mov	eax, [esp+50h+var_2C]
		mov	[esi+8], ecx
		push	ecx
		mov	ecx, esi
		mov	[esi+0Ch], eax
		call	CcDecrementOpenCount
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF131
		mov	eax, [esp+50h+var_18]
		test	eax, eax
		jnz	loc_4A7C98
		mov	edx, [esp+50h+var_14]
		lea	eax, [esp+50h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+50h+var_18]
		cmp	eax, ecx
		jnz	loc_4A7C8F

loc_4A7AB5:				; CODE XREF: CcSetFileSizesEx+45Bj
					; CcSetFileSizesEx+1178EDj
		mov	cl, [esp+50h+var_10]
		call	ebx
		mov	eax, [esp+50h+var_40]

loc_4A7ABF:				; CODE XREF: CcSetFileSizesEx+577j
					; CcSetFileSizesEx+117929j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4A7AC8:				; CODE XREF: CcSetFileSizesEx+211j
					; CcSetFileSizesEx+21Aj
		test	byte ptr [esi+60h], 4
		mov	[esp+50h+var_40], 0
		jnz	short loc_4A7A6C
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF114
		mov	eax, [esp+50h+var_18]
		test	eax, eax
		jnz	loc_4A7D25
		mov	edx, [esp+50h+var_14]
		lea	eax, [esp+50h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+50h+var_18]
		cmp	eax, ecx
		jnz	loc_4A7D1C

loc_4A7B09:				; CODE XREF: CcSetFileSizesEx+4E8j
					; CcSetFileSizesEx+1178D0j
		mov	cl, [esp+50h+var_10]
		call	ebx
		push	0
		push	0
		push	0
		push	0
		lea	edx, [esp+60h+var_30]
		mov	[esp+60h+var_40], 0
		mov	ecx, esi
		call	CcUnmapVacbArray
		test	al, al
		jz	short loc_4A7B5B
		mov	eax, [esp+50h+var_30]
		or	eax, [esp+50h+var_2C]
		jnz	short loc_4A7B4C
		cmp	[esi+68h], eax
		jnz	loc_4A7C83

loc_4A7B41:				; CODE XREF: CcSetFileSizesEx+43Aj
		lea	eax, [esi+10h]
		cmp	[eax], eax
		jnz	loc_5BF125

loc_4A7B4C:				; CODE XREF: CcSetFileSizesEx+2E6j
					; CcSetFileSizesEx+1178DCj
		lea	edx, [esp+50h+var_30]
		mov	ecx, esi
		call	CcPurgeAndClearCacheSection
		mov	[esp+50h+var_40], eax

loc_4A7B5B:				; CODE XREF: CcSetFileSizesEx+2DCj
		lea	edx, [esp+50h+var_18]
		mov	ecx, edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		jmp	loc_4A7A6C
; 

loc_4A7B6B:				; CODE XREF: CcSetFileSizesEx+1E2j
					; CcSetFileSizesEx+1ECj
		mov	eax, [esp+50h+var_30]
		mov	[esi+20h], eax
		mov	eax, [esp+50h+var_2C]
		mov	[esi+24h], eax
		jmp	loc_4A7A42
; 

loc_4A7B7E:				; CODE XREF: CcSetFileSizesEx+100j
					; CcSetFileSizesEx+10Dj
		inc	dword ptr [esi+4]
		inc	dword ptr [esi+178h]
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF022
		mov	eax, [esp+50h+var_18]
		test	eax, eax
		jnz	loc_4A7DCC
		mov	edx, [esp+50h+var_14]
		lea	eax, [esp+50h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+50h+var_18]
		cmp	eax, ecx
		jnz	loc_5BF033

loc_4A7BBA:				; CODE XREF: CcSetFileSizesEx+58Fj
					; CcSetFileSizesEx+1177DEj
		mov	cl, [esp+50h+var_10]
		call	ebx
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF041
		mov	eax, [esp+50h+var_C]
		test	eax, eax
		jnz	loc_4A7DE4
		mov	edx, [esp+50h+var_8]
		lea	eax, [esp+50h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+50h+var_C]
		cmp	eax, ecx
		jnz	loc_5BF052

loc_4A7BF3:				; CODE XREF: CcSetFileSizesEx+5A7j
					; CcSetFileSizesEx+1177FDj
		mov	cl, [esp+50h+var_4]
		call	ebx
		mov	ecx, [esp+50h+var_28]
		lea	edx, [esp+50h+var_28]
		mov	eax, [esp+50h+var_24]
		add	ecx, 0FFFFFh
		push	1
		adc	eax, 0
		mov	[esp+54h+var_41], 0
		and	ecx, 0FFF00000h
		mov	[esp+54h+var_24], eax
		mov	[esp+54h+var_28], ecx
		mov	ecx, [esi+6Ch]
		mov	[esp+54h+var_3C], eax
		call	MmExtendSection
		mov	[esp+50h+var_40], eax
		test	eax, eax
		js	loc_5BF060
		push	[esp+50h+var_24]
		mov	ecx, esi
		push	[esp+54h+var_28]
		call	CcExtendVacbArray
		mov	[esp+50h+var_40], eax

loc_4A7C4E:				; CODE XREF: CcSetFileSizesEx+117818j
					; CcSetFileSizesEx+117826j
		lea	edx, [esp+50h+var_18]
		mov	ecx, edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	ecx
		mov	ecx, esi
		call	CcDecrementOpenCount
		mov	esi, [esp+50h+var_40]
		test	esi, esi
		js	loc_5BF07B
		mov	esi, [ebp+arg_0]
		mov	esi, [esi+14h]
		mov	esi, [esi+4]
		test	esi, esi
		jnz	loc_4A7963
		jmp	loc_5BF08A
; 

loc_4A7C83:				; CODE XREF: CcSetFileSizesEx+2EBj
		mov	ecx, esi
		call	CcDeleteMbcb
		jmp	loc_4A7B41
; 

loc_4A7C8F:				; CODE XREF: CcSetFileSizesEx+25Fj
		lea	ecx, [esp+50h+var_18]
		call	KxWaitForLockChainValid

loc_4A7C98:				; CODE XREF: CcSetFileSizesEx+245j
		mov	[esp+50h+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A7AB5
; 

loc_4A7CB0:				; CODE XREF: CcSetFileSizesEx+18Dj
		lea	ecx, [esp+50h+var_C]
		call	KxWaitForLockChainValid

loc_4A7CB9:				; CODE XREF: CcSetFileSizesEx+173j
		mov	[esp+50h+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A79E3
; 

loc_4A7CD1:				; CODE XREF: CcSetFileSizesEx+90j
		lea	ecx, [esp+50h+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A78E6
; 

loc_4A7CDF:				; CODE XREF: CcSetFileSizesEx+EBj
		lea	ecx, [esp+50h+var_18]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A7941
; 

loc_4A7CED:				; CODE XREF: CcSetFileSizesEx+1C4j
		lea	ecx, [esp+50h+var_18]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A7A1A
; 

loc_4A7CFB:				; CODE XREF: CcSetFileSizesEx+154j
		lea	ecx, [esp+50h+var_18]
		call	KxWaitForLockChainValid

loc_4A7D04:				; CODE XREF: CcSetFileSizesEx+13Aj
		mov	[esp+50h+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A79AA
; 

loc_4A7D1C:				; CODE XREF: CcSetFileSizesEx+2B3j
		lea	ecx, [esp+50h+var_18]
		call	KxWaitForLockChainValid

loc_4A7D25:				; CODE XREF: CcSetFileSizesEx+299j
		mov	[esp+50h+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A7B09
; 

loc_4A7D3D:				; CODE XREF: CcSetFileSizesEx+A6j
					; CcSetFileSizesEx+B0j
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF142
		mov	eax, [esp+50h+var_C]
		test	eax, eax
		jnz	loc_5BF15C
		mov	edx, [esp+50h+var_8]
		lea	eax, [esp+50h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+50h+var_C]
		cmp	eax, ecx
		jnz	loc_5BF153

loc_4A7D70:				; CODE XREF: CcSetFileSizesEx+1178FEj
					; CcSetFileSizesEx+11791Fj
		mov	cl, [esp+50h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	[esp+50h+var_30], 0FFFh
		jnz	short loc_4A7DA9

loc_4A7D84:				; CODE XREF: CcSetFileSizesEx+575j
		push	0
		push	0
		lea	eax, [esp+58h+var_30]
		push	eax
		mov	eax, [ebx+14h]
		push	eax
		call	CcPurgeCacheSection
		test	al, al
		jz	loc_5BF174

loc_4A7D9E:				; CODE XREF: CcSetFileSizesEx+11788Dj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4A7DA9:				; CODE XREF: CcSetFileSizesEx+532j
		push	0
		lea	eax, [esp+54h+var_20]
		push	eax
		push	ecx
		mov	ecx, [ebx+14h]
		lea	edx, [esp+5Ch+var_30]
		push	1
		call	MmFlushSection
		mov	eax, [esp+50h+var_20]
		test	eax, eax
		jns	short loc_4A7D84
		jmp	loc_4A7ABF
; 

loc_4A7DCC:				; CODE XREF: CcSetFileSizesEx+34Aj
					; CcSetFileSizesEx+1177ECj
		mov	[esp+50h+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A7BBA
; 

loc_4A7DE4:				; CODE XREF: CcSetFileSizesEx+383j
					; CcSetFileSizesEx+11780Bj
		mov	[esp+50h+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A7BF3
CcSetFileSizesEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcDecrementOpenCount proc near		; CODE XREF: sub_439EF8+F1p
					; CcNotifyOfMappedWrite+FCp ...

; FUNCTION CHUNK AT 005BF17E SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		dec	dword ptr [esi+4]
		dec	dword ptr [esi+178h]
		cmp	dword ptr [esi+6Ch], 0
		mov	edi, [esi+174h]
		jz	short loc_4A7E58
		push	offset dword_6CF3C0
		call	ExAcquireSpinLockExclusive
		test	ds:byte_70EFC6,	1
		mov	bl, al
		jnz	loc_5BF17E
		mov	dword_6CF3C0, 0

loc_4A7E42:				; CODE XREF: CcDecrementOpenCount+11738Bj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, dword_6D4EA4
		cmp	edi, [eax+4]
		jnz	loc_5BF190

loc_4A7E58:				; CODE XREF: CcDecrementOpenCount+1Dj
		cmp	dword ptr [esi+4], 0
		jz	short loc_4A7E65

loc_4A7E5E:				; CODE XREF: CcDecrementOpenCount+86j
					; CcDecrementOpenCount+8Bj ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4A7E65:				; CODE XREF: CcDecrementOpenCount+5Cj
		mov	eax, [esi+174h]
		mov	byte ptr [eax+191h], 1
		mov	ecx, [esi+60h]
		mov	eax, [esi+4Ch]
		test	ecx, 10000h
		jnz	loc_5BF1A5
		test	eax, eax
		jnz	short loc_4A7E5E
		test	cl, 20h
		jnz	short loc_4A7E5E
		xor	bl, bl
		cmp	[esi+0B0h], eax
		jnz	short loc_4A7EAB

loc_4A7E97:				; CODE XREF: CcDecrementOpenCount+ADj
		mov	ecx, esi
		call	_CcInsertIntoDirtySharedCacheMapList@4 ; CcInsertIntoDirtySharedCacheMapList(x)
		push	0
		mov	dl, bl

loc_4A7EA2:				; CODE XREF: CcDecrementOpenCount+1173B4j
		mov	ecx, edi
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		jmp	short loc_4A7E5E
; 

loc_4A7EAB:				; CODE XREF: CcDecrementOpenCount+95j
		mov	bl, 1
		jmp	short loc_4A7E97
CcDecrementOpenCount endp

; 
		align 10h

CcSetDirtyInMask:			; CODE XREF: CcSetDirtyPinnedData+4B7p
					; CcMapAndCopyInToCache+548p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		xor	eax, eax
		mov	[esp+4Ch], edx
		push	ebx
		push	esi
		mov	[esp+58h], eax
		mov	ebx, ecx
		mov	[esp+5Ch], eax
		mov	[esp+60h], eax
		mov	eax, [edx]
		mov	ecx, eax
		add	ecx, [ebp+8]
		push	edi
		mov	edi, [edx+4]
		mov	[esp+14h], eax
		mov	eax, edi
		adc	eax, 0
		mov	[esp+3Ch], ecx
		sub	ecx, 1
		mov	[esp+44h], eax
		push	0
		sbb	eax, 0
		mov	[esp+3Ch], ebx
		push	1000000h
		push	eax
		push	ecx
		mov	dword ptr [esp+38h], 0
		mov	dword ptr [esp+50h], 0
		mov	dword ptr [esp+44h], 0
		mov	[esp+3Ch], edi
		mov	[esp+28h], ecx
		mov	[esp+2Ch], eax
		call	__alldiv
		push	0
		push	1000000h
		push	edi
		mov	edi, [esp+20h]
		mov	esi, eax
		push	edi
		mov	[esp+58h], edx
		call	__alldiv
		cmp	eax, esi
		jnz	loc_5BF3DA
		cmp	edx, [esp+48h]
		jnz	loc_5BF3DA
		test	dword ptr [ebx+60h], 40000000h
		jnz	loc_5BF1B9

loc_4A7F60:				; CODE XREF: .text:005BF1C6j
					; .text:005BF1D9j
		mov	eax, [esp+1Ch]
		shrd	dword ptr [esp+18h], eax, 0Ch
		mov	esi, [esp+2Ch]
		sar	eax, 0Ch
		push	0
		mov	[esp+20h], eax
		mov	eax, [ebx+1Ch]
		push	1000h
		shrd	edi, esi, 0Ch
		push	eax
		mov	eax, [ebx+18h]
		sar	esi, 0Ch
		push	eax
		mov	[esp+24h], edi
		mov	[esp+3Ch], esi
		call	__alldiv
		mov	ecx, eax
		cmp	edx, [esp+1Ch]
		jg	short loc_4A7FB0
		jl	loc_5BF3C5
		cmp	ecx, [esp+18h]
		jbe	loc_5BF3C5

loc_4A7FB0:				; CODE XREF: .text:004A7F9Ej
		cmp	dword ptr [ebx+6Ch], 0
		mov	eax, [ebx+174h]
		mov	[esp+20h], eax
		jz	short loc_4A803C
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	ecx, offset dword_6CF3C0
		mov	[esp+13h], al
		jnz	loc_5BF1DE
		mov	dword ptr [esp+44h], 0
		lock bts dword ptr [ecx], 1Fh
		jb	loc_4A857F

loc_4A7FF1:				; CODE XREF: .text:004A858Fj
		mov	edx, dword_6CF3C0
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5BF1E7

loc_4A8009:				; CODE XREF: .text:005BF22Bj
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF230
		mov	dword_6CF3C0, 0

loc_4A8020:				; CODE XREF: .text:005BF238j
		mov	cl, [esp+13h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, dword_6D4EA4
		mov	eax, [eax+4]
		cmp	[esp+20h], eax
		jnz	loc_5BF23D

loc_4A803C:				; CODE XREF: .text:004A7FBEj
		test	dword ptr [ebx+60h], 40000000h
		jnz	loc_5BF252
		lea	esp, [esp+0]

loc_4A8050:				; CODE XREF: .text:004A850Bj
					; .text:005BF28Cj
		cmp	dword ptr [ebx+1Ch], 0
		mov	[esp+54h], esi
		jl	short loc_4A806D
		jg	loc_4A83EF
		cmp	dword ptr [ebx+18h], 200000h
		ja	loc_4A83EF

loc_4A806D:				; CODE XREF: .text:004A8058j
					; .text:004A8405j
		lea	ecx, [ebx+0B4h]
		mov	dword ptr [esp+40h], 1
		push	0
		xor	edx, edx
		call	KeAbPreAcquire
		mov	cl, 1
		mov	[esp+3Ch], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	dl, al
		lea	ecx, [ebx+0B4h]
		mov	[esp+13h], dl
		lock btr dword ptr [ecx], 0
		jnb	loc_4A85D5

loc_4A80A7:				; CODE XREF: .text:004A85E8j
		mov	eax, [esp+3Ch]
		test	eax, eax
		jz	short loc_4A80B3
		or	byte ptr [eax+0Eh], 1

loc_4A80B3:				; CODE XREF: .text:004A80ADj
		mov	eax, large fs:124h
		mov	[ecx+4], eax
		movzx	eax, dl
		mov	[ecx+1Ch], eax
		mov	edx, [ebx+68h]
		mov	[esp+24h], edx
		test	edx, edx
		jz	loc_4A8556

loc_4A80D1:				; CODE XREF: .text:004A856Cj
		mov	ecx, [esp+18h]
		mov	eax, [esp+1Ch]
		cmp	edi, ecx
		jnz	loc_4A817D
		cmp	esi, eax
		jnz	loc_4A817D
		cmp	edi, [edx+20h]
		jnz	loc_4A817D
		cmp	esi, [edx+24h]
		jnz	loc_4A817D

loc_4A80FB:				; CODE XREF: .text:004A83EAj
					; .text:005BF25Dj
		mov	edx, [esp+58h]
		mov	ecx, 0
		mov	eax, [ebp+8]
		add	eax, [edx]
		adc	ecx, [edx+4]
		cmp	ecx, [ebx+2Ch]
		jl	short loc_4A812B
		jg	short loc_4A8118
		cmp	eax, [ebx+28h]
		jbe	short loc_4A812B

loc_4A8118:				; CODE XREF: .text:004A8111j
		test	dword ptr [ebx+60h], 40000000h
		mov	[ebx+28h], eax
		mov	[ebx+2Ch], ecx
		jnz	loc_5BF2D9

loc_4A812B:				; CODE XREF: .text:004A810Fj
					; .text:004A8116j
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

loc_4A8131:				; CODE XREF: .text:005BF366j
					; .text:005BF3C0j
		mov	al, [ebx+0D0h]
		add	ebx, 0B4h
		mov	[esp+13h], al
		mov	ecx, 1
		xor	eax, eax
		mov	dword ptr [ebx+4], 0
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jnz	loc_4A85C7

loc_4A815B:				; CODE XREF: .text:004A85D0j
		mov	cl, [esp+13h]
		call	esi
		mov	ecx, ebx
		call	KeAbPostRelease

loc_4A8168:				; CODE XREF: .text:005BF3BAj
		mov	edx, [esp+28h]
		test	edx, edx
		jnz	loc_4A840A

loc_4A8174:				; CODE XREF: .text:005BF1C0j
					; .text:005BF1D3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4A817D:				; CODE XREF: .text:004A80DBj
					; .text:004A80E3j ...
		test	eax, eax
		jl	short loc_4A8193
		jg	loc_4A841D
		cmp	ecx, 200h
		jnb	loc_4A841D

loc_4A8193:				; CODE XREF: .text:004A817Fj
					; .text:004A8425j
		mov	ecx, [esp+24h]
		lea	edx, [esp+28h]
		push	esi
		push	edi
		call	_CcFindBitmapRangeToDirty@16 ; CcFindBitmapRangeToDirty(x,x,x,x)
		mov	ecx, eax
		mov	[esp+30h], ecx
		test	ecx, ecx
		jz	loc_5BF297
		mov	eax, [ecx+0Ch]
		mov	edx, [ecx+8]
		mov	ecx, [ecx+10h]
		mov	[esp+3Ch], eax
		mov	[esp+54h], eax
		xor	eax, eax
		add	ecx, edx
		adc	eax, [esp+3Ch]
		cmp	esi, eax
		jg	short loc_4A81DB
		jl	loc_4A851D
		cmp	edi, ecx
		jb	loc_4A851D

loc_4A81DB:				; CODE XREF: .text:004A81CBj
					; .text:004A8528j
		mov	eax, [esp+30h]
		mov	[esp+48h], edi
		mov	ecx, [eax+14h]
		xor	eax, eax
		add	ecx, edx
		adc	eax, [esp+3Ch]
		cmp	[esp+1Ch], eax
		jl	short loc_4A8207
		mov	eax, [esp+18h]
		jg	short loc_4A81FE
		cmp	eax, ecx
		jbe	short loc_4A8207

loc_4A81FE:				; CODE XREF: .text:004A81F8j
		mov	ecx, [esp+30h]
		sub	eax, edx
		mov	[ecx+14h], eax

loc_4A8207:				; CODE XREF: .text:004A81F2j
					; .text:004A81FCj
		mov	eax, [esp+20h]
		add	eax, 40h
		mov	dword ptr [esp+5Ch], 0
		mov	[esp+60h], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[esp+64h], al
		jnz	loc_5BF262
		mov	ecx, [esp+20h]
		lea	edx, [esp+5Ch]
		lea	eax, [ecx+40h]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4A85B5

loc_4A8246:				; CODE XREF: .text:004A85C2j
		cmp	dword ptr [ebx+4Ch], 0
		jz	loc_4A852D

loc_4A8250:				; CODE XREF: .text:004A8531j
					; .text:004A8551j
		mov	eax, [esp+30h]
		mov	edi, 1
		mov	ecx, [esp+48h]
		mov	edx, ecx
		and	ecx, 1Fh
		shl	edi, cl
		sub	edx, [eax+8]
		mov	eax, [eax+1Ch]
		shr	edx, 5
		mov	[esp+3Ch], edi
		lea	edx, [eax+edx*4]
		cmp	esi, [esp+1Ch]
		jg	short loc_4A82C8
		mov	ecx, [esp+14h]
		jl	short loc_4A8286
		cmp	ecx, [esp+18h]
		ja	short loc_4A82C8

loc_4A8286:				; CODE XREF: .text:004A827Ej
		mov	ebx, [esp+1Ch]
		lea	ebx, [ebx+0]

loc_4A8290:				; CODE XREF: .text:004A82AEj
					; .text:004A82B6j
		mov	eax, [edx]
		test	eax, edi
		jnz	short loc_4A829E
		or	eax, edi
		inc	dword ptr [esp+34h]
		mov	[edx], eax

loc_4A829E:				; CODE XREF: .text:004A8294j
		add	edi, edi
		jz	loc_4A8510

loc_4A82A6:				; CODE XREF: .text:004A8518j
		add	ecx, 1
		adc	esi, 0
		cmp	esi, ebx
		jl	short loc_4A8290
		jg	short loc_4A82B8
		cmp	ecx, [esp+18h]
		jbe	short loc_4A8290

loc_4A82B8:				; CODE XREF: .text:004A82B0j
		mov	ebx, [esp+38h]
		mov	[esp+14h], ecx
		mov	[esp+2Ch], esi
		mov	[esp+3Ch], edi

loc_4A82C8:				; CODE XREF: .text:004A8278j
					; .text:004A8284j
		push	dword ptr [esp+34h]
		mov	edx, [esp+28h]
		mov	ecx, ebx
		push	dword ptr [esp+34h]
		call	CcChargeDirtyPages
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF277
		mov	eax, [esp+5Ch]
		test	eax, eax
		jnz	loc_4A859D
		mov	edx, [esp+60h]
		lea	eax, [esp+5Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+5Ch]
		cmp	eax, ecx
		jnz	loc_4A8594

loc_4A830E:				; CODE XREF: .text:004A85B0j
					; .text:005BF283j
		mov	cl, [esp+64h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	dword ptr [ebx+60h], 10000000h
		jz	loc_4A83D0
		mov	ecx, [esp+34h]
		test	ecx, ecx
		jz	loc_4A83D0
		mov	eax, [ebp+0Ch]
		test	eax, eax
		jz	loc_4A8571

loc_4A833C:				; CODE XREF: .text:004A857Aj
		mov	eax, [eax+150h]
		shl	ecx, 0Ch
		mov	[esp+48h], ecx
		mov	edx, [eax+3D0h]
		mov	[esp+50h], edx
		test	edx, edx
		jz	short loc_4A83D0
		mov	eax, ecx
		or	eax, 0
		jz	short loc_4A839A
		lea	eax, [edx+8]
		mov	edi, ecx
		mov	[esp+30h], eax

loc_4A8367:				; CODE XREF: .text:004A838Ej
					; .text:004A8394j
		mov	esi, [eax]
		mov	ebx, esi
		mov	edx, [eax+4]
		add	ebx, edi
		mov	ecx, edx
		mov	[esp+4Ch], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		mov	edi, [esp+30h]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [esp+48h]
		cmp	eax, esi
		mov	eax, [esp+30h]
		jnz	short loc_4A8367
		cmp	edx, [esp+4Ch]
		jnz	short loc_4A8367
		mov	edx, [esp+50h]

loc_4A839A:				; CODE XREF: .text:004A835Cj
		lea	edi, [edx+18h]
		lea	ecx, [ecx+0]

loc_4A83A0:				; CODE XREF: .text:004A83BCj
					; .text:004A83C2j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[esp+50h], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_4A83A0
		cmp	edx, [esp+50h]
		jnz	short loc_4A83A0
		mov	ebx, [esp+38h]
		mov	edi, [esp+3Ch]
		mov	esi, [esp+2Ch]

loc_4A83D0:				; CODE XREF: .text:004A831Fj
					; .text:004A832Bj ...
		test	edi, edi
		jz	loc_5BF288
		mov	ecx, [esp+24h]
		mov	eax, [esp+18h]
		mov	[ecx+20h], eax
		mov	eax, [esp+1Ch]
		mov	[ecx+24h], eax
		jmp	loc_4A80FB
; 

loc_4A83EF:				; CODE XREF: .text:004A805Aj
					; .text:004A8067j
		mov	ecx, offset _CcBitmapLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		test	eax, eax
		jz	loc_5BF291
		mov	[esp+28h], eax
		jmp	loc_4A806D
; 

loc_4A840A:				; CODE XREF: .text:004A816Ej
		mov	ecx, offset _CcBitmapLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4A841D:				; CODE XREF: .text:004A8181j
					; .text:004A818Dj
		mov	eax, 2F9h
		cmp	[edx], ax
		jz	loc_4A8193
		push	200h
		push	0
		push	dword ptr [esp+30h]
		call	_memset
		mov	eax, [esp+30h]
		add	esp, 0Ch
		cmp	dword ptr [eax+40h], 0
		jz	short loc_4A846A
		mov	esi, [eax+44h]
		mov	ecx, 10h
		mov	edi, [esp+28h]
		push	40h
		rep movsd
		mov	eax, [eax+44h]
		push	0
		push	eax
		call	_memset
		mov	eax, [esp+30h]
		add	esp, 0Ch

loc_4A846A:				; CODE XREF: .text:004A8446j
		mov	ecx, [esp+28h]
		lea	edx, [eax+48h]
		mov	[eax+44h], ecx
		lea	ecx, [eax+10h]
		mov	ebx, [ecx+4]
		mov	[esp+48h], ebx
		mov	dword ptr [esp+28h], 0
		cmp	[ebx], ecx
		mov	ebx, [esp+38h]
		jnz	loc_4A85ED
		mov	edi, [esp+48h]
		mov	[edx+4], edi
		mov	[edx], ecx
		mov	[edi], edx
		mov	[ecx+4], edx
		lea	edx, [eax+68h]
		mov	dword ptr [eax+50h], 0FFFFFFFFh
		mov	dword ptr [eax+54h], 7FFFFFFFh
		mov	dword ptr [eax+58h], 0FFFFFFFFh
		mov	edi, [ecx+4]
		mov	[esp+48h], edi
		cmp	[edi], ecx
		mov	edi, [esp+14h]
		jnz	loc_4A85ED
		mov	esi, [esp+48h]
		mov	[edx], ecx
		mov	[edx+4], esi
		mov	[esi], edx
		mov	[ecx+4], edx
		mov	ecx, 2F9h
		mov	[eax], cx
		lea	ecx, [ebx+0B4h]
		mov	dword ptr [eax+70h], 0FFFFFFFFh
		mov	dword ptr [eax+74h], 7FFFFFFFh
		mov	dword ptr [eax+78h], 0FFFFFFFFh
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	esi, [esp+2Ch]
		xor	eax, eax
		mov	[esp+40h], eax
		jmp	loc_4A8050
; 

loc_4A8510:				; CODE XREF: .text:004A82A0j
		add	edx, 4
		mov	edi, 1
		jmp	loc_4A82A6
; 

loc_4A851D:				; CODE XREF: .text:004A81CDj
					; .text:004A81D5j
		mov	ecx, [esp+30h]
		mov	eax, edi
		sub	eax, edx
		mov	[ecx+10h], eax
		jmp	loc_4A81DB
; 

loc_4A852D:				; CODE XREF: .text:004A824Aj
		test	byte ptr [ebx+60h], 2
		jnz	loc_4A8250
		push	0
		xor	dl, dl
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		mov	ecx, ebx
		call	_CcInsertIntoDirtySharedCacheMapList@4 ; CcInsertIntoDirtySharedCacheMapList(x)
		mov	eax, [esp+24h]
		mov	[eax+18h], edi
		mov	[eax+1Ch], esi
		jmp	loc_4A8250
; 

loc_4A8556:				; CODE XREF: .text:004A80CBj
		call	_CcAllocateInitializeMbcb@0 ; CcAllocateInitializeMbcb()
		mov	edx, eax
		mov	[esp+24h], eax
		test	edx, edx
		jz	loc_5BF297
		mov	[ebx+68h], edx
		jmp	loc_4A80D1
; 

loc_4A8571:				; CODE XREF: .text:004A8336j
		mov	eax, large fs:124h
		mov	[ebp+0Ch], eax
		jmp	loc_4A833C
; 

loc_4A857F:				; CODE XREF: .text:004A7FEBj
		mov	dl, al
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[esp+44h], eax
		mov	ecx, offset dword_6CF3C0
		jmp	loc_4A7FF1
; 

loc_4A8594:				; CODE XREF: .text:004A8308j
		lea	ecx, [esp+5Ch]
		call	KxWaitForLockChainValid

loc_4A859D:				; CODE XREF: .text:004A82EEj
		mov	dword ptr [esp+5Ch], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_4A830E
; 

loc_4A85B5:				; CODE XREF: .text:004A8240j
		lea	ecx, [esp+5Ch]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4A85BE:				; CODE XREF: .text:005BF272j
		mov	ecx, [esp+20h]
		jmp	loc_4A8246
; 

loc_4A85C7:				; CODE XREF: .text:004A8155j
		mov	edx, eax
		mov	ecx, ebx
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	loc_4A815B
; 

loc_4A85D5:				; CODE XREF: .text:004A80A1j
		mov	edx, [esp+3Ch]
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		mov	dl, [esp+13h]
		lea	ecx, [ebx+0B4h]
		jmp	loc_4A80A7
; 

loc_4A85ED:				; CODE XREF: .text:004A848Cj
					; .text:004A84C5j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 3 dup(0CCCCCCCCh)
; Exported entry 242. CcUninitializeCacheMap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcUninitializeCacheMap
CcUninitializeCacheMap proc near	; CODE XREF: CcPurgeCacheSection+E05FCp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005BF3F0 SIZE 00000229 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_2], 0
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_8], 0
		stosd
		xor	ebx, ebx
		mov	[ebp+var_1], 0
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_24]
		mov	[ebp+var_14], offset _CcMasterLock
		stosd
		mov	[ebp+var_18], ebx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_10], al
		jnz	loc_5BF3F0
		lea	edx, [ebp+var_18]
		mov	eax, offset _CcMasterLock
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4A89F2

loc_4A8666:				; CODE XREF: CcUninitializeCacheMap+3FAj
					; CcUninitializeCacheMap+116DFDj
		mov	edx, [ebp+arg_0]
		mov	esi, [edx+14h]
		mov	edi, [edx+18h]
		mov	esi, [esi+4]
		test	esi, esi
		jz	short loc_4A86CC
		mov	ecx, esi
		call	CcGetPartition
		mov	ebx, eax
		mov	eax, 1
		lock xadd [ebx+28Ch], eax
		inc	eax
		cmp	eax, 1
		jle	loc_5BF402

loc_4A8696:				; CODE XREF: CcUninitializeCacheMap+116E09j
		lea	eax, [ebx+40h]
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1C], al
		jnz	loc_5BF40E
		lea	edx, [ebp+var_24]
		lea	eax, [ebx+40h]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4A8AEA

loc_4A86C9:				; CODE XREF: CcUninitializeCacheMap+4F2j
					; CcUninitializeCacheMap+116E19j
		mov	edx, [ebp+arg_0]

loc_4A86CC:				; CODE XREF: CcUninitializeCacheMap+74j
		test	edi, edi
		jz	short loc_4A8727
		cmp	[edi+8], edx
		jnz	loc_5BF49C
		test	ebx, ebx
		jz	loc_5BF487
		cmp	dword ptr [edi+64h], 0
		jnz	loc_4A8A1B

loc_4A86EB:				; CODE XREF: CcUninitializeCacheMap+4C1j
					; CcUninitializeCacheMap+116E5Cj ...
		dec	dword ptr [esi+4]
		lea	eax, [edi+5Ch]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_5BF480
		cmp	[ecx], eax
		jnz	loc_5BF480
		lea	eax, [esi+0F8h]
		mov	[ecx], edx
		mov	[edx+4], ecx
		cmp	edi, eax
		jnz	short loc_4A871D
		xor	eax, eax
		mov	[edi], ax
		xor	edi, edi

loc_4A871D:				; CODE XREF: CcUninitializeCacheMap+114j
		mov	edx, [ebp+arg_0]
		mov	dword ptr [edx+18h], 0

loc_4A8727:				; CODE XREF: CcUninitializeCacheMap+CEj
		test	esi, esi
		jz	loc_4A8961
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	loc_4A888C

loc_4A873A:				; CODE XREF: CcUninitializeCacheMap+2A7j
					; CcUninitializeCacheMap+2B6j ...
		cmp	dword ptr [esi+4], 0
		jnz	loc_4A88BB
		lea	eax, [esi+90h]
		cmp	[eax], eax
		jnz	loc_5BF550
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	loc_4A8B54

loc_4A875D:				; CODE XREF: CcUninitializeCacheMap+569j
					; CcUninitializeCacheMap+573j
		mov	eax, [esi+60h]
		test	al, 4
		jnz	loc_4A884F
		test	ecx, ecx
		jnz	loc_4A884F

loc_4A8770:				; CODE XREF: CcUninitializeCacheMap+25Bj
					; CcUninitializeCacheMap+403j ...
		test	al, 20h
		jnz	short loc_4A877E
		mov	ecx, esi
		call	_CcInsertIntoDirtySharedCacheMapList@4 ; CcInsertIntoDirtySharedCacheMapList(x)
		mov	ecx, [ebp+arg_8]

loc_4A877E:				; CODE XREF: CcUninitializeCacheMap+172j
					; CcUninitializeCacheMap+251j
		cmp	byte ptr [ebx+28Ah], 0
		mov	byte ptr [ebx+191h], 1
		jnz	loc_5BF511
		test	ecx, ecx
		jnz	loc_5BF51F

loc_4A879A:				; CODE XREF: CcUninitializeCacheMap+116F23j
		xor	dl, dl

loc_4A879C:				; CODE XREF: CcUninitializeCacheMap+116F1Aj
					; CcUninitializeCacheMap+116F2Bj
		mov	byte ptr [ebp+arg_8], dl
		mov	ecx, ebx
		push	[ebp+arg_8]
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF530
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_4A8AFF
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jnz	loc_4A8AF7

loc_4A87D8:				; CODE XREF: CcUninitializeCacheMap+511j
					; CcUninitializeCacheMap+116F3Bj
		mov	cl, [ebp+var_1C]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF540
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_4A89DB
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_4A89D3

loc_4A8812:				; CODE XREF: CcUninitializeCacheMap+3EDj
					; CcUninitializeCacheMap+116F4Bj
		mov	cl, [ebp+var_10]
		call	esi
		mov	esi, [ebp+arg_0]

loc_4A881A:				; CODE XREF: CcUninitializeCacheMap+337j
					; CcUninitializeCacheMap+3BBj ...
		mov	al, [ebp+var_1]

loc_4A881D:				; CODE XREF: CcUninitializeCacheMap+28Aj
		test	edi, edi
		jnz	loc_4A893C

loc_4A8825:				; CODE XREF: CcUninitializeCacheMap+347j
		test	al, al
		jnz	loc_5BF601

loc_4A882D:				; CODE XREF: CcUninitializeCacheMap+11700Aj
		mov	edi, [ebp+var_8]
		test	edi, edi
		jnz	loc_4A8ACC

loc_4A8838:				; CODE XREF: CcUninitializeCacheMap+4E5j
		test	ebx, ebx
		jz	short loc_4A8843
		mov	ecx, ebx
		call	CcDereferencePartition

loc_4A8843:				; CODE XREF: CcUninitializeCacheMap+23Aj
		mov	al, [ebp+var_2]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4A884F:				; CODE XREF: CcUninitializeCacheMap+162j
					; CcUninitializeCacheMap+16Aj
		test	al, 20h
		jnz	loc_4A877E
		cmp	dword ptr [esi+4Ch], 0
		jnz	loc_4A8770
		test	eax, 400h
		jnz	loc_4A89FF

loc_4A886C:				; CODE XREF: CcUninitializeCacheMap+410j
		push	0
		push	0
		lea	eax, [ebp+var_24]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_18]
		call	CcDeleteSharedCacheMap
		mov	esi, [ebp+arg_0]
		xor	al, al
		mov	[ebp+var_2], 1
		mov	[ebp+var_1], al
		jmp	short loc_4A881D
; 

loc_4A888C:				; CODE XREF: CcUninitializeCacheMap+134j
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+arg_4], eax
		mov	eax, ecx
		or	eax, [ebp+arg_4]
		jz	loc_4A894C

loc_4A889F:				; CODE XREF: CcUninitializeCacheMap+352j
		lea	eax, [esi+90h]
		cmp	[eax], eax
		jnz	loc_4A873A
		mov	eax, [ebp+arg_4]
		mov	[esi+8], ecx
		mov	[esi+0Ch], eax
		jmp	loc_4A873A
; 

loc_4A88BB:				; CODE XREF: CcUninitializeCacheMap+13Ej
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	loc_5BF4B1

loc_4A88C6:				; CODE XREF: CcUninitializeCacheMap+116EC8j
					; CcUninitializeCacheMap+116EE2j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF4F1
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_4A8B3D
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jnz	loc_4A8B35

loc_4A88F5:				; CODE XREF: CcUninitializeCacheMap+54Fj
					; CcUninitializeCacheMap+116EFCj
		mov	cl, [ebp+var_1C]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF501
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_4A8B1E
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_4A8B16

loc_4A892F:				; CODE XREF: CcUninitializeCacheMap+530j
					; CcUninitializeCacheMap+116F0Cj
		mov	cl, [ebp+var_10]
		call	esi
		mov	esi, [ebp+arg_0]
		jmp	loc_4A881A
; 

loc_4A893C:				; CODE XREF: CcUninitializeCacheMap+21Fj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, [ebp+var_1]
		jmp	loc_4A8825
; 

loc_4A894C:				; CODE XREF: CcUninitializeCacheMap+299j
		mov	eax, [esi+8]
		or	eax, [esi+0Ch]
		jz	loc_4A889F
		or	dword ptr [esi+60h], 10h
		jmp	loc_4A873A
; 

loc_4A8961:				; CODE XREF: CcUninitializeCacheMap+129j
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_4A897B
		mov	eax, [esi]
		or	eax, [esi+4]
		jnz	short loc_4A897B
		mov	eax, [edx+14h]
		cmp	dword ptr [eax], 0
		jnz	loc_5BF565

loc_4A897B:				; CODE XREF: CcUninitializeCacheMap+366j
					; CcUninitializeCacheMap+36Dj
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF5E4
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_4A8B78
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_5BF5F4

loc_4A89AA:				; CODE XREF: CcUninitializeCacheMap+58Aj
					; CcUninitializeCacheMap+116FEFj
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+arg_0]

loc_4A89B6:				; CODE XREF: CcUninitializeCacheMap+116FCAj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_4A881A
		push	0
		push	0
		add	eax, 4
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4A881A
; 

loc_4A89D3:				; CODE XREF: CcUninitializeCacheMap+20Cj
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_4A89DB:				; CODE XREF: CcUninitializeCacheMap+1F5j
		mov	[ebp+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A8812
; 

loc_4A89F2:				; CODE XREF: CcUninitializeCacheMap+60j
		lea	ecx, [ebp+var_18]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A8666
; 

loc_4A89FF:				; CODE XREF: CcUninitializeCacheMap+266j
		cmp	dword ptr [esi+20h], 0FFFFFFFFh
		jnz	loc_4A8770
		cmp	dword ptr [esi+24h], 7FFFFFFFh
		jz	loc_4A886C
		jmp	loc_4A8770
; 

loc_4A8A1B:				; CODE XREF: CcUninitializeCacheMap+E5j
		test	ds:byte_70EFC6,	21h
		lea	ecx, [ebx+80h]
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_30], 0
		jnz	loc_5BF41E
		lea	eax, [ebp+var_30]
		xchg	eax, [ecx]
		test	eax, eax
		jnz	loc_5BF42D

loc_4A8A45:				; CODE XREF: CcUninitializeCacheMap+116E28j
					; CcUninitializeCacheMap+116E37j
		mov	eax, [edi+64h]
		test	eax, eax
		jz	short loc_4A8A98
		mov	ecx, [eax]
		inc	_CcDbgNumberOfNoopedReadAheads
		mov	[ebp+var_C], ecx
		mov	edx, [ebp+var_C]
		mov	ecx, [eax+4]
		mov	[ebp+var_8], eax
		cmp	[edx+4], eax
		jnz	loc_5BF480
		cmp	[ecx], eax
		jnz	loc_5BF480
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	edx, [ebp+arg_0]
		mov	dword ptr [eax+4], 0
		mov	dword ptr [eax], 0
		cmp	[eax+8], edx
		jnz	loc_5BF43C
		dec	dword ptr [esi+4]
		dec	dword ptr [esi+178h]

loc_4A8A98:				; CODE XREF: CcUninitializeCacheMap+44Aj
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF451
		mov	eax, [ebp+var_30]
		test	eax, eax
		jnz	loc_5BF469
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_30]
		cmp	eax, ecx
		jz	loc_4A86EB
		jmp	loc_5BF461
; 

loc_4A8ACC:				; CODE XREF: CcUninitializeCacheMap+232j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	ecx, [edi+0Ch]
		test	ecx, ecx
		jnz	loc_5BF60F

loc_4A8ADE:				; CODE XREF: CcUninitializeCacheMap+117014j
		mov	ecx, edi
		call	_CcFreeWorkQueueEntry@4	; CcFreeWorkQueueEntry(x)
		jmp	loc_4A8838
; 

loc_4A8AEA:				; CODE XREF: CcUninitializeCacheMap+C3j
		lea	ecx, [ebp+var_24]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A86C9
; 

loc_4A8AF7:				; CODE XREF: CcUninitializeCacheMap+1D2j
		lea	ecx, [ebp+var_24]
		call	KxWaitForLockChainValid

loc_4A8AFF:				; CODE XREF: CcUninitializeCacheMap+1BBj
		mov	[ebp+var_24], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A87D8
; 

loc_4A8B16:				; CODE XREF: CcUninitializeCacheMap+329j
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_4A8B1E:				; CODE XREF: CcUninitializeCacheMap+312j
		mov	[ebp+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A892F
; 

loc_4A8B35:				; CODE XREF: CcUninitializeCacheMap+2EFj
		lea	ecx, [ebp+var_24]
		call	KxWaitForLockChainValid

loc_4A8B3D:				; CODE XREF: CcUninitializeCacheMap+2D8j
		mov	[ebp+var_24], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A88F5
; 

loc_4A8B54:				; CODE XREF: CcUninitializeCacheMap+157j
		mov	eax, [esi+0B0h]
		mov	[ecx], eax
		mov	[esi+0B0h], ecx
		mov	eax, [edx+4]
		test	byte ptr [eax+20h], 10h
		jz	loc_4A875D
		mov	[ebp+var_1], 1
		jmp	loc_4A875D
; 

loc_4A8B78:				; CODE XREF: CcUninitializeCacheMap+38Dj
					; CcUninitializeCacheMap+116FFCj
		mov	[ebp+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A89AA
CcUninitializeCacheMap endp

; 
		align 10h

;  S U B	R O U T	I N E 


CcDereferencePartition proc near	; CODE XREF: CcCachemapUninitWorkerThread+149p
					; CcWorkerThread+30Fp ...

; FUNCTION CHUNK AT 005BF619 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebx
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+28Ch], eax
		dec	eax
		test	eax, eax
		jle	loc_5BF619

loc_4A8BA7:				; CODE XREF: CcDereferencePartition+116AA7j
		xor	bl, bl

loc_4A8BA9:				; CODE XREF: CcDereferencePartition+116A9Dj
		mov	al, bl
		pop	ebx
		retn
CcDereferencePartition endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 238. CcSetParallelFlushFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcSetParallelFlushFile
CcSetParallelFlushFile proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005BF63C SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+14h]
		mov	edi, [eax+4]
		mov	ecx, edi
		call	CcGetPartition
		and	[ebp+var_C], 0
		lea	esi, [eax+40h]
		mov	[ebp+var_8], esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_4], al
		jnz	loc_5BF63C
		lea	edx, [ebp+var_C]
		xchg	edx, [esi]
		test	edx, edx
		jnz	short loc_4A8C45

loc_4A8BFD:				; CODE XREF: CcSetParallelFlushFile+9Bj
					; CcSetParallelFlushFile+116A94j
		cmp	[ebp+arg_4], 0
		lea	ecx, [edi+60h]
		mov	eax, [ecx]
		pop	edi
		pop	esi
		jz	short loc_4A8C69
		or	eax, 40000h

loc_4A8C0F:				; CODE XREF: CcSetParallelFlushFile+BCj
		mov	[ecx], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF64B
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_4A8C57
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_4A8C4F

loc_4A8C38:				; CODE XREF: CcSetParallelFlushFile+B5j
					; CcSetParallelFlushFile+116AA4j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn	8
; 

loc_4A8C45:				; CODE XREF: CcSetParallelFlushFile+49j
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_4A8BFD
; 

loc_4A8C4F:				; CODE XREF: CcSetParallelFlushFile+84j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_4A8C57:				; CODE XREF: CcSetParallelFlushFile+71j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4A8C38
; 

loc_4A8C69:				; CODE XREF: CcSetParallelFlushFile+56j
		and	eax, 0FFFBFFFFh
		jmp	short loc_4A8C0F
CcSetParallelFlushFile endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 229. CcSetAdditionalCacheAttributesEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcSetAdditionalCacheAttributesEx
CcSetAdditionalCacheAttributesEx proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BF65B SIZE 0000006C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		mov	esi, [ecx+14h]
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		mov	esi, [esi+4]
		cmp	dword ptr [esi+4], 0
		jbe	loc_5BF6A2
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	edx, ebx
		mov	eax, ebx
		shr	edx, 1
		shr	eax, 2
		and	dl, 1
		and	al, 1
		test	dword ptr [esi+60h], 2000h
		jnz	short loc_4A8CC8
		push	eax
		push	edx
		push	ecx
		call	CcSetAdditionalCacheAttributes

loc_4A8CC8:				; CODE XREF: CcSetAdditionalCacheAttributesEx+3Ej
		mov	ecx, esi
		call	CcGetPartition
		mov	[ebp+var_C], 0
		lea	edi, [eax+40h]
		mov	[ebp+var_8], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_4], al
		jnz	loc_5BF65B
		lea	edx, [ebp+var_C]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_4A8D9B

loc_4A8CFF:				; CODE XREF: CcSetAdditionalCacheAttributesEx+123j
					; CcSetAdditionalCacheAttributesEx+1169E5j
		mov	eax, [esi+60h]
		test	bl, 1
		jnz	loc_4A8DC4
		and	eax, 0FF7FFFFFh

loc_4A8D10:				; CODE XREF: CcSetAdditionalCacheAttributesEx+149j
		mov	[esi+60h], eax
		test	bl, 8
		jnz	loc_5BF66A
		test	eax, 4000000h
		jnz	loc_5BF674

loc_4A8D27:				; CODE XREF: CcSetAdditionalCacheAttributesEx+1169F9j
		and	eax, 0FBFFFFFFh

loc_4A8D2C:				; CODE XREF: CcSetAdditionalCacheAttributesEx+1169EFj
		test	bl, 10h
		jz	loc_5BF67E
		or	eax, 10000000h

loc_4A8D3A:				; CODE XREF: CcSetAdditionalCacheAttributesEx+116A03j
		mov	[esi+60h], eax
		test	bl, 20h
		jnz	loc_4A8DCE
		and	eax, 0F7FFFFFFh

loc_4A8D4B:				; CODE XREF: CcSetAdditionalCacheAttributesEx+153j
		test	ebx, 10000000h
		mov	[esi+60h], eax
		pop	ebx
		jnz	loc_5BF688
		and	eax, 0FFFFEFFFh

loc_4A8D60:				; CODE XREF: CcSetAdditionalCacheAttributesEx+116A0Dj
		mov	[esi+60h], eax
		test	ds:byte_70EFC6,	1
		pop	edi
		pop	esi
		jnz	loc_5BF692
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_4A8DB0
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_4A8DA8

loc_4A8D8C:				; CODE XREF: CcSetAdditionalCacheAttributesEx+142j
					; CcSetAdditionalCacheAttributesEx+116A1Dj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4A8D9B:				; CODE XREF: CcSetAdditionalCacheAttributesEx+79j
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A8CFF
; 

loc_4A8DA8:				; CODE XREF: CcSetAdditionalCacheAttributesEx+10Aj
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_4A8DB0:				; CODE XREF: CcSetAdditionalCacheAttributesEx+F7j
		mov	[ebp+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4A8D8C
; 

loc_4A8DC4:				; CODE XREF: CcSetAdditionalCacheAttributesEx+85j
		or	eax, (offset loc_7FFFFF+1)
		jmp	loc_4A8D10
; 

loc_4A8DCE:				; CODE XREF: CcSetAdditionalCacheAttributesEx+C0j
		or	eax, 8000000h
		jmp	loc_4A8D4B
CcSetAdditionalCacheAttributesEx endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 228. CcSetAdditionalCacheAttributes

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcSetAdditionalCacheAttributes
CcSetAdditionalCacheAttributes proc near ; CODE	XREF: CcSetAdditionalCacheAttributesEx+43p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005BF6C7 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		xor	ebx, ebx
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+14h]
		mov	edi, [eax+4]
		cmp	[edi+4], ebx
		jbe	loc_5BF6D7
		mov	ecx, edi
		call	CcGetPartition
		mov	[ebp+var_C], ebx
		lea	esi, [eax+40h]
		mov	[ebp+var_8], esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_4], al
		jnz	loc_5BF6B8
		lea	edx, [ebp+var_C]
		xchg	edx, [esi]
		test	edx, edx
		jnz	short loc_4A8E84

loc_4A8E34:				; CODE XREF: CcSetAdditionalCacheAttributes+AEj
					; CcSetAdditionalCacheAttributesEx+116A42j
		mov	eax, [edi+60h]
		xor	esi, esi
		inc	esi
		cmp	[ebp+arg_4], bl
		jnz	short loc_4A8EA1
		and	eax, 0FFFFFFFEh

loc_4A8E42:				; CODE XREF: CcSetAdditionalCacheAttributes+C5j
		cmp	[ebp+arg_8], bl
		jnz	short loc_4A8EA5
		and	eax, 0FFFFFFFDh

loc_4A8E4A:				; CODE XREF: CcSetAdditionalCacheAttributes+CCj
		mov	[edi+60h], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF6C7
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_4A8E96
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_4A8E8E

loc_4A8E74:				; CODE XREF: CcSetAdditionalCacheAttributes+C1j
					; CcSetAdditionalCacheAttributes+1168F4j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4A8E84:				; CODE XREF: CcSetAdditionalCacheAttributes+54j
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_4A8E34
; 

loc_4A8E8E:				; CODE XREF: CcSetAdditionalCacheAttributes+94j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_4A8E96:				; CODE XREF: CcSetAdditionalCacheAttributes+81j
		mov	[ebp+var_C], ebx
		add	eax, 4
		lock xor [eax],	esi
		jmp	short loc_4A8E74
; 

loc_4A8EA1:				; CODE XREF: CcSetAdditionalCacheAttributes+5Fj
		or	eax, esi
		jmp	short loc_4A8E42
; 

loc_4A8EA5:				; CODE XREF: CcSetAdditionalCacheAttributes+67j
		or	eax, 202h
		jmp	short loc_4A8E4A
CcSetAdditionalCacheAttributes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcChargeDirtyPages proc	near		; CODE XREF: CcSetDirtyPinnedData+3B8p
					; .text:004A82D6p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005BF6F5 SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		test	edi, edi
		jz	loc_5BF6E8
		call	CcGetPartition
		mov	esi, eax

loc_4A8EC8:				; CODE XREF: CcSetAdditionalCacheAttributes+116912j
		mov	edx, [ebp+arg_4]
		add	[esi+198h], edx
		test	ebx, ebx
		jz	short loc_4A8ED8
		add	[ebx+8], edx

loc_4A8ED8:				; CODE XREF: CcChargeDirtyPages+27j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_4A8EE2
		add	[eax+18h], edx

loc_4A8EE2:				; CODE XREF: CcChargeDirtyPages+31j
		test	edi, edi
		jz	short loc_4A8F01
		mov	eax, [edi+164h]
		mov	ecx, edx
		add	[edi+4Ch], edx
		add	eax, 14h
		lock xadd [eax], ecx
		test	dword ptr [edi+60h], 1000000h
		jnz	short loc_4A8F29

loc_4A8F01:				; CODE XREF: CcChargeDirtyPages+38j
					; CcChargeDirtyPages+9Bj ...
		xor	ebx, ebx
		cmp	[esi+288h], bl
		jnz	loc_5BF6F5

loc_4A8F0F:				; CODE XREF: CcChargeDirtyPages+116853j
					; CcChargeDirtyPages+116863j
		cmp	[esi+48h], bl
		jnz	loc_5BF714

loc_4A8F18:				; CODE XREF: CcChargeDirtyPages+116875j
		xor	dl, dl
		mov	ecx, esi
		call	CcAdjustWriteBehindThreadPoolIfNeeded
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_4A8F29:				; CODE XREF: CcChargeDirtyPages+53j
		mov	eax, [edi+98h]
		add	eax, 0Ch
		lock xadd [eax], edx
		mov	ecx, [edi+98h]
		add	ecx, 58h
		mov	eax, [ecx]
		and	eax, [ecx+4]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_4A8F01
		push	ecx
		call	KeQueryTickCount
		jmp	short loc_4A8F01
CcChargeDirtyPages endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcAdjustWriteBehindThreadPoolIfNeeded proc near	; CODE XREF: CcChargeDirtyPages+70p
					; CcQueueLazyWriteScanThread+FFp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005BF726 SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		xor	bh, bh
		mov	bl, dl
		stosd
		mov	esi, ecx
		stosd
		stosd
		cmp	byte ptr ds:dword_7051D4, bh
		jnz	loc_4A9045
		lea	edi, [esi+80h]
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_4], al
		jnz	loc_5BF726
		lea	edx, [ebp+var_C]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_4A907C

loc_4A8FB8:				; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+124j
					; CcAdjustWriteBehindThreadPoolIfNeeded+1167D0j
		cmp	dword ptr [esi+0E0h], 0
		ja	loc_5BF735
		cmp	dword ptr [esi+198h], 2000h
		ja	short loc_4A904C
		test	bl, bl
		jnz	short loc_4A904C
		cmp	dword ptr [esi+0ECh], 0
		jnz	short loc_4A9011
		cmp	dword ptr [esi+0D4h], 0
		jnz	short loc_4A9011
		lea	eax, [esi+0A4h]
		cmp	[eax], eax
		jnz	short loc_4A9011
		lea	eax, [esi+0B4h]
		cmp	[eax], eax
		jnz	short loc_4A9011
		mov	dword ptr [esi+284h], 1
		cmp	[esi+200h], bl
		jnz	loc_5BF757

loc_4A9011:				; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+7Cj
					; CcAdjustWriteBehindThreadPoolIfNeeded+85j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF763
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_4A9091
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_4A9089

loc_4A9038:				; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+143j
					; CcAdjustWriteBehindThreadPoolIfNeeded+11680Ej
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bh, bh
		jnz	short loc_4A9067

loc_4A9045:				; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+1Fj
					; CcAdjustWriteBehindThreadPoolIfNeeded+10Fj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4A904C:				; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+6Fj
					; CcAdjustWriteBehindThreadPoolIfNeeded+73j
		mov	eax, [esi+284h]
		cmp	eax, [esi+84h]
		jnb	short loc_4A9011
		xor	dl, dl
		mov	ecx, esi
		call	CcAdjustWriteBehindThreadPool
		mov	bh, 1
		jmp	short loc_4A9011
; 

loc_4A9067:				; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+E3j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_4A9045
		xor	edx, edx
		mov	ecx, esi
		call	CcBoostLowPriorityWorkerThread
		jmp	short loc_4A9045
; 

loc_4A907C:				; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+52j
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A8FB8
; 

loc_4A9089:				; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+D6j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_4A9091:				; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+C3j
		mov	[ebp+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4A9038
CcAdjustWriteBehindThreadPoolIfNeeded endp

; 
		align 10h
; Exported entry 208. CcInitializeCacheMapEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcInitializeCacheMapEx
CcInitializeCacheMapEx proc near	; CODE XREF: CcInitializeCacheMap(x,x,x,x,x)+16p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_76		= byte ptr -76h
var_75		= byte ptr -75h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= byte ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005BF773 SIZE 00000A52 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		lea	edi, [esp+88h+var_30]
		mov	[esp+88h+var_60], 0
		mov	eax, [ebx+80h]
		mov	[esp+88h+var_58], eax
		xor	eax, eax
		stosd
		mov	[esp+88h+var_6C], 0
		mov	[esp+88h+var_54], 0
		mov	[esp+88h+var_64], 0
		stosd
		mov	[esp+88h+var_4C], ebx
		mov	[esp+88h+var_70], 0
		mov	[esp+88h+var_74], 0
		stosd
		xor	eax, eax
		cmp	_CcDbgDisableDAX, 0
		lea	edi, [esp+88h+var_3C]
		stosd
		mov	[esp+88h+var_68], 0
		mov	[esp+88h+var_75], 0
		stosd
		stosd
		mov	eax, [ebp+arg_14]
		jnz	loc_5BF773

loc_4A9132:				; CODE XREF: CcInitializeCacheMapEx+1166C6j
		mov	ecx, [ebp+arg_4]
		mov	[esp+88h+var_5C], eax
		mov	eax, [ecx+8]
		mov	esi, [ecx]
		mov	edx, [ecx+4]
		mov	[esp+88h+var_10], eax
		mov	eax, [ecx+0Ch]
		mov	[esp+88h+var_C], eax
		mov	eax, [ecx+10h]
		mov	[esp+88h+var_8], eax
		mov	eax, [ecx+14h]
		mov	[esp+88h+var_4], eax
		mov	eax, esi
		or	eax, edx
		mov	[esp+88h+var_14], edx
		jz	loc_4A9B01

loc_4A916E:				; CODE XREF: CcInitializeCacheMapEx+A56j
		mov	edi, [ebx+58h]
		mov	ebx, [ebp+arg_0]
		and	edi, 400h
		mov	edx, [esp+88h+var_14]
		mov	[esp+88h+var_50], edi
		cmp	byte ptr [ebx+27h], 0
		jnz	loc_4A95D4
		add	esi, 3FFFFh
		adc	edx, 0
		and	esi, 0FFFC0000h
		mov	[esp+88h+var_44], edx

loc_4A919F:				; CODE XREF: CcInitializeCacheMapEx+537j
		mov	eax, [ebx+14h]
		mov	[esp+88h+var_18], esi
		mov	[esp+88h+var_14], edx
		cmp	dword ptr [eax+4], 0
		jz	loc_4A96B7

loc_4A91B4:				; CODE XREF: CcInitializeCacheMapEx+791j
		mov	[esp+88h+var_2C], offset _CcMasterLock
		mov	[esp+88h+var_30], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[esp+88h+var_28], al
		jnz	loc_5BF77B
		lea	edx, [esp+88h+var_30]
		mov	eax, offset _CcMasterLock
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4A9B5B

loc_4A91EE:				; CODE XREF: CcInitializeCacheMapEx+AB4j
					; CcInitializeCacheMapEx+1166D9j
		cmp	dword ptr [ebx+18h], 0
		jnz	loc_5C0152
		mov	esi, [ebx+14h]
		mov	esi, [esi+4]
		test	esi, esi
		jz	loc_4A95EC
		mov	ecx, esi
		call	CcGetPartition
		push	0
		mov	edx, 8
		mov	[esp+8Ch+var_74], eax
		mov	ecx, ebx
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		mov	ecx, [esp+88h+var_74]
		test	eax, eax
		jnz	loc_5BF8EE

loc_4A922B:				; CODE XREF: CcInitializeCacheMapEx+116843j
		add	ecx, 40h
		mov	[esp+88h+var_3C], 0
		test	ds:byte_70EFC6,	21h
		mov	[esp+88h+var_38], ecx
		jnz	loc_5BFA13
		lea	edx, [esp+88h+var_3C]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	loc_4A9BE8

loc_4A9255:				; CODE XREF: CcInitializeCacheMapEx+B41j
					; CcInitializeCacheMapEx+11696Ej
		test	byte ptr [ebx+2Ch], 20h
		jnz	short loc_4A925F
		and	dword ptr [esi+60h], 0FFFFFFBFh

loc_4A925F:				; CODE XREF: CcInitializeCacheMapEx+1A9j
		mov	eax, [esi+60h]
		test	eax, 200000h
		jz	short loc_4A9271
		test	edi, edi
		jnz	loc_4A9C54

loc_4A9271:				; CODE XREF: CcInitializeCacheMapEx+1B7j
					; CcInitializeCacheMapEx+BACj
		mov	eax, [esp+88h+var_58]
		mov	eax, [eax+1DCh]
		test	eax, eax
		jz	short loc_4A9285
		mov	[esi+168h], eax

loc_4A9285:				; CODE XREF: CcInitializeCacheMapEx+1CDj
		test	ds:byte_70EFC6,	1
		jnz	loc_5BFA23
		mov	eax, [esp+88h+var_3C]
		test	eax, eax
		jnz	loc_4A969F
		mov	edx, [esp+88h+var_38]
		lea	eax, [esp+88h+var_3C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_3C]
		cmp	eax, ecx
		jnz	loc_4A9696

loc_4A92B8:				; CODE XREF: CcInitializeCacheMapEx+5E0j
					; CcInitializeCacheMapEx+602j ...
		mov	ecx, esi
		call	CcGetPartition
		mov	[esp+88h+var_74], eax
		mov	[esp+88h+var_3C], 0
		lea	edi, [eax+40h]
		mov	[esp+88h+var_38], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [esp+88h+var_34], al
		jnz	loc_5BFA34
		lea	edx, [esp+88h+var_3C]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_4A9BDA

loc_4A92F7:				; CODE XREF: CcInitializeCacheMapEx+B33j
					; CcInitializeCacheMapEx+11698Fj
		cmp	_KdDebuggerEnabled, 0
		jnz	loc_5BFA44

loc_4A9304:				; CODE XREF: CcInitializeCacheMapEx+11699Bj
					; CcInitializeCacheMapEx+1169A8j ...
		mov	eax, [esi+60h]
		and	eax, 0FFFFFFEFh
		mov	ecx, eax
		mov	[esi+60h], eax
		and	ecx, 100h
		cmp	dword ptr [esi+40h], 0
		jz	loc_4A9846
		test	ecx, ecx
		jnz	loc_5BFCA0
		inc	dword ptr [esi+4]
		test	ds:byte_70EFC6,	1
		jnz	loc_5BFE71
		mov	eax, [esp+88h+var_3C]
		test	eax, eax
		jnz	loc_4A9C99
		mov	edx, [esp+88h+var_38]
		lea	eax, [esp+88h+var_3C]
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_3C]
		cmp	eax, ecx
		jnz	loc_4A9C90

loc_4A935B:				; CODE XREF: CcInitializeCacheMapEx+BFCj
					; CcInitializeCacheMapEx+116DCDj
		mov	cl, byte ptr [esp+88h+var_34]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		test	ds:byte_70EFC6,	1
		jnz	loc_5BFE82
		mov	eax, [esp+88h+var_30]
		test	eax, eax
		jnz	loc_4A9B22
		mov	edx, [esp+88h+var_2C]
		lea	eax, [esp+88h+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_30]
		cmp	eax, ecx
		jnz	loc_4A9B19

loc_4A939A:				; CODE XREF: CcInitializeCacheMapEx+943j
					; CcInitializeCacheMapEx+A85j ...
		mov	cl, [esp+88h+var_28]
		call	edi

loc_4A93A0:				; CODE XREF: CcInitializeCacheMapEx+116D98j
		mov	eax, [esp+88h+var_6C]
		test	eax, eax
		jnz	loc_5BFE93

loc_4A93AC:				; CODE XREF: CcInitializeCacheMapEx+116DF6j
		cmp	word ptr [esi+0F8h], 0
		lea	edi, [esi+0F8h]
		jnz	loc_4A9ADF

loc_4A93C0:				; CODE XREF: CcInitializeCacheMapEx+A46j
		mov	[esp+88h+var_5C], 1
		mov	[esp+88h+var_2C], offset _CcMasterLock
		mov	[esp+88h+var_30], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[esp+88h+var_28], al
		jnz	loc_5BFEAB
		lea	edx, [esp+88h+var_30]
		mov	eax, offset _CcMasterLock
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4A9B0B

loc_4A9402:				; CODE XREF: CcInitializeCacheMapEx+A64j
					; CcInitializeCacheMapEx+116E09j
		mov	eax, [esp+88h+var_74]
		add	eax, 40h
		mov	[esp+88h+var_3C], 0
		mov	[esp+88h+var_38], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [esp+88h+var_34], al
		jnz	loc_5BFEBE
		mov	eax, [esp+88h+var_74]
		lea	edx, [esp+88h+var_3C]
		add	eax, 40h
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4A9B69

loc_4A9441:				; CODE XREF: CcInitializeCacheMapEx+AC2j
					; CcInitializeCacheMapEx+116E1Ej
		cmp	dword ptr [ebx+18h], 0
		jnz	loc_5C00B0
		cmp	word ptr [edi],	0
		jnz	loc_4A9AC4

loc_4A9455:				; CODE XREF: CcInitializeCacheMapEx+A2Aj
		push	68h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [esp+94h+var_4C]
		add	esp, 0Ch
		mov	eax, 2FEh
		mov	[edi+8], ebx
		mov	[edi], ax
		mov	dword ptr [edi+4], 0FFFh
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)
		movzx	eax, al
		lea	ecx, [esi+90h]
		shl	eax, 12h
		xor	eax, [edi]
		and	eax, 1C0000h
		mov	dword ptr [edi+50h], 0
		xor	[edi], eax
		lea	eax, [edi+5Ch]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_5C0057
		mov	[eax+4], edx
		mov	[eax], ecx
		mov	[edx], eax
		mov	edx, [esp+88h+var_74]
		mov	[ecx+4], eax
		mov	eax, 1
		mov	[ebx+18h], edi

loc_4A94BD:				; CODE XREF: CcInitializeCacheMapEx+116EF1j
		mov	edi, eax
		mov	ebx, eax
		test	esi, esi
		jz	short loc_4A9514
		test	eax, eax
		jz	loc_5C005E

loc_4A94CD:				; CODE XREF: CcInitializeCacheMapEx+116FC8j
		mov	ebx, edi
		test	edx, edx
		jz	short loc_4A94DB
		test	edi, edi
		jz	loc_5C007D

loc_4A94DB:				; CODE XREF: CcInitializeCacheMapEx+421j
					; CcInitializeCacheMapEx+116FDEj
		cmp	[esp+88h+var_54], 0
		jnz	short loc_4A94F5
		cmp	dword ptr [esi+4Ch], 0
		jnz	short loc_4A94F5
		cmp	dword ptr [esi+4], 0
		jz	short loc_4A94F5
		mov	ecx, esi
		call	CcInsertIntoCleanSharedCacheMapList

loc_4A94F5:				; CODE XREF: CcInitializeCacheMapEx+430j
					; CcInitializeCacheMapEx+436j ...
		mov	eax, [esi+0B0h]
		test	eax, eax
		jnz	loc_5C0093

loc_4A9503:				; CODE XREF: CcInitializeCacheMapEx+116FFBj
		and	dword ptr [esi+60h], 0FFFEFFFFh
		mov	dword ptr [esi+0B0h], 0

loc_4A9514:				; CODE XREF: CcInitializeCacheMapEx+413j
		test	ebx, ebx
		jz	loc_5C00D6

loc_4A951C:				; CODE XREF: CcInitializeCacheMapEx+117010j
		test	ds:byte_70EFC6,	1
		jnz	loc_5C00C5
		mov	eax, [esp+88h+var_3C]
		test	eax, eax
		jnz	loc_4A9B80
		mov	edx, [esp+88h+var_38]
		lea	eax, [esp+88h+var_3C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_3C]
		cmp	eax, ecx
		jnz	loc_4A9B77

loc_4A954F:				; CODE XREF: CcInitializeCacheMapEx+AE3j
					; CcInitializeCacheMapEx+117021j
		mov	cl, byte ptr [esp+88h+var_34]
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	ebx

loc_4A955B:				; CODE XREF: CcInitializeCacheMapEx+11702Cj
		cmp	[esp+88h+var_5C], 0
		jz	short loc_4A959B
		test	ds:byte_70EFC6,	1
		jnz	loc_5C00E1
		mov	eax, [esp+88h+var_30]
		test	eax, eax
		jnz	loc_4A9B43
		mov	edx, [esp+88h+var_2C]
		lea	eax, [esp+88h+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_30]
		cmp	eax, ecx
		jnz	loc_4A9B3A

loc_4A9595:				; CODE XREF: CcInitializeCacheMapEx+AA6j
					; CcInitializeCacheMapEx+11703Dj
		mov	cl, [esp+88h+var_28]
		call	ebx

loc_4A959B:				; CODE XREF: CcInitializeCacheMapEx+4B0j
					; CcInitializeCacheMapEx+116BEBj ...
		mov	eax, [esp+88h+var_6C]
		test	eax, eax
		jnz	loc_5C00F2

loc_4A95A7:				; CODE XREF: CcInitializeCacheMapEx+11704Dj
		mov	eax, [esp+88h+var_64]
		test	eax, eax
		jnz	loc_5C0102

loc_4A95B3:				; CODE XREF: CcInitializeCacheMapEx+11705Dj
		mov	eax, [esp+88h+var_68]
		test	eax, eax
		jnz	loc_5C0112

loc_4A95BF:				; CODE XREF: CcInitializeCacheMapEx+11706Dj
		mov	esi, [esp+88h+var_70]
		test	esi, esi
		js	loc_5C0122

loc_4A95CB:				; CODE XREF: CcInitializeCacheMapEx+1170FFj
					; CcInitializeCacheMapEx+117110j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4A95D4:				; CODE XREF: CcInitializeCacheMapEx+D6j
		add	esi, 0FFFFFh
		adc	edx, 0
		and	esi, 0FFF00000h
		mov	[esp+88h+var_44], edx
		jmp	loc_4A919F
; 

loc_4A95EC:				; CODE XREF: CcInitializeCacheMapEx+150j
		mov	eax, [esp+88h+var_6C]
		test	eax, eax
		jz	loc_5BF78E
		test	ds:byte_70EFC6,	21h
		mov	esi, eax
		mov	[esp+88h+var_6C], 0
		mov	edi, [esi+174h]
		mov	[esp+88h+var_3C], 0
		lea	eax, [edi+40h]
		mov	[esp+88h+var_38], eax
		jnz	loc_5BF8CD
		lea	edx, [esp+88h+var_3C]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4A9BF6

loc_4A9632:				; CODE XREF: CcInitializeCacheMapEx+B4Fj
					; CcInitializeCacheMapEx+116828j
		mov	edx, [edi+0Ch]
		lea	eax, [edi+8]
		lea	ecx, [esi+58h]
		cmp	[edx], eax
		jnz	loc_5C0057
		mov	[ecx+4], edx
		mov	[ecx], eax
		mov	[edx], ecx
		mov	edx, 746C6644h
		mov	[eax+4], ecx
		mov	ecx, ebx
		mov	eax, [ebx+14h]
		mov	[esp+88h+var_54], 1
		mov	[eax+4], esi
		call	ObfReferenceObjectWithTag
		test	ds:byte_70EFC6,	1
		jnz	loc_5BF8DD
		mov	eax, [esp+88h+var_3C]
		test	eax, eax
		jnz	short loc_4A969F
		mov	edx, [esp+88h+var_38]
		lea	eax, [esp+88h+var_3C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_3C]
		cmp	eax, ecx
		jz	loc_4A92B8

loc_4A9696:				; CODE XREF: CcInitializeCacheMapEx+202j
		lea	ecx, [esp+88h+var_3C]
		call	KxWaitForLockChainValid

loc_4A969F:				; CODE XREF: CcInitializeCacheMapEx+1E8j
					; CcInitializeCacheMapEx+5CAj
		add	eax, 4
		mov	[esp+88h+var_3C], 0
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_4A92B8
; 

loc_4A96B7:				; CODE XREF: CcInitializeCacheMapEx+FEj
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

loc_4A96BD:				; CODE XREF: CcInitializeCacheMapEx+116737j
		push	63536343h
		push	188h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5BF8C3
		push	188h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [esp+94h+var_60]
		add	esp, 0Ch
		test	byte ptr [esp+88h+var_5C], 1
		mov	[esp+88h+var_6C], esi
		jnz	loc_5BF7EC

loc_4A96FE:				; CODE XREF: CcInitializeCacheMapEx+116743j
		push	ebx
		push	[esp+8Ch+var_14]
		mov	edx, eax
		lea	ecx, [esp+90h+var_68]
		push	[esp+90h+var_18]
		call	_MmCreateCacheManagerSection@20	; MmCreateCacheManagerSection(x,x,x,x,x)
		mov	[esp+88h+var_70], eax
		cmp	eax, 0C000060Bh
		jz	loc_5BF835
		test	eax, eax
		js	loc_5BF814
		push	[esp+88h+var_68]
		call	ObDeleteCapturedInsertInfo
		xor	eax, eax
		lea	edi, [esp+88h+var_24]
		stosd
		stosd
		stosd
		mov	eax, ds:_PspSystemPartition
		mov	edx, [eax+4]
		mov	[esp+88h+var_74], edx
		test	edx, edx
		jz	loc_5BF80D
		cmp	byte ptr [edx+28Ah], 2
		jnb	loc_5BF7F8
		test	edx, edx
		jz	loc_5BF80D
		mov	eax, [esp+88h+var_10]
		mov	ecx, [esp+88h+var_8]
		mov	dword ptr [esi], 18802FFh
		mov	[esi+44h], ebx
		mov	[esi+8], eax
		mov	eax, [esp+88h+var_C]
		mov	[esi+0Ch], eax
		mov	eax, [esp+88h+var_4]
		mov	[esi+24h], eax
		mov	[esi+2Ch], eax
		mov	eax, [esp+88h+var_58]
		mov	[esi+20h], ecx
		mov	[esi+28h], ecx
		mov	ecx, ebx
		mov	eax, [eax+1DCh]
		mov	[esi+174h], edx
		lea	edx, [esi+164h]
		mov	[esi+168h], eax
		call	CcInitializeVolumeCacheMap
		mov	[esp+88h+var_70], eax
		test	eax, eax
		js	loc_5BF8C3
		push	0
		push	1
		lea	eax, [esi+0C0h]
		mov	dword ptr [esi+0B4h], 1
		push	eax
		mov	dword ptr [esi+0B8h], 0
		mov	dword ptr [esi+0BCh], 0
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		cmp	[ebp+arg_8], 0
		mov	dword ptr [esi+48h], 0
		jnz	loc_4A99F8

loc_4A9803:				; CODE XREF: CcInitializeCacheMapEx+94Cj
		test	byte ptr [ebx+2Ch], 20h
		jnz	loc_4A9ABB

loc_4A980D:				; CODE XREF: CcInitializeCacheMapEx+A0Fj
		mov	edi, [esp+88h+var_50]
		test	edi, edi
		jnz	short loc_4A981C
		or	dword ptr [esi+60h], 200000h

loc_4A981C:				; CODE XREF: CcInitializeCacheMapEx+763j
		lea	eax, [esi+10h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+88h], eax
		mov	eax, [ebp+arg_10]
		mov	[esi+8Ch], eax
		add	esi, 90h
		mov	[esi+4], esi
		mov	[esi], esi
		jmp	loc_4A91B4
; 

loc_4A9846:				; CODE XREF: CcInitializeCacheMapEx+269j
		test	ecx, ecx
		jnz	loc_5BFCA0
		inc	dword ptr [esi+4]
		or	eax, 100h
		mov	[esi+60h], eax
		mov	eax, [esi+70h]
		test	eax, eax
		jnz	loc_5BFA71

loc_4A9864:				; CODE XREF: CcInitializeCacheMapEx+1169CBj
		test	ds:byte_70EFC6,	1
		jnz	loc_5BFA80
		mov	eax, [esp+88h+var_3C]
		test	eax, eax
		jnz	loc_4A9C6A
		mov	edx, [esp+88h+var_38]
		lea	eax, [esp+88h+var_3C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_3C]
		cmp	eax, ecx
		jnz	loc_4A9C61

loc_4A9897:				; CODE XREF: CcInitializeCacheMapEx+BCDj
					; CcInitializeCacheMapEx+1169DCj
		mov	cl, byte ptr [esp+88h+var_34]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ds:byte_70EFC6,	1
		jnz	loc_5BFA91
		mov	eax, [esp+88h+var_30]
		test	eax, eax
		jnz	loc_4A9BA1
		mov	edx, [esp+88h+var_2C]
		lea	eax, [esp+88h+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_30]
		cmp	eax, ecx
		jnz	loc_4A9B98

loc_4A98D4:				; CODE XREF: CcInitializeCacheMapEx+B04j
					; CcInitializeCacheMapEx+1169EDj
		mov	cl, [esp+88h+var_28]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	dword ptr [esi+6Ch], 0
		mov	[esp+88h+var_58], 1
		jnz	loc_5BFC1D
		mov	eax, [esp+88h+var_68]
		test	eax, eax
		jz	loc_5BFC08
		mov	[esi+6Ch], eax
		mov	eax, [ebx+0Ch]
		mov	[esp+88h+var_68], 0
		test	byte ptr [eax+6], 1
		jnz	short loc_4A991A
		cmp	dword ptr [ebx+10h], 0
		jz	loc_4A9A01

loc_4A991A:				; CODE XREF: CcInitializeCacheMapEx+85Ej
					; CcInitializeCacheMapEx+A06j
		push	[esp+88h+var_14]
		mov	ecx, esi
		push	[esp+8Ch+var_18]
		call	CcCreateVacbArray
		mov	[esp+18h], eax
		test	eax, eax
		js	loc_5BFC25
		test	byte ptr [esp+90h+var_64], 1
		jnz	loc_5BFAD4

loc_4A9940:				; CODE XREF: CcInitializeCacheMapEx+116B12j
		lea	edx, [esp+90h+var_38]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	ds:byte_70EFC6,	21h
		mov	[esp+90h+var_40], edi
		mov	[esp+90h+var_44], 0
		jnz	loc_5BFBC7
		lea	edx, [esp+90h+var_44]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_4A9C04

loc_4A9975:				; CODE XREF: CcInitializeCacheMapEx+B5Dj
					; CcInitializeCacheMapEx+116B22j
		and	dword ptr [esi+60h], 0FFFFFEFFh
		mov	eax, [esi+70h]
		test	eax, eax
		jnz	loc_5BFBD7

loc_4A9987:				; CODE XREF: CcInitializeCacheMapEx+116B31j
		test	ds:byte_70EFC6,	1
		jnz	loc_5BFBE6
		mov	eax, [esp+90h+var_44]
		test	eax, eax
		jnz	loc_4A9C3C
		mov	edx, [esp+90h+var_40]
		lea	eax, [esp+90h+var_44]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+90h+var_44]
		cmp	eax, ecx
		jnz	loc_4A9C33

loc_4A99BA:				; CODE XREF: CcInitializeCacheMapEx+B9Fj
					; CcInitializeCacheMapEx+116B42j
		test	ds:byte_70EFC6,	1
		jnz	loc_5BFBF7
		mov	eax, [esp+90h+var_38]
		test	eax, eax
		jnz	loc_4A9BC2
		mov	edx, [esp+90h+var_34]
		lea	eax, [esp+90h+var_38]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+90h+var_38]
		cmp	eax, ecx
		jnz	loc_4A9BB9

loc_4A99ED:				; CODE XREF: CcInitializeCacheMapEx+B25j
					; CcInitializeCacheMapEx+116B53j
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		jmp	loc_4A939A
; 

loc_4A99F8:				; CODE XREF: CcInitializeCacheMapEx+74Dj
		or	dword ptr [esi+60h], 4
		jmp	loc_4A9803
; 

loc_4A9A01:				; CODE XREF: CcInitializeCacheMapEx+864j
		mov	eax, [ebx+14h]
		push	eax
		call	_MmDisableModifiedWriteOfSection@4 ; MmDisableModifiedWriteOfSection(x)
		lea	edx, [esp+88h+var_30]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	ds:byte_70EFC6,	21h
		mov	[esp+88h+var_38], edi
		mov	[esp+88h+var_3C], 0
		jnz	loc_5BFAA2
		lea	edx, [esp+88h+var_3C]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_4A9C82

loc_4A9A3F:				; CODE XREF: CcInitializeCacheMapEx+BDBj
					; CcInitializeCacheMapEx+1169FDj
		or	dword ptr [esi+60h], 200h
		test	ds:byte_70EFC6,	1
		jnz	loc_5BFAB2
		mov	eax, [esp+88h+var_3C]
		test	eax, eax
		jnz	loc_4A9CBA
		mov	edx, [esp+88h+var_38]
		lea	eax, [esp+88h+var_3C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_3C]
		cmp	eax, ecx
		jnz	loc_4A9CB1

loc_4A9A79:				; CODE XREF: CcInitializeCacheMapEx+C1Dj
					; CcInitializeCacheMapEx+116A0Ej
		test	ds:byte_70EFC6,	1
		jnz	loc_5BFAC3
		mov	eax, [esp+88h+var_30]
		test	eax, eax
		jnz	loc_4A9C1B
		mov	edx, [esp+88h+var_2C]
		lea	eax, [esp+88h+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_30]
		cmp	eax, ecx
		jnz	loc_4A9C12

loc_4A9AAC:				; CODE XREF: CcInitializeCacheMapEx+B7Ej
					; CcInitializeCacheMapEx+116A1Fj
		mov	cl, [esp+88h+var_28]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4A991A
; 

loc_4A9ABB:				; CODE XREF: CcInitializeCacheMapEx+757j
		or	dword ptr [esi+60h], 40h
		jmp	loc_4A980D
; 

loc_4A9AC4:				; CODE XREF: CcInitializeCacheMapEx+39Fj
		mov	eax, [esp+88h+var_64]
		test	eax, eax
		jz	loc_5BFED3
		mov	edi, eax
		mov	[esp+88h+var_64], 0
		jmp	loc_4A9455
; 

loc_4A9ADF:				; CODE XREF: CcInitializeCacheMapEx+30Aj
					; CcInitializeCacheMapEx+116ED1j
		push	63506343h
		push	68h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+88h+var_64], eax
		test	eax, eax
		jnz	loc_4A93C0
		jmp	loc_5BFF86
; 

loc_4A9B01:				; CODE XREF: CcInitializeCacheMapEx+B8j
		mov	esi, 1
		jmp	loc_4A916E
; 

loc_4A9B0B:				; CODE XREF: CcInitializeCacheMapEx+34Cj
		lea	ecx, [esp+88h+var_30]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A9402
; 

loc_4A9B19:				; CODE XREF: CcInitializeCacheMapEx+2E4j
		lea	ecx, [esp+88h+var_30]
		call	KxWaitForLockChainValid

loc_4A9B22:				; CODE XREF: CcInitializeCacheMapEx+2CAj
		mov	[esp+88h+var_30], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A939A
; 

loc_4A9B3A:				; CODE XREF: CcInitializeCacheMapEx+4DFj
		lea	ecx, [esp+88h+var_30]
		call	KxWaitForLockChainValid

loc_4A9B43:				; CODE XREF: CcInitializeCacheMapEx+4C5j
		mov	[esp+88h+var_30], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A9595
; 

loc_4A9B5B:				; CODE XREF: CcInitializeCacheMapEx+138j
		lea	ecx, [esp+88h+var_30]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A91EE
; 

loc_4A9B69:				; CODE XREF: CcInitializeCacheMapEx+38Bj
		lea	ecx, [esp+88h+var_3C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A9441
; 

loc_4A9B77:				; CODE XREF: CcInitializeCacheMapEx+499j
		lea	ecx, [esp+88h+var_3C]
		call	KxWaitForLockChainValid

loc_4A9B80:				; CODE XREF: CcInitializeCacheMapEx+47Fj
		mov	[esp+88h+var_3C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A954F
; 

loc_4A9B98:				; CODE XREF: CcInitializeCacheMapEx+81Ej
		lea	ecx, [esp+88h+var_30]
		call	KxWaitForLockChainValid

loc_4A9BA1:				; CODE XREF: CcInitializeCacheMapEx+804j
		mov	[esp+88h+var_30], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A98D4
; 

loc_4A9BB9:				; CODE XREF: CcInitializeCacheMapEx+937j
		lea	ecx, [esp+90h+var_38]
		call	KxWaitForLockChainValid

loc_4A9BC2:				; CODE XREF: CcInitializeCacheMapEx+91Dj
		mov	[esp+90h+var_38], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A99ED
; 

loc_4A9BDA:				; CODE XREF: CcInitializeCacheMapEx+241j
		lea	ecx, [esp+88h+var_3C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A92F7
; 

loc_4A9BE8:				; CODE XREF: CcInitializeCacheMapEx+19Fj
		lea	ecx, [esp+88h+var_3C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A9255
; 

loc_4A9BF6:				; CODE XREF: CcInitializeCacheMapEx+57Cj
		lea	ecx, [esp+88h+var_3C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A9632
; 

loc_4A9C04:				; CODE XREF: CcInitializeCacheMapEx+8BFj
		lea	ecx, [esp+90h+var_44]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A9975
; 

loc_4A9C12:				; CODE XREF: CcInitializeCacheMapEx+9F6j
		lea	ecx, [esp+88h+var_30]
		call	KxWaitForLockChainValid

loc_4A9C1B:				; CODE XREF: CcInitializeCacheMapEx+9DCj
		mov	[esp+88h+var_30], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A9AAC
; 

loc_4A9C33:				; CODE XREF: CcInitializeCacheMapEx+904j
		lea	ecx, [esp+90h+var_44]
		call	KxWaitForLockChainValid

loc_4A9C3C:				; CODE XREF: CcInitializeCacheMapEx+8EAj
		mov	[esp+90h+var_44], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A99BA
; 

loc_4A9C54:				; CODE XREF: CcInitializeCacheMapEx+1BBj
		and	eax, 0FFDFFFFFh
		mov	[esi+60h], eax
		jmp	loc_4A9271
; 

loc_4A9C61:				; CODE XREF: CcInitializeCacheMapEx+7E1j
		lea	ecx, [esp+88h+var_3C]
		call	KxWaitForLockChainValid

loc_4A9C6A:				; CODE XREF: CcInitializeCacheMapEx+7C7j
		mov	[esp+88h+var_3C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A9897
; 

loc_4A9C82:				; CODE XREF: CcInitializeCacheMapEx+989j
		lea	ecx, [esp+88h+var_3C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A9A3F
; 

loc_4A9C90:				; CODE XREF: CcInitializeCacheMapEx+2A5j
		lea	ecx, [esp+88h+var_3C]
		call	KxWaitForLockChainValid

loc_4A9C99:				; CODE XREF: CcInitializeCacheMapEx+28Dj
		mov	[esp+88h+var_3C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A935B
; 

loc_4A9CB1:				; CODE XREF: CcInitializeCacheMapEx+9C3j
		lea	ecx, [esp+88h+var_3C]
		call	KxWaitForLockChainValid

loc_4A9CBA:				; CODE XREF: CcInitializeCacheMapEx+9A9j
		mov	[esp+88h+var_3C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A9A79
CcInitializeCacheMapEx endp

; 
		align 10h
; Exported entry 184. CcCanIWrite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcCanIWrite
CcCanIWrite	proc near		; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+4Bp
					; FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+52p

var_90		= dword	ptr -90h
var_82		= byte ptr -82h
var_81		= byte ptr -81h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005C01C5 SIZE 0000030E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		xor	eax, eax
		xor	ecx, ecx
		mov	[esp+84h+var_74], eax
		mov	[esp+84h+var_70], eax
		mov	[esp+84h+var_6C], eax
		mov	[esp+84h+var_80], eax
		mov	[esp+84h+var_7C], eax
		mov	[esp+84h+var_78], eax
		mov	[esp+84h+var_81], al
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		test	byte ptr [eax+300h], 2
		jnz	loc_4A9EE3
		mov	esi, [ebp+arg_0]
		lea	ebx, [ecx+1]
		test	esi, esi
		jz	loc_5C01FC
		mov	eax, [esi+2Ch]
		test	al, 10h
		jnz	loc_4A9E98
		test	eax, 1000000h
		jnz	loc_4A9E98
		mov	[esp+90h+var_70], offset _CcMasterLock
		mov	[esp+90h+var_74], ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [esp+90h+var_6C], al
		jnz	loc_5C01C5
		lea	edx, [esp+90h+var_74]
		mov	eax, offset _CcMasterLock
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4A9EB4

loc_4A9D7E:				; CODE XREF: CcCanIWrite+1DDj
					; CcCanIWrite+1164F3j
		mov	eax, [esi+14h]
		test	eax, eax
		jz	loc_4A9EA3
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	loc_4A9EA3
		call	CcGetPartition
		mov	edi, eax
		mov	[esp+90h+var_68], eax

loc_4A9D9F:				; CODE XREF: CcCanIWrite+1CFj
		mov	eax, ebx
		lock xadd [edi+28Ch], eax
		inc	eax
		cmp	eax, 1
		jle	loc_5C01D8

loc_4A9DB3:				; CODE XREF: CcCanIWrite+1164FFj
		xor	eax, eax
		mov	[esp+90h+var_81], bl
		mov	[esp+90h+var_1C], eax
		xor	bl, bl
		mov	[esp+90h+var_18], eax
		mov	[esp+90h+var_14], eax
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_4A9DE2
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_4A9DE2
		test	dword ptr [eax+60h], 40000000h
		jnz	loc_5C01E4

loc_4A9DE2:				; CODE XREF: CcCanIWrite+ECj
					; CcCanIWrite+F3j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5C01EB
		mov	eax, [esp+90h+var_74]
		test	eax, eax
		jnz	loc_4A9ECB
		mov	edx, [esp+90h+var_70]
		lea	eax, [esp+90h+var_74]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+90h+var_74]
		cmp	eax, ecx
		jnz	loc_4A9EC2

loc_4A9E15:				; CODE XREF: CcCanIWrite+1FEj
					; CcCanIWrite+116517j
		mov	cl, byte ptr [esp+90h+var_6C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jnz	loc_4A9EE7
		xor	ecx, ecx
		lea	esp, [esp+0]

loc_4A9E30:				; CODE XREF: CcCanIWrite+116528j
					; CcCanIWrite+1165DCj
		xor	bh, bh
		inc	ecx
		xor	bl, bl
		mov	[esp+90h+var_64], ecx
		mov	[esp+90h+var_82], bh
		cmp	[ebp+arg_C], bh
		jnz	short loc_4A9E50
		lea	eax, [edi+204h]
		cmp	[eax], eax
		jnz	loc_5C020D

loc_4A9E50:				; CODE XREF: CcCanIWrite+160j
					; CcCanIWrite+116542j
		lea	eax, [esp+90h+var_82]
		mov	edx, esi
		push	eax
		push	0
		push	0
		push	[ebp+arg_4]
		mov	ecx, edi
		call	CcCanIWriteStreamEx
		mov	bh, [esp+90h+var_82]
		mov	bl, al
		test	bl, bl
		jz	loc_5C0227
		test	bh, bh
		jnz	loc_5C0227

loc_4A9E7B:				; CODE XREF: CcCanIWrite+116550j
					; CcCanIWrite+11659Aj ...
		mov	bl, 1

loc_4A9E7D:				; CODE XREF: CcCanIWrite+11658Ej
					; CcCanIWrite+1165E3j
		cmp	[esp+90h+var_81], 0
		jz	short loc_4A9E98

loc_4A9E84:				; CODE XREF: CcCanIWrite+209j
		or	ecx, 0FFFFFFFFh
		lock xadd [edi+28Ch], ecx
		dec	ecx
		test	ecx, ecx
		jle	loc_5C04B0

loc_4A9E98:				; CODE XREF: CcCanIWrite+57j
					; CcCanIWrite+62j ...
		mov	al, bl

loc_4A9E9A:				; CODE XREF: CcCanIWrite+205j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4A9EA3:				; CODE XREF: CcCanIWrite+A3j
					; CcCanIWrite+AEj
		mov	eax, ds:_PspSystemPartition
		mov	edi, [eax+4]
		mov	[esp+90h+var_68], edi
		jmp	loc_4A9D9F
; 

loc_4A9EB4:				; CODE XREF: CcCanIWrite+98j
		lea	ecx, [esp+90h+var_74]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A9D7E
; 

loc_4A9EC2:				; CODE XREF: CcCanIWrite+12Fj
		lea	ecx, [esp+90h+var_74]
		call	KxWaitForLockChainValid

loc_4A9ECB:				; CODE XREF: CcCanIWrite+115j
		mov	[esp+90h+var_74], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_4A9E15
; 

loc_4A9EE3:				; CODE XREF: CcCanIWrite+3Ej
		mov	al, 1
		jmp	short loc_4A9E9A
; 

loc_4A9EE7:				; CODE XREF: CcCanIWrite+141j
		mov	bl, 1
		jmp	short loc_4A9E84
CcCanIWrite	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcCanIWriteStreamEx proc near		; CODE XREF: CcScheduleReadAheadEx+B0p
					; CcShouldLazyWriteCacheMap+FFp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C04D3 SIZE 00000179 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		xor	bl, bl
		mov	[ebp+var_C], edx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_2], bl
		mov	[ebp+var_1], bl
		test	edi, 0FFFh
		jnz	loc_5C04D3
		xor	eax, eax

loc_4A9F1A:				; CODE XREF: CcCanIWriteStreamEx+1165E8j
		shr	edi, 0Ch
		add	edi, eax
		xor	eax, eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_4A9F3D
		mov	byte ptr [eax],	0

loc_4A9F3D:				; CODE XREF: CcCanIWriteStreamEx+48j
		mov	eax, [ebp+arg_0]
		cmp	eax, 1000000h
		ja	loc_5C04DD

loc_4A9F4B:				; CODE XREF: CcCanIWriteStreamEx+1165F5j
		mov	esi, eax
		and	esi, 0FFFh
		neg	esi
		sbb	esi, esi
		shr	eax, 0Ch
		neg	esi
		add	esi, eax
		mov	eax, [ebp+arg_8]
		and	eax, 8
		mov	[ebp+arg_4], eax
		jnz	short loc_4A9FA2
		lea	eax, [ecx+40h]
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_14], al
		jnz	loc_5C04EA
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_1C]
		lea	eax, [ecx+40h]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4AA0E0

loc_4A9F9F:				; CODE XREF: CcCanIWriteStreamEx+1FBj
		mov	edx, [ebp+var_C]

loc_4A9FA2:				; CODE XREF: CcCanIWriteStreamEx+77j
		mov	eax, [ecx+198h]
		add	eax, edi
		add	eax, esi
		cmp	eax, [ecx+1A8h]
		jnb	loc_4AA10F

loc_4A9FB8:				; CODE XREF: CcCanIWriteStreamEx+245j
		xor	bh, bh

loc_4A9FBA:				; CODE XREF: CcCanIWriteStreamEx+223j
					; CcCanIWriteStreamEx+23Fj
		cmp	[ebp+arg_C], 0
		jz	short loc_4A9FCE
		mov	edx, _CcAzure_SoftThrottleLargeWriteAtPct
		test	edx, edx
		jnz	loc_5C04FD

loc_4A9FCE:				; CODE XREF: CcCanIWriteStreamEx+CEj
					; CcCanIWriteStreamEx+116617j ...
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_4AA00D
		test	ds:byte_70EFC6,	1
		jnz	loc_5C0554
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	loc_4AA0F8
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jnz	loc_4AA0F0

loc_4AA004:				; CODE XREF: CcCanIWriteStreamEx+21Aj
					; CcCanIWriteStreamEx+11666Fj
		mov	cl, byte ptr [ebp+var_14]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4AA00D:				; CODE XREF: CcCanIWriteStreamEx+E3j
		xor	eax, eax
		cmp	[ebp+var_1], al
		jnz	loc_4AA0CA
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	loc_5C05BE
		mov	edx, [ebp+arg_8]
		test	dl, 0Ah
		jnz	short loc_4AA071
		mov	eax, [eax+0Ch]
		test	byte ptr [eax+4], 4
		jnz	short loc_4AA06E
		test	bh, bh
		jnz	short loc_4AA06E

loc_4AA038:				; CODE XREF: CcCanIWriteStreamEx+1E2j
		xor	bl, bl
		cmp	byte ptr ds:dword_7051D4, bl
		jnz	loc_5C05C5
		mov	ecx, 1C2h

loc_4AA04B:				; CODE XREF: CcCanIWriteStreamEx+1166DAj
		mov	edx, dword_6D5E00
		cmp	edx, ecx
		jb	loc_5C05CF

loc_4AA059:				; CODE XREF: CcCanIWriteStreamEx+116707j
					; CcCanIWriteStreamEx+116757j
		mov	bl, 1

loc_4AA05B:				; CODE XREF: CcCanIWriteStreamEx+1E0j
					; CcCanIWriteStreamEx+11673Aj ...
		test	bl, bl
		jz	loc_4AA13A
		mov	al, 1

loc_4AA065:				; CODE XREF: CcCanIWriteStreamEx+24Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4AA06E:				; CODE XREF: CcCanIWriteStreamEx+142j
					; CcCanIWriteStreamEx+146j
		mov	eax, [ebp+var_C]

loc_4AA071:				; CODE XREF: CcCanIWriteStreamEx+139j
		test	edi, edi
		jz	loc_4AA141

loc_4AA079:				; CODE XREF: CcCanIWriteStreamEx+265j
		mov	ecx, [eax+14h]
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	short loc_4AA0B9
		mov	eax, [ecx+4]
		mov	[ebp+arg_8], eax
		test	eax, eax
		jz	short loc_4AA0B2
		mov	edi, [eax+0A8h]
		test	edi, edi
		mov	[ebp+arg_C], edi
		mov	edi, [ebp+arg_4]
		jnz	loc_5C0564

loc_4AA0A1:				; CODE XREF: CcCanIWriteStreamEx+11667Fj
					; CcCanIWriteStreamEx+116690j ...
		mov	eax, [eax+164h]
		mov	eax, [eax+14h]
		cmp	eax, _CcMaxLazyWritePages
		jbe	short loc_4AA0D7

loc_4AA0B2:				; CODE XREF: CcCanIWriteStreamEx+19Bj
					; CcCanIWriteStreamEx+1EAj ...
		call	MmEnoughMemoryForWrite
		mov	bl, al

loc_4AA0B9:				; CODE XREF: CcCanIWriteStreamEx+191j
		test	edi, edi
		jz	loc_4AA15A

loc_4AA0C1:				; CODE XREF: CcCanIWriteStreamEx+2A2j
		cmp	[ebp+var_2], 0
		jnz	short loc_4AA13A
		mov	eax, [ebp+var_10]

loc_4AA0CA:				; CODE XREF: CcCanIWriteStreamEx+122j
					; CcCanIWriteStreamEx+1166D0j
		test	bh, bh
		jnz	short loc_4AA13A
		test	eax, eax
		jnz	short loc_4AA05B
		jmp	loc_4AA038
; 

loc_4AA0D7:				; CODE XREF: CcCanIWriteStreamEx+1C0j
		test	dl, 4
		jnz	short loc_4AA0B2
		xor	bh, bh
		jmp	short loc_4AA0B2
; 

loc_4AA0E0:				; CODE XREF: CcCanIWriteStreamEx+A9j
		lea	ecx, [ebp+var_1C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4AA0E8:				; CODE XREF: CcCanIWriteStreamEx+116608j
		mov	ecx, [ebp+var_8]
		jmp	loc_4A9F9F
; 

loc_4AA0F0:				; CODE XREF: CcCanIWriteStreamEx+10Ej
		lea	ecx, [ebp+var_1C]
		call	KxWaitForLockChainValid

loc_4AA0F8:				; CODE XREF: CcCanIWriteStreamEx+F7j
		mov	[ebp+var_1C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4AA004
; 

loc_4AA10F:				; CODE XREF: CcCanIWriteStreamEx+C2j
		mov	bh, 1
		test	edx, edx
		jz	loc_4A9FBA
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+var_C]
		or	edx, 1
		call	CcIsFileObjectDirectMapped
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_1], al
		test	al, al
		jz	loc_4A9FBA
		jmp	loc_4A9FB8
; 

loc_4AA13A:				; CODE XREF: CcCanIWriteStreamEx+16Dj
					; CcCanIWriteStreamEx+1D5j ...
		xor	al, al
		jmp	loc_4AA065
; 

loc_4AA141:				; CODE XREF: CcCanIWriteStreamEx+183j
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_1C]
		lea	ecx, [ecx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+arg_8]
		jmp	loc_4AA079
; 

loc_4AA15A:				; CODE XREF: CcCanIWriteStreamEx+1CBj
		test	ds:byte_70EFC6,	1
		jnz	loc_5C058F
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	loc_5C05A7
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jnz	loc_5C059F

loc_4AA189:				; CODE XREF: CcCanIWriteStreamEx+1166AAj
					; CcCanIWriteStreamEx+1166C9j
		mov	cl, byte ptr [ebp+var_14]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4AA0C1
CcCanIWriteStreamEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcGetPartition	proc near		; CODE XREF: CcScheduleReadAheadEx+37p
					; CcPerformReadAhead+94p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C064C SIZE 0000009F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	dword ptr [ecx+6Ch], 0
		push	esi
		mov	esi, [ecx+174h]
		jz	short loc_4AA226
		push	ebx
		push	edi
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		mov	edi, offset dword_6CF3C0
		jnz	loc_5C064C
		mov	[ebp+var_4], 0
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4AA22D

loc_4AA1DF:				; CODE XREF: CcGetPartition+99j
		mov	edx, dword_6CF3C0
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5C065A

loc_4AA1F7:				; CODE XREF: CcGetPartition+1164B5j
					; CcGetPartition+1164EFj
		test	ds:byte_70EFC6,	1
		jnz	loc_5C0694
		mov	dword_6CF3C0, 0

loc_4AA20E:				; CODE XREF: CcGetPartition+1164FEj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, dword_6D4EA4
		pop	edi
		pop	ebx
		cmp	esi, [eax+4]
		jnz	loc_5C06A3

loc_4AA226:				; CODE XREF: CcGetPartition+11j
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4AA22D:				; CODE XREF: CcGetPartition+3Dj
		mov	dl, bl
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+var_4], eax
		jmp	short loc_4AA1DF
CcGetPartition	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcScheduleLazyWriteScan(x, x, x)
_CcScheduleLazyWriteScan@12 proc near	; CODE XREF: CcSetDirtyPinnedData+44Cp
					; CcWriteBehindInternal:loc_4934B1p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	al, dl
		mov	cl, [esi+288h]
		test	cl, cl
		jnz	short loc_4AA2AA

loc_4AA250:				; CODE XREF: CcScheduleLazyWriteScan(x,x,x)+72j
		cmp	[ebp+arg_0], 0
		jnz	short loc_4AA2B0
		xor	edx, edx
		test	cl, cl
		setz	dl
		dec	edx
		and	edx, 0Ch
		add	edx, 4

loc_4AA264:				; CODE XREF: CcScheduleLazyWriteScan(x,x,x)+77j
		test	al, al
		jnz	short loc_4AA2B5
		cmp	[esi+190h], al
		jz	short loc_4AA285

loc_4AA270:				; CODE XREF: CcScheduleLazyWriteScan(x,x,x)+6Cj
					; CcScheduleLazyWriteScan(x,x,x)+80j
		cmp	byte ptr [esi+288h], 0
		jnz	short loc_4AA280
		mov	byte ptr [esi+190h], 1

loc_4AA280:				; CODE XREF: CcScheduleLazyWriteScan(x,x,x)+3Bj
					; CcScheduleLazyWriteScan(x,x,x)+70j
		pop	esi
		pop	ebp
		retn	4
; 

loc_4AA285:				; CODE XREF: CcScheduleLazyWriteScan(x,x,x)+32j
		mov	eax, ds:dword_40B264
		xor	edx, edx
		mov	ecx, ds:_CcFirstDelay
		push	eax
		push	ecx
		lea	eax, [esi+148h]
		push	eax
		push	0
		lea	ecx, [esi+168h]
		call	KiSetTimerEx
		jmp	short loc_4AA270
; 

loc_4AA2AA:				; CODE XREF: CcScheduleLazyWriteScan(x,x,x)+12j
		test	al, al
		jz	short loc_4AA280
		jmp	short loc_4AA250
; 

loc_4AA2B0:				; CODE XREF: CcScheduleLazyWriteScan(x,x,x)+18j
		push	8
		pop	edx
		jmp	short loc_4AA264
; 

loc_4AA2B5:				; CODE XREF: CcScheduleLazyWriteScan(x,x,x)+2Aj
		mov	ecx, esi
		call	CcNotifyWriteBehindInternal
		jmp	short loc_4AA270
_CcScheduleLazyWriteScan@12 endp


;  S U B	R O U T	I N E 


; __stdcall CcInsertIntoDirtySharedCacheMapList(x)
_CcInsertIntoDirtySharedCacheMapList@4 proc near ; CODE	XREF: CcSetDirtyPinnedData+453p
					; CcWriteBehindInternal+747p ...
		test	dword ptr [ecx+60h], 3000000h
		mov	eax, [ecx+174h]
		push	esi
		lea	edx, [eax+24h]
		lea	esi, [eax+30h]
		jz	short loc_4AA2FF
		lea	eax, [ecx+50h]
		push	edi
		mov	edi, [eax]
		cmp	[edi+4], eax
		jnz	short loc_4AA328
		push	ebx
		mov	ebx, [eax+4]
		cmp	[ebx], eax
		jnz	short loc_4AA328
		mov	[ebx], edi
		mov	[edi+4], ebx
		mov	edi, [esi+4]
		pop	ebx
		cmp	[edi], esi
		jnz	short loc_4AA328
		mov	[eax+4], edi
		mov	[eax], esi
		mov	[edi], eax
		mov	[esi+4], eax
		pop	edi

loc_4AA2FF:				; CODE XREF: CcInsertIntoDirtySharedCacheMapList(x)+14j
		lea	eax, [ecx+58h]
		mov	esi, [eax]
		cmp	[esi+4], eax
		jnz	short loc_4AA328
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_4AA328
		mov	[ecx], esi
		mov	[esi+4], ecx
		mov	ecx, [edx+4]
		pop	esi
		cmp	[ecx], edx
		jnz	short loc_4AA328
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edx+4], eax
		retn
; 

loc_4AA328:				; CODE XREF: CcInsertIntoDirtySharedCacheMapList(x)+1Fj
					; CcInsertIntoDirtySharedCacheMapList(x)+27j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CcInsertIntoDirtySharedCacheMapList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcFindBitmapRangeToDirty(x,	x, x, x)
_CcFindBitmapRangeToDirty@16 proc near	; CODE XREF: .text:004A819Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		lea	eax, [ecx+10h]
		mov	[ebp+var_C], edx
		mov	edx, [ebp+arg_0]
		xor	ebx, ebx
		push	esi
		mov	esi, eax
		mov	[ebp+var_4], eax
		and	edx, 0FFFFF000h
		push	edi
		mov	[ebp+var_8], edx
		mov	eax, [esi]

loc_4AA354:				; CODE XREF: CcFindBitmapRangeToDirty(x,x,x,x)+5Cj
					; CcFindBitmapRangeToDirty(x,x,x,x)+63j ...
		mov	edi, [eax+8]
		mov	ecx, [eax+0Ch]
		cmp	edx, edi
		jnz	short loc_4AA36A
		cmp	[ebp+arg_4], ecx
		jnz	short loc_4AA36A

loc_4AA363:				; CODE XREF: CcFindBitmapRangeToDirty(x,x,x,x)+AEj
					; CcFindBitmapRangeToDirty(x,x,x,x)+EFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4AA36A:				; CODE XREF: CcFindBitmapRangeToDirty(x,x,x,x)+2Ej
					; CcFindBitmapRangeToDirty(x,x,x,x)+33j
		cmp	dword ptr [eax+18h], 0
		jz	short loc_4AA3DE

loc_4AA370:				; CODE XREF: CcFindBitmapRangeToDirty(x,x,x,x)+B2j
		cmp	[ebp+arg_4], ecx
		jl	short loc_4AA37D
		jg	short loc_4AA37B
		cmp	edx, edi
		jbe	short loc_4AA37D

loc_4AA37B:				; CODE XREF: CcFindBitmapRangeToDirty(x,x,x,x)+47j
		mov	esi, eax

loc_4AA37D:				; CODE XREF: CcFindBitmapRangeToDirty(x,x,x,x)+45j
					; CcFindBitmapRangeToDirty(x,x,x,x)+4Bj ...
		mov	eax, [eax]
		cmp	eax, [ebp+var_4]
		jz	short loc_4AA402
		mov	ecx, [ebp+arg_4]
		cmp	ecx, [eax+0Ch]
		jg	short loc_4AA354
		jl	short loc_4AA393
		cmp	edx, [eax+8]
		jnb	short loc_4AA354

loc_4AA393:				; CODE XREF: CcFindBitmapRangeToDirty(x,x,x,x)+5Ej
		test	ebx, ebx
		jz	short loc_4AA354

loc_4AA397:				; CODE XREF: CcFindBitmapRangeToDirty(x,x,x,x)+D6j
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	loc_4AA42F
		mov	ecx, [ebx+4]
		cmp	[ecx], ebx
		jnz	loc_4AA42F
		mov	[ecx], eax
		mov	[eax+4], ecx

loc_4AA3B2:				; CODE XREF: CcFindBitmapRangeToDirty(x,x,x,x)+FFj
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_4AA42F
		mov	[ebx], eax
		mov	[ebx+4], esi
		mov	[eax+4], ebx
		mov	eax, [ebp+arg_4]
		mov	[esi], ebx
		or	dword ptr [ebx+10h], 0FFFFFFFFh
		mov	[ebx+0Ch], eax
		xor	eax, eax
		mov	[ebx+8], edx
		mov	[ebx+14h], eax
		cmp	[ebx+1Ch], eax
		jz	short loc_4AA3E6

loc_4AA3DA:				; CODE XREF: CcFindBitmapRangeToDirty(x,x,x,x)+D2j
		mov	eax, ebx
		jmp	short loc_4AA363
; 

loc_4AA3DE:				; CODE XREF: CcFindBitmapRangeToDirty(x,x,x,x)+40j
		test	ebx, ebx
		jnz	short loc_4AA370
		mov	ebx, eax
		jmp	short loc_4AA37D
; 

loc_4AA3E6:				; CODE XREF: CcFindBitmapRangeToDirty(x,x,x,x)+AAj
		mov	edi, [ebp+var_C]
		push	200h		; size_t
		push	eax		; int
		mov	esi, [edi]
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebx+1Ch], esi
		and	dword ptr [edi], 0
		jmp	short loc_4AA3DA
; 

loc_4AA402:				; CODE XREF: CcFindBitmapRangeToDirty(x,x,x,x)+54j
		test	ebx, ebx
		jnz	short loc_4AA397
		push	72426343h
		push	20h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		xor	eax, eax
		test	ebx, ebx
		jz	loc_4AA363
		mov	edx, [ebp+var_8]
		mov	edi, ebx
		push	8
		pop	ecx
		rep stosd
		jmp	short loc_4AA3B2
; 

loc_4AA42F:				; CODE XREF: CcFindBitmapRangeToDirty(x,x,x,x)+6Ej
					; CcFindBitmapRangeToDirty(x,x,x,x)+79j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CcFindBitmapRangeToDirty@16 endp	; AL = character to display


;  S U B	R O U T	I N E 


CcInsertIntoCleanSharedCacheMapList proc near ;	CODE XREF: CcInitializeCacheMapEx+440p
					; CcAcquireByteRangeForWrite+29Cp ...
		cmp	_KdDebuggerEnabled, 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+174h]
		lea	edi, [eax+8]
		lea	ebx, [eax+10h]
		jnz	loc_5C06B9

loc_4AA452:				; CODE XREF: CcGetPartition+116520j
					; CcGetPartition+11652Aj ...
		test	dword ptr [esi+60h], 3000000h
		jz	short loc_4AA482
		lea	eax, [esi+50h]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_4AA4AD
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_4AA4AD
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	ecx, [ebx+4]
		cmp	[ecx], ebx
		jnz	short loc_4AA4AD
		mov	[eax], ebx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ebx+4], eax

loc_4AA482:				; CODE XREF: CcInsertIntoCleanSharedCacheMapList+25j
		lea	eax, [esi+58h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_4AA4AD
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_4AA4AD
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_4AA4AD
		mov	[eax], edi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edi+4], eax
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4AA4AD:				; CODE XREF: CcInsertIntoCleanSharedCacheMapList+2Fj
					; CcInsertIntoCleanSharedCacheMapList+36j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
CcInsertIntoCleanSharedCacheMapList endp ; AL =	character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SetVacb(x, x, x, x,	x)
_SetVacb@20	proc near		; CODE XREF: CcGetVacbMiss+149p
					; CcDereferenceFileOffset(x,x,x)+3Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	dl, 1
		cmp	dword ptr [edi+1Ch], 0
		jl	short loc_4AA4D3
		jg	short loc_4AA505
		cmp	dword ptr [edi+18h], 2000000h
		ja	short loc_4AA505

loc_4AA4D3:				; CODE XREF: SetVacb(x,x,x,x,x)+14j
		cmp	esi, 0FFFFFFFEh
		jnb	short loc_4AA4E4
		mov	ecx, [ebp+arg_4]
		mov	eax, [edi+40h]
		shr	ecx, 12h
		mov	[eax+ecx*4], esi

loc_4AA4E4:				; CODE XREF: SetVacb(x,x,x,x,x)+24j
					; SetVacb(x,x,x,x,x)+65j
		cmp	esi, 0FFFFFFFFh
		jz	short loc_4AA4FB
		cmp	esi, 0FFFFFFFEh
		jz	short loc_4AA4FB
		add	edi, 17Ch
		test	esi, esi
		jz	short loc_4AA519
		lock inc dword ptr [edi]

loc_4AA4FB:				; CODE XREF: SetVacb(x,x,x,x,x)+35j
					; SetVacb(x,x,x,x,x)+3Aj ...
		pop	edi
		mov	al, dl
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4AA505:				; CODE XREF: SetVacb(x,x,x,x,x)+16j
					; SetVacb(x,x,x,x,x)+1Fj
		push	[ebp+arg_0]
		mov	edx, esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	CcSetVacbLargeOffset
		mov	dl, al
		jmp	short loc_4AA4E4
; 

loc_4AA519:				; CODE XREF: SetVacb(x,x,x,x,x)+44j
		lock dec dword ptr [edi]
		jmp	short loc_4AA4FB
_SetVacb@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmEnoughMemoryForWrite proc near	; CODE XREF: CcCanIWriteStreamEx:loc_4AA0B2p

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C06EB SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_1], 21h
		mov	esi, ebx
		push	edi
		test	ecx, ecx
		jz	short loc_4AA545
		lea	edx, [ebp-1]
		push	edx
		xor	edx, edx
		inc	edx
		call	MiLockSectionControlArea
		mov	esi, eax
		test	esi, esi
		jz	short loc_4AA592

loc_4AA545:				; CODE XREF: MmEnoughMemoryForWrite+13j
		xor	edx, edx
		mov	edi, offset _MiSystemPartition
		cmp	byte ptr ds:dword_7051D4, dl
		mov	ecx, edi
		setz	dl
		dec	edx
		and	edx, 3E3Eh
		add	edx, 1C2h
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	loc_5C06EB

loc_4AA571:				; CODE XREF: MmEnoughMemoryForWrite+1161F5j
		mov	bl, 1

loc_4AA573:				; CODE XREF: MmEnoughMemoryForWrite+1161DDj
					; MmEnoughMemoryForWrite+1161EFj
		cmp	[ebp+var_1], 21h
		jz	short loc_4AA58B
		lea	edx, [esi+24h]
		push	edx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4AA58B:				; CODE XREF: MmEnoughMemoryForWrite+59j
		mov	al, bl

loc_4AA58D:				; CODE XREF: MmEnoughMemoryForWrite+76j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4AA592:				; CODE XREF: MmEnoughMemoryForWrite+25j
		mov	al, 1
		jmp	short loc_4AA58D
MmEnoughMemoryForWrite endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRemoveViewsFromSectionWithPfn(x, x, x, x)
_MiRemoveViewsFromSectionWithPfn@16 proc near
					; CODE XREF: MiDereferenceDataSubsections(x,x,x,x,x)+32p
					; PAGE:0078CB32p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi]
		add	esi, 24h
		push	esi
		call	ExAcquireSpinLockExclusive
		push	[ebp+arg_4]
		mov	ecx, edi
		mov	bl, al
		push	[ebp+arg_0]
		call	_MiRemoveViewsFromSection@16 ; MiRemoveViewsFromSection(x,x,x,x)
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_MiRemoveViewsFromSectionWithPfn@16 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiDecrementModifiedWriteCount(x, x)
_MiDecrementModifiedWriteCount@8 proc near ; CODE XREF:	MiWriteComplete+2C8p
					; MiTrimSharedPage+140p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+24h]
		cmp	edx, 1
		jz	short loc_4AA615
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	bl, al

loc_4AA5ED:				; CODE XREF: MiDecrementModifiedWriteCount(x,x)+41j
		dec	dword ptr [esi+28h]
		mov	ecx, esi
		push	8
		pop	edx
		call	_MiBuildWakeList@8 ; MiBuildWakeList(x,x)
		mov	esi, eax
		cmp	bl, 21h
		jz	short loc_4AA60F
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4AA60F:				; CODE XREF: MiDecrementModifiedWriteCount(x,x)+29j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_4AA615:				; CODE XREF: MiDecrementModifiedWriteCount(x,x)+Dj
		mov	bl, 21h
		jmp	short loc_4AA5ED
_MiDecrementModifiedWriteCount@8 endp

; 
		align 2

; __stdcall MiRemoveUnusedSubsection(x)
_MiRemoveUnusedSubsection@4:		; CODE XREF: MiDereferenceControlAreaPfnList+D0p
					; MiFlushSectionInternal+AA8p ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, offset unk_6D5180
		mov	esi, ecx
		push	edi
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		lea	eax, [esi+34h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_4AA661
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_4AA661
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, 0FFF7h
		and	[esi+12h], cx
		mov	ecx, esi
		mov	[eax+4], eax
		mov	[eax], eax
		call	_MiReduceUnusedSubsectionCount@4 ; MiReduceUnusedSubsectionCount(x)
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_4AA661:				; CODE XREF: .text:004AA634j
					; .text:004AA63Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReferencePfBackedSection proc	near	; CODE XREF: MiTrimSharedPage+17Cp
					; MiGetPageFileSectionForReservation+Cp

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C0718 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ebx
		mov	edi, ecx
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		jmp	short loc_4AA690
; 
		align 10h

loc_4AA690:				; CODE XREF: MiReferencePfBackedSection+18j
					; MiReferencePfBackedSection+135j
		push	offset unk_6CF4C4
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	ecx, dword_6CF4C0
		mov	[ebp+var_1], al
		test	ecx, ecx
		jz	short loc_4AA6FB

loc_4AA6A7:				; CODE XREF: MiReferencePfBackedSection+5Ej
		mov	eax, [ecx+0Ch]
		xor	edx, edx
		and	eax, 7
		jnz	short loc_4AA6EC
		mov	eax, [ecx-40h]
		mov	edx, [ecx-28h]
		jmp	short loc_4AA6C6
; 

loc_4AA6B9:				; CODE XREF: MiReferencePfBackedSection+80j
		jmp	ds:off_4AA7AC[eax*4]

loc_4AA6C0:				; DATA XREF: .text:off_4AA7ACo
		mov	eax, [ecx-24h]
		mov	edx, [ecx-0Ch]

loc_4AA6C6:				; CODE XREF: MiReferencePfBackedSection+47j
					; MiReferencePfBackedSection+7Aj ...
		cmp	edi, eax
		jnb	short loc_4AA6F4
		mov	ecx, [ecx]

loc_4AA6CC:				; CODE XREF: MiReferencePfBackedSection+BDj
		test	ecx, ecx
		jnz	short loc_4AA6A7
		jmp	short loc_4AA6FB
; 

loc_4AA6D2:				; CODE XREF: MiReferencePfBackedSection:loc_4AA6B9j
					; DATA XREF: .text:004AA7B0o
		mov	esi, [ecx-28h]
		add	esi, 50h
		xor	edx, edx
		mov	eax, [esi+4]
		lea	ecx, [ecx+0]

loc_4AA6E0:				; CODE XREF: MiReferencePfBackedSection+78j
		add	edx, [esi+1Ch]
		mov	esi, [esi+8]
		test	esi, esi
		jnz	short loc_4AA6E0
		jmp	short loc_4AA6C6
; 

loc_4AA6EC:				; CODE XREF: MiReferencePfBackedSection+3Fj
		dec	eax
		cmp	eax, 3
		jbe	short loc_4AA6B9
		xor	eax, eax

loc_4AA6F4:				; CODE XREF: MiReferencePfBackedSection+58j
		lea	eax, [eax+edx*8]
		cmp	edi, eax
		jnb	short loc_4AA72A

loc_4AA6FB:				; CODE XREF: MiReferencePfBackedSection+35j
					; MiReferencePfBackedSection+60j
		xor	esi, esi
		test	ecx, ecx
		jnz	short loc_4AA72F

loc_4AA701:				; CODE XREF: MiReferencePfBackedSection+C8j
		xor	edi, edi

loc_4AA703:				; CODE XREF: MiReferencePfBackedSection+104j
		push	offset unk_6CF4C4
		call	ExReleaseSpinLockSharedFromDpcLevel
		test	esi, esi
		jnz	short loc_4AA776

loc_4AA711:				; CODE XREF: MiReferencePfBackedSection+10Fj
		mov	cl, [ebp+var_1]
		call	ebx
		mov	ebx, [ebp+var_8]
		test	ebx, ebx
		jnz	loc_5C0723

loc_4AA721:				; CODE XREF: MiReferencePfBackedSection+1160BAj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4AA72A:				; CODE XREF: MiReferencePfBackedSection+89j
		mov	ecx, [ecx+4]
		jmp	short loc_4AA6CC
; 

loc_4AA72F:				; CODE XREF: MiReferencePfBackedSection+8Fj
		mov	eax, [ecx+0Ch]
		xor	esi, esi
		and	al, 7
		cmp	al, 1
		jnz	short loc_4AA701
		mov	esi, [ecx-28h]
		lea	ebx, [ecx-28h]
		lea	eax, [esi+24h]
		push	eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jz	short loc_4AA790
		test	byte ptr [esi+1Ch], 3
		jnz	short loc_4AA78C
		mov	edx, 4
		mov	ecx, esi
		call	_MiBuildWakeList@8 ; MiBuildWakeList(x,x)
		inc	dword ptr [esi+28h]
		mov	ecx, esi
		mov	[ebp+var_8], eax
		call	_MiRemoveUnusedSegment@4 ; MiRemoveUnusedSegment(x)
		mov	edi, ebx

loc_4AA76E:				; CODE XREF: MiReferencePfBackedSection+11Ej
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		jmp	short loc_4AA703
; 

loc_4AA776:				; CODE XREF: MiReferencePfBackedSection+9Fj
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	short loc_4AA711
; 

loc_4AA781:				; CODE XREF: MiReferencePfBackedSection:loc_4AA6B9j
					; DATA XREF: .text:004AA7B4o
		mov	eax, [ecx+18h]
		mov	edx, [ecx+10h]
		jmp	loc_4AA6C6
; 

loc_4AA78C:				; CODE XREF: MiReferencePfBackedSection+E1j
		xor	edi, edi
		jmp	short loc_4AA76E
; 

loc_4AA790:				; CODE XREF: MiReferencePfBackedSection+DBj
		push	offset unk_6CF4C4
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	ebx
		jmp	loc_4AA690
MiReferencePfBackedSection endp

; 
		align 4
off_4AA7AC	dd offset loc_4AA6C0	; DATA XREF: MiReferencePfBackedSection:loc_4AA6B9r
		dd offset loc_4AA6D2
		dd offset loc_4AA781
		dd offset loc_5C0718
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateSystemProtoPtesTree(x, x)
_MiUpdateSystemProtoPtesTree@8 proc near ; CODE	XREF: MiDeleteSubsectionPages(x,x)+468p
					; MiCreatePrototypePtes+B6p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		lea	edx, [ebp+var_C]
		push	edi
		mov	edi, ecx
		call	MiObtainProtoBaseFromNode
		push	offset unk_6CF4C4
		mov	[ebp+var_8], eax
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		test	esi, esi
		jz	short loc_4AA81D
		mov	ecx, dword_6CF4C0
		mov	byte ptr [ebp+var_4], 0
		test	ecx, ecx
		jz	short loc_4AA832
		mov	esi, [ebp+var_8]
		jmp	short loc_4AA800
; 
		align 10h

loc_4AA800:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+3Bj
					; MiUpdateSystemProtoPtesTree(x,x)+ADj
		mov	eax, [ecx+0Ch]
		and	eax, 7
		jz	loc_4AA891
		dec	eax
		cmp	eax, 3		; switch 4 cases
		ja	loc_4AA896	; default
		jmp	ds:off_4AA8B0[eax*4] ; switch jump
; 

loc_4AA81D:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+28j
		push	edi
		push	offset dword_6CF4C0
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		and	dword ptr [edi+0Ch], 0FFFFFFF7h
		jmp	short loc_4AA845
; 

loc_4AA82E:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+DDj
		mov	byte ptr [ebp+var_4], 1

loc_4AA832:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+36j
					; MiUpdateSystemProtoPtesTree(x,x)+E3j
		push	edi
		push	[ebp+var_4]
		push	ecx
		push	offset dword_6CF4C0
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		or	dword ptr [edi+0Ch], 8

loc_4AA845:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+6Cj
		push	offset unk_6CF4C4
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4AA85E:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+56j
					; DATA XREF: .text:off_4AA8B0o
		mov	eax, [ecx-24h]	; case 0x0

loc_4AA861:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+CFj
					; MiUpdateSystemProtoPtesTree(x,x)+D4j	...
		cmp	esi, eax
		jnb	short loc_4AA896 ; default
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_4AA89F

loc_4AA86B:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+DBj
		mov	ecx, eax
		jmp	short loc_4AA800
; 

loc_4AA86F:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+56j
					; DATA XREF: .text:off_4AA8B0o
		mov	edx, [ecx-28h]	; case 0x1
		add	edx, 50h
		mov	[ebp+var_C], 0
		mov	esi, [ebp+var_C]
		mov	eax, [edx+4]

loc_4AA882:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+CAj
		add	esi, [edx+1Ch]
		mov	edx, [edx+8]
		test	edx, edx
		jnz	short loc_4AA882
		mov	esi, [ebp+var_8]
		jmp	short loc_4AA861
; 

loc_4AA891:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+46j
		mov	eax, [ecx-40h]
		jmp	short loc_4AA861
; 

loc_4AA896:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+50j
					; MiUpdateSystemProtoPtesTree(x,x)+A3j
		mov	eax, [ecx+4]	; default
		test	eax, eax
		jnz	short loc_4AA86B
		jmp	short loc_4AA82E
; 

loc_4AA89F:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+A9j
		mov	byte ptr [ebp+var_4], 0
		jmp	short loc_4AA832
; 

loc_4AA8A5:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+56j
					; DATA XREF: .text:off_4AA8B0o
		mov	eax, [ecx+18h]	; case 0x2
		jmp	short loc_4AA861
; 

loc_4AA8AA:				; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+56j
					; DATA XREF: .text:off_4AA8B0o
		mov	eax, [ecx+10h]	; case 0x3
		jmp	short loc_4AA861
_MiUpdateSystemProtoPtesTree@8 endp

; 
		align 10h
off_4AA8B0	dd offset loc_4AA85E	; DATA XREF: MiUpdateSystemProtoPtesTree(x,x)+56r
		dd offset loc_4AA86F	; jump table for switch	statement
		dd offset loc_4AA8A5
		dd offset loc_4AA8AA

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReferenceControlAreaPfn(x, x, x)
_MiReferenceControlAreaPfn@12 proc near	; CODE XREF: .text:0045D77Dp
					; MiSectionCreated+1E4p ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	byte ptr [esi+1Ch], 20h
		jnz	short loc_4AA908
		cmp	dword ptr [esi+20h], 0
		jz	short loc_4AA908

loc_4AA8D9:				; CODE XREF: MiReferenceControlAreaPfn(x,x,x)+4Aj
		lea	ebx, [esi+24h]
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+arg_0]
		add	[esi+10h], ecx
		mov	[ebp+var_1], al
		test	edi, edi
		jz	short loc_4AA8F2
		add	[edi+40h], ecx

loc_4AA8F2:				; CODE XREF: MiReferenceControlAreaPfn(x,x,x)+2Dj
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4AA908:				; CODE XREF: MiReferenceControlAreaPfn(x,x,x)+11j
					; MiReferenceControlAreaPfn(x,x,x)+17j
		xor	edi, edi
		jmp	short loc_4AA8D9
_MiReferenceControlAreaPfn@12 endp


;  S U B	R O U T	I N E 


MiUnlinkUnusedControlArea proc near	; CODE XREF: MiRemoveUnusedSegment(x)+21p
					; MiReferenceActiveControlArea(x,x)+2Dp ...

; FUNCTION CHUNK AT 005C072F SIZE 00000023 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		call	_MiComputePagedPoolSegmentBytes@4 ; MiComputePagedPoolSegmentBytes(x)
		test	dword ptr [esi+1Ch], 40000h
		mov	edi, eax
		jnz	loc_5C072F

loc_4AA926:				; CODE XREF: MiUnlinkUnusedControlArea+115E2Aj
					; MiUnlinkUnusedControlArea+115E41j
		lea	eax, [esi+4]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_4AA95C
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_4AA95C
		mov	[ecx], edx
		mov	[edx+4], ecx
		and	dword ptr [esi+1Ch], 0F7FFFFFFh
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, offset dword_6CF3CC
		sub	dword_6D5260, edi
		neg	edi
		lock xadd [eax], edi
		pop	edi
		pop	esi
		retn
; 

loc_4AA95C:				; CODE XREF: MiUnlinkUnusedControlArea+22j
					; MiUnlinkUnusedControlArea+29j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
MiUnlinkUnusedControlArea endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertUnusedSubsection(x,	x)
_MiInsertUnusedSubsection@8 proc near	; CODE XREF: MiDereferenceControlAreaPfnList+D7p
					; MiDeleteVad(x,x,x)+123Fp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, [edi+1Ch]
		mov	esi, eax
		shl	esi, 3
		mov	[ebp+var_8], eax
		cmp	esi, 0FF0h
		ja	short loc_4AA9FE
		add	esi, 0Fh
		and	esi, 0FFFFFFF8h

loc_4AA99C:				; CODE XREF: MiInsertUnusedSubsection(x,x)+B0j
					; MiInsertUnusedSubsection(x,x)+BEj
		push	offset unk_6D5180
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		or	word ptr [edi+12h], 8
		mov	eax, offset dword_6CF3CC
		add	dword_6D5260, esi
		lock xadd [eax], esi
		xor	esi, esi
		lea	eax, [edi+34h]
		cmp	[edi+40h], esi
		jz	short loc_4AAA25
		mov	ecx, dword_6D5270
		mov	edx, offset unk_6D526C
		cmp	[ecx], edx
		jnz	loc_4AAA6B
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6D5270, eax

loc_4AA9E3:				; CODE XREF: MiInsertUnusedSubsection(x,x)+F0j
					; MiInsertUnusedSubsection(x,x)+F9j
		push	offset unk_6D5180
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		cmp	[ebp+var_4], 1
		jz	short loc_4AAA5D

loc_4AA9F3:				; CODE XREF: MiInsertUnusedSubsection(x,x)+107j
		pop	edi
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4AA9FE:				; CODE XREF: MiInsertUnusedSubsection(x,x)+32j
		mov	eax, esi
		and	eax, 0FFFh
		cmp	eax, 0FE0h
		ja	short loc_4AAA14
		cmp	esi, 10000h
		jb	short loc_4AA99C

loc_4AAA14:				; CODE XREF: MiInsertUnusedSubsection(x,x)+A8j
		add	esi, 0FFFh
		and	esi, 0FFFFF000h
		jmp	loc_4AA99C
; 

loc_4AAA25:				; CODE XREF: MiInsertUnusedSubsection(x,x)+60j
		mov	ecx, dword_6D5278
		mov	edx, offset unk_6D5274
		cmp	[ecx], edx
		jnz	short loc_4AAA6B
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6D5278, eax
		mov	eax, dword_6D51C0
		add	eax, [ebp+var_8]
		mov	dword_6D51C0, eax
		cmp	eax, 20000h
		jb	short loc_4AA9E3
		mov	[ebp+var_4], 1
		jmp	short loc_4AA9E3
; 

loc_4AAA5D:				; CODE XREF: MiInsertUnusedSubsection(x,x)+8Fj
		push	esi
		push	esi
		push	offset unk_6D51A0
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_4AA9F3
; 

loc_4AAA6B:				; CODE XREF: MiInsertUnusedSubsection(x,x)+6Fj
					; MiInsertUnusedSubsection(x,x)+D0j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_MiInsertUnusedSubsection@8 endp	; AL = character to display


MiInsertUnusedSegment:			; CODE XREF: MiCheckControlArea+15Fp
					; MiCheckControlArea+1BAp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	eax, [esi+1Ch]
		test	eax, 100h
		jnz	loc_4AAB14
		test	al, 20h
		jnz	short loc_4AAA99
		call	MiConvertStaticSubsections
		mov	edi, eax

loc_4AAA99:				; CODE XREF: .text:004AAA90j
		push	offset unk_6D5180
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	edx, [esi+1Ch]
		mov	ebx, 40000h
		or	edx, 8000000h
		mov	[esi+1Ch], edx
		mov	ecx, edx
		test	byte ptr dword_6D4E44, 1
		jnz	loc_5C0752

loc_4AAAC3:				; CODE XREF: .text:005C0754j
					; .text:005C075Fj
		lea	eax, [esi+4]
		test	ecx, ebx
		jnz	loc_5C0764
		mov	ecx, dword_6D5268
		mov	edx, offset unk_6D5264
		cmp	[ecx], edx
		jnz	short loc_4AAB18
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6D5268, eax

loc_4AAAE9:				; CODE XREF: .text:005C0790j
					; .text:005C07B9j
		mov	ecx, esi
		call	_MiComputePagedPoolSegmentBytes@4 ; MiComputePagedPoolSegmentBytes(x)
		mov	esi, eax
		add	dword_6D5260, esi
		push	offset unk_6D5180
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, offset dword_6CF3CC
		lock xadd [eax], esi
		mov	eax, edi

loc_4AAB0D:				; CODE XREF: .text:004AAB16j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4AAB14:				; CODE XREF: .text:004AAA88j
		xor	eax, eax
		jmp	short loc_4AAB0D
; 

loc_4AAB18:				; CODE XREF: .text:004AAADBj
					; .text:005C0771j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiCopyDataPageToImagePage(int,void *,int,int)
MiCopyDataPageToImagePage proc near	; CODE XREF: MiResolveMappedFileFault+301p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_70		= byte ptr -70h
var_6F		= byte ptr -6Fh
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_50		= byte ptr -50h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C07BE SIZE 0000021F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		lea	eax, [ebp+var_88]
		mov	byte ptr [ebp+var_14], 0
		mov	esi, ecx
		mov	ebx, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_3C], esi
		call	_memset
		mov	edi, [ebx]
		add	esp, 0Ch
		mov	ecx, [esi+88h]
		mov	[ebp+var_4], 0
		mov	[ebp+var_34], 0
		mov	[ebp+var_18], edi
		call	_MiGetSessionIdForVa@4 ; MiGetSessionIdForVa(x)
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		push	eax
		call	MiStartingOffset
		mov	[ebp+var_1C], eax
		lea	eax, [edi+24h]
		push	eax
		mov	[ebp+var_28], edx
		mov	[ebp+var_40], eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	edi, [edi+20h]
		push	offset dword_6CF3C0
		and	edi, 0FFFFFFF8h
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	eax, [edi+14h]
		mov	edi, [eax]
		test	edi, edi
		jnz	short loc_4AAC17

loc_4AABA0:				; CODE XREF: MiCopyDataPageToImagePage+102j
		push	offset dword_6CF3C0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		xor	eax, eax

loc_4AABAC:				; CODE XREF: MiCopyDataPageToImagePage+11Ej
					; MiCopyDataPageToImagePage+128j ...
		test	al, 1
		jnz	loc_4AB24E

loc_4AABB4:				; CODE XREF: MiCopyDataPageToImagePage+73Aj
		test	al, 2
		jnz	short loc_4AABC3
		push	[ebp+var_40]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, [ebp+var_4]

loc_4AABC3:				; CODE XREF: MiCopyDataPageToImagePage+96j
		mov	ecx, [ebp+var_68]
		mov	edx, 7FFFFFFFh
		test	ecx, ecx
		jnz	loc_5C099A

loc_4AABD3:				; CODE XREF: MiCopyDataPageToImagePage+115E80j
		mov	ecx, [ebp+var_64]
		test	ecx, ecx
		jnz	loc_5C09A5

loc_4AABDE:				; CODE XREF: MiCopyDataPageToImagePage+115E92j
		cmp	[ebp+var_6F], 1
		mov	esi, [ebp+var_88]
		jz	loc_5C09B7

loc_4AABEE:				; CODE XREF: MiCopyDataPageToImagePage+115EA6j
		test	esi, esi
		jnz	loc_4AB2F2

loc_4AABF6:				; CODE XREF: MiCopyDataPageToImagePage+7D8j
		mov	ecx, [ebp+var_84]
		test	ecx, ecx
		jnz	loc_4AB2FD

loc_4AAC04:				; CODE XREF: MiCopyDataPageToImagePage+7E7j
		test	al, 4
		jnz	loc_5C09CB

loc_4AAC0C:				; CODE XREF: MiCopyDataPageToImagePage+115EB8j
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4AAC17:				; CODE XREF: MiCopyDataPageToImagePage+7Ej
		lea	eax, [edi+24h]
		push	eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jz	loc_4AABA0
		push	offset dword_6CF3C0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		cmp	dword ptr [edi+10h], 0
		mov	eax, 1
		mov	[ebp+var_4], eax
		jz	loc_4AABAC
		test	byte ptr [edi+1Ch], 3
		jnz	loc_4AABAC
		mov	ecx, ebx
		call	_MiEndingOffset@4 ; MiEndingOffset(x)
		mov	ecx, [ebp+var_28]
		mov	ebx, eax
		mov	eax, [ebp+var_1C]
		shrd	eax, ecx, 0Ch
		mov	ecx, ebx
		mov	[ebp+var_38], edx
		mov	edx, eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_C], eax
		add	ecx, 0FFFFFFFFh
		mov	eax, [ebp+var_38]
		adc	eax, 0FFFFFFFFh
		mov	[ebp+var_20], ebx
		mov	ebx, [edi+6Ch]
		shrd	ecx, eax, 0Ch
		xor	eax, eax
		cmp	edx, ecx
		mov	[ebp+var_30], ecx
		lea	ecx, [edi+50h]
		setz	al
		mov	[ebp+var_10], ecx
		lea	eax, ds:1[eax*8]
		mov	[ebp+var_4], eax
		cmp	edx, ebx
		jnb	loc_4AB280

loc_4AACA3:				; CODE XREF: MiCopyDataPageToImagePage+778j
		cmp	dword ptr [ecx+40h], 0
		lea	ebx, [ebp+var_88]
		mov	[ebp+var_24], 2
		jz	loc_4AAD8B
		lea	ebx, [ebx+0]

loc_4AACC0:				; CODE XREF: MiCopyDataPageToImagePage+262j
		mov	eax, [ecx+4]
		mov	[ebp+var_44], eax
		test	eax, eax
		jz	loc_4AAD88
		lea	ecx, [eax+edx*8]
		test	ecx, ecx
		jz	loc_4AAD88
		mov	eax, [ebp+arg_0]
		mov	edx, ecx
		shr	edx, 9
		shr	eax, 9
		and	edx, offset loc_7FFFF8
		and	eax, offset loc_7FFFF8
		mov	[ebx+8], ecx
		cmp	eax, edx
		jz	loc_4AB1FF
		lea	eax, [ebp+var_88]
		cmp	ebx, eax
		jnz	loc_4AB1EC

loc_4AAD08:				; CODE XREF: MiCopyDataPageToImagePage+6D9j
		push	ebx
		lea	eax, [ebp+var_34]
		push	eax
		call	MiTryLockProtoPoolPageAtDpc
		test	eax, eax
		js	short loc_4AAD88
		mov	eax, [ebp+var_34]
		mov	[ebx+4], eax

loc_4AAD1C:				; CODE XREF: MiCopyDataPageToImagePage+6E5j
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_4AAD88
		test	byte ptr [eax+16h], 20h
		jnz	short loc_4AAD88
		test	byte ptr [eax+17h], 40h
		jnz	short loc_4AAD88
		mov	ecx, 7FFFh
		cmp	[eax+14h], cx
		jnb	short loc_4AAD88
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_44]
		mov	eax, [ecx+edx*8]
		nop
		mov	ecx, [ecx+edx*8+4]
		mov	[ebx+10h], eax
		lea	eax, [ebp+var_88]
		mov	[ebx+14h], ecx
		cmp	ebx, eax
		jnz	short loc_4AAD93
		test	[ebp+var_1C], 0FFFh
		jz	short loc_4AAD93
		mov	eax, [ebp+var_2C]
		cmp	eax, [ebp+var_30]
		jz	short loc_4AAD93
		mov	ecx, [ebp+var_10]
		inc	edx
		inc	[ebp+var_24]
		add	ebx, 20h
		mov	[ebp+var_C], edx
		cmp	edx, [ecx+1Ch]
		jnb	loc_4AB320

loc_4AAD7E:				; CODE XREF: MiCopyDataPageToImagePage+80Dj
		cmp	dword ptr [ecx+40h], 0
		jnz	loc_4AACC0

loc_4AAD88:				; CODE XREF: MiCopyDataPageToImagePage+1A8j
					; MiCopyDataPageToImagePage+1B3j ...
		mov	eax, [ebp+var_4]

loc_4AAD8B:				; CODE XREF: MiCopyDataPageToImagePage+194j
		mov	[ebp+var_4], eax
		jmp	loc_4AABAC
; 

loc_4AAD93:				; CODE XREF: MiCopyDataPageToImagePage+235j
					; MiCopyDataPageToImagePage+23Ej ...
		lea	eax, [edi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, [ebp+var_18]
		push	[ebp+var_40]
		inc	dword ptr [eax+10h]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, [ebp+var_4]
		lea	ecx, [ebp+var_88]
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_10], ecx
		or	eax, 6
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		mov	ebx, [ebp+var_88]
		mov	[ebp+var_2C], eax
		test	ebx, ebx
		jz	loc_4AAE5F

loc_4AADD6:				; CODE XREF: MiCopyDataPageToImagePage+31Fj
		mov	eax, [ecx+10h]
		and	eax, 1
		mov	[ebp+var_5], 0
		or	eax, 0
		jnz	short loc_4AAE12
		cmp	[ebx+14h], ax
		jnz	short loc_4AAE12
		mov	al, [ebx+17h]
		xor	edx, edx
		shr	al, 3
		and	al, 1
		mov	[ecx+18h], al
		mov	ecx, ebx
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		test	eax, eax
		jz	loc_5C07BE
		and	dword ptr [ebx+10h], 0C0000000h
		mov	[ebp+var_5], 1

loc_4AAE12:				; CODE XREF: MiCopyDataPageToImagePage+2C3j
					; MiCopyDataPageToImagePage+2C9j
		xor	edx, edx
		mov	ecx, ebx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		test	eax, eax
		jz	loc_5C07CF
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_88]
		mov	byte ptr [ecx+19h], 1
		cmp	ecx, eax
		jnz	short loc_4AAE43
		mov	ebx, [ecx+20h]
		add	ecx, 20h
		mov	[ebp+var_10], ecx
		test	ebx, ebx
		jnz	short loc_4AADD6
		jmp	short loc_4AAE59
; 

loc_4AAE43:				; CODE XREF: MiCopyDataPageToImagePage+312j
		lea	eax, [ebx+10h]
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		mov	ecx, [ecx+4]
		test	ecx, ecx
		jnz	loc_4AB30C

loc_4AAE59:				; CODE XREF: MiCopyDataPageToImagePage+321j
					; MiCopyDataPageToImagePage+7FBj
		mov	ebx, [ebp+var_88]

loc_4AAE5F:				; CODE XREF: MiCopyDataPageToImagePage+2B0j
		or	dword ptr [esi+78h], 20h
		lea	eax, [ebx+10h]
		mov	[ebp+var_C], ebx
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	ecx, [ebp+var_84]
		test	ecx, ecx
		jz	short loc_4AAE82
		mov	dl, 2
		call	MiUnlockProtoPoolPage

loc_4AAE82:				; CODE XREF: MiCopyDataPageToImagePage+359j
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_30], 0
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [eax+ecx*4]
		lea	eax, [edi+10h]
		lock bts dword ptr [eax], 1Fh
		jb	loc_5C07FA

loc_4AAEAB:				; CODE XREF: MiCopyDataPageToImagePage+115CFBj
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		push	0FFFFFFFFh
		call	_MiInitializeTransitionPfn@12 ;	MiInitializeTransitionPfn(x,x,x)
		mov	al, [edi+16h]
		mov	ecx, [ebp+arg_4]
		and	al, 0FAh
		or	al, 2
		mov	[edi+16h], al
		mov	eax, 1
		mov	[edi+14h], ax
		mov	al, [edi+16h]
		or	al, 20h
		mov	[edi+16h], al
		lea	eax, [esi+10h]
		mov	[edi], eax
		test	cl, 1
		jnz	loc_4AB2D8

loc_4AAEE4:				; CODE XREF: MiCopyDataPageToImagePage+7BEj
					; MiCopyDataPageToImagePage+7CDj
		mov	eax, [esi+78h]
		lea	edx, [edi+10h]
		shr	eax, 9
		xor	al, [edi+17h]
		and	al, 7
		xor	[edi+17h], al
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx]
		nop
		mov	edx, [ecx+4]
		mov	[esi+8Ch], ecx
		mov	ecx, [ebp+var_2C]
		mov	[esi+60h], eax
		mov	[esi+64h], edx
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 2
		jl	loc_4AB26E

loc_4AAF23:				; CODE XREF: MiCopyDataPageToImagePage+755j
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		mov	ecx, [ebp+arg_C]
		mov	dword ptr [esi+0A8h], 0
		mov	dword ptr [esi+0ACh], 20h
		mov	dword ptr [esi+0B8h], 0
		mov	dword ptr [esi+0C0h], 0
		mov	dword ptr [esi+0BCh], 1000h
		mov	[esi+0C4h], eax
		call	_MiObtainProtoReference@8 ; MiObtainProtoReference(x,x)
		mov	ecx, [ebp+arg_C]
		mov	dl, 2
		call	MiUnlockProtoPoolPage
		or	word ptr [esi+0AEh], 42h
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_18]
		mov	edx, [ebp+var_24]
		mov	[esi+38h], eax
		mov	eax, [ebp+var_28]
		mov	[esi+3Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+90h], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+80h], ecx
		mov	ecx, offset dword_6D35E0
		mov	[esi+94h], edi
		mov	dword ptr [esi+7Ch], 0
		mov	[esi+5Ch], eax
		call	MiReservePtes
		mov	edi, eax
		test	edi, edi
		jz	loc_5C0990
		mov	ecx, [ebp+var_1C]
		mov	edx, [ebp+arg_8]
		and	ecx, 0FFFh
		shl	eax, 9
		add	ecx, 1000h
		mov	[ebp+var_18], eax
		add	eax, ecx
		push	0A0000004h
		mov	ecx, edi
		mov	[ebp+arg_4], eax
		call	MiMakeValidPte
		mov	ecx, edi
		mov	ebx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5C0820

loc_4AAFFC:				; CODE XREF: MiCopyDataPageToImagePage+115D49j
					; MiCopyDataPageToImagePage+115D57j ...
		xor	ecx, ecx

loc_4AAFFE:				; CODE XREF: MiCopyDataPageToImagePage+115D15j
					; MiCopyDataPageToImagePage+115D22j ...
		mov	[edi+4], edx
		nop
		mov	[edi], ebx
		test	ecx, ecx
		jnz	loc_5C0888

loc_4AB00C:				; CODE XREF: MiCopyDataPageToImagePage+115D71j
		mov	ecx, [ebp+var_C]
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		push	20000001h
		lea	eax, [ecx+edx]
		sar	eax, 4
		lea	ecx, [edi+8]
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	MiMakeValidPte
		lea	ecx, [edi+8]
		mov	[ebp+arg_0], eax
		mov	[ebp+arg_8], 0
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5C0896
		mov	ecx, [ebp+arg_0]

loc_4AB053:				; CODE XREF: MiCopyDataPageToImagePage+115D90j
					; MiCopyDataPageToImagePage+115D9Ej ...
		mov	[edi+0Ch], edx
		nop
		cmp	[ebp+arg_8], 0
		mov	[edi+8], ecx
		jnz	loc_5C0904

loc_4AB064:				; CODE XREF: MiCopyDataPageToImagePage+115DEEj
		mov	ecx, [ebp+var_68]
		test	ecx, ecx
		jz	short loc_4AB0C0
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		push	20000001h
		lea	eax, [ecx+edx]
		sar	eax, 4
		lea	ecx, [edi+10h]
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	MiMakeValidPte
		lea	ecx, [edi+10h]
		mov	[ebp+arg_0], eax
		mov	[ebp+arg_8], 0
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5C0913
		mov	ecx, [ebp+arg_0]

loc_4AB0AF:				; CODE XREF: MiCopyDataPageToImagePage+115E0Dj
					; MiCopyDataPageToImagePage+115E1Bj ...
		mov	[edi+14h], edx
		nop
		cmp	[ebp+arg_8], 0
		mov	[edi+10h], ecx
		jnz	loc_5C0981

loc_4AB0C0:				; CODE XREF: MiCopyDataPageToImagePage+549j
					; MiCopyDataPageToImagePage+115E6Bj
		mov	edx, [ebp+var_1C]
		mov	eax, edx
		mov	ecx, [ebp+var_28]
		add	eax, 1000h
		adc	ecx, 0
		cmp	ecx, [ebp+var_38]
		ja	loc_4AB2A0
		jb	short loc_4AB0E4
		cmp	eax, [ebp+var_20]
		ja	loc_4AB2A0

loc_4AB0E4:				; CODE XREF: MiCopyDataPageToImagePage+5B9j
		mov	ebx, [ebp+var_18]
		push	1000h		; size_t
		push	[ebp+arg_4]	; void *
		push	ebx		; void *
		call	_memcpy

loc_4AB0F5:				; CODE XREF: MiCopyDataPageToImagePage+7B3j
		add	esp, 0Ch
		mov	edx, edi
		mov	ecx, offset dword_6D35E0
		push	[ebp+var_24]
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		inc	large dword ptr	fs:3E20h
		xor	eax, eax
		mov	ebx, [ebp+var_88]

loc_4AB116:				; CODE XREF: MiCopyDataPageToImagePage+115E75j
		xor	edi, edi
		mov	[esi+30h], eax
		cmp	[ebp+var_70], 0
		mov	[ebp+arg_0], edi
		jz	loc_4AB25F

loc_4AB128:				; CODE XREF: MiCopyDataPageToImagePage+749j
		call	_MiCreateDecayPfn@0 ; MiCreateDecayPfn()
		mov	edi, eax
		mov	[ebp+arg_0], eax

loc_4AB132:				; CODE XREF: MiCopyDataPageToImagePage+743j
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jz	short loc_4AB1A5
		lea	esi, [ebp+var_88]
		nop

loc_4AB140:				; CODE XREF: MiCopyDataPageToImagePage+680j
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, ebx
		mov	byte ptr [ebp+var_14], al
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		test	eax, eax
		jz	loc_4AB22D
		test	edi, edi
		jz	loc_4AB20A
		cmp	byte ptr [esi+18h], 0
		jz	loc_4AB20A
		test	dword ptr [ebx+10h], 40000000h
		jnz	loc_4AB20A
		push	[ebp+var_14]
		lea	edx, [ebp+var_C]
		mov	ecx, edi
		push	1
		call	MiInsertAndUnlockStandbyPages
		mov	byte ptr [ebp+var_14], 21h

loc_4AB18B:				; CODE XREF: MiCopyDataPageToImagePage+729j
		lea	eax, [ebp+var_88]
		cmp	esi, eax
		jnz	short loc_4AB1A2
		mov	ebx, [esi+20h]
		add	esi, 20h
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jnz	short loc_4AB140

loc_4AB1A2:				; CODE XREF: MiCopyDataPageToImagePage+673j
		mov	esi, [ebp+var_3C]

loc_4AB1A5:				; CODE XREF: MiCopyDataPageToImagePage+617j
		test	edi, edi
		jz	short loc_4AB1B0
		mov	ecx, edi
		call	MiDecayPfnFullyInitialized

loc_4AB1B0:				; CODE XREF: MiCopyDataPageToImagePage+687j
		mov	ecx, [ebp+arg_C]
		lea	edx, [ebp+var_14]
		call	_MiRelockProtoPoolPage@8 ; MiRelockProtoPoolPage(x,x)
		mov	dl, byte ptr [ebp+var_14]
		mov	ecx, [ebp+arg_C]
		and	dword ptr [esi+78h], 0FFFFFFDFh
		call	MiUnlockProtoPoolPage
		push	0
		push	0
		lea	ecx, [esi+10h]
		mov	dword ptr [esi+34h], 1000h
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		pop	esi
		mov	eax, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4AB1EC:				; CODE XREF: MiCopyDataPageToImagePage+1E2j
		mov	eax, [ebx-18h]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		cmp	eax, edx
		jnz	loc_4AAD08

loc_4AB1FF:				; CODE XREF: MiCopyDataPageToImagePage+1D4j
		push	ebx
		call	MiTryLockLeafPage
		jmp	loc_4AAD1C
; 

loc_4AB20A:				; CODE XREF: MiCopyDataPageToImagePage+63Bj
					; MiCopyDataPageToImagePage+645j ...
		mov	edi, ebx
		mov	eax, 92492493h
		sub	edi, ds:_MmPfnDatabase
		mov	ecx, ebx
		imul	edi
		lea	eax, [edi+edx]
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	MiPfnReferenceCountIsZero

loc_4AB22D:				; CODE XREF: MiCopyDataPageToImagePage+633j
		mov	cl, byte ptr [ebp+var_14]
		cmp	cl, 21h
		jz	short loc_4AB246
		lea	eax, [ebx+10h]
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4AB246:				; CODE XREF: MiCopyDataPageToImagePage+713j
		mov	edi, [ebp+arg_0]
		jmp	loc_4AB18B
; 

loc_4AB24E:				; CODE XREF: MiCopyDataPageToImagePage+8Ej
		lea	eax, [edi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, [ebp+var_4]
		jmp	loc_4AABB4
; 

loc_4AB25F:				; CODE XREF: MiCopyDataPageToImagePage+602j
		cmp	[ebp+var_50], 0
		jz	loc_4AB132
		jmp	loc_4AB128
; 

loc_4AB26E:				; CODE XREF: MiCopyDataPageToImagePage+3FDj
		or	dword ptr [esi+78h], 80h
		jmp	loc_4AAF23
; 
		align 10h

loc_4AB280:				; CODE XREF: MiCopyDataPageToImagePage+17Dj
					; MiCopyDataPageToImagePage+77Ej
		mov	ecx, [ecx+8]
		sub	edx, ebx
		mov	[ebp+var_C], edx
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	loc_4AABAC
		mov	ebx, [ecx+1Ch]
		cmp	edx, ebx
		jb	loc_4AACA3
		jmp	short loc_4AB280
; 

loc_4AB2A0:				; CODE XREF: MiCopyDataPageToImagePage+5B3j
					; MiCopyDataPageToImagePage+5BEj
		mov	eax, [ebp+var_20]
		mov	ebx, [ebp+var_18]
		sub	eax, edx
		and	eax, 0FFFh
		push	eax		; size_t
		push	[ebp+arg_4]	; void *
		mov	[ebp+var_20], eax
		push	ebx		; void *
		call	_memcpy
		mov	ecx, [ebp+var_20]
		add	esp, 0Ch
		mov	eax, 1000h
		sub	eax, ecx
		push	eax		; size_t
		lea	eax, [ebx+ecx]
		push	0		; int
		push	eax		; void *
		call	_memset
		jmp	loc_4AB0F5
; 

loc_4AB2D8:				; CODE XREF: MiCopyDataPageToImagePage+3BEj
		and	ecx, 0FFFFFFFEh
		cmp	byte ptr [ecx],	1
		jnz	loc_4AAEE4
		call	_MiAdvanceFaultList@4 ;	MiAdvanceFaultList(x)
		or	dword ptr [esi+78h], 8
		jmp	loc_4AAEE4
; 

loc_4AB2F2:				; CODE XREF: MiCopyDataPageToImagePage+D0j
		lea	ecx, [esi+10h]
		lock and [ecx],	edx
		jmp	loc_4AABF6
; 

loc_4AB2FD:				; CODE XREF: MiCopyDataPageToImagePage+DEj
		mov	dl, 2
		call	MiUnlockProtoPoolPage
		mov	eax, [ebp+var_4]
		jmp	loc_4AAC04
; 

loc_4AB30C:				; CODE XREF: MiCopyDataPageToImagePage+333j
		call	_MiUnlockNestedProtoPoolPage@4 ; MiUnlockNestedProtoPoolPage(x)
		mov	eax, [ebp+var_10]
		mov	dword ptr [eax+4], 0
		jmp	loc_4AAE59
; 

loc_4AB320:				; CODE XREF: MiCopyDataPageToImagePage+258j
		mov	ecx, [ecx+8]
		xor	edx, edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jnz	loc_4AAD7E
		jmp	loc_4AAD88
MiCopyDataPageToImagePage endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDereferencePageRunsEx	proc near	; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+6CDp
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+7A9p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C09DD SIZE 00000062 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		lea	edi, [esi-8]
		mov	eax, [edi]
		mov	[ebp+var_8], eax
		add	eax, 70h
		push	eax
		call	ExAcquireSpinLockExclusive
		dec	dword ptr [esi-4]
		mov	esi, [esi-4]
		neg	esi
		mov	[ebp+var_1], al
		sbb	esi, esi
		not	esi
		and	esi, edi
		mov	[ebp+var_10], esi
		test	ebx, ebx
		jz	loc_5C09DD
		mov	ecx, [ebp+var_8]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		cmp	ecx, offset _MiSystemPartition
		jnz	loc_5C09F7

loc_4AB38D:				; CODE XREF: MiDereferencePageRunsEx+1156DAj
		sub	dword_6D4E5C, 1
		jnz	short loc_4AB3C7
		mov	ebx, dword_6D4E74
		and	dword_6D4E74, 0

loc_4AB3A3:				; CODE XREF: MiDereferencePageRunsEx+92j
		push	offset unk_6D4EB0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	edi
		test	ebx, ebx
		jnz	loc_5C0A17

loc_4AB3BA:				; CODE XREF: MiDereferencePageRunsEx+1156BAj
					; MiDereferencePageRunsEx+1156F5j
		test	esi, esi
		jnz	loc_5C0A32

loc_4AB3C2:				; CODE XREF: MiDereferencePageRunsEx+115702j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4AB3C7:				; CODE XREF: MiDereferencePageRunsEx+5Cj
		mov	ebx, [ebp+var_C]
		jmp	short loc_4AB3A3
MiDereferencePageRunsEx	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReferencePageRuns proc near		; CODE XREF: .text:0046F26Dp
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+2DEp ...

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C0A3F SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	offset unk_6D4EB0
		mov	ebx, edx
		mov	edi, ecx
		call	ExAcquireSpinLockExclusive
		mov	[esp+10h+var_1], al
		mov	eax, offset _MiSystemPartition
		cmp	edi, eax
		jnz	loc_5C0A3F

loc_4AB3F7:				; CODE XREF: MiReferencePageRuns+115681j
		cmp	ebx, 1
		jz	short loc_4AB440
		mov	esi, ds:_MmPhysicalMemoryBlock
		cmp	edi, eax
		jnz	short loc_4AB445

loc_4AB406:				; CODE XREF: MiReferencePageRuns+77j
					; MiReferencePageRuns+7Cj
		test	esi, esi
		jz	short loc_4AB413
		inc	dword ptr [esi-4]
		inc	dword_6D4E5C

loc_4AB413:				; CODE XREF: MiReferencePageRuns+3Cj
		cmp	edi, eax
		jnz	loc_5C0A52

loc_4AB41B:				; CODE XREF: MiReferencePageRuns+11568Fj
		push	offset unk_6D4EB0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+10h+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	loc_5C0A60

loc_4AB437:				; CODE XREF: MiReferencePageRuns+1156A2j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4AB440:				; CODE XREF: MiReferencePageRuns+2Ej
		mov	esi, [edi+18h]
		jmp	short loc_4AB406
; 

loc_4AB445:				; CODE XREF: MiReferencePageRuns+38j
		mov	esi, [edi+38h]
		jmp	short loc_4AB406
MiReferencePageRuns endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReferenceControlArea proc near	; CODE XREF: MiCreateImageOrDataSection+156p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C0A73 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		push	7
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		pop	ecx
		test	dword ptr [ebx+8], 1000000h
		rep stosd
		mov	eax, [ebx+24h]
		mov	[ebp+var_C], eax
		mov	esi, [eax+14h]
		jz	short loc_4AB479
		add	esi, 8

loc_4AB479:				; CODE XREF: MiReferenceControlArea+2Aj
					; MiReferenceControlArea+198j
		push	offset dword_6CF3C0
		call	ExAcquireSpinLockExclusive
		mov	edi, [esi]
		mov	[ebp+var_1], al
		mov	[ebp+var_8], edi
		test	edi, edi
		jz	short loc_4AB4F7
		lea	eax, [edi+24h]
		push	eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jz	loc_4AB5CF
		test	ds:byte_70EFC6,	1
		jnz	loc_5C0A73
		mov	dword_6CF3C0, 0

loc_4AB4B7:				; CODE XREF: MiReferenceControlArea+115636j
		mov	eax, [edi+1Ch]
		mov	ecx, eax
		shr	ecx, 1
		or	ecx, eax
		test	cl, 1
		jnz	short loc_4AB524
		mov	edx, edi
		mov	ecx, ebx
		call	_MiReferenceActiveControlArea@8	; MiReferenceActiveControlArea(x,x)
		mov	esi, eax
		lea	eax, [edi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)

loc_4AB4E9:				; CODE XREF: MiReferenceControlArea+D8j
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		xor	eax, eax

loc_4AB4F0:				; CODE XREF: MiReferenceControlArea+180j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4AB4F7:				; CODE XREF: MiReferenceControlArea+43j
		mov	edi, [ebp+var_10]
		xor	edx, edx
		push	0
		mov	ecx, esi
		mov	[esi], edi
		call	KeAbPreAcquire
		test	eax, eax
		jz	short loc_4AB50F
		or	byte ptr [eax+0Eh], 1

loc_4AB50F:				; CODE XREF: MiReferenceControlArea+BFj
		push	offset dword_6CF3C0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4AB4E9
; 

loc_4AB524:				; CODE XREF: MiReferenceControlArea+79j
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edi, eax
		test	edi, edi
		jz	short loc_4AB53C
		mov	ecx, edi
		call	_KeAbPreWait@4	; KeAbPreWait(x)

loc_4AB53C:				; CODE XREF: MiReferenceControlArea+E9j
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_18]
		and	[ebp+var_1C], 0
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], eax
		mov	word ptr [ebp+var_20], 107h
		mov	byte ptr [ebp+var_20+2], 4
		mov	[ebp+var_28], 1
		mov	eax, [ecx+2Ch]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_2C]
		mov	[ecx+2Ch], eax
		lea	eax, [ecx+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	byte ptr [ebx],	1
		jnz	short loc_4AB59B
		mov	ecx, large fs:124h
		mov	eax, [ebx+78h]
		push	[ebp+var_C]
		mov	[ecx+2D4h], eax
		call	FsRtlReleaseFile
		and	dword ptr [ebx], 0FFFFFFFDh

loc_4AB59B:				; CODE XREF: MiReferenceControlArea+134j
		push	ecx
		push	12h
		pop	edx
		lea	ecx, [ebp+var_20]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		test	edi, edi
		jz	short loc_4AB5BF
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edx, edi
		mov	ecx, esi
		call	KeAbPostReleaseEx

loc_4AB5BF:				; CODE XREF: MiReferenceControlArea+15Fj
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		mov	eax, 0C000022Dh
		jmp	loc_4AB4F0
; 

loc_4AB5CF:				; CODE XREF: MiReferenceControlArea+50j
		push	offset dword_6CF3C0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4AB479
MiReferenceControlArea endp

; 
		align 10h
; Exported entry 426. ExReleaseSpinLockExclusiveFromDpcLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExReleaseSpinLockExclusiveFromDpcLevel
ExReleaseSpinLockExclusiveFromDpcLevel proc near ; CODE	XREF: MiReturnSystemVa(x,x,x,x)+114p
					; MiMakeSystemRangeAvailable+A6p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A806B SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	ds:byte_70EFC6,	1
		jnz	loc_5A806B
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 0

loc_4AB60C:				; CODE XREF: ExReleaseSpinLockExclusiveFromDpcLevel+FCA86j
		pop	ecx
		pop	ebp
		retn	4
ExReleaseSpinLockExclusiveFromDpcLevel endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiReleaseControlAreaWaiters(x)
_MiReleaseControlAreaWaiters@4 proc near ; CODE	XREF: MiWriteComplete+626p
					; MiReferenceControlArea+9Ap ...
		test	ecx, ecx
		jnz	short loc_4AB617
		retn
; 

loc_4AB617:				; CODE XREF: MiReleaseControlAreaWaiters(x)+2j
		push	esi

loc_4AB618:				; CODE XREF: MiReleaseControlAreaWaiters(x)+17j
		mov	esi, [ecx]
		xor	edx, edx
		add	ecx, 0Ch
		inc	edx
		call	KeSignalGate
		mov	ecx, esi
		test	esi, esi
		jnz	short loc_4AB618
		pop	esi
		retn
_MiReleaseControlAreaWaiters@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiReferenceActiveControlArea(x, x)
_MiReferenceActiveControlArea@8	proc near ; CODE XREF: MiReferenceControlArea+7Fp
					; MiReferenceExistingControlArea+3Cp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	ebx, ecx
		push	4
		pop	edx
		mov	ecx, esi
		call	_MiBuildWakeList@8 ; MiBuildWakeList(x,x)
		inc	dword ptr [esi+0Ch]
		mov	edi, eax
		test	dword ptr [esi+1Ch], 8000000h
		jz	short loc_4AB66A
		push	offset unk_6D5180
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	ecx, esi
		call	MiUnlinkUnusedControlArea
		push	offset unk_6D5180
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_4AB66A:				; CODE XREF: MiReferenceActiveControlArea(x,x)+1Fj
		test	byte ptr [ebx],	1
		jnz	short loc_4AB678
		inc	dword ptr [esi+18h]

loc_4AB672:				; CODE XREF: MiReferenceActiveControlArea(x,x)+51j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4AB678:				; CODE XREF: MiReferenceActiveControlArea(x,x)+3Fj
		or	dword ptr [esi+1Ch], 8000h
		jmp	short loc_4AB672
_MiReferenceActiveControlArea@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiBuildWakeList(x, x)
_MiBuildWakeList@8 proc	near		; CODE XREF: MiPrepareSegmentForDeletion(x,x)+2Ep
					; MiDecrementModifiedWriteCount(x,x)+1Fp ...
		mov	edi, edi
		push	esi
		push	edi
		lea	edi, [ecx+2Ch]
		xor	esi, esi
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_4AB696

loc_4AB691:				; CODE XREF: MiBuildWakeList(x,x)+2Aj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_4AB696:				; CODE XREF: MiBuildWakeList(x,x)+Dj
					; MiBuildWakeList(x,x)+2Cj
		mov	ecx, [eax]
		test	[eax+4], edx
		jz	short loc_4AB6B9
		test	dl, 4
		jnz	short loc_4AB6B0
		mov	[eax], esi
		mov	esi, eax
		mov	[edi], ecx

loc_4AB6A8:				; CODE XREF: MiBuildWakeList(x,x)+35j
					; MiBuildWakeList(x,x)+39j
		mov	eax, ecx
		test	ecx, ecx
		jz	short loc_4AB691
		jmp	short loc_4AB696
; 

loc_4AB6B0:				; CODE XREF: MiBuildWakeList(x,x)+1Ej
		mov	dword ptr [eax+8], 1
		jmp	short loc_4AB6A8
; 

loc_4AB6B9:				; CODE XREF: MiBuildWakeList(x,x)+19j
		mov	edi, eax
		jmp	short loc_4AB6A8
_MiBuildWakeList@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiComputePagedPoolSegmentBytes(x)
_MiComputePagedPoolSegmentBytes@4 proc near ; CODE XREF: MiUnlinkUnusedControlArea+6p
					; .text:004AAAEBp
		mov	eax, ecx
		test	byte ptr [eax+1Ch], 20h
		jnz	short loc_4AB6CA
		push	28h
		pop	eax
		retn
; 

loc_4AB6CA:				; CODE XREF: MiComputePagedPoolSegmentBytes(x)+6j
		xor	ecx, ecx
		add	eax, 50h
		jz	short loc_4AB6DB

loc_4AB6D1:				; CODE XREF: MiComputePagedPoolSegmentBytes(x)+1Bj
		add	ecx, [eax+1Ch]
		mov	eax, [eax+8]
		test	eax, eax
		jnz	short loc_4AB6D1

loc_4AB6DB:				; CODE XREF: MiComputePagedPoolSegmentBytes(x)+11j
		shl	ecx, 3
		cmp	ecx, 0FF0h
		ja	short loc_4AB6F0
		add	ecx, 0Fh
		and	ecx, 0FFFFFFF8h

loc_4AB6EC:				; CODE XREF: MiComputePagedPoolSegmentBytes(x)+46j
					; MiComputePagedPoolSegmentBytes(x)+54j
		lea	eax, [ecx+78h]
		retn
; 

loc_4AB6F0:				; CODE XREF: MiComputePagedPoolSegmentBytes(x)+26j
		mov	eax, ecx
		and	eax, 0FFFh
		cmp	ecx, 10000h
		jnb	short loc_4AB706
		cmp	eax, 0FE0h
		jbe	short loc_4AB6EC

loc_4AB706:				; CODE XREF: MiComputePagedPoolSegmentBytes(x)+3Fj
		add	ecx, 0FFFh
		and	ecx, 0FFFFF000h
		jmp	short loc_4AB6EC
_MiComputePagedPoolSegmentBytes@4 endp

; 
		align 10h
; Exported entry 313. ExAcquireSpinLockExclusiveAtDpcLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExAcquireSpinLockExclusiveAtDpcLevel
ExAcquireSpinLockExclusiveAtDpcLevel proc near ; CODE XREF: MiRecycleSystemRegionVa(x,x)+13p
					; KeSetDisableQuantumProcess(x,x)+22p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A807B SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	ds:byte_70EFC6,	21h
		jnz	loc_5A807B
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_4], 0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4AB782
		mov	edx, [esi]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_4AB760

loc_4AB755:				; CODE XREF: ExAcquireSpinLockExclusiveAtDpcLevel+60j
					; ExAcquireSpinLockExclusiveAtDpcLevel+7Dj
		pop	esi

loc_4AB756:				; CODE XREF: ExAcquireSpinLockExclusiveAtDpcLevel+FC966j
		mov	esp, ebp
		pop	ebp
		retn	4
; 
		align 10h

loc_4AB760:				; CODE XREF: ExAcquireSpinLockExclusiveAtDpcLevel+33j
					; ExAcquireSpinLockExclusiveAtDpcLevel+5Ej ...
		test	edx, 40000000h
		jz	short loc_4AB7A1

loc_4AB768:				; CODE XREF: ExAcquireSpinLockExclusiveAtDpcLevel+91j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]

loc_4AB772:				; CODE XREF: ExAcquireSpinLockExclusiveAtDpcLevel+93j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_4AB760
		jmp	short loc_4AB755
; 

loc_4AB782:				; CODE XREF: ExAcquireSpinLockExclusiveAtDpcLevel+23j
		or	dl, 0FFh
		mov	ecx, esi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	edx, [esi]
		mov	[ebp+var_4], eax
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jz	short loc_4AB755
		jmp	short loc_4AB760
; 

loc_4AB7A1:				; CODE XREF: ExAcquireSpinLockExclusiveAtDpcLevel+46j
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_4AB768
		jmp	short loc_4AB772
ExAcquireSpinLockExclusiveAtDpcLevel endp

; 
		align 2

;  S U B	R O U T	I N E 


MiObtainProtoBaseFromNode proc near	; CODE XREF: MiUpdateSystemProtoPtesTree(x,x)+12p
					; MiGetPrototypePteRanges+4Dp ...

; FUNCTION CHUNK AT 005C0A85 SIZE 00000017 BYTES

		mov	eax, [ecx+0Ch]
		push	esi
		and	eax, 7
		xor	esi, esi
		push	edi
		mov	edi, edx
		sub	eax, esi
		jz	short loc_4AB7D8
		sub	eax, 1
		jnz	short loc_4AB7E0
		mov	edx, [ecx-24h]
		mov	esi, [ecx-0Ch]

loc_4AB7D1:				; CODE XREF: MiObtainProtoBaseFromNode+28j
					; MiObtainProtoBaseFromNode+42j ...
		mov	[edi], esi
		mov	eax, edx

loc_4AB7D5:				; CODE XREF: MiObtainProtoBaseFromNode+1152D6j
		pop	edi
		pop	esi
		retn
; 

loc_4AB7D8:				; CODE XREF: MiObtainProtoBaseFromNode+Ej
		mov	edx, [ecx-40h]
		mov	esi, [ecx-28h]
		jmp	short loc_4AB7D1
; 

loc_4AB7E0:				; CODE XREF: MiObtainProtoBaseFromNode+13j
		sub	eax, 1
		jnz	short loc_4AB7FA
		mov	eax, [ecx-28h]
		add	eax, 50h
		mov	edx, [eax+4]

loc_4AB7EE:				; CODE XREF: MiObtainProtoBaseFromNode+40j
		add	esi, [eax+1Ch]
		mov	eax, [eax+8]
		test	eax, eax
		jnz	short loc_4AB7EE
		jmp	short loc_4AB7D1
; 

loc_4AB7FA:				; CODE XREF: MiObtainProtoBaseFromNode+2Dj
		sub	eax, 1
		jnz	loc_5C0A85
		mov	edx, [ecx+18h]
		mov	esi, [ecx+10h]
		jmp	short loc_4AB7D1
MiObtainProtoBaseFromNode endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiReduceUnusedSubsectionCount(x)
_MiReduceUnusedSubsectionCount@4 proc near ; CODE XREF:	.text:004AA652p
					; MiDeleteEmptySubsections(x)+8Fp ...
		mov	ecx, [ecx+1Ch]
		shl	ecx, 3
		cmp	ecx, 0FF0h
		ja	short loc_4AB834
		add	ecx, 0Fh
		and	ecx, 0FFFFFFF8h

loc_4AB820:				; CODE XREF: MiReduceUnusedSubsectionCount(x)+3Cj
					; MiReduceUnusedSubsectionCount(x)+4Aj
		mov	eax, ecx
		mov	edx, offset dword_6CF3CC
		neg	eax
		lock xadd [edx], eax
		sub	dword_6D5260, ecx
		retn
; 

loc_4AB834:				; CODE XREF: MiReduceUnusedSubsectionCount(x)+Cj
		mov	eax, ecx
		and	eax, 0FFFh
		cmp	eax, 0FE0h
		ja	short loc_4AB84A
		cmp	ecx, 10000h
		jb	short loc_4AB820

loc_4AB84A:				; CODE XREF: MiReduceUnusedSubsectionCount(x)+34j
		add	ecx, 0FFFh
		and	ecx, 0FFFFF000h
		jmp	short loc_4AB820
_MiReduceUnusedSubsectionCount@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiConvertStaticSubsections proc	near	; CODE XREF: .text:004AAA92p

; FUNCTION CHUNK AT 005C0A9C SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	esi, [ecx+50h]
		push	edi
		mov	edi, ebx

loc_4AB86B:				; CODE XREF: MiConvertStaticSubsections+20j
		movzx	eax, word ptr [esi+12h]
		test	al, 8
		jz	short loc_4AB883

loc_4AB873:				; CODE XREF: MiConvertStaticSubsections+32j
					; MiConvertStaticSubsections+65j ...
		mov	esi, [esi+8]
		test	esi, esi
		jnz	short loc_4AB86B
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4AB883:				; CODE XREF: MiConvertStaticSubsections+19j
		test	al, 1
		jnz	short loc_4AB891
		cmp	[esi+4], ebx
		jz	short loc_4AB873
		jmp	loc_5C0AAE
; 

loc_4AB891:				; CODE XREF: MiConvertStaticSubsections+2Dj
		mov	ecx, [esi+20h]
		test	ecx, 3FFFFFFFh
		jnz	loc_5C0A9C

loc_4AB8A0:				; CODE XREF: MiConvertStaticSubsections+115251j
		push	ebx
		push	dword ptr [esi+1Ch]
		and	eax, 0FFFEh
		mov	dword ptr [esi+3Ch], 1
		mov	ecx, esi
		mov	[esi+12h], ax
		call	_MiRemoveViewsFromSection@16 ; MiRemoveViewsFromSection(x,x,x,x)
		add	edi, eax
		jmp	short loc_4AB873
MiConvertStaticSubsections endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFlushRelease(x, x, x)
_MiFlushRelease@12 proc	near		; CODE XREF: MmFlushSection+132p
					; MmTrimSection(x,x,x,x)+6Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		lea	eax, [esi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		test	edi, edi
		jz	short loc_4AB8F0
		push	ecx
		mov	edx, edi
		mov	ecx, edi
		call	_MiDecrementSubsections@12 ; MiDecrementSubsections(x,x,x)
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		call	_MiDecrementSubsections@12 ; MiDecrementSubsections(x,x,x)

loc_4AB8F0:				; CODE XREF: MiFlushRelease(x,x,x)+19j
		dec	dword ptr [esi+14h]
		mov	dl, bl
		mov	ecx, esi
		call	MiCheckControlArea
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MiFlushRelease@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDecrementSubsections(x, x, x)
_MiDecrementSubsections@12 proc	near	; CODE XREF: MmPurgeSection+25Bp
					; MmPurgeSection+266p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		xor	edi, edi
		mov	eax, [esi]
		mov	eax, [eax+20h]
		mov	[ebp+var_4], eax

loc_4AB91C:				; CODE XREF: MiDecrementSubsections(x,x,x)+56j
		cmp	dword ptr [esi+4], 0
		jz	short loc_4AB937
		mov	ecx, esi
		call	MiDecrementSubsectionViewCount
		add	edi, eax
		cmp	[ebp+var_4], 0
		jz	short loc_4AB937
		cmp	dword ptr [esi+3Ch], 0
		jz	short loc_4AB944

loc_4AB937:				; CODE XREF: MiDecrementSubsections(x,x,x)+1Cj
					; MiDecrementSubsections(x,x,x)+2Bj ...
		cmp	esi, ebx
		jnz	short loc_4AB955

loc_4AB93B:				; CODE XREF: MiDecrementSubsections(x,x,x)+58j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4AB944:				; CODE XREF: MiDecrementSubsections(x,x,x)+31j
		test	byte ptr [esi+12h], 1
		jnz	short loc_4AB937
		mov	ecx, esi
		call	_MiInsertUnusedSubsection@8 ; MiInsertUnusedSubsection(x,x)
		add	edi, eax
		jmp	short loc_4AB937
; 

loc_4AB955:				; CODE XREF: MiDecrementSubsections(x,x,x)+35j
		mov	esi, [esi+8]
		test	esi, esi
		jnz	short loc_4AB91C
		jmp	short loc_4AB93B
_MiDecrementSubsections@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRemoveViewsFromSection(x,	x, x, x)
_MiRemoveViewsFromSection@16 proc near	; CODE XREF: MmUnmapViewInSystemCache+3AEp
					; MiRemoveMappedPtes+179p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	eax, [esi]
		mov	eax, [eax+20h]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4], eax

loc_4AB97E:				; CODE XREF: MiRemoveViewsFromSection(x,x,x,x)+72j
		mov	ecx, esi
		call	MiDecrementSubsectionViewCount
		add	edi, eax
		cmp	[ebp+var_8], 0
		jz	short loc_4AB993
		cmp	dword ptr [esi+3Ch], 0
		jz	short loc_4AB9B2

loc_4AB993:				; CODE XREF: MiRemoveViewsFromSection(x,x,x,x)+2Dj
					; MiRemoveViewsFromSection(x,x,x,x)+58j ...
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		or	eax, ecx
		jz	short loc_4AB9CB
		mov	eax, [esi+1Ch]
		test	ecx, ecx
		jb	short loc_4AB9A9
		ja	short loc_4AB9C3
		cmp	ebx, eax
		ja	short loc_4AB9C3

loc_4AB9A9:				; CODE XREF: MiRemoveViewsFromSection(x,x,x,x)+43j
					; MiRemoveViewsFromSection(x,x,x,x)+74j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4AB9B2:				; CODE XREF: MiRemoveViewsFromSection(x,x,x,x)+33j
		test	byte ptr [esi+12h], 1
		jnz	short loc_4AB993
		mov	ecx, esi
		call	_MiInsertUnusedSubsection@8 ; MiInsertUnusedSubsection(x,x)
		add	edi, eax
		jmp	short loc_4AB993
; 

loc_4AB9C3:				; CODE XREF: MiRemoveViewsFromSection(x,x,x,x)+45j
					; MiRemoveViewsFromSection(x,x,x,x)+49j
		sub	ebx, eax
		sbb	ecx, 0
		mov	[ebp+var_4], ecx

loc_4AB9CB:				; CODE XREF: MiRemoveViewsFromSection(x,x,x,x)+3Cj
		mov	esi, [esi+8]
		test	esi, esi
		jnz	short loc_4AB97E
		jmp	short loc_4AB9A9
_MiRemoveViewsFromSection@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiDecrementSubsectionViewCount proc near ; CODE	XREF: MiDeleteVad(x,x,x)+1228p
					; MiFlushSectionInternal+6A8p ...
		mov	eax, [ecx]
		cmp	dword ptr [eax+20h], 0
		jz	short loc_4ABA18
		mov	eax, [eax+1Ch]
		test	al, 20h
		jnz	short loc_4ABA18
		test	byte ptr [ecx+12h], 1
		jnz	short loc_4AB9FF
		cmp	dword ptr [ecx+3Ch], 0
		jz	loc_5C0AC7

loc_4AB9FF:				; CODE XREF: MiDecrementSubsectionViewCount+13j
		test	al, 20h
		jnz	short loc_4ABA18
		test	byte ptr [ecx+12h], 1
		jnz	short loc_4ABA18
		mov	eax, [ecx+3Ch]
		test	eax, eax
		jz	loc_5C0AC7
		dec	eax
		mov	[ecx+3Ch], eax

loc_4ABA18:				; CODE XREF: MiDecrementSubsectionViewCount+6j
					; MiDecrementSubsectionViewCount+Dj ...
		xor	eax, eax
		retn
MiDecrementSubsectionViewCount endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockSectionControlArea proc near	; CODE XREF: MiComputeFlushRange(x,x,x,x,x)+15p
					; MmEnoughMemoryForWrite+1Cp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], esi

loc_4ABA2E:				; CODE XREF: MiLockSectionControlArea+90j
		push	offset dword_6CF3C0
		call	ExAcquireSpinLockExclusive
		cmp	[ebp+var_4], 1
		mov	bl, al
		mov	eax, [ebp+arg_0]
		mov	[eax], bl
		jnz	short loc_4ABA77
		mov	esi, [esi]

loc_4ABA47:				; CODE XREF: MiLockSectionControlArea+5Ej
		test	esi, esi
		jz	short loc_4ABA7C
		lea	eax, [esi+24h]
		push	eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jz	short loc_4ABA92
		test	ds:byte_70EFC6,	1
		jnz	loc_5C0AD9
		mov	dword_6CF3C0, 0

loc_4ABA6F:				; CODE XREF: MiConvertStaticSubsections+11528Ej
		mov	eax, esi

loc_4ABA71:				; CODE XREF: MiLockSectionControlArea+74j
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4ABA77:				; CODE XREF: MiLockSectionControlArea+27j
		mov	esi, [esi+8]
		jmp	short loc_4ABA47
; 

loc_4ABA7C:				; CODE XREF: MiLockSectionControlArea+2Dj
		push	offset dword_6CF3C0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		jmp	short loc_4ABA71
; 

loc_4ABA92:				; CODE XREF: MiLockSectionControlArea+3Aj
		mov	eax, [ebp+arg_0]
		push	offset dword_6CF3C0
		mov	bl, [eax]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_8]
		jmp	short loc_4ABA2E
MiLockSectionControlArea endp


;  S U B	R O U T	I N E 


; __stdcall KiAcquireReleaseObjectRundownLockExclusive(x)
_KiAcquireReleaseObjectRundownLockExclusive@4 proc near
					; CODE XREF: KeRundownQueueEx(x,x)+47p
					; .text:004F2001p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		shr	esi, 4
		and	esi, 3Fh
		shl	esi, 6
		add	esi, offset _KiObjectRundownLocks
		push	esi
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	esi
		retn
_KiAcquireReleaseObjectRundownLockExclusive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSectionCreated proc near		; CODE XREF: MiCreateNewSection(x,x)+1D8p

var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C0AEB SIZE 00000071 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_24], ebx
		lea	eax, [esi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	edx, large fs:124h
		mov	[ebp+var_2], al
		mov	eax, [esi+1Ch]
		test	byte ptr [edx+304h], 40h
		jnz	short loc_4ABB75

loc_4ABB04:				; CODE XREF: MiSectionCreated+ADj
		mov	edi, [ebx+14h]
		test	al, 20h
		jnz	loc_4ABCF3
		mov	edi, [edi]
		lea	ebx, [edi+24h]
		push	ebx
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	eax, [edi+2Ch]
		mov	[ebp+var_28], eax

loc_4ABB20:				; CODE XREF: MiSectionCreated+239j
		mov	eax, [edi+20h]
		push	offset dword_6CF3C0
		mov	[esi+20h], eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		test	byte ptr [esi+1Ch], 20h
		mov	edi, [ebp+var_24]
		push	offset dword_6CF3C0
		mov	edi, [edi+14h]
		jnz	short loc_4ABB7F
		mov	[edi], esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		and	dword ptr [esi+1Ch], 0FFFFFFFDh
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	KeAbPostRelease

loc_4ABB6B:				; CODE XREF: MiSectionCreated+E0j
		mov	eax, [ebp+var_28]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4ABB75:				; CODE XREF: MiSectionCreated+32j
		or	eax, 200h
		mov	[esi+1Ch], eax
		jmp	short loc_4ABB04
; 

loc_4ABB7F:				; CODE XREF: MiSectionCreated+6Fj
		mov	[edi+8], esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [esi+54h]
		mov	eax, [esi+6Ch]
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_18], ebx
		mov	[ebp+var_2C], eax

loc_4ABBAE:				; CODE XREF: MiSectionCreated+21Ej
		test	edi, edi
		jz	short loc_4ABB6B
		test	byte ptr [edi+6], 4
		jnz	loc_4ABCE9
		push	edi
		push	dword ptr [edi+0Ch]
		call	MmUnmapLockedPages
		mov	eax, [edi+8]
		mov	cl, 21h
		mov	edx, [edi+14h]
		and	[ebp+var_14], 0
		and	[ebp+var_20], 0
		shr	edx, 0Ch
		lea	ebx, [ebx+eax*8]
		mov	[ebp+var_10], eax
		lea	eax, [edi+1Ch]
		mov	[ebp+var_24], edx
		mov	byte ptr [ebp+var_1], cl
		mov	[ebp+var_8], eax
		test	edx, edx
		jz	loc_4ABCE6
		mov	edi, [ebp+var_20]

loc_4ABBF5:				; CODE XREF: MiSectionCreated+1FFj
		mov	eax, [eax]
		mov	edx, [ebp+var_2C]
		mov	[ebp+var_3C], eax
		imul	eax, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_C], eax
		cmp	[ebp+var_10], edx
		jnb	loc_5C0AEB
		mov	eax, ebx
		and	eax, 0FFFFF000h
		cmp	eax, edi
		jz	short loc_4ABC47
		test	edi, edi
		jnz	loc_5C0B02

loc_4ABC25:				; CODE XREF: MiSectionCreated+11503Cj
					; MiSectionCreated+11504Dj
		lea	edx, [ebp+var_1]
		mov	ecx, ebx
		call	MiLockProtoPoolPage
		mov	esi, eax
		mov	[ebp+var_14], esi
		test	esi, esi
		jz	loc_5C0B11
		mov	esi, [ebp+var_1C]
		mov	edi, ebx
		and	edi, 0FFFFF000h

loc_4ABC47:				; CODE XREF: MiSectionCreated+14Bj
		xor	edx, edx
		mov	ecx, ebx
		call	MiLockLeafPage
		mov	edx, [ebx]
		nop
		mov	ecx, [ebx+4]
		mov	[ebp+var_34], ecx
		test	eax, eax
		jnz	loc_5C0B22
		and	edx, 400h
		or	edx, eax
		jz	loc_5C0B2F

loc_4ABC6F:				; CODE XREF: MiSectionCreated+115064j
		mov	eax, [ebp+var_C]
		and	[ebp+var_34], 0
		add	eax, 10h
		mov	[ebp+var_20], eax
		lock bts dword ptr [eax], 1Fh
		jb	loc_5C0B3C

loc_4ABC87:				; CODE XREF: MiSectionCreated+115087j
		mov	ecx, [ebp+var_3C]
		mov	edx, ebx
		push	0FFFFFFFFh
		call	_MiInitializeTransitionPfn@12 ;	MiInitializeTransitionPfn(x,x,x)
		mov	eax, [ebp+var_20]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	eax, [ebp+var_C]
		mov	eax, [eax+8]
		and	eax, 400h
		or	eax, 0
		jz	short loc_4ABCB9
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	_MiReferenceControlAreaPfn@12 ;	MiReferenceControlAreaPfn(x,x,x)

loc_4ABCB9:				; CODE XREF: MiSectionCreated+1DCj
		mov	eax, [ebp+var_8]

loc_4ABCBC:				; CODE XREF: MiSectionCreated+11502Dj
		mov	cl, byte ptr [ebp+var_1]
		add	eax, 4
		add	ebx, 8
		mov	[ebp+var_8], eax
		inc	[ebp+var_10]
		sub	[ebp+var_24], 1
		jnz	loc_4ABBF5
		test	edi, edi
		mov	edi, [ebp+arg_0]
		jz	short loc_4ABCE6
		mov	dl, cl
		mov	ecx, [ebp+var_14]
		call	MiUnlockProtoPoolPage

loc_4ABCE6:				; CODE XREF: MiSectionCreated+11Cj
					; MiSectionCreated+20Aj
		mov	ebx, [ebp+var_18]

loc_4ABCE9:				; CODE XREF: MiSectionCreated+E6j
		mov	edi, [edi]
		mov	[ebp+arg_0], edi
		jmp	loc_4ABBAE
; 

loc_4ABCF3:				; CODE XREF: MiSectionCreated+39j
		mov	edi, [edi+8]
		lea	ebx, [edi+24h]
		push	ebx
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	eax, [edi+2Ch]
		and	[ebp+var_28], 0
		mov	[esi+2Ch], eax
		jmp	loc_4ABB20
MiSectionCreated endp


;  S U B	R O U T	I N E 


CcDeductDirtyPages proc	near		; CODE XREF: CcDeleteMbcb+5Fp
					; CcAcquireByteRangeForWrite+274p ...

; FUNCTION CHUNK AT 005C0B5C SIZE 00000056 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		test	edi, edi
		jz	loc_5C0B5C
		call	CcGetPartition

loc_4ABD23:				; CODE XREF: CcDeductDirtyPages+114E56j
		sub	[eax+198h], esi
		test	edi, edi
		jz	short loc_4ABD53
		cmp	esi, 0FFFFFFFFh
		jnb	loc_5C0B69
		sub	[edi+4Ch], esi
		neg	esi
		mov	eax, [edi+164h]
		mov	ecx, esi
		add	eax, 14h
		lock xadd [eax], ecx
		test	dword ptr [edi+60h], 1000000h
		jnz	short loc_4ABD56

loc_4ABD53:				; CODE XREF: CcDeductDirtyPages+1Dj
					; CcDeductDirtyPages+55j
		pop	edi
		pop	esi
		retn
; 

loc_4ABD56:				; CODE XREF: CcDeductDirtyPages+43j
		mov	eax, [edi+98h]
		add	eax, 0Ch
		lock xadd [eax], esi
		jmp	short loc_4ABD53
CcDeductDirtyPages endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcAcquireByteRangeForWrite proc	near	; CODE XREF: CcNotifyOfMappedWrite+332p
					; .text:004ACDA5p

var_C8		= dword	ptr -0C8h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= byte ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch

; FUNCTION CHUNK AT 005C0C14 SIZE 000000AC BYTES
; FUNCTION CHUNK AT 005C0D62 SIZE 000000AA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1C00
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0A8h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_3C], edx
		mov	[ebp+var_20], ecx
		mov	eax, dword ptr [ebp+arg_C]
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_58], 0
		xor	eax, eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_98], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_94], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_50], eax
		xor	ebx, ebx
		xor	esi, esi
		mov	[ebp+var_24], eax
		mov	[ebp+var_A0], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_9C], eax
		mov	[ebp+var_60], eax
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_28], eax
		mov	[ebp+var_A8], eax
		mov	eax, 7FFFFFFFh
		mov	[ebp+var_34], eax
		mov	[ebp+var_A4], eax
		xor	eax, eax
		lea	edi, [ebp+var_78]
		stosd
		stosd
		stosd
		cmp	[ebp+arg_14], bl
		jnz	loc_4AC35E

loc_4ABE22:				; CODE XREF: CcAcquireByteRangeForWrite+603j
		call	CcGetPartition
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		mov	[eax+4], ebx
		mov	edi, dword ptr [ebp+arg_C]
		mov	[edi], ebx
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jnz	loc_4AC4DF

loc_4ABE42:				; CODE XREF: CcAcquireByteRangeForWrite+791j
					; sub_5C0BB2+5Dj
		mov	eax, [ebp+var_20]
		add	eax, 0B4h
		mov	[ebp+var_4C], eax
		mov	ecx, eax
		call	ExAcquireFastMutex
		mov	edx, [ebp+var_20]
		mov	eax, [edx+68h]
		mov	[ebp+var_44], eax
		test	eax, eax
		jz	loc_4AC176
		cmp	dword ptr [eax+8], 0
		jz	loc_4AC176
		mov	edx, [ebp+arg_0]
		cmp	dword ptr [eax+4], 0
		jnz	short loc_4ABE80
		test	edx, edx
		jz	loc_4AC176

loc_4ABE80:				; CODE XREF: CcAcquireByteRangeForWrite+106j
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jnz	loc_4AC50D
		mov	[ebp+var_24], eax
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx
		test	edx, edx
		jnz	short loc_4ABEA6
		mov	ecx, [ebp+var_44]
		mov	eax, [ecx+18h]
		mov	[ebp+var_24], eax
		mov	ecx, [ecx+1Ch]
		mov	[ebp+var_1C], ecx

loc_4ABEA6:				; CODE XREF: CcAcquireByteRangeForWrite+125j
		push	ecx
		push	eax
		mov	ecx, [ebp+var_44]
		call	_CcFindBitmapRangeToClean@12 ; CcFindBitmapRangeToClean(x,x,x)
		mov	edx, eax
		mov	[ebp+var_40], eax
		mov	ecx, [edx+14h]
		mov	ebx, [edx+8]
		mov	eax, [edx+0Ch]
		mov	[ebp+var_30], eax
		mov	esi, ecx
		xor	eax, eax
		add	esi, ebx
		adc	eax, [ebp+var_30]
		cmp	[ebp+var_1C], eax
		mov	edi, dword ptr [ebp+arg_C]
		jl	short loc_4ABEE1
		jg	loc_4AC7B1
		cmp	[ebp+var_24], esi
		ja	loc_4AC7B1

loc_4ABEE1:				; CODE XREF: CcAcquireByteRangeForWrite+160j
					; CcAcquireByteRangeForWrite+A51j
		mov	esi, [edx+1Ch]

loc_4ABEE4:				; CODE XREF: CcAcquireByteRangeForWrite+86Fj
		shr	ecx, 5
		lea	eax, [esi+ecx*4]

loc_4ABEEA:				; CODE XREF: CcAcquireByteRangeForWrite+9CDj
		mov	[ebp+var_50], eax
		mov	eax, [edx+10h]
		add	eax, ebx
		mov	ecx, 0
		adc	ecx, [ebp+var_30]
		cmp	[ebp+var_1C], ecx
		jg	short loc_4ABF0E
		jl	loc_4AC645
		cmp	[ebp+var_24], eax
		jb	loc_4AC645

loc_4ABF0E:				; CODE XREF: CcAcquireByteRangeForWrite+18Dj
					; CcAcquireByteRangeForWrite+8DBj
		mov	ecx, [ebp+var_24]
		mov	eax, ecx
		sub	eax, [edx+8]
		mov	[ebp+var_60], eax
		shr	eax, 5
		lea	ebx, [esi+eax*4]
		push	0
		push	20h
		push	[ebp+var_1C]
		push	ecx
		call	__allrem
		or	esi, 0FFFFFFFFh
		mov	ecx, eax
		shl	esi, cl
		mov	eax, [ebx]
		mov	ecx, [ebp+var_24]
		test	eax, esi
		jz	loc_4AC768

loc_4ABF40:				; CODE XREF: CcAcquireByteRangeForWrite+A1Dj
		not	esi
		inc	esi
		test	eax, esi
		jz	loc_4AC696

loc_4ABF4B:				; CODE XREF: CcAcquireByteRangeForWrite+942j
		mov	edx, [ebp+var_3C]
		test	edx, edx
		jnz	loc_4AC5E4

loc_4ABF56:				; CODE XREF: CcAcquireByteRangeForWrite+8AAj
					; CcAcquireByteRangeForWrite+114EFBj ...
		test	_gCcTrace, 1
		jnz	loc_5C0D6A

loc_4ABF63:				; CODE XREF: CcAcquireByteRangeForWrite+11503Dj
		test	[ebx], esi
		jz	short loc_4ABFA4

loc_4ABF67:				; CODE XREF: CcAcquireByteRangeForWrite+232j
		test	edx, edx
		jnz	loc_4AC0D6

loc_4ABF6F:				; CODE XREF: CcAcquireByteRangeForWrite+398j
					; CcAcquireByteRangeForWrite+3A1j
		mov	eax, [ebp+var_40]
		mov	ecx, [eax+14h]
		shr	ecx, 5
		mov	eax, [eax+1Ch]
		lea	eax, [eax+ecx*4]
		cmp	ebx, eax
		ja	loc_5C0DB2
		test	edx, edx
		jnz	short loc_4ABF94
		mov	eax, [edi]
		cmp	eax, _CcMaxLazyWritePages
		jnb	short loc_4ABFA4

loc_4ABF94:				; CODE XREF: CcAcquireByteRangeForWrite+218j
		sub	[ebx], esi
		inc	dword ptr [edi]
		add	esi, esi
		jz	loc_4AC331

loc_4ABFA0:				; CODE XREF: CcAcquireByteRangeForWrite+5CCj
		test	[ebx], esi
		jnz	short loc_4ABF67

loc_4ABFA4:				; CODE XREF: CcAcquireByteRangeForWrite+1F5j
					; CcAcquireByteRangeForWrite+222j ...
		mov	eax, [edi]
		mov	edx, [ebp+var_44]
		mov	ecx, [edx+4]
		cmp	eax, ecx
		jb	loc_4AC6DF
		xor	ecx, ecx

loc_4ABFB6:				; CODE XREF: CcAcquireByteRangeForWrite+971j
		mov	[edx+4], ecx
		mov	ecx, [edx+8]
		cmp	ecx, eax
		jb	loc_5C0DD7
		sub	ecx, eax
		mov	[edx+8], ecx
		mov	ebx, [ebp+var_40]
		sub	[ebx+18h], eax
		mov	ecx, [ebp+var_6C]
		add	ecx, 40h
		lea	edx, [ebp+var_78]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, [edi]
		mov	esi, [ebp+var_20]
		mov	ecx, esi
		call	CcDeductDirtyPages
		mov	edx, [ebp+var_6C]
		mov	eax, [edx+144h]
		mov	ecx, [edi]
		cmp	eax, ecx
		ja	loc_4AC506
		xor	eax, eax

loc_4ABFFE:				; CODE XREF: CcAcquireByteRangeForWrite+798j
		mov	[edx+144h], eax
		cmp	dword ptr [esi+4Ch], 0
		jnz	short loc_4AC011
		mov	ecx, esi
		call	CcInsertIntoCleanSharedCacheMapList

loc_4AC011:				; CODE XREF: CcAcquireByteRangeForWrite+298j
		test	ds:byte_70EFC6,	1
		jnz	loc_5C0DC7
		mov	eax, [ebp+var_78]
		test	eax, eax
		jnz	loc_4AC79A
		mov	edx, [ebp+var_74]
		lea	eax, [ebp+var_78]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_78]
		cmp	eax, ecx
		jnz	loc_4AC792

loc_4AC040:				; CODE XREF: CcAcquireByteRangeForWrite+A3Cj
					; CcAcquireByteRangeForWrite+115062j
		mov	cl, [ebp+var_70]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	dword ptr [ebx+18h], 0
		jnz	loc_4AC65C
		mov	dword ptr [ebx+10h], 0FFFFFFFFh
		mov	dword ptr [ebx+14h], 0
		mov	ecx, [ebx+8]
		add	ecx, 1000h
		mov	eax, [ebx+0Ch]
		adc	eax, 0
		mov	edx, [ebp+var_44]
		mov	[edx+18h], ecx
		mov	[edx+1Ch], eax

loc_4AC079:				; CODE XREF: CcAcquireByteRangeForWrite+90Bj
		mov	ebx, [ebp+var_24]

loc_4AC07C:				; CODE XREF: CcAcquireByteRangeForWrite+921j
		lea	eax, [esi+10h]
		cmp	[eax], eax
		jnz	short loc_4AC089
		mov	eax, [edx+4]
		mov	[esi+78h], eax

loc_4AC089:				; CODE XREF: CcAcquireByteRangeForWrite+311j
		lea	ecx, [esi+0B4h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		shl	dword ptr [edi], 0Ch
		mov	eax, [ebp+var_1C]
		shld	eax, ebx, 0Ch
		shl	ebx, 0Ch
		mov	ecx, [ebp+arg_8]
		mov	[ecx], ebx
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_10]
		mov	dword ptr [eax], 0

loc_4AC0B2:				; CODE XREF: CcAcquireByteRangeForWrite+588j
					; CcAcquireByteRangeForWrite+5BCj ...
		cmp	[ebp+arg_14], 0
		jnz	loc_4AC347

loc_4AC0BC:				; CODE XREF: CcAcquireByteRangeForWrite+5E9j
		cmp	dword ptr [edi], 0
		setnz	al
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4AC0D6:				; CODE XREF: CcAcquireByteRangeForWrite+1F9j
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		add	ecx, [edx]
		adc	eax, [edx+4]
		add	ecx, 0FFFh
		adc	eax, 0
		shrd	ecx, eax, 0Ch
		mov	eax, [edi]
		mov	dword ptr [ebp+arg_C], eax
		xor	eax, eax
		mov	edx, [ebp+var_24]
		add	dword ptr [ebp+arg_C], edx
		adc	eax, [ebp+var_1C]
		test	eax, eax
		mov	edx, [ebp+var_3C]
		jg	loc_4ABFA4
		jl	loc_4ABF6F
		cmp	dword ptr [ebp+arg_C], ecx
		jb	loc_4ABF6F
		jmp	loc_4ABFA4
; 

loc_4AC11C:				; CODE XREF: CcAcquireByteRangeForWrite+A97j
		mov	eax, [ecx+10h]
		mov	[ebp+var_48], eax
		mov	edx, [ecx+8]
		mov	[ebp+var_38], edx
		mov	edx, [ecx+0Ch]
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], eax
		xor	eax, eax
		mov	edx, [ebp+var_38]
		add	[ebp+var_2C], edx
		adc	eax, [ebp+var_30]
		cmp	[ebp+var_34], eax
		mov	edx, [ebp+var_28]
		jl	short loc_4AC176
		jg	short loc_4AC14B
		cmp	edx, [ebp+var_2C]
		jb	short loc_4AC176

loc_4AC14B:				; CODE XREF: CcAcquireByteRangeForWrite+3D4j
		mov	eax, [ecx+14h]
		mov	[ebp+var_54], eax
		mov	[ebp+var_2C], eax
		xor	eax, eax
		mov	edx, [ebp+var_38]
		add	[ebp+var_2C], edx
		adc	eax, [ebp+var_30]
		cmp	[ebp+var_1C], eax
		jg	short loc_4AC176
		jl	loc_5C0C14
		mov	eax, [ebp+var_24]
		cmp	eax, [ebp+var_2C]
		jbe	loc_5C0C14

loc_4AC176:				; CODE XREF: CcAcquireByteRangeForWrite+EFj
					; CcAcquireByteRangeForWrite+F9j ...
		mov	eax, [ebp+var_20]
		add	eax, 10h
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_7C]
		sub	eax, 0FFFFFF80h
		mov	[ebp+var_34], eax
		jmp	short loc_4AC190
; 
		align 10h

loc_4AC190:				; CODE XREF: CcAcquireByteRangeForWrite+418j
					; CcAcquireByteRangeForWrite+960j
		mov	ecx, [ebp+var_20]
		mov	ecx, [ecx+14h]
		sub	ecx, 10h
		mov	[ebp+var_28], ecx
		mov	[ebp+var_58], ecx
		mov	edx, [ebp+var_20]
		test	dword ptr [edx+60h], 200h
		mov	edx, [ebp+var_3C]
		jz	short loc_4AC20A
		test	edx, edx
		jnz	loc_4AC6D5

loc_4AC1B6:				; CODE XREF: CcAcquireByteRangeForWrite+96Aj
		mov	edx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_48], eax
		mov	eax, edx
		or	eax, [ebp+var_48]
		jz	short loc_4AC20A
		add	edx, 1000h
		mov	eax, [ebp+var_48]
		adc	eax, 0
		mov	[ebp+var_B0], edx
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_B0]
		push	eax
		mov	edx, [ebp+var_34]
		mov	ecx, [ebp+var_20]
		call	CcFindBcb
		test	al, al
		jnz	loc_4AC72A
		mov	eax, [ebp+var_58]
		mov	ecx, [eax+14h]
		sub	ecx, 10h
		mov	[ebp+var_58], ecx

loc_4AC207:				; CODE XREF: CcAcquireByteRangeForWrite+9BDj
		mov	[ebp+var_28], ecx

loc_4AC20A:				; CODE XREF: CcAcquireByteRangeForWrite+43Cj
					; CcAcquireByteRangeForWrite+453j
		lea	eax, [ecx+10h]
		mov	edx, [ebp+var_30]
		cmp	eax, edx
		jz	loc_4AC2B8
		jmp	short loc_4AC220
; 
		align 10h

loc_4AC220:				; CODE XREF: CcAcquireByteRangeForWrite+4A8j
					; CcAcquireByteRangeForWrite+4CBj
		mov	eax, 2FDh
		cmp	[ecx], ax
		jz	short loc_4AC23F

loc_4AC22A:				; CODE XREF: CcAcquireByteRangeForWrite+72Dj
		mov	ecx, [ecx+14h]

loc_4AC22D:				; CODE XREF: CcAcquireByteRangeForWrite+9B5j
					; CcAcquireByteRangeForWrite+ADBj
		add	ecx, 0FFFFFFF0h
		mov	[ebp+var_28], ecx
		mov	[ebp+var_58], ecx
		lea	eax, [ecx+10h]
		cmp	eax, edx
		jnz	short loc_4AC220
		jmp	short loc_4AC2B8
; 

loc_4AC23F:				; CODE XREF: CcAcquireByteRangeForWrite+4B8j
		mov	eax, [ebp+var_20]
		test	dword ptr [eax+60h], 1000000h
		jz	short loc_4AC276
		cmp	[ebp+arg_4], 0
		jz	short loc_4AC276
		mov	eax, [ecx+2Ch]
		mov	edx, [ebp+arg_4]
		cmp	eax, [edx+4]
		mov	edx, [ebp+var_30]
		jl	short loc_4AC276
		jg	loc_4AC71C
		mov	eax, [ecx+28h]
		mov	edx, [ebp+arg_4]
		cmp	eax, [edx]
		mov	edx, [ebp+var_30]
		ja	loc_4AC71C

loc_4AC276:				; CODE XREF: CcAcquireByteRangeForWrite+4D9j
					; CcAcquireByteRangeForWrite+4DFj ...
		mov	edx, [ebp+var_3C]
		test	edx, edx
		jnz	loc_4AC6E6

loc_4AC281:				; CODE XREF: CcAcquireByteRangeForWrite+995j
					; CcAcquireByteRangeForWrite+9A7j
		mov	eax, [edi]
		test	eax, eax
		jz	loc_4AC378
		cmp	byte ptr [ecx+2], 0
		jz	short loc_4AC2B8
		mov	edx, [ecx+8]
		mov	[ebp+var_48], edx
		mov	edx, [ecx+0Ch]
		mov	[ebp+var_54], edx
		xor	edx, edx
		mov	edi, [ebp+arg_8]
		add	eax, [edi]
		adc	edx, [edi+4]
		cmp	[ebp+var_48], eax
		mov	edi, dword ptr [ebp+arg_C]
		jnz	short loc_4AC2B8
		cmp	[ebp+var_54], edx
		jz	loc_4AC625

loc_4AC2B8:				; CODE XREF: CcAcquireByteRangeForWrite+4A2j
					; CcAcquireByteRangeForWrite+4CDj ...
		cmp	[ebp+var_5C], 0
		jnz	loc_5C0D62
		mov	edx, [edi]
		test	edx, edx
		jnz	loc_4AC4A2
		mov	ecx, [ebp+var_20]
		sub	ecx, 0FFFFFF80h
		mov	[ebp+var_34], ecx
		mov	eax, [ecx]
		or	eax, [ecx+4]
		jnz	loc_4AC6B7

loc_4AC2E0:				; CODE XREF: CcAcquireByteRangeForWrite+736j
					; CcAcquireByteRangeForWrite+94Bj
		mov	ebx, [ebp+var_20]

loc_4AC2E3:				; CODE XREF: CcAcquireByteRangeForWrite+76Aj
					; CcAcquireByteRangeForWrite+8E7j
		lea	ecx, [ebx+0B4h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	edx, [ebp+var_64]
		mov	eax, edx
		mov	esi, [ebp+var_68]
		or	eax, esi
		jz	loc_4AC0B2
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_7C]
		mov	ecx, [eax+98h]
		push	esi
		push	edx
		test	dword ptr [ebx+60h], 2000000h
		jnz	loc_5C0CB4
		mov	eax, [ecx]
		push	eax
		mov	eax, [ecx+4]

loc_4AC323:				; CODE XREF: CcAcquireByteRangeForWrite+114F4Bj
		call	eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_4AC0B2
; 

loc_4AC331:				; CODE XREF: CcAcquireByteRangeForWrite+22Aj
		add	ebx, 4
		mov	esi, 1
		cmp	ebx, [ebp+var_50]
		jbe	loc_4ABFA0
		jmp	loc_4ABFA4
; 

loc_4AC347:				; CODE XREF: CcAcquireByteRangeForWrite+346j
		mov	ecx, large fs:124h
		push	0
		push	0
		mov	dl, 1
		call	PsBoostThreadIoEx
		jmp	loc_4AC0BC
; 

loc_4AC35E:				; CODE XREF: CcAcquireByteRangeForWrite+ACj
		mov	ecx, large fs:124h
		push	0
		push	0
		xor	dl, dl
		call	PsBoostThreadIoEx
		mov	ecx, [ebp+var_20]
		jmp	loc_4ABE22
; 

loc_4AC378:				; CODE XREF: CcAcquireByteRangeForWrite+515j
		cmp	byte ptr [ecx+2], 0
		jz	loc_4AC49A
		test	edx, edx
		jnz	loc_4AC742

loc_4AC38A:				; CODE XREF: CcAcquireByteRangeForWrite+9F3j
		mov	eax, [ecx+0Ch]
		mov	edx, [ebp+var_20]
		cmp	eax, [edx+84h]
		mov	edx, [ebp+var_3C]
		jl	loc_4AC49A
		jg	short loc_4AC3B6
		mov	eax, [ecx+8]
		mov	edx, [ebp+var_20]
		cmp	eax, [edx+80h]
		mov	edx, [ebp+var_3C]
		jb	loc_4AC49A

loc_4AC3B6:				; CODE XREF: CcAcquireByteRangeForWrite+62Fj
					; CcAcquireByteRangeForWrite+9EDj
		cmp	[ebp+var_5C], 0
		jnz	loc_5C0C59

loc_4AC3C0:				; CODE XREF: CcAcquireByteRangeForWrite+8CAj
					; CcAcquireByteRangeForWrite+114F01j ...
		inc	dword ptr [ecx+34h]
		mov	ecx, [ebp+var_4C]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+60h]
		and	eax, 202h
		cmp	eax, 200h
		jnz	loc_4AC7C6
		cmp	dword ptr [edi], 0
		setz	al
		movzx	eax, al
		push	eax
		mov	eax, [ebp+var_28]
		add	eax, 38h
		push	eax
		call	ExAcquireResourceExclusiveLite
		test	al, al
		jz	loc_5C0C9B
		mov	ecx, [ebp+var_4C]
		call	ExAcquireFastMutex
		mov	ecx, [ebp+var_28]
		mov	dl, [ecx+2]
		test	dl, dl
		jz	loc_4AC81D
		mov	eax, [ebp+var_20]
		test	dword ptr [eax+60h], 1000000h
		jz	short loc_4AC44C
		cmp	[ebp+arg_4], 0
		jz	short loc_4AC44C
		mov	eax, [ecx+2Ch]
		mov	ecx, [ebp+arg_4]
		cmp	eax, [ecx+4]
		mov	ecx, [ebp+var_28]
		jl	short loc_4AC44C
		jg	loc_5C0C88
		mov	eax, [ecx+28h]
		mov	ecx, [ebp+arg_4]
		cmp	eax, [ecx]
		mov	ecx, [ebp+var_28]
		ja	loc_5C0C88

loc_4AC44C:				; CODE XREF: CcAcquireByteRangeForWrite+6AFj
					; CcAcquireByteRangeForWrite+6B5j ...
		mov	[ebp+var_5C], 0
		mov	edx, [edi]
		test	edx, edx
		jnz	short loc_4AC46A
		mov	eax, [ecx+8]
		mov	edi, [ebp+arg_8]
		mov	[edi], eax
		mov	eax, [ecx+0Ch]
		mov	[edi+4], eax
		mov	edi, dword ptr [ebp+arg_C]

loc_4AC46A:				; CODE XREF: CcAcquireByteRangeForWrite+6E7j
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		mov	eax, [ecx+4]
		add	eax, edx
		mov	[edi], eax
		mov	eax, [ebp+var_20]
		test	dword ptr [eax+60h], 3000000h
		jz	short loc_4AC49A
		mov	eax, [ecx+28h]
		mov	edx, [ecx+2Ch]
		cmp	edx, [ebp+var_68]
		jl	short loc_4AC49A
		jg	short loc_4AC494
		cmp	eax, [ebp+var_64]
		jbe	short loc_4AC49A

loc_4AC494:				; CODE XREF: CcAcquireByteRangeForWrite+71Dj
		mov	[ebp+var_64], eax
		mov	[ebp+var_68], edx

loc_4AC49A:				; CODE XREF: CcAcquireByteRangeForWrite+60Cj
					; CcAcquireByteRangeForWrite+629j ...
		mov	edx, [ebp+var_30]
		jmp	loc_4AC22A
; 

loc_4AC4A2:				; CODE XREF: CcAcquireByteRangeForWrite+556j
		cmp	[ebp+var_3C], 0
		jnz	loc_4AC2E0
		mov	eax, edx
		xor	ecx, ecx
		mov	ebx, [ebp+arg_8]
		add	eax, [ebx]
		adc	ecx, [ebx+4]
		mov	ebx, [ebp+var_20]
		mov	[ebx+80h], eax
		mov	[ebx+84h], ecx
		shr	edx, 0Ch
		mov	eax, [ebx+78h]
		cmp	eax, edx
		jbe	loc_4AC650
		sub	eax, edx
		mov	[ebx+78h], eax
		jmp	loc_4AC2E3
; 

loc_4AC4DF:				; CODE XREF: CcAcquireByteRangeForWrite+CCj
		mov	[ebp+var_4], ebx
		mov	eax, [ebp+var_20]
		mov	ecx, [eax+98h]
		mov	eax, [edx+4]
		push	eax
		mov	eax, [edx]
		push	eax
		mov	eax, [ecx]
		push	eax
		mov	eax, [ecx+4]
		call	eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_4ABE42
; 

loc_4AC506:				; CODE XREF: CcAcquireByteRangeForWrite+286j
		sub	eax, ecx
		jmp	loc_4ABFFE
; 

loc_4AC50D:				; CODE XREF: CcAcquireByteRangeForWrite+115j
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	edx, ecx
		mov	edi, eax
		shrd	edx, edi, 0Ch
		mov	[ebp+var_1C], edi
		mov	[ebp+var_24], edx
		sar	[ebp+var_1C], 0Ch
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_34], 0
		add	edx, ecx
		mov	ecx, [ebp+var_34]
		adc	ecx, eax
		sub	edx, 1
		sbb	ecx, 0
		shrd	edx, ecx, 0Ch
		mov	[ebp+var_28], edx
		sar	ecx, 0Ch
		mov	[ebp+var_34], ecx
		push	[ebp+var_1C]
		push	[ebp+var_24]
		mov	ecx, [ebp+var_44]
		call	_CcFindBitmapRangeToClean@12 ; CcFindBitmapRangeToClean(x,x,x)
		mov	edx, eax
		mov	[ebp+var_40], edx
		mov	eax, [edx+8]
		mov	[ebp+var_2C], eax
		mov	ecx, [edx+0Ch]
		mov	[ebp+var_30], ecx
		mov	ecx, [edx+10h]
		mov	[ebp+var_38], ecx
		xor	ecx, ecx
		add	[ebp+var_38], eax
		adc	ecx, [ebp+var_30]
		cmp	[ebp+var_34], ecx
		mov	edi, dword ptr [ebp+arg_C]
		jg	short loc_4AC58F
		jl	loc_4AC176
		mov	eax, [ebp+var_28]
		cmp	eax, [ebp+var_38]
		jb	loc_4AC176

loc_4AC58F:				; CODE XREF: CcAcquireByteRangeForWrite+80Bj
		mov	ecx, [edx+14h]
		mov	eax, ecx
		add	eax, [ebp+var_2C]
		mov	[ebp+var_38], eax
		mov	eax, 0
		adc	eax, [ebp+var_30]
		mov	[ebp+var_54], eax
		cmp	[ebp+var_1C], eax
		mov	eax, [ebp+var_28]
		jl	short loc_4AC5C2
		jg	loc_4AC176
		mov	eax, [ebp+var_24]
		cmp	eax, [ebp+var_38]
		mov	eax, [ebp+var_28]
		ja	loc_4AC176

loc_4AC5C2:				; CODE XREF: CcAcquireByteRangeForWrite+83Bj
		mov	esi, [edx+1Ch]
		mov	ebx, [ebp+var_54]
		cmp	[ebp+var_34], ebx
		jg	short loc_4AC5DC
		jl	loc_4AC732
		cmp	eax, [ebp+var_38]
		jb	loc_4AC732

loc_4AC5DC:				; CODE XREF: CcAcquireByteRangeForWrite+85Bj
		mov	ebx, [ebp+var_2C]
		jmp	loc_4ABEE4
; 

loc_4AC5E4:				; CODE XREF: CcAcquireByteRangeForWrite+1E0j
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		add	ecx, [edx]
		adc	eax, [edx+4]
		add	ecx, 0FFFh
		adc	eax, 0
		shrd	ecx, eax, 0Ch
		sar	eax, 0Ch
		cmp	[ebp+var_1C], eax
		jl	short loc_4AC612
		jg	loc_4AC176
		cmp	[ebp+var_24], ecx
		jnb	loc_4AC176

loc_4AC612:				; CODE XREF: CcAcquireByteRangeForWrite+891j
		mov	eax, [ebp+var_20]
		add	eax, 10h
		cmp	[eax], eax
		jz	loc_4ABF56
		jmp	loc_5C0C4D
; 

loc_4AC625:				; CODE XREF: CcAcquireByteRangeForWrite+542j
		cmp	dword ptr [ecx+34h], 0
		jnz	loc_4AC2B8
		mov	eax, [ebp+var_48]
		and	eax, 1FFFFFFh
		or	eax, 0
		jnz	loc_4AC3C0
		jmp	loc_4AC2B8
; 

loc_4AC645:				; CODE XREF: CcAcquireByteRangeForWrite+18Fj
					; CcAcquireByteRangeForWrite+198j
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], ecx
		jmp	loc_4ABF0E
; 

loc_4AC650:				; CODE XREF: CcAcquireByteRangeForWrite+75Fj
		mov	dword ptr [ebx+78h], 0
		jmp	loc_4AC2E3
; 

loc_4AC65C:				; CODE XREF: CcAcquireByteRangeForWrite+2DDj
		mov	ecx, [ebp+var_80]
		mov	ecx, [ecx]
		mov	eax, [ebp+var_60]
		cmp	[ebx+10h], eax
		jnz	short loc_4AC674
		mov	eax, [ebp+var_24]
		sub	eax, [ebx+8]
		add	eax, ecx
		mov	[ebx+10h], eax

loc_4AC674:				; CODE XREF: CcAcquireByteRangeForWrite+8F7j
		mov	edx, [ebp+var_44]
		cmp	[ebp+arg_0], 0
		jnz	loc_4AC079
		xor	eax, eax
		mov	ebx, [ebp+var_24]
		add	ecx, ebx
		adc	eax, [ebp+var_1C]
		mov	[edx+18h], ecx
		mov	[edx+1Ch], eax
		jmp	loc_4AC07C
; 

loc_4AC696:				; CODE XREF: CcAcquireByteRangeForWrite+1D5j
		mov	edx, [ebp+var_1C]
		lea	esp, [esp+0]

loc_4AC6A0:				; CODE XREF: CcAcquireByteRangeForWrite+93Aj
		add	esi, esi
		add	ecx, 1
		adc	edx, 0
		test	eax, esi
		jz	short loc_4AC6A0
		mov	[ebp+var_1C], edx
		mov	[ebp+var_24], ecx
		jmp	loc_4ABF4B
; 

loc_4AC6B7:				; CODE XREF: CcAcquireByteRangeForWrite+56Aj
		cmp	[ebp+var_3C], 0
		jnz	loc_4AC2E0
		mov	dword ptr [ecx], 0
		mov	dword ptr [ecx+4], 0
		mov	eax, ecx
		jmp	loc_4AC190
; 

loc_4AC6D5:				; CODE XREF: CcAcquireByteRangeForWrite+440j
		mov	eax, edx
		mov	[ebp+var_34], eax
		jmp	loc_4AC1B6
; 

loc_4AC6DF:				; CODE XREF: CcAcquireByteRangeForWrite+23Ej
		sub	ecx, eax
		jmp	loc_4ABFB6
; 

loc_4AC6E6:				; CODE XREF: CcAcquireByteRangeForWrite+50Bj
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		mov	ecx, [ebp+var_2C]
		add	ecx, [edx]
		mov	[ebp+var_2C], ecx
		adc	eax, [edx+4]
		mov	ecx, [ebp+var_28]
		cmp	eax, [ecx+0Ch]
		jl	loc_4AC2B8
		jg	loc_4AC281
		mov	eax, [ebp+var_2C]
		cmp	eax, [ecx+8]
		jbe	loc_4AC2B8
		jmp	loc_4AC281
; 

loc_4AC71C:				; CODE XREF: CcAcquireByteRangeForWrite+4EFj
					; CcAcquireByteRangeForWrite+500j
		mov	ecx, [ecx+14h]
		inc	_CcDbgLsnLargerThanHint
		jmp	loc_4AC22D
; 

loc_4AC72A:				; CODE XREF: CcAcquireByteRangeForWrite+485j
		mov	ecx, [ebp+var_58]
		jmp	loc_4AC207
; 

loc_4AC732:				; CODE XREF: CcAcquireByteRangeForWrite+85Dj
					; CcAcquireByteRangeForWrite+866j
		mov	ebx, [ebp+var_2C]
		sub	eax, ebx
		shr	eax, 5
		lea	eax, [esi+eax*4]
		jmp	loc_4ABEEA
; 

loc_4AC742:				; CODE XREF: CcAcquireByteRangeForWrite+614j
		mov	eax, [edx+4]
		cmp	eax, [ecx+1Ch]
		jl	short loc_4AC75B
		jg	loc_4AC49A
		mov	eax, [edx]
		cmp	eax, [ecx+18h]
		jnb	loc_4AC49A

loc_4AC75B:				; CODE XREF: CcAcquireByteRangeForWrite+9D8j
		test	edx, edx
		jnz	loc_4AC3B6
		jmp	loc_4AC38A
; 

loc_4AC768:				; CODE XREF: CcAcquireByteRangeForWrite+1CAj
		or	esi, 0FFFFFFFFh
		and	ecx, 0FFFFFFE0h
		mov	edi, edi

loc_4AC770:				; CODE XREF: CcAcquireByteRangeForWrite+A1Bj
		mov	eax, [ebp+var_1C]
		add	ebx, 4
		add	ecx, 20h
		mov	[ebp+var_24], ecx
		adc	eax, 0
		mov	[ebp+var_1C], eax
		cmp	ebx, [ebp+var_50]
		ja	short loc_4AC7E2

loc_4AC787:				; CODE XREF: CcAcquireByteRangeForWrite+114ED8j
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_4AC770
		jmp	loc_4ABF40
; 

loc_4AC792:				; CODE XREF: CcAcquireByteRangeForWrite+2CAj
		lea	ecx, [ebp+var_78]
		call	KxWaitForLockChainValid

loc_4AC79A:				; CODE XREF: CcAcquireByteRangeForWrite+2B3j
		mov	[ebp+var_78], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4AC040
; 

loc_4AC7B1:				; CODE XREF: CcAcquireByteRangeForWrite+162j
					; CcAcquireByteRangeForWrite+16Bj
		mov	eax, [edx+10h]
		xor	esi, esi
		add	eax, ebx
		mov	[ebp+var_24], eax
		adc	esi, [ebp+var_30]
		mov	[ebp+var_1C], esi
		jmp	loc_4ABEE1
; 

loc_4AC7C6:				; CODE XREF: CcAcquireByteRangeForWrite+66Bj
		push	2
		mov	dl, 1
		mov	ecx, [ebp+var_28]
		call	CcUnpinFileDataEx
		mov	ecx, [ebp+var_4C]
		call	ExAcquireFastMutex
		mov	ecx, [ebp+var_28]
		jmp	loc_4AC44C
; 

loc_4AC7E2:				; CODE XREF: CcAcquireByteRangeForWrite+A15j
		mov	ecx, [ebp+var_40]
		cmp	[ebp+arg_0], 0
		jnz	short loc_4AC7F2
		mov	eax, [ebp+var_60]
		dec	eax
		mov	[ecx+14h], eax

loc_4AC7F2:				; CODE XREF: CcAcquireByteRangeForWrite+A79j
		mov	eax, [ebp+var_44]
		add	eax, 10h

loc_4AC7F8:				; CODE XREF: CcAcquireByteRangeForWrite+A95j
		mov	ecx, [ecx]
		mov	[ebp+var_40], ecx
		cmp	ecx, eax
		jz	short loc_4AC80C

loc_4AC801:				; CODE XREF: CcAcquireByteRangeForWrite+AABj
		cmp	dword ptr [ecx+18h], 0
		jz	short loc_4AC7F8
		jmp	loc_4AC11C
; 

loc_4AC80C:				; CODE XREF: CcAcquireByteRangeForWrite+A8Fj
		cmp	[ebp+arg_0], 0
		jnz	loc_4AC176
		mov	ecx, [ecx]
		mov	[ebp+var_40], ecx
		jmp	short loc_4AC801
; 

loc_4AC81D:				; CODE XREF: CcAcquireByteRangeForWrite+69Fj
					; CcAcquireByteRangeForWrite+114F1Aj ...
		mov	ecx, [ebp+var_4C]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		push	0
		xor	dl, dl
		mov	ecx, [ebp+var_28]
		call	CcUnpinFileDataEx
		mov	ecx, [ebp+var_4C]
		call	ExAcquireFastMutex
		cmp	dword ptr [edi], 0
		jnz	loc_4AC2B8
		mov	eax, [ebp+var_20]
		mov	ecx, [eax+14h]
		mov	edx, [ebp+var_30]
		jmp	loc_4AC22D
CcAcquireByteRangeForWrite endp

; 

; __stdcall CcFlushCachePriv(x,	x, x, x, x, x)
_CcFlushCachePriv@24:			; CODE XREF: sub_47C052+A1p
					; CcWriteBehindInternal+21Ap ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		push	ebx
		push	esi
		push	edi
		mov	[esp+64h], edx
		mov	esi, ecx
		mov	[esp+60h], esi
		xor	eax, eax
		mov	[esp+5Ch], eax
		xor	edi, edi
		mov	[esp+40h], eax
		mov	[esp+10h], eax
		mov	[esp+34h], eax
		mov	[esp+98h], eax
		mov	[esp+9Ch], eax
		mov	[esp+28h], eax
		mov	[esp+30h], eax
		mov	[esp+78h], eax
		mov	[esp+54h], eax
		mov	[esp+1Ch], eax
		mov	[esp+8Ch], eax
		mov	[esp+90h], eax
		mov	[esp+94h], eax
		mov	[esp+44h], eax
		mov	[esp+48h], eax
		mov	[esp+4Ch], eax
		xor	al, al
		mov	dword ptr [esp+38h], 0
		mov	dword ptr [esp+3Ch], 0
		mov	dword ptr [esp+70h], 0
		mov	dword ptr [esp+74h], 0
		mov	dword ptr [esp+14h], 0
		mov	dword ptr [esp+7Ch], 0
		mov	dword ptr [esp+0A0h], 0
		mov	dword ptr [esp+0A4h], 0
		mov	dword ptr [esp+50h], 0
		mov	dword ptr [esp+2Ch], 0
		mov	[esp+0Fh], al
		cmp	[ebp+0Ch], edi
		jz	short loc_4AC933
		test	edx, edx
		jz	short loc_4AC933
		cmp	edx, offset _CcNoDelay
		jnz	loc_4AD2A3

loc_4AC933:				; CODE XREF: .text:004AC921j
					; .text:004AC925j
		mov	ebx, [ebp+14h]
		test	ebx, ebx
		jnz	short loc_4AC944
		lea	ebx, [esp+0A0h]
		mov	[ebp+14h], ebx

loc_4AC944:				; CODE XREF: .text:004AC938j
		mov	[ebx], edi
		mov	[esp+68h], edi
		mov	[esp+6Ch], edi
		cmp	edx, offset _CcNoDelay
		jnz	short loc_4AC973
		mov	eax, [ebx+4]
		xor	edx, edx
		mov	[esp+54h], eax
		mov	dword ptr [ebx], 80000016h
		mov	dword ptr [esp+10h], 1
		mov	[esp+64h], edx
		jmp	short loc_4AC988
; 

loc_4AC973:				; CODE XREF: .text:004AC954j
		mov	dword ptr [esp+28h], 1
		cmp	[ebp+10h], al
		jz	short loc_4AC988
		mov	dword ptr [esp+28h], 11h

loc_4AC988:				; CODE XREF: .text:004AC971j
					; .text:004AC97Ej
		mov	eax, edx
		mov	[ebx+4], edi
		sub	eax, offset _CcFlushForImageSection
		mov	ecx, offset _CcMasterLock
		neg	eax
		sbb	eax, eax
		and	eax, edx
		lea	edx, [esp+8Ch]
		mov	[esp+18h], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, [esi+4]
		mov	eax, [esp+18h]
		mov	[esp+20h], eax
		test	esi, esi
		jz	loc_4ACADF
		mov	ecx, esi
		call	CcGetPartition
		test	ds:byte_70EFC6,	21h
		mov	[esp+1Ch], eax
		mov	[esp+44h], edi
		lea	ecx, [eax+40h]
		mov	[esp+48h], ecx
		jz	short loc_4AC9EC
		mov	edx, ecx
		lea	ecx, [esp+44h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4AC9FF
; 

loc_4AC9EC:				; CODE XREF: .text:004AC9DDj
		lea	edx, [esp+44h]
		xchg	edx, [ecx]
		test	edx, edx
		jz	short loc_4AC9FF
		lea	ecx, [esp+44h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4AC9FF:				; CODE XREF: .text:004AC9EAj
					; .text:004AC9F4j
		mov	ecx, [esi+60h]
		mov	dl, 1
		mov	eax, [esp+18h]
		mov	[esp+0Fh], dl
		mov	[esp+20h], eax
		test	ecx, 2000h
		jz	short loc_4ACA27
		test	al, dl
		jz	loc_4ACB0B
		xor	eax, 1
		mov	[esp+20h], eax

loc_4ACA27:				; CODE XREF: .text:004ACA16j
		mov	eax, [esp+10h]
		test	eax, eax
		jz	short loc_4ACA59
		test	ecx, 10000h
		jz	loc_4ACAE7
		mov	dword ptr [esp+34h], 1
		cmp	[esi+16Ch], edi
		jz	loc_4ACAE7
		mov	edi, 1
		jmp	loc_4ACAE7
; 

loc_4ACA59:				; CODE XREF: .text:004ACA2Dj
		mov	ecx, [esp+20h]
		test	ecx, ecx
		jz	short loc_4ACABB
		mov	edi, [ecx+4]
		mov	eax, [esi+1Ch]
		mov	edx, [ecx]
		mov	ecx, [esi+18h]
		mov	[esp+18h], edi
		mov	[esp+58h], eax
		cmp	edi, eax
		jl	short loc_4ACA86
		jg	loc_4ACB0B
		cmp	edx, ecx
		jnb	loc_4ACB0B

loc_4ACA86:				; CODE XREF: .text:004ACA76j
		mov	eax, [ebp+8]
		mov	edi, eax
		mov	[esp+24h], eax
		xor	eax, eax
		add	edi, edx
		adc	eax, [esp+18h]
		cmp	eax, [esp+58h]
		jl	short loc_4ACACA
		jg	short loc_4ACAA3
		cmp	edi, ecx
		jbe	short loc_4ACACA

loc_4ACAA3:				; CODE XREF: .text:004ACA9Dj
		mov	eax, [esp+10h]
		sub	ecx, edx
		mov	dl, [esp+0Fh]
		xor	edi, edi
		inc	dword ptr [esi+16Ch]
		mov	[esp+24h], ecx
		jmp	short loc_4ACAEE
; 

loc_4ACABB:				; CODE XREF: .text:004ACA5Fj
		mov	ecx, [ebp+8]
		inc	dword ptr [esi+16Ch]
		mov	[esp+24h], ecx
		jmp	short loc_4ACAEE
; 

loc_4ACACA:				; CODE XREF: .text:004ACA9Bj
					; .text:004ACAA1j
		mov	ecx, [ebp+8]
		xor	edi, edi
		mov	dl, [esp+0Fh]
		mov	eax, [esp+10h]
		inc	dword ptr [esi+16Ch]
		jmp	short loc_4ACAEE
; 

loc_4ACADF:				; CODE XREF: .text:004AC9BAj
		mov	dl, [esp+0Fh]
		mov	eax, [esp+10h]

loc_4ACAE7:				; CODE XREF: .text:004ACA35j
					; .text:004ACA49j ...
		mov	ecx, [ebp+8]
		mov	[esp+24h], ecx

loc_4ACAEE:				; CODE XREF: .text:004ACAB9j
					; .text:004ACAC8j ...
		cmp	dword ptr [esp+20h], 0
		jz	short loc_4ACB29
		test	ecx, ecx
		jnz	short loc_4ACB29
		test	esi, esi
		jz	short loc_4ACB07
		test	eax, eax
		jnz	short loc_4ACB07
		dec	dword ptr [esi+16Ch]

loc_4ACB07:				; CODE XREF: .text:004ACAFBj
					; .text:004ACAFFj
		test	dl, dl
		jz	short loc_4ACB14

loc_4ACB0B:				; CODE XREF: .text:004ACA1Aj
					; .text:004ACA78j ...
		lea	ecx, [esp+44h]
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel

loc_4ACB14:				; CODE XREF: .text:004ACB09j
		lea	ecx, [esp+8Ch]
		call	KeReleaseInStackQueuedSpinLock
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4ACB29:				; CODE XREF: .text:004ACAF3j
					; .text:004ACAF7j
		cmp	dword ptr [esp+64h], offset _CcFlushForImageSection
		jnz	short loc_4ACB79
		test	esi, esi
		jz	short loc_4ACB93
		cmp	dword ptr [esi+16Ch], 2
		jnb	short loc_4ACB4F
		mov	ecx, [esp+1Ch]
		mov	edx, esi
		call	_CcSerializeWithLazyWriter@8 ; CcSerializeWithLazyWriter(x,x)
		test	al, al
		jnz	short loc_4ACB79

loc_4ACB4F:				; CODE XREF: .text:004ACB3Ej
		dec	dword ptr [esi+16Ch]
		lea	ecx, [esp+44h]
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		lea	ecx, [esp+8Ch]
		call	KeReleaseInStackQueuedSpinLock
		mov	dword ptr [ebx], 0C0000054h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4ACB79:				; CODE XREF: .text:004ACB31j
					; .text:004ACB4Dj
		test	esi, esi
		jz	short loc_4ACB93
		inc	dword ptr [esi+4]
		inc	dword ptr [esi+178h]
		mov	eax, [esi+44h]
		and	eax, 0FFFFFFF8h
		mov	eax, [eax+0Ch]
		mov	[esp+30h], eax

loc_4ACB93:				; CODE XREF: .text:004ACB35j
					; .text:004ACB7Bj
		cmp	byte ptr [esp+0Fh], 0
		jz	short loc_4ACBA3
		lea	ecx, [esp+44h]
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel

loc_4ACBA3:				; CODE XREF: .text:004ACB98j
		lea	ecx, [esp+8Ch]
		call	KeReleaseInStackQueuedSpinLock
		test	esi, esi
		jz	short loc_4ACBC1
		test	dword ptr [esi+60h], 40000000h
		jz	short loc_4ACBC1
		mov	edi, 1

loc_4ACBC1:				; CODE XREF: .text:004ACBB1j
					; .text:004ACBBAj
		test	ds:dword_70EFD0, 20000h
		jz	short loc_4ACBF2
		mov	ecx, [esp+54h]
		cmp	edi, 1
		mov	edx, esi
		setz	al
		movzx	eax, al
		push	eax
		push	dword ptr [esp+38h]
		push	dword ptr [esp+18h]
		push	dword ptr [esp+30h]
		push	dword ptr [esp+30h]
		call	CcPerfLogFlushCache

loc_4ACBF2:				; CODE XREF: .text:004ACBCBj
		mov	ecx, [esp+10h]
		test	ecx, ecx
		jnz	short loc_4ACC13
		test	esi, esi
		jz	short loc_4ACC49
		test	byte ptr [esi+60h], 20h
		jz	short loc_4ACC13
		mov	ecx, [esp+1Ch]
		mov	edx, esi
		call	CcBoostLowPriorityWorkerThread
		mov	ecx, [esp+10h]

loc_4ACC13:				; CODE XREF: .text:004ACBF8j
					; .text:004ACC02j
		test	esi, esi
		jz	short loc_4ACC30
		mov	eax, [esp+30h]
		test	byte ptr [eax+6], 10h
		jz	short loc_4ACC27
		test	byte ptr [eax+4], 20h
		jnz	short loc_4ACC30

loc_4ACC27:				; CODE XREF: .text:004ACC1Fj
		test	dword ptr [esi+60h], 20000h
		jz	short loc_4ACC34

loc_4ACC30:				; CODE XREF: .text:004ACC15j
					; .text:004ACC25j
		test	ecx, ecx
		jz	short loc_4ACC49

loc_4ACC34:				; CODE XREF: .text:004ACC2Ej
		test	edi, edi
		jnz	short loc_4ACC49
		test	esi, esi
		jz	loc_4AD29A
		test	dword ptr [esi+60h], 4000000h
		jz	short loc_4ACCC4

loc_4ACC49:				; CODE XREF: .text:004ACBFCj
					; .text:004ACC32j ...
		test	ds:dword_70EFD0, 20000h
		mov	edi, [esp+28h]
		jz	short loc_4ACC6D
		mov	ecx, [esp+54h]
		mov	edx, esi
		push	edi
		push	dword ptr [esp+28h]
		push	dword ptr [esp+28h]
		call	CcPerfLogFlushSection

loc_4ACC6D:				; CODE XREF: .text:004ACC57j
		test	esi, esi
		jz	short loc_4ACC86
		mov	edx, [esp+20h]
		mov	ecx, esi
		push	0
		push	0
		push	0
		push	dword ptr [esp+30h]
		call	CcUnmapVacbArray

loc_4ACC86:				; CODE XREF: .text:004ACC6Fj
		mov	edx, [esp+20h]
		push	edi
		mov	edi, [esp+28h]
		push	ebx
		push	ecx
		mov	ecx, [esp+6Ch]
		push	edi
		call	MmFlushSection
		test	eax, eax
		jns	short loc_4ACCB8
		cmp	dword ptr [esp+10h], 0
		mov	ecx, [ebx]
		jz	short loc_4ACCB2
		cmp	ecx, 80000016h
		jz	short loc_4ACCB6
		jmp	short loc_4ACCB8
; 

loc_4ACCB2:				; CODE XREF: .text:004ACCA6j
		test	ecx, ecx
		jnz	short loc_4ACCB8

loc_4ACCB6:				; CODE XREF: .text:004ACCAEj
		mov	[ebx], eax

loc_4ACCB8:				; CODE XREF: .text:004ACC9Dj
					; .text:004ACCB0j ...
		mov	eax, [ebx]
		test	eax, eax
		jns	short loc_4ACCC8
		mov	[esp+2Ch], eax
		jmp	short loc_4ACCC8
; 

loc_4ACCC4:				; CODE XREF: .text:004ACC47j
		mov	edi, [esp+24h]

loc_4ACCC8:				; CODE XREF: .text:004ACCBCj
					; .text:004ACCC2j
		test	esi, esi
		jz	loc_4AD290
		test	dword ptr [esi+60h], 4000000h
		jnz	loc_4AD235
		mov	ecx, [esp+20h]
		test	ecx, ecx
		jz	short loc_4ACCF2
		mov	eax, [ecx]
		mov	[esp+70h], eax
		mov	eax, [ecx+4]
		mov	[esp+74h], eax

loc_4ACCF2:				; CODE XREF: .text:004ACCE3j
		mov	dword ptr [esp+14h], 1
		test	edi, edi
		jz	short loc_4ACD02
		mov	[esp+14h], edi

loc_4ACD02:				; CODE XREF: .text:004ACCFCj
		mov	edi, [esp+10h]
		test	edi, edi
		jz	short loc_4ACD14
		lea	eax, [esp+68h]
		push	eax
		call	KeQueryTickCount

loc_4ACD14:				; CODE XREF: .text:004ACD08j
					; .text:004AD1B1j ...
		cmp	dword ptr [esi+78h], 0
		jnz	short loc_4ACD29
		test	edi, edi
		jz	short loc_4ACD29
		cmp	dword ptr [esp+34h], 0
		jz	loc_4AD21B

loc_4ACD29:				; CODE XREF: .text:004ACD18j
					; .text:004ACD1Cj
		mov	eax, [esi+8]
		or	eax, [esi+0Ch]
		jnz	short loc_4ACD40
		test	byte ptr [esi+60h], 4
		jnz	short loc_4ACD40
		cmp	[esi+4Ch], eax
		jz	loc_4AD21B

loc_4ACD40:				; CODE XREF: .text:004ACD2Fj
					; .text:004ACD35j
		cmp	dword ptr [esp+40h], 0
		jnz	loc_4AD21B
		test	edi, edi
		jz	short loc_4ACD5E
		mov	ecx, esi
		call	CcAmILowPriorityWriter
		test	al, al
		jz	short loc_4ACD5E
		mov	al, 1
		jmp	short loc_4ACD60
; 

loc_4ACD5E:				; CODE XREF: .text:004ACD4Dj
					; .text:004ACD58j
		xor	al, al

loc_4ACD60:				; CODE XREF: .text:004ACD5Cj
		mov	edx, [esp+34h]
		mov	cl, al
		test	edi, edi
		jz	short loc_4ACD72
		test	edx, edx
		jnz	short loc_4ACD72
		xor	eax, eax
		jmp	short loc_4ACD76
; 

loc_4ACD72:				; CODE XREF: .text:004ACD68j
					; .text:004ACD6Cj
		mov	eax, [esp+14h]

loc_4ACD76:				; CODE XREF: .text:004ACD70j
		test	edi, edi
		jz	short loc_4ACD7E
		test	edx, edx
		jz	short loc_4ACD8C

loc_4ACD7E:				; CODE XREF: .text:004ACD78j
		mov	edx, [esp+20h]
		lea	edi, [esp+70h]
		neg	edx
		sbb	edx, edx
		and	edx, edi

loc_4ACD8C:				; CODE XREF: .text:004ACD7Cj
		push	ecx
		lea	ecx, [esp+80h]
		push	ecx
		lea	ecx, [esp+1Ch]
		push	ecx
		lea	ecx, [esp+44h]
		push	ecx
		push	dword ptr [ebp+0Ch]
		mov	ecx, esi
		push	eax
		call	CcAcquireByteRangeForWrite
		test	al, al
		jz	loc_4AD21B
		mov	ecx, [esp+14h]
		mov	ebx, ecx
		mov	dword ptr [esp+18h], 0

loc_4ACDC0:				; CODE XREF: .text:004ACEAEj
		lea	eax, [esp+50h]
		push	eax
		xor	eax, eax
		lea	edx, [esp+7Ch]
		sub	ecx, ebx
		sbb	eax, eax
		add	ecx, [esp+3Ch]
		adc	eax, [esp+40h]
		push	eax
		push	ecx
		mov	ecx, esi
		call	_CcGetVirtualAddressIfMapped@20	; CcGetVirtualAddressIfMapped(x,x,x,x,x)
		mov	edi, [esp+50h]
		test	eax, eax
		jz	loc_4ACE9C
		cmp	edi, ebx
		jbe	short loc_4ACDF6
		mov	edi, ebx
		mov	[esp+50h], edi

loc_4ACDF6:				; CODE XREF: .text:004ACDEEj
		push	ecx
		mov	edx, edi
		mov	ecx, eax
		call	MmSetAddressRangeModifiedEx
		test	al, al
		jnz	short loc_4ACE0B
		cmp	dword ptr [esp+18h], 0
		jz	short loc_4ACE5A

loc_4ACE0B:				; CODE XREF: .text:004ACE02j
		mov	ecx, [esp+14h]
		xor	eax, eax
		add	ecx, [esp+38h]
		adc	eax, [esp+3Ch]
		cmp	eax, [esi+24h]
		jg	short loc_4ACE5A
		jl	short loc_4ACE25
		cmp	ecx, [esi+20h]
		jnb	short loc_4ACE5A

loc_4ACE25:				; CODE XREF: .text:004ACE1Ej
		test	byte ptr [esi+0ACh], 0Fh
		jz	short loc_4ACE5A
		cmp	dword ptr [esp+10h], 0
		jz	short loc_4ACE5A
		cmp	dword ptr [esp+34h], 0
		jnz	short loc_4ACE5A
		test	dword ptr [esi+60h], 200h
		jnz	short loc_4ACE5A
		mov	eax, [esp+1Ch]
		mov	dword ptr [esp+18h], 1
		cmp	byte ptr [eax+288h], 0
		jz	short loc_4ACE62

loc_4ACE5A:				; CODE XREF: .text:004ACE09j
					; .text:004ACE1Cj ...
		mov	dword ptr [esp+18h], 0

loc_4ACE62:				; CODE XREF: .text:004ACE58j
		mov	ecx, [esp+78h]
		or	eax, 0FFFFFFFFh
		mov	edx, [ecx+4]
		mov	[esp+58h], edx
		lock xadd [ecx+8], eax
		dec	eax
		movzx	eax, ax
		test	ax, ax
		jnz	short loc_4ACEA6
		mov	eax, [edx+74h]
		test	eax, eax
		jz	short loc_4ACE93
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	edx, [esp+58h]

loc_4ACE93:				; CODE XREF: .text:004ACE83j
		lock dec dword ptr [edx+180h]
		jmp	short loc_4ACEA6
; 

loc_4ACE9C:				; CODE XREF: .text:004ACDE6j
		cmp	edi, ebx
		jbe	short loc_4ACEA6
		mov	edi, ebx
		mov	[esp+50h], edi

loc_4ACEA6:				; CODE XREF: .text:004ACE7Cj
					; .text:004ACE9Aj ...
		sub	ebx, edi
		jz	short loc_4ACEB3
		mov	ecx, [esp+14h]
		jmp	loc_4ACDC0
; 

loc_4ACEB3:				; CODE XREF: .text:004ACEA8j
		mov	eax, [esp+18h]
		add	large fs:668h, eax
		test	eax, eax
		jnz	loc_4AD0C1
		test	ds:dword_70EFD0, 20000h
		jz	short loc_4ACEEA
		push	dword ptr [esp+28h]
		mov	ecx, [esp+58h]
		lea	eax, [esp+3Ch]
		push	dword ptr [esp+18h]
		mov	edx, esi
		push	eax
		call	CcPerfLogFlushSection

loc_4ACEEA:				; CODE XREF: .text:004ACED0j
		push	dword ptr [esp+28h]
		mov	edi, [esp+14h]
		lea	edx, [esp+3Ch]
		mov	ebx, [ebp+14h]
		mov	eax, edi
		neg	eax
		push	ebx
		push	ecx
		push	dword ptr [esp+20h]
		mov	ecx, [esp+70h]
		sbb	eax, eax
		and	eax, 80000016h
		mov	[ebx], eax
		call	MmFlushSection
		test	eax, eax
		jns	short loc_4ACF2F
		mov	ecx, [ebx]
		test	edi, edi
		jz	short loc_4ACF29
		cmp	ecx, 80000016h
		jz	short loc_4ACF2D
		jmp	short loc_4ACF2F
; 

loc_4ACF29:				; CODE XREF: .text:004ACF1Dj
		test	ecx, ecx
		jnz	short loc_4ACF2F

loc_4ACF2D:				; CODE XREF: .text:004ACF25j
		mov	[ebx], eax

loc_4ACF2F:				; CODE XREF: .text:004ACF17j
					; .text:004ACF27j ...
		mov	edx, [ebx]
		test	edx, edx
		js	short loc_4ACF87
		test	dword ptr [esi+60h], 400h
		jnz	short loc_4ACF5E
		mov	eax, [esp+1Ch]
		lea	edx, [esp+44h]
		lea	ecx, [eax+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		or	dword ptr [esi+60h], 400h
		lea	ecx, [esp+44h]
		call	KeReleaseInStackQueuedSpinLock

loc_4ACF5E:				; CODE XREF: .text:004ACF3Cj
		test	edi, edi
		jz	loc_4AD08B
		inc	large dword ptr	fs:66Ch
		mov	eax, [esp+14h]
		add	eax, 0FFFh
		shr	eax, 0Ch
		add	large fs:670h, eax
		xor	al, al
		jmp	loc_4AD0F6
; 

loc_4ACF87:				; CODE XREF: .text:004ACF33j
		mov	eax, [esp+3Ch]
		mov	ecx, esi
		mov	edi, [esp+38h]
		mov	[esp+30h], eax
		mov	[esp+84h], eax
		mov	eax, [esp+14h]
		mov	[esp+80h], edi
		mov	[esp+18h], eax
		call	CcIsFatalWriteError
		test	al, al
		jnz	short loc_4ACFC1
		mov	dword ptr [esp+40h], 1
		jmp	loc_4AD0F1
; 

loc_4ACFC1:				; CODE XREF: .text:004ACFB2j
					; .text:004AD081j
		test	ds:dword_70EFD0, 20000h
		jz	short loc_4ACFE9
		push	dword ptr [esp+28h]
		mov	ecx, [esp+58h]
		lea	eax, [esp+84h]
		push	1000h
		push	eax
		mov	edx, esi
		call	CcPerfLogFlushSection

loc_4ACFE9:				; CODE XREF: .text:004ACFCBj
		push	dword ptr [esp+28h]
		mov	eax, [esp+14h]
		lea	edx, [esp+84h]
		neg	eax
		push	ebx
		sbb	eax, eax
		push	ecx
		mov	ecx, [esp+6Ch]
		and	eax, 80000016h
		push	1000h
		mov	[ebx], eax
		call	MmFlushSection
		test	eax, eax
		jns	short loc_4AD030
		cmp	dword ptr [esp+10h], 0
		mov	ecx, [ebx]
		jz	short loc_4AD02A
		cmp	ecx, 80000016h
		jz	short loc_4AD02E
		jmp	short loc_4AD030
; 

loc_4AD02A:				; CODE XREF: .text:004AD01Ej
		test	ecx, ecx
		jnz	short loc_4AD030

loc_4AD02E:				; CODE XREF: .text:004AD026j
		mov	[ebx], eax

loc_4AD030:				; CODE XREF: .text:004AD015j
					; .text:004AD028j ...
		mov	edx, [ebx]
		test	edx, edx
		js	short loc_4AD08F
		mov	ecx, [esp+1Ch]
		lea	edx, [esp+44h]
		lea	ecx, [ecx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		or	dword ptr [esi+60h], 400h
		lea	ecx, [esp+44h]
		call	KeReleaseInStackQueuedSpinLock

loc_4AD056:				; CODE XREF: .text:004AD09Fj
					; .text:004AD0A7j
		mov	ecx, [esp+40h]

loc_4AD05A:				; CODE XREF: .text:004AD0B7j
					; .text:004AD0BFj
		mov	eax, [esp+30h]
		add	edi, 1000h
		mov	[esp+80h], edi
		adc	eax, 0
		sub	dword ptr [esp+18h], 1000h
		mov	[esp+30h], eax
		mov	[esp+84h], eax
		jnz	loc_4ACFC1
		test	ecx, ecx
		jnz	short loc_4AD0F1

loc_4AD08B:				; CODE XREF: .text:004ACF60j
		xor	al, al
		jmp	short loc_4AD0F6
; 

loc_4AD08F:				; CODE XREF: .text:004AD034j
		mov	ecx, esi
		call	CcIsFatalWriteError
		test	al, al
		jz	short loc_4AD0A9
		cmp	dword ptr [esp+2Ch], 0
		jnz	short loc_4AD056
		mov	ecx, [ebx]
		mov	[esp+2Ch], ecx
		jmp	short loc_4AD056
; 

loc_4AD0A9:				; CODE XREF: .text:004AD098j
		cmp	dword ptr [esp+2Ch], 0
		mov	ecx, 1
		mov	[esp+40h], ecx
		jnz	short loc_4AD05A
		mov	eax, [ebx]
		mov	[esp+2Ch], eax
		jmp	short loc_4AD05A
; 

loc_4AD0C1:				; CODE XREF: .text:004ACEC0j
		mov	ebx, [esp+1Ch]
		lea	edx, [esp+44h]
		lea	ecx, [ebx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esp+14h]
		lea	ecx, [esp+44h]
		shr	eax, 0Ch
		add	[ebx+1E8h], eax
		adc	dword ptr [ebx+1ECh], 0
		call	KeReleaseInStackQueuedSpinLock
		mov	ebx, [ebp+14h]

loc_4AD0F1:				; CODE XREF: .text:004ACFBCj
					; .text:004AD089j
		mov	eax, 1

loc_4AD0F6:				; CODE XREF: .text:004ACF82j
					; .text:004AD08Dj
		push	eax
		push	dword ptr [esp+80h]
		lea	edx, [esp+40h]
		mov	ecx, esi
		push	dword ptr [esp+1Ch]
		call	CcReleaseByteRangeFromWrite
		mov	eax, [esp+5Ch]
		add	eax, [esp+14h]
		mov	ecx, [esp+1Ch]
		mov	[esp+5Ch], eax
		cmp	eax, 40000h
		jb	short loc_4AD13F
		lea	eax, [ecx+204h]
		cmp	[eax], eax
		jz	short loc_4AD13F
		call	_CcPostDeferredWrites@4	; CcPostDeferredWrites(x)
		mov	ecx, [esp+1Ch]
		mov	dword ptr [esp+5Ch], 0

loc_4AD13F:				; CODE XREF: .text:004AD122j
					; .text:004AD12Cj
		mov	edi, [esp+10h]
		test	edi, edi
		jz	short loc_4AD1AB
		cmp	dword ptr [esp+34h], 0
		jnz	short loc_4AD1AB
		lea	eax, [ecx+204h]
		cmp	[eax], eax
		jnz	short loc_4AD16A
		mov	eax, 0CCCCCCCDh
		mul	_CcIdleDelayTick
		mov	edi, edx
		shr	edi, 3
		jmp	short loc_4AD170
; 

loc_4AD16A:				; CODE XREF: .text:004AD156j
		mov	edi, _CcIdleDelayTick

loc_4AD170:				; CODE XREF: .text:004AD168j
		xor	eax, eax
		add	edi, [esp+68h]
		adc	eax, [esp+6Ch]
		mov	[esp+30h], eax
		lea	eax, [esp+98h]
		push	eax
		call	KeQueryTickCount
		mov	eax, [esp+30h]
		cmp	[esp+9Ch], eax
		jg	loc_4AD214
		jl	short loc_4AD1A7
		cmp	[esp+98h], edi
		ja	short loc_4AD214

loc_4AD1A7:				; CODE XREF: .text:004AD19Cj
		mov	edi, [esp+10h]

loc_4AD1AB:				; CODE XREF: .text:004AD145j
					; .text:004AD14Cj
		mov	ecx, [esp+20h]
		test	ecx, ecx
		jz	loc_4ACD14
		mov	edi, [esp+14h]
		mov	eax, 0
		add	edi, [esp+38h]
		mov	edx, [ecx]
		adc	eax, [esp+3Ch]
		mov	[esp+58h], eax
		mov	[esp+3Ch], eax
		mov	eax, [ecx+4]
		mov	ecx, [esp+24h]
		mov	[esp+18h], ecx
		xor	ecx, ecx
		add	[esp+18h], edx
		mov	[esp+38h], edi
		adc	ecx, eax
		mov	eax, [esp+58h]
		cmp	ecx, eax
		jl	short loc_4AD21B
		jg	short loc_4AD1F9
		cmp	[esp+18h], edi
		jbe	short loc_4AD21B

loc_4AD1F9:				; CODE XREF: .text:004AD1F1j
		sub	edx, edi
		mov	[esp+70h], edi
		add	edx, [esp+24h]
		mov	edi, [esp+10h]
		mov	[esp+14h], edx
		mov	[esp+74h], eax
		jmp	loc_4ACD14
; 

loc_4AD214:				; CODE XREF: .text:004AD196j
					; .text:004AD1A5j
		mov	dword ptr [ebx+4], 8A5Eh

loc_4AD21B:				; CODE XREF: .text:004ACD23j
					; .text:004ACD3Aj ...
		cmp	dword ptr [esp+5Ch], 0
		jz	short loc_4AD235
		mov	ecx, [esp+1Ch]
		lea	eax, [ecx+204h]
		cmp	[eax], eax
		jz	short loc_4AD235
		call	_CcPostDeferredWrites@4	; CcPostDeferredWrites(x)

loc_4AD235:				; CODE XREF: .text:004ACCD7j
					; .text:004AD220j ...
		mov	ecx, [esp+1Ch]
		lea	edx, [esp+44h]
		add	ecx, 40h
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	ecx
		mov	ecx, esi
		call	CcDecrementOpenCount
		cmp	dword ptr [esp+10h], 0
		jnz	short loc_4AD25A
		dec	dword ptr [esi+16Ch]

loc_4AD25A:				; CODE XREF: .text:004AD252j
		cmp	dword ptr [esp+64h], offset _CcFlushForImageSection
		jnz	short loc_4AD287
		cmp	dword ptr [ebx], 0
		jl	short loc_4AD287
		cmp	dword ptr [esp+2Ch], 0
		jl	short loc_4AD287
		cmp	dword ptr [esi+4Ch], 0
		jnz	short loc_4AD27F
		cmp	dword ptr [esi+16Ch], 0
		jz	short loc_4AD287

loc_4AD27F:				; CODE XREF: .text:004AD274j
		mov	dword ptr [esp+2Ch], 0C0000054h

loc_4AD287:				; CODE XREF: .text:004AD262j
					; .text:004AD267j ...
		lea	ecx, [esp+44h]
		call	KeReleaseInStackQueuedSpinLock

loc_4AD290:				; CODE XREF: .text:004ACCCAj
		mov	eax, [esp+2Ch]
		test	eax, eax
		jns	short loc_4AD29A
		mov	[ebx], eax

loc_4AD29A:				; CODE XREF: .text:004ACC3Aj
					; .text:004AD296j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4AD2A3:				; CODE XREF: .text:004AC92Dj
		push	0
		push	0
		push	0C0000420h
		push	1641h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnCheckLoggingForThread proc near	; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+188p
					; MiMakeSystemCacheRangeValid(x,x,x,x)+69Ap ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bl, [ecx+304h]
		shr	bl, 6
		test	[ebp+arg_0], 2
		push	esi
		setz	al
		mov	esi, edx
		and	bl, al
		test	bl, 1
		jnz	short loc_4AD302
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 2
		jl	short loc_4AD2FB
		mov	eax, [esi+12Ch]
		test	eax, eax
		jnz	loc_5C0DED

loc_4AD2F2:				; CODE XREF: CcAcquireByteRangeForWrite+115097j
		xor	eax, eax
		inc	eax

loc_4AD2F5:				; CODE XREF: PfSnCheckLoggingForThread+4Aj
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4AD2FB:				; CODE XREF: PfSnCheckLoggingForThread+28j
		lock inc dword ptr [esi+0F4h]

loc_4AD302:				; CODE XREF: PfSnCheckLoggingForThread+1Ej
					; CcAcquireByteRangeForWrite+11507Fj ...
		xor	eax, eax
		jmp	short loc_4AD2F5
PfSnCheckLoggingForThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpHeapCheckCommitLimit proc	near	; CODE XREF: RtlpHpSegMgrCommit+57p
					; RtlpHpLargeAlloc(x,x,x,x)+13Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C0E0C SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, [edi]
		test	esi, esi
		jnz	loc_5C0E0C
		mov	esi, dword_6BEC6C
		mov	edi, offset dword_6BEC6C
		test	esi, esi
		jnz	loc_5C0E0C

loc_4AD32D:				; CODE XREF: RtlpHpHeapCheckCommitLimit+113B0Bj
		xor	esi, esi
		inc	esi

loc_4AD330:				; CODE XREF: RtlpHpHeapCheckCommitLimit+113B18j
					; RtlpHpHeapCheckCommitLimit+113B2Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
RtlpHpHeapCheckCommitLimit endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpHpSegMgrCommit(int,size_t,int,int,int)
RtlpHpSegMgrCommit proc	near		; CODE XREF: RtlpHpSegMgrAllocate+44p
					; RtlpHpSegPageRangeCommit+113p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 004AD46C SIZE 0000004F BYTES
; FUNCTION CHUNK AT 005C0E38 SIZE 0000010D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		and	[esp+1Ch+var_18], 0
		and	[esp+1Ch+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_C]
		mov	eax, esi
		and	eax, 40000000h
		mov	[esp+24h+var_C], edx
		and	esi, 0BFFFFFFFh
		mov	byte ptr [esp+24h+var_8], 0
		mov	[esp+24h+var_10], eax
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jle	short loc_4AD3A0
		mov	ecx, [edi+24h]
		mov	edx, [ecx+84h]
		lea	eax, [ecx+18h]
		add	edx, [ecx+50h]
		push	eax
		push	ecx
		mov	ecx, ebx
		shl	edx, 0Ch
		shl	ecx, 0Ch
		call	RtlpHpHeapCheckCommitLimit
		test	eax, eax
		jz	loc_5C0E38
		mov	edx, [esp+28h+var_C]

loc_4AD3A0:				; CODE XREF: RtlpHpSegMgrCommit+3Cj
		mov	al, [edi+9]
		and	al, 7
		cmp	al, 1
		jnb	loc_5C0E42
		xor	ecx, ecx

loc_4AD3AF:				; CODE XREF: RtlpHpSegMgrCommit+113B34j
		mov	eax, [ebp+arg_0]
		mov	edx, [esp+28h+var_C]
		shl	eax, 0Ch
		add	edx, eax
		mov	[esp+28h+var_18], ecx
		mov	eax, [ebp+arg_4]
		shl	eax, 0Ch
		mov	[esp+28h+var_C], edx
		mov	[ebp+arg_4], eax

loc_4AD3CC:				; CODE XREF: RtlpHpSegMgrCommit+17Ej
		mov	[esp+28h+var_1C], edx
		mov	[esp+28h+var_14], eax
		test	ecx, ecx
		jnz	loc_5C0E71

loc_4AD3DC:				; CODE XREF: RtlpHpSegMgrCommit+113B60j
					; RtlpHpSegMgrCommit+113B84j
		test	ebx, ebx
		jle	short loc_4AD433
		cmp	[esp+28h+var_10], 0
		jnz	short loc_4AD44B

loc_4AD3E7:				; CODE XREF: RtlpHpSegMgrCommit+119j
					; RtlpHpSegMgrCommit+121j
		mov	eax, [edi+24h]
		mov	eax, [eax+0Ch]
		and	eax, 40000000h
		neg	eax
		sbb	eax, eax
		and	eax, 3Ch
		add	eax, 4
		push	dword ptr [edi+20h]
		lea	edx, [esp+2Ch+var_14]
		push	dword ptr [edi+1Ch]
		lea	ecx, [esp+30h+var_1C]
		push	eax
		push	esi
		push	0
		call	RtlpHpAllocVA
		cmp	[esp+28h+var_10], 0
		mov	ebx, eax
		jnz	short loc_4AD45B

loc_4AD41C:				; CODE XREF: RtlpHpSegMgrCommit+111j
					; RtlpHpSegMgrCommit+125j ...
		mov	eax, [esp+28h+var_18]
		test	eax, eax
		jnz	loc_5C0ED7

loc_4AD428:				; CODE XREF: RtlpHpSegMgrCommit+157j
					; RtlpHpSegMgrCommit+15Bj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_4AD433:				; CODE XREF: RtlpHpSegMgrCommit+A6j
					; RtlpHpSegMgrCommit+113B78j
		push	dword ptr [edi+20h]
		lea	edx, [esp+2Ch+var_14]
		push	dword ptr [edi+1Ch]
		lea	ecx, [esp+30h+var_1C]
		push	esi
		call	_RtlpHpFreeVA@20 ; RtlpHpFreeVA(x,x,x,x,x)
		mov	ebx, eax
		jmp	short loc_4AD41C
; 

loc_4AD44B:				; CODE XREF: RtlpHpSegMgrCommit+ADj
		test	esi, 20000000h
		jnz	short loc_4AD3E7
		or	esi, 40000000h
		jmp	short loc_4AD3E7
; 

loc_4AD45B:				; CODE XREF: RtlpHpSegMgrCommit+E2j
		test	ebx, ebx
		js	short loc_4AD41C
		test	esi, 40000000h
		jnz	short loc_4AD41C
		jmp	loc_5C0EC1
RtlpHpSegMgrCommit endp

; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegMgrCommit

loc_4AD46C:				; CODE XREF: RtlpHpSegMgrCommit+113BAAj
					; RtlpHpSegMgrCommit+113BB2j ...
		push	[esp+28h+var_8]
		lea	eax, [esp+2Ch+var_4]
		mov	ecx, edi
		push	eax
		mov	eax, ebx
		not	eax
		shr	eax, 1Fh
		push	eax
		push	edx
		mov	edx, [esp+38h+var_18]
		call	_RtlpHpSegMgrCommitComplete@24 ; RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)
		test	esi, 20000000h
		jz	short loc_4AD428
		test	ebx, ebx
		jns	short loc_4AD428
		mov	eax, [ebp+arg_10]
		test	al, 2
		jnz	short loc_4AD428
		mov	ebx, [ebp+arg_8]
		or	eax, 1
		mov	ecx, [esp+28h+var_18]
		and	esi, 0DFFFFFFFh
		mov	edx, [esp+28h+var_C]
		mov	[ebp+arg_10], eax
		mov	eax, [ebp+arg_4]
		jmp	loc_4AD3CC
; END OF FUNCTION CHUNK	FOR RtlpHpSegMgrCommit
; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpAllocVA	proc near		; CODE XREF: RtlpHpSegMgrCommit+D6p
					; RtlpHpLargeAlloc(x,x,x,x)+F2p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005C0F45 SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+34h+var_28], eax
		mov	eax, 1000h
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	[esp+38h+var_18], eax
		mov	[esp+38h+var_14], eax
		mov	eax, 200000h
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, edx
		mov	[esp+40h+var_10], eax
		mov	edx, edi
		mov	[esp+40h+var_C], eax
		mov	eax, edi
		and	edi, 0FEFFFFFFh
		mov	[esp+40h+var_30], ecx
		mov	ecx, [ebp+arg_10]
		and	eax, 1000000h
		mov	[esp+40h+var_2C], esi
		mov	[esp+40h+var_24], edx
		mov	[esp+40h+var_20], ebx
		mov	[esp+40h+var_34], ecx
		cmp	edi, 2000h
		jz	loc_4AD5C3

loc_4AD530:				; CODE XREF: RtlpHpAllocVA+109j
		mov	esi, [esi]
		test	edx, 2000h
		jnz	loc_4AD66E
		lea	eax, [esi-1]
		mov	ecx, 0FFFh
		and	eax, ecx
		sub	esi, eax
		add	esi, ecx

loc_4AD54C:				; CODE XREF: RtlpHpAllocVA+1CCj
		mov	[esp+40h+var_34], esi
		test	edx, 1000h
		jz	short loc_4AD561
		cmp	bh, 2
		jnb	loc_5C0F8B

loc_4AD561:				; CODE XREF: RtlpHpAllocVA+9Aj
		mov	cl, bl
		shr	cl, 3
		bt	edi, 0Dh
		setb	al
		and	cl, al
		test	cl, 1
		jnz	loc_4AD663

loc_4AD578:				; CODE XREF: RtlpHpAllocVA+1ADj
		movzx	eax, byte ptr [esp+40h+var_20+2]
		lea	edx, [esp+40h+var_34]
		push	eax
		push	ecx
		mov	ecx, [esp+48h+var_30]
		movzx	eax, bh
		push	eax
		movzx	eax, bl
		shr	eax, 1
		and	eax, 3
		push	eax
		push	[ebp+arg_8]
		push	edi
		push	0
		call	RtlpHpEnvAllocVA
		test	eax, eax
		js	short loc_4AD5AF
		mov	ecx, [esp+40h+var_2C]
		mov	eax, [esp+40h+var_34]
		mov	[ecx], eax

loc_4AD5AD:				; CODE XREF: RtlpHpAllocVA+199j
					; RtlpHpAllocVA+113ADBj ...
		xor	eax, eax

loc_4AD5AF:				; CODE XREF: RtlpHpAllocVA+E5j
					; RtlpHpAllocVA+113ACAj
		mov	ecx, [esp+40h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_4AD5C3:				; CODE XREF: RtlpHpAllocVA+6Ej
		test	eax, eax
		jnz	loc_4AD530
		push	ecx
		push	ebx
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		mov	dl, byte ptr [esp+40h+var_20+3]
		xor	ecx, ecx
		mov	[esp+40h+var_C], ecx
		mov	edi, eax
		test	dl, dl
		jz	loc_5C0F45
		movzx	edx, dl
		dec	edx

loc_4AD5EA:				; CODE XREF: RtlpHpAllocVA+113A8Cj
		movzx	eax, bh
		mov	[esp+40h+var_14], eax
		movzx	eax, byte ptr [esp+40h+var_20+2]
		mov	[esp+40h+var_18], edx
		mov	[esp+40h+var_10], eax
		test	bl, 8
		jnz	short loc_4AD65A

loc_4AD603:				; CODE XREF: RtlpHpAllocVA+1A5j
		mov	ecx, [esi]
		mov	ebx, 0FFFFFh
		mov	eax, [esp+40h+var_34]
		mov	[esp+40h+var_8], eax
		lea	eax, [ecx-1]
		and	eax, ebx
		sub	ecx, eax
		add	ecx, ebx
		mov	[esp+40h+var_34], ecx
		cmp	edx, 0FFFFFFFFh
		jz	loc_5C0F4D
		imul	eax, edx, 1Ch
		add	edi, 6Ch
		add	edi, eax

loc_4AD630:				; CODE XREF: RtlpHpAllocVA+113AC0j
		push	[esp+40h+var_28]
		lea	edx, [esp+44h+var_34]
		mov	ecx, edi
		call	RtlpHpVaMgrAlloc
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_5C0F81
		mov	eax, [esp+40h+var_34]
		mov	[esi], eax
		mov	eax, [esp+40h+var_30]
		mov	[eax], ecx
		jmp	loc_4AD5AD
; 

loc_4AD65A:				; CODE XREF: RtlpHpAllocVA+145j
		or	ecx, 1
		mov	[esp+40h+var_C], ecx
		jmp	short loc_4AD603
; 

loc_4AD663:				; CODE XREF: RtlpHpAllocVA+B6j
		or	edi, 40000h
		jmp	loc_4AD578
; 

loc_4AD66E:				; CODE XREF: RtlpHpAllocVA+7Cj
		movzx	eax, bh
		lea	ecx, [esi-1]
		dec	esi
		mov	edx, [esp+eax*4+40h+var_18]
		add	ecx, edx
		lea	eax, [edx-1]
		and	ecx, eax
		sub	edx, ecx
		add	esi, edx
		mov	edx, [esp+40h+var_24]
		jmp	loc_4AD54C
RtlpHpAllocVA	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializePoolCommitPacket proc near	; CODE XREF: MmAllocatePoolMemory+90p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005C0FB3 SIZE 00000071 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [edx]
		mov	edx, [ecx]
		mov	ecx, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_14]
		mov	[edi+2Eh], ax
		mov	[edi], edx
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		push	4
		pop	ecx
		cmp	eax, ecx
		jnz	loc_4AD776

loc_4AD6BB:				; CODE XREF: MiInitializePoolCommitPacket+EBj
					; MiInitializePoolCommitPacket+113928j	...
		and	dword ptr [edi+8], 0
		lea	ebx, [esi-1]
		and	dword ptr [edi+18h], 0
		add	ebx, edx
		shr	ebx, 9
		mov	esi, offset loc_7FFFF8
		and	ebx, esi
		shr	edx, 9
		add	ebx, 0C0000000h
		mov	dword ptr [edi+1Ch], offset unk_6D3B40
		and	edx, esi
		mov	[edi+20h], ebx
		mov	esi, [ebp+arg_C]
		sub	ebx, edx
		and	eax, 1Fh
		mov	dword ptr [edi+14h], 5
		add	ebx, 40000000h
		mov	ecx, eax
		shl	ecx, 3
		sar	ebx, 3
		inc	ebx
		mov	[edi+2Eh], cx
		test	[ebp+arg_8], 1
		jnz	short loc_4AD749
		mov	ecx, [ebp+arg_0]
		test	ecx, 20000000h
		jnz	loc_5C0FD6
		push	esi
		mov	edx, ebx
		call	MiGetPoolPages
		mov	[edi+8], eax

loc_4AD729:				; CODE XREF: MiInitializePoolCommitPacket+E6j
		test	eax, eax
		jz	loc_5C100E

loc_4AD731:				; CODE XREF: MiInitializePoolCommitPacket+113991j
		xor	eax, eax
		mov	[edi+4], ebx
		mov	[edi+0Ch], eax
		mov	[edi+28h], esi
		mov	[edi+24h], eax
		mov	[edi+10h], eax

loc_4AD742:				; CODE XREF: MiInitializePoolCommitPacket+113985j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_4AD749:				; CODE XREF: MiInitializePoolCommitPacket+7Fj
		push	2
		pop	eax
		or	ecx, eax
		test	[ebp+arg_8], 20h
		mov	[edi+2Eh], cx
		jnz	short loc_4AD784
		push	6
		mov	eax, offset unk_6D3840
		pop	ecx

loc_4AD760:				; CODE XREF: MiInitializePoolCommitPacket+113j
		mov	[edi+14h], ecx
		mov	edx, ebx
		push	1
		mov	ecx, offset _MiSystemPartition
		mov	[edi+1Ch], eax
		call	MiChargeCommit
		jmp	short loc_4AD729
; 

loc_4AD776:				; CODE XREF: MiInitializePoolCommitPacket+27j
		cmp	eax, 6
		jz	loc_4AD6BB
		jmp	loc_5C0FB3
; 

loc_4AD784:				; CODE XREF: MiInitializePoolCommitPacket+C8j
		mov	[edi+18h], eax
		xor	ecx, ecx
		mov	eax, large fs:124h
		inc	ecx
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		add	eax, 0C0h
		jmp	short loc_4AD760
MiInitializePoolCommitPacket endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpEnvAllocVA proc near		; CODE XREF: RtlpHpAllocVA+DEp
					; RtlpCSparseBitmapPageCommit+9Dp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005C1024 SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ecx
		push	esi
		push	edi
		test	ebx, ebx
		jnz	short loc_4AD7BC
		inc	ebx

loc_4AD7BC:				; CODE XREF: RtlpHpEnvAllocVA+15j
		mov	edi, [ebp+arg_4]
		mov	ecx, 20001000h
		mov	eax, edi
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_4AD837
		mov	ecx, [ebp+arg_10]

loc_4AD7CF:				; CODE XREF: RtlpHpEnvAllocVA+96j
		mov	eax, [ebp+arg_18]
		and	edi, 0FFEFFFFFh
		mov	esi, [edx]
		inc	eax
		or	edi, eax
		test	edi, 2000h
		jnz	short loc_4AD856
		mov	[ebp+arg_4], esi

loc_4AD7E8:				; CODE XREF: RtlpHpEnvAllocVA+C9j
					; RtlpHpEnvAllocVA+113886j
		mov	edx, 200h
		test	ecx, ecx
		jz	short loc_4AD83C
		mov	ecx, edx

loc_4AD7F3:				; CODE XREF: RtlpHpEnvAllocVA+A4j
		test	byte ptr [ebp+arg_8], 60h
		jnz	short loc_4AD84A

loc_4AD7F9:				; CODE XREF: RtlpHpEnvAllocVA+B0j
		test	edi, 40000h
		jnz	loc_4AD8C4

loc_4AD805:				; CODE XREF: RtlpHpEnvAllocVA+12Cj
		mov	eax, [ebp+var_4]
		lea	edx, [ebp+arg_4]
		push	ecx
		push	[ebp+arg_8]
		lea	ecx, [ebp+arg_0]
		mov	eax, [eax]
		push	edi
		mov	[ebp+arg_0], eax
		call	MmAllocatePoolMemory
		mov	ecx, eax
		mov	[ebp+arg_18], ecx
		test	ecx, ecx
		js	short loc_4AD82E
		test	edi, 2000h
		jnz	short loc_4AD878

loc_4AD82E:				; CODE XREF: RtlpHpEnvAllocVA+80j
					; RtlpHpEnvAllocVA+11Bj
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	1Ch
; 

loc_4AD837:				; CODE XREF: RtlpHpEnvAllocVA+26j
		push	2
		pop	ecx
		jmp	short loc_4AD7CF
; 

loc_4AD83C:				; CODE XREF: RtlpHpEnvAllocVA+4Bj
		mov	ecx, [ebp+arg_C]
		dec	ecx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 20h
		inc	ecx
		jmp	short loc_4AD7F3
; 

loc_4AD84A:				; CODE XREF: RtlpHpEnvAllocVA+53j
		mov	eax, ecx
		sub	eax, edx
		neg	eax
		sbb	eax, eax
		and	ecx, eax
		jmp	short loc_4AD7F9
; 

loc_4AD856:				; CODE XREF: RtlpHpEnvAllocVA+3Fj
		lea	eax, [esi-1]
		mov	edx, 1FFFFFh
		and	eax, edx
		sub	esi, eax
		add	esi, edx
		mov	[ebp+arg_4], esi
		cmp	ebx, 200000h
		jbe	loc_4AD7E8
		jmp	loc_5C1024
; 

loc_4AD878:				; CODE XREF: RtlpHpEnvAllocVA+88j
		mov	ecx, [ebp+arg_0]
		mov	[ebp+arg_10], ecx
		lea	edx, [ecx-1]
		add	edx, ebx
		neg	ebx
		and	edx, ebx
		mov	ebx, 8000h
		mov	edi, edx
		mov	[ebp+arg_0], edx
		sub	edi, ecx
		mov	[ebp+arg_8], edi
		jnz	loc_5C102F
		mov	ecx, [ebp+arg_18]

loc_4AD89F:				; CODE XREF: RtlpHpEnvAllocVA+11389Fj
		lea	eax, [edx+esi]
		mov	[ebp+arg_10], eax
		mov	eax, [ebp+arg_4]
		sub	eax, edi
		sub	eax, esi
		mov	[ebp+arg_8], eax
		jnz	loc_5C1048

loc_4AD8B5:				; CODE XREF: RtlpHpEnvAllocVA+1138B5j
		mov	eax, [ebp+var_4]
		mov	[eax], edx
		mov	eax, [ebp+var_8]
		mov	[eax], esi
		jmp	loc_4AD82E
; 

loc_4AD8C4:				; CODE XREF: RtlpHpEnvAllocVA+5Bj
		and	edi, 0FFFBFFFFh
		or	ecx, 80000000h
		jmp	loc_4AD805
RtlpHpEnvAllocVA endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmAllocatePoolMemory proc near		; CODE XREF: RtlpHpEnvAllocVA+74p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C105E SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [esp+54h+var_30]
		mov	edi, ecx
		push	0		; int
		push	eax		; void *
		mov	ebx, edx
		mov	[esp+5Ch+var_34], edi
		call	_memset
		mov	edx, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, edx
		and	eax, 7Fh
		jz	loc_5C107B
		movzx	ecx, ds:_KeNumberNodes
		cmp	eax, ecx
		ja	loc_5C107B
		mov	ecx, [ebp+arg_8]
		lea	esi, [eax-1]
		and	edx, 0FFFFFF80h
		mov	eax, edx
		mov	[ebp+arg_0], edx
		and	eax, 2000h
		mov	[esp+50h+var_40], eax
		mov	eax, ecx
		and	eax, 1
		cmp	[esp+50h+var_40], 0
		mov	[esp+50h+var_38], eax
		jnz	short loc_4AD9A1

loc_4AD941:				; CODE XREF: MmAllocatePoolMemory+103j
		xor	edi, edi
		test	edx, 1000h
		jz	short loc_4AD996
		test	eax, eax
		jnz	short loc_4AD952
		and	ecx, 0FFFFFFDFh

loc_4AD952:				; CODE XREF: MmAllocatePoolMemory+77j
		lea	eax, [esp+50h+var_30]
		push	eax
		push	ecx
		push	esi
		mov	esi, [esp+5Ch+var_34]
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, esi
		push	edx
		mov	edx, ebx
		call	MiInitializePoolCommitPacket
		mov	edi, eax
		test	edi, edi
		js	loc_5C105E
		lea	ecx, [esp+50h+var_30]
		call	MiCommitPoolMemory
		mov	edi, eax
		test	edi, edi
		js	loc_5C105E

loc_4AD988:				; CODE XREF: MmAllocatePoolMemory+1137A0j
		mov	eax, [ebx]
		add	eax, 0FFFh
		and	eax, 0FFFFF000h
		mov	[ebx], eax

loc_4AD996:				; CODE XREF: MmAllocatePoolMemory+73j
		mov	eax, edi

loc_4AD998:				; CODE XREF: MmAllocatePoolMemory+112j
					; MmAllocatePoolMemory+1137AAj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4AD9A1:				; CODE XREF: MmAllocatePoolMemory+69j
		and	dword ptr [edi], 0
		mov	edx, [ebx]
		mov	[esp+50h+var_3C], edx
		test	eax, eax
		jz	short loc_4AD9DE
		mov	eax, ecx
		and	al, 20h
		movzx	edx, al
		neg	edx
		sbb	edx, edx
		and	edx, 0FFFFFFFBh
		add	edx, 6

loc_4AD9BF:				; CODE XREF: MmAllocatePoolMemory+10Bj
		push	esi
		push	[esp+54h+var_3C]
		call	_MiReservePoolMemory@16	; MiReservePoolMemory(x,x,x,x)
		test	eax, eax
		jz	short loc_4AD9E3
		mov	ecx, [ebp+arg_8]
		mov	edx, [ebp+arg_0]
		mov	[edi], eax
		mov	eax, [esp+50h+var_38]
		jmp	loc_4AD941
; 

loc_4AD9DE:				; CODE XREF: MmAllocatePoolMemory+D6j
		push	5
		pop	edx
		jmp	short loc_4AD9BF
; 

loc_4AD9E3:				; CODE XREF: MmAllocatePoolMemory+F5j
		mov	eax, 0C0000017h
		jmp	short loc_4AD998
MmAllocatePoolMemory endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCountSystemPool proc near		; CODE XREF: MmFreePoolMemory+AFp
					; MiCommitPoolMemory+C0p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C1085 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		cmp	ecx, 5
		jnz	short loc_4ADA2D
		mov	esi, offset dword_6CF344

loc_4AD9FB:				; CODE XREF: MiCountSystemPool+4Dj
					; MiCountSystemPool+8Cj ...
		cmp	[ebp+arg_0], 1
		jnz	short loc_4ADA39

loc_4ADA01:				; CODE XREF: MiCountSystemPool+84j
		mov	eax, edx
		lock xadd [esi], eax
		lea	esi, [eax+edx]
		cmp	ecx, 5
		jnz	short loc_4ADA27
		call	MiFreePoolPagesLeft
		add	eax, esi
		mov	ecx, eax
		sub	ecx, esi
		cmp	esi, eax
		sbb	eax, eax
		and	eax, ecx
		cmp	eax, 300h
		jb	short loc_4ADA78

loc_4ADA27:				; CODE XREF: MiCountSystemPool+23j
					; MiCountSystemPool+55j ...
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4ADA2D:				; CODE XREF: MiCountSystemPool+Aj
		cmp	ecx, 6
		jnz	short loc_4ADA41
		mov	esi, offset dword_6D35D4
		jmp	short loc_4AD9FB
; 

loc_4ADA39:				; CODE XREF: MiCountSystemPool+15j
		neg	edx
		lock xadd [esi], edx
		jmp	short loc_4ADA27
; 

loc_4ADA41:				; CODE XREF: MiCountSystemPool+46j
		cmp	ecx, 1
		jnz	loc_5C1085

loc_4ADA4A:				; CODE XREF: MiCountSystemPool+11369Ej
		cmp	[ebp+arg_0], 1
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		lea	esi, [eax+6Ch]
		lea	edi, [eax+20h]
		mov	eax, edx
		jnz	short loc_4ADA70
		lock xadd [edi], eax
		jmp	short loc_4ADA01
; 

loc_4ADA70:				; CODE XREF: MiCountSystemPool+7Ej
		neg	eax
		lock xadd [edi], eax
		jmp	short loc_4AD9FB
; 

loc_4ADA78:				; CODE XREF: MiCountSystemPool+3Bj
		call	_MiFreeExcessSegments@0	; MiFreeExcessSegments()
		jmp	short loc_4ADA27
MiCountSystemPool endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReturnExcessPoolCommit proc near	; CODE XREF: MiCommitPoolMemory+C7p

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch

; FUNCTION CHUNK AT 005C1095 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		movzx	eax, word ptr [esi+2Eh]
		test	al, 2
		jnz	short loc_4ADAB0
		test	al, 4
		jnz	loc_5C1095
		test	eax, 100h
		jnz	short loc_4ADAAB
		mov	ecx, [esi+8]
		test	ecx, ecx
		jnz	short loc_4ADAC8

loc_4ADAAB:				; CODE XREF: MiReturnExcessPoolCommit+22j
					; MiReturnExcessPoolCommit+38j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4ADAB0:				; CODE XREF: MiReturnExcessPoolCommit+13j
		mov	eax, [esi+0Ch]
		mov	edx, [esi+4]
		cmp	eax, edx
		jz	short loc_4ADAAB
		sub	edx, eax
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		jmp	short loc_4ADAAB
; 

loc_4ADAC8:				; CODE XREF: MiReturnExcessPoolCommit+29j
		xor	edx, edx
		call	MiReturnPhysicalPoolPages
		jmp	short loc_4ADAAB
MiReturnExcessPoolCommit endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiUnlockPoolCommitWs(x)
_MiUnlockPoolCommitWs@4	proc near	; CODE XREF: MiFillPoolCommitPageTable+124p
					; MiCommitPoolMemory+8Fp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi+24h]
		test	edx, edx
		jz	short loc_4ADAEA
		mov	ecx, [esi+1Ch]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		and	dword ptr [esi+24h], 0

loc_4ADAEA:				; CODE XREF: MiUnlockPoolCommitWs(x)+Aj
		mov	ecx, [esi+1Ch]
		mov	dl, 2
		call	MiUnlockWorkingSetShared
		mov	cl, [esi+2Ch]
		pop	esi
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiUnlockPoolCommitWs@4	endp


;  S U B	R O U T	I N E 


MiCommitPoolMemory proc	near		; CODE XREF: MmAllocatePoolMemory+A3p

; FUNCTION CHUNK AT 005C10D0 SIZE 00000085 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	cl, 2
		push	edi
		mov	edi, [esi]
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h

loc_4ADB18:				; CODE XREF: MiCommitPoolMemory+109j
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [esi+1Ch]
		mov	[esi+2Ch], al
		call	MiLockWorkingSetShared

loc_4ADB29:				; CODE XREF: MiCommitPoolMemory+84j
		xor	ebx, ebx
		cmp	edi, [esi+20h]
		ja	short loc_4ADB84
		mov	edx, [esi+24h]
		test	edx, edx
		jnz	loc_4ADC12

loc_4ADB3B:				; CODE XREF: MiCommitPoolMemory+11Fj
		cmp	byte ptr [esi+2Ch], 2
		jnb	short loc_4ADB5E
		mov	ecx, [esi+1Ch]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	loc_4ADC22
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	loc_4ADC22

loc_4ADB5E:				; CODE XREF: MiCommitPoolMemory+41j
					; MiCommitPoolMemory+13Ej
		mov	ebx, edi
		mov	edx, edi
		mov	ecx, esi
		and	ebx, 0FFFFF000h
		call	MiLockPoolCommitPageTable
		mov	ecx, esi
		test	eax, eax
		jz	short loc_4ADBD0
		mov	edx, edi
		call	MiLinkPoolCommitChain
		lea	edi, [ebx+1000h]
		jmp	short loc_4ADB29
; 

loc_4ADB84:				; CODE XREF: MiCommitPoolMemory+30j
					; MiCommitPoolMemory+1135ECj
		mov	ecx, esi
		call	MiFillPoolCommitPageTable
		mov	ecx, esi
		call	_MiUnlockPoolCommitWs@4	; MiUnlockPoolCommitWs(x)
		movzx	ecx, word ptr [esi+2Eh]
		test	cl, 1
		jnz	loc_5C1102
		test	ecx, 104h
		jnz	short loc_4ADBB4
		test	ds:byte_70EFC4,	1
		jnz	loc_5C10EF

loc_4ADBB4:				; CODE XREF: MiCommitPoolMemory+A7j
					; MiCommitPoolMemory+1135FFj
		mov	edx, [esi+0Ch]
		xor	eax, eax
		mov	ecx, [esi+14h]
		inc	eax
		push	eax
		call	MiCountSystemPool

loc_4ADBC3:				; CODE XREF: MiCommitPoolMemory+113652j
		mov	ecx, esi
		call	MiReturnExcessPoolCommit
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
; 

loc_4ADBD0:				; CODE XREF: MiCommitPoolMemory+75j
		call	_MiUnlockPoolCommitWs@4	; MiUnlockPoolCommitWs(x)
		movzx	ecx, word ptr [esi+2Eh]
		lea	edx, [ebx+0FF8h]
		mov	eax, [esi+20h]
		and	ecx, 4
		or	ecx, 400h
		shr	ecx, 1
		cmp	edx, eax
		jbe	short loc_4ADBF3
		mov	edx, eax

loc_4ADBF3:				; CODE XREF: MiCommitPoolMemory+F1j
		mov	eax, [esi+28h]
		inc	eax
		push	eax
		push	dword ptr [esi+14h]
		push	ecx
		mov	ecx, edi
		call	MiMakeZeroedPageTablesEx
		mov	cl, 2
		test	eax, eax
		jnz	loc_4ADB18
		jmp	loc_5C10D0
; 

loc_4ADC12:				; CODE XREF: MiCommitPoolMemory+37j
		mov	ecx, [esi+1Ch]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	[esi+24h], ebx
		jmp	loc_4ADB3B
; 

loc_4ADC22:				; CODE XREF: MiCommitPoolMemory+4Dj
					; MiCommitPoolMemory+5Aj
		mov	ecx, esi
		call	_MiUnlockPoolCommitWs@4	; MiUnlockPoolCommitWs(x)
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [esi+1Ch]
		mov	[esi+2Ch], al
		call	MiLockWorkingSetShared
		jmp	loc_4ADB5E
MiCommitPoolMemory endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiUnlockSystemVa(x)
_MiUnlockSystemVa@4 proc near		; CODE XREF: MmAccessFault+53Dp
					; .text:004B0121p ...
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		test	byte ptr [esi+4], 2
		jz	short loc_4ADC68

loc_4ADC51:				; CODE XREF: MiUnlockSystemVa(x)+2Bj
					; MiUnlockSystemVa(x)+47j
		cmp	[esi+18h], edi
		jz	short loc_4ADC64
		push	edi
		mov	dl, 21h
		lea	ecx, [esi+18h]
		call	_MiReleaseFaultState@12	; MiReleaseFaultState(x,x,x)
		mov	[esi+18h], edi

loc_4ADC64:				; CODE XREF: MiUnlockSystemVa(x)+12j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_4ADC68:				; CODE XREF: MiUnlockSystemVa(x)+Dj
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jz	short loc_4ADC51
		cmp	[esi+18h], edi
		jz	short loc_4ADC7F
		lea	ecx, [esi+18h]
		call	MiUnlockFaultPageTable
		mov	ecx, [esi+14h]

loc_4ADC7F:				; CODE XREF: MiUnlockSystemVa(x)+30j
		xor	edx, edx
		call	_MiRecycleSystemRegionVa@8 ; MiRecycleSystemRegionVa(x,x)
		mov	[esi+14h], edi
		jmp	short loc_4ADC51
_MiUnlockSystemVa@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReleaseFaultState(x, x, x)
_MiReleaseFaultState@12	proc near	; CODE XREF: MiWaitForCollidedFaultComplete+A7p
					; .text:00468096p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		push	edi
		mov	eax, [esi+0Ch]
		mov	edi, [esi]
		mov	[ebp+var_4], eax
		call	MiUnlockFaultPageTable
		mov	ecx, [ebp+arg_0]
		mov	al, [esi+8]
		test	ecx, ecx
		jnz	short loc_4ADCCC
		mov	bl, al

loc_4ADCB3:				; CODE XREF: MiReleaseFaultState(x,x,x)+42j
		test	byte ptr [esi+9], 1
		mov	dl, bl
		mov	ecx, edi
		jnz	short loc_4ADCD0
		call	MiUnlockWorkingSetShared

loc_4ADCC2:				; CODE XREF: MiReleaseFaultState(x,x,x)+49j
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4ADCCC:				; CODE XREF: MiReleaseFaultState(x,x,x)+23j
		mov	[ecx], al
		jmp	short loc_4ADCB3
; 

loc_4ADCD0:				; CODE XREF: MiReleaseFaultState(x,x,x)+2Fj
		call	MiUnlockWorkingSetExclusive
		jmp	short loc_4ADCC2
_MiReleaseFaultState@12	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockPoolCommitPageTable proc near	; CODE XREF: MiFillPoolCommitPageTable+150p
					; MiCommitPoolMemory+6Cp

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C1155 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		lea	ecx, [ebp+var_4]
		push	esi
		push	edi
		mov	esi, edx
		mov	eax, [ebx+1Ch]
		mov	edi, esi
		push	ecx
		mov	ecx, eax
		shl	edi, 9
		mov	[ebp+var_C], eax
		call	MiLockLowestValidPageTable
		mov	edx, eax
		mov	eax, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_4ADD21
		xor	esi, esi
		inc	esi
		test	byte ptr [ebx+2Eh], 4
		jnz	loc_5C1155

loc_4ADD17:				; CODE XREF: MiLockPoolCommitPageTable+83j
					; MiLockPoolCommitPageTable+87j ...
		pop	edi
		mov	eax, esi
		mov	[ebx+24h], edx
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4ADD21:				; CODE XREF: MiLockPoolCommitPageTable+30j
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		cmp	eax, esi
		jnz	short loc_4ADD6D
		mov	ecx, [eax]
		nop
		mov	eax, ecx
		xor	esi, esi
		and	eax, 1
		or	eax, esi
		jnz	loc_5C1170

loc_4ADD46:				; CODE XREF: MiLockPoolCommitPageTable+1134B0j
		mov	ax, [ebx+2Eh]
		and	ax, 4
		movzx	esi, ax
		neg	esi
		sbb	esi, esi
		and	esi, 2
		test	ax, ax
		jnz	short loc_4ADD17

loc_4ADD5D:				; CODE XREF: MiLockPoolCommitPageTable+97j
		test	edx, edx
		jz	short loc_4ADD17
		mov	ecx, [ebp+var_C]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	edx, edx
		jmp	short loc_4ADD17
; 

loc_4ADD6D:				; CODE XREF: MiLockPoolCommitPageTable+5Aj
		xor	esi, esi
		jmp	short loc_4ADD5D
MiLockPoolCommitPageTable endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiComputeDataFlushRange(x, x, x, x,	x, x)
_MiComputeDataFlushRange@24 proc near	; CODE XREF: MmPurgeSection+ACp
					; MiComputeFlushRange(x,x,x,x,x)+3Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		xor	ecx, ecx
		mov	[ebp+var_8], edi
		cmp	[edi+10h], ecx
		jz	loc_4ADEF3
		mov	eax, [ebp+arg_0]
		lea	esi, [edi+50h]
		xor	edx, edx
		inc	edx
		test	eax, eax
		jz	loc_4ADEBE
		mov	ebx, [eax]
		mov	ecx, edi
		mov	eax, [eax+4]
		push	eax
		push	ebx
		mov	[ebp+var_C], eax
		call	_MiLocateSubsectionNode@16 ; MiLocateSubsectionNode(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_4ADEF3
		mov	edx, [ebp+var_C]
		xor	ecx, ecx
		or	ecx, [esi+14h]
		shrd	ebx, edx, 0Ch
		mov	edx, [ebp+arg_4]
		sub	ebx, ecx
		mov	[ebp+var_C], ebx
		test	edx, edx
		jz	loc_4ADF76
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		add	edx, [ecx]
		adc	eax, [ecx+4]
		sub	edx, 1
		mov	ebx, edx
		sbb	eax, 0
		push	eax
		mov	ecx, eax
		push	edx
		shrd	ebx, ecx, 0Ch
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_MiLocateSubsectionNode@16 ; MiLocateSubsectionNode(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_4ADF73
		xor	ecx, ecx
		or	ecx, [edi+14h]
		sub	ebx, ecx

loc_4ADE0D:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+166j
		cmp	dword ptr [esi+40h], 0
		jz	loc_4ADEE3
		mov	ecx, esi
		call	_MiReferenceSubsection@8 ; MiReferenceSubsection(x,x)
		cmp	eax, 1
		jle	loc_4ADEE3
		mov	eax, [esi+4]
		mov	ecx, [ebp+var_C]
		and	[ebp+arg_0], 0
		lea	eax, [eax+ecx*8]

loc_4ADE34:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+1FCj
		cmp	dword ptr [edi+40h], 0
		mov	[ebp+arg_4], eax
		jz	loc_4ADF09
		mov	ecx, edi
		call	_MiReferenceSubsection@8 ; MiReferenceSubsection(x,x)
		cmp	eax, 1
		jle	loc_4ADF09

loc_4ADE51:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+1B7j
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		push	4
		pop	edx
		inc	dword ptr [eax+14h]
		call	_MiBuildWakeList@8 ; MiBuildWakeList(x,x)
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_C], eax
		call	_MiRemoveUnusedSegment@4 ; MiRemoveUnusedSegment(x)
		cmp	[ebp+arg_8], 1
		mov	eax, [ebp+var_8]
		jz	short loc_4ADEDD

loc_4ADE75:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+16Fj
		add	eax, 24h
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_C]
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_8]
		mov	[ecx+4], eax
		mov	eax, [edi+4]
		mov	[ecx], edx
		mov	[ecx+0Ch], esi
		mov	[ecx+10h], edi
		lea	eax, [eax+ebx*8]
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_0]
		mov	[ecx+14h], eax
		mov	eax, 103h

loc_4ADEB7:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+195j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_4ADEBE:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+29j
		mov	[ebp+var_C], ecx

loc_4ADEC1:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+207j
		mov	ecx, edi
		call	_MiFindLastSubsection@8	; MiFindLastSubsection(x,x)
		mov	edi, eax
		mov	eax, [edi+24h]
		mov	ebx, [edi+1Ch]
		and	eax, 3FFFFFFFh
		sub	ebx, eax
		dec	ebx
		jmp	loc_4ADE0D
; 

loc_4ADEDD:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+101j
		or	dword ptr [eax+1Ch], 4
		jmp	short loc_4ADE75
; 

loc_4ADEE3:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+9Fj
					; MiComputeDataFlushRange(x,x,x,x,x,x)+AFj
		mov	eax, [esi+1Ch]
		sub	eax, [ebp+var_C]

loc_4ADEE9:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+1EBj
		mov	[ebp+arg_0], eax
		cmp	esi, edi
		jnz	short loc_4ADF4D

loc_4ADEF0:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+1E0j
		mov	edi, [ebp+var_8]

loc_4ADEF3:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+18j
					; MiComputeDataFlushRange(x,x,x,x,x,x)+44j
		lea	eax, [edi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		jmp	short loc_4ADEB7
; 

loc_4ADF09:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+C9j
					; MiComputeDataFlushRange(x,x,x,x,x,x)+D9j
		mov	eax, [esi+8]
		xor	ecx, ecx
		cmp	eax, edi
		jnz	short loc_4ADF2E

loc_4ADF12:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+1CFj
		mov	edi, esi

loc_4ADF14:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+1CDj
		mov	ecx, edi
		call	_MiReferenceSubsection@8 ; MiReferenceSubsection(x,x)
		mov	eax, [edi+24h]
		mov	ebx, [edi+1Ch]
		and	eax, 3FFFFFFFh
		sub	ebx, eax
		dec	ebx
		jmp	loc_4ADE51
; 

loc_4ADF2E:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+19Ej
					; MiComputeDataFlushRange(x,x,x,x,x,x)+1C7j
		cmp	dword ptr [eax+40h], 0
		jnz	short loc_4ADF43

loc_4ADF34:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+1D5j
					; MiComputeDataFlushRange(x,x,x,x,x,x)+1D9j
		mov	eax, [eax+8]
		cmp	eax, edi
		jnz	short loc_4ADF2E
		mov	edi, ecx
		test	ecx, ecx
		jnz	short loc_4ADF14
		jmp	short loc_4ADF12
; 

loc_4ADF43:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+1C0j
		cmp	dword ptr [eax+4], 0
		jz	short loc_4ADF34
		mov	ecx, eax
		jmp	short loc_4ADF34
; 

loc_4ADF4D:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+17Cj
		mov	esi, [esi+8]
		test	esi, esi
		jz	short loc_4ADEF0
		cmp	dword ptr [esi+40h], 0
		jnz	short loc_4ADF5F

loc_4ADF5A:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+20Fj
		add	eax, [esi+1Ch]
		jmp	short loc_4ADEE9
; 

loc_4ADF5F:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+1E6j
		mov	ecx, esi
		call	_MiReferenceSubsection@8 ; MiReferenceSubsection(x,x)
		cmp	eax, 1
		jle	short loc_4ADF7E
		mov	eax, [esi+4]
		jmp	loc_4ADE34
; 

loc_4ADF73:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+8Ej
		mov	edi, [ebp+var_8]

loc_4ADF76:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+60j
		xor	edx, edx
		inc	edx
		jmp	loc_4ADEC1
; 

loc_4ADF7E:				; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+1F7j
		mov	eax, [ebp+arg_0]
		jmp	short loc_4ADF5A
_MiComputeDataFlushRange@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReferenceSubsection(x, x)
_MiReferenceSubsection@8 proc near	; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+A7p
					; MiComputeDataFlushRange(x,x,x,x,x,x)+D1p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	dword ptr [esi+4], 0
		mov	edi, [esi]
		jz	short loc_4ADFD4
		mov	eax, [edi+20h]
		push	ebx
		mov	[ebp+var_4], eax
		call	MiIncrementSubsectionViewCount
		mov	ebx, eax
		xor	eax, eax
		inc	eax
		cmp	ebx, eax
		jle	short loc_4ADFC1
		cmp	[ebp+var_4], 0
		jz	short loc_4ADFC1
		test	byte ptr [edi+1Ch], 20h
		jnz	short loc_4ADFC1
		test	byte ptr [esi+12h], 8
		jnz	short loc_4ADFC8

loc_4ADFBD:				; CODE XREF: MiReferenceSubsection(x,x)+4Ej
		or	[esi+10h], ax

loc_4ADFC1:				; CODE XREF: MiReferenceSubsection(x,x)+25j
					; MiReferenceSubsection(x,x)+2Bj ...
		mov	eax, ebx
		pop	ebx

loc_4ADFC4:				; CODE XREF: MiReferenceSubsection(x,x)+53j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4ADFC8:				; CODE XREF: MiReferenceSubsection(x,x)+37j
		mov	ecx, esi
		call	_MiRemoveUnusedSubsection@4 ; MiRemoveUnusedSubsection(x)
		xor	eax, eax
		inc	eax
		jmp	short loc_4ADFBD
; 

loc_4ADFD4:				; CODE XREF: MiReferenceSubsection(x,x)+10j
		xor	eax, eax
		inc	eax
		jmp	short loc_4ADFC4
_MiReferenceSubsection@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


MiIncrementSubsectionViewCount proc near ; CODE	XREF: MiFlushSectionInternal+1BFp
					; MmPurgeSection+10Ep ...

; FUNCTION CHUNK AT 005C1190 SIZE 00000018 BYTES

		mov	eax, [ecx]
		test	byte ptr [eax+1Ch], 20h
		jnz	short loc_4ADFF9
		xor	edx, edx
		cmp	[eax+20h], edx
		jz	short loc_4ADFF9
		test	byte ptr [ecx+12h], 1
		jnz	short loc_4ADFF9
		add	dword ptr [ecx+3Ch], 1
		jz	loc_5C1190

loc_4ADFF9:				; CODE XREF: MiIncrementSubsectionViewCount+6j
					; MiIncrementSubsectionViewCount+Dj ...
		push	2
		pop	eax
		retn
MiIncrementSubsectionViewCount endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLocateSubsectionNode(x, x, x, x)
_MiLocateSubsectionNode@16 proc	near	; CODE XREF: MiGetProtoPteAddress+1C6p
					; MiComputeDataFlushRange(x,x,x,x,x,x)+3Bp ...

var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		push	ebx
		push	esi
		push	edi
		push	54h		; size_t
		lea	eax, [ebp+var_70]
		mov	[ebp+var_4], ecx
		push	0		; int
		push	eax		; void *
		mov	ebx, edx
		call	_memset
		mov	esi, [ebp+arg_4]
		add	esp, 0Ch
		cmp	esi, 3FFFFFh
		ja	loc_4AE116
		mov	edi, [ebp+arg_0]
		jb	short loc_4AE040
		cmp	edi, 0FFFFF000h
		jnb	loc_4AE116

loc_4AE040:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+32j
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+24h]
		mov	[ebp+var_8], ecx
		cmp	ebx, 1
		jz	loc_4AE0D7
		push	ecx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	byte ptr [ebp+arg_4+3],	al
		mov	eax, [ebp+var_4]

loc_4AE05E:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+DBj
		mov	ebx, [eax+0ACh]
		xor	ecx, ecx
		shrd	edi, esi, 0Ch
		shr	esi, 0Ch
		mov	ax, [ebx+10h]
		shr	ax, 6
		movzx	eax, ax
		cdq
		mov	edx, [ebx+18h]
		mov	[ebp+var_C], eax
		xor	eax, eax
		or	eax, [ebx+14h]
		add	edx, eax
		mov	[ebp+var_14], esi
		adc	ecx, [ebp+var_C]
		add	edx, 0FFFFFFFFh
		adc	ecx, 0FFFFFFFFh
		cmp	word ptr [ebx+12h], 10h
		jnb	short loc_4AE0DD

loc_4AE099:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+E3j
		mov	[ebp+var_18], edi
		mov	word ptr [ebp+var_14], si
		cmp	esi, [ebp+var_C]
		jb	short loc_4AE0E5
		ja	short loc_4AE0AB
		cmp	edi, eax
		jb	short loc_4AE0E5

loc_4AE0AB:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+A5j
		cmp	esi, ecx
		ja	short loc_4AE0E5
		jb	short loc_4AE0B5
		cmp	edi, edx
		ja	short loc_4AE0E5

loc_4AE0B5:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+AFj
		cmp	byte ptr [ebp+arg_4+3],	21h
		jz	short loc_4AE0CC
		push	[ebp+var_8]
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4AE0CC:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+B9j
		mov	eax, ebx

loc_4AE0CE:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+118j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4AE0D7:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+4Cj
		mov	byte ptr [ebp+arg_4+3],	21h
		jmp	short loc_4AE05E
; 

loc_4AE0DD:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+97j
		add	edx, 1
		adc	ecx, 0
		jmp	short loc_4AE099
; 

loc_4AE0E5:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+A3j
					; MiLocateSubsectionNode(x,x,x,x)+A9j ...
		mov	eax, [ebp+var_60]
		mov	ebx, [ebp+var_4]
		and	eax, 3Fh
		mov	ecx, [ebp+var_14]
		shl	ecx, 6
		or	ecx, eax
		mov	[ebp+var_5C], edi
		mov	esi, [ebx+0A4h]
		movzx	eax, cx
		mov	word ptr [ebp+var_60], cx
		test	esi, esi
		jnz	short loc_4AE11A

loc_4AE10A:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+181j
					; MiLocateSubsectionNode(x,x,x,x)+185j
		mov	bl, byte ptr [ebp+arg_4+3]
		cmp	bl, 21h
		jnz	loc_4AE1B3

loc_4AE116:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+29j
					; MiLocateSubsectionNode(x,x,x,x)+3Aj ...
		xor	eax, eax
		jmp	short loc_4AE0CE
; 

loc_4AE11A:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+108j
		shr	ax, 6
		xor	ecx, ecx
		movzx	eax, ax
		or	ecx, edi
		cdq
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], eax
		lea	esp, [esp+0]

loc_4AE130:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+17Fj
		mov	cx, [esi-18h]
		xor	edi, edi
		or	edi, [esi-14h]
		shr	cx, 6
		movzx	eax, cx
		xor	ecx, ecx
		cdq
		mov	edx, [esi-10h]
		add	edx, edi
		adc	ecx, eax
		add	edx, 0FFFFFFFFh
		adc	ecx, 0FFFFFFFFh
		cmp	word ptr [esi-16h], 10h
		jb	short loc_4AE15D
		add	edx, 1
		adc	ecx, 0

loc_4AE15D:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+155j
		cmp	[ebp+var_4], ecx
		ja	short loc_4AE17A
		mov	ecx, [ebp+var_C]
		jb	short loc_4AE16B
		cmp	ecx, edx
		ja	short loc_4AE17A

loc_4AE16B:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+165j
		cmp	[ebp+var_4], eax
		ja	short loc_4AE183
		jb	short loc_4AE176
		cmp	ecx, edi
		jnb	short loc_4AE183

loc_4AE176:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+170j
		mov	esi, [esi]
		jmp	short loc_4AE17D
; 

loc_4AE17A:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+160j
					; MiLocateSubsectionNode(x,x,x,x)+169j
		mov	esi, [esi+4]

loc_4AE17D:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+178j
		test	esi, esi
		jnz	short loc_4AE130
		jmp	short loc_4AE10A
; 

loc_4AE183:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+16Ej
					; MiLocateSubsectionNode(x,x,x,x)+174j
		test	esi, esi
		jz	short loc_4AE10A
		add	esi, 0FFFFFFD8h
		mov	[ebx+0ACh], esi
		mov	bl, byte ptr [ebp+arg_4+3]
		cmp	bl, 21h
		jz	short loc_4AE1A8
		push	[ebp+var_8]
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4AE1A8:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+196j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4AE1B3:				; CODE XREF: MiLocateSubsectionNode(x,x,x,x)+110j
		push	[ebp+var_8]
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4AE116
_MiLocateSubsectionNode@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoPageReadEx	proc near		; CODE XREF: MiPageRead(x,x,x,x,x,x,x)+15p
					; MiIssueHardFaultIo+88p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005C11A8 SIZE 0000008A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[esp+28h+var_8], 0
		mov	edx, ecx
		mov	ecx, eax
		and	ecx, 1
		mov	[esp+28h+var_14], edx
		mov	[esp+28h+var_4], ecx
		jnz	loc_4AE35E

loc_4AE200:				; CODE XREF: IoPageReadEx+196j
		mov	ebx, ecx
		neg	ebx
		sbb	bl, bl
		and	bl, 4
		test	al, 2
		jnz	short loc_4AE210
		or	bl, 1

loc_4AE210:				; CODE XREF: IoPageReadEx+3Bj
		test	al, 8
		jnz	loc_5C11A0

loc_4AE218:				; CODE XREF: MiIncrementSubsectionViewCount+1131C9j
		push	edx
		call	IoGetRelatedDeviceObject
		mov	ecx, eax
		mov	eax, [ebp+arg_C]
		and	al, 4
		mov	[esp+28h+var_10], ecx
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3C0h
		add	eax, 43h
		mov	[esp+28h+var_18], eax
		cmp	bl, 4
		jnb	loc_4AE36B
		mov	esi, ecx
		mov	[esp+28h+var_C], ecx

loc_4AE24B:				; CODE XREF: IoPageReadEx+1A2j
		mov	eax, [ebp+4]
		mov	dl, [ecx+30h]
		mov	ecx, esi
		push	eax
		push	0
		call	IopAllocateIrpExReturn
		mov	esi, eax
		test	esi, esi
		jz	loc_5C11A8

loc_4AE265:				; CODE XREF: IoPageReadEx+112FFEj
					; IoPageReadEx+11303Fj
		mov	ecx, [esp+28h+var_14]
		call	_MmIsFileObjectAPagingFile@4 ; MmIsFileObjectAPagingFile(x)
		mov	edx, [esp+28h+var_18]
		test	eax, eax
		jnz	short loc_4AE290
		mov	ax, [edi+6]
		mov	ecx, 6
		bt	ax, cx
		setb	cl
		test	dl, 40h
		setnz	al
		test	cl, al
		jz	short loc_4AE294

loc_4AE290:				; CODE XREF: IoPageReadEx+A4j
		or	byte ptr [esi+27h], 20h

loc_4AE294:				; CODE XREF: IoPageReadEx+BEj
		mov	eax, [esi+60h]
		mov	ecx, large fs:124h
		sub	eax, 24h
		mov	[esp+28h+var_C], eax
		mov	[esi+8], edx
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		mov	ecx, eax
		cmp	ecx, 2
		jl	loc_4AE383

loc_4AE2B8:				; CODE XREF: IoPageReadEx+1BEj
					; IoPageReadEx+1FEj
		test	bl, 2
		jnz	loc_5C121F

loc_4AE2C1:				; CODE XREF: IoPageReadEx+113052j
					; IoPageReadEx+11305Dj
		mov	edx, [esp+28h+var_C]
		lea	eax, [ecx+1]
		mov	ebx, [ebp+arg_8]
		mov	ecx, [esp+28h+var_14]
		shl	eax, 11h
		or	eax, [esp+28h+var_18]
		mov	[esi+8], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+2Ch], eax
		mov	[esi+4], edi
		mov	byte ptr [esi+20h], 0
		mov	[esi+28h], ebx
		mov	eax, [edi+18h]
		add	eax, [edi+10h]
		mov	[esi+3Ch], eax
		mov	eax, large fs:124h
		mov	[esi+64h], ecx
		mov	[esi+50h], eax
		mov	[edx+18h], ecx
		mov	ecx, [ebp+arg_0]
		mov	byte ptr [edx],	3
		mov	eax, [edi+14h]
		mov	[edx+4], eax
		mov	eax, [ecx]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+4]
		mov	ecx, esi
		mov	[edx+10h], eax
		mov	eax, [ebp+arg_10]
		mov	edx, [esi+50h]
		test	eax, eax
		jnz	loc_4AE3D3
		call	IoSetDiskIoAttributionFromThread

loc_4AE32D:				; CODE XREF: IoPageReadEx+20Ej
		mov	ecx, [esp+28h+var_8]
		xor	eax, eax
		or	eax, ecx
		jnz	short loc_4AE377

loc_4AE337:				; CODE XREF: IoPageReadEx+1B1j
		mov	ecx, esi
		mov	[ebx+4], esi
		call	IopQueueThreadIrp
		call	_MmIsRecursiveIoFault@0	; MmIsRecursiveIoFault()
		test	al, al
		jnz	short loc_4AE393

loc_4AE34A:				; CODE XREF: IoPageReadEx+1DBj
		mov	ecx, [esp+28h+var_10]
		mov	edx, esi
		call	IofCallDriver

loc_4AE355:				; CODE XREF: IoPageReadEx+11304Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_4AE35E:				; CODE XREF: IoPageReadEx+2Aj
		mov	[esp+28h+var_8], 1
		jmp	loc_4AE200
; 

loc_4AE36B:				; CODE XREF: IoPageReadEx+6Fj
		or	esi, 0FFFFFFFFh
		mov	[esp+28h+var_C], esi
		jmp	loc_4AE24B
; 

loc_4AE377:				; CODE XREF: IoPageReadEx+165j
		push	ecx
		push	0
		mov	ecx, esi
		call	_IopSetDriverFlagsExtension@12 ; IopSetDriverFlagsExtension(x,x,x)
		jmp	short loc_4AE337
; 

loc_4AE383:				; CODE XREF: IoPageReadEx+E2j
		test	bl, 1
		jnz	short loc_4AE3AD

loc_4AE388:				; CODE XREF: IoPageReadEx+1E2j
					; IoPageReadEx+1F1j
		inc	_IoPagingReadLowPriorityCount
		jmp	loc_4AE2B8
; 

loc_4AE393:				; CODE XREF: IoPageReadEx+178j
		mov	ecx, large fs:124h
		mov	eax, [edi+14h]
		add	eax, 0FFFh
		shr	eax, 0Ch
		add	[ecx+328h], eax
		jmp	short loc_4AE34A
; 

loc_4AE3AD:				; CODE XREF: IoPageReadEx+1B6j
		cmp	byte ptr [esp+28h+var_4], 1
		jz	short loc_4AE388
		mov	eax, large fs:124h
		test	byte ptr [eax+304h], 40h
		jnz	short loc_4AE388
		inc	_IoPagingReadLowPriorityBumpedCount
		mov	ecx, 2
		jmp	loc_4AE2B8
; 

loc_4AE3D3:				; CODE XREF: IoPageReadEx+152j
		push	0
		push	edx
		mov	edx, [eax+0Ch]
		call	IopSetDiskIoAttributionExtension
		jmp	loc_4AE32D
IoPageReadEx	endp

; 
		align 8
; Exported entry 1424. MmIsRecursiveIoFault

;  S U B	R O U T	I N E 


; __stdcall MmIsRecursiveIoFault()
		public _MmIsRecursiveIoFault@0
_MmIsRecursiveIoFault@0	proc near	; CODE XREF: IoPageReadEx+171p
		mov	eax, large fs:124h
		cmp	byte ptr [eax+309h], 0
		jnz	short loc_4AE403
		cmp	byte ptr [eax+308h], 1
		jz	short loc_4AE403
		xor	al, al
		retn
; 

loc_4AE403:				; CODE XREF: MmIsRecursiveIoFault()+Dj
					; MmIsRecursiveIoFault()+16j
		mov	al, 1
		retn
_MmIsRecursiveIoFault@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmIsFileObjectAPagingFile(x)
_MmIsFileObjectAPagingFile@4 proc near	; CODE XREF: IoPageReadEx+99p
					; IoPageReadEx+112FDCp	...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, offset unk_6D3484
		mov	esi, ecx
		push	edi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	edx, dword_6D3480
		mov	[ebp+var_1], al
		jmp	short loc_4AE429
; 

loc_4AE427:				; CODE XREF: MmIsFileObjectAPagingFile(x)+2Aj
		mov	edx, [edx]

loc_4AE429:				; CODE XREF: MmIsFileObjectAPagingFile(x)+1Fj
					; MmIsFileObjectAPagingFile(x)+4Ej
		test	edx, edx
		jz	short loc_4AE434
		cmp	esi, [edx-78h]
		jb	short loc_4AE427
		ja	short loc_4AE451

loc_4AE434:				; CODE XREF: MmIsFileObjectAPagingFile(x)+25j
		xor	ebx, ebx
		test	edx, edx
		push	edi
		setnz	bl
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_4AE451:				; CODE XREF: MmIsFileObjectAPagingFile(x)+2Cj
		mov	edx, [edx+4]
		jmp	short loc_4AE429
_MmIsFileObjectAPagingFile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReacquireWalkLocks proc near		; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+D0p
					; MiQueryEPTAccessedState(x,x,x)+35p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C1232 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	edi, [esi+10h]
		jnz	short loc_4AE473
		mov	ecx, edi
		call	MiLockWorkingSetShared

loc_4AE473:				; CODE XREF: MiReacquireWalkLocks+14j
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		shl	edx, 9
		mov	ecx, edi
		call	MiLockLowestValidPageTable
		cmp	eax, ebx
		jnz	loc_5C1232
		and	byte ptr [esi+2], 0FEh
		xor	eax, eax
		mov	[esi+1Ch], ebx
		inc	eax

loc_4AE495:				; CODE XREF: MiReacquireWalkLocks+112DF8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
MiReacquireWalkLocks endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRelockFaultState proc	near		; CODE XREF: MiWaitForCollidedFaultComplete+F0p
					; MiIssueHardFault(x,x)+2BEp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C1253 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], eax
		push	edi
		mov	edi, [ebx]
		test	eax, eax
		jz	short loc_4AE4E8
		mov	ecx, edi
		call	MiLockWorkingSetShared
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		mov	[ebp+var_1], al
		lea	eax, [ebp+var_C]
		push	eax
		shl	edx, 9
		call	MiLockLowestValidPageTable
		mov	esi, eax
		cmp	esi, [ebp+var_8]
		jnz	loc_5C1253

loc_4AE4DC:				; CODE XREF: MiRelockFaultState+112DCCj
		test	esi, esi
		jz	short loc_4AE4E8

loc_4AE4E0:				; CODE XREF: MiRelockFaultState+66j
		pop	edi
		mov	[ebx+0Ch], esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4AE4E8:				; CODE XREF: MiRelockFaultState+18j
					; MiRelockFaultState+42j
		or	byte ptr [ebx+9], 1
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		jz	short loc_4AE504
		sub	edi, 0FFFFFF80h

loc_4AE4F8:				; CODE XREF: MiRelockFaultState+6Dj
		push	edi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [edi+4], 0
		jmp	short loc_4AE4E0
; 

loc_4AE504:				; CODE XREF: MiRelockFaultState+57j
		mov	edi, offset unk_6D3C40
		jmp	short loc_4AE4F8
MiRelockFaultState endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockWorkingSetOptimal(x, x, x)
_MiLockWorkingSetOptimal@12 proc near	; CODE XREF: MmUnmapViewInSystemCache+CBp
					; MiMarkPteDirty(x)+42p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		call	MiLockWorkingSetShared
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	0
		mov	[edx], al
		lea	edx, [edi-40000000h]
		call	MiLockPageTableInternal
		lea	eax, [edi-40000000h]
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_MiLockWorkingSetOptimal@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiEvictPageTableLock proc near		; CODE XREF: .text:00458B3Fp
					; .text:00458F03p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C126D SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	esi, edi
		cmp	edi, 0C0000000h
		jb	short loc_4AE579

loc_4AE566:				; CODE XREF: MiEvictPageTableLock+27j
		cmp	esi, 0C07FFFFFh
		ja	short loc_4AE579
		shl	esi, 9
		cmp	esi, 0C0000000h
		jnb	short loc_4AE566

loc_4AE579:				; CODE XREF: MiEvictPageTableLock+14j
					; MiEvictPageTableLock+1Cj
		push	0
		call	MiLockPageTableInternal
		cmp	esi, ds:_MmHighestUserAddress
		ja	short loc_4AE5CD
		mov	eax, large fs:124h
		mov	ecx, edi
		shr	ecx, 3
		and	ecx, 7FFh
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		cmp	word ptr [eax+ecx*2+190h], 0
		jnz	short loc_4AE625

loc_4AE5B0:				; CODE XREF: MiEvictPageTableLock+B5j
					; MiEvictPageTableLock+D3j
		push	[ebp+arg_8]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+arg_4]
		push	0
		call	MiUnlockNestedPageTableWritePte
		mov	eax, 1

loc_4AE5C6:				; CODE XREF: MiEvictPageTableLock+E0j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_4AE5CD:				; CODE XREF: MiEvictPageTableLock+36j
		mov	edx, [edi]
		nop
		mov	eax, [edi+4]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		cmp	word ptr [eax+ecx*4+10h], 1
		jnz	short loc_4AE625
		mov	eax, [ebp+arg_0]
		mov	esi, edi
		shl	esi, 9
		test	al, 1
		jnz	loc_5C126D

loc_4AE603:				; CODE XREF: MiEvictPageTableLock+112D38j
		test	al, 2
		jz	short loc_4AE5B0

loc_4AE607:				; CODE XREF: MiEvictPageTableLock+D1j
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		push	eax
		push	ecx
		call	_MiIsPoolPteInUse@8 ; MiIsPoolPteInUse(x,x)
		test	eax, eax
		jnz	short loc_4AE625
		add	esi, 8
		test	esi, 0FFFh
		jnz	short loc_4AE607
		jmp	short loc_4AE5B0
; 

loc_4AE625:				; CODE XREF: MiEvictPageTableLock+5Ej
					; MiEvictPageTableLock+A1j ...
		mov	edx, edi
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	eax, eax
		jmp	short loc_4AE5C6
MiEvictPageTableLock endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeSystemCacheRangeValid(x, x, x, x)
_MiMakeSystemCacheRangeValid@16	proc near ; CODE XREF: .text:0045CDB1p
					; .text:0045D315p ...

var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_C9		= byte ptr -0C9h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_10C], eax
		mov	edi, edx
		xor	eax, eax
		mov	[ebp+var_D4], edi
		push	40h		; size_t
		push	eax		; int
		mov	[ebp+var_F4], eax
		mov	[ebp+var_F0], eax
		lea	eax, [ebp+var_48]
		push	eax		; void *
		mov	[ebp+var_DC], ebx
		mov	[ebp+var_E8], esi
		call	_memset
		shr	ebx, 9
		add	esp, 0Ch
		and	ebx, offset loc_7FFFF8
		mov	[ebp+var_C8], 0
		sub	ebx, 40000000h
		mov	[ebp+var_C4], 0
		mov	ecx, offset unk_6D5E80
		mov	[ebp+var_E4], ebx
		call	MiLockWorkingSetShared
		push	0
		mov	edx, ebx
		mov	[ebp+var_C9], al
		mov	ecx, offset unk_6D5E80
		call	MiLockPageTableInternal
		mov	al, [ebp+var_C9]
		xor	ecx, ecx
		mov	[ebp+var_EC], ebx
		mov	bl, byte ptr [ebp+var_F0+1]
		or	bl, 4
		mov	[ebp+var_F8], offset unk_6D5E80
		test	esi, esi
		mov	byte ptr [ebp+var_F0], al
		mov	si, word ptr [ebp+var_F4+2]
		mov	byte ptr [ebp+var_F0+1], bl
		mov	[ebp+var_D8], ecx
		jz	loc_4AE945

loc_4AE720:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+150j
		mov	edx, [edi]
		mov	[ebp+ecx*4+var_48], 0
		mov	[ebp+var_108], 0
		mov	[ebp+var_104], 0
		mov	[ebp+var_FC], edx
		nop
		mov	eax, [edi+4]
		mov	[ebp+var_E0], eax
		mov	eax, edx
		or	eax, [ebp+var_E0]
		jz	short loc_4AE773
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jnz	short loc_4AE7A3
		mov	eax, [edi+4]
		or	dword ptr [edi], 1
		mov	[edi+4], eax

loc_4AE76B:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+171j
					; MiMakeSystemCacheRangeValid(x,x,x,x)+2C5j
		mov	[ebp+ecx*4+var_48], 1

loc_4AE773:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+116j
					; MiMakeSystemCacheRangeValid(x,x,x,x)+2DBj ...
		add	[ebp+var_DC], 8
		inc	ecx
		add	edi, 8
		mov	[ebp+var_D8], ecx
		mov	[ebp+var_D4], edi
		cmp	ecx, [ebp+var_E8]
		jb	short loc_4AE720
		mov	edx, [ebp+var_EC]
		mov	ebx, [ebp+var_F8]
		jmp	loc_4AE950
; 

loc_4AE7A3:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+120j
		mov	eax, [ebp+var_DC]
		mov	eax, [eax]
		and	eax, 1
		or	eax, 0
		jnz	short loc_4AE76B
		nop
		mov	eax, [ebp+var_E0]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	edx, [eax+ecx*4]
		mov	eax, [ebp+var_D8]
		mov	[ebp+var_D0], edx
		lea	ecx, [ebp+var_C8]
		lea	ecx, [ecx+eax*8]
		mov	eax, [edx+8]
		mov	[ecx], eax
		mov	eax, [edx+0Ch]
		mov	[ebp+var_E4], ecx
		mov	[ecx+4], eax
		test	bl, 4
		jz	loc_4AE8D9
		test	bl, 1
		jnz	loc_4AE8D9
		test	bl, 2
		jnz	loc_4AE8D9
		mov	edi, [ebp+var_DC]
		shr	edi, 3
		test	si, si
		jz	short loc_4AE88B
		movzx	ecx, word ptr [ebp+var_F4]
		movzx	eax, si
		add	ecx, eax
		mov	eax, edi
		and	eax, 1FFh
		cmp	ecx, eax
		jnz	short loc_4AE852
		mov	ecx, edx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4AE84D
		test	bl, 10h
		jz	short loc_4AE870
		jmp	short loc_4AE852
; 

loc_4AE84D:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+204j
		test	bl, 10h
		jnz	short loc_4AE870

loc_4AE852:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+1F9j
					; MiMakeSystemCacheRangeValid(x,x,x,x)+20Bj
		lea	ecx, [ebp+var_F8]
		call	_MiEmptyDeferredWorkingSetEntries@4 ; MiEmptyDeferredWorkingSetEntries(x)
		mov	edx, [ebp+var_D0]
		mov	si, word ptr [ebp+var_F4+2]
		mov	bl, byte ptr [ebp+var_F0+1]

loc_4AE870:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+209j
					; MiMakeSystemCacheRangeValid(x,x,x,x)+210j
		test	si, si
		jz	short loc_4AE88B
		mov	edi, [ebp+var_D4]
		inc	si
		mov	word ptr [ebp+var_F4+2], si
		mov	eax, 4
		jmp	short loc_4AE8DB
; 

loc_4AE88B:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+1E2j
					; MiMakeSystemCacheRangeValid(x,x,x,x)+233j
		mov	esi, 1
		and	edi, 1FFh
		mov	ecx, edx
		mov	word ptr [ebp+var_F4+2], si
		mov	word ptr [ebp+var_F4], di
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4AE8C3
		mov	edi, [ebp+var_D4]
		lea	eax, [esi+3]
		and	bl, 0EFh
		mov	byte ptr [ebp+var_F0+1], bl
		jmp	short loc_4AE8DB
; 

loc_4AE8C3:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+26Dj
		mov	edi, [ebp+var_D4]
		or	bl, 10h
		mov	byte ptr [ebp+var_F0+1], bl
		mov	eax, 4
		jmp	short loc_4AE8DB
; 

loc_4AE8D9:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+1BEj
					; MiMakeSystemCacheRangeValid(x,x,x,x)+1C7j ...
		xor	eax, eax

loc_4AE8DB:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+249j
					; MiMakeSystemCacheRangeValid(x,x,x,x)+281j ...
		push	[ebp+var_E0]
		mov	ecx, offset unk_6D5E80
		push	[ebp+var_FC]
		push	0
		push	eax
		push	0
		push	edx
		mov	edx, [ebp+var_DC]
		call	_MiAllocateWsle@32 ; MiAllocateWsle(x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_D8]
		test	eax, eax
		jz	loc_4AE76B
		mov	eax, [ebp+var_E4]
		mov	eax, [eax]
		and	eax, 400h
		or	eax, 0
		jz	loc_4AE773
		cmp	_PfSnNumActiveTraces, 0
		jz	loc_4AE773
		mov	eax, [ebp+var_D0]
		mov	eax, [eax+4]
		or	eax, 80000000h
		mov	[ebp+ecx*4+var_48], eax
		jmp	loc_4AE773
; 

loc_4AE945:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+DAj
		mov	edx, [ebp+var_E4]
		mov	ebx, offset unk_6D5E80

loc_4AE950:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+15Ej
		test	edx, edx
		jz	short loc_4AE9CD
		test	si, si
		jz	short loc_4AE96A
		lea	ecx, [ebp+var_F8]
		call	_MiEmptyDeferredWorkingSetEntries@4 ; MiEmptyDeferredWorkingSetEntries(x)
		mov	edx, [ebp+var_EC]

loc_4AE96A:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+317j
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_D0], 0
		push	eax
		mov	ecx, ebx
		call	MiGetPageTableLockBuffer
		mov	esi, eax
		mov	ebx, 2
		mov	[ebp+var_E4], esi
		mov	edx, [esi]
		mov	eax, [ebp+var_D0]
		mov	ecx, eax
		shl	ebx, cl
		mov	ecx, edx
		btr	ecx, eax
		not	ebx
		and	ecx, ebx
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_4AE9CD
		mov	edi, [ebp+var_D0]
		mov	ecx, esi

loc_4AE9B6:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+385j
		mov	edx, eax
		mov	esi, eax
		btr	edx, edi
		and	edx, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_4AE9B6
		mov	edi, [ebp+var_D4]

loc_4AE9CD:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+312j
					; MiMakeSystemCacheRangeValid(x,x,x,x)+36Cj
		mov	dl, [ebp+var_C9]
		mov	ecx, offset unk_6D5E80
		call	MiUnlockWorkingSetShared
		mov	edx, [ebp+var_E8]
		mov	eax, edx
		neg	eax
		lea	ecx, [edi+eax*8]
		xor	eax, eax
		mov	[ebp+var_E0], ecx
		mov	[ebp+var_D8], eax
		test	edx, edx
		jz	loc_4AED6B

loc_4AEA00:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+725j
		mov	edi, [ebp+eax*4+var_48]
		cmp	edi, 1
		jnz	loc_4AEA98
		mov	edx, [ecx]
		nop
		mov	eax, [ecx+4]
		nop
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	esi, [eax+ecx*4]
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, esi
		mov	bl, al
		call	MiDecrementShareCount
		lea	ecx, [esi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	edi, [ebp+var_10C]
		mov	[ebp+var_FC], 0
		lea	esi, [edi+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4AEA7C

loc_4AEA64:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+433j
					; MiMakeSystemCacheRangeValid(x,x,x,x)+43Aj
		lea	ecx, [ebp+var_FC]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4AEA64
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4AEA64

loc_4AEA7C:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+422j
		mov	ecx, edi
		call	MiDecrementShareCount
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4AED41
; 

loc_4AEA98:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+3C7j
		test	edi, edi
		jz	loc_4AED53
		mov	ecx, [ebp+eax*8+var_C4]
		mov	ebx, [ebp+eax*8+var_C8]
		mov	edx, dword_6D0700
		mov	eax, edx
		mov	esi, dword_6D0704
		or	eax, esi
		mov	[ebp+var_DC], ecx
		jz	short loc_4AEADA
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4AEADA
		not	esi
		and	ecx, esi
		mov	[ebp+var_DC], ecx

loc_4AEADA:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+484j
					; MiMakeSystemCacheRangeValid(x,x,x,x)+48Ej
		mov	eax, [ecx]
		mov	edx, [eax+20h]
		lea	esi, [eax+20h]
		mov	[ebp+var_D4], eax
		mov	[ebp+var_104], esi
		test	dl, 7
		jz	short loc_4AEB06

loc_4AEAF3:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+4C4j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_4AEB06
		mov	edx, eax
		test	al, 7
		jnz	short loc_4AEAF3

loc_4AEB06:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+4B1j
					; MiMakeSystemCacheRangeValid(x,x,x,x)+4BEj
		mov	ebx, edx
		and	edx, 7
		and	ebx, 0FFFFFFF8h
		cmp	edx, 1
		ja	short loc_4AEB63
		test	edx, edx
		jz	short loc_4AEB67
		push	ecx
		mov	edx, 7
		mov	ecx, ebx
		call	ObReferenceObjectExWithTag
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		ja	short loc_4AEB56

loc_4AEB33:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+514j
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	ebx, eax
		jnz	short loc_4AEB56
		lea	edx, [ecx+7]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jz	short loc_4AEB63
		mov	ecx, eax
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		jbe	short loc_4AEB33

loc_4AEB56:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+4F1j
					; MiMakeSystemCacheRangeValid(x,x,x,x)+4FAj
		push	ecx
		mov	edx, 7
		mov	ecx, ebx
		call	ObDereferenceObjectExWithTag

loc_4AEB63:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+4D1j
					; MiMakeSystemCacheRangeValid(x,x,x,x)+507j
		test	ebx, ebx
		jnz	short loc_4AEBAA

loc_4AEB67:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+4D5j
		mov	eax, [ebp+var_D4]
		add	eax, 24h
		push	eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	ebx, [esi]
		mov	[ebp+var_C9], al
		and	ebx, 0FFFFFFF8h
		jz	short loc_4AEB8F
		mov	edx, 746C6644h
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag

loc_4AEB8F:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+541j
		mov	eax, [ebp+var_D4]
		add	eax, 24h
		push	eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_C9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4AEBAA:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+525j
		mov	ecx, [ebp+var_DC]
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		mov	[ebp+var_E4], eax
		test	byte ptr [eax+1Ch], 20h
		jz	loc_4AEC4A
		cmp	edi, edx
		jb	short loc_4AEBFC
		mov	eax, [ecx+1Ch]
		lea	eax, [edx+eax*8]
		cmp	edi, eax
		jnb	short loc_4AEBF6
		mov	eax, [ecx+14h]
		sub	edi, edx
		sar	edi, 3
		xor	edx, edx
		xor	ecx, ecx
		shld	edx, edi, 0Ch
		shld	ecx, eax, 9
		shl	edi, 0Ch
		shl	eax, 9
		add	edi, eax
		adc	edx, ecx
		jmp	loc_4AECA3
; 

loc_4AEBF6:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+591j
		mov	eax, [ebp+var_E4]

loc_4AEBFC:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+587j
		test	byte ptr [ecx+12h], 2
		jz	short loc_4AEC15
		push	ecx
		or	edx, 0FFFFFFFFh
		mov	ecx, eax
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		mov	ecx, [ebp+var_DC]
		jmp	short loc_4AEC18
; 

loc_4AEC15:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+5C0j
		mov	eax, [ecx+0Ch]

loc_4AEC18:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+5D3j
		sub	edi, [eax+24h]
		xor	esi, esi
		mov	ecx, [ecx+14h]
		sar	edi, 3
		mov	eax, edi
		cdq
		mov	edi, eax
		mov	eax, edx
		shld	esi, ecx, 9
		shld	eax, edi, 0Ch
		shl	ecx, 9
		shl	edi, 0Ch
		add	edi, ecx
		adc	eax, esi
		mov	esi, [ebp+var_104]
		mov	[ebp+var_D4], eax
		jmp	short loc_4AECA9
; 

loc_4AEC4A:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+57Fj
		test	edx, edx
		jnz	short loc_4AEC5C
		mov	[ebp+var_D4], edx
		mov	[ebp+var_D0], edx
		jmp	short loc_4AEC77
; 

loc_4AEC5C:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+60Cj
		sub	edi, edx
		sar	edi, 3
		mov	eax, edi
		cdq
		shld	edx, eax, 0Ch
		shl	eax, 0Ch
		mov	[ebp+var_D0], edx
		mov	[ebp+var_D4], eax

loc_4AEC77:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+61Aj
		mov	cx, [ecx+10h]
		xor	edi, edi
		shr	cx, 6
		movzx	eax, cx
		mov	ecx, [ebp+var_DC]
		cdq
		mov	edx, eax
		or	edi, [ecx+14h]
		shld	edx, edi, 0Ch
		shl	edi, 0Ch
		add	edi, [ebp+var_D4]
		adc	edx, [ebp+var_D0]

loc_4AECA3:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+5B1j
		mov	[ebp+var_D4], edx

loc_4AECA9:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+608j
		cmp	dword ptr [ebx+10h], 0
		jnz	short loc_4AED12
		mov	eax, large fs:124h
		mov	[ebp+var_104], eax
		mov	ecx, [eax+80h]
		call	PfSnReferenceProcessTrace
		mov	[ebp+var_D0], eax
		test	eax, eax
		jz	short loc_4AED12
		mov	ecx, [ebp+var_104]
		mov	edx, eax
		push	4
		call	PfSnCheckLoggingForThread
		test	eax, eax
		jz	short loc_4AED01
		mov	eax, [ebx+0Ch]
		mov	edx, ebx
		push	4
		push	[ebp+var_D4]
		push	edi
		mov	edi, [ebp+var_D0]
		mov	ecx, edi
		push	eax
		call	PfSnLogPageFaultCommon
		jmp	short loc_4AED07
; 

loc_4AED01:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+6A1j
		mov	edi, [ebp+var_D0]

loc_4AED07:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+6BFj
		lea	ecx, [edi+104h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_4AED12:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+66Dj
					; MiMakeSystemCacheRangeValid(x,x,x,x)+68Ej
		mov	ecx, [esi]
		mov	eax, ecx
		xor	eax, ebx
		cmp	eax, 7
		jnb	short loc_4AED36
		lea	ecx, [ecx+0]

loc_4AED20:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+6F4j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jz	short loc_4AED41
		mov	ecx, eax
		xor	eax, ebx
		cmp	eax, 7
		jb	short loc_4AED20

loc_4AED36:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+6DBj
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag

loc_4AED41:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+453j
					; MiMakeSystemCacheRangeValid(x,x,x,x)+6EBj
		mov	eax, [ebp+var_D8]
		mov	ecx, [ebp+var_E0]
		mov	edx, [ebp+var_E8]

loc_4AED53:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+45Aj
		inc	eax
		add	ecx, 8
		mov	[ebp+var_D8], eax
		mov	[ebp+var_E0], ecx
		cmp	eax, edx
		jb	loc_4AEA00

loc_4AED6B:				; CODE XREF: MiMakeSystemCacheRangeValid(x,x,x,x)+3BAj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_MiMakeSystemCacheRangeValid@16	endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1657. PfFileInfoNotify

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PfFileInfoNotify
PfFileInfoNotify proc near

var_8A		= byte ptr -8Ah
var_89		= byte ptr -89h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7A		= byte ptr -7Ah
var_79		= byte ptr -79h
var_76		= byte ptr -76h
var_75		= byte ptr -75h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C128D SIZE 000006D7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 78h
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[esp+80h+var_6C], 0
		mov	[esp+80h+var_68], 0
		cmp	dword ptr [esi], 0Fh
		jnz	loc_5C128D
		mov	eax, [esi+8]
		test	al, 8
		jnz	loc_4AF0C4
		test	al, 4
		jnz	loc_4AF243

loc_4AEDCC:				; CODE XREF: PfFileInfoNotify+4C7j
					; PfFileInfoNotify+5A1j ...
		test	byte ptr [esi+8], 1
		jz	loc_4AF0E1
		mov	eax, dword_6D43F4
		cmp	eax, dword_6D43F8
		jnb	loc_4AF279
		mov	eax, [esi+4]

loc_4AEDEA:				; CODE XREF: PfFileInfoNotify+4F1j
					; PfFileInfoNotify+4FAj ...
		cmp	eax, 4
		jnz	loc_4AF0EB
		mov	edx, [esi+10h]
		mov	ecx, [edx+8]
		mov	edi, [edx+10h]
		and	ecx, 0FFFh
		add	edi, 0FFFh
		add	edi, ecx
		shr	edi, 0Ch
		cmp	_PfSnNumActiveTraces, 0
		mov	[esp+80h+var_3C], edi
		jnz	loc_4AEFFF

loc_4AEE1E:				; CODE XREF: PfFileInfoNotify+2A6j
					; PfFileInfoNotify+322j
		mov	eax, dword_6D43F4
		cmp	eax, dword_6D43F8
		jnb	loc_4AF2A0
		mov	ecx, [esi+10h]
		mov	eax, [ecx+8]
		mov	edx, [ecx+14h]
		mov	[esp+80h+var_50], eax
		mov	eax, [ecx+0Ch]
		mov	[esp+80h+var_60], eax
		mov	eax, [ecx+1Ch]
		mov	ecx, [ecx+18h]
		mov	[esp+80h+var_3C], ecx
		mov	ecx, [eax+2FCh]
		mov	eax, [eax+150h]
		shr	ecx, 0Ch
		and	ecx, 7
		test	dword ptr [eax+0FCh], 100000h
		jnz	loc_4AF3A2

loc_4AEE6F:				; CODE XREF: PfFileInfoNotify+615j
					; PfFileInfoNotify+620j
		cmp	ecx, dword_6D3158
		jb	loc_4AF0B7
		mov	ecx, [esp+80h+var_3C]
		mov	esi, [esp+80h+var_60]
		mov	[esp+80h+var_18], ecx
		mov	ecx, [esp+80h+var_50]
		shrd	ecx, esi, 0Ch
		shl	edx, 1Fh
		or	edx, edi
		mov	[esp+80h+var_14], ecx
		mov	ecx, [eax+100h]
		mov	[esp+80h+var_10], edx
		mov	edx, [eax+0E4h]
		mov	eax, [eax+104h]
		xor	eax, edx
		mov	[esp+80h+var_4], edx
		xor	eax, ecx
		mov	[esp+80h+var_3C], 0
		shr	ecx, 3
		and	eax, 1FFFFFFFh
		and	ecx, 1C000000h
		xor	eax, ecx
		mov	[esp+80h+var_C], eax
		mov	eax, dword_6FB628
		mov	[esp+80h+var_8], eax
		mov	eax, ds:dword_7186C4
		mov	ecx, ds:_KeTickCount
		mov	[esp+80h+var_50], ecx
		cmp	eax, ds:dword_7186C8
		jnz	loc_5C1895

loc_4AEEF6:				; CODE XREF: PfFileInfoNotify+112B25j
		mov	ecx, ds:0FFDF0004h
		mul	ecx
		mov	edi, eax
		mov	esi, edx
		mov	eax, [esp+80h+var_50]
		mul	ecx
		shld	esi, edi, 8
		shrd	eax, edx, 18h
		shl	edi, 8
		mov	ecx, offset unk_6D4380
		shr	edx, 18h
		add	edi, eax
		adc	esi, edx
		shrd	edi, esi, 0Ah
		xor	esi, esi
		add	edi, dword_6D486C
		mov	[esp+80h+var_3C], edi
		xor	edi, edi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_5C1904
		mov	edi, edi

loc_4AEF40:				; CODE XREF: PfFileInfoNotify+112B6Ej
		mov	ecx, offset unk_6D4390
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_4AF260

loc_4AEF54:				; CODE XREF: PfFileInfoNotify+4DEj
					; PfFileInfoNotify+112B51j
		mov	eax, [ecx+0Ch]
		mov	edx, [ecx+8]
		sub	eax, edx
		cmp	eax, 20h
		jl	loc_5C18E6
		mov	edi, ecx
		mov	esi, edx
		xor	ecx, ecx
		mov	[esp+80h+var_74], ecx

loc_4AEF6F:				; CODE XREF: PfFileInfoNotify+112BCFj
		test	ecx, ecx
		js	loc_5C190C
		mov	eax, [esp+80h+var_3C]
		mov	[esi+4], eax
		mov	eax, [esi]
		and	eax, 0FFFEA013h
		or	eax, 2A013h
		mov	[esi], eax
		mov	eax, [esp+80h+var_18]
		mov	[esi+8], eax
		mov	eax, [esp+80h+var_14]
		mov	[esi+0Ch], eax
		mov	eax, [esp+80h+var_10]
		mov	[esi+10h], eax
		mov	eax, [esp+80h+var_C]
		mov	[esi+14h], eax
		mov	eax, [esp+80h+var_8]
		mov	[esi+18h], eax
		mov	eax, [esp+80h+var_4]
		mov	[esi+1Ch], eax
		mov	esi, [edi+4]
		add	dword ptr [edi+8], 20h
		mov	eax, [edi+0Ch]
		sub	eax, [edi+8]
		inc	dword ptr [edi+10h]
		cmp	eax, [esi+30h]
		jl	loc_4AF2BA
		lea	ecx, [esi+10h]
		mov	edx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	ecx, esi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_4AEFE0:				; CODE XREF: PfFileInfoNotify+530j
		mov	[esp+80h+var_74], 0

loc_4AEFE8:				; CODE XREF: PfFileInfoNotify+112B8Cj
					; PfFileInfoNotify+112B9Bj
		mov	esi, [ebp+arg_0]

loc_4AEFEB:				; CODE XREF: PfFileInfoNotify+32Fj
					; PfFileInfoNotify+B2Aj ...
		mov	eax, [esp+80h+var_74]
		test	eax, eax
		js	loc_4AF2A5

loc_4AEFF7:				; CODE XREF: PfFileInfoNotify+519j
					; PfFileInfoNotify+525j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4AEFFF:				; CODE XREF: PfFileInfoNotify+88j
		mov	eax, [edx+8]
		mov	ecx, [edx+18h]
		mov	[esp+80h+var_64], eax
		mov	eax, [edx+0Ch]
		mov	[esp+80h+var_68], eax
		mov	eax, [edx+1Ch]
		mov	[esp+80h+var_70], ecx
		mov	ecx, [edx]
		mov	[esp+80h+var_74], ecx
		mov	ecx, [eax+150h]
		mov	[esp+80h+var_50], edi
		mov	[esp+80h+var_6C], eax
		call	PfSnReferenceProcessTrace
		mov	[esp+80h+var_60], eax
		test	eax, eax
		jz	loc_4AEE1E
		mov	ecx, [esp+80h+var_6C]
		mov	edx, eax
		push	0
		call	PfSnCheckLoggingForThread
		test	eax, eax
		jz	short loc_4AF0A3
		and	[esp+80h+var_64], 0FFFFF000h
		mov	eax, edi
		test	eax, eax
		jz	short loc_4AF0A3
		mov	esi, [esp+80h+var_60]
		mov	edi, [esp+80h+var_64]
		mov	ecx, [esp+80h+var_68]

loc_4AF067:				; CODE XREF: PfFileInfoNotify+30Aj
		mov	edx, [esp+80h+var_74]
		push	0
		push	ecx
		push	edi
		push	[esp+8Ch+var_70]
		mov	ecx, esi
		call	PfSnLogPageFaultCommon
		test	eax, eax
		js	short loc_4AF09C
		mov	eax, [esp+80h+var_50]
		mov	ecx, [esp+80h+var_68]
		dec	eax
		add	edi, 1000h
		mov	[esp+80h+var_50], eax
		adc	ecx, 0
		mov	[esp+80h+var_68], ecx
		test	eax, eax
		jnz	short loc_4AF067

loc_4AF09C:				; CODE XREF: PfFileInfoNotify+2ECj
		mov	esi, [ebp+arg_0]
		mov	edi, [esp+80h+var_3C]

loc_4AF0A3:				; CODE XREF: PfFileInfoNotify+2BBj
					; PfFileInfoNotify+2C9j
		mov	ecx, [esp+80h+var_60]
		lea	ecx, [ecx+104h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_4AEE1E
; 

loc_4AF0B7:				; CODE XREF: PfFileInfoNotify+E5j
		mov	[esp+80h+var_74], 0
		jmp	loc_4AEFEB
; 

loc_4AF0C4:				; CODE XREF: PfFileInfoNotify+2Ej
		mov	eax, [esi+4]
		cmp	eax, 7
		jnz	loc_4AF4F1
		mov	eax, 1
		lock xadd dword_6FB628,	eax
		inc	eax
		mov	[esi+10h], eax

loc_4AF0E1:				; CODE XREF: PfFileInfoNotify+40j
					; PfFileInfoNotify+382j ...
		xor	eax, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4AF0EB:				; CODE XREF: PfFileInfoNotify+5Dj
		cmp	eax, 0Dh
		ja	loc_5C1297
		movzx	eax, ds:byte_4AF96C[eax]
		jmp	ds:off_4AF950[eax*4]

loc_4AF102:				; DATA XREF: .text:004AF958o
		mov	edx, [esi+10h]
		mov	eax, [edx+10h]
		mov	ecx, eax
		shr	ecx, 10h
		movzx	eax, ax
		cmp	ecx, eax
		jbe	short loc_4AF0E1
		push	1
		mov	ecx, offset unk_6D48C0
		call	PfpRpFileKeyUpdate
		mov	eax, dword_6D43F4
		cmp	eax, dword_6D43F8
		jnb	loc_4AF398
		mov	eax, [esi+10h]
		mov	edx, [eax+10h]
		mov	eax, [eax+0Ch]
		movzx	ecx, dx
		shr	edx, 10h
		sub	edx, ecx
		mov	[esp+80h+var_50], edx
		lea	eax, [eax+ecx*2]
		mov	ecx, offset unk_6D4320
		mov	[esp+80h+var_64], eax
		lea	eax, [edx+edx]
		lea	edi, [eax+29h]
		mov	[esp+80h+var_60], eax
		and	edi, 0FFFFFFF8h
		lea	eax, [esp+80h+var_68]
		push	edi
		push	eax
		lea	edx, [esp+88h+var_6C]
		mov	[esp+88h+var_70], edi
		call	PfFbLogEntryReserve
		mov	[esp+80h+var_74], eax
		test	eax, eax
		js	loc_5C1839
		mov	ecx, edi
		mov	edi, [esp+80h+var_68]
		and	ecx, 0FFFFFFFh
		shl	ecx, 3
		push	[esp+80h+var_60] ; size_t
		mov	eax, [edi]
		and	eax, 80000000h
		or	ecx, eax
		mov	[edi], ecx
		mov	eax, [esi+10h]
		push	[esp+84h+var_64] ; void	*
		mov	eax, [eax+18h]
		mov	[edi+4], eax
		mov	eax, [esi+10h]
		mov	eax, [eax+1Ch]
		mov	[edi+8], eax
		mov	eax, [esi+10h]
		mov	eax, [eax+4]
		mov	[edi+14h], eax
		mov	eax, [esi+10h]
		mov	eax, [eax+20h]
		mov	[edi+18h], eax
		mov	eax, [esi+10h]
		mov	eax, [eax+8]
		mov	[edi+10h], eax
		mov	eax, [esi+10h]
		mov	eax, [eax+14h]
		xor	eax, [edi+1Ch]
		and	eax, 1
		xor	[edi+1Ch], eax
		mov	eax, [esi+10h]
		mov	ecx, [edi+1Ch]
		mov	edx, [eax+14h]
		shr	edx, 3
		xor	edx, ecx
		and	edx, 2
		xor	edx, ecx
		mov	[edi+1Ch], edx
		mov	eax, [esi+10h]
		lea	esi, [edi+20h]
		push	esi		; void *
		mov	eax, [eax+14h]
		add	eax, eax
		xor	eax, edx
		and	eax, 4
		xor	eax, edx
		mov	[edi+1Ch], eax
		mov	eax, [esp+8Ch+var_50]
		mov	[edi+1Eh], ax
		call	_memcpy
		movzx	eax, word ptr [edi+1Eh]
		add	esp, 0Ch
		xor	ecx, ecx
		push	esi		; wchar_t *
		mov	[edi+eax*2+20h], cx
		call	__wcsupr
		mov	ecx, [esp+84h+var_6C]
		add	esp, 4
		push	[esp+80h+var_70]
		call	_PfFbLogEntryComplete@12 ; PfFbLogEntryComplete(x,x,x)
		xor	eax, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4AF243:				; CODE XREF: PfFileInfoNotify+36j
		mov	eax, [esi+4]
		cmp	eax, 2
		jnz	loc_4AF326
		mov	ecx, [esi+10h]
		call	PfSnLogStreamCreate
		jmp	loc_4AEDCC
; 
		align 10h

loc_4AF260:				; CODE XREF: PfFileInfoNotify+1BEj
					; PfFileInfoNotify+112B4Bj
		mov	ecx, offset unk_6D4388
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	loc_4AEF54
		jmp	loc_5C18BA
; 

loc_4AF279:				; CODE XREF: PfFileInfoNotify+51j
		mov	ecx, [esi+4]
		mov	eax, ecx
		cmp	ecx, 4
		jz	loc_4AEDEA
		cmp	ecx, 2
		jz	loc_4AEDEA
		cmp	ecx, 3
		jz	loc_4AEDEA
		mov	eax, 0C000007Fh
		jmp	short loc_4AF2A5
; 

loc_4AF2A0:				; CODE XREF: PfFileInfoNotify+99j
		mov	eax, 0C000007Fh

loc_4AF2A5:				; CODE XREF: PfFileInfoNotify+261j
					; PfFileInfoNotify+50Ej ...
		cmp	dword ptr [esi+4], 3
		jg	loc_4AEFF7
		inc	dword_6D4494
		jmp	loc_4AEFF7
; 

loc_4AF2BA:				; CODE XREF: PfFileInfoNotify+239j
		mov	eax, [esi+3Ch]
		push	edi
		call	eax
		jmp	loc_4AEFE0
; 

loc_4AF2C5:				; CODE XREF: PfFileInfoNotify+36Bj
					; DATA XREF: .text:004AF960o
		mov	ecx, [esi+10h]
		push	10h		; size_t
		mov	eax, [ecx+4]
		mov	esi, [ecx+10h]
		mov	edx, [ecx+14h]
		add	esi, 0FFFh
		mov	[esp+84h+var_38], eax
		mov	eax, [ecx+8]
		adc	edx, 0
		mov	ecx, [ecx]
		and	esi, 0FFFFF000h
		mov	[esp+84h+var_34], eax
		and	ecx, 3
		xor	eax, eax
		shld	eax, ecx, 1
		or	edx, eax
		add	ecx, ecx
		lea	eax, [esp+84h+var_38]
		mov	[esp+84h+var_2C], edx
		or	esi, ecx
		push	eax		; void *
		mov	[esp+88h+var_30], esi
		call	_PFP_GET_CURRENT_TIME@0	; PFP_GET_CURRENT_TIME()
		mov	ecx, 18h

loc_4AF315:				; CODE XREF: PfFileInfoNotify+112B00j
		mov	edx, eax
		call	PfLogEvent
		xor	eax, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4AF326:				; CODE XREF: PfFileInfoNotify+4B9j
		test	eax, eax
		jz	loc_4AF3BF
		cmp	eax, 3
		jnz	loc_4AEDCC
		mov	ecx, [esi+10h]
		call	_PfSnNameRemoveAll@4 ; PfSnNameRemoveAll(x)
		jmp	loc_4AEDCC
; 

loc_4AF344:				; CODE XREF: PfFileInfoNotify+36Bj
					; DATA XREF: .text:004AF95Co
		mov	edx, [esi+10h]
		mov	eax, [edx+10h]
		mov	ecx, eax
		shr	ecx, 10h
		movzx	eax, ax
		cmp	ecx, eax
		jbe	loc_4AF0E1
		push	0
		mov	ecx, offset unk_6D48C0
		call	PfpRpFileKeyUpdate
		mov	eax, dword_6D43F4
		cmp	eax, dword_6D43F8
		jnb	short loc_4AF3B5
		mov	edx, [esi+10h]
		xor	ecx, ecx
		mov	eax, [edx+14h]
		shr	eax, 3
		and	eax, 1
		push	eax
		mov	eax, [edx+1Ch]
		mov	edx, [edx+8]
		push	eax
		call	_PfLogDeleteHelper@16 ;	PfLogDeleteHelper(x,x,x,x)
		xor	eax, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4AF398:				; CODE XREF: PfFileInfoNotify+39Bj
		mov	eax, 0C000007Fh
		jmp	loc_4AF2A5
; 

loc_4AF3A2:				; CODE XREF: PfFileInfoNotify+D9j
		cmp	ecx, 2
		jb	loc_4AEE6F
		mov	ecx, 2
		jmp	loc_4AEE6F
; 

loc_4AF3B5:				; CODE XREF: PfFileInfoNotify+5E1j
		mov	eax, 0C000007Fh
		jmp	loc_4AF2A5
; 

loc_4AF3BF:				; CODE XREF: PfFileInfoNotify+598j
		mov	ecx, [esi+10h]
		call	PfSnLogVolumeCreate
		jmp	loc_4AEDCC
; 

loc_4AF3CC:				; CODE XREF: PfFileInfoNotify+36Bj
					; DATA XREF: .text:off_4AF950o
		mov	eax, [esi+10h]
		lea	edx, [esp+80h+var_6C]
		mov	ecx, offset unk_6D4320
		movzx	eax, word ptr [eax+16h]
		add	eax, eax
		mov	[esp+80h+var_60], eax
		add	eax, 35h
		and	eax, 0FFFFFFF8h
		push	eax
		mov	[esp+84h+var_50], eax
		lea	eax, [esp+84h+var_68]
		push	eax
		call	PfFbLogEntryReserve
		mov	[esp+80h+var_74], eax
		test	eax, eax
		js	loc_5C1839
		mov	edi, [esp+80h+var_68]
		mov	eax, [esp+80h+var_50]
		shl	eax, 3
		push	[esp+80h+var_60] ; size_t
		mov	ecx, [edi]
		and	ecx, 80000002h
		or	ecx, eax
		or	ecx, 2
		mov	[edi], ecx
		mov	eax, [esi+10h]
		mov	eax, [eax+24h]
		mov	[edi+4], eax
		mov	eax, [esi+10h]
		mov	eax, [eax+28h]
		mov	[edi+8], eax
		mov	eax, [esi+10h]
		mov	eax, [eax+4]
		mov	[edi+18h], eax
		mov	eax, [esi+10h]
		mov	eax, [eax+20h]
		xor	eax, [edi+20h]
		and	eax, 0Fh
		xor	[edi+20h], eax
		mov	eax, [esi+10h]
		mov	ecx, [edi+20h]
		mov	eax, [eax+20h]
		xor	eax, ecx
		and	eax, 0F0h
		xor	eax, ecx
		mov	[edi+20h], eax
		mov	ecx, [esi+10h]
		mov	eax, [ecx+8]
		mov	[edi+10h], eax
		mov	eax, [ecx+0Ch]
		mov	[edi+14h], eax
		mov	eax, [esi+10h]
		mov	eax, [eax+10h]
		mov	[edi+1Ch], eax
		mov	eax, [esi+10h]
		lea	esi, [edi+2Ch]
		mov	ax, [eax+16h]
		add	ax, ax
		mov	[edi+24h], ax
		mov	[edi+26h], ax
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+10h]
		mov	eax, [eax+1Ch]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	eax, [eax+10h]
		push	esi		; wchar_t *
		movzx	eax, word ptr [eax+16h]
		mov	[edi+eax*2+2Ch], cx
		call	__wcsupr
		mov	ecx, [esp+84h+var_6C]
		add	esp, 4
		push	[esp+80h+var_50]
		call	_PfFbLogEntryComplete@12 ; PfFbLogEntryComplete(x,x,x)
		xor	eax, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4AF4D1:				; CODE XREF: PfFileInfoNotify+36Bj
					; DATA XREF: .text:004AF954o
		mov	edx, [esi+10h]
		mov	ecx, 2
		push	0
		mov	eax, [edx+28h]
		mov	edx, [edx+4]
		push	eax
		call	_PfLogDeleteHelper@16 ;	PfLogDeleteHelper(x,x,x,x)
		pop	edi
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4AF4F1:				; CODE XREF: PfFileInfoNotify+33Aj
		sub	eax, 0Ah
		jnz	loc_4AF8E4
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset dword_6D4930
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		or	eax, 0FFFFFFFFh
		cmp	dword_6D4928, 0
		jnz	loc_5C17CF
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset dword_6D4934
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		and	dword_6D4940, 0FFFFFFFEh
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_4AF55D
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_4AF55D:				; CODE XREF: PfFileInfoNotify+7C4j
		xor	edi, edi
		mov	ecx, offset dword_6D4934
		mov	[esp+80h+var_60], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4AF6E9
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	esi, dword_6D07D0
		shr	edx, 15h
		cmp	esi, ecx
		mov	[esp+80h+var_50], esi
		mov	esi, [ebp+arg_0]
		mov	[esp+80h+var_74], eax
		ja	short loc_4AF59D
		cmp	byte ptr dword_6D3994[edx], 1
		jz	short loc_4AF5B8

loc_4AF59D:				; CODE XREF: PfFileInfoNotify+802j
		cmp	[esp+80h+var_50], offset dword_6D4934
		ja	loc_4AF908
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jnz	loc_4AF908

loc_4AF5B8:				; CODE XREF: PfFileInfoNotify+80Bj
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esp+80h+var_64], eax
		mov	ecx, offset dword_6D4934
		mov	eax, [esp+80h+var_74]

loc_4AF5D0:				; CODE XREF: PfFileInfoNotify+B7Fj
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	dl, [eax+1E6h]
		mov	[esp+80h+var_75], dl
		mov	edx, [esp+80h+var_64]
		push	edx
		mov	edx, ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[esp+80h+var_50], edx
		test	edx, edx
		jz	loc_4AF914
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jge	short loc_4AF61E
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [esp+80h+var_50]

loc_4AF61E:				; CODE XREF: PfFileInfoNotify+881j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+80h+var_60], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [esp+80h+var_74]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	[esp+80h+var_75], 1
		mov	[esp+80h+var_50], eax
		jnz	loc_5C1788
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [esp+80h+var_50]
		bts	eax, edx
		mov	[ecx+1E4h], al

loc_4AF67F:				; CODE XREF: PfFileInfoNotify+B90j
					; PfFileInfoNotify+112A10j
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+80h+var_50], eax
		jz	short loc_4AF6DA
		test	edi, 8000h
		jz	short loc_4AF6A6
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+80h+var_74]

loc_4AF6A6:				; CODE XREF: PfFileInfoNotify+909j
		test	byte ptr [esp+80h+var_60+2], 1
		jnz	loc_5C17A5

loc_4AF6B1:				; CODE XREF: PfFileInfoNotify+112A23j
		test	edi, 7FFFh
		jz	short loc_4AF6C6
		and	edi, 7FFFh
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4AF6C6:				; CODE XREF: PfFileInfoNotify+927j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	ecx, [esp+80h+var_74]
		jnz	loc_5C17B8

loc_4AF6DA:				; CODE XREF: PfFileInfoNotify+901j
					; PfFileInfoNotify+112A3Aj
		nop
		add	word ptr [ecx+13Eh], 1
		jz	loc_4AF8BF

loc_4AF6E9:				; CODE XREF: PfFileInfoNotify+7DEj
					; PfFileInfoNotify+B35j ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [esi+10h]
		push	offset _PfpPrefetchSharedConflictNotifyStart@12	; PfpPrefetchSharedConflictNotifyStart(x,x,x)
		mov	eax, [eax+10h]
		call	eax
		mov	eax, [esi+10h]
		mov	ecx, offset unk_6D492C
		mov	dword_6D4928, eax
		xor	eax, eax
		xchg	eax, [ecx]
		mov	dword ptr [esp+0Ch], 0
		or	eax, 0FFFFFFFFh
		mov	edi, offset dword_6D4930

loc_4AF71C:				; CODE XREF: PfFileInfoNotify+112A47j
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_4AF72D
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_4AF72D:				; CODE XREF: PfFileInfoNotify+994j
		xor	edi, edi
		mov	ecx, offset dword_6D4930
		mov	[esp+84h+var_64], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4AF8B5
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	esi, dword_6D07D0
		shr	edx, 15h
		cmp	esi, ecx
		mov	[esp+84h+var_54], esi
		mov	esi, [ebp+arg_0]
		mov	[esp+84h+var_74], eax
		ja	short loc_4AF76D
		cmp	byte ptr dword_6D3994[edx], 1
		jz	short loc_4AF788

loc_4AF76D:				; CODE XREF: PfFileInfoNotify+9D2j
		cmp	[esp+84h+var_54], offset dword_6D4930
		ja	loc_4AF92B
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jnz	loc_4AF92B

loc_4AF788:				; CODE XREF: PfFileInfoNotify+9DBj
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esp+84h+var_68], eax
		mov	ecx, offset dword_6D4930
		mov	eax, [esp+84h+var_74]

loc_4AF7A0:				; CODE XREF: PfFileInfoNotify+BA2j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	dl, [eax+1E6h]
		mov	[esp+84h+var_79], dl
		mov	edx, [esp+84h+var_68]
		push	edx
		mov	edx, ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[esp+84h+var_54], edx
		test	edx, edx
		jz	loc_4AF937
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jge	short loc_4AF7EE
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [esp+84h+var_54]

loc_4AF7EE:				; CODE XREF: PfFileInfoNotify+A51j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+84h+var_64], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [esp+84h+var_74]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	[esp+84h+var_79], 1
		mov	[esp+84h+var_54], eax
		jnz	loc_5C17F2
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [esp+84h+var_54]
		bts	eax, edx
		mov	[ecx+1E4h], al

loc_4AF84F:				; CODE XREF: PfFileInfoNotify+BB3j
					; PfFileInfoNotify+112A7Aj
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+84h+var_54], eax
		jz	short loc_4AF8AA
		test	edi, 8000h
		jz	short loc_4AF876
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+84h+var_74]

loc_4AF876:				; CODE XREF: PfFileInfoNotify+AD9j
		test	byte ptr [esp+84h+var_64+2], 1
		jnz	loc_5C180F

loc_4AF881:				; CODE XREF: PfFileInfoNotify+112A8Dj
		test	edi, 7FFFh
		jz	short loc_4AF896
		and	edi, 7FFFh
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4AF896:				; CODE XREF: PfFileInfoNotify+AF7j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	ecx, [esp+84h+var_74]
		jnz	loc_5C1822

loc_4AF8AA:				; CODE XREF: PfFileInfoNotify+AD1j
					; PfFileInfoNotify+112AA4j
		nop
		add	word ptr [ecx+13Eh], 1
		jz	short loc_4AF8D5

loc_4AF8B5:				; CODE XREF: PfFileInfoNotify+9AEj
					; PfFileInfoNotify+B4Bj ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_4AEFEB
; 

loc_4AF8BF:				; CODE XREF: PfFileInfoNotify+953j
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	loc_4AF6E9
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4AF6E9
; 

loc_4AF8D5:				; CODE XREF: PfFileInfoNotify+B23j
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_4AF8B5
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_4AF8B5
; 

loc_4AF8E4:				; CODE XREF: PfFileInfoNotify+764j
		sub	eax, 1
		jz	loc_5C12AB
		sub	eax, 1
		jnz	loc_5C1297
		test	byte ptr dword_6D49F0, 2
		jz	loc_4AF0E1
		jmp	loc_5C12A1
; 

loc_4AF908:				; CODE XREF: PfFileInfoNotify+815j
					; PfFileInfoNotify+822j
		or	edx, 0FFFFFFFFh
		mov	[esp+80h+var_64], edx
		jmp	loc_4AF5D0
; 

loc_4AF914:				; CODE XREF: PfFileInfoNotify+86Fj
		mov	ecx, [esp+80h+var_74]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_4AF67F
		jmp	loc_5C1772
; 

loc_4AF92B:				; CODE XREF: PfFileInfoNotify+9E5j
					; PfFileInfoNotify+9F2j
		or	edx, 0FFFFFFFFh
		mov	[esp+84h+var_68], edx
		jmp	loc_4AF7A0
; 

loc_4AF937:				; CODE XREF: PfFileInfoNotify+A3Fj
		mov	ecx, [esp+84h+var_74]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_4AF84F
		jmp	loc_5C17DC
PfFileInfoNotify endp

; 
		align 10h
off_4AF950	dd offset loc_4AF3CC	; DATA XREF: PfFileInfoNotify+36Br
		dd offset loc_4AF4D1
		dd offset loc_4AF102
		dd offset loc_4AF344
		dd offset loc_4AF2C5
		dd offset loc_5C1851
		dd offset loc_5C1297
byte_4AF96C	db 0			; DATA XREF: PfFileInfoNotify+364r
		db 1, 2, 3
		dd 6060606h, 6060604h, 0CCCC0506h, 0CCCCCCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnReferenceProcessTrace proc near	; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+176p
					; MiMakeSystemCacheRangeValid(x,x,x,x)+681p ...

; FUNCTION CHUNK AT 005C1964 SIZE 00000071 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ecx+1E8h]
		push	ebx
		push	esi
		push	edi
		lea	edi, [ecx+1E8h]
		test	dl, 7
		jnz	short loc_4AFA00

loc_4AF99A:				; CODE XREF: PfSnReferenceProcessTrace+8Bj
					; PfSnReferenceProcessTrace+93j
		mov	esi, edx
		and	esi, 0FFFFFFF8h
		jnz	short loc_4AF9A9

loc_4AF9A1:				; CODE XREF: PfSnReferenceProcessTrace+2Fj
					; PfSnReferenceProcessTrace+49j ...
		mov	eax, esi

loc_4AF9A3:				; CODE XREF: PfSnReferenceProcessTrace+E6j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
; 

loc_4AF9A9:				; CODE XREF: PfSnReferenceProcessTrace+1Fj
		and	edx, 7
		cmp	edx, 1
		ja	short loc_4AF9A1
		test	edx, edx
		jz	short loc_4AFA15
		lea	ebx, [esi+104h]
		mov	edx, 7
		mov	ecx, ebx
		call	ExAcquireRundownProtectionEx
		test	al, al
		jz	short loc_4AF9A1
		mov	ecx, [edi]
		mov	eax, ecx
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		ja	loc_5C1982
		mov	edi, edi

loc_4AF9E0:				; CODE XREF: PfSnReferenceProcessTrace+111FFCj
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	esi, eax
		jnz	loc_5C1982
		lea	edx, [ecx+7]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_4AF9A1
		jmp	loc_5C1971
; 
		align 10h

loc_4AFA00:				; CODE XREF: PfSnReferenceProcessTrace+18j
					; PfSnReferenceProcessTrace+91j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_4AF99A
		mov	edx, eax
		test	al, 7
		jnz	short loc_4AFA00
		jmp	short loc_4AF99A
; 

loc_4AFA15:				; CODE XREF: PfSnReferenceProcessTrace+33j
		mov	bl, 1
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_6D4958
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, [edi]
		and	esi, 0FFFFFFF8h
		jz	short loc_4AFA3D
		lea	ecx, [esi+104h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	bl, al

loc_4AFA3D:				; CODE XREF: PfSnReferenceProcessTrace+AEj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_6D4958
		jnz	loc_5C1964
		xor	eax, eax
		lock and [ecx],	eax

loc_4AFA54:				; CODE XREF: PfSnReferenceProcessTrace+111FECj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jnz	loc_4AF9A1
		xor	eax, eax
		jmp	loc_4AF9A3
PfSnReferenceProcessTrace endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockLowestValidPageTable proc	near	; CODE XREF: MiConvertAndFlushWsleVas(x,x)+45p
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+2C7p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C19D5 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	dword ptr [eax], 0
		mov	edi, 0C0603018h
		mov	eax, edx
		mov	[esp+38h+var_C], edx
		shr	eax, 9
		mov	edx, edi
		and	eax, offset loc_7FFFF8
		mov	[esp+38h+var_24], ecx
		sub	eax, 40000000h
		mov	[esp+38h+var_14], edi
		mov	[esp+38h+var_8], eax
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		push	0
		mov	[esp+3Ch+var_4], eax
		call	MiLockPageTableInternal
		mov	ebx, 1

loc_4AFACA:				; CODE XREF: MiLockLowestValidPageTable+1A8j
		mov	esi, [esp+ebx*4+38h+var_8]
		mov	[esp+38h+var_18], ebx
		mov	[esp+38h+var_20], esi
		mov	ecx, [esi]
		nop
		mov	edx, [esi+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_4AFD50
		mov	eax, ecx
		and	eax, 80h
		or	eax, 0
		jnz	loc_4AFD50
		mov	eax, ecx
		and	eax, 20h
		or	eax, 0
		jz	loc_4AFD92

loc_4AFB08:				; CODE XREF: MiLockLowestValidPageTable+32Dj
		cmp	esi, edi
		jz	loc_4AFC13
		mov	edx, [esp+38h+var_24]
		lea	ecx, [esi+3FA00000h]
		sar	ecx, 3
		xor	edi, edi
		add	ecx, ecx
		mov	ebx, ecx
		mov	al, [edx+60h]
		and	ebx, 1Fh
		and	al, 7
		cmp	al, 2
		jnb	loc_4AFC31
		shr	ecx, 5
		test	al, al
		jnz	loc_4AFCE1
		mov	eax, [edx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_4AFB49:				; CODE XREF: MiLockLowestValidPageTable+1DBj
					; MiLockLowestValidPageTable+27Aj
		mov	[esp+38h+var_28], eax

loc_4AFB4D:				; CODE XREF: MiLockLowestValidPageTable+26Cj
		mov	edx, [eax]

loc_4AFB4F:				; CODE XREF: MiLockLowestValidPageTable+2B0j
					; MiLockLowestValidPageTable+2DBj ...
		mov	ecx, ebx
		mov	eax, 2
		shl	eax, cl
		jmp	short loc_4AFB60
; 
		align 10h

loc_4AFB60:				; CODE XREF: MiLockLowestValidPageTable+E8j
					; MiLockLowestValidPageTable+316j
		mov	esi, [esp+38h+var_28]
		mov	ecx, ebx
		mov	[esp+38h+var_1C], edx
		shr	[esp+38h+var_1C], cl
		mov	ecx, [esp+38h+var_1C]
		mov	[esp+38h+var_10], eax
		test	cl, 1
		jnz	loc_4AFCFC
		mov	ecx, edx
		not	eax
		bts	ecx, ebx
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	esi, [esp+38h+var_20]
		cmp	eax, edx
		jnz	loc_4AFD80
		mov	eax, [esp+38h+var_14]
		mov	edx, [esp+38h+var_24]
		lea	ecx, [eax+3FA00000h]
		mov	dl, [edx+60h]
		sar	ecx, 3
		and	dl, 7
		add	ecx, ecx
		mov	edi, ecx
		and	edi, 1Fh
		cmp	dl, 2
		jnb	loc_4AFC50
		mov	eax, [esp+38h+var_24]
		shr	ecx, 5
		test	dl, dl
		jnz	loc_4AFCEF
		mov	eax, [eax+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h

loc_4AFBDB:				; CODE XREF: MiLockLowestValidPageTable+1FFj
					; MiLockLowestValidPageTable+287j
		mov	[esp+38h+var_28], eax

loc_4AFBDF:				; CODE XREF: MiLockLowestValidPageTable+24Fj
		mov	edx, [eax]
		mov	ecx, edi
		mov	ebx, [esp+38h+var_28]
		mov	eax, 2
		shl	eax, cl
		mov	ecx, edx
		not	eax
		btr	ecx, edi
		mov	[esp+38h+var_10], eax
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		mov	ebx, [esp+38h+var_18]
		cmp	eax, edx
		jnz	loc_4AFD5A

loc_4AFC0D:				; CODE XREF: MiLockLowestValidPageTable+30Bj
		mov	edi, esi
		mov	[esp+38h+var_14], edi

loc_4AFC13:				; CODE XREF: MiLockLowestValidPageTable+9Aj
		test	ebx, ebx
		jz	short loc_4AFC1D
		dec	ebx
		jmp	loc_4AFACA
; 

loc_4AFC1D:				; CODE XREF: MiLockLowestValidPageTable+1A5j
		mov	eax, [ebp+arg_0]
		mov	ecx, [esp+38h+var_C]
		mov	[eax], ecx

loc_4AFC26:				; CODE XREF: MiLockLowestValidPageTable+2E5j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4AFC31:				; CODE XREF: MiLockLowestValidPageTable+BDj
		cmp	esi, 0C0603018h
		jz	short loc_4AFC80
		cmp	esi, 0C0603010h
		jz	short loc_4AFC74

loc_4AFC41:				; CODE XREF: MiLockLowestValidPageTable+20Ej
					; MiLockLowestValidPageTable+216j
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_4AFB49
; 

loc_4AFC50:				; CODE XREF: MiLockLowestValidPageTable+14Bj
		cmp	eax, 0C0603018h
		jnz	short loc_4AFC92

loc_4AFC57:				; CODE XREF: MiLockLowestValidPageTable+233j
		cmp	dl, 7
		jz	short loc_4AFCA7
		cmp	dl, 5
		jz	loc_5C19ED

loc_4AFC65:				; CODE XREF: MiLockLowestValidPageTable+22Cj
					; MiLockLowestValidPageTable+235j
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_4AFBDB
; 

loc_4AFC74:				; CODE XREF: MiLockLowestValidPageTable+1CFj
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_4AFC41

loc_4AFC80:				; CODE XREF: MiLockLowestValidPageTable+1C7j
		cmp	al, 7
		jz	short loc_4AFCC4
		cmp	al, 5
		jnz	short loc_4AFC41
		mov	[esp+38h+var_28], offset unk_6D2E54
		jmp	short loc_4AFCCC
; 

loc_4AFC92:				; CODE XREF: MiLockLowestValidPageTable+1E5j
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_4AFC65
		cmp	eax, 0C0603010h
		jz	short loc_4AFC57
		jmp	short loc_4AFC65
; 

loc_4AFCA7:				; CODE XREF: MiLockLowestValidPageTable+1EAj
		mov	[esp+38h+var_28], offset unk_6D2E58

loc_4AFCAF:				; CODE XREF: MiLockLowestValidPageTable+111F85j
		mov	edi, 0C0603018h
		sub	edi, eax
		mov	eax, [esp+38h+var_28]
		sar	edi, 3
		add	edi, edi
		jmp	loc_4AFBDF
; 

loc_4AFCC4:				; CODE XREF: MiLockLowestValidPageTable+212j
		mov	[esp+38h+var_28], offset unk_6D2E58

loc_4AFCCC:				; CODE XREF: MiLockLowestValidPageTable+220j
		mov	eax, [esp+38h+var_28]
		mov	ebx, 0C0603018h
		sub	ebx, esi
		sar	ebx, 3
		add	ebx, ebx
		jmp	loc_4AFB4D
; 

loc_4AFCE1:				; CODE XREF: MiLockLowestValidPageTable+C8j
		lea	eax, [edx+120h]
		lea	eax, [eax+ecx*4]
		jmp	loc_4AFB49
; 

loc_4AFCEF:				; CODE XREF: MiLockLowestValidPageTable+15Aj
		lea	eax, [eax+ecx*4]
		add	eax, 120h
		jmp	loc_4AFBDB
; 

loc_4AFCFC:				; CODE XREF: MiLockLowestValidPageTable+109j
		test	cl, 2
		jnz	short loc_4AFD30
		mov	ecx, ebx
		mov	eax, 2
		shl	eax, cl
		or	eax, edx
		mov	[esp+38h+var_1C], eax
		mov	ecx, eax
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_4AFD8B
		mov	edx, [esp+38h+var_1C]
		jmp	loc_4AFB4F
; 
		jmp	short loc_4AFD30
; 
		align 10h

loc_4AFD30:				; CODE XREF: MiLockLowestValidPageTable+28Fj
					; MiLockLowestValidPageTable+2B5j ...
		inc	edi
		test	ds:_HvlLongSpinCountMask, edi
		jz	loc_5C19D5

loc_4AFD3D:				; CODE XREF: MiLockLowestValidPageTable+111F6Cj
		pause

loc_4AFD3F:				; CODE XREF: MiLockLowestValidPageTable+111F78j
		mov	edx, [esi]
		mov	ecx, ebx
		mov	eax, edx
		shr	eax, cl
		test	al, 1
		jnz	short loc_4AFD30
		jmp	loc_4AFB4F
; 

loc_4AFD50:				; CODE XREF: MiLockLowestValidPageTable+74j
					; MiLockLowestValidPageTable+84j
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		jmp	loc_4AFC26
; 

loc_4AFD5A:				; CODE XREF: MiLockLowestValidPageTable+197j
		mov	esi, [esp+38h+var_10]
		mov	ebx, [esp+38h+var_28]

loc_4AFD62:				; CODE XREF: MiLockLowestValidPageTable+301j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, edi
		and	ecx, esi
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_4AFD62
		mov	esi, [esp+38h+var_20]
		mov	ebx, [esp+38h+var_18]
		jmp	loc_4AFC0D
; 

loc_4AFD80:				; CODE XREF: MiLockLowestValidPageTable+124j
		mov	edx, eax
		mov	eax, [esp+38h+var_10]
		jmp	loc_4AFB60
; 

loc_4AFD8B:				; CODE XREF: MiLockLowestValidPageTable+2AAj
		mov	edx, eax
		jmp	loc_4AFB4F
; 

loc_4AFD92:				; CODE XREF: MiLockLowestValidPageTable+92j
		push	edx
		push	ecx
		push	1
		mov	edx, esi
		call	MiPerformSafePdeWrite
		jmp	loc_4AFB08
MiLockLowestValidPageTable endp

; 
		align 10h

; __stdcall MiSystemFault(x)
_MiSystemFault@4:			; CODE XREF: MmAccessFault+371p
		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+4], ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		push	esi
		mov	esi, ecx
		mov	dword ptr [ebp-7Ch], 0
		push	edi
		mov	dword ptr [ebp-80h], 0
		mov	eax, [esi+24h]
		test	al, 40h
		jnz	loc_4AFFEE
		test	al, 20h
		jnz	loc_4B05F2
		mov	eax, [esi]
		mov	edi, eax
		cmp	edi, 0C0000000h
		jb	short loc_4AFE23
		lea	esp, [esp+0]

loc_4AFE10:				; CODE XREF: .text:004AFE21j
		cmp	edi, 0C07FFFFFh
		ja	short loc_4AFE23
		shl	edi, 9
		cmp	edi, 0C0000000h
		jnb	short loc_4AFE10

loc_4AFE23:				; CODE XREF: .text:004AFE07j
					; .text:004AFE16j
		xor	cl, cl
		test	dword ptr [esi+4], 1000000h
		mov	[ebp-59h], cl
		jz	short loc_4AFE75
		add	eax, 40000000h
		cmp	eax, offset loc_7FFFFF
		ja	short loc_4AFE5D
		cmp	edi, ds:_MmHighestUserAddress
		jbe	loc_4B05DA
		cmp	edi, dword_6D2E88
		jb	short loc_4AFE5D
		cmp	edi, dword_6D2E8C
		jbe	loc_4B05DA

loc_4AFE5D:				; CODE XREF: .text:004AFE3Bj
					; .text:004AFE4Fj
		mov	eax, 0D0000006h
		pop	edi
		pop	esi
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4AFE75:				; CODE XREF: .text:004AFE2Fj
		cmp	edi, dword_6D07D0
		jb	loc_4B05DA
		mov	ecx, dword_6D2E88
		cmp	edi, ecx
		jb	short loc_4AFEAD
		mov	eax, dword_6D2E90
		test	eax, eax
		jnz	short loc_4AFEA3
		mov	dword_6D2E90, 2000h
		mov	eax, 2000h

loc_4AFEA3:				; CODE XREF: .text:004AFE92j
		add	eax, ecx
		cmp	edi, eax
		jb	loc_4B05DA

loc_4AFEAD:				; CODE XREF: .text:004AFE89j
		mov	ecx, large fs:124h
		mov	[ebp-64h], ecx
		mov	eax, [ecx+300h]
		test	eax, 400h
		jnz	loc_4AFFEE
		test	eax, 100h
		jz	short loc_4AFEDF
		mov	edx, [esi]
		call	_MiTransientPageListWriter@8 ; MiTransientPageListWriter(x,x)
		cmp	eax, 1
		jz	loc_4AFFEE

loc_4AFEDF:				; CODE XREF: .text:004AFECDj
		cmp	dword_6D2F84, 0
		mov	eax, [esi]
		mov	[ebp-68h], eax
		jz	short loc_4AFF66
		push	offset unk_6D2F80
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	ecx, dword_6D2F88
		mov	[ebp-5Ah], al
		mov	[ebp-60h], ecx
		test	ecx, ecx
		jz	short loc_4AFF49
		mov	eax, [ebp-64h]
		lea	ebx, [ebx+0]

loc_4AFF10:				; CODE XREF: .text:004AFF20j
		cmp	eax, [ecx+0Ch]
		ja	short loc_4AFF1B
		jnb	short loc_4AFF22
		mov	ecx, [ecx]
		jmp	short loc_4AFF1E
; 

loc_4AFF1B:				; CODE XREF: .text:004AFF13j
		mov	ecx, [ecx+4]

loc_4AFF1E:				; CODE XREF: .text:004AFF19j
		test	ecx, ecx
		jnz	short loc_4AFF10

loc_4AFF22:				; CODE XREF: .text:004AFF15j
		mov	[ebp-60h], ecx
		test	ecx, ecx
		jz	short loc_4AFF49
		mov	edx, [ebp-68h]
		xor	eax, eax
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		sub	edx, 40000000h
		cmp	[ecx+14h], edx
		setnz	al
		dec	eax
		and	ecx, eax
		mov	[ebp-60h], ecx

loc_4AFF49:				; CODE XREF: .text:004AFF05j
					; .text:004AFF27j
		push	offset unk_6D2F80
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp-5Ah]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	dword ptr [ebp-60h], 0
		jnz	loc_4AFFEE

loc_4AFF66:				; CODE XREF: .text:004AFEEBj
		mov	eax, [esi+8]
		mov	ecx, eax
		and	ecx, 1
		mov	[ebp-64h], eax
		mov	[ebp-68h], ecx
		jz	short loc_4AFFAE
		and	eax, 0FFFFFFFEh
		mov	al, [eax]
		cmp	al, 1
		jz	short loc_4AFFD1
		cmp	al, 3
		jz	short loc_4AFFD1
		cmp	al, 6
		jz	short loc_4AFFD1

loc_4AFF87:				; CODE XREF: .text:004AFFB0j
					; .text:004AFFCFj
		mov	byte ptr [ebp-5Ah], 0

loc_4AFF8B:				; CODE XREF: .text:004AFFD5j
		push	50h
		lea	eax, [ebp-58h]
		push	0
		push	eax
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebp-54h], 1
		cmp	edi, dword_6D07D0
		jnb	short loc_4AFFD7
		xor	edx, edx
		jmp	short loc_4AFFE3
; 

loc_4AFFAE:				; CODE XREF: .text:004AFF74j
		test	eax, eax
		jz	short loc_4AFF87
		test	byte ptr [eax+6Ch], 1
		jnz	short loc_4AFFC6
		test	dword ptr [eax+70h], 20000h
		mov	ecx, offset _ExpInterlockedPopEntrySListFault
		jz	short loc_4AFFCC

loc_4AFFC6:				; CODE XREF: .text:004AFFB6j
		mov	ecx, ds:_KeUserPopEntrySListFault

loc_4AFFCC:				; CODE XREF: .text:004AFFC4j
		cmp	[eax+68h], ecx
		jnz	short loc_4AFF87

loc_4AFFD1:				; CODE XREF: .text:004AFF7Dj
					; .text:004AFF81j ...
		mov	byte ptr [ebp-5Ah], 1
		jmp	short loc_4AFF8B
; 

loc_4AFFD7:				; CODE XREF: .text:004AFFA8j
		mov	eax, edi
		shr	eax, 15h
		movzx	edx, byte ptr dword_6D3994[eax]

loc_4AFFE3:				; CODE XREF: .text:004AFFACj
		test	byte ptr [esi+24h], 8
		jz	short loc_4B0006
		cmp	edx, 6
		jz	short loc_4B0044

loc_4AFFEE:				; CODE XREF: .text:004AFDEFj
					; .text:004AFEC2j ...
		mov	eax, 0C0000005h
		pop	edi
		pop	esi
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)

loc_4AFFFF:				; DATA XREF: .text:off_5A496Co
					; .text:off_5A7CF0o
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx

loc_4B0004:				; DATA XREF: .text:00405BD4o
					; .text:00425E7Co
		pop	ebx
		retn
; 

loc_4B0006:				; CODE XREF: .text:004AFFE7j
		cmp	dword ptr [ebp-68h], 0
		mov	ecx, [ebp-64h]
		jz	short loc_4B0019
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		jz	short loc_4B0026

loc_4B0019:				; CODE XREF: .text:004B000Dj
		cmp	byte ptr [ebp-5Ah], 0
		jnz	short loc_4B0026
		mov	dword ptr [ebp-54h], 3

loc_4B0026:				; CODE XREF: .text:004B0017j
					; .text:004B001Dj
		cmp	edx, 8
		jnz	short loc_4B0035
		mov	eax, offset unk_6D5E80
		mov	[ebp-60h], eax
		jmp	short loc_4B00AD
; 

loc_4B0035:				; CODE XREF: .text:004B0029j
		cmp	edx, 1
		jz	short loc_4B009D
		cmp	edx, 0Bh
		jz	short loc_4B009D
		cmp	edx, 6
		jnz	short loc_4B004E

loc_4B0044:				; CODE XREF: .text:004AFFECj
		mov	eax, offset unk_6D3840
		mov	[ebp-60h], eax
		jmp	short loc_4B00AD
; 

loc_4B004E:				; CODE XREF: .text:004B0042j
		cmp	edx, 0Ch
		jnz	short loc_4B005D
		mov	eax, offset unk_6D3740
		mov	[ebp-60h], eax
		jmp	short loc_4B00AD
; 

loc_4B005D:				; CODE XREF: .text:004B0051j
		cmp	edx, 0Eh
		jnz	short loc_4B0087
		cmp	dword ptr [ebp-68h], 0
		jz	loc_4B0126
		and	ecx, 0FFFFFFFEh
		mov	al, [ecx]
		cmp	al, 1
		jz	short loc_4B007D
		cmp	al, 4
		jnz	loc_4B0126

loc_4B007D:				; CODE XREF: .text:004B0073j
		mov	eax, offset unk_6D3A40
		mov	[ebp-60h], eax
		jmp	short loc_4B00AD
; 

loc_4B0087:				; CODE XREF: .text:004B0060j
		cmp	edx, 9
		jnz	loc_4B0126
		lea	ecx, [edx-6]
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	[ebp-60h], eax
		jmp	short loc_4B00AD
; 

loc_4B009D:				; CODE XREF: .text:004B0038j
					; .text:004B003Dj
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		mov	[ebp-60h], eax
		test	eax, eax
		jz	short loc_4B0126
		mov	byte ptr [ebp-59h], 1

loc_4B00AD:				; CODE XREF: .text:004B0033j
					; .text:004B004Cj ...
		lea	ecx, [ebp-58h]
		push	ecx
		push	0
		push	edx
		mov	edx, [esi]
		mov	ecx, eax
		call	MiSynchronizeSystemVa
		test	eax, eax
		jz	short loc_4B0126
		mov	eax, [ebp-54h]
		and	eax, 2
		mov	[ebp-6Ch], eax
		jnz	short loc_4B0112
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_4B0112
		call	_MiIsWorkingSetTrimThread@0 ; MiIsWorkingSetTrimThread()
		test	eax, eax
		jnz	short loc_4B0112
		mov	ecx, dword_6D07D0
		mov	eax, edi
		shr	eax, 15h
		cmp	edi, ecx
		jb	short loc_4B0112
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_4B011E
		cmp	edi, ecx
		jb	short loc_4B0112
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	short loc_4B011E

loc_4B0112:				; CODE XREF: .text:004B00CAj
					; .text:004B00E2j ...
		mov	ecx, esi
		call	MiCheckSystemPageTables
		cmp	eax, 2
		jnz	short loc_4B0144

loc_4B011E:				; CODE XREF: .text:004B0103j
					; .text:004B0110j
		lea	ecx, [ebp-58h]
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)

loc_4B0126:				; CODE XREF: .text:004B0066j
					; .text:004B0077j ...
		test	byte ptr [ebp-54h], 2
		jz	loc_4AFFEE
		mov	ecx, esi
		call	_MiGenerateAccessViolation@4 ; MiGenerateAccessViolation(x)
		test	eax, eax
		jz	loc_4B0606
		jmp	loc_4AFFEE
; 

loc_4B0144:				; CODE XREF: .text:004B011Cj
		cmp	eax, 1
		jnz	short loc_4B0166
		lea	ecx, [ebp-58h]
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)
		xor	eax, eax
		pop	edi
		pop	esi
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4B0166:				; CODE XREF: .text:004B0147j
		mov	eax, [ebp-40h]
		mov	[esi+14h], eax
		mov	eax, [ebp-3Ch]
		mov	[esi+18h], eax
		mov	eax, [ebp-38h]
		mov	[esi+1Ch], eax
		mov	eax, [ebp-34h]
		mov	[esi+20h], eax
		mov	eax, [esi+0Ch]
		mov	[ebp-64h], eax
		mov	edi, [eax]
		nop
		mov	ecx, [eax+4]
		mov	eax, edi
		and	eax, 1
		mov	[ebp-68h], ecx
		or	eax, 0
		jz	loc_4B02C0
		mov	eax, edi
		and	eax, 80h
		or	eax, 0
		jz	short loc_4B01C5
		mov	edx, [esi]
		lea	eax, [edx+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_4B01C5
		cmp	dword ptr [ebp-6Ch], 0
		jnz	loc_4B061A
		jmp	loc_4B0521
; 

loc_4B01C5:				; CODE XREF: .text:004B01A5j
					; .text:004B01B4j
		mov	edx, [esi+8]
		mov	[ebp-6Ch], edx
		test	dl, 1
		jz	short loc_4B0208
		and	edx, 0FFFFFFFEh
		cmp	byte ptr [edx],	1
		jnz	short loc_4B0205
		mov	edx, [edx+28h]
		mov	ecx, [esi+0Ch]
		and	edx, 7
		call	_MiUpdatePfnPriorityByPte@8 ; MiUpdatePfnPriorityByPte(x,x)

loc_4B01E6:				; CODE XREF: .text:004B02F9j
					; .text:004B0327j
		lea	ecx, [ebp-58h]
		xor	edi, edi
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)
		mov	eax, edi
		pop	edi
		pop	esi
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4B0205:				; CODE XREF: .text:004B01D6j
		mov	edx, [ebp-6Ch]

loc_4B0208:				; CODE XREF: .text:004B01CEj
		test	byte ptr [esi+4], 2
		jz	short loc_4B027B
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jnz	short loc_4B028F
		mov	eax, edi
		and	eax, 200h
		or	eax, 0
		jnz	short loc_4B0240
		test	byte ptr [esi+24h], 8
		jnz	short loc_4B0240
		mov	ecx, esi
		call	_MiGenerateAccessViolation@4 ; MiGenerateAccessViolation(x)
		test	eax, eax
		jz	loc_4B062C
		jmp	loc_4B0521
; 

loc_4B0240:				; CODE XREF: .text:004B0224j
					; .text:004B022Aj
		mov	edx, [ebp-64h]
		mov	ecx, [esi]
		push	0
		push	0FFFFFFFFh
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		lea	ecx, [ebp-58h]
		mov	esi, eax
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)
		test	esi, esi
		jns	short loc_4B0266
		mov	ecx, [ebp-60h]
		mov	edx, esi
		call	MiCopyOnWriteCheckConditions

loc_4B0266:				; CODE XREF: .text:004B025Aj
		xor	eax, eax
		pop	edi
		pop	esi
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4B027B:				; CODE XREF: .text:004B020Cj
		push	ecx
		push	edi
		mov	edx, 2
		mov	ecx, esi
		call	MiCheckSystemNxFault
		mov	edx, [esi+8]
		mov	ecx, [ebp-68h]

loc_4B028F:				; CODE XREF: .text:004B0218j
		mov	eax, [esi]
		push	ecx
		push	edi
		push	1
		push	edx
		mov	edx, [ebp-64h]
		mov	ecx, esi
		push	eax
		call	MiNoFaultFound
		lea	ecx, [ebp-58h]
		xor	edi, edi
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)
		mov	eax, edi
		pop	edi
		pop	esi
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4B02C0:				; CODE XREF: .text:004B0195j
		mov	edx, [esi]
		mov	[ebp-84h], edx
		lea	eax, [edx+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_4B02FE
		cmp	byte ptr [ebp-5Ah], 0
		jnz	loc_4B0521
		mov	ecx, [esi+8]
		test	cl, 1
		jz	loc_4B0640
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		jnz	loc_4B0640
		jmp	loc_4B01E6
; 

loc_4B02FE:				; CODE XREF: .text:004B02D3j
		xor	eax, eax
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		mov	eax, edi
		jz	loc_4B043B
		and	eax, 2
		or	eax, 0
		jz	short loc_4B0372
		mov	eax, [esi+8]
		test	al, 1
		jz	short loc_4B032D
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		jz	loc_4B01E6

loc_4B032D:				; CODE XREF: .text:004B031Fj
		mov	edx, [ebp-64h]
		mov	ecx, esi
		push	0
		push	0
		call	MiResolveDemandZeroFault
		mov	ecx, [esi+14h]
		mov	edi, eax
		mov	[ebp-40h], ecx
		mov	ecx, [esi+18h]
		mov	[ebp-3Ch], ecx
		mov	ecx, [esi+1Ch]
		mov	[ebp-38h], ecx
		mov	ecx, [esi+20h]
		mov	[ebp-34h], ecx
		lea	ecx, [ebp-58h]
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)
		mov	eax, edi
		pop	edi
		pop	esi
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4B0372:				; CODE XREF: .text:004B0318j
		mov	eax, ecx
		mov	ecx, dword_6D0704
		mov	edx, eax
		mov	[ebp-60h], eax
		mov	eax, dword_6D0700
		mov	[ebp-64h], ecx
		or	eax, ecx
		mov	ecx, [ebp-68h]
		mov	[ebp-74h], edx
		jz	short loc_4B03A6
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4B03A3
		mov	edx, [ebp-64h]
		not	edx
		and	edx, [ebp-74h]

loc_4B03A3:				; CODE XREF: .text:004B0399j
		mov	[ebp-60h], edx

loc_4B03A6:				; CODE XREF: .text:004B038Fj
		mov	al, [ebp-59h]
		test	al, al
		jz	loc_4B0548
		push	ecx
		push	edi
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jz	loc_4B0543
		mov	ecx, [ebp-84h]
		lea	eax, [ebp-7Ch]
		push	eax
		lea	edx, [ebp-80h]
		call	MiCheckVirtualAddress
		mov	ecx, eax
		test	ecx, ecx
		jnz	loc_4B054F
		mov	ecx, [esi+8]
		test	cl, 1
		jz	short loc_4B03FD
		and	ecx, 0FFFFFFFEh
		mov	al, [ecx]
		cmp	al, 1
		jz	loc_4B0521
		cmp	al, 3
		jz	loc_4B0521
		cmp	al, 6
		jmp	short loc_4B0406
; 

loc_4B03FD:				; CODE XREF: .text:004B03E2j
		xor	edx, edx
		call	@KeInvalidAccessAllowed@8 ; KeInvalidAccessAllowed(x,x)
		cmp	al, 1

loc_4B0406:				; CODE XREF: .text:004B03FBj
		jz	loc_4B0521
		mov	ecx, esi
		call	_MiGenerateAccessViolation@4 ; MiGenerateAccessViolation(x)
		test	eax, eax
		jnz	loc_4B0521
		lea	ecx, [ebp-58h]
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)
		mov	eax, 0D0000006h
		pop	edi
		pop	esi
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4B043B:				; CODE XREF: .text:004B030Cj
		and	eax, 800h
		or	eax, 0
		jnz	short loc_4B049F
		mov	eax, edi
		and	eax, 3E0h
		or	eax, 0
		jnz	short loc_4B049F
		test	byte ptr [esi+24h], 8
		jnz	loc_4B0521
		mov	ecx, [esi+8]
		test	cl, 1
		jz	short loc_4B047C
		and	ecx, 0FFFFFFFEh
		mov	al, [ecx]
		cmp	al, 1
		jz	loc_4B0521
		cmp	al, 3
		jz	loc_4B0521
		cmp	al, 6
		jmp	short loc_4B0485
; 

loc_4B047C:				; CODE XREF: .text:004B0461j
		xor	edx, edx
		call	@KeInvalidAccessAllowed@8 ; KeInvalidAccessAllowed(x,x)
		cmp	al, 1

loc_4B0485:				; CODE XREF: .text:004B047Aj
		jz	loc_4B0521
		mov	ecx, esi
		call	_MiGenerateAccessViolation@4 ; MiGenerateAccessViolation(x)
		test	eax, eax
		jz	loc_4B064F
		jmp	loc_4B0521
; 

loc_4B049F:				; CODE XREF: .text:004B0443j
					; .text:004B044Fj
		mov	eax, edi
		and	eax, 3E0h
		cmp	eax, 300h
		jz	short loc_4B04CB
		cmp	eax, 3E0h
		jnz	loc_4B054D
		mov	eax, [esi+8]
		test	al, 1
		jz	short loc_4B04CB
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	4
		jz	loc_4B054D

loc_4B04CB:				; CODE XREF: .text:004B04ABj
					; .text:004B04BDj
		test	byte ptr [esi+24h], 8
		jnz	short loc_4B0504
		mov	ecx, [esi+8]
		test	cl, 1
		jz	short loc_4B04EA
		and	ecx, 0FFFFFFFEh
		mov	al, [ecx]
		cmp	al, 1
		jz	short loc_4B0504
		cmp	al, 3
		jz	short loc_4B0504
		cmp	al, 6
		jmp	short loc_4B04F3
; 

loc_4B04EA:				; CODE XREF: .text:004B04D7j
		xor	edx, edx
		call	@KeInvalidAccessAllowed@8 ; KeInvalidAccessAllowed(x,x)
		cmp	al, 1

loc_4B04F3:				; CODE XREF: .text:004B04E8j
		jz	short loc_4B0504
		mov	ecx, esi
		call	_MiGenerateAccessViolation@4 ; MiGenerateAccessViolation(x)
		test	eax, eax
		jz	loc_4B0663

loc_4B0504:				; CODE XREF: .text:004B04CFj
					; .text:004B04E0j ...
		mov	eax, edi
		and	eax, 3E0h
		cmp	eax, 300h
		jz	short loc_4B0521
		mov	eax, [esi+8]
		test	al, 1
		jz	short loc_4B0521
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		jz	short loc_4B054D

loc_4B0521:				; CODE XREF: .text:004B01C0j
					; .text:004B023Bj ...
		mov	edi, 0C0000005h
		lea	ecx, [ebp-58h]
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)
		mov	eax, edi
		pop	edi
		pop	esi
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4B0543:				; CODE XREF: .text:004B03BAj
		mov	ecx, [ebp-60h]
		jmp	short loc_4B054F
; 

loc_4B0548:				; CODE XREF: .text:004B03ABj
		mov	ecx, [ebp-60h]
		jmp	short loc_4B0552
; 

loc_4B054D:				; CODE XREF: .text:004B04B2j
					; .text:004B04C5j ...
		xor	ecx, ecx

loc_4B054F:				; CODE XREF: .text:004B03D6j
					; .text:004B0546j
		mov	al, [ebp-59h]

loc_4B0552:				; CODE XREF: .text:004B054Bj
		test	byte ptr [esi+4], 2
		jz	short loc_4B05B5
		test	ecx, ecx
		jnz	short loc_4B05B5
		test	al, al
		jnz	short loc_4B05B5
		mov	eax, edi
		mov	edx, edi
		and	eax, 800h
		or	eax, ecx
		mov	eax, [ebp-68h]
		shrd	edx, eax, 5
		test	dl, 4
		jnz	short loc_4B05B5
		test	byte ptr [esi+24h], 8
		jnz	short loc_4B0521
		mov	ecx, [esi+8]
		test	cl, 1
		jz	short loc_4B0596
		and	ecx, 0FFFFFFFEh
		mov	al, [ecx]
		cmp	al, 1
		jz	short loc_4B0521
		cmp	al, 3
		jz	short loc_4B0521
		cmp	al, 6
		jmp	short loc_4B059F
; 

loc_4B0596:				; CODE XREF: .text:004B0583j
		xor	edx, edx
		call	@KeInvalidAccessAllowed@8 ; KeInvalidAccessAllowed(x,x)
		cmp	al, 1

loc_4B059F:				; CODE XREF: .text:004B0594j
		jz	short loc_4B0521
		mov	ecx, esi
		call	_MiGenerateAccessViolation@4 ; MiGenerateAccessViolation(x)
		test	eax, eax
		jz	loc_4B0677
		jmp	loc_4B0521
; 

loc_4B05B5:				; CODE XREF: .text:004B0556j
					; .text:004B055Aj ...
		cmp	dword ptr [ebp-44h], 0
		mov	[esi+2Ch], ecx
		jz	short loc_4B05C2
		or	dword ptr [esi+24h], 10h

loc_4B05C2:				; CODE XREF: .text:004B05BCj
		mov	eax, 0C0000016h
		pop	edi
		pop	esi
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4B05DA:				; CODE XREF: .text:004AFE43j
					; .text:004AFE57j ...
		mov	ecx, [ebp-4]
		mov	eax, 0C0h
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4B05F2:				; CODE XREF: .text:004AFDF7j
		mov	eax, [esi+8]
		push	0Eh
		push	eax
		mov	eax, [esi+4]
		push	eax
		mov	eax, [esi]
		push	eax
		push	50h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4B0606:				; CODE XREF: .text:004B0139j
		mov	eax, [esi+8]
		push	2
		push	eax
		mov	eax, [esi+4]
		push	eax
		mov	eax, [esi]
		push	eax
		push	50h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4B061A:				; CODE XREF: .text:004B01BAj
		mov	eax, [esi+8]
		push	8
		push	eax
		mov	eax, [esi+4]
		push	eax
		push	edx
		push	50h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4B062C:				; CODE XREF: .text:004B0235j
		mov	eax, [esi+8]
		push	0Bh
		push	eax
		mov	eax, [esi]
		push	edi
		push	eax
		push	0BEh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4B0640:				; CODE XREF: .text:004B02E5j
					; .text:004B02F3j
		mov	eax, [esi+4]
		push	9
		push	ecx
		push	eax
		push	edx
		push	50h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4B064F:				; CODE XREF: .text:004B0494j
		mov	eax, [esi+8]
		push	0
		push	eax
		mov	eax, [esi+4]
		push	eax
		mov	eax, [esi]
		push	eax
		push	50h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4B0663:				; CODE XREF: .text:004B04FEj
		mov	eax, [esi+8]
		push	1
		push	eax
		mov	eax, [esi+4]
		push	eax
		mov	eax, [esi]
		push	eax
		push	50h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4B0677:				; CODE XREF: .text:004B05AAj
		mov	eax, [esi+8]
		push	0Eh
		push	eax
		mov	eax, [esi]
		push	edi
		push	eax
		push	0BEh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 


MiCheckSystemPageTables	proc near	; CODE XREF: .text:004B0114p

var_18		= dword	ptr -18h

; FUNCTION CHUNK AT 005C19FA SIZE 000000DF BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, 1
		lea	esi, [edi+10h]
		nop

loc_4B06A0:				; CODE XREF: MiCheckSystemPageTables+3Dj
		mov	edx, [esi]
		mov	ebx, [edx]
		nop
		mov	edx, [edx+4]
		mov	ecx, ebx
		and	ecx, 1
		or	ecx, 0
		jz	loc_5C1A91
		mov	ecx, ebx
		and	ecx, 80h
		or	ecx, 0
		jnz	loc_5C19FA
		sub	esi, 4
		sub	eax, 1
		jnz	short loc_4B06A0

loc_4B06CF:				; CODE XREF: MiCheckSystemPageTables+11138Cj
					; MiCheckSystemPageTables+1113D3j
		pop	edi
		pop	esi
		pop	ebx
		retn
MiCheckSystemPageTables	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSynchronizeSystemVa proc near		; CODE XREF: .text:004B00B8p
					; MiLockStealSystemVm(x,x,x,x)+19Ep ...

var_48		= dword	ptr -48h
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C1AD9 SIZE 00000124 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ebx, edx
		mov	[esp+48h+var_30], ecx
		mov	[esp+48h+var_10], 0
		mov	[esp+48h+var_C], 0
		mov	[esp+48h+var_20], 0
		jz	loc_5C1B4E
		mov	esi, [ebp+arg_4]
		mov	dword ptr [edi+10h], 0
		mov	dword ptr [edi+14h], 0
		mov	al, [edi+21h]
		mov	[edi+18h], ecx
		test	esi, esi
		jnz	loc_5C1AA6
		and	al, 0FEh
		mov	[edi+21h], al
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 4
		ja	loc_4B0AF4

loc_4B074A:				; CODE XREF: MiSynchronizeSystemVa+416j
		cmp	al, 2
		jz	loc_4B0A0B
		lea	esi, [ecx+80h]

loc_4B0758:				; CODE XREF: MiSynchronizeSystemVa+330j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[esp+48h+var_35], al
		jnz	loc_5C1AD9
		mov	edx, [esi]
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	loc_4B0B09

loc_4B078A:				; CODE XREF: MiSynchronizeSystemVa+434j
					; MiSynchronizeSystemVa+111402j
		add	esi, 4
		cmp	dword ptr [esi], 0
		jnz	loc_5C1AE7

loc_4B0796:				; CODE XREF: MiSynchronizeSystemVa+11140Bj
		mov	esi, [ebp+arg_4]
		mov	al, [esp+48h+var_35]

loc_4B079D:				; CODE XREF: MiSynchronizeSystemVa+424j
					; MiCheckSystemPageTables+111444j
		mov	[edi+20h], al
		test	byte ptr [edi+4], 2
		jz	loc_4B0A15

loc_4B07AA:				; CODE XREF: MiSynchronizeSystemVa+3ADj
		test	esi, esi
		jnz	loc_5C1B15
		mov	ecx, [esp+48h+var_30]
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		sub	ebx, 40000000h
		mov	eax, ebx
		mov	[esp+48h+var_24], ebx
		shr	eax, 9
		mov	ebx, 0C0603018h
		and	eax, offset loc_7FFFF8
		mov	[esp+48h+var_2C], ebx
		sub	eax, 40000000h
		mov	edx, ebx
		mov	[esp+48h+var_8], eax
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		push	esi
		mov	[esp+4Ch+var_4], eax
		call	MiLockPageTableInternal
		mov	edi, 1

loc_4B0803:				; CODE XREF: MiSynchronizeSystemVa+2AEj
		mov	esi, [esp+edi*4+48h+var_8]
		mov	[esp+48h+var_28], edi
		mov	[esp+48h+var_14], esi
		mov	ecx, [esi]
		nop
		mov	edx, [esi+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_4B0B8B
		mov	eax, ecx
		and	eax, 80h
		or	eax, 0
		jnz	loc_4B0B8B
		mov	eax, ecx
		and	eax, 20h
		or	eax, 0
		jz	loc_5C1B55

loc_4B0841:				; CODE XREF: MiSynchronizeSystemVa+111480j
		cmp	esi, ebx
		jz	loc_4B0967
		mov	edx, [esp+48h+var_30]
		lea	eax, [esi+3FA00000h]
		sar	eax, 3
		mov	[esp+48h+var_18], 0
		lea	ecx, [eax+eax]
		mov	eax, ecx
		and	eax, 1Fh
		mov	[esp+48h+var_1C], eax
		mov	al, [edx+60h]
		and	al, 7
		cmp	al, 2
		jb	loc_4B09D9
		cmp	esi, 0C0603018h
		jz	loc_4B09A3
		cmp	esi, 0C0603010h
		jz	loc_4B0993

loc_4B088F:				; CODE XREF: MiSynchronizeSystemVa+2BDj
					; MiSynchronizeSystemVa+2CDj
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]

loc_4B0899:				; CODE XREF: MiSynchronizeSystemVa+30Dj
					; MiSynchronizeSystemVa+11149Dj
		mov	[esp+48h+var_34], eax

loc_4B089D:				; CODE XREF: MiSynchronizeSystemVa+472j
		mov	esi, [esp+48h+var_34]
		mov	edi, [esi]
		mov	esi, [esp+48h+var_1C]

loc_4B08A7:				; CODE XREF: MiSynchronizeSystemVa+3E3j
					; MiSynchronizeSystemVa+40Fj ...
		mov	ecx, esi
		mov	edx, 2
		shl	edx, cl

loc_4B08B0:				; CODE XREF: MiSynchronizeSystemVa+479j
		mov	eax, edi
		mov	ecx, esi
		shr	eax, cl
		test	al, 1
		jnz	loc_4B0A92
		mov	ebx, [esp+48h+var_34]
		mov	ecx, edi
		mov	eax, edx
		bts	ecx, esi
		not	eax
		and	ecx, eax
		mov	eax, edi
		lock cmpxchg [ebx], ecx
		mov	ebx, [esp+48h+var_2C]
		cmp	eax, edi
		jnz	loc_4B0B57
		mov	edx, [esp+48h+var_30]
		lea	eax, [ebx+3FA00000h]
		mov	edi, [esp+48h+var_28]
		sar	eax, 3
		lea	ecx, [eax+eax]
		mov	eax, ecx
		and	eax, 1Fh
		mov	[esp+48h+var_2C], eax
		mov	al, [edx+60h]
		and	al, 7
		cmp	al, 2
		jb	loc_4B09F2
		cmp	ebx, 0C0603018h
		jnz	loc_4B09B8

loc_4B0915:				; CODE XREF: MiSynchronizeSystemVa+2EEj
		cmp	al, 7
		jz	loc_4B0B19
		cmp	al, 5
		jz	loc_5C1B9A

loc_4B0925:				; CODE XREF: MiSynchronizeSystemVa+2E2j
					; MiSynchronizeSystemVa+2F4j
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]

loc_4B092F:				; CODE XREF: MiSynchronizeSystemVa+326j
					; MiSynchronizeSystemVa+1114D2j
		mov	[esp+48h+var_34], eax

loc_4B0933:				; CODE XREF: MiSynchronizeSystemVa+455j
		mov	edx, [eax]
		mov	ebx, 2
		mov	eax, [esp+48h+var_2C]
		mov	ecx, eax
		mov	esi, [esp+48h+var_34]
		shl	ebx, cl
		mov	ecx, edx
		btr	ecx, eax
		not	ebx
		and	ecx, ebx
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	esi, [esp+48h+var_14]
		cmp	eax, edx
		jnz	loc_4B0B5E

loc_4B0961:				; CODE XREF: MiSynchronizeSystemVa+49Fj
		mov	ebx, esi
		mov	[esp+48h+var_2C], ebx

loc_4B0967:				; CODE XREF: MiSynchronizeSystemVa+163j
		test	edi, edi
		jnz	short loc_4B098D
		mov	ecx, [esp+48h+var_24]
		mov	esi, ecx

loc_4B0971:				; CODE XREF: MiSynchronizeSystemVa+4AFj
		mov	edi, [ebp+arg_8]
		mov	[edi+24h], ebx
		cmp	esi, ecx
		jnz	loc_5C1BB7

loc_4B097F:				; CODE XREF: MiSynchronizeSystemVa+111457j
					; MiSynchronizeSystemVa+111518j
		mov	eax, 1

loc_4B0984:				; CODE XREF: MiSynchronizeSystemVa+111470j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B098D:				; CODE XREF: MiSynchronizeSystemVa+289j
		dec	edi
		jmp	loc_4B0803
; 

loc_4B0993:				; CODE XREF: MiSynchronizeSystemVa+1A9j
		cmp	dword_6D07D0, 0C0000000h
		jnb	loc_4B088F

loc_4B09A3:				; CODE XREF: MiSynchronizeSystemVa+19Dj
		cmp	al, 7
		jz	loc_4B0B3A
		cmp	al, 5
		jnz	loc_4B088F
		jmp	loc_5C1B65
; 

loc_4B09B8:				; CODE XREF: MiSynchronizeSystemVa+22Fj
		cmp	dword_6D07D0, 0C0000000h
		jnb	loc_4B0925
		cmp	ebx, 0C0603010h
		jz	loc_4B0915
		jmp	loc_4B0925
; 

loc_4B09D9:				; CODE XREF: MiSynchronizeSystemVa+191j
		shr	ecx, 5
		test	al, al
		jz	loc_5C1B72
		lea	eax, [edx+120h]
		lea	eax, [eax+ecx*4]
		jmp	loc_4B0899
; 

loc_4B09F2:				; CODE XREF: MiSynchronizeSystemVa+223j
		shr	ecx, 5
		test	al, al
		jz	loc_5C1BA7
		lea	eax, [edx+120h]
		lea	eax, [eax+ecx*4]
		jmp	loc_4B092F
; 

loc_4B0A0B:				; CODE XREF: MiSynchronizeSystemVa+6Cj
		mov	esi, offset unk_6D3C40
		jmp	loc_4B0758
; 

loc_4B0A15:				; CODE XREF: MiSynchronizeSystemVa+C4j
		push	offset dword_6D2E64
		mov	[esp+4Ch+var_34], 0
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	ecx, ebx
		shr	ecx, 15h
		cmp	ebx, dword_6D07D0
		jb	loc_5C1AF0
		movzx	eax, byte ptr dword_6D3994[ecx]

loc_4B0A3F:				; CODE XREF: MiSynchronizeSystemVa+111412j
		cmp	[ebp+arg_0], eax
		jnz	loc_5C1B08
		mov	edx, dword_6D0BD4[ecx*4]
		test	edx, edx
		js	loc_5C1B08
		lea	eax, [edx+1]
		xor	eax, edx
		and	eax, 7FFFFFFFh
		xor	eax, edx
		mov	dword_6D0BD4[ecx*4], eax
		test	eax, 7FFFFFFFh
		jz	loc_5C1AF7

loc_4B0A75:				; CODE XREF: MiSynchronizeSystemVa+111430j
		push	offset dword_6D2E64
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		cmp	[esp+48h+var_34], 0
		jnz	loc_5C1B47
		mov	[edi+14h], ebx
		jmp	loc_4B07AA
; 

loc_4B0A92:				; CODE XREF: MiSynchronizeSystemVa+1D8j
		test	al, 2
		jz	short loc_4B0AC8
		mov	ebx, [esp+48h+var_34]
		lea	ebx, [ebx+0]

loc_4B0AA0:				; CODE XREF: MiSynchronizeSystemVa+3E1j
		mov	eax, [esp+48h+var_18]
		inc	eax
		mov	[esp+48h+var_18], eax
		test	ds:_HvlLongSpinCountMask, eax
		jz	loc_5C1B82

loc_4B0AB5:				; CODE XREF: MiSynchronizeSystemVa+1114A9j
		pause

loc_4B0AB7:				; CODE XREF: MiSynchronizeSystemVa+1114B5j
		mov	edi, [ebx]
		mov	ecx, esi
		mov	eax, edi
		shr	eax, cl
		test	al, 1
		jnz	short loc_4B0AA0
		jmp	loc_4B08A7
; 

loc_4B0AC8:				; CODE XREF: MiSynchronizeSystemVa+3B4j
		mov	edx, [esp+48h+var_34]
		mov	ecx, esi
		mov	eax, 2
		shl	eax, cl
		or	eax, edi
		mov	[esp+48h+var_1C], eax
		mov	ecx, eax
		mov	eax, edi
		lock cmpxchg [edx], ecx
		cmp	eax, edi
		jnz	loc_4B0B84
		mov	edi, [esp+48h+var_1C]
		jmp	loc_4B08A7
; 

loc_4B0AF4:				; CODE XREF: MiSynchronizeSystemVa+64j
		cmp	al, 5
		jz	loc_4B074A
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		jmp	loc_4B079D
; 

loc_4B0B09:				; CODE XREF: MiSynchronizeSystemVa+A4j
		mov	dl, [esp+48h+var_35]
		mov	ecx, esi
		call	ExpWaitForSpinLockSharedAndAcquire
		jmp	loc_4B078A
; 

loc_4B0B19:				; CODE XREF: MiSynchronizeSystemVa+237j
		mov	[esp+48h+var_34], offset unk_6D2E58

loc_4B0B21:				; CODE XREF: MiSynchronizeSystemVa+1114C2j
		mov	eax, [esp+48h+var_34]
		mov	edx, 0C0603018h
		sub	edx, ebx
		sar	edx, 3
		add	edx, edx
		mov	[esp+48h+var_2C], edx
		jmp	loc_4B0933
; 

loc_4B0B3A:				; CODE XREF: MiSynchronizeSystemVa+2C5j
		mov	[esp+48h+var_34], offset unk_6D2E58

loc_4B0B42:				; CODE XREF: MiSynchronizeSystemVa+11148Dj
		mov	eax, 0C0603018h
		sub	eax, esi
		sar	eax, 3
		add	eax, eax
		mov	[esp+48h+var_1C], eax
		jmp	loc_4B089D
; 

loc_4B0B57:				; CODE XREF: MiSynchronizeSystemVa+1F9j
		mov	edi, eax
		jmp	loc_4B08B0
; 

loc_4B0B5E:				; CODE XREF: MiSynchronizeSystemVa+27Bj
		mov	edi, [esp+48h+var_2C]
		mov	esi, [esp+48h+var_34]

loc_4B0B66:				; CODE XREF: MiSynchronizeSystemVa+495j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, edi
		and	ecx, ebx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_4B0B66
		mov	esi, [esp+48h+var_14]
		mov	edi, [esp+48h+var_28]
		jmp	loc_4B0961
; 

loc_4B0B84:				; CODE XREF: MiSynchronizeSystemVa+405j
		mov	edi, eax
		jmp	loc_4B08A7
; 

loc_4B0B8B:				; CODE XREF: MiSynchronizeSystemVa+13Dj
					; MiSynchronizeSystemVa+14Dj
		mov	ecx, [esp+48h+var_24]
		jmp	loc_4B0971
MiSynchronizeSystemVa endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockPageTableInternal	proc near	; CODE XREF: MiInitializeWorkingSetList(x,x,x,x)+48p
					; MiWalkPageTablesRecursively(x,x,x)+827p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C1BFD SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], 0
		lea	eax, [edx+3FA00000h]
		sar	eax, 3
		add	eax, eax
		mov	cl, [esi+60h]
		push	edi
		mov	edi, eax
		and	cl, 7
		and	edi, 1Fh
		cmp	cl, 2
		jnb	short loc_4B0C34
		shr	eax, 5
		test	cl, cl
		jnz	loc_4B0C6F
		mov	edx, [esi+0Ch]
		add	edx, 0D90h

loc_4B0BE3:				; CODE XREF: MiLockPageTableInternal+D5j
		lea	edx, [edx+eax*4]

loc_4B0BE6:				; CODE XREF: MiLockPageTableInternal+AEj
		mov	[ebp+var_4], edx

loc_4B0BE9:				; CODE XREF: MiLockPageTableInternal+F0j
		mov	esi, [ebp+arg_0]
		mov	ebx, [edx]
		and	esi, 1
		mov	[ebp+arg_0], esi
		mov	[ebp+var_C], esi

loc_4B0BF7:				; CODE XREF: MiLockPageTableInternal+13Ej
					; MiLockPageTableInternal+167j	...
		mov	eax, ebx
		mov	ecx, edi
		shr	eax, cl
		test	al, 1
		jnz	loc_4B0C95
		mov	eax, 2
		mov	edx, ebx
		shl	eax, cl
		bts	edx, edi
		mov	ecx, [ebp+var_4]
		not	eax
		and	edx, eax
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jnz	loc_4B0D0C
		pop	edi
		pop	esi
		mov	eax, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4B0C34:				; CODE XREF: MiLockPageTableInternal+2Dj
		cmp	edx, 0C0603018h
		jz	short loc_4B0C5C
		cmp	edx, 0C0603010h
		jz	short loc_4B0C50

loc_4B0C44:				; CODE XREF: MiLockPageTableInternal+BAj
					; MiLockPageTableInternal+C4j
		shr	eax, 5
		lea	edx, unk_6D2C54[eax*4]
		jmp	short loc_4B0BE6
; 

loc_4B0C50:				; CODE XREF: MiLockPageTableInternal+A2j
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_4B0C44

loc_4B0C5C:				; CODE XREF: MiLockPageTableInternal+9Aj
		cmp	cl, 7
		jz	short loc_4B0C7A
		cmp	cl, 5
		jnz	short loc_4B0C44
		mov	[ebp+var_4], offset unk_6D2E54
		jmp	short loc_4B0C81
; 

loc_4B0C6F:				; CODE XREF: MiLockPageTableInternal+34j
		lea	edx, [esi+120h]
		jmp	loc_4B0BE3
; 

loc_4B0C7A:				; CODE XREF: MiLockPageTableInternal+BFj
		mov	[ebp+var_4], offset unk_6D2E58

loc_4B0C81:				; CODE XREF: MiLockPageTableInternal+CDj
		mov	edi, 0C0603018h
		sub	edi, edx
		mov	edx, [ebp+var_4]
		sar	edi, 3
		add	edi, edi
		jmp	loc_4B0BE9
; 

loc_4B0C95:				; CODE XREF: MiLockPageTableInternal+5Fj
		test	esi, esi
		jz	short loc_4B0CA4

loc_4B0C99:				; CODE XREF: MiLockPageTableInternal+170j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4B0CA4:				; CODE XREF: MiLockPageTableInternal+F7j
		test	al, 2
		jz	short loc_4B0CE3
		mov	esi, [ebp+var_4]
		jmp	short loc_4B0CB0
; 
		align 10h

loc_4B0CB0:				; CODE XREF: MiLockPageTableInternal+10Bj
					; MiLockPageTableInternal+12Fj
		mov	eax, [ebp+var_8]
		inc	eax
		mov	[ebp+var_8], eax
		test	ds:_HvlLongSpinCountMask, eax
		jz	loc_5C1BFD

loc_4B0CC3:				; CODE XREF: MiLockPageTableInternal+111064j
		pause

loc_4B0CC5:				; CODE XREF: MiLockPageTableInternal+111070j
		mov	ebx, [esi]
		mov	ecx, edi
		mov	eax, ebx
		shr	eax, cl
		test	al, 1
		jnz	short loc_4B0CB0
		mov	esi, [ebp+arg_0]

loc_4B0CD4:				; CODE XREF: MiLockPageTableInternal+174j
		mov	edx, [ebp+var_4]
		mov	[ebp+var_C], 0
		jmp	loc_4B0BF7
; 

loc_4B0CE3:				; CODE XREF: MiLockPageTableInternal+106j
		mov	ecx, edi
		mov	eax, 2
		shl	eax, cl
		or	eax, ebx
		mov	[ebp+var_C], eax
		mov	ecx, eax
		mov	eax, ebx
		lock cmpxchg [edx], ecx
		cmp	eax, ebx
		jnz	short loc_4B0D16
		mov	ebx, [ebp+var_C]
		mov	[ebp+var_C], 0
		jmp	loc_4B0BF7
; 

loc_4B0D0C:				; CODE XREF: MiLockPageTableInternal+80j
		cmp	[ebp+var_C], 0
		jnz	short loc_4B0C99
		mov	ebx, eax
		jmp	short loc_4B0CD4
; 

loc_4B0D16:				; CODE XREF: MiLockPageTableInternal+15Bj
		mov	ebx, eax
		mov	[ebp+var_C], 0
		jmp	loc_4B0BF7
MiLockPageTableInternal	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiEmptyDeferredWorkingSetEntries(x)
_MiEmptyDeferredWorkingSetEntries@4 proc near ;	CODE XREF: MmAccessFault+42Ep
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+E8Cp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi+0Ch]
		movzx	eax, word ptr [esi+4]
		mov	ecx, [esi]
		shl	edx, 6
		add	edx, eax
		movzx	eax, byte ptr [esi+9]
		shr	eax, 3
		shl	edx, 0Ch
		and	eax, 2
		cmp	edx, 0C0000000h
		jnb	short loc_4B0D6E

loc_4B0D58:				; CODE XREF: MiEmptyDeferredWorkingSetEntries(x)+44j
					; MiEmptyDeferredWorkingSetEntries(x)+4Cj
		or	eax, 4

loc_4B0D5B:				; CODE XREF: MiEmptyDeferredWorkingSetEntries(x)+4Aj
		push	eax
		movzx	eax, word ptr [esi+6]
		push	eax
		call	MiAddWorkingSetEntries
		xor	eax, eax
		mov	[esi+6], ax
		pop	esi
		retn
; 

loc_4B0D6E:				; CODE XREF: MiEmptyDeferredWorkingSetEntries(x)+26j
		cmp	edx, 0C07FFFFFh
		ja	short loc_4B0D58
		test	byte ptr [ecx+60h], 7
		jnz	short loc_4B0D5B
		jmp	short loc_4B0D58
_MiEmptyDeferredWorkingSetEntries@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockNestedPageTableWritePte	proc near ; CODE XREF: .text:00459E16p
					; .text:00474FEFp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C1C15 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, edx
		stosd
		mov	ebx, ecx
		stosd
		stosd
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		cmp	eax, (offset loc_603014+4)
		jz	short loc_4B0DE9
		cmp	eax, (offset loc_60300E+2)
		jz	short loc_4B0DDD

loc_4B0DAF:				; CODE XREF: MiUnlockNestedPageTableWritePte+67j
		xor	edi, edi

loc_4B0DB1:				; CODE XREF: MiUnlockNestedPageTableWritePte+72j
					; MiUnlockNestedPageTableWritePte+81j
		mov	ecx, [ebp+arg_4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	short loc_4B0E3B
		mov	[esi], ecx
		nop

loc_4B0DC1:				; CODE XREF: MiUnlockNestedPageTableWritePte+BEj
		mov	eax, [ebp+arg_8]
		mov	[esi+4], eax
		test	edi, edi
		jnz	short loc_4B0E03

loc_4B0DCB:				; CODE XREF: MiUnlockNestedPageTableWritePte+87j
					; MiUnlockNestedPageTableWritePte+B9j
		mov	edx, esi
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B0DDD:				; CODE XREF: MiUnlockNestedPageTableWritePte+2Dj
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_4B0DAF

loc_4B0DE9:				; CODE XREF: MiUnlockNestedPageTableWritePte+26j
		cmp	[ebp+arg_0], 0
		mov	edi, 1
		jnz	short loc_4B0DB1
		lea	edx, [ebp+var_C]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		jmp	short loc_4B0DB1
; 

loc_4B0E03:				; CODE XREF: MiUnlockNestedPageTableWritePte+49j
		cmp	[ebp+arg_0], 0
		jnz	short loc_4B0DCB
		test	ds:byte_70EFC6,	1
		jnz	loc_5C1C15
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_4B0E48
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_4B0E40

loc_4B0E30:				; CODE XREF: MiUnlockNestedPageTableWritePte+DAj
					; MiUnlockNestedPageTableWritePte+110EA0j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4B0DCB
; 

loc_4B0E3B:				; CODE XREF: MiUnlockNestedPageTableWritePte+3Cj
		nop
		mov	[esi], ecx
		jmp	short loc_4B0DC1
; 

loc_4B0E40:				; CODE XREF: MiUnlockNestedPageTableWritePte+AEj
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_4B0E48:				; CODE XREF: MiUnlockNestedPageTableWritePte+9Bj
		mov	[ebp+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4B0E30
MiUnlockNestedPageTableWritePte	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnLogPageFaultCommon proc near	; CODE XREF: MiCompleteRestrictedImageFault(x,x,x,x)+1A4p
					; MiMakeSystemCacheRangeValid(x,x,x,x)+6BAp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C1C25 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_4], 0
		call	PfSnGetFileInformation
		test	byte ptr [esi+150h], 1
		lea	ecx, [esi+150h]
		jnz	short loc_4B0E99
		mov	eax, [esi+100h]
		cmp	byte ptr [eax+2A2h], 2
		jz	loc_4B0F4C

loc_4B0E99:				; CODE XREF: PfSnLogPageFaultCommon+24j
					; PfSnLogPageFaultCommon+F5j
		mov	eax, [ebp+arg_8]
		mov	edi, [ebp+arg_4]
		cmp	eax, 40h
		jb	short loc_4B0EB2
		ja	loc_4B0F5A
		test	edi, edi
		jnb	loc_4B0F5A

loc_4B0EB2:				; CODE XREF: PfSnLogPageFaultCommon+42j
		shrd	edi, eax, 9
		mov	eax, [ebp+arg_C]
		test	al, 1
		jnz	loc_5C1C25
		test	al, 2
		jnz	short loc_4B0F42
		xor	ebx, ebx

loc_4B0EC7:				; CODE XREF: PfSnLogPageFaultCommon+E7j
					; PfSnLogPageFaultCommon+110DCAj
		mov	ecx, esi
		call	_PfSnCheckLogSequenceNumber@4 ;	PfSnCheckLogSequenceNumber(x)
		test	ebx, ebx
		jnz	short loc_4B0EE6
		mov	eax, [esi+120h]
		mov	ecx, eax
		mov	[ebp+var_4], eax
		mov	eax, [ecx]
		shr	eax, 3
		cmp	eax, edi
		jz	short loc_4B0F38

loc_4B0EE6:				; CODE XREF: PfSnLogPageFaultCommon+70j
					; PfSnLogPageFaultCommon+E0j
		lea	eax, [ebp+var_4]
		mov	edx, 1
		push	eax
		mov	ecx, esi
		call	PfSnTraceGetLogEntry
		test	eax, eax
		js	short loc_4B0F2F
		mov	edx, [ebp+var_4]
		lea	eax, ds:0[edi*8]
		mov	ecx, [edx]
		and	ecx, 7
		or	ecx, eax
		mov	eax, [ebp+arg_0]
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	eax, [edx]
		and	eax, 0FFFFFFF8h
		or	eax, ebx
		mov	[edx], eax
		lock inc dword ptr [esi+0F0h]
		test	ebx, ebx
		jnz	short loc_4B0F2D
		mov	[esi+120h], edx

loc_4B0F2D:				; CODE XREF: PfSnLogPageFaultCommon+C5j
					; PfSnLogPageFaultCommon+DEj
		xor	eax, eax

loc_4B0F2F:				; CODE XREF: PfSnLogPageFaultCommon+98j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4B0F38:				; CODE XREF: PfSnLogPageFaultCommon+84j
		mov	eax, [ebp+arg_0]
		cmp	[ecx+4], eax
		jz	short loc_4B0F2D
		jmp	short loc_4B0EE6
; 

loc_4B0F42:				; CODE XREF: PfSnLogPageFaultCommon+63j
		mov	ebx, 3
		jmp	loc_4B0EC7
; 

loc_4B0F4C:				; CODE XREF: PfSnLogPageFaultCommon+33j
		mov	eax, 1
		lock or	[ecx], ax
		jmp	loc_4B0E99
; 

loc_4B0F5A:				; CODE XREF: PfSnLogPageFaultCommon+44j
					; PfSnLogPageFaultCommon+4Cj
		pop	edi
		pop	esi
		mov	eax, 0C0000904h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
PfSnLogPageFaultCommon endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnGetFileInformation proc near	; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+4DDp
					; PfSnLogPageFaultCommon+12p

var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C1C2F SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, edx
		mov	[ebp+var_1], 0
		push	ebx
		push	esi
		mov	[ebp+var_C], eax
		mov	ebx, ecx
		mov	esi, [eax+0Ch]
		mov	eax, [eax+4]
		push	edi
		mov	[ebp+var_10], 0
		test	byte ptr [eax+20h], 10h
		jnz	loc_4B1276
		lea	eax, [ebx+154h]
		lea	edi, [ebx+164h]
		cmp	eax, edi
		jnb	short loc_4B0FBB
		lea	ecx, [ecx+0]

loc_4B0FB0:				; CODE XREF: PfSnGetFileInformation+49j
		cmp	[eax], esi
		jz	short loc_4B1013
		add	eax, 4
		cmp	eax, edi
		jb	short loc_4B0FB0

loc_4B0FBB:				; CODE XREF: PfSnGetFileInformation+3Bj
		lea	eax, [ebx+180h]
		push	eax
		mov	[ebp+var_14], eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	ecx, [edi+4]
		mov	[ebp+var_2], al
		mov	eax, [edi]
		test	cl, 1
		jz	short loc_4B101E
		test	eax, eax
		jnz	short loc_4B101C
		jmp	short loc_4B101E
; 

loc_4B0FDD:				; CODE XREF: PfSnGetFileInformation+C5j
					; PfSnGetFileInformation+E2j
		mov	[ebp+var_8], eax

loc_4B0FE0:				; CODE XREF: PfSnGetFileInformation+B9j
		lea	eax, [ebx+180h]
		push	eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_8], 0
		jz	short loc_4B105C
		inc	byte ptr [ebx+184h]
		nop
		movzx	eax, byte ptr [ebx+184h]
		and	eax, 3
		mov	[ebx+eax*4+154h], esi

loc_4B1013:				; CODE XREF: PfSnGetFileInformation+42j
					; PfSnGetFileInformation+2E2j ...
		xor	eax, eax

loc_4B1015:				; CODE XREF: PfSnGetFileInformation+110CD8j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B101C:				; CODE XREF: PfSnGetFileInformation+69j
		xor	eax, edi

loc_4B101E:				; CODE XREF: PfSnGetFileInformation+65j
					; PfSnGetFileInformation+6Bj
		movzx	edx, cl
		and	edx, 1
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_4B0FE0
		jmp	short loc_4B1030
; 
		align 10h

loc_4B1030:				; CODE XREF: PfSnGetFileInformation+BBj
					; PfSnGetFileInformation+E0j
		cmp	[eax+0Ch], esi
		ja	short loc_4B1046
		jnb	short loc_4B0FDD
		mov	ecx, [eax+4]
		test	edx, edx
		jz	short loc_4B104C
		test	ecx, ecx
		jz	short loc_4B104C
		xor	eax, ecx
		jmp	short loc_4B104E
; 

loc_4B1046:				; CODE XREF: PfSnGetFileInformation+C3j
		mov	ecx, [eax]
		test	edx, edx
		jnz	short loc_4B1054

loc_4B104C:				; CODE XREF: PfSnGetFileInformation+CCj
					; PfSnGetFileInformation+D0j ...
		mov	eax, ecx

loc_4B104E:				; CODE XREF: PfSnGetFileInformation+D4j
					; PfSnGetFileInformation+EAj
		test	eax, eax
		jnz	short loc_4B1030
		jmp	short loc_4B0FDD
; 

loc_4B1054:				; CODE XREF: PfSnGetFileInformation+DAj
		test	ecx, ecx
		jz	short loc_4B104C
		xor	eax, ecx
		jmp	short loc_4B104E
; 

loc_4B105C:				; CODE XREF: PfSnGetFileInformation+89j
		push	6E506343h
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	loc_5C1C2F
		mov	edi, edx
		xor	eax, eax
		mov	ecx, 6
		mov	edx, 746C6644h
		rep stosd
		mov	edi, [ebp+var_C]
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_8]
		mov	[eax+14h], edi
		mov	[eax+0Ch], esi
		lea	eax, [ebx+180h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebx+168h]
		lea	edi, [ebx+164h]
		mov	[ebp+var_2], al
		mov	eax, [edi]
		test	cl, 1
		jnz	loc_4B11D3

loc_4B10C3:				; CODE XREF: PfSnGetFileInformation+26Dj
					; PfSnGetFileInformation+2FAj
		movzx	edx, cl
		and	edx, 1
		test	eax, eax
		jz	short loc_4B111A
		lea	ecx, [ecx+0]

loc_4B10D0:				; CODE XREF: PfSnGetFileInformation+1A8j
		cmp	[eax+0Ch], esi
		ja	short loc_4B110A
		jb	loc_4B11AA
		xor	esi, esi

loc_4B10DD:				; CODE XREF: PfSnGetFileInformation+110CE2j
		push	[ebp+var_14]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+var_8]
		mov	ecx, [ebx+14h]
		call	ObfDereferenceObject
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B110A:				; CODE XREF: PfSnGetFileInformation+163j
		mov	ecx, [eax]
		test	edx, edx
		jnz	loc_4B11C4

loc_4B1114:				; CODE XREF: PfSnGetFileInformation+23Fj
					; PfSnGetFileInformation+247j ...
		mov	eax, ecx

loc_4B1116:				; CODE XREF: PfSnGetFileInformation+24Fj
					; PfSnGetFileInformation+25Ej
		test	eax, eax
		jnz	short loc_4B10D0

loc_4B111A:				; CODE XREF: PfSnGetFileInformation+15Bj
		cmp	dword ptr [ebx+17Ch], 0
		jnz	short loc_4B115A
		lea	ecx, [ebx+104h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	[ebp+var_1], al
		test	al, al
		jz	loc_5C1C4D
		mov	[ebp+var_10], 1
		mov	dword ptr [ebx+178h], offset _PfSnNameQueryWorker@4 ; PfSnNameQueryWorker(x)
		mov	[ebx+17Ch], ebx
		mov	dword ptr [ebx+170h], 0

loc_4B115A:				; CODE XREF: PfSnGetFileInformation+1B1j
		mov	ecx, [ebp+var_8]
		mov	eax, [ebx+16Ch]
		add	ecx, 10h
		mov	[ecx], eax
		mov	[ebx+16Ch], ecx
		mov	eax, [edi+4]
		mov	ecx, [edi]
		test	al, 1
		jnz	loc_4B125D

loc_4B117B:				; CODE XREF: PfSnGetFileInformation+2F3j
					; PfSnGetFileInformation+301j
		movzx	edx, al
		and	edx, 1
		mov	byte ptr [ebp+var_C], 0
		test	ecx, ecx
		jz	short loc_4B11FC
		lea	esp, [esp+0]

loc_4B1190:				; CODE XREF: PfSnGetFileInformation+238j
		cmp	[ecx+0Ch], esi
		ja	short loc_4B11E2
		mov	eax, [ecx+4]
		test	edx, edx
		jz	short loc_4B11A2
		test	eax, eax
		jz	short loc_4B11F8
		xor	eax, ecx

loc_4B11A2:				; CODE XREF: PfSnGetFileInformation+22Aj
		test	eax, eax
		jz	short loc_4B11F8

loc_4B11A6:				; CODE XREF: PfSnGetFileInformation+280j
		mov	ecx, eax
		jmp	short loc_4B1190
; 

loc_4B11AA:				; CODE XREF: PfSnGetFileInformation+165j
		mov	ecx, [eax+4]
		test	edx, edx
		jz	loc_4B1114
		test	ecx, ecx
		jz	loc_4B1114
		xor	eax, ecx
		jmp	loc_4B1116
; 

loc_4B11C4:				; CODE XREF: PfSnGetFileInformation+19Ej
		test	ecx, ecx
		jz	loc_4B1114
		xor	eax, ecx
		jmp	loc_4B1116
; 

loc_4B11D3:				; CODE XREF: PfSnGetFileInformation+14Dj
		test	eax, eax
		jz	loc_4B1268
		xor	eax, edi
		jmp	loc_4B10C3
; 

loc_4B11E2:				; CODE XREF: PfSnGetFileInformation+223j
		mov	eax, [ecx]
		test	edx, edx
		jz	short loc_4B11EE
		test	eax, eax
		jz	short loc_4B11F2
		xor	eax, ecx

loc_4B11EE:				; CODE XREF: PfSnGetFileInformation+276j
		test	eax, eax
		jnz	short loc_4B11A6

loc_4B11F2:				; CODE XREF: PfSnGetFileInformation+27Aj
		mov	byte ptr [ebp+var_C], 0
		jmp	short loc_4B11FC
; 

loc_4B11F8:				; CODE XREF: PfSnGetFileInformation+22Ej
					; PfSnGetFileInformation+234j
		mov	byte ptr [ebp+var_C], 1

loc_4B11FC:				; CODE XREF: PfSnGetFileInformation+217j
					; PfSnGetFileInformation+286j
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	ecx
		push	edi
		call	RtlRbInsertNodeEx
		lea	eax, [ebx+180h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_10], 0
		jz	short loc_4B1236
		push	1
		lea	eax, [ebx+170h]
		mov	[ebp+var_1], 0
		push	eax
		call	ExQueueWorkItem

loc_4B1236:				; CODE XREF: PfSnGetFileInformation+2B2j
		inc	byte ptr [ebx+184h]
		nop
		movzx	eax, byte ptr [ebx+184h]
		and	eax, 3
		cmp	[ebp+var_1], 0
		mov	[ebx+eax*4+154h], esi
		jz	loc_4B1013
		jmp	loc_5C1C57
; 

loc_4B125D:				; CODE XREF: PfSnGetFileInformation+205j
		test	ecx, ecx
		jz	short loc_4B126F
		xor	ecx, edi
		jmp	loc_4B117B
; 

loc_4B1268:				; CODE XREF: PfSnGetFileInformation+265j
		xor	eax, eax
		jmp	loc_4B10C3
; 

loc_4B126F:				; CODE XREF: PfSnGetFileInformation+2EFj
		xor	ecx, ecx
		jmp	loc_4B117B
; 

loc_4B1276:				; CODE XREF: PfSnGetFileInformation+27j
		pop	edi
		pop	esi
		mov	eax, 0C00000BBh
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
PfSnGetFileInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnCheckLogSequenceNumber(x)
_PfSnCheckLogSequenceNumber@4 proc near	; CODE XREF: PfSnLogPageFaultCommon+69p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, dword_6FB628
		mov	esi, ecx
		nop
		cmp	edi, [esi+11Ch]
		jnz	short loc_4B12A9
		mov	eax, 40190034h

loc_4B12A5:				; CODE XREF: PfSnCheckLogSequenceNumber(x)+35j
					; PfSnCheckLogSequenceNumber(x)+5Bj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4B12A9:				; CODE XREF: PfSnCheckLogSequenceNumber(x)+1Cj
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		inc	edx
		call	PfSnTraceGetLogEntry
		test	eax, eax
		js	short loc_4B12A5
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx]
		and	eax, 0FFFFFFFAh
		or	eax, 2
		mov	[ecx], eax
		lea	eax, [esi+124h]
		mov	[ecx+4], edi
		mov	[esi+11Ch], edi
		mov	[esi+120h], eax
		xor	eax, eax
		jmp	short loc_4B12A5
_PfSnCheckLogSequenceNumber@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnTraceGetLogEntry proc near		; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+54Ap
					; PfSnLogPageFaultCommon+91p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C1C67 SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	eax, esi
		lea	ecx, [edi+0FCh]
		mov	[ebp+var_10], ecx
		lock xadd [ecx], eax
		add	eax, esi
		cmp	eax, [edi+0F8h]
		jg	loc_4B13D4
		mov	ecx, [edi+50h]
		mov	eax, esi
		mov	[ebp+var_8], ecx
		lea	edx, [ecx+8]
		lock xadd [edx], eax
		add	eax, esi
		test	eax, eax
		jle	loc_5C1C9A
		xor	ebx, ebx

loc_4B1327:				; CODE XREF: PfSnTraceGetLogEntry+E9j
		cmp	eax, [ecx+0Ch]
		jg	short loc_4B1342
		sub	eax, esi
		lea	ecx, [ecx+eax*8]
		mov	eax, [ebp+arg_0]
		add	ecx, 10h
		mov	[eax], ecx

loc_4B1339:				; CODE XREF: PfSnTraceGetLogEntry+120j
					; PfSnTraceGetLogEntry+1109B5j	...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_4B1342:				; CODE XREF: PfSnTraceGetLogEntry+4Aj
		mov	eax, esi
		neg	eax
		lock xadd [edx], eax
		call	_PfSnTraceBufferAllocate@0 ; PfSnTraceBufferAllocate()
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_5C1C87
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+60h]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_8]
		cmp	[edi+50h], eax
		jnz	loc_4B1405
		lea	ecx, [edi+54h]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_4B142E
		mov	eax, [ebp+var_C]
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		inc	dword ptr [edi+5Ch]
		mov	[edi+50h], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5C1C77
		xor	ecx, ecx
		lea	eax, [edi+60h]
		lock and [eax],	ecx

loc_4B13AD:				; CODE XREF: PfSnTraceGetLogEntry+1109A2j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4B13B6:				; CODE XREF: PfSnTraceGetLogEntry+14Cj
		mov	ecx, [edi+50h]
		mov	eax, esi
		mov	[ebp+var_8], ecx
		lea	edx, [ecx+8]
		lock xadd [edx], eax
		add	eax, esi
		test	eax, eax
		jg	loc_4B1327
		jmp	loc_5C1C9A
; 

loc_4B13D4:				; CODE XREF: PfSnTraceGetLogEntry+26j
		neg	esi
		lock xadd [ecx], esi
		push	3
		pop	edx
		lea	ecx, [edi+118h]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	short loc_4B13FB
		push	1
		lea	eax, [edi+108h]
		push	eax
		call	ExQueueWorkItem

loc_4B13FB:				; CODE XREF: PfSnTraceGetLogEntry+10Bj
		mov	ebx, 0C0000189h
		jmp	loc_4B1339
; 

loc_4B1405:				; CODE XREF: PfSnTraceGetLogEntry+91j
		test	ds:byte_70EFC6,	1
		jnz	loc_5C1C67
		xor	ecx, ecx
		lea	eax, [edi+60h]
		lock and [eax],	ecx

loc_4B141A:				; CODE XREF: PfSnTraceGetLogEntry+110992j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ebx
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4B13B6
; 

loc_4B142E:				; CODE XREF: PfSnTraceGetLogEntry+9Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall MiGetSessionVm()
_MiGetSessionVm@0:			; CODE XREF: MiReturnSystemVa(x,x,x,x):loc_4326ECp
					; MiCopyOnWrite(x,x,x,x):loc_44FDBBp ...
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		test	eax, eax
		jz	short loc_4B1450
		add	eax, 0C0h
		retn
; 

loc_4B1450:				; CODE XREF: PfSnTraceGetLogEntry+168j
		xor	eax, eax
		retn
PfSnTraceGetLogEntry endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIsPoolPteInUse(x,	x)
_MiIsPoolPteInUse@8 proc near		; CODE XREF: MiEvictPageTableLock+BFp
					; MiLinkPoolCommitChain+15E22Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	eax, ecx
		and	eax, 1
		or	eax, edx
		jnz	short loc_4B148B
		mov	eax, ecx
		and	eax, 400h
		or	eax, edx
		jnz	short loc_4B148B
		mov	eax, ecx
		and	eax, 800h
		or	eax, edx
		jnz	short loc_4B148B
		and	ecx, 3E0h
		or	ecx, edx
		jnz	short loc_4B148B

loc_4B1487:				; CODE XREF: MiIsPoolPteInUse(x,x)+3Aj
		pop	ebp
		retn	8
; 

loc_4B148B:				; CODE XREF: MiIsPoolPteInUse(x,x)+11j
					; MiIsPoolPteInUse(x,x)+1Cj ...
		xor	eax, eax
		inc	eax
		jmp	short loc_4B1487
_MiIsPoolPteInUse@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSystemImageHasPrivateFixups(x, x,	x)
_MiSystemImageHasPrivateFixups@12 proc near
					; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+BDAp

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		cmp	dword_6CF540, offset dword_6CF540
		mov	eax, edx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		mov	ecx, [ebp+arg_0]
		mov	dword ptr [eax], 0
		mov	dword ptr [ecx], 0
		jz	short loc_4B1532
		cmp	ebx, dword_6D07D0
		jb	loc_4B156D
		mov	eax, ebx
		shr	eax, 15h
		movzx	eax, byte ptr dword_6D3994[eax]
		cmp	eax, 0Ch
		jnz	short loc_4B1528

loc_4B14D8:				; CODE XREF: MiSystemImageHasPrivateFixups(x,x,x)+9Bj
					; MiSystemImageHasPrivateFixups(x,x,x)+A0j
		push	esi
		push	offset unk_6CF554
		xor	esi, esi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	[ebp+var_1], al
		mov	eax, dword_6CF540
		cmp	eax, offset dword_6CF540
		jz	short loc_4B150B
		push	edi

loc_4B14F5:				; CODE XREF: MiSystemImageHasPrivateFixups(x,x,x)+78j
		mov	edi, [eax+8]
		cmp	ebx, edi
		jb	short loc_4B1501
		cmp	ebx, [eax+0Ch]
		jbe	short loc_4B1536

loc_4B1501:				; CODE XREF: MiSystemImageHasPrivateFixups(x,x,x)+6Aj
		mov	eax, [eax]
		cmp	eax, offset dword_6CF540
		jnz	short loc_4B14F5

loc_4B150A:				; CODE XREF: MiSystemImageHasPrivateFixups(x,x,x)+C7j
					; MiSystemImageHasPrivateFixups(x,x,x)+DBj
		pop	edi

loc_4B150B:				; CODE XREF: MiSystemImageHasPrivateFixups(x,x,x)+62j
		push	offset unk_6CF554
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		pop	esi

loc_4B1521:				; CODE XREF: MiSystemImageHasPrivateFixups(x,x,x)+A4j
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4B1528:				; CODE XREF: MiSystemImageHasPrivateFixups(x,x,x)+46j
					; MiSystemImageHasPrivateFixups(x,x,x)+DFj
		cmp	eax, 0Bh
		jz	short loc_4B14D8
		cmp	eax, 1
		jz	short loc_4B14D8

loc_4B1532:				; CODE XREF: MiSystemImageHasPrivateFixups(x,x,x)+29j
		xor	eax, eax
		jmp	short loc_4B1521
; 

loc_4B1536:				; CODE XREF: MiSystemImageHasPrivateFixups(x,x,x)+6Fj
		mov	ecx, [eax+14h]
		sub	ebx, edi
		shr	ebx, 0Ch
		mov	esi, ebx
		shr	esi, 3
		mov	edx, [ecx+4]
		mov	cl, bl
		and	cl, 7
		mov	dl, [esi+edx]
		sar	dl, cl
		test	dl, 1
		jnz	short loc_4B1559
		xor	esi, esi
		jmp	short loc_4B150A
; 

loc_4B1559:				; CODE XREF: MiSystemImageHasPrivateFixups(x,x,x)+C3j
		mov	ecx, [ebp+arg_0]
		mov	esi, edi
		sub	esi, [eax+10h]
		mov	[ecx], ebx
		mov	ecx, [eax+18h]
		mov	eax, [ebp+var_8]
		mov	[eax], ecx
		jmp	short loc_4B150A
; 

loc_4B156D:				; CODE XREF: MiSystemImageHasPrivateFixups(x,x,x)+31j
		xor	eax, eax
		jmp	short loc_4B1528
_MiSystemImageHasPrivateFixups@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 428. ExReleaseSpinLockSharedFromDpcLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExReleaseSpinLockSharedFromDpcLevel
ExReleaseSpinLockSharedFromDpcLevel proc near
					; CODE XREF: IopReferenceIoAttributionFromProcess+55p
					; ExReferenceCallBackBlock+B3p	...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C1CAD SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	ds:byte_70EFC6,	1
		jnz	loc_5C1CAD
		mov	eax, [ebp+arg_0]
		mov	ecx, 0BFFFFFFFh
		lock and [eax],	ecx
		lock dec dword ptr [eax]

loc_4B1597:				; CODE XREF: ExReleaseSpinLockSharedFromDpcLevel+110742j
		pop	ecx
		pop	ebp
		retn	4
ExReleaseSpinLockSharedFromDpcLevel endp

; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 314. ExAcquireSpinLockShared

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExAcquireSpinLockShared(x)
		public _ExAcquireSpinLockShared@4
_ExAcquireSpinLockShared@4 proc	near	; CODE XREF: IopReferenceIoAttributionFromProcess+28p
					; ExReferenceCallBackBlock+94p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		mov	ecx, [ebp+arg_0]
		jnz	short loc_4B15F3
		push	esi
		mov	esi, [ecx]
		and	esi, 7FFFFFFFh
		mov	eax, esi
		lea	edx, [esi+1]
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		pop	esi
		jnz	short loc_4B15EA

loc_4B15E3:				; CODE XREF: ExAcquireSpinLockShared(x)+41j
					; ExAcquireSpinLockShared(x)+4Aj
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4B15EA:				; CODE XREF: ExAcquireSpinLockShared(x)+31j
		mov	dl, bl
		call	ExpWaitForSpinLockSharedAndAcquire
		jmp	short loc_4B15E3
; 

loc_4B15F3:				; CODE XREF: ExAcquireSpinLockShared(x)+1Aj
		mov	dl, bl
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	short loc_4B15E3
_ExAcquireSpinLockShared@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ExpTryAcquireSpinLockShared(x)
_ExpTryAcquireSpinLockShared@4 proc near
					; CODE XREF: ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)+4Bp
					; ExpTryAcquireSpinLockSharedAtDpcLevelInstrumented(x):loc_689C1Dp ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		and	esi, 7FFFFFFFh
		mov	eax, esi
		lea	edx, [esi+1]
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		pop	esi
		jnz	short loc_4B161C
		mov	al, 1
		retn
; 

loc_4B161C:				; CODE XREF: ExpTryAcquireSpinLockShared(x)+17j
		xor	al, al
		retn
_ExpTryAcquireSpinLockShared@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoSetDiskIoAttributionFromThread proc near ; CODE XREF:	IoPageReadEx+158p
					; IoAsynchronousPageWrite+C0p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C1CBD SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	eax, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], eax
		mov	ebx, [esi+36Ch]
		test	ebx, ebx
		jnz	short loc_4B167E

loc_4B163E:				; CODE XREF: IoSetDiskIoAttributionFromThread+6Dj
		cmp	esi, large fs:124h
		jnz	short loc_4B1655
		mov	edx, [esi+80h]
		cmp	edx, [esi+150h]
		jnz	short loc_4B1697

loc_4B1655:				; CODE XREF: IoSetDiskIoAttributionFromThread+25j
					; IoSetDiskIoAttributionFromThread+80j
		mov	esi, [esi+150h]

loc_4B165B:				; CODE XREF: IoSetDiskIoAttributionFromThread+75j
		cmp	dword ptr [esi+430h], 0
		jnz	short loc_4B16A6
		mov	esi, 0C0000225h

loc_4B1669:				; CODE XREF: IoSetDiskIoAttributionFromThread+DFj
					; IoSetDiskIoAttributionFromThread+1106E5j
		test	esi, esi
		jns	short loc_4B16A2

loc_4B166D:				; CODE XREF: IoSetDiskIoAttributionFromThread+84j
					; IoSetDiskIoAttributionFromThread+D7j
		test	edi, edi
		jnz	loc_5C1D0A

loc_4B1675:				; CODE XREF: IoSetDiskIoAttributionFromThread+1106F5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B167E:				; CODE XREF: IoSetDiskIoAttributionFromThread+1Cj
		cmp	esi, large fs:124h
		jnz	loc_5C1CBD

loc_4B168B:				; CODE XREF: IoSetDiskIoAttributionFromThread+1106DBj
		test	ebx, ebx
		jz	short loc_4B163E
		mov	esi, [ebx+150h]
		jmp	short loc_4B165B
; 

loc_4B1697:				; CODE XREF: IoSetDiskIoAttributionFromThread+33j
		mov	ecx, eax
		call	IopSetDiskIoAttributionFromProcess
		test	eax, eax
		js	short loc_4B1655

loc_4B16A2:				; CODE XREF: IoSetDiskIoAttributionFromThread+4Bj
		xor	esi, esi
		jmp	short loc_4B166D
; 

loc_4B16A6:				; CODE XREF: IoSetDiskIoAttributionFromThread+42j
		push	offset _IopDiskIoAttributionLock
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	[ebp+var_1], al
		mov	eax, [esi+430h]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_4B1704
		mov	esi, [eax+0Ch]

loc_4B16C3:				; CODE XREF: IoSetDiskIoAttributionFromThread+E6j
		push	offset _IopDiskIoAttributionLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_C], 0
		jz	loc_5C1D00
		mov	eax, large fs:124h
		mov	edx, esi
		mov	ecx, [ebp+var_8]
		push	0
		push	eax
		call	IopSetDiskIoAttributionExtension
		mov	esi, eax
		test	esi, esi
		js	loc_4B166D
		xor	esi, esi
		jmp	loc_4B1669
; 

loc_4B1704:				; CODE XREF: IoSetDiskIoAttributionFromThread+9Ej
		xor	esi, esi
		jmp	short loc_4B16C3
IoSetDiskIoAttributionFromThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeMdlBatchPages(x)
_MiInitializeMdlBatchPages@4 proc near	; CODE XREF: MiAllocatePagesForMdl+CBp
					; MiReturnMdlExcess(x)+89p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ecx
		mov	[ebp+var_18], eax
		push	ebx
		push	esi
		mov	eax, [eax+24h]
		push	edi
		mov	ecx, [eax+14h]
		add	eax, 1Ch
		mov	esi, eax
		shr	ecx, 0Ch
		mov	[ebp+var_10], eax
		xor	eax, eax
		mov	[ebp+var_1C], ecx
		mov	edi, eax
		mov	[ebp+var_C], esi
		mov	ebx, eax
		mov	[ebp+var_8], esi
		test	ecx, ecx
		jz	short loc_4B178C
		mov	[ebp+var_14], ecx

loc_4B173F:				; CODE XREF: MiInitializeMdlBatchPages(x)+73j
		mov	ecx, [esi]
		call	MiSearchNumaNodeTable
		mov	esi, [eax+4]
		test	ebx, ebx
		jz	short loc_4B1763
		cmp	esi, edi
		jnz	short loc_4B1757
		mov	eax, [ebp+var_8]
		inc	ebx
		jmp	short loc_4B176E
; 

loc_4B1757:				; CODE XREF: MiInitializeMdlBatchPages(x)+47j
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_18]
		push	ebx
		call	MiInitializeMdlOneNodeBatchPages

loc_4B1763:				; CODE XREF: MiInitializeMdlBatchPages(x)+43j
		mov	eax, [ebp+var_C]
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_8], eax
		mov	edi, esi

loc_4B176E:				; CODE XREF: MiInitializeMdlBatchPages(x)+4Dj
		mov	esi, [ebp+var_C]
		add	esi, 4
		sub	[ebp+var_14], 1
		mov	[ebp+var_C], esi
		jnz	short loc_4B173F
		test	ebx, ebx
		jz	short loc_4B178C
		mov	ecx, [ebp+var_18]
		mov	edx, eax
		push	ebx
		call	MiInitializeMdlOneNodeBatchPages

loc_4B178C:				; CODE XREF: MiInitializeMdlBatchPages(x)+32j
					; MiInitializeMdlBatchPages(x)+77j
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	cl, 2
		mov	ebx, eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edi, [ebp+var_1C]
		mov	[ebp+var_1], al
		test	edi, edi
		jz	short loc_4B181F
		mov	ecx, [ebp+var_10]
		shr	ebx, 2
		and	ebx, 1FFFFFFEh
		mov	[ebp+var_1C], ebx
		xor	ebx, ebx

loc_4B17B6:				; CODE XREF: MiInitializeMdlBatchPages(x)+115j
		imul	esi, [ecx], 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageAtDpc@4 ; MiLockPageAtDpc(x)
		mov	eax, [esi]
		mov	ecx, [esi+4]
		and	eax, 0E0000001h
		or	eax, [ebp+var_1C]
		mov	dword ptr [esi+4], 0C0000000h
		mov	[esi], eax
		lea	eax, [esi+10h]
		mov	[esi+4], ecx
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		test	bl, 0Fh
		jnz	short loc_4B180E
		call	_MiShouldYieldProcessor@0 ; MiShouldYieldProcessor()
		test	eax, eax
		jz	short loc_4B180E
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		jmp	short loc_4B1811
; 

loc_4B180E:				; CODE XREF: MiInitializeMdlBatchPages(x)+E5j
					; MiInitializeMdlBatchPages(x)+EEj
		mov	al, [ebp+var_1]

loc_4B1811:				; CODE XREF: MiInitializeMdlBatchPages(x)+104j
		mov	ecx, [ebp+var_10]
		inc	ebx
		add	ecx, 4
		mov	[ebp+var_10], ecx
		cmp	ebx, edi
		jb	short loc_4B17B6

loc_4B181F:				; CODE XREF: MiInitializeMdlBatchPages(x)+9Bj
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiInitializeMdlBatchPages@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiGetWorkingSetInfoList(x, x, x, x)
_MiGetWorkingSetInfoList@16 proc near	; CODE XREF: MmQueryVirtualMemory+80Bp

var_130		= dword	ptr -130h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1C28
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 8
		push	ebx
		sub	esp, 100h
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		mov	[ebp-24h], eax
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	[ebp-104h], edx
		mov	eax, ecx
		mov	[ebp-0F4h], eax
		mov	[ebp-118h], eax
		mov	eax, [ebx+8]
		mov	[ebp-0D0h], eax
		mov	esi, [ebx+0Ch]
		mov	dword ptr [ebp-0C8h], 0
		mov	dword ptr [ebp-0C4h], 0
		mov	dword ptr [ebp-0E0h], 0
		xor	eax, eax
		mov	[ebp-80h], eax
		mov	[ebp-7Ch], eax
		mov	[ebp-78h], eax
		mov	[ebp-74h], eax
		mov	[ebp-70h], eax
		mov	[ebp-6Ch], eax
		mov	ecx, esi
		shr	ecx, 3
		mov	[ebp-0ECh], ecx
		test	ecx, ecx
		jnz	short loc_4B18EC
		mov	eax, 0C0000004h
		jmp	loc_4B2AA9
; 

loc_4B18EC:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+B0j
		test	edx, 3FFFFFFCh
		jnz	loc_4B2AA4
		mov	eax, edx
		and	eax, 3
		cmp	al, 3
		jz	loc_4B2AA4
		mov	edi, large fs:124h
		cmp	ecx, 8
		jbe	loc_4B1A51
		mov	ecx, esi
		and	ecx, 0FFFh
		neg	ecx
		sbb	ecx, ecx
		neg	ecx
		add	ecx, 8
		mov	eax, esi
		shr	eax, 0Ch
		add	ecx, eax
		shl	ecx, 2
		push	0
		push	40h
		mov	edx, 20206D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, eax
		mov	[ebp-0DCh], edx
		test	edx, edx
		jz	loc_4B1A0C
		mov	dword ptr [edx], 0
		mov	ecx, [ebp-0D0h]
		and	ecx, 0FFFh
		lea	eax, [esi+0FFFh]
		add	eax, ecx
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[edx+4], ax
		xor	eax, eax
		mov	[edx+6], ax
		mov	eax, [ebp-0D0h]
		and	eax, 0FFFFF000h
		mov	[edx+10h], eax
		mov	[edx+18h], ecx
		mov	[edx+14h], esi
		mov	dword ptr [ebp-4], 0
		mov	al, [edi+15Ah]
		mov	[ebp-0A8h], al
		push	1
		push	dword ptr [ebp-0A8h]
		push	edx
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-0DCh]
		test	byte ptr [esi+6], 5
		jz	short loc_4B19D5
		mov	ecx, [esi+0Ch]
		mov	[ebp-94h], ecx
		mov	[ebp-0D8h], ecx
		jmp	short loc_4B19F6
; 

loc_4B19D5:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+192j
		push	40000010h
		push	0
		push	0
		push	1
		push	0
		push	esi
		call	MmMapLockedPagesSpecifyCache
		mov	ecx, eax
		mov	[ebp-94h], eax
		mov	[ebp-0D8h], eax

loc_4B19F6:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+1A3j
		test	ecx, ecx
		jnz	loc_4B1A92
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4B1A0C:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+118j
		mov	eax, 0C000009Ah
		jmp	loc_4B2AA9
; 

loc_4B1A16:				; DATA XREF: .text:006A1C3Co
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-108h], eax
		mov	eax, 1
		retn
; 

loc_4B1A2C:				; DATA XREF: .text:006A1C40o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		push	0
		push	dword ptr [ebp-0DCh]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-108h]
		jmp	loc_4B2AA9
; 

loc_4B1A51:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+DFj
		mov	dword ptr [ebp-4], 1
		lea	eax, ds:0[ecx*8]
		push	eax		; size_t
		push	dword ptr [ebp-0D0h] ; void *
		lea	eax, [ebp-68h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-0DCh], 0
		lea	eax, [ebp-68h]
		mov	[ebp-94h], eax
		mov	[ebp-0D8h], eax

loc_4B1A92:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+1C8j
		mov	esi, [ebp-0F4h]
		cmp	[edi+80h], esi
		jz	short loc_4B1AB4
		lea	eax, [ebp-80h]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	eax, 1
		jmp	short loc_4B1AB6
; 

loc_4B1AB4:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+26Ej
		xor	eax, eax

loc_4B1AB6:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+282j
		mov	dword ptr [ebp-0A0h], 0
		lea	edi, [esi+240h]
		mov	[ebp-88h], edi
		mov	cl, 21h
		mov	[ebp-84h], cl
		xor	esi, esi
		mov	[ebp-9Ch], esi
		xor	edx, edx
		mov	[ebp-0CCh], edx
		mov	[ebp-0F0h], edx
		jmp	short loc_4B1AF6
; 
		align 10h

loc_4B1AF0:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+1163j
		mov	esi, [ebp-9Ch]

loc_4B1AF6:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+2BAj
		xor	edx, edx
		mov	[ebp-8Ch], edx
		mov	[ebp-0C4h], edx
		and	eax, 0FFFFFFFBh
		mov	[ebp-90h], eax
		mov	edi, [ebp-94h]
		mov	edi, [edi]
		mov	[ebp-0ACh], edi
		cmp	edi, ds:_MmHighestUserAddress
		mov	edi, [ebp-88h]
		ja	loc_4B2942
		mov	edx, [ebp-0ACh]
		shr	edx, 0Ch
		mov	[ebp-0E8h], edx
		mov	edx, [ebp-0A0h]
		test	edx, edx
		jz	loc_4B1BD4
		mov	esi, [ebp-0E8h]
		cmp	esi, [edx+0Ch]
		mov	esi, [ebp-9Ch]
		jb	short loc_4B1B6C
		mov	edi, [ebp-0E8h]
		cmp	edi, [edx+10h]
		mov	edi, [ebp-88h]
		jbe	short loc_4B1BD0

loc_4B1B6C:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+329j
		mov	eax, [ebp-0CCh]
		test	eax, eax
		jz	short loc_4B1B93
		push	dword ptr [ebp-84h]
		mov	edx, eax
		xor	ecx, ecx
		call	_MiLockProtoPage@12 ; MiLockProtoPage(x,x,x)
		xor	eax, eax
		mov	[ebp-0CCh], eax
		mov	cl, [ebp-84h]

loc_4B1B93:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+344j
		cmp	cl, 21h
		jz	short loc_4B1BC3
		test	esi, esi
		jz	short loc_4B1BB3
		mov	edx, esi
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	esi, esi
		mov	[ebp-9Ch], esi
		mov	cl, [ebp-84h]

loc_4B1BB3:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+36Aj
		mov	dl, cl
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	byte ptr [ebp-84h], 21h

loc_4B1BC3:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+366j
		mov	ecx, [ebp-0A0h]
		call	MiUnlockAndDereferenceVadShared
		jmp	short loc_4B1BD4
; 

loc_4B1BD0:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+33Aj
		test	edx, edx
		jnz	short loc_4B1C20

loc_4B1BD4:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+314j
					; MiGetWorkingSetInfoList(x,x,x,x)+39Ej
		lea	eax, [ebp-0F0h]
		push	eax
		mov	edx, 2
		mov	ecx, [ebp-0ACh]
		call	MiObtainReferencedVadEx
		mov	edx, eax
		mov	[ebp-0A0h], edx
		test	edx, edx
		jnz	short loc_4B1C1A
		mov	esi, [ebp-0F0h]
		cmp	esi, 0C000010Ah
		jz	loc_4B299B
		mov	eax, [ebp-90h]
		mov	edx, [ebp-8Ch]
		jmp	loc_4B293C
; 

loc_4B1C1A:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+3C5j
		mov	eax, [ebp-90h]

loc_4B1C20:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+3A2j
		mov	ecx, [ebp-0ACh]
		and	ecx, 0FFFFF000h
		cmp	ecx, 7FFE0000h
		jz	short loc_4B1C42
		mov	edx, dword_6D0618
		cmp	ecx, edx
		jnz	short loc_4B1C5A
		test	edx, edx
		jz	short loc_4B1C5A

loc_4B1C42:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+402j
		mov	ecx, [ebp-0F4h]
		test	byte ptr [ecx+3A8h], 1
		jnz	short loc_4B1C5A
		or	eax, 4
		mov	[ebp-90h], eax

loc_4B1C5A:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+40Cj
					; MiGetWorkingSetInfoList(x,x,x,x)+410j ...
		mov	edx, [ebp-0A0h]
		mov	edx, [edx+1Ch]
		mov	ecx, edx
		and	cl, 70h
		cmp	cl, 10h
		jnz	short loc_4B1C90
		shr	edx, 7
		and	edx, 1Fh
		mov	edx, ds:_MmProtectToValue[edx*4]
		and	edx, 7FFh
		shl	edx, 4
		or	edx, 400001h
		jmp	loc_4B293C
; 
		align 10h

loc_4B1C90:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+43Bj
					; MiGetWorkingSetInfoList(x,x,x,x)+EF6j
		and	eax, 0FFFFFFFDh
		mov	[ebp-90h], eax
		mov	[ebp-0A4h], eax
		mov	ecx, [ebp-0A0h]
		mov	edx, [ecx+1Ch]
		mov	edi, edx
		and	edi, 100000h
		jz	short loc_4B1CD2
		mov	ecx, edx
		shr	ecx, 12h
		and	ecx, 3
		test	edx, 400000h
		jnz	short loc_4B1CC7
		cmp	ecx, 2
		jb	short loc_4B1CCC

loc_4B1CC7:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+490j
		cmp	ecx, 2
		jnb	short loc_4B1CE1

loc_4B1CCC:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+495j
		mov	ecx, [ebp-0A0h]

loc_4B1CD2:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+480j
		test	edi, edi
		jnz	short loc_4B1CF0
		mov	ecx, [ecx+28h]
		test	ecx, 1000000h
		jz	short loc_4B1CF0

loc_4B1CE1:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+49Aj
		or	eax, 2
		mov	[ebp-0A4h], eax
		mov	[ebp-90h], eax

loc_4B1CF0:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+4A4j
					; MiGetWorkingSetInfoList(x,x,x,x)+4AFj
		and	eax, 2
		mov	[ebp-0D4h], eax
		jz	short loc_4B1D4C
		mov	al, [ebp-84h]
		cmp	al, 21h
		jz	short loc_4B1D36
		mov	edi, [ebp-88h]
		test	esi, esi
		jz	short loc_4B1D26
		mov	edx, esi
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	esi, esi
		mov	[ebp-9Ch], esi
		mov	al, [ebp-84h]

loc_4B1D26:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+4DDj
		mov	dl, al
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	byte ptr [ebp-84h], 21h

loc_4B1D36:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+4D3j
		mov	dword ptr [ebp-4], 2
		mov	eax, [ebp-0ACh]
		mov	al, [eax]
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_4B1D4C:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+4C9j
		mov	ecx, [ebp-0ACh]
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	[ebp-98h], ecx
		mov	dl, [ebp-84h]
		cmp	dl, 21h
		jz	loc_4B1E37
		lea	eax, [ecx+8]
		mov	edi, [ebp-88h]
		test	al, 78h
		jnz	short loc_4B1D8E
		mov	ecx, edi
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_4B1D9B

loc_4B1D8E:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+551j
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	loc_4B1E2B

loc_4B1D9B:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+55Cj
		test	esi, esi
		jz	short loc_4B1DB0
		mov	edx, esi
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	esi, esi
		mov	[ebp-9Ch], esi

loc_4B1DB0:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+56Dj
		mov	dl, [ebp-84h]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	dl, 21h
		mov	[ebp-84h], dl
		jmp	short loc_4B1E31
; 

loc_4B1DC7:				; DATA XREF: .text:006A1C54o
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-114h], eax
		mov	eax, 1
		retn
; 

loc_4B1DDD:				; DATA XREF: .text:006A1C58o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	eax, [ebp-114h]
		mov	[ebp-0F0h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-0D8h]
		mov	edx, [ebp-0C4h]
		mov	eax, [ebp-0A4h]
		mov	[ebp-90h], eax
		mov	ecx, [ebp-118h]
		mov	[ebp-0F4h], ecx
		mov	edi, [ebp-88h]
		mov	cl, [ebp-84h]
		jmp	loc_4B2948
; 

loc_4B1E2B:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+565j
		mov	dl, [ebp-84h]

loc_4B1E31:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+595j
		mov	ecx, [ebp-98h]

loc_4B1E37:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+540j
		mov	eax, ecx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		add	eax, 0C0000000h
		mov	[ebp-0A8h], eax
		lea	esp, [esp+0]

loc_4B1E50:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+7C1j
					; MiGetWorkingSetInfoList(x,x,x,x)+8A3j ...
		cmp	dl, 21h
		jnz	short loc_4B1E6E
		mov	ecx, [ebp-88h]
		call	MiLockWorkingSetShared
		mov	dl, al
		mov	[ebp-84h], dl
		mov	ecx, [ebp-98h]

loc_4B1E6E:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+623j
		or	eax, 0FFFFFFFFh
		mov	[ebp-0A4h], eax
		mov	dword ptr [ebp-0BCh], 0FFFFFFFFh
		xor	edi, edi
		mov	[ebp-8Ch], edi
		mov	[ebp-0C4h], edi
		cmp	esi, [ebp-0A8h]
		jnz	short loc_4B1EA1
		mov	edx, ecx
		mov	[ebp-0E0h], edx
		jmp	short loc_4B1ED6
; 

loc_4B1EA1:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+665j
		test	esi, esi
		jz	short loc_4B1EB2
		mov	edx, esi
		mov	ecx, [ebp-88h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4B1EB2:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+673j
		lea	eax, [ebp-0E0h]
		push	eax
		mov	edx, [ebp-98h]
		mov	ecx, [ebp-88h]
		call	MiLockLowestValidPageTable
		mov	[ebp-9Ch], eax
		mov	edx, [ebp-0E0h]

loc_4B1ED6:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+66Fj
		mov	[ebp-0B8h], edi
		mov	[ebp-0B4h], edi
		mov	ecx, [edx]
		mov	[ebp-0C0h], ecx
		nop
		mov	esi, [edx+4]
		mov	[ebp-0B0h], esi
		mov	eax, ecx
		or	eax, esi
		jnz	short loc_4B1F13
		mov	eax, [ebp-0D4h]
		test	eax, eax
		jz	loc_4B20F9
		mov	esi, [ebp-9Ch]
		jmp	loc_4B2010
; 

loc_4B1F13:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+6C8j
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_4B1FAC
		mov	eax, ecx
		and	eax, 80h
		or	eax, 0
		jz	short loc_4B1FAC
		mov	edi, ecx
		nop
		mov	eax, esi
		shrd	edi, eax, 0Ch
		and	edi, 1FFFFFFh
		mov	[ebp-0BCh], edi
		or	esi, 0FFFFFFFFh
		cmp	edx, 0C0000000h
		jb	short loc_4B1F64
		lea	ecx, [ecx+0]

loc_4B1F50:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+732j
		cmp	edx, 0C07FFFFFh
		ja	short loc_4B1F64
		shl	edx, 9
		inc	esi
		cmp	edx, 0C0000000h
		jnb	short loc_4B1F50

loc_4B1F64:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+71Bj
					; MiGetWorkingSetInfoList(x,x,x,x)+726j
		mov	edx, 1
		mov	ecx, [ebp-0ACh]
		shr	ecx, 0Ch
		test	esi, esi
		jz	short loc_4B1F8D

loc_4B1F76:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+75Bj
		mov	eax, ecx
		and	eax, 1FFh
		imul	eax, edx
		add	edi, eax
		shr	ecx, 9
		shl	edx, 9
		sub	esi, 1
		jnz	short loc_4B1F76

loc_4B1F8D:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+744j
		mov	edx, 800001h
		mov	[ebp-8Ch], edx
		mov	[ebp-0C4h], edx
		mov	esi, [ebp-9Ch]
		mov	eax, [ebp-0D4h]
		jmp	short loc_4B201C
; 

loc_4B1FAC:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+6EBj
					; MiGetWorkingSetInfoList(x,x,x,x)+6FBj
		mov	esi, [ebp-9Ch]
		cmp	esi, [ebp-0A8h]
		jz	short loc_4B200A
		push	dword ptr [ebp-84h]
		push	dword ptr [ebp-104h]
		lea	eax, [ebp-0C8h]
		push	eax
		mov	ecx, [ebp-88h]
		call	_MiWorkingSetInfoCheckPageTable@20 ; MiWorkingSetInfoCheckPageTable(x,x,x,x,x)
		cmp	eax, 1
		jnz	short loc_4B1FF6
		xor	esi, esi
		mov	[ebp-9Ch], esi
		mov	ecx, [ebp-98h]
		mov	dl, [ebp-84h]
		jmp	loc_4B1E50
; 

loc_4B1FF6:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+7ABj
		mov	edx, [ebp-0C4h]
		mov	[ebp-8Ch], edx
		mov	eax, [ebp-0D4h]
		jmp	short loc_4B2016
; 

loc_4B200A:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+788j
		mov	eax, [ebp-0D4h]

loc_4B2010:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+6DEj
		mov	edx, [ebp-8Ch]

loc_4B2016:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+7D8j
		mov	edi, [ebp-0A4h]

loc_4B201C:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+77Aj
		cmp	dword ptr [ebp-0BCh], 0FFFFFFFFh
		jnz	loc_4B25FE
		test	eax, eax
		jnz	loc_4B2720
		mov	eax, [ebp-0ACh]
		shr	eax, 12h
		and	eax, 3FF8h
		sub	eax, 3FA00000h
		cmp	esi, eax
		jnz	loc_4B2353
		mov	dword ptr [ebp-0B8h], 0
		mov	dword ptr [ebp-0B4h], 0
		mov	ecx, [ebp-98h]
		mov	edi, [ecx]
		mov	[ebp-0A4h], edi
		nop
		mov	esi, [ecx+4]
		mov	[ebp-0B0h], esi
		mov	eax, edi
		mov	[ebp-0C0h], eax
		mov	[ebp-100h], eax
		mov	[ebp-0FCh], esi
		and	eax, 1
		or	eax, 0
		jnz	loc_4B2446
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		jnz	short loc_4B2118
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jz	short loc_4B20D8
		xor	edx, edx
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_4B231B
		mov	esi, [ebp-9Ch]
		mov	ecx, [ebp-98h]
		mov	dl, [ebp-84h]
		jmp	loc_4B1E50
; 

loc_4B20D8:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+87Ej
		lea	ecx, [ebp-100h]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jnz	loc_4B235E
		or	edi, esi
		jnz	loc_4B292A
		mov	edi, [ebp-8Ch]

loc_4B20F9:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+6D2j
		mov	eax, [ebp-90h]
		test	al, 4
		jnz	short loc_4B2124
		mov	ecx, [ebp-0A0h]
		test	dword ptr [ecx+1Ch], 100000h
		jnz	loc_4B2930
		jmp	short loc_4B2124
; 

loc_4B2118:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+872j
		mov	eax, [ebp-90h]
		mov	edi, [ebp-8Ch]

loc_4B2124:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+8D1j
					; MiGetWorkingSetInfoList(x,x,x,x)+8E6j
		xor	ecx, ecx
		mov	[ebp-0A4h], ecx
		test	al, 4
		jz	short loc_4B2157
		mov	ecx, [ebp-0ACh]
		and	ecx, 0FFFFF000h
		cmp	ecx, 7FFE0000h
		mov	ecx, dword_6D0610
		jz	short loc_4B2150
		mov	ecx, dword_6D0614

loc_4B2150:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+918j
		mov	esi, ecx
		jmp	loc_4B228B
; 

loc_4B2157:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+8FEj
		mov	ecx, [ebp-0A0h]
		test	dword ptr [ecx+1Ch], 100000h
		jnz	loc_4B221C
		lea	eax, [ebp-0B4h]
		push	eax
		push	0
		mov	edx, [ebp-0ACh]
		shr	edx, 0Ch
		call	MiGetProtoPteAddress
		mov	[ebp-0A4h], eax
		mov	edx, [ebp-0C0h]
		mov	ecx, edx
		or	ecx, esi
		jz	short loc_4B220C
		push	esi
		push	edx
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jnz	short loc_4B220C
		mov	[ebp-0E4h], esi
		mov	edx, dword_6D0700
		mov	ecx, dword_6D0704
		mov	[ebp-0BCh], ecx
		mov	eax, edx
		or	eax, ecx
		jz	short loc_4B21EA
		mov	ecx, [ebp-0C0h]
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4B21FB
		not	edx
		mov	esi, [ebp-0BCh]
		not	esi
		and	edx, ecx
		and	esi, [ebp-0E4h]
		mov	[ebp-0B0h], esi
		mov	[ebp-0B8h], edx

loc_4B21EA:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+98Aj
		mov	esi, [ebp-0B0h]
		mov	eax, [ebp-90h]
		jmp	loc_4B2285
; 

loc_4B21FB:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+99Aj
		and	ecx, 0FFFFFFEFh
		mov	[ebp-0B8h], ecx
		mov	eax, [ebp-90h]
		jmp	short loc_4B2285
; 

loc_4B220C:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+961j
					; MiGetWorkingSetInfoList(x,x,x,x)+96Cj
		mov	ecx, [ebp-0A4h]
		mov	esi, ecx
		mov	eax, [ebp-90h]
		jmp	short loc_4B228B
; 

loc_4B221C:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+934j
		mov	[ebp-0B0h], esi
		mov	[ebp-0B4h], esi
		mov	ecx, dword_6D0700
		mov	[ebp-0E4h], ecx
		mov	edx, dword_6D0704
		mov	[ebp-0BCh], edx
		or	ecx, edx
		jz	short loc_4B227F
		mov	edx, [ebp-0C0h]
		mov	ecx, edx
		and	ecx, 10h
		or	ecx, 0
		jnz	short loc_4B2274
		mov	ecx, [ebp-0E4h]
		not	ecx
		mov	esi, [ebp-0BCh]
		not	esi
		and	ecx, edx
		and	esi, [ebp-0B4h]
		mov	[ebp-0B8h], ecx
		jmp	short loc_4B2285
; 

loc_4B2274:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+A22j
		and	edx, 0FFFFFFEFh
		mov	[ebp-0B8h], edx
		jmp	short loc_4B2285
; 

loc_4B227F:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+A12j
		mov	esi, [ebp-0B0h]

loc_4B2285:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+9C6j
					; MiGetWorkingSetInfoList(x,x,x,x)+9DAj ...
		mov	ecx, [ebp-0A4h]

loc_4B228B:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+922j
					; MiGetWorkingSetInfoList(x,x,x,x)+9EAj
		test	esi, esi
		jz	loc_4B2930
		or	edi, 8000h
		mov	[ebp-8Ch], edi
		mov	[ebp-0C4h], edi
		cmp	esi, ecx
		jnz	short loc_4B22BB
		or	edi, 40000000h
		mov	[ebp-8Ch], edi
		mov	[ebp-0C4h], edi

loc_4B22BB:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+A77j
		mov	edi, [ebp-0CCh]
		mov	eax, edi
		xor	eax, esi
		test	eax, 0FFFFF000h
		jz	loc_4B237B
		mov	edx, [ebp-9Ch]
		test	edx, edx
		jz	short loc_4B22EF
		mov	ecx, [ebp-88h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dword ptr [ebp-9Ch], 0

loc_4B22EF:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+AA8j
		push	dword ptr [ebp-84h]
		mov	edx, edi
		mov	ecx, esi
		call	_MiLockProtoPage@12 ; MiLockProtoPage(x,x,x)
		mov	[ebp-0CCh], eax
		mov	esi, [ebp-9Ch]
		mov	ecx, [ebp-98h]
		mov	dl, [ebp-84h]
		jmp	loc_4B1E50
; 

loc_4B231B:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+88Bj
		nop
		mov	ecx, esi
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		lea	edx, [ebp-0C8h]
		call	_MiQueryPfn@8	; MiQueryPfn(x,x)
		lea	eax, [esi+10h]

loc_4B2345:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+B9Fj
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	edx, [ebp-0C4h]

loc_4B2353:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+816j
					; MiGetWorkingSetInfoList(x,x,x,x)+10C1j
		mov	eax, [ebp-90h]
		jmp	loc_4B2936
; 

loc_4B235E:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+8B5j
		mov	edx, [ebp-8Ch]
		and	edx, 0FFBFFFFFh
		or	edx, 800000h
		mov	eax, [ebp-90h]
		jmp	loc_4B2936
; 

loc_4B237B:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+A9Aj
		xor	edx, edx
		mov	ecx, esi
		call	MiLockLeafPage
		mov	[ebp-0B4h], eax
		mov	edi, [esi]
		nop
		mov	esi, [esi+4]
		mov	[ebp-100h], edi
		mov	[ebp-0FCh], esi
		test	eax, eax
		jz	short loc_4B23D4
		mov	ecx, eax
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		lea	edx, [ebp-0C8h]
		call	_MiQueryPfn@8	; MiQueryPfn(x,x)
		mov	eax, [ebp-0B4h]
		add	eax, 10h
		jmp	loc_4B2345
; 

loc_4B23D4:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+B6Ej
		mov	eax, edi
		and	eax, 0C00h
		or	eax, 0
		jnz	loc_4B292A
		push	esi
		push	edi
		call	_MiInvalidPteConforms@12 ; MiInvalidPteConforms(x,x,x)
		test	eax, eax
		jz	loc_4B292A
		lea	ecx, [ebp-100h]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jz	short loc_4B241F
		mov	edx, [ebp-8Ch]
		and	edx, 0FFBFFFFFh
		or	edx, 800000h
		mov	eax, [ebp-90h]
		jmp	loc_4B2936
; 

loc_4B241F:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+BD0j
		or	edi, esi
		mov	eax, [ebp-90h]
		mov	edi, [ebp-88h]
		mov	cl, [ebp-84h]
		mov	esi, [ebp-94h]
		jnz	loc_4B2922
		xor	edx, edx
		jmp	loc_4B2948
; 

loc_4B2446:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+862j
		or	edx, 1
		mov	[ebp-8Ch], edx
		mov	eax, [ebp-0A0h]
		mov	eax, [eax+1Ch]
		nop
		and	al, 70h
		cmp	al, 40h
		jnz	loc_4B25F2
		shrd	edi, esi, 0Ch
		and	edi, 1FFFFFFh
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+ecx*4]
		mov	[ebp-0A8h], esi
		cmp	edi, dword_6D07B0
		ja	short loc_4B24CA
		mov	edx, edi
		shr	edx, 5
		and	edi, 1Fh
		mov	eax, dword_6D35B8
		mov	eax, [eax+edx*4]
		mov	ecx, edi
		shr	eax, cl
		and	eax, 1
		jz	short loc_4B24CA
		test	byte ptr [esi+17h], 40h
		jnz	short loc_4B24B6
		mov	ecx, esi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jz	short loc_4B24CA

loc_4B24B6:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+C79j
		mov	edi, [ebp-8Ch]
		or	edi, 80000000h
		mov	[ebp-8Ch], edi
		jmp	short loc_4B24D0
; 

loc_4B24CA:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+C5Aj
					; MiGetWorkingSetInfoList(x,x,x,x)+C73j ...
		mov	edi, [ebp-8Ch]

loc_4B24D0:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+C98j
		mov	ecx, [ebp-98h]
		call	_MiRotatedToFrameBuffer@4 ; MiRotatedToFrameBuffer(x)
		test	eax, eax
		jz	short loc_4B254B
		mov	eax, [ebp-0A4h]
		and	eax, 800h
		or	eax, 0
		mov	ecx, 4
		jnz	short loc_4B24F9
		mov	ecx, 1

loc_4B24F9:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+CC2j
		mov	eax, [ebp-0A0h]
		mov	edx, [eax+1Ch]
		mov	eax, edx
		and	eax, 0C00h
		cmp	eax, 0C00h
		jnz	short loc_4B253F
		test	edx, 380h
		jz	short loc_4B253F
		or	ecx, 18h

loc_4B251B:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+D14j
					; MiGetWorkingSetInfoList(x,x,x,x)+D19j
		mov	edx, [ebp-8Ch]

loc_4B2521:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+D7Cj
					; MiGetWorkingSetInfoList(x,x,x,x)+D87j ...
		mov	eax, ds:_MmProtectToValue[ecx*4]
		shl	eax, 4
		xor	eax, edx
		and	eax, 7FF0h
		xor	edx, eax
		mov	eax, [ebp-90h]
		jmp	loc_4B2936
; 

loc_4B253F:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+CDEj
					; MiGetWorkingSetInfoList(x,x,x,x)+CE6j
		cmp	eax, 400h
		jnz	short loc_4B251B
		or	ecx, 8
		jmp	short loc_4B251B
; 

loc_4B254B:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+CADj
		mov	ecx, esi
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		mov	esi, eax
		mov	ecx, [ebp-0A8h]
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	edx, [eax+4]
		and	esi, 7
		shl	esi, 8
		and	edx, 3Fh
		or	edx, esi
		shl	edx, 10h
		mov	eax, edi
		and	eax, 0F8C0FFFFh
		or	edx, eax
		mov	esi, [ebp-0A8h]
		mov	ecx, [esi+8]
		mov	eax, [esi+0Ch]
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		test	dword ptr [esi+18h], 800000h
		jnz	loc_4B2521
		mov	eax, [esi+4]
		test	eax, eax
		js	loc_4B2521
		jz	loc_4B2521
		mov	eax, edx
		or	eax, 8000h
		mov	edx, [esi+10h]
		and	edx, 3FFFFFFFh
		cmp	edx, 7
		jb	short loc_4B25DD
		mov	edx, 7

loc_4B25DD:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+DA6j
		add	edx, edx
		xor	edx, eax
		and	edx, 0Eh
		xor	edx, eax
		mov	ecx, ds:_MmMakeProtectNotWriteCopy[ecx*4]
		jmp	loc_4B2521
; 

loc_4B25F2:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+C2Dj
		mov	eax, esi
		shrd	edi, eax, 0Ch
		and	edi, 1FFFFFFh

loc_4B25FE:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+7F3j
		lea	eax, ds:0[edi*8]
		sub	eax, edi
		mov	edx, ds:_MmPfnDatabase
		lea	eax, [edx+eax*4]
		mov	[ebp-0B4h], eax
		mov	ecx, eax
		mov	[ebp-0A8h], eax
		test	dword ptr [eax+18h], 800000h
		jz	short loc_4B2649
		mov	ecx, [ebp-0BCh]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_4B2637
		mov	ecx, edi
		and	ecx, 0FFFFFFF0h

loc_4B2637:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+E00j
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		lea	ecx, [edx+eax*4]
		mov	[ebp-0A8h], ecx

loc_4B2649:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+DF5j
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		mov	esi, eax
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		mov	edi, eax
		mov	[ebp-98h], edi
		sub	ecx, edx
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	eax, [eax+4]
		mov	edx, edi
		and	edx, 7
		shl	edx, 8
		and	eax, 3Fh
		or	edx, eax
		add	edx, edx
		and	esi, 1
		or	edx, esi
		shl	edx, 0Fh
		mov	edi, [ebp-8Ch]
		and	edi, 0F8C07FFFh
		or	edx, edi
		mov	[ebp-98h], edx
		mov	esi, [ebp-0B4h]
		test	byte ptr [esi+17h], 40h
		jnz	short loc_4B26BC
		mov	ecx, esi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jz	short loc_4B26C8

loc_4B26BC:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+E7Fj
		or	edx, 80000000h
		mov	[ebp-98h], edx

loc_4B26C8:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+E8Aj
		test	edx, 800000h
		jnz	loc_4B28A5
		mov	edx, [esi+18h]
		test	edx, 800000h
		jnz	loc_4B28A5
		and	edx, 70000000h
		cmp	edx, 10000000h
		jnz	loc_4B2775
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_4B28A5
		cmp	edx, edx
		jnz	short loc_4B2775
		call	MiIsPfnEnclave
		test	eax, eax
		jz	short loc_4B272B
		mov	edx, [esi+8]
		mov	eax, [esi+0Ch]
		shrd	edx, eax, 5
		and	edx, 1Fh
		jmp	short loc_4B2746
; 

loc_4B2720:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+7FBj
		mov	eax, [ebp-90h]
		jmp	loc_4B1C90
; 

loc_4B272B:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+EDFj
		mov	esi, [ebp-0B0h]
		push	esi
		mov	edx, [ebp-0C0h]
		push	edx
		mov	ecx, [ebp-0A0h]
		call	_MiGetValidAweProtection@12 ; MiGetValidAweProtection(x,x,x)
		mov	edx, eax

loc_4B2746:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+EEEj
		mov	edx, ds:_MmProtectToValue[edx*4]
		and	edx, 7FFh
		or	edx, 40000h
		shl	edx, 4
		mov	edi, [ebp-98h]
		and	edi, 0FFFF800Fh
		or	edx, edi
		mov	eax, [ebp-90h]
		jmp	loc_4B2936
; 

loc_4B2775:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+EBFj
					; MiGetWorkingSetInfoList(x,x,x,x)+ED6j
		mov	edx, [ebp-0ACh]
		mov	ecx, [ebp-88h]
		call	MiLocateWsle
		mov	al, [eax]
		and	al, 0Fh
		mov	edi, [ebp-98h]
		cmp	al, 8
		jnz	short loc_4B279A
		or	edi, 400000h

loc_4B279A:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+F62j
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_4B27D5
		mov	ecx, [esi+8]
		mov	eax, [esi+0Ch]
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		mov	edx, ds:_MmProtectToValue[ecx*4]
		and	edx, 7FFh
		shl	edx, 4
		and	edi, 0FFFF8001h
		or	edx, edi
		mov	eax, [ebp-90h]
		jmp	loc_4B2936
; 

loc_4B27D5:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+F73j
		mov	eax, [esi+10h]
		and	eax, 3FFFFFFFh
		mov	[ebp-0A8h], eax
		cmp	eax, 7
		jb	short loc_4B27F2
		mov	dword ptr [ebp-0A8h], 7

loc_4B27F2:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+FB6j
		push	esi
		mov	edx, [ebp-0ACh]
		mov	ecx, [ebp-88h]
		call	_MiGetPfnProtection@12 ; MiGetPfnProtection(x,x,x)
		mov	edx, ds:_MmProtectToValue[eax*4]
		and	edx, 7FFh
		shl	edx, 3
		mov	eax, [ebp-0A8h]
		and	eax, 7
		or	edx, eax
		add	edx, edx
		and	edi, 0FFFF8001h
		or	edx, edi
		mov	[ebp-8Ch], edx
		mov	eax, [ebp-90h]
		test	al, 4
		jz	short loc_4B2844
		or	edx, 40000000h
		jmp	loc_4B2936
; 

loc_4B2844:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+1007j
		mov	ecx, [ebp-0A0h]
		test	dword ptr [ecx+1Ch], 100000h
		jnz	loc_4B2936
		lea	eax, [ebp-0B4h]
		push	eax
		push	0
		mov	edx, [ebp-0E8h]
		call	MiGetProtoPteAddress
		mov	ecx, [esi+4]
		or	ecx, 80000000h
		mov	edx, [ebp-8Ch]
		mov	edi, [ebp-88h]
		mov	esi, [ebp-94h]
		cmp	eax, ecx
		mov	eax, [ebp-90h]
		mov	cl, [ebp-84h]
		jnz	loc_4B2948
		or	edx, 40000000h
		jmp	loc_4B2948
; 

loc_4B28A5:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+E9Ej
					; MiGetWorkingSetInfoList(x,x,x,x)+EADj ...
		mov	esi, [ebp-0B0h]
		push	esi
		mov	edx, [ebp-0C0h]
		push	edx
		mov	ecx, [ebp-0A0h]
		call	_MiGetProtectionFromPte@12 ; MiGetProtectionFromPte(x,x,x)
		mov	edx, ds:_MmProtectToValue[eax*4]
		and	edx, 7FFh
		or	edx, 40000h
		shl	edx, 4
		mov	edi, [ebp-98h]
		and	edi, 0FFFF800Fh
		or	edx, edi
		mov	esi, edx
		mov	ecx, [ebp-0A8h]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_4B2353
		mov	edx, [ecx+10h]
		and	edx, 3FFFFFFFh
		cmp	edx, 7
		jb	short loc_4B290A
		mov	edx, 7

loc_4B290A:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+10D3j
		and	edx, 7
		or	edx, 20000000h
		add	edx, edx
		and	esi, 0FFFFFFF1h
		or	edx, esi
		mov	eax, [ebp-90h]
		jmp	short loc_4B2936
; 

loc_4B2922:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+C09j
		mov	edx, [ebp-8Ch]
		jmp	short loc_4B2948
; 

loc_4B292A:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+8BDj
					; MiGetWorkingSetInfoList(x,x,x,x)+BAEj ...
		mov	eax, [ebp-90h]

loc_4B2930:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+8E0j
					; MiGetWorkingSetInfoList(x,x,x,x)+A5Dj
		mov	edx, [ebp-8Ch]

loc_4B2936:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+B29j
					; MiGetWorkingSetInfoList(x,x,x,x)+B46j ...
		mov	edi, [ebp-88h]

loc_4B293C:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+3E5j
					; MiGetWorkingSetInfoList(x,x,x,x)+459j
		mov	cl, [ebp-84h]

loc_4B2942:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+2F7j
		mov	esi, [ebp-94h]

loc_4B2948:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+5F6j
					; MiGetWorkingSetInfoList(x,x,x,x)+C11j ...
		test	dword ptr [ebp-104h], 40000000h
		jz	short loc_4B297A
		test	dl, 1
		jz	short loc_4B296C
		test	edx, 40000000h
		jz	short loc_4B297A
		and	edx, 0F8C0FFFFh
		or	edx, 0Eh
		jmp	short loc_4B297A
; 

loc_4B296C:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+1127j
		test	edx, 40000000h
		jz	short loc_4B297A
		and	edx, 0F03FFFFFh

loc_4B297A:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+1122j
					; MiGetWorkingSetInfoList(x,x,x,x)+112Fj ...
		mov	[esi+4], edx
		add	esi, 8
		mov	[ebp-94h], esi
		mov	[ebp-0D8h], esi
		sub	dword ptr [ebp-0ECh], 1
		jnz	loc_4B1AF0
		xor	esi, esi

loc_4B299B:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+3D3j
		mov	al, [ebp-84h]
		cmp	al, 21h
		jz	short loc_4B29C5
		mov	edx, [ebp-9Ch]
		test	edx, edx
		jz	short loc_4B29BC
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	al, [ebp-84h]

loc_4B29BC:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+117Dj
		mov	dl, al
		mov	ecx, edi
		call	MiUnlockWorkingSetShared

loc_4B29C5:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+1173j
		mov	edx, [ebp-0CCh]
		test	edx, edx
		jz	short loc_4B29D8
		push	21h
		xor	ecx, ecx
		call	_MiLockProtoPage@12 ; MiLockProtoPage(x,x,x)

loc_4B29D8:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+119Dj
		mov	eax, [ebp-0A0h]
		test	eax, eax
		jz	short loc_4B29E9
		mov	ecx, eax
		call	MiUnlockAndDereferenceVadShared

loc_4B29E9:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+11B0j
		mov	eax, [ebp-90h]
		test	al, 1
		jz	short loc_4B29FD
		xor	edx, edx
		lea	ecx, [ebp-80h]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_4B29FD:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+11C1j
		mov	edi, [ebp-0DCh]
		test	edi, edi
		jz	short loc_4B2A1C
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	loc_4B2AA9
; 

loc_4B2A1C:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+11D5j
		mov	dword ptr [ebp-4], 3
		lea	ecx, [ebp-68h]
		mov	eax, [ebp-94h]
		sub	eax, ecx
		and	eax, 0FFFFFFF8h
		push	eax		; size_t
		mov	eax, ecx
		push	eax		; void *
		push	dword ptr [ebp-0D0h] ; void *
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, esi
		jmp	short loc_4B2AA9
; 

loc_4B2A4E:				; DATA XREF: .text:006A1C60o
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-10Ch], eax
		mov	eax, 1
		retn
; 

loc_4B2A64:				; DATA XREF: .text:006A1C64o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-10Ch]
		jmp	short loc_4B2AA9
; 

loc_4B2A79:				; DATA XREF: .text:006A1C48o
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-110h], eax
		mov	eax, 1
		retn
; 

loc_4B2A8F:				; DATA XREF: .text:006A1C4Co
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-110h]
		jmp	short loc_4B2AA9
; 

loc_4B2AA4:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+C2j
					; MiGetWorkingSetInfoList(x,x,x,x)+CFj
		mov	eax, 0C000000Dh

loc_4B2AA9:				; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+B7j
					; MiGetWorkingSetInfoList(x,x,x,x)+1E1j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	ecx, [ebp-24h]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_MiGetWorkingSetInfoList@16 endp ; sp =	 4

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertLargePageInNodeList(x)
_MiInsertLargePageInNodeList@4 proc near ; CODE	XREF: .text:0047147Cp
					; .text:004B5B3Ep ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 40h
		mov	eax, ecx
		xor	ecx, ecx
		push	esi
		push	edi
		mov	[esp+48h+var_14], eax
		mov	edx, [eax+4]
		mov	esi, [eax]
		mov	[esp+48h+var_C], ecx
		mov	[esp+48h+var_8], ecx
		mov	[esp+48h+var_4], ecx
		mov	[esp+48h+var_24], ecx
		mov	[esp+48h+var_38], esi
		mov	[esp+48h+var_34], edx
		cmp	edx, 5
		jnz	short loc_4B2B10
		mov	edx, 1
		mov	[esp+48h+var_34], edx

loc_4B2B10:				; CODE XREF: MiInsertLargePageInNodeList(x)+35j
		mov	eax, [eax+8]
		lea	ecx, ds:0[esi*8]
		mov	[esp+48h+var_30], eax
		sub	ecx, esi
		mov	eax, ds:_MmPfnDatabase
		mov	[esp+48h+var_1C], 0
		lea	edi, [eax+ecx*4]
		movzx	eax, byte ptr [edi+16h]
		mov	ecx, edi
		shr	eax, 6
		mov	[esp+48h+var_18], eax
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		and	dword ptr [edi+18h], 7FFFFFFFh
		mov	[esp+48h+var_3C], eax
		mov	ecx, ds:_MiLargePageSizes[eax*4]
		mov	[esp+48h+var_28], ecx
		cmp	edx, 1
		jz	short loc_4B2B82
		test	byte ptr ds:_MiFlags, 80h
		jz	short loc_4B2B82
		mov	eax, dword_6D30F0
		inc	eax
		mov	dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	short loc_4B2B82
		mov	edx, ecx
		mov	ecx, esi
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)

loc_4B2B82:				; CODE XREF: MiInsertLargePageInNodeList(x)+8Bj
					; MiInsertLargePageInNodeList(x)+94j ...
		mov	ecx, esi
		call	MiSearchNumaNodeTable
		mov	ecx, [esp+48h+var_3C]
		xor	edx, edx
		mov	eax, [eax+4]
		lea	esi, [eax+eax*4]
		imul	eax, ecx, 98h
		mov	ecx, ds:_MiLargePageSizes[ecx*4]
		shl	esi, 7
		add	esi, dword_6D4E50
		add	eax, esi
		mov	[esp+48h+var_2C], eax
		mov	eax, [esp+48h+var_38]
		div	ecx
		mov	ecx, [esp+48h+var_3C]
		xor	edx, edx
		div	dword_6D0740[ecx*4]
		cmp	[esp+48h+var_38], 100000h
		mov	ecx, [esp+48h+var_18]
		sbb	eax, eax
		and	eax, 2
		add	eax, [esp+48h+var_34]
		lea	eax, [ecx+eax*4]
		mov	[esp+48h+var_20], eax
		lea	ecx, [edx+edx*2]
		mov	eax, [esp+48h+var_2C]
		mov	edx, [esp+48h+var_20]
		mov	eax, [eax+edx*4+58h]
		lea	eax, [eax+ecx*4]
		mov	[esp+48h+var_10], eax
		mov	eax, [esp+48h+var_30]
		and	eax, 2
		mov	[esp+48h+var_18], eax
		jnz	short loc_4B2C3E
		test	ds:byte_70EFC6,	21h
		lea	eax, [esi+204h]
		mov	[esp+48h+var_8], eax
		mov	[esp+48h+var_C], 0
		jz	short loc_4B2C2B
		mov	edx, eax
		lea	ecx, [esp+48h+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4B2C3E
; 

loc_4B2C2B:				; CODE XREF: MiInsertLargePageInNodeList(x)+14Cj
		lea	edx, [esp+48h+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_4B2C3E
		lea	ecx, [esp+48h+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4B2C3E:				; CODE XREF: MiInsertLargePageInNodeList(x)+131j
					; MiInsertLargePageInNodeList(x)+159j ...
		cmp	dword ptr [esi+214h], 0
		jz	loc_4B2DA8
		mov	ecx, [esp+48h+var_38]
		mov	edx, [esp+48h+var_3C]
		call	_MiAnyPagesRemovalPending@8 ; MiAnyPagesRemovalPending(x,x)
		test	eax, eax
		jz	loc_4B2DA8
		test	ds:byte_70EFC6,	1
		jz	short loc_4B2C77
		mov	edx, [ebp+4]
		lea	ecx, [esp+48h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4B2CAD
; 

loc_4B2C77:				; CODE XREF: MiInsertLargePageInNodeList(x)+197j
		mov	eax, [esp+48h+var_C]
		test	eax, eax
		jnz	short loc_4B2C9A
		mov	edx, [esp+48h+var_8]
		lea	eax, [esp+48h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+48h+var_C]
		cmp	eax, ecx
		jz	short loc_4B2CAD
		call	KxWaitForLockChainValid

loc_4B2C9A:				; CODE XREF: MiInsertLargePageInNodeList(x)+1ADj
		mov	[esp+48h+var_C], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_4B2CAD:				; CODE XREF: MiInsertLargePageInNodeList(x)+1A5j
					; MiInsertLargePageInNodeList(x)+1C3j
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	edx, [esp+48h+var_3C]
		lea	eax, [esp+48h+var_24]
		push	eax
		push	0
		push	[esp+50h+var_34]
		mov	ecx, edi
		push	1
		call	_MiConvertEntireLargePageToSmall@24 ; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)
		test	byte ptr [esp+48h+var_30], 4
		jz	loc_4B2D95
		test	ds:byte_70EFC6,	21h
		lea	eax, [esi+204h]
		mov	[esp+48h+var_8], eax
		mov	[esp+48h+var_C], 0
		jz	short loc_4B2D03
		mov	edx, eax
		lea	ecx, [esp+48h+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4B2D16
; 

loc_4B2D03:				; CODE XREF: MiInsertLargePageInNodeList(x)+224j
		lea	edx, [esp+48h+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_4B2D16
		lea	ecx, [esp+48h+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4B2D16:				; CODE XREF: MiInsertLargePageInNodeList(x)+231j
					; MiInsertLargePageInNodeList(x)+23Bj
		mov	eax, [esi+1F8h]
		dec	dword ptr [esi+1F4h]
		mov	dword ptr [esi+1F8h], 0
		test	ds:byte_70EFC6,	1
		mov	[esp+48h+var_38], eax
		jz	short loc_4B2D52
		mov	edx, [ebp+4]
		lea	ecx, [esp+48h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		mov	[esp+48h+var_20], 0
		jmp	loc_4B2EC2
; 

loc_4B2D52:				; CODE XREF: MiInsertLargePageInNodeList(x)+267j
		mov	eax, [esp+48h+var_C]
		test	eax, eax
		jnz	short loc_4B2D75
		mov	edx, [esp+48h+var_8]
		lea	eax, [esp+48h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+48h+var_C]
		cmp	eax, ecx
		jz	short loc_4B2D9B
		call	KxWaitForLockChainValid

loc_4B2D75:				; CODE XREF: MiInsertLargePageInNodeList(x)+288j
		mov	[esp+48h+var_C], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		mov	[esp+48h+var_20], 0
		jmp	loc_4B2EC2
; 

loc_4B2D95:				; CODE XREF: MiInsertLargePageInNodeList(x)+205j
		xor	eax, eax
		mov	[esp+48h+var_38], eax

loc_4B2D9B:				; CODE XREF: MiInsertLargePageInNodeList(x)+29Ej
		mov	[esp+48h+var_20], 0
		jmp	loc_4B2EC2
; 

loc_4B2DA8:				; CODE XREF: MiInsertLargePageInNodeList(x)+175j
					; MiInsertLargePageInNodeList(x)+18Aj
		mov	al, [edi+16h]
		mov	edx, [esp+48h+var_34]
		mov	cl, dl
		xor	cl, al
		and	cl, 7
		xor	cl, al
		mov	eax, [esp+48h+var_10]
		mov	[edi+16h], cl
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jz	short loc_4B2DCD
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4B2DCD:				; CODE XREF: MiInsertLargePageInNodeList(x)+2F4j
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	ecx, [esp+48h+var_20]
		mov	[eax+4], edi
		inc	dword ptr [eax+8]
		mov	eax, [esp+48h+var_2C]
		inc	dword ptr [eax+ecx*4+18h]
		inc	dword ptr [eax+edx*4]
		cmp	[esp+48h+var_38], 100000h
		mov	ecx, [esp+48h+var_2C]
		sbb	eax, eax
		and	eax, 2
		add	eax, 2
		add	eax, edx
		inc	dword ptr [ecx+eax*4]
		test	edx, edx
		mov	edx, offset dword_6D53C0
		jz	short loc_4B2E10
		mov	edx, offset dword_6D5400

loc_4B2E10:				; CODE XREF: MiInsertLargePageInNodeList(x)+339j
		mov	eax, [esp+48h+var_28]
		lock xadd [edx], eax
		mov	edx, [esp+48h+var_3C]
		mov	ecx, [esp+48h+var_38]
		push	1
		call	_MiUpdateLargePageCandidates@12	; MiUpdateLargePageCandidates(x,x,x)
		mov	edx, [esp+48h+var_28]
		mov	ecx, offset _MiSystemPartition
		mov	[esp+48h+var_1C], eax
		call	MiIncreaseAvailablePages
		test	byte ptr [esp+48h+var_30], 4
		mov	eax, [esp+48h+var_28]
		mov	[esp+48h+var_20], 1
		mov	[esp+48h+var_24], eax
		jz	short loc_4B2E68
		mov	eax, [esi+1F8h]
		dec	dword ptr [esi+1F4h]
		mov	dword ptr [esi+1F8h], 0
		jmp	short loc_4B2E6A
; 

loc_4B2E68:				; CODE XREF: MiInsertLargePageInNodeList(x)+37Ej
		xor	eax, eax

loc_4B2E6A:				; CODE XREF: MiInsertLargePageInNodeList(x)+396j
		cmp	[esp+48h+var_18], 0
		mov	[esp+48h+var_38], eax
		jnz	short loc_4B2EC2
		test	ds:byte_70EFC6,	1
		jz	short loc_4B2E8C
		mov	edx, [ebp+4]
		lea	ecx, [esp+48h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4B2EC2
; 

loc_4B2E8C:				; CODE XREF: MiInsertLargePageInNodeList(x)+3ACj
		mov	eax, [esp+48h+var_C]
		test	eax, eax
		jnz	short loc_4B2EAF
		mov	edx, [esp+48h+var_8]
		lea	eax, [esp+48h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+48h+var_C]
		cmp	eax, ecx
		jz	short loc_4B2EC2
		call	KxWaitForLockChainValid

loc_4B2EAF:				; CODE XREF: MiInsertLargePageInNodeList(x)+3C2j
		mov	[esp+48h+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_4B2EC2:				; CODE XREF: MiInsertLargePageInNodeList(x)+27Dj
					; MiInsertLargePageInNodeList(x)+2C0j ...
		mov	eax, [esp+48h+var_38]
		test	eax, eax
		jz	short loc_4B2ED1
		mov	ecx, eax
		call	_MiWakeLargePageWaiters@4 ; MiWakeLargePageWaiters(x)

loc_4B2ED1:				; CODE XREF: MiInsertLargePageInNodeList(x)+3F8j
		cmp	[esp+48h+var_20], 0
		jz	short loc_4B2F51
		cmp	[esp+48h+var_34], 1
		jnz	short loc_4B2EEB
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	_MiWakePageZeroing@8 ; MiWakePageZeroing(x,x)

loc_4B2EEB:				; CODE XREF: MiInsertLargePageInNodeList(x)+40Dj
		cmp	[esp+48h+var_1C], 0
		jz	short loc_4B2F10
		test	byte ptr [esp+48h+var_30], 1
		jnz	short loc_4B2F10
		test	byte ptr ds:_MiFlags, 30h
		jz	short loc_4B2F10
		push	0
		push	0
		push	offset unk_6D595C
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_4B2F10:				; CODE XREF: MiInsertLargePageInNodeList(x)+420j
					; MiInsertLargePageInNodeList(x)+427j ...
		mov	eax, [esp+48h+var_14]
		mov	cl, [eax+0Ch]
		cmp	cl, 21h
		jz	short loc_4B2F63
		add	edi, 10h
		cmp	byte ptr [eax+0Dh], 0
		mov	eax, 7FFFFFFFh
		jz	short loc_4B2F37
		lock and [edi],	eax
		mov	eax, [esp+48h+var_24]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B2F37:				; CODE XREF: MiInsertLargePageInNodeList(x)+458j
		lock and [edi],	eax
		cmp	[esp+48h+var_18], 0
		jnz	short loc_4B2F63
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+48h+var_24]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B2F51:				; CODE XREF: MiInsertLargePageInNodeList(x)+406j
		mov	eax, [esp+48h+var_14]
		mov	cl, [eax+0Ch]
		cmp	cl, 21h
		jz	short loc_4B2F63
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4B2F63:				; CODE XREF: MiInsertLargePageInNodeList(x)+44Aj
					; MiInsertLargePageInNodeList(x)+46Fj ...
		mov	eax, [esp+48h+var_24]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_MiInsertLargePageInNodeList@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1135. KeExpandKernelStackAndCalloutEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeExpandKernelStackAndCalloutEx(x, x, x, x,	x)
		public _KeExpandKernelStackAndCalloutEx@20
_KeExpandKernelStackAndCalloutEx@20 proc near ;	CODE XREF: sub_7C1970+2Fp
					; IopIssueSystemEnvironmentRequest(x,x,x,x,x,x,x,x,x)+8Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, [ebp+arg_C]
		push	[ebp+arg_10]
		neg	eax
		sbb	eax, eax
		and	eax, 2
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	KeExpandKernelStackAndCalloutInternal
		pop	ebp
		retn	14h
_KeExpandKernelStackAndCalloutEx@20 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry   7.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeExpandKernelStackAndCalloutInternal
KeExpandKernelStackAndCalloutInternal proc near
					; CODE XREF: KeExpandKernelStackAndCalloutEx(x,x,x,x,x)+1Dp
					; MiSwapStackPage(x,x,x,x,x,x,x)+3D3p ...

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 004B3104 SIZE 00000009 BYTES
; FUNCTION CHUNK AT 005C1D32 SIZE 00000035 BYTES

		push	0Ch
		push	offset dword_6A1C68
		call	__SEH_prolog4
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	KiExpandKernelStackAndCalloutSwitchStack
		cmp	eax, 0C000048Bh
		jz	short loc_4B2FD7

loc_4B2FC5:				; CODE XREF: KeExpandKernelStackAndCalloutInternal+B3j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_4B2FD7:				; CODE XREF: KeExpandKernelStackAndCalloutInternal+25j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	byte ptr [ebp+arg_C+3],	al
		mov	ecx, large fs:124h
		mov	[ebp+var_1C], ecx
		mov	eax, [ecx+58h]
		mov	edx, 1000h
		test	eax, edx
		jnz	short loc_4B3056
		or	eax, edx
		mov	[ecx+58h], eax
		mov	byte ptr [ebp+arg_10+3], 0

loc_4B2FFF:				; CODE XREF: KeExpandKernelStackAndCalloutInternal+BCj
		and	[ebp+ms_exc.disabled], 0
		mov	[ebp+arg_8], 1
		mov	[ebp+ms_exc.disabled], 1
		push	[ebp+arg_4]
		call	[ebp+arg_0]

loc_4B3017:				; CODE XREF: sub_5C1D1A+Ej
		and	[ebp+ms_exc.disabled], 0
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+arg_8], 0
		call	loc_4B305C
		cmp	byte ptr [ebp+arg_10+3], 0
		jnz	short loc_4B303E
		mov	eax, [ebp+var_1C]
		and	dword ptr [eax+58h], 0FFFFEFFFh

loc_4B303E:				; CODE XREF: KeExpandKernelStackAndCalloutInternal+94j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, byte ptr [ebp+arg_C+3]
		cmp	al, bl
		jnz	loc_5C1D32
		xor	eax, eax
		jmp	loc_4B2FC5
; 

loc_4B3056:				; CODE XREF: KeExpandKernelStackAndCalloutInternal+56j
		mov	byte ptr [ebp+arg_10+3], 1
		jmp	short loc_4B2FFF
KeExpandKernelStackAndCalloutInternal endp

; 

loc_4B305C:				; CODE XREF: KeExpandKernelStackAndCalloutInternal+8Bp
					; .text:loc_5C1D2Dj
		cmp	dword ptr [ebp+10h], 0
		jnz	short loc_4B3064
		retn
; 
		retn
; 

loc_4B3064:				; CODE XREF: .text:004B3060j
		push	1Eh
		call	_KeBugCheck@4	; KeBugCheck(x)
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiExpandKernelStackAndCalloutSwitchStack proc near
					; CODE XREF: KeExpandKernelStackAndCalloutInternal+1Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 004B310D SIZE 00000075 BYTES
; FUNCTION CHUNK AT 005C1D67 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_14], edx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_8], 0
		mov	[ebp+var_C], 0
		mov	[ebp+var_4], 0
		push	edi
		cmp	esi, 0E800h
		ja	loc_5C1D5D
		mov	edi, large fs:124h
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		mov	[ebp+var_10], eax
		mov	eax, [edi+24h]
		mov	ecx, [edi+20h]
		mov	[ebp+arg_0], eax
		mov	edi, [ecx+4]
		and	edi, 0FFFFFFFEh
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jz	short loc_4B312C
		ja	loc_5C1D67
		mov	eax, ds:_KeKernelStackSize
		cmp	esi, eax
		jnz	loc_4B3167

loc_4B30E0:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+10ED17j
		mov	ebx, [ebp+arg_4]
		or	ebx, 5

loc_4B30E6:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+EEj
					; KiExpandKernelStackAndCalloutSwitchStack+106j
		mov	edx, [ebp+arg_0]

loc_4B30E9:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+F5j
		mov	ecx, [ebp+var_10]
		mov	eax, ecx
		sub	eax, edi
		cmp	eax, esi
		jnb	short loc_4B310D

loc_4B30F4:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+A0j
					; KiExpandKernelStackAndCalloutSwitchStack+10ED2Bj
		push	[ebp+arg_8]
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_18]
		push	ebx
		push	esi
		call	KiExpandKernelStackAndCalloutOnStackSegment
KiExpandKernelStackAndCalloutSwitchStack endp

; START	OF FUNCTION CHUNK FOR KeExpandKernelStackAndCalloutInternal

loc_4B3104:				; CODE XREF: KeExpandKernelStackAndCalloutInternal+10EDC4j
					; KiExpandKernelStackAndCalloutSwitchStack+10ED0Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; END OF FUNCTION CHUNK	FOR KeExpandKernelStackAndCalloutInternal
; 
; START	OF FUNCTION CHUNK FOR KiExpandKernelStackAndCalloutSwitchStack

loc_4B310D:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+82j
		test	bl, 1
		jnz	short loc_4B30F4
		mov	eax, ecx
		sub	eax, edx
		cmp	eax, esi
		jb	loc_5C1D92

loc_4B311E:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+10ED31j
		pop	edi
		pop	esi
		mov	eax, 0C000048Bh
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B312C:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+5Bj
		mov	ebx, [ebp+arg_4]
		test	bl, 2
		jnz	loc_5C1D78
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		lea	edx, [ebp+var_4]
		mov	ecx, eax
		call	KeQueryCurrentStackInformationEx
		test	al, al
		jz	short loc_4B317B
		mov	eax, [ebp+var_4]
		cmp	eax, 1
		jz	short loc_4B3160
		cmp	eax, 0Ah
		jnz	short loc_4B30E6

loc_4B3160:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+E9j
		mov	edx, [ebp+var_8]
		mov	edi, edx
		jmp	short loc_4B30E9
; 

loc_4B3167:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+6Aj
		cmp	esi, 3000h
		jz	loc_5C1D82

loc_4B3173:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+10ED1Dj
		mov	ebx, [ebp+arg_4]
		jmp	loc_4B30E6
; 

loc_4B317B:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+E1j
		mov	ecx, 4
		int	29h		; DOS 2+ internal - FAST PUTCHAR
; END OF FUNCTION CHUNK	FOR KiExpandKernelStackAndCalloutSwitchStack ; AL = character to display
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiExpandKernelStackAndCalloutOnStackSegment proc near
					; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+8Fp

var_24		= byte ptr -24h
var_23		= byte ptr -23h
var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C1DA6 SIZE 000000C3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+2Ch+var_14], edx
		push	edi
		mov	edi, large fs:124h
		mov	[esp+30h+var_10], ecx
		mov	[esp+30h+var_8], 0
		mov	[esp+30h+var_4], 0
		mov	[esp+30h+var_23], 0
		mov	[esp+30h+var_1C], esi
		mov	[esp+30h+var_18], esi
		mov	[esp+30h+var_C], eax
		call	eax
		mov	edx, [ebp+arg_8]
		mov	[esp+30h+var_21], al
		cmp	al, 2
		jz	loc_4B3314

loc_4B31E6:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+18Ej
		mov	al, [esp+30h+var_23]

loc_4B31EA:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+19Aj
		mov	ecx, [ebp+arg_4]
		test	cl, 8
		jnz	loc_5C1DA6

loc_4B31F6:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+10EC18j
					; KiExpandKernelStackAndCalloutOnStackSegment+10EC24j
		mov	edx, [ebp+arg_0]
		xor	ebx, ebx
		mov	[esp+30h+var_20], edx
		cmp	edx, ds:_KeKernelStackSize
		ja	loc_4B33CF
		or	ecx, 4
		mov	[esp+30h+var_20], ebx

loc_4B3212:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+255j
					; KiExpandKernelStackAndCalloutOnStackSegment+10EC2Dj ...
		test	al, 0F0h
		jnz	loc_4B332F
		test	cl, 2
		jnz	short loc_4B3222
		or	ebx, 2

loc_4B3222:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+8Dj
		test	cl, 4
		jz	short loc_4B3231
		or	ebx, 10h
		or	esi, 4
		mov	[esp+30h+var_1C], esi

loc_4B3231:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+95j
		mov	eax, [edi+16Ch]
		mov	ecx, ebx
		push	edi
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	eax, [eax+338h]
		movzx	edx, byte ptr [eax+8Ah]
		call	MmCreateKernelStack
		mov	esi, eax
		mov	al, [esp+30h+var_23]
		test	esi, esi
		jz	loc_4B332F

loc_4B3261:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+202j
					; KiExpandKernelStackAndCalloutOnStackSegment+20Cj ...
		mov	[esi-20h], esi
		lea	edx, [esi-20h]
		test	al, 1
		jnz	loc_4B33F0
		mov	ecx, esi
		sub	ecx, ds:_KeKernelStackSize
		inc	ecx

loc_4B3278:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+266j
		mov	[edx+4], ecx
		mov	ecx, [edi+28h]
		mov	[edx+10h], ecx
		mov	ecx, [edi+20h]
		mov	[edx+1Ch], ecx
		mov	ecx, large fs:0
		mov	[edx+0Ch], ecx
		test	bl, 1
		jnz	loc_4B33FB

loc_4B329A:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+271j
					; KiExpandKernelStackAndCalloutOnStackSegment+27Aj
		mov	ecx, [edi+58h]
		test	ecx, 1000h
		jnz	short loc_4B3307
		or	ecx, 1000h
		mov	[esp+30h+var_22], 0
		mov	[edi+58h], ecx

loc_4B32B3:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+182j
		push	[esp+30h+var_20]
		push	edx
		push	[esp+38h+var_10]
		push	[esp+3Ch+var_14]
		call	_KiSwitchKernelStackAndCallout@16 ; KiSwitchKernelStackAndCallout(x,x,x,x)
		mov	ebx, eax
		mov	al, [esp+30h+var_23]
		test	al, 8
		jnz	loc_4B33A7
		mov	edx, [esp+30h+var_1C]
		mov	ecx, esi
		call	_MmDeleteKernelStack@8 ; MmDeleteKernelStack(x,x)

loc_4B32DE:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+23Aj
		cmp	[esp+30h+var_22], 0
		jnz	short loc_4B32EC
		and	dword ptr [edi+58h], 0FFFFEFFFh

loc_4B32EC:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+153j
		mov	esi, [esp+30h+var_C]
		call	esi
		cmp	al, [esp+30h+var_21]
		jnz	loc_5C1E2F
		mov	eax, ebx

loc_4B32FE:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+10EC4Cj
					; KiExpandKernelStackAndCalloutOnStackSegment+10EC74j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B3307:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+113j
		or	al, 2
		mov	[esp+30h+var_22], 2
		mov	[esp+30h+var_23], al
		jmp	short loc_4B32B3
; 

loc_4B3314:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+50j
		lea	eax, [esp+30h+var_8]
		mov	[esp+30h+var_18], eax
		test	edx, edx
		jz	loc_4B31E6
		mov	al, 10h
		mov	[esp+30h+var_23], al
		jmp	loc_4B31EA
; 

loc_4B332F:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+84j
					; KiExpandKernelStackAndCalloutOnStackSegment+CBj
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	loc_5C1DD7
		test	al, 1
		jnz	loc_5C1DCD

loc_4B3342:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+10EC41j
		bts	dword ptr [edi+58h], 0Fh
		jb	loc_5C1DE1

loc_4B334D:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+10EC57j
		push	[esp+30h+var_18]
		lea	esi, [ecx+8]
		push	0
		push	0
		push	19h
		push	esi
		call	KeWaitForSingleObject
		cmp	eax, 102h
		jz	loc_5C1DEC
		mov	edx, [ebp+arg_8]
		mov	cl, [edx+6]
		cmp	cl, [edx+5]
		jnb	loc_5C1E09
		movzx	eax, cl
		inc	cl
		mov	esi, [edx+eax*4+28h]
		mov	al, [esp+30h+var_23]
		or	al, 8
		mov	[edx+6], cl
		mov	[esp+30h+var_23], al
		test	al, 1
		jnz	loc_4B3261
		cmp	byte ptr [edx+4], 0
		jz	loc_4B3261
		jmp	loc_5C1E17
; 

loc_4B33A7:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+13Dj
		mov	ecx, [ebp+arg_8]
		add	byte ptr [ecx+6], 0FFh
		jnz	short loc_4B33BB
		test	al, 4
		jnz	short loc_4B33BB
		and	dword ptr [edi+58h], 0FFFF7FFFh

loc_4B33BB:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+21Ej
					; KiExpandKernelStackAndCalloutOnStackSegment+222j
		push	0
		push	0
		push	1
		lea	eax, [ecx+8]
		push	eax
		call	KeReleaseMutant
		jmp	loc_4B32DE
; 

loc_4B33CF:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+75j
		mov	edx, [ebp+arg_8]
		mov	ebx, 1
		or	al, 1
		mov	esi, ebx
		mov	[esp+30h+var_23], al
		mov	[esp+30h+var_1C], esi
		test	edx, edx
		jz	loc_4B3212
		jmp	loc_5C1DB9
; 

loc_4B33F0:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+D9j
		lea	ecx, [esi-0EFFFh]
		jmp	loc_4B3278
; 

loc_4B33FB:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+104j
		or	edx, 1
		test	bl, 4
		jz	loc_4B329A
		or	edx, 2
		jmp	loc_4B329A
KiExpandKernelStackAndCalloutOnStackSegment endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiAllocateMdlPagesByLists proc near	; CODE XREF: MiFindPagesForMdl+80p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C1E69 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 40h
		push	esi
		mov	esi, large fs:124h
		xor	eax, eax
		push	edi
		lea	edi, [ebp-3Ch]
		mov	[ebp-1Ch], ecx
		stosd
		xor	ecx, ecx
		mov	[ebp-28h], edx
		lea	edx, [ebp-3Ch]
		stosd
		stosd
		xor	eax, eax
		mov	[ebp-10h], eax
		mov	[ebp-18h], eax
		mov	eax, [ebx+18h]
		inc	eax
		push	eax
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	eax, [ebp-3Ch]
		mov	ecx, 1
		lock xadd [eax], ecx
		inc	ecx
		mov	eax, [esi+16Ch]
		dec	ecx
		mov	edx, [ebp-28h]
		or	esi, 0FFFFFFFFh
		mov	edi, [ebp-38h]
		and	edi, ecx
		mov	ecx, 8
		mov	eax, ds:_KiProcessorBlock[eax*4]
		or	edi, [ebp-34h]
		mov	[ebp-30h], eax
		mov	eax, [edx+14h]
		add	edx, 1Ch
		shr	eax, 0Ch
		mov	[ebp-0Ch], edi
		mov	[ebp-4], ecx
		lea	eax, [edx+eax*4]
		mov	edx, 1
		mov	[ebp-20h], eax
		mov	eax, [ebx+8]
		and	eax, 400h
		mov	[ebp-14h], edx
		mov	[ebp-24h], eax

loc_4B34B2:				; CODE XREF: MiAllocateMdlPagesByLists+1D8j
		cmp	edx, 1
		jz	loc_4B3606

loc_4B34BB:				; CODE XREF: MiAllocateMdlPagesByLists+210j
		test	eax, eax
		jnz	loc_5C1E5A
		push	ecx
		mov	ecx, [ebp-1Ch]
		mov	edx, edi
		call	MiGetPage

loc_4B34CE:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+10ECD4j
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jz	loc_4B3685
		mov	ecx, ds:_MmPfnDatabase
		lea	eax, ds:0[edi*8]
		sub	eax, edi
		mov	[ebp-2Ch], ecx
		lea	eax, [ecx+eax*4]
		mov	ecx, eax
		mov	[ebp-8], eax
		cmp	edi, [ebx+10h]
		ja	loc_5C1E75
		mov	edx, [ebx+0Ch]
		call	_MiPfnZeroingNeeded@8 ;	MiPfnZeroingNeeded(x,x)
		test	eax, eax
		jnz	loc_4B35ED

loc_4B350C:				; CODE XREF: MiAllocateMdlPagesByLists+1E0j
		cmp	esi, 0FFFFFFFFh
		jz	loc_4B3625

loc_4B3515:				; CODE XREF: MiAllocateMdlPagesByLists+236j
		mov	ecx, [ebp-8]
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		cmp	[eax+4], esi
		jnz	loc_5C1E69
		mov	edx, [ebx+8]
		mov	ecx, [ebp-8]
		and	edx, 1
		call	_MiIsFreshPfnFromZeroedList@4 ;	MiIsFreshPfnFromZeroedList(x)
		test	eax, eax
		jz	loc_4B35F5
		test	edx, edx
		jz	short loc_4B355D
		or	dword ptr [ebp-4], 2

loc_4B355D:				; CODE XREF: MiAllocateMdlPagesByLists+147j
					; MiAllocateMdlPagesByLists+1E7j ...
		mov	ecx, [ebp-8]
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	ecx, [ebp-8]
		inc	dword ptr [ebp-10h]
		mov	esi, [eax+4]
		mov	eax, [ebp-20h]
		mov	[eax], edi
		add	eax, 4
		sub	ecx, ds:_MmPfnDatabase
		mov	[ebp-20h], eax
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	cl, byte_6D068C
		mov	edx, [eax+4]
		mov	eax, dword_6D06D0
		and	eax, edi
		shl	edx, cl
		or	edx, eax
		mov	eax, dword_6D0680
		lea	edi, [edx+1]
		and	edi, eax
		not	eax
		and	eax, edx
		or	edi, eax
		mov	eax, [ebp-10h]
		mov	[ebp-0Ch], edi
		cmp	eax, [ebx+14h]
		jnb	short loc_4B364B
		mov	ecx, [ebp-4]
		mov	edx, [ebp-14h]
		mov	eax, [ebp-24h]
		jmp	loc_4B34B2
; 

loc_4B35ED:				; CODE XREF: MiAllocateMdlPagesByLists+F6j
		inc	dword ptr [ebp-18h]
		jmp	loc_4B350C
; 

loc_4B35F5:				; CODE XREF: MiAllocateMdlPagesByLists+13Fj
		test	edx, edx
		jnz	loc_4B355D
		and	dword ptr [ebp-4], 0FFFFFFFDh
		jmp	loc_4B355D
; 

loc_4B3606:				; CODE XREF: MiAllocateMdlPagesByLists+A5j
		xor	eax, eax
		mov	[ebp-14h], eax
		mov	eax, [ebx+8]
		not	eax
		and	eax, 1
		lea	ecx, ds:8[eax*2]
		mov	eax, [ebp-24h]
		mov	[ebp-4], ecx
		jmp	loc_4B34BB
; 

loc_4B3625:				; CODE XREF: MiAllocateMdlPagesByLists+FFj
		mov	ecx, [ebp-8]
		mov	eax, 92492493h
		sub	ecx, [ebp-2Ch]
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	esi, [eax+4]
		jmp	loc_4B3515
; 

loc_4B364B:				; CODE XREF: MiAllocateMdlPagesByLists+1CDj
					; MiAllocateMdlPagesByLists+278j
		mov	edx, 1

loc_4B3650:				; CODE XREF: MiAllocateMdlPagesByLists+10EA6Fj
		mov	esi, [ebp-10h]
		test	esi, esi
		jz	short loc_4B3660
		mov	eax, [ebp-30h]
		mov	[eax+4BCh], edi

loc_4B3660:				; CODE XREF: MiAllocateMdlPagesByLists+245j
		mov	ecx, [ebp-28h]
		mov	eax, edx
		shl	esi, 0Ch
		add	[ecx+14h], esi
		cmp	dword ptr [ebp-18h], 0
		jnz	short loc_4B367C

loc_4B3671:				; CODE XREF: MiAllocateMdlPagesByLists+273j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	14h
; 

loc_4B367C:				; CODE XREF: MiAllocateMdlPagesByLists+25Fj
		mov	dword ptr [ecx+0Ch], 1
		jmp	short loc_4B3671
; 

loc_4B3685:				; CODE XREF: MiAllocateMdlPagesByLists+C3j
		mov	edi, [ebp-0Ch]
		jmp	short loc_4B364B
MiAllocateMdlPagesByLists endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmCreateKernelStack proc near		; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+BEp
					; KiStartDynamicProcessor(x,x,x,x)+15Ep ...

var_50		= dword	ptr -50h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C1E84 SIZE 000000A5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		mov	eax, ecx
		mov	[esp+38h+var_C], edx
		mov	[esp+38h+var_24], ecx
		push	esi
		push	edi
		and	eax, 10h
		jnz	loc_4B385C
		mov	esi, [ebp+arg_0]
		mov	[esp+40h+var_28], esi
		test	esi, esi
		jz	loc_4B39E5

loc_4B36C0:				; CODE XREF: MmCreateKernelStack+1D5j
		test	cl, 1
		jnz	loc_4B39BE
		movzx	ecx, byte_6D3408
		mov	[esp+40h+var_30], ecx
		mov	[esp+40h+var_2C], ecx
		test	eax, eax
		jnz	loc_4B386A
		xor	edi, edi

loc_4B36E2:				; CODE XREF: MmCreateKernelStack+1F5j
					; MmCreateKernelStack+208j ...
		lea	eax, [edx+edx*2]
		mov	[esp+40h+var_20], eax
		lea	esp, [esp+0]

loc_4B36F0:				; CODE XREF: MmCreateKernelStack+27Cj
		add	eax, edi
		lea	ecx, [eax+eax*2]
		mov	eax, dword_6D069C
		lea	ebx, [eax+ecx*8]
		movzx	eax, word ptr [ebx+4]
		mov	[esp+40h+var_1C], eax
		test	ax, ax
		jz	loc_4B38FE
		cmp	edi, 1
		jz	loc_4B39B4
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+40h+var_31], al

loc_4B3723:				; CODE XREF: MmCreateKernelStack+329j
		mov	ecx, ebx
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	loc_4B38EF
		cmp	word ptr [esp+40h+var_1C], 1
		jz	loc_4B38D9

loc_4B373E:				; CODE XREF: MmCreateKernelStack+24Dj
					; MmCreateKernelStack+25Aj
		mov	ecx, [eax-8]
		lea	ebx, [eax-0FF8h]
		mov	eax, dword_6D35A4
		xor	eax, ebx
		cmp	ecx, eax
		jnz	loc_5C1E93
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		lea	esi, [ebx-40000000h]
		add	ebx, 8
		shl	ebx, 9
		mov	[esp+40h+var_C], ebx
		cmp	edi, 1
		jz	loc_4B3840
		movzx	eax, byte_6D3408
		mov	ecx, esi
		mov	ebx, [esp+40h+var_28]
		shl	eax, 3
		sub	ecx, eax
		add	ecx, 8
		mov	[esp+40h+var_10], ecx

loc_4B3791:				; CODE XREF: MmCreateKernelStack+19Cj
		mov	ecx, [esi]
		mov	[esp+40h+var_18], 0
		mov	[esp+40h+var_14], 0
		mov	[esp+40h+var_20], ecx
		nop
		mov	eax, [esi+4]
		mov	[esp+40h+var_18], eax
		mov	[esp+40h+var_8], ecx
		mov	[esp+40h+var_4], eax
		nop
		mov	edx, ecx
		mov	[esp+40h+var_1C], 0
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	edi, [eax+ecx*4]
		lea	eax, [edi+10h]
		lock bts dword ptr [eax], 1Fh
		jb	loc_5C1EA2

loc_4B37EB:				; CODE XREF: MmCreateKernelStack+10E82Ej
		mov	eax, [esi]
		nop
		mov	ecx, [esi+4]
		cmp	[esp+40h+var_20], eax
		jnz	short loc_4B381D
		cmp	[esp+40h+var_18], ecx
		jnz	short loc_4B381D
		mov	eax, ebx
		shr	eax, 2
		xor	eax, [edi]
		and	eax, 1FFFFFFEh
		xor	eax, [edi]
		mov	[edi], eax
		test	ebx, ebx
		jz	short loc_4B381A
		test	byte ptr [edi],	1
		jz	loc_4B39EF

loc_4B381A:				; CODE XREF: MmCreateKernelStack+17Fj
					; MmCreateKernelStack+36Bj
		sub	esi, 8

loc_4B381D:				; CODE XREF: MmCreateKernelStack+165j
					; MmCreateKernelStack+16Bj
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		cmp	esi, [esp+40h+var_10]
		jnb	loc_4B3791
		mov	cl, [esp+40h+var_31]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [esp+40h+var_C]

loc_4B3840:				; CODE XREF: MmCreateKernelStack+E2j
					; MmCreateKernelStack+244j
		mov	esi, [esp+40h+var_30]

loc_4B3844:				; CODE XREF: MmCreateKernelStack+31Fj
		test	ds:byte_70EFC4,	1
		jnz	loc_5C1F07

loc_4B3851:				; CODE XREF: MmCreateKernelStack+10E87Cj
					; MmCreateKernelStack+10E894j
		mov	eax, ebx

loc_4B3853:				; CODE XREF: MmCreateKernelStack+10E872j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4B385C:				; CODE XREF: MmCreateKernelStack+1Bj
		mov	esi, 0FFFFFFF0h

loc_4B3861:				; CODE XREF: MmCreateKernelStack+35Aj
		mov	[esp+40h+var_28], esi
		jmp	loc_4B36C0
; 

loc_4B386A:				; CODE XREF: MmCreateKernelStack+4Aj
		mov	ecx, large fs:20h
		mov	edi, 1
		mov	eax, [ecx+338h]
		movzx	eax, word ptr [eax+8Ah]
		cmp	eax, edx
		jnz	loc_4B36E2
		cmp	dword ptr [ecx+4C4h], 0
		lea	eax, [ecx+4C4h]
		jz	loc_4B36E2
		xor	ebx, ebx
		xchg	ebx, [eax]
		test	ebx, ebx
		jz	loc_4B36E2
		mov	eax, dword_6D35A4
		add	ebx, 0FFFFF008h
		xor	eax, ebx
		mov	ecx, [ebx+0FF0h]
		cmp	ecx, eax
		jnz	loc_5C1E84
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		add	ebx, 8
		shl	ebx, 9
		jmp	loc_4B3840
; 

loc_4B38D9:				; CODE XREF: MmCreateKernelStack+A8j
		cmp	dword ptr [ebx+14h], 0
		jnz	loc_4B373E
		mov	dword ptr [ebx+14h], 1
		jmp	loc_4B373E
; 

loc_4B38EF:				; CODE XREF: MmCreateKernelStack+9Cj
		cmp	edi, 1
		jz	short loc_4B38FE
		mov	cl, [esp+40h+var_31]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4B38FE:				; CODE XREF: MmCreateKernelStack+78j
					; MmCreateKernelStack+262j
		inc	dword ptr [ebx+0Ch]
		cmp	edi, 1
		jnz	short loc_4B3911
		mov	eax, [esp+40h+var_20]
		xor	edi, edi
		jmp	loc_4B36F0
; 

loc_4B3911:				; CODE XREF: MmCreateKernelStack+274j
		mov	ecx, [esp+40h+var_24]
		mov	ebx, [esp+40h+var_30]

loc_4B3919:				; CODE XREF: MmCreateKernelStack+344j
					; MmCreateKernelStack+374j
		mov	eax, ecx
		mov	edx, ebx
		shr	eax, 1
		mov	ecx, offset _MiSystemPartition
		and	eax, 1
		push	eax
		call	MiChargeCommit
		test	eax, eax
		jz	loc_5C1F00
		lea	edx, [ebx+1]
		mov	ecx, offset unk_6D33D0
		call	MiReservePtes
		mov	edi, eax
		test	edi, edi
		jz	loc_5C1EC3
		mov	eax, [esp+40h+var_24]
		inc	ebx
		and	al, 5
		mov	[esp+40h+var_28], edi
		lea	ebx, [edi+ebx*8]
		shl	ebx, 9
		cmp	al, 1
		jz	short loc_4B39D9

loc_4B3961:				; CODE XREF: MmCreateKernelStack+350j
		mov	edx, [esp+40h+var_2C]
		mov	ecx, offset _MiSystemPartition
		push	0
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jz	loc_5C1EE0
		push	[esp+40h+var_24]
		mov	edx, [esp+44h+var_28]
		mov	ecx, offset _MiSystemPartition
		push	[esp+44h+var_C]
		add	edx, 8
		push	esi
		mov	esi, [esp+4Ch+var_2C]
		push	esi
		call	MiAllocateKernelStackPages
		test	eax, eax
		jz	loc_5C1EC7
		mov	esi, [esp+40h+var_30]
		mov	ecx, offset unk_6D3628
		mov	eax, esi
		lock xadd [ecx], eax
		jmp	loc_4B3844
; 

loc_4B39B4:				; CODE XREF: MmCreateKernelStack+81j
		mov	[esp+40h+var_31], 21h
		jmp	loc_4B3723
; 

loc_4B39BE:				; CODE XREF: MmCreateKernelStack+33j
		mov	ebx, 0Fh
		mov	[esp+40h+var_30], ebx
		test	cl, 4
		jnz	short loc_4B3A00
		mov	[esp+40h+var_2C], 3
		jmp	loc_4B3919
; 

loc_4B39D9:				; CODE XREF: MmCreateKernelStack+2CFj
		lea	eax, [edi+60h]
		mov	[esp+40h+var_28], eax
		jmp	loc_4B3961
; 

loc_4B39E5:				; CODE XREF: MmCreateKernelStack+2Aj
		mov	esi, 0FFFFFFF8h
		jmp	loc_4B3861
; 

loc_4B39EF:				; CODE XREF: MmCreateKernelStack+184j
		mov	edx, 1
		mov	ecx, edi
		call	_MiMarkPfnTradable@8 ; MiMarkPfnTradable(x,x)
		jmp	loc_4B381A
; 

loc_4B3A00:				; CODE XREF: MmCreateKernelStack+33Aj
		mov	[esp+40h+var_2C], ebx
		jmp	loc_4B3919
MmCreateKernelStack endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmDeleteKernelStack(x, x)
_MmDeleteKernelStack@8 proc near	; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+149p
					; KiStartDynamicProcessor(x,x,x,x)+4D2p ...

var_38		= dword	ptr -38h
var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		test	ds:byte_70EFC4,	1
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		mov	[esp+38h+var_24], eax
		mov	ebx, ecx
		jz	short loc_4B3A55
		test	al, 2
		jz	short loc_4B3A55
		mov	edx, 0Fh
		test	al, 1
		jnz	short loc_4B3A43
		movzx	edx, byte_6D3408

loc_4B3A43:				; CODE XREF: MmDeleteKernelStack(x,x)+2Aj
		mov	eax, edx
		shl	eax, 0Ch
		push	0
		sub	ecx, eax
		call	_MiLogKernelStackEvent@12 ; MiLogKernelStackEvent(x,x,x)
		mov	eax, [esp+38h+var_24]

loc_4B3A55:				; CODE XREF: MmDeleteKernelStack(x,x)+1Dj
					; MmDeleteKernelStack(x,x)+21j
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		sub	ebx, 40000008h
		nop
		nop
		test	al, 1
		jnz	loc_4B3CAE
		mov	ecx, [ebx]
		nop
		mov	eax, [ebx+4]
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		mov	ecx, ds:_MmPfnDatabase
		lea	esi, [ecx+eax*4]
		mov	eax, 92492493h
		sub	esi, ecx
		imul	esi
		add	edx, esi
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		xor	edx, edx
		test	byte ptr [esp+38h+var_24], 4
		mov	[esp+38h+var_20], edx
		mov	esi, [eax+4]
		mov	[esp+38h+var_4], esi
		jz	loc_4B3C05
		mov	esi, 7FFFFFFFh
		jmp	short loc_4B3AD0
; 
		align 10h

loc_4B3AD0:				; CODE XREF: MmDeleteKernelStack(x,x)+B8j
					; MmDeleteKernelStack(x,x)+158j
		mov	eax, [ebx]
		mov	[esp+38h+var_10], 0
		mov	[esp+38h+var_C], 0
		mov	[esp+38h+var_18], eax
		nop
		mov	ecx, [ebx+4]
		mov	[esp+38h+var_14], ecx
		nop
		mov	edx, eax
		mov	eax, ecx
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	edi, [eax+ecx*4]
		mov	cl, 2
		mov	[esp+38h+var_10], edi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	dl, al
		mov	[esp+38h+var_1C], 0
		mov	[esp+38h+var_25], dl
		add	edi, 10h
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_4B3B4B

loc_4B3B32:				; CODE XREF: MmDeleteKernelStack(x,x)+12Ej
					; MmDeleteKernelStack(x,x)+135j
		lea	ecx, [esp+38h+var_1C]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_4B3B32
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4B3B32
		mov	dl, [esp+38h+var_25]

loc_4B3B4B:				; CODE XREF: MmDeleteKernelStack(x,x)+120j
		mov	eax, [ebx]
		nop
		mov	ecx, [ebx+4]
		cmp	[esp+38h+var_18], eax
		jnz	short loc_4B3B5D
		cmp	[esp+38h+var_14], ecx
		jz	short loc_4B3B6D

loc_4B3B5D:				; CODE XREF: MmDeleteKernelStack(x,x)+145j
		lock and [edi],	esi
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4B3AD0
; 

loc_4B3B6D:				; CODE XREF: MmDeleteKernelStack(x,x)+14Bj
		mov	eax, [esp+38h+var_10]
		mov	eax, [eax]
		test	eax, 1FFFFFFEh
		jnz	short loc_4B3B84
		mov	[esp+38h+var_1C], 0
		jmp	short loc_4B3B93
; 

loc_4B3B84:				; CODE XREF: MmDeleteKernelStack(x,x)+168j
		and	eax, 0FFFFFFFEh
		or	eax, 0E0000000h
		shl	eax, 2
		mov	[esp+38h+var_1C], eax

loc_4B3B93:				; CODE XREF: MmDeleteKernelStack(x,x)+172j
		mov	eax, esi
		lock and [edi],	eax
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[esp+38h+var_1C], 0FFFFFFF0h
		mov	esi, [esp+38h+var_4]
		jnz	short loc_4B3C03
		mov	ecx, large fs:20h
		mov	eax, [ecx+338h]
		movzx	eax, word ptr [eax+8Ah]
		cmp	eax, esi
		jnz	short loc_4B3BF8
		cmp	dword ptr [ecx+4C4h], 0
		lea	edx, [ecx+4C4h]
		jnz	short loc_4B3BF8
		mov	eax, dword_6D35A4
		mov	ecx, ebx
		shl	ecx, 9
		xor	eax, ecx
		mov	[ecx+0FF0h], eax
		add	ecx, 0FF8h
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	loc_4B3CB7

loc_4B3BF8:				; CODE XREF: MmDeleteKernelStack(x,x)+1B1j
					; MmDeleteKernelStack(x,x)+1C0j
		mov	edx, 1
		mov	[esp+38h+var_20], edx
		jmp	short loc_4B3C05
; 

loc_4B3C03:				; CODE XREF: MmDeleteKernelStack(x,x)+199j
		xor	edx, edx

loc_4B3C05:				; CODE XREF: MmDeleteKernelStack(x,x)+ADj
					; MmDeleteKernelStack(x,x)+1F1j
		lea	eax, [esi+esi*2]
		mov	[esp+38h+var_4], eax
		lea	esp, [esp+0]

loc_4B3C10:				; CODE XREF: MmDeleteKernelStack(x,x)+266j
		add	eax, edx
		lea	ecx, [eax+eax*2]
		mov	eax, dword_6D069C
		lea	edi, [eax+ecx*8]
		movzx	eax, word ptr [edi+4]
		cmp	eax, [edi+8]
		jge	short loc_4B3C67
		mov	eax, dword_6D35A4
		mov	esi, ebx
		shl	esi, 9
		xor	eax, esi
		mov	[esi+0FF0h], eax
		cmp	edx, 1
		jz	short loc_4B3C96
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, [esp+38h+var_24]
		mov	ecx, ebx
		mov	[esp+38h+var_25], al
		call	MiClearStackOwners
		cmp	eax, 1
		jz	short loc_4B3C78
		mov	cl, [esp+38h+var_25]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+38h+var_20]

loc_4B3C67:				; CODE XREF: MmDeleteKernelStack(x,x)+214j
		cmp	edx, 1
		jnz	short loc_4B3CAA
		mov	eax, [esp+38h+var_4]
		xor	edx, edx
		mov	[esp+38h+var_20], edx
		jmp	short loc_4B3C10
; 

loc_4B3C78:				; CODE XREF: MmDeleteKernelStack(x,x)+247j
		lea	edx, [esi+0FF8h]
		mov	ecx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	cl, [esp+38h+var_25]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B3C96:				; CODE XREF: MmDeleteKernelStack(x,x)+22Bj
		lea	edx, [esi+0FF8h]
		mov	ecx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B3CAA:				; CODE XREF: MmDeleteKernelStack(x,x)+25Aj
		mov	eax, [esp+38h+var_24]

loc_4B3CAE:				; CODE XREF: MmDeleteKernelStack(x,x)+58j
		mov	edx, eax
		mov	ecx, ebx
		call	_MiDeleteKernelStack@8 ; MiDeleteKernelStack(x,x)

loc_4B3CB7:				; CODE XREF: MmDeleteKernelStack(x,x)+1E2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MmDeleteKernelStack@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiClearStackOwners proc	near		; CODE XREF: MmDeleteKernelStack(x,x)+23Fp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C1F29 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		mov	ebx, 1
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_10], ebx
		mov	[ebp+var_4], esi
		push	edi
		mov	edi, ecx
		test	dl, bl
		jnz	loc_5C1F29
		movzx	ecx, byte_6D3408
		mov	eax, ecx
		neg	eax
		lea	edi, [edi+eax*8]

loc_4B3CF1:				; CODE XREF: MiClearStackOwners+10E271j
		lea	eax, [ecx+1]
		lea	eax, [edi+eax*8]
		add	edi, 8
		mov	[ebp+var_24], eax
		cmp	edi, eax
		jnb	loc_4B3DF0
		jmp	short loc_4B3D10
; 
		align 10h

loc_4B3D10:				; CODE XREF: MiClearStackOwners+45j
					; MiClearStackOwners+10Aj
		mov	ebx, [edi]
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 0
		nop
		mov	ecx, [edi+4]
		mov	eax, ebx
		and	eax, 1
		mov	[ebp+var_1C], ecx
		or	eax, 0
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ecx
		jz	loc_4B3DE2
		nop
		mov	eax, ecx
		mov	[ebp+var_14], 0
		mov	edx, ebx
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	ecx, [eax+ecx*4]
		lea	eax, [ecx+10h]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], eax
		lock bts dword ptr [eax], 1Fh
		jb	loc_5C1F36

loc_4B3D76:				; CODE XREF: MiClearStackOwners+10E294j
		mov	eax, [edi]
		nop
		mov	edx, [edi+4]
		cmp	ebx, eax
		jnz	short loc_4B3DBC
		cmp	[ebp+var_1C], edx
		jnz	short loc_4B3DBC
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		cmp	esi, 0FFFFFFFFh
		jz	short loc_4B3DDA
		cmp	esi, [eax+4]
		jnz	short loc_4B3DE7

loc_4B3DAD:				; CODE XREF: MiClearStackOwners+120j
					; MiClearStackOwners+12Ej
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx]
		and	eax, 0E0000001h
		add	edi, 8
		mov	[ecx], eax

loc_4B3DBC:				; CODE XREF: MiClearStackOwners+BEj
					; MiClearStackOwners+C3j
		mov	ecx, [ebp+var_C]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax

loc_4B3DC7:				; CODE XREF: MiClearStackOwners+125j
		cmp	edi, [ebp+var_24]
		jb	loc_4B3D10
		mov	eax, [ebp+var_10]

loc_4B3DD3:				; CODE XREF: MiClearStackOwners+132j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B3DDA:				; CODE XREF: MiClearStackOwners+E6j
		mov	esi, [eax+4]
		mov	[ebp+var_4], esi
		jmp	short loc_4B3DAD
; 

loc_4B3DE2:				; CODE XREF: MiClearStackOwners+75j
		add	edi, 8
		jmp	short loc_4B3DC7
; 

loc_4B3DE7:				; CODE XREF: MiClearStackOwners+EBj
		mov	[ebp+var_10], 0
		jmp	short loc_4B3DAD
; 

loc_4B3DF0:				; CODE XREF: MiClearStackOwners+3Fj
		mov	eax, ebx
		jmp	short loc_4B3DD3
MiClearStackOwners endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiSearchNumaNodeTable proc near		; CODE XREF: .text:0044904Cp
					; MiMigratePfn(x,x,x,x)+EEp ...

; FUNCTION CHUNK AT 005C1F59 SIZE 00000069 BYTES

		mov	edx, dword_6D0684
		push	esi
		mov	esi, dword_6D0688
		cmp	edx, esi
		ja	loc_5C1F62
		mov	eax, dword_6D06B0
		cmp	ecx, [eax+edx*8]
		lea	eax, [eax+edx*8]
		jb	loc_5C1F62
		cmp	edx, esi
		jnz	loc_5C1F59

loc_4B3E2E:				; CODE XREF: MiSearchNumaNodeTable+10E15Cj
		pop	esi
		retn
MiSearchNumaNodeTable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiIncreaseAvailablePages proc near	; CODE XREF: MiInsertLargePageInNodeList(x)+364p
					; MiUnlinkNodeLargePageHelper(x,x,x,x,x)+46p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C1FC2 SIZE 00000173 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_20]
		stosd
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_10], ebx
		inc	ecx
		stosd
		stosd
		lea	eax, [ebx+0FC0h]
		cmp	edx, ecx
		jz	loc_5C1FC2
		mov	esi, edx
		lock xadd [eax], esi
		mov	ecx, esi
		xor	edi, edi
		add	esi, edx
		mov	[ebp+var_8], ecx
		mov	eax, 0A0h
		mov	[ebp+var_14], esi
		mov	edx, edi
		mov	[ebp+var_4], edx
		cmp	ecx, eax
		jb	loc_5C20A7

loc_4B3E7D:				; CODE XREF: MiIncreaseAvailablePages+10E279j
					; MiIncreaseAvailablePages+10E285j
		cmp	ecx, 22h
		jb	loc_5C20BA

loc_4B3E86:				; CODE XREF: MiIncreaseAvailablePages+10E28Dj
					; MiIncreaseAvailablePages+10E29Bj
		mov	eax, 420h
		cmp	ecx, eax
		jb	loc_4B3F3D

loc_4B3E93:				; CODE XREF: MiIncreaseAvailablePages+10Fj
					; MiIncreaseAvailablePages+11Bj
		test	edx, edx
		jnz	short loc_4B3EB8

loc_4B3E97:				; CODE XREF: MiIncreaseAvailablePages+108j
		mov	eax, [ebx+0B30h]
		cmp	ecx, eax
		jbe	loc_5C2117

loc_4B3EA5:				; CODE XREF: MiIncreaseAvailablePages+10E2E9j
		mov	eax, [ebx+0B2Ch]
		cmp	ecx, eax
		jbe	loc_5C2121

loc_4B3EB3:				; CODE XREF: MiIncreaseAvailablePages+10E26Cj
					; MiIncreaseAvailablePages+10E2F3j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4B3EB8:				; CODE XREF: MiIncreaseAvailablePages+65j
		test	ds:byte_70EFC6,	21h
		lea	ecx, [ebx+0A80h]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_20], edi
		jnz	loc_5C20D0
		lea	eax, [ebp+var_20]
		xchg	eax, [ecx]
		test	eax, eax
		jnz	loc_5C20DC

loc_4B3EDE:				; CODE XREF: MiIncreaseAvailablePages+10E2B9j
		mov	ecx, edi
		lea	esi, [ebx+0A94h]
		mov	[ebp+var_C], ecx
		xor	ebx, ebx

loc_4B3EEB:				; CODE XREF: MiIncreaseAvailablePages+CEj
		lea	eax, [ebx+1]
		shl	eax, cl
		test	eax, edx
		jnz	short loc_4B3F50

loc_4B3EF4:				; CODE XREF: MiIncreaseAvailablePages+133j
		inc	ecx
		add	esi, 14h
		mov	[ebp+var_C], ecx
		cmp	ecx, 3
		jl	short loc_4B3EEB
		test	ds:byte_70EFC6,	1
		mov	ebx, [ebp+var_10]
		mov	esi, [ebp+var_14]
		jnz	loc_5C20EE
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	loc_5C2106
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_20]
		cmp	eax, ecx
		jnz	loc_5C20FE

loc_4B3F35:				; CODE XREF: MiIncreaseAvailablePages+10E2C9j
					; MiIncreaseAvailablePages+10E2E2j
		mov	ecx, [ebp+var_8]
		jmp	loc_4B3E97
; 

loc_4B3F3D:				; CODE XREF: MiIncreaseAvailablePages+5Dj
		cmp	esi, eax
		jb	loc_4B3E93
		or	edx, 4
		mov	[ebp+var_4], edx
		jmp	loc_4B3E93
; 

loc_4B3F50:				; CODE XREF: MiIncreaseAvailablePages+C2j
		push	edi
		push	edi
		lea	eax, [esi-10h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		inc	dword ptr [esi]
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		jmp	short loc_4B3EF4
MiIncreaseAvailablePages endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateLargePageCandidates(x, x, x)
_MiUpdateLargePageCandidates@12	proc near ; CODE XREF: MiInsertLargePageInNodeList(x)+352p
					; MiInitializeRebuildCandidateCounts(x,x)+8Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte_6D5872, 0
		push	esi
		mov	esi, ecx
		jz	short loc_4B3F9A
		cmp	edx, 1
		jnz	short loc_4B3F9A
		mov	eax, dword_6D5950
		mov	edx, esi
		shr	edx, 9
		cmp	[ebp+arg_0], 0
		jle	short loc_4B3FBF
		inc	byte ptr [eax+edx]
		mov	eax, dword_6D5950
		cmp	byte ptr [eax+edx], 20h
		jz	short loc_4B3FA1

loc_4B3F9A:				; CODE XREF: MiUpdateLargePageCandidates(x,x,x)+Fj
					; MiUpdateLargePageCandidates(x,x,x)+14j ...
		xor	eax, eax

loc_4B3F9C:				; CODE XREF: MiUpdateLargePageCandidates(x,x,x)+57j
		pop	esi
		pop	ebp
		retn	4
; 

loc_4B3FA1:				; CODE XREF: MiUpdateLargePageCandidates(x,x,x)+32j
		shr	esi, 12h
		xor	eax, eax
		mov	edx, esi
		and	esi, 7
		shr	edx, 3
		add	edx, dword_6D5958
		movsx	ecx, byte ptr [edx]
		bts	ecx, esi
		inc	eax
		mov	[edx], cl
		jmp	short loc_4B3F9C
; 

loc_4B3FBF:				; CODE XREF: MiUpdateLargePageCandidates(x,x,x)+24j
		dec	byte ptr [eax+edx]
		jmp	short loc_4B3F9A
_MiUpdateLargePageCandidates@12	endp


;  S U B	R O U T	I N E 


; __stdcall MiIsPageOnBadList(x)
_MiIsPageOnBadList@4 proc near		; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+C7Dp
					; MiGetWorkingSetInfoList(x,x,x,x)+E83p ...
		mov	al, [ecx+16h]
		and	al, 7
		cmp	al, 5
		jz	short loc_4B3FD0

loc_4B3FCD:				; CODE XREF: MiIsPageOnBadList(x)+17j
		xor	eax, eax
		retn
; 

loc_4B3FD0:				; CODE XREF: MiIsPageOnBadList(x)+7j
		mov	eax, [ecx+4]
		or	eax, 80000000h
		cmp	eax, 0FFFFFFFCh
		jnz	short loc_4B3FCD
		xor	eax, eax
		inc	eax
		retn
_MiIsPageOnBadList@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiIsFreshPfnFromZeroedList(x)
_MiIsFreshPfnFromZeroedList@4 proc near	; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+554p
					; MiAllocateMdlPagesByLists+138p ...
		mov	eax, [ecx+8]
		xor	ecx, ecx
		and	eax, 3E0h
		or	eax, ecx
		jnz	short loc_4B3FF1
		inc	ecx

loc_4B3FF1:				; CODE XREF: MiIsFreshPfnFromZeroedList(x)+Cj
		mov	eax, ecx
		retn
_MiIsFreshPfnFromZeroedList@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiPfnZeroingNeeded(x, x)
_MiPfnZeroingNeeded@8 proc near		; CODE XREF: .text:0045D695p
					; MiGetPage+7DAp ...
		mov	eax, [ecx+8]
		and	eax, 3E0h
		or	eax, 0
		jnz	short loc_4B400F
		movzx	ecx, byte ptr [ecx+16h]
		shr	ecx, 6
		cmp	ecx, edx
		jnz	short loc_4B4013

loc_4B400C:				; CODE XREF: MiPfnZeroingNeeded(x,x)+2Fj
		xor	eax, eax
		retn
; 

loc_4B400F:				; CODE XREF: MiPfnZeroingNeeded(x,x)+Bj
					; MiPfnZeroingNeeded(x,x)+31j
		xor	eax, eax
		inc	eax
		retn
; 

loc_4B4013:				; CODE XREF: MiPfnZeroingNeeded(x,x)+16j
		mov	al, 1
		shl	al, cl
		movzx	eax, al
		bts	eax, edx
		test	byte_6D078C, al
		jz	short loc_4B400C
		jmp	short loc_4B400F
_MiPfnZeroingNeeded@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpCopyExtendedContext(x, x, x, x,	x, x)
_RtlpCopyExtendedContext@24 proc near	; CODE XREF: KiDispatchException+4BAp
					; RtlpReadExtendedContext+11Ap	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_1], cl
		mov	ecx, [ebp+arg_4]
		lea	edx, [ebp+var_8]
		mov	[ebp+var_C], ebx
		call	RtlpValidateContextFlags
		test	eax, eax
		js	short loc_4B4098
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_4B4056
		mov	esi, ebx

loc_4B4056:				; CODE XREF: RtlpCopyExtendedContext(x,x,x,x,x,x)+2Aj
		mov	ebx, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jz	short loc_4B409D

loc_4B4061:				; CODE XREF: RtlpCopyExtendedContext(x,x,x,x,x,x)+77j
		test	byte ptr [ebp+var_8], 1
		jz	short loc_4B408E
		mov	ecx, [esi+8]
		mov	edx, [edi+8]
		cmp	ecx, edx
		jnz	short loc_4B40B5
		mov	eax, [esi+0Ch]
		cmp	eax, [edi+0Ch]
		jb	short loc_4B40B5
		lea	eax, [edx+ebx]
		mov	edx, [ebp+var_C]
		push	eax
		push	[ebp+arg_4]
		lea	edx, [ecx+edx]
		mov	cl, [ebp+var_1]
		call	RtlpCopyLegacyContext

loc_4B408E:				; CODE XREF: RtlpCopyExtendedContext(x,x,x,x,x,x)+3Dj
		test	byte ptr [ebp+var_8], 2
		jnz	short loc_4B40A1

loc_4B4094:				; CODE XREF: RtlpCopyExtendedContext(x,x,x,x,x,x)+89j
		xor	eax, eax

loc_4B4096:				; CODE XREF: RtlpCopyExtendedContext(x,x,x,x,x,x)+8Bj
					; RtlpCopyExtendedContext(x,x,x,x,x,x)+92j
		pop	edi
		pop	esi

loc_4B4098:				; CODE XREF: RtlpCopyExtendedContext(x,x,x,x,x,x)+22j
		pop	ebx
		leave
		retn	10h
; 

loc_4B409D:				; CODE XREF: RtlpCopyExtendedContext(x,x,x,x,x,x)+37j
		mov	edi, ebx
		jmp	short loc_4B4061
; 

loc_4B40A1:				; CODE XREF: RtlpCopyExtendedContext(x,x,x,x,x,x)+6Aj
		mov	edx, [ebp+var_C]
		mov	cl, [ebp+var_1]
		push	edi
		push	ebx
		push	esi
		call	RtlpCopyXStateChunk
		test	eax, eax
		jns	short loc_4B4094
		jmp	short loc_4B4096
; 

loc_4B40B5:				; CODE XREF: RtlpCopyExtendedContext(x,x,x,x,x,x)+47j
					; RtlpCopyExtendedContext(x,x,x,x,x,x)+4Fj
		mov	eax, 0C000000Dh
		jmp	short loc_4B4096
_RtlpCopyExtendedContext@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCopyLegacyContext proc near		; CODE XREF: RtlpCopyExtendedContext(x,x,x,x,x,x)+61p
					; RtlCopyContext+93p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C2135 SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, 10000h
		jz	loc_5C2135
		push	[ebp+arg_4]
		push	eax
		call	RtlpCopyLegacyContextX86

loc_4B40D8:				; CODE XREF: RtlpCopyLegacyContext+10E089j
					; RtlpCopyLegacyContext+10E09Ej ...
		pop	ebp
		retn	8
RtlpCopyLegacyContext endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCopyLegacyContextX86 proc near	; CODE XREF: RtlpCopyLegacyContext+17p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C2178 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, eax
		and	esi, 67FFFFFFh
		mov	[edx], esi
		test	cl, cl
		jz	loc_4B424D
		push	ebx
		mov	ebx, [ebp+arg_4]
		test	eax, 40000000h
		jnz	loc_5C2178

loc_4B410A:				; CODE XREF: RtlpCopyLegacyContextX86+10E0A4j
		mov	ecx, eax
		and	ecx, 10001h
		cmp	ecx, 10001h
		jnz	short loc_4B4162
		mov	ecx, [ebx+0B4h]
		mov	[edx+0B4h], ecx
		mov	ecx, [ebx+0B8h]
		mov	[edx+0B8h], ecx
		mov	ecx, [ebx+0BCh]
		mov	[edx+0BCh], ecx
		mov	ecx, [ebx+0C0h]
		mov	[edx+0C0h], ecx
		mov	ecx, [ebx+0C4h]
		mov	[edx+0C4h], ecx
		mov	ecx, [ebx+0C8h]
		mov	[edx+0C8h], ecx

loc_4B4162:				; CODE XREF: RtlpCopyLegacyContextX86+38j
		mov	ecx, eax
		and	ecx, 10002h
		cmp	ecx, 10002h
		jnz	short loc_4B41BA
		mov	ecx, [ebx+9Ch]
		mov	[edx+9Ch], ecx
		mov	ecx, [ebx+0A0h]
		mov	[edx+0A0h], ecx
		mov	ecx, [ebx+0A4h]
		mov	[edx+0A4h], ecx
		mov	ecx, [ebx+0ACh]
		mov	[edx+0ACh], ecx
		mov	ecx, [ebx+0A8h]
		mov	[edx+0A8h], ecx
		mov	ecx, [ebx+0B0h]
		mov	[edx+0B0h], ecx

loc_4B41BA:				; CODE XREF: RtlpCopyLegacyContextX86+90j
		mov	ecx, eax
		and	ecx, 10004h
		cmp	ecx, 10004h
		jnz	short loc_4B41FA
		mov	ecx, [ebx+8Ch]
		mov	[edx+8Ch], ecx
		mov	ecx, [ebx+90h]
		mov	[edx+90h], ecx
		mov	ecx, [ebx+94h]
		mov	[edx+94h], ecx
		mov	ecx, [ebx+98h]
		mov	[edx+98h], ecx

loc_4B41FA:				; CODE XREF: RtlpCopyLegacyContextX86+E8j
		mov	ecx, eax
		and	ecx, 10008h
		push	edi
		cmp	ecx, 10008h
		jz	short loc_4B4252

loc_4B420B:				; CODE XREF: RtlpCopyLegacyContextX86+17Fj
		mov	ecx, eax
		and	ecx, 10010h
		cmp	ecx, 10010h
		jnz	short loc_4B423F
		mov	ecx, [ebx+4]
		mov	[edx+4], ecx
		mov	ecx, [ebx+8]
		mov	[edx+8], ecx
		mov	ecx, [ebx+0Ch]
		mov	[edx+0Ch], ecx
		mov	ecx, [ebx+10h]
		mov	[edx+10h], ecx
		mov	ecx, [ebx+14h]
		mov	[edx+14h], ecx
		mov	ecx, [ebx+18h]
		mov	[edx+18h], ecx

loc_4B423F:				; CODE XREF: RtlpCopyLegacyContextX86+139j
		and	eax, 10020h
		cmp	eax, 10020h
		jz	short loc_4B4261

loc_4B424B:				; CODE XREF: RtlpCopyLegacyContextX86+194j
		pop	edi
		pop	ebx

loc_4B424D:				; CODE XREF: RtlpCopyLegacyContextX86+15j
		pop	esi
		pop	ebp
		retn	8
; 

loc_4B4252:				; CODE XREF: RtlpCopyLegacyContextX86+129j
		lea	esi, [ebx+1Ch]
		mov	ecx, 1Ch
		lea	edi, [edx+1Ch]
		rep movsd
		jmp	short loc_4B420B
; 

loc_4B4261:				; CODE XREF: RtlpCopyLegacyContextX86+169j
		lea	esi, [ebx+0CCh]
		mov	ecx, 48h
		lea	edi, [edx+0CCh]
		rep movsd
		jmp	short loc_4B424B
RtlpCopyLegacyContextX86 endp


;  S U B	R O U T	I N E 


RtlpSanitizeContextFlags proc near	; CODE XREF: KiRaiseException(x,x,x,x,x)+82p
					; KiContinuePreviousModeUser+38p ...

; FUNCTION CHUNK AT 005C2189 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		xor	edx, edx
		mov	ecx, [esi]
		call	RtlpValidateContextFlags
		mov	edx, 10000h
		mov	ecx, 0C000000Dh
		test	eax, eax
		js	short loc_4B4299
		test	[esi], edx
		jz	short loc_4B42A4

loc_4B4299:				; CODE XREF: RtlpSanitizeContextFlags+1Dj
					; RtlpSanitizeContextFlags+30j
		cmp	eax, ecx
		jz	loc_5C2189

loc_4B42A1:				; CODE XREF: RtlpSanitizeContextFlags+10DF15j
					; RtlpSanitizeContextFlags+10DF28j
		pop	esi
		pop	ebx
		retn
; 

loc_4B42A4:				; CODE XREF: RtlpSanitizeContextFlags+21j
		mov	eax, ecx
		jmp	short loc_4B4299
RtlpSanitizeContextFlags endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetExtendedContextLength(x, x)
_RtlGetExtendedContextLength@8 proc near ; CODE	XREF: KiRaiseException(x,x,x,x,x)+95p
					; KiContinuePreviousModeUser+47p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, edx
		xor	esi, esi
		push	edi
		lea	edx, [ebp+var_4]
		mov	[ebp+var_4], esi
		mov	edi, ecx
		call	RtlpValidateContextFlags
		test	eax, eax
		js	short loc_4B42D9
		test	byte ptr [ebp+var_4], 2
		mov	eax, esi
		jnz	short loc_4B42DE

loc_4B42CE:				; CODE XREF: RtlGetExtendedContextLength(x,x)+4Dj
		push	eax
		push	esi
		mov	edx, ebx
		mov	ecx, edi
		call	RtlGetExtendedContextLength2

loc_4B42D9:				; CODE XREF: RtlGetExtendedContextLength(x,x)+1Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4B42DE:				; CODE XREF: RtlGetExtendedContextLength(x,x)+24j
		mov	esi, ds:0FFDF03D8h
		mov	eax, ds:0FFDF03DCh
		or	esi, ds:0FFDF0708h
		or	eax, ds:0FFDF070Ch
		jmp	short loc_4B42CE
_RtlGetExtendedContextLength@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlGetExtendedContextLength2 proc near	; CODE XREF: RtlGetExtendedContextLength(x,x)+2Cp
					; NtCreateThreadEx+DCp	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C21A3 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	eax, eax
		mov	ebx, edx
		push	esi
		lea	edx, [ebp+var_8]
		mov	[ebp+var_8], eax
		mov	esi, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		call	RtlpValidateContextFlags
		test	eax, eax
		js	short loc_4B4343
		push	edi
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_4]
		call	RtlpGetLegacyContextLength
		mov	eax, [ebp+var_4]
		mov	edi, [ebp+var_C]
		add	eax, 18h
		test	byte ptr [ebp+var_8], 2
		jnz	short loc_4B4349

loc_4B433B:				; CODE XREF: RtlGetExtendedContextLength2+81j
		dec	edi
		add	eax, edi
		mov	[ebx], eax
		xor	eax, eax
		pop	edi

loc_4B4343:				; CODE XREF: RtlGetExtendedContextLength2+23j
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4B4349:				; CODE XREF: RtlGetExtendedContextLength2+41j
		mov	edx, [ebp+arg_0]
		lea	esi, [edi-1]
		add	esi, eax
		lea	eax, [edi-1]
		not	eax
		and	esi, eax
		test	byte ptr ds:0FFDF03ECh,	2
		jnz	loc_5C21A3
		mov	eax, [ebp+arg_4]

loc_4B4368:				; CODE XREF: RtlGetExtendedContextLength2+10DECFj
		push	eax
		push	edx
		call	RtlpGetEntireXStateAreaLength
		sub	esi, edi
		add	esi, 0FFFFFE40h
		add	eax, esi
		jmp	short loc_4B433B
RtlGetExtendedContextLength2 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpGetLegacyContextLength proc	near	; CODE XREF: RtlGetExtendedContextLength2+2Fp
					; RtlpWriteExtendedContext+2Ep

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C21CC SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	esi
		mov	esi, eax
		test	ecx, 10000h
		jz	loc_5C21CC
		mov	eax, 2CCh
		push	4

loc_4B4399:				; CODE XREF: RtlpGetLegacyContextLength+10DE6Ej
					; RtlpGetLegacyContextLength+10DE86j
		pop	esi

loc_4B439A:				; CODE XREF: RtlpGetLegacyContextLength+10DE79j
		test	edx, edx
		jz	short loc_4B43A0
		mov	[edx], eax

loc_4B43A0:				; CODE XREF: RtlpGetLegacyContextLength+20j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_4B43A9
		mov	[eax], esi

loc_4B43A9:				; CODE XREF: RtlpGetLegacyContextLength+29j
		pop	esi
		pop	ebp
		retn	4
RtlpGetLegacyContextLength endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitializeExtendedContext(x, x, x)
_RtlInitializeExtendedContext@12 proc near ; CODE XREF:	KiRaiseException(x,x,x,x,x)+B6p
					; KiContinuePreviousModeUser+61p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	esi, esi
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		mov	[ebp+var_4], esi
		call	RtlpValidateContextFlags
		test	eax, eax
		js	short loc_4B43E4
		test	byte ptr [ebp+var_4], 2
		mov	eax, esi
		jnz	short loc_4B43EB

loc_4B43D6:				; CODE XREF: RtlInitializeExtendedContext(x,x,x)+54j
		push	eax
		push	esi
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, ebx
		call	RtlInitializeExtendedContext2

loc_4B43E4:				; CODE XREF: RtlInitializeExtendedContext(x,x,x)+1Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4B43EB:				; CODE XREF: RtlInitializeExtendedContext(x,x,x)+26j
		mov	esi, ds:0FFDF03D8h
		mov	eax, ds:0FFDF03DCh
		or	esi, ds:0FFDF0708h
		or	eax, ds:0FFDF070Ch
		jmp	short loc_4B43D6
_RtlInitializeExtendedContext@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiDispatchException proc near		; CODE XREF: KiRaiseException(x,x,x,x,x)+1BAp
					; KiInitializeUserApc(x,x,x,x,x,x,x)+243p ...

var_14C		= dword	ptr -14Ch
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_104		= dword	ptr -104h
var_FD		= byte ptr -0FDh
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_DD		= byte ptr -0DDh
var_DC		= dword	ptr -0DCh
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_7C		= dword	ptr -7Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 005C2207 SIZE 00000221 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1CD8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 12Ch
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_20], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_F4], ebx
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_E4], edi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_E8], esi
		mov	[ebp+var_104], 0
		mov	[ebp+var_F8], 0
		push	50h		; size_t
		push	0		; int
		lea	eax, [ebp+var_DC]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	50h		; size_t
		push	0		; int
		lea	eax, [ebp+var_8C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_DD], al
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	[ebp+var_FC], ecx
		mov	eax, large fs:20h
		inc	dword ptr [eax+58Ch]
		cmp	[ebp+arg_10], 0
		jz	short loc_4B44EB
		cmp	dword ptr [ecx+3D4h], 0
		jnz	loc_5C2207

loc_4B44EB:				; CODE XREF: KiDispatchException+CCj
		mov	ecx, [ebp+arg_C]

loc_4B44EE:				; CODE XREF: KiDispatchException+10DE58j
		mov	esi, 1003Fh
		mov	[ebp+var_F0], esi
		mov	eax, ds:_KeFeatureBits
		and	eax, 400000h
		or	eax, 0
		jz	short loc_4B4513
		mov	esi, 1007Fh
		mov	[ebp+var_F0], esi

loc_4B4513:				; CODE XREF: KiDispatchException+F6j
		test	cl, cl
		jnz	short loc_4B4520
		and	esi, 0FFFFFFB7h
		mov	[ebp+var_F0], esi

loc_4B4520:				; CODE XREF: KiDispatchException+105j
		mov	[ebp+var_118], 0
		mov	ecx, 1
		mov	eax, esi
		and	eax, 10040h
		cmp	eax, 10040h
		jnz	short loc_4B4554
		mov	ecx, ds:0FFDF03D8h
		or	ecx, ds:0FFDF03DCh
		jz	loc_5C226D
		mov	ecx, 3

loc_4B4554:				; CODE XREF: KiDispatchException+12Bj
		mov	[ebp+var_118], ecx
		xor	edx, edx
		xor	edi, edi
		test	cl, 2
		jnz	loc_4B49BC

loc_4B4567:				; CODE XREF: KiDispatchException+5C4j
		mov	[ebp+var_11C], 0
		mov	[ebp+var_120], 0
		mov	[ebp+var_124], 0
		mov	ecx, 1
		cmp	eax, 10040h
		jnz	short loc_4B45A7
		mov	eax, ds:0FFDF03D8h
		or	eax, ds:0FFDF03DCh
		jz	loc_5C226D
		mov	ecx, 3

loc_4B45A7:				; CODE XREF: KiDispatchException+17Fj
		mov	[ebp+var_11C], ecx
		mov	[ebp+var_120], 4
		mov	eax, 2E4h
		test	cl, 2
		jnz	loc_4B49D9
		mov	edx, 4

loc_4B45CA:				; CODE XREF: KiDispatchException+604j
		dec	eax
		add	eax, edx
		mov	[ebp+var_124], eax
		mov	[ebp+var_F8], eax

loc_4B45D9:				; CODE XREF: KiDispatchException+10DE63j
		mov	[ebp+var_EC], eax
		call	__alloca_probe_16
		mov	[ebp+var_18], esp
		mov	edi, esp
		mov	[ebp+var_12C], edi
		cmp	byte ptr [ebp+arg_C], 0
		jnz	loc_4B46FB

loc_4B45F9:				; CODE XREF: KiDispatchException+2FCj
		mov	[ebp+var_128], 0
		mov	ecx, 1
		mov	eax, esi
		and	eax, 10040h
		cmp	eax, 10040h
		jnz	short loc_4B4628
		mov	eax, ds:0FFDF03D8h
		or	eax, ds:0FFDF03DCh
		jz	short loc_4B464D
		mov	ecx, 3

loc_4B4628:				; CODE XREF: KiDispatchException+204j
		mov	[ebp+var_128], ecx
		xor	eax, eax
		xor	edx, edx
		test	cl, 2
		jnz	loc_4B4A19

loc_4B463B:				; CODE XREF: KiDispatchException+620j
		push	edx
		push	eax
		lea	eax, [ebp+var_104]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	RtlInitializeExtendedContext2

loc_4B464D:				; CODE XREF: KiDispatchException+211j
		push	edi
		push	[ebp+var_E4]
		push	[ebp+var_E8]
		call	KeContextFromKframes
		mov	eax, [ebx]
		cmp	eax, 80000003h
		jz	loc_4B4A35
		cmp	eax, 10000004h
		mov	eax, [ebp+arg_C]
		jnz	short loc_4B4684
		mov	dword ptr [ebx], 0C0000005h
		cmp	al, 1
		jz	loc_5C22A6

loc_4B4684:				; CODE XREF: KiDispatchException+264j
					; KiDispatchException+62Ej
		test	al, al
		jnz	loc_4B4711
		cmp	[ebp+arg_10], al
		jz	loc_5C2374
		cmp	_KdpDebugRoutineSelect,	0
		jnz	loc_5C2358
		cmp	dword ptr [ebx], 80000003h
		jz	loc_4B4A43

loc_4B46AE:				; CODE XREF: KiDispatchException+637j
					; KiDispatchException+10DF08j
		cmp	_KdPitchDebugger, 1
		jnz	loc_5C231D
		xor	al, al

loc_4B46BD:				; CODE XREF: KiDispatchException+64Dj
					; KiDispatchException+10DF43j ...
		test	al, al
		jnz	short loc_4B46D0
		push	edi
		push	ebx
		call	RtlDispatchException
		test	al, al
		jz	loc_5C2374

loc_4B46D0:				; CODE XREF: KiDispatchException+2AFj
					; KiDispatchException+371j ...
		push	[ebp+arg_C]
		mov	eax, [edi]
		push	eax
		push	edi
		push	[ebp+var_E4]
		mov	edi, [ebp+var_E8]
		push	edi
		call	KeContextToKframes
		cmp	[ebp+var_DD], 0
		jz	loc_4B4998
		jmp	loc_5C23B6
; 

loc_4B46FB:				; CODE XREF: KiDispatchException+1E3j
		push	[ebp+var_EC]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_4B45F9
; 

loc_4B4711:				; CODE XREF: KiDispatchException+276j
		mov	eax, [ebx+10h]
		add	eax, 5
		lea	ecx, [ebx+eax*4]
		mov	eax, ebx
		sub	eax, ecx
		add	eax, 50h
		push	eax		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+arg_10], 0
		jz	loc_4B4A71
		push	ecx
		mov	ecx, ebx
		call	_KdIsThisAKdTrap@12 ; KdIsThisAKdTrap(x,x,x)
		mov	cl, al
		mov	[ebp+var_DD], cl
		mov	eax, [ebp+var_FC]
		cmp	dword ptr [eax+190h], 0
		jnz	loc_5C23A9
		cmp	_KdIgnoreUmExceptions, 0
		jnz	loc_5C23A9

loc_4B4767:				; CODE XREF: KiDispatchException+10DFA1j
		push	0
		push	[ebp+arg_C]
		push	edi
		push	ebx
		mov	edx, [ebp+var_E4]
		mov	ecx, [ebp+var_E8]
		call	_KdTrap@24	; KdTrap(x,x,x,x,x,x)
		test	al, al
		jnz	loc_4B46D0

loc_4B4787:				; CODE XREF: KiDispatchException+10DF9Bj
		push	0
		mov	dl, 1
		mov	ecx, ebx
		call	DbgkForwardException
		test	al, al
		jnz	loc_4B4998

loc_4B479A:				; CODE XREF: sub_5C24A4+5Cj
		mov	eax, [ebp+var_E8]
		mov	[ebp+var_4], 0
		cmp	dword ptr [eax+78h], 23h
		jnz	loc_5C23D5
		test	dword ptr [eax+70h], 20000h
		jnz	loc_5C23D5

loc_4B47BE:				; CODE XREF: KiDispatchException+10DFECj
		mov	edx, [edi+0C4h]
		and	edx, 0FFFFFFFCh
		mov	[ebp+var_130], edx
		mov	ecx, edx
		mov	[ebp+var_10C], ecx
		mov	eax, esi
		and	eax, 10040h
		cmp	eax, 10040h
		jnz	short loc_4B47FB
		mov	eax, [ebp+var_104]
		sub	ecx, [eax+14h]
		mov	[ebp+var_10C], ecx
		and	ecx, 0FFFFFFC0h
		mov	[ebp+var_10C], ecx

loc_4B47FB:				; CODE XREF: KiDispatchException+3D1j
		lea	eax, [ecx-18h]
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_E4], eax
		mov	[ebp+var_114], eax
		lea	edi, [eax-2CCh]
		mov	[ebp+var_EC], edi
		mov	[ebp+var_110], edi
		mov	[ebp+var_38], 0FFFFFD34h
		mov	eax, edx
		sub	eax, edi
		mov	[ebp+var_FC], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], 0FFFFFD34h
		mov	[ebp+var_2C], 2CCh
		mov	eax, ecx
		sub	eax, [ebp+var_E4]
		mov	[ebp+var_28], eax
		sub	edx, ecx
		mov	[ebp+var_24], edx
		mov	ecx, [ebp+var_FC]
		test	ecx, ecx
		jz	loc_5C241A
		cmp	ecx, 1000h
		jnb	loc_5C241A
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_5C2401

loc_4B4878:				; CODE XREF: KiDispatchException+10DFF4j
		mov	al, [edi]
		mov	edi, [ebp+var_110]
		mov	[ebp+var_EC], edi
		mov	[edi], al
		cmp	ecx, 4
		jbe	loc_5C2409
		dec	ecx
		and	ecx, 0FFFFFFFCh
		mov	al, [ecx+edi]
		mov	[ecx+edi], al
		mov	eax, [ebp+var_114]
		mov	[ebp+var_E4], eax
		mov	edi, [ebp+var_110]
		mov	[ebp+var_EC], edi

loc_4B48B3:				; CODE XREF: KiDispatchException+10E005j
					; KiDispatchException+10E013j
		push	0
		push	[ebp+var_104]
		push	esi
		lea	eax, [ebp+var_38]
		push	eax
		mov	esi, [ebp+var_E4]
		mov	edx, esi
		mov	cl, 1
		call	_RtlpCopyExtendedContext@24 ; RtlpCopyExtendedContext(x,x,x,x,x,x)
		mov	eax, [ebp+var_38]
		mov	[esi], eax
		mov	eax, [ebp+var_34]
		mov	[esi+4], eax
		mov	eax, [ebp+var_30]
		mov	[esi+8], eax
		mov	eax, [ebp+var_2C]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_28]
		mov	[esi+10h], eax
		mov	eax, [ebp+var_24]
		mov	[esi+14h], eax
		mov	eax, [ebx+10h]
		lea	esi, ds:14h[eax*4]
		mov	[ebp+var_134], esi
		sub	edi, esi
		mov	[ebp+var_138], edi
		lea	ebx, [edi-8]
		mov	[ebp+var_13C], ebx
		push	4
		lea	eax, [esi+8]
		push	eax
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	esi		; size_t
		push	[ebp+var_F4]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebx], edi
		mov	eax, [ebp+var_EC]
		mov	[ebx+4], eax
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		mov	[ebp+var_FD], bl
		mov	edx, 20h
		mov	esi, [ebp+var_E8]
		mov	ecx, esi
		call	_KiSegSsToTrapFrame@8 ;	KiSegSsToTrapFrame(x,x)
		lea	edx, [edi-8]
		call	KiEspToTrapFrame
		mov	dword ptr [esi+6Ch], 1Bh
		mov	dword ptr [esi+34h], 23h
		mov	dword ptr [esi+30h], 23h
		mov	eax, ds:_KeUserExceptionDispatcher
		mov	[esi+68h], eax
		push	0
		push	esi
		call	KiSetupForInstrumentationReturn
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[ebp+var_4], 0FFFFFFFEh

loc_4B4998:				; CODE XREF: KiDispatchException+2E0j
					; KiDispatchException+384j ...
		lea	esp, [ebp-14Ch]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_20]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_4B49BC:				; CODE XREF: KiDispatchException+151j
		mov	edx, ds:0FFDF03D8h
		or	edx, ds:0FFDF0708h
		mov	edi, ds:0FFDF03DCh
		or	edi, ds:0FFDF070Ch
		jmp	loc_4B4567
; 

loc_4B49D9:				; CODE XREF: KiDispatchException+1AFj
		mov	eax, 4
		neg	eax
		and	eax, 2E7h
		mov	[ebp+var_F8], eax
		test	byte ptr ds:0FFDF03ECh,	2
		jnz	loc_5C2278

loc_4B49F8:				; CODE XREF: KiDispatchException+10DE91j
		push	edi
		push	edx
		call	RtlpGetEntireXStateAreaLength
		mov	ecx, [ebp+var_F8]
		mov	edx, 4
		sub	ecx, edx
		add	ecx, 0FFFFFE40h
		add	eax, ecx
		jmp	loc_4B45CA
; 

loc_4B4A19:				; CODE XREF: KiDispatchException+225j
		mov	eax, ds:0FFDF03D8h
		or	eax, ds:0FFDF0708h
		mov	edx, ds:0FFDF03DCh
		or	edx, ds:0FFDF070Ch
		jmp	loc_4B463B
; 

loc_4B4A35:				; CODE XREF: KiDispatchException+256j
		dec	dword ptr [edi+0B8h]

loc_4B4A3B:				; CODE XREF: KiDispatchException+10DEADj
					; KiDispatchException+10DEB7j ...
		mov	eax, [ebp+arg_C]
		jmp	loc_4B4684
; 

loc_4B4A43:				; CODE XREF: KiDispatchException+298j
		cmp	dword ptr [ebx+10h], 0
		jbe	loc_4B46AE
		mov	eax, [ebx+14h]
		cmp	eax, 3
		jnz	short loc_4B4A62

loc_4B4A55:				; CODE XREF: KiDispatchException+655j
					; KiDispatchException+65Aj ...
		inc	dword ptr [edi+0B8h]
		mov	al, 1
		jmp	loc_4B46BD
; 

loc_4B4A62:				; CODE XREF: KiDispatchException+643j
		cmp	eax, 1
		jz	short loc_4B4A55
		cmp	eax, 4
		jz	short loc_4B4A55
		jmp	loc_5C230F
; 

loc_4B4A71:				; CODE XREF: KiDispatchException+321j
					; sub_5C24A4+6Ej
		push	1
		mov	dl, 1
		mov	ecx, ebx
		call	DbgkForwardException
		test	al, al
		jnz	loc_4B4998
		push	1
		xor	dl, dl
		mov	ecx, ebx
		call	DbgkForwardException
		test	al, al
		jnz	loc_4B4998
		mov	eax, [ebx]
		push	eax
		push	0FFFFFFFFh
		call	_ZwTerminateProcess@8 ;	ZwTerminateProcess(x,x)
		jmp	loc_4B4998
KiDispatchException endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlInitializeExtendedContext2 proc near	; CODE XREF: RtlInitializeExtendedContext(x,x,x)+31p
					; KiDispatchException+238p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C2517 SIZE 000000F4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, edx
		and	eax, 27FFFF80h
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		cmp	eax, 10000h
		jnz	loc_5C2517

loc_4B4AD1:				; CODE XREF: RtlInitializeExtendedContext2+10DA73j
					; RtlInitializeExtendedContext2+10DA85j ...
		mov	eax, edx
		mov	ebx, 1
		and	eax, 100040h
		cmp	eax, 100040h
		mov	eax, edx
		setnz	cl
		and	eax, 10040h
		cmp	eax, 10040h
		setnz	al
		test	cl, al
		jnz	short loc_4B4B0E
		mov	eax, ds:0FFDF03D8h
		or	eax, ds:0FFDF03DCh
		jz	loc_5C2557
		mov	ebx, 3

loc_4B4B0E:				; CODE XREF: RtlInitializeExtendedContext2+46j
		test	edx, 10000h
		jz	loc_5C2561
		lea	eax, [edi+3]
		and	eax, 0FFFFFFFCh
		lea	esi, [eax+2CCh]
		mov	[eax], edx
		mov	dword ptr [esi+0Ch], 2CCh

loc_4B4B2F:				; CODE XREF: RtlInitializeExtendedContext2+10DACFj
					; RtlInitializeExtendedContext2+10DAF1j ...
		mov	ecx, [esi+0Ch]
		mov	eax, ecx
		neg	eax
		mov	[esi+8], eax
		mov	[esi], eax
		lea	eax, [ecx+18h]
		mov	[esi+4], eax
		mov	eax, edx
		and	eax, 10020h
		cmp	eax, 10020h
		setnz	cl
		bt	edx, 10h
		setb	al
		test	cl, al
		jz	short loc_4B4B62
		mov	dword ptr [esi+0Ch], 0CCh

loc_4B4B62:				; CODE XREF: RtlInitializeExtendedContext2+A9j
		test	bl, 2
		jnz	short loc_4B4B84
		xor	ebx, ebx
		mov	edi, 19h

loc_4B4B6E:				; CODE XREF: RtlInitializeExtendedContext2+124j
		mov	eax, [ebp+arg_0]
		mov	[esi+10h], edi
		mov	[esi+14h], ebx
		mov	[eax], esi
		xor	eax, eax

loc_4B4B7B:				; CODE XREF: RtlInitializeExtendedContext2+10DAA2j
					; RtlInitializeExtendedContext2+10DAACj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B4B84:				; CODE XREF: RtlInitializeExtendedContext2+B5j
		mov	edx, [ebp+arg_4]
		lea	edi, [esi+57h]
		and	edi, 0FFFFFFC0h
		test	byte ptr ds:0FFDF03ECh,	2
		jnz	loc_5C25CC
		mov	eax, [ebp+arg_8]

loc_4B4B9D:				; CODE XREF: RtlInitializeExtendedContext2+10DB40j
		push	eax
		push	edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], eax
		call	RtlpGetEntireXStateAreaLength
		lea	ebx, [eax-200h]
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		test	byte ptr ds:0FFDF03ECh,	2
		jnz	loc_5C25F5

loc_4B4BC9:				; CODE XREF: RtlInitializeExtendedContext2+10DB56j
		sub	edi, esi
		mov	eax, edi
		sub	eax, [esi]
		add	eax, ebx
		mov	[esi+4], eax
		jmp	short loc_4B4B6E
RtlInitializeExtendedContext2 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeContextFromKframes proc near		; CODE XREF: KiDispatchException+24Ap
					; KiInitializeUserApc(x,x,x,x,x,x,x)+6Bp ...

var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C260B SIZE 0000027A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	loc_5C260B
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ch, al
		mov	[ebp+var_5], ch
		cmp	ch, 1
		jnb	short loc_4B4C1F
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ch, al
		mov	[ebp+var_5], al

loc_4B4C1F:				; CODE XREF: KeContextFromKframes+30j
					; KeContextFromKframes+10DA30j
		mov	esi, [ebp+arg_8]
		mov	ebx, [ebp+arg_0]
		mov	edi, [esi]
		mov	eax, edi
		and	eax, 10001h
		mov	[ebp+var_38], edi
		cmp	eax, 10001h
		jnz	short loc_4B4CB0
		mov	eax, [ebx+60h]
		mov	[esi+0B4h], eax
		mov	eax, [ebx+68h]
		mov	[esi+0B8h], eax
		mov	eax, [ebx+6Ch]
		test	eax, 0FFF9h
		jz	loc_5C2615

loc_4B4C58:				; CODE XREF: KeContextFromKframes+10DA3Cj
		movzx	eax, ax

loc_4B4C5B:				; CODE XREF: KeContextFromKframes+10DA46j
		mov	[esi+0BCh], eax
		mov	eax, [ebx+70h]
		mov	[esi+0C0h], eax
		test	dword ptr [ebx+70h], 20000h
		jnz	loc_5C262B
		test	byte ptr [ebx+6Ch], 1
		jnz	loc_4B4EDA
		mov	eax, 10h

loc_4B4C86:				; CODE XREF: KeContextFromKframes+300j
					; KeContextFromKframes+10DA4Ej
		mov	[esi+0C8h], eax
		mov	edx, [ebx+6Ch]
		test	dl, 1
		setz	cl
		test	dword ptr [ebx+70h], 20000h
		setz	al
		test	cl, al
		jnz	loc_4B4DF7
		mov	eax, [ebx+74h]

loc_4B4CAA:				; CODE XREF: KeContextFromKframes+226j
					; KeContextFromKframes+10DA56j
		mov	[esi+0C4h], eax

loc_4B4CB0:				; CODE XREF: KeContextFromKframes+56j
		mov	eax, edi
		and	eax, 10004h
		cmp	eax, 10004h
		jnz	short loc_4B4CFD
		test	dword ptr [ebx+70h], 20000h
		jnz	loc_5C263B
		cmp	byte ptr [ebx+0Fh], 2
		jz	loc_4B4F7B
		movzx	eax, word ptr [ebx+30h]
		mov	[esi+94h], eax
		movzx	eax, word ptr [ebx+34h]

loc_4B4CE3:				; CODE XREF: KeContextFromKframes+3AAj
		mov	[esi+98h], eax
		movzx	eax, word ptr [ebx+2Ch]
		mov	[esi+8Ch], eax
		movzx	eax, word ptr [ebx+50h]
		mov	[esi+90h], eax

loc_4B4CFD:				; CODE XREF: KeContextFromKframes+DCj
					; KeContextFromKframes+10DA8Cj
		mov	eax, edi
		and	eax, 10002h
		cmp	eax, 10002h
		jnz	short loc_4B4D4B
		mov	eax, [ebx+54h]
		mov	[esi+9Ch], eax
		mov	eax, [ebx+58h]
		mov	[esi+0A0h], eax
		mov	eax, [ebx+5Ch]
		mov	[esi+0A4h], eax
		mov	eax, [ebx+40h]
		mov	[esi+0B0h], eax
		cmp	byte ptr [ebx+0Fh], 2
		jz	loc_4B4F6A
		mov	eax, [ebx+3Ch]
		mov	[esi+0ACh], eax
		mov	eax, [ebx+38h]

loc_4B4D45:				; CODE XREF: KeContextFromKframes+396j
		mov	[esi+0A8h], eax

loc_4B4D4B:				; CODE XREF: KeContextFromKframes+129j
		mov	eax, edi
		and	eax, 10020h
		mov	[ebp+var_30], eax
		mov	eax, edi
		and	eax, 10008h
		mov	[ebp+var_34], eax
		mov	eax, edi
		and	eax, 10040h
		cmp	[ebp+var_34], 10008h
		mov	edx, eax
		mov	[ebp+var_C], eax
		setnz	cl
		cmp	[ebp+var_30], 10020h
		setnz	al
		sub	edx, 10040h
		and	cl, al
		neg	edx
		sbb	dl, dl
		test	dl, cl
		jz	short loc_4B4E0B

loc_4B4D8F:				; CODE XREF: KeContextFromKframes+2F5j
		and	edi, 10010h
		cmp	edi, 10010h
		jnz	short loc_4B4DD4
		test	dword ptr [ebx+28h], 0FFFF23FFh
		jnz	loc_5C284C
		mov	dword ptr [esi+4], 0
		mov	dword ptr [esi+8], 0
		mov	dword ptr [esi+0Ch], 0
		mov	dword ptr [esi+10h], 0
		mov	dword ptr [esi+14h], 0
		mov	dword ptr [esi+18h], 0

loc_4B4DD4:				; CODE XREF: KeContextFromKframes+1BBj
					; KeContextFromKframes+10DCA0j
		cmp	ch, 1
		jnb	short loc_4B4DE1
		mov	cl, ch
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4B4DE1:				; CODE XREF: KeContextFromKframes+1F7j
		lea	esp, [ebp-44h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B4DF7:				; CODE XREF: KeContextFromKframes+C1j
		test	edx, 0FFF9h
		jz	loc_5C2633
		lea	eax, [ebx+74h]
		jmp	loc_4B4CAA
; 

loc_4B4E0B:				; CODE XREF: KeContextFromKframes+1ADj
		mov	ecx, large fs:124h
		test	byte ptr [ebx+6Ch], 1
		jnz	loc_4B4EE5
		test	dword ptr [ebx+70h], 20000h
		jnz	loc_4B4EE5

loc_4B4E29:				; CODE XREF: KeContextFromKframes+311j
		mov	ecx, ds:0FFDF03D8h
		mov	edx, ds:0FFDF03DCh
		and	ecx, 0FFFFFFFCh
		cmp	[ebp+var_C], 10040h
		jz	loc_4B4F20

loc_4B4E45:				; CODE XREF: KeContextFromKframes+344j
					; KeContextFromKframes+35Dj
		mov	eax, 210h
		mov	[ebp+var_1C], 3
		mov	[ebp+var_10], 0
		call	__alloca_probe_16
		lea	edx, [esp+44h+var_38+3]
		and	edx, 0FFFFFFF0h
		mov	[ebp+var_24], edx
		nop
		fxsave	dword ptr [edx]
		nop

loc_4B4E6C:				; CODE XREF: KeContextFromKframes+327j
		cmp	byte ptr [ebx+0Fh], 2
		jz	loc_4B4FA7
		mov	eax, ebx
		and	eax, 0FFFFFFF0h
		add	eax, 0FFFFFF80h

loc_4B4E7E:				; CODE XREF: KeContextFromKframes+3C9j
		lea	edi, [edx+0A0h]
		test	eax, eax
		jz	loc_4B4F8F
		mov	ecx, 20h
		mov	esi, eax
		rep movsd
		mov	esi, [ebp+arg_8]

loc_4B4E98:				; CODE XREF: KeContextFromKframes+3C2j
		cmp	[ebp+var_C], 10040h
		mov	eax, [ebx+48h]
		mov	[edx+18h], eax
		jz	loc_4B4F42

loc_4B4EAB:				; CODE XREF: KeContextFromKframes+37Fj
					; KeContextFromKframes+10DBF3j	...
		cmp	[ebp+var_30], 10020h
		jnz	short loc_4B4EC3
		lea	edi, [esi+0CCh]
		mov	ecx, 48h
		mov	esi, edx
		rep movsd

loc_4B4EC3:				; CODE XREF: KeContextFromKframes+2D2j
		cmp	[ebp+var_34], 10008h
		mov	esi, [ebp+arg_8]
		jz	short loc_4B4F0C

loc_4B4ECF:				; CODE XREF: KeContextFromKframes+33Ej
		mov	ch, [ebp+var_5]
		mov	edi, [ebp+var_38]
		jmp	loc_4B4D8F
; 

loc_4B4EDA:				; CODE XREF: KeContextFromKframes+9Bj
		mov	eax, [ebx+78h]
		or	eax, 3
		jmp	loc_4B4C86
; 

loc_4B4EE5:				; CODE XREF: KeContextFromKframes+236j
					; KeContextFromKframes+243j
		call	KiGetAllocatedXSaveArea
		mov	edx, eax
		mov	[ebp+var_24], edx
		test	edx, edx
		jz	loc_4B4E29
		mov	eax, ds:0FFDF03D8h
		mov	[ebp+var_1C], eax
		mov	eax, ds:0FFDF03DCh
		mov	[ebp+var_10], eax
		jmp	loc_4B4E6C
; 

loc_4B4F0C:				; CODE XREF: KeContextFromKframes+2EDj
		lea	ecx, [esi+1Ch]
		mov	dword ptr [esi+88h], 0
		call	RtlFxToFnFrame
		jmp	short loc_4B4ECF
; 

loc_4B4F20:				; CODE XREF: KeContextFromKframes+25Fj
		mov	eax, ecx
		or	eax, edx
		jz	loc_4B4E45
		push	edx
		push	ecx
		lea	ecx, [esi+0CCh]
		add	ecx, [esi+2DCh]
		call	RtlXSave
		jmp	loc_4B4E45
; 

loc_4B4F42:				; CODE XREF: KeContextFromKframes+2C5j
		mov	eax, [esi+2DCh]
		mov	ecx, [ebp+var_1C]
		add	eax, 0CCh
		mov	edi, [ebp+var_10]
		add	eax, esi
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_C], eax
		mov	eax, ecx
		or	eax, edi
		jz	loc_4B4EAB
		jmp	loc_5C2671
; 

loc_4B4F6A:				; CODE XREF: KeContextFromKframes+153j
		mov	eax, [ebx+74h]
		mov	[esi+0ACh], eax
		mov	eax, [ebx+68h]
		jmp	loc_4B4D45
; 

loc_4B4F7B:				; CODE XREF: KeContextFromKframes+EFj
		mov	dword ptr [esi+94h], 23h
		mov	eax, 23h
		jmp	loc_4B4CE3
; 

loc_4B4F8F:				; CODE XREF: KeContextFromKframes+2A6j
		push	80h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	edx, [ebp+var_24]
		add	esp, 0Ch
		jmp	loc_4B4E98
; 

loc_4B4FA7:				; CODE XREF: KeContextFromKframes+290j
		xor	eax, eax
		jmp	loc_4B4E7E
KeContextFromKframes endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2389. RtlUnwind

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUnwind
RtlUnwind	proc near		; CODE XREF: __global_unwind2+13p
					; _EH4_GlobalUnwind(x)+10p

var_3B4		= dword	ptr -3B4h
var_3B0		= dword	ptr -3B0h
var_3A8		= dword	ptr -3A8h
var_3A4		= dword	ptr -3A4h
var_3A0		= dword	ptr -3A0h
var_39C		= dword	ptr -39Ch
var_398		= dword	ptr -398h
var_394		= dword	ptr -394h
var_390		= dword	ptr -390h
var_38C		= dword	ptr -38Ch
var_388		= dword	ptr -388h
var_384		= dword	ptr -384h
var_380		= dword	ptr -380h
var_37C		= dword	ptr -37Ch
var_378		= dword	ptr -378h
var_374		= dword	ptr -374h
var_370		= dword	ptr -370h
var_368		= dword	ptr -368h
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_320		= dword	ptr -320h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_2D8		= dword	ptr -2D8h
var_228		= dword	ptr -228h
var_214		= dword	ptr -214h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C2885 SIZE 000000F2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3A4h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_8]
		lea	eax, [esp+3A8h+var_2D8]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		push	eax
		mov	[esp+3B4h+var_3A4], ebx
		call	_RtlpCaptureContext@4 ;	RtlpCaptureContext(x)
		add	[esp+3B0h+var_214], 10h
		lea	eax, [esp+3B0h+var_328]
		push	50h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[esp+3BCh+var_228], esi
		mov	[esp+3BCh+var_394], 0
		call	_memset
		push	50h		; size_t
		lea	eax, [esp+3C0h+var_378]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	[esp+3B0h+var_39C], 0
		lea	edx, [esp+3B0h+var_39C]
		mov	[esp+3B0h+var_398], 0
		lea	ecx, [esp+3B0h+var_398]
		call	_RtlpGetStackLimits@8 ;	RtlpGetStackLimits(x,x)
		test	al, al
		jz	loc_5C2885
		test	ebx, ebx
		jnz	short loc_4B5099
		mov	eax, [ebp+4]
		lea	ebx, [esp+3B0h+var_328]
		mov	[esp+3B0h+var_3A4], ebx
		mov	[esp+3B0h+var_328], 0C0000027h
		mov	[esp+3B0h+var_324], 0
		mov	[esp+3B0h+var_320], 0
		mov	[esp+3B0h+var_31C], eax
		mov	[esp+3B0h+var_318], 0

loc_4B5099:				; CODE XREF: RtlUnwind+96j
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	loc_5C288F
		mov	ecx, 1

loc_4B50A9:				; CODE XREF: RtlUnwind+10D8D1j
		test	ecx, ecx
		jz	loc_5C2896
		mov	ecx, 2

loc_4B50B6:				; CODE XREF: RtlUnwind+10D8DBj
		or	[ebx+4], ecx
		mov	ebx, large fs:0
		cmp	ebx, 0FFFFFFFFh
		jz	loc_5C2940
		mov	ecx, [esp+3B0h+var_39C]
		mov	edi, [esp+3B0h+var_398]
		mov	[esp+3B0h+var_3A0], ecx
		mov	[esp+3B0h+var_38C], edi
		lea	esp, [esp+0]

loc_4B50E0:				; CODE XREF: RtlUnwind+207j
		cmp	ebx, edx
		jz	loc_4B51D2
		test	edx, edx
		jz	short loc_4B50F4
		cmp	edx, ebx
		jb	loc_5C28A0

loc_4B50F4:				; CODE XREF: RtlUnwind+12Aj
					; RtlUnwind+225j
		cmp	ebx, edi
		jb	loc_5C28D8
		lea	eax, [ebx+8]
		cmp	eax, ecx
		ja	loc_5C28D8
		test	bl, 3
		jnz	loc_5C28D8
		mov	edi, [ebx+4]
		lea	edx, [esp+3B0h+var_388]
		xor	eax, eax
		mov	ecx, edi
		mov	[esp+3B0h+var_388], eax
		mov	[esp+3B0h+var_384], eax
		mov	[esp+3B0h+var_380], eax
		mov	[esp+3B0h+var_37C], eax
		call	RtlpxLookupFunctionTable
		mov	esi, eax
		mov	[esp+3B0h+var_390], esi
		test	esi, esi
		jz	short loc_4B518B
		mov	ecx, [esp+3B0h+var_37C]
		test	ecx, ecx
		jz	short loc_4B518B
		cmp	esi, 0FFFFFFFFh
		jz	loc_5C28CF

loc_4B514B:				; CODE XREF: RtlUnwind+10D912j
		sub	edi, [esp+3B0h+var_384]
		xor	edx, edx
		test	ecx, ecx
		js	loc_5C28D8
		lea	esp, [esp+0]

loc_4B5160:				; CODE XREF: RtlUnwind+1BDj
		lea	eax, [edx+ecx]
		sar	eax, 1
		mov	esi, [esi+eax*4]
		cmp	edi, esi
		jnb	short loc_4B5184
		test	eax, eax
		jz	loc_5C28D8
		lea	ecx, [eax-1]

loc_4B5177:				; CODE XREF: RtlUnwind+1C9j
		mov	esi, [esp+3B0h+var_390]
		cmp	ecx, edx
		jge	short loc_4B5160
		jmp	loc_5C28D8
; 

loc_4B5184:				; CODE XREF: RtlUnwind+1AAj
		jbe	short loc_4B518B
		lea	edx, [eax+1]
		jmp	short loc_4B5177
; 

loc_4B518B:				; CODE XREF: RtlUnwind+178j
					; RtlUnwind+180j ...
		mov	eax, [ebx+4]
		mov	esi, [esp+3B0h+var_3A4]
		push	eax
		lea	eax, [esp+3B4h+var_394]
		push	eax
		lea	eax, [esp+3B8h+var_2D8]
		push	eax
		push	ebx
		push	esi
		call	_RtlpExecuteHandlerForUnwind@20	; RtlpExecuteHandlerForUnwind(x,x,x,x,x)
		sub	eax, 1
		jnz	loc_5C2907

loc_4B51B0:				; CODE XREF: RtlUnwind+10D972j
					; RtlUnwind+10D97Bj
		mov	ebx, [ebx]
		mov	large fs:0, ebx

loc_4B51B9:				; CODE XREF: RtlUnwind+10D942j
		mov	edx, [ebp+arg_0]
		mov	edi, [esp+3C4h+var_3A0]
		mov	ecx, [esp+3C4h+var_3B4]
		cmp	ebx, 0FFFFFFFFh
		jnz	loc_4B50E0
		jmp	loc_5C2944
; 

loc_4B51D2:				; CODE XREF: RtlUnwind+122j
		push	0
		lea	eax, [esp+3B4h+var_2D8]
		push	eax
		call	_ZwContinue@8	; ZwContinue(x,x)

loc_4B51E1:				; CODE XREF: RtlUnwind+10D90Aj
		mov	ecx, [esp+3B0h+var_3A0]
		jmp	loc_4B50F4
RtlUnwind	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlDispatchException proc near		; CODE XREF: KiDispatchException+2B3p
					; RtlRaiseException(x)+2Cp ...

var_86		= byte ptr -86h
var_85		= byte ptr -85h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C2977 SIZE 00000104 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+8Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		lea	eax, [esp+90h+var_58]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	50h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[esp+0A4h+var_84], esi
		mov	[esp+0A4h+var_70], ebx
		mov	[esp+0A4h+var_86], 0
		mov	[esp+0A4h+var_6C], 0
		mov	[esp+0A4h+var_85], 0
		call	_memset
		add	esp, 0Ch
		mov	[esp+98h+var_80], 0
		test	_NtGlobalFlag, (offset loc_7FFFFF+1)
		mov	[esp+98h+var_7C], 0
		jnz	loc_5C2977

loc_4B5260:				; CODE XREF: RtlDispatchException+10D795j
		lea	edx, [esp+98h+var_80]
		lea	ecx, [esp+98h+var_7C]
		call	_RtlpGetStackLimits@8 ;	RtlpGetStackLimits(x,x)
		test	al, al
		jz	loc_5C2996
		mov	eax, [esp+98h+var_80]
		sub	eax, [esp+98h+var_7C]
		cmp	eax, 8
		jb	loc_5C2996
		mov	ebx, large fs:0
		mov	edi, ds:_KiI386ExceptionChainTerminator
		mov	edx, [esp+98h+var_7C]
		mov	[esp+98h+var_74], ebx
		cmp	edi, 0FFFFFFFFh
		jz	short loc_4B52F1
		mov	esi, [esp+98h+var_80]
		mov	ecx, ebx
		add	esi, 0FFFFFFF8h
		mov	eax, edx
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_4B52ED

loc_4B52B0:				; CODE XREF: RtlDispatchException+FBj
		cmp	eax, ecx
		ja	loc_4B53E8
		cmp	ecx, esi
		jnb	loc_4B53E8
		test	cl, 3
		jnz	loc_4B53E8
		mov	eax, [ecx+4]
		cmp	edx, eax
		jbe	loc_4B540B

loc_4B52D4:				; CODE XREF: RtlDispatchException+1FEj
					; RtlDispatchException+21Fj
		mov	edx, [ecx]
		cmp	edx, 0FFFFFFFFh
		jz	loc_4B53FD

loc_4B52DF:				; CODE XREF: RtlDispatchException+213j
		lea	eax, [ecx+8]
		mov	ecx, edx
		mov	edx, [esp+98h+var_7C]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_4B52B0

loc_4B52ED:				; CODE XREF: RtlDispatchException+BEj
		mov	esi, [esp+98h+var_84]

loc_4B52F1:				; CODE XREF: RtlDispatchException+AEj
		xor	ecx, ecx
		mov	[esp+98h+var_78], ecx
		cmp	ebx, 0FFFFFFFFh
		jz	loc_5C2A62

loc_4B5300:				; CODE XREF: RtlDispatchException+1EEj
		cmp	ebx, edx
		jb	loc_5C298A
		lea	eax, [ebx+8]
		cmp	eax, [esp+98h+var_80]
		ja	loc_5C298A
		test	bl, 3
		jnz	loc_5C298A

loc_4B531E:				; CODE XREF: RtlDispatchException+10D7A0j
		mov	edi, [ebx+4]
		lea	edx, [esp+98h+var_68]
		xor	eax, eax
		mov	ecx, edi
		mov	[esp+98h+var_68], eax
		mov	[esp+98h+var_64], eax
		mov	[esp+98h+var_60], eax
		mov	[esp+98h+var_5C], eax
		call	RtlpxLookupFunctionTable
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_4B5383

loc_4B5344:				; DATA XREF: VhdiMountVhdFile(x)+283o
		mov	ecx, [esp+98h+var_5C]
		test	ecx, ecx
		jz	short loc_4B5383
		cmp	ebx, 0FFFFFFFFh
		jz	loc_5C299F

loc_4B5355:				; CODE XREF: RtlDispatchException+10D7B2j
		sub	edi, [esp+98h+var_64]
		xor	esi, esi
		test	ecx, ecx
		js	loc_5C29A8

loc_4B5363:				; CODE XREF: RtlDispatchException+18Aj
		lea	eax, [esi+ecx]
		sar	eax, 1
		cmp	edi, [ebx+eax*4]
		jnb	short loc_4B5381
		test	eax, eax
		jz	loc_5C29A8
		lea	ecx, [eax-1]

loc_4B5378:				; CODE XREF: RtlDispatchException+1F6j
		cmp	ecx, esi
		jge	short loc_4B5363
		jmp	loc_5C29A8
; 

loc_4B5381:				; CODE XREF: RtlDispatchException+17Bj
		ja	short loc_4B53E3

loc_4B5383:				; CODE XREF: RtlDispatchException+152j
					; RtlDispatchException+15Aj
		mov	ebx, [esp+98h+var_74]
		xor	esi, esi
		cmp	[esp+98h+var_85], 0
		mov	edi, [esp+98h+var_84]
		jnz	loc_5C29B9

loc_4B5398:				; CODE XREF: RtlDispatchException+10D7DBj
		mov	eax, [ebx+4]
		push	eax
		lea	eax, [esp+9Ch+var_6C]
		push	eax
		push	[esp+0A0h+var_70]
		push	ebx
		push	edi
		call	_RtlpExecuteHandlerForException@20 ; RtlpExecuteHandlerForException(x,x,x,x,x)
		test	esi, esi
		jnz	short loc_4B5417

loc_4B53B0:				; CODE XREF: RtlDispatchException+22Dj
		mov	ecx, [esp+98h+var_78]
		mov	esi, [esp+98h+var_84]
		cmp	ecx, ebx
		jz	loc_5C29D0

loc_4B53C0:				; CODE XREF: RtlDispatchException+10D7EAj
		cmp	eax, 1
		jnz	loc_5C29DF

loc_4B53C9:				; CODE XREF: RtlDispatchException+10D869j
		test	byte ptr [esi+4], 8
		jnz	short loc_4B53F4

loc_4B53CF:				; CODE XREF: RtlDispatchException+10D81Fj
					; RtlDispatchException+10D82Ej	...
		mov	ebx, [ebx]
		mov	[esp+98h+var_74], ebx
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_4B53F4
		mov	edx, [esp+98h+var_7C]
		jmp	loc_4B5300
; 

loc_4B53E3:				; CODE XREF: RtlDispatchException:loc_4B5381j
		lea	esi, [eax+1]
		jmp	short loc_4B5378
; 

loc_4B53E8:				; CODE XREF: RtlDispatchException+C2j
					; RtlDispatchException+CAj ...
		cmp	ecx, ds:_KiI386ExceptionChainTerminator
		jz	loc_4B52D4

loc_4B53F4:				; CODE XREF: RtlDispatchException+1DDj
					; RtlDispatchException+1E8j ...
		mov	al, [esp+98h+var_86]
		jmp	loc_5C2A64
; 

loc_4B53FD:				; CODE XREF: RtlDispatchException+E9j
		mov	eax, [ecx+4]
		cmp	eax, [edi+4]
		jz	loc_4B52DF
		jmp	short loc_4B53F4
; 

loc_4B540B:				; CODE XREF: RtlDispatchException+DEj
		cmp	eax, [esp+98h+var_80]
		jnb	loc_4B52D4
		jmp	short loc_4B53E8
; 

loc_4B5417:				; CODE XREF: RtlDispatchException+1BEj
		mov	[esi+320h], eax
		jmp	short loc_4B53B0
RtlDispatchException endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 885. IoGetStackLimits

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoGetStackLimits
IoGetStackLimits proc near		; CODE XREF: .text:005289E4p
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+101p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C2A7B SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	edx, edi
		call	_RtlpGetStackLimits@8 ;	RtlpGetStackLimits(x,x)
		test	al, al
		jz	loc_5C2A7B

loc_4B544E:				; CODE XREF: IoGetStackLimits+10D657j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
IoGetStackLimits endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpGetStackLimits(x, x)
_RtlpGetStackLimits@8 proc near		; CODE XREF: RtlUnwind+87p
					; RtlDispatchException+78p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edx
		push	ecx
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		lea	edx, [ebp+var_4]
		mov	ecx, eax
		call	KeQueryCurrentStackInformationEx
		mov	esp, ebp
		pop	ebp
		retn
_RtlpGetStackLimits@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeQueryCurrentStackInformationEx proc near
					; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+DAp
					; RtlpGetStackLimits(x,x)+12p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C2A8C SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, _KiBugCheckActive
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], esi
		push	edi
		mov	edi, ecx
		test	al, 3
		jnz	loc_5C2A8C
		push	ebx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 2
		jnb	loc_4B5550
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()

loc_4B54B5:				; CODE XREF: KeQueryCurrentStackInformationEx+DFj
					; KeQueryCurrentStackInformationEx+E7j
		mov	esi, large fs:124h
		mov	ecx, esi
		call	@KeIsContextSwapActive@4 ; KeIsContextSwapActive(x)
		test	al, al
		jnz	loc_5C2AC3
		cmp	bl, 2
		jnb	loc_4B5572

loc_4B54D4:				; CODE XREF: KeQueryCurrentStackInformationEx+103j
					; KeQueryCurrentStackInformationEx+10Bj
		test	dword ptr [esi+58h], 1000h
		mov	eax, [ebp+var_4]
		jnz	loc_4B55A6
		cmp	byte ptr [esi+1BFh], 0
		jnz	short loc_4B5548
		mov	dword ptr [eax], 3

loc_4B54F3:				; CODE XREF: KeQueryCurrentStackInformationEx+CEj
					; KeQueryCurrentStackInformationEx+12Cj
		mov	eax, [esi+28h]
		mov	[ebp+var_14], eax
		mov	eax, [esi+24h]
		mov	ecx, [esi+24h]
		mov	ebx, [esi+28h]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_14]
		mov	esi, [ebp+var_10]
		cmp	ebx, eax
		jnz	loc_4B55B1
		cmp	esi, ecx
		ja	loc_4B55B1
		cmp	ecx, eax
		jnb	loc_4B55B1
		mov	edx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		mov	[edx], ebx
		mov	[eax], ecx

loc_4B552D:				; CODE XREF: KeQueryCurrentStackInformationEx+13Dj
		cmp	ecx, edi
		ja	loc_4B55C2
		cmp	edi, [edx]
		jnb	loc_4B55C2

loc_4B553D:				; CODE XREF: KeQueryCurrentStackInformationEx+124j
		mov	al, 1

loc_4B553F:				; CODE XREF: KeQueryCurrentStackInformationEx+144j
					; KeQueryCurrentStackInformationEx+10D63Ej ...
		pop	ebx

loc_4B5540:				; CODE XREF: KeQueryCurrentStackInformationEx+10D627j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4B5548:				; CODE XREF: KeQueryCurrentStackInformationEx+6Bj
		mov	dword ptr [eax], 4
		jmp	short loc_4B54F3
; 

loc_4B5550:				; CODE XREF: KeQueryCurrentStackInformationEx+2Aj
		mov	ecx, large fs:43BCh
		lea	edx, [ecx-3000h]
		cmp	edx, edi
		ja	loc_4B54B5
		cmp	edi, ecx
		jnb	loc_4B54B5
		jmp	loc_5C2AAC
; 

loc_4B5572:				; CODE XREF: KeQueryCurrentStackInformationEx+4Ej
		mov	edx, large fs:2330h
		mov	ecx, edx
		sub	ecx, ds:_KeKernelStackSize
		cmp	ecx, edi
		ja	loc_4B54D4
		cmp	edi, edx
		jnb	loc_4B54D4
		mov	eax, [ebp+var_4]
		mov	dword ptr [eax], 1
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	short loc_4B553D
; 

loc_4B55A6:				; CODE XREF: KeQueryCurrentStackInformationEx+5Ej
		mov	dword ptr [eax], 2
		jmp	loc_4B54F3
; 

loc_4B55B1:				; CODE XREF: KeQueryCurrentStackInformationEx+8Dj
					; KeQueryCurrentStackInformationEx+95j	...
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		mov	[edx], eax
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		jmp	loc_4B552D
; 

loc_4B55C2:				; CODE XREF: KeQueryCurrentStackInformationEx+AFj
					; KeQueryCurrentStackInformationEx+B7j
		xor	al, al
		jmp	loc_4B553F
KeQueryCurrentStackInformationEx endp

; 
		align 10h

;  S U B	R O U T	I N E 


RtlpValidateContextFlags proc near	; CODE XREF: RtlpCopyExtendedContext(x,x,x,x,x,x)+1Bp
					; RtlpSanitizeContextFlags+Cp ...

; FUNCTION CHUNK AT 005C2AE6 SIZE 0000003D BYTES

		mov	eax, ecx
		and	eax, 27FFFF80h
		push	esi
		mov	esi, edx
		cmp	eax, 10000h
		jnz	loc_5C2AE6

loc_4B55E5:				; CODE XREF: RtlpValidateContextFlags+10D522j
					; RtlpValidateContextFlags+10D534j ...
		mov	eax, ecx
		and	eax, 100040h
		cmp	eax, 100040h
		push	edi
		setnz	dl
		mov	edi, 1
		and	ecx, 10040h
		cmp	ecx, 10040h
		setnz	al
		test	dl, al
		jnz	short loc_4B561F
		mov	eax, ds:0FFDF03D8h
		or	eax, ds:0FFDF03DCh
		jz	short loc_4B562A
		mov	edi, 3

loc_4B561F:				; CODE XREF: RtlpValidateContextFlags+3Bj
		test	esi, esi
		jz	short loc_4B5625
		mov	[esi], edi

loc_4B5625:				; CODE XREF: RtlpValidateContextFlags+51j
		xor	eax, eax

loc_4B5627:				; CODE XREF: RtlpValidateContextFlags+5Fj
		pop	edi
		pop	esi
		retn
; 

loc_4B562A:				; CODE XREF: RtlpValidateContextFlags+48j
		mov	eax, 0C00000BBh
		jmp	short loc_4B5627
RtlpValidateContextFlags endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReleasePageFileSpace(x, x, x, x)
_MiReleasePageFileSpace@16 proc	near	; CODE XREF: .text:00453BF5p
					; .text:00459393p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		and	eax, 400h
		or	eax, 0
		push	esi
		mov	esi, ecx
		jnz	short loc_4B5667
		push	edx
		xor	edx, edx
		lea	ecx, [ebp+arg_0]
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	ecx, eax
		or	ecx, edx
		jnz	short loc_4B566F

loc_4B5667:				; CODE XREF: MiReleasePageFileSpace(x,x,x,x)+14j
		xor	eax, eax
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
; 

loc_4B566F:				; CODE XREF: MiReleasePageFileSpace(x,x,x,x)+25j
		push	edx
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	MiReleasePageFileInfo
		mov	eax, 1
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
_MiReleasePageFileSpace@16 endp

; 
		align 10h

; __stdcall MiDeleteClusterSection(x, x)
_MiDeleteClusterSection@8:		; CODE XREF: MiDeleteSubsectionPages(x,x)+337p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		xor	eax, eax
		mov	[ebp-4Ch], edx
		mov	[ebp-58h], eax
		mov	[ebp-54h], eax
		mov	[ebp-50h], eax
		mov	[ebp-48h], eax
		mov	[ebp-44h], eax
		mov	[ebp-40h], eax
		mov	[ebp-3Ch], eax
		mov	eax, [ecx+18h]
		push	ebx
		and	eax, offset loc_7FFFFF
		mov	dword ptr [ebp-1Ch], 0FFFFFFFFh
		push	esi
		mov	[ebp-30h], eax
		xor	ebx, ebx
		push	edi
		mov	dword ptr [ebp-20h], 0
		mov	eax, edx
		mov	[ebp-28h], edx
		nop

loc_4B56E0:				; CODE XREF: .text:004B57B2j
		mov	ecx, eax
		call	_MI_READ_PTE_LOCK_FREE@4 ; MI_READ_PTE_LOCK_FREE(x)
		mov	esi, eax
		or	eax, edx
		jz	loc_4B5B61
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jz	loc_4B5B61
		mov	eax, dword_6D0700
		mov	ecx, esi
		mov	edi, dword_6D0704
		mov	[ebp-18h], eax
		or	eax, edi
		mov	[ebp-2Ch], edi
		mov	edi, edx
		mov	[ebp-24h], edx
		jz	short loc_4B573E
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4B5737
		mov	esi, [ebp-18h]
		mov	edx, [ebp-2Ch]
		not	esi
		not	edx
		and	esi, ecx
		and	edx, edi
		jmp	short loc_4B573E
; 

loc_4B5737:				; CODE XREF: .text:004B5725j
		mov	esi, ecx
		mov	edx, edi
		and	esi, 0FFFFFFEFh

loc_4B573E:				; CODE XREF: .text:004B571Bj
					; .text:004B5735j
		shrd	esi, edx, 0Ch
		and	esi, 3FFFFFFh
		cmp	esi, dword_6D07B0
		ja	loc_4B5B61
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_4B5B61
		mov	eax, ds:_MmPfnDatabase
		lea	edi, ds:0[esi*8]
		sub	edi, esi
		mov	[ebp-2Ch], eax
		lea	ecx, [eax+edi*4]
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	loc_4B5B61
		test	ebx, ebx
		jz	short loc_4B579F
		cmp	esi, [ebp-1Ch]
		jnz	loc_4B5B61

loc_4B579F:				; CODE XREF: .text:004B5794j
		mov	eax, [ebp-28h]
		lea	ecx, [esi+1]
		inc	ebx
		mov	[ebp-1Ch], ecx
		add	eax, 8
		mov	[ebp-28h], eax
		cmp	ebx, 10h
		jb	loc_4B56E0
		mov	edx, [ebp-30h]
		lea	ebx, [ecx-10h]
		mov	ecx, [ebp-2Ch]
		mov	[ebp-34h], ebx
		lea	eax, [ecx+edi*4]
		mov	[ebp-1Ch], eax
		mov	[ebp-28h], eax
		lea	eax, ds:0[edx*8]
		sub	eax, edx
		mov	edx, [ebp-4Ch]
		add	edx, 78h
		mov	[ebp-24h], edx
		lea	eax, [ecx+eax*4]
		mov	[ebp-30h], eax
		xor	eax, eax
		mov	[ebp-14h], eax
		cmp	esi, ebx
		mov	[ebp-10h], eax
		mov	[ebp-0Ch], eax
		mov	[ebp-8], eax

loc_4B57F5:				; CODE XREF: .text:004B5971j
		jz	short loc_4B581B
		lea	eax, [ebp-28h]
		mov	ecx, edx
		push	eax
		call	MiTryLockLeafPage
		mov	edi, [ebp-28h]
		test	edi, edi
		jz	loc_4B5988
		cmp	edi, [ebp-1Ch]
		jnz	loc_4B597D
		mov	edx, [ebp-24h]
		jmp	short loc_4B582F
; 

loc_4B581B:				; CODE XREF: .text:loc_4B57F5j
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[ebx*8]
		sub	ecx, ebx
		lea	edi, [eax+ecx*4]
		mov	[ebp-28h], edi

loc_4B582F:				; CODE XREF: .text:004B5819j
		mov	eax, [edi+4]
		or	eax, 80000000h
		cmp	eax, edx
		jnz	loc_4B5B7B
		mov	al, [edi+16h]
		and	al, 7
		cmp	al, 6
		jz	loc_4B5B74
		cmp	word ptr [edi+14h], 0
		jnz	loc_4B5979
		test	byte ptr [edi+17h], 40h
		jnz	loc_4B5979
		mov	ecx, edi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	loc_4B5979
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	loc_4B5979
		xor	edx, edx
		mov	ecx, edi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		mov	eax, [edi+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jnz	short loc_4B58A1
		mov	edx, 0Ch
		mov	ecx, edi
		call	MiClearPfnImageVerified

loc_4B58A1:				; CODE XREF: .text:004B5893j
		mov	eax, [edi+0Ch]
		mov	edx, 1
		push	eax
		mov	eax, [edi+8]
		mov	ecx, offset _MiSystemPartition
		push	eax
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		mov	edx, [edi+8]
		mov	ecx, edx
		mov	eax, [edi+0Ch]
		mov	[ebp-18h], eax
		shrd	ecx, eax, 2
		test	cl, 1
		jz	short loc_4B58D8
		and	edx, 0FFFFFFFBh
		mov	[ebp-18h], eax
		mov	[edi+8], edx
		mov	[edi+0Ch], eax

loc_4B58D8:				; CODE XREF: .text:004B58CAj
		mov	ecx, edx
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_4B58EF
		mov	eax, [ebp-18h]
		and	edx, 0FFFFFFFDh
		mov	[edi+8], edx
		mov	[edi+0Ch], eax

loc_4B58EF:				; CODE XREF: .text:004B58E1j
		and	byte ptr [edi+17h], 0F8h
		and	dword ptr [edi+18h], 8FFFFFFFh
		movzx	eax, byte ptr [edi+16h]
		and	dword ptr [edi+18h], 7FFFFFFFh
		shr	eax, 6
		mov	edx, [ebp-24h]
		inc	dword ptr [ebp+eax*4-14h]
		movzx	eax, byte ptr [edi+16h]
		and	al, 0C7h
		mov	[edi+16h], al
		movzx	eax, byte ptr [edi+17h]
		and	al, 0DFh
		mov	[edi+17h], al
		movzx	eax, byte ptr [edi+16h]
		and	al, 0EFh
		mov	[edi+16h], al
		movzx	eax, byte ptr [edi+16h]
		and	al, 0F9h
		or	al, 1
		mov	[edi+16h], al
		mov	dword ptr [edi+4], 0
		and	dword ptr [edi+10h], 80000000h
		mov	dword ptr [edi+8], 0
		mov	dword ptr [edi+0Ch], 0
		mov	eax, ds:_ZeroPte
		mov	[edx], eax
		nop
		mov	eax, ds:dword_40F9FC
		dec	esi
		inc	dword ptr [ebp-20h]
		sub	dword ptr [ebp-1Ch], 1Ch
		mov	[edx+4], eax
		sub	edx, 8
		mov	[ebp-24h], edx
		cmp	esi, ebx
		jnb	loc_4B57F5
		jmp	short loc_4B5988
; 

loc_4B5979:				; CODE XREF: .text:004B5851j
					; .text:004B585Bj ...
		cmp	esi, ebx
		jz	short loc_4B5988

loc_4B597D:				; CODE XREF: .text:004B5810j
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx

loc_4B5988:				; CODE XREF: .text:004B5807j
					; .text:004B5977j ...
		mov	eax, [ebp-14h]
		xor	ecx, ecx
		xor	edx, edx
		cmp	ecx, eax
		sbb	esi, esi
		inc	esi
		cmp	ecx, eax
		mov	[ebp-18h], esi
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ebp-10h]
		test	eax, eax
		jz	short loc_4B59AD
		test	ecx, ecx
		jz	short loc_4B59AD
		mov	edx, 1

loc_4B59AD:				; CODE XREF: .text:004B59A2j
					; .text:004B59A6j
		cmp	ecx, eax
		jnb	short loc_4B59BB
		mov	esi, 1
		mov	ecx, eax
		mov	[ebp-18h], esi

loc_4B59BB:				; CODE XREF: .text:004B59AFj
		mov	eax, [ebp-0Ch]
		test	eax, eax
		jz	short loc_4B59CB
		test	ecx, ecx
		jz	short loc_4B59CB
		mov	edx, 1

loc_4B59CB:				; CODE XREF: .text:004B59C0j
					; .text:004B59C4j
		cmp	ecx, eax
		jnb	short loc_4B59D9
		mov	esi, 2
		mov	ecx, eax
		mov	[ebp-18h], esi

loc_4B59D9:				; CODE XREF: .text:004B59CDj
		mov	eax, [ebp-8]
		test	eax, eax
		jz	short loc_4B59E9
		test	ecx, ecx
		jz	short loc_4B59E9
		mov	edx, 1

loc_4B59E9:				; CODE XREF: .text:004B59DEj
					; .text:004B59E2j
		cmp	ecx, eax
		jnb	short loc_4B59F5
		mov	esi, 3
		mov	[ebp-18h], esi

loc_4B59F5:				; CODE XREF: .text:004B59EBj
		test	edx, edx
		jz	short loc_4B5A36
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[ebx*8]
		sub	ecx, ebx
		mov	edi, 10h
		mov	ebx, [ebp-18h]
		lea	esi, [eax+ecx*4]

loc_4B5A12:				; CODE XREF: .text:004B5A2Ej
		movzx	eax, byte ptr [esi+16h]
		shr	eax, 6
		cmp	eax, ebx
		jz	short loc_4B5A28
		push	1
		mov	edx, ebx
		mov	ecx, esi
		call	MiChangePageAttribute

loc_4B5A28:				; CODE XREF: .text:004B5A1Bj
		add	esi, 1Ch
		sub	edi, 1
		jnz	short loc_4B5A12
		mov	ebx, [ebp-34h]
		mov	esi, [ebp-18h]

loc_4B5A36:				; CODE XREF: .text:004B59F7j
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [ebx+0Fh]
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		lea	eax, [eax+ecx*4]
		mov	ecx, [ebp-20h]
		mov	[ebp-34h], eax
		cmp	ecx, 10h
		jnz	short loc_4B5ABB
		mov	ecx, eax
		mov	[ebp-48h], ebx
		mov	dword ptr [ebp-44h], 1
		mov	dword ptr [ebp-40h], 2
		mov	byte ptr [ebp-3Ch], 2
		call	_MI_NODE_FROM_PFN@4 ; MI_NODE_FROM_PFN(x)
		push	1
		push	1
		push	esi
		lea	eax, [eax+eax*4]
		mov	edx, ebx
		shl	eax, 7
		add	eax, dword_6D4E50
		push	1
		push	10h
		mov	[ebp-18h], eax
		call	_MiInitializeAllResidentPageBasePfns@28	; MiInitializeAllResidentPageBasePfns(x,x,x,x,x,x,x)
		push	1
		push	ecx
		push	esi
		push	1
		mov	edx, 10h
		mov	ecx, ebx
		call	_MiCreateInitialLargeLeafPfns@24 ; MiCreateInitialLargeLeafPfns(x,x,x,x,x,x)
		mov	ecx, [ebp-18h]
		lea	edx, [ebp-58h]
		lea	ecx, [ecx+204h]
		call	@KeAcquireInStackQueuedSpinLockAtDpcLevel@8 ; KeAcquireInStackQueuedSpinLockAtDpcLevel(x,x)
		mov	eax, [ebp-18h]
		mov	ecx, [ebp-20h]
		jmp	short loc_4B5AC4
; 

loc_4B5ABB:				; CODE XREF: .text:004B5A53j
		xor	eax, eax
		mov	[ebp-18h], eax
		test	ecx, ecx
		jz	short loc_4B5B0E

loc_4B5AC4:				; CODE XREF: .text:004B5AB9j
		mov	esi, [ebp-34h]
		mov	edx, 7FFFFFFFh
		add	esi, 18h
		mov	dword ptr [ebp-1Ch], 0

loc_4B5AD6:				; CODE XREF: .text:004B5B0Cj
		cmp	edi, ebx
		jz	short loc_4B5B0E
		test	eax, eax
		jnz	short loc_4B5AF6
		and	dword ptr [esi], 0FF800000h
		lea	edx, [eax+2]
		mov	ecx, edi
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	ecx, [ebp-20h]
		mov	edx, 7FFFFFFFh

loc_4B5AF6:				; CODE XREF: .text:004B5ADCj
		lea	eax, [esi-8]
		lock and [eax],	edx
		mov	eax, [ebp-1Ch]
		dec	edi
		inc	eax
		sub	esi, 1Ch
		mov	[ebp-1Ch], eax
		cmp	eax, ecx
		mov	eax, [ebp-18h]
		jb	short loc_4B5AD6

loc_4B5B0E:				; CODE XREF: .text:004B5AC2j
					; .text:004B5AD8j
		mov	ebx, [ebp-20h]
		test	ebx, ebx
		jz	short loc_4B5B35
		mov	esi, [ebp-30h]
		mov	ecx, esi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		neg	ebx
		mov	ecx, esi
		mov	edx, ebx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_4B5B35:				; CODE XREF: .text:004B5B13j
		cmp	dword ptr [ebp-18h], 0
		jz	short loc_4B5B61
		lea	ecx, [ebp-48h]
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)
		lea	ecx, [ebp-58h]
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		mov	eax, 1
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B5B61:				; CODE XREF: .text:004B56EBj
					; .text:004B56FBj ...
		mov	ecx, [ebp-4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B5B74:				; CODE XREF: .text:004B5846j
		mov	ecx, edi
		call	_MiBadShareCount@4 ; MiBadShareCount(x)

loc_4B5B7B:				; CODE XREF: .text:004B5839j
		mov	ecx, edx
		call	_MI_READ_PTE_LOCK_FREE@4 ; MI_READ_PTE_LOCK_FREE(x)
		mov	ecx, [edi+4]
		push	ecx
		push	eax
		push	dword ptr [ebp-24h]
		push	403h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiUpdatePfnPriorityByPte(x,	x)
_MiUpdatePfnPriorityByPte@8 proc near	; CODE XREF: .text:004B01E1p
					; MiPfPrepareReadList+23Fp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp-24h], edx
		mov	[ebp-8], edi
		jmp	short loc_4B5BD0
; 
		align 10h

loc_4B5BD0:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+25j
					; MiUpdatePfnPriorityByPte(x,x)+1E6j ...
		mov	esi, [edi]
		mov	dword ptr [ebp-1Ch], 0
		mov	dword ptr [ebp-20h], 0
		mov	[ebp-1Ch], esi
		nop
		mov	ecx, [edi+4]
		mov	eax, esi
		and	eax, 1
		mov	[ebp-0Ch], ecx
		or	eax, 0
		jz	short loc_4B5C0D
		nop
		mov	eax, ecx
		mov	dword ptr [ebp-14h], 6
		shrd	esi, eax, 0Ch
		and	esi, 1FFFFFFh
		jmp	loc_4B5CA3
; 

loc_4B5C0D:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+52j
		mov	eax, esi
		and	eax, 400h
		or	eax, 0
		jnz	loc_4B5E09
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jz	loc_4B5E09
		mov	eax, esi
		or	eax, ecx
		jz	short loc_4B5C55
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edx, dword_6D0704
		or	eax, edx
		jz	short loc_4B5C52
		and	edx, [ebp-0Ch]
		and	ecx, esi
		or	ecx, edx
		jz	loc_4B5E09

loc_4B5C52:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+A3j
		mov	ecx, [ebp-0Ch]

loc_4B5C55:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+91j
		mov	eax, dword_6D0700
		mov	edx, esi
		mov	edi, dword_6D0704
		mov	[ebp-10h], eax
		or	eax, edi
		mov	[ebp-18h], edi
		mov	edi, ecx
		mov	[ebp-14h], ecx
		jz	short loc_4B5C8F
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4B5C8B
		mov	esi, [ebp-10h]
		mov	ecx, [ebp-18h]
		not	esi
		not	ecx
		and	esi, edx
		and	ecx, edi
		jmp	short loc_4B5C8F
; 

loc_4B5C8B:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+D9j
		mov	esi, edx
		mov	ecx, edi

loc_4B5C8F:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+CFj
					; MiUpdatePfnPriorityByPte(x,x)+E9j
		mov	edi, [ebp-8]
		shrd	esi, ecx, 0Ch
		mov	dword ptr [ebp-14h], 2
		and	esi, 3FFFFFFh

loc_4B5CA3:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+68j
		cmp	esi, dword_6D07B0
		ja	loc_4B5E09
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_4B5E09
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		lea	ecx, [eax+ecx*4]
		mov	[ebp-10h], ecx
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [ebp-10h]
		mov	dl, al
		mov	[ebp-1], dl
		mov	dword ptr [ebp-18h], 0
		lea	esi, [ecx+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4B5D1C

loc_4B5D01:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+16Dj
					; MiUpdatePfnPriorityByPte(x,x)+174j
		lea	ecx, [ebp-18h]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4B5D01
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4B5D01
		mov	ecx, [ebp-10h]
		mov	dl, [ebp-1]

loc_4B5D1C:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+15Fj
		mov	eax, [ecx+4]
		or	eax, 80000000h
		cmp	eax, edi
		jz	short loc_4B5D58
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4B5D3F
		add	edi, 40000000h
		cmp	edi, offset loc_7FFFFF
		jbe	short loc_4B5D5E

loc_4B5D3F:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+18Fj
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4B5D58:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+186j
		add	edi, 40000000h

loc_4B5D5E:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+19Dj
		mov	al, [ecx+16h]
		and	al, 7
		cmp	dword ptr [ebp-14h], 6
		jnz	short loc_4B5DC8
		cmp	al, 6
		jz	short loc_4B5DD8
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	edi, offset loc_7FFFFF
		mov	edi, [ebp-8]
		ja	loc_4B5BD0
		mov	eax, edi
		shl	eax, 9
		cmp	eax, 0C0000000h
		jb	short loc_4B5DA3
		cmp	eax, 0C07FFFFFh
		jbe	loc_4B5BD0

loc_4B5DA3:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+1F6j
		cmp	eax, dword_6D07D0
		jb	loc_4B5BD0
		shr	eax, 15h
		cmp	byte ptr dword_6D3994[eax], 9
		jnz	loc_4B5BD0
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4B5DC8:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+1C7j
		cmp	al, 2
		jb	short loc_4B5E12
		cmp	al, 4
		ja	short loc_4B5E12
		test	dword ptr [esi], 40000000h
		jnz	short loc_4B5E12

loc_4B5DD8:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+1CBj
		mov	edi, [ebp-8]
		mov	eax, [edi]
		nop
		mov	ecx, [edi+4]
		cmp	[ebp-1Ch], eax
		jnz	short loc_4B5E15
		cmp	[ebp-0Ch], ecx
		jnz	short loc_4B5E15
		mov	edx, [ebp-24h]
		mov	ecx, [ebp-10h]
		push	0
		call	_MiUpdatePfnPriority@12	; MiUpdatePfnPriority(x,x,x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4B5E09:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+77j
					; MiUpdatePfnPriorityByPte(x,x)+87j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4B5E12:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+22Aj
					; MiUpdatePfnPriorityByPte(x,x)+22Ej ...
		mov	edi, [ebp-8]

loc_4B5E15:				; CODE XREF: MiUpdatePfnPriorityByPte(x,x)+244j
					; MiUpdatePfnPriorityByPte(x,x)+249j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4B5BD0
_MiUpdatePfnPriorityByPte@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetPteAddress(x)
_MiGetPteAddress@4 proc	near		; CODE XREF: MmInvalidateDumpAddresses(x,x)+9p
					; MiTerminateHardwareEnclave(x,x)+17p ...
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		lea	eax, [ecx-40000000h]
		retn
_MiGetPteAddress@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiVadCommitCrossPartition proc near	; CODE XREF: MiDeleteVad(x,x,x)+4D7p
					; MiDecommitRegion(x,x,x)+B5p ...

; FUNCTION CHUNK AT 005C2B23 SIZE 00000029 BYTES

		mov	eax, [ecx+1Ch]
		test	eax, 100000h
		jz	short loc_4B5E5D
		test	eax, 400000h
		jnz	short loc_4B5E60
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnb	short loc_4B5E60

loc_4B5E5D:				; CODE XREF: MiVadCommitCrossPartition+8j
					; MiVadCommitCrossPartition+25j ...
		xor	eax, eax
		retn
; 

loc_4B5E60:				; CODE XREF: MiVadCommitCrossPartition+Fj
					; MiVadCommitCrossPartition+1Bj
		mov	eax, [ecx+24h]
		test	eax, eax
		jz	short loc_4B5E5D
		jmp	loc_5C2B23
MiVadCommitCrossPartition endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReturnCommit	proc near		; CODE XREF: MiDeleteProcessShadow+1CDp
					; MiReleaseNonPagedResources(x,x)+8p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C2B4C SIZE 000000A9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_4B5ED2
		cmp	[esi+0DA0h], eax
		jnz	loc_5C2B4C

loc_4B5E99:				; CODE XREF: MiReturnCommit+10CD4Dj
		push	ebx
		cmp	esi, offset _MiSystemPartition
		jnz	short loc_4B5ED8
		mov	eax, large fs:20h
		mov	edx, [eax+3D2Ch]
		lea	ebx, [eax+3D2Ch]
		lea	eax, [edx+edi]
		cmp	eax, 100h
		ja	short loc_4B5ED8
		mov	edi, edi

loc_4B5EC0:				; CODE XREF: MiReturnCommit+10CD5Bj
		lea	ecx, [edx+edi]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	loc_5C2BC2

loc_4B5ED1:				; CODE XREF: MiReturnCommit+90j
					; MiReturnCommit+10CD71j ...
		pop	ebx

loc_4B5ED2:				; CODE XREF: MiReturnCommit+1Bj
					; MiReturnCommit+10CD47j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B5ED8:				; CODE XREF: MiReturnCommit+30j
					; MiReturnCommit+4Cj ...
		mov	ecx, edi
		lea	eax, [esi+10BCh]
		neg	ecx
		lock xadd [eax], ecx
		mov	edx, [esi+0D94h]
		mov	eax, ecx
		sub	eax, edi
		cmp	ecx, edx
		jnb	loc_5C2BD6

loc_4B5EF8:				; CODE XREF: MiReturnCommit+10CD6Aj
		mov	edx, [esi+0D90h]
		cmp	ecx, edx
		jb	short loc_4B5ED1
		jmp	loc_5C2BDF
MiReturnCommit	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiReturnFullProcessCharges(x, x)
_MiReturnFullProcessCharges@8 proc near	; CODE XREF: .text:0045408Ap
					; MiDeleteVad(x,x,x)+4FEp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		mov	esi, ebx
		neg	esi
		test	byte ptr [edi+0F8h], 10h
		jz	short loc_4B5F35
		push	0
		push	edi
		mov	edx, esi
		mov	ecx, 2
		call	PspChangeJobMemoryUsageByProcess

loc_4B5F35:				; CODE XREF: MiReturnFullProcessCharges(x,x)+14j
		lea	eax, [edi+224h]
		lock xadd [eax], esi
		mov	ecx, edi
		mov	edx, ebx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PsReturnProcessPageFileQuota@8	; PsReturnProcessPageFileQuota(x,x)
_MiReturnFullProcessCharges@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiSetPfnLink(x, x)
_MiSetPfnLink@8	proc near		; CODE XREF: MiAllocateTopLevelPage+6Ap
					; MiInitializePageDirectoryPages+7Dp ...
		mov	[ecx], edx
		retn
_MiSetPfnLink@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUseSlabAllocator proc	near		; CODE XREF: .text:004789ABp
					; MiResolveMappedFileFault+2B6p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C2BF5 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [edx]
		mov	eax, [esi+1Ch]
		test	al, 20h
		jnz	short loc_4B5F66

loc_4B5F5F:				; CODE XREF: MiUseSlabAllocator+1Bj
					; MiUseSlabAllocator+28j ...
		xor	eax, eax

loc_4B5F61:				; CODE XREF: MiUseSlabAllocator+10CCCDj
					; MiUseSlabAllocator+10CCE2j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_4B5F66:				; CODE XREF: MiUseSlabAllocator+Dj
		test	eax, 40000000h
		jnz	short loc_4B5F5F
		mov	eax, [ebp+arg_4]
		and	eax, 400h
		or	eax, 0
		jz	short loc_4B5F5F
		test	dword ptr [esi+34h], 0C0000h
		mov	eax, [ecx+4]
		jnz	loc_5C2BF5
		test	al, 10h
		jz	short loc_4B5F5F
		jmp	loc_5C2C22
MiUseSlabAllocator endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiObtainFaultCharges proc near		; CODE XREF: MiMigratePfn(x,x,x,x)+1C7p
					; MiResolveMappedFileFault+27Bp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005C2C37 SIZE 00000072 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, edx
		push	edi
		mov	[ebp+var_8], ebx

loc_4B5FB2:				; CODE XREF: MiObtainFaultCharges+B6j
		lea	edx, [esi-1]
		neg	edx
		sbb	edx, edx
		and	edx, 3FFh
		inc	edx
		cmp	ebx, offset _MiSystemPartition
		jnz	short loc_4B6046
		mov	eax, large fs:20h
		mov	edi, [eax+3D30h]
		add	eax, 3D30h
		mov	[ebp+var_4], eax
		cmp	esi, edi
		ja	short loc_4B6046

loc_4B5FE0:				; CODE XREF: MiObtainFaultCharges+10CC9Bj
		cmp	edi, 0FFFFFFFFh
		jz	short loc_4B6046
		mov	ebx, [ebp+var_4]
		mov	ecx, edi
		sub	ecx, esi
		mov	eax, edi
		lock cmpxchg [ebx], ecx
		mov	ebx, [ebp+var_8]
		cmp	eax, edi
		jnz	loc_5C2C37

loc_4B5FFD:				; CODE XREF: MiObtainFaultCharges+B2j
		test	esi, esi
		jz	loc_5C2C46

loc_4B6005:				; CODE XREF: MiObtainFaultCharges+10CCC3j
		test	[ebp+arg_0], 1
		jz	short loc_4B603B
		mov	edi, esi
		lea	ecx, [ecx+0]

loc_4B6010:				; CODE XREF: MiObtainFaultCharges+C3j
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	MiChargeCommit
		cmp	eax, 1
		jnz	short loc_4B6061
		test	edi, edi
		jz	loc_5C2C68

loc_4B6028:				; CODE XREF: MiObtainFaultCharges+10CCCCj
					; MiObtainFaultCharges+10CCE2j
		cmp	edi, esi
		jnz	loc_5C2C87

loc_4B6030:				; CODE XREF: MiObtainFaultCharges+10CCF4j
					; MiObtainFaultCharges+10CD04j
		mov	eax, edi

loc_4B6032:				; CODE XREF: MiObtainFaultCharges+10CCAEj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4B603B:				; CODE XREF: MiObtainFaultCharges+69j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4B6046:				; CODE XREF: MiObtainFaultCharges+26j
					; MiObtainFaultCharges+3Ej ...
		push	edx
		mov	edx, esi
		mov	ecx, ebx
		call	MiChargePartitionResidentAvailable
		test	eax, eax
		jnz	short loc_4B5FFD
		shr	esi, 1
		jnz	loc_4B5FB2
		jmp	loc_5C2C46
; 

loc_4B6061:				; CODE XREF: MiObtainFaultCharges+7Ej
		shr	edi, 1
		jnz	short loc_4B6010
		jmp	loc_5C2C68
MiObtainFaultCharges endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiEndingOffsetWithLock proc near	; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+B1p
					; MiViewMayContainPage+25Ap ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C2CA9 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi]
		add	esi, 24h
		push	esi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	ecx, edi
		mov	bl, al
		call	_MiEndingOffset@4 ; MiEndingOffset(x)
		test	ds:byte_70EFC6,	1
		mov	edi, eax
		mov	[ebp+var_4], edx
		jnz	loc_5C2CA9
		mov	eax, 0BFFFFFFFh
		lock and [esi],	eax
		lock dec dword ptr [esi]

loc_4B60AC:				; CODE XREF: MiEndingOffsetWithLock+10CC43j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
MiEndingOffsetWithLock endp


;  S U B	R O U T	I N E 


; __stdcall MiEndingOffset(x)
_MiEndingOffset@4 proc near		; CODE XREF: MiFlushSectionInternal+9E2p
					; MiCopyDataPageToImagePage+130p ...
		mov	eax, [ecx]
		push	esi
		push	edi
		test	byte ptr [eax+1Ch], 20h
		jz	short loc_4B60F6
		mov	eax, [ecx+18h]
		push	ebx
		mov	ebx, 200h
		mul	ebx
		mov	esi, eax
		mov	edi, edx
		mov	eax, [ecx+14h]
		mul	ebx
		pop	ebx

loc_4B60DF:				; CODE XREF: MiEndingOffset(x)+5Aj
		add	esi, eax
		mov	ax, [ecx+12h]
		adc	edi, edx
		shr	ax, 4
		movzx	eax, ax
		cdq
		add	eax, esi
		adc	edx, edi
		pop	edi
		pop	esi
		retn
; 

loc_4B60F6:				; CODE XREF: MiEndingOffset(x)+8j
		mov	ax, [ecx+10h]
		xor	esi, esi
		or	esi, [ecx+14h]
		shr	ax, 6
		movzx	eax, ax
		cdq
		mov	edi, eax
		mov	edx, 1000h
		mov	eax, [ecx+18h]
		shld	edi, esi, 0Ch
		shl	esi, 0Ch
		mul	edx
		jmp	short loc_4B60DF
_MiEndingOffset@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiStartingOffsetNeedLock(x,	x)
_MiStartingOffsetNeedLock@8 proc near	; CODE XREF: MiPfPrepareReadList+3E8p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	eax, [edi]
		test	byte ptr [eax+1Ch], 20h
		jz	short loc_4B6168

loc_4B6132:				; CODE XREF: MiStartingOffsetNeedLock(x,x)+50j
		mov	bl, 21h
		lea	esi, [eax+24h]

loc_4B6137:				; CODE XREF: MiStartingOffsetNeedLock(x,x)+5Dj
		push	[ebp+var_4]
		mov	edx, [edi+4]
		mov	ecx, edi
		call	MiStartingOffset
		mov	[ebp+var_4], edx
		mov	edi, eax
		cmp	bl, 21h
		jnz	short loc_4B6158

loc_4B614E:				; CODE XREF: MiStartingOffsetNeedLock(x,x)+4Aj
		mov	edx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4B6158:				; CODE XREF: MiStartingOffsetNeedLock(x,x)+30j
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4B614E
; 

loc_4B6168:				; CODE XREF: MiStartingOffsetNeedLock(x,x)+14j
		cmp	dword ptr [eax+20h], 0
		jz	short loc_4B6132
		lea	esi, [eax+24h]
		push	esi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	bl, al
		jmp	short loc_4B6137
_MiStartingOffsetNeedLock@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiStartingOffset proc near		; CODE XREF: .text:004784D4p
					; MiCompleteRestrictedImageFault(x,x,x,x)+15Cp	...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C2CB8 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	ebx, [edi]
		mov	ecx, [edi+4]
		test	byte ptr [ebx+1Ch], 20h
		jz	short loc_4B61D1
		cmp	esi, ecx
		jb	loc_5C2CB8
		mov	eax, [edi+1Ch]
		lea	eax, [ecx+eax*8]
		cmp	esi, eax
		jnb	loc_5C2CB8
		sub	esi, ecx
		xor	edx, edx
		sar	esi, 3
		shld	edx, esi, 3
		shl	esi, 3
		add	esi, [edi+14h]
		adc	edx, 0
		shld	edx, esi, 9
		shl	esi, 9
		mov	eax, esi

loc_4B61CA:				; CODE XREF: MiStartingOffset+88j
					; MiStartingOffset+10CB6Aj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4B61D1:				; CODE XREF: MiStartingOffset+15j
		test	ecx, ecx
		jz	short loc_4B620A
		sub	esi, ecx
		sar	esi, 3
		mov	eax, esi
		cdq
		mov	esi, eax
		mov	ebx, edx
		shld	ebx, esi, 0Ch
		shl	esi, 0Ch

loc_4B61E8:				; CODE XREF: MiStartingOffset+8Ej
		mov	cx, [edi+10h]
		shr	cx, 6
		movzx	eax, cx
		xor	ecx, ecx
		or	ecx, [edi+14h]
		cdq
		mov	edx, eax
		shld	edx, ecx, 0Ch
		shl	ecx, 0Ch
		add	ecx, esi
		mov	eax, ecx
		adc	edx, ebx
		jmp	short loc_4B61CA
; 

loc_4B620A:				; CODE XREF: MiStartingOffset+53j
		xor	esi, esi
		xor	ebx, ebx
		jmp	short loc_4B61E8
MiStartingOffset endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiClaimPhysicalRun proc	near		; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+4AFp
					; MiScrubNode(x)+109p ...

var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 005C2CEF SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		test	eax, eax
		jnz	loc_5C2CEF

loc_4B622F:				; CODE XREF: MiClaimPhysicalRun+10CAE5j
		mov	eax, [ebp+arg_14]
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	ebx, [ebp+arg_C]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], eax
		mov	eax, ds:_MmPfnDatabase
		mov	[ebp+var_28], ecx
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], edx
		mov	[ebp+var_10], 0FFFFFFFFh
		mov	[ebp+arg_8], 0
		lea	edi, [eax+ecx*4]
		mov	[ebp+arg_18], edx
		lea	eax, ds:0[edx*8]
		sub	eax, edx
		and	ebx, 2000h
		lea	eax, [edi+eax*4]
		mov	[ebp+arg_4], eax
		lea	eax, [esi+edx]
		mov	[ebp+arg_10], eax
		lea	esp, [esp+0]

loc_4B62A0:				; CODE XREF: MiClaimPhysicalRun+D2j
		mov	edx, esi
		lea	ecx, [ebp+var_28]
		call	_MiTradePage@8	; MiTradePage(x,x)
		test	eax, eax
		jnz	short loc_4B630E
		mov	ecx, [ebp+var_C]
		mov	eax, 1
		cmp	ecx, eax
		ja	loc_5C2CFA

loc_4B62BE:				; CODE XREF: MiClaimPhysicalRun+10CAF9j
					; MiClaimPhysicalRun+10CB07j
		cmp	[ebp+arg_8], 0
		jz	short loc_4B62F4

loc_4B62C4:				; CODE XREF: MiClaimPhysicalRun+FCj
		test	ebx, ebx
		jz	short loc_4B632B
		mov	ecx, [ebp+arg_10]
		sub	ecx, esi
		cmp	eax, ecx
		jnb	short loc_4B62E4

loc_4B62D1:				; CODE XREF: MiClaimPhysicalRun+101j
		lea	ecx, ds:0[eax*8]
		add	esi, eax
		sub	ecx, eax
		lea	edi, [edi+ecx*4]
		cmp	edi, [ebp+arg_4]
		jb	short loc_4B62A0

loc_4B62E4:				; CODE XREF: MiClaimPhysicalRun+BFj
		test	ebx, ebx
		jz	short loc_4B632B

loc_4B62E8:				; CODE XREF: MiClaimPhysicalRun+12Ej
					; MiClaimPhysicalRun+13Fj
		mov	eax, [ebp+arg_18]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_4B62F4:				; CODE XREF: MiClaimPhysicalRun+B2j
		test	ecx, ecx
		jz	short loc_4B6305
		mov	edx, [ebp+arg_10]
		dec	ecx
		not	ecx
		and	ecx, esi
		sub	edx, ecx
		mov	[ebp+arg_18], edx

loc_4B6305:				; CODE XREF: MiClaimPhysicalRun+E6j
		mov	[ebp+arg_8], 1
		jmp	short loc_4B62C4
; 

loc_4B630E:				; CODE XREF: MiClaimPhysicalRun+9Cj
		sub	[ebp+var_20], eax
		jnz	short loc_4B62D1
		test	[ebp+arg_C], 400000h
		jnz	loc_5C2D1C

loc_4B6320:				; CODE XREF: MiClaimPhysicalRun+10CB11j
					; MiClaimPhysicalRun+10CB1Cj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_4B632B:				; CODE XREF: MiClaimPhysicalRun+B6j
					; MiClaimPhysicalRun+D6j
		mov	esi, [ebp+arg_0]
		sub	esi, [ebp+var_20]
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jnz	loc_5C2D31

loc_4B633C:				; CODE XREF: MiClaimPhysicalRun+10CB2Aj
		test	esi, esi
		jz	short loc_4B62E8

loc_4B6340:				; CODE XREF: MiClaimPhysicalRun+13Dj
		sub	edi, 1Ch
		mov	ecx, edi
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		sub	esi, 1
		jnz	short loc_4B6340
		jmp	short loc_4B62E8
MiClaimPhysicalRun endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTradePage(x, x)
_MiTradePage@8	proc near		; CODE XREF: MiClaimPhysicalRun+95p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ecx
		mov	[ebp+var_40], 0
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax+4]
		mov	ebx, edx
		mov	edi, [eax+0Ch]
		mov	[ebp+var_24], ecx
		mov	ecx, [eax+14h]
		mov	[ebp+var_44], ecx
		mov	ecx, [eax]
		mov	[ebp+var_10], ecx
		mov	ecx, edi
		and	ecx, 400000h
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_30], 0
		mov	dword ptr [eax+1Ch], 0
		mov	[ebp+var_18], edi
		mov	[ebp+var_1C], ecx
		jz	short loc_4B63B6
		mov	edi, [eax+10h]
		mov	[ebp+var_34], edi
		jmp	short loc_4B63BD
; 

loc_4B63B6:				; CODE XREF: MiTradePage(x,x)+4Cj
		mov	[ebp+var_34], 0FFFFFFFFh

loc_4B63BD:				; CODE XREF: MiTradePage(x,x)+54j
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[ebx*8]
		sub	ecx, ebx
		mov	[ebp+var_14], 0
		mov	[ebp+var_20], 0FFFFFFFFh
		mov	[ebp+var_2C], 0
		lea	esi, [eax+ecx*4]
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		lea	ebx, [esi+10h]
		mov	[ebp+var_2], al
		mov	[ebp+var_28], 0
		mov	[ebp+var_38], ebx
		lock bts dword ptr [ebx], 1Fh
		jnb	short loc_4B641A

loc_4B6402:				; CODE XREF: MiTradePage(x,x)+AEj
					; MiTradePage(x,x)+B5j
		lea	ecx, [ebp+var_28]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_4B6402
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_4B6402
		mov	al, [ebp+var_2]

loc_4B641A:				; CODE XREF: MiTradePage(x,x)+A0j
		mov	edx, [ebp+var_C]
		mov	bl, al
		mov	edi, [ebp+var_8]
		mov	eax, edx
		and	eax, 1Fh
		mov	[ebp+var_1], bl
		mov	[ebp+var_3C], eax

loc_4B642D:				; CODE XREF: MiTradePage(x,x)+231j
					; MiTradePage(x,x)+4A3j ...
		mov	ecx, 7FFFFFFFh
		cmp	edx, dword_6D07B0
		ja	loc_4B6A28
		mov	eax, dword_6D35B8
		mov	ecx, edx
		shr	ecx, 5
		mov	eax, [eax+ecx*4]
		mov	ecx, [ebp+var_3C]
		shr	eax, cl
		and	eax, 1
		jz	loc_4B6A36
		cmp	[ebp+var_10], offset _MiSystemPartition
		jnz	loc_4B69DE
		movzx	edi, byte ptr [esi+16h]
		or	ebx, 0FFFFFFFFh
		and	edi, 7
		test	dword ptr [esi+18h], 800000h
		jz	short loc_4B64AA
		mov	ecx, esi
		call	_MiGetBaseResidentPage@4 ; MiGetBaseResidentPage(x)
		mov	edx, eax
		mov	ecx, edx
		movzx	edi, byte ptr [edx+16h]
		and	edi, 7
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		mov	ebx, eax
		mov	ecx, 7FFFFFFFh
		cmp	edx, esi
		jz	short loc_4B64A1
		lea	eax, [edx+10h]
		lock and [eax],	ecx

loc_4B64A1:				; CODE XREF: MiTradePage(x,x)+139j
		cmp	edi, 6
		jz	loc_4B689B

loc_4B64AA:				; CODE XREF: MiTradePage(x,x)+117j
		cmp	edi, 5
		jnz	loc_4B659B
		mov	ecx, esi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	loc_4B6A36
		cmp	ebx, 0FFFFFFFFh
		jnz	loc_4B6596
		mov	ebx, [esi+8]
		nop
		mov	edi, [esi+0Ch]
		push	edi
		push	ebx
		call	_MiInvalidPteConforms@12 ; MiInvalidPteConforms(x,x,x)
		test	eax, eax
		jz	loc_4B6A36
		mov	eax, dword_6D0704
		mov	edx, edi
		mov	ecx, dword_6D0700
		mov	[ebp+var_28], eax
		mov	eax, ecx
		or	eax, [ebp+var_28]
		jz	short loc_4B6515
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4B6512
		mov	edi, [ebp+var_28]
		not	ecx
		and	ecx, ebx
		not	edi
		and	edi, edx
		mov	[ebp+var_50], ecx
		jmp	short loc_4B6515
; 

loc_4B6512:				; CODE XREF: MiTradePage(x,x)+1A0j
		mov	[ebp+var_50], ebx

loc_4B6515:				; CODE XREF: MiTradePage(x,x)+196j
					; MiTradePage(x,x)+1B0j
		cmp	edi, 0FFFFFFFEh
		jnz	loc_4B6A36
		cmp	[ebp+var_2C], esi
		jz	loc_4B6A36
		mov	ecx, esi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	cl, byte_6D068C
		mov	edi, [eax+4]
		mov	eax, dword_6D06D0
		and	eax, [ebp+var_C]
		shl	edi, cl
		mov	ecx, 7FFFFFFFh
		or	edi, eax
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	bl, [ebp+var_1]
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		push	edi
		mov	edi, [ebp+var_8]
		mov	eax, [edi+8]
		push	eax
		call	_MiDrainZeroLookasides@16 ; MiDrainZeroLookasides(x,x,x,x)
		mov	ecx, esi
		mov	[ebp+var_2C], esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edx, [ebp+var_C]
		jmp	loc_4B642D
; 

loc_4B6596:				; CODE XREF: MiTradePage(x,x)+165j
		mov	edi, 1

loc_4B659B:				; CODE XREF: MiTradePage(x,x)+14Dj
		mov	ecx, esi
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	loc_4B6A36
		cmp	edi, 1
		ja	loc_4B668D
		cmp	ebx, 0FFFFFFFFh
		jz	loc_4B68DF
		mov	eax, [ebp+var_18]
		mov	edi, ds:_MiLargePageSizes[ebx*4]
		test	eax, 2000000h
		jz	short loc_4B65D9
		cmp	edi, 200h
		jnb	loc_4B6A36

loc_4B65D9:				; CODE XREF: MiTradePage(x,x)+26Bj
		test	eax, 1000000h
		jz	short loc_4B65E9
		cmp	edi, 10h
		jz	loc_4B6A36

loc_4B65E9:				; CODE XREF: MiTradePage(x,x)+27Ej
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_1C], 0
		mov	ecx, [ebp+var_C]
		jnz	short loc_4B663E
		mov	eax, edi
		neg	eax
		and	eax, ecx
		cmp	ecx, eax
		jnz	short loc_4B663E
		mov	eax, [ebp+var_8]
		cmp	[eax+8], edi
		jb	short loc_4B663E
		lea	edx, [ecx-1]
		add	edx, edi
		cmp	edx, [eax+20h]
		ja	short loc_4B663E
		push	[ebp+var_18]
		mov	eax, [eax+24h]
		mov	ecx, [ebp+var_10]
		push	eax
		push	ebx
		call	_MiLargeFreePageToMdl@20 ; MiLargeFreePageToMdl(x,x,x,x,x)
		cmp	eax, 1
		jz	loc_4B68AD
		mov	ecx, [ebp+var_C]

loc_4B663E:				; CODE XREF: MiTradePage(x,x)+2A4j
					; MiTradePage(x,x)+2AEj ...
		lea	eax, [ebp+var_30]
		mov	edx, ecx
		mov	ecx, [ebp+var_10]
		push	eax
		push	[ebp+var_18]
		push	ebx
		call	_MiDemoteLargeFreePage@20 ; MiDemoteLargeFreePage(x,x,x,x,x)
		test	eax, eax
		jnz	loc_4B6884
		cmp	[ebp+var_30], eax
		jnz	loc_4B6884
		mov	ecx, esi
		call	_MiLargePageMovesInProgress@4 ;	MiLargePageMovesInProgress(x)
		mov	edi, [ebp+var_8]
		test	eax, eax
		jnz	loc_4B6937
		mov	eax, ds:_MiLargePageSizes[ebx*4]
		mov	ecx, [ebp+var_20]
		mov	[edi+1Ch], eax
		mov	eax, [ebp+var_14]
		mov	[edi+18h], ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B668D:				; CODE XREF: MiTradePage(x,x)+24Dj
		mov	edx, [ebp+var_24]
		cmp	dword ptr [edx+0Ch], 0
		jz	short loc_4B669D
		mov	al, [esi+17h]
		test	al, al
		jns	short loc_4B66EB

loc_4B669D:				; CODE XREF: MiTradePage(x,x)+334j
		cmp	edi, 2
		jz	loc_4B69B6
		cmp	edi, 6
		jnz	loc_4B6A23
		test	byte ptr [esi+16h], 10h
		jnz	loc_4B6A36
		cmp	word ptr [esi+14h], 1
		jnz	loc_4B6A36
		mov	eax, [esi+18h]
		and	eax, 70000000h
		cmp	eax, 20000000h
		jz	loc_4B6A36
		test	byte ptr [esi],	1
		jz	loc_4B6A36
		mov	al, [esi+17h]
		test	al, 8
		jnz	loc_4B6A36

loc_4B66EB:				; CODE XREF: MiTradePage(x,x)+33Bj
		cmp	edi, 4
		ja	short loc_4B675A
		mov	edi, [ebp+var_18]
		test	edi, 4000000h
		jnz	short loc_4B6711
		test	dword ptr [esi+18h], 800000h
		jnz	short loc_4B6711
		mov	ecx, [esi+4]
		test	ecx, ecx
		js	short loc_4B6711
		jnz	loc_4B6A36

loc_4B6711:				; CODE XREF: MiTradePage(x,x)+399j
					; MiTradePage(x,x)+3A2j ...
		test	edi, 200000h
		jz	short loc_4B6730
		test	al, 40h
		jnz	loc_4B6A36
		mov	ecx, esi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	loc_4B6A36

loc_4B6730:				; CODE XREF: MiTradePage(x,x)+3B7j
		lea	eax, [ebp+var_20]
		mov	ecx, esi
		push	eax
		push	edi
		push	[ebp+var_34]
		push	edx
		mov	dl, [ebp+var_1]
		call	MiTradeTransitionPage
		cmp	eax, 3
		jz	loc_4B6913
		cmp	eax, 2
		jnz	loc_4B6934
		jmp	loc_4B6884
; 

loc_4B675A:				; CODE XREF: MiTradePage(x,x)+38Ej
		cmp	edi, 6
		jnz	loc_4B6A36
		mov	ebx, [ebp+var_18]
		test	ebx, 200000h
		jz	short loc_4B6785
		test	al, 40h
		jnz	loc_4B6A36
		mov	ecx, esi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	loc_4B6A36

loc_4B6785:				; CODE XREF: MiTradePage(x,x)+40Cj
		mov	eax, [esi+18h]
		and	eax, 70000000h
		cmp	eax, 20000000h
		jnz	short loc_4B6808
		cmp	[ebp+var_2], 2
		jz	loc_4B6A36
		mov	ecx, 7FFFFFFFh
		test	bl, 8
		jnz	loc_4B6A28
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, [ebp+var_8]
		lea	eax, [ebp+var_40]
		mov	ecx, [ebp+var_24]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		mov	eax, [edi+10h]
		push	ebx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_10]
		call	_MiSwapStackPage@28 ; MiSwapStackPage(x,x,x,x,x,x,x)
		test	eax, eax
		jnz	loc_4B694A
		mov	eax, [esi+18h]
		and	eax, 70000000h
		cmp	eax, 20000000h
		jz	loc_4B6937
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edx, [ebp+var_C]
		mov	bl, al
		mov	[ebp+var_1], al
		jmp	loc_4B642D
; 

loc_4B6808:				; CODE XREF: MiTradePage(x,x)+432j
		push	ecx
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		push	1
		call	_MiActivePageClaimCandidate@16 ; MiActivePageClaimCandidate(x,x,x,x)
		test	eax, eax
		jnz	loc_4B69AB
		cmp	[ebp+var_2], 2
		jz	loc_4B6A36
		test	bl, 8
		jnz	loc_4B6A36
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		mov	dl, [ebp+var_1]
		test	eax, eax
		jz	short loc_4B6846
		push	ebx
		call	MiTrimSharedPage
		jmp	short loc_4B685D
; 

loc_4B6846:				; CODE XREF: MiTradePage(x,x)+4DCj
		mov	ecx, [ebp+var_24]
		lea	eax, [ebp+var_20]
		push	eax
		mov	eax, [ebp+var_8]
		mov	eax, [eax+10h]
		push	eax
		push	ecx
		push	ebx
		mov	ecx, esi
		call	MiStealPage

loc_4B685D:				; CODE XREF: MiTradePage(x,x)+4E4j
		mov	edi, eax
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	loc_4B6934
		cmp	edi, 2
		jnz	loc_4B6947

loc_4B6884:				; CODE XREF: MiTradePage(x,x)+2F2j
					; MiTradePage(x,x)+2FBj ...
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edi, [ebp+var_8]
		mov	bl, al
		mov	edx, [ebp+var_C]
		mov	[ebp+var_1], al
		jmp	loc_4B642D
; 

loc_4B689B:				; CODE XREF: MiTradePage(x,x)+144j
		mov	edi, [ebp+var_8]
		mov	eax, ds:_MiLargePageSizes[ebx*4]
		mov	[edi+1Ch], eax
		jmp	loc_4B6A3E
; 

loc_4B68AD:				; CODE XREF: MiTradePage(x,x)+2D5j
		mov	[ebp+var_14], edi
		mov	edi, [ebp+var_8]
		mov	ebx, [edi+24h]
		test	ebx, ebx
		jz	short loc_4B6937
		mov	edx, [ebp+var_44]
		mov	ecx, esi
		call	_MiPfnZeroingNeeded@8 ;	MiPfnZeroingNeeded(x,x)
		test	eax, eax
		jz	short loc_4B6937
		mov	eax, [ebp+var_14]
		mov	dword ptr [ebx+0Ch], 1
		mov	ecx, [ebp+var_20]
		mov	[edi+18h], ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B68DF:				; CODE XREF: MiTradePage(x,x)+256j
		cmp	[ebp+var_1C], 0
		mov	ebx, [ebp+var_C]
		jnz	short loc_4B68FB
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	MiUnlinkFreeOrZeroedPage
		test	eax, eax
		jz	loc_4B6A2D

loc_4B68FB:				; CODE XREF: MiTradePage(x,x)+586j
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		push	0
		mov	[ebp+var_14], 1
		call	_MiAddMdlPageToTradeBlock@12 ; MiAddMdlPageToTradeBlock(x,x,x)
		jmp	loc_4B6A36
; 

loc_4B6913:				; CODE XREF: MiTradePage(x,x)+3E6j
		cmp	[ebp+var_1C], 0
		jz	short loc_4B6920
		mov	ecx, esi
		call	_MiLockAndInsertPageInFreeList@4 ; MiLockAndInsertPageInFreeList(x)

loc_4B6920:				; CODE XREF: MiTradePage(x,x)+5B7j
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_14], 1
		push	1

loc_4B692F:				; CODE XREF: MiTradePage(x,x)+61Cj
					; MiTradePage(x,x)+649j
		call	_MiAddMdlPageToTradeBlock@12 ; MiAddMdlPageToTradeBlock(x,x,x)

loc_4B6934:				; CODE XREF: MiTradePage(x,x)+3EFj
					; MiTradePage(x,x)+515j ...
		mov	edi, [ebp+var_8]

loc_4B6937:				; CODE XREF: MiTradePage(x,x)+30Dj
					; MiTradePage(x,x)+48Ej ...
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+var_14]
		mov	[edi+18h], ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B6947:				; CODE XREF: MiTradePage(x,x)+51Ej
		mov	edi, [ebp+var_8]

loc_4B694A:				; CODE XREF: MiTradePage(x,x)+47Bj
		mov	eax, ds:_ZeroPte
		lea	ecx, [esi+8]
		mov	[ecx], eax
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		cmp	[ebp+var_1C], 0
		jz	short loc_4B697E
		mov	ecx, esi
		call	_MiLockAndInsertPageInFreeList@4 ; MiLockAndInsertPageInFreeList(x)
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		mov	[ebp+var_14], 1
		push	1
		jmp	short loc_4B692F
; 

loc_4B697E:				; CODE XREF: MiTradePage(x,x)+605j
		mov	[ebp+var_4C], 0
		lea	eax, [ebp+var_4C]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	edx, ds:_KiTbFlushTimeStamp
		push	ecx
		mov	ecx, esi
		call	_MiSetPfnTbFlushStamp@12 ; MiSetPfnTbFlushStamp(x,x,x)
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		mov	[ebp+var_14], 1
		push	1
		jmp	short loc_4B692F
; 

loc_4B69AB:				; CODE XREF: MiTradePage(x,x)+4B7j
		mov	edi, [ebp+var_8]
		mov	[edi+1Ch], eax
		jmp	loc_4B6A39
; 

loc_4B69B6:				; CODE XREF: MiTradePage(x,x)+340j
		cmp	word ptr [esi+14h], 0
		jnz	short loc_4B6A36
		mov	ecx, esi
		call	_MiReuseStandbyPage@4 ;	MiReuseStandbyPage(x)
		test	eax, eax
		jz	short loc_4B6A2D
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		push	1
		mov	[ebp+var_14], 1
		call	_MiAddMdlPageToTradeBlock@12 ; MiAddMdlPageToTradeBlock(x,x,x)
		jmp	short loc_4B6A36
; 

loc_4B69DE:				; CODE XREF: MiTradePage(x,x)+100j
		mov	ecx, offset _MiSystemPartition
		call	_MiPfnLargeBitSet@8 ; MiPfnLargeBitSet(x,x)
		mov	esi, eax
		mov	ecx, 7FFFFFFFh
		mov	eax, [ebp+var_38]
		lock and [eax],	ecx
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	esi, 0FFFFFFFFh
		jz	loc_4B6934
		mov	eax, ds:_MiLargePageSizes[esi*4]
		mov	ecx, [ebp+var_20]
		mov	[edi+1Ch], eax
		mov	edi, [ebp+var_8]
		mov	eax, [ebp+var_14]
		mov	[edi+18h], ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B6A23:				; CODE XREF: MiTradePage(x,x)+349j
		mov	ecx, 7FFFFFFFh

loc_4B6A28:				; CODE XREF: MiTradePage(x,x)+D8j
					; MiTradePage(x,x)+446j
		mov	edi, [ebp+var_8]
		jmp	short loc_4B6A3E
; 

loc_4B6A2D:				; CODE XREF: MiTradePage(x,x)+595j
					; MiTradePage(x,x)+666j
		xor	edx, edx
		mov	ecx, esi
		call	_MiReturnFreeZeroPage@8	; MiReturnFreeZeroPage(x,x)

loc_4B6A36:				; CODE XREF: MiTradePage(x,x)+F3j
					; MiTradePage(x,x)+15Cj ...
		mov	edi, [ebp+var_8]

loc_4B6A39:				; CODE XREF: MiTradePage(x,x)+651j
		mov	ecx, 7FFFFFFFh

loc_4B6A3E:				; CODE XREF: MiTradePage(x,x)+548j
					; MiTradePage(x,x)+6CBj
		mov	dl, [ebp+var_1]
		cmp	dl, 21h
		jz	loc_4B6937
		mov	eax, [ebp+var_38]
		lock and [eax],	ecx
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+var_14]
		mov	[edi+18h], ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiTradePage@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiIsPfnFromSlabAllocation(x)
_MiIsPfnFromSlabAllocation@4 proc near	; CODE XREF: MiFreeSmallPageFromMdl(x,x)+4Ap
					; .text:004789B6p ...
		cmp	byte_6D5872, 0
		jz	short loc_4B6AAB
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		mov	eax, dword_6D5BBC
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		shr	ecx, 9
		mov	edx, ecx
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jnz	short loc_4B6AAE

loc_4B6AAB:				; CODE XREF: MiIsPfnFromSlabAllocation(x)+7j
		xor	eax, eax
		retn
; 

loc_4B6AAE:				; CODE XREF: MiIsPfnFromSlabAllocation(x)+39j
		mov	eax, 1
		retn
_MiIsPfnFromSlabAllocation@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFindContiguousPages(x, x,	x, x, x, x, x, x, x, x,	x)
_MiFindContiguousPages@44 proc near	; CODE XREF: .text:00449082p
					; MiAllocateContiguousMemory+1C3p ...

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= byte ptr -64h
var_63		= word ptr -63h
var_61		= byte ptr -61h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		mov	eax, [ebp+arg_1C]
		mov	[esp+0B4h+var_A0], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+0B4h+var_A8], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+0B4h+var_88], eax
		mov	eax, [ebp+arg_18]
		push	ebx
		push	esi
		mov	[esp+0BCh+var_B0], eax
		mov	esi, edx
		mov	eax, [ebp+arg_20]
		mov	edx, [ebp+arg_10]
		push	edi
		mov	[esp+0C0h+var_54], eax
		mov	edi, ecx
		xor	eax, eax
		mov	[esp+0C0h+var_AC], edi
		mov	[esp+0C0h+var_90], edx
		mov	[esp+0C0h+var_50], eax
		mov	[esp+0C0h+var_4C], eax
		mov	[esp+0C0h+var_48], eax
		mov	[esp+0C0h+var_44], eax
		mov	[esp+0C0h+var_7C], eax
		mov	[esp+0C0h+var_78], eax
		mov	[esp+0C0h+var_63], ax
		mov	[esp+0C0h+var_61], al
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 2
		jbe	short loc_4B6B5D
		mov	eax, 0C00000BBh
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+0B4h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_4B6B5D:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+7Fj
		movzx	eax, ds:_KeNumberNodes
		mov	ecx, [esp+0C0h+var_90]
		cmp	ecx, eax
		jnb	short loc_4B6BA4
		mov	eax, [edi+10h]
		lea	ecx, [ecx+ecx*4]
		shl	ecx, 7
		cmp	dword ptr [ecx+eax+1DCh], 0
		jnz	short loc_4B6BA4
		cmp	_InitializationPhase, 0
		jz	short loc_4B6BA4
		mov	eax, 0C0000017h
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+0B4h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_4B6BA4:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+AAj
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+BDj ...
		mov	edx, [esp+0C0h+var_B0]
		cmp	bl, 2
		jnz	short loc_4B6BB4
		or	edx, 8
		mov	[esp+0C0h+var_B0], edx

loc_4B6BB4:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+EBj
		test	edx, 20000000h
		jnz	short loc_4B6BEF
		mov	edx, [esp+0C0h+var_A8]
		mov	ecx, edi
		push	2
		push	0
		call	MiAcquireNonPagedResources
		test	eax, eax
		jns	short loc_4B6BEB
		mov	eax, 0C000009Ah
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+0B4h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_4B6BEB:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+10Dj
		mov	edx, [esp+0C0h+var_B0]

loc_4B6BEF:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+FAj
		mov	eax, [esp+0C0h+var_A0]
		mov	ecx, [esp+0C0h+var_A8]
		test	eax, eax
		jz	short loc_4B6C05
		mov	eax, [eax+14h]
		shr	eax, 0Ch
		add	eax, ecx
		jmp	short loc_4B6C07
; 

loc_4B6C05:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+139j
		xor	eax, eax

loc_4B6C07:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+143j
		mov	[esp+0C0h+var_5C], eax
		test	dl, 40h
		jz	loc_4B6CF5
		cmp	esi, 100000h
		jnz	short loc_4B6C26
		or	edx, 8000h
		mov	[esp+0C0h+var_B0], edx

loc_4B6C26:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+15Aj
		mov	esi, [esp+0C0h+var_A8]
		xor	eax, eax
		mov	[esp+0C0h+var_94], eax
		xor	ecx, ecx

loc_4B6C32:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+185j
		cmp	esi, ds:_MiLargePageSizes[eax*4]
		jz	short loc_4B6C47
		inc	eax
		mov	[esp+0C0h+var_94], eax
		mov	ecx, eax
		cmp	eax, 2
		jb	short loc_4B6C32

loc_4B6C47:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+179j
		push	[esp+0C0h+var_88]
		lea	eax, [esp+0C4h+var_94]
		push	0
		push	edx
		mov	edx, [esp+0CCh+var_90]
		push	ecx
		push	eax
		mov	ecx, edi
		call	_MiFindLargeNodePage@28	; MiFindLargeNodePage(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_4B6C6F
		mov	esi, 0C0000017h
		jmp	loc_4B7272
; 

loc_4B6C6F:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+1A3j
		mov	ecx, ebx
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		mov	eax, [esp+0C0h+var_54]
		add	edx, ecx
		mov	ecx, [esp+0C0h+var_A0]
		sar	edx, 4
		mov	esi, edx
		shr	esi, 1Fh
		add	esi, edx
		mov	[eax], esi
		test	ecx, ecx
		jz	short loc_4B6CDC
		mov	edi, [ecx+14h]
		mov	eax, edi
		add	ecx, 1Ch
		shr	eax, 0Ch
		lea	edx, [ecx+eax*4]
		mov	ecx, ebx
		call	_MiIsFreshPfnFromZeroedList@4 ;	MiIsFreshPfnFromZeroedList(x)
		mov	ecx, [esp+0C0h+var_A0]
		test	eax, eax
		jnz	short loc_4B6CBC
		mov	dword ptr [ecx+0Ch], 1

loc_4B6CBC:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+1F3j
		mov	ebx, [esp+0C0h+var_A8]
		test	ebx, ebx
		jz	short loc_4B6CD4
		mov	eax, ebx

loc_4B6CC6:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+20Fj
		mov	[edx], esi
		lea	edx, [edx+4]
		inc	esi
		sub	eax, 1
		jnz	short loc_4B6CC6
		mov	edi, [ecx+14h]

loc_4B6CD4:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+202j
		shl	ebx, 0Ch
		add	ebx, edi
		mov	[ecx+14h], ebx

loc_4B6CDC:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+1D6j
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+0B4h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_4B6CF5:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+14Ej
		test	byte ptr [edi+4], 20h
		jnz	short loc_4B6D1A
		lea	edx, [ecx+0A0h]
		mov	ecx, edi
		call	MiSufficientAvailablePages
		test	eax, eax
		jnz	short loc_4B6D16
		mov	esi, 0C000009Ah
		jmp	loc_4B7272
; 

loc_4B6D16:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+24Aj
		mov	edx, [esp+0C0h+var_B0]

loc_4B6D1A:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+239j
		mov	eax, edx
		and	eax, 10000000h
		mov	[esp+0C0h+var_3C], eax
		jnz	short loc_4B6D52
		mov	ecx, [esp+0C0h+var_A8]
		lea	eax, [esp+0C0h+var_50]
		push	eax
		mov	edx, 40h
		call	MiCreatePteCopyList
		cmp	[esp+0C0h+var_4C], 0
		jnz	short loc_4B6D4E
		mov	esi, 0C000009Ah
		jmp	loc_4B7289
; 

loc_4B6D4E:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+282j
		mov	edx, [esp+0C0h+var_B0]

loc_4B6D52:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+268j
		xor	eax, eax
		mov	[esp+0C0h+var_9C], eax
		mov	eax, edx
		and	eax, 0B000008h
		cmp	eax, 8000000h
		jnz	short loc_4B6D7C
		cmp	_InitializationPhase, 0
		jz	short loc_4B6D7C
		cmp	bl, 2
		jz	short loc_4B6D7C
		mov	[esp+0C0h+var_9C], 1

loc_4B6D7C:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+2A4j
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+2ADj ...
		movzx	eax, ds:_KeNumberNodes
		mov	ecx, [esp+0C0h+var_90]
		cmp	ecx, eax
		jb	short loc_4B6D95
		or	ecx, 80000000h
		mov	[esp+0C0h+var_90], ecx

loc_4B6D95:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+2C9j
		mov	ebx, edi
		mov	edx, 1
		mov	ecx, ebx
		call	MiReferencePageRuns
		mov	[esp+0C0h+var_98], eax
		or	edi, 0FFFFFFFFh
		mov	[esp+0C0h+var_58], 0
		mov	[esp+0C0h+var_74], esi
		mov	ecx, [eax]
		add	eax, 8
		jmp	short loc_4B6DC0
; 
		align 10h

loc_4B6DC0:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+2FBj
		lea	ecx, [eax+ecx*8]
		mov	eax, [esp+0C0h+var_A8]
		mov	[esp+0C0h+var_40], ecx
		mov	ecx, [ebp+arg_4]
		mov	[esp+0C0h+var_68], eax
		mov	eax, [esp+0C0h+var_B0]
		lea	edx, [ecx-1]
		and	edx, ecx
		neg	edx
		sbb	edx, edx
		not	edx
		and	edx, ecx
		and	eax, 2000h
		mov	[esp+0C0h+var_2C], eax
		setnz	[esp+0C0h+var_64]
		mov	[esp+0C0h+var_6C], edx
		xor	eax, eax
		mov	[esp+0C0h+var_80], eax
		mov	edx, [esp+0C0h+var_98]
		xor	ecx, ecx
		mov	[esp+0C0h+var_A4], ecx
		jmp	short loc_4B6E14
; 
		align 10h

loc_4B6E10:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+5BBj
		mov	ebx, [esp+0C0h+var_AC]

loc_4B6E14:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+34Bj
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+5E3j ...
		mov	eax, [ebp+arg_0]
		mov	[esp+0C0h+var_70], eax
		mov	eax, [edx]
		test	eax, eax
		jz	loc_4B706B
		lea	ecx, ds:0Ch[eax*8]
		add	ecx, edx
		mov	edi, edi

loc_4B6E30:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+59Ej
		mov	edx, [esp+0C0h+var_40]
		dec	eax
		sub	ecx, 8
		mov	[esp+0C0h+var_34], eax
		mov	[esp+0C0h+var_30], ecx
		mov	esi, [edx+eax*8]
		mov	edx, [edx+eax*8+4]
		mov	eax, [ecx-4]
		mov	ecx, [ecx]
		add	ecx, eax
		mov	[esp+0C0h+var_7C], eax
		mov	[esp+0C0h+var_78], ecx
		cmp	[esp+0C0h+var_74], ecx
		jnb	loc_4B7063
		mov	eax, [esp+0C0h+var_90]
		test	eax, eax
		js	short loc_4B6E79
		cmp	esi, eax
		jnz	loc_4B7048

loc_4B6E79:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+3AFj
		mov	ecx, [esp+0C0h+var_A4]
		test	ecx, ecx
		jz	short loc_4B6E8C
		movzx	eax, byte ptr [ecx]
		cmp	edx, eax
		jnz	loc_4B704C

loc_4B6E8C:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+3BFj
		lea	ecx, [esp+0C0h+var_7C]
		call	MiCollapseRunTopDown
		test	eax, eax
		jz	loc_4B7048
		lea	ecx, [esi+esi*4]
		shl	ecx, 7
		mov	[esp+0C0h+var_38], ecx
		lea	ebx, [ebx+0]

loc_4B6EB0:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+582j
		mov	eax, [ebx+10h]
		cmp	dword ptr [ecx+eax+1DCh], 0
		jnz	short loc_4B6ECA
		cmp	_InitializationPhase, 0
		jnz	loc_4B7048

loc_4B6ECA:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+3FBj
		cmp	[esp+0C0h+var_64], 1
		mov	edx, [esp+0C0h+var_68]
		mov	ecx, edx
		mov	ebx, [esp+0C0h+var_78]
		mov	[esp+0C0h+var_60], 0
		mov	[esp+0C0h+var_94], ecx
		jnz	short loc_4B6EF7
		mov	eax, ebx
		sub	eax, [esp+0C0h+var_7C]
		cmp	ecx, eax
		jbe	short loc_4B6EF7
		mov	ecx, eax
		mov	[esp+0C0h+var_94], eax

loc_4B6EF7:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+425j
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+42Fj
		mov	eax, ebx
		sub	eax, ecx
		mov	[esp+0C0h+var_84], eax
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		cmp	[esp+0C0h+var_64], 1
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		mov	[esp+0C0h+var_8C], eax
		jz	short loc_4B6F46
		lea	ecx, [esp+0C0h+var_60]
		push	ecx
		push	[esp+0C4h+var_B0]
		mov	ecx, [esp+0C8h+var_AC]
		push	edx
		mov	edx, eax
		call	_MiPfnsWorthTrying@20 ;	MiPfnsWorthTrying(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_4B7004
		cmp	[esp+0C0h+var_60], 1
		jnz	short loc_4B6F46
		call	MiEmptyKernelStackCache

loc_4B6F46:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+459j
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+47Fj
		mov	eax, [esp+0C0h+var_A0]
		mov	edx, [esp+0C0h+var_84]
		mov	ecx, [esp+0C0h+var_AC]
		push	0
		push	[esp+0C4h+var_88]
		push	eax
		push	0FFFFFFFFh
		push	[esp+0D0h+var_B0]
		lea	eax, [esp+0D4h+var_50]
		push	eax
		push	[esp+0D8h+var_70]
		push	[esp+0DCh+var_94]
		call	MiClaimPhysicalRun
		mov	esi, eax
		mov	eax, [esp+0C0h+var_A0]
		test	eax, eax
		jz	short loc_4B6F98
		mov	ecx, [eax+14h]
		mov	eax, [esp+0C0h+var_5C]
		shr	ecx, 0Ch
		cmp	ecx, eax
		jz	loc_4B7184
		sub	eax, ecx
		mov	[esp+0C0h+var_68], eax
		jmp	short loc_4B6FA0
; 

loc_4B6F98:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+4BCj
		test	esi, esi
		jz	loc_4B7184

loc_4B6FA0:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+4D6j
		cmp	[esp+0C0h+var_AC], offset _MiSystemPartition
		jnz	short loc_4B7004
		mov	ecx, [esp+0C0h+var_8C]
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jz	short loc_4B6FFC
		call	_MiLockPage@4	; MiLockPage(x)
		mov	ecx, [esp+0C0h+var_8C]
		mov	dl, al
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jz	short loc_4B6FED
		cmp	[esp+0C0h+var_3C], 0
		jz	short loc_4B6FF5
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	ecx, [esp+0C0h+var_A4]
		xor	eax, eax
		mov	edx, [esp+0C0h+var_98]
		mov	[esp+0C0h+var_9C], eax
		jmp	loc_4B706F
; 

loc_4B6FED:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+509j
		mov	[esp+0C0h+var_80], 1

loc_4B6FF5:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+513j
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		jmp	short loc_4B7004
; 

loc_4B6FFC:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+4F5j
		mov	[esp+0C0h+var_80], 1

loc_4B7004:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+474j
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+4E8j ...
		mov	eax, ebx
		sub	eax, [esp+0C0h+var_7C]
		cmp	esi, eax
		jnb	short loc_4B701D
		cmp	[esp+0C0h+var_64], 0
		jnz	short loc_4B7026
		sub	eax, esi
		cmp	eax, [esp+0C0h+var_94]
		jnb	short loc_4B7026

loc_4B701D:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+54Cj
		mov	eax, ebx
		sub	eax, esi
		dec	eax
		mov	[esp+0C0h+var_70], eax

loc_4B7026:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+553j
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+55Bj
		sub	ebx, esi
		lea	ecx, [esp+0C0h+var_7C]
		mov	[esp+0C0h+var_78], ebx
		call	MiCollapseRunTopDown
		mov	ebx, [esp+0C0h+var_AC]
		mov	ecx, [esp+0C0h+var_38]
		test	eax, eax
		jnz	loc_4B6EB0

loc_4B7048:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+3B3j
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+3D7j ...
		mov	ecx, [esp+0C0h+var_A4]

loc_4B704C:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+3C6j
		mov	eax, [esp+0C0h+var_34]
		test	eax, eax
		jz	short loc_4B7067
		mov	ecx, [esp+0C0h+var_30]
		jmp	loc_4B6E30
; 

loc_4B7063:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+3A3j
		mov	ecx, [esp+0C0h+var_A4]

loc_4B7067:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+595j
		mov	edx, [esp+0C0h+var_98]

loc_4B706B:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+35Fj
		mov	eax, [esp+0C0h+var_9C]

loc_4B706F:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+528j
		test	ecx, ecx
		jz	short loc_4B70A8
		inc	ecx
		mov	[esp+0C0h+var_A4], ecx
		cmp	ecx, 1
		jb	loc_4B6E10
		cmp	edi, 0FFFFFFFFh
		jz	short loc_4B70A8
		mov	ecx, [esp+0C0h+var_58]
		add	ecx, 4
		mov	[esp+0C0h+var_58], ecx
		jz	short loc_4B70A8
		mov	edi, [ecx]
		xor	ecx, ecx
		mov	ebx, [esp+0C0h+var_AC]
		mov	edx, [esp+0C0h+var_98]
		mov	[esp+0C0h+var_A4], ecx
		jmp	loc_4B6E14
; 

loc_4B70A8:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+5B1j
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+5C4j ...
		test	eax, eax
		jz	loc_4B725B
		cmp	[esp+0C0h+var_80], 1
		jnz	loc_4B725B
		test	dword ptr ds:byte_70EFC4, 100000h
		jz	loc_4B7153
		mov	eax, large fs:124h
		xor	ecx, ecx
		push	(offset	off_401A00+2)
		push	271h
		push	20100000h
		mov	eax, [eax+2B0h]
		mov	edx, 1
		mov	[esp+0CCh+var_28], eax
		mov	eax, [esp+0CCh+var_A8]
		shld	ecx, eax, 0Ch
		mov	[esp+0CCh+var_24], 0
		shl	eax, 0Ch
		mov	[esp+0CCh+var_20], eax
		lea	eax, [esp+0CCh+var_28]
		mov	[esp+0CCh+var_1C], ecx
		lea	ecx, [esp+0CCh+var_18]
		mov	[esp+0CCh+var_18], eax
		mov	[esp+0CCh+var_14], 0
		mov	[esp+0CCh+var_10], 10h
		mov	[esp+0CCh+var_C], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_4B7153:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+605j
		cmp	byte_6D35B0, 0
		mov	ebx, [esp+0C0h+var_AC]
		jz	short loc_4B716C
		mov	edx, 20h
		mov	ecx, ebx
		call	MiQueueWorkingSetRequest

loc_4B716C:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+69Ej
		mov	edx, [esp+0C0h+var_98]
		xor	eax, eax
		or	edi, 0FFFFFFFFh
		mov	[esp+0C0h+var_9C], eax
		xor	ecx, ecx
		mov	[esp+0C0h+var_A4], ecx
		jmp	loc_4B6E14
; 

loc_4B7184:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+4CAj
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+4DAj
		mov	ecx, [esp+0C0h+var_98]
		mov	edx, 1
		call	MiDereferencePageRunsEx
		mov	eax, [esp+0C0h+var_4C]
		test	eax, eax
		jz	short loc_4B71A9
		mov	edx, [esp+0C0h+var_44]
		mov	ecx, offset dword_6D35E0
		push	eax
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_4B71A9:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+6D8j
		cmp	[esp+0C4h+var_30], 0
		mov	ebx, [esp+0C4h+var_88]
		mov	esi, [esp+0C4h+var_AC]
		jnz	short loc_4B71F6
		lea	edx, [ebx+1FFh]
		lea	eax, [esi+ebx]
		and	edx, 0FFFFFE00h
		and	eax, 0FFFFFE00h
		cmp	edx, eax
		jnb	short loc_4B71E3
		mov	ecx, [esp+0C4h+var_B0]
		sub	eax, edx
		push	1
		push	1
		push	eax
		call	MiUpdateLargePageBitMap

loc_4B71E3:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+711j
		push	[esp+0C4h+var_8C]
		mov	edi, [esp+0C8h+var_90]
		mov	edx, esi
		mov	ecx, edi
		call	_MiConvertContiguousPages@12 ; MiConvertContiguousPages(x,x,x)
		jmp	short loc_4B71FA
; 

loc_4B71F6:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+6F9j
		mov	edi, [esp+0C4h+var_90]

loc_4B71FA:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+734j
		test	[esp+0C4h+var_B4], 40000000h
		jnz	short loc_4B723C
		mov	ebx, [esp+0C4h+var_B4]
		lea	eax, ds:0[esi*8]
		and	ebx, 100000h
		neg	ebx
		sbb	ebx, ebx
		neg	ebx
		inc	ebx
		sub	eax, esi
		lea	esi, [edi+eax*4]

loc_4B7221:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+776j
		push	ebx
		push	[esp+0C8h+var_8C]
		xor	edx, edx
		mov	ecx, edi
		push	0FFFFFFF8h
		call	_MiSetPfnOwnedAndActive@20 ; MiSetPfnOwnedAndActive(x,x,x,x,x)
		add	edi, 1Ch
		cmp	edi, esi
		jnz	short loc_4B7221
		mov	ebx, [esp+0C4h+var_88]

loc_4B723C:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+742j
		mov	eax, [esp+0C4h+var_58]
		mov	[eax], ebx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+0B8h+var_8]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_4B725B:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+5EAj
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+5F5j
		mov	ecx, [esp+0C0h+var_98]
		mov	edx, 1
		mov	esi, 0C0000017h
		call	MiDereferencePageRunsEx
		mov	edi, [esp+0C0h+var_AC]

loc_4B7272:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+1AAj
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+251j
		mov	eax, [esp+0C0h+var_4C]
		test	eax, eax
		jz	short loc_4B7289
		mov	edx, [esp+0C0h+var_44]
		mov	ecx, offset dword_6D35E0
		push	eax
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_4B7289:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+289j
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+7B8j
		test	[esp+0C4h+var_B4], 20000000h
		jnz	short loc_4B72B7
		mov	edx, [esp+0C4h+var_AC]
		mov	ecx, edi
		call	MiReturnCommit
		mov	edx, [esp+0C4h+var_AC]
		mov	ecx, edi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_4B72B7
		lea	ecx, [edi+1000h]
		lock xadd [ecx], eax

loc_4B72B7:				; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+7D1j
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+7EBj
		mov	ecx, [esp+0C4h+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	24h
_MiFindContiguousPages@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCollapseRunTopDown proc near		; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+3D0p
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+570p ...

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C2D3F SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ecx+0Ch]
		sub	esp, 8
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+4]
		lea	eax, [edi-1]
		cmp	eax, edx
		ja	short loc_4B733C

loc_4B72E8:				; CODE XREF: MiCollapseRunTopDown+72j
		mov	esi, [ecx]
		mov	eax, [ecx+8]
		cmp	esi, eax
		jb	short loc_4B7348

loc_4B72F1:				; CODE XREF: MiCollapseRunTopDown+7Cj
		cmp	esi, edi
		jnb	short loc_4B7344
		mov	al, [ecx+18h]
		mov	[ebp+var_1], al
		jmp	short loc_4B7300
; 
		align 10h

loc_4B7300:				; CODE XREF: MiCollapseRunTopDown+2Bj
					; MiCollapseRunTopDown+10BA9Ej
		test	al, al
		jnz	short loc_4B730D
		mov	eax, edi
		sub	eax, esi
		cmp	[ecx+14h], eax
		ja	short loc_4B7344

loc_4B730D:				; CODE XREF: MiCollapseRunTopDown+32j
		mov	ebx, [ecx+10h]
		test	ebx, ebx
		jnz	short loc_4B7320

loc_4B7314:				; CODE XREF: MiCollapseRunTopDown+65j
		mov	eax, 1

loc_4B7319:				; CODE XREF: MiCollapseRunTopDown+76j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B7320:				; CODE XREF: MiCollapseRunTopDown+42j
		lea	eax, [ebx-1]
		mov	edx, edi
		sub	edx, [ecx+14h]
		not	eax
		mov	[ebp+var_8], eax
		lea	eax, [edi-1]
		xor	edx, eax
		test	[ebp+var_8], edx
		jz	short loc_4B7314
		jmp	loc_5C2D3F
; 

loc_4B733C:				; CODE XREF: MiCollapseRunTopDown+16j
		lea	edi, [edx+1]
		mov	[ecx+4], edi
		jmp	short loc_4B72E8
; 

loc_4B7344:				; CODE XREF: MiCollapseRunTopDown+23j
					; MiCollapseRunTopDown+3Bj ...
		xor	eax, eax
		jmp	short loc_4B7319
; 

loc_4B7348:				; CODE XREF: MiCollapseRunTopDown+1Fj
		mov	[ecx], eax
		mov	esi, eax
		jmp	short loc_4B72F1
MiCollapseRunTopDown endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPfnsWorthTrying(x, x, x, x, x)
_MiPfnsWorthTrying@20 proc near		; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+46Bp
					; MiFindRebuildCandidate(x,x,x,x,x,x)+CDp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ecx
		mov	[ebp+var_8], 0FFFFFFFFh
		mov	[ebp+var_C], eax
		push	ebx
		push	esi
		movzx	ecx, word ptr [eax]
		mov	esi, edx
		mov	eax, [ebp+arg_8]
		push	edi
		mov	[ebp+var_14], ecx
		mov	dword ptr [eax], 0
		mov	eax, [ebp+arg_0]
		lea	edx, ds:0[eax*8]
		sub	edx, eax
		lea	edi, [esi+edx*4]
		mov	[ebp+arg_0], edi
		cmp	esi, edi
		jnb	loc_4B783F
		mov	eax, [ebp+arg_4]

loc_4B7395:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+39Aj
		xor	edx, edx
		cmp	dx, cx
		jnz	loc_4B77D7
		movzx	edi, byte ptr [esi+16h]
		or	ebx, 0FFFFFFFFh
		and	edi, 7
		test	dword ptr [esi+18h], 800000h
		mov	[ebp+var_4], edi
		jz	short loc_4B740A
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], edx
		push	eax
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_MiGetPfnPageSizeIndexUnsynchronized@12	; MiGetPfnPageSizeIndexUnsynchronized(x,x,x)
		mov	ebx, eax
		cmp	ebx, 0FFFFFFFFh
		jz	loc_4B76D6
		mov	eax, ds:_MiLargePageSizes[ebx*4]
		mov	ecx, esi
		mov	edi, [ebp+var_4]
		mov	[ebp+var_10], eax
		mov	eax, ds:_MmPfnDatabase
		sub	ecx, eax
		mov	[ebp+var_18], eax
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	edi, 6
		jz	loc_4B76EF
		mov	eax, [ebp+arg_4]

loc_4B740A:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+64j
		cmp	edi, 5
		jnz	short loc_4B7489
		mov	ecx, esi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	loc_4B7548
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_4B749B
		test	byte ptr [esi],	1
		jnz	loc_4B76D6
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		xor	eax, eax
		jmp	short loc_4B7450
; 
		align 10h

loc_4B7450:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+F7j
					; MiPfnsWorthTrying(x,x,x,x,x)+112j
		cmp	ecx, dword_6D3518[eax]
		jz	loc_4B7548
		add	eax, 4
		cmp	eax, 8
		jb	short loc_4B7450
		xor	eax, eax
		jmp	short loc_4B7470
; 
		align 10h

loc_4B7470:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+116j
					; MiPfnsWorthTrying(x,x,x,x,x)+132j
		cmp	ecx, dword_6D3510[eax]
		jz	loc_4B7548
		add	eax, 4
		cmp	eax, 8
		jb	short loc_4B7470
		jmp	loc_4B76D6
; 

loc_4B7489:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+BDj
		cmp	edi, 1
		jg	loc_4B752A
		cmp	ebx, 0FFFFFFFFh
		jz	loc_4B76D9

loc_4B749B:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+D1j
		mov	eax, ds:_MmPfnDatabase
		mov	ecx, esi
		mov	edi, ds:_MiLargePageSizes[ebx*4]
		sub	ecx, eax
		mov	[ebp+var_18], eax
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	[ebp+var_4], eax
		xor	eax, eax
		cmp	edi, 200h
		jb	short loc_4B74D9
		mov	eax, [ebp+arg_4]
		shr	eax, 19h
		and	eax, 1
		jmp	short loc_4B74E7
; 

loc_4B74D9:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+17Cj
		test	[ebp+arg_4], 1000000h
		jz	short loc_4B74E7
		mov	eax, 1

loc_4B74E7:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+187j
					; MiPfnsWorthTrying(x,x,x,x,x)+190j
		lea	ecx, [edi-1]
		cmp	eax, 1
		jz	loc_4B7726
		and	ecx, [ebp+var_4]
		mov	eax, 92492493h
		sub	edi, ecx
		mov	ecx, [ebp+arg_0]
		sub	ecx, esi
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	edi, eax
		jbe	short loc_4B7516
		mov	edi, eax

loc_4B7516:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+1C2j
		lea	eax, ds:0[edi*8]
		sub	eax, edi
		lea	esi, [esi+eax*4]
		add	esi, 0FFFFFFE4h
		jmp	loc_4B76D6
; 

loc_4B752A:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+13Cj
		mov	cl, [esi+17h]
		mov	[ebp+var_4], 0
		test	cl, cl
		jns	short loc_4B7585
		cmp	edi, 2
		jnz	short loc_4B7552
		cmp	word ptr [esi+14h], 0
		jz	loc_4B76D9

loc_4B7548:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+C8j
					; MiPfnsWorthTrying(x,x,x,x,x)+106j ...
		mov	ebx, [ebp+arg_0]

loc_4B754B:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+215j
					; MiPfnsWorthTrying(x,x,x,x,x)+224j ...
		sub	ebx, esi
		jmp	loc_4B770A
; 

loc_4B7552:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+1EBj
		cmp	edi, 6
		jnz	short loc_4B7548
		test	byte ptr [esi+16h], 10h
		jnz	short loc_4B7548
		cmp	word ptr [esi+14h], 1
		mov	ebx, [ebp+arg_0]
		jnz	short loc_4B754B
		mov	eax, [esi+18h]
		and	eax, 70000000h
		cmp	eax, 20000000h
		jz	short loc_4B754B
		test	cl, 8
		jnz	short loc_4B754B
		test	byte ptr [esi],	1
		jz	short loc_4B754B
		jmp	loc_4B769C
; 

loc_4B7585:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+1E6j
		cmp	edi, 4
		jg	short loc_4B75BB
		cmp	word ptr [esi+14h], 0
		jnz	short loc_4B7548
		test	eax, 4000000h
		jnz	loc_4B76D9
		test	dword ptr [esi+18h], 800000h
		jnz	loc_4B76D9
		mov	eax, [esi+4]
		test	eax, eax
		js	loc_4B76D6
		jnz	short loc_4B7548
		jmp	loc_4B76D6
; 

loc_4B75BB:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+238j
		mov	eax, ds:_MmPfnDatabase
		mov	ecx, esi
		sub	ecx, eax
		mov	[ebp+var_18], eax
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ebx, edx
		shr	ebx, 1Fh
		add	ebx, edx
		mov	eax, ebx
		and	eax, 0FFFFFE00h
		cmp	eax, [ebp+var_8]
		jz	short loc_4B75FC
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		mov	[ebp+var_8], eax
		call	_MiPfnLargeBitSet@8 ; MiPfnLargeBitSet(x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4B775B

loc_4B75FC:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+294j
		cmp	edi, 6
		jnz	loc_4B7548
		mov	eax, [esi+18h]
		mov	ecx, [ebp+arg_4]
		and	eax, 70000000h
		cmp	eax, 20000000h
		jnz	short loc_4B7650
		test	cl, 8
		jnz	loc_4B7548
		mov	eax, [esi]
		test	eax, 1FFFFFFEh
		jz	short loc_4B7642
		and	eax, 0FFFFFFFEh
		or	eax, 0E0000000h
		shl	eax, 2
		cmp	eax, 0FFFFFFF0h
		jz	loc_4B7548
		jmp	loc_4B76D6
; 

loc_4B7642:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+2D7j
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 1
		jmp	loc_4B76D6
; 

loc_4B7650:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+2C5j
		test	ecx, 800000h
		jz	short loc_4B7699
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4B7679
		mov	eax, [esi+10h]
		mov	ebx, [ebp+arg_0]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		ja	loc_4B754B
		jmp	short loc_4B769C
; 

loc_4B7679:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+311j
		mov	eax, ebx
		and	eax, 0FFFFFFF0h
		cmp	ebx, eax
		mov	ebx, [ebp+arg_0]
		jnz	short loc_4B769C
		mov	eax, ebx
		sub	eax, esi
		cmp	eax, 1C0h
		jl	short loc_4B769C
		mov	[ebp+var_4], 1
		jmp	short loc_4B769C
; 

loc_4B7699:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+306j
		mov	ebx, [ebp+arg_0]

loc_4B769C:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+230j
					; MiPfnsWorthTrying(x,x,x,x,x)+327j ...
		push	ecx
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		push	0
		call	_MiActivePageClaimCandidate@16 ; MiActivePageClaimCandidate(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_4B7796
		mov	eax, [ebp+arg_4]
		test	al, 8
		jnz	loc_4B754B
		cmp	[ebp+var_4], 1
		jnz	short loc_4B76D9
		xor	edx, edx
		mov	ecx, esi
		call	_MiClusterVadFull@8 ; MiClusterVadFull(x,x)
		cmp	eax, 1
		jz	loc_4B754B

loc_4B76D6:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+7Cj
					; MiPfnsWorthTrying(x,x,x,x,x)+D6j ...
		mov	eax, [ebp+arg_4]

loc_4B76D9:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+145j
					; MiPfnsWorthTrying(x,x,x,x,x)+1F2j ...
		mov	edi, [ebp+arg_0]
		add	esi, 1Ch
		cmp	esi, edi
		jnb	loc_4B783F
		mov	ecx, [ebp+var_14]
		jmp	loc_4B7395
; 

loc_4B76EF:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+B1j
		mov	edx, [ebp+var_10]
		mov	ebx, [ebp+arg_0]
		neg	edx
		and	edx, eax
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		shl	ecx, 2
		sub	ebx, ecx
		sub	ebx, [ebp+var_18]

loc_4B770A:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+1FDj
		mov	eax, 92492493h
		imul	ebx
		add	edx, ebx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B7726:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+19Dj
		mov	ebx, [ebp+arg_0]
		not	ecx
		and	ecx, [ebp+var_4]
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		shl	eax, 2
		sub	ebx, eax
		mov	eax, 92492493h
		sub	ebx, [ebp+var_18]
		imul	ebx
		add	edx, ebx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B775B:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+2A6j
		mov	ecx, ds:_MiLargePageSizes[eax*4]
		neg	ecx
		and	ecx, ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		shl	eax, 2
		sub	ebx, eax
		mov	eax, 92492493h
		sub	ebx, [ebp+var_18]
		imul	ebx
		add	edx, ebx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B7796:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+35Dj
		sub	esi, ds:_MmPfnDatabase
		mov	eax, 92492493h
		sub	ebx, ds:_MmPfnDatabase
		neg	edi
		imul	esi
		mov	eax, 92492493h
		add	edx, esi
		sar	edx, 4
		mov	esi, edx
		shr	esi, 1Fh
		add	esi, edx
		imul	ebx
		and	esi, edi
		add	edx, ebx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		sub	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B77D7:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+4Aj
		mov	eax, ds:_MmPfnDatabase
		mov	ecx, esi
		sub	ecx, eax
		mov	[ebp+arg_4], eax
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		mov	ecx, offset _MiSystemPartition
		sar	edx, 4
		mov	ebx, edx
		shr	ebx, 1Fh
		add	ebx, edx
		mov	edx, ebx
		call	_MiPfnLargeBitSet@8 ; MiPfnLargeBitSet(x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4B7821
		mov	ecx, ds:_MiLargePageSizes[eax*4]
		neg	ecx
		and	ecx, ebx
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		mov	ecx, [ebp+arg_4]
		lea	esi, [ecx+eax*4]

loc_4B7821:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+4B5j
		sub	edi, esi
		mov	eax, 92492493h
		imul	edi
		add	edx, edi
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B783F:				; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+3Cj
					; MiPfnsWorthTrying(x,x,x,x,x)+391j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MiPfnsWorthTrying@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiActivePageClaimCandidate(x, x, x,	x)
_MiActivePageClaimCandidate@16 proc near ; CODE	XREF: MiTradePage(x,x)+4B0p
					; MiPfnsWorthTrying(x,x,x,x,x)+354p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp-14h], ecx
		mov	esi, edi
		mov	eax, 92492493h
		sub	esi, ds:_MmPfnDatabase
		imul	esi
		add	edx, esi
		mov	esi, [edi+4]
		sar	edx, 4
		or	esi, 80000000h
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		test	byte ptr [edi+17h], 8
		mov	[ebp-0Ch], eax
		jnz	loc_4B7C43
		test	dword ptr [edi+18h], 800000h
		jz	short loc_4B790D
		cmp	dword ptr [ebx+8], 1
		mov	ecx, edi
		jnz	short loc_4B78D5
		call	_MiGetBaseResidentPage@4 ; MiGetBaseResidentPage(x)
		mov	edx, eax
		mov	ecx, edx
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		mov	ecx, eax
		cmp	edx, edi
		jz	short loc_4B78F1
		lea	eax, [edx+10h]
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		jmp	short loc_4B78F1
; 

loc_4B78D5:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+62j
		lea	eax, [ebp-8]
		mov	dword ptr [ebp-4], 0
		push	eax
		lea	edx, [ebp-4]
		mov	dword ptr [ebp-8], 0
		call	_MiGetPfnPageSizeIndexUnsynchronized@12	; MiGetPfnPageSizeIndexUnsynchronized(x,x,x)
		mov	ecx, eax

loc_4B78F1:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+76j
					; MiActivePageClaimCandidate(x,x,x,x)+83j
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_4B790A
		mov	ecx, ds:_MiLargePageSizes[ecx*4]
		mov	eax, ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4B790A:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+A4j
		mov	ecx, [ebp-14h]

loc_4B790D:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+5Aj
		cmp	esi, 0C0603000h
		jb	short loc_4B7921
		cmp	esi, 0C0603018h
		jb	loc_4B7C43

loc_4B7921:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+C3j
		cmp	ecx, offset _MiSystemPartition
		jnz	loc_4B7C43
		cmp	byte ptr [ecx+0A32h], 0
		jz	short loc_4B798E
		xor	eax, eax
		add	ecx, 0B04h
		mov	[ebp-8], eax
		mov	[ebp-4], ecx

loc_4B7944:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+13Cj
		cmp	dword ptr [ecx], 0
		jz	short loc_4B797F
		mov	ecx, ds:_MiLargePageSizes[eax*4]
		xor	edx, edx
		mov	eax, [ebp-0Ch]
		div	ecx
		mov	[ebp-14h], ecx
		mov	edx, eax
		mov	eax, [ebp-4]
		mov	ecx, edx
		and	dl, 7
		shr	ecx, 3
		mov	eax, [eax+4]
		mov	al, [ecx+eax]
		mov	cl, dl
		sar	al, cl
		test	al, 1
		jnz	loc_4B7A4E
		mov	eax, [ebp-8]
		mov	ecx, [ebp-4]

loc_4B797F:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+F7j
		inc	eax
		add	ecx, 8
		mov	[ebp-8], eax
		mov	[ebp-4], ecx
		cmp	eax, 1
		jb	short loc_4B7944

loc_4B798E:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+E4j
					; MiActivePageClaimCandidate(x,x,x,x)+202j
		cmp	byte_6D5872, 0
		jz	short loc_4B79CF
		mov	ecx, edi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		mov	eax, dword_6D5BBC
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		shr	ecx, 9
		mov	edx, ecx
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jnz	loc_4B7C43

loc_4B79CF:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+145j
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_4B7A68
		mov	ecx, [edi+10h]
		test	ecx, 40000000h
		jnz	loc_4B7C43
		cmp	esi, dword_6D0610
		jz	loc_4B7C43
		cmp	esi, dword_6D0614
		jz	loc_4B7C43
		movzx	eax, word ptr [edi+14h]
		cmp	eax, 1
		ja	loc_4B7C43
		and	ecx, 3FFFFFFFh
		cmp	eax, ecx
		ja	loc_4B7C43
		test	byte ptr [edi],	1
		jz	loc_4B7C43
		test	dword ptr [edi+18h], 800000h
		jnz	short loc_4B7A3F
		mov	eax, [edi+4]
		test	eax, eax
		js	short loc_4B7A3F
		jnz	loc_4B7C43

loc_4B7A3F:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+1E0j
					; MiActivePageClaimCandidate(x,x,x,x)+1E7j ...
		xor	ecx, ecx
		mov	eax, ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4B7A4E:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+123j
		cmp	dword ptr [ebp-8], 0FFFFFFFFh
		jz	loc_4B798E
		mov	ecx, [ebp-14h]
		mov	eax, ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4B7A68:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+188j
		cmp	esi, 0FFFFFFF8h
		jz	loc_4B7C43
		mov	ecx, esi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 5
		jz	loc_4B7C43
		mov	ecx, [edi+18h]
		mov	eax, ecx
		and	eax, 70000000h
		cmp	eax, 10000000h
		jz	loc_4B7C43
		and	ecx, offset loc_7FFFFF
		mov	[ebp-14h], ecx
		cmp	ecx, 7FFFFDh
		jz	loc_4B7C43
		lea	eax, [esi+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	loc_4B7C43
		mov	eax, esi
		shl	eax, 9
		test	byte ptr [edi],	1
		mov	[ebp-4], eax
		jnz	loc_4B7BA5
		mov	ecx, edi
		call	_MiHyperPage@4	; MiHyperPage(x)
		test	eax, eax
		jz	short loc_4B7B05
		movzx	eax, word ptr [edi+14h]
		cmp	eax, 1
		ja	loc_4B7C43
		mov	ecx, [edi+10h]
		and	ecx, 3FFFFFFFh
		cmp	eax, ecx
		ja	loc_4B7C43
		xor	ecx, ecx
		mov	eax, ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4B7B05:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+286j
		lea	edx, [ebp-14h]
		mov	ecx, edi
		call	_MiSoftwareWslePfn@8 ; MiSoftwareWslePfn(x,x)
		cmp	eax, 8
		jz	short loc_4B7B28
		xor	ecx, ecx
		test	eax, eax
		setnz	cl
		mov	eax, ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4B7B28:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+2C2j
		mov	edx, [ebp-4]
		call	_MiVaIsPageFileHash@8 ;	MiVaIsPageFileHash(x,x)
		test	eax, eax
		jnz	loc_4B7A3F
		mov	ecx, [ebp-4]
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 5
		jnz	loc_4B7C43
		test	byte ptr [edi+17h], 10h
		jnz	loc_4B7C43
		cmp	word ptr [edi+14h], 1
		ja	loc_4B7C43
		test	ds:_MiFlags, 800h
		jnz	loc_4B7C43
		cmp	dword ptr [ebx+8], 1
		jnz	loc_4B7A3F
		mov	ecx, [esi]
		nop
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_4B7C43
		and	ecx, 200h
		or	ecx, 0
		jnz	loc_4B7C43
		mov	eax, ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4B7BA5:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+277j
		mov	eax, ds:_PsInitialSystemProcess
		test	eax, eax
		jz	short loc_4B7BC9
		mov	eax, [eax+194h]
		mov	ecx, [eax+18h]
		mov	eax, [eax+1Ch]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		cmp	[ebp-0Ch], ecx
		jz	short loc_4B7C43

loc_4B7BC9:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+35Cj
		cmp	esi, 0C0603018h
		jz	short loc_4B7BE5
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_4B7BE5
		cmp	esi, 0C0603010h
		jz	short loc_4B7C43

loc_4B7BE5:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+37Fj
					; MiActivePageClaimCandidate(x,x,x,x)+38Bj
		mov	eax, ds:_MmHighestUserAddress
		mov	ecx, 0C0600000h
		shr	eax, 12h
		and	eax, 3FF8h
		sub	eax, 3FA00000h
		xor	edx, edx
		mov	edi, edi

loc_4B7C00:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+3D8j
		cmp	esi, ecx
		jb	short loc_4B7C08
		cmp	esi, eax
		jbe	short loc_4B7C55

loc_4B7C08:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+3B2j
		shr	ecx, 9
		inc	edx
		shr	eax, 9
		and	ecx, offset loc_7FFFF8
		and	eax, offset loc_7FFFF8
		sub	ecx, 40000000h
		sub	eax, 40000000h
		cmp	edx, 1
		jb	short loc_4B7C00
		mov	eax, [ebp-0Ch]
		cmp	[ebp-14h], eax
		jnz	short loc_4B7C7A
		xor	ecx, ecx
		cmp	esi, 0C0603018h
		jnz	short loc_4B7C43
		cmp	word ptr [edi+14h], 1
		jbe	short loc_4B7C48

loc_4B7C43:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+4Dj
					; MiActivePageClaimCandidate(x,x,x,x)+CBj ...
		mov	ecx, 1

loc_4B7C48:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+3F1j
					; MiActivePageClaimCandidate(x,x,x,x)+4B9j
		mov	eax, ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4B7C55:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+3B6j
		cmp	word ptr [edi+14h], 1
		ja	short loc_4B7C43
		mov	eax, [edi+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 10000h
		jnb	short loc_4B7C43
		xor	ecx, ecx
		mov	eax, ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4B7C7A:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+3E0j
		mov	eax, [edi+10h]
		mov	edx, eax
		and	edx, 3FFFFFFFh
		cmp	edx, 1
		jbe	short loc_4B7CDA
		mov	ecx, [ebp-4]
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 6
		jnz	short loc_4B7CB5
		cmp	word ptr [edi+14h], 1
		ja	short loc_4B7C43
		cmp	edx, 10000h
		jnb	short loc_4B7C43
		xor	ecx, ecx
		mov	eax, ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4B7CB5:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+445j
		mov	ecx, edi
		call	_MiHyperPage@4	; MiHyperPage(x)
		test	eax, eax
		jz	short loc_4B7C43
		cmp	word ptr [edi+14h], 1
		ja	loc_4B7C43
		xor	ecx, ecx
		mov	eax, ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4B7CDA:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+438j
		test	eax, offset loc_7FFFFF
		jz	loc_4B7C43
		mov	eax, dword_6D05D4
		mov	ecx, [ebp-4]
		cmp	ecx, eax
		jb	short loc_4B7CFE
		add	eax, 3000h
		cmp	ecx, eax
		jb	loc_4B7C43

loc_4B7CFE:				; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+49Fj
		movzx	eax, word ptr [edi+14h]
		mov	ecx, 1
		cmp	eax, ecx
		ja	loc_4B7C48
		cmp	edx, eax
		pop	edi
		sbb	eax, eax
		and	ecx, eax
		mov	eax, ecx
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_MiActivePageClaimCandidate@16 endp ; sp =  4

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiPfnLargeBitSet(x,	x)
_MiPfnLargeBitSet@8 proc near		; CODE XREF: MiTradePage(x,x)+683p
					; MiPfnsWorthTrying(x,x,x,x,x)+29Ep ...
		cmp	byte ptr [ecx+0A32h], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		jz	short loc_4B7D7C
		xor	esi, esi
		lea	edi, [ecx+0B04h]

loc_4B7D46:				; CODE XREF: MiPfnLargeBitSet(x,x)+4Aj
		cmp	dword ptr [edi], 0
		jz	short loc_4B7D73
		cmp	ds:_MiLargePageSizes[esi*4], 200h
		jnz	short loc_4B7D83
		mov	edx, ebx
		shr	edx, 9

loc_4B7D5D:				; CODE XREF: MiPfnLargeBitSet(x,x)+60j
		mov	eax, [edi+4]
		mov	ecx, edx
		shr	ecx, 3
		and	dl, 7
		mov	al, [ecx+eax]
		mov	cl, dl
		sar	al, cl
		test	al, 1
		jnz	short loc_4B7D92

loc_4B7D73:				; CODE XREF: MiPfnLargeBitSet(x,x)+19j
		inc	esi
		add	edi, 8
		cmp	esi, 1
		jb	short loc_4B7D46

loc_4B7D7C:				; CODE XREF: MiPfnLargeBitSet(x,x)+Cj
		or	eax, 0FFFFFFFFh

loc_4B7D7F:				; CODE XREF: MiPfnLargeBitSet(x,x)+64j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4B7D83:				; CODE XREF: MiPfnLargeBitSet(x,x)+26j
		xor	edx, edx
		mov	eax, ebx
		div	ds:_MiLargePageSizes[esi*4]
		mov	edx, eax
		jmp	short loc_4B7D5D
; 

loc_4B7D92:				; CODE XREF: MiPfnLargeBitSet(x,x)+41j
		mov	eax, esi
		jmp	short loc_4B7D7F
_MiPfnLargeBitSet@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetNextPageColor(x)
_MiGetNextPageColor@4 proc near		; CODE XREF: MiAllocateTopLevelPage+3Ap
					; MiInitializePageDirectoryPages+43p ...
		mov	eax, [ecx]
		xor	edx, edx
		inc	edx
		lock xadd [eax], edx
		inc	edx
		mov	eax, [ecx+4]
		dec	edx
		and	eax, edx
		or	eax, [ecx+8]
		retn
_MiGetNextPageColor@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPrefetchNormally(x, x)
_MiPrefetchNormally@8 proc near		; CODE XREF: MiPfPutPagesInTransition+1370D2p
					; MiPfPrepareReadList+326p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		cmp	dword ptr [esi+1000h], 0A0h
		jl	short loc_4B7E47
		mov	eax, [esi+1114h]
		mov	ecx, [esi+10BCh]
		cmp	ecx, eax
		ja	short loc_4B7E47
		sub	eax, ecx
		cmp	eax, 1080h
		jb	short loc_4B7E47
		mov	ecx, [ebp+var_4]
		lea	eax, [esi+640h]
		mov	edx, [esi+5C0h]
		add	edx, [esi+580h]
		push	ebx
		lea	ecx, [ecx+ecx*4]
		xor	ebx, ebx
		lea	ecx, [ecx+190h]
		push	edi
		lea	esi, [esi+ecx*4]
		xor	edi, edi
		cmp	eax, esi
		jnb	short loc_4B7E37
		mov	ecx, esi
		sub	ecx, eax
		add	ecx, 13h
		cmp	ecx, 28h
		jb	short loc_4B7E2C
		lea	ecx, [esi-14h]
		jmp	short loc_4B7E20
; 
		align 10h

loc_4B7E20:				; CODE XREF: MiPrefetchNormally(x,x)+6Bj
					; MiPrefetchNormally(x,x)+7Aj
		add	edi, [eax]
		add	ebx, [eax+14h]
		add	eax, 28h
		cmp	eax, ecx
		jb	short loc_4B7E20

loc_4B7E2C:				; CODE XREF: MiPrefetchNormally(x,x)+66j
		cmp	eax, esi
		jnb	short loc_4B7E32
		add	edx, [eax]

loc_4B7E32:				; CODE XREF: MiPrefetchNormally(x,x)+7Ej
		lea	eax, [edi+ebx]
		add	edx, eax

loc_4B7E37:				; CODE XREF: MiPrefetchNormally(x,x)+5Aj
		pop	edi
		pop	ebx
		test	edx, edx
		jz	short loc_4B7E47
		mov	eax, 1

loc_4B7E42:				; CODE XREF: MiPrefetchNormally(x,x)+99j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B7E47:				; CODE XREF: MiPrefetchNormally(x,x)+16j
					; MiPrefetchNormally(x,x)+26j ...
		xor	eax, eax
		jmp	short loc_4B7E42
_MiPrefetchNormally@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFreeVadRange	proc near		; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+410p
					; MmStoreFreeVirtualMemory(x)+4Ep ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C2D79 SIZE 00000121 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, esi
		shl	eax, 0Ch
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, edi
		mov	[esp+18h+var_8], eax
		mov	eax, [ecx+1Ch]
		shl	ebx, 0Ch
		and	eax, 3100000h
		or	ebx, 0FFFh
		mov	[esp+18h+var_C], ecx
		cmp	eax, 2100000h
		jz	loc_5C2D79

loc_4B7E90:				; CODE XREF: MiFreeVadRange+10AF3Bj
		lea	eax, [esp+18h+var_4]
		push	eax
		push	edi
		push	esi
		call	MiPrepareVadDelete
		test	eax, eax
		js	short loc_4B7ED4
		mov	edi, [ebp+arg_8]
		xor	esi, esi
		cmp	[esp+18h+var_4], esi
		jnz	short loc_4B7EDD
		cmp	[ebp+arg_C], esi
		jnz	loc_5C2DA1

loc_4B7EB4:				; CODE XREF: MiFreeVadRange+10AF8Aj
		mov	ecx, [esp+18h+var_C]
		mov	edx, esi
		push	0
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)

loc_4B7EC1:				; CODE XREF: MiFreeVadRange+CBj
		mov	eax, 8000h
		test	dword ptr ds:byte_70EFC4, eax
		jnz	loc_5C2E83

loc_4B7ED2:				; CODE XREF: MiFreeVadRange+10B049j
		xor	eax, eax

loc_4B7ED4:				; CODE XREF: MiFreeVadRange+52j
					; MiFreeVadRange+D7j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_4B7EDD:				; CODE XREF: MiFreeVadRange+5Dj
		test	byte ptr [edi+0FCh], 20h
		jnz	short loc_4B7F1E
		mov	eax, [esp+18h+var_C]
		mov	eax, [eax+24h]
		test	eax, eax
		jnz	loc_5C2DDB

loc_4B7EF5:				; CODE XREF: MiFreeVadRange+10AF9Dj
		cmp	[ebp+arg_C], esi
		jnz	loc_5C2DF9

loc_4B7EFE:				; CODE XREF: MiFreeVadRange+10AFF9j
		mov	edx, [esp+18h+var_8]
		mov	ecx, [esp+18h+var_C]
		push	esi
		push	[esp+1Ch+var_4]
		push	ebx
		call	MiDeletePartialVad
		mov	[esp+18h+var_C], eax
		test	eax, eax
		jns	short loc_4B7EC1
		jmp	loc_5C2E4A
; 

loc_4B7F1E:				; CODE XREF: MiFreeVadRange+98j
		mov	eax, 0C000010Ah
		jmp	short loc_4B7ED4
MiFreeVadRange	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeColorBase(x, x,	x)
_MiInitializeColorBase@12 proc near	; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+332p
					; MiMakeZeroedPageTablesEx+106p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ecx
		push	esi
		mov	esi, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, esi
		jb	short loc_4B7F51
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_4B7F99
		cmp	ecx, esi
		jb	short loc_4B7F51
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	short loc_4B7F99

loc_4B7F51:				; CODE XREF: MiInitializeColorBase(x,x,x)+13j
					; MiInitializeColorBase(x,x,x)+20j
		cmp	ecx, ds:_MmHighestUserAddress
		jbe	short loc_4B7F69
		cmp	ecx, dword_6D2E88
		jb	short loc_4B7F82
		cmp	ecx, dword_6D2E8C
		ja	short loc_4B7F82

loc_4B7F69:				; CODE XREF: MiInitializeColorBase(x,x,x)+31j
					; MiInitializeColorBase(x,x,x)+71j
		pop	esi
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		add	ecx, 240h

loc_4B7F7C:				; CODE XREF: MiInitializeColorBase(x,x,x)+67j
					; MiInitializeColorBase(x,x,x)+7Bj
		pop	ebp
		jmp	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
; 

loc_4B7F82:				; CODE XREF: MiInitializeColorBase(x,x,x)+39j
					; MiInitializeColorBase(x,x,x)+41j
		cmp	ecx, 0C0000000h
		jnb	short loc_4B7F8F

loc_4B7F8A:				; CODE XREF: MiInitializeColorBase(x,x,x)+6Fj
		pop	esi
		xor	ecx, ecx
		jmp	short loc_4B7F7C
; 

loc_4B7F8F:				; CODE XREF: MiInitializeColorBase(x,x,x)+62j
		cmp	ecx, 0C07FFFFFh
		ja	short loc_4B7F8A
		jmp	short loc_4B7F69
; 

loc_4B7F99:				; CODE XREF: MiInitializeColorBase(x,x,x)+1Cj
					; MiInitializeColorBase(x,x,x)+29j
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		pop	esi
		mov	ecx, eax
		jmp	short loc_4B7F7C
_MiInitializeColorBase@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializePageColorBase(x, x, x)
_MiInitializePageColorBase@12 proc near	; CODE XREF: .text:0045D626p
					; MiMigratePfn(x,x,x,x)+C1p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		push	edi
		test	eax, eax
		jnz	short loc_4B800C
		mov	eax, large fs:124h
		mov	eax, [eax+16Ch]
		mov	edi, ds:_KiProcessorBlock[eax*4]
		mov	eax, [edi+4C8h]

loc_4B7FD9:				; CODE XREF: MiInitializePageColorBase(x,x,x)+6Cj
		mov	[edx+8], eax
		mov	eax, 1
		mov	cl, byte_6D068D
		shl	eax, cl
		dec	eax
		mov	[edx+4], eax
		test	esi, esi
		jz	short loc_4B8002
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		jnb	short loc_4B8002
		mov	[edx], esi

loc_4B7FFC:				; CODE XREF: MiInitializePageColorBase(x,x,x)+5Aj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4B8002:				; CODE XREF: MiInitializePageColorBase(x,x,x)+3Fj
					; MiInitializePageColorBase(x,x,x)+48j
		lea	eax, [edi+4BCh]
		mov	[edx], eax
		jmp	short loc_4B7FFC
; 

loc_4B800C:				; CODE XREF: MiInitializePageColorBase(x,x,x)+Ej
		mov	edi, large fs:20h
		dec	eax
		mov	cl, byte_6D068C
		shl	eax, cl
		jmp	short loc_4B7FD9
_MiInitializePageColorBase@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiResolveMappedFileFault proc near	; CODE XREF: MiIssueFlowThroughFault(x,x,x,x,x,x,x)+D3p
					; MiResolveProtoPteFault(x,x,x)+EB5p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 004B8677 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 005C2E9A SIZE 0000028A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_C], edx
		lea	edi, [ebp+var_64]
		mov	[ebp+var_48], 0
		stosd
		mov	ebx, ecx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_44], 0
		mov	[ebp+var_18], 0
		mov	ecx, [ebx+8]
		stosd
		mov	[ebp+var_2C], ecx
		stosd
		mov	eax, [ebx]
		mov	[ebp+var_10], eax
		mov	eax, [ebx+14h]
		mov	ebx, [edx]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_4], ebx
		nop
		mov	eax, large fs:124h
		mov	edi, [edx+4]
		mov	[ebp+var_1C], edi
		mov	[ebp+var_8], 0
		test	byte ptr [eax+304h], 4
		mov	[ebp+var_34], 2
		jnz	loc_5C2E9A
		mov	esi, ecx
		mov	edx, ecx
		and	esi, 0FFFFFFFEh
		and	edx, 1
		jnz	loc_4B84D8

loc_4B809E:				; CODE XREF: MiResolveMappedFileFault+4BBj
		test	edx, edx
		jnz	loc_4B84E6

loc_4B80A6:				; CODE XREF: MiResolveMappedFileFault+4E9j
					; MiResolveMappedFileFault+581j ...
		mov	eax, ebx
		and	eax, 400h
		or	eax, 0
		mov	eax, dword_6D0704
		jz	loc_4B85CD
		mov	ecx, dword_6D0700
		mov	[ebp+var_38], eax
		mov	eax, ecx
		or	eax, [ebp+var_38]
		mov	[ebp+var_30], edi
		jz	short loc_4B80DC
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jz	loc_4B83F5

loc_4B80DC:				; CODE XREF: MiResolveMappedFileFault+ACj
					; MiResolveMappedFileFault+3DDj
		mov	[ebp+var_38], 0

loc_4B80E3:				; CODE XREF: MiResolveMappedFileFault+619j
					; MiResolveMappedFileFault+628j ...
		mov	ebx, [edi]
		mov	[ebp+var_54], 0
		mov	[ebp+var_4C], ebx
		mov	eax, [ebx+1Ch]
		test	al, 10h
		jnz	loc_5C2EED
		test	byte ptr [edi+12h], 2
		mov	ecx, [edi+4]
		mov	[ebp+var_24], 0FFFFFFFFh
		mov	[ebp+var_40], 0
		mov	[ebp+var_20], ecx
		jnz	loc_5C2F01

loc_4B8118:				; CODE XREF: MiResolveMappedFileFault+10AEE6j
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		cmp	ecx, dword_6D07D0
		jnb	loc_4B84AD

loc_4B8129:				; CODE XREF: MiResolveMappedFileFault+48Fj
					; MiResolveMappedFileFault+49Aj ...
		mov	ecx, [edi+24h]
		mov	eax, [edi+1Ch]
		and	ecx, 3FFFFFFFh
		sub	eax, ecx
		mov	ecx, [ebp+var_20]
		lea	eax, [ecx+eax*8]
		cmp	[ebp+var_C], eax
		jnb	loc_5C2F59
		xor	esi, esi
		test	dword ptr [ebx+1Ch], 40000000h
		mov	[ebp+var_14], esi
		jnz	loc_5C2F8F

loc_4B8158:				; CODE XREF: MiResolveMappedFileFault+10AF95j
		mov	ecx, [ebp+var_28]
		lea	eax, [ebp+var_30]
		push	eax
		mov	edx, ebx
		mov	[ebp+var_30], esi
		call	MiComputeFaultNode
		cmp	[ebp+var_14], 2
		mov	esi, eax
		mov	[ebp+var_18], 0
		jz	loc_5C2FBA
		cmp	[ebp+var_8], 0
		jnz	loc_4B850E
		mov	edx, [ebp+var_4]
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jz	short loc_4B819F
		test	byte ptr [ebx+1Ch], 20h
		jz	loc_4B8402

loc_4B819F:				; CODE XREF: MiResolveMappedFileFault+173j
					; MiResolveMappedFileFault+3E9j ...
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	MiAllocateInPageSupport
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5C2FC6
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx]
		nop
		mov	edx, [ebp+var_4]
		mov	ecx, [ecx+4]
		cmp	eax, edx
		jnz	loc_5C30F7
		mov	eax, [ebp+var_1C]
		cmp	ecx, eax
		jnz	loc_5C30F7
		mov	ecx, edx
		shrd	ecx, eax, 0Ah
		and	ecx, 1
		mov	eax, ecx
		mov	[ebp+var_34], ecx
		or	eax, 0
		jz	loc_4B85AF

loc_4B81F2:				; CODE XREF: MiResolveMappedFileFault+5A2j
		cmp	[ebp+var_14], 3
		jz	loc_5C308C
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	loc_4B8531

loc_4B8207:				; CODE XREF: MiResolveMappedFileFault+514j
					; MiResolveMappedFileFault+529j
		mov	eax, ecx
		or	eax, 0
		jz	short loc_4B820F
		nop

loc_4B820F:				; CODE XREF: MiResolveMappedFileFault+1ECj
		mov	eax, [ebp+var_1C]
		xor	ecx, ecx
		shrd	edx, eax, 5
		shr	eax, 5
		and	edx, 1Fh
		mov	[ebp+var_54], eax
		movzx	eax, word ptr [edi+10h]
		shr	eax, 1
		and	eax, 1Fh
		push	edx
		mov	edx, eax
		mov	[ebp+var_50], eax
		call	MiSanitizePfnProtection
		mov	ecx, [ebp+var_3C]
		lea	edx, [ebp+var_64]
		push	esi
		mov	[ebp+var_54], eax
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		cmp	[ebp+var_14], 2
		mov	[ebp+var_30], 0FFFFFFFFh
		jz	loc_5C2FD0
		mov	eax, [ebp+var_4C]
		mov	eax, [eax+1Ch]
		and	eax, 40020h
		cmp	eax, 20h
		jnz	loc_4B8354
		mov	esi, [ebp+var_34]
		mov	eax, esi
		or	eax, 0
		jz	loc_4B8354
		cmp	dword_6D348C, 0
		jnz	loc_4B8354
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	loc_4B8575

loc_4B828F:				; CODE XREF: MiResolveMappedFileFault+558j
					; MiResolveMappedFileFault+574j ...
		push	1
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiObtainFaultCharges
		test	eax, eax
		jz	loc_5C3084
		mov	eax, [ebp+var_64]
		mov	ecx, 1
		lock xadd [eax], ecx
		inc	ecx
		mov	eax, [ebp+var_60]
		dec	ecx
		and	eax, ecx
		or	eax, [ebp+var_5C]
		or	esi, 0
		mov	esi, [ebp+var_4]
		mov	[ebp+var_4C], eax
		jz	short loc_4B82E6
		push	[ebp+var_1C]
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		push	esi
		push	0
		call	MiUseSlabAllocator
		test	eax, eax
		jnz	loc_5C2FD8
		mov	eax, [ebp+var_4C]

loc_4B82E6:				; CODE XREF: MiResolveMappedFileFault+2A7j
		push	0
		mov	edx, eax
		mov	ecx, offset _MiSystemPartition
		call	MiGetPage

loc_4B82F4:				; CODE XREF: MiResolveMappedFileFault+10AFCBj
		mov	[ebp+var_30], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_5C2FF0
		cmp	[ebp+var_14], 2
		mov	edx, edi
		jz	loc_5C3020
		push	[ebp+arg_0]	; int
		mov	ecx, [ebp+var_10]
		push	eax		; int
		push	[ebp+var_2C]	; void *
		mov	[ebx+88h], ecx
		mov	ecx, ebx
		push	[ebp+var_C]	; int
		call	MiCopyDataPageToImagePage
		cmp	eax, 1
		jz	loc_4B84C5

loc_4B832F:				; CODE XREF: MiResolveMappedFileFault+10AFFBj
					; MiResolveMappedFileFault+10B067j
		cmp	[ebp+var_14], 2
		jnz	short loc_4B8357

loc_4B8335:				; CODE XREF: MiResolveMappedFileFault+3ABj
		mov	ecx, [ebp+arg_0]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	ecx, ebx
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)
		mov	eax, 0C0000017h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4B8354:				; CODE XREF: MiResolveMappedFileFault+243j
					; MiResolveMappedFileFault+251j ...
		mov	esi, [ebp+var_4]

loc_4B8357:				; CODE XREF: MiResolveMappedFileFault+313j
		mov	eax, [ebp+arg_0]
		mov	edx, ebx
		mov	[ebx+5Ch], eax
		mov	ecx, offset _MiSystemPartition
		mov	eax, [ebp+var_1C]
		mov	[ebx+64h], eax
		mov	eax, [ebp+var_C]
		mov	[ebx+8Ch], eax
		mov	eax, [ebp+var_18]
		mov	[ebx+70h], eax
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_48]
		mov	[ebx+60h], esi
		mov	esi, [ebp+var_30]
		push	eax
		push	esi
		push	[ebp+var_24]
		mov	[ebx+80h], edi
		push	[ebp+var_20]
		push	[ebp+var_8]
		call	MiPickClusterForMappedFileFault
		mov	edx, [ebp+var_48]
		mov	edi, eax
		lea	eax, [ebp+var_64]
		mov	ecx, ebx
		push	eax
		push	[ebp+var_28]
		push	[ebp+var_8]
		push	[ebp+var_54]
		push	esi
		push	edi
		push	offset _MiSystemPartition
		push	[ebp+var_44]
		call	_MiBuildMdlForMappedFileFault@40 ; MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, edi
		jnz	loc_4B854E

loc_4B83C9:				; CODE XREF: MiResolveMappedFileFault+550j
		test	esi, esi
		jz	loc_4B8335
		push	[ebp+var_24]
		mov	edx, [ebp+var_2C]
		mov	ecx, ebx
		push	[ebp+var_38]
		push	esi
		call	_MiFinishMdlForMappedFileFault@20 ; MiFinishMdlForMappedFileFault(x,x,x,x,x)
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		mov	eax, 0C0033333h

loc_4B83EC:				; CODE XREF: MiResolveMappedFileFault+65Cj
					; MiResolveMappedFileFault+10AE89j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4B83F5:				; CODE XREF: MiResolveMappedFileFault+B6j
		mov	edi, [ebp+var_38]
		not	edi
		and	edi, [ebp+var_30]
		jmp	loc_4B80DC
; 

loc_4B8402:				; CODE XREF: MiResolveMappedFileFault+179j
		mov	eax, [ebp+var_3C]
		test	byte ptr [eax+60h], 7
		jnz	loc_4B819F
		mov	eax, [ebp+var_30]
		test	eax, eax
		jnz	short loc_4B8421
		mov	ecx, [ebp+var_10]
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edx, [ebp+var_4]

loc_4B8421:				; CODE XREF: MiResolveMappedFileFault+3F4j
		mov	eax, [eax+44h]
		test	eax, eax
		js	loc_4B819F
		mov	ebx, eax
		and	ebx, 7FFh
		cmp	ebx, 11h
		jb	loc_4B819F
		shr	eax, 0Bh
		lea	ecx, [eax-1]
		mov	eax, [ebp+var_10]
		add	ecx, ebx
		and	eax, 0FFFFF000h
		shl	ecx, 0Ch
		cmp	eax, ecx
		jnz	loc_4B819F
		mov	eax, [ebp+var_C]
		add	eax, 8
		mov	[ebp+var_30], eax
		test	eax, 0FFFh
		jz	loc_4B819F
		mov	ecx, [edi+24h]
		mov	eax, [edi+1Ch]
		and	ecx, 3FFFFFFFh
		sub	eax, ecx
		mov	ecx, [ebp+var_20]
		lea	eax, [ecx+eax*8]
		mov	ecx, [ebp+var_30]
		cmp	ecx, eax
		jnb	loc_4B819F
		mov	eax, [ecx]
		nop
		mov	ecx, [ecx+4]
		cmp	eax, edx
		jnz	loc_4B819F
		cmp	ecx, [ebp+var_1C]
		jnz	loc_4B819F
		lea	eax, [ebx-1]
		mov	[ebp+var_18], eax
		jmp	loc_4B819F
; 

loc_4B84AD:				; CODE XREF: MiResolveMappedFileFault+103j
		test	al, 20h
		jz	loc_4B8129
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	loc_4B8129
		jmp	loc_5C2F84
; 

loc_4B84C5:				; CODE XREF: MiResolveMappedFileFault+309j
					; MiResolveMappedFileFault+10B019j
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	esi
		mov	[eax], ebx
		mov	eax, 0C0033333h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4B84D8:				; CODE XREF: MiResolveMappedFileFault+78j
		cmp	byte ptr [esi],	5
		jnz	loc_4B809E
		jmp	loc_5C2EAE
; 

loc_4B84E6:				; CODE XREF: MiResolveMappedFileFault+80j
		mov	al, [esi]
		cmp	al, 1
		jnz	loc_4B859F
		mov	ecx, esi
		mov	[ebp+var_8], ecx
		test	dword ptr [ecx+28h], 100h
		jnz	loc_5C2ED4
		mov	[ebp+var_34], 0
		jmp	loc_4B80A6
; 

loc_4B850E:				; CODE XREF: MiResolveMappedFileFault+160j
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	loc_4B866A

loc_4B8519:				; CODE XREF: MiResolveMappedFileFault+652j
		mov	edx, [ebp+var_8]
		mov	ecx, offset _MiSystemPartition
		push	0
		push	eax
		call	_MiComputeFaultCluster@16 ; MiComputeFaultCluster(x,x,x,x)
		mov	[ebp+var_18], eax
		jmp	loc_4B819F
; 

loc_4B8531:				; CODE XREF: MiResolveMappedFileFault+1E1j
		cmp	byte ptr [eax],	1
		jnz	loc_4B8207
		mov	edx, ebx
		mov	ecx, eax
		call	_MiSetInPagePrefetchPriority@8 ; MiSetInPagePrefetchPriority(x,x)
		mov	ecx, [ebp+var_34]
		mov	edx, [ebp+var_4]
		jmp	loc_4B8207
; 

loc_4B854E:				; CODE XREF: MiResolveMappedFileFault+3A3j
		sub	edi, esi
		mov	ecx, offset _MiSystemPartition
		mov	edx, edi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	loc_4B865C

loc_4B8564:				; CODE XREF: MiResolveMappedFileFault+645j
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		jmp	loc_4B83C9
; 

loc_4B8575:				; CODE XREF: MiResolveMappedFileFault+269j
		cmp	byte ptr [eax],	1
		jnz	loc_4B828F
		mov	edx, [eax+28h]
		mov	ecx, offset _MiSystemPartition
		shr	edx, 3
		and	edx, 7
		inc	edx
		call	_MiGetAvailablePagesBelowPriority@8 ; MiGetAvailablePagesBelowPriority(x,x)
		test	eax, eax
		jnz	loc_4B828F
		jmp	loc_4B8354
; 

loc_4B859F:				; CODE XREF: MiResolveMappedFileFault+4CAj
		cmp	al, 2
		jnz	loc_4B80A6
		mov	[ebp+var_8], esi
		jmp	loc_4B80A6
; 

loc_4B85AF:				; CODE XREF: MiResolveMappedFileFault+1CCj
		mov	eax, [ebp+var_38]
		test	byte ptr [eax+16h], 20h
		jz	loc_5C30F7
		mov	eax, [eax]
		test	byte ptr [eax+68h], 20h
		jz	loc_4B81F2
		jmp	loc_5C30F7
; 

loc_4B85CD:				; CODE XREF: MiResolveMappedFileFault+95j
		mov	ecx, edi
		mov	[ebp+var_24], eax
		mov	edi, dword_6D0700
		mov	eax, edi
		or	eax, [ebp+var_24]
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_40], edi
		jz	short loc_4B8607
		mov	ecx, ebx
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	loc_5C2EE5
		mov	ecx, [ebp+var_24]
		mov	ebx, edi
		not	ebx
		not	ecx
		and	ebx, [ebp+var_38]
		and	ecx, [ebp+var_30]

loc_4B8607:				; CODE XREF: MiResolveMappedFileFault+5C6j
					; MiResolveMappedFileFault+10AEC8j
		mov	eax, ds:_MmPfnDatabase
		shrd	ebx, ecx, 0Ch
		and	ebx, 3FFFFFFh
		lea	ecx, ds:0[ebx*8]
		sub	ecx, ebx
		mov	ebx, [ebp+var_24]
		mov	edi, [eax+ecx*4+0Ch]
		lea	ecx, [eax+ecx*4]
		mov	eax, [ecx+8]
		mov	[ebp+var_38], ecx
		mov	ecx, [ebp+var_40]
		mov	[ebp+var_20], eax
		mov	eax, ecx
		or	eax, ebx
		jz	loc_4B80E3
		mov	eax, [ebp+var_20]
		and	eax, 10h
		or	eax, 0
		jnz	loc_4B80E3
		not	ecx
		not	ebx
		and	[ebp+var_20], ecx
		and	edi, ebx
		jmp	loc_4B80E3
; 

loc_4B865C:				; CODE XREF: MiResolveMappedFileFault+53Ej
		mov	edx, offset dword_6D5E40
		lock xadd [edx], eax
		jmp	loc_4B8564
; 

loc_4B866A:				; CODE XREF: MiResolveMappedFileFault+4F3j
		mov	ecx, [ebp+var_10]
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		jmp	loc_4B8519
MiResolveMappedFileFault endp

; 
; START	OF FUNCTION CHUNK FOR MiResolveMappedFileFault

loc_4B8677:				; CODE XREF: MiResolveMappedFileFault+10AFABj
					; MiResolveMappedFileFault+10B0EDj
		mov	edx, [ebp+var_8]
		test	edx, edx
		jz	loc_4B83EC
		jmp	loc_5C3112
; END OF FUNCTION CHUNK	FOR MiResolveMappedFileFault
; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateInPageSupport	proc near	; CODE XREF: MiResolveMappedFileFault+18Dp
					; MiResolvePageFileFault+284p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C3124 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	edi
		test	esi, esi
		jz	short loc_4B86CE
		mov	ecx, [esi]
		mov	[ebp+arg_4], ecx

loc_4B86A2:				; CODE XREF: MiAllocateInPageSupport+4Aj
		mov	edi, [ebp+arg_0]
		mov	ecx, 100h
		mov	eax, [edi]
		cmp	eax, ecx
		ja	short loc_4B86D9

loc_4B86B0:				; CODE XREF: MiAllocateInPageSupport+55j
		cmp	eax, 10h
		ja	short loc_4B86D4

loc_4B86B5:				; CODE XREF: MiAllocateInPageSupport+4Fj
		mov	ecx, ebx
		test	esi, esi
		jz	short loc_4B86BE
		or	ecx, 4

loc_4B86BE:				; CODE XREF: MiAllocateInPageSupport+31j
		call	_MiGetInPageSupportBlock@4 ; MiGetInPageSupportBlock(x)
		test	eax, eax
		jz	short loc_4B86DF

loc_4B86C7:				; CODE XREF: MiAllocateInPageSupport+94j
					; MiAllocateInPageSupport+10AAE0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4B86CE:				; CODE XREF: MiAllocateInPageSupport+13j
		and	[ebp+arg_4], 0
		jmp	short loc_4B86A2
; 

loc_4B86D4:				; CODE XREF: MiAllocateInPageSupport+2Bj
		or	ebx, 1
		jmp	short loc_4B86B5
; 

loc_4B86D9:				; CODE XREF: MiAllocateInPageSupport+26j
		mov	[edi], ecx
		mov	eax, ecx
		jmp	short loc_4B86B0
; 

loc_4B86DF:				; CODE XREF: MiAllocateInPageSupport+3Dj
		test	esi, esi
		jz	loc_5C3124
		mov	ecx, [ebp+arg_4]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage

loc_4B86F1:				; CODE XREF: MiAllocateInPageSupport+10AAAAj
		mov	ecx, ebx
		call	_MiGetInPageSupportBlock@4 ; MiGetInPageSupportBlock(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5C3137

loc_4B8702:				; CODE XREF: MiAllocateInPageSupport+10AACFj
		test	esi, esi
		jz	short loc_4B871A
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		call	MiLockProtoPoolPage
		test	eax, eax
		jz	loc_5C315F
		mov	[esi], eax

loc_4B871A:				; CODE XREF: MiAllocateInPageSupport+7Cj
					; MiAllocateInPageSupport+10AAB2j
		mov	eax, edi
		jmp	short loc_4B86C7
MiAllocateInPageSupport	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPickClusterForMappedFileFault	proc near ; CODE XREF: MiResolveMappedFileFault+377p

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005C316D SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, edx
		mov	[ebp+var_18], ecx
		mov	ecx, large fs:124h
		push	ebx
		push	esi
		mov	esi, [eax+8Ch]
		mov	ebx, [eax+60h]
		mov	[ebp+var_14], eax
		push	edi
		mov	edi, [eax+64h]
		mov	eax, [eax+80h]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], 1
		mov	[ebp+var_1C], ecx
		mov	edx, [eax]
		mov	eax, ebx
		and	eax, 400h
		mov	[ebp+var_24], edx
		or	eax, 0
		jz	loc_4B8989
		cmp	byte ptr [ecx+309h], 0
		jnz	loc_4B8989
		mov	eax, [edx+1Ch]
		mov	[ebp+var_10], eax
		test	al, 8
		jnz	loc_4B897C

loc_4B8789:				; CODE XREF: MiPickClusterForMappedFileFault+263j
		mov	ecx, [ebp+var_18]
		cmp	dword ptr [ecx+1000h], 0A0h
		jl	loc_4B8989
		mov	eax, dword_6D348C
		test	eax, eax
		jnz	loc_5C316D
		mov	edx, 140h
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	loc_4B8989
		mov	edx, [ebp+var_14]
		mov	edx, [edx+70h]
		cmp	edx, 1
		jz	loc_4B8989
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx+24h]
		mov	ecx, [ecx+1Ch]
		and	eax, 3FFFFFFFh
		sub	ecx, eax
		mov	eax, [ebp+arg_4]
		lea	eax, [eax+ecx*8]
		mov	ecx, [ebp+var_10]
		add	eax, 0FFFFFFF8h
		cmp	[ebp+arg_0], 0
		mov	[ebp+var_4], eax
		jnz	short loc_4B8816
		test	cl, 20h
		jz	short loc_4B8808
		mov	eax, [ebp+var_C]
		mov	edx, 4
		test	[eax+10h], dl
		jz	short loc_4B8816
		mov	edx, 8
		jmp	short loc_4B8816
; 

loc_4B8808:				; CODE XREF: MiPickClusterForMappedFileFault+D2j
		test	edx, edx
		jnz	short loc_4B8816
		mov	edx, [ebp+var_1C]
		mov	edx, [edx+2F4h]
		inc	edx

loc_4B8816:				; CODE XREF: MiPickClusterForMappedFileFault+CDj
					; MiPickClusterForMappedFileFault+DFj ...
		lea	eax, ds:0[edx*8]
		mov	edx, [ebp+var_4]
		mov	[ebp+var_10], eax
		add	eax, 0FFFFFFF8h
		add	eax, esi
		cmp	edx, eax
		jbe	short loc_4B8837
		mov	edx, [ebp+var_10]
		add	edx, 0FFFFFFF8h
		add	edx, esi
		mov	[ebp+var_4], edx

loc_4B8837:				; CODE XREF: MiPickClusterForMappedFileFault+10Aj
		cmp	[ebp+arg_0], 0
		jnz	short loc_4B8849
		test	ecx, 20000000h
		jnz	loc_4B89C7

loc_4B8849:				; CODE XREF: MiPickClusterForMappedFileFault+11Bj
		mov	[ebp+arg_8], 0
		mov	[ebp+var_1C], 0

loc_4B8857:				; CODE XREF: MiPickClusterForMappedFileFault+2D2j
					; MiPickClusterForMappedFileFault+2DEj
		mov	eax, esi
		and	eax, 0FFFFFFF8h
		or	eax, 0FF8h
		cmp	edx, eax
		ja	loc_4B89A7

loc_4B8869:				; CODE XREF: MiPickClusterForMappedFileFault+295j
		mov	eax, edx
		cmp	edx, esi
		jbe	short loc_4B8893
		nop

loc_4B8870:				; CODE XREF: MiPickClusterForMappedFileFault+16Ej
		mov	ecx, [eax]
		nop
		mov	edx, [eax+4]
		cmp	ecx, ebx
		jnz	loc_4B8932
		cmp	edx, edi
		jnz	loc_4B8932
		inc	[ebp+var_8]

loc_4B8889:				; CODE XREF: MiPickClusterForMappedFileFault+217j
					; MiPickClusterForMappedFileFault+223j
		sub	eax, 8
		cmp	eax, esi
		ja	short loc_4B8870
		mov	edx, [ebp+var_4]

loc_4B8893:				; CODE XREF: MiPickClusterForMappedFileFault+14Dj
		mov	eax, [ebp+arg_4]
		mov	ecx, edx
		sub	ecx, [ebp+var_10]
		add	ecx, 8
		cmp	ecx, eax
		jb	loc_4B8992

loc_4B88A6:				; CODE XREF: MiPickClusterForMappedFileFault+274j
		mov	eax, esi
		and	eax, 0FFFFF000h
		cmp	ecx, eax
		jb	loc_4B89BA

loc_4B88B5:				; CODE XREF: MiPickClusterForMappedFileFault+2A2j
		cmp	[ebp+arg_0], 0
		jnz	loc_4B89A0
		mov	eax, [ebp+var_14]
		test	byte ptr [eax+78h], 40h
		jnz	loc_4B89A0
		mov	eax, [ebp+var_24]
		test	dword ptr [eax+1Ch], 20000000h
		jnz	loc_4B8A03

loc_4B88DC:				; CODE XREF: MiPickClusterForMappedFileFault+282j
					; MiPickClusterForMappedFileFault+2FDj	...
		mov	[ebp+arg_0], ecx
		cmp	ecx, esi
		jb	short loc_4B8950

loc_4B88E3:				; CODE XREF: MiPickClusterForMappedFileFault+248j
		mov	ebx, [ebp+var_4]
		mov	edi, [ebp+arg_0]

loc_4B88E9:				; CODE XREF: MiPickClusterForMappedFileFault+26Dj
		mov	esi, [ebp+arg_C]
		mov	ecx, [ebp+var_8]
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_4B8948

loc_4B88F4:				; CODE XREF: MiPickClusterForMappedFileFault+229j
		test	ecx, ecx
		jz	loc_4B8999
		xor	eax, eax
		mov	edx, ecx
		mov	ecx, [ebp+var_18]
		cmp	esi, 0FFFFFFFFh
		setz	al
		lea	eax, ds:1[eax*2]
		push	eax
		call	MiObtainFaultCharges
		mov	ecx, eax

loc_4B8918:				; CODE XREF: MiPickClusterForMappedFileFault+27Bj
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_4B894B

loc_4B891D:				; CODE XREF: MiPickClusterForMappedFileFault+22Cj
		mov	eax, [ebp+arg_10]
		mov	[eax], edi
		mov	eax, [ebp+arg_14]
		pop	edi
		pop	esi
		mov	[eax], ebx
		mov	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4B8932:				; CODE XREF: MiPickClusterForMappedFileFault+158j
					; MiPickClusterForMappedFileFault+160j
		mov	ecx, [ebp+var_4]
		cmp	eax, ecx
		jnz	loc_4B8889
		sub	ecx, 8
		mov	[ebp+var_4], ecx
		jmp	loc_4B8889
; 

loc_4B8948:				; CODE XREF: MiPickClusterForMappedFileFault+1D2j
		dec	ecx
		jmp	short loc_4B88F4
; 

loc_4B894B:				; CODE XREF: MiPickClusterForMappedFileFault+1FBj
		inc	ecx
		jmp	short loc_4B891D
; 
		align 10h

loc_4B8950:				; CODE XREF: MiPickClusterForMappedFileFault+1C1j
					; MiPickClusterForMappedFileFault+246j
		mov	eax, [ecx]
		nop
		mov	edx, [ecx+4]
		cmp	eax, ebx
		jnz	short loc_4B896D
		cmp	edx, edi
		jnz	short loc_4B896D
		inc	[ebp+var_8]

loc_4B8961:				; CODE XREF: MiPickClusterForMappedFileFault+252j
					; MiPickClusterForMappedFileFault+25Aj
		add	ecx, 8
		cmp	ecx, esi
		jb	short loc_4B8950
		jmp	loc_4B88E3
; 

loc_4B896D:				; CODE XREF: MiPickClusterForMappedFileFault+238j
					; MiPickClusterForMappedFileFault+23Cj
		mov	eax, [ebp+arg_0]
		cmp	ecx, eax
		jnz	short loc_4B8961
		add	eax, 8
		mov	[ebp+arg_0], eax
		jmp	short loc_4B8961
; 

loc_4B897C:				; CODE XREF: MiPickClusterForMappedFileFault+63j
		cmp	byte ptr [ecx+308h], 2
		jz	loc_4B8789

loc_4B8989:				; CODE XREF: MiPickClusterForMappedFileFault+48j
					; MiPickClusterForMappedFileFault+55j ...
		mov	edi, esi
		mov	ebx, esi
		jmp	loc_4B88E9
; 

loc_4B8992:				; CODE XREF: MiPickClusterForMappedFileFault+180j
		mov	ecx, eax
		jmp	loc_4B88A6
; 

loc_4B8999:				; CODE XREF: MiPickClusterForMappedFileFault+1D6j
		xor	ecx, ecx
		jmp	loc_4B8918
; 

loc_4B89A0:				; CODE XREF: MiPickClusterForMappedFileFault+199j
					; MiPickClusterForMappedFileFault+1A6j
		mov	ecx, esi
		jmp	loc_4B88DC
; 

loc_4B89A7:				; CODE XREF: MiPickClusterForMappedFileFault+143j
		mov	edx, esi
		and	edx, 0FFFFFFF8h
		or	edx, 0FF8h
		mov	[ebp+var_4], edx
		jmp	loc_4B8869
; 

loc_4B89BA:				; CODE XREF: MiPickClusterForMappedFileFault+18Fj
		mov	ecx, esi
		and	ecx, 0FFFFF000h
		jmp	loc_4B88B5
; 

loc_4B89C7:				; CODE XREF: MiPickClusterForMappedFileFault+123j
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		call	MiStartingOffset
		mov	edx, dword_6D34D4
		mov	[ebp+arg_8], eax
		lea	ecx, [edx-1]
		and	ecx, eax
		sub	edx, ecx
		shr	edx, 0Ch
		lea	ecx, [esi+edx*8]
		mov	edx, [ebp+var_4]
		lea	eax, [ecx-8]
		cmp	edx, eax
		jbe	loc_4B8857
		lea	edx, [ecx-8]
		mov	[ebp+var_4], edx
		jmp	loc_4B8857
; 

loc_4B8A03:				; CODE XREF: MiPickClusterForMappedFileFault+1B6j
		mov	eax, dword_6D34D4
		mov	edx, [ebp+arg_8]
		dec	eax
		shr	edx, 0Ch
		shr	eax, 0Ch
		and	eax, edx
		mov	edx, esi
		shl	eax, 3
		sub	edx, eax
		cmp	ecx, edx
		jnb	loc_4B88DC
		mov	ecx, edx
		jmp	loc_4B88DC
MiPickClusterForMappedFileFault	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFinishMdlForMappedFileFault(x, x,	x, x, x)
_MiFinishMdlForMappedFileFault@20 proc near ; CODE XREF: MiResolveMappedFileFault+3BDp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		push	[ebp+arg_0]
		mov	eax, [esi+70h]
		mov	[ebp+var_4], eax
		mov	eax, [esi+80h]
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	ecx, [eax]
		mov	[ebp+var_10], ecx
		call	_MiReferenceControlAreaPfn@12 ;	MiReferenceControlAreaPfn(x,x,x)
		mov	edi, [esi+5Ch]
		xor	edx, edx
		mov	ecx, edi
		mov	[ebp+var_8], edi
		call	_MiObtainProtoReference@8 ; MiObtainProtoReference(x,x)
		and	[ebp+var_14], 0
		add	edi, 10h

loc_4B8A6D:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+291j
		lock bts dword ptr [edi], 1Fh
		jb	loc_4B8CAF
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_8]
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		imul	ecx, [esi+0C4h], 1Ch
		mov	eax, ds:_MmPfnDatabase
		mov	edx, [ebp+arg_4]
		mov	edi, [ecx+eax+4]
		or	edi, 80000000h
		mov	[ebp+var_1C], edi
		test	edx, edx
		jnz	loc_4B8C99

loc_4B8AAF:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+276j
		mov	edx, [esi+8Ch]
		mov	[ebp+var_20], edx
		mov	eax, [edx]
		nop
		mov	edx, [edx+4]
		push	[ebp+arg_8]
		mov	[esi+64h], edx
		mov	edx, edi
		mov	edi, [ebp+var_C]
		mov	ecx, edi
		mov	[esi+60h], eax
		call	MiStartingOffset
		mov	ecx, edi
		mov	[ebp+arg_4], eax
		mov	[ebp+var_C], edx
		call	MiEndingOffsetWithLock
		mov	ecx, [esi+78h]
		mov	[ebp+arg_8], eax
		mov	[ebp+var_18], edx
		test	ecx, 20000h
		jnz	loc_4B8C5F
		mov	byte ptr [ebp+arg_0+3],	0

loc_4B8AF9:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+242j
		mov	eax, [ebp+var_10]
		mov	edi, ecx
		test	byte ptr [eax+1Ch], 20h
		jnz	loc_4B8C0E

loc_4B8B08:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+1F4j
					; MiFinishMdlForMappedFileFault(x,x,x,x,x)+201j ...
		mov	eax, ebx
		xor	ecx, ecx
		and	ebx, 0FFFFFFFEh
		and	eax, 1
		jnz	loc_4B8C71

loc_4B8B18:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+24Aj
		test	eax, eax
		jnz	loc_4B8CA5

loc_4B8B20:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+252j
					; MiFinishMdlForMappedFileFault(x,x,x,x,x)+280j
		test	ecx, ecx
		jnz	loc_4B8C81

loc_4B8B28:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+25Ej
					; MiFinishMdlForMappedFileFault(x,x,x,x,x)+26Aj
		mov	ecx, large fs:124h
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 2
		jl	loc_4B8C51

loc_4B8B3D:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+230j
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		mov	ebx, [ebp+var_8]
		mov	[esi+0A8h], edx
		mov	[esi+0B8h], edx
		lea	eax, [ecx+0FFFh]
		mov	[esi+0C0h], edx
		shr	eax, 0Ch
		lea	edi, [ebx+10h]
		mov	[esi+0BCh], ecx
		mov	[ebp+var_18], edx
		lea	eax, ds:1Ch[eax*4]
		mov	[esi+0ACh], ax
		xor	eax, eax
		mov	[esi+0AEh], ax

loc_4B8B83:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+2A5j
		lock bts dword ptr [edi], 1Fh
		jb	loc_4B8CC3
		and	byte ptr [ebx+16h], 0DFh
		mov	ecx, ebx
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	eax, [ebp+var_20]
		mov	edi, [ebp+var_1C]
		sub	eax, edi
		sar	eax, 3
		imul	edx, [esi+eax*4+0C4h], 1Ch
		mov	ax, [esi+0AEh]
		or	ax, 42h
		movzx	ecx, ax
		add	edx, ds:_MmPfnDatabase
		cmp	byte ptr [ebp+arg_0+3],	0
		mov	[esi+0AEh], ax
		jnz	short loc_4B8BE2
		or	ecx, 4000h
		mov	[esi+0AEh], cx

loc_4B8BE2:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+1A9j
		mov	eax, [ebp+arg_4]
		and	dword ptr [esi+7Ch], 0
		mov	[esi+38h], eax
		mov	eax, [ebp+var_C]
		mov	[esi+3Ch], eax
		mov	eax, [ebp+var_10]
		mov	[esi+90h], edi
		pop	edi
		mov	[esi+94h], edx
		mov	[esi+80h], eax
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4B8C0E:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+D8j
		mov	edx, [ebp+var_4]
		xor	eax, eax
		add	edx, [ebp+arg_4]
		mov	edi, ecx
		adc	eax, [ebp+var_C]
		cmp	eax, [ebp+var_18]
		jb	loc_4B8B08
		mov	eax, [ebp+arg_8]
		ja	short loc_4B8C31
		cmp	edx, eax
		jbe	loc_4B8B08

loc_4B8C31:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+1FDj
		sub	eax, [ebp+arg_4]
		mov	edi, ecx
		add	eax, 1FFh
		and	eax, 0FFFFFE00h
		or	edi, 20000h
		mov	[ebp+var_4], eax
		mov	[esi+78h], edi
		jmp	loc_4B8B08
; 

loc_4B8C51:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+10Dj
		or	edi, 80h
		mov	[esi+78h], edi
		jmp	loc_4B8B3D
; 

loc_4B8C5F:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+C5j
		and	ecx, 0FFFDFFFFh
		mov	byte ptr [ebp+arg_0+3],	1
		mov	[esi+78h], ecx
		jmp	loc_4B8AF9
; 

loc_4B8C71:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+E8j
		cmp	byte ptr [ebx],	1
		jnz	loc_4B8B18

loc_4B8C7A:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+27Ej
		mov	ecx, ebx
		jmp	loc_4B8B20
; 

loc_4B8C81:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+F8j
		test	eax, eax
		jz	short loc_4B8C8E
		cmp	byte ptr [ebx],	2
		jz	loc_4B8B28

loc_4B8C8E:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+259j
		or	edi, 8
		mov	[esi+78h], edi
		jmp	loc_4B8B28
; 

loc_4B8C99:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+7Fj
		mov	ecx, esi
		call	_MiFlowThroughInsertNode@8 ; MiFlowThroughInsertNode(x,x)
		jmp	loc_4B8AAF
; 

loc_4B8CA5:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+F0j
		cmp	byte ptr [ebx],	2
		jz	short loc_4B8C7A
		jmp	loc_4B8B20
; 

loc_4B8CAF:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+48j
					; MiFinishMdlForMappedFileFault(x,x,x,x,x)+297j
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jns	loc_4B8A6D
		jmp	short loc_4B8CAF
; 

loc_4B8CC3:				; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+15Ej
					; MiFinishMdlForMappedFileFault(x,x,x,x,x)+2ABj
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jns	loc_4B8B83
		jmp	short loc_4B8CC3
_MiFinishMdlForMappedFileFault@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDemoteLocalLargePage(x, x, x, x)
_MiDemoteLocalLargePage@16 proc	near	; CODE XREF: MiGetPage+2E2p
					; MiGetPage+4AFp

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_99		= byte ptr -99h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_AC], edx
		push	esi
		push	edi
		test	al, 1
		jnz	loc_4B8E51
		mov	cl, byte_6D068C
		mov	esi, ebx
		shr	esi, cl
		xor	ebx, ebx
		mov	[ebp+var_B8], esi
		xor	edi, edi
		lea	ecx, [esi+esi*4]
		mov	esi, ecx
		mov	ecx, eax
		shl	esi, 7
		add	esi, [edx+10h]
		and	ecx, 2
		mov	[ebp+var_A8], ecx
		mov	edx, eax
		mov	ecx, ebx
		setz	cl
		and	edx, 1000h
		lea	eax, [esi+1D0h]
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_B4], edx
		mov	[ebp+var_A0], eax

loc_4B8D62:				; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+B2j
		add	edi, [eax]
		test	edx, edx
		jz	short loc_4B8D86
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		call	_MiNodeLargeFreeZeroPages@12 ; MiNodeLargeFreeZeroPages(x,x,x)
		mov	ecx, [ebp+var_A4]
		add	edi, eax
		mov	eax, [ebp+var_A0]
		mov	edx, [ebp+var_B4]

loc_4B8D86:				; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+86j
		inc	ebx
		add	eax, 4
		mov	[ebp+var_A0], eax
		cmp	ebx, ecx
		jle	short loc_4B8D62
		mov	esi, [ebp+var_B8]
		cmp	edi, [ebp+arg_4]
		jnb	loc_4B8E51
		mov	eax, [ebp+arg_0]
		mov	ebx, 1
		mov	[ebp+var_A0], ebx
		test	eax, 400h
		jz	short loc_4B8DBC
		xor	ebx, ebx
		jmp	short loc_4B8DC8
; 

loc_4B8DBC:				; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+D6j
		test	eax, 800h
		jz	short loc_4B8DCE
		mov	ebx, 2

loc_4B8DC8:				; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+DAj
		mov	[ebp+var_A0], ebx

loc_4B8DCE:				; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+E1j
		xor	eax, eax
		mov	cl, 2
		cmp	[ebp+var_A8], eax
		mov	edi, 2
		setnz	al
		lea	eax, ds:9[eax*4]
		mov	[ebp+var_A4], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_99], al
		mov	eax, [ebp+var_A4]
		nop

loc_4B8E00:				; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+14Fj
					; MiDemoteLocalLargePage(x,x,x,x)+163j
		mov	ecx, [ebp+var_AC]
		dec	edi
		push	ebx
		push	0
		push	[ebp+var_B0]
		mov	edx, edi
		push	esi
		push	eax
		push	1
		call	_MiGetFreeZeroLargePages@32 ; MiGetFreeZeroLargePages(x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_4B8E66
		mov	eax, [ebp+var_A4]
		mov	ebx, [ebp+var_A0]
		test	edi, edi
		jnz	short loc_4B8E00
		test	al, 1
		jz	short loc_4B8E45
		and	eax, 0FFFFFFDEh
		mov	edi, 2
		mov	[ebp+var_A4], eax
		jmp	short loc_4B8E00
; 

loc_4B8E45:				; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+153j
		mov	cl, [ebp+var_99]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4B8E51:				; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+2Dj
					; MiDemoteLocalLargePage(x,x,x,x)+BDj
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4B8E66:				; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+13Fj
		mov	esi, ds:_MiLargePageSizes[edi*4]
		mov	ecx, ebx
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+var_AC]
		mov	edx, [eax+0FC0h]
		test	edx, edx
		jz	short loc_4B8E9F
		dec	edx

loc_4B8E9F:				; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+1BCj
		push	0
		mov	ecx, eax
		call	MiPageAvailableEx
		test	eax, eax
		jz	short loc_4B8EC3
		lea	ecx, [esi-1]
		and	ecx, [ebp+var_B0]
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		lea	esi, [ebx+eax*4]
		jmp	short loc_4B8EC5
; 

loc_4B8EC3:				; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+1CAj
		xor	esi, esi

loc_4B8EC5:				; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+1E1j
		mov	ecx, ebx
		call	_MiIsFreeZeroPfnCold@4 ; MiIsFreeZeroPfnCold(x)
		test	eax, eax
		jz	short loc_4B8F2B
		test	ds:_HvlEnlightenments, 200000h
		jz	short loc_4B8F2B
		push	84h		; size_t
		lea	eax, [ebp+var_8C]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_A8]
		lea	ecx, [ebp+var_98]
		add	esp, 0Ch
		mov	[ebp+var_98], 1
		mov	[ebp+var_94], 0
		mov	[ebp+var_90], 1
		push	edi
		call	_MiAddPageToHeatList@12	; MiAddPageToHeatList(x,x,x)
		xor	edx, edx
		mov	ecx, ebx
		call	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)

loc_4B8F2B:				; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+1EEj
					; MiDemoteLocalLargePage(x,x,x,x)+1FAj
		mov	ecx, ebx
		call	_MiIsFreshPfnFromZeroedList@4 ;	MiIsFreshPfnFromZeroedList(x)
		xor	ecx, ecx
		mov	edx, edi
		push	0
		test	eax, eax
		push	esi
		setz	cl
		push	ecx
		push	1
		mov	ecx, ebx
		call	_MiConvertEntireLargePageToSmall@24 ; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)
		mov	cl, [ebp+var_99]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_MiDemoteLocalLargePage@16 endp

; 
		align 2

; __stdcall MiUnlockPageTableCharges(x,	x)
_MiUnlockPageTableCharges@8:		; CODE XREF: MiCopyOnWrite(x,x,x,x)+4A2p
					; .text:0047A26Dp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	esi, ecx
		push	2
		pop	ecx
		xor	edi, edi
		mov	[ebp-4], ecx
		inc	ebx
		mov	[ebp-0Ch], edi
		cmp	edx, ecx
		jnz	short loc_4B8F92
		mov	ecx, esi
		call	_MiIsLowestPageTablePage@4 ; MiIsLowestPageTablePage(x)
		jmp	short loc_4B8F98
; 

loc_4B8F92:				; CODE XREF: .text:004B8F87j
		test	edx, edx
		jz	short loc_4B8FA3
		mov	eax, ebx

loc_4B8F98:				; CODE XREF: .text:004B8F90j
		mov	[ebp-4], ebx
		test	eax, eax
		jz	loc_4B908B

loc_4B8FA3:				; CODE XREF: .text:004B8F94j
		mov	eax, [esi+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 10000h
		jb	loc_4B908B
		xor	edx, edx
		xor	ebx, ebx
		mov	[ebp-8], edx

loc_4B8FBD:				; CODE XREF: .text:004B9050j
		mov	eax, [esi+18h]
		and	dword ptr [ebp-14h], 0
		and	eax, offset loc_7FFFFF
		mov	[ebp-18h], eax
		lea	eax, [esi+10h]
		mov	[ebp-10h], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_4B8FF4
		lea	edi, [esi+10h]

loc_4B8FDC:				; CODE XREF: .text:004B8FE8j
					; .text:004B8FEFj
		lea	ecx, [ebp-14h]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_4B8FDC
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4B8FDC
		mov	edi, [ebp-0Ch]

loc_4B8FF4:				; CODE XREF: .text:004B8FD7j
		mov	edx, 0FFFF0000h
		mov	ecx, esi
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		lea	eax, [esi+10h]
		mov	ecx, [eax]
		and	ecx, 3FFFFFFFh
		cmp	ecx, 10000h
		jnb	short loc_4B9055
		test	edi, edi
		jnz	short loc_4B901F
		mov	edi, offset _MiSystemPartition
		mov	[ebp-0Ch], edi

loc_4B901F:				; CODE XREF: .text:004B9015j
		inc	dword ptr [ebp-8]
		test	ecx, ecx
		jnz	short loc_4B9038
		xor	edx, edx
		mov	ecx, esi
		call	_MiPfnShareCountIsZero@8 ; MiPfnShareCountIsZero(x,x)
		cmp	eax, 3
		mov	eax, [ebp-10h]
		jz	short loc_4B9038
		inc	ebx

loc_4B9038:				; CODE XREF: .text:004B9024j
					; .text:004B9035j
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		sub	dword ptr [ebp-4], 1
		jz	short loc_4B905D
		imul	esi, [ebp-18h],	1Ch
		add	esi, ds:_MmPfnDatabase
		jmp	loc_4B8FBD
; 

loc_4B9055:				; CODE XREF: .text:004B9011j
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_4B905D:				; CODE XREF: .text:004B9044j
		mov	edx, [ebp-8]
		test	edx, edx
		jz	short loc_4B9079
		mov	ecx, edi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_4B9079
		lea	esi, [edi+1000h]
		lock xadd [esi], eax

loc_4B9079:				; CODE XREF: .text:004B9062j
					; .text:004B906Dj
		test	ebx, ebx
		jz	short loc_4B9086
		mov	edx, ebx
		mov	ecx, edi
		call	MiReturnCommit

loc_4B9086:				; CODE XREF: .text:004B907Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4B908B:				; CODE XREF: .text:004B8F9Dj
					; .text:004B8FB0j
		mov	eax, [esi+10h]
		and	eax, 3FFFFFFFh
		push	eax
		mov	eax, [esi+4]
		or	eax, 80000000h
		push	eax
		push	esi
		push	41791h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiChangePageAttributeBatch proc	near	; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+6AAp
					; MiConvertContiguousPages(x,x,x)+CFp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C3178 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	edi, ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_1], 21h

loc_4B90C3:				; CODE XREF: MiChangePageAttributeBatch+14Aj
		test	edi, edi
		jz	loc_4B9219
		xor	ebx, ebx
		mov	[ebp+var_C], 1
		and	[ebp+var_10], ebx
		mov	esi, edi
		mov	[ebp+var_18], ebx
		test	edi, edi
		jz	short loc_4B912B
		mov	edi, [ebp+var_C]

loc_4B90E3:				; CODE XREF: MiChangePageAttributeBatch+70j
		cmp	ebx, 1000h
		jnb	short loc_4B911E
		test	ebx, ebx
		jz	loc_4B91FB
		lea	eax, [esi+10h]
		lock bts dword ptr [eax], 1Fh
		jb	short loc_4B911E

loc_4B90FD:				; CODE XREF: MiChangePageAttributeBatch+159j
		mov	al, [esi+16h]
		mov	ecx, esi
		and	al, 0C0h
		sub	al, 0C0h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	edi, eax
		call	MiAbortCombineScan
		mov	esi, [esi+8]
		inc	ebx
		test	esi, esi
		jnz	short loc_4B90E3

loc_4B911E:				; CODE XREF: MiChangePageAttributeBatch+3Dj
					; MiChangePageAttributeBatch+4Fj
		mov	[ebp+var_C], edi
		test	edi, edi
		mov	edi, [ebp+var_14]
		mov	[ebp+var_18], ebx
		jz	short loc_4B9130

loc_4B912B:				; CODE XREF: MiChangePageAttributeBatch+32j
					; MiChangePageAttributeBatch+10A0E5j
		mov	edx, [ebp+var_8]
		jmp	short loc_4B9150
; 

loc_4B9130:				; CODE XREF: MiChangePageAttributeBatch+7Dj
		inc	dword_6D06D8
		push	2
		pop	edx
		push	4
		pop	ecx
		call	KeFlushTb
		mov	edx, [ebp+var_8]
		cmp	ebx, dword_6D06E4
		jnb	loc_5C3178

loc_4B9150:				; CODE XREF: MiChangePageAttributeBatch+82j
					; MiChangePageAttributeBatch+10A0D1j
		and	[ebp+var_14], 0
		mov	esi, edi
		test	edi, edi
		jz	loc_4B9219
		mov	bl, dl
		shl	bl, 6
		mov	[ebp+var_2], bl

loc_4B9166:				; CODE XREF: MiChangePageAttributeBatch+141j
		mov	al, [esi+16h]
		movzx	ecx, al
		and	al, 3Fh
		or	al, bl
		shr	ecx, 6
		mov	[esi+16h], al
		cmp	edx, 1
		jz	short loc_4B91AF
		cmp	ecx, 1
		jnz	short loc_4B91AF
		cmp	[ebp+var_10], 0
		jnz	short loc_4B91AF
		cmp	[ebp+var_C], 0
		jnz	short loc_4B91AF
		cmp	ecx, edx
		jz	short loc_4B91AF
		push	edx
		mov	eax, esi
		inc	dword_6D06E0
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		call	_MiFlushCacheForAttributeChange@12 ; MiFlushCacheForAttributeChange(x,x,x)

loc_4B91AF:				; CODE XREF: MiChangePageAttributeBatch+CDj
					; MiChangePageAttributeBatch+D2j ...
		mov	ecx, [ebp+var_14]
		lea	eax, [esi+10h]
		and	dword ptr [eax], 0F87FFFFFh
		mov	edx, 7FFFFFFFh
		inc	ecx
		mov	[ebp+var_14], ecx
		lock and [eax],	edx
		lea	ebx, [esi+8]
		cmp	ecx, [ebp+var_18]
		jz	short loc_4B920A
		mov	esi, [ebx]

loc_4B91D1:				; CODE XREF: MiChangePageAttributeBatch+16Bj
		mov	edx, [ebp+arg_0]
		mov	eax, edx
		mov	ecx, [ebp+arg_4]
		and	eax, ecx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4B91E5
		mov	[ebx], edx
		mov	[ebx+4], ecx

loc_4B91E5:				; CODE XREF: MiChangePageAttributeBatch+132j
		mov	edx, [ebp+var_8]
		mov	bl, [ebp+var_2]
		test	esi, esi
		jnz	loc_4B9166
		mov	[ebp+var_14], edi
		jmp	loc_4B90C3
; 

loc_4B91FB:				; CODE XREF: MiChangePageAttributeBatch+41j
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp+var_1], al
		jmp	loc_4B90FD
; 

loc_4B920A:				; CODE XREF: MiChangePageAttributeBatch+121j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, [ebx]
		xor	esi, esi
		jmp	short loc_4B91D1
; 

loc_4B9219:				; CODE XREF: MiChangePageAttributeBatch+19j
					; MiChangePageAttributeBatch+ACj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
MiChangePageAttributeBatch endp


;  S U B	R O U T	I N E 


MiAbortCombineScan proc	near		; CODE XREF: .text:0047DB5Bp
					; MiInitializeMdlPfn(x,x)+72p ...

; FUNCTION CHUNK AT 005C3196 SIZE 00000056 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		call	_MiPageCombiningActive@4 ; MiPageCombiningActive(x)
		test	eax, eax
		jnz	loc_5C3196

loc_4B9236:				; CODE XREF: MiAbortCombineScan+109FC7j
		pop	edi
		pop	esi
		pop	ebx
		retn
MiAbortCombineScan endp


;  S U B	R O U T	I N E 


; __stdcall MiPageCombiningActive(x)
_MiPageCombiningActive@4 proc near	; CODE XREF: MiAbortCombineScan+9p
					; MiChangePageAttribute+4Fp ...
		test	ecx, ecx
		jnz	short loc_4B9249
		cmp	dword_6D2F84, ecx

loc_4B9244:				; CODE XREF: MiPageCombiningActive(x)+16j
		jnz	short loc_4B9252
		xor	eax, eax
		retn
; 

loc_4B9249:				; CODE XREF: MiPageCombiningActive(x)+2j
		cmp	dword ptr [ecx+0E40h], 0
		jmp	short loc_4B9244
; 

loc_4B9252:				; CODE XREF: MiPageCombiningActive(x):loc_4B9244j
		xor	eax, eax
		inc	eax
		retn
_MiPageCombiningActive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFlushCacheForAttributeChange(x, x, x)
_MiFlushCacheForAttributeChange@12 proc	near ; CODE XREF: MiChangePageAttributeBatch+FEp
					; MiChangePageAttribute+DFp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		cmp	[ebp+arg_0], 2
		mov	eax, ecx
		push	esi
		setz	bl
		dec	ebx
		and	ebx, 0EFFFFFFEh
		push	edi
		mov	edi, edx
		add	ebx, 0D0000002h
		test	edi, edi
		jz	short loc_4B92B2

loc_4B9281:				; CODE XREF: MiFlushCacheForAttributeChange(x,x,x)+5Aj
		push	ebx
		xor	edx, edx
		mov	ecx, eax
		call	MiMapPageInHyperSpaceWorker
		mov	esi, eax
		push	1000h
		push	esi
		call	KeInvalidateRangeAllCachesNoIpi
		push	80000000h
		mov	dl, 21h
		mov	ecx, esi
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax
		sub	edi, 1
		jnz	short loc_4B9281

loc_4B92B2:				; CODE XREF: MiFlushCacheForAttributeChange(x,x,x)+29j
		cmp	[ebp+arg_0], 3
		jz	short loc_4B92BF

loc_4B92B8:				; CODE XREF: MiFlushCacheForAttributeChange(x,x,x)+6Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4B92BF:				; CODE XREF: MiFlushCacheForAttributeChange(x,x,x)+60j
		call	_MiFlushHyperSpace@0 ; MiFlushHyperSpace()
		jmp	short loc_4B92B8
_MiFlushCacheForAttributeChange@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateSoftwareWsle proc near		; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+3ACp
					; MiCreatePteWsle(x,x,x)+1Cp

var_28		= dword	ptr -28h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C31EC SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ecx
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	eax, [eax+10h]
		push	edi
		mov	[ebp+var_8], eax
		mov	edi, edx
		shr	edi, 3
		movzx	eax, byte ptr [eax+60h]
		and	edi, 0FFFFFh
		and	eax, 7
		add	edi, dword_6D2E68[eax*4]
		mov	ecx, edi
		call	MmIsAddressValidEx
		test	al, al
		jnz	short loc_4B937B
		lea	edx, [ebp+var_10]
		mov	[ebp+var_10], 0
		mov	ecx, edi
		mov	[ebp+var_C], 0
		call	_MiFillPteHierarchy@8 ;	MiFillPteHierarchy(x,x)
		xor	ebx, ebx
		mov	esi, 2
		lea	esp, [esp+0]

loc_4B9330:				; CODE XREF: MiCreateSoftwareWsle+81j
		mov	edx, [ebp+esi*4+var_14]
		dec	esi
		mov	ecx, [edx]
		nop
		and	ecx, 1
		or	ecx, 0
		jnz	short loc_4B934F
		push	esi
		push	edx
		push	[ebp+var_4]
		call	MiCreateSystemPageTable
		test	eax, eax
		jnz	short loc_4B937F

loc_4B934E:				; CODE XREF: MiCreateSoftwareWsle+B2j
		inc	ebx

loc_4B934F:				; CODE XREF: MiCreateSoftwareWsle+6Ej
		test	esi, esi
		jnz	short loc_4B9330
		push	1000h		; size_t
		mov	eax, edi
		and	eax, 0FFFFF000h
		push	0Ah		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	al, 0Ah

loc_4B936C:				; CODE XREF: MiCreateSoftwareWsle+ADj
		and	al, 0F9h
		or	al, 9
		mov	[edi], al
		xor	eax, eax

loc_4B9374:				; CODE XREF: MiCreateSoftwareWsle+109F32j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4B937B:				; CODE XREF: MiCreateSoftwareWsle+38j
		mov	al, [edi]
		jmp	short loc_4B936C
; 

loc_4B937F:				; CODE XREF: MiCreateSoftwareWsle+7Cj
		cmp	eax, 1
		jz	short loc_4B934E
		jmp	loc_5C31EC
MiCreateSoftwareWsle endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateSystemPageTable	proc near	; CODE XREF: MiCreateSoftwareWsle+75p
					; DATA XREF: MiMakeZeroedPageTablesEx+17Ao

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C3207 SIZE 0000008D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 28h
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edx, [eax]
		mov	[esp+30h+var_24], 0
		mov	esi, [esi+48h]
		mov	[esp+30h+var_10], 0
		mov	[esp+30h+var_C], 0
		nop
		mov	edi, [eax+4]
		mov	eax, edx
		and	eax, 1
		mov	[esp+30h+var_1C], edi
		mov	[esp+30h+var_20], eax
		or	eax, 0
		mov	[esp+30h+var_8], edx
		mov	[esp+30h+var_4], edi
		jnz	loc_4B9531
		mov	edi, [ebp+arg_8]

loc_4B93E5:				; CODE XREF: MiCreateSystemPageTable+1C6j
					; MiCreateSystemPageTable+1E3j	...
		lea	eax, [esp+30h+var_24]
		mov	edx, 1
		push	eax
		mov	ecx, esi
		call	MiGetPageTablePages
		mov	ecx, eax
		test	ecx, ecx
		js	loc_5C3207
		mov	ecx, [esp+30h+var_24]
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		inc	dword ptr [esi+14h]
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		test	byte ptr ds:_MiFlags, 80h
		mov	[esp+30h+var_1C], ecx
		jnz	loc_5C324F

loc_4B9431:				; CODE XREF: MiCreateSystemPageTable+109ED0j
					; MiCreateSystemPageTable+109EE4j
		mov	eax, [esp+30h+var_20]
		or	eax, 0
		jnz	loc_4B95DE
		test	byte ptr [esi+20h], 40h
		jz	loc_4B94E5
		test	edi, edi
		jnz	loc_4B94E5
		push	80000000h
		xor	edx, edx
		call	MiMapPageInHyperSpaceWorker
		push	1000h		; size_t
		mov	edi, eax
		push	0Ah		; int
		push	edi		; void *
		call	_memset
		mov	eax, large fs:20h
		add	esp, 0Ch
		mov	[esp+30h+var_10], eax
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		mov	eax, [eax+3D34h]
		mov	ecx, eax
		and	ecx, 0FFFh
		and	eax, 0FFFFF000h
		mov	[esp+30h+var_14], eax
		mov	[esp+30h+var_1C], ecx
		lea	eax, [ecx+1]
		mov	[esp+30h+var_18], eax
		mov	eax, ds:_ZeroPte
		mov	[edi-40000000h], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edi-3FFFFFFCh], eax
		cmp	ecx, 0FFh
		jz	loc_4B95D0

loc_4B94C6:				; CODE XREF: MiCreateSystemPageTable+249j
		mov	eax, [esp+30h+var_10]
		sub	ecx, 0FFh
		neg	ecx
		sbb	ecx, ecx
		and	ecx, [esp+30h+var_18]
		or	ecx, [esp+30h+var_14]
		mov	[eax+3D34h], ecx

loc_4B94E2:				; CODE XREF: MiCreateSystemPageTable+295j
		mov	edi, [ebp+arg_8]

loc_4B94E5:				; CODE XREF: MiCreateSystemPageTable+B2j
					; MiCreateSystemPageTable+BAj ...
		lea	eax, [esi+2Ch]
		mov	edx, edi
		push	eax
		push	[esp+34h+var_24]
		mov	ecx, esi
		mov	[esp+38h+var_10], eax
		push	[ebp+arg_4]
		call	MiInitializeSystemPageTable
		cmp	edi, 1
		jz	loc_4B9598
		mov	esi, [ebp+arg_4]

loc_4B9509:				; CODE XREF: MiCreateSystemPageTable+20Fj
					; MiCreateSystemPageTable+221j
		mov	ecx, [ebp+arg_0]
		movzx	eax, byte ptr [ecx+2]
		shr	eax, 2
		and	eax, 7
		cmp	edi, eax
		jg	loc_4B95B6
		cmp	edi, 1
		jg	loc_5C3287

loc_4B9527:				; CODE XREF: MiCreateSystemPageTable+1ABj
					; MiCreateSystemPageTable+1F3j	...
		xor	eax, eax

loc_4B9529:				; CODE XREF: MiCreateSystemPageTable+109EAAj
					; MiCreateSystemPageTable+109EBAj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B9531:				; CODE XREF: MiCreateSystemPageTable+4Cj
		mov	eax, edx
		and	eax, 80h
		or	eax, 0
		jnz	short loc_4B9527
		nop
		mov	eax, edi
		mov	ecx, edx
		mov	edi, [ebp+arg_8]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		cmp	ecx, dword_6D3518[edi*4]
		jz	loc_4B93E5
		nop
		mov	ecx, [esp+30h+var_1C]
		mov	eax, edx
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		cmp	eax, dword_6D3510[edi*4]
		jz	loc_4B93E5
		mov	eax, edx
		and	eax, 800h
		or	eax, 0
		jnz	short loc_4B9527
		and	edx, 42h
		or	edx, eax
		jz	loc_4B93E5
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B9598:				; CODE XREF: MiCreateSystemPageTable+170j
		cmp	dword ptr [esi+18h], 2
		mov	esi, [ebp+arg_4]
		jz	loc_4B9509
		mov	ecx, esi
		shl	ecx, 9
		mov	edx, ecx
		call	MiReplicatePteChange
		jmp	loc_4B9509
; 

loc_4B95B6:				; CODE XREF: MiCreateSystemPageTable+188j
		mov	eax, [esp+30h+var_20]
		or	eax, 0
		jnz	loc_5C3279

loc_4B95C3:				; CODE XREF: MiCreateSystemPageTable+109EF2j
		pop	edi
		mov	eax, 1
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B95D0:				; CODE XREF: MiCreateSystemPageTable+130j
		call	_MiFlushHyperSpace@0 ; MiFlushHyperSpace()
		mov	ecx, [esp+30h+var_1C]
		jmp	loc_4B94C6
; 

loc_4B95DE:				; CODE XREF: MiCreateSystemPageTable+A8j
		mov	eax, large fs:20h
		mov	edx, [ebp+arg_4]
		shl	edx, 9
		mov	[esp+30h+var_1C], edx
		cmp	dword ptr [eax+3D34h], 0
		jz	short loc_4B962A
		push	80000000h
		xor	edx, edx
		call	MiMapPageInHyperSpaceWorker
		push	1000h		; size_t
		push	[esp+34h+var_1C] ; void	*
		mov	edi, eax
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	dl, 21h
		mov	ecx, edi
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		jmp	loc_4B94E2
; 

loc_4B962A:				; CODE XREF: MiCreateSystemPageTable+265j
		call	MxCopyPage
		jmp	loc_4B94E5
MiCreateSystemPageTable	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeSystemPageTable proc near	; CODE XREF: MiCreateSystemPageTable+168p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C3294 SIZE 000000A5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_2C]
		mov	[ebp+var_1C], edx
		stosd
		mov	[ebp+var_14], ecx
		mov	[ebp+var_18], 0
		stosd
		stosd
		mov	edi, [esi]
		nop
		mov	eax, [esi+4]
		mov	ecx, [ebp+arg_4]
		sub	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_C], eax
		mov	eax, 92492493h
		imul	ecx
		mov	eax, esi
		add	edx, ecx
		shl	eax, 9
		sar	edx, 4
		mov	ebx, edx
		shr	ebx, 1Fh
		lea	ecx, [eax+40000000h]
		add	ebx, edx
		mov	[ebp+var_C], ecx
		cmp	ecx, offset loc_7FFFFF
		jbe	loc_4B9852
		and	edi, 1
		or	edi, 0
		jnz	loc_4B9944
		mov	eax, [ebp+var_14]
		mov	eax, [eax+0D4h]

loc_4B96B7:				; CODE XREF: MiInitializeSystemPageTable+306j
		push	eax
		mov	ecx, ebx
		call	MiFillPhysicalPages
		mov	edx, 90000004h

loc_4B96C4:				; CODE XREF: MiInitializeSystemPageTable+217j
		mov	eax, esi
		cmp	esi, 0C0000000h
		jb	short loc_4B96E1
		mov	edi, edi

loc_4B96D0:				; CODE XREF: MiInitializeSystemPageTable+9Fj
		cmp	eax, 0C07FFFFFh
		ja	short loc_4B96E1
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	short loc_4B96D0

loc_4B96E1:				; CODE XREF: MiInitializeSystemPageTable+8Cj
					; MiInitializeSystemPageTable+95j
		cmp	eax, dword_6D07D0
		jb	short loc_4B9706
		mov	ecx, eax
		shr	ecx, 15h
		mov	cl, byte ptr dword_6D3994[ecx]
		cmp	cl, 1
		jz	loc_4B9924
		cmp	cl, 0Bh
		jz	loc_4B9924

loc_4B9706:				; CODE XREF: MiInitializeSystemPageTable+A7j
		cmp	eax, ds:_MmHighestUserAddress
		jbe	short loc_4B9726
		cmp	eax, dword_6D2E88
		jb	loc_4B9909
		cmp	eax, dword_6D2E8C
		ja	loc_4B9909

loc_4B9726:				; CODE XREF: MiInitializeSystemPageTable+CCj
					; MiInitializeSystemPageTable+2DFj
		mov	[ebp+var_18], 4

loc_4B972D:				; CODE XREF: MiInitializeSystemPageTable+2CEj
					; MiInitializeSystemPageTable+2D9j ...
		mov	eax, [ebp+arg_4]
		mov	ecx, esi
		mov	dword ptr [eax], 0
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		cmp	[ebp+var_C], offset loc_7FFFFF
		mov	[ebp+var_14], eax
		jbe	loc_4B985C

loc_4B974D:				; CODE XREF: MiInitializeSystemPageTable+222j
		push	edx
		mov	edx, ebx
		mov	ecx, esi
		call	MiMakeValidPte
		cmp	[ebp+var_1C], 1
		mov	edi, eax
		mov	ecx, edx
		mov	[ebp+var_C], edi
		mov	[ebp+var_4], ecx
		jz	loc_4B9867

loc_4B976B:				; CODE XREF: MiInitializeSystemPageTable+22Ej
					; MiInitializeSystemPageTable+242j ...
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[ebx*8]
		sub	ecx, ebx
		lea	ebx, [eax+ecx*4]
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebx+4], esi
		lea	edi, [ebx+10h]
		mov	esi, [edi]
		push	0
		and	esi, 0F87FFFFFh
		mov	byte ptr [ebp+arg_4+3],	al
		push	80h
		mov	[edi], esi
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebx+8], eax
		and	esi, 0C0000001h
		mov	eax, 1
		mov	[ebx+0Ch], edx
		mov	[ebx+14h], ax
		or	esi, eax
		mov	al, [ebx+16h]
		or	al, 10h
		mov	[edi], esi
		mov	esi, [ebp+var_14]
		mov	[ebx+16h], al
		mov	al, [ebx+16h]
		and	al, 0FEh
		or	al, 6
		mov	[ebx+16h], al
		mov	eax, [ebx+18h]
		xor	eax, esi
		and	eax, offset loc_7FFFFF
		xor	[ebx+18h], eax
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	al, byte ptr [ebp+arg_4+3]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		cmp	al, 21h
		jz	short loc_4B97F6
		mov	cl, al
		call	edi

loc_4B97F6:				; CODE XREF: MiInitializeSystemPageTable+1B0j
		mov	ecx, esi
		call	MiLockAndIncrementShareCount
		mov	ebx, [ebp+var_1C]
		cmp	ebx, 1
		jz	loc_4B98BD

loc_4B9809:				; CODE XREF: MiInitializeSystemPageTable+28Aj
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi]
		nop
		and	ecx, 1
		or	ecx, 0
		jnz	loc_4B994B
		mov	ecx, esi
		xor	edx, edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5C32B0
		mov	ecx, [ebp+var_C]

loc_4B982F:				; CODE XREF: MiInitializeSystemPageTable+109C88j
					; MiInitializeSystemPageTable+109CC1j
		mov	eax, [ebp+var_4]

loc_4B9832:				; CODE XREF: MiInitializeSystemPageTable+109C99j
					; MiInitializeSystemPageTable+109CA4j
		mov	[esi+4], eax
		nop
		mov	[esi], ecx
		test	edx, edx
		jnz	loc_5C3306

loc_4B9840:				; CODE XREF: MiInitializeSystemPageTable+109CCFj
		cmp	ebx, 1
		jz	loc_4B98CF

loc_4B9849:				; CODE XREF: MiInitializeSystemPageTable+2C4j
					; MiInitializeSystemPageTable+320j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4B9852:				; CODE XREF: MiInitializeSystemPageTable+5Cj
		mov	edx, 90000006h
		jmp	loc_4B96C4
; 

loc_4B985C:				; CODE XREF: MiInitializeSystemPageTable+107j
		or	edx, 8000000h
		jmp	loc_4B974D
; 

loc_4B9867:				; CODE XREF: MiInitializeSystemPageTable+125j
		test	byte ptr ds:_MiFlags, 30h
		jz	loc_4B976B
		mov	eax, [ebp+var_18]
		test	al, 1
		jnz	loc_4B9930
		cmp	eax, 4
		jnb	loc_4B976B
		mov	eax, ds:_PsInitialSystemProcess
		test	eax, eax
		jz	loc_5C3294
		mov	eax, [eax+194h]
		lea	ecx, [esi+3FA00000h]
		shr	ecx, 0Ch
		mov	edx, [eax+ecx*8]
		mov	eax, [eax+ecx*8+4]

loc_4B98AB:				; CODE XREF: MiInitializeSystemPageTable+109C6Bj
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		mov	[ebp+var_14], edx
		jmp	loc_4B976B
; 

loc_4B98BD:				; CODE XREF: MiInitializeSystemPageTable+1C3j
		lea	edx, [ebp+var_2C]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		jmp	loc_4B9809
; 

loc_4B98CF:				; CODE XREF: MiInitializeSystemPageTable+203j
		mov	esi, 1

loc_4B98D4:				; CODE XREF: MiInitializeSystemPageTable+109CE4j
		test	ds:byte_70EFC6,	1
		jnz	loc_5C3329
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	loc_4B9973
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_2C]
		cmp	eax, ecx
		jnz	short loc_4B996B

loc_4B98FF:				; CODE XREF: MiInitializeSystemPageTable+340j
					; MiInitializeSystemPageTable+109CF4j
		mov	cl, [ebp+var_24]
		call	edi
		jmp	loc_4B9849
; 

loc_4B9909:				; CODE XREF: MiInitializeSystemPageTable+D4j
					; MiInitializeSystemPageTable+E0j
		cmp	eax, 0C0000000h
		jb	loc_4B972D
		cmp	eax, 0C07FFFFFh
		ja	loc_4B972D
		jmp	loc_4B9726
; 

loc_4B9924:				; CODE XREF: MiInitializeSystemPageTable+B7j
					; MiInitializeSystemPageTable+C0j
		mov	[ebp+var_18], 1
		jmp	loc_4B972D
; 

loc_4B9930:				; CODE XREF: MiInitializeSystemPageTable+239j
		push	ecx
		mov	ecx, esi
		push	edi
		shl	ecx, 12h
		call	_MiUpdateSessionPdeMaster@12 ; MiUpdateSessionPdeMaster(x,x,x)
		mov	[ebp+var_14], eax
		jmp	loc_4B976B
; 

loc_4B9944:				; CODE XREF: MiInitializeSystemPageTable+68j
		mov	eax, [eax]
		jmp	loc_4B96B7
; 

loc_4B994B:				; CODE XREF: MiInitializeSystemPageTable+1D5j
		mov	eax, [ebp+var_4]
		mov	edx, esi
		mov	ecx, [ebp+var_C]
		push	eax
		push	ecx
		push	ebx
		mov	ecx, esi
		call	MiTransformValidPteInPlace
		cmp	ebx, 1
		jnz	loc_4B9849
		jmp	loc_5C3314
; 

loc_4B996B:				; CODE XREF: MiInitializeSystemPageTable+2BDj
		lea	ecx, [ebp+var_2C]
		call	KxWaitForLockChainValid

loc_4B9973:				; CODE XREF: MiInitializeSystemPageTable+2A6j
		mov	[ebp+var_2C], 0
		add	eax, 4
		lock xor [eax],	esi
		jmp	loc_4B98FF
MiInitializeSystemPageTable endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockAndIncrementShareCount proc near	; CODE XREF: MiInitializePfnForOtherProcess+B1p
					; MiInitializeSystemPageTable+1B8p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C3339 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		imul	edi, ecx, 1Ch
		mov	cl, 2
		add	edi, ds:_MmPfnDatabase
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	[ebp+var_4], 0
		lea	esi, [edi+10h]
		mov	bl, al

loc_4B99A9:				; CODE XREF: MiLockAndIncrementShareCount+1099C1j
		lock bts dword ptr [esi], 1Fh
		jb	loc_5C3339
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiLockAndIncrementShareCount endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiUpdateShareCount(x, x)
_MiUpdateShareCount@8 proc near		; CODE XREF: MiHandleCollidedFault(x,x,x,x,x,x)+ECp
					; MiBuildReservationCluster(x,x,x,x)+215p ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx+10h]
		mov	eax, esi
		push	edi
		mov	edi, 3FFFFFFFh
		and	eax, edi
		add	eax, edx
		mov	edx, esi
		xor	edx, eax
		and	edx, edi
		xor	edx, esi
		pop	edi
		mov	[ecx+10h], edx
		pop	esi
		retn
_MiUpdateShareCount@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetPageTablePages proc near		; CODE XREF: MiCreateSystemPageTable+61p
					; MiDemoteValidLargePageOneLevel(x)+12Cp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C334C SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		and	[eax], ebx
		mov	esi, edx
		mov	[ebp+var_18], esi
		mov	edx, [edi+20h]
		mov	eax, [edi+0Ch]
		mov	[ebp+var_4], eax
		test	dl, 8
		jz	loc_4B9AA3

loc_4B9A1F:				; CODE XREF: MiGetPageTablePages+B5j
		and	[ebp+var_10], ebx

loc_4B9A22:				; CODE XREF: MiGetPageTablePages+D8j
		and	[ebp+var_8], ebx
		and	edx, 400h
		or	edx, 20C280h
		shr	edx, 6
		mov	[ebp+var_C], edx
		test	esi, esi
		jz	short loc_4B9A95

loc_4B9A3B:				; CODE XREF: MiGetPageTablePages+E7j
		mov	eax, [edi+0C8h]
		xor	ecx, ecx
		inc	ecx
		lock xadd [eax], ecx
		inc	ecx
		mov	eax, [edi+0CCh]
		dec	ecx
		and	eax, ecx
		mov	ecx, [ebp+var_4]
		or	eax, [edi+0D0h]
		push	edx
		mov	edx, eax
		mov	[ebp+var_14], eax
		call	MiGetPage
		cmp	eax, 0FFFFFFFFh
		jz	loc_5C334C

loc_4B9A6F:				; CODE XREF: MiGetPageTablePages+109982j
		imul	esi, eax, 1Ch
		xor	edx, edx
		push	0
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiSetPfnTbFlushStamp@12 ; MiSetPfnTbFlushStamp(x,x,x)
		mov	eax, [ebp+var_8]
		mov	[esi], ebx
		inc	eax
		mov	ebx, esi
		mov	[ebp+var_8], eax
		mov	esi, [ebp+var_18]
		cmp	eax, esi
		jb	short loc_4B9AD8

loc_4B9A95:				; CODE XREF: MiGetPageTablePages+45j
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx
		xor	eax, eax

loc_4B9A9C:				; CODE XREF: MiGetPageTablePages+E2j
					; MiGetPageTablePages+1099C0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4B9AA3:				; CODE XREF: MiGetPageTablePages+25j
		cmp	[eax+1114h], ebx
		jz	loc_4B9A1F
		push	dword ptr [edi+18h]
		mov	edx, esi
		mov	ecx, eax
		call	MiObtainSystemCharges
		test	eax, eax
		jz	short loc_4B9AD1
		add	[edi+10h], esi
		mov	edx, [edi+20h]
		mov	[ebp+var_10], 1
		jmp	loc_4B9A22
; 

loc_4B9AD1:				; CODE XREF: MiGetPageTablePages+C9j
		mov	eax, 0C000012Dh
		jmp	short loc_4B9A9C
; 

loc_4B9AD8:				; CODE XREF: MiGetPageTablePages+9Fj
		mov	edx, [ebp+var_C]
		jmp	loc_4B9A3B
MiGetPageTablePages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetPfnTbFlushStamp(x, x, x)
_MiSetPfnTbFlushStamp@12 proc near	; CODE XREF: MiTradePage(x,x)+636p
					; MiGetPageTablePages+8Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		and	esi, 0Fh
		shl	esi, 17h
		cmp	[ebp+arg_0], 1
		push	edi
		lea	edi, [ecx+10h]
		jnz	short loc_4B9B09
		mov	eax, [edi]
		and	eax, 0F87FFFFFh
		or	eax, esi
		mov	[edi], eax

loc_4B9B03:				; CODE XREF: MiSetPfnTbFlushStamp(x,x,x)+42j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4B9B09:				; CODE XREF: MiSetPfnTbFlushStamp(x,x,x)+16j
		mov	ecx, [edi]
		mov	edx, ecx
		push	ebx
		mov	ebx, 0F87FFFFFh
		mov	eax, ecx

loc_4B9B15:				; CODE XREF: MiSetPfnTbFlushStamp(x,x,x)+48j
		and	edx, ebx
		or	edx, esi
		lock cmpxchg [edi], edx
		cmp	ecx, eax
		jnz	short loc_4B9B24
		pop	ebx
		jmp	short loc_4B9B03
; 

loc_4B9B24:				; CODE XREF: MiSetPfnTbFlushStamp(x,x,x)+3Fj
		mov	ecx, eax
		mov	edx, eax
		jmp	short loc_4B9B15
_MiSetPfnTbFlushStamp@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFillPhysicalPages proc near		; CODE XREF: MiZeroPhysicalPage+79p
					; MiGetPoolPages+1EDp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C33B9 SIZE 0000007F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, large fs:20h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_14], ecx
		mov	eax, [eax+3D34h]
		mov	esi, ecx
		and	[ebp+var_18], ebx
		push	edi
		mov	byte ptr [ebp+var_1], 21h
		mov	[ebp+var_1C], eax

loc_4B9B52:				; CODE XREF: MiFillPhysicalPages+7Bj
		test	eax, eax
		jz	short loc_4B9BBD
		push	80000000h
		lea	edx, [ebp+var_1]
		mov	ecx, esi
		call	MiMapPageInHyperSpaceWorker
		mov	edi, eax

loc_4B9B67:				; CODE XREF: MiFillPhysicalPages+F0j
		cmp	[ebp+arg_0], 0
		jz	short loc_4B9BAE
		push	[ebp+arg_0]
		push	1000h
		push	edi
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)

loc_4B9B7B:				; CODE XREF: MiFillPhysicalPages+91j
		cmp	[ebp+var_1C], 0
		jz	loc_4B9C1F
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, edi
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)

loc_4B9B94:				; CODE XREF: MiFillPhysicalPages+110j
		mov	eax, [ebp+var_18]
		inc	eax
		inc	esi
		mov	[ebp+var_18], eax
		cmp	eax, 1
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_14], esi
		jb	short loc_4B9B52
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4B9BAE:				; CODE XREF: MiFillPhysicalPages+41j
		mov	edx, 1000h
		mov	ecx, edi
		call	_KeZeroPages	; KiZeroPages(x,x)
		jmp	short loc_4B9B7B
; 

loc_4B9BBD:				; CODE XREF: MiFillPhysicalPages+2Aj
		call	MxGetPhase0Mapping
		mov	edi, eax
		test	edi, edi
		jz	loc_5C341C
		mov	ebx, edi
		mov	edx, esi
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		sub	ebx, 40000000h
		push	0A0000004h
		mov	ecx, ebx
		call	MiMakeValidPte
		mov	[ebp+var_C], edx
		mov	ecx, ebx
		mov	[ebp+var_C], edx
		mov	esi, eax
		and	[ebp+var_C], 0
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5C33B9

loc_4B9C06:				; CODE XREF: MiFillPhysicalPages+1098DCj
		mov	ecx, [ebp+var_C]

loc_4B9C09:				; CODE XREF: MiFillPhysicalPages+1098A2j
					; MiFillPhysicalPages+1098B5j ...
		mov	[ebx+4], edx
		nop
		mov	[ebx], esi
		test	ecx, ecx
		jnz	loc_5C340E

loc_4B9C17:				; CODE XREF: MiFillPhysicalPages+1098EDj
		mov	esi, [ebp+var_14]
		jmp	loc_4B9B67
; 

loc_4B9C1F:				; CODE XREF: MiFillPhysicalPages+55j
		mov	eax, ds:_ZeroPte
		mov	[ebx], eax
		nop
		mov	eax, ds:dword_40F9FC
		xor	edx, edx
		push	1
		mov	ecx, edi
		mov	[ebx+4], eax
		call	KeFlushSingleTb
		jmp	loc_4B9B94
MiFillPhysicalPages endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnmapPageInHyperSpaceWorker(x, x,	x)
_MiUnmapPageInHyperSpaceWorker@12 proc near ; CODE XREF: MiUpdateSystemPdes+94p
					; MiCopyTopLevelMappings(x,x)+DFp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:20h
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+3D34h]
		mov	bl, dl
		mov	esi, edi
		shr	ecx, 9
		and	esi, 0FFFh
		mov	[ebp+var_8], eax
		and	ecx, offset loc_7FFFF8
		and	edi, 0FFFFF000h
		lea	eax, [esi+1]
		mov	[ebp+var_4], eax
		mov	eax, ds:_ZeroPte
		mov	[ecx-40000000h], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ecx-3FFFFFFCh], eax
		cmp	esi, 0FFh
		jz	short loc_4B9CC3

loc_4B9C97:				; CODE XREF: MiUnmapPageInHyperSpaceWorker(x,x,x)+88j
		mov	eax, [ebp+var_8]
		sub	esi, 0FFh
		neg	esi
		sbb	esi, esi
		and	esi, [ebp+var_4]
		or	esi, edi
		mov	[eax+3D34h], esi
		cmp	bl, 21h
		jz	short loc_4B9CBC
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4B9CBC:				; CODE XREF: MiUnmapPageInHyperSpaceWorker(x,x,x)+72j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4B9CC3:				; CODE XREF: MiUnmapPageInHyperSpaceWorker(x,x,x)+55j
		call	_MiFlushHyperSpace@0 ; MiFlushHyperSpace()
		jmp	short loc_4B9C97
_MiUnmapPageInHyperSpaceWorker@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapPageInHyperSpaceWorker proc near	; CODE XREF: MiUpdateSystemPdes+56p
					; MiCopyTopLevelMappings(x,x)+178p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C3438 SIZE 0000009A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], edx
		push	ebx
		push	esi
		push	edi
		test	eax, 20000000h
		jnz	loc_5C342E
		mov	ebx, 4

loc_4B9CF1:				; CODE XREF: MiFillPhysicalPages+109909j
		test	eax, 40000000h
		jnz	loc_4B9E0B
		mov	eax, ds:_MmPfnDatabase
		lea	edx, ds:0[ecx*8]
		sub	edx, ecx
		movzx	eax, byte ptr [eax+edx*4+16h]
		shr	eax, 6

loc_4B9D12:				; CODE XREF: MiMapPageInHyperSpaceWorker+141j
		test	eax, eax
		jz	loc_5C3438
		cmp	eax, 3
		jz	loc_5C3438
		cmp	eax, 2
		jz	loc_4B9E1D

loc_4B9D2C:				; CODE XREF: MiMapPageInHyperSpaceWorker+150j
					; MiMapPageInHyperSpaceWorker+10976Bj
		or	ebx, 0A0000000h
		and	ecx, 1FFFFFFh
		mov	edx, ebx
		xor	eax, eax
		and	edx, 1Fh
		shld	eax, ecx, 0Ch
		shl	ecx, 0Ch
		mov	esi, ds:_MmProtectToPteMask[edx*8]
		mov	edi, ds:dword_40B4DC[edx*8]
		and	esi, 0F7Fh
		or	esi, ecx
		and	edi, 0FFFFFFE0h
		or	edi, eax
		and	dl, 5
		or	esi, 121h
		cmp	dl, 4
		setz	cl
		bt	ebx, 1Fh
		setb	al
		test	cl, al
		jz	short loc_4B9D7E
		or	esi, 42h

loc_4B9D7E:				; CODE XREF: MiMapPageInHyperSpaceWorker+A9j
		mov	al, byte ptr word_6D07B8
		and	esi, 0FFFFFEFFh
		and	al, 1
		movzx	eax, al
		cdq
		mov	ebx, eax
		shld	edx, ebx, 8
		shl	ebx, 8
		or	edx, edi
		or	ebx, esi
		mov	[ebp+var_8], edx
		mov	esi, [ebp+var_4]
		test	esi, esi
		jnz	short loc_4B9DFC

loc_4B9DA6:				; CODE XREF: MiMapPageInHyperSpaceWorker+139j
		mov	eax, large fs:20h
		mov	eax, [eax+3D34h]
		mov	esi, eax
		and	esi, 0FFFh
		and	eax, 0FFFFF000h
		shl	esi, 0Ch
		add	esi, eax
		mov	ecx, esi
		shr	ecx, 9
		sub	ecx, 40000000h
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		xor	edi, edi
		cmp	[ebp+arg_0], edi
		jge	loc_5C3484
		test	eax, eax
		jnz	loc_5C3440

loc_4B9DE7:				; CODE XREF: MiMapPageInHyperSpaceWorker+109785j
					; MiMapPageInHyperSpaceWorker+1097A3j ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], ebx
		test	edi, edi
		jnz	short loc_4B9E25

loc_4B9DF1:				; CODE XREF: MiMapPageInHyperSpaceWorker+15Cj
					; MiMapPageInHyperSpaceWorker+1097F7j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4B9DFC:				; CODE XREF: MiMapPageInHyperSpaceWorker+D4j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, [ebp+var_8]
		mov	[esi], al
		jmp	short loc_4B9DA6
; 

loc_4B9E0B:				; CODE XREF: MiMapPageInHyperSpaceWorker+26j
		and	eax, 3
		cmp	eax, 2
		jnz	loc_4B9D12
		or	ebx, 2000000h

loc_4B9E1D:				; CODE XREF: MiMapPageInHyperSpaceWorker+56j
		or	ebx, 18h
		jmp	loc_4B9D2C
; 

loc_4B9E25:				; CODE XREF: MiMapPageInHyperSpaceWorker+11Fj
					; MiMapPageInHyperSpaceWorker+1097FDj
		push	edx
		push	ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	short loc_4B9DF1
MiMapPageInHyperSpaceWorker endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1409. MmGetPhysicalAddress

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetPhysicalAddress(x)
		public _MmGetPhysicalAddress@4
_MmGetPhysicalAddress@4	proc near	; CODE XREF: PopGetNextTable+2A9p
					; PoSetHiberRange+B8p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	esi
		xor	esi, esi
		lea	edx, [ebp+var_C]
		push	eax
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		call	MiGetPhysicalAddress
		test	eax, eax
		jz	short loc_4B9E68
		mov	edx, [ebp+var_8]
		mov	esi, [ebp+var_C]

loc_4B9E61:				; CODE XREF: MmGetPhysicalAddress(x)+36j
		mov	eax, esi
		pop	esi
		leave
		retn	4
; 

loc_4B9E68:				; CODE XREF: MmGetPhysicalAddress(x)+25j
		mov	edx, esi
		jmp	short loc_4B9E61
_MmGetPhysicalAddress@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetPhysicalAddress proc near		; CODE XREF: MmGetPhysicalAddress(x)+1Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C34D2 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		mov	[ebp+var_14], edx
		mov	esi, ecx
		push	edi
		lea	edx, [ebp+var_10]
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebx], eax
		call	_MiFillPteHierarchy@8 ;	MiFillPteHierarchy(x,x)
		mov	ecx, esi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_4B9F64
		push	2
		pop	edx

loc_4B9EA5:				; CODE XREF: MiGetPhysicalAddress+56j
		mov	eax, [ebp+edx*4+var_14]
		dec	edx
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		and	ecx, 1
		or	ecx, 0
		mov	[ebp+var_4], eax
		jz	loc_4B9F85
		cmp	edx, 1
		jnz	short loc_4B9EA5
		mov	ebx, [ebp+var_10]
		mov	edi, [ebx]
		nop
		mov	edx, [ebx+4]
		mov	[ebp+var_C], edx
		cmp	esi, dword_6D07D0
		jb	loc_5C34D2
		mov	eax, esi
		shr	eax, 15h
		movzx	ecx, byte ptr dword_6D3994[eax]
		mov	[ebp+var_4], ecx
		cmp	ecx, 0Ch
		jz	short loc_4B9F51

loc_4B9EF0:				; CODE XREF: MiGetPhysicalAddress+F6j
					; MiGetPhysicalAddress+109668j
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	loc_4B9F85
		cmp	ecx, 5
		jnz	short loc_4B9F10
		mov	ecx, ebx
		call	MiSetNonPagedPoolNoSteal
		mov	edi, [ebx]
		nop
		mov	edx, [ebx+4]

loc_4B9F10:				; CODE XREF: MiGetPhysicalAddress+95j
		mov	eax, edi
		nop
		shrd	eax, edx, 0Ch
		and	edi, 800h
		and	eax, 1FFFFFFh
		or	edi, 0
		jz	short loc_4B9F30
		mov	ecx, [ebp+arg_0]
		mov	dword ptr [ecx], 1

loc_4B9F30:				; CODE XREF: MiGetPhysicalAddress+B9j
					; MiGetPhysicalAddress+10Fj ...
		mov	ecx, 1000h
		and	esi, 0FFFh
		mul	ecx
		mov	ecx, [ebp+var_14]
		add	eax, esi
		mov	[ecx], eax
		xor	eax, eax
		mov	[ecx+4], edx
		inc	eax

loc_4B9F4A:				; CODE XREF: MiGetPhysicalAddress+11Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4B9F51:				; CODE XREF: MiGetPhysicalAddress+82j
		push	edx
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	MiQueuePinDriverAddressLog
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_C]
		jmp	short loc_4B9EF0
; 

loc_4B9F64:				; CODE XREF: MiGetPhysicalAddress+30j
		mov	ecx, esi
		call	_MiVaToPfn@4	; MiVaToPfn(x)
		mov	ecx, [ebp+edi*4+var_10]
		mov	edx, [ecx]
		nop
		and	edx, 800h
		or	edx, 0
		jz	short loc_4B9F30
		mov	dword ptr [ebx], 1
		jmp	short loc_4B9F30
; 

loc_4B9F85:				; CODE XREF: MiGetPhysicalAddress+4Dj
					; MiGetPhysicalAddress+8Cj
		xor	eax, eax
		jmp	short loc_4B9F4A
MiGetPhysicalAddress endp

; 
		align 4
		dd 5 dup(0CCCCCCCCh)
; 

SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxWorkerThread:
					; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread+44o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+8]
		mov	dword ptr [esp+10h], 0FD050F80h
		mov	dword ptr [esp+14h], 0FFFFFFFFh
		mov	[esp+24h], eax
		mov	esi, [edi]
		push	esi
		call	ExAcquireSpinLockExclusive
		inc	dword ptr [esi+38h]
		lea	ecx, [esi+2Ch]
		mov	edx, [ecx+4]
		mov	bl, al
		cmp	[edx], ecx
		jnz	loc_4BA1FF
		mov	[esp+1Ch], ecx
		lea	eax, [esp+1Ch]
		mov	[esp+20h], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		mov	eax, [esi+4Ch]
		push	eax
		push	dword ptr [esp+28h]
		call	KeSetActualBasePriorityThread
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [edi+8]
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_4BA01F:				; CODE XREF: .text:004BA161j
					; .text:004BA1F3j
		mov	edx, 1
		lea	ecx, [esi+0Ch]
		cmp	edx, [esi+38h]
		lea	edx, [esp+10h]
		sbb	eax, eax
		and	eax, edx
		push	eax
		push	0
		push	0
		push	1Ah
		push	ecx
		call	KeWaitForSingleObject
		push	esi
		cmp	eax, 102h
		jz	loc_4BA166
		xor	edi, edi
		call	ExAcquireSpinLockExclusive
		mov	bl, al

loc_4BA054:				; CODE XREF: .text:004BA0F4j
					; .text:004BA103j ...
		mov	eax, [esi+38h]
		cmp	eax, [esi+34h]
		ja	loc_4BA1DC
		mov	edx, [esi+8]
		lea	ecx, [esi+4]
		cmp	edx, ecx
		jz	loc_4BA13D
		mov	edi, [ecx]
		mov	eax, [edi]
		mov	[ecx], eax
		cmp	edi, edx
		jnz	loc_4BA11B
		mov	[ecx+4], ecx
		mov	dword ptr [ecx], 0

loc_4BA085:				; CODE XREF: .text:004BA11Dj
					; .text:004BA148j ...
		cmp	dword ptr [esi+10h], 0
		lea	ecx, [esi+0Ch]
		jz	loc_4BA122

loc_4BA092:				; CODE XREF: .text:004BA128j
					; .text:004BA138j
		test	ds:byte_70EFC6,	1
		jnz	loc_5C34D9
		mov	dword ptr [esi], 0

loc_4BA0A5:				; CODE XREF: .text:005C34E3j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	loc_4BA14D
		mov	ecx, [ebp+8]
		add	edi, 0FFFFFFD8h
		push	edi
		mov	eax, [ecx+10h]
		mov	edx, [ecx+4]
		push	eax
		mov	eax, [ecx+0Ch]
		mov	ecx, esi
		push	eax
		call	?SmCompressCtxProcessEntry@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU_SM_COMPRESS_CONTEXT@1@PAU1@PAX2PAU_SM_COMPRESS_ENTRY@1@@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		mov	dl, bl
		mov	ecx, esi
		jnz	loc_5C34E8
		call	ExpAcquireSpinLockExclusive

loc_4BA0EE:				; CODE XREF: .text:005C34EDj
		mov	ecx, [esi+38h]
		cmp	[esi+34h], ecx
		jbe	loc_4BA054
		mov	eax, [esi+8]
		mov	eax, [eax]
		shr	eax, 1
		cmp	eax, ecx
		jbe	loc_4BA054
		push	0
		push	0
		lea	eax, [esi+1Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4BA054
; 

loc_4BA11B:				; CODE XREF: .text:004BA076j
		dec	dword ptr [edx]
		jmp	loc_4BA085
; 

loc_4BA122:				; CODE XREF: .text:004BA08Cj
		mov	eax, [esi+8]
		cmp	dword ptr [eax], 3
		jb	loc_4BA092
		push	0
		push	0
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4BA092
; 

loc_4BA13D:				; CODE XREF: .text:004BA068j
		lea	eax, [esi+0Ch]
		xor	edi, edi
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		jmp	loc_4BA085
; 

loc_4BA14D:				; CODE XREF: .text:004BA0AFj
		mov	edi, [ebp+8]
		mov	ecx, esi
		push	1
		push	0FFh
		mov	edx, [edi+4]
		call	SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue
		jmp	loc_4BA01F
; 

loc_4BA166:				; CODE XREF: .text:004BA045j
		call	ExAcquireSpinLockExclusive
		cmp	dword ptr [esi+38h], 1
		mov	bl, al
		jbe	short loc_4BA1E5

loc_4BA173:				; CODE XREF: .text:004BA1E3j
		cmp	dword ptr [esi+10h], 0
		jnz	short loc_4BA187
		lea	eax, [esi+4]
		cmp	[eax+4], eax
		jnz	short loc_4BA1CD
		cmp	dword ptr [esi+34h], 0
		jz	short loc_4BA1CD

loc_4BA187:				; CODE XREF: .text:004BA177j
					; .text:004BA1DAj
		mov	ecx, [esp+1Ch]
		lea	edx, [esp+1Ch]
		mov	eax, [esp+20h]
		cmp	[ecx+4], edx
		jnz	short loc_4BA1FF
		cmp	[eax], edx
		jnz	short loc_4BA1FF
		mov	[eax], ecx
		mov	[ecx+4], eax
		dec	dword ptr [esi+38h]
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [edi]
		add	ecx, 48h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4BA1CD:				; CODE XREF: .text:004BA17Fj
					; .text:004BA185j
		push	0
		push	0
		lea	eax, [esi+0Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_4BA187
; 

loc_4BA1DC:				; CODE XREF: .text:004BA05Aj
		test	edi, edi
		jnz	short loc_4BA1F8
		mov	edi, [ebp+8]
		jmp	short loc_4BA173
; 

loc_4BA1E5:				; CODE XREF: .text:004BA171j
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4BA01F
; 

loc_4BA1F8:				; CODE XREF: .text:004BA1DEj
		xor	edi, edi
		jmp	loc_4BA085
; 

loc_4BA1FF:				; CODE XREF: .text:004B9FE0j
					; .text:004BA196j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessEntry(int,void *,int)
?SmCompressCtxProcessEntry@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU_SM_COMPRESS_CONTEXT@1@PAU1@PAX2PAU_SM_COMPRESS_ENTRY@1@@Z proc	near
					; CODE XREF: .text:004BA0C9p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_4], 0
		push	1000h		; size_t
		mov	[ebp+var_18], edx
		mov	ebx, [edi+2Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		mov	eax, [ebx+8]
		mov	[ebp+var_8], eax
		mov	eax, [eax+0Ch]
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		mov	[ebp+var_C], eax
		call	_memcpy
		mov	eax, [edi+24h]
		lea	esi, [edi+28h]
		add	esp, 0Ch
		movzx	edx, word ptr [eax+99Ch]
		movzx	eax, dl
		test	dl, dl
		jz	loc_4BA47F
		cmp	eax, 1
		jz	loc_4BA47F
		cmp	eax, 4
		ja	loc_4BA47F
		push	[ebp+arg_0]
		mov	ecx, eax
		and	edx, 0FF00h
		lea	eax, [ebp+var_4]
		push	eax
		push	1000h
		mov	eax, ebx
		sub	eax, esi
		add	eax, 1000h
		push	eax
		mov	eax, ds:_RtlCompressBufferProcs[ecx*4]
		push	esi
		push	1000h
		push	[ebp+arg_4]
		push	edx
		call	eax
		test	eax, eax
		js	loc_4BA47F
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		and	edx, 0FFFh
		mov	dword ptr [edi], 0
		push	edi
		mov	[edi+18h], edx
		lea	eax, [ecx+0FFFh]
		mov	[edi+14h], ecx
		add	eax, edx
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[edi+4], ax
		xor	eax, eax
		mov	[edi+6], ax
		mov	eax, esi
		and	eax, 0FFFFF000h
		mov	[edi+10h], eax
		call	MmBuildMdlForNonPagedPool

loc_4BA2F4:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+28Cj
		mov	eax, [ebp+var_4]
		lea	ebx, [eax+esi]
		mov	[ebp+arg_0], ebx
		cmp	eax, 10h
		jb	loc_4BA475
		lea	eax, [ebx-10h]
		mov	edx, 24234428h
		mov	[ebp+arg_4], eax
		mov	edi, 85EBCA77h
		xor	ebx, ebx
		mov	eax, 61C8864Fh
		lea	ecx, [ecx+0]

loc_4BA320:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+15Dj
		imul	ecx, [esi], 7A143589h
		sub	edx, ecx
		imul	ecx, [esi+4], 7A143589h
		rol	edx, 0Dh
		imul	edx, 9E3779B1h
		sub	edi, ecx
		imul	ecx, [esi+8], 7A143589h
		rol	edi, 0Dh
		imul	edi, 9E3779B1h
		sub	ebx, ecx
		imul	ecx, [esi+0Ch],	7A143589h
		rol	ebx, 0Dh
		add	esi, 10h
		imul	ebx, 9E3779B1h
		sub	eax, ecx
		rol	eax, 0Dh
		imul	eax, 9E3779B1h
		cmp	esi, [ebp+arg_4]
		jbe	short loc_4BA320
		rol	eax, 12h
		rol	ebx, 0Ch
		add	eax, ebx
		rol	edi, 7
		mov	ebx, [ebp+arg_0]
		add	eax, edi
		rol	edx, 1
		add	eax, edx

loc_4BA383:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+26Aj
		add	eax, [ebp+var_4]
		lea	edx, [esi+4]
		cmp	edx, ebx
		ja	short loc_4BA3AA
		lea	ecx, [ecx+0]

loc_4BA390:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+198j
		imul	ecx, [esi], 3D4D51C3h
		mov	esi, edx
		lea	edx, [esi+4]
		sub	eax, ecx
		rol	eax, 11h
		imul	eax, 27D4EB2Fh
		cmp	edx, ebx
		jbe	short loc_4BA390

loc_4BA3AA:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+17Bj
		mov	ecx, ebx
		xor	edx, edx
		sub	ecx, esi
		cmp	ebx, esi
		sbb	edi, edi
		not	edi
		and	edi, ecx
		jbe	short loc_4BA3DC
		lea	ebx, [ebx+0]

loc_4BA3C0:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+1CAj
		movzx	ecx, byte ptr [esi]
		lea	esi, [esi+1]
		imul	ecx, 165667B1h
		inc	edx
		add	ecx, eax
		rol	ecx, 0Bh
		imul	eax, ecx, 9E3779B1h
		cmp	edx, edi
		jb	short loc_4BA3C0

loc_4BA3DC:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+1A8j
		mov	edi, [ebp+arg_8]
		mov	ecx, eax
		mov	ebx, [ebp+var_10]
		shr	ecx, 0Fh
		xor	ecx, eax
		mov	esi, [ebp+var_14]
		imul	ecx, 85EBCA77h
		mov	eax, ecx
		shr	eax, 0Dh
		xor	eax, ecx
		imul	eax, 0C2B2AE3Dh
		mov	ecx, eax
		shr	ecx, 10h
		xor	ecx, eax
		mov	eax, [ebp+var_8]
		mov	[edi+20h], ecx
		mov	cl, 2
		mov	[edi], eax
		or	dword ptr [ebx+4], 80000000h
		mov	[ebx+8], edi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		lea	ecx, [esi+44h]
		mov	byte ptr [ebp+arg_4], al
		mov	dl, al
		jnz	short loc_4BA4A1
		call	ExpAcquireSpinLockExclusive

loc_4BA436:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+296j
		mov	eax, [esi+40h]
		mov	edx, [ebp+var_18]
		push	0
		push	[ebp+arg_4]
		mov	eax, [eax]
		shr	eax, 3
		lea	ecx, ds:8[eax*8]
		mov	eax, [ebx]
		and	eax, 7
		or	ecx, eax
		mov	[ebx], ecx
		mov	ecx, [esi+40h]
		mov	eax, [ecx]
		and	eax, 7
		or	eax, ebx
		mov	[ecx], eax
		mov	ecx, esi
		mov	[esi+40h], ebx
		call	SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4BA475:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+F0j
		mov	eax, 165667B1h
		jmp	loc_4BA383
; 

loc_4BA47F:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+50j
					; SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+59j ...
		mov	ecx, [ebp+var_8]
		mov	esi, [ebp+var_C]
		mov	[ebp+var_4], 1000h
		push	0
		mov	eax, [ecx+18h]
		add	eax, [ecx+10h]
		push	eax
		push	edi
		push	ecx
		call	IoBuildPartialMdl
		jmp	loc_4BA2F4
; 

loc_4BA4A1:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+21Fj
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	short loc_4BA436
?SmCompressCtxProcessEntry@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU_SM_COMPRESS_CONTEXT@1@PAU1@PAX2PAU_SM_COMPRESS_ENTRY@1@@Z endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCompressBufferXpressLz proc near	; DATA XREF: .text:00403FD0o

arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 005C34F2 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_1C]
		mov	cx, [ebp+arg_0]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		test	cx, cx
		jnz	loc_5C34F2
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		push	edx
		push	0
		push	0
		push	eax
		push	[ebp+arg_18]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	RtlCompressBufferXpressLzStandard

loc_4BA4E5:				; CODE XREF: RtlCompressBufferXpressLz+109066j
					; RtlCompressBufferXpressLz+109070j
		pop	ebp
		retn	20h
RtlCompressBufferXpressLz endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCompressBufferXpressLzStandard proc near ; CODE XREF: RtlCompressBufferXpressLz+30p
					; RtlCompressBufferProgress+48p

var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005C3525 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		add	edi, [ebp+arg_4]
		lea	ecx, [edx+ebx]
		cmp	[ebp+arg_4], 40h
		mov	[ebp+var_20], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_1C], edi
		jb	loc_4BAAEB
		cmp	ebx, 8
		jb	loc_4BAAEB
		xor	eax, eax
		lea	esi, [ecx-26h]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jnz	loc_4BAB26

loc_4BA537:				; CODE XREF: RtlCompressBufferXpressLzStandard+641j
		mov	ecx, ebx

loc_4BA539:				; CODE XREF: RtlCompressBufferXpressLzStandard+63Bj
		lea	ebx, [edx+ecx]
		mov	[ebp+var_8], ebx
		cmp	esi, ebx
		jnb	short loc_4BA546
		mov	[ebp+var_8], esi

loc_4BA546:				; CODE XREF: RtlCompressBufferXpressLzStandard+51j
		mov	[ebp+var_34], eax
		lea	esi, [edx+1]
		mov	eax, [ebp+arg_14]
		mov	ebx, 2
		mov	[ebp+var_30], eax
		mov	eax, [ebp+arg_0]
		lea	edi, [eax+4]
		mov	[ebp+var_2C], ecx
		mov	ecx, eax
		mov	[ebp+arg_18], ebx
		mov	al, [edx]
		mov	[edi], al
		inc	edi
		cmp	[ebp+var_20], 40h
		mov	[ebp+var_C], ecx
		mov	[ebp+arg_14], edi
		jb	loc_4BAA52
		mov	eax, edx
		mov	ecx, 0AF6h
		mov	edx, [ebp+arg_C]
		mov	edi, edx
		rep stosd
		lea	edi, [edx+2BD8h]
		mov	ecx, 12EEh
		rep stosd

loc_4BA595:				; CODE XREF: RtlCompressBufferXpressLzStandard+E2j
					; RtlCompressBufferXpressLzStandard+304j ...
		movzx	eax, byte ptr [esi]
		movzx	ecx, byte ptr [esi+1]
		lea	edx, [edx+eax*4]
		movzx	eax, byte ptr [esi+2]
		lea	eax, [eax+ecx*4]
		mov	edi, [edx+eax*8]
		mov	[edx+eax*8], esi
		mov	cl, [esi]
		mov	[ebp+var_14], eax
		cmp	[edi], cl
		jz	short loc_4BA5D4

loc_4BA5B5:				; CODE XREF: RtlCompressBufferXpressLzStandard+EAj
					; RtlCompressBufferXpressLzStandard+F2j ...
		mov	edi, [ebp+arg_14]
		lea	eax, [ebx+ebx]
		inc	esi
		mov	[edi], cl
		inc	edi
		mov	[ebp+arg_14], edi
		test	ebx, ebx
		jle	loc_4BA856
		mov	edx, [ebp+arg_C]
		mov	ebx, eax
		mov	[ebp+arg_18], ebx
		jmp	short loc_4BA595
; 

loc_4BA5D4:				; CODE XREF: RtlCompressBufferXpressLzStandard+C3j
		mov	al, [edi+1]
		cmp	al, [esi+1]
		jnz	short loc_4BA5B5
		mov	al, [edi+2]
		cmp	al, [esi+2]
		jnz	short loc_4BA5B5
		mov	eax, esi
		sub	eax, edi
		cmp	eax, 2000h
		jge	short loc_4BA5B5
		mov	ch, [edi+3]
		lea	eax, [esi+3]
		lea	edx, [edi+3]
		mov	[ebp+var_20], eax
		mov	al, [eax]
		mov	[ebp+var_4], esi
		mov	byte ptr [ebp+arg_10+3], ch
		mov	byte ptr [ebp+arg_4+3],	al
		cmp	al, ch
		jnz	loc_4BA6E5

loc_4BA60E:				; CODE XREF: RtlCompressBufferXpressLzStandard+44Aj
		mov	dh, [edi+4]
		lea	eax, [edi+4]
		mov	bh, [esi+4]
		mov	[ebp+var_24], eax
		lea	eax, [esi+4]
		mov	[ebp+arg_10], eax
		cmp	bh, dh
		jnz	loc_4BA732
		mov	edx, [ebp+var_4]

loc_4BA62B:				; CODE XREF: RtlCompressBufferXpressLzStandard+486j
		mov	bh, [edi+5]
		lea	ecx, [edi+5]
		mov	[ebp+var_28], ecx
		lea	ecx, [esi+5]
		mov	[ebp+var_14], ecx
		mov	cl, [ecx]
		mov	byte ptr [ebp+arg_4+3],	cl
		cmp	cl, bh
		jnz	loc_4BA892

loc_4BA647:				; CODE XREF: RtlCompressBufferXpressLzStandard+515j
		mov	ecx, [ebp+var_10]
		lea	esi, [edx+6]
		add	edi, 6
		lea	ebx, [ecx-26h]
		cmp	esi, ebx
		jnb	short loc_4BA6C8
		jmp	short loc_4BA660
; 
		align 10h

loc_4BA660:				; CODE XREF: RtlCompressBufferXpressLzStandard+167j
					; RtlCompressBufferXpressLzStandard+1D6j
		mov	eax, [edi]
		cmp	[esi], eax
		jnz	loc_4BA805
		mov	eax, [edi+4]
		cmp	[esi+4], eax
		jnz	loc_4BA7FF
		mov	eax, [edi+8]
		cmp	[esi+8], eax
		jnz	loc_4BA97B
		mov	eax, [edi+0Ch]
		cmp	[esi+0Ch], eax
		jnz	loc_4BAA0A
		mov	eax, [edi+10h]
		cmp	[esi+10h], eax
		jnz	loc_4BAA15
		mov	eax, [edi+14h]
		cmp	[esi+14h], eax
		jnz	loc_4BAA20
		mov	eax, [edi+18h]
		cmp	[esi+18h], eax
		jnz	loc_4BAA2B
		mov	eax, [edi+1Ch]
		cmp	[esi+1Ch], eax
		jnz	loc_4BAA36
		add	esi, 20h
		add	edi, 20h
		cmp	esi, ebx
		jb	short loc_4BA660

loc_4BA6C8:				; CODE XREF: RtlCompressBufferXpressLzStandard+165j
		cmp	esi, ecx
		jnb	loc_4BA7A3

loc_4BA6D0:				; CODE XREF: RtlCompressBufferXpressLzStandard+1EEj
		mov	al, [esi]
		cmp	al, [edi]
		jnz	loc_4BA7A3
		inc	esi
		inc	edi
		cmp	esi, ecx
		jb	short loc_4BA6D0
		jmp	loc_4BA7A3
; 

loc_4BA6E5:				; CODE XREF: RtlCompressBufferXpressLzStandard+118j
		movzx	eax, cl
		mov	ecx, [ebp+var_14]
		lea	ecx, [eax+ecx*2]
		movzx	eax, byte ptr [ebp+arg_4+3]
		add	eax, ecx
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+arg_C]
		mov	eax, [ecx+eax*4+2BD8h]
		mov	[ebp+arg_4], eax
		movzx	eax, byte ptr [ebp+arg_10+3]
		add	eax, [ebp+var_14]
		mov	[ecx+eax*4+2BD8h], edi
		mov	eax, [ebp+var_4]
		mov	edi, [ebp+arg_4]
		sub	eax, edi
		cmp	eax, 2000h
		jge	short loc_4BA72B
		mov	eax, [esi]
		cmp	eax, [edi]
		jz	loc_4BA92D

loc_4BA72B:				; CODE XREF: RtlCompressBufferXpressLzStandard+22Fj
		mov	esi, [ebp+var_20]
		mov	edi, edx
		jmp	short loc_4BA7A6
; 

loc_4BA732:				; CODE XREF: RtlCompressBufferXpressLzStandard+132j
		movzx	eax, byte ptr [esi+2]
		mov	bl, [esi+1]
		add	al, 61h
		mov	dl, [esi]
		add	al, bl
		ror	al, 1
		xor	al, dl
		rol	al, 3
		movzx	ecx, al
		mov	eax, [ebp+var_20]
		movzx	eax, byte ptr [eax]
		add	al, dl
		rol	al, 3
		xor	al, bl
		ror	al, 1
		movzx	eax, al
		lea	ecx, [eax+ecx*4]
		movzx	eax, bh
		add	ecx, ecx
		add	eax, ecx
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+arg_C]
		mov	ebx, [ecx+eax*4+2BD8h]
		movzx	eax, dh
		add	eax, [ebp+var_14]
		mov	edx, [ebp+var_4]
		mov	[ecx+eax*4+2BD8h], edi
		mov	eax, edx
		sub	eax, ebx
		cmp	eax, 2000h
		jge	loc_4BAAD5
		mov	eax, [esi]
		cmp	eax, [ebx]
		mov	eax, [ebp+arg_10]
		jz	loc_4BA94A

loc_4BA79E:				; CODE XREF: RtlCompressBufferXpressLzStandard+465j
					; RtlCompressBufferXpressLzStandard+46Dj ...
		mov	edi, [ebp+var_24]
		mov	esi, eax

loc_4BA7A3:				; CODE XREF: RtlCompressBufferXpressLzStandard+1DAj
					; RtlCompressBufferXpressLzStandard+1E4j ...
		mov	ebx, [ebp+arg_18]

loc_4BA7A6:				; CODE XREF: RtlCompressBufferXpressLzStandard+240j
					; RtlCompressBufferXpressLzStandard+336j ...
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		sub	edx, [ebp+var_4]
		mov	eax, esi
		sub	eax, edi
		sub	edx, 3
		lea	edi, [ecx+2]
		mov	[ebp+arg_14], edi
		lea	eax, ds:0FFFFFFF8h[eax*8]
		cmp	edx, 7
		jnb	short loc_4BA82B
		add	eax, edx
		mov	[ecx], ax

loc_4BA7CC:				; CODE XREF: RtlCompressBufferXpressLzStandard+361j
					; RtlCompressBufferXpressLzStandard+438j ...
		lea	eax, ds:1[ebx*2]
		test	ebx, ebx
		jle	loc_4BA986
		mov	ebx, eax

loc_4BA7DD:				; CODE XREF: RtlCompressBufferXpressLzStandard+4A9j
		mov	[ebp+arg_18], ebx
		cmp	esi, [ebp+var_8]
		jnb	loc_4BAA41

loc_4BA7E9:				; CODE XREF: RtlCompressBufferXpressLzStandard+631j
		mov	eax, [ebp+var_1C]
		mov	edx, [ebp+arg_C]
		add	eax, 0FFFFFFD7h
		cmp	edi, eax
		jb	loc_4BA595
		jmp	loc_4BAA4F
; 

loc_4BA7FF:				; CODE XREF: RtlCompressBufferXpressLzStandard+180j
		add	esi, 4
		add	edi, 4

loc_4BA805:				; CODE XREF: RtlCompressBufferXpressLzStandard+174j
					; RtlCompressBufferXpressLzStandard+491j ...
		cmp	[esi], al
		jnz	short loc_4BA7A3
		mov	al, [esi+1]
		cmp	al, [edi+1]
		jnz	short loc_4BA88B
		mov	al, [esi+2]
		mov	ebx, [ebp+arg_18]
		cmp	al, [edi+2]
		jz	loc_4BA93F
		add	esi, 2
		add	edi, 2
		jmp	loc_4BA7A6
; 

loc_4BA82B:				; CODE XREF: RtlCompressBufferXpressLzStandard+2D5j
		or	eax, 7
		sub	edx, 7
		mov	[ecx], ax
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jnz	loc_4BA911
		mov	[ebp+var_18], edi
		cmp	edx, 0Fh
		jnb	loc_4BA99E
		mov	[edi], dl
		inc	edi

loc_4BA84E:				; CODE XREF: RtlCompressBufferXpressLzStandard+10903Fj
		mov	[ebp+arg_14], edi
		jmp	loc_4BA7CC
; 

loc_4BA856:				; CODE XREF: RtlCompressBufferXpressLzStandard+D4j
		mov	ecx, [ebp+var_C]
		mov	ebx, 1
		mov	[ebp+var_C], edi
		add	edi, 4
		mov	[ebp+arg_18], ebx
		mov	[ebp+arg_14], edi
		mov	[ecx], eax
		cmp	esi, [ebp+var_8]
		jnb	loc_4BAAF2

loc_4BA875:				; CODE XREF: RtlCompressBufferXpressLzStandard+61Ej
		mov	eax, [ebp+var_1C]
		add	eax, 0FFFFFFD7h
		cmp	edi, eax
		jnb	loc_4BAA4F
		mov	edx, [ebp+arg_C]
		jmp	loc_4BA595
; 

loc_4BA88B:				; CODE XREF: RtlCompressBufferXpressLzStandard+31Fj
		inc	esi
		inc	edi
		jmp	loc_4BA7A3
; 

loc_4BA892:				; CODE XREF: RtlCompressBufferXpressLzStandard+151j
		mov	cl, [eax]
		mov	bl, [esi]
		mov	al, bl
		rol	bl, cl
		ror	al, 1
		add	al, 45h
		xor	al, cl
		movzx	ecx, bl
		rol	al, 3
		movzx	edx, al
		mov	eax, [ebp+var_20]
		movzx	eax, byte ptr [eax]
		rol	al, 3
		xor	al, [esi+1]
		ror	al, 1
		movzx	eax, al
		add	edx, eax
		movzx	eax, byte ptr [esi+2]
		xor	ecx, eax
		movzx	eax, byte ptr [ebp+arg_4+3]
		lea	edx, [ecx+edx*4]
		mov	ecx, [ebp+arg_C]
		add	edx, edx
		add	eax, edx
		mov	[ebp+var_24], edx
		mov	eax, [ecx+eax*4+2BD8h]
		mov	[ebp+arg_4], eax
		movzx	eax, bh
		mov	ebx, [ebp+arg_4]
		add	eax, edx
		mov	edx, [ebp+var_4]
		mov	[ecx+eax*4+2BD8h], edi
		mov	eax, edx
		sub	eax, ebx
		cmp	eax, 2000h
		jge	short loc_4BA904
		mov	eax, [esi]
		cmp	eax, [ebx]
		jz	loc_4BA9CB

loc_4BA904:				; CODE XREF: RtlCompressBufferXpressLzStandard+408j
		mov	eax, [ebp+var_14]

loc_4BA907:				; CODE XREF: RtlCompressBufferXpressLzStandard+4E6j
					; RtlCompressBufferXpressLzStandard+4F7j ...
		mov	edi, [ebp+var_28]
		mov	esi, eax
		jmp	loc_4BA7A3
; 

loc_4BA911:				; CODE XREF: RtlCompressBufferXpressLzStandard+349j
		mov	al, [ecx]
		cmp	edx, 0Fh
		jnb	loc_4BA9C0
		shl	dl, 4
		or	dl, al
		xor	eax, eax
		mov	[ecx], dl
		mov	[ebp+var_18], eax
		jmp	loc_4BA7CC
; 

loc_4BA92D:				; CODE XREF: RtlCompressBufferXpressLzStandard+235j
		shr	eax, 18h
		add	eax, [ebp+var_14]
		mov	[ecx+eax*4+2BD8h], esi
		jmp	loc_4BA60E
; 

loc_4BA93F:				; CODE XREF: RtlCompressBufferXpressLzStandard+32Aj
		add	esi, 3
		add	edi, 3
		jmp	loc_4BA7A6
; 

loc_4BA94A:				; CODE XREF: RtlCompressBufferXpressLzStandard+2A8j
		mov	cl, [eax]
		cmp	cl, [ebx+4]
		mov	byte ptr [ebp+arg_4+3],	cl
		mov	ecx, [ebp+arg_C]
		jnz	loc_4BA79E
		cmp	edx, ebx
		jz	loc_4BA79E
		movzx	eax, byte ptr [ebp+arg_4+3]
		mov	edi, ebx
		add	eax, [ebp+var_14]
		mov	[ecx+eax*4+2BD8h], esi
		mov	eax, [ebp+arg_10]
		jmp	loc_4BA62B
; 

loc_4BA97B:				; CODE XREF: RtlCompressBufferXpressLzStandard+18Cj
		add	esi, 8
		add	edi, 8
		jmp	loc_4BA805
; 

loc_4BA986:				; CODE XREF: RtlCompressBufferXpressLzStandard+2E5j
		mov	ecx, [ebp+var_C]
		mov	ebx, 1
		mov	[ebp+var_C], edi
		add	edi, 4
		mov	[ebp+arg_14], edi
		mov	[ecx], eax
		jmp	loc_4BA7DD
; 

loc_4BA99E:				; CODE XREF: RtlCompressBufferXpressLzStandard+355j
		mov	byte ptr [edi],	0Fh
		inc	edi

loc_4BA9A2:				; CODE XREF: RtlCompressBufferXpressLzStandard+4D9j
		sub	edx, 0Fh
		lea	eax, [edi+1]
		cmp	edx, 0FFh
		jnb	loc_4BAAB5
		mov	[edi], dl
		mov	edi, eax
		mov	[ebp+arg_14], edi
		jmp	loc_4BA7CC
; 

loc_4BA9C0:				; CODE XREF: RtlCompressBufferXpressLzStandard+426j
		or	al, 0F0h
		mov	[ecx], al
		xor	eax, eax
		mov	[ebp+var_18], eax
		jmp	short loc_4BA9A2
; 

loc_4BA9CB:				; CODE XREF: RtlCompressBufferXpressLzStandard+40Ej
		mov	eax, [ebp+arg_10]
		mov	al, [eax]
		cmp	al, [ebx+4]
		mov	eax, [ebp+var_14]
		jnz	loc_4BA907
		mov	cl, [eax]
		cmp	cl, [ebx+5]
		mov	byte ptr [ebp+arg_4+3],	cl
		mov	ecx, [ebp+arg_C]
		jnz	loc_4BA907
		cmp	edx, ebx
		jz	loc_4BA907
		movzx	eax, byte ptr [ebp+arg_4+3]
		mov	edi, ebx
		add	eax, [ebp+var_24]
		mov	[ecx+eax*4+2BD8h], esi
		jmp	loc_4BA647
; 

loc_4BAA0A:				; CODE XREF: RtlCompressBufferXpressLzStandard+198j
		add	esi, 0Ch
		add	edi, 0Ch
		jmp	loc_4BA805
; 

loc_4BAA15:				; CODE XREF: RtlCompressBufferXpressLzStandard+1A4j
		add	esi, 10h
		add	edi, 10h
		jmp	loc_4BA805
; 

loc_4BAA20:				; CODE XREF: RtlCompressBufferXpressLzStandard+1B0j
		add	esi, 14h
		add	edi, 14h
		jmp	loc_4BA805
; 

loc_4BAA2B:				; CODE XREF: RtlCompressBufferXpressLzStandard+1BCj
		add	esi, 18h
		add	edi, 18h
		jmp	loc_4BA805
; 

loc_4BAA36:				; CODE XREF: RtlCompressBufferXpressLzStandard+1C8j
		add	esi, 1Ch
		add	edi, 1Ch
		jmp	loc_4BA805
; 

loc_4BAA41:				; CODE XREF: RtlCompressBufferXpressLzStandard+2F3j
		mov	eax, [ebp+var_10]
		add	eax, 0FFFFFFDAh
		cmp	esi, eax
		jb	loc_4BAB13

loc_4BAA4F:				; CODE XREF: RtlCompressBufferXpressLzStandard+30Aj
					; RtlCompressBufferXpressLzStandard+38Dj ...
		mov	ecx, [ebp+var_C]

loc_4BAA52:				; CODE XREF: RtlCompressBufferXpressLzStandard+84j
		mov	edx, [ebp+var_10]
		cmp	esi, edx
		jnb	short loc_4BAA7C
		lea	esp, [esp+0]

loc_4BAA60:				; CODE XREF: RtlCompressBufferXpressLzStandard+58Aj
		cmp	edi, [ebp+var_1C]
		jnb	loc_4BAAEB
		mov	al, [esi]
		inc	esi
		mov	[edi], al
		inc	edi
		lea	eax, [ebx+ebx]
		test	ebx, ebx
		jle	short loc_4BAADD
		mov	ebx, eax

loc_4BAA78:				; CODE XREF: RtlCompressBufferXpressLzStandard+5F9j
		cmp	esi, edx
		jb	short loc_4BAA60

loc_4BAA7C:				; CODE XREF: RtlCompressBufferXpressLzStandard+567j
		cmp	edi, [ebp+var_1C]
		jnb	short loc_4BAAEB
		test	ebx, ebx
		jle	short loc_4BAA90

loc_4BAA85:				; CODE XREF: RtlCompressBufferXpressLzStandard+59Ej
		lea	ebx, ds:1[ebx*2]
		test	ebx, ebx
		jg	short loc_4BAA85

loc_4BAA90:				; CODE XREF: RtlCompressBufferXpressLzStandard+593j
		sub	edi, [ebp+arg_0]
		lea	eax, ds:1[ebx*2]
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		cmp	edi, 8
		jb	loc_5C3534

loc_4BAAAA:				; CODE XREF: RtlCompressBufferXpressLzStandard+10904Aj
		xor	eax, eax

loc_4BAAAC:				; CODE XREF: RtlCompressBufferXpressLzStandard+600j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_4BAAB5:				; CODE XREF: RtlCompressBufferXpressLzStandard+4BEj
		mov	byte ptr [edi],	0FFh
		add	edx, 16h
		lea	edi, [eax+2]
		mov	[ebp+arg_14], edi
		cmp	edx, 10000h
		jnb	loc_5C3525
		mov	[eax], dx
		jmp	loc_4BA7CC
; 

loc_4BAAD5:				; CODE XREF: RtlCompressBufferXpressLzStandard+29Bj
		mov	eax, [ebp+arg_10]
		jmp	loc_4BA79E
; 

loc_4BAADD:				; CODE XREF: RtlCompressBufferXpressLzStandard+584j
		mov	[ecx], eax
		mov	ebx, 1
		mov	ecx, edi
		add	edi, 4
		jmp	short loc_4BAA78
; 

loc_4BAAEB:				; CODE XREF: RtlCompressBufferXpressLzStandard+25j
					; RtlCompressBufferXpressLzStandard+2Ej ...
		mov	eax, 0C0000023h
		jmp	short loc_4BAAAC
; 

loc_4BAAF2:				; CODE XREF: RtlCompressBufferXpressLzStandard+37Fj
		mov	eax, [ebp+var_10]
		add	eax, 0FFFFFFDAh
		cmp	esi, eax
		jnb	loc_4BAA4F
		push	esi
		mov	edx, eax
		lea	ecx, [ebp+var_34]
		call	_RtlpMakeXpressCallback@12 ; RtlpMakeXpressCallback(x,x,x)
		mov	[ebp+var_8], eax
		jmp	loc_4BA875
; 

loc_4BAB13:				; CODE XREF: RtlCompressBufferXpressLzStandard+559j
		push	esi
		mov	edx, eax
		lea	ecx, [ebp+var_34]
		call	_RtlpMakeXpressCallback@12 ; RtlpMakeXpressCallback(x,x,x)
		mov	[ebp+var_8], eax
		jmp	loc_4BA7E9
; 

loc_4BAB26:				; CODE XREF: RtlCompressBufferXpressLzStandard+41j
		mov	ecx, [ebp+arg_18]
		cmp	ecx, ebx
		jbe	loc_4BA539
		jmp	loc_4BA537
RtlCompressBufferXpressLzStandard endp

; 
		align 10h
; Exported entry 1383. MmBuildMdlForNonPagedPool

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmBuildMdlForNonPagedPool
MmBuildMdlForNonPagedPool proc near	; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+DFp
					; SmKmIssueVolumeIo(x,x,x,x,x)+80p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C353F SIZE 0000008C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		or	edi, 0FFFFFFFFh
		mov	[esp+30h+var_14], 0
		mov	esi, [ebx+10h]
		lea	eax, [ebx+1Ch]
		mov	ecx, [ebx+18h]
		mov	[esp+30h+var_20], eax
		add	ecx, esi
		mov	eax, [ebp+arg_0]
		mov	[ebx+0Ch], ecx
		and	ecx, 0FFFh
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		mov	dword ptr [ebx+8], 0
		mov	eax, [eax+14h]
		sub	esi, 40000000h
		add	eax, 0FFFh
		mov	[esp+30h+var_4], 0
		add	eax, ecx
		xor	ebx, ebx
		shr	eax, 0Ch
		mov	[esp+30h+var_1C], ebx
		mov	[esp+30h+var_18], ebx
		lea	eax, [esi+eax*8]
		mov	[esp+30h+var_C], eax
		cmp	esi, eax
		jnb	loc_4BACE2
		mov	eax, [esp+30h+var_20]
		nop

loc_4BABC0:				; CODE XREF: MmBuildMdlForNonPagedPool+19Cj
		test	ebx, ebx
		jnz	loc_4BACF3
		mov	edi, esi
		shl	edi, 9
		mov	ecx, edi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	loc_5C353F
		mov	ecx, [esi]
		nop
		nop
		cmp	edi, dword_6D07D0
		jb	loc_5C3556
		shr	edi, 15h
		movzx	edx, byte ptr dword_6D3994[edi]
		mov	[esp+30h+var_18], edx
		cmp	edx, 5
		jnz	loc_4BAD33
		mov	ebx, 3
		mov	[esp+30h+var_1C], ebx

loc_4BAC0C:				; CODE XREF: MmBuildMdlForNonPagedPool+1BCj
					; MmBuildMdlForNonPagedPool+1FCj
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_5C35A1
		cmp	ebx, 3
		jnz	short loc_4BAC35
		mov	edi, [esi]
		nop
		mov	ecx, [esi+4]
		mov	eax, edi
		and	eax, 200h
		or	eax, 0
		jz	loc_4BAD01

loc_4BAC35:				; CODE XREF: MmBuildMdlForNonPagedPool+DDj
					; MmBuildMdlForNonPagedPool+1E6j
		mov	ecx, [esi]
		mov	[esp+30h+var_8], 0
		mov	[esp+30h+var_4], 0
		mov	[esp+30h+var_14], ecx
		nop
		mov	edx, [esi+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_5C3590
		mov	edi, ecx
		nop
		mov	eax, edx
		shrd	edi, eax, 0Ch
		and	edi, 1FFFFFFh
		cmp	[esp+30h+var_18], 0Ch
		jz	loc_5C357A

loc_4BAC77:				; CODE XREF: MmBuildMdlForNonPagedPool+108A11j
					; MmBuildMdlForNonPagedPool+108A4Bj
		mov	eax, [esp+30h+var_20]

loc_4BAC7B:				; CODE XREF: MmBuildMdlForNonPagedPool+1B6j
		mov	ecx, [ebp+arg_0]
		mov	[eax], edi
		movzx	ecx, word ptr [ecx+6]
		mov	[esp+30h+var_10], ecx
		test	ecx, 800h
		jnz	short loc_4BACBD
		cmp	edi, dword_6D07B0
		ja	loc_4BAD45
		mov	eax, dword_6D35B8
		mov	edx, edi
		shr	edx, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		mov	eax, [esp+30h+var_20]
		jz	loc_4BAD41

loc_4BACBD:				; CODE XREF: MmBuildMdlForNonPagedPool+14Ej
					; MmBuildMdlForNonPagedPool+212j
		add	eax, 4
		add	esi, 8
		mov	[esp+30h+var_20], eax
		test	esi, 0FFFh
		jz	short loc_4BAD2B
		cmp	ebx, 1
		jz	loc_4BAD57

loc_4BACD8:				; CODE XREF: MmBuildMdlForNonPagedPool+1F1j
					; MmBuildMdlForNonPagedPool+218j
		cmp	esi, [esp+30h+var_C]
		jb	loc_4BABC0

loc_4BACE2:				; CODE XREF: MmBuildMdlForNonPagedPool+75j
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		or	word ptr [eax+6], 4
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4BACF3:				; CODE XREF: MmBuildMdlForNonPagedPool+82j
		cmp	ebx, 2
		jl	short loc_4BAC7B
		mov	ecx, [esp+30h+var_14]
		jmp	loc_4BAC0C
; 

loc_4BAD01:				; CODE XREF: MmBuildMdlForNonPagedPool+EFj
					; MmBuildMdlForNonPagedPool+108A2Fj
		mov	ebx, edi
		mov	eax, edi
		or	ebx, 220h
		mov	edx, ecx
		nop
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		jnz	loc_5C3563
		cmp	edx, ecx
		jnz	loc_5C3563

loc_4BAD22:				; CODE XREF: MmBuildMdlForNonPagedPool+108A35j
		mov	ebx, [esp+30h+var_1C]
		jmp	loc_4BAC35
; 

loc_4BAD2B:				; CODE XREF: MmBuildMdlForNonPagedPool+18Dj
		xor	ebx, ebx
		mov	[esp+30h+var_1C], ebx
		jmp	short loc_4BACD8
; 

loc_4BAD33:				; CODE XREF: MmBuildMdlForNonPagedPool+BDj
					; MmBuildMdlForNonPagedPool+108A1Ej
		mov	ebx, 2
		mov	[esp+30h+var_1C], ebx
		jmp	loc_4BAC0C
; 

loc_4BAD41:				; CODE XREF: MmBuildMdlForNonPagedPool+177j
		mov	ecx, [esp+30h+var_10]

loc_4BAD45:				; CODE XREF: MmBuildMdlForNonPagedPool+156j
		mov	edx, [ebp+arg_0]
		or	ecx, 800h
		mov	[edx+6], cx
		jmp	loc_4BACBD
; 

loc_4BAD57:				; CODE XREF: MmBuildMdlForNonPagedPool+192j
		inc	edi
		jmp	loc_4BACD8
MmBuildMdlForNonPagedPool endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MI_IS_PHYSICAL_ADDRESS(x)
_MI_IS_PHYSICAL_ADDRESS@4 proc near	; CODE XREF: MiProbeLockFrame(x)+4Ep
					; MiGetPhysicalAddress+27p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		shr	ecx, 9
		mov	eax, 2
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	[ebp+var_8], ecx
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	[ebp+var_4], ecx

loc_4BAD91:				; CODE XREF: MI_IS_PHYSICAL_ADDRESS(x)+51j
		mov	ecx, [ebp+eax*4+var_C]
		dec	eax
		mov	edx, [ecx]
		nop
		mov	ecx, edx
		and	ecx, 1
		or	ecx, 0
		jz	short loc_4BADB3
		and	edx, 80h
		or	edx, 0
		jnz	short loc_4BADB5
		cmp	eax, 1
		jnz	short loc_4BAD91

loc_4BADB3:				; CODE XREF: MI_IS_PHYSICAL_ADDRESS(x)+41j
		xor	eax, eax

loc_4BADB5:				; CODE XREF: MI_IS_PHYSICAL_ADDRESS(x)+4Cj
		mov	esp, ebp
		pop	ebp
		retn
_MI_IS_PHYSICAL_ADDRESS@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiFillPteHierarchy(x, x)
_MiFillPteHierarchy@8 proc near		; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+347p
					; MiCreateSoftwareWsle+4Dp ...
		xor	eax, eax

loc_4BADBC:				; CODE XREF: MiFillPteHierarchy(x,x)+18j
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	[edx+eax*4], ecx
		inc	eax
		cmp	eax, 2
		jl	short loc_4BADBC
		retn
_MiFillPteHierarchy@8 endp

; 
		align 10h
; Exported entry 1193. KeInvalidateRangeAllCachesNoIpi

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeInvalidateRangeAllCachesNoIpi
KeInvalidateRangeAllCachesNoIpi	proc near
					; CODE XREF: MiFlushCacheForAttributeChange(x,x,x)+3Dp
					; KeInvalidateRangeAllCaches(x,x)+75p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		cmp	edx, ds:_KiLargestCacheSize
		jnb	short loc_4BAE31
		mov	eax, large fs:20h
		mov	ecx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [eax+3B8h]
		lea	esi, [ecx+edx]
		mov	edx, ds:dword_70E754
		and	edx, 2
		lea	eax, [edi-1]
		not	eax
		and	eax, ecx
		xor	ecx, ecx
		or	ecx, edx
		jnz	loc_5C35B3
		cmp	eax, esi
		jnb	short loc_4BAE2B

loc_4BAE22:				; CODE XREF: KeInvalidateRangeAllCachesNoIpi+49j
		clflush	byte ptr [eax]
		add	eax, edi
		cmp	eax, esi
		jb	short loc_4BAE22

loc_4BAE2B:				; CODE XREF: KeInvalidateRangeAllCachesNoIpi+40j
					; MmBuildMdlForNonPagedPool+108A86j
		pop	edi
		pop	esi

loc_4BAE2D:				; CODE XREF: KeInvalidateRangeAllCachesNoIpi+56j
		pop	ebp
		retn	8
; 

loc_4BAE31:				; CODE XREF: KeInvalidateRangeAllCachesNoIpi+Ej
		call	KeInvalidateAllCaches
		jmp	short loc_4BAE2D
KeInvalidateRangeAllCachesNoIpi	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnlinkNodeLargePageHelper(x, x, x, x, x)
_MiUnlinkNodeLargePageHelper@20	proc near
					; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+201p
					; MiChangePageAttributeLargeFreeZeroPage(x,x,x)+8Dp ...

var_30		= dword	ptr -30h
var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 28h
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, edx
		mov	[esp+30h+var_18], ecx
		push	0
		mov	esi, ds:_MiLargePageSizes[esi*4]
		mov	ecx, offset _MiSystemPartition
		push	0FFFFFFFFh
		mov	edx, esi
		mov	[esp+38h+var_4], edi
		mov	[esp+38h+var_1C], esi
		call	MiDecreaseAvailablePages
		test	[ebp+arg_8], 8
		jnz	short loc_4BAE95
		test	eax, eax
		jnz	short loc_4BAE95
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	MiIncreaseAvailablePages
		xor	eax, eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4BAE95:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+39j
					; MiUnlinkNodeLargePageHelper(x,x,x,x,x)+3Dj
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	loc_4BB178
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	loc_4BB178
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	al, [edi+16h]
		mov	[esp+30h+var_25], al
		test	al, 8
		jz	short loc_4BAED6
		mov	edx, 1
		mov	ecx, edi
		call	_MiPageListCollision@8 ; MiPageListCollision(x,x)
		lea	ecx, [edi+8]
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		mov	al, [edi+16h]
		mov	[esp+30h+var_25], al

loc_4BAED6:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+79j
		mov	ecx, edi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		mov	ecx, [esp+30h+var_18]
		sub	ecx, dword_6D4E50
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	[esp+30h+var_24], eax
		mov	eax, 66666667h
		imul	ecx
		imul	eax, [ebp+arg_0], 26h
		movzx	ecx, [esp+30h+var_25]
		sar	edx, 8
		and	ecx, 7
		mov	esi, edx
		mov	[esp+30h+var_20], ecx
		shr	esi, 1Fh
		add	esi, edx
		mov	edx, [esp+30h+var_18]
		mov	[esp+30h+var_14], eax
		add	eax, ecx
		dec	dword ptr [edx+eax*4]
		cmp	[esp+30h+var_24], 100000h
		sbb	ecx, ecx
		imul	eax, [ebp+arg_0], 26h
		and	ecx, 2
		add	ecx, 2
		add	ecx, [esp+30h+var_20]
		add	eax, ecx
		dec	dword ptr [edx+eax*4]
		cmp	byte_6D5872, 0
		jz	short loc_4BAF68
		cmp	[ebp+arg_0], 1
		jnz	short loc_4BAF68
		mov	ecx, [esp+30h+var_24]
		mov	eax, dword_6D5950
		shr	ecx, 9
		dec	byte ptr [eax+ecx]

loc_4BAF68:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+111j
					; MiUnlinkNodeLargePageHelper(x,x,x,x,x)+117j
		movzx	ecx, byte ptr [edi+16h]
		mov	edx, [esp+30h+var_14]
		shr	ecx, 6
		cmp	[esp+30h+var_24], 100000h
		sbb	eax, eax
		and	eax, 2
		add	eax, [esp+30h+var_20]
		add	eax, [ebp+arg_4]
		lea	edi, [edx+eax*4]
		mov	eax, [esp+30h+var_24]
		add	edi, ecx
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		div	ds:_MiLargePageSizes[ecx*4]
		xor	edx, edx
		div	dword_6D0740[ecx*4]
		lea	ecx, [edx+edx*2]
		mov	edx, [esp+30h+var_18]
		mov	eax, [edx+edi*4+58h]
		dec	dword ptr [eax+ecx*4+8]
		mov	ecx, offset dword_6D53C0
		dec	dword ptr [edx+edi*4+18h]
		mov	edx, [esp+30h+var_1C]
		mov	eax, edx
		neg	eax
		cmp	[esp+30h+var_20], 0
		jz	short loc_4BAFD1
		mov	ecx, offset dword_6D5400

loc_4BAFD1:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+18Aj
		lock xadd [ecx], eax
		cmp	dword_6D3034, 1
		jnz	loc_4BB080
		mov	ecx, [esp+30h+var_24]
		mov	eax, dword_6D3068
		shr	ecx, 5
		lea	edi, [eax+ecx*4]
		mov	ecx, [esp+30h+var_24]
		and	ecx, 1Fh
		mov	[esp+30h+var_14], ecx
		lea	eax, [ecx+edx]
		cmp	eax, 20h
		ja	short loc_4BB023
		cmp	edx, 20h
		jnz	short loc_4BB011
		mov	dword ptr [edi], 0FFFFFFFFh
		jmp	short loc_4BB080
; 

loc_4BB011:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+1C7j
		mov	ecx, edx
		mov	eax, 1
		shl	eax, cl
		mov	ecx, [esp+30h+var_14]
		dec	eax
		shl	eax, cl
		jmp	short loc_4BB07D
; 

loc_4BB023:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+1C2j
		test	ecx, ecx
		jz	short loc_4BB050
		mov	edx, 20h
		mov	eax, 1
		sub	edx, ecx
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [esp+30h+var_14]
		dec	eax
		shl	eax, cl
		lock or	[edi], eax
		mov	ecx, [esp+30h+var_1C]
		sub	ecx, edx
		mov	edx, [esp+30h+var_1C]
		add	edi, 4
		jmp	short loc_4BB052
; 

loc_4BB050:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+1E5j
		mov	ecx, edx

loc_4BB052:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+20Ej
		cmp	ecx, 20h
		jb	short loc_4BB071
		mov	eax, ecx
		shr	eax, 5
		lea	esp, [esp+0]

loc_4BB060:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+22Fj
		mov	dword ptr [edi], 0FFFFFFFFh
		sub	ecx, 20h
		add	edi, 4
		sub	eax, 1
		jnz	short loc_4BB060

loc_4BB071:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+215j
		test	ecx, ecx
		jz	short loc_4BB080
		mov	eax, 1
		shl	eax, cl
		dec	eax

loc_4BB07D:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+1E1j
		lock or	[edi], eax

loc_4BB080:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+19Cj
					; MiUnlinkNodeLargePageHelper(x,x,x,x,x)+1CFj ...
		cmp	[esp+30h+var_20], 0
		jnz	short loc_4BB0BF
		cmp	byte_6D5871, 1
		jnz	short loc_4BB09A
		mov	[esp+30h+var_20], 1
		jmp	short loc_4BB0BF
; 

loc_4BB09A:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+24Ej
		test	byte ptr ds:_MiFlags, 80h
		jz	short loc_4BB0BF
		mov	eax, dword_6D30F0
		inc	eax
		mov	dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	short loc_4BB0BF
		mov	ecx, [esp+30h+var_24]
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)

loc_4BB0BF:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+245j
					; MiUnlinkNodeLargePageHelper(x,x,x,x,x)+258j ...
		mov	edi, [esp+30h+var_4]
		mov	al, [edi+16h]
		and	al, 0FDh
		or	al, 5
		cmp	[esp+30h+var_20], 1
		mov	[edi+16h], al
		mov	eax, ds:_ZeroPte
		mov	[esp+30h+var_14], eax
		mov	[esp+30h+var_10], eax
		mov	eax, ds:dword_40F9FC
		mov	[esp+30h+var_24], eax
		mov	[esp+30h+var_C], eax
		jnz	short loc_4BB107
		lea	ecx, [esp+30h+var_10]
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		mov	eax, [esp+30h+var_C]
		mov	[esp+30h+var_24], eax
		mov	eax, [esp+30h+var_10]
		mov	[esp+30h+var_14], eax

loc_4BB107:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+2ACj
		mov	ecx, edi
		call	_MiIsFreeZeroPfnCold@4 ; MiIsFreeZeroPfnCold(x)
		mov	ecx, [esp+30h+var_14]
		mov	[edi+8], ecx
		mov	ecx, [esp+30h+var_24]
		mov	[edi+0Ch], ecx
		test	eax, eax
		jz	short loc_4BB12C
		mov	edx, 1
		mov	ecx, edi
		call	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)

loc_4BB12C:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+2DEj
		cmp	[esp+30h+var_1C], 10h
		jnz	short loc_4BB16B
		mov	ecx, [esp+30h+var_18]
		mov	eax, [ecx+4]
		add	eax, [ecx]
		shl	eax, 5
		add	eax, [ecx+9Ch]
		add	eax, [ecx+98h]
		shl	eax, 4
		cmp	eax, 200h
		ja	short loc_4BB16B
		test	byte ptr ds:_MiFlags, 30h
		jz	short loc_4BB16B
		push	esi
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	_MiWakeLargePageRebuild@12 ; MiWakeLargePageRebuild(x,x,x)

loc_4BB16B:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+2F1j
					; MiUnlinkNodeLargePageHelper(x,x,x,x,x)+313j ...
		pop	edi
		mov	eax, 1
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4BB178:				; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+5Aj
					; MiUnlinkNodeLargePageHelper(x,x,x,x,x)+65j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_MiUnlinkNodeLargePageHelper@20	endp


;  S U B	R O U T	I N E 


; __stdcall MiIsFreeZeroPfnCold(x)
_MiIsFreeZeroPfnCold@4 proc near	; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+1E7p
					; MiUnlinkNodeLargePageHelper(x,x,x,x,x)+2C9p ...
		mov	edx, dword_6D0700
		mov	eax, dword_6D0704
		push	esi
		mov	esi, [ecx+0Ch]
		push	edi
		mov	edi, [ecx+8]
		mov	ecx, edx
		or	ecx, eax
		jz	short loc_4BB1A7
		mov	ecx, edi
		and	ecx, 10h
		or	ecx, 0
		jnz	short loc_4BB1A7
		not	eax
		and	esi, eax

loc_4BB1A7:				; CODE XREF: MiIsFreeZeroPfnCold(x)+17j
					; MiIsFreeZeroPfnCold(x)+21j
		pop	edi
		cmp	esi, 0FFFFFFFDh
		pop	esi
		jnz	short loc_4BB1B4
		mov	eax, 1
		retn
; 

loc_4BB1B4:				; CODE XREF: MiIsFreeZeroPfnCold(x)+2Cj
		xor	eax, eax
		retn
_MiIsFreeZeroPfnCold@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiReplenishPageSlist(x, x, x)
_MiReplenishPageSlist@12 proc near	; CODE XREF: MiGetPage+788p
					; MiGetPerfectColorHeadPage+156p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 0E8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		mov	eax, [ebx+8]
		push	esi
		push	edi
		push	90h		; size_t
		mov	[ebp-0CCh], eax
		mov	esi, edx
		lea	eax, [ebp-98h]
		mov	[ebp-0B4h], esi
		mov	edi, ecx
		push	0		; int
		push	eax		; void *
		mov	[ebp-9Ch], edi
		call	_memset
		add	esp, 0Ch
		test	byte ptr [edi+4], 20h
		jnz	loc_4BB710
		mov	eax, [edi+esi*4+954h]
		mov	ecx, [ebp-0CCh]
		mov	edx, [edi+0DB8h]
		lea	eax, [eax+ecx*8]
		mov	[ebp-0E0h], eax
		movzx	eax, word ptr [eax+4]
		cmp	eax, edx
		jnb	loc_4BB710
		sub	edx, eax
		mov	eax, ecx
		mov	cl, byte_6D068C
		shr	eax, cl
		mov	[ebp-0B0h], edx
		lea	esi, [edx+40h]
		xor	edx, edx
		lea	eax, [eax+eax*4]
		shl	eax, 7
		add	eax, [edi+10h]
		mov	[ebp-0E4h], eax
		cmp	[ebp-0B4h], edx
		jnz	short loc_4BB2C1
		mov	esi, [eax+1D0h]
		lea	ecx, [edi+580h]
		mov	edi, [edi+540h]
		mov	[ebp-0D4h], ecx
		mov	ecx, eax
		push	edx
		call	_MiNodeLargeFreeZeroPages@12 ; MiNodeLargeFreeZeroPages(x,x,x)
		mov	edx, [ebp-0B0h]
		add	esi, eax
		lea	eax, [edx+40h]
		cmp	esi, eax
		jb	loc_4BB710
		mov	esi, [ebp-9Ch]
		cmp	byte ptr [esi+0A31h], 1
		jz	loc_4BB710
		jmp	short loc_4BB2F3
; 

loc_4BB2C1:				; CODE XREF: MiReplenishPageSlist(x,x,x)+B7j
		lea	ecx, [edi+5C0h]
		mov	edi, [edi+544h]
		mov	[ebp-0D4h], ecx
		mov	ecx, eax
		push	1000h
		call	_MiNodeFreeZeroPages@12	; MiNodeFreeZeroPages(x,x,x)
		cmp	eax, esi
		jb	loc_4BB710
		mov	edx, [ebp-0B0h]
		mov	esi, [ebp-9Ch]

loc_4BB2F3:				; CODE XREF: MiReplenishPageSlist(x,x,x)+FFj
		mov	eax, [ebp-0CCh]
		lea	eax, [eax+eax*4]
		lea	edi, [edi+eax*4]
		mov	eax, [edi]
		mov	[ebp-0D0h], edi
		cmp	edx, eax
		jbe	short loc_4BB313
		mov	edx, eax
		mov	[ebp-0B0h], eax

loc_4BB313:				; CODE XREF: MiReplenishPageSlist(x,x,x)+149j
		mov	eax, [esi+0FC0h]
		sub	eax, edx
		cmp	eax, 420h
		jb	loc_4BB710
		mov	eax, ds:_HvlEnlightenments
		mov	ecx, esi
		push	0
		and	eax, 200000h
		mov	dword ptr [ebp-0C4h], 0
		push	420h
		mov	dword ptr [ebp-90h], 10h
		mov	[ebp-0D8h], eax
		mov	[ebp-0C0h], edx
		call	MiDecreaseAvailablePages
		test	eax, eax
		jz	loc_4BB6FD
		mov	eax, [edi+8]
		mov	[ebp-0C8h], eax
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+ecx*4]
		xor	eax, eax
		mov	[ebp-0ACh], esi
		mov	[ebp-0BCh], eax
		mov	[ebp-0DCh], esi

loc_4BB394:				; CODE XREF: MiReplenishPageSlist(x,x,x)+463j
		lea	edi, [esi+10h]
		mov	[ebp-0A4h], edi
		lock bts dword ptr [edi], 1Fh
		jb	loc_4BB62B
		cmp	dword ptr [ebp-0B4h], 0
		mov	[ebp-0BCh], esi
		jnz	short loc_4BB3F8
		test	byte ptr ds:_MiFlags, 80h
		jz	short loc_4BB3F8
		mov	eax, dword_6D30F0
		inc	eax
		mov	dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	short loc_4BB3F8
		mov	ecx, esi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	edx, 1
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)

loc_4BB3F8:				; CODE XREF: MiReplenishPageSlist(x,x,x)+1F5j
					; MiReplenishPageSlist(x,x,x)+1FEj ...
		cmp	dword_6D3034, 1
		jnz	loc_4BB4AF
		mov	ecx, esi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		mov	edi, 1
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	[ebp-0B8h], eax
		mov	ecx, eax
		mov	eax, dword_6D3068
		shr	ecx, 5
		lea	esi, [eax+ecx*4]
		mov	ecx, [ebp-0B8h]
		and	ecx, 1Fh
		mov	[ebp-0B8h], ecx
		lea	eax, [ecx+1]
		cmp	eax, 20h
		ja	short loc_4BB455
		mov	eax, edi
		shl	eax, cl
		jmp	short loc_4BB4A0
; 

loc_4BB455:				; CODE XREF: MiReplenishPageSlist(x,x,x)+28Dj
		test	ecx, ecx
		jz	short loc_4BB496
		mov	edx, 20h
		mov	eax, edi
		sub	edx, ecx
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [ebp-0B8h]
		dec	eax
		shl	eax, cl
		lock or	[esi], eax
		sub	edi, edx
		add	esi, 4
		cmp	edi, 20h
		jb	short loc_4BB492
		mov	eax, edi
		shr	eax, 5

loc_4BB481:				; CODE XREF: MiReplenishPageSlist(x,x,x)+2D0j
		mov	dword ptr [esi], 0FFFFFFFFh
		sub	edi, 20h
		add	esi, 4
		sub	eax, 1
		jnz	short loc_4BB481

loc_4BB492:				; CODE XREF: MiReplenishPageSlist(x,x,x)+2BAj
		test	edi, edi
		jz	short loc_4BB4A3

loc_4BB496:				; CODE XREF: MiReplenishPageSlist(x,x,x)+297j
		mov	eax, 1
		mov	ecx, edi
		shl	eax, cl
		dec	eax

loc_4BB4A0:				; CODE XREF: MiReplenishPageSlist(x,x,x)+293j
		lock or	[esi], eax

loc_4BB4A3:				; CODE XREF: MiReplenishPageSlist(x,x,x)+2D4j
		mov	esi, [ebp-0ACh]
		mov	edi, [ebp-0A4h]

loc_4BB4AF:				; CODE XREF: MiReplenishPageSlist(x,x,x)+23Fj
		mov	al, [esi+16h]
		and	al, 0FDh
		or	al, 5
		mov	[esi+16h], al
		test	byte ptr [esi+16h], 8
		jz	short loc_4BB4CB
		mov	edx, 1
		mov	ecx, esi
		call	_MiPageListCollision@8 ; MiPageListCollision(x,x)

loc_4BB4CB:				; CODE XREF: MiReplenishPageSlist(x,x,x)+2FDj
		and	dword ptr [edi], 0FF800000h
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		cmp	dword ptr [ebp-0D8h], 0
		jz	short loc_4BB519
		mov	ecx, esi
		call	_MiIsFreeZeroPfnCold@4 ; MiIsFreeZeroPfnCold(x)
		test	eax, eax
		jz	short loc_4BB519
		mov	ecx, [ebp-94h]
		cmp	ecx, 10h
		jnb	short loc_4BB519
		mov	eax, [ebp-0C8h]
		mov	edx, 1000h
		mul	edx
		mov	[ebp+ecx*8-88h], eax
		mov	[ebp+ecx*8-84h], edx
		inc	dword ptr [ebp-94h]

loc_4BB519:				; CODE XREF: MiReplenishPageSlist(x,x,x)+320j
					; MiReplenishPageSlist(x,x,x)+32Bj ...
		mov	eax, [esi]
		mov	[ebp-0C8h], eax
		cmp	eax, offset loc_7FFFFF
		jz	short loc_4BB53B
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+ecx*4]
		jmp	short loc_4BB53D
; 

loc_4BB53B:				; CODE XREF: MiReplenishPageSlist(x,x,x)+366j
		xor	esi, esi

loc_4BB53D:				; CODE XREF: MiReplenishPageSlist(x,x,x)+379j
		mov	edi, [ebp-0BCh]
		xor	ecx, ecx
		mov	edx, [ebp-0B4h]
		and	edx, 0Fh
		mov	[ebp-0ACh], esi
		shld	ecx, edx, 0Ch
		mov	eax, [edi+8]
		or	ecx, [edi+0Ch]
		and	eax, 0FFFF0FFFh
		shl	edx, 0Ch
		or	edx, eax
		mov	[edi+0Ch], ecx
		mov	eax, edx
		mov	[edi+8], edx
		or	eax, ecx
		jnz	short loc_4BB57E
		xor	edx, edx
		mov	[ebp-0A4h], edx
		jmp	short loc_4BB5BC
; 

loc_4BB57E:				; CODE XREF: MiReplenishPageSlist(x,x,x)+3B2j
		mov	eax, dword_6D0704
		mov	edi, dword_6D0700
		mov	[ebp-0A4h], eax
		mov	eax, edi
		or	eax, [ebp-0A4h]
		jz	short loc_4BB5B6
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4BB5B3
		mov	eax, [ebp-0A4h]
		not	edi
		not	eax
		and	edx, edi
		and	ecx, eax
		jmp	short loc_4BB5B6
; 

loc_4BB5B3:				; CODE XREF: MiReplenishPageSlist(x,x,x)+3E1j
		and	edx, 0FFFFFFEFh

loc_4BB5B6:				; CODE XREF: MiReplenishPageSlist(x,x,x)+3D7j
					; MiReplenishPageSlist(x,x,x)+3F1j
		mov	[ebp-0A4h], ecx

loc_4BB5BC:				; CODE XREF: MiReplenishPageSlist(x,x,x)+3BCj
		mov	eax, dword_6D0704
		xor	edi, edi
		mov	ecx, dword_6D0700
		or	edi, 0FFFFFFFEh
		mov	[ebp-0A4h], eax
		mov	eax, ecx
		or	eax, [ebp-0A4h]
		mov	[ebp-0B8h], ecx
		jz	short loc_4BB601
		mov	eax, [ebp-0A4h]
		and	ecx, edx
		and	eax, edi
		or	ecx, eax
		jnz	short loc_4BB5FE
		or	edx, [ebp-0B8h]
		or	edi, [ebp-0A4h]
		jmp	short loc_4BB601
; 

loc_4BB5FE:				; CODE XREF: MiReplenishPageSlist(x,x,x)+42Ej
		or	edx, 10h

loc_4BB601:				; CODE XREF: MiReplenishPageSlist(x,x,x)+420j
					; MiReplenishPageSlist(x,x,x)+43Cj
		mov	eax, [ebp-0BCh]
		mov	[eax+0Ch], edi
		mov	edi, [ebp-0C4h]
		inc	edi
		mov	[eax+8], edx
		sub	dword ptr [ebp-0B0h], 1
		mov	[eax], esi
		mov	[ebp-0C4h], edi
		jnz	loc_4BB394
		jmp	short loc_4BB631
; 

loc_4BB62B:				; CODE XREF: MiReplenishPageSlist(x,x,x)+1E2j
		mov	edi, [ebp-0C4h]

loc_4BB631:				; CODE XREF: MiReplenishPageSlist(x,x,x)+469j
		mov	eax, [ebp-0C0h]
		sub	eax, edi
		mov	[ebp-0C0h], eax
		test	edi, edi
		jz	loc_4BB753
		cmp	dword ptr [ebp-94h], 0
		jz	short loc_4BB665
		lea	ecx, [ebp-98h]
		mov	dword ptr [ebp-98h], 1
		call	_MiNotifyPageHeat@4 ; MiNotifyPageHeat(x)

loc_4BB665:				; CODE XREF: MiReplenishPageSlist(x,x,x)+48Ej
		mov	ecx, [ebp-0D0h]
		mov	eax, [ebp-0C8h]
		mov	[ecx+8], eax
		cmp	eax, offset loc_7FFFFF
		jz	loc_4BB725
		mov	ecx, [esi+10h]
		add	esi, 10h
		mov	edx, ecx
		mov	eax, ecx
		or	edx, offset loc_7FFFFF
		lock cmpxchg [esi], edx
		cmp	ecx, eax
		jz	short loc_4BB6B2
		jmp	short loc_4BB6A0
; 
		align 10h

loc_4BB6A0:				; CODE XREF: MiReplenishPageSlist(x,x,x)+4D7j
					; MiReplenishPageSlist(x,x,x)+4F0j
		mov	edx, eax
		mov	ecx, eax
		or	edx, offset loc_7FFFFF
		lock cmpxchg [esi], edx
		cmp	ecx, eax
		jnz	short loc_4BB6A0

loc_4BB6B2:				; CODE XREF: MiReplenishPageSlist(x,x,x)+4D5j
		mov	esi, [ebp-9Ch]

loc_4BB6B8:				; CODE XREF: MiReplenishPageSlist(x,x,x)+58Ej
		mov	eax, [ebp-0BCh]
		mov	edx, [ebp-0DCh]
		mov	ecx, [ebp-0E0h]
		push	edi
		push	eax
		call	@InterlockedPushListSList@16 ; InterlockedPushListSList(x,x,x,x)
		mov	eax, [ebp-0D0h]
		mov	ecx, [ebp-0D4h]
		sub	[eax], edi
		neg	edi
		mov	eax, edi
		lock xadd [ecx], eax
		mov	eax, [ebp-0B4h]
		mov	ecx, [ebp-0E4h]
		add	eax, 74h
		lea	eax, [ecx+eax*4]
		lock xadd [eax], edi

loc_4BB6FD:				; CODE XREF: MiReplenishPageSlist(x,x,x)+1A0j
		mov	eax, [ebp-0C0h]

loc_4BB703:				; CODE XREF: MiReplenishPageSlist(x,x,x)+599j
		test	eax, eax
		jz	short loc_4BB710
		mov	edx, eax
		mov	ecx, esi
		call	MiIncreaseAvailablePages

loc_4BB710:				; CODE XREF: MiReplenishPageSlist(x,x,x)+5Dj
					; MiReplenishPageSlist(x,x,x)+85j ...
		mov	ecx, [ebp-4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_4BB725:				; CODE XREF: MiReplenishPageSlist(x,x,x)+4B9j
		mov	ecx, [ebp-0CCh]
		mov	esi, [ebp-9Ch]
		mov	edx, [ebp-0B4h]
		push	0
		push	ecx
		mov	ecx, esi
		call	_MiUpdateZeroFreeBitmap@16 ; MiUpdateZeroFreeBitmap(x,x,x,x)
		mov	eax, [ebp-0D0h]
		mov	dword ptr [eax+0Ch], offset loc_7FFFFF
		jmp	loc_4BB6B8
; 

loc_4BB753:				; CODE XREF: MiReplenishPageSlist(x,x,x)+481j
		mov	esi, [ebp-9Ch]
		jmp	short loc_4BB703
_MiReplenishPageSlist@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiNodeLargeFreeZeroPages(x,	x, x)
_MiNodeLargeFreeZeroPages@12 proc near	; CODE XREF: .text:00470D6Dp
					; .text:00470D8Ap ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], edx
		mov	edx, ecx
		push	ebx
		push	esi
		xor	ecx, ecx
		mov	[ebp+var_8], edx
		lea	eax, [edx+eax*4]
		mov	[ebp+var_C], ecx
		push	edi
		xor	esi, esi
		mov	[ebp+var_10], eax
		xor	edi, edi
		jmp	short loc_4BB790
; 
		align 10h

loc_4BB790:				; CODE XREF: MiNodeLargeFreeZeroPages(x,x,x)+25j
					; MiNodeLargeFreeZeroPages(x,x,x)+B4j
		cmp	[ebp+var_4], 1
		mov	ebx, ds:_MiLargePageSizes[edi]
		jnz	short loc_4BB7AF
		cmp	[ebp+arg_0], 2
		jnz	short loc_4BB7AB
		mov	eax, [esi+edx+4]
		add	eax, [esi+edx]
		jmp	short loc_4BB7F5
; 

loc_4BB7AB:				; CODE XREF: MiNodeLargeFreeZeroPages(x,x,x)+40j
		mov	eax, [eax]
		jmp	short loc_4BB7F5
; 

loc_4BB7AF:				; CODE XREF: MiNodeLargeFreeZeroPages(x,x,x)+3Aj
		mov	ecx, [ebp+var_4]
		add	ecx, [ebp+arg_0]
		mov	eax, ecx
		shl	eax, 4
		add	eax, esi
		add	edx, eax
		lea	eax, [ecx+4]
		shl	eax, 4
		add	ecx, 2
		add	eax, esi
		mov	[ebp+var_14], edx
		mov	edx, [ebp+var_8]
		shl	ecx, 4
		add	ecx, esi
		mov	eax, [eax+edx]
		add	eax, [ecx+edx]
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_C]
		add	eax, [edx+44h]
		add	eax, [edx+3Ch]
		add	eax, [edx+38h]
		add	eax, [edx+24h]
		add	eax, [edx+1Ch]
		add	eax, [edx+18h]
		mov	edx, [ebp+var_8]

loc_4BB7F5:				; CODE XREF: MiNodeLargeFreeZeroPages(x,x,x)+49j
					; MiNodeLargeFreeZeroPages(x,x,x)+4Dj
		imul	ebx, eax
		add	edi, 4
		mov	eax, [ebp+var_10]
		add	esi, 98h
		add	eax, 98h
		mov	[ebp+var_10], eax
		add	ecx, ebx
		mov	[ebp+var_C], ecx
		cmp	edi, 8
		jb	loc_4BB790
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiNodeLargeFreeZeroPages@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDecreaseAvailablePages proc near	; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+30p
					; MiReplenishPageSlist(x,x,x)+199p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C35CB SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	eax, [edi+0FC0h]
		cmp	edx, 1
		jz	short loc_4BB897
		mov	ebx, edx
		neg	ebx
		lock xadd [eax], ebx
		mov	eax, [edi+0B30h]
		mov	esi, ebx
		sub	esi, edx
		cmp	esi, eax
		jbe	short loc_4BB8BB

loc_4BB85B:				; CODE XREF: MiDecreaseAvailablePages+8Dj
		mov	eax, [edi+0B2Ch]
		cmp	esi, eax
		jbe	short loc_4BB8C4

loc_4BB865:				; CODE XREF: MiDecreaseAvailablePages+82j
					; MiDecreaseAvailablePages+96j	...
		cmp	esi, 420h
		jbe	loc_5C35D5

loc_4BB871:				; CODE XREF: MiDecreaseAvailablePages+107DC3j
					; MiDecreaseAvailablePages+107DCFj ...
		mov	eax, [ebp+arg_0]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4BB889
		cmp	esi, eax
		jb	short loc_4BB8CD
		mov	eax, 1

loc_4BB882:				; CODE XREF: MiDecreaseAvailablePages+65j
					; MiDecreaseAvailablePages+9Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_4BB889:				; CODE XREF: MiDecreaseAvailablePages+47j
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		call	MiPageAvailableEx
		jmp	short loc_4BB882
; 

loc_4BB897:				; CODE XREF: MiDecreaseAvailablePages+13j
		or	esi, 0FFFFFFFFh
		lock xadd [eax], esi
		dec	esi
		cmp	esi, [edi+0B2Ch]
		jz	short loc_4BB8B4
		cmp	esi, [edi+0B30h]
		jz	short loc_4BB8B4

loc_4BB8AF:				; CODE XREF: MiDecreaseAvailablePages+89j
		lea	ebx, [esi+1]
		jmp	short loc_4BB865
; 

loc_4BB8B4:				; CODE XREF: MiDecreaseAvailablePages+75j
					; MiDecreaseAvailablePages+7Dj
		call	MiUpdateAvailableEvents
		jmp	short loc_4BB8AF
; 

loc_4BB8BB:				; CODE XREF: MiDecreaseAvailablePages+29j
		cmp	ebx, eax
		jbe	short loc_4BB85B
		jmp	loc_5C35CB
; 

loc_4BB8C4:				; CODE XREF: MiDecreaseAvailablePages+33j
		cmp	ebx, eax
		jbe	short loc_4BB865
		jmp	loc_5C35CB
; 

loc_4BB8CD:				; CODE XREF: MiDecreaseAvailablePages+4Bj
		xor	eax, eax
		jmp	short loc_4BB882
MiDecreaseAvailablePages endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPageAvailableEx proc near		; CODE XREF: MmAccessFault+6D3p
					; MiDemoteLocalLargePage(x,x,x,x)+1C3p	...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C3628 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		cmp	edx, 9Fh
		jb	loc_5C3628

loc_4BB8E4:				; CODE XREF: MiPageAvailableEx+107D5Dj
					; MiPageAvailableEx+107D75j ...
		xor	eax, eax
		inc	eax

loc_4BB8E7:				; CODE XREF: MiPageAvailableEx+107DACj
		pop	ebx
		pop	ebp
		retn	4
MiPageAvailableEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiObtainProtoReference(x, x)
_MiObtainProtoReference@8 proc near	; CODE XREF: MiHandleCollidedFault(x,x,x,x,x,x)+79p
					; .text:00478879p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+10h]
		test	dl, 1
		jnz	short loc_4BB91F
		and	[ebp+var_4], 0

loc_4BB902:				; CODE XREF: MiObtainProtoReference(x,x)+48j
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4BB926

loc_4BB909:				; CODE XREF: MiObtainProtoReference(x,x)+38j
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4BB91F:				; CODE XREF: MiObtainProtoReference(x,x)+10j
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		jmp	short loc_4BB909
; 

loc_4BB926:				; CODE XREF: MiObtainProtoReference(x,x)+1Bj
					; MiObtainProtoReference(x,x)+46j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4BB926
		jmp	short loc_4BB902
_MiObtainProtoReference@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiRemoveLockedPageChargeAndDecRef(x)
_MiRemoveLockedPageChargeAndDecRef@4 proc near
					; CODE XREF: MiHandleCollidedFault(x,x,x,x,x,x)+ADp
					; MiHandleCollidedFault(x,x,x,x,x,x)+FBp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		test	eax, eax
		jnz	short loc_4BB946
		pop	esi
		retn
; 

loc_4BB946:				; CODE XREF: MiRemoveLockedPageChargeAndDecRef(x)+Cj
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, esi
		mov	edx, eax
		call	MiPfnReferenceCountIsZero
		xor	eax, eax
		inc	eax
		pop	esi
		retn
_MiRemoveLockedPageChargeAndDecRef@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMappingHasIoTracker(x)
_MiMappingHasIoTracker@4 proc near	; CODE XREF: MmUnmapIoSpace+33p
					; MmProtectMdlSystemAddress(x,x)+142p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, 40000000h
		push	edi
		shr	esi, 9
		mov	edi, offset loc_7FFFF8
		and	esi, edi
		sub	esi, ebx
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	short loc_4BB9A2

loc_4BB988:				; CODE XREF: MiMappingHasIoTracker(x)+4Aj
		mov	ecx, [esi]
		nop
		pop	edi
		and	ecx, 200h
		or	ecx, 0
		pop	esi
		pop	ebx
		jnz	short loc_4BB99D
		xor	eax, eax
		leave
		retn
; 

loc_4BB99D:				; CODE XREF: MiMappingHasIoTracker(x)+35j
		xor	eax, eax
		inc	eax
		leave
		retn
; 

loc_4BB9A2:				; CODE XREF: MiMappingHasIoTracker(x)+24j
					; MiMappingHasIoTracker(x)+4Cj
		shr	esi, 9
		and	esi, edi
		sub	esi, ebx
		sub	eax, 1
		jz	short loc_4BB988
		jmp	short loc_4BB9A2
_MiMappingHasIoTracker@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1480. MmUnmapIoSpace
; Exported entry 1483. MmUnmapVideoDisplay

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmUnmapIoSpace
MmUnmapIoSpace	proc near		; CODE XREF: MmFreeContiguousMemory+D7p
					; WmipFirmwareTableHandler+93p	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi	; MmUnmapIoSpace
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		add	ebx, 0FFFh
		mov	eax, edi
		and	eax, 0FFFh
		add	ebx, eax
		shr	ebx, 0Ch
		test	byte ptr ds:dword_7051B4, 1
		jnz	sub_5C3683

loc_4BB9E7:				; CODE XREF: sub_5C3683+Aj
		mov	ecx, edi
		call	_MiMappingHasIoTracker@4 ; MiMappingHasIoTracker(x)
		mov	ecx, edi
		mov	esi, eax
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		mov	[esp+10h+var_4], eax
		cmp	esi, 1
		jz	short loc_4BBA27

loc_4BBA00:				; CODE XREF: MmUnmapIoSpace+7Ej
		test	eax, eax
		jnz	short loc_4BBA36
		shr	edi, 9
		mov	ecx, offset dword_6D35E0
		and	edi, offset loc_7FFFF8
		push	ebx
		lea	edx, [edi-40000000h]
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_4BBA1E:				; CODE XREF: MmUnmapIoSpace+8Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4BBA27:				; CODE XREF: MmUnmapIoSpace+48j
		mov	edx, ebx
		mov	ecx, edi
		call	MiZeroAndFlushPtes
		mov	eax, [esp+10h+var_4]
		jmp	short loc_4BBA00
; 

loc_4BBA36:				; CODE XREF: MmUnmapIoSpace+4Cj
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	9
		call	MiUnmapLargePages
		jmp	short loc_4BBA1E
MmUnmapIoSpace	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPrivateFixup(x, x, x, x, x)
_MiPrivateFixup@20 proc	near		; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+D4Bp

var_70		= dword	ptr -70h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		lea	eax, [ecx+14h]
		mov	[ebp+var_1C], edx
		mov	edx, [eax]
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		test	byte ptr [edx+60h], 7
		push	edi
		mov	edi, [ecx]
		mov	[ebp+var_10], eax
		mov	eax, [ebx+80h]
		mov	[ebp+var_30], ecx
		mov	byte ptr [ebp+var_5], 0
		mov	[ebp+var_38], edx
		mov	[ebp+var_14], edi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_3C], eax
		jnz	short loc_4BBAAE
		mov	eax, [eax+140h]
		test	eax, eax
		jz	short loc_4BBAAE
		cmp	eax, ebx
		jz	short loc_4BBAA0
		or	dword ptr [ecx+24h], 4

loc_4BBAA0:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+4Aj
		mov	eax, 129h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4BBAAE:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+3Cj
					; MiPrivateFixup(x,x,x,x,x)+46j
		mov	esi, [ebp+arg_4]
		mov	ebx, [esi+8]
		mov	eax, [esi+0Ch]
		shrd	ebx, eax, 5
		and	ebx, 1Fh
		cmp	edi, dword_6D07D0
		jb	short loc_4BBAE7
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_4BBAE7
		test	ds:_MiFlags, 4000h
		jz	short loc_4BBAE7
		test	bl, 2
		jz	short loc_4BBAE7
		xor	edi, edi
		mov	[ebp+var_18], edi
		jmp	short loc_4BBB03
; 

loc_4BBAE7:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+74j
					; MiPrivateFixup(x,x,x,x,x)+7Dj ...
		mov	edx, 1
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	edi, eax
		mov	[ebp+var_18], edi
		test	edi, edi
		jz	loc_4BBCB5

loc_4BBB03:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+95j
		mov	eax, [ebp+var_14]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_24], eax
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		mov	[ebp+var_4C], ecx
		mov	ecx, esi
		sub	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_48], eax
		mov	eax, 92492493h
		imul	ecx
		push	2
		add	edx, ecx
		mov	ecx, offset _MiSystemPartition
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	edx, 1
		mov	[ebp+var_2C], eax
		call	MiObtainFaultCharges
		test	edi, edi
		jnz	short loc_4BBBD0
		mov	eax, [ebp+var_14]
		cmp	eax, dword_6D07D0
		jb	short loc_4BBBD0
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_5]
		push	eax
		mov	dl, 1
		call	_MiReleaseFaultState@12	; MiReleaseFaultState(x,x,x)
		mov	cl, byte ptr [ebp+var_5]
		mov	esi, eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	edi
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	MiAllocateDriverPage
		mov	ecx, [ebp+var_10]
		mov	ebx, eax
		mov	edx, esi
		mov	[ebp+var_C], ebx
		call	MiRelockFaultState
		mov	ecx, [ebp+var_30]
		lea	eax, [ebp+var_4C]
		push	eax
		push	[ebp+var_24]
		mov	edx, [ecx]
		call	_MiIsFaultPteIntact@16 ; MiIsFaultPteIntact(x,x,x,x)
		test	eax, eax
		jnz	loc_4BBC59
		mov	esi, 0C0000434h
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_4BBC20
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[ebx*8]
		sub	ecx, ebx
		lea	ecx, [eax+ecx*4]
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		jmp	short loc_4BBC20
; 

loc_4BBBD0:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+103j
					; MiPrivateFixup(x,x,x,x,x)+10Ej
		mov	ecx, esi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	cl, byte_6D068C
		push	0
		mov	edx, [eax+4]
		mov	eax, dword_6D06D0
		and	eax, [ebp+var_2C]
		shl	edx, cl
		mov	ecx, offset _MiSystemPartition
		or	edx, eax
		call	MiGetPage
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_4BBC59
		mov	esi, 0C000009Ah

loc_4BBC20:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+166j
					; MiPrivateFixup(x,x,x,x,x)+17Ej
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_4BBC3C
		mov	edx, offset dword_6D5E40
		lock xadd [edx], eax

loc_4BBC3C:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+1E1j
		test	edi, edi
		jz	short loc_4BBC4E
		push	1
		mov	edx, edi
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_4BBC4E:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+1EEj
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4BBC59:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+158j
					; MiPrivateFixup(x,x,x,x,x)+1C9j
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[ebx*8]
		sub	ecx, ebx
		lea	ebx, [eax+ecx*4]
		mov	ecx, 2
		mov	[ebp+var_34], ebx
		call	_MiGetInPageSupportBlock@4 ; MiGetInPageSupportBlock(x)
		mov	esi, eax
		mov	[ebp+var_40], esi
		test	esi, esi
		jnz	short loc_4BBCC3
		test	edi, edi
		jz	short loc_4BBC92
		push	1
		mov	edx, edi
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_4BBC92:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+232j
		mov	ecx, ebx
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_4BBCB5
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_4BBCB5:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+ADj
					; MiPrivateFixup(x,x,x,x,x)+25Aj
		mov	eax, 0C000009Ah
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4BBCC3:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+22Ej
		mov	ecx, [ebp+var_20]
		mov	[ebp+var_28], 0
		call	_MiGetEffectivePagePriorityThread@4 ; MiGetEffectivePagePriorityThread(x)
		mov	ecx, [ebp+var_14]
		lea	edx, [ebp+var_C]
		or	dword ptr [esi+78h], 20h
		and	al, 7
		or	al, 48h
		mov	[esi+94h], ebx
		mov	ebx, [ebp+var_24]
		mov	byte ptr [ebp+var_28], al
		push	[ebp+var_28]
		mov	dword ptr [esi+30h], 0
		push	esi
		push	ebx
		push	1
		mov	dword ptr [esi+34h], 0
		call	_MiInitializeReadInProgressPfn@24 ; MiInitializeReadInProgressPfn(x,x,x,x,x,x)
		mov	eax, [ebp+var_38]
		test	byte ptr [eax+60h], 7
		jnz	short loc_4BBD20
		mov	eax, [ebp+var_3C]
		mov	ecx, 1
		add	eax, 14Ch
		lock xadd [eax], ecx

loc_4BBD20:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+2BDj
		mov	eax, [ebx]
		nop
		mov	ecx, [ebx+4]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_50], ecx
		mov	[esi+80h], eax
		lea	edi, [eax+40h]
		mov	[ebp+var_38], edi
		jmp	short loc_4BBD40
; 
		align 10h

loc_4BBD40:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+2EBj
					; MiPrivateFixup(x,x,x,x,x)+30Bj ...
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_3C], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_4BBD40
		cmp	edx, [ebp+var_3C]
		jnz	short loc_4BBD40
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_5]
		push	eax
		mov	dl, 1
		call	_MiReleaseFaultState@12	; MiReleaseFaultState(x,x,x)
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_20]
		dec	word ptr [eax+13Eh]
		nop
		mov	cl, byte ptr [ebp+var_5]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, [ebp+var_18]
		mov	ecx, edi
		mov	ebx, [ebp+var_C]
		neg	ecx
		mov	edx, [ebp+var_2C]
		sbb	ecx, ecx
		and	ecx, 38h
		add	ecx, 11h
		push	ecx
		push	0
		mov	ecx, ebx
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)
		test	edi, edi
		jz	loc_4BBE79
		mov	edx, [ebp+var_34]
		mov	ecx, 4
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		or	eax, 0A0000000h
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	MiMakeValidPte
		mov	ecx, edi
		mov	esi, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_4BBE2A
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_4BBDFF
		cmp	byte ptr word_6D07B8+1,	0
		mov	ecx, 1
		jnz	short loc_4BBE2C
		mov	eax, esi
		and	eax, ecx
		or	eax, 0
		jz	short loc_4BBE2C
		or	edx, 80000000h
		jmp	short loc_4BBE2C
; 

loc_4BBDFF:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+38Ej
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_4BBE27
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_4BBE27
		or	edx, 80000000h

loc_4BBE27:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+3C5j
					; MiPrivateFixup(x,x,x,x,x)+3CFj
		mov	ebx, [ebp+var_C]

loc_4BBE2A:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+385j
		xor	ecx, ecx

loc_4BBE2C:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+39Cj
					; MiPrivateFixup(x,x,x,x,x)+3A5j ...
		mov	[edi+4], edx
		nop
		mov	[edi], esi
		test	ecx, ecx
		jz	short loc_4BBE3F
		push	edx
		push	esi
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_4BBE3F:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+3E4j
		mov	eax, [ebp+arg_4]
		mov	edx, edi
		shl	edx, 9
		test	dword ptr [eax+18h], 800000h
		jnz	short loc_4BBE59
		mov	eax, [eax+4]
		test	eax, eax
		js	short loc_4BBE59
		jnz	short loc_4BBE6B

loc_4BBE59:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+3FEj
					; MiPrivateFixup(x,x,x,x,x)+405j
		push	2
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_1C]
		push	ebx
		push	[ebp+arg_0]
		call	MiRelocateImagePfn

loc_4BBE6B:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+407j
		push	1
		mov	edx, edi
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_4BBE79:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+358j
		mov	edi, [ebp+var_38]
		lea	esp, [esp+0]

loc_4BBE80:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+44Ej
					; MiPrivateFixup(x,x,x,x,x)+452j
		mov	eax, [edi]
		mov	ebx, eax
		mov	esi, [edi+4]
		sub	ebx, 1
		mov	ecx, esi
		mov	[ebp+arg_4], eax
		sbb	ecx, 0
		mov	edx, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+arg_4]
		cmp	eax, ecx
		jnz	short loc_4BBE80
		cmp	edx, esi
		jnz	short loc_4BBE80
		mov	edi, [ebp+var_18]
		add	ecx, 0FFFFFFFFh
		adc	esi, 0FFFFFFFFh
		or	ecx, esi
		jnz	short loc_4BBEB9
		mov	ecx, [ebp+var_1C]
		call	MiDeleteControlArea

loc_4BBEB9:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+45Fj
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [ebp+var_20]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edx, [ebp+var_3C]
		mov	ecx, [ebp+var_10]
		call	MiRelockFaultState
		lea	eax, [ebp+var_54]
		push	eax
		mov	eax, [ebp+var_30]
		mov	ecx, eax
		push	[ebp+var_24]
		mov	edx, [eax]
		call	_MiIsFaultPteIntact@16 ; MiIsFaultPteIntact(x,x,x,x)
		mov	ebx, [ebp+var_34]
		mov	ecx, ebx
		mov	[ebp+arg_8], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, [ebx+16h]
		lea	esi, [ebx+10h]
		and	cl, 0DFh
		mov	byte ptr [ebp+arg_4+3],	al
		test	dword ptr [esi], 40000000h
		mov	[ebx+16h], cl
		mov	dword ptr [ebx], 0
		jnz	short loc_4BBF18
		mov	al, cl
		or	al, 10h
		mov	[ebx+16h], al

loc_4BBF18:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+4BFj
		cmp	[ebp+arg_8], 1
		jnz	short loc_4BBF99
		mov	edx, 3
		mov	ecx, ebx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	edx, 1
		mov	ecx, ebx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	al, [ebx+16h]
		and	al, 0FEh
		or	al, 6
		mov	[ebx+16h], al
		test	edi, edi
		jnz	short loc_4BBF53
		mov	eax, [ebp+var_14]
		cmp	eax, dword_6D07D0
		jb	short loc_4BBF53
		or	byte ptr [ebx+17h], 8

loc_4BBF53:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+4F2j
					; MiPrivateFixup(x,x,x,x,x)+4FDj
		xor	edi, edi

loc_4BBF55:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+54Ej
		mov	ecx, ebx
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_40]
		and	dword ptr [esi+78h], 0FFFFFFDFh
		cmp	dword ptr [esi+68h], 1
		jle	short loc_4BBF87
		push	0
		push	0
		lea	ecx, [esi+20h]
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_4BBF87:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+528j
		mov	ecx, esi
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4BBF99:				; CODE XREF: MiPrivateFixup(x,x,x,x,x)+4CCj
		mov	edi, 0C0000434h
		jmp	short loc_4BBF55
_MiPrivateFixup@20 endp


;  S U B	R O U T	I N E 


; __stdcall MiFreeInPageSupportBlock(x)
_MiFreeInPageSupportBlock@4 proc near	; CODE XREF: MiWaitForCollidedFaultComplete+DDp
					; .text:0045E8F8p ...
		mov	eax, large fs:124h
		push	esi
		mov	esi, ecx
		cmp	[esi+58h], eax
		jnz	short loc_4BBFBC
		cmp	dword ptr [esi+84h], 0
		jz	short loc_4BBFBC
		call	KeAbPostRelease

loc_4BBFBC:				; CODE XREF: MiFreeInPageSupportBlock(x)+Cj
					; MiFreeInPageSupportBlock(x)+15j
		or	eax, 0FFFFFFFFh
		lock xadd [esi+68h], eax
		jnz	short loc_4BBFDB
		mov	ecx, [esi+98h]
		test	ecx, ecx
		jnz	short loc_4BBFDD

loc_4BBFD0:				; CODE XREF: MiFreeInPageSupportBlock(x)+45j
					; MiFreeInPageSupportBlock(x)+4Fj
		mov	ecx, esi
		call	_MiInsertInPageBlock@4 ; MiInsertInPageBlock(x)
		test	eax, eax
		jz	short loc_4BBFF1

loc_4BBFDB:				; CODE XREF: MiFreeInPageSupportBlock(x)+24j
		pop	esi
		retn
; 

loc_4BBFDD:				; CODE XREF: MiFreeInPageSupportBlock(x)+2Ej
		lea	eax, [esi+0A8h]
		cmp	ecx, eax
		jz	short loc_4BBFD0
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4BBFD0
; 

loc_4BBFF1:				; CODE XREF: MiFreeInPageSupportBlock(x)+39j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
_MiFreeInPageSupportBlock@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiInsertInPageBlock(x)
_MiInsertInPageBlock@4 proc near	; CODE XREF: MiFreeInPageSupportBlock(x)+32p
					; MiInitializePageFaultResources()+89p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi+78h]
		shr	edx, 6
		not	edx
		and	edx, 1
		cmp	esi, dword_6D34B4[edx*4]
		jb	short loc_4BC01E
		cmp	esi, dword_6D34BC[edx*4]
		jb	short loc_4BC042

loc_4BC01E:				; CODE XREF: MiInsertInPageBlock(x)+17j
		movzx	eax, byte_6D34B0[edx]
		cmp	word ptr dword_6D3494[edx*8], ax
		jnb	short loc_4BC04B
		lea	ecx, dword_6D3490[edx*8]

loc_4BC036:				; CODE XREF: MiInsertInPageBlock(x)+4Dj
		mov	edx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_4BC042:				; CODE XREF: MiInsertInPageBlock(x)+20j
		lea	ecx, dword_6D34A0[edx*8]
		jmp	short loc_4BC036
; 

loc_4BC04B:				; CODE XREF: MiInsertInPageBlock(x)+31j
		xor	eax, eax
		pop	esi
		retn
_MiInsertInPageBlock@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIsFaultPteIntact(x, x, x,	x)
_MiIsFaultPteIntact@16 proc near	; CODE XREF: MiWaitForCollidedFaultComplete+138p
					; MiFinishHardFault(x,x,x,x)+240p ...

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		call	MiFindActualFaultingPte
		test	eax, eax
		jz	short loc_4BC0E3
		mov	edi, [eax]
		nop
		mov	esi, [eax+4]
		cmp	eax, [ebp+arg_0]
		jz	short loc_4BC0BB
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		jz	short loc_4BC0E3
		push	esi
		push	edi
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jnz	short loc_4BC0D1
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edx, dword_6D0704
		or	eax, edx
		jz	short loc_4BC0B0
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4BC0B0
		not	edx
		and	esi, edx

loc_4BC0B0:				; CODE XREF: MiIsFaultPteIntact(x,x,x,x)+50j
					; MiIsFaultPteIntact(x,x,x,x)+5Aj ...
		cmp	esi, [ebp+arg_0]
		jnz	short loc_4BC0E3
		mov	edi, [esi]
		nop
		mov	esi, [esi+4]

loc_4BC0BB:				; CODE XREF: MiIsFaultPteIntact(x,x,x,x)+27j
		mov	eax, [ebp+arg_4]
		cmp	edi, [eax]
		jnz	short loc_4BC0E3
		cmp	esi, [eax+4]
		jnz	short loc_4BC0E3
		xor	eax, eax
		inc	eax

loc_4BC0CA:				; CODE XREF: MiIsFaultPteIntact(x,x,x,x)+95j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4BC0D1:				; CODE XREF: MiIsFaultPteIntact(x,x,x,x)+3Ej
		lea	eax, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_C]
		call	MiCheckVirtualAddress
		mov	esi, eax
		jmp	short loc_4BC0B0
; 

loc_4BC0E3:				; CODE XREF: MiIsFaultPteIntact(x,x,x,x)+1Cj
					; MiIsFaultPteIntact(x,x,x,x)+33j ...
		xor	eax, eax
		jmp	short loc_4BC0CA
_MiIsFaultPteIntact@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFindActualFaultingPte	proc near	; CODE XREF: MiIsFaultPteIntact(x,x,x,x)+15p
					; MiFindActualFaultingPte+F9p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_2E		= word ptr -2Eh
var_2C		= byte ptr -2Ch
var_2B		= byte ptr -2Bh
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C3692 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		lea	eax, [ebp+var_48]
		mov	[ebp+var_4C], 0
		push	0		; int
		push	eax		; void *
		mov	edi, edx
		mov	[ebp+var_5C], 0
		mov	esi, ecx
		mov	[ebp+var_58], 0
		mov	[ebp+var_54], 0
		call	_memset
		add	esp, 0Ch
		mov	ecx, edi
		test	byte ptr [esi+1Dh], 1
		jnz	loc_5C3692
		mov	eax, [esi+20h]
		shr	ecx, 12h
		and	ecx, 3FF8h
		sub	ecx, 3FA00000h
		cmp	eax, ecx
		jnz	loc_4BC1F4
		mov	esi, edi
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h

loc_4BC16C:				; CODE XREF: MiFindActualFaultingPte+1075DCj
		mov	ebx, [esi]
		nop
		mov	ecx, [esi+4]
		mov	eax, ebx
		and	eax, 1
		mov	[ebp+var_54], ecx
		or	eax, 0
		jnz	loc_4BC205
		mov	eax, ebx
		and	eax, 400h
		or	eax, 0
		jz	short loc_4BC1F2
		push	ecx
		push	ebx
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jnz	short loc_4BC20E
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edi, dword_6D0704
		or	eax, edi
		mov	edx, [ebp+var_54]
		mov	[ebp+var_4C], edx
		jz	short loc_4BC1C3
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4BC209
		mov	edx, edi
		not	edx
		and	edx, [ebp+var_4C]

loc_4BC1C3:				; CODE XREF: MiFindActualFaultingPte+C0j
					; MiFindActualFaultingPte+11Cj	...
		and	[ebp+var_2B], 0FEh
		lea	ecx, [ebp+var_48]
		xor	eax, eax
		mov	[ebp+var_48], edx
		mov	[ebp+var_2E], ax
		mov	eax, edx
		shr	eax, 12h
		and	eax, 3FF8h
		mov	[ebp+var_2C], 21h
		sub	eax, 3FA00000h
		mov	[ebp+var_28], eax
		call	MiFindActualFaultingPte
		test	eax, eax
		jnz	short loc_4BC1F4

loc_4BC1F2:				; CODE XREF: MiFindActualFaultingPte+9Dj
					; MiFindActualFaultingPte+1075BFj
		mov	eax, esi

loc_4BC1F4:				; CODE XREF: MiFindActualFaultingPte+65j
					; MiFindActualFaultingPte+100j	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4BC205:				; CODE XREF: MiFindActualFaultingPte+8Dj
					; MiFindActualFaultingPte+132j	...
		xor	eax, eax
		jmp	short loc_4BC1F4
; 

loc_4BC209:				; CODE XREF: MiFindActualFaultingPte+CAj
		mov	edx, [ebp+var_4C]
		jmp	short loc_4BC1C3
; 

loc_4BC20E:				; CODE XREF: MiFindActualFaultingPte+A8j
		lea	eax, [ebp+var_4C]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_5C]
		call	MiCheckVirtualAddress
		mov	edx, eax
		test	edx, edx
		jnz	short loc_4BC1C3
		jmp	short loc_4BC205
MiFindActualFaultingPte	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiChangePageAttribute proc near		; CODE XREF: MiAssignNonPagedPoolPte(x,x)+155p
					; MiInitializeHardFaultPfn(x,x,x,x,x)+E4p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005C36D1 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		test	[ebp+arg_0], 1
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	esi, ecx
		jnz	loc_4BC312
		mov	eax, dword_6D3058
		cmp	eax, large fs:124h
		jz	loc_4BC312
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	bh, al

loc_4BC257:				; CODE XREF: MiChangePageAttribute+F0j
		mov	eax, esi
		mov	bl, [esi+16h]
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		movzx	edi, bl
		xor	ecx, ecx
		shr	edi, 6
		mov	[ebp+var_C], eax
		call	_MiPageCombiningActive@4 ; MiPageCombiningActive(x)
		test	eax, eax
		jnz	loc_5C36D1
		mov	ecx, dword ptr [ebp+arg_0]

loc_4BC283:				; CODE XREF: MiChangePageAttribute+1074BAj
		mov	al, byte ptr [ebp+var_4]
		and	bl, 3Fh
		shl	al, 6
		or	bl, al
		mov	[esi+16h], bl
		cmp	edi, 3
		jz	short loc_4BC29B
		test	cl, 4
		jz	short loc_4BC2BA

loc_4BC29B:				; CODE XREF: MiChangePageAttribute+70j
					; MiChangePageAttribute+C4j ...
		cmp	bh, 21h
		jz	short loc_4BC2B3
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4BC2B3:				; CODE XREF: MiChangePageAttribute+7Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4BC2BA:				; CODE XREF: MiChangePageAttribute+75j
		test	cl, 2
		jnz	short loc_4BC319
		mov	ecx, [esi+10h]
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		xor	edx, edx
		shr	ecx, 17h
		and	ecx, 0Fh
		lock or	[eax], edx
		mov	edx, ds:_KiTbFlushTimeStamp
		push	0Fh
		call	_MiTbFlushTimeStampMayNeedFlush@12 ; MiTbFlushTimeStampMayNeedFlush(x,x,x)
		cmp	al, 1
		jz	short loc_4BC319

loc_4BC2E5:				; CODE XREF: MiChangePageAttribute+106j
		cmp	edi, 1
		jnz	short loc_4BC29B
		inc	dword_6D06E0
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	[ebp+var_4]
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		inc	edx
		mov	bl, al
		call	_MiFlushCacheForAttributeChange@12 ; MiFlushCacheForAttributeChange(x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4BC29B
; 

loc_4BC312:				; CODE XREF: MiChangePageAttribute+14j
					; MiChangePageAttribute+26j
		mov	bh, 21h
		jmp	loc_4BC257
; 

loc_4BC319:				; CODE XREF: MiChangePageAttribute+99j
					; MiChangePageAttribute+BFj
		inc	dword_6D06D8
		push	2
		pop	edx
		push	4
		pop	ecx
		call	KeFlushTb
		jmp	short loc_4BC2E5
MiChangePageAttribute endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFinalizePageAttribute(x, x, x)
_MiFinalizePageAttribute@12 proc near	; CODE XREF: MiMigratePfn(x,x,x,x)+380p
					; .text:0046F753p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		movzx	eax, byte ptr [esi+16h]
		shr	eax, 6
		cmp	eax, edx
		jnz	short loc_4BC350

loc_4BC33F:				; CODE XREF: MiFinalizePageAttribute(x,x,x)+33j
		push	[ebp+arg_0]
		xor	edx, edx
		mov	ecx, esi
		call	_MiSetPfnTbFlushStamp@12 ; MiSetPfnTbFlushStamp(x,x,x)
		pop	esi
		pop	ebp
		retn	4
; 

loc_4BC350:				; CODE XREF: MiFinalizePageAttribute(x,x,x)+11j
		xor	eax, eax
		cmp	[ebp+arg_0], 1
		setz	al
		push	eax
		call	MiChangePageAttribute
		jmp	short loc_4BC33F
_MiFinalizePageAttribute@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiInitializePageFaultPacket(char,int,void *)
_MiInitializePageFaultPacket@20	proc near ; CODE XREF: MmAccessFault+588p
					; .text:00478860p ...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		push	40h		; size_t
		push	0		; int
		push	ebx		; void *
		mov	edi, edx
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		lea	edx, [ebx+0Ch]
		mov	ecx, edi
		call	_MiFillPteHierarchy@8 ;	MiFillPteHierarchy(x,x)
		mov	eax, [ebp+arg_4]
		mov	[ebx+8], eax
		movsx	eax, [ebp+arg_0]
		shl	eax, 6
		xor	eax, [ebx+24h]
		mov	[ebx], edi
		and	eax, 40h
		xor	[ebx+24h], eax
		pop	edi
		mov	[ebx+4], esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_MiInitializePageFaultPacket@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnlockWsle(x, x, x)
_MiUnlockWsle@12 proc near		; CODE XREF: .text:00458BA3p
					; .text:004764A6p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	ecx, esi
		mov	edi, edx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4BC3ED
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jz	short loc_4BC3ED
		test	byte ptr [ebx+60h], 7
		jnz	short loc_4BC3ED
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		inc	edx
		call	MiReturnCommit
		lock dec dword_6D5F60

loc_4BC3ED:				; CODE XREF: MiUnlockWsle(x,x,x)+1Aj
					; MiUnlockWsle(x,x,x)+27j ...
		mov	eax, edi
		mov	byte ptr [ebp+arg_0], 0
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	ecx, [eax-40000000h]
		nop
		and	ecx, 20h
		or	ecx, 0
		jnz	short loc_4BC40E
		mov	byte ptr [ebp+arg_0], 1

loc_4BC40E:				; CODE XREF: MiUnlockWsle(x,x,x)+5Ej
		mov	ecx, large fs:124h
		call	_MiGetEffectivePagePriorityThread@4 ; MiGetEffectivePagePriorityThread(x)
		cmp	eax, 5
		jnb	short loc_4BC423
		mov	byte ptr [ebp+arg_0], 7

loc_4BC423:				; CODE XREF: MiUnlockWsle(x,x,x)+73j
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, ebx
		push	1
		call	MiSetVaAgeList
		cmp	edi, dword_6D07D0
		jnb	short loc_4BC498
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4BC45D
		mov	eax, [esi+18h]
		xor	edx, edx
		and	eax, offset loc_7FFFFF
		inc	edx
		imul	ecx, eax, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiUnlockPageTableCharges@8 ; MiUnlockPageTableCharges(x,x)

loc_4BC45D:				; CODE XREF: MiUnlockWsle(x,x,x)+98j
		mov	eax, edi
		shr	eax, 12h
		and	eax, 3FF8h
		mov	ecx, [eax-3FA00000h]
		nop
		mov	eax, [eax-3F9FFFFCh]
		shrd	ecx, eax, 0Ch
		push	2
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		pop	edx
		add	ecx, ds:_MmPfnDatabase
		call	_MiUnlockPageTableCharges@8 ; MiUnlockPageTableCharges(x,x)
		mov	edx, edi
		mov	ecx, ebx
		call	_MiUnlockVaSoftWsle@8 ;	MiUnlockVaSoftWsle(x,x)

loc_4BC498:				; CODE XREF: MiUnlockWsle(x,x,x)+8Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiUnlockWsle@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPfCompleteInPageSupport proc near	; CODE XREF: MiPfCompletePrefetchIos(x,x,x)+35p
					; MiPfCompleteCoalescedIo+A3p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_34		= dword	ptr -34h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C36E3 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_48]
		push	ebx		; int
		push	eax		; void *
		mov	esi, edx
		mov	edi, ecx
		call	_memset
		mov	edx, [edi+78h]
		add	esp, 0Ch
		mov	[ebp+var_4C], ebx
		cmp	esi, 1
		jz	short loc_4BC519

loc_4BC4D5:				; CODE XREF: MiPfCompleteInPageSupport+91j
		lea	eax, [ebp+var_48]
		or	edx, 1000000h
		push	eax		; void *
		push	ebx		; int
		mov	[edi+78h], edx
		xor	ecx, ecx
		push	ebx		; char
		xor	edx, edx
		call	_MiInitializePageFaultPacket@20	; MiInitializePageFaultPacket(x,x,x,x,x)
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_34], esi
		push	eax
		mov	edx, edi
		lea	ecx, [ebp+var_48]
		call	_MiWaitForInPageComplete@12 ; MiWaitForInPageComplete(x,x,x)
		push	ebx
		push	edi
		xor	edx, edx
		lea	ecx, [ebp+var_48]
		call	_MiFinishHardFault@16 ;	MiFinishHardFault(x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4BC519:				; CODE XREF: MiPfCompleteInPageSupport+33j
		mov	eax, edx
		shr	eax, 1
		and	eax, 3
		sub	eax, 1
		jnz	short loc_4BC533
		xor	ecx, ecx

loc_4BC527:				; CODE XREF: MiPfCompleteInPageSupport+107250j
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	esi, eax

loc_4BC52E:				; CODE XREF: MiPfCompleteInPageSupport+A6j
					; MiPfCompleteInPageSupport+ADj ...
		and	edx, 0FFFFFFF9h
		jmp	short loc_4BC4D5
; 

loc_4BC533:				; CODE XREF: MiPfCompleteInPageSupport+83j
		sub	eax, 1
		jz	short loc_4BC548
		sub	eax, 1
		jnz	loc_5C36E3
		mov	esi, offset unk_6D3740
		jmp	short loc_4BC52E
; 

loc_4BC548:				; CODE XREF: MiPfCompleteInPageSupport+96j
		mov	esi, offset unk_6D3840
		jmp	short loc_4BC52E
MiPfCompleteInPageSupport endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPfCompletePrefetchIos(x, x, x)
_MiPfCompletePrefetchIos@12 proc near	; CODE XREF: MmWaitForCacheManagerPrefetch(x)+22p
					; MiPrefetchVirtualMemory+391p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	eax, edx
		xor	edi, edi
		mov	esi, ecx
		test	eax, eax
		jnz	short loc_4BC5A2

loc_4BC562:				; CODE XREF: MiPfCompletePrefetchIos(x,x,x)+3Cj
					; MiPfCompletePrefetchIos(x,x,x)+43j ...
		mov	ecx, [esi]
		cmp	ecx, esi
		jz	short loc_4BC599
		cmp	[ecx+4], esi
		jnz	short loc_4BC5B5
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_4BC5B5
		mov	edx, [ebp+arg_0]
		mov	[esi], eax
		mov	[eax+4], esi
		test	dword ptr [ecx+78h], (offset loc_7FFFFF+1)
		jnz	short loc_4BC5AE
		call	MiPfCompleteInPageSupport

loc_4BC58A:				; CODE XREF: MiPfCompletePrefetchIos(x,x,x)+63j
		test	eax, eax
		jns	short loc_4BC562
		cmp	eax, 0C0000434h
		jz	short loc_4BC562
		mov	edi, eax
		jmp	short loc_4BC562
; 

loc_4BC599:				; CODE XREF: MiPfCompletePrefetchIos(x,x,x)+16j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
; 

loc_4BC5A2:				; CODE XREF: MiPfCompletePrefetchIos(x,x,x)+10j
		push	edi
		mov	edx, esi
		mov	ecx, eax
		call	MiPfCoalesceAndIssueIOs
		jmp	short loc_4BC562
; 

loc_4BC5AE:				; CODE XREF: MiPfCompletePrefetchIos(x,x,x)+33j
		call	MiPfCompleteCoalescedIo
		jmp	short loc_4BC58A
; 

loc_4BC5B5:				; CODE XREF: MiPfCompletePrefetchIos(x,x,x)+1Bj
					; MiPfCompletePrefetchIos(x,x,x)+22j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_MiPfCompletePrefetchIos@12 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiBuildMappedCluster proc near		; CODE XREF: MiGatherMappedPages+184p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C36F5 SIZE 0000027A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		xor	eax, eax
		mov	[ebp+var_3C], ecx
		push	ebx
		mov	byte ptr [ebp+var_1], al
		mov	ebx, edx
		push	esi
		push	edi
		mov	eax, ecx
		mov	edi, [ecx+8]
		sub	eax, ds:_MmPfnDatabase
		cdq
		push	1Ch
		pop	esi
		idiv	esi
		mov	edx, dword_6D0704
		mov	[ebp+var_44], eax
		lea	eax, [ebx+1Ch]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_C], eax
		mov	eax, [ecx+4]
		mov	esi, eax
		or	esi, 80000000h
		mov	[ebp+var_4C], eax
		mov	eax, [ecx+0Ch]
		mov	ecx, dword_6D0700
		mov	[ebp+var_28], ebx
		mov	ebx, esi
		mov	[ebp+var_14], eax
		and	ebx, 0FFFFF000h
		mov	eax, ecx
		mov	[ebp+var_24], esi
		or	eax, edx
		mov	[ebp+var_18], esi
		jz	loc_5C36F5
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		mov	eax, [ebp+var_14]
		jnz	short loc_4BC63B
		not	edx
		and	eax, edx
		mov	[ebp+var_14], eax

loc_4BC63B:				; CODE XREF: MiBuildMappedCluster+78j
					; MiBuildMappedCluster+10713Ej
		mov	eax, [eax+4]
		cmp	ebx, eax
		jb	loc_4BC7A7

loc_4BC646:				; CODE XREF: MiBuildMappedCluster+1EFj
		lea	eax, [esi-78h]
		mov	[ebp+var_20], ebx
		cmp	ebx, eax
		jnb	short loc_4BC653
		lea	ebx, [esi-78h]

loc_4BC653:				; CODE XREF: MiBuildMappedCluster+94j
		mov	eax, [ebp+var_3C]
		lea	edx, [ebp+var_1]
		push	80000000h
		mov	eax, [eax+18h]
		and	eax, offset loc_7FFFFF
		mov	ecx, eax
		mov	[ebp+var_38], eax
		call	MiMapPageInHyperSpaceWorker
		mov	edi, esi
		mov	[ebp+var_1C], eax
		and	edi, 0FFFh
		add	edi, eax
		cmp	[ebp+arg_0], 0
		jnz	loc_4BC921
		mov	eax, esi
		mov	[ebp+var_20], eax

loc_4BC68C:				; CODE XREF: MiBuildMappedCluster+36Aj
		mov	ecx, esi
		xor	esi, esi
		inc	esi
		mov	[ebp+var_8], ecx
		cmp	ecx, eax
		ja	loc_4BC95F

loc_4BC69C:				; CODE XREF: MiBuildMappedCluster+3BBj
					; MiBuildMappedCluster+3CBj ...
		mov	eax, edi
		mov	edx, ecx
		xor	eax, ecx
		and	edx, 0FFFFF000h
		and	eax, 0FFFh
		add	edx, 1000h
		xor	edi, eax
		mov	[ebp+var_10], edx
		mov	eax, [ebp+var_14]
		mov	ecx, [eax+1Ch]
		mov	eax, [eax+4]
		lea	eax, [eax+ecx*8]
		cmp	edx, eax
		ja	loc_4BC79D

loc_4BC6CC:				; CODE XREF: MiBuildMappedCluster+1E8j
		mov	ebx, [ebp+var_8]
		mov	[ebp+var_14], edx
		lea	eax, [ebx+80h]
		cmp	edx, eax
		jbe	short loc_4BC6DF
		mov	[ebp+var_14], eax

loc_4BC6DF:				; CODE XREF: MiBuildMappedCluster+120j
		cmp	[ebp+arg_0], 0
		jnz	short loc_4BC6F0
		lea	eax, [ebx+8]
		mov	edx, eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], edx

loc_4BC6F0:				; CODE XREF: MiBuildMappedCluster+129j
		mov	ecx, esi
		mov	[ebp+var_20], ecx
		cmp	[ebp+var_8], edx
		jnb	short loc_4BC723
		mov	eax, [ebp+var_18]

loc_4BC6FD:				; CODE XREF: MiBuildMappedCluster+167j
		cmp	ebx, eax
		jnz	loc_4BC7AE
		mov	ecx, [ebp+var_C]
		mov	esi, [ebp+var_44]
		mov	[ecx], esi
		add	ecx, 4
		xor	esi, esi
		mov	[ebp+var_C], ecx
		inc	esi

loc_4BC716:				; CODE XREF: MiBuildMappedCluster+2E6j
					; MiBuildMappedCluster+1071B2j
		mov	ecx, [ebp+var_20]
		add	ebx, 8
		add	edi, 8
		cmp	ebx, edx
		jb	short loc_4BC6FD

loc_4BC723:				; CODE XREF: MiBuildMappedCluster+13Ej
					; MiBuildMappedCluster+39Aj
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_4BC739
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, eax
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)

loc_4BC739:				; CODE XREF: MiBuildMappedCluster+16Ej
		mov	edi, [ebp+var_14]
		mov	eax, ebx
		mov	[ebp+var_C], eax
		cmp	ebx, edi
		ja	loc_4BCC4A

loc_4BC749:				; CODE XREF: MiBuildMappedCluster+692j
		mov	edx, [ebp+var_8]
		sub	ebx, edx
		sar	ebx, 3
		cmp	[ebp+var_20], 3
		jz	short loc_4BC76A
		cmp	eax, edi
		mov	edi, [ebp+var_24]
		ja	loc_4BCA13
		cmp	edi, edx
		jb	loc_4BCA13

loc_4BC76A:				; CODE XREF: MiBuildMappedCluster+19Bj
					; MiBuildMappedCluster+479j
		mov	ecx, [ebp+var_28]

loc_4BC76D:				; CODE XREF: MiBuildMappedCluster+676j
		shl	ebx, 0Ch
		xor	edx, edx
		mov	eax, ebx
		mov	[ecx+14h], ebx
		shr	eax, 0Ch
		push	2
		mov	[ecx], edx
		mov	[ecx+10h], edx
		lea	eax, ds:1Ch[eax*4]
		mov	[ecx+18h], edx
		mov	[ecx+4], ax
		pop	eax
		pop	edi
		pop	esi
		mov	[ecx+6], ax
		mov	eax, ecx
		pop	ebx
		leave
		retn	4
; 

loc_4BC79D:				; CODE XREF: MiBuildMappedCluster+10Cj
		mov	edx, eax
		mov	[ebp+var_10], eax
		jmp	loc_4BC6CC
; 

loc_4BC7A7:				; CODE XREF: MiBuildMappedCluster+86j
		mov	ebx, eax
		jmp	loc_4BC646
; 

loc_4BC7AE:				; CODE XREF: MiBuildMappedCluster+145j
		cmp	ecx, 3
		jz	loc_5C36FD

loc_4BC7B7:				; CODE XREF: MiBuildMappedCluster+107158j
		mov	ecx, [edi]
		mov	[ebp+var_30], ecx
		nop
		mov	eax, [edi+4]
		mov	[ebp+var_34], eax
		mov	eax, ecx
		and	eax, 401h
		or	eax, 0
		jnz	loc_4BC934
		mov	eax, ecx
		xor	ecx, ecx
		and	eax, 800h
		or	eax, ecx
		jz	loc_4BC934
		mov	ecx, dword_6D0700
		mov	eax, dword_6D0704
		not	ecx
		not	eax
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+var_34]
		mov	[ebp+arg_0], ecx
		mov	ecx, [ebp+var_30]
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+arg_0]
		and	eax, ecx
		and	eax, 3FFFFFFh
		mov	[ebp+arg_0], eax
		cmp	eax, dword_6D07B0
		ja	loc_5C3763
		mov	edx, eax
		mov	ecx, eax
		mov	eax, dword_6D35B8
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, esi
		jz	loc_5C3760
		imul	ecx, [ebp+arg_0], 1Ch
		xor	eax, eax
		mov	[ebp+var_48], eax
		add	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_40], ecx
		lea	eax, [ecx+10h]
		mov	[ebp+arg_0], eax
		lock bts dword ptr [eax], 1Fh
		jb	loc_5C3717

loc_4BC85C:				; CODE XREF: MiBuildMappedCluster+10717Aj
		mov	eax, [edi]
		nop
		mov	edx, [edi+4]
		cmp	[ebp+var_30], eax
		jnz	loc_5C374A
		cmp	[ebp+var_34], edx
		jnz	loc_5C374A
		test	byte ptr [ecx+16h], 10h
		jz	loc_4BC929
		xor	eax, eax
		cmp	[ecx+14h], ax
		jnz	loc_4BC929
		cmp	ebx, [ebp+var_14]
		jb	short loc_4BC8A5

loc_4BC88F:				; CODE XREF: MiBuildMappedCluster+362j
		mov	eax, [ebp+arg_0]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_4BC89A:				; CODE XREF: MiBuildMappedCluster+1071A1j
		mov	eax, [ebp+var_18]

loc_4BC89D:				; CODE XREF: MiBuildMappedCluster+10726Fj
		mov	edx, [ebp+var_10]
		jmp	loc_4BC716
; 

loc_4BC8A5:				; CODE XREF: MiBuildMappedCluster+2D3j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	loc_5C3739
		push	80000000h
		mov	dl, 2
		mov	ecx, eax
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	ecx, [ebp+var_40]
		xor	edx, edx
		call	MiReferencePageForModifiedWrite
		mov	ecx, [ebp+var_38]
		xor	edx, edx
		push	80000000h
		mov	[ebp+var_20], eax
		call	MiMapPageInHyperSpaceWorker
		mov	ecx, [ebp+var_20]
		and	edi, 0FFFh
		mov	[ebp+var_1C], eax
		add	edi, eax

loc_4BC8E8:				; CODE XREF: MiBuildMappedCluster+10718Bj
		test	ecx, ecx
		jz	short loc_4BC929
		mov	ecx, dword_6D0700
		mov	eax, dword_6D0704
		not	ecx
		mov	edx, [ebp+var_34]
		not	eax
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+var_30]
		shrd	eax, edx, 0Ch
		and	ecx, eax
		mov	eax, [ebp+var_C]
		and	ecx, 3FFFFFFh
		mov	[eax], ecx
		add	eax, 4
		mov	[ebp+var_C], eax
		jmp	loc_4BC88F
; 

loc_4BC921:				; CODE XREF: MiBuildMappedCluster+C7j
		mov	eax, [ebp+var_20]
		jmp	loc_4BC68C
; 

loc_4BC929:				; CODE XREF: MiBuildMappedCluster+2BEj
					; MiBuildMappedCluster+2CAj ...
		mov	eax, [ebp+arg_0]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_4BC934:				; CODE XREF: MiBuildMappedCluster+213j
					; MiBuildMappedCluster+224j ...
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_4BC94F
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, eax
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		xor	eax, eax
		mov	[ebp+var_1C], eax

loc_4BC94F:				; CODE XREF: MiBuildMappedCluster+37Fj
		mov	edx, [ebp+var_18]
		cmp	ebx, edx
		jnb	loc_4BC723
		jmp	loc_5C3771
; 

loc_4BC95F:				; CODE XREF: MiBuildMappedCluster+DCj
					; MiBuildMappedCluster+43Fj
		sub	edi, 8
		mov	edx, [edi]
		nop
		mov	eax, [edi+4]
		mov	[ebp+var_40], eax
		mov	eax, edx
		and	eax, 401h
		or	eax, 0
		jnz	loc_4BC69C
		mov	eax, edx
		and	eax, 800h
		or	eax, 0
		jz	loc_4BC69C
		mov	ecx, dword_6D0700
		mov	eax, dword_6D0704
		not	ecx
		not	eax
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+var_40]
		shrd	edx, eax, 0Ch
		and	ecx, edx
		and	ecx, 3FFFFFFh
		mov	[ebp+var_40], ecx
		cmp	ecx, dword_6D07B0
		ja	short loc_4BCA04
		mov	eax, dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, esi
		jz	short loc_4BCA04
		imul	eax, [ebp+var_40], 1Ch
		add	eax, ds:_MmPfnDatabase
		test	byte ptr [eax+16h], 10h
		jz	short loc_4BCA04
		xor	ecx, ecx
		cmp	[eax+14h], cx
		jnz	short loc_4BCA04
		mov	eax, [ebp+var_24]
		sub	eax, 8
		mov	[ebp+var_24], eax
		cmp	eax, ebx
		jnb	short loc_4BCA0C
		mov	ecx, [ebp+var_8]

loc_4BC9F6:				; CODE XREF: MiBuildMappedCluster+457j
		cmp	eax, [ebp+var_20]
		ja	loc_4BC95F
		jmp	loc_4BC69C
; 

loc_4BCA04:				; CODE XREF: MiBuildMappedCluster+3FCj
					; MiBuildMappedCluster+412j ...
		mov	ecx, [ebp+var_8]
		jmp	loc_4BC69C
; 

loc_4BCA0C:				; CODE XREF: MiBuildMappedCluster+437j
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		jmp	short loc_4BC9F6
; 

loc_4BCA13:				; CODE XREF: MiBuildMappedCluster+1A2j
					; MiBuildMappedCluster+1AAj
		sub	eax, edi
		mov	edx, 65576D4Dh
		sar	eax, 3
		lea	ecx, ds:1Ch[eax*4]
		xor	eax, eax
		push	eax
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_4BC76A
		mov	ecx, [ebp+var_2C]
		lea	edx, [ebp+var_1]
		add	eax, 1Ch
		mov	[ebp+var_18], ecx
		mov	[ebp+var_40], eax
		mov	ebx, eax
		mov	eax, [ebp+var_3C]
		push	80000000h
		mov	[ebp+var_28], esi
		mov	ecx, [eax+18h]
		and	ecx, offset loc_7FFFFF
		call	MiMapPageInHyperSpaceWorker
		mov	edx, edi
		mov	ecx, eax
		and	edx, 0FFFh
		mov	[ebp+arg_0], ecx
		add	edx, ecx
		mov	[ebp+var_1C], edx
		cmp	edi, [ebp+var_C]
		jnb	loc_4BCC13
		mov	eax, [ebp+var_8]

loc_4BCA81:				; CODE XREF: MiBuildMappedCluster+653j
		cmp	edi, [ebp+var_14]
		jb	loc_4BCC35

loc_4BCA8A:				; CODE XREF: MiBuildMappedCluster+67Dj
		cmp	[ebp+var_28], 3
		jz	loc_5C382E

loc_4BCA94:				; CODE XREF: MiBuildMappedCluster+107282j
		mov	eax, [edx]
		mov	[ebp+var_20], eax
		nop
		mov	esi, [edx+4]
		and	eax, 401h
		mov	[ebp+var_30], esi
		xor	esi, esi
		push	1
		or	eax, esi
		pop	esi
		jnz	loc_5C3842
		mov	eax, [ebp+var_20]
		and	eax, 800h
		or	eax, 0
		jz	loc_5C3842
		mov	ecx, dword_6D0700
		mov	eax, dword_6D0704
		not	ecx
		not	eax
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+var_30]
		mov	[ebp+var_34], ecx
		mov	ecx, [ebp+var_20]
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+var_34]
		and	eax, ecx
		and	eax, 3FFFFFFh
		mov	[ebp+var_34], eax
		cmp	eax, dword_6D07B0
		ja	loc_4BCC51
		mov	edx, eax
		mov	ecx, eax
		mov	eax, dword_6D35B8
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, esi
		jz	loc_5C3967
		imul	ecx, [ebp+var_34], 1Ch
		xor	eax, eax
		mov	[ebp+var_50], eax
		add	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_34], ecx
		lea	eax, [ecx+10h]
		mov	[ebp+var_24], eax
		lock bts dword ptr [eax], 1Fh
		jb	loc_5C38FD

loc_4BCB3B:				; CODE XREF: MiBuildMappedCluster+10735Dj
		mov	edx, [ebp+var_1C]
		mov	eax, [edx]
		nop
		mov	esi, [edx+4]
		push	1
		mov	[ebp+var_50], esi
		pop	esi
		cmp	[ebp+var_20], eax
		jnz	loc_5C3957
		mov	eax, [ebp+var_30]
		cmp	eax, [ebp+var_50]
		jnz	loc_5C3957
		test	byte ptr [ecx+16h], 10h
		jz	loc_5C3944
		xor	eax, eax
		cmp	[ecx+14h], ax
		jnz	loc_5C3944
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	loc_5C391C
		push	80000000h
		mov	dl, 2
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	ecx, [ebp+var_34]
		xor	edx, edx
		call	MiReferencePageForModifiedWrite
		mov	ecx, [ebp+var_38]
		xor	edx, edx
		push	80000000h
		mov	[ebp+var_28], eax
		call	MiMapPageInHyperSpaceWorker
		mov	edx, [ebp+var_1C]
		mov	ecx, eax
		mov	eax, [ebp+var_28]
		and	edx, 0FFFh
		mov	[ebp+arg_0], ecx
		add	edx, ecx

loc_4BCBBB:				; CODE XREF: MiBuildMappedCluster+107375j
		test	eax, eax
		jz	loc_5C3934
		mov	ecx, dword_6D0700
		mov	eax, dword_6D0704
		not	ecx
		mov	esi, [ebp+var_30]
		not	eax
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+var_20]
		shrd	eax, esi, 0Ch
		and	ecx, eax
		mov	eax, [ebp+var_24]
		and	ecx, 3FFFFFFh
		mov	[ebx], ecx
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	ecx, [ebp+arg_0]
		xor	esi, esi
		inc	esi

loc_4BCBFB:				; CODE XREF: MiBuildMappedCluster+68Ej
		add	edx, 8
		add	edi, 8
		mov	[ebp+var_1C], edx
		add	ebx, 4

loc_4BCC07:				; CODE XREF: MiBuildMappedCluster+69Aj
		mov	eax, [ebp+var_8]

loc_4BCC0A:				; CODE XREF: MiBuildMappedCluster+10733Ej
		cmp	edi, [ebp+var_C]
		jb	loc_4BCA81

loc_4BCC13:				; CODE XREF: MiBuildMappedCluster+4BEj
					; MiBuildMappedCluster+1072A0j
		test	ecx, ecx
		jz	short loc_4BCC24
		mov	dl, byte ptr [ebp+var_1]
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)

loc_4BCC24:				; CODE XREF: MiBuildMappedCluster+65Bj
		sub	ebx, [ebp+var_10]
		mov	ecx, [ebp+var_10]
		sub	ebx, 1Ch
		sar	ebx, 2
		jmp	loc_4BC76D
; 

loc_4BCC35:				; CODE XREF: MiBuildMappedCluster+4CAj
		cmp	edi, eax
		jb	loc_4BCA8A
		mov	eax, [ebp+var_18]
		add	[ebp+var_18], 4
		mov	eax, [eax]
		mov	[ebx], eax
		jmp	short loc_4BCBFB
; 

loc_4BCC4A:				; CODE XREF: MiBuildMappedCluster+189j
		mov	ebx, edi
		jmp	loc_4BC749
; 

loc_4BCC51:				; CODE XREF: MiBuildMappedCluster+53Cj
					; MiBuildMappedCluster+1073A8j	...
		mov	ecx, [ebp+arg_0]
		jmp	short loc_4BCC07
MiBuildMappedCluster endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeTransitionPfn(x, x, x)
_MiInitializeTransitionPfn@12 proc near	; CODE XREF: MiCopyDataPageToImagePage+393p
					; MiSectionCreated+1BEp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	eax, ecx
		push	esi
		imul	esi, eax, 1Ch
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], eax
		mov	ecx, edi
		add	esi, ds:_MmPfnDatabase
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		and	dword ptr [esi], 0
		mov	ebx, eax
		mov	edx, [edi]
		mov	[ebp+var_8], ebx
		nop
		mov	ecx, [edi+4]
		mov	eax, edx
		and	eax, 400h
		mov	[ebp+var_10], edx
		or	eax, 0
		mov	[ebp+var_C], ecx
		jnz	short loc_4BCCBB
		mov	eax, edx
		and	eax, 800h
		or	eax, 0
		jz	short loc_4BCCBB
		imul	ecx, [ebp+arg_0], 1Ch
		mov	eax, ds:_MmPfnDatabase
		mov	edx, [ecx+eax+8]
		mov	ecx, [ecx+eax+0Ch]
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx

loc_4BCCBB:				; CODE XREF: MiInitializeTransitionPfn(x,x,x)+40j
					; MiInitializeTransitionPfn(x,x,x)+4Cj
		and	dword ptr [esi+10h], 0BFFFFFFFh
		mov	eax, ebx
		mov	[esi+0Ch], ecx
		and	eax, offset loc_7FFFFF
		mov	ecx, [esi+18h]
		and	ecx, 0FF800000h
		mov	[esi+8], edx
		or	ecx, eax
		mov	[esi+4], edi
		mov	al, [esi+16h]
		or	ecx, 80000000h
		mov	[esi+18h], ecx
		test	al, 10h
		jz	short loc_4BCCF3
		and	al, 0FBh
		or	al, 3
		jmp	short loc_4BCCF7
; 

loc_4BCCF3:				; CODE XREF: MiInitializeTransitionPfn(x,x,x)+95j
		and	al, 0FAh
		or	al, 2

loc_4BCCF7:				; CODE XREF: MiInitializeTransitionPfn(x,x,x)+9Bj
		mov	[esi+16h], al
		mov	ebx, [edi]
		nop
		mov	eax, [edi+4]
		nop
		shrd	ebx, eax, 5
		push	1
		and	ebx, 1Fh
		mov	ecx, ebx
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		mov	edx, eax
		mov	ecx, esi
		call	_MiFinalizePageAttribute@12 ; MiFinalizePageAttribute(x,x,x)
		and	dword ptr [esi+10h], 0C0000000h
		cmp	[ebp+arg_0], 0FFFFFFFFh
		jnz	short loc_4BCD3D
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], edx
		mov	[edi], eax
		nop
		mov	[edi+4], edx

loc_4BCD3D:				; CODE XREF: MiInitializeTransitionPfn(x,x,x)+CFj
		imul	esi, [ebp+var_8], 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiInitializeTransitionPfn@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetHardFaultPages proc near		; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+1CCp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005C396F SIZE 000000BB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	[ebp+var_14], edi
		mov	esi, [edi]
		mov	[ebp+var_8], esi
		test	esi, esi
		jnz	loc_4BCE27
		mov	[ebp+var_4], offset loc_7FFFFF

loc_4BCD94:				; CODE XREF: MiGetHardFaultPages+DFj
					; MiGetHardFaultPages+106C19j
		mov	eax, [ebp+arg_C]
		mov	edx, [eax+80h]
		mov	[ebp+var_14], edx
		movzx	esi, word ptr [edx+10h]
		mov	edx, [ebp+arg_4]
		shr	esi, 1
		and	esi, 1Fh
		mov	[ebp+var_10], esi
		test	edx, edx
		jnz	loc_4BCE70

loc_4BCDB7:				; CODE XREF: MiGetHardFaultPages+109j
					; MiGetHardFaultPages+123j ...
		push	[ebp+arg_18]
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_C]
		push	[ebp+arg_14]
		mov	edx, [ebp+var_14]
		push	eax
		call	MiUseSlabAllocator
		test	eax, eax
		jnz	loc_5C3997

loc_4BCDD4:				; CODE XREF: MiGetHardFaultPages+106C30j
					; MiGetHardFaultPages+106C8Dj ...
		mov	eax, [edi+4]
		cmp	eax, ebx
		jnb	short loc_4BCE20
		mov	esi, [ebp+arg_10]
		sub	ebx, eax
		mov	cl, byte_6D068C
		lea	eax, [ebp+arg_C]
		push	eax
		mov	[ebp+arg_C], ebx
		xor	ebx, ebx
		mov	esi, [esi+8]
		push	0FFFFFFFFh
		shr	esi, cl
		mov	ecx, [ebp+var_10]
		inc	esi
		push	ebx
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		mov	ecx, [ebp+arg_0]
		push	eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	edx, [eax+14h]
		call	_MiGetPageChain@28 ; MiGetPageChain(x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_4BCE20
		cmp	[edi], ebx
		jnz	short loc_4BCE57
		mov	[edi], eax

loc_4BCE1A:				; CODE XREF: MiGetHardFaultPages+104j
		mov	eax, [ebp+arg_C]
		add	[edi+4], eax

loc_4BCE20:				; CODE XREF: MiGetHardFaultPages+6Fj
					; MiGetHardFaultPages+A8j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_4BCE27:				; CODE XREF: MiGetHardFaultPages+1Dj
		mov	ecx, ds:_MmPfnDatabase
		mov	eax, esi
		sub	eax, ecx
		mov	[ebp+var_10], ecx
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	ecx, [esi+10h]
		mov	[ebp+var_4], eax
		mov	eax, offset loc_7FFFFF
		and	ecx, eax
		cmp	ecx, eax
		jz	loc_4BCD94
		mov	edx, [ebp+var_10]
		jmp	loc_5C396F
; 

loc_4BCE57:				; CODE XREF: MiGetHardFaultPages+ACj
		sub	eax, ds:_MmPfnDatabase
		push	ebx
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		jmp	short loc_4BCE1A
; 

loc_4BCE70:				; CODE XREF: MiGetHardFaultPages+47j
		cmp	byte ptr [edx],	1
		jnz	loc_4BCDB7
		mov	edx, [edx+28h]
		mov	ecx, [ebp+arg_0]
		shr	edx, 3
		and	edx, 7
		inc	edx
		call	_MiGetAvailablePagesBelowPriority@8 ; MiGetAvailablePagesBelowPriority(x,x)
		cmp	ebx, eax
		jbe	loc_4BCDB7
		jmp	loc_5C3988
MiGetHardFaultPages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateKernelStackPages proc	near	; CODE XREF: MmCreateKernelStack+303p
					; MmGrowKernelStackEx+C3p

var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C3A2A SIZE 000000B3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+38h+var_1C], ecx
		lea	edi, [esp+38h+var_C]
		mov	ebx, edx
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_4BD01C
		lea	eax, [ebx+eax*8]
		xor	edi, edi
		mov	[esp+38h+var_10], eax
		lea	edx, [esp+38h+var_C]
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		inc	eax
		push	eax
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)

loc_4BCED9:				; CODE XREF: MiAllocateKernelStackPages+83j
		mov	ecx, [esp+38h+var_C]
		xor	eax, eax
		inc	eax
		lock xadd [ecx], eax
		inc	eax
		mov	esi, [esp+38h+var_8]
		dec	eax
		mov	ecx, [esp+38h+var_1C]
		and	esi, eax
		or	esi, [esp+38h+var_4]
		push	0
		mov	edx, esi
		call	MiGetPage
		cmp	eax, 0FFFFFFFFh
		jz	loc_5C3A2A

loc_4BCF06:				; CODE XREF: MiAllocateKernelStackPages+106BC1j
		imul	esi, eax, 1Ch
		add	esi, ds:_MmPfnDatabase
		sub	[ebp+arg_0], 1
		mov	[esp+38h+var_20], esi
		mov	[esi], edi
		mov	edi, esi
		jnz	short loc_4BCED9
		push	0A0000004h
		xor	edx, edx
		mov	ecx, ebx
		call	MiMakeValidPte
		mov	ecx, offset unk_6D3A40
		mov	[esp+38h+var_18], eax
		mov	[esp+38h+var_24], edx
		xor	edi, edi
		call	MiLockWorkingSetShared
		mov	[esp+38h+var_25], al

loc_4BCF43:				; CODE XREF: MiAllocateKernelStackPages+160j
		mov	eax, [esi]
		mov	[esp+38h+var_14], eax
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		xor	esi, esi
		cdq
		push	1Ch
		pop	ecx
		idiv	ecx
		mov	ecx, [esp+38h+var_24]
		mov	edx, eax
		and	ecx, 0FFFFFFE0h
		mov	eax, [esp+38h+var_18]
		and	edx, 1FFFFFFh
		shld	esi, edx, 0Ch
		and	eax, 0FFFh
		shl	edx, 0Ch
		or	edx, eax
		mov	eax, esi
		or	eax, ecx
		mov	[esp+38h+var_18], edx
		mov	[esp+38h+var_24], eax
		test	edi, edi
		jz	loc_4BD034
		test	ebx, 0FFFh
		jz	loc_4BD028

loc_4BCF9A:				; CODE XREF: MiAllocateKernelStackPages+1BBj
		mov	ecx, [esp+38h+var_20]
		mov	edx, ebx
		push	14h
		push	4
		call	_MiInitializePfn@16 ; MiInitializePfn(x,x,x,x)
		mov	esi, [esp+38h+var_18]
		mov	ecx, ebx
		mov	edx, [esp+38h+var_24]
		and	[esp+38h+var_1C], 0
		mov	[esp+38h+var_20], esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5C3A78
		mov	ecx, [esp+38h+var_1C]

loc_4BCFCD:				; CODE XREF: MiAllocateKernelStackPages+106BF3j
					; MiAllocateKernelStackPages+106C01j ...
		mov	esi, [esp+38h+var_20]

loc_4BCFD1:				; CODE XREF: MiAllocateKernelStackPages+106C11j
		mov	[ebx+4], edx
		nop
		mov	[ebx], esi
		test	ecx, ecx
		jnz	loc_5C3ACF

loc_4BCFDF:				; CODE XREF: MiAllocateKernelStackPages+106C40j
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		call	MiMarkKernelStack
		mov	esi, [esp+38h+var_14]
		add	ebx, 8
		mov	[esp+38h+var_20], esi
		cmp	ebx, [esp+38h+var_10]
		jb	loc_4BCF43
		test	edi, edi
		jz	short loc_4BD00E
		mov	edx, edi
		mov	ecx, offset unk_6D3A40
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4BD00E:				; CODE XREF: MiAllocateKernelStackPages+168j
		mov	dl, [esp+38h+var_25]
		mov	ecx, offset unk_6D3A40
		call	MiUnlockWorkingSetShared

loc_4BD01C:				; CODE XREF: MiAllocateKernelStackPages+22j
		xor	eax, eax
		inc	eax

loc_4BD01F:				; CODE XREF: MiAllocateKernelStackPages+106BDBj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4BD028:				; CODE XREF: MiAllocateKernelStackPages+FCj
		mov	edx, edi
		mov	ecx, offset unk_6D3A40
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4BD034:				; CODE XREF: MiAllocateKernelStackPages+F0j
		mov	edi, ebx
		mov	ecx, offset unk_6D3A40
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		push	0
		mov	edx, edi
		call	MiLockPageTableInternal
		jmp	loc_4BCF9A
MiAllocateKernelStackPages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMarkKernelStack proc near		; CODE XREF: MiAllocateKernelStackPages+14Cp
					; MiMarkBootKernelStack+75p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C3ADD SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ecx]
		mov	ebx, edx
		push	edi
		nop
		mov	eax, [ecx+4]
		nop
		shrd	esi, eax, 0Ch
		and	esi, 1FFFFFFh
		imul	esi, 1Ch
		add	esi, ds:_MmPfnDatabase
		and	[ebp+var_4], 0
		lea	edi, [esi+10h]

loc_4BD084:				; CODE XREF: MiMarkKernelStack+106A93j
		lock bts dword ptr [edi], 1Fh
		jb	loc_5C3ADD
		mov	eax, [esi+18h]
		mov	edx, ebx
		and	eax, 0AFFFFFFFh
		mov	ecx, esi
		or	eax, 20000000h
		mov	[esi+18h], eax
		call	_MiSetPfnKernelStack@8 ; MiSetPfnKernelStack(x,x)
		mov	eax, [esi+0Ch]
		or	dword ptr [esi+8], 3E0h
		mov	[esi+0Ch], eax
		mov	al, [esi+17h]
		and	al, 0FDh
		or	al, 5
		mov	[esi+17h], al
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiMarkKernelStack endp


;  S U B	R O U T	I N E 


; __stdcall MiSetPfnKernelStack(x, x)
_MiSetPfnKernelStack@8 proc near	; CODE XREF: MiMarkKernelStack+4Bp
					; MiInPageSingleKernelStack+29Cp
		mov	eax, edx
		shr	eax, 2
		xor	eax, [ecx]
		and	eax, 1FFFFFFEh
		xor	eax, [ecx]
		mov	[ecx], eax
		test	edx, edx
		jz	short locret_4BD0E9
		test	al, 1
		jnz	short locret_4BD0E9
		or	eax, 1
		mov	[ecx], eax

locret_4BD0E9:				; CODE XREF: MiSetPfnKernelStack(x,x)+12j
					; MiSetPfnKernelStack(x,x)+16j
		retn
_MiSetPfnKernelStack@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiCreateSharedZeroPages	proc near	; CODE XREF: MiResolveDemandZeroFault+1DEp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C3AF0 SIZE 00000137 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		mov	esi, ecx
		mov	[ebp-8], edx
		push	edi
		mov	[ebp-18h], esi
		mov	edi, [esi+0Ch]
		mov	edx, [esi+8]
		mov	[ebp-0Ch], edx
		mov	ecx, [edi]
		mov	eax, [edi+4]
		shrd	ecx, eax, 5
		mov	eax, [esi+24h]
		and	ecx, 1Fh
		mov	[ebp-14h], eax
		mov	[ebp-28h], ecx
		test	eax, eax
		jnz	loc_4BD2C6

loc_4BD13B:				; CODE XREF: MiCreateSharedZeroPages+1DEj
					; MiCreateSharedZeroPages+1F2j
		mov	eax, [ebp-8]

loc_4BD13E:				; CODE XREF: MiCreateSharedZeroPages+106A7Dj
		nop
		push	eax
		push	0FFFFFFFFh
		push	102h
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		mov	edx, [esi+4]
		mov	ecx, offset _MiSystemPartition
		push	eax
		mov	eax, [esi+1Ch]
		push	eax
		mov	edx, [edx+14h]
		call	_MiGetPageChain@28 ; MiGetPageChain(x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_4BD348
		mov	ecx, [ebp-0Ch]

loc_4BD16E:				; CODE XREF: MiCreateSharedZeroPages+106A45j
					; MiCreateSharedZeroPages+106A4Ej ...
		mov	eax, [esi+20h]
		mov	[ebp-20h], eax
		xor	eax, eax
		mov	[ebp-10h], eax
		mov	eax, [ebp-14h]
		test	eax, eax
		jnz	loc_4BD2ED

loc_4BD184:				; CODE XREF: MiCreateSharedZeroPages+20Aj
					; MiCreateSharedZeroPages+106A89j
		mov	eax, [ebp-8]
		and	ecx, 0FFFFF000h
		mov	[ebp-0Ch], ecx
		mov	dword ptr [ebp-24h], 0
		cmp	dword ptr [eax], 0
		jbe	loc_4BD28E

loc_4BD1A0:				; CODE XREF: MiCreateSharedZeroPages+198j
		mov	eax, [edx+10h]
		mov	esi, edx
		and	eax, offset loc_7FFFFF
		mov	[ebp-1Ch], esi
		cmp	eax, offset loc_7FFFFF
		jnz	loc_4BD29C
		xor	eax, eax

loc_4BD1BA:				; CODE XREF: MiCreateSharedZeroPages+1BDj
		mov	[ebp-28h], eax
		mov	ecx, esi
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		test	byte ptr ds:_MiFlags, 80h
		mov	[ebp-14h], ecx
		jnz	loc_5C3B7E

loc_4BD1E8:				; CODE XREF: MiCreateSharedZeroPages+106A9Fj
					; MiCreateSharedZeroPages+106AAFj
		mov	esi, [edi]
		mov	eax, [edi+4]
		shrd	esi, eax, 5
		and	esi, 1Fh
		cmp	esi, 18h
		jz	loc_5C3BA4

loc_4BD1FD:				; CODE XREF: MiCreateSharedZeroPages+106AB9j
		mov	eax, [ebp-18h]
		mov	ecx, [ebp-10h]
		or	ecx, 112h
		mov	[ebp-10h], ecx
		test	byte ptr [eax],	4
		jnz	loc_4BD2BB
		cmp	esi, 4
		jnz	loc_4BD2B2

loc_4BD21E:				; CODE XREF: MiCreateSharedZeroPages+1C5j
					; MiCreateSharedZeroPages+1D1j
		push	ecx
		mov	ecx, [ebp-1Ch]
		mov	edx, edi
		push	esi
		call	_MiInitializePfn@16 ; MiInitializePfn(x,x,x,x)
		mov	edx, [ebp-14h]
		or	esi, 20000000h
		push	esi
		mov	ecx, edi
		call	MiMakeValidPte
		mov	ecx, edi
		mov	dword ptr [ebp-14h], 0
		mov	esi, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5C3BAE
		xor	ecx, ecx

loc_4BD255:				; CODE XREF: MiCreateSharedZeroPages+106AD3j
					; MiCreateSharedZeroPages+106AE0j ...
		mov	[edi+4], edx
		nop
		mov	[edi], esi
		test	ecx, ecx
		jnz	loc_5C3C19

loc_4BD263:				; CODE XREF: MiCreateSharedZeroPages+106B32j
		mov	esi, [ebp-18h]
		test	byte ptr [esi],	4
		jnz	loc_4BD305

loc_4BD26F:				; CODE XREF: MiCreateSharedZeroPages+224j
					; MiCreateSharedZeroPages+22Dj	...
		mov	ecx, [ebp-24h]
		add	edi, 8
		mov	eax, [ebp-8]
		inc	ecx
		add	dword ptr [ebp-0Ch], 1000h
		mov	edx, [ebp-28h]
		mov	[ebp-24h], ecx
		cmp	ecx, [eax]
		jb	loc_4BD1A0

loc_4BD28E:				; CODE XREF: MiCreateSharedZeroPages+AAj
		mov	eax, 111h
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4BD29C:				; CODE XREF: MiCreateSharedZeroPages+C2j
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		jmp	loc_4BD1BA
; 

loc_4BD2B2:				; CODE XREF: MiCreateSharedZeroPages+128j
		cmp	esi, 6
		jz	loc_4BD21E

loc_4BD2BB:				; CODE XREF: MiCreateSharedZeroPages+11Fj
		or	ecx, 20h
		mov	[ebp-10h], ecx
		jmp	loc_4BD21E
; 

loc_4BD2C6:				; CODE XREF: MiCreateSharedZeroPages+45j
		mov	eax, [eax+1Ch]
		test	eax, 100000h
		jnz	loc_4BD13B
		shr	eax, 12h
		and	eax, 3
		cmp	ds:_MiVadPageSizes[eax*4], 10h
		jnz	loc_4BD13B
		jmp	loc_5C3AF0
; 

loc_4BD2ED:				; CODE XREF: MiCreateSharedZeroPages+8Ej
		mov	eax, [eax+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFEh
		jnz	loc_4BD184
		jmp	loc_5C3B72
; 

loc_4BD305:				; CODE XREF: MiCreateSharedZeroPages+179j
		mov	ecx, [ebp-1Ch]
		xor	edx, edx
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		mov	ecx, [ebp-20h]
		test	ecx, ecx
		jz	loc_4BD26F
		test	byte ptr [esi],	8
		jnz	loc_4BD26F
		mov	edx, [ecx+0Ch]
		mov	eax, [ecx+4]
		mov	ecx, [ecx+10h]
		shl	ecx, 0Ch
		add	ecx, [eax+edx*8]
		cmp	[ebp-0Ch], ecx
		jnz	loc_4BD26F
		mov	ecx, [ebp-20h]
		call	_MiAdvanceFaultList@4 ;	MiAdvanceFaultList(x)
		jmp	loc_4BD26F
; 

loc_4BD348:				; CODE XREF: MiCreateSharedZeroPages+75j
		pop	edi
		mov	eax, 0C0000017h
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
MiCreateSharedZeroPages	endp ; sp =  4

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializePfn(x, x, x, x)
_MiInitializePfn@16 proc near		; CODE XREF: .text:0045D799p
					; MiAllocateKernelStackPages+10Cp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	ecx, [edx]
		nop
		test	[ebp+arg_4], 4
		mov	esi, [edx+4]
		mov	ebx, [ebp+arg_0]
		jz	short loc_4BD3B3
		mov	edx, ebx
		xor	eax, eax
		and	edx, 1Fh
		shld	eax, edx, 5
		mov	[ebp+arg_0], eax
		mov	eax, ecx
		shl	edx, 5
		or	eax, esi
		jnz	short loc_4BD3A5
		push	[ebp+arg_0]
		push	edx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, eax
		mov	esi, edx
		jmp	short loc_4BD3B0
; 

loc_4BD3A5:				; CODE XREF: MiInitializePfn(x,x,x,x)+34j
		and	ecx, 0FFFFFC1Fh
		or	ecx, edx
		or	esi, [ebp+arg_0]

loc_4BD3B0:				; CODE XREF: MiInitializePfn(x,x,x,x)+43j
		mov	edx, [ebp+var_8]

loc_4BD3B3:				; CODE XREF: MiInitializePfn(x,x,x,x)+1Dj
		test	[ebp+arg_4], 2
		mov	[edi+8], ecx
		mov	[edi+0Ch], esi
		jz	short loc_4BD3C6
		or	dword ptr [edi+18h], 80000000h

loc_4BD3C6:				; CODE XREF: MiInitializePfn(x,x,x,x)+5Dj
		mov	esi, 1
		mov	[ebp+var_4], esi
		test	ebx, ebx
		jnz	short loc_4BD3DB
		mov	[ebp+var_4], 3
		jmp	short loc_4BD407
; 

loc_4BD3DB:				; CODE XREF: MiInitializePfn(x,x,x,x)+70j
		cmp	ebx, 1Fh
		jnz	short loc_4BD3E5
		mov	[ebp+var_4], esi
		jmp	short loc_4BD407
; 

loc_4BD3E5:				; CODE XREF: MiInitializePfn(x,x,x,x)+7Ej
		mov	eax, ebx
		shr	eax, 3
		cmp	eax, 3
		jnz	short loc_4BD3FD
		test	bl, 7
		jz	short loc_4BD407
		mov	[ebp+var_4], 2
		jmp	short loc_4BD407
; 

loc_4BD3FD:				; CODE XREF: MiInitializePfn(x,x,x,x)+8Dj
		dec	eax
		neg	eax
		sbb	eax, eax
		and	eax, esi
		mov	[ebp+var_4], eax

loc_4BD407:				; CODE XREF: MiInitializePfn(x,x,x,x)+79j
					; MiInitializePfn(x,x,x,x)+83j	...
		mov	eax, esi
		mov	[ebp+var_20], 0
		mov	[edi+14h], ax
		mov	eax, edx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_1C], 0
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], eax
		nop
		shrd	edx, eax, 0Ch
		mov	eax, [edi+18h]
		and	edx, 1FFFFFFh
		xor	eax, edx
		and	eax, offset loc_7FFFFF
		xor	[edi+18h], eax
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_10], eax
		mov	eax, large fs:124h
		mov	ebx, [eax+304h]
		test	ebx, 100h
		jz	short loc_4BD47D
		shr	ebx, 9
		jmp	short loc_4BD4A5
; 

loc_4BD47D:				; CODE XREF: MiInitializePfn(x,x,x,x)+116j
		mov	ebx, [eax+2FCh]
		mov	eax, [eax+150h]
		shr	ebx, 0Ch
		and	ebx, 7
		test	dword ptr [eax+0FCh], 100000h
		jz	short loc_4BD4A5
		cmp	ebx, 2
		jb	short loc_4BD4A5
		mov	ebx, 2

loc_4BD4A5:				; CODE XREF: MiInitializePfn(x,x,x,x)+11Bj
					; MiInitializePfn(x,x,x,x)+139j ...
		mov	eax, dword ptr [ebp+arg_4]
		mov	ecx, eax
		and	ecx, esi
		mov	byte ptr [ebp+arg_0+3],	21h
		mov	[ebp+var_1C], ecx
		jnz	short loc_4BD4F1
		test	al, 10h
		jz	short loc_4BD4E7
		mov	[ebp+var_C], 0
		lea	esi, [edi+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4BD4F1
		lea	ebx, [ebx+0]

loc_4BD4D0:				; CODE XREF: MiInitializePfn(x,x,x,x)+17Cj
					; MiInitializePfn(x,x,x,x)+183j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4BD4D0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4BD4D0
		jmp	short loc_4BD4F1
; 

loc_4BD4E7:				; CODE XREF: MiInitializePfn(x,x,x,x)+157j
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	byte ptr [ebp+arg_0+3],	al

loc_4BD4F1:				; CODE XREF: MiInitializePfn(x,x,x,x)+153j
					; MiInitializePfn(x,x,x,x)+168j ...
		mov	esi, [ebp+var_10]
		mov	[ebp+var_14], 0
		add	esi, 10h
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4BD51A

loc_4BD505:				; CODE XREF: MiInitializePfn(x,x,x,x)+1B1j
					; MiInitializePfn(x,x,x,x)+1B8j
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4BD505
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4BD505

loc_4BD51A:				; CODE XREF: MiInitializePfn(x,x,x,x)+1A3j
		mov	eax, [esi]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 3FFFFFFFh
		xor	ecx, eax
		mov	eax, 7FFFFFFFh
		mov	[esi], ecx
		lock and [esi],	eax
		mov	cl, [edi+16h]
		mov	edx, [ebp+var_4]
		movzx	eax, cl
		shr	eax, 6
		cmp	eax, edx
		jz	short loc_4BD54F
		push	1
		mov	ecx, edi
		call	MiChangePageAttribute
		mov	cl, [edi+16h]

loc_4BD54F:				; CODE XREF: MiInitializePfn(x,x,x,x)+1E1j
		mov	eax, [edi+10h]
		lea	edx, [edi+10h]
		and	eax, 0C0000001h
		and	cl, 0FEh
		or	eax, 1
		or	cl, 6
		mov	[edx], eax
		mov	al, [edi+17h]
		xor	al, bl
		and	al, 7
		xor	[edi+17h], al
		mov	eax, [ebp+var_8]
		mov	[edi+4], eax
		mov	[edi+16h], cl
		mov	ecx, dword ptr [ebp+arg_4]
		test	cl, 20h
		jnz	short loc_4BD588
		mov	al, [edi+16h]
		or	al, 10h
		mov	[edi+16h], al

loc_4BD588:				; CODE XREF: MiInitializePfn(x,x,x,x)+21Ej
		test	cl, 40h
		jz	short loc_4BD591
		or	byte ptr [edi+17h], 20h

loc_4BD591:				; CODE XREF: MiInitializePfn(x,x,x,x)+22Bj
		cmp	[ebp+var_1C], 0
		jnz	short loc_4BD5AD
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		test	cl, 10h
		jnz	short loc_4BD5AD
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4BD5AD:				; CODE XREF: MiInitializePfn(x,x,x,x)+235j
					; MiInitializePfn(x,x,x,x)+242j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_MiInitializePfn@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiProtectionToCacheAttribute(x)
_MiProtectionToCacheAttribute@4	proc near
					; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+251p
					; .text:0045D686p ...
		xor	edx, edx
		inc	edx
		test	ecx, ecx
		jz	short loc_4BD5E0
		cmp	ecx, 1Fh
		jz	short loc_4BD5D3
		mov	eax, ecx
		shr	eax, 3
		cmp	eax, 3
		jz	short loc_4BD5D6
		dec	eax
		neg	eax
		sbb	eax, eax
		and	edx, eax

loc_4BD5D3:				; CODE XREF: MiProtectionToCacheAttribute(x)+Aj
					; MiProtectionToCacheAttribute(x)+23j ...
		mov	eax, edx
		retn
; 

loc_4BD5D6:				; CODE XREF: MiProtectionToCacheAttribute(x)+14j
		test	cl, 7
		jz	short loc_4BD5D3
		push	2

loc_4BD5DD:				; CODE XREF: MiProtectionToCacheAttribute(x)+2Cj
		pop	edx
		jmp	short loc_4BD5D3
; 

loc_4BD5E0:				; CODE XREF: MiProtectionToCacheAttribute(x)+5j
		push	3
		jmp	short loc_4BD5DD
_MiProtectionToCacheAttribute@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnlockCodePage(x,	x, x)
_MiUnlockCodePage@12 proc near		; CODE XREF: MiLockCode(x,x,x,x)+613p
					; MiUnlockImageSection+50p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		mov	edi, ecx
		mov	[esp+10h+var_4], eax
		cmp	edi, eax
		ja	short loc_4BD642

loc_4BD5FC:				; CODE XREF: MiUnlockCodePage(x,x,x)+5Cj
		mov	edx, [edi]
		nop
		mov	eax, [edi+4]
		nop
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		imul	esi, edx, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, esi
		mov	bl, al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, 7FFFFFFFh
		lea	ecx, [esi+10h]
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		add	edi, 8
		cmp	edi, [esp+10h+var_4]
		jbe	short loc_4BD5FC

loc_4BD642:				; CODE XREF: MiUnlockCodePage(x,x,x)+16j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiUnlockCodePage@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMakeSystemCachePteValid proc near	; CODE XREF: .text:0047CA55p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C3C27 SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], ecx
		mov	byte ptr [ebp+var_1], 0
		nop
		mov	edi, [ebp+arg_8]
		mov	edx, esi
		and	[ebp+var_14], 0
		mov	eax, edi
		shrd	edx, eax, 0Ch
		mov	eax, [ebp+var_8]
		and	edx, 1FFFFFFh
		shr	eax, 9
		imul	ebx, edx, 1Ch
		and	eax, offset loc_7FFFF8
		mov	ecx, [eax-40000000h]
		add	ebx, ds:_MmPfnDatabase
		mov	[ebp+var_24], ebx
		nop
		mov	eax, [eax-3FFFFFFCh]
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	eax, ecx, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	ecx, eax
		mov	[ebp+var_10], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		inc	edx
		mov	byte ptr [ebp+arg_8+3],	al
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, 7FFFFFFFh
		add	ecx, 10h
		lock and [ecx],	eax
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_1]
		mov	ecx, [ebp+var_C]
		push	eax
		call	_MiLockWorkingSetOptimal@12 ; MiLockWorkingSetOptimal(x,x,x)
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_8]
		mov	edx, [eax]
		nop
		mov	ecx, [eax+4]
		mov	[ebp+var_1C], ecx
		mov	ecx, edx
		and	ecx, 1
		or	ecx, 0
		jnz	loc_5C3C48
		nop
		and	edx, 8
		or	edx, ecx
		jnz	loc_5C3C27

loc_4BD70D:				; CODE XREF: MiMakeSystemCachePteValid+1065F7j
		mov	cl, byte ptr word_6D07B8
		and	esi, 0FFFFFEFBh
		mov	ebx, [ebx+4]
		and	cl, 1
		movzx	eax, cl
		or	ebx, 80000000h
		mov	ecx, [ebp+var_C]
		cdq
		shld	edx, eax, 8
		mov	[ebp+var_1C], ebx
		mov	ebx, [ebp+var_24]
		or	edx, edi
		push	edx
		mov	edx, [ebp+var_8]
		shl	eax, 8
		mov	edi, [ebx+0Ch]
		or	eax, esi
		mov	esi, [ebx+8]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	ebx
		call	_MiAllocateWsle@32 ; MiAllocateWsle(x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	loc_5C3C56
		cmp	_PfSnNumActiveTraces, 0
		jz	short loc_4BD778
		mov	ecx, esi
		and	ecx, 400h
		or	ecx, 0
		jz	short loc_4BD778
		mov	[ebp+var_14], 1

loc_4BD778:				; CODE XREF: MiMakeSystemCachePteValid+116j
					; MiMakeSystemCachePteValid+123j ...
		test	eax, eax
		jz	loc_5C3C56

loc_4BD780:				; CODE XREF: MiMakeSystemCachePteValid+10661Dj
		mov	edx, [ebp+var_28]
		mov	ecx, [ebp+var_C]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+arg_8+3]
		mov	ecx, [ebp+var_C]
		call	MiUnlockWorkingSetShared
		cmp	[ebp+var_14], 0
		jz	short loc_4BD7FA
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edx, dword_6D0704
		or	eax, edx
		jz	short loc_4BD7BC
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4BD7BC
		not	edx
		and	edi, edx

loc_4BD7BC:				; CODE XREF: MiMakeSystemCachePteValid+160j
					; MiMakeSystemCachePteValid+16Aj
		mov	esi, [edi]
		mov	ecx, esi
		call	MiReferenceControlAreaFile
		mov	edx, [ebp+var_1C]
		mov	ecx, edi
		push	0FFFFFFFFh
		mov	ebx, eax
		call	MiStartingOffset
		push	edx
		push	eax
		push	4
		pop	edx
		mov	ecx, ebx
		call	_PfSnLogPageFault@16 ; PfSnLogPageFault(x,x,x,x)
		add	esi, 20h
		mov	ecx, [esi]
		mov	eax, ecx

loc_4BD7E6:				; CODE XREF: MiMakeSystemCachePteValid+1C4j
		xor	eax, ebx
		cmp	eax, 7
		jnb	short loc_4BD801
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jnz	short loc_4BD80E

loc_4BD7FA:				; CODE XREF: MiMakeSystemCachePteValid+14Ej
					; MiMakeSystemCachePteValid+1C0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4BD801:				; CODE XREF: MiMakeSystemCachePteValid+19Fj
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	short loc_4BD7FA
; 

loc_4BD80E:				; CODE XREF: MiMakeSystemCachePteValid+1ACj
		mov	ecx, eax
		jmp	short loc_4BD7E6
MiMakeSystemCachePteValid endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReturnFreeZeroPage(x, x)
_MiReturnFreeZeroPage@8	proc near	; CODE XREF: MiMigratePfn(x,x,x,x)+32Dp
					; .text:004712C2p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, [edi+16h]
		mov	cl, dl
		mov	[ebp+var_4], eax
		and	cl, 7
		cmp	cl, 6
		jz	short loc_4BD885

loc_4BD83D:				; CODE XREF: MiReturnFreeZeroPage(x,x)+7Fj
		and	dword ptr [edi+18h], 7FFFFFFFh
		and	dl, 0C7h
		and	dword ptr [edi+10h], 0C0000000h
		xor	eax, eax
		mov	[edi+16h], dl
		mov	ecx, edi
		and	byte ptr [edi+17h], 0CFh
		mov	[edi+14h], ax
		call	_MiIsFreshPfnFromZeroedList@4 ;	MiIsFreshPfnFromZeroedList(x)
		neg	eax
		mov	ecx, edi
		sbb	esi, esi
		add	esi, 2
		call	_MiIsFreeZeroPfnCold@4 ; MiIsFreeZeroPfnCold(x)
		test	eax, eax
		jnz	short loc_4BD893

loc_4BD874:				; CODE XREF: MiReturnFreeZeroPage(x,x)+87j
		mov	ecx, [ebp+var_4]
		or	esi, ebx
		mov	edx, esi
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4BD885:				; CODE XREF: MiReturnFreeZeroPage(x,x)+29j
		and	dl, 0FDh
		or	dl, 5
		mov	[edi+16h], dl
		mov	dl, [edi+16h]
		jmp	short loc_4BD83D
; 

loc_4BD893:				; CODE XREF: MiReturnFreeZeroPage(x,x)+60j
		or	esi, 400h
		jmp	short loc_4BD874
_MiReturnFreeZeroPage@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckVirtualAddress proc near		; CODE XREF: MiResolveDemandZeroFault+3F5p
					; .text:004B03CDp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C3C6E SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		push	edi
		and	dword ptr [ebx], 0
		mov	edi, edx
		cmp	esi, ds:_MmHighestUserAddress
		ja	loc_5C3C8D
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	byte ptr [eax+3A8h], 1
		jnz	short loc_4BD8ED
		mov	eax, esi
		and	eax, 0FFFFF000h
		cmp	eax, 7FFE0000h
		jz	loc_5C3C6E
		cmp	eax, dword_6D0618
		jz	loc_5C3C75

loc_4BD8ED:				; CODE XREF: MiCheckVirtualAddress+31j
					; MiCheckVirtualAddress+1063DBj
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	[ebx], eax
		test	eax, eax
		jz	loc_5C3CA2
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	MiCheckUserVirtualAddress

loc_4BD906:				; CODE XREF: MiCheckVirtualAddress+1063ECj
					; MiCheckVirtualAddress+10640Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
MiCheckVirtualAddress endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 757. IoBuildPartialMdl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoBuildPartialMdl
IoBuildPartialMdl proc near		; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxProcessEntry(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,void *,void *,SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_ENTRY *)+287p

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C3CAF SIZE 00000054 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		mov	edx, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		push	edi
		sub	esi, [ebx+18h]
		mov	eax, [ebx+10h]
		sub	esi, eax
		test	edx, edx
		jz	loc_4BD9DB
		mov	[ebp+arg_0], edx

loc_4BD946:				; CODE XREF: IoBuildPartialMdl+C3j
		cmp	ecx, eax
		jb	loc_5C3CAF
		cmp	esi, [ebx+14h]
		ja	loc_5C3CAF
		mov	edi, [ebp+arg_4]
		mov	edx, ecx
		mov	eax, [ebx+8]
		and	edx, 0FFFFF000h
		and	ecx, 0FFFh
		mov	[ebp+arg_4], 48C5h
		mov	[ebp+arg_8], ecx
		mov	[edi+10h], edx
		mov	[edi+8], eax
		sub	edx, [ebx+10h]
		and	word ptr [edi+6], 8
		mov	eax, [ebp+arg_0]
		mov	[edi+18h], ecx
		mov	[edi+14h], eax
		mov	cx, [ebx+6]
		and	cx, word ptr [ebp+arg_4]
		or	cx, [edi+6]
		shr	edx, 0Ch
		or	cx, 10h
		add	edx, 7
		mov	[edi+6], cx
		mov	eax, [ebx+0Ch]
		add	eax, esi
		mov	[edi+0Ch], eax
		lea	eax, [ebx+edx*4]
		mov	edx, [ebp+arg_0]
		add	edx, 0FFFh
		add	edx, [ebp+arg_8]
		shr	edx, 0Ch
		test	edx, edx
		jz	short loc_4BD9D4
		sub	edi, eax

loc_4BD9C6:				; CODE XREF: IoBuildPartialMdl+B2j
		mov	ecx, [eax]
		lea	eax, [eax+4]
		mov	[edi+eax+18h], ecx
		sub	edx, 1
		jnz	short loc_4BD9C6

loc_4BD9D4:				; CODE XREF: IoBuildPartialMdl+A2j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_4BD9DB:				; CODE XREF: IoBuildPartialMdl+1Dj
		mov	edi, [ebx+14h]
		sub	edi, esi
		mov	[ebp+arg_0], edi
		jmp	loc_4BD946
IoBuildPartialMdl endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRemovePageAnyColor proc near		; CODE XREF: MiGetPage+301p
					; MiGetPage+4CFp ...

var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C3D03 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, edx
		shr	esi, 1
		mov	edx, ecx
		mov	[ebp+var_30], 0
		mov	cl, byte_6D068C
		mov	eax, edi
		shr	eax, cl
		not	esi
		and	esi, 1
		mov	[ebp+var_24], edx
		mov	[ebp+var_28], esi
		lea	eax, [eax+eax*4]
		shl	eax, 7
		add	eax, [edx+10h]
		cmp	dword ptr [eax+esi*4+1D0h], 0
		jnz	short loc_4BDA3E

loc_4BDA33:				; CODE XREF: MiRemovePageAnyColor+168j
					; MiRemovePageAnyColor+171j
		xor	eax, eax

loc_4BDA35:				; CODE XREF: MiRemovePageAnyColor+126j
					; MiRemovePageAnyColor+14Bj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4BDA3E:				; CODE XREF: MiRemovePageAnyColor+41j
		mov	ecx, dword_6D06D0
		lea	eax, [eax+esi*8]
		mov	edx, [edx+esi*4+540h]
		add	eax, 180h
		mov	[ebp+var_C], ecx
		mov	[ebp+var_20], edi
		lea	ebx, [ecx+1]
		mov	[ebp+var_10], 0
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_18], ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_30], edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_8], 0
		lea	esp, [esp+0]

loc_4BDA80:				; CODE XREF: MiRemovePageAnyColor+F9j
					; MiRemovePageAnyColor+157j ...
		mov	eax, [eax+4]
		mov	edx, ecx
		and	edx, edi
		mov	ecx, edx
		shr	ecx, 5
		lea	eax, [eax+ecx*4]
		cmp	[ebp+var_10], eax
		jz	short loc_4BDAC7
		mov	[ebp+var_10], eax
		mov	ecx, edx
		and	ecx, 1Fh
		or	eax, 0FFFFFFFFh
		shl	eax, cl
		mov	ecx, [ebp+var_10]
		and	eax, [ecx]
		mov	[ebp+var_8], eax
		test	ebx, 4000h
		jnz	loc_5C3CC0
		mov	ecx, [ebp+var_18]
		mov	eax, edx
		xor	eax, ecx
		test	eax, 0FFFFFFE0h
		jz	loc_4BDB7F

loc_4BDAC7:				; CODE XREF: MiRemovePageAnyColor+A2j
		mov	ecx, [ebp+var_8]

loc_4BDACA:				; CODE XREF: MiRemovePageAnyColor+1A2j
					; IoBuildPartialMdl+1063DEj
		and	edx, 0FFFFFFE0h
		test	ecx, ecx
		jnz	short loc_4BDAEB
		mov	eax, [ebp+var_18]
		add	edx, 20h
		cmp	edx, eax
		jnb	short loc_4BDB4C
		mov	ecx, [ebp+var_C]
		mov	eax, ecx
		not	eax
		and	edi, eax
		mov	eax, [ebp+var_1C]
		add	edi, edx
		jmp	short loc_4BDA80
; 

loc_4BDAEB:				; CODE XREF: MiRemovePageAnyColor+DFj
		mov	eax, [ebp+var_C]
		bsf	ecx, ecx
		not	eax
		mov	[ebp+var_38], esi
		and	edi, eax
		mov	[ebp+var_34], esi
		mov	eax, [ebp+var_8]
		add	edi, edx
		add	edi, ecx
		btr	eax, ecx
		mov	ecx, [ebp+var_24]
		lea	edx, [ebp+var_38]
		push	edi
		mov	[ebp+var_8], eax
		call	MiSlistGetFreePage
		test	eax, eax
		jnz	loc_4BDA35
		mov	ecx, [ebp+var_30]
		lea	eax, [edi+edi*4]
		push	ebx
		push	esi
		push	edi
		lea	edx, [ecx+eax*4]
		mov	ecx, [ebp+var_24]
		call	MiGetPerfectColorHeadPage
		cmp	eax, 1
		jz	loc_5C3D03
		test	eax, eax
		jnz	loc_4BDA35
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_1C]
		jmp	loc_4BDA80
; 

loc_4BDB4C:				; CODE XREF: MiRemovePageAnyColor+E9j
		mov	edx, [ebp+var_20]
		mov	[ebp+var_10], 0
		test	edx, edx
		jz	loc_4BDA33
		cmp	eax, [ebp+var_2C]
		jnz	loc_4BDA33
		mov	ecx, [ebp+var_C]
		mov	eax, ecx
		and	eax, edx
		mov	edi, ecx
		not	edi
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_1C]
		and	edi, edx
		jmp	loc_4BDA80
; 

loc_4BDB7F:				; CODE XREF: MiRemovePageAnyColor+D1j
		and	ecx, 1Fh
		mov	eax, 1
		shl	eax, cl
		mov	ecx, [ebp+var_8]
		dec	eax
		and	ecx, eax
		mov	[ebp+var_8], ecx
		jmp	loc_4BDACA
MiRemovePageAnyColor endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSlistGetFreePage proc	near		; CODE XREF: MiRemovePageAnyColor+11Fp
					; MiGetPageSlist(x,x,x)+40p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C3D0D SIZE 00000034 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, edx
		mov	edx, ecx
		mov	ecx, [ebx+8]
		push	esi
		push	edi
		mov	edi, [eax]
		xor	esi, esi
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], edx

loc_4BDBC4:				; CODE XREF: MiSlistGetFreePage+9Cj
		mov	eax, [edx+edi*4+954h]
		cmp	[eax+ecx*8+4], si
		jnz	short loc_4BDBE9

loc_4BDBD2:				; CODE XREF: MiSlistGetFreePage+98j
		mov	eax, [ebp+var_8]
		mov	eax, [eax+4]
		cmp	edi, eax
		jnz	short loc_4BDC32
		xor	eax, eax

loc_4BDBDE:				; CODE XREF: MiSlistGetFreePage+87j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_4BDBE9:				; CODE XREF: MiSlistGetFreePage+38j
		lea	ecx, [eax+ecx*8]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_4BDC28
		mov	eax, ds:_ZeroPte
		lea	ecx, [esi+8]
		mov	[ecx], eax
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		test	edi, edi
		jnz	short loc_4BDC21
		test	byte ptr ds:_MiFlags, 80h
		jnz	loc_5C3D0D

loc_4BDC1A:				; CODE XREF: MiSlistGetFreePage+8Ej
					; MiSlistGetFreePage+106186j ...
		and	dword ptr [esi], 0
		mov	eax, esi
		jmp	short loc_4BDBDE
; 

loc_4BDC21:				; CODE XREF: MiSlistGetFreePage+73j
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		jmp	short loc_4BDC1A
; 

loc_4BDC28:				; CODE XREF: MiSlistGetFreePage+5Dj
		mov	ecx, [ebx+8]
		xor	esi, esi
		mov	edx, [ebp+var_4]
		jmp	short loc_4BDBD2
; 

loc_4BDC32:				; CODE XREF: MiSlistGetFreePage+42j
		mov	edi, eax
		jmp	short loc_4BDBC4
MiSlistGetFreePage endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetPerfectColorHeadPage proc near	; CODE XREF: MiGetPage+451p
					; MiRemovePageAnyColor+13Bp

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C3D41 SIZE 00000165 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	esi, edx
		xor	eax, eax
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], ebx
		mov	edi, [esi+8]
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		cmp	edi, offset loc_7FFFFF
		jnz	short loc_4BDC73

loc_4BDC68:				; CODE XREF: MiGetPerfectColorHeadPage+165j
					; MiGetPerfectColorHeadPage+18Bj ...
		xor	eax, eax

loc_4BDC6A:				; CODE XREF: MiGetPerfectColorHeadPage+106251j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4BDC73:				; CODE XREF: MiGetPerfectColorHeadPage+26j
		mov	edx, [ebp+arg_8]
		and	edx, 1
		mov	[ebp+var_10], edx
		lea	esp, [esp+0]

loc_4BDC80:				; CODE XREF: MiGetPerfectColorHeadPage+194j
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		lea	ecx, [eax+ecx*4]
		mov	[ebp+var_C], ecx
		lea	eax, [ecx+10h]
		mov	[ebp+var_8], eax
		test	edx, edx
		jnz	loc_5C3D41
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	dl, al
		mov	eax, [ebp+var_8]
		mov	[ebp+var_1], dl
		lock bts dword ptr [eax], 1Fh
		mov	ecx, [ebp+arg_8]
		setb	al
		test	ecx, 4000h
		jnz	loc_5C3D59
		test	al, al
		jnz	loc_4BDD9D

loc_4BDCD1:				; CODE XREF: MiGetPerfectColorHeadPage+106114j
					; MiGetPerfectColorHeadPage+106122j ...
		mov	eax, [ebp+var_C]
		movzx	eax, byte ptr [eax+16h]
		and	eax, 7
		cmp	eax, [ebp+arg_4]
		jnz	loc_4BDDAA
		mov	[ebp+var_24], 0
		lea	edx, [esi+10h]
		mov	[ebp+var_20], edx
		test	ecx, 4000h
		jnz	loc_5C3D8D
		lea	ecx, [ebp+var_24]
		call	@KxTryToAcquireQueuedSpinLock@8	; KxTryToAcquireQueuedSpinLock(x,x)
		test	eax, eax
		jz	loc_4BDDD9

loc_4BDD0D:				; CODE XREF: MiGetPerfectColorHeadPage+10615Ej
					; MiGetPerfectColorHeadPage+10617Aj
		mov	ecx, [ebp+arg_8]

loc_4BDD10:				; CODE XREF: MiGetPerfectColorHeadPage+10616Aj
		cmp	edi, [esi+8]
		jnz	loc_5C3DBF
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	MiUnlinkFreeOrZeroedPage
		test	eax, eax
		jz	loc_5C3E22
		mov	eax, [ebp+var_8]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		cmp	[ebp+var_10], 0
		jnz	short loc_4BDD45
		cmp	dword ptr [esi+8], offset loc_7FFFFF
		jnz	short loc_4BDD8E

loc_4BDD45:				; CODE XREF: MiGetPerfectColorHeadPage+FAj
					; MiGetPerfectColorHeadPage+15Bj
		test	ds:byte_70EFC6,	1
		jnz	loc_5C3E96
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_4BDDFF
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jnz	loc_4BDDF7

loc_4BDD74:				; CODE XREF: MiGetPerfectColorHeadPage+1D1j
					; MiGetPerfectColorHeadPage+106261j
		mov	cl, [ebp+var_1]
		cmp	cl, 21h
		jz	short loc_4BDD82
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4BDD82:				; CODE XREF: MiGetPerfectColorHeadPage+13Aj
		mov	eax, [ebp+var_C]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4BDD8E:				; CODE XREF: MiGetPerfectColorHeadPage+103j
		push	[ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		call	_MiReplenishPageSlist@12 ; MiReplenishPageSlist(x,x,x)
		jmp	short loc_4BDD45
; 

loc_4BDD9D:				; CODE XREF: MiGetPerfectColorHeadPage+8Bj
		mov	cl, dl

loc_4BDD9F:				; CODE XREF: MiGetPerfectColorHeadPage+1AAj
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4BDC68
; 

loc_4BDDAA:				; CODE XREF: MiGetPerfectColorHeadPage+9Ej
		mov	eax, [ebp+var_8]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		cmp	dl, 21h
		jz	short loc_4BDDC2
		mov	cl, dl

loc_4BDDBC:				; CODE XREF: MiGetPerfectColorHeadPage+1061DDj
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4BDDC2:				; CODE XREF: MiGetPerfectColorHeadPage+178j
					; MiGetPerfectColorHeadPage+1061D7j
		mov	edi, [esi+8]
		cmp	edi, offset loc_7FFFFF
		jz	loc_4BDC68
		mov	edx, [ebp+var_10]
		jmp	loc_4BDC80
; 

loc_4BDDD9:				; CODE XREF: MiGetPerfectColorHeadPage+C7j
		mov	eax, [ebp+var_8]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		cmp	cl, 21h
		jnz	short loc_4BDD9F
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4BDDF7:				; CODE XREF: MiGetPerfectColorHeadPage+12Ej
		lea	ecx, [ebp+var_24]
		call	KxWaitForLockChainValid

loc_4BDDFF:				; CODE XREF: MiGetPerfectColorHeadPage+117j
		mov	[ebp+var_24], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4BDD74
MiGetPerfectColorHeadPage endp


;  S U B	R O U T	I N E 


; __fastcall KxTryToAcquireQueuedSpinLock(x, x)
@KxTryToAcquireQueuedSpinLock@8	proc near ; CODE XREF: MiGetPage+72Cp
					; MiGetPerfectColorHeadPage+C0p ...
		test	ds:byte_70EFC6,	21h
		push	esi
		mov	esi, ecx
		jnz	short loc_4BDE3B
		xor	ecx, ecx
		cmp	[edx], ecx
		jnz	short loc_4BDE37
		xor	eax, eax
		lock cmpxchg [edx], esi
		test	eax, eax
		jnz	short loc_4BDE37
		inc	ecx

loc_4BDE33:				; CODE XREF: KxTryToAcquireQueuedSpinLock(x,x)+23j
					; KxTryToAcquireQueuedSpinLock(x,x)+2Cj
		mov	eax, ecx
		pop	esi
		retn
; 

loc_4BDE37:				; CODE XREF: KxTryToAcquireQueuedSpinLock(x,x)+10j
					; KxTryToAcquireQueuedSpinLock(x,x)+1Aj
		pause
		jmp	short loc_4BDE33
; 

loc_4BDE3B:				; CODE XREF: KxTryToAcquireQueuedSpinLock(x,x)+Aj
		call	@KiTryToAcquireQueuedSpinLockInstrumented@8 ; KiTryToAcquireQueuedSpinLockInstrumented(x,x)
		mov	ecx, eax
		jmp	short loc_4BDE33
@KxTryToAcquireQueuedSpinLock@8	endp


;  S U B	R O U T	I N E 


; __stdcall MiUnlockVaSoftWsle(x, x)
_MiUnlockVaSoftWsle@8 proc near		; CODE XREF: MiLockWsle(x,x)+6Fp
					; MiUnlockWsle(x,x,x)+E9p
		movzx	eax, byte ptr [ecx+60h]
		and	eax, 7
		shr	edx, 0Ch
		mov	eax, dword_6D2E68[eax*4]
		add	eax, edx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	ecx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		xor	edx, edx
		jmp	_MiUnlockPageTableCharges@8 ; MiUnlockPageTableCharges(x,x)
_MiUnlockVaSoftWsle@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateZeroFreeBitmap(x, x, x, x)
_MiUpdateZeroFreeBitmap@16 proc	near	; CODE XREF: MiReplenishPageSlist(x,x,x)+57Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, dword_6D06D0
		mov	esi, ecx
		and	edi, eax
		xor	ebx, ebx
		mov	ecx, edi
		inc	ebx
		and	ecx, 1Fh
		shr	edi, 5
		shl	ebx, cl
		mov	cl, byte_6D068C
		shr	eax, cl
		imul	ecx, eax, 50h
		mov	eax, [esi+10h]
		add	ecx, edx
		cmp	[ebp+arg_4], 0
		mov	eax, [eax+ecx*8+184h]
		lea	eax, [eax+edi*4]
		jnz	short loc_4BDED6
		not	ebx
		lock and [eax],	ebx

loc_4BDECF:				; CODE XREF: MiUpdateZeroFreeBitmap(x,x,x,x)+51j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_4BDED6:				; CODE XREF: MiUpdateZeroFreeBitmap(x,x,x,x)+40j
		lock or	[eax], ebx
		jmp	short loc_4BDECF
_MiUpdateZeroFreeBitmap@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPfnReferenceCountIsZero proc near	; CODE XREF: .text:00459401p
					; .text:0045C9A0p ...

; FUNCTION CHUNK AT 005C3EA6 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		mov	esi, [ecx+10h]
		mov	eax, esi
		push	edi
		mov	edi, edx
		and	eax, 3FFFFFFFh
		jnz	loc_5C3EA6
		test	esi, 40000000h
		jnz	short loc_4BDF18
		test	byte ptr [ecx+16h], 10h
		jnz	short loc_4BDF14
		push	4

loc_4BDF08:				; CODE XREF: MiPfnReferenceCountIsZero+3Aj
		pop	edx
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)

loc_4BDF0E:				; CODE XREF: MiPfnReferenceCountIsZero+65j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4BDF14:				; CODE XREF: MiPfnReferenceCountIsZero+28j
		push	8
		jmp	short loc_4BDF08
; 

loc_4BDF18:				; CODE XREF: MiPfnReferenceCountIsZero+22j
		mov	al, [ecx+17h]
		test	al, 10h
		jz	short loc_4BDF24
		and	al, 0EFh
		mov	[ecx+17h], al

loc_4BDF24:				; CODE XREF: MiPfnReferenceCountIsZero+41j
		push	dword ptr [ecx+0Ch]
		xor	edx, edx
		push	dword ptr [ecx+8]
		inc	edx
		mov	ecx, offset _MiSystemPartition
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		push	2
		pop	edx
		mov	ecx, edi
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		jmp	short loc_4BDF0E
MiPfnReferenceCountIsZero endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnLogPageFault(x,	x, x, x)
_PfSnLogPageFault@16 proc near		; CODE XREF: MiMakeSystemCachePteValid+18Ep
					; MiLogRelocationRva+AEp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		test	bl, 4
		jz	short loc_4BDF63
		cmp	dword ptr [esi+10h], 0
		jz	short loc_4BDF63

loc_4BDF5C:				; CODE XREF: PfSnLogPageFault(x,x,x,x)+37j
					; PfSnLogPageFault(x,x,x,x)+66j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4BDF63:				; CODE XREF: PfSnLogPageFault(x,x,x,x)+10j
					; PfSnLogPageFault(x,x,x,x)+16j
		mov	eax, large fs:124h
		mov	[ebp+var_4], eax
		mov	ecx, [eax+80h]
		call	PfSnReferenceProcessTrace
		mov	edi, eax
		test	edi, edi
		jz	short loc_4BDF5C
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	ebx
		call	PfSnCheckLoggingForThread
		test	eax, eax
		jz	short loc_4BDF9F
		push	ebx
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+arg_0]
		push	dword ptr [esi+0Ch]
		call	PfSnLogPageFaultCommon

loc_4BDF9F:				; CODE XREF: PfSnLogPageFault(x,x,x,x)+46j
		lea	ecx, [edi+104h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_4BDF5C
_PfSnLogPageFault@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmWaitForCacheManagerPrefetch(x)
_MmWaitForCacheManagerPrefetch@4 proc near ; CODE XREF:	CcPerformReadAhead+2F1p
					; CcFetchDataForRead(x,x,x,x,x,x,x,x)+C8p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	ebx, [esi+3Ch]

loc_4BDFC1:				; CODE XREF: MmWaitForCacheManagerPrefetch(x)+4Aj
		mov	eax, [esi]
		lea	ecx, [esi+48h]
		push	0
		xor	edx, edx
		mov	[esp+1Ch+var_8], eax
		call	_MiPfCompletePrefetchIos@12 ; MiPfCompletePrefetchIos(x,x,x)
		mov	ecx, esi
		mov	[esp+18h+var_4], eax
		call	_MiReleaseReadListResources@4 ;	MiReleaseReadListResources(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esp+18h+var_4]
		mov	eax, [esp+18h+var_8]
		mov	esi, eax
		test	ecx, ecx
		js	short loc_4BE012

loc_4BDFF4:				; CODE XREF: MmWaitForCacheManagerPrefetch(x)+68j
		test	eax, eax
		jnz	short loc_4BDFC1
		test	bl, 1
		jz	short loc_4BE009
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_4BE009:				; CODE XREF: MmWaitForCacheManagerPrefetch(x)+4Fj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4BE012:				; CODE XREF: MmWaitForCacheManagerPrefetch(x)+46j
		mov	edi, ecx
		jmp	short loc_4BDFF4
_MmWaitForCacheManagerPrefetch@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeImageProtos	proc near	; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+6E2p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 005C3EBC SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, [edx+14h]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_38], edx
		mov	ecx, large fs:124h
		push	edi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_34], eax
		call	_MiGetEffectivePagePriorityThread@4 ; MiGetEffectivePagePriorityThread(x)
		mov	ebx, eax
		mov	[ebp+var_14], ebx
		cmp	ebx, 5
		ja	loc_5C3EB4
		test	ebx, ebx
		jz	short loc_4BE051
		dec	ebx

loc_4BE04E:				; CODE XREF: MiPfnReferenceCountIsZero+105FDBj
		mov	[ebp+var_14], ebx

loc_4BE051:				; CODE XREF: MiInitializeImageProtos+35j
		xor	edi, edi
		mov	byte ptr [ebp+var_1], 21h
		add	esi, 50h
		jz	loc_4BE228

loc_4BE060:				; CODE XREF: MiInitializeImageProtos+20Cj
		test	byte ptr [esi+12h], 2
		mov	eax, [esi+8]
		mov	[ebp+var_C], eax
		jnz	loc_4BE21E
		mov	edx, [esi+4]
		mov	ecx, esi
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		call	MiStartingOffset
		mov	ecx, esi
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], edx
		call	_MiEndingOffset@4 ; MiEndingOffset(x)
		mov	ecx, [esi+1Ch]
		mov	esi, [ebp+var_30]
		mov	[ebp+var_20], eax
		mov	[ebp+var_3C], edx
		lea	eax, [esi+ecx*8]
		mov	[ebp+var_40], eax
		cmp	esi, eax
		jnb	loc_4BE208

loc_4BE0A6:				; CODE XREF: MiInitializeImageProtos+1ECj
		test	esi, 0FFFh
		jz	loc_4BE22D
		test	edi, edi
		jz	loc_4BE22D

loc_4BE0BA:				; CODE XREF: MiInitializeImageProtos+229j
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		add	eax, 1000h
		mov	[ebp+var_30], eax
		adc	ecx, 0
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		ja	loc_4BE26E
		jb	short loc_4BE0E1
		cmp	eax, [ebp+var_34]
		ja	loc_4BE26E

loc_4BE0E1:				; CODE XREF: MiInitializeImageProtos+C0j
		mov	edx, [esi]
		nop
		mov	eax, [esi+4]
		mov	[ebp+var_24], eax
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jnz	loc_4BE1F6
		mov	ecx, edx
		and	ecx, 400h
		mov	eax, ecx
		or	eax, 0
		jz	loc_4BE275

loc_4BE10B:				; CODE XREF: MiInitializeImageProtos+268j
		or	ecx, 0
		jz	loc_4BE1F6
		mov	eax, [ebp+var_2C]
		mov	ecx, offset _MiSystemPartition
		mov	eax, [eax+1Ch]
		shr	eax, 14h
		and	eax, 3Fh
		push	eax
		call	MiGetPageForHeader
		mov	[ebp+var_18], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_4BE1F6
		mov	eax, [ebp+var_38]
		test	byte ptr [eax+6], 5
		jz	loc_5C3ECD
		mov	eax, [eax+0Ch]

loc_4BE147:				; CODE XREF: MiInitializeImageProtos+105EC9j
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		push	80000000h
		mov	[ebp+var_1C], eax
		call	MiMapPageInHyperSpaceWorker
		mov	ecx, [ebp+var_1C]
		mov	edx, eax
		add	ecx, [ebp+var_8]
		push	1000h		; size_t
		push	ecx		; void *
		push	edx		; void *
		mov	[ebp+var_24], edx
		call	_memcpy
		mov	edx, [ebp+var_10]
		add	esp, 0Ch
		cmp	edx, [ebp+var_3C]
		jb	short loc_4BE18D
		mov	eax, [ebp+var_20]
		ja	loc_4BE24A
		cmp	[ebp+var_30], eax
		ja	loc_4BE24A

loc_4BE18D:				; CODE XREF: MiInitializeImageProtos+163j
					; MiInitializeImageProtos+253j
		mov	ecx, [ebp+var_24]
		mov	dl, 21h
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		imul	eax, [ebp+var_18], 1Ch
		xor	edx, edx
		mov	ecx, [ebp+var_2C]
		push	1
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_24], eax
		call	_MiReferenceControlAreaPfn@12 ;	MiReferenceControlAreaPfn(x,x,x)
		mov	eax, [ebp+var_24]
		and	[ebp+var_8], 0
		add	eax, 10h
		mov	[ebp+var_1C], eax
		lock bts dword ptr [eax], 1Fh
		jb	loc_5C3EE4

loc_4BE1CD:				; CODE XREF: MiInitializeImageProtos+105EE9j
		mov	ecx, [ebp+var_18]
		mov	edx, esi
		push	0FFFFFFFFh
		call	_MiInitializeTransitionPfn@12 ;	MiInitializeTransitionPfn(x,x,x)
		mov	ecx, [ebp+var_24]
		mov	al, [ecx+17h]
		xor	al, bl
		and	al, 7
		xor	[ecx+17h], al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, [ebp+var_1C]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_4BE1F6:				; CODE XREF: MiInitializeImageProtos+DCj
					; MiInitializeImageProtos+F8j ...
		mov	eax, [ebp+var_30]
		add	esi, 8
		mov	[ebp+var_8], eax

loc_4BE1FF:				; CODE XREF: MiInitializeImageProtos+105EB2j
		cmp	esi, [ebp+var_40]
		jb	loc_4BE0A6

loc_4BE208:				; CODE XREF: MiInitializeImageProtos+8Aj
		mov	eax, [ebp+var_C]

loc_4BE20B:				; CODE XREF: MiInitializeImageProtos+25Dj
		test	edi, edi
		jz	short loc_4BE21E
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, edi
		call	MiUnlockProtoPoolPage
		mov	eax, [ebp+var_C]
		xor	edi, edi

loc_4BE21E:				; CODE XREF: MiInitializeImageProtos+54j
					; MiInitializeImageProtos+1F7j
		mov	esi, eax
		test	eax, eax
		jnz	loc_4BE060

loc_4BE228:				; CODE XREF: MiInitializeImageProtos+44j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4BE22D:				; CODE XREF: MiInitializeImageProtos+96j
					; MiInitializeImageProtos+9Ej
		test	edi, edi
		jnz	short loc_4BE289

loc_4BE231:				; CODE XREF: MiInitializeImageProtos+27Dj
		lea	edx, [ebp+var_1]
		mov	ecx, esi
		call	MiLockProtoPoolPage
		mov	edi, eax
		test	edi, edi
		jnz	loc_4BE0BA
		jmp	loc_5C3EBC
; 

loc_4BE24A:				; CODE XREF: MiInitializeImageProtos+168j
					; MiInitializeImageProtos+171j
		mov	ecx, [ebp+var_8]
		mov	edx, 1000h
		sub	ecx, eax
		mov	eax, [ebp+var_24]
		add	ecx, edx
		push	ecx		; size_t
		sub	eax, ecx
		add	eax, edx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_4BE18D
; 

loc_4BE26E:				; CODE XREF: MiInitializeImageProtos+BAj
					; MiInitializeImageProtos+C5j
		xor	eax, eax
		mov	[ebp+var_C], eax
		jmp	short loc_4BE20B
; 

loc_4BE275:				; CODE XREF: MiInitializeImageProtos+EFj
		and	edx, 800h
		or	edx, 0
		jz	loc_4BE10B
		jmp	loc_4BE1F6
; 

loc_4BE289:				; CODE XREF: MiInitializeImageProtos+219j
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, edi
		call	MiUnlockProtoPoolPage
		jmp	short loc_4BE231
MiInitializeImageProtos	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetPageForHeader proc	near		; CODE XREF: MiInitializeImageProtos+110p
					; MiCreateMdl+46p

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C3F04 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		push	eax
		mov	edx, eax
		call	MiObtainFaultCharges
		test	eax, eax
		jz	loc_4BE357
		push	ebx
		mov	ebx, large fs:124h
		lea	edx, [ebp+var_C]
		push	[ebp+arg_0]
		mov	ecx, [ebx+80h]
		add	ecx, 240h
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	ecx, esi
		call	MiGetSystemPage
		mov	edi, eax
		test	edi, edi
		jz	loc_5C3F04
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, ebx
		mov	esi, eax
		call	_MiGetEffectivePagePriorityThread@4 ; MiGetEffectivePagePriorityThread(x)
		mov	ecx, edi
		mov	ebx, eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, ds:_ZeroPte
		mov	dl, al
		and	dword ptr [edi+4], 0
		xor	eax, eax
		mov	[edi+8], ecx
		inc	eax
		mov	ecx, ds:dword_40F9FC
		mov	[edi+0Ch], ecx
		mov	cl, [edi+17h]
		xor	cl, bl
		mov	[edi+14h], ax
		and	cl, 7
		lea	eax, [edi+10h]
		xor	[edi+17h], cl
		mov	ecx, 7FFFFFFFh
		or	dword ptr [eax], 40000000h
		lock and [eax],	ecx
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi

loc_4BE350:				; CODE XREF: MiGetPageForHeader+105C95j
		pop	ebx

loc_4BE351:				; CODE XREF: MiGetPageForHeader+C4j
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_4BE357:				; CODE XREF: MiGetPageForHeader+21j
		or	eax, 0FFFFFFFFh
		jmp	short loc_4BE351
MiGetPageForHeader endp


;  S U B	R O U T	I N E 


MiGetSystemPage	proc near		; CODE XREF: MiGetPageForHeader+48p
					; MiMapNewSession+44p

; FUNCTION CHUNK AT 005C3F30 SIZE 00000021 BYTES

		mov	eax, [edx]
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		push	edi
		inc	esi
		lock xadd [eax], esi
		inc	esi
		mov	edi, [edx+4]
		dec	esi
		and	edi, esi
		mov	esi, 302h
		or	edi, [edx+8]

loc_4BE379:				; CODE XREF: MiGetSystemPage+105BE9j
		push	esi
		mov	edx, edi
		call	MiGetPage
		cmp	eax, 0FFFFFFFFh
		jz	loc_5C3F30
		imul	esi, eax, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		lea	ecx, [esi+10h]
		mov	edx, 7FFFFFFFh
		and	dword ptr [ecx], 0C0000000h
		lock and [ecx],	edx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi

loc_4BE3B5:				; CODE XREF: MiGetSystemPage+105BF0j
		pop	edi
		pop	esi
		pop	ebx
		retn
MiGetSystemPage	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiNodeFreeZeroPages(x, x, x)
_MiNodeFreeZeroPages@12	proc near	; CODE XREF: MiReplenishPageSlist(x,x,x)+11Ap
					; MiSignalLargePageRebuild+DEp	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_C], edx
		mov	ecx, [ebp+arg_0]
		mov	ebx, ecx
		shr	ebx, 1
		and	ecx, 1000h
		push	esi
		not	ebx
		mov	[ebp+var_8], eax
		xor	esi, esi
		mov	[ebp+arg_0], ecx
		and	ebx, 1
		add	eax, 1D0h
		push	edi
		mov	edi, esi
		mov	[ebp+var_4], eax

loc_4BE3EE:				; CODE XREF: MiNodeFreeZeroPages(x,x,x)+57j
		add	esi, [eax]
		test	ecx, ecx
		jz	short loc_4BE408
		mov	ecx, [ebp+var_8]
		push	edi
		call	_MiNodeLargeFreeZeroPages@12 ; MiNodeLargeFreeZeroPages(x,x,x)
		mov	ecx, [ebp+arg_0]
		add	esi, eax
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_C]

loc_4BE408:				; CODE XREF: MiNodeFreeZeroPages(x,x,x)+38j
		inc	edi
		add	eax, 4
		mov	[ebp+var_4], eax
		cmp	edi, ebx
		jle	short loc_4BE3EE
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiNodeFreeZeroPages@12	endp


;  S U B	R O U T	I N E 


; __stdcall MiUnlockVa(x, x)
_MiUnlockVa@8	proc near		; CODE XREF: .text:004539DCp
					; NtUnlockVirtualMemory(x,x,x,x)+5D4p ...
		mov	eax, edx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		push	esi
		mov	esi, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		shrd	esi, eax, 0Ch
		and	esi, 1FFFFFFh
		imul	eax, esi, 1Ch
		add	eax, ds:_MmPfnDatabase
		push	eax
		call	_MiUnlockWsle@12 ; MiUnlockWsle(x,x,x)
		pop	esi
		retn
_MiUnlockVa@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockPagableImageSection proc near	; CODE XREF: MmUnlockPagableImageSection(x)+Bp
					; IoDeleteDevice+D420Cp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C3F51 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		cmp	esi, 1
		jz	loc_4BE574
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	loc_4BE574
		mov	ecx, dword_6D07D0
		mov	eax, esi
		shr	eax, 15h
		cmp	esi, ecx
		jb	short loc_4BE4B4
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4BE574
		cmp	esi, ecx
		jb	short loc_4BE4B4
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4BE574

loc_4BE4B4:				; CODE XREF: MiLockPagableImageSection+44j
					; MiLockPagableImageSection+55j
		push	2
		pop	edx
		mov	ecx, esi
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		mov	edi, eax
		mov	[ebp+var_14], edi
		test	edi, edi
		jz	loc_5C3F51
		mov	eax, [edi+18h]
		push	eax
		mov	[ebp+var_C], eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	edx, eax
		mov	eax, esi
		mov	[ebp+var_10], edx
		push	28h
		movzx	ecx, word ptr [edx+6]
		mov	[ebp+var_8], ecx
		movzx	ecx, word ptr [edx+14h]
		sub	eax, ecx
		sub	eax, edx
		sub	eax, 18h
		cdq
		pop	ecx
		idiv	ecx
		mov	ecx, eax
		mov	eax, [ebp+var_8]
		cmp	ecx, eax
		jnb	loc_5C3F5E
		mov	eax, [edi+80h]
		lea	eax, [eax+ecx*4]
		mov	ecx, [esi+8]
		mov	[ebp+var_8], eax
		mov	eax, [esi+10h]
		cmp	eax, ecx
		jb	short loc_4BE589

loc_4BE519:				; CODE XREF: MiLockPagableImageSection+13Bj
		mov	ecx, [esi+0Ch]
		add	ecx, [ebp+var_C]
		mov	edx, ecx
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+var_10]
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		sub	edx, 40000000h
		mov	ecx, [ecx+38h]
		cmp	ecx, 1000h
		ja	short loc_4BE58D

loc_4BE541:				; CODE XREF: MiLockPagableImageSection+142j
		mov	edi, [ebp+var_C]
		add	eax, ecx
		dec	edi
		neg	ecx
		add	eax, edi
		mov	edi, [ebp+var_14]
		and	eax, ecx
		add	eax, 0FFFh
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000008h
		cmp	[ebp+var_4], 1
		jnz	short loc_4BE57D
		push	eax
		push	edx
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	_MiLockImageSection@16 ; MiLockImageSection(x,x,x,x)

loc_4BE574:				; CODE XREF: MiLockPagableImageSection+24j
					; MiLockPagableImageSection+31j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4BE57D:				; CODE XREF: MiLockPagableImageSection+116j
		mov	ecx, [ebp+var_8]
		push	esi
		push	eax
		call	MiUnlockImageSection
		jmp	short loc_4BE574
; 

loc_4BE589:				; CODE XREF: MiLockPagableImageSection+C7j
		mov	eax, ecx
		jmp	short loc_4BE519
; 

loc_4BE58D:				; CODE XREF: MiLockPagableImageSection+EFj
		mov	ecx, 1000h
		jmp	short loc_4BE541
MiLockPagableImageSection endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLookupDataTableEntry(x, x)
_MiLookupDataTableEntry@8 proc near	; CODE XREF: .text:00459B2Cp
					; MiProbeLeafPteAccess(x,x)+29Dp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	bl, 21h
		mov	byte ptr [ebp+var_1], bl
		mov	edx, ecx
		mov	[ebp+var_8], edx
		cmp	edi, 2
		jnz	short loc_4BE615
		lea	ecx, [ebp+var_1]
		call	_MmLockLoadedModuleListShared@4	; MmLockLoadedModuleListShared(x)

loc_4BE5BC:				; CODE XREF: MiLookupDataTableEntry(x,x)+A2j
		mov	edx, [ebp+var_8]
		mov	bl, byte ptr [ebp+var_1]

loc_4BE5C2:				; CODE XREF: MiLookupDataTableEntry(x,x)+84j
		mov	esi, dword_6CF5A0

loc_4BE5C8:				; CODE XREF: MiLookupDataTableEntry(x,x)+7Bj
					; MiLookupDataTableEntry(x,x)+7Fj
		test	esi, esi
		jz	short loc_4BE5DD
		mov	eax, [esi-64h]
		mov	ecx, [esi-6Ch]
		dec	eax
		add	eax, ecx
		cmp	edx, eax
		ja	short loc_4BE60C
		cmp	edx, ecx
		jb	short loc_4BE611

loc_4BE5DD:				; CODE XREF: MiLookupDataTableEntry(x,x)+36j
		lea	eax, [esi-84h]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		cmp	edi, 2
		jnz	short loc_4BE638
		push	offset _PsLoadedModuleSpinLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		cmp	bl, 1Bh
		jnb	short loc_4BE605
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4BE605:				; CODE XREF: MiLookupDataTableEntry(x,x)+67j
					; MiLookupDataTableEntry(x,x)+A7j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4BE60C:				; CODE XREF: MiLookupDataTableEntry(x,x)+43j
		mov	esi, [esi+4]
		jmp	short loc_4BE5C8
; 

loc_4BE611:				; CODE XREF: MiLookupDataTableEntry(x,x)+47j
		mov	esi, [esi]
		jmp	short loc_4BE5C8
; 

loc_4BE615:				; CODE XREF: MiLookupDataTableEntry(x,x)+1Ej
		cmp	edi, 1
		jnz	short loc_4BE5C2
		mov	eax, large fs:124h
		mov	[ebp+var_C], eax
		dec	word ptr [eax+13Ch]
		nop
		push	edi
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceSharedLite
		jmp	short loc_4BE5BC
; 

loc_4BE638:				; CODE XREF: MiLookupDataTableEntry(x,x)+58j
		cmp	edi, 1
		jnz	short loc_4BE605
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, [ebp+var_C]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	short loc_4BE605
_MiLookupDataTableEntry@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MmLockLoadedModuleListShared(x)
_MmLockLoadedModuleListShared@4	proc near ; CODE XREF: MiLookupDataTableEntry(x,x)+23p
					; RtlPcToFileHeader+Ep	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[esi], al
		pop	esi
		cmp	al, 1Bh
		jnb	short loc_4BE66C
		mov	cl, 1Bh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_4BE66C:				; CODE XREF: MmLockLoadedModuleListShared(x)+10j
		push	offset _PsLoadedModuleSpinLock
		call	ExAcquireSpinLockSharedAtDpcLevel
		retn
_MmLockLoadedModuleListShared@4	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 315. ExAcquireSpinLockSharedAtDpcLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExAcquireSpinLockSharedAtDpcLevel
ExAcquireSpinLockSharedAtDpcLevel proc near ; CODE XREF: MiAddWorkingSetEntries+2EBp
					; MmLockLoadedModuleListShared(x)+1Fp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A808B SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ds:byte_70EFC6,	21h
		mov	ecx, [ebp+arg_0]
		jnz	loc_5A808B
		push	esi
		mov	esi, [ecx]
		and	esi, 7FFFFFFFh
		mov	eax, esi
		lea	edx, [esi+1]
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		pop	esi
		jnz	short loc_4BE6AC

loc_4BE6A8:				; CODE XREF: ExAcquireSpinLockSharedAtDpcLevel+38j
					; ExAcquireSpinLockSharedAtDpcLevel+E9A17j
		pop	ebp
		retn	4
; 

loc_4BE6AC:				; CODE XREF: ExAcquireSpinLockSharedAtDpcLevel+2Aj
		or	dl, 0FFh
		call	ExpWaitForSpinLockSharedAndAcquire
		jmp	short loc_4BE6A8
ExAcquireSpinLockSharedAtDpcLevel endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiStealPage	proc near		; CODE XREF: MiTradePage(x,x)+4F8p

var_184		= dword	ptr -184h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_109		= byte ptr -109h
var_108		= dword	ptr -108h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F2		= byte ptr -0F2h
var_F1		= byte ptr -0F1h
var_F0		= dword	ptr -0F0h
var_E8		= dword	ptr -0E8h
var_D8		= dword	ptr -0D8h
var_C8		= dword	ptr -0C8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C3F80 SIZE 000004B4 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 18Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	[ebp+var_124], edx
		mov	edi, ecx
		mov	[ebp+var_13C], edi
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_F8], eax
		mov	ecx, [ebx+14h]
		xor	eax, eax
		push	50h		; size_t
		push	eax		; int
		mov	[ebp+var_F2], al
		mov	[ebp+var_109], al
		lea	eax, [ebp+var_F0]
		push	eax		; void *
		mov	[ebp+var_14C], ecx
		call	_memset
		mov	eax, [ebx+8]
		xor	edx, edx
		or	[ebp+var_A4], 0FFFFFFFFh
		add	esp, 0Ch
		mov	[ebp+var_F0], eax
		inc	edx
		xor	eax, eax
		and	[ebp+var_144], eax
		and	[ebp+var_148], eax
		mov	[ebp+var_114], eax
		mov	eax, [edi+4]
		or	eax, 80000000h
		mov	[ebp+var_110], eax
		shl	eax, 9
		mov	[ebp+var_118], eax
		mov	esi, eax
		cmp	eax, 0C0000000h
		jnb	loc_4BF132

loc_4BE76A:				; CODE XREF: MiStealPage+A87j
		mov	ecx, [ebp+var_E8]
		or	ecx, edx

loc_4BE772:				; CODE XREF: MiStealPage+A96j
		mov	eax, edi
		mov	[ebp+var_134], 1Ch
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	[ebp+var_134]
		or	[ebp+var_120], 0FFFFFFFFh
		mov	[ebp+var_FC], eax
		mov	eax, [ebp+var_14C]
		mov	[ebp+var_E8], ecx
		test	eax, eax
		jz	short loc_4BE7AB
		or	dword ptr [eax], 0FFFFFFFFh

loc_4BE7AB:				; CODE XREF: MiStealPage+F0j
		and	[ebp+var_140], 0
		cmp	esi, dword_6D07D0
		jnb	loc_4BED7B
		or	ecx, 1000h
		mov	[ebp+var_E8], ecx
		mov	edx, ecx

loc_4BE7CC:				; CODE XREF: MiStealPage+6D4j
					; MiStealPage+6E0j ...
		lea	eax, [ebp+var_F0]
		push	eax
		push	[ebp+var_110]
		test	edx, 1000h
		jz	loc_4BEDF5
		push	[ebp+var_124]
		mov	edx, edi
		call	_MiLockStealUserVm@20 ;	MiLockStealUserVm(x,x,x,x,x)
		mov	esi, eax
		xor	eax, eax
		inc	eax
		cmp	esi, eax
		jnz	loc_4BF35A
		mov	eax, large fs:124h
		and	[ebp+var_11C], 0
		mov	ecx, [ebp+var_C8]
		mov	edx, [ebp+var_F8]
		mov	eax, [eax+80h]
		mov	[ebp+var_140], eax
		mov	eax, [ebp+var_D8]
		mov	[ebp+var_128], eax

loc_4BE830:				; CODE XREF: MiStealPage+79Bj
		mov	eax, [ebp+var_E8]

loc_4BE836:				; CODE XREF: MiStealPage+1058E4j
		cmp	dword ptr [edx+0Ch], 0
		jz	loc_5C3F9F
		movzx	eax, byte ptr [edi+16h]
		shr	eax, 6
		cmp	dword ptr [ebx+10h], 0FFFFFFFFh
		mov	[ebp+var_108], eax
		jnz	loc_5C40B8
		mov	ecx, [ebp+var_FC]
		call	MiSearchNumaNodeTable
		mov	cl, byte_6D068C
		xor	esi, esi
		mov	edx, [eax+4]
		mov	eax, dword_6D06D0
		and	eax, [ebp+var_FC]
		shl	edx, cl
		or	edx, eax
		test	dword ptr [ebx+8], 3000000h
		jnz	loc_5C40D4

loc_4BE889:				; CODE XREF: MiStealPage+105A19j
					; MiStealPage+105A23j
		cmp	[ebp+var_A4], 0FFFFFFFFh
		jnz	loc_5C40DE
		push	esi
		mov	ecx, offset _MiSystemPartition
		call	MiGetPage
		xor	esi, esi
		mov	[ebp+var_120], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_4BEC99
		imul	esi, eax, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	[ebp+var_124], esi

loc_4BE8C1:				; CODE XREF: MiStealPage+105A93j
		cmp	esi, edi
		jz	loc_4BEC94
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		test	ds:_MiFlags, 8000h
		mov	[ebp+var_F1], al
		jnz	loc_5C414E

loc_4BE8E6:				; CODE XREF: MiStealPage+105AA8j
		mov	ecx, [ebp+var_E8]

loc_4BE8EC:				; CODE XREF: MiStealPage+105AC0j
		and	[ebp+var_130], 0
		xor	eax, eax
		and	[ebp+var_12C], 0
		inc	eax
		cmp	[edi+14h], ax
		jnz	loc_4BEEDA
		test	byte ptr [edi+17h], 8
		jnz	loc_4BEEC2
		test	[edi], al
		jz	loc_4BEEC2

loc_4BE919:				; CODE XREF: MiStealPage+815j
					; MiStealPage+81Ej
		mov	al, [edi+16h]
		and	al, 7
		cmp	al, 6
		jnz	loc_4BEEDA
		test	cl, 20h
		jnz	short loc_4BE949
		mov	eax, [ebp+var_110]
		mov	ecx, [eax]
		mov	[ebp+var_130], ecx
		nop
		mov	eax, [eax+4]
		mov	ecx, [ebp+var_E8]
		mov	[ebp+var_12C], eax

loc_4BE949:				; CODE XREF: MiStealPage+273j
		mov	eax, [ebp+var_C8]
		cmp	eax, 3
		jz	short loc_4BE96D
		lea	edx, [edi+10h]
		mov	eax, [edx]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		ja	loc_4BF18A

loc_4BE967:				; CODE XREF: MiStealPage+ADDj
					; MiStealPage+AF8j
		mov	eax, [ebp+var_C8]

loc_4BE96D:				; CODE XREF: MiStealPage+29Cj
		push	2
		pop	edx
		cmp	eax, edx
		jz	loc_4BE9FF
		test	cl, 20h
		jnz	loc_4BEEF6
		test	cl, 8
		jnz	loc_4BF171

loc_4BE98A:				; CODE XREF: MiStealPage+AC7j
		mov	edx, [ebp+var_130]
		mov	eax, edx
		and	eax, 42h
		or	eax, 0
		jz	loc_4BEDE4

loc_4BE99E:				; CODE XREF: MiStealPage+73Aj
		mov	eax, edx
		test	ecx, 100h
		jnz	loc_4BF4F6
		or	ecx, 40h
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_E8], ecx
		or	eax, 400h
		mov	ecx, [ebp+var_110]
		mov	[ecx], eax
		nop
		mov	eax, [ebp+var_12C]
		mov	[ecx+4], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_148], eax

loc_4BE9D8:				; CODE XREF: MiStealPage+E55j
		push	[ebp+var_11C]
		mov	ecx, [ebp+var_128]
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		mov	ecx, [ebp+var_118]
		mov	edx, eax
		call	KeFlushSingleTb

loc_4BE9F6:				; CODE XREF: MiStealPage+85Dj
		mov	ecx, [ebp+var_E8]

loc_4BE9FC:				; CODE XREF: MiStealPage+734j
		push	2
		pop	edx

loc_4BE9FF:				; CODE XREF: MiStealPage+2BCj
					; MiStealPage+AC1j
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_11C], eax
		jz	loc_4BF151

loc_4BEA0E:				; CODE XREF: MiStealPage+A9Ej
					; MiStealPage+105AD8j
		mov	ecx, esi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	edx, [ebp+var_108]
		xor	eax, eax
		inc	eax
		mov	ecx, esi
		push	eax
		call	_MiFinalizePageAttribute@12 ; MiFinalizePageAttribute(x,x,x)
		push	2
		pop	eax
		cmp	[ebp+var_C8], eax
		jz	loc_5C4193

loc_4BEA35:				; CODE XREF: MiStealPage+105B2Bj
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	_MiCopyPfnEntryEx@12 ; MiCopyPfnEntryEx(x,x,x)
		mov	eax, [edi+18h]
		mov	ecx, offset loc_7FFFFF
		and	eax, ecx
		cmp	eax, [ebp+var_FC]
		jz	loc_4BF382

loc_4BEA55:				; CODE XREF: MiStealPage+CDAj
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		mov	[ebp+var_134], eax
		lock and [eax],	ecx
		mov	edx, [ebp+var_E8]
		test	dl, 20h
		jnz	short loc_4BEAC6
		push	2
		pop	eax
		cmp	[ebp+var_C8], eax
		jz	short loc_4BEAC6
		test	edx, 200h
		jnz	short loc_4BEAA7
		test	dl, 8
		jnz	loc_4BEE8D
		cmp	[ebp+var_11C], 0
		jnz	loc_4BEE8D

loc_4BEA9A:				; CODE XREF: MiStealPage+7DFj
					; MiStealPage+7EBj
		mov	al, [edi+16h]
		push	0FFFFFFFDh
		pop	edx
		and	al, dl
		or	al, 5
		mov	[edi+16h], al

loc_4BEAA7:				; CODE XREF: MiStealPage+3CCj
					; MiStealPage+AB0j ...
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, [ebp+var_F1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_E8]
		mov	[ebp+var_F1], 21h

loc_4BEAC6:				; CODE XREF: MiStealPage+3B9j
					; MiStealPage+3C4j ...
		test	edx, 200h
		jnz	loc_4BF1D5
		and	[ebp+var_138], 0
		mov	[ebp+var_F2], 21h

loc_4BEAE0:				; CODE XREF: MiStealPage+C2Cj
		test	edx, 200h
		jnz	loc_4BEFD3
		cmp	[ebp+var_C8], 3
		jz	loc_4BF1C7

loc_4BEAF9:				; CODE XREF: MiStealPage+B14j
		mov	eax, edx
		and	al, 0Ah
		cmp	al, 8
		jz	loc_4BEFC6

loc_4BEB05:				; CODE XREF: MiStealPage+917j
		cmp	[ebp+var_F1], 21h
		jnz	loc_4BEE5C
		xor	eax, eax
		mov	[ebp+var_108], eax

loc_4BEB1A:				; CODE XREF: MiStealPage+7C2j
		test	edx, 2000h
		jnz	loc_5C42F9

loc_4BEB26:				; CODE XREF: MiStealPage+105C4Ej
		mov	edx, [ebp+var_FC]
		mov	ecx, [ebp+var_120]
		push	eax
		push	[ebp+var_F8]
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)
		mov	eax, [ebp+var_108]
		test	al, 4
		jnz	loc_4BEE7D

loc_4BEB4C:				; CODE XREF: MiStealPage+7D2j
		mov	edx, [ebp+var_E8]
		test	dl, 20h
		jnz	short loc_4BEB64
		cmp	[ebp+var_F1], 21h
		jnz	loc_4BEFB4

loc_4BEB64:				; CODE XREF: MiStealPage+49Fj
					; MiStealPage+90Bj ...
		mov	eax, [ebp+var_120]
		xor	ecx, ecx
		and	eax, 1FFFFFFh
		shld	ecx, eax, 0Ch
		shl	eax, 0Ch
		mov	[ebp+var_FC], ecx
		mov	ecx, [ebp+var_12C]
		mov	[ebp+var_F8], eax
		and	ecx, 0FFFFFFE0h
		mov	eax, [ebp+var_130]
		or	[ebp+var_FC], ecx
		and	eax, 0FFFh
		or	[ebp+var_F8], eax
		test	dl, 20h
		jnz	loc_4BEF1B
		test	edx, 400h
		jnz	loc_4BF485
		test	dl, 40h
		jz	loc_4BED16
		mov	esi, [ebp+var_110]
		xor	edx, edx
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5C4356
		mov	ecx, [ebp+var_F8]

loc_4BEBDF:				; CODE XREF: MiStealPage+105CBAj
					; MiStealPage+105CF4j
		mov	eax, [ebp+var_FC]

loc_4BEBE5:				; CODE XREF: MiStealPage+105CCEj
					; MiStealPage+105CD9j
		mov	[esi+4], eax
		nop
		mov	[esi], ecx
		test	edx, edx
		jnz	loc_5C43B2

loc_4BEBF3:				; CODE XREF: MiStealPage+6C0j
					; MiStealPage+E1Ej ...
		mov	edx, [ebp+var_E8]

loc_4BEBF9:				; CODE XREF: MiStealPage+DD5j
		cmp	[ebp+var_148], 0
		jz	loc_4BECED

loc_4BEC06:				; CODE XREF: MiStealPage+65Bj
		mov	ecx, [ebp+var_134]
		mov	esi, 7FFFFFFFh

loc_4BEC11:				; CODE XREF: MiStealPage+8D6j
		test	edx, 200h
		jnz	loc_4BF333
		and	dl, 50h
		cmp	dl, 10h
		jz	loc_4BF182

loc_4BEC29:				; CODE XREF: MiStealPage+ACFj
		mov	cl, [ebp+var_F1]

loc_4BEC2F:				; CODE XREF: MiStealPage+C9Fj
		mov	eax, [edi+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jz	loc_5C43C0

loc_4BEC42:				; CODE XREF: MiStealPage+105D20j
		push	2
		pop	eax
		cmp	[ebp+var_C8], eax
		jz	loc_5C43DB

loc_4BEC51:				; CODE XREF: MiStealPage+105D42j
		cmp	[ebp+var_F1], 21h
		jnz	short loc_4BEC67
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp+var_F1], al

loc_4BEC67:				; CODE XREF: MiStealPage+5A2j
		and	dword ptr [edi+18h], 0FFFFFFFh
		xor	eax, eax
		and	byte ptr [edi+16h], 0C7h
		and	byte ptr [edi+17h], 0DFh
		mov	[edi+14h], ax
		lea	eax, [edi+10h]
		and	dword ptr [eax], 0C0000000h
		lock and [eax],	esi
		mov	cl, [ebp+var_F1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4BEC94:				; CODE XREF: MiStealPage+20Dj
		xor	eax, eax
		lea	esi, [eax+1]

loc_4BEC99:				; CODE XREF: MiStealPage+1F6j
					; MiStealPage+789j ...
		lea	ecx, [ebp+var_F0]
		call	_MiUnlockStealVm@4 ; MiUnlockStealVm(x)
		mov	eax, [ebp+var_114]
		test	eax, eax
		jnz	loc_5C43FD

loc_4BECB2:				; CODE XREF: MiStealPage+105D4Ej
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		xor	eax, eax
		inc	eax
		cmp	esi, eax
		jnz	loc_5C4409
		mov	ecx, [ebp+var_14C]
		test	ecx, ecx
		jz	short loc_4BECD6
		mov	eax, [ebp+var_120]
		mov	[ecx], eax

loc_4BECD6:				; CODE XREF: MiStealPage+616j
					; MiStealPage+105D63j ...
		mov	eax, esi

loc_4BECD8:				; CODE XREF: MiStealPage+CBBj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	10h
; 

loc_4BECED:				; CODE XREF: MiStealPage+54Aj
		push	[ebp+var_11C]
		mov	ecx, [ebp+var_128]
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		mov	ecx, [ebp+var_118]
		mov	edx, eax
		call	KeFlushSingleTb
		mov	edx, [ebp+var_E8]
		jmp	loc_4BEC06
; 

loc_4BED16:				; CODE XREF: MiStealPage+506j
		test	edx, 200h
		jnz	loc_4BF32D
		and	dl, 50h
		cmp	dl, 10h
		jz	loc_4BF376

loc_4BED2E:				; CODE XREF: MiStealPage+C78j
					; MiStealPage+CC7j
		nop
		mov	edi, [ebp+var_F8]
		mov	ecx, [ebp+var_FC]

loc_4BED3B:				; CODE XREF: MiStealPage+6B0j
					; MiStealPage+6B8j
		mov	eax, [ebp+var_110]
		mov	esi, [eax]
		mov	edx, [eax+4]
		mov	eax, esi
		mov	[ebp+var_124], edx
		nop
		push	ebx
		mov	ebx, edi
		mov	edi, [ebp+var_110]
		lock cmpxchg8b qword ptr [edi]
		pop	ebx
		nop
		mov	edi, [ebp+var_F8]
		cmp	eax, esi
		jnz	short loc_4BED3B
		cmp	edx, [ebp+var_124]
		jnz	short loc_4BED3B
		mov	edi, [ebp+var_13C]
		jmp	loc_4BEBF3
; 

loc_4BED7B:				; CODE XREF: MiStealPage+102j
		mov	eax, dword_6D2E88
		mov	edx, ecx
		mov	[ebp+var_108], eax
		cmp	esi, eax
		jb	loc_4BE7CC
		cmp	esi, dword_6D2E8C
		ja	loc_4BE7CC
		test	cl, 1
		jz	loc_4BF4DF
		or	ecx, 0Ah
		mov	edx, ecx
		cmp	[ebp+var_118], eax
		jb	short loc_4BEDD3
		mov	eax, dword_6D2E90
		test	eax, eax
		jz	loc_5C3F71

loc_4BEDBF:				; CODE XREF: MiLockPagableImageSection+105B2Bj
		add	eax, [ebp+var_108]
		mov	edx, ecx
		cmp	[ebp+var_118], eax
		jb	loc_4BF4E9

loc_4BEDD3:				; CODE XREF: MiStealPage+6FAj
					; MiStealPage+E2Ej ...
		or	edx, 1000h
		mov	[ebp+var_E8], edx
		jmp	loc_4BE7CC
; 

loc_4BEDE4:				; CODE XREF: MiStealPage+2E2j
		test	ecx, 2000h
		jz	loc_4BE9FC
		jmp	loc_4BE99E
; 

loc_4BEDF5:				; CODE XREF: MiStealPage+129j
		mov	dl, byte ptr [ebp+var_124]
		mov	ecx, edi
		call	_MiLockStealSystemVm@16	; MiLockStealSystemVm(x,x,x,x)
		mov	esi, eax
		xor	eax, eax
		inc	eax
		cmp	esi, eax
		jnz	loc_4BF35A
		mov	edx, [ebp+var_D8]
		xor	esi, esi
		mov	ecx, [ebp+var_C8]
		mov	[ebp+var_11C], eax
		mov	[ebp+var_128], edx
		mov	al, [edx+60h]
		mov	edx, [ebp+var_F8]
		and	al, 7
		cmp	al, 7
		jnz	loc_4BEF91
		cmp	[edx+0Ch], esi
		jz	loc_4BEC99
		push	2
		pop	esi

loc_4BEE48:				; CODE XREF: MiStealPage+8F3j
		mov	[ebp+var_11C], esi

loc_4BEE4E:				; CODE XREF: MiStealPage+8E0j
					; MiStealPage+8E8j ...
		cmp	ecx, 3
		jnz	loc_4BE830
		jmp	loc_5C3F80
; 

loc_4BEE5C:				; CODE XREF: MiStealPage+456j
		push	4
		pop	eax
		mov	ecx, esi
		mov	[ebp+var_108], eax
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	edx, [ebp+var_E8]
		mov	eax, [ebp+var_108]
		jmp	loc_4BEB1A
; 

loc_4BEE7D:				; CODE XREF: MiStealPage+490j
		mov	eax, 7FFFFFFFh
		lea	ecx, [esi+10h]
		lock and [ecx],	eax
		jmp	loc_4BEB4C
; 

loc_4BEE8D:				; CODE XREF: MiStealPage+3D1j
					; MiStealPage+3DEj
		mov	eax, edx
		and	eax, 0Ah
		cmp	eax, 0Ah
		jz	loc_4BEA9A
		test	edx, 100h
		jnz	loc_4BEA9A
		cmp	eax, 8
		jz	loc_4BF15F

loc_4BEEB0:				; CODE XREF: MiStealPage+AB6j
		cmp	[ebp+var_C8], 3
		jnz	loc_4BEAC6
		jmp	loc_5C422C
; 

loc_4BEEC2:				; CODE XREF: MiStealPage+255j
					; MiStealPage+25Dj
		push	2
		pop	eax
		cmp	[ebp+var_C8], eax
		jz	loc_4BE919
		test	cl, 26h
		jnz	loc_4BE919

loc_4BEEDA:				; CODE XREF: MiStealPage+24Bj
					; MiStealPage+26Aj ...
		mov	ecx, 7FFFFFFFh

loc_4BEEDF:				; CODE XREF: MiStealPage+105B71j
		lea	eax, [edi+10h]
		lock and [eax],	ecx

loc_4BEEE5:				; CODE XREF: MiStealPage+105ACDj
		mov	cl, [ebp+var_F1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_5C425B
; 

loc_4BEEF6:				; CODE XREF: MiStealPage+2C5j
		mov	edx, [ebp+var_110]
		mov	ecx, edi
		call	_MiPrepareToStealNonPagedPool@8	; MiPrepareToStealNonPagedPool(x,x)
		mov	ecx, edx
		mov	[ebp+var_130], eax
		or	eax, ecx
		mov	[ebp+var_12C], ecx
		jnz	loc_4BE9F6
		jmp	short loc_4BEEDA
; 

loc_4BEF1B:				; CODE XREF: MiStealPage+4F1j
		mov	ecx, esi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	ecx, [ebp+var_F8]
		mov	eax, [ebp+var_130]
		or	ecx, 20h
		mov	edx, [ebp+var_12C]
		nop
		mov	edi, [ebp+var_110]
		push	ebx
		mov	ebx, ecx
		mov	ecx, [ebp+var_FC]
		lock cmpxchg8b qword ptr [edi]
		pop	ebx
		nop
		mov	edi, [ebp+var_13C]
		cmp	eax, [ebp+var_130]
		jnz	loc_5C4207
		cmp	edx, [ebp+var_12C]
		jnz	loc_5C4207
		mov	ecx, [ebp+var_134]
		mov	esi, 7FFFFFFFh
		lock and [ecx],	esi
		mov	al, [edi+16h]
		push	0FFFFFFFDh
		pop	edx
		and	al, dl
		mov	edx, [ebp+var_E8]
		or	al, 5
		mov	[edi+16h], al
		jmp	loc_4BEC11
; 

loc_4BEF91:				; CODE XREF: MiStealPage+780j
		push	2
		pop	esi
		cmp	al, 3
		jz	loc_4BEE4E
		cmp	al, 1
		jz	loc_4BEE4E
		xor	eax, eax
		inc	eax
		cmp	ecx, eax
		jz	loc_4BEE48
		jmp	loc_4BEE4E
; 

loc_4BEFB4:				; CODE XREF: MiStealPage+4A8j
		mov	al, [edi+16h]
		push	0FFFFFFFDh
		pop	ecx
		and	al, cl
		or	al, 5
		mov	[edi+16h], al
		jmp	loc_4BEB64
; 

loc_4BEFC6:				; CODE XREF: MiStealPage+449j
		cmp	[ebp+var_11C], 0
		jnz	loc_4BEB05

loc_4BEFD3:				; CODE XREF: MiStealPage+430j
					; MiStealPage+B1Aj
		push	[ebp+var_FC]
		mov	edx, [ebp+var_120]
		mov	ecx, [ebp+var_F8]
		call	MiGetPteFromCopyList
		mov	edx, eax
		mov	ecx, edx
		mov	[ebp+var_108], edx
		shl	ecx, 9
		test	[ebp+var_E8], 200h
		jnz	loc_4BF2E7
		mov	eax, large fs:124h
		xor	edi, edi
		mov	esi, [ebp+var_128]
		mov	[ebp+var_17C], esi
		mov	esi, [ebp+var_118]
		mov	[ebp+var_178], esi
		mov	esi, [ebp+var_FC]
		mov	[ebp+var_160], edi
		mov	[ebp+var_15C], edi
		mov	[ebp+var_158], edi
		mov	edi, [ebp+var_120]
		mov	[ebp+var_168], eax
		mov	[ebp+var_170], esi
		mov	[ebp+var_16C], edi
		mov	edi, [ebp+var_13C]
		mov	[ebp+var_174], ecx
		mov	eax, [eax+80h]
		mov	[ebp+var_164], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_F8], eax
		mov	eax, [edi+18h]
		and	eax, offset loc_7FFFFF
		cmp	eax, esi
		mov	esi, [ebp+var_124]
		jz	loc_4BF395
		lea	ecx, [ebp+var_17C]
		call	_MiReplacePageTablePage@4 ; MiReplacePageTablePage(x)

loc_4BF099:				; CODE XREF: MiStealPage+DCAj
		cmp	[ebp+var_160], 0
		jl	loc_5C431B

loc_4BF0A6:				; CODE XREF: MiStealPage+105C6Cj
		mov	ecx, [ebp+var_F8]

loc_4BF0AC:				; CODE XREF: MiStealPage+C4Bj
		mov	edx, [ebp+var_108]

loc_4BF0B2:				; CODE XREF: MiStealPage+105C60j
		mov	eax, ds:_ZeroPte
		mov	[edx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edx+4], eax
		mov	eax, ds:_ZeroPte
		mov	[edx+8], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edx+0Ch], eax
		test	ecx, ecx
		jz	loc_5C4327
		test	[ebp+var_E8], 200h
		jnz	loc_4BF306
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, [edi+16h]
		push	0FFFFFFFDh
		pop	edx
		and	cl, dl
		lea	edx, [edi+10h]
		or	cl, 5
		mov	[edi+16h], cl
		mov	ecx, [edx]
		and	ecx, 0C0000001h
		or	ecx, 1
		mov	[edx], ecx
		mov	ecx, 7FFFFFFFh
		lock and [edx],	ecx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[ebp+var_F1], 21h

loc_4BF127:				; CODE XREF: MiStealPage+C72j
		mov	edx, [ebp+var_E8]
		jmp	loc_4BEB64
; 

loc_4BF132:				; CODE XREF: MiStealPage+AEj
		mov	ecx, 0C07FFFFFh

loc_4BF137:				; CODE XREF: MiStealPage+B0Cj
		cmp	esi, ecx
		jbe	short loc_4BF1B3

loc_4BF13B:				; CODE XREF: MiStealPage+B06j
		cmp	eax, ecx
		ja	loc_4BE76A
		mov	ecx, [ebp+var_E8]
		or	ecx, 8
		jmp	loc_4BE772
; 

loc_4BF151:				; CODE XREF: MiStealPage+352j
		test	cl, 4
		jz	loc_4BEA0E
		jmp	loc_5C4188
; 

loc_4BF15F:				; CODE XREF: MiStealPage+7F4j
		cmp	[ebp+var_11C], 0
		jz	loc_4BEAA7
		jmp	loc_4BEEB0
; 

loc_4BF171:				; CODE XREF: MiStealPage+2CEj
		test	ecx, 100h
		jz	loc_4BE9FF
		jmp	loc_4BE98A
; 

loc_4BF182:				; CODE XREF: MiStealPage+56Dj
		lock and [ecx],	esi
		jmp	loc_4BEC29
; 

loc_4BF18A:				; CODE XREF: MiStealPage+2ABj
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_11C], eax
		jnz	loc_4BE967
		test	cl, 10h
		jz	loc_5C417B
		or	ecx, 208h
		mov	[ebp+var_E8], ecx
		jmp	loc_4BE967
; 

loc_4BF1B3:				; CODE XREF: MiStealPage+A83j
		shl	esi, 9
		cmp	esi, 0C0000000h
		jb	loc_4BF13B
		jmp	loc_4BF137
; 

loc_4BF1C7:				; CODE XREF: MiStealPage+43Dj
		test	dl, 4
		jz	loc_4BEAF9
		jmp	loc_4BEFD3
; 

loc_4BF1D5:				; CODE XREF: MiStealPage+416j
		mov	ecx, [ebp+var_118]
		lea	edx, [ebp+var_F2]
		call	MiLockProtoPoolPage
		mov	ecx, eax
		mov	[ebp+var_138], ecx
		test	ecx, ecx
		jz	loc_5C4253
		push	2
		pop	eax
		cmp	[ecx+14h], ax
		ja	loc_5C4248
		mov	edx, [ebp+var_110]
		mov	eax, [edx]
		mov	[ebp+var_130], eax
		nop
		mov	edi, [edx+4]
		and	eax, 42h
		or	eax, 0
		mov	[ebp+var_12C], edi
		mov	edi, [ebp+var_13C]
		jz	loc_4BF2DC
		and	[ebp+var_154], 0
		add	ecx, 10h
		mov	[ebp+var_108], ecx
		lock bts dword ptr [ecx], 1Fh
		jb	loc_5C429E

loc_4BF248:				; CODE XREF: MiStealPage+105C12j
		mov	eax, [ebp+var_138]
		push	2
		pop	edi
		cmp	[eax+14h], di
		mov	edi, [ebp+var_13C]
		ja	loc_5C423A
		mov	eax, [ebp+var_130]
		and	eax, 0FFFFFFBDh
		nop
		mov	ecx, [ebp+var_118]
		mov	[edx], eax
		mov	eax, [ebp+var_12C]
		mov	[edx+4], eax
		xor	eax, eax
		inc	eax
		xor	edx, edx
		push	eax
		call	KeFlushSingleTb
		mov	ecx, [ebp+var_138]
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	esi, [ebp+var_108]
		mov	ecx, eax
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	esi, ecx
		or	esi, edx
		jnz	loc_5C42CD

loc_4BF2AC:				; CODE XREF: MiStealPage+105C28j
		and	[ebp+var_184], 0
		mov	esi, [ebp+var_134]

loc_4BF2B9:				; CODE XREF: MiStealPage+105C3Ej
		lock bts dword ptr [esi], 1Fh
		jb	loc_5C42E3
		mov	esi, [ebp+var_124]
		mov	ecx, esi
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	eax, 7FFFFFFFh
		lea	ecx, [esi+10h]
		lock and [ecx],	eax

loc_4BF2DC:				; CODE XREF: MiStealPage+B71j
		mov	edx, [ebp+var_E8]
		jmp	loc_4BEAE0
; 

loc_4BF2E7:				; CODE XREF: MiStealPage+94Bj
		mov	edx, [ebp+var_FC]
		push	ecx
		push	[ebp+var_120]
		mov	ecx, [ebp+var_118]
		call	MiReplacePageOfProtoPool
		mov	ecx, eax
		jmp	loc_4BF0AC
; 

loc_4BF306:				; CODE XREF: MiStealPage+A2Fj
		mov	al, [edi+16h]
		mov	ecx, esi
		push	0FFFFFFFDh
		pop	edx
		and	al, dl
		or	al, 5
		mov	[edi+16h], al
		mov	eax, [edi+10h]
		and	eax, 0C0000001h
		or	eax, 1
		mov	[edi+10h], eax
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		jmp	loc_4BF127
; 

loc_4BF32D:				; CODE XREF: MiStealPage+666j
		nop
		jmp	loc_4BED2E
; 

loc_4BF333:				; CODE XREF: MiStealPage+561j
		lock and [ecx],	esi
		lea	eax, [edi+10h]
		lock and [eax],	esi
		mov	dl, [ebp+var_F2]
		mov	ecx, [ebp+var_138]
		call	MiUnlockProtoPoolPage
		mov	cl, 21h
		mov	[ebp+var_F1], cl
		jmp	loc_4BEC2F
; 

loc_4BF35A:				; CODE XREF: MiStealPage+143j
					; MiStealPage+753j
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	eax, [edi+10h]
		and	eax, 40000000h
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, esi
		jmp	loc_4BECD8
; 

loc_4BF376:				; CODE XREF: MiStealPage+672j
		mov	ecx, esi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		jmp	loc_4BED2E
; 

loc_4BF382:				; CODE XREF: MiStealPage+399j
		mov	eax, [esi+18h]
		xor	eax, [ebp+var_120]
		and	eax, ecx
		xor	[esi+18h], eax
		jmp	loc_4BEA55
; 

loc_4BF395:				; CODE XREF: MiStealPage+9D2j
		mov	eax, [ebp+var_128]
		test	byte ptr [eax+63h], 2
		jnz	loc_5C4309
		mov	eax, [ebp+var_140]
		add	eax, 3A8h
		lock bts dword ptr [eax], 1
		jb	loc_5C4309
		mov	edx, [ebp+var_E8]
		mov	eax, [ebp+var_164]
		or	edx, 400h
		mov	[ebp+var_E8], edx
		mov	eax, [eax+194h]
		mov	ecx, [eax+18h]
		mov	eax, [eax+1Ch]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		cmp	ecx, [ebp+var_FC]
		jz	short loc_4BF418
		xor	eax, eax
		inc	eax
		or	edx, 4000h
		mov	[ebp+var_15C], eax
		mov	eax, [ebp+var_164]
		mov	eax, [eax+304h]
		mov	[ebp+var_158], eax
		mov	[ebp+var_E8], edx

loc_4BF418:				; CODE XREF: MiStealPage+D39j
		push	0
		mov	dl, 21h
		lea	ecx, [ebp+var_D8]
		call	_MiReleaseFaultState@12	; MiReleaseFaultState(x,x,x)
		mov	edx, [ebp+var_15C]
		lea	eax, [ebp+var_17C]
		mov	ecx, [ebp+var_164]
		push	eax
		call	_KeSwapDirectoryTableBase@12 ; KeSwapDirectoryTableBase(x,x,x)
		mov	ecx, [ebp+var_128]
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_4BF459
		lea	eax, [ecx+80h]

loc_4BF459:				; CODE XREF: MiStealPage+D9Bj
		push	eax
		mov	[ebp+var_124], eax
		call	ExAcquireSpinLockExclusive
		mov	eax, [ebp+var_124]
		push	0FFFFFFFDh
		pop	edx
		and	dword ptr [eax+4], 0
		mov	eax, [ebp+var_140]
		add	eax, 3A8h
		lock and [eax],	edx
		jmp	loc_4BF099
; 

loc_4BF485:				; CODE XREF: MiStealPage+4FDj
		test	edx, 4000h
		jz	loc_4BEBF9
		mov	eax, [ebp+var_140]
		mov	edx, [eax+304h]
		test	edx, edx
		jz	loc_5C433C
		mov	eax, edx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	ecx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		sub	ecx, [ebp+var_120]
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		test	ecx, edx
		jnz	loc_4BEBF3
		jmp	loc_5C433C
; 

loc_4BF4DF:				; CODE XREF: MiStealPage+6E9j
		mov	edx, ecx
		or	edx, 0Ch
		jmp	loc_4BEDD3
; 

loc_4BF4E9:				; CODE XREF: MiStealPage+717j
		mov	edx, ecx
		or	edx, 100h
		jmp	loc_4BEDD3
; 

loc_4BF4F6:				; CODE XREF: MiStealPage+2F0j
		and	eax, 0FFFFFFBDh
		nop
		mov	ecx, [ebp+var_110]
		mov	[ecx], eax
		mov	eax, [ebp+var_12C]
		mov	[ecx+4], eax
		jmp	loc_4BE9D8
MiStealPage	endp


;  S U B	R O U T	I N E 


; __stdcall MiUnlockStealVm(x)
_MiUnlockStealVm@4 proc	near		; CODE XREF: MiStealPage+5E9p
					; MiLockStealUserVm(x,x,x,x,x)+244p ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)
		cmp	dword ptr [esi+30h], 0
		jz	short loc_4BF538
		lea	ecx, [esi+34h]
		xor	edx, edx
		call	_KeForceDetachProcess@8	; KeForceDetachProcess(x,x)
		mov	ecx, [esi+30h]
		call	MiAttachThreadDone

loc_4BF534:				; CODE XREF: MiUnlockStealVm(x)+2Dj
					; MiUnlockStealVm(x)+40j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_4BF538:				; CODE XREF: MiUnlockStealVm(x)+10j
		mov	edi, [esi+2Ch]
		test	edi, edi
		jz	short loc_4BF534
		lea	edx, [esi+34h]
		mov	ecx, edi
		call	MmDetachSession
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	short loc_4BF534
_MiUnlockStealVm@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRemoveWsleList proc near		; CODE XREF: MmUnmapViewInSystemCache+289p
					; MiFreeWsleList+140p

var_50		= dword	ptr -50h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C4434 SIZE 0000013A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_3C], 0
		xor	edx, edx
		xor	eax, eax
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edx
		xor	ecx, ecx
		mov	[ebp+var_14], edx
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_20], eax
		mov	[ebp+var_4], ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_8], eax
		test	edx, edx
		jz	loc_4BF841
		mov	ebx, [ebp+arg_0]
		inc	ebx
		mov	[ebp+var_24], edx
		add	esi, 14h
		mov	[ebp+var_28], ebx
		mov	[ebp+var_C], esi
		lea	esp, [esp+0]

loc_4BF5B0:				; CODE XREF: MiRemoveWsleList+A5j
		mov	dl, [ebx]
		test	dl, 1
		jz	short loc_4BF5FB
		inc	ecx
		mov	[ebp+var_4], ecx
		mov	ecx, [esi]
		cmp	ecx, 0C0000000h
		jnb	loc_4BF78C

loc_4BF5C9:				; CODE XREF: MiRemoveWsleList+232j
		mov	eax, ecx
		mov	[ebp+var_8], 2
		shr	eax, 12h
		and	eax, 3FF8h
		sub	eax, 3FA00000h
		mov	[ebp+var_20], eax

loc_4BF5E2:				; CODE XREF: MiRemoveWsleList+23Fj
		test	dl, 2
		jnz	loc_4BF775

loc_4BF5EB:				; CODE XREF: MiRemoveWsleList+227j
					; MiRemoveWsleList+30Cj
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 4
		jz	loc_4BF871

loc_4BF5F8:				; CODE XREF: MiRemoveWsleList+338j
					; MiRemoveWsleList+34Aj ...
		mov	ecx, [ebp+var_4]

loc_4BF5FB:				; CODE XREF: MiRemoveWsleList+55j
		add	esi, 4
		add	ebx, 8
		sub	[ebp+var_24], 1
		jnz	short loc_4BF5B0
		mov	ecx, [ebp+var_8]
		mov	ebx, [ebp+var_28]
		test	ecx, ecx
		jz	loc_4BF83E
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C80
		jz	short loc_4BF629
		lea	eax, [edi+0C0h]

loc_4BF629:				; CODE XREF: MiRemoveWsleList+C1j
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_40], eax
		mov	[ebp+var_44], 0
		jnz	loc_5C4434
		lea	edx, [ebp+var_44]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4BF8F5

loc_4BF64D:				; CODE XREF: MiRemoveWsleList+3A0j
		mov	edx, [ebp+var_10]
		test	edx, edx
		jnz	loc_4BF84A

loc_4BF658:				; CODE XREF: MiRemoveWsleList+2F2j
					; MiRemoveWsleList+2FBj
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_5C4443

loc_4BF663:				; CODE XREF: MiRemoveWsleList+104EE9j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	loc_4BF982

loc_4BF66E:				; CODE XREF: MiRemoveWsleList+428j
		mov	eax, [ebp+var_4]
		sub	[edi+48h], eax
		xor	esi, esi
		mov	eax, [ebp+arg_4]
		lea	esp, [esp+0]

loc_4BF680:				; CODE XREF: MiRemoveWsleList+162j
		test	byte ptr [ebx+esi*8], 1
		jz	short loc_4BF6B6
		cmp	ecx, 1
		jz	loc_4BF94F
		mov	eax, [ebp+arg_0]
		dec	dword ptr [edi+40h]
		mov	al, [eax+esi*8]
		and	al, 0Fh
		cmp	al, 8
		jz	short loc_4BF6B3

loc_4BF69E:				; CODE XREF: MiRemoveWsleList+3F3j
		mov	eax, [ebp+arg_0]
		mov	cl, [eax+esi*8]
		and	cl, 0Fh
		movzx	eax, cl
		dec	dword ptr [edi+eax*4+18h]
		cmp	cl, 7
		jz	short loc_4BF6C4

loc_4BF6B3:				; CODE XREF: MiRemoveWsleList+13Cj
					; MiRemoveWsleList+17Ej ...
		mov	eax, [ebp+arg_4]

loc_4BF6B6:				; CODE XREF: MiRemoveWsleList+124j
					; MiRemoveWsleList+3F9j
		inc	esi
		cmp	esi, eax
		jnb	loc_4BF7A4
		mov	ecx, [ebp+var_8]
		jmp	short loc_4BF680
; 

loc_4BF6C4:				; CODE XREF: MiRemoveWsleList+151j
		mov	ecx, dword_6D5D40
		xor	eax, eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	eax, [edi+34h]
		mov	[ebp+var_24], ecx
		cmp	eax, [ecx+30h]
		jnb	short loc_4BF6B3
		lea	eax, [edi+10h]
		cmp	dword_6D5D48, eax
		jz	short loc_4BF6B3
		cmp	dword ptr [eax], 0
		jz	short loc_4BF6B3
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_34], offset dword_6D3540
		mov	[ebp+var_38], 0
		jnz	loc_5C444E
		lea	edx, [ebp+var_38]
		mov	ebx, offset dword_6D3540
		xchg	edx, [ebx]
		mov	ebx, [ebp+var_28]
		test	edx, edx
		jnz	loc_4BF98D

loc_4BF720:				; CODE XREF: MiRemoveWsleList+43Bj
		cmp	byte ptr [ecx+2Dh], 0
		jz	loc_4BF905

loc_4BF72A:				; CODE XREF: MiRemoveWsleList+3A9j
		mov	byte ptr [ecx+2Eh], 1

loc_4BF72E:				; CODE XREF: MiRemoveWsleList+3EAj
		test	ds:byte_70EFC6,	1
		jnz	loc_5C4460
		mov	eax, [ebp+var_38]
		test	eax, eax
		jnz	short loc_4BF75E
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_38]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_38]
		cmp	eax, ecx
		jz	loc_4BF6B3
		call	KxWaitForLockChainValid

loc_4BF75E:				; CODE XREF: MiRemoveWsleList+1E0j
		mov	[ebp+var_38], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4BF6B3
; 

loc_4BF775:				; CODE XREF: MiRemoveWsleList+85j
		inc	[ebp+var_10]
		cmp	ecx, 0C0000000h
		jnb	loc_4BF860

loc_4BF784:				; CODE XREF: MiRemoveWsleList+306j
		inc	[ebp+var_14]
		jmp	loc_4BF5EB
; 

loc_4BF78C:				; CODE XREF: MiRemoveWsleList+63j
		cmp	ecx, 0C07FFFFFh
		ja	loc_4BF5C9
		mov	[ebp+var_8], 1
		jmp	loc_4BF5E2
; 

loc_4BF7A4:				; CODE XREF: MiRemoveWsleList+159j
		test	ds:byte_70EFC6,	1
		jnz	loc_5C4477
		mov	eax, [ebp+var_44]
		test	eax, eax
		jnz	loc_4BF8DE
		mov	edx, [ebp+var_40]
		lea	eax, [ebp+var_44]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_44]
		cmp	eax, ecx
		jnz	loc_4BF8D6

loc_4BF7D3:				; CODE XREF: MiRemoveWsleList+390j
					; MiRemoveWsleList+104F22j
		mov	eax, [ebp+var_C]
		xor	esi, esi
		mov	ecx, [ebp+arg_4]
		jmp	short loc_4BF7E0
; 
		align 10h

loc_4BF7E0:				; CODE XREF: MiRemoveWsleList+27Bj
					; MiRemoveWsleList+2DCj
		test	byte ptr [ebx],	1
		jz	short loc_4BF830
		cmp	[ebp+var_8], 2
		mov	edx, [eax]
		mov	al, [edi+60h]
		mov	[ebp+arg_0], edx
		jnz	loc_4BF95E
		movzx	ecx, al
		mov	eax, edx
		and	ecx, 7
		shr	eax, 0Ch
		add	eax, dword_6D2E68[ecx*4]
		mov	cl, [eax]
		and	cl, 0Fh
		cmp	cl, 0Ah
		jz	loc_5C44AB
		mov	byte ptr [eax],	0Ah

loc_4BF81A:				; CODE XREF: MiRemoveWsleList+400j
					; MiRemoveWsleList+41Dj ...
		test	dword ptr ds:byte_70EFC4, 8000000h
		jnz	loc_5C4497

loc_4BF82A:				; CODE XREF: MiRemoveWsleList+104F46j
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_C]

loc_4BF830:				; CODE XREF: MiRemoveWsleList+283j
		inc	esi
		add	eax, 4
		add	ebx, 8
		mov	[ebp+var_C], eax
		cmp	esi, ecx
		jb	short loc_4BF7E0

loc_4BF83E:				; CODE XREF: MiRemoveWsleList+AFj
		mov	eax, [ebp+var_20]

loc_4BF841:				; CODE XREF: MiRemoveWsleList+36j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4BF84A:				; CODE XREF: MiRemoveWsleList+F2j
		sub	[edi+4Ch], edx
		mov	edx, [ebp+var_14]
		test	edx, edx
		jz	loc_4BF658
		sub	[edi+44h], edx
		jmp	loc_4BF658
; 

loc_4BF860:				; CODE XREF: MiRemoveWsleList+21Ej
		cmp	ecx, 0C07FFFFFh
		ja	loc_4BF784
		jmp	loc_4BF5EB
; 

loc_4BF871:				; CODE XREF: MiRemoveWsleList+92j
		mov	eax, ds:_PsNtosImageBase
		test	eax, eax
		jz	short loc_4BF892
		cmp	ecx, ds:_PsNtosImageEnd
		jb	loc_4BF9A0

loc_4BF886:				; CODE XREF: MiRemoveWsleList+442j
		cmp	ecx, ds:_PsHalImageEnd
		jb	loc_4BF9B0

loc_4BF892:				; CODE XREF: MiRemoveWsleList+318j
					; MiRemoveWsleList+456j
		cmp	ecx, dword_6D07D0
		jb	loc_4BF5F8
		mov	eax, ecx
		shr	eax, 15h
		cmp	byte ptr dword_6D3994[eax], 0Ch
		jnz	loc_4BF5F8
		shr	ecx, 9
		mov	edx, 2
		and	ecx, offset loc_7FFFF8
		shl	ecx, 9
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		test	eax, eax
		jz	loc_4BF5F8
		inc	[ebp+var_1C]
		jmp	loc_4BF5F8
; 

loc_4BF8D6:				; CODE XREF: MiRemoveWsleList+26Dj
		lea	ecx, [ebp+var_44]
		call	KxWaitForLockChainValid

loc_4BF8DE:				; CODE XREF: MiRemoveWsleList+256j
		mov	[ebp+var_44], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4BF7D3
; 

loc_4BF8F5:				; CODE XREF: MiRemoveWsleList+E7j
		lea	ecx, [ebp+var_44]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4BF8FD:				; CODE XREF: MiRemoveWsleList+104EDEj
		mov	ecx, [ebp+var_8]
		jmp	loc_4BF64D
; 

loc_4BF905:				; CODE XREF: MiRemoveWsleList+1C4j
		mov	edx, [eax]
		test	edx, edx
		jz	loc_4BF72A
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_5C4470
		cmp	[ecx], eax
		jnz	loc_5C4470
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, dword_6D5D48
		cmp	dword ptr [ecx], offset	dword_6D5D44
		jnz	loc_5C4470
		mov	dword ptr [eax], offset	dword_6D5D44
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6D5D48, eax
		jmp	loc_4BF72E
; 

loc_4BF94F:				; CODE XREF: MiRemoveWsleList+129j
		test	byte ptr [edi+60h], 7
		jz	loc_4BF69E
		jmp	loc_4BF6B6
; 

loc_4BF95E:				; CODE XREF: MiRemoveWsleList+291j
		test	al, 7
		jnz	loc_4BF81A
		mov	eax, edx
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	loc_5C4487

loc_4BF976:				; CODE XREF: MiRemoveWsleList+104F32j
		mov	ecx, edi
		call	_MiPruneSoftwareWsles@8	; MiPruneSoftwareWsles(x,x)
		jmp	loc_4BF81A
; 

loc_4BF982:				; CODE XREF: MiRemoveWsleList+108j
		sub	dword_6CF590, eax
		jmp	loc_4BF66E
; 

loc_4BF98D:				; CODE XREF: MiRemoveWsleList+1BAj
		lea	ecx, [ebp+var_38]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4BF995:				; CODE XREF: MiRemoveWsleList+104EFBj
		mov	ecx, [ebp+var_24]
		lea	eax, [edi+10h]
		jmp	loc_4BF720
; 

loc_4BF9A0:				; CODE XREF: MiRemoveWsleList+320j
		cmp	ecx, eax
		jb	loc_4BF886

loc_4BF9A8:				; CODE XREF: MiRemoveWsleList+45Cj
		inc	[ebp+var_18]
		jmp	loc_4BF5F8
; 

loc_4BF9B0:				; CODE XREF: MiRemoveWsleList+32Cj
		cmp	ecx, ds:_PsHalImageBase
		jb	loc_4BF892
		jmp	short loc_4BF9A8
MiRemoveWsleList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeFlushSingleTb	proc near		; CODE XREF: .text:00466289p
					; MiClearPageFileHash+F0p ...

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C456E SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:_HvlEnlightenments
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], cl
		test	al, 4
		jnz	loc_5C44BB

loc_4BF9E5:				; CODE XREF: MiRemoveWsleList+104F66j
					; MiRemoveWsleList+104FF3j
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	ecx, edi
		call	@KxFlushSingleTb@12 ; KxFlushSingleTb(x,x,x)
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

loc_4BF9F7:				; CODE XREF: MiRemoveWsleList+104FFCj
					; MiRemoveWsleList+105009j
		and	edi, 0FFFFF000h
		cmp	ds:_VmTbFlushEnabled, 0
		jnz	loc_5C456E

loc_4BFA0A:				; CODE XREF: KeFlushSingleTb+104BBFj
		cmp	_ExTbFlushActive, 0
		jnz	loc_5C4582

loc_4BFA17:				; CODE XREF: KeFlushSingleTb+104BE3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
KeFlushSingleTb	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KxFlushSingleTb(x,	x, x)
@KxFlushSingleTb@12 proc near		; CODE XREF: KeFlushSingleTb+2Ep

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_24], edx
		lea	edi, [ebp+var_14]
		mov	ebx, ecx
		stosd
		mov	[ebp+var_20], ebx
		mov	[ebp+var_28], ebx
		stosd
		stosd
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		cmp	[ebp+arg_0], 0
		mov	[ebp+var_15], al
		jz	short loc_4BFAB8
		mov	esi, ds:_KeNumberProcessors
		xor	edx, edx
		dec	esi
		lea	ecx, [edx+1]

loc_4BFA63:				; CODE XREF: KxFlushSingleTb(x,x,x)+109j
		test	esi, esi
		jz	short loc_4BFA77
		push	ecx
		lea	eax, [ebp+var_28]
		push	eax
		push	ecx
		push	offset _KiFlushTargetSingleTb@16 ; KiFlushTargetSingleTb(x,x,x,x)
		call	_KiIpiSendFlushAwakePacket@24 ;	KiIpiSendFlushAwakePacket(x,x,x,x,x,x)

loc_4BFA77:				; CODE XREF: KxFlushSingleTb(x,x,x)+45j
		invlpg	byte ptr [ebx]
		test	esi, esi
		jz	short loc_4BFA9C
		mov	eax, large fs:20h
		mov	ecx, [eax+2120h]
		test	ecx, ecx
		jz	short loc_4BFA9C
		mov	edi, edi

loc_4BFA90:				; CODE XREF: KxFlushSingleTb(x,x,x)+7Aj
		pause
		mov	ecx, [eax+2120h]
		test	ecx, ecx
		jnz	short loc_4BFA90

loc_4BFA9C:				; CODE XREF: KxFlushSingleTb(x,x,x)+5Cj
					; KxFlushSingleTb(x,x,x)+6Cj
		mov	cl, [ebp+var_15]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4BFAB8:				; CODE XREF: KxFlushSingleTb(x,x,x)+35j
		mov	edx, large fs:20h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_1C], 0
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, [edx+4]
		mov	ecx, [eax+80h]
		mov	eax, [ecx+58h]
		mov	ebx, [ecx+60h]
		mov	[ebp+var_14], eax
		mov	eax, [ecx+5Ch]
		mov	[ebp+var_10], eax
		mov	eax, [edx+3CCh]
		btr	ebx, eax
		mov	[ebp+var_C], ebx
		lea	edx, [ebp+var_14]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[ebx]
		mov	ebx, [ebp+var_20]
		movzx	esi, cl
		xor	ecx, ecx
		jmp	loc_4BFA63
@KxFlushSingleTb@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockStealUserVm(x, x, x, x, x)
_MiLockStealUserVm@20 proc near		; CODE XREF: MiStealPage+137p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, edx
		push	edi
		mov	[ebp+var_28], eax
		lea	edi, [ebp+var_34]
		mov	[ebp+var_24], eax
		mov	edx, 7FFFFFFFh
		mov	[ebp+var_18], eax
		stosd
		stosd
		stosd
		lea	eax, [ecx+3F9FD000h]
		cmp	eax, 17h
		jbe	loc_4BFE5C
		mov	edi, ecx
		lea	edx, [ebp+var_18]
		shl	edi, 9
		mov	ecx, ebx
		mov	[ebp+var_C], edi
		call	_MiSoftwareWslePfn@8 ; MiSoftwareWslePfn(x,x)
		lea	ecx, [edi+40000000h]
		mov	edx, offset loc_7FFFFF
		cmp	edx, ecx
		sbb	ecx, ecx
		inc	ecx
		mov	[ebp+var_8], ecx
		xor	ecx, ecx
		inc	ecx
		test	eax, eax
		jnz	short loc_4BFB9C
		mov	dword ptr [esi+28h], 3
		mov	[ebp+var_8], ecx

loc_4BFB9C:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+62j
		mov	eax, ebx
		mov	[ebp+var_4], 2
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, ebx
		mov	[ebp+arg_8], eax
		call	MiGetTopLevelPfn
		mov	ecx, eax
		mov	edx, 7FFFFFFFh
		mov	edi, [ecx]
		shr	edi, 1
		and	edi, 0FFFFFFF8h
		or	edi, 80000000h
		lea	eax, [edi+240h]
		mov	[ebp+var_10], eax
		cmp	ecx, ebx
		jz	short loc_4BFBE2
		lea	eax, [ecx+10h]
		lock and [eax],	edx

loc_4BFBE2:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+ACj
		cmp	edi, ds:_PsIdleProcess
		jz	loc_4BFE5C
		mov	eax, [ebx+18h]
		and	eax, offset loc_7FFFFF
		cmp	eax, [ebp+arg_8]
		jnz	short loc_4BFC0B
		test	dword ptr [edi+3A8h], 1000h
		jnz	loc_4BFE5C

loc_4BFC0B:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+CBj
		mov	eax, large fs:124h
		lea	ecx, [ebx+10h]
		mov	[ebp+var_1C], ecx
		mov	eax, [eax+80h]
		cmp	edi, eax
		jz	loc_4BFCCB
		lea	ecx, [ebp+var_34]
		call	_MiTryToAcquireExpansionLockAtDpc@4 ; MiTryToAcquireExpansionLockAtDpc(x)
		test	eax, eax
		jnz	short loc_4BFC41
		mov	eax, [ebp+var_1C]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	loc_4BFE62
; 

loc_4BFC41:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+101j
		lea	edx, [edi+240h]
		mov	ecx, edi
		call	_MiPrepareAttachThread@8 ; MiPrepareAttachThread(x,x)
		mov	[ebp+var_1C], eax
		mov	ecx, 7FFFFFFFh
		lea	eax, [ebx+10h]
		lock and [eax],	ecx
		test	ds:byte_70EFC6,	1
		jz	short loc_4BFC72
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_34]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4BFCA1
; 

loc_4BFC72:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+135j
		mov	eax, [ebp+var_34]
		test	eax, eax
		jnz	short loc_4BFC91
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_34]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_34]
		cmp	eax, ecx
		jz	short loc_4BFCA1
		call	KxWaitForLockChainValid

loc_4BFC91:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+149j
		xor	ecx, ecx
		mov	[ebp+var_34], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_4BFCA1:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+142j
					; MiLockStealUserVm(x,x,x,x,x)+15Cj
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_1C], 0
		jz	loc_4BFE6B
		lea	eax, [edi+240h]
		mov	ecx, edi
		push	0
		lea	edx, [esi+34h]
		mov	[esi+30h], eax
		call	KeForceAttachProcess
		jmp	short loc_4BFCD7
; 

loc_4BFCCB:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+F1j
		lock and [ecx],	edx
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4BFCD7:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+19Bj
		mov	edx, [ebp+var_10]
		lea	edi, [esi+18h]
		xor	eax, eax
		cmp	[ebp+var_8], 0
		stosd
		stosd
		stosd
		stosd
		mov	[esi+18h], edx
		jz	short loc_4BFD10
		or	byte ptr [esi+21h], 1
		mov	edi, offset unk_6D3C40
		mov	al, [edx+60h]
		and	al, 7
		cmp	al, 2
		jz	short loc_4BFD04
		lea	edi, [edx+80h]

loc_4BFD04:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+1CEj
		push	edi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [edi+4], 0
		jmp	short loc_4BFD17
; 

loc_4BFD10:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+1BCj
		mov	ecx, edx
		call	MiLockWorkingSetShared

loc_4BFD17:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+1E0j
		mov	[esi+20h], al
		test	byte ptr [esi+8], 8
		jz	short loc_4BFD3F
		xor	edi, edi

loc_4BFD22:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+228j
					; MiLockStealUserVm(x,x,x,x,x)+23Cj
		cmp	[ebp+var_8], 0
		jz	short loc_4BFD7F
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+var_C]
		call	_MiSmallVaStillMapsFrame@8 ; MiSmallVaStillMapsFrame(x,x)
		test	eax, eax
		jz	short loc_4BFD70
		mov	edx, [ebp+arg_8]
		jmp	loc_4BFDBF
; 

loc_4BFD3F:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+1F0j
		mov	ecx, [ebp+var_C]
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_4BFD70
		mov	ecx, edi
		call	_MiVadPagesTradable@4 ;	MiVadPagesTradable(x)
		test	eax, eax
		jnz	short loc_4BFD22
		mov	ecx, [edi+1Ch]
		and	cl, 70h
		cmp	cl, 40h
		jnz	short loc_4BFD6C
		or	dword ptr [esi+8], 800h
		jmp	short loc_4BFD22
; 

loc_4BFD6C:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+233j
					; MiLockStealUserVm(x,x,x,x,x)+309j ...
		and	[ebp+var_4], 0

loc_4BFD70:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+207j
					; MiLockStealUserVm(x,x,x,x,x)+21Dj ...
		mov	ecx, esi
		call	_MiUnlockStealVm@4 ; MiUnlockStealVm(x)
		mov	eax, [ebp+var_4]
		jmp	loc_4BFE6D
; 

loc_4BFD7F:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+1F8j
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_14]
		mov	ecx, [ebp+var_10]
		and	[ebp+var_14], 0
		push	eax
		call	MiLockLowestValidPageTable
		mov	edx, [ebp+var_14]
		mov	[esi+24h], eax
		cmp	edx, [ebp+arg_4]
		jnz	short loc_4BFD70
		mov	ecx, [edx]
		nop
		mov	edx, [edx+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_4BFD70
		nop
		shrd	ecx, edx, 0Ch
		mov	edx, [ebp+arg_8]
		and	ecx, 1FFFFFFh
		cmp	ecx, edx
		jnz	short loc_4BFD70

loc_4BFDBF:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+20Cj
		cmp	edx, dword_6D07B0
		ja	short loc_4BFD70
		mov	eax, dword_6D35B8
		mov	ecx, edx
		shr	ecx, 5
		and	edx, 1Fh
		mov	eax, [eax+ecx*4]
		mov	ecx, edx
		shr	eax, cl
		xor	ecx, ecx
		inc	ecx
		and	eax, ecx
		jz	short loc_4BFD70
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_4BFD70
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	loc_4BFD70
		test	dword ptr [esi], 800000h
		jz	short loc_4BFE3C
		test	edi, edi
		jz	short loc_4BFE3C
		mov	ecx, [edi+1Ch]
		mov	eax, ecx
		shr	eax, 12h
		and	eax, 3
		cmp	ds:_MiVadPageSizes[eax*4], 10h
		jnz	short loc_4BFE3C
		test	ecx, 100000h
		jz	short loc_4BFE3C
		lea	eax, [esi+4Ch]
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	_MiClusterVadActive@12 ; MiClusterVadActive(x,x,x)
		xor	ebx, ebx
		inc	ebx
		cmp	eax, ebx
		jnz	short loc_4BFE3F
		jmp	loc_4BFD6C
; 

loc_4BFE3C:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+2D2j
					; MiLockStealUserVm(x,x,x,x,x)+2D6j ...
		xor	ebx, ebx
		inc	ebx

loc_4BFE3F:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+307j
		test	dword ptr [esi+8], 800h
		jz	short loc_4BFE58
		mov	ecx, [ebp+arg_4]
		call	_MiRotatedToFrameBuffer@4 ; MiRotatedToFrameBuffer(x)
		test	eax, eax
		jnz	loc_4BFD6C

loc_4BFE58:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+318j
		mov	eax, ebx
		jmp	short loc_4BFE6D
; 

loc_4BFE5C:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+32j
					; MiLockStealUserVm(x,x,x,x,x)+BAj ...
		lea	eax, [ebx+10h]
		lock and [eax],	edx

loc_4BFE62:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+10Ej
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4BFE6B:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+180j
		xor	eax, eax

loc_4BFE6D:				; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+24Cj
					; MiLockStealUserVm(x,x,x,x,x)+32Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiLockStealUserVm@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetTopLevelPfn proc near		; CODE XREF: MiGetPagePrivilege(x,x,x)+EAp
					; MiStoreCheckCandidatePage(x,x,x,x,x)+100p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C45A6 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_14], 0
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	esi, ecx
		sub	ecx, ds:_MmPfnDatabase
		stosd
		mov	[ebp+var_20], esi
		stosd
		stosd
		mov	eax, 92492493h
		mov	edi, [esi+18h]
		imul	ecx
		and	edi, offset loc_7FFFFF
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	edi, eax
		jz	short loc_4BFF1F
		lea	edx, [ebp+var_10]
		sub	edx, 4
		push	ebx

loc_4BFED5:				; CODE XREF: MiGetTopLevelPfn+9Cj
		mov	eax, ds:_MmPfnDatabase
		mov	ebx, edi
		add	edx, 4
		mov	[ebp+var_1C], edx
		lea	ecx, ds:0[ebx*8]
		sub	ecx, ebx
		lea	esi, [eax+ecx*4]
		mov	eax, [ebp+var_14]
		inc	eax
		mov	[ebp+var_14], eax
		cmp	eax, 3
		ja	loc_5C45A6
		mov	[edx], esi
		lea	edi, [esi+10h]
		mov	[ebp+var_18], 0
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4BFF50

loc_4BFF11:				; CODE XREF: MiGetTopLevelPfn+E8j
		mov	edi, [esi+18h]
		and	edi, offset loc_7FFFFF
		cmp	edi, ebx
		jnz	short loc_4BFED5
		pop	ebx

loc_4BFF1F:				; CODE XREF: MiGetTopLevelPfn+4Cj
		xor	ecx, ecx
		mov	edx, 7FFFFFFFh

loc_4BFF26:				; CODE XREF: MiGetTopLevelPfn+BCj
		mov	eax, [ebp+ecx*4+var_10]
		test	eax, eax
		jz	short loc_4BFF3E
		cmp	eax, esi
		jz	short loc_4BFF38
		add	eax, 10h
		lock and [eax],	edx

loc_4BFF38:				; CODE XREF: MiGetTopLevelPfn+B0j
		inc	ecx
		cmp	ecx, 3
		jb	short loc_4BFF26

loc_4BFF3E:				; CODE XREF: MiGetTopLevelPfn+ACj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4BFF50:				; CODE XREF: MiGetTopLevelPfn+8Fj
					; MiGetTopLevelPfn+DCj	...
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_4BFF50
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4BFF50
		mov	edx, [ebp+var_1C]
		jmp	short loc_4BFF11
MiGetTopLevelPfn endp

; 
		align 10h

; __stdcall MiSoftwareWslePfn(x, x)
_MiSoftwareWslePfn@8:			; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+2BAp
					; MiLockStealUserVm(x,x,x,x,x)+45p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+4]
		mov	ebx, edx
		or	edi, 80000000h
		lea	eax, [edi+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_4BFFCF
		xor	esi, esi
		nop

loc_4BFF90:				; CODE XREF: .text:004BFFCDj
		mov	eax, dword_6D2E68[esi*4]
		test	eax, eax
		jz	short loc_4BFFC9
		lea	ecx, [eax+100000h]
		xor	edx, edx

loc_4BFFA3:				; CODE XREF: .text:004BFFC7j
		shr	eax, 9
		shr	ecx, 9
		and	eax, offset loc_7FFFF8
		and	ecx, offset loc_7FFFF8
		sub	eax, 40000000h
		sub	ecx, 40000000h
		cmp	edi, eax
		jnb	short loc_4BFFD8

loc_4BFFC3:				; CODE XREF: .text:004BFFDAj
		inc	edx
		cmp	edx, 1
		jbe	short loc_4BFFA3

loc_4BFFC9:				; CODE XREF: .text:004BFF99j
		inc	esi
		cmp	esi, 2
		jle	short loc_4BFF90

loc_4BFFCF:				; CODE XREF: .text:004BFF8Bj
		pop	edi
		pop	esi
		mov	eax, 8
		pop	ebx
		retn
; 

loc_4BFFD8:				; CODE XREF: .text:004BFFC1j
		cmp	edi, ecx
		jnb	short loc_4BFFC3
		mov	[ebx], edx
		cmp	esi, 2
		jnz	short loc_4C0025

loc_4BFFE3:				; CODE XREF: .text:004C0034j
		cmp	edi, 0C07FFFFFh
		jbe	short loc_4C002B

loc_4BFFEB:				; CODE XREF: .text:004C0036j
		movzx	eax, byte_6D37A0
		and	eax, 7
		sub	edi, dword_6D2E68[eax*4]
		shl	edi, 0Ch

loc_4BFFFF:				; DATA XREF: .text:off_41BECEo
					; .text:0040578Co ...
		cmp	edi, dword_6D07D0
		jb	short loc_4C0020
		shr	edi, 15h
		mov	al, byte ptr dword_6D3994[edi]
		cmp	al, 8
		jz	short loc_4C0038
		cmp	al, 0Ch
		jz	short loc_4C0043
		cmp	al, 3
		jz	short loc_4C0043
		cmp	al, 6
		jz	short loc_4C004E

loc_4C0020:				; CODE XREF: .text:004C0005j
		mov	esi, 8

loc_4C0025:				; CODE XREF: .text:004BFFE1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_4C002B:				; CODE XREF: .text:004BFFE9j
		shl	edi, 9
		cmp	edi, 0C0000000h
		jnb	short loc_4BFFE3
		jmp	short loc_4BFFEB
; 

loc_4C0038:				; CODE XREF: .text:004C0012j
		mov	esi, 2
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
; 
byte_4C0042	db 0C3h			; DATA XREF: .text:loc_404C92w
; 

loc_4C0043:				; CODE XREF: .text:004C0016j
					; .text:004C001Aj
		mov	esi, 4
		pop	edi

loc_4C0049:				; DATA XREF: .text:00401180o
					; .text:004011B8o
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_4C004E:				; CODE XREF: .text:004C001Ej
		mov	esi, 3
		pop	edi

loc_4C0054:				; DATA XREF: .text:005A4D04o
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiTryToAcquireExpansionLockAtDpc(x)
_MiTryToAcquireExpansionLockAtDpc@4 proc near ;	CODE XREF: MiLockStealUserVm(x,x,x,x,x)+FAp
					; MiReferenceOwningSession+45p
		and	dword ptr [ecx], 0
		mov	edx, offset dword_6D3540
		mov	[ecx+4], edx
		call	@KxTryToAcquireQueuedSpinLock@8	; KxTryToAcquireQueuedSpinLock(x,x)
		neg	eax
		sbb	eax, eax
		neg	eax
		retn
_MiTryToAcquireExpansionLockAtDpc@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAttachThreadDone proc	near		; CODE XREF: MiUnlockStealVm(x)+1Fp
					; MiTrimSharedPageFromViews(x,x,x,x,x)+B9Fp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		lea	edx, [ebp+var_10]
		mov	esi, ecx
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [esi+60h]
		mov	[ebp+var_4], ecx
		shr	ecx, 8
		mov	al, cl
		and	cl, 0Fh
		shr	al, 4
		dec	al
		shl	al, 4
		or	al, cl
		mov	byte ptr [ebp+var_4+1],	al
		mov	ax, word ptr [ebp+var_4]
		mov	[esi+60h], ax
		mov	ecx, [esi+38h]
		xor	esi, esi
		inc	esi
		test	ecx, ecx
		jnz	short loc_4C010B

loc_4C00C0:				; CODE XREF: MiAttachThreadDone+A0j
		test	ds:byte_70EFC6,	1
		jnz	loc_5C45BA
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_4C00FC
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	short loc_4C00F4

loc_4C00E7:				; CODE XREF: MiAttachThreadDone+97j
					; MiGetTopLevelPfn+104745j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4C00F4:				; CODE XREF: MiAttachThreadDone+73j
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid

loc_4C00FC:				; CODE XREF: MiAttachThreadDone+60j
		mov	[ebp+var_10], 0
		add	eax, 4
		lock xor [eax],	esi
		jmp	short loc_4C00E7
; 

loc_4C010B:				; CODE XREF: MiAttachThreadDone+4Cj
		mov	edx, esi
		call	KeSignalGate
		jmp	short loc_4C00C0
MiAttachThreadDone endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPrepareAttachThread(x, x)
_MiPrepareAttachThread@8 proc near	; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+11Bp
					; MiTrimSharedPageFromViews(x,x,x,x,x)+14Cp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+0FCh]
		mov	ecx, 0C00h
		push	esi
		mov	esi, edx
		and	eax, ecx
		mov	edx, [esi+60h]
		mov	[ebp+var_4], edx
		cmp	eax, ecx
		jb	short loc_4C0167
		cmp	dword ptr [esi+38h], 0
		jnz	short loc_4C0167
		shr	edx, 8
		mov	al, dl
		and	al, 0F0h
		cmp	al, 0F0h
		jz	short loc_4C0167
		cmp	dword ptr [esi+48h], 4
		jbe	short loc_4C0167
		mov	al, dl
		and	dl, 0Fh
		and	al, 0F0h
		add	al, 10h
		or	al, dl
		mov	byte ptr [ebp+var_4+1],	al
		mov	ax, word ptr [ebp+var_4]
		mov	[esi+60h], ax
		xor	eax, eax
		inc	eax

loc_4C0164:				; CODE XREF: MiPrepareAttachThread(x,x)+55j
		pop	esi
		leave
		retn
; 

loc_4C0167:				; CODE XREF: MiPrepareAttachThread(x,x)+1Ej
					; MiPrepareAttachThread(x,x)+24j ...
		xor	eax, eax
		jmp	short loc_4C0164
_MiPrepareAttachThread@8 endp

; 
		align 10h
; Exported entry 744. IoAllocateMdl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoAllocateMdl
IoAllocateMdl	proc near		; CODE XREF: CcZeroDataInCache+76p
					; MiZeroPageWrite+1CEp	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005C45CA SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		add	esi, 0FFFh
		mov	ebx, edi
		mov	[ebp+var_4], 0
		and	ebx, 0FFFh
		add	esi, ebx
		shr	esi, 0Ch
		cmp	esi, 11h
		ja	loc_4C0252
		mov	eax, large fs:20h
		mov	[ebp+arg_0], eax
		mov	[ebp+var_4], 8
		mov	eax, [eax+5B8h]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		inc	dword ptr [eax+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jnz	short loc_4C01EF
		mov	eax, [ebp+var_8]
		inc	dword ptr [eax+10h]
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+5BCh]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		inc	dword ptr [eax+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	loc_4C026F

loc_4C01EF:				; CODE XREF: IoAllocateMdl+59j
					; IoAllocateMdl+118j
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+3CCh]
		mov	[eax], ecx
		test	eax, eax
		jz	loc_4C028E

loc_4C0202:				; CODE XREF: IoAllocateMdl+FBj
		lea	ecx, ds:1Ch[esi*4]
		mov	dword ptr [eax], 0
		mov	[eax+4], cx
		and	edi, 0FFFFF000h
		mov	ecx, [ebp+arg_4]
		mov	[eax+14h], ecx
		mov	ecx, [ebp+var_4]
		mov	[eax+6], cx
		mov	ecx, [ebp+arg_10]
		mov	[eax+10h], edi
		mov	[eax+18h], ebx
		test	ecx, ecx
		jnz	short loc_4C023C

loc_4C0233:				; CODE XREF: IoAllocateMdl+FDj
					; IoAllocateMdl+10446Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_4C023C:				; CODE XREF: IoAllocateMdl+C1j
		cmp	[ebp+arg_8], 0
		jnz	loc_5C45CA
		pop	edi
		pop	esi
		mov	[ecx+4], eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_4C0252:				; CODE XREF: IoAllocateMdl+2Ej
		lea	eax, ds:1Ch[esi*4]

loc_4C0259:				; CODE XREF: IoAllocateMdl+123j
		push	206C644Dh
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_4C0202
		jmp	short loc_4C0233
; 

loc_4C026F:				; CODE XREF: IoAllocateMdl+79j
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+20h]
		inc	dword ptr [ecx+10h]
		push	eax
		mov	eax, [ecx+24h]
		push	eax
		mov	eax, [ecx+1Ch]
		push	eax
		mov	eax, [ecx+28h]
		call	eax
		test	eax, eax
		jnz	loc_4C01EF

loc_4C028E:				; CODE XREF: IoAllocateMdl+8Cj
		mov	eax, 60h
		jmp	short loc_4C0259
IoAllocateMdl	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCopyHeaderIfResident proc near	; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+161p

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C45E2 SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], edx
		push	edi
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[ebp+var_8], esi

loc_4C02AF:				; CODE XREF: MiCopyHeaderIfResident+104358j
		push	offset dword_6CF3C0
		call	ExAcquireSpinLockExclusive
		mov	esi, [esi+14h]
		mov	bl, al
		test	esi, esi
		jz	short loc_4C02CB
		mov	esi, [esi]
		mov	[ebp+var_24], esi
		test	esi, esi
		jnz	short loc_4C02E0

loc_4C02CB:				; CODE XREF: MiCopyHeaderIfResident+2Aj
		push	offset dword_6CF3C0

loc_4C02D0:				; CODE XREF: MiCopyHeaderIfResident+1B8j
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	edi

loc_4C02D9:				; CODE XREF: MiCopyHeaderIfResident+104388j
		xor	eax, eax

loc_4C02DB:				; CODE XREF: MiCopyHeaderIfResident+19Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4C02E0:				; CODE XREF: MiCopyHeaderIfResident+33j
		lea	eax, [esi+24h]
		push	eax
		mov	[ebp+var_C], eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		push	offset dword_6CF3C0
		test	eax, eax
		jz	loc_5C45E2
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		test	byte ptr [esi+1Ch], 3
		jnz	loc_4C044B
		mov	eax, [esi+54h]
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_4C044B
		and	[ebp+var_8], 0
		lea	ecx, [ebp+var_8]
		and	[ebp+var_4], 0
		push	ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, eax
		call	MiTryLockProtoPoolPageAtDpc
		test	eax, eax
		js	loc_4C044B
		mov	esi, [ebp+var_8]
		mov	al, [esi+16h]
		test	al, 20h
		jnz	loc_5C45FD
		and	al, 0C0h
		cmp	al, 40h
		jnz	loc_5C45FD
		test	[esi+17h], al
		jnz	loc_5C45FD
		mov	ecx, esi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	loc_5C45FD
		mov	ecx, [ebp+var_14]
		and	[ebp+var_1C], eax
		mov	edx, [ecx]
		nop
		mov	ecx, [ecx+4]
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jnz	loc_4C043A
		mov	eax, dword_6D0700
		mov	edi, dword_6D0704
		mov	[ebp+var_14], eax
		or	eax, edi
		mov	[ebp+var_1C], edi
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], ecx
		jz	short loc_4C03C0
		mov	ecx, edx
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	loc_5C45F3
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_1C]
		not	edx
		and	edx, [ebp+var_8]
		not	ecx
		and	ecx, [ebp+var_C]

loc_4C03C0:				; CODE XREF: MiCopyHeaderIfResident+108j
					; MiCopyHeaderIfResident+104362j
		shrd	edx, ecx, 0Ch
		mov	[ebp+var_C], 1
		and	edx, 3FFFFFFh

loc_4C03D1:				; CODE XREF: MiCopyHeaderIfResident+1B3j
		imul	ecx, [ebp+var_10], 1Ch
		mov	eax, ds:_MmPfnDatabase
		add	eax, 10h
		add	ecx, eax
		mov	eax, [ebp+var_24]
		add	eax, 24h
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		lock bts dword ptr [ecx], 1Fh
		jb	short loc_4C0453
		mov	ecx, [ebp+var_10]
		push	4
		push	0
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)
		push	[ebp+var_24]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, 2
		call	edi
		cmp	[ebp+var_C], 1
		jnz	short loc_4C0417
		mov	ecx, esi
		call	MiUpdatePageAttributeStamp

loc_4C0417:				; CODE XREF: MiCopyHeaderIfResident+178j
		mov	ecx, [ebp+var_1C]
		mov	edx, 7FFFFFFFh
		lock and [ecx],	edx
		lea	ecx, [esi+10h]
		lock and [ecx],	edx
		mov	ecx, [ebp+var_4]
		mov	dl, bl
		call	MiUnlockProtoPoolPage
		xor	eax, eax
		inc	eax
		jmp	loc_4C02DB
; 

loc_4C043A:				; CODE XREF: MiCopyHeaderIfResident+E3j
		nop
		shrd	edx, ecx, 0Ch
		and	edx, 1FFFFFFh
		and	[ebp+var_C], 0
		jmp	short loc_4C03D1
; 

loc_4C044B:				; CODE XREF: MiCopyHeaderIfResident+6Cj
					; MiCopyHeaderIfResident+7Aj ...
		push	[ebp+var_C]
		jmp	loc_4C02D0
; 

loc_4C0453:				; CODE XREF: MiCopyHeaderIfResident+15Aj
		push	eax
		jmp	loc_5C4600
MiCopyHeaderIfResident endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFlushDataSection(x, x)
_MiFlushDataSection@8 proc near		; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+E4p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		lea	eax, [ebp-1]
		mov	edi, ecx
		xor	ebx, ebx
		xor	edx, edx
		mov	[ebp+var_1], bl
		push	eax
		inc	edx
		mov	[ebp+var_C], ebx
		mov	ecx, [edi+14h]
		mov	[ebp+var_8], ebx
		mov	[esi], ebx
		call	MiLockSectionControlArea
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_4C0490

loc_4C048B:				; CODE XREF: MiFlushDataSection(x,x)+75j
					; MiFlushDataSection(x,x)+88j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4C0490:				; CODE XREF: MiFlushDataSection(x,x)+2Fj
		cmp	[ecx+34h], ebx
		jnz	short loc_4C04E4
		mov	edx, [ecx+40h]
		mov	eax, [ecx+44h]
		cmp	eax, ebx
		ja	short loc_4C04E4
		cmp	edx, 1
		ja	short loc_4C04E4

loc_4C04A4:				; CODE XREF: MiFlushDataSection(x,x)+90j
		mov	esi, [ecx+30h]
		lea	eax, [ecx+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [edi+14h]
		lea	eax, [ebp+var_C]
		test	esi, esi
		jnz	short loc_4C04D1
		push	1
		push	eax
		push	ecx
		push	ebx
		xor	edx, edx
		call	MmFlushSection
		jmp	short loc_4C048B
; 

loc_4C04D1:				; CODE XREF: MiFlushDataSection(x,x)+67j
		push	eax
		push	ebx
		push	ebx
		push	ebx
		mov	edx, offset _CcFlushForImageSection
		call	_CcFlushCachePriv@24 ; CcFlushCachePriv(x,x,x,x,x,x)
		mov	eax, [ebp+var_C]
		jmp	short loc_4C048B
; 

loc_4C04E4:				; CODE XREF: MiFlushDataSection(x,x)+39j
					; MiFlushDataSection(x,x)+43j ...
		mov	dword ptr [esi], 1
		jmp	short loc_4C04A4
_MiFlushDataSection@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertSubsectionNode(x, x, x)
_MiInsertSubsectionNode@12 proc	near	; CODE XREF: MiAppendSubsectionChain+60p
					; MiCreateDataFileMap+285p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		cmp	[ebp+arg_0], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		lea	esi, [edi+0A4h]
		jnz	loc_4C05E8
		lea	eax, [edi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		mov	eax, [ebp+var_4]

loc_4C051C:				; CODE XREF: MiInsertSubsectionNode(x,x,x)+FEj
		mov	ecx, [esi]
		mov	byte ptr [ebp+var_8], 0
		test	ecx, ecx
		jz	loc_4C05B1
		mov	ax, [eax+10h]
		shr	ax, 6
		movzx	eax, ax
		cdq
		mov	edx, [ebp+var_4]
		mov	[ebp+arg_0], eax
		xor	eax, eax
		or	eax, [edx+14h]
		mov	[ebp+var_C], eax

loc_4C0544:				; CODE XREF: MiInsertSubsectionNode(x,x,x)+BFj
		mov	ax, [ecx-18h]
		shr	ax, 6
		movzx	eax, ax
		cdq
		xor	edx, edx
		mov	[ebp+var_10], eax
		or	edx, [ecx-14h]
		mov	eax, [ecx-10h]
		mov	[ebp+var_14], edx
		xor	edx, edx
		add	eax, [ebp+var_14]
		adc	edx, [ebp+var_10]
		add	eax, 0FFFFFFFFh
		adc	edx, 0FFFFFFFFh
		cmp	word ptr [ecx-16h], 10h
		jb	short loc_4C0579
		add	eax, 1
		adc	edx, 0

loc_4C0579:				; CODE XREF: MiInsertSubsectionNode(x,x,x)+85j
		cmp	[ebp+arg_0], edx
		ja	short loc_4C0596
		mov	edx, [ebp+var_C]
		jb	short loc_4C0587
		cmp	edx, eax
		ja	short loc_4C0596

loc_4C0587:				; CODE XREF: MiInsertSubsectionNode(x,x,x)+95j
		mov	eax, [ebp+var_10]
		cmp	[ebp+arg_0], eax
		ja	short loc_4C0596
		jb	short loc_4C05A3
		cmp	edx, [ebp+var_14]
		jb	short loc_4C05A3

loc_4C0596:				; CODE XREF: MiInsertSubsectionNode(x,x,x)+90j
					; MiInsertSubsectionNode(x,x,x)+99j ...
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_4C05A9
		mov	byte ptr [ebp+var_8], 1
		jmp	short loc_4C05B1
; 

loc_4C05A3:				; CODE XREF: MiInsertSubsectionNode(x,x,x)+A3j
					; MiInsertSubsectionNode(x,x,x)+A8j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_4C05AD

loc_4C05A9:				; CODE XREF: MiInsertSubsectionNode(x,x,x)+AFj
		mov	ecx, eax
		jmp	short loc_4C0544
; 

loc_4C05AD:				; CODE XREF: MiInsertSubsectionNode(x,x,x)+BBj
		mov	byte ptr [ebp+var_8], 0

loc_4C05B1:				; CODE XREF: MiInsertSubsectionNode(x,x,x)+38j
					; MiInsertSubsectionNode(x,x,x)+B5j
		mov	eax, [ebp+var_4]
		add	eax, 28h
		push	eax
		push	[ebp+var_8]
		push	ecx
		push	esi
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		inc	dword ptr [esi+4]
		mov	eax, [ebp+var_4]
		mov	[esi+8], eax
		cmp	bl, 21h
		jz	short loc_4C05E1
		lea	eax, [edi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4C05E1:				; CODE XREF: MiInsertSubsectionNode(x,x,x)+E2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4C05E8:				; CODE XREF: MiInsertSubsectionNode(x,x,x)+1Cj
		mov	bl, 21h
		jmp	loc_4C051C
_MiInsertSubsectionNode@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiLegacyImageArchitecture proc near	; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+59Bp
					; MiVerifyImageHeader+1E8p ...

; FUNCTION CHUNK AT 005C4623 SIZE 00000011 BYTES

		mov	eax, 14Ch
		cmp	cx, ax
		jnz	loc_5C4623

loc_4C05FE:				; CODE XREF: MiLegacyImageArchitecture+10403Bj
		xor	eax, eax
		inc	eax
		retn
MiLegacyImageArchitecture endp


;  S U B	R O U T	I N E 


; __stdcall IoIsDeviceEjectable(x)
_IoIsDeviceEjectable@4 proc near	; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+64Dp
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+74Dp ...
		test	byte ptr [ecx+20h], 4
		setz	al
		bt	_InitWinPEModeType, 1Fh
		setnb	cl
		and	al, cl
		neg	al
		sbb	al, al
		inc	al
		retn
_IoIsDeviceEjectable@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiTradeTransitionPage proc near		; CODE XREF: MiTradePage(x,x)+3DEp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C4634 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		mov	esi, ecx
		mov	al, dl
		push	edi
		xor	edi, edi
		mov	byte ptr [ebp+var_4+3],	al
		lea	ecx, [esi+10h]
		mov	[ebp+var_10], ecx
		cmp	[esi+14h], di
		jnz	loc_4C07B2
		mov	ecx, esi
		call	_MiCanPageMove@4 ; MiCanPageMove(x)
		test	eax, eax
		jz	loc_5C4657
		mov	ecx, esi
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		mov	edx, 7FFFFFFFh
		lea	ecx, [esi+10h]
		lock and [ecx],	edx
		mov	cl, byte ptr [ebp+var_4+3]
		test	eax, eax
		jnz	loc_4C07BC
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		cmp	dword ptr [ebx+0Ch], 0FFFFFFFFh
		mov	[ebp+var_C], eax
		jnz	loc_5C4634
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		mov	cl, byte_6D068C
		mov	edx, [eax+4]
		mov	eax, dword_6D06D0
		and	eax, [ebp+var_C]
		shl	edx, cl
		or	edx, eax
		test	dword ptr [ebx+10h], 3000000h
		mov	eax, 80h
		jnz	loc_5C464D

loc_4C06CE:				; CODE XREF: MiTradeTransitionPage+10402Aj
					; MiTradeTransitionPage+104034j
		push	eax
		mov	ecx, offset _MiSystemPartition
		call	MiGetPage
		mov	[ebp+var_14], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_4C07E9
		imul	eax, 1Ch
		mov	ecx, esi
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_8], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	byte ptr [ebp+var_4+3],	al
		cmp	[ebp+var_8], esi
		jz	loc_4C07EE
		mov	edx, [ebp+var_C]
		cmp	edx, dword_6D07B0
		ja	loc_4C07C9
		mov	eax, dword_6D35B8
		mov	ecx, edx
		shr	ecx, 5
		and	edx, 1Fh
		mov	eax, [eax+ecx*4]
		mov	ecx, edx
		shr	eax, cl
		and	eax, 1
		jz	loc_4C07C9
		mov	ecx, esi
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	loc_4C07C9
		cmp	[esi+14h], di
		jnz	loc_4C07C9
		mov	ecx, esi
		call	_MiCanPageMove@4 ; MiCanPageMove(x)
		test	eax, eax
		jz	short loc_4C07C9
		mov	al, [esi+16h]
		and	al, 7
		sub	al, 2
		cmp	al, 2
		ja	short loc_4C07C6
		push	dword ptr [ebx+8]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	edi
		call	_MiReplaceTransitionPage@16 ; MiReplaceTransitionPage(x,x,x,x)
		mov	edi, [ebp+var_14]

loc_4C0770:				; CODE XREF: MiTradeTransitionPage+1D3j
		mov	eax, ds:_ZeroPte
		lea	ecx, [esi+8]
		mov	[ecx], eax
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebx+14h]
		test	eax, eax
		jz	short loc_4C07A4
		mov	[eax], edi

loc_4C07A4:				; CODE XREF: MiTradeTransitionPage+182j
		push	3
		pop	eax

loc_4C07A7:				; CODE XREF: MiTradeTransitionPage+1A6j
					; MiTradeTransitionPage+1C9j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	10h
; 

loc_4C07B2:				; CODE XREF: MiTradeTransitionPage+2Fj
					; MiTradeTransitionPage+10403Fj
		mov	edx, 7FFFFFFFh
		lock and [ecx],	edx
		mov	cl, al

loc_4C07BC:				; CODE XREF: MiTradeTransitionPage+5Bj
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		jmp	short loc_4C07A7
; 

loc_4C07C6:				; CODE XREF: MiTradeTransitionPage+13Fj
		push	2
		pop	edi

loc_4C07C9:				; CODE XREF: MiTradeTransitionPage+EFj
					; MiTradeTransitionPage+10Cj ...
		mov	eax, [ebp+var_10]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_8]
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		mov	eax, edi
		jmp	short loc_4C07A7
; 

loc_4C07E9:				; CODE XREF: MiTradeTransitionPage+C1j
		xor	eax, eax
		inc	eax
		jmp	short loc_4C07A7
; 

loc_4C07EE:				; CODE XREF: MiTradeTransitionPage+E0j
		or	edi, 0FFFFFFFFh
		jmp	loc_4C0770
MiTradeTransitionPage endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCanPageMove(x)
_MiCanPageMove@4 proc near		; CODE XREF: MiMigratePfn(x,x,x,x)+9Ap
					; MiProbeLeafPteAccess(x,x)+23Bp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		push	edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4C0857
		mov	edi, [ecx+8]
		mov	eax, edi
		mov	edx, [ecx+0Ch]
		and	eax, 400h
		or	eax, 0
		jz	short loc_4C0857
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	esi, dword_6D0704
		or	eax, esi
		jz	short loc_4C083B
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4C083B
		not	esi
		and	edx, esi

loc_4C083B:				; CODE XREF: MiCanPageMove(x)+35j
					; MiCanPageMove(x)+3Fj
		mov	ecx, [edx]
		lea	eax, [ecx+50h]
		cmp	edx, eax
		jz	short loc_4C0857
		test	byte ptr [ecx+1Ch], 20h
		jz	short loc_4C0857
		test	dword ptr [ecx+34h], 20000h
		jz	short loc_4C0857
		xor	eax, eax
		jmp	short loc_4C085A
; 

loc_4C0857:				; CODE XREF: MiCanPageMove(x)+11j
					; MiCanPageMove(x)+23j	...
		xor	eax, eax
		inc	eax

loc_4C085A:				; CODE XREF: MiCanPageMove(x)+5Fj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_MiCanPageMove@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiSetOriginalPtePfnFromFreeList(x)
_MiSetOriginalPtePfnFromFreeList@4 proc	near ; CODE XREF: .text:004494DCp
					; MiGetPage+854p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi]
		mov	eax, edx
		mov	ecx, [esi+4]
		or	eax, ecx
		jnz	short loc_4C0882
		push	eax
		push	80h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[esi], eax
		mov	[esi+4], edx
		pop	esi
		retn
; 

loc_4C0882:				; CODE XREF: MiSetOriginalPtePfnFromFreeList(x)+Ej
		and	edx, 0FFFFFC9Fh
		mov	[esi+4], ecx
		or	edx, 80h
		mov	[esi], edx
		pop	esi
		retn
_MiSetOriginalPtePfnFromFreeList@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreatePrototypePtes proc near		; CODE XREF: MiAddViewsForSection+347p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C4662 SIZE 00000079 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, large fs:124h
		mov	edx, 74536D4Dh
		and	[ebp+var_14], 0
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1C], eax
		mov	ecx, [ebx+0Ch]
		push	edi
		push	0
		mov	edi, [esi]
		shl	ecx, 3
		push	112h
		mov	[ebp+var_8], edi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_5C4662
		mov	edx, [ebx+0Ch]
		xor	ecx, ecx
		inc	ecx
		push	ecx
		push	esi
		mov	ecx, eax
		call	MiInitializePrototypePtes
		xor	eax, eax
		cmp	[edi+20h], eax
		jz	loc_4C0AC8
		lea	edi, [eax+1]

loc_4C0905:				; CODE XREF: MiCreatePrototypePtes+252j
		mov	eax, [ebp+var_8]
		add	eax, 24h
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, esi
		mov	byte ptr [ebp+var_4+3],	al
		call	MiIncrementSubsectionViewCount
		xor	edx, edx
		inc	edx
		cmp	eax, edx
		jz	loc_5C466C
		cmp	edi, edx
		jnz	short loc_4C092E
		or	[esi+10h], dx

loc_4C092E:				; CODE XREF: MiCreatePrototypePtes+92j
		cmp	dword ptr [esi+4], 0
		jnz	loc_4C0B05
		mov	eax, [ebp+var_C]
		mov	ecx, edi
		neg	ecx
		mov	[esi+4], eax
		sbb	ecx, ecx
		add	esi, 28h
		and	ecx, 1Ch
		add	ecx, esi
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)
		mov	esi, [ebp+var_8]
		lea	ecx, [esi+24h]
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		and	[ebp+var_10], eax
		mov	[ebp+var_C], eax

loc_4C096E:				; CODE XREF: MiCreatePrototypePtes+292j
					; MiCreatePrototypePtes+103DF2j
		test	edi, edi
		jz	short loc_4C098B

loc_4C0972:				; CODE XREF: MiCreatePrototypePtes+FBj
					; MiCreatePrototypePtes+22Dj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_4C0B2D

loc_4C097D:				; CODE XREF: MiCreatePrototypePtes+29Fj
		mov	eax, [ebp+var_10]

loc_4C0980:				; CODE XREF: MiCreatePrototypePtes+103DD1j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4C098B:				; CODE XREF: MiCreatePrototypePtes+DAj
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_14], eax
		jnz	short loc_4C0972
		mov	ecx, [esi]
		or	edx, 0FFFFFFFFh
		add	ecx, 1Ch
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], ecx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4C0B4D

loc_4C09B1:				; CODE XREF: MiCreatePrototypePtes+2BFj
		xor	edi, edi
		mov	[ebp+var_18], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4C0ABB
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], esi
		pop	edx
		jb	short loc_4C09EE
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4C0AED

loc_4C09EE:				; CODE XREF: MiCreatePrototypePtes+149j
		cmp	ecx, [ebp+var_30]
		jb	short loc_4C0A00
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4C0AED

loc_4C0A00:				; CODE XREF: MiCreatePrototypePtes+15Bj
					; MiCreatePrototypePtes+26Aj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_4C0B3A
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4C0B9E

loc_4C0A41:				; CODE XREF: MiCreatePrototypePtes+310j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_18], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5C46A0
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4C0A8D:				; CODE XREF: MiCreatePrototypePtes+2ACj
					; MiCreatePrototypePtes+103E1Dj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jnz	loc_4C0B5A

loc_4C0AA4:				; CODE XREF: MiCreatePrototypePtes+2FDj
					; MiCreatePrototypePtes+103E40j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4C0ABB
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_4C0BAB

loc_4C0ABB:				; CODE XREF: MiCreatePrototypePtes+126j
					; MiCreatePrototypePtes+217j ...
		mov	ecx, [ebp+var_1C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_4C0972
; 

loc_4C0AC8:				; CODE XREF: MiCreatePrototypePtes+66j
		inc	eax
		xor	edi, edi
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_1C]
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		mov	ecx, [ecx]
		add	ecx, 1Ch
		call	ExAcquirePushLockExclusiveEx
		jmp	loc_4C0905
; 

loc_4C0AED:				; CODE XREF: MiCreatePrototypePtes+152j
					; MiCreatePrototypePtes+164j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_14], eax
		jmp	loc_4C0A00
; 

loc_4C0B05:				; CODE XREF: MiCreatePrototypePtes+9Cj
		mov	ecx, esi
		call	MiDecrementSubsectionViewCount
		mov	esi, [ebp+var_8]
		lea	ecx, [esi+24h]
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[ebp+var_10], 0C000020Ah
		jmp	loc_4C096E
; 

loc_4C0B2D:				; CODE XREF: MiCreatePrototypePtes+E1j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4C097D
; 

loc_4C0B3A:				; CODE XREF: MiCreatePrototypePtes+193j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4C0A8D
		jmp	loc_5C468D
; 

loc_4C0B4D:				; CODE XREF: MiCreatePrototypePtes+115j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_4C09B1
; 

loc_4C0B5A:				; CODE XREF: MiCreatePrototypePtes+208j
		test	edi, 8000h
		jz	short loc_4C0B6B
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4C0B6B:				; CODE XREF: MiCreatePrototypePtes+2CAj
		test	byte ptr [ebp+var_18+2], 1
		jnz	loc_5C46B8

loc_4C0B75:				; CODE XREF: MiCreatePrototypePtes+103E2Ej
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4C0B89
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4C0B89:				; CODE XREF: MiCreatePrototypePtes+2E6j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4C0AA4
		jmp	loc_5C46C9
; 

loc_4C0B9E:				; CODE XREF: MiCreatePrototypePtes+1A5j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]
		jmp	loc_4C0A41
; 

loc_4C0BAB:				; CODE XREF: MiCreatePrototypePtes+21Fj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4C0ABB
MiCreatePrototypePtes endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiMakeDemandZeroPte(x)
_MiMakeDemandZeroPte@4 proc near	; CODE XREF: MiUpdateLargePageSectionPfns(x,x,x)+40p
					; MiChargeSegmentCommit+105p ...
		and	ecx, 1Fh
		xor	eax, eax
		shld	eax, ecx, 5
		shl	ecx, 5
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		retn
_MiMakeDemandZeroPte@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateControlAreaCommitCount(x, x)
_MiUpdateControlAreaCommitCount@8 proc near ; CODE XREF: MiSetPagesModified(x,x)+356p
					; MiChargeSegmentCommit+17Dp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	eax, edx
		mov	ecx, offset dword_6D5F64
		lock xadd [ecx], eax
		cmp	dword ptr [edi+20h], 0
		jnz	short loc_4C0C1E
		push	ebx
		push	esi
		lea	esi, [edi+24h]
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	ecx, [edi+48h]
		mov	bl, al
		mov	edx, [ebp+var_4]
		add	edx, ecx
		xor	edx, ecx
		and	edx, 0FFFFFh
		xor	edx, ecx
		push	esi
		mov	[edi+48h], edx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebx

loc_4C0C19:				; CODE XREF: MiUpdateControlAreaCommitCount(x,x)+59j
		xor	eax, eax
		pop	edi
		leave
		retn
; 

loc_4C0C1E:				; CODE XREF: MiUpdateControlAreaCommitCount(x,x)+1Bj
		mov	eax, [edi]
		add	[eax+0Ch], edx
		jmp	short loc_4C0C19
_MiUpdateControlAreaCommitCount@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiMakeSubsectionPte(x)
_MiMakeSubsectionPte@4 proc near	; CODE XREF: KiSwitchPriQueue+FCp
					; MiInitializeUnusablePfns(x,x,x,x,x,x,x)+141p	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	ax, [esi+10h]
		and	ax, 3Eh
		or	ax, 40h
		shr	ax, 1
		movzx	eax, ax
		shld	ecx, esi, 1Bh
		cdq
		shl	esi, 1Bh
		or	edx, ecx
		or	eax, esi
		shld	edx, eax, 5
		shl	eax, 5
		push	edx
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		pop	esi
		retn
_MiMakeSubsectionPte@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiEncodeProtoFill proc near		; CODE XREF: MiInitializePrototypePtes+ABp

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C46DB SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		shr	edx, 0Ch
		shr	edi, 9
		mov	ecx, offset unk_6D3840
		and	edi, offset loc_7FFFF8
		xor	esi, esi
		sub	edi, 40000000h
		lea	ebx, [edi+edx*8]
		mov	[ebp+var_8], ebx
		call	MiLockWorkingSetShared
		mov	[ebp+var_1], al
		cmp	edi, ebx
		jnb	short loc_4C0CCB
		mov	ebx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_8]

loc_4C0C9C:				; CODE XREF: MiEncodeProtoFill+5Aj
		test	esi, esi
		jz	short loc_4C0CDE
		test	edi, 0FFFh
		jz	loc_5C46DB

loc_4C0CAC:				; CODE XREF: MiEncodeProtoFill+A7j
		mov	[edi], eax
		mov	[edi+4], ebx
		add	edi, 8
		cmp	edi, ecx
		jb	short loc_4C0C9C
		test	esi, esi
		jz	short loc_4C0CC8
		mov	edx, esi
		mov	ecx, offset unk_6D3840
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4C0CC8:				; CODE XREF: MiEncodeProtoFill+5Ej
		mov	al, [ebp+var_1]

loc_4C0CCB:				; CODE XREF: MiEncodeProtoFill+35j
		mov	dl, al
		mov	ecx, offset unk_6D3840
		call	MiUnlockWorkingSetShared
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4C0CDE:				; CODE XREF: MiEncodeProtoFill+42j
					; MiEncodeProtoFill+103A8Bj
		mov	esi, edi
		mov	ecx, offset unk_6D3840
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		push	0
		mov	edx, esi
		call	MiLockPageTableInternal
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_8]
		jmp	short loc_4C0CAC
MiEncodeProtoFill endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReplaceTransitionPage(x, x, x, x)
_MiReplaceTransitionPage@16 proc near	; CODE XREF: .text:00478D5Cp
					; MiTradeTransitionPage+14Ap ...

var_70		= dword	ptr -70h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		push	ebx
		mov	ebx, ecx
		and	[ebp+var_30], 0
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_18], ebx
		mov	eax, ebx
		mov	[ebp+var_8], edi
		sub	eax, ds:_MmPfnDatabase
		cdq
		push	1Ch
		pop	ecx
		idiv	ecx
		mov	[ebp+var_10], 0FFFFFFh
		mov	[ebp+var_14], eax
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	ecx
		mov	dl, [ebx+16h]
		movzx	ecx, dl
		mov	esi, eax
		and	ecx, 7
		mov	[ebp+var_20], esi
		and	dl, 7
		mov	eax, dword_6D579C[ecx*4]
		mov	[ebp+var_4], eax
		cmp	dl, 3
		jnz	short loc_4C0D93
		mov	eax, [ebx+8]
		and	eax, 400h
		or	eax, 0
		jz	short loc_4C0D93
		mov	edx, [ebx+18h]
		lea	edi, [ebp+var_54]
		xor	eax, eax
		mov	[ebp+var_1C], edx
		push	7
		pop	ecx
		rep stosd
		mov	edi, [ebp+var_8]
		mov	eax, edx
		and	eax, 0F3FFFFFFh
		mov	[ebp+var_3C], eax
		mov	[ebx+18h], eax
		mov	eax, edx
		jmp	short loc_4C0D99
; 

loc_4C0D93:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+5Aj
					; MiReplaceTransitionPage(x,x,x,x)+67j
		mov	eax, [edi+18h]
		mov	[ebp+var_1C], eax

loc_4C0D99:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+8Bj
		shr	eax, 1Ah
		mov	ecx, edi
		and	eax, 3
		mov	[ebp+var_28], eax
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	ecx, edi
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		movzx	edx, byte ptr [ebx+16h]
		neg	eax
		mov	ecx, edi
		sbb	eax, eax
		shr	edx, 6
		and	eax, 4
		mov	[ebp+var_C], eax
		xor	eax, eax
		inc	eax
		push	eax
		call	_MiFinalizePageAttribute@12 ; MiFinalizePageAttribute(x,x,x)
		mov	edx, ebx
		mov	ebx, [ebp+var_8]
		push	ecx
		mov	ecx, ebx
		call	_MiCopyPfnEntryEx@12 ; MiCopyPfnEntryEx(x,x,x)
		xor	eax, eax
		lea	edi, [ebp+var_70]
		push	7
		pop	ecx
		rep stosd
		mov	eax, [ebx+18h]
		mov	edx, offset loc_7FFFFF
		xor	eax, [ebp+var_1C]
		mov	edi, [ebp+var_18]
		and	eax, 0C000000h
		xor	eax, [ebx+18h]
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_58], eax
		mov	[ebx+18h], eax
		mov	eax, [edi+18h]
		and	eax, edx
		cmp	eax, ecx
		jnz	short loc_4C0E15
		mov	eax, [ebx+18h]
		xor	eax, esi
		and	eax, edx
		xor	[ebx+18h], eax

loc_4C0E15:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+103j
		push	6
		push	[ebp+arg_4]
		mov	edx, ecx
		mov	ecx, esi
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)
		xor	edx, edx
		lea	eax, [ebp+var_24]
		mov	[ebp+var_24], edx
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, ds:_KiTbFlushTimeStamp
		lea	ecx, [ebx+10h]
		mov	ebx, [ebp+var_4]
		shl	eax, 17h
		xor	eax, [ecx]
		and	eax, 7800000h
		mov	[ebp+var_1C], ecx
		xor	[ecx], eax
		mov	eax, [ebx+4]
		cmp	eax, 2
		jnz	short loc_4C0EB5
		mov	ecx, edi
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		imul	ebx, eax, 14h
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+arg_4], eax
		add	ebx, offset unk_6D5480
		test	byte ptr [edi+17h], 8
		mov	[ebp+var_4], ebx
		jz	short loc_4C0E7A
		or	eax, 2
		mov	[ebp+arg_4], eax

loc_4C0E7A:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+16Cj
		add	ebx, 10h
		mov	[ebp+var_38], edx
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_34], ebx
		jz	short loc_4C0E9B
		mov	edx, ebx
		lea	ecx, [ebp+var_38]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4C1004
; 

loc_4C0E9B:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+184j
		lea	edx, [ebp+var_38]
		xchg	edx, [ebx]
		test	edx, edx
		jz	loc_4C1004
		lea	ecx, [ebp+var_38]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4C1004
; 

loc_4C0EB5:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+14Aj
		mov	[ebp+var_38], edx
		cmp	eax, 3
		jnz	loc_4C0FD7
		mov	eax, [ebp+var_8]
		mov	eax, [eax+8]
		and	eax, 400h
		or	eax, edx
		jnz	loc_4C0F8C
		add	ebx, 10h
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_34], ebx
		jz	short loc_4C0EEF
		mov	edx, ebx
		lea	ecx, [ebp+var_38]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4C0F00
; 

loc_4C0EEF:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+1DBj
		lea	edx, [ebp+var_38]
		xchg	edx, [ebx]
		test	edx, edx
		jz	short loc_4C0F00
		lea	ecx, [ebp+var_38]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4C0F00:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+1E7j
					; MiReplaceTransitionPage(x,x,x,x)+1F0j
		mov	ecx, [ebp+var_8]
		mov	edx, offset _MiSystemPartition
		call	_MiDetermineModifiedPageListHead@8 ; MiDetermineModifiedPageListHead(x,x)
		mov	[ebp+var_4], eax

loc_4C0F10:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+2ACj
		mov	ebx, [ebp+var_C]

loc_4C0F13:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+2CCj
		mov	[ebp+arg_4], ebx

loc_4C0F16:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+2BEj
					; MiReplaceTransitionPage(x,x,x,x)+2EDj ...
		mov	ebx, [ebp+var_8]
		mov	eax, [edi+10h]
		mov	ecx, [edi]
		and	eax, offset loc_7FFFFF
		mov	[ebp+var_28], ecx
		mov	edx, eax
		mov	[ebx], ecx
		mov	ecx, ebx
		push	0
		mov	[ebp+var_C], eax
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		mov	ecx, [ebp+var_28]
		mov	edx, [ebp+var_10]

loc_4C0F3C:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+331j
		cmp	ecx, offset loc_7FFFFF
		jz	loc_4C104C
		imul	ebx, ecx, 1Ch
		add	ebx, ds:_MmPfnDatabase
		cmp	edx, 0FFFFFFh
		jz	loc_4C103C
		mov	edx, [ebp+arg_4]
		test	dl, 2
		jz	loc_4C103C
		call	_MiIsDecayPfn@4	; MiIsDecayPfn(x)
		cmp	eax, 1
		jnz	loc_4C103C
		mov	eax, [ebx+18h]
		xor	eax, esi
		and	eax, offset loc_7FFFFF
		xor	[ebx+18h], eax
		mov	ebx, [ebp+var_4]
		jmp	loc_4C1055
; 

loc_4C0F8C:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+1C8j
		imul	ebx, [ebp+var_28], 14h
		add	ebx, offset unk_6D56C0
		mov	[ebp+var_4], ebx
		add	ebx, 10h
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_34], ebx
		jz	short loc_4C0FB7

loc_4C0FA8:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+2DEj
		mov	edx, ebx
		lea	ecx, [ebp+var_38]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4C0F10
; 

loc_4C0FB7:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+2A0j
		lea	edx, [ebp+var_38]
		xchg	edx, [ebx]
		mov	ebx, [ebp+var_C]
		mov	[ebp+arg_4], ebx
		test	edx, edx
		jz	loc_4C0F16
		lea	ecx, [ebp+var_38]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4C0F13
; 

loc_4C0FD7:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+1B5j
		add	ebx, 10h
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_34], ebx
		jnz	short loc_4C0FA8
		lea	edx, [ebp+var_38]
		xchg	edx, [ebx]
		mov	ebx, [ebp+var_C]
		mov	[ebp+arg_4], ebx
		test	edx, edx
		jz	loc_4C0F16
		lea	ecx, [ebp+var_38]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		mov	[ebp+arg_4], ebx

loc_4C1004:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+190j
					; MiReplaceTransitionPage(x,x,x,x)+19Cj ...
		mov	edx, [ebp+var_10]
		cmp	edx, 0FFFFFFh
		jz	loc_4C0F16
		mov	eax, [ebp+var_8]
		mov	ebx, [edi+10h]
		mov	ecx, [edi]
		and	ebx, offset loc_7FFFFF
		mov	[ebp+var_C], ebx
		mov	[eax], ecx
		mov	eax, [ebp+var_1C]
		mov	eax, [eax]
		and	eax, 0FF800000h
		or	eax, ebx
		mov	ebx, [ebp+var_1C]
		mov	[ebx], eax
		jmp	loc_4C0F3C
; 

loc_4C103C:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+251j
					; MiReplaceTransitionPage(x,x,x,x)+25Dj ...
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		mov	ebx, [ebp+var_4]
		jmp	short loc_4C1052
; 

loc_4C104C:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+23Cj
		mov	ebx, [ebp+var_4]
		mov	[ebx+0Ch], esi

loc_4C1052:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+344j
		mov	edx, [ebp+arg_4]

loc_4C1055:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+281j
		mov	ecx, [ebp+var_C]
		cmp	ecx, offset loc_7FFFFF
		jz	short loc_4C10A3
		imul	eax, ecx, 1Ch
		add	eax, ds:_MmPfnDatabase
		cmp	[ebp+var_10], 0FFFFFFh
		mov	[ebp+var_C], eax
		jz	short loc_4C109F
		test	dl, 2
		jz	short loc_4C109F
		call	_MiIsDecayPfn@4	; MiIsDecayPfn(x)
		cmp	eax, 1
		mov	eax, [ebp+var_C]
		jnz	short loc_4C109F
		push	dword ptr [eax+0Ch]
		mov	ecx, esi
		push	dword ptr [eax+8]
		call	_MiUpdateTransitionPteFrame@12 ; MiUpdateTransitionPteFrame(x,x,x)
		mov	ecx, [ebp+var_C]
		mov	[ecx+8], eax
		mov	[ecx+0Ch], edx
		jmp	short loc_4C10A6
; 

loc_4C109F:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+36Dj
					; MiReplaceTransitionPage(x,x,x,x)+372j ...
		mov	[eax], esi
		jmp	short loc_4C10A6
; 

loc_4C10A3:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+358j
		mov	[ebx+8], esi

loc_4C10A6:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+397j
					; MiReplaceTransitionPage(x,x,x,x)+39Bj
		cmp	[ebp+var_10], 0FFFFFFh
		jz	short loc_4C10EB
		cmp	[ebp+arg_4], 4
		mov	eax, [ebp+arg_0]
		jnb	short loc_4C10BC
		test	eax, eax
		jz	short loc_4C10EB

loc_4C10BC:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+3B0j
		test	eax, eax
		jnz	short loc_4C10EB
		dec	dword ptr [ebx]
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		mov	eax, offset dword_6D5800
		jnz	short loc_4C10D7
		mov	eax, offset dword_6D5940

loc_4C10D7:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+3CAj
		lock dec dword ptr [eax]
		push	0
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		push	0FFFFFFFFh
		inc	edx
		call	MiDecreaseAvailablePages

loc_4C10EB:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+3A7j
					; MiReplaceTransitionPage(x,x,x,x)+3B4j ...
		xor	eax, eax
		inc	eax
		cmp	dword_6D3034, eax
		jnz	short loc_4C116B
		mov	ecx, [ebp+var_14]
		mov	esi, eax
		mov	eax, dword_6D3068
		shr	ecx, 5
		lea	ebx, [eax+ecx*4]
		mov	ecx, [ebp+var_14]
		and	ecx, 1Fh
		mov	[ebp+arg_0], ecx
		lea	eax, [ecx+1]
		cmp	eax, 20h
		ja	short loc_4C1120
		mov	eax, esi
		shl	eax, cl
		lock or	[ebx], eax
		jmp	short loc_4C116E
; 

loc_4C1120:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+40Fj
		test	ecx, ecx
		jz	short loc_4C1160
		push	20h
		xor	eax, eax
		pop	edx
		sub	edx, ecx
		inc	eax
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [ebp+arg_0]
		dec	eax
		shl	eax, cl
		lock or	[ebx], eax
		xor	esi, esi
		add	ebx, 4
		inc	esi
		sub	esi, edx
		cmp	esi, 20h
		jb	short loc_4C115C
		mov	eax, esi
		shr	eax, 5

loc_4C114B:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+454j
		mov	dword ptr [ebx], 0FFFFFFFFh
		sub	esi, 20h
		add	ebx, 4
		sub	eax, 1
		jnz	short loc_4C114B

loc_4C115C:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+43Ej
		test	esi, esi
		jz	short loc_4C116B

loc_4C1160:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+41Cj
		xor	eax, eax
		mov	ecx, esi
		inc	eax
		shl	eax, cl
		dec	eax
		lock or	[ebx], eax

loc_4C116B:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+3EEj
					; MiReplaceTransitionPage(x,x,x,x)+458j
		xor	esi, esi
		inc	esi

loc_4C116E:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+418j
		test	ds:byte_70EFC6,	1
		jz	short loc_4C1184
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_38]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4C11B0
; 

loc_4C1184:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+46Fj
		mov	eax, [ebp+var_38]
		test	eax, eax
		jnz	short loc_4C11A3
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_38]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_38]
		cmp	eax, ecx
		jz	short loc_4C11B0
		call	KxWaitForLockChainValid

loc_4C11A3:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+483j
		mov	[ebp+var_38], 0
		add	eax, 4
		lock xor [eax],	esi

loc_4C11B0:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+47Cj
					; MiReplaceTransitionPage(x,x,x,x)+496j
		mov	al, [edi+16h]
		xor	ecx, ecx
		and	dword ptr [edi+10h], 0FF800000h
		and	al, 0FDh
		and	[ebp+var_2C], 0
		or	al, 5
		mov	[edi+16h], al
		lea	eax, [ebp+var_2C]
		lock or	[eax], ecx
		mov	eax, ds:_KiTbFlushTimeStamp
		mov	ecx, [edi+18h]
		shl	eax, 17h
		and	ecx, offset loc_7FFFFF
		xor	eax, [edi+10h]
		and	eax, 7800000h
		xor	[edi+10h], eax
		cmp	ecx, [ebp+var_14]
		jnz	short loc_4C11F9
		mov	esi, [edi+4]
		or	esi, 80000000h
		jmp	short loc_4C1217
; 

loc_4C11F9:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+4E6j
		or	[ebp+arg_4], esi
		xor	edx, edx
		push	80000000h
		call	MiMapPageInHyperSpaceWorker
		mov	ecx, [edi+4]
		shr	ecx, 3
		and	ecx, 1FFh
		lea	esi, [eax+ecx*8]

loc_4C1217:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+4F1j
		mov	edi, esi
		mov	[ebp+arg_0], esi
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_20]
		call	_MiUpdateTransitionPteFrame@12 ; MiUpdateTransitionPteFrame(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_28], edx
		mov	[ebp+var_14], ebx

loc_4C1234:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+547j
					; MiReplaceTransitionPage(x,x,x,x)+54Cj
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_10], ecx
		nop
		mov	ecx, [ebp+var_28]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_14]
		cmp	eax, esi
		jnz	short loc_4C1234
		cmp	edx, [ebp+var_10]
		jnz	short loc_4C1234
		mov	edx, [ebp+arg_4]
		mov	edi, [ebp+var_18]
		test	dl, 1
		jz	short loc_4C1279
		mov	ecx, [ebp+arg_0]
		mov	ebx, 80000000h
		push	ebx
		mov	dl, 21h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	esi, [edi+4]
		mov	edx, [ebp+arg_4]
		or	esi, ebx
		jmp	short loc_4C127C
; 

loc_4C1279:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+557j
		mov	esi, [ebp+arg_0]

loc_4C127C:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+571j
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_4C12CE
		cmp	esi, dword_6D07D0
		jb	short loc_4C12CE
		mov	eax, esi
		shr	eax, 15h
		cmp	byte ptr dword_6D3994[eax], 5
		jnz	short loc_4C12CE
		mov	edi, [esi-0Ch]
		xor	esi, esi
		mov	ebx, [ebp+var_20]
		and	ebx, 1FFFFFFh
		shld	esi, ebx, 0Ch
		mov	ecx, [edi+18h]
		mov	eax, [edi+1Ch]
		and	ecx, 0FFFh
		shl	ebx, 0Ch
		and	eax, 0FFFFFFE0h
		or	ebx, ecx
		or	esi, eax
		mov	[edi+18h], ebx
		mov	[edi+1Ch], esi
		mov	edi, [ebp+var_18]

loc_4C12CE:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+57Fj
					; MiReplaceTransitionPage(x,x,x,x)+587j ...
		cmp	edx, 8
		jb	short loc_4C12E3
		mov	ecx, [ebp+var_8]
		mov	edx, 800h
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		mov	edx, [ebp+arg_4]

loc_4C12E3:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+5CBj
		mov	eax, [ebp+var_1C]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		test	dl, 2
		jz	short loc_4C12F7
		and	byte ptr [edi+17h], 0F7h

loc_4C12F7:				; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+5EBj
		and	dword ptr [edi+18h], 0FFFFFFFh
		and	byte ptr [edi+16h], 0C7h
		and	byte ptr [edi+17h], 0DFh
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiReplaceTransitionPage@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateTransitionPteFrame(x, x, x)
_MiUpdateTransitionPteFrame@12 proc near ; CODE	XREF: MiMigratePfn(x,x,x,x)+3DEp
					; MiReplaceTransitionPage(x,x,x,x)+389p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, dword_6D0700
		mov	ebx, ecx
		mov	ecx, dword_6D0704
		mov	eax, esi
		or	eax, ecx
		push	edi
		mov	edi, [ebp+arg_4]
		jz	short loc_4C1342
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4C136C
		not	esi
		not	ecx
		and	edx, esi
		and	edi, ecx

loc_4C1342:				; CODE XREF: MiUpdateTransitionPteFrame(x,x,x)+20j
					; MiUpdateTransitionPteFrame(x,x,x)+61j
		and	ebx, 3FFFFFFh
		xor	eax, eax
		shld	eax, ebx, 0Ch
		and	edi, 0FFFFFFC0h
		and	edx, 0FFFh
		shl	ebx, 0Ch
		or	eax, edi
		or	ebx, edx
		push	eax
		push	ebx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_4C136C:				; CODE XREF: MiUpdateTransitionPteFrame(x,x,x)+2Aj
		and	edx, 0FFFFFFEFh
		jmp	short loc_4C1342
_MiUpdateTransitionPteFrame@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCopyPfnEntryEx(x,	x, x)
_MiCopyPfnEntryEx@12 proc near		; CODE XREF: MiMigratePfn(x,x,x,x)+38Ap
					; MiStealPage+384p ...

var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_1C]
		mov	esi, edx
		push	7
		pop	ecx
		mov	al, [ebx+17h]
		rep movsd
		mov	edx, [ebp+var_8]
		and	al, 40h
		mov	ecx, [ebp+var_4]
		shr	edx, 18h
		and	dl, 3Fh
		or	dl, al
		mov	eax, ecx
		and	eax, 70000000h
		mov	byte ptr [ebp+var_8+3],	dl
		cmp	eax, 30000000h
		jz	short loc_4C13EB

loc_4C13AD:				; CODE XREF: MiCopyPfnEntryEx(x,x,x)+82j
		mov	cl, [ebx+16h]
		mov	al, byte ptr [ebp+var_8+2]
		and	cl, 0C0h
		and	al, 3Fh
		or	cl, al
		mov	byte ptr [ebp+var_8+2],	cl
		mov	al, byte ptr [ebp+var_8+2]
		and	al, 7
		cmp	al, 6
		jnz	short loc_4C13D7

loc_4C13C6:				; CODE XREF: MiCopyPfnEntryEx(x,x,x)+77j
		push	7
		pop	ecx
		mov	edi, ebx
		lea	esi, [ebp+var_1C]
		rep movsd
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4C13D7:				; CODE XREF: MiCopyPfnEntryEx(x,x,x)+52j
		mov	edx, [ebp+var_C]
		mov	eax, [ebx+10h]
		xor	eax, edx
		and	eax, 7800000h
		xor	edx, eax
		mov	[ebp+var_C], edx
		jmp	short loc_4C13C6
; 

loc_4C13EB:				; CODE XREF: MiCopyPfnEntryEx(x,x,x)+39j
		and	ecx, 8FFFFFFFh
		mov	[ebp+var_4], ecx
		jmp	short loc_4C13AD
_MiCopyPfnEntryEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReleaseImageSection(x, x,	x)
_MiReleaseImageSection@12 proc near	; CODE XREF: MiCreateNewSection(x,x)+60Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+14h]
		push	ebx
		push	esi
		push	edi
		lea	esi, [edx+24h]
		mov	[ebp+var_4], edx
		add	eax, 8
		push	esi
		mov	[ebp+var_8], eax
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		mov	eax, [ebp+var_4]
		push	esi
		mov	edi, [eax+2Ch]
		and	dword ptr [eax+2Ch], 0
		and	dword ptr [eax+1Ch], 0FFFFFFFDh
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_8]
		call	KeAbPostRelease
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiReleaseImageSection@12 endp


;  S U B	R O U T	I N E 


; __stdcall IopFreeIrpAndMdls(x)
_IopFreeIrpAndMdls@4 proc near		; CODE XREF: .text:005246FAp
		mov	edi, edi
		push	edi
		mov	edi, ecx
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_4C1460
		push	esi

loc_4C1451:				; CODE XREF: IopFreeIrpAndMdls(x)+19j
		mov	esi, [eax]
		push	eax
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_4C1451
		pop	esi

loc_4C1460:				; CODE XREF: IopFreeIrpAndMdls(x)+Aj
		push	edi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		pop	edi
		retn
_IopFreeIrpAndMdls@4 endp

; 
		align 10h
; Exported entry 834. IoFreeMdl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoFreeMdl(x)
		public _IoFreeMdl@4
_IoFreeMdl@4	proc near		; CODE XREF: IopFreeIrpAndMdls(x)+10p
					; CcZeroDataInCache+FFp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		movzx	eax, word ptr [esi+6]
		mov	ecx, eax
		test	al, 20h
		jnz	short loc_4C14C4

loc_4C1483:				; CODE XREF: IoFreeMdl(x)+62j
		test	cl, 8
		jz	short loc_4C14D4
		mov	edx, large fs:20h
		mov	ecx, [edx+5B8h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_4C14B8
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5BCh]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	short loc_4C14E1

loc_4C14B8:				; CODE XREF: IoFreeMdl(x)+30j
		mov	edx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		pop	esi
		pop	ebp
		retn	4
; 

loc_4C14C4:				; CODE XREF: IoFreeMdl(x)+11j
		mov	eax, [esi+0Ch]
		push	esi
		push	eax
		call	MmUnmapLockedPages
		movzx	ecx, word ptr [esi+6]
		jmp	short loc_4C1483
; 

loc_4C14D4:				; CODE XREF: IoFreeMdl(x)+16j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebp
		retn	4
; 

loc_4C14E1:				; CODE XREF: IoFreeMdl(x)+46j
		mov	eax, [ecx+2Ch]
		inc	dword ptr [ecx+18h]
		push	esi
		call	eax
		pop	esi
		pop	ebp
		retn	4
_IoFreeMdl@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiGetLargePage(x, x, x, x, x, x)
_MiGetLargePage@24 proc	near		; CODE XREF: MiResolvePrivateZeroFault(x)+2A1p
					; MiGetPageChain(x,x,x,x,x,x,x)+1D6p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 0C0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		mov	eax, [ebx+8]
		push	esi
		mov	esi, [ebx+0Ch]
		push	edi
		mov	edi, [ebx+10h]
		mov	[ebp-0B4h], eax
		mov	eax, [ebx+14h]
		push	90h		; size_t
		mov	[ebp-0BCh], eax
		lea	eax, [ebp-98h]
		push	0		; int
		push	eax		; void *
		mov	[ebp-0A0h], edx
		mov	[ebp-0ACh], ecx
		mov	[ebp-0A8h], esi
		call	_memset
		mov	cl, byte_6D068C
		add	esp, 0Ch
		mov	eax, [ebp-0ACh]
		shr	esi, cl
		lea	ecx, [esi+esi*4]
		shl	ecx, 7
		add	ecx, [eax+10h]
		mov	[ebp-0B8h], ecx
		cmp	dword ptr [ecx+1DCh], 0
		jnz	short loc_4C1589
		test	byte ptr ds:_MiFlags, 30h
		jnz	short loc_4C15DC

loc_4C1589:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+8Ej
		or	edi, 20h
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebp-99h], al
		mov	eax, [ebp-0A0h]
		inc	eax
		nop

loc_4C15A0:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+EAj
		push	dword ptr [ebp-0B4h]
		mov	ecx, [ebp-0ACh]
		dec	eax
		push	1
		push	dword ptr [ebp-0A8h]
		mov	edx, eax
		mov	[ebp-0B0h], eax
		push	esi
		push	edi
		push	1
		call	_MiGetFreeZeroLargePages@32 ; MiGetFreeZeroLargePages(x,x,x,x,x,x,x,x)
		mov	edx, eax
		mov	[ebp-0A4h], edx
		test	edx, edx
		jnz	short loc_4C15E3
		mov	eax, [ebp-0B0h]
		test	eax, eax
		jnz	short loc_4C15A0

loc_4C15DC:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+97j
		xor	eax, eax
		jmp	loc_4C178D
; 

loc_4C15E3:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+E0j
		mov	ecx, edx
		call	_MiIsFreshPfnFromZeroedList@4 ;	MiIsFreshPfnFromZeroedList(x)
		mov	ecx, [ebp-0A0h]
		mov	[ebp-0A8h], eax
		mov	eax, [ebp-0B0h]
		cmp	eax, ecx
		jz	short loc_4C1652
		push	edx
		push	ecx
		mov	ecx, [ebp-0B8h]
		push	eax
		call	_MiInsertDemotedPages@20 ; MiInsertDemotedPages(x,x,x,x,x)
		mov	edi, [ebp-0A4h]
		mov	dword ptr [ebp-0B8h], 0
		lea	esi, [edi+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4C1648
		jmp	short loc_4C1630
; 
		align 10h

loc_4C1630:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+138j
					; MiGetLargePage(x,x,x,x,x,x)+14Fj ...
		lea	ecx, [ebp-0B8h]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4C1630
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4C1630

loc_4C1648:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+136j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		jmp	short loc_4C1664
; 

loc_4C1652:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+10Ej
		mov	ecx, [ebp-0ACh]
		push	esi
		call	_MiLargePageMovesComplete@8 ; MiLargePageMovesComplete(x,x)
		mov	edi, [ebp-0A4h]

loc_4C1664:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+160j
		mov	cl, [ebp-99h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	dword ptr [ebp-0A8h], 0
		mov	[ebp-0A4h], ecx
		jz	short loc_4C16C8
		test	byte ptr ds:_MiFlags, 80h
		jz	short loc_4C16C8
		mov	eax, dword_6D30F0
		inc	eax
		mov	dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	short loc_4C16C8
		mov	edx, [ebp-0A0h]
		mov	edx, ds:_MiLargePageSizes[edx*4]
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)

loc_4C16C8:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+1A8j
					; MiGetLargePage(x,x,x,x,x,x)+1B1j ...
		mov	ecx, edi
		lea	esi, [ebp-98h]
		call	_MiIsFreeZeroPfnCold@4 ; MiIsFreeZeroPfnCold(x)
		test	eax, eax
		jz	short loc_4C173A
		test	ds:_HvlEnlightenments, 200000h
		jz	short loc_4C173A
		mov	eax, [ebp-0BCh]
		test	eax, eax
		jz	short loc_4C16F3
		mov	esi, eax
		jmp	short loc_4C1707
; 

loc_4C16F3:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+1FDj
		mov	dword ptr [ebp-98h], 1
		mov	dword ptr [ebp-90h], 10h

loc_4C1707:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+201j
		push	dword ptr [ebp-0A0h]
		mov	edx, [ebp-0A4h]
		mov	ecx, esi
		call	_MiAddPageToHeatList@12	; MiAddPageToHeatList(x,x,x)
		cmp	dword ptr [esi+4], 0
		jz	short loc_4C1731
		lea	eax, [ebp-98h]
		cmp	esi, eax
		jnz	short loc_4C1731
		mov	ecx, esi
		call	_MiNotifyPageHeat@4 ; MiNotifyPageHeat(x)

loc_4C1731:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+22Ej
					; MiGetLargePage(x,x,x,x,x,x)+238j
		xor	edx, edx
		mov	ecx, edi
		call	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)

loc_4C173A:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+1E7j
					; MiGetLargePage(x,x,x,x,x,x)+1F3j
		cmp	dword ptr [ebp-0A8h], 0
		jnz	short loc_4C178B
		cmp	dword ptr [esi+4], 0
		jz	short loc_4C1750
		mov	ecx, esi
		call	_MiNotifyPageHeat@4 ; MiNotifyPageHeat(x)

loc_4C1750:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+257j
		cmp	dword ptr [ebp-0B0h], 2
		push	dword ptr [ebp-0B4h]
		jnz	short loc_4C176E
		mov	ecx, [ebp-0A4h]
		xor	edx, edx
		call	MiZeroPhysicalPage
		jmp	short loc_4C177B
; 

loc_4C176E:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+26Dj
		mov	edx, [ebp-0A0h]
		mov	ecx, edi
		call	MiZeroLargePage

loc_4C177B:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+27Cj
		mov	eax, ds:_ZeroPte
		mov	[edi+8], eax
		mov	eax, ds:dword_40F9FC
		mov	[edi+0Ch], eax

loc_4C178B:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+251j
		mov	eax, edi

loc_4C178D:				; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+EEj
		mov	ecx, [ebp-4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	10h
_MiGetLargePage@24 endp	; sp =	4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiZeroAndConvertPage(x, x, x, x)
_MiZeroAndConvertPage@16 proc near	; CODE XREF: MiZeroInParallelWorker(x)+145p
					; MiInitializeMdlOneNodeBatchPages+F9138p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+20h+var_8], edx
		mov	eax, edi
		xor	ebx, ebx
		sub	eax, ds:_MmPfnDatabase
		inc	ebx
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	[esp+20h+var_C], eax
		test	[ebp+arg_4], bl
		jnz	short loc_4C17E1
		test	[ebp+arg_4], 2
		jz	short loc_4C17E5
		mov	ecx, edi
		call	_MiIsFreshPfnFromZeroedList@4 ;	MiIsFreshPfnFromZeroedList(x)
		test	eax, eax
		jnz	short loc_4C17E5

loc_4C17E1:				; CODE XREF: MiZeroAndConvertPage(x,x,x,x)+2Cj
		mov	ecx, ebx
		jmp	short loc_4C17E7
; 

loc_4C17E5:				; CODE XREF: MiZeroAndConvertPage(x,x,x,x)+32j
					; MiZeroAndConvertPage(x,x,x,x)+3Dj
		xor	ecx, ecx

loc_4C17E7:				; CODE XREF: MiZeroAndConvertPage(x,x,x,x)+41j
		movzx	eax, byte ptr [edi+16h]
		xor	edx, edx
		mov	esi, [ebp+arg_0]
		shr	eax, 6
		cmp	eax, esi
		mov	[esp+20h+var_4], eax
		mov	eax, [esp+20h+var_8]
		setnz	dl
		cmp	eax, 2
		jz	short loc_4C180C
		mov	ebx, ds:_MiLargePageSizes[eax*4]

loc_4C180C:				; CODE XREF: MiZeroAndConvertPage(x,x,x,x)+61j
		mov	eax, edx
		test	ecx, ecx
		jz	short loc_4C1863
		mov	eax, [esp+20h+var_4]
		mov	[esp+20h+var_10], edx
		cmp	eax, esi
		jz	short loc_4C183F
		lea	eax, [esi+eax*4]
		mov	[esp+20h+var_10], edx
		cmp	dword_6D074C[eax*4], esi
		jnz	short loc_4C183F
		mov	ecx, [esp+20h+var_C]
		mov	edx, ebx
		push	esi
		call	_MiChangePageAttributeContiguous@12 ; MiChangePageAttributeContiguous(x,x,x)
		and	[esp+20h+var_10], 0

loc_4C183F:				; CODE XREF: MiZeroAndConvertPage(x,x,x,x)+7Aj
					; MiZeroAndConvertPage(x,x,x,x)+8Aj
		mov	eax, [esp+20h+var_8]
		push	esi
		cmp	eax, 2
		jnz	short loc_4C1856
		mov	ecx, [esp+24h+var_C]
		xor	edx, edx
		call	MiZeroPhysicalPage
		jmp	short loc_4C185F
; 

loc_4C1856:				; CODE XREF: MiZeroAndConvertPage(x,x,x,x)+A5j
		mov	edx, eax
		mov	ecx, edi
		call	MiZeroLargePage

loc_4C185F:				; CODE XREF: MiZeroAndConvertPage(x,x,x,x)+B2j
		mov	eax, [esp+20h+var_10]

loc_4C1863:				; CODE XREF: MiZeroAndConvertPage(x,x,x,x)+6Ej
		test	eax, eax
		jz	short loc_4C1873
		mov	ecx, [esp+20h+var_C]
		mov	edx, ebx
		push	esi
		call	_MiChangePageAttributeContiguous@12 ; MiChangePageAttributeContiguous(x,x,x)

loc_4C1873:				; CODE XREF: MiZeroAndConvertPage(x,x,x,x)+C3j
		mov	eax, ds:_ZeroPte
		mov	[edi+8], eax
		mov	eax, ds:dword_40F9FC
		mov	[edi+0Ch], eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_MiZeroAndConvertPage@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiZeroLargePage	proc near		; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+286p
					; MiZeroAndConvertPage(x,x,x,x)+B8p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C46EC SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	edi, ds:_MiLargePageSizes[edx*4]
		mov	eax, ebx
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	[esp+28h+var_C], eax
		cmp	eax, dword_6D07B0
		ja	loc_5C46EC
		mov	edx, eax
		mov	ecx, eax
		mov	eax, dword_6D35B8
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_5C46EC
		push	4
		mov	edx, ebx
		pop	ecx
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		mov	esi, eax

loc_4C18EA:				; CODE XREF: MiZeroLargePage+102E63j
		mov	ecx, edi
		call	_MiReserveLowPrioritySystemPtes@4 ; MiReserveLowPrioritySystemPtes(x)
		mov	ebx, eax
		mov	[esp+28h+var_4], ebx
		test	ebx, ebx
		jz	loc_5C46F4
		or	esi, 0A0000000h
		mov	ecx, ebx
		push	esi
		mov	esi, [esp+2Ch+var_C]
		mov	edx, esi
		call	MiMakeValidPte
		xor	ecx, ecx
		mov	[esp+28h+var_14], edx
		mov	[esp+28h+var_8], ecx
		test	edi, edi
		jz	short loc_4C1998
		mov	[esp+28h+var_10], ebx

loc_4C1925:				; CODE XREF: MiZeroLargePage+106j
		and	[esp+28h+var_18], 0
		lea	edx, [esi+ecx]
		mov	ecx, [esp+28h+var_14]
		and	edx, 1FFFFFFh
		xor	esi, esi
		and	eax, 0FFFh
		shld	esi, edx, 0Ch
		and	ecx, 0FFFFFFE0h
		shl	edx, 0Ch
		or	edx, eax
		mov	eax, esi
		or	eax, ecx
		mov	[esp+28h+var_10], edx
		mov	esi, edx
		mov	[esp+28h+var_14], eax
		mov	ecx, ebx
		mov	edx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	short loc_4C19BE

loc_4C1965:				; CODE XREF: MiZeroLargePage+186j
		mov	eax, [esp+28h+var_18]

loc_4C1969:				; CODE XREF: MiZeroLargePage+149j
					; MiZeroLargePage+15Bj	...
		mov	[ebx+4], edx
		nop
		mov	[ebx], esi
		test	eax, eax
		jz	short loc_4C197C
		push	edx
		push	esi
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_4C197C:				; CODE XREF: MiZeroLargePage+E5j
		mov	ecx, [esp+28h+var_8]
		add	ebx, 8
		mov	esi, [esp+28h+var_C]
		inc	ecx
		mov	eax, [esp+28h+var_10]
		mov	[esp+28h+var_8], ecx
		cmp	ecx, edi
		jb	short loc_4C1925
		mov	ebx, [esp+28h+var_4]

loc_4C1998:				; CODE XREF: MiZeroLargePage+93j
		mov	edx, edi
		mov	ecx, ebx
		shl	edx, 0Ch
		shl	ecx, 9
		call	_KeZeroPages	; KiZeroPages(x,x)
		push	edi
		mov	edx, ebx
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_4C19B5:				; CODE XREF: MiZeroLargePage+102E6Cj
					; MiZeroLargePage+102E88j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4C19BE:				; CODE XREF: MiZeroLargePage+D7j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_4C19FA
		xor	eax, eax
		inc	eax
		cmp	byte ptr word_6D07B8+1,	0
		mov	[esp+28h+var_18], eax
		jnz	short loc_4C1969

loc_4C19D7:				; CODE XREF: MiZeroLargePage+184j
		mov	ecx, [esp+28h+var_10]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		mov	eax, [esp+28h+var_18]
		jz	short loc_4C1969
		mov	edx, [esp+28h+var_14]
		mov	esi, ecx
		or	edx, 80000000h
		jmp	loc_4C1969
; 

loc_4C19FA:				; CODE XREF: MiZeroLargePage+139j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_4C19D7
		jmp	loc_4C1965
MiZeroLargePage	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockCode(x, x, x,	x)
_MiLockCode@16	proc near		; CODE XREF: MiLockImageSection(x,x,x,x)+4Cp
					; MmResetDriverPaging(x)+8Ep ...

var_E2		= byte ptr -0E2h
var_E1		= byte ptr -0E1h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D6		= byte ptr -0D6h
var_D5		= byte ptr -0D5h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0E4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0E4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [esp+0F4h+var_A0]
		mov	ebx, edx
		mov	edi, ecx
		mov	[esp+0F4h+var_C4], ebx
		push	0		; int
		push	eax		; void *
		mov	[esp+0FCh+var_C0], edi
		call	_memset
		mov	esi, ebx
		add	esp, 0Ch
		shl	esi, 9
		mov	ecx, esi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	loc_4C2037
		xor	ecx, ecx
		xor	edx, edx
		inc	ecx
		mov	ebx, edx
		mov	[esp+0F0h+var_E1], cl
		mov	[esp+0F0h+var_BC], ebx
		cmp	esi, dword_6D07D0
		jb	short loc_4C1AC7
		shr	esi, 15h
		mov	al, byte ptr dword_6D3994[esi]
		cmp	al, cl
		jz	short loc_4C1A9E
		cmp	al, 0Bh
		jz	short loc_4C1A9E
		cmp	al, 6
		jnz	short loc_4C1AC7
		mov	esi, offset unk_6D3840
		jmp	short loc_4C1ACC
; 

loc_4C1A9E:				; CODE XREF: MiLockCode(x,x,x,x)+75j
					; MiLockCode(x,x,x,x)+79j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [eax+180h]
		mov	[esp+0F0h+var_C8], ecx
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		push	2
		pop	ebx
		xor	ecx, ecx
		mov	[esp+0ECh+var_B8], ebx
		mov	esi, eax
		inc	ecx
		jmp	short loc_4C1AD0
; 

loc_4C1AC7:				; CODE XREF: MiLockCode(x,x,x,x)+68j
					; MiLockCode(x,x,x,x)+7Dj
		mov	esi, offset unk_6D3740

loc_4C1ACC:				; CODE XREF: MiLockCode(x,x,x,x)+84j
		mov	[esp+0F0h+var_C8], edx

loc_4C1AD0:				; CODE XREF: MiLockCode(x,x,x,x)+ADj
		mov	[esp+0F0h+var_D6], dl
		test	edi, edi
		jz	short loc_4C1AF2
		cmp	ebx, 2
		jnz	short loc_4C1AF2
		test	dword ptr [edi+34h], 8000000h
		jnz	short loc_4C1AF2
		test	ds:byte_7051AC,	cl
		jz	short loc_4C1AF2
		mov	[esp+0F0h+var_D6], cl

loc_4C1AF2:				; CODE XREF: MiLockCode(x,x,x,x)+BEj
					; MiLockCode(x,x,x,x)+C3j ...
		mov	edx, [ebp+arg_0]
		mov	ecx, [esp+0F0h+var_C4]
		call	_MiPrefetchDriverPages@8 ; MiPrefetchDriverPages(x,x)
		mov	eax, [esp+0F0h+var_C4]
		or	edi, 0FFFFFFFFh
		mov	[esp+0F0h+var_DC], eax
		mov	ecx, esi
		xor	eax, eax
		mov	[esp+0F0h+var_A0], ebx
		mov	ebx, eax
		mov	[esp+0F0h+var_D4], edi
		mov	[esp+0F0h+var_9C], ax
		mov	[esp+0F0h+var_90], eax
		mov	[esp+0F0h+var_98], 21h
		mov	[esp+0F0h+var_8C], eax
		mov	[esp+0F0h+var_E0], ebx
		call	MiLockWorkingSetShared
		mov	[esp+0F0h+var_E2], al
		mov	eax, [esp+0F0h+var_DC]

loc_4C1B3D:				; CODE XREF: MiLockCode(x,x,x,x)+5C1j
		test	ebx, ebx
		jz	short loc_4C1B5E
		test	eax, 0FFFh
		jnz	short loc_4C1B82
		lea	ecx, [esp+0F0h+var_A0]
		call	MiFlushTbList
		mov	edx, ebx
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	eax, [esp+0F0h+var_DC]

loc_4C1B5E:				; CODE XREF: MiLockCode(x,x,x,x)+127j
		mov	ebx, eax
		mov	ecx, esi
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		sub	ebx, 40000000h
		push	0
		mov	edx, ebx
		mov	[esp+0F4h+var_E0], ebx
		call	MiLockPageTableInternal
		mov	eax, [esp+0F0h+var_DC]

loc_4C1B82:				; CODE XREF: MiLockCode(x,x,x,x)+12Ej
		mov	edi, [eax]
		nop
		mov	ecx, [eax+4]
		mov	edx, eax
		mov	eax, edi
		shl	edx, 9
		and	eax, 1
		mov	[esp+0F0h+var_D0], edx
		or	eax, 0
		jnz	short loc_4C1BE1
		lea	ecx, [esp+0F0h+var_A0]
		call	MiFlushTbList
		mov	edx, ebx
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [esp+0F0h+var_E2]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	ebx, [esp+0F0h+var_D0]
		xor	eax, eax
		push	eax
		push	eax
		push	ebx
		push	eax
		call	MmAccessFault
		test	eax, eax
		js	loc_4C2050

loc_4C1BCF:				; CODE XREF: MiLockCode(x,x,x,x)+237j
					; MiLockCode(x,x,x,x)+28Dj
		xor	ebx, ebx
		mov	ecx, esi
		mov	[esp+0F0h+var_E0], ebx
		call	MiLockWorkingSetShared
		jmp	loc_4C1FC1
; 

loc_4C1BE1:				; CODE XREF: MiLockCode(x,x,x,x)+181j
		nop
		mov	eax, edi
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		imul	ebx, eax, 1Ch
		mov	[esp+0F0h+var_CC], eax
		add	ebx, ds:_MmPfnDatabase
		test	dword ptr [ebx+18h], 800000h
		jnz	short loc_4C1C54
		mov	eax, [ebx+4]
		test	eax, eax
		js	short loc_4C1C54
		jz	short loc_4C1C54
		lea	ecx, [esp+0F0h+var_A0]
		call	MiFlushTbList
		mov	edx, [esp+0F0h+var_DC]
		mov	ecx, [esp+0F0h+var_D0]
		push	0
		push	0FFFFFFFFh
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	loc_4C1FBD
		mov	edx, [esp+0F0h+var_E0]
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [esp+0F0h+var_E2]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	edx, edi
		mov	ecx, esi
		call	MiCopyOnWriteCheckConditions
		jmp	loc_4C1BCF
; 

loc_4C1C54:				; CODE XREF: MiLockCode(x,x,x,x)+1E9j
					; MiLockCode(x,x,x,x)+1F0j ...
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4C1CAA
		xor	eax, eax
		inc	eax
		cmp	[esp+0F0h+var_C8], 0
		jz	short loc_4C1C6F
		cmp	[esp+0F0h+var_D6], al
		jnz	short loc_4C1CAA

loc_4C1C6F:				; CODE XREF: MiLockCode(x,x,x,x)+24Fj
		test	[ebp+arg_4], al
		jz	short loc_4C1CAA
		lea	ecx, [esp+0F0h+var_A0]
		call	MiFlushTbList
		mov	edx, [esp+0F0h+var_E0]
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [esp+0F0h+var_E2]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		push	0

loc_4C1C95:				; CODE XREF: MiLockCode(x,x,x,x)+2CCj
		push	[ebp+arg_0]
		mov	edx, [esp+0F8h+var_DC]
		mov	ecx, [esp+0F8h+var_C0]
		call	_MiMakeDriverPagesPrivate@16 ; MiMakeDriverPagesPrivate(x,x,x,x)
		jmp	loc_4C1BCF
; 

loc_4C1CAA:				; CODE XREF: MiLockCode(x,x,x,x)+245j
					; MiLockCode(x,x,x,x)+255j ...
		mov	eax, edi
		xor	ecx, ecx
		and	eax, 800h
		or	eax, ecx
		jnz	short loc_4C1CE6
		and	edi, 200h
		or	edi, ecx
		jz	short loc_4C1CE6
		lea	ecx, [esp+0F0h+var_A0]
		call	MiFlushTbList
		mov	edx, [esp+0F0h+var_E0]
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [esp+0F0h+var_E2]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		xor	eax, eax
		inc	eax
		push	eax
		jmp	short loc_4C1C95
; 

loc_4C1CE6:				; CODE XREF: MiLockCode(x,x,x,x)+29Dj
					; MiLockCode(x,x,x,x)+2A7j
		mov	[esp+0F0h+var_B8], ecx
		mov	[esp+0F0h+var_B4], ecx
		mov	ecx, esi
		call	MiLocateWsle
		cmp	[esp+0F0h+var_D4], 0FFFFFFFFh
		mov	al, [eax]
		mov	[esp+0F0h+var_D5], al
		jnz	loc_4C1D92
		test	[ebp+arg_4], 2
		jz	short loc_4C1D15
		and	al, 0Fh
		cmp	al, 9
		setnz	al
		jmp	short loc_4C1D1E
; 

loc_4C1D15:				; CODE XREF: MiLockCode(x,x,x,x)+2F2j
		xor	eax, eax
		inc	eax
		cmp	[ebx+14h], ax
		jnz	short loc_4C1D92

loc_4C1D1E:				; CODE XREF: MiLockCode(x,x,x,x)+2FBj
		xor	ecx, ecx
		inc	ecx
		cmp	al, cl
		jnz	short loc_4C1D92
		mov	ecx, dword_6CF55C
		mov	edx, 1FFh
		mov	eax, [esp+0F0h+var_CC]
		and	ecx, edx
		and	eax, edx
		cmp	eax, ecx
		jnb	short loc_4C1D92
		mov	ecx, ebx
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	short loc_4C1D92
		lea	ecx, [esp+0F0h+var_A0]
		call	MiFlushTbList
		mov	edx, [esp+0F0h+var_E0]
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [esp+0F0h+var_E2]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		push	0
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiAllocateDriverPage
		mov	edi, eax
		xor	ebx, ebx
		mov	ecx, esi
		mov	[esp+0F0h+var_D4], edi
		mov	[esp+0F0h+var_E0], ebx
		call	MiLockWorkingSetShared
		mov	cl, al
		mov	[esp+0F0h+var_E2], cl
		jmp	loc_4C1FC9
; 

loc_4C1D92:				; CODE XREF: MiLockCode(x,x,x,x)+2E8j
					; MiLockCode(x,x,x,x)+304j ...
		and	[esp+0F0h+var_B0], 0
		lea	edi, [ebx+10h]
		jmp	short loc_4C1DAB
; 

loc_4C1D9C:				; CODE XREF: MiLockCode(x,x,x,x)+391j
					; MiLockCode(x,x,x,x)+398j
		lea	ecx, [esp+0F0h+var_B0]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_4C1D9C

loc_4C1DAB:				; CODE XREF: MiLockCode(x,x,x,x)+382j
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4C1D9C
		cmp	[esp+0F0h+var_D4], 0FFFFFFFFh
		jz	loc_4C1EE1
		test	[ebp+arg_4], 2
		jz	short loc_4C1DDD
		mov	edx, [esp+0F0h+var_D0]
		mov	ecx, esi
		call	MiLocateWsle
		mov	al, [eax]
		mov	[esp+0F0h+var_D5], al
		and	al, 0Fh
		cmp	al, 9
		setnz	al
		jmp	short loc_4C1DEC
; 

loc_4C1DDD:				; CODE XREF: MiLockCode(x,x,x,x)+3A9j
		xor	eax, eax
		inc	eax
		cmp	[ebx+14h], ax
		jz	loc_4C1EE1
		xor	al, al

loc_4C1DEC:				; CODE XREF: MiLockCode(x,x,x,x)+3C3j
		xor	ecx, ecx
		inc	ecx
		cmp	al, cl
		jnz	loc_4C1EE1
		mov	ecx, ebx
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	loc_4C1EE1
		mov	edx, [esp+0F0h+var_D4]
		mov	eax, edx
		mov	ecx, [esp+0F0h+var_CC]
		and	eax, 1FFh
		and	ecx, 1FFh
		cmp	ecx, eax
		jnb	loc_4C1EE1
		imul	edx, 1Ch
		mov	eax, 7FFFFFFFh
		add	edx, ds:_MmPfnDatabase
		mov	[esp+0F0h+var_CC], edx
		lock and [edi],	eax
		mov	edi, [ebx+4]
		mov	ecx, ebx
		or	edi, 80000000h
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4C1E6A
		mov	eax, [ebx+8]
		and	eax, 400h
		or	eax, 0
		jz	short loc_4C1E6A
		xor	edx, edx
		mov	ecx, edi
		call	MiLockProtoPoolPage
		mov	edx, [esp+0F0h+var_CC]
		mov	edi, eax
		jmp	short loc_4C1E6F
; 

loc_4C1E6A:				; CODE XREF: MiLockCode(x,x,x,x)+432j
					; MiLockCode(x,x,x,x)+43Fj
		xor	eax, eax
		lea	edi, [eax+1]

loc_4C1E6F:				; CODE XREF: MiLockCode(x,x,x,x)+450j
		test	edi, edi
		jz	short loc_4C1EB1
		push	ecx
		push	2
		push	0
		push	[esp+0FCh+var_D0]
		mov	ecx, ebx
		call	_MiTradeActivePage@24 ;	MiTradeActivePage(x,x,x,x,x,x)
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jnz	short loc_4C1EB1
		mov	eax, ds:_ZeroPte
		lea	ecx, [ebx+8]
		mov	[ecx], eax
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		mov	ecx, ebx
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		mov	ebx, [esp+0F0h+var_CC]
		or	[esp+0F0h+var_D4], 0FFFFFFFFh

loc_4C1EB1:				; CODE XREF: MiLockCode(x,x,x,x)+459j
					; MiLockCode(x,x,x,x)+470j
		xor	eax, eax
		inc	eax
		cmp	edi, eax
		jbe	short loc_4C1EC1
		mov	dl, 21h
		mov	ecx, edi
		call	MiUnlockProtoPoolPage

loc_4C1EC1:				; CODE XREF: MiLockCode(x,x,x,x)+49Ej
		and	[esp+0F0h+var_A8], 0
		lea	edi, [ebx+10h]
		jmp	short loc_4C1EDA
; 

loc_4C1ECB:				; CODE XREF: MiLockCode(x,x,x,x)+4C0j
					; MiLockCode(x,x,x,x)+4C7j
		lea	ecx, [esp+0F0h+var_A8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_4C1ECB

loc_4C1EDA:				; CODE XREF: MiLockCode(x,x,x,x)+4B1j
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4C1ECB

loc_4C1EE1:				; CODE XREF: MiLockCode(x,x,x,x)+39Fj
					; MiLockCode(x,x,x,x)+3CCj ...
		test	[ebp+arg_4], 2
		jz	short loc_4C1EFF
		mov	al, [esp+0F0h+var_D5]
		and	al, 0Fh
		cmp	al, 9
		jz	short loc_4C1F2A
		mov	edx, [esp+0F0h+var_DC]
		mov	ecx, esi
		push	ebx
		call	MiRemoveSystemImagePage
		jmp	short loc_4C1F2A
; 

loc_4C1EFF:				; CODE XREF: MiLockCode(x,x,x,x)+4CDj
		cmp	[esp+0F0h+var_BC], 2
		mov	ecx, ebx
		jnz	short loc_4C1F19
		xor	edx, edx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		test	eax, eax
		jnz	short loc_4C1F2A
		mov	[esp+0F0h+var_E1], al
		jmp	short loc_4C1F2A
; 

loc_4C1F19:				; CODE XREF: MiLockCode(x,x,x,x)+4EEj
		call	_MiAreChargesNeededToLockPage@4	; MiAreChargesNeededToLockPage(x)
		test	eax, eax
		jz	short loc_4C1F26
		or	byte ptr [ebx+17h], 20h

loc_4C1F26:				; CODE XREF: MiLockCode(x,x,x,x)+508j
		inc	word ptr [ebx+14h]

loc_4C1F2A:				; CODE XREF: MiLockCode(x,x,x,x)+4D7j
					; MiLockCode(x,x,x,x)+4E5j ...
		mov	eax, [ebx+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_4C1F46
		mov	ecx, ebx
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	[esp+0F0h+var_B8], eax
		mov	[esp+0F0h+var_B4], edx

loc_4C1F46:				; CODE XREF: MiLockCode(x,x,x,x)+51Dj
		mov	eax, [esp+0F0h+var_DC]
		mov	edi, [eax]
		nop
		mov	ecx, [eax+4]
		mov	[esp+0F0h+var_A4], ecx
		mov	ecx, edi
		and	ecx, 800h
		or	ecx, 0
		jz	short loc_4C1F8E
		and	edi, 42h
		or	edi, 0
		jnz	short loc_4C1F8E
		mov	byte ptr [esp+0F0h+var_AC], 0
		mov	ecx, eax
		push	[esp+0F0h+var_AC]
		push	2
		pop	edx
		call	_MiWriteValidPteVolatile@12 ; MiWriteValidPteVolatile(x,x,x)
		mov	edx, [esp+0F0h+var_D0]
		lea	ecx, [esp+0F0h+var_A0]
		xor	eax, eax
		push	edi
		inc	eax
		push	eax
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_4C1F8E:				; CODE XREF: MiLockCode(x,x,x,x)+547j
					; MiLockCode(x,x,x,x)+54Fj
		lea	eax, [ebx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	ecx, [esp+0F0h+var_B8]
		mov	eax, ecx
		mov	edx, [esp+0F0h+var_B4]
		or	eax, edx
		jz	short loc_4C1FB8
		xor	eax, eax
		push	edx
		push	ecx
		mov	ecx, offset _MiSystemPartition
		lea	edx, [eax+1]
		call	MiReleasePageFileInfo

loc_4C1FB8:				; CODE XREF: MiLockCode(x,x,x,x)+58Dj
		add	[esp+0F0h+var_DC], 8

loc_4C1FBD:				; CODE XREF: MiLockCode(x,x,x,x)+212j
		mov	ebx, [esp+0F0h+var_E0]

loc_4C1FC1:				; CODE XREF: MiLockCode(x,x,x,x)+1C4j
		mov	cl, [esp+0F0h+var_E2]
		mov	edi, [esp+0F0h+var_D4]

loc_4C1FC9:				; CODE XREF: MiLockCode(x,x,x,x)+375j
		mov	eax, [esp+0F0h+var_DC]
		cmp	eax, [ebp+arg_0]
		ja	short loc_4C1FDF
		xor	edx, edx
		inc	edx
		cmp	[esp+0F0h+var_E1], dl
		jz	loc_4C1B3D

loc_4C1FDF:				; CODE XREF: MiLockCode(x,x,x,x)+5B8j
		cmp	cl, 21h
		jz	short loc_4C2005
		lea	ecx, [esp+0F0h+var_A0]
		call	MiFlushTbList
		test	ebx, ebx
		jz	short loc_4C1FFA
		mov	edx, ebx
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4C1FFA:				; CODE XREF: MiLockCode(x,x,x,x)+5D7j
		mov	dl, [esp+0F0h+var_E2]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared

loc_4C2005:				; CODE XREF: MiLockCode(x,x,x,x)+5CAj
		cmp	edi, 0FFFFFFFFh
		jz	short loc_4C2018
		imul	ecx, edi, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)

loc_4C2018:				; CODE XREF: MiLockCode(x,x,x,x)+5F0j
		cmp	[esp+0F0h+var_E1], 0
		jnz	short loc_4C2037
		mov	edx, [esp+0F0h+var_DC]
		push	ecx
		mov	ecx, [esp+0F4h+var_C4]
		add	edx, 0FFFFFFF0h
		call	_MiUnlockCodePage@12 ; MiUnlockCodePage(x,x,x)
		mov	eax, 0C000009Ah
		jmp	short loc_4C2039
; 

loc_4C2037:				; CODE XREF: MiLockCode(x,x,x,x)+4Dj
					; MiLockCode(x,x,x,x)+605j
		xor	eax, eax

loc_4C2039:				; CODE XREF: MiLockCode(x,x,x,x)+61Dj
		mov	ecx, [esp+0F0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4C2050:				; CODE XREF: MiLockCode(x,x,x,x)+1B1j
		push	eax
		push	edi
		push	ebx
		push	3000h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MiLockCode@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRemoveSystemImagePage	proc near	; CODE XREF: MiLockCode(x,x,x,x)+4E0p
					; MiMakeDriverPageStayResident(x,x,x)+AFp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C4719 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		and	[ebp+var_4], 0
		push	esi
		or	byte ptr [eax+17h], 8
		lea	esi, [eax+10h]
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	eax, ds:_PsNtosImageBase
		shl	edx, 9
		test	eax, eax
		jz	short loc_4C209E
		cmp	edx, ds:_PsNtosImageEnd
		jb	short loc_4C20C5

loc_4C2092:				; CODE XREF: MiRemoveSystemImagePage+67j
		cmp	edx, ds:_PsHalImageEnd
		jb	loc_5C4719

loc_4C209E:				; CODE XREF: MiRemoveSystemImagePage+28j
					; MiRemoveSystemImagePage+1026BFj
		mov	eax, offset unk_6CF598

loc_4C20A3:				; CODE XREF: MiRemoveSystemImagePage+1026CAj
		lock dec dword ptr [eax]
		lea	eax, [ebp+var_4]
		push	eax
		push	2
		call	_MiTerminateWsle@16 ; MiTerminateWsle(x,x,x,x)
		and	[ebp+arg_0], 0

loc_4C20B5:				; CODE XREF: MiRemoveSystemImagePage+1026DDj
		lock bts dword ptr [esi], 1Fh
		jb	loc_5C472F
		pop	esi
		leave
		retn	4
; 

loc_4C20C5:				; CODE XREF: MiRemoveSystemImagePage+30j
		cmp	edx, eax
		jb	short loc_4C2092
		jmp	loc_5C4725
MiRemoveSystemImagePage	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTerminateWsle(x, x, x, x)
_MiTerminateWsle@16 proc near		; CODE XREF: MiRemoveSystemImagePage+4Cp
					; MiDeleteClusterPage(x,x)+3C1p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		shr	edi, 9
		xor	ebx, ebx
		and	edi, offset loc_7FFFF8
		mov	[ebp+var_10], edx
		inc	ebx
		mov	[ebp+var_8], 0Ah
		xor	esi, esi
		mov	ecx, [edi-40000000h]
		nop
		mov	eax, [edi-3FFFFFFCh]
		shrd	ecx, eax, 0Ch
		lea	eax, [edx+40000000h]
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_18], ecx
		cmp	eax, offset loc_7FFFFF
		ja	short loc_4C2133
		mov	eax, [ecx]
		mov	edx, esi
		shr	eax, 1
		and	al, 7
		mov	byte ptr [ebp+var_C], al
		jmp	short loc_4C2197
; 

loc_4C2133:				; CODE XREF: MiTerminateWsle(x,x,x,x)+56j
		mov	eax, [ebp+arg_0]
		and	al, 2
		mov	[ebp+var_14], 1
		movzx	eax, al
		neg	eax
		push	0Ah
		pop	ecx
		sbb	eax, eax
		add	eax, ecx
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_8], eax
		call	MiLocateWsle
		mov	ecx, [ebp+var_18]
		mov	dl, [eax]
		mov	byte ptr [ebp+var_C], dl
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		mov	ebx, eax
		neg	ebx
		sbb	ebx, ebx
		and	dl, 0Fh
		inc	ebx
		cmp	dl, 8
		jnz	short loc_4C2194
		mov	edx, [ebp+var_10]
		push	ecx
		mov	ecx, [ebp+var_4]
		call	_MiUnlockWsle@12 ; MiUnlockWsle(x,x,x)
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_4]
		call	MiLocateWsle
		mov	al, [eax]
		mov	byte ptr [ebp+var_C], al
		mov	eax, [ebp+var_8]
		mov	[ebp+var_8], eax

loc_4C2194:				; CODE XREF: MiTerminateWsle(x,x,x,x)+A2j
		mov	edx, [ebp+var_14]

loc_4C2197:				; CODE XREF: MiTerminateWsle(x,x,x,x)+63j
		test	byte ptr [ebp+arg_0], 3
		jnz	short loc_4C21DB
		push	ds:dword_40F9FC
		push	ds:_ZeroPte
		test	edx, edx
		jnz	short loc_4C21C9
		mov	ecx, [ebp+var_4]
		lea	edx, [edi-40000000h]
		push	esi
		call	MiEvictPageTableLock
		test	eax, eax
		jnz	short loc_4C21D8
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		xor	eax, eax
		jmp	short loc_4C21F8
; 

loc_4C21C9:				; CODE XREF: MiTerminateWsle(x,x,x,x)+DDj
		lea	ecx, [edi-40000000h]
		call	_MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED@12 ; MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED(x,x,x)
		test	eax, eax
		jz	short loc_4C21DB

loc_4C21D8:				; CODE XREF: MiTerminateWsle(x,x,x,x)+F0j
		xor	esi, esi
		inc	esi

loc_4C21DB:				; CODE XREF: MiTerminateWsle(x,x,x,x)+CDj
					; MiTerminateWsle(x,x,x,x)+108j
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_10]
		push	ebx
		push	ecx
		push	[ebp+var_C]
		mov	ecx, [ebp+var_4]
		push	1
		call	MiRemoveWsle
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		inc	eax
		mov	[ecx], esi

loc_4C21F8:				; CODE XREF: MiTerminateWsle(x,x,x,x)+F9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiTerminateWsle@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PsRevertToUserPagePriorityThread(x,	x)
_PsRevertToUserPagePriorityThread@8 proc near
					; CODE XREF: SmSetThreadSystemPagePriority(x,x,x):loc_54939Dp
					; MiRelocateImage+447p	...
		dec	word ptr [ecx+13Eh]
		nop
		mov	eax, [ecx+304h]
		and	eax, 0FFFFF1FFh
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_4C2228
		and	eax, 0FFFFFEFFh

loc_4C221D:				; CODE XREF: PsRevertToUserPagePriorityThread(x,x)+2Dj
		mov	[ecx+304h], eax
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
; 

loc_4C2228:				; CODE XREF: PsRevertToUserPagePriorityThread(x,x)+16j
		shl	edx, 9
		or	eax, edx
		jmp	short loc_4C221D
_PsRevertToUserPagePriorityThread@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiFreeImageCfgContext(x)
_MiFreeImageCfgContext@4 proc near	; CODE XREF: MiParseImageLoadConfig+276p
					; MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+322p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_4C2248
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+4], 0

loc_4C2248:				; CODE XREF: MiFreeImageCfgContext(x)+Aj
		pop	esi
		retn
_MiFreeImageCfgContext@4 endp


;  S U B	R O U T	I N E 


; __stdcall PsSetSystemPagePriorityThread(x, x)
_PsSetSystemPagePriorityThread@8 proc near
					; CODE XREF: SmSetThreadSystemPagePriority(x,x,x)+1Cp
					; MiRelocateImage+251p	...
		dec	word ptr [ecx+13Eh]
		push	ebx
		push	esi
		nop
		mov	bl, [ecx+305h]
		mov	eax, [ecx+304h]
		shl	edx, 9
		test	bl, 1
		jnz	short loc_4C2282
		or	esi, 0FFFFFFFFh
		or	eax, 100h

loc_4C2270:				; CODE XREF: PsSetSystemPagePriorityThread(x,x)+45j
		or	eax, edx
		mov	[ecx+304h], eax
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_4C2282:				; CODE XREF: PsSetSystemPagePriorityThread(x,x)+1Cj
		movzx	esi, bl
		shr	esi, 1
		and	esi, 7
		and	eax, 0FFFFF1FFh
		jmp	short loc_4C2270
_PsSetSystemPagePriorityThread@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiReleaseFreshPage(x)
_MiReleaseFreshPage@4 proc near		; CODE XREF: .text:0045D828p
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+29Dp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		xor	edx, edx
		mov	ecx, esi
		mov	bl, al
		call	_MiReturnFreeZeroPage@8	; MiReturnFreeZeroPage(x,x)
		mov	eax, 7FFFFFFFh
		lea	ecx, [esi+10h]
		lock and [ecx],	eax
		pop	esi
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiReleaseFreshPage@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiReturnPfnReferenceCount(x)
_MiReturnPfnReferenceCount@4 proc near	; CODE XREF: MiSectionCreated:loc_5C0AF2p
					; MiIdealClusterPage(x,x,x,x,x,x,x,x)+6D9p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, edi
		mov	bl, al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	esi, eax
		lea	ecx, [edi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_MiReturnPfnReferenceCount@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 593. FsRtlMdlReadCompleteDev

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlMdlReadCompleteDev(x, x, x)
		public _FsRtlMdlReadCompleteDev@12
_FsRtlMdlReadCompleteDev@12 proc near

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		call	_CcMdlReadComplete2@8 ;	CcMdlReadComplete2(x,x)
		mov	al, 1
		pop	ebp
		retn	0Ch
_FsRtlMdlReadCompleteDev@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiIsDecayPfn(x)
_MiIsDecayPfn@4	proc near		; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+263p
					; MiReplaceTransitionPage(x,x,x,x)+374p ...
		mov	eax, dword_6D3250
		cmp	ecx, eax
		jnb	short loc_4C2314

loc_4C2311:				; CODE XREF: MiIsDecayPfn(x)+13j
		xor	eax, eax
		retn
; 

loc_4C2314:				; CODE XREF: MiIsDecayPfn(x)+7j
		add	eax, 800h
		cmp	ecx, eax
		jnb	short loc_4C2311
		xor	eax, eax
		inc	eax
		retn
_MiIsDecayPfn@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSetPagingOfDriver proc near		; CODE XREF: MmPageEntireDriver(x)+71p
					; MiEnablePagingOfDriver(x)+41p

var_CC		= dword	ptr -0CCh
var_C6		= byte ptr -0C6h
var_C5		= byte ptr -0C5h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C4742 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0CCh+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		mov	[esp+0DCh+var_C0], eax
		xor	edi, edi
		lea	eax, [esp+0DCh+var_A0]
		mov	[esp+0DCh+var_BC], ecx
		push	edi		; int
		push	eax		; void *
		mov	ebx, edx
		call	_memset
		add	esp, 0Ch
		mov	[esp+0D8h+var_CC], edi
		mov	eax, ebx
		mov	[esp+0D8h+var_98], 21h
		shl	eax, 9
		mov	esi, edi
		mov	[esp+0D8h+var_C4], eax
		mov	eax, [esp+0D8h+var_BC]
		push	2
		pop	ecx
		add	eax, 5Ch
		mov	[esp+0D8h+var_8C], edi
		mov	edx, ecx
		mov	[esp+0D8h+var_AC], eax
		mov	ecx, eax
		call	_MiLockLoaderEntry@8 ; MiLockLoaderEntry(x,x)
		mov	ecx, offset unk_6D3740
		call	MiLockWorkingSetShared
		mov	[esp+0D8h+var_C6], al
		cmp	ebx, [esp+0D8h+var_C0]
		ja	loc_4C24C3

loc_4C23AD:				; CODE XREF: MiSetPagingOfDriver+17Fj
		test	edi, edi
		jz	loc_4C255E
		test	ebx, 0FFFh
		jz	loc_4C255E

loc_4C23C1:				; CODE XREF: MiSetPagingOfDriver+266j
		mov	ecx, [esp+0D8h+var_BC]
		mov	edx, ebx
		call	_MiDriverPageMustStayResident@8	; MiDriverPageMustStayResident(x,x)
		test	al, al
		jnz	loc_4C248E
		mov	ecx, [ebx]
		mov	[esp+0D8h+var_B4], ecx
		nop
		mov	edx, [ebx+4]
		mov	eax, ecx
		and	eax, 1
		mov	[esp+0D8h+var_B0], edx
		or	eax, 0
		jz	loc_4C2520
		nop
		mov	eax, edx
		mov	edx, [esp+0D8h+var_C4]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	eax, ecx, 1Ch
		mov	ecx, offset unk_6D3740
		add	eax, ds:_MmPfnDatabase
		mov	[esp+0D8h+var_B8], eax
		call	MiLocateWsle
		mov	al, [eax]
		mov	[esp+0D8h+var_C5], al
		and	al, 0Fh
		cmp	al, 9
		jnz	short loc_4C248E
		mov	ecx, [esp+0D8h+var_B8]
		xor	edx, edx
		inc	edx
		movzx	eax, word ptr [ecx+14h]
		cmp	ax, dx
		jnz	loc_5C4742

loc_4C2438:				; CODE XREF: MiSetPagingOfDriver+102436j
		cmp	[esp+0D8h+var_CC], 0
		jz	loc_4C258D

loc_4C2443:				; CODE XREF: MiSetPagingOfDriver+26Fj
		mov	edx, [esp+0D8h+var_C4]
		mov	ecx, offset unk_6D3740
		call	MiLocateWsle
		mov	ecx, eax
		mov	al, [esp+0D8h+var_C5]
		and	al, 0FAh
		or	al, 0Ah
		mov	[ecx], al
		mov	eax, [esp+0D8h+var_B4]
		mov	ecx, [esp+0D8h+var_B0]
		and	eax, 0FFFFFFFEh
		or	eax, 400h
		mov	[esp+0D8h+var_A4], ecx
		mov	[esp+0D8h+var_A8], eax
		mov	[ebx], eax
		nop
		mov	edx, [esp+0D8h+var_C4]
		xor	eax, eax
		push	0
		inc	eax
		mov	[ebx+4], ecx
		push	eax
		lea	ecx, [esp+0E0h+var_A0]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_4C248E:				; CODE XREF: MiSetPagingOfDriver+ACj
					; MiSetPagingOfDriver+100j ...
		mov	eax, [esp+0D8h+var_CC]

loc_4C2492:				; CODE XREF: MiSetPagingOfDriver+20Bj
					; MiSetPagingOfDriver+213j ...
		add	[esp+0D8h+var_C4], 1000h
		add	ebx, 8
		cmp	ebx, [esp+0D8h+var_C0]
		jbe	loc_4C23AD
		test	eax, eax
		jnz	loc_4C2596

loc_4C24AF:				; CODE XREF: MiSetPagingOfDriver+28Dj
		test	edi, edi
		jz	short loc_4C24BF
		mov	edx, edi
		mov	ecx, offset unk_6D3740
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4C24BF:				; CODE XREF: MiSetPagingOfDriver+18Fj
		mov	al, [esp+0D8h+var_C6]

loc_4C24C3:				; CODE XREF: MiSetPagingOfDriver+85j
		mov	dl, al
		mov	ecx, offset unk_6D3740
		call	MiUnlockWorkingSetShared
		mov	ecx, [esp+0D8h+var_AC]
		push	2
		pop	eax
		mov	edx, eax
		call	MiUnlockLoaderEntry
		test	esi, esi
		jz	short loc_4C2509
		mov	eax, [esp+0D8h+var_BC]
		mov	eax, [eax+18h]
		cmp	eax, ds:_PsNtosImageBase
		jz	loc_5C475D
		cmp	eax, ds:_PsHalImageBase
		mov	eax, offset unk_6CF598
		jz	loc_5C475D

loc_4C2505:				; CODE XREF: MiSetPagingOfDriver+102440j
		lock xadd [eax], esi

loc_4C2509:				; CODE XREF: MiSetPagingOfDriver+1BDj
		mov	ecx, [esp+0D8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4C2520:				; CODE XREF: MiSetPagingOfDriver+C8j
		mov	eax, [esp+0D8h+var_CC]
		and	ecx, 400h
		or	ecx, 0
		jz	loc_4C2492
		test	eax, eax
		jz	loc_4C2492
		lea	ecx, [esp+0D8h+var_A0]
		call	MiFlushTbList
		push	ecx
		mov	ecx, [esp+0DCh+var_CC]
		lea	edx, [ebx-8]
		call	_MiTrimSystemImagePages@12 ; MiTrimSystemImagePages(x,x,x)
		add	esi, eax
		xor	eax, eax
		mov	[esp+0D8h+var_CC], eax
		jmp	loc_4C2492
; 

loc_4C255E:				; CODE XREF: MiSetPagingOfDriver+8Dj
					; MiSetPagingOfDriver+99j
		cmp	[esp+0D8h+var_CC], 0
		jnz	short loc_4C25B4

loc_4C2565:				; CODE XREF: MiSetPagingOfDriver+2AFj
		test	edi, edi
		jnz	short loc_4C25D3

loc_4C2569:				; CODE XREF: MiSetPagingOfDriver+2BDj
		mov	edi, ebx
		mov	ecx, offset unk_6D3740
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		push	0
		mov	edx, edi
		call	MiLockPageTableInternal
		jmp	loc_4C23C1
; 

loc_4C258D:				; CODE XREF: MiSetPagingOfDriver+11Bj
		mov	[esp+0D8h+var_CC], ebx
		jmp	loc_4C2443
; 

loc_4C2596:				; CODE XREF: MiSetPagingOfDriver+187j
		lea	ecx, [esp+0D8h+var_A0]
		call	MiFlushTbList
		mov	edx, [esp+0D8h+var_C0]
		push	ecx
		mov	ecx, [esp+0DCh+var_CC]
		call	_MiTrimSystemImagePages@12 ; MiTrimSystemImagePages(x,x,x)
		add	esi, eax
		jmp	loc_4C24AF
; 

loc_4C25B4:				; CODE XREF: MiSetPagingOfDriver+241j
		lea	ecx, [esp+0D8h+var_A0]
		call	MiFlushTbList
		push	ecx
		mov	ecx, [esp+0DCh+var_CC]
		lea	edx, [ebx-8]
		call	_MiTrimSystemImagePages@12 ; MiTrimSystemImagePages(x,x,x)
		add	esi, eax
		and	[esp+0D8h+var_CC], 0
		jmp	short loc_4C2565
; 

loc_4C25D3:				; CODE XREF: MiSetPagingOfDriver+245j
		mov	edx, edi
		mov	ecx, offset unk_6D3740
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	short loc_4C2569
MiSetPagingOfDriver endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiDriverPageMustStayResident(x, x)
_MiDriverPageMustStayResident@8	proc near ; CODE XREF: MiSetPagingOfDriver+A5p
					; MiMakeDriverPagesPrivate(x,x,x,x)+35Cp
		mov	eax, [ecx+18h]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	edx, eax
		push	esi
		mov	esi, [ecx+98h]
		add	edx, 40000000h
		sar	edx, 3
		cmp	edx, [esi]
		jnb	short loc_4C2619
		mov	eax, [esi+4]
		mov	ecx, edx
		shr	ecx, 5
		and	edx, 1Fh
		pop	esi
		mov	eax, [eax+ecx*4]
		mov	ecx, edx
		sar	eax, cl
		and	al, 1
		retn
; 

loc_4C2619:				; CODE XREF: MiDriverPageMustStayResident(x,x)+1Fj
		xor	al, al
		pop	esi
		retn
_MiDriverPageMustStayResident@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTrimSystemImagePages(x, x, x)
_MiTrimSystemImagePages@12 proc	near	; CODE XREF: MiSetPagingOfDriver+22Ap
					; MiSetPagingOfDriver+286p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_20], eax
		mov	[ebp+var_10], ecx
		push	esi
		push	edi
		cmp	ebx, eax
		ja	loc_4C27E7

loc_4C263D:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+1C3j
		mov	esi, [ebx]
		nop
		mov	edx, [ebx+4]
		mov	eax, esi
		and	eax, 1
		mov	[ebp+var_C], edx
		or	eax, 0
		jnz	loc_4C27DB
		mov	eax, esi
		and	eax, 400h
		or	eax, 0
		jz	loc_4C27DB
		and	esi, 0FFFFFBFFh
		mov	[ebp+var_24], edx
		or	esi, 1
		mov	[ebp+var_28], esi
		nop
		mov	ecx, esi
		mov	eax, edx
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	edi, ecx, 1Ch
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		mov	[ebp+var_18], edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4C26CE
		mov	eax, [edi+4]
		mov	ecx, eax
		mov	[ebp+var_C], eax
		or	ecx, 80000000h
		xor	eax, eax
		or	eax, 400h
		push	ecx
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		test	dword ptr [edi+18h], 800000h
		jnz	short loc_4C26F0
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		js	short loc_4C26F0
		jz	short loc_4C26F0
		or	eax, 800h
		jmp	short loc_4C26F0
; 

loc_4C26CE:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+79j
		nop
		mov	edx, [edi+8]
		mov	ecx, esi
		mov	eax, [edi+0Ch]
		shrd	edx, eax, 5
		mov	eax, [ebp+var_C]
		shrd	ecx, eax, 0Ch
		and	edx, 1Fh
		and	ecx, 1FFFFFFh
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)

loc_4C26F0:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+9Ej
					; MiTrimSystemImagePages(x,x,x)+A5j ...
		mov	[ebx], eax
		nop
		xor	eax, eax
		mov	[ebx+4], edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], eax
		lea	eax, [edi+10h]
		mov	[ebp+var_4], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_4C272B
		mov	edi, eax

loc_4C2710:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+FEj
					; MiTrimSystemImagePages(x,x,x)+105j
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_4C2710
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4C2710
		mov	esi, [ebp+var_28]
		mov	edi, [ebp+var_18]

loc_4C272B:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+EEj
		and	byte ptr [edi+17h], 0F7h
		and	esi, 42h
		or	esi, 0
		jz	short loc_4C2744
		mov	ecx, edi
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx

loc_4C2744:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+117j
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4C275A
		mov	ecx, ebx
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		mov	esi, eax
		jmp	short loc_4C275D
; 

loc_4C275A:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+12Fj
		or	esi, 0FFFFFFFFh

loc_4C275D:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+13Aj
		mov	al, [edi+17h]
		mov	ecx, edi
		and	al, 0FAh
		or	al, 2
		mov	[edi+17h], al
		call	MiDecrementShareCount
		cmp	esi, 0FFFFFFFFh
		jz	short loc_4C27AE
		mov	eax, [ebp+var_4]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		imul	edi, esi, 1Ch
		add	edi, ds:_MmPfnDatabase
		and	[ebp+var_1C], 0
		lea	esi, [edi+10h]
		jmp	short loc_4C279E
; 

loc_4C2790:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+17Ej
					; MiTrimSystemImagePages(x,x,x)+185j
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4C2790

loc_4C279E:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+170j
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4C2790
		mov	ecx, edi
		call	MiDecrementShareCount
		jmp	short loc_4C27B1
; 

loc_4C27AE:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+153j
		mov	esi, [ebp+var_4]

loc_4C27B1:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+18Ej
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	ecx, [ebp+var_8]
		mov	eax, ecx
		mov	edx, [ebp+var_C]
		or	eax, edx
		jz	short loc_4C27D4
		push	edx
		xor	edx, edx
		push	ecx
		inc	edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_4C27D4:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+1A5j
		mov	ecx, [ebp+var_10]
		inc	ecx
		mov	[ebp+var_10], ecx

loc_4C27DB:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+30j
					; MiTrimSystemImagePages(x,x,x)+40j
		add	ebx, 8
		cmp	ebx, [ebp+var_20]
		jbe	loc_4C263D

loc_4C27E7:				; CODE XREF: MiTrimSystemImagePages(x,x,x)+19j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	4
_MiTrimSystemImagePages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetImageProtection(x, x, x, x)
_MiSetImageProtection@16 proc near	; CODE XREF: MmChangeImageProtection(x,x,x,x)+18Ep
					; MmChangeImageProtection(x,x,x,x)+218p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		dec	eax
		add	eax, edx
		shr	edx, 9
		push	esi
		push	edi
		push	[ebp+arg_4]
		shr	eax, 9
		mov	edi, offset loc_7FFFF8
		and	eax, edi
		mov	esi, 40000000h
		sub	eax, esi
		and	edx, edi
		push	eax
		sub	edx, esi
		call	_MiSetSystemCodeProtection@16 ;	MiSetSystemCodeProtection(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_MiSetImageProtection@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetSystemCodeProtection(x, x, x, x)
_MiSetSystemCodeProtection@16 proc near	; CODE XREF: MiSetImageProtection(x,x,x,x)+29p
					; MiProtectSystemImage+1AFp ...

var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A1		= byte ptr -0A1h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 100h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_D0], ecx
		push	98h		; size_t
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_F0], esi
		mov	edi, edx
		mov	[ebp+var_EC], esi
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_BC], edi
		call	_memset
		mov	eax, [ebx+0Ch]
		add	esp, 0Ch
		cmp	eax, 18h
		jz	short loc_4C289C
		test	al, 10h
		jz	short loc_4C289C
		and	eax, 0FFFFFFEFh
		mov	[ebp+var_E8], 1
		mov	[ebx+0Ch], eax
		jmp	short loc_4C28A2
; 

loc_4C289C:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+60j
					; MiSetSystemCodeProtection(x,x,x,x)+64j
		mov	[ebp+var_E8], esi

loc_4C28A2:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+76j
		mov	esi, edi
		shl	esi, 9
		mov	ecx, esi
		mov	[ebp+var_C4], esi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jz	short loc_4C28C0
		xor	eax, eax
		inc	eax
		jmp	loc_4C2EA1
; 

loc_4C28C0:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+92j
		mov	edx, [ebx+0Ch]
		mov	ecx, edx
		mov	[ebp+var_B8], ecx
		mov	[ebp+var_B4], 2
		cmp	edx, 100h
		jnz	short loc_4C28FB
		mov	ecx, [ebp+var_D0]
		mov	ecx, [ecx+3Ch]
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		xor	edx, edx
		mov	[ebp+var_E4], eax
		mov	[ebp+var_D4], edx
		jmp	short loc_4C2942
; 

loc_4C28FB:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+B7j
		mov	eax, [ebx+8]
		and	[ebp+var_E4], 0
		mov	[ebp+var_D4], eax
		mov	eax, edx
		and	eax, 5
		cmp	al, 5
		jnz	short loc_4C291D
		and	ecx, 0FFFFFFFEh
		mov	[ebp+var_B8], ecx

loc_4C291D:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+EEj
		mov	eax, ecx
		mov	edx, edi
		mov	ecx, [ebp+var_D0]
		shr	eax, 1
		and	eax, 2
		push	eax
		push	dword ptr [ebx+8]
		call	_MiMakeDriverPagesPrivate@16 ; MiMakeDriverPagesPrivate(x,x,x,x)
		test	eax, eax
		jns	short loc_4C2940
		xor	eax, eax
		jmp	loc_4C2EA1
; 

loc_4C2940:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+113j
		xor	edx, edx

loc_4C2942:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+D5j
		mov	ecx, dword_6D07D0
		mov	eax, esi
		shr	eax, 15h
		cmp	esi, ecx
		jb	short loc_4C296E
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_4C2967
		cmp	esi, ecx
		jb	short loc_4C296E
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jnz	short loc_4C296E

loc_4C2967:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+134j
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		jmp	short loc_4C2979
; 

loc_4C296E:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+12Bj
					; MiSetSystemCodeProtection(x,x,x,x)+138j ...
		mov	[ebp+var_B4], edx
		mov	eax, offset unk_6D3740

loc_4C2979:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+148j
		mov	ecx, [ebp+var_B4]
		mov	esi, edx
		mov	[ebp+var_A0], ecx
		mov	ecx, eax
		mov	[ebp+var_A8], eax
		mov	[ebp+var_9C], 0
		mov	[ebp+var_90], edx
		mov	[ebp+var_98], 21h
		mov	[ebp+var_8C], edx
		mov	[ebp+var_B0], esi
		call	MiLockWorkingSetShared
		mov	[ebp+var_A1], al
		cmp	edi, [ebx+8]
		ja	loc_4C2E6F
		xor	eax, eax
		mov	[ebp+var_C0], eax

loc_4C29D0:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+645j
		test	esi, esi
		jz	short loc_4C29F4
		test	edi, 0FFFh
		jnz	short loc_4C2A1A
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		mov	ecx, [ebp+var_A8]
		mov	edx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4C29F4:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+1AEj
		mov	ecx, [ebp+var_A8]
		mov	esi, edi
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		push	0
		mov	edx, esi
		mov	[ebp+var_B0], esi
		call	MiLockPageTableInternal

loc_4C2A1A:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+1B6j
		cmp	edi, [ebp+var_D4]
		jbe	loc_4C2B25
		mov	eax, [ebp+var_D0]
		mov	eax, [eax+18h]
		cdq
		mov	ecx, eax
		mov	esi, edx
		mov	eax, [ebp+var_C4]
		cdq
		sub	eax, ecx
		mov	[ebp+var_C8], eax
		sbb	edx, esi
		mov	esi, [ebp+var_C0]
		mov	[ebp+var_CC], edx
		test	esi, esi
		jnz	short loc_4C2AD0
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		mov	edx, [ebp+var_B0]
		mov	ecx, [ebp+var_A8]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [ebp+var_A1]
		mov	ecx, [ebp+var_A8]
		call	MiUnlockWorkingSetShared
		push	[ebp+var_CC]
		mov	ecx, [ebp+var_E4]
		lea	edx, [ebp+var_F0]
		push	[ebp+var_C8]
		call	MiOffsetToProtos
		mov	ecx, [ebp+var_A8]
		mov	[ebp+var_C0], eax
		call	MiLockWorkingSetShared
		mov	edx, [ebp+var_B0]
		mov	ecx, [ebp+var_A8]
		push	esi
		call	MiLockPageTableInternal
		mov	edx, [ebp+var_F0]
		mov	esi, [ebp+var_C0]
		jmp	short loc_4C2AE7
; 

loc_4C2AD0:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+22Fj
		mov	esi, [esi+8]
		xor	edx, edx
		and	[ebp+var_EC], edx
		mov	[ebp+var_C0], esi
		mov	[ebp+var_F0], edx

loc_4C2AE7:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+2AAj
		mov	eax, [esi+24h]
		mov	ecx, [esi+1Ch]
		and	eax, 3FFFFFFFh
		movzx	esi, word ptr [esi+10h]
		sub	ecx, eax
		sub	ecx, edx
		shr	esi, 1
		and	esi, 1Fh
		mov	[ebp+var_B8], esi
		lea	eax, [ecx-1]
		lea	eax, [edi+eax*8]
		mov	[ebp+var_D4], eax
		mov	eax, esi
		and	eax, 5
		cmp	al, 5
		jnz	short loc_4C2B2B
		and	esi, 0FFFFFFFEh
		mov	[ebp+var_B8], esi
		jmp	short loc_4C2B2B
; 

loc_4C2B25:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+1FCj
		mov	esi, [ebp+var_B8]

loc_4C2B2B:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+2F4j
					; MiSetSystemCodeProtection(x,x,x,x)+2FFj
		mov	edx, [edi]
		mov	[ebp+var_CC], edx
		nop
		mov	eax, [edi+4]
		xor	ecx, ecx
		mov	[ebp+var_B4], eax
		mov	[ebp+var_F4], eax
		mov	eax, edx
		and	eax, 1
		mov	[ebp+var_F8], edx
		or	eax, ecx
		jz	loc_4C2D16
		nop
		mov	eax, [ebp+var_B4]
		mov	ecx, edx
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		mov	[ebp+var_DC], ecx
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_AC], ecx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_4C2E4D
		push	eax
		xor	edx, edx
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		test	al, 40h
		jz	short loc_4C2BAC
		test	byte ptr [ebx+0Ch], 6
		jz	short loc_4C2BD0

loc_4C2B9F:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+3AAj
		mov	esi, [ebp+var_B0]
		xor	edi, edi
		jmp	loc_4C2E72
; 

loc_4C2BAC:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+373j
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_4C2BD0
		test	byte ptr [ebx+0Ch], 4
		jz	short loc_4C2BD0
		mov	eax, [ebp+var_AC]
		mov	eax, [eax+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jz	short loc_4C2B9F

loc_4C2BD0:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+379j
					; MiSetSystemCodeProtection(x,x,x,x)+38Fj ...
		xor	eax, eax
		mov	[ebp+var_100], eax
		mov	[ebp+var_D8], eax
		mov	[ebp+var_FC], eax
		mov	eax, [ebp+var_AC]
		lea	ecx, [eax+10h]
		mov	[ebp+var_C8], ecx
		lock bts dword ptr [ecx], 1Fh
		jnb	short loc_4C2C1A
		mov	edi, ecx

loc_4C2BFC:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+3E7j
					; MiSetSystemCodeProtection(x,x,x,x)+3EEj
		lea	ecx, [ebp+var_FC]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_4C2BFC
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4C2BFC
		mov	eax, [ebp+var_AC]

loc_4C2C1A:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+3D4j
		mov	eax, [eax+8]
		mov	edx, esi
		and	edx, 1Fh
		xor	ecx, ecx
		shld	ecx, edx, 5
		and	eax, 0FFFFFC1Fh
		shl	edx, 5
		or	edx, eax
		mov	eax, [ebp+var_AC]
		or	[eax+0Ch], ecx
		cmp	[ebp+var_E8], 0
		mov	[eax+8], edx
		jz	short loc_4C2C51
		push	4
		pop	edx
		mov	ecx, eax
		call	_MiMarkPfnVerified@8 ; MiMarkPfnVerified(x,x)

loc_4C2C51:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+421j
		mov	eax, [ebp+var_CC]
		and	eax, 42h
		mov	[ebp+var_E0], eax
		or	eax, 0
		jz	short loc_4C2C74
		mov	ecx, [ebp+var_AC]
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	ecx, eax
		jmp	short loc_4C2C80
; 

loc_4C2C74:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+43Fj
		mov	ecx, [ebp+var_100]
		mov	edx, [ebp+var_D8]

loc_4C2C80:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+44Ej
		mov	eax, [ebp+var_C8]
		mov	edi, 7FFFFFFFh
		lock and [eax],	edi
		mov	edi, [ebp+var_BC]
		mov	eax, ecx
		or	eax, edx
		jz	short loc_4C2CA9
		push	edx
		xor	edx, edx
		push	ecx
		inc	edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_4C2CA9:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+474j
		mov	edx, [ebp+var_DC]
		mov	ecx, edi
		push	esi
		call	MiMakeValidPte
		mov	ecx, eax
		mov	eax, esi
		and	al, 5
		cmp	al, 4
		jnz	short loc_4C2CCF
		mov	eax, [ebp+var_E0]
		or	eax, 0
		jz	short loc_4C2CCF
		or	ecx, 42h

loc_4C2CCF:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+49Bj
					; MiSetSystemCodeProtection(x,x,x,x)+4A6j
		nop
		mov	[edi], ecx
		mov	[edi+4], edx
		test	ds:_MiFlags, 300h
		jz	short loc_4C2CFC
		push	edx
		push	ecx
		push	[ebp+var_B4]
		push	[ebp+var_CC]
		call	_MI_TIGHTER_PERMISSIONS@16 ; MI_TIGHTER_PERMISSIONS(x,x,x,x)
		test	eax, eax
		jz	loc_4C2E4D

loc_4C2CFC:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+4BBj
		mov	edx, [ebp+var_C4]
		lea	ecx, [ebp+var_A0]
		push	0
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	loc_4C2E4D
; 

loc_4C2D16:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+32Ej
		mov	eax, edx
		and	eax, 400h
		or	eax, ecx
		jnz	loc_4C2E4D
		mov	eax, edx
		and	eax, 800h
		or	eax, ecx
		jz	loc_4C2E17
		xor	edx, edx
		mov	ecx, edi
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		test	eax, eax
		jz	loc_4C2E60
		mov	ecx, [edi]
		nop
		mov	edx, [edi+4]
		mov	edi, ecx
		mov	eax, dword_6D0700
		mov	esi, dword_6D0704
		mov	[ebp+var_E0], eax
		or	eax, esi
		mov	[ebp+var_DC], esi
		mov	esi, [ebp+var_B8]
		mov	[ebp+var_D8], edi
		mov	[ebp+var_AC], edx
		jz	short loc_4C2DA6
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4C2D9E
		mov	ecx, [ebp+var_E0]
		mov	edx, [ebp+var_DC]
		not	ecx
		not	edx
		and	ecx, edi
		and	edx, [ebp+var_AC]
		jmp	short loc_4C2DA6
; 

loc_4C2D9E:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+55Ej
		mov	edx, [ebp+var_AC]
		mov	ecx, edi

loc_4C2DA6:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+554j
					; MiSetSystemCodeProtection(x,x,x,x)+578j
		shrd	ecx, edx, 0Ch
		mov	eax, [ebp+var_BC]
		and	esi, 1Fh
		and	ecx, 3FFFFFFh
		xor	edx, edx
		imul	edi, ecx, 1Ch
		shld	edx, esi, 5
		shl	esi, 5
		add	edi, ds:_MmPfnDatabase
		mov	ecx, [edi+8]
		or	[edi+0Ch], edx
		and	ecx, 0FFFFFC1Fh
		or	ecx, esi
		mov	[edi+8], ecx
		mov	ecx, [ebp+var_D8]
		and	ecx, 0FFFFFC1Fh
		or	ecx, esi
		mov	esi, [ebp+var_AC]
		or	esi, edx
		mov	[ebp+var_F8], ecx
		mov	[ebp+var_F4], esi
		mov	[eax], ecx
		nop
		mov	[eax+4], esi
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	edi, [ebp+var_BC]
		jmp	short loc_4C2E4D
; 

loc_4C2E17:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+50Aj
		cmp	dword ptr [ebx+0Ch], 100h
		jz	short loc_4C2E4D
		mov	ecx, esi
		xor	eax, eax
		and	ecx, 1Fh
		and	edx, 0FFFFFC1Fh
		shld	eax, ecx, 5
		shl	ecx, 5
		or	ecx, edx
		or	eax, [ebp+var_B4]
		mov	[ebp+var_F8], ecx
		mov	[ebp+var_F4], eax
		mov	[edi], ecx
		mov	[edi+4], eax

loc_4C2E4D:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+363j
					; MiSetSystemCodeProtection(x,x,x,x)+4D2j ...
		add	edi, 8
		add	[ebp+var_C4], 1000h
		mov	[ebp+var_BC], edi

loc_4C2E60:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+51Bj
		mov	esi, [ebp+var_B0]
		cmp	edi, [ebx+8]
		jbe	loc_4C29D0

loc_4C2E6F:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+19Ej
		xor	edi, edi
		inc	edi

loc_4C2E72:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+383j
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		test	esi, esi
		jz	short loc_4C2E8E
		mov	ecx, [ebp+var_A8]
		mov	edx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4C2E8E:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+65Bj
		mov	dl, [ebp+var_A1]
		mov	ecx, [ebp+var_A8]
		call	MiUnlockWorkingSetShared
		mov	eax, edi

loc_4C2EA1:				; CODE XREF: MiSetSystemCodeProtection(x,x,x,x)+97j
					; MiSetSystemCodeProtection(x,x,x,x)+117j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_MiSetSystemCodeProtection@16 endp ; sp	=  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MI_TIGHTER_PERMISSIONS(x, x, x, x)
_MI_TIGHTER_PERMISSIONS@16 proc	near	; CODE XREF: MmProtectPool(x,x,x)+71Cp
					; MmProtectPool(x,x,x)+8F7p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_8]
		mov	eax, edx
		mov	ecx, [ebp+arg_0]
		and	eax, 40h
		push	esi
		xor	esi, esi
		or	eax, esi
		jnz	short loc_4C2ED6
		mov	eax, ecx
		and	eax, 40h
		or	eax, esi
		jnz	short loc_4C2F01

loc_4C2ED6:				; CODE XREF: MI_TIGHTER_PERMISSIONS(x,x,x,x)+15j
		cmp	[ebp+arg_C], esi
		jg	short loc_4C2EEC
		jl	short loc_4C2EE1
		cmp	edx, esi
		jnb	short loc_4C2EEC

loc_4C2EE1:				; CODE XREF: MI_TIGHTER_PERMISSIONS(x,x,x,x)+25j
		cmp	[ebp+arg_4], esi
		jg	short loc_4C2F01
		jl	short loc_4C2EEC
		cmp	ecx, esi
		jnb	short loc_4C2F01

loc_4C2EEC:				; CODE XREF: MI_TIGHTER_PERMISSIONS(x,x,x,x)+23j
					; MI_TIGHTER_PERMISSIONS(x,x,x,x)+29j ...
		and	edx, 2
		or	edx, esi
		jnz	short loc_4C2EFA
		and	ecx, 2
		or	ecx, esi
		jnz	short loc_4C2F01

loc_4C2EFA:				; CODE XREF: MI_TIGHTER_PERMISSIONS(x,x,x,x)+3Bj
		xor	eax, eax

loc_4C2EFC:				; CODE XREF: MI_TIGHTER_PERMISSIONS(x,x,x,x)+4Ej
		pop	esi
		pop	ebp
		retn	10h
; 

loc_4C2F01:				; CODE XREF: MI_TIGHTER_PERMISSIONS(x,x,x,x)+1Ej
					; MI_TIGHTER_PERMISSIONS(x,x,x,x)+2Ej ...
		xor	eax, eax
		inc	eax
		jmp	short loc_4C2EFC
_MI_TIGHTER_PERMISSIONS@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeDriverPagesPrivate(x,	x, x, x)
_MiMakeDriverPagesPrivate@16 proc near	; CODE XREF: MiLockCode(x,x,x,x)+288p
					; MiSetSystemCodeProtection(x,x,x,x)+10Cp ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_1C], eax
		xor	ecx, ecx
		shl	eax, 9
		push	esi
		mov	esi, dword_6D07D0
		mov	edx, eax
		shr	edx, 15h
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_38], ecx
		mov	byte ptr [ebp+var_4+3],	cl
		push	edi
		cmp	eax, esi
		jb	short loc_4C2F7E
		cmp	byte ptr dword_6D3994[edx], 1
		jz	short loc_4C2F5D
		cmp	eax, esi
		jb	short loc_4C2F7E
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jnz	short loc_4C2F7E

loc_4C2F5D:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+48j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	esi, [eax+180h]
		mov	[ebp+var_28], esi
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		mov	edi, eax
		mov	[ebp+var_C], eax
		jmp	short loc_4C2F89
; 

loc_4C2F7E:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+3Fj
					; MiMakeDriverPagesPrivate(x,x,x,x)+4Cj ...
		mov	edi, offset unk_6D3740
		mov	[ebp+var_28], ecx
		mov	[ebp+var_C], edi

loc_4C2F89:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+76j
		mov	eax, [ebp+var_14]
		mov	edx, ecx
		add	eax, 5Ch
		mov	[ebp+var_24], edx
		test	byte ptr [ebx+0Ch], 3
		jnz	short loc_4C2FB5
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_4C2FB5
		test	ds:_MiFlags, 8000h
		jz	short loc_4C2FB5
		push	2
		pop	edx
		mov	[ebp+var_24], edx

loc_4C2FB5:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+92j
					; MiMakeDriverPagesPrivate(x,x,x,x)+9Bj ...
		mov	esi, [ebx+0Ch]
		and	esi, 4
		mov	[ebp+var_40], esi
		jz	short loc_4C2FC6
		or	edx, 1
		mov	[ebp+var_24], edx

loc_4C2FC6:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+B8j
		or	[ebp+var_10], 0FFFFFFFFh
		xor	edx, edx
		mov	esi, [ebp+var_1C]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_34], ecx
		mov	ecx, eax
		call	_MiLockLoaderEntry@8 ; MiLockLoaderEntry(x,x)
		mov	ecx, edi
		call	MiLockWorkingSetShared
		mov	ecx, [ebx+8]
		xor	edi, edi
		mov	byte ptr [ebp+var_4+2],	al
		cmp	esi, ecx
		ja	loc_4C33C6
		mov	ecx, edi

loc_4C2FF5:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+438j
		test	ecx, ecx
		jz	short loc_4C300B
		test	esi, 0FFFh
		jnz	short loc_4C302B
		mov	edx, ecx
		mov	ecx, [ebp+var_C]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4C300B:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+F1j
		mov	ecx, [ebp+var_C]
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		push	edi
		mov	edx, eax
		mov	[ebp+var_8], eax
		call	MiLockPageTableInternal
		mov	ecx, [ebp+var_8]

loc_4C302B:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+F9j
		mov	edx, [esi]
		mov	[ebp+var_48], edx
		nop
		mov	eax, [esi+4]
		mov	[ebp+var_20], eax
		mov	eax, edx
		or	eax, [ebp+var_20]
		jz	loc_4C3338
		mov	eax, edx
		and	eax, 1
		or	eax, edi
		jnz	loc_4C30E1
		mov	eax, edx
		and	eax, 400h
		or	eax, edi
		jz	loc_4C3338
		mov	edx, ecx
		mov	ecx, [ebp+var_C]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+var_4+2]
		mov	ecx, [ebp+var_C]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		lea	ecx, [ecx+5Ch]
		call	MiUnlockLoaderEntry
		push	edi
		mov	eax, esi
		shl	eax, 9
		push	edi
		push	eax
		push	edi
		mov	[ebp+var_44], eax
		call	MmAccessFault
		mov	[ebp+var_3C], eax
		test	eax, eax
		jns	short loc_4C30AB
		cmp	esi, [ebp+var_1C]
		jz	loc_4C3400
		test	byte ptr [ebx+0Ch], 8
		jz	loc_4C3400

loc_4C30AB:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+190j
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		lea	ecx, [ecx+5Ch]
		call	_MiLockLoaderEntry@8 ; MiLockLoaderEntry(x,x)
		mov	ecx, [ebp+var_C]
		call	MiLockWorkingSetShared
		cmp	[ebp+var_3C], 0
		jl	short loc_4C30D7
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		push	edi
		call	MiLockPageTableInternal
		jmp	loc_4C33A1
; 

loc_4C30D7:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+1BEj
		mov	ecx, edi
		mov	[ebp+var_8], ecx
		jmp	loc_4C3338
; 

loc_4C30E1:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+143j
		nop
		mov	ecx, [ebp+var_20]
		mov	eax, edx
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		imul	ecx, eax, 1Ch
		mov	eax, ds:_MmPfnDatabase
		mov	[ebp+var_30], eax
		add	ecx, eax
		mov	[ebp+var_18], ecx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_4C3335
		test	dword ptr [ecx+18h], (offset loc_7FFFFF+1)
		jnz	short loc_4C3123
		mov	eax, [ecx+4]
		test	eax, eax
		js	short loc_4C3123
		jnz	loc_4C3335

loc_4C3123:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+20Ej
					; MiMakeDriverPagesPrivate(x,x,x,x)+215j
		test	byte ptr [ebx+0Ch], 1
		jz	short loc_4C3146
		mov	eax, edx
		and	eax, 800h
		or	eax, edi
		jnz	loc_4C3335
		and	edx, 200h
		or	edx, edi
		jz	loc_4C3335

loc_4C3146:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+221j
		mov	edx, [ebp+var_18]
		mov	ecx, [ecx+8]
		mov	eax, [edx+0Ch]
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		test	byte ptr ds:_MiFlags+2,	1
		mov	[ebp+var_3C], ecx
		jz	short loc_4C3177
		cmp	[ebp+var_28], 0
		jnz	short loc_4C316E
		test	byte ptr [ebx+0Ch], 2
		jz	short loc_4C3177

loc_4C316E:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+260j
		test	cl, 2
		jnz	loc_4C33A6

loc_4C3177:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+25Aj
					; MiMakeDriverPagesPrivate(x,x,x,x)+266j
		cmp	[ebp+var_40], 0
		jz	short loc_4C3193
		mov	edx, [ebp+var_14]
		test	byte ptr [edx+70h], 1
		mov	edx, [ebp+var_18]
		jnz	short loc_4C3193
		test	byte ptr [edx+17h], 8
		jnz	loc_4C3335

loc_4C3193:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+275j
					; MiMakeDriverPagesPrivate(x,x,x,x)+281j
		mov	eax, [ebp+var_10]
		cmp	eax, 0FFFFFFFFh
		jz	loc_4C3346
		imul	eax, 1Ch
		mov	edx, ecx
		mov	ecx, offset _MiSystemPartition
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	MiUseSlabAllocatorForDriverPage
		test	eax, eax
		jz	short loc_4C3225
		mov	eax, [ebp+var_20]
		add	eax, [ebp+var_30]
		mov	ecx, eax
		mov	[ebp+var_30], eax
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jz	short loc_4C3234
		push	[ebp+var_3C]
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_30]
		call	_MiCheckSlabPage@12 ; MiCheckSlabPage(x,x,x)
		test	eax, eax
		jz	short loc_4C3234

loc_4C31DF:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+32Cj
					; MiMakeDriverPagesPrivate(x,x,x,x)+331j
		mov	eax, [ebp+var_10]

loc_4C31E2:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+34Aj
		cmp	eax, 0FFFFFFFFh
		jz	loc_4C3346
		push	[ebp+var_24]
		mov	ecx, esi
		mov	edx, esi
		shl	ecx, 9
		push	eax
		mov	[ebp+var_48], ecx
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		cmp	[ebp+var_28], 0
		jz	short loc_4C3252
		cmp	[ebp+var_38], 0
		jnz	short loc_4C3252
		mov	eax, [ebp+var_14]
		mov	ecx, [eax+18h]
		call	_MiSessionLookupImage@4	; MiSessionLookupImage(x)
		mov	[ebp+var_38], eax
		cmp	byte ptr [eax+24h], 0
		jz	short loc_4C3252
		mov	al, 1
		mov	byte ptr [ebp+var_4+3],	al
		jmp	short loc_4C3255
; 

loc_4C3225:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+2B1j
		mov	ecx, [ebp+var_30]
		add	ecx, [ebp+var_20]
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jz	short loc_4C31DF

loc_4C3234:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+2C5j
					; MiMakeDriverPagesPrivate(x,x,x,x)+2D7j
		cmp	[ebp+var_34], esi
		jz	short loc_4C31DF
		mov	ecx, [ebp+var_20]
		add	ecx, ds:_MmPfnDatabase
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_34], esi
		mov	[ebp+var_10], eax
		jmp	short loc_4C31E2
; 

loc_4C3252:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+2FCj
					; MiMakeDriverPagesPrivate(x,x,x,x)+302j ...
		mov	al, byte ptr [ebp+var_4+3]

loc_4C3255:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+31Dj
		test	al, al
		jz	loc_4C3301
		mov	ecx, [ebp+var_14]
		mov	edx, esi
		call	_MiDriverPageMustStayResident@8	; MiDriverPageMustStayResident(x,x)
		test	al, al
		jz	loc_4C3301
		mov	eax, [ebp+var_18]
		add	eax, 10h
		mov	[ebp+var_3C], edi
		mov	[ebp+var_30], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_4C329B
		mov	edi, eax

loc_4C3284:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+38Aj
					; MiMakeDriverPagesPrivate(x,x,x,x)+391j
		lea	ecx, [ebp+var_3C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_4C3284
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4C3284
		xor	edi, edi

loc_4C329B:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+37Aj
		mov	ecx, [ebp+var_18]
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, [ebp+var_30]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		imul	eax, [ebp+var_10], 1Ch
		mov	[ebp+var_44], edi
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_20], eax
		lea	ecx, [eax+10h]
		mov	[ebp+var_30], ecx
		lock bts dword ptr [ecx], 1Fh
		jnb	short loc_4C32E7
		mov	edi, ecx

loc_4C32CD:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+3D3j
					; MiMakeDriverPagesPrivate(x,x,x,x)+3DAj
		lea	ecx, [ebp+var_44]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_4C32CD
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4C32CD
		mov	eax, [ebp+var_20]
		xor	edi, edi

loc_4C32E7:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+3C3j
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	eax, [ebp+var_30]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	eax, [ebp+var_20]
		jmp	short loc_4C330B
; 

loc_4C3301:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+351j
					; MiMakeDriverPagesPrivate(x,x,x,x)+363j
		imul	eax, [ebp+var_10], 1Ch
		add	eax, ds:_MmPfnDatabase

loc_4C330B:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+3F9j
		or	[ebp+var_10], 0FFFFFFFFh
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_4C3335
		mov	eax, [eax+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jnz	short loc_4C3335
		push	[ebp+var_48]
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_14]
		call	_MiMakeDriverPageStayResident@12 ; MiMakeDriverPageStayResident(x,x,x)

loc_4C3335:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+201j
					; MiMakeDriverPagesPrivate(x,x,x,x)+217j ...
		mov	ecx, [ebp+var_8]

loc_4C3338:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+136j
					; MiMakeDriverPagesPrivate(x,x,x,x)+152j ...
		add	esi, 8

loc_4C333B:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+49Ej
		cmp	esi, [ebx+8]
		jbe	loc_4C2FF5
		jmp	short loc_4C33B2
; 

loc_4C3346:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+293j
					; MiMakeDriverPagesPrivate(x,x,x,x)+2DFj
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+var_4+2]
		mov	ecx, [ebp+var_C]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		lea	ecx, [ecx+5Ch]
		call	MiUnlockLoaderEntry
		mov	edx, [ebp+var_3C]
		mov	ecx, offset _MiSystemPartition
		push	edi
		call	MiAllocateDriverPage
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		mov	[ebp+var_10], eax
		lea	ecx, [ecx+5Ch]
		call	_MiLockLoaderEntry@8 ; MiLockLoaderEntry(x,x)
		mov	ecx, [ebp+var_C]
		call	MiLockWorkingSetShared
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		push	edi
		call	MiLockPageTableInternal
		cmp	[ebp+var_10], 0FFFFFFFFh
		jz	short loc_4C33AD

loc_4C33A1:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+1CCj
		mov	ecx, [ebp+var_8]
		jmp	short loc_4C333B
; 

loc_4C33A6:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+26Bj
		mov	edi, 0C0000045h
		jmp	short loc_4C33B2
; 

loc_4C33AD:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+499j
		mov	edi, 0C0000017h

loc_4C33B2:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+43Ej
					; MiMakeDriverPagesPrivate(x,x,x,x)+4A5j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_4C33C3
		mov	ecx, [ebp+var_C]
		mov	edx, eax
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4C33C3:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+4B1j
		mov	al, byte ptr [ebp+var_4+2]

loc_4C33C6:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+E7j
		mov	ecx, [ebp+var_C]
		mov	dl, al
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		lea	ecx, [ecx+5Ch]
		call	MiUnlockLoaderEntry
		mov	eax, [ebp+var_10]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4C33F3
		imul	ecx, eax, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)

loc_4C33F3:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+4DDj
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4C3400:				; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+195j
					; MiMakeDriverPagesPrivate(x,x,x,x)+19Fj
		push	eax
		push	[ebp+var_48]
		push	[ebp+var_44]
		push	3000h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MiMakeDriverPagesPrivate@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockLoaderEntry proc near		; CODE XREF: MiSetPagingOfDriver+1B6p
					; MiMakeDriverPagesPrivate(x,x,x,x)+175p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C4767 SIZE 00000057 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, large fs:124h
		add	ecx, 38h
		mov	[ebp+var_28], eax
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		test	edx, edx
		jnz	loc_4C359E
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4C35D3

loc_4C345D:				; CODE XREF: MiUnlockLoaderEntry+1C7j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4C3575
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_4C349A
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4C3586

loc_4C349A:				; CODE XREF: MiUnlockLoaderEntry+77j
		cmp	ecx, [ebp+var_20]
		jb	short loc_4C34AC
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4C3586

loc_4C34AC:				; CODE XREF: MiUnlockLoaderEntry+89j
					; MiUnlockLoaderEntry+185j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_4C35C0
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4C35E0

loc_4C34ED:				; CODE XREF: MiUnlockLoaderEntry+1D4j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5C477A
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4C3539:				; CODE XREF: MiUnlockLoaderEntry+1B4j
					; MiUnlockLoaderEntry+101378j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	loc_4C35ED

loc_4C3550:				; CODE XREF: MiUnlockLoaderEntry+212j
					; MiUnlockLoaderEntry+101399j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_4C3575
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_4C3631

loc_4C3575:				; CODE XREF: MiUnlockLoaderEntry+54j
					; MiUnlockLoaderEntry+153j ...
		mov	ecx, [ebp+var_28]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4C3586:				; CODE XREF: MiUnlockLoaderEntry+80j
					; MiUnlockLoaderEntry+92j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax
		jmp	loc_4C34AC
; 

loc_4C359E:				; CODE XREF: MiUnlockLoaderEntry+2Dj
		cmp	edx, 2
		jnz	loc_5C47B2
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	loc_4C363B

loc_4C35B9:				; CODE XREF: MiUnlockLoaderEntry+22Fj
		call	KeAbPostRelease
		jmp	short loc_4C3575
; 

loc_4C35C0:				; CODE XREF: MiUnlockLoaderEntry+C1j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4C3539
		jmp	loc_5C4767
; 

loc_4C35D3:				; CODE XREF: MiUnlockLoaderEntry+43j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_4C345D
; 

loc_4C35E0:				; CODE XREF: MiUnlockLoaderEntry+D3j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_4C34ED
; 

loc_4C35ED:				; CODE XREF: MiUnlockLoaderEntry+136j
		test	edi, 8000h
		jz	short loc_4C35FE
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4C35FE:				; CODE XREF: MiUnlockLoaderEntry+1DFj
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5C4791

loc_4C3608:				; CODE XREF: MiUnlockLoaderEntry+101387j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4C361C
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4C361C:				; CODE XREF: MiUnlockLoaderEntry+1FBj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4C3550
		jmp	loc_5C47A0
; 

loc_4C3631:				; CODE XREF: MiUnlockLoaderEntry+15Bj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4C3575
; 

loc_4C363B:				; CODE XREF: MiUnlockLoaderEntry+19Fj
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_4C35B9
MiUnlockLoaderEntry endp


;  S U B	R O U T	I N E 


; __stdcall MiLockLoaderEntry(x, x)
_MiLockLoaderEntry@8 proc near		; CODE XREF: MiSetPagingOfDriver+6Ep
					; MiMakeDriverPagesPrivate(x,x,x,x)+D1p ...
		mov	edi, edi
		push	ecx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		add	ecx, 38h
		test	edx, edx
		jnz	short loc_4C3667
		call	ExAcquirePushLockExclusiveEx
		pop	ecx
		retn
; 

loc_4C3667:				; CODE XREF: MiLockLoaderEntry(x,x)+16j
		cmp	edx, 2
		jnz	short loc_4C3675
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		pop	ecx
		retn
; 

loc_4C3675:				; CODE XREF: MiLockLoaderEntry(x,x)+22j
		xor	edx, edx
		call	ExAcquireAutoExpandPushLockExclusive
		pop	ecx
		retn
_MiLockLoaderEntry@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1145. KeFlushQueuedDpcs

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeFlushQueuedDpcs
KeFlushQueuedDpcs proc near		; CODE XREF: KeCleanupThreadState(x)+13j
					; CcDeletePartition(x)+55p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C47BE SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		lea	edx, [ebp+var_10]
		lea	ecx, [ebp+var_1C]
		stosd
		stosd
		xor	eax, eax
		and	[ebp+var_20], eax
		lea	edi, [ebp+var_10]
		mov	[ebp+var_24], eax
		stosd
		stosd
		stosd
		call	_KiGetDeepIdleProcessors@8 ; KiGetDeepIdleProcessors(x,x)
		mov	eax, [ebp+var_14]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_2C], eax
		pop	edi

loc_4C36C5:				; CODE XREF: KeFlushQueuedDpcs+64j
					; KeFlushQueuedDpcs+101146j
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_4C36EF
		mov	eax, [ebp+var_20]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	eax, [eax+223Ch]
		test	eax, eax
		jz	short loc_4C36C5
		jmp	loc_5C47BE
; 

loc_4C36EF:				; CODE XREF: KeFlushQueuedDpcs+50j
		push	2
		push	0
		mov	edx, offset KiFlushQueuedDpcsWorker
		lea	ecx, [ebp+var_10]
		call	_KeGenericProcessorCallback@16 ; KeGenericProcessorCallback(x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
KeFlushQueuedDpcs endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGetDeepIdleProcessors(x, x)
_KiGetDeepIdleProcessors@8 proc	near	; CODE XREF: KeFlushQueuedDpcs+2Fp
					; KeRemoveQueueDpcEx+DC256p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, edx
		xor	ecx, ecx
		lock or	[eax], ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_PoCopyDeepIdleMask@4 ;	PoCopyDeepIdleMask(x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	esi
		push	edi
		call	_KeComplementAffinityEx@8 ; KeComplementAffinityEx(x,x)
		push	edi
		push	offset _KeActiveProcessors
		push	edi
		call	_KeAndAffinityEx@12 ; KeAndAffinityEx(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiGetDeepIdleProcessors@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1227. KeQueryLogicalProcessorRelationship

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeQueryLogicalProcessorRelationship
KeQueryLogicalProcessorRelationship proc near ;	CODE XREF: PAGE:00780739p

var_A4		= dword	ptr -0A4h
var_A0		= word ptr -0A0h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C47CF SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_98], ecx
		mov	ecx, [ecx]
		mov	[ebp+var_6C], eax
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_70], ecx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_54], esi
		test	eax, eax
		jnz	loc_4C3C93
		mov	eax, ds:_KeNumberProcessors
		mov	ecx, ebx
		dec	eax
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_80], eax

loc_4C37A9:				; CODE XREF: KeQueryLogicalProcessorRelationship+553j
		push	edi
		push	5
		xor	esi, esi
		mov	[ebp+var_94], ecx
		lea	eax, [ebp+var_3C]
		mov	edx, ebx
		pop	edi
		inc	esi

loc_4C37BB:				; CODE XREF: KeQueryLogicalProcessorRelationship+74j
		mov	[eax-4], si
		mov	[eax-2], si
		mov	[eax], ebx
		lea	eax, [eax+0Ch]
		mov	[eax-8], ebx
		sub	edi, 1
		jnz	short loc_4C37BB
		mov	esi, [ebp+var_54]
		lea	edi, [ebp+var_A4]
		xor	eax, eax
		mov	[ebp+var_84], ebx
		inc	eax
		mov	[ebp+var_8C], ebx
		mov	word ptr [ebp+var_90], ax
		mov	word ptr [ebp+var_90+2], ax
		xor	eax, eax
		stosd
		mov	[ebp+var_88], ebx
		stosd
		stosd

loc_4C3801:				; CODE XREF: KeQueryLogicalProcessorRelationship+10Aj
		cmp	ecx, [ebp+var_80]
		ja	short loc_4C3866
		cmp	[ebp+arg_4], 3
		mov	eax, [ebp+var_84]
		mov	edi, ds:_KiProcessorBlock[ecx*4]
		mov	[ebp+var_74], eax
		mov	[ebp+var_68], edi
		jz	loc_4C3928
		cmp	[ebp+arg_4], 0FFFFh
		jz	loc_4C3928

loc_4C3830:				; CODE XREF: KeQueryLogicalProcessorRelationship+1FAj
		cmp	[ebp+arg_4], 0FFFFh
		jz	loc_4C3BFB
		cmp	[ebp+arg_4], ebx
		jz	loc_4C3BFB

loc_4C3846:				; CODE XREF: KeQueryLogicalProcessorRelationship+4C7j
					; KeQueryLogicalProcessorRelationship+534j ...
		cmp	[ebp+arg_4], 2
		jz	loc_4C3AE2
		cmp	[ebp+arg_4], 0FFFFh
		jz	loc_4C3AE2

loc_4C385D:				; CODE XREF: KeQueryLogicalProcessorRelationship+39Fj
					; KeQueryLogicalProcessorRelationship+41Fj
		mov	ecx, [ebp+var_7C]
		inc	ecx
		mov	[ebp+var_7C], ecx
		jmp	short loc_4C3801
; 

loc_4C3866:				; CODE XREF: KeQueryLogicalProcessorRelationship+AAj
		xor	edi, edi
		inc	edi
		cmp	[ebp+arg_4], edi
		jnz	loc_4C3959

loc_4C3872:				; CODE XREF: KeQueryLogicalProcessorRelationship+208j
		movzx	eax, ds:_KeNumberNodes
		mov	[ebp+var_58], eax

loc_4C387C:				; CODE XREF: KeQueryLogicalProcessorRelationship+18Bj
		mov	ecx, ds:_KeNodeBlock[ebx*4]
		mov	eax, [ecx+84h]
		mov	[ebp+var_78], eax
		test	eax, eax
		jz	short loc_4C38E1
		cmp	[ebp+var_6C], 0
		mov	cx, [ecx+88h]
		mov	word ptr [ebp+var_50+2], cx
		jnz	loc_4C3CB2

loc_4C38A5:				; CODE XREF: KeQueryLogicalProcessorRelationship+562j
		push	2Ch
		pop	eax
		add	edx, eax
		cmp	edx, [ebp+var_70]
		ja	loc_4C3CD3
		mov	[esi], edi
		lea	edi, [esi+0Ch]
		mov	[esi+4], eax
		xor	eax, eax
		mov	[esi+8], ebx
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esi+20h]
		stosd
		stosd
		stosd
		mov	ax, word ptr [ebp+var_50+2]
		xor	edi, edi
		mov	[esi+24h], ax
		mov	eax, [ebp+var_78]
		mov	[esi+20h], eax
		add	esi, 2Ch
		inc	edi

loc_4C38E1:				; CODE XREF: KeQueryLogicalProcessorRelationship+134j
					; KeQueryLogicalProcessorRelationship+568j ...
		inc	ebx
		cmp	ebx, [ebp+var_58]
		jb	short loc_4C387C
		mov	[ebp+var_50], edx
		xor	ebx, ebx

loc_4C38EC:				; CODE XREF: KeQueryLogicalProcessorRelationship+206j
		push	4
		pop	edi
		cmp	[ebp+arg_4], edi
		jz	short loc_4C396D
		cmp	[ebp+arg_4], 0FFFFh
		jz	short loc_4C3967

loc_4C38FD:				; CODE XREF: KeQueryLogicalProcessorRelationship+211j
					; KeQueryLogicalProcessorRelationship+254j ...
		mov	eax, [ebp+var_5C]

loc_4C3900:				; CODE XREF: KeQueryLogicalProcessorRelationship+377j
		mov	ecx, [ebp+var_50]
		pop	edi
		test	eax, eax
		jnz	short loc_4C3910
		test	ecx, ecx
		jz	loc_5C47D9

loc_4C3910:				; CODE XREF: KeQueryLogicalProcessorRelationship+1ACj
					; KeQueryLogicalProcessorRelationship+101084j
		mov	edx, [ebp+var_98]
		mov	[edx], ecx

loc_4C3918:				; CODE XREF: KeQueryLogicalProcessorRelationship+10107Aj
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_4C3928:				; CODE XREF: KeQueryLogicalProcessorRelationship+C3j
					; KeQueryLogicalProcessorRelationship+D0j
		lea	esi, [edi+4014h]
		lea	edi, [ebp+var_4C]
		movsd
		movsd
		movsd
		mov	eax, [ebp+var_44]
		and	eax, [ebp+var_88]
		cmp	[ebp+var_6C], ebx
		jnz	loc_4C39FD
		test	eax, eax
		jz	loc_4C39FD
		mov	esi, [ebp+var_54]

loc_4C3951:				; CODE XREF: KeQueryLogicalProcessorRelationship+36Dj
					; KeQueryLogicalProcessorRelationship+383j
		mov	edi, [ebp+var_68]
		jmp	loc_4C3830
; 

loc_4C3959:				; CODE XREF: KeQueryLogicalProcessorRelationship+112j
		cmp	[ebp+arg_4], 0FFFFh
		jnz	short loc_4C38EC
		jmp	loc_4C3872
; 

loc_4C3967:				; CODE XREF: KeQueryLogicalProcessorRelationship+1A1j
		cmp	[ebp+var_6C], 0
		jnz	short loc_4C38FD

loc_4C396D:				; CODE XREF: KeQueryLogicalProcessorRelationship+198j
		mov	cx, ds:_KiActiveGroups
		movzx	eax, cx
		imul	eax, 2Ch
		add	eax, 23h
		and	eax, 0FFFFFFFCh
		add	edx, eax
		mov	[ebp+var_50], edx
		cmp	edx, [ebp+var_70]
		ja	loc_4C3ACC
		mov	[esi+4], eax
		mov	ax, ds:_KiMaximumGroups
		mov	[esi], edi
		lea	edi, [esi+0Ch]
		mov	[esi+8], ax
		xor	eax, eax
		mov	[esi+0Ah], cx
		stosd
		stosd
		stosd
		stosd
		stosd
		test	cx, cx
		jz	loc_4C38FD
		lea	edi, [esi+21h]
		mov	[ebp+var_58], edi

loc_4C39BA:				; CODE XREF: KeQueryLogicalProcessorRelationship+2A1j
		movzx	esi, bx
		push	esi
		call	KeQueryMaximumProcessorCountEx
		push	esi
		mov	[edi-1], al
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	[edi], al
		mov	eax, ds:dword_70E328[ebx*4]
		mov	[edi+27h], eax
		xor	eax, eax
		inc	edi
		inc	ebx
		push	9
		pop	ecx
		rep stosd
		stosw
		mov	edi, [ebp+var_58]
		movzx	eax, ds:_KiActiveGroups
		add	edi, 2Ch
		mov	[ebp+var_58], edi
		cmp	ebx, eax
		jnb	loc_4C38FD
		jmp	short loc_4C39BA
; 

loc_4C39FD:				; CODE XREF: KeQueryLogicalProcessorRelationship+1E6j
					; KeQueryLogicalProcessorRelationship+1EEj
		lea	eax, [ebp+var_90]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		lea	eax, [ebp+var_90]
		push	eax
		call	_KeOrAffinityEx@12 ; KeOrAffinityEx(x,x,x)
		mov	cx, word ptr [ebp+var_4C]
		xor	eax, eax
		mov	edi, ebx
		cmp	ax, cx
		jnb	short loc_4C3A34
		lea	eax, [ebp+var_44]
		movzx	ecx, cx

loc_4C3A27:				; CODE XREF: KeQueryLogicalProcessorRelationship+2D8j
		cmp	[eax], ebx
		jz	short loc_4C3A2C
		inc	edi

loc_4C3A2C:				; CODE XREF: KeQueryLogicalProcessorRelationship+2CFj
		add	eax, 4
		sub	ecx, 1
		jnz	short loc_4C3A27

loc_4C3A34:				; CODE XREF: KeQueryLogicalProcessorRelationship+2C5j
		mov	edx, [ebp+var_50]
		mov	esi, [ebp+var_54]
		movzx	eax, di
		imul	ecx, eax, 0Ch
		add	ecx, 23h
		and	ecx, 0FFFFFFFCh
		add	edx, ecx
		mov	[ebp+var_50], edx
		cmp	edx, [ebp+var_70]
		ja	loc_4C3AD6
		mov	[esi+1Eh], di
		xor	eax, eax
		mov	dword ptr [esi], 3
		lea	edi, [esi+0Ah]
		mov	[esi+4], ecx
		mov	[esi+8], bx
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esi+20h]
		mov	[ebp+var_58], eax
		xor	edi, edi
		mov	eax, ebx
		mov	[ebp+var_64], eax
		cmp	di, word ptr [ebp+var_4C]
		jnb	short loc_4C3AC2
		mov	edx, [ebp+var_58]
		lea	edi, [ebp+var_44]
		mov	[ebp+var_60], edi

loc_4C3A8B:				; CODE XREF: KeQueryLogicalProcessorRelationship+360j
		mov	esi, [edi]
		mov	[ebp+var_58], esi
		test	esi, esi
		jz	short loc_4C3AAC
		mov	edi, edx
		xor	eax, eax
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_64]
		mov	edi, esi
		mov	[edx], edi
		mov	edi, [ebp+var_60]
		mov	[edx+4], ax
		add	edx, 0Ch

loc_4C3AAC:				; CODE XREF: KeQueryLogicalProcessorRelationship+338j
		inc	eax
		add	edi, 4
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], edi
		cmp	ax, word ptr [ebp+var_4C]
		jb	short loc_4C3A8B
		mov	esi, [ebp+var_54]
		mov	edx, [ebp+var_50]

loc_4C3AC2:				; CODE XREF: KeQueryLogicalProcessorRelationship+326j
		add	esi, ecx
		mov	[ebp+var_54], esi
		jmp	loc_4C3951
; 

loc_4C3ACC:				; CODE XREF: KeQueryLogicalProcessorRelationship+22Ej
		mov	eax, 0C0000004h
		jmp	loc_4C3900
; 

loc_4C3AD6:				; CODE XREF: KeQueryLogicalProcessorRelationship+2F4j
		mov	[ebp+var_5C], 0C0000004h
		jmp	loc_4C3951
; 

loc_4C3AE2:				; CODE XREF: KeQueryLogicalProcessorRelationship+F0j
					; KeQueryLogicalProcessorRelationship+FDj
		movzx	eax, byte ptr [edi+3C5h]
		mov	[ebp+var_A0], ax
		mov	[ebp+var_64], ebx
		cmp	[edi+4010h], ebx
		jbe	loc_4C385D
		lea	eax, [edi+3FD5h]
		mov	[ebp+var_60], eax
		lea	ecx, [edi+4038h]
		lea	eax, [ebp+var_38]
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], eax

loc_4C3B17:				; CODE XREF: KeQueryLogicalProcessorRelationship+41Aj
		mov	edx, [edi+3C8h]
		mov	ecx, [ecx]
		mov	[ebp+var_74], edx
		mov	edx, [ebp+var_50]
		mov	[ebp+var_78], ecx
		test	ecx, ecx
		jz	short loc_4C3B89
		mov	[ebp+var_74], ecx
		add	eax, 0FFFFFFF8h
		mov	[ebp+var_A4], ecx
		lea	ecx, [ebp+var_A4]
		push	ebx
		push	ecx
		push	eax
		call	KeAndGroupAffinityEx
		cmp	[ebp+var_6C], ebx
		jnz	short loc_4C3B7E
		test	eax, eax
		jz	short loc_4C3B7E

loc_4C3B4F:				; CODE XREF: KeQueryLogicalProcessorRelationship+490j
		mov	eax, [ebp+var_54]

loc_4C3B52:				; CODE XREF: KeQueryLogicalProcessorRelationship+49Cj
		inc	[ebp+var_64]
		add	eax, 0Ch
		mov	ecx, [ebp+var_58]
		mov	edx, [ebp+var_64]
		add	ecx, 4
		add	[ebp+var_60], 0Ch
		cmp	edx, [edi+4010h]
		mov	edx, [ebp+var_50]
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], eax
		jb	short loc_4C3B17
		mov	[ebp+var_54], esi
		jmp	loc_4C385D
; 

loc_4C3B7E:				; CODE XREF: KeQueryLogicalProcessorRelationship+3EFj
					; KeQueryLogicalProcessorRelationship+3F3j
		mov	eax, [ebp+var_54]
		mov	ecx, [ebp+var_78]
		mov	edx, [ebp+var_50]
		or	[eax], ecx

loc_4C3B89:				; CODE XREF: KeQueryLogicalProcessorRelationship+3D0j
		push	34h
		pop	ecx
		add	edx, ecx
		mov	[ebp+var_50], edx
		cmp	edx, [ebp+var_70]
		ja	short loc_4C3BEF
		mov	[esi+4], ecx
		lea	edi, [esi+14h]
		mov	ecx, [ebp+var_60]
		mov	dword ptr [esi], 2
		mov	al, [ecx-1]
		mov	[esi+8], al
		mov	al, [ecx]
		mov	[esi+9], al
		mov	ax, [ecx+1]
		mov	[esi+0Ah], ax
		mov	eax, [ecx+3]
		mov	[esi+0Ch], eax
		mov	eax, [ecx+7]
		mov	[esi+10h], eax
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esi+28h]
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_68]
		movzx	eax, byte ptr [edi+3C5h]
		mov	[esi+2Ch], ax
		mov	eax, [ebp+var_74]
		mov	[esi+28h], eax
		add	esi, 34h
		jmp	loc_4C3B4F
; 

loc_4C3BEF:				; CODE XREF: KeQueryLogicalProcessorRelationship+43Aj
		mov	[ebp+var_5C], 0C0000004h
		jmp	loc_4C3B52
; 

loc_4C3BFB:				; CODE XREF: KeQueryLogicalProcessorRelationship+DDj
					; KeQueryLogicalProcessorRelationship+E6j
		movzx	eax, byte ptr [edi+3C5h]
		mov	[ebp+var_A0], ax
		mov	eax, [edi+402Ch]
		mov	ecx, eax
		and	ecx, [ebp+var_74]
		mov	[ebp+var_A4], eax
		cmp	[ebp+var_6C], ebx
		jnz	short loc_4C3C27
		test	ecx, ecx
		jnz	loc_4C3846

loc_4C3C27:				; CODE XREF: KeQueryLogicalProcessorRelationship+4C3j
		mov	ecx, eax
		or	ecx, [ebp+var_74]
		cmp	[edi+3C8h], eax
		push	2Ch
		mov	[ebp+var_84], ecx
		setnz	al
		pop	ecx
		add	edx, ecx
		mov	[ebp+var_50], edx
		cmp	edx, [ebp+var_70]
		ja	short loc_4C3CC7
		mov	[esi+8], al
		mov	[esi], ebx
		mov	[esi+4], ecx
		mov	al, [edi+3ED0h]
		lea	edi, [esi+0Ah]
		mov	[esi+9], al
		xor	eax, eax
		inc	eax
		mov	[esi+1Eh], ax
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esi+20h]
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_68]
		movzx	eax, byte ptr [edi+3C5h]
		mov	[esi+24h], ax
		mov	eax, [edi+402Ch]
		mov	[esi+20h], eax
		add	esi, ecx
		mov	[ebp+var_54], esi
		jmp	loc_4C3846
; 

loc_4C3C93:				; CODE XREF: KeQueryLogicalProcessorRelationship+3Bj
		push	eax
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	ecx, eax
		mov	[ebp+var_7C], ecx
		cmp	ecx, ds:_KeNumberProcessors
		jnb	loc_5C47CF
		mov	[ebp+var_80], ecx
		jmp	loc_4C37A9
; 

loc_4C3CB2:				; CODE XREF: KeQueryLogicalProcessorRelationship+145j
		mov	ecx, [ebp+var_94]
		shr	eax, cl
		test	al, 1
		jnz	loc_4C38A5
		jmp	loc_4C38E1
; 

loc_4C3CC7:				; CODE XREF: KeQueryLogicalProcessorRelationship+4ECj
		mov	[ebp+var_5C], 0C0000004h
		jmp	loc_4C3846
; 

loc_4C3CD3:				; CODE XREF: KeQueryLogicalProcessorRelationship+153j
		mov	[ebp+var_5C], 0C0000004h
		jmp	loc_4C38E1
KeQueryLogicalProcessorRelationship endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1100. KeAndAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAndAffinityEx(x, x, x)
		public _KeAndAffinityEx@12
_KeAndAffinityEx@12 proc near		; CODE XREF: KiGetDeepIdleProcessors(x,x)+3Ep
					; PpmParkReportParkedCores+129E9Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+8]
		mov	eax, [ebp+arg_4]
		and	ecx, [eax+8]
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_4C3D18
		mov	dword ptr [eax], 10001h
		mov	dword ptr [eax+4], 0
		mov	[eax+8], ecx

loc_4C3D18:				; CODE XREF: KeAndAffinityEx(x,x,x)+16j
		xor	eax, eax
		test	ecx, ecx
		setnz	al
		pop	ebp
		retn	0Ch
_KeAndAffinityEx@12 endp

; 
		align 8
; Exported entry 1114. KeComplementAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeComplementAffinityEx(x, x)
		public _KeComplementAffinityEx@8
_KeComplementAffinityEx@8 proc near	; CODE XREF: KiGetDeepIdleProcessors(x,x)+32p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		inc	eax
		and	dword ptr [ecx+4], 0
		mov	[ecx+2], ax
		mov	[ecx], ax
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+8]
		not	eax
		mov	[ecx+8], eax
		pop	ebp
		retn	8
_KeComplementAffinityEx@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PoCopyDeepIdleMask(x)
_PoCopyDeepIdleMask@4 proc near		; CODE XREF: KiGetDeepIdleProcessors(x,x)+23p
					; PpmCheckContinueExecution+129ED8p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	eax, eax
		inc	eax
		xor	edx, edx
		push	edi
		movzx	edi, ds:_KeNumberNodes
		mov	[esi], ax
		mov	[esi+2], ax
		mov	[esi+4], edx
		mov	[esi+8], edx
		test	edi, edi
		jz	short loc_4C3D85
		mov	ecx, edx

loc_4C3D73:				; CODE XREF: PoCopyDeepIdleMask(x)+35j
		mov	eax, ds:_KeNodeBlock[edx*4]
		or	ecx, [eax+40h]
		inc	edx
		mov	[esi+8], ecx
		cmp	edx, edi
		jb	short loc_4C3D73

loc_4C3D85:				; CODE XREF: PoCopyDeepIdleMask(x)+21j
		pop	edi
		pop	esi
		retn
_PoCopyDeepIdleMask@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1208. KeOrAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeOrAffinityEx(x, x, x)
		public _KeOrAffinityEx@12
_KeOrAffinityEx@12 proc	near		; CODE XREF: KiForwardTick+10Ap
					; KeQueryLogicalProcessorRelationship+2B5p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+8]
		mov	eax, [ebp+arg_4]
		or	ecx, [eax+8]
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_4C3DB7
		xor	edx, edx
		mov	[eax+8], ecx
		inc	edx
		and	dword ptr [eax+4], 0
		mov	[eax+2], dx
		mov	[eax], dx

loc_4C3DB7:				; CODE XREF: KeOrAffinityEx(x,x,x)+16j
		xor	eax, eax
		test	ecx, ecx
		setnz	al
		pop	ebp
		retn	0Ch
_KeOrAffinityEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiObtainSessionVa proc near		; CODE XREF: MiReservePoolMemory(x,x,x,x)+35p
					; MiExpandPtes+428p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C47E3 SIZE 00000094 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		mov	eax, [eax+80h]
		mov	[ebp+var_C], esi
		mov	edi, [eax+180h]
		mov	[ebp+var_10], edi

loc_4C3DF8:				; CODE XREF: MiObtainSessionVa+100A75j
		xor	edx, edx
		and	[ebp+var_14], edx
		push	offset dword_6D2E64
		mov	[ebp+var_8], edx
		call	ExAcquireSpinLockExclusive
		mov	edx, dword_6D41D8
		mov	byte ptr [ebp+var_4+3],	al
		test	edx, edx
		jnz	loc_5C47E3

loc_4C3E1B:				; CODE XREF: MiObtainSessionVa+100A2Bj
		mov	eax, dword_6D07C4
		mov	ecx, 400h
		lea	edi, [edi+eax*8]
		lea	esi, dword_6D3D94[eax]
		lea	edi, [edi+3E0h]
		sub	ecx, eax
		jz	loc_5C480E
		mov	edx, [ebp+var_14]

loc_4C3E3F:				; CODE XREF: MiObtainSessionVa+96j
		mov	al, [esi]
		mov	byte ptr [ebp+var_4+2],	al
		cmp	al, 1
		jz	short loc_4C3E5F

loc_4C3E48:				; CODE XREF: MiObtainSessionVa+A7j
		test	al, al
		jz	short loc_4C3E6B
		xor	edx, edx
		mov	[ebp+var_8], edx

loc_4C3E51:				; CODE XREF: MiObtainSessionVa+B4j
		inc	esi
		add	edi, 8
		sub	ecx, 1
		jnz	short loc_4C3E3F
		jmp	loc_5C480E
; 

loc_4C3E5F:				; CODE XREF: MiObtainSessionVa+84j
		mov	eax, [edi]
		or	eax, [edi+4]
		jz	short loc_4C3E6C
		mov	al, byte ptr [ebp+var_4+2]
		jmp	short loc_4C3E48
; 

loc_4C3E6B:				; CODE XREF: MiObtainSessionVa+88j
		inc	edx

loc_4C3E6C:				; CODE XREF: MiObtainSessionVa+A2j
		mov	eax, [ebp+var_8]
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+var_C]
		jnz	short loc_4C3E51
		inc	esi
		test	ecx, ecx
		jz	loc_5C480E
		mov	ecx, dword_6D4254
		imul	eax, edx, 0FFE00000h
		add	ecx, eax
		mov	eax, dword_6D3D58
		add	eax, edx
		mov	dword_6D4254, ecx
		mov	dword_6D3D58, eax
		cmp	ecx, dword_6D07C8
		jb	loc_4C3F5B

loc_4C3EAD:				; CODE XREF: MiObtainSessionVa+19Fj
		cmp	eax, dword_6D4218
		ja	loc_4C3F51

loc_4C3EB9:				; CODE XREF: MiObtainSessionVa+194j
		mov	eax, esi
		push	0
		sub	eax, offset dword_6D3D94
		push	300h
		mov	[ebp+var_14], eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebp+var_C], edx
		mov	edx, [ebp+var_8]
		mov	[ebp+var_10], eax
		test	edx, edx
		jz	short loc_4C3F1F
		mov	ecx, [ebp+var_14]
		lea	ecx, dword_6CF5BC[ecx*4]

loc_4C3EE6:				; CODE XREF: MiObtainSessionVa+15Bj
		dec	esi
		lea	ecx, [ecx-4]
		cmp	byte ptr [esi],	1
		jz	short loc_4C3F09
		mov	byte ptr [esi],	1
		mov	eax, [ecx+2618h]
		and	eax, 80000001h
		or	eax, 1
		mov	[ecx+2618h], eax
		mov	eax, [ebp+var_10]

loc_4C3F09:				; CODE XREF: MiObtainSessionVa+12Bj
		inc	dword ptr [ecx]
		mov	[edi], eax
		nop
		mov	eax, [ebp+var_C]
		mov	[edi+4], eax
		sub	edi, 8
		mov	eax, [ebp+var_10]
		sub	edx, 1
		jnz	short loc_4C3EE6

loc_4C3F1F:				; CODE XREF: MiObtainSessionVa+118j
		push	offset dword_6D2E64
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	ecx, ecx
		call	MiReclaimSystemVa
		sub	esi, offset dword_6D3D94
		lea	eax, [esi-400h]
		shl	eax, 15h

loc_4C3F48:				; CODE XREF: MiObtainSessionVa+100AB0j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4C3F51:				; CODE XREF: MiObtainSessionVa+F1j
		mov	dword_6D4218, eax
		jmp	loc_4C3EB9
; 

loc_4C3F5B:				; CODE XREF: MiObtainSessionVa+E5j
		mov	dword_6D07C8, ecx
		jmp	loc_4C3EAD
MiObtainSessionVa endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReservePoolMemory(x, x, x, x)
_MiReservePoolMemory@16	proc near	; CODE XREF: MmAllocatePoolMemory+EEp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		shr	esi, 15h
		cmp	edx, 5
		jz	short loc_4C3F90
		cmp	edx, 6
		jnz	short loc_4C3F94
		push	edx

loc_4C3F7E:				; CODE XREF: MiReservePoolMemory(x,x,x,x)+2Cj
		pop	edx
		mov	ecx, esi
		call	MiObtainSystemVa
		mov	ecx, eax

loc_4C3F88:				; CODE XREF: MiReservePoolMemory(x,x,x,x)+3Ej
					; MiReservePoolMemory(x,x,x,x)+5Bj
		mov	eax, ecx

loc_4C3F8A:				; CODE XREF: MiReservePoolMemory(x,x,x,x)+64j
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
; 

loc_4C3F90:				; CODE XREF: MiReservePoolMemory(x,x,x,x)+10j
		push	5
		jmp	short loc_4C3F7E
; 

loc_4C3F94:				; CODE XREF: MiReservePoolMemory(x,x,x,x)+15j
		cmp	edx, 1
		jnz	short loc_4C3FC3

loc_4C3F99:				; CODE XREF: MiReservePoolMemory(x,x,x,x)+60j
		mov	ecx, esi
		call	MiObtainSessionVa
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_4C3F88
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		add	eax, 23E8h
		lock xadd [eax], esi
		jmp	short loc_4C3F88
; 

loc_4C3FC3:				; CODE XREF: MiReservePoolMemory(x,x,x,x)+31j
		cmp	edx, 0Bh
		jz	short loc_4C3F99
		xor	eax, eax
		jmp	short loc_4C3F8A
_MiReservePoolMemory@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiExpandSystemCache proc near		; CODE XREF: MiObtainSystemCacheView+3CBp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C4877 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_14], eax
		cmp	dword_6D4254, 4000000h
		push	edi
		mov	[ebp+var_18], ebx
		mov	[eax], esi
		jbe	loc_4C40D6
		push	esi
		push	40h
		mov	edx, 6353694Dh
		mov	ecx, 0C0h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	loc_4C40D6
		movzx	eax, word ptr [ebx]
		lea	edi, [ecx+10h]
		and	eax, 3FFh
		cdq
		mov	ebx, eax
		mov	eax, edx
		shld	eax, ebx, 6
		push	8
		pop	edx
		mov	[ebp+var_10], eax
		shl	ebx, 6
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx

loc_4C4037:				; CODE XREF: MiExpandSystemCache+8Aj
		mov	ecx, [edi]
		mov	eax, [edi+4]
		and	ecx, 0FFFF003Fh
		or	eax, [ebp+var_10]
		or	ecx, ebx
		sub	[ebp+var_8], 1
		mov	[edi-8], esi
		mov	[edi], ecx
		lea	edi, [edi+18h]
		mov	[edi-14h], eax
		jnz	short loc_4C4037
		xor	ecx, ecx
		inc	ecx
		call	MiObtainSystemVa
		mov	ebx, eax
		push	esi
		test	ebx, ebx
		jz	loc_5C487D
		mov	edi, ebx
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		push	8
		push	esi
		mov	ecx, edi
		lea	edx, [edi+0FF8h]
		call	MiMakeZeroedPageTablesEx
		test	eax, eax
		jz	loc_5C4877
		mov	eax, dword_6D07D0
		mov	esi, [ebp+var_18]
		shr	eax, 12h
		and	eax, 3FF8h
		shr	ebx, 12h
		sub	ebx, eax
		mov	eax, [ebp+var_4]
		sar	ebx, 3
		mov	dword_6D0BD4[ebx*4], eax

loc_4C40B6:				; CODE XREF: MiExpandSystemCache+101j
		mov	edx, edi
		lea	ecx, [esi+450h]
		call	_InsertTailListPte@8 ; InsertTailListPte(x,x)
		add	edi, 200h
		sub	[ebp+var_C], 1
		jnz	short loc_4C40B6
		mov	eax, edi

loc_4C40D1:				; CODE XREF: MiExpandSystemCache+10Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4C40D6:				; CODE XREF: MiExpandSystemCache+23j
					; MiExpandSystemCache+42j ...
		xor	eax, eax
		jmp	short loc_4C40D1
MiExpandSystemCache endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateSystemWsles(x, x, x, x, x)
_MiCreateSystemWsles@20	proc near	; CODE XREF: MiMakeZeroedPageTablesEx+200p
					; MiSessionCreate+50p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		push	esi
		push	edi
		shr	edx, 0Ch
		mov	edi, offset loc_7FFFF8
		movzx	eax, byte ptr [eax+60h]
		and	eax, 7
		shr	ecx, 0Ch
		push	0
		push	[ebp+arg_4]
		mov	esi, dword_6D2E68[eax*4]
		add	edx, esi
		mov	eax, [ebp+arg_0]
		add	ecx, esi
		and	eax, 0FFFFFFF1h
		shr	edx, 9
		or	eax, 260h
		shr	ecx, 9
		push	eax
		mov	eax, 40000000h
		and	edx, edi
		and	ecx, edi
		sub	edx, eax
		sub	ecx, eax
		call	MiMakeZeroedPageTablesEx
		neg	eax
		pop	edi
		sbb	eax, eax
		neg	eax
		pop	esi
		pop	ebp
		retn	0Ch
_MiCreateSystemWsles@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiExpandPtes	proc near		; CODE XREF: MiReservePtes+526p
					; MiReservePtes+65Fp

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= byte ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C488B SIZE 0000013C BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 58h
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_20], edx
		lea	edi, [ebp+var_58]
		add	edx, 1FFh
		mov	esi, ecx
		stosd
		mov	[ebp+var_34], esi
		stosd
		stosd
		cmp	edx, [ebp+var_20]
		jbe	loc_5C4905
		mov	eax, [esi+0Ch]
		mov	[ebp+var_40], eax
		and	eax, 4
		mov	[ebp+var_3C], eax
		neg	eax
		sbb	eax, eax
		xor	ecx, ecx
		and	eax, 0Fh
		xor	edi, edi
		inc	eax
		mov	[ebp+var_14], edi
		mov	[ebp+var_1C], eax
		inc	ecx
		cmp	[ebp+var_20], 200h
		mov	eax, [esi+10h]
		mov	[ebp+var_C], eax
		jnb	loc_4C43F0

loc_4C41A3:				; CODE XREF: MiExpandPtes+2C0j
					; MiExpandPtes+2C9j
		and	edx, 0FFFFFE00h
		mov	eax, edx
		mov	[ebp+var_18], edx
		shr	eax, 9
		mov	[ebp+var_30], eax
		mov	eax, edx
		xor	edx, edx
		div	[ebp+var_1C]
		test	byte ptr [ebp+var_40], 2
		mov	[ebp+var_2C], eax
		jz	loc_4C4558
		mov	edx, [ebp+var_C]
		mov	[ebp+var_40], 10h
		cmp	[ebp+var_14], ecx
		jz	loc_4C457E

loc_4C41DB:				; CODE XREF: MiExpandPtes+44Bj
		cmp	[ebp+var_3C], edi
		jnz	loc_4C43C1

loc_4C41E4:				; CODE XREF: MiExpandPtes+291j
		mov	ecx, [ebp+var_30]
		call	MiObtainSystemVa

loc_4C41EC:				; CODE XREF: MiExpandPtes+42Dj
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	loc_5C4905
		mov	ecx, eax
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	eax, ecx
		mov	[ebp+var_24], ecx
		sub	eax, [esi+8]
		sar	eax, 3
		mov	[ebp+var_30], eax
		cmp	[ebp+var_14], edi
		jnz	loc_4C42F1
		xor	edx, edx
		mov	ecx, large fs:124h
		div	[ebp+var_1C]
		mov	[ebp+var_48], ecx
		mov	[ebp+var_10], eax
		shr	eax, 3
		add	eax, [esi+4]
		test	byte ptr [esi+0Ch], 2
		mov	[ebp+var_3C], eax
		lea	eax, [esi+1Ch]
		mov	[ebp+var_38], eax
		jz	loc_4C4568
		lea	edx, [ebp+var_58]
		mov	ecx, eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)

loc_4C4254:				; CODE XREF: MiExpandPtes+443j
		mov	eax, [ebp+var_10]
		mov	edx, [ebp+var_3C]
		and	eax, 7
		add	eax, [ebp+var_2C]
		mov	ecx, [ebp+var_C]
		push	eax
		call	MiSplitBitmapPages
		mov	edx, eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_4C], edx
		mov	[ebp+var_8], eax
		test	al, 2
		jz	loc_4C440B
		xor	ecx, ecx
		inc	ecx
		cmp	edx, ecx
		jnz	short loc_4C42AD
		mov	eax, [ebp+var_30]
		xor	edx, edx
		add	eax, [ebp+var_18]
		div	[ebp+var_1C]
		cmp	eax, [esi]
		ja	loc_4C4404

loc_4C4296:				; CODE XREF: MiExpandPtes+2D0j
		mov	edx, [ebp+var_10]
		mov	eax, [ebp+var_8]
		cmp	edx, [esi+28h]
		jb	loc_4C45AA
		test	al, 8
		jz	loc_4C45AA

loc_4C42AD:				; CODE XREF: MiExpandPtes+14Bj
					; MiExpandPtes+47Dj
		test	ds:byte_70EFC6,	cl
		jnz	loc_5C488B
		mov	eax, [ebp+var_58]
		test	eax, eax
		jnz	loc_4C459C
		mov	edx, [ebp+var_54]
		lea	eax, [ebp+var_58]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_58]
		cmp	eax, ecx
		jnz	loc_5C489B

loc_4C42DB:				; CODE XREF: MiExpandPtes+46Fj
					; MiExpandPtes+100760j
		mov	cl, [ebp+var_50]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4C42E4:				; CODE XREF: MiExpandPtes+41Dj
		cmp	[ebp+var_4C], 0
		mov	ecx, [ebp+var_24]
		jz	loc_5C48E0

loc_4C42F1:				; CODE XREF: MiExpandPtes+E3j
		mov	eax, [ebp+var_18]
		push	edi
		push	[ebp+var_C]
		dec	eax
		push	[ebp+var_40]
		lea	edx, [ecx+eax*8]
		call	MiMakeZeroedPageTablesEx
		test	eax, eax
		jz	loc_5C490C
		mov	ecx, [ebp+var_2C]
		lea	eax, [esi+30h]
		lock xadd [eax], ecx
		mov	ecx, [ebp+var_2C]
		lea	eax, [esi+20h]
		lock xadd [eax], ecx
		test	byte ptr ds:dword_7051B4, 2
		jnz	loc_5C4917

loc_4C432D:				; CODE XREF: MiExpandPtes+1007E7j
					; MiExpandPtes+100879j
		cmp	[ebp+var_14], 1
		jz	short loc_4C4398
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_20]
		cmp	ecx, eax
		jz	short loc_4C4398
		sub	eax, ecx
		xor	edx, edx
		div	[ebp+var_1C]
		xor	edx, edx
		mov	esi, eax
		mov	eax, [ebp+var_30]
		add	eax, ecx
		div	[ebp+var_1C]
		mov	[ebp+var_18], eax
		mov	edx, eax
		mov	eax, [ebp+var_34]
		shr	edx, 5
		mov	ecx, [eax+4]
		mov	eax, [ebp+var_18]
		and	eax, 1Fh
		mov	[ebp+var_18], eax
		lea	edx, [ecx+edx*4]
		mov	[ebp+var_40], edx
		lea	ecx, [esi+eax]
		cmp	ecx, 20h
		jbe	short loc_4C43A4
		test	eax, eax
		jnz	short loc_4C43CC

loc_4C4379:				; CODE XREF: MiExpandPtes+2B8j
		cmp	esi, 20h
		jb	short loc_4C4390
		mov	eax, esi
		shr	eax, 5

loc_4C4383:				; CODE XREF: MiExpandPtes+258j
		mov	[edx], edi
		sub	esi, 20h
		add	edx, 4
		sub	eax, 1
		jnz	short loc_4C4383

loc_4C4390:				; CODE XREF: MiExpandPtes+246j
		test	esi, esi
		jnz	loc_5C49BB

loc_4C4398:				; CODE XREF: MiExpandPtes+1FBj
					; MiExpandPtes+205j ...
		mov	eax, [ebp+var_24]

loc_4C439B:				; CODE XREF: MiExpandPtes+1007D1j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4C43A4:				; CODE XREF: MiExpandPtes+23Dj
		cmp	esi, 20h
		jz	loc_5C49B4
		xor	eax, eax
		mov	ecx, esi
		inc	eax
		shl	eax, cl
		mov	ecx, [ebp+var_18]
		dec	eax
		shl	eax, cl
		not	eax

loc_4C43BC:				; CODE XREF: MiExpandPtes+10088Cj
		lock and [edx],	eax
		jmp	short loc_4C4398
; 

loc_4C43C1:				; CODE XREF: MiExpandPtes+A8j
		or	edx, 40000000h
		jmp	loc_4C41E4
; 

loc_4C43CC:				; CODE XREF: MiExpandPtes+241j
		push	20h
		xor	edx, edx
		pop	eax
		sub	eax, [ebp+var_18]
		inc	edx
		mov	ecx, eax
		shl	edx, cl
		mov	ecx, [ebp+var_18]
		dec	edx
		shl	edx, cl
		mov	ecx, [ebp+var_40]
		not	edx
		lock and [ecx],	edx
		mov	edx, ecx
		sub	esi, eax
		add	edx, 4
		jmp	short loc_4C4379
; 

loc_4C43F0:				; CODE XREF: MiExpandPtes+67j
		cmp	esi, offset dword_6D35E0
		jnz	loc_4C41A3
		mov	[ebp+var_14], ecx
		jmp	loc_4C41A3
; 

loc_4C4404:				; CODE XREF: MiExpandPtes+15Aj
		mov	[esi], eax
		jmp	loc_4C4296
; 

loc_4C440B:				; CODE XREF: MiExpandPtes+140j
		mov	ecx, [ebp+var_38]
		or	eax, 0FFFFFFFFh
		mov	ecx, [ecx]
		mov	[ebp+var_10], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4C45B8

loc_4C4424:				; CODE XREF: MiExpandPtes+48Aj
		mov	esi, edi
		mov	[ebp+var_3C], esi
		test	ecx, 7FFFFFFCh
		jz	loc_4C4548
		mov	edx, large fs:124h
		mov	eax, ecx
		mov	edi, dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_8], edx
		cmp	ecx, edi
		jb	short loc_4C4474
		xor	ecx, ecx
		mov	[ebp+var_38], eax
		inc	ecx
		cmp	byte ptr dword_6D3994[eax], cl
		jz	loc_4C4586
		mov	ecx, [ebp+var_10]
		cmp	ecx, edi
		jb	short loc_4C4474
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4C4586

loc_4C4474:				; CODE XREF: MiExpandPtes+316j
					; MiExpandPtes+32Fj
		or	eax, 0FFFFFFFFh

loc_4C4477:				; CODE XREF: MiExpandPtes+461j
		dec	word ptr [edx+13Eh]
		mov	[ebp+var_38], eax
		nop
		inc	byte ptr [edx+1E6h]
		nop
		mov	dl, [edx+1E6h]
		mov	byte ptr [ebp+var_4+2],	dl
		mov	edx, ecx
		mov	ecx, [ebp+var_8]
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_44], ecx
		push	0
		pop	edi
		test	ecx, ecx
		jz	loc_4C460E
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4C4624

loc_4C44BF:				; CODE XREF: MiExpandPtes+4F6j
		mov	eax, [ecx+2Ch]
		mov	esi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	esi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_44], esi
		mov	[ebp+var_3C], esi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [ebp+var_8]
		mov	[ecx+10h], edi
		push	30h
		sub	ecx, [eax+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		mov	al, dl
		shl	al, cl
		mov	ecx, [ebp+var_8]
		cmp	byte ptr [ebp+var_4+2],	dl
		jnz	loc_5C48BD
		or	[ecx+1E4h], al

loc_4C450C:				; CODE XREF: MiExpandPtes+4E3j
					; MiExpandPtes+100793j
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, esi
		and	eax, 1FFFFh
		mov	[ebp+var_44], eax
		jnz	loc_4C45C5

loc_4C4523:				; CODE XREF: MiExpandPtes+4D3j
		nop
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		test	ax, ax
		jnz	short loc_4C4548
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	loc_4C4636

loc_4C4548:				; CODE XREF: MiExpandPtes+2F9j
					; MiExpandPtes+404j ...
		mov	ecx, [ebp+var_48]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	esi, [ebp+var_34]
		jmp	loc_4C42E4
; 

loc_4C4558:				; CODE XREF: MiExpandPtes+8Cj
		mov	[ebp+var_40], ecx
		mov	ecx, [ebp+var_30]
		call	MiObtainSessionVa
		jmp	loc_4C41EC
; 

loc_4C4568:				; CODE XREF: MiExpandPtes+10Ej
		dec	word ptr [ecx+13Eh]
		nop
		mov	ecx, [eax]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		jmp	loc_4C4254
; 

loc_4C457E:				; CODE XREF: MiExpandPtes+9Fj
		push	0Dh
		pop	edx
		jmp	loc_4C41DB
; 

loc_4C4586:				; CODE XREF: MiExpandPtes+324j
					; MiExpandPtes+338j
		mov	ecx, [edx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		jmp	loc_4C4477
; 

loc_4C459C:				; CODE XREF: MiExpandPtes+188j
					; MiExpandPtes+100770j
		mov	[ebp+var_58], edi
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4C42DB
; 

loc_4C45AA:				; CODE XREF: MiExpandPtes+169j
					; MiExpandPtes+171j
		or	eax, 8
		mov	[esi+28h], edx
		mov	[esi+0Ch], eax
		jmp	loc_4C42AD
; 

loc_4C45B8:				; CODE XREF: MiExpandPtes+2E8j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_10]
		jmp	loc_4C4424
; 

loc_4C45C5:				; CODE XREF: MiExpandPtes+3E7j
		test	esi, 8000h
		jz	short loc_4C45D7
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp+var_8]

loc_4C45D7:				; CODE XREF: MiExpandPtes+495j
		xor	eax, eax
		inc	eax
		test	byte ptr [ebp+var_3C+2], al
		jnz	short loc_4C4640

loc_4C45DF:				; CODE XREF: MiExpandPtes+511j
		mov	eax, 7FFFh
		test	esi, eax
		jz	short loc_4C4631
		and	esi, eax
		mov	edx, esi
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		call	KiAbThreadUnboostCpuPriority

loc_4C45F6:				; CODE XREF: MiExpandPtes+4FEj
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5C48CE

loc_4C4606:				; CODE XREF: MiExpandPtes+1007A5j
		mov	ecx, [ebp+var_8]
		jmp	loc_4C4523
; 

loc_4C460E:				; CODE XREF: MiExpandPtes+371j
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_4C450C
		jmp	loc_5C48AB
; 

loc_4C4624:				; CODE XREF: MiExpandPtes+383j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_44]
		jmp	loc_4C44BF
; 

loc_4C4631:				; CODE XREF: MiExpandPtes+4B0j
		mov	esi, [ebp+var_8]
		jmp	short loc_4C45F6
; 

loc_4C4636:				; CODE XREF: MiExpandPtes+40Cj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4C4548
; 

loc_4C4640:				; CODE XREF: MiExpandPtes+4A7j
		mov	edx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_4C45DF
MiExpandPtes	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSplitBitmapPages proc	near		; CODE XREF: MiExpandPtes+12Ep
					; MiExpandPtes+10081Fp	...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C49C7 SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx

loc_4C4653:				; CODE XREF: .text:0042B030j
		mov	ebx, edx
		push	edi
		cmp	esi, 0Dh
		jz	loc_5C49C7

loc_4C465F:				; CODE XREF: MiSplitBitmapPages+100380j
		mov	edi, 220h
		cmp	esi, 9
		jnz	short loc_4C46A1

loc_4C4669:				; CODE XREF: MiSplitBitmapPages+5Fj
		mov	edi, 230h

loc_4C466E:				; CODE XREF: MiSplitBitmapPages+5Aj
					; MiSplitBitmapPages+64j ...
		mov	edx, [ebp+arg_0]
		mov	ecx, offset loc_7FFFF8
		push	0
		mov	eax, 40000000h
		push	esi
		lea	edx, [edx-1]
		shr	edx, 3
		add	edx, ebx
		shr	ebx, 9
		shr	edx, 9
		and	edx, ecx
		and	ecx, ebx
		push	edi
		sub	edx, eax
		sub	ecx, eax
		call	MiMakeZeroedPageTablesEx
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4C46A1:				; CODE XREF: MiSplitBitmapPages+1Dj
		cmp	esi, 0Eh
		jz	short loc_4C466E
		cmp	esi, 5
		jz	short loc_4C4669
		cmp	esi, 0Fh
		jz	short loc_4C466E
		cmp	esi, 8
		jz	short loc_4C466E
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		ja	short loc_4C466E
		mov	edi, 221h
		jmp	short loc_4C466E
MiSplitBitmapPages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMakeZeroedPageTablesEx proc near	; CODE XREF: MiCommitPoolMemory+100p
					; MiExpandSystemCache+BBp ...

var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= word ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C49CF SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 140h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+140h+var_4], eax
		push	esi
		push	edi
		push	4Ch		; size_t
		lea	eax, [esp+14Ch+var_130]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+148h+var_E0]
		push	0D8h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+arg_0]
		add	esp, 0Ch
		push	3
		pop	ecx
		test	dl, 4
		jnz	loc_5C49CF
		test	dl, 2
		jnz	loc_4C4897
		xor	al, al
		test	dl, 20h
		jz	loc_4C48D8

loc_4C4730:				; CODE XREF: MiMakeZeroedPageTablesEx+228j
		and	[esp+148h+var_13C], 0
		shl	al, 2
		shl	esi, 9
		add	esi, 0FFFh
		mov	byte ptr [esp+148h+var_130+2], al
		mov	eax, [ebp+arg_4]
		shl	edi, 9
		mov	[esp+148h+var_138], esi
		mov	esi, offset unk_6D3B40
		mov	[esp+148h+var_C8], eax
		cmp	eax, 9
		jg	loc_4C48F3
		jnz	loc_4C4953

loc_4C476A:				; CODE XREF: MiMakeZeroedPageTablesEx+31Fj
		mov	esi, offset unk_6D3940

loc_4C476F:				; CODE XREF: MiMakeZeroedPageTablesEx+244j
					; MiMakeZeroedPageTablesEx+2A8j ...
		or	[esp+148h+var_C], 0FFFFFFFFh
		mov	ecx, edx
		mov	eax, [ebp+arg_8]
		and	ecx, 40h
		mov	[esp+148h+var_C0], edx
		mov	[esp+148h+var_D4], offset _MiSystemPartition
		mov	[esp+148h+var_C4], eax
		mov	[esp+148h+var_134], ecx
		jnz	loc_4C490F
		mov	edx, ds:_MmPfnDatabase
		cmp	edi, edx
		jb	short loc_4C47C2
		mov	ecx, dword_6D07B0
		inc	ecx
		imul	ecx, 1Ch
		add	ecx, edx
		cmp	edi, ecx
		sbb	ecx, ecx
		not	ecx
		mov	[esp+148h+var_C], ecx

loc_4C47C2:				; CODE XREF: MiMakeZeroedPageTablesEx+E1j
					; MiMakeZeroedPageTablesEx+259j
		push	eax
		lea	edx, [esp+14Ch+var_18]
		mov	ecx, edi
		call	_MiInitializeColorBase@12 ; MiInitializeColorBase(x,x,x)
		mov	ecx, [ebp+arg_0]
		test	cl, cl
		js	short loc_4C47EF
		cmp	[esp+14Ch+var_CC], 2
		jz	short loc_4C47EF
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 4
		jbe	loc_4C48B0

loc_4C47EF:				; CODE XREF: MiMakeZeroedPageTablesEx+110j
					; MiMakeZeroedPageTablesEx+11Aj ...
		mov	eax, 4807h
		mov	[esp+14Ch+var_120], edi
		mov	word ptr [esp+14Ch+var_134], ax
		xor	ecx, ecx
		mov	eax, [esp+14Ch+var_13C]
		mov	[esp+14Ch+var_11C], eax
		mov	eax, [esp+14Ch+var_140]
		mov	[esp+14Ch+var_B8], eax
		lea	eax, [esp+14Ch+var_E4]
		mov	[esp+14Ch+var_AC], ecx
		mov	[esp+14Ch+var_B4], cx
		mov	[esp+14Ch+var_A8], ecx
		mov	[esp+14Ch+var_A4], ecx
		mov	ecx, esi
		mov	[esp+14Ch+var_B0], 21h
		mov	[esp+14Ch+var_F4], offset MiCreateSystemPageTable
		mov	[esp+14Ch+var_F0], offset _MiCreateSystemPageTableTail@4 ; MiCreateSystemPageTableTail(x)
		mov	[esp+14Ch+var_EC], eax
		mov	[esp+14Ch+var_124], esi
		call	MiLockWorkingSetShared
		lea	ecx, [esp+14Ch+var_134]
		mov	byte ptr [esp+14Ch+var_130+2], al
		call	MiWalkPageTables
		mov	dl, byte ptr [esp+14Ch+var_130+2]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		cmp	[esp+14Ch+var_138], 0
		jnz	loc_4C4924

loc_4C4880:				; CODE XREF: MiMakeZeroedPageTablesEx+266j
					; MiMakeZeroedPageTablesEx+288j
		lea	ecx, [esp+14Ch+var_E4]
		call	_MiCleanupPageTablePages@4 ; MiCleanupPageTablePages(x)
		cmp	[esp+14Ch+var_20], 0
		jl	loc_5C49FC

loc_4C4897:				; CODE XREF: MiMakeZeroedPageTablesEx+59j
		xor	eax, eax
		inc	eax

loc_4C489A:				; CODE XREF: MiMakeZeroedPageTablesEx+10035Aj
		mov	ecx, [esp+14Ch+var_8]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4C48B0:				; CODE XREF: MiMakeZeroedPageTablesEx+123j
		cmp	[esp+14Ch+var_138], 0
		jnz	loc_4C47EF
		mov	edx, [esp+14Ch+var_13C]
		push	esi
		push	[ebp+arg_4]
		push	ecx
		mov	ecx, edi
		call	_MiCreateSystemWsles@20	; MiCreateSystemWsles(x,x,x,x,x)
		test	eax, eax
		jnz	loc_4C47EF
		jmp	loc_5C4A1E
; 

loc_4C48D8:				; CODE XREF: MiMakeZeroedPageTablesEx+64j
		mov	[esp+148h+var_BC], 1
		mov	al, 1

loc_4C48E5:				; CODE XREF: MiMakeZeroedPageTablesEx+100312j
		and	edx, 0FFFFFF7Fh
		mov	[ebp+arg_0], edx
		jmp	loc_4C4730
; 

loc_4C48F3:				; CODE XREF: MiMakeZeroedPageTablesEx+98j
		sub	eax, 0Bh
		jz	loc_4C4982
		sub	eax, 1
		jnz	loc_4C49E2

loc_4C4905:				; CODE XREF: MiMakeZeroedPageTablesEx+29Ej
		mov	esi, offset unk_6D3740
		jmp	loc_4C476F
; 

loc_4C490F:				; CODE XREF: MiMakeZeroedPageTablesEx+D3j
		lea	ecx, [esp+148h+var_E0]
		call	_MiSetLeafFillToUninitializedWsle@4 ; MiSetLeafFillToUninitializedWsle(x)
		mov	eax, [esp+148h+var_C4]
		jmp	loc_4C47C2
; 

loc_4C4924:				; CODE XREF: MiMakeZeroedPageTablesEx+1B4j
		cmp	[esp+14Ch+var_CC], 2
		jz	loc_4C4880
		mov	al, [esi+60h]
		mov	ecx, offset unk_6D3C5C
		and	al, 7
		cmp	al, 2
		jz	short loc_4C4946
		lea	ecx, [esi+9Ch]

loc_4C4946:				; CODE XREF: MiMakeZeroedPageTablesEx+278j
		mov	eax, [esp+14Ch+var_D0]
		lock xadd [ecx], eax
		jmp	loc_4C4880
; 

loc_4C4953:				; CODE XREF: MiMakeZeroedPageTablesEx+9Ej
		sub	eax, 1
		jz	short loc_4C49B3
		sub	eax, 1
		jz	loc_5C49DD
		sub	eax, 1
		jz	short loc_4C4905
		sub	eax, ecx
		jz	short loc_4C49D8
		dec	eax
		sub	eax, 1
		jnz	loc_4C476F
		xor	ecx, ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	esi, eax
		jmp	loc_4C476F
; 

loc_4C4982:				; CODE XREF: MiMakeZeroedPageTablesEx+230j
		mov	ecx, dword_6D07D0
		mov	eax, edi
		shr	eax, 15h
		cmp	edi, ecx
		jb	loc_4C476F
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_4C49B3
		cmp	edi, ecx
		jb	loc_4C476F
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jnz	loc_4C476F

loc_4C49B3:				; CODE XREF: MiMakeZeroedPageTablesEx+290j
					; MiMakeZeroedPageTablesEx+2D6j
		mov	eax, large fs:124h
		mov	[esp+148h+var_13C], 2
		mov	eax, [eax+80h]
		mov	esi, [eax+180h]
		add	esi, 0C0h
		jmp	loc_4C476F
; 

loc_4C49D8:				; CODE XREF: MiMakeZeroedPageTablesEx+2A2j
		mov	esi, offset unk_6D3840
		jmp	loc_4C476F
; 

loc_4C49E2:				; CODE XREF: MiMakeZeroedPageTablesEx+239j
		sub	eax, 1
		jz	loc_4C476A
		sub	eax, 1
		jnz	loc_4C476F
		mov	esi, offset unk_6D3A40
		jmp	loc_4C476F
MiMakeZeroedPageTablesEx endp


;  S U B	R O U T	I N E 


; __stdcall MiCleanupPageTablePages(x)
_MiCleanupPageTablePages@4 proc	near	; CODE XREF: MiMakeZeroedPageTablesEx+1BEp
					; MmCreateShadowMapping+140p
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		push	0
		mov	edx, esi
		mov	ecx, [esi+0Ch]
		call	_MiFreeLargeZeroPages@12 ; MiFreeLargeZeroPages(x,x,x)
		mov	edi, [esi+10h]
		test	edi, edi
		jnz	short loc_4C4A20

loc_4C4A18:				; CODE XREF: MiCleanupPageTablePages(x)+27j
					; MiCleanupPageTablePages(x)+42j
		and	dword ptr [esi+10h], 0
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_4C4A20:				; CODE XREF: MiCleanupPageTablePages(x)+18j
		mov	eax, [esi+14h]
		cmp	eax, edi
		jz	short loc_4C4A18
		mov	ecx, [esi+0Ch]
		sub	edi, eax
		mov	edx, edi
		call	MiReturnCommit
		push	dword ptr [esi+18h]
		mov	ecx, [esi+0Ch]
		mov	edx, edi
		call	_MiReturnSystemCharges@12 ; MiReturnSystemCharges(x,x,x)
		jmp	short loc_4C4A18
_MiCleanupPageTablePages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeLargeZeroPages(x, x, x)
_MiFreeLargeZeroPages@12 proc near	; CODE XREF: MiCleanupPageTablePages(x)+Ep
					; MiPfnRangeIsZero+17Ap ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_10], edx
		lea	edi, [ebp+var_20]
		mov	[ebp+var_C], ecx
		stosd
		xor	ebx, ebx
		stosd
		stosd
		stosd
		jmp	short loc_4C4AC2
; 

loc_4C4A60:				; CODE XREF: MiFreeLargeZeroPages(x,x,x)+88j
		mov	eax, [ecx]
		mov	[edx+ebx*4], eax
		cmp	ebx, 2
		jnz	short loc_4C4A71
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		jmp	short loc_4C4ABF
; 

loc_4C4A71:				; CODE XREF: MiFreeLargeZeroPages(x,x,x)+26j
		mov	eax, ecx
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, [ebp+var_C]
		push	1
		push	0
		push	ds:_MiLargePageSizes[ebx*4]
		mov	esi, eax
		mov	edx, esi
		call	MiUpdateLargePageBitMap
		mov	ecx, [ebp+var_8]
		lea	edi, [ebp+var_20]
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		and	[ebp+var_18], 0
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_14], al
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)

loc_4C4ABF:				; CODE XREF: MiFreeLargeZeroPages(x,x,x)+2Dj
		mov	edx, [ebp+var_10]

loc_4C4AC2:				; CODE XREF: MiFreeLargeZeroPages(x,x,x)+1Cj
					; MiFreeLargeZeroPages(x,x,x)+8Ej
		mov	ecx, [edx+ebx*4]
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jnz	short loc_4C4A60
		inc	ebx
		cmp	ebx, 3
		jb	short loc_4C4AC2
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiFreeLargeZeroPages@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiObtainSystemVa proc near		; CODE XREF: MiReservePoolMemory(x,x,x,x)+1Bp
					; MiExpandSystemCache+8Fp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C4A25 SIZE 000000BD BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, edx
		mov	[ebp-0Ch], ecx
		mov	ecx, eax
		and	eax, 0BFFFFFFFh
		and	ecx, 40000000h
		mov	[ebp-8], eax
		mov	[ebp-10h], ecx
		push	esi
		push	edi
		cmp	eax, 0Dh
		jz	loc_4C4C24

loc_4C4B1E:				; CODE XREF: MiObtainSystemVa+FFF99j
		mov	esi, [ebp-8]

loc_4C4B21:				; CODE XREF: MiObtainSystemVa+14Cj
					; MiObtainSystemVa+FFFE4j
		push	offset dword_6D2E64
		xor	edi, edi
		call	ExAcquireSpinLockExclusive
		mov	edx, dword_6D41D4[esi*4]
		mov	[ebp-1], al
		test	edx, edx
		jnz	loc_5C4A25

loc_4C4B3F:				; CODE XREF: MiObtainSystemVa+FFF51j
		mov	eax, dword_6D07C4
		mov	ecx, 400h
		lea	esi, dword_6D3D94[eax]
		sub	ecx, eax
		jz	loc_5C4A53

loc_4C4B57:				; CODE XREF: MiObtainSystemVa+82j
		cmp	byte ptr [esi],	0
		jz	short loc_4C4B69
		xor	edi, edi

loc_4C4B5E:				; CODE XREF: MiObtainSystemVa+8Fj
		inc	esi
		sub	ecx, 1
		jnz	short loc_4C4B57
		jmp	loc_5C4A53
; 

loc_4C4B69:				; CODE XREF: MiObtainSystemVa+7Aj
		mov	eax, [ebp-0Ch]
		inc	edi
		cmp	edi, eax
		jnz	short loc_4C4B5E
		inc	esi
		test	ecx, ecx
		jz	loc_5C4A53
		mov	edx, [ebp-8]
		imul	eax, 0FFE00000h
		add	dword_6D4254, eax
		mov	eax, [ebp-0Ch]
		add	dword_6D3D54[edx*4], eax
		mov	ecx, dword_6D4254
		mov	eax, dword_6D3D54[edx*4]
		cmp	ecx, dword_6D07C8
		jb	short loc_4C4C15

loc_4C4BA8:				; CODE XREF: MiObtainSystemVa+142j
		cmp	eax, dword_6D4214[edx*4]
		ja	short loc_4C4C0C

loc_4C4BB1:				; CODE XREF: MiObtainSystemVa+133j
		mov	eax, esi
		sub	eax, offset dword_6D3D94
		test	edi, edi
		jz	short loc_4C4BDA
		lea	ecx, dword_6D1BD4[eax*4]

loc_4C4BC3:				; CODE XREF: MiObtainSystemVa+F8j
		dec	esi
		lea	ecx, [ecx-4]
		mov	[esi], dl
		mov	eax, [ecx]
		and	eax, 80000001h
		or	eax, 1
		mov	[ecx], eax
		sub	edi, 1
		jnz	short loc_4C4BC3

loc_4C4BDA:				; CODE XREF: MiObtainSystemVa+DAj
		push	offset dword_6D2E64
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	ecx, ecx
		call	MiReclaimSystemVa
		sub	esi, offset dword_6D3D94
		lea	eax, [esi-400h]
		shl	eax, 15h

loc_4C4C03:				; CODE XREF: MiObtainSystemVa+FFFFDj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4C4C0C:				; CODE XREF: MiObtainSystemVa+CFj
		mov	dword_6D4214[edx*4], eax
		jmp	short loc_4C4BB1
; 

loc_4C4C15:				; CODE XREF: MiObtainSystemVa+C6j
		mov	dword_6D07C8, ecx
		mov	eax, dword_6D3D54[edx*4]
		jmp	short loc_4C4BA8
; 

loc_4C4C24:				; CODE XREF: MiObtainSystemVa+38j
		mov	esi, 9
		mov	[ebp-8], esi
		jmp	loc_4C4B21
MiObtainSystemVa endp

; 
		align 2

;  S U B	R O U T	I N E 


MiReclaimSystemVa proc near		; CODE XREF: MiObtainSessionVa+172p
					; MiObtainSystemVa+10Fp ...

; FUNCTION CHUNK AT 005C4AE2 SIZE 0000000F BYTES

		cmp	ecx, 1
		jz	loc_5C4AE2
		cmp	dword_6D4254, 8000000h
		jbe	loc_5C4AE2
		retn
MiReclaimSystemVa endp


;  S U B	R O U T	I N E 


; __stdcall MiSetLeafFillToUninitializedWsle(x)
_MiSetLeafFillToUninitializedWsle@4 proc near
					; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+326p
					; MiMakeZeroedPageTablesEx+24Dp
		mov	eax, [ecx+0D4h]
		push	4
		pop	edx

loc_4C4C55:				; CODE XREF: MiSetLeafFillToUninitializedWsle(x)+12j
		shl	eax, 8
		or	eax, 0Ah
		sub	edx, 1
		jnz	short loc_4C4C55
		mov	[ecx+0D4h], eax
		retn
_MiSetLeafFillToUninitializedWsle@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1473. MmSizeOfMdl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmSizeOfMdl(x, x)
		public _MmSizeOfMdl@8
_MmSizeOfMdl@8	proc near		; CODE XREF: PopMarkHiberPhase(x)+63p
					; ExLockUserBuffer+1Ep	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		and	ecx, 0FFFh
		add	eax, 0FFFh
		add	eax, ecx
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		pop	ebp
		retn	8
_MmSizeOfMdl@8	endp


;  S U B	R O U T	I N E 


; __stdcall ExUnlockUserBuffer(x)
_ExUnlockUserBuffer@4 proc near		; CODE XREF: ExGetSessionPoolTagInformation+174p
					; PAGE:0083E7CCp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
_ExUnlockUserBuffer@4 endp ; sp	= -4

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeThawProcess(x, x)
_KeThawProcess@8 proc near		; CODE XREF: PsThawProcess+E4p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		push	esi
		push	edi
		lea	edi, [ebx+2Ch]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		mov	byte ptr [ebp+var_18], al
		mov	eax, large fs:20h
		mov	[ebp+var_10], eax
		lea	eax, [ebx+34h]
		push	eax
		mov	[ebp+var_14], eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	eax, [ebx+98h]
		lea	ecx, [ebx+64h]
		mov	esi, [ecx]
		shr	esi, 3
		and	esi, 1
		mov	[ebp+var_1C], ecx
		add	esi, eax
		jz	short loc_4C4D20
		cmp	[ebp+var_1], 0
		jz	short loc_4C4D19
		lock btr dword ptr [ecx], 3
		xor	cl, cl
		call	KiQueryUnbiasedInterruptTime
		sub	eax, [ebx+38h]
		mov	ecx, [ebp+var_1C]
		sbb	edx, [ebx+3Ch]
		mov	[ebp+var_C], eax
		jmp	short loc_4C4D23
; 

loc_4C4D19:				; CODE XREF: KeThawProcess(x,x)+55j
		dec	eax
		mov	[ebx+98h], eax

loc_4C4D20:				; CODE XREF: KeThawProcess(x,x)+4Fj
		mov	edx, [ebp+var_8]

loc_4C4D23:				; CODE XREF: KeThawProcess(x,x)+6Fj
		mov	al, [ebp+var_1]
		test	al, al
		jz	short loc_4C4D38
		test	byte ptr [ecx],	10h
		jz	short loc_4C4D38
		mov	eax, [edi]
		cmp	eax, edi
		jnz	short loc_4C4DA0

loc_4C4D35:				; CODE XREF: KeThawProcess(x,x)+10Dj
		mov	al, [ebp+var_1]

loc_4C4D38:				; CODE XREF: KeThawProcess(x,x)+80j
					; KeThawProcess(x,x)+85j
		cmp	esi, 1
		jnz	short loc_4C4D8B
		mov	esi, [edi]
		mov	ebx, [ebp+var_10]

loc_4C4D42:				; CODE XREF: KeThawProcess(x,x)+B6j
		cmp	esi, edi
		jz	short loc_4C4D6B
		lea	edx, [esi-1D4h]
		test	al, al
		jz	short loc_4C4D60

loc_4C4D50:				; CODE XREF: KeThawProcess(x,x)+BFj
		push	0
		mov	ecx, ebx
		call	_KiThawSingleThread@12 ; KiThawSingleThread(x,x,x)
		mov	al, [ebp+var_1]

loc_4C4D5C:				; CODE XREF: KeThawProcess(x,x)+C1j
		mov	esi, [esi]
		jmp	short loc_4C4D42
; 

loc_4C4D60:				; CODE XREF: KeThawProcess(x,x)+A6j
		test	dword ptr [edx+58h], 200000h
		jz	short loc_4C4D50
		jmp	short loc_4C4D5C
; 

loc_4C4D6B:				; CODE XREF: KeThawProcess(x,x)+9Cj
		push	[ebp+var_14]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		push	[ebp+var_18]
		xor	edx, edx
		mov	ecx, ebx
		push	0
		push	1
		call	KiExitDispatcher
		xor	eax, eax
		inc	eax

loc_4C4D86:				; CODE XREF: KeThawProcess(x,x)+F6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4C4D8B:				; CODE XREF: KeThawProcess(x,x)+93j
		push	[ebp+var_14]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_18]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		jmp	short loc_4C4D86
; 

loc_4C4DA0:				; CODE XREF: KeThawProcess(x,x)+8Bj
		mov	ecx, [ebp+var_C]

loc_4C4DA3:				; CODE XREF: KeThawProcess(x,x)+10Bj
		add	[eax-124h], ecx
		adc	[eax-120h], edx
		mov	eax, [eax]
		cmp	eax, edi
		jnz	short loc_4C4DA3
		jmp	loc_4C4D35
_KeThawProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiThawSingleThread(x, x, x)
_KiThawSingleThread@12 proc near	; CODE XREF: KeForceResumeProcess(x)+74p
					; KeThawProcess(x,x)+ACp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		lea	edi, [esi+1C4h]
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	eax, [esi+5Ch]
		test	dword ptr [eax], 4000h
		jz	short loc_4C4E07

loc_4C4DDE:				; CODE XREF: KiThawSingleThread(x,x,x)+53j
		lock btr dword ptr [eax], 0Eh
		cmp	byte ptr [esi+18Ch], 0
		jnz	short loc_4C4DF8
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	ecx, esi
		call	KiResumeThread

loc_4C4DF8:				; CODE XREF: KiThawSingleThread(x,x,x)+30j
					; KiThawSingleThread(x,x,x)+51j
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4C4E07:				; CODE XREF: KiThawSingleThread(x,x,x)+22j
		cmp	byte ptr [ebp+arg_0], 0
		jz	short loc_4C4DF8
		jmp	short loc_4C4DDE
_KiThawSingleThread@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeFreezeProcess	proc near		; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+FFp
					; PsFreezeProcess+1Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1], dl
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [edi+34h]
		mov	byte ptr [ebp+var_5], al
		mov	eax, large fs:20h
		push	ebx
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ebx
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	esi, [edi+64h]
		mov	eax, [edi+98h]
		mov	cl, [ebp+var_1]
		shr	esi, 3
		and	esi, 1
		add	esi, eax
		test	cl, cl
		jz	short loc_4C4EC8
		xor	cl, cl
		call	KiQueryUnbiasedInterruptTime
		mov	[edi+38h], eax
		lea	eax, [edi+64h]
		mov	[edi+3Ch], edx
		lock bts dword ptr [eax], 3
		mov	cl, [ebp+var_1]

loc_4C4E6E:				; CODE XREF: KeFreezeProcess+BFj
		test	esi, esi
		jnz	sub_5C4AF1
		add	edi, 2Ch
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_4C4E9F
		mov	ebx, [ebp+var_C]

loc_4C4E82:				; CODE XREF: KeFreezeProcess+8Aj
		lea	edx, [esi-1D4h]
		test	cl, cl
		jz	short loc_4C4EBD

loc_4C4E8C:				; CODE XREF: KeFreezeProcess+B4j
		mov	ecx, ebx
		call	_KiFreezeSingleThread@8	; KiFreezeSingleThread(x,x)
		mov	cl, [ebp+var_1]

loc_4C4E96:				; CODE XREF: KeFreezeProcess+B6j
		mov	esi, [esi]
		cmp	esi, edi
		jnz	short loc_4C4E82
		mov	ebx, [ebp+var_10]

loc_4C4E9F:				; CODE XREF: KeFreezeProcess+6Dj
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		push	[ebp+var_5]
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		push	0
		push	1
		call	KiExitDispatcher
		xor	eax, eax

loc_4C4EB8:				; CODE XREF: sub_5C4AF1+11j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4C4EBD:				; CODE XREF: KeFreezeProcess+7Aj
		test	dword ptr [edx+58h], 200000h
		jz	short loc_4C4E8C
		jmp	short loc_4C4E96
; 

loc_4C4EC8:				; CODE XREF: KeFreezeProcess+44j
		inc	eax
		mov	[edi+98h], eax
		jmp	short loc_4C4E6E
KeFreezeProcess	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiFreezeSingleThread(x, x)
_KiFreezeSingleThread@8	proc near	; CODE XREF: KeStartThread+302p
					; KeFreezeProcess+7Ep
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		lea	eax, [edi+1C4h]
		mov	ecx, eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	ebx, [edi+5Ch]
		lock bts dword ptr [ebx], 0Eh
		mov	edx, esi
		mov	ecx, edi
		call	KiSuspendThread
		test	al, al
		jz	short loc_4C4F0F

loc_4C4EFD:				; CODE XREF: KiFreezeSingleThread(x,x)+42j
		mov	ecx, 0FFFFFF7Fh
		lea	eax, [edi+1C4h]
		lock and [eax],	ecx
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4C4F0F:				; CODE XREF: KiFreezeSingleThread(x,x)+29j
		lock btr dword ptr [ebx], 0Eh
		jmp	short loc_4C4EFD
_KiFreezeSingleThread@8	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1813. PsGetProcessSessionIdEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessSessionIdEx(x)
		public _PsGetProcessSessionIdEx@4
_PsGetProcessSessionIdEx@4 proc	near	; CODE XREF: PopGetSettingNotificationName+E8p
					; PopGetSessionId()+Cp	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		pop	ebp
		retn	4
_PsGetProcessSessionIdEx@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiSessionLookupImage(x)
_MiSessionLookupImage@4	proc near	; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+30Ap
					; MiSessionRemoveImage+6Cp ...
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	edx, [eax+34h]

loc_4C4F43:				; CODE XREF: MiSessionLookupImage(x)+32j
					; MiSessionLookupImage(x)+39j
		test	edx, edx
		jz	short loc_4C4F62
		cmp	ecx, [edx+18h]
		ja	short loc_4C4F5D
		mov	eax, [edx+14h]
		and	eax, 0FFFFFFFCh
		cmp	ecx, eax
		jb	short loc_4C4F65
		test	edx, edx
		jz	short loc_4C4F62
		mov	eax, edx
		retn
; 

loc_4C4F5D:				; CODE XREF: MiSessionLookupImage(x)+1Cj
		mov	edx, [edx+4]
		jmp	short loc_4C4F43
; 

loc_4C4F62:				; CODE XREF: MiSessionLookupImage(x)+17j
					; MiSessionLookupImage(x)+2Aj
		xor	eax, eax
		retn
; 

loc_4C4F65:				; CODE XREF: MiSessionLookupImage(x)+26j
		mov	edx, [edx]
		jmp	short loc_4C4F43
_MiSessionLookupImage@4	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IoControlPnpDeviceActionQueue(x)
_IoControlPnpDeviceActionQueue@4 proc near ; CODE XREF:	PopUpdateWakeSourceWorker(x)+5Ap
					; IoDiagTraceDevicesRundown()+5p ...
		mov	edi, edi
		push	ecx
		test	cl, cl
		jz	short loc_4C4F78
		call	PnpLockDeviceActionQueue
		pop	ecx
		retn
; 

loc_4C4F78:				; CODE XREF: IoControlPnpDeviceActionQueue(x)+5j
		call	PnpUnlockDeviceActionQueue
		pop	ecx
		retn
_IoControlPnpDeviceActionQueue@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpLockDeviceActionQueue proc near	; CODE XREF: IoControlPnpDeviceActionQueue(x)+7p
					; IoBuildPoDeviceNotifyList+2Bp ...

; FUNCTION CHUNK AT 005C4B07 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		mov	edi, offset _PnpSpinLock

loc_4C4F8C:				; CODE XREF: PnpLockDeviceActionQueue+FFBC1j
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeLockTree
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	_PnpEnumerationInProgress, 0
		jnz	loc_5C4B07
		push	offset _PnpEnumerationLock
		mov	_PnpEnumerationInProgress, 1
		call	_KeResetEvent@4	; KeResetEvent(x)
		test	ds:byte_70EFC6,	1
		jnz	loc_5C4B46
		xor	eax, eax
		lock and [edi],	eax

loc_4C4FD3:				; CODE XREF: PnpLockDeviceActionQueue+FFBD0j
		mov	cl, bl
		pop	edi
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
PnpLockDeviceActionQueue endp

; 
		align 10h
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpUnlockDeviceActionQueue proc	near	; CODE XREF: IoControlPnpDeviceActionQueue(x):loc_4C4F78p
					; PopUpdateWakeSourceWorker(x)+71p ...

; FUNCTION CHUNK AT 005C4B55 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PnpSpinLock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	ecx, ecx
		cmp	_PnpEnumerationRequestList, offset _PnpEnumerationRequestList
		jnz	short loc_4C5042
		push	ecx
		push	ecx
		push	offset _PnpEnumerationLock
		mov	_PnpEnumerationInProgress, cl
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_4C501D:				; CODE XREF: PnpUnlockDeviceActionQueue+82j
		test	ds:byte_70EFC6,	1
		jnz	loc_5C4B55
		xor	eax, eax
		lock and [esi],	eax

loc_4C502F:				; CODE XREF: PnpUnlockDeviceActionQueue+FFB7Dj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	ecx, ecx
		inc	ecx
		pop	esi
		pop	ebx
		pop	ebp
		jmp	PpDevNodeUnlockTree
; 

loc_4C5042:				; CODE XREF: PnpUnlockDeviceActionQueue+27j
		push	1
		push	offset _PnpDeviceEnumerationWorkItem
		mov	dword_6CB7D8, offset PnpDeviceActionWorker
		mov	dword_6CB7DC, ecx
		mov	_PnpDeviceEnumerationWorkItem, ecx
		call	ExQueueWorkItem
		jmp	short loc_4C501D
PnpUnlockDeviceActionQueue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPolicyWorkerThread proc near		; DATA XREF: PoInitSystem+2F0o

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C4B64 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	ecx, offset _PopWorkerSpinLock
		mov	[ebp+var_1], bl
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, _PopWorkerStatus
		or	esi, [ebp+arg_0]
		xor	edi, edi

loc_4C5090:				; CODE XREF: PopPolicyWorkerThread+A7j
		mov	edx, _PopWorkerPending
		mov	eax, esi
		mov	_PopWorkerStatus, esi
		and	eax, edx
		jz	short loc_4C510F
		bsf	ebx, eax
		xor	eax, eax
		inc	eax
		mov	[ebp+arg_0], ebx
		mov	ecx, ebx
		shl	eax, cl
		mov	[ebp+var_8], eax
		not	eax
		and	edx, eax
		and	eax, esi
		test	ds:byte_70EFC6,	1
		mov	esi, offset _PopWorkerSpinLock
		mov	_PopWorkerPending, edx
		mov	_PopWorkerStatus, eax
		jnz	loc_5C4B64
		xor	eax, eax
		lock and [esi],	eax

loc_4C50DA:				; CODE XREF: PopPolicyWorkerThread+FFB0Bj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, dword ptr ds:_PopWorkerTypes[ebx*4]
		test	eax, eax
		jz	short loc_4C50F2
		call	eax ; PopPolicyWorkerActionPromote
		or	edi, eax

loc_4C50F2:				; CODE XREF: PopPolicyWorkerThread+86j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[ebp+var_1], al
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, _PopWorkerStatus
		or	esi, [ebp+var_8]
		jmp	short loc_4C5090
; 

loc_4C510F:				; CODE XREF: PopPolicyWorkerThread+3Aj
		or	edx, edi
		mov	ecx, offset _PopWorkerSpinLock
		test	ds:byte_70EFC6,	1
		mov	_PopWorkerPending, edx
		jnz	loc_5C4B76
		xor	eax, eax
		lock and [ecx],	eax

loc_4C512E:				; CODE XREF: PopPolicyWorkerThread+FFB18j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PopPolicyWorkerThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpEvaluateTargetRule proc near		; CODE XREF: EmpEvaluateUpdateRuleEvalState+41p
					; EmClientRuleEvaluate+71p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C4B83 SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_30], edx
		push	esi
		push	edi
		push	76654D45h
		mov	ecx, [ebx+4]
		mov	eax, [ebx+8]
		mov	[ebp+var_10], eax
		mov	[ebp+var_34], ecx
		mov	eax, [ecx+24h]
		mov	edi, [ecx+20h]
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_2C], ecx
		push	1000h
		push	ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_38], esi
		test	esi, esi
		jz	loc_5C4B83
		mov	eax, 1000h
		mov	[ebp+var_C], eax

loc_4C5199:				; CODE XREF: EmpEvaluateTargetRule+FFA48j
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_4]
		mov	[ebp+var_1C], esi
		test	edi, edi
		jz	loc_4C52FD

loc_4C51AA:				; CODE XREF: EmpEvaluateTargetRule+1C1j
		lea	ecx, [eax+edi]
		xor	edx, edx
		mov	eax, [ebx+0Ch]
		div	ecx
		mov	[ebp+var_24], eax
		test	edi, edi
		jz	short loc_4C51D7
		lea	eax, [ebp+var_18]
		mov	ecx, edi
		push	eax
		shl	ecx, 2
		lea	edx, [ebp+var_1C]
		call	EmpAllocatePool
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_4C52DC

loc_4C51D7:				; CODE XREF: EmpEvaluateTargetRule+7Bj
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	loc_4C52F5
		lea	ecx, [ebp+var_18]
		push	ecx
		mov	ecx, eax
		lea	edx, [ebp+var_1C]
		shl	ecx, 2
		call	EmpAllocatePool
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		jz	loc_4C5311

loc_4C5200:				; CODE XREF: EmpEvaluateTargetRule+1BAj
		cmp	[ebp+var_24], 0
		jbe	loc_4C52BA

loc_4C520A:				; CODE XREF: EmpEvaluateTargetRule+1CEj
		mov	ecx, [ebp+var_10]
		mov	esi, [ebp+var_4]
		and	[ebp+var_28], 0
		mov	ebx, [ebp+var_8]
		lea	eax, [ecx+edi*4]
		mov	[ebp+var_20], eax

loc_4C521D:				; CODE XREF: EmpEvaluateTargetRule+173j
		xor	edx, edx
		test	edi, edi
		jz	short loc_4C5246
		mov	esi, [ebp+var_14]
		mov	ebx, ecx

loc_4C5228:				; CODE XREF: EmpEvaluateTargetRule+FDj
		mov	ecx, [ebx]
		lea	ebx, [ebx+4]
		mov	eax, _EmpStringTable
		mov	eax, [eax+ecx*4]
		mov	[esi+edx*4], eax
		inc	edx
		cmp	edx, edi
		jb	short loc_4C5228
		mov	ebx, [ebp+var_8]
		mov	esi, [ebp+var_4]
		mov	eax, [ebp+var_20]

loc_4C5246:				; CODE XREF: EmpEvaluateTargetRule+E3j
		lea	ecx, [esi+edi]
		cmp	edi, ecx
		jnb	short loc_4C5265
		mov	ecx, ebx
		mov	edx, eax
		mov	ebx, esi

loc_4C5253:				; CODE XREF: EmpEvaluateTargetRule+122j
		mov	eax, [edx]
		lea	edx, [edx+4]
		mov	[ecx], eax
		lea	ecx, [ecx+4]
		sub	ebx, 1
		jnz	short loc_4C5253
		mov	ebx, [ebp+var_8]

loc_4C5265:				; CODE XREF: EmpEvaluateTargetRule+10Dj
		push	[ebp+var_18]
		mov	eax, [ebp+var_34]
		push	[ebp+var_1C]
		mov	edx, [ebp+var_14]
		push	0
		mov	ecx, [eax+40h]
		push	0
		push	[ebp+arg_0]
		push	[ebp+var_30]
		push	esi
		push	ebx
		push	edi
		call	EmpEvaluateNodeLink
		mov	[ebp+var_2C], eax
		cmp	eax, 2
		jz	short loc_4C52B7
		cmp	eax, 1
		jz	short loc_4C52B7
		mov	ecx, [ebp+var_28]
		lea	edx, [esi+edi]
		mov	eax, [ebp+var_20]
		inc	ecx
		shl	edx, 2
		add	[ebp+var_10], edx
		add	eax, edx
		cmp	ecx, [ebp+var_24]
		mov	[ebp+var_28], ecx
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_20], eax
		jb	loc_4C521D

loc_4C52B7:				; CODE XREF: EmpEvaluateTargetRule+14Ej
					; EmpEvaluateTargetRule+153j
		mov	esi, [ebp+var_38]

loc_4C52BA:				; CODE XREF: EmpEvaluateTargetRule+C6j
		mov	edi, [ebp+var_C]
		test	ebx, ebx
		jz	short loc_4C52CB
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_EmpFreePool@12	; EmpFreePool(x,x,x)

loc_4C52CB:				; CODE XREF: EmpEvaluateTargetRule+181j
					; EmpEvaluateTargetRule+1D6j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_4C52DC
		push	edi
		mov	edx, esi
		mov	ecx, eax
		call	_EmpFreePool@12	; EmpFreePool(x,x,x)

loc_4C52DC:				; CODE XREF: EmpEvaluateTargetRule+93j
					; EmpEvaluateTargetRule+192j
		test	esi, esi
		jz	short loc_4C52EB
		push	76654D45h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4C52EB:				; CODE XREF: EmpEvaluateTargetRule+1A0j
		mov	eax, [ebp+var_2C]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4C52F5:				; CODE XREF: EmpEvaluateTargetRule+9Ej
		mov	ebx, [ebp+var_8]
		jmp	loc_4C5200
; 

loc_4C52FD:				; CODE XREF: EmpEvaluateTargetRule+66j
		test	eax, eax
		jnz	loc_4C51AA
		mov	[ebp+var_24], 1
		jmp	loc_4C520A
; 

loc_4C5311:				; CODE XREF: EmpEvaluateTargetRule+BCj
		mov	edi, [ebp+var_C]
		jmp	short loc_4C52CB
EmpEvaluateTargetRule endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpEvaluateNodeLink proc near		; CODE XREF: EmpEvaluateTargetRule+143p
					; EmpEvaluateNodeLink+6Ep ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 005C4B8B SIZE 00000059 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, [ebp+arg_1C]
		and	[ebp+var_8], 0
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_C], ecx
		xor	ecx, ecx
		and	[ebp+var_24], ecx
		push	ebx
		mov	[ebp+var_28], eax
		xor	ebx, ebx
		mov	eax, [ebp+var_C]
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], edx
		push	edi
		mov	eax, [eax]
		xor	edx, edx
		xor	edi, edi
		mov	[ebp+var_20], ecx
		inc	esi
		mov	[ebp+var_4], edx
		test	eax, eax
		jz	short loc_4C53AC
		cmp	eax, esi
		jz	short loc_4C53AC
		cmp	eax, 2
		jnz	short loc_4C53A3
		push	[ebp+arg_20]
		mov	eax, [ebp+var_C]
		push	[ebp+arg_1C]
		mov	edx, [ebp+var_10]
		mov	edi, [eax+4]
		push	dword ptr [edi+8]
		mov	ecx, [edi+4]
		push	dword ptr [edi+0Ch]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	EmpEvaluateNodeLink
		mov	ebx, eax
		cmp	ebx, esi
		jz	short loc_4C53A3
		mov	al, [edi]
		cmp	al, 26h
		jnz	loc_4C55A4
		test	ebx, ebx
		jnz	loc_4C55A9

loc_4C53A1:				; CODE XREF: EmpEvaluateNodeLink+2D7j
		xor	esi, esi

loc_4C53A3:				; CODE XREF: EmpEvaluateNodeLink+45j
					; EmpEvaluateNodeLink+77j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_4C53AC:				; CODE XREF: EmpEvaluateNodeLink+3Cj
					; EmpEvaluateNodeLink+40j
		mov	ecx, [ebp+var_C]
		mov	ecx, [ecx+4]
		test	eax, eax
		jnz	loc_4C555C
		mov	edi, ecx
		cmp	[edi+10h], edx
		jz	short loc_4C53A3
		mov	edx, [edi+2Ch]
		mov	[ebp+var_14], edx
		mov	edx, [edi+24h]
		mov	[ebp+var_1C], edx
		mov	edx, [edi+28h]

loc_4C53D0:				; CODE XREF: EmpEvaluateNodeLink+261j
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_18], edx
		mov	edx, ebx
		mov	ecx, [ecx+8]
		test	ecx, ecx
		mov	[ebp+var_34], ecx
		mov	ecx, [ebp+var_20]
		jnz	loc_4C5544

loc_4C53E9:				; CODE XREF: EmpEvaluateNodeLink+241j
		mov	ecx, [ebp+arg_14]
		mov	[ebp+var_30], ecx
		mov	ecx, [ebp+arg_18]
		mov	[ebp+var_34], ecx
		mov	ecx, [ebp+var_20]

loc_4C53F8:				; CODE XREF: EmpEvaluateNodeLink+23Bj
		cmp	[ebp+var_30], ebx
		jz	loc_5C4B8B
		mov	eax, [ebp+var_1C]
		push	4
		pop	ecx
		test	eax, eax
		jz	short loc_4C543C
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_4C53A3
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_28]
		push	eax
		lea	edx, [ebp+var_2C]
		call	EmpAllocatePool
		mov	edx, eax
		mov	[ebp+var_24], edx
		test	edx, edx
		jz	loc_4C53A3
		push	4
		mov	edx, ebx
		pop	ecx

loc_4C543C:				; CODE XREF: EmpEvaluateNodeLink+F3j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_4C5473
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_5C4BDC
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_28]
		push	eax
		lea	edx, [ebp+var_2C]
		call	EmpAllocatePool
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	loc_5C4BDC

loc_4C5473:				; CODE XREF: EmpEvaluateNodeLink+12Bj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_4C54B0
		push	4
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_5C4BD4
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_28]
		push	eax
		lea	edx, [ebp+var_2C]
		call	EmpAllocatePool
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5C4BD4
		mov	edx, [ebp+var_4]
		mov	eax, [ebp+var_14]

loc_4C54B0:				; CODE XREF: EmpEvaluateNodeLink+162j
		push	eax
		push	ebx
		push	[ebp+var_18]
		mov	ecx, [ebp+var_30]
		push	edx
		push	[ebp+var_1C]
		mov	edx, [ebp+var_34]
		push	[ebp+var_24]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	[ebp+var_10]
		call	_EmpEvaluateParseNodeMapping@56	; EmpEvaluateParseNodeMapping(x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		test	al, al
		jz	short loc_4C5502
		mov	eax, [ebp+var_C]
		xor	ecx, ecx
		cmp	[eax], ecx
		jnz	loc_4C557C
		push	dword ptr [edi+18h]
		push	[ebp+var_18]
		push	[ebp+var_4]
		push	[ebp+var_1C]
		push	[ebp+var_24]
		push	[ebp+var_14]
		push	ebx
		call	dword ptr [edi+10h]

loc_4C5500:				; CODE XREF: EmpEvaluateNodeLink+289j
		mov	esi, eax

loc_4C5502:				; CODE XREF: EmpEvaluateNodeLink+1C5j
		mov	edi, [ebp+arg_20]
		test	ebx, ebx
		jz	short loc_4C5514
		mov	edx, [ebp+arg_1C]
		mov	ecx, ebx
		push	edi
		call	_EmpFreePool@12	; EmpFreePool(x,x,x)

loc_4C5514:				; CODE XREF: EmpEvaluateNodeLink+1F1j
					; EmpEvaluateNodeLink+FF8C1j
		mov	eax, [ebp+var_4]
		mov	ebx, [ebp+arg_1C]
		test	eax, eax
		jz	short loc_4C5528
		push	edi
		mov	edx, ebx
		mov	ecx, eax
		call	_EmpFreePool@12	; EmpFreePool(x,x,x)

loc_4C5528:				; CODE XREF: EmpEvaluateNodeLink+206j
					; EmpEvaluateNodeLink+FF8C9j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	loc_4C53A3
		push	[ebp+arg_20]
		mov	edx, ebx
		mov	ecx, eax
		call	_EmpFreePool@12	; EmpFreePool(x,x,x)
		jmp	loc_4C53A3
; 

loc_4C5544:				; CODE XREF: EmpEvaluateNodeLink+CDj
		mov	edx, [ebp+var_C]
		mov	edx, [edx+0Ch]
		test	edx, edx
		mov	[ebp+var_30], edx
		mov	edx, ebx
		jnz	loc_4C53F8
		jmp	loc_4C53E9
; 

loc_4C555C:				; CODE XREF: EmpEvaluateNodeLink+9Ej
		mov	[ebp+var_20], ecx
		cmp	[ecx+14h], dl
		jz	loc_4C53A3
		mov	edx, [ecx+28h]
		mov	[ebp+var_14], edx
		mov	edx, [ecx+20h]
		mov	[ebp+var_1C], edx
		mov	edx, [ecx+24h]
		jmp	loc_4C53D0
; 

loc_4C557C:				; CODE XREF: EmpEvaluateNodeLink+1CEj
		push	[ebp+var_28]
		mov	edx, [ebp+var_24]
		push	[ebp+var_2C]
		push	ecx
		push	ecx
		push	[ebp+var_14]
		mov	ecx, [ebp+var_20]
		push	ebx
		push	[ebp+var_18]
		push	[ebp+var_4]
		mov	ecx, [ecx+40h]
		push	[ebp+var_1C]
		call	EmpEvaluateNodeLink
		jmp	loc_4C5500
; 

loc_4C55A4:				; CODE XREF: EmpEvaluateNodeLink+7Dj
		cmp	ebx, 2
		jz	short loc_4C5601

loc_4C55A9:				; CODE XREF: EmpEvaluateNodeLink+85j
					; EmpEvaluateNodeLink+2EDj
		push	[ebp+arg_20]
		mov	edx, [ebp+var_10]
		push	[ebp+arg_1C]
		mov	ecx, [edi+10h]
		push	dword ptr [edi+14h]
		push	dword ptr [edi+18h]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	EmpEvaluateNodeLink
		cmp	eax, esi
		jz	loc_4C53A3
		mov	cl, [edi]
		cmp	cl, 26h
		jz	short loc_4C55F5

loc_4C55DE:				; CODE XREF: EmpEvaluateNodeLink+2E9j
		cmp	cl, 7Ch
		jnz	loc_4C53A3
		test	ebx, ebx
		jnz	short loc_4C5605
		test	eax, eax
		jz	loc_4C53A1
		jmp	short loc_4C5605
; 

loc_4C55F5:				; CODE XREF: EmpEvaluateNodeLink+2C6j
		test	ebx, ebx
		jz	short loc_4C55FD
		test	eax, eax
		jnz	short loc_4C5605

loc_4C55FD:				; CODE XREF: EmpEvaluateNodeLink+2E1j
		xor	esi, esi
		jmp	short loc_4C55DE
; 

loc_4C5601:				; CODE XREF: EmpEvaluateNodeLink+291j
		cmp	al, 7Ch
		jnz	short loc_4C55A9

loc_4C5605:				; CODE XREF: EmpEvaluateNodeLink+2D3j
					; EmpEvaluateNodeLink+2DDj ...
		push	2
		pop	esi
		jmp	loc_4C53A3
EmpEvaluateNodeLink endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EmpFreePool(x, x, x)
_EmpFreePool@12	proc near		; CODE XREF: EmpEvaluateTargetRule+188p
					; EmpEvaluateTargetRule+199p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	edx, edx
		jz	short loc_4C5628
		cmp	ecx, edx
		jb	short loc_4C5628
		mov	eax, [ebp+arg_0]
		add	eax, edx
		cmp	ecx, eax
		jnb	short loc_4C5628

loc_4C5624:				; CODE XREF: EmpFreePool(x,x,x)+25j
		pop	ebp
		retn	4
; 

loc_4C5628:				; CODE XREF: EmpFreePool(x,x,x)+7j
					; EmpFreePool(x,x,x)+Bj ...
		push	76654D45h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4C5624
_EmpFreePool@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpAllocatePool	proc near		; CODE XREF: EmpEvaluateTargetRule+89p
					; EmpEvaluateTargetRule+B0p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C4BE4 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, edx
		lea	esi, [ecx+3]
		and	esi, 0FFFFFFFCh
		push	edi
		mov	eax, [ebx]
		test	eax, eax
		jz	loc_5C4BE4
		mov	edi, [ebp+arg_0]
		mov	edx, [edi]
		cmp	edx, esi
		jb	loc_5C4BE4
		lea	ecx, [eax+esi]
		sub	edx, esi
		mov	[ebx], ecx
		mov	[edi], edx

loc_4C5666:				; CODE XREF: EmpAllocatePool+FF5BBj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
EmpAllocatePool	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EmpEvaluateParseNodeMapping(x, x, x, x, x, x, x, x,	x, x, x, x, x, x)
_EmpEvaluateParseNodeMapping@56	proc near ; CODE XREF: EmpEvaluateNodeLink+1BEp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		xor	ecx, ecx
		test	ebx, ebx
		jz	loc_4C572A
		mov	eax, [ebp+arg_2C]
		push	esi
		mov	esi, [ebp+arg_1C]
		push	edi
		mov	edi, [ebp+arg_24]
		add	edi, esi
		add	eax, edi
		mov	[ebp+var_4], edi
		cmp	edx, eax
		jnz	loc_4C5728
		mov	edx, [ebp+arg_18]
		test	edx, edx
		jz	short loc_4C56CE
		mov	[ebp+arg_18], ecx
		test	esi, esi
		jz	short loc_4C56CE
		mov	edi, ebx
		sub	edi, edx

loc_4C56AD:				; CODE XREF: EmpEvaluateParseNodeMapping(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5Ej
		mov	eax, [edi+edx]
		cmp	eax, [ebp+arg_4]
		jnb	short loc_4C5728
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+eax*4]
		mov	esi, [ebp+arg_1C]
		mov	[edx], eax
		add	edx, 4
		mov	eax, [ebp+arg_18]
		inc	eax
		mov	[ebp+arg_18], eax
		cmp	eax, esi
		jb	short loc_4C56AD

loc_4C56CE:				; CODE XREF: EmpEvaluateParseNodeMapping(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+32j
					; EmpEvaluateParseNodeMapping(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+39j
		cmp	[ebp+arg_20], ecx
		jz	short loc_4C56F9
		mov	edx, ecx
		cmp	[ebp+arg_24], ecx
		jbe	short loc_4C56F9
		lea	esi, [ebx+esi*4]

loc_4C56DD:				; CODE XREF: EmpEvaluateParseNodeMapping(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+89j
		mov	eax, [esi]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_4C5728
		mov	edi, [ebp+arg_8]
		add	esi, 4
		mov	eax, [edi+eax*4]
		mov	edi, [ebp+arg_20]
		mov	[edi+edx*4], eax
		inc	edx
		cmp	edx, [ebp+arg_24]
		jb	short loc_4C56DD

loc_4C56F9:				; CODE XREF: EmpEvaluateParseNodeMapping(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+63j
					; EmpEvaluateParseNodeMapping(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6Aj
		mov	edi, [ebp+arg_28]
		test	edi, edi
		jz	short loc_4C5726
		mov	edx, ecx
		cmp	[ebp+arg_2C], ecx
		jbe	short loc_4C5726
		mov	eax, [ebp+var_4]
		lea	esi, [ebx+eax*4]
		mov	ebx, [ebp+arg_10]

loc_4C5710:				; CODE XREF: EmpEvaluateParseNodeMapping(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B6j
		mov	eax, [esi]
		cmp	eax, [ebp+arg_14]
		jnb	short loc_4C5728
		mov	eax, [ebx+eax*4]
		add	esi, 4
		mov	[edi+edx*4], eax
		inc	edx
		cmp	edx, [ebp+arg_2C]
		jb	short loc_4C5710

loc_4C5726:				; CODE XREF: EmpEvaluateParseNodeMapping(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+90j
					; EmpEvaluateParseNodeMapping(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+97j
		mov	cl, 1

loc_4C5728:				; CODE XREF: EmpEvaluateParseNodeMapping(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+27j
					; EmpEvaluateParseNodeMapping(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+45j	...
		pop	edi
		pop	esi

loc_4C572A:				; CODE XREF: EmpEvaluateParseNodeMapping(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+Dj
		mov	al, cl
		pop	ebx
		leave
		retn	30h
_EmpEvaluateParseNodeMapping@56	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall EmpSearchTargetRuleList(x)
_EmpSearchTargetRuleList@4 proc	near	; CODE XREF: EmpUpdateRuleState+79p
					; EmClientQueryRuleState+4Dp ...
		mov	edx, _EmpTargetRuleListHead

loc_4C5738:				; CODE XREF: EmpSearchTargetRuleList(x)+16j
		xor	eax, eax
		test	edx, edx
		jz	short locret_4C574A
		lea	eax, [edx-10h]
		cmp	[eax+4], ecx
		jz	short locret_4C574A
		mov	edx, [edx]
		jmp	short loc_4C5738
; 

locret_4C574A:				; CODE XREF: EmpSearchTargetRuleList(x)+Aj
					; EmpSearchTargetRuleList(x)+12j
		retn
_EmpSearchTargetRuleList@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; int __fastcall EmpSearchRuleDatabase(void *)
_EmpSearchRuleDatabase@4 proc near	; CODE XREF: EmClientQueryRuleState+40p
					; EmClientRuleEvaluate+52p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, _EmpRuleListHead
		mov	ebx, ecx
		push	edi

loc_4C5759:				; CODE XREF: EmpSearchRuleDatabase(x)+28j
		xor	edi, edi
		test	esi, esi
		jz	short loc_4C5776
		push	10h		; size_t
		lea	edi, [esi-18h]
		push	ebx		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_4C5776
		mov	esi, [esi]
		jmp	short loc_4C5759
; 

loc_4C5776:				; CODE XREF: EmpSearchRuleDatabase(x)+11j
					; EmpSearchRuleDatabase(x)+24j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_EmpSearchRuleDatabase@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpUpdateRuleState proc	near		; CODE XREF: EmpUpdateRuleState+AEp
					; EmpRuleUpdateWorkerThread+18Ap ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C4BF6 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	edi
		xor	edi, edi
		mov	bl, 1
		mov	edx, [esi+28h]
		mov	eax, [esi+10h]
		mov	[ebp+var_4], eax
		test	edx, edx
		jnz	loc_4C583E

loc_4C57A0:				; CODE XREF: EmpUpdateRuleState+D7j
		mov	ecx, [esi+30h]

loc_4C57A3:				; CODE XREF: EmpUpdateRuleState+BDj
		test	ecx, ecx
		jz	short loc_4C57D6
		mov	eax, [ecx-4]
		cmp	dword ptr [eax+10h], 0
		jnz	loc_4C5837

loc_4C57B4:				; CODE XREF: EmpUpdateRuleState+68j
					; EmpUpdateRuleState+CBj
		xor	bl, bl

loc_4C57B6:				; CODE XREF: EmpUpdateRuleState+5Fj
		cmp	[esi+14h], bl
		jnz	short loc_4C581D

loc_4C57BB:				; CODE XREF: EmpUpdateRuleState+B7j
		mov	edi, [ebp+var_4]
		mov	[esi+14h], bl
		test	bl, bl
		jnz	short loc_4C57EA
		mov	dword ptr [esi+10h], 1

loc_4C57CC:				; CODE XREF: EmpUpdateRuleState+80j
					; EmpUpdateRuleState+85j ...
		cmp	[esi+10h], edi
		jnz	short loc_4C580F

loc_4C57D1:				; CODE XREF: EmpUpdateRuleState+9Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4C57D6:				; CODE XREF: EmpUpdateRuleState+29j
		mov	ecx, [esi+34h]

loc_4C57D9:				; CODE XREF: EmpUpdateRuleState+6Cj
		test	ecx, ecx
		jz	short loc_4C57B6
		mov	eax, [ecx-4]
		cmp	byte ptr [eax+14h], 0
		jz	short loc_4C57B4
		mov	ecx, [ecx]
		jmp	short loc_4C57D9
; 

loc_4C57EA:				; CODE XREF: EmpUpdateRuleState+47j
		cmp	edi, 1
		jnz	short loc_4C57F3
		and	dword ptr [esi+10h], 0

loc_4C57F3:				; CODE XREF: EmpUpdateRuleState+71j
		mov	ecx, esi
		call	_EmpSearchTargetRuleList@4 ; EmpSearchTargetRuleList(x)
		test	eax, eax
		jz	short loc_4C57CC
		cmp	dword ptr [eax], 0
		jle	short loc_4C57CC
		mov	edx, [ebp+var_8]
		mov	ecx, eax
		call	EmpEvaluateUpdateRuleEvalState
		jmp	short loc_4C57CC
; 

loc_4C580F:				; CODE XREF: EmpUpdateRuleState+53j
		lea	ebx, [esi+38h]
		mov	edi, [ebx]

loc_4C5814:				; CODE XREF: EmpUpdateRuleState+FF486j
		cmp	edi, ebx
		jz	short loc_4C57D1
		jmp	loc_5C4BF6
; 

loc_4C581D:				; CODE XREF: EmpUpdateRuleState+3Dj
		mov	edi, [esi+1Ch]
		mov	[esi+14h], bl
		jmp	short loc_4C5831
; 

loc_4C5825:				; CODE XREF: EmpUpdateRuleState+B9j
		mov	ecx, [edi-4]
		xor	edx, edx
		call	EmpUpdateRuleState
		mov	edi, [edi]

loc_4C5831:				; CODE XREF: EmpUpdateRuleState+A7j
		test	edi, edi
		jz	short loc_4C57BB
		jmp	short loc_4C5825
; 

loc_4C5837:				; CODE XREF: EmpUpdateRuleState+32j
		mov	ecx, [ecx]
		jmp	loc_4C57A3
; 

loc_4C583E:				; CODE XREF: EmpUpdateRuleState+1Ej
		mov	ecx, [esi+2Ch]

loc_4C5841:				; CODE XREF: EmpUpdateRuleState+DDj
		mov	eax, [ecx]
		cmp	dword ptr [eax+10h], 0
		jle	loc_4C57B4
		inc	edi
		add	ecx, 4
		cmp	edi, edx
		jnb	loc_4C57A0
		jmp	short loc_4C5841
EmpUpdateRuleState endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PipIsDevNodeDNStarted(x)
_PipIsDevNodeDNStarted@4 proc near	; CODE XREF: PipSetDevNodeState+4Cp
					; PipSetDevNodeState+CCp ...
		mov	eax, [ecx+0ACh]
		cmp	eax, 304h
		jle	short loc_4C587B
		cmp	eax, 301h
		jl	short loc_4C587B
		cmp	eax, 30Dh
		jg	short loc_4C587B
		xor	eax, eax
		inc	eax
		retn
; 

loc_4C587B:				; CODE XREF: PipIsDevNodeDNStarted(x)+Bj
					; PipIsDevNodeDNStarted(x)+12j	...
		xor	eax, eax
		retn
_PipIsDevNodeDNStarted@4 endp


;  S U B	R O U T	I N E 


; __stdcall PipAreDriversLoaded(x)
_PipAreDriversLoaded@4 proc near	; CODE XREF: PiControlGetUserFlagsFromDeviceNode+9p
					; IoReportDetectedDevice+26Ap ...
		mov	edx, [ecx+0B0h]
		mov	ecx, [ecx+0ACh]
		jmp	PipAreDriversLoadedWorker
_PipAreDriversLoaded@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


PipAreDriversLoadedWorker proc near	; CODE XREF: PipAreDriversLoaded(x)+Cj
					; PipSetDevNodeState+43p ...

; FUNCTION CHUNK AT 005C4C07 SIZE 0000000C BYTES

		mov	edi, edi

loc_4C5892:				; CODE XREF: PipAreDriversLoadedWorker+FF37Ej
		lea	eax, [ecx-301h]
		cmp	eax, 13h
		ja	short loc_4C58AF
		movzx	eax, ds:byte_4C58C0[eax]
		jmp	ds:off_4C58B4[eax*4]

loc_4C58AB:				; DATA XREF: .text:004C58B8o
		xor	eax, eax
		inc	eax
		retn
; 

loc_4C58AF:				; CODE XREF: PipAreDriversLoadedWorker+Bj
					; PipAreDriversLoadedWorker+14j
					; DATA XREF: ...
		xor	eax, eax
		retn
PipAreDriversLoadedWorker endp

; 
		align 4
off_4C58B4	dd offset loc_4C58AF	; DATA XREF: PipAreDriversLoadedWorker+14r
		dd offset loc_4C58AB
		dd offset loc_5C4C07
byte_4C58C0	db 0			; DATA XREF: PipAreDriversLoadedWorker+Dr
		align 2
		add	[ecx], eax
		add	[ecx], eax
		add	[ecx], eax
		add	[ecx], eax
		add	[ecx], eax
		add	[edx], eax
		add	[ecx], eax
		add	[eax], eax
		add	[eax], eax

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiControlAllocateBufferForUserModeCaller proc near ; CODE XREF:	PiControlGetPropertyData+E6p
					; PiControlGetRelatedDevice+61p ...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C4C13 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		test	edi, edi
		jz	short loc_4C58FA
		cmp	[ebp+arg_0], 0
		jnz	loc_5C4C13
		mov	eax, [ebp+arg_4]
		mov	[esi], eax

loc_4C58F2:				; CODE XREF: PiControlAllocateBufferForUserModeCaller+29j
					; PiControlAllocateBufferForUserModeCaller+FF368j
		xor	eax, eax

loc_4C58F4:				; CODE XREF: PiControlAllocateBufferForUserModeCaller+FF357j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_4C58FA:				; CODE XREF: PiControlAllocateBufferForUserModeCaller+Dj
		and	dword ptr [esi], 0
		jmp	short loc_4C58F2
PiControlAllocateBufferForUserModeCaller endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopGetConsoleDisplayRequestCount()
_PopGetConsoleDisplayRequestCount@0 proc near ;	CODE XREF: PopPolicySystemIdle()+3Dp

var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1F		= word ptr -1Fh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_1F], ax
		mov	[ebp+var_1D], bl
		mov	[ebp+var_4], ebx
		cmp	_PsWin32CalloutsEstablished, al
		jz	short loc_4C597A
		call	_RtlGetActiveConsoleId@0 ; RtlGetActiveConsoleId()
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_4C5977
		call	_TtmIsEnabled@0	; TtmIsEnabled()
		test	al, al
		jnz	short loc_4C597F
		xor	eax, eax
		mov	[ebp+var_1D], bl
		mov	[ebp+var_1F], ax
		lea	edx, [ebp+var_24]
		push	4
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ebx
		pop	ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	1
		push	5
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], ecx
		pop	ecx
		mov	[ebp+var_24], 2
		mov	[ebp+var_20], bl
		call	PopInvokeWin32Callout
		test	eax, eax
		js	short loc_4C597A

loc_4C5977:				; CODE XREF: PopGetConsoleDisplayRequestCount()+2Cj
		mov	ebx, [ebp+var_4]

loc_4C597A:				; CODE XREF: PopGetConsoleDisplayRequestCount()+1Dj
					; PopGetConsoleDisplayRequestCount()+75j ...
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_4C597F:				; CODE XREF: PopGetConsoleDisplayRequestCount()+35j
		call	_TtmGetSessionDisplayRequiredCount@4 ; TtmGetSessionDisplayRequiredCount(x)
		mov	ebx, eax
		jmp	short loc_4C597A
_PopGetConsoleDisplayRequestCount@0 endp

; [00000005 BYTES: COLLAPSED FUNCTION MmGetNextSession(x). PRESS KEYPAD	"+" TO EXPAND]
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetNextSession(x,	x)
_MiGetNextSession@8 proc near		; CODE XREF: MmGetNextSession(x)j
					; ExpHpCompactSessionPools():loc_4C610Cp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	ebx, ecx
		mov	[ebp+var_8], ebx
		stosd
		stosd
		call	_KeIsExecutingInArbitraryThreadContext@0 ; KeIsExecutingInArbitraryThreadContext()
		test	eax, eax
		jz	short loc_4C59B5
		and	[ebp+var_4], 0
		jmp	short loc_4C59C4
; 

loc_4C59B5:				; CODE XREF: MiGetNextSession(x,x)+1Fj
		mov	eax, large fs:124h
		push	eax
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		mov	[ebp+var_4], eax

loc_4C59C4:				; CODE XREF: MiGetNextSession(x,x)+25j
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_4C59D2
		mov	esi, [ebx+180h]
		jmp	short loc_4C59D4
; 

loc_4C59D2:				; CODE XREF: MiGetNextSession(x,x)+3Aj
		xor	esi, esi

loc_4C59D4:				; CODE XREF: MiGetNextSession(x,x)+42j
		lea	edx, [ebp+var_14]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	esi, esi
		jnz	short loc_4C5A40
		mov	esi, dword_6D35C0
		test	esi, esi
		jnz	short loc_4C5A43
		test	ds:byte_70EFC6,	1
		jz	short loc_4C5A05
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4C5A30
; 

loc_4C5A05:				; CODE XREF: MiGetNextSession(x,x)+68j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_4C5A24
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_4C5A30
		call	KxWaitForLockChainValid

loc_4C5A24:				; CODE XREF: MiGetNextSession(x,x)+7Cj
		xor	ecx, ecx
		mov	[ebp+var_14], edi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_4C5A30:				; CODE XREF: MiGetNextSession(x,x)+75j
					; MiGetNextSession(x,x)+8Fj
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		jmp	loc_4C5AD9
; 

loc_4C5A40:				; CODE XREF: MiGetNextSession(x,x)+55j
		mov	esi, [esi+50h]

loc_4C5A43:				; CODE XREF: MiGetNextSession(x,x)+5Fj
		cmp	esi, offset dword_6D35C0
		jz	short loc_4C5A7E
		mov	ebx, [ebp+var_4]

loc_4C5A4E:				; CODE XREF: MiGetNextSession(x,x)+EBj
		lea	ecx, [esi-50h]
		call	MiSelectSessionAttachProcess
		mov	edi, eax
		test	edi, edi
		jz	short loc_4C5A71
		test	ebx, ebx
		jz	short loc_4C5A7B
		cmp	[esi+2400h], ebx
		jz	short loc_4C5A7B
		mov	ecx, edi
		call	ObfDereferenceObject
		xor	edi, edi

loc_4C5A71:				; CODE XREF: MiGetNextSession(x,x)+CCj
		mov	esi, [esi]
		cmp	esi, offset dword_6D35C0
		jnz	short loc_4C5A4E

loc_4C5A7B:				; CODE XREF: MiGetNextSession(x,x)+D0j
					; MiGetNextSession(x,x)+D8j
		mov	ebx, [ebp+var_8]

loc_4C5A7E:				; CODE XREF: MiGetNextSession(x,x)+BBj
		test	ds:byte_70EFC6,	1
		jz	short loc_4C5A94
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4C5AC3
; 

loc_4C5A94:				; CODE XREF: MiGetNextSession(x,x)+F7j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_4C5AB3
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_4C5AC3
		call	KxWaitForLockChainValid

loc_4C5AB3:				; CODE XREF: MiGetNextSession(x,x)+10Bj
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_4C5AC3:				; CODE XREF: MiGetNextSession(x,x)+104j
					; MiGetNextSession(x,x)+11Ej
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jz	short loc_4C5AD7
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_4C5AD7:				; CODE XREF: MiGetNextSession(x,x)+140j
		mov	eax, edi

loc_4C5AD9:				; CODE XREF: MiGetNextSession(x,x)+ADj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiGetNextSession@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2109. RtlGetActiveConsoleId

;  S U B	R O U T	I N E 


; __stdcall RtlGetActiveConsoleId()
		public _RtlGetActiveConsoleId@0
_RtlGetActiveConsoleId@0 proc near	; CODE XREF: PopGetConsoleDisplayRequestCount()+1Fp
					; PopPowerButtonWorkCallback(x):loc_658152p ...
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	short loc_4C5AF5
		mov	eax, 0FFDF02D8h
		mov	eax, [eax]
		retn
; 

loc_4C5AF5:				; CODE XREF: RtlGetActiveConsoleId()+7j
		call	_KeIsExecutingInArbitraryThreadContext@0 ; KeIsExecutingInArbitraryThreadContext()
		test	eax, eax
		jnz	short loc_4C5B16
		mov	eax, large fs:124h
		push	eax
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		test	eax, eax
		jz	short loc_4C5B16
		mov	eax, [eax+2F8h]
		jmp	short loc_4C5B1B
; 

loc_4C5B16:				; CODE XREF: RtlGetActiveConsoleId()+18j
					; RtlGetActiveConsoleId()+28j
		mov	eax, offset _PspHostSiloGlobals

loc_4C5B1B:				; CODE XREF: RtlGetActiveConsoleId()+30j
		mov	eax, [eax+28Ch]
		mov	eax, [eax+4]
		retn
_RtlGetActiveConsoleId@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1103. KeAreApcsDisabled

;  S U B	R O U T	I N E 


; __stdcall KeAreApcsDisabled()
		public _KeAreApcsDisabled@0
_KeAreApcsDisabled@0 proc near		; CODE XREF: PopDispatchNotificationsToList+D4p
					; PopPolicyWorkerNotify()+35p ...
		mov	eax, large fs:124h
		cmp	dword ptr [eax+13Ch], 0
		setnz	al
		retn
_KeAreApcsDisabled@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopResetIdleTime(x)
_PopResetIdleTime@4 proc near		; CODE XREF: PopSystemRequiredSet(x)+3j
					; PopUserPresentSet:loc_563F25p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	_PopPlatformAoAc, 0
		mov	ecx, esi
		pop	esi
		jnz	_PopHandleSystemIdleReset@4 ; PopHandleSystemIdleReset(x)
		xor	eax, eax
		mov	_PopIsAboutToSleep, al
		mov	dword_6C22A8, eax
		mov	byte_6C22F0, al
		mov	dword_6C22E0, eax
		jmp	$+5
_PopResetIdleTime@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceSystemIdleTimeReset(x)
_PopTraceSystemIdleTimeReset@4 proc near

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_28], ecx
		jz	short loc_4C5BE8
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_SYSTEM_IDLE_TIME_RESET
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_4C5BE5
		push	4
		pop	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		xor	edx, edx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_18], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_4C5BE5:				; CODE XREF: PopTraceSystemIdleTimeReset(x)+3Cj
		pop	edi
		pop	esi
		pop	ebx

loc_4C5BE8:				; CODE XREF: PopTraceSystemIdleTimeReset(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopTraceSystemIdleTimeReset@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExGetSessionPoolTagInfo	proc near	; CODE XREF: ExGetAttachedSessionPoolTagInfo(x,x,x,x)+4Ap
					; EtwpPoolRunDown(x,x)+217p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= byte ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C4C41 SIZE 00000086 BYTES

		push	48h
		push	offset dword_6A1EA0
		call	__SEH_prolog4
		mov	[ebp+var_44], edx
		xor	eax, eax
		lea	edi, [ebp+var_58]
		stosd
		stosd
		stosd
		xor	esi, esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_38], ecx
		xor	ebx, ebx
		inc	ebx
		mov	ecx, ebx
		call	MmAcquireSessionPoolRundown
		test	eax, eax
		jz	loc_5C4C41
		mov	ecx, _ExpSessionPoolTrackTable
		mov	[ebp+var_1C], ecx
		imul	eax, _ExpSessionPoolTrackTableSize, 30h
		add	eax, ecx
		mov	[ebp+var_24], eax
		lea	edx, [ebp+var_58]
		mov	ecx, offset _ExpTaggedPoolLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	eax, [eax+2428h]
		mov	[ebp+var_28], eax
		test	ds:byte_70EFC6,	bl
		jnz	loc_5C4C4B
		mov	eax, [ebp+var_58]
		test	eax, eax
		jnz	loc_5C4C63
		mov	edx, [ebp+var_54]
		lea	eax, [ebp+var_58]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_58]
		cmp	eax, ecx
		jnz	loc_5C4C5B

loc_4C5C99:				; CODE XREF: ExGetSessionPoolTagInfo+FF062j
					; ExGetSessionPoolTagInfo+FF078j
		mov	cl, [ebp+var_50]
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	ebx
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_4C5DAF
		mov	edi, esi
		mov	[ebp+var_3C], esi

loc_4C5CB4:				; CODE XREF: ExGetSessionPoolTagInfo+262j
		mov	[ebp+ms_exc.disabled], esi
		mov	ebx, [ebp+var_44]

loc_4C5CBA:				; CODE XREF: ExGetSessionPoolTagInfo+153j
					; ExGetSessionPoolTagInfo+15Ej	...
		mov	ecx, [ebp+var_1C]
		cmp	ecx, [ebp+var_24]
		jnb	loc_4C5D74
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_4C5D3B
		inc	[ebp+var_30]
		mov	eax, [ebp+var_34]
		add	eax, 1Ch
		mov	[ebp+var_34], eax
		cmp	eax, 1Ch
		jb	loc_5C4CAB
		cmp	eax, ebx
		ja	loc_4C5D6B
		inc	[ebp+var_2C]
		mov	eax, [ebp+var_1C]
		mov	eax, [eax]
		mov	edx, [ebp+var_38]
		mov	[edx], eax
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+20h]
		mov	[edx+4], eax
		mov	eax, [ecx+28h]
		mov	[edx+8], eax
		mov	eax, [ecx+18h]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+8]
		mov	[edx+10h], eax
		mov	eax, [ecx+10h]
		mov	[edx+14h], eax
		mov	eax, [ecx+4]
		mov	[edx+18h], eax
		mov	eax, [edx+8]
		cmp	[edx+4], eax
		jb	loc_5C4CB7

loc_4C5D29:				; CODE XREF: ExGetSessionPoolTagInfo+FF0C6j
		mov	eax, [edx+14h]
		cmp	[edx+10h], eax
		jb	loc_5C4CBF

loc_4C5D35:				; CODE XREF: ExGetSessionPoolTagInfo+FF0CEj
		add	edx, 1Ch
		mov	[ebp+var_38], edx

loc_4C5D3B:				; CODE XREF: ExGetSessionPoolTagInfo+D6j
					; ExGetSessionPoolTagInfo+17Ej
		mov	ecx, [ebp+var_1C]
		add	ecx, 30h
		mov	[ebp+var_1C], ecx
		cmp	ecx, [ebp+var_24]
		jnz	loc_4C5CBA
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	loc_4C5CBA
		mov	[ebp+var_1C], edi
		imul	eax, 30h
		add	eax, edi
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], esi
		jmp	loc_4C5CBA
; 

loc_4C5D6B:				; CODE XREF: ExGetSessionPoolTagInfo+EFj
		mov	[ebp+var_20], 0C0000004h
		jmp	short loc_4C5D3B
; 

loc_4C5D74:				; CODE XREF: ExGetSessionPoolTagInfo+CCj
					; ExGetSessionPoolTagInfo+FF0BEj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_4C5D7B:				; CODE XREF: sub_5C4CD5+15j
		xor	ecx, ecx
		call	MmAcquireSessionPoolRundown
		test	edi, edi
		jnz	loc_4C5E5B

loc_4C5D8A:				; CODE XREF: ExGetSessionPoolTagInfo+26Ej
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_2C]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_30]
		mov	[ecx], eax
		mov	eax, [ebp+var_20]

loc_4C5D9D:				; CODE XREF: ExGetSessionPoolTagInfo+FF052j
					; ExGetSessionPoolTagInfo+FF089j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4C5DAF:				; CODE XREF: ExGetSessionPoolTagInfo+B5j
		imul	ecx, eax, 30h
		mov	[ebp+var_40], ecx
		mov	eax, large fs:20h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		push	esi
		or	eax, 80000000h
		push	eax
		push	6F666E49h
		mov	edx, ecx
		mov	ecx, 200h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		mov	[ebp+var_3C], edi
		test	edi, edi
		jz	loc_5C4C71
		lea	edx, [ebp+var_58]
		mov	ecx, offset _ExpTaggedPoolLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	eax, [eax+2424h]
		mov	[ebp+var_4C], eax
		push	[ebp+var_40]	; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		test	ds:byte_70EFC6,	1
		jnz	loc_5C4C82
		mov	eax, [ebp+var_58]
		test	eax, eax
		jnz	loc_5C4C9A
		mov	edx, [ebp+var_54]
		lea	eax, [ebp+var_58]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_58]
		cmp	eax, ecx
		jnz	loc_5C4C92

loc_4C5E51:				; CODE XREF: ExGetSessionPoolTagInfo+FF099j
					; ExGetSessionPoolTagInfo+FF0B2j
		mov	cl, [ebp+var_50]
		call	ebx
		jmp	loc_4C5CB4
; 

loc_4C5E5B:				; CODE XREF: ExGetSessionPoolTagInfo+190j
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4C5D8A
ExGetSessionPoolTagInfo	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockStealSystemVm(x, x, x, x)
_MiLockStealSystemVm@16	proc near	; CODE XREF: MiStealPage+747p

var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		mov	ecx, [ebp+arg_0]
		xor	ebx, ebx
		shl	ecx, 9
		mov	[ebp+var_10], ecx
		cmp	ecx, dword_6D07D0
		jnb	short loc_4C5E92
		mov	eax, ebx
		mov	[ebp+var_8], ebx
		jmp	short loc_4C5EA1
; 

loc_4C5E92:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+21j
		mov	eax, ecx
		shr	eax, 15h
		movzx	eax, byte ptr dword_6D3994[eax]
		mov	[ebp+var_8], eax

loc_4C5EA1:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+28j
		lea	esi, [ecx+40000000h]
		mov	[ebp+var_C], offset loc_7FFFFF
		cmp	[ebp+var_C], esi
		mov	[ebp+var_1C], esi
		sbb	esi, esi
		inc	esi
		mov	[ebp+var_14], esi
		mov	esi, [ebp+arg_4]
		cmp	eax, 5
		jnz	short loc_4C5EFD
		mov	cl, [edi+17h]
		lea	eax, [edi+10h]
		mov	esi, 7FFFFFFFh
		lock and [eax],	esi
		mov	esi, [ebp+arg_4]
		test	cl, 10h
		mov	cl, dl
		jz	short loc_4C5EE9

loc_4C5EDA:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+141j
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4C5EE0:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+169j
					; MiLockStealSystemVm(x,x,x,x)+17Ej ...
		xor	eax, eax

loc_4C5EE2:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+256j
					; MiLockStealSystemVm(x,x,x,x)+278j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4C5EE9:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+70j
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	dword ptr [esi+8], 20h
		mov	eax, offset unk_6D3B40
		jmp	loc_4C5FF7
; 

loc_4C5EFD:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+58j
		cmp	eax, 1
		jz	loc_4C5FAE
		cmp	eax, 0Bh
		jz	loc_4C5FAE
		cmp	eax, 6
		jnz	short loc_4C5F35
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	dword ptr [esi+8], 10h
		mov	eax, offset unk_6D3840
		jmp	loc_4C5FF7
; 

loc_4C5F35:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+AAj
		cmp	eax, 0Ch
		jnz	short loc_4C5F5E
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, offset unk_6D3740
		mov	dword ptr [esi+28h], 1
		jmp	loc_4C5FF7
; 

loc_4C5F5E:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+D0j
		cmp	eax, 9
		jnz	short loc_4C5F9C
		mov	edx, ecx
		call	_MiVaIsPageFileHash@8 ;	MiVaIsPageFileHash(x,x)
		test	eax, eax
		jz	short loc_4C5F99
		push	3
		pop	ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	[ebp+arg_4], eax
		mov	ecx, 7FFFFFFFh
		mov	dword ptr [esi+28h], 2
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+arg_4]
		jmp	short loc_4C5FFA
; 

loc_4C5F99:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+104j
		mov	dl, [ebp+var_1]

loc_4C5F9C:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+F9j
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, dl
		jmp	loc_4C5EDA
; 

loc_4C5FAE:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+98j
					; MiLockStealSystemVm(x,x,x,x)+A1j
		mov	ecx, edi
		call	MiReferenceOwningSession
		mov	[esi+2Ch], eax
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esi+2Ch]
		test	ecx, ecx
		jz	loc_4C5EE0
		lea	edx, [esi+34h]
		call	MmAttachSession
		test	eax, eax
		jns	short loc_4C5FEB
		mov	[esi+2Ch], ebx
		jmp	loc_4C5EE0
; 

loc_4C5FEB:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+179j
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		or	dword ptr [esi+8], 80h

loc_4C5FF7:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+90j
					; MiLockStealSystemVm(x,x,x,x)+C8j ...
		mov	[ebp+arg_4], eax

loc_4C5FFA:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+12Fj
		mov	edx, [ebp+var_10]
		mov	ecx, eax
		push	esi
		push	[ebp+var_14]
		push	[ebp+var_8]
		call	MiSynchronizeSystemVa
		test	eax, eax
		jz	loc_4C60C5
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	ebx, eax
		mov	eax, [ebp+var_C]
		cmp	[ebp+var_1C], eax
		ja	short loc_4C6041
		mov	ecx, [ebp+var_10]
		mov	edx, ebx
		call	_MiSmallVaStillMapsFrame@8 ; MiSmallVaStillMapsFrame(x,x)
		test	eax, eax
		jnz	short loc_4C606A

loc_4C6039:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+1EEj
					; MiLockStealSystemVm(x,x,x,x)+200j
		push	2
		pop	ebx
		jmp	loc_4C60C5
; 

loc_4C6041:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+1C1j
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	edx, [eax]
		nop
		mov	eax, [eax+4]
		mov	[ebp+arg_0], eax
		mov	eax, edx
		and	eax, 1
		or	eax, ecx
		jz	short loc_4C6039
		nop
		mov	eax, [ebp+arg_0]
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		cmp	edx, ebx
		jnz	short loc_4C6039

loc_4C606A:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+1CFj
		mov	eax, [esi+28h]
		cmp	eax, 3
		jz	short loc_4C6088
		cmp	eax, 2
		jz	short loc_4C6088
		test	byte ptr [esi+8], 20h
		jnz	short loc_4C6088
		test	byte ptr [edi],	1
		jz	short loc_4C60C3
		test	byte ptr [edi+17h], 8
		jnz	short loc_4C60C3

loc_4C6088:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+208j
					; MiLockStealSystemVm(x,x,x,x)+20Dj ...
		cmp	ebx, dword_6D07B0
		ja	short loc_4C60C3
		mov	eax, dword_6D35B8
		mov	ecx, ebx
		shr	ecx, 5
		and	ebx, 1Fh
		mov	eax, [eax+ecx*4]
		mov	ecx, ebx
		shr	eax, cl
		and	eax, 1
		jz	short loc_4C60C3
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_4C60C3
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	short loc_4C60C3
		inc	eax
		jmp	loc_4C5EE2
; 

loc_4C60C3:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+218j
					; MiLockStealSystemVm(x,x,x,x)+21Ej ...
		xor	ebx, ebx

loc_4C60C5:				; CODE XREF: MiLockStealSystemVm(x,x,x,x)+1A5j
					; MiLockStealSystemVm(x,x,x,x)+1D4j
		mov	ecx, esi
		call	_MiUnlockStealVm@4 ; MiUnlockStealVm(x)
		mov	eax, [ebp+arg_4]
		mov	cl, [eax+60h]
		and	cl, 7
		cmp	cl, 3
		jz	loc_4C5EE0
		mov	eax, ebx
		jmp	loc_4C5EE2
_MiLockStealSystemVm@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpHpCompactSessionPools()
_ExpHpCompactSessionPools@0 proc near	; CODE XREF: ExpHpCompactionRoutine(x)+150p

var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		xor	eax, eax
		lea	edi, [esp+2Ch+var_1C]
		pop	ecx
		rep stosd
		xor	ecx, ecx

loc_4C610C:				; CODE XREF: ExpHpCompactSessionPools()+E1j
		call	_MiGetNextSession@8 ; MiGetNextSession(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_4C61CC
		lea	edx, [esp+28h+var_1C]
		mov	ecx, esi
		call	MmAttachSession
		test	eax, eax
		js	loc_4C61C5
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	edi, [eax+1D8h]
		mov	edx, [edi+1C78h]
		test	edx, edx
		jz	short loc_4C6180
		movsx	eax, word ptr [edx+112h]
		mov	cl, [edx+107h]
		mov	ebx, [eax+edx+10Ch]
		add	ebx, [eax+edx+108h]
		mov	eax, [eax+edx+104h]
		shr	eax, cl
		cmp	eax, 8
		ja	short loc_4C617C
		push	8
		pop	eax

loc_4C617C:				; CODE XREF: ExpHpCompactSessionPools()+91j
		cmp	ebx, eax
		ja	short loc_4C61DE

loc_4C6180:				; CODE XREF: ExpHpCompactSessionPools()+68j
					; ExpHpCompactSessionPools()+FFj
		mov	edx, [edi+1C7Ch]
		test	edx, edx
		jz	short loc_4C61BA
		movsx	eax, word ptr [edx+112h]
		mov	cl, [edx+107h]
		mov	edi, [eax+edx+10Ch]
		add	edi, [eax+edx+108h]
		mov	eax, [eax+edx+104h]
		shr	eax, cl
		cmp	eax, 8
		ja	short loc_4C61B6
		push	8
		pop	eax

loc_4C61B6:				; CODE XREF: ExpHpCompactSessionPools()+CBj
		cmp	edi, eax
		ja	short loc_4C61E7

loc_4C61BA:				; CODE XREF: ExpHpCompactSessionPools()+A2j
					; ExpHpCompactSessionPools()+108j
		lea	edx, [esp+28h+var_1C]
		mov	ecx, esi
		call	MmDetachSession

loc_4C61C5:				; CODE XREF: ExpHpCompactSessionPools()+42j
		mov	ecx, esi
		jmp	loc_4C610C
; 

loc_4C61CC:				; CODE XREF: ExpHpCompactSessionPools()+2Fj
		mov	ecx, [esp+28h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4C61DE:				; CODE XREF: ExpHpCompactSessionPools()+98j
		mov	ecx, edx
		call	_RtlpHpHeapCompact@8 ; RtlpHpHeapCompact(x,x)
		jmp	short loc_4C6180
; 

loc_4C61E7:				; CODE XREF: ExpHpCompactSessionPools()+D2j
		mov	ecx, edx
		call	_RtlpHpHeapCompact@8 ; RtlpHpHeapCompact(x,x)
		jmp	short loc_4C61BA
_ExpHpCompactSessionPools@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmDetachSession	proc near		; CODE XREF: MiUnlockStealVm(x)+34p
					; ExpHpCompactSessionPools()+DAp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005C4CEF SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ecx+180h]
		mov	ebx, edx
		push	edi
		lea	edi, [ebp+var_C]
		mov	ecx, offset dword_6D3540
		stosd
		lea	edx, [ebp+var_C]
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		dec	dword ptr [esi+3Ch]
		test	byte ptr [esi+4], 2
		mov	eax, [esi+3Ch]
		jnz	short loc_4C6288

loc_4C6224:				; CODE XREF: MmDetachSession+9Cj
		xor	esi, esi

loc_4C6226:				; CODE XREF: MmDetachSession+9Aj
		xor	edi, edi
		inc	edi
		test	ds:byte_70EFC6,	1
		jnz	loc_5C4CEF
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_4C6279
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_4C6271

loc_4C6250:				; CODE XREF: MmDetachSession+96j
					; MmDetachSession+FEB0Aj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	edx, edx
		mov	ecx, ebx
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		test	esi, esi
		jnz	loc_5C4CFF

loc_4C626A:				; CODE XREF: MmDetachSession+FEB19j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
; 

loc_4C6271:				; CODE XREF: MmDetachSession+5Ej
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_4C6279:				; CODE XREF: MmDetachSession+4Bj
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	edi
		jmp	short loc_4C6250
; 

loc_4C6288:				; CODE XREF: MmDetachSession+32j
		test	eax, eax
		jz	short loc_4C6226
		jmp	short loc_4C6224
MmDetachSession	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmAttachSession	proc near		; CODE XREF: MiLockStealSystemVm(x,x,x,x)+172p
					; ExpHpCompactSessionPools()+3Bp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C4D0E SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], edx
		lea	edi, [ebp+var_14]
		mov	ebx, ecx
		stosd
		lea	edx, [ebp+var_14]
		mov	ecx, offset dword_6D3540
		mov	esi, [ebx+180h]
		stosd
		stosd
		mov	eax, large fs:124h
		mov	edi, [eax+80h]
		mov	eax, [edi+180h]
		mov	[ebp+var_4], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	byte ptr [esi+4], 2
		jnz	loc_5C4D0E
		inc	dword ptr [esi+3Ch]
		test	ds:byte_70EFC6,	1
		jnz	loc_5C4D66
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_4C6341
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jnz	short loc_4C6339

loc_4C6302:				; CODE XREF: MmAttachSession+C3j
					; MmAttachSession+FEAE3j
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	short loc_4C6325

loc_4C6312:				; CODE XREF: MmAttachSession+A1j
					; MmAttachSession+A5j ...
		push	[ebp+var_8]
		xor	edx, edx
		mov	ecx, ebx
		call	KiStackAttachProcess
		xor	eax, eax

loc_4C6320:				; CODE XREF: MmAttachSession+FEAD3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4C6325:				; CODE XREF: MmAttachSession+82j
		test	dword ptr [edi+3A8h], 1000h
		jnz	short loc_4C6312
		cmp	eax, esi
		jnz	short loc_4C6312
		mov	ebx, edi
		jmp	short loc_4C6312
; 

loc_4C6339:				; CODE XREF: MmAttachSession+72j
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid

loc_4C6341:				; CODE XREF: MmAttachSession+5Fj
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4C6302
MmAttachSession	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpHeapCompact(x, x)
_RtlpHpHeapCompact@8 proc near		; CODE XREF: ExpHpCompactionRoutine(x)+174p
					; ExpHpCompactionRoutine(x)+18Cp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+0Ch]
		mov	ecx, [edi+0B0h]
		and	esi, 13000003h
		test	ecx, ecx
		jz	short loc_4C6383
		mov	eax, large fs:124h
		cmp	ecx, [eax+2B0h]
		jz	short loc_4C63CF

loc_4C6383:				; CODE XREF: RtlpHpHeapCompact(x,x)+1Fj
					; RtlpHpHeapCompact(x,x)+7Ej
		lea	ebx, [edi+200h]
		lea	ecx, [ebx+40h]
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		test	eax, eax
		jz	short loc_4C639F
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	RtlpHpVsContextFreeList

loc_4C639F:				; CODE XREF: RtlpHpHeapCompact(x,x)+3Fj
		lea	ecx, [edi+2C0h]
		mov	edx, esi
		call	RtlpHpLfhContextCompact
		lea	ecx, [edi+100h]
		mov	edx, esi
		call	RtlpHpSegContextCompact
		lea	ecx, [edi+180h]
		mov	edx, esi
		call	RtlpHpSegContextCompact
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4C63CF:				; CODE XREF: RtlpHpHeapCompact(x,x)+2Dj
		or	esi, 1
		jmp	short loc_4C6383
_RtlpHpHeapCompact@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


RtlpHpSegContextCompact	proc near	; CODE XREF: RtlpHpHeapCompact(x,x)+60p
					; RtlpHpHeapCompact(x,x)+6Dp

var_38		= dword	ptr -38h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C4D76 SIZE 000000AF BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		mov	esi, ecx
		mov	[ebp-14h], edx
		lea	eax, [ebp-24h]
		mov	[ebp-8], esi
		push	edi
		mov	[ebp-20h], eax
		cmp	dword ptr [esi+4Ch], 0
		mov	[ebp-24h], eax
		jz	loc_4C65F4
		or	al, 0FFh
		mov	ecx, edx
		and	ecx, 1
		mov	[ebp-1], al
		mov	[ebp-10h], ecx
		jnz	short loc_4C6439
		movzx	edx, byte ptr [esi+1Ch]
		lea	ecx, [esi+40h]
		and	edx, 1
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	[ebp-1], al

loc_4C6439:				; CODE XREF: RtlpHpSegContextCompact+45j
		mov	edx, [esi+44h]
		mov	[ebp-2], al
		lea	eax, [esi+44h]
		mov	[ebp-0Ch], edx
		cmp	edx, eax
		jz	short loc_4C64AB
		lea	esp, [esp+0]

loc_4C6450:				; CODE XREF: RtlpHpSegContextCompact+C3j
		movzx	eax, byte ptr [esi+6]
		shl	eax, 4
		lea	esi, [eax+edx]
		mov	edi, esi
		sub	edi, eax
		add	edi, 1000h
		cmp	esi, edi
		jnb	short loc_4C6496

loc_4C6468:				; CODE XREF: RtlpHpSegContextCompact+B1j
		mov	eax, [esi+0Ch]
		shr	eax, 8
		not	eax
		movzx	ecx, ax
		mov	al, [esi+0Ch]
		not	al
		and	al, 1
		neg	ecx
		sbb	cl, cl
		test	cl, al
		jnz	loc_4C660B

loc_4C6486:				; CODE XREF: RtlpHpSegContextCompact+270j
		movzx	eax, byte ptr [esi+0Fh]
		shl	eax, 4
		add	esi, eax
		cmp	esi, edi
		jb	short loc_4C6468
		mov	edx, [ebp-0Ch]

loc_4C6496:				; CODE XREF: RtlpHpSegContextCompact+86j
		mov	esi, [ebp-8]

loc_4C6499:				; CODE XREF: RtlpHpSegContextCompact+FE9CFj
		mov	edx, [edx]
		lea	eax, [esi+44h]
		mov	[ebp-0Ch], edx
		cmp	edx, eax
		jnz	short loc_4C6450
		mov	al, [ebp-2]
		mov	[ebp-1], al

loc_4C64AB:				; CODE XREF: RtlpHpSegContextCompact+67j
		cmp	dword ptr [ebp-10h], 0
		jnz	loc_4C65F4
		test	byte ptr [esi+1Ch], 1
		lea	ecx, [esi+40h]
		mov	[ebp-0Ch], ecx
		jnz	loc_4C665B
		mov	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4C6692

loc_4C64D8:				; CODE XREF: RtlpHpSegContextCompact+2BAj
		xor	edi, edi
		mov	[ebp-14h], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4C65E8
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp-1Ch], esi
		cmp	ecx, edx
		jb	short loc_4C6520
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4C666C
		cmp	ecx, edx
		jb	short loc_4C6520
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4C666C

loc_4C6520:				; CODE XREF: RtlpHpSegContextCompact+120j
					; RtlpHpSegContextCompact+131j
		or	eax, 0FFFFFFFFh

loc_4C6523:				; CODE XREF: RtlpHpSegContextCompact+29Aj
		dec	word ptr [esi+13Eh]
		mov	[ebp-10h], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp-1], dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp-18h], ecx
		test	ecx, ecx
		jz	loc_4C667F
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4C66E6

loc_4C6567:				; CODE XREF: RtlpHpSegContextCompact+30Ej
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-14h], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp-1], 1
		jnz	loc_5C4DCE
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_4C65BA:				; CODE XREF: RtlpHpSegContextCompact+2A7j
					; RtlpHpSegContextCompact+FE9FEj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-1Ch], eax
		jnz	loc_4C669F

loc_4C65D1:				; CODE XREF: RtlpHpSegContextCompact+2FBj
					; RtlpHpSegContextCompact+FEA21j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4C65E8
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_4C66F3

loc_4C65E8:				; CODE XREF: RtlpHpSegContextCompact+103j
					; RtlpHpSegContextCompact+1FAj	...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_4C65F4:				; CODE XREF: RtlpHpSegContextCompact+32j
					; RtlpHpSegContextCompact+CFj ...
		mov	esi, [ebp-24h]
		lea	eax, [ebp-24h]
		cmp	esi, eax
		jnz	loc_5C4E06

loc_4C6602:				; CODE XREF: RtlpHpSegContextCompact+FEA40j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4C660B:				; CODE XREF: RtlpHpSegContextCompact+A0j
		mov	ecx, [ebp-8]
		mov	edx, esi
		call	_RtlpHpSegFreeRangeRemove@8 ; RtlpHpSegFreeRangeRemove(x,x)
		mov	al, [esi+0Ch]
		mov	edx, esi
		or	al, 1
		mov	[esi+0Ch], al
		movzx	ecx, byte ptr [esi+0Fh]
		add	ecx, ecx
		mov	al, [esi+ecx*8-4]
		or	al, 1
		mov	[esi+ecx*8-4], al
		lea	eax, [ebp-2]
		mov	ecx, [ebp-8]
		push	eax
		push	1
		push	dword ptr [ebp-14h]
		call	RtlpHpSegPageRangeCoalesce
		mov	ecx, [ebp-8]
		mov	esi, eax
		push	0
		mov	edx, esi
		call	RtlpHpSegFreeRangeInsert
		test	eax, eax
		jz	loc_4C6486
		jmp	loc_5C4D76
; 

loc_4C665B:				; CODE XREF: RtlpHpSegContextCompact+DFj
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4C65F4
; 

loc_4C666C:				; CODE XREF: RtlpHpSegContextCompact+129j
					; RtlpHpSegContextCompact+13Aj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp-0Ch]
		jmp	loc_4C6523
; 

loc_4C667F:				; CODE XREF: RtlpHpSegContextCompact+16Fj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4C65BA
		jmp	loc_5C4DBB
; 

loc_4C6692:				; CODE XREF: RtlpHpSegContextCompact+F2j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-0Ch]
		jmp	loc_4C64D8
; 

loc_4C669F:				; CODE XREF: RtlpHpSegContextCompact+1EBj
		test	edi, 8000h
		jz	short loc_4C66B0
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4C66B0:				; CODE XREF: RtlpHpSegContextCompact+2C5j
		test	byte ptr [ebp-12h], 1
		jnz	loc_5C4DE3

loc_4C66BA:				; CODE XREF: RtlpHpSegContextCompact+FEA0Fj
		test	edi, 7FFFh
		jz	short loc_4C66D1
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4C66D1:				; CODE XREF: RtlpHpSegContextCompact+2E0j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4C65D1
		jmp	loc_5C4DF4
; 

loc_4C66E6:				; CODE XREF: RtlpHpSegContextCompact+181j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp-18h]
		jmp	loc_4C6567
; 

loc_4C66F3:				; CODE XREF: RtlpHpSegContextCompact+202j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4C65E8
RtlpHpSegContextCompact	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RtlpHpSegFreeRangeRemove(x,	x)
_RtlpHpSegFreeRangeRemove@8 proc near	; CODE XREF: RtlpHpSegContextCompact+230p
					; RtlpHpSegPageRangeCoalesce+163p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		push	esi
		lea	eax, [edi+50h]
		push	eax
		call	RtlRbRemoveNode
		and	dword ptr [esi+4], 0
		and	dword ptr [esi+8], 0
		mov	eax, [esi+0Ch]
		shr	eax, 8
		not	eax
		mov	dword ptr [esi], 0CCDDCCDDh
		movzx	ecx, ax
		movsx	eax, word ptr [edi+12h]
		neg	ecx
		add	edi, 8
		add	eax, edi
		lock xadd [eax], ecx
		pop	edi
		pop	esi
		retn
_RtlpHpSegFreeRangeRemove@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


SmPerformStoreSwapOperation proc near	; CODE XREF: SMKM_STORE_SM_TRAITS___SmStInSwapStore+44p
					; SMKM_STORE_SM_TRAITS___SmStOutSwapStore+1B1p

; FUNCTION CHUNK AT 005C5489 SIZE 0000000B BYTES

		mov	edi, edi
		push	ecx
		cmp	ecx, 3
		jz	loc_5C5489
		mov	eax, large fs:124h
		cmp	ecx, 2
		mov	ecx, [eax+80h]
		jz	short loc_4C6767
		push	edx
		push	dword ptr [edx+8]
		mov	edx, [edx+4]
		call	MmOutSwapVirtualAddresses
		pop	ecx
		retn
; 

loc_4C6767:				; CODE XREF: SmPerformStoreSwapOperation+1Bj
		push	ecx
		call	MmInSwapVirtualAddresses
		pop	ecx
		retn
SmPerformStoreSwapOperation endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLogWsEmptyControl proc near		; CODE XREF: MmProcessWorkingSetControl+131p

var_76		= byte ptr -76h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C5494 SIZE 00000094 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		and	[esp+7Ch+var_74], 0
		and	[esp+7Ch+var_70], 0
		push	ebx
		push	esi
		mov	esi, dword_6D35BC
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_4C67C7
		lea	eax, [esp+88h+var_74]
		push	eax
		lea	edx, [esp+8Ch+var_70]
		call	_MiFillLogProcessInfo@12 ; MiFillLogProcessInfo(x,x,x)
		cmp	dword ptr [esi], 5
		jbe	short loc_4C67C7
		push	0
		push	10h
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_5C5494

loc_4C67C7:				; CODE XREF: MiLogWsEmptyControl+2Fj
					; MiLogWsEmptyControl+42j ...
		mov	ecx, [esp+88h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
MiLogWsEmptyControl endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPreUnlockWorkingSetShared proc near	; CODE XREF: MiUnlockWorkingSetShared+EDp
					; MiTrimOrAgeWorkingSet+D264Ep	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C5528 SIZE 00000116 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1], dl
		lea	edi, [ebp+var_10]
		mov	esi, ecx
		stosd
		mov	ecx, [esi+60h]
		stosd
		stosd
		mov	eax, large fs:124h
		lea	ebx, [eax+2FCh]
		test	dword ptr [ebx], 400000h
		jnz	loc_4C68DC
		shr	ecx, 18h
		mov	edi, offset unk_6D3C80
		test	cl, 8
		jz	loc_4C68C0
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, edi
		jz	short loc_4C6831
		lea	eax, [esi+0C0h]

loc_4C6831:				; CODE XREF: MiPreUnlockWorkingSetShared+4Dj
		and	[ebp+var_10], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_C], eax
		jnz	loc_5C5528
		lea	edx, [ebp+var_10]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_5C5537

loc_4C6852:				; CODE XREF: MiPreUnlockWorkingSetShared+FED56j
					; MiPreUnlockWorkingSetShared+FED63j
		mov	al, [esi+63h]
		and	al, 0F7h
		mov	[esi+63h], al
		test	ds:byte_70EFC6,	1
		jnz	loc_5C5544
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_4C6973
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	loc_5C5554

loc_4C6889:				; CODE XREF: MiPreUnlockWorkingSetShared+1A7j
					; MiPreUnlockWorkingSetShared+FED73j
		lock bts dword ptr [ebx], 16h
		mov	dl, [ebp+var_1]
		mov	ecx, esi
		call	MiForcedTrim
		test	eax, eax
		jnz	short loc_4C68C0
		test	byte ptr [esi+60h], 40h
		jz	short loc_4C68C0
		mov	ecx, [esi+40h]
		mov	eax, [esi+50h]
		cmp	ecx, eax
		jbe	short loc_4C68C0
		test	byte ptr [esi+4], 0Fh
		mov	dl, [ebp+var_1]
		jz	short loc_4C68B8
		lea	eax, [ecx-1]

loc_4C68B8:				; CODE XREF: MiPreUnlockWorkingSetShared+D7j
		push	eax
		mov	ecx, esi
		call	_MiReduceWs@12	; MiReduceWs(x,x,x)

loc_4C68C0:				; CODE XREF: MiPreUnlockWorkingSetShared+3Ej
					; MiPreUnlockWorkingSetShared+BEj ...
		mov	al, [esi+63h]
		test	al, 4
		jnz	loc_5C5561

loc_4C68CB:				; CODE XREF: MiPreUnlockWorkingSetShared+FEE31j
		test	al, 10h
		jnz	short loc_4C68E1

loc_4C68CF:				; CODE XREF: MiPreUnlockWorkingSetShared+176j
		test	dword ptr [ebx], 400000h
		jz	short loc_4C68DC
		lock btr dword ptr [ebx], 16h

loc_4C68DC:				; CODE XREF: MiPreUnlockWorkingSetShared+2Dj
					; MiPreUnlockWorkingSetShared+F9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4C68E1:				; CODE XREF: MiPreUnlockWorkingSetShared+F1j
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		jz	short loc_4C68F0
		lea	edi, [esi+0C0h]

loc_4C68F0:				; CODE XREF: MiPreUnlockWorkingSetShared+10Cj
		and	[ebp+var_10], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_C], edi
		jnz	loc_5C5612
		lea	edx, [ebp+var_10]
		xchg	edx, [edi]
		test	edx, edx
		jnz	short loc_4C6957

loc_4C690D:				; CODE XREF: MiPreUnlockWorkingSetShared+183j
					; MiPreUnlockWorkingSetShared+FEE40j
		mov	al, [esi+63h]
		and	al, 0EFh
		mov	[esi+63h], al
		test	ds:byte_70EFC6,	1
		jnz	loc_5C5621
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_4C6961
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	loc_5C5631

loc_4C6940:				; CODE XREF: MiPreUnlockWorkingSetShared+195j
					; MiPreUnlockWorkingSetShared+FEE50j
		lock bts dword ptr [ebx], 16h
		push	dword ptr [esi+50h]
		mov	dl, [ebp+var_1]
		mov	ecx, esi
		call	_MiReduceWs@12	; MiReduceWs(x,x,x)
		jmp	loc_4C68CF
; 

loc_4C6957:				; CODE XREF: MiPreUnlockWorkingSetShared+12Fj
		lea	ecx, [ebp+var_10]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_4C690D
; 

loc_4C6961:				; CODE XREF: MiPreUnlockWorkingSetShared+14Bj
					; MiPreUnlockWorkingSetShared+FEE5Dj
		xor	ecx, ecx
		mov	[ebp+var_10], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	short loc_4C6940
; 

loc_4C6973:				; CODE XREF: MiPreUnlockWorkingSetShared+90j
					; MiPreUnlockWorkingSetShared+FED80j
		xor	ecx, ecx
		mov	[ebp+var_10], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4C6889
MiPreUnlockWorkingSetShared endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReduceWs(x, x, x)
_MiReduceWs@12	proc near		; CODE XREF: MiPreUnlockWorkingSetShared+DFp
					; MiPreUnlockWorkingSetShared+171p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	7
		mov	ebx, edx
		mov	edi, ecx
		pop	esi

loc_4C6997:				; CODE XREF: MiReduceWs(x,x,x)+3Cj
		mov	eax, [edi+48h]
		cmp	eax, [ebp+arg_0]
		jbe	short loc_4C69C6
		sub	eax, [ebp+arg_0]
		test	esi, esi
		jz	short loc_4C69AE
		mov	edx, [edi+esi*4+18h]
		cmp	edx, eax
		jbe	short loc_4C69B0

loc_4C69AE:				; CODE XREF: MiReduceWs(x,x,x)+1Cj
		mov	edx, eax

loc_4C69B0:				; CODE XREF: MiReduceWs(x,x,x)+24j
		test	edx, edx
		jz	short loc_4C69C3
		push	50h
		push	esi
		push	ebx
		mov	ecx, edi
		call	MiTrimWorkingSet
		test	esi, esi
		jz	short loc_4C69C6

loc_4C69C3:				; CODE XREF: MiReduceWs(x,x,x)+2Aj
		dec	esi
		jmp	short loc_4C6997
; 

loc_4C69C6:				; CODE XREF: MiReduceWs(x,x,x)+15j
					; MiReduceWs(x,x,x)+39j
		mov	dl, bl
		mov	ecx, edi
		call	MiSimpleAging
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MiReduceWs@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiTrimWorkingSet proc near		; CODE XREF: MiReduceWs(x,x,x)+32p
					; MiTrimOrAgeWorkingSet+409p ...

var_3B4		= dword	ptr -3B4h
var_3B0		= dword	ptr -3B0h
var_3AC		= dword	ptr -3ACh
var_3A8		= dword	ptr -3A8h
var_3A4		= dword	ptr -3A4h
var_3A0		= dword	ptr -3A0h
var_39C		= dword	ptr -39Ch
var_398		= dword	ptr -398h
var_394		= dword	ptr -394h
var_390		= dword	ptr -390h
var_388		= dword	ptr -388h
var_384		= dword	ptr -384h
var_380		= dword	ptr -380h
var_37C		= dword	ptr -37Ch
var_378		= dword	ptr -378h
var_374		= dword	ptr -374h
var_36D		= dword	ptr -36Dh
var_368		= dword	ptr -368h
var_364		= dword	ptr -364h
var_35C		= dword	ptr -35Ch
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= word ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_2B8		= dword	ptr -2B8h
var_224		= dword	ptr -224h
var_220		= byte ptr -220h
var_21E		= byte ptr -21Eh
var_214		= dword	ptr -214h
var_20C		= dword	ptr -20Ch
var_204		= dword	ptr -204h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_CC		= dword	ptr -0CCh
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C563E SIZE 000001DD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3B8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	148h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_36D+1]
		mov	edi, edx
		mov	esi, ecx
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_374], edi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_224]
		push	4Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_1D4]
		push	108h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+arg_4]
		add	esp, 0Ch
		mov	ebx, [ebp+arg_8]
		and	edx, 0Fh
		mov	[ebp+var_36D+1], edx
		test	bl, 2
		jnz	loc_5C563E

loc_4C6A4E:				; CODE XREF: MiTrimWorkingSet+FEC71j
		test	bl, 4
		jnz	loc_5C564C

loc_4C6A57:				; CODE XREF: MiTrimWorkingSet+FEC7Fj
		test	bl, 1
		jnz	loc_4C6C2F

loc_4C6A60:				; CODE XREF: MiTrimWorkingSet+265j
		test	bl, 8
		jnz	loc_5C565A

loc_4C6A69:				; CODE XREF: MiTrimWorkingSet+FEC90j
		test	bl, 40h
		jz	short loc_4C6A7A
		or	edx, 1000h
		mov	[ebp+var_36D+1], edx

loc_4C6A7A:				; CODE XREF: MiTrimWorkingSet+96j
		test	bl, 10h
		jz	short loc_4C6AA5
		mov	eax, [esi+48h]
		or	edx, 400h
		mov	[ebp+var_36D+1], edx
		mov	[ebp+var_354], eax
		cmp	edi, eax
		ja	loc_5C566B

loc_4C6A9C:				; CODE XREF: MiTrimWorkingSet+FEC9Bj
		test	bl, 20h
		jnz	loc_5C5676

loc_4C6AA5:				; CODE XREF: MiTrimWorkingSet+A7j
					; MiTrimWorkingSet+FECACj
		cmp	dword_6D3154, 0
		jz	short loc_4C6AB7
		or	edx, 10h
		mov	[ebp+var_36D+1], edx

loc_4C6AB7:				; CODE XREF: MiTrimWorkingSet+D6j
		and	[ebp+var_344], 0
		mov	ecx, esi
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		xor	ecx, ecx
		mov	[ebp+var_350], eax
		test	byte ptr [esi+60h], 7
		mov	[ebp+var_34C], 4
		mov	[ebp+var_340], ecx
		mov	[ebp+var_348], 21h
		mov	[ebp+var_33C], ecx
		jnz	short loc_4C6AFE
		cmp	[esi+1A4h], ecx
		jnz	loc_5C5687

loc_4C6AFE:				; CODE XREF: MiTrimWorkingSet+11Aj
					; MiTrimWorkingSet+FECC7j
		mov	eax, [esi+0Ch]
		mov	[ebp+var_37C], eax
		mov	eax, [ebp+arg_4]
		cmp	eax, 8
		jnb	loc_4C6C59
		push	8
		lea	ebx, [eax+6]
		pop	edi
		lea	ebx, [esi+ebx*4]
		sub	edi, eax

loc_4C6B1E:				; CODE XREF: MiTrimWorkingSet+150j
		add	ecx, [ebx]
		lea	ebx, [ebx+4]
		sub	edi, 1
		jnz	short loc_4C6B1E
		mov	ebx, [ebp+arg_8]
		mov	[ebp+var_358], ecx
		test	ecx, ecx
		jz	loc_4C6C59
		mov	eax, [ebp+var_374]
		mov	[ebp+var_368], eax
		mov	al, byte ptr [ebp+var_36D+1]
		and	al, 0Fh
		mov	[ebp+var_1E4], offset _MiTrimPte@12 ; MiTrimPte(x,x,x)
		mov	[ebp+var_220], al
		lea	eax, [ebp+var_36D+1]
		mov	[ebp+var_1DC], eax
		mov	[ebp+var_1E0], offset MiTrimWorkingSetTail
		mov	[ebp+var_214], esi
		push	16h
		pop	eax
		mov	word ptr [ebp+var_224],	ax
		mov	al, [ebp+arg_0]
		mov	[ebp+var_21E], al
		test	edx, 1000h
		jz	loc_4C6C40
		lea	ecx, [ebp+var_224]
		call	_MiGenerateRandomPte@4 ; MiGenerateRandomPte(x)

loc_4C6BA3:				; CODE XREF: MiTrimWorkingSet+272j
		mov	[ebp+var_204], eax
		test	eax, eax
		jz	loc_4C6C4D

loc_4C6BB1:				; CODE XREF: MiTrimWorkingSet+27Ej
		lea	ecx, [ebp+var_224]
		call	MiWalkPageTables
		and	[ebp+var_378], 0
		and	[ebp+var_37C], 0
		mov	edi, dword_6D35BC
		mov	eax, [ebp+var_364]
		mov	ecx, [ebp+var_35C]
		mov	[ebp+var_374], eax
		mov	[ebp+var_380], ecx
		test	edi, edi
		jz	short loc_4C6C1E
		lea	eax, [ebp+var_378]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_37C]
		call	_MiFillLogProcessInfo@12 ; MiFillLogProcessInfo(x,x,x)
		cmp	dword ptr [edi], 5
		jbe	short loc_4C6C18
		push	0
		push	1
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_5C56A2

loc_4C6C18:				; CODE XREF: MiTrimWorkingSet+22Dj
		mov	eax, [ebp+var_374]

loc_4C6C1E:				; CODE XREF: MiTrimWorkingSet+214j
					; MiTrimWorkingSet+285j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_4C6C2F:				; CODE XREF: MiTrimWorkingSet+84j
		or	edx, 80h
		mov	[ebp+var_36D+1], edx
		jmp	loc_4C6A60
; 

loc_4C6C40:				; CODE XREF: MiTrimWorkingSet+1BCj
		mov	eax, [ebp+var_37C]
		mov	eax, [eax]
		jmp	loc_4C6BA3
; 

loc_4C6C4D:				; CODE XREF: MiTrimWorkingSet+1D5j
		or	[ebp+var_20C], 0FFFFFFFFh
		jmp	loc_4C6BB1
; 

loc_4C6C59:				; CODE XREF: MiTrimWorkingSet+137j
					; MiTrimWorkingSet+15Dj
		xor	eax, eax
		jmp	short loc_4C6C1E
MiTrimWorkingSet endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFillLogProcessInfo(x, x, x)
_MiFillLogProcessInfo@12 proc near	; CODE XREF: MiLogWsEmptyControl+3Ap
					; MiTrimWorkingSet+225p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [ecx+60h]
		push	esi
		and	al, 7
		jnz	short loc_4C6C83
		mov	eax, [ecx-15Ch]
		lea	esi, [ecx-94h]

loc_4C6C77:				; CODE XREF: MiFillLogProcessInfo(x,x,x)+2Bj
					; MiFillLogProcessInfo(x,x,x)+33j
		mov	[edx], eax
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4C6C83:				; CODE XREF: MiFillLogProcessInfo(x,x,x)+Bj
		xor	esi, esi
		cmp	al, 2
		mov	eax, esi
		jnb	short loc_4C6C77
		mov	eax, [ecx-0B8h]
		jmp	short loc_4C6C77
_MiFillLogProcessInfo@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGenerateRandomPte(x)
_MiGenerateRandomPte@4 proc near	; CODE XREF: MiTrimWorkingSet+1C8p
					; MiSimpleAging+FEBA2p	...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		lea	edx, [ebp+var_44]
		call	MiInitializeWalkBounds
		xor	ecx, ecx
		mov	esi, eax
		inc	ecx
		call	ExGenRandom
		mov	edi, eax
		rdtsc
		shrd	eax, edx, 4
		push	0
		push	esi
		shr	edx, 4
		push	edx
		push	eax
		call	__aullrem
		mov	edx, eax
		mov	eax, [ebp+var_40]
		sub	eax, [ebp+var_44]
		inc	eax
		bsr	ecx, eax
		jz	short loc_4C6CE2
		xor	eax, eax
		inc	eax
		shl	eax, cl

loc_4C6CE2:				; CODE XREF: MiGenerateRandomPte(x)+47j
		mov	ecx, [ebp+var_4]
		dec	eax
		and	eax, edi
		xor	ecx, ebp
		add	eax, [ebp+edx*8+var_44]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		pop	edi
		sub	eax, 40000000h
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiGenerateRandomPte@4 endp


;  S U B	R O U T	I N E 


MiInitializeWalkBounds proc near	; CODE XREF: MiGenerateRandomPte(x)+17p

; FUNCTION CHUNK AT 005C581B SIZE 0000005E BYTES

		mov	eax, 800h
		push	esi
		test	[ecx], ax
		jnz	short loc_4C6D78
		mov	eax, [ecx+10h]
		test	byte ptr [eax+60h], 7
		jnz	loc_5C583A
		push	edi
		mov	edi, ds:_MmHighestUserAddress
		xor	esi, esi
		add	edi, 10001h
		mov	ecx, esi

loc_4C6D2D:				; CODE XREF: MiInitializeWalkBounds+4Aj
		mov	[edx+ecx*8], esi
		cmp	ecx, 3
		jz	short loc_4C6D81
		add	esi, 40000000h
		cmp	esi, edi
		ja	short loc_4C6D81

loc_4C6D3F:				; CODE XREF: MiInitializeWalkBounds+7Fj
		lea	eax, [esi-1]
		mov	[edx+ecx*8+4], eax
		inc	ecx
		cmp	esi, edi
		jnb	short loc_4C6D50
		cmp	ecx, 3
		jb	short loc_4C6D2D

loc_4C6D50:				; CODE XREF: MiInitializeWalkBounds+45j
		mov	eax, dword_6D2E88
		mov	[edx+ecx*8], eax
		mov	esi, dword_6D2E90
		pop	edi
		test	esi, esi
		jz	loc_5C5869

loc_4C6D67:				; CODE XREF: MiInitializeWalkBounds+FEB70j
		mov	eax, dword_6D2E88
		dec	eax
		add	eax, esi
		mov	[edx+ecx*8+4], eax

loc_4C6D73:				; CODE XREF: MiInitializeWalkBounds+FEB60j
		lea	eax, [ecx+1]
		pop	esi
		retn
; 

loc_4C6D78:				; CODE XREF: MiInitializeWalkBounds+9j
		xor	esi, esi
		mov	ecx, esi
		jmp	loc_5C581B
; 

loc_4C6D81:				; CODE XREF: MiInitializeWalkBounds+2Fj
					; MiInitializeWalkBounds+39j
		mov	esi, edi
		jmp	short loc_4C6D3F
MiInitializeWalkBounds endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSimpleAging	proc near		; CODE XREF: MiReduceWs(x,x,x)+42p

var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C2		= byte ptr -2C2h
var_2C1		= byte ptr -2C1h
var_2C0		= dword	ptr -2C0h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_200		= dword	ptr -200h
var_1F8		= dword	ptr -1F8h
var_1F2		= byte ptr -1F2h
var_1E8		= dword	ptr -1E8h
var_1E0		= dword	ptr -1E0h
var_1D8		= dword	ptr -1D8h
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C5879 SIZE 000000EF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0C4h		; size_t
		xor	ebx, ebx
		mov	[ebp+var_2C2], dl
		lea	eax, [ebp+var_2C0]
		mov	edi, ecx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		push	98h		; size_t
		lea	eax, [ebp+var_A0]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		push	4Ch		; size_t
		lea	eax, [ebp+var_1F8]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		push	108h		; size_t
		lea	eax, [ebp+var_1A8]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	al, [edi+60h]
		add	esp, 30h
		mov	[ebp+var_2C1], al
		test	al, 40h
		jz	short loc_4C6E3E
		mov	eax, [edi+50h]
		xor	edx, edx
		push	5
		pop	ecx
		div	ecx
		mov	ebx, [edi+48h]
		shl	eax, 2
		mov	[ebp+var_2C8], ecx
		cmp	ebx, eax
		jb	short loc_4C6E3E
		mov	eax, [edi+0Ch]
		xor	edx, edx
		mov	esi, [edi+18h]
		mov	eax, [eax+14h]
		mov	[ebp+var_2CC], eax
		lea	ecx, [eax+esi]
		mov	eax, ebx
		div	[ebp+var_2C8]
		shl	eax, 2
		cmp	ecx, eax
		jnb	loc_5C5879

loc_4C6E3E:				; CODE XREF: MiSimpleAging+75j
					; MiSimpleAging+8Fj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
MiSimpleAging	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiEmptyWorkingSetPrivatePagesByVa proc near ; CODE XREF: MiFlushAllPages+8ABC0p
					; MmProcessWorkingSetControl+155p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C5968 SIZE 00000091 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	[ebp+var_28], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_34], edi
		mov	eax, [edi+80h]
		dec	word ptr [edi+13Eh]
		mov	[ebp+var_24], eax
		nop
		lea	esi, [eax+134h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		or	byte ptr [edi+304h], 2
		nop
		mov	eax, [ebp+var_24]
		test	byte ptr [eax+0FCh], 20h
		jnz	loc_5C5968
		mov	eax, [eax+350h]
		xor	esi, esi
		mov	[ebp+var_C], esi
		jmp	short loc_4C6EC6
; 

loc_4C6EBF:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+7Aj
		mov	esi, eax
		mov	[ebp+var_C], eax
		mov	eax, [eax]

loc_4C6EC6:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+6Fj
		test	eax, eax
		jnz	short loc_4C6EBF
		jmp	short loc_4C6ED9
; 

loc_4C6ECC:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+89j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax

loc_4C6ED4:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+25Cj
		mov	[ebp+var_C], esi
		jnz	short loc_4C6ECC

loc_4C6ED9:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+7Cj
					; MiEmptyWorkingSetPrivatePagesByVa+23Aj ...
		test	esi, esi
		jz	loc_4C70DF
		dec	word ptr [edi+13Eh]
		nop
		lea	eax, [esi+18h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_38], eax
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [edi+304h], 80h
		nop
		test	byte ptr [esi+1Ch], 4
		jnz	short loc_4C6F3B
		mov	ecx, esi
		call	_MiVadSupportsPrivateCommit@4 ;	MiVadSupportsPrivateCommit(x)
		test	eax, eax
		jz	short loc_4C6F3B
		call	_MiVadMapsLargeImage@4 ; MiVadMapsLargeImage(x)
		test	eax, eax
		jnz	short loc_4C6F3B
		mov	eax, [esi+10h]
		mov	edx, [ebp+var_28]
		mov	ecx, [ebp+var_2C]
		or	edx, 2
		shl	eax, 0Ch
		or	eax, 0FFFh
		push	eax
		mov	eax, [esi+0Ch]
		shl	eax, 0Ch
		push	eax
		call	_MiEmptyWorkingSetInitiate@16 ;	MiEmptyWorkingSetInitiate(x,x,x,x)

loc_4C6F3B:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+B6j
					; MiEmptyWorkingSetPrivatePagesByVa+C1j ...
		and	byte ptr [edi+304h], 7Fh
		lea	ecx, [esi+18h]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4C711A

loc_4C6F56:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+2D4j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4C706C
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	[ebp+var_8], eax
		mov	eax, dword_6D07D0
		shr	edx, 15h
		cmp	ecx, eax
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_8]
		jb	short loc_4C6F91
		cmp	byte ptr dword_6D3994[edx], 1
		jz	loc_4C70AF

loc_4C6F91:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+134j
		cmp	ecx, [ebp+var_20]
		jb	short loc_4C6FA3
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jz	loc_4C70AF

loc_4C6FA3:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+146j
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_20], edx

loc_4C6FA9:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+274j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, eax
		push	edx
		lea	edx, [esi+18h]
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_4C70C7
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4C7127

loc_4C6FEB:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+2E1j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [ebp+var_8]
		mov	dword ptr [ecx+10h], 0
		push	30h
		sub	ecx, [eax+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5C599C
		mov	eax, [ebp+var_8]
		movzx	ecx, byte ptr [eax+1E4h]
		bts	ecx, edx
		mov	[eax+1E4h], cl

loc_4C703D:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+28Cj
					; MiEmptyWorkingSetPrivatePagesByVa+FEB66j
		nop
		dec	byte ptr [eax+1E6h]
		mov	ecx, edi
		and	ecx, 1FFFFh
		mov	[ebp+var_30], ecx
		jnz	loc_4C7134

loc_4C7055:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+32Ej
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_4C706C
		nop
		add	eax, 70h
		cmp	[eax], eax
		jnz	loc_4C7186

loc_4C706C:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+113j
					; MiEmptyWorkingSetPrivatePagesByVa+210j ...
		mov	edi, [ebp+var_34]
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jnz	short loc_4C70A4
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		mov	[ebp+var_C], esi
		jz	loc_4C6ED9

loc_4C708E:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+24Cj
		cmp	[esi], ecx
		jz	short loc_4C709C
		mov	ecx, esi
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_4C708E

loc_4C709C:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+242j
		mov	[ebp+var_C], esi
		jmp	loc_4C6ED9
; 

loc_4C70A4:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+22Fj
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jmp	loc_4C6ED4
; 

loc_4C70AF:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+13Dj
					; MiEmptyWorkingSetPrivatePagesByVa+14Fj
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_8]
		jmp	loc_4C6FA9
; 

loc_4C70C7:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+185j
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_5C59DA
		mov	eax, ecx
		jmp	loc_4C703D
; 

loc_4C70DF:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+8Dj
		mov	esi, [ebp+var_24]
		xor	edx, edx
		and	byte ptr [edi+304h], 0FDh
		add	esi, 134h
		push	11h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	loc_4C7190

loc_4C7101:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+349j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		xor	eax, eax

loc_4C7111:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+FEB49j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4C711A:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+102j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi+18h]
		jmp	loc_4C6F56
; 

loc_4C7127:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+197j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]
		jmp	loc_4C6FEB
; 

loc_4C7134:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+201j
		test	edi, 8000h
		jz	short loc_4C7148
		xor	edx, edx
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+var_8]

loc_4C7148:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+2ECj
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5C59B9

loc_4C7152:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+FEB75j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4C7181
		and	edi, eax
		mov	edx, edi
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4C7169:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+336j
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5C59C8

loc_4C7179:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+FEB87j
		mov	eax, [ebp+var_8]
		jmp	loc_4C7055
; 

loc_4C7181:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+30Bj
		mov	edi, [ebp+var_8]
		jmp	short loc_4C7169
; 

loc_4C7186:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+218j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4C706C
; 

loc_4C7190:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+2ADj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_4C7101
MiEmptyWorkingSetPrivatePagesByVa endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiEmptyWorkingSetInitiate(x, x, x, x)
_MiEmptyWorkingSetInitiate@16 proc near	; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+E8p
					; MmAdjustWorkingSetSizeEx+2FCp ...

var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E6		= byte ptr -0E6h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= word ptr -98h
var_94		= dword	ptr -94h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		push	9Ch		; size_t
		mov	[ebp+var_F4], eax
		mov	esi, ecx
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_F0], edx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		push	4Ch		; size_t
		lea	eax, [ebp+var_EC]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	ecx, esi
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		mov	ecx, [ebp+var_F0]
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_A4], eax
		mov	[ebp+var_98], 4
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_94], 21h
		mov	[ebp+var_88], ebx
		mov	[ebp+var_AC], offset _MiEmptyPte@12 ; MiEmptyPte(x,x,x)
		mov	[ebp+var_A8], offset _MiEmptyWorkingSetTail@4 ;	MiEmptyWorkingSetTail(x)
		mov	[ebp+var_DC], esi
		push	6
		pop	eax
		mov	word ptr [ebp+var_EC], ax
		mov	eax, [ebp+var_A0]
		test	cl, 1
		jnz	short loc_4C72D8
		test	cl, 2
		jz	short loc_4C7269
		or	eax, 2

loc_4C7263:				; CODE XREF: MiEmptyWorkingSetInitiate(x,x,x,x)+13Fj
		mov	[ebp+var_A0], eax

loc_4C7269:				; CODE XREF: MiEmptyWorkingSetInitiate(x,x,x,x)+C2j
		test	cl, 4
		jnz	short loc_4C72DD

loc_4C726E:				; CODE XREF: MiEmptyWorkingSetInitiate(x,x,x,x)+14Aj
		mov	eax, [ebp+var_F4]
		mov	ecx, esi
		mov	[ebp+var_D8], edi
		mov	[ebp+var_D4], eax
		call	MiLockWorkingSetShared
		test	byte ptr [esi+60h], 7
		mov	[ebp+var_E6], al
		jnz	short loc_4C72A8
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	byte ptr [eax+0FCh], 20h
		jnz	short loc_4C72E8

loc_4C72A8:				; CODE XREF: MiEmptyWorkingSetInitiate(x,x,x,x)+F5j
		lea	ecx, [ebp+var_EC]
		call	MiWalkPageTables
		cmp	eax, 4
		jz	short loc_4C72E8

loc_4C72B8:				; CODE XREF: MiEmptyWorkingSetInitiate(x,x,x,x)+151j
		mov	dl, [ebp+var_E6]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_4C72D8:				; CODE XREF: MiEmptyWorkingSetInitiate(x,x,x,x)+BDj
		or	eax, 1
		jmp	short loc_4C7263
; 

loc_4C72DD:				; CODE XREF: MiEmptyWorkingSetInitiate(x,x,x,x)+D0j
		or	eax, 4
		mov	[ebp+var_A0], eax
		jmp	short loc_4C726E
; 

loc_4C72E8:				; CODE XREF: MiEmptyWorkingSetInitiate(x,x,x,x)+10Aj
					; MiEmptyWorkingSetInitiate(x,x,x,x)+11Aj
		mov	ebx, 0C000010Ah
		jmp	short loc_4C72B8
_MiEmptyWorkingSetInitiate@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MmStoreFlushOutstandingEvictions()
_MmStoreFlushOutstandingEvictions@0 proc near
					; CODE XREF: SmStoreCompressionStart:loc_7975D5p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, offset unk_6D5118
		push	esi
		call	ExAcquireSpinLockExclusive
		cmp	dword_6D5108, 0
		mov	bl, al
		mov	edi, offset unk_6D5138
		jnz	short loc_4C7316
		push	edi
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_4C7316:				; CODE XREF: MmStoreFlushOutstandingEvictions()+1Ej
		inc	dword_6D5108
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	esi, esi
		push	esi
		push	esi
		push	offset unk_6D5120
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	esi
		push	esi
		push	esi
		push	1Ah
		push	edi
		call	KeWaitForSingleObject
		pop	edi
		pop	esi
		pop	ebx
		retn
_MmStoreFlushOutstandingEvictions@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmQueryProcessWorkingSetSwapPages(x, x)
_MmQueryProcessWorkingSetSwapPages@8 proc near ; CODE XREF: PfpPrivSourceEnum(x,x,x)+501p
					; SmStoreCompressionStop+C8p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		test	byte ptr [esi+2A0h], 7
		jnz	short loc_4C7366
		cmp	dword ptr [esi+2D0h], 2
		ja	short loc_4C736E

loc_4C7366:				; CODE XREF: MmQueryProcessWorkingSetSwapPages(x,x)+13j
		mov	eax, 0C0000225h

loc_4C736B:				; CODE XREF: MmQueryProcessWorkingSetSwapPages(x,x)+6Fj
		pop	esi
		leave
		retn
; 

loc_4C736E:				; CODE XREF: MmQueryProcessWorkingSetSwapPages(x,x)+1Cj
		push	ebx
		push	edi
		push	offset unk_6D50F0
		mov	edi, 0C0000225h
		call	ExAcquireSpinLockExclusive
		test	byte ptr [esi+2A0h], 7
		mov	bl, al
		jnz	short loc_4C73A1
		mov	eax, [esi+2D0h]
		cmp	eax, 2
		jbe	short loc_4C73A1
		mov	eax, [eax]
		xor	edi, edi
		mov	ecx, [ebp+var_4]
		mov	eax, [eax+0Ch]
		mov	[ecx], eax

loc_4C73A1:				; CODE XREF: MmQueryProcessWorkingSetSwapPages(x,x)+40j
					; MmQueryProcessWorkingSetSwapPages(x,x)+4Bj
		push	offset unk_6D50F0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	ebx
		jmp	short loc_4C736B
_MmQueryProcessWorkingSetSwapPages@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmSwapStore proc near ; CODE	XREF: SmSwapStore(x)+57p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		test	dword ptr [edi], 40000h
		jz	loc_5C59EF
		mov	esi, [ebp+arg_0]
		cmp	esi, 1
		jz	short loc_4C73F8
		test	esi, esi
		jz	short loc_4C73F8

loc_4C73E2:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmSwapStore+4Bj
					; SMKM_STORE_MGR_SM_TRAITS___SmSwapStore+5Aj
		mov	edx, esi
		mov	ecx, edi
		call	?SmStSwapStore@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU1@W4_SM_STORE_SWAP_OPERATION@@@Z ; SMKM_STORE<SM_TRAITS>::SmStSwapStore(SMKM_STORE<SM_TRAITS> *,_SM_STORE_SWAP_OPERATION)
		test	eax, eax
		jns	short loc_4C7418

loc_4C73EF:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmSwapStore+47j
					; SMKM_STORE_MGR_SM_TRAITS___SmSwapStore+5Cj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4C73F8:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmSwapStore+22j
					; SMKM_STORE_MGR_SM_TRAITS___SmSwapStore+26j
		push	1
		call	SMKM_STORE_MGR_SM_TRAITS___SmPerformStoreMaintenance
		test	eax, eax
		js	short loc_4C73EF
		test	esi, esi
		jnz	short loc_4C73E2
		push	2
		mov	edx, edi
		mov	ecx, ebx
		call	SMKM_STORE_MGR_SM_TRAITS___SmPerformStoreMaintenance
		test	eax, eax
		jns	short loc_4C73E2
		jmp	short loc_4C73EF
; 

loc_4C7418:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmSwapStore+33j
		cmp	esi, 2
		jz	short loc_4C7421

loc_4C741D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmSwapStore+72j
		xor	eax, eax
		jmp	short loc_4C73EF
; 

loc_4C7421:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmSwapStore+61j
		push	3
		mov	edx, edi
		mov	ecx, ebx
		call	SMKM_STORE_MGR_SM_TRAITS___SmPerformStoreMaintenance
		jmp	short loc_4C741D
SMKM_STORE_MGR_SM_TRAITS___SmSwapStore endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	SMKM_STORE<struct SM_TRAITS>::SmStSwapStore(struct SMKM_STORE<struct SM_TRAITS>	*, enum	 _SM_STORE_SWAP_OPERATION)
?SmStSwapStore@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU1@W4_SM_STORE_SWAP_OPERATION@@@Z proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmSwapStore+2Cp

var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_1C]
		push	6
		pop	ecx
		xor	eax, eax
		mov	esi, edx
		rep stosd
		mov	ecx, [ebx+125Ch]
		lea	eax, [ebp+var_1C]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		sub	esi, 0
		jz	short loc_4C749E
		sub	esi, 1
		jz	short loc_4C7495
		sub	esi, 1
		jnz	short loc_4C74A7
		mov	ecx, ebx
		call	SMKM_STORE_SM_TRAITS___SmStInSwapStore

loc_4C7478:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStSwapStore(SMKM_STORE<SM_TRAITS>	*,_SM_STORE_SWAP_OPERATION)+6Ej
					; SMKM_STORE<SM_TRAITS>::SmStSwapStore(SMKM_STORE<SM_TRAITS> *,_SM_STORE_SWAP_OPERATION)+77j
		mov	esi, eax

loc_4C747A:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStSwapStore(SMKM_STORE<SM_TRAITS>	*,_SM_STORE_SWAP_OPERATION)+7Ej
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4C7495:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStSwapStore(SMKM_STORE<SM_TRAITS>	*,_SM_STORE_SWAP_OPERATION)+3Cj
		mov	ecx, ebx
		call	SMKM_STORE_SM_TRAITS___SmStOutSwapStore
		jmp	short loc_4C7478
; 

loc_4C749E:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStSwapStore(SMKM_STORE<SM_TRAITS>	*,_SM_STORE_SWAP_OPERATION)+37j
		mov	ecx, ebx
		call	?SmStOutSwapPrepareStore@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU1@@Z ; SMKM_STORE<SM_TRAITS>::SmStOutSwapPrepareStore(SMKM_STORE<SM_TRAITS> *)
		jmp	short loc_4C7478
; 

loc_4C74A7:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStSwapStore(SMKM_STORE<SM_TRAITS>	*,_SM_STORE_SWAP_OPERATION)+41j
		mov	esi, 0C000000Dh
		jmp	short loc_4C747A
?SmStSwapStore@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU1@W4_SM_STORE_SWAP_OPERATION@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmPerformStoreMaintenance proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmSwapStore+40p
					; SMKM_STORE_MGR_SM_TRAITS___SmSwapStore+53p ...

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C59F9 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		push	esi
		push	edi
		push	64576D73h
		push	20h
		push	200h
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5C59F9
		push	8
		xor	eax, eax
		mov	edi, esi
		pop	ecx
		rep stosd
		mov	eax, [esi+4]
		xor	eax, [ebx+8]
		and	eax, 7
		mov	dword ptr [esi], 5
		xor	[esi+4], eax
		lea	eax, [ebp+var_20]
		push	0
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_20]
		mov	edx, [edx+10F0h]
		push	eax
		push	esi
		call	SMKM_STORE_MGR_SM_TRAITS___SmStoreRequest
		mov	edi, eax
		test	edi, edi
		js	short loc_4C7555
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		mov	esi, eax
		lea	eax, [ebp+var_20]
		push	eax
		call	KeWaitForSingleObject
		mov	edi, [ebp+var_10]
		test	edi, edi
		js	short loc_4C755D
		xor	edi, edi

loc_4C7555:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPerformStoreMaintenance+8Bj
		test	esi, esi
		jnz	loc_5C5A03

loc_4C755D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPerformStoreMaintenance+A3j
					; SMKM_STORE_MGR_SM_TRAITS___SmPerformStoreMaintenance+FE550j ...
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
SMKM_STORE_MGR_SM_TRAITS___SmPerformStoreMaintenance endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmStoreRequest proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPerformStoreMaintenance+82p
					; SmProcessResizeRequest(x,x,x,x)+A9p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C5A10 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	eax, ecx
		mov	ebx, edx
		push	edi
		mov	[ebp+var_4], eax
		call	SmKmStoreReference
		mov	esi, eax
		test	esi, esi
		jz	short loc_4C75AE
		push	[ebp+arg_8]
		mov	edx, esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	?SmStoreRequestEx@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU1@PAU?$SMKM_STORE@USM_TRAITS@@@@PAU_SM_WORK_ITEM@1@PAU_KEVENT@@PAU_IO_STATUS_BLOCK@@@Z ;	SMKM_STORE_MGR<SM_TRAITS>::SmStoreRequestEx(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,_KEVENT *,_IO_STATUS_BLOCK *)
		mov	edi, eax
		test	edi, edi
		js	short loc_4C759D
		xor	esi, esi

loc_4C759D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreRequest+2Fj
		test	esi, esi
		jnz	loc_5C5A10

loc_4C75A5:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreRequest+49j
					; SMKM_STORE_MGR_SM_TRAITS___SmStoreRequest+FE4BEj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4C75AE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreRequest+19j
		mov	edi, 0C000000Dh
		jmp	short loc_4C75A5
SMKM_STORE_MGR_SM_TRAITS___SmStoreRequest endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmStoreRequestEx(struct SMKM_STORE_MGR<struct	SM_TRAITS> *, struct SMKM_STORE<struct SM_TRAITS> *, struct SMKM_STORE_MGR<struct SM_TRAITS>::_SM_WORK_ITEM *, struct _KEVENT *, struct	_IO_STATUS_BLOCK *)
?SmStoreRequestEx@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU1@PAU?$SMKM_STORE@USM_TRAITS@@@@PAU_SM_WORK_ITEM@1@PAU_KEVENT@@PAU_IO_STATUS_BLOCK@@@Z proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreRequest+26p
					; SMKM_STORE_MGR<SM_TRAITS>::SmStoreContentsRundown(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *)+7Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	ecx, [ebp+arg_8]
		push	esi
		mov	esi, edx
		test	ecx, ecx
		jz	short loc_4C75F0
		and	dword ptr [ecx], 0
		and	dword ptr [ecx+4], 0
		mov	eax, [ebp+arg_4]
		mov	[ecx], eax

loc_4C75D5:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoreRequestEx(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,_KEVENT	*,_IO_STATUS_BLOCK *)+3Cj
		mov	edx, [ebp+arg_0]
		push	0
		mov	[edx+18h], ecx
		mov	ecx, esi
		call	SMKM_STORE_SM_TRAITS___SmStWorkItemQueue
		mov	eax, 103h
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4C75F0:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoreRequestEx(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,_KEVENT	*,_IO_STATUS_BLOCK *)+11j
		xor	ecx, ecx
		jmp	short loc_4C75D5
?SmStoreRequestEx@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU1@PAU?$SMKM_STORE@USM_TRAITS@@@@PAU_SM_WORK_ITEM@1@PAU_KEVENT@@PAU_IO_STATUS_BLOCK@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStInSwapStore proc near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStSwapStore(SMKM_STORE<SM_TRAITS>	*,_SM_STORE_SWAP_OPERATION)+45p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C5A2D SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		lea	ebx, [eax+1254h]
		mov	[ebp+var_4], eax
		mov	esi, [ebx]
		test	esi, esi
		jnz	short loc_4C761A

loc_4C760E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStInSwapStore+2Bj
		mov	edi, 0C00000A3h

loc_4C7613:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStInSwapStore+55j
					; SMKM_STORE_SM_TRAITS___SmStInSwapStore+FE492j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4C761A:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStInSwapStore+18j
		or	edx, 0FFFFFFFFh
		cmp	esi, edx
		jz	short loc_4C760E
		mov	eax, esi
		lock cmpxchg [ebx], edx
		cmp	eax, esi
		jnz	short loc_4C7644
		mov	edx, [esi]
		test	edx, edx
		jz	loc_5C5A2D
		push	2
		pop	ecx
		call	SmPerformStoreSwapOperation
		mov	edi, eax
		jmp	loc_5C5A32
; 

loc_4C7644:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStInSwapStore+35j
		mov	edi, 0C0000476h
		jmp	short loc_4C7613
SMKM_STORE_SM_TRAITS___SmStInSwapStore endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	SMKM_STORE<struct SM_TRAITS>::SmStOutSwapPrepareStore(struct SMKM_STORE<struct SM_TRAITS> *)
?SmStOutSwapPrepareStore@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU1@@Z proc near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStSwapStore(SMKM_STORE<SM_TRAITS>	*,_SM_STORE_SWAP_OPERATION)+72p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	[ebp+var_4], ecx
		lea	ebx, [ecx+1254h]
		or	edx, 0FFFFFFFFh
		xor	eax, eax
		lock cmpxchg [ebx], edx
		test	eax, eax
		jz	short loc_4C7673
		mov	ecx, 0C0000476h

loc_4C766E:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStOutSwapPrepareStore(SMKM_STORE<SM_TRAITS> *)+7Ej
		mov	eax, ecx
		pop	ebx
		leave
		retn
; 

loc_4C7673:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStOutSwapPrepareStore(SMKM_STORE<SM_TRAITS> *)+1Bj
		mov	eax, [ecx+1180h]
		add	eax, 1Fh
		shr	eax, 5
		push	esi
		push	77536D73h
		lea	eax, ds:0Ch[eax*4]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		xor	eax, eax
		test	esi, esi
		jz	short loc_4C76CC
		mov	ecx, [ebp+var_4]
		lea	edx, [esi+4]
		push	edi
		mov	edi, esi
		push	edx
		stosd
		stosd
		stosd
		mov	ecx, [ecx+1180h]
		mov	[edx], ecx
		lea	ecx, [esi+0Ch]
		mov	[edx+4], ecx
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		or	eax, 0FFFFFFFFh
		lock cmpxchg [ebx], esi
		xor	ecx, ecx
		pop	edi

loc_4C76C9:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStOutSwapPrepareStore(SMKM_STORE<SM_TRAITS> *)+87j
		pop	esi
		jmp	short loc_4C766E
; 

loc_4C76CC:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStOutSwapPrepareStore(SMKM_STORE<SM_TRAITS> *)+51j
		mov	ecx, 0C000009Ah
		xchg	eax, [ebx]
		jmp	short loc_4C76C9
?SmStOutSwapPrepareStore@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU1@@Z endp

; 
		align 2

;  S U B	R O U T	I N E 


; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmpDummyPageRecordAllocate(struct	ST_STORE<struct	SM_TRAITS>::_ST_DATA_MGR *)
?StDmpDummyPageRecordAllocate@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+437p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	ecx, [esi+6Ch]
		call	_SmHpChunkAlloc@4 ; SmHpChunkAlloc(x)
		mov	edi, eax
		mov	[esi+1A4h], edi
		test	edi, edi
		jz	short loc_4C7710
		xor	eax, eax
		lea	ecx, [esi+6Ch]
		stosd
		stosd
		stosd
		mov	edx, [esi+1A4h]
		call	_SmHpChunkGetId@8 ; SmHpChunkGetId(x,x)
		mov	[esi+1A8h], eax
		xor	eax, eax

loc_4C770C:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmpDummyPageRecordAllocate(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+3Fj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4C7710:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmpDummyPageRecordAllocate(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+19j
		mov	eax, 0C000009Ah
		jmp	short loc_4C770C
?StDmpDummyPageRecordAllocate@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStOutSwapStore	proc near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStSwapStore(SMKM_STORE<SM_TRAITS>	*,_SM_STORE_SWAP_OPERATION)+69p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C5A8B SIZE 00000071 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_44]
		stosd
		mov	esi, ecx
		mov	[ebp+var_4], esi
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		xor	edi, edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_C], edi
		call	?StDrainReadContextList@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@@Z ; ST_STORE<SM_TRAITS>::StDrainReadContextList(ST_STORE<SM_TRAITS> *)
		lea	edx, [esi+1254h]
		mov	ebx, [edx]
		mov	[ebp+var_34], edx
		test	ebx, ebx
		jz	loc_5C5AE5
		cmp	ebx, 0FFFFFFFFh
		jz	loc_5C5AE5
		or	ecx, 0FFFFFFFFh
		mov	eax, ebx
		lock cmpxchg [edx], ecx
		cmp	eax, ebx
		jnz	loc_5C5A8B
		cmp	[ebx], edi
		jnz	loc_4C7987
		mov	eax, large fs:124h
		mov	[ebp+var_8], edi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_14], 1
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [esi+10F8h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_30], eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+1180h]
		push	77536D73h
		shl	eax, 2
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_5C5A95
		mov	[ebp+var_2C], edi

loc_4C77D5:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+2AEj
					; SMKM_STORE_SM_TRAITS___SmStOutSwapStore+320j
		mov	eax, [ebx+4]
		mov	[ebp+var_28], eax
		cmp	eax, edi
		jbe	loc_4C787F
		mov	ecx, [ebx+8]
		dec	eax
		shr	eax, 5
		mov	[ebp+var_10], edi
		lea	esi, [ecx+eax*4]
		mov	eax, edi
		shr	eax, 5
		mov	[ebp+var_20], esi
		lea	edx, [ecx+eax*4]
		cmp	edx, esi
		jz	loc_4C7A5D
		mov	esi, edi
		and	esi, 1Fh
		mov	ecx, ds:dword_40BA68[esi*4]
		or	ecx, [edx]
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_4C7A5D
		sub	edi, esi
		add	edx, 4
		mov	esi, [ebp+var_20]
		add	edi, 20h
		mov	[ebp+var_10], edi
		cmp	edx, esi
		jnb	short loc_4C783E

loc_4C782C:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+121j
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	short loc_4C783B
		add	edx, 4
		add	edi, 20h
		cmp	edx, esi
		jb	short loc_4C782C

loc_4C783B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+117j
		mov	[ebp+var_10], edi

loc_4C783E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+112j
					; SMKM_STORE_SM_TRAITS___SmStOutSwapStore+348j
		mov	eax, [ebp+var_28]
		cmp	edi, eax
		jnb	short loc_4C7855
		mov	ecx, [ebx+8]

loc_4C7848:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+138j
		bt	[ecx], edi
		jnb	short loc_4C7852
		inc	edi
		cmp	edi, eax
		jb	short loc_4C7848

loc_4C7852:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+133j
		mov	[ebp+var_10], edi

loc_4C7855:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+12Bj
		xor	esi, esi
		cmp	edx, [ebp+var_20]
		jnz	loc_4C7A73

loc_4C7860:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+370j
					; SMKM_STORE_SM_TRAITS___SmStOutSwapStore+393j	...
		mov	edx, [ebx+4]
		lea	eax, [esi+edi]
		cmp	eax, edx
		jb	loc_4C7A3D

loc_4C786E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+32Bj
					; SMKM_STORE_SM_TRAITS___SmStOutSwapStore+340j
		cmp	esi, 0FFFFFFFFh

loc_4C7871:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+334j
					; SMKM_STORE_SM_TRAITS___SmStOutSwapStore+37Fj	...
		ja	loc_5C5ABC

loc_4C7877:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+FE3A7j
		test	esi, esi
		jnz	loc_4C79C0

loc_4C787F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+C5j
		mov	esi, [ebp+var_30]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_4C7897
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_4C7897:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+176j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp+var_C]
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	ecx, ecx
		jz	loc_4C7AB0
		mov	eax, [ebp+var_18]
		lea	edx, [ebp+var_44]
		mov	[ebp+var_3C], ecx
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_40], eax
		call	SmPerformStoreSwapOperation
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		js	loc_5C5AF5
		mov	eax, [ebp+var_44]
		mov	esi, edi
		mov	[ebx], eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_24], edi
		mov	[ebp+var_10], esi

loc_4C78EB:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+FE3D8j
					; SMKM_STORE_SM_TRAITS___SmStOutSwapStore+FE3DFj
		mov	edi, [ebp+var_4]

loc_4C78EE:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+FE3C8j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_4C7949
		cmp	[ebp+var_14], 0
		jnz	short loc_4C7920
		mov	eax, large fs:124h
		mov	[ebp+var_14], 1
		dec	word ptr [eax+13Eh]
		nop
		lea	ecx, [edi+10F8h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_C]

loc_4C7920:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+1E1j
		xor	edi, edi
		test	eax, eax
		jz	short loc_4C7949
		mov	ebx, [ebp+var_C]
		mov	esi, [ebp+var_4]

loc_4C792C:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+229j
		mov	eax, [ebp+var_1C]
		mov	ecx, esi
		push	2
		sub	esp, 0Ch
		mov	edx, [eax+edi*4]
		call	?SmStUnmapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ; SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)
		inc	edi
		cmp	edi, ebx
		jb	short loc_4C792C
		mov	esi, [ebp+var_10]
		mov	ebx, [ebp+var_8]

loc_4C7949:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+1DBj
					; SMKM_STORE_SM_TRAITS___SmStOutSwapStore+20Cj
		cmp	[ebp+var_14], 0
		jz	short loc_4C7983

loc_4C794F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+FE382j
		mov	edi, [ebp+var_4]
		xor	edx, edx
		push	11h
		add	edi, 10F8h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_4C796D
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_4C796D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+24Cj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ebx, [ebp+var_8]

loc_4C7983:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+235j
		xor	edi, edi
		jmp	short loc_4C798C
; 

loc_4C7987:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+63j
		mov	esi, 0C0000021h

loc_4C798C:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+26Dj
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_4C7996

loc_4C7991:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+39Fj
		mov	eax, [ebp+var_34]
		xchg	ebx, [eax]

loc_4C7996:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+277j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_4C7ABC

loc_4C79A1:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+3ABj
		cmp	[ebp+var_18], 0
		jnz	loc_4C7A65

loc_4C79AB:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+356j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_4C79B9
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4C79B9:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+298j
					; SMKM_STORE_SM_TRAITS___SmStOutSwapStore+FE378j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4C79C0:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+161j
		add	esi, [ebp+var_10]
		cmp	[ebp+var_10], esi
		jnb	loc_4C77D5
		mov	ecx, [ebp+var_4]

loc_4C79CF:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+31Ej
		mov	eax, [ecx+1184h]
		mov	eax, [eax+edi*4]
		test	eax, 7FFF0000h
		jz	short loc_4C7A33
		test	eax, eax
		js	short loc_4C7A33
		push	4
		push	ecx
		push	0
		mov	edx, edi
		call	?SmStMapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	8
		pop	edx
		call	SmArrayGrow
		test	eax, eax
		jz	loc_5C5AC4
		mov	edx, [ebp+var_C]
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_18]
		mov	[eax+edx*4], edi
		mov	eax, [ebp+var_28]
		mov	[ecx+edx*8], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+117Ch]
		mov	[ecx+edx*8+4], eax
		inc	edx
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_C], edx

loc_4C7A33:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+2C5j
					; SMKM_STORE_SM_TRAITS___SmStOutSwapStore+2C9j
		inc	edi
		cmp	edi, esi
		jb	short loc_4C79CF
		jmp	loc_4C77D5
; 

loc_4C7A3D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+150j
		mov	ecx, [ebx+8]

loc_4C7A40:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+33Ej
		bt	[ecx], eax
		jb	loc_4C786E
		cmp	esi, 0FFFFFFFFh
		jnb	loc_4C7871
		inc	eax
		inc	esi
		cmp	eax, edx
		jb	short loc_4C7A40
		jmp	loc_4C786E
; 

loc_4C7A5D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+E5j
					; SMKM_STORE_SM_TRAITS___SmStOutSwapStore+FCj
		mov	edi, [ebp+var_10]
		jmp	loc_4C783E
; 

loc_4C7A65:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+28Dj
		push	edi
		push	[ebp+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4C79AB
; 

loc_4C7A73:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+142j
		mov	ecx, [edx]
		mov	eax, edi
		and	eax, 1Fh
		mov	[ebp+var_28], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		jnz	loc_4C7860
		push	20h
		pop	esi
		sub	esi, [ebp+var_28]
		cmp	esi, 0FFFFFFFFh
		jnb	loc_4C7871
		mov	ecx, [ebp+var_20]
		add	edx, 4

loc_4C7AA3:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+FE39Fj
		cmp	edx, ecx
		jb	loc_5C5A9F
		jmp	loc_4C7860
; 

loc_4C7AB0:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+19Cj
		mov	esi, 0C00000D9h
		mov	ebx, edi
		jmp	loc_4C7991
; 

loc_4C7ABC:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+283j
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4C79A1
SMKM_STORE_SM_TRAITS___SmStOutSwapStore	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmArrayGrow	proc near		; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+2E8p
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+271p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C5AFC SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	esi, [ebx]
		cmp	ecx, esi
		jb	short loc_4C7B46
		add	esi, esi
		cmp	esi, 8
		jnb	short loc_4C7AEC
		push	8
		pop	esi

loc_4C7AEC:				; CODE XREF: SmArrayGrow+1Fj
		cmp	ecx, esi
		jnb	loc_5C5AFC

loc_4C7AF4:				; CODE XREF: SmArrayGrow+FE03Fj
		mov	eax, esi
		lea	ecx, [ebp+var_4]
		mul	edx
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_4C7B6A
		push	72416D73h
		push	[ebp+var_4]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_4C7B6A
		mov	ebx, [ebx]
		imul	ebx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		sub	eax, ebx
		push	eax		; size_t
		push	0		; int
		lea	eax, [edi+ebx]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	ebx, ebx
		jnz	short loc_4C7B50
		mov	ebx, [ebp+arg_4]

loc_4C7B3F:				; CODE XREF: SmArrayGrow+A0j
		mov	eax, [ebp+arg_0]
		mov	[ebx], edi
		mov	[eax], esi

loc_4C7B46:				; CODE XREF: SmArrayGrow+18j
		xor	eax, eax
		inc	eax

loc_4C7B49:				; CODE XREF: SmArrayGrow+A4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4C7B50:				; CODE XREF: SmArrayGrow+72j
		push	ebx		; size_t
		mov	ebx, [ebp+arg_4]
		push	dword ptr [ebx]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	dword ptr [ebx]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4C7B3F
; 

loc_4C7B6A:				; CODE XREF: SmArrayGrow+3Cj
					; SmArrayGrow+54j ...
		xor	eax, eax
		jmp	short loc_4C7B49
SmArrayGrow	endp


;  S U B	R O U T	I N E 


; int __fastcall SMKM_STORE_SM_TRAITS___SmStInitialize(void *)
?SmStInitialize@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@@Z proc near
					; CODE XREF: SmProcessCreateRequest+12Ap
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		push	12C0h		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	byte ptr [esi+10F4h], 2
		mov	ecx, esi
		call	?StInitialize@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@@Z ; ST_STORE<SM_TRAITS>::StInitialize(ST_STORE<SM_TRAITS> *)
		lea	eax, [esi+1110h]
		mov	[eax+4], eax
		mov	[eax], edi
		lea	eax, [esi+1118h]
		mov	[eax+4], eax
		mov	[eax], edi
		lea	eax, [esi+1120h]
		mov	[eax+4], eax
		push	edi
		mov	[eax], edi
		lea	eax, [esi+1158h]
		push	edi
		push	eax
		mov	[esi+1108h], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esi+1148h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	1
		lea	eax, [esi+1168h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	44h		; size_t
		add	esi, 1270h
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+4]
		push	edi
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		pop	edi
		pop	esi
		pop	ecx
		retn
?SmStInitialize@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall StLcInitialize(x, x, x)
_StLcInitialize@12 proc	near		; CODE XREF: ST_STORE<SM_TRAITS>::StInitialize(ST_STORE<SM_TRAITS> *)+107p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_C], 0
		xor	eax, eax
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	edi, ebx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_C]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	eax, [ebp+arg_0]
		mov	esi, eax
		lea	edi, [eax+80h]
		cmp	eax, edi
		jnb	short loc_4C7C6D

loc_4C7C3D:				; CODE XREF: StLcInitialize(x,x,x)+60j
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	0
		push	dword ptr [esi]
		call	__allmul
		push	0
		push	0F4240h
		push	edx
		push	eax
		call	__alldiv
		and	dword ptr [esi+8], 0
		mov	[esi], eax
		mov	[esi+4], edx
		add	esi, 10h
		cmp	esi, edi
		jb	short loc_4C7C3D
		mov	eax, [ebp+arg_0]

loc_4C7C6D:				; CODE XREF: StLcInitialize(x,x,x)+33j
		or	dword ptr [edi-10h], 0FFFFFFFFh
		or	dword ptr [edi-0Ch], 0FFFFFFFFh
		pop	edi
		pop	esi
		mov	dword ptr [ebx+4], 8
		mov	[ebx+8], eax
		mov	[ebx], eax
		pop	ebx
		leave
		retn	4
_StLcInitialize@12 endp


;  S U B	R O U T	I N E 


; int __fastcall ST_STORE_SM_TRAITS___StLazyWorkMgrInitialize(void *)
?StLazyWorkMgrInitialize@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_LAZY_WORK_MGR@1@@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StInitialize(ST_STORE<SM_TRAITS> *)+112p
		mov	edi, edi
		push	esi
		push	0E0h		; size_t
		mov	esi, ecx
		push	0		; int
		push	esi		; void *
		call	_memset
		lea	ecx, [esi+0A8h]
		add	esp, 0Ch
		or	edx, 0FFFFFFFFh
		mov	eax, esi
		cmp	esi, ecx
		jnb	short loc_4C7CBE

loc_4C7CAC:				; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrInitialize(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *)+34j
		mov	[eax], edx
		mov	[eax+4], edx
		mov	[eax+8], edx
		mov	[eax+0Ch], edx
		add	eax, 18h
		cmp	eax, ecx
		jb	short loc_4C7CAC

loc_4C7CBE:				; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrInitialize(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *)+22j
		mov	eax, [esi+0C0h]
		and	eax, 0FFFFFFFEh
		mov	dword ptr [esi+0C4h], 5
		or	eax, 6
		mov	[ecx], edx
		mov	[esi+0C0h], eax
		mov	[ecx+4], edx
		pop	esi
		retn
?StLazyWorkMgrInitialize@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_LAZY_WORK_MGR@1@@Z endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static struct	B_TREE_HEADER<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY>::NODE	* __stdcall B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY, 4096, struct NP_CONTEXT,	struct ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(struct B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY, 4096, struct NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *, struct B_TREE<unsigned long, struct	ST_STORE<struct	SM_TRAITS>::_ST_REGION_ENTRY, 4096, struct NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,	unsigned long)
?BTreeFindLeafSiblingEx@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGPAUNODE@?$B_TREE_HEADER@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAUSEARCH_RESULT@1@K@Z proc near
					; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindPreviousEntry(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *)+32p
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,ulong)+8Ep

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	ebx, edx
		lea	eax, [ebp+var_10]
		mov	edx, [ebp+arg_0]
		mov	esi, ecx
		push	edi
		xor	edi, edi
		and	edx, 1
		push	eax
		mov	ecx, ebx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		call	?BTreeFindSeperatorIndexEntry@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGKPAUSEARCH_RESULT@1@KPAUPATH_ENTRY@1@@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindSeperatorIndexEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::PATH_ENTRY *)
		test	eax, eax
		jz	loc_4C7D94
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_10]
		push	edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling
		mov	edx, [ebx+14h]
		lea	ecx, [esi+8]
		and	edx, 1
		mov	[ebp+var_8], eax
		add	edx, edx
		mov	edi, esi
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_4C7D9D
		mov	edx, [ebp+var_8]
		mov	edi, [edx]

loc_4C7D40:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+C8j
		test	edi, edi
		jz	short loc_4C7DB1
		test	byte ptr [ebp+arg_0], 2
		jz	short loc_4C7D78
		mov	eax, [ebx]
		mov	ecx, [ebx+0Ch]
		mov	edx, [eax+ecx*8-0Ch]
		mov	ecx, [eax+ecx*8-10h]
		lea	eax, [ecx+8]
		cmp	edx, eax
		jbe	short loc_4C7DAC
		add	edx, 0FFFFFFFCh

loc_4C7D61:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+CDj
		lea	eax, [esi+8]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	eax, [esi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4C7D78
		mov	ecx, esi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)

loc_4C7D78:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+66j
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+8Dj
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_10]
		push	ebx
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling
		mov	esi, [ebx+0Ch]
		lea	ecx, [edi+8]
		mov	edx, [ebx]
		mov	[edx+esi*8-8], edi
		mov	[edx+esi*8-4], ecx

loc_4C7D94:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+2Aj
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+D2j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4C7D9D:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+57j
		push	edx
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		mov	edi, eax
		jmp	short loc_4C7D40
; 

loc_4C7DAC:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+7Aj
		lea	edx, [ecx+4]
		jmp	short loc_4C7D61
; 

loc_4C7DB1:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+60j
		or	edi, 0FFFFFFFFh
		jmp	short loc_4C7D94
?BTreeFindLeafSiblingEx@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGPAUNODE@?$B_TREE_HEADER@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAUSEARCH_RESULT@1@K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling proc	near
					; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+37p
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+9Dp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C5B0C SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ecx]
		mov	ebx, edx
		mov	edx, [ebp+arg_0]
		push	edi
		mov	edi, [ecx+4]
		test	edx, edx
		jnz	short loc_4C7DF2
		xor	ecx, ecx

loc_4C7DCE:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling+4Aj
		and	ebx, 1
		jnz	short loc_4C7E11
		lea	eax, [esi+8]
		cmp	edi, eax
		lea	eax, [edi-4]
		jbe	short loc_4C7E0C

loc_4C7DDD:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling+59j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling+61j ...
		test	ecx, ecx
		jnz	short loc_4C7E02

loc_4C7DE1:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling+54j
		cmp	byte ptr [esi+2], 2
		jnz	loc_5C5B0C
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4C7DF2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling+14j
		movzx	eax, byte ptr [esi+2]
		mov	ecx, [edx+0Ch]
		sub	ecx, eax
		mov	eax, [edx]
		lea	ecx, [eax+ecx*8]
		jmp	short loc_4C7DCE
; 

loc_4C7E02:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling+29j
		mov	[ecx], esi
		mov	[ecx+4], edi
		add	ecx, 8
		jmp	short loc_4C7DE1
; 

loc_4C7E0C:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling+25j
		lea	eax, [esi+4]
		jmp	short loc_4C7DDD
; 

loc_4C7E11:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling+1Bj
		lea	eax, [edi+4]
		add	edi, 8
		jmp	short loc_4C7DDD
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling endp

; 
		align 2

;  S U B	R O U T	I N E 


; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StQueueCompaction(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, enum  _ST_COMPACTION_CHECK_RESULT)
?StQueueCompaction@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@W4_ST_COMPACTION_CHECK_RESULT@@@Z proc	near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+293p
					; ST_STORE<SM_TRAITS>::StCompactionWorker(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+6Fp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+1D8h]
		mov	al, [esi+47Ch]
		shr	edi, 1
		and	edi, 1
		cmp	edx, 1
		jz	short loc_4C7E56
		xor	edx, edx
		and	al, 0FEh
		mov	ecx, edx
		or	al, 2

loc_4C7E3E:				; CODE XREF: ST_STORE<SM_TRAITS>::StQueueCompaction(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_ST_COMPACTION_CHECK_RESULT)+57j
		push	edx
		push	ecx
		mov	ecx, [esi+480h]
		mov	edx, edi
		mov	[esi+47Ch], al
		call	ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork
		pop	edi
		pop	esi
		retn
; 

loc_4C7E56:				; CODE XREF: ST_STORE<SM_TRAITS>::StQueueCompaction(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_ST_COMPACTION_CHECK_RESULT)+1Aj
		movzx	ecx, byte ptr [esi+1ACh]
		and	al, 0FDh
		or	al, 1
		neg	ecx
		push	0FFFFFFFEh
		sbb	ecx, ecx
		and	ecx, 172h
		pop	edx
		add	ecx, 1Eh
		jmp	short loc_4C7E3E
?StQueueCompaction@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@W4_ST_COMPACTION_CHECK_RESULT@@@Z endp

; 
		align 4

;  S U B	R O U T	I N E 


; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StInitialize(struct	ST_STORE<struct	SM_TRAITS> *)
?StInitialize@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@@Z proc near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStInitialize(SMKM_STORE<SM_TRAITS> *)+21p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		push	10EFh		; size_t
		push	ebx		; int
		lea	eax, [edi+1]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	byte ptr [edi],	2
		lea	esi, [edi+4C8h]
		lea	ecx, [edi+38h]
		mov	edx, esi
		call	?StDmInitialize@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@0@Z ; ST_STORE<SM_TRAITS>::StDmInitialize(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		xor	edx, edx
		mov	ecx, esi
		call	?StDmInitialize@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@0@Z ; ST_STORE<SM_TRAITS>::StDmInitialize(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		push	30h		; size_t
		lea	eax, [edi+960h]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [edi+9A8h]
		call	_SmCrEncInitialize@4 ; SmCrEncInitialize(x)
		mov	eax, [edi+0A10h]
		push	6
		pop	esi
		and	eax, 0FFFFFFFEh
		mov	dword ptr [edi+0A14h], 3
		or	eax, esi
		push	50Ch		; size_t
		mov	[edi+0A10h], eax
		lea	eax, [edi+0A4Ch]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [edi+0A58h]
		mov	[edi+0A48h], eax
		call	KeQueryInterruptTime
		add	eax, 23C34600h
		lea	ecx, [edi+0F58h]
		mov	[edi+0A50h], eax
		lea	eax, [edi+0F68h]
		adc	edx, ebx
		mov	[edi+0A54h], edx
		push	eax
		mov	dword ptr [eax], 1F4h
		mov	[eax+4], ebx
		mov	dword ptr [eax+10h], 3E8h
		mov	[eax+14h], ebx
		mov	dword ptr [eax+20h], 0BB8h
		mov	[eax+24h], ebx
		mov	dword ptr [eax+30h], 1388h
		mov	[eax+34h], ebx
		mov	dword ptr [eax+40h], 2710h
		mov	[eax+44h], ebx
		mov	dword ptr [eax+50h], 4E20h
		mov	[eax+54h], ebx
		mov	dword ptr [eax+60h], 0C350h
		mov	[eax+64h], ebx
		mov	dword ptr [eax+70h], 186A0h
		mov	[eax+74h], ebx
		call	_StLcInitialize@12 ; StLcInitialize(x,x,x)
		lea	ecx, [edi+0FF0h] ; void	*
		call	?StLazyWorkMgrInitialize@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_LAZY_WORK_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StLazyWorkMgrInitialize(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *)
		mov	[edi+9A0h], ebx
		mov	[edi+9A4h], ebx
		mov	eax, [edi+10D0h]
		and	eax, 0FFFFFFFEh
		mov	[edi+10D4h], esi
		or	eax, esi
		mov	[edi+10D0h], eax
		pop	edi
		pop	esi
		pop	ebx
		retn
?StInitialize@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@@Z endp


;  S U B	R O U T	I N E 


; public: static void __stdcall	B_TREE<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::BTreeSearchResultInit(struct B_TREE<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::SEARCH_RESULT *, unsigned long)
?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmInitialize(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+3Cp
					; ST_STORE<SM_TRAITS>::StDmInitialize(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+4Cp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		xor	eax, eax
		mov	edi, esi
		push	6
		pop	ecx
		rep stosd
		test	dl, 1
		jnz	short loc_4C7FCA
		or	dword ptr [esi+0Ch], 0FFFFFFFFh

loc_4C7FCA:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+12j
		test	dl, 2
		jnz	short loc_4C7FD2

loc_4C7FCF:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+24j
		pop	edi
		pop	esi
		retn
; 

loc_4C7FD2:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+1Bj
		or	dword ptr [esi+14h], 1
		jmp	short loc_4C7FCF
?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StDmInitialize(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *)
?StDmInitialize@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@0@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StInitialize(ST_STORE<SM_TRAITS> *)+29p
					; ST_STORE<SM_TRAITS>::StInitialize(ST_STORE<SM_TRAITS>	*)+32p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	eax, eax
		push	484h		; size_t
		push	eax		; int
		mov	[ebp+var_10], eax
		mov	esi, edx
		mov	[ebp+var_C], eax
		lea	eax, [ebx+0Ch]
		push	eax		; void *
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], ebx
		call	_memset
		mov	edi, ebx
		lea	ecx, [ebx+0Ch]
		xor	eax, eax
		add	esp, 0Ch
		xor	edx, edx
		inc	edx
		stosd
		stosd
		stosd
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		xor	eax, eax
		lea	edi, [ebx+24h]
		stosd
		lea	ecx, [ebx+30h]
		stosd
		stosd
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		xor	eax, eax
		lea	edi, [ebx+48h]
		stosd
		lea	ecx, [ebx+54h]
		stosd
		stosd
		call	?BTreeSearchResultInit@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGXPAUSEARCH_RESULT@1@K@Z ;	B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeSearchResultInit(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)
		lea	ecx, [ebx+6Ch]	; void *
		mov	[ebp+var_18], 0Ch
		lea	edx, [ebp+var_18]
		mov	[ebp+var_14], 4
		call	_SmHpChunkHeapInitialize@8 ; SmHpChunkHeapInitialize(x,x)
		add	ebx, 314h
		mov	ecx, ebx	; void *
		call	?NpInitialize@NP_CONTEXT@@SGXPAU1@@Z ; NP_CONTEXT::NpInitialize(NP_CONTEXT *)
		mov	ecx, [ebp+var_4]
		and	dword ptr [ecx+358h], 0
		lea	edi, [ecx+36Ch]
		mov	[ecx+368h], esi
		mov	ecx, edi	; void *
		call	?NpInitialize@NP_CONTEXT@@SGXPAU1@@Z ; NP_CONTEXT::NpInitialize(NP_CONTEXT *)
		mov	eax, [ebp+var_4]
		mov	[eax+3C0h], esi
		lea	esi, [eax+3C4h]
		mov	ecx, esi	; void *
		mov	dword ptr [eax+3B0h], 1
		call	?NpInitialize@NP_CONTEXT@@SGXPAU1@@Z ; NP_CONTEXT::NpInitialize(NP_CONTEXT *)
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		push	6
		mov	[ecx+3C0h], eax
		xor	eax, eax
		inc	eax
		mov	dword ptr [ecx+3B0h], 2
		mov	[ecx+360h], eax
		mov	[ecx+35Ch], eax
		mov	eax, 20000000h
		mov	[ecx+3B8h], eax
		mov	[ecx+3B4h], eax
		xor	eax, eax
		mov	[ecx+410h], eax
		mov	[ecx+414h], eax
		mov	[ecx+40Ch], eax
		lea	eax, [ecx+26Ch]
		mov	dword ptr [ecx+364h], 1FFFFFFFh
		mov	dword ptr [ecx+3BCh], 3FFFFFFFh
		mov	[ecx+8], ebx
		mov	[ecx+2Ch], edi
		mov	[ecx+50h], esi
		pop	edx
		xor	ebx, ebx

loc_4C810E:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmInitialize(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+145j
		mov	[eax+4], ebx
		mov	[eax+8], ebx
		or	dword ptr [eax], 0FFFFFFFFh
		lea	eax, [eax+0Ch]
		sub	edx, 1
		jnz	short loc_4C810E
		push	8
		lea	eax, [ecx+2B4h]
		pop	edx

loc_4C8128:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmInitialize(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+159j
		or	dword ptr [eax], 0FFFFFFFFh
		lea	eax, [eax+0Ch]
		sub	edx, 1
		jnz	short loc_4C8128
		mov	eax, [ecx+1E8h]
		and	eax, 0FFFFFFFEh
		mov	dword ptr [ecx+1ECh], 4
		or	eax, 6
		mov	byte ptr [ecx+1ACh], 2
		mov	[ecx+1E8h], eax
		lea	eax, [ebp+var_10]
		push	eax
		mov	dword ptr [ecx+238h], 0FFFFD8EFh
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		push	ebx
		push	2710h
		push	[ebp+var_C]
		push	[ebp+var_10]
		call	__allmul
		push	ebx
		push	0F4240h
		push	edx
		push	eax
		call	__alldiv
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx+22Ch], eax
		leave
		retn
?StDmInitialize@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@0@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall NP_CONTEXT__NpInitialize(void *)
?NpInitialize@NP_CONTEXT@@SGXPAU1@@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmInitialize(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+82p
					; ST_STORE<SM_TRAITS>::StDmInitialize(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+9Fp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		push	44h		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		lea	eax, [esi+2Ch]
		mov	[ebp+var_8], edi
		add	esp, 0Ch
		mov	[eax+4], eax
		mov	[eax], edi
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], edi
		push	eax
		call	KeQueryTickCount
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		shrd	eax, ecx, 0Ch
		pop	edi
		mul	ds:_KeMaximumIncrement
		shrd	eax, edx, 11h
		mov	[esi+24h], eax
		pop	esi
		leave
		retn
?NpInitialize@NP_CONTEXT@@SGXPAU1@@Z endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall SmHpChunkHeapInitialize(void *)
_SmHpChunkHeapInitialize@8 proc	near	; CODE XREF: ST_STORE<SM_TRAITS>::StDmInitialize(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+75p
					; ST_STORE_SM_TRAITS___StDmCleanup+F982Fp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	138h		; size_t
		mov	esi, ecx
		mov	ebx, edx
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebx]
		add	esp, 0Ch
		mov	[esi+90h], eax
		xor	edi, edi
		mov	eax, [ebx+4]
		inc	edi
		mov	[esi+94h], eax
		lea	eax, [esi+0A0h]
		push	10h
		mov	[esi+80h], edi
		pop	ecx

loc_4C8222:				; CODE XREF: SmHpChunkHeapInitialize(x,x)+4Bj
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		sub	ecx, 1
		jnz	short loc_4C8222
		mov	eax, [ebx+4]
		xor	edx, edx
		or	dword ptr [esi+120h], 0FFFFFFFFh
		lea	ecx, [eax+0Bh]
		neg	eax
		and	ecx, eax
		mov	eax, 1000h
		sub	eax, ecx
		mov	[ebp+var_4], ecx
		div	dword ptr [ebx]
		mov	[esi+124h], eax
		bsr	eax, eax
		mov	[esi+88h], eax
		mov	edx, [esi+124h]
		test	edx, edx
		jz	short loc_4C826E
		lea	eax, [edx-1]
		test	eax, edx
		jz	short loc_4C8274

loc_4C826E:				; CODE XREF: SmHpChunkHeapInitialize(x,x)+83j
		inc	dword ptr [esi+88h]

loc_4C8274:				; CODE XREF: SmHpChunkHeapInitialize(x,x)+8Aj
		mov	ecx, [esi+88h]
		or	eax, 0FFFFFFFFh
		shr	eax, cl
		shl	edi, cl
		lea	ecx, [edx+0Fh]
		mov	[esi+84h], eax
		dec	edi
		mov	eax, [ebp+var_4]
		shr	ecx, 4
		mov	[esi+98h], eax
		bsr	eax, ecx
		mov	[esi+8Ch], edi
		mov	[esi+12Ch], edx
		mov	[esi+128h], eax
		test	ecx, ecx
		jz	short loc_4C82B7
		lea	eax, [ecx-1]
		test	eax, ecx
		jz	short loc_4C82BD

loc_4C82B7:				; CODE XREF: SmHpChunkHeapInitialize(x,x)+CCj
		inc	dword ptr [esi+128h]

loc_4C82BD:				; CODE XREF: SmHpChunkHeapInitialize(x,x)+D3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SmHpChunkHeapInitialize@8 endp


;  S U B	R O U T	I N E 


; public: static void __stdcall	B_TREE<unsigned	long, struct ST_STORE<struct SM_TRAITS>::_ST_HASH_ENTRY, 4096, struct NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeSearchResultInit(struct B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_HASH_ENTRY, 4096, struct NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *, unsigned long)
?BTreeSearchResultInit@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGXPAUSEARCH_RESULT@1@K@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmInitialize(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+5Cp
					; ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FC359p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		xor	eax, eax
		mov	edi, esi
		push	6
		pop	ecx
		rep stosd
		test	dl, 1
		jz	short loc_4C82DE

loc_4C82D6:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeSearchResultInit(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+20j
		test	dl, 2
		jnz	short loc_4C82E4

loc_4C82DB:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeSearchResultInit(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+26j
		pop	edi
		pop	esi
		retn
; 

loc_4C82DE:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeSearchResultInit(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+12j
		or	dword ptr [esi+0Ch], 0FFFFFFFFh
		jmp	short loc_4C82D6
; 

loc_4C82E4:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeSearchResultInit(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+17j
		or	dword ptr [esi+14h], 1
		jmp	short loc_4C82DB
?BTreeSearchResultInit@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGXPAUSEARCH_RESULT@1@K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmBinaryArrayGrow(x, x, x)
_SmBinaryArrayGrow@12 proc near		; CODE XREF: SmHpBufferAlloc+57p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, edx
		mov	[ebp+var_8], ecx
		push	ebx
		bsr	ebx, eax
		push	esi
		xor	esi, esi
		btc	eax, ebx
		mov	[ebp+var_C], esi
		mov	[ebp+var_C], eax
		cmp	ebx, 20h
		jnb	short loc_4C831A
		push	edi
		mov	edi, [ecx+ebx*4]
		test	edi, edi
		jz	short loc_4C8322

loc_4C8314:				; CODE XREF: SmBinaryArrayGrow(x,x,x)+71j
		imul	esi, eax, 0Ch
		add	esi, edi

loc_4C8319:				; CODE XREF: SmBinaryArrayGrow(x,x,x)+59j
		pop	edi

loc_4C831A:				; CODE XREF: SmBinaryArrayGrow(x,x,x)+20j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4C8322:				; CODE XREF: SmBinaryArrayGrow(x,x,x)+28j
		xor	eax, eax
		mov	ecx, ebx
		inc	eax
		shl	eax, cl
		imul	eax, 0Ch
		push	41426D73h
		push	eax
		push	200h
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_4C8319
		push	[ebp+var_4]	; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	[eax+ebx*4], edi
		mov	eax, [ebp+var_C]
		jmp	short loc_4C8314
_SmBinaryArrayGrow@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmHpBufferAlloc	proc near		; CODE XREF: SmHpChunkAlloc(x)+53p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C5B2B SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		push	42436D73h
		push	1000h
		push	200h
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	loc_4C848E
		mov	eax, [esi+120h]
		mov	[ebp+var_8], eax
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4C846D
		mov	eax, [esi+80h]
		cmp	eax, [esi+84h]
		ja	loc_4C8492
		push	ecx
		mov	edx, eax
		mov	ecx, esi
		call	_SmBinaryArrayGrow@12 ;	SmBinaryArrayGrow(x,x,x)
		mov	edx, [ebp+var_4]
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jz	loc_4C845E
		mov	eax, [esi+80h]
		mov	[ebp+var_8], eax
		lea	ecx, [eax+1]
		mov	[esi+80h], ecx

loc_4C83DC:				; CODE XREF: SmHpBufferAlloc+12Bj
		xor	eax, eax
		mov	edi, edx
		xor	ecx, ecx
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_8]
		mov	[edx+8], eax
		lea	eax, [edx+1000h]
		mov	[edx+4], edx
		mov	[edx], edx
		mov	[ebx+4], ecx
		mov	[ebx+8], ecx
		mov	[ebx], edx
		mov	edi, [esi+98h]
		mov	[ebp+var_8], ecx
		add	edi, edx
		mov	ecx, [esi+90h]
		mov	[ebp+var_10], eax
		add	ecx, edi
		lea	eax, [ebx+4]
		mov	[ebp+var_4], eax
		cmp	ecx, [ebp+var_10]
		ja	short loc_4C8448
		mov	ebx, eax

loc_4C8421:				; CODE XREF: SmHpBufferAlloc+DFj
		mov	eax, edi
		sub	eax, edx
		inc	[ebp+var_8]
		mov	[ebx], ax
		mov	ebx, edi
		mov	edi, ecx
		lea	eax, [edx+1000h]
		add	ecx, [esi+90h]
		cmp	ecx, eax
		jbe	short loc_4C8421
		mov	[ebp+var_4], ebx
		mov	ebx, [ebp+var_C]
		mov	eax, [ebp+var_4]

loc_4C8448:				; CODE XREF: SmHpBufferAlloc+BFj
		push	[ebp+var_8]
		mov	ecx, 0FFFFh
		mov	edx, ebx
		mov	[eax], cx
		mov	ecx, esi
		call	_SmHpBufferUpdateFullness@12 ; SmHpBufferUpdateFullness(x,x,x)
		xor	edx, edx

loc_4C845E:				; CODE XREF: SmHpBufferAlloc+66j
					; SmHpBufferAlloc+136j
		test	edx, edx
		jnz	loc_5C5B2B

loc_4C8466:				; CODE XREF: SmHpBufferAlloc+132j
					; SmHpBufferAlloc+FD7D5j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_4C846D:				; CODE XREF: SmHpBufferAlloc+3Aj
		and	[ebp+var_10], 0
		bsr	ecx, eax
		btc	eax, ecx
		imul	ebx, eax, 0Ch
		add	ebx, [esi+ecx*4]
		mov	[ebp+var_C], ebx
		mov	eax, [ebx+4]
		mov	[esi+120h], eax
		jmp	loc_4C83DC
; 

loc_4C848E:				; CODE XREF: SmHpBufferAlloc+28j
		xor	ebx, ebx
		jmp	short loc_4C8466
; 

loc_4C8492:				; CODE XREF: SmHpBufferAlloc+4Cj
		xor	ebx, ebx
		jmp	short loc_4C845E
SmHpBufferAlloc	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StLazyWorkMgrRunExpiredWork(struct ST_STORE<struct SM_TRAITS>::_ST_LAZY_WORK_MGR *,	unsigned __int64)
?StLazyWorkMgrRunExpiredWork@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_LAZY_WORK_MGR@1@_K@Z proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+522p
					; ST_STORE<SM_TRAITS>::StLazyWorkMgrResetIdle(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *)+62p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		xor	edi, edi
		mov	[esp+30h+var_1C], esi
		lea	ebx, [esi+0A8h]
		cmp	esi, ebx
		jnb	short loc_4C84DF

loc_4C84B8:				; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrRunExpiredWork(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *,unsigned	__int64)+47j
		mov	eax, [ecx+8]
		mov	[esp+30h+var_20], eax
		mov	eax, [ecx+0Ch]
		mov	[esp+30h+var_24], eax
		mov	eax, [esp+30h+var_20]
		and	eax, [esp+30h+var_24]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4C8564

loc_4C84D7:				; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrRunExpiredWork(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *,unsigned	__int64)+ECj
					; ST_STORE<SM_TRAITS>::StLazyWorkMgrRunExpiredWork(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *,unsigned __int64)+FBj ...
		add	ecx, 18h
		inc	edx
		cmp	ecx, ebx
		jb	short loc_4C84B8

loc_4C84DF:				; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrRunExpiredWork(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *,unsigned	__int64)+20j
		and	[esp+30h+var_10], 0
		lea	ebx, [esp+30h+var_18]
		and	[esp+30h+var_C], 0
		lea	eax, [esi-0FF0h]
		and	[esp+30h+var_8], 0
		xor	ecx, ecx
		and	[esp+30h+var_4], 0
		inc	ecx
		or	[esi+0D8h], ecx
		or	ebx, ecx
		mov	[esp+30h+var_20], eax
		mov	eax, [esi+0D8h]
		mov	[esp+30h+var_18], 6
		mov	[esp+30h+var_14], ecx
		test	edi, edi
		jz	short loc_4C8547
		mov	esi, [esp+30h+var_20]

loc_4C8526:				; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrRunExpiredWork(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *,unsigned	__int64)+A5j
		bsf	eax, edi
		mov	edx, ebx
		mov	ecx, esi
		btr	edi, eax
		mov	[esp+30h+var_C], eax
		call	ST_STORE_SM_TRAITS___StWorkItemProcess
		test	edi, edi
		jnz	short loc_4C8526
		mov	esi, [esp+30h+var_1C]
		mov	eax, [esi+0D8h]

loc_4C8547:				; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrRunExpiredWork(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *,unsigned	__int64)+8Aj
		push	0
		and	eax, 0FFFFFFFEh
		mov	ecx, esi
		push	0
		mov	[esi+0D8h], eax
		call	ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4C8564:				; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrRunExpiredWork(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *,unsigned	__int64)+3Bj
		mov	eax, [ecx+4]
		cmp	eax, [esi+0BCh]
		jb	short loc_4C8597
		ja	short loc_4C857B
		mov	eax, [ecx]
		cmp	eax, [esi+0B8h]
		jbe	short loc_4C8597

loc_4C857B:				; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrRunExpiredWork(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *,unsigned	__int64)+D9j
		mov	eax, [ebp+arg_4]
		cmp	[esp+30h+var_24], eax
		ja	loc_4C84D7
		jb	short loc_4C8597
		mov	eax, [ebp+arg_0]
		cmp	[esp+30h+var_20], eax
		ja	loc_4C84D7

loc_4C8597:				; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrRunExpiredWork(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *,unsigned	__int64)+D7j
					; ST_STORE<SM_TRAITS>::StLazyWorkMgrRunExpiredWork(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *,unsigned __int64)+E3j ...
		bts	edi, edx
		or	eax, 0FFFFFFFFh
		mov	[ecx], eax
		mov	[ecx+4], eax
		mov	[ecx+8], eax
		mov	[ecx+0Ch], eax
		jmp	loc_4C84D7
?StLazyWorkMgrRunExpiredWork@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_LAZY_WORK_MGR@1@_K@Z endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StCompactionFindEmptiest proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+60p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C5B38 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, 1FFFh
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_1C], eax
		mov	word ptr [ebp+var_4], ax
		xor	edx, edx
		mov	eax, [ebp+arg_0]
		shl	eax, 2
		push	edi
		mov	[ebp+var_18], esi
		mov	edi, ecx
		mov	ecx, esi
		lea	ebx, [eax+esi]
		shr	eax, 2
		cmp	ebx, esi
		mov	[ebp+var_8], ebx
		sbb	esi, esi
		not	esi
		and	esi, eax
		jbe	short loc_4C85FD
		jmp	short loc_4C85F0
; 
		align 10h

loc_4C85F0:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionFindEmptiest+3Bj
					; ST_STORE_SM_TRAITS___StCompactionFindEmptiest+4Bj
		lea	eax, [ebp+var_4]
		inc	edx
		mov	[ecx], eax
		lea	ecx, [ecx+4]
		cmp	edx, esi
		jb	short loc_4C85F0

loc_4C85FD:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionFindEmptiest+39j
		xor	eax, eax
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_C], eax
		jmp	short loc_4C8610
; 
		align 10h

loc_4C8610:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionFindEmptiest+55j
					; ST_STORE_SM_TRAITS___StCompactionFindEmptiest+81j ...
		inc	esi
		cmp	esi, [edi+1B8h]
		jz	loc_4C86D2
		mov	eax, [edi+240h]
		lea	ebx, [eax+esi*2]
		movzx	eax, word ptr [ebx]
		mov	ecx, eax
		and	ecx, 1FFFh
		jz	short loc_4C8610
		mov	edx, eax
		and	eax, 1FFFh
		cmp	eax, [ebp+arg_4]
		ja	short loc_4C8610
		cmp	byte ptr [edi+1ACh], 0
		jnz	loc_5C5B38
		shr	edx, 0Dh

loc_4C864F:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionFindEmptiest+FD58Aj
		lea	eax, [edx+edx*2]
		cmp	esi, [edi+eax*4+2B4h]
		jz	short loc_4C8610
		mov	eax, [ebp+var_18]
		mov	edx, eax
		mov	[ebp+var_14], eax
		cmp	eax, [ebp+var_8]
		jnb	short loc_4C8610

loc_4C8668:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionFindEmptiest+D5j
		lea	eax, [edx+4]
		mov	[ebp+var_10], eax
		mov	eax, [edx]
		mov	ax, [eax]
		and	ax, word ptr [ebp+var_1C]
		cmp	cx, ax
		jb	short loc_4C8689
		mov	edx, [ebp+var_10]
		mov	[ebp+var_14], edx
		cmp	edx, [ebp+var_8]
		jb	short loc_4C8668
		jmp	short loc_4C8610
; 

loc_4C8689:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionFindEmptiest+CAj
		mov	eax, [ebp+var_8]
		sub	eax, edx
		sub	eax, 4
		push	eax		; size_t
		push	edx		; void *
		push	[ebp+var_10]	; void *
		call	_memmove
		mov	eax, [ebp+var_14]
		add	esp, 0Ch
		mov	ecx, [ebp+arg_0]
		mov	[eax], ebx
		mov	eax, [ebp+var_C]
		cmp	eax, ecx
		jb	short loc_4C86C4

loc_4C86AD:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionFindEmptiest+120j
		mov	eax, [ebp+var_8]
		mov	eax, [eax-4]
		movzx	eax, word ptr [eax]
		and	eax, 1FFFh
		dec	eax
		mov	[ebp+arg_4], eax
		jmp	loc_4C8610
; 

loc_4C86C4:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionFindEmptiest+FBj
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, ecx
		jb	loc_4C8610
		jmp	short loc_4C86AD
; 

loc_4C86D2:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionFindEmptiest+67j
		mov	eax, [ebp+var_C]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
ST_STORE_SM_TRAITS___StCompactionFindEmptiest endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StCompactionPickPriority proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+73p

var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C5B3F SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		push	0C0h		; size_t
		mov	[ebp+var_E0], eax
		xor	ebx, ebx
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_D8], ecx
		push	ebx		; int
		push	eax		; void *
		mov	edi, edx
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		shl	ecx, 2
		mov	[ebp+var_C8], ebx
		push	4
		lea	eax, [ecx+edi]
		shr	ecx, 2
		cmp	eax, edi
		pop	esi
		sbb	eax, eax
		not	eax
		and	eax, ecx
		mov	[ebp+var_D4], eax
		jbe	short loc_4C87AA
		mov	ebx, [ebp+var_D8]
		mov	ebx, [ebx+1ACh]
		and	ebx, 0FFh
		mov	[ebp+var_D0], ebx

loc_4C875B:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPickPriority+C8j
		test	ebx, ebx
		jnz	loc_5C5B3F
		mov	eax, [edi]
		movzx	edx, word ptr [eax]
		mov	eax, [ebp+var_D4]
		shr	edx, 0Dh

loc_4C8771:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPickPriority+FD463j
		imul	ecx, edx, 18h
		mov	[ebp+var_DC], ecx
		mov	ebx, [ebp+ecx+var_C4]
		cmp	ebx, esi
		mov	[ebp+var_CC], ebx
		mov	ebx, [ebp+var_D0]
		jb	loc_4C8816

loc_4C8795:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPickPriority+179j
		mov	edx, [ebp+var_C8]
		add	edi, esi
		inc	edx
		mov	[ebp+var_C8], edx
		cmp	edx, eax
		jb	short loc_4C875B
		xor	ebx, ebx

loc_4C87AA:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPickPriority+63j
		mov	esi, [ebp+var_D8]
		lea	edx, [ebp+var_18]
		or	eax, 0FFFFFFFFh
		push	7
		mov	[ebp+var_C8], eax
		pop	ecx

loc_4C87BF:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPickPriority+F3j
		mov	edi, [edx-4]
		cmp	edi, 1
		ja	loc_4C885C

loc_4C87CB:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPickPriority+197j
					; ST_STORE_SM_TRAITS___StCompactionPickPriority+1A2j
		sub	edx, 18h
		sub	ecx, 1
		jns	short loc_4C87BF
		imul	edx, eax, 18h
		push	4
		pop	esi
		mov	eax, [ebp+edx+var_C4]
		cmp	eax, esi
		ja	short loc_4C87E6
		mov	esi, eax

loc_4C87E6:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPickPriority+104j
		mov	ecx, esi
		shl	ecx, 2
		push	ecx		; size_t
		lea	ecx, [ebp+var_BC]
		add	ecx, edx
		push	ecx		; void *
		push	[ebp+var_E0]	; void *
		call	_memcpy
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	eax, esi
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_4C8816:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPickPriority+B1j
		mov	eax, [ebp+var_CC]
		mov	ebx, [ebp+var_DC]
		inc	eax
		mov	[ebp+ecx+var_C4], eax
		mov	ecx, [edi]
		movzx	eax, word ptr [ecx]
		and	eax, 1FFFh
		add	[ebp+ebx+var_C0], eax
		mov	ebx, [ebp+var_D0]
		imul	eax, edx, 6
		add	eax, [ebp+var_CC]
		mov	[ebp+eax*4+var_BC], ecx
		mov	eax, [ebp+var_D4]
		jmp	loc_4C8795
; 

loc_4C885C:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPickPriority+E7j
		mov	eax, [esi+1CCh]
		imul	eax, edi
		sub	eax, [edx]
		cmp	ebx, eax
		jnb	short loc_4C887A
		mov	ebx, eax
		mov	eax, ecx
		mov	[ebp+var_C8], eax
		jmp	loc_4C87CB
; 

loc_4C887A:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPickPriority+18Bj
		mov	eax, [ebp+var_C8]
		jmp	loc_4C87CB
ST_STORE_SM_TRAITS___StCompactionPickPriority endp

; 
		align 2

;  S U B	R O U T	I N E 


; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StCompactionWorker(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *)
?StCompactionWorker@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+178p
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	al, [esi+47Ch]
		test	al, 4
		jnz	short loc_4C8901
		and	al, 0FCh
		xor	edx, edx
		mov	[esi+47Ch], al
		call	ST_STORE_SM_TRAITS___StDmCheckForCompaction
		cmp	eax, 2
		jnz	short loc_4C88D7
		mov	al, [esi+47Ch]

loc_4C88B1:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionWorker(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+7Dj
		or	al, 3
		mov	[esi+47Ch], al

loc_4C88B9:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionWorker(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+4Fj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	ST_STORE_SM_TRAITS___StCompactionPerformInMem
		xor	edx, edx
		mov	ecx, esi
		mov	edi, eax
		call	ST_STORE_SM_TRAITS___StDmCheckForCompaction
		test	edi, edi
		js	short loc_4C88DB
		cmp	eax, 2
		jz	short loc_4C88B9

loc_4C88D7:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionWorker(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+23j
		xor	edi, edi
		jmp	short loc_4C88E0
; 

loc_4C88DB:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionWorker(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+4Aj
		cmp	eax, 2
		jz	short loc_4C88FC

loc_4C88E0:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionWorker(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+53j
					; ST_STORE<SM_TRAITS>::StCompactionWorker(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+79j
		and	byte ptr [esi+47Ch], 0FCh
		test	eax, eax
		jnz	short loc_4C88F1

loc_4C88EB:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionWorker(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+74j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_4C88F1:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionWorker(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+63j
		mov	edx, eax
		mov	ecx, esi
		call	?StQueueCompaction@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@W4_ST_COMPACTION_CHECK_RESULT@@@Z ; ST_STORE<SM_TRAITS>::StQueueCompaction(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_ST_COMPACTION_CHECK_RESULT)
		jmp	short loc_4C88EB
; 

loc_4C88FC:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionWorker(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+58j
		xor	eax, eax
		inc	eax
		jmp	short loc_4C88E0
; 

loc_4C8901:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionWorker(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+Fj
		and	al, 0FBh
		jmp	short loc_4C88B1
?StCompactionWorker@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StCompactionPerformInMem proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionWorker(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+38p
					; ST_STORE_SM_TRAITS___StWorkItemProcess+132091p

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C5B46 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	80h		; size_t
		lea	eax, [ebp+var_98]
		mov	[ebp+var_A8], edx
		push	0		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		or	[ebp+var_A0], 0FFFFFFFFh
		lea	edi, [ebp+var_14]
		xor	eax, eax
		lea	edx, [ebp+var_98]
		stosd
		add	esp, 0Ch
		mov	ecx, ebx
		stosd
		stosd
		stosd
		mov	eax, [ebx+1CCh]
		xor	edi, edi
		sub	eax, [ebx+1D0h]
		inc	eax
		push	eax
		push	20h
		call	ST_STORE_SM_TRAITS___StCompactionFindEmptiest
		push	ecx
		lea	ecx, [ebp+var_14]
		push	ecx
		push	eax
		lea	edx, [ebp+var_98]
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StCompactionPickPriority
		mov	esi, [ebp+var_14]
		sub	esi, [ebx+240h]
		sar	esi, 1
		test	dword ptr [ebx+1ACh], 40000h
		mov	[ebp+var_B0], eax
		mov	[ebp+var_9C], esi
		jz	short loc_4C89B6
		mov	ecx, [ebx+1C0h]
		mov	edx, esi
		call	?SmStIsRegionBusy@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@K@Z ; SMKM_STORE<SM_TRAITS>::SmStIsRegionBusy(SMKM_STORE<SM_TRAITS> *,ulong)
		test	eax, eax
		jnz	loc_4C8B44

loc_4C89B6:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+99j
		push	20h
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StMapAndLockRegion
		mov	[ebp+var_A4], eax
		test	eax, eax
		jz	loc_4C8B52
		cmp	eax, 0FFFFFFFFh
		jz	loc_4C8B44
		push	[ebp+var_A8]
		mov	edx, eax
		mov	ecx, ebx
		push	esi
		push	eax
		push	esi
		call	ST_STORE_SM_TRAITS___StCompactRegions
		mov	esi, eax
		test	esi, esi
		js	loc_4C8AFA
		xor	eax, eax
		inc	eax
		mov	[ebp+var_AC], eax
		cmp	[ebp+var_B0], eax
		jbe	loc_4C8AF6

loc_4C8A0B:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+1EAj
		mov	eax, [ebp+eax*4+var_14]
		mov	esi, eax
		sub	esi, [ebx+240h]
		sar	esi, 1
		test	dword ptr [ebx+1ACh], 40000h
		mov	[ebp+var_B4], eax
		mov	[ebp+var_A0], esi
		jz	short loc_4C8A46
		mov	ecx, [ebx+1C0h]
		mov	edx, esi
		call	?SmStIsRegionBusy@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@K@Z ; SMKM_STORE<SM_TRAITS>::SmStIsRegionBusy(SMKM_STORE<SM_TRAITS> *,ulong)
		test	eax, eax
		jnz	loc_4C8B59

loc_4C8A46:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+129j
		push	20h
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StMapAndLockRegion
		mov	edi, eax
		test	edi, edi
		jz	loc_4C8B4B
		cmp	edi, 0FFFFFFFFh
		jz	loc_4C8B59
		test	dword ptr [ebx+1ACh], 40000h
		jz	short loc_4C8A8B
		mov	edx, [ebp+var_9C]
		mov	ecx, [ebx+1C0h]
		call	?SmStIsRegionBusy@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@K@Z ; SMKM_STORE<SM_TRAITS>::SmStIsRegionBusy(SMKM_STORE<SM_TRAITS> *,ulong)
		test	eax, eax
		jnz	loc_5C5B46

loc_4C8A8B:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+16Aj
		push	[ebp+var_A8]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+var_9C]
		push	[ebp+var_A4]
		push	esi
		call	ST_STORE_SM_TRAITS___StCompactRegions
		mov	esi, eax
		mov	ecx, 1FFFh
		mov	eax, [ebp+var_B4]
		push	ecx
		test	[eax], cx
		mov	ecx, ebx
		jz	short loc_4C8B2A
		mov	edx, [ebp+var_9C]
		call	?StUnlockAndUnmapRegion@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@KPAD@Z ; ST_STORE<SM_TRAITS>::StUnlockAndUnmapRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,char *)
		mov	eax, [ebp+var_A0]
		mov	[ebp+var_A4], edi
		mov	[ebp+var_9C], eax

loc_4C8AD9:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+23Cj
		test	esi, esi
		js	short loc_4C8AF8
		mov	eax, [ebp+var_AC]
		inc	eax
		mov	[ebp+var_AC], eax
		cmp	eax, [ebp+var_B0]
		jb	loc_4C8A0B

loc_4C8AF6:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+FFj
		xor	esi, esi

loc_4C8AF8:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+1D5j
					; ST_STORE_SM_TRAITS___StCompactionPerformInMem+258j
		xor	edi, edi

loc_4C8AFA:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+EAj
					; ST_STORE_SM_TRAITS___StCompactionPerformInMem+24Aj ...
		cmp	[ebp+var_A4], 0
		jz	short loc_4C8B11
		mov	edx, [ebp+var_9C]
		push	ecx
		mov	ecx, ebx
		call	?StUnlockAndUnmapRegion@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@KPAD@Z ; ST_STORE<SM_TRAITS>::StUnlockAndUnmapRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,char *)

loc_4C8B11:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+1FBj
		test	edi, edi
		jnz	loc_5C5B50

loc_4C8B19:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+243j
					; ST_STORE_SM_TRAITS___StCompactionPerformInMem+251j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4C8B2A:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+1B4j
		mov	edx, [ebp+var_A0]
		call	?StUnlockAndUnmapRegion@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@KPAD@Z ; ST_STORE<SM_TRAITS>::StUnlockAndUnmapRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,char *)
		mov	edx, [ebp+var_A0]
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StReleaseRegion
		jmp	short loc_4C8AD9
; 

loc_4C8B44:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+AAj
					; ST_STORE_SM_TRAITS___StCompactionPerformInMem+CEj
		mov	esi, 0C0000708h
		jmp	short loc_4C8B19
; 

loc_4C8B4B:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+151j
		mov	esi, 0C0000055h
		jmp	short loc_4C8AFA
; 

loc_4C8B52:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+C5j
		mov	esi, 0C0000055h
		jmp	short loc_4C8B19
; 

loc_4C8B59:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+13Aj
					; ST_STORE_SM_TRAITS___StCompactionPerformInMem+15Aj
		mov	esi, 0C0000708h
		jmp	short loc_4C8AF8
ST_STORE_SM_TRAITS___StCompactionPerformInMem endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	B_TREE<unsigned	long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY, 4096, struct	NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultIterStart(struct B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY, 4096, struct NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT	*, struct B_TREE<unsigned long,	struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY, 4096, struct NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,	unsigned long, enum  B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY,	4096, struct NP_CONTEXT, struct	ST_STORE<struct	SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::_BTREE_ITERATOR_DISPOSITION)
?BTreeSearchResultIterStart@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGJPAUSEARCH_RESULT@1@PAU1@KW4_BTREE_ITERATOR_DISPOSITION@1@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+98p
					; ST_STORE_SM_TRAITS___StDmCombineRegion+95p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	eax, edx
		mov	esi, ecx
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		push	esi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		mov	edx, eax
		test	edx, edx
		js	short loc_4C8BA3

loc_4C8B7B:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultIterStart(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT	*,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::_BTREE_ITERATOR_DISPOSITION)+49j
		mov	ecx, [esi+0Ch]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_4C8BAD
		test	ecx, ecx
		jz	short loc_4C8BAD
		mov	eax, [esi]
		dec	ecx
		lea	ecx, [eax+ecx*8]

loc_4C8B8D:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultIterStart(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT	*,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::_BTREE_ITERATOR_DISPOSITION)+50j
		cmp	dword ptr [ecx], 0
		jz	short loc_4C8B9A
		test	edx, edx
		jnz	short loc_4C8B9A
		add	dword ptr [ecx+4], 4

loc_4C8B9A:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultIterStart(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT	*,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::_BTREE_ITERATOR_DISPOSITION)+30j
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultIterStart(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::_BTREE_ITERATOR_DISPOSITION)+34j
		xor	edx, edx

loc_4C8B9C:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultIterStart(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT	*,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::_BTREE_ITERATOR_DISPOSITION)+4Bj
		mov	eax, edx
		pop	esi
		pop	ebp
		retn	8
; 

loc_4C8BA3:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultIterStart(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT	*,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::_BTREE_ITERATOR_DISPOSITION)+19j
		cmp	edx, 0C0000225h
		jz	short loc_4C8B7B
		jmp	short loc_4C8B9C
; 

loc_4C8BAD:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultIterStart(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT	*,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::_BTREE_ITERATOR_DISPOSITION)+21j
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultIterStart(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::_BTREE_ITERATOR_DISPOSITION)+25j
		lea	ecx, [esi+4]
		jmp	short loc_4C8B8D
?BTreeSearchResultIterStart@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGJPAUSEARCH_RESULT@1@PAU1@KW4_BTREE_ITERATOR_DISPOSITION@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmHpChunkHeapProtect(x, x, x)
_SmHpChunkHeapProtect@12 proc near	; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+19Ap
					; ST_STORE_SM_TRAITS___StDmCleanup+1Fp	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		inc	esi
		mov	ebx, edx
		cmp	[edi+80h], esi
		jbe	short loc_4C8BF4

loc_4C8BCB:				; CODE XREF: SmHpChunkHeapProtect(x,x,x)+40j
		and	[ebp+var_4], 0
		mov	eax, esi
		bsr	ecx, esi
		btc	eax, ecx
		imul	edx, eax, 0Ch
		add	edx, [edi+ecx*4]
		cmp	dword ptr [edx], 0
		jz	short loc_4C8BEB
		push	[ebp+arg_0]
		push	ebx
		call	SmHpBufferProtectEx

loc_4C8BEB:				; CODE XREF: SmHpChunkHeapProtect(x,x,x)+2Ej
		inc	esi
		cmp	esi, [edi+80h]
		jb	short loc_4C8BCB

loc_4C8BF4:				; CODE XREF: SmHpChunkHeapProtect(x,x,x)+17j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SmHpChunkHeapProtect@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmCombineBufferProcess proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+141p
					; ST_STORE_SM_TRAITS___StDmCombineRegion+1D7p

var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C5B63 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	eax, eax
		push	edi
		mov	ecx, 6
		lea	edi, [ebp+var_24]
		rep stosd
		mov	esi, edx
		lea	ecx, [ebp+var_24]
		lea	edx, [eax+2]
		mov	[ebp+var_4], esi
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		mov	ecx, [ebx+1C0h]
		lea	edi, [ebx+30h]
		mov	edx, esi
		call	SMKM_STORE_SM_TRAITS___SmStCompareRegionData
		mov	esi, eax
		test	esi, esi
		js	loc_4C8DF2
		mov	eax, [ebp+var_4]
		mov	ecx, [ebx+1C8h]
		mov	eax, [eax]
		mov	[ebp+var_8], eax
		mov	edx, [eax]
		lea	esi, [eax+8]
		mov	eax, [esi]
		shl	edx, cl
		mov	ecx, [edi+14h]
		shr	eax, 4
		or	edx, eax
		mov	[ebp+var_4], edx
		test	ecx, 1
		jz	short loc_4C8C7D
		mov	edx, edi
		lea	ecx, [ebx+24h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	ecx, [edi+14h]
		mov	edx, [ebp+var_4]

loc_4C8C7D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+6Bj
		and	ecx, 0FFFFFFFEh
		mov	[edi+14h], ecx
		mov	eax, [ebx+1A4h]
		push	ecx
		mov	ecx, edi
		mov	[eax], edx
		lea	edx, [ebx+24h]
		mov	eax, [ebx+1A8h]
		push	eax
		call	?BTreeSearchResultIterStart@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGJPAUSEARCH_RESULT@1@PAU1@KW4_BTREE_ITERATOR_DISPOSITION@1@@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultIterStart(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::_BTREE_ITERATOR_DISPOSITION)
		test	eax, eax
		js	loc_5C5B63

loc_4C8CA5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+FCF65j
		mov	ecx, [ebp+var_8]
		movzx	eax, word ptr [ecx+6]
		add	eax, ecx
		mov	[ebp+var_4], eax
		cmp	esi, eax
		jnb	loc_4C8DF0
		lea	esp, [esp+0]

loc_4C8CC0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+1EAj
		cmp	byte ptr [esi+7], 10h
		jnb	loc_4C8DDD
		shr	dword ptr [esi], 4
		lea	ecx, [ecx+0]

loc_4C8CD0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+124j
		mov	edx, edi
		lea	ecx, [ebx+24h]
		call	?BTreeFindPreviousEntry@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGPAU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@PAU1@PAUSEARCH_RESULT@1@@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindPreviousEntry(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *)
		mov	ecx, [ebx+0F4h]
		mov	[ebp+var_8], 0
		mov	edi, [eax]
		mov	edx, edi
		shr	edx, cl
		mov	ecx, [ebx+0F8h]
		bsr	eax, edx
		and	ecx, edi
		lea	edi, [ebx+30h]
		imul	ecx, [ebx+0FCh]
		btc	edx, eax
		mov	eax, [ebx+eax*4+6Ch]
		lea	edx, [edx+edx*2]
		mov	edx, [eax+edx*4]
		add	edx, ecx
		add	edx, [ebx+104h]
		mov	[ebp+var_8], edx
		mov	eax, [edx]
		and	eax, [ebx+1C4h]
		cmp	eax, [esi]
		jnz	short loc_4C8CD0
		mov	eax, [edx+4]
		and	eax, 0FFFFF000h
		cmp	eax, 1000h
		ja	loc_4C8E1E
		movzx	eax, byte ptr [esi+7]
		mov	ecx, [ebx+1C8h]
		mov	edx, [esi+eax*8+0Ch]
		mov	eax, [esi+eax*8+8]
		shl	eax, cl
		lea	ecx, [ebx+24h]
		shr	edx, 4
		or	edx, eax
		mov	eax, [ebx+1A4h]
		mov	[eax], edx
		lea	eax, [ebp+var_24]
		mov	edx, [ebx+1A8h]
		push	eax
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		test	eax, eax
		js	loc_4C8E1E
		mov	ecx, [ebp+var_18]
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_4C8E08

loc_4C8D80:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+20Aj
		lea	eax, [ebp+var_1C]

loc_4C8D83:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+219j
		mov	eax, [eax]
		mov	ecx, [ebx+0F4h]
		mov	[ebp+var_C], 0
		mov	edi, [eax]
		mov	edx, edi
		shr	edx, cl
		mov	ecx, [ebx+0F8h]
		bsr	eax, edx
		and	ecx, edi
		imul	ecx, [ebx+0FCh]
		btc	edx, eax
		mov	eax, [ebx+eax*4+6Ch]
		lea	edx, [edx+edx*2]
		mov	edi, [eax+edx*4]
		add	edi, ecx
		add	edi, [ebx+104h]
		mov	eax, [edi+4]
		and	eax, 0FFFFF000h
		cmp	eax, 0FFFFF000h
		jz	short loc_4C8E1E
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		push	edi
		lea	edi, [ebx+30h]
		push	edi
		call	ST_STORE_SM_TRAITS___StDmCombinePageRecords

loc_4C8DDD:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+C4j
					; ST_STORE_SM_TRAITS___StDmCombineBufferProcess+221j
		movzx	eax, byte ptr [esi+6]
		lea	esi, [esi+eax*8]
		add	esi, 8
		cmp	esi, [ebp+var_4]
		jb	loc_4C8CC0

loc_4C8DF0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+B3j
		xor	esi, esi

loc_4C8DF2:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+3Dj
		lea	ecx, [ebx+24h]
		push	0
		lea	edx, [ebp+var_24]
		call	?BTreeSearchResultCleanup@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGXPAU1@PAUSEARCH_RESULT@1@K@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultCleanup(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4C8E08:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+17Aj
		test	ecx, ecx
		jz	loc_4C8D80
		mov	eax, [ebp+var_24]
		lea	eax, [eax+ecx*8]
		add	eax, 0FFFFFFFCh
		jmp	loc_4C8D83
; 

loc_4C8E1E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+133j
					; ST_STORE_SM_TRAITS___StDmCombineBufferProcess+16Ej ...
		lea	edi, [ebx+30h]
		jmp	short loc_4C8DDD
ST_STORE_SM_TRAITS___StDmCombineBufferProcess endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsert proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+332p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C5B6A SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		push	edi
		push	[ebp+arg_0]
		mov	edi, ecx
		mov	edx, [esi]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		cmp	eax, 0C0000225h
		jnz	loc_5C5B6A
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	esi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx

loc_4C8E4F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsert+FCD48j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsert+FCD53j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsert endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmCombinePageRecords proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+1D8p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C5B7C SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	eax, [edi+4]
		and	eax, 0FFFFF000h
		cmp	eax, 1000h
		jnz	loc_5C5B7C

loc_4C8E76:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombinePageRecords+FCD28j
		mov	ebx, [ebp+arg_4]
		lea	ecx, [esi+6Ch]
		mov	edx, ebx
		call	_SmHpChunkGetId@8 ; SmHpChunkGetId(x,x)
		mov	edx, edi
		mov	[ebp+arg_4], eax
		mov	ecx, esi
		call	?StDmPageRecordUnprotect@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAU_ST_PAGE_RECORD@1@@Z ; ST_STORE<SM_TRAITS>::StDmPageRecordUnprotect(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_PAGE_RECORD *)
		mov	edx, ebx
		mov	ecx, esi
		call	?StDmPageRecordUnprotect@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAU_ST_PAGE_RECORD@1@@Z ; ST_STORE<SM_TRAITS>::StDmPageRecordUnprotect(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_PAGE_RECORD *)
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, esi
		call	ST_STORE_SM_TRAITS___StDmPageRecordRemove
		test	eax, eax
		js	short loc_4C8F12

loc_4C8EA8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombinePageRecords+BEj
		or	dword ptr [edi], 0FFFFFFFFh
		mov	eax, [ebp+arg_4]
		mov	[edi+4], eax
		mov	ecx, [esi+478h]
		mov	al, [esi+47Dh]
		inc	ecx
		mov	[esi+478h], ecx
		test	al, 3
		jz	short loc_4C8EE9

loc_4C8EC8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombinePageRecords+99j
					; ST_STORE_SM_TRAITS___StDmCombinePageRecords+BAj
		mov	ecx, [ebx+4]
		mov	edx, 0FFFFF000h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jnb	short loc_4C8F16

loc_4C8ED8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombinePageRecords+C2j
		pop	edi
		lea	eax, [ecx+1000h]
		pop	esi
		mov	[ebx+4], eax
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_4C8EE9:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombinePageRecords+70j
		cmp	ecx, 400h
		jbe	short loc_4C8EC8
		mov	ecx, [esi+480h]
		and	al, 0FDh
		push	0FFFFFFFEh
		push	7530h
		push	5
		or	al, 1
		pop	edx
		mov	[esi+47Dh], al
		call	ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork
		jmp	short loc_4C8EC8
; 

loc_4C8F12:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombinePageRecords+50j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	short loc_4C8EA8
; 

loc_4C8F16:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombinePageRecords+80j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	short loc_4C8ED8
ST_STORE_SM_TRAITS___StDmCombinePageRecords endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmHpChunkFree(x, x)
_SmHpChunkFree@8 proc near		; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+27Bp
					; ST_STORE<SM_TRAITS>::StDmCombinePageEntry(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY *)+7Ep ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, edx
		and	eax, 0FFFFF000h
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [eax+8]
		bsr	eax, esi
		push	1
		btc	esi, eax
		imul	esi, 0Ch
		add	esi, [edi+eax*4]
		mov	ax, [esi+4]
		mov	[edx], ax
		sub	dx, [esi]
		mov	[esi+4], dx
		mov	edx, esi
		call	_SmHpBufferUpdateFullness@12 ; SmHpBufferUpdateFullness(x,x,x)
		movzx	ecx, word ptr [esi+6]
		cmp	ecx, [edi+124h]
		jz	short loc_4C8F68

loc_4C8F5E:				; CODE XREF: SmHpChunkFree(x,x)+5Cj
					; SmHpChunkFree(x,x)+68j
		dec	dword ptr [edi+134h]
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4C8F68:				; CODE XREF: SmHpChunkFree(x,x)+42j
		mov	eax, [edi+130h]
		sub	eax, ecx
		cmp	eax, [edi+12Ch]
		jb	short loc_4C8F5E
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	_SmHpBufferCleanup@12 ;	SmHpBufferCleanup(x,x,x)
		jmp	short loc_4C8F5E
_SmHpChunkFree@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StCompactRegions proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+E1p
					; ST_STORE_SM_TRAITS___StCompactionPerformInMem+19Cp ...

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C5B83 SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0A4h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	edi, [ebp+arg_8]
		push	58h		; size_t
		mov	[esp+0B4h+var_7C], eax
		lea	eax, [esp+0B4h+var_60]
		push	0		; int
		push	eax		; void *
		mov	[esp+0BCh+var_68], edx
		mov	[esp+0BCh+var_8C], esi
		mov	[esp+0BCh+var_94], edi
		call	_memset
		mov	eax, [ebx+240h]
		add	esp, 0Ch
		mov	[esp+0B0h+var_88], 0
		mov	[esp+0B0h+var_9C], 0
		mov	[esp+0B0h+var_98], 0
		lea	ecx, [eax+esi*2]
		lea	eax, [eax+edi*2]
		mov	[esp+0B0h+var_64], ecx
		mov	[esp+0B0h+var_6C], eax
		cmp	ecx, eax
		jz	loc_4C9572
		movzx	esi, word ptr [eax]
		and	esi, 1FFFh
		mov	[esp+0B0h+var_90], esi
		mov	esi, [esp+0B0h+var_8C]

loc_4C9020:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+5E8j
		mov	edx, [ebx+1A4h]
		mov	ecx, ebx
		call	?StDmPageRecordUnprotect@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAU_ST_PAGE_RECORD@1@@Z ; ST_STORE<SM_TRAITS>::StDmPageRecordUnprotect(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_PAGE_RECORD *)
		mov	eax, [ebx+44h]
		lea	edi, [ebx+30h]
		lea	ecx, [ebx+24h]
		mov	[esp+0B0h+var_A0], ecx
		test	al, 1
		jnz	loc_4C9584

loc_4C9042:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+5FEj
		and	eax, 0FFFFFFFEh
		mov	edx, esi
		mov	[edi+14h], eax
		lea	esi, [ebx+24h]
		mov	ecx, [ebx+1C8h]
		mov	eax, [ebx+1A4h]
		shl	edx, cl
		mov	ecx, esi
		push	edi
		mov	[eax], edx
		mov	edx, [ebx+1A8h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		mov	edi, eax
		cmp	edi, 0C0000006h
		jz	loc_4C951D
		lea	eax, [ebx+30h]
		lea	edi, [ebx+24h]
		push	eax
		lea	edx, [esp+0B4h+var_9C]
		mov	ecx, edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult
		mov	esi, [esp+0B0h+var_98]
		nop

loc_4C9090:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+3CBj
					; ST_STORE_SM_TRAITS___StCompactRegions+3E6j
		cmp	[esp+0B0h+var_88], 0
		jnz	loc_4C93C0

loc_4C909B:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+481j
		mov	ecx, [esp+0B0h+var_9C]
		test	ecx, ecx
		jz	loc_4C9517
		movzx	eax, word ptr [ecx]
		add	esi, 4
		add	eax, 2
		mov	[esp+0B0h+var_98], esi
		lea	eax, [ecx+eax*4]
		cmp	esi, eax
		jnb	loc_4C949E

loc_4C90BF:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+546j
		mov	eax, esi

loc_4C90C1:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+5B8j
					; ST_STORE_SM_TRAITS___StCompactRegions+FCC0Fj
		cmp	eax, 0FFFFFFFFh
		jz	loc_5C5BC9
		test	eax, eax
		jz	loc_4C9517
		mov	eax, [eax]
		mov	edx, eax
		mov	ecx, [ebx+0F4h]
		shr	edx, cl
		mov	ecx, [ebx+0F8h]
		mov	[esp+0B0h+var_84], eax
		and	ecx, [esp+0B0h+var_84]
		imul	ecx, [ebx+0FCh]
		bsr	eax, edx
		mov	[esp+0B0h+var_A4], 0
		btc	edx, eax
		mov	eax, [ebx+eax*4+6Ch]
		lea	edx, [edx+edx*2]
		mov	edx, [eax+edx*4]
		add	edx, ecx
		mov	ecx, [ebx+1C4h]
		add	edx, [ebx+104h]
		mov	[esp+0B0h+var_80], edx
		mov	eax, [edx]
		and	ecx, eax
		mov	[esp+0B0h+var_A4], ecx
		mov	ecx, [ebx+1C8h]
		shr	eax, cl
		cmp	eax, [esp+0B0h+var_8C]
		jnz	loc_4C9517
		mov	eax, [edx+4]
		and	eax, 0FFFh
		jbe	loc_4C9494

loc_4C9145:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+509j
		mov	edx, [ebx+1D4h]
		lea	ecx, [edx+0Fh]
		add	ecx, eax
		shr	ecx, 4
		mov	[esp+0B0h+var_70], ecx
		mov	ecx, [ebx+234h]
		mov	ecx, [ecx+4]
		lea	edi, [ecx-1]
		neg	ecx
		add	edi, eax
		and	edi, ecx
		add	edi, edx
		mov	edx, [esp+0B0h+var_8C]
		cmp	[esp+0B0h+var_94], edx
		jnz	loc_4C937B

loc_4C9179:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+401j
					; ST_STORE_SM_TRAITS___StCompactRegions+42Bj
		mov	eax, [esp+0B0h+var_A4]
		mov	ecx, [esp+0B0h+var_90]
		cmp	eax, ecx
		jz	loc_4C9435

loc_4C9189:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+4AFj
		cmp	[esp+0B0h+var_7C], 0
		jz	loc_5C5BF2
		shl	eax, 4
		add	eax, [esp+0B0h+var_68]
		shl	ecx, 4
		add	ecx, [esp+0B0h+var_7C]
		push	edi		; size_t
		push	eax		; void *
		push	ecx		; void *
		cmp	edx, [esp+0BCh+var_94]
		jz	loc_4C948A
		call	_memcpy

loc_4C91B4:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+4FFj
		mov	edi, [esp+0BCh+var_80]
		lea	ecx, [ebx+6Ch]
		mov	eax, edi
		mov	[esp+0BCh+var_A4], 0
		and	eax, 0FFFFF000h
		add	esp, 0Ch
		mov	edx, [eax+8]
		bsr	eax, edx
		push	0
		btc	edx, eax
		push	1
		mov	eax, [ecx+eax*4]
		lea	edx, [edx+edx*2]
		lea	edx, [eax+edx*4]
		call	SmHpBufferProtectEx
		mov	ecx, [ebx+480h]
		mov	edx, 4
		push	7530h
		push	3E8h
		call	ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork
		mov	edx, [esp+0B0h+var_94]
		lea	eax, [ebx+30h]
		mov	ecx, [ebx+1C8h]
		shl	edx, cl
		lea	ecx, [ebx+24h]
		or	edx, [esp+0B0h+var_90]
		mov	[esp+0B0h+var_74], edx
		mov	edx, [eax+0Ch]
		add	eax, 4
		mov	[esp+0B0h+var_80], edx
		cmp	edx, 0FFFFFFFFh
		mov	edx, eax
		mov	[esp+0B0h+var_A4], eax
		mov	[esp+0B0h+var_78], edx
		jnz	loc_4C9416

loc_4C9239:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+48Bj
					; ST_STORE_SM_TRAITS___StCompactRegions+4A0j
		mov	eax, [esp+0B0h+var_9C]
		cmp	[edx], eax
		jnz	loc_4C94DB
		mov	[edx+4], esi

loc_4C9248:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+582j
					; ST_STORE_SM_TRAITS___StCompactRegions+5D0j
		cmp	[esp+0B0h+var_88], 0
		jz	loc_4C9444

loc_4C9253:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+5DDj
		mov	ecx, [ebx+1A4h]
		lea	edx, [ebx+30h]
		mov	eax, [edi]
		mov	[ecx], eax
		lea	ecx, [ebx+24h]
		mov	eax, [ebx+1A8h]
		push	eax
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey
		lea	edx, [ebx+24h]
		lea	ecx, [esp+0B0h+var_9C]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup
		mov	eax, [esp+0B0h+var_74]
		lea	ecx, [esp+0B0h+var_60]
		mov	[edi], eax
		xor	esi, esi
		mov	eax, [esp+0B0h+var_84]
		xor	edx, edx
		mov	[esp+0B0h+var_9C], 0
		mov	[esp+0B0h+var_98], esi
		mov	[esp+0B0h+var_A4], eax
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		lea	eax, [esp+0B0h+var_48]
		mov	[esp+0B0h+var_54], edx
		mov	[esp+0B0h+var_60], eax
		lea	edx, [esp+0B0h+var_A4]
		lea	eax, [esp+0B0h+var_60]
		mov	[esp+0B0h+var_50], 8
		push	eax
		lea	ecx, [ebx+24h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsert
		lea	edx, [esp+0B0h+var_60]
		mov	[esp+0B0h+var_A4], eax
		lea	ecx, [ebx+24h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		lea	ecx, [ebx+24h]
		cmp	[esp+0B0h+var_A4], esi
		jl	loc_5C5BD3
		mov	edx, [ebx+1A8h]
		lea	eax, [ebx+30h]
		push	eax
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		mov	edi, eax
		test	edi, edi
		js	loc_5C5BB6
		lea	edx, [ebx+30h]
		lea	ecx, [ebx+24h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx
		mov	edi, eax
		test	edi, edi
		js	loc_5C5BB6

loc_4C9312:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+FCC34j
		cmp	edi, 0C0000006h
		jz	loc_4C9519

loc_4C931E:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+4F5j
		mov	edx, [esp+0B0h+var_8C]
		cmp	edx, [esp+0B0h+var_94]
		jz	short loc_4C9348
		mov	edi, [esp+0B0h+var_70]
		mov	ecx, ebx
		mov	eax, edi
		push	1
		neg	eax
		push	eax
		call	ST_STORE_SM_TRAITS___StDmpUpdateRegionState
		mov	edx, [esp+0B0h+var_94]
		mov	ecx, ebx
		push	0
		push	edi
		call	ST_STORE_SM_TRAITS___StDmpUpdateRegionState

loc_4C9348:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+396j
					; ST_STORE_SM_TRAITS___StCompactRegions+4A9j
		mov	eax, [esp+0B0h+var_90]
		lea	edi, [ebx+24h]
		add	eax, [esp+0B0h+var_70]
		cmp	[ebp+arg_C], 0
		mov	[esp+0B0h+var_90], eax
		jz	loc_4C9090
		xor	edx, edx
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StDmCheckForCompaction
		cmp	eax, 2
		jnz	loc_4C957D
		lea	edi, [ebx+24h]
		jmp	loc_4C9090
; 

loc_4C937B:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+1E3j
		mov	eax, [esp+0B0h+var_6C]
		movzx	eax, word ptr [eax]
		and	eax, 1FFFh
		add	eax, [esp+0B0h+var_70]
		cmp	eax, [ebx+1CCh]
		jbe	loc_4C9179
		mov	eax, [esp+0B0h+var_64]
		mov	[esp+0B0h+var_6C], eax
		mov	eax, [esp+0B0h+var_68]
		mov	[esp+0B0h+var_94], edx
		mov	[esp+0B0h+var_7C], eax
		mov	[esp+0B0h+var_90], 0
		mov	[esp+0B0h+var_88], 0
		jmp	loc_4C9179
; 

loc_4C93C0:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+105j
		mov	ecx, [ebx+1C8h]
		lea	esi, [ebx+30h]
		mov	eax, [ebx+1A4h]
		mov	edx, [esp+0B0h+var_8C]
		shl	edx, cl
		mov	ecx, edi
		push	esi
		mov	[eax], edx
		mov	edx, [ebx+1A8h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		mov	edi, eax
		cmp	edi, 0C0000006h
		jz	loc_4C9519
		lea	edi, [ebx+24h]
		mov	edx, edi
		lea	ecx, [esp+0B0h+var_9C]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup
		push	esi
		lea	edx, [esp+0B4h+var_9C]
		mov	ecx, edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult
		mov	esi, [esp+0B0h+var_98]
		jmp	loc_4C909B
; 

loc_4C9416:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+2A3j
		cmp	[esp+0B0h+var_80], 0
		jz	loc_4C9239
		mov	edx, [esp+0B0h+var_80]
		mov	eax, [ebx+30h]
		dec	edx
		lea	edx, [eax+edx*8]
		mov	[esp+0B0h+var_78], edx
		jmp	loc_4C9239
; 

loc_4C9435:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+1F3j
		cmp	edx, [esp+0B0h+var_94]
		jz	loc_4C9348
		jmp	loc_4C9189
; 

loc_4C9444:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+2BDj
		mov	eax, [ebx+1A4h]
		mov	edx, [esp+0B0h+var_74]
		mov	[eax], edx
		lea	edx, [ebx+30h]
		mov	eax, [ebx+1A8h]
		push	eax
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey
		test	eax, eax
		jz	loc_4C9565
		cmp	eax, 0FFFFFFFFh
		jz	loc_5C5BC9
		mov	eax, [esp+0B0h+var_74]
		lea	edx, [ebx+30h]
		push	[esp+0B0h+var_84]
		lea	ecx, [ebx+24h]
		mov	[edi], eax
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey
		jmp	loc_4C931E	; void *
; 

loc_4C948A:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+219j
		call	_memmove
		jmp	loc_4C91B4
; 

loc_4C9494:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+1AFj
		mov	eax, 1000h
		jmp	loc_4C9145
; 

loc_4C949E:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+129j
		test	edi, edi
		jz	loc_5C5B83
		lea	eax, [edi+8]

loc_4C94A9:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+FCBF5j
		mov	eax, [eax]
		lea	edx, [edi+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C5B8A
		mov	eax, edi
		neg	eax
		sbb	eax, eax
		and	eax, edx
		mov	eax, [eax]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4C9541
		mov	eax, 0D1Eh

loc_4C94CB:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+5B6j
		lea	esi, [eax+8]
		mov	[esp+0B0h+var_9C], eax
		mov	[esp+0B0h+var_98], esi
		jmp	loc_4C90BF
; 

loc_4C94DB:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+2AFj
		lea	edx, [ebx+30h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		cmp	dword ptr [ebx+3Ch], 0FFFFFFFFh
		lea	eax, [ebx+30h]
		jz	loc_5C5BA4
		push	eax
		mov	eax, [esp+0B4h+var_9C]
		lea	ecx, [ebx+24h]
		mov	edx, [eax+8]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		mov	ecx, [ebx+3Ch]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_4C954D

loc_4C9508:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+5BFj
		mov	eax, [esp+0B0h+var_A4]
		mov	[eax+4], esi

loc_4C950F:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+FCC21j
		lea	ecx, [ebx+24h]
		jmp	loc_4C9248
; 

loc_4C9517:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+111j
					; ST_STORE_SM_TRAITS___StCompactRegions+13Cj ...
		xor	edi, edi

loc_4C9519:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+388j
					; ST_STORE_SM_TRAITS___StCompactRegions+45Dj ...
		mov	esi, [esp+0B0h+var_A0]

loc_4C951D:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+E3j
		mov	edx, esi
		lea	ecx, [esp+0B0h+var_9C]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup
		mov	ecx, [esp+0B0h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4C9541:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+534j
		mov	eax, [ecx+4]

loc_4C9544:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+FCC07j
		test	eax, eax
		jnz	short loc_4C94CB
		jmp	loc_4C90C1
; 

loc_4C954D:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+576j
		test	ecx, ecx
		jz	short loc_4C9508
		mov	eax, [ebx+30h]
		lea	eax, [eax+ecx*8]
		add	eax, 0FFFFFFF8h
		lea	ecx, [ebx+24h]
		mov	[eax+4], esi
		jmp	loc_4C9248
; 

loc_4C9565:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+4D1j
		mov	[esp+0B0h+var_88], 1
		jmp	loc_4C9253
; 

loc_4C9572:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+79j
		xor	eax, eax
		mov	[esp+0B0h+var_90], eax
		jmp	loc_4C9020
; 

loc_4C957D:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+3DDj
		mov	edi, 8000000Eh
		jmp	short loc_4C9519
; 

loc_4C9584:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+ACj
		mov	edx, edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	eax, [edi+14h]
		jmp	loc_4C9042
ST_STORE_SM_TRAITS___StCompactRegions endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+2DAp
					; ST_STORE_SM_TRAITS___StCompactRegions+4CAp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C5BFC SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		mov	[ebp+var_10], edx
		push	ebx
		push	esi
		mov	esi, [edx+0Ch]
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	eax, [edx]
		lea	edx, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		mov	ecx, [eax+esi*8-8]
		mov	eax, [eax+esi*8-4]
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ecx
		mov	ecx, edi
		mov	eax, [eax]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_C]
		push	eax
		mov	[ebp+arg_0], esi
		call	?Compare@ST_REGION_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z ; ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR::Compare(void *,ulong const	&,ulong	const &)
		mov	ebx, eax
		mov	eax, [ebp+var_4]
		test	ebx, ebx
		jg	short loc_4C9643
		mov	ecx, [ebp+var_8]
		add	eax, 8
		cmp	ecx, eax
		jbe	short loc_4C961D
		test	ebx, ebx
		jnz	short loc_4C95FE

loc_4C95EF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+83j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+9Ej ...
		mov	eax, [ebp+var_8]
		mov	[eax], esi
		xor	eax, eax
		inc	eax

loc_4C95F7:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+87j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+FC675j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4C95FE:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+59j
		mov	eax, [ecx-4]
		mov	[ebp+arg_0], esi
		mov	[ebp+var_C], eax

loc_4C9607:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+C8j
		lea	eax, [ebp+arg_0]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_C]
		call	?Compare@ST_REGION_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z ; ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR::Compare(void *,ulong const	&,ulong	const &)
		test	eax, eax
		js	short loc_4C95EF

loc_4C9619:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+173j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+1CCj
		xor	eax, eax
		jmp	short loc_4C95F7
; 

loc_4C961D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+55j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+BDj
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_18]
		xor	edx, edx
		test	ebx, ebx
		push	eax
		setnle	dl
		call	?BTreeFindSeperatorIndexEntry@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGKPAUSEARCH_RESULT@1@KPAUPATH_ENTRY@1@@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindSeperatorIndexEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::PATH_ENTRY *)
		test	eax, eax
		jz	short loc_4C95EF
		mov	eax, [ebp+var_14]
		mov	ecx, [eax]
		test	ebx, ebx
		jg	short loc_4C965E
		jnz	short loc_4C967A
		mov	[eax], esi
		jmp	short loc_4C95EF
; 

loc_4C9643:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+4Bj
		movzx	ecx, word ptr [eax]
		add	eax, 4
		lea	ecx, [eax+ecx*4]
		mov	eax, [ebp+var_8]
		cmp	eax, ecx
		jnb	short loc_4C961D
		mov	eax, [eax+4]
		mov	[ebp+arg_0], eax
		mov	[ebp+var_C], esi
		jmp	short loc_4C9607
; 

loc_4C965E:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+A7j
		lea	eax, [ebp+arg_0]
		mov	[ebp+arg_0], ecx
		push	eax
		lea	edx, [ebp+var_10]
		mov	[ebp+var_10], esi
		mov	ecx, edi
		call	?Compare@ST_REGION_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z ; ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR::Compare(void *,ulong const	&,ulong	const &)
		test	eax, eax
		js	loc_4C95EF

loc_4C967A:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+A9j
		lea	eax, [edi+8]
		test	ebx, ebx
		jns	loc_4C9719
		mov	[ebp+arg_0], eax

loc_4C9688:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+198j
		xor	edx, edx
		lea	ecx, [ebp+var_18]
		test	ebx, ebx
		push	0
		setnle	dl
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling
		mov	edx, eax
		mov	eax, edi
		neg	eax
		mov	[ebp+var_4], edx
		sbb	eax, eax
		and	eax, [ebp+arg_0]
		mov	ecx, [eax]
		cmp	dword ptr [ecx], 0FFFFFFFFh
		jnz	short loc_4C970C
		mov	ecx, [edx]

loc_4C96B0:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+183j
		test	ecx, ecx
		jz	loc_5C5C06
		lea	edx, [ebp+var_C]
		test	ebx, ebx
		jns	loc_5C5C0E
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_10], esi
		mov	eax, [ecx+eax*4+4]
		mov	ecx, edi
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_10]
		push	eax
		call	?Compare@ST_REGION_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z ; ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR::Compare(void *,ulong const	&,ulong	const &)
		xor	ebx, ebx
		test	eax, eax
		jns	short loc_4C96E7
		mov	eax, [ebp+var_14]
		mov	[eax], esi

loc_4C96E6:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+FC699j
		inc	ebx

loc_4C96E7:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+14Bj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+FC6A0j
		neg	edi
		sbb	edi, edi
		and	edi, [ebp+arg_0]
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4C96FF
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)

loc_4C96FF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+15Fj
		test	ebx, ebx
		jnz	loc_4C95EF
		jmp	loc_4C9619
; 

loc_4C970C:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+118j
		push	0
		mov	ecx, eax
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		mov	ecx, eax
		jmp	short loc_4C96B0
; 

loc_4C9719:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+EBj
		mov	ecx, edi
		lea	edx, [edi+8]
		neg	ecx
		mov	[ebp+arg_0], edx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_4C9688
		mov	eax, edi
		neg	eax
		sbb	eax, eax
		and	eax, edx
		mov	eax, [eax]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_4C976B
		mov	eax, [ebp+var_4]
		mov	eax, [eax+4]

loc_4C9747:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+1DCj
		mov	ebx, [eax+8]
		lea	edx, [ebp+var_10]
		lea	eax, [ebp+arg_0]
		mov	[ebp+arg_0], ebx
		push	eax
		mov	ecx, edi
		mov	[ebp+var_10], esi
		call	?Compare@ST_REGION_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z ; ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR::Compare(void *,ulong const	&,ulong	const &)
		test	eax, eax
		jns	loc_4C9619
		jmp	loc_5C5BFC
; 

loc_4C976B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+1ABj
		mov	eax, 0D1Eh
		jmp	short loc_4C9747
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmPageRemove proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+A4p
					; ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,ulong)+F0p ...

var_6E		= byte ptr -6Eh
var_6D		= byte ptr -6Dh
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5A		= byte ptr -5Ah
var_59		= byte ptr -59h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C5C39 SIZE 000005CD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 68h
		push	esi
		mov	[esp+6Ch+var_58], ecx
		xor	ecx, ecx
		push	edi
		mov	[esp+70h+var_50], edx
		mov	[esp+70h+var_8], 0
		mov	[esp+70h+var_4], 0
		call	_SmEtwEnabled@4	; SmEtwEnabled(x)
		mov	ecx, [esp+70h+var_58]
		mov	edi, [ecx+20h]
		mov	[esp+70h+var_28], eax
		mov	eax, edx
		mov	edx, [eax+8]
		mov	esi, [eax+4]
		dec	edx
		add	esi, edx
		lea	edx, [ecx+0Ch]
		mov	[esp+70h+var_34], esi
		mov	[esp+70h+var_48], edx
		test	edi, 1
		jnz	loc_5C5C39

loc_4C97D9:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC4CDj
		and	edi, 0FFFFFFFEh
		mov	[edx+14h], edi
		lea	edi, [ecx+30h]
		mov	[esp+70h+var_30], edi
		mov	edi, [edi+14h]
		test	edi, 1
		jnz	loc_5C5C52

loc_4C97F5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC4EFj
		and	edi, 0FFFFFFFEh
		mov	[esp+70h+var_4C], 0
		mov	[ecx+44h], edi
		mov	[esp+70h+var_3C], 0
		jmp	short loc_4C9814
; 
		align 10h

loc_4C9810:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+28Cj
		mov	ecx, [esp+70h+var_58]

loc_4C9814:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+8Bj
					; ST_STORE_SM_TRAITS___StDmPageRemove+234j ...
		mov	eax, [eax+4]
		push	eax
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	[esp+70h+var_54], eax
		cmp	eax, 0C0000006h
		jz	loc_5C5FDC
		push	[esp+70h+var_48]
		mov	edi, [esp+74h+var_58]
		lea	edx, [esp+74h+var_8]
		mov	ecx, edi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult
		mov	ecx, [esp+70h+var_8]
		test	ecx, ecx
		jz	loc_4C9A36
		movzx	eax, word ptr [ecx]
		mov	edx, [esp+70h+var_4]
		inc	eax
		add	edx, 8
		mov	[esp+70h+var_4], edx
		lea	eax, [ecx+eax*8]
		cmp	edx, eax
		jnb	loc_4C9A83
		mov	eax, edx
		mov	[esp+70h+var_44], edx

loc_4C986B:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+33Fj
					; ST_STORE_SM_TRAITS___StDmPageRemove+393j
		cmp	eax, 0FFFFFFFFh
		jz	loc_5C5FE9
		test	eax, eax
		jz	loc_4C9A36
		mov	edi, [eax]
		cmp	esi, edi
		jb	loc_4C9A32
		mov	ecx, [esp+70h+var_58]
		mov	edx, eax
		call	?StDmCombinePageEntry@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_PAGE_RECORD@1@PAU_ST_DATA_MGR@1@PAU_ST_PAGE_ENTRY@1@@Z ; ST_STORE<SM_TRAITS>::StDmCombinePageEntry(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY *)
		mov	ecx, [esp+70h+var_44]
		mov	edx, eax
		mov	[esp+70h+var_40], edx
		and	edx, 0FFFFF000h
		mov	[esp+70h+var_2C], 0
		push	0
		mov	eax, [ecx+4]
		mov	ecx, [edx+8]
		mov	[esp+74h+var_20], eax
		mov	eax, [esp+74h+var_58]
		add	eax, 6Ch
		mov	[esp+74h+var_38], eax
		mov	edx, [esp+74h+var_38]
		bsr	eax, ecx
		push	1
		btc	ecx, eax
		mov	[esp+78h+var_2C], eax
		mov	eax, [edx+eax*4]
		lea	ecx, [ecx+ecx*2]
		lea	edx, [eax+ecx*4]
		mov	ecx, [esp+78h+var_38]
		call	SmHpBufferProtectEx
		mov	eax, [esp+70h+var_58]
		mov	edx, 4
		push	7530h
		push	3E8h
		mov	ecx, [eax+480h]
		call	ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork
		mov	ecx, [esp+70h+var_28]
		test	ecx, ecx
		jnz	loc_5C5C95

loc_4C990C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC533j
		mov	ecx, [esp+70h+var_48]
		mov	eax, [ecx+0Ch]
		lea	edx, [ecx+4]
		mov	[esp+70h+var_24], eax
		mov	[esp+70h+var_54], edx
		mov	[esp+70h+var_44], edx
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4C9A17

loc_4C992B:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+299j
					; ST_STORE_SM_TRAITS___StDmPageRemove+2ADj
		mov	eax, [esp+70h+var_8]
		cmp	[edx], eax
		jnz	loc_4C9AC4
		mov	eax, [esp+70h+var_4]
		mov	[edx+4], eax

loc_4C993E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+383j
					; ST_STORE_SM_TRAITS___StDmPageRemove+3A9j
		mov	edx, [esp+70h+var_58]
		lea	ecx, [esp+70h+var_8]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup
		mov	edx, [esp+70h+var_48]
		mov	ecx, [esp+70h+var_58]
		mov	[esp+70h+var_8], 0
		mov	[esp+70h+var_4], 0
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx
		mov	[esp+70h+var_54], eax
		test	eax, eax
		js	loc_5C5FD3
		mov	ecx, [esp+70h+var_58]
		cmp	byte ptr [ecx+1ACh], 0
		jnz	short loc_4C99BA
		mov	eax, [esp+70h+var_40]
		mov	edx, [eax+4]
		mov	eax, edx
		shr	eax, 0Ch
		test	eax, eax
		jz	loc_5C5CB8

loc_4C9995:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC53Aj
		dec	eax
		and	edx, 0FFFh
		shl	eax, 0Ch
		or	eax, edx
		mov	edx, [esp+70h+var_40]
		test	eax, 0FFFFF000h
		mov	[edx+4], eax
		lea	edx, [ecx+0Ch]
		mov	eax, [esp+70h+var_50]
		ja	loc_4C9814

loc_4C99BA:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+1FFj
		mov	edx, [esp+70h+var_20]
		lea	eax, [ecx+30h]
		push	eax
		add	ecx, 24h
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		mov	ecx, [esp+70h+var_58]
		mov	[esp+70h+var_54], eax
		test	eax, eax
		js	loc_5C5CBF
		push	[esp+70h+var_30]
		mov	edx, [esp+74h+var_40]
		call	ST_STORE_SM_TRAITS___StDmPageRecordRemove
		mov	[esp+70h+var_54], eax
		test	eax, eax
		js	loc_5C5FDC
		mov	edx, [esp+70h+var_40]
		mov	ecx, [esp+70h+var_38]
		call	_SmHpChunkFree@8 ; SmHpChunkFree(x,x)
		mov	eax, [esp+70h+var_50]
		mov	edx, [esp+70h+var_48]
		test	byte ptr [eax+0Ch], 1
		jz	loc_4C9810
		jmp	loc_5C5D00
; 

loc_4C9A17:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+1A5j
		test	eax, eax
		jz	loc_4C992B
		mov	edx, [esp+70h+var_24]
		mov	eax, [ecx]
		dec	edx
		lea	edx, [eax+edx*8]
		mov	[esp+70h+var_44], edx
		jmp	loc_4C992B
; 

loc_4C9A32:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+100j
		mov	edi, [esp+70h+var_58]

loc_4C9A36:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+C5j
					; ST_STORE_SM_TRAITS___StDmPageRemove+F6j
		mov	esi, [esp+70h+var_4C]
		test	esi, esi
		jnz	loc_5C5FF5

loc_4C9A42:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FCA81j
		mov	ecx, [esp+70h+var_58]
		cmp	byte ptr [ecx+1ACh], 0
		jnz	short loc_4C9A6E
		mov	al, [ecx+47Ch]
		and	al, 3
		cmp	al, 3
		jz	short loc_4C9A6E
		xor	edx, edx
		call	ST_STORE_SM_TRAITS___StDmCheckForCompaction
		mov	ecx, [esp+70h+var_58]
		test	eax, eax
		jnz	loc_4C9B2E

loc_4C9A6E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+2CDj
					; ST_STORE_SM_TRAITS___StDmPageRemove+2D9j ...
		xor	esi, esi

loc_4C9A70:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC864j
					; ST_STORE_SM_TRAITS___StDmPageRemove+FC870j
		mov	edx, ecx
		lea	ecx, [esp+70h+var_8]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4C9A83:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+DFj
		test	edi, edi
		jz	loc_5C5C74
		lea	eax, [edi+8]

loc_4C9A8E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC4F6j
		mov	eax, [eax]
		lea	edx, [edi+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C5C7B
		mov	eax, edi
		neg	eax
		sbb	eax, eax
		and	eax, edx
		mov	eax, [eax]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4C9B08
		mov	eax, 0D1Eh

loc_4C9AB0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+38Dj
		mov	[esp+70h+var_8], eax
		add	eax, 8
		mov	[esp+70h+var_4], eax

loc_4C9ABB:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC510j
		mov	[esp+70h+var_44], eax
		jmp	loc_4C986B
; 

loc_4C9AC4:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+1B1j
		mov	edx, ecx
		mov	ecx, [esp+70h+var_58]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref
		mov	ecx, [esp+70h+var_48]
		mov	eax, [esp+70h+var_8]
		cmp	dword ptr [ecx+0Ch], 0FFFFFFFFh
		jz	short loc_4C9B3E
		mov	eax, [eax+8]
		mov	edx, ecx
		mov	ecx, [esp+70h+var_58]
		push	eax
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	eax, [esp+70h+var_48]
		mov	ecx, [eax+0Ch]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_4C9B18

loc_4C9AF8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+39Aj
		mov	ecx, [esp+70h+var_54]

loc_4C9AFC:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+3C4j
		mov	eax, [esp+70h+var_4]
		mov	[ecx+4], eax
		jmp	loc_4C993E
; 

loc_4C9B08:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+329j
		mov	eax, [ecx+4]

loc_4C9B0B:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC508j
		test	eax, eax
		jnz	short loc_4C9AB0
		mov	[esp+70h+var_44], eax
		jmp	loc_4C986B
; 

loc_4C9B18:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+376j
		test	ecx, ecx
		jz	short loc_4C9AF8
		mov	eax, [eax]
		dec	ecx
		lea	ecx, [eax+ecx*8]
		mov	eax, [esp+70h+var_4]
		mov	[ecx+4], eax
		jmp	loc_4C993E
; 

loc_4C9B2E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+2E8j
		mov	edx, eax
		call	?StQueueCompaction@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@W4_ST_COMPACTION_CHECK_RESULT@@@Z ; ST_STORE<SM_TRAITS>::StQueueCompaction(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_ST_COMPACTION_CHECK_RESULT)
		mov	ecx, [esp+70h+var_58]
		jmp	loc_4C9A6E
; 

loc_4C9B3E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+35Bj
		mov	ecx, [esp+70h+var_44]
		mov	[ecx], eax
		jmp	short loc_4C9AFC
ST_STORE_SM_TRAITS___StDmPageRemove endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmPageRecordRemove proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCombinePageRecords+49p
					; ST_STORE_SM_TRAITS___StDmPageRemove+262p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C6206 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		mov	eax, edx
		xor	edx, edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], eax
		mov	ebx, eax
		and	ebx, 0FFFFF000h
		push	edi
		mov	ecx, [esi+104h]
		add	ecx, ebx
		sub	eax, ecx
		mov	ecx, [esi+0F4h]
		div	dword ptr [esi+0FCh]
		mov	edx, [ebx+8]
		shl	edx, cl
		mov	ecx, [esi+3Ch]
		add	edx, eax
		mov	[ebp+var_4], edx
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_4C9C59

loc_4C9B98:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+10Bj
		lea	eax, [esi+38h]

loc_4C9B9B:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+11Aj
		mov	eax, [eax]
		cmp	[eax], edx
		jnz	loc_5C6206

loc_4C9BA5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+FC6B8j
		mov	eax, [esi+68h]
		lea	edi, [esi+54h]
		test	al, 1
		jnz	loc_4C9C87

loc_4C9BB3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+144j
		mov	edx, [ebp+arg_0]
		lea	ecx, [esi+24h]
		and	eax, 0FFFFFFFEh
		mov	[edi+14h], eax
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx
		mov	[ebp+arg_0], eax
		test	eax, eax
		js	loc_5C620D
		cmp	byte ptr [esi+1ACh], 0
		jnz	loc_5C6234
		mov	edx, [ebp+var_4]
		lea	ecx, [esi+48h]
		push	edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey
		test	eax, eax
		js	loc_5C621F

loc_4C9BF0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+FC6D1j
		mov	ecx, [edi+0Ch]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_4C9C6F

loc_4C9BF8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+121j
		lea	eax, [edi+8]

loc_4C9BFB:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+12Bj
		mov	eax, [eax]
		mov	ecx, [ebp+var_4]
		cmp	[eax], ecx
		jnz	loc_5C6226

loc_4C9C08:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+FC6D8j
		mov	edx, edi
		lea	ecx, [esi+48h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx
		mov	edi, eax
		test	edi, edi
		js	loc_5C622D

loc_4C9C1C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+FC6DFj
					; ST_STORE_SM_TRAITS___StDmPageRecordRemove+FC6E7j
		mov	edx, [ebp+var_8]
		mov	ecx, [edx+4]
		and	ecx, 0FFFh
		jbe	short loc_4C9C80

loc_4C9C2A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+135j
		mov	eax, [esi+1D4h]
		mov	edx, [edx]
		add	eax, 0Fh
		add	eax, ecx
		mov	ecx, [esi+1C8h]
		shr	eax, 4
		neg	eax
		shr	edx, cl
		push	0
		push	eax
		mov	ecx, esi
		call	ST_STORE_SM_TRAITS___StDmpUpdateRegionState
		mov	eax, edi

loc_4C9C50:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+FC6C2j
					; ST_STORE_SM_TRAITS___StDmPageRecordRemove+FC6CAj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4C9C59:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+42j
		test	ecx, ecx
		jz	loc_4C9B98
		mov	eax, [esi+30h]
		lea	eax, [eax+ecx*8]
		add	eax, 0FFFFFFFCh
		jmp	loc_4C9B9B
; 

loc_4C9C6F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+A6j
		test	ecx, ecx
		jz	short loc_4C9BF8
		mov	eax, [edi]
		lea	eax, [eax+ecx*8]
		add	eax, 0FFFFFFFCh
		jmp	loc_4C9BFB
; 

loc_4C9C80:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+D8j
		mov	ecx, 1000h
		jmp	short loc_4C9C2A
; 

loc_4C9C87:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+5Dj
		mov	edx, edi
		lea	ecx, [esi+48h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	eax, [edi+14h]
		jmp	loc_4C9BB3
ST_STORE_SM_TRAITS___StDmPageRecordRemove endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StDmPageRecordUnprotect(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_RECORD *)
?StDmPageRecordUnprotect@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAU_ST_PAGE_RECORD@1@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCombinePageRecords+34p
					; ST_STORE_SM_TRAITS___StDmCombinePageRecords+3Dp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	edx, 0FFFFF000h
		push	esi
		mov	esi, ecx
		push	0
		mov	edx, [edx+8]
		bsr	eax, edx
		lea	ecx, [esi+6Ch]
		btc	edx, eax
		imul	edx, 0Ch
		push	1
		add	edx, [ecx+eax*4]
		call	SmHpBufferProtectEx
		mov	ecx, [esi+480h]
		push	7530h
		push	3E8h
		push	4
		pop	edx
		call	ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork
		pop	esi
		leave
		retn
?StDmPageRecordUnprotect@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAU_ST_PAGE_RECORD@1@@Z endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmCombineRegion proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char	* *,ulong *)+64p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

; FUNCTION CHUNK AT 005C623C SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		push	edi
		mov	eax, [ebx+24Ch]
		mov	[esp+28h+var_10], esi
		mov	[esp+28h+var_14], eax
		test	eax, eax
		jz	loc_4C9EC6
		mov	[esp+28h+var_18], eax
		mov	dword ptr [ebx+24Ch], 0

loc_4C9D16:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+204j
		mov	[eax], esi
		lea	edi, [esp+28h+var_C]
		mov	dword ptr [eax+4], 81000h
		xor	eax, eax
		mov	ecx, [ebx+1C8h]
		stosd
		shl	esi, cl
		or	esi, [ebx+1C4h]
		mov	ecx, [ebx+44h]
		stosd
		stosd
		test	cl, 1
		jnz	short loc_4C9D4C
		lea	edx, [ebx+30h]
		lea	ecx, [ebx+24h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	ecx, [ebx+44h]

loc_4C9D4C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+5Cj
		or	ecx, 1
		mov	[ebx+44h], ecx
		mov	ecx, ebx
		mov	edx, [ebx+1A4h]
		call	?StDmPageRecordUnprotect@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAU_ST_PAGE_RECORD@1@@Z ; ST_STORE<SM_TRAITS>::StDmPageRecordUnprotect(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_PAGE_RECORD *)
		mov	eax, [ebx+1A4h]
		lea	edx, [ebx+24h]
		push	ecx
		lea	ecx, [ebx+30h]
		mov	[eax], esi
		mov	eax, [ebx+1A8h]
		push	eax
		call	?BTreeSearchResultIterStart@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGJPAUSEARCH_RESULT@1@PAU1@KW4_BTREE_ITERATOR_DISPOSITION@1@@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultIterStart(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::_BTREE_ITERATOR_DISPOSITION)
		test	eax, eax
		js	loc_5C623C

loc_4C9D82:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+1ACj
					; ST_STORE_SM_TRAITS___StDmCombineRegion+FC55Ej
		mov	edi, [esp+28h+var_14]
		jmp	short loc_4C9D90
; 
		align 10h

loc_4C9D90:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+A6j
					; ST_STORE_SM_TRAITS___StDmCombineRegion+11Fj ...
		lea	edx, [ebx+30h]
		lea	ecx, [ebx+24h]
		call	?BTreeFindPreviousEntry@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGPAU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@PAU1@PAUSEARCH_RESULT@1@@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindPreviousEntry(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *)
		test	eax, eax
		jz	loc_4C9E91
		mov	edx, [eax]
		mov	eax, edx
		mov	ecx, [ebx+0F4h]
		shr	eax, cl
		bsr	esi, eax
		mov	[esp+28h+var_14], 0
		btc	eax, esi
		mov	esi, [ebx+esi*4+6Ch]
		lea	ecx, [eax+eax*2]
		mov	eax, [ebx+0F8h]
		and	eax, edx
		imul	eax, [ebx+0FCh]
		mov	esi, [esi+ecx*4]
		mov	ecx, [ebx+1C8h]
		add	esi, eax
		add	esi, [ebx+104h]
		mov	eax, [esi]
		shr	eax, cl
		cmp	eax, [esp+28h+var_10]
		jnz	loc_4C9E91
		mov	eax, [esi+4]
		and	eax, 0FFFFF000h
		cmp	eax, 1000h
		ja	short loc_4C9D90
		push	esi
		lea	eax, [esp+2Ch+var_C]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry
		cmp	eax, 80000005h
		jnz	loc_4C9D90
		lea	edx, [esp+28h+var_18]
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StDmCombineBufferProcess
		test	eax, eax
		js	loc_4C9EF1
		mov	eax, [ebx+44h]
		test	al, 1
		jnz	short loc_4C9E43
		lea	edx, [ebx+30h]
		lea	ecx, [ebx+24h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	eax, [ebx+44h]

loc_4C9E43:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+153j
		or	eax, 1
		lea	edx, [ebx+24h]
		mov	[ebx+44h], eax
		mov	ecx, [ebx+1A4h]
		mov	eax, [esi]
		push	ecx
		mov	[ecx], eax
		lea	ecx, [ebx+30h]
		mov	eax, [ebx+1A8h]
		push	eax
		call	?BTreeSearchResultIterStart@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGJPAUSEARCH_RESULT@1@PAU1@KW4_BTREE_ITERATOR_DISPOSITION@1@@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultIterStart(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::_BTREE_ITERATOR_DISPOSITION)
		test	eax, eax
		js	loc_5C6243

loc_4C9E6E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+FC565j
		mov	eax, [esp+28h+var_18]
		lea	edi, [esp+28h+var_C]
		mov	ecx, [esp+28h+var_10]
		mov	[esp+28h+var_14], eax
		mov	[eax], ecx
		mov	dword ptr [eax+4], 81000h
		xor	eax, eax
		stosd
		stosd
		stosd
		jmp	loc_4C9D82
; 

loc_4C9E91:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+BDj
					; ST_STORE_SM_TRAITS___StDmCombineRegion+10Cj
		movzx	ecx, word ptr [edi+6]
		lea	eax, [edi+8]
		add	ecx, edi
		cmp	eax, ecx
		jb	short loc_4C9EB1

loc_4C9E9E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+1E4j
		xor	eax, eax

loc_4C9EA0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+215j
		test	edi, edi
		jz	short loc_4C9EAA
		mov	[ebx+24Ch], edi

loc_4C9EAA:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+1C2j
					; ST_STORE_SM_TRAITS___StDmCombineRegion+20Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4C9EB1:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+1BCj
		lea	edx, [esp+28h+var_18]
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StDmCombineBufferProcess
		test	eax, eax
		js	short loc_4C9EF1
		mov	edi, [esp+28h+var_18]
		jmp	short loc_4C9E9E
; 

loc_4C9EC6:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+22j
		push	74536D73h
		push	1000h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+28h+var_14], eax
		mov	[esp+28h+var_18], eax
		test	eax, eax
		jnz	loc_4C9D16
		mov	eax, 0C000009Ah
		jmp	short loc_4C9EAA
; 

loc_4C9EF1:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+148j
					; ST_STORE_SM_TRAITS___StDmCombineRegion+1DEj
		mov	edi, [esp+28h+var_18]
		jmp	short loc_4C9EA0
ST_STORE_SM_TRAITS___StDmCombineRegion endp

; 
		align 4

;  S U B	R O U T	I N E 


; public: static struct	ST_STORE<struct	SM_TRAITS>::_ST_REGION_ENTRY * __stdcall B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY, 4096, struct NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindPreviousEntry(struct B_TREE<unsigned long, struct	ST_STORE<struct	SM_TRAITS>::_ST_REGION_ENTRY, 4096, struct NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *, struct	B_TREE<unsigned	long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY, 4096, struct	NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *)
?BTreeFindPreviousEntry@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGPAU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@PAU1@PAUSEARCH_RESULT@1@@Z proc	near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+D5p
					; ST_STORE_SM_TRAITS___StDmCombineRegion+B6p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, [edx+0Ch]
		mov	ebx, ecx
		test	esi, esi
		jz	short loc_4C9F4D
		push	edi
		mov	edi, [edx]
		mov	eax, [edi+esi*8-8]
		add	dword ptr [edi+esi*8-4], 0FFFFFFFCh
		add	eax, 8
		mov	ecx, [edi+esi*8-4]
		cmp	ecx, eax
		jb	short loc_4C9F22

loc_4C9F1C:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindPreviousEntry(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *)+42j
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindPreviousEntry(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *)+4Fj ...
		pop	edi

loc_4C9F1D:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindPreviousEntry(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *)+57j
		pop	esi
		mov	eax, ecx
		pop	ebx
		retn
; 

loc_4C9F22:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindPreviousEntry(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *)+22j
		push	2
		mov	ecx, ebx
		mov	[edi+esi*8-4], eax
		call	?BTreeFindLeafSiblingEx@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGPAUNODE@?$B_TREE_HEADER@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAUSEARCH_RESULT@1@K@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)
		mov	edx, eax
		test	edx, edx
		jz	short loc_4C9F49
		or	ecx, 0FFFFFFFFh
		cmp	edx, ecx
		jz	short loc_4C9F1C
		movzx	ecx, word ptr [edx]
		inc	ecx
		lea	ecx, [edx+ecx*4]
		mov	[edi+esi*8-4], ecx
		jmp	short loc_4C9F1C
; 

loc_4C9F49:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindPreviousEntry(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *)+3Bj
		xor	ecx, ecx
		jmp	short loc_4C9F1C
; 

loc_4C9F4D:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindPreviousEntry(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *)+Bj
		xor	ecx, ecx
		jmp	short loc_4C9F1D
?BTreeFindPreviousEntry@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGPAU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@PAU1@PAUSEARCH_RESULT@1@@Z endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+12Bp

var_60		= dword	ptr -60h
var_50		= dword	ptr -50h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C624A SIZE 000000CD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		movzx	edi, word ptr [edx+6]
		mov	esi, ecx
		movzx	ecx, word ptr [edx+4]
		add	edi, edx
		add	ecx, edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_10], esi
		mov	[ebp+var_34], 0
		lea	ebx, [edi+8]
		mov	[ebp+var_30], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_28], ecx
		mov	[ebp+var_2C], edi
		cmp	ebx, ecx
		ja	loc_4CA39D
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		mov	[edi], eax
		mov	[edi+4], eax
		test	edi, edi
		jz	short loc_4C9FCE
		mov	eax, [esi+1C4h]
		and	eax, [ecx]
		mov	[edi], eax

loc_4C9FCE:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+62j
		mov	eax, [edi]
		shl	eax, 4
		mov	[edi], eax
		mov	eax, [ecx+4]
		and	eax, 0FFFh
		jbe	loc_4CA255

loc_4C9FE3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+2FAj
		mov	[edi+4], ax
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+4]
		cmp	eax, [ecx+8]
		jz	loc_4CA1A5

loc_4C9FF6:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+253j
					; ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+25Dj
		mov	ecx, [esi+68h]
		lea	eax, [esi+54h]
		test	cl, 1
		jz	loc_4CA2F3

loc_4CA005:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+3A3j
		mov	edx, [ebp+arg_4]
		or	ecx, 1
		mov	[eax+14h], ecx
		mov	ecx, [esi+1A4h]
		mov	eax, [edx+8]
		mov	[ecx+8], eax
		lea	eax, [esi+54h]
		mov	edx, [esi+1A8h]
		lea	ecx, [esi+48h]
		push	eax
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey
		lea	eax, [esi+54h]
		push	eax
		lea	edx, [ebp+var_20]
		lea	ecx, [esi+48h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult
		mov	edx, [ebp+var_8]
		mov	eax, [esi+240h]
		mov	[ebp+var_14], 0
		mov	ecx, [edx]
		movzx	eax, word ptr [eax+ecx*2]
		shr	eax, 0Dh
		mov	[ebp+var_38], eax

loc_4CA057:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+23Aj
		mov	edx, [ebp+var_20]
		test	edx, edx
		jz	short loc_4CA0D5
		movzx	eax, word ptr [edx]
		mov	ecx, [ebp+var_1C]
		add	eax, 2
		add	ecx, 4
		mov	[ebp+var_1C], ecx
		lea	eax, [edx+eax*4]
		cmp	ecx, eax
		jnb	loc_4CA321

loc_4CA078:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+401j
					; ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+438j ...
		test	ecx, ecx
		jz	short loc_4CA0D5
		mov	esi, [ecx]
		mov	edx, esi
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_18], 0
		mov	ecx, [ecx+0F4h]
		shr	edx, cl
		mov	ecx, [ebp+var_10]
		bsr	eax, edx
		btc	edx, eax
		mov	eax, [ecx+eax*4+6Ch]
		mov	ecx, [ecx+0F8h]
		lea	edx, [edx+edx*2]
		and	ecx, esi
		mov	esi, [ebp+var_10]
		mov	edx, [eax+edx*4]
		imul	ecx, [esi+0FCh]
		add	edx, ecx
		mov	ecx, [ebp+arg_4]
		add	edx, [esi+104h]
		mov	[ebp+var_24], edx
		cmp	edx, ecx
		jz	loc_4CA190
		mov	eax, [edx+8]
		cmp	eax, [ecx+8]
		jz	short loc_4CA119

loc_4CA0D5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FCj
					; ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+11Aj ...
		mov	cl, [edi+6]
		mov	[ebp+var_9], cl
		test	cl, cl
		jnz	loc_4CA25F

loc_4CA0E3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+2AFj
					; ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+2F0j
		xor	ecx, ecx

loc_4CA0E5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+3BCj
					; ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+442j
		mov	[ebp+var_8], ecx
		lea	ebx, [esi+48h]
		test	ebx, ebx
		jz	loc_5C626F
		lea	eax, [ebx+8]

loc_4CA0F6:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FC311j
		mov	eax, [eax]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C6276

loc_4CA101:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FC31Bj
					; ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FC325j
		mov	eax, ecx

loc_4CA103:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FC3B2j
		lea	esp, [ebp-60h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4CA119:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+173j
		mov	eax, [edx+4]
		xor	eax, [ecx+4]
		test	eax, 0FFFh
		jnz	short loc_4CA190
		mov	eax, [edx]
		mov	ecx, [esi+1C8h]
		shr	eax, cl
		mov	[ebp+var_18], eax
		mov	eax, [esi+240h]
		mov	ecx, [ebp+var_18]
		movzx	eax, word ptr [eax+ecx*2]
		shr	eax, 0Dh
		cmp	eax, [ebp+var_38]
		jb	short loc_4CA190
		mov	eax, [esi+1C0h]
		mov	eax, [eax+1254h]
		test	eax, eax
		jnz	loc_4CA366

loc_4CA15C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+42Aj
		mov	eax, [edx+4]
		and	eax, 0FFFFF000h
		cmp	eax, 0FFEFF000h
		jnb	short loc_4CA190
		lea	ecx, [ebx+8]
		cmp	ecx, [ebp+var_28]
		ja	loc_4CA39D
		xor	eax, eax
		mov	[ebx], eax
		mov	[ebx+4], eax
		mov	eax, [edx]
		mov	[ebx], eax
		mov	eax, [edx+4]
		shr	eax, 0Ch
		mov	[ebx+4], eax
		mov	ebx, ecx
		inc	byte ptr [edi+6]

loc_4CA190:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+167j
					; ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+1C4j ...
		mov	eax, [ebp+var_14]
		inc	eax
		mov	[ebp+var_14], eax
		cmp	eax, 10h
		jb	loc_4CA057
		jmp	loc_4CA0D5
; 

loc_4CA1A5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+90j
		mov	eax, [ecx+4]
		mov	ecx, [ebp+arg_0]
		and	eax, 0FFFh
		cmp	[ecx+8], eax
		jnz	loc_4C9FF6
		mov	eax, [ecx]
		test	eax, eax
		jz	loc_4C9FF6
		lea	ecx, [eax+edx]
		lea	eax, [edi+edi]
		sub	eax, ecx
		cmp	eax, [ebp+var_28]
		ja	loc_4CA317
		lea	eax, [ecx+8]
		movzx	ecx, byte ptr [ecx+6]
		lea	edx, [eax+ecx*8]
		cmp	eax, edx
		jnb	short loc_4CA20A
		mov	esi, [ebp+var_8]

loc_4CA1E5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+2A5j
		mov	ecx, [eax+4]
		cmp	ecx, [edi]
		jz	loc_4CA308

loc_4CA1F0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+3B2j
		mov	ecx, [eax]
		mov	[ebx], ecx
		mov	ecx, [eax+4]
		mov	[ebx+4], ecx
		add	ebx, 8
		inc	byte ptr [edi+6]

loc_4CA200:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+3ACj
		add	eax, 8
		cmp	eax, edx
		jb	short loc_4CA1E5
		mov	esi, [ebp+var_10]

loc_4CA20A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+280j
		mov	bl, [edi+6]
		test	bl, bl
		jz	loc_4CA0E3

loc_4CA215:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+35Fj
					; ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FC30Aj
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+arg_0]
		mov	esi, [ebp+arg_0]
		movzx	eax, word ptr [ecx+6]
		mov	[edx], eax
		mov	edx, [ebp+arg_4]
		mov	eax, [edx+8]
		mov	[esi+4], eax
		mov	eax, [edx+4]
		mov	edx, esi
		mov	esi, [ebp+var_10]
		and	eax, 0FFFh
		mov	[edx+8], eax
		movzx	eax, bl
		inc	ax
		shl	ax, 3
		sub	ax, cx
		add	ax, di
		mov	[ecx+6], ax
		jmp	loc_4CA0E3
; 

loc_4CA255:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+7Dj
		mov	eax, 1000h
		jmp	loc_4C9FE3
; 

loc_4CA25F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+17Dj
		movzx	eax, cl
		neg	eax
		lea	ebx, [ebx+eax*8]
		cmp	cl, 1
		ja	short loc_4CA2C4

loc_4CA26C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+38Ej
		movzx	eax, cl
		lea	eax, [ebx+eax*8]
		mov	[ebp+var_24], eax
		cmp	ebx, eax
		jnb	loc_5C6267
		mov	edi, eax
		nop

loc_4CA280:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+357j
		mov	eax, [ebx]
		lea	edx, [ebx+4]
		xor	ecx, ecx
		mov	[ebp+var_14], eax
		mov	[ebx], ecx
		mov	[ebx+4], ecx
		test	edx, edx
		jz	short loc_4CA2A1
		mov	eax, [esi+1C4h]
		and	eax, [ebp+var_14]
		mov	[edx], eax
		mov	eax, [ebp+var_14]

loc_4CA2A1:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+331j
		mov	ecx, [esi+1C8h]
		shr	eax, cl
		mov	[ebx], eax
		add	ebx, 8
		mov	eax, [edx]
		shl	eax, 4
		mov	[edx], eax
		cmp	ebx, edi
		jb	short loc_4CA280
		mov	edi, [ebp+var_2C]
		mov	bl, [edi+6]
		jmp	loc_4CA215
; 

loc_4CA2C4:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+30Aj
		mov	eax, [ebp+var_8]
		mov	[ebp+var_30], esi
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_34]
		push	eax
		movzx	eax, byte ptr [edi+6]
		push	offset ?StDmCombineTargetCompare@?$ST_STORE@USM_TRAITS@@@@SAHPAXPBX1@Z ; ST_STORE<SM_TRAITS>::StDmCombineTargetCompare(void *,void const *,void	const *)
		push	8
		push	eax
		push	ebx
		call	_qsort_s
		mov	cl, [edi+6]
		add	esp, 14h
		mov	[ebp+var_9], cl
		jmp	loc_4CA26C
; 

loc_4CA2F3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+9Fj
		mov	edx, eax
		lea	ecx, [esi+48h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	ecx, [esi+68h]
		lea	eax, [esi+54h]
		jmp	loc_4CA005
; 

loc_4CA308:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+28Aj
		mov	ecx, [eax]
		cmp	ecx, [esi]
		jz	loc_4CA200
		jmp	loc_4CA1F0
; 

loc_4CA317:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+26Ej
		mov	ecx, 80000005h
		jmp	loc_4CA0E5
; 

loc_4CA321:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+112j
		lea	ecx, [esi+48h]
		test	ecx, ecx
		jz	loc_5C624A
		lea	eax, [ecx+8]

loc_4CA32F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FC2ECj
		mov	eax, [eax]
		lea	edi, [ecx+8]
		mov	[ebp+var_18], edi
		mov	edi, [ebp+var_2C]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C6251
		mov	eax, ecx
		neg	eax
		sbb	eax, eax
		and	eax, [ebp+var_18]
		mov	eax, [eax]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CA38F
		mov	eax, 0D1Eh

loc_4CA358:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+434j
		lea	ecx, [eax+8]
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], ecx
		jmp	loc_4CA078
; 

loc_4CA366:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+1F6j
		cmp	eax, 0FFFFFFFFh
		jz	loc_4CA190
		mov	eax, [eax+8]
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jnz	loc_4CA190
		mov	edx, [ebp+var_24]
		jmp	loc_4CA15C
; 

loc_4CA38F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+3F1j
		mov	eax, [edx+4]

loc_4CA392:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FC2FAj
		test	eax, eax
		jnz	short loc_4CA358
		xor	ecx, ecx
		jmp	loc_4CA078
; 

loc_4CA39D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+50j
					; ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+211j
		mov	ecx, 80000005h
		jmp	loc_4CA0E5
ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+D6p

var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C6317 SIZE 000000C9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, edx
		mov	edx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edx+0Ch]
		mov	[ebp+var_14], edi
		cmp	esi, 0FFFFFFFFh
		jz	short loc_4CA411
		test	esi, esi
		jz	short loc_4CA411
		mov	eax, [edx]
		lea	edx, [esi-1]
		lea	edx, [eax+edx*8]

loc_4CA3DB:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+6Cj
		mov	eax, [edx]
		neg	ecx
		mov	[ebx], eax
		mov	eax, [edx+4]
		sbb	ecx, ecx
		mov	[ebx+4], eax
		lea	eax, [edi+8]
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C6317

loc_4CA3F9:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FBF73j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FBF80j ...
		add	dword ptr [ebx+4], 0FFFFFFFCh
		lea	esp, [ebp-3Ch]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_4CA411:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+25j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+29j
		add	edx, 4
		jmp	short loc_4CA3DB
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmpSinglePageAdd	proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+7Ap
					; ST_STORE<SM_TRAITS>::StNpLeafPageOut(NP_CONTEXT::NP_CTX *,void *)+7Ap

var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C63E0 SIZE 0000034E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_40], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	[ebp+var_34], ecx
		mov	ecx, [edx]
		xor	ebx, ebx
		stosd
		xor	esi, esi
		mov	[ebp+var_38], edx
		and	ecx, 7
		mov	[ebp+var_3C], 0
		mov	[ebp+var_28], 0
		stosd
		mov	[ebp+var_20], 0
		stosd
		mov	edi, [ebp+var_34]
		movzx	edx, byte ptr [edi+1ACh]
		mov	eax, edx
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFF9h
		add	eax, 7
		cmp	eax, ecx
		jb	loc_5C63E0
		mov	edx, ecx

loc_4CA48D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FBFCAj
		lea	eax, [ebp+var_28]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		mov	eax, [ebp+var_40]
		mov	eax, [eax]
		push	eax
		call	?StDmpSinglePageFindSpace@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@KKPAPADPAK@Z ; ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char * *,ulong *)
		mov	[ebp+var_14], eax
		test	eax, eax
		js	loc_4CA70B
		mov	eax, [edi+1C0h]
		test	byte ptr [eax+10F5h], 4
		jz	loc_4CA586
		lea	esi, [eax+10F8h]
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_30], esi
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_4CA4DD
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_4CA4DD:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+B4j
		xor	edi, edi
		mov	[ebp+var_1C], edi
		test	esi, 7FFFFFFCh
		jz	loc_4CA577
		mov	ecx, large fs:124h
		mov	[ebp+var_18], ecx
		cmp	esi, dword_6D07D0
		jb	loc_4CA737
		mov	eax, esi
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jnz	loc_4CA86C

loc_4CA517:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+44Ej
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_18]

loc_4CA525:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+31Aj
		dec	word ptr [ecx+13Eh]
		mov	[ebp+var_24], eax
		nop
		inc	byte ptr [ecx+1E6h]
		nop
		mov	dl, [ecx+1E6h]
		mov	[ebp+var_29], dl
		mov	edx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jnz	loc_4CA73F
		mov	ecx, [ebp+var_18]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_4CA7A0
		push	0
		push	[ebp+var_24]
		push	esi
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4CA577:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+C8j
					; ST_STORE_SM_TRAITS___StDmpSinglePageAdd+3DCj	...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp+var_34]

loc_4CA586:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+9Aj
		mov	eax, [ebp+var_3C]
		mov	esi, 1
		mov	ecx, [edi+1D4h]
		add	ecx, eax
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_38]
		mov	[ebp+var_18], ecx
		mov	edx, [eax+4]
		mov	eax, [eax]
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], eax
		test	eax, eax
		jns	loc_5C63EF
		mov	eax, [ebp+var_4C]
		mov	eax, [eax+8]
		mov	edx, [eax+14h]

loc_4CA5BB:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FBFE8j
					; ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC028j
		mov	ecx, [ebp+var_28]
		mov	eax, [edi+1C4h]
		and	eax, ecx
		mov	[ebp+var_48], ecx
		mov	ecx, [edi+1CCh]
		sub	ecx, eax
		mov	[ebp+var_20], edx
		mov	[ebp+var_28], ecx
		mov	ecx, [ebp+var_18]
		cmp	[ebp+var_14], ebx
		jge	loc_5C644D
		push	edx		; size_t
		push	[ebp+var_1C]	; void *

loc_4CA5E7:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC0EFj
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_4CA5F0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC0E7j
		cmp	[edi+1A4h], ebx
		jz	loc_4CA855

loc_4CA5FC:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+441j
		mov	ecx, [edi+1C0h]
		xor	esi, esi
		mov	[ebp+var_44], esi
		call	?SmStAcquireStoreLockExclusive@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@@Z ; SMKM_STORE<SM_TRAITS>::SmStAcquireStoreLockExclusive(SMKM_STORE<SM_TRAITS> *)
		lea	ecx, [edi+6Ch]
		call	_SmHpChunkAlloc@4 ; SmHpChunkAlloc(x)
		mov	ebx, eax
		mov	[ebp+var_28], ebx
		test	ebx, ebx
		jz	loc_5C6514
		and	eax, 0FFFFF000h
		lea	ecx, [edi+6Ch]
		push	esi
		push	1
		mov	eax, [eax+8]
		bsr	edx, eax
		btc	eax, edx
		mov	edx, [ecx+edx*4]
		lea	eax, [eax+eax*2]
		lea	edx, [edx+eax*4]
		call	SmHpBufferProtectEx
		mov	eax, [edi+480h]
		mov	cl, 1
		mov	[ebp+var_30], eax
		call	KiQueryUnbiasedInterruptTime
		mov	ecx, eax
		mov	[ebp+var_40], edx
		mov	eax, [ebp+var_30]
		mov	edx, ecx
		add	edx, 11E1A300h
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+var_40]
		adc	ecx, esi
		mov	[eax+68h], edx
		mov	edx, [ebp+var_40]
		mov	[eax+6Ch], ecx
		mov	ecx, [ebp+var_24]
		mov	dword ptr [eax+60h], (offset loc_98967E+2)
		mov	[eax+64h], esi
		mov	[eax+70h], ecx
		mov	[eax+74h], edx
		test	byte ptr [eax+0D8h], 1
		jnz	short loc_4CA699
		push	edx
		push	ecx
		mov	ecx, eax
		call	ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule

loc_4CA699:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+26Ej
		mov	[ebx+4], esi
		mov	[ebx+8], esi
		mov	eax, [ebp+var_48]
		mov	[ebx], eax
		mov	ecx, [ebp+var_20]
		cmp	ecx, 1000h
		jnb	short loc_4CA6BF
		mov	eax, [ebx+4]
		xor	eax, ecx
		and	eax, 0FFFh
		xor	[ebx+4], eax
		mov	ecx, [ebp+var_20]

loc_4CA6BF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+28Dj
		mov	eax, [ebp+var_38]
		mov	edx, [ebp+var_18]
		cmp	[eax], esi
		jge	loc_5C651E
		mov	ecx, [ebp+var_4C]
		mov	ecx, [ecx+40h]

loc_4CA6D3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC24Aj
		mov	[ebx+8], ecx
		mov	ecx, [edi+234h]
		cmp	dword ptr [ecx+0Ch], 0
		jnz	loc_5C666F
		cmp	byte ptr [edi+1ACh], 0
		jnz	loc_5C66E2

loc_4CA6F3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC2D5j
		push	ebx
		mov	edx, eax
		mov	ecx, edi
		call	ST_STORE_SM_TRAITS___StDmpSinglePageInsert
		mov	[ebp+var_14], eax
		test	eax, eax
		js	short loc_4CA70B
		xor	ebx, ebx
		xor	eax, eax

loc_4CA708:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC0B4j
					; ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC0D5j ...
		mov	[ebp+var_14], eax

loc_4CA70B:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+87j
					; ST_STORE_SM_TRAITS___StDmpSinglePageAdd+2E2j	...
		test	esi, esi
		jnz	loc_5C66FA

loc_4CA713:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC2E8j
		cmp	esi, 2
		jnb	loc_5C670D

loc_4CA71C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC2F7j
		test	ebx, ebx
		jnz	loc_5C671C

loc_4CA724:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC309j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4CA737:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+DEj
					; ST_STORE_SM_TRAITS___StDmpSinglePageAdd+454j
		or	eax, 0FFFFFFFFh
		jmp	loc_4CA525
; 

loc_4CA73F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+12Fj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], ebx
		jge	short loc_4CA755
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_14]

loc_4CA755:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+32Bj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_1C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [ebp+var_18]
		mov	[ecx+10h], ebx
		sub	ecx, [eax+1E8h]
		mov	eax, 2AAAAAABh
		imul	ecx
		mov	al, 1
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		shl	al, cl
		cmp	[ebp+var_29], 1
		mov	ecx, [ebp+var_18]
		jnz	short loc_4CA818
		or	[ecx+1E4h], al

loc_4CA7A0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+140j
					; ST_STORE_SM_TRAITS___StDmpSinglePageAdd+404j
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	short loc_4CA7E5
		test	edi, 8000h
		jz	short loc_4CA7C5
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp+var_18]

loc_4CA7C5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+399j
		test	byte ptr [ebp+var_1C+2], 1
		jz	short loc_4CA7D5
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4CA7D5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+3A9j
		test	edi, 7FFFh
		jnz	short loc_4CA829
		mov	edi, [ebp+var_18]
		jmp	short loc_4CA83B
; 

loc_4CA7E2:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+425j
					; ST_STORE_SM_TRAITS___StDmpSinglePageAdd+433j
		mov	ecx, [ebp+var_18]

loc_4CA7E5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+391j
		nop
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		test	ax, ax
		jnz	loc_4CA577
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	loc_4CA577
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4CA577
; 

loc_4CA818:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+378j
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp+var_30]
		jmp	loc_4CA7A0
; 

loc_4CA829:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+3BBj
		and	edi, 7FFFh
		mov	edx, edi
		mov	edi, [ebp+var_18]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4CA83B:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+3C0j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_4CA7E2
		push	[ebp+var_30]
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_4CA7E2
; 

loc_4CA855:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+1D6j
		mov	ecx, edi
		call	?StDmpDummyPageRecordAllocate@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StDmpDummyPageRecordAllocate(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		mov	[ebp+var_14], eax
		test	eax, eax
		jns	loc_4CA5FC
		jmp	loc_4CA70B
; 

loc_4CA86C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+F1j
		cmp	al, 0Bh
		jz	loc_4CA517
		jmp	loc_4CA737
ST_STORE_SM_TRAITS___StDmpSinglePageAdd	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmpSinglePageFindSpace(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *,	unsigned long, unsigned	long, char * *,	unsigned long *)
?StDmpSinglePageFindSpace@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@KKPAPADPAK@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+7Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		imul	eax, esi, 0Ch
		lea	ebx, [edi+2B4h]
		add	ebx, eax
		mov	edx, [ebx]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_4CA8D0
		mov	eax, [ebx+4]
		add	eax, [ebp+arg_0]
		cmp	eax, [edi+1CCh]
		ja	short loc_4CA8D0

loc_4CA8A6:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char	* *,ulong *)+78j
					; ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char * *,ulong *)+AFj
		mov	esi, [ebx+4]
		mov	ecx, esi
		mov	eax, [ebp+arg_4]
		mov	edx, [ebx]
		shl	ecx, 4
		add	ecx, [ebx+8]
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	ecx, [edi+1C8h]
		shl	edx, cl
		or	edx, esi
		mov	[eax], edx
		xor	eax, eax

loc_4CA8C9:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char	* *,ulong *)+BAj
					; ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char * *,ulong *)+C7j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_4CA8D0:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char	* *,ulong *)+1Cj
					; ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char * *,ulong *)+2Aj
		cmp	byte ptr [edi+1ACh], 0
		jnz	short loc_4CA903
		cmp	edx, 0FFFFFFFFh
		jz	short loc_4CA8F4
		call	ST_STORE_SM_TRAITS___StDmCombineRegion
		test	eax, eax
		js	short loc_4CA8F4
		mov	edx, ebx
		mov	ecx, edi
		call	?StDmReuseCurrentRegion@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_CURRENT_REGION@1@@Z ; ST_STORE<SM_TRAITS>::StDmReuseCurrentRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_CURRENT_REGION *)
		test	eax, eax
		jns	short loc_4CA8A6

loc_4CA8F4:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char	* *,ulong *)+62j
					; ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char * *,ulong *)+6Bj
		push	0FFFFFFFFh
		mov	edx, esi
		mov	ecx, edi
		call	ST_STORE_SM_TRAITS___StDmCurrentRegionSet
		test	eax, eax
		js	short loc_4CA938

loc_4CA903:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char	* *,ulong *)+5Dj
					; ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char * *,ulong *)+BCj ...
		mov	edx, esi
		mov	ecx, edi
		call	ST_STORE_SM_TRAITS___StRegionFindCompact
		test	eax, eax
		jz	short loc_4CA93C
		sub	eax, [edi+240h]
		sar	eax, 1
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4CA93C
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	ST_STORE_SM_TRAITS___StDmCurrentRegionSet
		test	eax, eax
		jns	loc_4CA8A6
		cmp	eax, 0C000022Dh
		jnz	short loc_4CA8C9
		jmp	short loc_4CA903
; 

loc_4CA938:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char	* *,ulong *)+87j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	short loc_4CA903
; 

loc_4CA93C:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char	* *,ulong *)+94j
					; ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char * *,ulong *)+A1j
		mov	eax, 0C000007Fh
		jmp	short loc_4CA8C9
?StDmpSinglePageFindSpace@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@KKPAPADPAK@Z endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+276p
					; ST_STORE<SM_TRAITS>::StQueueCompaction(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_ST_COMPACTION_CHECK_RESULT)+34p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C672E SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	eax, 0FFDF03B0h
		mov	[ebp+var_18], edx
		push	edi
		mov	[ebp+var_4], ecx
		mov	esi, eax
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 0

loc_4CA976:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork+64j
					; ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork+69j
		mov	ecx, [eax]
		mov	edi, [eax+4]
		mov	eax, 0FFDF000Ch
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], 0
		mov	ebx, [eax]
		mov	eax, 0FFDF0008h
		mov	edx, [eax]
		mov	eax, 0FFDF0010h
		cmp	ebx, [eax]
		jnz	loc_5C672E

loc_4CA9A3:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork+FBE06j
		mov	eax, [esi]
		cmp	ecx, eax
		mov	esi, [esi+4]
		mov	eax, 0FFDF03B0h
		mov	[ebp+var_10], esi
		mov	esi, eax
		jnz	short loc_4CA976
		cmp	edi, [ebp+var_10]
		jnz	short loc_4CA976
		mov	eax, [ebp+var_18]
		sub	edx, ecx
		mov	esi, [ebp+var_4]
		sbb	ebx, edi
		mov	[ebp+var_8], edx
		lea	ecx, [eax+eax*2]
		mov	eax, [ebp+arg_4]
		cmp	eax, 0FFFFFFFFh
		jz	loc_5C675B
		mov	[esi+ecx*8+10h], edx
		mov	edx, 3E8h
		mul	edx
		mov	[esi+ecx*8+14h], ebx
		mov	esi, eax
		mov	edi, edx
		shld	edi, esi, 2
		shl	esi, 2
		add	eax, esi
		adc	edx, edi
		shld	edx, eax, 1
		add	eax, eax
		add	eax, [ebp+var_8]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_0]
		adc	edx, ebx
		mov	[ebp+var_10], edx
		mov	edx, 3E8h
		mul	edx
		mov	esi, eax
		mov	edi, edx
		shld	edi, esi, 2
		shl	esi, 2
		add	eax, esi
		mov	esi, [ebp+var_4]
		adc	edx, edi
		mov	edi, [ebp+var_10]
		shld	edx, eax, 1
		add	eax, eax
		mov	[ebp+arg_0], edx
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_18]

loc_4CAA34:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork+FBE1Fj
		mov	edx, [ebp+arg_4]
		mov	[esi+ecx*8], edx
		mov	edx, [ebp+arg_0]
		mov	[esi+ecx*8+4], edx
		mov	[esi+ecx*8+8], eax
		mov	[esi+ecx*8+0Ch], edi
		test	byte ptr [esi+0D8h], 1
		mov	edx, [ebp+var_8]
		jnz	short loc_4CAA5E
		push	ebx
		push	edx
		mov	ecx, esi
		call	ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule

loc_4CAA5E:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork+103j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StLazyWorkMgrResetIdle(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR	*)+57p
					; ST_STORE<SM_TRAITS>::StLazyWorkMgrRunExpiredWork(ST_STORE<SM_TRAITS>::_ST_LAZY_WORK_MGR *,unsigned __int64)+C0p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C6774 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_4]
		or	eax, ecx
		push	edi
		mov	[ebp+var_20], esi
		mov	[ebp+arg_4], ecx
		jz	loc_4CABDD

loc_4CAA94:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+17Aj
		lea	eax, [esi+0A8h]
		mov	[ebp+var_14], 0FFFFFFFFh
		or	edx, 0FFFFFFFFh
		or	edi, 0FFFFFFFFh
		or	ebx, 0FFFFFFFFh
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edi
		mov	ecx, esi
		cmp	esi, eax
		jnb	short loc_4CAADC

loc_4CAAB6:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+67j
		mov	esi, [ecx+8]
		mov	eax, esi
		mov	edx, [ecx+0Ch]
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4CAB65

loc_4CAAC9:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+15Bj
					; ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+168j ...
		mov	esi, [ebp+var_20]
		add	ecx, 18h
		lea	eax, [esi+0A8h]
		cmp	ecx, eax
		jb	short loc_4CAAB6
		mov	edx, [ebp+var_10]

loc_4CAADC:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+44j
		mov	ecx, [ebp+var_14]
		cmp	ecx, [ebp+arg_4]
		ja	short loc_4CAAF3
		jb	loc_5C6774
		cmp	edx, [ebp+var_4]
		jb	loc_5C6774

loc_4CAAF3:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+72j
					; ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+FBD0Aj
		cmp	ebx, [ebp+arg_4]
		ja	short loc_4CAB07
		jb	loc_5C677F
		cmp	edi, [ebp+var_4]
		jb	loc_5C677F

loc_4CAB07:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+86j
					; ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+FBD15j
		mov	[eax], edi
		mov	[eax+4], ebx
		mov	eax, edi
		and	eax, ebx
		cmp	eax, 0FFFFFFFFh
		jz	loc_4CABEF
		cmp	ebx, ecx
		ja	short loc_4CAB23
		jb	short loc_4CAB27
		cmp	edi, edx
		jb	short loc_4CAB27

loc_4CAB23:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+ABj
		mov	edi, edx
		mov	ebx, ecx

loc_4CAB27:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+ADj
					; ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+B1j
		sub	edi, [ebp+var_4]
		mov	eax, edi
		mov	[esi+0B0h], edi
		sbb	ebx, [ebp+arg_4]
		or	eax, ebx
		mov	[esi+0B4h], ebx
		jz	loc_4CAC08

loc_4CAB43:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+193j
		mov	eax, [esi-0FDCh]
		neg	edi
		adc	ebx, 0
		neg	ebx
		mov	[eax+1268h], edi
		pop	edi
		pop	esi
		mov	[eax+126Ch], ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4CAB65:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+53j
		mov	edi, [ebp+var_20]
		mov	eax, [ebp+var_4]
		sub	eax, [edi+0B8h]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_4]
		sbb	eax, [edi+0BCh]
		mov	edi, [ecx+10h]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+14h]
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+var_1C]
		jb	loc_4CAC19
		ja	short loc_4CABA3
		mov	eax, [ebp+var_18]
		cmp	edi, eax
		jnb	short loc_4CABA3

loc_4CAB9B:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+1ACj
		mov	edi, eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_8], eax

loc_4CABA3:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+122j
					; ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+129j
		add	edi, [ecx]
		mov	eax, [ecx+4]
		adc	[ebp+var_8], eax
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+var_14]
		ja	short loc_4CABC0
		jb	short loc_4CABBA
		cmp	edi, [ebp+var_10]
		jnb	short loc_4CABC0

loc_4CABBA:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+143j
		mov	[ebp+var_10], edi
		mov	[ebp+var_14], eax

loc_4CABC0:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+141j
					; ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+148j
		cmp	edx, ebx
		ja	short loc_4CAC21
		jb	short loc_4CABD1
		mov	edi, [ebp+var_C]
		cmp	esi, edi
		jnb	loc_4CAAC9

loc_4CABD1:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+154j
		mov	edi, esi
		mov	ebx, edx
		mov	[ebp+var_C], edi
		jmp	loc_4CAAC9
; 

loc_4CABDD:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+1Ej
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	[ebp+var_4], eax
		mov	[ebp+arg_4], edx
		jmp	loc_4CAA94
; 

loc_4CABEF:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+A3j
		mov	dword ptr [esi+0B0h], 0
		xor	edi, edi

loc_4CABFB:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+1A7j
		xor	ebx, ebx
		mov	[esi+0B4h], ebx
		jmp	loc_4CAB43
; 

loc_4CAC08:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+CDj
		mov	dword ptr [esi+0B0h], 1
		mov	edi, 1
		jmp	short loc_4CABFB
; 

loc_4CAC19:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+11Cj
		mov	eax, [ebp+var_18]
		jmp	loc_4CAB9B
; 

loc_4CAC21:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+152j
		mov	edi, [ebp+var_C]
		jmp	loc_4CAAC9
ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmHpBufferProtectEx proc near		; CODE XREF: SmHpChunkHeapProtect(x,x,x)+34p
					; ST_STORE_SM_TRAITS___StCompactRegions+253p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C678A SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_20], 0
		push	esi
		push	edi
		and	eax, 3
		mov	[ebp+var_4], ebx
		mov	edi, [ebx+8]
		mov	esi, 1
		mov	[ebp+var_1C], 0
		mov	[ebp+var_10], edi
		test	edi, edi
		jnz	short loc_4CAC76
		test	eax, eax
		jz	loc_4CADF0

loc_4CAC6B:				; CODE XREF: SmHpBufferProtectEx+48j
					; SmHpBufferProtectEx+19Dj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4CAC76:				; CODE XREF: SmHpBufferProtectEx+31j
		test	eax, eax
		jz	short loc_4CAC6B
		mov	eax, [ebx]
		mov	edx, 24234428h
		mov	[ebp+var_14], eax
		mov	ecx, eax
		add	eax, 1000h
		mov	esi, 85EBCA77h
		mov	[ebp+var_C], eax
		mov	ebx, 61C8864Fh
		add	eax, 0FFFFFFF0h
		xor	edi, edi
		mov	[ebp+var_8], eax

loc_4CACA0:				; CODE XREF: SmHpBufferProtectEx+C2j
		imul	eax, [ecx], 7A143589h
		sub	edx, eax
		imul	eax, [ecx+4], 7A143589h
		rol	edx, 0Dh
		imul	edx, 9E3779B1h
		sub	esi, eax
		imul	eax, [ecx+8], 7A143589h
		add	ecx, 0Ch
		rol	esi, 0Dh
		mov	[ebp+var_18], ecx
		imul	esi, 9E3779B1h
		sub	edi, eax
		imul	eax, [ecx], 7A143589h
		rol	edi, 0Dh
		add	ecx, 4
		imul	edi, 9E3779B1h
		sub	ebx, eax
		rol	ebx, 0Dh
		imul	ebx, 9E3779B1h
		cmp	ecx, [ebp+var_8]
		jbe	short loc_4CACA0
		rol	ebx, 12h
		rol	edx, 1
		rol	edi, 0Ch
		add	ebx, edi
		rol	esi, 7
		add	ebx, esi
		mov	esi, 1
		lea	eax, [edx+1000h]
		mov	edx, [ebp+arg_0]
		add	eax, ebx
		mov	ebx, [ebp+var_4]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_18]
		add	eax, 8
		mov	[ebp+var_18], eax
		cmp	eax, [ebp+var_C]
		ja	short loc_4CAD53
		mov	edx, [ebp+var_8]
		mov	ebx, eax
		mov	edi, [ebp+var_C]
		nop

loc_4CAD30:				; CODE XREF: SmHpBufferProtectEx+118j
		imul	eax, [ecx], 3D4D51C3h
		mov	ecx, ebx
		lea	ebx, [ecx+4]
		sub	edx, eax
		rol	edx, 11h
		imul	edx, 27D4EB2Fh
		cmp	ebx, edi
		jbe	short loc_4CAD30
		mov	ebx, [ebp+var_4]
		mov	[ebp+var_8], edx
		mov	edx, [ebp+arg_0]

loc_4CAD53:				; CODE XREF: SmHpBufferProtectEx+F5j
		mov	eax, [ebp+var_C]
		sub	eax, ecx
		cmp	[ebp+var_C], ecx
		sbb	edi, edi
		not	edi
		and	edi, eax
		mov	[ebp+var_18], edi
		mov	edi, [ebp+var_10]
		jbe	short loc_4CAD99
		mov	ebx, [ebp+var_8]
		xor	edi, edi
		mov	edx, [ebp+var_18]

loc_4CAD71:				; CODE XREF: SmHpBufferProtectEx+15Bj
		movzx	eax, byte ptr [ecx]
		lea	ecx, [ecx+1]
		imul	eax, 165667B1h
		inc	edi
		add	eax, ebx
		rol	eax, 0Bh
		imul	ebx, eax, 9E3779B1h
		cmp	edi, edx
		jb	short loc_4CAD71
		mov	edx, [ebp+arg_0]
		mov	edi, [ebp+var_10]
		mov	[ebp+var_8], ebx
		mov	ebx, [ebp+var_4]

loc_4CAD99:				; CODE XREF: SmHpBufferProtectEx+137j
		mov	eax, [ebp+var_8]
		shr	eax, 0Fh
		xor	eax, [ebp+var_8]
		imul	ecx, eax, 85EBCA77h
		mov	eax, ecx
		shr	eax, 0Dh
		xor	eax, ecx
		imul	eax, 0C2B2AE3Dh
		mov	ecx, eax
		shr	ecx, 10h
		xor	ecx, eax
		jz	loc_4CAF3E

loc_4CADC2:				; CODE XREF: SmHpBufferProtectEx+310j
		cmp	ecx, edi
		jnz	loc_5C6792
		test	dl, 1
		jz	loc_4CAC6B
		mov	ecx, [ebp+var_14]
		mov	edx, ecx
		push	4
		push	1000h
		call	ExProtectPoolEx
		mov	dword ptr [ebx+8], 0
		jmp	loc_4CAC6B
; 

loc_4CADF0:				; CODE XREF: SmHpBufferProtectEx+35j
		mov	ecx, [ebx]
		mov	edx, ecx
		push	2
		push	1000h
		call	ExProtectPoolEx
		mov	ecx, [ebx]
		mov	edi, 24234428h
		mov	esi, 85EBCA77h
		mov	edx, 61C8864Fh
		lea	eax, [ecx+1000h]
		mov	[ebp+arg_0], eax
		add	eax, 0FFFFFFF0h
		mov	[ebp+arg_4], eax
		xor	ebx, ebx
		jmp	short loc_4CAE30
; 
		lea	esp, [esp+0]
		jmp	short loc_4CAE30
; 
		align 10h

loc_4CAE30:				; CODE XREF: SmHpBufferProtectEx+1F2j
					; SmHpBufferProtectEx+1FBj ...
		imul	eax, [ecx], 7A143589h
		sub	edi, eax
		imul	eax, [ecx+4], 7A143589h
		rol	edi, 0Dh
		imul	edi, 9E3779B1h
		sub	esi, eax
		imul	eax, [ecx+8], 7A143589h
		add	ecx, 0Ch
		rol	esi, 0Dh
		mov	[ebp+var_14], ecx
		imul	esi, 9E3779B1h
		sub	ebx, eax
		imul	eax, [ecx], 7A143589h
		rol	ebx, 0Dh
		add	ecx, 4
		imul	ebx, 9E3779B1h
		sub	edx, eax
		rol	edx, 0Dh
		imul	edx, 9E3779B1h
		cmp	ecx, [ebp+arg_4]
		jbe	short loc_4CAE30
		rol	edx, 12h
		rol	ebx, 0Ch
		rol	edi, 1
		add	edx, ebx
		rol	esi, 7
		add	edi, 1000h
		add	edx, esi
		mov	esi, 1
		add	edx, edi
		mov	edi, [ebp+var_14]
		add	edi, 8
		cmp	edi, [ebp+arg_0]
		ja	short loc_4CAECA
		mov	ebx, [ebp+arg_0]
		mov	edi, edi

loc_4CAEB0:				; CODE XREF: SmHpBufferProtectEx+298j
		imul	eax, [ecx], 3D4D51C3h
		mov	ecx, edi
		lea	edi, [ecx+4]
		sub	edx, eax
		rol	edx, 11h
		imul	edx, 27D4EB2Fh
		cmp	edi, ebx
		jbe	short loc_4CAEB0

loc_4CAECA:				; CODE XREF: SmHpBufferProtectEx+279j
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		sub	eax, ecx
		cmp	[ebp+arg_0], ecx
		sbb	ebx, ebx
		not	ebx
		and	ebx, eax
		mov	[ebp+arg_0], ebx
		mov	ebx, [ebp+var_4]
		jbe	short loc_4CAF0F
		mov	ebx, [ebp+arg_0]
		jmp	short loc_4CAEF0
; 
		align 10h

loc_4CAEF0:				; CODE XREF: SmHpBufferProtectEx+2B5j
					; SmHpBufferProtectEx+2DAj
		movzx	eax, byte ptr [ecx]
		lea	ecx, [ecx+1]
		imul	eax, 165667B1h
		inc	edi
		add	eax, edx
		rol	eax, 0Bh
		imul	edx, eax, 9E3779B1h
		cmp	edi, ebx
		jb	short loc_4CAEF0
		mov	ebx, [ebp+var_4]

loc_4CAF0F:				; CODE XREF: SmHpBufferProtectEx+2B0j
		mov	eax, edx
		shr	eax, 0Fh
		xor	eax, edx
		imul	ecx, eax, 85EBCA77h
		mov	eax, ecx
		shr	eax, 0Dh
		xor	eax, ecx
		imul	eax, 0C2B2AE3Dh
		mov	ecx, eax
		shr	ecx, 10h
		xor	ecx, eax
		mov	[ebx+8], ecx
		jnz	loc_4CAC6B
		jmp	loc_5C678A
; 

loc_4CAF3E:				; CODE XREF: SmHpBufferProtectEx+18Cj
		mov	ecx, esi
		jmp	loc_4CADC2
SmHpBufferProtectEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmpSinglePageInsert proc	near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+2D8p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C67D9 SIZE 000000C6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], edx
		push	edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], 0
		mov	ecx, [esi+20h]
		test	ecx, 1
		jnz	loc_5C67C4

loc_4CAF7C:				; CODE XREF: SmHpBufferProtectEx+FBBA4j
		and	ecx, 0FFFFFFFEh
		lea	edi, [esi+24h]
		mov	[esi+20h], ecx
		mov	ecx, [esi+44h]
		mov	[ebp+var_18], edi
		test	ecx, 1
		jnz	loc_4CB135
		mov	[ebp+var_18], edi

loc_4CAF9A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+1F5j
		and	ecx, 0FFFFFFFEh
		mov	[esi+44h], ecx
		mov	ecx, [esi+68h]
		test	ecx, 1
		jnz	loc_4CB11F

loc_4CAFAF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+1E0j
		and	ecx, 0FFFFFFFEh
		mov	[ebp+var_1C], 0
		mov	[esi+68h], ecx
		mov	ebx, eax
		mov	ecx, [esi+104h]
		and	ebx, 0FFFFF000h
		add	ecx, ebx
		mov	[ebp+var_20], 0
		sub	eax, ecx
		xor	edx, edx
		div	dword ptr [esi+0FCh]
		mov	edx, [ebx+8]
		lea	ebx, [esi+0Ch]
		mov	ecx, [esi+0F4h]
		shl	edx, cl
		mov	ecx, esi
		add	edx, eax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_10], edx
		mov	[ebp+var_1C], edx
		mov	edx, ebx
		mov	eax, [eax+8]
		push	eax
		mov	[ebp+var_20], eax
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		lea	eax, [ebp+var_20]
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx
		mov	edi, eax
		test	edi, edi
		js	loc_5C683E
		cmp	byte ptr [esi+1ACh], 0
		mov	ebx, [ebp+var_C]
		mov	[ebp+var_8], 1
		jnz	short loc_4CB04F
		mov	eax, [ebx+4]
		add	eax, 1000h
		mov	[ebx+4], eax
		shr	eax, 0Ch
		cmp	eax, 1
		ja	loc_4CB10D
		test	eax, eax
		jz	loc_5C67D9

loc_4CB04F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+DEj
					; ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB88Bj
		mov	edx, [ebp+var_10]
		lea	eax, [esi+30h]
		lea	ecx, [esi+24h]
		mov	[ebp+var_C], edx
		push	eax
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		mov	edi, eax
		cmp	edi, 0C0000225h
		jnz	loc_5C67E0
		lea	eax, [ebp+var_C]
		push	eax
		lea	edx, [esi+30h]
		lea	ecx, [esi+24h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx
		mov	edi, eax

loc_4CB080:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB899j
		test	edi, edi
		js	loc_5C683B
		cmp	byte ptr [esi+1ACh], 0
		mov	[ebp+var_8], 3
		jnz	short loc_4CB0D3
		mov	eax, [ebp+var_10]
		lea	ecx, [esi+54h]
		push	ecx
		mov	edx, eax
		mov	[ebp+var_10], eax
		lea	ecx, [esi+48h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey
		mov	edi, eax
		cmp	edi, 0C0000225h
		jnz	loc_5C67EE
		lea	eax, [ebp+var_10]
		push	eax
		lea	edx, [esi+54h]
		lea	ecx, [esi+48h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx
		mov	edi, eax

loc_4CB0CB:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB8A7j
		test	edi, edi
		js	loc_5C683B

loc_4CB0D3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+146j
		mov	edx, [ebx]
		mov	ecx, [esi+1C8h]
		shr	edx, cl
		mov	ecx, [ebx+4]
		and	ecx, 0FFFh
		jbe	short loc_4CB118

loc_4CB0E8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+1CDj
		mov	eax, [esi+1D4h]
		add	eax, 0Fh
		add	eax, ecx
		mov	ecx, esi
		shr	eax, 4
		push	0
		push	eax
		call	ST_STORE_SM_TRAITS___StDmpUpdateRegionState
		test	byte ptr ds:dword_718654, 10h
		jnz	loc_5C67FC

loc_4CB10D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+F1j
					; ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB8E6j
		xor	eax, eax

loc_4CB10F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB94Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4CB118:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+196j
		mov	ecx, 1000h
		jmp	short loc_4CB0E8
; 

loc_4CB11F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+59j
		lea	ecx, [esi+48h]
		lea	edx, [esi+54h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	ecx, [esi+68h]
		mov	eax, [ebp+var_C]
		jmp	loc_4CAFAF
; 

loc_4CB135:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+41j
		lea	edx, [esi+30h]
		mov	ecx, edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	ecx, [esi+44h]
		mov	eax, [ebp+var_C]
		jmp	loc_4CAF9A
ST_STORE_SM_TRAITS___StDmpSinglePageInsert endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx proc	near
					; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsert+26p
					; ST_STORE_SM_TRAITS___StDmpSinglePageInsert+129p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C689F SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ecx]
		mov	[ebp+var_8], ecx
		push	ebx
		mov	ebx, edx
		push	esi
		test	eax, eax
		jz	loc_4CB3B1
		movzx	eax, byte ptr [eax+2]

loc_4CB16D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+263j
		lea	edx, [ebx+10h]
		mov	esi, [ebx+0Ch]
		cmp	[edx], eax
		jbe	loc_4CB3B8

loc_4CB17B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+27Dj
		test	esi, esi
		jz	loc_4CB3D2
		mov	eax, [ebx]
		lea	edx, [esi-1]
		lea	edx, [eax+edx*8]

loc_4CB18B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+2A6j
		mov	esi, [edx]
		push	edi
		mov	[ebp+var_14], edx
		mov	al, [esi+3]
		movzx	edi, al
		neg	edi
		mov	[ebp+var_1], al
		mov	eax, [esi]
		sbb	edi, edi
		mov	[ebp+var_10], eax
		shr	[ebp+var_10], 18h
		and	edi, 1FFh
		mov	[ebp+var_24], eax
		add	edi, 1FFh
		movzx	eax, ax
		cmp	eax, edi
		jnb	short loc_4CB204
		mov	eax, [ebp+var_24]

loc_4CB1C0:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+FB793j
		mov	ebx, [ebp+var_8]

loc_4CB1C3:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+18Aj
		cmp	byte ptr [ebp+var_10], 0
		mov	edi, [edx+4]
		movzx	eax, ax
		jz	loc_4CB31A
		lea	eax, ds:8[eax*4]
		sub	eax, edi
		add	eax, esi
		push	eax		; size_t
		lea	eax, [edi+4]
		push	edi		; void *
		push	eax		; void *
		call	_memmove
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [eax]
		mov	[edi], eax
		inc	dword ptr [ebx+4]

loc_4CB1F6:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+1F0j
		inc	word ptr [esi]
		xor	eax, eax

loc_4CB1FB:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+FB777j
		pop	edi

loc_4CB1FC:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+2E2j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4CB204:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+6Bj
		mov	eax, [edx+4]
		sub	eax, esi
		sub	eax, 8
		cmp	[ebp+var_1], 0
		jz	loc_5C689F
		sar	eax, 2

loc_4CB219:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+FB752j
		mov	[ebp+var_1C], eax
		cmp	esi, [ecx]
		jz	loc_4CB3FB
		mov	edx, ebx
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute
		mov	edx, [ebp+var_14]
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		not	ecx
		and	ecx, 1
		shl	ecx, 4
		mov	eax, [edx-4]
		mov	[ebp+var_18], eax
		mov	edx, [ebp+var_18]
		mov	eax, [esi]
		add	edx, 0FFFFFFF8h
		add	ecx, edx
		mov	edx, [ebp+var_14]
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+var_8]

loc_4CB254:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+2C3j
		mov	[ebp+var_10], eax
		shr	[ebp+var_10], 18h
		movzx	eax, ax
		cmp	eax, edi
		jnb	loc_4CB2FC
		mov	ebx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		test	bl, 1
		jz	short loc_4CB2DF
		sub	eax, edi
		and	ebx, 0FFFFFFFEh
		add	ecx, eax
		cmp	byte ptr [ebp+var_10], 0
		jz	loc_5C68A7
		test	ecx, ecx
		jle	loc_4CB418

loc_4CB28A:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+FB759j
		cmp	esi, ebx
		jz	loc_4CB41F

loc_4CB292:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+191j
		mov	ebx, [ebp+var_C]

loc_4CB295:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+1AAj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+247j ...
		mov	[edx], esi
		cmp	byte ptr [esi+3], 0
		jz	loc_5C68D2
		add	ecx, 2
		lea	edi, [ebx-4]
		lea	eax, [esi+ecx*4]
		mov	[edx+4], eax
		mov	ecx, [edx-8]
		lea	eax, [ecx+8]
		cmp	ebx, eax
		ja	short loc_4CB2BA
		lea	edi, [ecx+4]

loc_4CB2BA:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+165j
		mov	ebx, [ebp+var_8]
		mov	eax, [ebx+8]
		lea	ecx, [ebx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CB2D2
		mov	edx, edi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	edx, [ebp+var_14]

loc_4CB2D2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+176j
		mov	al, [esi+3]
		mov	[ebp+var_10], eax
		mov	eax, [esi]
		jmp	loc_4CB1C3
; 

loc_4CB2DF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+11Fj
		cmp	ecx, eax
		jle	short loc_4CB292
		sub	ecx, eax
		cmp	byte ptr [ebp+var_10], 0
		jz	loc_5C68BC

loc_4CB2EF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+FB76Dj
		mov	esi, ebx
		mov	ebx, [ebp+var_C]
		mov	[edx-4], ebx
		mov	ebx, [ebp+var_18]
		jmp	short loc_4CB295
; 

loc_4CB2FC:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+110j
		cmp	[ebp+var_20], 0
		jz	short loc_4CB350
		cmp	byte ptr [ebp+var_10], 0
		jz	short loc_4CB350
		mov	edi, [edx-8]
		mov	edx, [ebp+var_C]
		lea	eax, [edi+8]
		cmp	edx, eax
		ja	short loc_4CB345
		lea	edx, [edi+4]
		jmp	short loc_4CB348
; 

loc_4CB31A:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+7Dj
		lea	eax, ds:8[eax*8]
		sub	eax, edi
		add	eax, esi
		push	eax		; size_t
		lea	eax, [edi+8]
		push	edi		; void *
		push	eax		; void *
		call	_memmove
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		jmp	loc_4CB1F6
; 

loc_4CB345:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+1C3j
		add	edx, 0FFFFFFFCh

loc_4CB348:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+1C8j
		mov	eax, [ecx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_4CB39C

loc_4CB350:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+1B0j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+1B6j ...
		mov	edx, ebx
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild
		mov	edi, eax
		test	edi, edi
		jz	loc_5C68C2
		mov	ecx, [ebx+0Ch]
		mov	eax, [ebx]
		dec	ecx
		mov	ebx, [eax+ecx*8-4]
		lea	edx, [eax+ecx*8]
		mov	eax, [esi]
		movzx	ecx, ax
		mov	[ebp+var_20], ecx
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_14], edx
		cmp	ecx, [ebp+var_20]
		jle	short loc_4CB3A9
		sub	ecx, [ebp+var_20]
		shr	eax, 18h
		test	al, al
		jz	loc_5C68CC

loc_4CB38F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+FB77Dj
		lea	eax, [ebx+8]
		mov	esi, edi
		mov	[edx-4], eax
		jmp	loc_4CB295
; 

loc_4CB39C:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+1FEj
		lea	ecx, [ecx+8]
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	ecx, [ebp+var_8]
		jmp	short loc_4CB350
; 

loc_4CB3A9:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+22Fj
		add	ebx, 8
		jmp	loc_4CB295
; 

loc_4CB3B1:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+13j
		xor	eax, eax
		jmp	loc_4CB16D
; 

loc_4CB3B8:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+25j
		push	ebx
		push	edx
		mov	edx, 8
		mov	ecx, eax
		call	SmArrayGrow
		test	eax, eax
		jz	short loc_4CB42D
		mov	ecx, [ebp+var_8]
		jmp	loc_4CB17B
; 

loc_4CB3D2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+2Dj
		push	1
		mov	edx, 1
		call	?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@KK@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)
		mov	ecx, [ebp+var_8]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_4CB42D
		mov	edx, [ebx]
		mov	[edx], eax
		mov	eax, [ecx]
		add	eax, 8
		mov	[edx+4], eax
		inc	dword ptr [ebx+0Ch]
		jmp	loc_4CB18B
; 

loc_4CB3FB:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+CEj
		mov	eax, [ebp+var_24]
		mov	[ebp+var_C], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_18], 0
		jmp	loc_4CB254
; 

loc_4CB418:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+134j
		movzx	eax, word ptr [ebx]
		mov	esi, ebx
		add	ecx, eax

loc_4CB41F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+13Cj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+FB767j
		mov	ebx, [ebp+var_C]
		mov	[edx-4], ebx
		mov	ebx, [ebp+var_18]
		jmp	loc_4CB295
; 

loc_4CB42D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+278j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+295j
		mov	eax, 0C000009Ah
		jmp	loc_4CB1FC
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey proc near
					; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultIterStart(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT	*,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::_BTREE_ITERATOR_DISPOSITION)+10p
					; ST_STORE_SM_TRAITS___StDmCombineBufferProcess+167p ...

var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C68E8 SIZE 00000181 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	[ebp+var_20], edx
		mov	[ebp+var_8], ecx
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	loc_5C68E8
		lea	eax, [ecx+8]

loc_4CB466:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB4AAj
		mov	eax, [eax]
		mov	ebx, [ebp+arg_0]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C68EF
		mov	eax, [ebx+0Ch]
		cmp	eax, 0FFFFFFFFh
		jz	loc_4CB614

loc_4CB480:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB573j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB5A2j ...
		xor	eax, eax
		mov	[ebx+0Ch], eax

loc_4CB485:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+1DBj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB56Bj
		cmp	eax, 0FFFFFFFFh
		jz	loc_4CB620
		mov	eax, [ecx]
		mov	edi, 1
		mov	[ebp+var_C], edi
		test	eax, eax
		jz	loc_4CB631
		movzx	esi, byte ptr [eax+2]

loc_4CB4A4:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+1F3j
		cmp	[ebx+10h], esi
		lea	eax, [ebx+10h]
		jb	loc_5C69F7

loc_4CB4B0:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB5D6j
		mov	eax, [ebx]

loc_4CB4B2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+1E8j
		mov	edx, [ecx]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], edx
		test	edx, edx
		jz	loc_4CB5F1

loc_4CB4C2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+1ACj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB61Aj
		mov	eax, [edx]
		lea	edi, [edx+8]
		movzx	esi, ax
		or	ebx, 0FFFFFFFFh
		shr	eax, 18h
		mov	[ebp+var_24], edi
		test	al, al
		jz	loc_4CB56F
		test	esi, esi
		jz	short loc_4CB512
		mov	eax, [ebp+var_20]
		mov	[ebp+var_10], eax

loc_4CB4E5:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+CDj
		mov	eax, [ebp+var_24]
		lea	edi, [esi+ebx]
		shr	edi, 1
		lea	edx, [ebp+var_14]
		mov	eax, [eax+edi*4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_10]
		push	eax
		call	?Compare@ST_REGION_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z ; ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR::Compare(void *,ulong const	&,ulong	const &)
		test	eax, eax
		jns	short loc_4CB56B
		mov	ebx, edi

loc_4CB505:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+12Dj
		mov	ecx, [ebp+var_8]
		lea	eax, [ebx+1]
		cmp	eax, esi
		jnz	short loc_4CB4E5

loc_4CB50F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+16Aj
		mov	edx, [ebp+var_18]

loc_4CB512:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+9Dj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+131j
		cmp	byte ptr [edx+3], 0
		jz	loc_4CB5B3
		cmp	[ebp+var_C], 0
		lea	edi, [esi+2]
		mov	eax, [ebp+var_1C]
		lea	edi, [edx+edi*4]
		mov	[eax], edx
		mov	[eax+4], edi
		jz	short loc_4CB53C
		mov	ebx, [ebp+arg_0]
		sub	eax, [ebx]
		sar	eax, 3
		inc	eax
		mov	[ebx+0Ch], eax

loc_4CB53C:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+EEj
		movzx	eax, word ptr [edx]
		cmp	esi, eax
		jnb	loc_4CB5F9
		mov	eax, [ebp+var_20]
		lea	edx, [ebp+var_10]
		mov	[ebp+var_14], eax
		mov	eax, [edi]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_14]
		push	eax
		call	?Compare@ST_REGION_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z ; ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR::Compare(void *,ulong const	&,ulong	const &)
		test	eax, eax
		jnz	loc_4CB5F9
		jmp	loc_4CB5FE
; 

loc_4CB56B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+C1j
		mov	esi, edi
		jmp	short loc_4CB505
; 

loc_4CB56F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+95j
		test	esi, esi
		jz	short loc_4CB512
		mov	eax, [ebp+var_20]
		mov	[ebp+var_14], eax
		lea	esp, [esp+0]

loc_4CB580:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+168j
		mov	eax, [ebp+var_24]
		lea	edi, [esi+ebx]
		shr	edi, 1
		lea	edx, [ebp+var_10]
		mov	eax, [eax+edi*8]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_14]
		push	eax
		call	?Compare@ST_REGION_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z ; ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR::Compare(void *,ulong const	&,ulong	const &)
		test	eax, eax
		jg	short loc_4CB5AF
		mov	ebx, edi

loc_4CB5A0:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+171j
		mov	ecx, [ebp+var_8]
		lea	eax, [ebx+1]
		cmp	eax, esi
		jnz	short loc_4CB580
		jmp	loc_4CB50F
; 

loc_4CB5AF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+15Cj
		mov	esi, edi
		jmp	short loc_4CB5A0
; 

loc_4CB5B3:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+D6j
		cmp	[ebp+var_C], 0
		lea	edi, ds:0[esi*8]
		jz	short loc_4CB5D3
		mov	ebx, [ebp+var_1C]
		lea	eax, [edx+8]
		add	eax, edi
		mov	[ebx], edx
		mov	[ebx+4], eax
		add	ebx, 8
		mov	[ebp+var_1C], ebx

loc_4CB5D3:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+17Ej
		test	esi, esi
		jz	short loc_4CB62D
		lea	esi, [edi+edx]

loc_4CB5DA:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+1EFj
		mov	eax, [ecx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C6A2D

loc_4CB5E6:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB5F1j
		mov	edx, [esi+4]
		mov	[ebp+var_18], edx
		jmp	loc_4CB4C2
; 

loc_4CB5F1:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+7Cj
		test	edi, edi
		jz	loc_5C6A1B

loc_4CB5F9:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+101j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+120j ...
		mov	eax, 0C0000225h

loc_4CB5FE:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+126j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB5CEj ...
		lea	esp, [ebp-48h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4CB614:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+3Aj
		mov	dword ptr [ebx+4], 0
		jmp	loc_4CB485
; 

loc_4CB620:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+48j
		xor	edi, edi
		lea	eax, [ebx+4]
		mov	[ebp+var_C], edi
		jmp	loc_4CB4B2
; 

loc_4CB62D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+195j
		mov	esi, edx
		jmp	short loc_4CB5DA
; 

loc_4CB631:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+5Aj
		xor	esi, esi
		jmp	loc_4CB4A4
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+174p
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+D2p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C6A69 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ecx]
		mov	[ebp+var_8], ecx
		push	ebx
		mov	ebx, edx
		push	esi
		test	eax, eax
		jz	loc_4CB8A6
		movzx	eax, byte ptr [eax+2]

loc_4CB65D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+268j
		lea	edx, [ebx+10h]
		mov	esi, [ebx+0Ch]
		cmp	[edx], eax
		jbe	loc_4CB8AD

loc_4CB66B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+282j
		test	esi, esi
		jz	loc_4CB8C7
		mov	eax, [ebx]
		lea	edx, [esi-1]
		lea	edx, [eax+edx*8]

loc_4CB67B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+2ABj
		mov	esi, [edx]
		push	edi
		mov	[ebp+var_14], edx
		mov	al, [esi+3]
		movzx	edi, al
		neg	edi
		mov	[ebp+var_1], al
		mov	eax, [esi]
		sbb	edi, edi
		mov	[ebp+var_10], eax
		shr	[ebp+var_10], 18h
		and	edi, 1FFh
		mov	[ebp+var_24], eax
		add	edi, 1FFh
		movzx	eax, ax
		cmp	eax, edi
		jnb	short loc_4CB6F4
		mov	eax, [ebp+var_24]

loc_4CB6B0:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+FB46Dj
		mov	ebx, [ebp+var_8]

loc_4CB6B3:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+171j
		cmp	byte ptr [ebp+var_10], 0
		mov	edi, [edx+4]
		movzx	eax, ax
		jz	loc_4CB7D4
		lea	eax, ds:8[eax*4]
		sub	eax, edi
		add	eax, esi
		push	eax		; size_t
		lea	eax, [edi+4]
		push	edi		; void *
		push	eax		; void *
		call	_memmove
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [eax]
		mov	[edi], eax
		inc	dword ptr [ebx+4]

loc_4CB6E6:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+1BAj
		inc	word ptr [esi]
		xor	eax, eax

loc_4CB6EB:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+FB451j
		pop	edi

loc_4CB6EC:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+2E7j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4CB6F4:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+6Bj
		mov	eax, [edx+4]
		sub	eax, esi
		sub	eax, 8
		cmp	[ebp+var_1], 0
		jz	loc_5C6A69
		sar	eax, 2

loc_4CB709:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+FB42Cj
		mov	[ebp+var_1C], eax
		cmp	esi, [ecx]
		jz	loc_4CB8F0
		mov	edx, ebx
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute
		mov	edx, [ebp+var_14]
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		not	ecx
		and	ecx, 1
		shl	ecx, 4
		mov	eax, [edx-4]
		mov	[ebp+var_18], eax
		mov	edx, [ebp+var_18]
		mov	eax, [esi]
		add	edx, 0FFFFFFF8h
		add	ecx, edx
		mov	edx, [ebp+var_14]
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+var_8]

loc_4CB744:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+2C8j
		mov	[ebp+var_10], eax
		shr	[ebp+var_10], 18h
		movzx	eax, ax
		cmp	eax, edi
		jnb	short loc_4CB7B6
		mov	ebx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		test	bl, 1
		jnz	loc_4CB887
		cmp	ecx, eax
		jg	loc_4CB86B

loc_4CB769:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+25Ej
		mov	ebx, [ebp+var_C]

loc_4CB76C:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+211j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+226j ...
		mov	[edx], esi
		cmp	byte ptr [esi+3], 0
		jz	loc_5C6A9C
		add	ecx, 2
		lea	edi, [ebx-4]
		lea	eax, [esi+ecx*4]
		mov	[edx+4], eax
		mov	ecx, [edx-8]
		lea	eax, [ecx+8]
		cmp	ebx, eax
		ja	short loc_4CB791
		lea	edi, [ecx+4]

loc_4CB791:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+14Cj
		mov	ebx, [ebp+var_8]
		mov	eax, [ebx+8]
		lea	ecx, [ebx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CB7A9
		mov	edx, edi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	edx, [ebp+var_14]

loc_4CB7A9:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+15Dj
		mov	al, [esi+3]
		mov	[ebp+var_10], eax
		mov	eax, [esi]
		jmp	loc_4CB6B3
; 

loc_4CB7B6:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+110j
		cmp	[ebp+var_20], 0
		jz	short loc_4CB80A
		cmp	byte ptr [ebp+var_10], 0
		jz	short loc_4CB80A
		mov	edi, [edx-8]
		mov	edx, [ebp+var_C]
		lea	eax, [edi+8]
		cmp	edx, eax
		ja	short loc_4CB7FF
		lea	edx, [edi+4]
		jmp	short loc_4CB802
; 

loc_4CB7D4:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+7Dj
		lea	eax, ds:8[eax*8]
		sub	eax, edi
		add	eax, esi
		push	eax		; size_t
		lea	eax, [edi+8]
		push	edi		; void *
		push	eax		; void *
		call	_memmove
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		jmp	loc_4CB6E6
; 

loc_4CB7FF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+18Dj
		add	edx, 0FFFFFFFCh

loc_4CB802:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+192j
		mov	eax, [ecx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_4CB856

loc_4CB80A:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+17Aj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+180j ...
		mov	edx, ebx
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild
		mov	edi, eax
		test	edi, edi
		jz	loc_5C6A8C
		mov	ecx, [ebx+0Ch]
		mov	eax, [ebx]
		dec	ecx
		mov	ebx, [eax+ecx*8-4]
		lea	edx, [eax+ecx*8]
		mov	eax, [esi]
		movzx	ecx, ax
		mov	[ebp+var_20], ecx
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_14], edx
		cmp	ecx, [ebp+var_20]
		jle	short loc_4CB863
		sub	ecx, [ebp+var_20]
		shr	eax, 18h
		test	al, al
		jz	loc_5C6A96

loc_4CB849:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+FB457j
		lea	eax, [ebx+8]
		mov	esi, edi
		mov	[edx-4], eax
		jmp	loc_4CB76C
; 

loc_4CB856:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+1C8j
		lea	ecx, [ecx+8]
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	ecx, [ebp+var_8]
		jmp	short loc_4CB80A
; 

loc_4CB863:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+1F9j
		add	ebx, 8
		jmp	loc_4CB76C
; 

loc_4CB86B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+123j
		sub	ecx, eax
		cmp	byte ptr [ebp+var_10], 0
		jz	loc_5C6A86

loc_4CB877:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+FB447j
		mov	esi, ebx
		mov	ebx, [ebp+var_C]
		mov	[edx-4], ebx
		mov	ebx, [ebp+var_18]
		jmp	loc_4CB76C
; 

loc_4CB887:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+11Bj
		sub	eax, edi
		and	ebx, 0FFFFFFFEh
		add	ecx, eax
		cmp	byte ptr [ebp+var_10], 0
		jz	loc_5C6A71
		test	ecx, ecx
		jle	short loc_4CB90D

loc_4CB89C:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+FB433j
		cmp	esi, ebx
		jnz	loc_4CB769
		jmp	short loc_4CB914
; 

loc_4CB8A6:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+13j
		xor	eax, eax
		jmp	loc_4CB65D
; 

loc_4CB8AD:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+25j
		push	ebx
		push	edx
		mov	edx, 8
		mov	ecx, eax
		call	SmArrayGrow
		test	eax, eax
		jz	short loc_4CB922
		mov	ecx, [ebp+var_8]
		jmp	loc_4CB66B
; 

loc_4CB8C7:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+2Dj
		push	1
		mov	edx, 1
		call	?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@KK@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)
		mov	ecx, [ebp+var_8]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_4CB922
		mov	edx, [ebx]
		mov	[edx], eax
		mov	eax, [ecx]
		add	eax, 8
		mov	[edx+4], eax
		inc	dword ptr [ebx+0Ch]
		jmp	loc_4CB67B
; 

loc_4CB8F0:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+CEj
		mov	eax, [ebp+var_24]
		mov	[ebp+var_C], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_18], 0
		jmp	loc_4CB744
; 

loc_4CB90D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+25Aj
		movzx	eax, word ptr [ebx]
		mov	esi, ebx
		add	ecx, eax

loc_4CB914:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+264j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+FB441j
		mov	ebx, [ebp+var_C]
		mov	[edx-4], ebx
		mov	ebx, [ebp+var_18]
		jmp	loc_4CB76C
; 

loc_4CB922:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+27Dj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+29Aj
		mov	eax, 0C000009Ah
		jmp	loc_4CB6EC
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey	proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+93p
					; ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+C7p ...

var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C6AB2 SIZE 000001A2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_10], esi
		push	edi
		test	ecx, ecx
		jz	loc_5C6AB2
		lea	eax, [ecx+8]

loc_4CB958:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB184j
		mov	eax, [eax]
		mov	ebx, [ebp+arg_0]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C6AC5
		mov	eax, [ebx+0Ch]
		cmp	eax, 0FFFFFFFFh
		jz	loc_5C6AB9

loc_4CB972:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB25Fj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB29Dj
		xor	eax, eax
		mov	[ebx+0Ch], eax

loc_4CB977:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB190j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB257j
		cmp	eax, 0FFFFFFFFh
		jz	loc_5C6BD2
		mov	eax, [ecx]
		mov	edi, 1
		mov	[ebp+var_18], edi
		test	eax, eax
		jz	loc_4CBB09
		movzx	esi, byte ptr [eax+2]

loc_4CB996:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+1DBj
		cmp	[ebx+10h], esi
		lea	eax, [ebx+10h]
		jb	loc_5C6BDF

loc_4CB9A2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB2CEj
		mov	edx, [ebx]
		mov	esi, [ebp+var_10]

loc_4CB9A7:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB2AAj
		mov	eax, [ecx]
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_4CBB10
		mov	edx, eax
		lea	esp, [esp+0]

loc_4CB9C0:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+1C9j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB315j
		mov	eax, [edx]
		or	ebx, 0FFFFFFFFh
		movzx	edi, ax
		shr	eax, 18h
		test	al, al
		jz	loc_4CBA7D
		test	edi, edi
		jz	short loc_4CBA0E
		mov	[ebp+var_1C], esi
		lea	ebx, [ebx+0]

loc_4CB9E0:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+D9j
		lea	esi, [edi+ebx]
		shr	esi, 1
		mov	eax, [edx+esi*4+8]
		lea	edx, [ebp+var_20]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	?Compare@ST_HASH_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z	; ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR::Compare(void *,ulong const &,ulong const &)
		test	eax, eax
		jns	short loc_4CBA79
		mov	ebx, esi

loc_4CB9FE:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+14Bj
		mov	ecx, [ebp+var_8]
		lea	eax, [ebx+1]
		mov	edx, [ebp+var_C]
		cmp	eax, edi
		jnz	short loc_4CB9E0

loc_4CBA0B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+17Fj
		mov	edx, [ebp+var_C]

loc_4CBA0E:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+A5j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+14Fj
		cmp	byte ptr [edx+3], 0
		jz	loc_4CBAB8
		cmp	[ebp+var_18], 0
		lea	esi, [edi+2]
		mov	eax, [ebp+var_14]
		lea	esi, [edx+esi*4]
		mov	[eax], edx
		mov	[eax+4], esi
		jz	short loc_4CBA38
		mov	ebx, [ebp+arg_0]
		sub	eax, [ebx]
		sar	eax, 3
		inc	eax
		mov	[ebx+0Ch], eax

loc_4CBA38:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FAj
		movzx	eax, word ptr [edx]
		cmp	edi, eax
		jnb	short loc_4CBA5E
		mov	eax, [ebp+var_10]
		lea	edx, [ebp+var_1C]
		mov	[ebp+var_20], eax
		mov	eax, [esi]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_20]
		push	eax
		call	?Compare@ST_HASH_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z	; ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR::Compare(void *,ulong const &,ulong const &)
		test	eax, eax
		jz	loc_4CBAFE

loc_4CBA5E:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+10Dj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+1E2j	...
		mov	eax, 0C0000225h

loc_4CBA63:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+1D0j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB2C6j ...
		lea	esp, [ebp-44h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4CBA79:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+CAj
		mov	edi, esi
		jmp	short loc_4CB9FE
; 

loc_4CBA7D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+9Dj
		test	edi, edi
		jz	short loc_4CBA0E
		mov	[ebp+var_20], esi

loc_4CBA84:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+17Dj
		lea	esi, [edi+ebx]
		shr	esi, 1
		mov	eax, [edx+esi*8+8]
		lea	edx, [ebp+var_1C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_20]
		push	eax
		call	?Compare@ST_HASH_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z	; ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR::Compare(void *,ulong const &,ulong const &)
		test	eax, eax
		jg	short loc_4CBAB4
		mov	ebx, esi

loc_4CBAA2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+186j
		mov	ecx, [ebp+var_8]
		lea	eax, [ebx+1]
		mov	edx, [ebp+var_C]
		cmp	eax, edi
		jnz	short loc_4CBA84
		jmp	loc_4CBA0B
; 

loc_4CBAB4:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+16Ej
		mov	edi, esi
		jmp	short loc_4CBAA2
; 

loc_4CBAB8:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+E2j
		cmp	[ebp+var_18], 0
		lea	esi, ds:0[edi*8]
		jz	short loc_4CBADE
		mov	edx, [ebp+var_14]
		mov	eax, [ebp+var_C]
		mov	[edx], eax
		add	eax, 8
		add	eax, esi
		mov	[edx+4], eax
		add	edx, 8
		mov	[ebp+var_14], edx
		mov	edx, [ebp+var_C]

loc_4CBADE:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+193j
		test	edi, edi
		jz	short loc_4CBB05
		add	esi, edx

loc_4CBAE4:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+1D7j
		mov	eax, [ecx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C6C15

loc_4CBAF0:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB2E9j
		mov	edx, [esi+4]
		mov	esi, [ebp+var_10]
		mov	[ebp+var_C], edx
		jmp	loc_4CB9C0
; 

loc_4CBAFE:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+128j
		xor	eax, eax
		jmp	loc_4CBA63
; 

loc_4CBB05:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+1B0j
		mov	esi, edx
		jmp	short loc_4CBAE4
; 

loc_4CBB09:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+5Cj
		xor	esi, esi
		jmp	loc_4CB996
; 

loc_4CBB10:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+81j
		test	edi, edi
		jnz	loc_4CBA5E
		jmp	loc_5C6C03
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmpUpdateRegionState proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+3A5p
					; ST_STORE_SM_TRAITS___StCompactRegions+3B3p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C6C54 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	eax, [edi+240h]
		movzx	esi, word ptr [eax+edx*2]
		lea	edx, [eax+edx*2]
		mov	eax, esi
		mov	[ebp+var_8], edx
		and	eax, 1FFFh
		cmp	byte ptr [edi+1ACh], 0
		mov	[ebp+var_C], eax
		jnz	loc_5C6C54
		mov	eax, esi
		shr	eax, 0Dh

loc_4CBB5C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpUpdateRegionState+FB136j
		mov	ebx, [ebp+arg_0]
		lea	ecx, [esi+ebx]
		mov	esi, [ebp+var_4]
		mov	[edx], cx
		add	[edi+eax*8+434h], ebx
		lea	eax, [eax+eax*2]
		lea	eax, [eax+0ADh]
		lea	eax, [edi+eax*4]
		mov	[ebp+arg_0], eax
		cmp	[eax], esi
		jz	short loc_4CBBA9
		mov	eax, [ebp+var_C]
		movzx	ecx, word ptr [edx]
		movzx	eax, ax
		and	ecx, 1FFFh
		mov	[ebp+var_4], eax
		mov	eax, [edi+1C4h]
		inc	eax
		shr	eax, 1
		cmp	[ebp+var_4], eax
		jb	short loc_4CBBD0

loc_4CBBA2:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpUpdateRegionState+B4j
		cmp	ecx, eax
		jb	short loc_4CBC01

loc_4CBBA6:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpUpdateRegionState+BCj
					; ST_STORE_SM_TRAITS___StDmpUpdateRegionState+DFj ...
		mov	eax, [ebp+arg_0]

loc_4CBBA9:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpUpdateRegionState+60j
		test	ebx, ebx
		jle	short loc_4CBBBD
		cmp	esi, [eax]
		jnz	short loc_4CBBC7
		add	[eax+4], ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4CBBBD:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpUpdateRegionState+8Bj
		mov	ecx, 1FFFh
		test	[edx], cx
		jz	short loc_4CBC2B

loc_4CBBC7:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpUpdateRegionState+8Fj
					; ST_STORE_SM_TRAITS___StDmpUpdateRegionState+10Fj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4CBBD0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpUpdateRegionState+80j
		cmp	[ebp+var_4], 0
		jz	short loc_4CBBA2
		cmp	ecx, eax
		jnb	short loc_4CBBDE
		test	ecx, ecx
		jnz	short loc_4CBBA6

loc_4CBBDE:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpUpdateRegionState+B8j
		dec	dword ptr [edi+25Ch]
		mov	edx, esi
		shr	edx, 3
		mov	eax, esi
		add	edx, [edi+258h]
		and	eax, 7
		movsx	ecx, byte ptr [edx]
		bts	ecx, eax
		mov	[edx], cl
		mov	edx, [ebp+var_8]
		jmp	short loc_4CBBA6
; 

loc_4CBC01:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpUpdateRegionState+84j
		test	ecx, ecx
		jz	short loc_4CBBA6
		mov	edx, esi
		mov	eax, esi
		shr	edx, 3
		and	eax, 7
		add	edx, [edi+258h]
		movsx	ecx, byte ptr [edx]
		btr	ecx, eax
		mov	[edx], cl
		inc	dword ptr [edi+25Ch]
		mov	edx, [ebp+var_8]
		jmp	loc_4CBBA6
; 

loc_4CBC2B:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpUpdateRegionState+A5j
		cmp	[ebp+arg_4], 0
		jnz	short loc_4CBBC7
		cmp	esi, [eax]
		jz	short loc_4CBBC7
		mov	edx, esi
		mov	ecx, edi
		call	ST_STORE_SM_TRAITS___StReleaseRegion
		jmp	short loc_4CBBC7
ST_STORE_SM_TRAITS___StDmpUpdateRegionState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+BEp
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+E5p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C6C5B SIZE 00000073 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	eax, [ebx]
		test	eax, eax
		jz	loc_4CBE67
		movzx	ecx, byte ptr [eax+2]

loc_4CBC5D:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+229j
		lea	eax, [edi+10h]
		mov	esi, [edi+0Ch]
		cmp	[eax], ecx
		jbe	loc_4CBE6E

loc_4CBC6B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+23Cj
		test	esi, esi
		jz	loc_4CBE8C
		mov	eax, [edi]
		lea	edx, [esi-1]
		lea	edx, [eax+edx*8]

loc_4CBC7B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+26Fj
		mov	esi, [edx]
		mov	[ebp+var_14], edx
		mov	ecx, [esi]
		cmp	cx, 1FFh
		jnb	short loc_4CBCCF

loc_4CBC89:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+140j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+15Cj ...
		movzx	eax, word ptr [esi]
		mov	edi, [edx+4]
		shl	eax, 3
		sub	eax, edi
		add	eax, 8
		add	eax, esi
		cmp	byte ptr [esi+3], 0
		push	eax		; size_t
		push	edi		; void *
		lea	eax, [edi+8]
		push	eax		; void *
		jz	loc_4CBE3B
		call	_memmove
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		inc	dword ptr [ebx+4]

loc_4CBCC1:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+210j
		inc	word ptr [esi]
		xor	eax, eax

loc_4CBCC6:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+247j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4CBCCF:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+47j
		mov	eax, [edx+4]
		sub	eax, esi
		sub	eax, 8
		sar	eax, 3
		mov	[ebp+var_4], eax
		cmp	esi, [ebx]
		jz	loc_4CBEB4
		mov	edx, edi
		mov	ecx, ebx
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute
		mov	edx, [ebp+var_14]
		mov	[ebp+var_8], eax
		mov	ecx, [edx-4]
		mov	[ebp+var_18], ecx
		test	al, 1
		jz	loc_5C6C5B
		mov	[ebp+var_10], 0FFFFFFF8h

loc_4CBD09:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+FB022j
		mov	eax, [ebp+var_18]
		add	eax, [ebp+var_10]
		mov	ecx, [esi]
		mov	edx, [ebp+var_14]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_4]

loc_4CBD1A:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+289j
		mov	[ebp+var_10], ecx
		shr	[ebp+var_10], 18h
		movzx	ecx, cx
		mov	[ebp+var_1C], ecx
		cmp	ecx, 1FFh
		jnb	loc_4CBDB6
		mov	ecx, [ebp+var_8]
		mov	edi, [ebp+var_1C]
		test	cl, 1
		jz	loc_5C6C9C
		add	edi, 0FFFFFE01h
		and	ecx, 0FFFFFFFEh
		add	eax, edi
		mov	[ebp+var_8], ecx
		cmp	byte ptr [ebp+var_10], 0
		mov	[ebp+var_4], eax
		jz	loc_5C6C75
		test	eax, eax
		jle	loc_5C6C67

loc_4CBD65:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+FB037j
		cmp	esi, ecx
		jz	loc_5C6C8E

loc_4CBD6D:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+FB05Ej
		mov	edi, [ebp+var_C]

loc_4CBD70:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+1F6j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+FB057j ...
		mov	[edx], esi
		lea	eax, [eax+1]
		mov	cl, [esi+3]
		lea	eax, [esi+eax*8]
		mov	[edx+4], eax
		test	cl, cl
		jz	loc_4CBC89
		mov	ecx, [edx-8]
		lea	eax, [ecx+8]
		cmp	edi, eax
		jbe	short loc_4CBDB1
		add	edi, 0FFFFFFFCh

loc_4CBD93:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+174j
		mov	eax, [ebx+8]
		lea	ecx, [ebx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CBC89
		mov	edx, edi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	edx, [ebp+var_14]
		jmp	loc_4CBC89
; 

loc_4CBDB1:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+14Ej
		lea	edi, [ecx+4]
		jmp	short loc_4CBD93
; 

loc_4CBDB6:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+EDj
		cmp	[ebp+var_8], 0
		jz	short loc_4CBDE1
		cmp	byte ptr [ebp+var_10], 0
		jz	short loc_4CBDE1
		mov	edx, [edx-8]
		mov	ecx, [ebp+var_C]
		lea	eax, [edx+8]
		cmp	ecx, eax
		jbe	loc_4CBE55
		lea	edx, [ecx-4]

loc_4CBDD6:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+218j
		mov	eax, [ebx+8]
		lea	ecx, [ebx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_4CBE5D

loc_4CBDE1:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+17Aj
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+180j ...
		mov	edx, edi
		mov	ecx, ebx
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_4CBE82
		mov	ecx, [edi+0Ch]
		mov	eax, [edi]
		dec	ecx
		mov	edi, [eax+ecx*8-4]
		lea	edx, [eax+ecx*8]
		mov	ecx, [esi]
		movzx	eax, cx
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_4]
		mov	[ebp+var_14], edx
		cmp	eax, [ebp+var_1C]
		jle	loc_5C6CC6
		sub	eax, [ebp+var_1C]
		shr	ecx, 18h
		mov	[ebp+var_4], eax
		test	cl, cl
		jz	loc_5C6CBD

loc_4CBE2A:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+FB081j
		mov	esi, [ebp+var_18]
		lea	eax, [edi+8]
		mov	[edx-4], eax
		mov	eax, [ebp+var_4]
		jmp	loc_4CBD70	; void *
; 

loc_4CBE3B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+63j
		call	_memmove
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		jmp	loc_4CBCC1
; 

loc_4CBE55:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+18Dj
		add	edx, 4
		jmp	loc_4CBDD6
; 

loc_4CBE5D:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+19Fj
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		jmp	loc_4CBDE1
; 

loc_4CBE67:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+13j
		xor	ecx, ecx
		jmp	loc_4CBC5D
; 

loc_4CBE6E:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+25j
		push	edi
		push	eax
		mov	edx, 8
		call	SmArrayGrow
		test	eax, eax
		jnz	loc_4CBC6B

loc_4CBE82:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+1AFj
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+25Ej
		mov	eax, 0C000009Ah
		jmp	loc_4CBCC6
; 

loc_4CBE8C:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+2Dj
		push	1
		mov	edx, 1
		mov	ecx, ebx
		call	?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@KK@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)
		mov	[ebx], eax
		test	eax, eax
		jz	short loc_4CBE82
		mov	edx, [edi]
		mov	[edx], eax
		mov	eax, [ebx]
		add	eax, 8
		mov	[edx+4], eax
		inc	dword ptr [edi+0Ch]
		jmp	loc_4CBC7B
; 

loc_4CBEB4:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+9Fj
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], 0
		mov	[ebp+var_18], 0
		jmp	loc_4CBD1A
B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+98p
					; ST_STORE_SM_TRAITS___StDmPageRemove+367p ...

var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C6CCE SIZE 00000191 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, edx
		mov	edx, ecx
		mov	[ebp+var_14], esi
		mov	[ebp+var_8], edx
		push	edi
		test	edx, edx
		jz	loc_5C6CCE
		lea	eax, [edx+8]

loc_4CBEFD:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAE00j
		mov	eax, [eax]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C6CE1
		mov	eax, [esi+0Ch]
		cmp	eax, 0FFFFFFFFh
		jz	loc_5C6CD5

loc_4CBF14:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAEDBj
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAF17j
		xor	eax, eax
		mov	[esi+0Ch], eax

loc_4CBF19:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAE0Cj
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAECEj
		cmp	eax, 0FFFFFFFFh
		jz	loc_5C6DEC
		mov	eax, [edx]
		mov	[ebp+var_C], 1
		test	eax, eax
		jz	loc_4CC04B
		movzx	ecx, byte ptr [eax+2]

loc_4CBF37:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+17Dj
		cmp	[esi+10h], ecx
		lea	eax, [esi+10h]
		jb	loc_5C6DF9

loc_4CBF43:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAF46j
		mov	edi, [esi]
		mov	eax, 1

loc_4CBF4A:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAF24j
		mov	esi, [edx]
		mov	[ebp+var_10], esi
		test	esi, esi
		jz	loc_4CC052

loc_4CBF57:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+163j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAF7Fj
		mov	eax, [esi]
		or	edx, 0FFFFFFFFh
		mov	ecx, eax
		shr	ecx, 18h
		mov	[ebp+var_18], ecx
		movzx	ecx, ax
		mov	eax, [ebp+var_18]
		test	al, al
		jz	short loc_4CBFDA
		test	ecx, ecx
		jz	short loc_4CBF89

loc_4CBF72:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+B4j
		lea	eax, [ecx+edx]
		shr	eax, 1
		cmp	[esi+eax*8+8], ebx
		jnb	short loc_4CBFD6
		mov	edx, eax

loc_4CBF7F:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+108j
		lea	eax, [edx+1]
		cmp	eax, ecx
		jnz	short loc_4CBF72

loc_4CBF86:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+129j
		mov	eax, [ebp+var_18]

loc_4CBF89:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+A0j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+10Cj
		lea	edx, ds:0[ecx*8]
		test	al, al
		jz	short loc_4CC001
		add	edx, 8
		mov	[edi], esi
		add	edx, esi
		cmp	[ebp+var_C], 0
		mov	[edi+4], edx
		jz	short loc_4CBFB0
		mov	eax, [ebp+var_14]
		sub	edi, [eax]
		sar	edi, 3
		inc	edi
		mov	[eax+0Ch], edi

loc_4CBFB0:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+D2j
		movzx	eax, word ptr [esi]
		cmp	ecx, eax
		jb	loc_4CC038

loc_4CBFBB:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+16Aj
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+184j ...
		mov	eax, 0C0000225h

loc_4CBFC0:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+172j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAF3Ej	...
		lea	esp, [ebp-3Ch]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4CBFD6:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+ABj
		mov	ecx, eax
		jmp	short loc_4CBF7F
; 

loc_4CBFDA:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+9Cj
		test	ecx, ecx
		jz	short loc_4CBF89
		mov	edi, edi

loc_4CBFE0:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+127j
		lea	eax, [ecx+edx]
		shr	eax, 1
		mov	esi, [esi+eax*8+8]
		cmp	esi, ebx
		jnb	short loc_4CBFFB

loc_4CBFED:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey:loc_4CBFFBj
		mov	edx, eax

loc_4CBFEF:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+12Fj
		mov	esi, [ebp+var_10]
		lea	eax, [edx+1]
		cmp	eax, ecx
		jnz	short loc_4CBFE0
		jmp	short loc_4CBF86
; 

loc_4CBFFB:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+11Bj
		jz	short loc_4CBFED
		mov	ecx, eax
		jmp	short loc_4CBFEF
; 

loc_4CC001:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+C2j
		cmp	[ebp+var_C], 0
		jz	short loc_4CC014
		lea	eax, [esi+8]
		mov	[edi], esi
		add	eax, edx
		mov	[edi+4], eax
		add	edi, 8

loc_4CC014:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+135j
		test	ecx, ecx
		jz	short loc_4CC047
		add	edx, esi

loc_4CC01A:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+179j
		mov	ecx, [ebp+var_8]
		add	edx, 4
		add	ecx, 8
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C6E2D

loc_4CC02E:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAF61j
		mov	esi, [edx]
		mov	[ebp+var_10], esi
		jmp	loc_4CBF57
; 

loc_4CC038:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+E5j
		cmp	[edx], ebx
		jnz	loc_4CBFBB
		xor	eax, eax
		jmp	loc_4CBFC0
; 

loc_4CC047:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+146j
		mov	edx, esi
		jmp	short loc_4CC01A
; 

loc_4CC04B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+5Dj
		xor	ecx, ecx
		jmp	loc_4CBF37
; 

loc_4CC052:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+81j
		test	eax, eax
		jnz	loc_4CBFBB
		jmp	loc_5C6E1B
B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmHpChunkAlloc(x)
_SmHpChunkAlloc@4 proc near		; CODE XREF: ST_STORE<SM_TRAITS>::StDmpDummyPageRecordAllocate(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+Ap
					; ST_STORE_SM_TRAITS___StDmpSinglePageAdd+1EFp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx

loc_4CC06D:				; CODE XREF: SmHpChunkAlloc(x)+5Aj
		mov	eax, [edi+9Ch]
		bsf	esi, eax
		jz	short loc_4CC0B1
		mov	esi, [edi+esi*8+0A0h]
		push	0FFFFFFFFh
		mov	ecx, [esi+8]
		bsr	eax, ecx
		btc	ecx, eax
		imul	edx, ecx, 0Ch
		add	edx, [edi+eax*4]
		movzx	ebx, word ptr [edx+4]
		add	ebx, esi
		mov	cx, [ebx]
		mov	[edx+4], cx
		mov	ecx, edi
		call	_SmHpBufferUpdateFullness@12 ; SmHpBufferUpdateFullness(x,x,x)
		inc	dword ptr [edi+134h]

loc_4CC0AA:				; CODE XREF: SmHpChunkAlloc(x)+5Cj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_4CC0B1:				; CODE XREF: SmHpChunkAlloc(x)+16j
		mov	ecx, edi
		call	SmHpBufferAlloc
		test	eax, eax
		jnz	short loc_4CC06D
		jmp	short loc_4CC0AA
_SmHpChunkAlloc@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmHpBufferUpdateFullness(x,	x, x)
_SmHpBufferUpdateFullness@12 proc near	; CODE XREF: SmHpBufferAlloc+F9p
					; SmHpChunkFree(x,x)+33p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		movzx	eax, word ptr [edx+6]
		mov	[ebp+var_4], edx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	ax, ax
		jz	loc_4CC1E4
		mov	cl, [esi+128h]
		mov	ebx, eax
		shr	ebx, cl

loc_4CC0E7:				; CODE XREF: SmHpBufferUpdateFullness(x,x,x)+127j
		mov	ecx, [ebp+arg_0]
		add	eax, ecx
		mov	[edx+6], ax
		movsx	eax, cx
		add	[esi+130h], eax
		movzx	eax, word ptr [edx+6]
		test	ax, ax
		jz	loc_4CC1EC
		mov	cl, [esi+128h]
		mov	edi, eax
		shr	edi, cl

loc_4CC110:				; CODE XREF: SmHpBufferUpdateFullness(x,x,x)+12Fj
		cmp	ebx, edi
		jnz	short loc_4CC11D

loc_4CC114:				; CODE XREF: SmHpBufferUpdateFullness(x,x,x)+139j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4CC11D:				; CODE XREF: SmHpBufferUpdateFullness(x,x,x)+52j
		push	0
		push	1
		call	SmHpBufferProtectEx
		mov	eax, [ebp+var_4]
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		test	ebx, ebx
		js	short loc_4CC180
		lea	edx, [esi+0A0h]
		mov	ecx, esi
		lea	edx, [edx+ebx*8]
		push	eax
		call	SmHpUnprotectListNeighbors
		mov	eax, [ebp+arg_0]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_4CC1FE
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_4CC1FE
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	ecx, [esi+0A0h]
		lea	ecx, [ecx+ebx*8]
		cmp	[ecx], ecx
		jnz	short loc_4CC180
		mov	eax, [esi+9Ch]
		btc	eax, ebx
		mov	[esi+9Ch], eax
		mov	eax, [ebp+arg_0]

loc_4CC180:				; CODE XREF: SmHpBufferUpdateFullness(x,x,x)+70j
					; SmHpBufferUpdateFullness(x,x,x)+ACj
		test	edi, edi
		js	short loc_4CC1F4
		lea	ebx, [esi+0A0h]
		lea	ebx, [ebx+edi*8]
		cmp	[ebx], ebx
		jnz	short loc_4CC1BD
		mov	eax, [esi+9Ch]
		btc	eax, edi
		mov	[esi+9Ch], eax

loc_4CC1A0:				; CODE XREF: SmHpBufferUpdateFullness(x,x,x)+122j
		mov	ecx, [ebx+4]
		cmp	[ecx], ebx
		jnz	short loc_4CC1FE
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		mov	[eax], ebx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ebx+4], eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4CC1BD:				; CODE XREF: SmHpBufferUpdateFullness(x,x,x)+CFj
		mov	eax, [ebx+4]
		push	0
		push	1
		mov	[ebp+var_4], 0
		mov	ecx, [eax+8]
		bsr	eax, ecx
		btc	ecx, eax
		mov	eax, [esi+eax*4]
		lea	ecx, [ecx+ecx*2]
		lea	edx, [eax+ecx*4]
		call	SmHpBufferProtectEx
		jmp	short loc_4CC1A0
; 

loc_4CC1E4:				; CODE XREF: SmHpBufferUpdateFullness(x,x,x)+17j
		or	ebx, 0FFFFFFFFh
		jmp	loc_4CC0E7
; 

loc_4CC1EC:				; CODE XREF: SmHpBufferUpdateFullness(x,x,x)+40j
		or	edi, 0FFFFFFFFh
		jmp	loc_4CC110
; 

loc_4CC1F4:				; CODE XREF: SmHpBufferUpdateFullness(x,x,x)+C2j
		mov	[eax+4], eax
		mov	[eax], eax
		jmp	loc_4CC114
; 

loc_4CC1FE:				; CODE XREF: SmHpBufferUpdateFullness(x,x,x)+8Bj
					; SmHpBufferUpdateFullness(x,x,x)+96j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_SmHpBufferUpdateFullness@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+BDp
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes+EEp	...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C6E5F SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, [edx+0Ch]
		xor	eax, eax
		mov	[ebp+var_18], eax
		dec	esi
		mov	eax, [edx]
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], ebx
		lea	edi, [eax+esi*8]
		mov	esi, [edi]
		mov	ecx, [edi+4]
		cmp	byte ptr [esi+3], 0
		movzx	eax, word ptr [esi]
		jz	loc_4CC37A
		lea	ebx, [ecx+4]
		mov	[ebp+var_8], 1FFh
		mov	[ebp+var_14], ebx
		lea	eax, ds:4[eax*4]
		mov	ebx, [ebp+var_C]

loc_4CC250:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+187j
		sub	eax, ecx
		add	eax, esi
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_4CC26B
		push	eax		; size_t
		push	[ebp+var_14]	; void *
		push	ecx		; void *
		call	_memmove
		mov	edx, [ebp+var_4]
		add	esp, 0Ch

loc_4CC26B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+53j
		mov	eax, 0FFFFh
		add	[esi], ax
		cmp	byte ptr [esi+3], 0
		jz	short loc_4CC27C
		dec	dword ptr [ebx+4]

loc_4CC27C:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+71j
		movzx	eax, word ptr [esi]
		cmp	[ebx], esi
		jz	short loc_4CC29B
		cmp	eax, [ebp+var_8]
		jb	short loc_4CC306

loc_4CC288:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+133j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+15Fj ...
		mov	ecx, [edi]
		mov	esi, [edi+4]
		lea	eax, [ecx+8]
		cmp	esi, eax
		jz	short loc_4CC2E5

loc_4CC294:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+97j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+9Cj ...
		xor	eax, eax

loc_4CC296:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+FACBAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4CC29B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+7Bj
		test	eax, eax
		jnz	short loc_4CC294
		cmp	[esi+3], al
		jnz	short loc_4CC294
		mov	eax, [edx+10h]
		lea	eax, ds:0FFFFFFF8h[eax*8]
		push	eax		; size_t
		lea	eax, [edi+8]
		push	eax		; void *
		push	edi		; void *
		call	_memmove
		mov	ecx, [ebp+var_4]
		lea	edi, [ebx+8]
		add	esp, 0Ch
		dec	dword ptr [ecx+0Ch]
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C6E5F

loc_4CC2D0:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+FAC5Dj
		mov	eax, [esi+4]
		mov	[ebx], eax

loc_4CC2D5:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+FAC79j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+FAC8Dj ...
		movzx	eax, byte ptr [esi+3]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	NP_CONTEXT__NpNodeFree
		jmp	short loc_4CC294
; 

loc_4CC2E5:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+8Cj
		cmp	byte ptr [ecx+3], 0
		jz	short loc_4CC294
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_1C]
		push	eax
		xor	edx, edx
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeFindSeperatorIndexEntry
		test	eax, eax
		jz	short loc_4CC294
		mov	ecx, [ebp+var_18]
		mov	edx, [esi]
		mov	[ecx], edx
		jmp	short loc_4CC294
; 

loc_4CC306:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+80j
		mov	ecx, ebx
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5C6EBB
		mov	eax, [esi]
		mov	edx, ebx
		mov	ecx, [ebp+var_8]
		and	eax, 0FFFFh
		and	edx, 1
		mov	[ebp+var_14], edx
		cmp	eax, ecx
		jb	short loc_4CC392
		test	edx, edx
		jnz	loc_4CC3D5

loc_4CC335:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+1E5j
		cmp	byte ptr [esi+3], 0
		jz	loc_4CC288
		mov	eax, [edi-4]
		lea	ecx, [eax+8]
		test	edx, edx
		jnz	loc_4CC3F0

loc_4CC34D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+1EDj
		mov	edx, [edi-8]
		lea	eax, [edx+8]
		cmp	ecx, eax
		jbe	short loc_4CC375
		lea	edx, [ecx-4]

loc_4CC35A:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+172j
		mov	ecx, [ebp+var_C]
		add	ecx, 8
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CC288
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		jmp	loc_4CC288
; 

loc_4CC375:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+14Fj
		add	edx, 4
		jmp	short loc_4CC35A
; 

loc_4CC37A:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+2Dj
		lea	edx, [ecx+8]
		shl	eax, 3
		mov	[ebp+var_14], edx
		mov	edx, [ebp+var_4]
		mov	[ebp+var_8], 0FFh
		jmp	loc_4CC250
; 

loc_4CC392:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+125j
		mov	esi, [ebp+var_4]
		mov	edx, esi
		mov	ecx, [ebp+var_C]
		push	ebx
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes
		mov	edi, [esi+0Ch]
		mov	eax, [esi]
		dec	edi
		cmp	[ebp+var_14], 0
		lea	edi, [eax+edi*8]
		jz	loc_4CC288
		and	ebx, 0FFFFFFFEh
		mov	[edi], ebx
		cmp	byte ptr [ebx+3], 0
		movzx	eax, word ptr [ebx]
		jz	short loc_4CC3F8
		lea	eax, ds:8[eax*4]

loc_4CC3C8:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+1F9j
		sub	eax, [ebp+var_10]
		add	eax, ebx
		mov	[edi+4], eax
		jmp	loc_4CC288
; 

loc_4CC3D5:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+129j
		sub	eax, ecx
		mov	ecx, [edi+4]
		inc	eax
		cmp	byte ptr [esi+3], 0
		jz	loc_5C6EC5
		lea	eax, [ecx+eax*4]

loc_4CC3E8:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+FACC2j
		mov	[edi+4], eax
		jmp	loc_4CC335
; 

loc_4CC3F0:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+141j
		lea	ecx, [eax-8]
		jmp	loc_4CC34D
; 

loc_4CC3F8:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+1B9j
		lea	eax, ds:8[eax*8]
		jmp	short loc_4CC3C8
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx proc	near
					; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+373p
					; ST_STORE_SM_TRAITS___StDmPageRecordRemove+6Fp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C6ECD SIZE 00000071 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, edx
		mov	[ebp+var_4], ecx
		push	ebx
		push	esi
		mov	[ebp+var_8], eax
		mov	esi, [eax+0Ch]
		mov	eax, [eax]
		dec	esi
		mov	edx, [eax+esi*8+4]
		push	edi
		lea	edi, [eax+esi*8]
		mov	[ebp+var_24], 0
		mov	esi, [edi]
		mov	[ebp+var_20], 0
		cmp	byte ptr [esi+3], 0
		mov	eax, [esi]
		movzx	ebx, ax
		jz	loc_4CC5CE
		lea	ebx, ds:4[ebx*4]
		mov	[ebp+var_C], 1FFh
		lea	ecx, [edx+4]

loc_4CC460:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+1CBj
		sub	ebx, edx
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+var_4]
		add	ebx, esi
		movzx	eax, ax
		test	ebx, ebx
		jz	short loc_4CC484
		push	ebx		; size_t
		push	[ebp+var_10]	; void *
		push	edx		; void *
		call	_memmove
		movzx	eax, word ptr [esi]
		add	esp, 0Ch
		mov	ecx, [ebp+var_4]

loc_4CC484:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+5Fj
		dec	eax
		mov	[esi], ax
		cmp	byte ptr [esi+3], 0
		jz	short loc_4CC491
		dec	dword ptr [ecx+4]

loc_4CC491:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+7Cj
		mov	eax, [esi]
		mov	edx, eax
		shr	edx, 18h
		movzx	eax, ax
		cmp	[ecx], esi
		jz	short loc_4CC4DE
		cmp	eax, [ebp+var_C]
		jb	loc_4CC532

loc_4CC4A8:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+15Fj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+187j ...
		mov	ecx, [edi]
		mov	esi, [edi+4]
		lea	eax, [ecx+8]
		cmp	esi, eax
		jz	short loc_4CC4BD

loc_4CC4B4:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+B1j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+C3j ...
		xor	eax, eax

loc_4CC4B6:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+FAB1Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4CC4BD:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+A2j
		cmp	byte ptr [ecx+3], 0
		jz	short loc_4CC4B4
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_24]
		push	eax
		xor	edx, edx
		call	?BTreeFindSeperatorIndexEntry@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGKPAUSEARCH_RESULT@1@KPAUPATH_ENTRY@1@@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindSeperatorIndexEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::PATH_ENTRY *)
		test	eax, eax
		jz	short loc_4CC4B4
		mov	eax, [ebp+var_20]
		mov	ecx, [esi]
		mov	[eax], ecx
		jmp	short loc_4CC4B4
; 

loc_4CC4DE:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+8Dj
		test	eax, eax
		jnz	short loc_4CC4B4
		test	dl, dl
		jnz	short loc_4CC4B4
		mov	ebx, [ebp+var_8]
		mov	eax, [ebx+10h]
		lea	eax, ds:0FFFFFFF8h[eax*8]
		push	eax		; size_t
		lea	eax, [edi+8]
		push	eax		; void *
		push	edi		; void *
		call	_memmove
		dec	dword ptr [ebx+0Ch]
		add	esp, 0Ch
		mov	ebx, [ebp+var_4]
		mov	eax, [ebx+8]
		lea	edi, [ebx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C6ECD

loc_4CC516:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+FAAC1j
		mov	eax, [esi+4]
		mov	[ebx], eax

loc_4CC51B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+FAADDj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+FAAF1j ...
		movzx	eax, byte ptr [esi+3]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	NP_CONTEXT__NpNodeFree
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4CC532:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+92j
		mov	edx, [ebp+var_8]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute
		mov	edx, eax
		mov	[ebp+var_1C], edx
		test	edx, edx
		jz	loc_5C6F29
		mov	eax, [esi]
		mov	ecx, eax
		shr	ecx, 18h
		mov	[ebp+var_14], ecx
		mov	ecx, edx
		movzx	eax, ax
		and	ecx, 1
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_18], ecx
		cmp	[ebp+var_10], eax
		jb	short loc_4CC5E0
		test	ecx, ecx
		jnz	short loc_4CC5AC

loc_4CC56B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+1B7j
		cmp	byte ptr [esi+3], 0
		jz	loc_4CC4A8
		mov	eax, [edi-4]
		lea	edx, [eax+8]
		test	ecx, ecx
		jnz	short loc_4CC5C9

loc_4CC57F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+1BCj
		mov	ecx, [edi-8]
		lea	eax, [ecx+8]
		cmp	edx, eax
		jbe	short loc_4CC5A7
		add	edx, 0FFFFFFFCh

loc_4CC58C:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+19Aj
		mov	ecx, [ebp+var_4]
		add	ecx, 8
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CC4A8
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		jmp	loc_4CC4A8
; 

loc_4CC5A7:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+177j
		lea	edx, [ecx+4]
		jmp	short loc_4CC58C
; 

loc_4CC5AC:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+159j
		mov	edx, [ebp+var_10]
		sub	edx, eax
		cmp	byte ptr [ebp+var_14], 0
		mov	eax, [edi+4]
		jz	loc_5C6F33
		lea	eax, [eax+edx*4]
		add	eax, 4

loc_4CC5C4:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+FAB29j
		mov	[edi+4], eax
		jmp	short loc_4CC56B
; 

loc_4CC5C9:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+16Dj
		lea	edx, [eax-8]
		jmp	short loc_4CC57F
; 

loc_4CC5CE:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+39j
		shl	ebx, 3
		lea	ecx, [edx+8]
		mov	[ebp+var_C], 0FFh
		jmp	loc_4CC460
; 

loc_4CC5E0:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+155j
		mov	esi, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	edx
		mov	edx, esi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes
		mov	edi, [esi+0Ch]
		mov	eax, [esi]
		dec	edi
		cmp	[ebp+var_18], 0
		lea	edi, [eax+edi*8]
		jz	loc_4CC4A8
		mov	ecx, [ebp+var_1C]
		and	ecx, 0FFFFFFFEh
		mov	[edi], ecx
		cmp	byte ptr [ecx+3], 0
		movzx	eax, word ptr [ecx]
		jz	short loc_4CC625
		lea	eax, ds:8[eax*4]

loc_4CC619:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+21Cj
		sub	eax, ebx
		add	eax, ecx
		mov	[edi+4], eax
		jmp	loc_4CC4A8
; 

loc_4CC625:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+200j
		lea	eax, ds:8[eax*8]
		jmp	short loc_4CC619
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+1C6p
					; ST_STORE_SM_TRAITS___StDmPageRemove+2F6p ...

var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C6F3E SIZE 000000A2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_10], edx
		neg	ebx
		lea	eax, [edx+8]
		push	esi
		sbb	ebx, ebx
		and	ebx, eax
		push	edi
		mov	eax, [ebx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C6F3E

loc_4CC65C:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup+FA917j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup+FA921j ...
		lea	esp, [ebp-38h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+BAp
					; ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+FA7D0p

var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C6FE0 SIZE 000000C9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, edx
		mov	edx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edx+0Ch]
		mov	[ebp+var_14], edi
		cmp	esi, 0FFFFFFFFh
		jz	short loc_4CC6D7
		test	esi, esi
		jz	short loc_4CC6D7
		mov	eax, [edx]
		lea	edx, [esi-1]
		lea	edx, [eax+edx*8]

loc_4CC6A1:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult+6Cj
		mov	eax, [edx]
		neg	ecx
		mov	[ebx], eax
		mov	eax, [edx+4]
		sbb	ecx, ecx
		mov	[ebx+4], eax
		lea	eax, [edi+8]
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C6FE0

loc_4CC6BF:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult+FA976j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult+FA983j ...
		add	dword ptr [ebx+4], 0FFFFFFF8h
		lea	esp, [ebp-3Ch]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_4CC6D7:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult+25j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult+29j
		add	edx, 4
		jmp	short loc_4CC6A1
B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+2E6p
					; ST_STORE_SM_TRAITS___StCompactRegions+46Cp ...

var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C70A9 SIZE 000000A2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_10], edx
		neg	ebx
		lea	eax, [edx+8]
		push	esi
		sbb	ebx, ebx
		and	ebx, eax
		push	edi
		mov	eax, [ebx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C70A9

loc_4CC70A:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup+FA9D4j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup+FA9DEj ...
		lea	esp, [ebp-38h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmCheckForCompaction proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+208p
					; ST_STORE_SM_TRAITS___StWorkItemProcess+282p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C714B SIZE 000000C0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		movzx	ebx, byte ptr [ecx+47Ch]
		mov	eax, edx
		and	ebx, 3
		mov	[ebp+var_2C], eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ebx
		push	esi
		push	edi
		test	al, 3
		jnz	short loc_4CC74D
		cmp	ebx, 2
		jz	loc_4CC92D

loc_4CC74D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+22j
		mov	edx, [ecx+1ACh]
		and	edx, 0FFh
		mov	[ebp+var_38], edx
		jnz	loc_5C714B
		mov	[ebp+var_4], 3
		mov	[ebp+var_10], offset ?ThresholdShiftTableInMem@?1??StDmCheckForCompaction@?$ST_STORE@USM_TRAITS@@@@SG?AW4_ST_COMPACTION_CHECK_RESULT@@PAU_ST_DATA_MGR@2@K@Z@4PAY01EA ; uchar (*	`ST_STORE<SM_TRAITS>::StDmCheckForCompaction(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)'::`2'::ThresholdShiftTableInMem)[2]

loc_4CC770:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+FAA73j
		mov	[ebp+var_24], 0
		mov	[ebp+var_28], 0
		mov	[ebp+var_20], 0
		test	edx, edx
		jnz	loc_5C7198
		mov	[ebp+var_1C], 8

loc_4CC794:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+FAA7Fj
		mov	eax, [ecx+1CCh]
		lea	esi, [ecx+434h]
		mov	ebx, [ecx+1D0h]
		mov	[ebp+var_14], eax
		sub	eax, ebx
		inc	eax
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], eax
		lea	eax, [ecx+2B4h]
		mov	[ebp+var_18], eax
		jmp	short loc_4CC7C0
; 
		align 10h

loc_4CC7C0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+9Bj
					; ST_STORE_SM_TRAITS___StDmCheckForCompaction+F0j
		mov	edi, [esi-4]
		mov	eax, [esi]
		test	edx, edx
		jnz	loc_5C71A4
		mov	ebx, eax

loc_4CC7CF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+FAA91j
		mov	ecx, [ebp+var_30]
		imul	ecx, edi
		mov	edx, ecx
		sub	edx, eax
		cmp	ecx, eax
		jb	short loc_4CC7E8
		mov	eax, [ebp+var_14]
		cmp	edx, eax
		jnb	loc_4CC8C8

loc_4CC7E8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+BBj
		xor	eax, eax

loc_4CC7EA:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+1D8j
		mov	ecx, [ebp+var_20]
		add	esi, 8
		add	[ebp+var_18], 0Ch
		add	ecx, edi
		mov	edi, [ebp+var_24]
		mov	edx, [ebp+var_38]
		add	edi, ebx
		mov	ebx, [ebp+var_28]
		add	ebx, eax
		mov	[ebp+var_20], ecx
		sub	[ebp+var_1C], 1
		mov	[ebp+var_24], edi
		mov	[ebp+var_28], ebx
		jnz	short loc_4CC7C0
		test	byte ptr [ebp+var_2C], 2
		mov	edx, [ebp+var_8]
		mov	eax, [edx+1C0h]
		jnz	loc_5C71B6
		mov	eax, [eax+1254h]
		test	eax, eax
		jnz	loc_4CC92D
		cmp	ecx, [ebp+var_4]
		jb	loc_4CC92D
		test	byte ptr [ebp+var_2C], 1
		jnz	loc_4CC931
		cmp	[ebp+var_C], 1
		jz	loc_4CC90A
		mov	eax, [edx+1C0h]
		mov	ecx, [eax+1128h]
		add	ecx, [eax+1260h]
		mov	eax, [eax+112Ch]
		shr	eax, 8
		add	ecx, eax
		jnz	loc_4CC90A
		xor	esi, esi

loc_4CC875:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+1EFj
					; ST_STORE_SM_TRAITS___StDmCheckForCompaction+213j
		mov	eax, [ebp+var_10]
		mov	edx, edi
		mov	cl, [eax+esi*2]
		mov	eax, [ebp+var_C]
		shr	edx, cl
		cmp	eax, 3
		jnz	short loc_4CC897
		mov	ecx, [ebp+var_10]
		mov	eax, edi
		mov	cl, [ecx+esi*2+1]
		shr	eax, cl
		sub	edx, eax
		mov	eax, [ebp+var_C]

loc_4CC897:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+165j
		cmp	ebx, edx
		jbe	short loc_4CC8FD
		mov	eax, [ebp+var_8]
		mov	esi, 2
		cmp	byte ptr [eax+1ACh], 0
		jnz	short loc_4CC8BF
		mov	ecx, [eax+1C0h]
		cmp	byte ptr [ecx+10F6h], 0
		jbe	loc_5C71E2

loc_4CC8BF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+18Aj
					; ST_STORE_SM_TRAITS___StDmCheckForCompaction+1E8j ...
		mov	eax, esi

loc_4CC8C1:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+20Fj
					; ST_STORE_SM_TRAITS___StDmCheckForCompaction+FAABDj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4CC8C8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+C2j
		mov	ecx, [ebp+var_18]
		mov	ecx, [ecx]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_4CC8F0
		mov	eax, [ebp+var_8]
		mov	eax, [eax+240h]
		movzx	eax, word ptr [eax+ecx*2]
		and	eax, 1FFFh
		sub	eax, [ebp+var_14]
		dec	eax
		add	eax, [ebp+var_34]
		add	edx, eax
		mov	eax, [ebp+var_14]

loc_4CC8F0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+1B0j
		cmp	edx, eax
		sbb	eax, eax
		not	eax
		and	eax, edx
		jmp	loc_4CC7EA
; 

loc_4CC8FD:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+179j
		cmp	eax, 1
		jz	short loc_4CC906
		test	esi, esi
		jnz	short loc_4CC914

loc_4CC906:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+1E0j
					; ST_STORE_SM_TRAITS___StDmCheckForCompaction+1FDj ...
		xor	esi, esi
		jmp	short loc_4CC8BF
; 

loc_4CC90A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+12Aj
					; ST_STORE_SM_TRAITS___StDmCheckForCompaction+14Dj
		mov	esi, 1
		jmp	loc_4CC875
; 

loc_4CC914:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+1E4j
		mov	eax, [ebp+var_10]
		mov	cl, [eax]
		shr	edi, cl
		cmp	ebx, edi
		jbe	short loc_4CC906
		mov	esi, 1
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4CC92D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+27j
					; ST_STORE_SM_TRAITS___StDmCheckForCompaction+10Dj ...
		xor	eax, eax
		jmp	short loc_4CC8C1
; 

loc_4CC931:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+120j
		xor	esi, esi
		jmp	loc_4CC875
ST_STORE_SM_TRAITS___StDmCheckForCompaction endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+1E3p
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+ECp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C720B SIZE 00000066 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, [edx+0Ch]
		xor	eax, eax
		mov	[ebp+var_14], eax
		dec	esi
		mov	eax, [edx]
		push	edi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], edx
		lea	edi, [eax+esi*8]
		mov	esi, [edi]
		mov	eax, [edi+4]
		mov	ebx, eax
		add	ebx, 8
		mov	[ebp+var_C], eax
		mov	[ebp+var_C], ebx
		movzx	ecx, word ptr [esi]
		mov	ebx, [ebp+var_8]
		shl	ecx, 3
		sub	ecx, eax
		add	ecx, esi
		mov	[ebp+var_10], ecx
		jz	short loc_4CC989
		push	ecx		; size_t
		push	[ebp+var_C]	; void *
		push	eax		; void *
		call	_memmove
		mov	edx, [ebp+var_4]
		add	esp, 0Ch

loc_4CC989:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+3Fj
		mov	eax, 0FFFFh
		add	[esi], ax
		cmp	byte ptr [esi+3], 0
		jz	short loc_4CC99A
		dec	dword ptr [ebx+4]

loc_4CC99A:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+5Dj
		movzx	eax, word ptr [esi]
		cmp	[ebx], esi
		jz	short loc_4CC9E2
		cmp	eax, 0FFh
		jb	loc_4CCA2C

loc_4CC9AC:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+127j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+153j ...
		mov	esi, [ebp+var_4]

loc_4CC9AF:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+183j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+1A0j
		mov	ecx, [edi]
		mov	edi, [edi+4]
		lea	eax, [ecx+8]
		cmp	edi, eax
		jz	short loc_4CC9C2

loc_4CC9BB:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+8Ej
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+9Fj ...
		xor	eax, eax

loc_4CC9BD:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+FA934j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4CC9C2:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+81j
		cmp	byte ptr [ecx+3], 0
		jz	short loc_4CC9BB
		lea	eax, [ebp+var_18]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	?BTreeFindSeperatorIndexEntry@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGKPAUSEARCH_RESULT@1@KPAUPATH_ENTRY@1@@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindSeperatorIndexEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::PATH_ENTRY *)
		test	eax, eax
		jz	short loc_4CC9BB
		mov	ecx, [ebp+var_14]
		mov	edx, [edi]
		mov	[ecx], edx
		jmp	short loc_4CC9BB
; 

loc_4CC9E2:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+67j
		test	eax, eax
		jnz	short loc_4CC9BB
		cmp	[esi+3], al
		jnz	short loc_4CC9BB
		mov	eax, [edx+10h]
		lea	eax, ds:0FFFFFFF8h[eax*8]
		push	eax		; size_t
		lea	eax, [edi+8]
		push	eax		; void *
		push	edi		; void *
		call	_memmove
		mov	eax, [ebp+var_4]
		lea	edi, [ebx+8]
		add	esp, 0Ch
		dec	dword ptr [eax+0Ch]
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C720B

loc_4CCA17:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+FA8D7j
		mov	eax, [esi+4]
		mov	[ebx], eax

loc_4CCA1C:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+FA8F3j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+FA907j ...
		movzx	eax, byte ptr [esi+3]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	NP_CONTEXT__NpNodeFree
		jmp	short loc_4CC9BB
; 

loc_4CCA2C:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+6Ej
		mov	ecx, ebx
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5C7267
		mov	ecx, [esi]
		and	eax, 1
		and	ecx, 0FFFFh
		mov	[ebp+var_C], eax
		cmp	ecx, 0FFh
		jb	short loc_4CCAA0
		test	eax, eax
		jnz	loc_4CCADD

loc_4CCA5B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+1B6j
		cmp	byte ptr [esi+3], 0
		jz	loc_4CC9AC
		mov	edx, [edi-4]
		lea	ecx, [edx+8]
		test	eax, eax
		jnz	loc_4CCAF3

loc_4CCA73:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+1BEj
		mov	edx, [edi-8]
		lea	eax, [edx+8]
		cmp	ecx, eax
		jbe	short loc_4CCA9B
		lea	edx, [ecx-4]

loc_4CCA80:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+166j
		mov	ecx, [ebp+var_8]
		add	ecx, 8
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CC9AC
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		jmp	loc_4CC9AC
; 

loc_4CCA9B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+143j
		add	edx, 4
		jmp	short loc_4CCA80
; 

loc_4CCAA0:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+119j
		mov	esi, [ebp+var_4]
		mov	edx, esi
		mov	ecx, [ebp+var_8]
		push	ebx
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes
		mov	edi, [esi+0Ch]
		mov	eax, [esi]
		dec	edi
		cmp	[ebp+var_C], 0
		lea	edi, [eax+edi*8]
		jz	loc_4CC9AF
		and	ebx, 0FFFFFFFEh
		mov	[edi], ebx
		movzx	eax, word ptr [ebx]
		lea	eax, ds:8[eax*8]
		sub	eax, [ebp+var_10]
		add	eax, ebx
		mov	[edi+4], eax
		jmp	loc_4CC9AF
; 

loc_4CCADD:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+11Dj
		mov	eax, [edi+4]
		lea	eax, [eax+ecx*8]
		add	eax, 0FFFFF810h
		mov	[edi+4], eax
		mov	eax, [ebp+var_C]
		jmp	loc_4CCA5B
; 

loc_4CCAF3:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+135j
		lea	ecx, [edx-8]
		jmp	loc_4CCA73
B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static struct	ST_STORE<struct	SM_TRAITS>::_ST_PAGE_RECORD * __stdcall	ST_STORE<struct	SM_TRAITS>::StDmCombinePageEntry(struct	ST_STORE<struct	SM_TRAITS>::_ST_DATA_MGR *, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY *)
?StDmCombinePageEntry@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_PAGE_RECORD@1@PAU_ST_DATA_MGR@1@PAU_ST_PAGE_ENTRY@1@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+10Cp
					; ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+9Cp

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [edx+4]
		mov	eax, ecx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], eax
		lea	edi, [eax+6Ch]
		lea	esp, [esp+0]

loc_4CCB20:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmCombinePageEntry(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY *)+8Cj
		mov	ecx, [edi+88h]
		mov	eax, ebx
		shr	eax, cl
		bsr	esi, eax
		mov	[ebp+var_C], 0
		btc	eax, esi
		mov	esi, [edi+esi*4]
		lea	ecx, [eax+eax*2]
		mov	eax, [edi+8Ch]
		and	eax, ebx
		imul	eax, [edi+90h]
		mov	esi, [esi+ecx*4]
		add	esi, eax
		add	esi, [edi+98h]
		cmp	dword ptr [esi], 0FFFFFFFFh
		jz	short loc_4CCB6D
		mov	edx, [ebp+var_8]
		mov	eax, esi
		cmp	[edx+4], ebx
		jnz	short loc_4CCB8E

loc_4CCB66:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmCombinePageEntry(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY *)+91j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4CCB6D:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmCombinePageEntry(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY *)+5Aj
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		mov	ebx, [esi+4]
		call	?StDmPageRecordUnprotect@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAU_ST_PAGE_RECORD@1@@Z ; ST_STORE<SM_TRAITS>::StDmPageRecordUnprotect(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_PAGE_RECORD *)
		mov	edx, esi
		mov	ecx, edi
		call	_SmHpChunkFree@8 ; SmHpChunkFree(x,x)
		mov	eax, [ebp+var_4]
		dec	dword ptr [eax+478h]
		jmp	short loc_4CCB20
; 

loc_4CCB8E:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmCombinePageEntry(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY *)+64j
		mov	[edx+4], ebx
		jmp	short loc_4CCB66
?StDmCombinePageEntry@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_PAGE_RECORD@1@PAU_ST_DATA_MGR@1@PAU_ST_PAGE_ENTRY@1@@Z endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+72p
					; ST_STORE_SM_TRAITS___StCompactRegions+342p ...

var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C7271 SIZE 000000C7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		neg	ecx
		mov	[ebp+var_10], esi
		push	edi
		sbb	ecx, ecx
		lea	eax, [esi+8]
		and	ecx, eax
		mov	[ebp+var_14], ecx
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_4CCBE5
		cmp	dword ptr [ebx+0Ch], 0FFFFFFFFh
		jz	short loc_4CCBDF

loc_4CCBC9:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref+60j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA79Fj
		and	dword ptr [ebx+0Ch], 0

loc_4CCBCD:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref+4Fj
		lea	esp, [ebp-38h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4CCBDF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref+33j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA6E5j ...
		and	dword ptr [ebx+4], 0
		jmp	short loc_4CCBCD
; 

loc_4CCBE5:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref+2Dj
		mov	edx, [ebx+0Ch]
		cmp	edx, 0FFFFFFFFh
		jz	loc_5C7271
		cmp	edx, 1
		jbe	short loc_4CCBC9
		jmp	loc_5C7315
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult proc	near
					; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+F6p
					; ST_STORE_SM_TRAITS___StCompactRegions+478p ...

var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C7338 SIZE 000000C9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, edx
		mov	edx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edx+0Ch]
		mov	[ebp+var_14], edi
		cmp	esi, 0FFFFFFFFh
		jz	short loc_4CCC65
		test	esi, esi
		jz	short loc_4CCC65
		mov	eax, [edx]
		lea	edx, [esi-1]
		lea	edx, [eax+edx*8]

loc_4CCC2F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+6Cj
		mov	eax, [edx]
		neg	ecx
		mov	[ebx], eax
		mov	eax, [edx+4]
		sbb	ecx, ecx
		mov	[ebx+4], eax
		lea	eax, [edi+8]
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C7338

loc_4CCC4D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FA740j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FA74Dj ...
		add	dword ptr [ebx+4], 0FFFFFFFCh
		lea	esp, [ebp-3Ch]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_4CCC65:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+25j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+29j
		add	edx, 4
		jmp	short loc_4CCC2F
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmCombineLazyCleanup proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+21Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C7401 SIZE 00000091 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	cl, [edi+47Dh]
		mov	al, cl
		and	al, 3
		cmp	al, 1
		jnz	loc_5C7401
		and	cl, 0FEh
		mov	edx, edi
		or	cl, 2
		mov	[edi+47Dh], cl
		lea	ecx, [ebp+var_C]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorAttachEx

loc_4CCCA7:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+FA7D5j
		mov	[ebp+var_4], ebx
		cmp	[edi+478h], ebx
		jbe	loc_5C745E

loc_4CCCB6:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+AAj
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	loc_5C745E
		movzx	eax, word ptr [ecx]
		mov	edx, [ebp+var_8]
		inc	eax
		add	edx, 8
		mov	[ebp+var_8], edx
		lea	eax, [ecx+eax*8]
		cmp	edx, eax
		jnb	short loc_4CCD40
		mov	esi, edx

loc_4CCCD7:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+F2j
					; ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+F9j ...
		test	esi, esi
		jz	loc_5C745E
		cmp	[ebp+var_4], 200h
		jb	short loc_4CCD02
		mov	ecx, [edi+1C0h]
		xor	al, al
		cmp	al, [ecx+10F6h]
		sbb	edx, edx
		inc	edx
		call	SmWorkQueueGetDepth
		test	eax, eax
		jnz	short loc_4CCD16

loc_4CCD02:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+7Cj
		mov	edx, esi
		mov	ecx, edi
		call	?StDmCombinePageEntry@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_PAGE_RECORD@1@PAU_ST_DATA_MGR@1@PAU_ST_PAGE_ENTRY@1@@Z ; ST_STORE<SM_TRAITS>::StDmCombinePageEntry(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY *)
		inc	[ebp+var_4]
		cmp	[edi+478h], ebx
		ja	short loc_4CCCB6

loc_4CCD16:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+96j
		mov	eax, [esi]
		mov	[edi+250h], eax

loc_4CCD1E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+FA809j
		cmp	[edi+478h], ebx
		ja	loc_5C7478
		and	byte ptr [edi+47Dh], 0FCh

loc_4CCD31:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+FA823j
		mov	edx, edi
		lea	ecx, [ebp+var_C]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4CCD40:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+69j
		mov	eax, [edi+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C7444
		mov	eax, [ecx+4]

loc_4CCD4F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+FA7E7j
		test	eax, eax
		jz	short loc_4CCD61
		lea	esi, [eax+8]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], esi
		jmp	loc_4CCCD7
; 

loc_4CCD61:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+E7j
		mov	esi, ebx
		jmp	loc_4CCCD7
ST_STORE_SM_TRAITS___StDmCombineLazyCleanup endp


;  S U B	R O U T	I N E 


SmWorkQueueGetDepth proc near		; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+8Fp
					; ST_STORE_SM_TRAITS___StDmCheckForCompaction+FAAC7p ...

; FUNCTION CHUNK AT 005C7492 SIZE 0000000D BYTES

		mov	edi, edi
		push	esi
		mov	esi, [ecx+1128h]
		add	esi, [ecx+1260h]
		test	edx, edx
		jnz	loc_5C7492
		mov	ecx, [ecx+112Ch]
		shr	ecx, 8
		add	esi, ecx

loc_4CCD8A:				; CODE XREF: SmWorkQueueGetDepth+FA732j
		mov	eax, esi
		pop	esi
		retn
SmWorkQueueGetDepth endp


;  S U B	R O U T	I N E 


; __stdcall SmHpChunkGetId(x, x)
_SmHpChunkGetId@8 proc near		; CODE XREF: ST_STORE<SM_TRAITS>::StDmpDummyPageRecordAllocate(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+29p
					; ST_STORE_SM_TRAITS___StDmCombinePageRecords+28p
		mov	edi, edi
		push	esi
		mov	esi, edx
		sub	edx, [ecx+98h]
		and	esi, 0FFFFF000h
		sub	edx, esi
		mov	eax, edx
		xor	edx, edx
		div	dword ptr [ecx+90h]
		mov	edx, [esi+8]
		mov	ecx, [ecx+88h]
		shl	edx, cl
		add	eax, edx
		pop	esi
		retn
_SmHpChunkGetId@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmEtwEnabled(x)
_SmEtwEnabled@4	proc near		; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+27p
					; ST_STORE_SM_TRAITS___StReleaseRegion+56p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_10], 0
		mov	[ebp+var_14], 10h
		mov	[ebp+var_C], 40h
		mov	[ebp+var_8], 80h
		mov	eax, [ebp+ecx*4+var_14]
		and	eax, ds:dword_718654
		mov	ecx, [ebp+var_4]
		neg	eax
		sbb	eax, eax
		xor	ecx, ebp
		and	eax, offset unk_718648
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SmEtwEnabled@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static unsigned long __stdcall B_TREE<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct NP_CONTEXT,	struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::BTreeFindSeperatorIndexEntry(struct B_TREE<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::SEARCH_RESULT *, unsigned long, struct	B_TREE<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::PATH_ENTRY *)
?BTreeFindSeperatorIndexEntry@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGKPAUSEARCH_RESULT@1@KPAUPATH_ENTRY@1@@Z proc near
					; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+23p
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+97p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ecx]
		push	esi
		mov	esi, [ecx+0Ch]
		add	esi, 0FFFFFFFEh
		mov	[ebp+var_4], edx
		push	edi
		lea	esi, [ebx+esi*8]

loc_4CCE1B:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindSeperatorIndexEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::PATH_ENTRY *)+4Aj
		cmp	esi, ebx
		jb	short loc_4CCE44
		test	edx, edx
		jnz	short loc_4CCE50
		mov	edx, [esi]
		mov	edi, [esi+4]
		lea	eax, [edx+8]
		cmp	edi, eax
		jbe	short loc_4CCE48
		mov	ecx, [ebp+arg_0]
		lea	eax, [edi-8]
		mov	[ecx], edx

loc_4CCE37:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindSeperatorIndexEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::PATH_ENTRY *)+64j
		mov	[ecx+4], eax
		xor	eax, eax
		inc	eax

loc_4CCE3D:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindSeperatorIndexEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::PATH_ENTRY *)+42j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4CCE44:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindSeperatorIndexEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::PATH_ENTRY *)+19j
		xor	eax, eax
		jmp	short loc_4CCE3D
; 

loc_4CCE48:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindSeperatorIndexEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::PATH_ENTRY *)+29j
		mov	edx, [ebp+var_4]

loc_4CCE4B:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindSeperatorIndexEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::PATH_ENTRY *)+58j
		sub	esi, 8
		jmp	short loc_4CCE1B
; 

loc_4CCE50:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindSeperatorIndexEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::PATH_ENTRY *)+1Dj
		mov	ecx, [esi]
		movzx	eax, word ptr [ecx]
		inc	eax
		lea	eax, [ecx+eax*8]
		cmp	[esi+4], eax
		jnb	short loc_4CCE4B
		mov	eax, ecx
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [esi+4]
		jmp	short loc_4CCE37
?BTreeFindSeperatorIndexEntry@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGKPAUSEARCH_RESULT@1@KPAUPATH_ENTRY@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmHpUnprotectListNeighbors proc	near	; CODE XREF: SmHpBufferUpdateFullness(x,x,x)+7Ep

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C749F SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		mov	[ebp+var_4], ecx
		mov	ebx, edx
		test	edi, edi
		jz	loc_5C749F
		mov	ecx, [edi]
		cmp	ecx, ebx
		jnz	short loc_4CCE9A

loc_4CCE8C:				; CODE XREF: SmHpUnprotectListNeighbors+4Aj
		mov	ecx, [edi+4]
		cmp	ecx, ebx
		jnz	short loc_4CCEB6

loc_4CCE93:				; CODE XREF: SmHpUnprotectListNeighbors+66j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4CCE9A:				; CODE XREF: SmHpUnprotectListNeighbors+20j
		mov	ecx, [ecx+8]
		bsr	eax, ecx
		push	esi
		btc	ecx, eax
		imul	edx, ecx, 0Ch
		mov	ecx, [ebp+var_4]
		push	1
		add	edx, [ecx+eax*4]
		call	SmHpBufferProtectEx
		jmp	short loc_4CCE8C
; 

loc_4CCEB6:				; CODE XREF: SmHpUnprotectListNeighbors+27j
		mov	ecx, [ecx+8]
		bsr	eax, ecx
		btc	ecx, eax
		imul	edx, ecx, 0Ch
		mov	ecx, [ebp+var_4]

loc_4CCEC5:				; CODE XREF: SmHpUnprotectListNeighbors+FA644j
		add	edx, [ecx+eax*4]
		push	esi
		push	1
		call	SmHpBufferProtectEx
		jmp	short loc_4CCE93
SmHpUnprotectListNeighbors endp


;  S U B	R O U T	I N E 


; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StReleaseReadContext(struct	ST_STORE<struct	SM_TRAITS> *, void *)
?StReleaseReadContext@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@PAX@Z proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+15Cp
					; SMKM_STORE<SM_TRAITS>::SmStDirectReadCallout(void *)+22p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		mov	edx, [esi+8]
		lea	ecx, [edi+38h]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref
		mov	edx, [esi+0Ch]
		lea	ecx, [edi+5Ch]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		cmp	word ptr [edi+9A4h], 10h
		jnb	short loc_4CCF09
		lea	ecx, [edi+9A0h]
		mov	edx, esi
		pop	edi
		pop	esi
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
; 

loc_4CCF09:				; CODE XREF: ST_STORE<SM_TRAITS>::StReleaseReadContext(ST_STORE<SM_TRAITS> *,void *)+26j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
?StReleaseReadContext@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@PAX@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+34Ap
					; ST_STORE<SM_TRAITS>::StReleaseReadContext(ST_STORE<SM_TRAITS>	*,void *)+Ep ...

var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C74B3 SIZE 000000C7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		neg	ecx
		mov	[ebp+var_10], esi
		push	edi
		sbb	ecx, ecx
		lea	eax, [esi+8]
		and	ecx, eax
		mov	[ebp+var_14], ecx
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_4CCF5F
		cmp	dword ptr [ebx+0Ch], 0FFFFFFFFh
		jz	short loc_4CCF75

loc_4CCF49:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref+5Aj
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref+FA661j
		and	dword ptr [ebx+0Ch], 0

loc_4CCF4D:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref+65j
		lea	esp, [ebp-38h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4CCF5F:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref+2Dj
		mov	edx, [ebx+0Ch]
		cmp	edx, 0FFFFFFFFh
		jz	loc_5C74B3
		cmp	edx, 1
		jbe	short loc_4CCF49
		jmp	loc_5C7557
; 

loc_4CCF75:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref+33j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref+FA5A7j	...
		and	dword ptr [ebx+4], 0
		jmp	short loc_4CCF4D
B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmCurrentRegionSet proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char	* *,ulong *)+80p
					; ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char * *,ulong *)+A8p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C757A SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		imul	ecx, edx, 0Ch
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_8], ecx
		mov	ecx, [ecx+esi+2B4h]
		mov	[ebp+var_4], ecx
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_4CD01E
		and	[ebp+arg_0], 0
		or	ebx, edi

loc_4CCFA6:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+D5j
		mov	eax, [ebp+var_8]
		or	dword ptr [eax+esi+2B4h], 0FFFFFFFFh
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_4CCFF5
		cmp	edi, ecx
		jz	short loc_4CCFF5
		cmp	byte ptr [esi+1ACh], 0
		jnz	short loc_4CCFD0
		push	ecx
		mov	edx, ecx
		mov	ecx, esi
		call	?StUnlockAndUnmapRegion@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@KPAD@Z ; ST_STORE<SM_TRAITS>::StUnlockAndUnmapRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,char *)
		mov	ecx, [ebp+var_4]

loc_4CCFD0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+45j
		mov	eax, [esi+240h]
		mov	edx, 1FFFh
		movzx	eax, word ptr [eax+ecx*2]
		test	eax, edx
		jz	loc_4CD0A4
		and	eax, edx
		mov	edx, ecx
		push	eax
		push	0
		mov	ecx, esi
		call	?StDmUpdateRegionsToCompactBitmap@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@KKK@Z ;	ST_STORE<SM_TRAITS>::StDmUpdateRegionsToCompactBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ulong,ulong,ulong)

loc_4CCFF5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+38j
					; ST_STORE_SM_TRAITS___StDmCurrentRegionSet+3Cj ...
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_4CD056

loc_4CCFFA:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+E5j
					; ST_STORE_SM_TRAITS___StDmCurrentRegionSet+FCj
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+arg_0]
		mov	[eax+esi+2B4h],	edi
		mov	[eax+esi+2B8h],	ebx
		mov	[eax+esi+2BCh],	ecx
		xor	eax, eax

loc_4CD017:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+10Ej
					; ST_STORE_SM_TRAITS___StDmCurrentRegionSet+123j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4CD01E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+22j
		mov	ebx, [esi+240h]
		mov	ecx, esi
		push	0
		push	edx
		mov	edx, edi
		call	ST_STORE_SM_TRAITS___StMapAndLockRegion
		mov	edx, eax
		mov	[ebp+arg_0], edx
		test	edx, edx
		jz	short loc_4CD09A
		cmp	edx, 0FFFFFFFFh
		jz	loc_5C757A
		movzx	ebx, word ptr [ebx+edi*2]
		and	ebx, 1FFFh
		ja	short loc_4CD07A

loc_4CD04E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+10Cj
		mov	ecx, [ebp+var_4]
		jmp	loc_4CCFA6
; 

loc_4CD056:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+7Cj
		test	ebx, ebx
		jnz	short loc_4CD08C

loc_4CD05A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+11Cj
		cmp	byte ptr [esi+1ACh], 0
		jnz	short loc_4CCFFA
		mov	ecx, [esi+480h]
		push	0FFFFFFFEh
		push	1388h
		push	3
		pop	edx
		call	ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork
		jmp	short loc_4CCFFA
; 

loc_4CD07A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+D0j
		push	0
		push	edi
		push	edx
		push	edi
		mov	ecx, esi
		call	ST_STORE_SM_TRAITS___StCompactRegions
		test	eax, eax
		jns	short loc_4CD04E
		jmp	short loc_4CD017
; 

loc_4CD08C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+DCj
		push	0
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	?StDmUpdateRegionsToCompactBitmap@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@KKK@Z ;	ST_STORE<SM_TRAITS>::StDmUpdateRegionsToCompactBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ulong,ulong,ulong)
		jmp	short loc_4CD05A
; 

loc_4CD09A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+BBj
		mov	eax, 0C000002Ah
		jmp	loc_4CD017
; 

loc_4CD0A4:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+65j
		mov	edx, ecx
		mov	ecx, esi
		call	ST_STORE_SM_TRAITS___StReleaseRegion
		jmp	loc_4CCFF5
ST_STORE_SM_TRAITS___StDmCurrentRegionSet endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref	proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+13Cp
					; ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+398p ...

var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C7584 SIZE 000000C7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		neg	ecx
		mov	[ebp+var_10], esi
		push	edi
		sbb	ecx, ecx
		lea	eax, [esi+8]
		and	ecx, eax
		mov	[ebp+var_14], ecx
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_4CD0FD
		cmp	dword ptr [ebx+0Ch], 0FFFFFFFFh
		jz	short loc_4CD113

loc_4CD0E7:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref+5Aj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA594j
		and	dword ptr [ebx+0Ch], 0

loc_4CD0EB:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref+65j
		lea	esp, [ebp-38h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4CD0FD:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref+2Dj
		mov	edx, [ebx+0Ch]
		cmp	edx, 0FFFFFFFFh
		jz	loc_5C7584
		cmp	edx, 1
		jbe	short loc_4CD0E7
		jmp	loc_5C7628
; 

loc_4CD113:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref+33j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA4DAj ...
		and	dword ptr [ebx+4], 0
		jmp	short loc_4CD0EB
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute proc near
					; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+A9p
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+F6p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C764B SIZE 000000A2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, [edx]
		and	[ebp+var_C], 0
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		mov	esi, [edx+0Ch]
		push	edi
		mov	edi, ecx
		mov	ebx, [eax+esi*8-10h]
		mov	ecx, [eax+esi*8-0Ch]
		mov	edx, [eax+esi*8-8]
		mov	[ebp+var_1C], edx
		movzx	eax, word ptr [ebx]
		inc	eax
		mov	[ebp+var_18], ecx
		lea	eax, [ebx+eax*8]
		cmp	ecx, eax
		jnz	loc_4CD26E
		sub	ecx, 8
		lea	eax, [ebx+8]
		mov	[ebp+var_18], ecx
		lea	edx, [ecx-4]
		cmp	ecx, eax
		jbe	loc_4CD2B9

loc_4CD169:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+1A2j
		lea	eax, [ebp+var_C]
		xor	esi, esi
		mov	[ebp+var_10], eax
		inc	esi
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_14], eax

loc_4CD178:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+162j
		mov	ecx, edi
		lea	eax, [edi+8]
		neg	ecx
		mov	[ebp+var_1C], eax
		lea	eax, [edi+8]
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C764B

loc_4CD194:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+FA535j
		mov	ecx, [ebp+var_10]
		mov	eax, [edx]
		mov	[ecx], eax

loc_4CD19B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+FA55Dj
		mov	edx, [ebp+var_14]
		or	esi, eax
		mov	ebx, [ebp+var_C]
		mov	ecx, 0FFFFh
		mov	[ebp+var_1C], esi
		mov	edi, [edx]
		mov	eax, [ebx]
		and	edi, ecx
		and	eax, ecx
		mov	[ebp+var_8], edi
		lea	ecx, [eax+edi]
		cmp	ecx, 3FDh
		jnb	loc_4CD267
		cmp	ecx, 1FFh
		jb	loc_4CD267
		shr	ecx, 1
		cmp	eax, edi
		ja	loc_4CD281
		mov	edi, ecx
		mov	[ebp+var_10], ebx
		mov	esi, edx
		sub	edi, eax

loc_4CD1E4:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+172j
		cmp	[ebp+var_8], eax
		sbb	edx, edx
		and	edx, ecx
		mov	[ebp+var_28], edx
		inc	edx
		cmp	[ebp+var_8], eax
		sbb	ecx, ecx
		not	ecx
		lea	edx, [esi+edx*8]
		and	ecx, eax
		mov	[ebp+var_C], edx
		mov	al, [esi+3]
		mov	[ebp+var_24], ecx
		inc	ecx
		mov	[ebp+var_1], al
		mov	eax, [ebp+var_10]
		lea	ecx, [ebx+ecx*8]
		mov	[ebp+var_8], ecx
		cmp	esi, eax
		jz	short loc_4CD291

loc_4CD215:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+19Aj
		cmp	[ebp+var_1], 0
		jz	loc_5C7684
		mov	eax, edi
		shl	eax, 3
		push	eax		; size_t
		push	edx		; void *
		push	ecx		; void *

loc_4CD227:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+FA5CEj
		call	_memcpy
		movzx	eax, di
		add	esp, 0Ch
		add	[ebx], ax
		sub	[esi], ax
		mov	ebx, [ebp+var_14]
		cmp	esi, ebx
		jnz	short loc_4CD256
		mov	ecx, [ebp+var_C]
		movzx	eax, word ptr [esi]
		shl	eax, 3
		push	eax		; size_t
		lea	eax, [ecx+edi*8]
		push	eax		; void *
		push	ecx		; void *
		call	_memmove
		add	esp, 0Ch

loc_4CD256:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+123j
		cmp	byte ptr [ebx+3], 0
		mov	esi, [ebp+var_1C]
		jz	short loc_4CD267
		mov	edx, [ebp+var_18]
		mov	ecx, [ebx+8]
		mov	[edx], ecx

loc_4CD267:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+A5j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+B1j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4CD26E:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+35j
		lea	eax, [ebp+var_14]
		mov	[ebp+var_C], edx
		lea	edx, [ecx+4]
		mov	[ebp+var_10], eax
		xor	esi, esi
		jmp	loc_4CD178
; 

loc_4CD281:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+BBj
		mov	esi, ebx
		mov	edi, eax
		mov	ebx, edx
		mov	[ebp+var_10], esi
		sub	edi, ecx
		jmp	loc_4CD1E4
; 

loc_4CD291:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+F9j
		movzx	eax, word ptr [ebx]
		shl	eax, 3
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [ecx+edi*8]
		push	eax		; void *
		call	_memmove
		mov	al, [esi+3]
		add	esp, 0Ch
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_1], al
		mov	eax, [ebp+var_10]
		jmp	loc_4CD215
; 

loc_4CD2B9:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+49j
		lea	edx, [ebx+4]
		jmp	loc_4CD169
B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmReuseCurrentRegion(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, struct ST_STORE<struct SM_TRAITS>::_ST_CURRENT_REGION *)
?StDmReuseCurrentRegion@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_CURRENT_REGION@1@@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char	* *,ulong *)+71p
					; ST_STORE<SM_TRAITS>::StDmpCurrentRegionWrite(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [edx]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	eax, [esi+240h]
		movzx	edi, word ptr [eax+ebx*2]
		and	edi, 1FFFh
		test	dword ptr [esi+1ACh], 40000h
		jz	short loc_4CD302
		mov	ecx, [esi+1C0h]
		mov	edx, ebx
		call	?SmStIsRegionBusy@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@K@Z ; SMKM_STORE<SM_TRAITS>::SmStIsRegionBusy(SMKM_STORE<SM_TRAITS> *,ulong)
		test	eax, eax
		jnz	short loc_4CD312
		mov	edx, [ebp+var_4]

loc_4CD302:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmReuseCurrentRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_CURRENT_REGION *)+2Aj
		mov	ecx, [esi+1CCh]
		imul	eax, ecx, 3
		shr	eax, 2
		cmp	edi, eax
		jb	short loc_4CD31C

loc_4CD312:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmReuseCurrentRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_CURRENT_REGION *)+3Bj
					; ST_STORE<SM_TRAITS>::StDmReuseCurrentRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_CURRENT_REGION *)+63j
		mov	eax, 0C000007Fh

loc_4CD317:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmReuseCurrentRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_CURRENT_REGION *)+76j
					; ST_STORE<SM_TRAITS>::StDmReuseCurrentRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_CURRENT_REGION *)+7Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4CD31C:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmReuseCurrentRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_CURRENT_REGION *)+4Ej
		sub	ecx, [esi+1D0h]
		inc	ecx
		cmp	edi, ecx
		jnb	short loc_4CD312
		mov	edx, [edx+8]
		mov	ecx, esi
		push	0
		push	ebx
		push	edx
		push	ebx
		call	ST_STORE_SM_TRAITS___StCompactRegions
		test	eax, eax
		js	short loc_4CD317
		mov	ecx, [ebp+var_4]
		mov	[ecx+4], edi
		jmp	short loc_4CD317
?StDmReuseCurrentRegion@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_CURRENT_REGION@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	B_TREE<unsigned	long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY, 4096, struct	NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultCleanup(struct B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY, 4096, struct NP_CONTEXT,	struct ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *, struct B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY, 4096, struct NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *, unsigned long)
?BTreeSearchResultCleanup@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGXPAU1@PAUSEARCH_RESULT@1@K@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+1FAp
					; ST_STORE_SM_TRAITS___StDmCleanup+71p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		cmp	dword ptr [esi+0Ch], 0FFFFFFFFh
		jnz	short loc_4CD35A

loc_4CD355:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultCleanup(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+1Cj
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultCleanup(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+22j ...
		pop	esi
		pop	ebp
		retn	4
; 

loc_4CD35A:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultCleanup(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+11j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_4CD355
		cmp	[ebp+arg_0], 0
		jnz	short loc_4CD355
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4CD355
?BTreeSearchResultCleanup@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGXPAU1@PAUSEARCH_RESULT@1@K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StDmUpdateRegionsToCompactBitmap(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *,	unsigned long, unsigned	long, unsigned long)
?StDmUpdateRegionsToCompactBitmap@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@KKK@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+74p
					; ST_STORE_SM_TRAITS___StDmCurrentRegionSet+117p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	eax, [esi+1C4h]
		inc	eax
		shr	eax, 1
		cmp	[ebp+arg_0], 0
		jnz	short loc_4CD391

loc_4CD387:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmUpdateRegionsToCompactBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,ulong)+24j
		cmp	[ebp+arg_4], eax
		jb	short loc_4CD3BA

loc_4CD38C:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmUpdateRegionsToCompactBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,ulong)+48j
					; ST_STORE<SM_TRAITS>::StDmUpdateRegionsToCompactBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,ulong)+4Ej ...
		pop	esi
		pop	ebp
		retn	8
; 

loc_4CD391:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmUpdateRegionsToCompactBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,ulong)+15j
		cmp	[ebp+arg_0], eax
		jnb	short loc_4CD387
		cmp	[ebp+arg_4], 0
		jnz	short loc_4CD3DE

loc_4CD39C:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmUpdateRegionsToCompactBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,ulong)+71j
		dec	dword ptr [esi+25Ch]
		mov	ecx, edx
		shr	ecx, 3
		and	edx, 7
		add	ecx, [esi+258h]
		movsx	eax, byte ptr [ecx]
		bts	eax, edx
		mov	[ecx], al
		jmp	short loc_4CD38C
; 

loc_4CD3BA:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmUpdateRegionsToCompactBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,ulong)+1Aj
		cmp	[ebp+arg_4], 0
		jz	short loc_4CD38C
		mov	ecx, edx
		and	edx, 7
		shr	ecx, 3
		add	ecx, [esi+258h]
		movsx	eax, byte ptr [ecx]
		btr	eax, edx
		mov	[ecx], al
		inc	dword ptr [esi+25Ch]
		jmp	short loc_4CD38C
; 

loc_4CD3DE:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmUpdateRegionsToCompactBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,ulong)+2Aj
		cmp	[ebp+arg_4], eax
		jnb	short loc_4CD39C
		jmp	short loc_4CD38C
?StDmUpdateRegionsToCompactBitmap@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@KKK@Z endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StRegionFindCompact proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmpSinglePageFindSpace(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong,char	* *,ulong *)+8Dp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C76ED SIZE 0000006A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	[ebp+var_24], edx
		mov	edx, ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, [edx+1C0h]
		mov	[ebp+var_8], edx
		mov	eax, [eax+1254h]
		test	eax, eax
		jnz	loc_4CD6EE
		mov	esi, [edx+1C4h]
		mov	ecx, [edx+260h]
		inc	esi
		shr	esi, 1

loc_4CD426:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+302j
		mov	eax, [edx+1E4h]
		mov	ebx, 1FFFh
		mov	[ebp+var_28], eax
		mov	ax, [edx+1CCh]
		sub	ax, [edx+1D0h]
		inc	ax
		mov	[ebp+var_C], ecx
		mov	ecx, [edx+240h]
		and	ax, bx
		cmp	dword ptr [edx+25Ch], 0
		mov	word ptr [ebp+var_4], ax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_20], eax
		jz	loc_4CD5B0
		test	esi, esi
		jz	loc_4CD5B0
		xor	ecx, ecx
		mov	[ebp+var_14], ecx
		lea	ebx, [ebx+0]

loc_4CD480:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+1B5j
					; ST_STORE_SM_TRAITS___StRegionFindCompact+FA300j
		mov	ebx, [edx+254h]
		mov	[ebp+var_1C], ebx
		cmp	ebx, ecx
		jbe	loc_4CD5AD
		mov	edx, [edx+258h]
		lea	eax, [ebx-1]
		shr	eax, 5
		mov	esi, ecx
		mov	[ebp+var_18], edx
		lea	edi, [edx+eax*4]
		mov	eax, ecx
		shr	eax, 5
		lea	eax, [edx+eax*4]
		cmp	eax, edi
		jz	short loc_4CD4E2
		mov	ebx, ecx
		and	ebx, 1Fh
		mov	ecx, ds:dword_40BA68[ebx*4]
		or	ecx, [eax]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_4CD4DC
		mov	esi, [ebp+var_14]
		add	eax, 4
		sub	esi, ebx
		add	esi, 20h
		cmp	eax, edi
		jnb	short loc_4CD4DC

loc_4CD4D3:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+29Bj
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CD683

loc_4CD4DC:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+D2j
					; ST_STORE_SM_TRAITS___StRegionFindCompact+E1j	...
		mov	edx, [ebp+var_18]
		mov	ebx, [ebp+var_1C]

loc_4CD4E2:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+BFj
		cmp	esi, ebx
		jnb	short loc_4CD4F0

loc_4CD4E6:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+FEj
		bt	[edx], esi
		jnb	short loc_4CD4F0
		inc	esi
		cmp	esi, ebx
		jb	short loc_4CD4E6

loc_4CD4F0:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+F4j
					; ST_STORE_SM_TRAITS___StRegionFindCompact+F9j
		xor	ebx, ebx
		cmp	eax, edi
		jz	short loc_4CD511
		mov	edx, [eax]
		mov	ecx, esi
		and	ecx, 1Fh
		mov	[ebp+var_1C], ecx
		mov	ecx, ds:dword_40BA68[ecx*4]
		not	ecx
		and	ecx, edx
		jz	loc_4CD6C2

loc_4CD511:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+104j
					; ST_STORE_SM_TRAITS___StRegionFindCompact+2E8j ...
		mov	ecx, [ebp+var_8]
		lea	eax, [ebx+esi]
		mov	edx, [ecx+254h]
		cmp	eax, edx
		jnb	short loc_4CD530
		mov	ecx, [ecx+258h]

loc_4CD527:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+2B3j
		bt	[ecx], eax
		jnb	loc_4CD696

loc_4CD530:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+12Fj
					; ST_STORE_SM_TRAITS___StRegionFindCompact+2A9j ...
		mov	ecx, esi
		mov	[ebp+var_14], ecx
		cmp	ebx, 0FFFFFFFFh
		ja	loc_5C7711

loc_4CD53E:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+FA324j
		test	ebx, ebx
		jz	short loc_4CD5AA
		mov	edx, [ebp+var_10]
		lea	eax, [ebx+esi]
		mov	[ebp+var_1C], eax
		lea	edi, [edx+esi*2]
		cmp	esi, eax
		jnb	loc_5C76ED
		mov	eax, [ebp+var_8]
		mov	esi, [ebp+var_1C]
		mov	ebx, [eax+1ACh]

loc_4CD562:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+1B1j
		test	ebx, 40000h
		jz	short loc_4CD57E
		mov	edx, ecx
		mov	ecx, [eax+1C0h]
		call	?SmStIsRegionBusy@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@K@Z ; SMKM_STORE<SM_TRAITS>::SmStIsRegionBusy(SMKM_STORE<SM_TRAITS> *,ulong)
		mov	ecx, [ebp+var_14]
		test	eax, eax
		jnz	short loc_4CD595

loc_4CD57E:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+178j
		test	bl, bl
		jnz	loc_5C7719
		movzx	eax, word ptr [edi]
		shr	eax, 0Dh

loc_4CD58C:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+FA32Bj
		cmp	eax, [ebp+var_24]
		jz	loc_4CD6BE

loc_4CD595:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+18Cj
		mov	eax, [ebp+var_8]
		inc	ecx
		add	edi, 2
		mov	[ebp+var_14], ecx
		cmp	ecx, esi
		jb	short loc_4CD562
		mov	edx, eax
		jmp	loc_4CD480
; 

loc_4CD5AA:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+150j
		mov	edx, [ebp+var_8]

loc_4CD5AD:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+9Bj
		mov	ecx, [ebp+var_10]

loc_4CD5B0:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+77j
					; ST_STORE_SM_TRAITS___StRegionFindCompact+7Fj
		mov	ebx, [ebp+var_28]
		mov	eax, [ebp+var_C]
		mov	[ebp+var_1C], 0
		lea	edi, [ecx+ebx*2]
		lea	esi, [ecx+eax*2]
		test	ebx, ebx
		jz	loc_5C7741
		mov	ebx, [edx+1ACh]

loc_4CD5D1:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+248j
		cmp	esi, edi
		jnb	loc_5C7720

loc_4CD5D9:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+FA337j
		test	ebx, 40000h
		jz	short loc_4CD5F2
		mov	ecx, [edx+1C0h]
		mov	edx, eax
		call	?SmStIsRegionBusy@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@K@Z ; SMKM_STORE<SM_TRAITS>::SmStIsRegionBusy(SMKM_STORE<SM_TRAITS> *,ulong)
		test	eax, eax
		jnz	short loc_4CD619

loc_4CD5F2:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+1EFj
		movzx	eax, word ptr [esi]
		mov	ecx, eax
		test	bl, bl
		jnz	loc_5C772C
		mov	edx, eax
		shr	edx, 0Dh

loc_4CD604:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+FA33Ej
		mov	eax, [ebp+var_20]
		and	ecx, 1FFFh
		mov	ax, [eax]
		and	ax, word ptr [ebp+var_2C]
		cmp	cx, ax
		jb	short loc_4CD63A

loc_4CD619:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+200j
					; ST_STORE_SM_TRAITS___StRegionFindCompact+252j ...
		mov	edx, [ebp+var_8]

loc_4CD61C:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+269j
		mov	eax, [ebp+var_1C]
		add	esi, 2
		inc	[ebp+var_C]
		inc	eax
		mov	[ebp+var_1C], eax
		cmp	eax, [ebp+var_28]
		jnb	loc_5C7733
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		jmp	short loc_4CD5D1
; 

loc_4CD63A:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+227j
		cmp	edx, [ebp+var_24]
		jz	short loc_4CD6AE
		test	cx, cx
		jnz	short loc_4CD619
		mov	ecx, [ebp+var_10]
		lea	eax, [edx+edx*2]
		mov	edx, [ebp+var_8]
		mov	eax, [edx+eax*4+2B4h]
		lea	eax, [ecx+eax*2]
		cmp	esi, eax
		jz	short loc_4CD61C
		mov	edx, esi

loc_4CD65D:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+2CCj
					; ST_STORE_SM_TRAITS___StRegionFindCompact+2D0j ...
		mov	eax, [ebp+var_8]
		mov	ecx, edx
		sub	ecx, [ebp+var_10]
		sar	ecx, 1
		inc	ecx
		mov	[eax+260h], ecx
		cmp	ecx, [eax+1E4h]
		jz	loc_5C7748

loc_4CD67A:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+FA362j
		mov	eax, edx

loc_4CD67C:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+FA353j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4CD683:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+E6j
		add	eax, 4
		add	esi, 20h
		cmp	eax, edi
		jb	loc_4CD4D3
		jmp	loc_4CD4DC
; 

loc_4CD696:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+13Aj
		cmp	ebx, 0FFFFFFFFh
		jnb	loc_4CD530
		inc	eax
		inc	ebx
		cmp	eax, edx
		jb	loc_4CD527
		jmp	loc_4CD530
; 

loc_4CD6AE:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+24Dj
		mov	edx, esi
		mov	[ebp+var_20], edx
		test	cx, cx
		jnz	loc_4CD619
		jmp	short loc_4CD65D
; 

loc_4CD6BE:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+19Fj
		mov	edx, edi
		jmp	short loc_4CD65D
; 

loc_4CD6C2:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+11Bj
		mov	ebx, 20h
		sub	ebx, [ebp+var_1C]
		cmp	ebx, 0FFFFFFFFh
		jnb	loc_4CD530
		add	eax, 4
		cmp	eax, edi
		jnb	loc_4CD511
		mov	edi, edi

loc_4CD6E0:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+FA316j
		cmp	dword ptr [eax], 0
		jnz	loc_4CD511
		jmp	loc_5C76F5
; 

loc_4CD6EE:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+21j
		xor	esi, esi
		xor	ecx, ecx
		jmp	loc_4CD426
ST_STORE_SM_TRAITS___StRegionFindCompact endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StReleaseRegion proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+15Fp
					; ST_STORE_SM_TRAITS___StCompactionPerformInMem+237p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C7757 SIZE 000000C6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_8], 0
		push	ebx
		mov	ebx, ecx
		mov	ecx, 1FFFh
		push	esi
		mov	esi, edx
		push	edi
		cmp	byte ptr [ebx+1ACh], 0
		mov	[esp+18h+var_4], esi
		jnz	loc_5C77BE
		mov	edi, [ebx+1C0h]
		test	byte ptr [edi+10F5h], 4
		jz	loc_5C7757
		push	0
		mov	ecx, edi
		call	SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion

loc_4CD741:				; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+FA086j
		cmp	eax, 0C00000AEh
		jz	loc_5C7783

loc_4CD74C:				; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+FA096j
		xor	ecx, ecx
		call	_SmEtwEnabled@4	; SmEtwEnabled(x)
		test	eax, eax
		jnz	loc_5C7793

loc_4CD75B:				; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+FA0C1j
		mov	ecx, 1FFFh
		cmp	esi, [ebx+260h]
		jb	short loc_4CD7B0

loc_4CD768:				; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+BEj
					; ST_STORE_SM_TRAITS___StReleaseRegion+FA0D0j
		cmp	byte ptr [ebx+1ACh], 0
		jnz	short loc_4CD7AC
		mov	eax, [ebx+240h]
		movzx	eax, word ptr [eax+esi*2]
		shr	eax, 0Dh

loc_4CD77E:				; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+B6j
		dec	dword ptr [ebx+eax*8+430h]
		cmp	byte ptr [ebx+1ACh], 0
		mov	eax, [ebx+240h]
		jnz	short loc_4CD798
		and	[eax+esi*2], cx

loc_4CD798:				; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+9Aj
		test	byte ptr [ebx+1D8h], 4
		jnz	loc_5C77CD

loc_4CD7A5:				; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+FA0EFj
					; ST_STORE_SM_TRAITS___StReleaseRegion+FA0FCj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4CD7AC:				; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+77j
		xor	eax, eax
		jmp	short loc_4CD77E
; 

loc_4CD7B0:				; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+6Ej
		mov	[ebx+260h], esi
		jmp	short loc_4CD768
ST_STORE_SM_TRAITS___StReleaseRegion endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion	proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+44p
					; ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+194p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C781D SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, [ecx+1184h]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		lea	esi, [eax+edx*4]
		mov	[ebp+var_C], edx
		mov	eax, [ecx+117Ch]
		push	edi
		mov	edi, [esi]
		and	edi, 7FFF0000h
		mov	[ebp+var_4], ecx
		mov	[ebp+arg_0], eax
		test	bl, 2
		jnz	loc_4CD886

loc_4CD7EF:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion+D0j
		movzx	eax, word ptr [esi]
		xor	edx, edx
		inc	edx
		and	ebx, edx
		mov	[ebp+var_8], edx
		test	eax, 4000h
		jnz	loc_5C781D
		push	ebx
		mov	edx, esi
		call	?SmStCheckLockInProgressRegionComplete@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@PAT_SM_VIRTUAL_REGION@@K@Z ; SMKM_STORE<SM_TRAITS>::SmStCheckLockInProgressRegionComplete(SMKM_STORE<SM_TRAITS> *,_SM_VIRTUAL_REGION *,ulong)
		mov	ecx, [ebp+var_4]

loc_4CD810:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion+FA06Dj
		mov	edx, [ebp+var_C]
		call	?SmStIsRegionBusy@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@K@Z ; SMKM_STORE<SM_TRAITS>::SmStIsRegionBusy(SMKM_STORE<SM_TRAITS> *,ulong)
		test	eax, eax
		jnz	short loc_4CD895
		xor	edx, edx
		cmp	[esi], edx
		jl	short loc_4CD834
		mov	[ebp+var_8], edx
		mov	ecx, edi
		mov	edx, [ebp+arg_0]
		call	_MmStoreDecommitVirtualMemory@8	; MmStoreDecommitVirtualMemory(x,x)
		mov	ecx, [ebp+var_4]
		xor	edx, edx

loc_4CD834:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion+68j
		cmp	[esi], dx
		jl	short loc_4CD895
		mov	eax, [esi]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_24], eax
		mov	eax, edx
		and	eax, 0FFFFFFFEh
		mov	[esi], edx
		or	eax, [ebp+var_8]
		neg	ebx
		push	3
		mov	[ebp+var_1C], edx
		sbb	ebx, ebx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], edx
		pop	edx
		and	ebx, edx
		mov	[ebp+var_20], eax
		add	ebx, 8
		mov	[ebp+var_28], edi
		push	ebx
		lea	eax, [ebp+var_28]
		push	eax
		call	SMKM_STORE_SM_TRAITS___SmStHelperSendCommand
		cmp	eax, 0C00000AEh
		jz	short loc_4CD89C
		xor	eax, eax

loc_4CD87F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion+DBj
					; SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion+E2j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4CD886:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion+31j
		test	edi, edi
		jnz	loc_4CD7EF
		mov	eax, 40190034h
		jmp	short loc_4CD87F
; 

loc_4CD895:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion+62j
					; SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion+7Fj
		mov	eax, 0C00000AEh
		jmp	short loc_4CD87F
; 

loc_4CD89C:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion+C3j
		mov	ecx, [ebp+var_C]
		mov	[esi], ecx
		jmp	short loc_4CD87F
SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion	endp

; 
		align 4

;  S U B	R O U T	I N E 


; public: static unsigned long __stdcall SMKM_STORE<struct SM_TRAITS>::SmStIsRegionBusy(struct SMKM_STORE<struct SM_TRAITS> *, unsigned	long)
?SmStIsRegionBusy@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@K@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+A1p
					; ST_STORE_SM_TRAITS___StCompactionPerformInMem+A3p ...
		mov	eax, [ecx+1184h]
		lea	eax, [eax+edx*4]
		mov	edx, 7FFFh
		test	[eax], dx
		jnz	short loc_4CD8C2
		cmp	[ecx+1258h], eax
		jz	short loc_4CD8C2
		xor	eax, eax
		retn
; 

loc_4CD8C2:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStIsRegionBusy(SMKM_STORE<SM_TRAITS> *,ulong)+11j
					; SMKM_STORE<SM_TRAITS>::SmStIsRegionBusy(SMKM_STORE<SM_TRAITS>	*,ulong)+19j
		xor	eax, eax
		inc	eax
		retn
?SmStIsRegionBusy@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static unsigned long __stdcall SMKM_STORE<struct SM_TRAITS>::SmStCheckLockInProgressRegionComplete(struct SMKM_STORE<struct SM_TRAITS> *, union _SM_VIRTUAL_REGION *,	unsigned long)
?SmStCheckLockInProgressRegionComplete@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@PAT_SM_VIRTUAL_REGION@@K@Z proc near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)+89p
					; SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+EEp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		cmp	[esi+1258h], edx
		jz	short loc_4CD8DE

loc_4CD8D6:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCheckLockInProgressRegionComplete(SMKM_STORE<SM_TRAITS>	*,_SM_VIRTUAL_REGION *,ulong)+34j
		xor	eax, eax
		inc	eax

loc_4CD8D9:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCheckLockInProgressRegionComplete(SMKM_STORE<SM_TRAITS>	*,_SM_VIRTUAL_REGION *,ulong)+38j
		pop	esi
		pop	ebp
		retn	4
; 

loc_4CD8DE:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCheckLockInProgressRegionComplete(SMKM_STORE<SM_TRAITS>	*,_SM_VIRTUAL_REGION *,ulong)+Ej
		mov	edx, [ebp+arg_0]
		lea	ecx, [esi+11D8h]
		call	_SmKmStoreHelperCheckWaitCommand@8 ; SmKmStoreHelperCheckWaitCommand(x,x)
		cmp	eax, 0C0000120h
		jnz	short loc_4CD8FC
		and	dword ptr [esi+1258h], 0
		jmp	short loc_4CD8D6
; 

loc_4CD8FC:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCheckLockInProgressRegionComplete(SMKM_STORE<SM_TRAITS>	*,_SM_VIRTUAL_REGION *,ulong)+2Bj
		xor	eax, eax
		jmp	short loc_4CD8D9
?SmStCheckLockInProgressRegionComplete@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@PAT_SM_VIRTUAL_REGION@@K@Z endp


;  S U B	R O U T	I N E 


; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StDmInvalidateCurrentRegions(struct	ST_STORE<struct	SM_TRAITS>::_ST_DATA_MGR *)
?StDmInvalidateCurrentRegions@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+1C6p
					; ST_STORE_SM_TRAITS___StWorkItemProcess+1F0p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		movzx	esi, byte ptr [ebx+1ACh]
		neg	esi
		sbb	esi, esi
		and	esi, 0FFFFFFF9h
		add	esi, 8
		xor	edi, edi

loc_4CD91A:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmInvalidateCurrentRegions(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+28j
		push	0FFFFFFFFh
		mov	edx, edi
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StDmCurrentRegionSet
		inc	edi
		cmp	edi, esi
		jb	short loc_4CD91A
		pop	edi
		pop	esi
		pop	ebx
		retn
?StDmInvalidateCurrentRegions@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute proc near
					; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+D6p
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+125p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C782A SIZE 000000AC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [edx]
		and	[ebp+var_10], 0
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		mov	esi, [edx+0Ch]
		push	edi
		mov	edi, ecx
		push	8
		mov	edx, [eax+esi*8-8]
		mov	ecx, [eax+esi*8-0Ch]
		mov	ebx, [eax+esi*8-10h]
		xor	eax, eax
		mov	[ebp+var_C], edx
		cmp	[edx+3], al
		pop	edx
		setnz	al
		mov	[ebp+var_20], ecx
		dec	eax
		mov	[ebp+var_18], edx
		and	eax, 0FFFFFE01h
		add	eax, 3FEh
		mov	[ebp+var_24], eax
		movzx	eax, word ptr [ebx]
		inc	eax
		lea	eax, [ebx+eax*8]
		cmp	ecx, eax
		jz	loc_4CDAB9
		mov	eax, [ebp+var_C]
		lea	esi, [ecx+4]
		and	[ebp+var_8], 0
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_1C], eax

loc_4CD998:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+1ADj
		mov	ecx, edi
		lea	eax, [edi+8]
		neg	ecx
		mov	[ebp+var_28], eax
		lea	eax, [edi+8]
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C782A

loc_4CD9B4:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+F9F00j
		mov	ecx, [ebp+var_1C]
		mov	eax, [esi]
		mov	[ecx], eax

loc_4CD9BB:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+F9F2Dj
		mov	edi, [ebp+var_14]
		mov	esi, 0FFFFh
		mov	ebx, [ebp+var_10]
		or	[ebp+var_8], eax
		mov	eax, [edi]
		mov	ecx, [ebx]
		and	eax, esi
		and	ecx, esi
		mov	[ebp+var_C], eax
		lea	esi, [ecx+eax]
		mov	eax, [ebp+var_24]
		cmp	esi, eax
		jb	loc_4CDB1A
		lea	eax, ds:0FFFFFFFFh[eax*2]
		cmp	esi, eax
		jnb	loc_4CDB1A
		shr	esi, 1
		mov	eax, esi
		mov	[ebp+var_10], esi
		cmp	ecx, [ebp+var_C]
		ja	loc_4CDAE0
		sub	esi, ecx
		mov	[ebp+var_1C], ebx

loc_4CDA06:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+1BEj
		cmp	[ebp+var_C], ecx
		push	8
		sbb	edx, edx
		not	edx
		and	edx, ecx
		cmp	[ebp+var_C], ecx
		mov	[ebp+var_24], edx
		sbb	ecx, ecx
		and	ecx, eax
		mov	al, [edi+3]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_1], al
		pop	edx
		test	al, al
		jz	short loc_4CDA2F
		push	4
		pop	edx
		mov	[ebp+var_18], edx

loc_4CDA2F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+F9j
		mov	eax, [ebp+var_24]
		imul	eax, edx
		mov	[ebp+var_10], edx
		add	eax, 8
		add	eax, ebx
		mov	[ebp+var_10], eax
		mov	eax, ecx
		mov	ecx, edx
		imul	ecx, eax
		mov	eax, [ebp+var_1C]
		add	ecx, 8
		add	ecx, edi
		mov	[ebp+var_C], ecx
		cmp	edi, eax
		jz	loc_4CDAF1
		mov	dl, [ebp+var_1]

loc_4CDA5D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+1E7j
		test	dl, dl
		jz	loc_5C7866
		mov	eax, esi
		imul	eax, [ebp+var_18]
		push	eax		; size_t
		push	ecx		; void *

loc_4CDA6D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+F9FA3j
		push	[ebp+var_10]	; void *
		call	_memcpy
		movzx	eax, si
		add	esp, 0Ch
		add	[ebx], ax
		sub	[edi], ax
		mov	ebx, [ebp+var_14]
		cmp	edi, ebx
		jnz	short loc_4CDAA3
		movzx	eax, word ptr [edi]
		imul	eax, [ebp+var_18]
		imul	esi, [ebp+var_18]
		push	eax		; size_t
		mov	eax, [ebp+var_C]
		add	esi, eax
		push	esi		; void *
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch

loc_4CDAA3:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+158j
		cmp	byte ptr [ebx+3], 0
		mov	eax, [ebp+var_8]
		jz	short loc_4CDAB4
		mov	edx, [ebp+var_20]
		mov	ecx, [ebx+8]
		mov	[edx], ecx

loc_4CDAB4:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+17Cj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+1EFj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4CDAB9:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+51j
		sub	ecx, edx
		lea	eax, [ebx+8]
		mov	[ebp+var_20], ecx
		lea	esi, [ecx-4]
		cmp	ecx, eax
		jbe	short loc_4CDB1F

loc_4CDAC8:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+1F4j
		lea	eax, [ebp+var_10]
		mov	[ebp+var_8], 1
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_14], eax
		jmp	loc_4CD998
; 

loc_4CDAE0:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+CDj
		mov	edi, ebx
		mov	esi, ecx
		mov	ebx, [ebp+var_14]
		sub	esi, eax
		mov	[ebp+var_1C], edi
		jmp	loc_4CDA06
; 

loc_4CDAF1:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+126j
		movzx	eax, word ptr [ebx]
		mov	ecx, [ebp+var_10]
		imul	eax, edx
		push	eax		; size_t
		mov	eax, esi
		imul	eax, edx
		push	ecx		; void *
		add	eax, ecx
		push	eax		; void *
		call	_memmove
		mov	dl, [edi+3]
		add	esp, 0Ch
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_1C]
		jmp	loc_4CDA5D
; 

loc_4CDB1A:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+AEj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+BDj
		mov	eax, [ebp+var_8]
		jmp	short loc_4CDAB4
; 

loc_4CDB1F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+198j
		lea	esi, [ebx+4]
		jmp	short loc_4CDAC8
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute proc	near
					; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+D6p
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+102p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C78D6 SIZE 000000AC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [edx]
		and	[ebp+var_10], 0
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		mov	esi, [edx+0Ch]
		push	edi
		mov	edi, ecx
		push	8
		mov	edx, [eax+esi*8-8]
		mov	ecx, [eax+esi*8-0Ch]
		mov	ebx, [eax+esi*8-10h]
		xor	eax, eax
		mov	[ebp+var_C], edx
		cmp	[edx+3], al
		pop	edx
		setnz	al
		mov	[ebp+var_20], ecx
		dec	eax
		mov	[ebp+var_18], edx
		and	eax, 0FFFFFE01h
		add	eax, 3FEh
		mov	[ebp+var_24], eax
		movzx	eax, word ptr [ebx]
		inc	eax
		lea	eax, [ebx+eax*8]
		cmp	ecx, eax
		jz	loc_4CDCEA
		mov	eax, [ebp+var_C]
		lea	esi, [ecx+4]
		and	[ebp+var_8], 0
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_1C], eax

loc_4CDB8E:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+1E8j
		mov	ecx, edi
		lea	eax, [edi+8]
		neg	ecx
		mov	[ebp+var_28], eax
		lea	eax, [edi+8]
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C78D6

loc_4CDBAA:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+F9DB6j
		mov	ecx, [ebp+var_1C]
		mov	eax, [esi]
		mov	[ecx], eax

loc_4CDBB1:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+F9DE3j
		mov	edi, [ebp+var_14]
		mov	esi, 0FFFFh
		mov	ebx, [ebp+var_10]
		or	[ebp+var_8], eax
		mov	eax, [edi]
		mov	ecx, [ebx]
		and	eax, esi
		and	ecx, esi
		mov	[ebp+var_C], eax
		lea	esi, [ecx+eax]
		mov	eax, [ebp+var_24]
		cmp	esi, eax
		jb	loc_4CDCE5
		lea	eax, ds:0FFFFFFFFh[eax*2]
		cmp	esi, eax
		jnb	loc_4CDCE5
		shr	esi, 1
		mov	eax, esi
		mov	[ebp+var_10], esi
		cmp	ecx, [ebp+var_C]
		ja	loc_4CDCAB
		sub	esi, ecx
		mov	[ebp+var_1C], ebx

loc_4CDBFC:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+193j
		cmp	[ebp+var_C], ecx
		push	8
		sbb	edx, edx
		not	edx
		and	edx, ecx
		cmp	[ebp+var_C], ecx
		mov	[ebp+var_24], edx
		sbb	ecx, ecx
		and	ecx, eax
		mov	al, [edi+3]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_1], al
		pop	edx
		test	al, al
		jz	short loc_4CDC25
		push	4
		pop	edx
		mov	[ebp+var_18], edx

loc_4CDC25:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+F9j
		mov	eax, [ebp+var_24]
		imul	eax, edx
		mov	[ebp+var_10], edx
		add	eax, 8
		add	eax, ebx
		mov	[ebp+var_10], eax
		mov	eax, ecx
		mov	ecx, edx
		imul	ecx, eax
		mov	eax, [ebp+var_1C]
		add	ecx, 8
		add	ecx, edi
		mov	[ebp+var_C], ecx
		cmp	edi, eax
		jz	short loc_4CDCBC
		mov	dl, [ebp+var_1]

loc_4CDC4F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+1BCj
		test	dl, dl
		jz	loc_5C7912
		mov	eax, esi
		imul	eax, [ebp+var_18]
		push	eax		; size_t
		push	ecx		; void *

loc_4CDC5F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+F9E59j
		push	[ebp+var_10]	; void *
		call	_memcpy
		movzx	eax, si
		add	esp, 0Ch
		add	[ebx], ax
		sub	[edi], ax
		mov	ebx, [ebp+var_14]
		cmp	edi, ebx
		jnz	short loc_4CDC95
		movzx	eax, word ptr [edi]
		imul	eax, [ebp+var_18]
		imul	esi, [ebp+var_18]
		push	eax		; size_t
		mov	eax, [ebp+var_C]
		add	esi, eax
		push	esi		; void *
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch

loc_4CDC95:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+154j
		cmp	byte ptr [ebx+3], 0
		mov	eax, [ebp+var_8]
		jz	short loc_4CDCA6
		mov	edx, [ebp+var_20]
		mov	ecx, [ebx+8]
		mov	[edx], ecx

loc_4CDCA6:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+178j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+1C4j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4CDCAB:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+CDj
		mov	edi, ebx
		mov	esi, ecx
		mov	ebx, [ebp+var_14]
		sub	esi, eax
		mov	[ebp+var_1C], edi
		jmp	loc_4CDBFC
; 

loc_4CDCBC:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+126j
		movzx	eax, word ptr [ebx]
		mov	ecx, [ebp+var_10]
		imul	eax, edx
		push	eax		; size_t
		mov	eax, esi
		imul	eax, edx
		push	ecx		; void *
		add	eax, ecx
		push	eax		; void *
		call	_memmove
		mov	dl, [edi+3]
		add	esp, 0Ch
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_1C]
		jmp	loc_4CDC4F
; 

loc_4CDCE5:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+AEj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+BDj
		mov	eax, [ebp+var_8]
		jmp	short loc_4CDCA6
; 

loc_4CDCEA:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+51j
		sub	ecx, edx
		lea	eax, [ebx+8]
		mov	[ebp+var_20], ecx
		lea	esi, [ecx-4]
		cmp	ecx, eax
		jbe	short loc_4CDD11

loc_4CDCF9:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+1F0j
		lea	eax, [ebp+var_10]
		mov	[ebp+var_8], 1
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_14], eax
		jmp	loc_4CDB8E
; 

loc_4CDD11:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+1D3j
		lea	esi, [ebx+4]
		jmp	short loc_4CDCF9
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild proc near
					; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+1A5p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C7982 SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_20], 0
		mov	eax, edx
		push	ebx
		push	esi
		mov	[ebp+var_8], eax
		xor	ebx, ebx
		mov	esi, [eax+0Ch]
		mov	eax, [eax]
		push	edi
		mov	[ebp+var_4], ecx
		lea	eax, [eax+esi*8]
		mov	edi, [eax-8]
		mov	[ebp+var_14], eax
		movzx	eax, byte ptr [edi+2]
		movzx	edx, byte ptr [edi+3]
		push	eax
		call	?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@KK@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)
		mov	esi, eax
		test	esi, esi
		jz	loc_4CDE68
		mov	[ebp+var_24], esi
		lea	eax, [edi+8]
		mov	edx, [edi]
		mov	ecx, edx
		shr	ecx, 1
		and	ecx, 7FFFh
		mov	[ebp+var_18], ecx
		lea	eax, [eax+ecx*8]
		mov	[ebp+var_C], eax
		cmp	[edi+3], bl
		jz	loc_5C7982
		test	dl, 1
		jz	short loc_4CDD95
		mov	ecx, [ebp+var_14]
		lea	edx, [eax+8]
		cmp	edx, [ecx-4]
		mov	ecx, [ebp+var_18]
		jnb	short loc_4CDD95
		mov	eax, edx
		inc	ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_18], ecx

loc_4CDD95:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+66j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+74j
		and	[ebp+var_10], ebx

loc_4CDD98:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+F9C72j
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		movzx	edx, word ptr [edi]
		sub	edx, ecx
		mov	[ebp+var_1C], edx
		cmp	[edi+3], bl
		jz	loc_5C7997
		mov	eax, [ebp+var_4]
		mov	ecx, eax
		add	eax, 8
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C798D
		mov	eax, [edi+4]

loc_4CDDCA:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+F9C7Cj
		jnz	short loc_4CDDCF
		mov	[esi+4], eax

loc_4CDDCF:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild:loc_4CDDCAj
		mov	eax, edx
		shl	eax, 3
		push	eax		; size_t
		push	[ebp+var_C]	; void *
		lea	eax, [esi+8]
		push	eax		; void *
		call	_memcpy

loc_4CDDE1:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+F9CA4j
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	eax, [ebp+var_1C]
		mov	[esi], ax
		cmp	[ecx], edi
		jz	short loc_4CDE70
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_28]
		push	eax
		dec	dword ptr [edx+0Ch]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx
		mov	edx, [ebp+var_8]
		inc	dword ptr [edx+0Ch]
		mov	ecx, [edx+0Ch]
		test	eax, eax
		js	short loc_4CDE55
		mov	ebx, ecx

loc_4CDE0F:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+1D1j
		mov	cl, [edi+3]
		test	cl, cl
		jz	short loc_4CDE36
		mov	eax, [edx]
		mov	edx, [ebp+var_4]
		mov	ebx, [eax+ebx*8-0Ch]
		mov	eax, [edx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CDE39
		or	dword ptr [ebx+4], 1
		lea	edx, [ebx+4]
		call	?NpGetResidentLeaf@NP_CONTEXT@@SGPAUB_TREE_NODE_HDR@@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@@Z ; NP_CONTEXT::NpGetResidentLeaf(NP_CONTEXT::NP_CTX	*,_NP_LEAF_PTR *)
		mov	cl, [edi+3]

loc_4CDE36:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+FEj
		mov	edx, [ebp+var_4]

loc_4CDE39:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+10Fj
		mov	eax, [ebp+var_18]
		mov	[edi], ax
		test	cl, cl
		jz	short loc_4CDE4E
		mov	eax, [edx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_4CDE4E
		mov	[edi+4], esi

loc_4CDE4E:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+12Bj
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+133j
		mov	[ebp+var_20], esi
		xor	esi, esi
		xor	ebx, ebx

loc_4CDE55:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+F5j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+16Bj
		mov	edi, [ebp+var_4]
		test	esi, esi
		jnz	loc_5C79BF

loc_4CDE60:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+F9CB8j
		test	ebx, ebx
		jnz	loc_5C79D3

loc_4CDE68:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+39j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+F9CCCj
		mov	eax, [ebp+var_20]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4CDE70:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+D9j
		movzx	eax, byte ptr [edi+2]
		xor	edx, edx
		inc	eax
		push	eax
		call	?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@KK@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_4CDE55
		lea	edx, [ebx+4]
		xor	ecx, ecx
		mov	[edx], edi
		inc	ecx
		mov	eax, [ebp+var_28]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_24]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_4]
		mov	[ebx], cx
		mov	[eax], ebx
		cmp	byte ptr [edi+3], 0
		jz	short loc_4CDEB4
		mov	eax, [eax+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CDEB4
		or	[edx], ecx
		call	?NpGetResidentLeaf@NP_CONTEXT@@SGPAUB_TREE_NODE_HDR@@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@@Z ; NP_CONTEXT::NpGetResidentLeaf(NP_CONTEXT::NP_CTX	*,_NP_LEAF_PTR *)

loc_4CDEB4:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+18Dj
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+195j
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_14]
		mov	eax, [edx+10h]
		lea	eax, ds:0FFFFFFF8h[eax*8]
		push	eax		; size_t
		lea	eax, [ecx-8]
		push	eax		; void *
		push	ecx		; void *
		call	_memmove
		mov	ecx, [ebp+var_14]
		lea	eax, [ebx+8]
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		mov	[ecx-8], ebx
		mov	[ecx-4], eax
		inc	dword ptr [edx+0Ch]
		mov	ebx, [edx+0Ch]
		jmp	loc_4CDE0F
B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static struct	B_TREE_HEADER<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY>::NODE * __stdcall B_TREE<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::BTreeNewNode(struct B_TREE<union _SM_PAGE_KEY,	struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct	NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>> *, unsigned long,	unsigned long)
?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@KK@Z proc near
					; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+289p
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+28Ep ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		lea	eax, [ecx+8]
		neg	ecx
		push	ebx
		push	esi
		mov	ebx, edx
		sbb	ecx, ecx
		push	ebx
		and	ecx, eax
		call	NP_CONTEXT__NpNodeAllocate
		mov	esi, eax
		test	esi, esi
		jz	short loc_4CDF23
		push	1000h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	cl, [ebp+arg_0]
		add	esp, 0Ch
		mov	[esi+2], cl
		mov	[esi+3], bl

loc_4CDF23:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)+1Cj
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@KK@Z endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NP_CONTEXT__NpNodeAllocate proc	near	; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)+13p
					; NP_CONTEXT::NpiLeafPageIn(NP_CONTEXT *,NP_CONTEXT::NP_CTX *,_NP_LEAF_PTR *)+10p

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005C79E7 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	704E6D73h
		mov	ebx, ecx
		push	1000h
		push	200h
		mov	esi, [ebx]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_4CDF77

loc_4CDF52:				; CODE XREF: NP_CONTEXT__NpNodeAllocate+51j
		test	[ebp+arg_0], 1
		jz	short loc_4CDF6E
		test	edi, edi
		jz	loc_5C79E7

loc_4CDF60:				; CODE XREF: NP_CONTEXT__NpNodeAllocate+F9ACEj
		inc	dword ptr [esi+18h]
		mov	eax, [esi+18h]
		cmp	eax, [esi]
		ja	loc_5C79FF

loc_4CDF6E:				; CODE XREF: NP_CONTEXT__NpNodeAllocate+2Aj
					; NP_CONTEXT__NpNodeAllocate+4Fj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4CDF77:				; CODE XREF: NP_CONTEXT__NpNodeAllocate+24j
		test	[ebp+arg_0], 2
		jz	short loc_4CDF6E
		jmp	short loc_4CDF52
NP_CONTEXT__NpNodeAllocate endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild proc near
					; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+202p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C7A0D SIZE 00000090 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_20], 0
		mov	eax, edx
		push	ebx
		push	esi
		mov	[ebp+var_8], eax
		xor	ebx, ebx
		mov	esi, [eax+0Ch]
		mov	eax, [eax]
		push	edi
		mov	[ebp+var_4], ecx
		lea	eax, [eax+esi*8]
		mov	esi, [eax-8]
		mov	[ebp+var_14], eax
		movzx	eax, byte ptr [esi+2]
		movzx	edx, byte ptr [esi+3]
		push	eax
		call	?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@KK@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)
		mov	edi, eax
		test	edi, edi
		jz	loc_4CE0BF
		mov	[ebp+var_24], edi
		lea	eax, [esi+8]
		mov	edx, [esi]
		mov	ecx, edx
		shr	ecx, 1
		and	ecx, 7FFFh
		mov	[ebp+var_18], ecx
		cmp	[esi+3], bl
		jz	loc_5C7A2D
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_C], eax
		test	dl, 1
		jnz	loc_5C7A0D

loc_4CDFEC:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+F9A99j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+F9AA8j
		and	[ebp+var_10], ebx

loc_4CDFEF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+F9AB6j
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		movzx	edx, word ptr [esi]
		sub	edx, ecx
		mov	[ebp+var_1C], edx
		cmp	[esi+3], bl
		jz	loc_5C7A45
		mov	eax, [ebp+var_4]
		mov	ecx, eax
		add	eax, 8
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C7A3B
		mov	eax, [esi+4]

loc_4CE021:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+F9AC0j
		jnz	short loc_4CE026
		mov	[edi+4], eax

loc_4CE026:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild:loc_4CE021j
		mov	eax, edx
		shl	eax, 2
		push	eax		; size_t
		push	[ebp+var_C]	; void *
		lea	eax, [edi+8]
		push	eax		; void *
		call	_memcpy

loc_4CE038:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+F9AE8j
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	eax, [ebp+var_1C]
		mov	[edi], ax
		cmp	[ecx], esi
		jz	short loc_4CE0C7
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_28]
		push	eax
		dec	dword ptr [edx+0Ch]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx
		mov	edx, [ebp+var_8]
		inc	dword ptr [edx+0Ch]
		mov	ecx, [edx+0Ch]
		test	eax, eax
		js	short loc_4CE0AC
		mov	ebx, ecx

loc_4CE066:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+1BEj
		mov	cl, [esi+3]
		test	cl, cl
		jz	loc_5C7A6D
		mov	eax, [edx]
		mov	edx, [eax+ebx*8-0Ch]
		mov	ebx, [ebp+var_4]
		add	edx, 4
		mov	eax, [ebx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CE090
		or	dword ptr [edx], 1
		call	?NpGetResidentLeaf@NP_CONTEXT@@SGPAUB_TREE_NODE_HDR@@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@@Z ; NP_CONTEXT::NpGetResidentLeaf(NP_CONTEXT::NP_CTX	*,_NP_LEAF_PTR *)
		mov	cl, [esi+3]

loc_4CE090:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+103j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+F9AF0j
		mov	eax, [ebp+var_18]
		mov	[esi], ax
		test	cl, cl
		jz	short loc_4CE0A5
		mov	eax, [ebx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_4CE0A5
		mov	[esi+4], edi

loc_4CE0A5:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+118j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+120j
		mov	[ebp+var_20], edi
		xor	edi, edi
		xor	ebx, ebx

loc_4CE0AC:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+E2j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+158j
		mov	esi, [ebp+var_4]
		test	edi, edi
		jnz	loc_5C7A75

loc_4CE0B7:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+F9B04j
		test	ebx, ebx
		jnz	loc_5C7A89

loc_4CE0BF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+39j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+F9B18j
		mov	eax, [ebp+var_20]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4CE0C7:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+C6j
		movzx	eax, byte ptr [esi+2]
		xor	edx, edx
		inc	eax
		push	eax
		call	?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@KK@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_4CE0AC
		lea	edx, [ebx+4]
		xor	ecx, ecx
		mov	[edx], esi
		inc	ecx
		mov	eax, [ebp+var_28]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_24]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_4]
		mov	[ebx], cx
		mov	[eax], ebx
		cmp	byte ptr [esi+3], 0
		jz	short loc_4CE10B
		mov	eax, [eax+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CE10B
		or	[edx], ecx
		call	?NpGetResidentLeaf@NP_CONTEXT@@SGPAUB_TREE_NODE_HDR@@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@@Z ; NP_CONTEXT::NpGetResidentLeaf(NP_CONTEXT::NP_CTX	*,_NP_LEAF_PTR *)

loc_4CE10B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+17Aj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+182j
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_14]
		mov	eax, [edx+10h]
		lea	eax, ds:0FFFFFFF8h[eax*8]
		push	eax		; size_t
		lea	eax, [ecx-8]
		push	eax		; void *
		push	ecx		; void *
		call	_memmove
		mov	ecx, [ebp+var_14]
		lea	eax, [ebx+8]
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		mov	[ecx-8], ebx
		mov	[ecx-4], eax
		inc	dword ptr [edx+0Ch]
		mov	ebx, [edx+0Ch]
		jmp	loc_4CE066
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes proc near
					; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+171p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C7A9D SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [edx]
		push	ebx
		mov	ebx, [edx+0Ch]
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	edi, [eax+ebx*8-8]
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_10], edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], ebx
		test	al, 1
		jnz	loc_4CE23F
		mov	esi, edi
		mov	edi, eax

loc_4CE173:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+100j
		movzx	edx, word ptr [esi]
		mov	[ebp+arg_0], edx
		mov	edx, [ebp+var_8]
		mov	ebx, [edx+ebx*8-0Ch]
		mov	edx, [ebp+arg_0]
		cmp	esi, eax
		jz	loc_4CE249

loc_4CE18B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+115j
		cmp	byte ptr [esi+3], 0
		jz	loc_5C7AA7
		mov	eax, ecx
		add	eax, 8
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C7A9D
		mov	eax, [edi+4]

loc_4CE1AE:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+F995Ej
		jnz	short loc_4CE1B3
		mov	[esi+4], eax

loc_4CE1B3:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes:loc_4CE1AEj
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+F9974j
		movzx	eax, word ptr [edi]
		inc	edx
		shl	eax, 3
		push	eax		; size_t
		lea	eax, [edi+8]
		push	eax		; void *
		lea	eax, [esi+edx*8]
		push	eax		; void *
		call	_memcpy
		mov	ax, [edi]
		add	esp, 0Ch
		add	ax, word ptr [ebp+arg_0]
		cmp	byte ptr [esi+3], 0
		mov	[esi], ax
		jz	short loc_4CE20C
		mov	eax, [ebp+var_4]
		mov	esi, eax
		add	eax, 8
		neg	esi
		sbb	esi, esi
		add	ebx, 4
		and	esi, eax
		mov	eax, [esi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CE20C
		mov	edx, ebx
		mov	ecx, esi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	eax, [esi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CE20C
		mov	edx, ebx
		mov	ecx, esi
		call	?NpLeafRemoveInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAX@Z ; NP_CONTEXT::NpLeafRemoveInternal(NP_CONTEXT::NP_CTX *,void	* *)

loc_4CE20C:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+95j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+ADj ...
		mov	esi, [ebp+var_4]
		mov	edx, edi
		movzx	eax, byte ptr [edi+3]
		mov	ecx, esi
		neg	ecx
		push	eax
		lea	eax, [esi+8]
		sbb	ecx, ecx
		and	ecx, eax
		call	NP_CONTEXT__NpNodeFree
		mov	ebx, [ebp+var_10]
		mov	ecx, esi
		mov	edx, ebx
		dec	dword ptr [ebx+0Ch]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx
		inc	dword ptr [ebx+0Ch]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4CE23F:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+25j
		and	eax, 0FFFFFFFEh
		mov	esi, eax
		jmp	loc_4CE173
; 

loc_4CE249:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+41j
		mov	edx, [ebp+var_8]
		sub	ebx, 8
		mov	eax, [ebp+var_C]
		mov	[edx+eax*8-0Ch], ebx
		mov	edx, [ebp+arg_0]
		jmp	loc_4CE18B
B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NP_CONTEXT__NpNodeFree proc near	; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+D8p
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+114p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C7ABD SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		mov	ecx, [ecx]
		jz	short loc_4CE27C
		mov	eax, [ecx+30h]
		dec	dword ptr [ecx+18h]
		mov	eax, [eax]
		cmp	eax, [ecx+4]
		jb	loc_5C7ABD

loc_4CE27C:				; CODE XREF: NP_CONTEXT__NpNodeFree+Bj
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4CE284:				; CODE XREF: NP_CONTEXT__NpNodeFree+F986Aj
		pop	ebp
		retn	4
NP_CONTEXT__NpNodeFree endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	B_TREE<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::BTreeSearchResultCleanup(struct B_TREE<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY,	4096, struct NP_CONTEXT, struct	B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>> *, struct B_TREE<union _SM_PAGE_KEY,	struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct	NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::SEARCH_RESULT *,	unsigned long)
?BTreeSearchResultCleanup@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUSEARCH_RESULT@1@K@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+59p
					; ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+8Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref
		cmp	dword ptr [esi+0Ch], 0FFFFFFFFh
		jz	short loc_4CE2A1
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_4CE2A6

loc_4CE2A1:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultCleanup(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+11j
					; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultCleanup(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+22j ...
		pop	esi
		pop	ebp
		retn	4
; 

loc_4CE2A6:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultCleanup(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+17j
		cmp	[ebp+arg_0], 0
		jnz	short loc_4CE2A1
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4CE2A1
?BTreeSearchResultCleanup@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUSEARCH_RESULT@1@K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmCleanup proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StCleanup(ST_STORE<SM_TRAITS>	*)+13p
					; ST_STORE<SM_TRAITS>::StCleanup(ST_STORE<SM_TRAITS> *)+20p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C7ACD SIZE 000000DF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_10], ebx
		push	edi
		xor	edx, edx
		mov	[ebp+var_4], esi
		lea	edi, [ebx+6Ch]
		inc	edx
		push	0
		mov	ecx, edi
		call	_SmHpChunkHeapProtect@12 ; SmHpChunkHeapProtect(x,x,x)
		mov	edx, [ebx+1A4h]
		test	edx, edx
		jnz	loc_4CE491

loc_4CE2E8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+1E4j
					; ST_STORE_SM_TRAITS___StDmCleanup+F9825j
		mov	eax, [ebx+0FCh]
		mov	ecx, edi
		mov	[ebp+var_C], eax
		mov	eax, [ebx+100h]
		mov	[ebp+var_8], eax
		call	_SmHpChunkHeapCleanup@8	; SmHpChunkHeapCleanup(x,x)
		test	esi, esi
		jnz	loc_5C7AE0

loc_4CE309:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+F9834j
		push	esi
		lea	edx, [ebx+0Ch]
		mov	ecx, ebx
		call	?BTreeSearchResultCleanup@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultCleanup(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>	*,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		mov	edx, [ebx]
		test	edx, edx
		jnz	loc_4CE4A5

loc_4CE31E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+1F6j
		lea	edi, [ebx+24h]
		push	esi
		lea	edx, [ebx+30h]
		mov	ecx, edi
		call	?BTreeSearchResultCleanup@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGXPAU1@PAUSEARCH_RESULT@1@K@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeSearchResultCleanup(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)
		mov	edx, [edi]
		test	edx, edx
		jnz	loc_4CE4B1

loc_4CE336:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+202j
		lea	ecx, [ebx+48h]
		lea	edx, [ebx+54h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref
		cmp	dword ptr [ebx+60h], 0FFFFFFFFh
		jz	short loc_4CE352
		mov	eax, [ebx+54h]
		test	eax, eax
		jnz	loc_4CE4BD

loc_4CE352:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+8Fj
					; ST_STORE_SM_TRAITS___StDmCleanup+209j ...
		lea	ecx, [ebx+48h]
		mov	edx, [ecx]
		test	edx, edx
		jnz	loc_4CE4D1

loc_4CE35F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+223j
		test	esi, esi
		jnz	loc_5C7AEF

loc_4CE367:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+F984Fj
		lea	edi, [ebx+314h]
		mov	edx, esi
		mov	ecx, edi
		call	?NpCleanup@NP_CONTEXT@@SGXPAU1@K@Z ; NP_CONTEXT::NpCleanup(NP_CONTEXT *,ulong)
		lea	ecx, [ebx+36Ch]
		mov	edx, esi
		call	?NpCleanup@NP_CONTEXT@@SGXPAU1@K@Z ; NP_CONTEXT::NpCleanup(NP_CONTEXT *,ulong)
		lea	ecx, [ebx+3C4h]
		mov	edx, esi
		call	?NpCleanup@NP_CONTEXT@@SGXPAU1@K@Z ; NP_CONTEXT::NpCleanup(NP_CONTEXT *,ulong)
		test	esi, esi
		jnz	loc_5C7B0A

loc_4CE398:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+F9869j
		xor	edi, edi
		cmp	[ebx+240h], edi
		jz	loc_4CE436
		mov	ecx, ebx
		call	?StDmInvalidateCurrentRegions@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StDmInvalidateCurrentRegions(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		or	edi, 0FFFFFFFFh

loc_4CE3B0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+112j
					; ST_STORE_SM_TRAITS___StDmCleanup+F9881j
		inc	edi
		cmp	edi, [ebx+1B8h]
		jz	short loc_4CE3CF
		mov	eax, [ebx+240h]
		movzx	eax, word ptr [eax+edi*2]
		test	eax, 1FFFh
		jz	short loc_4CE3B0
		jmp	loc_5C7B24
; 

loc_4CE3CF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+101j
		test	dword ptr [ebx+1ACh], 40000h
		jz	short loc_4CE3F8
		test	esi, esi
		jnz	short loc_4CE3F8
		lea	esi, [ebx+1DCh]
		push	esi
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	ecx, [esi]
		sub	ecx, eax
		jnz	loc_5C7B3C

loc_4CE3F5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+F9897j
		mov	esi, [ebp+var_4]

loc_4CE3F8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+123j
					; ST_STORE_SM_TRAITS___StDmCleanup+127j
		mov	edx, [ebx+240h]
		lea	edi, [ebx+26Ch]
		push	6
		pop	ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ecx

loc_4CE40D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+179j
		test	esi, esi
		jnz	loc_5C7B52

loc_4CE415:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+F98B6j
		cmp	dword ptr [edi], 0FFFFFFFFh
		jnz	loc_5C7B71

loc_4CE41E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+F98A1j
					; ST_STORE_SM_TRAITS___StDmCleanup+F98D5j
		test	esi, esi
		jnz	loc_5C7B90

loc_4CE426:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+F98B0j
					; ST_STORE_SM_TRAITS___StDmCleanup+F98E5j
		add	edi, 0Ch
		sub	ecx, 1
		mov	[ebp+var_4], ecx
		jnz	short loc_4CE40D
		mov	ebx, [ebp+var_10]
		xor	edi, edi

loc_4CE436:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+EAj
		test	esi, esi
		jnz	short loc_4CE48C
		mov	eax, [ebx+24Ch]
		test	eax, eax
		jnz	loc_4CE4DE

loc_4CE448:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+22Fj
		mov	eax, [ebx+1E0h]
		test	eax, eax
		jz	short loc_4CE459
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4CE459:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+19Aj
		mov	eax, [ebx+258h]
		test	eax, eax
		jz	short loc_4CE46A
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4CE46A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+1ABj
		mov	eax, [ebx+420h]
		test	eax, eax
		jnz	loc_5C7BA0

loc_4CE478:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+F98F1j
		mov	eax, [ebx+424h]
		test	eax, eax
		jnz	short loc_4CE4EA

loc_4CE482:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+23Bj
		mov	eax, [ebx+428h]
		test	eax, eax
		jnz	short loc_4CE4F3

loc_4CE48C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+182j
					; ST_STORE_SM_TRAITS___StDmCleanup+244j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4CE491:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+2Cj
		mov	ecx, edi
		call	_SmHpChunkFree@8 ; SmHpChunkFree(x,x)
		test	esi, esi
		jz	loc_4CE2E8
		jmp	loc_5C7ACD
; 

loc_4CE4A5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+62j
		mov	ecx, ebx
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree
		jmp	loc_4CE31E
; 

loc_4CE4B1:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+7Aj
		mov	ecx, edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree
		jmp	loc_4CE336
; 

loc_4CE4BD:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+96j
		test	esi, esi
		jnz	loc_4CE352
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4CE352
; 

loc_4CE4D1:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+A3j
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree
		lea	ecx, [ebx+48h]
		jmp	loc_4CE35F
; 

loc_4CE4DE:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+18Cj
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4CE448
; 

loc_4CE4EA:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+1CAj
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4CE482
; 

loc_4CE4F3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+1D4j
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4CE48C
ST_STORE_SM_TRAITS___StDmCleanup endp


;  S U B	R O U T	I N E 


; public: static void __stdcall	NP_CONTEXT::NpCleanup(struct NP_CONTEXT	*, unsigned long)
?NpCleanup@NP_CONTEXT@@SGXPAU1@K@Z proc	near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+BBp
					; ST_STORE_SM_TRAITS___StDmCleanup+C8p	...
		test	edx, edx
		jnz	short locret_4CE526
		push	esi
		lea	esi, [ecx+2Ch]

loc_4CE504:				; CODE XREF: NP_CONTEXT::NpCleanup(NP_CONTEXT *,ulong)+27j
		mov	ecx, [esi+4]
		cmp	ecx, esi
		jz	short loc_4CE525
		mov	edx, [esi]
		mov	eax, [edx]
		mov	[esi], eax
		cmp	edx, ecx
		jnz	short loc_4CE527
		and	dword ptr [esi], 0
		mov	[esi+4], esi

loc_4CE51B:				; CODE XREF: NP_CONTEXT::NpCleanup(NP_CONTEXT *,ulong)+2Dj
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4CE504
; 

loc_4CE525:				; CODE XREF: NP_CONTEXT::NpCleanup(NP_CONTEXT *,ulong)+Dj
		pop	esi

locret_4CE526:				; CODE XREF: NP_CONTEXT::NpCleanup(NP_CONTEXT *,ulong)+2j
		retn
; 

loc_4CE527:				; CODE XREF: NP_CONTEXT::NpCleanup(NP_CONTEXT *,ulong)+17j
		dec	dword ptr [ecx]
		jmp	short loc_4CE51B
?NpCleanup@NP_CONTEXT@@SGXPAU1@K@Z endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmHpChunkHeapCleanup(x, x)
_SmHpChunkHeapCleanup@8	proc near	; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+46p
					; ST_STORE_SM_TRAITS___StDmStart+F8691p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		inc	esi
		cmp	[edi+80h], esi
		ja	short loc_4CE55F

loc_4CE542:				; CODE XREF: SmHpChunkHeapCleanup(x,x)+53j
		xor	esi, esi

loc_4CE544:				; CODE XREF: SmHpChunkHeapCleanup(x,x)+23j
		mov	eax, [edi+esi*4]
		test	eax, eax
		jnz	short loc_4CE555

loc_4CE54B:				; CODE XREF: SmHpChunkHeapCleanup(x,x)+31j
		inc	esi
		cmp	esi, 20h
		jb	short loc_4CE544
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4CE555:				; CODE XREF: SmHpChunkHeapCleanup(x,x)+1Dj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4CE54B
; 

loc_4CE55F:				; CODE XREF: SmHpChunkHeapCleanup(x,x)+14j
					; SmHpChunkHeapCleanup(x,x)+51j
		and	[ebp+var_4], 0
		mov	eax, esi
		bsr	ecx, esi
		btc	eax, ecx
		imul	edx, eax, 0Ch
		add	edx, [edi+ecx*4]
		cmp	dword ptr [edx], 0
		jnz	short loc_4CE581

loc_4CE576:				; CODE XREF: SmHpChunkHeapCleanup(x,x)+5Dj
		inc	esi
		cmp	esi, [edi+80h]
		jb	short loc_4CE55F
		jmp	short loc_4CE542
; 

loc_4CE581:				; CODE XREF: SmHpChunkHeapCleanup(x,x)+48j
		push	ecx
		mov	ecx, edi
		call	_SmHpBufferCleanup@12 ;	SmHpBufferCleanup(x,x,x)
		jmp	short loc_4CE576
_SmHpChunkHeapCleanup@8	endp

; 
		align 4

;  S U B	R O U T	I N E 


; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StCleanup(struct ST_STORE<struct SM_TRAITS>	*)
?StCleanup@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@@Z proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+DEp
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		or	dword ptr [esi+0A28h], 1
		lea	ecx, [esi+38h]
		call	ST_STORE_SM_TRAITS___StDmCleanup
		lea	ecx, [esi+4C8h]
		xor	edx, edx
		call	ST_STORE_SM_TRAITS___StDmCleanup
		mov	eax, [esi+2Ch]
		xor	edi, edi
		test	eax, eax
		jz	short loc_4CE5C1
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4CE5C1:				; CODE XREF: ST_STORE<SM_TRAITS>::StCleanup(ST_STORE<SM_TRAITS>	*)+2Cj
		mov	eax, [esi+30h]
		test	eax, eax
		jnz	short loc_4CE612

loc_4CE5C8:				; CODE XREF: ST_STORE<SM_TRAITS>::StCleanup(ST_STORE<SM_TRAITS>	*)+8Dj
		mov	eax, [esi+34h]
		test	eax, eax
		jnz	short loc_4CE61B

loc_4CE5CF:				; CODE XREF: ST_STORE<SM_TRAITS>::StCleanup(ST_STORE<SM_TRAITS>	*)+96j
		mov	eax, [esi+990h]
		test	eax, eax
		jz	short loc_4CE5E0
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4CE5E0:				; CODE XREF: ST_STORE<SM_TRAITS>::StCleanup(ST_STORE<SM_TRAITS>	*)+4Bj
		mov	eax, [esi+0A08h]
		test	eax, eax
		jz	short loc_4CE5F1
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4CE5F1:				; CODE XREF: ST_STORE<SM_TRAITS>::StCleanup(ST_STORE<SM_TRAITS>	*)+5Cj
		lea	ecx, [esi+960h]
		call	_StEtaCleanup@4	; StEtaCleanup(x)
		lea	ecx, [esi+9A8h]
		call	_SmCrEncCleanup@4 ; SmCrEncCleanup(x)
		mov	ecx, esi
		call	?StDrainReadContextList@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@@Z ; ST_STORE<SM_TRAITS>::StDrainReadContextList(ST_STORE<SM_TRAITS> *)
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_4CE612:				; CODE XREF: ST_STORE<SM_TRAITS>::StCleanup(ST_STORE<SM_TRAITS>	*)+3Aj
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4CE5C8
; 

loc_4CE61B:				; CODE XREF: ST_STORE<SM_TRAITS>::StCleanup(ST_STORE<SM_TRAITS>	*)+41j
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4CE5CF
?StCleanup@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes proc near
					; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+1D9p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C7BAC SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [edx]
		push	ebx
		mov	ebx, [edx+0Ch]
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	edi, [eax+ebx*8-8]
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_10], edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], ebx
		test	al, 1
		jnz	loc_4CE721
		mov	esi, edi
		mov	edi, eax

loc_4CE653:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes+102j
		movzx	edx, word ptr [esi]
		mov	[ebp+arg_0], edx
		mov	edx, [ebp+var_8]
		mov	ebx, [edx+ebx*8-0Ch]
		mov	edx, [ebp+arg_0]
		cmp	esi, eax
		jz	loc_4CE72B

loc_4CE66B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes+117j
		cmp	byte ptr [esi+3], 0
		jz	loc_5C7BB6
		mov	eax, ecx
		add	eax, 8
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C7BAC
		mov	eax, [edi+4]

loc_4CE68E:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes+F958Dj
		jnz	short loc_4CE693
		mov	[esi+4], eax

loc_4CE693:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes:loc_4CE68Ej
		movzx	eax, word ptr [edi]
		shl	eax, 2
		add	edx, 2
		push	eax		; size_t
		lea	eax, [edi+8]
		push	eax		; void *
		lea	eax, [esi+edx*4]

loc_4CE6A4:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes+F95B2j
		push	eax		; void *
		call	_memcpy
		mov	ax, [edi]
		add	esp, 0Ch
		add	ax, word ptr [ebp+arg_0]
		cmp	byte ptr [esi+3], 0
		mov	[esi], ax
		jz	short loc_4CE6EE
		mov	eax, [ebp+var_4]
		mov	esi, eax
		add	eax, 8
		neg	esi
		sbb	esi, esi
		add	ebx, 4
		and	esi, eax
		mov	eax, [esi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CE6EE
		mov	edx, ebx
		mov	ecx, esi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	eax, [esi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CE6EE
		mov	edx, ebx
		mov	ecx, esi
		call	?NpLeafRemoveInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAX@Z ; NP_CONTEXT::NpLeafRemoveInternal(NP_CONTEXT::NP_CTX *,void	* *)

loc_4CE6EE:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes+97j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes+AFj ...
		mov	esi, [ebp+var_4]
		mov	edx, edi
		movzx	eax, byte ptr [edi+3]
		mov	ecx, esi
		neg	ecx
		push	eax
		lea	eax, [esi+8]
		sbb	ecx, ecx
		and	ecx, eax
		call	NP_CONTEXT__NpNodeFree
		mov	ebx, [ebp+var_10]
		mov	ecx, esi
		mov	edx, ebx
		dec	dword ptr [ebx+0Ch]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx
		inc	dword ptr [ebx+0Ch]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4CE721:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes+25j
		and	eax, 0FFFFFFFEh
		mov	esi, eax
		jmp	loc_4CE653
; 

loc_4CE72B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes+41j
		mov	edx, [ebp+var_8]
		sub	ebx, 8
		mov	eax, [ebp+var_C]
		mov	[edx+eax*8-0Ch], ebx
		mov	edx, [ebp+arg_0]
		jmp	loc_4CE66B
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild proc near
					; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+1CCp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C7BDB SIZE 00000090 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_20], 0
		mov	eax, edx
		push	ebx
		push	esi
		mov	[ebp+var_8], eax
		xor	ebx, ebx
		mov	esi, [eax+0Ch]
		mov	eax, [eax]
		push	edi
		mov	[ebp+var_4], ecx
		lea	eax, [eax+esi*8]
		mov	esi, [eax-8]
		mov	[ebp+var_14], eax
		movzx	eax, byte ptr [esi+2]
		movzx	edx, byte ptr [esi+3]
		push	eax
		call	?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@KK@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)
		mov	edi, eax
		test	edi, edi
		jz	loc_4CE87F
		mov	[ebp+var_24], edi
		lea	eax, [esi+8]
		mov	edx, [esi]
		mov	ecx, edx
		shr	ecx, 1
		and	ecx, 7FFFh
		mov	[ebp+var_18], ecx
		cmp	[esi+3], bl
		jz	loc_5C7BFB
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_C], eax
		test	dl, 1
		jnz	loc_5C7BDB

loc_4CE7AC:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+F94A7j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+F94B6j
		and	[ebp+var_10], ebx

loc_4CE7AF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+F94C4j
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		movzx	edx, word ptr [esi]
		sub	edx, ecx
		mov	[ebp+var_1C], edx
		cmp	[esi+3], bl
		jz	loc_5C7C13
		mov	eax, [ebp+var_4]
		mov	ecx, eax
		add	eax, 8
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C7C09
		mov	eax, [esi+4]

loc_4CE7E1:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+F94CEj
		jnz	short loc_4CE7E6
		mov	[edi+4], eax

loc_4CE7E6:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild:loc_4CE7E1j
		mov	eax, edx
		shl	eax, 2
		push	eax		; size_t
		push	[ebp+var_C]	; void *
		lea	eax, [edi+8]
		push	eax		; void *
		call	_memcpy

loc_4CE7F8:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+F94F6j
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	eax, [ebp+var_1C]
		mov	[edi], ax
		cmp	[ecx], esi
		jz	short loc_4CE887
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_28]
		push	eax
		dec	dword ptr [edx+0Ch]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx
		mov	edx, [ebp+var_8]
		inc	dword ptr [edx+0Ch]
		mov	ecx, [edx+0Ch]
		test	eax, eax
		js	short loc_4CE86C
		mov	ebx, ecx

loc_4CE826:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+1BEj
		mov	cl, [esi+3]
		test	cl, cl
		jz	loc_5C7C3B
		mov	eax, [edx]
		mov	edx, [eax+ebx*8-0Ch]
		mov	ebx, [ebp+var_4]
		add	edx, 4
		mov	eax, [ebx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CE850
		or	dword ptr [edx], 1
		call	?NpGetResidentLeaf@NP_CONTEXT@@SGPAUB_TREE_NODE_HDR@@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@@Z ; NP_CONTEXT::NpGetResidentLeaf(NP_CONTEXT::NP_CTX	*,_NP_LEAF_PTR *)
		mov	cl, [esi+3]

loc_4CE850:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+103j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+F94FEj
		mov	eax, [ebp+var_18]
		mov	[esi], ax
		test	cl, cl
		jz	short loc_4CE865
		mov	eax, [ebx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_4CE865
		mov	[esi+4], edi

loc_4CE865:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+118j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+120j
		mov	[ebp+var_20], edi
		xor	edi, edi
		xor	ebx, ebx

loc_4CE86C:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+E2j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+158j
		mov	esi, [ebp+var_4]
		test	edi, edi
		jnz	loc_5C7C43

loc_4CE877:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+F9512j
		test	ebx, ebx
		jnz	loc_5C7C57

loc_4CE87F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+39j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+F9526j
		mov	eax, [ebp+var_20]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4CE887:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+C6j
		movzx	eax, byte ptr [esi+2]
		xor	edx, edx
		inc	eax
		push	eax
		call	?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@KK@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_4CE86C
		lea	edx, [ebx+4]
		xor	ecx, ecx
		mov	[edx], esi
		inc	ecx
		mov	eax, [ebp+var_28]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_24]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_4]
		mov	[ebx], cx
		mov	[eax], ebx
		cmp	byte ptr [esi+3], 0
		jz	short loc_4CE8CB
		mov	eax, [eax+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CE8CB
		or	[edx], ecx
		call	?NpGetResidentLeaf@NP_CONTEXT@@SGPAUB_TREE_NODE_HDR@@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@@Z ; NP_CONTEXT::NpGetResidentLeaf(NP_CONTEXT::NP_CTX	*,_NP_LEAF_PTR *)

loc_4CE8CB:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+17Aj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+182j
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_14]
		mov	eax, [edx+10h]
		lea	eax, ds:0FFFFFFF8h[eax*8]
		push	eax		; size_t
		lea	eax, [ecx-8]
		push	eax		; void *
		push	ecx		; void *
		call	_memmove
		mov	ecx, [ebp+var_14]
		lea	eax, [ebx+8]
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		mov	[ecx-8], ebx
		mov	[ecx-4], eax
		inc	dword ptr [edx+0Ch]
		mov	ebx, [edx+0Ch]
		jmp	loc_4CE826
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SmHpBufferCleanup(x, x, x)
_SmHpBufferCleanup@12 proc near		; CODE XREF: SmHpChunkFree(x,x)+63p
					; SmHpChunkHeapCleanup(x,x)+58p
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	ax, [edi+6]
		neg	ax
		movzx	eax, ax
		push	eax
		call	_SmHpBufferUpdateFullness@12 ; SmHpBufferUpdateFullness(x,x,x)
		mov	eax, [edi]
		push	0
		push	eax
		mov	esi, [eax+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0
		mov	eax, [ebx+120h]
		mov	[edi+4], eax
		pop	edi
		mov	[ebx+120h], esi
		pop	esi
		pop	ebx
		pop	ecx
		retn	4
_SmHpBufferCleanup@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes proc near
					; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+195p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C7C6B SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [edx]
		push	ebx
		mov	ebx, [edx+0Ch]
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	edi, [eax+ebx*8-8]
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_10], edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], ebx
		test	al, 1
		jnz	loc_4CEA41
		mov	esi, edi
		mov	edi, eax

loc_4CE973:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes+102j
		movzx	edx, word ptr [esi]
		mov	[ebp+arg_0], edx
		mov	edx, [ebp+var_8]
		mov	ebx, [edx+ebx*8-0Ch]
		mov	edx, [ebp+arg_0]
		cmp	esi, eax
		jz	loc_4CEA4B

loc_4CE98B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes+117j
		cmp	byte ptr [esi+3], 0
		jz	loc_5C7C75
		mov	eax, ecx
		add	eax, 8
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5C7C6B
		mov	eax, [edi+4]

loc_4CE9AE:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes+F932Cj
		jnz	short loc_4CE9B3
		mov	[esi+4], eax

loc_4CE9B3:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes:loc_4CE9AEj
		movzx	eax, word ptr [edi]
		shl	eax, 2
		add	edx, 2
		push	eax		; size_t
		lea	eax, [edi+8]
		push	eax		; void *
		lea	eax, [esi+edx*4]

loc_4CE9C4:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes+F9351j
		push	eax		; void *
		call	_memcpy
		mov	ax, [edi]
		add	esp, 0Ch
		add	ax, word ptr [ebp+arg_0]
		cmp	byte ptr [esi+3], 0
		mov	[esi], ax
		jz	short loc_4CEA0E
		mov	eax, [ebp+var_4]
		mov	esi, eax
		add	eax, 8
		neg	esi
		sbb	esi, esi
		add	ebx, 4
		and	esi, eax
		mov	eax, [esi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CEA0E
		mov	edx, ebx
		mov	ecx, esi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	eax, [esi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4CEA0E
		mov	edx, ebx
		mov	ecx, esi
		call	?NpLeafRemoveInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAX@Z ; NP_CONTEXT::NpLeafRemoveInternal(NP_CONTEXT::NP_CTX *,void	* *)

loc_4CEA0E:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes+97j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes+AFj	...
		mov	esi, [ebp+var_4]
		mov	edx, edi
		movzx	eax, byte ptr [edi+3]
		mov	ecx, esi
		neg	ecx
		push	eax
		lea	eax, [esi+8]
		sbb	ecx, ecx
		and	ecx, eax
		call	NP_CONTEXT__NpNodeFree
		mov	ebx, [ebp+var_10]
		mov	ecx, esi
		mov	edx, ebx
		dec	dword ptr [ebx+0Ch]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx
		inc	dword ptr [ebx+0Ch]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4CEA41:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes+25j
		and	eax, 0FFFFFFFEh
		mov	esi, eax
		jmp	loc_4CE973
; 

loc_4CEA4B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes+41j
		mov	edx, [ebp+var_8]
		sub	ebx, 8
		mov	eax, [ebp+var_C]
		mov	[edx+eax*8-0Ch], ebx
		mov	edx, [ebp+arg_0]
		jmp	loc_4CE98B
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConvertContiguousPages(x,	x, x)
_MiConvertContiguousPages@12 proc near	; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+72Fp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_1C], 0
		and	[ebp+var_18], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], 1
		lea	ecx, [ebp+var_1C]
		mov	esi, edx
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		imul	ebx, esi, 1Ch
		xor	esi, esi
		add	ebx, edi
		cmp	edi, ebx
		jz	loc_4CEB6A

loc_4CEA95:				; CODE XREF: MiConvertContiguousPages(x,x,x)+B6j
		mov	ecx, edi
		call	_MiIsFreeZeroPfnCold@4 ; MiIsFreeZeroPfnCold(x)
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		mov	[ebp+var_10], eax
		call	_MiPfnZeroingNeeded@8 ;	MiPfnZeroingNeeded(x,x)
		mov	[ebp+var_C], eax
		mov	ecx, edi
		neg	eax
		sbb	eax, eax
		not	eax
		and	[ebp+var_8], eax
		call	_MiPageAttributeBatchChangeNeeded@8 ; MiPageAttributeBatchChangeNeeded(x,x)
		test	eax, eax
		jz	short loc_4CEAE5
		and	dword ptr [edi], 0
		xor	eax, eax
		cmp	[ebp+var_10], eax
		jz	short loc_4CEACF
		push	2
		pop	eax
		mov	[edi], eax

loc_4CEACF:				; CODE XREF: MiConvertContiguousPages(x,x,x)+68j
		and	dword ptr [edi+0Ch], 0
		cmp	[ebp+var_C], 0
		mov	[edi+8], esi
		mov	esi, edi
		jz	short loc_4CEB11
		or	eax, 1
		mov	[edi], eax
		jmp	short loc_4CEB11
; 

loc_4CEAE5:				; CODE XREF: MiConvertContiguousPages(x,x,x)+5Ej
		cmp	[ebp+var_C], 0
		jz	short loc_4CEAF9
		mov	eax, [ebp+var_1C]
		mov	[edi+8], eax
		mov	eax, [ebp+var_18]
		mov	[edi+0Ch], eax
		jmp	short loc_4CEB01
; 

loc_4CEAF9:				; CODE XREF: MiConvertContiguousPages(x,x,x)+89j
		and	dword ptr [edi+8], 0
		and	dword ptr [edi+0Ch], 0

loc_4CEB01:				; CODE XREF: MiConvertContiguousPages(x,x,x)+97j
		cmp	[ebp+var_10], 0
		jz	short loc_4CEB11
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)

loc_4CEB11:				; CODE XREF: MiConvertContiguousPages(x,x,x)+7Cj
					; MiConvertContiguousPages(x,x,x)+83j ...
		add	edi, 1Ch
		cmp	edi, ebx
		jnz	loc_4CEA95
		mov	ebx, [ebp+var_8]
		mov	[ebp+var_8], ebx
		test	esi, esi
		jz	short loc_4CEB6D
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		call	MiChangePageAttributeBatch
		mov	ebx, [ebp+var_18]

loc_4CEB37:				; CODE XREF: MiConvertContiguousPages(x,x,x)+108j
		mov	eax, [esi]
		mov	edi, [esi+8]
		test	al, 1
		jnz	short loc_4CEB4A
		and	dword ptr [esi+8], 0
		and	dword ptr [esi+0Ch], 0
		jmp	short loc_4CEB53
; 

loc_4CEB4A:				; CODE XREF: MiConvertContiguousPages(x,x,x)+DEj
		mov	ecx, [ebp+var_1C]
		mov	[esi+8], ecx
		mov	[esi+0Ch], ebx

loc_4CEB53:				; CODE XREF: MiConvertContiguousPages(x,x,x)+E8j
		test	al, 2
		jz	short loc_4CEB61
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)

loc_4CEB61:				; CODE XREF: MiConvertContiguousPages(x,x,x)+F5j
		and	dword ptr [esi], 0
		mov	esi, edi
		test	edi, edi
		jnz	short loc_4CEB37

loc_4CEB6A:				; CODE XREF: MiConvertContiguousPages(x,x,x)+2Fj
		mov	ebx, [ebp+var_8]

loc_4CEB6D:				; CODE XREF: MiConvertContiguousPages(x,x,x)+C4j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_MiConvertContiguousPages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeMdlOneNodeBatchPages proc near ; CODE XREF:	MiInitializeMdlBatchPages(x)+56p
					; MiInitializeMdlBatchPages(x)+7Fp

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C7C9A SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_38], edx
		mov	edx, ecx
		lea	edi, [ebp+var_28]
		push	9
		pop	ecx
		rep stosd
		mov	eax, [edx+4]
		xor	ecx, ecx
		mov	edi, [edx+20h]
		xor	ebx, ebx
		mov	[ebp+var_44], eax
		xor	eax, eax
		and	[ebp+var_34], eax
		and	[ebp+var_30], eax
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_48], eax
		test	eax, eax
		jz	short loc_4CEC29
		mov	edx, [ebp+var_44]
		and	edx, 1
		mov	[ebp+var_5C], edx
		jmp	short loc_4CEBCD
; 

loc_4CEBCA:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+97j
		mov	ecx, [ebp+var_40]

loc_4CEBCD:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+52j
		mov	eax, [ebp+var_38]
		mov	[ebp+var_58], ecx
		xor	cl, cl
		mov	[ebp+var_54], ebx
		mov	[ebp+var_29], cl
		mov	eax, [eax]
		imul	esi, eax, 1Ch
		mov	[ebp+var_50], eax
		mov	eax, ds:_MmPfnDatabase
		mov	[ebp+var_4C], eax
		add	esi, eax
		test	edx, edx
		jz	short loc_4CEC42

loc_4CEBF1:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+141j
		movzx	eax, byte ptr [esi+16h]
		shr	eax, 6
		cmp	eax, edi
		jnz	short loc_4CEC6E

loc_4CEBFC:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+10Dj
					; MiInitializeMdlOneNodeBatchPages+209j ...
		mov	esi, [ebp+var_30]

loc_4CEBFF:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+139j
		mov	eax, [ebp+var_34]

loc_4CEC02:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+158j
		add	[ebp+var_38], 4
		sub	[ebp+var_48], 1
		mov	edx, [ebp+var_5C]
		jnz	short loc_4CEBCA
		test	eax, eax
		jnz	loc_4CECD3

loc_4CEC17:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+16Aj
		test	ebx, ebx
		jnz	loc_5C7CB8

loc_4CEC1F:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+F9150j
		cmp	[ebp+var_3C], 0
		jnz	loc_4CED29

loc_4CEC29:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+47j
					; MiInitializeMdlOneNodeBatchPages+1CCj ...
		lea	ecx, [ebp+var_28]
		call	_MiDeleteColorAnchors@4	; MiDeleteColorAnchors(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_4CEC42:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+79j
		mov	edx, edi
		mov	ecx, esi
		call	_MiPfnZeroingNeeded@8 ;	MiPfnZeroingNeeded(x,x)
		test	eax, eax
		jz	short loc_4CECB4
		cmp	[ebp+var_1C], 0
		jz	loc_4CECE5
		mov	edx, [ebp+var_50]

loc_4CEC5C:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+1AEj
		push	1
		lea	ecx, [ebp+var_28]
		call	_MiInsertMdlPageNeedsZero@12 ; MiInsertMdlPageNeedsZero(x,x,x)
		inc	[ebp+var_3C]
		mov	cl, 1
		mov	[ebp+var_29], cl

loc_4CEC6E:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+84j
		cmp	edi, 3
		jz	loc_4CED5A

loc_4CEC77:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+1E7j
		mov	edx, edi
		mov	ecx, esi
		call	_MiPageAttributeBatchChangeNeeded@8 ; MiPageAttributeBatchChangeNeeded(x,x)
		cmp	eax, 1
		jnz	loc_4CEBFC
		cmp	[ebp+var_29], 0
		jz	short loc_4CECBC
		movzx	eax, byte ptr [esi+16h]
		shr	eax, 6
		lea	eax, [edi+eax*4]
		cmp	dword_6D074C[eax*4], edi
		jz	short loc_4CECBC
		mov	eax, [ebp+var_30]
		and	dword ptr [esi+0Ch], 0
		mov	[esi+8], eax
		mov	[ebp+var_30], esi
		jmp	loc_4CEBFF
; 

loc_4CECB4:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+D7j
		mov	cl, [ebp+var_29]
		jmp	loc_4CEBF1
; 

loc_4CECBC:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+117j
					; MiInitializeMdlOneNodeBatchPages+12Aj
		mov	eax, [ebp+var_34]
		and	dword ptr [esi+0Ch], 0
		mov	[esi+8], eax
		mov	eax, esi
		mov	esi, [ebp+var_30]
		mov	[ebp+var_34], eax
		jmp	loc_4CEC02
; 

loc_4CECD3:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+9Bj
		push	0
		push	0
		mov	edx, edi
		mov	ecx, eax
		call	MiChangePageAttributeBatch
		jmp	loc_4CEC17
; 

loc_4CECE5:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+DDj
		mov	eax, esi
		sub	eax, [ebp+var_4C]
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		lea	ecx, [ebp+var_28]
		mov	eax, [eax+4]
		push	eax
		call	_MiCreateColorAnchors@8	; MiCreateColorAnchors(x,x)
		test	eax, eax
		jz	loc_5C7CA6
		test	byte ptr [ebp+var_44], 8
		mov	[ebp+var_20], edi
		mov	[ebp+var_24], 3
		jnz	loc_5C7C9A

loc_4CED1F:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+F912Bj
		mov	eax, [ebp+var_38]
		mov	edx, [eax]
		jmp	loc_4CEC5C
; 

loc_4CED29:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+ADj
		lea	ecx, [ebp+var_28]
		call	_MiZeroInParallel@4 ; MiZeroInParallel(x)
		test	ebx, ebx
		jnz	loc_5C7CCB

loc_4CED39:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+F9163j
		mov	eax, [ebp+var_40]
		test	eax, eax
		jnz	short loc_4CED84

loc_4CED40:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+21Cj
		test	esi, esi
		jz	loc_4CEC29
		push	0
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	MiChangePageAttributeBatch
		jmp	loc_4CEC29
; 

loc_4CED5A:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+FBj
		cmp	cl, 1
		jnz	loc_4CEC77
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiPageAttributeBatchChangeNeeded@8 ; MiPageAttributeBatchChangeNeeded(x,x)
		cmp	eax, 1
		jz	short loc_4CED94
		mov	eax, [ebp+var_58]
		mov	[ebp+var_40], esi

loc_4CED78:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+223j
		mov	[esi+8], eax
		and	dword ptr [esi+0Ch], 0
		jmp	loc_4CEBFC
; 

loc_4CED84:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+1C8j
		push	0
		push	0
		push	3
		pop	edx
		mov	ecx, eax
		call	MiChangePageAttributeBatch
		jmp	short loc_4CED40
; 

loc_4CED94:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+1FAj
		mov	eax, [ebp+var_54]
		mov	ebx, esi
		jmp	short loc_4CED78
MiInitializeMdlOneNodeBatchPages endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPageAttributeBatchChangeNeeded(x,	x)
_MiPageAttributeBatchChangeNeeded@8 proc near
					; CODE XREF: MiConvertContiguousPages(x,x,x)+57p
					; MiInitializeMdlOneNodeBatchPages+105p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		movzx	eax, byte ptr [esi+16h]
		shr	eax, 6
		cmp	eax, edi
		jz	short loc_4CEDF6
		cmp	eax, 1
		jnz	short loc_4CEDC0

loc_4CEDB9:				; CODE XREF: MiPageAttributeBatchChangeNeeded(x,x)+4Dj
		xor	eax, eax
		inc	eax

loc_4CEDBC:				; CODE XREF: MiPageAttributeBatchChangeNeeded(x,x)+5Cj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4CEDC0:				; CODE XREF: MiPageAttributeBatchChangeNeeded(x,x)+1Bj
		cmp	eax, 3
		jz	short loc_4CEDEB
		mov	ecx, [esi+10h]
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		xor	edx, edx
		shr	ecx, 17h
		and	ecx, 0Fh
		lock or	[eax], edx
		mov	edx, ds:_KiTbFlushTimeStamp
		push	0Fh
		call	_MiTbFlushTimeStampMayNeedFlush@12 ; MiTbFlushTimeStampMayNeedFlush(x,x,x)
		cmp	al, 1
		jz	short loc_4CEDB9

loc_4CEDEB:				; CODE XREF: MiPageAttributeBatchChangeNeeded(x,x)+27j
		push	4
		mov	edx, edi
		mov	ecx, esi
		call	MiChangePageAttribute

loc_4CEDF6:				; CODE XREF: MiPageAttributeBatchChangeNeeded(x,x)+16j
		xor	eax, eax
		jmp	short loc_4CEDBC
_MiPageAttributeBatchChangeNeeded@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertMdlPageNeedsZero(x,	x, x)
_MiInsertMdlPageNeedsZero@12 proc near	; CODE XREF: MiInitializeMdlOneNodeBatchPages+EBp
					; MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+111p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+10h]
		push	esi
		push	edi
		mov	edi, edx
		xor	edx, edx
		lea	esi, [eax+1]
		div	dword ptr [ecx+0Ch]
		mov	[ecx+10h], esi
		imul	edx, 1Ch
		imul	eax, edi, 1Ch
		add	edx, [ecx]
		add	eax, ds:_MmPfnDatabase
		lea	ecx, [edx+14h]
		mov	esi, [ecx+4]
		cmp	[esi], ecx
		jnz	short loc_4CEE3F
		mov	[eax+4], esi
		mov	[eax], ecx
		mov	[esi], eax
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_0]
		add	[edx+10h], eax
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4CEE3F:				; CODE XREF: MiInsertMdlPageNeedsZero(x,x,x)+2Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_MiInsertMdlPageNeedsZero@12 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall MiDeleteColorAnchors(x)
_MiDeleteColorAnchors@4	proc near	; CODE XREF: MiInitializeMdlOneNodeBatchPages+B6p
					; MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+1E0p	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_4CEE59

loc_4CEE4F:				; CODE XREF: MiDeleteColorAnchors(x)+1Dj
		and	dword ptr [esi+0Ch], 0
		and	dword ptr [esi+4], 0
		pop	esi
		retn
; 

loc_4CEE59:				; CODE XREF: MiDeleteColorAnchors(x)+9j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4CEE4F
_MiDeleteColorAnchors@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStStart proc near ; CODE XREF:	SmProcessCreateRequest+184p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C7CDE SIZE 000000B6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		and	[esp+3Ch+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [edx]
		mov	ebx, ecx
		mov	[esp+48h+var_34], edx
		mov	esi, 100005h
		mov	[esp+48h+var_30], edi
		mov	ecx, [edi]
		movzx	eax, cl
		mov	[esp+48h+var_38], eax
		cmp	eax, 2
		jnb	loc_5C7CFC
		cmp	dword ptr [edi+14h], 0
		jnz	loc_5C7CFC
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	loc_5C7CFC
		cmp	eax, 40000h
		ja	loc_5C7CFC
		mov	eax, [edi+8]
		mov	[esp+48h+var_3C], eax
		test	eax, eax
		jz	loc_5C7CFC
		dec	eax
		test	[esp+48h+var_3C], eax
		jnz	loc_5C7CFC
		cmp	[esp+48h+var_38], 1
		jz	loc_5C7CDE

loc_4CEEEA:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+F8E80j
		mov	eax, ecx
		and	eax, 40000h
		mov	[esp+48h+var_3C], eax
		mov	eax, ecx
		and	eax, 0A0000h
		cmp	[esp+48h+var_3C], 0
		jz	loc_5C7CF4

loc_4CEF07:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+F8E92j
		cmp	eax, 0A0000h
		jz	loc_5C7CFC
		test	ecx, 100000h
		jnz	loc_5C7D06

loc_4CEF1E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+F8EA9j
		mov	eax, [edx+10h]
		mov	[ebx+12B4h], eax
		mov	eax, [edx+1Ch]
		mov	[ebx+12B8h], eax
		test	eax, eax
		jnz	short loc_4CEF3E
		mov	dword ptr [ebx+12B8h], 7

loc_4CEF3E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+CEj
		mov	al, [edi]
		mov	[ebx+10F4h], al
		mov	eax, [edi]
		shr	eax, 12h
		shl	al, 2
		xor	al, [ebx+10F5h]
		and	al, 4
		xor	[ebx+10F5h], al
		mov	ecx, [edi]
		mov	al, [ebx+10F5h]
		shr	ecx, 11h
		shl	cl, 3
		xor	cl, al
		and	cl, 8
		xor	cl, al
		mov	[ebx+10F5h], cl
		mov	edx, [edi]
		shr	edx, 13h
		shl	dl, 5
		xor	dl, cl
		and	dl, 20h
		xor	dl, cl
		mov	[ebx+10F5h], dl
		mov	eax, [edi+8]
		mov	[ebx+117Ch], eax
		cmp	byte ptr [edi],	0
		jnz	loc_5C7D54
		test	dl, 4
		jz	loc_4CF064
		lea	edi, [ebx+118Ch]
		mov	ecx, edi	; void *
		call	_SmKmStoreHelperInitialize@4 ; SmKmStoreHelperInitialize(x)
		lea	ecx, [ebx+11D8h] ; void	*
		call	_SmKmStoreHelperInitialize@4 ; SmKmStoreHelperInitialize(x)
		lea	ecx, [ebx+1224h] ; void	*
		call	?SmStReadThreadCtxInitialize@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU_SMKM_STORE_READ_THREAD_CTX@@@Z ;	SMKM_STORE<SM_TRAITS>::SmStReadThreadCtxInitialize(_SMKM_STORE_READ_THREAD_CTX *)
		mov	ecx, [esp+48h+var_34]
		mov	eax, [ecx+14h]
		mov	[ebx+125Ch], eax
		mov	edx, [ecx+18h]
		mov	ecx, edi
		call	_SmKmStoreHelperStart@8	; SmKmStoreHelperStart(x,x)
		test	eax, eax
		js	loc_4CF171
		mov	edx, [esp+48h+var_34]
		lea	ecx, [ebx+11D8h]
		mov	edx, [edx+18h]
		call	_SmKmStoreHelperStart@8	; SmKmStoreHelperStart(x,x)
		test	eax, eax
		js	loc_4CF171
		test	byte ptr [ebx+10F5h], 8
		jnz	loc_5C7D12

loc_4CF010:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+F8EB8j
		push	6C526D73h
		push	28h
		push	200h
		mov	dword ptr [ebx+1220h], offset unk_7185C0
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebx+1188h], edi
		test	edi, edi
		jz	loc_5C7D21
		push	0Ah
		pop	ecx
		xor	eax, eax
		xor	edx, edx
		rep stosd
		mov	ecx, [ebx+117Ch]
		inc	edx
		push	eax
		call	_SmAcquireReleaseCharges@12 ; SmAcquireReleaseCharges(x,x,x)
		test	eax, eax
		jz	loc_5C7D21
		or	byte ptr [ebx+10F5h], 10h
		mov	edi, [esp+48h+var_30]

loc_4CF064:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+13Dj
		mov	eax, [edi+0Ch]
		and	[esp+48h+var_3C], 0
		mov	[ebx+1180h], eax
		shl	eax, 2
		push	67526D73h
		push	eax
		push	200h
		mov	[esp+54h+var_38], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_5C7D21
		mov	[ebx+1184h], eax
		push	[esp+48h+var_38] ; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	byte ptr [ebx+10F5h], 4
		jz	loc_5C7D2B

loc_4CF0B3:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+F8F1Fj
		and	[esp+48h+var_8], 0
		mov	esi, edi
		mov	eax, [ebx+1180h]
		lea	edi, [esp+48h+var_2C]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [esp+48h+var_34]
		mov	[esp+48h+var_20], eax
		mov	eax, [esp+48h+var_3C]
		mov	[esp+48h+var_1C], eax
		mov	eax, [esi+0Ch]
		mov	[esp+48h+var_C], eax
		mov	eax, [esp+48h+var_30]
		mov	[esp+48h+var_18], ebx
		cmp	byte ptr [eax],	0
		jnz	loc_5C7D88

loc_4CF0F0:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+F8F2Bj
		mov	ecx, [esi+8]
		lea	edx, [esp+48h+var_2C]
		mov	eax, [esi+4]
		mov	[esp+48h+var_10], ecx
		neg	ecx
		mov	[esp+48h+var_14], eax
		mov	eax, [esp+48h+var_2C]
		sbb	ecx, ecx
		and	ecx, 0FFFFF800h
		and	eax, 0FFFFF7FFh
		add	ecx, 800h
		or	ecx, eax
		mov	[esp+48h+var_2C], ecx
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StStart
		test	eax, eax
		js	short loc_4CF171
		test	byte ptr [ebx+10F5h], 4
		jz	short loc_4CF155
		mov	edx, [esi+18h]
		lea	eax, [ebx+1224h]
		push	eax
		push	offset SMKM_STORE_SM_TRAITS___SmStReadThread
		mov	ecx, ebx
		call	SMKM_STORE_SM_TRAITS___SmStWorkerThreadStartThread
		test	eax, eax
		js	short loc_4CF171
		xor	eax, eax
		test	eax, eax
		js	short loc_4CF171

loc_4CF155:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+2CFj
		mov	edx, [esi+18h]
		lea	eax, [ebx+1178h]
		push	eax
		push	offset SMKM_STORE_SM_TRAITS___SmStWorkerThread
		mov	ecx, ebx
		call	SMKM_STORE_SM_TRAITS___SmStWorkerThreadStartThread
		test	eax, eax
		js	short loc_4CF171
		xor	eax, eax

loc_4CF171:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+17Fj
					; SMKM_STORE_SM_TRAITS___SmStStart+199j ...
		mov	ecx, [esp+48h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
SMKM_STORE_SM_TRAITS___SmStStart endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmStoreHelperStart(x, x)
_SmKmStoreHelperStart@8	proc near	; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+178p
					; SMKM_STORE_SM_TRAITS___SmStStart+192p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	eax, [ebp+var_4]
		push	edi
		push	offset SmKmStoreHelperWorker
		xor	ebx, ebx
		push	ebx
		push	edx
		push	ebx
		push	1FFFFFh
		push	eax
		mov	[ebp+var_4], ebx
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_4CF1D9
		push	ebx
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	eax
		push	ebx
		push	ebx
		push	1FFFFFh
		push	[ebp+var_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	ebx
		push	[ebp+var_4]
		mov	esi, eax
		mov	eax, [ebp+var_8]
		mov	[edi], eax
		call	ObCloseHandle

loc_4CF1D9:				; CODE XREF: SmKmStoreHelperStart(x,x)+2Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SmKmStoreHelperStart@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStWorkerThreadStartThread proc	near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+2E2p
					; SMKM_STORE_SM_TRAITS___SmStStart+302p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [ebp+var_18]
		push	edi
		push	ebx
		push	ebx
		push	eax
		mov	edi, edx
		mov	[ebp+var_4], ebx
		mov	esi, ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		or	[ebp+var_8], 0FFFFFFFFh
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+arg_0]
		lea	eax, [ebp+var_4]
		mov	[ebp+var_1C], esi
		push	ebx
		push	edi
		push	ebx
		mov	edi, 1FFFFFh
		push	edi
		push	eax
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_4CF26C
		push	ebx
		lea	eax, [ebp+arg_0]
		mov	[ebp+arg_0], ebx
		push	eax
		push	ebx
		push	ebx
		push	edi
		push	[ebp+var_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [ebp+arg_4]
		mov	esi, eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	[ebp+var_4]
		mov	[ecx], eax
		call	ObCloseHandle
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_18]
		mov	[ebp+var_4], ebx
		push	eax
		call	KeWaitForSingleObject
		cmp	[ebp+var_8], ebx
		jl	short loc_4CF27E

loc_4CF26C:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkerThreadStartThread+4Fj
					; SMKM_STORE_SM_TRAITS___SmStWorkerThreadStartThread+A1j
		cmp	[ebp+var_4], ebx
		jnz	sub_5C7D94

loc_4CF275:				; CODE XREF: sub_5C7D94+9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4CF27E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkerThreadStartThread+8Aj
		mov	esi, [ebp+var_8]
		jmp	short loc_4CF26C
SMKM_STORE_SM_TRAITS___SmStWorkerThreadStartThread endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiZeroInParallel(x)
_MiZeroInParallel@4 proc near		; CODE XREF: MiInitializeMdlOneNodeBatchPages+1B6p
					; MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+192p	...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		xor	eax, eax
		mov	edx, ecx
		push	ebx
		push	esi
		push	edi
		mov	ecx, [edx]
		lea	edi, [ebp+var_38]
		mov	[ebp+var_14], eax
		lea	esi, [edx+18h]
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], eax
		mov	byte ptr [ebp+var_48+3], al
		stosd
		mov	[ebp+var_10], edx
		stosd
		stosd
		mov	eax, [edx+0Ch]
		lea	edi, [ebp+var_2C]
		mov	[ebp+var_8], eax
		mov	eax, large fs:124h
		mov	ebx, dword_6D06C4
		movsd
		mov	[ebp+var_18], ebx
		xor	ebx, ebx
		mov	[ebp+var_C], eax
		movsd
		movsd
		cmp	[ebp+var_8], ebx
		jbe	short loc_4CF349

loc_4CF2D2:				; CODE XREF: MiZeroInParallel(x)+BDj
		lea	eax, [ecx+14h]
		cmp	[eax], eax
		jnz	short loc_4CF2E1
		mov	dword ptr [ecx], 1
		jmp	short loc_4CF33A
; 

loc_4CF2E1:				; CODE XREF: MiZeroInParallel(x)+53j
		and	dword ptr [ecx], 0
		inc	ebx
		cmp	[ebp+var_2C], 0
		mov	[ebp+var_20], ebx
		jz	short loc_4CF336
		lea	esi, [ebp+var_2C]
		xor	edx, edx
		lea	edi, [ebp+var_38]
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_18]
		mov	[ebp+var_38], edx
		test	edi, edi
		jz	short loc_4CF32B
		mov	esi, [ebp+var_2C]
		mov	bl, dl

loc_4CF308:				; CODE XREF: MiZeroInParallel(x)+9Cj
		bsf	eax, esi
		bts	edx, eax
		mov	[ebp+var_1C], eax
		mov	eax, edx
		not	eax
		and	esi, eax
		jz	short loc_4CF322
		inc	bl
		movzx	eax, bl
		cmp	eax, edi
		jb	short loc_4CF308

loc_4CF322:				; CODE XREF: MiZeroInParallel(x)+93j
		mov	ebx, [ebp+var_20]
		mov	[ebp+var_38], edx
		mov	[ebp+var_2C], esi

loc_4CF32B:				; CODE XREF: MiZeroInParallel(x)+7Dj
		lea	edi, [ecx+4]
		lea	esi, [ebp+var_38]
		movsd
		movsd
		movsd
		jmp	short loc_4CF33A
; 

loc_4CF336:				; CODE XREF: MiZeroInParallel(x)+68j
		and	dword ptr [eax-10h], 0

loc_4CF33A:				; CODE XREF: MiZeroInParallel(x)+5Bj
					; MiZeroInParallel(x)+B0j
		add	ecx, 1Ch
		sub	[ebp+var_8], 1
		jnz	short loc_4CF2D2
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_10]

loc_4CF349:				; CODE XREF: MiZeroInParallel(x)+4Cj
		cmp	ebx, 1
		jz	short loc_4CF370
		test	byte ptr [edx+4], 4
		jnz	short loc_4CF370
		test	dword ptr [eax+58h], 400h
		jnz	short loc_4CF370
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jz	short loc_4CF370
		test	byte ptr ds:_MiFlags, 30h
		jnz	short loc_4CF372

loc_4CF370:				; CODE XREF: MiZeroInParallel(x)+C8j
					; MiZeroInParallel(x)+CEj ...
		xor	ebx, ebx

loc_4CF372:				; CODE XREF: MiZeroInParallel(x)+EAj
		mov	eax, [ebp+var_10]
		and	[ebp+var_44], 0
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_40]
		mov	word ptr [ebp+var_48], 107h
		mov	byte ptr [ebp+var_48+2], 4
		mov	[ebp+var_3C], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_50], ebx
		test	ebx, ebx
		jz	short loc_4CF3A4
		push	0Fh
		push	[ebp+var_C]
		call	KeSetPriorityThread
		mov	edi, eax
		jmp	short loc_4CF3A7
; 

loc_4CF3A4:				; CODE XREF: MiZeroInParallel(x)+110j
		or	edi, 0FFFFFFFFh

loc_4CF3A7:				; CODE XREF: MiZeroInParallel(x)+11Ej
		xor	esi, esi
		mov	[ebp+var_54], edi
		test	ebx, ebx
		jz	short loc_4CF40B

loc_4CF3B0:				; CODE XREF: MiZeroInParallel(x)+15Aj
		lea	eax, [ebp+var_54]
		push	eax
		push	offset _MiZeroInParallelWorker@4 ; MiZeroInParallelWorker(x)
		push	0
		push	0
		push	0
		push	1FFFFFh
		lea	eax, [ebp+var_14]
		push	eax
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_4CF3E2
		push	0
		push	[ebp+var_14]
		call	ObCloseHandle
		inc	esi
		cmp	esi, ebx
		jb	short loc_4CF3B0
		jmp	short loc_4CF3FE
; 

loc_4CF3E2:				; CODE XREF: MiZeroInParallel(x)+14Bj
		sub	ebx, esi
		lea	ecx, [ebp+var_50]
		mov	eax, ebx
		neg	eax
		lock xadd [ecx], eax
		cmp	eax, ebx
		jnz	short loc_4CF3FE
		xor	edx, edx
		lea	ecx, [ebp+var_48]
		inc	edx
		call	KeSignalGate

loc_4CF3FE:				; CODE XREF: MiZeroInParallel(x)+15Cj
					; MiZeroInParallel(x)+16Dj
		test	ebx, ebx
		jz	short loc_4CF40B
		push	edi
		push	[ebp+var_C]
		call	KeSetPriorityThread

loc_4CF40B:				; CODE XREF: MiZeroInParallel(x)+12Aj
					; MiZeroInParallel(x)+17Cj
		test	esi, esi
		jz	short loc_4CF41C
		push	ecx
		xor	edx, edx
		lea	ecx, [ebp+var_48]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		jmp	short loc_4CF425
; 

loc_4CF41C:				; CODE XREF: MiZeroInParallel(x)+189j
		lea	eax, [ebp+var_54]
		push	eax
		call	_MiZeroInParallelWorker@4 ; MiZeroInParallelWorker(x)

loc_4CF425:				; CODE XREF: MiZeroInParallel(x)+196j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiZeroInParallel@4 endp

; 
		align 10h
; Exported entry 1213. KeQueryActiveGroupCount

;  S U B	R O U T	I N E 


; __stdcall KeQueryActiveGroupCount()
		public _KeQueryActiveGroupCount@0
_KeQueryActiveGroupCount@0 proc	near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D4Ap
					; NtPowerInformation+1295p ...
		mov	ax, ds:_KiActiveGroups
		retn
_KeQueryActiveGroupCount@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; int __fastcall SmKmStoreHelperInitialize(void	*)
_SmKmStoreHelperInitialize@4 proc near	; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+14Bp
					; SMKM_STORE_SM_TRAITS___SmStStart+156p
		mov	edi, edi
		push	esi
		push	edi
		push	4Ch		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+4]
		push	edi
		push	edi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esi+14h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		pop	edi
		pop	esi
		retn
_SmKmStoreHelperInitialize@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateColorAnchors(x, x)
_MiCreateColorAnchors@8	proc near	; CODE XREF: MiInitializeMdlOneNodeBatchPages+188p
					; MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+DBp ...

var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		xor	esi, esi
		and	[ebp+var_4], esi
		mov	ebx, ecx
		stosd
		stosd
		xor	eax, eax
		xor	edi, edi
		cmp	ax, ds:_KeNumberNodes
		jnb	short loc_4CF4BA
		mov	esi, [ebp+arg_0]

loc_4CF490:				; CODE XREF: MiCreateColorAnchors(x,x)+52j
		push	esi
		call	MiGetClosestNodeWithProcessors
		mov	esi, eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		mov	eax, [ebp+var_4]
		test	ax, ax
		jnz	short loc_4CF4BD
		movzx	eax, ds:_KeNumberNodes
		inc	edi
		cmp	edi, eax
		jb	short loc_4CF490

loc_4CF4BA:				; CODE XREF: MiCreateColorAnchors(x,x)+25j
		push	2
		pop	eax

loc_4CF4BD:				; CODE XREF: MiCreateColorAnchors(x,x)+46j
		push	esi
		movzx	edi, ax
		call	_MiGetOptimalProcessorWriteCount@8 ; MiGetOptimalProcessorWriteCount(x,x)
		cmp	edi, eax
		jbe	short loc_4CF4CC
		mov	edi, eax

loc_4CF4CC:				; CODE XREF: MiCreateColorAnchors(x,x)+62j
		imul	ecx, edi, 1Ch
		mov	edx, 6C646D4Dh
		push	0
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_4CF515
		test	edi, edi
		jz	short loc_4CF4F9
		lea	eax, [edx+14h]
		mov	ecx, edi

loc_4CF4EC:				; CODE XREF: MiCreateColorAnchors(x,x)+91j
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 1Ch
		sub	ecx, 1
		jnz	short loc_4CF4EC

loc_4CF4F9:				; CODE XREF: MiCreateColorAnchors(x,x)+7Fj
		and	dword ptr [ebx+10h], 0
		xor	eax, eax
		and	dword ptr [ebx+4], 0
		inc	eax
		mov	[ebx+0Ch], edi
		lea	edi, [ebx+18h]
		mov	[ebx+14h], esi
		lea	esi, [ebp+var_10]
		movsd
		mov	[ebx], edx
		movsd
		movsd

loc_4CF515:				; CODE XREF: MiCreateColorAnchors(x,x)+7Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiCreateColorAnchors@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetOptimalProcessorWriteCount(x, x)
_MiGetOptimalProcessorWriteCount@8 proc	near ; CODE XREF: MiCreateColorAnchors(x,x)+5Bp
					; MiZeroNodePages+208p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4CF545
		imul	ecx, eax, 280h
		mov	eax, dword_6D4E50
		add	eax, 228h
		add	eax, ecx

loc_4CF53B:				; CODE XREF: MiGetOptimalProcessorWriteCount(x,x)+2Ej
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_4CF54C

loc_4CF541:				; CODE XREF: MiGetOptimalProcessorWriteCount(x,x)+33j
		pop	ebp
		retn	4
; 

loc_4CF545:				; CODE XREF: MiGetOptimalProcessorWriteCount(x,x)+Bj
		mov	eax, offset unk_6D5C34
		jmp	short loc_4CF53B
; 

loc_4CF54C:				; CODE XREF: MiGetOptimalProcessorWriteCount(x,x)+23j
		xor	eax, eax
		inc	eax
		jmp	short loc_4CF541
_MiGetOptimalProcessorWriteCount@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetClosestNodeWithProcessors proc near ; CODE	XREF: MiCreateColorAnchors(x,x)+2Bp
					; MiComputeIdealDpcGang(x,x)+18p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C7DA2 SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	[ebp+arg_0]
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		cmp	word ptr [ebp+var_4], 0
		jz	loc_5C7DA2
		mov	eax, [ebp+arg_0]

locret_4CF578:				; CODE XREF: MiGetClosestNodeWithProcessors+F8878j
		leave
		retn	4
MiGetClosestNodeWithProcessors endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KeWaitForGate(x, x, x)
@KeWaitForGate@12 proc near		; CODE XREF: MiUnlinkWorkingSet+118p
					; MiDrainControlAreaWrites(x,x)+62p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	esi, ecx
		lea	edi, [ebx+0E0h]

loc_4CF598:				; CODE XREF: KeWaitForGate(x,x,x)+8Fj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		push	0
		push	[ebp+var_4]
		xor	dl, dl
		mov	[ebx+92h], al
		mov	ecx, ebx
		call	KiBeginThreadWait
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_4CF60D
		mov	byte ptr [edi+8], 1
		mov	ecx, esi
		mov	byte ptr [edi+9], 4
		mov	[edi+0Ah], ax
		mov	[edi+10h], esi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		xor	edx, edx
		cmp	[esi+4], edx
		jnz	short loc_4CF614
		lea	eax, [esi+8]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_4CF633
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		push	edx
		push	edx
		push	edx
		push	edx
		mov	edx, edi
		mov	byte ptr [ebx+16Bh], 1
		mov	ecx, ebx
		call	KiCommitThreadWait
		cmp	eax, 100h
		jz	short loc_4CF598

loc_4CF60D:				; CODE XREF: KeWaitForGate(x,x,x)+3Bj
					; KeWaitForGate(x,x,x)+B5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4CF614:				; CODE XREF: KeWaitForGate(x,x,x)+58j
		mov	[esi+4], edx
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		mov	ecx, large fs:20h
		push	edx
		mov	edx, ebx
		call	_KiFastExitThreadWait@12 ; KiFastExitThreadWait(x,x,x)
		mov	eax, [ebp+var_8]
		jmp	short loc_4CF60D
; 

loc_4CF633:				; CODE XREF: KeWaitForGate(x,x,x)+62j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
@KeWaitForGate@12 endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StStart proc near	; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+2BFp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C7DE8 SIZE 0000015F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, edx
		push	esi
		xor	esi, esi
		push	edi
		mov	edx, [ebx+8]
		mov	edi, ecx
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], esi
		test	edx, edx
		jz	loc_5C7F3D
		lea	eax, [edx-1]
		test	eax, edx
		jnz	loc_5C7F3D
		lea	eax, [edx-1000h]
		cmp	eax, 1F000h
		ja	loc_5C7F3D
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_5C7E14
		cmp	eax, 40000h
		ja	loc_5C7E14
		mov	ecx, [ebx]
		test	ecx, 100h
		jnz	loc_5C7E14
		movzx	eax, cl
		cmp	eax, 1
		jz	loc_5C7DE8
		test	cl, cl
		jnz	loc_5C7E0B
		cmp	[ebx+10h], esi
		jnz	loc_5C7E14
		cmp	[ebx+24h], esi

loc_4CF6C0:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+F87CEj
		jnz	loc_5C7E14

loc_4CF6C6:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+F87D6j
		cmp	ecx, 200000h
		jnb	loc_5C7E14
		mov	esi, 600h
		mov	eax, ecx
		and	eax, esi
		cmp	eax, esi
		jz	loc_5C7E14
		mov	eax, 10400h
		and	ecx, eax
		cmp	ecx, eax
		jz	loc_5C7E14
		xor	ecx, ecx
		cmp	[ebx+1Ch], ecx
		setz	cl
		xor	eax, eax
		cmp	[ebx+18h], eax
		setz	al
		cmp	eax, ecx
		jnz	loc_5C7E14
		xor	esi, esi
		cmp	edx, 10h
		jbe	short loc_4CF71D

loc_4CF711:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+E3j
		inc	esi
		push	10h
		pop	eax
		mov	ecx, esi
		shl	eax, cl
		cmp	eax, edx
		jb	short loc_4CF711

loc_4CF71D:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+D7j
		xor	eax, eax
		mov	[edi+1Ch], esi
		inc	eax
		mov	ecx, esi
		shl	eax, cl
		mov	[edi+20h], eax
		lea	ecx, [eax-1]
		mov	[edi+18h], ecx
		cmp	dword ptr [ebx+8], 20000h
		jnz	short loc_4CF73C
		mov	[edi+20h], ecx

loc_4CF73C:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+FFj
		cmp	byte ptr [ebx],	0
		jnz	loc_5C7E1E

loc_4CF745:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+F87F6j
		mov	eax, [edi+28h]
		add	eax, 100Fh
		shr	eax, 4
		mov	[edi+24h], eax
		xor	eax, eax
		push	20h
		pop	ecx
		sub	ecx, esi
		inc	eax
		shl	eax, cl
		cmp	[ebx+0Ch], eax
		ja	loc_5C7E33
		push	6
		pop	ecx
		mov	esi, ebx
		rep movsd
		mov	edi, [ebx+0Ch]
		push	74536D73h
		add	edi, edi
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, [ebp+var_10]
		mov	[esi+2Ch], eax
		test	eax, eax
		jz	loc_4CF8D5
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebx]
		add	esp, 0Ch
		cmp	al, 1
		jz	loc_5C7E3D

loc_4CF7A6:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+F885Bj
		and	eax, 10000h
		lea	ecx, [ebp+var_C]
		neg	eax
		push	ecx
		sbb	eax, eax
		lea	ecx, [ebp+var_8]
		add	eax, 4
		movzx	eax, ax
		push	ecx
		push	eax
		mov	[esi+99Ch], ax
		call	_RtlGetCompressionWorkSpaceSize@12 ; RtlGetCompressionWorkSpaceSize(x,x,x)
		test	eax, eax
		js	loc_4CF8D0
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_8]
		mov	[esi+994h], ecx
		mov	[esi+998h], eax
		cmp	eax, ecx
		jbe	loc_5C7E98

loc_4CF7EC:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+F8865j
		test	eax, eax
		jz	short loc_4CF80E
		push	74536D73h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+990h], eax
		test	eax, eax
		jz	loc_4CF8D5

loc_4CF80E:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+1B6j
		mov	edi, [ebx+20h]
		test	edi, edi
		jnz	short loc_4CF82C
		lea	edi, [esi+960h]
		xor	edx, edx
		mov	ecx, edi
		call	StEtaHelper__StartHelper
		test	eax, eax
		js	loc_4CF8D0

loc_4CF82C:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+1DBj
		mov	[esi+958h], edi
		mov	eax, [ebx]
		mov	ecx, [ebx+1Ch]
		test	al, al
		jnz	loc_5C7EA2
		test	ecx, ecx
		jnz	loc_5C7ED7

loc_4CF847:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+F889Aj
		and	eax, 8000h
		mov	ecx, 1000h
		neg	eax
		push	74536D73h
		sbb	eax, eax
		and	eax, ecx
		add	eax, ecx
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+0A08h], eax
		test	eax, eax
		jz	short loc_4CF8D5
		mov	ecx, [ebx]
		xor	edi, edi
		cmp	cl, 1
		jz	loc_5C7EE1
		mov	edx, [ebx+0Ch]

loc_4CF883:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+F88BFj
		mov	eax, ecx
		shr	eax, 8
		and	eax, 1
		test	edi, edi
		jnz	loc_5C7EFC

loc_4CF893:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+F88CAj
		xor	ebx, ebx

loc_4CF895:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+F88D3j
		or	eax, ebx
		test	cl, cl
		jnz	short loc_4CF8AC
		or	eax, 40h
		mov	[ebp+var_4], eax
		test	ecx, 40000h
		jz	short loc_4CF8AF
		or	eax, 60h

loc_4CF8AC:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+261j
		mov	[ebp+var_4], eax

loc_4CF8AF:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+26Fj
		sub	edx, edi
		lea	eax, [ebp+var_4]
		push	edx
		push	ecx
		push	ecx
		push	eax
		lea	edx, [esi+38h]
		mov	ecx, esi
		call	ST_STORE_SM_TRAITS___StDmStart
		test	eax, eax
		js	short loc_4CF8D0
		test	edi, edi
		jnz	loc_5C7F10

loc_4CF8CE:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+F8900j
		xor	eax, eax

loc_4CF8D0:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+194j
					; ST_STORE_SM_TRAITS___StStart+1EEj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4CF8D5:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+152j
					; ST_STORE_SM_TRAITS___StStart+1D0j ...
		mov	eax, 0C000009Ah
		jmp	short loc_4CF8D0
ST_STORE_SM_TRAITS___StStart endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmStart proc near ; CODE	XREF: ST_STORE_SM_TRAITS___StStart+285p
					; ST_STORE_SM_TRAITS___StStart+F88F3p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C7F47 SIZE 0000008E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	38h		; size_t
		lea	eax, [ebp+var_40]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		mov	ebx, edx
		mov	[ebp+var_44], esi
		call	_memset
		add	esp, 0Ch
		lea	edx, [ebx+1ACh]
		mov	edi, edx
		push	0Bh
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_44]
		mov	edi, [ebp+arg_0]
		mov	eax, [edi]
		mov	[ebx+1D8h], eax
		lea	eax, [esi+0FE8h]
		mov	ecx, [esi+990h]
		mov	[ebx+484h], eax
		mov	[ebx+200h], ecx
		mov	eax, [esi+958h]
		mov	[ebx+228h], eax
		lea	eax, [esi+9A8h]
		mov	[ebx+234h], eax
		mov	eax, [esi+0A08h]
		mov	[ebx+41Ch], eax
		lea	eax, [esi+0FF0h]
		mov	[ebx+480h], eax
		mov	ax, [esi+99Ch]
		mov	[ebx+224h], ax
		lea	eax, [ebx+0Ch]
		mov	[ebx+20Ch], eax
		lea	eax, [ebx+30h]
		mov	[ebx+210h], eax
		mov	eax, [edx]
		mov	[ebx+208h], ecx
		test	eax, 40000h
		jz	loc_5C7F51
		mov	eax, [esi+0Ch]
		add	eax, 1Fh
		shr	eax, 5
		push	74536D73h
		shl	eax, 2
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_5C7F47
		mov	eax, [esi+0Ch]
		lea	ecx, [ebx+1DCh]
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	eax, [ebx+1ACh]

loc_4CF9D8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmStart+F867Bj
		test	eax, 40000h
		jz	short loc_4CF9E5
		push	ecx
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)

loc_4CF9E5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmStart+101j
		mov	eax, [esi+0Ch]
		add	eax, 1Fh
		shr	eax, 5
		push	74536D73h
		shl	eax, 2
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_5C7F47
		mov	eax, [esi+0Ch]
		lea	ecx, [ebx+254h]
		push	ecx
		mov	[ecx], eax
		mov	[ecx+4], edx
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		mov	eax, [esi+2Ch]
		mov	[ebx+240h], eax
		mov	eax, [esi+30h]
		mov	[ebx+244h], eax
		mov	eax, [esi+34h]
		xor	esi, esi
		mov	[ebx+248h], eax
		mov	eax, [ebp+arg_C]
		mov	[ebx+1E4h], eax
		mov	eax, [ebx+234h]
		cmp	[eax+0Ch], esi
		jnz	loc_5C7F5C

loc_4CFA54:				; CODE XREF: ST_STORE_SM_TRAITS___StDmStart+F86A3j
		test	byte ptr [edi],	8
		mov	[ebp+var_5C], esi
		jnz	loc_5C7F84
		or	[ebp+var_60], 0FFFFFFFFh

loc_4CFA64:				; CODE XREF: ST_STORE_SM_TRAITS___StDmStart+F86EFj
		lea	ecx, [ebx+314h]
		mov	[ebp+var_58], offset ?StNpEnumBTreeNodes@?$ST_STORE@USM_TRAITS@@@@SGJPAUNP_CTX@NP_CONTEXT@@P6GJPAX1PAK@Z1@Z ; ST_STORE<SM_TRAITS>::StNpEnumBTreeNodes(NP_CONTEXT::NP_CTX *,long	(*)(void *,void	*,ulong	*),void	*)
		lea	edx, [ebp+var_60]
		mov	[ebp+var_54], offset ?StNpLeafPageOut@?$ST_STORE@USM_TRAITS@@@@SGKPAUNP_CTX@NP_CONTEXT@@PAX@Z ;	ST_STORE<SM_TRAITS>::StNpLeafPageOut(NP_CONTEXT::NP_CTX	*,void *)
		mov	[ebp+var_50], offset ?StNpLeafPageIn@?$ST_STORE@USM_TRAITS@@@@SGJPAUNP_CTX@NP_CONTEXT@@PAXK@Z ;	ST_STORE<SM_TRAITS>::StNpLeafPageIn(NP_CONTEXT::NP_CTX *,void *,ulong)
		mov	[ebp+var_4C], offset ?StNpLeafDelete@?$ST_STORE@USM_TRAITS@@@@SGXPAUNP_CTX@NP_CONTEXT@@K@Z ; ST_STORE<SM_TRAITS>::StNpLeafDelete(NP_CONTEXT::NP_CTX *,ulong)
		call	NP_CONTEXT__NpStart
		test	eax, eax
		js	short loc_4CFAB8
		lea	ecx, [ebx+36Ch]
		lea	edx, [ebp+var_60]
		call	NP_CONTEXT__NpStart
		test	eax, eax
		js	short loc_4CFAB8
		lea	ecx, [ebx+3C4h]
		lea	edx, [ebp+var_60]
		call	NP_CONTEXT__NpStart
		test	eax, eax
		js	short loc_4CFAB8
		mov	eax, esi

loc_4CFAB8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmStart+1B4j
					; ST_STORE_SM_TRAITS___StDmStart+1C6j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
ST_STORE_SM_TRAITS___StDmStart endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NP_CONTEXT__NpStart proc near		; CODE XREF: ST_STORE_SM_TRAITS___StDmStart+1ADp
					; ST_STORE_SM_TRAITS___StDmStart+1BFp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C7FD5 SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		lea	edx, [ebp+var_8]
		mov	[ebp+var_4], edx
		cmp	dword ptr [edi+4], 0
		ja	loc_5C7FD5

loc_4CFAF1:				; CODE XREF: NP_CONTEXT__NpStart+F853Cj
		mov	esi, [edx]
		lea	ecx, [ebx+2Ch]
		test	esi, esi
		jz	short loc_4CFB21
		mov	eax, [ecx+4]
		add	esi, [eax]
		mov	eax, [ecx]
		mov	[edx], eax
		mov	eax, [ebp+var_8]
		mov	[ecx], eax
		mov	eax, [ecx+4]
		cmp	eax, ecx
		jnz	short loc_4CFB15
		mov	eax, [ebp+var_4]
		mov	[ecx+4], eax

loc_4CFB15:				; CODE XREF: NP_CONTEXT__NpStart+43j
		mov	[eax], esi
		lea	edx, [ebp+var_8]
		and	[ebp+var_8], 0
		mov	[ebp+var_4], edx

loc_4CFB21:				; CODE XREF: NP_CONTEXT__NpStart+2Ej
		push	6
		mov	esi, edi
		mov	edi, ebx
		pop	ecx
		rep movsd
		xor	esi, esi

loc_4CFB2C:				; CODE XREF: NP_CONTEXT__NpStart+95j
		lea	eax, [ebp+var_8]
		cmp	edx, eax
		jz	short loc_4CFB43
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx]
		mov	[ebp+var_8], eax
		cmp	ecx, edx
		jz	short loc_4CFB4A
		dec	dword ptr [edx]
		jmp	short loc_4CFB54
; 

loc_4CFB43:				; CODE XREF: NP_CONTEXT__NpStart+67j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4CFB4A:				; CODE XREF: NP_CONTEXT__NpStart+73j
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], eax

loc_4CFB54:				; CODE XREF: NP_CONTEXT__NpStart+77j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4CFB5C:				; CODE XREF: NP_CONTEXT__NpStart+F8546j
		mov	edx, [ebp+var_4]
		jmp	short loc_4CFB2C
NP_CONTEXT__NpStart endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2327. RtlSetAllBits

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSetAllBits(x)
		public _RtlSetAllBits@4
_RtlSetAllBits@4 proc near		; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+A8p
					; SMKM_STORE<SM_TRAITS>::SmStOutSwapPrepareStore(SMKM_STORE<SM_TRAITS> *)+6Ep ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	0FFFFFFFFh
		push	0
		pop	eax
		mov	ecx, [edx]
		test	cl, 1Fh
		setnz	al
		shr	ecx, 5
		add	eax, ecx
		shl	eax, 2
		push	eax
		push	dword ptr [edx+4]
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		pop	ebp
		retn	4
_RtlSetAllBits@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

StEtaHelper__StartHelper proc near	; CODE XREF: ST_STORE_SM_TRAITS___StStart+1E7p
					; SmcCacheStart(x,x,x)+145p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C8015 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_2C], 1000h
		push	esi
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_30], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], 2000h
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], 4000h
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], 8000h
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], eax
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], 5F5E100h
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], eax
		mov	[ebp+var_5C], esi
		mov	[ebp+var_58], eax
		push	edi
		mov	edi, 800h
		mov	[ebp+var_34], edi
		test	edx, edx
		jnz	loc_5C8015
		lea	eax, [ebp+var_54]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_5C]

loc_4CFC09:				; CODE XREF: StEtaHelper__StartHelper+F849Ej
		push	40h
		mov	[ebp+var_40], eax
		lea	edx, [ebp+var_44]
		pop	eax
		mov	word ptr [ebp+var_3C], ax
		push	0Fh
		pop	eax
		mov	word ptr [ebp+var_3C+2], ax
		xor	eax, eax
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	StEtaStart
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
StEtaHelper__StartHelper endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

StEtaStart	proc near		; CODE XREF: StEtaHelper__StartHelper+96p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C8033 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_1C], edx
		mov	ebx, ecx
		xor	esi, esi
		push	eax
		mov	[ebp+var_24], ebx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	eax, [ebp+var_2C]
		or	eax, [ebp+var_28]
		jz	loc_5C8033
		mov	edi, esi
		lea	ecx, [ebx+10h]
		mov	[ebp+var_14], edi
		mov	[ebp+var_18], ecx

loc_4CFC76:				; CODE XREF: StEtaStart+F8j
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+edi*4]
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_4CFD25
		xor	ebx, ebx
		mov	ecx, eax
		inc	ebx
		cmp	dword ptr [eax], 0FFFFFFFFh
		jb	loc_5C803D

loc_4CFC95:				; CODE XREF: StEtaStart+F840Cj
		push	74496D73h
		mov	eax, ebx
		shl	eax, 5
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	loc_5C804B
		mov	ecx, esi
		mov	[ebp+var_8], ecx
		test	ebx, ebx
		jz	short loc_4CFD20
		mov	edi, [ebp+var_10]
		mov	[ebp+var_C], eax

loc_4CFCC4:				; CODE XREF: StEtaStart+DEj
		push	[ebp+var_28]
		push	[ebp+var_2C]
		push	esi
		push	dword ptr [edi+ecx*8+4]
		call	__allmul
		push	esi
		push	0F4240h
		push	edx
		push	eax
		call	__alldiv
		mov	ecx, eax
		mov	eax, [ebp+var_8]
		mov	eax, [edi+eax*8]
		mov	edi, [ebp+var_C]
		mov	[edi+4], esi
		mov	[edi+10h], esi
		mov	[edi+14h], esi
		mov	[edi+18h], esi
		mov	[edi+1Ch], esi
		mov	[edi], eax
		mov	eax, [ebp+var_C]
		mov	edi, [ebp+var_10]
		mov	[eax+8], ecx
		mov	ecx, [ebp+var_8]
		inc	ecx
		mov	[eax+0Ch], edx
		add	eax, 20h
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], eax
		cmp	ecx, ebx
		jb	short loc_4CFCC4
		mov	edi, [ebp+var_14]
		mov	eax, [ebp+var_20]

loc_4CFD20:				; CODE XREF: StEtaStart+82j
		mov	ecx, [ebp+var_18]
		mov	[ecx], eax

loc_4CFD25:				; CODE XREF: StEtaStart+47j
		inc	edi
		add	ecx, 4
		mov	[ebp+var_14], edi
		mov	[ebp+var_18], ecx
		cmp	edi, 2
		jl	loc_4CFC76
		mov	edx, [ebp+arg_0]
		mov	edi, [ebp+var_24]
		mov	ecx, [edx]
		mov	[edi+18h], ecx
		mov	ecx, [edx+4]
		mov	[edi+1Ch], ecx

loc_4CFD49:				; CODE XREF: StEtaStart+F83FEj
					; StEtaStart+F8416j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
StEtaStart	endp


;  S U B	R O U T	I N E 


; int __fastcall SMKM_STORE_SM_TRAITS___SmStReadThreadCtxInitialize(void *)
?SmStReadThreadCtxInitialize@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU_SMKM_STORE_READ_THREAD_CTX@@@Z proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+161p
		mov	edi, edi
		push	esi
		push	edi
		push	30h		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+4]
		push	edi
		push	edi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esi+14h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esi+24h]
		mov	[eax+4], eax
		mov	[eax], edi
		mov	[esi+2Ch], edi
		pop	edi
		pop	esi
		retn
?SmStReadThreadCtxInitialize@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU_SMKM_STORE_READ_THREAD_CTX@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmFirstTimeInit	proc near		; CODE XREF: SmProcessCreateRequest+141p

var_60		= dword	ptr -60h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C8055 SIZE 000000A4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+50h+var_4], eax
		and	[esp+50h+var_40], 0
		xor	eax, eax
		push	esi
		push	edi
		mov	[esp+58h+var_44], ecx
		lea	edi, [esp+58h+var_28]
		push	6
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		mov	esi, edx
		mov	[esp+58h+var_30], 100003h
		mov	[esp+58h+var_10], 100005h
		mov	[esp+58h+var_C], 100002h
		dec	word ptr [eax+13Ch]
		mov	[esp+58h+var_8], 100014h
		nop
		xor	edx, edx
		mov	ecx, offset unk_718464
		call	ExAcquirePushLockExclusiveEx
		mov	eax, ds:dword_718458
		test	eax, eax
		jz	loc_4D0059
		cmp	eax, esi
		jnz	loc_5C8055

loc_4CFE07:				; CODE XREF: SmFirstTimeInit+2D6j
		mov	eax, ds:dword_718450
		test	al, 8
		jz	loc_4D0065

loc_4CFE14:				; CODE XREF: SmFirstTimeInit+2FAj
		mov	edx, ds:dword_71845C
		test	edx, edx
		jz	loc_4D0089
		xor	edi, edi

loc_4CFE24:				; CODE XREF: SmFirstTimeInit+399j
		mov	ecx, ds:dword_718450
		test	cl, 2
		jz	loc_4D0128

loc_4CFE33:				; CODE XREF: SmFirstTimeInit+3CBj
		test	cl, 10h
		jz	loc_4D015A

loc_4CFE3C:				; CODE XREF: SmFirstTimeInit+3F1j
		mov	eax, ds:dword_718454
		test	eax, eax
		jz	loc_4D0186
		cmp	[esp+58h+var_44], eax
		jnz	loc_5C80EC

loc_4CFE53:				; CODE XREF: SmFirstTimeInit+472j
		mov	eax, ds:dword_718450
		test	al, 20h
		jz	loc_4D0201

loc_4CFE60:				; CODE XREF: SmFirstTimeInit+49Dj
		test	al, 1
		jz	loc_4D022C

loc_4CFE68:				; CODE XREF: SmFirstTimeInit+4CEj
		and	[esp+58h+var_4C], 0

loc_4CFE6D:				; CODE XREF: SmFirstTimeInit+2EDj
					; SmFirstTimeInit+35Cj	...
		or	ecx, 0FFFFFFFFh
		mov	edx, offset unk_718464
		mov	[esp+58h+var_44], ecx
		mov	eax, ecx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_4CFE94
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh
		mov	edx, offset unk_718464

loc_4CFE94:				; CODE XREF: SmFirstTimeInit+F9j
		xor	edi, edi
		mov	[esp+58h+var_3C], edi
		test	edx, 7FFFFFFCh
		jz	loc_4CFF3A
		mov	esi, large fs:124h
		mov	eax, edx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[esp+58h+var_38], esi
		cmp	edx, offset unk_718464
		ja	short loc_4CFEE2
		cmp	byte ptr dword_6D3994[eax], 1
		jnz	loc_4D025D

loc_4CFED1:				; CODE XREF: SmFirstTimeInit+4E6j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[esp+58h+var_44], eax

loc_4CFEE2:				; CODE XREF: SmFirstTimeInit+138j
					; SmFirstTimeInit+4D9j	...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	edx, offset unk_718464
		push	ecx
		mov	ecx, esi
		mov	[esp+5Ch+var_45], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+58h+var_2C], ecx
		test	ecx, ecx
		jnz	short loc_4CFF54
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4CFFB9
		push	ecx
		push	[esp+5Ch+var_44]
		push	offset unk_718464
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4CFF35:				; CODE XREF: SmFirstTimeInit+25Ej
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_4CFF3A:				; CODE XREF: SmFirstTimeInit+116j
					; SmFirstTimeInit+24Cj	...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esp+6Ch+var_18]
		mov	eax, [esp+6Ch+var_60]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4CFF54:				; CODE XREF: SmFirstTimeInit+186j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_4CFF6B
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+58h+var_2C]

loc_4CFF6B:				; CODE XREF: SmFirstTimeInit+1D6j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+58h+var_3C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[esp+58h+var_45], 1
		mov	edx, eax
		jnz	loc_4D0041
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4CFFB9:				; CODE XREF: SmFirstTimeInit+190j
					; SmFirstTimeInit+2CAj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+58h+var_38], eax
		jnz	short loc_4CFFED

loc_4CFFCD:				; CODE XREF: SmFirstTimeInit+2A3j
					; SmFirstTimeInit+2B5j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	loc_4CFF3A
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	loc_4CFF3A
		jmp	loc_4CFF35
; 

loc_4CFFED:				; CODE XREF: SmFirstTimeInit+241j
		test	edi, 8000h
		jz	short loc_4CFFFE
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4CFFFE:				; CODE XREF: SmFirstTimeInit+269j
					; DATA XREF: .text:0041B6E0o ...
		test	byte ptr [esp+58h+var_3C+2], 1

loc_4D0003:				; DATA XREF: .text:004255DCo
					; .text:00425E5Co
		jz	short loc_4D000F
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4D000F:				; CODE XREF: SmFirstTimeInit:loc_4D0003j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4D0023

loc_4D0018:				; DATA XREF: FsRtlVolumeDeviceToCorrelationId(x,x)+36o
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4D0023:				; CODE XREF: SmFirstTimeInit+28Cj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_4CFFCD
		push	[esp+58h+var_38]
		mov	edx, offset unk_718464
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_4CFFCD
; 

loc_4D0041:				; CODE XREF: SmFirstTimeInit+219j
		mov	al, 1
		mov	ecx, edx

loc_4D0045:				; DATA XREF: .text:005A457Co
					; .text:005A5684o
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [esp+58h+var_38]
		jmp	loc_4CFFB9
; 

loc_4D0059:				; CODE XREF: SmFirstTimeInit+6Fj
		mov	eax, esi
		mov	ds:dword_718458, eax
		jmp	loc_4CFE07
; 

loc_4D0065:				; CODE XREF: SmFirstTimeInit+84j
		mov	ecx, offset dword_7185B0
		call	_SmRegistrationCtxStart@4 ; SmRegistrationCtxStart(x)
		mov	esi, eax
		mov	[esp+58h+var_4C], esi
		test	esi, esi
		js	loc_4CFE6D
		or	ds:dword_718450, 8
		jmp	loc_4CFE14
; 

loc_4D0089:				; CODE XREF: SmFirstTimeInit+92j
		call	_MmStoreCheckPagefiles@0 ; MmStoreCheckPagefiles()
		test	eax, eax
		jz	loc_5C8062
		mov	ecx, ds:_PsInitialSystemProcess
		lea	eax, [esp+58h+var_28]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		mov	ecx, ds:_PsInitialSystemProcess
		xor	edi, edi
		mov	edx, offset unk_6B2338
		mov	al, [ecx+3A6h]
		mov	byte ptr [esp+58h+var_3C], al
		lea	eax, [esp+58h+var_40]
		push	eax
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	[esp+70h+var_3C]
		push	edi
		call	PsCreateMinimalProcess
		mov	esi, eax
		lea	ecx, [esp+58h+var_28]
		xor	edx, edx
		mov	[esp+58h+var_4C], esi
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		test	esi, esi
		js	loc_4CFE6D
		push	edi
		lea	eax, [esp+5Ch+var_34]
		mov	[esp+5Ch+var_34], edi
		push	eax
		push	edi
		push	edi
		push	edi
		push	[esp+6Ch+var_40]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	[esp+58h+var_4C], esi
		test	esi, esi
		js	loc_5C806F
		mov	edx, [esp+58h+var_40]
		mov	eax, [esp+58h+var_34]
		mov	ds:dword_71845C, edx
		mov	ds:dword_718460, eax
		jmp	loc_4CFE24
; 

loc_4D0128:				; CODE XREF: SmFirstTimeInit+A3j
		push	ds:dword_718458
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	?SmStart@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU1@PAXK@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmStart(SMKM_STORE_MGR<SM_TRAITS> *,void *,ulong)
		mov	esi, eax
		mov	[esp+58h+var_4C], esi
		test	esi, esi
		js	loc_5C807D
		mov	ecx, ds:dword_718450
		or	ecx, 2
		mov	ds:dword_718450, ecx
		jmp	loc_4CFE33
; 

loc_4D015A:				; CODE XREF: SmFirstTimeInit+ACj
		xor	ecx, ecx
		inc	ecx
		call	_MmStoreChargeResidentAvailableForRead@4 ; MmStoreChargeResidentAvailableForRead(x)
		mov	ecx, ds:dword_718450
		shl	eax, 4
		xor	eax, ecx
		and	eax, 10h
		xor	ecx, eax
		mov	ds:dword_718450, ecx
		test	cl, 10h
		jnz	loc_4CFE3C
		jmp	loc_5C80B3
; 

loc_4D0186:				; CODE XREF: SmFirstTimeInit+B9j
		mov	edi, [esp+58h+var_44]
		lea	edx, [esp+58h+var_10]
		mov	ecx, edi
		and	ecx, 0FFFF000h
		or	ecx, 10000300h
		shr	ecx, 8
		mov	[esp+58h+var_30], ecx
		and	ecx, 0FFFF0h
		mov	eax, ecx
		or	ecx, 100002h
		or	eax, 100005h
		mov	[esp+58h+var_C], ecx
		push	3
		mov	ecx, offset unk_7185C0
		mov	[esp+5Ch+var_10], eax
		call	SmFpPreAllocate
		mov	esi, eax
		mov	[esp+58h+var_4C], esi
		test	esi, esi
		js	loc_4CFE6D
		push	1
		lea	edx, [esp+5Ch+var_30]
		mov	ecx, offset unk_718604
		call	SmFpPreAllocate
		mov	esi, eax
		mov	[esp+58h+var_4C], esi
		test	esi, esi
		js	loc_5C80C0
		mov	ds:dword_718454, edi
		jmp	loc_4CFE53
; 

loc_4D0201:				; CODE XREF: SmFirstTimeInit+D0j
		push	ecx
		mov	ecx, offset dword_71846C
		call	_ExAllocatePrivateWorkerPool@12	; ExAllocatePrivateWorkerPool(x,x,x)
		mov	ecx, eax
		mov	[esp+58h+var_4C], ecx
		test	ecx, ecx
		js	loc_4CFE6D
		mov	eax, ds:dword_718450
		or	eax, 20h
		mov	ds:dword_718450, eax
		jmp	loc_4CFE60
; 

loc_4D022C:				; CODE XREF: SmFirstTimeInit+D8j
		mov	eax, ds:dword_718474
		shr	eax, 7
		and	eax, 1
		push	eax
		push	ds:dword_718460
		call	MmStoreRegister
		mov	ecx, eax
		mov	[esp+58h+var_4C], ecx
		test	ecx, ecx
		js	loc_4CFE6D
		or	ds:dword_718450, 1
		jmp	loc_4CFE68
; 

loc_4D025D:				; CODE XREF: SmFirstTimeInit+141j
		cmp	edx, offset unk_718464
		ja	loc_4CFEE2
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4CFED1
		jmp	loc_4CFEE2
SmFirstTimeInit	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SSHSupportAllocateNonPaged(x, x)
_SSHSupportAllocateNonPaged@8 proc near	; CODE XREF: SmKmStoreAdd+1AFp
					; SmProcessCreateRequest+119p ...
		mov	edi, edi
		push	edx
		push	ecx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
_SSHSupportAllocateNonPaged@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StDrainReadContextList(struct ST_STORE<struct SM_TRAITS> *)
?StDrainReadContextList@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@@Z proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+4F4p
					; SMKM_STORE_SM_TRAITS___SmStOutSwapStore+2Fp ...
		mov	edi, edi
		push	esi
		add	ecx, 9A0h
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	esi, eax

loc_4D029C:				; CODE XREF: ST_STORE<SM_TRAITS>::StDrainReadContextList(ST_STORE<SM_TRAITS> *)+22j
		test	esi, esi
		jnz	short loc_4D02A2
		pop	esi
		retn
; 

loc_4D02A2:				; CODE XREF: ST_STORE<SM_TRAITS>::StDrainReadContextList(ST_STORE<SM_TRAITS> *)+12j
		mov	ecx, esi
		mov	esi, [esi]
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4D029C
?StDrainReadContextList@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@@Z endp


;  S U B	R O U T	I N E 


; __stdcall StEtaCleanup(x)
_StEtaCleanup@4	proc near		; CODE XREF: ST_STORE<SM_TRAITS>::StCleanup(ST_STORE<SM_TRAITS>	*)+6Bp
					; SmcCacheCleanup(x,x)+56p
		mov	edi, edi
		push	esi
		push	edi
		push	2
		lea	esi, [ecx+10h]
		pop	edi

loc_4D02BA:				; CODE XREF: StEtaCleanup(x)+1Ej
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_4D02C8
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4D02C8:				; CODE XREF: StEtaCleanup(x)+Ej
		add	esi, 4
		sub	edi, 1
		jnz	short loc_4D02BA
		pop	edi
		pop	esi
		retn
_StEtaCleanup@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmStoreDeleteWhenEmptyWorker(x)
_SmKmStoreDeleteWhenEmptyWorker@4 proc near ; DATA XREF: SmKmStoreDeleteWhenEmpty(x,x,x)+9Ao

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		push	0
		mov	edi, [eax+20h]
		mov	esi, [eax+24h]
		add	eax, 10h
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	edx, esi
		mov	ecx, edi
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		push	ecx
		push	0
		mov	ecx, edi
		mov	edx, [eax]
		mov	edx, [edx+10F0h]
		call	SmKmStoreDelete
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_SmKmStoreDeleteWhenEmptyWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback proc near	; DATA XREF: SmKmInitialize(x,x)+1Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C80F9 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_8]
		cmp	edi, 1
		jz	short loc_4D0351
		cmp	edi, 7
		jz	short loc_4D037A
		cmp	edi, 2
		jnz	loc_5C80F9
		mov	edx, [esi+10F0h]
		mov	ecx, ebx
		and	edx, 3FFh
		call	SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete
		jmp	short loc_4D0360
; 

loc_4D0351:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback+1Aj
		mov	ecx, esi
		call	SMKM_STORE_SM_TRAITS___SmStCleanup
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4D0360:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback+3Dj
					; SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback+F7DF7j
		xor	eax, eax

loc_4D0362:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback+6Fj
					; SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback+F7DEAj
		mov	ecx, [ebx+468h]
		test	ecx, ecx
		jz	short loc_4D0371
		push	edi
		push	esi
		push	ebx
		call	ecx

loc_4D0371:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback+58j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4D037A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback+1Fj
		or	byte ptr [esi+10F5h], 2
		jmp	short loc_4D0362
SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback endp

; 
		align 4

;  S U B	R O U T	I N E 


; long __stdcall SmpStoreMgrCallback(struct _SMKM_STORE_LIST *,	void *,	enum  _SMKM_CALLBACK_TYPE)
?SmpStoreMgrCallback@@YGJPAU_SMKM_STORE_LIST@@PAXW4_SMKM_CALLBACK_TYPE@@@Z proc	near
					; DATA XREF: RtlEnumerateGenericTableLikeADirectory+24o
					; PpmUpdatePlatformIdleVeto(x)+122o ...
		xor	eax, eax
		retn	0Ch
?SmpStoreMgrCallback@@YGJPAU_SMKM_STORE_LIST@@PAXW4_SMKM_CALLBACK_TYPE@@@Z endp

; 
		align 10h

;  S U B	R O U T	I N E 


SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete proc	near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback+38p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C810E SIZE 000000FD BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		push	esi
		push	edi
		push	40h		; size_t
		lea	eax, [ebp-48h]
		mov	[ebp-7Ch], edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		lea	eax, [ebp-48h]
		mov	dword ptr [ebp-5Ch], 0
		mov	[ebp-60h], eax
		add	esp, 0Ch
		xor	eax, eax
		mov	dword ptr [ebp-58h], 0
		mov	[ebp-6Ch], eax
		xor	esi, esi
		mov	eax, large fs:124h
		mov	dword ptr [ebp-4Ch], 0
		mov	dword ptr [ebp-54h], 0
		mov	dword ptr [ebp-50h], 8
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [edi+0F0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp-78h], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+0F4h]
		lea	ecx, [edi+0F4h]
		xor	edi, edi
		mov	[ebp-68h], ecx
		xor	edx, edx
		mov	[ebp-74h], edi
		mov	[ebp-70h], edx
		test	eax, eax
		jz	short loc_4D0453
		cmp	[eax+3], dl
		jnz	short loc_4D0449

loc_4D0441:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+B7j
		mov	eax, [eax+4]
		cmp	[eax+3], dl
		jz	short loc_4D0441

loc_4D0449:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+AFj
		mov	edi, eax
		mov	edx, eax
		mov	[ebp-74h], edi
		mov	[ebp-70h], edx

loc_4D0453:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+AAj
		xor	eax, eax
		jmp	short loc_4D0463
; 
		jmp	short loc_4D0460
; 
		align 10h

loc_4D0460:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+C7j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+10Bj
		mov	eax, [ebp-6Ch]

loc_4D0463:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+C5j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7E2Aj
		test	eax, eax
		jnz	loc_5C810E

loc_4D046B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7D9Ej
		test	edi, edi
		jz	short loc_4D04B6
		movzx	eax, word ptr [edi]
		add	edx, 8
		inc	eax
		mov	[ebp-70h], edx
		lea	eax, [edi+eax*8]
		cmp	edx, eax
		jnb	short loc_4D04A2
		mov	eax, edx
		jmp	short loc_4D048D
; 

loc_4D0484:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+117j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+124j
		lea	ecx, [eax+8]
		neg	eax
		sbb	eax, eax
		and	eax, ecx

loc_4D048D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F2j
		test	eax, eax
		jz	short loc_4D04B6
		movzx	ecx, word ptr [eax+4]
		cmp	ecx, [ebp-7Ch]
		mov	ecx, [ebp-68h]
		jnz	short loc_4D0460
		jmp	loc_5C8133
; 

loc_4D04A2:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+EEj
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_4D0484
		mov	edi, eax
		lea	edx, [eax+8]
		mov	[ebp-74h], edi
		mov	[ebp-70h], edx
		jmp	short loc_4D0484
; 

loc_4D04B6:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+DDj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+FFj
		mov	edx, [ebp-78h]
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4D0606

loc_4D04CA:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+280j
		xor	edi, edi
		mov	[ebp-68h], edi
		test	edx, 7FFFFFFCh
		jz	loc_4D05D4
		mov	esi, large fs:124h
		mov	eax, edx
		mov	ecx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp-80h], esi
		cmp	edx, ecx
		jb	short loc_4D0512
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4D05F3
		cmp	edx, ecx
		jb	short loc_4D0512
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4D05F3

loc_4D0512:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+162j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+173j
		or	eax, 0FFFFFFFFh

loc_4D0515:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+271j
		dec	word ptr [esi+13Eh]
		mov	[ebp-6Ch], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	[ebp-61h], cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp-7Ch], ecx
		test	ecx, ecx
		jz	loc_4D065C
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4D066F

loc_4D0557:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+2E7j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-68h], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp-61h], 1
		jnz	loc_5C81D3
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_4D05AA:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+2D4j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7E53j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-80h], eax
		jnz	short loc_4D0615

loc_4D05BD:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+2C1j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7E76j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4D05D4
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_4D067C

loc_4D05D4:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+145j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+236j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp-4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4D05F3:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+16Bj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+17Cj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, [ebp-78h]
		jmp	loc_4D0515
; 

loc_4D0606:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+134j
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp-78h]
		jmp	loc_4D04CA
; 

loc_4D0615:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+22Bj
		test	edi, 8000h
		jz	short loc_4D0626
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4D0626:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+28Bj
		test	byte ptr [ebp-66h], 1
		jnz	loc_5C81E8

loc_4D0630:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7E64j
		test	edi, 7FFFh
		jz	short loc_4D0647
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4D0647:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+2A6j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4D05BD
		jmp	loc_5C81F9
; 

loc_4D065C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+1AFj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4D05AA
		jmp	loc_5C81BF
; 

loc_4D066F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+1C1j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp-7Ch]
		jmp	loc_4D0557
; 

loc_4D067C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+23Ej
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4D05D4
SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStCleanup proc	near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback+41p
					; SmProcessCreateRequest+14E9F7p

var_60		= dword	ptr -60h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C820B SIZE 00000074 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+58h+var_4], eax
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [esp+60h+var_1C]
		push	6
		xor	eax, eax
		mov	[esp+64h+var_24], esi
		pop	ecx
		or	byte ptr [esi+10F5h], 1
		rep stosd
		mov	ecx, [esi+1178h]
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_4D06F4
		push	1
		push	edi
		lea	eax, [esi+1158h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	edi
		push	edi
		push	edi
		push	edi
		push	dword ptr [esi+1178h]
		call	KeWaitForSingleObject
		mov	ecx, [esi+1178h]
		test	ecx, ecx
		jz	short loc_4D06F4
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag

loc_4D06F4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+3Aj
					; SMKM_STORE_SM_TRAITS___SmStCleanup+62j
		xor	edx, edx
		lea	ecx, [esi+118Ch]
		inc	edx
		call	_SmKmStoreHelperCheckWaitCommand@8 ; SmKmStoreHelperCheckWaitCommand(x,x)
		mov	al, [esi+10F5h]
		test	al, 4
		jz	short loc_4D074D
		lea	ecx, [esi+1224h]
		call	?SmStReadThreadCtxCleanup@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU_SMKM_STORE_READ_THREAD_CTX@@@Z ; SMKM_STORE<SM_TRAITS>::SmStReadThreadCtxCleanup(_SMKM_STORE_READ_THREAD_CTX *)
		mov	al, [esi+10F5h]
		test	al, 4
		jz	short loc_4D074D
		mov	ecx, [esi+125Ch]
		test	ecx, ecx
		jz	short loc_4D073D
		lea	eax, [esp+60h+var_1C]
		xor	edx, edx
		push	eax
		call	KiStackAttachProcess
		mov	al, [esi+10F5h]

loc_4D073D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+A3j
		test	al, 4
		jz	short loc_4D074D
		cmp	[esi+1254h], edi
		jnz	loc_4D098E

loc_4D074D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+84j
					; SMKM_STORE_SM_TRAITS___SmStCleanup+99j ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, esi
		call	?SmStAcquireStoreLockExclusive@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@@Z ; SMKM_STORE<SM_TRAITS>::SmStAcquireStoreLockExclusive(SMKM_STORE<SM_TRAITS> *)
		mov	ecx, esi
		call	?StCleanup@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@@Z ; ST_STORE<SM_TRAITS>::StCleanup(ST_STORE<SM_TRAITS> *)
		test	byte ptr [esi+10F5h], 4
		jz	loc_4D08BF
		lea	ecx, [esi+10F8h]
		or	eax, 0FFFFFFFFh
		mov	[esp+60h+var_28], ecx
		mov	[esp+60h+var_44], eax
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4D09AE

loc_4D0795:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+333j
		mov	[esp+60h+var_20], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4D08B3
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	esi, dword_6D07D0
		shr	edx, 15h
		cmp	ecx, esi
		mov	[esp+60h+var_40], esi
		mov	esi, [esp+60h+var_24]
		mov	[esp+60h+var_4C], eax
		jb	short loc_4D07D3
		cmp	byte ptr dword_6D3994[edx], 1
		jz	loc_4D0970

loc_4D07D3:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+13Ej
		cmp	ecx, [esp+60h+var_40]
		jb	short loc_4D07E6
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jz	loc_4D0970

loc_4D07E6:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+151j
					; SMKM_STORE_SM_TRAITS___SmStCleanup+303j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	dl, [eax+1E6h]
		push	[esp+60h+var_44]
		mov	[esp+64h+var_45], dl
		mov	edx, ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+60h+var_40], ecx
		test	ecx, ecx
		jz	loc_4D0A0F
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	dword ptr [ecx+10h], 0
		jl	loc_4D0A28

loc_4D082D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+3ABj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+60h+var_20], edi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [esp+60h+var_4C]
		mov	dword ptr [ecx+10h], 0
		push	30h
		sub	ecx, [eax+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		cmp	[esp+60h+var_45], 1
		mov	edx, eax
		jnz	loc_5C8221
		mov	eax, [esp+60h+var_4C]
		movzx	ecx, byte ptr [eax+1E4h]
		bts	ecx, edx
		mov	[eax+1E4h], cl

loc_4D0883:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+39Dj
					; SMKM_STORE_SM_TRAITS___SmStCleanup+F7BB6j
		nop
		dec	byte ptr [eax+1E6h]
		mov	ecx, edi
		and	ecx, 1FFFFh
		mov	[esp+60h+var_28], ecx
		jnz	loc_4D09BE

loc_4D089C:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+384j
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_4D08B3
		nop
		add	eax, 70h
		cmp	[eax], eax
		jnz	loc_4D0A3C

loc_4D08B3:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+119j
					; SMKM_STORE_SM_TRAITS___SmStCleanup+21Fj ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_4D08BF:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+EAj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	al, [esi+10F5h]
		test	al, 4
		jz	short loc_4D08EF
		cmp	dword ptr [esi+125Ch], 0
		jz	short loc_4D08EF
		xor	edx, edx
		lea	ecx, [esp+60h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	al, [esi+10F5h]

loc_4D08EF:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+24Dj
					; SMKM_STORE_SM_TRAITS___SmStCleanup+256j
		mov	cl, [esi+10F4h]
		test	cl, cl
		jnz	loc_5C8266
		mov	edi, [esi+1184h]
		test	al, 4
		jz	short loc_4D092F
		mov	eax, [esi+1188h]
		test	eax, eax
		jz	short loc_4D0919
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4D0919:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+289j
		lea	ecx, [esi+118Ch]
		call	_SmKmStoreHelperCleanup@4 ; SmKmStoreHelperCleanup(x)
		lea	ecx, [esi+11D8h]
		call	_SmKmStoreHelperCleanup@4 ; SmKmStoreHelperCleanup(x)

loc_4D092F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+27Fj
		test	edi, edi
		jz	short loc_4D093B
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4D093B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+2ABj
					; SMKM_STORE_SM_TRAITS___SmStCleanup+F7BE3j ...
		lea	ecx, [esi+1270h]
		call	SmFpCleanup
		test	byte ptr [esi+10F5h], 10h
		jz	short loc_4D095F
		mov	ecx, [esi+117Ch]
		xor	edx, edx
		push	1
		inc	edx
		call	_SmAcquireReleaseCharges@12 ; SmAcquireReleaseCharges(x,x,x)

loc_4D095F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+2C7j
		mov	ecx, [esp+60h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4D0970:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+147j
					; SMKM_STORE_SM_TRAITS___SmStCleanup+15Aj
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esp+60h+var_44], eax
		lea	ecx, [esi+10F8h]
		mov	eax, [esp+60h+var_4C]
		jmp	loc_4D07E6
; 

loc_4D098E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+C1j
		mov	edi, [esi+1254h]
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_4D099F
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_4D099F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+312j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		jmp	loc_4D074D
; 

loc_4D09AE:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+109j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi+10F8h]
		jmp	loc_4D0795
; 

loc_4D09BE:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+210j
		test	edi, 8000h
		jz	short loc_4D09D3
		xor	edx, edx
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [esp+60h+var_4C]

loc_4D09D3:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+33Ej
		test	byte ptr [esp+60h+var_20+2], 1
		jnz	loc_5C8241

loc_4D09DE:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+F7BC5j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4D0A36
		and	edi, eax
		mov	edx, edi
		mov	edi, [esp+60h+var_4C]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4D09F6:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+3B4j
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5C8250

loc_4D0A06:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+F7BDBj
		mov	eax, [esp+60h+var_4C]
		jmp	loc_4D089C
; 

loc_4D0A0F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+18Ej
		mov	ecx, [esp+60h+var_4C]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_5C820B
		mov	eax, ecx
		jmp	loc_4D0883
; 

loc_4D0A28:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+1A1j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+60h+var_40]
		jmp	loc_4D082D
; 

loc_4D0A36:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+35Fj
		mov	edi, [esp+60h+var_4C]
		jmp	short loc_4D09F6
; 

loc_4D0A3C:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+227j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4D08B3
SMKM_STORE_SM_TRAITS___SmStCleanup endp


;  S U B	R O U T	I N E 


; __stdcall SmKmStoreHelperCleanup(x)
_SmKmStoreHelperCleanup@4 proc near	; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+299p
					; SMKM_STORE_SM_TRAITS___SmStCleanup+2A4p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		cmp	[esi], edi
		jz	short loc_4D0A70
		xor	edx, edx
		inc	edx
		push	edx
		push	edi
		call	_SmKmStoreHelperSendCommand@16 ; SmKmStoreHelperSendCommand(x,x,x,x)
		push	edi
		push	edi
		push	edi
		push	edi
		push	dword ptr [esi]
		call	KeWaitForSingleObject
		mov	ecx, [esi]
		pop	edi
		pop	esi
		jmp	ObfDereferenceObject
; 

loc_4D0A70:				; CODE XREF: SmKmStoreHelperCleanup(x)+Aj
		pop	edi
		pop	esi
		retn
_SmKmStoreHelperCleanup@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


SmFpCleanup	proc near		; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+2BBp
					; SmFirstTimeInit+F833Dp ...

; FUNCTION CHUNK AT 005C827F SIZE 00000058 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	esi, esi

loc_4D0A7D:				; CODE XREF: SmFpCleanup+19j
					; SmFpCleanup+F785Ej
		mov	edi, [ebx+esi*4+14h]
		test	edi, edi
		jnz	loc_5C827F
		inc	esi
		cmp	esi, 6
		jb	short loc_4D0A7D
		pop	edi
		pop	esi
		pop	ebx
		retn
SmFpCleanup	endp

; 
		align 4

;  S U B	R O U T	I N E 


; public: static void __stdcall	SMKM_STORE<struct SM_TRAITS>::SmStReadThreadCtxCleanup(struct _SMKM_STORE_READ_THREAD_CTX *)
?SmStReadThreadCtxCleanup@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU_SMKM_STORE_READ_THREAD_CTX@@@Z proc	near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+8Cp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		cmp	[esi], edi
		jz	short loc_4D0ABF
		push	edi
		push	edi
		lea	eax, [esi+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	edi
		push	edi
		push	edi
		push	edi
		push	dword ptr [esi]
		call	KeWaitForSingleObject
		mov	ecx, [esi]
		pop	edi
		pop	esi
		jmp	ObfDereferenceObject
; 

loc_4D0ABF:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStReadThreadCtxCleanup(_SMKM_STORE_READ_THREAD_CTX *)+Aj
		pop	edi
		pop	esi
		retn
?SmStReadThreadCtxCleanup@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU_SMKM_STORE_READ_THREAD_CTX@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmpKeyedStoreSetVaRanges(x,	x, x, x)
_SmpKeyedStoreSetVaRanges@16 proc near	; CODE XREF: SmStoreSetProcessVaRanges(x,x)+4Ep

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, large fs:124h
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], edx
		push	edi
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_8], esi
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		push	1
		push	0
		lea	edx, [ebp+var_14]
		mov	ecx, esi
		call	_SmpKeyedStoreEntryGet@16 ; SmpKeyedStoreEntryGet(x,x,x,x)
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFE96h
		add	eax, 0C0000225h
		mov	[ebp+var_38], eax
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_4D0B33
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_4D0B33:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+68j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	esi, 7FFFFFFCh
		jz	short loc_4D0B77
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], esi
		pop	edx
		jnb	short loc_4D0B8A

loc_4D0B62:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+CFj
		cmp	eax, [ebp+var_30]
		jb	short loc_4D0BA6
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	short loc_4D0B93
		jmp	short loc_4D0BA6
; 

loc_4D0B72:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+1BBj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_4D0B77:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+7Cj
					; SmpKeyedStoreSetVaRanges(x,x,x,x)+1A9j ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_38]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4D0B8A:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+9Ej
		cmp	byte ptr dword_6D3994[ecx], 1
		jnz	short loc_4D0B62

loc_4D0B93:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+ACj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]

loc_4D0BA6:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+A3j
					; SmpKeyedStoreSetVaRanges(x,x,x,x)+AEj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_4D0BED
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_4D0C4F
		push	ecx
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4D0BED:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+10Dj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_4D0C03
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_4D0C03:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+137j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	ecx, eax
		jnz	loc_4D0CD2
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_4D0C4F:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+117j
					; SmpKeyedStoreSetVaRanges(x,x,x,x)+220j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jnz	short loc_4D0C82

loc_4D0C62:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+1FFj
					; SmpKeyedStoreSetVaRanges(x,x,x,x)+20Ej
		nop
		add	word ptr [esi+13Eh], 1
		jnz	loc_4D0B77
		nop
		lea	ecx, [esi+70h]
		cmp	[ecx], ecx
		jz	loc_4D0B77
		jmp	loc_4D0B72
; 

loc_4D0C82:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+19Ej
		test	edi, 8000h
		jz	short loc_4D0C93
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4D0C93:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+1C6j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_4D0CA3
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4D0CA3:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+1D5j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4D0CB7
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4D0CB7:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+1E8j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_4D0C62
		push	[ebp+var_34]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_4D0C62
; 

loc_4D0CD2:				; CODE XREF: SmpKeyedStoreSetVaRanges(x,x,x,x)+177j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_34]
		jmp	loc_4D0C4F
_SmpKeyedStoreSetVaRanges@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmInSwapWorkingSet proc	near		; CODE XREF: PspChangeProcessExecutionState+207p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C82D7 SIZE 000000A4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_14], eax
		mov	esi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	3
		pop	edx
		mov	[ebp+var_20], esi
		call	EtwTraceWorkingSetSwap
		push	offset unk_6D50F0
		call	ExAcquireSpinLockExclusive
		xor	edi, edi
		mov	[ebp+var_19], al
		inc	edi
		test	byte ptr [esi+2A0h], 7
		jnz	loc_5C8364
		mov	ebx, [esi+2D0h]
		test	ebx, ebx
		jz	loc_5C8364
		cmp	ebx, edi
		jz	loc_5C835A
		cmp	ebx, 2
		jz	loc_4D0E4A
		push	offset unk_6D50F0
		mov	[esi+2D0h], edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	dword_6D5100, 0
		jz	short loc_4D0D90
		mov	ecx, esi
		call	MiInSwapStore
		xor	edx, edx
		xor	ecx, ecx
		call	_SmStoreSetProcessVaRanges@8 ; SmStoreSetProcessVaRanges(x,x)

loc_4D0D90:				; CODE XREF: MmInSwapWorkingSet+96j
		mov	eax, [ebp+var_20]
		xor	esi, esi
		cmp	[eax+3E4h], esi
		jnz	loc_5C82D7

loc_4D0DA1:				; CODE XREF: MmInSwapWorkingSet+F75F4j
					; MmInSwapWorkingSet+F761Aj ...
		mov	ecx, [ebx]
		push	esi
		call	MiProcessWsInSwapSupport
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_5C8310

loc_4D0DB4:				; CODE XREF: MmInSwapWorkingSet+F7634j
		mov	ecx, [ebx+1Ch]
		test	ecx, ecx
		jz	short loc_4D0DC1
		push	edi
		call	MiProcessWsInSwapSupport

loc_4D0DC1:				; CODE XREF: MmInSwapWorkingSet+D1j
		cmp	dword ptr [ebx+4], 0
		jnz	loc_5C8321
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	_MiFreeWorkingSetSwapContext@8 ; MiFreeWorkingSetSwapContext(x,x)

loc_4D0DD7:				; CODE XREF: MmInSwapWorkingSet+F766Dj
		push	offset unk_6D50F0
		call	ExAcquireSpinLockExclusive
		mov	esi, [ebp+var_20]
		mov	[ebp+var_19], al
		test	byte ptr [esi+2A0h], 7
		jnz	short loc_4D0DFF
		cmp	[esi+2D0h], edi
		jnz	short loc_4D0DFF
		and	dword ptr [esi+2D0h], 0

loc_4D0DFF:				; CODE XREF: MmInSwapWorkingSet+106j
					; MmInSwapWorkingSet+10Ej
		xor	ebx, ebx

loc_4D0E01:				; CODE XREF: MmInSwapWorkingSet+167j
					; MmInSwapWorkingSet+F7677j ...
		push	offset unk_6D50F0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_5C836E

loc_4D0E1F:				; CODE XREF: MmInSwapWorkingSet+F768Ej
		mov	ecx, offset _MiSystemPartition
		call	MiContractWsSwapPageFile
		lea	eax, [ebp+var_18]
		mov	[ebp+var_8], ebx
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	EtwTraceWorkingSetSwap
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4D0E4A:				; CODE XREF: MmInSwapWorkingSet+70j
		mov	ebx, 0C000010Ah
		jmp	short loc_4D0E01
MmInSwapWorkingSet endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmOutSwapVirtualAddresses proc near	; CODE XREF: SmPerformStoreSwapOperation+24p

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_91		= byte ptr -91h
var_90		= dword	ptr -90h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_78		= dword	ptr -78h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C837B SIZE 000000AC BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 0B8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebx+8]
		mov	[ebp+var_9C], eax
		mov	eax, [ebx+0Ch]
		push	esi
		mov	esi, edx
		mov	[ebp+var_B4], eax
		xor	eax, eax
		mov	[ebp+var_B8], ecx
		push	edi
		mov	edi, large fs:124h
		lea	edx, [ebp+var_AC]
		mov	ecx, offset _MiSystemPartition
		mov	[ebp+var_A0], esi
		mov	[ebp+var_A4], eax
		mov	[ebp+var_AC], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_B0], edi
		call	MiFindBestOutswapPagefile
		mov	[ebp+var_98], eax
		cmp	eax, 10h
		jz	loc_5C837B
		mov	ecx, [ebp+var_B8]
		lea	eax, [ebp+var_18]
		push	2
		pop	edx
		push	eax
		mov	[ebp+var_18], edx
		call	EtwTraceWorkingSetSwap
		mov	edx, [ebp+var_9C]
		lea	eax, [ebp+var_A4]
		push	eax
		mov	ecx, esi
		call	_MiValidateMemoryRangeEntries@12 ; MiValidateMemoryRangeEntries(x,x,x)
		push	78h		; size_t
		lea	eax, [ebp+var_90]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		dec	word ptr [edi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D50EC
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebp+var_A4]

loc_4D0F37:				; CODE XREF: MmOutSwapVirtualAddresses+F7563j
		push	esi
		push	[ebp+var_AC]
		lea	edx, [ebp+var_78]
		push	[ebp+var_98]
		push	ecx
		mov	ecx, offset _MiSystemPartition
		call	_MiReserveWorkingSetSwapSpace@24 ; MiReserveWorkingSetSwapSpace(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_A8], edi
		test	edi, edi
		js	loc_5C8385
		mov	ecx, esi
		call	_MiAllocateWorkingSetSwapSupport@4 ; MiAllocateWorkingSetSwapSupport(x)
		mov	edi, eax
		mov	[ebp+var_A8], edi
		test	edi, edi
		jz	loc_5C83C0
		mov	ecx, [ebp+var_B8]
		mov	[ebp+var_90], edi
		mov	[ebp+var_84], offset _MiSystemPartition
		lea	eax, [ecx+240h]
		mov	[ebp+var_88], eax
		mov	eax, [ebp+var_B0]
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [ecx+134h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_98], eax
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+var_B0]
		or	byte ptr [ecx+304h], 2
		nop
		mov	eax, [ebp+var_A0]
		mov	edx, [ebp+var_9C]
		lea	edx, [eax+edx*8]
		cmp	eax, edx
		jnb	loc_4D106D
		mov	esi, eax
		mov	edi, edx

loc_4D0FE7:				; CODE XREF: MmOutSwapVirtualAddresses+207j
		mov	ecx, [esi]
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_4D1054
		mov	ecx, [edx+1Ch]
		test	cl, 70h
		jnz	short loc_4D1054
		mov	eax, ecx
		and	eax, 100000h
		jz	short loc_4D101B
		test	ecx, 400000h
		jnz	short loc_4D1054
		and	ecx, 0C0000h
		cmp	ecx, 80000h
		jnb	short loc_4D1054

loc_4D101B:				; CODE XREF: MmOutSwapVirtualAddresses+1B1j
		test	eax, eax
		jz	short loc_4D1054
		mov	eax, [esi+4]
		mov	ecx, [esi]
		dec	eax
		add	eax, ecx
		mov	[ebp+var_A0], eax
		shr	eax, 0Ch
		cmp	[edx+10h], eax
		jb	short loc_4D1054
		lea	eax, [ebp+var_90]
		push	eax
		push	[ebp+var_A0]
		push	ecx
		mov	ecx, [ebp+var_B8]
		lea	ecx, [ecx+240h]
		call	_MiOutSwapWorkingSet@20	; MiOutSwapWorkingSet(x,x,x,x,x)

loc_4D1054:				; CODE XREF: MmOutSwapVirtualAddresses+1A0j
					; MmOutSwapVirtualAddresses+1A8j ...
		add	esi, 8
		cmp	esi, edi
		jb	short loc_4D0FE7
		mov	esi, [ebp+var_A4]
		mov	edi, [ebp+var_A8]
		mov	ecx, [ebp+var_B0]

loc_4D106D:				; CODE XREF: MmOutSwapVirtualAddresses+18Bj
		and	byte ptr [ecx+304h], 0FDh
		xor	ecx, ecx
		mov	edx, [ebp+var_98]
		push	11h
		pop	eax
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	loc_4D12EB

loc_4D108C:				; CODE XREF: MmOutSwapVirtualAddresses+4A6j
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_B0]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	[edi+8], esi
		jnb	short loc_4D10BA
		mov	ecx, edi
		call	_MiReAllocateWorkingSetSwapSupport@4 ; MiReAllocateWorkingSetSwapSupport(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_4D10BA
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, esi

loc_4D10BA:				; CODE XREF: MmOutSwapVirtualAddresses+24Fj
					; MmOutSwapVirtualAddresses+25Cj
		mov	eax, [ebp+var_B4]
		mov	esi, [edi+0Ch]
		and	[ebp+var_A8], 0
		mov	[ebp+var_A4], esi
		mov	[eax], edi

loc_4D10D2:				; CODE XREF: MmOutSwapVirtualAddresses+F753Aj
					; MmOutSwapVirtualAddresses+F7569j ...
		push	ecx
		lea	edx, [ebp+var_78]
		mov	ecx, offset _MiSystemPartition
		call	_MiFreeReservationRuns@12 ; MiFreeReservationRuns(x,x,x)
		or	ecx, 0FFFFFFFFh
		mov	edx, offset unk_6D50EC
		mov	[ebp+var_A0], ecx
		mov	eax, ecx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4D1278

loc_4D10FE:				; CODE XREF: MmOutSwapVirtualAddresses+435j
		xor	edi, edi
		mov	[ebp+var_9C], edi
		test	edx, 7FFFFFFCh
		jz	loc_4D1227
		mov	esi, large fs:124h
		mov	eax, edx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_98], esi
		cmp	edx, offset unk_6D50EC
		ja	short loc_4D1154
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4D128C
		cmp	edx, offset unk_6D50EC
		ja	short loc_4D1154
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4D128C

loc_4D1154:				; CODE XREF: MmOutSwapVirtualAddresses+2DEj
					; MmOutSwapVirtualAddresses+2F3j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	edx, offset unk_6D50EC
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_91], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_B4], ecx
		test	ecx, ecx
		jz	loc_4D12FD
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4D1310

loc_4D119E:				; CODE XREF: MmOutSwapVirtualAddresses+4C9j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_9C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_91], 1
		mov	edx, eax
		jnz	loc_5C83E7
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4D11F0:				; CODE XREF: MmOutSwapVirtualAddresses+4B3j
					; MmOutSwapVirtualAddresses+F75AAj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_B4], eax
		jnz	loc_4D12A4

loc_4D120A:				; CODE XREF: MmOutSwapVirtualAddresses+48Ej
					; MmOutSwapVirtualAddresses+F75D0j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4D1221
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_4D1320

loc_4D1221:				; CODE XREF: MmOutSwapVirtualAddresses+3C1j
					; MmOutSwapVirtualAddresses+4D3j
		mov	esi, [ebp+var_A4]

loc_4D1227:				; CODE XREF: MmOutSwapVirtualAddresses+2BAj
		mov	ecx, [ebp+var_B0]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_28]
		xor	edx, edx
		mov	edi, [ebp+var_A8]
		mov	ecx, [ebp+var_B8]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_24]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_20]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_18]
		push	eax
		mov	[ebp+var_8], edi
		mov	[ebp+var_18], esi
		call	EtwTraceWorkingSetSwap
		mov	eax, edi

loc_4D1263:				; CODE XREF: MmOutSwapVirtualAddresses+F752Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4D1278:				; CODE XREF: MmOutSwapVirtualAddresses+2A6j
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh
		mov	edx, offset unk_6D50EC
		jmp	loc_4D10FE
; 

loc_4D128C:				; CODE XREF: MmOutSwapVirtualAddresses+2E7j
					; MmOutSwapVirtualAddresses+2FCj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_A0], eax
		jmp	loc_4D1154
; 

loc_4D12A4:				; CODE XREF: MmOutSwapVirtualAddresses+3B2j
		test	edi, 8000h
		jz	short loc_4D12B5
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4D12B5:				; CODE XREF: MmOutSwapVirtualAddresses+458j
		test	byte ptr [ebp+var_9C+2], 1
		jnz	loc_5C8401

loc_4D12C2:				; CODE XREF: MmOutSwapVirtualAddresses+F75B9j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4D12D6
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4D12D6:				; CODE XREF: MmOutSwapVirtualAddresses+477j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4D120A
		jmp	loc_5C8410
; 

loc_4D12EB:				; CODE XREF: MmOutSwapVirtualAddresses+234j
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, [ebp+var_98]
		jmp	loc_4D108C
; 

loc_4D12FD:				; CODE XREF: MmOutSwapVirtualAddresses+334j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4D11F0
		jmp	loc_5C83CF
; 

loc_4D1310:				; CODE XREF: MmOutSwapVirtualAddresses+346j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_B4]
		jmp	loc_4D119E
; 

loc_4D1320:				; CODE XREF: MmOutSwapVirtualAddresses+3C9j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4D1221
MmOutSwapVirtualAddresses endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiOutSwapKernelStackPage(x,	x, x)
_MiOutSwapKernelStackPage@12 proc near	; CODE XREF: MiOutPageSingleKernelStack+297p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_6C		= dword	ptr -6Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_88], eax
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, [ebx+1Ch]
		test	esi, esi
		jz	short loc_4D13C8
		mov	eax, [esi+4]
		cmp	eax, [esi+8]
		jbe	short loc_4D13CF
		cmp	dword ptr [ebx+28h], 0
		jz	short loc_4D13CF
		push	78h		; size_t
		lea	eax, [ebp+var_84]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_88]
		lea	edx, [ebp+var_84]
		mov	[ebp+var_84], esi
		mov	ecx, offset unk_6D3A40
		mov	[ebp+var_78], edi
		lea	esi, [ebx+20h]
		mov	[ebp+var_7C], ecx
		lea	edi, [ebp+var_6C]
		movsd
		add	esp, 0Ch
		shl	eax, 9
		movsd
		push	edx
		push	eax
		push	eax
		movsd
		xor	edx, edx
		movsd
		call	_MiOutSwapWorkingSet@20	; MiOutSwapWorkingSet(x,x,x,x,x)
		lea	esi, [ebp+var_6C]
		xor	eax, eax
		lea	edi, [ebx+20h]
		movsd
		movsd
		movsd
		movsd

loc_4D13B7:				; CODE XREF: MiOutSwapKernelStackPage(x,x,x)+A3j
					; MiOutSwapKernelStackPage(x,x,x)+AAj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_4D13C8:				; CODE XREF: MiOutSwapKernelStackPage(x,x,x)+2Aj
		mov	eax, 0C00000ABh
		jmp	short loc_4D13B7
; 

loc_4D13CF:				; CODE XREF: MiOutSwapKernelStackPage(x,x,x)+32j
					; MiOutSwapKernelStackPage(x,x,x)+38j
		mov	eax, 0C0000209h
		jmp	short loc_4D13B7
_MiOutSwapKernelStackPage@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmOutSwapWorkingSet proc near		; CODE XREF: PspChangeProcessExecutionState+1E9p

var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_91		= byte ptr -91h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_78		= dword	ptr -78h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C8427 SIZE 00000284 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 0C8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	eax, ecx
		mov	ecx, large fs:124h
		push	edi
		mov	[ebp+var_A4], eax
		mov	edi, edx
		xor	edx, edx
		mov	[ebp+var_C4], edi
		add	eax, 240h
		mov	[ebp+var_B4], edx
		push	78h		; size_t
		mov	[ebp+var_BC], eax
		mov	esi, edx
		push	edx		; int
		lea	eax, [ebp+var_90]
		mov	[ebp+var_14], edx
		push	eax		; void *
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_AC], esi
		mov	[ebp+var_C8], edx
		mov	[ebp+var_B0], edx
		call	_memset
		and	[ebp+var_18], esi
		add	esp, 0Ch
		mov	[ebp+var_84], offset _MiSystemPartition
		test	edi, edi
		jnz	loc_5C8427

loc_4D1476:				; CODE XREF: MmOutSwapWorkingSet+F7058j
		mov	ecx, [ebp+var_A4]
		call	_SmStoreExistsForProcess@4 ; SmStoreExistsForProcess(x)
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_C0], edi
		test	eax, eax
		jz	short loc_4D149E
		or	[ebp+var_18], 4
		push	2
		pop	esi
		mov	[ebp+var_AC], esi
		mov	[ebp+var_80], edi

loc_4D149E:				; CODE XREF: MmOutSwapWorkingSet+B6j
		mov	ecx, [ebp+var_A4]
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		pop	edx
		call	EtwTraceWorkingSetSwap
		lea	edx, [ebp+var_B4]
		mov	ecx, offset _MiSystemPartition
		call	MiFindBestOutswapPagefile
		mov	[ebp+var_A0], eax
		mov	edx, offset unk_6D50EC
		push	30h
		pop	ecx
		cmp	eax, 10h
		jz	loc_5C8433
		push	0
		push	40h
		mov	edx, 43536D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_9C], edi
		test	edi, edi
		jz	loc_5C8442
		mov	eax, [ebp+var_A8]
		or	esi, 1
		mov	[ebp+var_AC], esi
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D50EC
		call	ExAcquirePushLockExclusiveEx
		push	offset unk_6D50F0
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_BC]
		mov	[ebp+var_91], al
		mov	al, [ecx+60h]
		and	al, 7
		jnz	loc_5C8496
		lea	eax, [ecx+90h]
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	loc_5C8451

loc_4D1549:				; CODE XREF: MmOutSwapWorkingSet+F70C7j
					; MmOutSwapWorkingSet+F70D3j
		push	offset unk_6D50F0
		mov	dword ptr [eax], 1
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	cl, [ebp+var_91]
		mov	[ebp+var_B8], eax
		call	eax

loc_4D156C:				; CODE XREF: MmOutSwapWorkingSet+F7133j
		mov	eax, [ebp+var_A4]
		mov	eax, [eax+284h]
		mov	[ebp+var_B0], eax
		test	eax, eax
		jz	loc_5C8616
		cmp	[ebp+var_80], 0FFFFFFFFh
		jnz	loc_5C84AE

loc_4D1590:				; CODE XREF: MmOutSwapWorkingSet+F7144j
		mov	ecx, eax
		call	_MiAllocateWorkingSetSwapSupport@4 ; MiAllocateWorkingSetSwapSupport(x)
		mov	edi, [ebp+var_9C]
		mov	[edi], eax
		test	eax, eax
		jz	loc_5C851F
		cmp	[ebp+var_80], 0FFFFFFFFh
		jnz	loc_5C852E

loc_4D15B1:				; CODE XREF: MmOutSwapWorkingSet+F715Cj
		and	[ebp+var_A0], 0
		cmp	[ebp+var_C4], 0
		jnz	loc_5C8537

loc_4D15C5:				; CODE XREF: MmOutSwapWorkingSet+F7189j
					; MmOutSwapWorkingSet+F719Bj
		mov	eax, [edi]
		mov	ecx, [ebp+var_A4]
		mov	[ebp+var_90], eax
		mov	eax, [edi+4]
		mov	[ebp+var_8C], eax
		cmp	dword ptr [ecx+3E4h], 0
		mov	eax, [ebp+var_BC]
		mov	[ebp+var_88], eax
		jnz	loc_5C8576

loc_4D15F5:				; CODE XREF: MmOutSwapWorkingSet+F71A7j
					; MmOutSwapWorkingSet+F71B4j
		mov	eax, [ebp+var_A8]
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [ecx+134h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_98], eax
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+var_A8]
		or	byte ptr [ecx+304h], 2
		nop
		mov	eax, [ebp+var_A4]
		test	byte ptr [eax+0FCh], 20h
		jnz	loc_5C858F
		mov	eax, [eax+350h]
		xor	edi, edi
		jmp	short loc_4D1647
; 

loc_4D1643:				; CODE XREF: MmOutSwapWorkingSet+273j
		mov	edi, eax
		mov	eax, [eax]

loc_4D1647:				; CODE XREF: MmOutSwapWorkingSet+26Bj
		test	eax, eax
		jnz	short loc_4D1643
		test	edi, edi
		jz	short loc_4D16C7
		mov	esi, [ebp+var_BC]

loc_4D1655:				; CODE XREF: MmOutSwapWorkingSet+2E3j
		mov	ecx, edi
		call	_MiVadMapsLargeImage@4 ; MiVadMapsLargeImage(x)
		test	eax, eax
		jnz	short loc_4D168C
		call	_MiVadSupportsPrivateCommit@4 ;	MiVadSupportsPrivateCommit(x)
		test	eax, eax
		jz	short loc_4D168C
		lea	eax, [ebp+var_90]
		mov	edx, edi
		push	eax
		mov	eax, [edi+10h]
		mov	ecx, esi
		shl	eax, 0Ch
		or	eax, 0FFFh
		push	eax
		mov	eax, [edi+0Ch]
		shl	eax, 0Ch
		push	eax
		call	_MiOutSwapWorkingSet@20	; MiOutSwapWorkingSet(x,x,x,x,x)

loc_4D168C:				; CODE XREF: MmOutSwapWorkingSet+288j
					; MmOutSwapWorkingSet+291j
		mov	eax, [edi+4]
		mov	ecx, edi
		test	eax, eax
		jnz	short loc_4D16A5

loc_4D1695:				; CODE XREF: MmOutSwapWorkingSet+2CDj
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		jz	short loc_4D16B7
		cmp	[edi], ecx
		jz	short loc_4D16B7
		mov	ecx, edi
		jmp	short loc_4D1695
; 

loc_4D16A5:				; CODE XREF: MmOutSwapWorkingSet+2BDj
		mov	edi, eax
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_4D16B7

loc_4D16AD:				; CODE XREF: MmOutSwapWorkingSet+2DFj
		mov	eax, [ecx]
		mov	edi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_4D16AD

loc_4D16B7:				; CODE XREF: MmOutSwapWorkingSet+2C5j
					; MmOutSwapWorkingSet+2C9j ...
		test	edi, edi
		jnz	short loc_4D1655
		mov	esi, [ebp+var_AC]
		mov	ecx, [ebp+var_A8]

loc_4D16C7:				; CODE XREF: MmOutSwapWorkingSet+277j
		and	byte ptr [ecx+304h], 0FDh
		xor	ecx, ecx
		mov	edi, [ebp+var_98]
		push	11h
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jnz	loc_4D19AF

loc_4D16E6:				; CODE XREF: MmOutSwapWorkingSet+5E0j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_A8]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp+var_9C]
		mov	eax, [ebp+var_B0]
		mov	ecx, [edi]
		cmp	[ecx+8], eax
		jnb	short loc_4D1733
		call	_MiReAllocateWorkingSetSwapSupport@4 ; MiReAllocateWorkingSetSwapSupport(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_4D172D
		mov	eax, [ebp+var_9C]
		push	0
		push	dword ptr [eax]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_9C]
		mov	[eax], edi

loc_4D172D:				; CODE XREF: MmOutSwapWorkingSet+33Ej
		mov	edi, [ebp+var_9C]

loc_4D1733:				; CODE XREF: MmOutSwapWorkingSet+333j
		mov	ecx, [edi+4]
		test	ecx, ecx
		jnz	loc_5C85D8

loc_4D173E:				; CODE XREF: MmOutSwapWorkingSet+F720Bj
					; MmOutSwapWorkingSet+F723Bj
		mov	eax, [edi]
		mov	ecx, edi
		mov	edx, [ebp+var_A4]
		mov	eax, [eax+0Ch]
		mov	[ebp+var_B0], eax
		call	MiGetKernelStackSwapSupport
		cmp	esi, 2
		jb	short loc_4D1768
		mov	ecx, [edi]
		call	_MiReAllocateWorkingSetSwapSupport@4 ; MiReAllocateWorkingSetSwapSupport(x)
		mov	[ebp+var_C8], eax

loc_4D1768:				; CODE XREF: MmOutSwapWorkingSet+383j
		or	esi, 4
		and	[ebp+var_98], 0
		mov	[ebp+var_AC], esi

loc_4D1778:				; CODE XREF: MmOutSwapWorkingSet+F7153j
					; MmOutSwapWorkingSet+F71FDj ...
		push	offset unk_6D50F0
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_91], al
		mov	eax, [ebp+var_BC]
		test	byte ptr [eax+60h], 7
		jnz	loc_5C8632
		mov	ecx, [eax+90h]
		cmp	ecx, 1
		jnz	loc_5C8632
		lea	ecx, [eax+90h]
		cmp	esi, 4
		jb	loc_5C862B
		mov	eax, [ebp+var_9C]
		xor	edi, edi
		and	[ebp+var_98], edi

loc_4D17C4:				; CODE XREF: MmOutSwapWorkingSet+F7257j
		mov	[ecx], eax

loc_4D17C6:				; CODE XREF: MmOutSwapWorkingSet+F7266j
		push	offset unk_6D50F0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_91]
		call	[ebp+var_B8]
		push	ecx
		lea	edx, [ebp+var_78]
		mov	ecx, offset _MiSystemPartition
		call	_MiFreeReservationRuns@12 ; MiFreeReservationRuns(x,x,x)

loc_4D17EA:				; CODE XREF: MmOutSwapWorkingSet+F70BBj
		test	edi, edi
		jnz	loc_5C8641

loc_4D17F2:				; CODE XREF: MmOutSwapWorkingSet+F7076j
					; MmOutSwapWorkingSet+F7277j
		or	edi, 0FFFFFFFFh
		mov	edx, offset unk_6D50EC

loc_4D17FA:				; CODE XREF: MmOutSwapWorkingSet+F7067j
		mov	eax, [ebp+var_AC]
		test	al, 1
		jz	loc_4D1944
		mov	eax, edi
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4D19D6

loc_4D1818:				; CODE XREF: MmOutSwapWorkingSet+60Cj
		xor	edi, edi
		mov	[ebp+var_A0], edi
		test	edx, 7FFFFFFCh
		jz	loc_4D1933
		mov	esi, large fs:124h
		mov	eax, edx
		mov	ecx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_C4], esi
		cmp	ecx, edx
		ja	short loc_4D1866
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4D19BB
		cmp	ecx, edx
		ja	short loc_4D1866
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4D19BB

loc_4D1866:				; CODE XREF: MmOutSwapWorkingSet+470j
					; MmOutSwapWorkingSet+481j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	[ebp+var_C0]
		mov	[ebp+var_91], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_B8], ecx
		test	ecx, ecx
		jz	loc_4D1A2E
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4D1A41

loc_4D18B0:				; CODE XREF: MmOutSwapWorkingSet+676j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_A0], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_91], 1
		mov	edx, eax
		jnz	loc_5C866B
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4D1902:				; CODE XREF: MmOutSwapWorkingSet+660j
					; MmOutSwapWorkingSet+F72AAj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_B8], eax
		jnz	loc_4D19E7

loc_4D191C:				; CODE XREF: MmOutSwapWorkingSet+64Dj
					; MmOutSwapWorkingSet+F72D0j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4D1933
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_4D1A51

loc_4D1933:				; CODE XREF: MmOutSwapWorkingSet+450j
					; MmOutSwapWorkingSet+54Fj ...
		mov	ecx, [ebp+var_A8]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_AC]

loc_4D1944:				; CODE XREF: MmOutSwapWorkingSet+42Cj
		mov	esi, [ebp+var_C8]
		test	esi, esi
		jz	short loc_4D1965
		cmp	eax, 4
		jb	short loc_4D195D
		mov	edx, [esi+8]
		mov	ecx, [esi]
		call	_SmStoreSetProcessVaRanges@8 ; SmStoreSetProcessVaRanges(x,x)

loc_4D195D:				; CODE XREF: MmOutSwapWorkingSet+57Bj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4D1965:				; CODE XREF: MmOutSwapWorkingSet+576j
		mov	eax, [ebp+var_B0]
		xor	edx, edx
		mov	esi, [ebp+var_98]
		mov	ecx, [ebp+var_A4]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_28]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_24]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_20]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_18]
		push	eax
		mov	[ebp+var_8], esi
		call	EtwTraceWorkingSetSwap
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4D19AF:				; CODE XREF: MmOutSwapWorkingSet+30Aj
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_4D16E6
; 

loc_4D19BB:				; CODE XREF: MmOutSwapWorkingSet+479j
					; MmOutSwapWorkingSet+48Aj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_C0], eax
		mov	edx, offset unk_6D50EC
		jmp	loc_4D1866
; 

loc_4D19D6:				; CODE XREF: MmOutSwapWorkingSet+43Cj
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, offset unk_6D50EC
		jmp	loc_4D1818
; 

loc_4D19E7:				; CODE XREF: MmOutSwapWorkingSet+540j
		test	edi, 8000h
		jz	short loc_4D19F8
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4D19F8:				; CODE XREF: MmOutSwapWorkingSet+617j
		test	byte ptr [ebp+var_A0+2], 1
		jnz	loc_5C8685

loc_4D1A05:				; CODE XREF: MmOutSwapWorkingSet+F72B9j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4D1A19
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4D1A19:				; CODE XREF: MmOutSwapWorkingSet+636j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4D191C
		jmp	loc_5C8694
; 

loc_4D1A2E:				; CODE XREF: MmOutSwapWorkingSet+4C2j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4D1902
		jmp	loc_5C8652
; 

loc_4D1A41:				; CODE XREF: MmOutSwapWorkingSet+4D4j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_B8]
		jmp	loc_4D18B0
; 

loc_4D1A51:				; CODE XREF: MmOutSwapWorkingSet+557j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4D1933
MmOutSwapWorkingSet endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiOutSwapWorkingSet(x, x, x, x, x)
_MiOutSwapWorkingSet@20	proc near	; CODE XREF: MmOutSwapVirtualAddresses+1FDp
					; MiOutSwapKernelStackPage(x,x,x)+7Cp ...

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_52		= byte ptr -52h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, edx
		push	edi
		mov	[ebp+var_5C], eax
		mov	edi, ecx
		mov	eax, [ebp+arg_4]
		push	4Ch		; size_t
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_58]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_48], edi
		test	byte ptr [edi+60h], 7
		mov	eax, 81h
		mov	[ebp+var_10], esi
		mov	[ebp+var_18], offset _MiOutSwapWorkingSetPte@12	; MiOutSwapWorkingSetPte(x,x,x)
		mov	word ptr [ebp+var_58], ax
		jnz	short loc_4D1B05
		add	eax, 2
		lea	esi, [edi+80h]
		mov	word ptr [ebp+var_58], ax
		mov	eax, [ebp+var_5C]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_60]
		push	esi
		mov	[ebp+var_40], eax
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		test	byte ptr [ebx+1Ch], 4
		mov	[ebp+var_52], al
		jnz	short loc_4D1B0B

loc_4D1ADC:				; CODE XREF: MiOutSwapWorkingSet(x,x,x,x,x)+ADj
		lea	ecx, [ebp+var_58]
		call	MiWalkPageTables
		test	byte ptr [edi+60h], 7
		jnz	short loc_4D1AF4
		mov	dl, [ebp+var_52]

loc_4D1AED:				; CODE XREF: MiOutSwapWorkingSet(x,x,x,x,x)+B1j
		mov	ecx, edi
		call	MiUnlockWorkingSetExclusive

loc_4D1AF4:				; CODE XREF: MiOutSwapWorkingSet(x,x,x,x,x)+8Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_4D1B05:				; CODE XREF: MiOutSwapWorkingSet(x,x,x,x,x)+52j
		mov	[ebp+var_52], 21h
		jmp	short loc_4D1ADC
; 

loc_4D1B0B:				; CODE XREF: MiOutSwapWorkingSet(x,x,x,x,x)+7Ej
		mov	dl, al
		jmp	short loc_4D1AED
_MiOutSwapWorkingSet@20	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiReAllocateWorkingSetSwapSupport(x)
_MiReAllocateWorkingSetSwapSupport@4 proc near ; CODE XREF: MmOutSwapVirtualAddresses+253p
					; MmOutSwapWorkingSet+335p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, [edi+8]
		call	_MiAllocateWorkingSetSwapSupport@4 ; MiAllocateWorkingSetSwapSupport(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_4D1B43
		mov	edx, [edi+8]
		mov	[esi+8], edx
		mov	ecx, [edi+0Ch]
		mov	[esi+0Ch], ecx
		mov	ecx, [edi+8]
		shl	ecx, 3
		push	ecx		; size_t
		push	dword ptr [edi]	; void *
		push	dword ptr [esi]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_4D1B43:				; CODE XREF: MiReAllocateWorkingSetSwapSupport(x)+12j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_MiReAllocateWorkingSetSwapSupport@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiAllocateWorkingSetSwapSupport(x)
_MiAllocateWorkingSetSwapSupport@4 proc	near ; CODE XREF: MmOutSwapVirtualAddresses+112p
					; MmOutSwapWorkingSet+1BCp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, 53576D4Dh
		push	0
		push	40h
		lea	ecx, ds:14h[esi*8]
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_4D1B77
		lea	eax, [edx+17h]
		mov	[edx+4], esi
		and	eax, 0FFFFFFFCh
		mov	[edx], eax
		mov	eax, edx
		pop	esi
		retn
; 

loc_4D1B77:				; CODE XREF: MiAllocateWorkingSetSwapSupport(x)+1Ej
		xor	eax, eax
		pop	esi
		retn
_MiAllocateWorkingSetSwapSupport@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetKernelStackSwapSupport proc near	; CODE XREF: MmOutSwapWorkingSet+37Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C86AB SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, dword_6D5D8C
		push	ebx
		push	esi
		push	edi
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_10], edx
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_5C86CE

loc_4D1BA2:				; CODE XREF: MiGetKernelStackSwapSupport+45j
		mov	eax, dword_6D5D94[ebx*4]
		mov	[ebp+var_8], eax
		test	byte ptr [eax+74h], 50h
		jnz	short loc_4D1BBD
		cmp	edi, 0FFFFFFFFh
		jnz	loc_5C86AB

loc_4D1BBB:				; CODE XREF: MiGetKernelStackSwapSupport+F6B4Dj
		mov	edi, ebx

loc_4D1BBD:				; CODE XREF: MiGetKernelStackSwapSupport+34j
					; MiGetKernelStackSwapSupport+F6B47j
		inc	ebx
		cmp	ebx, [ebp+var_C]
		jb	short loc_4D1BA2
		cmp	edi, 0FFFFFFFFh
		jz	loc_5C86CE
		mov	ebx, [ebp+var_10]
		mov	ebx, [ebx+1D8h]
		test	ebx, ebx
		jz	short loc_4D1C39
		mov	eax, 55555555h
		cmp	ebx, eax
		ja	short loc_4D1C40

loc_4D1BE2:				; CODE XREF: MiGetKernelStackSwapSupport+C6j
		lea	ecx, [ebx+ebx]
		call	_MiAllocateWorkingSetSwapSupport@4 ; MiAllocateWorkingSetSwapSupport(x)
		mov	ecx, [ebp+var_4]
		mov	[ecx+1Ch], eax
		test	eax, eax
		jz	short loc_4D1C44
		push	0
		push	0
		lea	esi, [ecx+20h]
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		xor	ecx, ecx
		and	edi, 0Fh
		shld	ecx, edi, 0Ch
		and	eax, 0FFFF0FFFh
		shl	edi, 0Ch
		or	edx, ecx
		or	eax, edi
		mov	[esi+4], edx
		mov	[esi], eax
		mov	edx, esi
		imul	eax, ebx, 3
		mov	ecx, offset _MiSystemPartition
		push	21h
		push	eax
		call	MiFindFreePageFileSpace
		mov	ecx, [ebp+var_4]
		mov	[ecx+28h], eax
		xor	eax, eax

loc_4D1C34:				; CODE XREF: MiGetKernelStackSwapSupport+C2j
					; MiGetKernelStackSwapSupport+CDj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4D1C39:				; CODE XREF: MiGetKernelStackSwapSupport+5Bj
		mov	eax, 0C000010Ah
		jmp	short loc_4D1C34
; 

loc_4D1C40:				; CODE XREF: MiGetKernelStackSwapSupport+64j
		mov	ebx, eax
		jmp	short loc_4D1BE2
; 

loc_4D1C44:				; CODE XREF: MiGetKernelStackSwapSupport+76j
		mov	eax, 0C000009Ah
		jmp	short loc_4D1C34
MiGetKernelStackSwapSupport endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFindBestOutswapPagefile proc near	; CODE XREF: MmOutSwapVirtualAddresses+7Bp
					; MmOutSwapWorkingSet+E5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C86D8 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], esi
		call	_MiWsSwapPageFileNumber@4 ; MiWsSwapPageFileNumber(x)
		mov	[ebx], eax
		xor	ebx, ebx
		mov	eax, [esi+0F4Ch]
		mov	[ebp+var_4], eax
		push	10h
		pop	edi
		test	eax, eax
		jz	short loc_4D1CBC
		mov	ecx, [ebp+var_4]
		lea	eax, [esi+0F54h]
		mov	[ebp+var_8], eax

loc_4D1C86:				; CODE XREF: MiFindBestOutswapPagefile+62j
		mov	eax, [eax]
		mov	al, [eax+74h]
		and	al, 0D0h
		cmp	al, 80h
		jnz	short loc_4D1C9F
		cmp	edi, 10h
		jnz	loc_5C86D8

loc_4D1C9A:				; CODE XREF: MiFindBestOutswapPagefile+F6AACj
		mov	edi, ebx

loc_4D1C9C:				; CODE XREF: MiFindBestOutswapPagefile+F6AA6j
		mov	ecx, [ebp+var_4]

loc_4D1C9F:				; CODE XREF: MiFindBestOutswapPagefile+43j
		mov	eax, [ebp+var_8]
		inc	ebx
		mov	esi, [ebp+var_C]
		add	eax, 4
		mov	[ebp+var_8], eax
		cmp	ebx, ecx
		jb	short loc_4D1C86
		cmp	edi, 10h
		jz	short loc_4D1CBC

loc_4D1CB5:				; CODE XREF: MiFindBestOutswapPagefile+75j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4D1CBC:				; CODE XREF: MiFindBestOutswapPagefile+2Cj
					; MiFindBestOutswapPagefile+67j
		mov	edi, [ebp+var_10]
		mov	edi, [edi]
		jmp	short loc_4D1CB5
MiFindBestOutswapPagefile endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiWsSwapPageFileNumber(x)
_MiWsSwapPageFileNumber@4 proc near	; CODE XREF: MiFindBestOutswapPagefile+15p
					; MiContractWsSwapPageFileWorker(x)+Fp	...
		mov	edi, edi
		push	esi
		mov	esi, [ecx+0F4Ch]
		xor	edx, edx
		test	esi, esi
		jz	short loc_4D1CE9
		add	ecx, 0F54h

loc_4D1CD9:				; CODE XREF: MiWsSwapPageFileNumber(x)+23j
		mov	eax, [ecx]
		test	byte ptr [eax+74h], 10h
		jnz	short loc_4D1CEE
		inc	edx
		add	ecx, 4
		cmp	edx, esi
		jb	short loc_4D1CD9

loc_4D1CE9:				; CODE XREF: MiWsSwapPageFileNumber(x)+Dj
		push	10h
		pop	eax
		pop	esi
		retn
; 

loc_4D1CEE:				; CODE XREF: MiWsSwapPageFileNumber(x)+1Bj
		mov	eax, edx
		pop	esi
		retn
_MiWsSwapPageFileNumber@4 endp


;  S U B	R O U T	I N E 


MiCanFlushMakeProgress proc near	; CODE XREF: MiFlushAllHintedStorePages(x)+66p
					; MiFlushAllPagesWorker+39p

; FUNCTION CHUNK AT 005C86FD SIZE 0000001F BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		test	edx, edx
		jnz	short loc_4D1D09
		mov	eax, [ecx+10C0h]
		cmp	eax, [ecx+1118h]
		jnz	short loc_4D1D37

loc_4D1D09:				; CODE XREF: MiCanFlushMakeProgress+7j
		mov	edx, [ecx+0F4Ch]
		test	edx, edx
		jz	short loc_4D1D46
		xor	esi, esi
		test	edx, edx
		jz	short loc_4D1D46
		mov	edi, 0F54h

loc_4D1D1E:				; CODE XREF: MiCanFlushMakeProgress+52j
		mov	ebx, [edi+ecx]
		cmp	dword ptr [ebx+0Ch], 0
		jz	short loc_4D1D3E
		movzx	eax, word ptr [ebx+74h]
		test	al, 40h
		jnz	short loc_4D1D3E
		test	al, 10h
		jnz	loc_5C86FD

loc_4D1D37:				; CODE XREF: MiCanFlushMakeProgress+15j
					; MiCanFlushMakeProgress+F6A1Fj
		xor	eax, eax
		inc	eax

loc_4D1D3A:				; CODE XREF: MiCanFlushMakeProgress+56j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4D1D3E:				; CODE XREF: MiCanFlushMakeProgress+33j
					; MiCanFlushMakeProgress+3Bj ...
		inc	esi
		add	edi, 4
		cmp	esi, edx
		jb	short loc_4D1D1E

loc_4D1D46:				; CODE XREF: MiCanFlushMakeProgress+1Fj
					; MiCanFlushMakeProgress+25j
		xor	eax, eax
		jmp	short loc_4D1D3A
MiCanFlushMakeProgress endp


;  S U B	R O U T	I N E 


MiWakeModifiedPageWriter proc near	; CODE XREF: MiInsertPageInList(x,x)+5E3p
					; MiFlushAllHintedStorePages(x)+7Bp ...

; FUNCTION CHUNK AT 005C872F SIZE 0000002E BYTES

		mov	edi, edi
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_4D1D83
		cmp	[esi+188h], ebx
		jnz	sub_5C871C

loc_4D1D64:				; CODE XREF: sub_5C871C+Ej
		cmp	dword ptr [esi+19Ch], 12h
		jnz	loc_5C872F

loc_4D1D71:				; CODE XREF: MiWakeModifiedPageWriter+3Fj
					; MiWakeModifiedPageWriter+F69F4j ...
		push	ebx
		push	ebx
		lea	eax, [esi+1A4h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4D1D83:				; CODE XREF: MiWakeModifiedPageWriter+Cj
		mov	[esi+1A0h], edx
		jmp	short loc_4D1D71
MiWakeModifiedPageWriter endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFlushAllHintedStorePages(x)
_MiFlushAllHintedStorePages@4 proc near	; CODE XREF: MmStoreFlushAllHintedPages()j

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	edi
		mov	edi, large fs:124h
		mov	eax, dword_6D5100
		test	eax, eax
		jz	loc_4D1E7D
		dec	word ptr [edi+13Eh]
		push	ebx
		push	esi
		nop
		push	12h
		push	edi
		call	KeSetActualBasePriorityThread
		mov	[ebp+var_C], eax
		call	KeQueryInterruptTime
		mov	esi, dword_6D50FC
		push	2
		mov	[ebp+var_4], eax
		mov	eax, offset unk_6D50F8
		mov	[ebp+var_8], edx
		pop	ecx
		lock xadd [eax], ecx
		imul	esi, 14h
		xor	eax, eax
		xor	ebx, ebx
		inc	eax
		cmp	dword_6D5580[esi], ebx
		jz	short loc_4D1E47

loc_4D1DEB:				; CODE XREF: MiFlushAllHintedStorePages(x)+B9j
		mov	edx, eax
		mov	ecx, offset _MiSystemPartition
		call	MiCanFlushMakeProgress
		test	eax, eax
		jz	loc_4D1E82
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _MiSystemPartition
		call	MiWakeModifiedPageWriter
		mov	ecx, offset _MiSystemPartition
		call	MiStoreUpdateMemoryConditions
		push	offset _Mi30Milliseconds
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		call	KeQueryInterruptTime
		sub	eax, [ebp+var_4]
		sbb	edx, [ebp+var_8]
		test	edx, edx
		jb	short loc_4D1E3C
		ja	short loc_4D1E82
		cmp	eax, 2FAF080h
		ja	short loc_4D1E82

loc_4D1E3C:				; CODE XREF: MiFlushAllHintedStorePages(x)+A5j
		push	1
		pop	eax
		cmp	dword_6D5580[esi], ebx
		jnz	short loc_4D1DEB

loc_4D1E47:				; CODE XREF: MiFlushAllHintedStorePages(x)+5Dj
		mov	ebx, eax

loc_4D1E49:				; CODE XREF: MiFlushAllHintedStorePages(x)+F9j
		mov	ecx, offset unk_6D50F8
		lock or	[ecx], eax
		push	0FFFFFFFEh
		pop	eax
		lock xadd [ecx], eax
		push	0
		push	0
		push	offset unk_6D5050
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	[ebp+var_C]
		push	edi
		call	KeSetActualBasePriorityThread
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	esi
		mov	eax, ebx
		pop	ebx

loc_4D1E7A:				; CODE XREF: MiFlushAllHintedStorePages(x)+F4j
		pop	edi
		leave
		retn
; 

loc_4D1E7D:				; CODE XREF: MiFlushAllHintedStorePages(x)+17j
		xor	eax, eax
		inc	eax
		jmp	short loc_4D1E7A
; 

loc_4D1E82:				; CODE XREF: MiFlushAllHintedStorePages(x)+6Dj
					; MiFlushAllHintedStorePages(x)+A7j ...
		xor	eax, eax
		inc	eax
		jmp	short loc_4D1E49
_MiFlushAllHintedStorePages@4 endp

; 
		align 10h
; Exported entry 948. IoReleaseCancelSpinLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoReleaseCancelSpinLock
IoReleaseCancelSpinLock	proc near	; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+22Cp
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+303p ...

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005C876C SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, large fs:20h
		add	esi, 450h
		test	ds:byte_70EFC6,	1
		jnz	loc_5C876C
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_4D1EDA
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_4D1ED3

loc_4D1EC5:				; CODE XREF: IoReleaseCancelSpinLock+5Bj
					; IoReleaseCancelSpinLock+F68E6j
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebp
		retn	4
; 

loc_4D1ED3:				; CODE XREF: IoReleaseCancelSpinLock+33j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_4D1EDA:				; CODE XREF: IoReleaseCancelSpinLock+24j
		mov	dword ptr [esi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4D1EC5
IoReleaseCancelSpinLock	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopDereferenceVpbAndFree proc near	; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+114Ap
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+11BCp ...

; FUNCTION CHUNK AT 005C877B SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edx, large fs:20h
		mov	bl, al
		mov	eax, [edx+464h]
		test	ds:byte_70EFC6,	21h
		lea	ecx, [edx+460h]
		jnz	loc_5C877B
		mov	edx, ecx
		xchg	edx, [eax]
		test	edx, edx
		jnz	short loc_4D1F94

loc_4D1F2C:				; CODE XREF: IopDereferenceVpbAndFree+A9j
					; IopDereferenceVpbAndFree+F6892j
		add	dword ptr [esi+14h], 0FFFFFFFFh
		jz	loc_5C8787

loc_4D1F36:				; CODE XREF: IopDereferenceVpbAndFree+F689Dj
					; IopDereferenceVpbAndFree+F68A7j ...
		mov	esi, large fs:20h
		add	esi, 460h
		test	ds:byte_70EFC6,	1
		jnz	loc_5C87A4
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_4D1F81
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_4D1F7A

loc_4D1F65:				; CODE XREF: IopDereferenceVpbAndFree+A2j
					; IopDereferenceVpbAndFree+F68BEj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jnz	loc_5C87B3

loc_4D1F75:				; CODE XREF: IopDereferenceVpbAndFree+F68CBj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_4D1F7A:				; CODE XREF: IopDereferenceVpbAndFree+73j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_4D1F81:				; CODE XREF: IopDereferenceVpbAndFree+64j
		mov	dword ptr [esi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4D1F65
; 

loc_4D1F94:				; CODE XREF: IopDereferenceVpbAndFree+3Aj
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_4D1F2C
IopDereferenceVpbAndFree endp

; 
		align 4
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDecayPfnFullyInitialized proc	near	; CODE XREF: MiDeleteVaTail:loc_455DA6p
					; .text:00478E5Cp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C87C0 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		and	[ebp+var_8], 0
		lea	edi, [ebp+var_14]
		mov	esi, ecx
		stosd
		push	1Ch
		pop	ecx
		stosd
		stosd
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		mov	edi, offset unk_6D54F4
		cdq
		idiv	ecx
		and	[ebp+var_14], 0
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_C], al
		jnz	loc_5C87C0
		lea	edx, [ebp+var_14]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_4D207F

loc_4D1FF7:				; CODE XREF: MiDecayPfnFullyInitialized+E9j
					; MiDecayPfnFullyInitialized+F682Cj
		mov	edi, dword_6D0700
		mov	eax, edi
		mov	ebx, dword_6D0704
		or	eax, ebx
		mov	ecx, [esi+8]
		mov	edx, [esi+0Ch]
		jz	short loc_4D2021
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4D2021
		not	edi
		not	ebx
		and	ecx, edi
		and	edx, ebx

loc_4D2021:				; CODE XREF: MiDecayPfnFullyInitialized+6Fj
					; MiDecayPfnFullyInitialized+79j
		mov	al, [esi+17h]
		xor	edi, edi
		shrd	ecx, edx, 0Ch
		inc	edi
		and	ecx, 3FFFFFFh
		test	al, 8
		jz	loc_5C87CF
		cmp	ecx, [ebp+var_4]
		jz	short loc_4D20A3
		mov	ebx, [ebp+var_8]

loc_4D2041:				; CODE XREF: MiDecayPfnFullyInitialized+11Aj
					; MiDecayPfnFullyInitialized+F6833j
		and	al, 0F7h
		mov	[esi+17h], al
		test	ds:byte_70EFC6,	1
		jnz	loc_5C87D6
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_4D2094
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jnz	short loc_4D208C

loc_4D206D:				; CODE XREF: MiDecayPfnFullyInitialized+103j
					; MiDecayPfnFullyInitialized+F6843j
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	ebx, edi
		jz	short loc_4D20BA

loc_4D207A:				; CODE XREF: MiDecayPfnFullyInitialized+128j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4D207F:				; CODE XREF: MiDecayPfnFullyInitialized+53j
		lea	ecx, [ebp+var_14]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4D1FF7
; 

loc_4D208C:				; CODE XREF: MiDecayPfnFullyInitialized+CDj
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid

loc_4D2094:				; CODE XREF: MiDecayPfnFullyInitialized+BAj
		mov	[ebp+var_14], 0
		add	eax, 4
		lock xor [eax],	edi
		jmp	short loc_4D206D
; 

loc_4D20A3:				; CODE XREF: MiDecayPfnFullyInitialized+9Ej
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		mov	ecx, esi
		call	_MiRemoveDecayClusterTimer@4 ; MiRemoveDecayClusterTimer(x)
		mov	al, [esi+17h]
		mov	ebx, edi
		jmp	short loc_4D2041
; 

loc_4D20BA:				; CODE XREF: MiDecayPfnFullyInitialized+DAj
		mov	edx, esi
		mov	ecx, offset dword_6D3258
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		jmp	short loc_4D207A
MiDecayPfnFullyInitialized endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRebuildLargeZeroPage proc near	; CODE XREF: MiRebuildLargePagesThread(x)+48p

var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 005C87E6 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+30h+var_20], ecx
		lea	edi, [esp+30h+var_C]
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[esp+30h+var_1C], eax

loc_4D20E9:				; CODE XREF: MiRebuildLargeZeroPage+18Ej
		xor	edi, edi
		inc	edi
		mov	ebx, [ecx+0B14h]
		cmp	eax, ebx
		mov	ecx, [ecx+0B18h]
		sbb	esi, esi
		mov	[esp+30h+var_18], ecx
		and	esi, eax
		lea	edx, [ebx-1]

loc_4D2105:				; CODE XREF: MiRebuildLargeZeroPage+1B0j
		and	[esp+30h+var_10], 0
		mov	eax, edx
		sub	eax, esi
		inc	eax
		cmp	eax, edi
		jb	loc_4D22CF
		mov	eax, esi
		shr	eax, 5
		lea	edi, [ecx+eax*4]
		mov	eax, edx
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	ecx, esi
		mov	[esp+30h+var_14], eax
		and	ecx, 1Fh
		xor	eax, eax
		inc	eax
		shl	eax, cl
		mov	ecx, [edi]
		dec	eax
		not	ecx
		or	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	loc_4D227D

loc_4D2145:				; CODE XREF: MiRebuildLargeZeroPage+1C9j
		not	ecx
		bsf	eax, ecx
		mov	ecx, [esp+30h+var_18]
		sub	edi, ecx
		sar	edi, 2
		shl	edi, 5
		add	edi, eax
		mov	[esp+30h+var_10], eax
		cmp	edi, edx
		ja	loc_4D22CF
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_4D217D

loc_4D2169:				; CODE XREF: MiRebuildLargeZeroPage+1E3j
					; MiRebuildLargeZeroPage+20Aj
		test	esi, esi
		jnz	loc_4D2269
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_4D217D
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4D217D:				; CODE XREF: MiRebuildLargeZeroPage+9Fj
					; MiRebuildLargeZeroPage+ACj
		mov	ebx, edi
		shl	ebx, 12h
		mov	ecx, ebx
		call	MiSearchNumaNodeTable
		mov	cl, 2
		mov	eax, [eax+4]
		imul	esi, eax, 280h
		mov	eax, [esp+30h+var_20]
		add	esi, [eax+10h]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	[esp+30h+var_C], 0
		add	esi, 204h
		test	ds:byte_70EFC6,	21h
		mov	[esp+30h+var_21], al
		mov	[esp+30h+var_8], esi
		jnz	loc_5C87E6
		lea	edx, [esp+30h+var_C]
		xchg	edx, [esi]
		test	edx, edx
		jnz	loc_4D2296

loc_4D21CF:				; CODE XREF: MiRebuildLargeZeroPage+1D7j
					; MiRebuildLargeZeroPage+F6729j
		mov	eax, [esp+30h+var_20]
		mov	edx, edi
		shr	edx, 3
		mov	ecx, edi
		and	ecx, 7
		add	edx, [eax+0B18h]
		movsx	eax, byte ptr [edx]
		btr	eax, ecx
		mov	[edx], al
		test	ds:byte_70EFC6,	1
		jnz	loc_5C87F6
		mov	eax, [esp+30h+var_C]
		test	eax, eax
		jnz	loc_4D22B9
		mov	edx, [esp+30h+var_8]
		lea	eax, [esp+30h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+30h+var_C]
		cmp	eax, ecx
		jnz	loc_4D22B0

loc_4D221E:				; CODE XREF: MiRebuildLargeZeroPage+202j
					; MiRebuildLargeZeroPage+F673Aj
		mov	cl, [esp+30h+var_21]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esp+30h+var_20]
		lea	eax, [edi+1]
		shl	edi, 9
		mov	esi, 200h
		mov	[esp+30h+var_1C], eax
		add	edi, [ecx+0B10h]

loc_4D2241:				; CODE XREF: MiRebuildLargeZeroPage+188j
		cmp	byte ptr [edi],	20h
		jz	short loc_4D225B

loc_4D2246:				; CODE XREF: MiRebuildLargeZeroPage+19Fj
		add	ebx, 200h
		inc	edi
		sub	esi, 1
		jnz	short loc_4D2241
		mov	eax, [esp+30h+var_1C]
		jmp	loc_4D20E9
; 

loc_4D225B:				; CODE XREF: MiRebuildLargeZeroPage+17Cj
		push	ecx
		mov	edx, ebx
		call	_MiCoalesceFreeLargePages@12 ; MiCoalesceFreeLargePages(x,x,x)
		mov	ecx, [esp+30h+var_20]
		jmp	short loc_4D2246
; 

loc_4D2269:				; CODE XREF: MiRebuildLargeZeroPage+A3j
		mov	edx, [esp+30h+var_1C]
		inc	edx
		cmp	edx, ebx
		ja	short loc_4D22D7

loc_4D2272:				; CODE XREF: MiRebuildLargeZeroPage+211j
		xor	edi, edi
		dec	edx
		xor	esi, esi
		inc	edi
		jmp	loc_4D2105
; 

loc_4D227D:				; CODE XREF: MiRebuildLargeZeroPage+77j
		mov	eax, [esp+30h+var_14]

loc_4D2281:				; CODE XREF: MiRebuildLargeZeroPage+1C7j
		add	edi, 4
		cmp	edi, eax
		ja	short loc_4D22A4
		mov	ecx, [edi]
		not	ecx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_4D2281
		jmp	loc_4D2145
; 

loc_4D2296:				; CODE XREF: MiRebuildLargeZeroPage+101j
		lea	ecx, [esp+30h+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4D21CF
; 

loc_4D22A4:				; CODE XREF: MiRebuildLargeZeroPage+1BEj
		mov	ecx, [esp+30h+var_18]
		or	edi, 0FFFFFFFFh
		jmp	loc_4D2169
; 

loc_4D22B0:				; CODE XREF: MiRebuildLargeZeroPage+150j
		lea	ecx, [esp+30h+var_C]
		call	KxWaitForLockChainValid

loc_4D22B9:				; CODE XREF: MiRebuildLargeZeroPage+136j
		xor	ecx, ecx
		mov	[esp+30h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4D221E
; 

loc_4D22CF:				; CODE XREF: MiRebuildLargeZeroPage+49j
					; MiRebuildLargeZeroPage+96j
		or	edi, 0FFFFFFFFh
		jmp	loc_4D2169
; 

loc_4D22D7:				; CODE XREF: MiRebuildLargeZeroPage+1A8j
		mov	edx, ebx
		jmp	short loc_4D2272
MiRebuildLargeZeroPage endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCoalesceFreeLargePages(x,	x, x)
_MiCoalesceFreeLargePages@12 proc near	; CODE XREF: MiRebuildLargeZeroPage+196p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		imul	ebx, edx, 1Ch
		lea	edi, [ebp+var_18]
		mov	[ebp+var_28], edx
		stosd
		mov	esi, ecx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_19], 21h
		add	ebx, ds:_MmPfnDatabase
		stosd
		mov	[ebp+var_24], ebx
		stosd
		stosd
		mov	eax, large fs:124h
		mov	edi, ebx
		and	[ebp+var_30], 0
		mov	ebx, edx
		mov	[ebp+var_34], eax
		dec	word ptr [eax+13Eh]
		nop
		lea	ecx, [esi+6Ch]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		xor	esi, esi

loc_4D2337:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+8Dj
		mov	ecx, ebx
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jz	short loc_4D236B
		push	ecx
		mov	ecx, [ebp+var_2C]
		mov	edx, edi
		call	_MiLargePfnPromoteCandidate@12 ; MiLargePfnPromoteCandidate(x,x,x)
		test	eax, eax
		jz	short loc_4D236B
		movzx	eax, byte ptr [edi+16h]
		add	ebx, 10h
		shr	eax, 6
		add	edi, 1C0h
		inc	[ebp+eax*4+var_18]
		inc	esi
		cmp	esi, 20h
		jb	short loc_4D2337

loc_4D236B:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+64j
					; MiCoalesceFreeLargePages(x,x,x)+73j
		mov	ebx, [ebp+var_24]
		cmp	esi, 20h
		jnz	loc_4D24B1
		xor	edi, edi
		xor	edx, edx
		inc	edi
		xor	esi, esi
		mov	[ebp+var_20], edi
		xor	eax, eax

loc_4D2383:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+C9j
		mov	ecx, [ebp+eax*4+var_18]
		test	ecx, ecx
		jz	short loc_4D2391
		test	edx, edx
		jz	short loc_4D2391
		mov	esi, edi

loc_4D2391:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+ADj
					; MiCoalesceFreeLargePages(x,x,x)+B1j
		cmp	edx, ecx
		jnb	short loc_4D239E
		mov	edx, ecx
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		jmp	short loc_4D23A1
; 

loc_4D239E:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+B7j
		mov	ecx, [ebp+var_20]

loc_4D23A1:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+C0j
		inc	eax
		cmp	eax, 4
		jb	short loc_4D2383
		test	esi, esi
		jz	short loc_4D23CE
		mov	esi, ebx
		xor	edi, edi

loc_4D23AF:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+F0j
		push	ecx
		mov	ecx, esi
		call	_MiChangePageAttributeLargeFreeZeroPage@12 ; MiChangePageAttributeLargeFreeZeroPage(x,x,x)
		test	eax, eax
		jz	loc_4D24B1
		mov	ecx, [ebp+var_20]
		add	esi, 1C0h
		inc	edi
		cmp	edi, 20h
		jb	short loc_4D23AF

loc_4D23CE:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+CDj
		mov	eax, [ebp+var_28]
		mov	esi, ebx
		mov	[ebp+var_24], eax
		xor	edi, edi

loc_4D23D8:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+152j
		mov	ecx, eax
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jz	short loc_4D2447
		cmp	esi, ebx
		jnz	short loc_4D23F3
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp+var_19], al
		jmp	short loc_4D23FD
; 

loc_4D23F3:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+109j
		lea	eax, [esi+10h]
		lock bts dword ptr [eax], 1Fh
		jb	short loc_4D2447

loc_4D23FD:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+115j
		push	ecx
		mov	ecx, [ebp+var_2C]
		mov	edx, esi
		call	_MiLargePfnPromoteCandidate@12 ; MiLargePfnPromoteCandidate(x,x,x)
		lea	ecx, [esi+10h]
		test	eax, eax
		jz	short loc_4D2432
		movzx	eax, byte ptr [ecx+6]
		shr	eax, 6
		cmp	eax, [ebp+var_20]
		jnz	short loc_4D2432
		mov	eax, [ebp+var_24]
		add	esi, 1C0h
		add	eax, 10h
		inc	edi
		mov	[ebp+var_24], eax
		cmp	edi, 20h
		jb	short loc_4D23D8
		jmp	short loc_4D2447
; 

loc_4D2432:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+131j
					; MiCoalesceFreeLargePages(x,x,x)+13Dj
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		cmp	esi, ebx
		jnz	short loc_4D2447
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4D2447:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+105j
					; MiCoalesceFreeLargePages(x,x,x)+11Fj	...
		cmp	edi, 20h
		jnz	short loc_4D2463
		mov	esi, [ebp+var_28]
		lea	eax, [ebp+var_30]
		push	eax
		push	ecx
		mov	ecx, esi
		call	_MiLargePagePromote@16 ; MiLargePagePromote(x,x,x,x)
		lea	ecx, [ebx+1C0h]
		jmp	short loc_4D2472
; 

loc_4D2463:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+16Ej
		mov	ecx, edi
		neg	ecx
		sbb	ecx, ecx
		and	ecx, ebx
		test	edi, edi
		jz	short loc_4D24B1
		mov	esi, [ebp+var_28]

loc_4D2472:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+185j
		imul	eax, edi, 1C0h
		lea	edx, [ebx-1C0h]
		mov	edi, 7FFFFFFFh
		add	edx, eax

loc_4D2485:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+1B9j
		lea	eax, [edx+10h]
		lock and [eax],	edi
		cmp	edx, ecx
		jz	short loc_4D2497
		sub	edx, 1C0h
		jmp	short loc_4D2485
; 

loc_4D2497:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+1B1j
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_30], 0
		jz	short loc_4D24B1
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	_MiChangePageHeatImmediate@12 ;	MiChangePageHeatImmediate(x,x,x)

loc_4D24B1:				; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+95j
					; MiCoalesceFreeLargePages(x,x,x)+DDj ...
		mov	edx, [ebp+var_34]
		mov	ecx, [ebp+var_2C]
		call	_MiUnlockDynamicMemoryShared@8 ; MiUnlockDynamicMemoryShared(x,x)
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiCoalesceFreeLargePages@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiUnlockDynamicMemoryShared(x, x)
_MiUnlockDynamicMemoryShared@8 proc near ; CODE	XREF: MiCoalesceFreeLargePages(x,x,x)+1DBp
					; MmQueryPfnList+6Cp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	11h
		mov	ebx, edx
		lea	edi, [ecx+6Ch]
		xor	esi, esi
		pop	eax
		lock cmpxchg [edi], esi
		cmp	eax, 11h
		jnz	short loc_4D24F7

loc_4D24E6:				; CODE XREF: MiUnlockDynamicMemoryShared(x,x)+30j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		mov	ecx, ebx
		pop	ebx
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
; 

loc_4D24F7:				; CODE XREF: MiUnlockDynamicMemoryShared(x,x)+16j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_4D24E6
_MiUnlockDynamicMemoryShared@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWorkerFactoryCompletionPacketRoutine	proc near ; DATA XREF: NtCreateWorkerFactory+10Co

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C8807 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		push	edi
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_4], al
		jnz	loc_5C8807
		lea	edx, [ebp+var_C]
		xchg	edx, [esi]
		test	edx, edx
		jnz	short loc_4D25B3

loc_4D2537:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+BBj
					; ExpWorkerFactoryCompletionPacketRoutine+F6311j
		xor	edi, edi
		cmp	byte ptr [esi+16h], 0
		jnz	loc_4D2608
		cmp	byte ptr [esi+15h], 0
		jnz	loc_4D25DF
		add	dword ptr [esi+0Ch], 0FFFFFFFFh
		jnz	loc_5C8816

loc_4D2557:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+E2j
					; ExpWorkerFactoryCompletionPacketRoutine+10Dj
		mov	byte ptr [esi+14h], 0

loc_4D255B:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+EDj
					; ExpWorkerFactoryCompletionPacketRoutine+F631Bj
		test	ds:byte_70EFC6,	1
		jnz	loc_5C8820
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_4D259F
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_4D2597

loc_4D2582:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+B1j
					; ExpWorkerFactoryCompletionPacketRoutine+F632Bj
		mov	cl, byte ptr [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jnz	short loc_4D25C0

loc_4D258F:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+DDj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4D2597:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+80j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_4D259F:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+6Dj
		mov	[ebp+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4D2582
; 

loc_4D25B3:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+35j
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4D2537
; 

loc_4D25C0:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+8Dj
		mov	eax, [esi+8]
		sub	edi, 1
		jnz	short loc_4D25F2
		mov	ecx, [esi+4]
		xor	edx, edx
		push	0
		push	eax
		push	0
		push	0
		push	0
		push	0
		call	IoSetIoCompletionEx2
		jmp	short loc_4D258F
; 

loc_4D25DF:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+47j
		cmp	[esi+10h], edi
		jz	loc_4D2557
		mov	edi, 1
		jmp	loc_4D255B
; 

loc_4D25F2:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+C6j
		push	eax
		call	_IoFreeMiniCompletionPacket@4 ;	IoFreeMiniCompletionPacket(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4D2608:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+3Dj
		mov	edi, 2
		jmp	loc_4D2557
ExpWorkerFactoryCompletionPacketRoutine	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetFileHashPage proc near		; CODE XREF: MiMapPageFileHash+1DEp

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C8830 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ecx+90h]
		mov	ecx, esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_1], 0
		push	2
		xor	edx, edx
		push	80h
		inc	edx
		call	MiAcquireNonPagedResources
		test	eax, eax
		js	short loc_4D268D
		push	200h
		mov	edx, edi
		mov	ecx, esi
		call	MiGetPage
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jz	loc_5C8830
		mov	ebx, 80000000h
		lea	edx, [ebp-1]
		push	ebx
		mov	ecx, edi
		call	MiMapPageInHyperSpaceWorker
		push	0
		mov	esi, eax
		push	1000h
		push	esi
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, esi
		push	ebx
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		lock inc dword_6D3CC4

loc_4D2686:				; CODE XREF: MiGetFileHashPage+F6234j
					; MiGetFileHashPage+F6244j
		mov	eax, edi

loc_4D2688:				; CODE XREF: MiGetFileHashPage+7Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4D268D:				; CODE XREF: MiGetFileHashPage+28j
		or	eax, 0FFFFFFFFh
		jmp	short loc_4D2688
MiGetFileHashPage endp


;  S U B	R O U T	I N E 


; __fastcall ExpFindEmptyEntry(x, x)
@ExpFindEmptyEntry@8 proc near		; CODE XREF: ExpAcquireSharedStarveExclusive+252p
					; ExpAcquireResourceSharedLite+504p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, [ecx+8]
		mov	esi, edi
		test	esi, esi
		jz	short loc_4D26CD
		mov	eax, [esi+4]
		lea	eax, [esi+eax*8]
		add	esi, 8

loc_4D26A8:				; CODE XREF: ExpFindEmptyEntry(x,x)+39j
		cmp	dword ptr [esi], 0
		jnz	short loc_4D26C6
		mov	ecx, large fs:124h
		mov	edx, esi
		sub	edx, edi
		mov	eax, esi
		sar	edx, 3
		mov	[ecx+26Ch], dl

loc_4D26C3:				; CODE XREF: ExpFindEmptyEntry(x,x)+42j
		pop	edi
		pop	esi
		retn
; 

loc_4D26C6:				; CODE XREF: ExpFindEmptyEntry(x,x)+19j
		add	esi, 8
		cmp	esi, eax
		jnz	short loc_4D26A8

loc_4D26CD:				; CODE XREF: ExpFindEmptyEntry(x,x)+Bj
		call	ExpExpandResourceOwnerTable
		xor	eax, eax
		jmp	short loc_4D26C3
@ExpFindEmptyEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpExpandResourceOwnerTable proc near	; CODE XREF: ExpFindEmptyEntry(x,x):loc_4D26CDp
					; ExpAcquireResourceSharedLite+5BDp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C885B SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+8]
		mov	esi, edx
		mov	[ebp+var_4], eax
		test	edi, edi
		jnz	loc_4D2848
		xor	ebx, ebx
		mov	[ebp+var_C], 3
		mov	[ebp+var_8], 18h

loc_4D2707:				; CODE XREF: ExpExpandResourceOwnerTable+190j
		test	ds:byte_70EFC6,	1
		jnz	loc_5C885B
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_4D2834
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_4D282D

loc_4D2731:				; CODE XREF: ExpExpandResourceOwnerTable+16Dj
					; ExpExpandResourceOwnerTable+F618Fj
		mov	cl, [esi+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, large fs:20h
		mov	ecx, 200h
		mov	edx, [ebp+var_8]
		push	0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	61546552h
		call	ExpAllocatePoolWithTagFromNode
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	loc_5C886A
		mov	eax, [ebp+var_C]
		mov	edx, ebx
		sub	eax, ebx
		shl	eax, 3
		push	eax		; size_t
		lea	eax, [ecx+edx*8]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		add	ecx, 34h
		mov	edx, esi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp+var_4]
		cmp	edi, [eax+8]
		jnz	loc_4D2892
		test	edi, edi
		jnz	loc_4D2889

loc_4D27AE:				; CODE XREF: ExpExpandResourceOwnerTable+1B6j
		mov	eax, ebx
		shl	eax, 3
		push	eax		; size_t
		push	edi		; void *
		push	[ebp+var_10]	; void *
		call	_memcpy
		mov	ecx, [ebp+var_10]
		add	esp, 0Ch
		mov	eax, [ebp+var_C]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_4]
		mov	[eax+8], ecx
		test	ds:byte_70EFC6,	1
		jnz	loc_5C887D
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_4D2875
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_4D286E

loc_4D27F5:				; CODE XREF: ExpExpandResourceOwnerTable+1AEj
					; ExpExpandResourceOwnerTable+F61B1j
		mov	cl, [esi+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jnz	loc_4D28CC

loc_4D2806:				; CODE XREF: ExpExpandResourceOwnerTable+1FEj
		test	ebx, ebx
		jnz	short loc_4D280F
		xor	eax, eax
		lea	ebx, [eax+1]

loc_4D280F:				; CODE XREF: ExpExpandResourceOwnerTable+132j
					; ExpExpandResourceOwnerTable+1F1j ...
		mov	eax, large fs:124h
		mov	edx, esi
		mov	ecx, [ebp+var_4]
		mov	[eax+26Ch], bl
		lea	ecx, [ecx+34h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)

loc_4D2828:				; CODE XREF: ExpExpandResourceOwnerTable+17Dj
					; ExpExpandResourceOwnerTable+196j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4D282D:				; CODE XREF: ExpExpandResourceOwnerTable+55j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_4D2834:				; CODE XREF: ExpExpandResourceOwnerTable+42j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4D2731
; 

loc_4D2848:				; CODE XREF: ExpExpandResourceOwnerTable+1Bj
		mov	ebx, [edi+4]
		lea	eax, [ebx+4]
		mov	[ebp+var_C], eax
		cmp	eax, ebx
		jb	short loc_4D2828
		push	8
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		jns	loc_4D2707
		jmp	short loc_4D2828
; 

loc_4D286E:				; CODE XREF: ExpExpandResourceOwnerTable+11Dj
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_4D2875:				; CODE XREF: ExpExpandResourceOwnerTable+10Aj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4D27F5
; 

loc_4D2889:				; CODE XREF: ExpExpandResourceOwnerTable+D2j
		cmp	ebx, [edi+4]
		jz	loc_4D27AE

loc_4D2892:				; CODE XREF: ExpExpandResourceOwnerTable+CAj
		test	ds:byte_70EFC6,	1
		jnz	loc_5C888C
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_4D28D9

loc_4D28A5:				; CODE XREF: ExpExpandResourceOwnerTable+219j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_4D28B4:				; CODE XREF: ExpExpandResourceOwnerTable+210j
					; ExpExpandResourceOwnerTable+F61C0j
		mov	cl, [esi+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4D280F
; 

loc_4D28CC:				; CODE XREF: ExpExpandResourceOwnerTable+12Aj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4D2806
; 

loc_4D28D9:				; CODE XREF: ExpExpandResourceOwnerTable+1CDj
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_4D28B4
		mov	ecx, esi
		call	KxWaitForLockChainValid
		jmp	short loc_4D28A5
ExpExpandResourceOwnerTable endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiZeroPageWorkMapping proc near		; CODE XREF: MiZeroPage(x,x)+183p
					; MiPageListCollision(x,x)+2Bp

var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= byte ptr -0A0h
var_9F		= byte ptr -9Fh
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005C889B SIZE 00000087 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_A4]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_B4], esi
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_AC], 1
		test	[ebp+arg_0], 2
		mov	[ebp+var_9C], 21h
		mov	[ebp+var_90], 0
		jz	short loc_4D296A
		test	ebx, ebx
		jz	short loc_4D296A
		mov	[ebp+var_AC], 0

loc_4D296A:				; CODE XREF: MiZeroPageWorkMapping+5Aj
					; MiZeroPageWorkMapping+5Ej
		mov	edi, esi
		shl	edi, 9
		cmp	ebx, 2
		jnz	loc_4D2A31
		mov	ebx, 1
		cmp	edi, 0C0000000h
		jnb	loc_5C889B

loc_4D2989:				; CODE XREF: MiZeroPageWorkMapping+F5FA1j
					; MiZeroPageWorkMapping+F5FAEj
		mov	edx, [ebp+var_98]
		nop

loc_4D2990:				; CODE XREF: MiZeroPageWorkMapping+F1j
		lea	eax, [ebx-1]
		cmp	eax, 3FFh
		ja	loc_5C88B3
		mov	eax, ebx
		mov	[ebp+var_A8], ebx

loc_4D29A6:				; CODE XREF: MiZeroPageWorkMapping+F5FBEj
		sub	ebx, eax
		mov	ecx, edi
		dec	eax
		and	ecx, 0FFFFF000h
		and	eax, 3FFh
		or	eax, ecx
		mov	ecx, [ebp+var_A8]
		mov	[ebp+edx*4+var_90], eax
		mov	edx, [ebp+var_98]
		mov	eax, [ebp+var_A8]
		inc	edx
		add	[ebp+var_94], eax
		shl	ecx, 0Ch
		add	edi, ecx
		mov	[ebp+var_98], edx
		cmp	edx, [ebp+var_9C]
		jz	loc_5C88C3

loc_4D29EF:				; CODE XREF: MiZeroPageWorkMapping+F5FCAj
					; MiZeroPageWorkMapping+F5FFEj
		test	ebx, ebx
		jnz	short loc_4D2990
		mov	eax, 1

loc_4D29F8:				; CODE XREF: MiZeroPageWorkMapping+159j
					; MiZeroPageWorkMapping+1A6j ...
		lea	eax, [esi+eax*8]
		cmp	esi, eax
		jnb	short loc_4D2A15
		nop

loc_4D2A00:				; CODE XREF: MiZeroPageWorkMapping+113j
		mov	dword ptr [esi], 0
		nop
		mov	dword ptr [esi+4], 0
		add	esi, 8
		cmp	esi, eax
		jb	short loc_4D2A00

loc_4D2A15:				; CODE XREF: MiZeroPageWorkMapping+FDj
		cmp	[ebp+var_AC], 0
		jnz	short loc_4D2A5B

loc_4D2A1E:				; CODE XREF: MiZeroPageWorkMapping+166j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4D2A31:				; CODE XREF: MiZeroPageWorkMapping+72j
		mov	eax, ds:_MiLargePageSizes[ebx*4]
		mov	[ebp+var_A8], eax
		cmp	ebx, 1
		jnz	short loc_4D2A68
		push	0
		push	eax
		mov	edx, edi
		lea	ecx, [ebp+var_A4]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	eax, [ebp+var_A8]
		jmp	short loc_4D29F8
; 

loc_4D2A5B:				; CODE XREF: MiZeroPageWorkMapping+11Cj
		lea	ecx, [ebp+var_A4]
		call	MiFlushTbList
		jmp	short loc_4D2A1E
; 

loc_4D2A68:				; CODE XREF: MiZeroPageWorkMapping+141j
		test	ebx, ebx
		jnz	short loc_4D2AA1
		mov	esi, [ebp+var_A8]
		mov	eax, 1
		sub	eax, ebx
		mov	ebx, eax
		jmp	short loc_4D2A80
; 
		align 10h

loc_4D2A80:				; CODE XREF: MiZeroPageWorkMapping+17Bj
					; MiZeroPageWorkMapping+199j
		push	0
		push	esi
		mov	edx, edi
		lea	ecx, [ebp+var_A4]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		shl	edi, 9
		shl	esi, 9
		sub	ebx, 1
		jnz	short loc_4D2A80
		mov	esi, [ebp+var_B4]

loc_4D2AA1:				; CODE XREF: MiZeroPageWorkMapping+16Aj
		mov	eax, 200h
		jmp	loc_4D29F8
MiZeroPageWorkMapping endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MmGetAvailablePagesBelowPriority(x)
_MmGetAvailablePagesBelowPriority@4 proc near ;	CODE XREF: PfSnEndTrace+25Cp
		mov	edx, ecx
		mov	ecx, offset _MiSystemPartition
		jmp	_MiGetAvailablePagesBelowPriority@8 ; MiGetAvailablePagesBelowPriority(x,x)
_MmGetAvailablePagesBelowPriority@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReduceZeroingThreads proc near	; CODE XREF: MiScheduleZeroPageThreads+109p
					; MiReassessZeroThreads+26Ap

var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C8922 SIZE 00000091 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_2C], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	ebx, ecx
		stosd
		mov	[ebp+var_30], ebx
		mov	edx, [ebx+6Ch]
		stosd
		mov	[ebp+var_24], edx
		stosd
		stosd
		mov	eax, dword_6D06C4
		mov	[ebp+var_20], eax
		test	edx, edx
		jz	loc_4D2BC4
		xor	edi, edi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], edi

loc_4D2AFC:				; CODE XREF: MiReduceZeroingThreads+103j
		mov	eax, [ebx+64h]
		and	[ebp+var_38], 0
		mov	eax, [edi+eax+8]
		lea	edi, [ebp+var_44]
		mov	[ebp+var_34], eax
		and	dword ptr [eax+64h], 0
		lea	esi, [eax+58h]
		movsd
		movsd
		movsd
		mov	eax, [ebp+var_44]
		test	eax, eax
		jz	loc_5C8922
		bsf	eax, eax
		mov	[ebp+var_38], eax

loc_4D2B28:				; CODE XREF: MiReduceZeroingThreads+F5E6Dj
		mov	esi, [ebp+var_34]
		xor	edx, edx
		and	[ebp+var_28], edx
		xor	ecx, ecx
		cmp	[ebp+var_20], ecx
		jbe	short loc_4D2B65
		lea	ebx, _KiProcessorBlock[eax*4]

loc_4D2B3E:				; CODE XREF: MiReduceZeroingThreads+A8j
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_4D2B62
		mov	edi, [eax+4]
		cmp	edi, [eax+0Ch]
		jz	loc_4D2BF0
		cmp	edi, [esi+54h]
		jz	loc_4D2BF6

loc_4D2B59:				; CODE XREF: MiReduceZeroingThreads+139j
					; MiReduceZeroingThreads+145j
		add	ebx, 4
		inc	ecx
		cmp	ecx, [ebp+var_20]
		jb	short loc_4D2B3E

loc_4D2B62:				; CODE XREF: MiReduceZeroingThreads+8Aj
		mov	ebx, [ebp+var_30]

loc_4D2B65:				; CODE XREF: MiReduceZeroingThreads+7Dj
		mov	eax, [ebx+64h]
		mov	edi, [ebp+var_18]
		mov	al, [edi+eax+4]
		and	al, 1
		cmp	edx, ecx
		jz	loc_4D2C02
		test	al, al
		jnz	short loc_4D2BB1
		cmp	[ebp+var_28], 0
		jz	short loc_4D2BA1
		lea	eax, [ecx-1]
		cmp	edx, eax
		jnz	short loc_4D2B9C

loc_4D2B8A:				; CODE XREF: MiReduceZeroingThreads+E7j
		inc	dword ptr [ebx+0CCh]
		inc	[ebp+var_C]
		mov	dword ptr [esi+64h], 2
		jmp	short loc_4D2BB1
; 

loc_4D2B9C:				; CODE XREF: MiReduceZeroingThreads+D0j
		cmp	ecx, 1
		jz	short loc_4D2B8A

loc_4D2BA1:				; CODE XREF: MiReduceZeroingThreads+C9j
		inc	dword ptr [ebx+0C8h]
		inc	[ebp+var_10]
		mov	dword ptr [esi+64h], 1

loc_4D2BB1:				; CODE XREF: MiReduceZeroingThreads+C3j
					; MiReduceZeroingThreads+E2j ...
		add	edi, 1Ch
		sub	[ebp+var_1C], 1
		mov	[ebp+var_18], edi
		jnz	loc_4D2AFC
		mov	edx, [ebp+var_24]

loc_4D2BC4:				; CODE XREF: MiReduceZeroingThreads+36j
		mov	edi, [ebp+var_10]
		test	edi, edi
		jz	short loc_4D2BD2
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_4D2C1C

loc_4D2BD2:				; CODE XREF: MiReduceZeroingThreads+111j
		cmp	[ebp+arg_0], 0
		jz	loc_4D2CD9

loc_4D2BDC:				; CODE XREF: MiReduceZeroingThreads+231j
					; MiReduceZeroingThreads+F5EF0j
		push	8

loc_4D2BDE:				; CODE XREF: MiReduceZeroingThreads+1EEj
					; MiReduceZeroingThreads+2BDj
		mov	ecx, [ebp+var_4]
		pop	eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_4D2BF0:				; CODE XREF: MiReduceZeroingThreads+92j
		inc	edx
		jmp	loc_4D2B59
; 

loc_4D2BF6:				; CODE XREF: MiReduceZeroingThreads+9Bj
		mov	[ebp+var_28], 1
		jmp	loc_4D2B59
; 

loc_4D2C02:				; CODE XREF: MiReduceZeroingThreads+BBj
		test	al, al
		jz	loc_4D2CCE
		inc	dword ptr [ebx+0C0h]
		inc	[ebp+var_8]
		mov	dword ptr [esi+64h], 3
		jmp	short loc_4D2BB1
; 

loc_4D2C1C:				; CODE XREF: MiReduceZeroingThreads+118j
		cmp	edi, eax
		ja	loc_4D2CC7

loc_4D2C24:				; CODE XREF: MiReduceZeroingThreads+211j
		xor	ecx, ecx
		xor	esi, esi
		mov	[ebp+var_18], ecx
		test	edx, edx
		jz	short loc_4D2CA4
		xor	edx, edx
		mov	[ebp+var_28], edx

loc_4D2C34:				; CODE XREF: MiReduceZeroingThreads+207j
		mov	eax, [ebx+64h]
		mov	[ebp+var_1C], eax
		mov	eax, [eax+edx+8]
		cmp	dword ptr [eax+64h], 1
		jnz	short loc_4D2CB2
		mov	ecx, [ebp+var_1C]
		imul	eax, esi, 1Ch
		add	ecx, 8
		add	ecx, eax

loc_4D2C4F:				; CODE XREF: MiReduceZeroingThreads+1A6j
		mov	eax, [ecx]
		cmp	dword ptr [eax+64h], 3
		jz	short loc_4D2C62
		inc	esi
		add	ecx, 1Ch
		cmp	esi, [ebp+var_24]
		jb	short loc_4D2C4F
		jmp	short loc_4D2CAF
; 

loc_4D2C62:				; CODE XREF: MiReduceZeroingThreads+19Dj
		mov	eax, [ebp+var_1C]
		inc	dword ptr [ebx+0D0h]
		push	0
		push	0
		mov	cl, [eax+edx+4]
		mov	eax, [ebx+64h]
		or	cl, 1
		mov	[eax+edx+4], cl
		mov	eax, [ebx+64h]
		imul	edx, esi, 1Ch
		mov	cl, [edx+eax+4]
		mov	eax, [ebx+64h]
		and	cl, 0FEh
		mov	[edx+eax+4], cl
		add	edx, 0Ch
		mov	eax, [ebx+64h]
		add	eax, edx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		sub	edi, 1
		jnz	short loc_4D2CAB

loc_4D2CA4:				; CODE XREF: MiReduceZeroingThreads+175j
					; MiReduceZeroingThreads+20Dj
		push	7
		jmp	loc_4D2BDE
; 

loc_4D2CAB:				; CODE XREF: MiReduceZeroingThreads+1EAj
		mov	edx, [ebp+var_28]
		inc	esi

loc_4D2CAF:				; CODE XREF: MiReduceZeroingThreads+1A8j
		mov	ecx, [ebp+var_18]

loc_4D2CB2:				; CODE XREF: MiReduceZeroingThreads+18Aj
		inc	ecx
		add	edx, 1Ch
		mov	[ebp+var_18], ecx
		mov	[ebp+var_28], edx
		cmp	ecx, [ebp+var_24]
		jb	loc_4D2C34
		jmp	short loc_4D2CA4
; 

loc_4D2CC7:				; CODE XREF: MiReduceZeroingThreads+166j
		mov	edi, eax
		jmp	loc_4D2C24
; 

loc_4D2CCE:				; CODE XREF: MiReduceZeroingThreads+14Cj
		inc	dword ptr [ebx+0C4h]
		jmp	loc_4D2BB1
; 

loc_4D2CD9:				; CODE XREF: MiReduceZeroingThreads+11Ej
		mov	esi, [ebx+74h]
		xor	edi, edi
		inc	edi
		cmp	esi, edi
		ja	short loc_4D2CEE
		inc	dword ptr [ebx+0D4h]
		jmp	loc_4D2BDC
; 

loc_4D2CEE:				; CODE XREF: MiReduceZeroingThreads+229j
		mov	eax, [ebx+70h]
		cmp	esi, eax
		jbe	loc_5C892A
		inc	dword ptr [ebx+0E0h]
		mov	edi, esi
		sub	edi, eax

loc_4D2D03:				; CODE XREF: MiReduceZeroingThreads+F5E80j
					; MiReduceZeroingThreads+F5EF6j
		xor	edx, edx
		inc	edx

loc_4D2D06:				; CODE XREF: MiReduceZeroingThreads+2B9j
		mov	eax, [ebp+edx*4+var_14]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	short loc_4D2D6D
		xor	ecx, ecx
		mov	[ebp+var_18], ecx
		cmp	[ebp+var_24], ecx
		jbe	short loc_4D2D6D
		xor	esi, esi

loc_4D2D1D:				; CODE XREF: MiReduceZeroingThreads+27Ej
		mov	eax, [ebx+64h]
		mov	[ebp+var_2C], eax
		mov	eax, [esi+eax+8]
		cmp	[eax+64h], edx
		jz	short loc_4D2D3A

loc_4D2D2C:				; CODE XREF: MiReduceZeroingThreads+2CDj
		inc	ecx
		add	esi, 1Ch
		mov	[ebp+var_18], ecx
		cmp	ecx, [ebp+var_24]
		jb	short loc_4D2D1D
		jmp	short loc_4D2D6D
; 

loc_4D2D3A:				; CODE XREF: MiReduceZeroingThreads+272j
		cmp	edx, 1
		jnz	short loc_4D2D7A
		inc	dword ptr [ebx+0D8h]

loc_4D2D45:				; CODE XREF: MiReduceZeroingThreads+2C8j
		mov	eax, [ebp+var_2C]
		mov	cl, [esi+eax+4]
		mov	eax, [ebx+64h]
		or	cl, 1
		mov	[esi+eax+4], cl
		dec	dword ptr [ebx+74h]
		sub	edi, 1
		jz	short loc_4D2D73
		mov	ecx, [ebp+var_1C]
		sub	ecx, 1
		mov	[ebp+var_1C], ecx
		mov	[ebp+edx*4+var_14], ecx
		jnz	short loc_4D2D82

loc_4D2D6D:				; CODE XREF: MiReduceZeroingThreads+257j
					; MiReduceZeroingThreads+261j ...
		inc	edx
		cmp	edx, 2
		jle	short loc_4D2D06

loc_4D2D73:				; CODE XREF: MiReduceZeroingThreads+2A4j
		push	5
		jmp	loc_4D2BDE
; 

loc_4D2D7A:				; CODE XREF: MiReduceZeroingThreads+285j
		inc	dword ptr [ebx+0DCh]
		jmp	short loc_4D2D45
; 

loc_4D2D82:				; CODE XREF: MiReduceZeroingThreads+2B3j
		mov	ecx, [ebp+var_18]
		jmp	short loc_4D2D2C
MiReduceZeroingThreads endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmQuerySystemWorkingSetInformation proc	near ; CODE XREF: PAGE:0077F301p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C89B3 SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	ebx, ecx
		stosd
		mov	esi, edx
		and	dword ptr [esi+20h], 0
		stosd
		stosd
		lea	eax, [ebx-1]
		sub	eax, 1
		jnz	loc_4D2EA6
		cmp	byte ptr dword_6D5D90, al
		jz	loc_5C89F6
		mov	edi, offset unk_6D5E80

loc_4D2DC0:				; CODE XREF: MmQuerySystemWorkingSetInformation+128j
					; MmQuerySystemWorkingSetInformation+147j
		mov	ecx, edi
		call	MiLockWorkingSetShared
		mov	cl, [edi+60h]
		and	cl, 7
		mov	[ebp+var_1], al
		cmp	cl, 2
		mov	ecx, offset unk_6D3C80
		jnz	loc_4D2EB5

loc_4D2DDE:				; CODE XREF: MmQuerySystemWorkingSetInformation+133j
		and	[ebp+var_10], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_C], ecx
		jnz	loc_5C89B3
		lea	edx, [ebp+var_10]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	loc_4D2ED4

loc_4D2DFF:				; CODE XREF: MmQuerySystemWorkingSetInformation+154j
					; MmQuerySystemWorkingSetInformation+F5C35j
		mov	eax, [edi+40h]
		mov	[esi], eax
		mov	eax, [edi+54h]
		mov	[esi+4], eax
		mov	eax, [edi+4]
		mov	[esi+8], eax
		mov	eax, [edi+3Ch]
		mov	[esi+0Ch], eax
		mov	eax, [edi+50h]
		mov	[esi+10h], eax
		mov	al, [edi+60h]
		test	al, al
		js	loc_5C89C2

loc_4D2E27:				; CODE XREF: MmQuerySystemWorkingSetInformation+F5C41j
		xor	ecx, ecx
		inc	ecx
		test	al, 40h
		jnz	loc_5C89CE

loc_4D2E32:				; CODE XREF: MmQuerySystemWorkingSetInformation+F5C49j
		mov	eax, dword_6D57FC[ebx*4]
		mov	[esi+18h], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5C89D6
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_4D2EE1
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	loc_5C89E6

loc_4D2E6B:				; CODE XREF: MmQuerySystemWorkingSetInformation+166j
					; MmQuerySystemWorkingSetInformation+F5C59j
		mov	dl, [ebp+var_1]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		inc	edx
		call	_MiGetStandbyRepurposed@8 ; MiGetStandbyRepurposed(x,x)
		mov	ecx, [esi]
		mov	edx, [esi+18h]
		mov	[esi+1Ch], eax
		mov	eax, dword_6D5800
		add	eax, ecx
		mov	[esi+14h], eax
		cmp	eax, edx
		ja	short loc_4D2EC0

loc_4D2E98:				; CODE XREF: MmQuerySystemWorkingSetInformation+13Bj
		shl	ecx, 0Ch
		shl	dword ptr [esi+4], 0Ch
		mov	[esi], ecx

loc_4D2EA1:				; CODE XREF: MmQuerySystemWorkingSetInformation+140j
					; MmQuerySystemWorkingSetInformation+F5C77j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4D2EA6:				; CODE XREF: MmQuerySystemWorkingSetInformation+21j
		sub	eax, 1
		jnz	short loc_4D2EC5
		mov	edi, offset unk_6D3840
		jmp	loc_4D2DC0
; 

loc_4D2EB5:				; CODE XREF: MmQuerySystemWorkingSetInformation+50j
		lea	ecx, [edi+0C0h]
		jmp	loc_4D2DDE
; 

loc_4D2EC0:				; CODE XREF: MmQuerySystemWorkingSetInformation+10Ej
		mov	[esi+14h], edx
		jmp	short loc_4D2E98
; 

loc_4D2EC5:				; CODE XREF: MmQuerySystemWorkingSetInformation+121j
		sub	eax, 1
		jnz	short loc_4D2EA1
		mov	edi, offset unk_6D3740
		jmp	loc_4D2DC0
; 

loc_4D2ED4:				; CODE XREF: MmQuerySystemWorkingSetInformation+71j
		lea	ecx, [ebp+var_10]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4D2DFF
; 

loc_4D2EE1:				; CODE XREF: MmQuerySystemWorkingSetInformation+C6j
					; MmQuerySystemWorkingSetInformation+F5C69j
		mov	[ebp+var_10], 0
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4D2E6B
MmQuerySystemWorkingSetInformation endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiPageListCollision(x, x)
_MiPageListCollision@8 proc near	; CODE XREF: MiUnlinkFreeOrZeroedPage+484p
					; MiUnlinkNodeLargePageHelper(x,x,x,x,x)+82p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		call	_MiStopPageAccessor@4 ;	MiStopPageAccessor(x)
		mov	edx, [eax+10h]
		test	edx, edx
		jnz	short loc_4D2F07

loc_4D2F05:				; CODE XREF: MiPageListCollision(x,x)+1Bj
		pop	esi
		retn
; 

loc_4D2F07:				; CODE XREF: MiPageListCollision(x,x)+Fj
		mov	ecx, [edx]
		and	ecx, 1
		or	ecx, 0
		jz	short loc_4D2F05
		mov	ecx, [eax+20h]
		neg	esi
		sbb	esi, esi
		and	esi, 0FFFFFFFEh
		add	esi, 2
		push	esi
		call	MiZeroPageWorkMapping
		pop	esi
		retn
_MiPageListCollision@8 endp


;  S U B	R O U T	I N E 


MiUpdatePageTableUseCount proc near	; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+5FEp
					; MiExpandSharedZeroCluster+1F8p ...

; FUNCTION CHUNK AT 005C8A04 SIZE 00000014 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	eax, edi

loc_4D2F30:				; CODE XREF: MiUpdatePageTableUseCount+F5AE5j
		cmp	eax, ds:_MmHighestUserAddress
		ja	loc_5C8A04
		mov	ecx, large fs:124h
		shr	edi, 15h
		mov	ecx, [ecx+80h]
		mov	ecx, [ecx+24Ch]
		lea	ecx, [ecx+edi*2]
		add	ecx, 190h
		call	_MiIncreaseUsedPtesCount@8 ; MiIncreaseUsedPtesCount(x,x)
		xor	eax, eax
		inc	eax

loc_4D2F63:				; CODE XREF: MiUpdatePageTableUseCount+F5AEDj
		pop	edi
		pop	esi
		retn
MiUpdatePageTableUseCount endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiStoreUpdatePagefileHash proc near	; CODE XREF: MiStoreWriteModifiedPages+7F5p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C8A18 SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	ecx, ecx
		push	esi
		push	edi
		add	ebx, 1Ch
		mov	[ebp+var_14], 10h
		xor	esi, esi
		mov	[ebp+var_10], ecx
		xor	edi, edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_24], ebx
		cmp	[ebp+arg_4], ecx
		jbe	loc_4D30BC
		jmp	short loc_4D2FB0
; 
		align 10h

loc_4D2FB0:				; CODE XREF: MiStoreUpdatePagefileHash+33j
					; MiStoreUpdatePagefileHash+125j
		mov	eax, [ebx]
		cmp	eax, dword_6D34E4
		jz	loc_4D30CD
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		mov	cl, 2
		mov	[ebp+var_1C], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, [ebp+var_1C]
		mov	[ebp+var_1], al
		mov	[ebp+var_C], 0
		lea	eax, [edx+10h]
		mov	[ebp+var_28], eax
		lock bts dword ptr [eax], 1Fh
		jb	loc_4D3120

loc_4D2FF8:				; CODE XREF: MiStoreUpdatePagefileHash+1CDj
		mov	ecx, [edx+8]
		mov	eax, [edx+0Ch]
		mov	[ebp+var_1C], ecx
		shrd	ecx, eax, 0Ch
		and	ecx, 0Fh
		mov	[ebp+var_C], ecx
		nop
		mov	edx, [edx+0Ch]
		mov	eax, edx
		mov	ecx, [ebp+var_1C]
		shrd	ecx, eax, 2
		mov	[ebp+var_8], edx
		test	cl, 1
		jz	loc_5C8A18
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	[ebp+var_24], edx
		mov	edx, dword_6D0704
		or	eax, edx
		mov	[ebp+var_2C], edx
		jz	short loc_4D3054
		mov	edx, [ebp+var_1C]
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4D30C5
		mov	edx, [ebp+var_2C]
		not	edx
		and	edx, [ebp+var_24]
		mov	[ebp+var_8], edx

loc_4D3054:				; CODE XREF: MiStoreUpdatePagefileHash+CAj
					; MiStoreUpdatePagefileHash+15Bj ...
		mov	eax, [ebp+var_28]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_18], 0
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_C]
		jz	loc_4D3114

loc_4D3078:				; CODE XREF: MiStoreUpdatePagefileHash+168j
					; MiStoreUpdatePagefileHash+1ABj
		mov	edx, [ebp+var_14]
		cmp	edx, eax
		mov	eax, [ebp+var_8]
		jnz	short loc_4D30DA
		cmp	eax, esi
		jnz	short loc_4D30DA
		inc	ecx

loc_4D3087:				; CODE XREF: MiStoreUpdatePagefileHash+17Fj
		inc	edi
		mov	[ebp+var_10], ecx
		add	ebx, 4
		inc	esi
		mov	[ebp+var_24], ebx
		cmp	edi, [ebp+arg_4]
		jb	loc_4D2FB0
		mov	eax, [ebp+var_14]
		cmp	eax, 10h
		jz	short loc_4D30BC
		mov	edx, [ebp+arg_0]
		sub	edi, ecx
		push	ecx
		mov	ecx, [ebp+var_18]
		push	[ebp+var_20]
		push	edi
		mov	ecx, [ecx+eax*4+0F54h]
		call	MiMapPageFileHash

loc_4D30BC:				; CODE XREF: MiStoreUpdatePagefileHash+2Dj
					; MiStoreUpdatePagefileHash+131j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4D30C5:				; CODE XREF: MiStoreUpdatePagefileHash+D7j
		mov	eax, [ebp+var_24]
		mov	[ebp+var_8], eax
		jmp	short loc_4D3054
; 

loc_4D30CD:				; CODE XREF: MiStoreUpdatePagefileHash+48j
		mov	eax, 10h
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], eax
		jmp	short loc_4D3078
; 

loc_4D30DA:				; CODE XREF: MiStoreUpdatePagefileHash+110j
					; MiStoreUpdatePagefileHash+114j
		cmp	edx, 10h
		jnz	short loc_4D30F1

loc_4D30DF:				; CODE XREF: MiStoreUpdatePagefileHash+1A2j
		mov	ecx, [ebp+var_C]
		mov	esi, eax
		mov	[ebp+var_14], ecx
		mov	ecx, 1
		mov	[ebp+var_20], eax
		jmp	short loc_4D3087
; 

loc_4D30F1:				; CODE XREF: MiStoreUpdatePagefileHash+16Dj
		mov	edx, [ebp+arg_0]
		mov	eax, edi
		push	ecx
		push	[ebp+var_20]
		sub	eax, ecx
		mov	ecx, [ebp+var_14]
		push	eax
		mov	eax, [ebp+var_18]
		mov	ecx, [eax+ecx*4+0F54h]
		call	MiMapPageFileHash
		mov	eax, [ebp+var_8]
		jmp	short loc_4D30DF
; 

loc_4D3114:				; CODE XREF: MiStoreUpdatePagefileHash+102j
		mov	[ebp+var_18], offset _MiSystemPartition
		jmp	loc_4D3078
; 

loc_4D3120:				; CODE XREF: MiStoreUpdatePagefileHash+82j
		mov	ebx, [ebp+var_28]

loc_4D3123:				; CODE XREF: MiStoreUpdatePagefileHash+1BEj
					; MiStoreUpdatePagefileHash+1C5j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		cmp	dword ptr [ebx], 0
		jl	short loc_4D3123
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_4D3123
		mov	ebx, [ebp+var_24]
		mov	edx, [ebp+var_1C]
		jmp	loc_4D2FF8
MiStoreUpdatePagefileHash endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapPageFileHash proc near		; CODE XREF: MiGatherPagefilePages+5F8p
					; MiStoreUpdatePagefileHash+147p ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C8A24 SIZE 0000014A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], ecx
		lea	edi, [ebp+var_54]
		xor	esi, esi
		mov	ebx, edx
		stosd
		stosd
		stosd
		cmp	[ecx+80h], esi
		jnz	short loc_4D316B

loc_4D3164:				; CODE XREF: MiMapPageFileHash+198j
					; MiMapPageFileHash+1A2j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4D316B:				; CODE XREF: MiMapPageFileHash+20j
		push	esi
		lea	edx, [ebp+var_54]
		mov	ecx, offset unk_6D3940
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		test	ebx, ebx
		jz	loc_5C8A24
		test	byte ptr [ebx+6], 5
		jnz	short loc_4D3197
		push	0C0000010h
		push	esi
		push	esi
		push	1
		push	esi
		push	ebx
		call	MmMapLockedPagesSpecifyCache

loc_4D3197:				; CODE XREF: MiMapPageFileHash+43j
		mov	eax, [ebp+arg_0]
		add	eax, 7
		lea	eax, [ebx+eax*4]
		mov	[ebp+var_1C], eax

loc_4D31A3:				; CODE XREF: MiMapPageFileHash+F58E5j
		mov	edi, [ebp+var_8]
		lea	eax, [edi+88h]
		mov	[ebp+var_14], eax

loc_4D31AF:				; CODE XREF: MiMapPageFileHash+190j
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+arg_4]
		mov	edx, 1000h
		mov	byte ptr [ebp+arg_0+3],	al
		mov	eax, [edi+80h]
		mov	[ebp+var_2C], eax
		lea	ecx, [eax+ecx*4]
		mov	eax, [ebp+arg_8]
		mov	edi, ecx
		and	ecx, 0FFFh
		shr	edi, 9
		sub	edx, ecx
		and	edi, offset loc_7FFFF8
		shr	edx, 2
		sub	edi, 40000000h
		mov	[ebp+var_10], edx
		cmp	edx, eax
		jbe	short loc_4D31F7
		mov	edx, eax
		mov	[ebp+var_10], eax

loc_4D31F7:				; CODE XREF: MiMapPageFileHash+AEj
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		mov	[ebp+var_34], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, esi
		jz	loc_4D32F8
		nop
		mov	eax, [ebp+var_34]
		mov	edi, dword_6D0700
		mov	esi, dword_6D0704
		shrd	ecx, eax, 0Ch
		push	0
		and	ecx, 1FFFFFFh
		mov	[ebp+var_34], esi
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_2C], ecx
		mov	eax, [ecx+8]
		mov	ecx, [ecx+0Ch]
		mov	[ebp+var_18], eax
		mov	eax, edi
		or	eax, esi
		mov	[ebp+var_C], ecx
		pop	esi
		jz	loc_5C8A34
		mov	ecx, [ebp+var_18]
		mov	eax, ecx
		and	eax, 10h
		or	eax, esi
		mov	eax, ecx
		jnz	loc_5C8A2C
		mov	ecx, [ebp+var_34]
		not	ecx
		and	ecx, [ebp+var_C]

loc_4D3269:				; CODE XREF: MiMapPageFileHash+F58EDj
					; MiMapPageFileHash+F58F5j
		push	[ebp+var_C]
		push	eax
		xor	eax, eax
		add	ecx, edx
		adc	eax, esi
		push	eax
		push	ecx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	ecx, [ebp+var_2C]
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], edx
		mov	[ecx+8], eax
		nop
		push	[ebp+var_14]
		mov	[ecx+0Ch], edx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, [ebp+var_10]
		mov	edx, ebx
		mov	ecx, [ebp+var_8]
		push	edi
		push	[ebp+arg_4]
		push	[ebp+var_1C]
		call	MiWritePageFileHash

loc_4D32AF:				; CODE XREF: MiMapPageFileHash+381j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_4D32BC
		lea	eax, [eax+edi*4]
		mov	[ebp+var_1C], eax

loc_4D32BC:				; CODE XREF: MiMapPageFileHash+172j
		mov	eax, [ebp+arg_8]
		add	[ebp+arg_4], edi
		sub	eax, edi
		mov	edi, [ebp+var_8]
		mov	[ebp+arg_8], eax

loc_4D32CA:				; CODE XREF: MiMapPageFileHash+F5A27j
		test	eax, eax
		lea	eax, [edi+88h]
		jnz	loc_4D31AF
		test	ebx, ebx
		jz	loc_4D3164
		test	byte ptr [ebx+6], 1
		jz	loc_4D3164
		push	ebx
		push	dword ptr [ebx+0Ch]
		call	MmUnmapLockedPages
		jmp	loc_4D3164
; 

loc_4D32F8:				; CODE XREF: MiMapPageFileHash+C5j
		push	[ebp+var_14]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_54]
		xor	ecx, ecx
		inc	ecx
		lock xadd [eax], ecx
		inc	ecx
		mov	edx, [ebp+var_50]
		dec	ecx
		and	edx, ecx
		mov	ecx, [ebp+var_8]
		or	edx, [ebp+var_4C]
		call	MiGetFileHashPage
		mov	[ebp+var_18], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_5C8A3C
		imul	eax, 1Ch
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_38], esi
		xor	edx, edx
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_C], eax
		lock or	[ecx], edx
		mov	edx, ds:_KiTbFlushTimeStamp
		mov	ecx, eax
		push	esi
		call	_MiSetPfnTbFlushStamp@12 ; MiSetPfnTbFlushStamp(x,x,x)
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	ecx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	edx, edi
		shrd	ecx, eax, 0Ch
		push	0A00h
		and	ecx, 1FFFFFFh
		push	ecx
		mov	ecx, [ebp+var_18]
		call	MiInitializePfnForOtherProcess
		mov	ecx, [ebp+var_C]
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp+var_1], al

loc_4D3392:				; CODE XREF: MiMapPageFileHash+F5901j
		push	[ebp+var_14]
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_2C]
		mov	byte ptr [ebp+arg_0+3],	al
		mov	eax, [ebp+var_8]
		cmp	ecx, [eax+80h]
		jnz	loc_5C8A48
		mov	eax, [edi]
		mov	[ebp+var_20], eax
		nop
		mov	eax, [edi+4]
		mov	ecx, eax
		mov	edx, dword_6D0700
		mov	[ebp+var_3C], eax
		mov	[ebp+var_24], eax
		mov	eax, dword_6D0704
		mov	[ebp+var_2C], eax
		mov	eax, edx
		or	eax, [ebp+var_2C]
		mov	[ebp+var_34], ecx
		jz	short loc_4D33F3
		mov	ecx, [ebp+var_20]
		mov	eax, ecx
		and	eax, 10h
		or	eax, esi
		jnz	loc_5C8ABF
		mov	ecx, [ebp+var_2C]
		not	ecx
		and	ecx, [ebp+var_34]

loc_4D33F0:				; CODE XREF: MiMapPageFileHash+F5980j
		mov	[ebp+var_24], ecx

loc_4D33F3:				; CODE XREF: MiMapPageFileHash+294j
		mov	edx, [ebp+var_10]
		add	edx, ecx
		cmp	[ebp+var_18], 0FFFFFFFFh
		jz	loc_5C8AC7
		mov	eax, [ebp+var_C]
		mov	ecx, [eax+8]
		mov	eax, [eax+0Ch]
		push	eax
		push	ecx
		push	esi
		push	edx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], edx
		mov	[ecx+8], eax
		nop
		cmp	[ebp+var_24], 0
		mov	[ecx+0Ch], edx
		jnz	loc_5C8AF6

loc_4D342E:				; CODE XREF: MiMapPageFileHash+F59B8j
		mov	edx, [ebp+var_18]
		mov	ecx, edi
		push	0A0000004h
		call	MiMakeValidPte
		mov	[ebp+var_3C], edx
		mov	ecx, edi
		mov	[ebp+var_18], eax
		mov	[ebp+var_3C], edx
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], edx
		mov	[ebp+var_34], esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5C8AFF
		mov	ecx, [ebp+var_18]

loc_4D3461:				; CODE XREF: MiMapPageFileHash+F59D7j
					; MiMapPageFileHash+F59E4j ...
		mov	[edi+4], edx
		nop
		cmp	[ebp+var_34], 0
		mov	[edi], ecx
		jnz	loc_5C8B55

loc_4D3471:				; CODE XREF: MiMapPageFileHash+F5A1Cj
		mov	edi, [ebp+var_8]
		inc	dword ptr [edi+78h]
		mov	eax, [edi+78h]
		cmp	eax, [edi+7Ch]
		jbe	short loc_4D3482
		mov	[edi+7Ch], eax

loc_4D3482:				; CODE XREF: MiMapPageFileHash+33Bj
		lea	eax, [edi+88h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_C]
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	[ebp+var_10]
		mov	edx, ebx
		mov	ecx, edi
		push	[ebp+arg_4]
		push	[ebp+var_1C]
		call	MiWritePageFileHash

loc_4D34C0:				; CODE XREF: MiMapPageFileHash+F59AFj
		mov	edi, [ebp+var_10]
		jmp	loc_4D32AF
MiMapPageFileHash endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputeZeroClusterMaximum proc near	; CODE XREF: MiResolvePrivateZeroFault(x)+11Ap
					; MiResolvePrivateZeroFault(x)+148p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C8B6E SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	[ebp+var_8], edx
		mov	edx, ecx
		push	edi
		mov	[ebp+var_4], edx
		mov	edi, [edx+0Ch]
		mov	eax, [edx+4]
		mov	ebx, [edx+10h]
		mov	ecx, [eax+edi*8]
		mov	esi, ecx
		mov	eax, [eax+edi*8+4]
		and	esi, 0FFFh
		add	eax, 0FFFh
		add	esi, eax
		mov	eax, [ebp+arg_0]
		shr	esi, 0Ch
		sub	esi, ebx
		shl	ebx, 0Ch
		add	ebx, ecx
		test	eax, eax
		jz	short loc_4D3519
		mov	eax, [eax+10h]
		mov	ecx, ebx
		shr	ecx, 0Ch
		sub	eax, ecx
		inc	eax
		cmp	esi, eax
		ja	short loc_4D3592

loc_4D3519:				; CODE XREF: MiComputeZeroClusterMaximum+40j
					; MiComputeZeroClusterMaximum+CCj
		mov	eax, dword_6D5D40
		mov	ecx, 4E20h
		mov	edx, [eax+4D4h]
		mov	eax, edx
		cmp	edx, ecx
		jbe	loc_5C8B6E

loc_4D3533:				; CODE XREF: MiComputeZeroClusterMaximum+F56A8j
		and	eax, 0FFFFFFFEh
		cmp	eax, ecx
		jbe	loc_5C8B7C
		cmp	edx, ecx
		jbe	loc_5C8B75

loc_4D3546:				; CODE XREF: MiComputeZeroClusterMaximum+F56AFj
		shr	edx, 1

loc_4D3548:				; CODE XREF: MiComputeZeroClusterMaximum+F56B9j
		shr	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	loc_5C8B86

loc_4D355C:				; CODE XREF: MiComputeZeroClusterMaximum+F56C1j
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_4]
		test	byte ptr [eax+60h], 40h
		jnz	short loc_4D3596

loc_4D3568:				; CODE XREF: MiComputeZeroClusterMaximum+E6j
					; MiComputeZeroClusterMaximum+ECj ...
		cmp	byte ptr [edx],	1
		jz	short loc_4D35BF

loc_4D356D:				; CODE XREF: MiComputeZeroClusterMaximum+100j
					; MiComputeZeroClusterMaximum+115j ...
		test	esi, esi
		jz	loc_5C8BA0

loc_4D3575:				; CODE XREF: MiComputeZeroClusterMaximum+F56DBj
		shr	ebx, 0Ch
		mov	eax, 200h
		and	ebx, 1FFh
		sub	eax, ebx
		cmp	esi, eax
		ja	short loc_4D35B6

loc_4D3589:				; CODE XREF: MiComputeZeroClusterMaximum+F0j
		mov	eax, esi

loc_4D358B:				; CODE XREF: MiComputeZeroClusterMaximum+F5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4D3592:				; CODE XREF: MiComputeZeroClusterMaximum+4Fj
		mov	esi, eax
		jmp	short loc_4D3519
; 

loc_4D3596:				; CODE XREF: MiComputeZeroClusterMaximum+9Ej
		cmp	byte ptr [edx],	1
		jz	loc_5C8B8E

loc_4D359F:				; CODE XREF: MiComputeZeroClusterMaximum+F56D3j
		mov	ecx, [eax+40h]
		mov	edi, [eax+50h]
		cmp	ecx, edi
		jnb	short loc_4D35BA
		lea	eax, [ecx+esi]
		cmp	eax, edi
		jbe	short loc_4D3568
		mov	esi, edi
		sub	esi, ecx
		jmp	short loc_4D3568
; 

loc_4D35B6:				; CODE XREF: MiComputeZeroClusterMaximum+BFj
		mov	esi, eax
		jmp	short loc_4D3589
; 

loc_4D35BA:				; CODE XREF: MiComputeZeroClusterMaximum+DFj
		xor	eax, eax
		inc	eax
		jmp	short loc_4D358B
; 

loc_4D35BF:				; CODE XREF: MiComputeZeroClusterMaximum+A3j
		mov	edx, [edx+28h]
		test	edx, 4000h
		jz	short loc_4D356D
		shr	edx, 3
		mov	ecx, offset _MiSystemPartition
		and	edx, 7
		inc	edx
		call	_MiGetAvailablePagesBelowPriority@8 ; MiGetAvailablePagesBelowPriority(x,x)
		cmp	esi, eax
		jbe	short loc_4D356D
		mov	esi, eax
		jmp	short loc_4D356D
MiComputeZeroClusterMaximum endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputeAgeDistribution proc near	; CODE XREF: MiComputeSystemTrimCriteria+24Fp
					; .text:00555CA4p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= byte ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C8BA8 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		mov	esi, ecx
		push	8
		pop	ecx
		mov	ebx, [esi+0F00h]
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_24]
		rep stosd
		inc	eax
		xor	edi, edi
		cmp	edx, eax
		jnz	loc_4D370B
		lea	edx, [ebp+var_30]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	edi, [esi+0F04h]
		mov	esi, [edi]
		jmp	short loc_4D3642
; 

loc_4D3635:				; CODE XREF: MiComputeAgeDistribution+60j
		lea	ecx, [esi-10h]
		lea	edx, [ebp+var_24]
		call	MiUpdateClaimDistribution
		mov	esi, [esi]

loc_4D3642:				; CODE XREF: MiComputeAgeDistribution+4Fj
		cmp	esi, edi
		jnz	short loc_4D3635
		push	8
		pop	ecx
		lea	edi, [ebx+4E4h]
		lea	esi, [ebp+var_24]
		rep movsd
		xor	edi, edi
		lea	eax, [ebx+4FCh]
		push	2
		mov	esi, edi
		pop	ecx

loc_4D3661:				; CODE XREF: MiComputeAgeDistribution+85j
		add	esi, [eax]
		lea	eax, [eax+4]
		sub	ecx, 1
		jnz	short loc_4D3661
		mov	[ebx+4E0h], esi
		test	ds:byte_70EFC6,	1
		jnz	loc_5C8BA8
		mov	eax, [ebp+var_30]
		test	eax, eax
		jnz	short loc_4D36FD
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_30]
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_30]
		cmp	eax, ecx
		jnz	loc_5C8BB8

loc_4D369A:				; CODE XREF: MiComputeAgeDistribution+125j
					; MiComputeAgeDistribution+F55CFj
		mov	cl, [ebp+var_28]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4D36A3:				; CODE XREF: MiComputeAgeDistribution+12Dj
		mov	edx, [ebx+4D4h]
		shl	edx, 2
		push	5
		pop	ecx
		cmp	esi, edx
		jnb	short loc_4D36C9
		lea	eax, [ebx+4F8h]

loc_4D36B9:				; CODE XREF: MiComputeAgeDistribution+E3j
		add	esi, [eax]
		inc	edi
		cmp	ecx, 1
		jz	short loc_4D36C9
		dec	ecx
		sub	eax, 4
		cmp	esi, edx
		jb	short loc_4D36B9

loc_4D36C9:				; CODE XREF: MiComputeAgeDistribution+CDj
					; MiComputeAgeDistribution+DBj
		mov	ecx, [ebx+4C4h]
		test	ecx, ecx
		jz	loc_5C8BC5
		imul	eax, edi, 3E8h
		xor	edx, edx
		div	ecx
		mov	ecx, 3E8h
		movzx	eax, ax
		cmp	ax, cx
		ja	short loc_4D3713

loc_4D36EE:				; CODE XREF: MiComputeAgeDistribution+131j
					; MiComputeAgeDistribution+F55E7j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4D36FD:				; CODE XREF: MiComputeAgeDistribution+9Fj
					; MiComputeAgeDistribution+F55DCj
		xor	ecx, ecx
		mov	[ebp+var_30], edi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	short loc_4D369A
; 

loc_4D370B:				; CODE XREF: MiComputeAgeDistribution+34j
		mov	esi, [ebx+4E0h]
		jmp	short loc_4D36A3
; 

loc_4D3713:				; CODE XREF: MiComputeAgeDistribution+108j
		mov	eax, ecx
		jmp	short loc_4D36EE
MiComputeAgeDistribution endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiUpdateClaimDistribution proc near	; CODE XREF: MiComputeAgeDistribution+57p
					; .text:00555B16p

; FUNCTION CHUNK AT 005C8BDA SIZE 00000010 BYTES

		mov	edi, edi
		push	esi
		mov	esi, [edx]
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		cmp	byte ptr [edi+62h], 2
		mov	eax, [edi+18h]
		setz	cl
		lea	ecx, ds:1[ecx*2]
		shr	eax, cl
		add	eax, esi
		cmp	eax, esi
		jb	loc_5C8BDA

loc_4D3747:				; CODE XREF: MiUpdateClaimDistribution+F54BDj
		mov	esi, [edx+4]
		mov	[edx], eax
		mov	eax, [edi+1Ch]
		shr	eax, cl
		add	eax, esi
		cmp	eax, esi
		jb	loc_5C8BE2

loc_4D375B:				; CODE XREF: MiUpdateClaimDistribution+F54C5j
		mov	[edx+4], eax
		mov	eax, [edi+20h]
		mov	esi, [edx+8]
		shr	eax, cl
		add	eax, esi
		cmp	eax, esi
		jb	short loc_4D37C7

loc_4D376C:				; CODE XREF: MiUpdateClaimDistribution+AAj
		mov	esi, [edx+0Ch]
		mov	[edx+8], eax
		mov	eax, [edi+24h]
		shr	eax, cl
		add	eax, esi
		cmp	eax, esi
		jb	short loc_4D37CC

loc_4D377D:				; CODE XREF: MiUpdateClaimDistribution+AFj
		mov	esi, [edx+10h]
		mov	[edx+0Ch], eax
		mov	eax, [edi+28h]
		shr	eax, cl
		add	eax, esi
		cmp	eax, esi
		jb	short loc_4D37D1

loc_4D378E:				; CODE XREF: MiUpdateClaimDistribution+B4j
		mov	esi, [edx+14h]
		mov	[edx+10h], eax
		mov	eax, [edi+2Ch]
		shr	eax, cl
		add	eax, esi
		cmp	eax, esi
		jb	short loc_4D37D6

loc_4D379F:				; CODE XREF: MiUpdateClaimDistribution+B9j
		mov	esi, [edx+18h]
		mov	[edx+14h], eax
		mov	eax, [edi+30h]
		shr	eax, cl
		add	eax, esi
		cmp	eax, esi
		jb	short loc_4D37DB

loc_4D37B0:				; CODE XREF: MiUpdateClaimDistribution+BEj
		mov	esi, [edx+1Ch]
		mov	[edx+18h], eax
		mov	eax, [edi+34h]
		shr	eax, cl
		add	eax, esi
		pop	edi
		cmp	eax, esi
		pop	esi
		jb	short loc_4D37E0
		mov	[edx+1Ch], eax
		retn
; 

loc_4D37C7:				; CODE XREF: MiUpdateClaimDistribution+4Aj
		or	eax, 0FFFFFFFFh
		jmp	short loc_4D376C
; 

loc_4D37CC:				; CODE XREF: MiUpdateClaimDistribution+5Bj
		or	eax, 0FFFFFFFFh
		jmp	short loc_4D377D
; 

loc_4D37D1:				; CODE XREF: MiUpdateClaimDistribution+6Cj
		or	eax, 0FFFFFFFFh
		jmp	short loc_4D378E
; 

loc_4D37D6:				; CODE XREF: MiUpdateClaimDistribution+7Dj
		or	eax, 0FFFFFFFFh
		jmp	short loc_4D379F
; 

loc_4D37DB:				; CODE XREF: MiUpdateClaimDistribution+8Ej
		or	eax, 0FFFFFFFFh
		jmp	short loc_4D37B0
; 

loc_4D37E0:				; CODE XREF: MiUpdateClaimDistribution+A1j
		mov	dword ptr [edx+1Ch], 0FFFFFFFFh
		retn
MiUpdateClaimDistribution endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpLookasidePacketCallbackRoutine proc near
					; DATA XREF: AlpcpAllocateCompletionPacketLookaside+5Ao

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C8BEA SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	esi, [edi+8]
		mov	[ebp+var_4], eax

loc_4D3812:				; CODE XREF: AlpcpLookasidePacketCallbackRoutine+E0j
		lea	edx, [ebp+var_10]
		mov	[ebp+arg_4], 0
		mov	ecx, esi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esi+0Ch]
		test	eax, eax
		jnz	loc_4D38BB
		mov	eax, [esi+10h]
		test	eax, eax
		jnz	loc_5C8BEA
		dec	dword ptr [esi+8]
		xor	ebx, ebx
		mov	eax, [esi+18h]
		mov	[edi], eax
		mov	[esi+18h], edi
		cmp	[esi+8], ebx
		jnz	short loc_4D3854
		cmp	[esi+14h], ebx
		jnz	loc_4D38FC

loc_4D3854:				; CODE XREF: AlpcpLookasidePacketCallbackRoutine+59j
					; AlpcpLookasidePacketCallbackRoutine+CFj ...
		test	ds:byte_70EFC6,	1
		jz	short loc_4D3888
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_4D3868:				; CODE XREF: AlpcpLookasidePacketCallbackRoutine+B0j
					; AlpcpLookasidePacketCallbackRoutine+C9j
		mov	cl, byte ptr [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jnz	short loc_4D38C1

loc_4D3875:				; CODE XREF: AlpcpLookasidePacketCallbackRoutine+107j
		cmp	[ebp+var_4], 0
		jnz	loc_4D3908

loc_4D387F:				; CODE XREF: AlpcpLookasidePacketCallbackRoutine+11Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4D3888:				; CODE XREF: AlpcpLookasidePacketCallbackRoutine+6Bj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_4D38A7
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jz	short loc_4D3868
		call	KxWaitForLockChainValid

loc_4D38A7:				; CODE XREF: AlpcpLookasidePacketCallbackRoutine+9Dj
		mov	[ebp+var_10], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4D3868
; 

loc_4D38BB:				; CODE XREF: AlpcpLookasidePacketCallbackRoutine+38j
		dec	eax
		mov	[esi+0Ch], eax
		jmp	short loc_4D3854
; 

loc_4D38C1:				; CODE XREF: AlpcpLookasidePacketCallbackRoutine+83j
		mov	ecx, [esi+1Ch]
		mov	edx, 746C6644h
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	loc_4D3812
		mov	edi, [esi+1Ch]
		mov	edx, [esi+20h]
		mov	ecx, [esi+1Ch]
		push	0
		push	ebx
		push	0
		push	0
		push	0
		push	[ebp+arg_4]
		call	IoSetIoCompletionEx2
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	loc_4D3875
; 

loc_4D38FC:				; CODE XREF: AlpcpLookasidePacketCallbackRoutine+5Ej
		mov	[ebp+var_4], 1
		jmp	loc_4D3854
; 

loc_4D3908:				; CODE XREF: AlpcpLookasidePacketCallbackRoutine+89j
		mov	ecx, esi
		call	_AlpcpDeferredFreeCompletionPacketLookaside@4 ;	AlpcpDeferredFreeCompletionPacketLookaside(x)
		jmp	loc_4D387F
AlpcpLookasidePacketCallbackRoutine endp


;  S U B	R O U T	I N E 


MiHandleInPageError proc near		; CODE XREF: MiFinishHardFault(x,x,x,x)+411p
					; MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+2FAp

; FUNCTION CHUNK AT 005C8BFA SIZE 0000000B BYTES

		xor	edx, edx
		push	esi
		inc	edx
		mov	esi, ecx
		call	_MiRestoreTransitionPte@8 ; MiRestoreTransitionPte(x,x)
		mov	ecx, [esi+8]
		mov	eax, ecx
		or	dword ptr [esi+10h], 40000000h
		and	eax, 400h
		or	eax, 0
		mov	edx, [esi+0Ch]
		jz	loc_5C8BFA
		pop	esi
		retn
MiHandleInPageError endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 140. KeReleaseInStackQueuedSpinLockFromDpcLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeReleaseInStackQueuedSpinLockFromDpcLevel
KeReleaseInStackQueuedSpinLockFromDpcLevel proc	near ; CODE XREF: .text:004ACB0Fp
					; .text:004ACB59p ...

; FUNCTION CHUNK AT 005A8098 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	ds:byte_70EFC6,	1
		push	esi
		mov	esi, ecx
		jnz	loc_5A8098
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_4D3986
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_4D397F

loc_4D397B:				; CODE XREF: KeReleaseInStackQueuedSpinLockFromDpcLevel+47j
					; KeReleaseInStackQueuedSpinLockFromDpcLevel+D4750j
		pop	esi
		pop	ecx
		pop	ebp
		retn
; 

loc_4D397F:				; CODE XREF: KeReleaseInStackQueuedSpinLockFromDpcLevel+29j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_4D3986:				; CODE XREF: KeReleaseInStackQueuedSpinLockFromDpcLevel+1Aj
		mov	dword ptr [esi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4D397B
KeReleaseInStackQueuedSpinLockFromDpcLevel endp

; 
		align 2

;  S U B	R O U T	I N E 


KxWaitForLockChainValid	proc near	; CODE XREF: IoGetAttachedDeviceReferenceWithTag+69p
					; MiSyncSystemPdes+70p	...

; FUNCTION CHUNK AT 005C8C05 SIZE 00000018 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi

loc_4D39A2:				; CODE XREF: KxWaitForLockChainValid+1Bj
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jz	loc_5C8C05

loc_4D39AF:				; CODE XREF: KxWaitForLockChainValid+F5272j
		pause

loc_4D39B1:				; CODE XREF: KxWaitForLockChainValid+F527Ej
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_4D39A2
		pop	edi
		pop	esi
		retn
KxWaitForLockChainValid	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertProtectedStandbyPage(x, x)
_MiInsertProtectedStandbyPage@8	proc near ; CODE XREF: .text:004720FEp
					; MiInsertAndUnlockStandbyPages+2Bp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		xor	eax, eax
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	esi, ebx
		mov	[ebp+var_14], eax
		mov	eax, ds:_MmPfnDatabase
		sub	esi, eax
		mov	[ebp+var_4], eax
		mov	eax, 92492493h
		imul	esi
		push	edi
		add	edx, esi
		mov	edi, ecx
		sar	edx, 4
		mov	esi, edx
		shr	esi, 1Fh
		add	esi, edx
		cmp	byte_6D5872, 0
		mov	[ebp+var_8], esi
		jz	short loc_4D3A24
		mov	eax, dword_6D5BBC
		mov	ecx, esi
		shr	ecx, 9
		mov	edx, ecx
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jnz	loc_4D3AB0

loc_4D3A24:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+43j
		test	edi, edi
		jz	loc_4D3AB0
		mov	cl, [ebx+17h]
		test	cl, 50h
		jnz	short loc_4D3AB0
		movzx	ecx, cl
		and	ecx, 7
		cmp	ecx, 5
		jnb	short loc_4D3AB0
		mov	ecx, edi
		mov	[ebp+var_18], offset unk_6D54F4
		sub	ecx, [ebp+var_4]
		mov	eax, 92492493h
		imul	ecx
		mov	[ebp+var_1C], 0
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_10], eax
		jz	short loc_4D3A80
		mov	edx, offset unk_6D54F4
		lea	ecx, [ebp+var_1C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4D3A96
; 

loc_4D3A80:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+AFj
		lea	edx, [ebp+var_1C]
		mov	eax, offset unk_6D54F4
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_4D3A96
		lea	ecx, [ebp+var_1C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4D3A96:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+BEj
					; MiInsertProtectedStandbyPage(x,x)+CCj
		test	byte ptr [edi+17h], 8
		jnz	short loc_4D3B01
		test	ds:byte_70EFC6,	1
		jz	short loc_4D3AC0
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_4D3AB0:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+5Ej
					; MiInsertProtectedStandbyPage(x,x)+66j ...
		mov	edx, esi
		mov	ecx, ebx
		call	MiPfnReferenceCountIsZero

loc_4D3AB9:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+357j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4D3AC0:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+E3j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_4D3ADF
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_4D3AB0
		call	KxWaitForLockChainValid

loc_4D3ADF:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+105j
		mov	[ebp+var_1C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	MiPfnReferenceCountIsZero
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4D3B01:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+DAj
		mov	al, [ebx+17h]
		mov	ecx, ebx
		or	al, 8
		mov	[ebx+17h], al
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		mov	eax, offset dword_6D5800
		jnz	short loc_4D3B1E
		mov	eax, offset dword_6D5940

loc_4D3B1E:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+157j
		lock inc dword ptr [eax]
		xor	eax, eax
		mov	esi, 1
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		lock xadd dword_6D5E00,	esi
		inc	esi
		cmp	esi, 420h
		ja	loc_4D3C09
		cmp	esi, 0A0h
		jnz	short loc_4D3B57
		mov	[ebp+var_4], offset unk_6D58D8
		jmp	short loc_4D3B78
; 

loc_4D3B57:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+18Cj
		cmp	esi, 420h
		jnz	short loc_4D3B68
		mov	[ebp+var_4], offset unk_6D58EC
		jmp	short loc_4D3B78
; 

loc_4D3B68:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+19Dj
		cmp	esi, 22h
		jnz	loc_4D3C09
		mov	[ebp+var_4], offset unk_6D58C4

loc_4D3B78:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+195j
					; MiInsertProtectedStandbyPage(x,x)+1A6j
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_24], offset unk_6D58C0
		mov	[ebp+var_28], eax
		jz	short loc_4D3B9A
		mov	edx, offset unk_6D58C0
		lea	ecx, [ebp+var_28]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4D3BB0
; 

loc_4D3B9A:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+1C9j
		lea	edx, [ebp+var_28]
		mov	eax, offset unk_6D58C0
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_4D3BB0
		lea	ecx, [ebp+var_28]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4D3BB0:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+1D8j
					; MiInsertProtectedStandbyPage(x,x)+1E6j
		push	0
		push	0
		push	[ebp+var_4]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, [ebp+var_4]
		inc	dword ptr [eax+10h]
		test	ds:byte_70EFC6,	1
		jz	short loc_4D3BD8
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4D3C09
; 

loc_4D3BD8:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+209j
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	short loc_4D3BF7
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jz	short loc_4D3C09
		call	KxWaitForLockChainValid

loc_4D3BF7:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+21Dj
		mov	[ebp+var_28], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_4D3C09:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+180j
					; MiInsertProtectedStandbyPage(x,x)+1ABj ...
		dec	esi
		cmp	esi, dword_6D596C
		jz	short loc_4D3C1A
		cmp	esi, dword_6D5970
		jnz	short loc_4D3C24

loc_4D3C1A:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+250j
		mov	ecx, offset _MiSystemPartition
		call	MiUpdateAvailableEvents

loc_4D3C24:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+258j
		mov	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, ds:_KiTbFlushTimeStamp
		shl	eax, 17h
		xor	eax, [ebx+10h]
		and	eax, 7800000h
		xor	[ebx+10h], eax
		mov	al, [ebx+16h]
		and	al, 0FAh
		or	al, 2
		mov	[ebx+16h], al
		mov	eax, dword_6D0704
		mov	esi, dword_6D0700
		mov	ecx, [edi+8]
		mov	edx, [edi+0Ch]
		mov	[ebp+var_4], eax
		mov	eax, esi
		or	eax, [ebp+var_4]
		jz	short loc_4D3C80
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4D3C80
		mov	eax, [ebp+var_4]
		not	esi
		not	eax
		and	ecx, esi
		and	edx, eax

loc_4D3C80:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+2A9j
					; MiInsertProtectedStandbyPage(x,x)+2B3j
		mov	eax, [ebx+10h]
		mov	esi, [ebp+var_10]
		and	eax, 0FF800000h
		shrd	ecx, edx, 0Ch
		mov	edx, [edi+18h]
		and	edx, offset loc_7FFFFF
		mov	[ebx], esi
		and	ecx, 3FFFFFFh
		or	eax, edx
		cmp	ecx, esi
		mov	[ebx+10h], eax
		mov	esi, [ebp+var_8]
		jnz	short loc_4D3CC0
		mov	edx, 4
		mov	ecx, esi
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	[edi+8], eax
		mov	[edi+0Ch], edx
		jmp	short loc_4D3CD1
; 

loc_4D3CC0:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+2EAj
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	[eax+ecx*4], esi

loc_4D3CD1:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+2FEj
		mov	eax, [edi+18h]
		xor	eax, esi
		and	eax, offset loc_7FFFFF
		xor	[edi+18h], eax
		inc	dword_6D54E4
		test	ds:byte_70EFC6,	1
		jz	short loc_4D3CFF
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4D3CFF:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+32Bj
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_4D3D22
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	loc_4D3AB9
		call	KxWaitForLockChainValid

loc_4D3D22:				; CODE XREF: MiInsertProtectedStandbyPage(x,x)+344j
		mov	[ebp+var_1C], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiInsertProtectedStandbyPage@8	endp

; 
		align 10h
; Exported entry 1212. KePulseEvent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KePulseEvent
KePulseEvent	proc near		; CODE XREF: MiWorkingSetManager(x,x)+1DCp
					; MmResourcesAvailable(x,x,x)+E4p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 004D3E04 SIZE 00000038 BYTES
; FUNCTION CHUNK AT 005C8C1D SIZE 000001EC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	edi
		mov	edi, [ebp+arg_0]
		mov	al, [edi]
		and	al, 7Fh
		mov	[ebp+var_1], al
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_18], al
		mov	ecx, edi
		mov	eax, large fs:20h
		mov	[ebp+var_8], eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	eax, [edi+4]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_4D3D99
		cmp	[ebp+var_1], 0
		push	ebx
		lea	ebx, [edi+8]
		mov	dword ptr [edi+4], 1
		mov	eax, [ebx]
		push	esi
		jnz	loc_5C8D49
		cmp	eax, ebx
		jnz	short loc_4D3DC8

loc_4D3D92:				; CODE XREF: KePulseEvent+B1j
		mov	[ebx+4], ebx
		mov	[ebx], ebx

loc_4D3D97:				; CODE XREF: KePulseEvent+F4FEDj
					; KePulseEvent+F5011j
		pop	esi
		pop	ebx

loc_4D3D99:				; CODE XREF: KePulseEvent+34j
		and	dword ptr [edi+4], 0
		mov	ecx, 0FFFFFF7Fh
		lock and [edi],	ecx
		push	[ebp+var_18]
		movzx	edx, [ebp+arg_8]
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_8]
		neg	edx
		push	1
		sbb	edx, edx
		and	edx, 3
		call	KiExitDispatcher
		mov	eax, [ebp+var_1C]
		pop	edi
		leave
		retn	0Ch
; 

loc_4D3DC8:				; CODE XREF: KePulseEvent+50j
					; KePulseEvent+ACj
		mov	esi, eax
		mov	eax, [eax]
		mov	[ebp+var_C], eax
		mov	al, [esi+8]
		cmp	al, 1
		jnz	short loc_4D3DF3
		movzx	eax, word ptr [esi+0Ah]
		push	0
		push	eax

loc_4D3DDD:				; CODE XREF: KePulseEvent+C2j
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	KiTryUnwaitThread

loc_4D3DE7:				; CODE XREF: KePulseEvent+F2j
		mov	eax, [ebp+var_C]
		cmp	eax, ebx
		jnz	short loc_4D3DC8
		mov	edi, [ebp+arg_0]
		jmp	short loc_4D3D92
; 

loc_4D3DF3:				; CODE XREF: KePulseEvent+94j
		cmp	al, 2
		jz	loc_5C8D56
		push	0
		push	100h
		jmp	short loc_4D3DDD
KePulseEvent	endp

; 
; START	OF FUNCTION CHUNK FOR KePulseEvent

loc_4D3E04:				; CODE XREF: KePulseEvent+F503Fj
					; KePulseEvent+F505Aj
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	ecx, [edi+8]
		cmp	[ecx], ecx
		jnz	loc_5C8D9F
		jmp	loc_5C8DC5
; 

loc_4D3E1B:				; CODE XREF: KePulseEvent+F5072j
					; KePulseEvent+F507Fj
		mov	ecx, [ebp+var_10]
		mov	edx, edi
		push	esi
		call	KiWakeQueueWaiter
		test	al, al
		jz	short loc_4D3E34

loc_4D3E2A:				; CODE XREF: KePulseEvent+F50A7j
					; KePulseEvent+F50AFj ...
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		jmp	short loc_4D3DE7
; 

loc_4D3E34:				; CODE XREF: KePulseEvent+E8j
		lea	ecx, [edi+8]
		jmp	loc_5C8DC5
; END OF FUNCTION CHUNK	FOR KePulseEvent

;  S U B	R O U T	I N E 


; __stdcall MiComputeAgingPercent(x)
_MiComputeAgingPercent@4 proc near	; CODE XREF: .text:005167D1p
		mov	edi, edi
		push	esi
		mov	esi, [ecx+0F00h]
		push	edi
		push	6
		pop	edx
		call	_MiGetAvailablePagesBelowPriority@8 ; MiGetAvailablePagesBelowPriority(x,x)
		xor	edi, edi
		mov	edx, eax
		push	8
		mov	ecx, edi
		lea	eax, [esi+498h]
		pop	edi
		push	ebx

loc_4D3E5E:				; CODE XREF: MiComputeAgingPercent(x)+30j
		mov	ebx, [eax]
		cmp	ebx, edx
		jb	short loc_4D3EE3

loc_4D3E64:				; CODE XREF: MiComputeAgingPercent(x)+ABj
		add	ecx, ebx
		add	eax, 4
		sub	edi, 1
		jnz	short loc_4D3E5E
		shr	ecx, 3
		imul	eax, ecx, 7
		pop	ebx
		add	eax, edx
		shr	eax, 3
		mov	[esi+4B8h], eax
		mov	eax, [esi+58h]
		and	eax, 7
		mov	[esi+eax*4+498h], edx
		inc	dword ptr [esi+58h]
		cmp	edx, ecx
		jnb	short loc_4D3EEC
		mov	eax, [esi+4DCh]
		sub	ecx, edx
		cmp	edx, eax
		jbe	short loc_4D3EF8
		sub	edx, eax
		cmp	ecx, 8
		jb	short loc_4D3EF3

loc_4D3EA7:				; CODE XREF: MiComputeAgingPercent(x)+BAj
		shr	ecx, 3
		mov	eax, edx
		xor	edx, edx
		div	ecx
		mov	ecx, eax
		cmp	ecx, 2
		jb	short loc_4D3EBA
		sub	ecx, 2

loc_4D3EBA:				; CODE XREF: MiComputeAgingPercent(x)+79j
					; MiComputeAgingPercent(x)+BEj
		test	ecx, ecx
		jz	short loc_4D3EFC
		xor	edx, edx
		mov	eax, 1B58h
		div	ecx
		mov	edx, 3E8h
		cmp	eax, edx
		ja	short loc_4D3F03

loc_4D3ED0:				; CODE XREF: MiComputeAgingPercent(x)+C5j
					; MiComputeAgingPercent(x)+C9j
		movzx	edi, ax

loc_4D3ED3:				; CODE XREF: MiComputeAgingPercent(x)+B5j
		mov	[esi+4C4h], ecx
		mov	[esi+4BEh], di
		pop	edi
		pop	esi
		retn
; 

loc_4D3EE3:				; CODE XREF: MiComputeAgingPercent(x)+26j
		mov	ebx, edx
		mov	[eax], edx
		jmp	loc_4D3E64
; 

loc_4D3EEC:				; CODE XREF: MiComputeAgingPercent(x)+56j
		mov	ecx, 0E10h
		jmp	short loc_4D3ED3
; 

loc_4D3EF3:				; CODE XREF: MiComputeAgingPercent(x)+69j
		push	8
		pop	ecx
		jmp	short loc_4D3EA7
; 

loc_4D3EF8:				; CODE XREF: MiComputeAgingPercent(x)+62j
		mov	ecx, edi
		jmp	short loc_4D3EBA
; 

loc_4D3EFC:				; CODE XREF: MiComputeAgingPercent(x)+80j
		mov	eax, 3E8h
		jmp	short loc_4D3ED0
; 

loc_4D3F03:				; CODE XREF: MiComputeAgingPercent(x)+92j
		mov	eax, edx
		jmp	short loc_4D3ED0
_MiComputeAgingPercent@4 endp

; 
		align 4
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiStoreUpdateMemoryConditions proc near	; CODE XREF: MiFlushAllHintedStorePages(x)+85p
					; MiAdjustModifiedPageLoad+92p	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005C8E09 SIZE 0000007E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+20h+var_C]
		stosd
		lea	edx, [esp+20h+var_C]
		mov	ebx, ecx
		stosd
		lea	ecx, [ebx+0A80h]
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, [ebx+0FC0h]
		mov	ecx, ebx
		call	_MiUseLowIoPriorityForModifiedPages@4 ;	MiUseLowIoPriorityForModifiedPages(x)
		neg	eax
		sbb	eax, eax
		inc	eax
		mov	[esp+20h+var_10], eax
		xor	eax, eax
		inc	eax
		cmp	esi, 0A0h
		jb	loc_5C8E09
		and	[esp+20h+var_14], 0
		cmp	esi, 420h
		jb	loc_5C8E17
		push	8
		pop	edi
		push	6
		pop	edx
		mov	ecx, ebx
		call	_MiGetAvailablePagesBelowPriority@8 ; MiGetAvailablePagesBelowPriority(x,x)
		mov	ecx, [ebx+0F00h]
		mov	ecx, [ecx+4D8h]
		imul	ecx, 3
		cmp	eax, ecx
		jb	loc_4D4027
		mov	ecx, [ebx+1118h]
		lea	edx, [eax+2000h]
		cmp	ecx, edx
		jnb	loc_5C8E21
		push	4

loc_4D3FA2:				; CODE XREF: MiStoreUpdateMemoryConditions+11Fj
		pop	esi

loc_4D3FA3:				; CODE XREF: MiStoreUpdateMemoryConditions+F4F08j
					; MiStoreUpdateMemoryConditions+F4F12j	...
		mov	ecx, [ebx+2DCh]
		call	_KeQueryEffectiveBasePriorityThread@4 ;	KeQueryEffectiveBasePriorityThread(x)
		cmp	eax, edi
		jnz	loc_5C8E31

loc_4D3FB6:				; CODE XREF: MiStoreUpdateMemoryConditions+F4F33j
		cmp	[esp+20h+var_14], 0
		jnz	loc_5C8E42

loc_4D3FC1:				; CODE XREF: MiStoreUpdateMemoryConditions+F4F48j
		mov	edx, [esp+20h+var_10]
		mov	ecx, esi
		call	_SmUpdateMemoryCondition@8 ; SmUpdateMemoryCondition(x,x)
		test	ds:byte_70EFC6,	1
		jnz	loc_5C8E57
		mov	eax, [esp+20h+var_C]
		test	eax, eax
		jnz	short loc_4D4014
		mov	edx, [esp+20h+var_8]
		lea	eax, [esp+20h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+20h+var_C]
		cmp	eax, ecx
		jnz	loc_5C8E68

loc_4D3FFB:				; CODE XREF: MiStoreUpdateMemoryConditions+11Bj
					; MiStoreUpdateMemoryConditions+F4F59j
		mov	cl, [esp+20h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	loc_5C8E76

loc_4D400D:				; CODE XREF: MiStoreUpdateMemoryConditions+F4F78j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4D4014:				; CODE XREF: MiStoreUpdateMemoryConditions+D5j
					; MiStoreUpdateMemoryConditions+F4F67j
		xor	ecx, ecx
		mov	[esp+20h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	short loc_4D3FFB
; 

loc_4D4027:				; CODE XREF: MiStoreUpdateMemoryConditions+7Cj
		push	2
		jmp	loc_4D3FA2
MiStoreUpdateMemoryConditions endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputeSystemTrimCriteria proc near	; CODE XREF: .text:005167DEp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C8E87 SIZE 000000F7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	esi, [ecx+0F00h]
		push	edi
		mov	[ebp+var_14], edx
		xor	edx, edx
		push	6
		mov	eax, [esi+20h]
		mov	[ebp+var_20], edx
		pop	edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], eax
		call	_MiGetAvailablePagesBelowPriority@8 ; MiGetAvailablePagesBelowPriority(x,x)
		mov	ebx, eax
		xor	edx, edx
		inc	edx
		mov	[ebp+var_18], ebx
		call	_MiGetStandbyRepurposed@8 ; MiGetStandbyRepurposed(x,x)
		mov	edi, [esi+4DCh]
		mov	edx, eax
		mov	eax, [esi+24h]
		mov	ecx, edx
		sub	ecx, eax
		mov	[esi+24h], edx
		cmp	eax, edx
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_1C], eax
		cmp	ebx, edi
		jbe	loc_5C8E87
		mov	eax, ebx
		sub	eax, edi
		mov	edi, eax

loc_4D408E:				; CODE XREF: MiComputeSystemTrimCriteria+F4E5Bj
		mov	edx, [esi+58h]
		mov	eax, edi
		and	edx, 7
		shr	eax, 3
		mov	ecx, [esi+edx*4+478h]
		shr	ecx, 3
		sub	eax, ecx
		add	[esi+474h], eax
		mov	[esi+edx*4+478h], edi
		xor	edx, edx
		cmp	dword ptr [esi+3Ch], 4
		mov	eax, edx
		mov	byte ptr [ebp+var_8], dl
		mov	edi, edx
		mov	[ebp+var_4], eax
		jnz	short loc_4D40D9
		cmp	[esi+4C0h], dx
		jz	short loc_4D40D9
		cmp	[esi+4C2h], al
		jnz	loc_5C8E8E

loc_4D40D9:				; CODE XREF: MiComputeSystemTrimCriteria+94j
					; MiComputeSystemTrimCriteria+9Dj ...
		cmp	ebx, 120h
		jbe	loc_5C8E9A

loc_4D40E5:				; CODE XREF: MiComputeSystemTrimCriteria+F4E72j
		mov	ecx, [esi+4DCh]
		cmp	eax, 1
		mov	[ebp+var_24], ecx
		mov	eax, ecx
		jz	short loc_4D4103
		mov	[ebp+var_4], edx
		mov	edx, ebx
		sub	edx, [esi+4CCh]
		shr	eax, 2

loc_4D4103:				; CODE XREF: MiComputeSystemTrimCriteria+C5j
		cmp	ebx, eax
		mov	eax, ecx
		jb	loc_5C8EBB
		shl	eax, 2
		cmp	ebx, eax
		jb	loc_5C8EA5

loc_4D4118:				; CODE XREF: MiComputeSystemTrimCriteria+F4E79j
					; MiComputeSystemTrimCriteria+F4E85j ...
		mov	ecx, [ebp+var_1C]
		mov	eax, ebx
		shr	eax, 2
		cmp	ecx, eax
		jnb	loc_4D42E0

loc_4D4128:				; CODE XREF: MiComputeSystemTrimCriteria+2B6j
					; MiComputeSystemTrimCriteria+2C3j ...
		mov	ecx, [ebp+var_C]
		push	4
		pop	edx
		call	_MiGetStandbyRepurposed@8 ; MiGetStandbyRepurposed(x,x)
		mov	edx, eax
		mov	[ebp+var_28], edx
		test	edi, edi
		jnz	loc_4D433C
		cmp	[ebp+var_4], edi
		jnz	short loc_4D4160
		mov	ecx, edx
		mov	eax, 20000h

loc_4D414C:				; DATA XREF: SmDecompressBuffer+38o
		sub	ecx, [esi+28h]
		cmp	ecx, eax
		ja	loc_4D4312
		cmp	[ebp+var_1C], edi
		jnz	loc_4D42BC

loc_4D4160:				; CODE XREF: MiComputeSystemTrimCriteria+115j
					; MiComputeSystemTrimCriteria+294j ...
		mov	ecx, [ebp+var_24]
		mov	eax, ecx
		shl	eax, 2
		cmp	ebx, eax
		jb	loc_5C8EF5
		shl	ecx, 4
		cmp	ebx, ecx
		jbe	short loc_4D4183
		mov	eax, [esi+4D8h]
		mov	[esi+4DCh], eax

loc_4D4183:				; CODE XREF: MiComputeSystemTrimCriteria+147j
					; MiComputeSystemTrimCriteria+F4EE4j ...
		mov	[esi+4CCh], ebx
		test	edi, edi
		jnz	loc_4D434E
		mov	eax, [esi+4C8h]
		xor	edx, edx
		mov	bl, dl
		push	0Ah
		pop	ecx
		test	eax, eax
		jnz	loc_5C8F44

loc_4D41A6:				; CODE XREF: MiComputeSystemTrimCriteria+F4F24j
		mov	eax, [esi+4D4h]
		shl	eax, 2
		cmp	[esi+4E0h], eax
		jnb	short loc_4D41DD
		cmp	[esi+4BEh], dx
		jnz	loc_4D4277

loc_4D41C4:				; CODE XREF: MiComputeSystemTrimCriteria+26Dj
		mov	eax, [ebp+var_18]
		shr	eax, 4
		cmp	[ebp+var_1C], eax
		jnb	loc_4D4391
		cmp	[ebp+var_20], 1
		jz	loc_4D4398

loc_4D41DD:				; CODE XREF: MiComputeSystemTrimCriteria+187j
					; MiComputeSystemTrimCriteria+267j ...
		movzx	eax, word ptr [esi+4C0h]
		test	ax, ax
		jz	short loc_4D4207
		cmp	[esi+4BEh], ax
		jnb	short loc_4D41F9
		mov	[esi+4BEh], ax

loc_4D41F9:				; CODE XREF: MiComputeSystemTrimCriteria+1C2j
		test	bl, bl
		jnz	short loc_4D4207
		add	bl, 0Ch
		mov	[esi+4BEh], ax

loc_4D4207:				; CODE XREF: MiComputeSystemTrimCriteria+1B9j
					; MiComputeSystemTrimCriteria+1CDj
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		mov	eax, [ebp+var_C]
		push	8
		mov	[ecx], dl
		lea	edi, [ecx+8]
		mov	[ecx+34h], edx
		mov	[ecx+2Ch], edx
		mov	eax, [eax+0FC0h]
		mov	[ecx+28h], eax
		xor	eax, eax
		mov	[ecx+38h], edx
		mov	[ecx+2], bl
		pop	ecx
		rep stosd
		mov	ecx, [ebp+var_10]
		test	bl, bl
		jz	short loc_4D42A0
		movzx	eax, bl
		inc	dword ptr [esi+eax*4+508h]
		or	ecx, 2

loc_4D4244:				; CODE XREF: MiComputeSystemTrimCriteria+28Cj
					; MiComputeSystemTrimCriteria+373j ...
		mov	edi, [ebp+var_14]
		mov	ebx, [ebp+var_18]

loc_4D424A:				; CODE XREF: MiComputeSystemTrimCriteria+35Ej
		test	ebx, ebx
		jz	loc_5C8F77
		mov	eax, [ebp+var_1C]
		cmp	eax, ebx
		jnb	loc_5C8F77
		imul	eax, 64h
		xor	edx, edx
		div	ebx

loc_4D4264:				; CODE XREF: MiComputeSystemTrimCriteria+F4F4Bj
		mov	[edi+3], al
		test	cl, 1
		jnz	short loc_4D4270
		mov	byte ptr [edi+4], 1

loc_4D4270:				; CODE XREF: MiComputeSystemTrimCriteria+23Cj
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn
; 

loc_4D4277:				; CODE XREF: MiComputeSystemTrimCriteria+190j
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		inc	edx
		call	MiComputeAgeDistribution
		movzx	eax, ax
		test	ax, ax
		jz	short loc_4D428C
		mov	bl, 0Bh

loc_4D428C:				; CODE XREF: MiComputeSystemTrimCriteria+25Aj
		mov	[esi+4BEh], ax
		test	bl, bl
		jnz	loc_4D41DD
		jmp	loc_4D41C4
; 

loc_4D42A0:				; CODE XREF: MiComputeSystemTrimCriteria+207j
		cmp	byte ptr [esi+2Fh], 1
		jnz	loc_4D439F
		push	0Ah
		pop	eax
		or	ecx, 80h
		mov	[esi+4BEh], ax
		jmp	short loc_4D4244
; 

loc_4D42BC:				; CODE XREF: MiComputeSystemTrimCriteria+12Cj
		cmp	ecx, 18000h
		jbe	loc_4D4160
		cmp	[esi+4E0h], eax
		jnb	loc_4D4160
		mov	[ebp+var_20], 1
		jmp	loc_4D4160
; 

loc_4D42E0:				; CODE XREF: MiComputeSystemTrimCriteria+F4j
		sub	ecx, eax
		cmp	ecx, edi
		jbe	loc_4D4128
		mov	eax, 2000h
		cmp	edi, eax
		jnb	loc_4D4128
		cmp	[ebp+var_4], 0
		jnz	loc_4D4128
		mov	edi, ecx
		cmp	edi, eax
		jbe	short loc_4D4309
		mov	edi, eax

loc_4D4309:				; CODE XREF: MiComputeSystemTrimCriteria+2D7j
		mov	byte ptr [ebp+var_8], 3
		jmp	loc_4D4128
; 

loc_4D4312:				; CODE XREF: MiComputeSystemTrimCriteria+123j
		mov	eax, [ebp+var_C]
		mov	ecx, [eax+0FC0h]
		cmp	ecx, 100000h
		jnb	short loc_4D4334
		mov	eax, [eax+0F48h]
		shr	eax, 2
		cmp	ecx, eax
		jb	loc_5C8ED6

loc_4D4334:				; CODE XREF: MiComputeSystemTrimCriteria+2F3j
		mov	[esi+28h], edx
		jmp	loc_4D4160
; 

loc_4D433C:				; CODE XREF: MiComputeSystemTrimCriteria+10Cj
		mov	eax, 1000h
		cmp	edi, eax
		jnb	loc_4D4160
		jmp	loc_5C8EE4
; 

loc_4D434E:				; CODE XREF: MiComputeSystemTrimCriteria+15Dj
		mov	ecx, [ebp+var_C]
		call	MiPulseLowAvailableEvent
		mov	al, byte ptr [ebp+var_8]
		cmp	al, 3
		jnz	short loc_4D43AF

loc_4D435D:				; CODE XREF: MiComputeSystemTrimCriteria+385j
		mov	[esi+4C8h], edi

loc_4D4363:				; CODE XREF: MiComputeSystemTrimCriteria+383j
		push	[ebp+var_8]
		or	[ebp+var_10], 1
		mov	edx, [ebp+var_C]
		push	edi
		mov	edi, [ebp+var_14]
		mov	ecx, edi
		call	_MiInitializeTrimCriteria@16 ; MiInitializeTrimCriteria(x,x,x,x)
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+var_10]
		mov	[esi+28h], eax
		movzx	eax, byte ptr [ebp+var_8]
		inc	dword ptr [esi+eax*4+508h]
		jmp	loc_4D424A
; 

loc_4D4391:				; CODE XREF: MiComputeSystemTrimCriteria+19Fj
		mov	bl, 9
		jmp	loc_4D41DD
; 

loc_4D4398:				; CODE XREF: MiComputeSystemTrimCriteria+1A9j
		mov	bl, 8
		jmp	loc_4D41DD
; 

loc_4D439F:				; CODE XREF: MiComputeSystemTrimCriteria+276j
		test	ecx, ecx
		jnz	loc_4D4244
		push	40h
		pop	ecx
		jmp	loc_4D4244
; 

loc_4D43AF:				; CODE XREF: MiComputeSystemTrimCriteria+32Dj
		cmp	al, 2
		jnz	short loc_4D4363
		jmp	short loc_4D435D
MiComputeSystemTrimCriteria endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiUseLowIoPriorityForModifiedPages(x)
_MiUseLowIoPriorityForModifiedPages@4 proc near
					; CODE XREF: MiStoreUpdateMemoryConditions+30p
					; MiAdjustModifiedPageLoad+1C1p ...
		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, ecx
		cmp	dword ptr [edi+1C4h], 0
		jnz	short loc_4D4424
		cmp	dword ptr [edi+2B8h], 0
		jnz	short loc_4D4424
		push	6
		pop	edx
		call	_MiGetAvailablePagesBelowPriority@8 ; MiGetAvailablePagesBelowPriority(x,x)
		mov	edx, [edi+0F48h]
		mov	ebx, eax
		shr	edx, 2
		imul	ecx, edx, 3
		cmp	[edi+1118h], ecx
		jnb	short loc_4D4424
		cmp	ebx, 40000h
		jbe	short loc_4D4420

loc_4D43F4:				; CODE XREF: MiUseLowIoPriorityForModifiedPages(x)+6Cj
		mov	eax, [edi+0F00h]
		xor	edx, edx
		push	esi
		inc	edx
		mov	ecx, edi
		mov	esi, [eax+24h]
		call	_MiGetStandbyRepurposed@8 ; MiGetStandbyRepurposed(x,x)
		mov	ecx, eax
		sub	ecx, esi
		cmp	esi, eax
		pop	esi
		sbb	edx, edx
		shr	ebx, 2
		and	edx, ecx
		cmp	edx, ebx
		jnb	short loc_4D4424
		xor	eax, eax
		inc	eax

loc_4D441D:				; CODE XREF: MiUseLowIoPriorityForModifiedPages(x)+70j
		pop	edi
		pop	ebx
		retn
; 

loc_4D4420:				; CODE XREF: MiUseLowIoPriorityForModifiedPages(x)+3Cj
		cmp	ebx, edx
		ja	short loc_4D43F4

loc_4D4424:				; CODE XREF: MiUseLowIoPriorityForModifiedPages(x)+Dj
					; MiUseLowIoPriorityForModifiedPages(x)+16j ...
		xor	eax, eax
		jmp	short loc_4D441D
_MiUseLowIoPriorityForModifiedPages@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetAvailablePagesBelowPriority(x,	x)
_MiGetAvailablePagesBelowPriority@8 proc near ;	CODE XREF: MiResolveMappedFileFault+56Dp
					; MiGetHardFaultPages+11Cp ...
		lea	eax, [edx+50h]
		push	esi
		imul	eax, 14h
		lea	esi, [ecx+640h]
		push	edi
		mov	edi, [ecx+5C0h]
		add	edi, [ecx+580h]
		add	eax, ecx
		jmp	short loc_4D444B
; 

loc_4D4446:				; CODE XREF: MiGetAvailablePagesBelowPriority(x,x)+25j
		add	edi, [esi]
		add	esi, 14h

loc_4D444B:				; CODE XREF: MiGetAvailablePagesBelowPriority(x,x)+1Cj
		cmp	esi, eax
		jb	short loc_4D4446
		mov	eax, edi
		pop	edi
		pop	esi
		retn
_MiGetAvailablePagesBelowPriority@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetStandbyRepurposed(x, x)
_MiGetStandbyRepurposed@8 proc near	; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+258p
					; MmQuerySystemWorkingSetInformation+F5p ...
		mov	edi, edi
		push	esi
		push	8
		pop	esi
		xor	eax, eax
		cmp	edx, esi
		jnb	short loc_4D4475
		lea	ecx, [ecx+edx*4]
		add	ecx, 97Ch
		sub	esi, edx

loc_4D446B:				; CODE XREF: MiGetStandbyRepurposed(x,x)+1Fj
		add	eax, [ecx]
		lea	ecx, [ecx+4]
		sub	esi, 1
		jnz	short loc_4D446B

loc_4D4475:				; CODE XREF: MiGetStandbyRepurposed(x,x)+Aj
		pop	esi
		retn
_MiGetStandbyRepurposed@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmUpdateMemoryCondition(x, x)
_SmUpdateMemoryCondition@8 proc	near	; CODE XREF: MiStoreUpdateMemoryConditions+BDp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	eax, ds:byte_718468
		push	esi
		cmp	eax, ecx
		jnz	short loc_4D449C
		test	ecx, ecx
		jle	short loc_4D449C
		movzx	eax, ds:byte_718469
		cmp	eax, edx
		jnz	short loc_4D449C

loc_4D4499:				; CODE XREF: SmUpdateMemoryCondition(x,x)+4Cj
		pop	esi
		leave
		retn
; 

loc_4D449C:				; CODE XREF: SmUpdateMemoryCondition(x,x)+10j
					; SmUpdateMemoryCondition(x,x)+14j ...
		test	edx, edx
		mov	ds:byte_718468,	cl
		lea	eax, [ebp+var_4]
		setnz	ds:byte_718469
		and	[ebp+var_4], 0
		xor	esi, esi
		lock or	[eax], esi
		push	edx
		mov	edx, ecx
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	?SmUpdateMemoryConditions@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@W4_SMP_MEMORY_CONDITION@@K@Z ;	SMKM_STORE_MGR<SM_TRAITS>::SmUpdateMemoryConditions(SMKM_STORE_MGR<SM_TRAITS> *,_SMP_MEMORY_CONDITION,ulong)
		jmp	short loc_4D4499
_SmUpdateMemoryCondition@8 endp


;  S U B	R O U T	I N E 


; __stdcall KeQueryEffectiveBasePriorityThread(x)
_KeQueryEffectiveBasePriorityThread@4 proc near
					; CODE XREF: MiStoreUpdateMemoryConditions+9Fp
		mov	edi, edi
		push	esi
		xor	edx, edx
		mov	esi, ecx
		call	KiIsThreadRankNonZero
		test	al, al
		jnz	short loc_4D44DF
		movsx	eax, byte ptr [esi+15Bh]
		pop	esi
		retn
; 

loc_4D44DF:				; CODE XREF: KeQueryEffectiveBasePriorityThread(x)+Ej
		xor	eax, eax
		inc	eax
		pop	esi
		retn
_KeQueryEffectiveBasePriorityThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeTrimCriteria(x,	x, x, x)
_MiInitializeTrimCriteria@16 proc near	; CODE XREF: MiComputeSystemTrimCriteria+345p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	dword ptr [ecx+34h], 0
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ecx+2Ch], esi
		mov	byte ptr [ecx],	0
		mov	eax, [edx+0FC0h]
		and	dword ptr [ecx+38h], 0
		add	eax, esi
		push	edi
		mov	[ecx+28h], eax
		lea	edi, [ecx+8]
		mov	al, [ebp+arg_4]
		push	8
		mov	[ecx+2], al
		xor	eax, eax
		pop	ecx
		rep stosd
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_MiInitializeTrimCriteria@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckLogPinDriverAddresses proc near	; CODE XREF: MiWorkingSetManager(x,x):loc_4D477Cp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C8F7E SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	dword_6D35BC, 0
		jz	locret_4D45D9
		mov	eax, dword_6C6760
		push	ebx
		xor	ebx, ebx
		push	esi
		inc	ebx
		push	edi
		mov	edi, dword_6C6760
		test	eax, eax
		jz	loc_4D45DB
		cmp	edi, ebx
		jbe	loc_5C8F7E
		cmp	eax, edi
		jb	loc_4D45DB
		mov	esi, dword_6C6764
		lea	ecx, [edi-1]
		mov	eax, ecx
		shr	eax, 5
		mov	edx, [esi]
		lea	eax, [esi+eax*4]
		cmp	esi, eax
		jz	loc_5C8F96
		test	edx, edx
		jmp	short loc_4D457C
; 

loc_4D4579:				; CODE XREF: MiCheckLogPinDriverAddresses+65j
		cmp	dword ptr [esi], 0

loc_4D457C:				; CODE XREF: MiCheckLogPinDriverAddresses+59j
		jnz	short loc_4D45DB
		add	esi, 4
		cmp	esi, eax
		jnz	short loc_4D4579
		not	ecx
		or	eax, 0FFFFFFFFh
		shr	eax, cl
		mov	ecx, [esi]
		and	ecx, eax
		neg	ecx
		sbb	cl, cl
		lea	edx, [ecx+1]

loc_4D4597:				; CODE XREF: MiCheckLogPinDriverAddresses+F4A8Aj
		test	dl, dl
		jz	short loc_4D45DB
		mov	edx, offset unk_6C6868
		xor	ecx, ecx

loc_4D45A2:				; CODE XREF: MiCheckLogPinDriverAddresses+B6j
		xor	esi, esi
		mov	ebx, edx

loc_4D45A6:				; CODE XREF: MiCheckLogPinDriverAddresses+ABj
		and	[ebp+var_4], 0
		mov	edi, ebx

loc_4D45AC:				; CODE XREF: MiCheckLogPinDriverAddresses+A2j
		mov	eax, [edi]
		cmp	eax, [edi+4]
		jnz	short loc_4D4612
		mov	eax, [ebp+var_4]
		add	edi, 8
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, 2
		jb	short loc_4D45AC
		inc	esi
		add	ebx, 10h
		cmp	esi, 2
		jb	short loc_4D45A6
		add	ecx, 20h
		add	edx, 20h
		cmp	ecx, 40h
		jb	short loc_4D45A2

loc_4D45D6:				; CODE XREF: MiCheckLogPinDriverAddresses+CFj
					; MiCheckLogPinDriverAddresses+F2j
		pop	edi
		pop	esi
		pop	ebx

locret_4D45D9:				; CODE XREF: MiCheckLogPinDriverAddresses+Dj
		leave
		retn
; 

loc_4D45DB:				; CODE XREF: MiCheckLogPinDriverAddresses+26j
					; MiCheckLogPinDriverAddresses+36j ...
		xor	eax, eax
		mov	cx, bx
		mov	edx, offset unk_6C68B8
		lock cmpxchg [edx], cx
		cwde
		test	eax, eax
		jnz	short loc_4D45D6
		and	dword_6C68B4, eax
		and	dword_6C68A8, eax
		push	ebx
		push	offset dword_6C68A8
		mov	dword_6C68B0, offset MiLogPinDriverAddressesWorker
		call	ExQueueWorkItem
		jmp	short loc_4D45D6
; 

loc_4D4612:				; CODE XREF: MiCheckLogPinDriverAddresses+93j
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_4D45DB
MiCheckLogPinDriverAddresses endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWorkingSetManager(x, x)
_MiWorkingSetManager@8 proc near	; CODE XREF: KeBalanceSetManager+83p
					; KeBalanceSetManager+143p ...

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= byte ptr -3Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	3Ch		; size_t
		lea	eax, [ebp+var_40]
		mov	[ebp+var_64], edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		mov	edi, [esi+0F00h]
		add	esp, 0Ch
		and	[ebp+var_58], 0
		cmp	dword ptr [edi+44h], 0
		jnz	short loc_4D465A
		mov	eax, large fs:124h
		mov	[edi+44h], eax

loc_4D465A:				; CODE XREF: MiWorkingSetManager(x,x)+37j
		xor	edx, edx
		mov	ecx, esi
		call	_MiWakePageZeroing@8 ; MiWakePageZeroing(x,x)
		cmp	esi, offset _MiSystemPartition
		jnz	loc_4D4781
		cmp	dword_6D3450, offset dword_6D3450
		jz	loc_4D477C
		and	[ebp+var_48], 0
		lea	eax, [ebp+var_48]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, ds:_KiCacheFlushTimeStamp
		mov	edx, eax
		mov	ecx, dword_6D3458
		push	0FFFFFFFFh
		mov	[ebp+var_5C], eax
		call	_MiTbFlushTimeStampMayNeedFlush@12 ; MiTbFlushTimeStampMayNeedFlush(x,x,x)
		cmp	al, 1
		jz	loc_4D477C
		lea	eax, [ebp+var_50]
		push	offset unk_6D3440
		mov	[ebp+var_4C], eax
		mov	[ebp+var_50], eax
		call	ExAcquireSpinLockExclusive
		mov	byte ptr [ebp+var_54], al

loc_4D46C0:				; CODE XREF: MiWorkingSetManager(x,x)+11Ej
		mov	eax, dword_6D3450
		cmp	eax, offset dword_6D3450
		jz	short loc_4D4738
		mov	edx, [ebp+var_5C]
		add	eax, 0FFFFFFF4h
		push	0FFFFFFFFh
		mov	[ebp+var_48], eax
		mov	ecx, [eax+1Ch]
		call	_MiTbFlushTimeStampMayNeedFlush@12 ; MiTbFlushTimeStampMayNeedFlush(x,x,x)
		cmp	al, 1
		jz	short loc_4D4738
		mov	ecx, [ebp+var_48]
		lea	eax, [ecx+0Ch]
		mov	edx, [eax]
		mov	[ebp+var_60], edx
		cmp	[edx+4], eax
		jnz	loc_4D4777
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_4D4777
		mov	eax, [ebp+var_60]
		push	ecx
		mov	[edx], eax
		push	offset dword_6D344C
		mov	[eax+4], edx
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	ecx, [ebp+var_50]
		lea	eax, [ebp+var_50]
		dec	dword_6D345C
		cmp	[ecx+4], eax
		jnz	short loc_4D4777
		mov	eax, [ebp+var_48]
		lea	edx, [ebp+var_50]
		add	eax, 0Ch
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[ecx+4], eax
		mov	[ebp+var_50], eax
		jmp	short loc_4D46C0
; 

loc_4D4738:				; CODE XREF: MiWorkingSetManager(x,x)+B2j
					; MiWorkingSetManager(x,x)+C9j
		push	[ebp+var_54]
		push	offset unk_6D3440
		call	ExReleaseSpinLockExclusive

loc_4D4745:				; CODE XREF: MiWorkingSetManager(x,x)+15Dj
		mov	eax, [ebp+var_50]
		lea	ecx, [ebp+var_50]
		cmp	eax, ecx
		jz	short loc_4D477C
		add	eax, 0FFFFFFF4h
		mov	[ebp+var_54], eax
		add	eax, 0Ch
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_4D4777
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_4D4777
		push	0
		push	[ebp+var_54]
		mov	[ecx], edx
		mov	[edx+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4D4745
; 

loc_4D4777:				; CODE XREF: MiWorkingSetManager(x,x)+D9j
					; MiWorkingSetManager(x,x)+E4j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4D477C:				; CODE XREF: MiWorkingSetManager(x,x)+61j
					; MiWorkingSetManager(x,x)+8Cj	...
		call	MiCheckLogPinDriverAddresses

loc_4D4781:				; CODE XREF: MiWorkingSetManager(x,x)+51j
		mov	ecx, esi
		call	MiEmptyDecayClusterTimers
		test	byte ptr [esi+4], 18h
		jz	short loc_4D479C
		push	0
		mov	edx, offset _MiFreeSlabEntries@12 ; MiFreeSlabEntries(x,x,x)
		mov	ecx, esi
		call	_MiEnumerateSlabAllocators@12 ;	MiEnumerateSlabAllocators(x,x,x)

loc_4D479C:				; CODE XREF: MiWorkingSetManager(x,x)+174j
		inc	dword ptr [edi+18h]
		mov	eax, [edi+18h]
		cmp	eax, [edi+1Ch]
		jnz	short loc_4D47DD
		mov	eax, [edi+10h]
		and	dword ptr [edi+18h], 0
		inc	eax
		and	eax, 3
		mov	[edi+10h], eax
		lea	ecx, [eax-2]
		and	ecx, 3
		imul	eax, ecx, 14h
		cmp	dword ptr [eax+esi+880h], 0
		jz	short loc_4D47DD
		push	0
		shl	ecx, 4
		lea	eax, [esi+9DCh]
		push	0
		add	eax, ecx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_4D47DD:				; CODE XREF: MiWorkingSetManager(x,x)+18Dj
					; MiWorkingSetManager(x,x)+1AEj
		cmp	esi, offset _MiSystemPartition
		jnz	short loc_4D47F9
		cmp	[ebp+var_64], 0
		jnz	short loc_4D47F9
		push	0
		push	0
		push	offset unk_6D3548
		call	KePulseEvent

loc_4D47F9:				; CODE XREF: MiWorkingSetManager(x,x)+1CBj
					; MiWorkingSetManager(x,x)+1D1j
		lea	edx, [ebp+var_40]
		mov	[ebp+var_3C], 1
		mov	ecx, esi
		call	MiProcessWorkingSets
		mov	al, [ebp+var_3C]
		cmp	al, 1
		jz	short loc_4D485E
		mov	cl, 1

loc_4D4810:				; CODE XREF: MiWorkingSetManager(x,x)+244j
		cmp	cl, al
		jnz	short loc_4D4820
		mov	[ebp+var_3C], 1
		inc	dword ptr [edi+560h]
		jmp	short loc_4D4844
; 

loc_4D4820:				; CODE XREF: MiWorkingSetManager(x,x)+1FAj
		push	dword ptr [edi+58h]
		mov	edx, [edi+4B8h]
		mov	ecx, esi
		call	MiAdjustModifiedPageLoad
		inc	dword ptr [edi+55Ch]
		mov	ecx, esi
		call	MiScanPagefiles
		mov	[ebp+var_58], 1

loc_4D4844:				; CODE XREF: MiWorkingSetManager(x,x)+206j
		mov	al, [ebp+var_3C]
		lea	edx, [ebp+var_40]
		mov	ecx, esi
		mov	[ebp+var_41], al
		call	MiProcessWorkingSets
		mov	al, [ebp+var_3C]
		mov	cl, [ebp+var_41]
		cmp	al, 1
		jnz	short loc_4D4810

loc_4D485E:				; CODE XREF: MiWorkingSetManager(x,x)+1F4j
		cmp	esi, offset _MiSystemPartition
		jnz	short loc_4D4880
		call	_MiAdjustPteBins@0 ; MiAdjustPteBins()
		call	_MiAdjustCachedStacks@0	; MiAdjustCachedStacks()
		cmp	byte_6CF4BE, 1
		jnz	short loc_4D4880
		xor	ecx, ecx
		call	_MiQueueExtentPfnDeletion@4 ; MiQueueExtentPfnDeletion(x)

loc_4D4880:				; CODE XREF: MiWorkingSetManager(x,x)+24Cj
					; MiWorkingSetManager(x,x)+25Fj
		cmp	[ebp+var_58], 0
		jnz	short loc_4D489D
		push	dword ptr [edi+58h]
		mov	edx, [edi+4B8h]
		mov	ecx, esi
		call	MiAdjustModifiedPageLoad
		mov	ecx, esi
		call	MiScanPagefiles

loc_4D489D:				; CODE XREF: MiWorkingSetManager(x,x)+26Cj
		mov	ecx, esi
		call	MiCheckTrimUnusedPageFileRegions
		mov	eax, [esi+10C0h]
		mov	ecx, [esi+1118h]
		cmp	eax, ecx
		jbe	short loc_4D48CD
		sub	eax, ecx
		cmp	eax, 320h
		jb	short loc_4D48CD
		push	0
		push	0
		lea	eax, [esi+1CCh]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_4D48CD:				; CODE XREF: MiWorkingSetManager(x,x)+29Aj
					; MiWorkingSetManager(x,x)+2A3j
		mov	ecx, esi
		call	MiSignalLargePageRebuild
		mov	ecx, esi
		call	MiScheduleZeroPageThreads
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiWorkingSetManager@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiScheduleZeroPageThreads proc near	; CODE XREF: MiWorkingSetManager(x,x)+2BEp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C8FAD SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_24]
		stosd
		mov	ebx, ecx
		mov	[ebp+var_18], ebx
		cmp	byte ptr [ebx+0DB5h], 0
		stosd
		stosd
		jz	short loc_4D4958
		push	esi
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[ebp+var_8], eax
		xor	esi, esi
		xor	eax, eax
		mov	[ebp+var_C], edx
		cmp	ax, ds:_KeNumberNodes
		jnb	short loc_4D4957
		xor	ecx, ecx
		mov	[ebp+var_4], ecx

loc_4D492B:				; CODE XREF: MiScheduleZeroPageThreads+6Bj
		mov	ebx, [ebx+10h]
		add	ebx, ecx
		cmp	byte ptr [ebx+272h], 0
		jnz	short loc_4D495C
		inc	dword_6C68EC

loc_4D493F:				; CODE XREF: MiScheduleZeroPageThreads+15Ej
					; MiScheduleZeroPageThreads+F46C9j
		movzx	eax, ds:_KeNumberNodes
		inc	esi
		mov	ebx, [ebp+var_18]
		add	ecx, 280h
		mov	[ebp+var_4], ecx
		cmp	esi, eax
		jb	short loc_4D492B

loc_4D4957:				; CODE XREF: MiScheduleZeroPageThreads+3Aj
		pop	esi

loc_4D4958:				; CODE XREF: MiScheduleZeroPageThreads+1Ej
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_4D495C:				; CODE XREF: MiScheduleZeroPageThreads+4Dj
		mov	edi, [ebx+244h]
		mov	eax, [edi+28h]
		mov	edx, [edi+2Ch]
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], edx
		cmp	[ebp+var_C], edx
		jg	short loc_4D4982
		jl	loc_5C8FAD
		cmp	[ebp+var_8], eax
		jbe	loc_5C8FAD

loc_4D4982:				; CODE XREF: MiScheduleZeroPageThreads+87j
		mov	ecx, [ebp+var_8]
		sub	ecx, eax
		mov	eax, [ebp+var_C]
		push	0
		push	0F4240h
		sbb	eax, edx
		push	eax
		push	ecx
		call	__allmul
		push	dword_6D06EC
		push	dword_6D06E8
		push	edx
		push	eax
		call	__alldiv
		test	edx, edx
		jg	short loc_4D49C2
		jl	loc_4D4A67
		cmp	eax, 10000h
		jb	loc_4D4A67

loc_4D49C2:				; CODE XREF: MiScheduleZeroPageThreads+C5j
		lea	ecx, [edi+10h]
		lea	edx, [ebp+var_24]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	dword ptr [edi+60h], 0
		jz	short loc_4D4A11
		mov	eax, [edi+28h]
		mov	ecx, [edi+2Ch]
		cmp	[ebp+var_10], eax
		jnz	loc_5C8FB8
		cmp	[ebp+var_14], ecx
		jnz	loc_5C8FB8
		xor	eax, eax
		mov	edx, ebx
		inc	eax
		mov	ecx, edi
		push	eax
		call	MiReduceZeroingThreads
		cmp	eax, 7
		jz	short loc_4D4A4D
		inc	dword_6C6900

loc_4D4A03:				; CODE XREF: MiScheduleZeroPageThreads+169j
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[edi+28h], eax
		mov	[edi+2Ch], edx

loc_4D4A11:				; CODE XREF: MiScheduleZeroPageThreads+E7j
					; MiScheduleZeroPageThreads+F46D4j
		test	ds:byte_70EFC6,	1
		jnz	loc_5C8FC3
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_4D4A55
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jnz	loc_5C8FD3

loc_4D4A3C:				; CODE XREF: MiScheduleZeroPageThreads+17Bj
					; MiScheduleZeroPageThreads+F46E4j
		mov	cl, [ebp+var_1C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4D4A45:				; CODE XREF: MiScheduleZeroPageThreads+183j
		mov	ecx, [ebp+var_4]
		jmp	loc_4D493F
; 

loc_4D4A4D:				; CODE XREF: MiScheduleZeroPageThreads+111j
		inc	dword_6C68FC
		jmp	short loc_4D4A03
; 

loc_4D4A55:				; CODE XREF: MiScheduleZeroPageThreads+139j
					; MiScheduleZeroPageThreads+F46F1j
		xor	ecx, ecx
		mov	[ebp+var_24], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	short loc_4D4A3C
; 

loc_4D4A67:				; CODE XREF: MiScheduleZeroPageThreads+C7j
					; MiScheduleZeroPageThreads+D2j
		inc	dword_6C68F4
		jmp	short loc_4D4A45
MiScheduleZeroPageThreads endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSignalLargePageRebuild proc near	; CODE XREF: MiWorkingSetManager(x,x)+2B7p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C8FE0 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	edi
		lea	edi, [ebp+var_14]
		mov	ebx, ecx
		stosd
		test	byte ptr [ebx+4], 20h
		stosd
		stosd
		jnz	loc_4D4B44
		call	_MiPageCombiningActive@4 ; MiPageCombiningActive(x)
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jz	loc_4D4B44
		push	esi
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		xor	ecx, ecx
		mov	[ebp+var_1], al
		xor	esi, esi
		cmp	cx, ds:_KeNumberNodes
		jnb	loc_4D4B3B

loc_4D4ABB:				; CODE XREF: MiSignalLargePageRebuild+C6j
		and	[ebp+var_14], 0
		imul	edi, esi, 280h
		add	edi, [ebx+10h]
		test	ds:byte_70EFC6,	21h
		lea	eax, [edi+204h]
		mov	[ebp+var_10], eax
		jnz	loc_5C8FE0
		lea	edx, [ebp+var_14]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4D4BBB

loc_4D4AEB:				; CODE XREF: MiSignalLargePageRebuild+153j
					; MiSignalLargePageRebuild+F457Aj
		cmp	byte ptr [edi+141h], 0
		jnz	short loc_4D4AFD
		sub	byte ptr [edi+140h], 1
		jz	short loc_4D4B48

loc_4D4AFD:				; CODE XREF: MiSignalLargePageRebuild+82j
					; MiSignalLargePageRebuild+110j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5C8FEF
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_4D4BD0
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jnz	loc_4D4BC8

loc_4D4B2C:				; CODE XREF: MiSignalLargePageRebuild+170j
					; MiSignalLargePageRebuild+F458Aj
		movzx	eax, ds:_KeNumberNodes
		inc	esi
		cmp	esi, eax
		jb	short loc_4D4ABB
		mov	al, [ebp+var_1]

loc_4D4B3B:				; CODE XREF: MiSignalLargePageRebuild+45j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi

loc_4D4B44:				; CODE XREF: MiSignalLargePageRebuild+18j
					; MiSignalLargePageRebuild+28j
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_4D4B48:				; CODE XREF: MiSignalLargePageRebuild+8Bj
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	_MiNodeFreeZeroPages@12	; MiNodeFreeZeroPages(x,x,x)
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		cmp	[edi+143h], cl
		setnz	cl
		dec	ecx
		and	ecx, 1F00h
		add	ecx, 100h
		cmp	eax, ecx
		jnb	short loc_4D4B85

loc_4D4B72:				; CODE XREF: MiSignalLargePageRebuild+11Cj
					; MiSignalLargePageRebuild+132j ...
		mov	byte ptr [edi+142h], 8
		mov	byte ptr [edi+140h], 8
		jmp	loc_4D4AFD
; 

loc_4D4B85:				; CODE XREF: MiSignalLargePageRebuild+100j
		test	byte ptr ds:_MiFlags, 30h
		jz	short loc_4D4B72
		xor	eax, eax
		mov	ecx, edi
		push	2
		lea	edx, [eax+1]
		call	_MiNodeLargeFreeZeroPages@12 ; MiNodeLargeFreeZeroPages(x,x,x)
		shr	eax, 3
		cmp	eax, [ebp+var_8]
		jnb	short loc_4D4B72
		xor	eax, eax
		mov	ecx, ebx
		push	esi
		lea	edx, [eax+1]
		call	_MiWakeLargePageRebuild@12 ; MiWakeLargePageRebuild(x,x,x)
		test	eax, eax
		jnz	loc_4D4AFD
		jmp	short loc_4D4B72
; 

loc_4D4BBB:				; CODE XREF: MiSignalLargePageRebuild+75j
		lea	ecx, [ebp+var_14]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4D4AEB
; 

loc_4D4BC8:				; CODE XREF: MiSignalLargePageRebuild+B6j
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid

loc_4D4BD0:				; CODE XREF: MiSignalLargePageRebuild+9Fj
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4D4B2C
MiSignalLargePageRebuild endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckTrimUnusedPageFileRegions proc near ; CODE XREF:	MiWorkingSetManager(x,x)+287p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C8FFF SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		call	_MiNumberWsSwapPagefiles@4 ; MiNumberWsSwapPagefiles(x)
		test	eax, eax
		jz	short loc_4D4C3D
		cmp	dword ptr [esi+288h], 0
		jnz	short loc_4D4C3D
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	edi
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	edi, eax
		mov	ecx, edx
		sub	edi, [esi+290h]
		sbb	ecx, [esi+294h]
		cmp	ecx, 8
		jb	short loc_4D4C3C
		ja	loc_5C8FFF
		cmp	edi, 61C46800h
		jnb	loc_5C8FFF

loc_4D4C3C:				; CODE XREF: MiCheckTrimUnusedPageFileRegions+42j
					; MiCheckTrimUnusedPageFileRegions+F4436j ...
		pop	edi

loc_4D4C3D:				; CODE XREF: MiCheckTrimUnusedPageFileRegions+10j
					; MiCheckTrimUnusedPageFileRegions+19j
		pop	esi
		leave
		retn
MiCheckTrimUnusedPageFileRegions endp


;  S U B	R O U T	I N E 


; __stdcall MiNumberWsSwapPagefiles(x)
_MiNumberWsSwapPagefiles@4 proc	near	; CODE XREF: MiCheckTrimUnusedPageFileRegions+9p
					; MiContractWsSwapPageFile+5p ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx+0F4Ch]
		xor	edx, edx
		test	esi, esi
		jz	short loc_4D4C65
		add	ecx, 0F54h

loc_4D4C55:				; CODE XREF: MiNumberWsSwapPagefiles(x)+23j
		mov	eax, [ecx]
		test	byte ptr [eax+74h], 10h
		jnz	short loc_4D4C69

loc_4D4C5D:				; CODE XREF: MiNumberWsSwapPagefiles(x)+2Aj
		add	ecx, 4
		sub	esi, 1
		jnz	short loc_4D4C55

loc_4D4C65:				; CODE XREF: MiNumberWsSwapPagefiles(x)+Dj
		mov	eax, edx
		pop	esi
		retn
; 

loc_4D4C69:				; CODE XREF: MiNumberWsSwapPagefiles(x)+1Bj
		inc	edx
		jmp	short loc_4D4C5D
_MiNumberWsSwapPagefiles@4 endp


;  S U B	R O U T	I N E 


MiScanPagefiles	proc near		; CODE XREF: MiWorkingSetManager(x,x)+220p
					; MiWorkingSetManager(x,x)+280p

; FUNCTION CHUNK AT 005C9056 SIZE 000000A1 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_MiFreePageFileHashPfns@4 ; MiFreePageFileHashPfns(x)
		mov	edx, 420h
		mov	ecx, esi
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	loc_5C9056

loc_4D4C8A:				; CODE XREF: MiScanPagefiles+F43F2j
		pop	esi
		retn
MiScanPagefiles	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreePageFileHashPfns(x)
_MiFreePageFileHashPfns@4 proc near	; CODE XREF: MiScanPagefiles+5p
					; MiDeletePagefile(x,x)+56p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	eax, ecx
		xor	edx, edx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_14], eax
		mov	edi, [eax+0F4Ch]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_10], edi
		test	edi, edi
		jz	short loc_4D4CD3
		lea	esi, [eax+0F54h]
		mov	[ebp+var_C], esi

loc_4D4CB9:				; CODE XREF: MiFreePageFileHashPfns(x)+41j
		mov	ecx, [esi]
		cmp	[ecx+2Ch], dx
		jnz	short loc_4D4CD8

loc_4D4CC1:				; CODE XREF: MiFreePageFileHashPfns(x)+ABj
		add	esi, 4
		sub	edi, 1
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], edi
		jnz	short loc_4D4CB9
		test	ebx, ebx
		jnz	short loc_4D4D39

loc_4D4CD3:				; CODE XREF: MiFreePageFileHashPfns(x)+22j
					; MiFreePageFileHashPfns(x)+D1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4D4CD8:				; CODE XREF: MiFreePageFileHashPfns(x)+33j
		add	ecx, 28h
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	short loc_4D4D35

loc_4D4CE9:				; CODE XREF: MiFreePageFileHashPfns(x)+A1j
		mov	eax, ecx
		mov	edi, [ecx]
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	esi
		cdq
		idiv	esi
		mov	esi, eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, esi
		mov	bl, al
		call	_MiFreePageFileHashPfn@4 ; MiFreePageFileHashPfn(x)
		mov	ecx, [ebp+var_4]
		mov	eax, 7FFFFFFFh
		add	ecx, 10h
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+var_8]
		mov	ecx, edi
		inc	ebx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ebx
		test	edi, edi
		jnz	short loc_4D4CE9
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_10]

loc_4D4D35:				; CODE XREF: MiFreePageFileHashPfns(x)+5Bj
		xor	edx, edx
		jmp	short loc_4D4CC1
; 

loc_4D4D39:				; CODE XREF: MiFreePageFileHashPfns(x)+45j
		mov	esi, [ebp+var_14]
		mov	edx, ebx
		mov	ecx, esi
		call	MiReturnCommit
		mov	edx, ebx
		mov	ecx, esi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	short loc_4D4D62

loc_4D4D52:				; CODE XREF: MiFreePageFileHashPfns(x)+E0j
		neg	ebx
		mov	eax, offset dword_6D3CC4
		lock xadd [eax], ebx
		jmp	loc_4D4CD3
; 

loc_4D4D62:				; CODE XREF: MiFreePageFileHashPfns(x)+C4j
		lea	ecx, [esi+1000h]
		lock xadd [ecx], eax
		jmp	short loc_4D4D52
_MiFreePageFileHashPfns@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAdjustModifiedPageLoad proc near	; CODE XREF: MiWorkingSetManager(x,x)+213p
					; MiWorkingSetManager(x,x)+279p

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C90F7 SIZE 0000007A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	edi
		mov	ecx, 4000h
		mov	[ebp+var_10], esi
		mov	eax, [esi+0FC0h]
		mov	edi, eax
		mov	ebx, [esi+1118h]
		shr	edi, 5
		cmp	edi, ecx
		ja	short loc_4D4D9D
		mov	edi, ecx

loc_4D4D9D:				; CODE XREF: MiAdjustModifiedPageLoad+2Bj
		shr	eax, 4
		cmp	eax, edi
		jb	loc_4D4F19

loc_4D4DA8:				; CODE XREF: MiAdjustModifiedPageLoad+1ADj
		mov	eax, [esi+0F00h]
		mov	edx, 4E20h
		mov	ecx, [esi+5C0h]
		and	[ebp+var_4], 0
		add	ecx, [esi+580h]
		mov	eax, [eax+4D4h]
		cmp	eax, edx
		jbe	loc_5C90F7

loc_4D4DD1:				; CODE XREF: MiAdjustModifiedPageLoad+F438Bj
		cmp	ecx, eax
		jbe	short loc_4D4E0C
		mov	eax, ecx
		xor	edx, edx
		push	0Ah
		pop	ecx
		div	ecx
		cmp	ebx, eax
		jnb	short loc_4D4E0C

loc_4D4DE2:				; CODE XREF: MiAdjustModifiedPageLoad+105j
					; MiAdjustModifiedPageLoad+1E1j ...
		test	byte ptr [ebp+arg_0], 7
		mov	eax, [ebp+var_8]
		mov	[esi+1E8h], eax
		jz	loc_4D4E81

loc_4D4DF5:				; CODE XREF: MiAdjustModifiedPageLoad+1A0j
					; MiAdjustModifiedPageLoad+F43FEj
		cmp	dword ptr [esi+2C0h], 0
		jz	short loc_4D4E05
		mov	ecx, esi
		call	MiStoreUpdateMemoryConditions

loc_4D4E05:				; CODE XREF: MiAdjustModifiedPageLoad+8Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4D4E0C:				; CODE XREF: MiAdjustModifiedPageLoad+65j
					; MiAdjustModifiedPageLoad+72j
		cmp	ebx, edi
		jnb	loc_4D4F29
		mov	eax, [esi+1E4h]
		mov	edx, ebx
		shr	eax, 4
		imul	ecx, eax, 0Fh
		shr	edx, 4
		add	edx, ecx
		mov	[esi+1E4h], edx
		cmp	ecx, edx
		ja	short loc_4D4E79
		cmp	ebx, 320h
		jb	loc_4D4F54
		mov	eax, [esi+1E0h]
		cmp	edx, ebx
		ja	loc_4D4F20
		sub	edx, ebx
		add	eax, edx

loc_4D4E4F:				; CODE XREF: MiAdjustModifiedPageLoad+1B6j
		lea	ecx, [eax+ebx]
		mov	[esi+1E0h], ecx
		cmp	eax, ecx
		jg	short loc_4D4E79
		shr	edi, 1
		mov	eax, 7FFFFFFFh
		cmp	edi, 369D03h
		jnb	short loc_4D4E71
		imul	eax, edi, 258h

loc_4D4E71:				; CODE XREF: MiAdjustModifiedPageLoad+FBj
		cmp	ecx, eax
		jl	loc_4D4DE2

loc_4D4E79:				; CODE XREF: MiAdjustModifiedPageLoad+C1j
					; MiAdjustModifiedPageLoad+ECj
		mov	ebx, [ebp+var_4]
		jmp	loc_4D4F2D
; 

loc_4D4E81:				; CODE XREF: MiAdjustModifiedPageLoad+81j
		and	[ebp+var_4], 0
		test	byte ptr [esi+20Ch], 1
		jnz	loc_5C90FE

loc_4D4E92:				; CODE XREF: MiAdjustModifiedPageLoad+F43C0j
					; MiAdjustModifiedPageLoad+F43D9j
		mov	ebx, [esi+0F4Ch]
		test	ebx, ebx
		jz	short loc_4D4F0A
		lea	eax, [esi+0F54h]
		mov	esi, [ebp+var_4]
		mov	[ebp+var_8], eax

loc_4D4EA8:				; CODE XREF: MiAdjustModifiedPageLoad+197j
		mov	edi, [eax]
		test	byte ptr [edi+74h], 40h
		jnz	short loc_4D4EFC
		lea	eax, [edi+88h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [edi+48h]
		mov	byte ptr [ebp+arg_0+3],	al
		cmp	ecx, [edi+44h]
		jz	short loc_4D4ED0
		mov	ecx, ds:dword_7051C4
		mov	[edi+40h], ecx

loc_4D4ED0:				; CODE XREF: MiAdjustModifiedPageLoad+157j
		mov	ecx, ds:dword_7051C4
		shl	ecx, 2
		mov	[edi+4Ch], ecx
		test	esi, esi
		jnz	loc_5C914C

loc_4D4EE4:				; CODE XREF: MiAdjustModifiedPageLoad+F43E3j
					; MiAdjustModifiedPageLoad+F43EEj
		lea	eax, [edi+88h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_8]

loc_4D4EFC:				; CODE XREF: MiAdjustModifiedPageLoad+140j
		add	eax, 4
		mov	[ebp+var_8], eax
		sub	ebx, 1
		jnz	short loc_4D4EA8
		mov	esi, [ebp+var_10]

loc_4D4F0A:				; CODE XREF: MiAdjustModifiedPageLoad+12Cj
		cmp	[ebp+var_4], 0
		jz	loc_4D4DF5
		jmp	loc_5C9161
; 

loc_4D4F19:				; CODE XREF: MiAdjustModifiedPageLoad+34j
		mov	edi, eax
		jmp	loc_4D4DA8
; 

loc_4D4F20:				; CODE XREF: MiAdjustModifiedPageLoad+D7j
		sub	eax, edx
		add	eax, ebx
		jmp	loc_4D4E4F
; 

loc_4D4F29:				; CODE XREF: MiAdjustModifiedPageLoad+A0j
		mov	ebx, edi
		shr	ebx, 1

loc_4D4F2D:				; CODE XREF: MiAdjustModifiedPageLoad+10Ej
		mov	ecx, esi
		call	_MiUseLowIoPriorityForModifiedPages@4 ;	MiUseLowIoPriorityForModifiedPages(x)
		test	eax, eax
		jz	short loc_4D4F60

loc_4D4F38:				; CODE XREF: MiAdjustModifiedPageLoad+1F5j
		mov	edx, ebx
		mov	ecx, esi
		call	MiWakeModifiedPageWriter
		and	dword ptr [esi+1E0h], 0
		and	dword ptr [esi+1E4h], 0
		jmp	loc_4D4DE2
; 

loc_4D4F54:				; CODE XREF: MiAdjustModifiedPageLoad+C9j
		and	dword ptr [esi+1E0h], 0
		jmp	loc_4D4DE2
; 

loc_4D4F60:				; CODE XREF: MiAdjustModifiedPageLoad+1C8j
		or	ebx, 0FFFFFFFFh
		jmp	short loc_4D4F38
MiAdjustModifiedPageLoad endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopDecrementVpbRefCount	proc near	; CODE XREF: PAGE:0081CA7Ep
					; IoVerifyVolume(x,x)+164p

; FUNCTION CHUNK AT 005C9171 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		test	dl, dl
		jz	loc_5C918C
		push	ebx
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, large fs:20h
		mov	bl, al
		mov	edi, [ecx+464h]
		add	ecx, 460h
		test	ds:byte_70EFC6,	21h
		jnz	loc_5C9171
		mov	edx, ecx
		xchg	edx, [edi]
		test	edx, edx
		jnz	short loc_4D4FFA

loc_4D4FB2:				; CODE XREF: IopDecrementVpbRefCount+8Fj
					; IopDecrementVpbRefCount+F4208j
		mov	eax, [esi+14h]
		dec	eax
		mov	[esi+14h], eax
		mov	edi, [esi+14h]
		mov	esi, large fs:20h
		add	esi, 460h
		test	ds:byte_70EFC6,	1
		jnz	loc_5C917D
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_4D5008
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_4D5001

loc_4D4FEB:				; CODE XREF: IopDecrementVpbRefCount+A9j
					; IopDecrementVpbRefCount+F4217j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	ebx

loc_4D4FF7:				; CODE XREF: IopDecrementVpbRefCount+F4222j
		pop	esi
		pop	ebp
		retn
; 

loc_4D4FFA:				; CODE XREF: IopDecrementVpbRefCount+40j
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_4D4FB2
; 

loc_4D5001:				; CODE XREF: IopDecrementVpbRefCount+79j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_4D5008:				; CODE XREF: IopDecrementVpbRefCount+6Aj
		mov	dword ptr [esi], 0
		lea	ecx, [eax+4]
		mov	edx, 1
		lock xor [ecx],	edx
		jmp	short loc_4D4FEB
IopDecrementVpbRefCount	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIsPteInStore(x, x, x, x)
_MiIsPteInStore@16 proc	near		; CODE XREF: MiFinishHardFault(x,x,x,x)+58Ep
					; MiUpdatePfnPriority(x,x,x)+60p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, edi
		shrd	edx, eax, 2
		test	dl, 1
		jz	short loc_4D504E
		shrd	esi, edi, 0Ch
		and	esi, 0Fh
		cmp	esi, [ecx+2BCh]
		jnz	short loc_4D504E
		xor	eax, eax
		inc	eax

loc_4D5048:				; CODE XREF: MiIsPteInStore(x,x,x,x)+34j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_4D504E:				; CODE XREF: MiIsPteInStore(x,x,x,x)+18j
					; MiIsPteInStore(x,x,x,x)+27j
		xor	eax, eax
		jmp	short loc_4D5048
_MiIsPteInStore@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiComputeFaultCluster(x, x,	x, x)
_MiComputeFaultCluster@16 proc near	; CODE XREF: MiResolveMappedFileFault+504p
					; MiResolvePageFileFault+C0Dp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_10], ecx
		push	edi
		mov	ecx, [esi+0Ch]
		mov	edx, [esi+10h]
		mov	ebx, edx
		mov	eax, [esi+4]
		mov	edi, [esi+8]
		shl	ebx, 0Ch
		mov	[ebp+var_20], ecx
		add	ebx, [eax+ecx*8]
		mov	ecx, esi
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], ebx
		call	_MiAdvanceFaultList@4 ;	MiAdvanceFaultList(x)
		mov	ecx, [esi+0Ch]
		mov	[ebp+var_4], 1
		mov	[ebp+var_18], ecx
		cmp	ecx, edi
		jnb	loc_4D5125
		mov	edi, ebx
		xor	ecx, ecx
		shr	edi, 9
		mov	edx, 100h
		and	edi, offset loc_7FFFF8
		mov	[ebp+var_C], ecx
		sub	edi, 3FFFFFF8h
		mov	[ebp+var_8], edx
		cmp	[ebp+arg_4], ecx
		jnz	loc_4D51A6

loc_4D50C5:				; CODE XREF: MiComputeFaultCluster(x,x,x,x)+15Fj
					; MiComputeFaultCluster(x,x,x,x)+16Aj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_4D51C1

loc_4D50D0:				; CODE XREF: MiComputeFaultCluster(x,x,x,x)+192j
					; MiComputeFaultCluster(x,x,x,x)+1B1j
		cmp	edx, 1
		jbe	short loc_4D5125
		mov	edx, [ebp+var_18]

loc_4D50D8:				; CODE XREF: MiComputeFaultCluster(x,x,x,x)+D1j
		test	eax, eax
		jz	short loc_4D513B

loc_4D50DC:				; CODE XREF: MiComputeFaultCluster(x,x,x,x)+14Fj
		mov	eax, [esi+4]
		mov	ecx, [esi+10h]
		shl	ecx, 0Ch
		add	ecx, [eax+edx*8]
		mov	eax, ecx
		mov	[ebp+var_18], ecx
		mov	ecx, 0FFFFF000h
		and	eax, ecx
		and	ebx, ecx
		sub	eax, 1000h
		cmp	eax, ebx
		jnz	short loc_4D5125
		inc	[ebp+var_4]
		mov	ecx, esi
		call	_MiAdvanceFaultList@4 ;	MiAdvanceFaultList(x)
		mov	edx, [esi+0Ch]
		cmp	edx, [ebp+var_1C]
		jz	short loc_4D5125
		mov	eax, [ebp+var_4]
		mov	ebx, [ebp+var_18]
		cmp	eax, [ebp+var_8]
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_14], ebx
		jb	short loc_4D50D8

loc_4D5125:				; CODE XREF: MiComputeFaultCluster(x,x,x,x)+46j
					; MiComputeFaultCluster(x,x,x,x)+81j ...
		mov	eax, [ebp+var_20]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_24]
		pop	edi
		mov	[esi+10h], eax
		mov	eax, [ebp+var_4]
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4D513B:				; CODE XREF: MiComputeFaultCluster(x,x,x,x)+88j
		test	edi, 0FFFh
		jz	short loc_4D5125
		mov	ebx, [edi]
		nop
		mov	eax, [edi+4]
		xor	edx, edx
		mov	[ebp+var_18], eax
		mov	[ebp+var_2C], eax
		mov	eax, ebx
		and	eax, 1
		mov	[ebp+var_30], ebx
		or	eax, edx
		jnz	short loc_4D5125
		test	ecx, ecx
		jnz	loc_4D51E9
		mov	eax, ebx
		and	eax, 400h
		or	eax, edx
		jnz	short loc_4D5125
		mov	eax, ebx
		and	eax, 800h
		or	eax, edx
		jnz	short loc_4D5125
		lea	ecx, [ebp+var_30]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jz	short loc_4D5125
		push	[ebp+var_18]
		mov	ecx, [ebp+var_10]
		push	ebx
		call	_MiIsPteInStore@16 ; MiIsPteInStore(x,x,x,x)
		cmp	[ebp+arg_4], eax
		jnz	short loc_4D5125

loc_4D5198:				; CODE XREF: MiComputeFaultCluster(x,x,x,x)+19Fj
		mov	edx, [esi+0Ch]
		add	edi, 8
		mov	ebx, [ebp+var_14]
		jmp	loc_4D50DC
; 

loc_4D51A6:				; CODE XREF: MiComputeFaultCluster(x,x,x,x)+6Dj
		mov	eax, [ebp+var_10]
		mov	eax, [eax+2C4h]
		cmp	eax, edx
		jnb	loc_4D50C5
		mov	edx, eax
		mov	[ebp+var_8], eax
		jmp	loc_4D50C5
; 

loc_4D51C1:				; CODE XREF: MiComputeFaultCluster(x,x,x,x)+78j
		mov	eax, [eax+10h]
		mov	ecx, ebx
		shr	ecx, 0Ch
		sub	eax, ecx
		inc	eax
		cmp	edx, eax
		jbe	short loc_4D51D5
		mov	edx, eax
		mov	[ebp+var_8], edx

loc_4D51D5:				; CODE XREF: MiComputeFaultCluster(x,x,x,x)+17Cj
		mov	eax, [ebp+arg_0]
		test	dword ptr [eax+20h], 7FFFFFFFh
		jnz	short loc_4D51F8
		mov	ecx, [ebp+var_C]
		jmp	loc_4D50D0
; 

loc_4D51E9:				; CODE XREF: MiComputeFaultCluster(x,x,x,x)+10Dj
		and	ebx, 400h
		or	ebx, edx
		jnz	short loc_4D5198
		jmp	loc_4D5125
; 

loc_4D51F8:				; CODE XREF: MiComputeFaultCluster(x,x,x,x)+18Dj
		xor	eax, eax
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+arg_0], eax
		mov	[ebp+var_C], ecx
		jmp	loc_4D50D0
_MiComputeFaultCluster@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiAdvanceFaultList(x)
_MiAdvanceFaultList@4 proc near		; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+494p
					; MiDispatchFault+5A7p	...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ebx, [esi+0Ch]
		mov	edi, [esi+4]
		mov	edx, [edi+ebx*8]
		mov	ecx, [edi+ebx*8+4]
		and	edx, 0FFFh
		add	ecx, 0FFFh
		add	ecx, edx
		shr	ecx, 0Ch
		inc	dword ptr [esi+10h]
		cmp	[esi+10h], ecx
		jz	short loc_4D5239

loc_4D5235:				; CODE XREF: MiAdvanceFaultList(x)+40j
					; MiAdvanceFaultList(x)+47j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4D5239:				; CODE XREF: MiAdvanceFaultList(x)+2Bj
		and	dword ptr [esi+10h], 0
		lea	eax, [ebx+1]
		mov	ecx, [esi+8]
		mov	[esi+0Ch], eax
		cmp	eax, ecx
		jnb	short loc_4D5235
		cmp	dword ptr [edi+eax*8+4], 0
		jnz	short loc_4D5235
		mov	[esi+0Ch], ecx
		jmp	short loc_4D5235
_MiAdvanceFaultList@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRestoreTransitionPte(x, x)
_MiRestoreTransitionPte@8 proc near	; CODE XREF: MiInsertPageInList(x,x)+12Fp
					; MiRelinkStandbyPage(x,x)+40p	...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		xor	eax, eax
		mov	[esp+48h+var_24], edx
		push	esi
		mov	esi, ecx
		mov	[esp+4Ch+var_C], eax
		mov	[esp+4Ch+var_8], eax
		mov	[esp+4Ch+var_4], eax
		mov	[esp+4Ch+var_14], eax
		mov	edx, [esi+18h]
		mov	[esp+4Ch+var_10], eax
		mov	eax, edx
		push	edi
		xor	edi, edi
		mov	[esp+50h+var_30], esi
		and	eax, 70000000h
		mov	[esp+50h+var_44], edi
		lea	ecx, [edi+1]
		cmp	eax, 30000000h
		jnz	short loc_4D52C8
		lea	eax, [esp+50h+var_14]
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		test	eax, eax
		jnz	loc_4D57FC
		and	dword ptr [esi+18h], 8FFFFFFFh
		mov	edx, [esi+18h]

loc_4D52C8:				; CODE XREF: MiRestoreTransitionPte(x,x)+46j
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4D5334
		test	edx, (offset loc_7FFFFF+1)
		jnz	short loc_4D52F1
		mov	eax, [esi+4]
		test	eax, eax
		js	short loc_4D52F1
		jz	short loc_4D52F1
		or	eax, 80000000h
		mov	[esi+4], eax
		jmp	loc_4D53D0
; 

loc_4D52F1:				; CODE XREF: MiRestoreTransitionPte(x,x)+79j
					; MiRestoreTransitionPte(x,x)+80j ...
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jnz	loc_4D53D0
		lea	ecx, [esi+8]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jnz	loc_4D53D0
		mov	eax, [esi+0Ch]
		push	eax
		mov	eax, [esi+8]
		push	eax
		call	_MI_IS_RESET_PTE@8 ; MI_IS_RESET_PTE(x,x)
		test	eax, eax
		jz	loc_4D53D0
		lea	ecx, [esi+8]
		call	_MI_CLEAR_RESET_PTE@4 ;	MI_CLEAR_RESET_PTE(x)
		jmp	loc_4D53D0
; 

loc_4D5334:				; CODE XREF: MiRestoreTransitionPte(x,x)+71j
		mov	ecx, [esi+8]
		mov	eax, [esi+0Ch]
		shrd	ecx, eax, 2
		test	cl, 1
		jnz	short loc_4D539C
		push	eax
		mov	eax, [esi+8]
		push	eax
		call	_MI_IS_RESET_PTE@8 ; MI_IS_RESET_PTE(x,x)
		test	eax, eax
		jz	short loc_4D5359
		lea	ecx, [esi+8]
		call	_MI_CLEAR_RESET_PTE@4 ;	MI_CLEAR_RESET_PTE(x)

loc_4D5359:				; CODE XREF: MiRestoreTransitionPte(x,x)+EFj
		mov	ecx, esi
		call	MiGetTopLevelPfn
		mov	edx, [eax]
		shr	edx, 1
		and	edx, 0FFFFFFF8h
		or	edx, 80000000h
		cmp	eax, esi
		jz	short loc_4D537C
		add	eax, 10h
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_4D537C:				; CODE XREF: MiRestoreTransitionPte(x,x)+10Fj
		or	ecx, 0FFFFFFFFh
		lea	eax, [edx+14Ch]
		lock xadd [eax], ecx
		mov	al, [edx+2A3h]
		and	al, 60h
		cmp	al, 40h
		jnz	short loc_4D539C
		lock inc dword ptr [edx+2CCh]

loc_4D539C:				; CODE XREF: MiRestoreTransitionPte(x,x)+E1j
					; MiRestoreTransitionPte(x,x)+133j
		mov	ecx, esi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		mov	eax, [esi+18h]
		add	edx, ecx
		and	eax, offset loc_7FFFFF
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	eax, ecx
		jnz	short loc_4D53D0
		mov	edi, [esi+4]
		or	edi, 80000000h
		mov	[esp+50h+var_44], edi

loc_4D53D0:				; CODE XREF: MiRestoreTransitionPte(x,x)+8Cj
					; MiRestoreTransitionPte(x,x)+9Cj ...
		mov	ebx, [esi+8]
		mov	eax, [esi+0Ch]
		mov	[esp+50h+var_40], ebx
		mov	[esp+50h+var_38], eax
		test	edi, edi
		jz	short loc_4D53ED
		xor	eax, eax
		mov	[esp+50h+var_3C], eax
		jmp	loc_4D552C
; 

loc_4D53ED:				; CODE XREF: MiRestoreTransitionPte(x,x)+180j
		mov	edx, [esi+18h]
		mov	eax, ds:_MmPfnDatabase
		and	edx, offset loc_7FFFFF
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	eax, [eax+ecx*4]
		mov	ecx, 4
		mov	[esp+50h+var_3C], eax
		movzx	eax, byte ptr [eax+16h]
		shr	eax, 6
		test	eax, eax
		jz	short loc_4D542A
		cmp	eax, 3
		jz	short loc_4D542A
		cmp	eax, 2
		jnz	short loc_4D542F
		lea	ecx, [eax+1Ah]
		jmp	short loc_4D542F
; 

loc_4D542A:				; CODE XREF: MiRestoreTransitionPte(x,x)+1B9j
					; MiRestoreTransitionPte(x,x)+1BEj
		mov	ecx, 0Ch

loc_4D542F:				; CODE XREF: MiRestoreTransitionPte(x,x)+1C3j
					; MiRestoreTransitionPte(x,x)+1C8j
		and	ecx, 1Fh
		xor	eax, eax
		shld	eax, edx, 0Ch
		shl	edx, 0Ch
		mov	edi, ds:_MmProtectToPteMask[ecx*8]
		mov	ecx, ds:dword_40B4DC[ecx*8]
		and	edi, 0F7Fh
		and	ecx, 0FFFFFFE0h
		or	edi, edx
		or	ecx, eax
		or	edi, 121h
		mov	al, byte ptr word_6D07B8
		and	edi, 0FFFFFEFFh
		and	al, 1
		movzx	eax, al
		cdq
		mov	ebx, eax
		mov	eax, large fs:20h
		shld	edx, ebx, 8
		or	edx, ecx
		shl	ebx, 8
		mov	ecx, [eax+3D34h]
		or	ebx, edi
		mov	eax, ecx
		or	ebx, 42h
		and	eax, 0FFFh
		and	ecx, 0FFFFF000h
		shl	eax, 0Ch
		xor	edi, edi
		add	ecx, eax
		mov	[esp+50h+var_44], ecx
		shr	ecx, 9
		sub	ecx, 40000000h
		cmp	dword_6D07D0, 0C0000000h
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	ecx, 0C0603000h
		jb	short loc_4D5501
		cmp	ecx, eax
		jnb	short loc_4D5501
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_4D54E3
		cmp	byte ptr word_6D07B8+1,	0
		mov	edi, 1
		jnz	short loc_4D5501
		jmp	short loc_4D54FB
; 

loc_4D54E3:				; CODE XREF: MiRestoreTransitionPte(x,x)+271j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_4D5501

loc_4D54FB:				; CODE XREF: MiRestoreTransitionPte(x,x)+281j
		or	edx, 80000000h

loc_4D5501:				; CODE XREF: MiRestoreTransitionPte(x,x)+264j
					; MiRestoreTransitionPte(x,x)+268j ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], ebx
		test	edi, edi
		jz	short loc_4D5512
		push	edx
		push	ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_4D5512:				; CODE XREF: MiRestoreTransitionPte(x,x)+2A9j
		mov	eax, [esi+4]
		mov	ecx, [esp+50h+var_44]
		mov	ebx, [esp+50h+var_40]
		shr	eax, 3
		and	eax, 1FFh
		lea	edi, [ecx+eax*8]
		mov	[esp+50h+var_44], edi

loc_4D552C:				; CODE XREF: MiRestoreTransitionPte(x,x)+188j
		nop
		mov	esi, [esp+50h+var_44]

loc_4D5531:				; CODE XREF: MiRestoreTransitionPte(x,x)+2EDj
					; MiRestoreTransitionPte(x,x)+2F3j
		mov	edi, [esi]
		mov	eax, edi
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[esp+50h+var_34], ecx
		nop
		mov	ecx, [esp+50h+var_38]
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [esp+50h+var_40]
		cmp	eax, edi
		jnz	short loc_4D5531
		cmp	edx, [esp+50h+var_34]
		jnz	short loc_4D5531
		mov	ebx, [esp+50h+var_3C]
		mov	esi, [esp+50h+var_30]
		test	ebx, ebx
		jz	short loc_4D55DA
		mov	eax, large fs:20h
		mov	edi, [esp+50h+var_44]
		mov	[esp+50h+var_38], eax
		shr	edi, 9
		mov	eax, [eax+3D34h]
		and	edi, offset loc_7FFFF8
		mov	ebx, eax
		and	eax, 0FFFFF000h
		and	ebx, 0FFFh
		mov	[esp+50h+var_34], eax
		lea	eax, [ebx+1]
		mov	[esp+50h+var_30], eax
		mov	eax, ds:_ZeroPte
		mov	[edi-40000000h], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edi-3FFFFFFCh], eax
		cmp	ebx, 0FFh
		jnz	short loc_4D55BA
		call	_MiFlushHyperSpace@0 ; MiFlushHyperSpace()

loc_4D55BA:				; CODE XREF: MiRestoreTransitionPte(x,x)+353j
		mov	eax, [esp+50h+var_38]
		sub	ebx, 0FFh
		neg	ebx
		sbb	ebx, ebx
		and	ebx, [esp+50h+var_30]
		or	ebx, [esp+50h+var_34]
		mov	[eax+3D34h], ebx
		mov	ebx, [esp+50h+var_3C]

loc_4D55DA:				; CODE XREF: MiRestoreTransitionPte(x,x)+2FFj
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4D562A
		mov	ecx, [esi+8]
		mov	eax, ecx
		mov	edx, [esi+0Ch]
		and	eax, 400h
		or	eax, 0
		jz	short loc_4D562A
		mov	eax, dword_6D0704
		mov	edi, dword_6D0700
		mov	[esp+50h+var_3C], eax
		mov	eax, edi
		or	eax, [esp+50h+var_3C]
		jz	short loc_4D5620
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4D5620
		mov	eax, [esp+50h+var_3C]
		not	eax
		and	edx, eax

loc_4D5620:				; CODE XREF: MiRestoreTransitionPte(x,x)+3ACj
					; MiRestoreTransitionPte(x,x)+3B6j
		mov	ecx, [edx]
		push	3
		push	ecx
		call	MiDereferenceControlAreaPfnList

loc_4D562A:				; CODE XREF: MiRestoreTransitionPte(x,x)+383j
					; MiRestoreTransitionPte(x,x)+395j
		test	ebx, ebx
		jz	short loc_4D568D
		mov	[esp+50h+var_28], 0
		lea	edi, [ebx+10h]
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_4D5655

loc_4D5640:				; CODE XREF: MiRestoreTransitionPte(x,x)+3ECj
					; MiRestoreTransitionPte(x,x)+3F3j
		lea	ecx, [esp+50h+var_28]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_4D5640
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4D5640

loc_4D5655:				; CODE XREF: MiRestoreTransitionPte(x,x)+3DEj
		mov	al, [ebx+16h]
		and	al, 7
		cmp	al, 6
		jnz	loc_4D5826
		mov	ecx, [edi]
		mov	edx, ecx
		and	edx, 3FFFFFFFh
		dec	edx
		mov	eax, edx
		xor	eax, ecx
		and	eax, 3FFFFFFFh
		xor	eax, ecx
		mov	[edi], eax
		test	edx, edx
		jnz	short loc_4D5685
		mov	ecx, ebx
		call	_MiPfnShareCountIsZero@8 ; MiPfnShareCountIsZero(x,x)

loc_4D5685:				; CODE XREF: MiRestoreTransitionPte(x,x)+41Cj
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax

loc_4D568D:				; CODE XREF: MiRestoreTransitionPte(x,x)+3CCj
		and	dword ptr [esi+18h], 8FFFFFFFh
		test	byte ptr [esp+50h+var_24], 1
		mov	al, [esi+17h]
		jz	short loc_4D56AA
		and	al, 0F8h
		mov	[esi+17h], al
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4D56AA:				; CODE XREF: MiRestoreTransitionPte(x,x)+43Cj
		test	al, 8
		jz	short loc_4D56B5
		mov	eax, 5
		jmp	short loc_4D56BB
; 

loc_4D56B5:				; CODE XREF: MiRestoreTransitionPte(x,x)+44Cj
		movzx	eax, al
		and	eax, 7

loc_4D56BB:				; CODE XREF: MiRestoreTransitionPte(x,x)+453j
		lea	eax, unk_6D57BC[eax*4]
		lock inc dword ptr [eax]
		and	byte ptr [esi+17h], 0F8h
		cmp	dword_6D3260, 0
		jz	loc_4D57DD
		test	ds:byte_70EFC6,	21h
		mov	[esp+50h+var_8], offset	dword_6D3180
		mov	[esp+50h+var_C], 0
		jz	short loc_4D56FF
		mov	edx, offset dword_6D3180
		lea	ecx, [esp+50h+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4D5717
; 

loc_4D56FF:				; CODE XREF: MiRestoreTransitionPte(x,x)+48Dj
		lea	edx, [esp+50h+var_C]
		mov	eax, offset dword_6D3180
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_4D5717
		lea	ecx, [esp+50h+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4D5717:				; CODE XREF: MiRestoreTransitionPte(x,x)+49Dj
					; MiRestoreTransitionPte(x,x)+4ACj
		mov	edi, dword_6D3260
		test	edi, edi
		jz	short loc_4D5788
		mov	ebx, [edi+20h]
		mov	ecx, ebx
		and	ecx, 0FFFh
		jz	short loc_4D5756
		sub	esi, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	esi
		add	edx, esi
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	[ebx], eax
		add	dword ptr [edi+20h], 4
		mov	ecx, [edi+20h]
		and	ecx, 0FFFh

loc_4D5756:				; CODE XREF: MiRestoreTransitionPte(x,x)+4CCj
		cmp	ecx, 0C00h
		jnb	short loc_4D5788
		test	ecx, ecx
		jnz	short loc_4D5784
		lea	eax, [esp+50h+var_20]
		mov	[esp+50h+var_20], ecx
		push	eax
		mov	[esp+54h+var_1C], ecx
		call	KeQueryTickCount
		mov	eax, [esp+50h+var_20]
		mov	[edi+18h], eax
		mov	eax, [esp+50h+var_1C]
		mov	[edi+1Ch], eax
		jmp	short loc_4D578E
; 

loc_4D5784:				; CODE XREF: MiRestoreTransitionPte(x,x)+500j
		xor	edi, edi
		jmp	short loc_4D578E
; 

loc_4D5788:				; CODE XREF: MiRestoreTransitionPte(x,x)+4BFj
					; MiRestoreTransitionPte(x,x)+4FCj
		mov	edi, dword_6D3154

loc_4D578E:				; CODE XREF: MiRestoreTransitionPte(x,x)+522j
					; MiRestoreTransitionPte(x,x)+526j
		test	ds:byte_70EFC6,	1
		jz	short loc_4D57A5
		mov	edx, [ebp+4]
		lea	ecx, [esp+50h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4D57E3
; 

loc_4D57A5:				; CODE XREF: MiRestoreTransitionPte(x,x)+535j
		mov	eax, [esp+50h+var_C]
		test	eax, eax
		jnz	short loc_4D57C8
		mov	edx, [esp+50h+var_8]
		lea	eax, [esp+50h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+50h+var_C]
		cmp	eax, ecx
		jz	short loc_4D57E3
		call	KxWaitForLockChainValid

loc_4D57C8:				; CODE XREF: MiRestoreTransitionPte(x,x)+54Bj
		mov	[esp+50h+var_C], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	short loc_4D57E3
; 

loc_4D57DD:				; CODE XREF: MiRestoreTransitionPte(x,x)+470j
		mov	edi, dword_6D3154

loc_4D57E3:				; CODE XREF: MiRestoreTransitionPte(x,x)+543j
					; MiRestoreTransitionPte(x,x)+561j ...
		test	edi, edi
		jz	short loc_4D57F5
		push	0
		push	0
		push	offset unk_6D3264
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)

loc_4D57F5:				; CODE XREF: MiRestoreTransitionPte(x,x)+585j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4D57FC:				; CODE XREF: MiRestoreTransitionPte(x,x)+58j
		sub	esi, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	esi
		push	0
		add	edx, esi
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		push	0
		add	eax, edx
		push	eax
		push	5150Bh
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4D5826:				; CODE XREF: MiRestoreTransitionPte(x,x)+3FCj
		mov	ecx, ebx
		call	_MiBadShareCount@4 ; MiBadShareCount(x)
		int	3		; Trap to Debugger
_MiRestoreTransitionPte@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiWritePageFileHash proc near		; CODE XREF: MiMapPageFileHash+168p
					; MiMapPageFileHash+379p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C9197 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_64], 0
		and	[ebp+var_60], 0
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_58], ecx
		xor	edi, edi
		mov	[ebp+var_54], eax
		test	ebx, ebx
		jz	loc_5C91B4
		test	byte ptr [ebx+6], 5
		jz	loc_5C9197
		mov	esi, [ebx+0Ch]

loc_4D586D:				; CODE XREF: MiWritePageFileHash+F3981j
		test	esi, esi
		jz	short loc_4D5880
		mov	ecx, eax
		sub	ecx, ebx
		sub	ecx, 1Ch
		sar	ecx, 2
		shl	ecx, 0Ch
		add	esi, ecx

loc_4D5880:				; CODE XREF: MiWritePageFileHash+41j
					; MiWritePageFileHash+F3988j
		xor	ebx, ebx

loc_4D5882:				; CODE XREF: MiWritePageFileHash+F4j
		mov	[ebp+var_5C], ebx
		cmp	ebx, [ebp+arg_8]
		jnb	loc_4D5975
		and	[ebp+edi*4+var_4C], 0
		test	eax, eax
		jz	short loc_4D5904
		mov	eax, [eax]
		cmp	eax, dword_6D34E4
		jz	short loc_4D5904
		imul	eax, 1Ch
		xor	edx, edx
		inc	edx
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_68], eax
		mov	ecx, [eax+8]
		mov	eax, [eax+0Ch]
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], eax
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		test	byte ptr ds:dword_7051B8, dl
		jnz	short loc_4D58E5
		cmp	ecx, 1Fh
		jz	short loc_4D58E5
		mov	eax, ecx
		shr	eax, 3
		cmp	eax, 3
		jz	loc_4D598A

loc_4D58DE:				; CODE XREF: MiWritePageFileHash+167j
		dec	eax
		neg	eax
		sbb	eax, eax
		and	edx, eax

loc_4D58E5:				; CODE XREF: MiWritePageFileHash+9Bj
					; MiWritePageFileHash+A0j ...
		cmp	edx, 1
		jnz	loc_4D599A
		lea	ecx, [ebp+var_64]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		mov	ecx, [ebp+var_68]
		mov	edx, esi
		call	MiComputePageHash
		mov	[ebp+edi*4+var_4C], eax

loc_4D5904:				; CODE XREF: MiWritePageFileHash+67j
					; MiWritePageFileHash+71j ...
		inc	edi
		cmp	edi, 10h
		jz	short loc_4D5927

loc_4D590A:				; CODE XREF: MiWritePageFileHash+145j
		test	esi, esi
		jz	short loc_4D5914
		add	esi, 1000h

loc_4D5914:				; CODE XREF: MiWritePageFileHash+DEj
		mov	eax, [ebp+var_54]
		test	eax, eax
		jz	short loc_4D5921
		add	eax, 4
		mov	[ebp+var_54], eax

loc_4D5921:				; CODE XREF: MiWritePageFileHash+EBj
		inc	ebx
		jmp	loc_4D5882
; 

loc_4D5927:				; CODE XREF: MiWritePageFileHash+DAj
					; MiWritePageFileHash+149j
		mov	ebx, [ebp+var_58]
		add	ebx, 88h
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_4D], al
		mov	eax, [ebp+var_58]
		mov	ecx, [eax+80h]
		mov	eax, [ebp+arg_4]
		lea	edx, [ecx+eax*4]
		xor	ecx, ecx
		test	edi, edi
		jz	short loc_4D595C

loc_4D594E:				; CODE XREF: MiWritePageFileHash+12Cj
		mov	eax, [ebp+ecx*4+var_4C]
		inc	ecx
		mov	[edx], eax
		lea	edx, [edx+4]
		cmp	ecx, edi
		jb	short loc_4D594E

loc_4D595C:				; CODE XREF: MiWritePageFileHash+11Ej
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_4D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		add	[ebp+arg_4], edi
		xor	edi, edi
		mov	ebx, [ebp+var_5C]
		jmp	short loc_4D590A
; 

loc_4D5975:				; CODE XREF: MiWritePageFileHash+5Aj
		test	edi, edi
		jnz	short loc_4D5927
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_4D598A:				; CODE XREF: MiWritePageFileHash+AAj
		test	cl, 7
		jz	loc_4D58E5
		xor	edx, edx
		jmp	loc_4D58DE
; 

loc_4D599A:				; CODE XREF: MiWritePageFileHash+BAj
		mov	[ebp+edi*4+var_4C], 2
		jmp	loc_4D5904
MiWritePageFileHash endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputePageHash proc near		; CODE XREF: MiWritePageFileHash+CDp
					; MiValidatePagefilePageHash+E7p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C91BB SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], edi
		mov	esi, ecx
		test	edi, edi
		jz	loc_5C91BB
		mov	[ebp+var_1], 21h

loc_4D59D5:				; CODE XREF: MiComputePageHash+F3842j
		lea	ecx, [esi+8]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		mov	ecx, [edi+10h]
		mov	ebx, eax
		mov	eax, [edi+8]
		xor	esi, esi
		add	ebx, [edi]
		mov	edx, [edi+18h]
		adc	esi, [edi+4]
		mov	[ebp+var_10], eax
		mov	eax, [edi+0Ch]
		mov	[ebp+var_14], eax
		lea	eax, [edi+10h]
		mov	edi, [edi+1Ch]
		mov	[ebp+var_8], ecx
		mov	ecx, [eax+4]
		mov	[ebp+var_C], ecx

loc_4D5A07:				; CODE XREF: MiComputePageHash+88j
		mov	ecx, [eax+18h]
		add	eax, 20h
		add	ebx, [eax-10h]
		adc	esi, [eax-0Ch]
		add	[ebp+var_10], ecx
		mov	ecx, [eax-4]
		adc	[ebp+var_14], ecx
		mov	ecx, [eax]
		add	[ebp+var_8], ecx
		mov	ecx, [eax+4]
		adc	[ebp+var_C], ecx
		add	edx, [eax+8]
		mov	ecx, [ebp+var_18]
		adc	edi, [eax+0Ch]
		add	ecx, 0FF0h
		cmp	eax, ecx
		jnz	short loc_4D5A07
		add	edx, [ebp+var_8]
		mov	ecx, [ebp+var_1C]
		adc	edi, [ebp+var_C]
		add	edx, [ebp+var_10]
		adc	edi, [ebp+var_14]
		add	ebx, edx
		adc	esi, edi
		test	ecx, ecx
		jnz	loc_5C91F7

loc_4D5A55:				; CODE XREF: MiComputePageHash+F3859j
		add	esi, ebx
		cmp	esi, 3
		jb	short loc_4D5A65
		mov	eax, esi

loc_4D5A5E:				; CODE XREF: MiComputePageHash+BAj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4D5A65:				; CODE XREF: MiComputePageHash+AAj
		mov	eax, 3
		jmp	short loc_4D5A5E
MiComputePageHash endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiExpandSharedZeroCluster proc near	; CODE XREF: MiResolveDemandZeroFault+43Cp

var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C920E SIZE 000000A7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [ebp+var_70]
		mov	ebx, ecx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_10], ebx
		call	_memset
		mov	edx, [ebx+24h]
		add	esp, 0Ch
		mov	edi, [ebx+8]
		mov	ecx, [ebx+20h]
		mov	[ebp+var_40], 0
		mov	[ebp+var_3C], 0
		mov	eax, [edx+44h]
		mov	[ebp+var_14], 0
		mov	[ebp+var_1], 0
		mov	[ebp+var_1C], edx
		mov	[ebp+var_24], edi
		test	eax, eax
		js	loc_5C920E
		mov	[ebp+var_20], 0FFFFFFFFh

loc_4D5ACA:				; CODE XREF: MiExpandSharedZeroCluster+F37B0j
		mov	eax, [edx+1Ch]
		test	eax, 100000h
		jnz	short loc_4D5AE8
		shr	eax, 12h
		and	eax, 3
		cmp	ds:_MiVadPageSizes[eax*4], 10h
		jz	loc_5C9225

loc_4D5AE8:				; CODE XREF: MiExpandSharedZeroCluster+62j
					; MiExpandSharedZeroCluster+F380Dj
		mov	eax, large fs:124h
		push	edx
		mov	edx, [eax+80h]
		add	edx, 240h
		call	MiComputeZeroClusterMaximum
		mov	esi, edi
		mov	[ebp+var_2C], eax
		shr	edi, 9
		xor	ecx, ecx
		and	edi, offset loc_7FFFF8
		shr	esi, 0Ch
		sub	edi, 40000000h
		mov	[ebp+var_C], ecx
		xor	ebx, ebx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_8], edi
		test	eax, eax
		jz	loc_4D5C87
		lea	esp, [esp+0]

loc_4D5B30:				; CODE XREF: MiExpandSharedZeroCluster+18Ej
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		mov	edx, [edx+10h]
		call	_MiIsPteEvaluated@8 ; MiIsPteEvaluated(x,x)
		test	eax, eax
		jnz	loc_4D5C04
		mov	ecx, [ebp+var_1C]
		lea	eax, [ebp+var_14]
		push	eax
		push	4
		mov	edx, esi
		call	MiGetProtoPteAddress
		mov	edi, eax
		test	edi, edi
		jz	loc_4D5C8E
		mov	ecx, [ebp+var_14]
		test	ecx, ecx
		jz	loc_4D5C8E
		mov	edx, [ebp+var_18]
		test	edx, edx
		jz	short loc_4D5B79
		cmp	ecx, edx
		jnz	loc_4D5C8E

loc_4D5B79:				; CODE XREF: MiExpandSharedZeroCluster+FFj
		mov	eax, [ebp+var_10]
		mov	eax, [eax+0Ch]
		xor	eax, edi
		test	eax, 0FFFFF000h
		jnz	loc_4D5C8E
		test	edx, edx
		jz	loc_4D5C77

loc_4D5B94:				; CODE XREF: MiExpandSharedZeroCluster+20Aj
		mov	ecx, [ebp+var_1C]
		mov	eax, esi
		sub	eax, [ecx+0Ch]
		cmp	eax, [ebp+var_20]
		ja	loc_4D5C8E
		mov	ecx, [edi]
		nop
		mov	edx, [edi+4]
		mov	eax, ecx
		and	eax, 1
		mov	[ebp+var_38], ecx
		or	eax, 0
		mov	[ebp+var_34], edx
		jnz	loc_4D5C8E
		mov	eax, ecx
		or	eax, edx
		jz	loc_4D5C8E
		and	ecx, 0C00h
		or	ecx, 0
		jnz	loc_4D5C8E
		lea	ecx, [ebp+var_38]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jnz	loc_4D5C8E
		test	ebx, ebx
		jz	loc_4D5C7F

loc_4D5BF0:				; CODE XREF: MiExpandSharedZeroCluster+212j
		mov	edi, [ebp+var_8]
		inc	ebx
		add	edi, 8
		inc	esi
		mov	[ebp+var_8], edi
		cmp	ebx, [ebp+var_2C]
		jb	loc_4D5B30

loc_4D5C04:				; CODE XREF: MiExpandSharedZeroCluster+CFj
					; MiExpandSharedZeroCluster+221j
		mov	[ebp+var_28], ebx
		cmp	ebx, 1
		jbe	short loc_4D5C87
		cmp	[ebp+var_1], 1
		jz	loc_5C9282

loc_4D5C16:				; CODE XREF: MiExpandSharedZeroCluster+F382Aj
		xor	edx, edx
		mov	eax, ebx
		neg	eax
		mov	[ebp+var_8], edx
		lea	esi, [edi+eax*8]

loc_4D5C22:				; CODE XREF: MiExpandSharedZeroCluster+1ECj
		nop
		mov	eax, [ebp+var_10]
		mov	ecx, [eax+10h]
		cmp	ecx, 100h
		jz	loc_5C929F
		call	_MiMakePrototypePteVadLookup@4 ; MiMakePrototypePteVadLookup(x)

loc_4D5C3A:				; CODE XREF: MiExpandSharedZeroCluster+F3840j
		mov	ecx, [esi]
		mov	edi, eax
		mov	[ebp+var_34], edx
		mov	[ebp+var_38], edi
		nop
		or	ecx, [esi+4]
		jnz	short loc_4D5C52
		inc	[ebp+var_8]
		mov	[esi], edi
		mov	[esi+4], edx

loc_4D5C52:				; CODE XREF: MiExpandSharedZeroCluster+1D8j
		add	[ebp+var_C], 8
		add	esi, 8
		sub	ebx, 1
		jnz	short loc_4D5C22
		mov	edx, [ebp+var_8]
		test	edx, edx
		jz	short loc_4D5C6D
		mov	ecx, [ebp+var_24]
		call	MiUpdatePageTableUseCount

loc_4D5C6D:				; CODE XREF: MiExpandSharedZeroCluster+1F3j
		mov	eax, [ebp+var_28]

loc_4D5C70:				; CODE XREF: MiExpandSharedZeroCluster+21Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4D5C77:				; CODE XREF: MiExpandSharedZeroCluster+11Ej
		mov	[ebp+var_18], ecx
		jmp	loc_4D5B94
; 

loc_4D5C7F:				; CODE XREF: MiExpandSharedZeroCluster+17Aj
		mov	[ebp+var_C], edi
		jmp	loc_4D5BF0
; 

loc_4D5C87:				; CODE XREF: MiExpandSharedZeroCluster+B6j
					; MiExpandSharedZeroCluster+19Aj ...
		mov	eax, 1
		jmp	short loc_4D5C70
; 

loc_4D5C8E:				; CODE XREF: MiExpandSharedZeroCluster+E9j
					; MiExpandSharedZeroCluster+F4j ...
		mov	edi, [ebp+var_8]
		jmp	loc_4D5C04
MiExpandSharedZeroCluster endp


;  S U B	R O U T	I N E 


; __stdcall MiIsPteEvaluated(x,	x)
_MiIsPteEvaluated@8 proc near		; CODE XREF: MiExpandSharedZeroCluster+C8p
					; MiGetClusterPage(x,x,x,x,x,x)+2C1p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, [ecx]
		mov	ebx, edx
		push	edi
		nop
		mov	edi, [ecx+4]
		mov	eax, esi
		or	eax, edi
		jnz	short loc_4D5CAF

loc_4D5CA9:				; CODE XREF: MiIsPteEvaluated(x,x)+43j
		xor	eax, eax

loc_4D5CAB:				; CODE XREF: MiIsPteEvaluated(x,x)+48j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4D5CAF:				; CODE XREF: MiIsPteEvaluated(x,x)+11j
		mov	eax, esi
		xor	ecx, ecx
		and	eax, 1
		or	eax, ecx
		jnz	short loc_4D5CDB
		mov	eax, esi
		and	eax, 400h
		or	eax, ecx
		jz	short loc_4D5CDB
		push	edi
		push	esi
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jz	short loc_4D5CDB
		shrd	esi, edi, 5
		and	esi, 1Fh
		cmp	esi, ebx
		jz	short loc_4D5CA9

loc_4D5CDB:				; CODE XREF: MiIsPteEvaluated(x,x)+22j
					; MiIsPteEvaluated(x,x)+2Dj ...
		xor	eax, eax
		inc	eax
		jmp	short loc_4D5CAB
_MiIsPteEvaluated@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetPagingFileOffset(x)
_MiGetPagingFileOffset@4 proc near	; CODE XREF: MiIssueHardFault(x,x)+43Fp
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+AD9p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, [ecx]
		nop
		mov	edx, [ecx+4]
		mov	ecx, esi
		mov	eax, edx
		shrd	ecx, eax, 2
		test	cl, 1
		jnz	short loc_4D5D00
		xor	eax, eax

loc_4D5CFD:				; CODE XREF: MiGetPagingFileOffset(x)+4Aj
		pop	esi
		leave
		retn
; 

loc_4D5D00:				; CODE XREF: MiGetPagingFileOffset(x)+19j
		mov	ecx, dword_6D0700
		mov	eax, ecx
		push	ebx
		mov	ebx, dword_6D0704
		or	eax, ebx
		push	edi
		mov	edi, edx
		jz	short loc_4D5D26
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4D5D26
		mov	edx, ebx
		not	edx
		and	edx, edi

loc_4D5D26:				; CODE XREF: MiGetPagingFileOffset(x)+34j
					; MiGetPagingFileOffset(x)+3Ej
		pop	edi
		mov	eax, edx
		pop	ebx
		jmp	short loc_4D5CFD
_MiGetPagingFileOffset@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiMakePrototypePteVadLookup(x)
_MiMakePrototypePteVadLookup@4 proc near ; CODE	XREF: MiSplitPrivatePage(x,x,x)+2F7p
					; MiSetReadOnlyOnSectionView(x,x,x,x):loc_47747Ap ...
		and	ecx, 1Fh
		or	eax, 0FFFFFFFFh
		or	ecx, 0F8000020h
		shld	eax, ecx, 5
		shl	ecx, 5
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		retn
_MiMakePrototypePteVadLookup@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiLargePageFreeToZero(x, x,	x, x)
_MiLargePageFreeToZero@16 proc near	; CODE XREF: MiZeroPage(x,x)+3BDp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		lea	eax, ds:0[ecx*8]
		mov	[ebp-4], ecx
		sub	eax, ecx
		mov	[ebp-14h], edx
		push	esi
		mov	esi, ds:_MiLargePageSizes[edx*4]
		push	edi
		mov	edi, ds:_MmPfnDatabase
		mov	dword ptr [ebp-2Ch], 0
		lea	eax, [edi+eax*4]
		mov	ecx, eax
		mov	[ebp-8], eax
		sub	ecx, edi
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		mov	eax, [eax+4]
		mov	dword ptr [ebp-34h], 0
		lea	ecx, [eax+eax*4]
		shl	ecx, 7
		add	ecx, dword_6D4E50
		test	ds:byte_70EFC6,	21h
		mov	[ebp-10h], ecx
		lea	eax, [ecx+204h]
		mov	[ebp-30h], eax
		jz	short loc_4D5DE9
		mov	edx, eax
		lea	ecx, [ebp-34h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4D5DFA
; 

loc_4D5DE9:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+8Bj
		lea	edx, [ebp-34h]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_4D5DFA
		lea	ecx, [ebp-34h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4D5DFA:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+97j
					; MiLargePageFreeToZero(x,x,x,x)+A0j
		mov	edi, [ebp-8]
		mov	ecx, edi
		call	_MiStopPageAccessor@4 ;	MiStopPageAccessor(x)
		cmp	byte ptr [ebx+0Ch], 0
		jz	loc_4D5F0D
		mov	edi, 1
		cmp	dword_6D3034, edi
		jnz	loc_4D5EB7
		mov	edx, [ebp-4]
		mov	ecx, edx
		mov	eax, dword_6D3068
		and	edx, 1Fh
		shr	ecx, 5
		mov	[ebp-4], edx
		lea	edi, [eax+ecx*4]
		lea	eax, [edx+esi]
		cmp	eax, 20h
		ja	short loc_4D5E5A
		cmp	esi, 20h
		jnz	short loc_4D5E4A
		mov	dword ptr [edi], 0FFFFFFFFh
		jmp	short loc_4D5EB2
; 

loc_4D5E4A:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+F0j
		mov	ecx, esi
		mov	eax, 1
		shl	eax, cl
		mov	ecx, edx
		dec	eax
		shl	eax, cl
		jmp	short loc_4D5EAF
; 

loc_4D5E5A:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+EBj
		test	edx, edx
		jz	short loc_4D5E7D
		mov	edx, 20h
		mov	eax, 1
		sub	edx, [ebp-4]
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [ebp-4]
		dec	eax
		shl	eax, cl
		lock or	[edi], eax
		sub	esi, edx
		add	edi, 4

loc_4D5E7D:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+10Cj
		cmp	esi, 20h
		jb	short loc_4D5EA1
		mov	eax, esi
		shr	eax, 5
		jmp	short loc_4D5E90
; 
		align 10h

loc_4D5E90:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+137j
					; MiLargePageFreeToZero(x,x,x,x)+14Fj
		mov	dword ptr [edi], 0FFFFFFFFh
		sub	esi, 20h
		add	edi, 4
		sub	eax, 1
		jnz	short loc_4D5E90

loc_4D5EA1:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+130j
		test	esi, esi
		jz	short loc_4D5EB2
		mov	eax, 1
		mov	ecx, esi
		shl	eax, cl
		dec	eax

loc_4D5EAF:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+108j
		lock or	[edi], eax

loc_4D5EB2:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+F8j
					; MiLargePageFreeToZero(x,x,x,x)+153j
		mov	edi, 1

loc_4D5EB7:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+C9j
		test	ds:byte_70EFC6,	1
		jz	short loc_4D5ED6

loc_4D5EC0:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+3F0j
		mov	edx, [ebx+4]
		lea	ecx, [ebp-34h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_4D5ECB:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+19Ej
					; MiLargePageFreeToZero(x,x,x,x)+40Ej
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4D5ED6:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+16Ej
		mov	eax, [ebp-34h]
		test	eax, eax
		jnz	short loc_4D5EF5
		mov	edx, [ebp-30h]
		lea	eax, [ebp-34h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-34h]
		cmp	eax, ecx
		jz	short loc_4D5ECB
		call	KxWaitForLockChainValid

loc_4D5EF5:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+18Bj
		mov	dword ptr [ebp-34h], 0
		add	eax, 4
		lock xor [eax],	edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_4D5F0D:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+B8j
		mov	ecx, [edi]
		lea	eax, [edi+4]
		mov	[ebp-20h], eax
		mov	eax, [eax]
		cmp	[ecx+4], edi
		jnz	loc_4D60D9
		cmp	[eax], edi
		jnz	loc_4D60D9
		cmp	dword ptr [ebx+8], 0
		mov	[eax], ecx
		mov	[ecx+4], eax
		jz	short loc_4D5F3F
		mov	edx, 1
		mov	ecx, edi
		call	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)

loc_4D5F3F:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+1E1j
		test	byte ptr ds:_MiFlags, 80h
		mov	edi, [ebp-4]
		jz	short loc_4D5F67
		mov	eax, dword_6D30F0
		inc	eax
		mov	dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	short loc_4D5F67
		mov	edx, esi
		mov	ecx, edi
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)

loc_4D5F67:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+1F9j
					; MiLargePageFreeToZero(x,x,x,x)+20Cj
		mov	edx, [ebp-14h]
		mov	ecx, [ebp-10h]
		imul	eax, edx, 26h
		mov	[ebp-24h], eax
		dec	dword ptr [ecx+eax*4+4]
		imul	eax, edx, 13h
		cmp	edi, 100000h
		mov	[ebp-28h], eax
		sbb	eax, eax
		neg	eax
		add	eax, [ebp-28h]
		dec	dword ptr [ecx+eax*8+0Ch]
		mov	eax, [ebp-8]
		movzx	eax, byte ptr [eax+16h]
		shr	eax, 6
		mov	[ebp-0Ch], eax
		imul	eax, edx, 98h
		add	eax, ecx
		mov	ecx, ds:_MiLargePageSizes[edx*4]
		mov	[ebp-18h], eax
		xor	edx, edx
		mov	eax, edi
		div	ecx
		mov	ecx, [ebp-14h]
		xor	edx, edx
		div	dword_6D0740[ecx*4]
		cmp	edi, 100000h
		mov	edi, [ebp-18h]
		sbb	ecx, ecx
		and	ecx, 8
		add	ecx, 4
		lea	eax, [edx+edx*2]
		mov	edx, [ebp-0Ch]
		shl	eax, 2
		mov	[ebp-1Ch], eax
		lea	eax, [ecx+edx]
		mov	eax, [edi+eax*4+58h]
		add	eax, [ebp-1Ch]
		dec	dword ptr [eax+8]
		mov	eax, [ebp-24h]
		add	eax, ecx
		mov	ecx, [ebp-10h]
		add	eax, edx
		dec	dword ptr [ecx+eax*4+18h]
		mov	eax, esi
		neg	eax
		mov	ecx, offset dword_6D5400
		lock xadd [ecx], eax
		cmp	dword_6D3034, 1
		mov	edi, [ebp-4]
		jnz	loc_4D60A2
		mov	eax, dword_6D3068
		mov	ecx, edi
		shr	ecx, 5
		lea	edi, [eax+ecx*4]
		mov	ecx, [ebp-4]
		and	ecx, 1Fh
		mov	[ebp-14h], ecx
		lea	eax, [ecx+esi]
		cmp	eax, 20h
		ja	short loc_4D6050
		cmp	esi, 20h
		jnz	short loc_4D603F
		mov	dword ptr [edi], 0FFFFFFFFh
		jmp	short loc_4D60A2
; 

loc_4D603F:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+2E5j
		mov	ecx, esi
		mov	eax, 1
		shl	eax, cl
		mov	ecx, [ebp-14h]
		dec	eax
		shl	eax, cl
		jmp	short loc_4D609F
; 

loc_4D6050:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+2E0j
		test	ecx, ecx
		jz	short loc_4D6076
		mov	edx, 20h
		mov	eax, 1
		sub	edx, ecx
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [ebp-14h]
		dec	eax
		shl	eax, cl
		lock or	[edi], eax
		mov	ecx, esi
		sub	ecx, edx
		add	edi, 4
		jmp	short loc_4D6078
; 

loc_4D6076:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+302j
		mov	ecx, esi

loc_4D6078:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+324j
		cmp	ecx, 20h
		jb	short loc_4D6093
		mov	eax, ecx
		shr	eax, 5

loc_4D6082:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+341j
		mov	dword ptr [edi], 0FFFFFFFFh
		sub	ecx, 20h
		add	edi, 4
		sub	eax, 1
		jnz	short loc_4D6082

loc_4D6093:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+32Bj
		test	ecx, ecx
		jz	short loc_4D60A2
		mov	eax, 1
		shl	eax, cl
		dec	eax

loc_4D609F:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+2FEj
		lock or	[edi], eax

loc_4D60A2:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+2BEj
					; MiLargePageFreeToZero(x,x,x,x)+2EDj ...
		mov	ecx, [ebp-8]
		mov	edi, [ebp-18h]
		mov	al, [ecx+16h]
		and	al, 0F8h
		cmp	dword ptr [ebp-4], 100000h
		mov	[ecx+16h], al
		sbb	eax, eax
		and	eax, 8
		mov	[ebp-14h], eax
		add	eax, [ebp-0Ch]
		mov	eax, [edi+eax*4+58h]
		add	eax, [ebp-1Ch]
		test	byte ptr ds:_MiFlags, 30h
		mov	edi, [eax+4]
		jnz	short loc_4D60E0
		cmp	[edi], eax
		jz	short loc_4D60EA

loc_4D60D9:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+1CAj
					; MiLargePageFreeToZero(x,x,x,x)+1D2j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4D60E0:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+383j
		cmp	[edi], eax
		jnz	short loc_4D60D9
		lea	edx, [ecx+4]
		mov	[ebp-20h], edx

loc_4D60EA:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+387j
		mov	edx, eax
		mov	[ebp-18h], ecx
		mov	[ecx], edx
		mov	edx, [ebp-20h]
		mov	[ebp-1Ch], ecx
		mov	ecx, edi
		mov	[edx], ecx
		mov	edx, [ebp-18h]
		mov	ecx, [ebp-8]
		mov	[edi], edx
		mov	edx, [ebp-24h]
		mov	[eax+4], ecx
		inc	dword ptr [eax+8]
		mov	eax, [ebp-14h]
		mov	ecx, [ebp-10h]
		add	eax, edx
		add	eax, [ebp-0Ch]
		inc	dword ptr [ecx+eax*4+18h]
		inc	dword ptr [ecx+edx*4]
		cmp	dword ptr [ebp-4], 100000h
		sbb	eax, eax
		neg	eax
		add	eax, [ebp-28h]
		inc	dword ptr [ecx+eax*8+8]
		mov	eax, offset dword_6D53C0
		lock xadd [eax], esi
		test	ds:byte_70EFC6,	1
		jnz	loc_4D5EC0
		mov	eax, [ebp-34h]
		test	eax, eax
		jnz	short loc_4D6169
		mov	edx, [ebp-30h]
		lea	eax, [ebp-34h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-34h]
		cmp	eax, ecx
		jz	loc_4D5ECB
		call	KxWaitForLockChainValid

loc_4D6169:				; CODE XREF: MiLargePageFreeToZero(x,x,x,x)+3FBj
		mov	dword ptr [ebp-34h], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_MiLargePageFreeToZero@16 endp ; sp =  4


;  S U B	R O U T	I N E 


; __stdcall MiStopPageAccessor(x)
_MiStopPageAccessor@4 proc near		; CODE XREF: MiPageListCollision(x,x)+5p
					; MiLargePageFreeToZero(x,x,x,x)+AFp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		push	0
		push	80h
		mov	esi, [edi+8]
		and	byte ptr [edi+16h], 0F7h
		and	dword ptr [esi+0Ch], 0
		mov	byte ptr [esi+25h], 1
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[edi+8], eax
		mov	eax, esi
		mov	[edi+0Ch], edx
		pop	edi
		pop	esi
		retn
_MiStopPageAccessor@4 endp


;  S U B	R O U T	I N E 


MiYieldPageTableWalk proc near		; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+3F8p
					; MiWalkPageTablesRecursively(x,x,x)+74Ap ...

; FUNCTION CHUNK AT 005C92B5 SIZE 0000000C BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	al, [esi+2]
		mov	ecx, [esi+44h]
		or	al, 2
		mov	[esi+2], al
		test	ecx, ecx
		jz	short loc_4D61F1
		push	esi
		call	ecx
		mov	edi, eax
		mov	al, [esi+2]

loc_4D61D2:				; CODE XREF: MiYieldPageTableWalk+45j
		and	al, 0FDh
		mov	[esi+2], al
		test	al, 1
		jnz	short loc_4D61EB
		cmp	edi, 3
		jge	short loc_4D61EB
		test	ebx, ebx
		jz	short loc_4D61EB
		mov	ecx, esi
		call	MiReleaseWalkLocks

loc_4D61EB:				; CODE XREF: MiYieldPageTableWalk+27j
					; MiYieldPageTableWalk+2Cj ...
		mov	eax, edi

loc_4D61ED:				; CODE XREF: MiYieldPageTableWalk+F310Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4D61F1:				; CODE XREF: MiYieldPageTableWalk+16j
		xor	edi, edi
		cmp	byte ptr [esi+6], 21h
		jnz	short loc_4D61D2
		jmp	loc_5C92B5
MiYieldPageTableWalk endp


;  S U B	R O U T	I N E 


MiReleaseWalkLocks proc	near		; CODE XREF: MiGetNextPageTablePte+C6p
					; MiYieldPageTableWalk+34p ...

; FUNCTION CHUNK AT 005C92C1 SIZE 0000000F BYTES

		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edx, [esi+1Ch]
		mov	edi, [esi+10h]
		test	edx, edx
		jz	short loc_4D621A
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		and	dword ptr [esi+1Ch], 0

loc_4D621A:				; CODE XREF: MiReleaseWalkLocks+Fj
		movzx	eax, word ptr [esi]
		test	al, 4
		jz	short loc_4D6233
		mov	dl, [esi+6]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared

loc_4D622B:				; CODE XREF: MiReleaseWalkLocks+4Aj
		or	byte ptr [esi+2], 1
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_4D6233:				; CODE XREF: MiReleaseWalkLocks+21j
		test	eax, 400h
		jnz	loc_5C92C1

loc_4D623E:				; CODE XREF: MiReleaseWalkLocks+F30CDj
		mov	dl, [esi+6]
		mov	ecx, edi
		call	MiUnlockWorkingSetExclusive
		jmp	short loc_4D622B
MiReleaseWalkLocks endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiTrimWorkingSetTail proc near		; CODE XREF: .text:0045AF3Ap
					; DATA XREF: MiTrimWorkingSet+193o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C92D0 SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, [edi+10h]
		mov	esi, [edi+48h]

loc_4D625F:				; CODE XREF: MiTrimWorkingSetTail+F30B2j
		mov	edx, esi
		mov	ecx, edi
		call	MiTrimWorkingSetBuildup
		test	byte ptr [esi],	80h
		jnz	short loc_4D6292

loc_4D626D:				; CODE XREF: MiTrimWorkingSetTail+68j
		mov	edx, [esi+0B4h]
		test	edx, edx
		jnz	loc_5C92D0

loc_4D627B:				; CODE XREF: MiTrimWorkingSetTail+F3089j
					; MiTrimWorkingSetTail+F3099j
		test	dword ptr [esi], 800h
		jnz	loc_5C9301

loc_4D6287:				; CODE XREF: MiTrimWorkingSetTail+F30C2j
		xor	eax, eax

loc_4D6289:				; CODE XREF: MiTrimWorkingSetTail+F30CBj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4D6292:				; CODE XREF: MiTrimWorkingSetTail+21j
		mov	edx, [esi+8]
		sub	edx, [esi+0Ch]
		add	[ebx+8], edx
		mov	eax, [esi+8]
		mov	ecx, [esi]
		mov	[esi+0Ch], eax
		and	ecx, 0Fh
		mov	eax, dword_6D5D40
		add	[eax+ecx*4+564h], edx
		jmp	short loc_4D626D
MiTrimWorkingSetTail endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiTrimWorkingSetBuildup	proc near	; CODE XREF: .text:0045AF0Fp
					; MiTrimWorkingSetTail+19p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C931A SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, [ecx+10h]
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_30], 0
		push	edi
		mov	[ebp+var_24], ebx
		xor	esi, esi
		mov	[ebp+var_2C], 0
		mov	[ebp+var_18], eax

loc_4D62E6:				; CODE XREF: MiTrimWorkingSetBuildup+44j
		mov	[ebp+var_14], esi
		cmp	esi, 2
		jz	short loc_4D6306
		lea	eax, [esi+esi*8]
		lea	ebx, [ebx+eax*8]
		add	ebx, 0B8h
		cmp	byte ptr [ebx+44h], 0
		jnz	short loc_4D6332

loc_4D6300:				; CODE XREF: MiTrimWorkingSetBuildup+229j
		mov	ebx, [ebp+var_24]
		inc	esi
		jmp	short loc_4D62E6
; 

loc_4D6306:				; CODE XREF: MiTrimWorkingSetBuildup+2Cj
		cmp	dword ptr [ebx+28h], 0
		lea	edx, [ebx+1Ch]
		jnz	short loc_4D6316

loc_4D630F:				; CODE XREF: MiTrimWorkingSetBuildup+70j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4D6316:				; CODE XREF: MiTrimWorkingSetBuildup+4Dj
		test	dword ptr [ebx], 100h
		jnz	loc_5C9361
		xor	eax, eax

loc_4D6324:				; CODE XREF: MiTrimWorkingSetBuildup+F30A6j
		mov	ecx, [ebp+var_18]
		push	eax
		call	MiFreeWsleList
		sub	[ebx+8], eax
		jmp	short loc_4D630F
; 

loc_4D6332:				; CODE XREF: MiTrimWorkingSetBuildup+3Ej
		mov	eax, [ebx+40h]
		xor	ecx, ecx
		shr	eax, 9
		and	eax, 0FFFFF000h
		mov	[ebp+var_30], 200h
		shl	eax, 9
		mov	[ebp+var_20], eax
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_C], ecx
		test	esi, esi
		jnz	loc_5C931A
		mov	byte ptr [ebp+var_10], cl
		lea	ecx, [ecx+0]

loc_4D6360:				; CODE XREF: MiTrimWorkingSetBuildup+21Fj
					; MiTrimWorkingSetBuildup+F305Ej
		mov	edi, [ebp+var_30]
		cmp	ecx, edi
		jnb	loc_5C9323
		mov	edx, ecx
		mov	[ebp+var_4], ecx

loc_4D6370:				; CODE XREF: MiTrimWorkingSetBuildup+F3068j
		lea	esi, [edi-1]

loc_4D6373:				; CODE XREF: MiTrimWorkingSetBuildup+F308Cj
		mov	eax, esi
		mov	[ebp+var_1C], 0
		sub	eax, edx
		inc	eax
		cmp	eax, 1
		jb	loc_5C932D
		mov	eax, esi
		mov	ecx, edx
		shr	eax, 5
		and	ecx, 1Fh
		mov	edx, 1
		shl	edx, cl
		dec	edx
		lea	eax, [ebx+eax*4]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_4]
		shr	eax, 5
		lea	eax, [ebx+eax*4]
		mov	[ebp+var_8], eax
		mov	eax, [eax]
		not	eax
		or	eax, edx
		mov	edx, [ebp+var_8]
		cmp	eax, 0FFFFFFFFh
		jz	loc_4D6560

loc_4D63BE:				; CODE XREF: MiTrimWorkingSetBuildup+2B3j
		not	eax
		sub	edx, ebx
		bsf	eax, eax
		sar	edx, 2
		shl	edx, 5
		add	edx, eax
		mov	[ebp+var_8], edx
		cmp	edx, esi
		ja	loc_4D6578
		cmp	edx, 0FFFFFFFFh
		jz	loc_4D657E

loc_4D63E1:				; CODE XREF: MiTrimWorkingSetBuildup+F3077j
		mov	esi, [ebp+var_14]
		cmp	edx, [ebp+var_C]
		jb	loc_4D64E5
		cmp	edx, 0FFFFFFFFh
		jz	loc_4D64E5
		cmp	edx, 200h
		jnb	loc_4D6592
		mov	eax, edx
		lea	ecx, [ebx+3Ch]
		shr	eax, 5
		mov	edi, edx
		mov	[ebp+var_4], edi
		lea	eax, [ebx+eax*4]
		mov	[ebp+var_C], eax
		cmp	eax, ecx
		jz	short loc_4D643B
		mov	ecx, [eax]
		mov	eax, edx
		and	eax, 1Fh
		mov	[ebp+var_1C], eax
		mov	eax, ds:dword_40BA68[eax*4]
		or	eax, ecx
		lea	ecx, [ebx+3Ch]
		cmp	eax, 0FFFFFFFFh
		mov	eax, [ebp+var_C]
		jz	loc_4D6534

loc_4D643B:				; CODE XREF: MiTrimWorkingSetBuildup+157j
					; MiTrimWorkingSetBuildup+287j	...
		cmp	edi, 200h
		jnb	short loc_4D6454

loc_4D6443:				; CODE XREF: MiTrimWorkingSetBuildup+18Fj
		bt	[ebx], edi
		jnb	short loc_4D6451
		inc	edi
		cmp	edi, 200h
		jb	short loc_4D6443

loc_4D6451:				; CODE XREF: MiTrimWorkingSetBuildup+186j
		mov	[ebp+var_4], edi

loc_4D6454:				; CODE XREF: MiTrimWorkingSetBuildup+181j
		xor	edi, edi
		cmp	eax, ecx
		jz	short loc_4D6472
		mov	ecx, [eax]
		mov	eax, [ebp+var_4]
		and	eax, 1Fh
		mov	[ebp+var_1C], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		jz	short loc_4D64EE

loc_4D6472:				; CODE XREF: MiTrimWorkingSetBuildup+198j
					; MiTrimWorkingSetBuildup+24Aj	...
		mov	ecx, [ebp+var_4]
		lea	eax, [edi+ecx]
		cmp	eax, 200h
		jnb	short loc_4D6493
		nop

loc_4D6480:				; CODE XREF: MiTrimWorkingSetBuildup+1D1j
		bt	[ebx], eax
		jb	short loc_4D6493
		cmp	edi, 0FFFFFFFFh
		jnb	short loc_4D6496
		inc	eax
		inc	edi
		cmp	eax, 200h
		jb	short loc_4D6480

loc_4D6493:				; CODE XREF: MiTrimWorkingSetBuildup+1BDj
					; MiTrimWorkingSetBuildup+1C3j	...
		cmp	edi, 0FFFFFFFFh

loc_4D6496:				; CODE XREF: MiTrimWorkingSetBuildup+1C8j
		ja	loc_5C9359

loc_4D649C:				; CODE XREF: MiTrimWorkingSetBuildup+F309Cj
		test	edi, edi
		jz	loc_4D6594

loc_4D64A4:				; CODE XREF: MiTrimWorkingSetBuildup+2D9j
		push	[ebp+var_10]
		sub	ecx, edx
		shl	edx, 0Ch
		add	edx, [ebp+var_20]
		mov	[ebp+var_4], ecx
		push	ecx
		mov	ecx, [ebp+var_18]
		call	MiSetVaAgeList
		push	[ebp+var_4]
		lea	eax, [ebp+var_30]
		push	[ebp+var_8]
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	ecx, [ebp+var_8]
		add	ecx, edi
		add	ecx, [ebp+var_4]
		mov	[ebp+var_C], ecx
		test	edi, edi
		jz	short loc_4D64E5
		cmp	ecx, 200h
		jnz	loc_4D6360

loc_4D64E5:				; CODE XREF: MiTrimWorkingSetBuildup+127j
					; MiTrimWorkingSetBuildup+130j	...
		mov	byte ptr [ebx+44h], 0
		jmp	loc_4D6300
; 

loc_4D64EE:				; CODE XREF: MiTrimWorkingSetBuildup+1B0j
		mov	edi, 20h
		sub	edi, [ebp+var_1C]
		cmp	edi, 0FFFFFFFFh
		jnb	loc_5C9351
		mov	ecx, [ebp+var_C]
		lea	eax, [ebx+3Ch]
		add	ecx, 4
		cmp	ecx, eax
		jnb	loc_4D6472

loc_4D6510:				; CODE XREF: MiTrimWorkingSetBuildup+26Dj
		cmp	dword ptr [ecx], 0
		jnz	loc_4D6472
		add	edi, 20h
		add	ecx, 4
		cmp	edi, 0FFFFFFFFh
		jnb	loc_5C9351
		lea	eax, [ebx+3Ch]
		cmp	ecx, eax
		jb	short loc_4D6510
		jmp	loc_4D6472
; 

loc_4D6534:				; CODE XREF: MiTrimWorkingSetBuildup+175j
		mov	edi, edx
		add	eax, 4
		sub	edi, [ebp+var_1C]
		add	edi, 20h
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], edi
		cmp	eax, ecx
		jnb	loc_4D643B
		lea	ecx, [ecx+0]

loc_4D6550:				; CODE XREF: MiTrimWorkingSetBuildup+2CEj
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_4D6586

loc_4D6555:				; CODE XREF: MiTrimWorkingSetBuildup+2D0j
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], edi
		jmp	loc_4D643B
; 

loc_4D6560:				; CODE XREF: MiTrimWorkingSetBuildup+F8j
		mov	ecx, [ebp+var_1C]

loc_4D6563:				; CODE XREF: MiTrimWorkingSetBuildup+2B1j
		add	edx, 4
		cmp	edx, ecx
		ja	short loc_4D6578
		mov	eax, [edx]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4D6563
		jmp	loc_4D63BE
; 

loc_4D6578:				; CODE XREF: MiTrimWorkingSetBuildup+112j
					; MiTrimWorkingSetBuildup+2A8j
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_8], edx

loc_4D657E:				; CODE XREF: MiTrimWorkingSetBuildup+11Bj
		mov	ecx, [ebp+var_C]
		jmp	loc_5C9333
; 

loc_4D6586:				; CODE XREF: MiTrimWorkingSetBuildup+293j
		add	eax, 4
		add	edi, 20h
		cmp	eax, ecx
		jb	short loc_4D6550
		jmp	short loc_4D6555
; 

loc_4D6592:				; CODE XREF: MiTrimWorkingSetBuildup+13Cj
		xor	edi, edi

loc_4D6594:				; CODE XREF: MiTrimWorkingSetBuildup+1DEj
		mov	ecx, 200h
		jmp	loc_4D64A4
MiTrimWorkingSetBuildup	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSetVaAgeList	proc near		; CODE XREF: .text:00458029p
					; .text:0045811Ep ...

var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005C936B SIZE 0000009B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_C], edx
		shr	esi, 9
		xor	al, al
		push	edi
		xor	edi, edi
		mov	[ebp+var_1], al
		and	esi, offset loc_7FFFF8
		mov	[ebp+var_20], 0
		mov	[ebp+var_8], edi
		mov	ebx, ecx
		cmp	edx, 0C0000000h
		jnb	loc_4D6766

loc_4D65D8:				; CODE XREF: MiSetVaAgeList+1CCj
		mov	cl, [ebx+60h]
		mov	[ebp+var_10], 1

loc_4D65E2:				; CODE XREF: MiSetVaAgeList+1DBj
					; MiSetVaAgeList+F2DD2j
		and	cl, 7
		cmp	cl, 2
		jz	loc_4D6786
		lea	ecx, [ebx+0C0h]

loc_4D65F4:				; CODE XREF: MiSetVaAgeList+1EBj
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_24], ecx
		mov	[ebp+var_28], edi
		jnz	loc_5C9377
		lea	edx, [ebp+var_28]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	loc_4D6810

loc_4D6614:				; CODE XREF: MiSetVaAgeList+27Bj
		cmp	[ebp+arg_4], 8
		mov	edi, [ebp+arg_0]
		jz	loc_4D67B0

loc_4D6621:				; CODE XREF: MiSetVaAgeList+21Ej
		test	edi, edi
		jz	loc_4D6729
		lea	esp, [esp+0]

loc_4D6630:				; CODE XREF: MiSetVaAgeList+1F3j
		cmp	[ebp+var_10], 0
		jz	loc_4D6848
		movzx	eax, byte ptr [ebx+60h]
		mov	edx, [ebp+var_C]
		and	eax, 7
		mov	[ebp+var_14], 0
		mov	ecx, dword_6D2E68[eax*4]
		mov	eax, edx
		shr	eax, 0Ch
		add	eax, ecx
		mov	[ebp+arg_0], eax
		mov	al, [eax]
		mov	cl, al
		mov	[ebp+var_1], al
		and	cl, 0Fh
		cmp	cl, 0Ah
		jz	loc_5C93E5
		mov	dl, cl
		cmp	cl, 8
		jz	loc_4D6798
		xor	ecx, ecx

loc_4D667C:				; CODE XREF: MiSetVaAgeList+1FDj
		mov	[ebp+var_8], ecx

loc_4D667F:				; CODE XREF: MiSetVaAgeList+2E1j
		cmp	dl, 8
		jz	loc_4D67A2

loc_4D6688:				; CODE XREF: MiSetVaAgeList+20Bj
		test	ecx, ecx
		jnz	short loc_4D669C
		movzx	ecx, dl
		dec	dword ptr [ebx+ecx*4+18h]
		cmp	dl, 7
		jz	loc_4D6886

loc_4D669C:				; CODE XREF: MiSetVaAgeList+EAj
					; MiSetVaAgeList+2F3j
		mov	cl, [ebp+arg_4]
		mov	ah, cl
		mov	byte ptr [ebp+arg_0+3],	ah
		test	cl, cl
		jz	short loc_4D66C0
		cmp	cl, 7
		jnb	short loc_4D66C0
		mov	edx, [esi-40000000h]
		nop
		and	edx, 20h
		or	edx, 0
		jnz	loc_4D6898

loc_4D66C0:				; CODE XREF: MiSetVaAgeList+106j
					; MiSetVaAgeList+10Bj ...
		mov	edx, [ebp+var_14]
		test	edx, edx
		jnz	loc_4D6820
		mov	cl, al
		xor	cl, ah
		and	cl, 0Fh
		xor	al, cl
		movzx	ecx, byte ptr [ebx+60h]
		and	ecx, 7
		mov	[ebp+var_1], al
		mov	edx, dword_6D2E68[ecx*4]
		mov	ecx, [ebp+var_C]
		shr	ecx, 0Ch
		add	edx, ecx
		mov	cl, [edx]
		and	cl, 0Fh
		cmp	cl, 0Ah
		jz	loc_5C93D4
		mov	[edx], al

loc_4D66FD:				; CODE XREF: MiSetVaAgeList+294j
		cmp	ah, 8
		jnb	loc_4D67C9
		cmp	[ebp+var_10], 0
		jz	loc_4D6839

loc_4D6710:				; CODE XREF: MiSetVaAgeList+29Dj
		movzx	eax, ah
		inc	dword ptr [ebx+eax*4+18h]
		cmp	byte ptr [ebp+arg_0+3],	7
		jz	loc_4D67FD

loc_4D6721:				; CODE XREF: MiSetVaAgeList:loc_4D67C9j
					; MiSetVaAgeList+235j ...
		sub	edi, 1
		mov	[ebp+arg_0], edi
		jnz	short loc_4D6790

loc_4D6729:				; CODE XREF: MiSetVaAgeList+83j
		test	ds:byte_70EFC6,	1
		jnz	loc_5C93F6
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_4D67E2
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jnz	loc_4D67DA

loc_4D6758:				; CODE XREF: MiSetVaAgeList+F2E61j
		mov	eax, 1

loc_4D675D:				; CODE XREF: MiSetVaAgeList+F2E2Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4D6766:				; CODE XREF: MiSetVaAgeList+32j
		cmp	edx, 0C07FFFFFh
		ja	loc_4D65D8
		mov	cl, [ebx+60h]
		mov	[ebp+var_10], edi
		test	cl, 7
		jz	loc_4D65E2
		jmp	loc_5C936B
; 

loc_4D6786:				; CODE XREF: MiSetVaAgeList+48j
		mov	ecx, offset unk_6D3C80
		jmp	loc_4D65F4
; 

loc_4D6790:				; CODE XREF: MiSetVaAgeList+187j
		mov	al, [ebp+var_1]
		jmp	loc_4D6630
; 

loc_4D6798:				; CODE XREF: MiSetVaAgeList+D4j
		mov	ecx, 1
		jmp	loc_4D667C
; 

loc_4D67A2:				; CODE XREF: MiSetVaAgeList+E2j
		mov	ecx, [ebx+0Ch]
		dec	dword ptr [ecx+14h]
		mov	ecx, [ebp+var_8]
		jmp	loc_4D6688
; 

loc_4D67B0:				; CODE XREF: MiSetVaAgeList+7Bj
		mov	ecx, [ebx+0Ch]
		mov	ecx, [ecx+14h]
		add	ecx, 6
		add	ecx, edi
		cmp	[ebx+3Ch], ecx
		jnb	loc_4D6621
		jmp	loc_5C9386
; 

loc_4D67C9:				; CODE XREF: MiSetVaAgeList+160j
		jnz	loc_4D6721
		mov	eax, [ebx+0Ch]
		inc	dword ptr [eax+14h]
		jmp	loc_4D6721
; 

loc_4D67DA:				; CODE XREF: MiSetVaAgeList+1B2j
		lea	ecx, [ebp+var_28]
		call	KxWaitForLockChainValid

loc_4D67E2:				; CODE XREF: MiSetVaAgeList+19Bj
		lea	ecx, [eax+4]
		mov	[ebp+var_28], 0
		mov	eax, 1
		lock xor [ecx],	eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4D67FD:				; CODE XREF: MiSetVaAgeList+17Bj
		mov	eax, 1
		mov	ecx, ebx
		mov	edx, eax
		call	MiVolunteerForTrimFirst
		jmp	loc_4D6721
; 

loc_4D6810:				; CODE XREF: MiSetVaAgeList+6Ej
		lea	ecx, [ebp+var_28]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4D6818:				; CODE XREF: MiSetVaAgeList+F2DE1j
		mov	al, [ebp+var_1]
		jmp	loc_4D6614
; 

loc_4D6820:				; CODE XREF: MiSetVaAgeList+125j
		mov	eax, [edx]
		movzx	ecx, byte ptr [ebp+arg_0+3]
		add	ecx, ecx
		xor	ecx, eax
		and	ecx, 0Eh
		xor	ecx, eax
		mov	ah, byte ptr [ebp+arg_0+3]
		mov	[edx], ecx
		jmp	loc_4D66FD
; 

loc_4D6839:				; CODE XREF: MiSetVaAgeList+16Aj
		test	byte ptr [ebx+60h], 7
		jz	loc_4D6710
		jmp	loc_4D6721
; 

loc_4D6848:				; CODE XREF: MiSetVaAgeList+94j
		mov	edi, [esi-40000000h]
		nop
		mov	ecx, [esi-3FFFFFFCh]
		shrd	edi, ecx, 0Ch
		mov	ecx, ds:_MmPfnDatabase
		and	edi, 1FFFFFFh
		lea	edx, ds:0[edi*8]
		sub	edx, edi
		mov	edi, [ebp+arg_0]
		lea	ecx, [ecx+edx*4]
		mov	edx, [ecx]
		shr	edx, 1
		mov	[ebp+var_14], ecx
		and	dl, 7
		mov	ecx, [ebp+var_8]
		jmp	loc_4D667F
; 

loc_4D6886:				; CODE XREF: MiSetVaAgeList+F6j
		or	edx, 0FFFFFFFFh
		mov	ecx, ebx
		call	MiVolunteerForTrimFirst
		mov	al, [ebp+var_1]
		jmp	loc_4D669C
; 

loc_4D6898:				; CODE XREF: MiSetVaAgeList+11Aj
		mov	ecx, [ebp+var_C]
		cmp	ecx, ds:_MmHighestUserAddress
		ja	short loc_4D68B6
		test	byte ptr [ebx+60h], 7
		jnz	short loc_4D68B6
		cmp	dword ptr [ebx+1A4h], 0
		jnz	loc_4D66C0

loc_4D68B6:				; CODE XREF: MiSetVaAgeList+301j
					; MiSetVaAgeList+307j
		xor	ah, ah
		mov	byte ptr [ebp+arg_0+3],	ah
		jmp	loc_4D66C0
MiSetVaAgeList	endp

; 

MiVolunteerForTrimFirst:		; CODE XREF: MiSetVaAgeList+266p
					; MiSetVaAgeList+2EBp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx+34h]
		push	ebx
		push	esi
		push	edi
		mov	edi, dword_6D5D40
		xor	ebx, ebx
		mov	[ebp-4], ebx
		cmp	eax, [edi+30h]
		jnb	short loc_4D695B
		test	edx, edx
		jle	short loc_4D68E7

loc_4D68E2:				; CODE XREF: .text:004D68F0j
					; .text:004D68F4j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4D68E7:				; CODE XREF: .text:004D68E0j
		lea	esi, [ecx+10h]
		cmp	dword_6D5D48, esi
		jz	short loc_4D68E2
		cmp	[esi], ebx
		jz	short loc_4D68E2
		push	2
		pop	ebx

loc_4D68F9:				; CODE XREF: .text:004D6979j
		and	dword ptr [ebp-0Ch], 0
		mov	eax, offset dword_6D3540
		test	ds:byte_70EFC6,	21h
		mov	[ebp-8], eax
		jnz	loc_5C9406
		lea	edx, [ebp-0Ch]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_5C9415

loc_4D691F:				; CODE XREF: .text:005C9410j
					; .text:005C941Dj
		cmp	byte ptr [edi+2Dh], 0
		jz	short loc_4D697E

loc_4D6925:				; CODE XREF: .text:004D6982j
		xor	ebx, ebx
		inc	ebx
		mov	[edi+2Eh], bl

loc_4D692B:				; CODE XREF: .text:004D69B9j
		test	ds:byte_70EFC6,	1
		jnz	loc_5C9422
		mov	eax, [ebp-0Ch]
		test	eax, eax
		jnz	loc_5C943A
		mov	edx, [ebp-8]
		lea	eax, [ebp-0Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-0Ch]
		cmp	eax, ecx
		jz	short loc_4D68E2
		jmp	loc_5C9432
; 

loc_4D695B:				; CODE XREF: .text:004D68DCj
		test	edx, edx
		js	short loc_4D68E2
		lea	esi, [ecx+10h]
		cmp	dword_6D5D44, esi
		jz	loc_4D68E2
		cmp	[esi], ebx
		jz	loc_4D68E2
		xor	ebx, ebx
		inc	ebx
		jmp	loc_4D68F9
; 

loc_4D697E:				; CODE XREF: .text:004D6923j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_4D6925
		mov	ecx, [esi+4]
		cmp	[eax+4], esi
		jnz	short loc_4D69D9
		cmp	[ecx], esi
		jnz	short loc_4D69D9
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	eax, offset dword_6D5D44
		cmp	ebx, 1
		jz	short loc_4D69BE
		mov	ecx, dword_6D5D48
		cmp	[ecx], eax
		jnz	short loc_4D69D9
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	dword_6D5D48, esi

loc_4D69B6:				; CODE XREF: .text:004D69D7j
		xor	ebx, ebx
		inc	ebx
		jmp	loc_4D692B
; 

loc_4D69BE:				; CODE XREF: .text:004D699Dj
		mov	ecx, dword_6D5D44
		cmp	[ecx+4], eax
		jnz	short loc_4D69D9
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[ecx+4], esi
		mov	dword_6D5D44, esi
		jmp	short loc_4D69B6
; 

loc_4D69D9:				; CODE XREF: .text:004D698Aj
					; .text:004D698Ej ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		dd 4 dup(0CCCCCCCCh)
; Exported entry 125. KeAcquireInStackQueuedSpinLockAtDpcLevel

;  S U B	R O U T	I N E 


; __fastcall KeAcquireInStackQueuedSpinLockAtDpcLevel(x, x)
		public @KeAcquireInStackQueuedSpinLockAtDpcLevel@8
@KeAcquireInStackQueuedSpinLockAtDpcLevel@8 proc near ;	CODE XREF: .text:004B5AAEp
					; CcSerializeWithLazyWriter(x,x)+25p ...
		mov	eax, edx
		mov	[eax+4], ecx
		mov	dword ptr [eax], 0
		test	ds:byte_70EFC6,	21h
		jnz	short loc_4D6A0B
		xchg	edx, [ecx]
		test	edx, edx
		jnz	short loc_4D6A14
		retn
; 

loc_4D6A0B:				; CODE XREF: KeAcquireInStackQueuedSpinLockAtDpcLevel(x,x)+12j
		mov	edx, ecx
		mov	ecx, eax
		jmp	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
; 

loc_4D6A14:				; CODE XREF: KeAcquireInStackQueuedSpinLockAtDpcLevel(x,x)+18j
		mov	ecx, eax
		jmp	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
@KeAcquireInStackQueuedSpinLockAtDpcLevel@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KxWaitForLockOwnerShip(x, x)
@KxWaitForLockOwnerShip@8 proc near	; CODE XREF: MmEnforceWorkingSetLimit+197p
					; MiDeleteProcessShadow+1EAp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], 0
		or	dword ptr [esi+4], 1
		mov	[edx], esi

loc_4D6A36:				; CODE XREF: KxWaitForLockOwnerShip(x,x)+23j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi+4]
		test	al, 1
		jnz	short loc_4D6A36
		mov	eax, [ebp+var_4]
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
@KxWaitForLockOwnerShip@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 379. ExInitializePushLock
; Exported entry 1178. KeInitializeSpinLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KzInitializeSpinLock(x)
		public _KzInitializeSpinLock@4
_KzInitializeSpinLock@4	proc near	; CODE XREF: VerifierKeInitializeSpinLock(x)+13p
					; VerifierKeInitializeSpinLockNoReboot(x)+11j
					; DATA XREF: ...

arg_0		= dword	ptr  8

		mov	edi, edi	; ExInitializePushLock
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		pop	ebp
		retn	4
_KzInitializeSpinLock@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopIncrementDeviceObjectRefCount proc near ; CODE XREF:	IopCompleteUnloadOrDelete+AAp
					; PnpMarkDeviceForRemove(x,x,x)+6Fp ...

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005C944C SIZE 000000A1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		test	dl, dl
		jz	loc_4D6B27
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, large fs:20h
		mov	esi, [ecx+46Ch]
		add	ecx, 468h
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1], al
		jnz	loc_5C944C
		mov	edx, ecx
		xchg	edx, [esi]
		test	edx, edx
		jnz	short loc_4D6B06

loc_4D6AB3:				; CODE XREF: IopIncrementDeviceObjectRefCount+9Bj
					; IopIncrementDeviceObjectRefCount+F29E3j
		mov	eax, [ebx+4]
		inc	eax
		mov	[ebx+4], eax
		mov	esi, [ebx+4]
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		push	edi
		lea	edi, [eax+468h]
		jnz	loc_5C9458
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_4D6B14
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jnz	short loc_4D6B0D

loc_4D6AEC:				; CODE XREF: IopIncrementDeviceObjectRefCount+B5j
					; IopIncrementDeviceObjectRefCount+F29F2j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi

loc_4D6AF6:				; CODE XREF: IopIncrementDeviceObjectRefCount+BDj
		test	esi, esi
		jle	loc_5C9467
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4D6B06:				; CODE XREF: IopIncrementDeviceObjectRefCount+41j
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_4D6AB3
; 

loc_4D6B0D:				; CODE XREF: IopIncrementDeviceObjectRefCount+7Aj
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_4D6B14:				; CODE XREF: IopIncrementDeviceObjectRefCount+6Bj
		mov	dword ptr [edi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4D6AEC
; 

loc_4D6B27:				; CODE XREF: IopIncrementDeviceObjectRefCount+Cj
		inc	dword ptr [ebx+4]
		mov	esi, [ebx+4]
		jmp	short loc_4D6AF6
IopIncrementDeviceObjectRefCount endp

; 
		align 10h

;  S U B	R O U T	I N E 


IopIncrementVpbRefCount	proc near	; CODE XREF: IopMountInitializeVpb+5Fp
					; IopReferenceVerifyVpb(x,x,x)+39p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+14h]
		test	dl, dl
		jz	short loc_4D6B52
		push	9
		mov	edx, esi
		pop	ecx
		call	IopInterlockedIncrementUlong

loc_4D6B47:				; CODE XREF: IopIncrementVpbRefCount+26j
		test	eax, eax
		jle	loc_5C9498
		pop	edi
		pop	esi
		retn
; 

loc_4D6B52:				; CODE XREF: IopIncrementVpbRefCount+Bj
		inc	dword ptr [esi]
		mov	eax, [esi]
		jmp	short loc_4D6B47
IopIncrementVpbRefCount	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInterlockedIncrementUlong proc near	; CODE XREF: IopIncrementVpbRefCount+12p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al
		xor	eax, eax
		inc	eax
		add	[esi], eax
		mov	eax, [esi]
		mov	edx, large fs:20h
		test	ds:byte_70EFC6,	1
		mov	[ebp+var_4], eax
		lea	esi, [edx+418h]
		lea	esi, [esi+edi*8]
		jnz	loc_5C94DE
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_4D6BBF
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_4D6BB8

loc_4D6BA8:				; CODE XREF: IopInterlockedIncrementUlong+76j
					; IopIncrementDeviceObjectRefCount+F2A78j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4D6BB8:				; CODE XREF: IopInterlockedIncrementUlong+4Ej
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_4D6BBF:				; CODE XREF: IopInterlockedIncrementUlong+3Fj
		lea	ecx, [eax+4]
		mov	dword ptr [esi], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax
		jmp	short loc_4D6BA8
IopInterlockedIncrementUlong endp


;  S U B	R O U T	I N E 


; __stdcall KeDisableQueueingPriorityIncrement(x, x)
_KeDisableQueueingPriorityIncrement@8 proc near	; CODE XREF: NtCreateWorkerFactory+A2p
		mov	edi, edi
		lock bts dword ptr [ecx], 9
		retn
_KeDisableQueueingPriorityIncrement@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAdjustPteBins()
_MiAdjustPteBins@0 proc	near		; CODE XREF: MiWorkingSetManager(x,x)+24Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+18h+var_4], eax
		push	esi
		xor	esi, esi
		mov	[esp+1Ch+var_10], offset dword_6D35E0
		push	edi
		mov	[esp+20h+var_C], offset	unk_6D33D0
		mov	edi, esi
		mov	[esp+20h+var_8], offset	unk_6D339C

loc_4D6C0C:				; CODE XREF: MiAdjustPteBins()+69j
		mov	eax, [esp+edi*4+20h+var_10]
		mov	[esp+20h+var_14], eax
		test	byte ptr [eax+0Ch], 1
		jz	short loc_4D6C3D
		xor	edx, edx
		mov	ecx, eax
		call	_MiEmptyPteBins@8 ; MiEmptyPteBins(x,x)
		mov	ecx, [esp+20h+var_14]
		call	_MiPteBinsNeedTrimming@4 ; MiPteBinsNeedTrimming(x)
		cmp	eax, 1
		jnz	short loc_4D6C3D
		mov	ecx, [esp+20h+var_14]
		xor	edx, edx
		inc	edx
		call	_MiEmptyPteBins@8 ; MiEmptyPteBins(x,x)

loc_4D6C3D:				; CODE XREF: MiAdjustPteBins()+40j
					; MiAdjustPteBins()+57j
		inc	edi
		cmp	edi, 3
		jb	short loc_4D6C0C
		mov	al, byte_6D340A
		inc	al
		mov	byte_6D340A, al
		test	al, 0Fh
		jnz	short loc_4D6C75

loc_4D6C53:				; CODE XREF: MiAdjustPteBins()+9Bj
		mov	ecx, [esp+esi*4+20h+var_10]
		xor	edx, edx
		push	0Ah
		pop	edi
		mov	eax, [ecx+20h]
		div	edi
		cmp	[ecx+30h], eax
		jbe	short loc_4D6C6F
		push	dword ptr [ecx]
		xor	edx, edx
		call	MiAttemptCoalesce

loc_4D6C6F:				; CODE XREF: MiAdjustPteBins()+8Cj
		inc	esi
		cmp	esi, 3
		jb	short loc_4D6C53

loc_4D6C75:				; CODE XREF: MiAdjustPteBins()+79j
		mov	ecx, [esp+20h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_MiAdjustPteBins@0 endp


;  S U B	R O U T	I N E 


; __stdcall MmGetWorkingSetLeafSize(x)
_MmGetWorkingSetLeafSize@4 proc	near	; CODE XREF: ExpQuerySystemPerformanceInformation+380p
					; ExpQuerySystemPerformanceInformation+391p
		cmp	ecx, 2
		jnz	short loc_4D6CA1
		movzx	eax, byte ptr dword_6D5D90
		neg	eax
		sbb	eax, eax
		and	eax, offset unk_6D5E80
		jz	short loc_4D6CB0

loc_4D6C9D:				; CODE XREF: MmGetWorkingSetLeafSize(x)+28j
		mov	eax, [eax+40h]
		retn
; 

loc_4D6CA1:				; CODE XREF: MmGetWorkingSetLeafSize(x)+3j
		call	_MiTranslateWsType@4 ; MiTranslateWsType(x)
		shl	eax, 8
		add	eax, offset unk_6D3640
		jmp	short loc_4D6C9D
; 

loc_4D6CB0:				; CODE XREF: MmGetWorkingSetLeafSize(x)+15j
		xor	eax, eax
		retn
_MmGetWorkingSetLeafSize@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MmGetSharedCommit()
_MmGetSharedCommit@0 proc near		; CODE XREF: PAGE:0077DD6Cp
					; ExpQuerySystemPerformanceInformation+7E3p
		mov	eax, dword_6D5F64
		retn
_MmGetSharedCommit@0 endp


;  S U B	R O U T	I N E 


; __stdcall MmGetResidentAvailablePages(x)
_MmGetResidentAvailablePages@4 proc near ; CODE	XREF: PAGE:0077DD13p
					; ExpQuerySystemPerformanceInformation+7CCp
		mov	eax, dword_6D3018
		movzx	ecx, cx
		mov	eax, [eax+ecx*4]
		mov	eax, [eax+1000h]
		retn
_MmGetResidentAvailablePages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExQueryPoolUsage(x,	x, x, x, x, x, x, x)
_ExQueryPoolUsage@32 proc near		; CODE XREF: ExpQuerySystemPerformanceInformation+445p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_ExHeapQueryPoolUsage@32 ; ExHeapQueryPoolUsage(x,x,x,x,x,x,x,x)
_ExQueryPoolUsage@32 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MmGetSystemPageCounts(x)
_MmGetSystemPageCounts@4 proc near	; CODE XREF: ExpQuerySystemPerformanceInformation+368p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, offset dword_6CF58C
		mov	edi, ecx
		movsd
		movsd
		movsd
		movsd
		pop	edi
		pop	esi
		retn
_MmGetSystemPageCounts@4 endp


;  S U B	R O U T	I N E 


; __stdcall MmGetNumberOfFreeSystemPtes()
_MmGetNumberOfFreeSystemPtes@0 proc near ; CODE	XREF: MiIssueNoPtesBugcheck(x)+1Ap
					; ExpQuerySystemPerformanceInformation+355p ...
		mov	ecx, offset dword_6D35E0
		call	_MiGetNumberOfCachedPtes@4 ; MiGetNumberOfCachedPtes(x)
		mov	ecx, dword_6D4254
		add	eax, dword_6D3610
		shr	ecx, 0Ch
		add	eax, ecx
		retn
_MmGetNumberOfFreeSystemPtes@0 endp


;  S U B	R O U T	I N E 


; __stdcall MmGetPeakCommitment(x)
_MmGetPeakCommitment@4 proc near	; CODE XREF: PAGE:0077DD59p
					; PAGE:0077DFECp ...
		mov	eax, dword_6D3018
		movzx	ecx, cx
		mov	eax, [eax+ecx*4]
		mov	eax, [eax+0D80h]
		retn
_MmGetPeakCommitment@4 endp


;  S U B	R O U T	I N E 


; __stdcall MmGetTotalCommitLimit(x)
_MmGetTotalCommitLimit@4 proc near	; CODE XREF: PAGE:0077DD44p
					; PAGE:0077DFDFp ...
		mov	eax, dword_6D3018
		movzx	ecx, cx
		mov	eax, [eax+ecx*4]
		mov	eax, [eax+1114h]
		retn
_MmGetTotalCommitLimit@4 endp


;  S U B	R O U T	I N E 


; __stdcall MmGetTotalCommittedPages(x)
_MmGetTotalCommittedPages@4 proc near	; CODE XREF: PAGE:0077DD2Fp
					; PAGE:0077DFD2p ...
		mov	eax, dword_6D3018
		movzx	ecx, cx
		mov	eax, [eax+ecx*4]
		mov	eax, [eax+10BCh]
		retn
_MmGetTotalCommittedPages@4 endp


;  S U B	R O U T	I N E 


; __stdcall MmGetAvailablePages(x)
_MmGetAvailablePages@4 proc near	; CODE XREF: PAGE:0077DCFEp
					; PAGE:0077DFC5p ...
		mov	eax, dword_6D3018
		movzx	ecx, cx
		mov	eax, [eax+ecx*4]
		mov	eax, [eax+0FC0h]
		retn
_MmGetAvailablePages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExHeapQueryPoolUsage(x, x, x, x, x,	x, x, x)
_ExHeapQueryPoolUsage@32 proc near	; CODE XREF: ExQueryPoolUsage(x,x,x,x,x,x,x,x)+6j

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	ecx, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], edi
		mov	esi, ecx
		mov	[ebx], ecx
		mov	[edi], ecx
		cmp	dword_6D8E70, ecx
		jbe	short loc_4D6DBF
		mov	edx, offset dword_6D8E80

loc_4D6D77:				; CODE XREF: ExHeapQueryPoolUsage(x,x,x,x,x,x,x,x)+6Dj
		push	2
		pop	edi

loc_4D6D7A:				; CODE XREF: ExHeapQueryPoolUsage(x,x,x,x,x,x,x,x)+40j
		mov	ecx, [edx+edi*4]
		mov	eax, [ecx+84h]
		add	[ebx], eax
		mov	eax, [ecx+50h]
		add	[ebx], eax
		inc	edi
		cmp	edi, 3
		jbe	short loc_4D6D7A
		mov	edi, [ebp+var_4]
		xor	ebx, ebx

loc_4D6D95:				; CODE XREF: ExHeapQueryPoolUsage(x,x,x,x,x,x,x,x)+5Bj
		mov	ecx, [edx+ebx*4]
		mov	eax, [ecx+84h]
		add	[edi], eax
		mov	eax, [ecx+50h]
		add	[edi], eax
		inc	ebx
		cmp	ebx, 1
		jbe	short loc_4D6D95
		mov	ebx, [ebp+var_8]
		inc	esi
		add	edx, 20C0h
		cmp	esi, dword_6D8E70
		jb	short loc_4D6D77
		xor	ecx, ecx

loc_4D6DBF:				; CODE XREF: ExHeapQueryPoolUsage(x,x,x,x,x,x,x,x)+22j
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		mov	eax, [ebp+arg_14]
		mov	[eax], ecx
		leave
		retn	18h
_ExHeapQueryPoolUsage@32 endp


;  S U B	R O U T	I N E 


; __stdcall MiPteBinsNeedTrimming(x)
_MiPteBinsNeedTrimming@4 proc near	; CODE XREF: MiReservePtes+514p
					; MiAdjustPteBins()+4Fp
		mov	edi, edi
		push	edi
		mov	edi, ecx
		call	_MiGetNumberOfCachedPtes@4 ; MiGetNumberOfCachedPtes(x)
		mov	ecx, eax
		cmp	ecx, 400h
		jb	short loc_4D6E16
		mov	edx, [edi+28h]
		mov	eax, [edi]
		push	esi
		mov	esi, [edi+30h]
		sub	eax, edx
		push	0Ah
		xor	edx, edx
		add	ecx, esi
		pop	edi
		div	edi
		pop	esi
		cmp	ecx, eax
		jbe	short loc_4D6E16
		xor	eax, eax
		inc	eax
		pop	edi
		retn
; 

loc_4D6E16:				; CODE XREF: MiPteBinsNeedTrimming(x)+12j
					; MiPteBinsNeedTrimming(x)+2Bj
		xor	eax, eax
		pop	edi
		retn
_MiPteBinsNeedTrimming@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetNumberOfCachedPtes(x)
_MiGetNumberOfCachedPtes@4 proc	near	; CODE XREF: MmGetNumberOfFreeSystemPtes()+5p
					; MiPteBinsNeedTrimming(x)+5p ...
		mov	edx, [ecx+2Ch]
		xor	eax, eax
		test	edx, edx
		jz	short locret_4D6E3B
		movzx	ecx, ds:_KeNumberNodes
		test	ecx, ecx
		jz	short locret_4D6E3B
		add	edx, 40h

loc_4D6E31:				; CODE XREF: MiGetNumberOfCachedPtes(x)+1Fj
		add	eax, [edx]
		lea	edx, [edx+48h]
		sub	ecx, 1
		jnz	short loc_4D6E31

locret_4D6E3B:				; CODE XREF: MiGetNumberOfCachedPtes(x)+7j
					; MiGetNumberOfCachedPtes(x)+12j
		retn
_MiGetNumberOfCachedPtes@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiTranslateWsType(x)
_MiTranslateWsType@4 proc near		; CODE XREF: MmGetWorkingSetLeafSize(x):loc_4D6CA1p
					; MiInitializeSystemWorkingSetList+1Ap
		push	2
		pop	eax
		sub	ecx, eax
		jz	short loc_4D6E6D
		sub	ecx, 1
		jnz	short loc_4D6E49
		retn
; 

loc_4D6E49:				; CODE XREF: MiTranslateWsType(x)+Aj
		sub	ecx, 1
		jz	short loc_4D6E69
		sub	ecx, 1
		jz	short loc_4D6E65
		sub	ecx, 1
		jnz	short loc_4D6E5C
		push	4
		pop	eax
		retn
; 

loc_4D6E5C:				; CODE XREF: MiTranslateWsType(x)+1Aj
		sub	ecx, 1
		jnz	short loc_4D6E6D
		push	5
		pop	eax
		retn
; 

loc_4D6E65:				; CODE XREF: MiTranslateWsType(x)+15j
		push	3
		pop	eax
		retn
; 

loc_4D6E69:				; CODE XREF: MiTranslateWsType(x)+10j
		xor	eax, eax
		inc	eax
		retn
; 

loc_4D6E6D:				; CODE XREF: MiTranslateWsType(x)+5j
					; MiTranslateWsType(x)+23j
		xor	eax, eax
		retn
_MiTranslateWsType@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiMaximumCommitmentAvailable(x)
_MiMaximumCommitmentAvailable@4	proc near
					; CODE XREF: ExpQuerySystemPerformanceInformation+3D3p
		mov	eax, dword_6D5BC4
		mov	ecx, dword_6D5EFC
		cmp	ecx, eax
		ja	short loc_4D6E82
		sub	eax, ecx
		retn
; 

loc_4D6E82:				; CODE XREF: MiMaximumCommitmentAvailable(x)+Dj
		xor	eax, eax
		retn
_MiMaximumCommitmentAvailable@4	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 327. ExAllocatePoolWithTagPriority

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExAllocatePoolWithTagPriority
ExAllocatePoolWithTagPriority proc near	; CODE XREF: IopBuildDeviceIoControlRequest+2C5p
					; IopVerifierExAllocatePool+5EE5Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C94ED SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_C]
		cmp	esi, 20h
		jz	short loc_4D6EB2
		test	byte ptr [ebp+arg_0], 2
		jnz	short loc_4D6EB2
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	esi
		call	_MmResourcesAvailable@12 ; MmResourcesAvailable(x,x,x)
		test	eax, eax
		jz	loc_5C94ED

loc_4D6EB2:				; CODE XREF: ExAllocatePoolWithTagPriority+Cj
					; ExAllocatePoolWithTagPriority+12j ...
		mov	eax, large fs:20h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		shr	esi, 3
		mov	eax, [eax+338h]
		and	esi, 1
		push	esi
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	[ebp+arg_8]
		call	ExpAllocatePoolWithTagFromNode

loc_4D6EE0:				; CODE XREF: ExAllocatePoolWithTagPriority+F2672j
		pop	esi
		pop	ebp
		retn	10h
ExAllocatePoolWithTagPriority endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmResourcesAvailable(x, x, x)
_MmResourcesAvailable@12 proc near	; CODE XREF: ExAllocatePoolWithTagPriority+1Bp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		mov	[ebp+var_10], ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_1C]
		mov	esi, edx
		stosd
		mov	[ebp+var_C], esi
		stosd
		stosd
		mov	eax, esi
		mov	edi, esi
		and	edi, 0FFFh
		neg	edi
		sbb	edi, edi
		shr	eax, 0Ch
		neg	edi
		xor	edx, edx
		add	edi, eax
		inc	edx
		mov	eax, ecx
		and	eax, edx
		mov	[ebp+var_8], eax
		jnz	short loc_4D6F25
		push	5
		jmp	short loc_4D6F35
; 

loc_4D6F25:				; CODE XREF: MmResourcesAvailable(x,x,x)+39j
		test	cl, 20h
		jz	short loc_4D6F33
		call	_MiSessionPoolVaRemaining@0 ; MiSessionPoolVaRemaining()
		mov	edx, eax
		jmp	short loc_4D6F40
; 

loc_4D6F33:				; CODE XREF: MmResourcesAvailable(x,x,x)+42j
		push	6

loc_4D6F35:				; CODE XREF: MmResourcesAvailable(x,x,x)+3Dj
		pop	ecx
		call	MiFreePoolPagesLeft
		mov	edx, eax
		shl	edx, 0Ch

loc_4D6F40:				; CODE XREF: MmResourcesAvailable(x,x,x)+4Bj
		and	[ebp+var_4], 0
		lea	eax, [esi+80000h]
		cmp	[ebp+arg_0], 10h
		jz	short loc_4D6F56
		lea	eax, [esi+200000h]

loc_4D6F56:				; CODE XREF: MmResourcesAvailable(x,x,x)+68j
		cmp	eax, edx
		ja	short loc_4D6F92
		cmp	[ebp+var_8], 0
		jz	loc_4D6FE8
		mov	ecx, dword_6D5BC4
		mov	esi, ecx
		sub	esi, dword_6D5EFC
		cmp	ecx, dword_6D5EFC
		sbb	eax, eax
		not	eax
		and	eax, esi
		cmp	edi, eax
		jbe	short loc_4D6FE5
		push	0
		push	2
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		call	_MiIssuePageExtendRequest@16 ; MiIssuePageExtendRequest(x,x,x,x)

loc_4D6F92:				; CODE XREF: MmResourcesAvailable(x,x,x)+72j
		mov	edi, [ebp+var_4]
		xor	esi, esi
		inc	esi

loc_4D6F98:				; CODE XREF: MmResourcesAvailable(x,x,x)+11Dj
		test	byte ptr [ebp+var_10], 20h
		jnz	loc_4D70A3
		cmp	[ebp+var_8], 0
		jnz	loc_4D7046
		lea	edx, [ebp+var_1C]
		mov	ecx, offset unk_6D58C0
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, dword_6D4ED8
		cmp	dword ptr [ecx+4], 0
		jnz	short loc_4D6FCF
		push	0
		push	0
		push	ecx
		call	KePulseEvent

loc_4D6FCF:				; CODE XREF: MmResourcesAvailable(x,x,x)+DDj
		test	ds:byte_70EFC6,	1
		jz	short loc_4D700F
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4D703B
; 

loc_4D6FE5:				; CODE XREF: MmResourcesAvailable(x,x,x)+9Aj
		mov	esi, [ebp+var_C]

loc_4D6FE8:				; CODE XREF: MmResourcesAvailable(x,x,x)+78j
		lea	eax, [esi+0A00000h]
		cmp	eax, edx
		jb	short loc_4D7005
		cmp	dword_6D5D88, 40000h
		jb	short loc_4D7005
		xor	esi, esi
		inc	esi
		mov	edi, esi
		jmp	short loc_4D6F98
; 

loc_4D7005:				; CODE XREF: MmResourcesAvailable(x,x,x)+10Aj
					; MmResourcesAvailable(x,x,x)+116j
		xor	esi, esi
		lea	eax, [esi+1]
		jmp	loc_4D70A5
; 

loc_4D700F:				; CODE XREF: MmResourcesAvailable(x,x,x)+F0j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_4D702E
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_4D703B
		call	KxWaitForLockChainValid

loc_4D702E:				; CODE XREF: MmResourcesAvailable(x,x,x)+12Ej
		mov	[ebp+var_1C], 0
		add	eax, 4
		lock xor [eax],	esi

loc_4D703B:				; CODE XREF: MmResourcesAvailable(x,x,x)+FDj
					; MmResourcesAvailable(x,x,x)+141j
		mov	cl, [ebp+var_14]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4D709E
; 

loc_4D7046:				; CODE XREF: MmResourcesAvailable(x,x,x)+C0j
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6D35CC
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6D4ED0
		cmp	dword ptr [eax+4], 0
		jnz	short loc_4D7076
		push	0
		push	0
		push	eax
		call	KePulseEvent

loc_4D7076:				; CODE XREF: MmResourcesAvailable(x,x,x)+184j
		or	eax, 0FFFFFFFFh
		mov	ecx, offset dword_6D35CC
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_4D7092
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset dword_6D35CC

loc_4D7092:				; CODE XREF: MmResourcesAvailable(x,x,x)+1A0j
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_4D709E:				; CODE XREF: MmResourcesAvailable(x,x,x)+15Ej
		call	_MiFreeExcessSegments@0	; MiFreeExcessSegments()

loc_4D70A3:				; CODE XREF: MmResourcesAvailable(x,x,x)+B6j
		mov	eax, edi

loc_4D70A5:				; CODE XREF: MmResourcesAvailable(x,x,x)+124j
		pop	edi
		pop	esi
		leave
		retn	4
_MmResourcesAvailable@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


MiFreePoolPagesLeft proc near		; CODE XREF: MiCountSystemPool+25p
					; MmResourcesAvailable(x,x,x)+50p ...

; FUNCTION CHUNK AT 005C9501 SIZE 0000001C BYTES

		mov	edx, dword_6D4254
		mov	eax, dword_6D41D4[ecx*4]
		push	esi
		mov	esi, dword_6D3D54[ecx*4]
		shr	edx, 0Ch
		push	edi
		test	eax, eax
		jnz	loc_5C9501

loc_4D70CD:				; CODE XREF: MiFreePoolPagesLeft+F2464j
					; MiFreePoolPagesLeft+F246Cj
		shl	esi, 9
		cmp	ecx, 5
		jnz	short loc_4D70FC
		mov	edi, dword_6CF344
		mov	eax, dword_6D5E00
		cmp	eax, edx
		jb	short loc_4D7116

loc_4D70E4:				; CODE XREF: MiFreePoolPagesLeft+6Cj
		mov	eax, dword_6D5E40

loc_4D70E9:				; CODE XREF: MiFreePoolPagesLeft+68j
		cmp	eax, edx
		jb	short loc_4D711A

loc_4D70ED:				; CODE XREF: MiFreePoolPagesLeft+70j
		mov	ecx, esi
		sub	ecx, edi
		cmp	edi, esi
		pop	edi
		sbb	eax, eax
		and	eax, ecx
		add	eax, edx
		pop	esi
		retn
; 

loc_4D70FC:				; CODE XREF: MiFreePoolPagesLeft+27j
		mov	ecx, dword_6D35D0
		mov	edi, dword_6D35D4
		sub	ecx, esi
		cmp	esi, dword_6D35D0
		sbb	eax, eax
		and	eax, ecx
		jmp	short loc_4D70E9
; 

loc_4D7116:				; CODE XREF: MiFreePoolPagesLeft+36j
		mov	edx, eax
		jmp	short loc_4D70E4
; 

loc_4D711A:				; CODE XREF: MiFreePoolPagesLeft+3Fj
		mov	edx, eax
		jmp	short loc_4D70ED
MiFreePoolPagesLeft endp


;  S U B	R O U T	I N E 


; __stdcall ExpExTimerAttributesAreValid(x)
_ExpExTimerAttributesAreValid@4	proc near ; CODE XREF: ExAllocateTimerInternal2+Ep
					; NtCreateTimer2+19p
		mov	eax, ecx
		mov	dl, 1
		and	eax, 8000000Eh
		cmp	eax, ecx
		jnz	short loc_4D7148
		and	ecx, 0Eh
		test	ecx, 0FFFFFFF7h
		setnz	al
		test	cl, 8
		setnz	cl
		and	al, cl
		neg	al
		sbb	al, al
		not	al
		and	al, dl
		retn
; 

loc_4D7148:				; CODE XREF: ExpExTimerAttributesAreValid(x)+Bj
		xor	al, al
		retn
_ExpExTimerAttributesAreValid@4	endp

; 
		align 10h
; Exported entry 1180. KeInitializeTimer2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeTimer2(x, x, x,	x)
		public _KeInitializeTimer2@16
_KeInitializeTimer2@16 proc near	; CODE XREF: KiCompleteKernelInit+F9p
					; NtCreateTimer2+BDp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_8]
		mov	word ptr [ecx+2], 0
		call	_KiInitializeTimer2@16 ; KiInitializeTimer2(x,x,x,x)
		pop	ebp
		retn	10h
_KeInitializeTimer2@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInitializeTimer2(x, x, x,	x)
_KiInitializeTimer2@16 proc near	; CODE XREF: ExAllocateTimer+8Ep
					; KeInitializeTimer2(x,x,x,x)+17p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		test	ebx, ebx
		setns	al
		mov	[esi], edi
		add	al, 18h
		mov	[esi], al
		lea	eax, [esi+8]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+4], edi
		mov	[esi+40h], edx
		mov	[esi+44h], eax
		mov	[esi+48h], edi
		mov	[esi+4Ch], edi
		and	bl, 0Eh
		jz	short loc_4D71E0

loc_4D71A9:				; CODE XREF: KiInitializeTimer2(x,x,x,x)+78j
					; KiInitializeTimer2(x,x,x,x)+8Ej ...
		mov	[esi+51h], bl
		mov	eax, edi

loc_4D71AE:				; CODE XREF: KiInitializeTimer2(x,x,x,x)+69j
		cmp	ds:_KiTimer2Combinations[eax], bl
		jnz	short loc_4D71D2
		imul	ecx, edi, 3
		pop	edi
		mov	al, ds:byte_4102E1[ecx]
		mov	[esi+52h], al
		mov	al, ds:byte_4102E2[ecx]
		mov	[esi+53h], al
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_4D71D2:				; CODE XREF: KiInitializeTimer2(x,x,x,x)+44j
		add	eax, 3
		inc	edi
		cmp	eax, 12h
		jb	short loc_4D71AE
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4D71E0:				; CODE XREF: KiInitializeTimer2(x,x,x,x)+37j
		cmp	large byte ptr fs:131h,	0
		jnz	short loc_4D71A9
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	PsTimerResolutionActive
		test	al, al
		jz	short loc_4D71A9
		mov	bl, 10h
		jmp	short loc_4D71A9
_KiInitializeTimer2@16 endp


;  S U B	R O U T	I N E 


; __stdcall ExpInitializeThreadHistory(x)
_ExpInitializeThreadHistory@4 proc near	; CODE XREF: NtCreateWorkerFactory+1E4p
		and	dword ptr [ecx+68h], 0FFFFFFF8h
		xor	eax, eax
		push	edi
		lea	edi, [ecx+20h]
		stosd
		stosd
		stosd
		stosd
		pop	edi
		retn
_ExpInitializeThreadHistory@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 499. FsRtlCreateSectionForDataScan

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlCreateSectionForDataScan
FsRtlCreateSectionForDataScan proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 005C951D SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		xor	ecx, ecx
		push	ebx
		mov	ebx, [ebp+arg_1C]
		mov	[esp+20h+var_8], ecx
		mov	[esp+20h+var_4], ecx
		mov	[esp+20h+var_18], ecx
		mov	[esp+20h+var_10], ecx
		mov	[esp+20h+var_14], ecx
		mov	[esp+20h+var_C], ecx
		push	esi
		push	edi
		test	ebx, 0FFFFFFF9h
		jnz	loc_5C956E
		test	ebx, ebx
		jz	loc_5C956E
		mov	eax, [ebp+arg_20]
		and	eax, 0FF7FFFFFh
		cmp	eax, 8000000h
		jnz	loc_5C9564
		mov	edi, [ebp+arg_C]
		cmp	[edi+14h], ecx
		jz	loc_5C951D
		mov	eax, large fs:124h
		xor	esi, esi
		inc	esi
		mov	[eax+2D4h], esi
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	eax, [esp+28h+var_C]
		mov	edx, ebx
		push	eax
		lea	eax, [esp+2Ch+var_14]
		mov	ecx, edi
		push	eax
		push	esi
		call	_FsRtlAcquireToCreateMappedSection@20 ;	FsRtlAcquireToCreateMappedSection(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_5C9527
		lea	eax, [esp+28h+var_8]
		push	eax
		push	edi
		call	FsRtlGetFileSize
		mov	esi, eax
		test	esi, esi
		js	short loc_4D731B
		mov	eax, [esp+28h+var_8]
		or	eax, [esp+28h+var_4]
		jz	loc_5C953F
		push	0
		push	0
		push	[esp+30h+var_14]
		push	edi
		push	0

loc_4D72D4:				; CODE XREF: FsRtlCreateSectionForDataScan+F2345j
		push	[ebp+arg_20]
		mov	edx, [ebp+arg_14]
		lea	ecx, [esp+40h+var_18]
		push	ebx
		push	[esp+44h+var_4]
		push	[esp+48h+var_8]
		call	_MmCreateSectionEx@44 ;	MmCreateSectionEx(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000054h
		jz	loc_5C9549
		test	esi, esi
		js	short loc_4D731B
		mov	ecx, [esp+28h+var_18]
		call	_MmGetFileObjectForSection@4 ; MmGetFileObjectForSection(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_4D731B
		mov	ecx, ebx
		call	_CcZeroEndOfLastPage@4 ; CcZeroEndOfLastPage(x)
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_4D731B:				; CODE XREF: FsRtlCreateSectionForDataScan+9Fj
					; FsRtlCreateSectionForDataScan+E2j ...
		push	edi
		call	FsRtlReleaseFile
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, large fs:124h
		xor	ebx, ebx
		mov	[eax+2D4h], ebx
		test	esi, esi
		js	short loc_4D7387
		mov	esi, [esp+28h+var_18]
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		lea	eax, [esp+28h+var_10]
		push	eax
		push	ebx
		push	ebx
		push	[ebp+arg_10]
		push	ebx
		push	esi
		call	_ObInsertObject@24 ; ObInsertObject(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_4D738B
		mov	edx, [ebp+arg_0]
		mov	ecx, [esp+28h+var_10]
		mov	[edx], ecx
		mov	ecx, [ebp+arg_4]
		mov	[ecx], esi
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_4D737C
		mov	eax, [esp+28h+var_8]
		mov	[ecx], eax
		mov	eax, [esp+28h+var_4]
		mov	[ecx+4], eax

loc_4D737C:				; CODE XREF: FsRtlCreateSectionForDataScan+153j
					; FsRtlCreateSectionForDataScan+178j
		mov	eax, edi

loc_4D737E:				; CODE XREF: FsRtlCreateSectionForDataScan+16Fj
					; FsRtlCreateSectionForDataScan+F2308j	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_4D7387:				; CODE XREF: FsRtlCreateSectionForDataScan+11Cj
					; FsRtlCreateSectionForDataScan+F2320j
		mov	eax, esi
		jmp	short loc_4D737E
; 

loc_4D738B:				; CODE XREF: FsRtlCreateSectionForDataScan+13Ej
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_4D737C
FsRtlCreateSectionForDataScan endp

; Exported entry 2597. VslGetSecurePciEnabled

;  S U B	R O U T	I N E 


; __stdcall KeIsCetCapable()
		public _KeIsCetCapable@0
_KeIsCetCapable@0 proc near		; CODE XREF: KeResumeClockTimerFromIdle:loc_48CBDFp
					; KeResumeClockTimerFromIdle:loc_5B7E9Fp ...
		xor	al, al
		retn
_KeIsCetCapable@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeCaptureObjectAttributeSecurityDescriptorPresent proc near
					; CODE XREF: SepCreateTokenEx+10Bp
					; NtDuplicateToken+DEp

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0Ch
		push	offset dword_6A20C0
		call	__SEH_prolog4
		xor	eax, eax
		mov	esi, [ebp+arg_0]
		mov	[esi], al
		test	dl, dl
		jz	short loc_4D73EE
		mov	[ebp+ms_exc.disabled], eax
		test	ecx, ecx
		jz	short loc_4D73D3
		mov	edx, ecx
		test	cl, 3
		jnz	short loc_4D7401
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_4D7406

loc_4D73C6:				; CODE XREF: SeCaptureObjectAttributeSecurityDescriptorPresent+70j
		nop
		mov	al, [edx]
		mov	eax, [ecx+10h]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	short loc_4D73FC

loc_4D73D3:				; CODE XREF: SeCaptureObjectAttributeSecurityDescriptorPresent+1Cj
					; SeCaptureObjectAttributeSecurityDescriptorPresent+67j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_4D73DA:				; CODE XREF: SeCaptureObjectAttributeSecurityDescriptorPresent+58j
					; SeCaptureObjectAttributeSecurityDescriptorPresent+5Dj ...
		xor	eax, eax

loc_4D73DC:				; CODE XREF: sub_5C9586+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4D73EE:				; CODE XREF: SeCaptureObjectAttributeSecurityDescriptorPresent+15j
		test	ecx, ecx
		jz	short loc_4D73DA
		cmp	[ecx+10h], eax
		jz	short loc_4D73DA
		mov	byte ptr [esi],	1
		jmp	short loc_4D73DA
; 

loc_4D73FC:				; CODE XREF: SeCaptureObjectAttributeSecurityDescriptorPresent+39j
		mov	byte ptr [esi],	1
		jmp	short loc_4D73D3
; 

loc_4D7401:				; CODE XREF: SeCaptureObjectAttributeSecurityDescriptorPresent+23j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_4D7406:				; CODE XREF: SeCaptureObjectAttributeSecurityDescriptorPresent+2Cj
		mov	edx, eax
		jmp	short loc_4D73C6
SeCaptureObjectAttributeSecurityDescriptorPresent endp

; 
		align 10h
; Exported entry 547. FsRtlInitializeBaseMcbEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlInitializeBaseMcbEx
FsRtlInitializeBaseMcbEx proc near	; CODE XREF: FsRtlInitializeBaseMcb(x,x)+Dp
					; FsRtlInitializeLargeMcb+15p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h

; FUNCTION CHUNK AT 005C9598 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	bx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_0]
		and	dword ptr [esi+4], 0
		mov	[esi+8], ax
		mov	[esi+0Ah], bx
		cmp	eax, 1
		jnz	short loc_4D7455
		push	offset _FsRtlFirstPagedMappingLookasideList
		call	_ExAllocateFromPagedLookasideList@4 ; ExAllocateFromPagedLookasideList(x)

loc_4D743C:				; CODE XREF: FsRtlInitializeBaseMcbEx+4Fj
		mov	[esi+0Ch], eax
		test	eax, eax
		jz	loc_5C9598
		mov	dword ptr [esi], 0Fh
		mov	al, 1

loc_4D744F:				; CODE XREF: FsRtlInitializeBaseMcbEx+F2199j
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_4D7455:				; CODE XREF: FsRtlInitializeBaseMcbEx+20j
		mov	ecx, offset _FsRtlFirstNonPagedMappingLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		jmp	short loc_4D743C
FsRtlInitializeBaseMcbEx endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 320. ExAllocateFromPagedLookasideList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExAllocateFromPagedLookasideList(x)
		public _ExAllocateFromPagedLookasideList@4
_ExAllocateFromPagedLookasideList@4 proc near ;	CODE XREF: FsRtlInitializeBaseMcbEx+27p
					; FsRtlTruncateBaseMcb(x,x,x)+8Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		inc	dword ptr [esi+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	short loc_4D7482

loc_4D747D:				; CODE XREF: ExAllocateFromPagedLookasideList(x)+2Bj
		pop	esi
		pop	ebp
		retn	4
; 

loc_4D7482:				; CODE XREF: ExAllocateFromPagedLookasideList(x)+15j
		push	dword ptr [esi+20h]
		inc	dword ptr [esi+10h]
		push	dword ptr [esi+24h]
		push	dword ptr [esi+1Ch]
		call	dword ptr [esi+28h]
		jmp	short loc_4D747D
_ExAllocateFromPagedLookasideList@4 endp

; 
		align 8
; Exported entry 2519. SeTokenIsRestricted

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeTokenIsRestricted(x)
		public _SeTokenIsRestricted@4
_SeTokenIsRestricted@4 proc near	; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+B41p
					; SepNewTokenAsRestrictedAsProcessToken+37p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0B0h]
		shr	eax, 4
		and	al, 1
		pop	ebp
		retn	4
_SeTokenIsRestricted@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2520. SeTokenIsWriteRestricted

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeTokenIsWriteRestricted(x)
		public _SeTokenIsWriteRestricted@4
_SeTokenIsWriteRestricted@4 proc near	; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+45p
					; PspAddSchedulingGroupToJobChain+2EDp	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0B0h]
		shr	eax, 3
		and	al, 1
		pop	ebp
		retn	4
_SeTokenIsWriteRestricted@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpShutdownWorkerFactory(x)
_ExpShutdownWorkerFactory@4 proc near	; CODE XREF: .text:00508443p
					; ExpCloseWorkerFactory(x,x,x,x)+Ep

var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, [esi+4]
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esi+68h]
		lea	edi, [esi+20h]
		and	eax, 0FFFFFFFCh
		or	eax, 4
		push	4
		mov	[esi+68h], eax
		pop	ebx

loc_4D74FE:				; CODE XREF: ExpShutdownWorkerFactory(x)+3Ej
		mov	ecx, [edi]
		test	ecx, ecx
		jnz	short loc_4D7570

loc_4D7504:				; CODE XREF: ExpShutdownWorkerFactory(x)+ACj
		add	edi, 4
		sub	ebx, 1
		jnz	short loc_4D74FE
		test	dword ptr [esi+68h], 200h
		jz	short loc_4D751C
		mov	ecx, esi
		call	_ExpLeaveWorkerFactoryAwayMode@4 ; ExpLeaveWorkerFactoryAwayMode(x)

loc_4D751C:				; CODE XREF: ExpShutdownWorkerFactory(x)+47j
		lea	edx, [esi+0D0h]
		lea	edi, [esi+78h]
		cmp	[edx+10h], edi
		jnz	short loc_4D753C
		mov	ecx, edi
		call	_KeDeregisterObjectNotification@8 ; KeDeregisterObjectNotification(x,x)
		test	al, al
		jz	short loc_4D753C
		mov	ecx, esi
		call	ObfDereferenceObject

loc_4D753C:				; CODE XREF: ExpShutdownWorkerFactory(x)+5Cj
					; ExpShutdownWorkerFactory(x)+67j
		mov	eax, [esi+4]
		xor	ebx, ebx
		inc	ebx
		xor	ecx, ecx
		mov	[eax+15h], bl
		mov	eax, [esi+4]
		mov	[esi+4Ch], ecx
		mov	[esi+48h], ecx
		cmp	[eax+10h], ecx
		jnz	short loc_4D757A

loc_4D7555:				; CODE XREF: ExpShutdownWorkerFactory(x)+B1j
		mov	bl, cl

loc_4D7557:				; CODE XREF: ExpShutdownWorkerFactory(x)+B6j
		lea	ecx, [ebp+var_C]
		call	KeReleaseInStackQueuedSpinLock
		push	0
		push	edi
		call	KeCancelTimer2
		test	bl, bl
		jnz	short loc_4D7584

loc_4D756B:				; CODE XREF: ExpShutdownWorkerFactory(x)+CDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4D7570:				; CODE XREF: ExpShutdownWorkerFactory(x)+36j
		call	ObfDereferenceObject
		and	dword ptr [edi], 0
		jmp	short loc_4D7504
; 

loc_4D757A:				; CODE XREF: ExpShutdownWorkerFactory(x)+87j
		cmp	[eax+14h], cl
		jnz	short loc_4D7555
		mov	[eax+14h], bl
		jmp	short loc_4D7557
; 

loc_4D7584:				; CODE XREF: ExpShutdownWorkerFactory(x)+9Dj
		mov	eax, [esi+4]
		xor	ecx, ecx
		push	dword ptr [eax+8]
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	dword ptr [eax+4]
		call	IoSetIoCompletionEx
		jmp	short loc_4D756B
_ExpShutdownWorkerFactory@4 endp

; 
		align 10h
; Exported entry 1107. KeCancelTimer2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeCancelTimer2
KeCancelTimer2	proc near		; CODE XREF: ExpShutdownWorkerFactory(x)+96p
					; ExpSetTimerObject2+97p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C95AE SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ds:dword_70EFC8
		push	ebx
		push	esi
		push	edi
		push	2
		and	eax, 20000h
		xor	ebx, ebx
		pop	edi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	KiAcquireTimer2LockUnlessDisabled
		test	al, al
		jnz	short loc_4D760F
		mov	ecx, esi
		call	KiAcquireTimer2CollectionLockIfInserted
		test	al, al
		jz	short loc_4D762B
		mov	ecx, esi
		call	KiRemoveTimer2
		test	ds:byte_70EFC6,	1
		jnz	loc_5C95AE
		xor	ecx, ecx
		mov	eax, offset _KiTimer2CollectionLock
		lock and [eax],	ecx

loc_4D7600:				; CODE XREF: KeCancelTimer2+F201Bj
					; KeCancelTimer2+F2027j
		mov	edi, ebx
		mov	bl, 1

loc_4D7604:				; CODE XREF: KeCancelTimer2+8Fj
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	edi
		call	_KiUpdateTimer2Flags@12	; KiUpdateTimer2Flags(x,x,x)

loc_4D760F:				; CODE XREF: KeCancelTimer2+35j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_C], 0
		jnz	loc_5C95CC

loc_4D7622:				; CODE XREF: KeCancelTimer2+F202Ej
					; KeCancelTimer2+F203Bj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
; 

loc_4D762B:				; CODE XREF: KeCancelTimer2+40j
		test	byte ptr [esi+1], 0Ah
		jz	short loc_4D7604
		jmp	loc_5C95C0
KeCancelTimer2	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeDisableTimer2	proc near		; CODE XREF: ExDeleteTimer+34p
					; PopPowerButtonWorkCallback(x)+B4p ...

var_56		= byte ptr -56h
var_55		= byte ptr -55h
var_54		= byte ptr -54h
var_53		= byte ptr -53h
var_52		= byte ptr -52h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= byte ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C95E0 SIZE 00000119 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		push	ebx
		xor	eax, eax
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		lea	edi, [esp+68h+var_34]
		mov	[esp+68h+var_52], dl
		stosd
		mov	esi, ecx
		push	8
		pop	ecx
		mov	[esp+68h+var_4C], 20h
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+68h+var_44]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+68h+var_28]
		mov	[esp+68h+var_55], al
		rep stosd
		mov	ecx, ds:dword_70EFC8
		mov	edi, eax
		shr	ecx, 11h
		and	ecx, 0FFFFFF01h
		mov	[esp+68h+var_50], eax
		mov	[esp+68h+var_54], al
		mov	[esp+68h+var_48], ecx
		test	ebx, ebx
		jnz	loc_4D7763

loc_4D76A7:				; CODE XREF: KeDisableTimer2+138j
					; KeDisableTimer2+F1FACj ...
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[esp+68h+var_53], al
		call	KiAcquireTimer2LockUnlessDisabled
		mov	[esp+68h+var_51], al
		test	al, al
		jnz	loc_5C966B
		test	ebx, ebx
		jnz	loc_4D7779

loc_4D76CC:				; CODE XREF: KeDisableTimer2+14Dj
		xor	ebx, ebx
		inc	ebx
		cmp	[esp+68h+var_52], 0
		jz	short loc_4D76EB
		mov	ecx, esi
		call	KiAcquireTimer2CollectionLockIfInserted
		test	al, al
		jnz	short loc_4D773D
		test	byte ptr [esi+1], 0Ah
		jnz	loc_5C9612

loc_4D76EB:				; CODE XREF: KeDisableTimer2+9Ej
		push	6

loc_4D76ED:				; CODE XREF: KeDisableTimer2+12Bj
		mov	ebx, [esp+6Ch+var_48]
		pop	edi
		test	bl, bl
		jnz	loc_5C961F

loc_4D76FA:				; CODE XREF: KeDisableTimer2+F1FF9j
		mov	edx, [esp+68h+var_4C]
		mov	ecx, esi
		push	edi
		call	_KiUpdateTimer2Flags@12	; KiUpdateTimer2Flags(x,x,x)
		mov	cl, [esp+68h+var_53]
		mov	[esp+68h+var_54], al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[esp+68h+var_54], 0
		jz	short loc_4D7788

loc_4D771B:				; CODE XREF: KeDisableTimer2+156j
					; KeDisableTimer2+F2030j ...
		test	bl, bl
		mov	bl, [esp+68h+var_55]
		jnz	loc_5C967E

loc_4D7727:				; CODE XREF: KeDisableTimer2+F204Dj
					; KeDisableTimer2+F20BEj
		mov	ecx, [esp+68h+var_4]
		mov	al, bl
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4D773D:				; CODE XREF: KeDisableTimer2+A9j
		mov	ecx, esi
		call	KiRemoveTimer2
		test	ds:byte_70EFC6,	1
		jnz	loc_5C9600
		xor	ecx, ecx
		mov	eax, offset _KiTimer2CollectionLock
		lock and [eax],	ecx

loc_4D775B:				; CODE XREF: KeDisableTimer2+F1FD7j
					; KeDisableTimer2+F1FE4j
		push	4
		mov	[esp+6Ch+var_55], bl
		jmp	short loc_4D76ED
; 

loc_4D7763:				; CODE XREF: KeDisableTimer2+6Bj
		mov	eax, [ebx+4]
		mov	edi, [ebx]
		mov	[esp+68h+var_50], eax
		test	cl, cl
		jz	loc_4D76A7
		jmp	loc_5C95E0
; 

loc_4D7779:				; CODE XREF: KeDisableTimer2+90j
		mov	eax, [esp+68h+var_50]
		mov	[esi+48h], edi
		mov	[esi+4Ch], eax
		jmp	loc_4D76CC
; 

loc_4D7788:				; CODE XREF: KeDisableTimer2+E3j
		cmp	[ebp+arg_0], 0
		jz	short loc_4D771B
		jmp	loc_5C9634
KeDisableTimer2	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiTriggerForegroundBoostDpc(x, x, x, x)
_KiTriggerForegroundBoostDpc@16	proc near ; DATA XREF: KiCompleteKernelInit+111o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		imul	ecx, ds:_KiForegroundBoostTicks, 249F0h
		lea	eax, [esp+10h+var_10]
		or	[esp+10h+var_8], 0FFFFFFFFh
		xor	edx, edx
		or	[esp+10h+var_4], 0FFFFFFFFh
		push	eax
		xor	eax, eax
		mov	[esp+14h+var_10], edx
		neg	ecx
		mov	[esp+14h+var_C], edx
		push	edx
		push	edx
		adc	eax, edx
		neg	eax
		push	eax
		push	ecx
		push	offset _KiForegroundState
		call	KeSetTimer2
		mov	esp, ebp
		pop	ebp
		retn	10h
_KiTriggerForegroundBoostDpc@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInsertTimer2	proc near		; CODE XREF: KiExpireTimer2+159p
					; KiTimer2Expiration+263p ...

var_2		= byte ptr -2
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C96F9 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	byte ptr [ebp-1], 0
		mov	edi, offset _KiTimer2CollectionLock
		mov	bl, dl
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	eax, [ebp-1]
		mov	dl, bl
		push	eax
		push	[ebp+arg_0]
		mov	ecx, esi
		call	KiInsertTimer2WithCollectionLockHeld
		test	ds:byte_70EFC6,	1
		mov	bl, al
		jnz	loc_5C96F9
		xor	eax, eax
		lock and [edi],	eax

loc_4D781F:				; CODE XREF: KiInsertTimer2+F1F25j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
KiInsertTimer2	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetTimer2(x, x, x, x)
_NtSetTimer2@16	proc near		; DATA XREF: .text:00580C94o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_4D7846
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_8]
		call	ExpSetTimer2

loc_4D7842:				; CODE XREF: NtSetTimer2(x,x,x,x)+23j
		pop	ebp
		retn	10h
; 

loc_4D7846:				; CODE XREF: NtSetTimer2(x,x,x,x)+Aj
		mov	eax, 0C00000F0h
		jmp	short loc_4D7842
_NtSetTimer2@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpSetTimer2	proc near		; CODE XREF: NtSetTimer2(x,x,x,x)+15p
					; NtCancelTimer2(x,x)+Ep ...

var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C9708 SIZE 00000023 BYTES

		push	40h
		push	offset dword_6A2138
		call	__SEH_prolog4_GS
		mov	[ebp+var_34], edx
		mov	ebx, ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_30], eax
		xor	ecx, ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], ecx
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ecx
		test	edx, edx
		jz	short loc_4D78E7
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_4D78E7
		mov	[ebp+ms_exc.disabled], ecx
		mov	ecx, [ebp+var_34]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_5C9708

loc_4D78A3:				; CODE XREF: ExpSetTimer2+F1EBCj
		nop
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], ecx
		lea	eax, [ebp+var_48]
		mov	[ebp+var_34], eax
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	loc_5C970F

loc_4D78C0:				; CODE XREF: ExpSetTimer2+F1ED8j
		mov	esi, [ebp+var_30]
		test	esi, esi
		jz	short loc_4D78DE
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	short loc_4D7939

loc_4D78D0:				; CODE XREF: ExpSetTimer2+EDj
		lea	edi, [ebp+var_2C]
		movsd
		movsd
		movsd
		movsd
		nop
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_30], eax

loc_4D78DE:				; CODE XREF: ExpSetTimer2+77j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ecx, ecx

loc_4D78E7:				; CODE XREF: ExpSetTimer2+30j
					; ExpSetTimer2+40j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_50], al
		mov	eax, ds:_ExpIRTimerObjectType
		mov	[ebp+var_38], ecx
		push	ecx
		lea	ecx, [ebp+var_38]
		push	ecx
		push	[ebp+var_50]
		push	eax
		push	2
		push	ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_4D7927
		push	[ebp+var_30]
		push	[ebp+var_3C]
		push	[ebp+var_40]
		mov	edx, [ebp+var_34]
		mov	ecx, [ebp+var_38]
		call	ExpSetTimerObject2

loc_4D7927:				; CODE XREF: ExpSetTimer2+C3j
					; sub_5C9739+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4D7939:				; CODE XREF: ExpSetTimer2+80j
		mov	esi, eax
		jmp	short loc_4D78D0
ExpSetTimer2	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpSetTimerObject2 proc	near		; CODE XREF: ExpSetTimer2+D4p
					; .text:005F2555p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C974B SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	[ebp+arg_0], ebx
		jnz	loc_5C974B
		cmp	edi, ebx
		jnz	loc_5C974B

loc_4D795F:				; CODE XREF: ExpSetTimerObject2+F1E11j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_4D7973
		call	_ExpTimerSetParametersAreValid@4 ; ExpTimerSetParametersAreValid(x)
		test	al, al
		jz	loc_5C975F

loc_4D7973:				; CODE XREF: ExpSetTimerObject2+26j
		test	edx, edx
		jz	short loc_4D79CA
		mov	eax, [edx]
		mov	edx, [edx+4]
		mov	byte ptr [ebp+arg_8+3],	1
		mov	[ebp+var_4], edx
		mov	dl, byte ptr [ebp+arg_8+3]

loc_4D7986:				; CODE XREF: ExpSetTimerObject2+93j
		mov	[esi+60h], eax
		mov	eax, [ebp+var_4]
		mov	[esi+64h], eax
		mov	[esi+68h], ebx
		mov	[esi+6Ch], ebx
		test	ecx, ecx
		jz	short loc_4D79A5
		mov	eax, [ecx+8]
		mov	[esi+68h], eax
		mov	eax, [ecx+0Ch]
		mov	[esi+6Ch], eax

loc_4D79A5:				; CODE XREF: ExpSetTimerObject2+59j
		test	dl, dl
		jz	short loc_4D79D3
		push	ecx
		push	edi
		push	[ebp+arg_0]
		push	dword ptr [esi+64h]
		push	dword ptr [esi+60h]
		push	esi
		call	KeSetTimer2

loc_4D79BA:				; CODE XREF: ExpSetTimerObject2+9Cj
					; ExpSetTimerObject2+F1E1Cj ...
		mov	ecx, esi
		call	ObfDereferenceObject
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_4D79CA:				; CODE XREF: ExpSetTimerObject2+37j
		mov	dl, bl
		mov	[ebp+var_4], ebx
		mov	eax, ebx
		jmp	short loc_4D7986
; 

loc_4D79D3:				; CODE XREF: ExpSetTimerObject2+69j
		push	ebx
		push	esi
		call	KeCancelTimer2
		jmp	short loc_4D79BA
ExpSetTimerObject2 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiExpireTimer2	proc near		; CODE XREF: KiTimer2Expiration+136p

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_75		= dword	ptr -75h
var_71		= dword	ptr -71h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_61		= byte ptr -61h
var_60		= dword	ptr -60h
var_59		= byte ptr -59h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C9769 SIZE 00000279 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_84], eax
		xor	eax, eax
		mov	[ebp+var_34], 0
		test	ds:dword_70EFC8, 20000h
		mov	esi, ecx
		push	edi
		mov	ecx, 8
		mov	[ebp+var_94], eax
		lea	edi, [ebp+var_54]
		mov	[ebp+var_90], eax
		mov	edx, [esi+3Ch]
		rep stosd
		mov	ecx, [esi+38h]
		mov	byte ptr [ebp+var_71], al
		mov	[ebp+var_7C], eax
		mov	[ebp+var_61], al
		mov	eax, [ebx+4]
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], 0
		mov	[ebp+var_28], 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], 0
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_88], eax
		mov	eax, [eax+13Ch]
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_8C], eax
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 0
		jnz	loc_5C9769
		mov	[ebp+var_59], 0

loc_4D7A9E:				; CODE XREF: KiExpireTimer2+F1DB1j
		mov	eax, ecx
		mov	byte ptr [ebp+var_75], 0
		or	eax, edx
		jnz	short loc_4D7ADD

loc_4D7AA8:				; CODE XREF: KiExpireTimer2+101j
					; KiExpireTimer2+170j
		mov	al, [esi]
		lea	ecx, [esi+8]
		and	al, 7Fh
		mov	dword ptr [esi+4], 1
		cmp	al, 19h
		jnz	loc_4D7E44
		mov	ebx, [ecx]
		cmp	ebx, ecx
		jz	loc_4D7C14

loc_4D7AC8:				; CODE XREF: KiExpireTimer2+F1E43j
		mov	eax, [ebx]
		mov	edi, ebx
		mov	ebx, eax
		mov	ecx, [edi+4]
		cmp	[eax+4], edi
		jz	short loc_4D7B55

loc_4D7AD6:				; CODE XREF: KiExpireTimer2+177j
					; KiExpireTimer2+2A8j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4D7ADD:				; CODE XREF: KiExpireTimer2+C6j
		test	byte ptr [esi+1], 20h
		jnz	short loc_4D7AA8
		mov	bl, [esi+51h]
		test	bl, 4
		jnz	loc_4D7E26
		mov	edi, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_60], edi

loc_4D7AF8:				; CODE XREF: KiExpireTimer2+45Fj
		push	edx
		push	ecx
		push	edi
		push	eax
		lea	ecx, [ebp+var_75]
		mov	[ebp+var_71+1],	eax
		call	KiTimer2ComputeDueTime
		mov	[ebp+var_58], edx
		mov	edi, eax
		test	bl, 0Eh
		jz	loc_4D7D89

loc_4D7B15:				; CODE XREF: KiExpireTimer2+3F9j
					; KiExpireTimer2+F1DB9j ...
		mov	ecx, [esi+30h]
		mov	eax, ecx
		mov	edx, [esi+34h]
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4D7D3F
		mov	eax, [ebp+var_58]

loc_4D7B2B:				; CODE XREF: KiExpireTimer2+37Cj
		mov	[esi+28h], edi
		mov	[esi+2Ch], eax

loc_4D7B31:				; CODE XREF: KiExpireTimer2+F1E11j
					; KiExpireTimer2+F1E28j
		lea	eax, [ebp+var_71]
		xor	dl, dl
		push	eax
		mov	ecx, esi
		call	KiInsertTimer2
		test	al, al
		jz	loc_5C97BC
		mov	[ebp+var_7C], 1

loc_4D7B4D:				; CODE XREF: KiExpireTimer2+F1DE0j
		mov	ebx, [ebp+var_6C]
		jmp	loc_4D7AA8
; 

loc_4D7B55:				; CODE XREF: KiExpireTimer2+F4j
		cmp	[ecx], edi
		jnz	loc_4D7AD6
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	al, [edi+8]
		cmp	al, 1
		jz	loc_4D7D61
		cmp	al, 2
		jnz	loc_5C980D
		mov	byte ptr [edi+9], 5
		mov	eax, [edi+0Ch]
		mov	[ebp+var_58], eax
		add	eax, 8
		mov	dword ptr [edi], 0
		mov	[ebp+var_68], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_71+1],	eax
		mov	eax, [eax+4]
		mov	[ebp+var_60], eax
		jz	short loc_4D7BC1
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_60]
		mov	edx, edi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_4D7BC1:				; CODE XREF: KiExpireTimer2+1CAj
		mov	ecx, [ebp+var_58]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [ebp+var_68]
		mov	ecx, [ebp+var_58]
		cmp	[edx], edx
		jz	loc_4D7C70
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+1Ch]
		jnb	loc_4D7C70
		mov	eax, [ebp+var_60]
		mov	eax, [eax+0A4h]
		cmp	eax, ecx
		jz	short loc_4D7C64

loc_4D7BF0:				; CODE XREF: KiExpireTimer2+28Ej
		mov	edx, ecx
		mov	ecx, [ebp+var_71+1]
		push	edi
		call	KiWakeQueueWaiter
		mov	ecx, [ebp+var_58]
		test	al, al
		jz	short loc_4D7C70

loc_4D7C02:				; CODE XREF: KiExpireTimer2+2C2j
					; KiExpireTimer2+2CAj ...
		mov	eax, 0FFFFFF7Fh
		lock and [ecx],	eax
		add	dword ptr [esi+4], 0FFFFFFFFh
		jnz	loc_5C981E

loc_4D7C14:				; CODE XREF: KiExpireTimer2+E2j
					; KiExpireTimer2+39Ej ...
		mov	ebx, [esi+40h]
		xor	edi, edi
		mov	edx, [ebp+var_7C]
		mov	ecx, esi
		test	ebx, ebx
		jnz	loc_4D7CC2
		push	4
		call	_KiUpdateTimer2Flags@12	; KiUpdateTimer2Flags(x,x,x)

loc_4D7C2D:				; CODE XREF: KiExpireTimer2+35Aj
		mov	eax, [ebp+var_88]
		mov	ecx, [ebp+var_8C]
		mov	eax, [eax+13Ch]
		cmp	ecx, eax
		jnz	loc_5C9964
		cmp	[ebp+var_59], 0
		jnz	loc_5C9973

loc_4D7C51:				; CODE XREF: KiExpireTimer2+F1FFDj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4D7C64:				; CODE XREF: KiExpireTimer2+20Ej
		mov	eax, [ebp+var_60]
		cmp	byte ptr [eax+18Bh], 0Fh
		jnz	short loc_4D7BF0

loc_4D7C70:				; CODE XREF: KiExpireTimer2+1F1j
					; KiExpireTimer2+1FDj ...
		mov	eax, [ecx+4]
		mov	[ebp+var_60], eax
		inc	eax
		mov	[ecx+4], eax
		lea	eax, [ecx+10h]
		mov	edx, [eax+4]
		mov	[ebp+var_68], edx
		cmp	[edx], eax
		lea	edx, [ecx+8]
		jnz	loc_4D7AD6
		cmp	[ebp+var_60], 0
		mov	ecx, [ebp+var_68]
		mov	[edi+4], ecx
		mov	[edi], eax
		mov	[ecx], edi
		mov	ecx, [ebp+var_58]
		mov	[eax+4], edi
		jnz	loc_4D7C02
		cmp	[edx], edx
		jz	loc_4D7C02
		mov	edx, ecx
		mov	ecx, [ebp+var_71+1]
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		mov	ecx, [ebp+var_58]
		jmp	loc_4D7C02
; 

loc_4D7CC2:				; CODE XREF: KiExpireTimer2+240j
		mov	eax, [esi+44h]
		or	edx, 10h
		push	0
		mov	[ebp+var_68], eax
		call	_KiUpdateTimer2Flags@12	; KiUpdateTimer2Flags(x,x,x)
		mov	eax, [ebp+var_6C]
		cmp	[eax+3B1Ch], edi
		jnz	loc_4D7E11

loc_4D7CE1:				; CODE XREF: KiExpireTimer2+441j
		cmp	[ebp+var_59], 0
		jnz	loc_5C9950

loc_4D7CEB:				; CODE XREF: KiExpireTimer2+F1F7Fj
		mov	ecx, [ebp+var_84]
		mov	edx, ebx
		call	_KiBeginDpcLog@8 ; KiBeginDpcLog(x,x)
		mov	edi, eax
		mov	eax, [ebp+var_6C]
		mov	ecx, eax
		mov	dword ptr [eax+4B0h], 0
		call	KiResetGlobalDpcWatchdogProfiler
		mov	eax, [ebp+var_6C]
		push	[ebp+var_68]
		push	esi
		mov	byte ptr [eax+223Ah], 1
		call	ebx
		mov	eax, [ebp+var_6C]
		mov	ecx, esi
		mov	byte ptr [eax+223Ah], 0
		mov	eax, ds:_KeTickCount
		mov	[edi+8], eax
		call	_KiUnmarkTimer2Running@4 ; KiUnmarkTimer2Running(x)
		mov	edi, [ebp+var_68]
		jmp	loc_4D7C2D
; 

loc_4D7D3F:				; CODE XREF: KiExpireTimer2+142j
		sub	ecx, [esi+28h]
		mov	eax, ecx
		sbb	edx, [esi+2Ch]
		or	eax, edx
		jnz	loc_4D7DE7
		mov	eax, [ebp+var_58]
		mov	ecx, edi
		mov	edx, eax

loc_4D7D56:				; CODE XREF: KiExpireTimer2+42Cj
		mov	[esi+30h], ecx
		mov	[esi+34h], edx
		jmp	loc_4D7B2B
; 

loc_4D7D61:				; CODE XREF: KiExpireTimer2+187j
		movzx	eax, word ptr [edi+0Ah]
		mov	edx, edi
		mov	ecx, [ebp+var_6C]
		push	0
		push	eax
		call	KiTryUnwaitThread
		test	al, al
		jz	loc_5C981E
		add	dword ptr [esi+4], 0FFFFFFFFh
		jz	loc_4D7C14
		jmp	loc_5C981E
; 

loc_4D7D89:				; CODE XREF: KiExpireTimer2+12Fj
		test	ds:_KiVelocityFlags, 2000h
		jz	loc_5C97A1
		mov	edx, [esi+8]
		lea	eax, [esi+8]
		cmp	edx, eax
		jz	short loc_4D7DD6

loc_4D7DA3:				; CODE XREF: KiExpireTimer2+3F4j
		mov	ecx, edx
		mov	edx, [edx]
		mov	[ebp+var_68], ecx
		mov	cl, [ecx+8]
		test	cl, cl
		jz	short loc_4D7DB6
		cmp	cl, 1
		jnz	short loc_4D7DD2

loc_4D7DB6:				; CODE XREF: KiExpireTimer2+3CFj
		mov	eax, [ebp+var_68]
		mov	eax, [eax+0Ch]
		mov	ecx, [eax+150h]
		call	PsTimerResolutionActive
		test	al, al
		jnz	loc_5C9796
		lea	eax, [esi+8]

loc_4D7DD2:				; CODE XREF: KiExpireTimer2+3D4j
		cmp	edx, eax
		jnz	short loc_4D7DA3

loc_4D7DD6:				; CODE XREF: KiExpireTimer2+3C1j
		test	bl, 10h
		jz	loc_4D7B15
		and	bl, 0EFh
		jmp	loc_5C97AD
; 

loc_4D7DE7:				; CODE XREF: KiExpireTimer2+369j
		push	edx
		push	ecx
		push	[ebp+var_60]
		xor	ecx, ecx
		push	[ebp+var_71+1]
		call	KiTimer2ComputeDueTime
		mov	ecx, [esi+3Ch]
		push	ecx
		mov	ecx, [esi+38h]
		push	ecx
		push	edx
		push	eax
		xor	ecx, ecx
		call	KiTimer2ComputeDueTime
		mov	ecx, eax
		mov	eax, [ebp+var_58]
		jmp	loc_4D7D56
; 

loc_4D7E11:				; CODE XREF: KiExpireTimer2+2FBj
		push	2
		push	0
		mov	edx, 1
		mov	ecx, eax
		call	KiProcessThreadWaitList
		jmp	loc_4D7CE1
; 

loc_4D7E26:				; CODE XREF: KiExpireTimer2+109j
		lea	ecx, [ebp+var_94]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	ecx, [esi+38h]
		mov	edi, edx
		mov	bl, [esi+51h]
		mov	[ebp+var_60], edx
		mov	edx, [esi+3Ch]
		jmp	loc_4D7AF8
; 

loc_4D7E44:				; CODE XREF: KiExpireTimer2+D8j
		mov	eax, [ecx]
		cmp	eax, ecx
		jnz	loc_5C982E

loc_4D7E4E:				; CODE XREF: KiExpireTimer2+F1F6Bj
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		jmp	loc_4D7C14
KiExpireTimer2	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiTimer2Expiration proc	near		; CODE XREF: KiRetireDpcList+577p
					; KiTimerExpirationDpc+F8p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2B		= byte ptr -2Bh
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C99E2 SIZE 00000061 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	[ebp+var_38], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp-2Ah], dl
		stosd
		xor	edx, edx
		mov	[ebp+var_3C], ecx
		mov	esi, offset _KiNextTimer2DueTime
		mov	[ebp+var_2B], 0
		stosd
		stosd
		stosd
		xor	eax, eax
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [esi]
		mov	edi, [ebp+arg_4]
		cmp	edi, edx
		jb	short loc_4D7EB0
		mov	ebx, [ebp+arg_0]
		ja	short loc_4D7EC3
		cmp	ebx, eax
		jnb	short loc_4D7EC3

loc_4D7EB0:				; CODE XREF: KiTimer2Expiration+45j
					; KiTimer2Expiration+194j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4D7EC3:				; CODE XREF: KiTimer2Expiration+4Aj
					; KiTimer2Expiration+4Ej
		lea	eax, [ebp+var_34]
		mov	[ebp+var_29], cl
		mov	ecx, offset _KiTimer2CollectionLock
		mov	[ebp+var_30], eax
		mov	[ebp+var_34], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	esi, esi
		mov	[ebp+var_40], 5
		cmp	[ebp+arg_8], 0
		jz	loc_4D8071

loc_4D7EEC:				; CODE XREF: KiTimer2Expiration+233j
					; KiTimer2Expiration+252j
		mov	ebx, esi
		shl	esi, 4
		add	esi, offset unk_6CB144
		jmp	short loc_4D7F00
; 
		align 10h

loc_4D7F00:				; CODE XREF: KiTimer2Expiration+97j
					; KiTimer2Expiration+E2j
		mov	eax, [esi]
		test	al, 1
		jnz	loc_4D8004
		mov	edi, eax

loc_4D7F0C:				; CODE XREF: KiTimer2Expiration+1B5j
		test	edi, edi
		jz	short loc_4D7F3B

loc_4D7F10:				; CODE XREF: KiTimer2Expiration+1F3j
		xor	eax, eax
		cmp	esi, offset unk_6CB164
		setl	al
		dec	eax
		and	eax, 0Ch
		sub	edi, eax
		mov	eax, [ebp+arg_4]
		cmp	eax, [edi+1Ch]
		jb	short loc_4D7F3B
		ja	loc_4D801A
		mov	eax, [ebp+arg_0]
		cmp	eax, [edi+18h]
		jnb	loc_4D801A

loc_4D7F3B:				; CODE XREF: KiTimer2Expiration+AEj
					; KiTimer2Expiration+C7j ...
		inc	ebx
		add	esi, 10h
		cmp	ebx, [ebp+var_40]
		jl	short loc_4D7F00
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _KiTimer2CollectionLock
		jnz	loc_5C9A27
		xor	eax, eax
		lock and [ecx],	eax

loc_4D7F5B:				; CODE XREF: KiTimer2Expiration+F1BCFj
		mov	edi, [ebp+var_34]
		lea	eax, [ebp+var_34]
		mov	ebx, [ebp+var_3C]
		cmp	edi, eax
		jz	short loc_4D7FAC

loc_4D7F68:				; CODE XREF: KiTimer2Expiration+140j
		lea	esi, [edi-10h]
		mov	edi, [edi]
		mov	ecx, esi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	al, [esi+1]
		test	al, 2
		jz	loc_4D80B7
		test	byte ptr [esi+51h], 2
		jnz	loc_4D8098

loc_4D7F89:				; CODE XREF: KiTimer2Expiration+23Cj
					; KiTimer2Expiration+F1BD8j
		push	[ebp+var_38]
		mov	edx, ebx
		mov	ecx, esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	KiExpireTimer2

loc_4D7F9B:				; CODE XREF: KiTimer2Expiration+27Ej
		lea	eax, [ebp+var_34]
		cmp	edi, eax
		jnz	short loc_4D7F68
		cmp	[ebp+var_29], 0
		jnz	loc_4D80A1

loc_4D7FAC:				; CODE XREF: KiTimer2Expiration+106j
					; KiTimer2Expiration+246j
		cmp	dword ptr [ebx+3B1Ch], 0
		jz	short loc_4D7FC5
		push	2
		push	0
		mov	edx, 1
		mov	ecx, ebx
		call	KiProcessThreadWaitList

loc_4D7FC5:				; CODE XREF: KiTimer2Expiration+153j
		call	KeQueryInterruptTime
		mov	[ebp+var_38], eax
		mov	esi, edx
		xor	eax, eax
		mov	[ebp+var_3C], offset dword_6CB158
		xor	edx, edx
		nop
		mov	edi, [ebp+var_3C]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_38]
		push	edx
		push	eax
		push	esi
		push	edi
		call	_KiShouldActivateHRTimerClock@16 ; KiShouldActivateHRTimerClock(x,x,x,x)
		test	al, al
		jz	loc_4D7EB0
		call	_KiSendClockInterruptToClockOwner@0 ; KiSendClockInterruptToClockOwner()
		jmp	loc_4D7EB0
; 

loc_4D8004:				; CODE XREF: KiTimer2Expiration+A4j
		cmp	eax, 1
		jz	loc_4D7F3B
		lea	edi, [esi-4]
		or	edi, 1
		xor	edi, eax
		jmp	loc_4D7F0C
; 

loc_4D801A:				; CODE XREF: KiTimer2Expiration+C9j
					; KiTimer2Expiration+D5j
		lea	ecx, [edi-10h]
		call	KiRemoveTimer2
		push	1
		mov	edx, 2
		lea	ecx, [edi-10h]
		call	_KiUpdateTimer2Flags@12	; KiUpdateTimer2Flags(x,x,x)
		mov	eax, [ebp+var_30]
		lea	ecx, [ebp+var_34]
		cmp	[eax], ecx
		jnz	loc_5C9A20
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	eax, [esi]
		mov	[ebp+var_30], edi
		test	al, 1
		jnz	short loc_4D805E
		mov	edi, eax

loc_4D8051:				; CODE XREF: KiTimer2Expiration+20Fj
		test	edi, edi
		jnz	loc_4D7F10
		jmp	loc_4D7F3B
; 

loc_4D805E:				; CODE XREF: KiTimer2Expiration+1EDj
		cmp	eax, 1
		jz	loc_4D7F3B
		lea	edi, [esi-4]
		or	edi, 1
		xor	edi, eax
		jmp	short loc_4D8051
; 

loc_4D8071:				; CODE XREF: KiTimer2Expiration+86j
		test	ds:dword_70EFC8, 20000h
		jnz	loc_5C99E2

loc_4D8081:				; CODE XREF: KiTimer2Expiration+F1BBBj
		cmp	byte ptr [ebp-2Ah], 0
		mov	esi, 1
		jnz	short loc_4D80AB
		mov	[ebp+var_40], 2
		jmp	loc_4D7EEC
; 

loc_4D8098:				; CODE XREF: KiTimer2Expiration+123j
					; KiTimer2Expiration+F1BDEj
		mov	[ebp+var_29], 1
		jmp	loc_4D7F89
; 

loc_4D80A1:				; CODE XREF: KiTimer2Expiration+146j
		call	KiCheckAndRearmForceIdle
		jmp	loc_4D7FAC
; 

loc_4D80AB:				; CODE XREF: KiTimer2Expiration+22Aj
		mov	[ebp+var_40], 3
		jmp	loc_4D7EEC
; 

loc_4D80B7:				; CODE XREF: KiTimer2Expiration+119j
		mov	ecx, esi
		test	al, 8
		jz	short loc_4D80E3
		lea	eax, [ebp+var_2B]
		xor	dl, dl
		push	eax
		call	KiInsertTimer2
		test	al, al
		jz	loc_5C9A34
		push	0
		mov	edx, 1
		mov	ecx, esi

loc_4D80D9:				; CODE XREF: KiTimer2Expiration+287j
		call	_KiUpdateTimer2Flags@12	; KiUpdateTimer2Flags(x,x,x)
		jmp	loc_4D7F9B
; 

loc_4D80E3:				; CODE XREF: KiTimer2Expiration+25Bj
		push	4
		xor	edx, edx
		jmp	short loc_4D80D9
KiTimer2Expiration endp

; 
		align 10h
; Exported entry 1304. KeSetTimer2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeSetTimer2
KeSetTimer2	proc near		; CODE XREF: ExSetTimer+6Ap
					; KiProcessPendingForegroundBoosts+145p ...

var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= byte ptr -2Ch
var_2B		= byte ptr -2Bh
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005C9A43 SIZE 0000007D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	ecx, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	eax, ebx
		or	eax, ecx
		mov	[esp+38h+var_10], 0
		push	esi
		push	edi
		mov	[esp+40h+var_C], 0
		mov	[esp+40h+var_20], ebx
		mov	[esp+40h+var_1C], ecx
		jnz	loc_4D8313

loc_4D8126:				; CODE XREF: KeSetTimer2+22Aj
					; KeSetTimer2+238j ...
		mov	esi, [ebp+arg_0]
		mov	al, [esi+51h]
		mov	[esp+40h+var_2D], al
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, [ebp+arg_8]
		mov	ebx, [ebp+arg_4]
		mov	[esp+40h+var_29], al
		mov	[esp+40h+var_2C], 0
		test	edi, edi
		jl	short loc_4D8157
		jg	loc_4D8333
		test	ebx, ebx
		jnz	loc_4D8333

loc_4D8157:				; CODE XREF: KeSetTimer2+57j
					; KeSetTimer2+28Ej ...
		test	[esp+40h+var_2D], 4
		jnz	loc_4D839D
		call	KeQueryInterruptTime

loc_4D8167:				; CODE XREF: KeSetTimer2+2B6j
		neg	ebx
		adc	edi, 0
		xor	ecx, ecx
		neg	edi
		push	edi
		push	ebx
		push	edx
		push	eax
		call	KiTimer2ComputeDueTime
		mov	ecx, [ebp+arg_14]
		mov	ebx, eax
		mov	[esp+40h+var_14], ebx
		mov	edi, edx
		mov	[esp+40h+var_18], edi
		mov	[esp+40h+var_28], ebx
		mov	[esp+40h+var_24], edi
		test	ecx, ecx
		jz	short loc_4D81C0
		cmp	byte ptr [esi+52h], 15h
		jz	short loc_4D81C0
		mov	edx, [ecx+8]
		mov	eax, edx
		mov	ecx, [ecx+0Ch]
		and	eax, ecx
		cmp	eax, 0FFFFFFFFh
		jz	loc_4D82D9
		push	ecx
		push	edx
		push	edi
		push	ebx
		xor	ecx, ecx
		call	KiTimer2ComputeDueTime
		mov	[esp+40h+var_28], eax
		mov	[esp+40h+var_24], edx

loc_4D81C0:				; CODE XREF: KeSetTimer2+A2j
					; KeSetTimer2+A8j ...
		xor	bl, bl
		mov	ecx, esi
		mov	[esp+40h+var_2B], bl
		mov	edi, 1
		call	KiAcquireTimer2LockUnlessDisabled
		test	al, al
		jnz	loc_4D82C4
		mov	ecx, esi
		call	KiAcquireTimer2CollectionLockIfInserted
		test	al, al
		jnz	loc_4D82EE
		mov	al, [esi+1]
		test	al, 0Fh
		jnz	loc_4D8424

loc_4D81F4:				; CODE XREF: KeSetTimer2+21Ej
					; KeSetTimer2+341j
		test	ds:_KiVelocityFlags, 2000h
		mov	eax, [esp+40h+var_14]
		mov	[esi+28h], eax
		mov	eax, [esp+40h+var_18]
		mov	[esi+2Ch], eax
		mov	eax, [esp+40h+var_28]
		mov	[esi+30h], eax
		mov	eax, [esp+40h+var_24]
		mov	[esi+34h], eax
		mov	eax, [esp+40h+var_20]
		mov	dl, [esi+51h]
		mov	[esi+38h], eax
		mov	eax, [esp+40h+var_1C]
		mov	[esi+3Ch], eax
		mov	al, [esp+40h+var_2C]
		mov	dword ptr [esi+4], 0
		mov	[esi+50h], al
		jz	loc_4D8409
		test	dl, 0Eh
		jz	loc_4D83D1

loc_4D8248:				; CODE XREF: KeSetTimer2+301j
					; KeSetTimer2+31Cj ...
		mov	byte ptr [esp+16h], 0
		cmp	edi, 1
		jnz	short loc_4D826F
		mov	ecx, offset _KiTimer2CollectionLock
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	eax, [esp+16h]
		mov	dl, 1
		push	eax
		lea	eax, [esp+44h+var_2B]
		mov	ecx, esi
		push	eax
		call	KiInsertTimer2WithCollectionLockHeld

loc_4D826F:				; CODE XREF: KeSetTimer2+160j
		test	ds:dword_70EFC8, 20000h
		mov	ecx, esi
		jnz	loc_5C9AA6
		push	0
		mov	edx, edi
		call	_KiUpdateTimer2Flags@12	; KiUpdateTimer2Flags(x,x,x)
		cmp	edi, 1
		jnz	short loc_4D82A6
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _KiTimer2CollectionLock
		jnz	loc_5C9AB3
		xor	eax, eax
		lock and [ecx],	eax

loc_4D82A6:				; CODE XREF: KeSetTimer2+19Dj
					; KeSetTimer2+F19BEj ...
		call	_KeIsForceIdleEngaged@0	; KeIsForceIdleEngaged()
		test	al, al
		jnz	short loc_4D82C4
		cmp	[esp+40h+var_2B], al
		jnz	loc_4D8383
		test	[esp+40h+var_2D], 4
		jnz	loc_4D83AB

loc_4D82C4:				; CODE XREF: KeSetTimer2+E4j
					; KeSetTimer2+1BDj ...
		mov	cl, [esp+40h+var_29]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, bl
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4D82D9:				; CODE XREF: KeSetTimer2+B7j
		mov	[esp+40h+var_28], 0FFFFFFFFh
		mov	[esp+40h+var_24], 0FFFFFFFFh
		jmp	loc_4D81C0
; 

loc_4D82EE:				; CODE XREF: KeSetTimer2+F3j
		mov	ecx, esi
		call	KiRemoveTimer2
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _KiTimer2CollectionLock
		jnz	loc_5C9A8C
		xor	eax, eax
		lock and [ecx],	eax

loc_4D830C:				; CODE XREF: KeSetTimer2+33Bj
					; KeSetTimer2+F19A4j
		mov	bl, 1
		jmp	loc_4D81F4
; 

loc_4D8313:				; CODE XREF: KeSetTimer2+30j
		mov	eax, ds:_KeMinimumIncrement
		test	ecx, ecx
		jg	loc_4D8126
		jl	loc_5C9A43
		cmp	ebx, eax
		jnb	loc_4D8126
		jmp	loc_5C9A43
; 

loc_4D8333:				; CODE XREF: KeSetTimer2+59j
					; KeSetTimer2+61j
		test	[esp+40h+var_2D], 4
		mov	[esp+40h+var_2C], 1
		jnz	loc_5C9A54
		mov	edx, 0FFDF0018h
		mov	[esp+40h+var_10], 0
		mov	ecx, 0FFDF0014h
		mov	eax, 0FFDF001Ch
		mov	edx, [edx]
		mov	ecx, [ecx]
		mov	eax, [eax]
		cmp	edx, eax
		jnz	loc_5C9A60

loc_4D8368:				; CODE XREF: KeSetTimer2+F196Bj
					; KeSetTimer2+F1997j
		cmp	edi, edx
		jl	short loc_4D837A
		jg	loc_4D83FC
		cmp	ebx, ecx
		ja	loc_4D83FC

loc_4D837A:				; CODE XREF: KeSetTimer2+27Aj
		xor	ebx, ebx
		xor	edi, edi
		jmp	loc_4D8157
; 

loc_4D8383:				; CODE XREF: KeSetTimer2+1C3j
		call	_KiRequestTimer2Expiration@0 ; KiRequestTimer2Expiration()
		mov	cl, [esp+40h+var_29]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4D839D:				; CODE XREF: KeSetTimer2+6Cj
		lea	ecx, [esp+40h+var_8]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		jmp	loc_4D8167
; 

loc_4D83AB:				; CODE XREF: KeSetTimer2+1CEj
		push	[esp+40h+var_18]
		push	[esp+44h+var_14]
		call	KeQueryInterruptTime
		push	edx
		push	eax
		call	_KiShouldActivateHRTimerClock@16 ; KiShouldActivateHRTimerClock(x,x,x,x)
		test	al, al
		jz	loc_4D82C4
		call	_KiSendClockInterruptToClockOwner@0 ; KiSendClockInterruptToClockOwner()
		jmp	loc_4D82C4
; 

loc_4D83D1:				; CODE XREF: KeSetTimer2+152j
		mov	eax, large fs:124h
		mov	dh, dl
		and	dh, 10h
		mov	ecx, [eax+80h]
		call	PsTimerResolutionActive
		test	al, al
		jnz	loc_5C9A99
		test	dh, dh
		jz	loc_4D8248
		and	dl, 0EFh
		jmp	short loc_4D8415
; 

loc_4D83FC:				; CODE XREF: KeSetTimer2+27Cj
					; KeSetTimer2+284j
		sub	ecx, ebx
		mov	ebx, ecx
		sbb	edx, edi
		mov	edi, edx
		jmp	loc_4D8157
; 

loc_4D8409:				; CODE XREF: KeSetTimer2+149j
		test	dl, 10h
		jnz	loc_4D8248

loc_4D8412:				; CODE XREF: KeSetTimer2+F19B1j
		or	dl, 10h

loc_4D8415:				; CODE XREF: KeSetTimer2+30Aj
		mov	ecx, esi
		mov	[esi+51h], dl
		call	_KiUpdateTimer2Collections@4 ; KiUpdateTimer2Collections(x)
		jmp	loc_4D8248
; 

loc_4D8424:				; CODE XREF: KeSetTimer2+FEj
		mov	edi, 8
		test	al, 4
		jz	loc_4D830C
		jmp	loc_4D81F4
KeSetTimer2	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiTimer2ComputeDueTime proc near	; CODE XREF: KiExpireTimer2+122p
					; KiExpireTimer2+411p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C9AC0 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		push	[ebp+arg_C]
		mov	esi, ecx
		lea	ecx, [ebp+var_8]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_RtlULongLongAdd@20 ; RtlULongLongAdd(x,x,x,x,x)
		test	eax, eax
		jnz	loc_5C9AC0
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	edx, [ebp+var_4]
		and	ecx, edx
		cmp	ecx, 0FFFFFFFFh
		jz	loc_5C9AC0
		test	esi, esi
		jnz	short loc_4D8480

loc_4D847B:				; CODE XREF: KiTimer2ComputeDueTime+4Dj
					; KiTimer2ComputeDueTime+F1697j
		pop	esi
		leave
		retn	10h
; 

loc_4D8480:				; CODE XREF: KiTimer2ComputeDueTime+43j
		mov	byte ptr [esi],	0
		jmp	short loc_4D847B
KiTimer2ComputeDueTime endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlULongLongAdd(x, x, x, x,	x)
_RtlULongLongAdd@20 proc near		; CODE XREF: KiTimer2ComputeDueTime+21p
					; PopFxScheduleDeviceIdleTimer(x)+81p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		add	eax, [ebp+arg_8]
		mov	edx, [ebp+arg_4]
		adc	edx, [ebp+arg_C]
		push	esi
		mov	esi, ecx
		cmp	edx, [ebp+arg_4]
		ja	short loc_4D84A6
		jb	short loc_4D84B4
		cmp	eax, [ebp+arg_0]
		jb	short loc_4D84B4

loc_4D84A6:				; CODE XREF: RtlULongLongAdd(x,x,x,x,x)+17j
		xor	ecx, ecx

loc_4D84A8:				; CODE XREF: RtlULongLongAdd(x,x,x,x,x)+38j
		mov	[esi], eax
		mov	eax, ecx
		mov	[esi+4], edx
		pop	esi
		pop	ebp
		retn	10h
; 

loc_4D84B4:				; CODE XREF: RtlULongLongAdd(x,x,x,x,x)+19j
					; RtlULongLongAdd(x,x,x,x,x)+1Ej
		or	eax, 0FFFFFFFFh
		mov	ecx, 0C0000095h
		mov	edx, eax
		jmp	short loc_4D84A8
_RtlULongLongAdd@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiUpdateTimer2Flags(x, x, x)
_KiUpdateTimer2Flags@12	proc near	; CODE XREF: KeCancelTimer2+6Ap
					; KeDisableTimer2+CBp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, ecx
		not	esi
		mov	[ebp+var_4], eax
		and	esi, 1
		xor	bl, bl
		add	esi, 1Eh
		shl	esi, 7
		test	byte ptr [ebp+arg_0], 2
		push	edi
		mov	edi, edx
		jnz	short loc_4D8537

loc_4D84E8:				; CODE XREF: KiUpdateTimer2Flags(x,x,x)+7Dj
		mov	edx, [eax]
		not	esi
		shl	edi, 8
		mov	eax, edx
		mov	[ebp+var_8], edi
		mov	edi, esi
		mov	[ebp+var_C], esi
		and	edi, edx

loc_4D84FB:				; CODE XREF: KiUpdateTimer2Flags(x,x,x)+85j
		or	edi, [ebp+var_8]
		mov	esi, [ebp+var_4]
		mov	ecx, edi
		lock cmpxchg [esi], ecx
		mov	esi, [ebp+var_C]
		cmp	edx, eax
		jnz	short loc_4D853F
		test	byte ptr [ebp+arg_0], 4
		jnz	short loc_4D851D

loc_4D8514:				; CODE XREF: KiUpdateTimer2Flags(x,x,x)+69j
					; KiUpdateTimer2Flags(x,x,x)+75j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
; 

loc_4D851D:				; CODE XREF: KiUpdateTimer2Flags(x,x,x)+52j
		and	edi, 3F00h
		cmp	edi, 2000h
		jnz	short loc_4D8514
		mov	ecx, [ebp+var_4]
		call	KiFinalizeTimer2Disablement
		mov	bl, 1
		jmp	short loc_4D8514
; 

loc_4D8537:				; CODE XREF: KiUpdateTimer2Flags(x,x,x)+26j
		and	esi, 0FFFFF0FFh
		jmp	short loc_4D84E8
; 

loc_4D853F:				; CODE XREF: KiUpdateTimer2Flags(x,x,x)+4Cj
		mov	edi, esi
		mov	edx, eax
		and	edi, eax
		jmp	short loc_4D84FB
_KiUpdateTimer2Flags@12	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAcquireTimer2CollectionLockIfInserted	proc near ; CODE XREF: KeCancelTimer2+39p
					; KeDisableTimer2+A2p ...

; FUNCTION CHUNK AT 005C9AD2 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		xor	bl, bl
		test	byte ptr [esi+1], 1
		jnz	short loc_4D855F

loc_4D8559:				; CODE XREF: KiAcquireTimer2CollectionLockIfInserted+31j
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn
; 

loc_4D855F:				; CODE XREF: KiAcquireTimer2CollectionLockIfInserted+Fj
		push	edi
		mov	edi, offset _KiTimer2CollectionLock
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	byte ptr [esi+1], 1
		jz	loc_5C9AD2
		mov	bl, 1

loc_4D8578:				; CODE XREF: KiAcquireTimer2CollectionLockIfInserted+F159Dj
					; KiAcquireTimer2CollectionLockIfInserted+F15A7j
		pop	edi
		jmp	short loc_4D8559
KiAcquireTimer2CollectionLockIfInserted	endp

; 
		align 4

;  S U B	R O U T	I N E 


KiAcquireTimer2LockUnlessDisabled proc near ; CODE XREF: KeCancelTimer2+2Ep
					; KeDisableTimer2+7Dp ...

; FUNCTION CHUNK AT 005C9AF4 SIZE 00000010 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	al, [esi+1]
		test	al, 20h
		jnz	loc_5C9AF4

loc_4D8591:				; CODE XREF: KiAcquireTimer2LockUnlessDisabled+F1583j
		shr	al, 5
		and	al, 1
		pop	esi
		retn
KiAcquireTimer2LockUnlessDisabled endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInsertTimer2WithCollectionLockHeld proc near ; CODE XREF: KiInsertTimer2+28p
					; KeSetTimer2+17Ap

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C9B04 SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	bh, dl
		mov	bl, 1
		xor	edx, edx
		mov	[ebp+var_2], bh
		push	edi
		mov	edi, ecx
		mov	[eax], dl
		mov	eax, [ebp+arg_4]
		mov	esi, edx
		mov	[ebp+var_10], edi
		mov	[ebp+var_1], bl
		mov	cl, [edi+52h]
		mov	[eax], dl
		cmp	cl, 15h
		jz	loc_4D86E2
		test	cl, 20h
		jz	short loc_4D85E5
		mov	eax, [edi+28h]
		cmp	eax, [edi+30h]
		jnz	short loc_4D85E5
		mov	eax, [edi+2Ch]
		cmp	eax, [edi+34h]
		jz	loc_4D86E2

loc_4D85E5:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+37j
					; KiInsertTimer2WithCollectionLockHeld+3Fj
		push	edx
		movzx	edx, cl
		mov	al, cl
		and	edx, 7
		and	al, 0EFh
		shl	edx, 4
		mov	ecx, edi
		add	edx, offset _KiTimer2Collections
		mov	[edi+52h], al
		call	KiInsertTimer2IntoCollection
		mov	esi, eax

loc_4D8605:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+150j
		mov	eax, [edi+30h]
		and	eax, [edi+34h]
		mov	cl, [edi+53h]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4D864B
		mov	al, cl
		and	cl, 7
		movzx	edx, cl
		and	al, 0EFh
		shl	edx, 4
		mov	ecx, edi
		push	1
		add	edx, offset _KiTimer2Collections
		mov	[edi+53h], al
		call	KiInsertTimer2IntoCollection
		or	esi, eax

loc_4D8634:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+B9j
		test	esi, esi
		jnz	short loc_4D8653

loc_4D8638:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+126j
					; KiInsertTimer2WithCollectionLockHeld+131j ...
		test	byte ptr [edi+51h], 4
		jnz	loc_4D86ED

loc_4D8642:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+164j
					; KiInsertTimer2WithCollectionLockHeld+170j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
; 

loc_4D864B:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+79j
		or	cl, 10h
		mov	[edi+53h], cl
		jmp	short loc_4D8634
; 

loc_4D8653:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+9Ej
		mov	edx, [edi+2Ch]
		mov	ecx, [edi+28h]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_14], edx
		cmp	dword_6CB194, edx
		jb	short loc_4D86B4
		ja	short loc_4D8671
		cmp	_KiNextTimer2DueTime, ecx
		jbe	short loc_4D86B4

loc_4D8671:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+CFj
		mov	esi, _KiNextTimer2DueTime
		mov	eax, esi
		mov	edx, dword_6CB194
		mov	[ebp+var_18], edx
		mov	[ebp+var_8], offset _KiNextTimer2DueTime
		nop
		mov	edi, [ebp+var_8]
		mov	ebx, ecx
		mov	ecx, [ebp+var_14]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_10]
		cmp	eax, esi
		jnz	short loc_4D870D
		cmp	edx, [ebp+var_18]
		jnz	short loc_4D870D

loc_4D86A2:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+F158Aj
		and	[ebp+var_18], 0
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	bl, [ebp+var_1]
		mov	bh, [ebp+var_2]

loc_4D86B4:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+CDj
					; KiInsertTimer2WithCollectionLockHeld+D7j
		call	KeQueryInterruptTime
		mov	ecx, eax
		cmp	[edi+2Ch], edx
		ja	loc_4D8638
		jb	short loc_4D86CF
		cmp	[edi+28h], ecx
		ja	loc_4D8638

loc_4D86CF:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+12Cj
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	1
		test	bh, bh
		jnz	loc_4D8638
		jmp	loc_5C9B27
; 

loc_4D86E2:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+2Ej
					; KiInsertTimer2WithCollectionLockHeld+47j
		or	cl, 10h
		mov	[edi+52h], cl
		jmp	loc_4D8605
; 

loc_4D86ED:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+A4j
		xor	ecx, ecx
		inc	ecx
		lock xadd _KiHrTimerActiveCount, ecx
		inc	ecx
		cmp	ecx, 1
		jnz	loc_4D8642
		mov	eax, [ebp+arg_4]
		mov	byte ptr [eax],	0
		jmp	loc_4D8642
; 

loc_4D870D:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+103j
					; KiInsertTimer2WithCollectionLockHeld+108j
		mov	edi, [ebp+var_C]
		jmp	loc_5C9B04
KiInsertTimer2WithCollectionLockHeld endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInsertTimer2IntoCollection proc near	; CODE XREF: KiInsertTimer2WithCollectionLockHeld+66p
					; KiInsertTimer2WithCollectionLockHeld+95p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C9B35 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], ecx
		lea	eax, [esi+2]
		lea	eax, [esi+eax*2]
		lea	ebx, [ecx+eax*4]
		mov	ecx, [edi+4]
		mov	eax, ecx
		mov	[ebp+var_8], ebx
		and	eax, 1
		test	esi, esi
		jnz	short loc_4D8757
		test	eax, eax
		mov	eax, [edi]
		jz	short loc_4D87C8
		test	eax, eax
		jnz	short loc_4D87C6
		jmp	short loc_4D87C8
; 

loc_4D8757:				; CODE XREF: KiInsertTimer2IntoCollection+29j
		test	eax, eax
		mov	eax, [edi]
		jz	short loc_4D8767
		test	eax, eax
		jz	loc_4D88A6
		xor	eax, edi

loc_4D8767:				; CODE XREF: KiInsertTimer2IntoCollection+3Bj
					; KiInsertTimer2IntoCollection+188j
		movzx	edx, cl
		xor	cl, cl
		and	edx, 1
		test	eax, eax
		jz	loc_4D8823
		mov	ecx, [ebx+14h]
		mov	[ebp+var_4], ecx
		mov	ecx, [ebx+18h]
		mov	[ebp+var_8], ecx

loc_4D8783:				; CODE XREF: KiInsertTimer2IntoCollection+90j
		mov	ecx, [eax+18h]
		mov	esi, [eax+14h]
		cmp	[ebp+var_8], ecx
		jb	short loc_4D87B2
		ja	short loc_4D8795
		cmp	[ebp+var_4], esi
		jb	short loc_4D87B2

loc_4D8795:				; CODE XREF: KiInsertTimer2IntoCollection+6Ej
		mov	ecx, [eax+4]
		test	edx, edx
		jz	short loc_4D87A6
		test	ecx, ecx
		jz	loc_4D88AD
		xor	ecx, eax

loc_4D87A6:				; CODE XREF: KiInsertTimer2IntoCollection+7Aj
		test	ecx, ecx
		jz	loc_4D88AD

loc_4D87AE:				; CODE XREF: KiInsertTimer2IntoCollection+A0j
		mov	eax, ecx
		jmp	short loc_4D8783
; 

loc_4D87B2:				; CODE XREF: KiInsertTimer2IntoCollection+6Cj
					; KiInsertTimer2IntoCollection+73j
		mov	ecx, [eax]
		test	edx, edx
		jz	short loc_4D87BE
		test	ecx, ecx
		jz	short loc_4D87C2
		xor	ecx, eax

loc_4D87BE:				; CODE XREF: KiInsertTimer2IntoCollection+96j
		test	ecx, ecx
		jnz	short loc_4D87AE

loc_4D87C2:				; CODE XREF: KiInsertTimer2IntoCollection+9Aj
		xor	cl, cl
		jmp	short loc_4D8820
; 

loc_4D87C6:				; CODE XREF: KiInsertTimer2IntoCollection+33j
		xor	eax, edi

loc_4D87C8:				; CODE XREF: KiInsertTimer2IntoCollection+2Fj
					; KiInsertTimer2IntoCollection+35j
		movzx	ecx, cl
		and	ecx, 1
		mov	[ebp+var_4], ecx
		xor	cl, cl
		test	eax, eax
		jz	short loc_4D8823
		mov	esi, [ebx+18h]
		mov	ebx, [ebx+1Ch]
		lea	ecx, [ecx+0]

loc_4D87E0:				; CODE XREF: KiInsertTimer2IntoCollection+E3j
		mov	edx, [eax+18h]
		cmp	ebx, [eax+1Ch]
		jb	short loc_4D8805
		ja	short loc_4D87EE
		cmp	esi, edx
		jb	short loc_4D8805

loc_4D87EE:				; CODE XREF: KiInsertTimer2IntoCollection+C8j
		cmp	[ebp+var_4], 0
		mov	ecx, [eax+4]
		jz	short loc_4D87FD
		test	ecx, ecx
		jz	short loc_4D881B
		xor	ecx, eax

loc_4D87FD:				; CODE XREF: KiInsertTimer2IntoCollection+D5j
		test	ecx, ecx
		jz	short loc_4D881B

loc_4D8801:				; CODE XREF: KiInsertTimer2IntoCollection+F5j
		mov	eax, ecx
		jmp	short loc_4D87E0
; 

loc_4D8805:				; CODE XREF: KiInsertTimer2IntoCollection+C6j
					; KiInsertTimer2IntoCollection+CCj
		cmp	[ebp+var_4], 0
		mov	ecx, [eax]
		jz	short loc_4D8813
		test	ecx, ecx
		jz	short loc_4D8817
		xor	ecx, eax

loc_4D8813:				; CODE XREF: KiInsertTimer2IntoCollection+EBj
		test	ecx, ecx
		jnz	short loc_4D8801

loc_4D8817:				; CODE XREF: KiInsertTimer2IntoCollection+EFj
		xor	cl, cl
		jmp	short loc_4D881D
; 

loc_4D881B:				; CODE XREF: KiInsertTimer2IntoCollection+D9j
					; KiInsertTimer2IntoCollection+DFj
		mov	cl, 1

loc_4D881D:				; CODE XREF: KiInsertTimer2IntoCollection+F9j
		mov	ebx, [ebp+var_8]

loc_4D8820:				; CODE XREF: KiInsertTimer2IntoCollection+A4j
					; KiInsertTimer2IntoCollection+18Fj
		mov	esi, [ebp+arg_0]

loc_4D8823:				; CODE XREF: KiInsertTimer2IntoCollection+51j
					; KiInsertTimer2IntoCollection+B5j
		push	ebx
		mov	byte ptr [ebp+arg_0], cl
		push	[ebp+arg_0]
		push	eax
		push	edi
		call	RtlRbInsertNodeEx
		mov	ecx, [edi+4]
		test	cl, 1
		jnz	short loc_4D884A
		mov	eax, ecx

loc_4D883B:				; CODE XREF: KiInsertTimer2IntoCollection+131j
					; KiInsertTimer2IntoCollection+13Aj
		cmp	eax, ebx
		jz	short loc_4D885C
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4D884A:				; CODE XREF: KiInsertTimer2IntoCollection+117j
		cmp	ecx, 1
		jnz	short loc_4D8853
		xor	eax, eax
		jmp	short loc_4D883B
; 

loc_4D8853:				; CODE XREF: KiInsertTimer2IntoCollection+12Dj
		mov	eax, edi
		or	eax, 1
		xor	eax, ecx
		jmp	short loc_4D883B
; 

loc_4D885C:				; CODE XREF: KiInsertTimer2IntoCollection+11Dj
		mov	eax, [ebp+var_C]
		mov	ecx, [eax+esi*8+28h]
		mov	eax, [eax+esi*8+2Ch]
		mov	esi, [edi+8]
		mov	[ebp+var_C], eax
		lea	eax, [edi+8]
		mov	edi, [eax+4]
		mov	edx, edi
		mov	[ebp+arg_0], eax
		mov	eax, esi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], edi
		nop
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		mov	ecx, [ebp+var_C]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_8]
		cmp	eax, esi
		jnz	short loc_4D88B4
		cmp	edx, edi
		jnz	short loc_4D88B4

loc_4D8898:				; CODE XREF: KiInsertTimer2IntoCollection+F142Bj
		pop	edi
		pop	esi
		mov	eax, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4D88A6:				; CODE XREF: KiInsertTimer2IntoCollection+3Fj
		xor	eax, eax
		jmp	loc_4D8767
; 

loc_4D88AD:				; CODE XREF: KiInsertTimer2IntoCollection+7Ej
					; KiInsertTimer2IntoCollection+88j
		mov	cl, 1
		jmp	loc_4D8820
; 

loc_4D88B4:				; CODE XREF: KiInsertTimer2IntoCollection+172j
					; KiInsertTimer2IntoCollection+176j
		mov	edi, [ebp+arg_0]
		jmp	loc_5C9B35
KiInsertTimer2IntoCollection endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiRemoveTimer2	proc near		; CODE XREF: KeCancelTimer2+44p
					; KeDisableTimer2+109p	...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C9B50 SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_18], 0
		xor	ecx, ecx
		mov	[ebp+var_14], edi
		mov	ebx, 28h
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		lea	eax, [edi+10h]
		mov	[ebp+var_4], eax
		mov	eax, 0FFFFFFF0h
		sub	eax, edi
		mov	[ebp+var_1C], eax
		lea	eax, [edi+52h]
		mov	edi, [ebp+var_4]
		mov	[ebp+var_2C], eax
		lea	ecx, [ecx+0]

loc_4D8900:				; CODE XREF: KiRemoveTimer2+F1j
		mov	al, [eax+ecx]
		test	al, 10h
		jnz	loc_4D8994
		and	al, 7
		movzx	esi, al
		shl	esi, 4
		add	esi, offset _KiTimer2Collections
		mov	eax, [esi+4]
		test	al, 1
		jnz	loc_4D8A4C
		mov	[ebp+var_8], eax

loc_4D8927:				; CODE XREF: KiRemoveTimer2+198j
					; KiRemoveTimer2+1B8j
		push	edi
		push	esi
		call	RtlRbRemoveNode
		cmp	[ebp+var_8], edi
		jnz	short loc_4D8994
		mov	eax, [esi+4]
		mov	[ebp+var_18], 1
		test	al, 1
		jnz	loc_4D8A5D
		mov	ecx, eax

loc_4D8947:				; CODE XREF: KiRemoveTimer2+1A9j
		test	ecx, ecx
		jz	loc_4D8A7D
		mov	eax, ebx
		sub	eax, [ebp+var_1C]
		sub	eax, edi
		mov	ebx, [eax+ecx-10h]
		mov	edi, [eax+ecx-0Ch]
		lea	eax, [esi+8]
		mov	esi, [eax]
		mov	ecx, [eax+4]
		mov	edx, ecx
		mov	[ebp+var_8], eax
		mov	eax, esi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ecx
		nop
		mov	ecx, edi
		mov	edi, [ebp+var_8]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_4]
		cmp	eax, esi
		jnz	loc_5C9B50
		cmp	edx, [ebp+var_20]
		jnz	loc_5C9B50

loc_4D8994:				; CODE XREF: KiRemoveTimer2+45j
					; KiRemoveTimer2+71j ...
		mov	eax, [ebp+var_C]
		add	edi, 0Ch
		inc	[ebp+var_10]
		add	eax, 8
		mov	ecx, [ebp+var_10]
		cmp	eax, 38h
		mov	[ebp+var_C], eax
		mov	ebx, eax
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_4], edi
		jb	loc_4D8900
		cmp	[ebp+var_18], 0
		mov	edi, [ebp+var_14]
		jz	short loc_4D8A39
		mov	eax, _KiNextTimer2DueTime
		cmp	eax, [edi+28h]
		jnz	short loc_4D8A39
		mov	eax, dword_6CB194
		cmp	eax, [edi+2Ch]
		jnz	short loc_4D8A39
		or	ebx, 0FFFFFFFFh
		mov	eax, offset unk_6CB148
		or	edi, 0FFFFFFFFh
		mov	ecx, 5

loc_4D89E4:				; CODE XREF: KiRemoveTimer2+139j
		mov	esi, [eax+4]
		mov	edx, [eax]
		cmp	esi, edi
		ja	short loc_4D89F3
		jb	short loc_4D8A46
		cmp	edx, ebx
		jb	short loc_4D8A46

loc_4D89F3:				; CODE XREF: KiRemoveTimer2+12Bj
					; KiRemoveTimer2+18Aj
		add	eax, 10h
		sub	ecx, 1
		jnz	short loc_4D89E4
		mov	esi, _KiNextTimer2DueTime
		mov	eax, esi
		mov	ecx, dword_6CB194
		mov	edx, ecx
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_2C], offset _KiNextTimer2DueTime
		nop
		mov	ecx, edi
		mov	edi, [ebp+var_2C]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_14]
		cmp	eax, esi
		jnz	loc_5C9B8E
		cmp	edx, [ebp+var_28]
		jnz	loc_5C9B8E

loc_4D8A39:				; CODE XREF: KiRemoveTimer2+FEj
					; KiRemoveTimer2+108j ...
		test	byte ptr [edi+51h], 4
		pop	edi
		pop	esi
		pop	ebx
		jnz	short loc_4D8AB4

loc_4D8A42:				; CODE XREF: KiRemoveTimer2+1FBj
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4D8A46:				; CODE XREF: KiRemoveTimer2+12Dj
					; KiRemoveTimer2+131j
		mov	ebx, edx
		mov	edi, esi
		jmp	short loc_4D89F3
; 

loc_4D8A4C:				; CODE XREF: KiRemoveTimer2+5Ej
		cmp	eax, 1
		jnz	short loc_4D8A6E
		mov	[ebp+var_8], 0
		jmp	loc_4D8927
; 

loc_4D8A5D:				; CODE XREF: KiRemoveTimer2+7Fj
		cmp	eax, 1
		jz	short loc_4D8A7D
		mov	ecx, esi
		or	ecx, 1
		xor	ecx, eax
		jmp	loc_4D8947
; 

loc_4D8A6E:				; CODE XREF: KiRemoveTimer2+18Fj
		mov	ecx, esi
		or	ecx, 1
		xor	ecx, eax
		mov	[ebp+var_8], ecx
		jmp	loc_4D8927
; 

loc_4D8A7D:				; CODE XREF: KiRemoveTimer2+89j
					; KiRemoveTimer2+1A0j
		lea	eax, [esi+8]
		mov	esi, [eax]
		mov	ecx, [eax+4]
		mov	edx, ecx
		mov	[ebp+var_8], eax
		mov	eax, esi
		mov	[ebp+var_28], ecx
		nop
		mov	edi, [ebp+var_8]
		or	ebx, 0FFFFFFFFh
		or	ecx, ebx
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_4D8AAC
		cmp	edx, [ebp+var_28]
		jz	loc_4D8994

loc_4D8AAC:				; CODE XREF: KiRemoveTimer2+1E1j
		mov	edi, [ebp+var_8]
		jmp	loc_5C9B6E
; 

loc_4D8AB4:				; CODE XREF: KiRemoveTimer2+180j
		lock dec _KiHrTimerActiveCount
		jmp	short loc_4D8A42
KiRemoveTimer2	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiShouldActivateHRTimerClock(x, x, x, x)
_KiShouldActivateHRTimerClock@16 proc near ; CODE XREF:	KiTimer2Expiration+18Dp
					; KeSetTimer2+2CAp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, ds:_KeMaximumIncrement
		xor	eax, eax
		xor	edx, edx
		add	ecx, [ebp+arg_0]
		adc	eax, [ebp+arg_4]
		cmp	[ebp+arg_C], eax
		ja	short loc_4D8ADF
		jb	short loc_4D8AE5
		cmp	[ebp+arg_8], ecx
		jb	short loc_4D8AE5

loc_4D8ADF:				; CODE XREF: KiShouldActivateHRTimerClock(x,x,x,x)+18j
					; KiShouldActivateHRTimerClock(x,x,x,x)+3Dj
		mov	al, dl
		pop	ebp
		retn	10h
; 

loc_4D8AE5:				; CODE XREF: KiShouldActivateHRTimerClock(x,x,x,x)+1Aj
					; KiShouldActivateHRTimerClock(x,x,x,x)+1Fj
		mov	ecx, _KiClockOwnerOneShotRequest
		mov	eax, ecx
		push	esi
		mov	esi, dword_6CADF4
		or	eax, esi
		jnz	short loc_4D8AFD

loc_4D8AF8:				; CODE XREF: KiShouldActivateHRTimerClock(x,x,x,x)+58j
					; KiShouldActivateHRTimerClock(x,x,x,x)+5Ej
		mov	dl, 1

loc_4D8AFA:				; CODE XREF: KiShouldActivateHRTimerClock(x,x,x,x)+42j
					; KiShouldActivateHRTimerClock(x,x,x,x)+49j ...
		pop	esi
		jmp	short loc_4D8ADF
; 

loc_4D8AFD:				; CODE XREF: KiShouldActivateHRTimerClock(x,x,x,x)+38j
		cmp	[ebp+arg_C], esi
		ja	short loc_4D8AFA
		jb	short loc_4D8B09
		cmp	[ebp+arg_8], ecx
		jnb	short loc_4D8AFA

loc_4D8B09:				; CODE XREF: KiShouldActivateHRTimerClock(x,x,x,x)+44j
		sub	ecx, [ebp+arg_8]
		mov	eax, ds:_KeMinimumIncrement
		sbb	esi, [ebp+arg_C]
		cmp	esi, edx
		ja	short loc_4D8AF8
		jb	short loc_4D8AFA
		cmp	ecx, eax
		ja	short loc_4D8AF8
		jmp	short loc_4D8AFA
_KiShouldActivateHRTimerClock@16 endp


;  S U B	R O U T	I N E 


; __stdcall ExpTimerSetParametersAreValid(x)
_ExpTimerSetParametersAreValid@4 proc near ; CODE XREF:	ExSetTimer+4Ap
					; ExpSetTimerObject2+28p
		cmp	dword ptr [ecx], 0
		jnz	short loc_4D8B36
		cmp	dword ptr [ecx+0Ch], 0FFFFFFFFh
		jg	short loc_4D8B33
		jl	short loc_4D8B36
		cmp	dword ptr [ecx+8], 0FFFFFFFFh
		jb	short loc_4D8B36

loc_4D8B33:				; CODE XREF: ExpTimerSetParametersAreValid(x)+9j
		mov	al, 1
		retn
; 

loc_4D8B36:				; CODE XREF: ExpTimerSetParametersAreValid(x)+3j
					; ExpTimerSetParametersAreValid(x)+Bj ...
		xor	al, al
		retn
_ExpTimerSetParametersAreValid@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiUnmarkTimer2Running(x)
_KiUnmarkTimer2Running@4 proc near	; CODE XREF: KiExpireTimer2+352p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, 0FFFFEFFFh
		mov	eax, [ecx]

loc_4D8B46:				; CODE XREF: KiUnmarkTimer2Running(x)+14j
		mov	edx, eax
		and	edx, esi
		lock cmpxchg [ecx], edx
		jnz	short loc_4D8B46
		mov	esi, eax
		and	esi, 2F00h
		mov	edi, 2000h
		cmp	esi, edi
		jz	short loc_4D8B68

loc_4D8B61:				; CODE XREF: KiUnmarkTimer2Running(x)+35j
		pop	edi
		setz	al
		pop	esi
		pop	ecx
		retn
; 

loc_4D8B68:				; CODE XREF: KiUnmarkTimer2Running(x)+25j
		call	KiFinalizeTimer2Disablement
		cmp	esi, edi
		jmp	short loc_4D8B61
_KiUnmarkTimer2Running@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


KiResetGlobalDpcWatchdogProfiler proc near ; CODE XREF:	KeAccumulateTicks+2CFp
					; KiExpireTimer2+329p ...

; FUNCTION CHUNK AT 005C9BBE SIZE 0000002D BYTES

		mov	edx, [ecx+4060h]
		test	edx, edx
		jz	short locret_4D8B88
		cmp	[ecx+4064h], edx
		jnz	loc_5C9BBE

locret_4D8B88:				; CODE XREF: KiResetGlobalDpcWatchdogProfiler+8j
					; KiResetGlobalDpcWatchdogProfiler+F1058j
		retn
KiResetGlobalDpcWatchdogProfiler endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiBeginDpcLog(x, x)
_KiBeginDpcLog@8 proc near		; CODE XREF: KiExpireTimer2+313p
					; KiProcessExpiredTimerList+1631B0p
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		lea	eax, [esi+1]
		and	esi, 0Fh
		mov	[ecx], eax
		add	ecx, 10h
		imul	eax, esi, 0Ch
		pop	esi
		add	eax, ecx
		mov	[eax], edx
		mov	ecx, ds:_KeTickCount
		mov	[eax+4], ecx
		retn
_KiBeginDpcLog@8 endp


;  S U B	R O U T	I N E 


; __stdcall KiForegroundTimerCallback(x, x)
_KiForegroundTimerCallback@8 proc near	; DATA XREF: KiCompleteKernelInit+E5o
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	eax
		mov	ecx, offset unk_6CB278
		call	KiInsertQueueDpc
		retn	8
_KiForegroundTimerCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiFinalizeTimer2Disablement proc near	; CODE XREF: KiUpdateTimer2Flags(x,x,x)+6Ep
					; KiUnmarkTimer2Running(x):loc_4D8B68p

var_38		= dword	ptr -38h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C9BEB SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edx, ecx
		lea	edi, [ebp+var_30]
		push	8
		xor	eax, eax
		mov	[ebp+var_38], edx
		pop	ecx
		mov	esi, [edx+48h]
		xor	ebx, ebx
		rep stosd
		mov	edi, ds:dword_70EFC8
		and	edi, 20000h
		test	esi, esi
		jnz	short loc_4D8C10

loc_4D8BF9:				; CODE XREF: KiFinalizeTimer2Disablement+73j
		test	edi, edi
		jnz	loc_5C9BFF

loc_4D8C01:				; CODE XREF: KiFinalizeTimer2Disablement+F1084j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4D8C10:				; CODE XREF: KiFinalizeTimer2Disablement+37j
		mov	ebx, [edx+4Ch]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_31], al
		test	edi, edi
		jnz	loc_5C9BEB

loc_4D8C24:				; CODE XREF: KiFinalizeTimer2Disablement+F103Aj
		push	ebx
		call	esi
		mov	cl, [ebp+var_31]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_38]
		jmp	short loc_4D8BF9
KiFinalizeTimer2Disablement endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCancelWaitCompletionPacket proc near	; DATA XREF: .text:005811C8o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005C9C49 SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+28h+var_C]
		stosd
		lea	ecx, [esp+28h+var_1C]
		push	0
		push	ecx
		stosd
		stosd
		mov	eax, large fs:124h
		and	[esp+30h+var_1C], 0
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+30h+var_10], al
		push	[esp+30h+var_10]
		mov	eax, ds:_IopWaitCompletionPacketObjectType
		push	eax
		xor	eax, eax
		inc	eax
		push	eax
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[esp+28h+var_14], eax
		test	eax, eax
		js	loc_4D8D75
		mov	edi, [esp+28h+var_1C]
		lea	esi, [edi+30h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [edi+2Ch]
		mov	[esp+28h+var_10], eax
		test	eax, eax
		jz	short loc_4D8CB8
		mov	edx, 746C6644h
		mov	ecx, eax
		call	ObfReferenceObjectWithTag

loc_4D8CB8:				; CODE XREF: NtCancelWaitCompletionPacket+74j
		test	ds:byte_70EFC6,	1
		jnz	loc_5C9C49
		xor	eax, eax
		lock and [esi],	eax

loc_4D8CCA:				; CODE XREF: NtCancelWaitCompletionPacket+F1021j
		mov	cl, bl
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	ebx
		mov	eax, [esp+28h+var_10]
		test	eax, eax
		jz	loc_4D8D7E
		lea	ecx, [eax+28h]
		lea	edx, [esp+28h+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	byte ptr [esp+28h+var_18], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte ptr [edi+34h], 0
		jz	loc_4D8D98
		push	[esp+28h+var_18]
		mov	dl, [ebp+arg_4]
		mov	ecx, [esp+2Ch+var_1C]
		call	_IopCancelWaitCompletionPacket@12 ; IopCancelWaitCompletionPacket(x,x,x)
		test	al, al
		jz	loc_4D8DBA
		mov	edi, [esp+28h+var_14]

loc_4D8D23:				; CODE XREF: NtCancelWaitCompletionPacket+17Fj
		test	ds:byte_70EFC6,	1
		jnz	loc_5C9C6B
		mov	eax, [esp+28h+var_C]
		test	eax, eax
		jnz	short loc_4D8D85
		mov	edx, [esp+28h+var_8]
		lea	eax, [esp+28h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+28h+var_C]
		cmp	eax, ecx
		jnz	loc_5C9C7C

loc_4D8D52:				; CODE XREF: NtCancelWaitCompletionPacket+160j
					; NtCancelWaitCompletionPacket+F1041j
		mov	cl, [esp+28h+var_4]
		call	ebx
		mov	ecx, [esp+28h+var_10]
		mov	esi, 746C6644h
		mov	edx, esi
		call	ObfDereferenceObjectWithTag
		mov	ecx, [esp+28h+var_1C]
		mov	edx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi

loc_4D8D75:				; CODE XREF: NtCancelWaitCompletionPacket+4Fj
					; NtCancelWaitCompletionPacket+14Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4D8D7E:				; CODE XREF: NtCancelWaitCompletionPacket+A4j
		mov	eax, 0C0000120h
		jmp	short loc_4D8D75
; 

loc_4D8D85:				; CODE XREF: NtCancelWaitCompletionPacket+100j
					; NtCancelWaitCompletionPacket+F104Fj
		xor	ecx, ecx
		mov	[esp+28h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	short loc_4D8D52
; 

loc_4D8D98:				; CODE XREF: NtCancelWaitCompletionPacket+CBj
		mov	edi, 0C0000120h

loc_4D8D9D:				; CODE XREF: NtCancelWaitCompletionPacket+18Dj
					; NtCancelWaitCompletionPacket+193j
		test	ds:byte_70EFC6,	1
		jnz	loc_5C9C5C
		xor	eax, eax
		lock and [esi],	eax

loc_4D8DAF:				; CODE XREF: NtCancelWaitCompletionPacket+F1030j
		mov	cl, byte ptr [esp+28h+var_18]
		call	ebx
		jmp	loc_4D8D23
; 

loc_4D8DBA:				; CODE XREF: NtCancelWaitCompletionPacket+E3j
		cmp	byte ptr [edi+34h], 0
		mov	edi, 103h
		jnz	short loc_4D8D9D
		mov	edi, [esp+28h+var_14]
		jmp	short loc_4D8D9D
NtCancelWaitCompletionPacket endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ExpLeaveWorkerFactoryAwayMode(x)
_ExpLeaveWorkerFactoryAwayMode@4 proc near ; CODE XREF:	NtReleaseWorkerFactoryWorker+230p
					; ExpWorkerFactoryCheckCreate+1E5p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	dword ptr [esi+68h], 400h
		jz	short loc_4D8DFD
		mov	ecx, [esi+4]
		lea	edx, [esi+0ECh]
		mov	ecx, [ecx+4]
		call	_KeDeregisterObjectNotification@8 ; KeDeregisterObjectNotification(x,x)
		test	al, al
		jz	short loc_4D8DFD
		mov	ecx, esi
		call	ObfDereferenceObject
		and	dword ptr [esi+68h], 0FFFFFBFFh

loc_4D8DFD:				; CODE XREF: ExpLeaveWorkerFactoryAwayMode(x)+Cj
					; ExpLeaveWorkerFactoryAwayMode(x)+21j
		and	dword ptr [esi+68h], 0FFFFFDFFh
		pop	esi
		retn
_ExpLeaveWorkerFactoryAwayMode@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCancelWaitCompletionPacket(x, x,	x)
_IopCancelWaitCompletionPacket@12 proc near ; CODE XREF: NtCancelWaitCompletionPacket+DCp
					; IopCloseWaitCompletionPacket+6Dp

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		push	edi
		mov	eax, [esi+28h]
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	_ObGetAssociatedWaitObject@4 ; ObGetAssociatedWaitObject(x)
		mov	edx, esi
		mov	ecx, eax
		call	_KeDeregisterObjectNotification@8 ; KeDeregisterObjectNotification(x,x)
		mov	edi, [esi+2Ch]
		test	al, al
		jz	short loc_4D8E62

loc_4D8E30:				; CODE XREF: IopCancelWaitCompletionPacket(x,x,x)+6Bj
		mov	dl, [ebp+arg_0]
		lea	ecx, [esi+30h]
		and	dword ptr [esi+2Ch], 0
		mov	byte ptr [esi+34h], 0
		call	KfReleaseSpinLock
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	al, 1

loc_4D8E5B:				; CODE XREF: IopCancelWaitCompletionPacket(x,x,x)+6Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4D8E62:				; CODE XREF: IopCancelWaitCompletionPacket(x,x,x)+28j
		test	bl, bl
		jz	short loc_4D8E73
		mov	edx, esi
		mov	ecx, edi
		call	_KeRemoveQueueEntry@8 ;	KeRemoveQueueEntry(x,x)
		test	al, al
		jnz	short loc_4D8E30

loc_4D8E73:				; CODE XREF: IopCancelWaitCompletionPacket(x,x,x)+5Ej
		xor	al, al
		jmp	short loc_4D8E5B
_IopCancelWaitCompletionPacket@12 endp

; 
		align 4

; __stdcall KeDeregisterObjectNotification(x, x)
_KeDeregisterObjectNotification@8:	; CODE XREF: ExpShutdownWorkerFactory(x)+60p
					; ExpLeaveWorkerFactoryAwayMode(x)+1Ap	...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		xor	bl, bl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bh, al
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	al, [esi+9]
		cmp	al, 4
		jnz	short loc_4D8EB2
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_4D8EC8
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_4D8EC8
		mov	[ecx], eax
		inc	bl
		mov	[eax+4], ecx
		mov	byte ptr [esi+9], 5

loc_4D8EB2:				; CODE XREF: .text:004D8E97j
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_4D8EC8:				; CODE XREF: .text:004D8E9Ej
					; .text:004D8EA5j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1307. KeShouldYieldProcessor

;  S U B	R O U T	I N E 


		public KeShouldYieldProcessor
KeShouldYieldProcessor proc near	; CODE XREF: NtGetWriteWatch+393p
					; MiFillPoolCommitPageTable+119p ...

; FUNCTION CHUNK AT 005C9C8A SIZE 00000050 BYTES

		mov	ecx, large fs:20h
		push	ebx
		push	esi
		push	edi
		mov	edx, [ecx+223Ch]
		mov	esi, [ecx+3B0Ch]
		mov	ebx, [ecx+4B0h]
		test	dl, 1
		jnz	loc_5C9C8A
		xor	edi, edi
		test	dl, 1Eh
		jnz	short loc_4D8F28
		mov	al, [ecx+2239h]
		test	al, al
		jnz	short loc_4D8F54
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	short loc_4D8F48
		cmp	esi, 7
		ja	short loc_4D8F5B

loc_4D8F22:				; CODE XREF: KeShouldYieldProcessor+A7j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		retn
; 

loc_4D8F28:				; CODE XREF: KeShouldYieldProcessor+2Aj
		mov	edi, 2

loc_4D8F2D:				; CODE XREF: KeShouldYieldProcessor+72j
					; KeShouldYieldProcessor+79j ...
		test	dword ptr ds:byte_70EFC4, 4000000h
		jnz	loc_5C9CCB

loc_4D8F3D:				; CODE XREF: KeShouldYieldProcessor+F0DF5j
		xor	eax, eax
		test	edi, edi
		pop	edi
		pop	esi
		setnz	al
		pop	ebx
		retn
; 

loc_4D8F48:				; CODE XREF: KeShouldYieldProcessor+3Bj
		cmp	eax, [ecx+4]
		jz	short loc_4D8F82
		mov	edi, 4
		jmp	short loc_4D8F2D
; 

loc_4D8F54:				; CODE XREF: KeShouldYieldProcessor+34j
		mov	edi, 3
		jmp	short loc_4D8F2D
; 

loc_4D8F5B:				; CODE XREF: KeShouldYieldProcessor+40j
					; KeShouldYieldProcessor+A5j
		test	edi, edi
		jnz	loc_5C9CA6

loc_4D8F63:				; CODE XREF: KeShouldYieldProcessor+F0DDBj
		cli
		mov	dword ptr [ecx+3B0Ch], 0
		mov	dword ptr [ecx+4B0h], 0
		call	KiResetGlobalDpcWatchdogProfiler
		sti
		xor	edi, edi
		jmp	short loc_4D8F2D
; 

loc_4D8F82:				; CODE XREF: KeShouldYieldProcessor+6Bj
					; KeShouldYieldProcessor+F0DB2j
		cmp	esi, 7
		ja	short loc_4D8F5B
		jmp	short loc_4D8F22
KeShouldYieldProcessor endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSidInToken(x, x,	x, x, x, x, x)
_SepSidInToken@28 proc near		; CODE XREF: SeTokenIsAdmin+31p
					; SeTokenIsAdmin+14AA75p ...

arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ecx
		xor	ecx, ecx
		cmp	[ebp+arg_8], cl
		setnz	cl
		dec	ecx
		and	ecx, 0FFFFFF78h
		add	ecx, 154h
		add	ecx, eax
		pop	ebp
		jmp	$+5
_SepSidInToken@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SepSidInTokenSidHash(void *,char,char,char,char)
SepSidInTokenSidHash proc near		; CODE XREF: SepCheckForCriticalAceRemoval(x,x,x,x,x)+77p
					; SepMaximumAccessCheck+468p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 005C9CDA SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	bl, [ebp+arg_4]
		mov	[ebp+var_4], ecx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, edx
		test	bl, bl
		jnz	short loc_4D8FD0
		cmp	[ebp+arg_10], 0
		jnz	loc_5C9CDA

loc_4D8FD0:				; CODE XREF: SepSidInTokenSidHash+16j
					; SepSidInTokenSidHash+F0D2Ej ...
		test	edi, edi
		jnz	short loc_4D902F

loc_4D8FD4:				; CODE XREF: SepSidInTokenSidHash+8Fj
					; SepSidInTokenSidHash+93j
		cmp	[ebp+arg_C], 0
		jnz	short loc_4D9002

loc_4D8FDA:				; CODE XREF: SepSidInTokenSidHash+62j
		push	esi		; void *
		mov	esi, [ebp+var_4]
		push	esi		; int
		call	_RtlSidHashLookup@8 ; RtlSidHashLookup(x,x)
		test	eax, eax
		jnz	short loc_4D8FF1

loc_4D8FE8:				; CODE XREF: SepSidInTokenSidHash+79j
					; SepSidInTokenSidHash+7Dj ...
		xor	al, al

loc_4D8FEA:				; CODE XREF: SepSidInTokenSidHash+52j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_4D8FF1:				; CODE XREF: SepSidInTokenSidHash+38j
		cmp	[ebp+arg_8], 0
		jz	short loc_4D9014

loc_4D8FF7:				; CODE XREF: SepSidInTokenSidHash+69j
					; SepSidInTokenSidHash+75j
		mov	eax, [eax+4]
		test	al, 4
		jz	short loc_4D9025

loc_4D8FFE:				; CODE XREF: SepSidInTokenSidHash+64j
					; SepSidInTokenSidHash+6Fj ...
		mov	al, 1
		jmp	short loc_4D8FEA
; 

loc_4D9002:				; CODE XREF: SepSidInTokenSidHash+2Aj
		push	esi
		push	_SeOwnerRightsSid
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_4D8FDA
		jmp	short loc_4D8FFE
; 

loc_4D9014:				; CODE XREF: SepSidInTokenSidHash+47j
		cmp	eax, [esi+4]
		jnz	short loc_4D8FF7
		test	byte ptr [eax+4], 10h
		jz	short loc_4D8FFE
		test	bl, bl
		jnz	short loc_4D8FFE
		jmp	short loc_4D8FF7
; 

loc_4D9025:				; CODE XREF: SepSidInTokenSidHash+4Ej
		test	bl, bl
		jz	short loc_4D8FE8
		test	al, 10h
		jz	short loc_4D8FE8
		jmp	short loc_4D8FFE
; 

loc_4D902F:				; CODE XREF: SepSidInTokenSidHash+24j
		push	esi
		push	_SePrincipalSelfSid
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_4D8FD4
		mov	esi, edi
		jmp	short loc_4D8FD4
SepSidInTokenSidHash endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlSidDominates	proc near		; CODE XREF: SepMandatorySubProcessToken+EE9B2p
					; SepAdjustPrivileges+F2p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C9CFB SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_14], eax
		push	esi
		push	edi
		mov	edi, edx
		mov	byte ptr [eax],	0
		mov	eax, [ebx+2]
		lea	ecx, [ebx+2]
		lea	edx, [ebp+var_C]
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], 1000h
		mov	esi, 2
		mov	[ebp+var_10], ebx
		cmp	eax, [edx]
		jnz	short loc_4D909F
		add	ecx, 4
		mov	esi, 0FFFFFFFEh
		add	edx, 4

loc_4D909F:				; CODE XREF: RtlSidDominates+42j
		mov	al, [ecx]
		cmp	al, [edx]
		jnz	loc_4D91FF
		mov	al, [ecx+1]
		cmp	al, [edx+1]
		jnz	loc_4D91FF
		cmp	esi, 0FFFFFFFEh
		jz	short loc_4D90D2
		mov	al, [ecx+2]
		cmp	al, [edx+2]
		jnz	loc_4D91FF
		mov	al, [ecx+3]
		cmp	al, [edx+3]
		jnz	loc_4D91FF

loc_4D90D2:				; CODE XREF: RtlSidDominates+68j
		xor	eax, eax

loc_4D90D4:				; CODE XREF: RtlSidDominates+1B4j
		test	eax, eax
		jnz	loc_5C9CFB
		lea	ecx, [edi+2]
		lea	edx, [ebp+var_C]
		lea	esi, [eax+2]
		mov	eax, [ecx]
		cmp	eax, [edx]
		jnz	short loc_4D90F6
		add	ecx, 4
		mov	esi, 0FFFFFFFEh
		add	edx, 4

loc_4D90F6:				; CODE XREF: RtlSidDominates+99j
		mov	al, [ecx]
		cmp	al, [edx]
		jnz	loc_4D9209
		mov	al, [ecx+1]
		cmp	al, [edx+1]
		jnz	loc_4D9209
		cmp	esi, 0FFFFFFFEh
		jz	short loc_4D9129
		mov	al, [ecx+2]
		cmp	al, [edx+2]
		jnz	loc_4D9209
		mov	al, [ecx+3]
		cmp	al, [edx+3]
		jnz	loc_4D9209

loc_4D9129:				; CODE XREF: RtlSidDominates+BFj
		xor	eax, eax

loc_4D912B:				; CODE XREF: RtlSidDominates+1BEj
		test	eax, eax
		jnz	loc_5C9CFB
		movzx	ecx, word ptr [edi]
		movzx	edx, word ptr [ebx]
		mov	ax, cx
		shr	ax, 8
		mov	ebx, edx
		shr	ebx, 8
		movzx	eax, ax
		mov	[ebp+var_C], eax
		cmp	dx, cx
		jnz	loc_4D91D7
		mov	edx, [ebp+var_10]
		movzx	eax, bl
		lea	esi, ds:8[eax*4]
		mov	eax, edi
		sub	esi, 4
		jb	short loc_4D9179

loc_4D9168:				; CODE XREF: RtlSidDominates+127j
		mov	ecx, [edx]
		cmp	ecx, [eax]
		jnz	short loc_4D917E
		add	edx, 4
		add	eax, 4
		sub	esi, 4
		jnb	short loc_4D9168

loc_4D9179:				; CODE XREF: RtlSidDominates+116j
		cmp	esi, 0FFFFFFFCh
		jz	short loc_4D91AF

loc_4D917E:				; CODE XREF: RtlSidDominates+11Cj
		mov	cl, [edx]
		cmp	cl, [eax]
		jnz	loc_4D9213
		cmp	esi, 0FFFFFFFDh
		jz	short loc_4D91AF
		mov	cl, [edx+1]
		cmp	cl, [eax+1]
		jnz	short loc_4D9213
		cmp	esi, 0FFFFFFFEh
		jz	short loc_4D91AF
		mov	cl, [edx+2]
		cmp	cl, [eax+2]
		jnz	short loc_4D9213
		cmp	esi, 0FFFFFFFFh
		jz	short loc_4D91AF
		mov	cl, [edx+3]
		cmp	cl, [eax+3]
		jnz	short loc_4D9213

loc_4D91AF:				; CODE XREF: RtlSidDominates+12Cj
					; RtlSidDominates+13Bj	...
		xor	eax, eax

loc_4D91B1:				; CODE XREF: RtlSidDominates+1C8j
		test	eax, eax
		jnz	short loc_4D91D7
		mov	al, 1

loc_4D91B7:				; CODE XREF: RtlSidDominates+189j
		test	al, al
		jz	short loc_4D91DB

loc_4D91BB:				; CODE XREF: RtlSidDominates+19Ej
					; RtlSidDominates+1A9j
		mov	al, 1

loc_4D91BD:				; CODE XREF: RtlSidDominates+1ADj
		mov	ecx, [ebp+var_14]
		mov	[ecx], al
		xor	eax, eax

loc_4D91C4:				; CODE XREF: RtlSidDominates+F0CB0j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4D91D7:				; CODE XREF: RtlSidDominates+FEj
					; RtlSidDominates+163j
		xor	al, al
		jmp	short loc_4D91B7
; 

loc_4D91DB:				; CODE XREF: RtlSidDominates+169j
		test	bl, bl
		jz	short loc_4D921A
		mov	ecx, [ebp+var_10]
		movzx	eax, bl
		mov	ecx, [ecx+eax*4+4]

loc_4D91E9:				; CODE XREF: RtlSidDominates+1CCj
		mov	eax, [ebp+var_C]
		test	al, al
		jz	short loc_4D91BB
		movzx	eax, al
		mov	eax, [edi+eax*4+4]
		cmp	ecx, eax
		jnb	short loc_4D91BB
		xor	al, al
		jmp	short loc_4D91BD
; 

loc_4D91FF:				; CODE XREF: RtlSidDominates+53j
					; RtlSidDominates+5Fj ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_4D90D4
; 

loc_4D9209:				; CODE XREF: RtlSidDominates+AAj
					; RtlSidDominates+B6j ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_4D912B
; 

loc_4D9213:				; CODE XREF: RtlSidDominates+132j
					; RtlSidDominates+143j	...
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_4D91B1
; 

loc_4D921A:				; CODE XREF: RtlSidDominates+18Dj
		xor	ecx, ecx
		jmp	short loc_4D91E9
RtlSidDominates	endp


;  S U B	R O U T	I N E 


; __stdcall SepCopyTokenIntegrity(x, x)
_SepCopyTokenIntegrity@8 proc near	; CODE XREF: SeQueryTokenIntegrity(x,x)j
					; AuthzBasepQueryTokenAttributeAndValues(x)+7Cp ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx+0B8h]
		cmp	esi, 0FFFFFFFFh
		jz	short loc_4D9245
		mov	eax, [ecx+94h]
		lea	ecx, [eax+esi*8]
		test	ecx, ecx
		jz	short loc_4D9245
		mov	eax, [ecx]
		mov	[edx], eax
		mov	eax, [ecx+4]

loc_4D9240:				; CODE XREF: SepCopyTokenIntegrity(x,x)+31j
		mov	[edx+4], eax
		pop	esi
		retn
; 

loc_4D9245:				; CODE XREF: SepCopyTokenIntegrity(x,x)+Cj
					; SepCopyTokenIntegrity(x,x)+19j
		mov	eax, _SeUntrustedMandatorySid
		push	60h
		mov	[edx], eax
		pop	eax
		jmp	short loc_4D9240
_SepCopyTokenIntegrity@8 endp

; 
		align 10h
; Exported entry 2433. SeAuditingAnyFileEventsWithContextEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditingAnyFileEventsWithContextEx(x, x, x)
		public _SeAuditingAnyFileEventsWithContextEx@12
_SeAuditingAnyFileEventsWithContextEx@12 proc near
					; CODE XREF: SeAuditingAnyFileEventsWithContext(x,x)+Dp

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	short loc_4D9285
		push	esi
		push	1
		mov	dl, 1
		mov	ecx, 82h
		call	SepAdtAuditThisEventWithContext
		mov	[edi], al

loc_4D9285:				; CODE XREF: SeAuditingAnyFileEventsWithContextEx(x,x,x)+12j
		push	esi
		push	1
		mov	dl, 1
		mov	ecx, 75h
		call	SepAdtAuditThisEventWithContext
		test	al, al
		jnz	short loc_4D92B2
		mov	edx, 33h
		push	esi
		lea	ecx, [edx-30h]
		call	SepAdtAuditThisEventByCategoryWithContext
		test	al, al
		jnz	short loc_4D92B2

loc_4D92AA:				; CODE XREF: SeAuditingAnyFileEventsWithContextEx(x,x,x)+54j
		pop	edi
		pop	esi
		mov	esp, ebp

loc_4D92AE:				; CODE XREF: .text:00429660j
		pop	ebp
		retn	0Ch
; 

loc_4D92B2:				; CODE XREF: SeAuditingAnyFileEventsWithContextEx(x,x,x)+36j
					; SeAuditingAnyFileEventsWithContextEx(x,x,x)+48j
		mov	al, 1
		jmp	short loc_4D92AA
_SeAuditingAnyFileEventsWithContextEx@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAuditingEnabledForSubcategory(x,	x, x)
_SepAuditingEnabledForSubcategory@12 proc near
					; CODE XREF: SepAdtAuditPrivilegeUseWithContext+3Dp
					; SepAdtAuditPrivilegeUseWithContext+6Dp ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte_6BE5F8[ecx*2], 0
		jnz	short loc_4D92DF

loc_4D92CF:				; CODE XREF: SepAuditingEnabledForSubcategory(x,x,x)+21j
		cmp	byte_6BE5F9[ecx*2], 0
		jnz	short loc_4D92E9

loc_4D92D9:				; CODE XREF: SepAuditingEnabledForSubcategory(x,x,x)+2Dj
		xor	al, al
		pop	ebp
		retn	4
; 

loc_4D92DF:				; CODE XREF: SepAuditingEnabledForSubcategory(x,x,x)+Dj
		test	dl, dl
		jz	short loc_4D92CF

loc_4D92E3:				; CODE XREF: SepAuditingEnabledForSubcategory(x,x,x)+2Fj
		mov	al, 1
		pop	ebp
		retn	4
; 

loc_4D92E9:				; CODE XREF: SepAuditingEnabledForSubcategory(x,x,x)+17j
		cmp	[ebp+arg_0], 0
		jz	short loc_4D92D9
		jmp	short loc_4D92E3
_SepAuditingEnabledForSubcategory@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall SepAuditingForSubCategory(x, x)
_SepAuditingForSubCategory@8 proc near	; CODE XREF: SeAuditingWithTokenForSubcategory+1Ap
		test	dl, dl
		jz	short loc_4D92FE
		mov	al, byte_6BE5F8[ecx*2]
		retn
; 

loc_4D92FE:				; CODE XREF: SepAuditingForSubCategory(x,x)+2j
		mov	al, byte_6BE5F9[ecx*2]
		retn
_SepAuditingForSubCategory@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExAllocateLocallyUniqueId(x)
_ExAllocateLocallyUniqueId@4 proc near	; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+24Ep
					; SeTokenSetNoChildProcessRestricted(x,x,x)+59p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, _ExpLuid
		mov	eax, edi
		mov	esi, dword_6B5B94
		mov	edx, esi
		mov	ebx, ds:_ExpLuidIncrement
		mov	[ebp+var_C], ecx
		add	ebx, edi
		mov	ecx, ds:dword_40AA94
		mov	[ebp+var_4], esi
		adc	ecx, esi
		mov	esi, offset _ExpLuid
		mov	[ebp+var_8], esi
		nop

loc_4D9340:				; CODE XREF: ExAllocateLocallyUniqueId(x)+73j
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_4]
		mov	ebx, eax
		mov	ecx, edx
		cmp	edi, ebx
		jnz	short loc_4D9360
		cmp	esi, ecx
		jnz	short loc_4D9360
		mov	eax, [ebp+var_C]
		mov	[eax], edi
		pop	edi
		mov	[eax+4], esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4D9360:				; CODE XREF: ExAllocateLocallyUniqueId(x)+47j
					; ExAllocateLocallyUniqueId(x)+4Bj
		mov	eax, ebx
		mov	[ebp+var_4], ecx
		mov	edi, ebx
		mov	edx, ecx
		add	ebx, ds:_ExpLuidIncrement
		adc	ecx, ds:dword_40AA94
		nop
		mov	esi, [ebp+var_8]
		jmp	short loc_4D9340
_ExAllocateLocallyUniqueId@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


PsTimerResolutionActive	proc near	; CODE XREF: KiInitializeTimer2(x,x,x,x)+87p
					; KiExpireTimer2+3E2p ...

; FUNCTION CHUNK AT 005C9D05 SIZE 00000013 BYTES

		test	dword ptr [ecx+0FCh], 1000h
		jnz	loc_5C9D05

loc_4D938C:				; CODE XREF: PsTimerResolutionActive+F0993j
		xor	al, al
		retn
PsTimerResolutionActive	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxScheduleDeviceIdleTimer(x)
_PopFxScheduleDeviceIdleTimer@4	proc near ; CODE XREF: PopFxProcessWork+117p
					; PopFxUpdateDeviceIdleTimer+36p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		mov	[ebp+var_18], edi
		xor	esi, esi
		mov	[ebp+var_8], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		lea	edx, [edi+10h]
		mov	eax, [edx]

loc_4D93B2:				; CODE XREF: PopFxScheduleDeviceIdleTimer(x)+2Aj
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_4D93B2
		test	al, 8
		jnz	loc_4D949C
		mov	eax, [edi+118h]
		mov	[ebp+var_14], eax
		mov	eax, [edi+11Ch]
		mov	[ebp+var_10], eax
		call	KeQueryInterruptTime
		mov	[ebp+var_4], eax
		mov	esi, edx
		lea	eax, [edi+120h]
		mov	edi, eax

loc_4D93E8:				; CODE XREF: PopFxScheduleDeviceIdleTimer(x)+70j
					; PopFxScheduleDeviceIdleTimer(x)+74j
		mov	ebx, [edi]
		mov	eax, ebx
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_C], ebx
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, edx
		mov	edx, [ebp+var_C]
		cmp	eax, edx
		jnz	short loc_4D93E8
		cmp	ebx, ecx
		jnz	short loc_4D93E8
		push	[ebp+var_10]
		push	[ebp+var_14]
		push	ecx
		push	edx
		lea	ecx, [ebp+var_20]
		call	_RtlULongLongAdd@20 ; RtlULongLongAdd(x,x,x,x,x)
		mov	edi, [ebp+var_18]
		test	eax, eax
		js	short loc_4D949C
		cmp	esi, [ebp+var_1C]
		ja	short loc_4D949C
		mov	eax, [ebp+var_4]
		jb	short loc_4D942C
		cmp	eax, [ebp+var_20]
		jnb	short loc_4D949C

loc_4D942C:				; CODE XREF: PopFxScheduleDeviceIdleTimer(x)+95j
		push	esi
		push	eax
		push	[ebp+var_1C]
		lea	ecx, [ebp+var_20]
		push	[ebp+var_20]
		call	_RtlULongLongSub@20 ; RtlULongLongSub(x,x,x,x,x)
		xor	ebx, ebx
		test	eax, eax
		js	short loc_4D9490
		mov	esi, [ebp+var_1C]
		push	ebx
		push	186A0h
		push	esi
		push	[ebp+var_20]
		call	__aulldiv
		push	edx
		push	eax
		lea	ecx, [ebp+var_8]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		jns	short loc_4D9497
		or	edx, 0FFFFFFFFh

loc_4D9465:				; CODE XREF: PopFxScheduleDeviceIdleTimer(x)+10Aj
		mov	ecx, [ebp+var_20]
		lea	eax, [edi+0F8h]
		push	eax
		neg	ecx
		lea	eax, [edi+0D0h]
		push	edx
		adc	esi, ebx
		push	ebx
		neg	esi
		push	esi
		push	ecx
		push	eax
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		push	4
		pop	ecx
		lea	eax, [edi+10h]
		lock or	[eax], ecx
		mov	bl, 1

loc_4D9490:				; CODE XREF: PopFxScheduleDeviceIdleTimer(x)+B0j
					; PopFxScheduleDeviceIdleTimer(x)+10Ej
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_4D9497:				; CODE XREF: PopFxScheduleDeviceIdleTimer(x)+D0j
		mov	edx, [ebp+var_8]
		jmp	short loc_4D9465
; 

loc_4D949C:				; CODE XREF: PopFxScheduleDeviceIdleTimer(x)+2Ej
					; PopFxScheduleDeviceIdleTimer(x)+8Bj ...
		xor	ebx, ebx
		jmp	short loc_4D9490
_PopFxScheduleDeviceIdleTimer@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlULongLongToUInt(x, x, x)
_RtlULongLongToUInt@12 proc near	; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+485p
					; EmpEvaluateNodeLink+FCp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	edx, edx
		cmp	[ebp+arg_4], edx
		ja	short loc_4D94BE
		mov	eax, [ebp+arg_0]
		jb	short loc_4D94B6
		cmp	eax, 0FFFFFFFFh
		ja	short loc_4D94BE

loc_4D94B6:				; CODE XREF: RtlULongLongToUInt(x,x,x)+Fj
					; RtlULongLongToUInt(x,x,x)+26j
		mov	[ecx], eax
		mov	eax, edx
		pop	ebp
		retn	8
; 

loc_4D94BE:				; CODE XREF: RtlULongLongToUInt(x,x,x)+Aj
					; RtlULongLongToUInt(x,x,x)+14j
		mov	edx, 0C0000095h
		or	eax, 0FFFFFFFFh
		jmp	short loc_4D94B6
_RtlULongLongToUInt@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlULongLongSub(x, x, x, x,	x)
_RtlULongLongSub@20 proc near		; CODE XREF: PopFxScheduleDeviceIdleTimer(x)+A7p
					; KiAdjustTimer2DueTimes+84181p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		cmp	edx, [ebp+arg_C]
		jb	short loc_4D94F6
		mov	eax, [ebp+arg_0]
		ja	short loc_4D94E2
		cmp	eax, [ebp+arg_8]
		jb	short loc_4D94F6

loc_4D94E2:				; CODE XREF: RtlULongLongSub(x,x,x,x,x)+13j
		xor	ecx, ecx
		sub	eax, [ebp+arg_8]
		sbb	edx, [ebp+arg_C]

loc_4D94EA:				; CODE XREF: RtlULongLongSub(x,x,x,x,x)+38j
		mov	[esi], eax
		mov	eax, ecx
		mov	[esi+4], edx
		pop	esi
		pop	ebp
		retn	10h
; 

loc_4D94F6:				; CODE XREF: RtlULongLongSub(x,x,x,x,x)+Ej
					; RtlULongLongSub(x,x,x,x,x)+18j
		or	eax, 0FFFFFFFFh
		mov	ecx, 0C0000095h
		mov	edx, eax
		jmp	short loc_4D94EA
_RtlULongLongSub@20 endp

; 
		align 8
; Exported entry 1675. PoFxActivateComponent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxActivateComponent(x, x,	x)
		public _PoFxActivateComponent@12
_PoFxActivateComponent@12 proc near	; CODE XREF: PopFxActivateDevice+ADp
					; PoFxStartDevicePowerManagement+66p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_8], 1
		jz	short loc_4D951D
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_4D955E

loc_4D951D:				; CODE XREF: PoFxActivateComponent(x,x,x)+9j
		mov	eax, dword ptr [ebp+arg_8]
		and	eax, 3
		cmp	al, 3
		jz	short loc_4D954C
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		cmp	eax, [ecx+23Ch]
		jnb	short loc_4D9562
		mov	edx, [ecx+240h]
		push	0
		push	dword ptr [ebp+arg_8]
		mov	edx, [edx+eax*4]
		call	PopFxActivateComponent
		pop	ebp
		retn	0Ch
; 

loc_4D954C:				; CODE XREF: PoFxActivateComponent(x,x,x)+1Dj
		push	1

loc_4D954E:				; CODE XREF: PoFxActivateComponent(x,x,x)+58j
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]

loc_4D9554:				; CODE XREF: PoFxActivateComponent(x,x,x)+5Fj
		mov	ecx, 614h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_4D955E:				; CODE XREF: PoFxActivateComponent(x,x,x)+13j
		push	0
		jmp	short loc_4D954E
; 

loc_4D9562:				; CODE XREF: PoFxActivateComponent(x,x,x)+2Bj
		push	2
		push	eax
		mov	edx, ecx
		jmp	short loc_4D9554
_PoFxActivateComponent@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxActivateComponent proc near	; CODE XREF: PoFxActivateComponent(x,x,x)+3Bp
					; PopFxActivateComponentWorker+F0701p ...

var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C9D18 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+34h+var_24], edx
		push	edi
		xor	eax, eax
		lea	edi, [esp+38h+var_20]
		mov	ecx, 8
		rep stosd
		mov	eax, [esi+238h]
		test	al, 1
		jnz	short loc_4D95E7
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		and	al, 6
		cmp	al, 4
		jz	short loc_4D95F0
		mov	[esp+38h+var_26], 0

loc_4D95AB:				; CODE XREF: PopFxActivateComponent+93j
		mov	eax, ebx
		lea	ecx, [esp+38h+var_20]
		and	al, 2
		lea	edi, [edx+34h]
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx
		mov	ecx, 1
		lock xadd [edi], ecx
		inc	ecx
		cmp	ecx, 1
		jz	short loc_4D9605
		test	ecx, ecx
		jns	short loc_4D962F

loc_4D95D4:				; CODE XREF: PopFxActivateComponent+AAj
					; PopFxActivateComponent+BDj
		cmp	[esp+38h+var_26], 0
		jz	short loc_4D95E7
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_4D95E7:				; CODE XREF: PopFxActivateComponent+29j
					; PopFxActivateComponent+69j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4D95F0:				; CODE XREF: PopFxActivateComponent+34j
		mov	eax, large fs:124h
		mov	[esp+38h+var_26], 1
		dec	word ptr [eax+13Eh]
		nop
		jmp	short loc_4D95AB
; 

loc_4D9605:				; CODE XREF: PopFxActivateComponent+5Ej
		lock inc dword ptr [edi]
		push	eax
		push	[ebp+arg_4]
		mov	ecx, esi
		call	PopFxActivateComponentWorker

loc_4D9613:				; CODE XREF: PopFxActivateComponent+FBj
		mov	edx, [esp+38h+var_24]

loc_4D9617:				; CODE XREF: PopFxActivateComponent+C5j
		test	bl, 1
		jz	short loc_4D95D4
		push	0
		push	0
		push	0
		push	0
		lea	eax, [edx+40h]
		push	eax
		call	KeWaitForSingleObject
		jmp	short loc_4D95D4
; 

loc_4D962F:				; CODE XREF: PopFxActivateComponent+62j
		test	ecx, 40000000h
		jz	short loc_4D9617
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, [esp+38h+var_24]
		add	esi, 50h
		mov	[esp+38h+var_25], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		jnz	loc_5C9D18
		xor	eax, eax
		lock and [esi],	eax

loc_4D9661:				; CODE XREF: PopFxActivateComponent+F07B2j
		mov	cl, [esp+38h+var_25]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4D9613
PopFxActivateComponent endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxActivateComponentWorker proc near	; CODE XREF: PopFxActivateComponent+9Ep
					; PopFxIdleWorkerTail+119p

var_6		= byte ptr -6
var_5		= byte ptr -5
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C9D27 SIZE 000000B0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		call	PopFxAddRefDevice
		cmp	dword ptr [edi+78h], 0
		ja	loc_5C9D27
		mov	al, 1

loc_4D9691:				; CODE XREF: PopFxActivateComponentWorker+F0764j
		cmp	byte ptr [ebp+arg_0], 0
		jnz	short loc_4D96C1
		test	al, al
		jz	short loc_4D96B8
		push	[ebp+arg_4]
		mov	edx, [edi+10h]
		mov	ecx, ebx
		push	1
		call	PopPluginComponentActive
		cmp	al, 1
		jnz	short loc_4D96B8
		mov	edx, [ebp+arg_4]
		xor	ecx, ecx
		call	PopFxProcessWork

loc_4D96B8:				; CODE XREF: PopFxActivateComponentWorker+2Bj
					; PopFxActivateComponentWorker+3Ej ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4D96C1:				; CODE XREF: PopFxActivateComponentWorker+27j
		push	0
		mov	edx, edi
		mov	ecx, ebx
		call	PopFxCompleteComponentActivation
		jmp	short loc_4D96B8
PopFxActivateComponentWorker endp


;  S U B	R O U T	I N E 


PopFxAddRefDevice proc near		; CODE XREF: PopFxActivateComponentWorker+12p
					; PopFxIdleWorkerTail:loc_4D9E12p ...

; FUNCTION CHUNK AT 005C9DD7 SIZE 000000B2 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		lea	ecx, [esi+80h]
		lock inc dword ptr [ecx]
		cmp	byte ptr [esi+7Ch], 0
		jnz	loc_5C9DD7
		pop	esi
		retn
PopFxAddRefDevice endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 734. IoAcquireRemoveLockEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoAcquireRemoveLockEx
IoAcquireRemoveLockEx proc near		; CODE XREF: PopFxAcpiUnregisterDevice(x,x)+22p
					; ViFilterDispatchGeneric(x,x)+34p ...

arg_0		= dword	ptr  8
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005C9E89 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	ecx, [edi+4]
		lock inc dword ptr [ecx]
		cmp	byte ptr [edi],	0
		jnz	loc_5C9E89
		xor	esi, esi
		cmp	[ebp+arg_10], 58h
		jz	loc_5C9E04

loc_4D9713:				; CODE XREF: PopFxAddRefDevice+F07B6j
					; IoAcquireRemoveLockEx+F07B6j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	14h
IoAcquireRemoveLockEx endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxProcessWork proc near		; CODE XREF: PopFxDispatchPluginWorkOnce+D7p
					; PopFxActivateComponentWorker+45p ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= byte ptr -38h
var_37		= byte ptr -37h
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h

; FUNCTION CHUNK AT 005C9EA9 SIZE 000002CB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		and	[esp+3Ch+var_20], 0
		mov	eax, ecx
		push	ebx
		mov	ebx, edx
		mov	[esp+40h+var_18], eax
		push	esi
		push	edi
		mov	[esp+48h+var_30], ebx
		mov	ecx, [ebx]
		test	ecx, ecx
		js	loc_5C9F4C
		cmp	ecx, 9
		jge	loc_5C9F4C
		mov	edx, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		or	esi, 0FFFFFFFFh
		mov	ecx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		push	8
		pop	edi
		mov	[esp+48h+var_24], edx
		mov	[esp+48h+var_2C], ecx

loc_4D9768:				; CODE XREF: PopFxProcessWork+159j
		mov	ecx, [ebx]
		mov	[esp+48h+var_37], 0
		cmp	ecx, edi
		ja	loc_4D995D
		jmp	ds:off_4D9AC0[ecx*4]

loc_4D977E:				; DATA XREF: .text:004D9AC8o
		mov	edi, [ebx+4]
		test	eax, eax
		jnz	loc_5C9F4C
		mov	al, [ebx+8]
		mov	ecx, [edi+1Ch]
		mov	[esp+48h+var_36], al
		mov	byte ptr [esp+48h+var_1C], al
		test	ecx, ecx
		jz	short loc_4D97AA
		push	[esp+48h+var_1C]
		mov	dl, 1
		call	PopDiagTraceFxDevicePowerRequirement
		mov	edx, [esp+48h+var_24]

loc_4D97AA:				; CODE XREF: PopFxProcessWork+7Dj
		call	edx
		mov	[esp+48h+var_35], al
		lea	eax, [edi+0C8h]
		mov	ecx, eax
		mov	[esp+48h+var_28], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	[esp+48h+var_36], 0
		lea	edx, [edi+10h]
		jnz	loc_4D9964
		xor	ebx, ebx
		mov	eax, [edx]

loc_4D97D3:				; CODE XREF: PopFxProcessWork+BFj
		mov	ecx, eax
		or	ecx, ebx
		lock cmpxchg [edx], ecx
		jnz	short loc_4D97D3
		mov	ebx, [esp+48h+var_30]
		test	al, al
		js	loc_5C9F6B
		push	0
		xor	dl, dl
		mov	ecx, edi
		call	PopPluginDevicePower
		lea	ecx, [edi+10h]
		mov	eax, 80h
		lock or	[ecx], eax
		cmp	dword ptr [edi+4Ch], 0
		jz	loc_4D9A83
		mov	eax, [edi+14h]
		test	eax, eax
		jnz	loc_5C9F5F
		lea	edx, [edi+18h]
		mov	eax, [edx]
		test	eax, eax
		jnz	loc_5C9F5F
		mov	eax, [ecx]
		test	al, 4
		jnz	loc_5C9F5F
		mov	ecx, edi
		mov	dword ptr [edx], 2
		call	_PopFxScheduleDeviceIdleTimer@4	; PopFxScheduleDeviceIdleTimer(x)
		test	al, al
		jz	loc_5C9EB9

loc_4D9840:				; CODE XREF: PopFxProcessWork+2A8j
					; PopFxProcessWork+2BBj ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5C9EF8
		mov	eax, [esp+48h+var_28]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_4D9856:				; CODE XREF: PopFxProcessWork+F07E8j
		mov	cl, [esp+48h+var_35]
		call	[esp+48h+var_2C]

loc_4D985E:				; CODE XREF: PopFxProcessWork+F0798j
		push	8
		pop	edi

loc_4D9861:				; CODE XREF: PopFxProcessWork+F07F7j
		mov	al, [esp+48h+var_37]

loc_4D9865:				; CODE XREF: PopFxProcessWork+362j
		test	al, al
		jz	loc_4D995D
		mov	eax, [esp+48h+var_18]
		mov	edx, [esp+48h+var_24]
		jmp	loc_4D9768
; 

loc_4D987A:				; CODE XREF: PopFxProcessWork+5Bj
					; DATA XREF: .text:off_4D9AC0o
		mov	edi, [ebx+4]
		test	eax, eax
		jnz	loc_5C9F4C
		mov	ebx, [ebx+8]
		cmp	ebx, [edi+23Ch]
		jnb	loc_5C9F3B
		lfence	eax
		mov	eax, [edi+240h]
		mov	esi, [eax+ebx*4]
		mov	eax, [esi+68h]
		test	eax, eax
		jnz	loc_5C9F90
		cmp	[esi+34h], eax
		jl	loc_5C9F8C
		mov	eax, [esi+34h]
		test	eax, 3FFFFFFFh
		jz	loc_5C9F88
		mov	eax, [esi+58h]
		test	eax, eax
		jnz	loc_5C9F24
		call	edx
		lea	ecx, [esi+90h]
		mov	[esp+48h+var_35], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [esi+90h]
		mov	edx, [ecx+0Ch]
		test	edx, edx
		jz	short loc_4D9902
		js	short loc_4D9902
		call	KeQueryInterruptTime
		lea	ecx, [esi+90h]
		mov	[ecx+10h], eax
		mov	[ecx+14h], edx
		mov	byte ptr [ecx+4], 1

loc_4D9902:				; CODE XREF: PopFxProcessWork+1CDj
					; PopFxProcessWork+1CFj
		test	ds:byte_70EFC6,	1
		jnz	loc_5C9F7B
		xor	eax, eax
		lock and [ecx],	eax

loc_4D9914:				; CODE XREF: PopFxProcessWork+F0867j
		mov	cl, [esp+48h+var_35]
		call	[esp+48h+var_2C]
		mov	ecx, [edi+1Ch]
		mov	edx, ebx
		push	1
		call	PopDiagTraceFxComponentLogicalCondition
		mov	eax, [edi+3Ch]
		test	eax, eax
		jz	short loc_4D9935
		push	ebx
		push	dword ptr [edi+64h]
		call	eax

loc_4D9935:				; CODE XREF: PopFxProcessWork+211j
		mov	ecx, [edi+20h]
		push	0
		imul	edx, ebx, 0A8h
		push	ecx
		push	3
		push	2
		add	edx, 88h
		add	edx, ecx
		call	_PopPepProcessEvent@24 ; PopPepProcessEvent(x,x,x,x,x,x)
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	PopFxCompleteComponentActivation

loc_4D995D:				; CODE XREF: PopFxProcessWork+55j
					; PopFxProcessWork+14Bj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4D9964:				; CODE XREF: PopFxProcessWork+ADj
		mov	dword ptr [edi+14h], 2
		mov	ebx, 0FFFFFF7Fh
		mov	eax, [edx]

loc_4D9972:				; CODE XREF: PopFxProcessWork+25Ej
		mov	ecx, eax
		and	ecx, ebx
		lock cmpxchg [edx], ecx
		jnz	short loc_4D9972
		mov	ecx, 80h
		test	al, cl
		jz	loc_5C9F6F
		xor	ebx, ebx
		mov	eax, [edx]

loc_4D998D:				; CODE XREF: PopFxProcessWork+279j
		mov	ecx, eax
		or	ecx, ebx
		lock cmpxchg [edx], ecx
		jnz	short loc_4D998D
		mov	ebx, [esp+48h+var_30]
		test	al, 4
		jz	loc_4D9A9D
		push	0FFFFFFFBh
		pop	eax
		lock and [edx],	eax
		lea	eax, [edi+0D0h]
		mov	dword ptr [edi+18h], 0
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		lea	ecx, [edi+14h]
		lock dec dword ptr [ecx]
		test	al, al
		jz	loc_4D9840
		mov	edx, ebx
		mov	ecx, edi
		call	PopFxCompleteDevicePowerRequired

loc_4D99D3:				; CODE XREF: PopFxProcessWork+395j
		mov	[esp+48h+var_37], al
		jmp	loc_4D9840
; 

loc_4D99DC:				; CODE XREF: PopFxProcessWork+5Bj
					; DATA XREF: .text:004D9AC4o
		mov	edx, [ebx+4]
		mov	[esp+48h+var_28], edx
		test	eax, eax
		jnz	loc_5C9F4C
		mov	ecx, [ebx+8]
		mov	[esp+48h+var_34], ecx
		cmp	ecx, [edx+23Ch]
		jnb	loc_5C9F37
		lfence	eax
		mov	eax, [edx+240h]
		mov	ecx, [eax+ecx*4]
		mov	eax, [ebx+0Ch]
		cmp	eax, [ecx+6Ch]
		jnb	loc_5C9F18
		mov	eax, [ecx+68h]
		mov	edi, [ebx+0Ch]
		cmp	edi, eax
		jz	loc_5C9F33
		test	edi, edi
		jz	short loc_4D9A33
		mov	eax, [ecx+68h]
		test	eax, eax
		jnz	loc_4D9AB6

loc_4D9A33:				; CODE XREF: PopFxProcessWork+30Aj
		mov	eax, [ebx+0Ch]
		lea	edi, [ecx+58h]
		mov	[ecx+68h], eax
		mov	dword ptr [edi], 2
		push	dword ptr [ebx+0Ch]
		push	[esp+4Ch+var_34]
		push	dword ptr [edx+64h]
		call	dword ptr [edx+44h]
		mov	eax, esi
		lock xadd [edi], eax
		mov	edi, [esp+54h+var_34]
		mov	edx, [esp+54h+var_40]
		mov	ecx, [edi+1Ch]
		jnz	loc_5C9EA9
		push	dword ptr [ebx+0Ch]
		call	PopDiagTraceFxComponentIdleState
		mov	edx, [esp+54h+var_40]
		push	ebx
		push	ecx
		mov	ecx, edi
		call	PopPluginComponentIdleState
		push	8
		pop	edi
		jmp	loc_4D9865
; 

loc_4D9A83:				; CODE XREF: PopFxProcessWork+E7j
		mov	ecx, [edi+1Ch]
		xor	dl, dl
		push	0
		call	PopDiagTraceFxDevicePowerRequirement
		push	40h
		lea	eax, [edi+10h]
		pop	ecx
		lock or	[eax], ecx
		jmp	loc_4D9840
; 

loc_4D9A9D:				; CODE XREF: PopFxProcessWork+281j
		mov	eax, [edi+18h]
		test	eax, eax
		jnz	loc_4D9840
		mov	edx, ebx
		mov	ecx, edi
		call	_PopFxDeliverDevicePowerRequired@8 ; PopFxDeliverDevicePowerRequired(x,x)
		jmp	loc_4D99D3
; 

loc_4D9AB6:				; CODE XREF: PopFxProcessWork+311j
		push	2
		jmp	loc_5C9F1A
PopFxProcessWork endp

; 
		align 10h
off_4D9AC0	dd offset loc_4D987A	; DATA XREF: PopFxProcessWork+5Br
		dd offset loc_4D99DC
		dd offset loc_4D977E
		dd offset loc_5C9F95
		dd offset loc_5CA046
		dd offset loc_5CA0A4
		dd offset loc_5CA0DD
		dd offset loc_5CA165
		dd offset loc_5C9F09

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceFxDevicePowerRequirement proc near ; CODE XREF: PopFxProcessWork+85p
					; PopFxProcessWork+36Ep ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005CA174 SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		movzx	eax, [ebp+arg_0]
		cmp	dl, 1
		push	ebx
		push	esi
		cdq
		push	edx
		mov	[ebp+var_28], ecx
		push	eax
		jnz	short loc_4D9B4C
		mov	esi, offset _POP_ETW_EVENT_DEVICE_POWER_REQUIREMENT_FROM_PEP
		push	4

loc_4D9B0E:				; CODE XREF: PopDiagTraceFxDevicePowerRequirement+6Fj
		xor	edx, edx
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_4D9B3C
		mov	ebx, _PopDiagHandle
		push	edi
		mov	edi, dword_6C1D74
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5CA174

loc_4D9B3B:				; CODE XREF: PopDiagTraceFxDevicePowerRequirement+F06CEj
		pop	edi

loc_4D9B3C:				; CODE XREF: PopDiagTraceFxDevicePowerRequirement+38j
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_4D9B4C:				; CODE XREF: PopDiagTraceFxDevicePowerRequirement+21j
		mov	esi, offset _POP_ETW_EVENT_DEVICE_POWER_REQUIREMENT_TO_DEVICE
		push	5
		jmp	short loc_4D9B0E
PopDiagTraceFxDevicePowerRequirement endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxAddLogEntry(x,	x, x, x, x)
_PopFxAddLogEntry@20 proc near		; CODE XREF: PopDiagTraceFxDevicePowerRequirement+2Cp
					; PopDiagTraceFxDevicePowered+1Ep ...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, edx
		test	ecx, ecx
		jz	short loc_4D9BD5
		mov	ecx, [ecx+28h]
		test	ecx, ecx
		jz	short loc_4D9BD5
		xor	eax, eax
		push	esi
		inc	eax
		lock xadd [ecx+24Ch], eax
		inc	eax
		dec	eax
		xor	edx, edx
		div	dword ptr [ecx+244h]
		imul	esi, edx, 18h
		add	esi, [ecx+248h]
		call	KeQueryInterruptTime
		mov	[esi], eax
		mov	al, [ebp+arg_0]
		push	0
		mov	[esi+4], edx
		mov	[esi+8], al
		mov	[esi+9], bl
		call	_KeGetCurrentProcessorNumberEx@4 ; KeGetCurrentProcessorNumberEx(x)
		mov	[esi+0Ah], ax
		mov	eax, large fs:124h
		mov	ax, [eax+2ACh]
		mov	[esi+0Ch], ax
		mov	eax, large fs:124h
		mov	ax, [eax+2B0h]
		mov	[esi+0Eh], ax
		mov	eax, [ebp+arg_4]
		mov	[esi+10h], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+14h], eax
		pop	esi

loc_4D9BD5:				; CODE XREF: PopFxAddLogEntry(x,x,x,x,x)+Aj
					; PopFxAddLogEntry(x,x,x,x,x)+11j
		pop	ebx
		pop	ebp
		retn	0Ch
_PopFxAddLogEntry@20 endp

; 
		align 10h
; Exported entry 1152. KeGetCurrentProcessorNumberEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeGetCurrentProcessorNumberEx(x)
		public _KeGetCurrentProcessorNumberEx@4
_KeGetCurrentProcessorNumberEx@4 proc near ; CODE XREF:	PopFxAddLogEntry(x,x,x,x,x)+47p
					; RtlpHpLfhBucketUpdateAffinityMapping+32p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, large fs:20h
		test	edx, edx
		jnz	short loc_4D9BFC

loc_4D9BF2:				; CODE XREF: KeGetCurrentProcessorNumberEx(x)+33j
		mov	eax, [eax+3CCh]
		pop	ebp
		retn	4
; 

loc_4D9BFC:				; CODE XREF: KeGetCurrentProcessorNumberEx(x)+10j
		movzx	ecx, byte ptr [eax+3C5h]
		mov	[edx], cx
		mov	cl, [eax+3C4h]
		mov	[edx+2], cl
		mov	byte ptr [edx+3], 0
		jmp	short loc_4D9BF2
_KeGetCurrentProcessorNumberEx@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxIdleWorker	proc near		; CODE XREF: PopFxIdleComponent+173p
					; PopFxComponentWork+2Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CA1B7 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ecx+240h]
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+edx*4]
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], ebx
		lea	esi, [ebx+34h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [ebx+50h]
		mov	[ebp+var_1], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, 80000000h
		mov	ecx, 40000000h
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_4D9CCB
		lea	eax, [ebx+40h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	esi, [ebp+var_C]
		lea	ecx, [ebx+54h]
		mov	dword ptr [ecx], 2
		xor	ebx, ebx
		mov	eax, [esi+40h]
		test	eax, eax
		jz	short loc_4D9CE8
		push	[ebp+var_8]
		push	dword ptr [esi+64h]
		call	eax
		mov	ecx, [ebp+var_10]
		or	eax, 0FFFFFFFFh
		add	ecx, 54h
		lock xadd [ecx], eax
		jnz	loc_5CA1C6

loc_4D9C96:				; CODE XREF: PopFxIdleWorker+D9j
		mov	bl, 1

loc_4D9C98:				; CODE XREF: PopFxIdleWorker+F05BFj
		test	ds:byte_70EFC6,	1
		jnz	loc_5CA1DA
		xor	eax, eax
		lock and [edi],	eax

loc_4D9CAA:				; CODE XREF: PopFxIdleWorker+F05CEj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jz	short loc_4D9CC4
		push	[ebp+arg_0]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	PopFxIdleWorkerTail

loc_4D9CC4:				; CODE XREF: PopFxIdleWorker+9Fj
					; PopFxIdleWorker+D0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4D9CCB:				; CODE XREF: PopFxIdleWorker+45j
		test	ds:byte_70EFC6,	1
		jnz	loc_5CA1B7
		xor	eax, eax
		lock and [edi],	eax

loc_4D9CDD:				; CODE XREF: PopFxIdleWorker+F05ABj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4D9CC4
; 

loc_4D9CE8:				; CODE XREF: PopFxIdleWorker+63j
		push	0FFFFFFFEh
		pop	eax
		lock xadd [ecx], eax
		jmp	short loc_4D9C96
PopFxIdleWorker	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxIdleWorkerTail proc near		; CODE XREF: PopFxIdleWorker+A9p
					; PoFxCompleteIdleCondition+D04C8p

var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CA1E9 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+20h+var_4], edx
		mov	eax, [edi+240h]
		mov	ebx, [eax+edx*4]
		lea	esi, [ebx+90h]
		call	KeQueryInterruptTime
		mov	[esp+20h+var_C], eax
		mov	[esp+20h+var_8], edx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[esp+20h+var_D], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_4D9D53
		js	short loc_4D9D53
		push	0
		push	0
		push	[esp+28h+var_8]
		mov	ecx, esi
		push	[esp+2Ch+var_C]
		call	PopFxUpdateAccountingActiveTime
		mov	byte ptr [esi+4], 0

loc_4D9D53:				; CODE XREF: PopFxIdleWorkerTail+46j
					; PopFxIdleWorkerTail+48j
		test	ds:byte_70EFC6,	1
		jnz	loc_5CA1E9
		xor	eax, eax
		lock and [esi],	eax

loc_4D9D65:				; CODE XREF: PopFxIdleWorkerTail+F0501j
		mov	cl, [esp+20h+var_D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+20h+var_4]
		mov	ecx, [edi+1Ch]
		push	0
		call	PopDiagTraceFxComponentLogicalCondition
		push	[esp+20h+var_8]
		lea	ecx, [edi+120h]
		xor	edx, edx
		push	[esp+24h+var_C]
		call	PpmInterlockedUpdateTimeNoFence
		lea	edx, [ebx+34h]
		xor	esi, esi
		mov	eax, [edx]

loc_4D9D99:				; CODE XREF: PopFxIdleWorkerTail+AFj
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_4D9D99
		lea	esi, [ebx+90h]
		mov	ecx, edi
		cmp	eax, 40000000h
		jnz	short loc_4D9E12
		push	[ebp+arg_0]
		mov	edx, [esp+24h+var_4]
		push	0
		call	PopPluginComponentActive
		cmp	al, 1
		jz	short loc_4D9DEC

loc_4D9DC4:				; CODE XREF: PopFxIdleWorkerTail+104j
		xor	esi, esi
		cmp	[ebx+78h], esi
		ja	loc_5CA207

loc_4D9DCF:				; CODE XREF: PopFxIdleWorkerTail+F0529j
		mov	esi, 40000000h
		lea	edx, [ebx+34h]
		xor	ecx, ecx
		mov	eax, esi
		lock cmpxchg [edx], ecx
		cmp	eax, esi
		jnz	short loc_4D9DF8

loc_4D9DE3:				; CODE XREF: PopFxIdleWorkerTail+11Ej
					; PopFxIdleWorkerTail+1A3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4D9DEC:				; CODE XREF: PopFxIdleWorkerTail+D0j
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		call	PopFxProcessWork
		jmp	short loc_4D9DC4
; 

loc_4D9DF8:				; CODE XREF: PopFxIdleWorkerTail+EFj
		lock inc dword ptr [edx]
		mov	eax, 0BFFFFFFFh
		lock and [edx],	eax
		push	0
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	PopFxActivateComponentWorker
		jmp	short loc_4D9DE3
; 

loc_4D9E12:				; CODE XREF: PopFxIdleWorkerTail+BEj
		call	PopFxAddRefDevice
		lea	eax, [ebx+34h]
		lock inc dword ptr [eax]
		mov	ecx, 0BFFFFFFFh
		lock and [eax],	ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[esp+20h+var_D], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_4D9E51
		js	short loc_4D9E51
		mov	eax, [esp+20h+var_C]
		mov	[esi+10h], eax
		mov	eax, [esp+20h+var_8]
		mov	[esi+14h], eax
		mov	byte ptr [esi+4], 1

loc_4D9E51:				; CODE XREF: PopFxIdleWorkerTail+149j
					; PopFxIdleWorkerTail+14Bj
		test	ds:byte_70EFC6,	1
		jnz	loc_5CA1F8
		xor	eax, eax
		lock and [esi],	eax

loc_4D9E63:				; CODE XREF: PopFxIdleWorkerTail+F0510j
		mov	cl, [esp+20h+var_D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [esp+20h+var_4]
		mov	edx, esi
		mov	ecx, [edi+1Ch]
		push	1
		call	PopDiagTraceFxComponentLogicalCondition
		mov	eax, [edi+3Ch]
		test	eax, eax
		jz	short loc_4D9E8A
		push	esi
		push	dword ptr [edi+64h]
		call	eax

loc_4D9E8A:				; CODE XREF: PopFxIdleWorkerTail+190j
		push	1
		mov	edx, ebx
		mov	ecx, edi
		call	PopFxCompleteComponentActivation
		jmp	loc_4D9DE3
PopFxIdleWorkerTail endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceFxComponentLogicalCondition	proc near ; CODE XREF: PopFxProcessWork+207p
					; PopFxIdleWorkerTail+86p ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005CA220 SIZE 00000052 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], ecx
		jz	short loc_4D9EE2
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_COMPONENT_CONDITION
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5CA220

loc_4D9EDF:				; CODE XREF: PopDiagTraceFxComponentLogicalCondition+F03D3j
		pop	edi
		pop	esi
		pop	ebx

loc_4D9EE2:				; CODE XREF: PopDiagTraceFxComponentLogicalCondition+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
PopDiagTraceFxComponentLogicalCondition	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxCompleteComponentActivation proc near ; CODE XREF:	PopFxActivateComponentWorker+59p
					; PopFxProcessWork+23Cp ...

var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005CA272 SIZE 000000CF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	ecx, 80000000h
		lea	eax, [esi+34h]
		lock or	[eax], ecx
		push	0
		push	0
		lea	eax, [esi+40h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		cmp	[ebp+arg_0], 0
		jz	short loc_4D9F2E
		xor	ebx, ebx
		cmp	[esi+84h], ebx
		ja	loc_5CA272

loc_4D9F2E:				; CODE XREF: PopFxCompleteComponentActivation+2Ej
					; PopFxCompleteComponentActivation+F0437j
		mov	edx, [esi+10h]
		mov	ecx, edi
		push	0
		push	1
		call	PopFxIdleComponent
		or	eax, 0FFFFFFFFh
		lock xadd [edi+80h], eax
		dec	eax
		jz	loc_5CA32C

loc_4D9F4E:				; CODE XREF: PopFxCompleteComponentActivation+F044Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
PopFxCompleteComponentActivation endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1681. PoFxIdleComponent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxIdleComponent(x, x, x)
		public _PoFxIdleComponent@12
_PoFxIdleComponent@12 proc near		; CODE XREF: PoFxReportDevicePoweredOn+C4p
					; PoFxIdleDevice+A3p ...

var_24		= dword	ptr -24h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		sub	esp, 28h
		xor	eax, eax
		push	edi
		push	8
		pop	ecx
		lea	edi, [ebp+var_24]
		rep stosd
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+arg_8]
		call	PopFxIdleComponent
		pop	edi
		leave
		retn	0Ch
_PoFxIdleComponent@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxIdleComponent proc	near		; CODE XREF: PopFxCompleteComponentActivation+47p
					; PoFxIdleComponent(x,x,x)+20p	...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CA341 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	[esp+3Ch+var_14], eax
		mov	esi, ecx
		and	eax, 3
		mov	[esp+3Ch+var_28], esi
		mov	[esp+3Ch+var_10], 0
		mov	[esp+3Ch+var_C], 0
		push	edi
		mov	edi, edx
		cmp	al, 3
		jz	loc_4DA066
		cmp	edi, [esi+23Ch]
		jnb	loc_5CA341
		lfence	eax
		mov	eax, [esi+240h]
		mov	[esp+40h+var_2C], 0
		mov	[esp+40h+var_30], 0
		mov	eax, [eax+edi*4]
		mov	[esp+40h+var_20], eax
		lea	ebx, [eax+34h]
		add	eax, 60h
		cmp	_PopFxActiveIdleLevel, 2
		mov	[esp+40h+var_18], ebx
		mov	[esp+40h+var_24], eax
		jz	loc_5CA350
		mov	esi, eax

loc_4DA011:				; CODE XREF: PopFxIdleComponent+9Bj
					; PopFxIdleComponent+9Fj
		mov	ebx, [esi]
		mov	eax, ebx
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[esp+40h+var_1C], ebx
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, edx
		mov	edx, [esp+40h+var_1C]
		cmp	eax, edx
		jnz	short loc_4DA011
		cmp	ebx, ecx
		jnz	short loc_4DA011
		mov	esi, [esp+40h+var_28]
		mov	ebx, [esp+40h+var_18]
		mov	[esp+40h+var_10], edx
		mov	[esp+40h+var_C], ecx

loc_4DA041:				; CODE XREF: PopFxIdleComponent+F03E2j
		mov	eax, [ebx]
		test	eax, 3FFFFFFFh
		jz	loc_5CA377
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		dec	eax
		cmp	eax, 80000000h
		jz	short loc_4DA075

loc_4DA05D:				; CODE XREF: PopFxIdleComponent+178j
					; PopFxIdleComponent+190j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4DA066:				; CODE XREF: PopFxIdleComponent+32j
		push	1
		push	edi
		mov	edx, esi
		mov	ecx, 614h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_4DA075:				; CODE XREF: PopFxIdleComponent+CBj
		mov	ecx, [esp+48h+var_34]
		mov	eax, ecx
		or	eax, [esp+48h+var_38]
		jnz	short loc_4DA094
		lea	ecx, [esp+48h+var_10]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	ecx, eax
		mov	[esp+48h+var_38], edx
		mov	[esp+48h+var_34], ecx

loc_4DA094:				; CODE XREF: PopFxIdleComponent+EFj
		mov	edx, [esp+48h+var_28]
		mov	eax, [edx+38h]
		test	al, 2
		jnz	short loc_4DA0D8
		cmp	_PopFxLowPowerEpoch, 0
		jnz	short loc_4DA0D8
		mov	esi, _PopFxActiveIdleThreshold
		mov	eax, ecx
		sub	eax, [esp+48h+var_18]
		mov	[esp+48h+var_24], eax
		mov	eax, [esp+48h+var_38]
		sbb	eax, [esp+48h+var_14]
		mov	[esp+48h+var_20], esi
		mov	esi, [esp+48h+var_30]
		test	eax, eax
		ja	short loc_4DA0D8
		jb	short loc_4DA10D
		mov	eax, [esp+48h+var_20]
		cmp	[esp+48h+var_24], eax
		jb	short loc_4DA10D

loc_4DA0D8:				; CODE XREF: PopFxIdleComponent+10Dj
					; PopFxIdleComponent+116j ...
		cmp	_PopFxActiveIdleLevel, 1
		jnz	short loc_4DA0F5
		push	[esp+48h+var_38]
		xor	edx, edx
		push	ecx
		mov	ecx, [esp+50h+var_2C]
		call	PpmInterlockedUpdateTimeNoFence
		mov	edx, [esp+48h+var_28]

loc_4DA0F5:				; CODE XREF: PopFxIdleComponent+14Fj
		test	byte ptr [esp+48h+var_1C], 2
		jnz	short loc_4DA163
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, esi
		call	PopFxIdleWorker
		jmp	loc_4DA05D
; 

loc_4DA10D:				; CODE XREF: PopFxIdleComponent+13Cj
					; PopFxIdleComponent+146j
		mov	ecx, 80000001h
		mov	eax, 80000000h
		lock cmpxchg [ebx], ecx
		cmp	eax, 80000000h
		jnz	loc_4DA05D
		mov	ecx, 1
		lea	esi, [edx+3Ch]
		mov	eax, ecx
		lock xadd [esi], eax
		inc	eax
		mov	esi, [esp+48h+var_30]
		cmp	eax, ecx
		jnz	loc_5CA38A
		lock xadd _PopFxResidentComponentCount,	ecx
		inc	ecx
		cmp	ecx, 1
		jnz	loc_4DA05D
		xor	cl, cl
		call	_PopFxArmResidentTimer@4 ; PopFxArmResidentTimer(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4DA163:				; CODE XREF: PopFxIdleComponent+16Aj
		push	ecx
		push	esi
		add	edx, 14h
		call	PopFxQueueWorkOrder
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
PopFxIdleComponent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmInterlockedUpdateTimeNoFence	proc near ; CODE XREF: PopFxIdleWorkerTail+9Bp
					; PopFxIdleComponent+15Cp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CA39C SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	edi
		mov	edi, edx
		mov	edx, ecx
		mov	[ebp+var_8], edx
		xor	cl, cl
		mov	[ebp+var_C], edi
		mov	[ebp+var_1], cl
		mov	eax, [edx]
		mov	edx, [edx+4]
		cmp	edx, [ebp+arg_4]
		jb	short loc_4DA19F
		ja	short loc_4DA1CC
		cmp	eax, [ebp+arg_0]
		jnb	short loc_4DA1CC

loc_4DA19F:				; CODE XREF: PpmInterlockedUpdateTimeNoFence+20j
		push	ebx
		push	esi

loc_4DA1A1:				; CODE XREF: PpmInterlockedUpdateTimeNoFence+F022Bj
					; PpmInterlockedUpdateTimeNoFence+F0236j
		mov	ecx, [ebp+arg_4]
		mov	esi, eax
		mov	[ebp+var_10], edx
		nop
		mov	ebx, [ebp+arg_0]
		mov	edi, [ebp+var_8]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_C]
		cmp	esi, eax
		jnz	loc_5CA39C
		cmp	[ebp+var_10], edx
		jnz	loc_5CA39C
		mov	cl, 1

loc_4DA1CA:				; CODE XREF: PpmInterlockedUpdateTimeNoFence+F023Fj
		pop	esi
		pop	ebx

loc_4DA1CC:				; CODE XREF: PpmInterlockedUpdateTimeNoFence+22j
					; PpmInterlockedUpdateTimeNoFence+27j
		test	edi, edi
		jnz	short loc_4DA1D7

loc_4DA1D0:				; CODE XREF: PpmInterlockedUpdateTimeNoFence+66j
		mov	al, cl
		pop	edi
		leave
		retn	8
; 

loc_4DA1D7:				; CODE XREF: PpmInterlockedUpdateTimeNoFence+58j
		mov	[edi], eax
		mov	[edi+4], edx
		jmp	short loc_4DA1D0
PpmInterlockedUpdateTimeNoFence	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxUpdateAccountingActiveTime	proc near ; CODE XREF: PopFxIdleWorkerTail+58p
					; PopFxUpdateDeviceAccountingEnhanced+88955p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005CA3BA SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte ptr [ecx+4], 0
		jz	loc_4DA26D
		mov	eax, [ecx+10h]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ecx+14h]
		cmp	esi, edi
		jb	short loc_4DA26B
		mov	edx, [ebp+arg_0]
		ja	short loc_4DA205
		cmp	edx, eax
		jbe	short loc_4DA26B

loc_4DA205:				; CODE XREF: PopFxUpdateAccountingActiveTime+21j
		sub	edx, eax
		sbb	esi, edi
		add	[ecx+78h], edx
		adc	[ecx+7Ch], esi
		cmp	esi, [ebp+arg_C]
		ja	short loc_4DA223
		jb	loc_5CA3BA
		cmp	edx, [ebp+arg_8]
		jb	loc_5CA3BA

loc_4DA223:				; CODE XREF: PopFxUpdateAccountingActiveTime+34j
		xor	eax, eax

loc_4DA225:				; CODE XREF: PopFxUpdateAccountingActiveTime+97j
		cmp	esi, ds:dword_40B74C[eax*8]
		ja	short loc_4DA239
		jb	short loc_4DA271
		cmp	edx, ds:_PopFxAccountingBucketLimits[eax*8]
		jb	short loc_4DA271

loc_4DA239:				; CODE XREF: PopFxUpdateAccountingActiveTime+4Ej
		cmp	esi, ds:dword_40B754[eax*8]
		jb	short loc_4DA24D
		ja	short loc_4DA271
		cmp	edx, ds:dword_40B750[eax*8]
		jnb	short loc_4DA271

loc_4DA24D:				; CODE XREF: PopFxUpdateAccountingActiveTime+62j
		add	dword ptr [ecx+eax*8+88h], 1
		adc	dword ptr [ecx+eax*8+8Ch], 0
		add	[ecx+eax*8+0B0h], edx
		adc	[ecx+eax*8+0B4h], esi

loc_4DA26B:				; CODE XREF: PopFxUpdateAccountingActiveTime+1Cj
					; PopFxUpdateAccountingActiveTime+25j ...
		pop	edi
		pop	esi

loc_4DA26D:				; CODE XREF: PopFxUpdateAccountingActiveTime+9j
		pop	ebp
		retn	10h
; 

loc_4DA271:				; CODE XREF: PopFxUpdateAccountingActiveTime+50j
					; PopFxUpdateAccountingActiveTime+59j ...
		inc	eax
		cmp	eax, 5
		jb	short loc_4DA225
		jmp	short loc_4DA26B
PopFxUpdateAccountingActiveTime	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepTryPowerDownDevice(x,	x)
_PopPepTryPowerDownDevice@8 proc near	; CODE XREF: PopPepProcessEvent(x,x,x,x,x,x)+EBp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		xor	ebx, ebx
		lea	eax, [esi+2Ch]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	byte ptr [ebp+var_C], al
		mov	eax, [esi+10h]
		and	eax, 1
		mov	byte ptr [esi+4Dh], 1
		or	eax, ebx
		jnz	short loc_4DA2EE
		cmp	[esi+5Ch], ebx
		jnz	short loc_4DA2EE
		cmp	[esi+58h], bl
		jz	short loc_4DA2EE
		mov	eax, [esi+40h]
		cmp	[eax], ebx
		jnz	short loc_4DA2EE
		mov	eax, [esi+44h]
		cmp	[eax], ebx
		jnz	short loc_4DA2EE
		push	ebx
		lea	edi, [esi+48h]
		xor	edx, edx
		mov	eax, [edi]
		mov	ecx, esi
		push	4
		mov	[ebp+var_8], eax
		call	_PopPepTriggerActivity@16 ; PopPepTriggerActivity(x,x,x,x)
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	PopPepPromoteActivities
		mov	ecx, [ebp+var_4]
		mov	edx, [edi]
		test	ecx, ecx
		jnz	short loc_4DA303

loc_4DA2E6:				; CODE XREF: PopPepTryPowerDownDevice(x,x)+8Fj
		mov	ecx, [ebp+var_8]
		call	_PopPepRequestWork@8 ; PopPepRequestWork(x,x)

loc_4DA2EE:				; CODE XREF: PopPepTryPowerDownDevice(x,x)+2Aj
					; PopPepTryPowerDownDevice(x,x)+2Fj ...
		push	[ebp+var_C]
		xor	edx, edx
		mov	ecx, esi
		push	1
		call	PopPepReleaseActivityLink
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_4DA303:				; CODE XREF: PopPepTryPowerDownDevice(x,x)+6Aj
		mov	eax, [esi+40h]
		cmp	dword ptr [eax], 2
		jnz	short loc_4DA2E6
		push	ecx
		push	edi
		push	4
		lea	eax, [esi+30h]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	_PopPepStartActivity@24	; PopPepStartActivity(x,x,x,x,x,x)
		mov	bl, al
		jmp	short loc_4DA2EE
_PopPepTryPowerDownDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepWork	proc near		; CODE XREF: PopFxDispatchPluginWorkOnce+95p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CA3CB SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_34], ecx
		push	esi
		dec	word ptr [eax+13Ch]
		push	edi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_2C], ebx
		nop
		xor	edx, edx
		mov	ecx, offset _PopPepDeviceListLock
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopPepLastCheckedDevice
		mov	edx, offset _PopPepLastCheckedDevice
		mov	[ebp+var_3C], esi
		cmp	esi, offset _PopPepDeviceList
		jz	loc_5CA3CB

loc_4DA377:				; CODE XREF: PopPepWork+F00BCj
		mov	edi, [esi+18h]
		cmp	_PopDiagHandleRegistered, bl
		jz	short loc_4DA3A6
		mov	eax, dword_6C1D74
		push	offset _POP_ETW_EVENT_DEFAULT_PEP_WORKER_START
		push	eax
		mov	[ebp+var_30], eax
		mov	eax, _PopDiagHandle
		push	eax
		mov	[ebp+var_20], eax
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5CA3E1

loc_4DA3A6:				; CODE XREF: PopPepWork+60j
					; PopPepWork+F00FDj
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_19], al
		mov	eax, ebx
		mov	[ebp+var_20], ebx

loc_4DA3B6:				; CODE XREF: PopPepWork+142j
		mov	edi, esi

loc_4DA3B8:				; CODE XREF: PopPepWork+135j
		mov	[ebp+var_30], ebx
		lea	ecx, [edi+2Ch]
		push	ecx
		test	eax, eax
		jnz	loc_4DA502
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jz	short loc_4DA442

loc_4DA3D0:				; CODE XREF: PopPepWork+1EBj
					; PopPepWork+1F4j
		mov	eax, [edi+18h]
		test	eax, eax
		jz	short loc_4DA3DD
		mov	eax, [eax+1Ch]
		mov	[ebp+var_30], eax

loc_4DA3DD:				; CODE XREF: PopPepWork+B5j
		mov	eax, [edi+48h]
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	short loc_4DA3FD
		push	ebx
		lea	ecx, [edi+30h]
		xor	edx, edx
		call	_PopPepGetReadyActivityType@12 ; PopPepGetReadyActivityType(x,x,x)
		mov	ecx, eax
		cmp	ecx, 6
		jnz	loc_4DA520

loc_4DA3FD:				; CODE XREF: PopPepWork+C5j
		mov	ecx, [edi+84h]
		mov	[ebp+var_28], ebx
		test	ecx, ecx
		jz	short loc_4DA434
		lea	eax, [edi+0D0h]
		mov	[ebp+var_24], eax

loc_4DA413:				; CODE XREF: PopPepWork+112j
		lea	edx, [eax-48h]
		mov	[ebp+var_44], edx
		cmp	[eax], ebx
		ja	loc_4DA558
		mov	edx, [ebp+var_28]
		add	eax, 0A8h
		inc	edx
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], edx
		cmp	edx, ecx
		jb	short loc_4DA413

loc_4DA434:				; CODE XREF: PopPepWork+E8j
		cmp	[ebp+var_40], ebx
		ja	short loc_4DA46A
		lea	eax, [edi+2Ch]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_4DA442:				; CODE XREF: PopPepWork+AEj
		mov	edi, [edi]
		cmp	edi, offset _PopPepDeviceList
		jz	loc_4DA519

loc_4DA450:				; CODE XREF: PopPepWork+1FBj
		mov	eax, [ebp+var_20]
		cmp	edi, esi
		jnz	loc_4DA3B8
		inc	eax
		mov	[ebp+var_20], eax
		cmp	eax, 3
		jb	loc_4DA3B6
		jmp	short loc_4DA4A0
; 

loc_4DA46A:				; CODE XREF: PopPepWork+117j
		push	5
		push	4
		lea	esi, [edi+30h]
		pop	edx
		mov	ecx, esi
		call	_PopPepGetReadyActivityType@12 ; PopPepGetReadyActivityType(x,x,x)
		push	[ebp+var_34]
		lea	ecx, [edi+48h]
		xor	edx, edx
		push	ecx
		push	eax
		push	esi
		mov	ecx, edi
		call	_PopPepStartActivity@24	; PopPepStartActivity(x,x,x,x,x,x)
		mov	bl, al
		lea	eax, [edi+2Ch]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	esi, [ebp+var_3C]
		mov	[ebp+var_2C], 3

loc_4DA4A0:				; CODE XREF: PopPepWork+148j
					; PopPepWork+227j ...
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	edi, esi
		jnz	loc_4DA54C

loc_4DA4B1:				; CODE XREF: PopPepWork+233j
		push	11h
		xor	edx, edx
		mov	esi, offset _PopPepDeviceListLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	loc_4DA58E

loc_4DA4C8:				; CODE XREF: PopPepWork+275j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_38]
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_30]
		push	eax
		push	[ebp+var_20]
		mov	eax, [ebp+var_28]
		push	eax
		call	PopDiagTraceFxDefaultPepWorkerEnd
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4DA502:				; CODE XREF: PopPepWork+A1j
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		cmp	[ebp+var_20], 2
		jnz	loc_4DA3D0
		inc	[ebp+var_38]
		jmp	loc_4DA3D0
; 

loc_4DA519:				; CODE XREF: PopPepWork+12Aj
		mov	edi, [edi]
		jmp	loc_4DA450
; 

loc_4DA520:				; CODE XREF: PopPepWork+D7j
		push	[ebp+var_34]
		lea	eax, [edi+48h]
		xor	edx, edx
		push	eax
		push	ecx
		lea	eax, [edi+30h]
		mov	ecx, edi
		push	eax
		call	_PopPepStartActivity@24	; PopPepStartActivity(x,x,x,x,x,x)
		lea	ecx, [edi+2Ch]
		mov	bl, al
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	[ebp+var_2C], 1
		jmp	loc_4DA4A0
; 

loc_4DA54C:				; CODE XREF: PopPepWork+18Bj
		mov	eax, offset _PopPepLastCheckedDevice
		xchg	edi, [eax]
		jmp	loc_4DA4B1
; 

loc_4DA558:				; CODE XREF: PopPepWork+FBj
		lea	ecx, [edx+30h]
		xor	edx, edx
		push	3
		inc	edx
		call	_PopPepGetReadyActivityType@12 ; PopPepGetReadyActivityType(x,x,x)
		push	[ebp+var_34]
		mov	edx, [ebp+var_44]
		push	[ebp+var_24]
		push	eax
		push	ecx
		mov	ecx, edi
		call	_PopPepStartActivity@24	; PopPepStartActivity(x,x,x,x,x,x)
		mov	bl, al
		lea	eax, [edi+2Ch]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	[ebp+var_2C], 2
		jmp	loc_4DA4A0
; 

loc_4DA58E:				; CODE XREF: PopPepWork+1A2j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_4DA4C8
PopPepWork	endp

; 
		align 10h
; Exported entry 445. ExTryAcquireSpinLockExclusiveAtDpcLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		public _ExTryAcquireSpinLockExclusiveAtDpcLevel@4
_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 proc	near
					; CODE XREF: MmDoesFileHaveUserWritableReferences+65p
					; MiReferencePfBackedSection+D4p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ds:byte_70EFC6,	21h
		mov	ecx, [ebp+arg_0]
		jnz	short loc_4DA5C5
		mov	edx, 80000000h
		xor	eax, eax
		lock cmpxchg [ecx], edx
		neg	eax
		sbb	eax, eax
		inc	eax

loc_4DA5C1:				; CODE XREF: ExTryAcquireSpinLockExclusiveAtDpcLevel(x)+2Aj
		pop	ebp
		retn	4
; 

loc_4DA5C5:				; CODE XREF: ExTryAcquireSpinLockExclusiveAtDpcLevel(x)+Fj
		call	@ExpTryAcquireSpinLockExclusiveAtDpcLevelInstrumented@4	; ExpTryAcquireSpinLockExclusiveAtDpcLevelInstrumented(x)
		jmp	short loc_4DA5C1
_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPluginDevicePower proc near		; CODE XREF: PopFxProcessWork+D3p
					; PopFxCompleteDevicePowerRequired+36p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CA422 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, [ecx+20h]
		call	_PopPepDevicePoweredOn@12 ; PopPepDevicePoweredOn(x,x,x)
		test	al, al
		jz	short loc_4DA5EB
		cmp	[ebp+arg_0], 0
		jz	loc_5CA422

loc_4DA5EB:				; CODE XREF: PopPluginDevicePower+13j
		pop	ecx
		pop	ebp
		retn	4
PopPluginDevicePower endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepDevicePoweredOn(x, x,	x)
_PopPepDevicePoweredOn@12 proc near	; CODE XREF: PopPluginDevicePower+Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		test	dl, dl
		jnz	short loc_4DA618
		push	4
		pop	esi

loc_4DA601:				; CODE XREF: PopPepDevicePoweredOn(x,x,x)+2Fj
					; PopPepDevicePoweredOn(x,x,x)+38j ...
		push	[ebp+arg_0]
		xor	edx, edx
		push	ecx
		push	6
		push	esi
		mov	ecx, edi
		call	_PopPepProcessEvent@24 ; PopPepProcessEvent(x,x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
; 

loc_4DA618:				; CODE XREF: PopPepDevicePoweredOn(x,x,x)+Cj
		xor	esi, esi
		lea	ecx, [edi+54h]
		cmp	[ecx], esi
		jle	short loc_4DA601
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		jnz	short loc_4DA601
		push	1
		push	4
		pop	edx
		mov	ecx, edi
		call	_PopPepUpdateConstraints@12 ; PopPepUpdateConstraints(x,x,x)
		jmp	short loc_4DA601
_PopPepDevicePoweredOn@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPluginComponentActive proc near	; CODE XREF: PopFxActivateComponentWorker+37p
					; PopFxIdleWorkerTail+C9p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		push	edi
		test	esi, esi
		jz	short loc_4DA653
		push	8
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd

loc_4DA653:				; CODE XREF: PopPluginComponentActive+10j
		mov	ecx, [ebx+20h]
		push	esi
		push	[ebp+arg_0]
		call	PopPepComponentActive
		test	al, al
		jz	short loc_4DA66B
		test	esi, esi
		jz	loc_5CA422

loc_4DA66B:				; CODE XREF: PopPluginComponentActive+29j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
PopPluginComponentActive endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepComponentActive proc near		; CODE XREF: PopPluginComponentActive+22p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	byte ptr [esi+4Ch], 0
		jnz	loc_5CA437

loc_4DA68E:				; CODE XREF: PopPluginDevicePower+EFE74j
		push	[ebp+arg_4]
		xor	eax, eax
		lea	edx, [esi+88h]
		test	bl, bl
		push	ecx
		setz	al
		mov	ecx, esi
		lea	eax, ds:2[eax*4]
		push	eax
		xor	eax, eax
		test	bl, bl
		setz	al
		dec	eax
		and	eax, 3
		add	eax, 3
		push	eax
		imul	eax, edi, 0A8h
		add	edx, eax
		call	_PopPepProcessEvent@24 ; PopPepProcessEvent(x,x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
PopPepComponentActive endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepProcessEvent(x, x, x,	x, x, x)
_PopPepProcessEvent@24 proc near	; CODE XREF: PopFxProcessWork+231p
					; PopPepDevicePoweredOn(x,x,x)+1Cp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax
		push	[ebp+arg_4]
		mov	edi, edx
		mov	byte ptr [ebp+var_8], bl
		push	[ebp+arg_0]
		mov	esi, ecx
		call	PopPepLockActivityLink
		mov	byte ptr [ebp+var_10], al
		mov	eax, [ebp+arg_0]
		cmp	eax, 6
		jz	short loc_4DA70D
		imul	eax, 7Ch
		mov	eax, ds:dword_401214[eax]
		mov	[ebp+var_4], eax
		cmp	eax, 2
		jge	short loc_4DA713

loc_4DA70D:				; CODE XREF: PopPepProcessEvent(x,x,x,x,x,x)+2Cj
		push	2
		pop	eax
		mov	[ebp+var_4], eax

loc_4DA713:				; CODE XREF: PopPepProcessEvent(x,x,x,x,x,x)+3Dj
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	_PopPepCountReadyActivities@12 ; PopPepCountReadyActivities(x,x,x)
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_0]
		cmp	eax, 6
		jz	short loc_4DA732
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	PopPepCompleteActivity

loc_4DA732:				; CODE XREF: PopPepProcessEvent(x,x,x,x,x,x)+58j
		cmp	[ebp+arg_4], 6
		jnz	short loc_4DA7A5

loc_4DA738:				; CODE XREF: PopPepProcessEvent(x,x,x,x,x,x)+E4j
		push	[ebp+var_4]
		mov	edx, edi
		mov	ecx, esi
		call	PopPepPromoteActivities
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, esi
		call	PopPepComponentGetWork
		push	[ebp+var_4]
		mov	edx, edi
		mov	byte ptr [ebp+arg_0+3],	al
		mov	ecx, esi
		call	_PopPepCountReadyActivities@12 ; PopPepCountReadyActivities(x,x,x)
		mov	ecx, [esi+10h]
		and	ecx, 1
		or	ecx, ebx
		jnz	short loc_4DA77E
		test	eax, eax
		jnz	short loc_4DA77E
		cmp	byte ptr [ebp+arg_0+3],	bl
		jnz	short loc_4DA77E
		cmp	[esi+5Ch], ebx
		jnz	short loc_4DA77E
		cmp	[esi+58h], bl
		jz	short loc_4DA77E
		mov	bl, 1

loc_4DA77E:				; CODE XREF: PopPepProcessEvent(x,x,x,x,x,x)+99j
					; PopPepProcessEvent(x,x,x,x,x,x)+9Dj ...
		mov	ecx, [ebp+var_C]
		mov	edx, eax
		call	_PopPepRequestWork@8 ; PopPepRequestWork(x,x)
		push	[ebp+var_8]
		mov	edx, edi
		mov	ecx, esi
		push	[ebp+var_10]
		call	PopPepReleaseActivityLink
		test	bl, bl
		jnz	short loc_4DA7B4
		mov	al, byte ptr [ebp+arg_0+3]

loc_4DA79E:				; CODE XREF: PopPepProcessEvent(x,x,x,x,x,x)+F0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_4DA7A5:				; CODE XREF: PopPepProcessEvent(x,x,x,x,x,x)+68j
		push	ebx
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, esi
		call	_PopPepTriggerActivity@16 ; PopPepTriggerActivity(x,x,x,x)
		jmp	short loc_4DA738
; 

loc_4DA7B4:				; CODE XREF: PopPepProcessEvent(x,x,x,x,x,x)+CBj
		mov	edx, [ebp+arg_C]
		mov	ecx, esi
		call	_PopPepTryPowerDownDevice@8 ; PopPepTryPowerDownDevice(x,x)
		jmp	short loc_4DA79E
_PopPepProcessEvent@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepCountReadyActivities(x, x, x)
_PopPepCountReadyActivities@12 proc near ; CODE	XREF: PopPepProcessEvent(x,x,x,x,x,x)+4Ap
					; PopPepProcessEvent(x,x,x,x,x,x)+8Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	edi
		mov	edi, edx
		mov	edx, ecx
		jz	short loc_4DA80A
		cmp	[ebp+arg_0], 2
		mov	eax, [edx+48h]
		jnz	short loc_4DA7E5
		test	edi, edi
		jz	short loc_4DA7E0
		add	eax, [edi+48h]

loc_4DA7E0:				; CODE XREF: PopPepCountReadyActivities(x,x,x)+1Bj
					; PopPepCountReadyActivities(x,x,x)+29j ...
		pop	edi
		pop	ebp
		retn	4
; 

loc_4DA7E5:				; CODE XREF: PopPepCountReadyActivities(x,x,x)+17j
		cmp	[ebp+arg_0], 3
		jnz	short loc_4DA7E0
		mov	ecx, [edx+84h]
		test	ecx, ecx
		jz	short loc_4DA7E0
		add	edx, 0D0h

loc_4DA7FB:				; CODE XREF: PopPepCountReadyActivities(x,x,x)+48j
		add	eax, [edx]
		lea	edx, [edx+0A8h]
		sub	ecx, 1
		jz	short loc_4DA7E0
		jmp	short loc_4DA7FB
; 

loc_4DA80A:				; CODE XREF: PopPepCountReadyActivities(x,x,x)+Ej
		xor	eax, eax
		jmp	short loc_4DA7E0
_PopPepCountReadyActivities@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepReleaseActivityLink proc near	; CODE XREF: PopPepTryPowerDownDevice(x,x)+7Dp
					; PopPepProcessEvent(x,x,x,x,x,x)+C4p ...

arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005CA445 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_0], 1
		push	esi
		mov	esi, ecx
		jnz	loc_5CA445
		xor	eax, eax
		lea	ecx, [esi+30h]

loc_4DA826:				; CODE XREF: PopPepReleaseActivityLink+2Aj
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_4DA831
		cmp	dword ptr [edx], 0
		jnz	short loc_4DA844

loc_4DA831:				; CODE XREF: PopPepReleaseActivityLink+1Cj
		inc	eax
		add	ecx, 4
		cmp	eax, 6
		jb	short loc_4DA826
		cmp	byte ptr [esi+58h], 0
		jz	short loc_4DA844
		mov	byte ptr [esi+4Dh], 0

loc_4DA844:				; CODE XREF: PopPepReleaseActivityLink+21j
					; PopPepReleaseActivityLink+30j
		lea	eax, [esi+2Ch]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_4DA84D:				; CODE XREF: PopPepReleaseActivityLink+EFC46j
		mov	cl, [ebp+arg_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
PopPepReleaseActivityLink endp


;  S U B	R O U T	I N E 


; __stdcall PopPepRequestWork(x, x)
_PopPepRequestWork@8 proc near		; CODE XREF: PopPepTryPowerDownDevice(x,x)+6Fp
					; PopPepProcessEvent(x,x,x,x,x,x)+B5p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		cmp	esi, ecx
		ja	short loc_4DA867

loc_4DA865:				; CODE XREF: PopPepRequestWork(x,x)+Dj
					; PopPepRequestWork(x,x)+19j
		pop	esi
		retn
; 

loc_4DA867:				; CODE XREF: PopPepRequestWork(x,x)+7j
		sub	esi, ecx
		jz	short loc_4DA865

loc_4DA86B:				; CODE XREF: PopPepRequestWork(x,x)+1Bj
		push	0
		call	PopFxRequestWorker
		sub	esi, 1
		jz	short loc_4DA865
		jmp	short loc_4DA86B
_PopPepRequestWork@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepComponentGetWork proc near	; CODE XREF: PopPepProcessEvent(x,x,x,x,x,x)+7Dp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CA459 SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		cmp	[ebp+arg_0], eax
		jnz	short loc_4DA893

loc_4DA88D:				; CODE XREF: PopPepComponentGetWork+76j
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4DA893:				; CODE XREF: PopPepComponentGetWork+11j
		push	edi
		lea	edi, [ebx+48h]
		mov	ecx, [edi]
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jnz	short loc_4DA8F2

loc_4DA8A0:				; CODE XREF: PopPepComponentGetWork+C9j
		test	esi, esi
		jnz	short loc_4DA90C

loc_4DA8A4:				; CODE XREF: PopPepComponentGetWork+97j
		cmp	byte ptr [ebx+4Dh], 1
		jnz	loc_4DA933
		mov	edx, [ebx+84h]
		mov	ecx, eax
		test	edx, edx
		jz	short loc_4DA933
		mov	edi, ebx

loc_4DA8BC:				; CODE XREF: PopPepComponentGetWork+B7j
		cmp	[edi+0D0h], eax
		jbe	short loc_4DA928
		xor	edx, edx
		lea	esi, [edi+0B8h]
		push	3
		inc	edx
		mov	ecx, esi
		call	_PopPepGetReadyActivityType@12 ; PopPepGetReadyActivityType(x,x,x)
		push	[ebp+arg_0]
		lea	ecx, [edi+0D0h]
		push	ecx
		push	eax
		push	esi
		lea	edx, [edi+88h]

loc_4DA8E8:				; CODE XREF: PopPepComponentGetWork+90j
		mov	ecx, ebx
		call	_PopPepStartActivity@24	; PopPepStartActivity(x,x,x,x,x,x)

loc_4DA8EF:				; CODE XREF: PopPepComponentGetWork+C5j
		pop	edi
		jmp	short loc_4DA88D
; 

loc_4DA8F2:				; CODE XREF: PopPepComponentGetWork+24j
		lea	ecx, [ebx+30h]
		xor	edx, edx
		push	eax
		call	_PopPepGetReadyActivityType@12 ; PopPepGetReadyActivityType(x,x,x)
		cmp	eax, 6
		jz	short loc_4DA941
		push	[ebp+arg_0]
		push	edi

loc_4DA906:				; CODE XREF: PopPepComponentGetWork+EFC18j
		xor	edx, edx

loc_4DA908:				; CODE XREF: PopPepComponentGetWork+ACj
		push	eax
		push	ecx
		jmp	short loc_4DA8E8
; 

loc_4DA90C:				; CODE XREF: PopPepComponentGetWork+28j
		lea	edi, [esi+48h]
		cmp	[edi], eax
		jbe	short loc_4DA8A4
		xor	edx, edx
		lea	ecx, [esi+30h]
		push	3
		inc	edx
		call	_PopPepGetReadyActivityType@12 ; PopPepGetReadyActivityType(x,x,x)
		push	[ebp+arg_0]
		mov	edx, esi
		push	edi
		jmp	short loc_4DA908
; 

loc_4DA928:				; CODE XREF: PopPepComponentGetWork+48j
		inc	ecx
		add	edi, 0A8h
		cmp	ecx, edx
		jb	short loc_4DA8BC

loc_4DA933:				; CODE XREF: PopPepComponentGetWork+2Ej
					; PopPepComponentGetWork+3Ej
		cmp	[ebp+var_4], 0
		ja	loc_5CA459

loc_4DA93D:				; CODE XREF: PopPepComponentGetWork+EFBF3j
		xor	eax, eax
		jmp	short loc_4DA8EF
; 

loc_4DA941:				; CODE XREF: PopPepComponentGetWork+86j
		xor	eax, eax
		jmp	loc_4DA8A0
PopPepComponentGetWork endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepPromoteActivities	proc near	; CODE XREF: PopPepTryPowerDownDevice(x,x)+5Ep
					; PopPepProcessEvent(x,x,x,x,x,x)+71p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CA497 SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_4], edx
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	loc_4DA9F0
		test	edx, edx
		jnz	short loc_4DA96E
		cmp	ebx, 2
		jz	loc_5CA497

loc_4DA96E:				; CODE XREF: PopPepPromoteActivities+1Bj
					; PopPepPromoteActivities+EFB52j
		mov	ecx, [edi+30h]
		push	esi
		xor	esi, esi
		test	byte ptr [ecx],	1
		jnz	loc_4DAA24

loc_4DA97D:				; CODE XREF: PopPepPromoteActivities+ECj
		cmp	ebx, 2
		jz	short loc_4DA994
		mov	eax, [edi+84h]
		cmp	ebx, 3
		jnz	short loc_4DAA0A
		mov	ecx, esi
		lea	esi, [eax-1]
		jmp	short loc_4DA999
; 

loc_4DA994:				; CODE XREF: PopPepPromoteActivities+38j
		mov	esi, [edx+8]
		mov	ecx, esi

loc_4DA999:				; CODE XREF: PopPepPromoteActivities+4Aj
					; PopPepPromoteActivities+C8j
		imul	eax, ecx, 0A8h
		lea	ebx, [edi+88h]
		sub	esi, ecx
		add	ebx, eax
		inc	esi
		mov	[ebp+var_8], esi

loc_4DA9AD:				; CODE XREF: PopPepPromoteActivities+8Fj
		push	34h
		xor	esi, esi
		mov	[ebp+var_4], ebx
		pop	eax
		inc	esi
		mov	[ebp+arg_0], eax

loc_4DA9B9:				; CODE XREF: PopPepPromoteActivities+83j
		mov	ecx, [ebx+eax]
		test	byte ptr [ecx],	1
		jnz	short loc_4DA9F6

loc_4DA9C1:				; CODE XREF: PopPepPromoteActivities+C0j
		add	eax, 4
		inc	esi
		mov	[ebp+arg_0], eax
		cmp	eax, 3Ch
		jle	short loc_4DA9B9
		add	ebx, 0A8h
		sub	[ebp+var_8], 1
		jnz	short loc_4DA9AD

loc_4DA9D9:				; CODE XREF: PopPepPromoteActivities+C6j
		push	4
		pop	esi
		lea	ebx, [edi+40h]

loc_4DA9DF:				; CODE XREF: PopPepPromoteActivities+A5j
		mov	ecx, [ebx]
		test	byte ptr [ecx],	1
		jnz	short loc_4DAA12

loc_4DA9E6:				; CODE XREF: PopPepPromoteActivities+DAj
		inc	esi
		add	ebx, 4
		cmp	esi, 5
		jle	short loc_4DA9DF
		pop	esi

loc_4DA9F0:				; CODE XREF: PopPepPromoteActivities+13j
		pop	edi
		pop	ebx
		leave
		retn	4
; 

loc_4DA9F6:				; CODE XREF: PopPepPromoteActivities+77j
		lea	eax, [ebx+48h]
		mov	edx, ebx
		push	eax
		push	esi
		push	ecx
		mov	ecx, edi
		call	PopPepAttemptAcitivityPromotion
		mov	eax, [ebp+arg_0]
		jmp	short loc_4DA9C1
; 

loc_4DAA0A:				; CODE XREF: PopPepPromoteActivities+43j
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_4DA9D9
		jmp	short loc_4DA999
; 

loc_4DAA12:				; CODE XREF: PopPepPromoteActivities+9Cj
		mov	edx, [ebp+var_4]
		lea	eax, [edi+48h]
		push	eax
		push	esi
		push	ecx
		mov	ecx, edi
		call	PopPepAttemptAcitivityPromotion
		jmp	short loc_4DA9E6
; 

loc_4DAA24:				; CODE XREF: PopPepPromoteActivities+2Fj
		lea	eax, [edi+48h]
		push	eax
		push	esi
		push	ecx
		mov	ecx, edi
		call	PopPepAttemptAcitivityPromotion
		mov	edx, [ebp+var_4]
		jmp	loc_4DA97D
PopPepPromoteActivities	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepLockActivityLink proc near	; CODE XREF: PopPepProcessEvent(x,x,x,x,x,x)+1Ep
					; PopPepComponentSetLatency+3Fp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CA49F SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, edx
		xor	bh, bh
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_4]
		push	edi
		test	eax, eax
		jz	short loc_4DAA60
		cmp	dword ptr [esi+84h], 1
		jnz	loc_5CA49F

loc_4DAA60:				; CODE XREF: PopPepLockActivityLink+17j
					; PopPepLockActivityLink+EFA71j ...
		lea	eax, [esi+2Ch]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+arg_8]
		mov	bh, 1
		mov	byte ptr [esi+4Dh], 1
		mov	[ecx], al

loc_4DAA74:				; CODE XREF: PopPepLockActivityLink+EFAD5j
		pop	edi
		pop	esi
		mov	al, bh
		pop	ebx
		leave
		retn	0Ch
PopPepLockActivityLink endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepAttemptAcitivityPromotion	proc near ; CODE XREF: PopPepPromoteActivities+B8p
					; PopPepPromoteActivities+D5p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CA514 SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	[ebp+var_C], edx
		mov	edx, ecx
		mov	ecx, [ebp+arg_4]
		imul	eax, ecx, 7Ch
		push	ebx
		mov	[ebp+var_8], edx
		mov	ebx, ds:dword_401210[eax]
		test	ebx, ebx
		jz	loc_4DAB49
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		mov	al, [edi+10h]
		mov	byte ptr [ebp+var_4], al
		lea	eax, [edx+30h]
		push	[ebp+var_4]
		mov	edx, ecx
		mov	[ebp+var_10], eax
		push	esi
		push	esi
		mov	ecx, eax
		call	_PopPepShouldActivityWait@20 ; PopPepShouldActivityWait(x,x,x,x,x)
		cmp	al, 1
		jz	short loc_4DAB42
		mov	edx, [ebp+var_8]
		cmp	ebx, 2
		jnz	loc_4DAB64
		mov	ecx, [ebp+var_C]
		mov	ecx, [ecx+8]
		mov	esi, ecx
		mov	[ebp+arg_0], ecx

loc_4DAADF:				; CODE XREF: PopPepAttemptAcitivityPromotion+FCj
					; PopPepAttemptAcitivityPromotion+EFA9Cj
		mov	ebx, [ebp+arg_4]
		imul	eax, esi, 0A8h
		add	eax, 0B8h
		add	eax, edx
		mov	[ebp+var_8], eax

loc_4DAAF2:				; CODE XREF: PopPepAttemptAcitivityPromotion+97j
		push	[ebp+var_4]
		mov	edx, ebx
		mov	ecx, eax
		push	3
		push	1
		call	_PopPepShouldActivityWait@20 ; PopPepShouldActivityWait(x,x,x,x,x)
		cmp	al, 1
		jz	short loc_4DAB42
		mov	eax, [ebp+var_8]
		inc	esi
		add	eax, 0A8h
		mov	[ebp+var_8], eax
		cmp	esi, [ebp+arg_0]
		jbe	short loc_4DAAF2

loc_4DAB17:				; CODE XREF: PopPepAttemptAcitivityPromotion+105j
		push	[ebp+var_4]
		mov	ecx, [ebp+var_10]
		mov	edx, ebx
		push	5
		push	4
		call	_PopPepShouldActivityWait@20 ; PopPepShouldActivityWait(x,x,x,x,x)
		cmp	al, 1
		jz	short loc_4DAB42
		mov	eax, [edi]
		and	eax, 0FFFFFFFEh
		or	eax, 2
		mov	[edi], eax
		mov	eax, [edi+4]
		mov	[edi+8], eax
		mov	eax, [ebp+arg_8]
		lock inc dword ptr [eax]

loc_4DAB42:				; CODE XREF: PopPepAttemptAcitivityPromotion+48j
					; PopPepAttemptAcitivityPromotion+86j ...
		pop	edi
		pop	esi

loc_4DAB44:				; CODE XREF: PopPepAttemptAcitivityPromotion+E4j
		pop	ebx
		leave
		retn	0Ch
; 

loc_4DAB49:				; CODE XREF: PopPepAttemptAcitivityPromotion+1Fj
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx]
		and	eax, 0FFFFFFFEh
		or	eax, 2
		mov	[ecx], eax
		mov	eax, [ecx+4]
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_8]
		lock inc dword ptr [eax]
		jmp	short loc_4DAB44
; 

loc_4DAB64:				; CODE XREF: PopPepAttemptAcitivityPromotion+50j
		mov	eax, [edx+84h]
		cmp	ebx, 3
		jz	loc_5CA514
		mov	[ebp+arg_0], esi
		mov	esi, eax
		test	eax, eax
		jz	loc_4DAADF
		mov	ebx, [ebp+arg_4]
		jmp	short loc_4DAB17
PopPepAttemptAcitivityPromotion	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepShouldActivityWait(x,	x, x, x, x)
_PopPepShouldActivityWait@20 proc near	; CODE XREF: PopPepAttemptAcitivityPromotion+41p
					; PopPepAttemptAcitivityPromotion+7Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	eax, offset dword_401260
		imul	ecx, edx, 7Ch
		cmp	[ebp+arg_8], 0
		push	edi
		jnz	short loc_4DABA2
		mov	eax, offset dword_401248

loc_4DABA2:				; CODE XREF: PopPepShouldActivityWait(x,x,x,x,x)+15j
		lea	edi, [ecx+eax]
		mov	ecx, [ebp+arg_0]
		cmp	ecx, [ebp+arg_4]
		jg	short loc_4DABC8
		lea	edx, [esi+ecx*4]
		sub	edi, esi

loc_4DABB2:				; CODE XREF: PopPepShouldActivityWait(x,x,x,x,x)+40j
		mov	esi, [edi+edx]
		test	esi, esi
		jz	short loc_4DABBF
		mov	eax, [edx]
		test	[eax], esi
		jnz	short loc_4DABD0

loc_4DABBF:				; CODE XREF: PopPepShouldActivityWait(x,x,x,x,x)+31j
		inc	ecx
		add	edx, 4
		cmp	ecx, [ebp+arg_4]
		jle	short loc_4DABB2

loc_4DABC8:				; CODE XREF: PopPepShouldActivityWait(x,x,x,x,x)+25j
		xor	al, al

loc_4DABCA:				; CODE XREF: PopPepShouldActivityWait(x,x,x,x,x)+4Cj
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_4DABD0:				; CODE XREF: PopPepShouldActivityWait(x,x,x,x,x)+37j
		mov	al, 1
		jmp	short loc_4DABCA
_PopPepShouldActivityWait@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepCompleteActivity proc near	; CODE XREF: PopPepProcessEvent(x,x,x,x,x,x)+5Fp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CA51F SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		cmp	esi, 5
		ja	short loc_4DABF1
		imul	eax, esi, 7Ch
		cmp	ds:_ActivityAttributes[eax], 1
		jz	short loc_4DAC1C

loc_4DABF1:				; CODE XREF: PopPepCompleteActivity+Fj
		xor	eax, eax

loc_4DABF3:				; CODE XREF: PopPepCompleteActivity+4Bj
		cmp	eax, 1
		jz	short loc_4DAC21
		mov	ecx, [edx+esi*4+30h]

loc_4DABFC:				; CODE XREF: PopPepCompleteActivity+51j
		mov	eax, [ecx]
		test	al, 4
		jz	loc_5CA51F
		and	eax, 0FFFFFFFBh
		mov	[ecx], eax
		imul	eax, esi, 7Ch
		push	edx
		push	edi
		call	ds:off_401280[eax] ; PopPepCompleteDevicePowerOnActivity(x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4DAC1C:				; CODE XREF: PopPepCompleteActivity+1Bj
		xor	eax, eax
		inc	eax
		jmp	short loc_4DABF3
; 

loc_4DAC21:				; CODE XREF: PopPepCompleteActivity+22j
		mov	ecx, [edi+esi*4+30h]
		jmp	short loc_4DABFC
PopPepCompleteActivity endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepTriggerActivity(x, x,	x, x)
_PopPepTriggerActivity@16 proc near	; CODE XREF: PopPepTryPowerDownDevice(x,x)+53p
					; PopPepProcessEvent(x,x,x,x,x,x)+DFp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		push	esi
		mov	edi, edx
		call	_PopPepCancelActivities@12 ; PopPepCancelActivities(x,x,x)
		push	esi
		mov	edx, edi
		mov	ecx, ebx
		call	PopPepVerifyActivities
		test	edi, edi
		jz	short loc_4DAC6B
		mov	ecx, [edi+esi*4+30h]

loc_4DAC4F:				; CODE XREF: PopPepTriggerActivity(x,x,x,x)+47j
		mov	eax, [ebp+arg_4]
		or	dword ptr [ecx], 1
		mov	[ecx+4], eax
		imul	ecx, esi, 7Ch
		push	eax
		push	edi
		push	ebx
		call	ds:off_401278[ecx] ; PopPepStartDevicePowerOnActivity(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_4DAC6B:				; CODE XREF: PopPepTriggerActivity(x,x,x,x)+21j
		mov	ecx, [ebx+esi*4+30h]
		jmp	short loc_4DAC4F
_PopPepTriggerActivity@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepVerifyActivities proc near	; CODE XREF: PopPepTriggerActivity(x,x,x,x)+1Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		cmp	esi, 5
		ja	short loc_4DAC8D
		imul	eax, esi, 7Ch
		cmp	ds:_ActivityAttributes[eax], 1
		jz	short loc_4DAC8F

loc_4DAC8D:				; CODE XREF: PopPepVerifyActivities+Dj
		mov	ecx, edx

loc_4DAC8F:				; CODE XREF: PopPepVerifyActivities+19j
		lea	edi, [ecx+30h]
		xor	ecx, ecx

loc_4DAC94:				; CODE XREF: PopPepVerifyActivities+41j
		mov	edx, [edi+ecx*4]
		test	edx, edx
		jz	short loc_4DACAF
		imul	eax, esi, 1Fh
		add	eax, ecx
		mov	eax, ds:dword_401218[eax*4]
		test	[edx], eax
		jnz	loc_5CA52E

loc_4DACAF:				; CODE XREF: PopPepVerifyActivities+27j
		inc	ecx
		cmp	ecx, 6
		jl	short loc_4DAC94
		pop	edi
		pop	esi
		pop	ebp
		retn	4
PopPepVerifyActivities endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepCancelActivities(x, x, x)
_PopPepCancelActivities@12 proc	near	; CODE XREF: PopPepTriggerActivity(x,x,x,x)+10p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		imul	eax, ebx, 7Ch
		push	edi
		mov	[ebp+var_4], edx
		mov	edi, ecx
		mov	eax, ds:dword_40120C[eax]
		test	eax, eax
		jz	short loc_4DAD3B
		push	esi
		cmp	eax, 1
		jnz	short loc_4DACF3
		lea	esi, [edi+48h]
		mov	edx, ebx
		push	esi
		push	0
		push	0
		lea	ecx, [edi+30h]
		call	_PopPepCancelActivityRange@20 ;	PopPepCancelActivityRange(x,x,x,x,x)
		jmp	short loc_4DAD2B
; 

loc_4DACF3:				; CODE XREF: PopPepCancelActivities(x,x,x)+21j
		cmp	eax, 2
		jnz	short loc_4DAD3A
		cmp	byte ptr [edi+4Dh], 0
		lea	esi, [edi+48h]
		jz	short loc_4DAD13
		push	esi
		push	0
		push	0
		mov	edx, ebx
		lea	ecx, [edi+30h]
		call	_PopPepCancelActivityRange@20 ;	PopPepCancelActivityRange(x,x,x,x,x)
		mov	edx, [ebp+var_4]

loc_4DAD13:				; CODE XREF: PopPepCancelActivities(x,x,x)+43j
		lea	eax, [edx+48h]
		push	eax
		push	3
		lea	ecx, [edx+30h]
		mov	edx, ebx
		push	1
		call	_PopPepCancelActivityRange@20 ;	PopPepCancelActivityRange(x,x,x,x,x)
		cmp	byte ptr [edi+4Dh], 0
		jz	short loc_4DAD3A

loc_4DAD2B:				; CODE XREF: PopPepCancelActivities(x,x,x)+35j
		push	esi
		push	5
		push	4
		mov	edx, ebx
		lea	ecx, [edi+30h]
		call	_PopPepCancelActivityRange@20 ;	PopPepCancelActivityRange(x,x,x,x,x)

loc_4DAD3A:				; CODE XREF: PopPepCancelActivities(x,x,x)+3Aj
					; PopPepCancelActivities(x,x,x)+6Dj
		pop	esi

loc_4DAD3B:				; CODE XREF: PopPepCancelActivities(x,x,x)+1Bj
		pop	edi
		pop	ebx
		leave
		retn	4
_PopPepCancelActivities@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepStartActivity(x, x, x, x, x, x)
_PopPepStartActivity@24	proc near	; CODE XREF: PopPepTryPowerDownDevice(x,x)+9Dp
					; PopPepWork+166p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		push	esi
		lock dec dword ptr [eax]
		mov	esi, [ebp+arg_4]
		push	[ebp+arg_C]
		imul	eax, esi, 7Ch
		push	edx
		push	ecx
		call	ds:off_40127C[eax] ; PopPepStartDevicePowerOnActivity(x,x,x)
		mov	edx, [ebp+arg_0]
		mov	ecx, [edx+esi*4]
		and	dword ptr [ecx], 0FFFFFFFDh
		mov	ecx, [edx+esi*4]
		and	dword ptr [ecx], 0FFFFFFF7h
		mov	ecx, [edx+esi*4]
		pop	esi
		or	dword ptr [ecx], 4
		pop	ebp
		retn	10h
_PopPepStartActivity@24	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepGetReadyActivityType(x, x, x)
_PopPepGetReadyActivityType@12 proc near ; CODE	XREF: PopPepWork+CDp
					; PopPepWork+154p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp

loc_4DAD7F:				; CODE XREF: PopPepGetReadyActivityType(x,x,x)+1Aj
		cmp	edx, [ebp+arg_0]
		jg	short loc_4DAD96
		mov	eax, [ecx+edx*4]
		mov	eax, [eax]
		test	al, 0Ah
		jz	short loc_4DAD93

loc_4DAD8D:				; CODE XREF: PopPepGetReadyActivityType(x,x,x)+1Fj
		mov	eax, edx
		pop	ebp
		retn	4
; 

loc_4DAD93:				; CODE XREF: PopPepGetReadyActivityType(x,x,x)+11j
		inc	edx
		jmp	short loc_4DAD7F
; 

loc_4DAD96:				; CODE XREF: PopPepGetReadyActivityType(x,x,x)+8j
		push	6
		pop	edx
		jmp	short loc_4DAD8D
_PopPepGetReadyActivityType@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepCompleteComponentActiveActivity(x, x)
_PopPepCompleteComponentActiveActivity@8 proc near ; DATA XREF:	.text:004013F4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_4DADEB
		call	KeQueryInterruptTime
		push	dword ptr [esi+5Ch]
		mov	[esi+68h], eax
		mov	ecx, esi
		mov	eax, [esi+9Ch]
		push	dword ptr [esi+58h]
		dec	eax
		mov	[esi+6Ch], edx
		mov	[esi+78h], eax
		call	_PopPepComponentGetResidencyIdleState@12 ; PopPepComponentGetResidencyIdleState(x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		and	dword ptr [esi+4], 0FFFFFFFEh
		push	0
		mov	[esi+80h], eax
		call	_PopPepUpdateIdleState@12 ; PopPepUpdateIdleState(x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_PopPepTryPowerDownComponent@8 ; PopPepTryPowerDownComponent(x,x)

loc_4DADEB:				; CODE XREF: PopPepCompleteComponentActiveActivity(x,x)+Bj
		pop	esi
		pop	ebp
		retn	8
_PopPepCompleteComponentActiveActivity@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopPepTryPowerDownComponent(x, x)
_PopPepTryPowerDownComponent@8 proc near
					; CODE XREF: PopPepCompleteComponentActiveActivity(x,x)+4Ap
					; PopPepCompleteComponentIdleStateChangeActivity+44p
		mov	edi, edi
		push	esi
		xor	esi, esi
		push	edi
		inc	esi
		lea	edi, [edx+34h]

loc_4DADFA:				; CODE XREF: PopPepTryPowerDownComponent(x,x)+18j
		mov	eax, [edi]
		cmp	dword ptr [eax], 0
		jnz	short loc_4DAE21
		inc	esi
		add	edi, 4
		cmp	esi, 3
		jbe	short loc_4DADFA
		mov	eax, [edx+9Ch]
		dec	eax
		cmp	[edx+90h], eax
		jnz	short loc_4DAE21
		and	dword ptr [edx+4], 0FFFFFFFDh
		lock dec dword ptr [ecx+5Ch]

loc_4DAE21:				; CODE XREF: PopPepTryPowerDownComponent(x,x)+Fj
					; PopPepTryPowerDownComponent(x,x)+27j
		pop	edi
		pop	esi
		retn
_PopPepTryPowerDownComponent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepUpdateIdleState(x, x,	x)
_PopPepUpdateIdleState@12 proc near	; CODE XREF: PopPepCompleteComponentActiveActivity(x,x)+40p
					; PopPepTriggerComponentActivatingActivity(x,x,x)+48p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		mov	ecx, esi
		call	PopPepGetComponentPreferedIdleState
		cmp	eax, [esi+90h]
		jnz	short loc_4DAE44

loc_4DAE3E:				; CODE XREF: PopPepUpdateIdleState(x,x,x)+32j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4DAE44:				; CODE XREF: PopPepUpdateIdleState(x,x,x)+18j
		cmp	[ebp+arg_0], 0
		jnz	short loc_4DAE58

loc_4DAE4A:				; CODE XREF: PopPepUpdateIdleState(x,x,x)+39j
		push	eax
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	_PopPepTriggerActivity@16 ; PopPepTriggerActivity(x,x,x,x)
		jmp	short loc_4DAE3E
; 

loc_4DAE58:				; CODE XREF: PopPepUpdateIdleState(x,x,x)+24j
		or	eax, 80000000h
		jmp	short loc_4DAE4A
_PopPepUpdateIdleState@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepGetComponentPreferedIdleState proc near ;	CODE XREF: PopPepUpdateIdleState(x,x,x)+Dp

var_8		= dword	ptr -8

; FUNCTION CHUNK AT 005CA564 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+9Ch]
		mov	edx, [ecx+84h]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], ecx
		dec	eax
		push	esi
		cmp	eax, edx
		jb	short loc_4DAE81
		mov	eax, edx

loc_4DAE81:				; CODE XREF: PopPepGetComponentPreferedIdleState+1Dj
		mov	esi, eax
		test	eax, eax
		jnz	short loc_4DAE8D

loc_4DAE87:				; CODE XREF: PopPepGetComponentPreferedIdleState+67j
					; PopPepCompleteActivity+EF97Ej ...
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4DAE8D:				; CODE XREF: PopPepGetComponentPreferedIdleState+25j
		push	edi
		push	6
		lea	edi, [ecx+78h]
		pop	ecx

loc_4DAE94:				; CODE XREF: PopPepGetComponentPreferedIdleState+45j
		mov	edx, [edi]
		cmp	edx, esi
		jb	short loc_4DAECE

loc_4DAE9A:				; CODE XREF: PopPepGetComponentPreferedIdleState+70j
		cmp	edx, eax
		jnz	short loc_4DAE9F
		inc	ebx

loc_4DAE9F:				; CODE XREF: PopPepGetComponentPreferedIdleState+3Cj
		add	edi, 4
		sub	ecx, 1
		jnz	short loc_4DAE94
		mov	ecx, [ebp+var_8]
		cmp	ebx, 5
		push	0
		pop	ebx
		pop	edi
		jz	short loc_4DAED2

loc_4DAEB3:				; CODE XREF: PopPepGetComponentPreferedIdleState+78j
					; PopPepGetComponentPreferedIdleState+7Cj
		mov	eax, [ecx+4]
		mov	edx, eax
		and	edx, 4
		jnz	short loc_4DAEC5
		test	bl, bl
		jnz	loc_5CA53D

loc_4DAEC5:				; CODE XREF: PopPepGetComponentPreferedIdleState+5Bj
		test	edx, edx
		jz	short loc_4DAE87
		jmp	loc_5CA564
; 

loc_4DAECE:				; CODE XREF: PopPepGetComponentPreferedIdleState+38j
		mov	esi, edx
		jmp	short loc_4DAE9A
; 

loc_4DAED2:				; CODE XREF: PopPepGetComponentPreferedIdleState+51j
		cmp	[ecx+80h], eax
		jnb	short loc_4DAEB3
		mov	bl, 1
		jmp	short loc_4DAEB3
PopPepGetComponentPreferedIdleState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepComponentGetResidencyIdleState(x, x, x)
_PopPepComponentGetResidencyIdleState@12 proc near
					; CODE XREF: PopPepCompleteComponentActiveActivity(x,x)+2Ap
					; PopPepComponentSetResidency+3Cp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, _PopPepLowPowerEpoch
		push	esi
		mov	esi, ecx
		mov	edx, [esi+9Ch]
		dec	edx
		test	al, al
		jnz	short loc_4DAEFA
		test	edx, edx
		jnz	short loc_4DAF01

loc_4DAEFA:				; CODE XREF: PopPepComponentGetResidencyIdleState(x,x,x)+16j
					; PopPepComponentGetResidencyIdleState(x,x,x)+37j ...
		mov	eax, edx
		pop	esi
		pop	ebp
		retn	8
; 

loc_4DAF01:				; CODE XREF: PopPepComponentGetResidencyIdleState(x,x,x)+1Aj
		mov	eax, [esi+0A0h]
		imul	ecx, edx, 18h
		add	eax, 8
		add	ecx, eax

loc_4DAF0F:				; CODE XREF: PopPepComponentGetResidencyIdleState(x,x,x)+48j
		mov	eax, [ecx+4]
		cmp	eax, [ebp+arg_4]
		jb	short loc_4DAEFA
		ja	short loc_4DAF20
		mov	eax, [ecx]
		cmp	eax, [ebp+arg_0]
		jbe	short loc_4DAEFA

loc_4DAF20:				; CODE XREF: PopPepComponentGetResidencyIdleState(x,x,x)+39j
		sub	ecx, 18h
		sub	edx, 1
		jnz	short loc_4DAF0F
		jmp	short loc_4DAEFA
_PopPepComponentGetResidencyIdleState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepStartDevicePowerOffActivity(x, x, x)
_PopPepStartDevicePowerOffActivity@12 proc near	; DATA XREF: .text:0040146Co

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		mov	byte ptr [eax+58h], 0
		mov	dword ptr [ecx], 2
		mov	eax, [eax+18h]
		mov	[ecx+4], eax
		mov	al, 1
		mov	byte ptr [ecx+8], 0
		pop	ebp
		retn	0Ch
_PopPepStartDevicePowerOffActivity@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepStartComponentActivatingActivity(x, x, x)
_PopPepStartComponentActivatingActivity@12 proc	near ; DATA XREF: .text:00401374o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		test	edx, edx
		jz	short loc_4DAF74
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+18h]
		mov	[ecx+4], eax
		mov	eax, [edx+8]
		mov	[ecx+8], eax
		mov	al, 1

loc_4DAF74:				; CODE XREF: PopPepStartComponentActivatingActivity(x,x,x)+Cj
		pop	ebp
		retn	0Ch
_PopPepStartComponentActivatingActivity@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepTriggerComponentActiveActivity(x, x, x)
_PopPepTriggerComponentActiveActivity@12 proc near ; DATA XREF:	.text:004013ECo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_4DAF91
		or	dword ptr [eax+4], 1
		mov	eax, [eax+3Ch]
		mov	dword ptr [eax], 4

loc_4DAF91:				; CODE XREF: PopPepTriggerComponentActiveActivity(x,x,x)+Aj
		pop	ebp
		retn	0Ch
_PopPepTriggerComponentActiveActivity@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepTriggerComponentActivatingActivity(x,	x, x)
_PopPepTriggerComponentActivatingActivity@12 proc near ; DATA XREF: .text:00401370o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_4DAFE4
		push	edi
		call	KeQueryInterruptTime
		sub	eax, [esi+68h]
		mov	edi, [esi+64h]
		sbb	edx, [esi+6Ch]
		mov	ecx, [esi+60h]
		cmp	edi, edx
		ja	short loc_4DAFC3
		jb	short loc_4DAFBF
		cmp	ecx, eax
		jnb	short loc_4DAFC3

loc_4DAFBF:				; CODE XREF: PopPepTriggerComponentActivatingActivity(x,x,x)+23j
		mov	eax, ecx
		mov	edx, edi

loc_4DAFC3:				; CODE XREF: PopPepTriggerComponentActivatingActivity(x,x,x)+21j
					; PopPepTriggerComponentActivatingActivity(x,x,x)+27j
		mov	ecx, [ebp+arg_0]
		and	dword ptr [esi+78h], 0
		mov	[esi+5Ch], edx
		mov	edx, esi
		mov	[esi+58h], eax
		call	_PopPepTryPowerUpComponent@8 ; PopPepTryPowerUpComponent(x,x)
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		push	1
		call	_PopPepUpdateIdleState@12 ; PopPepUpdateIdleState(x,x,x)
		pop	edi

loc_4DAFE4:				; CODE XREF: PopPepTriggerComponentActivatingActivity(x,x,x)+Bj
		pop	esi
		pop	ebp
		retn	0Ch
_PopPepTriggerComponentActivatingActivity@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopPepTryPowerUpComponent(x, x)
_PopPepTryPowerUpComponent@8 proc near	; CODE XREF: PopPepTriggerComponentActivatingActivity(x,x,x)+3Cp
					; PopPepTriggerComponentIdleStateChangeActivity(x,x,x)+35p
		mov	eax, [edx+4]
		test	al, 2
		jnz	short locret_4DB01B
		or	eax, 2
		mov	[edx+4], eax
		xor	eax, eax
		inc	eax
		lock xadd [ecx+5Ch], eax
		inc	eax
		cmp	eax, 1
		jnz	short locret_4DB01B
		cmp	byte ptr [ecx+58h], 0
		jnz	short locret_4DB01B
		mov	eax, [ecx+30h]
		xor	edx, edx
		cmp	[eax], edx
		jnz	short locret_4DB01B
		push	edx
		push	edx
		call	_PopPepTriggerActivity@16 ; PopPepTriggerActivity(x,x,x,x)

locret_4DB01B:				; CODE XREF: PopPepTryPowerUpComponent(x,x)+5j
					; PopPepTryPowerUpComponent(x,x)+19j ...
		retn
_PopPepTryPowerUpComponent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepStartDevicePowerOnActivity(x,	x, x)
_PopPepStartDevicePowerOnActivity@12 proc near
					; CODE XREF: PopPepTriggerActivity(x,x,x,x)+36p
					; PopPepStartActivity(x,x,x,x,x,x)+17p
					; DATA XREF: ...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_0]
		mov	dword ptr [ecx], 2
		mov	eax, [eax+18h]
		mov	[ecx+4], eax
		mov	al, 1
		mov	byte ptr [ecx+8], 1
		pop	ebp
		retn	0Ch
_PopPepStartDevicePowerOnActivity@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepCompleteDevicePowerOnActivity(x, x)
_PopPepCompleteDevicePowerOnActivity@8 proc near ; CODE	XREF: PopPepCompleteActivity+3Cp
					; PopPepTriggerActivity(x,x,x,x)+36p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax+58h], 1
		pop	ebp
		retn	8
_PopPepCompleteDevicePowerOnActivity@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceFxDevicePowered proc near	; CODE XREF: PopFxCompleteDevicePowerRequired+28p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CA57E SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_18], ecx
		push	ebx
		push	ebx
		push	7
		xor	edx, edx
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		cmp	_PopDiagHandleRegistered, bl
		jz	short loc_4DB09D
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_DEVICE_POWERED
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5CA57E

loc_4DB09B:				; CODE XREF: PopDiagTraceFxDevicePowered+EF55Bj
		pop	edi
		pop	esi

loc_4DB09D:				; CODE XREF: PopDiagTraceFxDevicePowered+29j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTraceFxDevicePowered endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxCompleteDevicePowerRequired proc near ; CODE XREF:	PopFxProcessWork+2B2p
					; PoFxReportDevicePoweredOn+141p ...

var_24		= dword	ptr -24h
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 005CA5AE SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		xor	ebx, ebx
		or	eax, 0FFFFFFFFh
		lock xadd [esi+14h], eax
		dec	eax
		js	loc_5CA5AE
		test	eax, eax
		jnz	short loc_4DB101
		mov	ecx, [esi+1Ch]
		call	PopDiagTraceFxDevicePowered
		test	edi, edi
		jz	short loc_4DB0F0

loc_4DB0DB:				; CODE XREF: PopFxCompleteDevicePowerRequired+55j
		push	edi
		mov	dl, 1
		mov	ecx, esi
		call	PopPluginDevicePower
		mov	bl, al

loc_4DB0E7:				; CODE XREF: PopFxCompleteDevicePowerRequired+59j
					; PopFxCompleteDevicePowerRequired+69j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4DB0F0:				; CODE XREF: PopFxCompleteDevicePowerRequired+2Fj
		mov	ecx, [esi+1Ch]
		xor	edx, edx
		push	ebx
		push	1
		push	10h
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		jmp	short loc_4DB0DB
; 

loc_4DB101:				; CODE XREF: PopFxCompleteDevicePowerRequired+23j
		test	edi, edi
		jz	short loc_4DB0E7
		mov	ecx, [esi+1Ch]
		xor	edx, edx
		push	ebx
		push	ebx
		push	10h
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		jmp	short loc_4DB0E7
PopFxCompleteDevicePowerRequired endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspUnlockProcessListExclusive proc near	; CODE XREF: PspProcessDelete+60p
					; PspInsertProcess+C8p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CA5E4 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_28], ecx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	eax, edx
		mov	ecx, offset _PspActiveProcessLock
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4DB2A7

loc_4DB150:				; CODE XREF: PspUnlockProcessListExclusive+19Ej
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4DB265
		mov	esi, large fs:124h
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	eax, offset _PspActiveProcessLock
		ja	short loc_4DB1A3
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4DB276
		mov	eax, [ebp+var_20]
		cmp	eax, offset _PspActiveProcessLock
		ja	short loc_4DB1A3
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_4DB276

loc_4DB1A3:				; CODE XREF: PspUnlockProcessListExclusive+65j
					; PspUnlockProcessListExclusive+7Ej ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _PspActiveProcessLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_4DB28B
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4DB29A

loc_4DB1E7:				; CODE XREF: PspUnlockProcessListExclusive+18Cj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	loc_5CA5D3
		or	[esi+1E4h], dl

loc_4DB22D:				; CODE XREF: PspUnlockProcessListExclusive+17Dj
					; PopFxCompleteDevicePowerRequired+EF535j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	short loc_4DB2B9

loc_4DB240:				; CODE XREF: PspUnlockProcessListExclusive+1D8j
					; PspUnlockProcessListExclusive+EF4DDj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_4DB265
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_4DB2F9

loc_4DB265:				; CODE XREF: PspUnlockProcessListExclusive+45j
					; PspUnlockProcessListExclusive+141j ...
		mov	ecx, [ebp+var_28]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4DB276:				; CODE XREF: PspUnlockProcessListExclusive+70j
					; PspUnlockProcessListExclusive+87j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_8], eax
		jmp	loc_4DB1A3
; 

loc_4DB28B:				; CODE XREF: PspUnlockProcessListExclusive+B9j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_4DB22D
		jmp	loc_5CA5BE
; 

loc_4DB29A:				; CODE XREF: PspUnlockProcessListExclusive+CBj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_4DB1E7
; 

loc_4DB2A7:				; CODE XREF: PspUnlockProcessListExclusive+34j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _PspActiveProcessLock
		jmp	loc_4DB150
; 

loc_4DB2B9:				; CODE XREF: PspUnlockProcessListExclusive+128j
		test	edi, 8000h
		jz	short loc_4DB2CA
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4DB2CA:				; CODE XREF: PspUnlockProcessListExclusive+1A9j
		test	byte ptr [ebp+var_C+2],	1
		jnz	short loc_4DB303

loc_4DB2D0:				; CODE XREF: PspUnlockProcessListExclusive+1FDj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4DB2E4
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4DB2E4:				; CODE XREF: PspUnlockProcessListExclusive+1C1j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4DB240
		jmp	loc_5CA5E4
; 

loc_4DB2F9:				; CODE XREF: PspUnlockProcessListExclusive+149j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4DB265
; 

loc_4DB303:				; CODE XREF: PspUnlockProcessListExclusive+1B8j
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	short loc_4DB2D0
PspUnlockProcessListExclusive endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspLockProcessListExclusive(x)
_PspLockProcessListExclusive@4 proc near ; CODE	XREF: PspProcessDelete+3Ep
					; PspInsertProcess+74p
		dec	word ptr [ecx+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset _PspActiveProcessLock
		jmp	ExAcquirePushLockExclusiveEx
_PspLockProcessListExclusive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepSetSecurityAttributesToken proc near
					; CODE XREF: SepVerifyDesktopAppxPackageName+DDp
					; SepDesktopAppxSubProcessToken(x,x,x,x,x)+244p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CA5F8 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, [edx]
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[esp+18h+var_4], edx
		mov	[esp+18h+var_C], eax
		push	esi
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	loc_5CA5F8
		mov	ecx, ebx
		call	AuthzBasepValidateSecurityAttributes
		mov	esi, eax
		test	esi, esi
		js	short loc_4DB3C0
		mov	eax, [esp+20h+var_C]
		cmp	eax, 1
		jz	loc_5CA60D

loc_4DB369:				; CODE XREF: AuthzBasepSetSecurityAttributesToken+EF2EEj
		xor	ecx, ecx
		mov	[esp+20h+var_10], ecx
		cmp	[ebx+4], ecx
		jbe	short loc_4DB3C0
		xor	esi, esi
		mov	[esp+20h+var_8], esi

loc_4DB37A:				; CODE XREF: AuthzBasepSetSecurityAttributesToken+CAj
		mov	edx, [ebx+8]
		add	edx, esi
		cmp	eax, 1
		jz	short loc_4DB3A0
		mov	eax, [esp+20h+var_4]
		mov	eax, [eax+ecx*4]
		sub	eax, 0
		jz	short loc_4DB3F6
		dec	eax
		sub	eax, 1
		jz	short loc_4DB3E3
		sub	eax, 1
		jz	short loc_4DB3DA
		sub	eax, 1
		jnz	short loc_4DB3FA

loc_4DB3A0:				; CODE XREF: AuthzBasepSetSecurityAttributesToken+58j
		mov	ecx, edi
		call	_AuthzBasepReplaceSecurityAttribute@8 ;	AuthzBasepReplaceSecurityAttribute(x,x)

loc_4DB3A7:				; CODE XREF: AuthzBasepSetSecurityAttributesToken+B7j
					; AuthzBasepSetSecurityAttributesToken+C0j
		mov	ecx, [esp+18h+var_8]
		mov	esi, eax

loc_4DB3AD:				; CODE XREF: AuthzBasepSetSecurityAttributesToken+CEj
		test	esi, esi
		js	short loc_4DB3C0
		add	dword ptr [esp+18h], 18h
		inc	ecx
		mov	[esp+18h+var_8], ecx
		cmp	ecx, [ebx+4]
		jb	short loc_4DB3EC

loc_4DB3C0:				; CODE XREF: AuthzBasepSetSecurityAttributesToken+30j
					; AuthzBasepSetSecurityAttributesToken+48j ...
		mov	edx, esi
		mov	ecx, edi
		shr	edx, 1Fh
		xor	dl, 1
		call	_AuthzBasepFinaliseSecurityAttributesList@8 ; AuthzBasepFinaliseSecurityAttributesList(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4DB3DA:				; CODE XREF: AuthzBasepSetSecurityAttributesToken+6Fj
		mov	ecx, edi
		call	AuthzBasepDeleteSecurityAttribute
		jmp	short loc_4DB3A7
; 

loc_4DB3E3:				; CODE XREF: AuthzBasepSetSecurityAttributesToken+6Aj
		mov	ecx, edi
		call	AuthzBasepAddSecurityAttribute
		jmp	short loc_4DB3A7
; 

loc_4DB3EC:				; CODE XREF: AuthzBasepSetSecurityAttributesToken+94j
		mov	eax, [esp+18h+var_4]
		mov	esi, [esp+18h]
		jmp	short loc_4DB37A
; 

loc_4DB3F6:				; CODE XREF: AuthzBasepSetSecurityAttributesToken+64j
		xor	esi, esi
		jmp	short loc_4DB3AD
; 

loc_4DB3FA:				; CODE XREF: AuthzBasepSetSecurityAttributesToken+74j
					; AuthzBasepSetSecurityAttributesToken+EF2D1j
		mov	esi, 0C000000Dh
		jmp	short loc_4DB3C0
AuthzBasepSetSecurityAttributesToken endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepFinaliseSecurityAttributesList(x,	x)
_AuthzBasepFinaliseSecurityAttributesList@8 proc near
					; CODE XREF: AuthzBasepSetSecurityAttributesToken+A0p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		push	esi
		push	edi
		lea	edi, [ebx+10h]

loc_4DB413:				; CODE XREF: AuthzBasepFinaliseSecurityAttributesList(x,x)+31j
					; AuthzBasepFinaliseSecurityAttributesList(x,x)+3Ej
		mov	eax, [edi]
		cmp	eax, edi
		jnz	short loc_4DB41E
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4DB41E:				; CODE XREF: AuthzBasepFinaliseSecurityAttributesList(x,x)+15j
		lea	esi, [eax-8]
		test	dl, dl
		mov	ecx, ebx
		mov	edx, esi
		jz	short loc_4DB442
		call	AuthzBasepCommitSecurityAttributeChanges

loc_4DB42E:				; CODE XREF: AuthzBasepFinaliseSecurityAttributesList(x,x)+45j
		mov	dl, [ebp+var_1]
		test	al, al
		jz	short loc_4DB413
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dl, [ebp+var_1]
		jmp	short loc_4DB413
; 

loc_4DB442:				; CODE XREF: AuthzBasepFinaliseSecurityAttributesList(x,x)+25j
		call	_AuthzBasepRollbackSecurityAttributeChanges@8 ;	AuthzBasepRollbackSecurityAttributeChanges(x,x)
		jmp	short loc_4DB42E
_AuthzBasepFinaliseSecurityAttributesList@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepValidateSecurityAttributes proc near
					; CODE XREF: AuthzBasepSetSecurityAttributesToken+27p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CA61D SIZE 000000DF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	ebx, ebx
		mov	eax, edx
		xor	edx, edx
		mov	[ebp+var_10], eax
		inc	ebx
		push	esi
		mov	esi, edx
		cmp	[ecx], bx
		jnz	loc_5CA61D
		mov	ebx, [eax]
		mov	[ebp+var_1C], ebx
		cmp	[ecx+2], dx
		jnz	loc_5CA61D
		push	edi
		mov	edi, [ecx+4]
		mov	[ebp+var_4], edi
		cmp	ebx, 1
		jz	loc_5CA627
		test	edi, edi
		jz	loc_4DB5C2
		mov	edx, [ecx+8]
		mov	[ebp+var_C], edx
		test	edx, edx
		jz	loc_4DB5C2

loc_4DB49E:				; CODE XREF: AuthzBasepValidateSecurityAttributes+EF1F2j
					; AuthzBasepValidateSecurityAttributes+EF1FAj
		xor	eax, eax
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	edi, edi
		jz	loc_4DB537
		mov	[ebp+var_14], 2

loc_4DB4B4:				; CODE XREF: AuthzBasepValidateSecurityAttributes+188j
		imul	eax, ecx, 18h
		add	eax, edx
		xor	edx, edx
		cmp	[eax], dx
		jz	loc_4DB5C2
		cmp	[eax+2], dx
		jz	loc_4DB5C2
		cmp	[eax+4], edx
		jz	loc_4DB5C2
		cmp	[eax+0Ah], dx
		jnz	loc_4DB5C2
		test	dword ptr [eax+0Ch], 0FF00h
		jnz	loc_4DB5C2
		test	ecx, ecx
		jnz	loc_4DB598
		cmp	ebx, 1
		jz	loc_4DB622

loc_4DB4FF:				; CODE XREF: AuthzBasepValidateSecurityAttributes+151j
		xor	ebx, ebx

loc_4DB501:				; CODE XREF: AuthzBasepValidateSecurityAttributes+169j
					; AuthzBasepValidateSecurityAttributes+172j
		movzx	edx, word ptr [eax+8]
		mov	ecx, edx
		test	cx, cx
		jz	loc_5CA6F2
		cmp	cx, word ptr [ebp+var_14]
		ja	short loc_4DB53E
		cmp	[eax+10h], ebx
		jz	short loc_4DB524
		cmp	[eax+14h], ebx
		jz	loc_5CA6F2

loc_4DB524:				; CODE XREF: AuthzBasepValidateSecurityAttributes+CFj
					; AuthzBasepValidateSecurityAttributes+10Dj ...
		test	esi, esi
		js	short loc_4DB537
		mov	ecx, [ebp+var_8]
		inc	ecx
		mov	[ebp+var_8], ecx
		cmp	ecx, edi
		jb	loc_4DB5CC

loc_4DB537:				; CODE XREF: AuthzBasepValidateSecurityAttributes+5Dj
					; AuthzBasepValidateSecurityAttributes+DCj ...
		pop	edi

loc_4DB538:				; CODE XREF: AuthzBasepValidateSecurityAttributes+EF1D8j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4DB53E:				; CODE XREF: AuthzBasepValidateSecurityAttributes+CAj
		cmp	ecx, 3
		jnz	loc_4DB5D7
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_4DB553
		cmp	[eax+14h], ebx
		jz	short loc_4DB5C2

loc_4DB553:				; CODE XREF: AuthzBasepValidateSecurityAttributes+102j
		mov	edx, ebx
		test	ecx, ecx
		jz	short loc_4DB524
		mov	eax, [eax+14h]
		add	eax, 4

loc_4DB55F:				; CODE XREF: AuthzBasepValidateSecurityAttributes+147j
		movzx	edi, word ptr [eax-4]
		test	di, di
		jz	loc_4DB626
		movzx	ebx, word ptr [eax-2]
		test	bx, bx
		jz	loc_4DB626
		cmp	di, bx
		ja	loc_4DB626
		cmp	dword ptr [eax], 0
		jz	loc_4DB626
		inc	edx
		add	eax, 8
		cmp	edx, ecx
		jb	short loc_4DB55F

loc_4DB593:				; CODE XREF: AuthzBasepValidateSecurityAttributes+1CDj
					; AuthzBasepValidateSecurityAttributes+EF2A3j
		mov	edi, [ebp+var_4]
		jmp	short loc_4DB524
; 

loc_4DB598:				; CODE XREF: AuthzBasepValidateSecurityAttributes+A6j
		cmp	ebx, 1
		jz	loc_4DB4FF
		mov	edx, [ebp+var_10]
		mov	ecx, [edx+ecx*4]
		cmp	ecx, 1
		jz	short loc_4DB5C2
		push	2
		pop	edx
		xor	ebx, ebx
		cmp	ecx, edx
		jnz	loc_4DB501

loc_4DB5B9:				; CODE XREF: AuthzBasepValidateSecurityAttributes+1DAj
		cmp	[eax+10h], ebx
		jnz	loc_4DB501

loc_4DB5C2:				; CODE XREF: AuthzBasepValidateSecurityAttributes+40j
					; AuthzBasepValidateSecurityAttributes+4Ej ...
		mov	esi, 0C000000Dh
		jmp	loc_4DB537
; 

loc_4DB5CC:				; CODE XREF: AuthzBasepValidateSecurityAttributes+E7j
		mov	edx, [ebp+var_C]
		mov	ebx, [ebp+var_1C]
		jmp	loc_4DB4B4
; 

loc_4DB5D7:				; CODE XREF: AuthzBasepValidateSecurityAttributes+F7j
		cmp	ecx, 6
		jnz	loc_5CA64F
		mov	edx, [eax+10h]
		test	edx, edx
		jz	short loc_4DB5EC
		cmp	[eax+14h], ebx
		jz	short loc_4DB5C2

loc_4DB5EC:				; CODE XREF: AuthzBasepValidateSecurityAttributes+19Bj
		mov	ecx, ebx
		test	edx, edx
		jz	loc_4DB524
		mov	eax, [eax+14h]
		mov	[ebp+var_18], eax

loc_4DB5FC:				; CODE XREF: AuthzBasepValidateSecurityAttributes+1D6j
		mov	edi, [eax+ecx*8]
		mov	ebx, [eax+ecx*8+4]
		mov	eax, edi
		or	eax, ebx
		jz	short loc_4DB614
		cmp	edi, 1
		jnz	short loc_4DB626
		xor	eax, eax
		cmp	ebx, eax
		jnz	short loc_4DB626

loc_4DB614:				; CODE XREF: AuthzBasepValidateSecurityAttributes+1BDj
		inc	ecx
		cmp	ecx, edx
		jnb	loc_4DB593
		mov	eax, [ebp+var_18]
		jmp	short loc_4DB5FC
; 

loc_4DB622:				; CODE XREF: AuthzBasepValidateSecurityAttributes+AFj
		xor	ebx, ebx
		jmp	short loc_4DB5B9
; 

loc_4DB626:				; CODE XREF: AuthzBasepValidateSecurityAttributes+11Cj
					; AuthzBasepValidateSecurityAttributes+129j ...
		mov	edi, [ebp+var_4]
		jmp	loc_5CA6F2
AuthzBasepValidateSecurityAttributes endp


;  S U B	R O U T	I N E 


AuthzBasepCommitSecurityAttributeChanges proc near
					; CODE XREF: AuthzBasepFinaliseSecurityAttributesList(x,x)+27p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	1
		xor	ebx, ebx
		mov	edi, edx
		push	ebx
		mov	esi, ecx
		call	AuthzBasepRemoveSecurityAttributeFromLists
		mov	eax, [edi+20h]
		mov	ecx, eax
		and	ecx, 1
		test	al, 4
		jnz	short loc_4DB6BE
		test	ecx, ecx
		jnz	short loc_4DB66F
		lea	eax, [esi+4]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_4DB6F0
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		or	dword ptr [edi+20h], 1
		inc	dword ptr [esi]

loc_4DB66F:				; CODE XREF: AuthzBasepCommitSecurityAttributeChanges+21j
					; AuthzBasepCommitSecurityAttributeChanges+8Ej	...
		lea	eax, [edi+38h]

loc_4DB672:				; CODE XREF: AuthzBasepCommitSecurityAttributeChanges+71j
		mov	edx, [eax]
		cmp	edx, eax
		jz	short loc_4DB6EA
		mov	esi, [edx+8]
		add	edx, 0FFFFFFF8h
		and	esi, 4
		push	ecx
		setnz	al
		mov	ecx, edi
		movzx	eax, al
		push	eax
		call	_AuthzBasepRemoveSecurityAttributeValueFromLists@16 ; AuthzBasepRemoveSecurityAttributeValueFromLists(x,x,x,x)
		test	esi, esi
		jnz	sub_5CA6FC
		test	byte ptr [edx+10h], 1
		lea	eax, [edi+38h]
		jnz	short loc_4DB672
		lea	eax, [edi+2Ch]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_4DB6F0
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[eax+4], edx
		or	dword ptr [edx+10h], 1
		inc	dword ptr [edi+24h]
		jmp	short loc_4DB66F
; 

loc_4DB6BE:				; CODE XREF: AuthzBasepCommitSecurityAttributeChanges+1Dj
		test	ecx, ecx
		jz	short loc_4DB6DF
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_4DB6F0
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_4DB6F0
		mov	[ecx], eax
		mov	[eax+4], ecx
		and	dword ptr [edi+20h], 0FFFFFFFEh
		test	esi, esi
		jz	short loc_4DB6DF
		dec	dword ptr [esi]

loc_4DB6DF:				; CODE XREF: AuthzBasepCommitSecurityAttributeChanges+92j
					; AuthzBasepCommitSecurityAttributeChanges+ADj
		xor	dl, dl
		mov	ecx, edi
		call	AuthzBasepFreeSecurityAttributeValues
		mov	bl, 1

loc_4DB6EA:				; CODE XREF: AuthzBasepCommitSecurityAttributeChanges+48j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_4DB6F0:				; CODE XREF: AuthzBasepCommitSecurityAttributeChanges+2Bj
					; AuthzBasepCommitSecurityAttributeChanges+7Bj	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
AuthzBasepCommitSecurityAttributeChanges endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepRemoveSecurityAttributeValueFromLists(x, x, x, x)
_AuthzBasepRemoveSecurityAttributeValueFromLists@16 proc near
					; CODE XREF: AuthzBasepCommitSecurityAttributeChanges+5Dp
					; AuthzBasepFreeSecurityAttributeValues+19p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr [edx+10h], 2
		push	esi
		jz	short loc_4DB725
		lea	eax, [edx+8]
		push	edi
		mov	edi, [eax]
		cmp	[edi+4], eax
		jnz	short loc_4DB75F
		mov	esi, [eax+4]
		cmp	[esi], eax
		jnz	short loc_4DB75F
		mov	[esi], edi
		mov	[edi+4], esi
		and	dword ptr [edx+10h], 0FFFFFFFDh
		pop	edi
		test	ecx, ecx
		jz	short loc_4DB725
		dec	dword ptr [ecx+34h]

loc_4DB725:				; CODE XREF: AuthzBasepRemoveSecurityAttributeValueFromLists(x,x,x,x)+Aj
					; AuthzBasepRemoveSecurityAttributeValueFromLists(x,x,x,x)+2Aj
		cmp	[ebp+arg_0], 0
		jnz	short loc_4DB730

loc_4DB72B:				; CODE XREF: AuthzBasepRemoveSecurityAttributeValueFromLists(x,x,x,x)+3Ej
					; AuthzBasepRemoveSecurityAttributeValueFromLists(x,x,x,x)+59j	...
		pop	esi
		pop	ebp
		retn	8
; 

loc_4DB730:				; CODE XREF: AuthzBasepRemoveSecurityAttributeValueFromLists(x,x,x,x)+33j
		test	byte ptr [edx+10h], 1
		jz	short loc_4DB72B
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_4DB75F
		mov	esi, [edx+4]
		cmp	[esi], edx
		jnz	short loc_4DB75F
		mov	[esi], eax
		mov	[eax+4], esi
		and	dword ptr [edx+10h], 0FFFFFFFEh
		test	ecx, ecx
		jz	short loc_4DB72B
		dec	dword ptr [ecx+24h]
		test	byte ptr [edx+10h], 4
		jz	short loc_4DB72B
		dec	dword ptr [ecx+28h]
		jmp	short loc_4DB72B
; 

loc_4DB75F:				; CODE XREF: AuthzBasepRemoveSecurityAttributeValueFromLists(x,x,x,x)+15j
					; AuthzBasepRemoveSecurityAttributeValueFromLists(x,x,x,x)+1Cj	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_AuthzBasepRemoveSecurityAttributeValueFromLists@16 endp ; AL =	character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepRemoveSecurityAttributeFromLists proc	near
					; CODE XREF: AuthzBasepCommitSecurityAttributeChanges+Ep
					; AuthzBasepDeleteSecurityAttribute+96p ...

var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005CA708 SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	esi
		jz	short loc_4DB799
		test	byte ptr [edx+20h], 2
		jz	short loc_4DB799
		lea	eax, [edx+8]
		push	edi
		mov	edi, [eax]
		cmp	[edi+4], eax
		jnz	short loc_4DB7A8
		mov	esi, [eax+4]
		cmp	[esi], eax
		jnz	short loc_4DB7A8
		mov	[esi], edi
		mov	[edi+4], esi
		and	dword ptr [edx+20h], 0FFFFFFFDh
		pop	edi
		test	ecx, ecx
		jz	short loc_4DB799
		dec	dword ptr [ecx+0Ch]

loc_4DB799:				; CODE XREF: AuthzBasepRemoveSecurityAttributeFromLists+Aj
					; AuthzBasepRemoveSecurityAttributeFromLists+10j ...
		cmp	[ebp+arg_0], 0
		jnz	loc_5CA708

loc_4DB7A3:				; CODE XREF: AuthzBasepRemoveSecurityAttributeFromLists+EEFA8j
					; AuthzBasepRemoveSecurityAttributeFromLists+EEFCFj ...
		pop	esi
		pop	ebp
		retn	8
; 

loc_4DB7A8:				; CODE XREF: AuthzBasepRemoveSecurityAttributeFromLists+1Bj
					; AuthzBasepRemoveSecurityAttributeFromLists+22j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall AuthzBasepReplaceSecurityAttribute(x, x)
_AuthzBasepReplaceSecurityAttribute@8:	; CODE XREF: AuthzBasepSetSecurityAttributesToken+78p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		lea	edi, [ebp+var_1C]
		mov	ebx, edx
		mov	[ebp+var_4], eax
		push	6
		pop	ecx
		mov	esi, ebx
		lea	edx, [ebp+var_1C]
		rep movsd
		and	[ebp+var_C], 0
		mov	ecx, eax
		call	AuthzBasepDeleteSecurityAttribute
		lea	ecx, [eax+3FFFFDDBh]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		jl	short loc_4DB7F8
		cmp	dword ptr [ebx+10h], 0
		jz	short loc_4DB7F8
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	AuthzBasepAddSecurityAttribute
		mov	ecx, eax

loc_4DB7F8:				; CODE XREF: AuthzBasepRemoveSecurityAttributeFromLists+80j
					; AuthzBasepRemoveSecurityAttributeFromLists+86j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn
AuthzBasepRemoveSecurityAttributeFromLists endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepAddSecurityAttribute proc near
					; CODE XREF: AuthzBasepSetSecurityAttributesToken+BBp
					; AuthzBasepRemoveSecurityAttributeFromLists+8Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CA740 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		xor	eax, eax
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		cmp	[esi+10h], eax
		jz	loc_5CA740
		mov	ax, [esi]
		lea	edx, [ebp+var_8]
		mov	word ptr [ebp+var_8], ax
		mov	word ptr [ebp+var_8+2],	ax
		mov	eax, [esi+4]
		mov	[ebp+var_4], eax
		call	_AuthzBasepFindSecurityAttribute@8 ; AuthzBasepFindSecurityAttribute(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_4DB892
		lea	ecx, [ebp+var_8]
		call	_AuthzBasepAllocateSecurityAttribute@4 ; AuthzBasepAllocateSecurityAttribute(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_4DB88B
		mov	eax, [esi+0Ch]
		mov	[ecx+1Ch], eax
		mov	ax, [esi+8]
		mov	[ecx+18h], ax

loc_4DB85B:				; CODE XREF: AuthzBasepAddSecurityAttribute+96j
		test	byte ptr [ecx+20h], 2
		jnz	short loc_4DB87F
		lea	edx, [edi+10h]
		mov	ebx, [edx+4]
		lea	eax, [ecx+8]
		cmp	[ebx], edx
		jnz	short loc_4DB898
		mov	[eax], edx
		mov	[eax+4], ebx
		mov	[ebx], eax
		mov	[edx+4], eax
		or	dword ptr [ecx+20h], 2
		inc	dword ptr [edi+0Ch]

loc_4DB87F:				; CODE XREF: AuthzBasepAddSecurityAttribute+5Fj
		mov	edx, esi
		call	AuthzBasepAddSecurityAttributeValues

loc_4DB886:				; CODE XREF: AuthzBasepAddSecurityAttribute+90j
					; AuthzBasepAddSecurityAttribute+EEF45j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4DB88B:				; CODE XREF: AuthzBasepAddSecurityAttribute+4Bj
		mov	eax, 0C000009Ah
		jmp	short loc_4DB886
; 

loc_4DB892:				; CODE XREF: AuthzBasepAddSecurityAttribute+3Dj
		and	dword ptr [ecx+20h], 0FFFFFFFBh
		jmp	short loc_4DB85B
; 

loc_4DB898:				; CODE XREF: AuthzBasepAddSecurityAttribute+6Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
AuthzBasepAddSecurityAttribute endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepAddSecurityAttributeValues proc near
					; CODE XREF: AuthzBasepAddSecurityAttribute+81p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CA74A SIZE 000000EC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	ax, [ecx+18h]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		xor	esi, esi
		cmp	ax, [edi+8]
		jnz	loc_5CA74A
		and	[ebp+var_8], esi
		xor	ebx, ebx
		cmp	[edi+10h], ebx
		jbe	loc_4DB9E0
		xor	edx, edx
		mov	[ebp+var_10], 2
		mov	[ebp+var_C], edx
		mov	[ebp+var_14], 3
		mov	[ebp+var_18], 4
		mov	[ebp+var_1C], 5
		mov	[ebp+var_20], 6

loc_4DB8F4:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+13Cj
		movzx	ecx, word ptr [ecx+18h]
		mov	eax, ecx
		test	ax, ax
		jz	loc_5CA760
		cmp	ax, word ptr [ebp+var_10]
		ja	loc_4DB9EA

loc_4DB90D:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+1B3j
		mov	eax, [edi+14h]
		push	dword ptr [eax+ebx*8+4]
		push	dword ptr [eax+ebx*8]

loc_4DB917:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+15Bj
		mov	edx, ecx
		mov	ecx, [ebp+var_4]
		call	AuthzBasepFindSecurityAttributeValue
		mov	edx, [ebp+var_C]
		mov	esi, eax
		mov	eax, [ebp+var_8]

loc_4DB929:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+EEECAj
		test	eax, eax
		js	loc_4DB9E0
		test	esi, esi
		jnz	loc_5CA777
		movzx	eax, word ptr [edi+8]
		xor	ecx, ecx
		push	3
		pop	esi
		sub	eax, esi
		jz	loc_4DBA31
		sub	eax, 1
		jz	loc_5CA7AC
		sub	eax, 1
		jz	loc_5CA7A0
		sub	eax, 0Bh
		jz	loc_5CA7A0

loc_4DB965:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+19Aj
					; AuthzBasepAddSecurityAttributeValues+EEF09j ...
		call	_AuthzBasepAllocateSecurityAttributeValue@4 ; AuthzBasepAllocateSecurityAttributeValue(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5CA82C
		movzx	ecx, word ptr [edi+8]
		mov	eax, ecx
		test	ax, ax
		jz	short loc_4DB997
		push	2
		pop	edx
		cmp	ax, dx
		ja	short loc_4DB9FE

loc_4DB987:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+1DCj
		mov	ecx, [edi+14h]
		mov	eax, [ecx+ebx*8]
		mov	[esi+18h], eax
		mov	eax, [ecx+ebx*8+4]
		mov	[esi+1Ch], eax

loc_4DB997:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+DFj
					; AuthzBasepAddSecurityAttributeValues+18Ej ...
		test	byte ptr [esi+10h], 2
		jnz	loc_5CA813
		mov	edx, [ebp+var_4]
		lea	eax, [esi+8]
		add	edx, 38h
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	loc_5CA825
		mov	[eax+4], ecx
		mov	[eax], edx
		mov	[ecx], eax
		mov	ecx, [ebp+var_4]
		mov	[edx+4], eax
		push	2
		pop	eax
		or	[esi+10h], eax
		inc	dword ptr [ecx+34h]

loc_4DB9CB:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+EEEFDj
					; AuthzBasepAddSecurityAttributeValues+EEF78j
		mov	edx, [ebp+var_C]
		inc	ebx
		push	10h
		pop	eax
		add	edx, eax
		mov	[ebp+var_C], edx
		cmp	ebx, [edi+10h]
		jb	loc_4DB8F4

loc_4DB9E0:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+28j
					; AuthzBasepAddSecurityAttributeValues+8Dj
		mov	ebx, [ebp+var_8]

loc_4DB9E3:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+EEEB1j
					; AuthzBasepAddSecurityAttributeValues+EEF82j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_4DB9EA:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+69j
		cmp	ax, word ptr [ebp+var_14]
		jnz	short loc_4DBA3D

loc_4DB9F0:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+1ADj
					; AuthzBasepAddSecurityAttributeValues+EEEBCj
		mov	eax, [edi+14h]
		lea	eax, [eax+ebx*8]

loc_4DB9F6:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+EEED4j
		cdq
		push	edx
		push	eax
		jmp	loc_4DB917
; 

loc_4DB9FE:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+E7j
		push	3
		pop	edx
		cmp	ax, dx
		jnz	short loc_4DBA5C
		mov	eax, [edi+14h]
		lea	ecx, [esi+28h]
		movzx	eax, word ptr [eax+ebx*8]
		mov	[esi+18h], ax
		mov	[esi+1Ah], ax
		mov	[esi+1Ch], ecx
		push	eax		; size_t
		mov	eax, [edi+14h]
		push	dword ptr [eax+ebx*8+4]	; void *

loc_4DBA23:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+EEF3Ej
					; AuthzBasepAddSecurityAttributeValues+EEF70j
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_4DB997
; 

loc_4DBA31:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+A6j
		mov	eax, [edi+14h]
		movzx	ecx, word ptr [eax+ebx*8]
		jmp	loc_4DB965
; 

loc_4DBA3D:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+150j
		cmp	ax, word ptr [ebp+var_18]
		jz	loc_5CA76D
		cmp	ax, word ptr [ebp+var_1C]
		jz	short loc_4DB9F0
		cmp	ax, word ptr [ebp+var_20]
		jz	loc_4DB90D
		jmp	loc_5CA754
; 

loc_4DBA5C:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+166j
		push	4
		pop	edx
		cmp	ax, dx
		jz	loc_5CA7E1
		push	5
		pop	edx
		cmp	ax, dx
		jz	loc_5CA7C5
		push	6
		pop	edx
		cmp	ax, dx
		jz	loc_4DB987
		jmp	loc_5CA7B9
AuthzBasepAddSecurityAttributeValues endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall AuthzBasepAllocateSecurityAttributeValue(x)
_AuthzBasepAllocateSecurityAttributeValue@4 proc near
					; CODE XREF: AuthzBasepAddSecurityAttributeValues:loc_4DB965p
					; .text:00526E80p ...
		mov	edi, edi
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, ecx
		inc	esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_4DBABC

loc_4DBA99:				; CODE XREF: AuthzBasepAllocateSecurityAttributeValue(x)+3Bj
		push	74416553h
		lea	eax, [edi+28h]
		push	eax
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_4DBAB7
		push	0Ah
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd

loc_4DBAB7:				; CODE XREF: AuthzBasepAllocateSecurityAttributeValue(x)+26j
		pop	edi
		mov	eax, edx
		pop	esi
		retn
; 

loc_4DBABC:				; CODE XREF: AuthzBasepAllocateSecurityAttributeValue(x)+11j
		mov	esi, 200h
		jmp	short loc_4DBA99
_AuthzBasepAllocateSecurityAttributeValue@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepFindSecurityAttributeValue proc near
					; CODE XREF: AuthzBasepAddSecurityAttributeValues+7Ep
					; AuthzBasepDeleteSecurityAttributeValues(x,x,x)+99p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= word ptr -4
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CA836 SIZE 0000014A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_4], dx
		xor	ebx, ebx
		mov	[ebp+var_20], eax
		push	esi
		push	edi
		movzx	edi, dx
		mov	cl, bl
		lea	edx, [eax+2Ch]
		mov	[ebp+var_28], ebx
		mov	esi, [edx]
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_24], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_1], cl
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], 2
		mov	[ebp+var_10], 3
		mov	[ebp+var_14], 4
		mov	[ebp+var_18], 5
		mov	[ebp+var_1C], 6

loc_4DBB1C:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+FFj
		cmp	esi, edx
		jnz	short loc_4DBB77

loc_4DBB20:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+105j
		mov	esi, [ebp+var_20]
		add	esi, 38h
		mov	[ebp+var_8], esi
		mov	edx, [esi]

loc_4DBB2B:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+B1j
		mov	[ebp+var_C], edx
		test	cl, cl
		jnz	short loc_4DBB36
		cmp	edx, esi
		jnz	short loc_4DBB46

loc_4DBB36:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+6Cj
		movzx	eax, cl
		neg	eax
		pop	edi
		sbb	eax, eax
		pop	esi
		and	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_4DBB46:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+70j
		mov	ebx, [ebp+var_C]
		add	ebx, 0FFFFFFF8h
		test	byte ptr [ebx+10h], 1
		jnz	short loc_4DBB70
		test	di, di
		jz	short loc_4DBB70
		push	2
		pop	edx
		cmp	di, dx
		ja	short loc_4DBBCE

loc_4DBB5F:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+EEE23j
		cmp	eax, [ebx+18h]
		jnz	short loc_4DBB70
		mov	edx, [ebp+arg_4]
		cmp	edx, [ebx+1Ch]
		jz	loc_5CA921

loc_4DBB70:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+8Cj
					; AuthzBasepFindSecurityAttributeValue+91j ...
		mov	edx, [ebp+var_C]
		mov	edx, [edx]
		jmp	short loc_4DBB2B
; 

loc_4DBB77:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+5Aj
		mov	ebx, esi
		test	di, di
		jz	short loc_4DBBBF
		cmp	di, word ptr [ebp+var_C]
		jbe	loc_4DBC0D
		cmp	di, word ptr [ebp+var_10]
		jnz	loc_5CA836
		mov	ecx, [ebp+arg_0]
		lea	edx, [esi+18h]
		mov	ax, [ecx]
		mov	word ptr [ebp+var_28], ax
		mov	word ptr [ebp+var_28+2], ax
		mov	eax, [ecx+4]
		mov	[ebp+var_24], eax

loc_4DBBA9:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+EEDFDj
		push	ecx
		lea	ecx, [ebp+var_28]
		call	AuthzBasepEqualUnicodeString
		mov	edx, [ebp+var_8]
		test	al, al
		mov	eax, [ebp+arg_0]
		jnz	short loc_4DBC1D

loc_4DBBBC:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+EEDB9j
		mov	cl, [ebp+var_1]

loc_4DBBBF:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+B8j
					; AuthzBasepFindSecurityAttributeValue+14Cj ...
		mov	esi, [esi]
		test	cl, cl
		jz	loc_4DBB1C
		jmp	loc_4DBB20
; 

loc_4DBBCE:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+99j
		push	3
		pop	edx
		cmp	di, dx
		jnz	loc_5CA8D1
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebx+18h]
		push	ecx
		mov	ax, [ecx]
		mov	word ptr [ebp+var_28], ax
		mov	word ptr [ebp+var_28+2], ax
		mov	eax, [ecx+4]
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_24], eax
		call	AuthzBasepEqualUnicodeString

loc_4DBBFA:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+EEEACj
		test	al, al
		mov	eax, [ebp+arg_0]
		jnz	loc_5CA921

loc_4DBC05:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+EEE57j
		mov	cl, [ebp+var_1]
		jmp	loc_4DBB70
; 

loc_4DBC0D:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+BEj
					; AuthzBasepFindSecurityAttributeValue+EED82j
		cmp	eax, [esi+18h]
		jnz	short loc_4DBBBF
		mov	eax, [ebp+arg_4]
		cmp	eax, [esi+1Ch]
		mov	eax, [ebp+arg_0]
		jnz	short loc_4DBBBF

loc_4DBC1D:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+F6j
					; AuthzBasepFindSecurityAttributeValue+EEDBFj
		mov	cl, 1
		mov	[ebp+var_1], cl
		jmp	short loc_4DBBBF
AuthzBasepFindSecurityAttributeValue endp


;  S U B	R O U T	I N E 


; __stdcall AuthzBasepAllocateSecurityAttribute(x)
_AuthzBasepAllocateSecurityAttribute@4 proc near
					; CODE XREF: AuthzBasepAddSecurityAttribute+42p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		push	74416553h
		movzx	ecx, word ptr [edi]
		add	ecx, 40h
		call	_AuthzBasepMemAlloc@12 ; AuthzBasepMemAlloc(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_4DBC74
		push	40h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	cx, [edi]
		lea	eax, [esi+40h]
		add	esp, 0Ch
		mov	[esi+14h], eax
		lea	eax, [esi+10h]
		mov	[esi+12h], cx
		push	edi
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		lea	eax, [esi+2Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+38h]
		mov	[eax+4], eax
		mov	[eax], eax

loc_4DBC74:				; CODE XREF: AuthzBasepAllocateSecurityAttribute(x)+1Aj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_AuthzBasepAllocateSecurityAttribute@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepMemAlloc(x, x, x)
_AuthzBasepMemAlloc@12 proc near	; CODE XREF: AuthzBasepAllocateSecurityAttribute(x)+11p
					; AuthzBasepInitializeResourceClaimsFromSacl+59p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, ecx
		inc	esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_4DBCA0

loc_4DBC90:				; CODE XREF: AuthzBasepMemAlloc(x,x,x)+2Bj
		push	[ebp+arg_0]
		push	edi
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4DBCA0:				; CODE XREF: AuthzBasepMemAlloc(x,x,x)+14j
		mov	esi, 200h
		jmp	short loc_4DBC90
_AuthzBasepMemAlloc@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepDeleteSecurityAttribute proc near
					; CODE XREF: AuthzBasepSetSecurityAttributesToken+B2p
					; AuthzBasepRemoveSecurityAttributeFromLists+6Fp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 005CA980 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_8], edx
		push	esi
		mov	[ebp+var_10], eax
		mov	ebx, ecx
		push	edi
		mov	edi, eax
		mov	byte ptr [ebp+var_1], al
		mov	ax, [edx]
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		mov	eax, [edx+4]
		lea	edx, [ebp+var_10]
		mov	[ebp+var_C], eax
		call	_AuthzBasepFindSecurityAttribute@8 ; AuthzBasepFindSecurityAttribute(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_4DBCED

loc_4DBCE1:				; CODE XREF: AuthzBasepDeleteSecurityAttribute+4Aj
		mov	edi, 0C0000225h

loc_4DBCE6:				; CODE XREF: AuthzBasepDeleteSecurityAttribute+8Cj
					; AuthzBasepDeleteSecurityAttribute+ACj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4DBCED:				; CODE XREF: AuthzBasepDeleteSecurityAttribute+37j
		mov	eax, [esi+20h]
		test	al, 4
		jnz	short loc_4DBCE1
		test	al, 2
		jnz	short loc_4DBD16
		lea	ecx, [ebx+10h]
		mov	edx, [ecx+4]
		lea	eax, [esi+8]
		cmp	[edx], ecx
		jnz	short loc_4DBD56
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		or	dword ptr [esi+20h], 2
		inc	dword ptr [ebx+0Ch]

loc_4DBD16:				; CODE XREF: AuthzBasepDeleteSecurityAttribute+4Ej
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		cmp	[edx+10h], edi
		jnz	loc_5CA980
		or	dword ptr [esi+20h], 4
		call	_AuthzBasepDeleteAllSecurityAttributeValues@4 ;	AuthzBasepDeleteAllSecurityAttributeValues(x)

loc_4DBD2D:				; CODE XREF: AuthzBasepDeleteSecurityAttribute+EECEFj
					; AuthzBasepDeleteSecurityAttribute+EECF9j
		mov	eax, [esi+20h]
		and	al, 5
		cmp	al, 4
		jnz	short loc_4DBCE6
		push	1
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	AuthzBasepRemoveSecurityAttributeFromLists
		xor	dl, dl
		mov	ecx, esi
		call	AuthzBasepFreeSecurityAttributeValues
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4DBCE6
; 

loc_4DBD56:				; CODE XREF: AuthzBasepDeleteSecurityAttribute+5Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
AuthzBasepDeleteSecurityAttribute endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepInitSingletonEntry(x, x,	x)
_SepInitSingletonEntry@12 proc near	; CODE XREF: SepAddLuidToIndexEntry+BBp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	_SepGetSingletonEntryFromIndexNumber@4 ; SepGetSingletonEntryFromIndexNumber(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_4DBD95
		push	ebx
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+arg_0]
		mov	bl, al
		and	dword ptr [esi+10h], 0
		mov	[esi+8], ecx
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	[esi+0Ch], ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx

loc_4DBD95:				; CODE XREF: SepInitSingletonEntry(x,x,x)+Fj
		pop	esi
		pop	ebp
		retn	8
_SepInitSingletonEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepGetSingletonEntryFromIndexNumber(x)
_SepGetSingletonEntryFromIndexNumber@4 proc near
					; CODE XREF: SepInitSingletonEntry(x,x,x)+6p
					; SepCleanSingletonEntry+3p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	_SepSingletonGlobal
		mov	edi, ecx
		xor	esi, esi
		mov	ebx, edi
		shr	ebx, 6
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	edx, _SepSingletonGlobal
		mov	[ebp+var_1], al
		cmp	ebx, [edx+4]
		jnb	short loc_4DBDD1
		mov	ecx, [edx+8]
		and	edi, 3Fh
		imul	esi, edi, 18h
		add	esi, [ecx+ebx*4]

loc_4DBDD1:				; CODE XREF: SepGetSingletonEntryFromIndexNumber(x)+29j
		push	edx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SepGetSingletonEntryFromIndexNumber@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCleanupMarkedForDeletionEntries()
_SepCleanupMarkedForDeletionEntries@0 proc near
					; CODE XREF: SepAddLuidToIndexEntry:loc_79E7B8p

var_14		= dword	ptr -14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_SeLuidToIndexMapping
		sub	esp, 14h
		push	ebx
		mov	ebx, [eax+4]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		call	_RtlInitEnumerationHashTable@8 ; RtlInitEnumerationHashTable(x,x)
		jmp	short loc_4DBE49
; 

loc_4DBE11:				; CODE XREF: SepCleanupMarkedForDeletionEntries()+77j
		push	0
		push	esi
		push	ebx
		call	RtlRemoveEntryHashTable
		test	al, al
		jz	short loc_4DBE49
		mov	ecx, [esi+18h]
		call	SepCleanSingletonEntry
		mov	ecx, [esi+18h]
		mov	edx, ecx
		mov	eax, ds:_SeLuidToIndexMapping
		and	ecx, 7
		shr	edx, 3
		push	0
		push	esi
		add	edx, [eax+0Ch]
		movsx	eax, byte ptr [edx]
		btr	eax, ecx
		mov	[edx], al
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4DBE49:				; CODE XREF: SepCleanupMarkedForDeletionEntries()+27j
					; SepCleanupMarkedForDeletionEntries()+34j ...
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		call	RtlEnumerateEntryHashTable
		mov	esi, eax
		test	esi, esi
		jz	short loc_4DBE61
		cmp	byte ptr [esi+20h], 0
		jz	short loc_4DBE49
		jmp	short loc_4DBE11
; 

loc_4DBE61:				; CODE XREF: SepCleanupMarkedForDeletionEntries()+6Fj
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		call	_RtlEndEnumerationHashTable@8 ;	RtlEndEnumerationHashTable(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SepCleanupMarkedForDeletionEntries@0 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2178. RtlInsertEntryHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlInsertEntryHashTable
RtlInsertEntryHashTable	proc near	; CODE XREF: SepAddLuidToIndexEntry+A2p
					; SepGetCachedHandlesEntry+8Dp	...

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005CA9A6 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		mov	[ebx+8], eax
		inc	dword ptr [edi+14h]
		test	esi, esi
		jnz	short loc_4DBED3
		push	eax
		lea	edx, [ebp+var_C]
		mov	ecx, edi
		call	_RtlpPopulateContext@12	; RtlpPopulateContext(x,x,x)
		lea	esi, [ebp+var_C]

loc_4DBEAD:				; CODE XREF: RtlInsertEntryHashTable+60j
					; RtlInsertEntryHashTable+EEB3Aj
		mov	eax, [esi]
		cmp	[eax], eax
		jnz	short loc_4DBEB6
		inc	dword ptr [edi+18h]

loc_4DBEB6:				; CODE XREF: RtlInsertEntryHashTable+3Bj
		mov	eax, [esi+4]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_4DBEDD
		mov	[ebx+4], eax
		mov	[ebx], ecx
		pop	edi
		mov	[ecx+4], ebx
		mov	[eax], ebx
		mov	al, 1
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_4DBED3:				; CODE XREF: RtlInsertEntryHashTable+27j
		cmp	dword ptr [esi], 0
		jnz	short loc_4DBEAD
		jmp	loc_5CA9A6
; 

loc_4DBEDD:				; CODE XREF: RtlInsertEntryHashTable+48j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
RtlInsertEntryHashTable	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpPopulateContext(x, x, x)
_RtlpPopulateContext@12	proc near	; CODE XREF: RtlInsertEntryHashTable+2Fp
					; RtlInitEnumerationHashTable(x,x)+1Dp	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	edx, ebx
		call	_RtlpGetBucketIndex@8 ;	RtlpGetBucketIndex(x,x)
		mov	edx, eax
		mov	ecx, esi
		call	_RtlpGetChainHead@8 ; RtlpGetChainHead(x,x)
		mov	edx, eax
		mov	esi, edx
		mov	ecx, [edx]
		cmp	ecx, edx
		jnz	short loc_4DBF1A

loc_4DBF0B:				; CODE XREF: RtlpPopulateContext(x,x,x)+41j
					; RtlpPopulateContext(x,x,x)+4Dj
		mov	[edi+4], esi
		mov	[edi+8], ebx
		mov	[edi], edx
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4DBF1A:				; CODE XREF: RtlpPopulateContext(x,x,x)+27j
					; RtlpPopulateContext(x,x,x)+4Bj
		mov	eax, [ecx+8]
		test	eax, eax
		jz	short loc_4DBF25
		cmp	eax, ebx
		jnb	short loc_4DBF0B

loc_4DBF25:				; CODE XREF: RtlpPopulateContext(x,x,x)+3Dj
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		cmp	eax, edx
		jnz	short loc_4DBF1A
		jmp	short loc_4DBF0B
_RtlpPopulateContext@12	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2053. RtlEnumerateEntryHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlEnumerateEntryHashTable
RtlEnumerateEntryHashTable proc	near	; CODE XREF: SepCleanupMarkedForDeletionEntries()+66p
					; RtlWeaklyEnumerateEntryHashTable(x,x)+6j ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CA9B5 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [esi+10h]

loc_4DBF47:				; CODE XREF: RtlEnumerateEntryHashTable+2Fj
		cmp	edi, [ebx+8]
		jnb	short loc_4DBFC2
		cmp	edi, [esi+10h]
		jz	short loc_4DBF67
		mov	edx, edi
		mov	ecx, ebx
		call	_RtlpGetChainHead@8 ; RtlpGetChainHead(x,x)
		mov	edx, eax
		mov	ecx, edx

loc_4DBF5E:				; CODE XREF: RtlEnumerateEntryHashTable+36j
		mov	ecx, [ecx]
		cmp	ecx, edx
		jnz	short loc_4DBF6E

loc_4DBF64:				; CODE XREF: RtlEnumerateEntryHashTable+EEA8Bj
		inc	edi
		jmp	short loc_4DBF47
; 

loc_4DBF67:				; CODE XREF: RtlEnumerateEntryHashTable+19j
		mov	edx, [esi+0Ch]
		mov	ecx, esi
		jmp	short loc_4DBF5E
; 

loc_4DBF6E:				; CODE XREF: RtlEnumerateEntryHashTable+2Cj
					; RtlEnumerateEntryHashTable+EEA85j
		cmp	dword ptr [ecx+8], 0
		jz	loc_5CA9B5
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_4DBFCB
		mov	ebx, [esi+4]
		cmp	[ebx], esi
		jnz	short loc_4DBFCB
		mov	[ebx], eax
		mov	[eax+4], ebx
		mov	eax, [esi+0Ch]
		mov	ebx, [ebp+arg_0]
		cmp	eax, edx
		jz	short loc_4DBF9D
		cmp	[eax], eax
		jz	short loc_4DBFBD

loc_4DBF99:				; CODE XREF: RtlEnumerateEntryHashTable+8Aj
		cmp	[edx], edx
		jz	short loc_4DBFC6

loc_4DBF9D:				; CODE XREF: RtlEnumerateEntryHashTable+5Dj
					; RtlEnumerateEntryHashTable+93j
		mov	[esi+10h], edi
		mov	[esi+0Ch], edx
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_4DBFCB
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		mov	eax, ecx
		mov	[ecx], esi

loc_4DBFB6:				; CODE XREF: RtlEnumerateEntryHashTable+8Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_4DBFBD:				; CODE XREF: RtlEnumerateEntryHashTable+61j
		dec	dword ptr [ebx+18h]
		jmp	short loc_4DBF99
; 

loc_4DBFC2:				; CODE XREF: RtlEnumerateEntryHashTable+14j
		xor	eax, eax
		jmp	short loc_4DBFB6
; 

loc_4DBFC6:				; CODE XREF: RtlEnumerateEntryHashTable+65j
		inc	dword ptr [ebx+18h]
		jmp	short loc_4DBF9D
; 

loc_4DBFCB:				; CODE XREF: RtlEnumerateEntryHashTable+47j
					; RtlEnumerateEntryHashTable+4Ej ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
RtlEnumerateEntryHashTable endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpGetChainHead(x,	x)
_RtlpGetChainHead@8 proc near		; CODE XREF: RtlpPopulateContext(x,x,x)+1Ap
					; RtlEnumerateEntryHashTable+1Fp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	dword ptr [ecx+8], 80h
		push	esi
		mov	esi, [ecx+20h]
		ja	short loc_4DBFE9

loc_4DBFE3:				; CODE XREF: RtlpGetChainHead(x,x)+26j
		lea	eax, [esi+edx*8]
		pop	esi
		leave
		retn
; 

loc_4DBFE9:				; CODE XREF: RtlpGetChainHead(x,x)+11j
		sub	edx, 0FFFFFF80h
		bsr	eax, edx
		btc	edx, eax
		mov	esi, [esi+eax*4-1Ch]
		jmp	short loc_4DBFE3
_RtlpGetChainHead@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpGetBucketIndex(x, x)
_RtlpGetBucketIndex@8 proc near		; CODE XREF: RtlpPopulateContext(x,x,x)+11p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+4]
		shr	edx, cl
		imul	ecx, edx, 41C64E6Dh
		imul	eax, edx, 10DCDh
		mov	edx, [esi+10h]
		add	ecx, 3039h
		shr	ecx, 10h
		inc	eax
		and	eax, 0FFFF0000h
		or	ecx, eax
		mov	eax, edx
		and	eax, ecx
		cmp	eax, [esi+0Ch]
		pop	esi
		jb	short loc_4DC02D
		retn
; 

loc_4DC02D:				; CODE XREF: RtlpGetBucketIndex(x,x)+32j
		lea	eax, [edx+edx]
		or	eax, 1
		and	eax, ecx
		retn
_RtlpGetBucketIndex@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSetTrustLevelForProcessToken(x, x, x)
_SepSetTrustLevelForProcessToken@12 proc near ;	CODE XREF: SeSubProcessToken+23Ep
					; SeExchangePrimaryToken+73p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [edx+3A6h]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		lea	ecx, [ebp+arg_0+3]
		mov	byte ptr [ebp+arg_0+3],	al
		mov	byte ptr [edi],	0
		call	SepSidFromProcessProtection
		mov	esi, eax
		mov	eax, [ebx+280h]
		test	eax, eax
		jnz	short loc_4DC070
		test	esi, esi
		jnz	short loc_4DC074

loc_4DC067:				; CODE XREF: SepSetTrustLevelForProcessToken(x,x,x)+59j
		xor	eax, eax

loc_4DC069:				; CODE XREF: SepSetTrustLevelForProcessToken(x,x,x)+49j
					; SepSetTrustLevelForProcessToken(x,x,x)+4Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4DC070:				; CODE XREF: SepSetTrustLevelForProcessToken(x,x,x)+2Bj
		test	esi, esi
		jnz	short loc_4DC086

loc_4DC074:				; CODE XREF: SepSetTrustLevelForProcessToken(x,x,x)+2Fj
					; SepSetTrustLevelForProcessToken(x,x,x)+5Bj
		mov	edx, esi
		mov	ecx, ebx
		call	_SepSetTokenTrust@8 ; SepSetTokenTrust(x,x)
		test	eax, eax
		js	short loc_4DC069
		mov	byte ptr [edi],	1
		jmp	short loc_4DC069
; 

loc_4DC086:				; CODE XREF: SepSetTrustLevelForProcessToken(x,x,x)+3Cj
		push	esi
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_4DC067
		jmp	short loc_4DC074
_SepSetTrustLevelForProcessToken@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepMandatorySubProcessToken proc near	; CODE XREF: SeSubProcessToken+220p

var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_8D		= dword	ptr -8Dh
var_88		= dword	ptr -88h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CA9C6 SIZE 00000281 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_9C], ecx
		mov	ebx, edx
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		push	esi
		push	edi
		mov	[ebp+var_A0], ecx
		mov	esi, edx
		mov	[ecx], edx
		mov	edi, edx
		test	byte ptr [eax+3A8h], 1
		mov	[ebp+var_98], edx
		mov	byte ptr [ebp+var_8D], dl
		jnz	loc_4DC197
		test	byte ptr [ebx+0BCh], 2
		jz	loc_4DC197
		lea	ecx, [ebp+var_98]
		push	ecx
		push	eax
		call	_PsReferenceProcessFilePointer@8 ; PsReferenceProcessFilePointer(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_4DC1B1
		lea	edi, [ebp+var_88]
		mov	[ebp+var_8D+1],	80h
		push	1
		mov	eax, edi
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_4DC1B1
		mov	ecx, [ebp+var_98]
		lea	eax, [ebp+var_8D+1]
		push	eax
		push	80h
		mov	eax, edi
		push	eax
		push	10h
		pop	edx
		call	_ObQuerySecurityObject@20 ; ObQuerySecurityObject(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_5CA9C6

loc_4DC154:				; CODE XREF: SepMandatorySubProcessToken+EE984j
		test	esi, esi
		js	loc_4DC1EB
		test	edi, edi
		jz	loc_4DC1EB
		movzx	eax, word ptr [edi+2]
		mov	ecx, eax
		test	al, 10h
		jz	short loc_4DC1E7
		test	cx, cx
		mov	ecx, [edi+0Ch]
		jns	short loc_4DC17F
		lea	eax, [ecx+edi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_4DC17F:				; CODE XREF: SepMandatorySubProcessToken+E0j
					; SepMandatorySubProcessToken+155j
		push	0
		push	11h
		push	ecx
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		mov	[ebp+var_8D+1],	eax
		test	eax, eax
		jnz	loc_5CAA1D

loc_4DC197:				; CODE XREF: SepMandatorySubProcessToken+47j
					; SepMandatorySubProcessToken+54j ...
		mov	eax, [ebp+var_9C]
		test	eax, eax
		jz	short loc_4DC1B1
		test	dword ptr [eax+0B0h], 1000h
		jnz	loc_5CAADB

loc_4DC1B1:				; CODE XREF: SepMandatorySubProcessToken+6Bj
					; SepMandatorySubProcessToken+8Fj ...
		mov	eax, [ebp+var_98]
		test	eax, eax
		jz	short loc_4DC1C2
		mov	ecx, eax
		call	ObfDereferenceObject

loc_4DC1C2:				; CODE XREF: SepMandatorySubProcessToken+125j
		test	edi, edi
		jz	short loc_4DC1D4
		lea	eax, [ebp+var_88]
		cmp	edi, eax
		jnz	loc_5CAC3A

loc_4DC1D4:				; CODE XREF: SepMandatorySubProcessToken+130j
					; SepMandatorySubProcessToken+EEBAEj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_4DC1E7:				; CODE XREF: SepMandatorySubProcessToken+D8j
		xor	ecx, ecx
		jmp	short loc_4DC17F
; 

loc_4DC1EB:				; CODE XREF: SepMandatorySubProcessToken+C2j
					; SepMandatorySubProcessToken+CAj
		xor	esi, esi
		jmp	short loc_4DC197
SepMandatorySubProcessToken endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepDesktopAppxSubProcessToken(x, x,	x, x, x)
_SepDesktopAppxSubProcessToken@20 proc near ; CODE XREF: SeSubProcessToken+1F7p

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5E		= dword	ptr -5Eh
var_5A		= word ptr -5Ah
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_44		= word ptr -44h
var_42		= word ptr -42h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_2C		= word ptr -2Ch
var_2A		= word ptr -2Ah
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_78], edx
		mov	[ebp+var_74], ecx
		xor	eax, eax
		mov	[ebp+var_58], offset ??_C@_1BO@BOGEHPME@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAS?$AAY?$AAS?$AAA?$AAP?$AAP?$AAI?$AAD@FNODOBFM@
		push	1Ch
		mov	[ebp+var_68], eax
		lea	edi, [ebp+var_54]
		mov	[ebp+var_64], eax
		mov	[ebp+var_94], eax
		mov	[ebp+var_90], eax
		mov	byte ptr [ebp+var_5E+1], al
		pop	eax
		mov	word ptr [ebp+var_5E+2], ax
		xor	eax, eax
		push	1Eh
		pop	edx
		mov	[ebp+var_5A], dx
		stosd
		push	12h
		mov	ebx, [ebp+arg_8]
		stosd
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_88], ecx
		mov	[ebp+var_70], ebx
		stosd
		stosd
		pop	eax
		mov	[ebp+var_44], ax
		lea	edi, [ebp+var_3C]
		push	14h
		pop	eax
		mov	[ebp+var_42], ax
		xor	eax, eax
		mov	[ebp+var_40], offset ??_C@_1BE@BDEKEKBI@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAP?$AAK?$AAG@FNODOBFM@
		stosd
		push	20h
		stosd
		stosd
		stosd
		pop	eax
		mov	[ebp+var_2A], ax
		lea	edi, [ebp+var_24]
		mov	[ebp+var_2C], dx
		xor	eax, eax
		mov	[ebp+var_28], offset ??_C@_1CA@KNFPKGEL@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAP?$AAK?$AAG?$AAH?$AAO?$AAS?$AAT?$AAI?$AAD@FNODOBFM@
		xor	edx, edx
		stosd
		push	edx
		mov	[ecx], dl
		mov	byte ptr [ebp+var_6C], dl
		stosd
		mov	[ebp+var_7C], edx
		mov	[ebp+var_80], edx
		mov	[ebp+var_84], edx
		stosd
		mov	[ebp+var_8C], edx
		mov	byte ptr [ebp+var_5E], dl
		mov	[ebx], dl
		stosd
		lea	eax, [ebp+var_68]
		mov	edi, [ebp+var_74]
		push	eax
		push	edx
		push	edx
		push	edx
		push	edx
		push	edx
		push	edi
		call	RtlQueryPackageClaims
		mov	esi, eax
		test	esi, esi
		jns	short loc_4DC2D0
		cmp	esi, 0C0000225h
		jnz	loc_4DC4F2
		xor	esi, esi

loc_4DC2D0:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+D0j
		mov	ecx, [ebp+var_68]
		test	cl, 4
		jz	loc_4DC467
		mov	eax, [ebp+arg_0]
		and	eax, 3
		cmp	al, 3
		jnz	short loc_4DC2F0
		mov	esi, 0C000000Dh
		jmp	loc_4DC4F2
; 

loc_4DC2F0:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+F4j
		xor	ebx, ebx
		inc	ebx
		test	byte ptr [ebp+arg_0], bl
		jz	short loc_4DC316
		test	cl, 20h
		jz	short loc_4DC316
		push	0
		lea	edx, [ebp+var_68]
		mov	ecx, edi
		call	_SepDesktopAppModifyTokenBreakaway@12 ;	SepDesktopAppModifyTokenBreakaway(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_4DC4F2
		mov	ecx, [ebp+var_68]

loc_4DC316:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+106j
					; SepDesktopAppxSubProcessToken(x,x,x,x,x)+10Bj
		test	byte ptr [ebp+arg_0], 6
		jnz	short loc_4DC321
		test	cl, 20h
		jz	short loc_4DC359

loc_4DC321:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+12Aj
		test	byte ptr [ebp+arg_0], 2
		jz	short loc_4DC341
		test	cl, 20h
		jnz	short loc_4DC341
		push	ebx
		lea	edx, [ebp+var_68]
		mov	ecx, edi
		call	_SepDesktopAppModifyTokenBreakaway@12 ;	SepDesktopAppModifyTokenBreakaway(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_4DC4F2

loc_4DC341:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+135j
					; SepDesktopAppxSubProcessToken(x,x,x,x,x)+13Aj
		mov	ecx, edi
		call	_SepVerifyDesktopAppPolicyOverrideCaller@4 ; SepVerifyDesktopAppPolicyOverrideCaller(x)
		test	al, al
		jz	short loc_4DC356

loc_4DC34C:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+1D4j
		mov	eax, [ebp+var_70]

loc_4DC34F:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+272j
		mov	[eax], bl
		jmp	loc_4DC4F2
; 

loc_4DC356:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+15Aj
		mov	ecx, [ebp+var_68]

loc_4DC359:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+12Fj
		cmp	byte ptr [ebp+var_64], 3
		jnz	short loc_4DC3A5
		test	ecx, 22000h
		jnz	short loc_4DC3A5
		lea	eax, [ebp+var_80]
		mov	byte ptr [ebp+var_6C], bl
		push	eax
		push	4
		lea	eax, [ebp+var_84]
		push	eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	offset unk_6B1F80
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		test	eax, eax
		js	short loc_4DC3A5
		cmp	[ebp+var_7C], 4
		jnz	short loc_4DC3A5
		cmp	[ebp+var_80], 4
		jnz	short loc_4DC3A5
		cmp	[ebp+var_84], ebx
		setz	al
		dec	al
		and	al, bl
		mov	byte ptr [ebp+var_6C], al

loc_4DC3A5:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+16Dj
					; SepDesktopAppxSubProcessToken(x,x,x,x,x)+175j ...
		mov	ecx, [ebp+var_78]
		lea	eax, [ebp+var_5E+1]
		push	eax
		push	[ebp+var_6C]
		mov	edx, edi
		call	_SepVerifyDesktopAppxImage@16 ;	SepVerifyDesktopAppxImage(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_4DC4F2
		cmp	byte ptr [ebp+var_5E+1], 0
		jnz	short loc_4DC34C
		push	3
		pop	ecx
		push	2
		pop	eax
		mov	word ptr [ebp+var_3C], ax
		xor	esi, esi
		mov	word ptr [ebp+var_24], ax
		xor	eax, eax
		mov	word ptr [ebp+var_A0+2], ax
		lea	eax, [ebp-5Ch]
		mov	word ptr [ebp+var_54], cx
		mov	[ebp+var_4C], esi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_34], esi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_C], ecx
		mov	word ptr [ebp+var_A0], bx
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_98], eax
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	ebx
		push	dword ptr [edi+30h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp+var_78], esi
		lea	eax, [ebp+var_78]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [edi+1DCh]
		lea	eax, [ebp+var_A0]
		push	eax
		lea	edx, [ebp+var_14]
		call	AuthzBasepSetSecurityAttributesToken
		lea	ecx, [edi+34h]
		mov	esi, eax
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		and	[ebp+var_74], 0
		lea	eax, [ebp+var_74]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [edi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_88]
		jmp	loc_4DC34F
; 

loc_4DC467:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+E6j
		test	ecx, 10000h
		jz	short loc_4DC474
		mov	byte ptr [ebx],	1
		jmp	short loc_4DC4F2
; 

loc_4DC474:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+27Dj
		mov	ecx, large fs:124h
		lea	eax, [ebp+var_70]
		xor	ebx, ebx
		lea	edx, [ebp+var_8C]
		push	ebx
		push	eax
		lea	eax, [ebp+var_5E]
		push	eax
		call	PsReferenceEffectiveToken
		push	ebx
		mov	edi, eax
		lea	eax, [ebp+var_94]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	edi
		call	RtlQueryPackageClaims
		mov	esi, eax
		inc	ebx
		test	esi, esi
		jns	short loc_4DC4B7
		cmp	esi, 0C0000225h
		jnz	short loc_4DC4CB
		xor	esi, esi

loc_4DC4B7:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+2BBj
		test	[ebp+var_94], 10004h
		jz	short loc_4DC4CB
		mov	eax, [ebp+var_88]
		mov	[eax], bl

loc_4DC4CB:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+2C3j
					; SepDesktopAppxSubProcessToken(x,x,x,x,x)+2D1j
		test	edi, edi
		jz	short loc_4DC4F2
		cmp	[ebp+var_8C], ebx
		jnz	short loc_4DC4EB
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	edx, edi
		lea	ecx, [eax+12Ch]
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		jmp	short loc_4DC4F2
; 

loc_4DC4EB:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+2E5j
		mov	ecx, edi
		call	ObfDereferenceObject

loc_4DC4F2:				; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+D8j
					; SepDesktopAppxSubProcessToken(x,x,x,x,x)+FBj	...
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_SepDesktopAppxSubProcessToken@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AppModelPolicy_GetPolicy_Internal(x, x, x, x, x)
_AppModelPolicy_GetPolicy_Internal@20 proc near
					; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+49p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_4]
		push	esi
		push	edi
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ecx
		call	RtlQueryPackageClaims
		mov	ecx, eax
		cmp	ecx, 0C0000225h
		jnz	short loc_4DC538
		mov	[esi], ebx
		mov	ecx, ebx
		mov	[esi+4], ebx
		mov	[edi], ebx

loc_4DC538:				; CODE XREF: AppModelPolicy_GetPolicy_Internal(x,x,x,x,x)+27j
		mov	ebx, [ebp+arg_0]
		and	dword ptr [ebx], 0
		test	ecx, ecx
		js	short loc_4DC55B
		mov	eax, [esi+4]
		mov	edx, [esi]
		mov	[ebp+var_4], eax
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jnz	short loc_4DC564

loc_4DC554:				; CODE XREF: AppModelPolicy_GetPolicy_Internal(x,x,x,x,x)+6Dj
					; AppModelPolicy_GetPolicy_Internal(x,x,x,x,x)+83j
		mov	eax, 2E0000h

loc_4DC559:				; CODE XREF: AppModelPolicy_GetPolicy_Internal(x,x,x,x,x)+8Fj
					; AppModelPolicy_GetPolicy_Internal(x,x,x,x,x)+96j ...
		mov	[ebx], eax

loc_4DC55B:				; CODE XREF: AppModelPolicy_GetPolicy_Internal(x,x,x,x,x)+3Aj
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	0Ch
; 

loc_4DC564:				; CODE XREF: AppModelPolicy_GetPolicy_Internal(x,x,x,x,x)+4Cj
		and	edx, 8
		or	edx, 0
		jnz	short loc_4DC597
		mov	eax, [edi]
		test	eax, 10000h
		jnz	short loc_4DC554
		test	al, 4
		jnz	short loc_4DC59E
		test	eax, 400h
		jnz	short loc_4DC597
		test	eax, 800h
		jnz	short loc_4DC597
		test	al, 40h
		jnz	short loc_4DC554
		test	eax, 1000h
		mov	eax, 2E0000h
		jnz	short loc_4DC559

loc_4DC597:				; CODE XREF: AppModelPolicy_GetPolicy_Internal(x,x,x,x,x)+64j
					; AppModelPolicy_GetPolicy_Internal(x,x,x,x,x)+78j ...
		mov	eax, 2E0001h
		jmp	short loc_4DC559
; 

loc_4DC59E:				; CODE XREF: AppModelPolicy_GetPolicy_Internal(x,x,x,x,x)+71j
		mov	eax, 2E0002h
		jmp	short loc_4DC559
_AppModelPolicy_GetPolicy_Internal@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2294. RtlQueryPackageIdentity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlQueryPackageIdentity(x, x, x, x,	x, x)
		public _RtlQueryPackageIdentity@24
_RtlQueryPackageIdentity@24 proc near	; CODE XREF: PopEtGetProcessSidAndPackageIdentity(x,x,x)+8Ep
					; EtwpQueryTokenPackageInfo(x,x,x)+7Fp	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		push	ecx
		push	[ebp+arg_10]
		mov	ecx, [ebp+arg_0]
		xor	ebx, ebx
		push	[ebp+arg_C]
		mov	[ebp+var_8], ebx
		push	[ebp+arg_8]
		mov	[ebp+var_4], ebx
		call	_RtlQueryPackageIdentityEx@28 ;	RtlQueryPackageIdentityEx(x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_4DC5DD

loc_4DC5D8:				; CODE XREF: RtlQueryPackageIdentity(x,x,x,x,x,x)+38j
					; RtlQueryPackageIdentity(x,x,x,x,x,x)+46j
		pop	ebx
		leave
		retn	18h
; 

loc_4DC5DD:				; CODE XREF: RtlQueryPackageIdentity(x,x,x,x,x,x)+2Cj
		mov	edx, [ebp+arg_14]
		test	edx, edx
		jz	short loc_4DC5D8
		mov	ecx, [ebp+var_8]
		or	ecx, [ebp+var_4]
		jz	short loc_4DC5EE
		mov	bl, 1

loc_4DC5EE:				; CODE XREF: RtlQueryPackageIdentity(x,x,x,x,x,x)+40j
		mov	[edx], bl
		jmp	short loc_4DC5D8
_RtlQueryPackageIdentity@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlQueryPackageIdentityEx(x, x, x, x, x, x,	x)
_RtlQueryPackageIdentityEx@28 proc near	; CODE XREF: RtlQueryPackageIdentity(x,x,x,x,x,x)+25p
					; PspIdentityBasedJobBreakaway(x,x,x)+BEp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_10]
		xor	ebx, ebx
		push	edi
		push	ebx
		mov	eax, esi
		mov	[ebp+var_C], ebx
		neg	eax
		mov	[ebp+var_8], ebx
		lea	edi, [ebp+var_C]
		sbb	eax, eax
		and	eax, edi
		push	eax
		push	ebx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	RtlQueryPackageClaims
		test	eax, eax
		jns	short loc_4DC631

loc_4DC62A:				; CODE XREF: RtlQueryPackageIdentityEx(x,x,x,x,x,x,x)+41j
					; RtlQueryPackageIdentityEx(x,x,x,x,x,x,x)+4Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_4DC631:				; CODE XREF: RtlQueryPackageIdentityEx(x,x,x,x,x,x,x)+36j
		test	esi, esi
		jz	short loc_4DC62A
		mov	ecx, [ebp+var_C]
		mov	[esi], ecx
		mov	[esi+4], ebx
		jmp	short loc_4DC62A
_RtlQueryPackageIdentityEx@28 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2293. RtlQueryPackageClaims

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlQueryPackageClaims
RtlQueryPackageClaims proc near		; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+C7p
					; SepDesktopAppxSubProcessToken(x,x,x,x,x)+2B1p ...

var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F0		= dword	ptr -2F0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 005CAC47 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 318h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+318h+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[esp+318h+var_30C], 0
		mov	[esp+318h+var_304], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+318h+var_314], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+318h+var_310], eax
		mov	eax, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_1C]
		mov	[esp+31Ch+var_300], eax
		mov	eax, [ebp+arg_10]
		push	edi
		mov	edi, [ebp+arg_18]
		mov	[esp+320h+var_308], eax
		mov	eax, [ebp+arg_14]
		push	2F0h		; size_t
		mov	[esp+324h+var_2FC], eax
		lea	eax, [esp+324h+var_2F8]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [esp+32Ch+var_304]
		lea	eax, [esp+32Ch+var_2F8]
		and	[esp+32Ch+var_318], 0
		add	esp, 0Ch
		push	esi
		push	edi
		push	eax
		call	RtlpQueryPackageIdentityAttributes
		mov	esi, eax
		test	esi, esi
		jns	short loc_4DC6DC

loc_4DC6C6:				; CODE XREF: RtlQueryPackageClaims+DAj
					; RtlQueryPackageClaims+13Fj ...
		mov	ecx, [esp+320h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_4DC6DC:				; CODE XREF: RtlQueryPackageClaims+80j
		mov	ecx, [esp+320h+var_314]
		test	ecx, ecx
		jz	loc_4DC788
		mov	edi, [esp+320h+var_310]
		test	edi, edi
		jz	loc_5CAC47
		mov	eax, [esp+320h+var_2F0]
		push	dword ptr [eax+14h] ; char
		lea	eax, [esp+324h+var_304]
		push	offset ??_C@_17JJNMJOBL@?$AA?$CF?$AAw?$AAZ@FNODOBFM@ ; "%wZ"
		push	800h		; int
		push	eax		; int
		lea	eax, [esp+330h+var_318]
		push	eax		; int
		push	dword ptr [edi]	; size_t
		push	ecx		; int
		call	RtlStringCbPrintfExW
		mov	esi, eax
		add	esp, 1Ch
		test	esi, esi
		js	short loc_4DC6C6
		mov	eax, [esp+320h+var_318]
		sub	eax, [esp+320h+var_314]
		add	eax, 2
		mov	[edi], eax

loc_4DC72D:				; CODE XREF: RtlQueryPackageClaims+149j
		mov	edi, [esp+320h+var_300]
		test	edi, edi
		jz	short loc_4DC775
		mov	eax, [esp+320h+var_2F0]
		mov	eax, [eax+14h]
		add	eax, 8
		push	eax		; char
		push	offset ??_C@_17JJNMJOBL@?$AA?$CF?$AAw?$AAZ@FNODOBFM@ ; "%wZ"
		push	800h		; int
		push	0		; int
		lea	eax, [esp+330h+var_30C]
		push	eax		; int
		mov	eax, [esp+334h+var_308]
		push	dword ptr [eax]	; size_t
		push	edi		; int
		call	RtlStringCbPrintfExW
		mov	esi, eax
		add	esp, 1Ch
		test	esi, esi
		js	short loc_4DC781
		mov	eax, [esp+320h+var_30C]
		mov	ecx, [esp+320h+var_308]
		sub	eax, edi
		add	eax, 2
		mov	[ecx], eax

loc_4DC775:				; CODE XREF: RtlQueryPackageClaims+EFj
		mov	ecx, [esp+320h+var_2FC]
		test	ecx, ecx
		jnz	loc_5CAC51

loc_4DC781:				; CODE XREF: RtlQueryPackageClaims+120j
					; RtlQueryPackageClaims+EE61Dj	...
		mov	eax, esi
		jmp	loc_4DC6C6
; 

loc_4DC788:				; CODE XREF: RtlQueryPackageClaims+9Ej
		cmp	[esp+320h+var_310], 0
		jz	short loc_4DC72D
		jmp	loc_5CAC47
RtlQueryPackageClaims endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpQueryPackageIdentityAttributes proc	near ; CODE XREF: RtlQueryPackageClaims+77p
					; EtwpQueryPsmKey(x,x,x)+2Ep

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CAC79 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	eax, ecx
		mov	[ebp+var_4], eax
		push	edi
		test	esi, esi
		jnz	loc_4DC849

loc_4DC7AE:				; CODE XREF: RtlpQueryPackageIdentityAttributes+BCj
		mov	edi, [ebp+arg_4]
		xor	ebx, ebx
		inc	ebx
		mov	byte ptr [ebp+arg_8+3],	1
		test	edi, edi
		jz	loc_5CAC79

loc_4DC7C0:				; CODE XREF: RtlpQueryPackageIdentityAttributes+EE4EDj
		push	2
		pop	ebx

loc_4DC7C3:				; CODE XREF: RtlpQueryPackageIdentityAttributes+EE4E7j
		lea	ecx, [ebp+arg_4]
		push	ecx		; int
		push	2F0h		; size_t
		push	[ebp+arg_0]	; int
		push	ebx		; int
		push	offset dword_4014F0 ; int
		push	eax		; int
		call	_SeQuerySecurityAttributesToken@24 ; SeQuerySecurityAttributesToken(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_4DC816
		cmp	eax, 0C0000225h
		jnz	short loc_4DC80F
		cmp	ebx, 1
		jz	short loc_4DC80F
		mov	ebx, [ebp+var_4]
		lea	eax, [ebp+arg_4]
		push	eax		; int
		push	2F0h		; size_t
		push	[ebp+arg_0]	; int
		push	1		; int
		push	offset dword_4014F0 ; int
		push	ebx		; int
		call	_SeQuerySecurityAttributesToken@24 ; SeQuerySecurityAttributesToken(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_5CAC86

loc_4DC80F:				; CODE XREF: RtlpQueryPackageIdentityAttributes+50j
					; RtlpQueryPackageIdentityAttributes+55j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4DC816:				; CODE XREF: RtlpQueryPackageIdentityAttributes+49j
		mov	ebx, [ebp+var_4]
		mov	dl, byte ptr [ebp+arg_8+3]

loc_4DC81C:				; CODE XREF: RtlpQueryPackageIdentityAttributes+EE4F4j
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+4], 0
		jz	short loc_4DC855
		test	edi, edi
		jz	short loc_4DC841
		test	dl, dl
		jz	loc_5CAC8D
		mov	eax, [eax+8]
		mov	ecx, [eax+2Ch]
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		mov	[edi+4], eax

loc_4DC841:				; CODE XREF: RtlpQueryPackageIdentityAttributes+93j
					; RtlpQueryPackageIdentityAttributes+EE500j
		test	esi, esi
		jnz	short loc_4DC85C

loc_4DC845:				; CODE XREF: RtlpQueryPackageIdentityAttributes+113j
					; RtlpQueryPackageIdentityAttributes+EE51Cj
		xor	eax, eax
		jmp	short loc_4DC80F
; 

loc_4DC849:				; CODE XREF: RtlpQueryPackageIdentityAttributes+14j
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		jmp	loc_4DC7AE
; 

loc_4DC855:				; CODE XREF: RtlpQueryPackageIdentityAttributes+8Fj
		mov	eax, 0C0000225h
		jmp	short loc_4DC80F
; 

loc_4DC85C:				; CODE XREF: RtlpQueryPackageIdentityAttributes+AFj
		movzx	eax, dl
		cdq
		shld	edx, eax, 1
		or	[esi+4], edx
		add	eax, eax
		or	eax, 1
		or	[esi], eax
		lea	eax, [ebp+arg_4]
		push	eax		; int
		push	0		; size_t
		push	0		; int
		push	1		; int
		push	offset dword_401058 ; int
		push	ebx		; int
		call	_SeQuerySecurityAttributesToken@24 ; SeQuerySecurityAttributesToken(x,x,x,x,x,x)
		mov	edi, 0C0000023h
		cmp	eax, edi
		jz	loc_5CAC99

loc_4DC890:				; CODE XREF: RtlpQueryPackageIdentityAttributes+EE50Ej
		lea	eax, [ebp+arg_4]
		push	eax		; int
		push	0		; size_t
		push	0		; int
		push	1		; int
		push	offset dword_401050 ; int
		push	ebx		; int
		call	_SeQuerySecurityAttributesToken@24 ; SeQuerySecurityAttributesToken(x,x,x,x,x,x)
		cmp	eax, edi
		jnz	short loc_4DC845
		jmp	loc_5CACA7
RtlpQueryPackageIdentityAttributes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl RtlStringCbPrintfExW(int,size_t,int,int,int,wchar_t *,char)
RtlStringCbPrintfExW proc near		; CODE XREF: RtlQueryPackageClaims+CEp
					; RtlQueryPackageClaims+114p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h

; FUNCTION CHUNK AT 005CACB5 SIZE 000000AC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	[ebp+arg_10]
		mov	edi, [ebp+arg_4]
		shr	edi, 1
		push	ecx
		mov	edx, edi
		mov	ecx, ebx
		call	RtlStringExValidateDestA
		mov	esi, eax
		test	esi, esi
		js	loc_5CAD4F
		test	[ebp+arg_10], 100h
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], edi
		jnz	loc_5CACB5

loc_4DC8ED:				; CODE XREF: RtlStringCbPrintfExW+EE409j
					; RtlStringCbPrintfExW+EE417j
		xor	esi, esi
		test	[ebp+arg_10], 0FFFFE000h
		jnz	loc_5CACCA
		test	edi, edi
		jz	loc_5CAD19
		lea	ecx, [ebp+arg_18]
		mov	[ebp+var_8], esi
		push	ecx		; va_list
		push	eax		; wchar_t *
		lea	eax, [ebp+var_8]
		mov	ecx, ebx	; wchar_t *
		push	eax		; int
		call	sub_4DC96A
		mov	esi, eax
		mov	eax, [ebp+var_8]
		sub	edi, eax
		mov	[ebp+var_4], edi
		lea	ecx, [ebx+eax*2]
		mov	[ebp+var_8], ecx
		test	esi, esi
		js	loc_5CACD8
		test	[ebp+arg_10], 200h
		jnz	loc_5CAD39

loc_4DC93C:				; CODE XREF: RtlStringCbPrintfExW+EE486j
					; RtlStringCbPrintfExW+EE49Cj
		test	esi, esi
		js	loc_5CACD8

loc_4DC944:				; CODE XREF: RtlStringCbPrintfExW+EE454j
					; RtlStringCbPrintfExW+EE466j ...
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_4DC950
		mov	eax, [ebp+var_8]
		mov	[ecx], eax

loc_4DC950:				; CODE XREF: RtlStringCbPrintfExW+9Bj
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_4DC962
		mov	eax, [ebp+arg_4]
		and	eax, 1
		lea	eax, [eax+edi*2]
		mov	[ecx], eax

loc_4DC962:				; CODE XREF: RtlStringCbPrintfExW+A7j
					; RtlStringCbPrintfExW+EE460j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
RtlStringCbPrintfExW endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall sub_4DC96A(wchar_t *,int,int,wchar_t *,va_list)
sub_4DC96A	proc near		; CODE XREF: RtlStringCbPrintfExW+64p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_8]	; va_list
		lea	esi, [edx-1]
		mov	edi, ecx
		push	[ebp+arg_4]	; wchar_t *
		xor	ebx, ebx
		push	esi		; size_t
		push	edi		; wchar_t *
		call	__vsnwprintf
		add	esp, 10h
		test	eax, eax
		js	short loc_4DC9AF
		cmp	eax, esi
		jz	short loc_4DC9A7
		ja	short loc_4DC9AF
		mov	esi, eax

loc_4DC995:				; CODE XREF: sub_4DC96A+43j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_4DC99E
		mov	[ecx], esi

loc_4DC99E:				; CODE XREF: sub_4DC96A+30j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_4DC9A7:				; CODE XREF: sub_4DC96A+25j
					; sub_4DC96A+4Aj
		xor	eax, eax
		mov	[edi+esi*2], ax
		jmp	short loc_4DC995
; 

loc_4DC9AF:				; CODE XREF: sub_4DC96A+21j
					; sub_4DC96A+27j
		mov	ebx, 80000005h
		jmp	short loc_4DC9A7
sub_4DC96A	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringExValidateDestA proc near	; CODE XREF: RtlStringCbPrintfExW+1Ap
					; RtlStringCbCopyExA(x,x,x,x,x,x)+1Ep ...

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CAD61 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		test	[ebp+arg_4], 100h
		jnz	loc_5CAD61
		test	edx, edx
		jz	short loc_4DC9DA

loc_4DC9CE:				; CODE XREF: RtlStringExValidateDestA+EE3ADj
					; RtlStringExValidateDestA+EE3BBj
		cmp	edx, 7FFFFFFFh
		ja	short loc_4DC9DA

loc_4DC9D6:				; CODE XREF: RtlStringExValidateDestA+29j
		pop	ebp
		retn	8
; 

loc_4DC9DA:				; CODE XREF: RtlStringExValidateDestA+16j
					; RtlStringExValidateDestA+1Ej	...
		mov	eax, 0C000000Dh
		jmp	short loc_4DC9D6
RtlStringExValidateDestA endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PsGetServerSiloGlobals(x)
_PsGetServerSiloGlobals@4 proc near	; CODE XREF: SepRmDispatchDataToLsa+4Bp
					; ExpCenturyDpcRoutine(x,x,x,x)+9p ...
		mov	eax, offset _PspHostSiloGlobals
		test	ecx, ecx
		jnz	short loc_4DC9EC
		retn
; 

loc_4DC9EC:				; CODE XREF: PsGetServerSiloGlobals(x)+7j
		mov	eax, [ecx+2F8h]
		retn
_PsGetServerSiloGlobals@4 endp

; 
		align 8
; Exported entry 1812. PsGetProcessSessionId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessSessionId(x)
		public _PsGetProcessSessionId@4
_PsGetProcessSessionId@4 proc near	; CODE XREF: EtwQueryProcessTelemetryInfo+1F5p
					; EtwGetProcessAppSessionGuid(x,x)+11p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		lea	ecx, [eax+1]
		neg	ecx
		sbb	ecx, ecx
		and	eax, ecx
		pop	ebp
		retn	4
_PsGetProcessSessionId@4 endp

; 
		align 8
; Exported entry 2118. RtlGetDaclSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetDaclSecurityDescriptor(x, x, x, x)
		public _RtlGetDaclSecurityDescriptor@16
_RtlGetDaclSecurityDescriptor@16 proc near
					; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+316p
					; ExpWnfSpecializeSecurityDescriptor(x)+20p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	byte ptr [esi],	1
		jnz	short loc_4DCA76
		mov	ax, [esi+2]
		and	ax, 4
		movzx	edx, ax
		mov	eax, [ebp+arg_4]
		test	dx, dx
		setnz	cl
		mov	[eax], cl
		test	dx, dx
		jz	short loc_4DCA6F
		movzx	eax, word ptr [esi+2]
		mov	ecx, eax
		test	al, 4
		jz	short loc_4DCA7D
		test	cx, cx
		mov	ecx, [esi+10h]
		jns	short loc_4DCA5C
		lea	eax, [ecx+esi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_4DCA5C:				; CODE XREF: RtlGetDaclSecurityDescriptor(x,x,x,x)+39j
					; RtlGetDaclSecurityDescriptor(x,x,x,x)+67j
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		mov	cl, [esi+2]
		mov	eax, [ebp+arg_C]
		shr	cl, 3
		and	cl, 1
		mov	[eax], cl

loc_4DCA6F:				; CODE XREF: RtlGetDaclSecurityDescriptor(x,x,x,x)+27j
		xor	eax, eax

loc_4DCA71:				; CODE XREF: RtlGetDaclSecurityDescriptor(x,x,x,x)+63j
		pop	esi
		pop	ebp
		retn	10h
; 

loc_4DCA76:				; CODE XREF: RtlGetDaclSecurityDescriptor(x,x,x,x)+Cj
		mov	eax, 0C0000058h
		jmp	short loc_4DCA71
; 

loc_4DCA7D:				; CODE XREF: RtlGetDaclSecurityDescriptor(x,x,x,x)+31j
		xor	ecx, ecx
		jmp	short loc_4DCA5C
_RtlGetDaclSecurityDescriptor@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 673. FsRtlUninitializeBaseMcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlUninitializeBaseMcb(x)
		public _FsRtlUninitializeBaseMcb@4
_FsRtlUninitializeBaseMcb@4 proc near	; CODE XREF: FsRtlUninitializeLargeMcb(x)+20p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax], 0Fh
		jnz	short loc_4DCAB6
		cmp	word ptr [eax+8], 1
		mov	edx, [eax+0Ch]
		jnz	short loc_4DCAAA
		push	edx
		push	offset _FsRtlFirstPagedMappingLookasideList
		call	_ExFreeToPagedLookasideList@8 ;	ExFreeToPagedLookasideList(x,x)
		jmp	short loc_4DCAC0
; 

loc_4DCAAA:				; CODE XREF: FsRtlUninitializeBaseMcb(x)+15j
		mov	ecx, offset _FsRtlFirstNonPagedMappingLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_4DCAC0
; 

loc_4DCAB6:				; CODE XREF: FsRtlUninitializeBaseMcb(x)+Bj
		push	0
		push	dword ptr [eax+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4DCAC0:				; CODE XREF: FsRtlUninitializeBaseMcb(x)+22j
					; FsRtlUninitializeBaseMcb(x)+2Ej
		pop	ebp
		retn	4
_FsRtlUninitializeBaseMcb@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 363. ExFreeToPagedLookasideList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExFreeToPagedLookasideList(x, x)
		public _ExFreeToPagedLookasideList@8
_ExFreeToPagedLookasideList@8 proc near	; CODE XREF: FsRtlUninitializeBaseMcb(x)+1Dp
					; FsRtlAddEntry(x,x,x)+98p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	short loc_4DCAEB
		mov	edx, [ebp+arg_4]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_4DCAE7:				; CODE XREF: ExFreeToPagedLookasideList(x,x)+2Aj
		pop	ebp
		retn	8
; 

loc_4DCAEB:				; CODE XREF: ExFreeToPagedLookasideList(x,x)+13j
		push	[ebp+arg_4]
		inc	dword ptr [ecx+18h]
		call	dword ptr [ecx+2Ch]
		jmp	short loc_4DCAE7
_ExFreeToPagedLookasideList@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopDeleteFileObjectExtension proc near	; CODE XREF: PAGE:0081CB7Cp
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1335p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005CAD76 SIZE 00000113 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+7Ch]
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], ebx
		cmp	ebx, _IopRevocationExtension
		jz	short loc_4DCB42
		xor	esi, esi

loc_4DCB20:				; CODE XREF: IopDeleteFileObjectExtension+2Fj
		mov	edi, [ebx+esi*4+4]
		mov	[ebp+var_1C], edi
		test	edi, edi
		jnz	short loc_4DCB49

loc_4DCB2B:				; CODE XREF: IopDeleteFileObjectExtension+79j
					; IopDeleteFileObjectExtension+AAj ...
		inc	esi
		cmp	esi, 9
		jl	short loc_4DCB20
		test	byte ptr [ebx],	2
		jnz	loc_5CAE74

loc_4DCB3A:				; CODE XREF: IopDeleteFileObjectExtension+EE384j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4DCB42:				; CODE XREF: IopDeleteFileObjectExtension+1Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4DCB49:				; CODE XREF: IopDeleteFileObjectExtension+29j
		cmp	esi, 4
		jz	loc_5CAD76
		test	esi, esi
		jz	loc_5CAD9D
		cmp	esi, 5
		jz	loc_4DCC06
		cmp	esi, 1
		jz	short loc_4DCB7B
		cmp	esi, 6
		jnz	short loc_4DCBC7
		mov	edx, edi
		mov	ecx, offset _IopOplockFoExtLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_4DCB2B
; 

loc_4DCB7B:				; CODE XREF: IopDeleteFileObjectExtension+66j
		mov	eax, [edi+8]
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_4DCBAF

loc_4DCB85:				; CODE XREF: IopDeleteFileObjectExtension+C5j
		mov	eax, [edi+0Ch]
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	loc_5CADB8

loc_4DCB93:				; CODE XREF: IopDeleteFileObjectExtension+EE338j
		mov	ecx, [edi+4]
		test	ecx, ecx
		jnz	loc_5CAE3D

loc_4DCB9E:				; CODE XREF: IopDeleteFileObjectExtension+E9j
					; IopDeleteFileObjectExtension+EEj ...
		mov	eax, [ebx+esi*4+4]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4DCB2B
; 

loc_4DCBAF:				; CODE XREF: IopDeleteFileObjectExtension+83j
		mov	ebx, [ebp+var_8]

loc_4DCBB2:				; CODE XREF: IopDeleteFileObjectExtension+C0j
		mov	eax, ebx
		mov	ebx, [ebx]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jnz	short loc_4DCBB2
		mov	ebx, [ebp+var_C]
		jmp	short loc_4DCB85
; 

loc_4DCBC7:				; CODE XREF: IopDeleteFileObjectExtension+6Bj
		cmp	esi, 2
		jz	loc_5CAE47
		cmp	esi, 7
		jnz	short loc_4DCBEB
		mov	eax, [edi+4]
		test	al, 1
		jnz	short loc_4DCBF5

loc_4DCBDC:				; CODE XREF: IopDeleteFileObjectExtension+104j
		mov	ecx, [edi+8]
		mov	edx, 70536F49h

loc_4DCBE4:				; CODE XREF: IopDeleteFileObjectExtension+EE36Fj
		call	ObfDereferenceObjectWithTag
		jmp	short loc_4DCB9E
; 

loc_4DCBEB:				; CODE XREF: IopDeleteFileObjectExtension+D3j
		cmp	esi, 8
		jnz	short loc_4DCB9E
		jmp	loc_5CAE68
; 

loc_4DCBF5:				; CODE XREF: IopDeleteFileObjectExtension+DAj
		and	eax, 0FFFFFFFEh
		mov	[edi+4], eax
		mov	eax, [edi+8]
		push	eax
		call	_PsReleaseSiloHardReference@4 ;	PsReleaseSiloHardReference(x)
		jmp	short loc_4DCBDC
; 

loc_4DCC06:				; CODE XREF: IopDeleteFileObjectExtension+5Dj
		push	edi
		call	_FsRtlFreeExtraCreateParameter@4 ; FsRtlFreeExtraCreateParameter(x)
		jmp	loc_4DCB2B
IopDeleteFileObjectExtension endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ExFreeToNPagedLookasideList(x, x)
_ExFreeToNPagedLookasideList@8 proc near ; CODE	XREF: CcDeleteMbcb+130p
					; .text:004A840Fp ...
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		inc	dword ptr [ecx+18h]
		push	edx
		call	dword ptr [ecx+2Ch]
		retn
_ExFreeToNPagedLookasideList@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KeCleanupThreadState(x)
_KeCleanupThreadState@4	proc near	; CODE XREF: PspThreadDelete+Ep
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	KiAbCleanupThreadState
		cmp	word ptr [esi+220h], 0
		pop	esi
		jnz	KeFlushQueuedDpcs
		retn
_KeCleanupThreadState@4	endp


;  S U B	R O U T	I N E 


KiAbCleanupThreadState proc near	; CODE XREF: KeCleanupThreadState(x)+5p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CAE89 SIZE 00000045 BYTES

		mov	edx, ecx
		push	edi
		test	byte ptr [edx+58h], 1
		jz	short loc_4DCC79
		push	ebx
		push	esi
		xor	esi, esi
		mov	edi, esi

loc_4DCC55:				; CODE XREF: KiAbCleanupThreadState+2Fj
		mov	ebx, [edx+1E8h]
		add	ebx, edi
		mov	ecx, ebx
		call	_KiAbEntryVerifyFree@8 ; KiAbEntryVerifyFree(x,x)
		test	eax, eax
		jnz	loc_5CAE89
		add	edi, 30h
		cmp	edi, 120h
		jb	short loc_4DCC55
		pop	esi
		pop	ebx

loc_4DCC79:				; CODE XREF: KiAbCleanupThreadState+7j
		pop	edi
		retn
KiAbCleanupThreadState endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiAbEntryVerifyFree(x, x)
_KiAbEntryVerifyFree@8 proc near	; CODE XREF: KiAbCleanupThreadState+19p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+10h]
		test	eax, eax
		jnz	short loc_4DCCB1
		cmp	dword ptr [esi+0Ch], 100h
		jnb	short loc_4DCCB6
		movzx	ecx, byte ptr [esi+0Ch]
		mov	eax, esi
		shl	ecx, 3
		sub	eax, ecx
		cmp	edx, eax
		jnz	short loc_4DCCBA
		mov	eax, [esi+2Ch]
		and	eax, 1FFFFh
		neg	eax
		sbb	eax, eax
		and	eax, 4
		pop	esi
		retn
; 

loc_4DCCB1:				; CODE XREF: KiAbEntryVerifyFree(x,x)+Aj
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_4DCCB6:				; CODE XREF: KiAbEntryVerifyFree(x,x)+13j
		push	2
		jmp	short loc_4DCCBC
; 

loc_4DCCBA:				; CODE XREF: KiAbEntryVerifyFree(x,x)+22j
		push	3

loc_4DCCBC:				; CODE XREF: KiAbEntryVerifyFree(x,x)+3Cj
		pop	eax
		pop	esi
		retn
_KiAbEntryVerifyFree@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeFoldProcessStatisticsThread(x)
_KeFoldProcessStatisticsThread@4 proc near ; CODE XREF:	PspThreadDelete+11Cp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, ecx
		push	esi
		push	edi
		mov	esi, [edx+150h]
		mov	eax, [edx+194h]
		add	[esi+9Ch], eax
		mov	eax, [edx+1C0h]
		add	[esi+0A0h], eax
		mov	eax, [edx+170h]
		add	[esi+0A4h], eax
		mov	eax, [edx+30h]
		mov	ecx, [edx+34h]
		add	[esi+88h], eax
		adc	[esi+8Ch], ecx
		mov	eax, [edx+250h]
		add	[esi+0B0h], eax
		mov	eax, [edx+254h]
		adc	[esi+0B4h], eax
		mov	eax, [edx+258h]
		add	[esi+0B8h], eax
		mov	eax, [edx+25Ch]
		adc	[esi+0BCh], eax
		mov	eax, [edx+8Ch]
		add	[esi+90h], eax
		adc	dword ptr [esi+94h], 0
		mov	edi, [edx+388h]
		test	edi, edi
		jz	short loc_4DCDBF
		mov	esi, [esi+3E0h]
		lea	edx, [edi+0C0h]
		push	ebx
		lea	ecx, [esi+110h]
		call	_RtlTimelineBitmapMerge@8 ; RtlTimelineBitmapMerge(x,x)
		mov	ebx, edi
		lea	edx, [edi+80h]
		push	4
		pop	edi
		sub	ebx, esi
		mov	[ebp+var_4], edi

loc_4DCD7B:				; CODE XREF: KeFoldProcessStatisticsThread(x)+FCj
		push	2
		pop	edi

loc_4DCD7E:				; CODE XREF: KeFoldProcessStatisticsThread(x)+F6j
		mov	eax, [ebx+esi]
		mov	ecx, [ebx+esi+4]
		add	[esi], eax
		adc	[esi+4], ecx
		mov	eax, [edx-40h]
		mov	ecx, [edx-3Ch]
		add	[esi+90h], eax
		adc	[esi+94h], ecx
		mov	eax, [edx]
		mov	ecx, [edx+4]
		add	[esi+0D0h], eax
		adc	[esi+0D4h], ecx
		add	esi, 8
		add	edx, 8
		sub	edi, 1
		jnz	short loc_4DCD7E
		sub	[ebp+var_4], 1
		jnz	short loc_4DCD7B
		pop	ebx

loc_4DCDBF:				; CODE XREF: KeFoldProcessStatisticsThread(x)+91j
		pop	edi
		pop	esi
		leave
		retn
_KeFoldProcessStatisticsThread@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RtlTimelineBitmapMerge(x, x)
_RtlTimelineBitmapMerge@8 proc near	; CODE XREF: KeFoldProcessStatisticsThread(x)+A6p
		mov	eax, [edx]
		push	esi
		mov	esi, ecx
		mov	ecx, [esi]
		cmp	eax, ecx
		ja	short loc_4DCDE0
		sub	ecx, eax
		cmp	ecx, 20h
		jnb	short loc_4DCDDE
		mov	eax, [edx+4]
		shl	eax, cl
		or	[esi+4], eax

loc_4DCDDE:				; CODE XREF: RtlTimelineBitmapMerge(x,x)+10j
		pop	esi
		retn
; 

loc_4DCDE0:				; CODE XREF: RtlTimelineBitmapMerge(x,x)+9j
		push	edi
		mov	edi, eax
		mov	[esi], eax
		sub	edi, ecx
		cmp	edi, 20h
		jb	short loc_4DCDFC
		xor	ecx, ecx
		mov	[esi+4], ecx

loc_4DCDF1:				; CODE XREF: RtlTimelineBitmapMerge(x,x)+40j
		mov	eax, [edx+4]
		or	eax, ecx
		pop	edi
		mov	[esi+4], eax
		pop	esi
		retn
; 

loc_4DCDFC:				; CODE XREF: RtlTimelineBitmapMerge(x,x)+26j
		mov	ecx, edi
		shl	dword ptr [esi+4], cl
		mov	ecx, [esi+4]
		jmp	short loc_4DCDF1
_RtlTimelineBitmapMerge@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopProcessWorkItem proc	near		; DATA XREF: IoAllocateWorkItem(x)+2Ao
					; IoInitializeWorkItem+27o ...

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CAECE SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		and	[esp+28h+var_1C], 0
		push	esi
		push	edi
		mov	esi, [ebx+10h]
		lea	edi, [esp+30h+var_14]
		stosd
		push	10h		; size_t
		mov	[esp+34h+var_18], esi
		stosd
		stosd
		stosd
		mov	eax, [ebx+14h]
		lea	edi, [ebx+24h]
		push	edi		; void *
		push	offset _GUID_NULL ; void *
		mov	[esp+3Ch+var_20], eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_5CAEA9

loc_4DCE5A:				; CODE XREF: KiAbCleanupThreadState+EE283j
		mov	ecx, [ebx+1Ch]
		test	ecx, ecx
		jnz	short loc_4DCED1
		xor	edi, edi

loc_4DCE63:				; CODE XREF: IopProcessWorkItem+D7j
		test	ds:dword_70EFC8, 8000000h
		jnz	loc_5CAECE

loc_4DCE73:				; CODE XREF: IopProcessWorkItem+EE0D4j
		cmp	dword ptr [ebx+20h], 0
		jz	short loc_4DCEED
		push	ebx
		push	dword ptr [ebx+18h]
		mov	ebx, [esp+38h+var_20]
		push	ebx
		call	esi

loc_4DCE84:				; CODE XREF: IopProcessWorkItem+F8j
		test	ds:dword_70EFC8, 8000000h
		jnz	loc_5CAEDF

loc_4DCE94:				; CODE XREF: IopProcessWorkItem+EE0E5j
		mov	ecx, ebx
		call	ObfDereferenceObject
		cmp	[esp+3Ch+var_28], 0
		jnz	loc_5CAEF0

loc_4DCEA6:				; CODE XREF: IopProcessWorkItem+EE0F7j
		test	edi, edi
		jnz	short loc_4DCEDF

loc_4DCEAA:				; CODE XREF: IopProcessWorkItem+E5j
		mov	eax, large fs:124h
		cmp	dword ptr [eax+13Ch], 0
		jnz	loc_5CAF02
		mov	ecx, [esp+3Ch+var_10]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4DCED1:				; CODE XREF: IopProcessWorkItem+59j
		call	PsImpersonateContainerOfThread
		mov	edi, [ebx+1Ch]
		and	dword ptr [ebx+1Ch], 0
		jmp	short loc_4DCE63
; 

loc_4DCEDF:				; CODE XREF: IopProcessWorkItem+A2j
		call	_NtRevertContainerImpersonation@0 ; NtRevertContainerImpersonation()
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	short loc_4DCEAA
; 

loc_4DCEED:				; CODE XREF: IopProcessWorkItem+71j
		mov	eax, [ebx+18h]
		mov	ebx, [esp+30h+var_20]
		push	eax
		cmp	word ptr [ebx],	3
		jnz	short loc_4DCF00
		push	ebx

loc_4DCEFC:				; CODE XREF: IopProcessWorkItem+FCj
		call	esi
		jmp	short loc_4DCE84
; 

loc_4DCF00:				; CODE XREF: IopProcessWorkItem+F3j
		push	0
		jmp	short loc_4DCEFC
IopProcessWorkItem endp


;  S U B	R O U T	I N E 


; __stdcall ObpFilterOperation(x)
_ObpFilterOperation@4 proc near		; CODE XREF: ObCompleteObjectDuplication+9Bp
					; ObDuplicateObject+22Ep
		test	byte ptr [ecx+2Ah], 40h
		jnz	short loc_4DCF0D

loc_4DCF0A:				; CODE XREF: ObpFilterOperation(x)+11j
		xor	al, al
		retn
; 

loc_4DCF0D:				; CODE XREF: ObpFilterOperation(x)+4j
		lea	eax, [ecx+88h]
		cmp	[eax], eax
		jz	short loc_4DCF0A
		mov	al, 1
		retn
_ObpFilterOperation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpTraceThreadRundown proc near	; CODE XREF: EtwpThreadRundownApc(x,x,x,x,x)+17p
					; EtwpTraceThreadRundownWithStack(x,x)+D0p ...

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_81		= byte ptr -81h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= byte ptr -58h
var_57		= byte ptr -57h
var_56		= byte ptr -56h
var_55		= byte ptr -55h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h

		push	88h
		push	offset dword_6A2540
		call	__SEH_prolog4_GS
		mov	esi, ecx
		mov	[ebp+var_90], esi
		mov	[ebp+var_8C], 2
		xor	ebx, ebx
		mov	[ebp+var_54], ebx
		mov	eax, [edx+10h]
		mov	[ebp+var_98], eax
		mov	al, [edx+25h]
		mov	[ebp+var_81], al
		mov	eax, [edx+14h]
		mov	[ebp+var_88], eax
		xor	eax, eax
		cmp	[edx+24h], al
		setz	al
		add	eax, 503h
		movzx	eax, ax
		mov	[ebp+var_94], eax
		mov	eax, large fs:124h
		cmp	esi, eax
		jz	short loc_4DCF85
		and	[ebp+var_88], 0FFFFE7FFh

loc_4DCF85:				; CODE XREF: EtwpTraceThreadRundown+5Fj
		mov	eax, [esi+2ACh]
		mov	[ebp+var_80], eax
		mov	eax, [esi+2B0h]
		mov	[ebp+var_7C], eax
		mov	eax, [esi+28h]
		mov	[ebp+var_78], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_74], eax
		mov	eax, [esi+164h]
		mov	[ebp+var_68], eax
		mov	eax, [esi+2DCh]
		mov	[ebp+var_64], eax
		mov	edi, [esi+0A8h]
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], ebx
		mov	al, [esi+15Bh]
		mov	[ebp+var_58], al
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)
		mov	[ebp+var_57], al
		mov	ecx, esi
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		mov	[ebp+var_56], al
		mov	[ebp+var_55], bl
		mov	al, [esi+304h]
		test	al, 8
		jnz	loc_4DD089

loc_4DCFF3:				; CODE XREF: EtwpTraceThreadRundown+177j
					; EtwpTraceThreadRundown+181j
		test	edi, edi
		jz	short loc_4DD01E
		cmp	[ebp+var_81], bl
		jz	short loc_4DD01E
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [edi+0F60h]
		mov	[ebp+var_5C], eax
		mov	eax, [edi+4]
		mov	[ebp+var_70], eax
		mov	eax, [edi+8]
		mov	[ebp+var_6C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_4DD01E:				; CODE XREF: EtwpTraceThreadRundown+DBj
					; EtwpTraceThreadRundown+E3j ...
		lea	eax, [ebp+var_80]
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], 2Ch
		mov	[ebp+var_44], ebx
		mov	eax, [esi+394h]
		test	eax, eax
		jnz	short loc_4DD0A0

loc_4DD03B:				; CODE XREF: EtwpTraceThreadRundown+18Bj
		mov	[ebp+var_40], offset _EtwpNull
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], 2
		mov	[ebp+var_34], ebx

loc_4DD04F:				; CODE XREF: EtwpTraceThreadRundown+1B3j
					; EtwpTraceThreadRundown+1D3j
		push	ecx
		push	[ebp+var_88]
		push	[ebp+var_94]
		push	[ebp+var_8C]
		mov	ecx, [ebp+var_98]
		push	dword ptr [ecx]
		push	esi
		lea	edx, [ebp+var_50]
		mov	ecx, [ecx+2E4h]
		call	EtwpLogSystemEventUnsafe
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4DD089:				; CODE XREF: EtwpTraceThreadRundown+D3j
		lea	eax, [esi+294h]
		cmp	[eax], eax
		jz	loc_4DCFF3
		mov	[ebp+var_55], 1
		jmp	loc_4DCFF3
; 

loc_4DD0A0:				; CODE XREF: EtwpTraceThreadRundown+11Fj
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_4DD03B
		movzx	edx, word ptr [eax]
		mov	eax, 800h
		cmp	dx, ax
		jnb	short loc_4DD0B6
		mov	eax, edx

loc_4DD0B6:				; CODE XREF: EtwpTraceThreadRundown+198j
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], ebx
		test	eax, eax
		jz	short loc_4DD0CF
		shr	eax, 1
		cmp	[ecx+eax*2-2], bx
		jz	short loc_4DD04F

loc_4DD0CF:				; CODE XREF: EtwpTraceThreadRundown+1AAj
		mov	[ebp+var_30], offset _EtwpNull
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], 2
		mov	[ebp+var_24], ebx
		mov	[ebp+var_8C], 3
		jmp	loc_4DD04F
EtwpTraceThreadRundown endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpLogSystemEventUnsafe proc near	; CODE XREF: EtwpTraceThreadRundown+15Ap
					; .text:005ADDB2p ...

var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= dword	ptr -1Dh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005CAF6D SIZE 0000011E BYTES

		push	48h
		push	offset dword_6A2560
		call	__SEH_prolog4
		mov	[ebp+var_28], edx
		mov	[ebp+var_40], ecx
		xor	eax, eax
		lea	edi, [ebp+var_58]
		stosd
		stosd
		stosd
		xor	ebx, ebx
		mov	byte ptr [ebp+var_1D], bl
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], ebx
		lea	eax, [ebp+var_1D]
		push	eax
		push	1
		mov	edx, ecx
		mov	ecx, [ebp+arg_4]
		call	_EtwpOpenLogger@16 ; EtwpOpenLogger(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_3C], esi
		mov	[ebp+var_34], esi
		test	esi, esi
		jz	loc_4DD25A
		mov	[ebp+var_24], ebx
		cmp	[ebp+arg_8], ebx
		jbe	short loc_4DD155
		mov	ecx, [ebp+var_28]
		add	ecx, 8
		mov	edx, [ebp+arg_8]

loc_4DD148:				; CODE XREF: EtwpLogSystemEventUnsafe+61j
		mov	eax, [ecx]
		add	[ebp+var_24], eax
		lea	ecx, [ecx+10h]
		sub	edx, 1
		jnz	short loc_4DD148

loc_4DD155:				; CODE XREF: EtwpLogSystemEventUnsafe+4Bj
		mov	edi, [ebp+var_24]
		add	edi, 20h
		push	[ebp+arg_10]
		lea	eax, [ebp+var_4C]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	EtwpReserveTraceBuffer
		mov	edx, eax
		test	edx, edx
		jz	loc_4DD231
		mov	eax, [ebp+arg_10]
		movzx	ecx, al
		or	ecx, 0C0010000h
		mov	[edx], ecx
		mov	ecx, [ebp+var_4C]
		mov	[edx+10h], ecx
		mov	ecx, [ebp+var_48]
		mov	[edx+14h], ecx
		mov	[edx+4], di
		mov	ax, word ptr [ebp+arg_C]
		mov	[edx+6], ax
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+2B0h]
		mov	[edx+8], eax
		mov	eax, [edi+2ACh]
		mov	[edx+0Ch], eax
		mov	eax, [edi+194h]
		mov	[edx+18h], eax
		mov	eax, [edi+1C0h]
		mov	[edx+1Ch], eax
		lea	ecx, [edx+20h]	; void *
		mov	[ebp+var_38], ecx
		test	ecx, ecx
		jz	short loc_4DD231
		mov	[ebp+ms_exc.disabled], ebx
		push	[ebp+var_24]	; int
		push	[ebp+arg_8]	; int
		mov	edx, [ebp+var_28] ; int
		call	_EtwpCopyEventData@16 ;	EtwpCopyEventData(x,x,x,x)
		mov	[ebp+var_30], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_4DD1EB:				; CODE XREF: sub_5CAF50+18j
		test	eax, eax
		jnz	loc_5CAF6D

loc_4DD1F3:				; CODE XREF: EtwpLogSystemEventUnsafe+EDE91j
		test	dword ptr [esi+0Ch], 80000h
		jnz	loc_5CAF88

loc_4DD200:				; CODE XREF: EtwpLogSystemEventUnsafe+EDEAFj
					; EtwpLogSystemEventUnsafe+EDEBFj
		lea	ecx, [ebp+var_58]
		call	_EtwpReleaseTraceBuffer@4 ; EtwpReleaseTraceBuffer(x)
		mov	eax, [esi+258h]
		test	al, al
		js	loc_5CAFB6

loc_4DD216:				; CODE XREF: EtwpLogSystemEventUnsafe+EDEFEj
					; EtwpLogSystemEventUnsafe+EDF06j
		test	eax, 8000h
		jnz	loc_5CAFFD

loc_4DD221:				; CODE XREF: EtwpLogSystemEventUnsafe+EDF16j
					; EtwpLogSystemEventUnsafe+EDF3Ej ...
		test	dword ptr [esi+258h], 4000000h
		jnz	loc_5CB048

loc_4DD231:				; CODE XREF: EtwpLogSystemEventUnsafe+81j
					; EtwpLogSystemEventUnsafe+DCj	...
		cmp	byte ptr [ebp+var_1D], 0
		jz	short loc_4DD25A
		mov	eax, [ebp+var_40]
		mov	eax, [eax+188h]
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+arg_4]
		mov	ecx, [eax+ecx*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_4DD25A:				; CODE XREF: EtwpLogSystemEventUnsafe+3Fj
					; EtwpLogSystemEventUnsafe+143j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
EtwpLogSystemEventUnsafe endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall EtwpCopyEventData(void	*,int,int,int)
_EtwpCopyEventData@16 proc near		; CODE XREF: EtwpLogSystemEventUnsafe+EAp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		mov	eax, ecx
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		jbe	short loc_4DD2B6
		mov	ebx, [ebp+arg_4]

loc_4DD28A:				; CODE XREF: EtwpCopyEventData(x,x,x,x)+48j
		mov	esi, [edi+8]
		cmp	esi, ebx
		ja	short loc_4DD2BF
		push	esi		; size_t
		push	dword ptr [edi]	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	ecx, [ebp+var_8]
		add	eax, esi
		sub	ebx, esi
		mov	[ebp+var_4], eax
		inc	ecx
		add	edi, 10h
		mov	[ebp+var_8], ecx
		cmp	ecx, [ebp+arg_0]
		jb	short loc_4DD28A

loc_4DD2B6:				; CODE XREF: EtwpCopyEventData(x,x,x,x)+19j
		xor	eax, eax

loc_4DD2B8:				; CODE XREF: EtwpCopyEventData(x,x,x,x)+58j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4DD2BF:				; CODE XREF: EtwpCopyEventData(x,x,x,x)+23j
		mov	eax, 0C0000004h
		jmp	short loc_4DD2B8
_EtwpCopyEventData@16 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1096. KeAlertThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAlertThread(x, x)
		public _KeAlertThread@8
_KeAlertThread@8 proc near		; CODE XREF: KeRequestTerminationThread+91p
					; IopCancelIrpsInCurrentThreadListSpecialApc+D0387p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, [ebp+arg_0]
		mov	byte ptr [ebp+var_C], al
		mov	eax, large fs:20h
		and	[ebp+var_4], 0
		mov	[ebp+var_8], eax
		lea	esi, [edi+2Ch]

loc_4DD2F3:				; CODE XREF: KeAlertThread(x,x)+69j
		lock bts dword ptr [esi], 0
		jb	short loc_4DD329
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	@KiAlertThread@12 ; KiAlertThread(x,x,x)
		push	[ebp+var_C]
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		push	2
		push	1
		mov	bl, al
		mov	dword ptr [esi], 0
		call	KiExitDispatcher
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
; 

loc_4DD329:				; CODE XREF: KeAlertThread(x,x)+2Cj
					; KeAlertThread(x,x)+6Bj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_4DD2F3
		jmp	short loc_4DD329
_KeAlertThread@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiAlertThread(x, x, x)
@KiAlertThread@12 proc near		; CODE XREF: KeAlertThread(x,x)+36p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		mov	dl, [ebp+arg_0]
		push	edi
		movsx	edi, dl
		mov	bl, [edi+esi+56h]
		test	bl, bl
		jnz	short loc_4DD361
		mov	al, [esi+90h]
		cmp	al, 5
		jz	short loc_4DD36A

loc_4DD35C:				; CODE XREF: KiAlertThread(x,x,x)+37j
					; KiAlertThread(x,x,x)+3Bj ...
		mov	byte ptr [edi+esi+56h],	1

loc_4DD361:				; CODE XREF: KiAlertThread(x,x,x)+16j
					; KiAlertThread(x,x,x)+5Fj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4DD36A:				; CODE XREF: KiAlertThread(x,x,x)+20j
		mov	al, [esi+54h]
		and	al, 7
		cmp	al, 4
		jz	short loc_4DD35C
		cmp	al, 3
		jz	short loc_4DD35C
		test	byte ptr [esi+58h], 10h
		jz	short loc_4DD35C
		cmp	dl, [esi+93h]
		jg	short loc_4DD35C
		push	0
		push	101h
		mov	edx, esi
		call	KiSignalThread
		or	byte ptr [esi+54h], 80h
		test	al, al
		jnz	short loc_4DD361
		jmp	short loc_4DD35C
@KiAlertThread@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeRequestTerminationThread proc	near	; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+785p
					; PspTerminateThreadByPointer+4Ep ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005CB08B SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, ecx
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 0Fh
		jb	loc_4DD43D
		push	ebx
		push	edi
		lea	ebx, [esi+190h]
		mov	[ebp+var_1], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_10], 0
		lea	edi, [esi+2Ch]
		mov	byte ptr [ebp+var_C], al

loc_4DD3D3:				; CODE XREF: KeRequestTerminationThread+EDCFBj
		lock bts dword ptr [edi], 0
		jb	loc_5CB08B
		mov	eax, large fs:20h
		test	dword ptr [esi+58h], 4000h
		mov	[ebp+var_8], eax
		jz	short loc_4DD415
		cmp	byte ptr [ebx+2Eh], 0
		mov	[ebp+var_1], 1
		jnz	short loc_4DD415
		mov	ecx, ebx
		mov	byte ptr [ebx+2Eh], 1
		call	KiInsertQueueApc
		push	[ebp+var_C]
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	_KiSignalThreadForApc@12 ; KiSignalThreadForApc(x,x,x)
		mov	eax, [ebp+var_8]

loc_4DD415:				; CODE XREF: KeRequestTerminationThread+50j
					; KeRequestTerminationThread+5Aj
		push	[ebp+var_C]
		xor	ebx, ebx
		xor	edx, edx
		push	ebx
		push	1
		mov	ecx, eax
		mov	[edi], ebx
		call	KiExitDispatcher
		cmp	[ebp+var_1], bl
		jz	short loc_4DD43B
		push	ebx
		push	esi
		call	_KeAlertThread@8 ; KeAlertThread(x,x)
		mov	ecx, esi
		call	_KeForceResumeThread@4 ; KeForceResumeThread(x)

loc_4DD43B:				; CODE XREF: KeRequestTerminationThread+8Dj
		pop	edi
		pop	ebx

loc_4DD43D:				; CODE XREF: KeRequestTerminationThread+13j
		pop	esi
		leave
		retn
KeRequestTerminationThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCancelApcRequired proc near		; CODE XREF: IopCancelIrpsInThreadListForCurrentProcess(x,x)+69p
					; IopCancelSynchronousIrpsForThread(x,x)+14p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CB09E SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [esi+350h]
		mov	[ebp+var_1], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	edx, [esi+2CCh]
		xor	esi, esi
		mov	ecx, [edx]
		cmp	ecx, edx
		jnz	short loc_4DD495

loc_4DD471:				; CODE XREF: IopCancelApcRequired+74j
					; IopCancelApcRequired+78j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5CB09E
		xor	eax, eax
		lock and [ebx],	eax

loc_4DD483:				; CODE XREF: IopCancelApcRequired+EDC68j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4DD495:				; CODE XREF: IopCancelApcRequired+2Fj
		mov	eax, [ebp+arg_0]
		inc	esi
		test	eax, eax
		jz	short loc_4DD4C1

loc_4DD49D:				; CODE XREF: IopCancelApcRequired+70j
					; IopCancelApcRequired+83j
		test	byte ptr [ecx-8], 2
		jnz	short loc_4DD4AC
		cmp	[ecx+18h], eax
		jz	short loc_4DD4B6

loc_4DD4A8:				; CODE XREF: IopCancelApcRequired+7Fj
		test	eax, eax
		jz	short loc_4DD4C7

loc_4DD4AC:				; CODE XREF: IopCancelApcRequired+61j
					; IopCancelApcRequired+8Aj
		mov	ecx, [ecx]
		cmp	edx, ecx
		jnz	short loc_4DD49D
		xor	esi, esi
		jmp	short loc_4DD471
; 

loc_4DD4B6:				; CODE XREF: IopCancelApcRequired+66j
		test	edi, edi
		jz	short loc_4DD471
		cmp	[ecx+54h], edi
		jz	short loc_4DD471
		jmp	short loc_4DD4A8
; 

loc_4DD4C1:				; CODE XREF: IopCancelApcRequired+5Bj
		test	edi, edi
		jnz	short loc_4DD49D
		jmp	short loc_4DD471
; 

loc_4DD4C7:				; CODE XREF: IopCancelApcRequired+6Aj
		cmp	[ecx+54h], edi
		jnz	short loc_4DD4AC
		jmp	short loc_4DD471
IopCancelApcRequired endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepEvaluateSetRelationship proc near ; CODE XREF: AuthzBasepEvaluateExpression+6Ep
					; AuthzBasepEvaluateExpression+ED7FDp

var_40		= dword	ptr -40h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CB0AD SIZE 0000027E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_24]
		push	7
		xor	eax, eax
		mov	esi, edx
		pop	ecx
		rep stosd
		push	7
		pop	ecx
		lea	edi, [ebp+var_40]
		mov	[ebp+var_4], eax
		rep stosd
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		xor	edx, edx
		mov	[ebp+var_8], ecx
		and	[eax], ecx
		sub	ebx, ecx
		jz	loc_5CB19F
		sub	ebx, 1
		jnz	loc_5CB0AD
		xor	edi, edi
		inc	edi
		cmp	[esi+0Ch], edi
		jz	short loc_4DD520
		cmp	[esi+28h], edi
		jnz	loc_5CB14D

loc_4DD520:				; CODE XREF: AuthzBasepEvaluateSetRelationship+47j
					; AuthzBasepEvaluateSetRelationship+EDC8Bj
		mov	ebx, [ebp+arg_0]

loc_4DD523:				; CODE XREF: AuthzBasepEvaluateSetRelationship+97j
		mov	ecx, [esi+24h]
		lea	eax, [esi+1Ch]
		mov	[ebp+arg_0], ecx
		lea	edx, [ebp+var_24]
		mov	ecx, eax
		call	AuthzBasepGetNextValue
		mov	edx, eax
		cmp	edx, 8000001Ah
		jz	short loc_4DD570
		test	edx, edx
		js	short loc_4DD56B
		push	4
		pop	eax
		cmp	[esi], ax
		jz	loc_5CB15E

loc_4DD550:				; CODE XREF: AuthzBasepEvaluateSetRelationship+EDCCCj
		push	0
		push	ebx
		mov	edx, esi
		lea	ecx, [ebp+var_24]
		call	AuthzBasepValueInSet
		mov	edx, eax
		test	edx, edx
		js	short loc_4DD56B
		cmp	[ebx], edi
		jz	short loc_4DD523

loc_4DD567:				; CODE XREF: AuthzBasepEvaluateSetRelationship+EDC7Aj
					; AuthzBasepEvaluateSetRelationship+EDD79j ...
		test	edx, edx
		jns	short loc_4DD572

loc_4DD56B:				; CODE XREF: AuthzBasepEvaluateSetRelationship+74j
					; AuthzBasepEvaluateSetRelationship+93j ...
		or	dword ptr [ebx], 0FFFFFFFFh
		jmp	short loc_4DD572
; 

loc_4DD570:				; CODE XREF: AuthzBasepEvaluateSetRelationship+70j
					; AuthzBasepEvaluateSetRelationship+EDC05j
		xor	edx, edx

loc_4DD572:				; CODE XREF: AuthzBasepEvaluateSetRelationship+9Bj
					; AuthzBasepEvaluateSetRelationship+A0j ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	4
AuthzBasepEvaluateSetRelationship endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepValueInSet proc near		; CODE XREF: AuthzBasepEvaluateSetRelationship+8Ap
					; AuthzBasepEvaluateSetRelationship+EDC62p ...

var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_38		= byte ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005CB32B SIZE 000000AC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_20]
		and	[ebx], eax
		push	7
		pop	ecx
		rep stosd
		push	7
		pop	ecx
		lea	edi, [ebp+var_58]
		rep movsd
		mov	edi, edx

loc_4DD5A2:				; CODE XREF: AuthzBasepValueInSet+A1j
					; AuthzBasepValueInSet+EDE02j
		mov	eax, [edi+8]
		lea	edx, [ebp+var_3C]
		mov	ecx, edi
		mov	[ebp+var_4], eax
		call	AuthzBasepGetNextValue
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	short loc_4DD633
		test	esi, esi
		js	short loc_4DD63D
		push	4
		pop	eax
		cmp	word ptr [ebp+var_58], ax
		jz	loc_5CB32B
		mov	ax, word ptr [ebp+var_3C]
		mov	word ptr [ebp+arg_0+2],	ax

loc_4DD5D5:				; CODE XREF: AuthzBasepValueInSet+EDDF9j
		lea	ecx, [ebp+var_58]
		call	AuthzBasepOperandValueTypesCompatible
		test	al, al
		jz	loc_5CB37A
		cmp	[ebp+var_4C], 1
		movzx	ecx, word ptr [ebp+arg_0+2]
		jnz	short loc_4DD637

loc_4DD5EF:				; CODE XREF: AuthzBasepValueInSet+BFj
		movzx	eax, cx
		test	ax, ax
		jz	short loc_4DD61A
		cmp	eax, 2
		jbe	loc_5CB3C6
		cmp	eax, 3
		jnz	loc_5CB38E
		push	ebx
		lea	edx, [ebp+var_58]
		mov	cl, 80h
		call	AuthzBasepCompareUnicodeStringOperands

loc_4DD614:				; CODE XREF: AuthzBasepValueInSet+EDE45j
		mov	esi, eax
		test	esi, esi
		js	short loc_4DD63D

loc_4DD61A:				; CODE XREF: AuthzBasepValueInSet+79j
					; AuthzBasepValueInSet+EDE28j ...
		cmp	dword ptr [ebx], 1
		jnz	short loc_4DD5A2

loc_4DD61F:				; CODE XREF: AuthzBasepValueInSet+EDE0Dj
		test	esi, esi
		js	short loc_4DD63D

loc_4DD623:				; CODE XREF: AuthzBasepValueInSet+B9j
					; AuthzBasepValueInSet+C4j
		mov	ecx, edi
		call	_AuthzBasepRestartOperandValueEnumeration@4 ; AuthzBasepRestartOperandValueEnumeration(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4DD633:				; CODE XREF: AuthzBasepValueInSet+3Ej
					; AuthzBasepValueInSet+EDDC1j
		xor	esi, esi
		jmp	short loc_4DD623
; 

loc_4DD637:				; CODE XREF: AuthzBasepValueInSet+71j
		movzx	ecx, word ptr [ebp+var_58]
		jmp	short loc_4DD5EF
; 

loc_4DD63D:				; CODE XREF: AuthzBasepValueInSet+42j
					; AuthzBasepValueInSet+9Cj ...
		or	dword ptr [ebx], 0FFFFFFFFh
		jmp	short loc_4DD623
AuthzBasepValueInSet endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepGetNextValue proc near	; CODE XREF: AuthzBasepEvaluateSetRelationship+63p
					; AuthzBasepValueInSet+31p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CB3D7 SIZE 00000039 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		push	edi
		cmp	dword ptr [ebx+0Ch], 1
		mov	edi, edx
		mov	eax, [ebx+8]
		mov	edx, esi
		mov	[ebp+var_4], esi
		jz	short loc_4DD69D
		test	eax, eax
		jz	short loc_4DD6B9

loc_4DD663:				; CODE XREF: AuthzBasepGetNextValue+7Aj
		cmp	eax, [ebx+4]
		jnb	short loc_4DD6CE
		mov	ecx, [ebx+10h]
		call	AuthzBasepQuerySecurityAttributeAndValues
		mov	edx, eax
		mov	ax, [ebx]
		mov	[edi], ax
		mov	al, [ebx+4]
		mov	[edi+4], al
		mov	eax, [ebx+14h]
		mov	[edi+14h], eax
		mov	eax, [ebx+10h]
		mov	[edi+10h], eax
		mov	[edi+18h], esi
		mov	eax, [ebx+0Ch]
		mov	[edi+0Ch], eax

loc_4DD693:				; CODE XREF: AuthzBasepGetNextValue+83j
		inc	dword ptr [ebx+8]

loc_4DD696:				; CODE XREF: AuthzBasepGetNextValue+75j
					; AuthzBasepGetNextValue+8Aj ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn
; 

loc_4DD69D:				; CODE XREF: AuthzBasepGetNextValue+1Bj
		cmp	[ebx+4], dl
		jnz	loc_5CB3D7
		test	eax, eax
		jnz	short loc_4DD6C7
		mov	eax, [ebx+14h]
		mov	esi, ebx
		push	7
		pop	ecx
		mov	[ebx+8], eax
		rep movsd
		jmp	short loc_4DD696
; 

loc_4DD6B9:				; CODE XREF: AuthzBasepGetNextValue+1Fj
		cmp	[ebx+4], esi
		jbe	short loc_4DD663
		push	7
		pop	ecx
		mov	esi, ebx
		rep movsd
		jmp	short loc_4DD693
; 

loc_4DD6C7:				; CODE XREF: AuthzBasepGetNextValue+66j
					; AuthzBasepGetNextValue+EDD9Aj
		mov	edx, 8000001Ah
		jmp	short loc_4DD696
; 

loc_4DD6CE:				; CODE XREF: AuthzBasepGetNextValue+24j
		mov	edx, eax
		neg	edx
		sbb	edx, edx
		and	edx, 0BFFFFDF5h
		add	edx, 0C0000225h
		jmp	short loc_4DD696
AuthzBasepGetNextValue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepCompareUnicodeStringOperands proc near ; CODE	XREF: AuthzBasepValueInSet+93p
					; AuthzBasepEvaluateExpression+ED883p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CB410 SIZE 00000074 BYTES
; FUNCTION CHUNK AT 005CB4AC SIZE 00000061 BYTES

		push	34h
		push	offset dword_6A28A0
		call	__SEH_prolog4
		mov	edi, edx
		mov	[ebp+var_1A], cl
		xor	ebx, ebx
		mov	word ptr [ebp+var_20], bx
		mov	[ebp+var_19], bl
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	esi, [ebp+arg_0]
		mov	[esi], ebx
		lea	edx, [ebp+var_19]
		mov	ecx, edi
		call	_AuthzBasepGetOperandStringCaseForEvaluation@8 ; AuthzBasepGetOperandStringCaseForEvaluation(x,x)
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		js	loc_5CB410
		mov	[ebp+var_2C], ebx
		lea	eax, [ebp+var_44]
		mov	[ebp+var_28], eax
		lea	ecx, [edi+10h]
		mov	[ebp+var_30], ecx
		mov	eax, ebx

loc_4DD72F:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+9Cj
		mov	dl, [ebp+var_19]
		cmp	dword ptr [ecx-4], 1
		jz	loc_4DD807
		test	dl, dl
		jnz	loc_5CB41A

loc_4DD744:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+127j
		setz	dl
		lea	eax, [ebp+eax+var_20]
		push	eax
		push	[ebp+var_28]
		add	ecx, 0FFFFFFF0h
		call	AuthzBasepUnicodeStringFromOperandValue
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		js	loc_5CB502
		mov	dl, [ebp+var_19]

loc_4DD767:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDD4Fj
		mov	eax, [ebp+var_2C]
		inc	eax
		mov	[ebp+var_2C], eax
		mov	ecx, [ebp+var_30]
		add	ecx, 1Ch
		mov	[ebp+var_30], ecx
		add	[ebp+var_28], 8
		cmp	eax, 2
		jl	short loc_4DD72F
		mov	al, [ebp+var_1A]
		add	al, 80h
		cmp	al, 1
		ja	loc_5CB4AC
		cmp	dword ptr [edi+0Ch], 2
		jz	short loc_4DD79D
		cmp	dword ptr [edi+28h], 2
		jnz	loc_5CB436

loc_4DD79D:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+AFj
		mov	[ebp+ms_exc.disabled], ebx
		push	ebx
		cmp	dword ptr [edi+28h], 1
		jz	loc_5CB460
		test	dl, dl
		setz	byte ptr [ebp+var_30]
		push	[ebp+var_30]
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_44]

loc_4DD7BB:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDD8Ej
		push	eax
		call	RtlIsNameInExpression
		movzx	ecx, al
		mov	[esi], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_4DD7CD:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDD79j
		mov	edi, [ebp+var_24]
		cmp	[ebp+var_1A], 81h
		jz	loc_5CB475

loc_4DD7DA:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDD33j
					; AuthzBasepCompareUnicodeStringOperands+EDD9Dj ...
		mov	esi, ebx

loc_4DD7DC:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+10Fj
		cmp	byte ptr [ebp+esi+var_20], 0
		jz	short loc_4DD7ED
		push	ebx
		push	[ebp+esi*8+var_40]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4DD7ED:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+FFj
		inc	esi
		cmp	esi, 2
		jl	short loc_4DD7DC
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4DD807:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+54j
		test	dl, dl
		jmp	loc_4DD744
AuthzBasepCompareUnicodeStringOperands endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 569. FsRtlIsNameInExpression

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIsNameInExpression
RtlIsNameInExpression proc near		; CODE XREF: AuthzBasepCompareUnicodeStringOperands+DAp
					; AuthzBasepCompareFQBNOperands(x,x,x)+1C6p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 004DD898 SIZE 00000006 BYTES

		push	18h
		push	offset dword_6A28C0
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_1D], bl
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		cmp	byte ptr [ebp+arg_8], bl
		jz	short loc_4DD84E
		cmp	[ebp+arg_C], ebx
		jnz	short loc_4DD84E
		push	ecx
		mov	edx, [ebp+arg_4]
		lea	ecx, [ebp+var_28]
		call	RtlpUpcaseUnicodeStringPrivate
		test	eax, eax
		js	short loc_4DD898
		lea	eax, [ebp+var_28]
		mov	[ebp+arg_4], eax
		mov	byte ptr [ebp+arg_8], bl

loc_4DD84E:				; CODE XREF: RtlIsNameInExpression+1Aj
					; RtlIsNameInExpression+1Fj
		mov	[ebp+ms_exc.disabled], ebx
		push	[ebp+arg_C]
		push	ebx
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	RtlpIsNameInExpressionPrivate
		mov	bl, al
		mov	[ebp+var_1D], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_4DD888
		mov	al, bl
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
RtlIsNameInExpression endp


;  S U B	R O U T	I N E 


sub_4DD888	proc near		; CODE XREF: RtlIsNameInExpression+5Bp
					; sub_5CB50D+3j
		cmp	dword ptr [ebp-24h], 0
		jz	short locret_4DD897
		lea	eax, [ebp-28h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

locret_4DD897:				; CODE XREF: sub_4DD888+4j
		retn
sub_4DD888	endp

; 
; START	OF FUNCTION CHUNK FOR RtlIsNameInExpression

loc_4DD898:				; CODE XREF: RtlIsNameInExpression+2Fj
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; END OF FUNCTION CHUNK	FOR RtlIsNameInExpression
; 
		dw 0CCCCh
		dd 4 dup(0CCCCCCCCh)
; Exported entry 570. FsRtlIsNameInUnUpcasedExpression

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIsNameInUnUpcasedExpression
RtlIsNameInUnUpcasedExpression proc near

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005CB515 SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A28E0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_19], 0
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_2C], 0
		mov	[ebp+var_28], 0
		mov	[ebp+var_4], 0
		mov	esi, [ebp+arg_C]
		mov	edx, [ebp+arg_4]
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_4DD91D
		test	esi, esi
		jz	loc_5CB515

loc_4DD91D:				; CODE XREF: RtlIsNameInUnUpcasedExpression+63j
		mov	ecx, [ebp+arg_0]

loc_4DD920:				; CODE XREF: RtlIsNameInUnUpcasedExpression+EDC98j
		push	esi
		push	1
		push	[ebp+arg_8]
		call	RtlpIsNameInExpressionPrivate
		mov	bl, al
		mov	[ebp+var_19], bl
		mov	[ebp+var_4], 0FFFFFFFEh
		call	sub_4DD952
		mov	al, bl
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
RtlIsNameInUnUpcasedExpression endp


;  S U B	R O U T	I N E 


sub_4DD952	proc near		; CODE XREF: RtlIsNameInUnUpcasedExpression+87p
					; sub_5CB54D+3j

; FUNCTION CHUNK AT 005CB555 SIZE 0000001C BYTES

		cmp	dword ptr [ebp-20h], 0
		jnz	loc_5CB555

loc_4DD95C:				; CODE XREF: sub_4DD952+EDC0Cj
		cmp	dword ptr [ebp-28h], 0
		jnz	loc_5CB563

locret_4DD966:				; CODE XREF: sub_4DD952+EDC1Aj
		retn
sub_4DD952	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpIsNameInExpressionPrivate proc near	; CODE XREF: RtlIsNameInExpression+4Ap
					; RtlIsNameInUnUpcasedExpression+76p

var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CB571 SIZE 000000C9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, edx
		mov	[ebp+var_64], 0
		push	ebx
		push	esi
		mov	edx, ecx
		mov	[ebp+var_60], eax
		movzx	esi, word ptr [eax]
		mov	[ebp+var_8C], edx
		mov	[ebp+var_6C], 0
		mov	[ebp+var_45], 0
		push	edi
		test	si, si
		jz	loc_5CB62E
		movzx	ecx, word ptr [edx]
		test	cx, cx
		jz	loc_5CB62E
		cmp	ecx, 2
		jnz	short loc_4DD9E2
		mov	eax, [edx+4]
		cmp	word ptr [eax],	2Ah
		jnz	short loc_4DD9E2

loc_4DD9CD:				; CODE XREF: RtlpIsNameInExpressionPrivate+39Cj
					; RtlpIsNameInExpressionPrivate+3EBj
		mov	al, 1

loc_4DD9CF:				; CODE XREF: RtlpIsNameInExpressionPrivate+280j
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4DD9E2:				; CODE XREF: RtlpIsNameInExpressionPrivate+52j
					; RtlpIsNameInExpressionPrivate+5Bj
		mov	eax, [edx+4]
		mov	ebx, ecx
		cmp	word ptr [eax],	2Ah
		jz	loc_4DDCA4

loc_4DD9F1:				; CODE XREF: RtlpIsNameInExpressionPrivate+36Cj
		lea	eax, [ebp+var_24]
		mov	ecx, 1
		mov	[ebp+var_4C], eax
		lea	edi, [ebp+var_44]
		xor	eax, eax
		mov	[ebp+var_50], edi
		mov	word ptr [ebp+var_44], ax
		xor	edx, edx
		lea	eax, [ebx+ebx]
		mov	[ebp+var_78], ecx
		movzx	ebx, ax
		mov	[ebp+var_68], edx
		mov	[ebp+var_7C], ebx
		lea	esp, [esp+0]

loc_4DDA20:				; CODE XREF: RtlpIsNameInExpressionPrivate+1C2j
		mov	eax, [ebp+var_60]
		cmp	dx, [eax]
		jnb	loc_4DDBCB
		mov	eax, [eax+4]
		movzx	ecx, dx
		shr	ecx, 1
		add	edx, 2
		mov	[ebp+var_68], edx
		movzx	eax, word ptr [eax+ecx*2]
		mov	ecx, [ebp+var_78]
		mov	[ebp+var_64], eax

loc_4DDA44:				; CODE XREF: RtlpIsNameInExpressionPrivate+264j
		xor	edx, edx
		xor	ebx, ebx
		mov	[ebp+var_5C], edx
		test	ecx, ecx
		jz	loc_4DDC68

loc_4DDA53:				; CODE XREF: RtlpIsNameInExpressionPrivate+1F6j
		movzx	eax, word ptr [edi+edx*2]
		inc	edx
		inc	eax
		mov	[ebp+var_70], edx
		shr	eax, 1
		movzx	esi, ax
		xor	eax, eax

loc_4DDA63:				; CODE XREF: RtlpIsNameInExpressionPrivate+180j
					; RtlpIsNameInExpressionPrivate+2F3j ...
		mov	ecx, [ebp+var_8C]
		movzx	ecx, word ptr [ecx]
		cmp	si, cx
		jz	loc_4DDB00
		add	esi, eax
		mov	[ebp+var_54], 2
		mov	[ebp+var_84], esi
		lea	eax, [esi+esi]
		movzx	edx, ax
		mov	eax, ecx
		mov	[ebp+var_88], edx
		mov	[ebp+var_80], eax
		cmp	si, cx
		jz	short loc_4DDAF5
		mov	eax, [ebp+var_8C]
		movzx	ecx, si
		shr	ecx, 1
		cmp	[ebp+arg_0], 0
		mov	eax, [eax+4]
		movzx	eax, word ptr [eax+ecx*2]
		mov	[ebp+var_58], eax
		jz	short loc_4DDAC8
		cmp	[ebp+arg_4], 0
		jz	short loc_4DDAC8
		mov	ecx, [ebp+arg_8]
		movzx	eax, ax
		movzx	eax, word ptr [ecx+eax*2]
		mov	[ebp+var_58], eax

loc_4DDAC8:				; CODE XREF: RtlpIsNameInExpressionPrivate+143j
					; RtlpIsNameInExpressionPrivate+149j
		cmp	ebx, 0Eh
		jnb	loc_5CB58F

loc_4DDAD1:				; CODE XREF: RtlpIsNameInExpressionPrivate+EDC23j
					; RtlpIsNameInExpressionPrivate+EDC89j
		cmp	ax, 2Ah
		jnz	loc_4DDB72

loc_4DDADB:				; CODE XREF: RtlpIsNameInExpressionPrivate+28Aj
					; RtlpIsNameInExpressionPrivate+294j ...
		mov	ecx, [ebp+var_4C]
		lea	eax, [edx+3]
		mov	[ecx+ebx*2], dx
		mov	[ecx+ebx*2+2], ax
		add	ebx, 2
		mov	eax, [ebp+var_54]
		jmp	loc_4DDA63
; 

loc_4DDAF5:				; CODE XREF: RtlpIsNameInExpressionPrivate+128j
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_7C]
		mov	[eax+ebx*2], cx

loc_4DDAFF:				; CODE XREF: RtlpIsNameInExpressionPrivate+256j
					; RtlpIsNameInExpressionPrivate+40Fj ...
		inc	ebx

loc_4DDB00:				; CODE XREF: RtlpIsNameInExpressionPrivate+FFj
					; RtlpIsNameInExpressionPrivate+223j ...
		mov	edx, [ebp+var_70]
		mov	ecx, [ebp+var_78]
		cmp	edx, ecx
		jb	short loc_4DDB37

loc_4DDB0A:				; CODE XREF: RtlpIsNameInExpressionPrivate+1F1j
		test	ebx, ebx
		jz	loc_4DDC68
		cmp	[ebp+var_45], 0
		mov	eax, edi
		mov	edi, [ebp+var_4C]
		mov	ecx, ebx
		mov	ebx, [ebp+var_7C]
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], eax
		mov	[ebp+var_78], ecx
		jnz	loc_4DDBDA
		mov	edx, [ebp+var_68]
		jmp	loc_4DDA20
; 

loc_4DDB37:				; CODE XREF: RtlpIsNameInExpressionPrivate+198j
		mov	edi, [ebp+var_5C]
		mov	esi, [ebp+var_50]
		lea	ecx, [ecx+0]

loc_4DDB40:				; CODE XREF: RtlpIsNameInExpressionPrivate+1ECj
		cmp	edi, ebx
		jnb	short loc_4DDB63
		mov	eax, [ebp+var_4C]
		movzx	eax, word ptr [eax+edi*2]
		jmp	short loc_4DDB50
; 
		align 10h

loc_4DDB50:				; CODE XREF: RtlpIsNameInExpressionPrivate+1DBj
					; RtlpIsNameInExpressionPrivate+1FEj
		cmp	[esi+edx*2], ax
		jb	short loc_4DDB6B

loc_4DDB56:				; CODE XREF: RtlpIsNameInExpressionPrivate+200j
		inc	edi
		mov	[ebp+var_5C], edi
		cmp	edx, ecx
		jb	short loc_4DDB40
		mov	edi, [ebp+var_50]
		jmp	short loc_4DDB0A
; 

loc_4DDB63:				; CODE XREF: RtlpIsNameInExpressionPrivate+1D2j
		mov	edi, [ebp+var_50]
		jmp	loc_4DDA53
; 

loc_4DDB6B:				; CODE XREF: RtlpIsNameInExpressionPrivate+1E4j
		inc	edx
		cmp	edx, ecx
		jb	short loc_4DDB50
		jmp	short loc_4DDB56
; 

loc_4DDB72:				; CODE XREF: RtlpIsNameInExpressionPrivate+165j
		cmp	ax, 3Ch
		jz	short loc_4DDBF5
		add	edx, 4
		cmp	ax, 3Eh
		jz	loc_4DDD60
		cmp	ax, 22h
		jz	loc_4DDC88
		cmp	[ebp+var_45], 0
		jnz	loc_4DDB00
		cmp	ax, 3Fh
		jz	loc_5CB5FE
		mov	ecx, [ebp+var_64]

loc_4DDBA6:				; CODE XREF: RtlpIsNameInExpressionPrivate+329j
		cmp	[ebp+arg_0], 0
		movzx	ecx, cx
		jz	short loc_4DDBB6
		mov	esi, [ebp+arg_8]
		movzx	ecx, word ptr [esi+ecx*2]

loc_4DDBB6:				; CODE XREF: RtlpIsNameInExpressionPrivate+23Dj
		cmp	ax, cx
		jnz	loc_4DDB00
		mov	eax, [ebp+var_4C]
		mov	[eax+ebx*2], dx
		jmp	loc_4DDAFF
; 

loc_4DDBCB:				; CODE XREF: RtlpIsNameInExpressionPrivate+B6j
		mov	[ebp+var_45], 1
		cmp	[edi+ecx*2-2], bx
		jnz	loc_4DDA44

loc_4DDBDA:				; CODE XREF: RtlpIsNameInExpressionPrivate+1B9j
		mov	eax, [ebp+var_6C]
		movzx	esi, word ptr [edi+ecx*2-2]
		test	eax, eax
		jnz	loc_5CB621

loc_4DDBEA:				; CODE XREF: RtlpIsNameInExpressionPrivate+EDCB9j
		cmp	si, bx

loc_4DDBED:				; CODE XREF: RtlpIsNameInExpressionPrivate+EDC1Aj
					; RtlpIsNameInExpressionPrivate+EDCC5j
		setz	al
		jmp	loc_4DD9CF
; 

loc_4DDBF5:				; CODE XREF: RtlpIsNameInExpressionPrivate+206j
		cmp	word ptr [ebp+var_64], 2Eh
		jnz	loc_4DDADB
		cmp	[ebp+var_45], 0
		jnz	loc_4DDADB
		mov	eax, [ebp+var_68]
		movzx	ecx, ax
		mov	eax, [ebp+var_60]
		movzx	eax, word ptr [eax]
		mov	[ebp+var_84], eax
		cmp	word ptr [ebp+var_68], ax
		jnb	short loc_4DDC55
		mov	eax, [ebp+var_60]
		mov	eax, [eax+4]
		mov	[ebp+var_88], eax
		mov	edi, edi

loc_4DDC30:				; CODE XREF: RtlpIsNameInExpressionPrivate+2E3j
		mov	edi, [ebp+var_88]
		movzx	eax, cx
		shr	eax, 1
		cmp	word ptr [edi+eax*2], 2Eh
		mov	edi, [ebp+var_50]
		jz	loc_4DDADB
		add	ecx, 2
		cmp	cx, word ptr [ebp+var_84]
		jb	short loc_4DDC30

loc_4DDC55:				; CODE XREF: RtlpIsNameInExpressionPrivate+2B0j
		mov	ecx, [ebp+var_4C]
		lea	eax, [edx+3]
		mov	[ecx+ebx*2], ax
		inc	ebx
		mov	eax, [ebp+var_54]
		jmp	loc_4DDA63
; 

loc_4DDC68:				; CODE XREF: RtlpIsNameInExpressionPrivate+DDj
					; RtlpIsNameInExpressionPrivate+19Cj
		mov	eax, [ebp+var_6C]
		test	eax, eax
		jnz	loc_5CB614

loc_4DDC73:				; CODE XREF: RtlpIsNameInExpressionPrivate+37Aj
					; RtlpIsNameInExpressionPrivate+3DFj ...
		mov	ecx, [ebp+var_4]
		xor	al, al
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4DDC88:				; CODE XREF: RtlpIsNameInExpressionPrivate+219j
		cmp	[ebp+var_45], 0
		jnz	loc_4DDD84
		mov	ecx, [ebp+var_64]
		cmp	cx, 2Eh
		jnz	loc_4DDBA6
		jmp	loc_4DDD78
; 

loc_4DDCA4:				; CODE XREF: RtlpIsNameInExpressionPrivate+7Bj
		mov	ecx, [edx]
		add	eax, 2
		mov	[ebp+var_74], ecx
		movzx	edx, cx
		shr	ecx, 10h
		mov	ebx, edx
		sub	ecx, 2
		mov	[ebp+var_70], eax
		mov	word ptr [ebp+var_74+2], cx
		mov	eax, [ebp+var_74]
		add	eax, 0FFFFFFFEh
		movzx	ecx, ax
		movzx	edi, ax
		mov	word ptr [ebp+var_74], ax
		lea	eax, [ebp+var_74]
		push	eax
		mov	[ebp+var_58], ecx
		call	_RtlDoesNameContainWildCards@4 ; RtlDoesNameContainWildCards(x)
		test	al, al
		jnz	loc_4DD9F1
		mov	eax, ebx
		add	eax, 0FFFFFFFEh
		cmp	si, ax
		jb	short loc_4DDC73
		mov	eax, [ebp+var_58]
		mov	edx, esi
		movzx	eax, ax
		sub	edx, eax
		shr	edx, 1
		cmp	[ebp+arg_0], 0
		jz	loc_5CB571
		shr	di, 1
		xor	eax, eax
		xor	esi, esi
		cmp	ax, di
		jnb	loc_4DD9CD
		mov	eax, [ebp+var_60]
		mov	eax, [eax+4]
		mov	[ebp+var_5C], eax
		jmp	short loc_4DDD20
; 
		align 10h

loc_4DDD20:				; CODE XREF: RtlpIsNameInExpressionPrivate+3ABj
					; RtlpIsNameInExpressionPrivate+3E9j
		cmp	[ebp+arg_4], 0
		mov	ebx, [ebp+var_5C]
		movzx	ecx, si
		lea	eax, [ecx+edx]
		movzx	eax, word ptr [ebx+eax*2]
		mov	ebx, [ebp+arg_8]
		movzx	eax, word ptr [ebx+eax*2]
		mov	ebx, [ebp+var_70]
		mov	[ebp+var_58], eax
		movzx	eax, word ptr [ebx+ecx*2]
		jz	short loc_4DDD4B
		mov	ecx, [ebp+arg_8]
		movzx	eax, word ptr [ecx+eax*2]

loc_4DDD4B:				; CODE XREF: RtlpIsNameInExpressionPrivate+3D2j
		cmp	word ptr [ebp+var_58], ax
		jnz	loc_4DDC73
		inc	esi
		cmp	si, di
		jb	short loc_4DDD20
		jmp	loc_4DD9CD
; 

loc_4DDD60:				; CODE XREF: RtlpIsNameInExpressionPrivate+20Fj
		cmp	[ebp+var_45], 0
		mov	eax, [ebp+var_54]
		jnz	loc_4DDA63
		cmp	word ptr [ebp+var_64], 2Eh
		jz	loc_4DDA63

loc_4DDD78:				; CODE XREF: RtlpIsNameInExpressionPrivate+32Fj
		mov	eax, [ebp+var_4C]
		mov	[eax+ebx*2], dx
		jmp	loc_4DDAFF
; 

loc_4DDD84:				; CODE XREF: RtlpIsNameInExpressionPrivate+31Cj
		mov	eax, [ebp+var_54]
		jmp	loc_4DDA63
RtlpIsNameInExpressionPrivate endp

; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 511. FsRtlDoesNameContainWildCards

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDoesNameContainWildCards(x)
		public _RtlDoesNameContainWildCards@4
_RtlDoesNameContainWildCards@4 proc near ; CODE	XREF: RtlpIsNameInExpressionPrivate+365p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		movzx	eax, word ptr [edx]
		test	ax, ax
		jz	short loc_4DDDD4
		mov	edx, [edx+4]
		shr	eax, 1
		dec	eax
		lea	eax, [edx+eax*2]
		cmp	eax, edx
		jb	short loc_4DDDD4
		lea	ecx, [ecx+0]

loc_4DDDC0:				; CODE XREF: RtlDoesNameContainWildCards(x)+32j
		movzx	ecx, word ptr [eax]
		cmp	ecx, 5Ch
		jz	short loc_4DDDD4
		cmp	ecx, 40h
		jb	short loc_4DDDDA

loc_4DDDCD:				; CODE XREF: RtlDoesNameContainWildCards(x)+44j
		sub	eax, 2
		cmp	eax, edx
		jnb	short loc_4DDDC0

loc_4DDDD4:				; CODE XREF: RtlDoesNameContainWildCards(x)+Ej
					; RtlDoesNameContainWildCards(x)+1Bj ...
		xor	al, al
		pop	ebp
		retn	4
; 

loc_4DDDDA:				; CODE XREF: RtlDoesNameContainWildCards(x)+2Bj
		movzx	ecx, ds:byte_40B788[ecx]
		and	ecx, 8
		jz	short loc_4DDDCD
		mov	al, 1
		pop	ebp
		retn	4
_RtlDoesNameContainWildCards@4 endp


;  S U B	R O U T	I N E 


; __stdcall AuthzBasepGetOperandStringCaseForEvaluation(x, x)
_AuthzBasepGetOperandStringCaseForEvaluation@8 proc near
					; CODE XREF: AuthzBasepCompareUnicodeStringOperands+2Ap
					; AuthzBasepCompareFQBNOperands(x,x,x)+45p
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		cmp	dword ptr [ecx+0Ch], 1
		push	esi
		mov	esi, edx
		jnz	short loc_4DDDFF
		mov	eax, [ecx+2Ch]
		jmp	short loc_4DDE08
; 

loc_4DDDFF:				; CODE XREF: AuthzBasepGetOperandStringCaseForEvaluation(x,x)+Cj
		cmp	dword ptr [ecx+28h], 1
		mov	eax, [ecx+10h]
		jnz	short loc_4DDE0F

loc_4DDE08:				; CODE XREF: AuthzBasepGetOperandStringCaseForEvaluation(x,x)+11j
		mov	al, [eax+14h]
		and	al, 2
		jmp	short loc_4DDE22
; 

loc_4DDE0F:				; CODE XREF: AuthzBasepGetOperandStringCaseForEvaluation(x,x)+1Aj
		test	byte ptr [eax+14h], 2
		jnz	short loc_4DDE20
		mov	eax, [ecx+2Ch]
		test	byte ptr [eax+14h], 2
		mov	al, bl
		jz	short loc_4DDE22

loc_4DDE20:				; CODE XREF: AuthzBasepGetOperandStringCaseForEvaluation(x,x)+27j
		mov	al, 1

loc_4DDE22:				; CODE XREF: AuthzBasepGetOperandStringCaseForEvaluation(x,x)+21j
					; AuthzBasepGetOperandStringCaseForEvaluation(x,x)+32j
		mov	[esi], al
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		sbb	al, al
		inc	al
		cmp	[esi], bl
		jnz	short loc_4DDE38
		test	al, al
		jz	short loc_4DDE3A

loc_4DDE38:				; CODE XREF: AuthzBasepGetOperandStringCaseForEvaluation(x,x)+46j
		mov	bl, 1

loc_4DDE3A:				; CODE XREF: AuthzBasepGetOperandStringCaseForEvaluation(x,x)+4Aj
		mov	[esi], bl
		xor	eax, eax
		pop	esi
		pop	ebx
		retn
_AuthzBasepGetOperandStringCaseForEvaluation@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepEvaluateExpression proc near	; CODE XREF: .text:005180BAp

var_6		= byte ptr -6
var_5		= byte ptr -5
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CB63A SIZE 000000A1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[esp+14h+var_5], cl
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		cmp	dword ptr [ebx+0Ch], 1
		lea	eax, [ebx+1Ch]
		mov	[edi], esi
		jz	short loc_4DDE68
		mov	eax, ebx

loc_4DDE68:				; CODE XREF: AuthzBasepEvaluateExpression+22j
		movzx	eax, word ptr [eax]
		mov	ecx, ebx
		mov	[esp+18h+var_4], eax
		call	AuthzBasepOperandValueTypesCompatible
		test	al, al
		jnz	short loc_4DDE8D
		mov	esi, 0C00001A2h

loc_4DDE7F:				; CODE XREF: AuthzBasepEvaluateExpression+77j
					; AuthzBasepEvaluateExpression+7Dj ...
		or	dword ptr [edi], 0FFFFFFFFh

loc_4DDE82:				; CODE XREF: AuthzBasepEvaluateExpression+58j
					; AuthzBasepEvaluateExpression+61j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4DDE8D:				; CODE XREF: AuthzBasepEvaluateExpression+36j
		mov	cl, [esp+18h+var_5]
		movzx	eax, cl
		add	eax, 0FFFFFF80h
		cmp	eax, 0Fh
		ja	short loc_4DDE82
		movzx	eax, ds:byte_4DDED6[eax]
		jmp	ds:off_4DDEC2[eax*4]

loc_4DDEAA:				; DATA XREF: .text:004DDECAo
		xor	ecx, ecx
		push	edi
		inc	ecx

loc_4DDEAE:				; CODE XREF: AuthzBasepEvaluateExpression+ED834j
		mov	edx, ebx
		call	AuthzBasepEvaluateSetRelationship
		mov	esi, eax
		test	esi, esi
		js	short loc_4DDE7F

loc_4DDEBB:				; CODE XREF: AuthzBasepEvaluateExpression+ED811j
					; AuthzBasepEvaluateExpression+ED81Cj ...
		test	esi, esi
		jns	short loc_4DDE82
		jmp	short loc_4DDE7F
AuthzBasepEvaluateExpression endp

; 
		align 2
off_4DDEC2	dd offset loc_5CB63A	; DATA XREF: AuthzBasepEvaluateExpression+61r
		dd offset loc_5CB67B
		dd offset loc_4DDEAA
		dd offset loc_5CB672
		dd offset loc_4DDE82
byte_4DDED6	db 0			; DATA XREF: AuthzBasepEvaluateExpression+5Ar
		align 4
		dd 1010101h, 4030402h, 4040404h
; 
		add	al, [ebx]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepOperandValueTypesCompatible proc near	; CODE XREF: AuthzBasepValueInSet+5Cp
					; AuthzBasepEvaluateExpression+2Fp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CB6DB SIZE 0000007A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+0Ch]
		push	ebx
		xor	ebx, ebx
		inc	ebx
		push	esi
		push	edi
		cmp	eax, ebx
		jz	short loc_4DDF03
		cmp	[ecx+28h], ebx
		jnz	loc_5CB6DB

loc_4DDF03:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+12j
		lea	edi, [ecx+1Ch]
		cmp	eax, ebx
		jz	short loc_4DDF5E
		mov	esi, edi
		mov	eax, ecx

loc_4DDF0E:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+7Cj
		movzx	edx, word ptr [esi]
		mov	[ebp+var_8], 10h
		cmp	dx, word ptr [ebp+var_8]
		jz	short loc_4DDF68

loc_4DDF1E:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+88j
		movzx	eax, word ptr [eax]
		cmp	ax, word ptr [ebp+var_8]
		jz	loc_5CB6E7
		mov	[ebp+var_4], 2
		cmp	ax, word ptr [ebp+var_4]
		jz	loc_5CB6FE
		cmp	ax, bx
		jz	loc_5CB6FE

loc_4DDF45:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+ED81Cj
		cmp	eax, 6
		jz	short loc_4DDF70
		cmp	eax, 5
		jz	short loc_4DDF79

loc_4DDF4F:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+99j
					; AuthzBasepOperandValueTypesCompatible:loc_5CB6F3j
		mov	cx, [ecx]
		cmp	cx, [edi]

loc_4DDF55:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+ED7FCj
		jnz	short loc_4DDF64

loc_4DDF57:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+86j
					; AuthzBasepOperandValueTypesCompatible+97j ...
		mov	al, bl

loc_4DDF59:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+80j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4DDF5E:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+22j
		mov	esi, ecx
		mov	eax, edi
		jmp	short loc_4DDF0E
; 

loc_4DDF64:				; CODE XREF: AuthzBasepOperandValueTypesCompatible:loc_4DDF55j
					; AuthzBasepOperandValueTypesCompatible+ED831j	...
		xor	al, al
		jmp	short loc_4DDF59
; 

loc_4DDF68:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+36j
		cmp	byte ptr [esi+4], 0
		jnz	short loc_4DDF57
		jmp	short loc_4DDF1E
; 

loc_4DDF70:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+62j
		cmp	dx, word ptr [ebp+var_4]
		jmp	loc_5CB6F3
; 

loc_4DDF79:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+67j
		cmp	dx, word ptr [ebp+var_8]
		jz	short loc_4DDF57
		jmp	short loc_4DDF4F
AuthzBasepOperandValueTypesCompatible endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall AuthzBasepRestartOperandValueEnumeration(x)
_AuthzBasepRestartOperandValueEnumeration@4 proc near ;	CODE XREF: AuthzBasepValueInSet+A9p
					; AuthzBasepEvaluateSetRelationship+EDDB3p
		xor	edx, edx
		cmp	dword ptr [ecx+0Ch], 1
		mov	[ecx+8], edx
		jz	short locret_4DDFAB
		mov	eax, [ecx+10h]
		test	eax, eax
		jz	short locret_4DDFAB
		mov	[eax+20h], edx
		mov	[eax+24h], edx
		mov	eax, [ecx+10h]
		mov	[eax+28h], edx
		mov	[eax+2Ch], edx
		mov	ecx, [ecx+10h]
		jmp	AuthzBasepQuerySecurityAttributeAndValues
; 

locret_4DDFAB:				; CODE XREF: AuthzBasepRestartOperandValueEnumeration(x)+9j
					; AuthzBasepRestartOperandValueEnumeration(x)+10j
		retn
_AuthzBasepRestartOperandValueEnumeration@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiUpdateSpeculationControl(x)
@KiUpdateSpeculationControl@4 proc near	; CODE XREF: KeOptimizeSpecCtrlSettings(x)+E12p
					; _SwapContext_SaveIpt+2Bp ...

var_42		= byte ptr -42h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ds:_KiSpeculationFeatures
		mov	[esp+44h+var_18], eax
		mov	eax, ds:dword_70E764
		mov	[esp+44h+var_14], eax
		mov	eax, ds:dword_70E768
		mov	[esp+44h+var_10], eax
		mov	eax, ds:dword_70E76C
		push	ebx
		mov	[esp+48h+var_C], eax
		mov	eax, ds:dword_70E770
		push	esi
		mov	esi, ecx
		mov	[esp+4Ch+var_8], eax
		mov	eax, ds:dword_70E774
		push	edi
		mov	edi, large fs:20h
		mov	ecx, [esp+50h+var_14]
		mov	[esp+50h+var_4], eax
		and	ecx, 10h
		xor	eax, eax
		mov	[esp+50h+var_40], esi
		or	eax, ecx
		jz	loc_4DE46F
		cli
		and	byte ptr [edi+21B8h], 61h
		add	esi, 4A0h
		xor	eax, eax
		xor	edx, edx
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [esi]
		mov	esi, edx
		mov	[esp+50h+var_38], edx
		mov	edx, [esp+50h+var_40]
		mov	ebx, eax
		mov	[esp+50h+var_3C], ebx
		mov	ecx, [edx+3A8h]
		test	ecx, 400000h
		jnz	short loc_4DE05A
		mov	ebx, 1
		xor	esi, esi
		mov	[esp+50h+var_3C], ebx
		mov	[esp+50h+var_38], esi

loc_4DE05A:				; CODE XREF: KiUpdateSpeculationControl(x)+99j
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	[esp+50h+var_20], eax
		and	ecx, 80000h
		xor	eax, eax
		or	eax, ecx
		jz	short loc_4DE08F
		mov	cl, [edi+21B8h]
		mov	eax, ebx
		or	eax, esi
		jnz	short loc_4DE086
		and	cl, 0BFh
		jmp	short loc_4DE089
; 

loc_4DE086:				; CODE XREF: KiUpdateSpeculationControl(x)+CFj
		or	cl, 40h

loc_4DE089:				; CODE XREF: KiUpdateSpeculationControl(x)+D4j
		mov	[edi+21B8h], cl

loc_4DE08F:				; CODE XREF: KiUpdateSpeculationControl(x)+C3j
		mov	eax, [esp+50h+var_18]
		mov	[esp+50h+var_2C], eax
		and	eax, 1
		or	eax, 0
		jz	short loc_4DE0AE
		mov	ecx, edi
		call	_KiUpdateSpecCtrlEnhancedIBRS@8	; KiUpdateSpecCtrlEnhancedIBRS(x,x)
		sti
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4DE0AE:				; CODE XREF: KiUpdateSpeculationControl(x)+EDj
		mov	eax, [esp+50h+var_14]
		mov	ecx, eax
		movzx	ebx, word ptr [edi+21BAh]
		and	ecx, 40h
		mov	[esp+50h+var_34], eax
		xor	eax, eax
		or	eax, ecx
		mov	[esp+50h+var_41], 0
		jz	short loc_4DE0E0
		cmp	_KiSsbdMsr, 48h
		jnz	short loc_4DE0E0
		or	ebx, 4
		mov	eax, 4
		jmp	short loc_4DE0E2
; 

loc_4DE0E0:				; CODE XREF: KiUpdateSpeculationControl(x)+11Bj
					; KiUpdateSpeculationControl(x)+124j
		xor	eax, eax

loc_4DE0E2:				; CODE XREF: KiUpdateSpeculationControl(x)+12Ej
		mov	esi, edi
		mov	ecx, edi
		mov	[esi+21BCh], ax
		mov	[ecx+21C0h], ax
		mov	eax, [esp+50h+var_2C]
		and	eax, 2000h
		mov	[esp+50h+var_2C], eax
		or	eax, 0
		jz	short loc_4DE112
		mov	eax, 80h
		or	[esi+21BCh], ax

loc_4DE112:				; CODE XREF: KiUpdateSpeculationControl(x)+154j
		mov	ecx, [esp+50h+var_34]
		mov	eax, ecx
		and	eax, 800h
		mov	[esp+50h+var_28], eax
		xor	eax, eax
		or	eax, [esp+50h+var_28]
		jz	short loc_4DE131
		or	word ptr [esi+21BCh], 2

loc_4DE131:				; CODE XREF: KiUpdateSpeculationControl(x)+177j
		and	ecx, 400000h
		xor	eax, eax
		or	eax, ecx
		mov	[esp+50h+var_34], ecx
		mov	eax, 400h
		jz	short loc_4DE14D
		or	[esi+21BCh], ax

loc_4DE14D:				; CODE XREF: KiUpdateSpeculationControl(x)+194j
		mov	eax, [edi+21B0h]
		mov	[esp+50h+var_24], eax
		mov	eax, [edi+21B4h]
		mov	[esp+50h+var_30], eax
		mov	eax, [edx+3A8h]
		mov	ecx, [esp+50h+var_14]
		xor	eax, eax
		mov	edx, ecx
		and	edx, 20h
		mov	[esp+50h+var_20], edx
		or	eax, edx
		mov	edx, [esp+50h+var_18]
		jnz	loc_4DE2B4
		mov	eax, [esp+50h+var_3C]
		or	eax, [esp+50h+var_38]
		jnz	short loc_4DE1CC
		mov	eax, edx
		and	eax, 2
		or	eax, 0
		jz	loc_4DE2D5
		mov	eax, edx
		and	eax, 40h
		or	eax, 0
		jz	short loc_4DE1B1
		or	word ptr [esi+21BCh], 2
		jmp	loc_4DE2D5
; 

loc_4DE1B1:				; CODE XREF: KiUpdateSpeculationControl(x)+1F2j
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jz	loc_4DE2D5
		or	word ptr [esi+21BCh], 1
		jmp	loc_4DE2D5
; 

loc_4DE1CC:				; CODE XREF: KiUpdateSpeculationControl(x)+1DAj
		lea	ecx, [esp+50h+var_18]
		call	_KiIsBranchConfusionMitigationEnabled@4	; KiIsBranchConfusionMitigationEnabled(x)
		test	eax, eax
		jnz	short loc_4DE24A
		lea	ecx, [esp+50h+var_18]
		call	_KiIsSrsoMitigationEnabled@4 ; KiIsSrsoMitigationEnabled(x)
		test	eax, eax
		jnz	short loc_4DE24A
		mov	edx, [esp+50h+var_18]
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		mov	eax, edx
		jz	short loc_4DE216
		or	word ptr [esi+21BCh], 1
		and	eax, 20h
		or	eax, 0
		jnz	loc_4DE2A0
		or	byte ptr [edi+21B8h], 2
		jmp	loc_4DE2A0
; 

loc_4DE216:				; CODE XREF: KiUpdateSpeculationControl(x)+244j
		and	eax, 42h
		cmp	eax, 42h
		jnz	short loc_4DE226
		or	word ptr [esi+21BCh], 2

loc_4DE226:				; CODE XREF: KiUpdateSpeculationControl(x)+26Cj
		mov	cl, [edi+21B8h]
		mov	eax, edx
		or	cl, 8
		and	eax, 8
		or	eax, 0
		mov	[edi+21B8h], cl
		jnz	short loc_4DE2A0
		or	cl, 2
		mov	[edi+21B8h], cl
		jmp	short loc_4DE2A0
; 

loc_4DE24A:				; CODE XREF: KiUpdateSpeculationControl(x)+227j
					; KiUpdateSpeculationControl(x)+234j
		mov	edx, [esp+50h+var_18]
		mov	eax, edx
		mov	cl, [edi+21B8h]
		and	eax, 8
		or	cl, 8
		or	eax, 0
		mov	[edi+21B8h], cl
		jnz	short loc_4DE270
		or	cl, 2
		mov	[edi+21B8h], cl

loc_4DE270:				; CODE XREF: KiUpdateSpeculationControl(x)+2B5j
		mov	eax, edx
		and	eax, 2
		or	eax, 0
		jz	short loc_4DE2A0
		mov	eax, edx
		and	eax, 40h
		or	eax, 0
		jz	short loc_4DE28E
		or	word ptr [esi+21BCh], 2
		jmp	short loc_4DE2A0
; 

loc_4DE28E:				; CODE XREF: KiUpdateSpeculationControl(x)+2D2j
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jz	short loc_4DE2A0
		or	word ptr [esi+21BCh], 1

loc_4DE2A0:				; CODE XREF: KiUpdateSpeculationControl(x)+254j
					; KiUpdateSpeculationControl(x)+261j ...
		test	byte ptr [edi+21B9h], 18h
		mov	ecx, [esp+50h+var_14]
		jz	short loc_4DE2B4
		or	byte ptr [edi+21B8h], 80h

loc_4DE2B4:				; CODE XREF: KiUpdateSpeculationControl(x)+1CCj
					; KiUpdateSpeculationControl(x)+2FBj
		mov	eax, [esp+50h+var_3C]
		or	eax, [esp+50h+var_38]
		jz	short loc_4DE2D5
		and	ecx, 80h
		xor	eax, eax
		or	eax, ecx
		jz	short loc_4DE2D5
		or	word ptr [esi+21BCh], 4
		or	ebx, 4

loc_4DE2D5:				; CODE XREF: KiUpdateSpeculationControl(x)+1E4j
					; KiUpdateSpeculationControl(x)+1FCj ...
		mov	esi, [esp+50h+var_40]
		mov	eax, edx
		and	eax, 42h
		cmp	eax, 42h
		jnz	short loc_4DE308
		mov	ecx, [esp+50h+var_14]
		xor	eax, eax
		and	ecx, 1
		or	eax, ecx
		jnz	short loc_4DE2FC
		test	dword ptr [esi+490h], 40000000h
		jz	short loc_4DE308

loc_4DE2FC:				; CODE XREF: KiUpdateSpeculationControl(x)+33Ej
		mov	ecx, edi
		or	word ptr [ecx+21C0h], 2
		jmp	short loc_4DE30A
; 

loc_4DE308:				; CODE XREF: KiUpdateSpeculationControl(x)+331j
					; KiUpdateSpeculationControl(x)+34Aj
		mov	ecx, edi

loc_4DE30A:				; CODE XREF: KiUpdateSpeculationControl(x)+356j
		xor	eax, eax
		or	eax, [esp+50h+var_28]
		jz	short loc_4DE31A
		or	word ptr [ecx+21C0h], 2

loc_4DE31A:				; CODE XREF: KiUpdateSpeculationControl(x)+360j
		mov	eax, [esp+50h+var_14]
		and	eax, 80h
		mov	[esp+50h+var_40], eax
		xor	eax, eax
		or	eax, [esp+50h+var_40]
		jz	short loc_4DE343
		test	dword ptr [esi+494h], 2000h
		jz	short loc_4DE343
		or	word ptr [ecx+21C0h], 4

loc_4DE343:				; CODE XREF: KiUpdateSpeculationControl(x)+37Dj
					; KiUpdateSpeculationControl(x)+389j
		xor	eax, eax
		or	eax, [esp+50h+var_34]
		jz	short loc_4DE357
		mov	eax, 400h
		or	[ecx+21C0h], ax

loc_4DE357:				; CODE XREF: KiUpdateSpeculationControl(x)+399j
		mov	ecx, [esp+50h+var_24]
		mov	eax, ecx
		or	eax, [esp+50h+var_30]
		jz	loc_4DE3E8
		mov	eax, [esp+50h+var_30]
		cmp	ecx, [esp+50h+var_3C]
		jnz	short loc_4DE377
		cmp	eax, [esp+50h+var_38]
		jz	short loc_4DE3E8

loc_4DE377:				; CODE XREF: KiUpdateSpeculationControl(x)+3BFj
		cmp	ecx, [esi+4A8h]
		jnz	short loc_4DE387
		cmp	eax, [esi+4ACh]
		jz	short loc_4DE3E8

loc_4DE387:				; CODE XREF: KiUpdateSpeculationControl(x)+3CDj
		test	bl, 1
		jz	short loc_4DE3B4
		mov	eax, edx
		and	eax, 2
		or	eax, 0
		jnz	short loc_4DE39B
		and	ebx, 4
		jmp	short loc_4DE3AB
; 

loc_4DE39B:				; CODE XREF: KiUpdateSpeculationControl(x)+3E4j
		mov	eax, edx
		and	eax, 40h
		or	eax, 0
		jz	short loc_4DE3AB
		and	ebx, 4
		or	ebx, 2

loc_4DE3AB:				; CODE XREF: KiUpdateSpeculationControl(x)+3E9j
					; KiUpdateSpeculationControl(x)+3F3j
		test	bl, 1
		jnz	short loc_4DE3C6
		mov	cl, 1
		jmp	short loc_4DE3EC
; 

loc_4DE3B4:				; CODE XREF: KiUpdateSpeculationControl(x)+3DAj
		xor	eax, eax
		or	eax, [esp+50h+var_20]
		mov	eax, edx
		jnz	short loc_4DE3C8
		and	eax, 10h
		or	eax, 0
		jz	short loc_4DE3E8

loc_4DE3C6:				; CODE XREF: KiUpdateSpeculationControl(x)+3FEj
		mov	eax, edx

loc_4DE3C8:				; CODE XREF: KiUpdateSpeculationControl(x)+40Cj
		mov	cl, [edi+21B8h]
		and	eax, 8
		or	cl, 4
		or	eax, 0
		mov	[edi+21B8h], cl
		jnz	short loc_4DE3E8
		or	cl, 10h
		mov	[edi+21B8h], cl

loc_4DE3E8:				; CODE XREF: KiUpdateSpeculationControl(x)+3B1j
					; KiUpdateSpeculationControl(x)+3C5j ...
		mov	cl, [esp+50h+var_41]

loc_4DE3EC:				; CODE XREF: KiUpdateSpeculationControl(x)+402j
		mov	eax, [esp+50h+var_2C]
		or	eax, 0
		jz	short loc_4DE3FB
		or	ebx, 80h

loc_4DE3FB:				; CODE XREF: KiUpdateSpeculationControl(x)+443j
		xor	eax, eax
		or	eax, [esp+50h+var_28]
		jz	short loc_4DE406
		or	ebx, 2

loc_4DE406:				; CODE XREF: KiUpdateSpeculationControl(x)+451j
		xor	eax, eax
		or	eax, [esp+50h+var_34]
		jz	short loc_4DE414
		or	ebx, 400h

loc_4DE414:				; CODE XREF: KiUpdateSpeculationControl(x)+45Cj
		movzx	esi, bx
		test	cl, cl
		jz	short loc_4DE454
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		mov	eax, [esp+50h+var_18]
		and	eax, 8
		or	eax, edx
		jnz	short loc_4DE439
		call	_KiFlushCurrentRsb@0 ; KiFlushCurrentRsb()

loc_4DE439:				; CODE XREF: KiUpdateSpeculationControl(x)+482j
		and	byte ptr [edi+21B8h], 0EBh
		mov	dword ptr [edi+21B0h], 0
		mov	dword ptr [edi+21B4h], 0

loc_4DE454:				; CODE XREF: KiUpdateSpeculationControl(x)+469j
		cmp	bx, [edi+21BAh]
		jz	short loc_4DE46E
		mov	eax, esi
		mov	[edi+21BAh], bx
		cdq
		mov	ecx, 48h
		wrmsr

loc_4DE46E:				; CODE XREF: KiUpdateSpeculationControl(x)+4ABj
		sti

loc_4DE46F:				; CODE XREF: KiUpdateSpeculationControl(x)+5Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
@KiUpdateSpeculationControl@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1989. RtlCompressBuffer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCompressBuffer(x, x, x, x, x, x,	x, x)
		public _RtlCompressBuffer@32
_RtlCompressBuffer@32 proc near		; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC074p
					; EtwpCompressBuffer(x,x)+9Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, cl
		test	cl, cl
		jz	short loc_4DE4C3
		cmp	eax, 1
		jz	short loc_4DE4C3
		cmp	eax, 4
		ja	short loc_4DE4BC
		push	[ebp+arg_1C]
		and	ecx, 0FF00h
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	ecx
		call	ds:_RtlCompressBufferProcs[eax*4]

loc_4DE4B8:				; CODE XREF: RtlCompressBuffer(x,x,x,x,x,x,x,x)+45j
					; RtlCompressBuffer(x,x,x,x,x,x,x,x)+4Cj
		pop	ebp
		retn	20h
; 

loc_4DE4BC:				; CODE XREF: RtlCompressBuffer(x,x,x,x,x,x,x,x)+17j
		mov	eax, 0C000025Fh
		jmp	short loc_4DE4B8
; 

loc_4DE4C3:				; CODE XREF: RtlCompressBuffer(x,x,x,x,x,x,x,x)+Dj
					; RtlCompressBuffer(x,x,x,x,x,x,x,x)+12j
		mov	eax, 0C000000Dh
		jmp	short loc_4DE4B8
_RtlCompressBuffer@32 endp

; 
		align 10h
; Exported entry 2388. RtlUnsignedMultiplyHigh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUnsignedMultiplyHigh(x, x, x, x)
		public _RtlUnsignedMultiplyHigh@16
_RtlUnsignedMultiplyHigh@16 proc near	; CODE XREF: HvlGetReferenceTimeUsingTscPage(x)+5Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, [ebp+arg_8]
		mul	[ebp+arg_4]
		push	ebx
		mov	ebx, eax
		mov	[ebp+var_8], edx
		mov	eax, [ebp+arg_0]
		mul	[ebp+arg_C]
		push	esi
		mov	esi, eax
		mov	[ebp+var_4], edx
		mov	eax, [ebp+arg_0]
		mul	[ebp+arg_8]
		mov	eax, [ebp+arg_C]
		push	edi
		xor	edi, edi
		add	edx, esi
		adc	edi, edi
		add	edx, ebx
		adc	edi, 0
		xor	ecx, ecx
		mul	[ebp+arg_4]
		add	eax, edi
		pop	edi
		adc	edx, ecx
		add	eax, [ebp+var_4]
		pop	esi
		adc	edx, ecx
		add	eax, [ebp+var_8]
		pop	ebx
		adc	edx, ecx
		mov	esp, ebp
		pop	ebp
		retn	10h
_RtlUnsignedMultiplyHigh@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiCallInterruptServiceRoutine proc near	; CODE XREF: KiChainedDispatch()+92p
					; KiInterruptDispatch()+50p ...

var_30		= dword	ptr -30h
var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CB755 SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		push	edi
		mov	[esp+30h+var_21], bl
		mov	[esp+30h+var_14], esi
		mov	eax, [esi+2Ch]
		cmp	eax, 0CFh
		jbe	loc_4DE770

loc_4DE558:				; CODE XREF: KiCallInterruptServiceRoutine+243j
					; KiCallInterruptServiceRoutine+250j ...
		cmp	byte ptr [esi+31h], 0
		jz	loc_5CB770
		mov	eax, [esi+0C8h]
		test	eax, eax
		jnz	loc_4DE7EA

loc_4DE570:				; CODE XREF: KiCallInterruptServiceRoutine+2BEj
					; KiCallInterruptServiceRoutine+2D4j
		mov	eax, large fs:20h
		lea	edi, [esi+68h]
		mov	[esp+30h+var_1C], eax
		mov	ecx, [eax+21DCh]
		mov	byte ptr [esi+98h], 1
		mov	[eax+21DCh], edi
		mov	[esp+30h+var_10], ecx
		rdtsc
		mov	[esp+30h+var_C], eax
		mov	ecx, edx
		mov	[esp+30h+var_8], ecx
		mov	[esi+70h], eax
		mov	[esi+74h], ecx
		test	bl, bl
		jnz	loc_4DE7AB

loc_4DE5AE:				; CODE XREF: KiCallInterruptServiceRoutine+290j
					; KiCallInterruptServiceRoutine+29Bj ...
		mov	eax, [esi+0Ch]
		mov	ecx, [esi+18h]
		cmp	eax, offset KiIpiServiceRoutine
		jnz	loc_4DE765
		mov	edx, large fs:20h
		xor	ebx, ebx
		mov	ecx, [esi+54h]
		mov	[esp+30h+var_18], ecx
		mov	[esp+30h+var_20], edx
		lea	eax, [edx+21A0h]
		xchg	ebx, [eax]
		test	bl, 4
		jnz	loc_5CB78B

loc_4DE5E4:				; CODE XREF: KiCallInterruptServiceRoutine+ED266j
		test	bl, 10h
		jnz	loc_4DE86E

loc_4DE5ED:				; CODE XREF: KiCallInterruptServiceRoutine+378j
		cmp	dword ptr [edx+4920h], 0
		lea	ecx, [edx+4920h]
		jnz	loc_4DE6A6

loc_4DE600:				; CODE XREF: KiCallInterruptServiceRoutine+180j
					; KiCallInterruptServiceRoutine+1CFj
		test	bl, 1
		jnz	loc_4DE85A

loc_4DE609:				; CODE XREF: KiCallInterruptServiceRoutine+332j
		test	bl, 2
		jz	short loc_4DE616
		mov	cl, 2
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)

loc_4DE616:				; CODE XREF: KiCallInterruptServiceRoutine+DCj
		mov	bl, 1

loc_4DE618:				; CODE XREF: KiCallInterruptServiceRoutine+23Bj
		cmp	[esp+30h+var_21], 0
		jnz	loc_4DE7D0

loc_4DE623:				; CODE XREF: KiCallInterruptServiceRoutine+2B5j
					; KiCallInterruptServiceRoutine+ED275j
		rdtsc
		mov	ecx, eax
		mov	[esp+30h+var_18], eax
		mov	eax, [esp+30h+var_1C]
		sub	ecx, [esi+70h]
		mov	[esp+30h+var_20], edx
		sbb	edx, [esi+74h]
		mov	edi, [eax+3BDCh]
		cmp	edi, [esi+0A0h]
		jnz	loc_4DE704

loc_4DE64B:				; CODE XREF: KiCallInterruptServiceRoutine+230j
		add	[esi+68h], ecx
		adc	[esi+6Ch], edx
		add	[esi+0A8h], ecx
		mov	ecx, [esp+30h+var_10]
		adc	[esi+0ACh], edx
		cmp	ecx, 1
		jnz	loc_4DE82E

loc_4DE66A:				; CODE XREF: KiCallInterruptServiceRoutine+31Aj
					; KiCallInterruptServiceRoutine+325j
		mov	[eax+21DCh], ecx
		mov	byte ptr [esi+98h], 0
		test	bl, bl
		jz	loc_4DE867
		add	dword ptr [esi+78h], 1
		adc	dword ptr [esi+7Ch], 0
		add	dword ptr [esi+0B0h], 1
		adc	dword ptr [esi+0B4h], 0

loc_4DE695:				; CODE XREF: KiCallInterruptServiceRoutine+ED24Cj
		test	bl, bl
		jz	loc_4DE867
		mov	al, 1

loc_4DE69F:				; CODE XREF: KiCallInterruptServiceRoutine+339j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4DE6A6:				; CODE XREF: KiCallInterruptServiceRoutine+CAj
		xor	eax, eax
		xchg	eax, [ecx]
		mov	[esp+30h+var_18], eax
		test	eax, eax
		jz	loc_4DE600
		mov	edi, [esp+30h+var_20]
		mov	esi, eax
		lea	esp, [esp+0]

loc_4DE6C0:				; CODE XREF: KiCallInterruptServiceRoutine+1BDj
					; KiCallInterruptServiceRoutine+1C9j
		mov	edx, esi
		mov	ecx, esi
		mov	esi, [esi]
		sub	edx, edi
		sub	edx, 5EE0h
		sar	edx, 5
		mov	edx, ds:_KiProcessorBlock[edx*4]
		call	KiIpiProcessRequest
		mov	eax, [edi+4DCh]
		test	eax, eax
		jnz	loc_4DE8B5

loc_4DE6EB:				; CODE XREF: KiCallInterruptServiceRoutine+389j
		test	esi, esi
		jnz	short loc_4DE6C0
		lea	eax, [edi+4920h]
		xchg	esi, [eax]
		test	esi, esi
		jnz	short loc_4DE6C0
		mov	esi, [esp+30h+var_14]
		jmp	loc_4DE600
; 

loc_4DE704:				; CODE XREF: KiCallInterruptServiceRoutine+115j
		mov	eax, edi
		mov	dword ptr [esi+0A8h], 0
		mov	[esi+0A0h], eax
		mov	eax, [esp+30h+var_1C]
		mov	dword ptr [esi+0ACh], 0
		mov	dword ptr [esi+0B0h], 0
		mov	dword ptr [esi+0B4h], 0
		mov	dword ptr [esi+0B8h], 0
		mov	dword ptr [esi+0BCh], 0
		mov	dword ptr [esi+0C0h], 0
		mov	dword ptr [esi+0C4h], 0
		jmp	loc_4DE64B
; 

loc_4DE765:				; CODE XREF: KiCallInterruptServiceRoutine+89j
		push	ecx
		push	esi
		call	eax
		mov	bl, al
		jmp	loc_4DE618
; 

loc_4DE770:				; CODE XREF: KiCallInterruptServiceRoutine+22j
		cmp	eax, 30h
		jb	loc_4DE558
		cmp	ds:_KiForceIdleDisabled, 0
		jnz	loc_4DE558
		mov	eax, _KiForceIdleState
		cmp	eax, 4
		jz	loc_5CB755
		cmp	eax, 2
		jz	loc_5CB766
		cmp	eax, 1
		jnz	loc_4DE558
		jmp	loc_5CB766
; 

loc_4DE7AB:				; CODE XREF: KiCallInterruptServiceRoutine+78j
		test	ds:byte_70EFC6,	21h
		mov	ecx, [esi+24h]
		jnz	loc_5CB781
		lock bts dword ptr [ecx], 0
		jnb	loc_4DE5AE
		call	KxWaitForSpinLockAndAcquire
		jmp	loc_4DE5AE
; 

loc_4DE7D0:				; CODE XREF: KiCallInterruptServiceRoutine+EDj
		test	ds:byte_70EFC6,	1
		mov	eax, [esi+24h]
		jnz	loc_5CB79B
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	loc_4DE623
; 

loc_4DE7EA:				; CODE XREF: KiCallInterruptServiceRoutine+3Aj
		cmp	byte ptr [eax+0Ch], 0
		jz	loc_4DE570
		movzx	ecx, large byte	ptr fs:51h
		mov	edx, [eax]
		mov	eax, edx
		shr	eax, cl
		test	al, 1
		jnz	loc_4DE570
		mov	[esp+30h+var_4], 0
		test	edx, edx
		jz	loc_4DE8AD
		bsf	ecx, edx

loc_4DE81D:				; CODE XREF: KiCallInterruptServiceRoutine+380j
		mov	edx, [esi+2Ch]
		call	KiIntRedirectQueueRequestOnProcessor
		pop	edi
		pop	esi
		mov	al, 2
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4DE82E:				; CODE XREF: KiCallInterruptServiceRoutine+134j
		mov	edx, [esp+30h+var_18]
		sub	edx, [esp+30h+var_C]
		mov	edi, [esp+30h+var_20]
		sbb	edi, [esp+30h+var_8]
		cmp	byte ptr [ecx+30h], 0
		jz	short loc_4DE84F
		add	[ecx+8], edx
		adc	[ecx+0Ch], edi
		jmp	loc_4DE66A
; 

loc_4DE84F:				; CODE XREF: KiCallInterruptServiceRoutine+312j
		add	[ecx+20h], edx
		adc	[ecx+24h], edi
		jmp	loc_4DE66A
; 

loc_4DE85A:				; CODE XREF: KiCallInterruptServiceRoutine+D3j
		mov	cl, 1
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		jmp	loc_4DE609
; 

loc_4DE867:				; CODE XREF: KiCallInterruptServiceRoutine+149j
					; KiCallInterruptServiceRoutine+167j
		xor	al, al
		jmp	loc_4DE69F
; 

loc_4DE86E:				; CODE XREF: KiCallInterruptServiceRoutine+B7j
		mov	ecx, _KiSynchPacket
		mov	eax, [esp+30h+var_18]
		and	ecx, 0FFFFFFFEh
		mov	[edx+2128h], eax
		mov	eax, [ecx+2168h]
		push	eax
		mov	eax, [ecx+2164h]
		push	eax
		mov	eax, [ecx+2160h]
		push	eax
		mov	eax, _KiSynchPacket
		push	eax
		mov	eax, [ecx+2170h]
		call	eax
		mov	edx, [esp+40h+var_30]
		jmp	loc_4DE5ED
; 

loc_4DE8AD:				; CODE XREF: KiCallInterruptServiceRoutine+2E4j
		or	ecx, 0FFFFFFFFh
		jmp	loc_4DE81D
; 

loc_4DE8B5:				; CODE XREF: KiCallInterruptServiceRoutine+1B5j
		lock dec dword ptr [eax+20h]
		jmp	loc_4DE6EB
KiCallInterruptServiceRoutine endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInterruptMessageDispatch(x, x)
_KiInterruptMessageDispatch@8 proc near	; DATA XREF: KeInitializeInterruptEx+96o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+14h]
		push	[ebp+arg_4]
		push	eax
		call	dword ptr [eax+10h]
		pop	ebp
		retn	8
_KiInterruptMessageDispatch@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIntRedirectQueueRequestOnProcessor proc near
					; CODE XREF: KiCallInterruptServiceRoutine+2F0p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CB7AA SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_C], 0
		xor	eax, eax
		inc	eax
		push	esi
		mov	word ptr [ebp+var_10], ax
		mov	esi, ecx
		mov	word ptr [ebp+var_10+2], ax
		xor	eax, eax
		bts	eax, esi
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_10]
		push	edx
		push	eax
		push	0
		call	ds:__imp__HalRequestIpiSpecifyVector@12	; HalRequestIpiSpecifyVector(x,x,x)
		test	eax, eax
		js	loc_5CB7AA
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
KiIntRedirectQueueRequestOnProcessor endp

; 
		align 10h
; Exported entry 156. KiEndThreadAccountingPeriod

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KiEndThreadAccountingPeriod
KiEndThreadAccountingPeriod proc near	; CODE XREF: V86_kira_a+6C6p
					; KiDispatchInterrupt(x)+151p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A80A5 SIZE 000000E0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	[ebp+var_C], edi
		mov	[ebp+var_24], ebx
		mov	al, [edi+2]
		mov	[ebp+var_1], al
		test	al, 10h
		jnz	loc_5A80A5

loc_4DE953:				; CODE XREF: KiEndThreadAccountingPeriod+C97BAj
		test	al, 20h
		jz	short loc_4DE966
		mov	ecx, [edi+388h]
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jnz	short loc_4DE9D0

loc_4DE964:				; CODE XREF: KiEndThreadAccountingPeriod+17Bj
		and	al, 0DFh

loc_4DE966:				; CODE XREF: KiEndThreadAccountingPeriod+25j
		test	al, 40h
		jnz	loc_5A813E

loc_4DE96E:				; CODE XREF: KiEndThreadAccountingPeriod+C9810j
		test	al, 3Eh
		jnz	short loc_4DE97B

loc_4DE972:				; CODE XREF: KiEndThreadAccountingPeriod+99j
					; KiEndThreadAccountingPeriod+C9850j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4DE97B:				; CODE XREF: KiEndThreadAccountingPeriod+40j
		mov	edx, [edi+50h]
		test	edx, edx
		jnz	loc_4DEB47

loc_4DE986:				; CODE XREF: KiEndThreadAccountingPeriod+21Fj
					; KiEndThreadAccountingPeriod+23Dj
		test	byte ptr [edi+2], 8
		jz	short loc_4DE9B8
		mov	edx, [ebx+338h]
		mov	ecx, [edi+164h]
		mov	edx, [edx+84h]
		mov	eax, edx
		and	eax, ecx
		cmp	eax, edx
		jz	short loc_4DE9B8
		mov	eax, [ebp+arg_0]
		add	[ebx+3B70h], eax
		mov	eax, [ebp+arg_4]
		adc	[ebx+3B74h], eax

loc_4DE9B8:				; CODE XREF: KiEndThreadAccountingPeriod+5Aj
					; KiEndThreadAccountingPeriod+74j
		cmp	byte ptr [edi+61h], 0
		jnz	loc_5A8145

loc_4DE9C2:				; CODE XREF: KiEndThreadAccountingPeriod+C9830j
					; KiEndThreadAccountingPeriod+C9844j
		cmp	dword ptr [edi+0F4h], 0
		jz	short loc_4DE972
		jmp	loc_5A8179
; 

loc_4DE9D0:				; CODE XREF: KiEndThreadAccountingPeriod+32j
		mov	esi, [ebx+3EA0h]
		mov	eax, [ebx+3EA4h]
		test	esi, esi
		jz	loc_4DEBA1
		test	eax, eax
		jz	loc_4DEBA1
		cmp	byte ptr [eax+54h], 0
		jnz	loc_5A80EF
		mov	edx, [eax+38h]
		mov	eax, [esi+88h]
		cmp	edx, eax
		jb	short loc_4DEA05
		mov	edx, eax

loc_4DEA05:				; CODE XREF: KiEndThreadAccountingPeriod+D1j
					; KiEndThreadAccountingPeriod+276j ...
		cmp	edx, 4Bh
		jb	loc_4DEBAB
		mov	edx, 3

loc_4DEA13:				; CODE XREF: KiEndThreadAccountingPeriod+285j
		movzx	eax, byte ptr [ebx+3ED0h]
		mov	[ebp+var_18], eax
		mov	[ebp+var_8], edx
		lea	eax, [eax+edx*2]
		lea	edi, [ecx+eax*8]
		mov	ecx, [edi]
		add	ecx, [ebp+arg_0]
		mov	eax, [edi+4]
		adc	eax, [ebp+arg_4]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_1C], eax

loc_4DEA37:				; CODE XREF: KiEndThreadAccountingPeriod+120j
					; KiEndThreadAccountingPeriod+125j
		mov	esi, [edi]
		mov	eax, esi
		mov	edx, [edi+4]
		mov	[ebp+var_20], edx
		nop
		mov	ebx, ecx
		mov	ecx, [ebp+var_1C]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+var_10]
		cmp	eax, esi
		jnz	short loc_4DEA37
		cmp	edx, [ebp+var_20]
		jnz	short loc_4DEA37
		mov	edx, [ebp+var_14]
		mov	eax, _KiTimelineBitmapTime
		mov	esi, [edx+0C0h]
		cmp	eax, esi
		ja	loc_4DEB75
		sub	esi, eax
		cmp	esi, 20h
		jnb	short loc_4DEA83
		mov	eax, [edx+0C4h]
		bts	eax, esi
		mov	[edx+0C4h], eax

loc_4DEA83:				; CODE XREF: KiEndThreadAccountingPeriod+142j
					; KiEndThreadAccountingPeriod+265j
		cmp	ds:_KiEfficiencyClassSystem, 0
		mov	edi, [ebp+var_C]
		jnz	short loc_4DEA9C
		cmp	byte ptr [edi+244h], 2
		jz	loc_5A80F7

loc_4DEA9C:				; CODE XREF: KiEndThreadAccountingPeriod+15Dj
					; KiEndThreadAccountingPeriod+C9809j
		cmp	dword ptr [edi+36Ch], 0
		jnz	short loc_4DEAB0

loc_4DEAA5:				; CODE XREF: KiEndThreadAccountingPeriod+212j
		mov	al, [ebp+var_1]
		mov	ebx, [ebp+var_24]
		jmp	loc_4DE964
; 

loc_4DEAB0:				; CODE XREF: KiEndThreadAccountingPeriod+173j
		mov	ecx, [ebp+var_18]
		mov	eax, [ebp+var_8]
		add	ecx, 10h
		lea	eax, [ecx+eax*2]
		mov	ecx, [edx+eax*8]
		add	ecx, [ebp+arg_0]
		lea	edi, [edx+eax*8]
		mov	eax, [edi+4]
		adc	eax, [ebp+arg_4]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_20], eax

loc_4DEAD1:				; CODE XREF: KiEndThreadAccountingPeriod+1BAj
					; KiEndThreadAccountingPeriod+1BFj
		mov	esi, [edi]
		mov	eax, esi
		mov	edx, [edi+4]
		mov	[ebp+var_1C], edx
		nop
		mov	ebx, ecx
		mov	ecx, [ebp+var_20]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+var_14]
		cmp	eax, esi
		jnz	short loc_4DEAD1
		cmp	edx, [ebp+var_1C]
		jnz	short loc_4DEAD1
		mov	edi, [ebp+var_C]
		mov	edx, [ebp+var_18]
		mov	eax, [edi+36Ch]
		mov	edi, [ebp+arg_4]
		mov	ecx, [eax+388h]
		mov	eax, [ebp+var_8]
		add	eax, 4
		lea	eax, [edx+eax*2]
		lea	eax, [ecx+eax*8]
		mov	[ebp+var_8], eax

loc_4DEB15:				; CODE XREF: KiEndThreadAccountingPeriod+208j
					; KiEndThreadAccountingPeriod+20Dj
		mov	esi, [eax]
		mov	ebx, esi
		mov	edx, [eax+4]
		mov	ecx, edx
		add	ebx, [ebp+arg_0]
		mov	eax, esi
		mov	[ebp+var_20], edx
		adc	ecx, edi
		nop
		mov	edi, [ebp+var_8]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+arg_4]
		cmp	eax, esi
		mov	eax, [ebp+var_8]
		jnz	short loc_4DEB15
		cmp	edx, [ebp+var_20]
		jnz	short loc_4DEB15
		mov	edi, [ebp+var_C]
		jmp	loc_4DEAA5
; 

loc_4DEB47:				; CODE XREF: KiEndThreadAccountingPeriod+50j
		add	edx, [ebx+3B34h]
		test	edx, edx
		jz	loc_4DE986
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		jmp	short loc_4DEB60
; 
		align 10h

loc_4DEB60:				; CODE XREF: KiEndThreadAccountingPeriod+22Bj
					; KiEndThreadAccountingPeriod+243j
		add	[edx], ecx
		adc	[edx+4], eax
		mov	edx, [edx+0F4h]
		test	edx, edx
		jz	loc_4DE986
		jmp	short loc_4DEB60
; 

loc_4DEB75:				; CODE XREF: KiEndThreadAccountingPeriod+137j
		mov	ecx, eax
		sub	ecx, esi
		cmp	ecx, 20h
		jnb	short loc_4DEB9A
		mov	esi, [edx+0C4h]
		shl	esi, cl
		or	esi, 1

loc_4DEB89:				; CODE XREF: KiEndThreadAccountingPeriod+26Fj
		mov	[edx+0C0h], eax
		mov	[edx+0C4h], esi
		jmp	loc_4DEA83
; 

loc_4DEB9A:				; CODE XREF: KiEndThreadAccountingPeriod+24Cj
		mov	esi, 1
		jmp	short loc_4DEB89
; 

loc_4DEBA1:				; CODE XREF: KiEndThreadAccountingPeriod+AEj
					; KiEndThreadAccountingPeriod+B6j
		mov	edx, 64h
		jmp	loc_4DEA05
; 

loc_4DEBAB:				; CODE XREF: KiEndThreadAccountingPeriod+D8j
		mov	eax, 51EB851Fh
		mul	edx
		shr	edx, 3
		jmp	loc_4DEA13
KiEndThreadAccountingPeriod endp

; 
		align 10h
; Exported entry 152. KiAccumulateCycleStats

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KiAccumulateCycleStats
KiAccumulateCycleStats proc near

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A8185 SIZE 000000D9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_8], edi
		mov	ebx, [edi+388h]
		mov	[ebp+var_10], ebx
		test	ebx, ebx
		jz	loc_4DEC66
		call	_PoGetFrequencyBucket@4	; PoGetFrequencyBucket(x)
		movzx	ecx, byte ptr [esi+3ED0h]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_4], eax
		lea	ecx, [ecx+eax*2]
		lea	edi, [ebx+ecx*8]
		mov	ebx, [edi]
		add	ebx, [ebp+arg_0]
		mov	eax, [edi+4]
		adc	eax, [ebp+arg_4]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_18], eax

loc_4DEC0C:				; CODE XREF: KiAccumulateCycleStats+65j
					; KiAccumulateCycleStats+6Aj
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_1C], ecx
		nop
		mov	ecx, [ebp+var_18]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_C]
		cmp	eax, esi
		jnz	short loc_4DEC0C
		cmp	edx, [ebp+var_1C]
		jnz	short loc_4DEC0C
		mov	ebx, [ebp+var_10]
		mov	edx, _KiTimelineBitmapTime
		lea	ecx, [ebx+0C0h]
		call	_RtlTimelineBitmapUpdate@8 ; RtlTimelineBitmapUpdate(x,x)
		cmp	ds:_KiEfficiencyClassSystem, 0
		mov	edi, [ebp+var_8]
		jnz	short loc_4DEC59
		cmp	byte ptr [edi+244h], 2
		jz	loc_5A8185

loc_4DEC59:				; CODE XREF: KiAccumulateCycleStats+8Aj
					; KiAccumulateCycleStats+C9607j
		cmp	dword ptr [edi+36Ch], 0
		jnz	loc_5A81CC

loc_4DEC66:				; CODE XREF: KiAccumulateCycleStats+1Dj
					; KiAccumulateCycleStats+C9699j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
KiAccumulateCycleStats endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateSessionPdeMaster(x,	x, x)
_MiUpdateSessionPdeMaster@12 proc near	; CODE XREF: .text:004587E3p
					; MiInitializeSystemPageTable+2F7p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_MiVaToSessionPdeMaster@4 ; MiVaToSessionPdeMaster(x)
		push	[ebp+arg_4]
		mov	ecx, eax
		push	[ebp+arg_0]
		call	MI_INTERLOCKED_EXCHANGE_PTE
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	eax, [eax+18h]
		pop	ebp
		retn	8
_MiUpdateSessionPdeMaster@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MI_INTERLOCKED_EXCHANGE_PTE proc near	; CODE XREF: MiCopyOnWrite(x,x,x,x)+9E4p
					; MmUnmapViewInSystemCache+765p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx

loc_4DECA9:				; CODE XREF: MI_INTERLOCKED_EXCHANGE_PTE+25j
					; MI_INTERLOCKED_EXCHANGE_PTE+29j
		mov	eax, [esi]
		mov	edi, [esi+4]
		mov	edx, edi
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_4], eax
		nop
		mov	ebx, [ebp+arg_0]
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [ebp+var_4]
		cmp	eax, ebx
		jnz	short loc_4DECA9
		cmp	edx, edi
		jnz	short loc_4DECA9
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5CB7C1

loc_4DECD8:				; CODE XREF: KiIntRedirectQueueRequestOnProcessor+ECEF8j
		mov	edx, edi
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
MI_INTERLOCKED_EXCHANGE_PTE endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PoGetFrequencyBucket(x)
_PoGetFrequencyBucket@4	proc near	; CODE XREF: KiAccumulateCycleStats+23p
					; KiAccumulateProcessorCycleStats(x,x,x)+Dp
		xor	dl, dl
		call	_PpmPerfGetCurrentFrequency@8 ;	PpmPerfGetCurrentFrequency(x,x)
		cmp	eax, 4Bh
		jb	short loc_4DECF4
		push	3
		pop	eax
		retn
; 

loc_4DECF4:				; CODE XREF: PoGetFrequencyBucket(x)+Aj
		push	19h
		xor	edx, edx
		pop	ecx
		div	ecx
		retn
_PoGetFrequencyBucket@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCleanWorkingSet(x)
_MiCleanWorkingSet@4 proc near		; CODE XREF: MmCleanProcessAddressSpace+1D9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		lea	edi, [eax+240h]
		mov	[ebp+var_4], eax
		mov	al, [edi+60h]
		mov	esi, offset unk_6D3C40
		and	al, 7
		cmp	al, 2
		jz	short loc_4DED24
		lea	esi, [edi+80h]

loc_4DED24:				; CODE XREF: MiCleanWorkingSet(x)+20j
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		mov	bl, al
		mov	dl, [edi+63h]
		mov	ecx, edi
		mov	eax, [ebp+var_4]
		or	dl, 1
		mov	[edi+63h], dl
		add	dword ptr [eax+14Ch], 0FFFFFFFCh
		call	MiDrainSystemAccessLog
		mov	esi, [edi+3Ch]
		mov	dl, bl
		mov	ecx, edi
		call	MiUnlockWorkingSetExclusive
		pop	edi
		lea	eax, [esi-5]
		pop	esi
		pop	ebx
		leave
		retn
_MiCleanWorkingSet@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDrainSystemAccessLog proc near	; CODE XREF: MiCleanWorkingSet(x)+49p
					; MiCaptureAndResetWorkingSetAccessBits+105p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005CB7D1 SIZE 00000039 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_C], 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		lea	edi, [eax+80h]
		mov	al, [eax+60h]
		mov	ebx, offset unk_6D3C40
		and	al, 7
		mov	esi, ebx
		cmp	al, 2
		jz	short loc_4DED8A
		mov	esi, edi

loc_4DED8A:				; CODE XREF: MiDrainSystemAccessLog+28j
		cmp	dword ptr [esi+18h], 0
		jnz	short loc_4DED95

loc_4DED90:				; CODE XREF: MiDrainSystemAccessLog+BAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4DED95:				; CODE XREF: MiDrainSystemAccessLog+30j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_1], al
		mov	cl, [ecx+60h]
		and	cl, 7
		cmp	cl, 2
		jz	short loc_4DEDB0
		mov	ebx, edi

loc_4DEDB0:				; CODE XREF: MiDrainSystemAccessLog+4Ej
		xor	edi, edi
		lea	eax, [ebx+40h]
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], edi
		jnz	loc_5CB7D1
		lea	edx, [ebp+var_14]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_5CB7E0

loc_4DEDD5:				; CODE XREF: MiDrainSystemAccessLog+ECA7Dj
					; MiDrainSystemAccessLog+ECA8Aj
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_4DEDE4
		call	MiEmptyPageAccessLog
		mov	[esi+18h], edi

loc_4DEDE4:				; CODE XREF: MiDrainSystemAccessLog+7Cj
		test	ds:byte_70EFC6,	1
		jnz	loc_5CB7ED
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_4DEE1D
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jnz	loc_5CB7FD

loc_4DEE0F:				; CODE XREF: MiDrainSystemAccessLog+CBj
					; MiDrainSystemAccessLog+ECA9Aj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4DED90
; 

loc_4DEE1D:				; CODE XREF: MiDrainSystemAccessLog+98j
					; MiDrainSystemAccessLog+ECAA7j
		xor	ecx, ecx
		mov	[ebp+var_14], edi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4DEE0F
MiDrainSystemAccessLog endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiEmptyPageAccessLog proc near		; CODE XREF: MiDeleteVad(x,x,x)+654p
					; MiDrainSystemAccessLog+7Ep ...

var_54		= dword	ptr -54h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005CB80A SIZE 000000B0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_44], 3
		push	esi
		xor	esi, esi
		mov	[ebp+var_14], ebx
		push	edi
		mov	eax, [ebx+2Ch]
		mov	[ebp+var_20], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_24], eax
		cmp	eax, 1
		jbe	loc_4DF260
		test	dword ptr [eax+3A8h], 1000h
		jnz	loc_4DF260
		mov	eax, [eax+180h]
		test	eax, eax
		jz	loc_4DF260
		mov	eax, [eax+8]
		mov	[ebp+var_18], eax

loc_4DEE82:				; CODE XREF: MiEmptyPageAccessLog+437j
		xor	ecx, ecx
		xor	edx, edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], edx
		lea	esp, [esp+0]

loc_4DEE90:				; CODE XREF: MiEmptyPageAccessLog+3C6j
		mov	eax, [ebx]
		mov	edi, [ebx+20h]
		mov	[ebp+var_34], eax
		sub	edi, 8
		lea	eax, [ebx+38h]
		mov	[ebp+var_28], 0
		mov	[ebp+var_1C], 0
		cmp	edi, eax
		jb	short loc_4DEEEB

loc_4DEEB0:				; CODE XREF: MiEmptyPageAccessLog+B9j
		mov	eax, [edi]
		mov	ebx, eax
		mov	[ebp+var_38], eax
		and	ebx, 1FFh
		jnz	loc_4DEFCD
		mov	ecx, [edi+4]
		shl	ecx, 9
		xor	ecx, eax
		mov	eax, [edi+4]
		and	ecx, 200h
		shl	eax, 9
		xor	ecx, eax
		mov	[edi], ecx
		mov	ecx, [ebp+var_C]

loc_4DEEDE:				; CODE XREF: MiEmptyPageAccessLog+1A1j
					; MiEmptyPageAccessLog+1F9j
		mov	ebx, [ebp+var_14]
		sub	edi, 8
		lea	eax, [ebx+38h]
		cmp	edi, eax
		jnb	short loc_4DEEB0

loc_4DEEEB:				; CODE XREF: MiEmptyPageAccessLog+7Ej
		cmp	[ebp+var_24], 1
		jbe	short loc_4DEF3A
		mov	eax, [ebx+28h]
		mov	edi, [ebx+24h]
		sub	eax, 4
		add	edi, 4
		mov	[ebp+var_1C], eax
		cmp	edi, eax
		jbe	loc_4DF0EA

loc_4DEF08:				; CODE XREF: MiEmptyPageAccessLog+353j
		mov	edi, [ebp+var_24]
		add	edi, 0FFFFFFE8h
		mov	edx, [edi]
		test	edx, edx
		jz	loc_4DF299

loc_4DEF18:				; CODE XREF: MiEmptyPageAccessLog+463j
		lea	ecx, [edx+1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	loc_4DF28F
		push	746C6644h
		mov	edx, 1
		mov	ecx, edi
		call	ObpTraceObjectReferenceIfActive

loc_4DEF3A:				; CODE XREF: MiEmptyPageAccessLog+BFj
		lea	eax, [ebp+var_40]
		mov	[ebp+var_40], 0
		push	eax
		mov	[ebp+var_3C], 0
		call	KeQueryTickCount
		mov	eax, [ebp+var_40]
		mov	ecx, offset unk_6FB608
		mov	[ebx+18h], eax
		mov	eax, [ebp+var_3C]
		mov	[ebx+1Ch], eax
		mov	eax, dword_6FB628
		mov	[ebx+8], eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_4DF26C
		movzx	edi, word_6FB624
		cmp	edi, dword_6FB61C
		jnb	loc_4DF27A
		mov	edx, ebx
		mov	ecx, offset unk_6FB620
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		cmp	edi, 8
		jnb	loc_4DF1D3

loc_4DEF9F:				; CODE XREF: MiEmptyPageAccessLog+3AAj
					; MiEmptyPageAccessLog+3BEj
		mov	edi, 1

loc_4DEFA4:				; CODE XREF: MiEmptyPageAccessLog+45Aj
		mov	ecx, offset unk_6FB608
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		test	edi, edi
		jz	loc_4DF26C

loc_4DEFB6:				; CODE XREF: MiEmptyPageAccessLog+445j
		mov	eax, [ebp+var_34]
		mov	ebx, eax
		mov	[ebp+var_14], eax
		test	eax, eax
		jnz	loc_4DF1F3

loc_4DEFC6:				; CODE XREF: MiEmptyPageAccessLog+478j
					; MiEmptyPageAccessLog+ECA85j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4DEFCD:				; CODE XREF: MiEmptyPageAccessLog+8Dj
		cmp	[ebp+var_24], 1
		jbe	loc_4DEEDE
		mov	edx, [edi+4]
		mov	[ebp+var_8], edx
		cmp	bx, word ptr [ebp+var_1C]
		jnz	short loc_4DF02E
		mov	eax, edx
		shr	ecx, 0Ah
		sub	eax, [ebp+var_28]
		and	ecx, 1
		sar	eax, 3
		cdq
		shld	edx, eax, 0Ch
		mov	ecx, [ebp+ecx*4+var_48]
		shl	eax, 0Ch
		call	__allshl
		mov	ecx, [ebp+var_C]
		add	ecx, eax
		mov	eax, [ebp+var_10]
		adc	eax, edx
		mov	[ebp+var_10], eax

loc_4DF00F:				; CODE XREF: MiEmptyPageAccessLog+2B5j
		mov	edx, [ebp+var_8]
		mov	[edi+4], eax
		mov	eax, ecx
		xor	eax, [ebp+var_38]
		and	eax, 200h
		mov	[edi], ecx
		xor	[edi], eax
		mov	[ebp+var_C], ecx
		mov	[ebp+var_28], edx
		jmp	loc_4DEEDE
; 

loc_4DF02E:				; CODE XREF: MiEmptyPageAccessLog+1B1j
		mov	ecx, [ebp+var_14]
		mov	eax, ebx
		mov	[ebp+var_28], eax
		and	esi, 0FFFFFBFFh
		shl	eax, 2
		mov	ecx, [ecx+28h]
		sub	ecx, eax
		mov	eax, [ecx]
		mov	[ebp+var_C], eax
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		mov	ecx, [eax+1Ch]
		and	ecx, 20h
		mov	eax, ecx
		shl	eax, 5
		or	esi, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_20], esi
		test	ecx, ecx
		mov	esi, [eax+4]
		mov	ecx, esi
		mov	[ebp+var_1C], esi
		jz	loc_4DF188
		cmp	edx, ecx
		jb	loc_5CB80A
		mov	eax, [eax+1Ch]
		lea	eax, [ecx+eax*8]
		cmp	edx, eax
		mov	eax, [ebp+var_C]
		jnb	loc_5CB80A
		sub	edx, ecx
		sar	edx, 3
		xor	esi, esi

loc_4DF091:				; CODE XREF: MiEmptyPageAccessLog+ECA09j
		mov	eax, [eax+14h]
		xor	ecx, ecx
		shld	esi, edx, 0Ch
		shld	ecx, eax, 9
		shl	edx, 0Ch
		shl	eax, 9
		add	edx, eax
		adc	esi, ecx
		mov	[ebp+var_10], esi

loc_4DF0AB:				; CODE XREF: MiEmptyPageAccessLog+39Ej
		mov	esi, [ebp+var_20]
		mov	eax, edx
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		shr	ecx, 0Ah
		and	ecx, 1
		mov	ecx, [ebp+ecx*4+var_48]
		call	__allshl
		and	eax, 0FFFFFA00h
		mov	[ebp+var_10], edx
		mov	ecx, esi
		and	ecx, 400h
		or	eax, ecx
		mov	ecx, eax
		mov	[ebp+var_C], eax
		or	ecx, [ebp+var_28]
		mov	eax, ebx
		mov	[ebp+var_1C], eax
		mov	eax, edx
		jmp	loc_4DF00F
; 

loc_4DF0EA:				; CODE XREF: MiEmptyPageAccessLog+D2j
		mov	esi, [ebp+var_1C]
		lea	ecx, [ecx+0]

loc_4DF0F0:				; CODE XREF: MiEmptyPageAccessLog+347j
		mov	eax, [edi]
		mov	eax, [eax]
		mov	edx, [eax+20h]
		lea	ebx, [eax+20h]
		mov	[ebp+var_8], eax
		test	dl, 7
		jz	short loc_4DF116

loc_4DF102:				; CODE XREF: MiEmptyPageAccessLog+ECA12j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	loc_5CB83E

loc_4DF113:				; CODE XREF: MiEmptyPageAccessLog+ECA18j
		mov	eax, [ebp+var_8]

loc_4DF116:				; CODE XREF: MiEmptyPageAccessLog+2D0j
		mov	ebx, edx
		and	edx, 7
		and	ebx, 0FFFFFFF8h
		mov	[ebp+var_2C], ebx
		cmp	edx, 1
		jbe	loc_4DF1FB

loc_4DF12A:				; CODE XREF: MiEmptyPageAccessLog+42Bj
		test	ebx, ebx
		jz	loc_5CB866

loc_4DF132:				; CODE XREF: MiEmptyPageAccessLog+ECA70j
		mov	ecx, [ebp+var_8]
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_38], eax
		mov	ecx, [ecx+20h]
		mov	eax, ecx
		xor	eax, ebx
		cmp	eax, 7
		jnb	loc_4DF2D9
		jmp	short loc_4DF150
; 
		align 10h

loc_4DF150:				; CODE XREF: MiEmptyPageAccessLog+31Bj
					; MiEmptyPageAccessLog+4A3j
		mov	esi, [ebp+var_8]
		lea	edx, [ecx+1]
		mov	eax, ecx
		add	esi, 20h
		lock cmpxchg [esi], edx
		mov	ebx, [ebp+var_2C]
		mov	esi, [ebp+var_1C]
		cmp	eax, ecx
		jnz	loc_4DF2CC

loc_4DF16D:				; CODE XREF: MiEmptyPageAccessLog+4B4j
		mov	eax, [ebp+var_38]
		mov	[edi], eax
		add	edi, 4
		cmp	edi, esi
		jbe	loc_4DF0F0
		mov	esi, [ebp+var_20]
		mov	ebx, [ebp+var_14]
		jmp	loc_4DEF08
; 

loc_4DF188:				; CODE XREF: MiEmptyPageAccessLog+23Bj
		test	ecx, ecx
		jz	loc_4DF2B3
		mov	eax, edx
		sub	eax, ecx
		sar	eax, 3
		cdq
		mov	esi, eax
		mov	eax, edx
		shld	eax, esi, 0Ch
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_C]
		shl	esi, 0Ch

loc_4DF1A9:				; CODE XREF: MiEmptyPageAccessLog+488j
		mov	ax, [eax+10h]
		shr	ax, 6
		movzx	eax, ax
		cdq
		mov	ecx, eax
		xor	edx, edx
		mov	eax, [ebp+var_C]
		or	edx, [eax+14h]
		shld	ecx, edx, 0Ch
		shl	edx, 0Ch
		add	edx, esi
		adc	ecx, [ebp+var_1C]
		mov	[ebp+var_10], ecx
		jmp	loc_4DF0AB
; 

loc_4DF1D3:				; CODE XREF: MiEmptyPageAccessLog+169j
		cmp	dword_6FB610, 0
		jnz	loc_4DEF9F
		push	0
		push	0
		push	offset unk_6FB60C
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4DEF9F
; 

loc_4DF1F3:				; CODE XREF: MiEmptyPageAccessLog+190j
		mov	ecx, [ebp+var_C]
		jmp	loc_4DEE90
; 

loc_4DF1FB:				; CODE XREF: MiEmptyPageAccessLog+2F4j
		test	edx, edx
		jz	loc_5CB866
		push	ecx
		mov	edx, 7
		mov	ecx, ebx
		call	ObReferenceObjectExWithTag
		mov	edx, [ebp+var_8]
		mov	ecx, [edx+20h]
		mov	eax, ecx
		and	eax, 7
		mov	[ebp+var_28], ecx
		add	eax, 7
		cmp	eax, 7
		ja	loc_4DF2BD
		lea	ebx, [ebx+0]

loc_4DF230:				; CODE XREF: MiEmptyPageAccessLog+ECA2Bj
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	ebx, eax
		jnz	loc_4DF2BD
		mov	esi, [ebp+var_8]
		lea	edx, [ecx+7]
		mov	eax, ecx
		add	esi, 20h
		lock cmpxchg [esi], edx
		mov	esi, [ebp+var_1C]
		cmp	eax, [ebp+var_28]
		jnz	loc_5CB84D

loc_4DF258:				; CODE XREF: MiEmptyPageAccessLog+49Aj
		mov	eax, [ebp+var_8]
		jmp	loc_4DF12A
; 

loc_4DF260:				; CODE XREF: MiEmptyPageAccessLog+28j
					; MiEmptyPageAccessLog+38j ...
		mov	[ebp+var_18], 0FFFFFFFFh
		jmp	loc_4DEE82
; 

loc_4DF26C:				; CODE XREF: MiEmptyPageAccessLog+141j
					; MiEmptyPageAccessLog+180j
		mov	dl, 1
		mov	ecx, ebx
		call	_MmFreeAccessPfnBuffer@8 ; MmFreeAccessPfnBuffer(x,x)
		jmp	loc_4DEFB6
; 

loc_4DF27A:				; CODE XREF: MiEmptyPageAccessLog+154j
		mov	eax, 64h
		mov	ecx, offset unk_6D4480
		lock xadd [ecx], eax
		xor	edi, edi
		jmp	loc_4DEFA4
; 

loc_4DF28F:				; CODE XREF: MiEmptyPageAccessLog+F3j
		mov	edx, eax
		test	eax, eax
		jnz	loc_4DEF18

loc_4DF299:				; CODE XREF: MiEmptyPageAccessLog+E2j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_34]
		mov	eax, esi
		test	esi, esi
		jz	loc_4DEFC6
		jmp	loc_5CB8A5
; 

loc_4DF2B3:				; CODE XREF: MiEmptyPageAccessLog+35Aj
		xor	esi, esi
		mov	[ebp+var_1C], esi
		jmp	loc_4DF1A9
; 

loc_4DF2BD:				; CODE XREF: MiEmptyPageAccessLog+3F4j
					; MiEmptyPageAccessLog+407j ...
		push	ecx
		mov	edx, 7
		mov	ecx, ebx
		call	ObDereferenceObjectExWithTag
		jmp	short loc_4DF258
; 

loc_4DF2CC:				; CODE XREF: MiEmptyPageAccessLog+337j
		mov	ecx, eax
		xor	eax, ebx
		cmp	eax, 7
		jb	loc_4DF150

loc_4DF2D9:				; CODE XREF: MiEmptyPageAccessLog+315j
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_4DF16D
MiEmptyPageAccessLog endp

; 
		align 10h
; Exported entry 481. FsRtlAreNamesEqual

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlAreNamesEqual
RtlAreNamesEqual proc near

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005CB8BA SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		movzx	eax, word ptr [edx]
		mov	esi, eax
		mov	[ebp+var_1], 0
		push	edi
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], 0
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 0
		cmp	ax, [ecx]
		jnz	short loc_4DF378
		mov	ebx, eax
		shr	ebx, 1
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_4DF37C
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jz	loc_5CB8BA
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_4DF36D
		mov	eax, [ecx+4]
		mov	ecx, [edx+4]
		sub	ecx, eax
		mov	[ebp+arg_8], ecx

loc_4DF351:				; CODE XREF: RtlAreNamesEqual+7Bj
		movzx	ecx, word ptr [ecx+eax]
		movzx	edx, word ptr [eax]
		mov	cx, [edi+ecx*2]
		cmp	cx, [edi+edx*2]
		jnz	short loc_4DF378
		mov	ecx, [ebp+arg_8]
		inc	esi
		add	eax, 2
		cmp	esi, ebx
		jb	short loc_4DF351

loc_4DF36D:				; CODE XREF: RtlAreNamesEqual+54j
		mov	al, 1

loc_4DF36F:				; CODE XREF: RtlAreNamesEqual+8Aj
					; RtlAreNamesEqual+EC63Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4DF378:				; CODE XREF: RtlAreNamesEqual+39j
					; RtlAreNamesEqual+70j
		xor	al, al
		jmp	short loc_4DF36F
; 

loc_4DF37C:				; CODE XREF: RtlAreNamesEqual+43j
		mov	bl, [ebp+var_1]
		jmp	loc_5CB8FA
RtlAreNamesEqual endp

; 
		align 10h
; Exported entry 1331. KiIpiServiceRoutine

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KiIpiServiceRoutine
KiIpiServiceRoutine proc near		; DATA XREF: KiCallInterruptServiceRoutine+84o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CB930 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, large fs:20h
		xor	ebx, ebx
		push	edi
		mov	edi, [eax+54h]
		lea	eax, [esi+21A0h]
		xchg	ebx, [eax]
		test	bl, 4
		jnz	loc_5CB930

loc_4DF3BC:				; CODE XREF: KiIpiServiceRoutine+EC5A9j
		test	bl, 10h
		jnz	loc_4DF44D

loc_4DF3C5:				; CODE XREF: KiIpiServiceRoutine+EFj
		cmp	dword ptr [esi+4920h], 0
		lea	edi, [esi+4920h]
		jnz	short loc_4DF3F1

loc_4DF3D4:				; CODE XREF: KiIpiServiceRoutine+6Bj
					; KiIpiServiceRoutine+AFj
		test	bl, 1
		jnz	short loc_4DF443

loc_4DF3D9:				; CODE XREF: KiIpiServiceRoutine+BBj
		test	bl, 2
		jz	short loc_4DF3E6
		mov	cl, 2
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)

loc_4DF3E6:				; CODE XREF: KiIpiServiceRoutine+4Cj
		pop	edi
		pop	esi
		mov	al, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4DF3F1:				; CODE XREF: KiIpiServiceRoutine+42j
		xor	eax, eax
		xchg	eax, [edi]
		mov	[esp+10h+var_4], eax
		test	eax, eax
		jz	short loc_4DF3D4
		lea	ecx, [ecx+0]

loc_4DF400:				; CODE XREF: KiIpiServiceRoutine+B1j
		mov	edi, [esp+10h+var_4]

loc_4DF404:				; CODE XREF: KiIpiServiceRoutine+9Dj
		mov	edx, edi
		mov	ecx, edi
		mov	edi, [edi]
		sub	edx, esi
		sub	edx, 5EE0h
		sar	edx, 5
		mov	edx, ds:_KiProcessorBlock[edx*4]
		call	KiIpiProcessRequest
		mov	eax, [esi+4DCh]
		test	eax, eax
		jnz	short loc_4DF484

loc_4DF42B:				; CODE XREF: KiIpiServiceRoutine+F8j
		test	edi, edi
		jnz	short loc_4DF404
		xor	eax, eax
		lea	edi, [esi+4920h]
		xchg	eax, [edi]
		mov	[esp+10h+var_4], eax
		test	eax, eax
		jz	short loc_4DF3D4
		jmp	short loc_4DF400
; 

loc_4DF443:				; CODE XREF: KiIpiServiceRoutine+47j
		mov	cl, 1
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		jmp	short loc_4DF3D9
; 

loc_4DF44D:				; CODE XREF: KiIpiServiceRoutine+2Fj
		mov	ecx, _KiSynchPacket
		and	ecx, 0FFFFFFFEh
		mov	[esi+2128h], edi
		mov	eax, [ecx+2168h]
		push	eax
		mov	eax, [ecx+2164h]
		push	eax
		mov	eax, [ecx+2160h]
		push	eax
		mov	eax, _KiSynchPacket
		push	eax
		mov	eax, [ecx+2170h]
		call	eax
		jmp	loc_4DF3C5
; 

loc_4DF484:				; CODE XREF: KiIpiServiceRoutine+99j
		lock dec dword ptr [eax+20h]
		jmp	short loc_4DF42B
KiIpiServiceRoutine endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIpiProcessRequest proc near		; CODE XREF: KiCallInterruptServiceRoutine+1A8p
					; KiIpiServiceRoutine+8Cp ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A825E SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		test	ds:dword_70EFC8, 400000h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_28], eax
		mov	esi, ecx
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		jnz	loc_5A825E
		xor	bl, bl

loc_4DF4D5:				; CODE XREF: KiIpiProcessRequest+C8DDFj
		mov	eax, [esi+4]
		and	eax, 0Fh
		mov	[ebp+var_30], eax
		mov	eax, [esi+10h]
		push	eax
		mov	eax, [esi+0Ch]
		push	eax
		mov	eax, [esi+8]
		push	eax
		mov	eax, [esi+14h]
		push	edi
		call	eax
		mov	eax, [esi+14h]
		or	edx, 0FFFFFFFFh
		mov	ecx, [esi+18h]
		mov	[ebp+var_2C], eax
		mov	eax, edx
		lock xadd [ecx], eax
		jz	short loc_4DF51D

loc_4DF504:				; CODE XREF: KiIpiProcessRequest+96j
					; KiIpiProcessRequest+A2j
		test	bl, bl
		jnz	loc_5A8274

loc_4DF50C:				; CODE XREF: KiIpiProcessRequest+C8DF2j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4DF51D:				; CODE XREF: KiIpiProcessRequest+72j
		lock xadd [edi+21A4h], edx
		dec	edx
		jnz	short loc_4DF504
		mov	dword ptr [edi+2120h], 0
		jmp	short loc_4DF504
KiIpiProcessRequest endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiFlushTargetMultipleRangeTb(x, x, x, x)
_KiFlushTargetMultipleRangeTb@16 proc near ; DATA XREF:	KeFlushMultipleRangeTb+184o
					; MiTerminateWsleCluster+5FFo ...

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		push	esi
		push	edi
		mov	edx, [eax]
		mov	eax, [eax+4]
		lea	edi, [edx+eax*4]

loc_4DF552:				; CODE XREF: KiFlushTargetMultipleRangeTb(x,x,x,x)+38j
		mov	eax, [edx]
		mov	esi, 1000h
		mov	ecx, eax
		shr	ecx, 0Ah
		and	ecx, 3
		invlpg	byte ptr [eax]
		lea	ecx, [ecx+ecx*8]
		shl	esi, cl
		mov	ecx, eax
		and	ecx, 3FFh
		jnz	short loc_4DF580

loc_4DF573:				; CODE XREF: KiFlushTargetMultipleRangeTb(x,x,x,x)+4Bj
		add	edx, 4
		cmp	edx, edi
		jb	short loc_4DF552
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_4DF580:				; CODE XREF: KiFlushTargetMultipleRangeTb(x,x,x,x)+31j
					; KiFlushTargetMultipleRangeTb(x,x,x,x)+49j
		invlpg	byte ptr [eax+esi]
		add	eax, esi
		sub	ecx, 1
		jnz	short loc_4DF580
		jmp	short loc_4DF573
_KiFlushTargetMultipleRangeTb@16 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiFlushTargetEntireTb(x, x,	x, x)
_KiFlushTargetEntireTb@16 proc near	; DATA XREF: KxFlushEntireTb(x)+2Eo
		call	_KeFlushCurrentTb@0 ; KeFlushCurrentTb()
		retn	10h
_KiFlushTargetEntireTb@16 endp


;  S U B	R O U T	I N E 


; __stdcall KiFlushTargetProcessTb(x, x, x, x)
_KiFlushTargetProcessTb@16 proc	near	; DATA XREF: KxFlushNonGlobalTb+48o
		mov	eax, cr3
		mov	cr3, eax
		retn	10h
_KiFlushTargetProcessTb@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiFlushTargetSingleTb(x, x,	x, x)
_KiFlushTargetSingleTb@16 proc near	; DATA XREF: KxFlushSingleTb(x,x,x)+4Do

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		mov	eax, [eax]
		invlpg	byte ptr [eax]
		pop	ebp
		retn	10h
_KiFlushTargetSingleTb@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiFlushWriteBuffersTarget(x, x, x, x)
_KiFlushWriteBuffersTarget@16 proc near	; DATA XREF: KeFlushProcessWriteBuffers(x)+4Eo
					; KeQueryTotalCycleTimeThread+B85C4o

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		leave
		retn	10h
_KiFlushWriteBuffersTarget@16 endp


;  S U B	R O U T	I N E 


; __stdcall KiSynchronizeAddressPolicyTarget(x,	x, x, x)
_KiSynchronizeAddressPolicyTarget@16 proc near
					; DATA XREF: KeSynchronizeAddressPolicy(x)+ADo
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	byte ptr [eax+74h], 1
		jnz	short locret_4DF5EC
		mov	eax, large fs:500Ch
		test	al, 2
		jnz	short locret_4DF5EC
		xor	ecx, ecx
		inc	ecx
		call	_KiSetAddressPolicy@4 ;	KiSetAddressPolicy(x)

locret_4DF5EC:				; CODE XREF: KiSynchronizeAddressPolicyTarget(x,x,x,x)+10j
					; KiSynchronizeAddressPolicyTarget(x,x,x,x)+1Aj
		retn	10h
_KiSynchronizeAddressPolicyTarget@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpLfhIncrementDataSlot()
_RtlpLfhIncrementDataSlot@0 proc near	; CODE XREF: RtlpHpLfhSlotAllocate+DBp
					; RtlpHpLfhSlotAllocate+4E3p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	ax, [esi+3A2h]
		mov	word ptr [ebp+var_4], ax
		mov	cx, ax
		movzx	edx, byte ptr [ebp+var_4]
		shr	cx, 8
		mov	edi, edx
		cmp	dx, cx
		jz	short loc_4DF638
		lea	ecx, [edi+1]
		xor	ecx, [ebp+var_4]
		movzx	ecx, cl
		xor	ax, cx
		mov	[esi+3A2h], ax
		mov	ax, di
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4DF638:				; CODE XREF: RtlpLfhIncrementDataSlot()+2Aj
		mov	ecx, 1
		call	ExGenRandom
		movzx	edx, ax
		mov	ax, di
		pop	edi
		lea	ecx, [edx+1]
		shl	edx, 8
		movzx	ecx, cl
		or	ecx, edx
		mov	[esi+3A2h], cx
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_RtlpLfhIncrementDataSlot@0 endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry  78. ExTryAcquirePushLockSharedEx

;  S U B	R O U T	I N E 


		public ExTryAcquirePushLockSharedEx
ExTryAcquirePushLockSharedEx proc near

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A8287 SIZE 00000073 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, edx
		mov	edx, ecx
		mov	[ebp-8], edx
		push	esi
		push	edi
		test	eax, 0FFFFFFFCh
		jnz	loc_5A8287
		test	al, 2
		jnz	loc_4DF7DA
		mov	eax, edx
		mov	dword ptr [ebp-24h], 0
		and	eax, 7FFFFFFCh
		mov	[ebp-4], eax
		jz	loc_4DF7DA
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jnz	loc_4DF7A3
		mov	cl, [esi+1E4h]
		mov	dword ptr [ebp-0Ch], 0
		test	cl, cl
		jz	loc_5A8297

loc_4DF6F6:				; CODE XREF: ExTryAcquirePushLockSharedEx+C8C42j
		movzx	eax, cl
		bsf	ecx, eax
		btr	eax, ecx
		mov	[ebp-0Ch], ecx
		mov	[esi+1E4h], al
		lea	edi, [ecx+ecx*2]
		shl	edi, 4
		add	edi, [esi+1E8h]

loc_4DF714:				; CODE XREF: ExTryAcquirePushLockSharedEx+C8C53j
					; ExTryAcquirePushLockSharedEx+C8C63j
		test	edi, edi
		jz	loc_5A82D8
		mov	eax, dword_6D07D0
		mov	ecx, edx
		shr	ecx, 15h
		cmp	edx, eax
		mov	[ebp-20h], eax
		mov	eax, [ebp-4]
		jb	short loc_4DF73D
		cmp	byte ptr dword_6D3994[ecx], 1
		jz	loc_5A82E5

loc_4DF73D:				; CODE XREF: ExTryAcquirePushLockSharedEx+BEj
		cmp	edx, [ebp-20h]
		jb	short loc_4DF74F
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_5A82E5

loc_4DF74F:				; CODE XREF: ExTryAcquirePushLockSharedEx+D0j
		or	ecx, 0FFFFFFFFh

loc_4DF752:				; CODE XREF: ExTryAcquirePushLockSharedEx+C8C85j
		mov	[edi+14h], ecx
		nop
		mov	[edi+10h], eax

loc_4DF759:				; CODE XREF: ExTryAcquirePushLockSharedEx+13Dj
					; ExTryAcquirePushLockSharedEx+C8C70j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp-24h]
		push	eax
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4DF77E
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	short loc_4DF7D3

loc_4DF77E:				; CODE XREF: ExTryAcquirePushLockSharedEx+104j
					; ExTryAcquirePushLockSharedEx+168j
		mov	edx, [ebp-8]

loc_4DF781:				; CODE XREF: ExTryAcquirePushLockSharedEx+16Cj
		mov	ecx, 11h
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_4DF7AF

loc_4DF790:				; CODE XREF: ExTryAcquirePushLockSharedEx+148j
		test	edi, edi
		jz	short loc_4DF798
		or	byte ptr [edi+0Eh], 1

loc_4DF798:				; CODE XREF: ExTryAcquirePushLockSharedEx+122j
		mov	al, 1
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4DF7A3:				; CODE XREF: ExTryAcquirePushLockSharedEx+6Bj
		xor	edi, edi
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_4DF759
; 

loc_4DF7AF:				; CODE XREF: ExTryAcquirePushLockSharedEx+11Ej
		mov	ecx, edx
		call	@ExfTryAcquirePushLockShared@4 ; ExfTryAcquirePushLockShared(x)
		test	al, al
		jnz	short loc_4DF790
		test	edi, edi
		jz	short loc_4DF7C8
		mov	ecx, [ebp-8]
		mov	edx, edi
		call	KeAbPostReleaseEx

loc_4DF7C8:				; CODE XREF: ExTryAcquirePushLockSharedEx+14Cj
		pop	edi
		xor	al, al
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4DF7D3:				; CODE XREF: ExTryAcquirePushLockSharedEx+10Cj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_4DF77E
; 

loc_4DF7DA:				; CODE XREF: ExTryAcquirePushLockSharedEx+31j
					; ExTryAcquirePushLockSharedEx+48j
		xor	edi, edi
		jmp	short loc_4DF781
ExTryAcquirePushLockSharedEx endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry  98. ExfTryAcquirePushLockShared

;  S U B	R O U T	I N E 


; __fastcall ExfTryAcquirePushLockShared(x)
		public @ExfTryAcquirePushLockShared@4
@ExfTryAcquirePushLockShared@4 proc near ; CODE	XREF: .text:0047111Dp
					; PfLockSharedTryAcquire+135p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	bl, bl
		mov	edx, [esi]

loc_4DF7EE:				; CODE XREF: ExfTryAcquirePushLockShared(x)+41j
		mov	eax, edx
		shr	eax, 1
		and	eax, 1
		test	dl, 1
		jz	short loc_4DF806
		test	eax, eax
		jnz	short loc_4DF81E
		test	edx, 0FFFFFFF0h
		jbe	short loc_4DF81E

loc_4DF806:				; CODE XREF: ExfTryAcquirePushLockShared(x)+14j
		mov	ecx, edx
		or	ecx, 1
		test	eax, eax
		jnz	short loc_4DF812
		add	ecx, 10h

loc_4DF812:				; CODE XREF: ExfTryAcquirePushLockShared(x)+29j
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_4DF823
		mov	bl, 1

loc_4DF81E:				; CODE XREF: ExfTryAcquirePushLockShared(x)+18j
					; ExfTryAcquirePushLockShared(x)+20j
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_4DF823:				; CODE XREF: ExfTryAcquirePushLockShared(x)+36j
		mov	edx, eax
		jmp	short loc_4DF7EE
@ExfTryAcquirePushLockShared@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepMaximumAccessCheck proc near		; CODE XREF: SepAccessCheck+333p
					; SepAccessCheck+5B3p

var_50		= dword	ptr -50h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= byte ptr  28h
arg_24		= byte ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= byte ptr  34h

; FUNCTION CHUNK AT 005CB93E SIZE 00000299 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ecx
		mov	[ebp+var_40], edx
		mov	ecx, dword ptr [ebp+arg_20]
		push	ebx
		push	esi
		mov	edx, [eax+0B0h]
		and	edx, 2000h
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], 0
		mov	[ebp+var_18], edx
		mov	[ebp+var_28], 0FFFFFFFFh
		push	edi
		test	cl, cl
		jnz	loc_4DFCC4

loc_4DF86B:				; CODE XREF: SepMaximumAccessCheck+499j
					; SepMaximumAccessCheck+4C1j
		mov	eax, [ebp+arg_0]
		movzx	ebx, word ptr [eax+4]
		lea	edi, [eax+8]
		mov	[ebp+var_2C], ebx
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		cmp	[ebp+var_2C], ebx
		jbe	loc_4DFA3A
		mov	esi, [ebp+arg_C]
		lea	esp, [esp+0]

loc_4DF890:				; CODE XREF: SepMaximumAccessCheck+204j
		test	byte ptr [edi+1], 8
		jnz	loc_4DFA21
		mov	al, [edi]
		test	al, al
		jnz	loc_4DFC57
		test	edx, edx
		jz	loc_4DFB2B

loc_4DF8AC:				; CODE XREF: SepMaximumAccessCheck+2FDj
					; SepMaximumAccessCheck+33Aj ...
		mov	eax, dword ptr [ebp+arg_20]
		lea	ebx, [edi+8]
		movzx	eax, al
		neg	eax
		mov	[ebp+var_10], ebx
		sbb	eax, eax
		and	eax, 88h
		lea	esi, [eax+0CCh]
		add	esi, [ebp+var_8]
		cmp	[ebp+arg_2C], 0
		mov	[ebp+var_24], esi
		jnz	loc_5CB93E

loc_4DF8D7:				; CODE XREF: SepMaximumAccessCheck+EC110j
					; SepMaximumAccessCheck+EC12Aj
		cmp	[ebp+arg_C], 0
		jnz	loc_4DFC38

loc_4DF8E1:				; CODE XREF: SepMaximumAccessCheck+416j
					; SepMaximumAccessCheck+422j
		cmp	[ebp+arg_24], 0
		jnz	loc_4DFBDE

loc_4DF8EB:				; CODE XREF: SepMaximumAccessCheck+3BCj
		test	esi, esi
		jz	loc_4DFA1B
		test	ebx, ebx
		jz	loc_4DFA1B
		movzx	eax, byte ptr [ebx+1]
		mov	dl, 0
		mov	byte ptr [ebp+arg_0+3],	dl
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_20], eax
		movzx	eax, word ptr [ebx]
		mov	ecx, eax
		shr	eax, 8
		mov	[ebp+var_14], ecx
		movzx	ecx, byte ptr [ebx+eax*4+4]
		mov	eax, ecx
		and	ecx, 0Fh
		shr	eax, 4
		mov	eax, [esi+eax*4+48h]
		and	eax, [esi+ecx*4+8]
		mov	[ebp+var_1C], eax
		jz	loc_4DFA81
		jmp	short loc_4DF940
; 
		align 10h

loc_4DF940:				; CODE XREF: SepMaximumAccessCheck+107j
					; SepMaximumAccessCheck+24Bj
		mov	cl, al
		test	cl, cl
		jz	loc_4DFA6D
		mov	ebx, [esi+4]
		movzx	edx, dl
		mov	[ebp+var_38], ebx
		mov	[ebp+var_3C], edx
		jmp	short loc_4DF960
; 
		align 10h

loc_4DF960:				; CODE XREF: SepMaximumAccessCheck+126j
					; SepMaximumAccessCheck+22Ej
		movzx	ecx, cl
		mov	[ebp+var_30], ecx
		movzx	eax, ds:_SidHashByteToIndexLookupTable[ecx]
		mov	[ebp+var_34], eax
		add	eax, edx
		mov	edx, [ebx+eax*8]
		lea	ebx, [ebx+eax*8]
		mov	eax, [ebp+var_14]
		cmp	[edx], ax
		jnz	loc_4DFA50
		mov	esi, [ebp+var_20]
		mov	eax, [ebp+var_10]
		sub	esi, 4
		jb	short loc_4DF9A1
		nop

loc_4DF990:				; CODE XREF: SepMaximumAccessCheck+16Fj
		mov	ecx, [eax]
		cmp	ecx, [edx]
		jnz	short loc_4DF9A6
		add	eax, 4
		add	edx, 4
		sub	esi, 4
		jnb	short loc_4DF990

loc_4DF9A1:				; CODE XREF: SepMaximumAccessCheck+15Dj
		cmp	esi, 0FFFFFFFCh
		jz	short loc_4DF9E3

loc_4DF9A6:				; CODE XREF: SepMaximumAccessCheck+164j
		mov	cl, [eax]
		cmp	cl, [edx]
		jnz	loc_4DFE60
		cmp	esi, 0FFFFFFFDh
		jz	short loc_4DF9E3
		mov	cl, [eax+1]
		cmp	cl, [edx+1]
		jnz	loc_4DFE60
		cmp	esi, 0FFFFFFFEh
		jz	short loc_4DF9E3
		mov	cl, [eax+2]
		cmp	cl, [edx+2]
		jnz	loc_4DFE60
		cmp	esi, 0FFFFFFFFh
		jz	short loc_4DF9E3
		mov	al, [eax+3]
		cmp	al, [edx+3]
		jnz	loc_4DFE60

loc_4DF9E3:				; CODE XREF: SepMaximumAccessCheck+174j
					; SepMaximumAccessCheck+183j ...
		xor	eax, eax

loc_4DF9E5:				; CODE XREF: SepMaximumAccessCheck+635j
		test	eax, eax
		jnz	short loc_4DFA4D

loc_4DF9E9:				; CODE XREF: SepMaximumAccessCheck+3A9j
		cmp	[ebp+arg_20], 0
		jnz	short loc_4DF9FB
		mov	eax, [ebp+var_24]
		cmp	ebx, [eax+4]
		jz	loc_4DFBC7

loc_4DF9FB:				; CODE XREF: SepMaximumAccessCheck+1BDj
					; SepMaximumAccessCheck+3A1j
		test	byte ptr [ebx+4], 4
		jz	short loc_4DFA1B

loc_4DFA01:				; CODE XREF: SepMaximumAccessCheck+39Bj
					; SepMaximumAccessCheck+3C2j
		mov	ecx, [ebp+arg_10]
		cmp	ecx, 1
		jnz	loc_5CB95F
		mov	ecx, [ebp+arg_14]
		mov	eax, [ecx+20h]
		not	eax
		and	eax, [edi+4]
		or	[ecx+1Ch], eax

loc_4DFA1B:				; CODE XREF: SepMaximumAccessCheck+BDj
					; SepMaximumAccessCheck+C5j ...
		mov	ebx, [ebp+var_4]

loc_4DFA1E:				; CODE XREF: SepMaximumAccessCheck+520j
					; SepMaximumAccessCheck+EC1E0j	...
		mov	esi, [ebp+arg_C]

loc_4DFA21:				; CODE XREF: SepMaximumAccessCheck+64j
					; SepMaximumAccessCheck+46Fj ...
		movzx	eax, word ptr [edi+2]
		inc	ebx
		mov	ecx, dword ptr [ebp+arg_20]
		add	edi, eax
		mov	edx, [ebp+var_18]
		mov	[ebp+var_4], ebx
		cmp	ebx, [ebp+var_2C]
		jb	loc_4DF890

loc_4DFA3A:				; CODE XREF: SepMaximumAccessCheck+50j
		cmp	[ebp+arg_20], 0
		jnz	loc_4DFCF6

loc_4DFA44:				; CODE XREF: SepMaximumAccessCheck+4CBj
					; SepMaximumAccessCheck+4F0j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	30h
; 

loc_4DFA4D:				; CODE XREF: SepMaximumAccessCheck+1B7j
		mov	ecx, [ebp+var_30]

loc_4DFA50:				; CODE XREF: SepMaximumAccessCheck+14Ej
		mov	eax, [ebp+var_34]
		btc	ecx, eax
		mov	ebx, [ebp+var_38]
		mov	edx, [ebp+var_3C]
		test	cl, cl
		jnz	loc_4DF960
		mov	esi, [ebp+var_24]
		mov	eax, [ebp+var_1C]
		mov	dl, byte ptr [ebp+arg_0+3]

loc_4DFA6D:				; CODE XREF: SepMaximumAccessCheck+114j
		shr	eax, 8
		add	dl, 8
		mov	byte ptr [ebp+arg_0+3],	dl
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	loc_4DF940

loc_4DFA81:				; CODE XREF: SepMaximumAccessCheck+101j
		mov	eax, [esi]
		mov	[ebp+var_3C], eax
		cmp	eax, 20h
		jbe	short loc_4DFA1B
		mov	eax, [esi+4]
		mov	ebx, 20h
		mov	edx, [ebp+var_14]
		add	eax, 100h
		mov	[ebp+arg_0], eax
		mov	edi, edi

loc_4DFAA0:				; CODE XREF: SepMaximumAccessCheck+281j
		mov	ecx, [eax]
		cmp	[ecx], dx
		jz	short loc_4DFAB8

loc_4DFAA7:				; CODE XREF: SepMaximumAccessCheck+2F6j
		inc	ebx
		add	eax, 8
		mov	[ebp+arg_0], eax
		cmp	ebx, [ebp+var_3C]
		jb	short loc_4DFAA0
		jmp	loc_4DFA1B
; 

loc_4DFAB8:				; CODE XREF: SepMaximumAccessCheck+275j
		mov	esi, [ebp+var_20]
		mov	edx, [ebp+var_10]
		sub	esi, 4
		jb	short loc_4DFAD4

loc_4DFAC3:				; CODE XREF: SepMaximumAccessCheck+2A2j
		mov	eax, [edx]
		cmp	eax, [ecx]
		jnz	short loc_4DFAD9
		add	edx, 4
		add	ecx, 4
		sub	esi, 4
		jnb	short loc_4DFAC3

loc_4DFAD4:				; CODE XREF: SepMaximumAccessCheck+291j
		cmp	esi, 0FFFFFFFCh
		jz	short loc_4DFB16

loc_4DFAD9:				; CODE XREF: SepMaximumAccessCheck+297j
		mov	al, [edx]
		cmp	al, [ecx]
		jnz	loc_4DFE6A
		cmp	esi, 0FFFFFFFDh
		jz	short loc_4DFB16
		mov	al, [edx+1]
		cmp	al, [ecx+1]
		jnz	loc_4DFE6A
		cmp	esi, 0FFFFFFFEh
		jz	short loc_4DFB16
		mov	al, [edx+2]
		cmp	al, [ecx+2]
		jnz	loc_4DFE6A
		cmp	esi, 0FFFFFFFFh
		jz	short loc_4DFB16
		mov	al, [edx+3]
		cmp	al, [ecx+3]
		jnz	loc_4DFE6A

loc_4DFB16:				; CODE XREF: SepMaximumAccessCheck+2A7j
					; SepMaximumAccessCheck+2B6j ...
		xor	eax, eax

loc_4DFB18:				; CODE XREF: SepMaximumAccessCheck+63Fj
		test	eax, eax
		jz	loc_4DFBD6
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+var_14]
		jmp	loc_4DFAA7
; 

loc_4DFB2B:				; CODE XREF: SepMaximumAccessCheck+76j
		test	cl, cl
		jnz	loc_4DF8AC
		cmp	byte ptr [edi+9], 2
		lea	ebx, [edi+8]
		mov	esi, _SePackagePrefixSid
		jb	short loc_4DFB60
		mov	al, [ebx]
		cmp	al, [esi]
		jnz	short loc_4DFB60
		push	6		; Length
		lea	eax, [esi+2]
		push	eax		; Source2
		lea	eax, [ebx+2]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 6
		jz	loc_4DFBF7

loc_4DFB60:				; CODE XREF: SepMaximumAccessCheck+310j
					; SepMaximumAccessCheck+316j ...
		cmp	byte ptr [ebx+1], 2
		mov	esi, _SeCapabilityPrefixSid
		jb	loc_4DF8AC
		mov	al, [ebx]
		cmp	al, [esi]
		jnz	loc_4DF8AC
		push	6		; Length
		lea	eax, [esi+2]
		push	eax		; Source2
		lea	eax, [ebx+2]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 6
		jnz	loc_4DF8AC
		mov	eax, [ebx+8]
		cmp	eax, [esi+8]
		jnz	loc_4DF8AC

loc_4DFB9E:				; CODE XREF: SepMaximumAccessCheck+5C3j
		mov	eax, [ebp+arg_28]
		or	edx, 0FFFFFFFFh
		mov	ecx, [ebp+var_8]
		lea	esi, [eax+8]
		add	eax, 16h
		push	esi		; int
		push	eax		; int
		mov	eax, [edi+4]
		push	eax		; int
		push	ebx		; void *
		call	_SepMatchCapability@24 ; SepMatchCapability(x,x,x,x,x,x)
		mov	ecx, [ebp+arg_28]
		mov	eax, [esi]
		not	eax
		and	[ecx], eax
		jmp	loc_4DFA1B
; 

loc_4DFBC7:				; CODE XREF: SepMaximumAccessCheck+1C5j
		test	byte ptr [ebx+4], 10h
		jz	loc_4DFA01
		jmp	loc_4DF9FB
; 

loc_4DFBD6:				; CODE XREF: SepMaximumAccessCheck+2EAj
		mov	ebx, [ebp+arg_0]
		jmp	loc_4DF9E9
; 

loc_4DFBDE:				; CODE XREF: SepMaximumAccessCheck+B5j
		mov	eax, _SeOwnerRightsSid
		push	ebx
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	loc_4DF8EB
		jmp	loc_4DFA01
; 

loc_4DFBF7:				; CODE XREF: SepMaximumAccessCheck+32Aj
		mov	eax, [ebx+8]
		cmp	eax, [esi+8]
		jnz	loc_4DFB60

loc_4DFC03:				; CODE XREF: SepMaximumAccessCheck+5B4j
		mov	ecx, [ebp+arg_28]
		or	edx, 0FFFFFFFFh
		lea	eax, [ecx+18h]
		push	eax
		lea	eax, [ecx+10h]
		push	eax
		lea	eax, [ecx+14h]
		push	eax
		lea	esi, [ecx+4]
		push	esi
		lea	eax, [ecx+15h]
		mov	ecx, [ebp+var_8]
		push	eax
		mov	eax, [edi+4]
		push	eax
		push	ebx
		call	SepMatchPackage
		mov	ecx, [ebp+arg_28]
		mov	eax, [esi]
		not	eax
		and	[ecx], eax
		jmp	loc_4DFA1B
; 

loc_4DFC38:				; CODE XREF: SepMaximumAccessCheck+ABj
		mov	eax, _SePrincipalSelfSid
		push	ebx
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	loc_4DF8E1
		mov	ebx, [ebp+arg_C]
		mov	[ebp+var_10], ebx
		jmp	loc_4DF8E1
; 

loc_4DFC57:				; CODE XREF: SepMaximumAccessCheck+6Ej
		cmp	al, 5
		jz	loc_5CB979
		cmp	al, 4
		jz	loc_5CBA8E
		cmp	al, 1
		jnz	loc_4DFD28
		push	0		; char
		push	dword ptr [ebp+arg_24] ; char
		lea	eax, [edi+8]
		mov	edx, esi
		push	dword ptr [ebp+arg_20] ; char
		push	1		; char
		push	eax		; void *
		mov	eax, dword ptr [ebp+arg_20]
		movzx	ecx, al
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 88h
		add	ecx, 0CCh
		add	ecx, [ebp+var_8]
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_4DFA21
		mov	ecx, [ebp+arg_10]
		cmp	ecx, 1
		jnz	loc_5CBAD5
		mov	ecx, [ebp+arg_14]
		mov	eax, [ecx+1Ch]
		not	eax
		and	eax, [edi+4]
		or	[ecx+20h], eax
		jmp	loc_4DFA21
; 

loc_4DFCC4:				; CODE XREF: SepMaximumAccessCheck+35j
		mov	ebx, [ebp+arg_10]
		test	ebx, ebx
		jz	loc_4DF86B
		mov	ecx, [ebp+arg_14]
		mov	edx, ebx
		add	ecx, 1Ch

loc_4DFCD7:				; CODE XREF: SepMaximumAccessCheck+4B9j
		mov	eax, [ecx]
		lea	ecx, [ecx+2Ch]
		mov	[ecx-30h], eax
		mov	dword ptr [ecx-2Ch], 0
		sub	edx, 1
		jnz	short loc_4DFCD7
		mov	ecx, dword ptr [ebp+arg_20]
		mov	edx, [ebp+var_18]
		jmp	loc_4DF86B
; 

loc_4DFCF6:				; CODE XREF: SepMaximumAccessCheck+20Ej
		mov	ebx, [ebp+arg_10]
		test	ebx, ebx
		jz	loc_4DFA44
		mov	edx, [ebp+arg_1C]
		mov	ecx, [ebp+arg_14]
		not	edx
		add	ecx, 1Ch
		lea	esp, [esp+0]

loc_4DFD10:				; CODE XREF: SepMaximumAccessCheck+4F6j
		mov	eax, [ecx]
		lea	ecx, [ecx+2Ch]
		or	eax, edx
		and	eax, [ecx-30h]
		mov	[ecx-2Ch], eax
		sub	ebx, 1
		jz	loc_4DFA44
		jmp	short loc_4DFD10
; 

loc_4DFD28:				; CODE XREF: SepMaximumAccessCheck+439j
		cmp	al, 6
		jz	loc_5CBADE
		cmp	al, 9
		jnz	loc_4DFA21
		movzx	eax, byte ptr [edi+9]
		lea	esi, ds:8[eax*4]
		movzx	eax, word ptr [edi+2]
		mov	ecx, eax
		sub	eax, esi
		sub	eax, 8
		test	eax, eax
		jle	loc_4DFA1E
		cmp	[ebp+arg_4], 0
		mov	eax, ecx
		jnz	loc_4DFE3F

loc_4DFD62:				; CODE XREF: SepMaximumAccessCheck+617j
					; SepMaximumAccessCheck+62Bj
		movzx	eax, ax
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_8]
		mov	eax, [eax+27Ch]
		test	eax, eax
		jnz	loc_5CBBA5
		xor	ecx, ecx
		xor	edx, edx
		xor	ebx, ebx
		mov	[ebp+arg_0], ecx

loc_4DFD82:				; CODE XREF: SepMaximumAccessCheck+EC390j
		lea	eax, [ebp+var_28]
		push	eax
		push	dword ptr [ebp+arg_20]
		mov	eax, [ebp+var_3C]
		movzx	eax, ax
		push	0
		sub	eax, esi
		sub	eax, 8
		push	eax
		lea	eax, [edi+8]
		add	eax, esi
		push	eax
		mov	eax, [ebp+arg_8]
		push	ecx
		push	edx
		push	ebx
		mov	ebx, [ebp+var_8]
		mov	ecx, ebx
		push	[ebp+arg_0]
		mov	eax, [eax]
		push	eax
		mov	edx, [ebx+1DCh]
		call	AuthzBasepEvaluateAceCondition
		cmp	[ebp+var_28], 1
		jnz	loc_4DFA1B
		cmp	[ebp+var_18], 0
		mov	eax, dword ptr [ebp+arg_20]
		jnz	loc_5CBBC5
		test	al, al
		jnz	loc_5CBBCD
		lea	ebx, [edi+8]
		mov	ecx, ebx
		call	_SepIsPackageSid@4 ; SepIsPackageSid(x)
		test	al, al
		jnz	loc_4DFC03
		mov	ecx, ebx
		call	SepIsCapabilitySid
		test	al, al
		jnz	loc_4DFB9E
		mov	eax, dword ptr [ebp+arg_20]
		mov	ebx, [ebp+var_8]

loc_4DFDFF:				; CODE XREF: SepMaximumAccessCheck+EC397j
		mov	ecx, 0CCh

loc_4DFE04:				; CODE XREF: SepMaximumAccessCheck+EC3A2j
		push	dword ptr [ebp+arg_2C] ; char
		mov	esi, [ebp+arg_C]
		add	ecx, ebx
		push	dword ptr [ebp+arg_24] ; char
		mov	edx, esi
		push	eax		; char
		push	0		; char
		lea	eax, [edi+8]
		push	eax		; void *
		call	SepSidInTokenSidHash
		test	al, al
		jz	short loc_4DFE74
		mov	edx, [ebp+arg_10]
		push	1

loc_4DFE26:				; CODE XREF: SepMaximumAccessCheck+EC2A9j
		mov	eax, [edi+4]
		mov	ecx, [ebp+arg_14]
		push	eax
		push	[ebp+var_4]
		push	0
		call	AuthzBasepAddAccessTypeList
		mov	ebx, [ebp+var_4]
		jmp	loc_4DFA21
; 

loc_4DFE3F:				; CODE XREF: SepMaximumAccessCheck+52Cj
		mov	eax, ecx
		mov	ecx, [ebp+arg_8]
		cmp	dword ptr [ecx], 0
		jnz	loc_4DFD62
		mov	edx, ecx
		mov	ecx, [ebp+arg_4]
		call	AuthzBasepInitializeResourceClaimsFromSacl
		movzx	eax, word ptr [edi+2]
		jmp	loc_4DFD62
; 

loc_4DFE60:				; CODE XREF: SepMaximumAccessCheck+17Aj
					; SepMaximumAccessCheck+18Bj ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_4DF9E5
; 

loc_4DFE6A:				; CODE XREF: SepMaximumAccessCheck+2ADj
					; SepMaximumAccessCheck+2BEj ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_4DFB18
; 

loc_4DFE74:				; CODE XREF: SepMaximumAccessCheck+5EFj
					; SepMaximumAccessCheck+EC370j
		mov	ebx, [ebp+var_4]
		jmp	loc_4DFA21
SepMaximumAccessCheck endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepMatchPackage	proc near		; CODE XREF: SepMaximumAccessCheck+3F5p
					; SepNormalAccessCheck+7C4p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005CBBD7 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		mov	edx, [ebp+arg_0]
		cmp	dword ptr [edx+8], 2
		jnz	short loc_4DFE93
		cmp	byte ptr [edx+1], 2
		jz	short loc_4DFEC8

loc_4DFE93:				; CODE XREF: SepMatchPackage+Fj
		mov	eax, [ebp+arg_10]
		mov	byte ptr [eax],	1
		test	dword ptr [ecx+0B0h], 4000h
		jz	short loc_4DFEC3
		push	edx
		push	dword ptr [ecx+1E0h]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_4DFEC3

loc_4DFEB5:				; CODE XREF: SepMatchPackage+68j
		and	esi, [ebp+arg_4]

loc_4DFEB8:				; CODE XREF: SepMatchPackage+5Ej
		mov	eax, [ebp+arg_C]
		or	[eax], esi
		mov	eax, [ebp+arg_8]

loc_4DFEC0:				; CODE XREF: SepMatchPackage+EBD63j
		mov	byte ptr [eax],	1

loc_4DFEC3:				; CODE XREF: SepMatchPackage+27j
					; SepMatchPackage+37j ...
		pop	esi
		pop	ebp
		retn	1Ch
; 

loc_4DFEC8:				; CODE XREF: SepMatchPackage+15j
		mov	eax, [edx+0Ch]
		cmp	eax, 1
		jnz	short loc_4DFEE1
		and	esi, [ebp+arg_4]
		call	SepCanTokenMatchAllPackageSid
		test	al, al
		jnz	short loc_4DFEB8
		jmp	loc_5CBBD7
; 

loc_4DFEE1:				; CODE XREF: SepMatchPackage+52j
		cmp	eax, 2
		jz	short loc_4DFEB5
		jmp	short loc_4DFEC3
SepMatchPackage	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SepMatchCapability(void	*,int,int,int)
_SepMatchCapability@24 proc near	; CODE XREF: SepMaximumAccessCheck+384p
					; SepNormalAccessCheck+62Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	eax, eax
		mov	esi, edx
		push	eax		; char
		push	eax		; char
		push	1		; char
		push	eax		; char
		push	[ebp+arg_0]	; void *
		add	ecx, 1ECh
		xor	edx, edx
		call	SepSidInTokenSidHash
		test	al, al
		jz	short loc_4DFF19
		mov	eax, [ebp+arg_C]
		and	esi, [ebp+arg_4]
		or	[eax], esi
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	1

loc_4DFF19:				; CODE XREF: SepMatchCapability(x,x,x,x,x,x)+21j
		pop	esi
		pop	ebp
		retn	10h
_SepMatchCapability@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepInitializeResourceClaimsFromSacl proc	near ; CODE XREF: SepMaximumAccessCheck+622p
					; SepNormalAccessCheck+74Fp ...

var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CBBE4 SIZE 0000015B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 134h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_11C], ecx
		lea	edi, [ebp+var_134]
		mov	[ebp+var_128], edx
		stosd
		xor	esi, esi
		and	[ebp+var_118], esi
		push	74416553h
		push	18h
		stosd
		pop	ecx
		mov	[ebp+var_124], 2
		mov	[ebp+var_10C], 100h
		stosd
		lea	edi, [ebp+var_108]
		call	_AuthzBasepMemAlloc@12 ; AuthzBasepMemAlloc(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5CBBE4
		and	[ebx], esi
		lea	eax, [ebx+4]
		and	[ebx+0Ch], esi
		xor	ecx, ecx
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+10h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+var_11C]
		mov	[ebp+var_110], ecx
		lea	edx, [eax+8]
		mov	[ebp+var_114], edx
		cmp	cx, [eax+4]
		jnb	short loc_4E001E

loc_4DFFB8:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+E4j
		test	edi, edi
		jz	short loc_4DFFCA
		lea	eax, [ebp+var_108]
		cmp	edi, eax
		jnz	loc_5CBBEE

loc_4DFFCA:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+9Cj
					; AuthzBasepInitializeResourceClaimsFromSacl+EBCE4j
		mov	[ebp+var_10C], 100h
		lea	edi, [ebp+var_108]
		cmp	byte ptr [edx],	12h
		jz	loc_5CBC07

loc_4DFFE3:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+EBCEDj
					; AuthzBasepInitializeResourceClaimsFromSacl+EBDF1j
		movzx	eax, word ptr [edx+2]
		inc	ecx
		add	edx, eax
		mov	[ebp+var_110], ecx
		mov	eax, [ebp+var_11C]
		mov	[ebp+var_114], edx
		movzx	eax, word ptr [eax+4]

loc_4E0000:				; DATA XREF: .text:off_5A4D00o
		cmp	ecx, eax
		jb	short loc_4DFFB8

loc_4E0004:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+EBD71j
					; AuthzBasepInitializeResourceClaimsFromSacl+EBDB8j ...
		test	edi, edi
		jz	short loc_4E0016
		lea	eax, [ebp+var_108]
		cmp	edi, eax
		jnz	loc_5CBD1E

loc_4E0016:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+E8j
					; AuthzBasepInitializeResourceClaimsFromSacl+EBE08j
		test	esi, esi
		js	loc_5CBD2B

loc_4E001E:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+98j
		mov	eax, [ebp+var_128]
		mov	[eax], ebx

loc_4E0026:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+EBCCBj
					; AuthzBasepInitializeResourceClaimsFromSacl+EBE1Cj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
AuthzBasepInitializeResourceClaimsFromSacl endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepAddAccessTypeList proc near	; CODE XREF: SepMaximumAccessCheck+602p
					; SepNormalAccessCheck+732p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005CBD3F SIZE 0000014D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	[ebp+var_8], edx
		xor	edx, edx

loc_4E0049:				; DATA XREF: .text:005A456Co
					; .text:005A5674o
		mov	[ebp+var_C], ecx
		mov	[ebp+var_1], dl
		push	esi
		push	edi
		sub	eax, edx
		jnz	short loc_4E0099
		mov	esi, [ebp+arg_0]
		mov	edi, [ebp+arg_8]
		mov	eax, edi
		imul	ebx, esi, 2Ch
		not	eax
		add	ebx, ecx
		mov	ecx, [ebx+18h]
		and	eax, ecx
		mov	[ebx+18h], eax
		cmp	ecx, eax
		jz	short loc_4E0092
		push	edx

loc_4E0071:				; CODE XREF: AuthzBasepAddAccessTypeList+90j
		mov	edx, 10000h

loc_4E0076:				; CODE XREF: AuthzBasepAddAccessTypeList+EBD71j
		push	dword ptr [ebx+28h]
		and	ecx, edi
		push	[ebp+arg_4]
		call	AuthzBasepSetAccessReasons

loc_4E0083:				; CODE XREF: AuthzBasepAddAccessTypeList+EBD3Dj
		mov	al, [ebp+var_1]

loc_4E0086:				; CODE XREF: AuthzBasepAddAccessTypeList+94j
		mov	ecx, [ebp+var_8]
		cmp	ecx, 1
		jnz	loc_5CBDAE

loc_4E0092:				; CODE XREF: AuthzBasepAddAccessTypeList+36j
					; AuthzBasepAddAccessTypeList+EBD0Fj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_4E0099:				; CODE XREF: AuthzBasepAddAccessTypeList+1Bj
		sub	eax, 1
		jnz	loc_5CBD3F
		mov	esi, [ebp+arg_0]
		mov	edi, [ebp+arg_8]
		imul	ebx, esi, 2Ch
		add	ebx, ecx
		mov	edx, [ebx+20h]
		mov	ecx, [ebx+1Ch]
		not	edx
		mov	eax, edx
		and	eax, edi
		or	eax, ecx
		mov	[ebx+1Ch], eax
		cmp	ecx, eax
		jz	short loc_4E00CA
		not	ecx
		push	0
		and	ecx, edx
		jmp	short loc_4E0071
; 

loc_4E00CA:				; CODE XREF: AuthzBasepAddAccessTypeList+88j
					; AuthzBasepAddAccessTypeList+EBD2Cj ...
		mov	al, 1
		jmp	short loc_4E0086
AuthzBasepAddAccessTypeList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepSetAccessReasons proc	near	; CODE XREF: AuthzBasepAddAccessTypeList+46p
					; AuthzBasepAddAccessTypeList+EBE37p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005CBE8C SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		xor	edi, edi
		inc	edi
		test	esi, esi
		jnz	short loc_4E00E5

loc_4E00DF:				; CODE XREF: AuthzBasepSetAccessReasons+EBDDEj
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_4E00E5:				; CODE XREF: AuthzBasepSetAccessReasons+Fj
		push	ebx
		mov	bl, [ebp+arg_8]
		jmp	loc_5CBE8C
AuthzBasepSetAccessReasons endp


;  S U B	R O U T	I N E 


SepIsCapabilitySid proc	near		; CODE XREF: SepMaximumAccessCheck+5BCp
					; SepNormalAccessCheck+6D3p ...

; FUNCTION CHUNK AT 005CBEB1 SIZE 00000013 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, _SeCapabilityPrefixSid
		cmp	byte ptr [esi+1], 2
		jb	short loc_4E011E
		mov	al, [esi]
		cmp	al, [edi]
		jnz	short loc_4E011E
		push	6		; Length
		lea	eax, [edi+2]
		push	eax		; Source2
		lea	eax, [esi+2]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 6
		jz	loc_5CBEB1

loc_4E011E:				; CODE XREF: SepIsCapabilitySid+10j
					; SepIsCapabilitySid+16j ...
		xor	al, al

loc_4E0120:				; CODE XREF: SepIsCapabilitySid+EBDD1j
		pop	edi
		pop	esi
		retn
SepIsCapabilitySid endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SepIsPackageSid(x)
_SepIsPackageSid@4 proc	near		; CODE XREF: SepMaximumAccessCheck+5ADp
					; SepNormalAccessCheck+6C4p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, _SePackagePrefixSid
		cmp	byte ptr [esi+1], 2
		jb	short loc_4E0150
		mov	al, [esi]
		cmp	al, [edi]
		jnz	short loc_4E0150
		push	6		; Length
		lea	eax, [edi+2]
		push	eax		; Source2
		lea	eax, [esi+2]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 6
		jz	short loc_4E0155

loc_4E0150:				; CODE XREF: SepIsPackageSid(x)+10j
					; SepIsPackageSid(x)+16j ...
		xor	al, al

loc_4E0152:				; CODE XREF: SepIsPackageSid(x)+3Bj
		pop	edi
		pop	esi
		retn
; 

loc_4E0155:				; CODE XREF: SepIsPackageSid(x)+2Aj
		mov	eax, [esi+8]
		cmp	eax, [edi+8]
		jnz	short loc_4E0150
		mov	al, 1
		jmp	short loc_4E0152
_SepIsPackageSid@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTraceContextSwap proc near		; CODE XREF: KiSwapThread+B39p
					; _SwapContext_NoNpxLoad+DBp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CBEC4 SIZE 00000080 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		mov	eax, ecx
		mov	ebx, edx
		push	esi
		push	edi
		mov	[esp+18h+var_C], eax
		mov	edi, [eax+390h]
		cmp	edi, 0FFFFFFFDh
		jnz	loc_4E0229
		mov	eax, [eax+150h]
		mov	edi, [eax+3A0h]

loc_4E01A1:				; CODE XREF: EtwTraceContextSwap+C1j
					; EtwTraceContextSwap+EBD5Dj
		mov	esi, [ebx+390h]
		cmp	esi, 0FFFFFFFDh
		jnz	short loc_4E021F
		mov	esi, [ebx+150h]
		mov	esi, [esi+3A0h]

loc_4E01B8:				; CODE XREF: EtwTraceContextSwap+B7j
					; EtwTraceContextSwap+EBD74j
		test	edi, edi
		jnz	loc_5CBEF2
		mov	eax, offset _PspHostSiloGlobals

loc_4E01C5:				; CODE XREF: EtwTraceContextSwap+EBD88j
		mov	eax, [eax+1F0h]
		mov	[esp+18h+var_8], eax
		test	esi, esi
		jnz	short loc_4E0236
		mov	eax, offset _PspHostSiloGlobals

loc_4E01D8:				; CODE XREF: EtwTraceContextSwap+CCj
		mov	eax, [eax+1F0h]
		mov	[esp+18h+var_4], eax
		mov	eax, ds:_EtwpHostSiloState
		add	eax, 0A68h
		jz	short loc_4E01F4
		test	byte ptr [eax+4], 4
		jnz	short loc_4E023E

loc_4E01F4:				; CODE XREF: EtwTraceContextSwap+7Cj
					; EtwTraceContextSwap+D5j
		mov	edx, [esp+18h+var_C]
		mov	ecx, ds:_EtwpHostSiloState
		push	ebx
		call	EtwpLogContextSwapEvent
		cmp	edi, esi
		jnz	short loc_4E0247
		test	edi, edi
		jnz	loc_5CBEFD

loc_4E0210:				; CODE XREF: EtwTraceContextSwap+EBD9Dj
					; EtwTraceContextSwap+EBDA5j ...
		test	esi, esi
		jnz	loc_5CBF2B

loc_4E0218:				; CODE XREF: EtwTraceContextSwap+EBDC1j
					; EtwTraceContextSwap+EBDCFj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E021F:				; CODE XREF: EtwTraceContextSwap+3Aj
		test	esi, esi
		jnz	loc_5CBEDB
		jmp	short loc_4E01B8
; 

loc_4E0229:				; CODE XREF: EtwTraceContextSwap+1Fj
		test	edi, edi
		jnz	loc_5CBEC4
		jmp	loc_4E01A1
; 

loc_4E0236:				; CODE XREF: EtwTraceContextSwap+61j
		mov	eax, [esi+2F8h]
		jmp	short loc_4E01D8
; 

loc_4E023E:				; CODE XREF: EtwTraceContextSwap+82j
		mov	ecx, ebx
		call	_EtwpCoverageSamplerContextSwap@4 ; EtwpCoverageSamplerContextSwap(x)
		jmp	short loc_4E01F4
; 

loc_4E0247:				; CODE XREF: EtwTraceContextSwap+96j
		mov	ecx, [esp+18h+var_8]
		jmp	loc_5CBF0B
EtwTraceContextSwap endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpLogContextSwapEvent	proc near	; CODE XREF: EtwTraceContextSwap+8Fp
					; EtwTraceContextSwap+EBDB1p ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CBF44 SIZE 0000031B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		xor	eax, eax
		push	esi
		push	edi
		mov	esi, [ebx+924h]
		xor	edi, edi
		bsf	ecx, esi
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_C], edi
		jz	loc_4E0374
		mov	eax, ds:__imp__KeQueryPerformanceCounter@4 ; KeQueryPerformanceCounter(x)
		mov	[ebp+var_14], eax

loc_4E0290:				; CODE XREF: EtwpLogContextSwapEvent+11Ej
		lea	eax, [esi-1]
		mov	edx, ecx
		and	esi, eax
		shl	edx, 5
		lea	eax, [ebx+948h]
		add	eax, edx
		jz	loc_4E036B
		test	byte ptr [eax+4], 4
		jz	loc_4E036B
		movzx	ecx, byte ptr [ebx+ecx*2+914h]
		cmp	ecx, [ebx+8]
		jnb	loc_5CBF44
		lfence	eax
		mov	eax, [ebx+18Ch]
		mov	ecx, [eax+ecx*4]

loc_4E02CF:				; CODE XREF: EtwpLogContextSwapEvent+EBCF9j
		mov	[ebp+var_8], ecx
		test	cl, 1
		jnz	loc_4E036B
		test	dword ptr [edx+ebx+94Ch], 100h
		jz	loc_5CBF95
		mov	ecx, [ecx+7Ch]
		mov	eax, edi
		mov	edi, [ebp+var_8]
		mov	edx, 1
		shl	edx, cl
		not	eax
		mov	[ebp+var_18], edx
		test	eax, edx
		jz	short loc_4E0337
		mov	eax, [edi+20h]
		cmp	eax, 1
		jnz	loc_5CBF4E
		push	0
		call	[ebp+var_14]

loc_4E0315:				; CODE XREF: EtwpLogContextSwapEvent+EBD13j
					; EtwpLogContextSwapEvent+EBD36j ...
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_24]
		push	eax
		mov	eax, [edi+7Ch]
		mov	[ebp+var_20], edx
		mov	edx, [ebp+arg_0]
		push	eax
		call	EtwpCCSwapTrace
		mov	eax, [ebp+var_C]
		or	eax, [ebp+var_18]
		mov	[ebp+var_C], eax

loc_4E0337:				; CODE XREF: EtwpLogContextSwapEvent+B2j
					; EtwpLogContextSwapEvent+EBF19j
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_4E0368
		mov	ecx, [edi+258h]
		test	cl, cl
		js	loc_5CC16E

loc_4E034C:				; CODE XREF: EtwpLogContextSwapEvent+EBF2Bj
					; EtwpLogContextSwapEvent+EBF47j
		test	ecx, 8000h
		jnz	loc_5CC19C

loc_4E0358:				; CODE XREF: EtwpLogContextSwapEvent+EBF57j
					; EtwpLogContextSwapEvent+EBF8Bj ...
		test	dword ptr [edi+258h], 4000000h
		jnz	loc_5CC1F5

loc_4E0368:				; CODE XREF: EtwpLogContextSwapEvent+ECj
					; EtwpLogContextSwapEvent+EBFB0j ...
		mov	edi, [ebp+var_C]

loc_4E036B:				; CODE XREF: EtwpLogContextSwapEvent+52j
					; EtwpLogContextSwapEvent+5Cj ...
		bsf	ecx, esi
		jnz	loc_4E0290

loc_4E0374:				; CODE XREF: EtwpLogContextSwapEvent+32j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
EtwpLogContextSwapEvent	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpCCSwapTrace	proc near		; CODE XREF: EtwpLogContextSwapEvent+D9p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, large fs:20h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_14], edx
		push	esi
		mov	ecx, [eax+4054h]
		mov	eax, [ebp+arg_0]
		push	edi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_1C], 0
		mov	esi, [ecx+eax*4+128h]
		mov	[ebp+var_18], 0
		mov	[ebp+var_C], ecx
		test	esi, esi
		jz	loc_4E0536
		cmp	dword ptr [esi], 0
		lea	edi, [esi+18h]
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		jz	loc_4E069B
		sub	ecx, [esi+8]
		sbb	edx, [esi+0Ch]
		mov	[ebp+var_4], edx

loc_4E03DF:				; CODE XREF: EtwpCCSwapTrace+349j
		mov	ebx, [ebx+2B0h]
		xor	edx, edx
		mov	[ebp+var_10], ebx
		test	ebx, ebx
		jz	short loc_4E0416
		mov	edi, edi

loc_4E03F0:				; CODE XREF: EtwpCCSwapTrace+81j
		mov	eax, [edi]
		cmp	eax, ebx
		jz	short loc_4E0416
		test	eax, eax
		jz	short loc_4E0405
		inc	edx
		add	edi, 4
		cmp	edx, 10h
		jb	short loc_4E03F0
		jmp	short loc_4E0416
; 

loc_4E0405:				; CODE XREF: EtwpCCSwapTrace+78j
		mov	eax, [ebp+var_8]
		mov	[esi+edx*4+18h], ebx
		mov	al, [eax+15Bh]
		mov	[edx+esi+58h], al

loc_4E0416:				; CODE XREF: EtwpCCSwapTrace+6Cj
					; EtwpCCSwapTrace+74j ...
		mov	eax, ds:_KeTickCount
		sub	eax, [esi+4]
		cmp	edx, 10h
		jz	loc_4E0641
		cmp	eax, 1F4h
		ja	loc_4E0641
		mov	eax, [esi]
		add	eax, 8
		cmp	eax, 400h
		ja	loc_4E0641
		mov	eax, [ebp+var_4]
		test	eax, eax
		jl	short loc_4E045B
		jg	loc_4E0641
		cmp	ecx, 40000000h
		ja	loc_4E0641

loc_4E045B:				; CODE XREF: EtwpCCSwapTrace+C7j
		mov	ebx, [ebp+var_C]
		mov	edi, [ebp+arg_0]
		cmp	byte ptr [ebx+edi+120h], 0
		mov	ebx, [ebp+var_10]
		jnz	loc_4E0641

loc_4E0472:				; CODE XREF: EtwpCCSwapTrace+316j
		test	ebx, ebx
		jz	loc_4E053F
		mov	edi, [ebp+var_14]
		cmp	dword ptr [edi+2B0h], 0
		jnz	loc_4E05F5
		mov	[ebp+arg_0], 0

loc_4E0491:				; CODE XREF: EtwpCCSwapTrace+283j
		mov	eax, [ebp+var_8]
		movsx	ebx, byte ptr [eax+87h]
		movsx	eax, byte ptr [edx+esi+58h]
		mov	edi, ebx
		sub	edi, eax
		cmp	[ebp+arg_0], 1
		ja	loc_4E0589
		mov	eax, [ebp+var_4]
		test	eax, eax
		jg	loc_4E0589
		jl	short loc_4E04C7
		cmp	ecx, 20000h
		jnb	loc_4E0589

loc_4E04C7:				; CODE XREF: EtwpCCSwapTrace+139j
		cmp	edi, 7
		ja	loc_4E0589
		mov	eax, [ebp+var_8]
		and	edi, 7
		shl	ecx, 9
		and	edx, 0Fh
		or	ecx, edi
		shl	ecx, 4
		or	ecx, edx
		shl	ecx, 2
		or	ecx, 2
		cmp	byte ptr [eax+90h], 5
		mov	[ebp+var_1C], ecx
		jnz	short loc_4E0567
		movzx	ecx, byte ptr [eax+18Bh]
		mov	eax, [ebp+var_1C]
		shl	ecx, 9
		xor	ecx, eax
		and	ecx, 7E00h
		xor	eax, ecx

loc_4E050C:				; CODE XREF: EtwpCCSwapTrace+207j
		mov	[ebp+var_1C], eax
		mov	edi, 4

loc_4E0514:				; CODE XREF: EtwpCCSwapTrace+1E5j
					; EtwpCCSwapTrace+270j	...
		push	edi		; size_t
		lea	eax, [ebp+var_1C]
		push	eax		; void *
		mov	eax, [esi]
		add	eax, esi
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_4]
		add	esp, 0Ch
		add	[esi], edi
		mov	eax, [ecx]
		mov	[esi+8], eax
		mov	eax, [ecx+4]
		mov	[esi+0Ch], eax

loc_4E0536:				; CODE XREF: EtwpCCSwapTrace+3Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4E053F:				; CODE XREF: EtwpCCSwapTrace+F4j
		test	eax, eax
		jg	loc_4E0608
		jl	short loc_4E0555
		cmp	ecx, 4000h
		jnb	loc_4E0608

loc_4E0555:				; CODE XREF: EtwpCCSwapTrace+1C7j
		lea	eax, ds:0[ecx*4]
		mov	edi, 2
		mov	word ptr [ebp+var_1C], ax
		jmp	short loc_4E0514
; 

loc_4E0567:				; CODE XREF: EtwpCCSwapTrace+173j
		movzx	ecx, byte ptr [eax+90h]
		mov	eax, [ebp+var_1C]
		shl	ecx, 9
		and	eax, 0FFFF81FFh
		sub	ecx, 2E01h
		and	ecx, 7E00h
		or	eax, ecx
		jmp	short loc_4E050C
; 

loc_4E0589:				; CODE XREF: EtwpCCSwapTrace+128j
					; EtwpCCSwapTrace+133j	...
		lea	eax, ds:0[ecx*4]
		mov	ecx, [ebp+var_18]
		xor	ecx, edx
		or	eax, 3
		and	ecx, 0Fh
		mov	[ebp+var_1C], eax
		xor	ecx, [ebp+var_18]
		mov	eax, [ebp+arg_0]
		cmp	eax, 1FFFFh
		jnb	loc_5CC255

loc_4E05AF:				; CODE XREF: EtwpLogContextSwapEvent+EC00Aj
		and	ebx, 1Fh
		shl	eax, 5
		or	ebx, eax
		and	ecx, 3FFh
		mov	eax, [ebp+var_8]
		shl	ebx, 0Ah
		or	ebx, ecx
		mov	[ebp+var_18], ebx
		cmp	byte ptr [eax+90h], 5
		jnz	short loc_4E061F
		movzx	ecx, byte ptr [eax+18Bh]
		mov	eax, [ebp+var_18]
		shl	ecx, 4
		xor	ecx, eax
		and	ecx, 3F0h
		xor	eax, ecx

loc_4E05E8:				; CODE XREF: EtwpCCSwapTrace+2BFj
		mov	[ebp+var_18], eax
		mov	edi, 8
		jmp	loc_4E0514
; 

loc_4E05F5:				; CODE XREF: EtwpCCSwapTrace+104j
		mov	eax, ds:_KeTickCount
		sub	eax, [edi+138h]
		mov	[ebp+arg_0], eax
		jmp	loc_4E0491
; 

loc_4E0608:				; CODE XREF: EtwpCCSwapTrace+1C1j
					; EtwpCCSwapTrace+1CFj
		lea	eax, ds:0[ecx*4]
		mov	edi, 4
		or	eax, 1
		mov	[ebp+var_1C], eax
		jmp	loc_4E0514
; 

loc_4E061F:				; CODE XREF: EtwpCCSwapTrace+24Fj
		movzx	ecx, byte ptr [eax+90h]
		mov	eax, [ebp+var_18]
		shl	ecx, 4
		and	eax, 0FFFFFC0Fh
		sub	ecx, 171h
		and	ecx, 3F0h
		or	eax, ecx
		jmp	short loc_4E05E8
; 

loc_4E0641:				; CODE XREF: EtwpCCSwapTrace+A1j
					; EtwpCCSwapTrace+ACj ...
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_EtwpCCSwapFlush@8 ; EtwpCCSwapFlush(x,x)
		mov	edx, [ebp+arg_4]
		lea	edi, [esi+18h]
		mov	eax, ds:_KeTickCount
		push	40h		; size_t
		push	0		; int
		mov	ecx, [edx]
		mov	edx, [edx+4]
		push	edi		; void *
		mov	[esi+4], eax
		mov	[esi+8], ecx
		mov	[esi+0Ch], edx
		mov	dword ptr [esi], 68h
		mov	[esi+10h], ecx
		mov	[esi+14h], edx
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	ecx, [ebp+var_C]
		mov	byte ptr [ecx+eax+120h], 0
		xor	eax, eax
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		mov	[edi], ebx
		xor	edx, edx
		jmp	loc_4E0472
; 

loc_4E069B:				; CODE XREF: EtwpCCSwapTrace+50j
		mov	eax, ds:_KeTickCount
		push	40h		; size_t
		push	0		; int
		push	edi		; void *
		mov	[esi+4], eax
		mov	[esi+8], ecx
		mov	[esi+0Ch], edx
		mov	dword ptr [esi], 68h
		mov	[esi+10h], ecx
		mov	[esi+14h], edx
		call	_memset
		add	esp, 0Ch
		xor	ecx, ecx
		xor	eax, eax
		mov	[ebp+var_4], eax
		jmp	loc_4E03DF
EtwpCCSwapTrace	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCCSwapFlush(x, x)
_EtwpCCSwapFlush@8 proc	near		; CODE XREF: EtwpCCSwapTrace+2C6p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		lea	eax, [ecx+10h]
		push	ebx
		mov	[ebp+var_18], eax
		mov	ebx, edx
		mov	eax, [ecx]
		xor	edx, edx
		sub	eax, 10h
		mov	byte ptr [ebp+var_1C], dl
		mov	[ebp+var_10], eax
		mov	eax, ds:_EtwpHostSiloState
		push	esi
		push	edi
		mov	[ebp+var_14], edx
		mov	esi, [eax+924h]
		mov	[ebp+var_C], edx

loc_4E0709:				; CODE XREF: EtwpCCSwapFlush(x,x)+57j
					; EtwpCCSwapFlush(x,x)+5Ej ...
		bsf	ecx, esi
		jz	short loc_4E0780
		mov	edx, ds:_EtwpHostSiloState
		lea	eax, [esi-1]
		and	esi, eax
		mov	eax, ecx
		shl	eax, 5
		add	eax, 948h
		add	eax, edx
		jz	short loc_4E0709
		mov	eax, [eax+4]
		test	al, 4
		jz	short loc_4E0709
		test	eax, 100h
		jz	short loc_4E0709
		movzx	edi, byte ptr [edx+ecx*2+914h]
		lea	eax, [ebp+var_1C]
		push	eax
		push	0
		mov	ecx, edi
		call	_EtwpOpenLogger@16 ; EtwpOpenLogger(x,x,x,x)
		test	eax, eax
		jz	short loc_4E0709
		cmp	[eax+7Ch], ebx
		jnz	short loc_4E076E
		mov	edx, ds:_EtwpHostSiloState
		lea	ecx, [ebp+var_18]
		push	202h
		push	525h
		push	1
		push	edi
		call	EtwpLogKernelEvent

loc_4E076E:				; CODE XREF: EtwpCCSwapFlush(x,x)+83j
		push	[ebp+var_1C]
		mov	edx, ds:_EtwpHostSiloState
		mov	ecx, edi
		call	_EtwpCloseLogger@12 ; EtwpCloseLogger(x,x,x)
		jmp	short loc_4E0709
; 

loc_4E0780:				; CODE XREF: EtwpCCSwapFlush(x,x)+3Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpCCSwapFlush@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCloseLogger(x, x, x)
_EtwpCloseLogger@12 proc near		; CODE XREF: EtwpOpenLogger(x,x,x,x)+6Fp
					; EtwpCCSwapFlush(x,x)+ABp ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		mov	eax, ecx
		jnz	short loc_4E07A1

loc_4E079D:				; CODE XREF: EtwpCloseLogger(x,x,x)+2Ej
		pop	ebp
		retn	4
; 

loc_4E07A1:				; CODE XREF: EtwpCloseLogger(x,x,x)+Bj
		mov	ecx, [edx+188h]
		xor	edx, edx
		inc	edx
		mov	ecx, [ecx+eax*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	short loc_4E079D
_EtwpCloseLogger@12 endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 155. KiCheckForSListAddress

;  S U B	R O U T	I N E 


; __fastcall KiCheckForSListAddress(x)
		public @KiCheckForSListAddress@4
@KiCheckForSListAddress@4 proc near	; CODE XREF: .text:0052DF97p
					; Dr_kite_a+3B4p
		test	byte ptr [ecx+6Ch], 1
		mov	eax, [ecx+68h]
		jz	short loc_4E07E4

loc_4E07D9:				; CODE XREF: KiCheckForSListAddress(x)+1Bj
		mov	edx, ds:_KeUserPopEntrySListResume
		cmp	eax, edx
		jnb	short loc_4E0803

locret_4E07E3:				; CODE XREF: KiCheckForSListAddress(x)+22j
					; KiCheckForSListAddress(x)+29j ...
		retn
; 

loc_4E07E4:				; CODE XREF: KiCheckForSListAddress(x)+7j
		test	dword ptr [ecx+70h], 20000h
		jnz	short loc_4E07D9
		cmp	eax, offset _ExpInterlockedPopEntrySListResume
		jb	short locret_4E07E3
		cmp	eax, offset _ExpInterlockedPopEntrySListEnd
		ja	short locret_4E07E3
		mov	dword ptr [ecx+68h], offset _ExpInterlockedPopEntrySListResume
		retn
; 

loc_4E0803:				; CODE XREF: KiCheckForSListAddress(x)+11j
		cmp	eax, ds:_KeUserPopEntrySListEnd
		ja	short locret_4E07E3
		mov	[ecx+68h], edx
		retn
@KiCheckForSListAddress@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiStoreEvictPageFile proc near		; CODE XREF: MiStoreEvictThread+145p

var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CC25F SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	edi, ecx
		cmp	dword ptr [edi+70h], 0
		movzx	eax, word ptr [edi+74h]
		mov	[ebp+var_10], eax
		jz	loc_4E09CC
		lea	edx, [ebp+var_28]
		call	_MiRefPageFileSpaceBitmaps@8 ; MiRefPageFileSpaceBitmaps(x,x)
		mov	edx, [ebp+var_1C]
		xor	esi, esi
		cmp	edx, esi
		jbe	loc_4E09B8

loc_4E0850:				; CODE XREF: MiStoreEvictPageFile+132j
		mov	ecx, [ebp+var_18]
		lea	eax, [edx-1]
		shr	eax, 5
		lea	edi, [ecx+eax*4]
		mov	eax, esi
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		cmp	eax, edi
		jz	short loc_4E0885
		mov	ebx, esi
		and	ebx, 1Fh
		mov	ecx, ds:dword_40BA68[ebx*4]
		or	ecx, [eax]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_4E094A

loc_4E087F:				; CODE XREF: MiStoreEvictPageFile+144j
					; MiStoreEvictPageFile+153j ...
		mov	ecx, [ebp+var_18]
		mov	edx, [ebp+var_1C]

loc_4E0885:				; CODE XREF: MiStoreEvictPageFile+56j
		cmp	esi, edx
		jnb	short loc_4E089A
		lea	esp, [esp+0]

loc_4E0890:				; CODE XREF: MiStoreEvictPageFile+88j
		bt	[ecx], esi
		jnb	short loc_4E089A
		inc	esi
		cmp	esi, edx
		jb	short loc_4E0890

loc_4E089A:				; CODE XREF: MiStoreEvictPageFile+77j
					; MiStoreEvictPageFile+83j
		xor	ebx, ebx
		cmp	eax, edi
		jz	short loc_4E08BE
		mov	edx, [eax]
		mov	ecx, esi
		and	ecx, 1Fh
		mov	[ebp+var_C], ecx
		mov	ecx, ds:dword_40BA68[ecx*4]
		not	ecx
		and	ecx, edx
		jz	loc_4E0978

loc_4E08BB:				; CODE XREF: MiStoreEvictPageFile+17Ej
					; MiStoreEvictPageFile+187j ...
		mov	edx, [ebp+var_1C]

loc_4E08BE:				; CODE XREF: MiStoreEvictPageFile+8Ej
		lea	eax, [ebx+esi]
		cmp	eax, edx
		jnb	short loc_4E08D8
		mov	ecx, [ebp+var_18]

loc_4E08C8:				; CODE XREF: MiStoreEvictPageFile+C6j
		bt	[ecx], eax
		jb	short loc_4E08D8
		cmp	ebx, 0FFFFFFFFh
		jnb	short loc_4E08DB
		inc	eax
		inc	ebx
		cmp	eax, edx
		jb	short loc_4E08C8

loc_4E08D8:				; CODE XREF: MiStoreEvictPageFile+B3j
					; MiStoreEvictPageFile+BBj
		cmp	ebx, 0FFFFFFFFh

loc_4E08DB:				; CODE XREF: MiStoreEvictPageFile+C0j
					; MiStoreEvictPageFile+173j ...
		ja	loc_5CC25F

loc_4E08E1:				; CODE XREF: MiStoreEvictPageFile+EBA52j
		test	ebx, ebx
		jz	loc_4E09B5
		mov	eax, [ebp+var_10]
		lea	edx, [ebp+var_C]
		mov	ecx, esi
		shl	eax, 1Ch
		and	ecx, 0FFFFFFFh
		mov	[ebp+var_C], 0
		or	ecx, eax
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_14]
		call	?SmKeyConvert@@YGJPAT_MM_STORE_KEY@@PAT_SM_PAGE_KEY@@@Z	; SmKeyConvert(_MM_STORE_KEY *,_SM_PAGE_KEY *)
		mov	eax, [ebp+var_C]
		lea	edx, [ebp+var_4]
		push	ecx
		push	ebx
		mov	[ebp+var_4], eax
		call	SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict
		mov	edi, ebx
		sub	edi, eax
		jnz	loc_4E09D3

loc_4E0928:				; CODE XREF: MiStoreEvictPageFile+1D2j
		mov	edi, [ebp+var_8]
		mov	edx, esi
		push	ebx
		mov	ecx, edi
		call	_MiStoreSetPageFileRunEvicted@12 ; MiStoreSetPageFileRunEvicted(x,x,x)
		cmp	dword ptr [edi+70h], 0
		jz	short loc_4E09B8
		mov	edx, [ebp+var_1C]
		add	esi, ebx
		cmp	edx, esi
		ja	loc_4E0850
		jmp	short loc_4E09B8
; 

loc_4E094A:				; CODE XREF: MiStoreEvictPageFile+69j
		sub	esi, ebx
		add	eax, 4
		add	esi, 20h
		cmp	eax, edi
		jnb	loc_4E087F
		lea	ebx, [ebx+0]

loc_4E0960:				; CODE XREF: MiStoreEvictPageFile+161j
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_4E087F
		add	eax, 4
		add	esi, 20h
		cmp	eax, edi
		jb	short loc_4E0960
		jmp	loc_4E087F
; 

loc_4E0978:				; CODE XREF: MiStoreEvictPageFile+A5j
		mov	ebx, 20h
		sub	ebx, [ebp+var_C]
		cmp	ebx, 0FFFFFFFFh
		jnb	loc_4E08DB
		add	eax, 4
		cmp	eax, edi
		jnb	loc_4E08BB

loc_4E0994:				; CODE XREF: MiStoreEvictPageFile+19Ej
		cmp	dword ptr [eax], 0
		jnz	loc_4E08BB
		add	ebx, 20h
		add	eax, 4
		cmp	ebx, 0FFFFFFFFh
		jnb	loc_4E08DB
		cmp	eax, edi
		jb	short loc_4E0994
		jmp	loc_4E08BB
; 

loc_4E09B5:				; CODE XREF: MiStoreEvictPageFile+D3j
		mov	edi, [ebp+var_8]

loc_4E09B8:				; CODE XREF: MiStoreEvictPageFile+3Aj
					; MiStoreEvictPageFile+129j ...
		push	0
		lea	edx, [ebp+var_28]
		mov	ecx, edi
		call	_MiDerefPageFileSpaceBitmaps@12	; MiDerefPageFileSpaceBitmaps(x,x,x)
		test	eax, eax
		jnz	loc_5CC267

loc_4E09CC:				; CODE XREF: MiStoreEvictPageFile+25j
					; MiStoreEvictPageFile+EBA5Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E09D3:				; CODE XREF: MiStoreEvictPageFile+112j
					; MiStoreEvictPageFile+1D8j
		add	[ebp+var_4], eax
		lea	edx, [ebp+var_4]
		push	ecx
		push	edi
		call	SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict
		sub	edi, eax
		jz	loc_4E0928
		jmp	short loc_4E09D3
MiStoreEvictPageFile endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiStoreSetPageFileRunEvicted(x, x, x)
_MiStoreSetPageFileRunEvicted@12 proc near ; CODE XREF:	MiStoreEvictPageFile+120p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, ecx
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		mov	edi, edx
		add	eax, 88h
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_4]
		mov	bl, al
		mov	esi, [ebp+arg_0]
		push	esi
		push	edi
		mov	ecx, [ecx+38h]
		add	ecx, 0Ch
		push	ecx
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, eax
		sub	[eax+70h], esi
		mov	eax, [edi+38h]
		add	eax, 4
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		add	[edi+0Ch], esi
		lea	eax, [edi+88h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiStoreSetPageFileRunEvicted@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; long __stdcall SmKeyConvert(union _MM_STORE_KEY *, union _SM_PAGE_KEY	*)
?SmKeyConvert@@YGJPAT_MM_STORE_KEY@@PAT_SM_PAGE_KEY@@@Z	proc near
					; CODE XREF: MiIssueHardFaultIo+CDp
					; MiStoreWriteModifiedPages+374p ...
		mov	ecx, [ecx]
		mov	eax, ecx
		push	esi
		mov	esi, 0F0000000h
		and	eax, esi
		cmp	eax, esi
		pop	esi
		jz	short loc_4E0A66
		mov	[edx], ecx
		xor	eax, eax
		retn
; 

loc_4E0A66:				; CODE XREF: SmKeyConvert(_MM_STORE_KEY	*,_SM_PAGE_KEY *)+Fj
		mov	eax, 0C0000429h
		retn
?SmKeyConvert@@YGJPAT_MM_STORE_KEY@@PAT_SM_PAGE_KEY@@@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDerefPageFileSpaceBitmaps(x, x, x)
_MiDerefPageFileSpaceBitmaps@12	proc near
					; CODE XREF: MiBuildReservationCluster(x,x,x,x)+84Dp
					; MiStoreWriteModifiedPages+851p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_0], 0
		lea	eax, [ecx+88h]
		push	ebx
		push	esi
		push	edi
		mov	edi, [edx]
		mov	[ebp+var_4], eax
		jnz	short loc_4E0ABA
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		mov	eax, [ebp+var_4]

loc_4E0A91:				; CODE XREF: MiDerefPageFileSpaceBitmaps(x,x,x)+50j
		dec	dword ptr [edi]
		cmp	[ebp+arg_0], 0
		mov	esi, [edi]
		jnz	short loc_4E0AA9
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4E0AA9:				; CODE XREF: MiDerefPageFileSpaceBitmaps(x,x,x)+2Dj
		neg	esi
		sbb	esi, esi
		not	esi
		and	esi, edi
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4E0ABA:				; CODE XREF: MiDerefPageFileSpaceBitmaps(x,x,x)+18j
		xor	bl, bl
		jmp	short loc_4E0A91
_MiDerefPageFileSpaceBitmaps@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRefPageFileSpaceBitmaps(x, x)
_MiRefPageFileSpaceBitmaps@8 proc near	; CODE XREF: MiBuildReservationCluster(x,x,x,x)+7Ep
					; MiStoreWriteModifiedPages+5C1p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], edi
		lea	eax, [esi+88h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		mov	eax, [esi+38h]
		push	5
		pop	ecx
		mov	esi, eax
		mov	[ebp+var_8], eax
		inc	dword ptr [eax]
		rep movsd
		mov	ecx, [ebp+var_4]
		mov	esi, [ecx]
		lea	eax, [ecx+88h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_8]
		pop	edi
		mov	[ecx+4], esi
		mov	[ecx+0Ch], esi
		pop	esi
		mov	[ecx], eax
		pop	ebx
		leave
		retn
_MiRefPageFileSpaceBitmaps@8 endp

; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 888. IoGetTransactionParameterBlock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetTransactionParameterBlock(x)
		public _IoGetTransactionParameterBlock@4
_IoGetTransactionParameterBlock@4 proc near ; CODE XREF: IopTrackLink+1302FDp
					; IopTrackLink+130315p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+7Ch]
		test	eax, eax
		jnz	short loc_4E0B45

loc_4E0B3F:				; CODE XREF: IoGetTransactionParameterBlock(x)+1Bj
		xor	eax, eax
		pop	ebp
		retn	4
; 

loc_4E0B45:				; CODE XREF: IoGetTransactionParameterBlock(x)+Dj
		cmp	eax, _IopRevocationExtension
		jz	short loc_4E0B3F
		mov	eax, [eax+4]
		pop	ebp
		retn	4
_IoGetTransactionParameterBlock@4 endp

; 
		align 10h
; Exported entry 1060. IoWithinStackLimits

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoWithinStackLimits
IoWithinStackLimits proc near

var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CC274 SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		sub	esp, 10h
		mov	edx, [ebp+arg_0]
		mov	cl, large fs:235Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		add	edi, edx
		test	cl, 1
		jnz	loc_5CC274

loc_4E0B89:				; CODE XREF: IoWithinStackLimits+EB71Ej
		mov	ecx, [eax+28h]
		mov	[ebp+var_10], ecx
		mov	ecx, [eax+24h]
		mov	eax, [eax+20h]
		mov	esi, [ebp+var_10]

loc_4E0B98:				; CODE XREF: IoWithinStackLimits+6Aj
		cmp	edx, ecx
		jnb	short loc_4E0BB0

loc_4E0B9C:				; CODE XREF: IoWithinStackLimits+52j
		cmp	dword ptr [eax+10h], 0
		lea	ebx, [eax+10h]
		jnz	short loc_4E0BC2

loc_4E0BA5:				; CODE XREF: IoWithinStackLimits+EB72Cj
					; IoWithinStackLimits+EB73Aj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4E0BB0:				; CODE XREF: IoWithinStackLimits+3Aj
		cmp	edi, esi
		ja	short loc_4E0B9C

loc_4E0BB4:				; CODE XREF: IoWithinStackLimits+EB740j
		pop	edi
		pop	esi
		mov	eax, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4E0BC2:				; CODE XREF: IoWithinStackLimits+43j
		mov	esi, [ebx]
		mov	ecx, [ebx+4]
		mov	eax, [ebx+0Ch]
		jmp	short loc_4E0B98
IoWithinStackLimits endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpxLookupFunctionTable proc near	; CODE XREF: RtlUnwind+16Bp
					; RtlDispatchException+149p

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005CC2A5 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	esi, ecx
		mov	dword ptr [ebx+4], 0
		mov	dword ptr [ebx+8], 0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebp+var_1], al
		cmp	al, 1Bh
		jnb	short loc_4E0C00
		mov	cl, 1Bh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_4E0C00:				; CODE XREF: RtlpxLookupFunctionTable+26j
		test	ds:byte_70EFC6,	21h
		jnz	loc_5CC2A5
		mov	edx, ds:_PsLoadedModuleSpinLock
		mov	edi, offset _PsLoadedModuleSpinLock
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_4E0CA3

loc_4E0C2B:				; CODE XREF: RtlpxLookupFunctionTable+DDj
					; RtlpxLookupFunctionTable+EB6E2j
		mov	eax, _PsLoadedModuleList
		test	eax, eax
		jz	short loc_4E0C9F
		cmp	eax, offset _PsLoadedModuleList
		jz	short loc_4E0C9F
		jmp	short loc_4E0C40
; 
		align 10h

loc_4E0C40:				; CODE XREF: RtlpxLookupFunctionTable+6Bj
					; RtlpxLookupFunctionTable+CDj
		mov	ecx, [eax+18h]
		mov	edi, [eax+20h]
		lea	edx, [edi+ecx]
		cmp	esi, edx
		jnb	short loc_4E0C96
		cmp	esi, ecx
		jb	short loc_4E0C96
		mov	esi, [eax+8]
		mov	eax, [eax+0Ch]
		mov	[ebx], esi
		mov	[ebx+4], ecx
		mov	[ebx+8], edi
		mov	[ebx+0Ch], eax

loc_4E0C62:				; CODE XREF: RtlpxLookupFunctionTable+D1j
		test	ds:byte_70EFC6,	1
		jnz	loc_5CC2B7
		mov	ecx, 0BFFFFFFFh
		mov	eax, offset _PsLoadedModuleSpinLock
		lock and [eax],	ecx
		lock dec dword ptr [eax]

loc_4E0C7F:				; CODE XREF: RtlpxLookupFunctionTable+EB6F4j
		mov	cl, [ebp+var_1]
		cmp	cl, 1Bh
		jnb	short loc_4E0C8D
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4E0C8D:				; CODE XREF: RtlpxLookupFunctionTable+B5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E0C96:				; CODE XREF: RtlpxLookupFunctionTable+7Bj
					; RtlpxLookupFunctionTable+7Fj
		mov	eax, [eax]
		cmp	eax, offset _PsLoadedModuleList
		jnz	short loc_4E0C40

loc_4E0C9F:				; CODE XREF: RtlpxLookupFunctionTable+62j
					; RtlpxLookupFunctionTable+69j
		xor	esi, esi
		jmp	short loc_4E0C62
; 

loc_4E0CA3:				; CODE XREF: RtlpxLookupFunctionTable+59j
		or	dl, 0FFh
		mov	ecx, edi
		call	ExpWaitForSpinLockSharedAndAcquire
		jmp	loc_4E0C2B
RtlpxLookupFunctionTable endp

; 
		align 10h

;  S U B	R O U T	I N E 


ExpWaitForSpinLockSharedAndAcquire proc	near ; CODE XREF: MiCountSharedPages(x,x,x)+9Fp
					; .text:00452E93p ...

; FUNCTION CHUNK AT 005CC2C9 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	bl, dl
		mov	edi, ecx
		xor	esi, esi
		jmp	short loc_4E0CD0
; 
		align 10h

loc_4E0CD0:				; CODE XREF: ExpWaitForSpinLockSharedAndAcquire+Bj
					; ExpWaitForSpinLockSharedAndAcquire+62j
		mov	edx, [edi]
		test	edx, edx
		jns	short loc_4E0D11

loc_4E0CD6:				; CODE XREF: ExpWaitForSpinLockSharedAndAcquire+4Fj
		test	edx, 40000000h
		jz	short loc_4E0D2A

loc_4E0CDE:				; CODE XREF: ExpWaitForSpinLockSharedAndAcquire+7Aj
		cmp	bl, 0FFh
		jz	short loc_4E0CEB
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4E0CEB:				; CODE XREF: ExpWaitForSpinLockSharedAndAcquire+21j
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jz	loc_5CC2C9

loc_4E0CF8:				; CODE XREF: ExpWaitForSpinLockSharedAndAcquire+EB610j
		pause

loc_4E0CFA:				; CODE XREF: ExpWaitForSpinLockSharedAndAcquire+EB61Cj
		cmp	bl, 0FFh
		jz	short loc_4E0D09
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al

loc_4E0D09:				; CODE XREF: ExpWaitForSpinLockSharedAndAcquire+3Dj
		mov	eax, [edi]

loc_4E0D0B:				; CODE XREF: ExpWaitForSpinLockSharedAndAcquire+7Cj
		mov	edx, eax
		test	eax, eax
		js	short loc_4E0CD6

loc_4E0D11:				; CODE XREF: ExpWaitForSpinLockSharedAndAcquire+14j
		lea	ecx, [edx+1]
		mov	eax, edx
		and	ecx, 0BFFFFFFFh
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_4E0CD0
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_4E0D2A:				; CODE XREF: ExpWaitForSpinLockSharedAndAcquire+1Cj
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_4E0CDE
		jmp	short loc_4E0D0B
ExpWaitForSpinLockSharedAndAcquire endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepIsSModeEnabled()
_SepIsSModeEnabled@0 proc near		; CODE XREF: MiReduceShareCount:loc_5D4BC2p
					; SeSecurityModelQueryInformation(x,x,x):loc_9D9122p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], 0
		push	eax
		push	4
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], 0
		push	eax
		push	0
		xor	edx, edx
		mov	ecx, 0CDh
		call	_SeCodeIntegrityQueryPolicyInformation@24 ; SeCodeIntegrityQueryPolicyInformation(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_4E0D81
		test	[ebp+var_4], 0A0000000h
		jz	short loc_4E0D81
		mov	al, 1

loc_4E0D7D:				; CODE XREF: SepIsSModeEnabled()+43j
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E0D81:				; CODE XREF: SepIsSModeEnabled()+30j
					; SepIsSModeEnabled()+39j
		xor	al, al
		jmp	short loc_4E0D7D
_SepIsSModeEnabled@0 endp

; 
		align 10h
; Exported entry 394. ExIsResourceAcquiredExclusiveLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExIsResourceAcquiredExclusiveLite
ExIsResourceAcquiredExclusiveLite proc near
					; CODE XREF: HvCheckAndUpdateHiveBackupTimeStamp+1894CEp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CC2E1 SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		movzx	ecx, word ptr [esi+0Eh]
		mov	eax, ecx
		and	eax, 1
		jnz	loc_5CC2E1

loc_4E0DA8:				; CODE XREF: ExIsResourceAcquiredExclusiveLite+EB554j
		test	ax, ax
		jnz	short loc_4E0DD1

loc_4E0DAD:				; CODE XREF: ExIsResourceAcquiredExclusiveLite+49j
		movzx	eax, word ptr [esi+0Eh]
		test	al, 1
		jnz	short loc_4E0DE0
		xor	cl, cl
		test	al, al
		js	short loc_4E0DC2

loc_4E0DBB:				; CODE XREF: ExIsResourceAcquiredExclusiveLite+3Bj
					; ExIsResourceAcquiredExclusiveLite+3Fj
		mov	al, cl

loc_4E0DBD:				; CODE XREF: ExIsResourceAcquiredExclusiveLite+56j
		pop	esi
		pop	ebp
		retn	4
; 

loc_4E0DC2:				; CODE XREF: ExIsResourceAcquiredExclusiveLite+29j
		mov	eax, large fs:124h
		cmp	[esi+18h], eax
		jnz	short loc_4E0DBB
		mov	cl, 1
		jmp	short loc_4E0DBB
; 

loc_4E0DD1:				; CODE XREF: ExIsResourceAcquiredExclusiveLite+1Bj
					; DATA XREF: .text:00429CE0o
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jbe	short loc_4E0DAD
		jmp	loc_5CC2FB
; 

loc_4E0DE0:				; CODE XREF: ExIsResourceAcquiredExclusiveLite+23j
		push	esi
		call	_ExIsFastResourceHeldExclusive@4 ; ExIsFastResourceHeldExclusive(x)
		jmp	short loc_4E0DBD
ExIsResourceAcquiredExclusiveLite endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2010. RtlCreateAtomTableEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlCreateAtomTableEx
RtlCreateAtomTableEx proc near		; CODE XREF: RtlCreateAtomTable(x,x)+Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		cmp	[eax], ecx
		jnz	loc_4E0E94
		mov	ebx, [ebp+arg_0]
		cmp	ebx, 1
		ja	short loc_4E0E18
		push	25h
		pop	ebx

loc_4E0E18:				; CODE XREF: RtlCreateAtomTableEx+25j
		push	1Ch
		pop	esi
		lea	eax, [ebx-1]
		mul	esi
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_4E0E96
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_4E0E94
		mov	ecx, [ebp+var_4]
		mov	edx, 546D7441h
		call	RtlpAllocateAtom
		mov	esi, eax
		test	esi, esi
		jz	short loc_4E0E9D
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+14h], ebx
		mov	ecx, esi
		call	_RtlpInitializeHandleTableForAtomTable@4 ; RtlpInitializeHandleTableForAtomTable(x)
		mov	ecx, esi
		test	al, al
		jz	loc_5CC310
		call	_RtlpInitializeLockAtomTable@4 ; RtlpInitializeLockAtomTable(x)
		mov	eax, [ebp+arg_4]
		mov	[esi+10h], eax
		mov	eax, [ebp+arg_8]
		mov	dword ptr [esi], 6D6F7441h
		mov	dword ptr [esi+4], 1
		mov	[eax], esi

loc_4E0E94:				; CODE XREF: RtlCreateAtomTableEx+19j
					; RtlCreateAtomTableEx+52j ...
		mov	eax, edi

loc_4E0E96:				; CODE XREF: RtlCreateAtomTableEx+3Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4E0E9D:				; CODE XREF: RtlCreateAtomTableEx+65j
		mov	edi, 0C0000017h
		jmp	short loc_4E0E94
RtlCreateAtomTableEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpAllocateAtomTableEntry proc	near	; CODE XREF: RtlAddAtomToAtomTableEx+D2p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CC31F SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	1Ch
		pop	esi
		mov	[ebp+var_8], edx
		lea	eax, [ebp+var_4]
		mov	edx, ecx
		mov	[ebp+var_4], esi
		push	eax
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_4E0F55
		mov	ecx, [ebp+var_4]
		mov	edx, 416D7441h
		call	RtlpAllocateAtom
		mov	esi, eax
		test	esi, esi
		jz	short loc_4E0F55
		and	dword ptr [esi], 0
		lea	edi, [esi+8]
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		inc	eax
		and	ecx, 2
		mov	[esi+14h], ax
		mov	[esi+16h], cx
		and	dword ptr [esi+10h], 0
		mov	[edi+4], edi
		mov	[edi], edi
		call	RtlpQueryLowBoxId
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_4E0F1A
		mov	eax, edi

loc_4E0F0C:				; CODE XREF: RtlpAllocateAtomTableEntry+AAj
		mov	ecx, [ebp+var_8]
		mov	[ecx], eax
		mov	eax, esi

loc_4E0F13:				; CODE XREF: RtlpAllocateAtomTableEntry+B3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4E0F1A:				; CODE XREF: RtlpAllocateAtomTableEntry+64j
		push	10h
		mov	edx, 4C6D7441h
		pop	ecx
		call	RtlpAllocateAtom
		test	eax, eax
		jz	loc_5CC31F
		xor	ecx, ecx
		mov	[eax+8], ebx
		mov	[eax+0Eh], cx
		inc	ecx
		mov	[eax+0Ch], cx
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	short loc_4E0F50
		mov	[eax], ecx
		mov	[eax+4], edi
		mov	[ecx+4], eax
		mov	[edi], eax
		jmp	short loc_4E0F0C
; 

loc_4E0F50:				; CODE XREF: RtlpAllocateAtomTableEntry+9Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4E0F55:				; CODE XREF: RtlpAllocateAtomTableEntry+22j
					; RtlpAllocateAtomTableEntry+39j ...
		xor	eax, eax
		jmp	short loc_4E0F13
RtlpAllocateAtomTableEntry endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlULongPtrAdd(x, x, x)
_RtlULongPtrAdd@12 proc	near		; CODE XREF: RtlCreateAtomTableEx+49p
					; RtlpAllocateAtomTableEntry+1Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		lea	eax, [ecx+edx]
		cmp	eax, ecx
		jb	short loc_4E0F7A
		mov	edx, eax

loc_4E0F68:				; CODE XREF: RtlULongPtrAdd(x,x,x)+23j
		cmp	eax, ecx
		mov	ecx, [ebp+arg_0]
		sbb	eax, eax
		and	eax, 0C0000095h
		mov	[ecx], edx
		pop	ebp
		retn	4
; 

loc_4E0F7A:				; CODE XREF: RtlULongPtrAdd(x,x,x)+Aj
		or	edx, 0FFFFFFFFh
		jmp	short loc_4E0F68
_RtlULongPtrAdd@12 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1131. KeEnterGuardedRegion

;  S U B	R O U T	I N E 


; __stdcall KeEnterGuardedRegion()
		public _KeEnterGuardedRegion@0
_KeEnterGuardedRegion@0	proc near	; CODE XREF: ObCreateObjectTypeEx+36Dp
					; sub_A1D230+27p ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		retn
_KeEnterGuardedRegion@0	endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 509. FsRtlDissectName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDissectName(x, x, x, x)
		public _RtlDissectName@16
_RtlDissectName@16 proc	near

arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		push	esi
		movzx	esi, [ebp+arg_0]
		shr	esi, 1
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	[eax+4], ecx
		jz	short loc_4E1049
		push	edi
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		movzx	ecx, word ptr [edi]
		cmp	ecx, 5Ch
		mov	edx, ecx
		mov	[ebp+arg_4], edx
		setz	al
		cmp	eax, esi
		jnb	short loc_4E0FF4

loc_4E0FE8:				; CODE XREF: RtlDissectName(x,x,x,x)+42j
		cmp	word ptr [edi+eax*2], 5Ch
		jz	short loc_4E0FF4
		inc	eax
		cmp	eax, esi
		jb	short loc_4E0FE8

loc_4E0FF4:				; CODE XREF: RtlDissectName(x,x,x,x)+36j
					; RtlDissectName(x,x,x,x)+3Dj
		xor	ecx, ecx
		cmp	edx, 5Ch
		push	ebx
		setz	cl
		movzx	ebx, ax
		mov	dx, bx
		sub	dx, cx
		mov	ecx, [ebp+arg_8]
		add	dx, dx
		mov	[ecx], dx
		mov	[ecx+2], dx
		xor	ecx, ecx
		cmp	word ptr [ebp+arg_4], 5Ch
		mov	edx, [ebp+arg_8]
		setnz	cl
		dec	ecx
		and	ecx, 2
		add	ecx, edi
		mov	[edx+4], ecx
		cmp	eax, esi
		jnb	short loc_4E1047
		mov	edx, [ebp+arg_C]
		sub	esi, ebx
		inc	eax
		lea	ecx, ds:0FFFFFFFEh[esi*2]
		lea	eax, [edi+eax*2]
		mov	[edx], cx
		mov	[edx+2], cx
		mov	[edx+4], eax

loc_4E1047:				; CODE XREF: RtlDissectName(x,x,x,x)+7Bj
		pop	ebx
		pop	edi

loc_4E1049:				; CODE XREF: RtlDissectName(x,x,x,x)+1Ej
		pop	esi
		pop	ebp
		retn	10h
_RtlDissectName@16 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 589. FsRtlLookupPerFileObjectContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlLookupPerFileObjectContext
FsRtlLookupPerFileObjectContext	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CC32B SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		test	eax, eax
		jz	short loc_4E1074
		mov	eax, [eax+7Ch]
		test	eax, eax
		jnz	short loc_4E107B

loc_4E1074:				; CODE XREF: FsRtlLookupPerFileObjectContext+Bj
					; FsRtlLookupPerFileObjectContext+21j ...
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_4E107B:				; CODE XREF: FsRtlLookupPerFileObjectContext+12j
		cmp	eax, _IopRevocationExtension
		jz	short loc_4E1074
		mov	esi, [eax+10h]
		test	esi, esi
		jz	short loc_4E1074
		mov	eax, large fs:124h
		push	ebx
		push	edi
		xor	edi, edi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+arg_8]
		lea	edx, [esi+4]
		test	eax, eax
		jnz	loc_5CC32B
		mov	ecx, [ebp+arg_4]
		mov	eax, [edx]
		test	ecx, ecx
		jz	short loc_4E10FF
		cmp	eax, edx
		jz	short loc_4E10C7

loc_4E10C0:				; CODE XREF: FsRtlLookupPerFileObjectContext+9Dj
		cmp	[eax+8], ecx
		jnz	short loc_4E10F7

loc_4E10C5:				; CODE XREF: FsRtlLookupPerFileObjectContext+A3j
		mov	edi, eax

loc_4E10C7:				; CODE XREF: FsRtlLookupPerFileObjectContext+5Ej
					; FsRtlLookupPerFileObjectContext+9Bj ...
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	eax, large fs:124h
		nop
		add	word ptr [eax+13Ch], 1
		jz	short loc_4E10EA

loc_4E10E1:				; CODE XREF: FsRtlLookupPerFileObjectContext+90j
					; FsRtlLookupPerFileObjectContext+EB2FCj ...
		mov	eax, edi
		pop	edi
		pop	ebx
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_4E10EA:				; CODE XREF: FsRtlLookupPerFileObjectContext+7Fj
		nop
		lea	ecx, [eax+70h]
		cmp	[ecx], ecx
		jz	short loc_4E10E1
		jmp	loc_5CC354
; 

loc_4E10F7:				; CODE XREF: FsRtlLookupPerFileObjectContext+63j
		mov	eax, [eax]
		cmp	eax, edx
		jz	short loc_4E10C7
		jmp	short loc_4E10C0
; 

loc_4E10FF:				; CODE XREF: FsRtlLookupPerFileObjectContext+5Aj
		cmp	eax, edx
		jz	short loc_4E10C7
		jmp	short loc_4E10C5
FsRtlLookupPerFileObjectContext	endp

; 
		align 10h
; Exported entry 2080. RtlFindClearRuns

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlFindClearRuns
RtlFindClearRuns proc near		; CODE XREF: RtlFindLongestRunClear+12p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005CC36C SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	ebx, 0
		push	esi
		mov	eax, [ecx]
		mov	edx, eax
		mov	esi, [ecx+4]
		and	edx, 7
		mov	ecx, 0
		mov	[ebp+var_18], edx
		setnz	bl
		mov	[ebp+arg_0], ecx
		shr	eax, 3
		add	ebx, eax
		mov	[ebp+var_14], ecx
		push	edi
		mov	[ebp+var_28], ebx
		mov	edi, ecx
		mov	eax, ecx
		jz	short loc_4E11B6
		lea	edx, [ebx-1]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], edx

loc_4E1155:				; CODE XREF: RtlFindClearRuns+62j
		mov	bl, [esi]
		inc	esi
		mov	[ebp+var_24], esi
		cmp	eax, edx
		jz	loc_4E128C

loc_4E1163:				; CODE XREF: RtlFindClearRuns+180j
					; RtlFindClearRuns+192j
		test	bl, bl
		jnz	short loc_4E11C1
		add	edi, 8

loc_4E116A:				; CODE XREF: RtlFindClearRuns+F7j
		add	[ebp+var_4], 8
		inc	eax
		cmp	eax, [ebp+var_28]
		jb	short loc_4E1155
		mov	ecx, [ebp+arg_0]
		test	edi, edi
		jz	short loc_4E11B6
		mov	ebx, [ebp+arg_4]
		cmp	ecx, [ebp+arg_8]
		jnb	loc_4E1395
		inc	ecx
		mov	[ebp+arg_0], ecx

loc_4E118B:				; CODE XREF: RtlFindClearRuns+289j
		add	ecx, 0FFFFFFFEh
		cmp	[ebp+arg_C], 0
		jz	short loc_4E11A8
		lea	edx, [ecx+1]
		lea	edx, [ebx+edx*8]
		lea	ebx, [ebx+0]

loc_4E11A0:				; CODE XREF: RtlFindClearRuns+280j
		test	ecx, ecx
		jns	loc_4E1378

loc_4E11A8:				; CODE XREF: RtlFindClearRuns+82j
					; RtlFindClearRuns+26Bj
		mov	eax, [ebp+var_14]
		mov	[ebx+ecx*8+0Ch], edi
		mov	[ebx+ecx*8+8], eax
		mov	ecx, [ebp+arg_0]

loc_4E11B6:				; CODE XREF: RtlFindClearRuns+3Aj
					; RtlFindClearRuns+69j	...
		mov	eax, ecx

loc_4E11B8:				; CODE XREF: RtlFindClearRuns+EB26Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4E11C1:				; CODE XREF: RtlFindClearRuns+55j
		movzx	edx, bl
		mov	[ebp+var_10], edx
		movzx	ecx, ds:_RtlpBitsClearLow[edx]
		mov	[ebp+var_20], ecx
		add	edi, ecx
		mov	ecx, [ebp+var_4]
		jnz	short loc_4E120C

loc_4E11D8:				; CODE XREF: RtlFindClearRuns+114j
					; RtlFindClearRuns+171j ...
		movzx	edi, ds:_RtlpBitsClearHigh[edx]
		mov	edx, offset dword_40AA50
		sub	ecx, edi
		sub	edx, edi
		add	ecx, 8
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+var_20]
		mov	cl, ds:byte_40BA58[ecx]
		or	cl, [edx]
		or	bl, cl
		cmp	bl, 0FFh
		jnz	loc_4E12A7

loc_4E1204:				; CODE XREF: RtlFindClearRuns+1C1j
					; RtlFindClearRuns+25Dj
		mov	edx, [ebp+var_C]
		jmp	loc_4E116A
; 

loc_4E120C:				; CODE XREF: RtlFindClearRuns+C6j
		mov	ecx, [ebp+arg_8]
		cmp	[ebp+arg_0], ecx
		jb	short loc_4E1228
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		cmp	[edx+ecx*8-4], edi
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_10]
		jnb	short loc_4E11D8
		jmp	short loc_4E122B
; 

loc_4E1228:				; CODE XREF: RtlFindClearRuns+102j
		inc	[ebp+arg_0]

loc_4E122B:				; CODE XREF: RtlFindClearRuns+116j
		mov	edx, [ebp+arg_0]
		mov	bh, [ebp+arg_C]
		add	edx, 0FFFFFFFEh
		mov	[ebp+var_8], edx
		test	bh, bh
		jz	short loc_4E1266
		mov	ecx, edx
		mov	edx, [ebp+arg_4]
		lea	edx, [edx+ecx*8]
		add	edx, 8

loc_4E1246:				; CODE XREF: RtlFindClearRuns+154j
		test	ecx, ecx
		js	short loc_4E1266
		cmp	[edx-4], edi
		jnb	short loc_4E1266
		mov	ecx, [edx-8]
		mov	[edx], ecx
		mov	ecx, [edx-4]
		mov	[edx+4], ecx
		mov	ecx, [ebp+var_8]
		dec	ecx
		sub	edx, 8
		mov	[ebp+var_8], ecx
		jmp	short loc_4E1246
; 

loc_4E1266:				; CODE XREF: RtlFindClearRuns+129j
					; RtlFindClearRuns+138j ...
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+arg_4]
		mov	[edx+ecx*8+0Ch], edi
		mov	edi, ecx
		mov	ecx, [ebp+var_14]
		mov	[edx+edi*8+8], ecx
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_10]
		test	bh, bh
		jnz	loc_4E11D8
		jmp	loc_5CC36C
; 

loc_4E128C:				; CODE XREF: RtlFindClearRuns+4Dj
		cmp	[ebp+var_18], 0
		jz	loc_4E1163
		mov	edx, [ebp+var_18]
		or	bl, ds:byte_40AA48[edx]
		mov	edx, [ebp+var_C]
		jmp	loc_4E1163
; 

loc_4E12A7:				; CODE XREF: RtlFindClearRuns+EEj
		mov	ecx, [ebp+arg_0]
		lea	ecx, ds:0FFFFFFFCh[ecx*8]
		add	ecx, [ebp+arg_4]
		mov	[ebp+var_8], ecx

loc_4E12B7:				; CODE XREF: RtlFindClearRuns+263j
		mov	edx, [ebp+arg_8]
		movzx	ecx, bl
		mov	[ebp+var_20], ecx
		cmp	[ebp+arg_0], edx
		jb	short loc_4E12DA
		mov	edx, [ebp+var_8]
		movzx	ecx, ds:_RtlpBitsClearAnywhere[ecx]
		cmp	[edx], ecx
		jnb	loc_4E1204
		mov	ecx, [ebp+var_20]

loc_4E12DA:				; CODE XREF: RtlFindClearRuns+1B3j
		mov	cl, ds:_RtlpBitsClearAnywhere[ecx]
		movzx	ecx, cl
		mov	[ebp+var_1C], ecx
		mov	bh, ds:byte_40BA58[ecx]
		xor	ecx, ecx
		mov	[ebp+var_20], ecx
		test	bh, bl
		jz	short loc_4E12FF

loc_4E12F5:				; CODE XREF: RtlFindClearRuns+1EAj
		add	bh, bh
		inc	ecx
		test	bh, bl
		jnz	short loc_4E12F5
		mov	[ebp+var_20], ecx

loc_4E12FF:				; CODE XREF: RtlFindClearRuns+1E3j
		mov	ecx, [ebp+arg_0]
		cmp	ecx, [ebp+arg_8]
		jnb	short loc_4E130F
		inc	ecx
		add	[ebp+var_8], 8
		mov	[ebp+arg_0], ecx

loc_4E130F:				; CODE XREF: RtlFindClearRuns+1F5j
		add	ecx, 0FFFFFFFEh
		cmp	[ebp+arg_C], 0
		mov	[ebp+var_10], ecx
		jz	short loc_4E1344
		mov	edx, [ebp+var_8]
		mov	esi, [ebp+var_1C]
		add	edx, 0FFFFFFFCh

loc_4E1324:				; CODE XREF: RtlFindClearRuns+232j
		test	ecx, ecx
		js	short loc_4E1344
		cmp	[edx-4], esi
		jnb	short loc_4E1344
		mov	ecx, [edx-8]
		mov	[edx], ecx
		mov	ecx, [edx-4]
		mov	[edx+4], ecx
		mov	ecx, [ebp+var_10]
		dec	ecx
		sub	edx, 8
		mov	[ebp+var_10], ecx
		jmp	short loc_4E1324
; 

loc_4E1344:				; CODE XREF: RtlFindClearRuns+209j
					; RtlFindClearRuns+216j ...
		mov	esi, [ebp+arg_4]
		mov	edx, [ebp+var_1C]
		mov	[esi+ecx*8+0Ch], edx
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_20]
		add	ecx, [ebp+var_4]
		cmp	[ebp+arg_C], 0
		mov	[esi+edx*8+8], ecx
		mov	esi, [ebp+var_24]
		jz	loc_5CC382

loc_4E1368:				; CODE XREF: RtlFindClearRuns+EB27Ej
		or	bl, bh
		cmp	bl, 0FFh
		jz	loc_4E1204
		jmp	loc_4E12B7
; 

loc_4E1378:				; CODE XREF: RtlFindClearRuns+92j
		cmp	[edx-4], edi
		jnb	loc_4E11A8
		mov	eax, [edx-8]
		dec	ecx
		mov	[edx], eax
		mov	eax, [edx-4]
		mov	[edx+4], eax
		sub	edx, 8
		jmp	loc_4E11A0
; 

loc_4E1395:				; CODE XREF: RtlFindClearRuns+71j
		cmp	[ebx+ecx*8-4], edi
		jb	loc_4E118B
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
RtlFindClearRuns endp

; 
		align 10h
; Exported entry 527. FsRtlGetIoAtEof

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlGetIoAtEof
FsRtlGetIoAtEof	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 005CC393 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, large fs:124h
		push	esi
		mov	esi, [eax]
		cmp	esi, edx
		jz	loc_5CC393
		mov	ecx, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jl	short loc_4E13E1
		jg	short loc_4E13DB
		test	ecx, ecx
		jb	short loc_4E13E1

loc_4E13DB:				; CODE XREF: FsRtlGetIoAtEof+25j
		add	ecx, [ebp+arg_10]
		adc	edi, [ebp+arg_14]

loc_4E13E1:				; CODE XREF: FsRtlGetIoAtEof+23j
					; FsRtlGetIoAtEof+29j
		test	esi, esi
		jnz	short loc_4E13FD
		mov	ecx, 1
		mov	[eax], edx
		mov	[eax+16h], cx
		mov	eax, [ebp+arg_1C]
		pop	edi
		mov	[eax], cl
		xor	eax, eax

loc_4E13F8:				; CODE XREF: FsRtlGetIoAtEof+EAFEFj
		pop	esi
		pop	ebp
		retn	20h
; 

loc_4E13FD:				; CODE XREF: FsRtlGetIoAtEof+33j
		cmp	[ebp+arg_18], 0
		jz	short loc_4E141E
		mov	edx, [ebp+arg_4]
		push	edi
		push	ecx
		mov	ecx, eax
		call	FsRtlpWaitForIoAtEof
		mov	cl, al
		mov	eax, [ebp+arg_1C]
		pop	edi
		pop	esi
		mov	[eax], cl
		xor	eax, eax
		pop	ebp
		retn	20h
; 

loc_4E141E:				; CODE XREF: FsRtlGetIoAtEof+51j
		pop	edi
		mov	eax, 0C0000054h
		pop	esi
		pop	ebp
		retn	20h
FsRtlGetIoAtEof	endp

; 
		align 10h
; Exported entry 463. FsRtlAcquireEofLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlAcquireEofLock
FsRtlAcquireEofLock proc near

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CC3A4 SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, large fs:124h
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		mov	[ebp+var_18], 0
		mov	eax, [eax+0Ch]
		mov	edi, [eax+28h]
		mov	eax, edi
		and	eax, 7FFFFFFCh
		mov	[ebp+var_14], eax
		jz	loc_5CC3A4
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jnz	loc_4E15D1
		mov	cl, [esi+1E4h]
		mov	[ebp+var_10], 0
		test	cl, cl
		jz	loc_5CC3AB

loc_4E14A1:				; CODE XREF: FsRtlAcquireEofLock+EAF96j
		movzx	eax, cl
		bsf	ecx, eax
		btr	eax, ecx
		mov	[ebp+var_10], ecx
		mov	[esi+1E4h], al
		lea	edx, [ecx+ecx*2]
		shl	edx, 4
		add	edx, [esi+1E8h]
		mov	[ebp+var_8], edx
		jz	loc_5CC3E7
		mov	ecx, dword_6D07D0
		mov	eax, edi
		shr	eax, 15h
		cmp	edi, ecx
		jb	short loc_4E14F5
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_5CC3F4
		cmp	edi, ecx
		jb	short loc_4E14F5
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_5CC3F4

loc_4E14F5:				; CODE XREF: FsRtlAcquireEofLock+A5j
					; FsRtlAcquireEofLock+B6j
		or	eax, 0FFFFFFFFh

loc_4E14F8:				; CODE XREF: FsRtlAcquireEofLock+EAFCFj
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp+var_14]
		mov	[edx+10h], eax

loc_4E1502:				; CODE XREF: FsRtlAcquireEofLock+EAFBFj
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_18]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4E152D
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	loc_4E15FA

loc_4E152D:				; CODE XREF: FsRtlAcquireEofLock+EFj
					; FsRtlAcquireEofLock+1CFj
		mov	esi, [ebp+var_8]

loc_4E1530:				; CODE XREF: FsRtlAcquireEofLock+EAF76j
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, al
		mov	[ebp+var_1], cl
		lock btr dword ptr [edi], 0
		jnb	loc_4E1604

loc_4E1548:				; CODE XREF: FsRtlAcquireEofLock+1E0j
		test	esi, esi
		jz	short loc_4E1550
		or	byte ptr [esi+0Eh], 1

loc_4E1550:				; CODE XREF: FsRtlAcquireEofLock+11Aj
		mov	eax, large fs:124h
		cmp	[ebp+var_C], 0
		mov	[edi+4], eax
		movzx	eax, cl
		mov	[edi+1Ch], eax
		jz	short loc_4E156B
		mov	eax, [ebp+var_C]
		lock inc dword ptr [eax]

loc_4E156B:				; CODE XREF: FsRtlAcquireEofLock+133j
		mov	ecx, [ebp+arg_0]
		mov	esi, 1
		mov	edx, [ebp+var_1C]
		mov	eax, [ecx]
		cmp	eax, edx
		jz	loc_5CC404
		test	eax, eax
		jnz	short loc_4E15E9
		mov	[ecx], edx
		mov	[ecx+16h], si

loc_4E158A:				; CODE XREF: FsRtlAcquireEofLock+1C8j
					; FsRtlAcquireEofLock+EAFD8j
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_0], eax
		cmp	[ebp+arg_0], 0
		jz	short loc_4E159C
		mov	eax, [ebp+arg_0]
		lock inc dword ptr [eax]

loc_4E159C:				; CODE XREF: FsRtlAcquireEofLock+164j
		mov	eax, [ecx+0Ch]
		mov	edi, [eax+28h]
		mov	al, [edi+1Ch]
		mov	byte ptr [ebp+arg_0+3],	al
		xor	eax, eax
		mov	dword ptr [edi+4], 0
		lock cmpxchg [edi], esi
		test	eax, eax
		jnz	short loc_4E1615

loc_4E15B9:				; CODE XREF: FsRtlAcquireEofLock+1EEj
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4E15D1:				; CODE XREF: FsRtlAcquireEofLock+56j
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	edi
		push	esi
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4E15E9:				; CODE XREF: FsRtlAcquireEofLock+152j
		mov	edx, [ebp+arg_4]
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		call	FsRtlpWaitForIoAtEof
		mov	ecx, [ebp+arg_0]
		jmp	short loc_4E158A
; 

loc_4E15FA:				; CODE XREF: FsRtlAcquireEofLock+F7j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4E152D
; 

loc_4E1604:				; CODE XREF: FsRtlAcquireEofLock+112j
		mov	edx, esi
		mov	ecx, edi
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		mov	cl, [ebp+var_1]
		jmp	loc_4E1548
; 

loc_4E1615:				; CODE XREF: FsRtlAcquireEofLock+187j
		mov	edx, eax
		mov	ecx, edi
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	short loc_4E15B9
FsRtlAcquireEofLock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpWaitForIoAtEof proc near		; CODE XREF: FsRtlGetIoAtEof+5Ap
					; FsRtlAcquireEofLock+1C0p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CC40D SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		xor	eax, eax
		mov	[esp+44h+var_38], edx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+4Ch+var_30], eax
		mov	[esp+4Ch+var_2C], eax
		mov	[esp+4Ch+var_28], eax
		mov	[esp+4Ch+var_24], eax
		mov	[esp+4Ch+var_20], eax
		mov	[esp+4Ch+var_1C], eax
		mov	[esp+4Ch+var_4], eax
		mov	eax, large fs:124h
		mov	ecx, eax
		mov	ebx, [esi]
		push	edi
		mov	[esp+50h+var_34], esi
		mov	[esp+50h+var_3C], eax
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		mov	edi, eax
		mov	[esp+50h+var_40], eax
		cmp	edi, 2
		jl	short loc_4E167B
		push	2
		pop	edi
		mov	[esp+50h+var_40], edi

loc_4E167B:				; CODE XREF: FsRtlpWaitForIoAtEof+52j
		cmp	edi, 1
		jle	short loc_4E1696
		cmp	byte ptr [esi+14h], 0
		jnz	short loc_4E1696
		mov	ecx, ebx
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 2
		jl	loc_4E17E7

loc_4E1696:				; CODE XREF: FsRtlpWaitForIoAtEof+5Ej
					; FsRtlpWaitForIoAtEof+64j ...
		mov	eax, [esp+50h+var_3C]
		mov	ecx, offset _KiInitialProcess
		cmp	[eax+150h], ecx
		jz	loc_5CC40D
		movsx	edi, byte ptr [eax+87h]

loc_4E16B2:				; CODE XREF: FsRtlpWaitForIoAtEof+EADF0j
		cmp	edi, 0Fh
		jge	loc_4E17BB

loc_4E16BB:				; CODE XREF: FsRtlpWaitForIoAtEof+19Ej
		cmp	edi, [esi+10h]
		jle	short loc_4E16DE
		mov	[esi+10h], edi
		cmp	[ebx+150h], ecx
		jz	loc_5CC415
		movsx	eax, byte ptr [ebx+87h]

loc_4E16D6:				; CODE XREF: FsRtlpWaitForIoAtEof+EADF8j
		cmp	edi, eax
		jg	loc_4E17AD

loc_4E16DE:				; CODE XREF: FsRtlpWaitForIoAtEof+9Ej
					; FsRtlpWaitForIoAtEof+196j
		mov	eax, [esi+8]
		lea	edx, [esi+4]
		mov	ebx, [esp+50h+var_40]
		cmp	eax, edx
		jnz	loc_4E1806

loc_4E16F0:				; CODE XREF: FsRtlpWaitForIoAtEof+1FCj
		push	0
		push	1
		lea	eax, [esp+58h+var_28]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [esp+50h+var_3C]
		mov	[esp+50h+var_10], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+50h+var_14], eax
		lea	eax, [esi+4]
		mov	ecx, [eax+4]
		mov	[esp+50h+var_C], edi
		mov	edi, [ebp+arg_0]
		mov	[esp+50h+var_8], ebx
		mov	[esp+50h+var_18], edi
		cmp	[ecx], eax
		jnz	loc_4E1840
		lea	edx, [esp+50h+var_30]
		mov	[esp+50h+var_30], eax
		mov	[esp+50h+var_2C], ecx
		mov	[ecx], edx
		mov	ecx, edx
		mov	[eax+4], ecx
		mov	eax, [esp+50h+var_38]
		mov	[esp+50h+var_40], eax
		cmp	[esp+50h+var_40], 0
		jz	short loc_4E1753
		mov	eax, [esp+50h+var_40]
		lock inc dword ptr [eax]

loc_4E1753:				; CODE XREF: FsRtlpWaitForIoAtEof+12Aj
		mov	ecx, [esi+0Ch]
		mov	ecx, [ecx+28h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+60h+var_28]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+50h+var_38]
		mov	ecx, [esi+0Ch]
		mov	[esp+50h+var_38], eax
		mov	ecx, [ecx+28h]
		call	ExAcquireFastMutex
		xor	edx, edx
		cmp	[esp+50h+var_38], edx
		jz	short loc_4E1790
		mov	eax, [esp+50h+var_38]
		lock inc dword ptr [eax]

loc_4E1790:				; CODE XREF: FsRtlpWaitForIoAtEof+167j
		mov	ecx, [ebp+arg_4]
		cmp	ecx, edx
		jl	short loc_4E179D
		jg	short loc_4E17D4
		cmp	edi, edx
		jnb	short loc_4E17D4

loc_4E179D:				; CODE XREF: FsRtlpWaitForIoAtEof+175j
					; FsRtlpWaitForIoAtEof+1BAj ...
		cmp	ebx, 2
		jl	short loc_4E17C3

loc_4E17A2:				; CODE XREF: FsRtlpWaitForIoAtEof+1A8j
					; FsRtlpWaitForIoAtEof+1ADj ...
		mov	al, 1

loc_4E17A4:				; CODE XREF: FsRtlpWaitForIoAtEof+1C5j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4E17AD:				; CODE XREF: FsRtlpWaitForIoAtEof+B8j
		mov	edx, edi
		mov	ecx, ebx
		call	KeSetPriorityBoost
		jmp	loc_4E16DE
; 

loc_4E17BB:				; CODE XREF: FsRtlpWaitForIoAtEof+95j
		push	0Fh
		pop	edi
		jmp	loc_4E16BB
; 

loc_4E17C3:				; CODE XREF: FsRtlpWaitForIoAtEof+180j
		cmp	[esp+50h+var_8], 2
		jl	short loc_4E17A2
		cmp	[esi+14h], dl
		jnz	short loc_4E17A2
		jmp	loc_5CC41D
; 

loc_4E17D4:				; CODE XREF: FsRtlpWaitForIoAtEof+177j
					; FsRtlpWaitForIoAtEof+17Bj
		mov	eax, [esi+0Ch]
		cmp	ecx, [eax+24h]
		jg	short loc_4E179D
		jl	short loc_4E17E3
		cmp	edi, [eax+20h]
		ja	short loc_4E179D

loc_4E17E3:				; CODE XREF: FsRtlpWaitForIoAtEof+1BCj
		xor	al, al
		jmp	short loc_4E17A4
; 

loc_4E17E7:				; CODE XREF: FsRtlpWaitForIoAtEof+70j
		push	0
		push	0
		xor	dl, dl
		call	PsBoostThreadIoEx
		push	0
		mov	edx, edi
		mov	ecx, ebx
		call	IoBoostThreadIoPriority
		mov	byte ptr [esi+14h], 1
		jmp	loc_4E1696
; 

loc_4E1806:				; CODE XREF: FsRtlpWaitForIoAtEof+CAj
					; FsRtlpWaitForIoAtEof+21Aj
		mov	ecx, [eax+24h]
		cmp	ecx, edi
		mov	[esp+50h+var_40], ecx
		mov	ecx, [eax+28h]
		jl	short loc_4E1821
		cmp	ecx, ebx
		jl	short loc_4E1825

loc_4E1818:				; CODE XREF: FsRtlpWaitForIoAtEof+218j
		mov	esi, [esp+50h+var_34]
		jmp	loc_4E16F0
; 

loc_4E1821:				; CODE XREF: FsRtlpWaitForIoAtEof+1F2j
		mov	[esp+50h+var_40], edi

loc_4E1825:				; CODE XREF: FsRtlpWaitForIoAtEof+1F6j
		mov	esi, [esp+50h+var_40]
		mov	[eax+24h], esi
		cmp	ebx, ecx
		jg	short loc_4E183C

loc_4E1830:				; CODE XREF: FsRtlpWaitForIoAtEof+21Ej
		mov	[eax+28h], ecx
		mov	eax, [eax+4]
		cmp	eax, edx
		jz	short loc_4E1818
		jmp	short loc_4E1806
; 

loc_4E183C:				; CODE XREF: FsRtlpWaitForIoAtEof+20Ej
		mov	ecx, ebx
		jmp	short loc_4E1830
; 

loc_4E1840:				; CODE XREF: FsRtlpWaitForIoAtEof+104j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall SepConvertTokenPrivileges(x, x)
_SepConvertTokenPrivileges@8:		; CODE XREF: SeQueryInformationToken(x,x,x)+20Bp
					; NtQueryInformationToken(x,x,x,x,x)+6A1p
		mov	edi, edi
		push	esi
		mov	esi, edx
		lea	edx, [esi+4]
		call	_SepConvertTokenPrivilegesToLuidAndAttributes@8	; SepConvertTokenPrivilegesToLuidAndAttributes(x,x)
		mov	[esi], eax
		pop	esi
		retn
FsRtlpWaitForIoAtEof endp ; sp = -54h

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepConvertTokenPrivilegesToLuidAndAttributes(x, x)
_SepConvertTokenPrivilegesToLuidAndAttributes@8	proc near
					; CODE XREF: FsRtlpWaitForIoAtEof+22Ep
					; SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+355p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_4], edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], eax
		xor	esi, esi

loc_4E1877:				; CODE XREF: SepConvertTokenPrivilegesToLuidAndAttributes(x,x)+84j
		mov	eax, 1
		xor	edx, edx
		mov	ecx, esi
		call	__allshl
		mov	ecx, [edi+40h]
		mov	ebx, eax
		mov	eax, [edi+44h]
		and	ecx, ebx
		and	eax, edx
		mov	[ebp+var_C], edx
		or	ecx, eax
		jz	short loc_4E18E0
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		cdq
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	ecx, [edi+48h]
		mov	eax, [edi+4Ch]
		and	ecx, ebx
		mov	edx, [ebp+var_C]
		and	eax, edx
		or	ecx, eax
		mov	[ebp+var_C], 2
		jz	short loc_4E18F4

loc_4E18BB:				; CODE XREF: SepConvertTokenPrivilegesToLuidAndAttributes(x,x)+9Bj
		mov	ecx, [edi+50h]
		mov	eax, [edi+54h]
		and	ecx, ebx
		and	eax, edx
		or	ecx, eax
		jz	short loc_4E18F0
		mov	eax, 1

loc_4E18CE:				; CODE XREF: SepConvertTokenPrivilegesToLuidAndAttributes(x,x)+92j
		mov	ecx, [ebp+var_4]
		or	eax, [ebp+var_C]
		inc	[ebp+var_8]
		mov	[ecx+8], eax
		add	ecx, 0Ch
		mov	[ebp+var_4], ecx

loc_4E18E0:				; CODE XREF: SepConvertTokenPrivilegesToLuidAndAttributes(x,x)+36j
		inc	esi
		cmp	esi, 24h
		jbe	short loc_4E1877
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E18F0:				; CODE XREF: SepConvertTokenPrivilegesToLuidAndAttributes(x,x)+67j
		xor	eax, eax
		jmp	short loc_4E18CE
; 

loc_4E18F4:				; CODE XREF: SepConvertTokenPrivilegesToLuidAndAttributes(x,x)+59j
		mov	[ebp+var_C], 0
		jmp	short loc_4E18BB
_SepConvertTokenPrivilegesToLuidAndAttributes@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize proc near
					; CODE XREF: AuthzBasepGetInternalSecurityAttributesCopyoutBufferSize+84p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CC433 SIZE 0000007D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	esi, ecx
		mov	eax, [ebx]
		lea	edi, [eax+7]
		and	edi, 0FFFFFFF8h
		mov	[ebp+var_8], edi
		cmp	edi, eax
		jb	loc_5CC433
		mov	eax, [esi+24h]
		push	28h
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_4], edi
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_4E1967
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_4E1967
		movzx	edx, word ptr [esi+18h]
		mov	eax, edx
		test	ax, ax
		jz	short loc_4E199A
		cmp	eax, 2
		ja	short loc_4E196E

loc_4E195E:				; CODE XREF: AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+80j
					; AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+A1j ...
		test	ecx, ecx
		js	short loc_4E1967
		mov	eax, [ebp+var_4]
		mov	[ebx], eax

loc_4E1967:				; CODE XREF: AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+3Aj
					; AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+4Ej ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn
; 

loc_4E196E:				; CODE XREF: AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+5Ej
		cmp	eax, 3
		jnz	loc_5CC43D
		lea	edi, [esi+2Ch]
		mov	esi, [edi]

loc_4E197C:				; CODE XREF: AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+9Aj
		cmp	esi, edi
		jz	short loc_4E195E
		movzx	edx, word ptr [esi+18h]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_4E1967
		mov	esi, [esi]
		jmp	short loc_4E197C
; 

loc_4E199A:				; CODE XREF: AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+59j
					; AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+EAB55j
		mov	ecx, 0C000000Dh
		jmp	short loc_4E195E
AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepTokenPrivilegeCount(x)
_SepTokenPrivilegeCount@4 proc near	; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+16Dp
					; SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+17Cp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+44h]
		push	ebx
		mov	ebx, [ecx+40h]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], eax
		xor	esi, esi

loc_4E19C6:				; CODE XREF: SepTokenPrivilegeCount(x)+32j
		mov	eax, 1
		xor	edx, edx
		mov	ecx, esi
		call	__allshl
		and	edx, [ebp+var_4]
		and	eax, ebx
		or	eax, edx
		jz	short loc_4E19DE
		inc	edi

loc_4E19DE:				; CODE XREF: SepTokenPrivilegeCount(x)+2Bj
		inc	esi
		cmp	esi, 24h
		jbe	short loc_4E19C6
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_SepTokenPrivilegeCount@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall SeQueryMandatoryPolicyToken(x, x)
_SeQueryMandatoryPolicyToken@8 proc near
					; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C0p
					; NtQueryInformationToken(x,x,x,x,x)+2462p
		mov	eax, [ecx+0BCh]
		mov	[edx], eax
		xor	eax, eax
		retn
_SeQueryMandatoryPolicyToken@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepCopyoutInternalSecurityAttributeValues(x,	x, x, x, x)
_AuthzBasepCopyoutInternalSecurityAttributeValues@20 proc near
					; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+160p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		mov	[ebp+var_C], edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		add	edx, ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_1C], edx
		push	edi
		cmp	edx, ecx
		jnb	short loc_4E1A28

loc_4E1A1E:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+43j
					; AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+B1j ...
		mov	esi, 80000005h
		jmp	loc_4E1B9B
; 

loc_4E1A28:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+22j
		mov	eax, [ebp+arg_8]
		lea	edi, [ecx+7]
		imul	ebx, [ebx+24h],	28h
		and	[eax], esi
		mov	eax, edi
		and	eax, 0FFFFFFF8h
		add	eax, ebx
		cmp	eax, edx
		ja	short loc_4E1A1E
		and	edi, 0FFFFFFF8h
		mov	eax, edi
		add	edi, ebx
		mov	ebx, [ebp+var_8]
		add	ebx, 2Ch
		mov	[ebp+var_18], ebx
		mov	ecx, [ebx]
		mov	[ebp+arg_4], ecx
		cmp	ecx, ebx
		jz	loc_4E1B93
		lea	ebx, [eax+18h]

loc_4E1A5F:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+18Bj
		mov	eax, [ebp+var_8]
		and	dword ptr [ebx-8], 0
		movzx	esi, word ptr [eax+18h]
		mov	eax, esi
		test	ax, ax
		jz	loc_4E1B8A
		cmp	eax, 2
		jbe	loc_4E1B4D
		cmp	eax, 3
		jz	loc_4E1B17
		cmp	eax, 4
		jz	short loc_4E1ACA
		cmp	eax, 5
		jz	short loc_4E1AA3
		cmp	eax, 6
		jz	loc_4E1B4D
		cmp	esi, 10h
		jnz	loc_4E1B8A

loc_4E1AA3:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+95j
		mov	eax, [ecx+1Ch]
		lea	esi, [eax+edi]
		cmp	esi, edx
		ja	loc_4E1A1E
		push	eax		; size_t
		mov	[ebx+4], eax
		mov	[ebx], edi
		push	dword ptr [ecx+18h] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edi, esi
		jmp	loc_4E1B58
; 

loc_4E1ACA:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+90j
		movzx	eax, word ptr [ecx+20h]
		mov	esi, eax
		add	eax, edi
		mov	[ebp+var_10], esi
		lea	esi, [ecx+20h]
		mov	[ebp+var_14], eax
		cmp	eax, edx
		ja	loc_4E1A1E
		mov	eax, [ecx+18h]
		and	[ebp+var_24], 0
		mov	[ebx], eax
		mov	eax, [ecx+1Ch]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_10]
		mov	word ptr [ebp+var_24+2], ax
		lea	eax, [ebp+var_24]
		push	esi
		push	eax
		mov	[ebp+var_20], edi
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	eax, [ebp+var_24]
		mov	edi, [ebp+var_14]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_20]
		mov	[ebx+0Ch], eax
		jmp	short loc_4E1B58
; 

loc_4E1B17:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+87j
		add	ecx, 18h
		movzx	esi, word ptr [ecx]
		lea	eax, [edi+esi]
		mov	[ebp+var_14], eax
		cmp	eax, edx
		ja	loc_4E1A1E
		and	[ebp+var_24], 0
		lea	eax, [ebp+var_24]
		push	ecx
		push	eax
		mov	word ptr [ebp+var_24+2], si
		mov	[ebp+var_20], edi
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	eax, [ebp+var_24]
		mov	edi, [ebp+var_14]
		mov	[ebx], eax
		mov	eax, [ebp+var_20]
		jmp	short loc_4E1B55
; 

loc_4E1B4D:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+7Ej
					; AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+9Aj
		mov	eax, [ecx+18h]
		mov	[ebx], eax
		mov	eax, [ecx+1Ch]

loc_4E1B55:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+151j
		mov	[ebx+4], eax

loc_4E1B58:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+CBj
					; AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+11Bj
		mov	ecx, [ebp+var_C]
		lea	edx, [ebx-18h]
		add	ecx, 2Ch
		call	_AuthzBasepProbeAndInsertTailList@8 ; AuthzBasepProbeAndInsertTailList(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_4E1B9B
		mov	eax, [ebp+var_C]
		add	ebx, 28h
		mov	ecx, [ebp+arg_4]
		inc	dword ptr [eax+24h]
		mov	ecx, [ecx]
		mov	[ebp+arg_4], ecx
		cmp	ecx, [ebp+var_18]
		jz	short loc_4E1B8F
		mov	edx, [ebp+var_1C]
		jmp	loc_4E1A5F
; 

loc_4E1B8A:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+75j
					; AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+A3j
		mov	esi, 0C000000Dh

loc_4E1B8F:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+186j
		test	esi, esi
		js	short loc_4E1B9B

loc_4E1B93:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+5Cj
		mov	eax, [ebp+arg_8]
		sub	edi, [ebp+arg_0]
		mov	[eax], edi

loc_4E1B9B:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+29j
					; AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+170j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_AuthzBasepCopyoutInternalSecurityAttributeValues@20 endp

; 
		align 10h
; Exported entry 838. IoGetActivityIdIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoGetActivityIdIrp
IoGetActivityIdIrp proc	near		; CODE XREF: IoPropagateActivityIdToThread+E8B2Ap
					; EtwpTraceIo+DA921p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CC4B0 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [edx+68h]
		nop
		cmp	byte ptr [edx+27h], 0
		jl	short loc_4E1BD0
		test	eax, eax
		jz	short loc_4E1BD0
		test	byte ptr [eax+2], 1
		jnz	loc_5CC4B0

loc_4E1BD0:				; CODE XREF: IoGetActivityIdIrp+10j
					; IoGetActivityIdIrp+14j
		mov	eax, 0C0000225h

loc_4E1BD5:				; CODE XREF: IoGetActivityIdIrp+EA91Fj
		pop	ebp
		retn	8
IoGetActivityIdIrp endp

; 
		align 10h
; Exported entry 224. CcRemapBcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcRemapBcb
CcRemapBcb	proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CC4D4 SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, 2FAh
		and	eax, 0FFFFFFFEh
		movzx	ecx, word ptr [eax]
		cmp	cx, dx
		jz	short loc_4E1C46
		mov	edx, 2FDh
		cmp	cx, dx
		jz	short loc_4E1C41

loc_4E1C02:				; CODE XREF: CcRemapBcb+64j
					; CcRemapBcb+6Cj
		cmp	word ptr [eax+8], 1
		lea	edx, [eax+8]
		jb	loc_5CC4FE
		push	esi
		mov	esi, [eax+4]
		cmp	dword ptr [esi+4], 1
		jb	loc_5CC4E9
		mov	ecx, 1
		lock xadd [edx], ecx
		inc	ecx
		movzx	ecx, cx
		test	cx, cx
		jz	loc_5CC4D4
		cmp	ecx, 1
		jz	short loc_4E1C4E

loc_4E1C39:				; CODE XREF: CcRemapBcb+75j
		or	eax, 1
		pop	esi
		pop	ebp
		retn	4
; 

loc_4E1C41:				; CODE XREF: CcRemapBcb+20j
		mov	eax, [eax+30h]
		jmp	short loc_4E1C02
; 

loc_4E1C46:				; CODE XREF: CcRemapBcb+16j
		mov	ecx, [eax+10h]
		mov	eax, [ecx+30h]
		jmp	short loc_4E1C02
; 

loc_4E1C4E:				; CODE XREF: CcRemapBcb+57j
		lock inc dword ptr [esi+180h]
		jmp	short loc_4E1C39
CcRemapBcb	endp

; 
		align 10h
; Exported entry  54. ExReleaseAutoExpandPushLockShared

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExReleaseAutoExpandPushLockShared
ExReleaseAutoExpandPushLockShared proc near ; CODE XREF: MiLockAweVadsShared(x)+35p
					; MiProtectAweRegion(x,x,x,x,x)+FDp ...

var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CC533 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		mov	ebx, edx
		mov	[esp+10h+var_8], 0
		mov	[esp+10h+var_4], 0
		push	esi
		push	edi
		test	ebx, 0FFFFFFFCh
		jnz	short loc_4E1CEA
		mov	eax, ecx
		and	eax, ebx
		test	al, 2
		jnz	short loc_4E1CEA
		mov	esi, ecx
		and	esi, 0FFFFFFFCh
		test	cl, 1
		jz	loc_5CC514
		mov	eax, [esi+4]
		mov	ecx, [esi+8]
		mov	edi, ecx
		mov	[esp+18h+var_C], ecx
		cmp	edi, 80000000h
		jnb	short loc_4E1CFA

loc_4E1CB2:				; CODE XREF: ExReleaseAutoExpandPushLockShared+9Cj
					; ExReleaseAutoExpandPushLockShared+BDj ...
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jnz	short loc_4E1D1F

loc_4E1CC2:				; CODE XREF: ExReleaseAutoExpandPushLockShared+120j
		cmp	edi, 80000000h
		jnb	short loc_4E1CD7
		add	edi, 100000h
		mov	[esp+18h+var_C], edi
		mov	[esi+8], edi

loc_4E1CD7:				; CODE XREF: ExReleaseAutoExpandPushLockShared+68j
					; ExReleaseAutoExpandPushLockShared+E2j ...
		test	bl, 2
		jnz	short loc_4E1CE3
		mov	ecx, esi
		call	KeAbPostRelease

loc_4E1CE3:				; CODE XREF: ExReleaseAutoExpandPushLockShared+7Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E1CEA:				; CODE XREF: ExReleaseAutoExpandPushLockShared+26j
					; ExReleaseAutoExpandPushLockShared+2Ej
		push	0
		push	0
		push	ecx
		push	ebx
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4E1CFA:				; CODE XREF: ExReleaseAutoExpandPushLockShared+50j
		test	al, 3
		jnz	short loc_4E1CB2
		movzx	eax, di
		cmp	eax, ds:_ExpAeCycleCountThreshold
		jnb	loc_5CC533

loc_4E1D0D:				; CODE XREF: ExReleaseAutoExpandPushLockShared+EA8DFj
					; ExReleaseAutoExpandPushLockShared+EA8EDj
		shr	edi, 2
		and	edi, 3FF33FFFh
		mov	[esp+2Ch+var_20], edi
		mov	[esi+8], edi
		jmp	short loc_4E1CB2
; 

loc_4E1D1F:				; CODE XREF: ExReleaseAutoExpandPushLockShared+60j
		mov	ecx, esi
		test	ds:_ExpAeSamplingPeriodMask, edi
		jz	short loc_4E1D4D
		xor	edx, edx
		call	ExfReleasePushLockSharedEx
		mov	eax, [esi+8]
		lea	ecx, [esp+18h+var_C]
		mov	[esp+18h+var_C], eax
		call	_ExpAeUpdateStatsAfterSharedRelease@4 ;	ExpAeUpdateStatsAfterSharedRelease(x)
		test	al, al
		jz	short loc_4E1CD7
		mov	eax, [esp+18h+var_C]
		mov	[esi+8], eax
		jmp	short loc_4E1CD7
; 

loc_4E1D4D:				; CODE XREF: ExReleaseAutoExpandPushLockShared+C7j
		lea	edx, [esp+18h+var_8]
		call	ExfReleasePushLockSharedEx
		mov	eax, [esp+18h+var_8]
		or	eax, [esp+18h+var_4]
		jz	loc_4E1CD7
		mov	eax, [esi+8]
		lea	ecx, [esp+18h+var_C]
		push	[esp+18h+var_4]
		mov	[esp+1Ch+var_C], eax
		push	[esp+1Ch+var_8]
		call	_ExpAeUpdateStatsAfterMeasurement@12 ; ExpAeUpdateStatsAfterMeasurement(x,x,x)
		mov	edi, [esp+18h+var_C]
		jmp	loc_4E1CC2
ExReleaseAutoExpandPushLockShared endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExfReleasePushLockSharedEx proc	near	; CODE XREF: ExReleaseAutoExpandPushLockShared+CBp
					; ExReleaseAutoExpandPushLockShared+F1p

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CC55F SIZE 00000071 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		mov	esi, edx
		mov	ebx, ecx
		mov	[ebp+var_4], ebx
		stosd
		stosd
		stosd
		test	esi, esi
		jnz	short loc_4E1DD4

loc_4E1DA5:				; CODE XREF: ExfReleasePushLockSharedEx+56j
		mov	ecx, [ebx]
		test	cl, 2
		jnz	loc_5CC55F

loc_4E1DB0:				; CODE XREF: ExfReleasePushLockSharedEx+68j
		mov	edx, ecx
		lea	eax, [ecx-10h]
		and	edx, 0FFFFFFF0h
		sub	edx, 10h
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jnz	short loc_4E1DEA
		test	esi, esi
		jnz	short loc_4E1DDE

loc_4E1DCF:				; CODE XREF: ExfReleasePushLockSharedEx+62j
					; ExfReleasePushLockSharedEx+EA7FAj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4E1DD4:				; CODE XREF: ExfReleasePushLockSharedEx+1Dj
		lea	ecx, [ebp+var_18]
		call	_ExpAeStartMeasurement@8 ; ExpAeStartMeasurement(x,x)
		jmp	short loc_4E1DA5
; 

loc_4E1DDE:				; CODE XREF: ExfReleasePushLockSharedEx+47j
		mov	edx, esi
		lea	ecx, [ebp+var_18]
		call	_ExpAeStopMeasurement@8	; ExpAeStopMeasurement(x,x)
		jmp	short loc_4E1DCF
; 

loc_4E1DEA:				; CODE XREF: ExfReleasePushLockSharedEx+43j
		mov	ecx, eax
		test	al, 2
		jz	short loc_4E1DB0
		jmp	loc_5CC55F
ExfReleasePushLockSharedEx endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ExpAeUpdateStatsAfterSharedRelease(x)
_ExpAeUpdateStatsAfterSharedRelease@4 proc near
					; CODE XREF: ExReleaseAutoExpandPushLockShared+DBp
		mov	eax, [ecx]
		cmp	eax, 80000000h
		jnb	short loc_4E1E09
		add	eax, 100000h
		mov	[ecx], eax
		mov	al, 1
		retn
; 

loc_4E1E09:				; CODE XREF: ExpAeUpdateStatsAfterSharedRelease(x)+7j
		xor	al, al
		retn
_ExpAeUpdateStatsAfterSharedRelease@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExpAeStopMeasurement(x, x)
_ExpAeStopMeasurement@8	proc near	; CODE XREF: ExfReleasePushLockSharedEx+5Dp
		mov	edi, edi
		push	esi
		mov	esi, [ecx+0Ch]
		push	edi
		mov	edi, edx
		rdtsc
		mov	esi, [esi+8Ch]
		cmp	esi, [ecx+8]
		jnz	short loc_4E1E2C
		sub	eax, [ecx]
		mov	[edi], eax
		sbb	edx, [ecx+4]
		mov	[edi+4], edx

loc_4E1E2C:				; CODE XREF: ExpAeStopMeasurement(x,x)+14j
		pop	edi
		pop	esi
		retn
_ExpAeStopMeasurement@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ExpAeStartMeasurement(x, x)
_ExpAeStartMeasurement@8 proc near	; CODE XREF: ExfReleasePushLockSharedEx+51p
		mov	eax, large fs:124h
		push	esi
		mov	esi, edx
		mov	[ecx+0Ch], eax
		mov	eax, [eax+8Ch]
		mov	[ecx+8], eax
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		rdtsc
		mov	[ecx], eax
		mov	[ecx+4], edx
		pop	esi
		retn
_ExpAeStartMeasurement@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpAeUpdateStatsAfterMeasurement(x,	x, x)
_ExpAeUpdateStatsAfterMeasurement@12 proc near
					; CODE XREF: ExReleaseAutoExpandPushLockShared+117p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi]
		cmp	edi, 80000000h
		jnb	short loc_4E1E8C
		movzx	ecx, ds:_ExpAeCycleCountScaler
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		call	__aullshr
		mov	ecx, 1FFh
		test	edx, edx
		jnz	short loc_4E1E92
		cmp	eax, ecx
		ja	short loc_4E1E92

loc_4E1E88:				; CODE XREF: ExpAeUpdateStatsAfterMeasurement(x,x,x)+3Ej
		add	eax, edi
		mov	[esi], eax

loc_4E1E8C:				; CODE XREF: ExpAeUpdateStatsAfterMeasurement(x,x,x)+11j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_4E1E92:				; CODE XREF: ExpAeUpdateStatsAfterMeasurement(x,x,x)+2Cj
					; ExpAeUpdateStatsAfterMeasurement(x,x,x)+30j
		mov	eax, ecx
		jmp	short loc_4E1E88
_ExpAeUpdateStatsAfterMeasurement@12 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 514. FsRtlFastUnlockAll

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlFastUnlockAll(x, x, x,	x)
		public _FsRtlFastUnlockAll@16
_FsRtlFastUnlockAll@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		push	[ebp+arg_8]
		call	FsRtlPrivateFastUnlockAll
		pop	ebp
		retn	10h
_FsRtlFastUnlockAll@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlPrivateFastUnlockAll proc near	; CODE XREF: FsRtlFastUnlockAll(x,x,x,x)+15p
					; FsRtlProcessFileLock+81D8Cp ...

var_3E		= byte ptr -3Eh
var_3D		= byte ptr -3Dh
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005CC5D0 SIZE 000002A2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, [ecx+0Ch]
		push	ebx
		xor	ebx, ebx
		mov	[esp+40h+var_1C], edx
		mov	[esp+40h+var_14], ebx
		mov	[esp+40h+var_10], ebx
		mov	[esp+40h+var_C], ebx
		mov	[esp+40h+var_18], ebx
		mov	[esp+40h+var_30], eax
		push	esi
		push	edi
		test	eax, eax
		jz	loc_4E204E
		lea	esi, [eax+10h]
		mov	[edx+48h], ebx
		mov	[esp+48h+var_24], esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	ecx, esi
		mov	[esp+48h+var_36], bl
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	byte ptr [esp+48h+var_2C], bl
		mov	ebx, [esi+4]
		test	ebx, ebx
		jz	loc_4E2028

loc_4E1F19:				; CODE XREF: FsRtlPrivateFastUnlockAll+254j
					; FsRtlPrivateFastUnlockAll+EA727j
		mov	eax, [ebx+4]
		test	eax, eax
		jnz	loc_5CC5DF
		xor	al, al
		mov	[esp+48h+var_35], al

loc_4E1F2A:				; CODE XREF: FsRtlPrivateFastUnlockAll+10Bj
		push	ebx
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		mov	[esp+48h+var_20], eax
		lea	edx, [ebx-10h]
		mov	edi, [edx]
		xor	eax, eax
		mov	[esp+48h+var_8], eax
		mov	ecx, eax
		mov	[esp+48h+var_4], eax
		mov	[esp+48h+var_10], eax
		mov	[esp+48h+var_C], eax
		mov	eax, edx
		mov	[esp+48h+var_34], ecx
		mov	[esp+48h+var_28], eax
		test	edi, edi
		jz	short loc_4E1FB2

loc_4E1F5B:				; CODE XREF: FsRtlPrivateFastUnlockAll+EAj
		mov	esi, [esp+48h+var_1C]
		cmp	[edi+20h], esi
		mov	esi, [esp+48h+var_24]
		mov	[esp+48h+var_18], edi
		jz	loc_4E2055

loc_4E1F70:				; CODE XREF: FsRtlPrivateFastUnlockAll+1A4j
					; FsRtlPrivateFastUnlockAll+EA736j
		mov	[esp+48h+var_28], edi

loc_4E1F74:				; CODE XREF: FsRtlPrivateFastUnlockAll+204j
		mov	ecx, [esp+48h+var_34]
		test	ecx, ecx
		jnz	short loc_4E1F9C
		mov	ecx, [edi+2Ch]
		mov	eax, [edi+28h]
		cmp	ecx, [esp+48h+var_C]
		jb	short loc_4E1F98
		ja	short loc_4E1F90
		cmp	eax, [esp+48h+var_10]
		jbe	short loc_4E1F98

loc_4E1F90:				; CODE XREF: FsRtlPrivateFastUnlockAll+CEj
		mov	[esp+48h+var_10], eax
		mov	[esp+48h+var_C], ecx

loc_4E1F98:				; CODE XREF: FsRtlPrivateFastUnlockAll+CCj
					; FsRtlPrivateFastUnlockAll+D4j
		mov	ecx, [esp+48h+var_34]

loc_4E1F9C:				; CODE XREF: FsRtlPrivateFastUnlockAll+C0j
		mov	eax, [esp+48h+var_28]
		mov	edi, [eax]
		test	edi, edi
		jnz	short loc_4E1F5B

loc_4E1FA6:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA748j
		mov	eax, [esp+48h+var_34]
		test	eax, eax
		jnz	loc_4E20C3

loc_4E1FB2:				; CODE XREF: FsRtlPrivateFastUnlockAll+9Fj
					; FsRtlPrivateFastUnlockAll+222j ...
		cmp	[esp+48h+var_35], 0
		jnz	loc_5CC607

loc_4E1FBD:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA7D5j
		mov	ecx, [esp+48h+var_20]

loc_4E1FC1:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA7B3j
					; FsRtlPrivateFastUnlockAll+EA7BEj
		mov	ebx, ecx
		test	ecx, ecx
		jnz	loc_4E1F2A

loc_4E1FCB:				; CODE XREF: FsRtlPrivateFastUnlockAll+24Ej
		mov	edi, [esi+8]
		test	edi, edi
		jnz	loc_4E20E3

loc_4E1FD6:				; CODE XREF: FsRtlPrivateFastUnlockAll+247j
		lea	eax, [esi+0Ch]

loc_4E1FD9:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA9A4j
		mov	[esp+48h+var_34], eax

loc_4E1FDD:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA99Dj
		mov	ebx, [eax]
		test	ebx, ebx
		jnz	loc_5CC70B
		push	[esp+48h+var_2C]
		mov	ecx, [esp+4Ch+var_30]
		mov	edx, esi
		call	FsRtlPrivateCheckWaitingLocks
		mov	ecx, [esp+48h+var_30]
		call	_FsRtlPrivateResetLowestLockOffset@4 ; FsRtlPrivateResetLowestLockOffset(x)
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5CC863
		xor	eax, eax
		lock and [esi],	eax

loc_4E2013:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA9B3j
		mov	cl, [esp+48h+var_36]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax

loc_4E201F:				; CODE XREF: FsRtlPrivateFastUnlockAll+199j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4E2028:				; CODE XREF: FsRtlPrivateFastUnlockAll+59j
		cmp	dword ptr [esi+8], 0
		jnz	loc_4E2106
		test	ds:byte_70EFC6,	1
		jnz	loc_5CC5D0
		xor	eax, eax
		lock and [esi],	eax

loc_4E2044:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA720j
		mov	cl, [esp+48h+var_36]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4E204E:				; CODE XREF: FsRtlPrivateFastUnlockAll+2Dj
		mov	eax, 0C000007Eh
		jmp	short loc_4E201F
; 

loc_4E2055:				; CODE XREF: FsRtlPrivateFastUnlockAll+B0j
		mov	edx, [ebp+arg_0]
		cmp	[edi+24h], edx
		lea	edx, [ebx-10h]
		jnz	loc_4E1F70
		cmp	[ebp+arg_8], 0
		jnz	loc_5CC5E6

loc_4E206E:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA73Cj
		test	ecx, ecx
		jnz	short loc_4E2076
		mov	[esp+48h+var_34], eax

loc_4E2076:				; CODE XREF: FsRtlPrivateFastUnlockAll+1B6j
		mov	ecx, [edi+2Ch]
		mov	eax, [edi+28h]
		cmp	ecx, [esp+48h+var_4]
		ja	short loc_4E208A
		jb	short loc_4E2092
		cmp	eax, [esp+48h+var_8]
		jbe	short loc_4E2092

loc_4E208A:				; CODE XREF: FsRtlPrivateFastUnlockAll+1C6j
		mov	[esp+48h+var_8], eax
		mov	[esp+48h+var_4], ecx

loc_4E2092:				; CODE XREF: FsRtlPrivateFastUnlockAll+1C8j
					; FsRtlPrivateFastUnlockAll+1CEj
		mov	ecx, [esp+48h+var_28]
		mov	eax, [ecx]
		cmp	eax, [edx+1Ch]
		jz	short loc_4E2113

loc_4E209D:				; CODE XREF: FsRtlPrivateFastUnlockAll+25Cj
		mov	eax, [edi]
		mov	[ecx], eax
		mov	eax, [esp+48h+var_30]
		cmp	dword ptr [eax+0Ch], 0
		jnz	loc_5CC5FB
		mov	edx, edi
		mov	ecx, offset _FsRtlSharedLockLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		lea	edx, [ebx-10h]
		jmp	loc_4E1F74
; 

loc_4E20C3:				; CODE XREF: FsRtlPrivateFastUnlockAll+F2j
		cmp	dword ptr [edx], 0
		jz	short loc_4E2118
		lea	ecx, [esp+48h+var_10]
		mov	edx, eax
		push	ecx
		lea	ecx, [esp+4Ch+var_8]
		push	ecx
		lea	ecx, [ebx-10h]
		call	FsRtlSplitLocks
		jmp	loc_4E1FB2
; 

loc_4E20E1:				; CODE XREF: FsRtlPrivateFastUnlockAll+22Ej
		mov	edi, eax

loc_4E20E3:				; CODE XREF: FsRtlPrivateFastUnlockAll+116j
		mov	eax, [edi+4]
		test	eax, eax
		jnz	short loc_4E20E1

loc_4E20EA:				; CODE XREF: FsRtlPrivateFastUnlockAll+245j
		push	edi
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		mov	ebx, eax
		mov	eax, [esp+48h+var_1C]
		cmp	[edi+28h], eax
		jz	short loc_4E2133

loc_4E20FB:				; CODE XREF: FsRtlPrivateFastUnlockAll+27Fj
					; FsRtlPrivateFastUnlockAll+2AEj ...
		mov	edi, ebx
		test	ebx, ebx
		jnz	short loc_4E20EA
		jmp	loc_4E1FD6
; 

loc_4E2106:				; CODE XREF: FsRtlPrivateFastUnlockAll+172j
		test	ebx, ebx
		jz	loc_4E1FCB
		jmp	loc_4E1F19
; 

loc_4E2113:				; CODE XREF: FsRtlPrivateFastUnlockAll+1E1j
		mov	[edx+1Ch], ecx
		jmp	short loc_4E209D
; 

loc_4E2118:				; CODE XREF: FsRtlPrivateFastUnlockAll+20Cj
		push	ebx
		call	_RtlDelete@4	; RtlDelete(x)
		lea	edx, [ebx-10h]
		mov	[esi+4], eax
		mov	ecx, offset _FsRtlLockTreeNodeLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	loc_4E1FB2
; 

loc_4E2133:				; CODE XREF: FsRtlPrivateFastUnlockAll+23Fj
		mov	eax, [ebp+arg_0]
		cmp	[edi+2Ch], eax
		jnz	short loc_4E20FB
		cmp	[ebp+arg_8], 0
		jnz	loc_5CC694

loc_4E2145:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA7E6j
		push	edi
		call	_RtlDelete@4	; RtlDelete(x)
		mov	[esi+8], eax
		mov	eax, [esp+48h+var_30]
		cmp	dword ptr [eax+0Ch], 0
		jnz	loc_5CC6A5

loc_4E215C:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA83Bj
					; FsRtlPrivateFastUnlockAll+EA84Cj
		mov	edx, edi
		mov	ecx, offset _FsRtlExclusiveLockLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_4E20FB
FsRtlPrivateFastUnlockAll endp

; 
		align 10h
; Exported entry 2311. RtlRealSuccessor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlRealSuccessor(x)
		public _RtlRealSuccessor@4
_RtlRealSuccessor@4 proc near		; CODE XREF: FsRtlPrivateFastUnlockAll+71p
					; FsRtlPrivateFastUnlockAll+231p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [edx+8]
		test	eax, eax
		jnz	short loc_4E219F
		mov	ecx, [edx]

loc_4E2181:				; CODE XREF: RtlRealSuccessor(x)+2Bj
		cmp	[ecx+8], edx
		jz	short loc_4E2197
		mov	eax, [ecx+4]
		sub	eax, edx
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx

loc_4E2193:				; CODE XREF: RtlRealSuccessor(x)+34j
		pop	ebp
		retn	4
; 

loc_4E2197:				; CODE XREF: RtlRealSuccessor(x)+14j
		mov	edx, ecx
		mov	ecx, [ecx]
		jmp	short loc_4E2181
; 

loc_4E219D:				; CODE XREF: RtlRealSuccessor(x)+36j
		mov	eax, ecx

loc_4E219F:				; CODE XREF: RtlRealSuccessor(x)+Dj
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_4E2193
		jmp	short loc_4E219D
_RtlRealSuccessor@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlRemoveNodeFromTunnel(x, x, x, x)
_FsRtlRemoveNodeFromTunnel@16 proc near	; CODE XREF: FsRtlDeleteKeyFromTunnelCache(x,x,x)+96p
					; FsRtlPruneTunnelCache(x,x)+79p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, edx
		mov	ebx, ecx
		test	edi, edi
		jz	short loc_4E21C0
		cmp	byte ptr [edi],	0
		jnz	short loc_4E21FA

loc_4E21C0:				; CODE XREF: FsRtlRemoveNodeFromTunnel(x,x,x,x)+11j
		lea	eax, [ebx+20h]
		push	eax
		push	esi
		call	_RtlDeleteNoSplay@8 ; RtlDeleteNoSplay(x,x)

loc_4E21CA:				; CODE XREF: FsRtlRemoveNodeFromTunnel(x,x,x,x)+5Ej
		lea	eax, [esi+0Ch]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_4E2208
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_4E2208
		mov	[ecx], edx
		mov	eax, 0FFFFh
		mov	[edx+4], ecx
		mov	ecx, esi
		mov	edx, [ebp+arg_0]
		add	[ebx+2Ch], ax
		call	FsRtlFreeTunnelNode
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_4E21FA:				; CODE XREF: FsRtlRemoveNodeFromTunnel(x,x,x,x)+16j
		push	esi
		call	_RtlDelete@4	; RtlDelete(x)
		mov	[ebx+20h], eax
		mov	byte ptr [edi],	0
		jmp	short loc_4E21CA
; 

loc_4E2208:				; CODE XREF: FsRtlRemoveNodeFromTunnel(x,x,x,x)+2Aj
					; FsRtlRemoveNodeFromTunnel(x,x,x,x)+31j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_FsRtlRemoveNodeFromTunnel@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlCompareNodeAndKey proc near	; CODE XREF: PAGE:007AE124p
					; FsRtlFindInTunnelCacheEx+58p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005CC872 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+20h]
		push	esi
		mov	esi, [ecx+24h]
		mov	[ebp+var_4], edx
		cmp	esi, [ebp+arg_4]
		jb	short loc_4E225E
		ja	short loc_4E2263
		cmp	eax, [ebp+arg_0]
		ja	short loc_4E2263
		cmp	esi, [ebp+arg_4]
		ja	short loc_4E2236
		jb	short loc_4E225E
		cmp	eax, [ebp+arg_0]
		jb	short loc_4E225E

loc_4E2236:				; CODE XREF: FsRtlCompareNodeAndKey+1Fj
		push	ebx
		push	edi
		mov	edi, [ecx+28h]
		lea	esi, [ecx+34h]
		lea	ebx, [ecx+2Ch]
		mov	eax, esi
		and	edi, 2
		jnz	short loc_4E224A
		mov	eax, ebx

loc_4E224A:				; CODE XREF: FsRtlCompareNodeAndKey+38j
		push	1
		push	edx
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jz	short loc_4E2268

loc_4E2257:				; CODE XREF: FsRtlCompareNodeAndKey+5Ej
					; FsRtlCompareNodeAndKey+EA675j
		pop	edi
		pop	ebx

loc_4E2259:				; CODE XREF: FsRtlCompareNodeAndKey+53j
					; FsRtlCompareNodeAndKey+58j
		pop	esi
		leave
		retn	0Ch
; 

loc_4E225E:				; CODE XREF: FsRtlCompareNodeAndKey+13j
					; FsRtlCompareNodeAndKey+21j ...
		or	eax, 0FFFFFFFFh
		jmp	short loc_4E2259
; 

loc_4E2263:				; CODE XREF: FsRtlCompareNodeAndKey+15j
					; FsRtlCompareNodeAndKey+1Aj
		xor	eax, eax
		inc	eax
		jmp	short loc_4E2259
; 

loc_4E2268:				; CODE XREF: FsRtlCompareNodeAndKey+47j
		cmp	[ebp+arg_8], 0
		jz	short loc_4E2257
		jmp	loc_5CC872
FsRtlCompareNodeAndKey endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall FsRtlEmptyFreePoolList(x)
_FsRtlEmptyFreePoolList@4 proc near	; CODE XREF: FsRtlDeleteKeyFromTunnelCache(x,x,x)+ACp
					; PAGE:007AE255p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx

loc_4E2279:				; CODE XREF: FsRtlEmptyFreePoolList(x)+2Aj
		mov	ecx, [esi]
		cmp	ecx, esi
		jnz	short loc_4E2281
		pop	esi
		retn
; 

loc_4E2281:				; CODE XREF: FsRtlEmptyFreePoolList(x)+9j
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_4E22A0
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_4E22A0
		mov	[eax], edx
		add	ecx, 0FFFFFFF4h
		mov	[edx+4], eax
		xor	edx, edx
		call	FsRtlFreeTunnelNode
		jmp	short loc_4E2279
; 

loc_4E22A0:				; CODE XREF: FsRtlEmptyFreePoolList(x)+12j
					; FsRtlEmptyFreePoolList(x)+19j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_FsRtlEmptyFreePoolList@4 endp


FsRtlFreeTunnelNode:			; CODE XREF: FsRtlRemoveNodeFromTunnel(x,x,x,x)+46p
					; FsRtlEmptyFreePoolList(x)+25p ...
		test	edx, edx
		jnz	short loc_4E22BC
		test	byte ptr [ecx+28h], 1
		jz	loc_5CC888
		push	edx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
; 

loc_4E22BC:				; CODE XREF: .text:004E22A8j
		mov	eax, [edx]
		add	ecx, 0Ch
		cmp	[eax+4], edx
		jnz	short loc_4E22D1
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[eax+4], ecx
		mov	[edx], ecx
		retn
; 

loc_4E22D1:				; CODE XREF: .text:004E22C4j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		align 10h
; Exported entry 2035. RtlDeleteNoSplay

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDeleteNoSplay(x,	x)
		public _RtlDeleteNoSplay@8
_RtlDeleteNoSplay@8 proc near		; CODE XREF: FsRtlRemoveNodeFromTunnel(x,x,x,x)+1Dp
					; FsRtlPrivateInsertSharedLock+EA267p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	dword ptr [esi+4], 0
		jnz	short loc_4E2357

loc_4E22F3:				; CODE XREF: RtlDeleteNoSplay(x,x)+7Bj
					; RtlDeleteNoSplay(x,x)+90j
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_4E2323
		mov	ecx, [esi+8]
		test	ecx, ecx
		jnz	short loc_4E2323
		mov	ecx, [esi]
		cmp	ecx, esi
		jz	short loc_4E2341
		xor	eax, eax
		cmp	[ecx+4], esi
		setnz	al
		lea	eax, ds:4[eax*4]
		mov	dword ptr [eax+ecx], 0

loc_4E231D:				; CODE XREF: RtlDeleteNoSplay(x,x)+5Fj
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_4E2323:				; CODE XREF: RtlDeleteNoSplay(x,x)+18j
					; RtlDeleteNoSplay(x,x)+1Fj
		mov	edx, [esi]
		cmp	edx, esi
		jz	short loc_4E234D
		xor	eax, eax
		cmp	[edx+4], esi
		setnz	al
		lea	eax, ds:4[eax*4]
		mov	[eax+edx], ecx
		mov	eax, [esi]
		mov	[ecx], eax
		jmp	short loc_4E231D
; 

loc_4E2341:				; CODE XREF: RtlDeleteNoSplay(x,x)+25j
		mov	dword ptr [edi], 0
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_4E234D:				; CODE XREF: RtlDeleteNoSplay(x,x)+47j
		mov	[ecx], ecx
		mov	[edi], ecx
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_4E2357:				; CODE XREF: RtlDeleteNoSplay(x,x)+11j
		cmp	dword ptr [esi+8], 0
		jz	short loc_4E22F3
		push	esi
		call	_RtlSubtreePredecessor@4 ; RtlSubtreePredecessor(x)
		cmp	[esi], esi
		jz	short loc_4E2372

loc_4E2367:				; CODE XREF: RtlDeleteNoSplay(x,x)+94j
		mov	edx, esi
		mov	ecx, eax
		call	SwapSplayLinks
		jmp	short loc_4E22F3
; 

loc_4E2372:				; CODE XREF: RtlDeleteNoSplay(x,x)+85j
		mov	[edi], eax
		jmp	short loc_4E2367
_RtlDeleteNoSplay@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2031. RtlDeleteElementGenericTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDeleteElementGenericTable(x, x)
		public _RtlDeleteElementGenericTable@8
_RtlDeleteElementGenericTable@8	proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	eax
		call	FindNodeOrParent
		test	eax, eax
		jz	short loc_4E23E2
		cmp	eax, 1
		jnz	short loc_4E23E2
		push	edi
		mov	edi, [ebp+var_4]
		push	edi
		call	_RtlDelete@4	; RtlDelete(x)
		mov	[esi], eax
		lea	eax, [edi+0Ch]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_4E23DD
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_4E23DD
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	ecx, [esi+4]
		dec	dword ptr [esi+14h]
		and	dword ptr [esi+10h], 0
		push	edi
		push	esi
		mov	[esi+0Ch], ecx
		call	dword ptr [esi+20h]
		mov	al, 1
		pop	edi

loc_4E23D8:				; CODE XREF: RtlDeleteElementGenericTable(x,x)+68j
		pop	esi
		leave
		retn	8
; 

loc_4E23DD:				; CODE XREF: RtlDeleteElementGenericTable(x,x)+39j
					; RtlDeleteElementGenericTable(x,x)+40j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4E23E2:				; CODE XREF: RtlDeleteElementGenericTable(x,x)+1Ej
					; RtlDeleteElementGenericTable(x,x)+23j
		xor	al, al
		jmp	short loc_4E23D8
_RtlDeleteElementGenericTable@8	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2174. RtlInsertElementGenericTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlInsertElementGenericTable(int,void *,size_t,int)
		public _RtlInsertElementGenericTable@16
_RtlInsertElementGenericTable@16 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_4], 0
		push	eax
		call	FindNodeOrParent
		push	eax		; int
		push	[ebp+var_4]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; size_t
		push	[ebp+arg_4]	; void *
		push	[ebp+arg_0]	; int
		call	RtlInsertElementGenericTableFull
		leave
		retn	10h
_RtlInsertElementGenericTable@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2176. RtlInsertElementGenericTableFull

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlInsertElementGenericTableFull(int,void *,size_t,int,int,int)
		public RtlInsertElementGenericTableFull
RtlInsertElementGenericTableFull proc near
					; CODE XREF: RtlInsertElementGenericTable(x,x,x,x)+29p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005CC894 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_14]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	ebx, 1
		jz	loc_4E24CB
		mov	eax, [ebp+arg_8]
		lea	ecx, [eax+18h]
		cmp	ecx, eax
		jb	loc_5CC894
		push	ecx
		push	edi
		call	dword ptr [edi+1Ch]
		mov	esi, eax
		test	esi, esi
		jz	loc_5CC894
		and	dword ptr [esi+4], 0
		lea	ecx, [edi+4]
		and	dword ptr [esi+8], 0
		lea	eax, [esi+0Ch]
		mov	[esi], esi
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_4E24D0
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		inc	dword ptr [edi+14h]
		test	ebx, ebx
		jz	short loc_4E24C7
		mov	eax, [ebp+arg_10]
		cmp	ebx, 2
		jz	short loc_4E24B8
		mov	[eax+8], esi

loc_4E248B:				; CODE XREF: RtlInsertElementGenericTableFull+97j
		mov	[esi], eax

loc_4E248D:				; CODE XREF: RtlInsertElementGenericTableFull+A5j
		push	[ebp+arg_8]	; size_t
		lea	eax, [esi+18h]
		push	[ebp+arg_4]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_4E249F:				; CODE XREF: RtlInsertElementGenericTableFull+AAj
		push	esi
		call	_RtlSplay@4	; RtlSplay(x)
		mov	ecx, [ebp+arg_C]
		mov	[edi], eax
		test	ecx, ecx
		jnz	short loc_4E24BD

loc_4E24AE:				; CODE XREF: RtlInsertElementGenericTableFull+A1j
		lea	eax, [esi+18h]

loc_4E24B1:				; CODE XREF: RtlInsertElementGenericTableFull+EA47Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
; 

loc_4E24B8:				; CODE XREF: RtlInsertElementGenericTableFull+62j
		mov	[eax+4], esi
		jmp	short loc_4E248B
; 

loc_4E24BD:				; CODE XREF: RtlInsertElementGenericTableFull+88j
		cmp	ebx, 1
		setnz	al
		mov	[ecx], al
		jmp	short loc_4E24AE
; 

loc_4E24C7:				; CODE XREF: RtlInsertElementGenericTableFull+5Aj
		mov	[edi], esi
		jmp	short loc_4E248D
; 

loc_4E24CB:				; CODE XREF: RtlInsertElementGenericTableFull+11j
		mov	esi, [ebp+arg_10]
		jmp	short loc_4E249F
; 

loc_4E24D0:				; CODE XREF: RtlInsertElementGenericTableFull+49j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
RtlInsertElementGenericTableFull endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlPrivateInsertExclusiveLock	proc near ; CODE XREF: FsRtlPrivateInsertLock+9Bp

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005CC8A5 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		lea	eax, [ebp-1]
		push	eax
		mov	edi, ecx
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [esi+30h]
		xor	ebx, ebx
		push	eax
		mov	ecx, [edi+8]
		lea	edx, [esi+10h]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_1], bl
		call	FsRtlFindFirstOverlappingExclusiveNode
		mov	[esi], esi
		mov	[esi+4], ebx
		mov	[esi+8], ebx
		test	eax, eax
		jnz	loc_5CC8A5
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_4E2522
		mov	[edi+8], esi

loc_4E251D:				; CODE XREF: FsRtlPrivateInsertExclusiveLock+56j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4E2522:				; CODE XREF: FsRtlPrivateInsertExclusiveLock+42j
		cmp	[ebp+var_1], bl
		jnz	short loc_4E252E

loc_4E2527:				; CODE XREF: FsRtlPrivateInsertExclusiveLock+EA3D2j
		mov	[eax+8], esi

loc_4E252A:				; CODE XREF: FsRtlPrivateInsertExclusiveLock+5Bj
		mov	[esi], eax
		jmp	short loc_4E251D
; 

loc_4E252E:				; CODE XREF: FsRtlPrivateInsertExclusiveLock+4Fj
					; FsRtlPrivateInsertExclusiveLock+EA3DBj ...
		mov	[eax+4], esi
		jmp	short loc_4E252A
FsRtlPrivateInsertExclusiveLock	endp

; 
		align 10h
; Exported entry 634. FsRtlPrivateLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlPrivateLock
FsRtlPrivateLock proc near		; CODE XREF: FsRtlProcessFileLock+C8p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= byte ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h
arg_1C		= byte ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 005CC8C2 SIZE 000000D2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A29C0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 48h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_19], 0
		xor	bl, bl
		mov	[ebp+var_1A], bl
		mov	[ebp+var_20], 0
		mov	[ebp+var_24], 0
		mov	[ebp+var_1B], 0FFh
		mov	ecx, 0Ah
		xor	eax, eax
		lea	edi, [ebp+var_58]
		rep stosd
		mov	[ebp+var_4], eax
		mov	[ebp+var_2C], 1
		cmp	[ebp+arg_24], eax
		setz	dl
		mov	esi, [ebp+arg_0]
		mov	edi, [esi+0Ch]
		mov	[ebp+var_20], edi
		test	edi, edi
		jz	loc_4E26BF

loc_4E25BA:				; CODE XREF: FsRtlPrivateLock+198j
		mov	eax, [ebp+arg_8]
		mov	ecx, [eax]
		mov	[ebp+arg_8], ecx
		mov	edx, [eax+4]
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], edx
		mov	eax, [ebp+arg_C]
		mov	esi, [eax]
		mov	[ebp+var_28], esi
		mov	eax, [eax+4]
		mov	[ebp+arg_0], eax
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], eax
		mov	eax, ecx
		add	eax, esi
		mov	ecx, edx
		adc	ecx, [ebp+arg_0]
		add	eax, 0FFFFFFFFh
		mov	[ebp+arg_C], eax
		adc	ecx, 0FFFFFFFFh
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], ecx
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_3C], eax
		mov	al, [ebp+arg_1C]
		mov	[ebp+var_48], al
		lea	esi, [edi+10h]
		mov	[ebp+var_24], esi
		cmp	ecx, edx
		ja	short loc_4E262B
		jb	loc_5CC8CD
		mov	eax, [ebp+arg_8]
		cmp	[ebp+arg_C], eax
		jb	loc_5CC8CD

loc_4E262B:				; CODE XREF: FsRtlPrivateLock+D7j
					; FsRtlPrivateLock+EA393j
		mov	bl, 1
		mov	[ebp+var_1A], bl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bh, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	[ebp+var_1B], bh
		lea	edx, [ebp+var_58]
		mov	ecx, esi
		cmp	[ebp+arg_1C], 0
		jnz	short loc_4E26A3
		call	FsRtlPrivateCheckForSharedLockAccess

loc_4E2652:				; CODE XREF: FsRtlPrivateLock+168j
		test	al, al
		jz	short loc_4E26AA
		lea	eax, [ebp+var_58]
		push	eax
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		call	FsRtlPrivateInsertLock
		test	al, al
		jz	loc_5CC98C
		mov	eax, [ebp+arg_20]
		mov	dword ptr [eax], 0

loc_4E2675:				; CODE XREF: FsRtlPrivateLock+17Dj
					; FsRtlPrivateLock+EA3A2j ...
		mov	[ebp+var_19], 1

loc_4E2679:				; CODE XREF: FsRtlPrivateLock+EA388j
					; FsRtlPrivateLock+EA447j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	[ebp+var_2C], 0
		call	sub_4E26DD
		mov	al, [ebp+var_19]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	30h
; 

loc_4E26A3:				; CODE XREF: FsRtlPrivateLock+10Bj
		call	FsRtlPrivateCheckForExclusiveLockAccess
		jmp	short loc_4E2652
; 

loc_4E26AA:				; CODE XREF: FsRtlPrivateLock+114j
		cmp	[ebp+arg_18], 0
		jz	loc_5CC8E7
		mov	eax, [ebp+arg_20]
		mov	dword ptr [eax], 0C0000055h
		jmp	short loc_4E2675
; 

loc_4E26BF:				; CODE XREF: FsRtlPrivateLock+74j
		mov	ecx, esi
		call	FsRtlPrivateInitializeFileLock
		test	al, al
		jz	loc_5CC8C2
		mov	byte ptr [esi+8], 1
		mov	edi, [esi+0Ch]
		mov	[ebp+var_20], edi
		jmp	loc_4E25BA
FsRtlPrivateLock endp


;  S U B	R O U T	I N E 


sub_4E26DD	proc near		; CODE XREF: FsRtlPrivateLock+147p
					; sub_5CC994+9j

; FUNCTION CHUNK AT 005CC9A2 SIZE 0000002D BYTES

		test	bl, bl
		jz	short loc_4E2700
		test	ds:byte_70EFC6,	1
		jnz	loc_5CC9A2
		xor	eax, eax
		lock and [esi],	eax

loc_4E26F3:				; CODE XREF: sub_4E26DD+EA2D3j
		mov	cl, [ebp-1Bh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	byte ptr [ebp-1Ah], 0

loc_4E2700:				; CODE XREF: sub_4E26DD+2j
		cmp	dword ptr [ebp-2Ch], 0
		jnz	short locret_4E270D
		mov	ebx, [ebp+2Ch]
		test	ebx, ebx
		jnz	short loc_4E270E

locret_4E270D:				; CODE XREF: sub_4E26DD+27j
					; sub_4E26DD+3Aj ...
		retn
; 

loc_4E270E:				; CODE XREF: sub_4E26DD+2Ej
		mov	esi, [ebp+28h]
		cmp	dword ptr [esi], 103h
		jz	short locret_4E270D
		mov	dword ptr [ebp-28h], 0
		mov	edx, 746C6644h
		mov	ecx, [ebp+0Ch]
		call	ObfReferenceObjectWithTag
		push	dword ptr [ebp+0Ch]
		lea	eax, [ebp-28h]
		push	eax
		mov	eax, [esi]
		push	eax
		push	ebx
		mov	edx, [ebp+30h]
		mov	ecx, [edi+8]
		call	FsRtlCompleteLockIrpReal
		mov	ebx, [ebp-28h]
		test	ebx, ebx
		js	loc_5CC9B5

loc_4E274E:				; CODE XREF: sub_4E26DD+EA2DBj
					; sub_4E26DD+EA2EDj
		mov	ecx, [ebp+0Ch]
		call	ObfDereferenceObject
		mov	[esi], ebx
		jmp	short locret_4E270D
sub_4E26DD	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlPrivateInsertLock proc near	; CODE XREF: FsRtlPrivateLock+11Fp
					; FsRtlPrivateCheckWaitingLocks+E983Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CC9CF SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_C], edx
		cmp	byte ptr [esi+10h], 0
		jnz	short loc_4E27D1
		mov	ecx, offset _FsRtlSharedLockLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_5CC9DC
		lea	edx, [eax+8]
		push	0Ah
		mov	edi, edx
		mov	[ebp+var_4], edx
		pop	ecx
		rep movsd
		lea	ecx, [ebx+10h]
		mov	edx, eax
		call	FsRtlPrivateInsertSharedLock
		test	al, al
		jz	loc_5CC9CF

loc_4E27A7:				; CODE XREF: FsRtlPrivateInsertLock+A0j
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_4]
		mov	[ecx+48h], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		cmp	eax, [ebx+4]
		ja	short loc_4E27C8
		jb	short loc_4E27C3
		cmp	ecx, [ebx]
		jnb	short loc_4E27C8

loc_4E27C3:				; CODE XREF: FsRtlPrivateInsertLock+63j
		mov	[ebx], ecx
		mov	[ebx+4], eax

loc_4E27C8:				; CODE XREF: FsRtlPrivateInsertLock+61j
					; FsRtlPrivateInsertLock+67j
		mov	al, 1

loc_4E27CA:				; CODE XREF: FsRtlPrivateInsertLock+EA284j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4E27D1:				; CODE XREF: FsRtlPrivateInsertLock+17j
		mov	ecx, offset _FsRtlExclusiveLockLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		test	eax, eax
		jz	loc_5CC9DC
		lea	edx, [eax+10h]
		push	0Ah
		mov	edi, edx
		mov	[ebp+var_4], edx
		pop	ecx
		rep movsd
		lea	ecx, [ebx+10h]
		mov	edx, eax
		call	FsRtlPrivateInsertExclusiveLock
		jmp	short loc_4E27A7
FsRtlPrivateInsertLock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlPrivateInsertSharedLock proc near	; CODE XREF: FsRtlPrivateInsertLock+40p

var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005CC9E3 SIZE 000000B9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_C], 0
		add	ecx, 4
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		mov	ecx, [ecx]
		lea	edx, [ebp-1]
		push	edx
		lea	edx, [ebp+var_C]
		mov	[ebp+var_1], 0
		push	edx
		lea	eax, [edi+28h]
		push	eax
		lea	edx, [edi+8]
		call	FsRtlFindFirstOverlappingSharedNode
		mov	esi, eax
		mov	[ebp+var_14], esi
		test	esi, esi
		jnz	short loc_4E2896
		mov	ecx, offset _FsRtlLockTreeNodeLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	edx, eax
		test	edx, edx
		jz	loc_5CC9E3
		xor	ebx, ebx
		mov	[edx+1Ch], edi
		lea	ecx, [edx+10h]
		mov	[edx+4], bl
		mov	[ecx], ecx
		mov	[ecx+4], ebx
		mov	[ecx+8], ebx
		mov	[edx], edi
		mov	eax, [edi+28h]
		mov	[edx+8], eax
		mov	eax, [edi+2Ch]
		mov	[edx+0Ch], eax
		mov	eax, [ebp+var_C]
		mov	[edi], ebx
		test	eax, eax
		jz	short loc_4E288A
		cmp	[ebp+var_1], bl
		jz	loc_5CC9EA
		mov	[eax+4], ecx

loc_4E2880:				; CODE XREF: FsRtlPrivateInsertSharedLock+EA1F1j
		push	ecx
		mov	[ecx], eax
		call	_RtlSplay@4	; RtlSplay(x)
		mov	ecx, eax

loc_4E288A:				; CODE XREF: FsRtlPrivateInsertSharedLock+76j
		mov	edx, [ebp+var_8]
		mov	[edx], ecx

loc_4E288F:				; CODE XREF: FsRtlPrivateInsertSharedLock+107j
					; FsRtlPrivateInsertSharedLock+EA29Bj
		mov	al, 1

loc_4E2891:				; CODE XREF: FsRtlPrivateInsertSharedLock+EA1E9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4E2896:				; CODE XREF: FsRtlPrivateInsertSharedLock+38j
		mov	ecx, [esi-10h]
		lea	edx, [esi-10h]
		test	ecx, ecx
		jz	short loc_4E28D8
		mov	eax, [edi+8]
		mov	[ebp+var_C], eax
		mov	eax, [edi+0Ch]
		mov	esi, eax

loc_4E28AB:				; CODE XREF: FsRtlPrivateInsertSharedLock+114j
		mov	ebx, [ecx+0Ch]
		mov	eax, [ecx+8]
		cmp	esi, ebx
		ja	short loc_4E28BC
		jb	short loc_4E28D5
		cmp	[ebp+var_C], eax
		jb	short loc_4E28D5

loc_4E28BC:				; CODE XREF: FsRtlPrivateInsertSharedLock+B7j
		cmp	[ebp+var_C], eax
		jnz	short loc_4E290A
		cmp	esi, ebx
		jnz	short loc_4E290A
		mov	eax, [edi+10h]
		or	eax, [edi+14h]
		jz	short loc_4E28D5
		mov	eax, [ecx+10h]
		or	eax, [ecx+14h]
		jz	short loc_4E290A

loc_4E28D5:				; CODE XREF: FsRtlPrivateInsertSharedLock+B9j
					; FsRtlPrivateInsertSharedLock+BEj ...
		mov	esi, [ebp+var_14]

loc_4E28D8:				; CODE XREF: FsRtlPrivateInsertSharedLock+A2j
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_4E2914

loc_4E28DE:				; CODE XREF: FsRtlPrivateInsertSharedLock+11Dj
		mov	[edi], eax
		push	esi
		mov	[edx], edi
		call	_RtlSplay@4	; RtlSplay(x)
		mov	edx, [ebp+var_8]
		mov	[edx], eax
		mov	ecx, [edi+2Ch]
		mov	eax, [edi+28h]
		cmp	ecx, [esi-4]
		jb	short loc_4E28FF
		ja	short loc_4E291B
		cmp	eax, [esi-8]
		ja	short loc_4E291B

loc_4E28FF:				; CODE XREF: FsRtlPrivateInsertSharedLock+FAj
					; FsRtlPrivateInsertSharedLock+EA201j ...
		cmp	byte ptr [esi-0Ch], 0
		jz	short loc_4E288F
		jmp	loc_5CCA89
; 

loc_4E290A:				; CODE XREF: FsRtlPrivateInsertSharedLock+C3j
					; FsRtlPrivateInsertSharedLock+C7j ...
		mov	edx, ecx
		mov	ecx, [ecx]
		test	ecx, ecx
		jnz	short loc_4E28AB
		jmp	short loc_4E28D5
; 

loc_4E2914:				; CODE XREF: FsRtlPrivateInsertSharedLock+E0j
		mov	[esi+0Ch], edi
		mov	eax, [edx]
		jmp	short loc_4E28DE
; 

loc_4E291B:				; CODE XREF: FsRtlPrivateInsertSharedLock+FCj
					; FsRtlPrivateInsertSharedLock+101j
		mov	[esi-8], eax
		mov	[esi-4], ecx
		jmp	loc_5CCA74
FsRtlPrivateInsertSharedLock endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 516. FsRtlFastUnlockSingle

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlFastUnlockSingle
FsRtlFastUnlockSingle proc near		; CODE XREF: FsRtlProcessFileLock+5Bp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005CCA9C SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, [edi+0Ch]
		test	esi, esi
		jz	loc_5CCA9C
		mov	eax, [ebp+arg_8]
		mov	ecx, [eax]
		mov	[ebp+arg_0], ecx
		mov	ecx, [eax+4]
		mov	eax, [ebp+arg_C]
		mov	edx, [eax]
		mov	ebx, edx
		add	ebx, [ebp+arg_0]
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		adc	eax, ecx
		add	ebx, 0FFFFFFFFh
		adc	eax, 0FFFFFFFFh
		cmp	eax, ecx
		ja	short loc_4E2971
		jb	short loc_4E29BA
		cmp	ebx, [ebp+arg_0]
		jb	short loc_4E29BA

loc_4E2971:				; CODE XREF: FsRtlFastUnlockSingle+3Cj
					; FsRtlFastUnlockSingle+91j
		mov	ebx, [ebp+arg_8]
		mov	ecx, esi
		mov	edx, [ebp+arg_4]
		push	1
		push	0
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ebx
		call	FsRtlFastUnlockSingleExclusive
		test	eax, eax
		jz	short loc_4E29B6
		mov	edx, [ebp+arg_4]
		mov	ecx, [edi+0Ch]
		push	1
		push	0
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ebx
		call	FsRtlFastUnlockSingleShared

loc_4E29AF:				; CODE XREF: FsRtlFastUnlockSingle+8Cj
					; FsRtlFastUnlockSingle+98j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_4E29B6:				; CODE XREF: FsRtlFastUnlockSingle+65j
		xor	eax, eax
		jmp	short loc_4E29AF
; 

loc_4E29BA:				; CODE XREF: FsRtlFastUnlockSingle+3Ej
					; FsRtlFastUnlockSingle+43j
		or	edx, [ebp+var_4]
		jz	short loc_4E2971
		mov	eax, 0C00001A1h
		jmp	short loc_4E29AF
FsRtlFastUnlockSingle endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlFastUnlockSingleExclusive proc near ; CODE	XREF: FsRtlFastUnlockSingle+5Ep
					; FsRtlPrivateRemoveLock(x,x,x)+2Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= byte ptr  20h

; FUNCTION CHUNK AT 005CCAA6 SIZE 0000009C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_14], edx
		push	edi
		mov	edi, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_8], edi
		lea	esi, [ebx+10h]
		mov	[ebp+var_C], eax
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	byte ptr [ebp+arg_0+3],	al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	al, byte ptr [ebp+arg_0+3]
		mov	ecx, [esi+8]
		mov	byte ptr [ebp+var_10], al
		test	ecx, ecx
		jnz	short loc_4E2A31

loc_4E2A0A:				; CODE XREF: FsRtlFastUnlockSingleExclusive+98j
					; FsRtlFastUnlockSingleExclusive+EA0E9j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5CCB33
		xor	eax, eax
		lock and [esi],	eax

loc_4E2A1C:				; CODE XREF: FsRtlFastUnlockSingleExclusive+EA177j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, 0C000007Eh

loc_4E2A2A:				; CODE XREF: FsRtlFastUnlockSingleExclusive+164j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_4E2A31:				; CODE XREF: FsRtlFastUnlockSingleExclusive+42j
		mov	eax, [ebp+arg_4]
		push	0
		mov	edx, [eax]
		mov	eax, [eax+4]
		add	edx, edi
		pop	edi
		adc	eax, [ebp+var_C]
		sub	edx, 1
		push	edi
		sbb	eax, edi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], eax
		lea	edx, [ebp+var_24]
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		call	FsRtlFindFirstOverlappingExclusiveNode

loc_4E2A5A:				; CODE XREF: FsRtlFastUnlockSingleExclusive+EA100j
		mov	edi, eax
		test	edi, edi
		jz	short loc_4E2A0A
		mov	edx, [ebp+var_14]
		cmp	[edi+28h], edx
		jnz	loc_5CCAA6
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_8]
		cmp	[edi+2Ch], eax
		jnz	loc_5CCAA9
		mov	eax, [ebp+arg_C]
		cmp	[edi+24h], eax
		jnz	loc_5CCAA9
		cmp	[edi+10h], ecx
		jnz	loc_5CCAA9
		mov	eax, [edi+14h]
		cmp	eax, [ebp+var_C]
		jnz	loc_5CCAA9
		mov	ecx, [ebp+arg_4]
		mov	eax, [edi+18h]
		cmp	eax, [ecx]
		jnz	loc_5CCAA6
		mov	eax, [edi+1Ch]
		cmp	eax, [ecx+4]
		jnz	loc_5CCAA6
		lea	eax, [edi+10h]
		cmp	[edx+48h], eax
		jnz	short loc_4E2AC2
		and	dword ptr [edx+48h], 0

loc_4E2AC2:				; CODE XREF: FsRtlFastUnlockSingleExclusive+F6j
		push	edi
		call	_RtlDelete@4	; RtlDelete(x)
		mov	[esi+8], eax
		mov	eax, [ebx]
		cmp	eax, [edi+10h]
		jnz	short loc_4E2AE1
		mov	eax, [ebx+4]
		cmp	eax, [edi+14h]
		jnz	short loc_4E2AE1
		mov	ecx, ebx
		call	_FsRtlPrivateResetLowestLockOffset@4 ; FsRtlPrivateResetLowestLockOffset(x)

loc_4E2AE1:				; CODE XREF: FsRtlFastUnlockSingleExclusive+10Aj
					; FsRtlFastUnlockSingleExclusive+112j
		cmp	[ebp+arg_14], 0
		jnz	short loc_4E2AF1
		cmp	dword ptr [ebx+0Ch], 0
		jnz	loc_5CCACB

loc_4E2AF1:				; CODE XREF: FsRtlFastUnlockSingleExclusive+11Fj
					; FsRtlFastUnlockSingleExclusive+EA148j
		mov	edx, edi
		mov	ecx, offset _FsRtlExclusiveLockLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		cmp	[ebp+arg_18], 0
		jz	short loc_4E2B0D
		cmp	dword ptr [esi+0Ch], 0
		jnz	loc_5CCB13

loc_4E2B0D:				; CODE XREF: FsRtlFastUnlockSingleExclusive+13Bj
					; FsRtlFastUnlockSingleExclusive+EA159j
		test	ds:byte_70EFC6,	1
		jnz	loc_5CCB24
		xor	eax, eax
		lock and [esi],	eax

loc_4E2B1F:				; CODE XREF: FsRtlFastUnlockSingleExclusive+EA168j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		jmp	loc_4E2A2A
FsRtlFastUnlockSingleExclusive endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlFastUnlockSingleShared proc near	; CODE XREF: FsRtlFastUnlockSingle+7Ep
					; FsRtlPrivateRemoveLock(x,x,x):loc_60182Dp

var_3A		= byte ptr -3Ah
var_39		= byte ptr -39h
var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= byte ptr  20h

; FUNCTION CHUNK AT 005CCB42 SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax]
		lea	ebx, [ecx+10h]
		mov	edi, [eax+4]
		mov	[esp+40h+var_24], edx
		mov	[esp+40h+var_30], ecx
		mov	[esp+40h+var_28], esi
		mov	[esp+40h+var_2C], edi
		mov	[esp+40h+var_20], esi
		mov	[esp+40h+var_1C], edi
		mov	[esp+40h+var_18], ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, ebx
		mov	[esp+40h+var_31], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	al, [esp+40h+var_31]
		mov	ecx, [ebx+4]
		mov	byte ptr [esp+40h+var_14], al
		test	ecx, ecx
		jz	loc_4E2D1D
		mov	eax, [ebp+arg_4]
		push	0
		push	0
		mov	edx, [eax]
		mov	eax, [eax+4]
		add	edx, esi
		adc	eax, edi
		sub	edx, 1
		mov	[esp+48h+var_10], edx
		lea	edx, [esp+48h+var_20]
		sbb	eax, 0
		mov	[esp+48h+var_C], eax
		lea	eax, [esp+48h+var_10]
		push	eax
		call	FsRtlFindFirstOverlappingSharedNode
		mov	[esp+40h+var_10], eax
		test	eax, eax
		jz	loc_4E2D1D
		mov	esi, [eax-10h]
		lea	edi, [eax-10h]
		mov	[esp+40h+var_8], 0
		mov	ecx, edi
		mov	[esp+40h+var_4], 0
		mov	[esp+40h+var_20], ecx
		test	esi, esi
		jz	loc_5CCB7C
		mov	edx, [ebp+arg_4]
		jmp	short loc_4E2BF0
; 
		align 10h

loc_4E2BF0:				; CODE XREF: FsRtlFastUnlockSingleShared+B8j
					; FsRtlFastUnlockSingleShared+252j
		mov	eax, [esp+40h+var_24]
		cmp	[esi+20h], eax
		jnz	loc_4E2D40
		mov	eax, [ebp+arg_8]
		cmp	[esi+24h], eax
		jnz	loc_4E2D40
		mov	eax, [ebp+arg_C]
		cmp	[esi+1Ch], eax
		jnz	loc_4E2D40
		mov	eax, [esi+8]
		cmp	eax, [esp+40h+var_28]
		jnz	loc_4E2D40
		mov	eax, [esi+0Ch]
		cmp	eax, [esp+40h+var_2C]
		jnz	loc_4E2D40
		mov	eax, [esi+10h]
		cmp	eax, [edx]
		jnz	loc_4E2D40
		mov	eax, [esi+14h]
		cmp	eax, [edx+4]
		jnz	loc_4E2D40
		mov	eax, [esp+40h+var_24]
		lea	ebx, [esi+8]
		cmp	[eax+48h], ebx
		jnz	short loc_4E2C59
		mov	dword ptr [eax+48h], 0

loc_4E2C59:				; CODE XREF: FsRtlFastUnlockSingleShared+120j
		mov	eax, [ecx]
		cmp	eax, [edi+1Ch]
		jnz	short loc_4E2C63
		mov	[edi+1Ch], ecx

loc_4E2C63:				; CODE XREF: FsRtlFastUnlockSingleShared+12Ej
		mov	eax, [esi]
		mov	[ecx], eax
		cmp	ecx, edi
		jnz	short loc_4E2CA5
		cmp	dword ptr [edi], 0
		jnz	short loc_4E2C8E
		push	[esp+40h+var_10]
		call	_RtlDelete@4	; RtlDelete(x)
		mov	ecx, [esp+40h+var_18]
		mov	edx, edi
		mov	[ecx+4], eax
		mov	ecx, offset _FsRtlLockTreeNodeLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		xor	edi, edi

loc_4E2C8E:				; CODE XREF: FsRtlFastUnlockSingleShared+13Ej
		mov	ecx, [esp+40h+var_30]
		mov	eax, [ecx]
		cmp	eax, [ebx]
		jnz	short loc_4E2CA5
		mov	eax, [ecx+4]
		cmp	eax, [ebx+4]
		jnz	short loc_4E2CA5
		call	_FsRtlPrivateResetLowestLockOffset@4 ; FsRtlPrivateResetLowestLockOffset(x)

loc_4E2CA5:				; CODE XREF: FsRtlFastUnlockSingleShared+139j
					; FsRtlFastUnlockSingleShared+166j ...
		test	edi, edi
		jnz	short loc_4E2D07

loc_4E2CA9:				; CODE XREF: FsRtlFastUnlockSingleShared+1EBj
		cmp	[ebp+arg_14], 0
		mov	edi, [esp+40h+var_30]
		jnz	loc_5CCB52
		cmp	dword ptr [edi+0Ch], 0
		jnz	loc_4E2D8D
		lea	ebx, [edi+10h]

loc_4E2CC4:				; CODE XREF: FsRtlFastUnlockSingleShared+2A1j
					; FsRtlFastUnlockSingleShared+EA026j
		mov	edx, esi
		mov	ecx, offset _FsRtlSharedLockLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		cmp	[ebp+arg_18], 0
		jz	short loc_4E2CE0
		cmp	dword ptr [ebx+0Ch], 0
		jnz	loc_5CCB5B

loc_4E2CE0:				; CODE XREF: FsRtlFastUnlockSingleShared+1A4j
					; FsRtlFastUnlockSingleShared+EA038j
		test	ds:byte_70EFC6,	1
		jnz	loc_5CCB6D
		xor	eax, eax
		lock and [ebx],	eax

loc_4E2CF2:				; CODE XREF: FsRtlFastUnlockSingleShared+EA047j
		mov	cl, [esp+40h+var_31]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax

loc_4E2CFE:				; CODE XREF: FsRtlFastUnlockSingleShared+20Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_4E2D07:				; CODE XREF: FsRtlFastUnlockSingleShared+177j
		mov	edx, [esp+40h+var_20]
		lea	eax, [esp+40h+var_8]
		push	eax
		lea	eax, [esi+28h]
		mov	ecx, edi
		push	eax
		call	FsRtlSplitLocks
		jmp	short loc_4E2CA9
; 

loc_4E2D1D:				; CODE XREF: FsRtlFastUnlockSingleShared+53j
					; FsRtlFastUnlockSingleShared+8Bj
		test	ds:byte_70EFC6,	1
		jnz	loc_5CCB89

loc_4E2D2A:				; CODE XREF: FsRtlFastUnlockSingleShared+EA053j
		xor	eax, eax
		lock and [ebx],	eax

loc_4E2D2F:				; CODE XREF: FsRtlFastUnlockSingleShared+EA063j
		mov	cl, [esp+40h+var_31]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, 0C000007Eh
		jmp	short loc_4E2CFE
; 

loc_4E2D40:				; CODE XREF: FsRtlFastUnlockSingleShared+C7j
					; FsRtlFastUnlockSingleShared+D3j ...
		mov	eax, [esi+0Ch]
		cmp	eax, [esp+40h+var_2C]
		jb	short loc_4E2D5C
		ja	loc_5CCB7C
		mov	eax, [esi+8]
		cmp	eax, [esp+40h+var_28]
		ja	loc_5CCB7C

loc_4E2D5C:				; CODE XREF: FsRtlFastUnlockSingleShared+217j
		mov	ecx, [esi+2Ch]
		mov	eax, [esi+28h]
		cmp	[esp+40h+var_4], ecx
		ja	short loc_4E2D78
		jb	short loc_4E2D70
		cmp	[esp+40h+var_8], eax
		jnb	short loc_4E2D78

loc_4E2D70:				; CODE XREF: FsRtlFastUnlockSingleShared+238j
		mov	[esp+40h+var_8], eax
		mov	[esp+40h+var_4], ecx

loc_4E2D78:				; CODE XREF: FsRtlFastUnlockSingleShared+236j
					; FsRtlFastUnlockSingleShared+23Ej
		mov	ecx, esi
		mov	[esp+40h+var_20], esi
		mov	esi, [esi]
		test	esi, esi
		jnz	loc_4E2BF0
		jmp	loc_5CCB7C
; 

loc_4E2D8D:				; CODE XREF: FsRtlFastUnlockSingleShared+18Bj
		test	ds:byte_70EFC6,	1
		jnz	loc_5CCB42
		xor	ecx, ecx
		lea	eax, [edi+10h]
		lock and [eax],	ecx

loc_4E2DA2:				; CODE XREF: FsRtlFastUnlockSingleShared+EA01Dj
		mov	cl, [esp+40h+var_31]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [edi+0Ch]
		push	ebx
		push	[ebp+arg_10]
		call	eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [edi+10h]
		mov	[esp+48h+var_39], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	al, [esp+48h+var_39]
		mov	byte ptr [esp+48h+var_1C], al
		jmp	loc_4E2CC4
FsRtlFastUnlockSingleShared endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlFindFirstOverlappingSharedNode proc near ;	CODE XREF: FsRtlPrivateInsertSharedLock+2Cp
					; FsRtlFastUnlockSingleShared+80p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CCB98 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, ecx
		mov	[ebp+var_18], edx
		test	edi, edi
		jz	short loc_4E2DFD
		mov	dword ptr [edi], 0

loc_4E2DFD:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+15j
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jnz	loc_4E2EBA

loc_4E2E08:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+DDj
		xor	eax, eax
		mov	[ebp+var_14], eax
		test	esi, esi
		jz	short loc_4E2E87

loc_4E2E11:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+A2j
		mov	ecx, [ebp+var_18]
		lea	eax, [esi-10h]
		mov	ebx, [eax]
		mov	[ebp+var_4], ebx
		mov	edi, [ecx]
		mov	[ebp+var_8], edi
		mov	edi, [ecx+4]
		cmp	[eax+0Ch], edi
		mov	[ebp+var_10], edi
		mov	edi, [ebp+arg_4]
		jb	loc_4E2ED6
		ja	short loc_4E2E41
		mov	ecx, [eax+8]
		cmp	ecx, [ebp+var_8]
		jb	loc_4E2ED6

loc_4E2E41:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+53j
		mov	ecx, [ebp+var_4]
		mov	ebx, [ebx+8]
		mov	ecx, [ecx+0Ch]
		mov	[ebp+var_C], ecx
		mov	ecx, ebx
		or	ecx, [ebp+var_C]
		jz	short loc_4E2EC2

loc_4E2E54:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+F1j
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_0]
		mov	edx, [edx+4]
		cmp	[ebp+var_C], edx
		mov	ecx, [ecx]
		mov	[ebp+var_4], edx
		mov	edx, [ebp+arg_8]
		ja	short loc_4E2E70
		jb	short loc_4E2E94
		cmp	ebx, ecx
		jbe	short loc_4E2E94

loc_4E2E70:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+88j
					; FsRtlFindFirstOverlappingSharedNode+12Aj ...
		test	edi, edi
		jz	short loc_4E2E76
		mov	[edi], esi

loc_4E2E76:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+92j
		test	edx, edx
		jz	short loc_4E2E7D
		mov	byte ptr [edx],	1

loc_4E2E7D:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+98j
		mov	esi, [esi+4]

loc_4E2E80:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+122j
		test	esi, esi
		jnz	short loc_4E2E11

loc_4E2E84:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+D3j
		mov	eax, [ebp+var_14]

loc_4E2E87:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+2Fj
					; FsRtlFindFirstOverlappingSharedNode+D1j
		pop	edi
		pop	esi
		pop	ebx
		test	eax, eax
		jnz	short loc_4E2EB5

loc_4E2E8E:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+D8j
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4E2E94:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+8Aj
					; FsRtlFindFirstOverlappingSharedNode+8Ej
		and	ecx, [ebp+var_4]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_5CCB98

loc_4E2EA0:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+E9DC4j
		mov	ecx, [ebp+var_10]
		cmp	[ebp+var_C], ecx
		jb	short loc_4E2EAF
		ja	short loc_4E2F07
		cmp	ebx, [ebp+var_8]
		ja	short loc_4E2F07

loc_4E2EAF:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+C6j
					; FsRtlFindFirstOverlappingSharedNode+E9DDBj
		test	esi, esi
		jnz	short loc_4E2E87
		jmp	short loc_4E2E84
; 

loc_4E2EB5:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+ACj
		add	eax, 10h
		jmp	short loc_4E2E8E
; 

loc_4E2EBA:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+22j
		mov	byte ptr [edx],	0
		jmp	loc_4E2E08
; 

loc_4E2EC2:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+72j
		mov	ecx, [ebp+var_4]
		mov	edi, [ebp+var_4]
		mov	ecx, [ecx+10h]
		or	ecx, [edi+14h]
		mov	edi, [ebp+arg_4]
		jnz	short loc_4E2E54
		mov	ebx, [ebp+var_4]

loc_4E2ED6:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+4Dj
					; FsRtlFindFirstOverlappingSharedNode+5Bj
		mov	edi, [ebp+arg_0]
		mov	ecx, [ebx+28h]
		cmp	ecx, [edi]
		mov	edi, [ebp+arg_4]
		jnz	short loc_4E2EF5
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebx+2Ch]
		cmp	ecx, [edx+4]
		mov	edx, [ebp+arg_8]
		jz	loc_5CCBA9

loc_4E2EF5:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+101j
					; FsRtlFindFirstOverlappingSharedNode+E9DCFj ...
		test	edi, edi
		jz	short loc_4E2EFB
		mov	[edi], esi

loc_4E2EFB:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+117j
		test	edx, edx
		jnz	short loc_4E2F0F

loc_4E2EFF:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+132j
		mov	esi, [esi+8]
		jmp	loc_4E2E80
; 

loc_4E2F07:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+C8j
					; FsRtlFindFirstOverlappingSharedNode+CDj
		mov	[ebp+var_14], eax
		jmp	loc_4E2E70
; 

loc_4E2F0F:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+11Dj
		mov	byte ptr [edx],	0
		jmp	short loc_4E2EFF
FsRtlFindFirstOverlappingSharedNode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlPrivateCheckForSharedLockAccess proc near ; CODE XREF: FsRtlPrivateLock+10Dp
					; FsRtlPrivateCheckWaitingLocks+E9791p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CCBC6 SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		mov	eax, ecx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_C], eax
		inc	ebx
		mov	ecx, [eax+8]
		push	esi
		mov	esi, edx
		test	ecx, ecx
		jnz	short loc_4E2F39

loc_4E2F33:				; CODE XREF: FsRtlPrivateCheckForSharedLockAccess+44j
					; FsRtlPrivateCheckForSharedLockAccess+54j
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_4E2F39:				; CODE XREF: FsRtlPrivateCheckForSharedLockAccess+1Dj
		push	edi
		push	0
		lea	eax, [ebp+var_4]
		push	eax
		lea	edi, [esi+20h]
		push	edi
		call	FsRtlFindFirstOverlappingExclusiveNode
		mov	ecx, eax
		test	ecx, ecx
		jnz	loc_5CCBC6

loc_4E2F53:				; CODE XREF: FsRtlPrivateCheckForSharedLockAccess+E9CBDj
					; FsRtlPrivateCheckForSharedLockAccess+E9CC8j ...
		cmp	[ebp+var_4], 0
		pop	edi
		jz	short loc_4E2F33
		push	[ebp+var_4]
		call	_RtlSplay@4	; RtlSplay(x)
		mov	ecx, [ebp+var_C]
		mov	[ecx+8], eax
		jmp	short loc_4E2F33
FsRtlPrivateCheckForSharedLockAccess endp

; 
		align 10h
; Exported entry 2028. RtlDelete

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDelete(x)
		public _RtlDelete@4
_RtlDelete@4	proc near		; CODE XREF: FsRtlPrivateFastUnlockAll+25Fp
					; FsRtlPrivateFastUnlockAll+28Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_4E2FB7

loc_4E2F80:				; CODE XREF: RtlDelete(x)+63j
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_4E2F96

loc_4E2F87:				; CODE XREF: RtlDelete(x)+61j
		mov	edx, [esi]
		cmp	edx, esi
		jnz	short loc_4E2FD5
		mov	[ecx], ecx
		mov	eax, ecx

loc_4E2F91:				; CODE XREF: RtlDelete(x)+2Cj
					; RtlDelete(x)+45j
		pop	esi
		pop	ebp
		retn	4
; 

loc_4E2F96:				; CODE XREF: RtlDelete(x)+15j
		mov	ecx, [esi]
		xor	eax, eax
		cmp	ecx, esi
		jz	short loc_4E2F91
		cmp	[ecx+4], esi
		push	ecx
		setnz	al
		lea	eax, ds:4[eax*4]
		and	dword ptr [eax+ecx], 0

loc_4E2FB0:				; CODE XREF: RtlDelete(x)+7Cj
		call	_RtlSplay@4	; RtlSplay(x)
		jmp	short loc_4E2F91
; 

loc_4E2FB7:				; CODE XREF: RtlDelete(x)+Ej
		cmp	dword ptr [esi+8], 0
		jz	short loc_4E2FCF
		push	esi
		call	_RtlSubtreePredecessor@4 ; RtlSubtreePredecessor(x)
		mov	edx, esi
		mov	ecx, eax
		call	SwapSplayLinks
		mov	ecx, [esi+4]

loc_4E2FCF:				; CODE XREF: RtlDelete(x)+4Bj
		test	ecx, ecx
		jnz	short loc_4E2F87
		jmp	short loc_4E2F80
; 

loc_4E2FD5:				; CODE XREF: RtlDelete(x)+1Bj
		xor	eax, eax
		cmp	[edx+4], esi
		setnz	al
		lea	eax, ds:4[eax*4]
		mov	[eax+edx], ecx
		mov	eax, [esi]
		mov	[ecx], eax
		push	eax
		jmp	short loc_4E2FB0
_RtlDelete@4	endp


;  S U B	R O U T	I N E 


; __stdcall FsRtlPrivateResetLowestLockOffset(x)
_FsRtlPrivateResetLowestLockOffset@4 proc near ; CODE XREF: FsRtlPrivateFastUnlockAll+140p
					; FsRtlFastUnlockSingleExclusive+116p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	edx, edx
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_4E301E

loc_4E2FFC:				; CODE XREF: FsRtlPrivateResetLowestLockOffset(x)+65j
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_4E3051
		mov	edx, [eax-10h]
		mov	eax, [esi+18h]
		test	eax, eax
		jnz	short loc_4E302E
		add	edx, 8

loc_4E3010:				; CODE XREF: FsRtlPrivateResetLowestLockOffset(x)+57j
					; FsRtlPrivateResetLowestLockOffset(x)+61j
		mov	ecx, edx

loc_4E3012:				; CODE XREF: FsRtlPrivateResetLowestLockOffset(x)+4Cj
					; FsRtlPrivateResetLowestLockOffset(x)+59j ...
		mov	eax, [ecx]
		mov	ecx, [ecx+4]

loc_4E3017:				; CODE XREF: FsRtlPrivateResetLowestLockOffset(x)+3Cj
		mov	[esi], eax
		mov	[esi+4], ecx
		pop	esi
		retn
; 

loc_4E301E:				; CODE XREF: FsRtlPrivateResetLowestLockOffset(x)+Cj
		mov	eax, [esi+18h]
		test	eax, eax
		jnz	short loc_4E302E
		or	eax, 0FFFFFFFFh
		mov	ecx, eax
		jmp	short loc_4E3017
; 

loc_4E302C:				; CODE XREF: FsRtlPrivateResetLowestLockOffset(x)+45j
		mov	eax, ecx

loc_4E302E:				; CODE XREF: FsRtlPrivateResetLowestLockOffset(x)+1Dj
					; FsRtlPrivateResetLowestLockOffset(x)+35j
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_4E302C
		lea	ecx, [eax+10h]
		test	edx, edx
		jz	short loc_4E3012
		mov	eax, [ecx+4]
		add	edx, 8
		cmp	eax, [edx+4]
		ja	short loc_4E3010
		jb	short loc_4E3012
		mov	eax, [ecx]
		cmp	eax, [edx]
		jb	short loc_4E3012
		jmp	short loc_4E3010
; 

loc_4E3051:				; CODE XREF: FsRtlPrivateResetLowestLockOffset(x)+13j
		mov	eax, ecx
		jmp	short loc_4E2FFC
_FsRtlPrivateResetLowestLockOffset@4 endp

; 
		align 10h
; Exported entry 2245. RtlLookupElementGenericTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLookupElementGenericTable(x, x)
		public _RtlLookupElementGenericTable@8
_RtlLookupElementGenericTable@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, [edi]
		test	esi, esi
		jz	short loc_4E30A1
		mov	ebx, [ebp+arg_4]

loc_4E3074:				; CODE XREF: RtlLookupElementGenericTable(x,x)+3Fj
		lea	eax, [esi+18h]
		push	eax
		mov	eax, [edi+18h]
		push	ebx
		push	edi
		call	eax
		test	eax, eax
		jz	short loc_4E30A5
		cmp	eax, 1
		jz	short loc_4E309A
		push	esi
		call	_RtlSplay@4	; RtlSplay(x)
		mov	[edi], eax
		lea	eax, [esi+18h]

loc_4E3093:				; CODE XREF: RtlLookupElementGenericTable(x,x)+43j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_4E309A:				; CODE XREF: RtlLookupElementGenericTable(x,x)+26j
		mov	esi, [esi+8]

loc_4E309D:				; CODE XREF: RtlLookupElementGenericTable(x,x)+48j
		test	esi, esi
		jnz	short loc_4E3074

loc_4E30A1:				; CODE XREF: RtlLookupElementGenericTable(x,x)+Fj
		xor	eax, eax
		jmp	short loc_4E3093
; 

loc_4E30A5:				; CODE XREF: RtlLookupElementGenericTable(x,x)+21j
		mov	esi, [esi+4]
		jmp	short loc_4E309D
_RtlLookupElementGenericTable@8	endp

; 
		align 10h
; Exported entry 2347. RtlSplay

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSplay(x)
		public _RtlSplay@4
_RtlSplay@4	proc near		; CODE XREF: RtlInsertElementGenericTableFull+7Cp
					; FsRtlPrivateInsertSharedLock+87p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		cmp	ecx, eax
		jnz	short loc_4E30C2

loc_4E30BE:				; CODE XREF: RtlSplay(x)+3Aj
		pop	ebp
		retn	4
; 

loc_4E30C2:				; CODE XREF: RtlSplay(x)+Cj
		push	esi
		push	edi

loc_4E30C4:				; CODE XREF: RtlSplay(x)+36j
		mov	esi, [ecx+4]
		mov	edx, [ecx]
		cmp	esi, eax
		jnz	short loc_4E30EC
		cmp	edx, ecx
		jnz	short loc_4E3109
		mov	edx, [eax+8]
		mov	[ecx+4], edx
		test	edx, edx
		jnz	short loc_4E3105

loc_4E30DB:				; CODE XREF: RtlSplay(x)+57j
		mov	[eax+8], ecx
		mov	[ecx], eax
		mov	[eax], eax

loc_4E30E2:				; CODE XREF: RtlSplay(x)+53j
					; RtlSplay(x)+90j ...
		mov	ecx, [eax]
		cmp	ecx, eax
		jnz	short loc_4E30C4
		pop	edi
		pop	esi
		jmp	short loc_4E30BE
; 

loc_4E30EC:				; CODE XREF: RtlSplay(x)+1Bj
		cmp	edx, ecx
		jnz	short loc_4E3142
		mov	edx, [eax+4]
		mov	[ecx+8], edx
		test	edx, edx
		jz	short loc_4E30FC
		mov	[edx], ecx

loc_4E30FC:				; CODE XREF: RtlSplay(x)+48j
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[eax], eax
		jmp	short loc_4E30E2
; 

loc_4E3105:				; CODE XREF: RtlSplay(x)+29j
		mov	[edx], ecx
		jmp	short loc_4E30DB
; 

loc_4E3109:				; CODE XREF: RtlSplay(x)+1Fj
		cmp	[edx+4], ecx
		jnz	loc_4E31DD
		mov	esi, [eax+8]
		mov	[ecx+4], esi
		test	esi, esi
		jz	short loc_4E311E
		mov	[esi], ecx

loc_4E311E:				; CODE XREF: RtlSplay(x)+6Aj
		mov	esi, [ecx+8]
		mov	[edx+4], esi
		test	esi, esi
		jz	short loc_4E312A
		mov	[esi], edx

loc_4E312A:				; CODE XREF: RtlSplay(x)+76j
		mov	esi, [edx]
		cmp	esi, edx
		jnz	loc_4E31CA
		mov	[eax], eax

loc_4E3136:				; CODE XREF: RtlSplay(x)+128j
		mov	[eax+8], ecx
		mov	[ecx], eax
		mov	[ecx+8], edx
		mov	[edx], ecx
		jmp	short loc_4E30E2
; 

loc_4E3142:				; CODE XREF: RtlSplay(x)+3Ej
		cmp	[edx+8], ecx
		jnz	short loc_4E3186
		mov	[edx+8], esi
		test	esi, esi
		jz	short loc_4E3150
		mov	[esi], edx

loc_4E3150:				; CODE XREF: RtlSplay(x)+9Cj
		mov	esi, [eax+4]
		mov	[ecx+8], esi
		test	esi, esi
		jz	short loc_4E315C
		mov	[esi], ecx

loc_4E315C:				; CODE XREF: RtlSplay(x)+A8j
		mov	esi, [edx]
		cmp	esi, edx
		jz	loc_4E3219
		mov	[eax], esi
		mov	edi, [edx]
		cmp	[edi+4], edx
		lea	esi, [edi+4]
		jz	short loc_4E3175
		lea	esi, [edi+8]

loc_4E3175:				; CODE XREF: RtlSplay(x)+C0j
		mov	[esi], eax
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		jmp	loc_4E30E2
; 

loc_4E3186:				; CODE XREF: RtlSplay(x)+95j
		mov	esi, [eax+4]
		mov	[ecx+8], esi
		test	esi, esi
		jnz	loc_4E322A

loc_4E3194:				; CODE XREF: RtlSplay(x)+17Cj
		mov	esi, [eax+8]
		mov	[edx+4], esi
		test	esi, esi
		jz	short loc_4E31A0
		mov	[esi], edx

loc_4E31A0:				; CODE XREF: RtlSplay(x)+ECj
		mov	esi, [edx]
		cmp	esi, edx
		jz	loc_4E3235
		mov	[eax], esi
		mov	edi, [edx]
		cmp	[edi+4], edx
		lea	esi, [edi+4]
		jz	short loc_4E31B9
		lea	esi, [edi+8]

loc_4E31B9:				; CODE XREF: RtlSplay(x)+104j
		mov	[esi], eax
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[eax+8], edx
		mov	[edx], eax
		jmp	loc_4E30E2
; 

loc_4E31CA:				; CODE XREF: RtlSplay(x)+7Ej
		mov	[eax], esi
		mov	edi, [edx]
		cmp	[edi+4], edx
		lea	esi, [edi+4]
		jnz	short loc_4E3246

loc_4E31D6:				; CODE XREF: RtlSplay(x)+199j
		mov	[esi], eax
		jmp	loc_4E3136
; 

loc_4E31DD:				; CODE XREF: RtlSplay(x)+5Cj
		mov	esi, [eax+4]
		mov	[edx+8], esi
		test	esi, esi
		jnz	short loc_4E3231

loc_4E31E7:				; CODE XREF: RtlSplay(x)+183j
		mov	esi, [eax+8]
		mov	[ecx+4], esi
		test	esi, esi
		jz	short loc_4E31F3
		mov	[esi], ecx

loc_4E31F3:				; CODE XREF: RtlSplay(x)+13Fj
		mov	esi, [edx]
		cmp	esi, edx
		jz	short loc_4E324B
		mov	[eax], esi
		mov	edi, [edx]
		cmp	[edi+4], edx
		lea	esi, [edi+4]
		jz	short loc_4E3208
		lea	esi, [edi+8]

loc_4E3208:				; CODE XREF: RtlSplay(x)+153j
		mov	[esi], eax
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[eax+8], ecx
		mov	[ecx], eax
		jmp	loc_4E30E2
; 

loc_4E3219:				; CODE XREF: RtlSplay(x)+B0j
		mov	[eax], eax
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		jmp	loc_4E30E2
; 

loc_4E322A:				; CODE XREF: RtlSplay(x)+DEj
		mov	[esi], ecx
		jmp	loc_4E3194
; 

loc_4E3231:				; CODE XREF: RtlSplay(x)+135j
		mov	[esi], edx
		jmp	short loc_4E31E7
; 

loc_4E3235:				; CODE XREF: RtlSplay(x)+F4j
		mov	[eax], eax
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[eax+8], edx
		mov	[edx], eax
		jmp	loc_4E30E2
; 

loc_4E3246:				; CODE XREF: RtlSplay(x)+124j
		lea	esi, [edi+8]
		jmp	short loc_4E31D6
; 

loc_4E324B:				; CODE XREF: RtlSplay(x)+147j
		mov	[eax], eax
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[eax+8], ecx
		mov	[ecx], eax
		jmp	loc_4E30E2
_RtlSplay@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlFindFirstOverlappingExclusiveNode proc near
					; CODE XREF: FsRtlPrivateInsertExclusiveLock+28p
					; FsRtlFastUnlockSingleExclusive+8Fp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CCC25 SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, edx
		mov	[ebp+var_14], edi
		test	esi, esi
		jz	short loc_4E3275
		and	dword ptr [esi], 0

loc_4E3275:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+14j
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jnz	loc_4E3306

loc_4E3280:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+ADj
		xor	eax, eax
		mov	[ebp+var_4], eax
		test	ecx, ecx
		jz	short loc_4E3300
		push	ebx

loc_4E328A:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+E2j
		mov	ebx, [ecx+34h]
		mov	eax, [ecx+30h]
		mov	edi, [edi]
		mov	[ebp+var_10], ebx
		mov	ebx, [ebp+var_14]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], eax
		mov	ebx, [ebx+4]
		cmp	[ebp+var_10], ebx
		jb	short loc_4E330E
		ja	short loc_4E32AC
		cmp	eax, edi
		jb	short loc_4E330E

loc_4E32AC:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+4Aj
		mov	eax, [ecx+10h]
		mov	esi, [ecx+14h]
		mov	[ebp+var_C], eax
		or	eax, esi
		mov	[ebp+var_8], esi
		mov	esi, [ebp+arg_4]
		jz	loc_4E335C

loc_4E32C3:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+106j
		mov	edx, [ebp+arg_0]
		mov	eax, [edx]
		mov	edx, [edx+4]
		cmp	[ebp+var_8], edx
		mov	[ebp+var_10], edx
		mov	edx, [ebp+arg_8]
		ja	short loc_4E3343
		jb	short loc_4E32DD
		cmp	[ebp+var_C], eax
		ja	short loc_4E3343

loc_4E32DD:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+7Aj
		and	eax, [ebp+var_10]
		cmp	eax, 0FFFFFFFFh
		jz	loc_5CCC25

loc_4E32E9:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+E99D3j
		cmp	[ebp+var_8], ebx
		jb	short loc_4E32F5
		ja	short loc_4E336D
		cmp	[ebp+var_C], edi
		ja	short loc_4E336D

loc_4E32F5:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+90j
					; FsRtlFindFirstOverlappingExclusiveNode+E0j
		mov	eax, [ebp+var_4]
		pop	ebx
		test	ecx, ecx
		jz	short loc_4E3300
		mov	eax, [ebp+var_1C]

loc_4E3300:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+2Bj
					; FsRtlFindFirstOverlappingExclusiveNode+9Fj
		pop	edi
		pop	esi
		leave
		retn	0Ch
; 

loc_4E3306:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+1Ej
		mov	byte ptr [edx],	0
		jmp	loc_4E3280
; 

loc_4E330E:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+48j
					; FsRtlFindFirstOverlappingExclusiveNode+4Ej ...
		mov	esi, [ebp+arg_0]
		cmp	eax, [esi]
		mov	esi, [ebp+arg_4]
		jnz	short loc_4E332A
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+var_10]
		cmp	eax, [edx+4]
		mov	edx, [ebp+arg_8]
		jz	loc_5CCC34

loc_4E332A:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+BAj
					; FsRtlFindFirstOverlappingExclusiveNode+E99DBj ...
		test	esi, esi
		jz	short loc_4E3330
		mov	[esi], ecx

loc_4E3330:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+D0j
		test	edx, edx
		jnz	short loc_4E3352

loc_4E3334:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+F9j
		mov	ecx, [ecx+8]

loc_4E3337:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+F4j
		mov	edi, [ebp+var_14]
		test	ecx, ecx
		jz	short loc_4E32F5
		jmp	loc_4E328A
; 

loc_4E3343:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+78j
					; FsRtlFindFirstOverlappingExclusiveNode+7Fj ...
		test	esi, esi
		jz	short loc_4E3349
		mov	[esi], ecx

loc_4E3349:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+E9j
		test	edx, edx
		jnz	short loc_4E3357

loc_4E334D:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+FEj
					; FsRtlFindFirstOverlappingExclusiveNode+E99F5j ...
		mov	ecx, [ecx+4]
		jmp	short loc_4E3337
; 

loc_4E3352:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+D6j
		mov	byte ptr [edx],	0
		jmp	short loc_4E3334
; 

loc_4E3357:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+EFj
		mov	byte ptr [edx],	1
		jmp	short loc_4E334D
; 

loc_4E335C:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+61j
		mov	eax, [ecx+18h]
		or	eax, [ecx+1Ch]
		jnz	loc_4E32C3
		mov	eax, [ebp+var_18]
		jmp	short loc_4E330E
; 

loc_4E336D:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+92j
					; FsRtlFindFirstOverlappingExclusiveNode+97j
		mov	[ebp+var_4], ecx
		jmp	short loc_4E3343
FsRtlFindFirstOverlappingExclusiveNode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlPrivateCheckForExclusiveLockAccess	proc near ; CODE XREF: FsRtlPrivateLock:loc_4E26A3p
					; FsRtlPrivateCheckWaitingLocks+E9785p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CCC6E SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		mov	esi, edx
		mov	[ebp+var_4], eax
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	short loc_4E33B2
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	ebx, [esi+20h]
		push	ebx
		call	FsRtlFindFirstOverlappingSharedNode
		test	eax, eax
		jnz	short loc_4E33E9

loc_4E339D:				; CODE XREF: FsRtlPrivateCheckForExclusiveLockAccess+88j
					; FsRtlPrivateCheckForExclusiveLockAccess+E9908j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_4E33B2
		push	eax
		call	_RtlSplay@4	; RtlSplay(x)
		mov	[edi+4], eax
		xor	eax, eax
		mov	[ebp+var_4], eax

loc_4E33B2:				; CODE XREF: FsRtlPrivateCheckForExclusiveLockAccess+17j
					; FsRtlPrivateCheckForExclusiveLockAccess+30j
		mov	ecx, [edi+8]
		test	ecx, ecx
		jnz	short loc_4E33C4

loc_4E33B9:				; CODE XREF: FsRtlPrivateCheckForExclusiveLockAccess+6Aj
		test	eax, eax
		jnz	short loc_4E33DE

loc_4E33BD:				; CODE XREF: FsRtlPrivateCheckForExclusiveLockAccess+75j
		mov	al, 1

loc_4E33BF:				; CODE XREF: FsRtlPrivateCheckForExclusiveLockAccess+98j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4E33C4:				; CODE XREF: FsRtlPrivateCheckForExclusiveLockAccess+45j
		push	0
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		lea	eax, [esi+20h]
		push	eax
		call	FsRtlFindFirstOverlappingExclusiveNode
		test	eax, eax
		jnz	short loc_4E340C

loc_4E33D9:				; CODE XREF: FsRtlPrivateCheckForExclusiveLockAccess+E9913j
		mov	eax, [ebp+var_4]
		jmp	short loc_4E33B9
; 

loc_4E33DE:				; CODE XREF: FsRtlPrivateCheckForExclusiveLockAccess+49j
		push	eax
		call	_RtlSplay@4	; RtlSplay(x)
		mov	[edi+8], eax
		jmp	short loc_4E33BD
; 

loc_4E33E9:				; CODE XREF: FsRtlPrivateCheckForExclusiveLockAccess+29j
		lea	ecx, [eax-10h]
		cmp	byte ptr [ecx+4], 0
		jnz	sub_5CCC5F
		mov	ecx, [ecx]

loc_4E33F8:				; CODE XREF: sub_5CCC5F+Aj
		test	ecx, ecx
		jz	short loc_4E339D
		mov	eax, [esi+8]
		or	eax, [esi+0Ch]
		jz	loc_5CCC6E

loc_4E3408:				; CODE XREF: FsRtlPrivateCheckForExclusiveLockAccess+A0j
					; FsRtlPrivateCheckForExclusiveLockAccess+E9902j ...
		xor	al, al
		jmp	short loc_4E33BF
; 

loc_4E340C:				; CODE XREF: FsRtlPrivateCheckForExclusiveLockAccess+65j
		mov	ecx, [esi+8]
		or	ecx, [esi+0Ch]
		jnz	short loc_4E3408
		jmp	loc_5CCC7F
FsRtlPrivateCheckForExclusiveLockAccess	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FindNodeOrParent proc near		; CODE XREF: RtlDeleteElementGenericTable(x,x)+17p
					; RtlInsertElementGenericTable(x,x,x,x)+14p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		mov	esi, [ebx]
		test	esi, esi
		jz	short loc_4E346C
		push	edi
		xor	edi, edi
		inc	edi

loc_4E3431:				; CODE XREF: FindNodeOrParent+34j
		lea	eax, [esi+18h]
		push	eax
		push	edx
		push	ebx
		call	dword ptr [ebx+18h]
		test	eax, eax
		jz	short loc_4E3461
		cmp	eax, edi
		jnz	short loc_4E3453
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_4E3450

loc_4E3449:				; CODE XREF: FindNodeOrParent+4Cj
		mov	edx, [ebp+var_4]
		mov	esi, eax
		jmp	short loc_4E3431
; 

loc_4E3450:				; CODE XREF: FindNodeOrParent+2Dj
		push	3

loc_4E3452:				; CODE XREF: FindNodeOrParent+50j
		pop	edi

loc_4E3453:				; CODE XREF: FindNodeOrParent+26j
		mov	ecx, [ebp+arg_0]
		mov	eax, edi
		pop	edi
		mov	[ecx], esi

loc_4E345B:				; CODE XREF: FindNodeOrParent+54j
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4E3461:				; CODE XREF: FindNodeOrParent+22j
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_4E3449
		push	2
		jmp	short loc_4E3452
; 

loc_4E346C:				; CODE XREF: FindNodeOrParent+11j
		xor	eax, eax
		jmp	short loc_4E345B
FindNodeOrParent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SwapSplayLinks	proc near		; CODE XREF: RtlDeleteNoSplay(x,x)+8Bp
					; RtlDelete(x)+57p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CCC90 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	edi, [esi]
		cmp	edi, esi
		jz	loc_5CCC90
		mov	ecx, [edx]
		mov	eax, edi
		cmp	ecx, esi
		jz	loc_5CCC90

loc_4E3493:				; CODE XREF: SwapSplayLinks+E982Aj
		cmp	eax, edx
		jz	short loc_4E34F4
		lea	edi, [eax+4]
		mov	ebx, [edi]
		cmp	ecx, edx
		jnz	loc_4E3526
		cmp	ebx, esi
		jz	short loc_4E34AB
		lea	edi, [eax+8]

loc_4E34AB:				; CODE XREF: SwapSplayLinks+36j
		mov	[edi], edx
		mov	eax, [esi]
		mov	[edx], eax
		mov	[esi], esi

loc_4E34B3:				; CODE XREF: SwapSplayLinks+DCj
		mov	ecx, [esi+4]
		mov	eax, [edx+4]
		mov	[esi+4], eax
		mov	eax, [edx+8]
		mov	[edx+4], ecx
		mov	ecx, [esi+8]
		mov	[esi+8], eax
		mov	[edx+8], ecx
		mov	eax, [esi+4]

loc_4E34CE:				; CODE XREF: SwapSplayLinks+B0j
					; SwapSplayLinks+FFj
		test	eax, eax
		jz	short loc_4E34D4
		mov	[eax], esi

loc_4E34D4:				; CODE XREF: SwapSplayLinks+60j
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_4E34DD
		mov	[eax], esi

loc_4E34DD:				; CODE XREF: SwapSplayLinks+69j
		mov	eax, [edx+4]
		pop	edi
		pop	esi
		pop	ebx
		test	eax, eax
		jnz	short loc_4E3522

loc_4E34E7:				; CODE XREF: SwapSplayLinks+B4j
		mov	eax, [edx+8]
		test	eax, eax
		jnz	loc_5CCC9F
		leave
		retn
; 

loc_4E34F4:				; CODE XREF: SwapSplayLinks+25j
		cmp	ecx, edx
		jnz	short loc_4E3551
		mov	eax, esi

loc_4E34FA:				; CODE XREF: SwapSplayLinks+F5j
		mov	[esi], eax
		mov	ecx, [esi+4]
		mov	eax, [edx+4]
		mov	[esi+4], eax
		mov	eax, [edx+8]
		mov	[edx+4], ecx
		mov	ecx, [esi+8]
		mov	[esi+8], eax
		mov	[edx+8], ecx
		mov	eax, [esi+4]
		cmp	eax, esi
		jnz	short loc_4E356C
		mov	[esi+4], edx
		mov	eax, edx
		jmp	short loc_4E34CE
; 

loc_4E3522:				; CODE XREF: SwapSplayLinks+75j
		mov	[eax], edx
		jmp	short loc_4E34E7
; 

loc_4E3526:				; CODE XREF: SwapSplayLinks+2Ej
		cmp	ebx, esi
		jz	short loc_4E352D
		lea	edi, [eax+8]

loc_4E352D:				; CODE XREF: SwapSplayLinks+B8j
		lea	ebx, [ecx+4]
		mov	eax, [ebx]
		mov	[ebp+var_4], eax
		cmp	eax, edx
		jz	short loc_4E3567
		lea	ebx, [ecx+8]
		mov	ecx, [ebx]

loc_4E353E:				; CODE XREF: SwapSplayLinks+FAj
		mov	eax, [edi]
		mov	[edi], ecx
		mov	[ebx], eax
		mov	ecx, [esi]
		mov	eax, [edx]
		mov	[esi], eax
		mov	[edx], ecx
		jmp	loc_4E34B3
; 

loc_4E3551:				; CODE XREF: SwapSplayLinks+86j
		xor	eax, eax
		cmp	[ecx+4], edx
		setnz	al
		lea	eax, ds:4[eax*4]
		mov	[eax+ecx], esi
		mov	eax, [edx]
		jmp	short loc_4E34FA
; 

loc_4E3567:				; CODE XREF: SwapSplayLinks+C7j
		mov	ecx, [ebp+var_4]
		jmp	short loc_4E353E
; 

loc_4E356C:				; CODE XREF: SwapSplayLinks+A9j
		mov	[esi+8], edx
		jmp	loc_4E34CE
SwapSplayLinks	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2352. RtlSubtreePredecessor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSubtreePredecessor(x)
		public _RtlSubtreePredecessor@4
_RtlSubtreePredecessor@4 proc near	; CODE XREF: RtlDeleteNoSplay(x,x)+7Ep
					; RtlDelete(x)+4Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_4E3598

loc_4E3589:				; CODE XREF: RtlSubtreePredecessor(x)+1Cj
		mov	ecx, [eax+8]
		test	ecx, ecx
		jnz	short loc_4E3594

loc_4E3590:				; CODE XREF: RtlSubtreePredecessor(x)+20j
		pop	ebp
		retn	4
; 

loc_4E3594:				; CODE XREF: RtlSubtreePredecessor(x)+14j
		mov	eax, ecx
		jmp	short loc_4E3589
; 

loc_4E3598:				; CODE XREF: RtlSubtreePredecessor(x)+Dj
		xor	eax, eax
		jmp	short loc_4E3590
_RtlSubtreePredecessor@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlPrivateCheckWaitingLocks proc near	; CODE XREF: FsRtlPrivateFastUnlockAll+137p
					; FsRtlFastUnlockSingleExclusive+EA154p ...

var_42		= byte ptr -42h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005CCCA3 SIZE 00000206 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		and	[esp+44h+var_34], 0
		lea	eax, [edx+0Ch]
		push	ebx
		mov	ebx, [eax]
		push	esi
		push	edi
		mov	[esp+50h+var_3C], edx
		mov	[esp+50h+var_30], ecx
		mov	[esp+50h+var_40], eax

loc_4E35C0:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+E9908j
		test	ebx, ebx
		jnz	loc_5CCCA3
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
FsRtlPrivateCheckWaitingLocks endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlSplitLocks	proc near		; CODE XREF: FsRtlPrivateFastUnlockAll+21Dp
					; FsRtlFastUnlockSingleShared+1E6p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CCEA9 SIZE 000000F6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		xor	eax, eax
		xor	ecx, ecx
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		push	edi
		mov	[ebp+var_8], eax
		cmp	[esi+4], al
		jnz	loc_5CCEA9
		cmp	dword ptr [esi], 0
		mov	eax, [ebp+arg_0]
		mov	edi, [eax]
		mov	eax, [eax+4]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_18], edi
		mov	ecx, [eax+4]
		mov	ebx, [eax]
		mov	[ebp+var_4], ecx
		jz	short loc_4E3681
		cmp	[ebp+arg_0], ecx
		jb	short loc_4E3681
		ja	short loc_4E3620
		cmp	edi, ebx
		jbe	short loc_4E3681

loc_4E3620:				; CODE XREF: FsRtlSplitLocks+48j
					; FsRtlSplitLocks+E98EBj
		mov	eax, [esi+0Ch]
		cmp	eax, [ebp+arg_0]
		jb	short loc_4E3637
		ja	loc_5CCEC2
		cmp	[esi+8], edi
		ja	loc_5CCEC2

loc_4E3637:				; CODE XREF: FsRtlSplitLocks+54j
		and	[ebp+arg_4], 0

loc_4E363B:				; CODE XREF: FsRtlSplitLocks+E98F7j
		mov	edi, [edx]
		test	edi, edi
		jz	short loc_4E367B
		and	[ebp+var_10], 0
		mov	eax, edi
		and	[ebp+var_14], 0

loc_4E364B:				; CODE XREF: FsRtlSplitLocks+A7j
		cmp	[esi], eax
		jnz	short loc_4E3688
		mov	eax, [edi+8]
		mov	ebx, [edi+28h]
		mov	ecx, [edi+2Ch]
		mov	[ebp+var_10], eax
		mov	eax, [edi+0Ch]
		mov	[ebp+var_14], eax

loc_4E3661:				; CODE XREF: FsRtlSplitLocks+EFj
		cmp	[ebp+arg_4], 0
		mov	[ebp+var_4], ecx
		jnz	short loc_4E3670
		mov	[esi+0Ch], ecx
		mov	[esi+8], ebx

loc_4E3670:				; CODE XREF: FsRtlSplitLocks+96j
					; FsRtlSplitLocks+E3j ...
		mov	[ebp+var_C], edi
		mov	edi, [edi]
		mov	eax, edi
		test	edi, edi
		jnz	short loc_4E364B

loc_4E367B:				; CODE XREF: FsRtlSplitLocks+6Dj
		mov	[esi+8], ebx
		mov	[esi+0Ch], ecx

loc_4E3681:				; CODE XREF: FsRtlSplitLocks+41j
					; FsRtlSplitLocks+46j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4E3688:				; CODE XREF: FsRtlSplitLocks+7Bj
		mov	eax, [edi+0Ch]
		mov	edx, [edi+8]
		mov	[ebp+var_1C], eax
		cmp	eax, ecx
		jb	short loc_4E36A3
		ja	loc_5CCECE
		cmp	edx, ebx
		ja	loc_5CCECE

loc_4E36A3:				; CODE XREF: FsRtlSplitLocks+C1j
					; FsRtlSplitLocks+E990Fj ...
		cmp	[ebp+arg_4], 0
		jnz	loc_5CCF7C

loc_4E36AD:				; CODE XREF: FsRtlSplitLocks+E99B6j
					; FsRtlSplitLocks+E99C8j
		mov	edx, [edi+2Ch]
		mov	eax, [edi+28h]
		cmp	ecx, edx
		ja	short loc_4E3670
		jb	short loc_4E36BD
		cmp	ebx, eax
		jnb	short loc_4E3670

loc_4E36BD:				; CODE XREF: FsRtlSplitLocks+E5j
		mov	ebx, eax
		mov	ecx, edx
		jmp	short loc_4E3661
FsRtlSplitLocks	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlPrivateInitializeFileLock proc near ; CODE	XREF: FsRtlPrivateLock+181p

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 005CCF9F SIZE 0000001C BYTES

		push	10h
		push	offset dword_6A29E0
		call	__SEH_prolog4
		mov	[ebp+var_1A], dl
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_19], bl
		mov	ecx, offset _FsRtlCreateLockInfo
		call	ExAcquireFastMutex
		mov	[ebp+ms_exc.disabled], ebx
		cmp	[esi+0Ch], ebx
		jnz	short loc_4E372A
		mov	ecx, offset _FsRtlLockInfoLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_5CCF9F
		or	dword ptr [ecx], 0FFFFFFFFh
		or	dword ptr [ecx+4], 0FFFFFFFFh
		mov	[ecx+10h], ebx
		mov	[ecx+14h], ebx
		mov	[ecx+18h], ebx
		mov	[ecx+1Ch], ebx
		mov	[ecx+20h], ebx
		mov	eax, [esi]
		mov	[ecx+8], eax
		mov	eax, [esi+4]
		mov	[ecx+0Ch], eax
		mov	[esi+28h], ebx
		mov	[esi+38h], ebx
		mov	[esi+0Ch], ecx

loc_4E372A:				; CODE XREF: FsRtlPrivateInitializeFileLock+26j
		mov	bl, 1

loc_4E372C:				; CODE XREF: FsRtlPrivateInitializeFileLock+E98DFj
		mov	[ebp+var_19], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_4E374D
		mov	al, bl
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
FsRtlPrivateInitializeFileLock endp


;  S U B	R O U T	I N E 


sub_4E374D	proc near		; CODE XREF: FsRtlPrivateInitializeFileLock+72p
					; FsRtlPrivateInitializeFileLock+E98F2j
		mov	ecx, offset _FsRtlCreateLockInfo
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		retn
sub_4E374D	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 468. FsRtlAddLargeMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlAddLargeMcbEntry
FsRtlAddLargeMcbEntry proc near		; CODE XREF: FsRtlAddMcbEntry(x,x,x,x)+16p

var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		push	0Ch
		push	offset dword_6A2A00
		call	__SEH_prolog4
		mov	[ebp+var_19], 0
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi]
		call	ExAcquireFastMutex
		and	[ebp+ms_exc.disabled], 0
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		lea	eax, [esi+4]
		push	eax
		call	_FsRtlAddBaseMcbEntry@28 ; FsRtlAddBaseMcbEntry(x,x,x,x,x,x,x)
		mov	bl, al
		mov	[ebp+var_19], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_4E37BC
		mov	al, bl
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
FsRtlAddLargeMcbEntry endp


;  S U B	R O U T	I N E 


sub_4E37BC	proc near		; CODE XREF: FsRtlAddLargeMcbEntry+45p
					; sub_5CCFBB+6j
		mov	ecx, [esi]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		retn
sub_4E37BC	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 670. FsRtlTruncateLargeMcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlTruncateLargeMcb(x, x,	x)
		public _FsRtlTruncateLargeMcb@12
_FsRtlTruncateLargeMcb@12 proc near	; CODE XREF: FsRtlTruncateMcb(x,x)+Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi]
		call	ExAcquireFastMutex
		push	[ebp+arg_8]
		lea	eax, [esi+4]
		push	[ebp+arg_4]
		push	eax
		call	_FsRtlTruncateBaseMcb@12 ; FsRtlTruncateBaseMcb(x,x,x)
		mov	ecx, [esi]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	esi
		pop	ebp
		retn	0Ch
_FsRtlTruncateLargeMcb@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 669. FsRtlTruncateBaseMcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlTruncateBaseMcb(x, x, x)
		public _FsRtlTruncateBaseMcb@12
_FsRtlTruncateBaseMcb@12 proc near	; CODE XREF: FsRtlTruncateLargeMcb(x,x,x)+1Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+arg_8], eax
		test	edi, edi
		jnz	short loc_4E3816
		mov	[esi+4], eax
		jmp	short loc_4E3855
; 

loc_4E3816:				; CODE XREF: FsRtlTruncateBaseMcb(x,x,x)+15j
		cmp	[esi+4], eax
		jbe	short loc_4E3855
		lea	eax, [ebp+arg_8]
		mov	ecx, esi
		push	eax
		lea	edx, [edi-1]
		call	_FsRtlFindLargeIndex@12	; FsRtlFindLargeIndex(x,x,x)
		test	al, al
		jz	short loc_4E3855
		mov	edx, [esi+0Ch]
		mov	ecx, [ebp+arg_8]
		cmp	dword ptr [edx+ecx*8+4], 0FFFFFFFFh
		jnz	short loc_4E383F
		mov	[esi+4], ecx
		jmp	short loc_4E3855
; 

loc_4E383F:				; CODE XREF: FsRtlTruncateBaseMcb(x,x,x)+3Ej
		lea	eax, [ecx+1]
		mov	[esi+4], eax
		cmp	ecx, eax
		jnb	short loc_4E3855
		test	eax, eax
		jz	short loc_4E3855
		cmp	[edx+ecx*8], edi
		jbe	short loc_4E3855
		mov	[edx+ecx*8], edi

loc_4E3855:				; CODE XREF: FsRtlTruncateBaseMcb(x,x,x)+1Aj
					; FsRtlTruncateBaseMcb(x,x,x)+1Fj ...
		mov	ecx, [esi]
		mov	eax, ecx
		mov	ebx, [esi+4]
		shr	eax, 2
		cmp	ebx, eax
		jnb	short loc_4E38D0
		push	0Fh
		pop	eax
		cmp	ecx, eax
		jbe	short loc_4E38D0
		add	ebx, ebx
		cmp	ebx, eax
		jnb	short loc_4E3872
		mov	ebx, eax

loc_4E3872:				; CODE XREF: FsRtlTruncateBaseMcb(x,x,x)+74j
		movzx	ecx, word ptr [esi+8]
		cmp	ebx, eax
		jnz	short loc_4E3897
		cmp	ecx, 1
		jnz	short loc_4E388B
		push	offset _FsRtlFirstPagedMappingLookasideList
		call	_ExAllocateFromPagedLookasideList@4 ; ExAllocateFromPagedLookasideList(x)
		jmp	short loc_4E38A8
; 

loc_4E388B:				; CODE XREF: FsRtlTruncateBaseMcb(x,x,x)+83j
		mov	ecx, offset _FsRtlFirstNonPagedMappingLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		jmp	short loc_4E38A8
; 

loc_4E3897:				; CODE XREF: FsRtlTruncateBaseMcb(x,x,x)+7Ej
		push	6D695346h
		mov	eax, ebx
		shl	eax, 3
		push	eax
		push	ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_4E38A8:				; CODE XREF: FsRtlTruncateBaseMcb(x,x,x)+8Fj
					; FsRtlTruncateBaseMcb(x,x,x)+9Bj
		mov	edi, eax
		test	edi, edi
		jz	short loc_4E38D0
		mov	eax, [esi+4]
		shl	eax, 3
		push	eax		; size_t
		push	dword ptr [esi+0Ch] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	dword ptr [esi+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+0Ch], edi
		mov	[esi], ebx

loc_4E38D0:				; CODE XREF: FsRtlTruncateBaseMcb(x,x,x)+67j
					; FsRtlTruncateBaseMcb(x,x,x)+6Ej ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_FsRtlTruncateBaseMcb@12 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 466. FsRtlAddBaseMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAddBaseMcbEntry(x, x, x, x, x,	x, x)
		public _FsRtlAddBaseMcbEntry@28
_FsRtlAddBaseMcbEntry@28 proc near	; CODE XREF: FsRtlAddLargeMcbEntry+34p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	FsRtlAddBaseMcbEntryEx
		test	eax, eax
		setns	al
		pop	ebp
		retn	1Ch
_FsRtlAddBaseMcbEntry@28 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 650. FsRtlRemoveBaseMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlRemoveBaseMcbEntry
FsRtlRemoveBaseMcbEntry	proc near	; CODE XREF: FsRtlRemoveLargeMcbEntry(x,x,x,x,x)+27p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005CCFC6 SIZE 000000D0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	ecx, [ebp+arg_4]
		mov	eax, ecx
		mov	edx, [ebp+arg_10]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	ebx, ebx
		or	eax, esi
		mov	[ebp+var_8], edx
		mov	edx, [ebp+arg_C]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], esi
		mov	[ebp+arg_8], edx
		jz	loc_4E3A50

loc_4E393F:				; CODE XREF: FsRtlRemoveBaseMcbEntry+14Bj
					; FsRtlRemoveBaseMcbEntry+161j
		cmp	[ebp+arg_10], ebx

loc_4E3942:				; CODE XREF: FsRtlRemoveBaseMcbEntry+1A2j
		jl	loc_4E3A74
		jg	short loc_4E3952
		cmp	edx, ebx
		jbe	loc_4E3A74

loc_4E3952:				; CODE XREF: FsRtlRemoveBaseMcbEntry+3Ej
		lea	eax, [ebp+var_10]
		mov	edx, ecx
		push	eax
		mov	ecx, edi
		call	_FsRtlFindLargeIndex@12	; FsRtlFindLargeIndex(x,x,x)
		test	al, al
		jz	loc_4E3A74
		mov	esi, [ebp+var_10]
		test	esi, esi
		jz	loc_4E3B43
		mov	eax, [edi+0Ch]
		mov	ecx, [eax+esi*8-8]

loc_4E3979:				; CODE XREF: FsRtlRemoveBaseMcbEntry+23Bj
		mov	eax, [ebp+var_4]
		cmp	ecx, eax
		jnz	loc_4E3AB1
		cmp	ebx, [ebp+var_C]
		jnz	loc_4E3AB1
		mov	ecx, [edi+0Ch]
		mov	edx, [ecx+esi*8]
		mov	[ebp+arg_10], edx
		dec	edx
		mov	[ebp+var_1C], edx
		mov	edx, [ebp+arg_8]
		add	eax, edx
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_C]
		adc	eax, [ebp+var_8]
		cmp	ebx, eax
		jg	loc_4E3AB4
		jl	short loc_4E39BE
		mov	eax, [ebp+var_1C]
		cmp	eax, [ebp+var_18]
		jnb	loc_4E3AB4

loc_4E39BE:				; CODE XREF: FsRtlRemoveBaseMcbEntry+A6j
		mov	eax, ebx
		test	esi, esi
		jz	short loc_4E39C8
		mov	eax, [ecx+esi*8-8]

loc_4E39C8:				; CODE XREF: FsRtlRemoveBaseMcbEntry+B8j
		sub	[ebp+arg_10], eax
		mov	eax, [ebp+arg_10]
		add	[ebp+var_4], eax
		adc	[ebp+var_C], ebx
		sub	edx, eax
		mov	eax, [ebp+var_8]
		sbb	eax, ebx
		mov	[ebp+arg_8], edx
		cmp	dword ptr [ecx+esi*8+4], 0FFFFFFFFh
		mov	[ebp+var_8], eax
		jz	loc_4E3AA7
		mov	eax, [edi+4]
		dec	eax
		mov	[ebp+arg_10], eax
		cmp	esi, eax
		jz	loc_4E3A7D
		test	esi, esi
		jz	loc_4E3B9E
		mov	eax, [ecx+esi*8-4]
		mov	[ebp+var_1C], eax
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4E3B79

loc_4E3A13:				; CODE XREF: FsRtlRemoveBaseMcbEntry+28Bj
					; FsRtlRemoveBaseMcbEntry+30Ej
		mov	eax, [ecx+esi*8-4]
		mov	[ebp+var_1C], eax
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4E3C20

loc_4E3A23:				; CODE XREF: FsRtlRemoveBaseMcbEntry+32Cj
		test	esi, esi
		jz	loc_4E3C3C

loc_4E3A2B:				; CODE XREF: FsRtlRemoveBaseMcbEntry+E96C4j
		mov	eax, [ecx+esi*8-4]
		mov	[ebp+var_1C], eax
		cmp	eax, 0FFFFFFFFh
		jnz	loc_5CCFD3

loc_4E3A3B:				; CODE XREF: FsRtlRemoveBaseMcbEntry+E96BEj
					; FsRtlRemoveBaseMcbEntry+E96E5j
		cmp	esi, [ebp+arg_10]
		jnb	short loc_4E3A95
		cmp	dword ptr [ecx+esi*8+0Ch], 0FFFFFFFFh
		jz	short loc_4E3A95
		or	dword ptr [ecx+esi*8+4], 0FFFFFFFFh
		push	1
		jmp	short loc_4E3A97
; 

loc_4E3A50:				; CODE XREF: FsRtlRemoveBaseMcbEntry+2Fj
		mov	esi, [edi+4]
		test	esi, esi
		jz	loc_4E393F
		mov	eax, [edi+0Ch]
		mov	eax, [eax+esi*8-8]
		cmp	[ebp+arg_10], ebx
		jg	short loc_4E3A71
		jl	short loc_4E3A74
		cmp	edx, eax
		jb	loc_4E393F

loc_4E3A71:				; CODE XREF: FsRtlRemoveBaseMcbEntry+15Bj
		mov	[edi+4], ebx

loc_4E3A74:				; CODE XREF: FsRtlRemoveBaseMcbEntry:loc_4E3942j
					; FsRtlRemoveBaseMcbEntry+42j ...
		mov	al, 1

loc_4E3A76:				; CODE XREF: FsRtlRemoveBaseMcbEntry+38Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_4E3A7D:				; CODE XREF: FsRtlRemoveBaseMcbEntry+EBj
		test	esi, esi
		jz	loc_4E3C07
		mov	eax, [ecx+esi*8-4]
		mov	[ebp+arg_10], eax
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4E3BEF

loc_4E3A95:				; CODE XREF: FsRtlRemoveBaseMcbEntry+134j
					; FsRtlRemoveBaseMcbEntry+13Bj	...
		push	2

loc_4E3A97:				; CODE XREF: FsRtlRemoveBaseMcbEntry+144j
		lea	edx, [esi-1]

loc_4E3A9A:				; CODE XREF: FsRtlRemoveBaseMcbEntry+301j
		mov	ecx, edi
		call	_FsRtlRemoveLargeEntry@12 ; FsRtlRemoveLargeEntry(x,x,x)
		mov	edx, [ebp+arg_8]

loc_4E3AA4:				; CODE XREF: FsRtlRemoveBaseMcbEntry+2A4j
		mov	eax, [ebp+var_8]

loc_4E3AA7:				; CODE XREF: FsRtlRemoveBaseMcbEntry+DCj
		mov	ecx, [ebp+var_4]

loc_4E3AAA:				; CODE XREF: FsRtlRemoveBaseMcbEntry+234j
		cmp	eax, ebx
		jmp	loc_4E3942
; 

loc_4E3AB1:				; CODE XREF: FsRtlRemoveBaseMcbEntry+74j
					; FsRtlRemoveBaseMcbEntry+7Dj
		mov	edx, [ebp+arg_8]

loc_4E3AB4:				; CODE XREF: FsRtlRemoveBaseMcbEntry+A0j
					; FsRtlRemoveBaseMcbEntry+AEj
		test	esi, esi
		jz	loc_4E3BB3
		mov	eax, [edi+0Ch]
		mov	eax, [eax+esi*8-8]

loc_4E3AC3:				; CODE XREF: FsRtlRemoveBaseMcbEntry+2ABj
		mov	ecx, [edi+0Ch]
		cmp	eax, [ebp+var_4]
		jnz	short loc_4E3AD0
		cmp	ebx, [ebp+var_C]
		jz	short loc_4E3B4A

loc_4E3AD0:				; CODE XREF: FsRtlRemoveBaseMcbEntry+1BFj
		mov	edi, [ebp+var_4]
		mov	eax, [ecx+esi*8]
		add	edi, edx
		mov	[ebp+var_18], edi
		mov	edi, [ebp+var_C]
		adc	edi, [ebp+var_8]
		mov	[ebp+var_1C], edi
		mov	edi, [ecx+esi*8+4]
		mov	[ebp+var_14], edi
		mov	edi, [ebp+arg_0]
		cmp	ebx, [ebp+var_1C]
		jl	short loc_4E3B08
		jg	loc_5CCFF4
		lea	edx, [eax-1]
		cmp	edx, [ebp+var_18]
		mov	edx, [ebp+arg_8]
		jnb	loc_5CCFF4

loc_4E3B08:				; CODE XREF: FsRtlRemoveBaseMcbEntry+1E7j
		sub	eax, [ebp+var_4]
		cmp	[ebp+var_14], 0FFFFFFFFh
		mov	[ebp+arg_10], eax
		jz	short loc_4E3B26
		mov	eax, [edi+4]
		dec	eax
		cmp	esi, eax
		jb	loc_4E3C4D

loc_4E3B20:				; CODE XREF: FsRtlRemoveBaseMcbEntry+34Aj
		mov	eax, [ebp+arg_10]
		sub	[ecx+esi*8], eax

loc_4E3B26:				; CODE XREF: FsRtlRemoveBaseMcbEntry+208j
					; FsRtlRemoveBaseMcbEntry+380j
		mov	ecx, [ebp+var_4]
		add	ecx, eax
		adc	[ebp+var_C], ebx
		sub	edx, eax
		mov	eax, [ebp+var_8]
		mov	[ebp+arg_8], edx
		sbb	eax, ebx

loc_4E3B38:				; CODE XREF: FsRtlRemoveBaseMcbEntry+E9768j
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], eax
		jmp	loc_4E3AAA
; 

loc_4E3B43:				; CODE XREF: FsRtlRemoveBaseMcbEntry+62j
		mov	ecx, ebx
		jmp	loc_4E3979
; 

loc_4E3B4A:				; CODE XREF: FsRtlRemoveBaseMcbEntry+1C4j
		cmp	dword ptr [ecx+esi*8+4], 0FFFFFFFFh
		jz	loc_4E3A74
		test	esi, esi
		jz	short loc_4E3BBA
		mov	eax, [ecx+esi*8-4]
		mov	[ebp+arg_0], eax
		cmp	eax, 0FFFFFFFFh
		jnz	loc_5CD077

loc_4E3B69:				; CODE XREF: FsRtlRemoveBaseMcbEntry+E9787j
		add	[ecx+esi*8-8], edx
		mov	eax, [edi+0Ch]
		add	[eax+esi*8+4], edx
		jmp	loc_4E3A74
; 

loc_4E3B79:				; CODE XREF: FsRtlRemoveBaseMcbEntry+103j
		lea	eax, [esi-1]
		test	eax, eax
		jz	loc_4E3C8F
		mov	eax, [ecx+esi*8-10h]
		mov	[ebp+var_14], eax

loc_4E3B8B:				; CODE XREF: FsRtlRemoveBaseMcbEntry+388j
		mov	eax, [ecx+esi*8-8]
		sub	eax, [ebp+var_14]
		add	eax, [ebp+var_1C]
		jz	loc_4E3A13
		mov	eax, [ebp+arg_10]

loc_4E3B9E:				; CODE XREF: FsRtlRemoveBaseMcbEntry+F3j
		cmp	esi, eax
		jnb	short loc_4E3C16
		cmp	dword ptr [ecx+esi*8+0Ch], 0FFFFFFFFh
		jz	short loc_4E3C16
		or	dword ptr [ecx+esi*8+4], 0FFFFFFFFh
		jmp	loc_4E3AA4
; 

loc_4E3BB3:				; CODE XREF: FsRtlRemoveBaseMcbEntry+1ACj
		mov	eax, ebx
		jmp	loc_4E3AC3
; 

loc_4E3BBA:				; CODE XREF: FsRtlRemoveBaseMcbEntry+24Dj
					; FsRtlRemoveBaseMcbEntry+E9781j
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	_FsRtlAddEntry@12 ; FsRtlAddEntry(x,x,x)
		test	al, al
		jz	loc_4E3C97
		mov	eax, [edi+0Ch]
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+var_4]
		add	ecx, edx
		or	dword ptr [eax+esi*8+4], 0FFFFFFFFh
		mov	eax, [edi+0Ch]
		mov	[eax+esi*8], ecx
		mov	eax, [edi+0Ch]
		add	[eax+esi*8+0Ch], edx
		jmp	loc_4E3A74
; 

loc_4E3BEF:				; CODE XREF: FsRtlRemoveBaseMcbEntry+185j
		lea	eax, [esi-1]
		mov	edx, ebx
		test	eax, eax
		jnz	short loc_4E3C10

loc_4E3BF8:				; CODE XREF: FsRtlRemoveBaseMcbEntry+30Aj
		mov	eax, [ecx+esi*8-8]
		sub	eax, edx
		add	eax, [ebp+arg_10]
		jz	loc_4E3A95

loc_4E3C07:				; CODE XREF: FsRtlRemoveBaseMcbEntry+175j
					; FsRtlRemoveBaseMcbEntry+335j	...
		push	1
		mov	edx, esi
		jmp	loc_4E3A9A
; 

loc_4E3C10:				; CODE XREF: FsRtlRemoveBaseMcbEntry+2ECj
		mov	edx, [ecx+esi*8-10h]
		jmp	short loc_4E3BF8
; 

loc_4E3C16:				; CODE XREF: FsRtlRemoveBaseMcbEntry+296j
					; FsRtlRemoveBaseMcbEntry+29Dj
		test	esi, esi
		jnz	loc_4E3A13
		jmp	short loc_4E3C3C
; 

loc_4E3C20:				; CODE XREF: FsRtlRemoveBaseMcbEntry+113j
		lea	eax, [esi-1]
		mov	edx, ebx
		test	eax, eax
		jz	short loc_4E3C2D
		mov	edx, [ecx+esi*8-10h]

loc_4E3C2D:				; CODE XREF: FsRtlRemoveBaseMcbEntry+31Dj
		mov	eax, [ecx+esi*8-8]
		sub	eax, edx
		add	eax, [ebp+var_1C]
		jz	loc_4E3A23

loc_4E3C3C:				; CODE XREF: FsRtlRemoveBaseMcbEntry+11Bj
					; FsRtlRemoveBaseMcbEntry+314j
		cmp	esi, [ebp+arg_10]
		jnb	short loc_4E3C07
		cmp	dword ptr [ecx+esi*8+0Ch], 0FFFFFFFFh
		jz	short loc_4E3C07
		jmp	loc_5CCFC6
; 

loc_4E3C4D:				; CODE XREF: FsRtlRemoveBaseMcbEntry+210j
		mov	eax, [ecx+esi*8+0Ch]
		cmp	eax, 0FFFFFFFFh
		jz	loc_4E3B20
		push	1
		lea	edx, [esi+1]
		mov	ecx, edi
		call	_FsRtlAddEntry@12 ; FsRtlAddEntry(x,x,x)
		test	al, al
		jz	short loc_4E3C97
		mov	eax, [edi+0Ch]
		mov	edx, [ebp+arg_8]
		or	dword ptr [eax+esi*8+0Ch], 0FFFFFFFFh
		mov	ecx, [edi+0Ch]
		mov	eax, [ecx+esi*8]
		mov	[ecx+esi*8+8], eax
		mov	eax, [edi+0Ch]
		mov	ecx, [ebp+arg_10]
		sub	[eax+esi*8], ecx
		mov	eax, ecx
		jmp	loc_4E3B26
; 

loc_4E3C8F:				; CODE XREF: FsRtlRemoveBaseMcbEntry+274j
		mov	[ebp+var_14], ebx
		jmp	loc_4E3B8B
; 

loc_4E3C97:				; CODE XREF: FsRtlRemoveBaseMcbEntry+2BDj
					; FsRtlRemoveBaseMcbEntry+35Ej	...
		xor	al, al
		jmp	loc_4E3A76
FsRtlRemoveBaseMcbEntry	endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 467. FsRtlAddBaseMcbEntryEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlAddBaseMcbEntryEx
FsRtlAddBaseMcbEntryEx proc near	; CODE XREF: FsRtlAddBaseMcbEntry(x,x,x,x,x,x,x)+1Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005CD096 SIZE 000000FC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		mov	ecx, [esi+4]
		mov	[ebp+var_4], ecx
		add	ecx, 0FFFFFFFFh
		js	short loc_4E3CFD
		jmp	short loc_4E3CD0
; 
		align 10h

loc_4E3CD0:				; CODE XREF: FsRtlAddBaseMcbEntryEx+1Bj
					; FsRtlAddBaseMcbEntryEx+4Bj
		mov	esi, [esi+0Ch]
		lea	eax, [ecx+ebx]
		cdq
		sub	eax, edx
		mov	edi, eax
		sar	edi, 1
		jz	short loc_4E3CE8
		mov	eax, [esi+edi*8-8]
		cmp	[ebp+arg_4], eax
		jb	short loc_4E3D4A

loc_4E3CE8:				; CODE XREF: FsRtlAddBaseMcbEntryEx+2Dj
		mov	eax, [esi+edi*8]
		mov	ebx, [ebp+arg_4]
		dec	eax
		cmp	ebx, eax
		jbe	short loc_4E3D4F
		lea	ebx, [edi+1]

loc_4E3CF6:				; CODE XREF: FsRtlAddBaseMcbEntryEx+9Dj
		mov	esi, [ebp+arg_0]
		cmp	ebx, ecx
		jle	short loc_4E3CD0

loc_4E3CFD:				; CODE XREF: FsRtlAddBaseMcbEntryEx+19j
		mov	ebx, [ebp+arg_4]

loc_4E3D00:				; CODE XREF: FsRtlAddBaseMcbEntryEx+294j
		mov	eax, [ebp+var_4]
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	eax, eax
		jnz	loc_4E3DA4

loc_4E3D10:				; CODE XREF: FsRtlAddBaseMcbEntryEx+100j
					; FsRtlAddBaseMcbEntryEx+118j
		test	edi, edi
		jnz	loc_4E3EC7

loc_4E3D18:				; CODE XREF: FsRtlAddBaseMcbEntryEx+220j
					; FsRtlAddBaseMcbEntryEx+24Fj
		test	ebx, ebx
		jnz	loc_4E3E6B

loc_4E3D20:				; CODE XREF: FsRtlAddBaseMcbEntryEx+1CCj
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	_FsRtlAddEntry@12 ; FsRtlAddEntry(x,x,x)
		test	al, al
		jz	loc_5CD188
		mov	eax, [esi+0Ch]
		mov	ecx, [ebp+arg_C]
		mov	[eax+edi*8+4], ecx
		mov	eax, [esi+0Ch]
		mov	ecx, [ebp+arg_14]
		add	ecx, ebx
		mov	[eax+edi*8], ecx
		jmp	short loc_4E3D99
; 

loc_4E3D4A:				; CODE XREF: FsRtlAddBaseMcbEntryEx+36j
		lea	ecx, [edi-1]
		jmp	short loc_4E3CF6
; 

loc_4E3D4F:				; CODE XREF: FsRtlAddBaseMcbEntryEx+41j
		mov	eax, [ebp+arg_14]
		lea	ecx, [esi+edi*8]
		mov	edx, [ecx+4]
		dec	eax
		add	eax, ebx
		mov	[ebp+arg_8], 0
		mov	[ebp+var_C], eax
		cmp	edx, 0FFFFFFFFh
		jz	loc_4E3F21
		test	edi, edi
		jz	loc_4E3F1A
		mov	esi, [ecx-8]

loc_4E3D79:				; CODE XREF: FsRtlAddBaseMcbEntryEx+26Cj
		mov	eax, edx
		sub	eax, esi
		add	eax, ebx
		cmp	[ebp+arg_C], eax
		jnz	loc_5CD0E8
		mov	eax, [ecx]
		mov	esi, [ebp+var_C]
		mov	[ebp+arg_C], eax
		dec	eax
		cmp	esi, eax
		ja	loc_5CD096

loc_4E3D99:				; CODE XREF: FsRtlAddBaseMcbEntryEx+98j
					; FsRtlAddBaseMcbEntryEx+44Fj ...
		xor	eax, eax

loc_4E3D9B:				; CODE XREF: FsRtlAddBaseMcbEntryEx+E943Dj
					; FsRtlAddBaseMcbEntryEx+E94DDj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_4E3DA4:				; CODE XREF: FsRtlAddBaseMcbEntryEx+5Aj
		mov	eax, [esi+0Ch]
		mov	[ebp+var_10], eax
		mov	eax, [eax+edi*8-8]
		cmp	eax, ebx
		jbe	loc_4E3D10
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	_FsRtlFindLargeIndex@12	; FsRtlFindLargeIndex(x,x,x)
		mov	edi, [ebp+var_8]
		test	al, al
		jz	loc_4E3D10
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+arg_14]
		lea	edx, [ecx+edi*8]
		add	eax, ebx
		mov	[ebp+var_C], eax
		dec	eax
		cmp	dword ptr [edx+4], 0FFFFFFFFh
		mov	[ebp+arg_8], eax
		jnz	loc_5CD0E8
		test	edi, edi
		jz	short loc_4E3DF7
		cmp	[edx-8], ebx
		ja	loc_5CD0E8

loc_4E3DF7:				; CODE XREF: FsRtlAddBaseMcbEntryEx+13Cj
		mov	eax, [edx]
		mov	[ebp+var_10], eax
		dec	eax
		mov	[ebp+var_8], eax
		cmp	[ebp+arg_8], eax
		ja	loc_5CD0E8
		test	edi, edi
		jz	loc_4E3F59
		mov	eax, [edx-8]

loc_4E3E14:				; CODE XREF: FsRtlAddBaseMcbEntryEx+2ABj
		cmp	eax, ebx
		mov	eax, [ebp+var_8]
		jnb	loc_4E3F60
		cmp	[ebp+arg_8], eax
		jnb	loc_4E3F60
		push	2
		mov	edx, edi
		mov	ecx, esi
		call	_FsRtlAddEntry@12 ; FsRtlAddEntry(x,x,x)
		test	al, al
		jz	loc_5CD188
		mov	eax, [esi+0Ch]
		mov	ecx, [ebp+arg_C]
		mov	dword ptr [eax+edi*8+4], 0FFFFFFFFh
		mov	eax, [esi+0Ch]
		mov	[eax+edi*8], ebx
		mov	eax, [esi+0Ch]
		mov	[eax+edi*8+0Ch], ecx
		mov	eax, [esi+0Ch]
		mov	ecx, [ebp+var_C]
		mov	[eax+edi*8+8], ecx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_4E3E6B:				; CODE XREF: FsRtlAddBaseMcbEntryEx+6Aj
		test	edi, edi
		jz	loc_4E3F49
		mov	eax, [esi+0Ch]
		mov	eax, [eax+edi*8-8]

loc_4E3E7A:				; CODE XREF: FsRtlAddBaseMcbEntryEx+29Bj
		cmp	eax, ebx
		jz	loc_4E3D20
		push	2
		mov	edx, edi
		mov	ecx, esi
		call	_FsRtlAddEntry@12 ; FsRtlAddEntry(x,x,x)
		test	al, al
		jz	loc_5CD188
		mov	eax, [esi+0Ch]
		mov	ecx, [ebp+arg_C]
		mov	dword ptr [eax+edi*8+4], 0FFFFFFFFh
		mov	eax, [esi+0Ch]
		mov	[eax+edi*8], ebx
		mov	eax, [esi+0Ch]
		mov	[eax+edi*8+0Ch], ecx
		mov	eax, [esi+0Ch]
		mov	ecx, [ebp+arg_14]
		add	ecx, ebx
		mov	[eax+edi*8+8], ecx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_4E3EC7:				; CODE XREF: FsRtlAddBaseMcbEntryEx+62j
		mov	ecx, [esi+0Ch]
		mov	edx, [ecx+edi*8-8]
		cmp	edx, ebx
		jnz	loc_4E3D18
		mov	eax, [ecx+edi*8-4]
		mov	[ebp+arg_8], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_5CD181
		lea	eax, [edi-1]
		test	eax, eax
		jz	short loc_4E3F50
		mov	eax, [ecx+edi*8-10h]
		mov	[ebp+arg_0], eax

loc_4E3EF4:				; CODE XREF: FsRtlAddBaseMcbEntryEx+2A7j
		mov	eax, [ebp+arg_8]
		sub	eax, [ebp+arg_0]
		add	eax, edx

loc_4E3EFC:				; CODE XREF: FsRtlAddBaseMcbEntryEx+E94D3j
		cmp	eax, [ebp+arg_C]
		jnz	loc_4E3D18
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+arg_14]
		pop	edi
		pop	esi
		add	[ecx+eax*8-8], edx
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_4E3F1A:				; CODE XREF: FsRtlAddBaseMcbEntryEx+C0j
		xor	esi, esi
		jmp	loc_4E3D79
; 

loc_4E3F21:				; CODE XREF: FsRtlAddBaseMcbEntryEx+B8j
		lea	ecx, [ebp+arg_8]
		mov	edx, eax
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	_FsRtlFindLargeIndex@12	; FsRtlFindLargeIndex(x,x,x)
		test	al, al
		jz	short loc_4E3F41
		mov	ecx, [ebp+arg_8]
		lea	eax, [ecx-1]
		cmp	edi, eax
		jz	loc_5CD0C9

loc_4E3F41:				; CODE XREF: FsRtlAddBaseMcbEntryEx+281j
					; FsRtlAddBaseMcbEntryEx+E9414j ...
		mov	esi, [ebp+arg_0]
		jmp	loc_4E3D00
; 

loc_4E3F49:				; CODE XREF: FsRtlAddBaseMcbEntryEx+1BDj
		xor	eax, eax
		jmp	loc_4E3E7A
; 

loc_4E3F50:				; CODE XREF: FsRtlAddBaseMcbEntryEx+23Bj
		mov	[ebp+arg_0], 0
		jmp	short loc_4E3EF4
; 

loc_4E3F59:				; CODE XREF: FsRtlAddBaseMcbEntryEx+15Bj
		xor	eax, eax
		jmp	loc_4E3E14
; 

loc_4E3F60:				; CODE XREF: FsRtlAddBaseMcbEntryEx+169j
					; FsRtlAddBaseMcbEntryEx+172j
		test	edi, edi
		jz	loc_4E4060
		mov	esi, [edx-8]
		mov	[ebp+var_8], esi

loc_4E3F6E:				; CODE XREF: FsRtlAddBaseMcbEntryEx+3B7j
		mov	esi, [ebp+arg_0]
		cmp	[ebp+var_8], ebx
		jnz	short loc_4E3FC9
		cmp	[ebp+arg_8], eax
		jnb	short loc_4E3FC9
		test	edi, edi
		jz	loc_4E4175
		mov	ebx, [edx-4]
		cmp	ebx, 0FFFFFFFFh
		jz	loc_5CD0FF
		lea	eax, [edi-1]
		test	eax, eax
		jz	loc_4E418F
		mov	ecx, [ecx+edi*8-10h]

loc_4E3F9E:				; CODE XREF: FsRtlAddBaseMcbEntryEx+4E1j
		mov	eax, [edx-8]
		sub	eax, ecx
		add	eax, ebx

loc_4E3FA5:				; CODE XREF: FsRtlAddBaseMcbEntryEx+4C7j
					; FsRtlAddBaseMcbEntryEx+E9451j
		mov	ebx, [ebp+arg_C]
		cmp	eax, ebx
		jnz	loc_4E40DC
		test	edi, edi
		jz	loc_5CD106
		mov	eax, [ebp+arg_14]
		add	[edx-8], eax
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_4E3FC9:				; CODE XREF: FsRtlAddBaseMcbEntryEx+2C4j
					; FsRtlAddBaseMcbEntryEx+2C9j
		test	edi, edi
		jz	loc_4E406C
		mov	esi, [edx-8]
		mov	[ebp+var_C], esi

loc_4E3FD7:				; CODE XREF: FsRtlAddBaseMcbEntryEx+3C3j
		cmp	[ebp+var_C], ebx
		jnb	short loc_4E4014
		cmp	[ebp+arg_8], eax
		jnz	short loc_4E4014
		mov	eax, [ebp+var_4]
		dec	eax
		cmp	edi, eax
		jnb	loc_5CD128
		mov	ecx, [edx+0Ch]

loc_4E3FF0:				; CODE XREF: FsRtlAddBaseMcbEntryEx+E947Bj
		mov	eax, [ebp+arg_C]
		add	eax, [ebp+arg_14]
		mov	esi, [ebp+arg_0]
		cmp	ecx, eax
		jnz	short loc_4E4078
		mov	ecx, [ebp+arg_C]
		mov	[edx], ebx
		mov	eax, [esi+0Ch]
		mov	[eax+edi*8+0Ch], ecx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_4E4014:				; CODE XREF: FsRtlAddBaseMcbEntryEx+32Aj
					; FsRtlAddBaseMcbEntryEx+32Fj
		test	edi, edi
		jnz	loc_4E40B1
		xor	eax, eax

loc_4E401E:				; CODE XREF: FsRtlAddBaseMcbEntryEx+427j
					; FsRtlAddBaseMcbEntryEx+4D6j ...
		mov	ebx, [ebp+var_4]
		dec	ebx
		cmp	eax, [ebp+arg_C]
		jz	loc_4E4130

loc_4E402B:				; CODE XREF: FsRtlAddBaseMcbEntryEx+496j
		cmp	edi, ebx
		jnb	loc_5CD14D
		mov	ebx, [edx+0Ch]

loc_4E4036:				; CODE XREF: FsRtlAddBaseMcbEntryEx+E94A0j
		mov	eax, [ebp+arg_C]
		add	eax, [ebp+arg_14]
		mov	esi, [ebp+arg_0]
		cmp	ebx, eax
		jz	loc_5CD155
		test	edi, edi
		jnz	loc_4E4104

loc_4E404F:				; CODE XREF: FsRtlAddBaseMcbEntryEx+475j
		mov	eax, [ebp+arg_C]
		pop	edi
		pop	esi
		mov	[edx+4], eax
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_4E4060:				; CODE XREF: FsRtlAddBaseMcbEntryEx+2B2j
		mov	[ebp+var_8], 0
		jmp	loc_4E3F6E
; 

loc_4E406C:				; CODE XREF: FsRtlAddBaseMcbEntryEx+31Bj
		mov	[ebp+var_C], 0
		jmp	loc_4E3FD7
; 

loc_4E4078:				; CODE XREF: FsRtlAddBaseMcbEntryEx+34Bj
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	_FsRtlAddEntry@12 ; FsRtlAddEntry(x,x,x)
		test	al, al
		jz	loc_5CD188
		mov	eax, [esi+0Ch]
		mov	ecx, [ebp+arg_C]
		mov	dword ptr [eax+edi*8+4], 0FFFFFFFFh
		mov	eax, [esi+0Ch]
		mov	[eax+edi*8], ebx
		mov	eax, [esi+0Ch]
		mov	[eax+edi*8+0Ch], ecx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_4E40B1:				; CODE XREF: FsRtlAddBaseMcbEntryEx+366j
		mov	eax, [edx-4]
		mov	[ebp+arg_8], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_5CD130
		lea	eax, [edi-1]
		test	eax, eax
		jz	loc_4E417C
		mov	eax, [edx-8]
		mov	ebx, [ecx+edi*8-10h]
		sub	eax, ebx
		add	eax, [ebp+arg_8]
		jmp	loc_4E401E
; 

loc_4E40DC:				; CODE XREF: FsRtlAddBaseMcbEntryEx+2FAj
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	_FsRtlAddEntry@12 ; FsRtlAddEntry(x,x,x)
		test	al, al
		jz	loc_5CD188
		mov	eax, [esi+0Ch]
		mov	ecx, [ebp+var_C]
		mov	[eax+edi*8+4], ebx
		mov	eax, [esi+0Ch]
		mov	[eax+edi*8], ecx
		jmp	loc_4E3D99
; 

loc_4E4104:				; CODE XREF: FsRtlAddBaseMcbEntryEx+399j
		mov	ebx, [edx-4]
		cmp	ebx, 0FFFFFFFFh
		jz	loc_4E419F
		lea	eax, [edi-1]
		test	eax, eax
		jz	short loc_4E418B
		mov	ecx, [ecx+edi*8-10h]

loc_4E411B:				; CODE XREF: FsRtlAddBaseMcbEntryEx+4DDj
		mov	eax, [edx-8]
		sub	eax, ecx
		add	eax, ebx

loc_4E4122:				; CODE XREF: FsRtlAddBaseMcbEntryEx+4F1j
		cmp	eax, [ebp+arg_C]
		jnz	loc_4E404F
		jmp	loc_5CD16B
; 

loc_4E4130:				; CODE XREF: FsRtlAddBaseMcbEntryEx+375j
		cmp	edi, ebx
		jnb	short loc_4E4196
		mov	eax, [edx+0Ch]
		mov	[ebp+arg_8], eax

loc_4E413A:				; CODE XREF: FsRtlAddBaseMcbEntryEx+4EDj
		mov	eax, [ebp+arg_C]
		add	eax, [ebp+arg_14]
		mov	esi, [ebp+arg_0]
		cmp	[ebp+arg_8], eax
		jnz	loc_4E402B
		mov	ecx, [esi+0Ch]
		test	edi, edi
		jz	loc_5CD137
		mov	eax, [ecx+edi*8+8]
		mov	edx, edi
		mov	[ecx+edi*8-8], eax
		mov	ecx, esi
		push	2
		call	_FsRtlRemoveLargeEntry@12 ; FsRtlRemoveLargeEntry(x,x,x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_4E4175:				; CODE XREF: FsRtlAddBaseMcbEntryEx+2CDj
		xor	eax, eax
		jmp	loc_4E3FA5
; 

loc_4E417C:				; CODE XREF: FsRtlAddBaseMcbEntryEx+415j
		mov	eax, [edx-8]
		xor	ebx, ebx
		sub	eax, ebx
		add	eax, [ebp+arg_8]
		jmp	loc_4E401E
; 

loc_4E418B:				; CODE XREF: FsRtlAddBaseMcbEntryEx+465j
		xor	ecx, ecx
		jmp	short loc_4E411B
; 

loc_4E418F:				; CODE XREF: FsRtlAddBaseMcbEntryEx+2E4j
		xor	ecx, ecx
		jmp	loc_4E3F9E
; 

loc_4E4196:				; CODE XREF: FsRtlAddBaseMcbEntryEx+482j
		mov	[ebp+arg_8], 0FFFFFFFFh
		jmp	short loc_4E413A
; 

loc_4E419F:				; CODE XREF: FsRtlAddBaseMcbEntryEx+45Aj
		xor	eax, eax
		jmp	loc_4E4122
FsRtlAddBaseMcbEntryEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAddEntry(x, x,	x)
_FsRtlAddEntry@12 proc near		; CODE XREF: FsRtlRemoveBaseMcbEntry+2B6p
					; FsRtlRemoveBaseMcbEntry+357p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	[ebp+var_8], ebx
		mov	ecx, [esi+4]
		add	eax, ecx
		mov	edi, [esi]
		cmp	eax, edi
		jbe	loc_4E4266
		and	[ebp+var_4], 0
		cmp	edi, 800h
		jnb	short loc_4E41D9
		add	edi, edi
		jmp	short loc_4E41DF
; 

loc_4E41D9:				; CODE XREF: FsRtlAddEntry(x,x,x)+2Dj
		add	edi, 800h

loc_4E41DF:				; CODE XREF: FsRtlAddEntry(x,x,x)+31j
		push	8
		pop	ecx
		mov	eax, edi
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_4E429B
		movzx	eax, word ptr [esi+8]
		push	6D695346h
		push	[ebp+var_4]
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_4E429B
		mov	eax, [esi+4]
		shl	eax, 3
		push	eax		; size_t
		push	dword ptr [esi+0Ch] ; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [esi+0Ch]
		add	esp, 0Ch
		cmp	dword ptr [esi], 0Fh
		jnz	short loc_4E4253
		xor	ecx, ecx
		inc	ecx
		cmp	[esi+8], cx
		jnz	short loc_4E4245
		push	eax
		push	offset _FsRtlFirstPagedMappingLookasideList
		call	_ExFreeToPagedLookasideList@8 ;	ExFreeToPagedLookasideList(x,x)
		jmp	short loc_4E425B
; 

loc_4E4245:				; CODE XREF: FsRtlAddEntry(x,x,x)+90j
		mov	edx, eax
		mov	ecx, offset _FsRtlFirstNonPagedMappingLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_4E425B
; 

loc_4E4253:				; CODE XREF: FsRtlAddEntry(x,x,x)+87j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4E425B:				; CODE XREF: FsRtlAddEntry(x,x,x)+9Dj
					; FsRtlAddEntry(x,x,x)+ABj
		mov	ecx, [esi+4]
		mov	[esi+0Ch], ebx
		mov	ebx, [ebp+var_8]
		mov	[esi], edi

loc_4E4266:				; CODE XREF: FsRtlAddEntry(x,x,x)+1Dj
		cmp	ebx, ecx
		jnb	short loc_4E428B
		mov	edx, [esi+0Ch]
		sub	ecx, ebx
		shl	ecx, 3
		push	ecx		; size_t
		mov	ecx, [ebp+arg_0]
		add	ecx, ebx
		lea	eax, [edx+ebx*8]
		push	eax		; void *
		lea	ecx, [edx+ecx*8]
		push	ecx		; void *
		call	_memmove
		mov	ecx, [esi+4]
		add	esp, 0Ch

loc_4E428B:				; CODE XREF: FsRtlAddEntry(x,x,x)+C2j
		add	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	[esi+4], ecx
		inc	eax

loc_4E4294:				; CODE XREF: FsRtlAddEntry(x,x,x)+FDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4E429B:				; CODE XREF: FsRtlAddEntry(x,x,x)+4Cj
					; FsRtlAddEntry(x,x,x)+68j
		test	byte ptr [esi+0Ah], 1
		jnz	short loc_4E42A5
		xor	al, al
		jmp	short loc_4E4294
; 

loc_4E42A5:				; CODE XREF: FsRtlAddEntry(x,x,x)+F9j
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger
_FsRtlAddEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlFindLargeIndex(x, x, x)
_FsRtlFindLargeIndex@12	proc near	; CODE XREF: FsRtlTruncateBaseMcb(x,x,x)+2Ap
					; FsRtlRemoveBaseMcbEntry+50p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		mov	[ebp+var_4], edx
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+4]
		xor	edi, edi
		mov	[ebp+var_8], eax
		lea	esi, [ebx-1]
		test	esi, esi
		js	short loc_4E42F9

loc_4E42CE:				; CODE XREF: FsRtlFindLargeIndex(x,x,x)+47j
		lea	eax, [esi+edi]
		cdq
		sub	eax, edx
		mov	ecx, eax
		mov	eax, [ebp+var_8]
		sar	ecx, 1
		mov	edx, [eax+0Ch]
		jz	short loc_4E42E9
		mov	eax, [edx+ecx*8-8]
		cmp	[ebp+var_4], eax
		jb	short loc_4E4302

loc_4E42E9:				; CODE XREF: FsRtlFindLargeIndex(x,x,x)+2Ej
		mov	eax, [edx+ecx*8]
		dec	eax
		cmp	[ebp+var_4], eax
		jbe	short loc_4E4307
		lea	edi, [ecx+1]

loc_4E42F5:				; CODE XREF: FsRtlFindLargeIndex(x,x,x)+55j
		cmp	edi, esi
		jle	short loc_4E42CE

loc_4E42F9:				; CODE XREF: FsRtlFindLargeIndex(x,x,x)+1Cj
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx
		xor	al, al
		jmp	short loc_4E430E
; 

loc_4E4302:				; CODE XREF: FsRtlFindLargeIndex(x,x,x)+37j
		lea	esi, [ecx-1]
		jmp	short loc_4E42F5
; 

loc_4E4307:				; CODE XREF: FsRtlFindLargeIndex(x,x,x)+40j
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	al, 1

loc_4E430E:				; CODE XREF: FsRtlFindLargeIndex(x,x,x)+50j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_FsRtlFindLargeIndex@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlRemoveLargeEntry(x, x,	x)
_FsRtlRemoveLargeEntry@12 proc near	; CODE XREF: FsRtlRemoveBaseMcbEntry+192p
					; FsRtlAddBaseMcbEntryEx+4B5p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, ecx
		mov	eax, [esi+4]
		lea	ebx, [edx+edi]
		cmp	ebx, eax
		jnb	short loc_4E434B
		mov	ecx, [esi+0Ch]
		sub	eax, edx
		sub	eax, edi
		shl	eax, 3
		push	eax		; size_t
		lea	eax, [ecx+ebx*8]
		push	eax		; void *
		lea	eax, [ecx+edx*8]
		push	eax		; void *
		call	_memmove
		mov	eax, [esi+4]
		add	esp, 0Ch

loc_4E434B:				; CODE XREF: FsRtlRemoveLargeEntry(x,x,x)+15j
		sub	eax, edi
		pop	edi
		mov	[esi+4], eax
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_FsRtlRemoveLargeEntry@12 endp

; 
		align 10h
; Exported entry 528. FsRtlGetNextBaseMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlGetNextBaseMcbEntry(x,	x, x, x, x)
		public _FsRtlGetNextBaseMcbEntry@20
_FsRtlGetNextBaseMcbEntry@20 proc near	; CODE XREF: FsRtlGetNextLargeMcbEntry(x,x,x,x,x)+21p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	cl, cl
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	edi, [eax+4]
		jnb	short loc_4E43CD
		test	edi, edi
		jz	short loc_4E43D1
		mov	ecx, [eax+0Ch]
		mov	ecx, [ecx+edi*8-8]

loc_4E437E:				; CODE XREF: FsRtlGetNextBaseMcbEntry(x,x,x,x,x)+73j
		mov	edx, [ebp+arg_8]
		mov	[edx], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_4E43D9
		xor	ecx, ecx

loc_4E438A:				; CODE XREF: FsRtlGetNextBaseMcbEntry(x,x,x,x,x)+7Cj
		mov	[edx+4], ecx
		xor	edx, edx
		mov	ecx, [eax+0Ch]
		push	esi
		mov	esi, [ebp+arg_C]
		mov	ecx, [ecx+edi*8+4]
		cmp	ecx, 0FFFFFFFFh
		setnz	dl
		mov	[esi], ecx
		dec	edx
		mov	[esi+4], edx
		pop	esi
		test	edi, edi
		jz	short loc_4E43D5
		mov	ecx, [eax+0Ch]
		mov	edx, [ecx+edi*8-8]

loc_4E43B2:				; CODE XREF: FsRtlGetNextBaseMcbEntry(x,x,x,x,x)+77j
		mov	eax, [eax+0Ch]
		mov	ecx, [eax+edi*8]
		mov	eax, [ebp+arg_10]
		sub	ecx, edx
		mov	[eax], ecx
		mov	dword ptr [eax+4], 0
		mov	al, 1

loc_4E43C8:				; CODE XREF: FsRtlGetNextBaseMcbEntry(x,x,x,x,x)+6Fj
		pop	edi
		pop	ebp
		retn	14h
; 

loc_4E43CD:				; CODE XREF: FsRtlGetNextBaseMcbEntry(x,x,x,x,x)+11j
		mov	al, cl
		jmp	short loc_4E43C8
; 

loc_4E43D1:				; CODE XREF: FsRtlGetNextBaseMcbEntry(x,x,x,x,x)+15j
		xor	ecx, ecx
		jmp	short loc_4E437E
; 

loc_4E43D5:				; CODE XREF: FsRtlGetNextBaseMcbEntry(x,x,x,x,x)+49j
		xor	edx, edx
		jmp	short loc_4E43B2
; 

loc_4E43D9:				; CODE XREF: FsRtlGetNextBaseMcbEntry(x,x,x,x,x)+26j
		or	ecx, 0FFFFFFFFh
		jmp	short loc_4E438A
_FsRtlGetNextBaseMcbEntry@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoAsynchronousPageWrite	proc near	; CODE XREF: MiGatherPagefilePages+63Dp
					; MiGatherMappedPages+383p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 005CD192 SIZE 00000082 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	eax, [ebx+14h]
		test	eax, eax
		jz	short loc_4E43FE
		cmp	dword ptr [eax+4], 0
		jnz	loc_4E44D5

loc_4E43FE:				; CODE XREF: IoAsynchronousPageWrite+14j
					; IoAsynchronousPageWrite+110j
		push	ebx
		call	IoGetRelatedDeviceObject
		push	dword ptr [ebp+4]
		mov	edi, eax
		push	0
		mov	ecx, edi
		mov	dl, [edi+30h]
		call	IopAllocateIrpExReturn
		mov	esi, eax
		test	esi, esi
		jz	loc_5CD192

loc_4E441F:				; CODE XREF: IoAsynchronousPageWrite+E8DE9j
		mov	eax, [ebp+arg_20]
		test	eax, eax
		jz	short loc_4E4428
		mov	[eax], esi

loc_4E4428:				; CODE XREF: IoAsynchronousPageWrite+46j
		or	byte ptr [esi+27h], 20h
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_4]
		inc	eax
		mov	edx, [esi+60h]
		shl	eax, 11h
		or	eax, 3
		mov	[esi+4], ecx
		mov	[esi+8], eax
		mov	eax, large fs:124h
		mov	[esi+50h], eax
		mov	[esi+64h], ebx
		mov	eax, [ecx+18h]
		add	eax, [ecx+10h]
		mov	[esi+3Ch], eax
		mov	eax, [ebp+arg_1C]
		mov	[esi+28h], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+30h], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+34h], eax
		mov	byte ptr [esi+20h], 0
		mov	byte ptr [edx-24h], 4
		mov	eax, [ecx+14h]
		mov	ecx, [ebp+arg_0]
		mov	[edx-20h], eax
		mov	eax, [ecx]
		mov	[edx-18h], eax
		mov	eax, [ecx+4]
		mov	ecx, esi
		mov	[edx-14h], eax
		mov	al, [ebp+arg_14]
		or	[edx-22h], al
		mov	[edx-0Ch], ebx
		mov	edx, [ebp+arg_18]
		test	edx, edx
		jnz	short loc_4E44F3
		mov	edx, large fs:124h
		call	IoSetDiskIoAttributionFromThread

loc_4E44A3:				; CODE XREF: IoAsynchronousPageWrite+126j
		mov	ecx, esi
		call	IopQueueThreadIrp
		cmp	[ebp+arg_10], 0
		jnz	loc_5CD1D7

loc_4E44B4:				; CODE XREF: IoAsynchronousPageWrite+E8E03j
		mov	edx, esi
		mov	ecx, edi
		call	IofCallDriver
		mov	esi, 0C0000000h
		mov	edx, eax
		and	edx, esi
		cmp	edx, esi
		jz	loc_5CD1E6

loc_4E44CE:				; CODE XREF: IoAsynchronousPageWrite+E8DF4j
					; IoAsynchronousPageWrite+E8E31j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_4E44D5:				; CODE XREF: IoAsynchronousPageWrite+1Aj
		inc	large dword ptr	fs:674h
		mov	eax, [edx+14h]
		add	eax, 0FFFh
		shr	eax, 0Ch
		add	large fs:678h, eax
		jmp	loc_4E43FE
; 

loc_4E44F3:				; CODE XREF: IoAsynchronousPageWrite+B7j
		mov	eax, large fs:124h
		mov	edx, [edx+0Ch]
		push	0
		push	eax
		call	IopSetDiskIoAttributionExtension
		jmp	short loc_4E44A3
IoAsynchronousPageWrite	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopQueryVpbFlagsSafe proc near		; CODE XREF: IopMountVolume+C0p
					; IopMountVolume+13CA87p

; FUNCTION CHUNK AT 005CD214 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	9
		mov	esi, ecx
		xor	edi, edi
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_4E4527
		movzx	edi, word ptr [eax+4]

loc_4E4527:				; CODE XREF: IopQueryVpbFlagsSafe+1Bj
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+460h]
		jnz	loc_5CD214
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5CD22A
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5CD223

loc_4E455D:				; CODE XREF: IopQueryVpbFlagsSafe+E8D18j
					; IopQueryVpbFlagsSafe+E8D33j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ax, di
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
IopQueryVpbFlagsSafe endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopWaitForLockAlertable	proc near	; CODE XREF: IopWaitAndAcquireFileObjectLock+3Dp
					; IopMountVolume+97p ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005CD23E SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	bl, [ebp+arg_0]
		mov	bh, dl
		test	bl, bl
		push	esi
		setz	al
		mov	esi, ecx
		dec	al
		and	al, bh
		push	edi
		mov	[ebp+var_4], eax
		mov	edi, 2FCh

loc_4E458F:				; CODE XREF: IopWaitForLockAlertable+63j
		test	bl, bl
		jnz	short loc_4E459B
		mov	[ebp+arg_0], bl
		cmp	bh, 1
		jnz	short loc_4E459F

loc_4E459B:				; CODE XREF: IopWaitForLockAlertable+23j
		mov	[ebp+arg_0], 1

loc_4E459F:				; CODE XREF: IopWaitForLockAlertable+2Bj
		push	0
		push	dword ptr [ebp+arg_0]
		push	eax
		push	0
		push	esi
		call	KeWaitForSingleObject
		cmp	eax, 101h
		jz	short loc_4E45BB

loc_4E45B4:				; CODE XREF: IopWaitForLockAlertable+6Aj
					; IopWaitForLockAlertable+E8CE3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4E45BB:				; CODE XREF: IopWaitForLockAlertable+44j
		mov	eax, large fs:124h
		mov	eax, [eax+edi]
		test	bl, bl
		jnz	loc_5CD23E
		test	al, 1
		mov	eax, [ebp+var_4]
		jz	short loc_4E458F
		mov	eax, 0C000004Bh
		jmp	short loc_4E45B4
IopWaitForLockAlertable	endp

; 
		align 10h
; Exported entry 1425. MmIsThisAnNtAsSystem

;  S U B	R O U T	I N E 


; __stdcall MmIsThisAnNtAsSystem()
		public _MmIsThisAnNtAsSystem@0
_MmIsThisAnNtAsSystem@0	proc near	; CODE XREF: IopMountVolume+4Fp
					; PsChangeQuantumTable+32p ...
		mov	al, byte ptr ds:dword_7051D4
		retn
_MmIsThisAnNtAsSystem@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAllocateIrpWithExtension(x, x, x, x)
_IopAllocateIrpWithExtension@16	proc near ; CODE XREF: IoAllocateIrp+1756E2p
					; IopAllocateIrpExReturn+C6B80j ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	[ebp+arg_4]
		add	dl, 2
		push	[ebp+arg_0]
		movzx	eax, dl
		push	eax
		push	0
		call	IopAllocateIrpPrivate
		mov	esi, eax
		test	esi, esi
		jz	short loc_4E4622
		add	dword ptr [esi+60h], 0FFFFFFB8h
		mov	eax, [esi+60h]
		add	byte ptr [esi+23h], 0FEh
		add	byte ptr [esi+22h], 0FEh
		mov	[esi+68h], eax
		call	IopIsActivityTracingEnabled
		test	al, al
		jnz	short loc_4E462A

loc_4E4622:				; CODE XREF: IopAllocateIrpWithExtension(x,x,x,x)+1Fj
					; IopAllocateIrpWithExtension(x,x,x,x)+4Bj
		mov	eax, esi
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
; 

loc_4E462A:				; CODE XREF: IopAllocateIrpWithExtension(x,x,x,x)+3Aj
		mov	ecx, esi
		call	_IopInitActivityIdIrp@4	; IopInitActivityIdIrp(x)
		jmp	short loc_4E4622
_IopAllocateIrpWithExtension@16	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFreeIrpExtension(x, x, x)
_IopFreeIrpExtension@12	proc near	; CODE XREF: .text:00524865p
					; IopFreeIrp+173p ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		and	[esp+4+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	al, [esi+27h]
		mov	ebx, [esi+68h]
		test	al, al
		jns	short loc_4E4660
		and	dword ptr [esi+68h], 0
		and	al, 7Fh
		mov	[esi+27h], al
		jmp	loc_4E46F8
; 

loc_4E4660:				; CODE XREF: IopFreeIrpExtension(x,x,x)+1Cj
		test	ebx, ebx
		jz	loc_4E46F8
		push	5
		pop	edx
		cmp	edi, edx
		jz	short loc_4E4674
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_4E4681

loc_4E4674:				; CODE XREF: IopFreeIrpExtension(x,x,x)+39j
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	short loc_4E4681
		and	dword ptr [ebx+20h], 0

loc_4E4681:				; CODE XREF: IopFreeIrpExtension(x,x,x)+3Ej
					; IopFreeIrpExtension(x,x,x)+47j
		push	9
		pop	edx
		cmp	edi, edx
		jz	short loc_4E468D
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_4E46C3

loc_4E468D:				; CODE XREF: IopFreeIrpExtension(x,x,x)+52j
		mov	ecx, esi
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	short loc_4E46BE
		mov	eax, [esi+8]
		test	eax, 200h
		jz	short loc_4E46AF
		mov	ecx, esi
		call	_IopFreeCopyObjectsFromIrp@4 ; IopFreeCopyObjectsFromIrp(x)
		mov	byte ptr [esi+21h], 1
		jmp	short loc_4E46BE
; 

loc_4E46AF:				; CODE XREF: IopFreeIrpExtension(x,x,x)+6Cj
		test	eax, 100h
		jz	short loc_4E46BE
		mov	[esp+10h+var_4], offset	_IopCopyCompleteReadIrp@12 ; IopCopyCompleteReadIrp(x,x,x)

loc_4E46BE:				; CODE XREF: IopFreeIrpExtension(x,x,x)+62j
					; IopFreeIrpExtension(x,x,x)+79j ...
		cmp	edi, 0FFFFFFFFh
		jz	short loc_4E46CF

loc_4E46C3:				; CODE XREF: IopFreeIrpExtension(x,x,x)+57j
		movzx	eax, word ptr [ebx+2]
		btr	eax, edi
		movzx	eax, ax
		jmp	short loc_4E46D1
; 

loc_4E46CF:				; CODE XREF: IopFreeIrpExtension(x,x,x)+8Dj
		xor	eax, eax

loc_4E46D1:				; CODE XREF: IopFreeIrpExtension(x,x,x)+99j
		mov	[ebx+2], ax
		test	ax, ax
		jnz	short loc_4E46F8
		test	byte ptr [esi+27h], 40h
		jz	short loc_4E46F8
		cmp	[ebp+arg_0], al
		jz	short loc_4E46F8
		push	58707249h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+68h], 0
		and	byte ptr [esi+27h], 0BFh

loc_4E46F8:				; CODE XREF: IopFreeIrpExtension(x,x,x)+27j
					; IopFreeIrpExtension(x,x,x)+2Ej ...
		mov	eax, [esp+10h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_IopFreeIrpExtension@12	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 925. IoQueueWorkItem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoQueueWorkItem(x, x, x, x)
		public _IoQueueWorkItem@16
_IoQueueWorkItem@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		and	dword ptr [ecx+20h], 0
		call	IopQueueWorkItemProlog
		mov	edx, [ebp+arg_8]
		mov	ecx, eax
		call	ExQueueWorkItemFromIo
		pop	ebp
		retn	10h
_IoQueueWorkItem@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 913. IoPropagateActivityIdToThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoPropagateActivityIdToThread
IoPropagateActivityIdToThread proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CD256 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jnz	loc_5CD256
		mov	eax, 0C0000225h

loc_4E4750:				; CODE XREF: IoPropagateActivityIdToThread+E8B49j
		pop	ebp
		retn	0Ch
IoPropagateActivityIdToThread endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 908. IoMakeAssociatedIrpEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoMakeAssociatedIrpEx(x, x,	x)
		public _IoMakeAssociatedIrpEx@12
_IoMakeAssociatedIrpEx@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	IoMakeAssociatedIrpPriv
		pop	ebp
		retn	0Ch
_IoMakeAssociatedIrpEx@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 926. IoQueueWorkItemEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoQueueWorkItemEx(x, x, x, x)
		public _IoQueueWorkItemEx@16
_IoQueueWorkItemEx@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	IopQueueWorkItemProlog
		mov	edx, [ebp+arg_8]
		mov	ecx, eax
		call	ExQueueWorkItemFromIo
		pop	ebp
		retn	10h
_IoQueueWorkItemEx@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


ExQueueWorkItemFromIo proc near		; CODE XREF: IoQueueWorkItem(x,x,x,x)+1Cp
					; IoQueueWorkItemEx(x,x,x,x)+18p ...

; FUNCTION CHUNK AT 005CD282 SIZE 0000003F BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	ExpValidateWorkItem
		cmp	esi, 7
		jnb	short loc_4E47D0
		mov	edx, ds:_ExpBuiltinPriorities[esi*4]

loc_4E47B1:				; CODE XREF: ExQueueWorkItemFromIo+3Bj
		mov	eax, ds:_PspSystemPartition
		push	1
		push	0FFFFFFFFh
		push	edx
		mov	ecx, [eax+8]
		mov	edx, edi
		call	ExpQueueWorkItem
		test	al, al
		jz	loc_5CD282
		pop	edi
		pop	esi
		retn
; 

loc_4E47D0:				; CODE XREF: ExQueueWorkItemFromIo+10j
		lea	edx, [esi-20h]
		jmp	short loc_4E47B1
ExQueueWorkItemFromIo endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopQueueWorkItemProlog proc near	; CODE XREF: IoQueueWorkItem(x,x,x,x)+12p
					; IoQueueWorkItemEx(x,x,x,x)+Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	ebx, ecx
		call	IopIsActivityTracingEnabled
		test	al, al
		jnz	loc_5CD293

loc_4E47F6:				; CODE XREF: ExQueueWorkItemFromIo+E8B03j
		lea	edi, [ebx+24h]

loc_4E47F9:				; CODE XREF: ExQueueWorkItemFromIo+E8B1Aj
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd

loc_4E47FF:				; CODE XREF: ExQueueWorkItemFromIo+E8B24j
		mov	eax, large fs:235Ch
		mov	edi, 746C6644h
		test	eax, 10001h
		jz	short loc_4E4830

loc_4E4811:				; CODE XREF: IopQueueWorkItemProlog+93j
					; IopQueueWorkItemProlog+9Ej ...
		mov	ecx, [ebx+14h]
		mov	edx, edi
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_8]
		mov	[ebx+10h], eax
		mov	eax, [ebp+arg_0]
		pop	edi
		mov	[ebx+18h], eax
		mov	eax, ebx
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4E4830:				; CODE XREF: IopQueueWorkItemProlog+39j
		mov	esi, large fs:124h
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_PsGetWorkOnBehalfThread@8 ; PsGetWorkOnBehalfThread(x,x)
		mov	[ebx+1Ch], eax
		test	eax, eax
		jnz	short loc_4E4876
		mov	eax, large fs:124h
		cmp	_PopEnergyEstimationEnabled, 0
		mov	eax, [eax+80h]
		jz	short loc_4E486B

loc_4E485D:				; CODE XREF: IopQueueWorkItemProlog+9Cj
		mov	edx, edi
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	[ebx+1Ch], esi
		jmp	short loc_4E4811
; 

loc_4E486B:				; CODE XREF: IopQueueWorkItemProlog+85j
		cmp	dword ptr [eax+158h], 0
		jnz	short loc_4E485D
		jmp	short loc_4E4811
; 

loc_4E4876:				; CODE XREF: IopQueueWorkItemProlog+70j
		cmp	[ebp+var_4], 0
		jnz	short loc_4E4811
		mov	edx, edi
		mov	ecx, eax
		call	ObfReferenceObjectWithTag
		jmp	short loc_4E4811
IopQueueWorkItemProlog endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoMakeAssociatedIrpPriv	proc near	; CODE XREF: IoMakeAssociatedIrpEx(x,x,x)+Ep
					; IoMakeAssociatedIrp(x,x)+Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_3		= byte ptr  0Bh

; FUNCTION CHUNK AT 005CD2C1 SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_2], 0
		mov	edi, ecx
		call	IopIsActivityTracingEnabled
		push	6
		pop	ebx
		test	al, al
		jnz	loc_5CD2C1

loc_4E48AB:				; CODE XREF: IoMakeAssociatedIrpPriv+E8A48j
		mov	edx, ebx
		mov	ecx, edi
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jnz	short loc_4E48DB
		push	8
		pop	edx
		mov	ecx, edi
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jnz	short loc_4E48DB
		test	esi, esi
		jz	loc_5CD2D5
		test	dword ptr [esi+1Ch], 8000000h
		jz	loc_5CD2D5

loc_4E48DB:				; CODE XREF: IoMakeAssociatedIrpPriv+2Ej
					; IoMakeAssociatedIrpPriv+3Cj ...
		mov	cl, [ebp+arg_0]
		add	cl, 2
		mov	[ebp+var_2], 1

loc_4E48E5:				; CODE XREF: IoMakeAssociatedIrpPriv+E8A50j
		mov	esi, large fs:20h
		movsx	eax, cl
		mov	[ebp+var_18], eax
		imul	eax, 24h
		push	70h
		pop	edx
		mov	[ebp+arg_3], cl
		mov	[ebp+var_1], 0
		add	eax, edx
		mov	[ebp+var_10], esi
		mov	dl, byte ptr _IopLargeIrpStackLocations
		movzx	eax, ax
		movzx	ebx, ax
		mov	[ebp+var_14], eax
		mov	al, byte ptr _IopMediumIrpStackLocations
		mov	[ebp+var_8], ebx
		cmp	cl, dl
		jg	loc_4E4A90
		mov	[ebp+var_1], 4
		cmp	cl, 1
		jz	loc_5CD2DD
		push	70h
		cmp	cl, al
		pop	ecx
		jle	loc_5CD2EB
		movsx	ax, dl
		mov	ebx, 5B0h
		mov	[ebp+var_C], 10h

loc_4E494B:				; CODE XREF: IoMakeAssociatedIrpPriv+E8A71j
		movzx	eax, ax
		imul	eax, 24h
		add	ax, cx
		movzx	eax, ax
		mov	[ebp+var_8], eax

loc_4E495A:				; CODE XREF: IoMakeAssociatedIrpPriv+E8A5Ej
		mov	ebx, [ebx+esi]
		mov	ecx, ebx
		inc	dword ptr [ebx+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_4E4A56

loc_4E4971:				; CODE XREF: IoMakeAssociatedIrpPriv+1ECj
					; IoMakeAssociatedIrpPriv+1F5j
		test	byte ptr _IopIrpStackProfilerFlags, 3
		jz	loc_5CD2FE
		test	esi, esi
		jz	loc_4E4A8D
		mov	eax, [ebp+var_14]
		movzx	eax, ax
		cmp	[esi+1Ch], eax
		jb	loc_4E4A82
		movzx	ebx, word ptr [esi+1Ch]

loc_4E4999:				; CODE XREF: IoMakeAssociatedIrpPriv+E8A79j
		test	esi, esi
		jz	loc_4E4A90

loc_4E49A1:				; CODE XREF: IoMakeAssociatedIrpPriv+21Fj
		movzx	eax, bx
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		imul	edx, [ebp+var_18], 24h
		add	esp, 0Ch
		mov	[esi+2], bx
		push	6
		pop	eax
		mov	[esi], ax
		add	edx, 70h
		mov	al, [ebp+arg_3]
		add	edx, esi
		mov	[esi+22h], al
		inc	al
		mov	[esi+23h], al
		mov	eax, large fs:124h
		mov	al, [eax+16Ah]
		or	dword ptr [esi+8], 8
		mov	[esi+26h], al
		lea	eax, [esi+10h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	al, [ebp+var_1]
		mov	[esi+60h], edx
		mov	ecx, [edi+8]
		or	[esi+27h], al
		and	ecx, 0E0002h
		or	[esi+8], ecx
		cmp	[ebp+var_2], 0
		mov	eax, [edi+50h]
		mov	[esi+50h], eax
		mov	[esi+0Ch], edi
		jz	short loc_4E4A1E
		add	byte ptr [esi+23h], 0FEh
		lea	eax, [edx-48h]
		add	byte ptr [esi+22h], 0FEh
		mov	[esi+60h], eax
		mov	[esi+68h], eax

loc_4E4A1E:				; CODE XREF: IoMakeAssociatedIrpPriv+183j
		call	IopIsActivityTracingEnabled
		test	al, al
		jnz	loc_5CD306

loc_4E4A2B:				; CODE XREF: IoMakeAssociatedIrpPriv+E8A89j
					; IoMakeAssociatedIrpPriv+E8A9Cj
		push	6
		pop	eax
		mov	edx, eax
		mov	ecx, edi
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jnz	loc_4E4AC1

loc_4E4A3F:				; CODE XREF: IoMakeAssociatedIrpPriv+24Bj
		push	8
		pop	edx
		mov	ecx, edi
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jnz	short loc_4E4AAF

loc_4E4A4D:				; CODE XREF: IoMakeAssociatedIrpPriv+237j
		mov	eax, esi

loc_4E4A4F:				; CODE XREF: IoMakeAssociatedIrpPriv+225j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4E4A56:				; CODE XREF: IoMakeAssociatedIrpPriv+E3j
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		inc	dword ptr [ebx+10h]
		mov	ebx, [eax+ecx+5A4h]
		mov	ecx, ebx
		inc	dword ptr [ebx+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_4E4971
		inc	dword ptr [ebx+10h]
		jmp	loc_4E4971
; 

loc_4E4A82:				; CODE XREF: IoMakeAssociatedIrpPriv+107j
		inc	dword ptr [ebx+14h]
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4E4A8D:				; CODE XREF: IoMakeAssociatedIrpPriv+F8j
		mov	ebx, [ebp+var_8]

loc_4E4A90:				; CODE XREF: IoMakeAssociatedIrpPriv+95j
					; IoMakeAssociatedIrpPriv+113j
		push	20707249h
		movzx	eax, bx
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_4E49A1
		jmp	short loc_4E4A4F
; 

loc_4E4AAF:				; CODE XREF: IoMakeAssociatedIrpPriv+1C3j
		mov	eax, [edi+68h]
		mov	ecx, esi
		push	dword ptr [eax+34h]
		push	dword ptr [eax+30h]
		call	_IopSetDriverFlagsExtension@12 ; IopSetDriverFlagsExtension(x,x,x)
		jmp	short loc_4E4A4D
; 

loc_4E4AC1:				; CODE XREF: IoMakeAssociatedIrpPriv+1B1j
		mov	edx, [edi+68h]
		mov	ecx, esi
		push	1
		push	dword ptr [esi+50h]
		mov	edx, [edx+0Ch]
		call	IopSetDiskIoAttributionExtension
		jmp	loc_4E4A3F
IoMakeAssociatedIrpPriv	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 866. IoGetFsTrackOffsetState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoGetFsTrackOffsetState
IoGetFsTrackOffsetState	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CD329 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	5
		pop	edx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jnz	loc_5CD329
		mov	eax, 0C0000225h

loc_4E4AFE:				; CODE XREF: IoGetFsTrackOffsetState+E8866j
		pop	esi
		pop	ebp
		retn	0Ch
IoGetFsTrackOffsetState	endp

; 
		align 10h
; Exported entry 973. IoReuseIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoReuseIrp(x, x)
		public _IoReuseIrp@8
_IoReuseIrp@8	proc near		; CODE XREF: PopAllocateIrp+F8p
					; PopPrepareIoctl(x,x,x,x,x,x)+12p ...

var_2C		= byte ptr -2Ch
var_2B		= byte ptr -2Bh
var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		xor	eax, eax
		test	byte ptr _MmVerifierData, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[esp+38h+var_28], eax
		mov	[esp+38h+var_24], eax
		mov	[esp+38h+var_20], eax
		mov	[esp+38h+var_1C], eax
		mov	[esp+38h+var_2B], al
		jz	short loc_4E4B5E
		mov	edx, [ebp+4]
		mov	ecx, esi
		push	1
		call	_VfIoInitializeIrp@12 ;	VfIoInitializeIrp(x,x,x)
		mov	ecx, esi
		call	_IovpLogStackTrace@4 ; IovpLogStackTrace(x)

loc_4E4B5E:				; CODE XREF: IoReuseIrp(x,x)+39j
		mov	al, [esi+27h]
		xor	edx, edx
		and	al, 6Dh
		mov	ecx, esi
		mov	[esp+38h+var_29], al
		mov	al, [esi+22h]
		mov	[esp+38h+var_2A], al
		movzx	eax, word ptr [esi+2]
		mov	[esp+38h+var_18], eax
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		mov	edi, [esi+68h]
		mov	ebx, edi
		test	al, al
		jz	short loc_4E4BA9
		mov	eax, [edi+10h]
		mov	[esp+38h+var_28], eax
		mov	eax, [edi+14h]
		mov	[esp+38h+var_24], eax
		mov	eax, [edi+18h]
		mov	[esp+38h+var_20], eax
		mov	eax, [edi+1Ch]
		mov	[esp+38h+var_1C], eax
		mov	[esp+38h+var_2B], 1

loc_4E4BA9:				; CODE XREF: IoReuseIrp(x,x)+76j
		mov	al, [esi+27h]
		test	al, al
		jns	short loc_4E4BC0
		and	al, 7Fh
		mov	dword ptr [esi+68h], 0
		mov	[esi+27h], al
		xor	edi, edi
		jmp	short loc_4E4C08
; 

loc_4E4BC0:				; CODE XREF: IoReuseIrp(x,x)+9Ej
		test	ebx, ebx
		jz	short loc_4E4C08
		mov	edx, 5
		mov	ecx, esi
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	short loc_4E4BDB
		mov	dword ptr [ebx+20h], 0

loc_4E4BDB:				; CODE XREF: IoReuseIrp(x,x)+C2j
		mov	edx, 9
		mov	ecx, esi
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	short loc_4E4BFF
		test	dword ptr [esi+8], 200h
		jz	short loc_4E4BFF
		mov	ecx, esi
		call	_IopFreeCopyObjectsFromIrp@4 ; IopFreeCopyObjectsFromIrp(x)
		mov	byte ptr [esi+21h], 1

loc_4E4BFF:				; CODE XREF: IoReuseIrp(x,x)+D9j
					; IoReuseIrp(x,x)+E2j
		xor	eax, eax
		mov	[ebx+2], ax
		mov	edi, [esi+68h]

loc_4E4C08:				; CODE XREF: IoReuseIrp(x,x)+AEj
					; IoReuseIrp(x,x)+B2j
		mov	ebx, [esp+38h+var_18]
		movzx	eax, bx
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	cl, [esp+44h+var_2A]
		mov	eax, 6
		mov	[esi], ax
		add	esp, 0Ch
		mov	al, cl
		mov	[esi+2], bx
		inc	al
		mov	[esi+22h], cl
		mov	[esi+23h], al
		mov	eax, large fs:124h
		mov	al, [eax+16Ah]
		mov	[esi+26h], al
		lea	eax, [esi+10h]
		mov	[eax+4], eax
		mov	[eax], eax
		movsx	eax, cl
		lea	eax, [eax+eax*8]

loc_4E4C52:				; DATA XREF: AllocateMemory+24o
		lea	eax, [eax+1Ch]
		lea	eax, [esi+eax*4]
		mov	[esi+60h], eax
		mov	al, [esp+38h+var_29]
		mov	[esi+27h], al
		mov	eax, [ebp+arg_4]
		mov	[esi+18h], eax
		test	edi, edi
		jz	loc_4E4D09
		cmp	[esp+38h+var_2B], 1
		mov	[esi+68h], edi
		jnz	short loc_4E4C85
		lea	eax, [esp+38h+var_28]
		push	eax
		push	esi
		call	_IoSetActivityIdIrp@8 ;	IoSetActivityIdIrp(x,x)

loc_4E4C85:				; CODE XREF: IoReuseIrp(x,x)+168j
		call	IopIsActivityTracingEnabled
		test	al, al
		jz	short loc_4E4D09
		xor	edx, edx
		mov	ecx, esi
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	short loc_4E4CA9
		mov	ecx, offset _IoTrace_KernelIo_ReuseIrp
		call	_IopIsActivityTracingEventEnabled@4 ; IopIsActivityTracingEventEnabled(x)
		test	al, al
		jz	short loc_4E4D09

loc_4E4CA9:				; CODE XREF: IoReuseIrp(x,x)+189j
		xor	eax, eax
		mov	[esp+38h+var_14], eax
		mov	[esp+38h+var_10], eax
		mov	[esp+38h+var_C], eax
		mov	[esp+38h+var_8], eax
		lea	eax, [esp+38h+var_14]
		push	eax
		push	3
		call	EtwActivityIdControl
		mov	ecx, offset _IoTrace_KernelIo_ReuseIrp
		call	_IopIsActivityTracingEventEnabled@4 ; IopIsActivityTracingEventEnabled(x)
		test	al, al
		jz	short loc_4E4CFE
		push	0
		push	0
		lea	eax, [esp+40h+var_14]
		push	eax
		lea	eax, [edi+10h]
		push	eax
		mov	eax, dword_6CCFD4
		push	0
		push	0
		push	0
		push	offset _IoTrace_KernelIo_ReuseIrp
		push	eax
		mov	eax, _IoTraceHandle
		push	eax
		call	EtwWriteEx

loc_4E4CFE:				; CODE XREF: IoReuseIrp(x,x)+1C3j
		lea	eax, [esp+38h+var_14]
		push	eax
		push	esi
		call	_IoSetActivityIdIrp@8 ;	IoSetActivityIdIrp(x,x)

loc_4E4D09:				; CODE XREF: IoReuseIrp(x,x)+15Aj
					; IoReuseIrp(x,x)+17Cj	...
		mov	ecx, [esp+38h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_IoReuseIrp@8	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 898. IoIrpHasFsTrackOffsetExtensionType

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoIrpHasFsTrackOffsetExtensionType(x)
		public _IoIrpHasFsTrackOffsetExtensionType@4
_IoIrpHasFsTrackOffsetExtensionType@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	5
		pop	edx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		pop	ebp
		retn	4
_IoIrpHasFsTrackOffsetExtensionType@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall IopIrpHasExtensionType(x, x)
_IopIrpHasExtensionType@8 proc near	; CODE XREF: IopFreeIrpExtension(x,x,x):loc_4E4674p
					; IopFreeIrpExtension(x,x,x)+5Bp ...
		mov	eax, [ecx+68h]
		push	esi
		mov	esi, edx
		nop
		cmp	byte ptr [ecx+27h], 0
		jl	short loc_4E4D6A
		test	eax, eax
		jz	short loc_4E4D62
		movzx	edx, word ptr [eax+2]
		mov	ecx, esi
		mov	eax, 1
		shl	eax, cl
		test	edx, eax
		jnz	short loc_4E4D66

loc_4E4D62:				; CODE XREF: IopIrpHasExtensionType(x,x)+Fj
					; IopIrpHasExtensionType(x,x)+2Dj
		xor	al, al
		pop	esi
		retn
; 

loc_4E4D66:				; CODE XREF: IopIrpHasExtensionType(x,x)+20j
					; IopIrpHasExtensionType(x,x)+2Fj
		mov	al, 1
		pop	esi
		retn
; 

loc_4E4D6A:				; CODE XREF: IopIrpHasExtensionType(x,x)+Bj
		cmp	esi, 2
		jnz	short loc_4E4D62
		jmp	short loc_4E4D66
_IopIrpHasExtensionType@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 899. IoIsActivityTracingEnabled

;  S U B	R O U T	I N E 


; __stdcall IoIsActivityTracingEnabled()
		public _IoIsActivityTracingEnabled@0
_IoIsActivityTracingEnabled@0 proc near
		jmp	IopIsActivityTracingEnabled
_IoIsActivityTracingEnabled@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


IopIsActivityTracingEnabled proc near	; CODE XREF: IopAllocateIrpWithExtension(x,x,x,x)+33p
					; IopQueueWorkItemProlog+13p ...

; FUNCTION CHUNK AT 005CD349 SIZE 00000010 BYTES

		test	byte ptr _IopFunctionPointerMask, 4
		jnz	loc_5CD349

loc_4E4D89:				; CODE XREF: IopIsActivityTracingEnabled+E85D4j
		xor	al, al
		retn
IopIsActivityTracingEnabled endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1018. IoSynchronousPageWrite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSynchronousPageWrite(x, x, x, x, x)
		public _IoSynchronousPageWrite@20
_IoSynchronousPageWrite@20 proc	near	; CODE XREF: SmKmStoreFileWriteHeader(x,x,x,x)+120p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	IoSynchronousPageWriteEx
		pop	ecx
		pop	ebp
		retn	14h
_IoSynchronousPageWrite@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoSynchronousPageWriteEx proc near	; CODE XREF: IoSynchronousPageWrite(x,x,x,x,x)+19p
					; MiZeroPageWrite+12Fp	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005CD359 SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	eax, [ebx+14h]
		test	eax, eax
		jz	short loc_4E4DEB
		cmp	dword ptr [eax+4], 0
		jz	short loc_4E4DEB
		inc	large dword ptr	fs:674h
		mov	eax, [edx+14h]
		add	eax, 0FFFh
		shr	eax, 0Ch
		add	large fs:678h, eax

loc_4E4DEB:				; CODE XREF: IoSynchronousPageWriteEx+14j
					; IoSynchronousPageWriteEx+1Aj
		push	ebx
		call	IoGetRelatedDeviceObject
		push	dword ptr [ebp+4]
		mov	edi, eax
		push	0
		mov	ecx, edi
		mov	dl, [edi+30h]
		call	IopAllocateIrpExReturn
		mov	esi, eax
		test	esi, esi
		jz	loc_5CD359

loc_4E4E0C:				; CODE XREF: IoSynchronousPageWriteEx+E85D8j
		mov	eax, [esi+60h]
		or	byte ptr [esi+27h], 20h
		sub	eax, 24h
		mov	ecx, large fs:124h
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_4]
		mov	[esi+4], eax
		mov	dword ptr [esi+8], 43h
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		mov	edx, eax
		cmp	edx, 2
		jl	short loc_4E4EB8

loc_4E4E39:				; CODE XREF: IoSynchronousPageWriteEx+118j
					; IoSynchronousPageWriteEx+14Dj
		mov	ecx, [ebp+var_4]
		lea	eax, [edx+1]
		mov	edx, [ebp+var_8]
		shl	eax, 11h
		or	eax, 43h
		mov	byte ptr [esi+20h], 0
		mov	[esi+8], eax
		mov	eax, [ebp+arg_10]
		mov	[esi+28h], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+2Ch], eax
		mov	eax, [ecx+18h]
		add	eax, [ecx+10h]
		mov	[esi+3Ch], eax
		mov	eax, large fs:124h
		mov	[esi+50h], eax
		mov	[esi+64h], ebx
		mov	byte ptr [edx],	4
		mov	eax, [ecx+14h]
		mov	ecx, [ebp+arg_0]
		mov	[edx+4], eax
		mov	eax, [ecx]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+4]
		mov	ecx, esi
		mov	[edx+10h], eax
		mov	al, [ebp+arg_8]
		or	[edx+2], al
		mov	eax, [ebp+arg_C]
		mov	[edx+18h], ebx
		mov	edx, [esi+50h]
		test	eax, eax
		jnz	short loc_4E4F08
		call	IoSetDiskIoAttributionFromThread

loc_4E4EA1:				; CODE XREF: IoSynchronousPageWriteEx+15Dj
		mov	ecx, esi
		call	IopQueueThreadIrp
		mov	edx, esi
		mov	ecx, edi
		call	IofCallDriver

loc_4E4EB1:				; CODE XREF: IoSynchronousPageWriteEx+E85E3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_4E4EB8:				; CODE XREF: IoSynchronousPageWriteEx+81j
		mov	ecx, large fs:124h
		test	dword ptr [ecx+58h], 400h
		jz	short loc_4E4ED3

loc_4E4EC8:				; CODE XREF: IoSynchronousPageWriteEx+124j
					; IoSynchronousPageWriteEx+133j ...
		inc	_IoPagingWriteLowPriorityCount
		jmp	loc_4E4E39
; 

loc_4E4ED3:				; CODE XREF: IoSynchronousPageWriteEx+110j
		cmp	byte ptr [ecx+15Ah], 1
		jz	short loc_4E4EC8
		mov	eax, large fs:124h
		test	byte ptr [eax+304h], 40h
		jnz	short loc_4E4EC8
		mov	eax, large fs:124h
		cmp	dword ptr [eax+2D4h], 2
		jz	short loc_4E4EC8
		inc	_IoPagingWriteLowPriorityBumpedCount
		push	2
		pop	edx
		jmp	loc_4E4E39
; 

loc_4E4F08:				; CODE XREF: IoSynchronousPageWriteEx+E4j
		push	0
		push	edx
		mov	edx, [eax+0Ch]
		call	IopSetDiskIoAttributionExtension
		jmp	short loc_4E4EA1
IoSynchronousPageWriteEx endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSetDiskIoAttributionExtension proc near
					; CODE XREF: IoUpdateIrpIoAttributionHandle(x,x)+14p
					; IoPageReadEx+209p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005CD39E SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	6
		mov	[ebp+var_4], edx
		pop	edx
		call	IopAllocateIrpExtension
		mov	esi, eax
		test	esi, esi
		jz	short loc_4E4F5E
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+150h]
		test	dword ptr [ecx+3A8h], 1000h
		jnz	short loc_4E4F50

loc_4E4F43:				; CODE XREF: IopSetDiskIoAttributionExtension+41j
					; IopSetDiskIoAttributionExtension+E8495j ...
		mov	eax, [ebp+var_4]
		mov	[esi+0Ch], eax
		xor	eax, eax

loc_4E4F4B:				; CODE XREF: IopSetDiskIoAttributionExtension+4Dj
		pop	esi
		leave
		retn	8
; 

loc_4E4F50:				; CODE XREF: IopSetDiskIoAttributionExtension+2Bj
		cmp	dword ptr [ecx+158h], 0
		jz	short loc_4E4F43
		jmp	loc_5CD39E
; 

loc_4E4F5E:				; CODE XREF: IopSetDiskIoAttributionExtension+16j
		mov	eax, 0C000009Ah
		jmp	short loc_4E4F4B
IopSetDiskIoAttributionExtension endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 914. IoPropagateIrpExtension

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoPropagateIrpExtension(x, x, x)
		public _IoPropagateIrpExtension@12
_IoPropagateIrpExtension@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	0
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	IoPropagateIrpExtensionEx
		pop	ebp
		retn	0Ch
_IoPropagateIrpExtension@12 endp

; 
		align 10h
; Exported entry 915. IoPropagateIrpExtensionEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoPropagateIrpExtensionEx
IoPropagateIrpExtensionEx proc near	; CODE XREF: IoPropagateIrpExtension(x,x,x)+12p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005CD3CB SIZE 00000110 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [esi+68h]
		mov	[ebp+arg_0], edi
		test	edi, edi
		jz	loc_4E5065
		cmp	byte ptr [esi+27h], 0
		jl	loc_4E508F
		mov	ebx, [ebp+arg_10]
		test	bl, 2
		jz	short loc_4E4FCC
		nop
		cmp	byte ptr [esi+27h], 0
		jl	short loc_4E4FCC
		test	byte ptr [edi+2], 1
		jnz	loc_5CD3CB

loc_4E4FCC:				; CODE XREF: IoPropagateIrpExtensionEx+29j
					; IoPropagateIrpExtensionEx+30j ...
		test	bl, 1
		jz	short loc_4E4FED
		mov	eax, [esi+68h]
		nop
		cmp	byte ptr [esi+27h], 0
		jl	loc_5CD3FC
		test	eax, eax
		jz	short loc_4E4FED
		test	byte ptr [eax+2], 4
		jnz	loc_5CD3FC

loc_4E4FED:				; CODE XREF: IoPropagateIrpExtensionEx+3Fj
					; IoPropagateIrpExtensionEx+51j ...
		test	bl, 4
		jz	short loc_4E500A
		mov	eax, [esi+68h]
		nop
		cmp	byte ptr [esi+27h], 0
		jl	short loc_4E500A
		test	eax, eax
		jz	short loc_4E500A
		test	byte ptr [eax+2], 20h
		jnz	loc_5CD414

loc_4E500A:				; CODE XREF: IoPropagateIrpExtensionEx+60j
					; IoPropagateIrpExtensionEx+6Aj ...
		test	bl, 8
		jz	short loc_4E5027
		mov	eax, [esi+68h]
		nop
		cmp	byte ptr [esi+27h], 0
		jl	short loc_4E5027
		test	eax, eax
		jz	short loc_4E5027
		test	byte ptr [eax+2], 40h
		jnz	loc_4E50AE

loc_4E5027:				; CODE XREF: IoPropagateIrpExtensionEx+7Dj
					; IoPropagateIrpExtensionEx+87j ...
		mov	[ebp+arg_0], edi
		test	bl, 10h
		jz	short loc_4E5047
		mov	eax, [esi+68h]
		nop
		cmp	byte ptr [esi+27h], 0
		jl	short loc_4E5047
		test	eax, eax
		jz	short loc_4E5047
		test	byte ptr [eax+2], 80h
		jnz	loc_5CD45E

loc_4E5047:				; CODE XREF: IoPropagateIrpExtensionEx+9Dj
					; IoPropagateIrpExtensionEx+A7j ...
		test	bl, 20h
		jz	short loc_4E5065
		mov	eax, [esi+68h]
		nop
		cmp	byte ptr [esi+27h], 0
		jl	short loc_4E5065
		test	eax, eax
		jz	short loc_4E5065
		mov	ecx, 100h
		test	[eax+2], cx
		jnz	short loc_4E506E

loc_4E5065:				; CODE XREF: IoPropagateIrpExtensionEx+13j
					; IoPropagateIrpExtensionEx+BAj ...
		xor	eax, eax

loc_4E5067:				; CODE XREF: IoPropagateIrpExtensionEx+13Fj
					; IoPropagateIrpExtensionEx+E8546j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
; 

loc_4E506E:				; CODE XREF: IoPropagateIrpExtensionEx+D3j
		mov	ecx, [ebp+arg_4]
		mov	edx, 8
		call	IopAllocateIrpExtension
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_4E50CA
		mov	eax, [edi+30h]
		mov	[ecx+30h], eax
		mov	eax, [edi+34h]
		mov	[ecx+34h], eax
		jmp	short loc_4E5065
; 

loc_4E508F:				; CODE XREF: IoPropagateIrpExtensionEx+1Dj
		test	byte ptr [ebp+arg_10], 1
		jz	short loc_4E5065
		mov	ecx, [ebp+arg_4]
		mov	edx, 2
		call	IopAllocateIrpExtension
		mov	[eax+4], edi
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
; 

loc_4E50AE:				; CODE XREF: IoPropagateIrpExtensionEx+91j
		mov	eax, large fs:124h
		mov	edi, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	1
		push	eax
		mov	edx, [edi+0Ch]
		call	IopSetDiskIoAttributionExtension
		jmp	loc_4E5027
; 

loc_4E50CA:				; CODE XREF: IoPropagateIrpExtensionEx+EFj
					; IoPropagateIrpExtensionEx+E8449j ...
		mov	eax, 0C000009Ah
		jmp	short loc_4E5067
IoPropagateIrpExtensionEx endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSetDriverFlagsExtension(x, x, x)
_IopSetDriverFlagsExtension@12 proc near ; CODE	XREF: IoPageReadEx+1ACp
					; IoMakeAssociatedIrpPriv+232p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	8
		pop	edx
		call	IopAllocateIrpExtension
		mov	edx, eax
		test	edx, edx
		jz	short loc_4E5101
		mov	ecx, [ebp+arg_4]
		mov	eax, ecx
		shr	eax, 10h
		mov	[edx+36h], ax
		mov	eax, [ebp+arg_0]
		mov	[edx+30h], eax
		xor	eax, eax
		mov	[edx+34h], cx

loc_4E50FD:				; CODE XREF: IopSetDriverFlagsExtension(x,x,x)+34j
		pop	ebp
		retn	8
; 

loc_4E5101:				; CODE XREF: IopSetDriverFlagsExtension(x,x,x)+11j
		mov	eax, 0C000009Ah
		jmp	short loc_4E50FD
_IopSetDriverFlagsExtension@12 endp


;  S U B	R O U T	I N E 


IopAllocateIrpExtension	proc near	; CODE XREF: IopSetDiskIoAttributionExtension+Dp
					; IoPropagateIrpExtensionEx+E6p ...

; FUNCTION CHUNK AT 005CD4DB SIZE 00000058 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	esi, [edi+68h]
		test	esi, esi
		jz	short loc_4E5133
		cmp	byte ptr [edi+27h], 0
		jl	loc_5CD4DB
		movzx	eax, word ptr [esi+2]
		bts	eax, ebx
		mov	[esi+2], ax

loc_4E512D:				; CODE XREF: IopAllocateIrpExtension+37j
					; IopAllocateIrpExtension+4Ej ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_4E5133:				; CODE XREF: IopAllocateIrpExtension+Ej
		cmp	ebx, 2
		jnz	short loc_4E5141
		or	byte ptr [edi+27h], 80h

loc_4E513C:				; CODE XREF: IopAllocateIrpExtension+E83D6j
		lea	esi, [edi+64h]
		jmp	short loc_4E512D
; 

loc_4E5141:				; CODE XREF: IopAllocateIrpExtension+2Ej
		push	58707249h
		push	48h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_4E512D
		push	48h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		xor	edx, edx
		inc	edx
		mov	eax, edx
		mov	ecx, ebx
		shl	ax, cl
		mov	[esi+2], ax
		mov	[edi+68h], esi
		or	byte ptr [edi+27h], 40h
		or	[esi], dx
		jmp	short loc_4E512D
IopAllocateIrpExtension	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopMountInitializeVpb proc near		; CODE XREF: IopMountVolume+2DBp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005CD533 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	9
		mov	esi, ecx
		mov	[ebp+var_4], edx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	edi, [esi+24h]
		mov	bl, al
		xor	eax, eax
		inc	eax
		cmp	[ebp+arg_0], 0
		mov	ecx, eax
		mov	[edi+4], ax
		jz	short loc_4E51B1
		push	11h
		pop	ecx
		mov	[edi+4], cx

loc_4E51B1:				; CODE XREF: IopMountInitializeVpb+28j
		cmp	[ebp+arg_4], 0
		movzx	eax, cx
		jz	short loc_4E51C1
		or	eax, 20h
		mov	[edi+4], ax

loc_4E51C1:				; CODE XREF: IopMountInitializeVpb+38j
		mov	eax, [ebp+var_4]
		xor	dl, dl
		mov	cl, [eax+30h]
		mov	eax, [edi+8]
		inc	cl
		mov	[eax+30h], cl
		mov	ecx, edi
		mov	eax, [edi+8]
		mov	eax, [eax+0B0h]
		mov	[eax+28h], edi
		call	IopIncrementVpbRefCount
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+460h]
		jnz	loc_5CD533
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5CD549
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5CD542

loc_4E521A:				; CODE XREF: IopMountInitializeVpb+E83BDj
					; IopMountInitializeVpb+E83D8j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
IopMountInitializeVpb endp

; 
		align 10h
; Exported entry 1168. KeInitializeEnumerationContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeEnumerationContext(x, x)
		public _KeInitializeEnumerationContext@8
_KeInitializeEnumerationContext@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		mov	ecx, [ebp+arg_4]
		mov	[edx+8], ax
		mov	eax, [ecx+8]
		mov	[edx+4], eax
		mov	[edx], ecx
		pop	ebp
		retn	8
_KeInitializeEnumerationContext@8 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 993. IoSetIoCompletionEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoSetIoCompletionEx
IoSetIoCompletionEx proc near		; CODE XREF: ExpShutdownWorkerFactory(x)+C8p
					; PspNotificationPacketCallback+AFp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005CD55D SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_18]
		test	esi, esi
		jz	loc_4E5346
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[esi+10h], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+14h], eax
		mov	eax, [ebp+arg_10]
		lea	ebx, [edi+8]
		mov	[esi+18h], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_8], al
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+arg_14], eax
		mov	eax, [eax+4]
		mov	[ebp+arg_4], eax
		jnz	loc_5CD55D

loc_4E52B9:				; CODE XREF: IoSetIoCompletionEx+E8312j
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	[ebx], ebx
		jz	short loc_4E52EC
		mov	eax, [edi+18h]
		cmp	eax, [edi+1Ch]
		jnb	short loc_4E52EC
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx+0A4h]
		cmp	eax, edi
		jz	loc_4E5381

loc_4E52DD:				; CODE XREF: IoSetIoCompletionEx+128j
		mov	ecx, [ebp+arg_14]
		mov	edx, edi
		push	esi
		call	KiWakeQueueWaiter
		test	al, al
		jnz	short loc_4E5311

loc_4E52EC:				; CODE XREF: IoSetIoCompletionEx+62j
					; IoSetIoCompletionEx+6Aj ...
		mov	edx, [edi+4]
		lea	eax, [edx+1]
		mov	[edi+4], eax
		lea	eax, [edi+10h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_4E5333
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		test	edx, edx
		jnz	short loc_4E5311
		cmp	[ebx], ebx
		jnz	short loc_4E533A

loc_4E5311:				; CODE XREF: IoSetIoCompletionEx+8Aj
					; IoSetIoCompletionEx+ABj ...
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_14]
		xor	edx, edx
		push	0
		push	1
		call	KiExitDispatcher
		pop	edi
		pop	ebx
		xor	eax, eax

loc_4E532E:				; CODE XREF: IoSetIoCompletionEx+138j
		pop	esi
		pop	ebp
		retn	1Ch
; 

loc_4E5333:				; CODE XREF: IoSetIoCompletionEx+9Dj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4E533A:				; CODE XREF: IoSetIoCompletionEx+AFj
		mov	ecx, [ebp+arg_14]
		mov	edx, edi
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		jmp	short loc_4E5311
; 

loc_4E5346:				; CODE XREF: IoSetIoCompletionEx+Bj
		mov	dl, byte ptr [ebp+arg_14]
		mov	cl, 1
		call	IopAllocateMiniCompletionPacket
		mov	edx, eax
		test	edx, edx
		jz	short loc_4E5393
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	[edx+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[edx+10h], eax
		mov	eax, [ebp+arg_C]
		push	0
		mov	[edx+14h], eax
		mov	eax, [ebp+arg_10]
		push	0
		mov	[edx+18h], eax
		call	KeInsertQueueEx
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	1Ch
; 

loc_4E5381:				; CODE XREF: IoSetIoCompletionEx+77j
		cmp	byte ptr [ecx+18Bh], 0Fh
		jnz	loc_4E52DD
		jmp	loc_4E52EC
; 

loc_4E5393:				; CODE XREF: IoSetIoCompletionEx+F4j
		mov	eax, 0C000009Ah
		jmp	short loc_4E532E
IoSetIoCompletionEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeInsertQueueEx	proc near		; CODE XREF: IoSetIoCompletionEx2+158p
					; IoSetIoCompletionEx+115p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005CD577 SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_C], al
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_8], eax
		mov	edi, [eax+4]
		jnz	loc_5CD577

loc_4E53CE:				; CODE XREF: KeInsertQueueEx+E81F1j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	loc_5CD590

loc_4E53D9:				; CODE XREF: KeInsertQueueEx+E8209j
		mov	eax, [edi+36Ch]
		test	eax, eax
		jnz	short loc_4E53E5
		mov	eax, edi

loc_4E53E5:				; CODE XREF: KeInsertQueueEx+47j
		cmp	[ebp+arg_4], 0
		jnz	loc_5CD5A8

loc_4E53EF:				; CODE XREF: KeInsertQueueEx+E8226j
		mov	[ebp+var_1], 0

loc_4E53F3:				; CODE XREF: KeInsertQueueEx+E8220j
		mov	ecx, esi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	eax, [esi+4]
		lea	edx, [esi+8]
		mov	[ebp+var_10], eax
		cmp	[edx], edx
		jz	short loc_4E545C
		mov	eax, [esi+18h]
		cmp	eax, [esi+1Ch]
		jnb	loc_5CD5C5

loc_4E5413:				; CODE XREF: KeInsertQueueEx+E8235j
		mov	eax, [edi+0A4h]
		cmp	eax, esi
		jz	short loc_4E5492

loc_4E541D:				; CODE XREF: KeInsertQueueEx+FFj
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	ebx
		call	KiWakeQueueWaiter
		test	al, al
		jz	short loc_4E5459

loc_4E542C:				; CODE XREF: KeInsertQueueEx+E1j
					; KeInsertQueueEx+E5j ...
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		push	[ebp+var_C]
		movzx	edx, [ebp+arg_4]
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_8]
		neg	edx
		push	1
		sbb	edx, edx
		and	edx, 3
		call	KiExitDispatcher
		mov	eax, [ebp+var_10]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4E5459:				; CODE XREF: KeInsertQueueEx+90j
		lea	edx, [esi+8]

loc_4E545C:				; CODE XREF: KeInsertQueueEx+6Bj
					; KeInsertQueueEx+101j	...
		mov	edi, [esi+4]
		lea	eax, [edi+1]
		mov	[esi+4], eax
		lea	eax, [esi+10h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_4E548D
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		mov	[eax+4], ebx
		test	edi, edi
		jnz	short loc_4E542C
		cmp	[edx], edx
		jz	short loc_4E542C
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		jmp	short loc_4E542C
; 

loc_4E548D:				; CODE XREF: KeInsertQueueEx+D3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4E5492:				; CODE XREF: KeInsertQueueEx+81j
		cmp	byte ptr [edi+18Bh], 0Fh
		jnz	short loc_4E541D
		jmp	short loc_4E545C
KeInsertQueueEx	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFindPageFileWriteCluster proc	near	; CODE XREF: MiGatherPagefilePages+5AAp
					; MiGatherPagefilePages+66Ap

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CD5D4 SIZE 000000E2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_3C]
		mov	[ebp+var_1C], edx
		stosd
		mov	ebx, ecx
		mov	esi, [esi]
		xor	ecx, ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		stosd
		mov	[ebp+var_8], esi
		stosd
		stosd
		stosd
		mov	eax, [edx]
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	cx, [ebx+74h]
		mov	edi, eax
		and	cx, 0Fh
		mov	esi, edx
		movzx	eax, cx
		and	edi, 0FFFF0FFFh
		mov	ecx, [ebx+90h]
		cdq
		shld	edx, eax, 0Ch
		shl	eax, 0Ch
		or	esi, edx
		or	edi, eax
		mov	[ebp+var_14], esi
		mov	eax, [ebp+arg_4]
		lea	edx, [ebp+var_18]
		neg	eax
		mov	[ebp+var_18], edi
		mov	edi, [ebp+var_8]
		sbb	eax, eax
		and	eax, 6
		add	eax, 20h
		push	eax
		push	edi
		call	MiFindFreePageFileSpace
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_5CD5D4
		mov	eax, dword_6D0704
		mov	edx, dword_6D0700
		mov	edi, [ebp+var_14]
		mov	ebx, edi
		mov	esi, [ebp+var_18]
		mov	[ebp+arg_4], eax
		mov	eax, edx
		or	eax, [ebp+arg_4]
		jz	short loc_4E5550
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4E5550
		mov	edi, [ebp+arg_4]
		not	edi
		and	edi, ebx

loc_4E5550:				; CODE XREF: MiFindPageFileWriteCluster+9Fj
					; MiFindPageFileWriteCluster+A9j ...
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	eax, [ebp+var_1C]
		mov	[eax], edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
MiFindPageFileWriteCluster endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiBitmapsCachedEntryLengthChanged proc near
					; CODE XREF: MiInvalidatePageFileBitmapsCache+42p
					; MiInvalidatePageFileBitmapsCache+13Ep

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CD6B6 SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], esi
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jnz	loc_5CD6B6
		mov	edx, [edi]
		mov	ecx, edi
		test	edx, edx
		jnz	short loc_4E5599
		mov	edx, [edi+8]

loc_4E5588:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+35j
		and	edx, 0FFFFFFFCh
		jz	short loc_4E55AA
		cmp	[edx+4], ecx
		jz	short loc_4E55AA
		mov	ecx, edx
		mov	edx, [edx+8]
		jmp	short loc_4E5588
; 

loc_4E5599:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+21j
		cmp	dword ptr [edx+4], 0
		jz	short loc_4E55AA

loc_4E559F:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+46j
		mov	eax, [edx+4]
		mov	edx, eax
		cmp	dword ptr [eax+4], 0
		jnz	short loc_4E559F

loc_4E55AA:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+29j
					; MiBitmapsCachedEntryLengthChanged+2Ej ...
		test	edx, edx
		jz	short loc_4E55C0

loc_4E55AE:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+E8185j
		mov	eax, [edx+1Ch]
		mov	ecx, [edi+1Ch]
		test	ebx, ebx
		jnz	loc_5CD6EC
		cmp	eax, ecx
		jnb	short loc_4E55C7

loc_4E55C0:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+4Aj
					; MiBitmapsCachedEntryLengthChanged+D8j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4E55C7:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+5Cj
					; MiBitmapsCachedEntryLengthChanged+E818Cj
		push	edi
		add	esi, 54h
		push	esi
		call	RtlRbRemoveNode
		test	byte ptr [esi+4], 1
		mov	ecx, [esi]
		jz	short loc_4E55DF
		test	ecx, ecx
		jz	short loc_4E563C
		xor	ecx, esi

loc_4E55DF:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+75j
					; MiBitmapsCachedEntryLengthChanged+DCj
		movzx	edx, byte ptr [esi+4]
		and	edx, 1
		mov	byte ptr [ebp+arg_0], 0
		test	ecx, ecx
		jz	short loc_4E562F
		mov	ebx, [edi+1Ch]

loc_4E55F1:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+B1j
		cmp	ebx, [ecx+1Ch]
		jb	short loc_4E5615
		ja	short loc_4E5600
		mov	eax, [edi+18h]
		cmp	eax, [ecx+18h]
		jb	short loc_4E5615

loc_4E5600:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+94j
		mov	eax, [ecx+4]
		test	edx, edx
		jz	short loc_4E560D
		test	eax, eax
		jz	short loc_4E562B
		xor	eax, ecx

loc_4E560D:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+A3j
		test	eax, eax
		jz	short loc_4E562B

loc_4E5611:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+C1j
		mov	ecx, eax
		jmp	short loc_4E55F1
; 

loc_4E5615:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+92j
					; MiBitmapsCachedEntryLengthChanged+9Cj
		mov	eax, [ecx]
		test	edx, edx
		jz	short loc_4E5621
		test	eax, eax
		jz	short loc_4E5625
		xor	eax, ecx

loc_4E5621:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+B7j
		test	eax, eax
		jnz	short loc_4E5611

loc_4E5625:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+BBj
		mov	byte ptr [ebp+arg_0], 0
		jmp	short loc_4E562F
; 

loc_4E562B:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+A7j
					; MiBitmapsCachedEntryLengthChanged+ADj
		mov	byte ptr [ebp+arg_0], 1

loc_4E562F:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+8Aj
					; MiBitmapsCachedEntryLengthChanged+C7j
		push	edi
		push	[ebp+arg_0]
		push	ecx
		push	esi
		call	RtlRbInsertNodeEx
		jmp	short loc_4E55C0
; 

loc_4E563C:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+79j
		xor	ecx, ecx
		jmp	short loc_4E55DF
MiBitmapsCachedEntryLengthChanged endp

; 

MiRescanPageFileBitmapPortion:		; CODE XREF: .text:00481C60p
					; MiRescanPagefileBitmaps(x)+59p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+8]
		and	dword ptr [ebp-10h], 0
		push	ebx
		push	esi
		mov	esi, [ebp+10h]
		mov	ebx, ecx
		push	edi
		mov	edi, eax
		mov	[ebp-18h], ebx
		and	edi, 1Fh
		mov	esi, [esi]
		sub	eax, edi
		mov	ecx, eax
		mov	[ebp+8], eax
		mov	eax, [edx+4]
		shr	ecx, 5
		lea	eax, [eax+ecx*4]
		mov	[ebp-1Ch], eax
		mov	eax, [ebp+0Ch]
		add	eax, edi
		mov	[ebp-20h], eax

loc_4E567C:				; CODE XREF: .text:004E57D0j
		lea	eax, [ebp-10h]
		mov	edx, edi
		push	eax
		push	0FFFFFFFFh
		push	ecx
		lea	ecx, [ebp-20h]
		call	_RtlFindNextClearRunUlong@20 ; RtlFindNextClearRunUlong(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_4E569F
		mov	eax, [ebp+10h]
		pop	edi
		mov	[eax], esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4E569F:				; CODE XREF: .text:004E5691j
		mov	ecx, [ebp-10h]
		mov	eax, [ebp+8]
		add	eax, ecx
		mov	[ebp-14h], eax
		lea	eax, [ecx+edi]
		mov	[ebp-0Ch], eax
		mov	eax, [esi+1Ch]
		cmp	edi, eax
		jbe	loc_5CD74B
		test	eax, eax
		jnz	loc_5CD6F9
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_4E57EE
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_4E57EE
		mov	[ecx], eax
		mov	[eax+4], ecx

loc_4E56DE:				; CODE XREF: .text:005CD71Fj
		mov	eax, [ebp-14h]
		lea	edx, [ebx+54h]
		mov	[esi+1Ch], edi
		mov	[esi+18h], eax
		test	byte ptr [edx+4], 1
		mov	ecx, [edx]
		jnz	loc_4E57D5

loc_4E56F6:				; CODE XREF: .text:004E57DBj
					; .text:004E57E2j
		movzx	edx, byte ptr [edx+4]
		and	edx, 1
		mov	byte ptr [ebp+0Ch], 0
		test	ecx, ecx
		jz	short loc_4E5743

loc_4E5705:				; CODE XREF: .text:004E5727j
		cmp	edi, [ecx+1Ch]
		jb	short loc_4E5729
		ja	short loc_4E5714
		mov	eax, [ebp-14h]
		cmp	eax, [ecx+18h]
		jb	short loc_4E5729

loc_4E5714:				; CODE XREF: .text:004E570Aj
		mov	eax, [ecx+4]
		test	edx, edx
		jz	short loc_4E5721
		test	eax, eax
		jz	short loc_4E573F
		xor	eax, ecx

loc_4E5721:				; CODE XREF: .text:004E5719j
		test	eax, eax
		jz	short loc_4E573F

loc_4E5725:				; CODE XREF: .text:004E5737j
		mov	ecx, eax
		jmp	short loc_4E5705
; 

loc_4E5729:				; CODE XREF: .text:004E5708j
					; .text:004E5712j
		mov	eax, [ecx]
		test	edx, edx
		jz	short loc_4E5735
		test	eax, eax
		jz	short loc_4E5739
		xor	eax, ecx

loc_4E5735:				; CODE XREF: .text:004E572Dj
		test	eax, eax
		jnz	short loc_4E5725

loc_4E5739:				; CODE XREF: .text:004E5731j
		mov	byte ptr [ebp+0Ch], 0
		jmp	short loc_4E5743
; 

loc_4E573F:				; CODE XREF: .text:004E571Dj
					; .text:004E5723j
		mov	byte ptr [ebp+0Ch], 1

loc_4E5743:				; CODE XREF: .text:004E5703j
					; .text:004E573Dj
		push	esi
		push	dword ptr [ebp+0Ch]
		lea	eax, [ebx+54h]
		push	ecx
		push	eax
		call	RtlRbInsertNodeEx
		lea	edx, [ebx+5Ch]
		test	byte ptr [edx+4], 1
		mov	ecx, [edx]
		jz	short loc_4E5766
		test	ecx, ecx
		jz	loc_4E57E7
		xor	ecx, edx

loc_4E5766:				; CODE XREF: .text:004E575Aj
					; .text:004E57E9j
		movzx	edi, byte ptr [edx+4]
		and	edi, 1
		mov	byte ptr [ebp-8], 0
		test	ecx, ecx
		jz	short loc_4E57AF
		mov	ebx, [esi+18h]

loc_4E5778:				; CODE XREF: .text:004E5790j
		cmp	ebx, [ecx+0Ch]
		jb	short loc_4E5792
		mov	eax, [ecx+4]
		test	edi, edi
		jz	short loc_4E578A
		test	eax, eax
		jz	short loc_4E57A8
		xor	eax, ecx

loc_4E578A:				; CODE XREF: .text:004E5782j
		test	eax, eax
		jz	short loc_4E57A8

loc_4E578E:				; CODE XREF: .text:004E57A0j
		mov	ecx, eax
		jmp	short loc_4E5778
; 

loc_4E5792:				; CODE XREF: .text:004E577Bj
		mov	eax, [ecx]
		test	edi, edi
		jz	short loc_4E579E
		test	eax, eax
		jz	short loc_4E57A2
		xor	eax, ecx

loc_4E579E:				; CODE XREF: .text:004E5796j
		test	eax, eax
		jnz	short loc_4E578E

loc_4E57A2:				; CODE XREF: .text:004E579Aj
		mov	byte ptr [ebp-8], 0
		jmp	short loc_4E57AC
; 

loc_4E57A8:				; CODE XREF: .text:004E5786j
					; .text:004E578Cj
		mov	byte ptr [ebp-8], 1

loc_4E57AC:				; CODE XREF: .text:004E57A6j
		mov	ebx, [ebp-18h]

loc_4E57AF:				; CODE XREF: .text:004E5773j
		lea	eax, [esi+0Ch]
		push	eax
		push	dword ptr [ebp-8]
		push	ecx
		push	edx
		call	RtlRbInsertNodeEx
		inc	dword ptr [ebx+44h]
		lea	eax, [ebx+64h]
		mov	esi, [eax]
		cmp	esi, eax
		jz	loc_5CD724

loc_4E57CD:				; CODE XREF: .text:005CD735j
					; .text:005CD73Fj ...
		mov	edi, [ebp-0Ch]
		jmp	loc_4E567C
; 

loc_4E57D5:				; CODE XREF: .text:004E56F0j
		test	ecx, ecx
		jz	short loc_4E57E0
		xor	ecx, edx
		jmp	loc_4E56F6
; 

loc_4E57E0:				; CODE XREF: .text:004E57D7j
		xor	ecx, ecx
		jmp	loc_4E56F6
; 

loc_4E57E7:				; CODE XREF: .text:004E575Ej
		xor	ecx, ecx
		jmp	loc_4E5766
; 

loc_4E57EE:				; CODE XREF: .text:004E56C8j
					; .text:004E56D3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLengthCurrentClearRunBackward(x,	x, x)
_RtlLengthCurrentClearRunBackward@12 proc near ; CODE XREF: .text:00481C0Fp
					; .text:00481D76p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, edx
		and	edx, 1Fh
		push	ebx
		mov	ebx, [ecx+4]
		mov	ecx, 1Fh
		shr	eax, 5
		sub	ecx, edx
		lea	eax, [ebx+eax*4]
		mov	[ebp+var_4], ecx
		mov	ecx, ds:dword_40BA68[edx*4]
		mov	edx, [eax]
		push	esi
		mov	esi, 0
		push	edi
		mov	edi, [ebp+arg_0]
		and	edx, ecx
		jz	short loc_4E585C

loc_4E5836:				; CODE XREF: RtlLengthCurrentClearRunBackward(x,x,x)+79j
		push	0
		push	edx
		call	RtlFindMostSignificantBit
		movsx	eax, al
		mov	ecx, 1Fh
		sub	ecx, eax
		add	esi, ecx

loc_4E584A:				; CODE XREF: RtlLengthCurrentClearRunBackward(x,x,x)+6Dj
					; RtlLengthCurrentClearRunBackward(x,x,x)+7Dj
		sub	esi, [ebp+var_4]
		cmp	esi, edi
		ja	short loc_4E5881
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4E585C:				; CODE XREF: RtlLengthCurrentClearRunBackward(x,x,x)+34j
		mov	ecx, [ebp+var_4]
		neg	ecx

loc_4E5861:				; CODE XREF: RtlLengthCurrentClearRunBackward(x,x,x)+77j
		add	esi, 20h
		add	ecx, 20h
		cmp	esi, edi
		jnb	short loc_4E587B

loc_4E586B:				; CODE XREF: RtlLengthCurrentClearRunBackward(x,x,x)+7Fj
		cmp	eax, ebx
		jz	short loc_4E584A
		mov	edx, [eax-4]
		sub	eax, 4
		test	edx, edx
		jz	short loc_4E5861
		jmp	short loc_4E5836
; 

loc_4E587B:				; CODE XREF: RtlLengthCurrentClearRunBackward(x,x,x)+69j
		cmp	ecx, edi
		jnb	short loc_4E584A
		jmp	short loc_4E586B
; 

loc_4E5881:				; CODE XREF: RtlLengthCurrentClearRunBackward(x,x,x)+4Fj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_RtlLengthCurrentClearRunBackward@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFindNextClearRunUlong(x,	x, x, x, x)
_RtlFindNextClearRunUlong@20 proc near	; CODE XREF: .text:004E5688p
					; MiFindFreePageFileSpaceForward+47p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		cmp	[ebp+arg_4], 20h
		push	ebx
		jb	loc_4E59EF
		mov	ebx, [ecx]
		cmp	ebx, 20h
		jb	loc_4E59EF
		lea	eax, [ebx-20h]
		cmp	edx, eax
		ja	loc_4E59EF
		mov	ecx, [ecx+4]
		mov	eax, edx
		shr	eax, 5
		push	esi
		push	edi
		mov	[ebp+var_14], ecx
		lea	esi, [ecx+eax*4]
		lea	eax, [ebx-1]
		shr	eax, 5
		and	ebx, 1Fh
		mov	[ebp+var_18], ebx
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_8], eax
		jz	short loc_4E58E3
		sub	eax, 4
		mov	[ebp+var_8], eax

loc_4E58E3:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+4Bj
		and	edx, 1Fh
		mov	edi, ds:dword_40BA68[edx*4]
		or	edi, [esi]
		xor	ecx, ecx
		mov	[ebp+var_C], ecx

loc_4E58F4:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+79j
					; RtlFindNextClearRunUlong(x,x,x,x,x)+115j
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_4E590B

loc_4E58F9:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+A0j
		xor	ebx, ebx
		cmp	esi, eax
		jnb	loc_4E59AB
		mov	edi, [esi+4]
		add	esi, 4
		jmp	short loc_4E58F4
; 

loc_4E590B:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+67j
		mov	ebx, esi
		sub	ebx, [ebp+var_14]
		sar	ebx, 2
		shl	ebx, 5
		mov	[ebp+var_C], ebx
		test	edi, edi
		jz	short loc_4E593B
		push	0
		push	edi
		call	RtlFindMostSignificantBit
		movsx	eax, al
		cmp	eax, 1Fh
		jnz	short loc_4E5932
		mov	eax, [ebp+var_8]
		jmp	short loc_4E58F9
; 

loc_4E5932:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+9Bj
		inc	eax
		add	ebx, eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_C], ebx

loc_4E593B:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+8Bj
		and	ebx, 1Fh
		mov	[ebp+var_10], ebx
		mov	ecx, ds:dword_40BA68[ebx*4]
		xor	ebx, ebx
		not	ecx
		and	ecx, edi
		mov	edi, ecx
		cmp	esi, eax
		ja	short loc_4E59C5
		xor	dl, dl
		mov	[ebp+var_1], dl
		test	ecx, ecx
		jnz	short loc_4E597F
		mov	ecx, [ebp+var_10]
		neg	ecx

loc_4E5962:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+EDj
		add	ebx, 20h
		add	ecx, 20h
		cmp	ebx, [ebp+arg_4]
		jnb	loc_4E59F3

loc_4E5971:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+168j
		cmp	esi, eax
		jz	short loc_4E59C5
		mov	edi, [esi+4]
		add	esi, 4
		test	edi, edi
		jz	short loc_4E5962

loc_4E597F:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+CBj
		push	0
		push	edi
		call	_RtlFindLeastSignificantBit@8 ;	RtlFindLeastSignificantBit(x,x)
		mov	dl, [ebp+var_1]

loc_4E598A:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+15Dj
		movsx	eax, al
		add	ebx, eax
		mov	eax, [ebp+var_8]

loc_4E5992:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+13Cj
					; RtlFindNextClearRunUlong(x,x,x,x,x)+166j
		sub	ebx, [ebp+var_10]
		mov	ecx, [ebp+arg_4]
		cmp	ebx, ecx
		ja	short loc_4E59FD

loc_4E599C:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+16Fj
		cmp	ebx, 20h
		jnb	short loc_4E59AB
		xor	ebx, ebx
		test	dl, dl
		jz	loc_4E58F4

loc_4E59AB:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+6Dj
					; RtlFindNextClearRunUlong(x,x,x,x,x)+10Fj
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_C]
		pop	edi
		pop	esi
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		cmp	ebx, eax
		ja	short loc_4E5A01

loc_4E59BC:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+173j
		mov	eax, ebx

loc_4E59BE:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+161j
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4E59C5:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+C2j
					; RtlFindNextClearRunUlong(x,x,x,x,x)+E3j
		mov	ecx, [ebp+var_18]
		mov	dl, 1
		test	ecx, ecx
		jz	short loc_4E5992
		test	ebx, ebx
		jz	short loc_4E59D8
		mov	edi, [esi+4]
		add	esi, 4

loc_4E59D8:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+140j
		mov	eax, ds:dword_40BA68[ecx*4]
		not	eax
		or	edi, eax
		push	0
		push	edi
		call	_RtlFindLeastSignificantBit@8 ;	RtlFindLeastSignificantBit(x,x)
		mov	dl, 1
		jmp	short loc_4E598A
; 

loc_4E59EF:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+Dj
					; RtlFindNextClearRunUlong(x,x,x,x,x)+18j ...
		xor	eax, eax
		jmp	short loc_4E59BE
; 

loc_4E59F3:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+DBj
		cmp	ecx, [ebp+arg_4]
		jnb	short loc_4E5992
		jmp	loc_4E5971
; 

loc_4E59FD:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+10Aj
		mov	ebx, ecx
		jmp	short loc_4E599C
; 

loc_4E5A01:				; CODE XREF: RtlFindNextClearRunUlong(x,x,x,x,x)+12Aj
		mov	ebx, eax
		jmp	short loc_4E59BC
_RtlFindNextClearRunUlong@20 endp

; 
		align 10h
; Exported entry 2088. RtlFindMostSignificantBit

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlFindMostSignificantBit
RtlFindMostSignificantBit proc near	; CODE XREF: RtlLengthCurrentClearRunBackward(x,x,x)+39p
					; RtlFindNextClearRunUlong(x,x,x,x,x)+90p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CD75C SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		or	eax, esi
		jnz	short loc_4E5A7F
		mov	eax, edx
		and	eax, 0FFFF0000h
		or	eax, 0
		mov	eax, edx
		jz	short loc_4E5A5B
		and	eax, 0FF000000h
		or	eax, 0
		jz	short loc_4E5A6F
		mov	bl, 18h

loc_4E5A3D:				; CODE XREF: RtlFindMostSignificantBit+5Dj
					; RtlFindMostSignificantBit+61j ...
		mov	eax, edx
		movzx	ecx, bl
		mov	edx, esi
		call	__aullshr
		movzx	eax, al
		pop	esi
		sub	bl, ds:_RtlpBitsClearHigh[eax]
		lea	eax, [ebx+7]
		pop	ebx
		pop	ebp
		retn	8
; 

loc_4E5A5B:				; CODE XREF: RtlFindMostSignificantBit+1Fj
		and	eax, 0FF00h
		or	eax, 0
		jnz	short loc_4E5A73
		mov	eax, edx
		or	eax, esi
		jz	short loc_4E5A77
		xor	bl, bl
		jmp	short loc_4E5A3D
; 

loc_4E5A6F:				; CODE XREF: RtlFindMostSignificantBit+29j
		mov	bl, 10h
		jmp	short loc_4E5A3D
; 

loc_4E5A73:				; CODE XREF: RtlFindMostSignificantBit+53j
		mov	bl, 8
		jmp	short loc_4E5A3D
; 

loc_4E5A77:				; CODE XREF: RtlFindMostSignificantBit+59j
		pop	esi
		or	al, 0FFh
		pop	ebx
		pop	ebp
		retn	8
; 

loc_4E5A7F:				; CODE XREF: RtlFindMostSignificantBit+11j
		mov	ecx, esi
		xor	eax, eax
		and	ecx, 0FFFF0000h
		or	eax, ecx
		mov	ecx, esi
		jnz	loc_5CD75C
		and	ecx, 0FF00h
		xor	eax, eax
		or	eax, ecx
		jnz	short loc_4E5AA3
		mov	bl, 20h
		jmp	short loc_4E5A3D
; 

loc_4E5AA3:				; CODE XREF: RtlFindMostSignificantBit+8Dj
		mov	bl, 28h
		jmp	short loc_4E5A3D
RtlFindMostSignificantBit endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFindFreePageFileSpace	proc near	; CODE XREF: MiReservePageFileSpace+233p
					; MiGetKernelStackSwapSupport+ABp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CD776 SIZE 000000D8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		or	[ebp+var_C], 0FFFFFFFFh
		and	[ebp+var_1C], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_20], edx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, ds:_MmBadPointer
		test	bl, 10h
		jz	loc_4E5BA2

loc_4E5AD2:				; CODE XREF: MiFindFreePageFileSpace+15Cj
		mov	edi, [esi+0F54h]
		mov	ecx, edi
		call	MiPageFileLargestBitmapsRun
		mov	ebx, eax
		mov	eax, [esi+0F4Ch]
		cmp	eax, 1
		jbe	short loc_4E5B28
		add	esi, 0F58h
		dec	eax
		mov	[ebp+var_24], esi
		mov	[ebp+var_18], eax

loc_4E5AF9:				; CODE XREF: MiFindFreePageFileSpace+7Ej
		movzx	eax, word ptr [edi+74h]
		mov	esi, [esi]
		test	al, 10h
		jnz	loc_5CD781

loc_4E5B07:				; CODE XREF: MiFindFreePageFileSpace+E7CDDj
		test	al, 20h
		jnz	loc_5CD796

loc_4E5B0F:				; CODE XREF: MiFindFreePageFileSpace+E7CF4j
		test	byte ptr [esi+74h], 30h
		jz	loc_5CD7A1

loc_4E5B19:				; CODE XREF: MiFindFreePageFileSpace+E7D02j
					; MiFindFreePageFileSpace+E7D0Cj
		mov	esi, [ebp+var_24]
		add	esi, 4
		sub	[ebp+var_18], 1
		mov	[ebp+var_24], esi
		jnz	short loc_4E5AF9

loc_4E5B28:				; CODE XREF: MiFindFreePageFileSpace+42j
		mov	ebx, [ebp+arg_4]

loc_4E5B2B:				; CODE XREF: MiFindFreePageFileSpace+156j
		mov	ecx, ebx
		lea	esi, [edi+88h]
		xor	eax, eax
		mov	[ebp+var_24], esi
		and	ecx, 4
		mov	[ebp+var_14], ecx

loc_4E5B3E:				; CODE XREF: MiFindFreePageFileSpace+E7DA1j
		and	[ebp+var_8], 0
		and	[ebp+var_10], 0
		test	ecx, ecx
		jnz	loc_4E5DBE
		test	bl, 1
		jz	loc_4E5D7B

loc_4E5B57:				; CODE XREF: MiFindFreePageFileSpace+2D5j
		push	esi
		call	ExAcquireSpinLockExclusive

loc_4E5B5D:				; CODE XREF: MiFindFreePageFileSpace+2E8j
		mov	[ebp+var_1], al

loc_4E5B60:				; CODE XREF: MiFindFreePageFileSpace+31Aj
		test	byte ptr [edi+77h], 1
		jnz	loc_4E5DDE
		mov	ecx, [ebp+var_C]
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_4E5C09

loc_4E5B76:				; CODE XREF: MiFindFreePageFileSpace+2C8j
					; MiFindFreePageFileSpace+E7D1Aj
		mov	eax, ebx
		and	eax, 8
		mov	[ebp+var_18], eax

loc_4E5B7E:				; CODE XREF: MiFindFreePageFileSpace+39Fj
		test	eax, eax
		jnz	loc_4E5E00
		lea	ecx, [edi+54h]
		test	byte ptr [ecx+4], 1
		mov	eax, [ecx]
		jz	loc_4E5CD6
		test	eax, eax
		jnz	loc_4E5CD4
		jmp	loc_4E5CD6
; 

loc_4E5BA2:				; CODE XREF: MiFindFreePageFileSpace+24j
		mov	ecx, [edx]
		mov	eax, [edx+4]
		shrd	ecx, eax, 0Ch
		mov	eax, ebx
		and	ecx, 0Fh
		and	al, 65h
		mov	edi, [esi+ecx*4+0F54h]
		cmp	al, 1
		jnz	short loc_4E5BD0
		mov	ecx, edi
		call	MiPageFileLargestBitmapsRun
		cmp	eax, [ebp+arg_0]
		jb	loc_5CD776
		mov	edx, [ebp+var_20]

loc_4E5BD0:				; CODE XREF: MiFindFreePageFileSpace+113j
		mov	eax, [edx+4]
		mov	ecx, dword_6D0700
		mov	ebx, [edx]
		mov	edx, dword_6D0704
		mov	[ebp+var_C], eax
		mov	eax, ecx
		or	eax, edx
		jz	short loc_4E5BF8
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jz	loc_4E5D63

loc_4E5BF8:				; CODE XREF: MiFindFreePageFileSpace+140j
					; MiFindFreePageFileSpace+2C0j
		mov	ebx, [ebp+arg_4]

loc_4E5BFB:				; CODE XREF: MiFindFreePageFileSpace+E7CD4j
		test	bl, 10h
		jz	loc_4E5B2B
		jmp	loc_4E5AD2
; 

loc_4E5C09:				; CODE XREF: MiFindFreePageFileSpace+C8j
		mov	eax, [edi+38h]
		cmp	ecx, [eax+0Ch]
		jnb	loc_5CD7B9
		push	ebx
		push	[ebp+arg_0]
		mov	edx, ecx
		mov	ecx, edi
		call	_MiCheckHintedPageFileSpace@16 ; MiCheckHintedPageFileSpace(x,x,x,x)
		mov	esi, eax
		cmp	esi, [ebp+arg_0]
		jnz	loc_4E5D6D

loc_4E5C2D:				; CODE XREF: MiFindFreePageFileSpace+2CEj
		mov	eax, [ebp+var_C]
		jmp	short loc_4E5C47
; 

loc_4E5C32:				; CODE XREF: MiFindFreePageFileSpace+23Cj
		mov	eax, edx

loc_4E5C34:				; CODE XREF: MiFindFreePageFileSpace+292j
					; MiFindFreePageFileSpace+2A9j
		cmp	dword ptr [eax+1Ch], 0FFFFFFFFh
		jz	loc_4E5E1E

loc_4E5C3E:				; CODE XREF: MiFindFreePageFileSpace+E7D81j
		mov	eax, [eax+18h]
		mov	esi, [ebp+arg_0]

loc_4E5C44:				; CODE XREF: MiFindFreePageFileSpace+371j
		mov	[ebp+var_C], eax

loc_4E5C47:				; CODE XREF: MiFindFreePageFileSpace+188j
		test	esi, esi
		jz	loc_4E5DDB
		test	bl, 1
		jz	short loc_4E5C6C
		push	esi
		push	eax
		mov	eax, [edi+38h]
		add	eax, 0Ch
		mov	[ebp+var_1C], 2
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		sub	[edi+18h], esi

loc_4E5C6C:				; CODE XREF: MiFindFreePageFileSpace+1AAj
		test	bl, 2
		mov	ebx, [ebp+var_1C]
		jnz	loc_4E5DC7

loc_4E5C78:				; CODE XREF: MiFindFreePageFileSpace+32Ej
		test	ebx, ebx
		jz	short loc_4E5C8B
		mov	edx, [ebp+var_C]
		push	ecx
		push	[ebp+var_8]
		mov	ecx, edi
		push	esi
		call	MiInvalidatePageFileBitmapsCache

loc_4E5C8B:				; CODE XREF: MiFindFreePageFileSpace+1D2j
		cmp	[ebp+var_14], 0
		jnz	short loc_4E5CB0
		cmp	[ebp+var_10], 0
		lea	eax, [edi+88h]
		push	eax
		jnz	loc_4E5D95
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_4E5CA7:				; CODE XREF: MiFindFreePageFileSpace+2F2j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4E5CB0:				; CODE XREF: MiFindFreePageFileSpace+1E7j
		mov	eax, [ebp+var_20]
		mov	ecx, edi
		mov	edx, [ebp+var_C]
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		push	ebx
		call	_MiTransferSoftwarePte@20 ; MiTransferSoftwarePte(x,x,x,x,x)
		mov	ecx, [ebp+var_20]
		mov	[ecx], eax
		mov	eax, esi
		mov	[ecx+4], edx

loc_4E5CCD:				; CODE XREF: MiFindFreePageFileSpace+353j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4E5CD4:				; CODE XREF: MiFindFreePageFileSpace+EFj
		xor	eax, ecx

loc_4E5CD6:				; CODE XREF: MiFindFreePageFileSpace+E7j
					; MiFindFreePageFileSpace+F5j
		movzx	esi, byte ptr [ecx+4]
		xor	edx, edx
		and	esi, 1
		mov	[ebp+var_8], edx
		test	eax, eax
		jz	loc_4E5C32

loc_4E5CEA:				; CODE XREF: MiFindFreePageFileSpace+2A4j
		mov	ecx, [eax+1Ch]
		cmp	[ebp+arg_0], ecx
		jb	short loc_4E5D3F
		ja	short loc_4E5D5E
		cmp	[eax+18h], edx
		ja	short loc_4E5D3F
		mov	ecx, [eax]
		mov	[ebp+var_8], eax
		test	esi, esi
		jnz	loc_4E5DAF

loc_4E5D06:				; CODE XREF: MiFindFreePageFileSpace+309j
					; MiFindFreePageFileSpace+311j
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_4E5D4E
		mov	ebx, [ebp+arg_0]

loc_4E5D0F:				; CODE XREF: MiFindFreePageFileSpace+284j
		cmp	ebx, [ecx+1Ch]
		jb	short loc_4E5D22
		ja	loc_4E5DA7
		cmp	dword ptr [ecx+18h], 0
		ja	short loc_4E5D22
		mov	edx, ecx

loc_4E5D22:				; CODE XREF: MiFindFreePageFileSpace+26Aj
					; MiFindFreePageFileSpace+276j
		mov	eax, [ecx]

loc_4E5D24:				; CODE XREF: MiFindFreePageFileSpace+302j
		test	esi, esi
		jnz	short loc_4E5D9F

loc_4E5D28:				; CODE XREF: MiFindFreePageFileSpace+2F9j
		mov	ecx, eax

loc_4E5D2A:				; CODE XREF: MiFindFreePageFileSpace+2FDj
		test	ecx, ecx
		jnz	short loc_4E5D0F
		mov	ebx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_4E5D4E
		mov	eax, edx
		mov	[ebp+var_8], eax
		jmp	loc_4E5C34
; 

loc_4E5D3F:				; CODE XREF: MiFindFreePageFileSpace+248j
					; MiFindFreePageFileSpace+24Fj
		mov	ecx, [eax]
		mov	[ebp+var_8], eax

loc_4E5D44:				; CODE XREF: MiFindFreePageFileSpace+2B9j
		test	esi, esi
		jnz	short loc_4E5D56

loc_4E5D48:				; CODE XREF: MiFindFreePageFileSpace+2B0j
		mov	eax, ecx

loc_4E5D4A:				; CODE XREF: MiFindFreePageFileSpace+2B4j
		test	eax, eax
		jnz	short loc_4E5CEA

loc_4E5D4E:				; CODE XREF: MiFindFreePageFileSpace+262j
					; MiFindFreePageFileSpace+28Bj
		mov	eax, [ebp+var_8]
		jmp	loc_4E5C34
; 

loc_4E5D56:				; CODE XREF: MiFindFreePageFileSpace+29Ej
		test	ecx, ecx
		jz	short loc_4E5D48
		xor	eax, ecx
		jmp	short loc_4E5D4A
; 

loc_4E5D5E:				; CODE XREF: MiFindFreePageFileSpace+24Aj
		mov	ecx, [eax+4]
		jmp	short loc_4E5D44
; 

loc_4E5D63:				; CODE XREF: MiFindFreePageFileSpace+14Aj
		not	edx
		and	[ebp+var_C], edx
		jmp	loc_4E5BF8
; 

loc_4E5D6D:				; CODE XREF: MiFindFreePageFileSpace+17Fj
		test	bl, 40h
		jz	loc_4E5B76
		jmp	loc_4E5C2D
; 

loc_4E5D7B:				; CODE XREF: MiFindFreePageFileSpace+A9j
		test	eax, eax
		jnz	loc_4E5B57
		push	esi
		mov	[ebp+var_10], 1
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		jmp	loc_4E5B5D
; 

loc_4E5D95:				; CODE XREF: MiFindFreePageFileSpace+1F4j
		call	ExReleaseSpinLockSharedFromDpcLevel
		jmp	loc_4E5CA7
; 

loc_4E5D9F:				; CODE XREF: MiFindFreePageFileSpace+27Ej
		test	eax, eax
		jz	short loc_4E5D28
		xor	ecx, eax
		jmp	short loc_4E5D2A
; 

loc_4E5DA7:				; CODE XREF: MiFindFreePageFileSpace+26Cj
		mov	eax, [ecx+4]
		jmp	loc_4E5D24
; 

loc_4E5DAF:				; CODE XREF: MiFindFreePageFileSpace+258j
		test	ecx, ecx
		jz	loc_4E5D06
		xor	ecx, eax
		jmp	loc_4E5D06
; 

loc_4E5DBE:				; CODE XREF: MiFindFreePageFileSpace+A0j
		mov	[ebp+var_1], 0
		jmp	loc_4E5B60
; 

loc_4E5DC7:				; CODE XREF: MiFindFreePageFileSpace+1CAj
		mov	edx, [ebp+var_C]
		or	ebx, 1
		push	ecx
		push	esi
		mov	ecx, edi
		call	_MiSetPageFileAllocationBits@16	; MiSetPageFileAllocationBits(x,x,x,x)
		jmp	loc_4E5C78
; 

loc_4E5DDB:				; CODE XREF: MiFindFreePageFileSpace+1A1j
					; MiFindFreePageFileSpace+E7D21j ...
		mov	esi, [ebp+var_24]

loc_4E5DDE:				; CODE XREF: MiFindFreePageFileSpace+BCj
					; MiFindFreePageFileSpace+E7D14j
		cmp	[ebp+var_14], 0
		jnz	short loc_4E5DF9
		cmp	[ebp+var_10], 0
		push	esi
		jnz	short loc_4E5E4C
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_4E5DF0:				; CODE XREF: MiFindFreePageFileSpace+3A9j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4E5DF9:				; CODE XREF: MiFindFreePageFileSpace+33Aj
		xor	eax, eax
		jmp	loc_4E5CCD
; 

loc_4E5E00:				; CODE XREF: MiFindFreePageFileSpace+D8j
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		push	ebx
		push	[ebp+arg_0]
		mov	[ebp+var_18], edx
		lea	edx, [ebp+var_18]
		call	MiFindFreePageFileSpaceForward
		mov	esi, eax
		mov	eax, [ebp+var_18]
		jmp	loc_4E5C44
; 

loc_4E5E1E:				; CODE XREF: MiFindFreePageFileSpace+190j
		mov	esi, [edi+50h]
		cmp	esi, [ebp+arg_0]
		jb	loc_5CD7C7
		cmp	esi, 20h
		jb	loc_5CD7C7

loc_4E5E33:				; CODE XREF: MiFindFreePageFileSpace+E7D63j
					; MiFindFreePageFileSpace+E7D75j
		cmp	[ebp+var_10], 0
		jnz	loc_5CD82E
		mov	ecx, edi
		call	_MiRescanPagefileBitmaps@4 ; MiRescanPagefileBitmaps(x)
		mov	eax, [ebp+var_18]
		jmp	loc_4E5B7E
; 

loc_4E5E4C:				; CODE XREF: MiFindFreePageFileSpace+341j
		call	ExReleaseSpinLockSharedFromDpcLevel
		jmp	short loc_4E5DF0
MiFindFreePageFileSpace	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPageFileLargestBitmapsRun proc near	; CODE XREF: MiGatherPagefilePages+114p
					; MiFindFreePageFileSpace+32p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005CD84E SIZE 00000009 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebx+88h]
		push	eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	[ebp+var_1], al
		lea	eax, [ebx+54h]
		test	byte ptr [eax+4], 1
		mov	ecx, [eax]
		jz	short loc_4E5E85
		test	ecx, ecx
		jnz	short loc_4E5E83
		mov	ecx, esi
		jmp	short loc_4E5E85
; 

loc_4E5E83:				; CODE XREF: MiPageFileLargestBitmapsRun+29j
		xor	ecx, eax

loc_4E5E85:				; CODE XREF: MiPageFileLargestBitmapsRun+25j
					; MiPageFileLargestBitmapsRun+2Dj
		movzx	edx, byte ptr [eax+4]
		mov	edi, esi
		and	edx, 1
		jmp	short loc_4E5E92
; 

loc_4E5E90:				; CODE XREF: MiPageFileLargestBitmapsRun+4Dj
					; MiPageFileLargestBitmapsRun+51j
		mov	ecx, eax

loc_4E5E92:				; CODE XREF: MiPageFileLargestBitmapsRun+3Aj
					; MiPageFileLargestBitmapsRun+55j
		test	ecx, ecx
		jz	short loc_4E5F07
		cmp	dword ptr [ecx+1Ch], 0FFFFFFFFh
		jnb	short loc_4E5EAB
		mov	eax, [ecx+4]

loc_4E5E9F:				; CODE XREF: MiPageFileLargestBitmapsRun+E79FEj
		test	edx, edx
		jz	short loc_4E5E90
		test	eax, eax
		jz	short loc_4E5E90
		xor	ecx, eax
		jmp	short loc_4E5E92
; 

loc_4E5EAB:				; CODE XREF: MiPageFileLargestBitmapsRun+46j
		cmp	[ecx+18h], esi
		ja	loc_5CD84E

loc_4E5EB4:				; CODE XREF: MiPageFileLargestBitmapsRun+B5j
		mov	edx, [ecx]
		test	edx, edx
		jnz	short loc_4E5ECE
		mov	edx, [ecx+8]

loc_4E5EBD:				; CODE XREF: MiPageFileLargestBitmapsRun+78j
		and	edx, 0FFFFFFFCh
		jz	short loc_4E5EDD
		cmp	[edx+4], ecx
		jz	short loc_4E5EDD
		mov	ecx, edx
		mov	edx, [edx+8]
		jmp	short loc_4E5EBD
; 

loc_4E5ECE:				; CODE XREF: MiPageFileLargestBitmapsRun+64j
		cmp	[edx+4], esi
		jz	short loc_4E5EDD

loc_4E5ED3:				; CODE XREF: MiPageFileLargestBitmapsRun+87j
		mov	eax, [edx+4]
		mov	edx, eax
		cmp	[eax+4], esi
		jnz	short loc_4E5ED3

loc_4E5EDD:				; CODE XREF: MiPageFileLargestBitmapsRun+6Cj
					; MiPageFileLargestBitmapsRun+71j ...
		test	edx, edx
		jz	short loc_4E5EE4
		mov	esi, [edx+1Ch]

loc_4E5EE4:				; CODE XREF: MiPageFileLargestBitmapsRun+8Bj
		mov	eax, [ebx+50h]
		cmp	esi, eax
		jbe	short loc_4E5F0B

loc_4E5EEB:				; CODE XREF: MiPageFileLargestBitmapsRun+B9j
		lea	ecx, [ebx+88h]
		push	ecx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4E5F07:				; CODE XREF: MiPageFileLargestBitmapsRun+40j
		mov	ecx, edi
		jmp	short loc_4E5EB4
; 

loc_4E5F0B:				; CODE XREF: MiPageFileLargestBitmapsRun+95j
		mov	esi, eax
		jmp	short loc_4E5EEB
MiPageFileLargestBitmapsRun endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInvalidatePageFileBitmapsCache proc near ; CODE XREF:	MiGatherPagefilePages+55Ap
					; MiFindFreePageFileSpace+1DEp	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CD857 SIZE 00000062 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edi
		test	esi, esi
		jz	short loc_4E5F5E
		mov	ebx, [ebp+arg_0]

loc_4E5F29:				; CODE XREF: MiInvalidatePageFileBitmapsCache+AAj
		mov	ecx, [esi+18h]
		cmp	ecx, edx
		jnz	loc_4E5FF7

loc_4E5F34:				; CODE XREF: MiInvalidatePageFileBitmapsCache+F7j
		mov	ebx, [esi+1Ch]
		mov	eax, [ebp+arg_0]
		sub	ebx, eax
		mov	[esi+1Ch], ebx
		cmp	ecx, edx
		jnz	short loc_4E5F48
		add	eax, ecx
		mov	[esi+18h], eax

loc_4E5F48:				; CODE XREF: MiInvalidatePageFileBitmapsCache+31j
		test	ebx, ebx
		jz	short loc_4E5FC3

loc_4E5F4C:				; CODE XREF: MiInvalidatePageFileBitmapsCache+E79A4j
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	MiBitmapsCachedEntryLengthChanged

loc_4E5F57:				; CODE XREF: MiInvalidatePageFileBitmapsCache+68j
					; MiInvalidatePageFileBitmapsCache+8Aj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4E5F5E:				; CODE XREF: MiInvalidatePageFileBitmapsCache+14j
		lea	eax, [edi+5Ch]
		test	byte ptr [eax+4], 1
		mov	esi, [eax]
		jz	short loc_4E5F6F
		test	esi, esi
		jz	short loc_4E5FBF
		xor	esi, eax

loc_4E5F6F:				; CODE XREF: MiInvalidatePageFileBitmapsCache+57j
					; MiInvalidatePageFileBitmapsCache+B1j
		movzx	ecx, byte ptr [eax+4]
		and	ecx, 1
		test	esi, esi
		jz	short loc_4E5F57
		mov	ebx, [ebp+arg_0]
		lea	eax, [edx+ebx]
		mov	[ebp+arg_4], eax

loc_4E5F83:				; CODE XREF: MiInvalidatePageFileBitmapsCache+88j
		mov	eax, [esi+0Ch]
		mov	[ebp+var_8], eax
		cmp	[ebp+arg_4], eax
		ja	short loc_4E5F9C
		mov	eax, [esi]

loc_4E5F90:				; CODE XREF: MiInvalidatePageFileBitmapsCache+99j
		test	ecx, ecx
		jnz	short loc_4E5FAB

loc_4E5F94:				; CODE XREF: MiInvalidatePageFileBitmapsCache+9Dj
		mov	esi, eax

loc_4E5F96:				; CODE XREF: MiInvalidatePageFileBitmapsCache+A1j
		test	esi, esi
		jnz	short loc_4E5F83
		jmp	short loc_4E5F57
; 

loc_4E5F9C:				; CODE XREF: MiInvalidatePageFileBitmapsCache+7Cj
		mov	eax, [esi+10h]
		add	eax, [ebp+var_8]
		cmp	edx, eax
		jb	short loc_4E5FB3
		mov	eax, [esi+4]
		jmp	short loc_4E5F90
; 

loc_4E5FAB:				; CODE XREF: MiInvalidatePageFileBitmapsCache+82j
		test	eax, eax
		jz	short loc_4E5F94
		xor	esi, eax
		jmp	short loc_4E5F96
; 

loc_4E5FB3:				; CODE XREF: MiInvalidatePageFileBitmapsCache+94j
		test	esi, esi
		jz	short loc_4E5F57
		add	esi, 0FFFFFFF4h
		jmp	loc_4E5F29
; 

loc_4E5FBF:				; CODE XREF: MiInvalidatePageFileBitmapsCache+5Bj
		xor	esi, esi
		jmp	short loc_4E5F6F
; 

loc_4E5FC3:				; CODE XREF: MiInvalidatePageFileBitmapsCache+3Aj
		push	esi
		lea	eax, [edi+54h]
		push	eax
		call	RtlRbRemoveNode
		lea	eax, [esi+0Ch]
		push	eax
		lea	eax, [edi+5Ch]
		push	eax
		call	RtlRbRemoveNode
		mov	eax, [edi+68h]
		add	edi, 64h
		cmp	[eax], edi
		jnz	loc_4E6132
		mov	[esi], edi
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[edi+4], esi
		jmp	loc_4E5F57
; 

loc_4E5FF7:				; CODE XREF: MiInvalidatePageFileBitmapsCache+1Ej
		mov	eax, [esi+1Ch]
		lea	edi, [edx+ebx]
		add	eax, ecx
		mov	[ebp+arg_4], edi
		cmp	edi, eax
		mov	edi, [ebp+var_4]
		jz	loc_4E5F34
		sub	eax, edx
		sub	edx, ecx
		lea	ecx, [edi+64h]
		sub	eax, ebx
		mov	ebx, [ecx]
		cmp	ebx, ecx
		jz	loc_5CD88D
		cmp	[ebx+4], ecx
		jnz	loc_4E6132
		mov	edi, [ebx]
		cmp	[edi+4], ebx
		jnz	loc_4E6132
		mov	[ecx], edi
		mov	[edi+4], ecx
		mov	ecx, [ebp+arg_4]
		mov	edi, [ebp+var_4]
		mov	[ebx+18h], ecx
		mov	ecx, edi
		mov	[ebx+1Ch], eax
		mov	[esi+1Ch], edx
		mov	edx, esi
		push	0
		call	MiBitmapsCachedEntryLengthChanged
		lea	edx, [edi+54h]
		test	byte ptr [edx+4], 1
		mov	ecx, [edx]
		jnz	loc_5CD857

loc_4E6062:				; CODE XREF: MiInvalidatePageFileBitmapsCache+E794Dj
					; MiInvalidatePageFileBitmapsCache+E7954j
		movzx	esi, byte ptr [edx+4]
		and	esi, 1
		mov	byte ptr [ebp+arg_0], 0
		test	ecx, ecx
		jz	short loc_4E60BF
		mov	eax, [ebx+1Ch]
		mov	[ebp+arg_4], eax

loc_4E6077:				; CODE XREF: MiInvalidatePageFileBitmapsCache+194j
		mov	eax, [ecx+1Ch]
		cmp	[ebp+arg_4], eax
		jb	short loc_4E60A6
		ja	short loc_4E6089
		mov	eax, [ebx+18h]
		cmp	eax, [ecx+18h]
		jb	short loc_4E60A6

loc_4E6089:				; CODE XREF: MiInvalidatePageFileBitmapsCache+16Fj
		mov	eax, [ecx+4]
		test	esi, esi
		jz	short loc_4E609A
		test	eax, eax
		jz	loc_5CD869
		xor	eax, ecx

loc_4E609A:				; CODE XREF: MiInvalidatePageFileBitmapsCache+17Ej
		test	eax, eax
		jz	loc_5CD869

loc_4E60A2:				; CODE XREF: MiInvalidatePageFileBitmapsCache+1A8j
		mov	ecx, eax
		jmp	short loc_4E6077
; 

loc_4E60A6:				; CODE XREF: MiInvalidatePageFileBitmapsCache+16Dj
					; MiInvalidatePageFileBitmapsCache+177j
		mov	eax, [ecx]
		test	esi, esi
		jz	short loc_4E60B6
		test	eax, eax
		jz	loc_5CD872
		xor	eax, ecx

loc_4E60B6:				; CODE XREF: MiInvalidatePageFileBitmapsCache+19Aj
		test	eax, eax
		jnz	short loc_4E60A2
		jmp	loc_5CD872
; 

loc_4E60BF:				; CODE XREF: MiInvalidatePageFileBitmapsCache+15Fj
					; MiInvalidatePageFileBitmapsCache+E795Dj ...
		push	ebx
		push	[ebp+arg_0]
		push	ecx
		push	edx
		call	RtlRbInsertNodeEx
		add	edi, 5Ch
		test	byte ptr [edi+4], 1
		mov	ecx, [edi]
		jnz	loc_5CD87B

loc_4E60D9:				; CODE XREF: MiInvalidatePageFileBitmapsCache+E7971j
					; MiInvalidatePageFileBitmapsCache+E7978j
		movzx	edx, byte ptr [edi+4]
		and	edx, 1
		mov	byte ptr [ebp+arg_0], 0
		test	ecx, ecx
		jz	short loc_4E6119
		mov	esi, [ebx+18h]

loc_4E60EB:				; CODE XREF: MiInvalidatePageFileBitmapsCache+1F3j
		cmp	esi, [ecx+0Ch]
		jb	short loc_4E6105
		mov	eax, [ecx+4]
		test	edx, edx
		jz	short loc_4E60FD
		test	eax, eax
		jz	short loc_4E612C
		xor	eax, ecx

loc_4E60FD:				; CODE XREF: MiInvalidatePageFileBitmapsCache+1E5j
		test	eax, eax
		jz	short loc_4E612C

loc_4E6101:				; CODE XREF: MiInvalidatePageFileBitmapsCache+203j
		mov	ecx, eax
		jmp	short loc_4E60EB
; 

loc_4E6105:				; CODE XREF: MiInvalidatePageFileBitmapsCache+1DEj
		mov	eax, [ecx]
		test	edx, edx
		jz	short loc_4E6111
		test	eax, eax
		jz	short loc_4E6115
		xor	eax, ecx

loc_4E6111:				; CODE XREF: MiInvalidatePageFileBitmapsCache+1F9j
		test	eax, eax
		jnz	short loc_4E6101

loc_4E6115:				; CODE XREF: MiInvalidatePageFileBitmapsCache+1FDj
		mov	byte ptr [ebp+arg_0], 0

loc_4E6119:				; CODE XREF: MiInvalidatePageFileBitmapsCache+1D6j
					; MiInvalidatePageFileBitmapsCache+220j
		lea	eax, [ebx+0Ch]
		push	eax
		push	[ebp+arg_0]
		push	ecx
		push	edi
		call	RtlRbInsertNodeEx
		jmp	loc_4E5F57
; 

loc_4E612C:				; CODE XREF: MiInvalidatePageFileBitmapsCache+1E9j
					; MiInvalidatePageFileBitmapsCache+1EFj
		mov	byte ptr [ebp+arg_0], 1
		jmp	short loc_4E6119
; 

loc_4E6132:				; CODE XREF: MiInvalidatePageFileBitmapsCache+D2j
					; MiInvalidatePageFileBitmapsCache+113j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
MiInvalidatePageFileBitmapsCache endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckHintedPageFileSpace(x, x, x,	x)
_MiCheckHintedPageFileSpace@16 proc near ; CODE	XREF: MiFindFreePageFileSpace+175p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], eax
		push	esi
		mov	edx, [eax+38h]
		mov	ecx, ebx
		mov	esi, [ebp+arg_4]
		and	ecx, 1Fh
		push	edi
		mov	edi, ebx
		mov	eax, [edx+10h]
		shr	edi, 5
		mov	eax, [eax+edi*4]
		sar	eax, cl
		test	al, 1
		jnz	short loc_4E61A6
		mov	eax, [edx+8]
		mov	eax, [eax+edi*4]
		sar	eax, cl
		test	al, 1
		jnz	short loc_4E61A6
		push	[ebp+arg_0]
		lea	ecx, [edx+0Ch]
		mov	edx, ebx
		call	RtlLengthCurrentClearRunForward
		and	esi, 40h
		cmp	eax, [ebp+arg_0]
		jnz	short loc_4E61A2

loc_4E6185:				; CODE XREF: MiCheckHintedPageFileSpace(x,x,x,x)+6Cj
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		push	eax
		mov	ecx, [ecx+38h]
		add	ecx, 4
		call	RtlLengthCurrentClearRunForward
		cmp	eax, [ebp+arg_0]
		jnz	short loc_4E61AA

loc_4E619B:				; CODE XREF: MiCheckHintedPageFileSpace(x,x,x,x)+70j
					; MiCheckHintedPageFileSpace(x,x,x,x)+76j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4E61A2:				; CODE XREF: MiCheckHintedPageFileSpace(x,x,x,x)+4Bj
		test	esi, esi
		jnz	short loc_4E6185

loc_4E61A6:				; CODE XREF: MiCheckHintedPageFileSpace(x,x,x,x)+2Aj
					; MiCheckHintedPageFileSpace(x,x,x,x)+36j ...
		xor	eax, eax
		jmp	short loc_4E619B
; 

loc_4E61AA:				; CODE XREF: MiCheckHintedPageFileSpace(x,x,x,x)+61j
		test	esi, esi
		jz	short loc_4E61A6
		jmp	short loc_4E619B
_MiCheckHintedPageFileSpace@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlLengthCurrentClearRunForward	proc near ; CODE XREF: .text:00481BE8p
					; .text:00481D2Dp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CD8B9 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	esi, [ecx+4]
		mov	ecx, [ecx]
		push	edi
		mov	edi, edx
		mov	eax, edi
		shr	eax, 5
		lea	edx, [esi+eax*4]
		lea	eax, [ecx-1]
		shr	eax, 5
		and	ecx, 1Fh
		mov	[ebp+var_8], ecx
		lea	ebx, [esi+eax*4]
		mov	[ebp+var_4], ebx
		jnz	short loc_4E6252

loc_4E61DE:				; CODE XREF: RtlLengthCurrentClearRunForward+A8j
		mov	ecx, [edx]
		and	edi, 1Fh
		xor	esi, esi
		mov	eax, ds:dword_40BA68[edi*4]
		not	eax
		and	ecx, eax
		cmp	edx, ebx
		mov	ebx, [ebp+arg_0]
		ja	short loc_4E625A
		test	ecx, ecx
		jz	short loc_4E6219

loc_4E61FB:				; CODE XREF: RtlLengthCurrentClearRunForward+8Ej
		push	0
		push	ecx

loc_4E61FE:				; CODE XREF: RtlLengthCurrentClearRunForward+E771Ej
		call	_RtlFindLeastSignificantBit@8 ;	RtlFindLeastSignificantBit(x,x)
		movsx	eax, al
		add	esi, eax

loc_4E6208:				; CODE XREF: RtlLengthCurrentClearRunForward+93j
					; RtlLengthCurrentClearRunForward+AFj
		sub	esi, edi
		cmp	esi, ebx
		ja	short loc_4E6247
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4E6219:				; CODE XREF: RtlLengthCurrentClearRunForward+49j
		mov	eax, edi
		xor	ecx, ecx
		neg	eax
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_4]

loc_4E6225:				; CODE XREF: RtlLengthCurrentClearRunForward+8Cj
		add	[ebp+arg_0], 20h
		add	esi, 20h
		cmp	esi, ebx
		jnb	short loc_4E6240

loc_4E6230:				; CODE XREF: RtlLengthCurrentClearRunForward+95j
		cmp	edx, eax
		jz	short loc_4E625A
		mov	ecx, [edx+4]
		add	edx, 4
		test	ecx, ecx
		jz	short loc_4E6225
		jmp	short loc_4E61FB
; 

loc_4E6240:				; CODE XREF: RtlLengthCurrentClearRunForward+7Ej
		cmp	[ebp+arg_0], ebx
		jnb	short loc_4E6208
		jmp	short loc_4E6230
; 

loc_4E6247:				; CODE XREF: RtlLengthCurrentClearRunForward+5Cj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4E6252:				; CODE XREF: RtlLengthCurrentClearRunForward+2Cj
		sub	ebx, 4
		mov	[ebp+var_4], ebx
		jmp	short loc_4E61DE
; 

loc_4E625A:				; CODE XREF: RtlLengthCurrentClearRunForward+45j
					; RtlLengthCurrentClearRunForward+82j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_4E6208
		jmp	loc_5CD8B9
RtlLengthCurrentClearRunForward	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetPageFileAllocationBits(x, x, x, x)
_MiSetPageFileAllocationBits@16	proc near ; CODE XREF: MiGatherPagefilePages+210p
					; MiFindFreePageFileSpace+329p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		push	esi
		push	edx
		mov	eax, [edi+38h]
		add	eax, 4
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		sub	[edi+0Ch], esi
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_MiSetPageFileAllocationBits@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakePageFilePte(x, x)
_MiMakePageFilePte@8 proc near		; CODE XREF: MiReserveWorkingSetSwapSpaceRuns(x,x,x,x,x,x)+3Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		push	0
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		pop	ebp
		retn	8
_MiMakePageFilePte@8 endp

; 
		align 10h

AuthzBasepFreeSecurityAttributesList:	; CODE XREF: SepVerifyDesktopAppxPackageName+180p
					; SeAccessCheckWithHintWithAdminlessChecks+BC3p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx

loc_4E62AB:				; CODE XREF: .text:004E633Aj
		mov	esi, [ebx+4]
		lea	eax, [ebx+4]
		cmp	esi, eax
		jz	loc_4E633F
		test	byte ptr [esi+20h], 1
		jz	short loc_4E62E0
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_4E634B
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_4E634B
		mov	[ecx], eax
		mov	[eax+4], ecx
		and	dword ptr [esi+20h], 0FFFFFFFEh
		test	ebx, ebx
		jz	short loc_4E62E0
		dec	dword ptr [ebx]

loc_4E62E0:				; CODE XREF: .text:004E62BDj
					; .text:004E62DCj
		lea	edi, [esi+2Ch]

loc_4E62E3:				; CODE XREF: .text:004E6322j
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_4E6324
		mov	ecx, [eax+10h]
		test	cl, 2
		jnz	loc_5CD8D3

loc_4E62F5:				; CODE XREF: .text:005CD902j
		test	cl, 1
		jz	short loc_4E631A
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_4E634B
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_4E634B
		mov	[edx], ecx
		mov	[ecx+4], edx
		and	dword ptr [eax+10h], 0FFFFFFFEh
		dec	dword ptr [esi+24h]
		test	byte ptr [eax+10h], 4
		jnz	short loc_4E6346

loc_4E631A:				; CODE XREF: .text:004E62F8j
					; .text:004E6349j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4E62E3
; 

loc_4E6324:				; CODE XREF: .text:004E62E7j
		mov	eax, [esi+38h]
		lea	edi, [esi+38h]
		cmp	eax, edi
		jnz	loc_5CD907

loc_4E6332:				; CODE XREF: .text:005CD92Ej
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4E62AB
; 

loc_4E633F:				; CODE XREF: .text:004E62B3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E6346:				; CODE XREF: .text:004E6318j
		dec	dword ptr [esi+28h]
		jmp	short loc_4E631A
; 

loc_4E634B:				; CODE XREF: .text:004E62C4j
					; .text:004E62CFj ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		align 8
; Exported entry 2277. RtlOwnerAcesPresent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlOwnerAcesPresent(x)
		public _RtlOwnerAcesPresent@4
_RtlOwnerAcesPresent@4 proc near	; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+960p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	cl, cl
		call	RtlpOwnerAcesPresent
		pop	ebp
		retn	4
_RtlOwnerAcesPresent@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpOwnerAcesPresent proc near		; CODE XREF: RtlOwnerAcesPresent(x)+Ap
					; SeComputeCreatorDeniedRights(x,x,x,x)+75p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005CD933 SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ds:_SeExports
		mov	[ebp+var_1], cl
		push	ebx
		push	esi
		mov	esi, [eax+188h]
		mov	[ebp+var_8], esi
		push	edi
		test	edx, edx
		jz	short loc_4E63F4
		movzx	eax, word ptr [edx+4]
		lea	edi, [edx+8]
		xor	ebx, ebx
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_4E63F4

loc_4E63A0:				; CODE XREF: RtlpOwnerAcesPresent+82j
		mov	al, [edi+1]
		mov	[ebp+var_2], al
		test	al, 8
		jnz	short loc_4E63E8
		mov	al, [edi]
		cmp	al, 5
		jnb	loc_4E646E

loc_4E63B4:				; CODE XREF: RtlpOwnerAcesPresent+100j
		cmp	al, 0Bh
		jnb	loc_5CD933

loc_4E63BC:				; CODE XREF: RtlpOwnerAcesPresent+E75C7j
		cmp	al, 0Fh
		jnb	loc_5CD93C

loc_4E63C4:				; CODE XREF: RtlpOwnerAcesPresent+E75CEj
		cmp	al, 4
		jz	loc_5CD95F
		cmp	al, 8
		ja	loc_4E647B

loc_4E63D4:				; CODE XREF: RtlpOwnerAcesPresent+10Dj
					; RtlpOwnerAcesPresent+E7603j
		mov	ecx, 8

loc_4E63D9:				; CODE XREF: RtlpOwnerAcesPresent+E75EAj
					; RtlpOwnerAcesPresent+E75F4j
		lea	eax, [edi+ecx]
		test	eax, eax
		jz	short loc_4E63E8
		movzx	ecx, word ptr [eax]
		cmp	cx, [esi]
		jz	short loc_4E63FD

loc_4E63E8:				; CODE XREF: RtlpOwnerAcesPresent+38j
					; RtlpOwnerAcesPresent+6Ej ...
		movzx	eax, word ptr [edi+2]
		inc	ebx
		add	edi, eax
		cmp	ebx, [ebp+var_C]
		jb	short loc_4E63A0

loc_4E63F4:				; CODE XREF: RtlpOwnerAcesPresent+1Ej
					; RtlpOwnerAcesPresent+2Ej
		pop	edi
		pop	esi
		xor	al, al
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E63FD:				; CODE XREF: RtlpOwnerAcesPresent+76j
		mov	edx, [ebp+var_8]
		shr	ecx, 8
		lea	esi, ds:8[ecx*4]
		sub	esi, 4
		jb	short loc_4E6421
		nop

loc_4E6410:				; CODE XREF: RtlpOwnerAcesPresent+AFj
		mov	ecx, [eax]
		cmp	ecx, [edx]
		jnz	short loc_4E6426
		add	eax, 4
		add	edx, 4
		sub	esi, 4
		jnb	short loc_4E6410

loc_4E6421:				; CODE XREF: RtlpOwnerAcesPresent+9Dj
		cmp	esi, 0FFFFFFFCh
		jz	short loc_4E6453

loc_4E6426:				; CODE XREF: RtlpOwnerAcesPresent+A4j
		mov	cl, [eax]
		cmp	cl, [edx]
		jnz	short loc_4E648F
		cmp	esi, 0FFFFFFFDh
		jz	short loc_4E6453
		mov	cl, [eax+1]
		cmp	cl, [edx+1]
		jnz	short loc_4E648F
		cmp	esi, 0FFFFFFFEh
		jz	short loc_4E6453
		mov	cl, [eax+2]
		cmp	cl, [edx+2]
		jnz	short loc_4E648F
		cmp	esi, 0FFFFFFFFh
		jz	short loc_4E6453
		mov	al, [eax+3]
		cmp	al, [edx+3]
		jnz	short loc_4E648F

loc_4E6453:				; CODE XREF: RtlpOwnerAcesPresent+B4j
					; RtlpOwnerAcesPresent+BFj ...
		xor	eax, eax

loc_4E6455:				; CODE XREF: RtlpOwnerAcesPresent+124j
		test	eax, eax
		jz	short loc_4E645E

loc_4E6459:				; CODE XREF: RtlpOwnerAcesPresent+11Bj
		mov	esi, [ebp+var_8]
		jmp	short loc_4E63E8
; 

loc_4E645E:				; CODE XREF: RtlpOwnerAcesPresent+E7j
		mov	cl, [ebp+var_1]
		test	cl, cl
		jnz	short loc_4E6488

loc_4E6465:				; CODE XREF: RtlpOwnerAcesPresent+11Dj
		pop	edi
		pop	esi
		mov	al, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E646E:				; CODE XREF: RtlpOwnerAcesPresent+3Ej
		cmp	al, 8
		ja	loc_4E63B4
		jmp	loc_5CD944
; 

loc_4E647B:				; CODE XREF: RtlpOwnerAcesPresent+5Ej
		cmp	al, 0Ah
		jbe	loc_4E63D4
		jmp	loc_5CD969
; 

loc_4E6488:				; CODE XREF: RtlpOwnerAcesPresent+F3j
		test	[ebp+var_2], cl
		jz	short loc_4E6459
		jmp	short loc_4E6465
; 

loc_4E648F:				; CODE XREF: RtlpOwnerAcesPresent+BAj
					; RtlpOwnerAcesPresent+C7j ...
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_4E6455
RtlpOwnerAcesPresent endp

; 

PspRemoveProperty:			; CODE XREF: PsSetThreadProperty(x,x,x)+32p
					; PsSetJobProperty(x,x,x)+5Cp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [edi+8]
		mov	[ebp-1], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, esi
		mov	ecx, edi
		call	_PspFindPropertySetEntry@8 ; PspFindPropertySetEntry(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_4E64DF
		mov	eax, [ebp+8]
		test	eax, eax
		jnz	short loc_4E651F

loc_4E64CC:				; CODE XREF: .text:004E6524j
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_4E6526
		cmp	[eax], esi
		jnz	short loc_4E6526
		mov	[eax], ecx
		mov	[ecx+4], eax

loc_4E64DF:				; CODE XREF: .text:004E64C3j
		test	ds:byte_70EFC6,	1
		jnz	loc_5CD978
		xor	eax, eax
		lock and [ebx],	eax

loc_4E64F1:				; CODE XREF: .text:005CD982j
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_4E6516
		mov	ecx, [esi+0Ch]
		mov	edx, 72507350h
		call	ObfDereferenceObjectWithTag
		push	50737050h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4E6516:				; CODE XREF: .text:004E64FCj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	4
; 

loc_4E651F:				; CODE XREF: .text:004E64CAj
		mov	ecx, [esi+0Ch]
		mov	[eax], ecx
		jmp	short loc_4E64CC
; 

loc_4E6526:				; CODE XREF: .text:004E64D4j
					; .text:004E64D8j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 10h
; Exported entry 1915. PsSetThreadProperty

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetThreadProperty(x, x, x)
		public _PsSetThreadProperty@12
_PsSetThreadProperty@12	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	_PspValidateThread@4 ; PspValidateThread(x)
		test	eax, eax
		js	short loc_4E655B
		cmp	[ebp+arg_8], 0
		lea	ecx, [esi+370h]
		mov	edx, [ebp+arg_4]
		jz	short loc_4E6560
		push	[ebp+arg_8]
		call	PspInsertProperty

loc_4E655B:				; CODE XREF: PsSetThreadProperty(x,x,x)+12j
					; PsSetThreadProperty(x,x,x)+37j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_4E6560:				; CODE XREF: PsSetThreadProperty(x,x,x)+21j
		push	0
		call	PspRemoveProperty
		jmp	short loc_4E655B
_PsSetThreadProperty@12	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspValidateThread(x)
_PspValidateThread@4 proc near		; CODE XREF: PsSetThreadProperty(x,x,x)+Bp
		mov	eax, large fs:20h
		push	esi
		mov	esi, ecx
		cmp	esi, [eax+0Ch]
		jz	short loc_4E65CA
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_4E65A9
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, ds:_PsThreadType
		jnz	short loc_4E65C3

loc_4E65A9:				; CODE XREF: PspValidateThread(x)+16j
		cmp	esi, large fs:124h
		jnz	short loc_4E65BF
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jnz	short loc_4E65CA

loc_4E65BF:				; CODE XREF: PspValidateThread(x)+46j
		xor	eax, eax
		pop	esi
		retn
; 

loc_4E65C3:				; CODE XREF: PspValidateThread(x)+3Dj
		mov	eax, 0C000000Dh
		pop	esi
		retn
; 

loc_4E65CA:				; CODE XREF: PspValidateThread(x)+Cj
					; PspValidateThread(x)+53j
		mov	eax, 0C00000BBh
		pop	esi
		retn
_PspValidateThread@4 endp

; 
		align 2

PspInsertProperty:			; CODE XREF: PsSetThreadProperty(x,x,x)+26p
					; PsSetJobProperty(x,x,x)+53p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	50737050h
		push	10h
		push	200h
		mov	[ebp-0Ch], edx
		mov	ebx, ecx
		xor	edi, edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5CD987
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp-1], al
		lea	eax, [ebx+8]
		mov	ecx, eax
		mov	[ebp-8], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [ebp-0Ch]
		mov	ecx, ebx
		call	_PspFindPropertySetEntry@8 ; PspFindPropertySetEntry(x,x)
		test	eax, eax
		jnz	short loc_4E6676
		mov	ecx, [ebp+8]
		mov	[esi+8], edx
		mov	[esi+0Ch], ecx
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	short loc_4E667D
		mov	[esi], eax
		mov	edx, 72507350h
		mov	[esi+4], ebx
		mov	[eax+4], esi
		mov	[ebx], esi
		call	ObfReferenceObjectWithTag

loc_4E6647:				; CODE XREF: .text:004E667Bj
		test	ds:byte_70EFC6,	1
		jnz	loc_5CD991
		mov	eax, [ebp-8]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_4E665C:				; CODE XREF: .text:005CD99Cj
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		js	loc_5CD9A1

loc_4E666D:				; CODE XREF: .text:005CD98Cj
					; .text:005CD9ACj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4E6676:				; CODE XREF: .text:004E6621j
		mov	edi, 0C0000035h
		jmp	short loc_4E6647
; 

loc_4E667D:				; CODE XREF: .text:004E6631j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		align 10h
; Exported entry 1831. PsGetThreadProperty

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsGetThreadProperty
PsGetThreadProperty proc near

var_1C		= dword	ptr -1Ch
var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CD9B1 SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		test	[ebp+arg_8], 0FFFFFFFEh
		push	edi
		jnz	loc_4E67F3
		mov	eax, large fs:20h
		mov	esi, [ebp+arg_0]
		cmp	esi, [eax+0Ch]
		jz	loc_4E67F3
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_4E66F4
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, ds:_PsThreadType
		jnz	loc_4E67F3

loc_4E66F4:				; CODE XREF: PsGetThreadProperty+37j
		mov	eax, large fs:124h
		cmp	esi, eax
		jnz	short loc_4E670F
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jnz	loc_4E67F3

loc_4E670F:				; CODE XREF: PsGetThreadProperty+6Cj
		lea	edi, [esi+378h]
		mov	[esp+18h+var_8], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[esp+18h+var_9], al
		jnz	loc_5CD9B1
		lock bts dword ptr [edi], 0
		jb	loc_5CD9BD

loc_4E673B:				; CODE XREF: PsGetThreadProperty+E7328j
					; PsGetThreadProperty+E7334j
		mov	eax, [esi+370h]
		lea	ecx, [esi+370h]
		xor	edi, edi
		cmp	eax, ecx
		jz	short loc_4E6788
		mov	edx, [ebp+arg_4]

loc_4E6750:				; CODE XREF: PsGetThreadProperty+15Ej
		cmp	[eax+8], edx
		jnz	loc_4E67E8
		mov	edi, eax
		test	eax, eax
		jz	short loc_4E6788
		mov	ecx, [eax+0Ch]
		add	ecx, 0FFFFFFE8h
		mov	[esp+18h+var_4], ecx
		cmp	ds:_ObpTraceFlags, ebx
		jnz	loc_5CD9C9

loc_4E6775:				; CODE XREF: PsGetThreadProperty+E734Bj
		mov	eax, 1
		lock xadd [ecx], eax
		inc	eax
		cmp	eax, 1
		jle	loc_5CD9E0

loc_4E6788:				; CODE XREF: PsGetThreadProperty+BBj
					; PsGetThreadProperty+CDj ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5CD9F0
		mov	eax, [esp+18h+var_8]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_4E679E:				; CODE XREF: PsGetThreadProperty+E736Cj
		mov	cl, [esp+18h+var_9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_4E67BA
		mov	ebx, [edi+0Ch]

loc_4E67AF:				; CODE XREF: PsGetThreadProperty+12Ej
					; PsGetThreadProperty+149j ...
		mov	eax, ebx

loc_4E67B1:				; CODE XREF: PsGetThreadProperty+165j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4E67BA:				; CODE XREF: PsGetThreadProperty+11Aj
		test	byte ptr [ebp+arg_8], 1
		jnz	short loc_4E67AF
		mov	eax, [esi+390h]
		cmp	eax, 0FFFFFFFDh
		jnz	short loc_4E67D7
		mov	eax, [esi+150h]
		mov	eax, [eax+158h]

loc_4E67D7:				; CODE XREF: PsGetThreadProperty+139j
		test	eax, eax
		jz	short loc_4E67AF
		push	[ebp+arg_4]
		push	eax
		call	_PsGetJobProperty@8 ; PsGetJobProperty(x,x)
		mov	ebx, eax
		jmp	short loc_4E67AF
; 

loc_4E67E8:				; CODE XREF: PsGetThreadProperty+C3j
		mov	eax, [eax]
		cmp	eax, ecx
		jz	short loc_4E6788
		jmp	loc_4E6750
; 

loc_4E67F3:				; CODE XREF: PsGetThreadProperty+17j
					; PsGetThreadProperty+29j ...
		xor	eax, eax
		jmp	short loc_4E67B1
PsGetThreadProperty endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1787. PsGetJobProperty

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetJobProperty(x,	x)
		public _PsGetJobProperty@8
_PsGetJobProperty@8 proc near		; CODE XREF: PsGetThreadProperty+14Fp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	esi, [ebp+arg_0]
		cmp	al, 2
		jnb	short loc_4E683B
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, ds:_PsJobType
		jnz	short loc_4E6851

loc_4E683B:				; CODE XREF: PsGetJobProperty(x,x)+16j
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, esi
		call	PspGetJobProperty
		mov	eax, [ebp+var_4]

loc_4E684C:				; CODE XREF: PsGetJobProperty(x,x)+57j
		pop	esi
		leave
		retn	8
; 

loc_4E6851:				; CODE XREF: PsGetJobProperty(x,x)+3Dj
		xor	eax, eax
		jmp	short loc_4E684C
_PsGetJobProperty@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspGetJobProperty proc near		; CODE XREF: PsGetJobProperty(x,x)+48p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CDA01 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		and	[esp+10h+var_4], 0
		push	esi
		mov	esi, ecx
		mov	[esp+14h+var_8], edx
		push	edi
		mov	edi, 0C0000225h
		test	esi, esi
		jz	short loc_4E689B

loc_4E6877:				; CODE XREF: PspGetJobProperty+53j
		lea	eax, [esp+18h+var_4]
		push	eax
		lea	ecx, [esi+2FCh]
		call	PspGetProperty
		mov	edi, eax
		test	edi, edi
		jns	loc_5CDA01
		mov	esi, [esi+244h]
		test	esi, esi
		jnz	short loc_4E68A5

loc_4E689B:				; CODE XREF: PspGetJobProperty+1Fj
					; PspGetJobProperty+E71B4j
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4E68A5:				; CODE XREF: PspGetJobProperty+43j
		mov	edx, [esp+18h+var_8]
		jmp	short loc_4E6877
PspGetJobProperty endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspGetProperty	proc near		; CODE XREF: PspGetJobProperty+2Cp

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CDA0F SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		xor	ebx, ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+8]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, esi
		mov	ecx, edi
		call	_PspFindPropertySetEntry@8 ; PspFindPropertySetEntry(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_5CDA0F

loc_4E68E0:				; CODE XREF: PspGetProperty+E7170j
		test	ds:byte_70EFC6,	1
		jnz	loc_5CDA21
		xor	ecx, ecx
		lea	eax, [edi+8]
		lock and [eax],	ecx

loc_4E68F5:				; CODE XREF: PspGetProperty+E7180j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	short loc_4E6910
		mov	ebx, 0C0000225h

loc_4E6907:				; CODE XREF: PspGetProperty+6Cj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_4E6910:				; CODE XREF: PspGetProperty+54j
		mov	ecx, [ebp+arg_0]
		mov	edx, [esi+0Ch]
		mov	[ecx], edx
		jmp	short loc_4E6907
PspGetProperty	endp


;  S U B	R O U T	I N E 


; __stdcall PspFindPropertySetEntry(x, x)
_PspFindPropertySetEntry@8 proc	near	; CODE XREF: .text:004E64BAp
					; .text:004E661Ap ...
		mov	eax, [ecx]
		push	esi
		xor	esi, esi

loc_4E691F:				; CODE XREF: PspFindPropertySetEntry(x,x)+18j
		cmp	eax, ecx
		jnz	short loc_4E6927

loc_4E6923:				; CODE XREF: PspFindPropertySetEntry(x,x)+14j
		mov	eax, esi
		pop	esi
		retn
; 

loc_4E6927:				; CODE XREF: PspFindPropertySetEntry(x,x)+7j
		cmp	[eax+8], edx
		jnz	short loc_4E6930
		mov	esi, eax
		jmp	short loc_4E6923
; 

loc_4E6930:				; CODE XREF: PspFindPropertySetEntry(x,x)+10j
		mov	eax, [eax]
		jmp	short loc_4E691F
_PspFindPropertySetEntry@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeWaitForAlertByThreadId proc near	; CODE XREF: NtWaitForAlertByThreadId+5Bp
					; RtlpRunOnceWaitForInit(x,x)+6Dp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CDA31 SIZE 000000D0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		push	esi
		mov	esi, large fs:124h
		mov	ebx, edx
		xor	edx, edx
		mov	[ebp+var_2], cl
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_34], esi
		lea	eax, [esi+5Ch]
		lock btr dword ptr [eax], 4
		jb	loc_4E6B8A
		test	ebx, ebx
		jnz	loc_4E6AFF

loc_4E6977:				; CODE XREF: KeWaitForAlertByThreadId+1C4j
		btr	dword ptr [esi+58h], 2
		mov	[ebp+var_40], edx
		setb	al
		mov	[ebp+var_3C], edx
		mov	[ebp+var_1], al
		test	al, al
		jnz	short loc_4E699B
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esi+92h], al
		mov	al, [ebp+var_1]

loc_4E699B:				; CODE XREF: KeWaitForAlertByThreadId+4Aj
		push	edi
		test	ebx, ebx
		jnz	loc_4E6B0F
		xor	edi, edi

loc_4E69A6:				; CODE XREF: KeWaitForAlertByThreadId+203j
		mov	byte ptr [ebp+var_24], al
		lea	eax, [esi+2Ch]
		mov	[ebp+var_14], edi
		mov	[ebp+var_38], eax

loc_4E69B2:				; CODE XREF: KeWaitForAlertByThreadId+218j
		mov	dl, [esi+92h]
		lea	ebx, [esi+2Ch]
		mov	[ebp+var_1], dl
		mov	edi, edi

loc_4E69C0:				; CODE XREF: KeWaitForAlertByThreadId+E714Cj
		mov	al, [ebp+var_2]
		and	dword ptr [esi+58h], 0FFFFFFEFh
		mov	byte ptr [esi+54h], 0
		mov	[esi+93h], al
		mov	[ebp+var_28], 0
		jmp	short loc_4E69E0
; 
		align 10h

loc_4E69E0:				; CODE XREF: KeWaitForAlertByThreadId+98j
					; KeWaitForAlertByThreadId+28Ej
		lock bts dword ptr [ebx], 0
		jb	loc_4E6BC0
		cmp	byte ptr [esi+85h], 0
		mov	dl, [ebp+var_1]
		jnz	loc_5CDA4D

loc_4E69FB:				; CODE XREF: KeWaitForAlertByThreadId+E7115j
					; KeWaitForAlertByThreadId+E711Ej
		test	byte ptr [esi+86h], 2
		lea	ebx, [esi+5Ch]
		jnz	loc_4E6B5D

loc_4E6A0B:				; CODE XREF: KeWaitForAlertByThreadId+221j
		mov	byte ptr [esi+90h], 5
		mov	byte ptr [esi+18Bh], 25h
		mov	eax, ds:_KeTickCount
		mov	[esi+138h], eax
		mov	dword ptr [esi+2Ch], 0
		lock btr dword ptr [ebx], 4
		jb	loc_4E6B97
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_2C], 0
		mov	[ebp+var_28], 0
		cmp	edi, 2
		jz	short loc_4E6AA1
		test	edi, edi
		jnz	loc_5CDA91

loc_4E6A5D:				; CODE XREF: KeWaitForAlertByThreadId+1A2j
					; KeWaitForAlertByThreadId+1B4j
		mov	ebx, [ebp+arg_0]
		push	0
		push	ecx
		push	edx
		mov	[esi+0F0h], ebx
		lea	edx, [esi+0E0h]
		mov	byte ptr [esi+0E9h], 5
		mov	ecx, esi
		push	edi
		mov	byte ptr [esi+16Bh], 1
		call	KiCommitThreadWait
		mov	byte ptr [esi+18Bh], 0
		cmp	eax, 100h
		jz	loc_4E6B48

loc_4E6A98:				; CODE XREF: KeWaitForAlertByThreadId+276j
		pop	edi

loc_4E6A99:				; CODE XREF: KeWaitForAlertByThreadId+E70F6j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4E6AA1:				; CODE XREF: KeWaitForAlertByThreadId+113j
		xor	cl, cl
		call	KiQueryUnbiasedInterruptTime
		mov	ecx, eax
		mov	eax, edx
		sub	ecx, [esi+0B0h]
		mov	edx, [ebp+var_C]
		sbb	eax, [esi+0B4h]
		push	0
		push	edx
		mov	[ebp+var_18], ecx
		mov	edx, 2
		mov	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_10], eax
		call	KiGetDueTimeWithThreadTimerDelay
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_20], eax
		mov	eax, edx
		mov	edx, [ebp+var_8]

loc_4E6ADF:				; CODE XREF: KeWaitForAlertByThreadId+E71B2j
		cmp	[ebp+var_10], eax
		jb	loc_4E6A5D
		ja	loc_5CDAF7
		mov	eax, [ebp+var_18]
		cmp	eax, [ebp+var_20]
		jbe	loc_4E6A5D
		jmp	loc_5CDAF7
; 

loc_4E6AFF:				; CODE XREF: KeWaitForAlertByThreadId+31j
		mov	eax, [ebx]
		or	eax, [ebx+4]
		jnz	loc_4E6977
		jmp	loc_5CDA31
; 

loc_4E6B0F:				; CODE XREF: KeWaitForAlertByThreadId+5Ej
		cmp	dword ptr [ebx+4], 0
		jge	loc_5CDA3B
		xor	cl, cl
		call	KiQueryUnbiasedInterruptTime
		mov	edi, [esi+0B0h]
		add	edi, [ebx]
		mov	ecx, [esi+0B4h]
		adc	ecx, [ebx+4]
		sub	eax, edi
		mov	[ebp+var_8], eax
		mov	edi, 2
		mov	al, [ebp+var_1]
		sbb	edx, ecx

loc_4E6B40:				; CODE XREF: KeWaitForAlertByThreadId+E7108j
		mov	[ebp+var_C], edx
		jmp	loc_4E69A6
; 

loc_4E6B48:				; CODE XREF: KeWaitForAlertByThreadId+152j
		mov	byte ptr [ebp+var_24], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esi+92h], al
		jmp	loc_4E69B2
; 

loc_4E6B5D:				; CODE XREF: KeWaitForAlertByThreadId+C5j
		cmp	[ebp+var_2], 0
		jz	loc_4E6A0B
		mov	eax, [ebp+var_38]
		mov	dword ptr [eax], 0
		mov	ecx, large fs:20h
		call	KiCheckForThreadDispatch
		pop	edi
		pop	esi
		mov	eax, 0C0h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4E6B8A:				; CODE XREF: KeWaitForAlertByThreadId+29j
		pop	esi
		mov	eax, 101h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4E6B97:				; CODE XREF: KeWaitForAlertByThreadId+F0j
		mov	edi, 101h

loc_4E6B9C:				; CODE XREF: KeWaitForAlertByThreadId+E71BCj
		push	[ebp+var_24]
		mov	ecx, large fs:20h
		mov	edx, esi
		mov	byte ptr [esi+18Bh], 0
		call	_KiFastExitThreadWait@12 ; KiFastExitThreadWait(x,x,x)
		mov	eax, edi
		jmp	loc_4E6A98
; 
		jmp	short loc_4E6BC0
; 
		align 10h

loc_4E6BC0:				; CODE XREF: KeWaitForAlertByThreadId+A5j
					; KeWaitForAlertByThreadId+27Bj ...
		lea	ecx, [ebp+var_28]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_4E6BC0
		jmp	loc_4E69E0
KeWaitForAlertByThreadId endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiGetDueTimeWithThreadTimerDelay proc near ; CODE XREF:	KiCheckDueTimeExpired+4Ap
					; KeWaitForAlertByThreadId+18Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CDB01 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_4E6C25

loc_4E6BE0:				; CODE XREF: KiGetDueTimeWithThreadTimerDelay+54j
		cmp	edx, 2
		jnz	short loc_4E6C1B
		mov	edx, [ecx+240h]
		cmp	byte ptr [ecx+93h], 0
		jz	short loc_4E6C1B
		cmp	dword ptr [ecx+13Ch], 0
		jnz	short loc_4E6C1B
		cmp	byte ptr [ecx+92h], 0
		jnz	short loc_4E6C1B
		cmp	byte ptr [ecx+84h], 0
		jnz	short loc_4E6C1B
		test	eax, eax
		jnz	short loc_4E6C2A

loc_4E6C13:				; CODE XREF: KiGetDueTimeWithThreadTimerDelay+59j
		test	edx, edx
		jnz	loc_5CDB01

loc_4E6C1B:				; CODE XREF: KiGetDueTimeWithThreadTimerDelay+Fj
					; KiGetDueTimeWithThreadTimerDelay+1Ej	...
		mov	edx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]

loc_4E6C21:				; CODE XREF: KiGetDueTimeWithThreadTimerDelay+E6F38j
		pop	ebp
		retn	0Ch
; 

loc_4E6C25:				; CODE XREF: KiGetDueTimeWithThreadTimerDelay+Aj
		mov	byte ptr [eax],	0
		jmp	short loc_4E6BE0
; 

loc_4E6C2A:				; CODE XREF: KiGetDueTimeWithThreadTimerDelay+3Dj
		mov	byte ptr [eax],	1
		jmp	short loc_4E6C13
KiGetDueTimeWithThreadTimerDelay endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeGetTrustLabelAce(x)
_SeGetTrustLabelAce@4 proc near		; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+118p
					; MiAllowImageMap(x,x,x,x)+126p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		movzx	ebx, word ptr [edi+2]
		mov	edx, ebx
		and	edx, 10h

loc_4E6C48:				; CODE XREF: SeGetTrustLabelAce(x)+22j
		test	dx, dx
		jnz	short loc_4E6C5B

loc_4E6C4D:				; CODE XREF: SeGetTrustLabelAce(x)+3Ej
					; SeGetTrustLabelAce(x)+53j ...
		xor	eax, eax

loc_4E6C4F:				; CODE XREF: SeGetTrustLabelAce(x)+7Dj
		inc	esi
		test	eax, eax
		jnz	short loc_4E6C48

loc_4E6C54:				; CODE XREF: SeGetTrustLabelAce(x)+7Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E6C5B:				; CODE XREF: SeGetTrustLabelAce(x)+1Bj
		mov	ecx, [edi+0Ch]
		test	bx, bx
		jns	short loc_4E6C6C
		lea	eax, [ecx+edi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_4E6C6C:				; CODE XREF: SeGetTrustLabelAce(x)+31j
		test	ecx, ecx
		jz	short loc_4E6C4D
		lea	eax, [ecx+8]
		mov	[ebp+var_4], 0
		movzx	ecx, word ptr [ecx+4]
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	short loc_4E6C4D
		mov	ecx, [ebp+var_4]

loc_4E6C88:				; CODE XREF: SeGetTrustLabelAce(x)+73j
		cmp	ecx, esi
		jb	short loc_4E6C91
		cmp	byte ptr [eax],	14h
		jz	short loc_4E6CA5

loc_4E6C91:				; CODE XREF: SeGetTrustLabelAce(x)+5Aj
		inc	ecx
		mov	[ebp+var_4], ecx
		movzx	ecx, word ptr [eax+2]
		add	eax, ecx
		mov	ecx, [ebp+var_4]
		cmp	ecx, [ebp+var_8]
		jnb	short loc_4E6C4D
		jmp	short loc_4E6C88
; 

loc_4E6CA5:				; CODE XREF: SeGetTrustLabelAce(x)+5Fj
		test	byte ptr [eax+1], 8
		mov	esi, ecx
		jz	short loc_4E6C54
		jmp	short loc_4E6C4F
_SeGetTrustLabelAce@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepLocateTokenTrustLevel(x)
_SepLocateTokenTrustLevel@4 proc near	; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+7FAp
					; SeAccessCheckWithHintWithAdminlessChecks+C2Cp ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ecx+8]
		push	edi
		mov	edi, [ecx]
		mov	[ebp+var_1], 0
		test	edi, edi
		jnz	short loc_4E6CCF

loc_4E6CC5:				; CODE XREF: SepLocateTokenTrustLevel(x)+38j
					; SepLocateTokenTrustLevel(x)+3Cj
		mov	eax, [esi+280h]
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4E6CCF:				; CODE XREF: SepLocateTokenTrustLevel(x)+13j
		mov	edx, [edi+280h]
		lea	eax, [ebp-1]
		mov	ecx, [esi+280h]
		push	eax
		call	_RtlSidDominatesForTrust@12 ; RtlSidDominatesForTrust(x,x,x)
		cmp	[ebp+var_1], 0
		jz	short loc_4E6CC5
		mov	esi, edi
		jmp	short loc_4E6CC5
_SepLocateTokenTrustLevel@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAttachSession	proc near		; CODE XREF: MiTrimOrAgeWorkingSet+359p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005CDB11 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	eax, [eax+80h]
		mov	[eax+180h], esi
		call	MiAttachTrimmerToSession
		xor	esi, esi
		inc	esi
		test	ds:byte_70EFC6,	1
		jnz	loc_5CDB11
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_4E6D84
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_4E6D7C

loc_4E6D52:				; CODE XREF: MiAttachSession+A3j
					; MiAttachSession+E6E2Ej
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, dword_6D5D4C
		or	edx, 0FFFFFFFFh
		call	MiCompareTbFlushTimeStamp
		test	al, al
		jnz	short loc_4E6D71

loc_4E6D6D:				; CODE XREF: MiAttachSession+8Cj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4E6D71:				; CODE XREF: MiAttachSession+7Dj
		xor	edx, edx
		mov	ecx, esi
		call	KeFlushTb
		jmp	short loc_4E6D6D
; 

loc_4E6D7C:				; CODE XREF: MiAttachSession+62j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_4E6D84:				; CODE XREF: MiAttachSession+4Fj
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	esi
		jmp	short loc_4E6D52
MiAttachSession	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCompareTbFlushTimeStamp proc near	; CODE XREF: MiFlushTbAsNeeded+189p
					; MiAttachSession+76p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CDB21 SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	edx, ds:_KiTbFlushTimeStamp
		mov	eax, edx
		sub	eax, edi
		and	eax, ebx
		cmp	eax, 2
		jbe	short loc_4E6DC7

loc_4E6DC0:				; CODE XREF: MiCompareTbFlushTimeStamp+3Fj
					; MiCompareTbFlushTimeStamp+E6DB2j ...
		xor	al, al

loc_4E6DC2:				; CODE XREF: MiCompareTbFlushTimeStamp+4Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4E6DC7:				; CODE XREF: MiCompareTbFlushTimeStamp+2Aj
		mov	esi, edi
		and	esi, 1

loc_4E6DCC:				; CODE XREF: MiCompareTbFlushTimeStamp+E6DD3j
		test	esi, esi
		jnz	short loc_4E6DD5
		cmp	eax, 2
		jnb	short loc_4E6DC0

loc_4E6DD5:				; CODE XREF: MiCompareTbFlushTimeStamp+3Aj
		test	dl, 1
		jnz	loc_5CDB21
		mov	al, 1
		jmp	short loc_4E6DC2
MiCompareTbFlushTimeStamp endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAttachTrimmerToSession proc near	; CODE XREF: MiAttachSession+35p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CDB72 SIZE 00000062 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, 0C0602000h
		lea	ebx, [ecx+3E0h]
		xor	esi, esi
		jmp	short loc_4E6E10
; 
		align 10h

loc_4E6E10:				; CODE XREF: MiAttachTrimmerToSession+18j
					; MiAttachTrimmerToSession+3Bj
		mov	al, byte ptr dword_6D3D94[esi]
		cmp	al, 1
		jz	short loc_4E6E34
		cmp	al, 0Bh
		jz	short loc_4E6E34

loc_4E6E1E:				; CODE XREF: MiAttachTrimmerToSession+88j
					; MiAttachTrimmerToSession+95j	...
		inc	esi
		add	ebx, 8
		add	edi, 8
		cmp	esi, 400h
		jb	short loc_4E6E10
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E6E34:				; CODE XREF: MiAttachTrimmerToSession+28j
					; MiAttachTrimmerToSession+2Cj
		mov	edx, [ebx]
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], 0
		nop
		mov	ecx, [ebx+4]
		mov	eax, edx
		and	eax, 1
		mov	[ebp+var_4], ecx
		or	eax, 0
		jz	short loc_4E6E7F
		mov	ecx, edi
		mov	[ebp+var_8], 0
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5CDB72
		mov	eax, [ebp+var_4]
		xor	ecx, ecx

loc_4E6E70:				; CODE XREF: MiAttachTrimmerToSession+E6D9Aj
					; MiAttachTrimmerToSession+E6DA5j ...
		mov	[edi+4], eax
		nop
		mov	[edi], edx
		test	ecx, ecx
		jz	short loc_4E6E1E
		jmp	loc_5CDBC6
; 

loc_4E6E7F:				; CODE XREF: MiAttachTrimmerToSession+63j
		mov	[edi], edx
		nop
		mov	[edi+4], ecx
		jmp	short loc_4E6E1E
MiAttachTrimmerToSession endp

; 
		align 10h
; Exported entry 1782. PsGetCurrentThreadWin32ThreadAndEnterCriticalRegion

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetCurrentThreadWin32ThreadAndEnterCriticalRegion(x)
		public _PsGetCurrentThreadWin32ThreadAndEnterCriticalRegion@4
_PsGetCurrentThreadWin32ThreadAndEnterCriticalRegion@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_0]
		mov	edx, [eax+2ACh]
		mov	[ecx], edx
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [eax+124h]
		pop	ebp
		retn	4
_PsGetCurrentThreadWin32ThreadAndEnterCriticalRegion@4 endp

; 
		align 10h
; Exported entry 348. ExEnterCriticalRegionAndAcquireResourceShared

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExEnterCriticalRegionAndAcquireResourceShared
ExEnterCriticalRegionAndAcquireResourceShared proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CDBD4 SIZE 0000007A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		movzx	ecx, word ptr [esi+0Eh]
		mov	eax, ecx
		mov	edx, ecx
		and	eax, 1
		jnz	loc_5CDBD4

loc_4E6EE8:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceShared+E6D17j
		test	ax, ax
		jnz	short loc_4E6F0B

loc_4E6EED:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceShared+E6D89j
		mov	dl, 1
		test	cl, dl
		mov	ecx, esi
		jnz	short loc_4E6F25
		call	ExpAcquireResourceSharedLite

loc_4E6EFA:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceShared+6Aj
		mov	eax, large fs:124h
		pop	esi
		mov	eax, [eax+124h]
		pop	ebp
		retn	4
; 

loc_4E6F0B:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceShared+2Bj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		cmp	al, 1
		ja	loc_5CDBEE
		jmp	loc_5CDC02
; 

loc_4E6F25:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceShared+33j
		call	_ExpFastResourceLegacyAcquireShared@8 ;	ExpFastResourceLegacyAcquireShared(x,x)
		jmp	short loc_4E6EFA
ExEnterCriticalRegionAndAcquireResourceShared endp

; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 159. ObReferenceObjectSafe

;  S U B	R O U T	I N E 


; __fastcall ObReferenceObjectSafe(x)
		public @ObReferenceObjectSafe@4
@ObReferenceObjectSafe@4 proc near	; CODE XREF: AlpcpFlushMessagesPort(x)+72p
					; AlpcpFlushMessagesPort(x)+C0p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	esi
		lea	esi, [ecx-18h]
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_4E6F78
		lea	esp, [esp+0]

loc_4E6F50:				; CODE XREF: ObReferenceObjectSafe(x)+36j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jnz	short loc_4E6F72
		push	746C6644h
		mov	edx, 1
		mov	ecx, esi
		call	ObpTraceObjectReferenceIfActive
		mov	al, 1
		pop	esi
		retn
; 

loc_4E6F72:				; CODE XREF: ObReferenceObjectSafe(x)+1Bj
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_4E6F50

loc_4E6F78:				; CODE XREF: ObReferenceObjectSafe(x)+Aj
		xor	al, al
		pop	esi
		retn
@ObReferenceObjectSafe@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiPriQueueThreadPriorityChanged	proc near ; CODE XREF: KeSetActualBasePriorityThread+21Ap
					; KeSetPriorityAndQuantumProcess+16A14Bp ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_1], 0
		push	edi
		mov	edx, [esi+14Ch]
		movsx	ebx, byte ptr [esi+15Bh]
		movzx	edi, dl
		cmp	edi, ebx
		jnz	short loc_4E6FAB

loc_4E6F9F:				; CODE XREF: KiPriQueueThreadPriorityChanged+64j
		mov	dword ptr [esi+2Ch], 0

loc_4E6FA6:				; CODE XREF: KiPriQueueThreadPriorityChanged+8Ej
					; sub_5CDC4E+Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4E6FAB:				; CODE XREF: KiPriQueueThreadPriorityChanged+21j
		and	edx, 100h
		jnz	short loc_4E6FD1
		mov	eax, [esi+0A4h]
		lock dec dword ptr [eax+edi*4+110h]
		lock inc dword ptr [eax+ebx*4+110h]
		cmp	ebx, edi
		jge	short loc_4E6FD1
		mov	[ebp+var_1], 1

loc_4E6FD1:				; CODE XREF: KiPriQueueThreadPriorityChanged+35j
					; KiPriQueueThreadPriorityChanged+4Fj
		movzx	eax, bl
		or	eax, edx
		cmp	[ebp+var_1], 0
		mov	[esi+14Ch], eax
		jz	short loc_4E6F9F
		lock bts dword ptr [ecx], 7
		setb	al
		neg	al
		push	0
		sbb	al, al
		pop	ebx
		mov	[esi+2Ch], ebx
		add	al, 1
		jz	short loc_4E7011
		call	KiActivateWaiterPriQueue

loc_4E6FFD:				; CODE XREF: KiPriQueueThreadPriorityChanged+9Fj
		mov	ecx, large fs:20h
		cmp	[ecx+3B1Ch], ebx
		jz	short loc_4E6FA6
		jmp	sub_5CDC4E
; 

loc_4E7011:				; CODE XREF: KiPriQueueThreadPriorityChanged+7Aj
		mov	edx, ecx
		mov	ecx, esi
		push	ebx
		call	KiActivateWaiterQueueWithNoLocks
		jmp	short loc_4E6FFD
KiPriQueueThreadPriorityChanged	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiSwitchQueue(x, x, x)
@KiSwitchQueue@12 proc near		; CODE XREF: KeRemoveQueueEx+439p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	edx, [ebp+arg_0]
		lea	esi, [ebx+140h]
		test	edx, edx
		jnz	short loc_4E706B

loc_4E7037:				; CODE XREF: KiSwitchQueue(x,x,x)+53j
		mov	[ebx+0A4h], edi
		lock inc dword ptr [edi+18h]
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	eax, [edi+20h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_4E7073
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4E706B:				; CODE XREF: KiSwitchQueue(x,x,x)+17j
		push	esi
		call	KiActivateWaiterQueueWithNoLocks
		jmp	short loc_4E7037
; 

loc_4E7073:				; CODE XREF: KiSwitchQueue(x,x,x)+32j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
@KiSwitchQueue@12 endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiActivateWaiterQueueWithNoLocks proc near ; CODE XREF:	KeTerminateThread+8Fp
					; KiPriQueueThreadPriorityChanged+9Ap ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CDC5D SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		shr	edi, 4
		and	edi, 3Fh
		shl	edi, 6
		add	edi, offset _KiObjectRundownLocks
		push	edi
		call	ExAcquireSpinLockSharedAtDpcLevel
		mov	esi, [ebx+0A4h]
		test	esi, esi
		jz	short loc_4E70B9
		mov	ecx, esi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	eax, [ebx+0A4h]
		test	eax, eax
		jz	loc_4E7149

loc_4E70B9:				; CODE XREF: KiActivateWaiterQueueWithNoLocks+2Aj
					; KiActivateWaiterQueueWithNoLocks+DBj
		push	edi
		call	ExReleaseSpinLockSharedFromDpcLevel
		test	esi, esi
		jz	short loc_4E7102
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_4E70F3
		mov	al, [esi]
		and	al, 7Fh
		cmp	al, 15h
		jz	short loc_4E7110
		lock dec dword ptr [esi+18h]

loc_4E70D6:				; CODE XREF: KiActivateWaiterQueueWithNoLocks+CFj
		mov	ecx, [edi]
		mov	eax, [edi+4]
		cmp	[ecx+4], edi
		jnz	short loc_4E7158
		cmp	[eax], edi
		jnz	short loc_4E7158
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	dword ptr [ebx+0A4h], 0

loc_4E70F3:				; CODE XREF: KiActivateWaiterQueueWithNoLocks+50j
		mov	al, [esi]
		mov	ecx, esi
		and	al, 7Fh
		cmp	al, 15h
		jz	short loc_4E7109
		call	KiActivateWaiterKQueue

loc_4E7102:				; CODE XREF: KiActivateWaiterQueueWithNoLocks+49j
					; KiActivateWaiterQueueWithNoLocks+96j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4E7109:				; CODE XREF: KiActivateWaiterQueueWithNoLocks+83j
		call	KiActivateWaiterPriQueue
		jmp	short loc_4E7102
; 

loc_4E7110:				; CODE XREF: KiActivateWaiterQueueWithNoLocks+58j
		and	[ebp+var_4], 0
		lea	edi, [ebx+2Ch]

loc_4E7117:				; CODE XREF: KiActivateWaiterQueueWithNoLocks+E6BF3j
		lock bts dword ptr [edi], 0
		jb	loc_5CDC5D
		movzx	ecx, byte ptr [ebx+14Ch]
		mov	eax, ecx
		or	eax, 100h
		mov	[ebx+14Ch], eax
		lock dec dword ptr [esi+ecx*4+110h]
		mov	dword ptr [edi], 0
		mov	edi, [ebp+arg_0]
		jmp	short loc_4E70D6
; 

loc_4E7149:				; CODE XREF: KiActivateWaiterQueueWithNoLocks+3Bj
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		xor	esi, esi
		jmp	loc_4E70B9
; 

loc_4E7158:				; CODE XREF: KiActivateWaiterQueueWithNoLocks+66j
					; KiActivateWaiterQueueWithNoLocks+6Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
KiActivateWaiterQueueWithNoLocks endp


;  S U B	R O U T	I N E 


KiActivateWaiterKQueue proc near	; CODE XREF: KiActivateWaiterQueueWithNoLocks+85p

; FUNCTION CHUNK AT 005CDC70 SIZE 0000001A BYTES

		mov	edi, edi
		push	edi
		mov	edi, ecx
		mov	eax, [edi+18h]
		cmp	eax, [edi+1Ch]
		jnb	short loc_4E7178
		push	ebx
		lea	ebx, [edi+10h]
		push	esi
		mov	esi, [ebx]
		cmp	esi, ebx
		jnz	short loc_4E7182

loc_4E7176:				; CODE XREF: KiActivateWaiterKQueue+29j
					; KiActivateWaiterKQueue+5Bj ...
		pop	esi
		pop	ebx

loc_4E7178:				; CODE XREF: KiActivateWaiterKQueue+Bj
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		pop	edi
		retn
; 

loc_4E7182:				; CODE XREF: KiActivateWaiterKQueue+16j
		lea	eax, [edi+8]
		cmp	[eax], eax
		jz	short loc_4E7176
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_4E71BB
		cmp	[eax], esi
		jnz	short loc_4E71BB
		mov	[eax], ecx
		mov	edx, edi
		mov	[ecx+4], eax
		mov	ecx, large fs:20h
		and	dword ptr [esi], 0
		push	esi
		call	KiWakeQueueWaiter
		test	al, al
		jz	loc_5CDC70
		dec	dword ptr [edi+4]
		jmp	short loc_4E7176
; 

loc_4E71BB:				; CODE XREF: KiActivateWaiterKQueue+33j
					; KiActivateWaiterKQueue+37j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
KiActivateWaiterKQueue endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiActivateWaiterPriQueue proc near	; CODE XREF: KiPriQueueThreadPriorityChanged+7Cp
					; KiActivateWaiterQueueWithNoLocks:loc_4E7109p	...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CDC8A SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		lea	eax, [esi+8]
		cmp	[eax], eax
		jz	short loc_4E71DA
		cmp	dword ptr [esi+4], 0
		jnz	short loc_4E71E5

loc_4E71DA:				; CODE XREF: KiActivateWaiterPriQueue+12j
					; KiActivateWaiterPriQueue+37j
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		pop	esi
		leave
		retn
; 

loc_4E71E5:				; CODE XREF: KiActivateWaiterPriQueue+18j
		push	edi
		push	0FFFFFFFFh
		lea	edx, [ebp+var_4]
		call	KiAttemptFastRemovePriQueue
		mov	edi, eax
		test	edi, edi
		jnz	short loc_4E71F9

loc_4E71F6:				; CODE XREF: KiActivateWaiterPriQueue+56j
		pop	edi
		jmp	short loc_4E71DA
; 

loc_4E71F9:				; CODE XREF: KiActivateWaiterPriQueue+34j
		mov	ecx, large fs:20h
		mov	edx, esi
		push	ebx
		mov	ebx, [ebp+var_4]
		push	ebx
		push	edi
		call	@KiWakePriQueueWaiter@16 ; KiWakePriQueueWaiter(x,x,x,x)
		test	al, al
		jz	loc_5CDC8A

loc_4E7215:				; CODE XREF: KiActivateWaiterPriQueue+E6AE9j
		pop	ebx
		jmp	short loc_4E71F6
KiActivateWaiterPriQueue endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAttemptFastRemovePriQueue proc near	; CODE XREF: KeRemovePriQueue+17Bp
					; KiActivateWaiterPriQueue+2Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CDCAE SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		lea	ebx, [ecx+190h]
		mov	[ebp+var_8], edx
		push	edi
		mov	[ebp+var_4], ecx
		lea	esi, [ecx+110h]
		xor	edi, edi
		mov	eax, 20h
		mov	edx, ebx

loc_4E7246:				; CODE XREF: KiAttemptFastRemovePriQueue+43j
		mov	ecx, [edx-4]
		lea	edx, [edx-4]
		dec	eax
		sub	esi, 8
		add	edi, ecx
		cmp	eax, [ebp+arg_0]
		jz	short loc_4E72A3

loc_4E7257:				; CODE XREF: KiAttemptFastRemovePriQueue+84j
		cmp	edi, [ebx]
		jnb	short loc_4E7265
		mov	ecx, [esi]
		cmp	ecx, esi
		jnz	short loc_4E7269
		test	eax, eax
		jg	short loc_4E7246

loc_4E7265:				; CODE XREF: KiAttemptFastRemovePriQueue+39j
		xor	ebx, ebx
		jmp	short loc_4E7298
; 

loc_4E7269:				; CODE XREF: KiAttemptFastRemovePriQueue+3Fj
		mov	ebx, ecx
		mov	ecx, [ebp+var_4]
		cmp	dword ptr [ebx], 0
		jz	loc_5CDCAE
		dec	dword ptr [ecx+4]
		mov	edx, [ebx]
		cmp	[edx+4], ebx
		jnz	short loc_4E72A6
		mov	ecx, [ebx+4]
		cmp	[ecx], ebx
		jnz	short loc_4E72A6
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, [ebp+var_8]
		mov	dword ptr [ebx], 0
		mov	[ecx], eax

loc_4E7298:				; CODE XREF: KiAttemptFastRemovePriQueue+47j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4E72A3:				; CODE XREF: KiAttemptFastRemovePriQueue+35j
		dec	edi
		jmp	short loc_4E7257
; 

loc_4E72A6:				; CODE XREF: KiAttemptFastRemovePriQueue+5Fj
					; KiAttemptFastRemovePriQueue+66j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

PopFxRequestWorker:			; CODE XREF: PopPepRequestWork(x,x)+11p
					; DATA XREF: PopFxRegisterPluginEx(x,x,x,x)+363o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, offset _PopFxSystemWorkPool
		test	esi, esi
		jnz	short loc_4E7321

loc_4E72C2:				; CODE XREF: KiAttemptFastRemovePriQueue+104j
		xor	ebx, ebx
		lea	eax, [edi+24h]
		push	ebx
		push	1
		push	ebx
		push	eax
		call	KeReleaseSemaphore
		test	esi, esi
		jnz	loc_5CDCC5

loc_4E72D9:				; CODE XREF: KiAttemptFastRemovePriQueue+E6AB3j
		mov	edx, ebx
		lea	ebx, [edi+38h]

loc_4E72DE:				; CODE XREF: KiAttemptFastRemovePriQueue+FDj
		xor	esi, esi
		mov	ecx, edx
		inc	esi
		shl	esi, cl
		mov	eax, [ebx]

loc_4E72E7:				; CODE XREF: KiAttemptFastRemovePriQueue+CFj
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [ebx], ecx
		jnz	short loc_4E72E7
		test	eax, esi
		jnz	short loc_4E7319
		mov	eax, ds:_PspSystemPartition
		push	0
		push	30h
		mov	ecx, [eax+8]
		imul	eax, edx, 14h
		lea	edx, [edi+40h]
		add	edx, eax
		call	ExpTryQueueWorkItem
		test	al, al
		jz	short loc_4E7326

loc_4E7312:				; CODE XREF: KiAttemptFastRemovePriQueue+FFj
					; KiAttemptFastRemovePriQueue+10Bj ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4E7319:				; CODE XREF: KiAttemptFastRemovePriQueue+D3j
		inc	edx
		cmp	edx, 4
		jb	short loc_4E72DE
		jmp	short loc_4E7312
; 

loc_4E7321:				; CODE XREF: KiAttemptFastRemovePriQueue+A0j
		lea	edi, [esi+4Ch]
		jmp	short loc_4E72C2
; 

loc_4E7326:				; CODE XREF: KiAttemptFastRemovePriQueue+F0j
		not	esi
		lock and [ebx],	esi
		jmp	short loc_4E7312
KiAttemptFastRemovePriQueue endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1257. KeReleaseSemaphore

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeReleaseSemaphore
KeReleaseSemaphore proc	near		; CODE XREF: KiAttemptFastRemovePriQueue+ACp
					; AlpcpSignal+180p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005CDCD8 SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, large fs:20h
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		mov	byte ptr [ebp+var_14], al
		mov	[ebp+var_4], edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	eax, [ebp+arg_8]
		mov	ebx, [esi+4]
		add	eax, ebx
		cmp	eax, [esi+10h]
		jg	loc_4E7514
		cmp	eax, ebx
		jl	loc_4E7514
		mov	[esi+4], eax
		mov	edx, 0FFFFFF7Fh
		test	ebx, ebx
		jnz	short loc_4E73E3
		mov	eax, [esi+8]
		lea	ecx, [esi+8]
		cmp	eax, ecx
		jz	short loc_4E73E3

loc_4E7397:				; CODE XREF: KeReleaseSemaphore+210j
		mov	edi, eax
		mov	eax, [eax]
		mov	[ebp+var_18], eax
		mov	ecx, [edi+4]
		cmp	[eax+4], edi
		jz	short loc_4E740C

loc_4E73A6:				; CODE XREF: KeReleaseSemaphore+CEj
					; KeReleaseSemaphore+19Ej
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4E73AD:				; CODE XREF: KeReleaseSemaphore+D0j
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	al, [edi+8]
		cmp	al, 1
		jnz	short loc_4E7412
		movzx	eax, word ptr [edi+0Ah]
		mov	edx, edi
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		push	0
		push	eax
		call	KiTryUnwaitThread
		test	al, al
		jz	loc_4E7542
		add	dword ptr [esi+4], 0FFFFFFFFh
		jnz	loc_4E7542

loc_4E73DE:				; CODE XREF: KeReleaseSemaphore+172j
					; KeReleaseSemaphore+20Aj
		mov	edx, 0FFFFFF7Fh

loc_4E73E3:				; CODE XREF: KeReleaseSemaphore+4Bj
					; KeReleaseSemaphore+55j
		lock and [esi],	edx
		cmp	[ebp+arg_C], 0
		jnz	loc_4E750A
		xor	edx, edx

loc_4E73F2:				; CODE XREF: KeReleaseSemaphore+1CFj
		push	[ebp+var_14]
		mov	ecx, edi
		push	[ebp+arg_4]
		push	1
		call	KiExitDispatcher
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4E740C:				; CODE XREF: KeReleaseSemaphore+64j
		cmp	[ecx], edi
		jnz	short loc_4E73A6
		jmp	short loc_4E73AD
; 

loc_4E7412:				; CODE XREF: KeReleaseSemaphore+77j
		cmp	al, 2
		jnz	loc_4E752F
		mov	byte ptr [edi+9], 5
		mov	eax, [edi+0Ch]
		mov	[ebp+arg_8], eax
		add	eax, 8
		mov	dword ptr [edi], 0
		mov	[ebp+var_C], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_10], eax
		mov	eax, [eax+4]
		mov	[ebp+var_8], eax
		jz	short loc_4E7466
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_4E7466:				; CODE XREF: KeReleaseSemaphore+10Fj
		mov	ecx, [ebp+arg_8]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+arg_8]
		cmp	[edx], edx
		jz	short loc_4E74C9
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+1Ch]
		jnb	short loc_4E74C9
		mov	eax, [ebp+var_8]
		mov	eax, [eax+0A4h]
		cmp	eax, ecx
		jz	short loc_4E74BD

loc_4E748D:				; CODE XREF: KeReleaseSemaphore+187j
		mov	edx, ecx
		mov	ecx, [ebp+var_10]
		push	edi
		call	KiWakeQueueWaiter
		mov	ecx, [ebp+arg_8]
		test	al, al
		jz	loc_5CDCD8

loc_4E74A3:				; CODE XREF: KeReleaseSemaphore+1B5j
					; KeReleaseSemaphore+1B9j ...
		mov	edi, 0FFFFFF7Fh
		lock and [ecx],	edi
		add	dword ptr [esi+4], 0FFFFFFFFh
		mov	edi, [ebp+var_4]
		jz	loc_4E73DE
		jmp	loc_4E7542
; 

loc_4E74BD:				; CODE XREF: KeReleaseSemaphore+14Bj
		mov	eax, [ebp+var_8]
		cmp	byte ptr [eax+18Bh], 0Fh
		jnz	short loc_4E748D

loc_4E74C9:				; CODE XREF: KeReleaseSemaphore+136j
					; KeReleaseSemaphore+13Ej ...
		mov	eax, [ecx+4]
		mov	[ebp+var_8], eax
		inc	eax
		mov	[ecx+4], eax
		lea	eax, [ecx+10h]
		mov	esi, [eax+4]
		mov	[ebp+var_C], esi
		cmp	[esi], eax
		jnz	loc_4E73A6
		cmp	[ebp+var_8], 0
		mov	[edi+4], esi
		mov	[edi], eax
		mov	[esi], edi
		mov	esi, [ebp+arg_0]
		mov	[eax+4], edi
		jnz	short loc_4E74A3
		cmp	[edx], edx
		jz	short loc_4E74A3
		mov	edx, ecx
		mov	ecx, [ebp+var_10]
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		mov	ecx, [ebp+arg_8]
		jmp	short loc_4E74A3
; 

loc_4E750A:				; CODE XREF: KeReleaseSemaphore+AAj
		mov	edx, 3
		jmp	loc_4E73F2
; 

loc_4E7514:				; CODE XREF: KeReleaseSemaphore+33j
					; KeReleaseSemaphore+3Bj
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		mov	cl, byte ptr [ebp+var_14]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0C0000047h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_4E752F:				; CODE XREF: KeReleaseSemaphore+D4j
		push	0
		mov	edx, edi
		mov	edi, [ebp+var_4]
		push	100h
		mov	ecx, edi
		call	KiTryUnwaitThread

loc_4E7542:				; CODE XREF: KeReleaseSemaphore+8Ej
					; KeReleaseSemaphore+98j ...
		mov	eax, [ebp+var_18]
		lea	ecx, [esi+8]
		cmp	eax, ecx
		jz	loc_4E73DE
		jmp	loc_4E7397
KeReleaseSemaphore endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 448. ExTryQueueWorkItem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExTryQueueWorkItem(x, x)
		public _ExTryQueueWorkItem@8
_ExTryQueueWorkItem@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_PspSystemPartition
		mov	edx, [ebp+arg_0]
		push	0
		push	[ebp+arg_4]
		mov	ecx, [eax+8]
		call	ExpTryQueueWorkItem
		pop	ebp
		retn	8
_ExTryQueueWorkItem@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpTryQueueWorkItem proc near		; CODE XREF: KiAttemptFastRemovePriQueue+E9p
					; ExTryQueueWorkItem(x,x)+15p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CDCE0 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_10], 0
		mov	eax, edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	bl, bl
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		mov	edx, esi
		mov	[ebp+var_8], edi
		mov	ecx, eax
		call	ExpValidateWorkItem
		cmp	esi, 7
		jb	loc_5CDCE0
		lea	eax, [esi-20h]
		mov	[ebp+arg_0], eax

loc_4E75AE:				; CODE XREF: ExpTryQueueWorkItem+E6772j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bh, al
		mov	eax, large fs:20h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		mov	[ebp+var_C], eax
		movzx	edx, ax
		cmp	ax, ds:_KeNumberNodes
		jnb	short loc_4E7625

loc_4E75D8:				; CODE XREF: ExpTryQueueWorkItem+EFj
		mov	ecx, edx
		call	_KeIsNodeInitialized@4 ; KeIsNodeInitialized(x)
		test	al, al
		jz	loc_5CDCEF
		movzx	eax, dx
		mov	esi, ds:_KeNodeBlock[eax*4]

loc_4E75F1:				; CODE XREF: ExpTryQueueWorkItem+E6779j
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		call	_ExpIsPoolReadyForWork@12 ; ExpIsPoolReadyForWork(x,x,x)
		test	al, al
		jz	short loc_4E764D
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		call	_ExpPartitionGetQueue@12 ; ExpPartitionGetQueue(x,x,x)
		mov	edx, [ebp+var_4]
		mov	edi, eax
		push	2
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, edi
		call	KeInsertPriQueue
		mov	bl, al
		test	bl, bl
		jz	short loc_4E7636

loc_4E7625:				; CODE XREF: ExpTryQueueWorkItem+5Ej
					; ExpTryQueueWorkItem+EDj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
; 

loc_4E7636:				; CODE XREF: ExpTryQueueWorkItem+ABj
		or	dword ptr [edi+1B0h], 80000000h
		mov	edx, esi
		push	edi
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		call	_ExpPartitionCreateThreadIfNecessary@12	; ExpPartitionCreateThreadIfNecessary(x,x,x)

loc_4E764D:				; CODE XREF: ExpTryQueueWorkItem+87j
		mov	eax, [ebp+var_C]
		lea	edx, [ebp+var_10]
		movzx	ecx, ax
		call	MmGetNextNode
		movzx	edx, ax
		cmp	dx, ds:_KeNumberNodes
		jnb	short loc_4E7625
		jmp	loc_4E75D8
ExpTryQueueWorkItem endp


;  S U B	R O U T	I N E 


; __stdcall KeIsNodeInitialized(x)
_KeIsNodeInitialized@4 proc near	; CODE XREF: .text:0044E7BEp
					; ExpTryQueueWorkItem+62p ...
		movzx	ecx, cx
		imul	eax, ecx, 140h
		add	eax, offset _KiNodeInit
		cmp	ds:_KeNodeBlock[ecx*4],	eax
		setnz	al
		retn
_KeIsNodeInitialized@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeInsertPriQueue proc near		; CODE XREF: ExpTryQueueWorkItem+A2p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CDCF6 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		push	esi
		push	edi
		mov	[ebp+var_1], 0
		lea	esi, [ebx+8]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_14], al
		mov	ecx, ebx
		mov	eax, large fs:20h
		mov	[ebp+var_8], eax
		mov	edi, [eax+4]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	[esi], esi
		jz	loc_4E774C
		mov	eax, [edi+0A4h]
		cmp	eax, ebx
		jz	short loc_4E7743

loc_4E76D5:				; CODE XREF: KeInsertPriQueue+BAj
		mov	edi, [ebp+arg_0]
		lea	esi, [ebx+190h]
		mov	eax, 20h
		xor	edx, edx

loc_4E76E5:				; CODE XREF: KeInsertPriQueue+6Aj
		mov	ecx, [esi-4]
		lea	esi, [esi-4]
		add	edx, ecx
		dec	eax
		mov	ecx, [ebx+190h]
		cmp	edx, ecx
		jnb	short loc_4E774F
		cmp	eax, edi
		jg	short loc_4E76E5
		cmp	edx, ecx
		jnb	short loc_4E774F
		mov	esi, [ebp+var_8]
		mov	edx, ebx
		push	edi
		push	[ebp+var_10]
		mov	ecx, esi
		call	@KiWakePriQueueWaiter@16 ; KiWakePriQueueWaiter(x,x,x,x)
		mov	[ebp+var_1], al
		test	al, al
		jz	short loc_4E7752
		mov	edx, [ebp+arg_8]

loc_4E771A:				; CODE XREF: KeInsertPriQueue+C8j
					; KeInsertPriQueue+E668Bj
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		test	dl, 1
		jnz	short loc_4E775F
		xor	edx, edx

loc_4E7729:				; CODE XREF: KeInsertPriQueue+D4j
		push	[ebp+var_14]
		mov	ecx, esi
		push	0
		push	1
		call	KiExitDispatcher
		mov	al, [ebp+var_1]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4E7743:				; CODE XREF: KeInsertPriQueue+43j
		cmp	byte ptr [edi+18Bh], 0Fh
		jnz	short loc_4E76D5

loc_4E774C:				; CODE XREF: KeInsertPriQueue+35j
		mov	edi, [ebp+arg_0]

loc_4E774F:				; CODE XREF: KeInsertPriQueue+66j
					; KeInsertPriQueue+6Ej
		mov	esi, [ebp+var_8]

loc_4E7752:				; CODE XREF: KeInsertPriQueue+85j
		mov	edx, [ebp+arg_8]
		test	dl, 2
		jnz	short loc_4E771A
		jmp	loc_5CDCF6
; 

loc_4E775F:				; CODE XREF: KeInsertPriQueue+95j
		mov	edx, 3
		jmp	short loc_4E7729
KeInsertPriQueue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpPartitionGetQueue(x, x, x)
_ExpPartitionGetQueue@12 proc near	; CODE XREF: ExpTryQueueWorkItem+90p
					; ExpLegacyWorkerInitialization+58p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+4]
		movzx	edx, word ptr [edx+8Ah]
		mov	ecx, [eax+edx*4]
		mov	eax, [ebp+arg_0]
		mov	ecx, [ecx+eax*4]
		mov	al, cl
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx
		pop	ebp
		retn	4
_ExpPartitionGetQueue@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiWakePriQueueWaiter(x, x,	x, x)
@KiWakePriQueueWaiter@16 proc near	; CODE XREF: KiActivateWaiterPriQueue+48p
					; KeInsertPriQueue+7Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		lea	edi, [edx+8]
		mov	ebx, ecx
		mov	esi, [edi]

loc_4E77A1:				; CODE XREF: KiWakePriQueueWaiter(x,x,x,x)+40j
		mov	eax, [esi]
		mov	edx, esi
		mov	esi, eax
		cmp	[eax+4], edx
		jnz	short loc_4E77D6
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	short loc_4E77D6
		push	[ebp+arg_4]
		mov	[ecx], eax
		push	[ebp+arg_0]
		mov	[eax+4], ecx
		mov	ecx, ebx
		call	KiTryUnwaitThreadWithPriority
		test	al, al
		jz	short loc_4E77D0

loc_4E77C9:				; CODE XREF: KiWakePriQueueWaiter(x,x,x,x)+42j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_4E77D0:				; CODE XREF: KiWakePriQueueWaiter(x,x,x,x)+35j
		cmp	esi, edi
		jnz	short loc_4E77A1
		jmp	short loc_4E77C9
; 

loc_4E77D6:				; CODE XREF: KiWakePriQueueWaiter(x,x,x,x)+18j
					; KiWakePriQueueWaiter(x,x,x,x)+1Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
@KiWakePriQueueWaiter@16 endp


;  S U B	R O U T	I N E 


MmGetNextNode	proc near		; CODE XREF: ExpTryQueueWorkItem+DEp
					; KiSwapThread+D08p ...

; FUNCTION CHUNK AT 005CDD20 SIZE 0000000E BYTES

		inc	dword ptr [edx]
		mov	eax, [edx]
		movzx	edx, ds:_KeNumberNodes
		cmp	eax, edx
		jnz	loc_5CDD20
		or	eax, 0FFFFFFFFh
		retn
MmGetNextNode	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpPartitionCreateThreadIfNecessary(x, x, x)
_ExpPartitionCreateThreadIfNecessary@12	proc near ; CODE XREF: ExpTryQueueWorkItem+D0p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	ecx, [ebp+arg_0]
		mov	edx, [ecx+1B4h]
		call	_ExpNewThreadNecessary@8 ; ExpNewThreadNecessary(x,x)
		test	al, al
		jnz	short loc_4E7817

loc_4E7811:				; CODE XREF: ExpPartitionCreateThreadIfNecessary(x,x,x)+3Dj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4E7817:				; CODE XREF: ExpPartitionCreateThreadIfNecessary(x,x,x)+1Bj
		movzx	ecx, word ptr [esi+8Ah]
		mov	eax, [edi+8]
		push	0
		push	0
		mov	eax, [eax+ecx*4]
		add	eax, 8
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_4E7811
_ExpPartitionCreateThreadIfNecessary@12	endp

; 
		align 10h
; Exported entry 887. IoGetTopLevelIrp

;  S U B	R O U T	I N E 


; __stdcall IoGetTopLevelIrp()
		public _IoGetTopLevelIrp@0
_IoGetTopLevelIrp@0 proc near		; CODE XREF: MiCreateImageOrDataSection+13Bp
					; FsRtlCopyRead(x,x,x,x,x,x,x,x)+Cp ...
		mov	eax, large fs:124h
		mov	eax, [eax+2D4h]
		retn
_IoGetTopLevelIrp@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDetachProcessFromSession proc	near	; CODE XREF: MiTrimOrAgeWorkingSet+370p
					; MiDereferenceSessionFinal+11Fp

var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CDD2E SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		lea	edx, [ebp+var_10]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	esi, ecx
		stosd
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	esi, 1
		jnz	short loc_4E789A
		mov	ecx, dword_6D05D4
		mov	eax, [ecx+120h]
		mov	[ebp+var_4], eax
		shr	eax, 8
		and	al, 0FDh
		or	al, 4
		mov	byte ptr [ebp+var_4+1],	al
		mov	ax, word ptr [ebp+var_4]
		mov	[ecx+120h], ax

loc_4E789A:				; CODE XREF: MiDetachProcessFromSession+24j
		xor	eax, eax
		lea	esp, [esp+0]

loc_4E78A0:				; CODE XREF: MiDetachProcessFromSession+66j
		mov	cl, byte ptr dword_6D3D94[eax]
		cmp	cl, 1
		jz	short loc_4E7922
		cmp	cl, 0Bh
		jz	short loc_4E7922

loc_4E78B0:				; CODE XREF: MiDetachProcessFromSession+EDj
		inc	eax
		cmp	eax, 400h
		jb	short loc_4E78A0
		pop	edi
		cmp	esi, 1
		pop	esi
		jnz	short loc_4E78EA
		mov	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, ds:_KiTbFlushTimeStamp
		mov	dword_6D5D4C, eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[eax+180h], ecx

loc_4E78EA:				; CODE XREF: MiDetachProcessFromSession+6Dj
		test	ds:byte_70EFC6,	1
		jnz	loc_5CDD2E
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_4E7942
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	loc_5CDD3E

loc_4E7915:				; CODE XREF: MiDetachProcessFromSession+104j
					; MiDetachProcessFromSession+E64E9j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E7922:				; CODE XREF: MiDetachProcessFromSession+59j
					; MiDetachProcessFromSession+5Ej
		mov	ecx, ds:_ZeroPte
		mov	ds:0C0602000h[eax*8], ecx
		nop
		mov	ecx, ds:dword_40F9FC
		mov	ds:0C0602004h[eax*8], ecx
		jmp	loc_4E78B0
; 

loc_4E7942:				; CODE XREF: MiDetachProcessFromSession+ACj
					; MiDetachProcessFromSession+E64F6j
		mov	[ebp+var_10], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4E7915
MiDetachProcessFromSession endp

; 
		align 10h
; Exported entry 1793. PsGetPermanentSiloContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsGetPermanentSiloContext
PsGetPermanentSiloContext proc near	; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+7Dp
					; VrpHandleIoctlCreateNamespaceNode+149p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005A82FA SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_4E79A1
		mov	edx, ds:dword_717F7C

loc_4E7972:				; CODE XREF: PsGetPermanentSiloContext+47j
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_4]
		mov	dword ptr [ecx], 0
		cmp	eax, 20h
		jnb	loc_5A82FA

loc_4E7987:				; CODE XREF: PsGetPermanentSiloContext+C09B2j
		mov	eax, [edx+eax*8+4]
		test	eax, 0FFFFFFFEh
		jz	short loc_4E79A9
		test	al, 1
		jz	short loc_4E79B2
		and	eax, 0FFFFFFFEh
		mov	[ecx], eax
		xor	eax, eax

loc_4E799D:				; CODE XREF: PsGetPermanentSiloContext+57j
					; PsGetPermanentSiloContext+C09BCj
		pop	ebp
		retn	0Ch
; 

loc_4E79A1:				; CODE XREF: PsGetPermanentSiloContext+Aj
		mov	edx, [eax+308h]
		jmp	short loc_4E7972
; 

loc_4E79A9:				; CODE XREF: PsGetPermanentSiloContext+30j
					; PsGetPermanentSiloContext+C09ACj
		mov	eax, 0C0000225h
		pop	ebp
		retn	0Ch
; 

loc_4E79B2:				; CODE XREF: PsGetPermanentSiloContext+34j
		mov	eax, 0C00000BBh
		jmp	short loc_4E799D
PsGetPermanentSiloContext endp

; 
		align 10h
; Exported entry 580. FsRtlLookupBaseMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlLookupBaseMcbEntry(x, x, x, x,	x, x, x, x)
		public _FsRtlLookupBaseMcbEntry@32
_FsRtlLookupBaseMcbEntry@32 proc near	; CODE XREF: FsRtlLookupLargeMcbEntry(x,x,x,x,x,x,x,x)+37p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		push	edi
		mov	edi, [ecx+4]
		sub	edi, 1
		js	short loc_4E79FD

loc_4E79D8:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+3Bj
		lea	eax, [edi+ebx]
		cdq
		sub	eax, edx
		mov	edx, [ecx+0Ch]
		sar	eax, 1
		jz	short loc_4E79EB
		cmp	esi, [edx+eax*8-8]
		jb	short loc_4E7A60

loc_4E79EB:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+23j
		mov	ecx, [edx+eax*8]
		dec	ecx
		cmp	esi, ecx
		jbe	short loc_4E7A01
		lea	ebx, [eax+1]

loc_4E79F6:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+A3j
		mov	ecx, [ebp+arg_0]
		cmp	ebx, edi
		jle	short loc_4E79D8

loc_4E79FD:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+16j
		xor	al, al
		jmp	short loc_4E7A59
; 

loc_4E7A01:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+31j
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jz	short loc_4E7A27
		mov	ecx, [edx+eax*8+4]
		lea	edx, [edx+eax*8]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_4E7A6E
		test	eax, eax
		jnz	short loc_4E7A65
		xor	edx, edx

loc_4E7A1A:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+A8j
		sub	ecx, edx
		mov	dword ptr [edi+4], 0
		add	ecx, esi
		mov	[edi], ecx

loc_4E7A27:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+46j
					; FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+BBj
		mov	edx, [ebp+arg_10]
		mov	edi, [ebp+arg_0]
		test	edx, edx
		jz	short loc_4E7A42
		mov	ecx, [edi+0Ch]
		mov	ecx, [ecx+eax*8]
		sub	ecx, esi
		mov	dword ptr [edx+4], 0
		mov	[edx], ecx

loc_4E7A42:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+6Fj
		mov	edx, [ebp+arg_14]
		test	edx, edx
		jnz	short loc_4E7A7D

loc_4E7A49:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+D2j
					; FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+100j
		mov	edx, [ebp+arg_18]
		test	edx, edx
		jnz	short loc_4E7A94

loc_4E7A50:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+EBj
		mov	ecx, [ebp+arg_1C]
		test	ecx, ecx
		jnz	short loc_4E7A6A

loc_4E7A57:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+ACj
		mov	al, 1

loc_4E7A59:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	20h
; 

loc_4E7A60:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+29j
		lea	edi, [eax-1]
		jmp	short loc_4E79F6
; 

loc_4E7A65:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+56j
		mov	edx, [edx-8]
		jmp	short loc_4E7A1A
; 

loc_4E7A6A:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+95j
		mov	[ecx], eax
		jmp	short loc_4E7A57
; 

loc_4E7A6E:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+52j
		mov	dword ptr [edi], 0FFFFFFFFh
		mov	dword ptr [edi+4], 0FFFFFFFFh
		jmp	short loc_4E7A27
; 

loc_4E7A7D:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+87j
		mov	ecx, [edi+0Ch]
		mov	ecx, [ecx+eax*8+4]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_4E7AB3
		mov	[edx], ecx
		mov	dword ptr [edx+4], 0
		jmp	short loc_4E7A49
; 

loc_4E7A94:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+8Ej
		mov	ecx, [edi+0Ch]
		test	eax, eax
		jnz	short loc_4E7AAD
		xor	esi, esi

loc_4E7A9D:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+F1j
		mov	ecx, [ecx+eax*8]
		sub	ecx, esi
		mov	dword ptr [edx+4], 0
		mov	[edx], ecx
		jmp	short loc_4E7A50
; 

loc_4E7AAD:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+D9j
		mov	esi, [ecx+eax*8-8]
		jmp	short loc_4E7A9D
; 

loc_4E7AB3:				; CODE XREF: FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)+C7j
		mov	dword ptr [edx], 0FFFFFFFFh
		mov	dword ptr [edx+4], 0FFFFFFFFh
		jmp	short loc_4E7A49
_FsRtlLookupBaseMcbEntry@32 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiUnlockPageTableInternal(x, x)
_MiUnlockPageTableInternal@8 proc near	; CODE XREF: MiMakeHyperRangeAccessible+184p
					; MiComputePageCommitment(x,x,x,x,x,x)+2A0p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	eax, [edx+3FA00000h]
		sar	eax, 3
		add	eax, eax
		mov	esi, eax
		mov	cl, [edi+60h]
		and	esi, 1Fh
		and	cl, 7
		cmp	cl, 2
		jnb	short loc_4E7B27
		shr	eax, 5
		test	cl, cl
		jnz	short loc_4E7B67
		mov	ebx, [edi+0Ch]
		add	ebx, 0D90h

loc_4E7B02:				; CODE XREF: MiUnlockPageTableInternal(x,x)+9Dj
		lea	ebx, [ebx+eax*4]

loc_4E7B05:				; CODE XREF: MiUnlockPageTableInternal(x,x)+71j
					; MiUnlockPageTableInternal(x,x)+95j
		mov	edx, [ebx]
		mov	ecx, esi
		mov	edi, 2
		mov	eax, edx
		shl	edi, cl
		mov	ecx, edx
		not	edi
		btr	ecx, esi
		and	ecx, edi
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_4E7B80

loc_4E7B23:				; CODE XREF: MiUnlockPageTableInternal(x,x)+BFj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4E7B27:				; CODE XREF: MiUnlockPageTableInternal(x,x)+20j
		cmp	edx, 0C0603018h
		jz	short loc_4E7B4F
		cmp	edx, 0C0603010h
		jz	short loc_4E7B43

loc_4E7B37:				; CODE XREF: MiUnlockPageTableInternal(x,x)+7Dj
					; MiUnlockPageTableInternal(x,x)+A2j
		shr	eax, 5
		lea	ebx, unk_6D2C54[eax*4]
		jmp	short loc_4E7B05
; 

loc_4E7B43:				; CODE XREF: MiUnlockPageTableInternal(x,x)+65j
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_4E7B37

loc_4E7B4F:				; CODE XREF: MiUnlockPageTableInternal(x,x)+5Dj
		cmp	cl, 7
		jnz	short loc_4E7B6F
		mov	ebx, offset unk_6D2E58

loc_4E7B59:				; CODE XREF: MiUnlockPageTableInternal(x,x)+A9j
		mov	esi, 0C0603018h
		sub	esi, edx
		sar	esi, 3
		add	esi, esi
		jmp	short loc_4E7B05
; 

loc_4E7B67:				; CODE XREF: MiUnlockPageTableInternal(x,x)+27j
		lea	ebx, [edi+120h]
		jmp	short loc_4E7B02
; 

loc_4E7B6F:				; CODE XREF: MiUnlockPageTableInternal(x,x)+82j
		cmp	cl, 5
		jnz	short loc_4E7B37
		mov	ebx, offset unk_6D2E54
		jmp	short loc_4E7B59
; 
		jmp	short loc_4E7B80
; 
		align 10h

loc_4E7B80:				; CODE XREF: MiUnlockPageTableInternal(x,x)+51j
					; MiUnlockPageTableInternal(x,x)+ABj ...
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, esi
		and	ecx, edi
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jz	short loc_4E7B23
		jmp	short loc_4E7B80
_MiUnlockPageTableInternal@8 endp

; 
		align 10h
; Exported entry  32. ExAcquireRundownProtection

;  S U B	R O U T	I N E 


; __fastcall ExfAcquireRundownProtection(x)
		public @ExfAcquireRundownProtection@4
@ExfAcquireRundownProtection@4 proc near
					; CODE XREF: ExAcquireRundownProtectionCacheAware(x)+2Cj
					; ExAcquireRundownProtection(x):loc_5219B9j
		mov	edx, [ecx]
		push	esi
		test	dl, 1
		jnz	short loc_4E7BB9

loc_4E7BA8:				; CODE XREF: ExfAcquireRundownProtection(x)+21j
		lea	esi, [edx+2]
		mov	eax, edx
		lock cmpxchg [ecx], esi
		cmp	eax, edx
		jnz	short loc_4E7BBD
		mov	al, 1
		pop	esi
		retn
; 

loc_4E7BB9:				; CODE XREF: ExfAcquireRundownProtection(x)+6j
					; ExfAcquireRundownProtection(x)+23j
		xor	al, al
		pop	esi
		retn
; 

loc_4E7BBD:				; CODE XREF: ExfAcquireRundownProtection(x)+13j
		mov	edx, eax
		test	al, 1
		jz	short loc_4E7BA8
		jmp	short loc_4E7BB9
@ExfAcquireRundownProtection@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ExAdjustLookasideDepth()
_ExAdjustLookasideDepth@0 proc near	; CODE XREF: KeBalanceSetManager:loc_56DFF6p
		mov	eax, _ExpScanCount
		sub	eax, 0
		jz	short loc_4E7BE1
		sub	eax, 1
		jz	short loc_4E7C09
		sub	eax, 1
		jnz	short loc_4E7BF0
		call	_ExpScanSystemLookasideList@0 ;	ExpScanSystemLookasideList()
		jmp	short loc_4E7BF0
; 

loc_4E7BE1:				; CODE XREF: ExAdjustLookasideDepth()+8j
		mov	edx, offset _ExNPagedLookasideLock
		mov	ecx, offset _ExNPagedLookasideListHead

loc_4E7BEB:				; CODE XREF: ExAdjustLookasideDepth()+4Dj
		call	ExpScanGeneralLookasideList

loc_4E7BF0:				; CODE XREF: ExAdjustLookasideDepth()+12j
					; ExAdjustLookasideDepth()+19j
		mov	eax, _ExpScanCount
		inc	eax
		mov	_ExpScanCount, eax
		cmp	eax, 3
		jz	short loc_4E7C01
		retn
; 

loc_4E7C01:				; CODE XREF: ExAdjustLookasideDepth()+38j
		and	_ExpScanCount, 0
		retn
; 

loc_4E7C09:				; CODE XREF: ExAdjustLookasideDepth()+Dj
		mov	edx, offset _ExPagedLookasideLock
		mov	ecx, offset _ExPagedLookasideListHead
		jmp	short loc_4E7BEB
_ExAdjustLookasideDepth@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpScanGeneralLookasideList proc near	; CODE XREF: ExAdjustLookasideDepth():loc_4E7BEBp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005CDD4B SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	[ebp+var_C], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	short loc_4E7C9A
		mov	edi, 0FFFFh
		lea	ecx, [ecx+0]

loc_4E7C50:				; CODE XREF: ExpScanGeneralLookasideList+75j
		mov	eax, [esi-20h]
		mov	edx, eax
		sub	edx, [esi+0Ch]
		mov	[esi+0Ch], eax
		mov	eax, [esi-24h]
		mov	ecx, eax
		sub	ecx, [esi+8]
		mov	[esi+8], eax
		movzx	eax, word ptr [esi-26h]
		cmp	ax, di
		jz	short loc_4E7C91
		movzx	edi, word ptr [esi-28h]
		mov	[ebp+var_8], eax
		cmp	ecx, 4Bh
		jnb	short loc_4E7CBC
		sub	edi, 0Ah
		cmp	edi, 4
		jge	short loc_4E7C88
		mov	edi, 4

loc_4E7C88:				; CODE XREF: ExpScanGeneralLookasideList+61j
					; ExpScanGeneralLookasideList+B1j ...
		mov	[esi-28h], di
		mov	edi, 0FFFFh

loc_4E7C91:				; CODE XREF: ExpScanGeneralLookasideList+4Dj
		mov	esi, [esi]
		cmp	esi, ebx
		jnz	short loc_4E7C50
		mov	edi, [ebp+var_C]

loc_4E7C9A:				; CODE XREF: ExpScanGeneralLookasideList+26j
		test	ds:byte_70EFC6,	1
		jnz	loc_5CDD4B
		xor	eax, eax
		lock and [edi],	eax

loc_4E7CAC:				; CODE XREF: ExpScanGeneralLookasideList+E6135j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E7CBC:				; CODE XREF: ExpScanGeneralLookasideList+59j
		imul	eax, edx, 3E8h
		xor	edx, edx
		div	ecx
		mov	edx, eax
		cmp	edx, 5
		jnb	short loc_4E7CDA
		dec	edi
		cmp	edi, 4
		jge	short loc_4E7C88
		mov	edi, 4
		jmp	short loc_4E7C88
; 

loc_4E7CDA:				; CODE XREF: ExpScanGeneralLookasideList+ABj
		mov	eax, [ebp+var_8]
		movzx	eax, ax
		mov	ecx, eax
		mov	[ebp+var_8], eax
		sub	ecx, edi
		mov	eax, 10624DD3h
		imul	ecx, edx
		mul	ecx
		shr	edx, 7
		add	edx, 5
		cmp	edx, 1Eh
		ja	short loc_4E7D0C

loc_4E7CFC:				; CODE XREF: ExpScanGeneralLookasideList+F1j
		mov	eax, [ebp+var_8]
		add	edi, edx
		cmp	edi, eax
		jle	short loc_4E7C88
		mov	edi, eax
		jmp	loc_4E7C88
; 

loc_4E7D0C:				; CODE XREF: ExpScanGeneralLookasideList+DAj
		mov	edx, 1Eh
		jmp	short loc_4E7CFC
ExpScanGeneralLookasideList endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpScanSystemLookasideList()
_ExpScanSystemLookasideList@0 proc near	; CODE XREF: ExAdjustLookasideDepth()+14p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		imul	ebx, ds:_KeNumberProcessors, 3
		mov	eax, _ExpPoolScanCount
		push	esi
		push	edi
		push	9
		pop	edi
		cmp	eax, ds:_KeNumberProcessors
		jz	loc_4E7E13
		mov	eax, _ExpPoolScanCount
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	[ebp+var_4], eax
		lea	esi, [eax+5A0h]

loc_4E7D4D:				; CODE XREF: ExpScanSystemLookasideList()+56j
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_4E7D64
		mov	eax, [ecx+10h]
		mov	edx, eax
		sub	edx, [ecx+3Ch]
		push	ebx
		mov	[ecx+3Ch], eax
		call	_ExpComputeLookasideDepth@12 ; ExpComputeLookasideDepth(x,x,x)

loc_4E7D64:				; CODE XREF: ExpScanSystemLookasideList()+3Dj
		add	esi, 8
		sub	edi, 1
		jnz	short loc_4E7D4D
		mov	esi, [ebp+var_4]
		push	20h
		add	esi, 65Ch
		pop	edi

loc_4E7D78:				; CODE XREF: ExpScanSystemLookasideList()+E0j
		mov	eax, [esi-2Ch]
		mov	ecx, eax
		sub	ecx, [esi]
		mov	edx, [esi-30h]
		sub	edx, [esi-4]
		sub	edx, ecx
		mov	[esi], eax
		push	ebx
		lea	ecx, [esi-3Ch]
		call	_ExpComputeLookasideDepth@12 ; ExpComputeLookasideDepth(x,x,x)
		mov	eax, [esi+8D4h]
		mov	ecx, eax
		sub	ecx, [esi+900h]
		mov	edx, [esi+8D0h]
		sub	edx, [esi+8FCh]
		sub	edx, ecx
		mov	[esi+900h], eax
		push	ebx
		lea	ecx, [esi+8C4h]
		call	_ExpComputeLookasideDepth@12 ; ExpComputeLookasideDepth(x,x,x)
		mov	eax, [esi+11D4h]
		mov	ecx, eax
		sub	ecx, [esi+1200h]
		mov	edx, [esi+11D0h]
		sub	edx, [esi+11FCh]
		sub	edx, ecx
		mov	[esi+1200h], eax
		push	ebx
		lea	ecx, [esi+11C4h]
		call	_ExpComputeLookasideDepth@12 ; ExpComputeLookasideDepth(x,x,x)
		lea	esi, [esi+48h]
		sub	edi, 1
		jnz	short loc_4E7D78

loc_4E7DF6:				; CODE XREF: ExpScanSystemLookasideList()+12Aj
		call	_ExHeapLookasideRebalance@0 ; ExHeapLookasideRebalance()
		mov	eax, _ExpPoolScanCount
		pop	edi
		inc	eax
		pop	esi
		mov	_ExpPoolScanCount, eax
		pop	ebx
		cmp	eax, ds:_KeNumberProcessors
		ja	short loc_4E7E40
		leave
		retn
; 

loc_4E7E13:				; CODE XREF: ExpScanSystemLookasideList()+1Ej
		mov	eax, large fs:20h
		lea	esi, [eax+5A4h]

loc_4E7E1F:				; CODE XREF: ExpScanSystemLookasideList()+128j
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_4E7E36
		mov	eax, [ecx+10h]
		mov	edx, eax
		sub	edx, [ecx+3Ch]
		push	ebx
		mov	[ecx+3Ch], eax
		call	_ExpComputeLookasideDepth@12 ; ExpComputeLookasideDepth(x,x,x)

loc_4E7E36:				; CODE XREF: ExpScanSystemLookasideList()+10Fj
		add	esi, 8
		sub	edi, 1
		jnz	short loc_4E7E1F
		jmp	short loc_4E7DF6
; 

loc_4E7E40:				; CODE XREF: ExpScanSystemLookasideList()+FBj
		and	_ExpPoolScanCount, 0
		leave
		retn
_ExpScanSystemLookasideList@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpComputeLookasideDepth(x,	x, x)
_ExpComputeLookasideDepth@12 proc near	; CODE XREF: ExpScanSystemLookasideList()+4Bp
					; ExpScanSystemLookasideList()+79p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	ecx, 0FFFFh
		push	edi
		mov	eax, [esi+0Ch]
		mov	edi, eax
		sub	edi, [esi+38h]
		mov	[esi+38h], eax
		movzx	eax, word ptr [esi+0Ah]
		cmp	ax, cx
		jz	short loc_4E7E8B
		movzx	ecx, word ptr [esi+8]
		push	ebx
		mov	ebx, eax
		imul	eax, [ebp+arg_0], 19h
		cmp	edi, eax
		jnb	short loc_4E7E91
		sub	ecx, 0Ah

loc_4E7E7E:				; CODE XREF: ExpComputeLookasideDepth(x,x,x)+59j
		cmp	ecx, 4
		jge	short loc_4E7E86
		push	4
		pop	ecx

loc_4E7E86:				; CODE XREF: ExpComputeLookasideDepth(x,x,x)+37j
					; ExpComputeLookasideDepth(x,x,x)+79j ...
		mov	[esi+8], cx
		pop	ebx

loc_4E7E8B:				; CODE XREF: ExpComputeLookasideDepth(x,x,x)+20j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4E7E91:				; CODE XREF: ExpComputeLookasideDepth(x,x,x)+2Fj
		imul	eax, edx, 3E8h
		xor	edx, edx
		div	edi
		mov	edx, eax
		cmp	edx, 5
		jnb	short loc_4E7EA5
		dec	ecx
		jmp	short loc_4E7E7E
; 

loc_4E7EA5:				; CODE XREF: ExpComputeLookasideDepth(x,x,x)+56j
		mov	edi, ebx
		mov	ebx, 7D0h
		mov	eax, edi
		sub	eax, ecx
		imul	eax, edx
		xor	edx, edx
		div	ebx
		add	eax, 5
		cmp	eax, 1Eh
		ja	short loc_4E7EC9

loc_4E7EBF:				; CODE XREF: ExpComputeLookasideDepth(x,x,x)+82j
		add	ecx, eax
		cmp	ecx, edi
		jle	short loc_4E7E86
		mov	ecx, edi
		jmp	short loc_4E7E86
; 

loc_4E7EC9:				; CODE XREF: ExpComputeLookasideDepth(x,x,x)+73j
		push	1Eh
		pop	eax
		jmp	short loc_4E7EBF
_ExpComputeLookasideDepth@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExHeapLookasideRebalance()
_ExHeapLookasideRebalance@0 proc near	; CODE XREF: ExpScanSystemLookasideList():loc_4E7DF6p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], esi
		cmp	dword_6D8E70, esi
		jbe	short loc_4E7F17
		push	ebx
		push	edi
		mov	edi, offset unk_6D8EC0

loc_4E7EE9:				; CODE XREF: ExHeapLookasideRebalance()+45j
		push	2
		mov	ebx, edi
		pop	esi

loc_4E7EEE:				; CODE XREF: ExHeapLookasideRebalance()+30j
		mov	ecx, ebx
		call	RtlpDynamicLookasideRebalance
		add	ebx, 1040h
		sub	esi, 1
		jnz	short loc_4E7EEE
		mov	esi, [ebp+var_4]
		add	edi, 20C0h
		inc	esi
		mov	[ebp+var_4], esi
		cmp	esi, dword_6D8E70
		jb	short loc_4E7EE9
		pop	edi
		pop	ebx

loc_4E7F17:				; CODE XREF: ExHeapLookasideRebalance()+12j
		pop	esi
		leave
		retn
_ExHeapLookasideRebalance@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpDynamicLookasideRebalance proc near	; CODE XREF: ExHeapLookasideRebalance()+22p

var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CDD5A SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 210h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	eax, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_20C], eax
		mov	ebx, [eax+8]
		test	ebx, ebx
		jz	short loc_4E7FBD
		mov	ecx, [eax]
		lea	esi, [eax+4Ch]
		mov	[ebp+var_208], ecx
		mov	ecx, [eax+4]
		mov	[ebp+var_210], ecx
		lea	ecx, [ecx+0]

loc_4E7F60:				; CODE XREF: RtlpDynamicLookasideRebalance+9Bj
		mov	eax, 1
		xor	edx, edx
		mov	ecx, edi
		call	__allshl
		and	edx, [ebp+var_210]
		and	eax, [ebp+var_208]
		jnz	loc_4E808C
		test	edx, edx
		jnz	loc_4E808C

loc_4E7F88:				; CODE XREF: RtlpDynamicLookasideRebalance+171j
		mov	ecx, [esi]
		sub	ecx, [esi+10h]
		add	ecx, edx
		cmp	ecx, edx
		jb	loc_5CDD5A

loc_4E7F97:				; CODE XREF: RtlpDynamicLookasideRebalance+E5E3Dj
		mov	eax, [esi+8]
		sub	eax, [esi+18h]
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_5CDD62

loc_4E7FA7:				; CODE XREF: RtlpDynamicLookasideRebalance+E5E45j
		mov	[ebp+edi*8+var_204], edi
		add	esi, 40h
		mov	[ebp+edi*8+var_200], eax
		inc	edi
		cmp	edi, ebx
		jb	short loc_4E7F60

loc_4E7FBD:				; CODE XREF: RtlpDynamicLookasideRebalance+27j
		push	offset _RtlpDynamicLookasideBucketCompare ; int	__cdecl	(*)(const void *,const void *)
		push	8		; size_t
		lea	eax, [ebp+var_204]
		push	ebx		; size_t
		push	eax		; void *
		call	_qsort
		mov	ecx, [ebp+var_20C]
		xor	edi, edi
		add	esp, 10h
		mov	[ebp+var_208], edi
		xor	ebx, ebx
		xor	esi, esi
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_210], eax
		test	eax, eax
		jz	short loc_4E800E

loc_4E7FF3:				; CODE XREF: RtlpDynamicLookasideRebalance+E0j
		cmp	[ebp+esi*8+var_200], 19h
		jnb	short loc_4E8066

loc_4E7FFD:				; CODE XREF: RtlpDynamicLookasideRebalance+163j
		inc	esi
		cmp	esi, eax
		jb	short loc_4E7FF3
		mov	ecx, [ebp+var_20C]
		mov	[ebp+var_208], edi

loc_4E800E:				; CODE XREF: RtlpDynamicLookasideRebalance+D1j
		xor	esi, esi
		mov	[ecx], ebx
		mov	[ecx+4], edi
		cmp	[ecx+8], esi
		jbe	short loc_4E8055
		lea	edi, [ecx+40h]
		lea	ecx, [ecx+0]

loc_4E8020:				; CODE XREF: RtlpDynamicLookasideRebalance+133j
		mov	eax, 1
		xor	edx, edx
		mov	ecx, esi
		call	__allshl
		and	edx, [ebp+var_208]
		and	eax, ebx
		jnz	short loc_4E8088
		test	edx, edx
		jnz	short loc_4E8088
		lea	edx, [eax+1]

loc_4E803F:				; CODE XREF: RtlpDynamicLookasideRebalance+16Aj
		mov	ecx, edi
		call	RtlpLookasideAdjustDepth
		mov	eax, [ebp+var_20C]
		inc	esi
		add	edi, 40h
		cmp	esi, [eax+8]
		jb	short loc_4E8020

loc_4E8055:				; CODE XREF: RtlpDynamicLookasideRebalance+F8j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E8066:				; CODE XREF: RtlpDynamicLookasideRebalance+DBj
		mov	ecx, [ebp+esi*8+var_204]
		mov	eax, 1
		xor	edx, edx
		call	__allshl
		or	ebx, eax
		mov	eax, [ebp+var_210]
		or	edi, edx
		jmp	loc_4E7FFD
; 

loc_4E8088:				; CODE XREF: RtlpDynamicLookasideRebalance+116j
					; RtlpDynamicLookasideRebalance+11Aj
		xor	edx, edx
		jmp	short loc_4E803F
; 

loc_4E808C:				; CODE XREF: RtlpDynamicLookasideRebalance+5Aj
					; RtlpDynamicLookasideRebalance+62j
		mov	edx, 1
		jmp	loc_4E7F88
RtlpDynamicLookasideRebalance endp


;  S U B	R O U T	I N E 


RtlpLookasideAdjustDepth proc near	; CODE XREF: RtlpDynamicLookasideRebalance+121p

; FUNCTION CHUNK AT 005CDD6A SIZE 00000007 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, [edi+0Ch]
		mov	esi, eax
		sub	esi, [edi+1Ch]
		mov	[edi+1Ch], eax
		mov	eax, [edi+10h]
		mov	ecx, eax
		sub	ecx, [edi+20h]
		mov	[edi+20h], eax
		mov	eax, [edi+14h]
		mov	[edi+24h], eax
		test	edx, edx
		jz	short loc_4E80C5
		xor	ecx, ecx

loc_4E80BE:				; CODE XREF: RtlpLookasideAdjustDepth+61j
		mov	[edi+8], cx
		pop	edi
		pop	esi
		retn
; 

loc_4E80C5:				; CODE XREF: RtlpLookasideAdjustDepth+24j
		cmp	ecx, esi
		ja	loc_5CDD6A

loc_4E80CD:				; CODE XREF: RtlpLookasideAdjustDepth+E5CD6j
		test	esi, esi
		jz	short loc_4E8128

loc_4E80D1:				; CODE XREF: RtlpLookasideAdjustDepth+95j
		imul	eax, ecx, 3E8h
		xor	edx, edx
		movzx	ecx, word ptr [edi+8]
		push	ebx
		movzx	ebx, word ptr [edi+0Ah]
		div	esi
		mov	edx, eax
		cmp	esi, 19h
		jb	short loc_4E8123
		cmp	edx, 5
		jnb	short loc_4E80FE
		dec	ecx

loc_4E80F1:				; CODE XREF: RtlpLookasideAdjustDepth+90j
		cmp	ecx, 4
		jle	short loc_4E80F9

loc_4E80F6:				; CODE XREF: RtlpLookasideAdjustDepth+66j
					; RtlpLookasideAdjustDepth+87j	...
		pop	ebx
		jmp	short loc_4E80BE
; 

loc_4E80F9:				; CODE XREF: RtlpLookasideAdjustDepth+5Ej
		push	4
		pop	ecx
		jmp	short loc_4E80F6
; 

loc_4E80FE:				; CODE XREF: RtlpLookasideAdjustDepth+58j
		mov	eax, ebx
		mov	esi, 7D0h
		sub	eax, ecx
		imul	eax, edx
		xor	edx, edx
		div	esi
		add	eax, 5
		cmp	eax, 1Eh
		jb	short loc_4E8119
		push	1Eh
		pop	eax

loc_4E8119:				; CODE XREF: RtlpLookasideAdjustDepth+7Ej
		add	ecx, eax
		cmp	ecx, ebx
		jl	short loc_4E80F6
		mov	ecx, ebx
		jmp	short loc_4E80F6
; 

loc_4E8123:				; CODE XREF: RtlpLookasideAdjustDepth+53j
		sub	ecx, 0Ah
		jmp	short loc_4E80F1
; 

loc_4E8128:				; CODE XREF: RtlpLookasideAdjustDepth+39j
		xor	esi, esi
		inc	esi
		jmp	short loc_4E80D1
RtlpLookasideAdjustDepth endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 351. ExEnterPriorityRegionAndAcquireResourceShared

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExEnterPriorityRegionAndAcquireResourceShared
ExEnterPriorityRegionAndAcquireResourceShared proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CDD71 SIZE 0000007B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, large fs:124h
		xor	dl, dl
		push	edi
		push	0
		push	0
		mov	ecx, esi
		call	PsBoostThreadIoEx
		dec	word ptr [esi+13Ch]
		nop
		mov	edi, [ebp+arg_0]
		movzx	edx, word ptr [edi+0Eh]
		mov	ecx, edx
		mov	eax, edx
		and	ecx, 1
		jnz	loc_5CDD71

loc_4E8177:				; CODE XREF: ExEnterPriorityRegionAndAcquireResourceShared+E5C34j
		test	cx, cx
		jnz	short loc_4E8195

loc_4E817C:				; CODE XREF: ExEnterPriorityRegionAndAcquireResourceShared+E5CA7j
		mov	dl, 1
		mov	ecx, edi
		test	al, dl
		jnz	short loc_4E81B1
		call	ExpAcquireResourceSharedLite

loc_4E8189:				; CODE XREF: ExEnterPriorityRegionAndAcquireResourceShared+76j
		mov	eax, [esi+124h]
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4E8195:				; CODE XREF: ExEnterPriorityRegionAndAcquireResourceShared+3Aj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	cl, al
		mov	eax, large fs:124h
		cmp	cl, 1
		ja	loc_5CDD8B
		jmp	loc_5CDD9F
; 

loc_4E81B1:				; CODE XREF: ExEnterPriorityRegionAndAcquireResourceShared+42j
		call	_ExpFastResourceLegacyAcquireShared@8 ;	ExpFastResourceLegacyAcquireShared(x,x)
		jmp	short loc_4E8189
ExEnterPriorityRegionAndAcquireResourceShared endp

; 
		align 10h
; Exported entry  66. ExReleaseRundownProtection

;  S U B	R O U T	I N E 


; __fastcall ExfReleaseRundownProtection(x)
		public @ExfReleaseRundownProtection@4
@ExfReleaseRundownProtection@4 proc near ; CODE	XREF: ExReleaseRundownProtection(x)+14j
		mov	edx, [ecx]
		push	esi
		test	dl, 1
		jnz	short loc_4E81D7

loc_4E81C8:				; CODE XREF: ExfReleaseRundownProtection(x)+40j
		lea	esi, [edx-2]
		mov	eax, edx
		lock cmpxchg [ecx], esi
		cmp	eax, edx
		jnz	short loc_4E81FC

loc_4E81D5:				; CODE XREF: ExfReleaseRundownProtection(x)+21j
					; ExfReleaseRundownProtection(x)+2Bj
		pop	esi
		retn
; 

loc_4E81D7:				; CODE XREF: ExfReleaseRundownProtection(x)+6j
					; ExfReleaseRundownProtection(x)+42j
		and	edx, 0FFFFFFFEh
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		jnz	short loc_4E81D5
		lea	eax, [edx+14h]
		lock btr dword ptr [eax], 0
		jb	short loc_4E81D5
		push	0
		push	0
		add	edx, 4
		push	edx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	esi
		retn
; 

loc_4E81FC:				; CODE XREF: ExfReleaseRundownProtection(x)+13j
		mov	edx, eax
		test	al, 1
		jz	short loc_4E81C8
		jmp	short loc_4E81D7
@ExfReleaseRundownProtection@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepPrivilegesToBitmask(x, x, x, x, x)
_SepPrivilegesToBitmask@20 proc	near	; CODE XREF: SepTokenFromAccessInformation(x,x)+4Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	edi
		mov	edi, edx
		mov	dword ptr [ebx], 0
		mov	dword ptr [ebx+4], 0
		mov	dword ptr [eax], 0
		mov	dword ptr [eax+4], 0
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 0
		mov	dword ptr [eax+4], 0
		test	edi, edi
		jz	short loc_4E8294
		push	esi
		lea	esi, [ecx+8]

loc_4E8251:				; CODE XREF: SepPrivilegesToBitmask(x,x,x,x,x)+81j
		mov	ecx, [esi-8]
		lea	eax, [ecx-2]
		cmp	eax, 22h
		ja	short loc_4E828B
		mov	eax, 1
		xor	edx, edx
		call	__allshl
		or	[ebx+4], edx
		mov	ecx, eax
		or	[ebx], ecx
		mov	eax, [esi]
		test	al, 2
		jz	short loc_4E827F
		mov	eax, [ebp+arg_4]
		or	[eax], ecx
		or	[eax+4], edx
		mov	eax, [esi]

loc_4E827F:				; CODE XREF: SepPrivilegesToBitmask(x,x,x,x,x)+63j
		test	al, 1
		jz	short loc_4E828B
		mov	eax, [ebp+arg_8]
		or	[eax], ecx
		or	[eax+4], edx

loc_4E828B:				; CODE XREF: SepPrivilegesToBitmask(x,x,x,x,x)+4Aj
					; SepPrivilegesToBitmask(x,x,x,x,x)+71j
		add	esi, 0Ch
		sub	edi, 1
		jnz	short loc_4E8251
		pop	esi

loc_4E8294:				; CODE XREF: SepPrivilegesToBitmask(x,x,x,x,x)+3Bj
		pop	edi
		pop	ebx
		pop	ebp
		retn	0Ch
_SepPrivilegesToBitmask@20 endp

; 
		align 10h
; Exported entry 1835. PsGetThreadWin32Thread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetThreadWin32Thread(x)
		public _PsGetThreadWin32Thread@4
_PsGetThreadWin32Thread@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+124h]
		pop	ebp
		retn	4
_PsGetThreadWin32Thread@4 endp

; 
		align 8
; Exported entry 1281. KeSaveFloatingPointState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSaveFloatingPointState(x)
		public _KeSaveFloatingPointState@4
_KeSaveFloatingPointState@4 proc near	; CODE XREF: VerifierKeSaveFloatingPointState(x)+6j
					; DATA XREF: PAGEVRFD:_pXdvKeSaveFloatingPointStateo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		push	0
		push	3
		call	KeSaveExtendedProcessorState
		pop	ebp
		retn	4
_KeSaveFloatingPointState@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1280. KeSaveExtendedProcessorState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeSaveExtendedProcessorState
KeSaveExtendedProcessorState proc near	; CODE XREF: KeSaveFloatingPointState(x)+Cp

var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CDDEC SIZE 0000007D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ds:dword_70E754
		mov	edx, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, 400000h
		mov	[ebp+var_4], eax
		push	edi
		mov	edi, ds:_KeFeatureBits
		mov	eax, edi
		and	eax, ebx
		or	eax, 0
		jz	short loc_4E832A
		mov	ecx, ds:0FFDF03D8h
		mov	eax, ds:0FFDF03DCh
		not	ecx
		not	eax
		and	ecx, edx
		and	eax, esi
		or	ecx, eax

loc_4E8313:				; CODE XREF: KeSaveExtendedProcessorState+5Fj
		push	esi
		push	edx
		jnz	loc_5CDDEC
		mov	ecx, [ebp+arg_8]
		call	KeSaveExtendedAndSupervisorState
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4E832A:				; CODE XREF: KeSaveExtendedProcessorState+2Aj
		mov	eax, edx
		and	eax, 0FFFFFFFCh
		or	eax, esi
		jmp	short loc_4E8313
KeSaveExtendedProcessorState endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSaveExtendedAndSupervisorState proc near ; CODE XREF:	KeSaveExtendedProcessorState+4Cp
					; PopHandleNextState(x,x)+9Ap ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CDE69 SIZE 000000AD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	[ebp+var_8], esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edi, large fs:124h
		mov	bl, al
		cmp	bl, 2
		ja	loc_5CDDFC
		mov	eax, ds:_KeFeatureBits
		mov	[ebp+var_14], eax
		and	eax, 400000h
		or	eax, 0
		jz	loc_5CDE55
		cmp	bl, 2
		jz	loc_4E8504

loc_4E8387:				; CODE XREF: KeSaveExtendedAndSupervisorState+1CBj
		mov	ecx, ds:0FFDF03D8h
		mov	eax, ds:0FFDF03DCh
		not	ecx
		mov	edx, [ebp+arg_0]
		not	eax
		and	eax, [ebp+arg_4]
		and	ecx, edx
		or	ecx, eax
		jnz	loc_5CDE3B

loc_4E83A6:				; CODE XREF: KeSaveExtendedProcessorState+E5B92j
		test	bl, bl
		jnz	loc_4E8516
		test	byte ptr [edi+84h], 1
		jnz	loc_4E8516
		xor	bh, bh

loc_4E83BD:				; CODE XREF: KeSaveExtendedAndSupervisorState+1DAj
		mov	ecx, ds:0FFDF03D8h
		mov	eax, ds:0FFDF03DCh
		or	ecx, 3
		or	edx, ecx
		mov	ecx, [ebp+arg_4]
		or	ecx, eax
		mov	[ebp+var_C], edx
		mov	eax, [edi+10Ch]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], eax
		test	eax, eax
		jnz	loc_4E84F1

loc_4E83E9:				; CODE XREF: KeSaveExtendedAndSupervisorState+1B9j
		mov	eax, edx
		or	eax, ecx
		jz	loc_5CDE80
		cmp	bl, 2
		jnb	loc_4E851F

loc_4E83FC:				; CODE XREF: KeSaveExtendedAndSupervisorState+E5B66j
					; KeSaveExtendedAndSupervisorState+E5B72j
		mov	eax, ds:0FFDF03E8h

loc_4E8401:				; CODE XREF: KeSaveExtendedAndSupervisorState+E5B7Dj
		mov	[ebp+arg_4], eax
		cmp	eax, 240h
		jb	loc_5CDEC2

loc_4E840F:				; CODE XREF: KeSaveExtendedAndSupervisorState+E5B8Aj
		push	76615358h
		add	eax, 3Fh
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+18h], eax
		test	eax, eax
		jz	loc_5CDF0C
		mov	ecx, [ebp+arg_4]
		add	eax, 3Fh
		and	eax, 0FFFFFFC0h
		mov	[esi+8], ecx
		push	40h		; size_t
		mov	[esi+10h], eax
		add	eax, 200h
		push	0		; int
		push	eax		; void *
		call	_memset

loc_4E844B:				; CODE XREF: KeSaveExtendedAndSupervisorState+223j
		mov	ecx, [ebp+var_10]
		add	esp, 0Ch
		mov	edx, [ebp+var_C]

loc_4E8454:				; CODE XREF: KeSaveExtendedAndSupervisorState+E5B55j
		mov	[esi+14h], edi
		mov	[esi+1Ch], bh
		mov	[esi], edx
		mov	[esi+4], ecx
		cmp	bl, 1
		jnb	short loc_4E846C
		dec	word ptr [edi+13Eh]
		nop

loc_4E846C:				; CODE XREF: KeSaveExtendedAndSupervisorState+122j
		mov	eax, [edi+10Ch]
		mov	[esi+0Ch], eax
		mov	eax, edx
		or	eax, ecx
		jz	short loc_4E84BA
		mov	eax, ds:_KeFeatureBits
		and	eax, 400000h
		or	eax, 0
		jz	loc_5CDEFF
		cmp	bl, 2
		jz	loc_4E8568

loc_4E8497:				; CODE XREF: KeSaveExtendedAndSupervisorState+22Fj
		push	ecx
		mov	ecx, [esi+10h]
		push	edx
		call	RtlXSave

loc_4E84A1:				; CODE XREF: KeSaveExtendedAndSupervisorState+E5BBAj
					; KeSaveExtendedAndSupervisorState+E5BC7j
		mov	[ebp+arg_4], 27Fh
		cli
		fninit
		fldcw	word ptr [ebp+arg_4]
		mov	[ebp+arg_4], 1F80h
		ldmxcsr	[ebp+arg_4]
		sti

loc_4E84BA:				; CODE XREF: KeSaveExtendedAndSupervisorState+139j
		mov	[edi+10Ch], esi
		cmp	bl, 1
		jnb	short loc_4E84E6
		nop
		movsx	eax, word ptr [edi+13Eh]
		inc	eax
		mov	[edi+13Eh], ax
		test	ax, ax
		jnz	short loc_4E84E6
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jnz	loc_4E857A

loc_4E84E6:				; CODE XREF: KeSaveExtendedAndSupervisorState+183j
					; KeSaveExtendedAndSupervisorState+198j ...
		xor	eax, eax

loc_4E84E8:				; CODE XREF: KeSaveExtendedAndSupervisorState+E5BD1j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4E84F1:				; CODE XREF: KeSaveExtendedAndSupervisorState+A3j
		mov	al, [eax+1Ch]
		mov	byte ptr [ebp+arg_4+3],	al
		cmp	al, bh
		jbe	loc_4E83E9
		jmp	loc_5CDE69
; 

loc_4E8504:				; CODE XREF: KeSaveExtendedAndSupervisorState+41j
		test	byte ptr ds:0FFDF03ECh,	2
		jz	loc_4E8387
		jmp	loc_5CDE10
; 

loc_4E8516:				; CODE XREF: KeSaveExtendedAndSupervisorState+68j
					; KeSaveExtendedAndSupervisorState+75j	...
		mov	bh, bl
		inc	bh
		jmp	loc_4E83BD
; 

loc_4E851F:				; CODE XREF: KeSaveExtendedAndSupervisorState+B6j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_5CDE9A

loc_4E852A:				; CODE XREF: KeSaveExtendedAndSupervisorState+E5B5Dj
		mov	esi, large fs:20h
		push	40h		; size_t
		push	0		; int
		mov	eax, [esi+4170h]
		add	eax, 200h
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_8]
		mov	eax, ds:_KeXStateLength
		mov	[ecx+8], eax
		mov	dword ptr [ecx+18h], 0
		mov	eax, [esi+4170h]
		mov	esi, ecx
		mov	[esi+10h], eax
		jmp	loc_4E844B
; 

loc_4E8568:				; CODE XREF: KeSaveExtendedAndSupervisorState+151j
		test	byte ptr ds:0FFDF03ECh,	2
		jz	loc_4E8497
		jmp	loc_5CDECF
; 

loc_4E857A:				; CODE XREF: KeSaveExtendedAndSupervisorState+1A0j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4E84E6
KeSaveExtendedAndSupervisorState endp

; 

RtlXSave:				; CODE XREF: KeContextFromKframes+358p
					; KeSaveExtendedAndSupervisorState+15Cp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr ds:0FFDF03ECh,	2
		push	edi
		mov	edi, ecx
		jnz	loc_5CDF16
		mov	eax, [ebp+8]
		mov	edx, [ebp+0Ch]
		and	eax, 6
		cmp	eax, 4
		mov	eax, [ebp+8]
		jnz	short near ptr dword_4E85C0
		mov	ecx, [edi+1Ch]
		push	esi
		mov	esi, [edi+18h]
; 
		db 0Fh,	0AEh, 27h
; 
		mov	[edi+18h], esi
		mov	[edi+1Ch], ecx
		pop	esi

loc_4E85BB:				; CODE XREF: .text:005CDF22j
		pop	edi
		pop	ebp
		retn	8
; 
dword_4E85C0	dd 0EB27AE0Fh, 0CCCCCCF6h, 2 dup(0CCCCCCCCh) ; CODE XREF: .text:004E85A8j
; Exported entry 1781. PsGetCurrentThreadWin32Thread

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentThreadWin32Thread()
		public _PsGetCurrentThreadWin32Thread@0
_PsGetCurrentThreadWin32Thread@0 proc near
		mov	eax, large fs:124h
		mov	eax, [eax+124h]
		retn
_PsGetCurrentThreadWin32Thread@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCallDriverReference proc near	; CODE XREF: .text:00522756p
					; NtQueryInformationFile(x,x,x,x,x)+7A2p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CDF27 SIZE 00000081 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	bl, [ebp+arg_0]
		mov	[ebp+var_1C], ecx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_20], esi
		push	edi
		mov	edi, edx
		test	bl, bl
		jz	loc_4E86E4

loc_4E860B:				; CODE XREF: IopCallDriverReference+110j
		mov	eax, [esi+7Ch]
		test	eax, eax
		jnz	loc_4E869F

loc_4E8616:				; CODE XREF: IopCallDriverReference+C3j
		mov	edx, large fs:124h
		mov	ecx, edx
		call	_PsGetBaseIoPriorityThread@4 ; PsGetBaseIoPriorityThread(x)
		cmp	eax, 2
		jl	loc_4E8702

loc_4E862D:				; CODE XREF: IopCallDriverReference+129j
					; IopCallDriverReference+136j ...
		mov	ecx, [edi+8]
		and	ecx, 0FFF1FFFFh
		inc	eax

loc_4E8637:				; CODE XREF: IopCallDriverReference+E5956j
		shl	eax, 11h
		or	eax, ecx
		mov	[edi+8], eax
		shr	eax, 11h
		and	eax, 7
		jz	loc_5CDF3B
		dec	eax
		cmp	eax, 2
		jl	loc_4E8726

loc_4E8655:				; CODE XREF: IopCallDriverReference+14Bj
					; IopCallDriverReference+158j ...
		cmp	byte ptr [edi+20h], 0
		jz	short loc_4E86AE

loc_4E865B:				; CODE XREF: IopCallDriverReference+E1j
					; IopCallDriverReference+EAj
		cmp	eax, 2
		jl	loc_4E8743

loc_4E8664:				; CODE XREF: IopCallDriverReference+D1j
					; IopCallDriverReference+102j ...
		cmp	byte ptr [edi+27h], 0
		jl	short loc_4E867A
		mov	edx, [edi+68h]
		test	edx, edx
		jz	short loc_4E867A
		test	byte ptr [edx],	2
		jnz	loc_5CDF5B

loc_4E867A:				; CODE XREF: IopCallDriverReference+88j
					; IopCallDriverReference+8Fj
		mov	ecx, [ebp+var_1C]
		mov	edx, edi
		call	IofCallDriver
		mov	edi, eax

loc_4E8686:				; CODE XREF: IopCallDriverReference+E59C3j
		test	bl, bl
		jz	short loc_4E86F5

loc_4E868A:				; CODE XREF: IopCallDriverReference+120j
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4E869F:				; CODE XREF: IopCallDriverReference+30j
		cmp	dword ptr [eax+28h], 0
		jz	loc_4E8616
		jmp	loc_5CDF27
; 

loc_4E86AE:				; CODE XREF: IopCallDriverReference+79j
		cmp	eax, 2
		jge	short loc_4E8664
		mov	ecx, [edi+50h]
		test	ecx, ecx
		jz	short loc_4E86CC
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_4E865B
		test	byte ptr [ecx+300h], 80h
		jnz	short loc_4E865B

loc_4E86CC:				; CODE XREF: IopCallDriverReference+D8j
		mov	eax, [edi+8]
		inc	_IoKernelIssuedIoBoostedCount
		and	eax, 0FFF1FFFFh
		or	eax, 60000h
		mov	[edi+8], eax
		jmp	short loc_4E8664
; 

loc_4E86E4:				; CODE XREF: IopCallDriverReference+25j
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		jmp	loc_4E860B
; 

loc_4E86F5:				; CODE XREF: IopCallDriverReference+A8j
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	short loc_4E868A
; 

loc_4E8702:				; CODE XREF: IopCallDriverReference+47j
		cmp	edx, large fs:124h
		jnz	loc_4E862D
		cmp	dword ptr [edx+32Ch], 0
		jz	loc_4E862D
		mov	eax, 2
		jmp	loc_4E862D
; 

loc_4E8726:				; CODE XREF: IopCallDriverReference+6Fj
		mov	ecx, [edi+50h]
		test	ecx, ecx
		jz	loc_4E8655
		cmp	dword ptr [ecx+32Ch], 0
		jz	loc_4E8655
		jmp	loc_5CDF3B
; 

loc_4E8743:				; CODE XREF: IopCallDriverReference+7Ej
		mov	eax, [ebp+arg_8]
		sub	eax, 0
		jz	loc_5CDF50
		sub	eax, 1
		jnz	loc_4E8664
		jmp	loc_5CDF45
IopCallDriverReference endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 190. CcCopyWriteWontFlush

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcCopyWriteWontFlush
CcCopyWriteWontFlush proc near		; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+61p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CDFA8 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	[ebp+arg_8], 1000000h
		push	ebx
		push	edi
		mov	edi, [ebp+arg_0]
		jnb	short loc_4E87E4
		mov	edx, [edi+2Ch]
		test	dl, 10h
		jnz	short loc_4E87E4
		mov	ebx, large fs:124h
		mov	ecx, ebx
		call	_PsGetBaseIoPriorityThread@4 ; PsGetBaseIoPriorityThread(x)
		cmp	eax, 2
		jl	short loc_4E87CE

loc_4E87A1:				; CODE XREF: CcCopyWriteWontFlush+67j
					; CcCopyWriteWontFlush+70j
		test	eax, eax
		jle	short loc_4E87E4

loc_4E87A5:				; CODE XREF: CcCopyWriteWontFlush+72j
		xor	eax, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	eax, ds:_PspSystemPartition
		mov	ecx, [eax+4]
		test	edx, 1000000h
		jnz	loc_5CDFA8

loc_4E87C4:				; CODE XREF: CcCopyWriteWontFlush+7Fj
					; CcCopyWriteWontFlush+E584Aj
		mov	al, 1

loc_4E87C6:				; CODE XREF: CcCopyWriteWontFlush+81j
		pop	edi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4E87CE:				; CODE XREF: CcCopyWriteWontFlush+2Fj
		mov	ecx, large fs:124h
		cmp	ebx, ecx
		jnz	short loc_4E87A1
		cmp	dword ptr [ebx+32Ch], 0
		jz	short loc_4E87A1
		jmp	short loc_4E87A5
; 

loc_4E87E4:				; CODE XREF: CcCopyWriteWontFlush+14j
					; CcCopyWriteWontFlush+1Cj ...
		xor	edx, edx
		mov	ecx, edi
		call	CcIsFileObjectDirectMapped
		test	al, al
		jnz	short loc_4E87C4
		jmp	short loc_4E87C6
CcCopyWriteWontFlush endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PsGetBaseIoPriorityThread(x)
_PsGetBaseIoPriorityThread@4 proc near	; CODE XREF: CcMapAndCopyInToCache+1F9p
					; IopCallDriverReference+3Fp ...
		mov	eax, [ecx+2FCh]
		mov	ecx, [ecx+150h]
		shr	eax, 9
		and	eax, 7
		test	dword ptr [ecx+0FCh], 100000h
		jnz	short loc_4E881F
		retn
; 

loc_4E881F:				; CODE XREF: PsGetBaseIoPriorityThread(x)+1Cj
		xor	eax, eax
		retn
_PsGetBaseIoPriorityThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcIsFileObjectDirectMapped proc	near	; CODE XREF: CcCanIWriteStreamEx+232p
					; CcCopyWriteWontFlush+78p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CDFC5 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], ecx
		lea	edi, [ebp+var_10]
		xor	ecx, ecx
		stosd
		mov	esi, edx
		inc	ecx
		xor	bl, bl
		stosd
		stosd
		and	esi, ecx
		jnz	short loc_4E8853
		lea	edx, [ebp+var_10]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	ecx, ecx
		inc	ecx

loc_4E8853:				; CODE XREF: CcIsFileObjectDirectMapped+1Fj
		mov	eax, [ebp+var_4]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_4E886D
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_4E886D
		test	dword ptr [eax+60h], 40000000h
		jnz	short loc_4E88BE

loc_4E886D:				; CODE XREF: CcIsFileObjectDirectMapped+39j
					; CcIsFileObjectDirectMapped+40j ...
		test	esi, esi
		jnz	short loc_4E88A5
		test	ds:byte_70EFC6,	1
		jnz	loc_5CDFC5
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_4E88AC
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	loc_5CDFD5

loc_4E889C:				; CODE XREF: CcIsFileObjectDirectMapped+9Aj
					; CcIsFileObjectDirectMapped+E57AEj
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4E88A5:				; CODE XREF: CcIsFileObjectDirectMapped+4Dj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_4E88AC:				; CODE XREF: CcIsFileObjectDirectMapped+61j
					; CcIsFileObjectDirectMapped+E57BBj
		lea	ecx, [eax+4]
		mov	[ebp+var_10], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax
		jmp	short loc_4E889C
; 

loc_4E88BE:				; CODE XREF: CcIsFileObjectDirectMapped+49j
		mov	bl, cl
		jmp	short loc_4E886D
CcIsFileObjectDirectMapped endp

; 
		align 10h
; Exported entry 189. CcCopyWriteEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcCopyWriteEx
CcCopyWriteEx	proc near		; CODE XREF: CcCopyWrite(x,x,x,x,x)+16p
					; CcFastCopyWrite(x,x,x,x)+22p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005CDFE2 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	edx, large fs:124h
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 0
		mov	eax, [edx+2FCh]
		mov	ecx, [edx+150h]
		shr	eax, 9
		and	eax, 7
		test	dword ptr [ecx+0FCh], 100000h
		jnz	loc_4E8AC4

loc_4E890F:				; CODE XREF: CcCopyWriteEx+1F6j
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	edi
		cmp	eax, 2
		jb	loc_4E8A89

loc_4E891D:				; CODE XREF: CcCopyWriteEx+1C0j
					; CcCopyWriteEx+1CDj
		test	eax, eax
		jz	loc_4E8AAF

loc_4E8925:				; CODE XREF: CcCopyWriteEx+1D3j
		mov	edi, [ebp+arg_0]
		test	byte ptr [edi+2Ch], 10h
		jnz	loc_4E8AB2

loc_4E8932:				; CODE XREF: CcCopyWriteEx+1E4j
		mov	eax, [edi+14h]
		mov	ecx, 2
		mov	edx, [ebp+arg_8]
		push	esi
		mov	eax, [eax+4]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_4], ecx
		mov	esi, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_C], eax
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], eax
		test	esi, 0FFFh
		jz	loc_4E8A65

loc_4E8964:				; CODE XREF: CcCopyWriteEx+19Bj
					; CcCopyWriteEx+1A9j
		lea	eax, [esi+edx]
		test	eax, 0FFFh
		jz	loc_4E8A7E

loc_4E8972:				; CODE XREF: CcCopyWriteEx+1B4j
		mov	ecx, [edi+0Ch]
		and	esi, 0FFFFF000h
		test	byte ptr [ecx+4], 40h
		jz	loc_5CDFE2
		mov	ecx, [ecx+28h]
		xor	edx, edx
		push	0
		mov	[ebp+var_4], ecx
		call	KeAbPreAcquire
		mov	cl, 1
		mov	ebx, eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [ebp+var_4]
		mov	dl, al
		mov	byte ptr [ebp+arg_0+3],	dl
		lock btr dword ptr [ecx], 0
		jnb	loc_4E8ACB

loc_4E89B1:				; CODE XREF: CcCopyWriteEx+208j
		test	ebx, ebx
		jz	short loc_4E89B9
		or	byte ptr [ebx+0Eh], 1

loc_4E89B9:				; CODE XREF: CcCopyWriteEx+E3j
		mov	eax, large fs:124h
		mov	[ecx+4], eax
		movzx	eax, dl
		mov	[ecx+1Ch], eax
		mov	ecx, [edi+0Ch]
		mov	eax, [ecx+20h]
		mov	[ebp+var_18], eax
		mov	eax, [ecx+24h]
		mov	[ebp+var_14], eax
		mov	ebx, [ecx+28h]
		mov	ecx, 1
		mov	al, [ebx+1Ch]
		mov	byte ptr [ebp+arg_0+3],	al
		xor	eax, eax
		mov	dword ptr [ebx+4], 0
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jnz	loc_4E8ADD

loc_4E89FA:				; CODE XREF: CcCopyWriteEx+216j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+arg_8]
		mov	ebx, [ebp+arg_C]

loc_4E8A16:				; CODE XREF: CcCopyWriteEx+E571Ej
		sub	eax, esi
		pop	esi
		sbb	ecx, [ebp+var_C]
		test	ecx, ecx
		jl	loc_4E8AA8
		jg	loc_5CDFF3
		test	eax, eax
		jz	short loc_4E8AA8
		test	ecx, ecx
		jnz	loc_5CDFF3
		cmp	eax, 1000h
		mov	eax, [ebp+arg_4]
		ja	short loc_4E8A43
		or	eax, 6

loc_4E8A43:				; CODE XREF: CcCopyWriteEx+16Ej
					; CcCopyWriteEx+1DDj ...
		push	[ebp+arg_14]
		lea	ecx, [ebp+var_18]
		push	ebx
		push	ecx
		mov	ecx, [ebp+var_10]
		push	edi
		push	eax
		push	edx
		mov	edx, [ebp+arg_10]
		lea	eax, [ebp+var_20]
		push	eax
		call	CcMapAndCopyInToCache
		pop	edi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4E8A65:				; CODE XREF: CcCopyWriteEx+8Ej
		cmp	edx, 1000h
		jb	loc_4E8964
		mov	ecx, 3
		mov	[ebp+arg_4], ecx
		jmp	loc_4E8964
; 

loc_4E8A7E:				; CODE XREF: CcCopyWriteEx+9Cj
		or	ecx, 4
		mov	[ebp+arg_4], ecx
		jmp	loc_4E8972
; 

loc_4E8A89:				; CODE XREF: CcCopyWriteEx+47j
		cmp	edx, large fs:124h
		jnz	loc_4E891D
		cmp	dword ptr [edx+32Ch], 0
		jz	loc_4E891D
		jmp	loc_4E8925
; 

loc_4E8AA8:				; CODE XREF: CcCopyWriteEx+14Ej
					; CcCopyWriteEx+15Cj
		mov	eax, 7
		jmp	short loc_4E8A43
; 

loc_4E8AAF:				; CODE XREF: CcCopyWriteEx+4Fj
		mov	edi, [ebp+arg_0]

loc_4E8AB2:				; CODE XREF: CcCopyWriteEx+5Cj
		test	bl, bl
		jnz	loc_4E8932
		pop	edi
		xor	al, al
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_4E8AC4:				; CODE XREF: CcCopyWriteEx+39j
		xor	eax, eax
		jmp	loc_4E890F
; 

loc_4E8ACB:				; CODE XREF: CcCopyWriteEx+DBj
		mov	edx, ebx
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		mov	ecx, [ebp+var_4]
		mov	dl, byte ptr [ebp+arg_0+3]
		jmp	loc_4E89B1
; 

loc_4E8ADD:				; CODE XREF: CcCopyWriteEx+124j
		mov	edx, eax
		mov	ecx, ebx
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	loc_4E89FA
CcCopyWriteEx	endp

; 
		align 10h
; Exported entry 1196. KeIsEmptyAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeIsEmptyAffinityEx(x)
		public _KeIsEmptyAffinityEx@4
_KeIsEmptyAffinityEx@4 proc near	; CODE XREF: RtlUpdateSwapReference(x,x)+56p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		cmp	[ecx+8], eax
		setz	al
		pop	ebp
		retn	4
_KeIsEmptyAffinityEx@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl MiTbFlushSort(const void *,const void *)
_MiTbFlushSort	proc near		; DATA XREF: MiRevertValidPte+4BEo
					; MiTerminateWsleCluster+7C3o ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	eax, [eax]
		mov	ecx, [ecx]
		cmp	eax, ecx
		jb	short loc_4E8B2C
		jbe	short loc_4E8B31
		mov	eax, 1
		pop	ebp
		retn
; 

loc_4E8B2C:				; CODE XREF: _MiTbFlushSort+11j
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
; 

loc_4E8B31:				; CODE XREF: _MiTbFlushSort+13j
		xor	eax, eax
		pop	ebp
		retn
_MiTbFlushSort	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiInSwapSingleProcess(x, x, x)
@KiInSwapSingleProcess@12 proc near	; CODE XREF: KeReadyThread(x)+32p
					; KiStackAttachProcess+260p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		xor	ebx, ebx
		mov	ecx, edi
		inc	ebx
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	eax, [edi+7Ch]
		test	al, 7
		jz	short loc_4E8B95
		mov	edx, edi
		mov	ecx, esi
		call	KiRequestProcessInSwap
		mov	edx, large fs:20h
		cmp	esi, [edx+4]
		jnz	short loc_4E8B8A
		mov	cl, [ebp+arg_0]
		mov	[esi+92h], cl
		mov	ecx, esi
		push	0
		mov	byte ptr [esi+18Bh], 17h
		call	KiSwapThread

loc_4E8B81:				; CODE XREF: KiInSwapSingleProcess(x,x,x)+5Dj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4E8B8A:				; CODE XREF: KiInSwapSingleProcess(x,x,x)+30j
					; KiInSwapSingleProcess(x,x,x)+69j
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4E8B81
; 

loc_4E8B95:				; CODE XREF: KiInSwapSingleProcess(x,x,x)+1Bj
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		xor	bl, bl
		jmp	short loc_4E8B8A
@KiInSwapSingleProcess@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiRequestProcessInSwap proc near	; CODE XREF: KiReadyThread+FBp
					; KiInSwapSingleProcess(x,x,x)+21p ...

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, ds:_KeTickCount
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], 0
		push	edi
		mov	edi, edx
		xor	dl, dl
		mov	[ebp+var_1], dl
		mov	[esi+138h], eax
		lea	ebx, [esi+2Ch]
		lea	esp, [esp+0]

loc_4E8BE0:				; CODE XREF: KiRequestProcessInSwap+E4j
		lock bts dword ptr [ebx], 0
		jb	loc_4E8C86
		lea	eax, [esi+5Ch]
		mov	byte ptr [esi+90h], 9
		test	dword ptr [eax], 1000h
		jnz	loc_4E8C99

loc_4E8C01:				; CODE XREF: KiRequestProcessInSwap+EEj
		lea	eax, [edi+4Ch]
		mov	dword ptr [ebx], 0
		mov	ecx, [eax+4]
		add	esi, 9Ch
		cmp	[ecx], eax
		jnz	loc_5A7ED6
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		lea	ecx, [edi+7Ch]
		mov	[eax+4], esi
		mov	eax, [ecx]
		and	al, 7
		cmp	al, 1
		jz	short loc_4E8C7A
		mov	dl, [ebp+var_1]

loc_4E8C33:				; CODE XREF: KiRequestProcessInSwap+D4j
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		test	dl, dl
		jnz	short loc_4E8C46

loc_4E8C3F:				; CODE XREF: KiRequestProcessInSwap+B9j
					; KiRequestProcessInSwap+C8j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E8C46:				; CODE XREF: KiRequestProcessInSwap+8Dj
		mov	ecx, edi
		call	MmNotifyProcessInSwapTrigger
		mov	eax, _KiProcessInSwapListHead
		mov	esi, offset _KiProcessInSwapListHead

loc_4E8C57:				; CODE XREF: KiRequestProcessInSwap+B5j
		mov	[edi+54h], eax
		lea	ecx, [edi+54h]
		mov	edx, eax
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_4E8C57
		test	eax, eax
		jnz	short loc_4E8C3F
		push	eax
		push	0Ah
		push	offset _KiSwapEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_4E8C3F
; 

loc_4E8C7A:				; CODE XREF: KiRequestProcessInSwap+7Ej
		mov	eax, 3
		lock xor [ecx],	eax
		mov	dl, 1
		jmp	short loc_4E8C33
; 

loc_4E8C86:				; CODE XREF: KiRequestProcessInSwap+35j
					; KiRequestProcessInSwap+E2j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_4E8C86
		jmp	loc_4E8BE0
; 

loc_4E8C99:				; CODE XREF: KiRequestProcessInSwap+4Bj
		lock btr dword ptr [eax], 0Ch
		jmp	loc_4E8C01
KiRequestProcessInSwap endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmNotifyProcessInSwapTrigger proc near	; CODE XREF: KiRequestProcessInSwap+98p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CDFFE SIZE 000000A2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+68h+var_4], eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	al, [edi+2A3h]
		and	al, 60h
		cmp	al, 40h
		jz	loc_5CDFFE

loc_4E8CCE:				; CODE XREF: MmNotifyProcessInSwapTrigger+E5362j
					; MmNotifyProcessInSwapTrigger+E536Bj ...
		mov	ecx, [esp+70h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
MmNotifyProcessInSwapTrigger endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall OBJECT_HEADER_TO_HANDLE_INFO(x)
_OBJECT_HEADER_TO_HANDLE_INFO@4	proc near ; CODE XREF: ObpReleaseHandleInfo+Cp
					; ObpInsertHandleCount(x)+22p ...
		mov	al, [ecx+0Eh]
		test	al, 4
		jz	short loc_4E8CF9
		movzx	eax, al
		and	eax, 7
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax

loc_4E8CF6:				; CODE XREF: OBJECT_HEADER_TO_HANDLE_INFO(x)+1Bj
		mov	eax, ecx
		retn
; 

loc_4E8CF9:				; CODE XREF: OBJECT_HEADER_TO_HANDLE_INFO(x)+5j
		xor	ecx, ecx
		jmp	short loc_4E8CF6
_OBJECT_HEADER_TO_HANDLE_INFO@4	endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1861. PsLeavePriorityRegion

;  S U B	R O U T	I N E 


; __stdcall PsLeavePriorityRegion()
		public _PsLeavePriorityRegion@0
_PsLeavePriorityRegion@0 proc near
		mov	ecx, large fs:124h
		mov	dl, 1
		push	0
		push	0
		call	PsBoostThreadIoEx
		retn
_PsLeavePriorityRegion@0 endp ;	sp = -8

; 
		align 10h
; Exported entry 1092. KeAddProcessorAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAddProcessorAffinityEx(x,	x)
		public _KeAddProcessorAffinityEx@8
_KeAddProcessorAffinityEx@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	ecx, [edx+8]
		bts	ecx, eax
		mov	[edx+8], ecx
		pop	ebp
		retn	8
_KeAddProcessorAffinityEx@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 491. FsRtlCheckLockForWriteAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlCheckLockForWriteAccess(x, x)
		public _FsRtlCheckLockForWriteAccess@8
_FsRtlCheckLockForWriteAccess@8	proc near

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	esi, [ebx+0Ch]
		test	esi, esi
		jz	short loc_4E8DA0
		cmp	dword ptr [esi+18h], 0
		jz	short loc_4E8DA9

loc_4E8D69:				; CODE XREF: FsRtlCheckLockForWriteAccess(x,x)+5Fj
		mov	edi, [ebp+arg_4]
		and	[ebp+var_8], 0
		mov	edi, [edi+60h]
		mov	[ebp+var_4], edi
		mov	eax, [edi+4]
		mov	edx, [edi+0Ch]
		mov	ecx, [edi+10h]
		mov	[ebp+arg_0], eax
		mov	[ebp+var_C], eax
		xor	eax, eax
		add	[ebp+arg_0], edx
		mov	[ebp+var_14], edx
		adc	eax, ecx
		mov	[ebp+var_10], ecx
		cmp	eax, [esi+4]
		jb	short loc_4E8DA0
		ja	short loc_4E8DB1
		mov	eax, [ebp+arg_0]
		cmp	eax, [esi]
		ja	short loc_4E8DB1

loc_4E8DA0:				; CODE XREF: FsRtlCheckLockForWriteAccess(x,x)+13j
					; FsRtlCheckLockForWriteAccess(x,x)+47j ...
		mov	al, 1

loc_4E8DA2:				; CODE XREF: FsRtlCheckLockForWriteAccess(x,x)+85j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4E8DA9:				; CODE XREF: FsRtlCheckLockForWriteAccess(x,x)+19j
		cmp	dword ptr [esi+14h], 0
		jnz	short loc_4E8D69
		jmp	short loc_4E8DA0
; 

loc_4E8DB1:				; CODE XREF: FsRtlCheckLockForWriteAccess(x,x)+49j
					; FsRtlCheckLockForWriteAccess(x,x)+50j
		mov	esi, [ebp+var_4]
		push	[ebp+arg_4]
		mov	edi, [edi+8]
		mov	esi, [esi+18h]
		call	_IoGetRequestorProcess@4 ; IoGetRequestorProcess(x)
		push	eax
		push	esi
		push	edi
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		call	FsRtlFastCheckLockForWrite
		jmp	short loc_4E8DA2
_FsRtlCheckLockForWriteAccess@8	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 513. FsRtlFastCheckLockForWrite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlFastCheckLockForWrite
FsRtlFastCheckLockForWrite proc	near	; CODE XREF: FsRtlCheckLockForWriteAccess(x,x)+80p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005CE0A0 SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	esp, 18h
		push	edi
		mov	edi, [eax+0Ch]
		test	edi, edi
		jz	loc_4E8EF5
		cmp	dword ptr [edi+14h], 0
		jnz	short loc_4E8E01
		cmp	dword ptr [edi+18h], 0
		jz	loc_4E8EF5

loc_4E8E01:				; CODE XREF: FsRtlFastCheckLockForWrite+1Bj
		mov	eax, [ebp+arg_8]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	eax, ecx
		or	eax, edx
		jz	loc_4E8EF5
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [eax]
		mov	ebx, [eax+4]
		mov	[ebp+var_8], esi
		mov	[ebp+var_18], esi
		add	esi, ecx
		mov	ecx, ebx
		mov	[ebp+var_4], ebx
		adc	ecx, edx
		mov	[ebp+var_14], ebx
		xor	ebx, ebx
		inc	ebx
		sub	esi, ebx
		mov	[ebp+arg_8], esi
		sbb	ecx, 0
		mov	[ebp+var_10], esi
		mov	[ebp+arg_4], ecx
		lea	esi, [edi+10h]
		mov	[ebp+var_C], ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	byte ptr [ebp+arg_0+3],	al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [ebp+arg_4]
		cmp	edx, [edi+4]
		ja	short loc_4E8E8A
		jb	short loc_4E8E67
		mov	ecx, [ebp+arg_8]
		cmp	ecx, [edi]
		jnb	short loc_4E8E8D

loc_4E8E67:				; CODE XREF: FsRtlFastCheckLockForWrite+84j
					; FsRtlFastCheckLockForWrite+110j
		test	ds:byte_70EFC6,	bl
		jnz	loc_5CE0A0
		xor	eax, eax
		lock and [esi],	eax

loc_4E8E78:				; CODE XREF: FsRtlFastCheckLockForWrite+E52D0j
					; FsRtlFastCheckLockForWrite+E531Ej
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		mov	al, bl
		pop	ebx

loc_4E8E85:				; CODE XREF: FsRtlFastCheckLockForWrite+11Dj
		pop	edi
		leave
		retn	18h
; 

loc_4E8E8A:				; CODE XREF: FsRtlFastCheckLockForWrite+82j
		mov	ecx, [ebp+arg_8]

loc_4E8E8D:				; CODE XREF: FsRtlFastCheckLockForWrite+8Bj
		mov	eax, [ebp+arg_10]
		mov	edi, [ebp+arg_14]
		mov	eax, [eax+48h]
		test	eax, eax
		jz	loc_5CE0AF
		mov	edi, [ebp+var_4]
		cmp	edi, [eax+4]
		mov	edi, [ebp+arg_14]
		ja	short loc_4E8EBD
		jb	loc_5CE0AF
		mov	ecx, [ebp+var_8]
		cmp	ecx, [eax]
		mov	ecx, [ebp+arg_8]
		jb	loc_5CE0AF

loc_4E8EBD:				; CODE XREF: FsRtlFastCheckLockForWrite+CDj
		cmp	edx, [eax+24h]
		jb	short loc_4E8ED1
		ja	loc_5CE0AF
		cmp	ecx, [eax+20h]
		ja	loc_5CE0AF

loc_4E8ED1:				; CODE XREF: FsRtlFastCheckLockForWrite+E6j
		mov	ecx, [ebp+arg_C]
		cmp	[eax+14h], ecx
		jnz	loc_5CE0AF
		cmp	[eax+1Ch], edi
		jnz	loc_5CE0AF
		cmp	byte ptr [eax+10h], 0
		jnz	loc_4E8E67
		jmp	loc_5CE0AF
; 

loc_4E8EF5:				; CODE XREF: FsRtlFastCheckLockForWrite+11j
					; FsRtlFastCheckLockForWrite+21j ...
		mov	al, 1
		jmp	short loc_4E8E85
FsRtlFastCheckLockForWrite endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 490. FsRtlCheckLockForReadAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlCheckLockForReadAccess(x, x)
		public _FsRtlCheckLockForReadAccess@8
_FsRtlCheckLockForReadAccess@8 proc near

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	esi, [ebx+0Ch]
		test	esi, esi
		jz	short loc_4E8F19
		cmp	dword ptr [esi+18h], 0
		jnz	short loc_4E8F22

loc_4E8F19:				; CODE XREF: FsRtlCheckLockForReadAccess(x,x)+13j
					; FsRtlCheckLockForReadAccess(x,x)+52j	...
		mov	al, 1

loc_4E8F1B:				; CODE XREF: FsRtlCheckLockForReadAccess(x,x)+7Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4E8F22:				; CODE XREF: FsRtlCheckLockForReadAccess(x,x)+19j
		mov	edi, [ebp+arg_4]
		and	[ebp+var_8], 0
		mov	edi, [edi+60h]
		mov	[ebp+var_4], edi
		mov	eax, [edi+4]
		mov	edx, [edi+0Ch]
		mov	ecx, [edi+10h]
		mov	[ebp+arg_0], eax
		mov	[ebp+var_C], eax
		xor	eax, eax
		add	[ebp+arg_0], edx
		mov	[ebp+var_14], edx
		adc	eax, ecx
		mov	[ebp+var_10], ecx
		cmp	eax, [esi+4]
		ja	short loc_4E8F59
		jb	short loc_4E8F19
		mov	eax, [ebp+arg_0]
		cmp	eax, [esi]
		jbe	short loc_4E8F19

loc_4E8F59:				; CODE XREF: FsRtlCheckLockForReadAccess(x,x)+50j
		mov	esi, [ebp+var_4]
		push	[ebp+arg_4]
		mov	edi, [edi+8]
		mov	esi, [esi+18h]
		call	_IoGetRequestorProcess@4 ; IoGetRequestorProcess(x)
		push	eax
		push	esi
		push	edi
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		call	FsRtlFastCheckLockForRead
		jmp	short loc_4E8F1B
_FsRtlCheckLockForReadAccess@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 512. FsRtlFastCheckLockForRead

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlFastCheckLockForRead
FsRtlFastCheckLockForRead proc near	; CODE XREF: FsRtlCheckLockForReadAccess(x,x)+78p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005CE0FD SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	esp, 18h
		push	edi
		mov	edi, [eax+0Ch]
		test	edi, edi
		jz	short loc_4E8F9B
		cmp	dword ptr [edi+18h], 0
		jnz	short loc_4E8FA2

loc_4E8F9B:				; CODE XREF: FsRtlFastCheckLockForRead+11j
					; FsRtlFastCheckLockForRead+2Cj
		mov	al, 1

loc_4E8F9D:				; CODE XREF: FsRtlFastCheckLockForRead+9Ej
		pop	edi
		leave
		retn	18h
; 

loc_4E8FA2:				; CODE XREF: FsRtlFastCheckLockForRead+17j
		mov	eax, [ebp+arg_8]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	eax, ecx
		or	eax, edx
		jz	short loc_4E8F9B
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		lea	esi, [edi+10h]
		mov	ebx, [eax]
		add	ecx, ebx
		mov	eax, [eax+4]
		adc	edx, eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], ebx
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_4], eax
		sub	ecx, ebx
		mov	[ebp+var_14], eax
		mov	[ebp+arg_8], ecx
		sbb	edx, 0
		mov	[ebp+var_10], ecx
		mov	[ebp+arg_4], edx
		mov	[ebp+var_C], edx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	byte ptr [ebp+arg_0+3],	al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [ebp+arg_4]
		cmp	edx, [edi+4]
		ja	short loc_4E9025
		jb	short loc_4E9002
		mov	ecx, [ebp+arg_8]
		cmp	ecx, [edi]
		jnb	short loc_4E9028

loc_4E9002:				; CODE XREF: FsRtlFastCheckLockForRead+77j
					; FsRtlFastCheckLockForRead+F9j
		test	ds:byte_70EFC6,	bl
		jnz	loc_5CE0FD
		xor	eax, eax
		lock and [esi],	eax

loc_4E9013:				; CODE XREF: FsRtlFastCheckLockForRead+E5185j
					; FsRtlFastCheckLockForRead+E51C0j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		mov	al, bl
		pop	ebx
		jmp	loc_4E8F9D
; 

loc_4E9025:				; CODE XREF: FsRtlFastCheckLockForRead+75j
		mov	ecx, [ebp+arg_8]

loc_4E9028:				; CODE XREF: FsRtlFastCheckLockForRead+7Ej
		mov	eax, [ebp+arg_10]
		mov	edi, [ebp+arg_14]
		mov	eax, [eax+48h]
		test	eax, eax
		jz	loc_5CE10C
		mov	edi, [ebp+var_4]
		cmp	edi, [eax+4]
		mov	edi, [ebp+arg_14]
		ja	short loc_4E9058
		jb	loc_5CE10C
		mov	edi, [ebp+var_8]
		cmp	edi, [eax]
		mov	edi, [ebp+arg_14]
		jb	loc_5CE10C

loc_4E9058:				; CODE XREF: FsRtlFastCheckLockForRead+C0j
		cmp	edx, [eax+24h]
		jb	short loc_4E906C
		ja	loc_5CE10C
		cmp	ecx, [eax+20h]
		ja	loc_5CE10C

loc_4E906C:				; CODE XREF: FsRtlFastCheckLockForRead+D9j
		mov	ecx, [ebp+arg_C]
		cmp	[eax+14h], ecx
		jnz	loc_5CE10C
		cmp	[eax+1Ch], edi
		jz	short loc_4E9002
		jmp	loc_5CE10C
FsRtlFastCheckLockForRead endp

; 
		align 10h
; Exported entry 879. IoGetRequestorProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetRequestorProcess(x)
		public _IoGetRequestorProcess@4
_IoGetRequestorProcess@4 proc near	; CODE XREF: FsRtlCheckLockForWriteAccess(x,x)+6Fp
					; FsRtlCheckLockForReadAccess(x,x)+67p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	dword ptr [eax+8], 2000h
		mov	ecx, [eax+50h]
		jnz	short loc_4E90B9
		test	ecx, ecx
		jz	short loc_4E90D1
		mov	al, [eax+26h]
		test	al, al
		jnz	short loc_4E90C3
		mov	eax, [ecx+150h]

loc_4E90B5:				; CODE XREF: IoGetRequestorProcess(x)+43j
		pop	ebp
		retn	4
; 

loc_4E90B9:				; CODE XREF: IoGetRequestorProcess(x)+12j
		mov	eax, [eax+30h]
		and	eax, 0FFFFFFFCh
		pop	ebp
		retn	4
; 

loc_4E90C3:				; CODE XREF: IoGetRequestorProcess(x)+1Dj
		cmp	al, 1
		jnz	short loc_4E90D1
		mov	eax, [ecx+80h]
		pop	ebp
		retn	4
; 

loc_4E90D1:				; CODE XREF: IoGetRequestorProcess(x)+16j
					; IoGetRequestorProcess(x)+35j
		xor	eax, eax
		jmp	short loc_4E90B5
_IoGetRequestorProcess@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


ObReferenceObjectExWithTag proc	near	; CODE XREF: MiReferenceControlAreaFile+4Dp
					; MiLogPageAccess(x,x)+230p ...

; FUNCTION CHUNK AT 005A8321 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		push	746C6644h
		lea	esi, [ebx-18h]
		mov	edi, edx
		mov	ecx, esi
		call	ObpTraceObjectReferenceIfActive
		mov	eax, edi
		lock xadd [esi], eax
		test	eax, eax
		jle	loc_5A8321
		add	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn	4
ObReferenceObjectExWithTag endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpOplockBreakByCacheFlags(x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x)
_FsRtlpOplockBreakByCacheFlags@60 proc near ; CODE XREF: FsRtlCheckOplockEx2+696p
					; FsRtlOplockBreakToNoneEx(x,x,x,x,x,x)+A6p ...

var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1F		= byte ptr -1Fh
var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= byte ptr -1Ch
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h

		push	3Ch
		push	offset dword_6A2C18
		call	__SEH_prolog4
		mov	[ebp+var_2C], edx
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_24], ecx
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_1A], cl
		mov	[ebp+var_1C], cl
		mov	byte ptr [ebp+var_34], cl
		xor	eax, eax
		inc	eax
		mov	[ebp+var_19], al
		mov	edx, [ebp+arg_4]
		and	edx, 8
		mov	[ebp+var_30], edx
		mov	esi, [ebp+arg_C]
		mov	edi, 5000h
		cmp	esi, 7000h
		jz	short loc_4E9188
		cmp	esi, edi
		jz	short loc_4E9188
		cmp	esi, 4000h
		jz	short loc_4E9188
		cmp	esi, 2000h
		jz	short loc_4E9188
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_4E917E
		mov	dword ptr [ecx+18h], 0C00000E3h
		mov	dl, al
		call	IofCompleteRequest

loc_4E917E:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+60j
		mov	eax, 0C00000E3h
		jmp	loc_4E9B1A
; 

loc_4E9188:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+45j
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+49j ...
		test	ebx, ebx
		jz	loc_4E9B18
		mov	[ebp+ms_exc.disabled], ecx
		mov	eax, [ebx+48h]
		cmp	eax, 1
		jz	loc_4E9B09
		test	eax, esi
		jz	loc_4E9B09
		test	edx, edx
		jnz	short loc_4E91CE
		push	[ebp+arg_4]
		mov	edx, [ebx+4]
		mov	eax, [ebp+var_2C]
		mov	ecx, [eax+18h]
		call	FsRtlpOplockKeysEqual
		test	al, al
		jz	short loc_4E91CB
		mov	eax, [ebp+var_24]

loc_4E91C3:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9F6j
		mov	[ebp+var_24], eax
		jmp	loc_4E9B0C
; 

loc_4E91CB:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B0j
		mov	ecx, [ebp+var_24]

loc_4E91CE:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9Bj
		mov	eax, [ebx+48h]
		test	al, 40h
		jz	short loc_4E91EA
		test	[ebp+arg_4], 10010000h
		jz	short loc_4E91EA

loc_4E91DE:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+18Aj
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+631j ...
		mov	[ebp+var_24], 0C0000909h
		jmp	loc_4E9B0C
; 

loc_4E91EA:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C5j
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+CEj
		mov	edx, eax
		and	edx, 1F0FFDFh
		cmp	edx, 105040h
		ja	loc_4E99D8
		jz	loc_4E99B5
		sub	edx, 1000h
		jz	loc_4E96F6
		sub	edx, 10h
		jz	loc_4E96F6
		sub	edx, 1FF0h
		jz	loc_4E976C
		sub	edx, 2040h
		jz	loc_4E9530
		sub	edx, 2000h
		jz	loc_4E9315
		sub	edx, 3FC0h
		jz	loc_4E96F6
		sub	edx, 0F8000h
		jnz	loc_4E9A19
		mov	[ebp+var_1D], cl
		mov	eax, esi
		and	eax, 1000h
		mov	[ebp+arg_C], eax
		jz	short loc_4E92C4
		lea	eax, [ebx+24h]
		mov	edi, [eax]

loc_4E9269:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A7j
		mov	[ebp+var_28], edi
		cmp	edi, eax
		jz	short loc_4E92B7
		cmp	[ebp+var_30], 0
		jnz	short loc_4E928B
		push	[ebp+arg_4]
		mov	edx, [edi+0Ch]
		mov	eax, [ebp+var_2C]
		mov	ecx, [eax+18h]
		call	FsRtlpOplockKeysEqual
		test	al, al
		jnz	short loc_4E92B0

loc_4E928B:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+166j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1D], al
		test	[ebp+arg_4], 10010000h
		jnz	loc_4E91DE
		and	dword ptr [edi+18h], 0FF0FFFFFh
		mov	eax, [edi+18h]
		or	eax, (offset loc_7FFFFF+1)
		mov	[edi+18h], eax

loc_4E92B0:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+17Bj
		mov	edi, [edi]
		lea	eax, [ebx+24h]
		jmp	short loc_4E9269
; 

loc_4E92B7:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+160j
		mov	ecx, ebx
		call	FsRtlpComputeShareableOplockState
		mov	cl, [ebp+var_1D]
		mov	eax, [ebp+arg_C]

loc_4E92C4:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+154j
		test	esi, 2000h
		jz	loc_4E9657
		test	cl, cl
		jz	short loc_4E92E1

loc_4E92D4:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1EFj
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+201j ...
		xor	edx, edx
		inc	edx

loc_4E92D7:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8C5j
		mov	al, dl
		mov	[ebp+var_1B], al
		jmp	loc_4E965D
; 

loc_4E92E1:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1C4j
		test	eax, eax
		jnz	loc_4E9657
		lea	edi, [ebx+24h]
		mov	esi, [edi]

loc_4E92EE:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+205j
		mov	[ebp+var_28], esi
		cmp	esi, edi
		jz	loc_4E9657
		cmp	[ebp+var_30], 0
		jnz	short loc_4E92D4
		push	dword ptr [esi+0Ch]
		mov	eax, [ebp+var_2C]
		push	dword ptr [eax+18h]
		call	_FsRtlOplockKeysEqual@8	; FsRtlOplockKeysEqual(x,x)
		test	al, al
		jz	short loc_4E92D4
		mov	esi, [esi]
		jmp	short loc_4E92EE
; 

loc_4E9315:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+129j
		cmp	esi, 4000h
		jnz	loc_4E93EC
		mov	edi, [ebx]
		mov	[ebp+arg_C], edi
		lea	esi, [edi+25h]
		push	esi
		call	_IoAcquireCancelSpinLock@4 ; IoAcquireCancelSpinLock(x)
		xor	ecx, ecx
		lea	eax, [edi+38h]
		xchg	ecx, [eax]
		movzx	eax, byte ptr [esi]
		push	eax
		call	IoReleaseCancelSpinLock
		cmp	byte ptr [edi+24h], 0
		jz	short loc_4E938A
		mov	ecx, [ebp+var_24]
		push	ecx
		xor	edx, edx
		mov	ecx, ebx
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, ebx
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	eax, [ebp+var_24]
		mov	[ebx+10h], al
		mov	ecx, [ebx]
		cmp	[ecx+1Ch], ebx
		jnz	short loc_4E936D
		mov	[ecx+1Ch], eax
		mov	ecx, [ebx]

loc_4E936D:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+258j
		mov	dword ptr [ecx+18h], 0C0000120h
		xor	eax, eax
		lea	edx, [eax+1]
		mov	ecx, [ebx]
		call	IofCompleteRequest
		mov	ecx, [ebp+var_24]
		mov	[ebx], ecx
		jmp	loc_4E962F
; 

loc_4E938A:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+235j
		mov	edx, [edi+0Ch]
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		inc	eax
		mov	[edx], ax
		push	18h
		pop	ecx
		mov	[edx+2], cx
		mov	eax, [ebx+48h]
		shr	eax, 0Ch
		and	eax, 7
		mov	[edx+4], eax
		mov	dword ptr [edx+8], 3
		xor	eax, eax
		inc	eax
		or	[edx+0Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[eax+1Ch], ecx
		mov	eax, [ebx]
		mov	ecx, [ebp+var_24]
		mov	[eax+18h], ecx
		xor	eax, eax
		lea	edx, [eax+1]
		mov	ecx, [ebx]
		call	IofCompleteRequest
		mov	eax, [ebp+var_24]
		mov	[ebx], eax
		mov	eax, [ebx+48h]
		and	eax, 20h
		or	eax, 507040h

loc_4E93E4:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+393j
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+41Dj ...
		mov	[ebx+48h], eax
		jmp	loc_4E92D4
; 

loc_4E93EC:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+20Dj
		cmp	esi, 2000h
		jnz	loc_4E94A6
		mov	edi, [ebx]
		mov	[ebp+arg_C], edi
		lea	esi, [edi+25h]
		push	esi
		call	_IoAcquireCancelSpinLock@4 ; IoAcquireCancelSpinLock(x)
		xor	ecx, ecx
		lea	eax, [edi+38h]
		xchg	ecx, [eax]
		movzx	eax, byte ptr [esi]
		push	eax
		call	IoReleaseCancelSpinLock
		cmp	byte ptr [edi+24h], 0
		jnz	loc_4E95F0
		mov	edx, [edi+0Ch]
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		inc	eax
		mov	[edx], ax
		push	18h
		pop	ecx
		mov	[edx+2], cx
		mov	eax, [ebx+48h]
		shr	eax, 0Ch
		and	eax, 7
		mov	[edx+4], eax
		mov	dword ptr [edx+8], 5
		mov	eax, [edx+0Ch]
		xor	esi, esi
		inc	esi
		or	eax, esi
		mov	[edx+0Ch], eax
		mov	esi, [ebp+var_2C]
		cmp	byte ptr [esi],	0
		jnz	short loc_4E9477
		or	eax, 2
		mov	[edx+0Ch], eax
		mov	eax, [esi+4]
		mov	eax, [eax+4]
		mov	eax, [eax+14h]
		mov	[edx+10h], eax
		mov	ax, [esi+0Eh]
		mov	[edx+14h], ax

loc_4E9477:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+34Dj
		mov	eax, [ebp+arg_C]
		mov	[eax+1Ch], ecx
		mov	eax, [ebx]
		mov	ecx, [ebp+var_24]
		mov	[eax+18h], ecx
		xor	eax, eax
		lea	edx, [eax+1]
		mov	ecx, [ebx]
		call	IofCompleteRequest
		mov	eax, [ebp+var_24]
		mov	[ebx], eax
		mov	eax, [ebx+48h]
		and	eax, 20h
		or	eax, 307040h
		jmp	loc_4E93E4
; 

loc_4E94A6:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2E4j
		and	esi, edi
		cmp	esi, edi
		jnz	loc_4E9657
		mov	edi, [ebx]
		mov	[ebp+arg_C], edi
		lea	esi, [edi+25h]
		push	esi
		call	_IoAcquireCancelSpinLock@4 ; IoAcquireCancelSpinLock(x)
		xor	ecx, ecx
		lea	eax, [edi+38h]
		xchg	ecx, [eax]
		movzx	eax, byte ptr [esi]
		push	eax
		call	IoReleaseCancelSpinLock
		cmp	byte ptr [edi+24h], 0
		jnz	loc_4E95F0
		mov	edx, [edi+0Ch]
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		inc	eax
		mov	[edx], ax
		push	18h
		pop	ecx
		mov	[edx+2], cx
		mov	eax, [ebx+48h]
		shr	eax, 0Ch
		and	eax, 7
		mov	[edx+4], eax
		xor	eax, eax
		inc	eax
		or	[edx+0Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[eax+1Ch], ecx
		mov	eax, [ebx]
		mov	ecx, [ebp+var_24]
		mov	[eax+18h], ecx
		xor	eax, eax
		lea	edx, [eax+1]
		mov	ecx, [ebx]
		call	IofCompleteRequest
		mov	eax, [ebp+var_24]
		mov	[ebx], eax
		mov	eax, [ebx+48h]

loc_4E9523:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+992j
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9A9j
		and	eax, 20h
		or	eax, offset loc_807040
		jmp	loc_4E93E4
; 

loc_4E9530:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11Dj
		mov	eax, esi
		and	eax, edi
		cmp	eax, edi
		jnz	loc_4E95BC
		mov	edi, [ebx]
		mov	[ebp+arg_C], edi
		lea	esi, [edi+25h]
		push	esi
		call	_IoAcquireCancelSpinLock@4 ; IoAcquireCancelSpinLock(x)
		xor	ecx, ecx
		lea	eax, [edi+38h]
		xchg	ecx, [eax]
		movzx	eax, byte ptr [esi]
		push	eax
		call	IoReleaseCancelSpinLock
		cmp	byte ptr [edi+24h], 0
		jnz	loc_4E95F0
		mov	edx, [edi+0Ch]
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		inc	eax
		mov	[edx], ax
		push	18h
		pop	ecx
		mov	[edx+2], cx
		mov	eax, [ebx+48h]
		shr	eax, 0Ch
		and	eax, 7
		mov	[edx+4], eax
		xor	eax, eax
		inc	eax
		or	[edx+0Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[eax+1Ch], ecx
		mov	eax, [ebx]
		mov	ecx, [ebp+var_24]
		mov	[eax+18h], ecx
		xor	eax, eax
		lea	edx, [eax+1]
		mov	ecx, [ebx]
		call	IofCompleteRequest
		mov	eax, [ebp+var_24]
		mov	[ebx], eax
		mov	eax, [ebx+48h]
		and	eax, 20h
		or	eax, 805040h
		jmp	loc_4E93E4
; 

loc_4E95BC:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+428j
		test	esi, 4000h
		jz	loc_4E9657
		mov	edi, [ebx]
		mov	[ebp+arg_C], edi
		lea	esi, [edi+25h]
		push	esi
		call	_IoAcquireCancelSpinLock@4 ; IoAcquireCancelSpinLock(x)
		xor	ecx, ecx
		lea	eax, [edi+38h]
		xchg	ecx, [eax]
		movzx	eax, byte ptr [esi]
		push	eax
		call	IoReleaseCancelSpinLock
		cmp	byte ptr [edi+24h], 0
		jz	loc_4E969B

loc_4E95F0:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+30Cj
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3C4j ...
		push	[ebp+var_24]
		xor	edx, edx
		mov	ecx, ebx
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, ebx
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	eax, [ebp+var_24]
		mov	[ebx+10h], al
		mov	ecx, [ebx]
		cmp	[ecx+1Ch], ebx
		jnz	short loc_4E9617
		mov	[ecx+1Ch], eax
		mov	ecx, [ebx]

loc_4E9617:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+502j
		xor	eax, eax
		mov	dword ptr [ecx+18h], 0C0000120h
		lea	edx, [eax+1]
		mov	ecx, [ebx]
		call	IofCompleteRequest
		mov	eax, [ebp+var_24]
		mov	[ebx], eax

loc_4E962F:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+277j
		mov	ecx, [ebx+4]
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_24]
		mov	[ebx+4], ecx
		xor	edx, edx
		mov	eax, [ebx+48h]
		inc	edx
		and	eax, 20h
		or	eax, edx
		mov	[ebx+48h], eax

loc_4E964B:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+58Bj
		lea	eax, [ebx+2Ch]
		mov	edx, [eax]
		cmp	edx, eax
		jnz	short loc_4E968F
		mov	byte ptr [ebp+var_34], cl

loc_4E9657:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1BCj
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1D5j ...
		xor	edx, edx
		inc	edx

loc_4E965A:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8BFj
		mov	al, [ebp+var_1A]

loc_4E965D:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1CEj
		mov	cl, [ebp+var_19]
		test	al, al
		jz	loc_4E9B0C
		test	byte ptr [ebp+arg_4], dl
		jz	loc_4E9ABC
		mov	eax, [ebx+48h]
		test	eax, 10000h
		jz	short loc_4E9683
		or	eax, 20000h
		mov	[ebx+48h], eax

loc_4E9683:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+56Bj
		mov	[ebp+var_24], 108h
		jmp	loc_4E9B0C
; 

loc_4E968F:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+544j
		mov	ecx, edx
		call	_FsRtlpRemoveAndCompleteWaitingIrp@4 ; FsRtlpRemoveAndCompleteWaitingIrp(x)
		mov	ecx, [ebp+var_24]
		jmp	short loc_4E964B
; 

loc_4E969B:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4DCj
		mov	edx, [edi+0Ch]
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		inc	eax
		mov	[edx], ax
		push	18h
		pop	ecx
		mov	[edx+2], cx
		mov	eax, [ebx+48h]
		shr	eax, 0Ch
		and	eax, 7
		mov	[edx+4], eax
		xor	eax, eax
		inc	eax
		mov	[edx+8], eax
		or	[edx+0Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[eax+1Ch], ecx
		mov	eax, [ebx]
		mov	ecx, [ebp+var_24]
		mov	[eax+18h], ecx
		xor	eax, eax
		lea	edx, [eax+1]
		mov	ecx, [ebx]
		call	IofCompleteRequest
		mov	eax, [ebp+var_24]
		mov	[ebx], eax
		mov	eax, [ebx+48h]
		and	eax, 20h
		or	eax, 105040h
		jmp	loc_4E93E4
; 

loc_4E96F6:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+FCj
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+105j ...
		test	esi, 1000h
		jz	short loc_4E9759
		lea	eax, [ebx+14h]
		mov	edi, [eax]

loc_4E9703:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+628j
		mov	[ebp+var_28], edi
		cmp	edi, eax
		jz	short loc_4E9759
		mov	edx, [edi+8]
		cmp	dword ptr [edx+0Ch], 90240h
		jnz	short loc_4E9734
		cmp	[ebp+var_30], 0
		jnz	short loc_4E9738
		push	[ebp+arg_4]
		mov	edx, [edx+18h]
		mov	eax, [ebp+var_2C]
		mov	ecx, [eax+18h]
		call	FsRtlpOplockKeysEqual
		test	al, al
		jz	short loc_4E9738

loc_4E9731:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+649j
		lea	eax, [ebx+14h]

loc_4E9734:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+606j
		mov	edi, [edi]
		jmp	short loc_4E9703
; 

loc_4E9738:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+60Cj
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+621j
		test	[ebp+arg_4], 10010000h
		jnz	loc_4E91DE
		mov	edi, [edi+4]
		mov	[ebp+var_28], edi
		push	[ebp+var_24]
		xor	edx, edx
		mov	ecx, [edi]
		call	_FsRtlpRemoveAndCompleteReadOnlyIrp@12 ; FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)
		jmp	short loc_4E9731
; 

loc_4E9759:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5EEj
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5FAj
		mov	eax, [ebx+48h]
		and	eax, 1F0FFDFh
		cmp	eax, 0B000h
		jnz	loc_4E99A2

loc_4E976C:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+111j
		cmp	esi, 2000h
		jnz	loc_4E9842
		lea	eax, [ebx+1Ch]
		mov	edi, [eax]

loc_4E977D:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+72Fj
		mov	[ebp+var_28], edi
		cmp	edi, eax
		jz	loc_4E9956
		cmp	[ebp+var_30], 0
		jnz	short loc_4E97A4
		push	dword ptr [edi+0Ch]
		mov	eax, [ebp+var_2C]
		push	dword ptr [eax+18h]
		call	_FsRtlOplockKeysEqual@8	; FsRtlOplockKeysEqual(x,x)
		test	al, al
		jnz	loc_4E9838

loc_4E97A4:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+67Ej
		test	[ebp+arg_4], 10010000h
		jnz	loc_4E91DE
		mov	ecx, [ebp+var_24]
		xor	eax, eax
		lea	edx, [eax+1]
		cmp	[edi+1Ch], ecx
		jz	short loc_4E97C6
		mov	[ebp+var_1A], dl
		mov	[ebp+var_1B], dl
		jmp	short loc_4E9838
; 

loc_4E97C6:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6AEj
		mov	edi, [edi+4]
		mov	[ebp+var_28], edi
		mov	[ebp+var_3C], edx
		mov	eax, ecx
		mov	[ebp+var_38], ecx
		mov	esi, [ebp+var_2C]
		cmp	byte ptr [esi],	0
		mov	esi, [ebp+arg_C]
		jnz	short loc_4E97FB
		push	3
		pop	edx
		mov	[ebp+var_3C], edx
		mov	esi, [ebp+var_2C]
		mov	eax, [esi+4]
		mov	eax, [eax+4]
		mov	eax, [eax+14h]
		movzx	esi, word ptr [esi+0Eh]
		mov	[ebp+var_38], esi
		mov	esi, [ebp+arg_C]

loc_4E97FB:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6CFj
		push	[ebp+var_38]
		push	eax
		push	edx
		push	1000h
		push	ecx
		mov	edx, ebx
		mov	ecx, [edi]
		call	_FsRtlpRemoveAndCompleteRHIrp@28 ; FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)
		test	al, al
		jz	short loc_4E982F
		mov	al, byte ptr [ebp+var_24]
		mov	[ebp+var_19], al
		mov	[ebp+var_1E], al
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1A], al
		mov	[ebp+var_1B], al
		cmp	[ebp+var_30], 0
		setnz	byte ptr [ebp+var_34]
		jmp	short loc_4E9838
; 

loc_4E982F:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+703j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1C], al
		mov	[ebp+var_1F], al

loc_4E9838:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+690j
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6B6j ...
		mov	edi, [edi]
		lea	eax, [ebx+1Ch]
		jmp	loc_4E977D
; 

loc_4E9842:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+664j
		mov	eax, esi
		mov	ecx, 5000h
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_4E9956
		lea	eax, [ebx+24h]
		mov	edi, [eax]

loc_4E9858:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7A1j
		mov	[ebp+var_28], edi
		cmp	edi, eax
		jz	short loc_4E98B1
		cmp	[ebp+var_30], 0
		jnz	short loc_4E987A
		push	[ebp+arg_4]
		mov	edx, [edi+0Ch]
		mov	eax, [ebp+var_2C]
		mov	ecx, [eax+18h]
		call	FsRtlpOplockKeysEqual
		test	al, al
		jnz	short loc_4E98AA

loc_4E987A:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+755j
		test	[ebp+arg_4], 10010000h
		jnz	loc_4E91DE
		and	dword ptr [edi+18h], 0FF0FFFFFh
		mov	eax, [edi+18h]
		or	eax, (offset loc_7FFFFF+1)
		mov	[edi+18h], eax
		test	esi, 2000h
		jz	short loc_4E98AA
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1A], al
		mov	[ebp+var_1B], al

loc_4E98AA:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+76Aj
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+791j
		mov	edi, [edi]
		lea	eax, [ebx+24h]
		jmp	short loc_4E9858
; 

loc_4E98B1:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+74Fj
		lea	eax, [ebx+1Ch]
		mov	edi, [eax]

loc_4E98B6:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+843j
		mov	[ebp+var_28], edi
		cmp	edi, eax
		jz	loc_4E9956
		cmp	[ebp+var_30], 0
		jnz	short loc_4E98DC
		push	[ebp+arg_4]
		mov	edx, [edi+0Ch]
		mov	eax, [ebp+var_2C]
		mov	ecx, [eax+18h]
		call	FsRtlpOplockKeysEqual
		test	al, al
		jnz	short loc_4E994C

loc_4E98DC:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7B7j
		test	[ebp+arg_4], 10010000h
		jnz	loc_4E91DE
		mov	ecx, [ebp+var_24]
		cmp	[edi+1Ch], ecx
		jz	short loc_4E9904
		test	esi, 2000h
		jz	short loc_4E994C
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1A], al
		mov	[ebp+var_1B], al
		jmp	short loc_4E994C
; 

loc_4E9904:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7E1j
		mov	edi, [edi+4]
		mov	[ebp+var_28], edi
		push	ecx
		push	ecx
		xor	eax, eax
		inc	eax
		push	eax
		push	ecx
		push	ecx
		mov	edx, ebx
		mov	ecx, [edi]
		call	_FsRtlpRemoveAndCompleteRHIrp@28 ; FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)
		test	al, al
		jz	short loc_4E9943
		mov	al, byte ptr [ebp+var_24]
		mov	[ebp+var_19], al
		mov	[ebp+var_1E], al
		test	esi, 2000h
		jz	short loc_4E9939
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1A], al
		mov	[ebp+var_1B], al

loc_4E9939:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+820j
		cmp	[ebp+var_30], 0
		setnz	byte ptr [ebp+var_34]
		jmp	short loc_4E994C
; 

loc_4E9943:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+80Fj
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1C], al
		mov	[ebp+var_1F], al

loc_4E994C:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7CCj
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7E9j ...
		mov	edi, [edi]
		lea	eax, [ebx+1Ch]
		jmp	loc_4E98B6
; 

loc_4E9956:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+674j
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+73Fj ...
		cmp	[ebp+var_1C], 0
		jz	short loc_4E9963
		mov	ecx, ebx
		call	FsRtlpReleaseIrpsWaitingForRH

loc_4E9963:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+84Cj
		cmp	[ebp+var_1A], 0
		jnz	short loc_4E99A2
		lea	eax, [ebx+24h]
		mov	edi, [eax]
		cmp	edi, eax
		jz	short loc_4E99A2
		test	esi, 2000h
		jz	short loc_4E99A2
		cmp	[ebp+var_30], 0
		jnz	short loc_4E9999

loc_4E9980:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8A5j
		mov	[ebp+var_28], edi
		cmp	edi, eax
		jz	short loc_4E99A2
		mov	eax, [ebp+var_2C]
		push	dword ptr [eax+18h]
		push	dword ptr [edi+0Ch]
		call	_FsRtlOplockKeysEqual@8	; FsRtlOplockKeysEqual(x,x)
		test	al, al
		jnz	short loc_4E99AE

loc_4E9999:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+870j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1A], al
		mov	[ebp+var_1B], al

loc_4E99A2:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+658j
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+859j ...
		mov	ecx, ebx
		call	FsRtlpComputeShareableOplockState
		jmp	loc_4E9657
; 

loc_4E99AE:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+889j
		mov	edi, [edi]
		lea	eax, [ebx+24h]
		jmp	short loc_4E9980
; 

loc_4E99B5:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F0j
		test	esi, 1000h
		jz	short loc_4E99C8
		and	eax, 20h
		or	eax, 805040h
		mov	[ebx+48h], eax

loc_4E99C8:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8ADj
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8FDj
		xor	edx, edx
		inc	edx
		test	esi, edi
		jz	loc_4E965A
		jmp	loc_4E92D7
; 

loc_4E99D8:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+EAj
		mov	ecx, 107040h
		cmp	edx, ecx
		jz	loc_4E9A94
		cmp	edx, 307040h
		jz	loc_4E9AA5
		cmp	edx, 507040h
		jz	loc_4E9A82
		cmp	edx, offset loc_803000
		jz	short loc_4E9A29
		cmp	edx, 805040h
		jz	short loc_4E99C8
		cmp	edx, offset loc_807040
		jz	loc_4E92D4

loc_4E9A19:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+141j
		test	eax, 1000000h
		jz	loc_4E9657
		jmp	loc_4E92D4
; 

loc_4E9A29:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8F5j
		test	esi, 3000h
		jz	loc_4E9657
		test	[ebp+arg_4], 10010000h
		jnz	loc_4E91DE
		test	esi, 2000h
		jz	loc_4E9657
		lea	edi, [ebx+24h]
		mov	esi, [edi]

loc_4E9A53:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+972j
		mov	[ebp+var_28], esi
		cmp	esi, edi
		jz	loc_4E9657
		cmp	[ebp+var_30], 0
		jnz	loc_4E92D4
		push	dword ptr [esi+0Ch]
		mov	eax, [ebp+var_2C]
		push	dword ptr [eax+18h]
		call	_FsRtlOplockKeysEqual@8	; FsRtlOplockKeysEqual(x,x)
		test	al, al
		jz	loc_4E92D4
		mov	esi, [esi]
		jmp	short loc_4E9A53
; 

loc_4E9A82:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8E9j
		cmp	esi, 2000h
		jnz	short loc_4E9A94

loc_4E9A8A:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+99Dj
		and	eax, 20h
		or	eax, ecx
		jmp	loc_4E93E4
; 

loc_4E9A94:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8D1j
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+97Aj
		test	esi, 1000h
		jz	loc_4E92D4
		jmp	loc_4E9523
; 

loc_4E9AA5:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8DDj
		cmp	esi, 4000h
		jz	short loc_4E9A8A
		and	esi, edi
		cmp	esi, edi
		jnz	loc_4E92D4
		jmp	loc_4E9523
; 

loc_4E9ABC:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+55Dj
		test	cl, cl
		jz	short loc_4E9AD3
		push	edx
		xor	edx, edx
		mov	ecx, ebx
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, ebx
		call	FsRtlpOplockSendModernAppTermination

loc_4E9AD3:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9B0j
		mov	eax, [ebp+arg_2C]
		mov	ecx, [ebp+var_24]
		mov	[eax], cl
		push	[ebp+arg_30]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+var_34]
		lea	eax, [ebp+var_4C]
		push	eax
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_FsRtlpWaitOnIrp@48 ; FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_4E91C3
; 

loc_4E9B09:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8Bj
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+93j
		mov	[ebp+var_24], ecx

loc_4E9B0C:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B8j
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D7j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_4E9B2C

loc_4E9B18:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7Cj
		mov	eax, ecx

loc_4E9B1A:				; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+75j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	34h
_FsRtlpOplockBreakByCacheFlags@60 endp


;  S U B	R O U T	I N E 


sub_4E9B2C	proc near		; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A05p
					; DATA XREF: .text:006A2C30o
		mov	ecx, [ebp-24h]
		retn
sub_4E9B2C	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpOplockKeysEqual proc near		; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A9p
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+174p ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005CE147 SIZE 0000020C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		mov	edi, edx
		inc	ebx
		test	[ebp+arg_0], 40h
		mov	[ebp+var_4], edi
		jnz	loc_5CE147

loc_4E9B4D:				; CODE XREF: FsRtlpOplockKeysEqual+E46DDj
		test	esi, esi
		jz	short loc_4E9B55
		test	edi, edi
		jnz	short loc_4E9B5E

loc_4E9B55:				; CODE XREF: FsRtlpOplockKeysEqual+1Fj
					; FsRtlpOplockKeysEqual+44j ...
		xor	al, al

loc_4E9B57:				; CODE XREF: FsRtlpOplockKeysEqual+4Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4E9B5E:				; CODE XREF: FsRtlpOplockKeysEqual+23j
		cmp	esi, edi
		jz	short loc_4E9B7D
		push	esi
		call	_IoGetOplockKeyContextEx@4 ; IoGetOplockKeyContextEx(x)
		push	edi
		mov	esi, eax
		call	_IoGetOplockKeyContextEx@4 ; IoGetOplockKeyContextEx(x)
		mov	ecx, eax
		test	esi, esi
		jz	short loc_4E9B55
		jmp	loc_5CE212
; 

loc_4E9B7B:				; CODE XREF: FsRtlpOplockKeysEqual+E4710j
					; FsRtlpOplockKeysEqual+E471Ej	...
		xor	bl, bl

loc_4E9B7D:				; CODE XREF: FsRtlpOplockKeysEqual+30j
					; FsRtlpOplockKeysEqual+E4818j
		mov	al, bl
		jmp	short loc_4E9B57
FsRtlpOplockKeysEqual endp

; 
		align 10h
; Exported entry 732. IoAcquireCancelSpinLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAcquireCancelSpinLock(x)
		public _IoAcquireCancelSpinLock@4
_IoAcquireCancelSpinLock@4 proc	near	; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+21Cp
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2F3p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, large fs:20h
		mov	bl, al
		mov	eax, [ecx+454h]
		add	ecx, 450h
		test	ds:byte_70EFC6,	21h
		jnz	short loc_4E9BD3
		mov	edx, ecx
		xchg	edx, [eax]
		test	edx, edx
		jnz	short loc_4E9BCC

loc_4E9BC2:				; CODE XREF: IoAcquireCancelSpinLock(x)+41j
					; IoAcquireCancelSpinLock(x)+4Aj
		mov	eax, [ebp+arg_0]
		mov	[eax], bl
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4E9BCC:				; CODE XREF: IoAcquireCancelSpinLock(x)+30j
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_4E9BC2
; 

loc_4E9BD3:				; CODE XREF: IoAcquireCancelSpinLock(x)+28j
		mov	edx, eax
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4E9BC2
_IoAcquireCancelSpinLock@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspIsParentProcess(x, x)
_PspIsParentProcess@8 proc near		; CODE XREF: PspThreadOpen+27p
					; PspProcessOpen(x,x,x,x,x,x)+24p
		mov	eax, [edx+170h]
		push	ebx
		xor	bl, bl
		cmp	eax, [ecx+0E4h]
		jz	short loc_4E9BF1

loc_4E9BED:				; CODE XREF: PspIsParentProcess(x,x)+21j
					; PspIsParentProcess(x,x)+31j ...
		mov	al, bl
		pop	ebx
		retn
; 

loc_4E9BF1:				; CODE XREF: PspIsParentProcess(x,x)+Fj
		mov	eax, [edx+3ECh]
		cmp	eax, [ecx+3ECh]
		jb	short loc_4E9BED
		ja	short loc_4E9C0F
		mov	eax, [edx+3E8h]
		cmp	eax, [ecx+3E8h]
		jbe	short loc_4E9BED

loc_4E9C0F:				; CODE XREF: PspIsParentProcess(x,x)+23j
		mov	bl, 1
		jmp	short loc_4E9BED
_PspIsParentProcess@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall NtFlushProcessWriteBuffers()
_NtFlushProcessWriteBuffers@0 proc near	; DATA XREF: .text:0058103Co
		xor	cl, cl
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)
		xor	eax, eax
		retn
_NtFlushProcessWriteBuffers@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeFlushProcessWriteBuffers(x)
_KeFlushProcessWriteBuffers@4 proc near	; CODE XREF: KeSetPriorityAndQuantumProcess+A5p
					; NtFlushProcessWriteBuffers()+2p ...

var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	bl, cl
		stosd
		stosd
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	esi, large fs:20h
		mov	bh, al
		xor	edi, edi
		mov	[ebp+var_11], bh
		test	bl, bl
		jz	short loc_4E9CA9
		mov	eax, ds:_KeNumberProcessors
		mov	edi, 1
		dec	eax
		xor	edx, edx

loc_4E9C64:				; CODE XREF: KeFlushProcessWriteBuffers(x)+E6j
		test	eax, eax
		jz	short loc_4E9C90
		push	0
		push	0
		push	0
		push	offset _KiFlushWriteBuffersTarget@16 ; KiFlushWriteBuffersTarget(x,x,x,x)
		mov	ecx, edi
		call	_KiIpiSendPacket@24 ; KiIpiSendPacket(x,x,x,x,x,x)
		mov	eax, [esi+2120h]
		test	eax, eax
		jz	short loc_4E9C90

loc_4E9C84:				; CODE XREF: KeFlushProcessWriteBuffers(x)+6Ej
		pause
		mov	eax, [esi+2120h]
		test	eax, eax
		jnz	short loc_4E9C84

loc_4E9C90:				; CODE XREF: KeFlushProcessWriteBuffers(x)+46j
					; KeFlushProcessWriteBuffers(x)+62j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E9CA9:				; CODE XREF: KeFlushProcessWriteBuffers(x)+35j
		mov	ecx, [esi+4]
		mov	ecx, [ecx+80h]
		mov	eax, [ecx+58h]
		mov	ebx, [ecx+60h]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+5Ch]
		mov	[ebp+var_C], eax
		mov	eax, [esi+3CCh]
		btr	ebx, eax
		mov	[ebp+var_8], ebx
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		mov	bh, [ebp+var_11]
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		lea	edx, [ebp+var_10]
		movzx	eax, cl
		jmp	loc_4E9C64
_KeFlushProcessWriteBuffers@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiGetNextTimer2ExpirationDueTime proc near
					; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+E2p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CE353 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	[ebp+var_14], edx
		mov	[ebp+var_4], 0FFFFFFFFh
		mov	[ebp+var_8], 0FFFFFFFFh
		mov	[ebp+var_C], 0FFFFFFFFh
		mov	[ebp+var_10], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		test	cl, cl
		jnz	loc_5CE353
		mov	esi, 2

loc_4E9D47:				; CODE XREF: KiGetNextTimer2ExpirationDueTime+E4648j
		mov	eax, [ebp+arg_4]
		mov	byte ptr [eax],	0
		lea	ecx, [ecx+0]

loc_4E9D50:				; CODE XREF: KiGetNextTimer2ExpirationDueTime+78j
		mov	edi, esi
		xor	eax, eax
		shl	edi, 4
		xor	edx, edx
		add	edi, offset unk_6CB148
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		cmp	esi, 2
		jz	short loc_4E9DAF
		cmp	edx, [ebp+var_10]
		ja	short loc_4E9D84
		jb	short loc_4E9D79
		cmp	eax, [ebp+var_C]
		jnb	short loc_4E9D84

loc_4E9D79:				; CODE XREF: KiGetNextTimer2ExpirationDueTime+62j
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edx
		cmp	esi, 4
		jz	short loc_4E9DC3

loc_4E9D84:				; CODE XREF: KiGetNextTimer2ExpirationDueTime+60j
					; KiGetNextTimer2ExpirationDueTime+67j	...
		inc	esi
		cmp	esi, 4
		jle	short loc_4E9D50
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		mov	[ecx], eax
		mov	eax, [ebp+var_8]
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_C]
		pop	ebx
		mov	[eax], ecx
		mov	ecx, [ebp+var_10]
		mov	[eax+4], ecx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4E9DAF:				; CODE XREF: KiGetNextTimer2ExpirationDueTime+5Bj
		cmp	edx, [ebp+var_8]
		ja	short loc_4E9D84
		jb	short loc_4E9DBB
		cmp	eax, [ebp+var_4]
		jnb	short loc_4E9D84

loc_4E9DBB:				; CODE XREF: KiGetNextTimer2ExpirationDueTime+A4j
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx
		jmp	short loc_4E9D84
; 

loc_4E9DC3:				; CODE XREF: KiGetNextTimer2ExpirationDueTime+72j
		mov	eax, [ebp+arg_4]
		mov	byte ptr [eax],	1
		jmp	short loc_4E9D84
KiGetNextTimer2ExpirationDueTime endp

; 
		align 10h
; Exported entry 1274. KeRestoreExtendedProcessorState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRestoreExtendedProcessorState(x)
		public _KeRestoreExtendedProcessorState@4
_KeRestoreExtendedProcessorState@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	KeRestoreExtendedAndSupervisorState
		pop	ebp
		retn	4
_KeRestoreExtendedProcessorState@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1275. KeRestoreFloatingPointState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRestoreFloatingPointState(x)
		public _KeRestoreFloatingPointState@4
_KeRestoreFloatingPointState@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	KeRestoreExtendedAndSupervisorState
		xor	eax, eax
		pop	ebp
		retn	4
_KeRestoreFloatingPointState@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeRestoreExtendedAndSupervisorState proc near
					; CODE XREF: KeRestoreExtendedProcessorState(x)+8p
					; KeRestoreFloatingPointState(x)+8p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CE35D SIZE 0000009C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edi, large fs:124h
		mov	bl, al
		cmp	bl, 2
		ja	loc_5CE35D
		test	bl, bl
		jnz	loc_4E9F34
		test	byte ptr [edi+84h], 1
		jnz	loc_4E9F34

loc_4E9E3A:				; CODE XREF: KeRestoreExtendedAndSupervisorState+138j
		mov	cl, [esi+1Ch]
		cmp	cl, al
		jnz	loc_5CE371
		mov	eax, [esi+14h]
		cmp	eax, edi
		jnz	loc_5CE387
		cmp	bl, 1
		jnb	short loc_4E9E5D
		dec	word ptr [edi+13Eh]
		nop

loc_4E9E5D:				; CODE XREF: KeRestoreExtendedAndSupervisorState+53j
		mov	eax, [esi+0Ch]
		mov	[edi+10Ch], eax
		mov	eax, [esi+4]
		mov	ecx, [esi]
		mov	[ebp+var_4], eax
		mov	eax, ds:_KeFeatureBits
		mov	edx, eax
		and	edx, 400000h
		mov	[ebp+var_C], eax
		mov	eax, edx
		mov	[ebp+var_8], ecx
		or	eax, 0
		jz	loc_5CE3B3
		cmp	bl, 2
		jz	loc_4E9F3D

loc_4E9E95:				; CODE XREF: KeRestoreExtendedAndSupervisorState+144j
		mov	ecx, ds:0FFDF03D8h
		mov	eax, ds:0FFDF03DCh

loc_4E9EA0:				; CODE XREF: KeRestoreExtendedAndSupervisorState+E45AEj
		not	ecx
		not	eax
		and	ecx, [ebp+var_8]
		and	eax, [ebp+var_4]
		or	ecx, eax
		mov	ecx, [ebp+var_8]
		jnz	loc_5CE3C1

loc_4E9EB5:				; CODE XREF: KeRestoreExtendedAndSupervisorState+E45BBj
		mov	eax, ecx
		or	eax, [ebp+var_4]
		jz	short loc_4E9EDA
		or	edx, 0
		jz	loc_5CE3EB
		cmp	bl, 2
		jz	loc_4E9F4F

loc_4E9ECE:				; CODE XREF: KeRestoreExtendedAndSupervisorState+156j
		push	[ebp+var_4]
		push	ecx
		mov	ecx, [esi+10h]
		call	_RtlXRestore@12	; RtlXRestore(x,x,x)

loc_4E9EDA:				; CODE XREF: KeRestoreExtendedAndSupervisorState+BAj
					; KeRestoreExtendedAndSupervisorState+E45F4j
		cmp	bl, 1
		jnb	short loc_4E9EF2
		nop
		add	word ptr [edi+13Eh], 1
		jnz	short loc_4E9EF2
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jnz	short loc_4E9F2D

loc_4E9EF2:				; CODE XREF: KeRestoreExtendedAndSupervisorState+DDj
					; KeRestoreExtendedAndSupervisorState+E8j ...
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_4E9F26
		push	76615358h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [esi], 0
		mov	dword ptr [esi+4], 0
		mov	dword ptr [esi+8], 0
		mov	dword ptr [esi+18h], 0
		mov	dword ptr [esi+10h], 0

loc_4E9F26:				; CODE XREF: KeRestoreExtendedAndSupervisorState+F7j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4E9F2D:				; CODE XREF: KeRestoreExtendedAndSupervisorState+F0j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_4E9EF2
; 

loc_4E9F34:				; CODE XREF: KeRestoreExtendedAndSupervisorState+27j
					; KeRestoreExtendedAndSupervisorState+34j
		mov	al, bl
		inc	al
		jmp	loc_4E9E3A
; 

loc_4E9F3D:				; CODE XREF: KeRestoreExtendedAndSupervisorState+8Fj
		test	byte ptr ds:0FFDF03ECh,	2
		jz	loc_4E9E95
		jmp	loc_5CE397
; 

loc_4E9F4F:				; CODE XREF: KeRestoreExtendedAndSupervisorState+C8j
		test	byte ptr ds:0FFDF03ECh,	2
		jz	loc_4E9ECE
		jmp	loc_5CE3DA
KeRestoreExtendedAndSupervisorState endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlXRestore(x, x, x)
_RtlXRestore@12	proc near		; CODE XREF: KeContextToKframes+468p
					; KeRestoreExtendedAndSupervisorState+D5p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		cmp	[edi+20Ch], ecx
		jg	short loc_4E9F7F
		jl	short loc_4E9FAA
		cmp	[edi+208h], ecx
		jb	short loc_4E9FAA

loc_4E9F7F:				; CODE XREF: RtlXRestore(x,x,x)+11j
		mov	eax, [ebp+arg_0]
		and	eax, 6
		cmp	eax, 4
		jnz	short loc_4E9FAA
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		push	esi
		mov	esi, [edi+18h]
		stmxcsr	[ebp+var_4]
		mov	ecx, [ebp+var_4]
		mov	[edi+18h], ecx
		lfence	dword ptr [edi]
		mov	[edi+18h], esi
		pop	esi

loc_4E9FA5:				; CODE XREF: RtlXRestore(x,x,x)+51j
		pop	edi
		leave
		retn	8
; 

loc_4E9FAA:				; CODE XREF: RtlXRestore(x,x,x)+13j
					; RtlXRestore(x,x,x)+1Bj ...
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		lfence	dword ptr [edi]
		jmp	short loc_4E9FA5
_RtlXRestore@12	endp

; 
		align 10h
; Exported entry 1769. PsGetCurrentProcessWin32Process

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentProcessWin32Process()
		public _PsGetCurrentProcessWin32Process@0
_PsGetCurrentProcessWin32Process@0 proc	near
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+154h]
		retn
_PsGetCurrentProcessWin32Process@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCompressTbFlushList proc near		; CODE XREF: MiRevertValidPte+4D4p
					; MiTerminateWsleCluster+7E0p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CE3F9 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		mov	esi, 1
		mov	[ebp+var_14], ecx
		lea	eax, [ecx+14h]
		mov	[ebp+var_C], 0
		cmp	[ecx+0Ch], esi
		jbe	short loc_4EA06F
		push	ebx
		push	edi
		lea	edi, [ecx+18h]

loc_4EA005:				; CODE XREF: MiCompressTbFlushList+84j
		mov	ebx, [edi]
		mov	edx, ebx
		shr	edx, 0Ah
		and	edx, 3
		mov	[ebp+var_4], 1000h
		lea	ecx, [edx+edx*8]
		shl	[ebp+var_4], cl
		mov	ecx, [eax]
		mov	[ebp+var_8], ecx
		shr	ecx, 0Ah
		and	ecx, 3
		cmp	edx, ecx
		jnz	short loc_4EA053
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		and	ecx, 3FFh
		and	edx, 0FFFFF000h
		mov	[ebp+var_10], ecx
		inc	ecx
		imul	ecx, [ebp+var_4]
		sub	edx, ecx
		mov	ecx, [ebp+var_8]
		and	ecx, 0FFFFF000h
		sub	edx, ecx
		jz	short loc_4EA074

loc_4EA053:				; CODE XREF: MiCompressTbFlushList+49j
					; MiCompressTbFlushList+9Dj
		add	eax, 4
		mov	[eax], ebx

loc_4EA058:				; CODE XREF: MiCompressTbFlushList+CDj
					; MiCompressTbFlushList+E4446j
		mov	edx, [ebp+var_14]
		inc	esi
		add	edi, 4
		mov	ecx, [edx+0Ch]
		cmp	esi, ecx
		jb	short loc_4EA005
		mov	eax, [ebp+var_C]
		pop	edi
		pop	ebx
		test	eax, eax
		jnz	short loc_4EA0AF

loc_4EA06F:				; CODE XREF: MiCompressTbFlushList+1Ej
					; MiCompressTbFlushList+D4j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4EA074:				; CODE XREF: MiCompressTbFlushList+71j
		mov	edx, [ebp+var_10]
		cmp	edx, 3FFh
		jz	short loc_4EA053
		mov	ecx, ebx
		and	ecx, 3FFh
		inc	ecx
		add	ecx, edx
		cmp	ecx, 3FFh
		ja	loc_5CE3F9
		mov	edx, [ebp+var_8]
		lea	ecx, [edx+1]
		add	ecx, ebx
		xor	ecx, edx
		and	ecx, 3FFh
		xor	ecx, edx
		inc	[ebp+var_C]
		mov	[eax], ecx
		jmp	short loc_4EA058
; 

loc_4EA0AF:				; CODE XREF: MiCompressTbFlushList+8Dj
		sub	ecx, eax
		mov	[edx+0Ch], ecx
		jmp	short loc_4EA06F
MiCompressTbFlushList endp


;  S U B	R O U T	I N E 


; __stdcall KiRequestTimer2Expiration()
_KiRequestTimer2Expiration@0 proc near	; CODE XREF: KeSetTimer2:loc_4D8383p
					; KiAdjustTimer2DueTimes:loc_55EFCBp
		mov	edi, edi
		push	esi
		mov	esi, _KiClockTimerOwner
		push	edi
		push	8
		pop	edx
		mov	edi, ds:_KiProcessorBlock[esi*4]
		lea	ecx, [edi+223Ch]
		call	_KiSetDpcRequestFlag@8 ; KiSetDpcRequestFlag(x,x)
		movzx	eax, ax
		test	al, 29h
		jnz	short loc_4EA0FA
		mov	eax, large fs:20h
		cmp	eax, edi
		pop	edi
		jz	short loc_4EA0F1
		mov	ecx, esi
		mov	dl, 2
		pop	esi
		jmp	_KiSendSoftwareInterrupt@8 ; KiSendSoftwareInterrupt(x,x)
; 

loc_4EA0F1:				; CODE XREF: KiRequestTimer2Expiration()+2Fj
		mov	cl, 2
		pop	esi
		jmp	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
; 

loc_4EA0FA:				; CODE XREF: KiRequestTimer2Expiration()+24j
		pop	edi
		pop	esi
		retn
_KiRequestTimer2Expiration@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiSendSoftwareInterrupt(x, x)
_KiSendSoftwareInterrupt@8 proc	near	; CODE XREF: KiApplyForegroundBoostThread+101p
					; KiSignalThreadForApc(x,x,x)+CAp ...
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		push	esi
		movzx	esi, dl
		add	eax, 21A0h
		lock or	[eax], esi
		mov	eax, large fs:20h
		push	edx
		push	ecx
		inc	dword ptr [eax+40B4h]
		call	ds:__imp__HalSendSoftwareInterrupt@8 ; HalSendSoftwareInterrupt(x,x)
		pop	esi
		retn
_KiSendSoftwareInterrupt@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiRemoveThreadFromAnyReadyQueue(x, x, x, x)
_KiRemoveThreadFromAnyReadyQueue@16 proc near
					; CODE XREF: KiRescheduleThreadAfterAffinityChange+68p
					; KiSetPriorityThread+1F2p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	eax, edx
		mov	edx, [ebp+arg_0]
		test	dword ptr [edx+58h], 2000h
		jnz	short loc_4EA15F
		cmp	dword ptr [edx+148h], 0
		jge	short loc_4EA152
		mov	ecx, eax
		call	_KiRemoveThreadFromSharedReadyQueue@12 ; KiRemoveThreadFromSharedReadyQueue(x,x,x)

loc_4EA14E:				; CODE XREF: KiRemoveThreadFromAnyReadyQueue(x,x,x,x)+35j
					; KiRemoveThreadFromAnyReadyQueue(x,x,x,x)+43j
		pop	ebp
		retn	8
; 

loc_4EA152:				; CODE XREF: KiRemoveThreadFromAnyReadyQueue(x,x,x,x)+1Dj
		add	edx, 9Ch
		call	_KiRemoveThreadFromReadyQueue@12 ; KiRemoveThreadFromReadyQueue(x,x,x)
		jmp	short loc_4EA14E
; 

loc_4EA15F:				; CODE XREF: KiRemoveThreadFromAnyReadyQueue(x,x,x,x)+14j
		push	edx
		mov	edx, [edx+230h]
		call	_KiRemoveThreadFromScbQueue@16 ; KiRemoveThreadFromScbQueue(x,x,x,x)
		jmp	short loc_4EA14E
_KiRemoveThreadFromAnyReadyQueue@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiRemoveThreadFromSharedReadyQueue(x, x, x)
_KiRemoveThreadFromSharedReadyQueue@12 proc near
					; CODE XREF: KiRemoveThreadFromAnyReadyQueue(x,x,x,x)+21p
					; KiSetThreadSchedulingGroup+170E5Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		lea	edi, [edx+9Ch]
		mov	esi, ecx
		mov	ecx, [edi]
		mov	eax, [edi+4]
		cmp	[ecx+4], edi
		jnz	short loc_4EA1BF
		cmp	[eax], edi
		jnz	short loc_4EA1BF
		mov	[eax], ecx
		mov	[ecx+4], eax
		cmp	eax, ecx
		jnz	short loc_4EA1A0
		mov	ecx, [esi+4]
		mov	eax, [ebp+arg_0]
		btc	ecx, eax
		mov	[esi+4], ecx

loc_4EA1A0:				; CODE XREF: KiRemoveThreadFromSharedReadyQueue(x,x,x)+24j
		dec	dword ptr [esi+134h]
		mov	eax, [edx+39Ch]
		sub	[esi+138h], eax
		pop	edi
		sbb	dword ptr [esi+13Ch], 0
		pop	esi
		pop	ebp
		retn	4
; 

loc_4EA1BF:				; CODE XREF: KiRemoveThreadFromSharedReadyQueue(x,x,x)+17j
					; KiRemoveThreadFromSharedReadyQueue(x,x,x)+1Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_KiRemoveThreadFromSharedReadyQueue@12 endp ; AL = character to	display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiPrepareReadyThreadForRescheduling(x, x, x)
_KiPrepareReadyThreadForRescheduling@12	proc near
					; CODE XREF: KiRescheduleThreadAfterAffinityChange+74p
					; KiSetPriorityThread+211p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		lea	eax, [edx-1]
		push	esi
		mov	esi, ecx
		cmp	eax, 0Dh
		ja	short loc_4EA1E8
		mov	eax, ds:_KeTickCount
		add	eax, 0FFFFFED4h
		cmp	eax, [esi+138h]
		jnb	short loc_4EA203

loc_4EA1E8:				; CODE XREF: KiPrepareReadyThreadForRescheduling(x,x,x)+10j
					; KiPrepareReadyThreadForRescheduling(x,x,x)+57j
		mov	ecx, esi
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	ecx, [ebp+arg_0]
		lea	edx, [esi+9Ch]
		pop	esi
		mov	eax, [ecx]
		mov	[edx], eax
		mov	[ecx], edx
		leave
		retn	4
; 

loc_4EA203:				; CODE XREF: KiPrepareReadyThreadForRescheduling(x,x,x)+22j
					; KiPrepareReadyThreadForRescheduling(x,x,x)+5Bj
		mov	eax, [esi+34h]
		mov	ecx, [esi+30h]
		cmp	eax, [esi+38h]
		jnz	short loc_4EA21D
		push	eax
		push	ecx
		push	0Fh
		mov	edx, esi
		xor	ecx, ecx
		call	KiSetPriorityBoost
		jmp	short loc_4EA1E8
; 

loc_4EA21D:				; CODE XREF: KiPrepareReadyThreadForRescheduling(x,x,x)+48j
		pause
		jmp	short loc_4EA203
_KiPrepareReadyThreadForRescheduling@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExCpuSetResourceManagerAccessCheck(x)
_ExCpuSetResourceManagerAccessCheck@4 proc near	; CODE XREF: PAGE:00781DDFp
					; PAGE:007AA50Bp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+28h+var_10]
		stosd
		xor	esi, esi
		mov	ebx, ecx
		mov	[esp+28h+var_14], esi
		mov	[esp+28h+var_18], esi
		stosd
		stosd
		stosd
		test	bl, bl
		jz	short loc_4EA2AF
		push	ebx
		push	ds:dword_A949F4
		push	ds:_SeIncreaseBasePriorityPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_4EA2AF
		mov	eax, large fs:124h
		lea	ecx, [esp+28h+var_10]
		push	ecx
		push	dword ptr [eax+80h]
		push	eax
		call	SeCaptureSubjectContextEx
		push	esi
		lea	eax, [esp+2Ch+var_18]
		mov	ecx, offset _ExpCpuSetSecurityDescriptor
		push	eax
		lea	eax, [esp+30h+var_14]
		push	eax
		push	ebx
		push	offset _ExpRestrictedGenericMapping
		push	esi
		push	esi
		push	1
		push	esi
		lea	eax, [esp+4Ch+var_10]
		push	eax
		push	7
		pop	edx
		call	SeAccessCheckWithHintWithAdminlessChecks
		lea	eax, [esp+28h+var_10]
		push	eax
		call	SeReleaseSubjectContext
		mov	eax, [esp+28h+var_18]
		jmp	short loc_4EA2B1
; 

loc_4EA2AF:				; CODE XREF: ExCpuSetResourceManagerAccessCheck(x)+26j
					; ExCpuSetResourceManagerAccessCheck(x)+3Cj
		xor	eax, eax

loc_4EA2B1:				; CODE XREF: ExCpuSetResourceManagerAccessCheck(x)+8Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_ExCpuSetResourceManagerAccessCheck@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSetSystemAllowedCpuSets proc near	; CODE XREF: PAGE:007B48D3p
					; KiInitializeReservedCpuSets+2534Bp

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CE42B SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], eax
		mov	edx, esi
		mov	ecx, eax
		call	_KiValidateCpuSetMasks@8 ; KiValidateCpuSetMasks(x,x)
		test	eax, eax
		js	loc_4EA363
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		cmp	esi, 1
		jnb	loc_5CE42B

loc_4EA2EA:				; CODE XREF: KeSetSystemAllowedCpuSets+E4176j
		push	ebx
		push	edi
		mov	ecx, offset _KiCpuSetLock
		xor	ebx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, offset _KiCpuSetSequence
		call	RtlWriteAcquireTickLock
		mov	edi, ds:dword_70E328
		mov	edx, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_4EA36D
		mov	ecx, edx
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, edi

loc_4EA319:				; CODE XREF: KeSetSystemAllowedCpuSets+BAj
		mov	eax, ds:_KiReservedCpuSets
		not	eax
		and	ecx, eax
		mov	ds:_KiSystemAllowedCpuSets[edx*4], ecx
		and	ecx, edi
		cmp	ecx, edi
		jnz	short loc_4EA368

loc_4EA32F:				; CODE XREF: KeSetSystemAllowedCpuSets+B3j
		test	edx, edx
		jnz	short loc_4EA339
		mov	ds:_KiRestrictedSystemCpuSetsActive, ebx

loc_4EA339:				; CODE XREF: KeSetSystemAllowedCpuSets+79j
		mov	ecx, ds:_KiCpuSetSequence
		mov	eax, ds:dword_70E6F4
		add	ecx, 1
		mov	dl, [ebp+var_1]
		adc	eax, 0
		mov	ds:_KiCpuSetSequence, ecx
		xor	ecx, ecx
		mov	ds:dword_70E6F4, eax
		call	KeCpuSetReportParkedProcessors
		pop	edi
		xor	eax, eax
		pop	ebx

loc_4EA363:				; CODE XREF: KeSetSystemAllowedCpuSets+1Aj
		pop	esi
		leave
		retn	4
; 

loc_4EA368:				; CODE XREF: KeSetSystemAllowedCpuSets+75j
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_4EA32F
; 

loc_4EA36D:				; CODE XREF: KeSetSystemAllowedCpuSets+55j
		mov	ecx, [ebp+var_8]
		mov	ecx, [ecx]
		jmp	short loc_4EA319
KeSetSystemAllowedCpuSets endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeCpuSetReportParkedProcessors proc near ; CODE	XREF: KeSetSystemAllowedCpuSets+A2p
					; PpmParkReportMask+12A0A3p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005CE433 SIZE 0000011F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		mov	[ebp+var_14], ebx
		mov	eax, offset _KiCpuSetLock
		push	edi
		movzx	edi, ds:_KiActiveGroups
		mov	[ebp+var_40], edi
		test	ebx, ebx
		jnz	loc_5CE433

loc_4EA39E:				; CODE XREF: KeCpuSetReportParkedProcessors+E40C6j
		xor	esi, esi
		xor	edx, edx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_8], edx
		test	edi, edi
		jz	short loc_4EA423
		xor	eax, eax
		mov	[ebp+var_C], eax

loc_4EA3B1:				; CODE XREF: KeCpuSetReportParkedProcessors+AAj
		mov	ecx, ds:dword_70E328[eax*4]
		mov	[ebp+var_10], ecx
		test	ebx, ebx
		jnz	loc_5CE43F
		mov	edi, ds:_KiNonParkedCpuSets[eax*4]
		mov	[ebp+var_1C], edi
		mov	[ebp+eax*4+var_30], edi

loc_4EA3D1:				; CODE XREF: KeCpuSetReportParkedProcessors+E40EDj
		mov	esi, edi
		mov	[ebp+var_2C], 1
		and	esi, ecx
		mov	ebx, esi
		xor	ebx, ecx
		test	esi, esi
		jz	short loc_4EA404

loc_4EA3E4:				; CODE XREF: KeCpuSetReportParkedProcessors+85j
		mov	eax, ds:_KiCpuSetAffinitiesShadow
		xor	edx, edx
		bsf	ecx, esi
		inc	edx
		shl	edx, cl
		xor	esi, edx
		mov	[ebp+var_38], ecx
		mov	[eax+ecx*4], edx
		jnz	short loc_4EA3E4
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+var_8]

loc_4EA404:				; CODE XREF: KeCpuSetReportParkedProcessors+6Ej
		test	ebx, ebx
		jnz	loc_5CE466

loc_4EA40C:				; CODE XREF: KeCpuSetReportParkedProcessors+E41CCj
		mov	ebx, [ebp+var_14]

loc_4EA40F:				; CODE XREF: KeCpuSetReportParkedProcessors+E40E7j
		mov	edi, [ebp+var_40]
		inc	edx
		movzx	eax, dx
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], eax
		cmp	eax, edi
		jb	short loc_4EA3B1
		mov	esi, [ebp+var_2C]

loc_4EA423:				; CODE XREF: KeCpuSetReportParkedProcessors+36j
		and	[ebp+var_34], 0
		test	esi, esi
		jz	short loc_4EA48E
		mov	ecx, offset _KiCpuSetSequence
		call	RtlWriteAcquireTickLock
		xor	edx, edx
		test	edi, edi
		jz	short loc_4EA450
		xor	ecx, ecx

loc_4EA43D:				; CODE XREF: KeCpuSetReportParkedProcessors+DAj
		mov	eax, [ebp+ecx*4+var_30]
		inc	edx
		mov	ds:_KiNonParkedCpuSets[ecx*4], eax
		movzx	ecx, dx
		cmp	ecx, edi
		jb	short loc_4EA43D

loc_4EA450:				; CODE XREF: KeCpuSetReportParkedProcessors+C5j
		push	ds:_KiCpuSetAffinitySize ; size_t
		push	ds:_KiCpuSetAffinitiesShadow ; void *
		push	ds:_KiCpuSetAffinities ; void *
		call	_memcpy
		mov	eax, ds:_KiCpuSetSequence
		lea	ecx, [ebp+var_34]
		mov	edx, ds:dword_70E6F4
		add	esp, 0Ch
		add	eax, 1
		mov	ds:_KiCpuSetSequence, eax
		adc	edx, 0
		mov	ds:dword_70E6F4, edx
		call	KiUpdateGlobalCpuSetConfiguration

loc_4EA48E:				; CODE XREF: KeCpuSetReportParkedProcessors+B5j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _KiCpuSetLock
		jnz	loc_5CE545
		xor	eax, eax
		lock and [ecx],	eax

loc_4EA4A5:				; CODE XREF: KeCpuSetReportParkedProcessors+E41D9j
		mov	esi, large fs:20h
		lea	edx, [ebp+var_34]
		mov	ecx, esi
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, esi
		call	KiCheckForThreadDispatch
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
KeCpuSetReportParkedProcessors endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiUpdateGlobalCpuSetConfiguration proc near ; CODE XREF: KeCpuSetReportParkedProcessors+115p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CE552 SIZE 000000FD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], eax
		cmp	ds:_KeNumberProcessors,	eax
		jbe	locret_4EA587
		push	ebx
		push	esi
		push	edi

loc_4EA4E5:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+B8j
		mov	edi, ds:_KiProcessorBlock[eax*4]
		mov	ecx, ds:_KiCpuSetSequence
		mov	eax, [edi+0Ch]
		lea	ebx, [edi+2224h]
		mov	[eax+160h], ecx

loc_4EA501:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+E40DDj
		and	[ebp+var_10], 0

loc_4EA505:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+FAj
		lock bts dword ptr [ebx], 0
		jb	loc_4EA5B4
		mov	esi, [edi+4]
		xor	edx, edx
		mov	ecx, esi
		call	_KiTryToAcquireThreadLock@8 ; KiTryToAcquireThreadLock(x,x)
		test	al, al
		jz	loc_5CE552

loc_4EA524:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+E40C9j
		mov	ebx, [esi+16Ch]
		mov	ecx, esi
		and	[ebp+var_8], 0
		call	_KiCheckThreadAffinity@4 ; KiCheckThreadAffinity(x)
		test	eax, eax
		jz	short loc_4EA589

loc_4EA539:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+ECj
					; KiUpdateGlobalCpuSetConfiguration+106j
		mov	ecx, [esi+16Ch]
		mov	dword ptr [esi+2Ch], 0
		test	ds:dword_70EFD0, 8000000h
		jnz	loc_5CE5C8

loc_4EA556:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+E4110j
		mov	ebx, [edi+8]
		test	ebx, ebx
		jnz	short loc_4EA5D1

loc_4EA55D:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+114j
					; KiUpdateGlobalCpuSetConfiguration+E4162j
		xor	ecx, ecx
		lea	eax, [edi+2224h]
		lock and [eax],	ecx
		cmp	[ebp+var_8], ecx
		jnz	loc_5CE62D

loc_4EA571:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+E4177j
					; KiUpdateGlobalCpuSetConfiguration+E4184j
		mov	eax, [ebp+var_C]
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, ds:_KeNumberProcessors
		jb	loc_4EA4E5
		pop	edi
		pop	esi
		pop	ebx

locret_4EA587:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+16j
		leave
		retn
; 

loc_4EA589:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+71j
		mov	ecx, esi
		call	KiComputeThreadAffinity
		mov	al, [esi+90h]
		cmp	al, 2
		jnz	short loc_4EA5C8

loc_4EA59A:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+104j
		push	[ebp+var_4]
		lea	edx, [esi+164h]
		mov	ecx, esi
		push	0
		push	edi
		push	2
		call	KiRescheduleThreadAfterAffinityChange
		mov	[ebp+var_8], eax
		jmp	short loc_4EA539
; 

loc_4EA5B4:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+44j
					; KiUpdateGlobalCpuSetConfiguration+100j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jz	loc_4EA505
		jmp	short loc_4EA5B4
; 

loc_4EA5C8:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+D2j
		cmp	al, 5
		jz	short loc_4EA59A
		jmp	loc_4EA539
; 

loc_4EA5D1:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+95j
		mov	ecx, ebx
		call	_KiCheckThreadAffinity@4 ; KiCheckThreadAffinity(x)
		test	eax, eax
		jnz	short loc_4EA55D
		jmp	loc_5CE5DB
KiUpdateGlobalCpuSetConfiguration endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1285. KeSetAffinityThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetLegacyAffinityThread(x, x)
		public _KeSetLegacyAffinityThread@8
_KeSetLegacyAffinityThread@8 proc near	; CODE XREF: NtSetInformationThread+8C2p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+150h]
		mov	[ebp+var_18], eax
		test	esi, esi
		jz	loc_4EA698
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_1C], ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_11], al
		mov	eax, large fs:20h
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_18]
		add	eax, 34h
		push	eax
		mov	[ebp+var_20], eax
		call	ExAcquireSpinLockSharedAtDpcLevel
		movzx	eax, word ptr [edi+158h]
		mov	ecx, eax
		mov	word ptr [ebp+var_C], ax
		mov	eax, ds:dword_70E328[ecx*4]
		and	esi, eax
		jz	short loc_4EA67A
		mov	eax, [ebp+var_18]
		mov	eax, [eax+ecx*4+48h]
		and	eax, esi
		cmp	eax, esi
		jnz	short loc_4EA67A
		mov	ebx, [edi+154h]
		lea	eax, [ebp+var_10]
		push	eax
		lea	edx, [ebp+var_1C]
		mov	[ebp+var_10], esi
		mov	ecx, edi
		call	KiSetAffinityThread

loc_4EA67A:				; CODE XREF: KeSetLegacyAffinityThread(x,x)+6Ej
					; KeSetLegacyAffinityThread(x,x)+7Bj
		push	[ebp+var_20]
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	ecx, [ebp+var_24]
		lea	edx, [ebp+var_1C]
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, [ebp+var_11]
		mov	ecx, [ebp+var_24]
		call	KiCheckForThreadDispatch

loc_4EA698:				; CODE XREF: KeSetLegacyAffinityThread(x,x)+28j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_KeSetLegacyAffinityThread@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSetAffinityThread proc near		; CODE XREF: KeSetLegacyAffinityThread(x,x)+8Fp
					; KeSetAffinityThread(x,x)+5Fp	...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CE64F SIZE 00000070 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	[ebp+var_24], edx
		stosd
		mov	esi, ecx
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_20], eax
		lea	edi, [esi+2Ch]
		mov	[ebp+var_18], eax
		mov	[ebp+var_2C], eax

loc_4EA6DF:				; CODE XREF: KiSetAffinityThread+E3FB1j
		lock bts dword ptr [edi], 0
		jb	loc_5CE64F
		mov	eax, [esi+16Ch]
		mov	edx, ebx
		mov	[ebp+var_30], eax
		mov	eax, [esi+88h]
		mov	[ebp+var_34], eax
		mov	ax, [ebx+4]
		mov	[esi+158h], ax
		mov	eax, [ebx]
		mov	[esi+154h], eax
		mov	eax, [esi+88h]
		mov	[ebp+var_14], eax
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		mov	[ebp+var_1C], ecx
		call	_KiPrcbInGroupAffinity@8 ; KiPrcbInGroupAffinity(x,x)
		test	eax, eax
		jnz	short loc_4EA772
		mov	ecx, ebx
		call	KeSelectNodeForAffinity
		mov	ecx, eax
		lea	edx, [ebp+var_10]
		mov	ax, [ebx+4]
		mov	[ebp+var_C], ax
		mov	eax, [ecx+84h]
		and	eax, [ebx]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_1C]
		add	eax, 3CCh
		push	eax
		push	0
		call	_KeSelectIdealProcessor@16 ; KeSelectIdealProcessor(x,x,x,x)
		movzx	eax, ax
		mov	[ebp+var_14], eax
		mov	[esi+88h], eax
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	[ebp+var_1C], eax

loc_4EA772:				; CODE XREF: KiSetAffinityThread+7Fj
		xor	edi, edi
		test	byte ptr [esi+58h], 8
		mov	[ebp+var_28], edi
		jnz	short loc_4EA7F9
		lea	eax, [ebp+var_20]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_28]
		call	KiAcquireThreadStateLock
		mov	byte ptr [ebp+var_18], al
		mov	ecx, esi
		mov	ax, [ebx+4]
		mov	[esi+168h], ax
		mov	eax, [ebx]
		mov	[esi+164h], eax
		call	KiComputeThreadAffinity
		test	eax, eax
		jnz	loc_5CE662
		mov	eax, [ebp+var_14]
		mov	ecx, esi
		mov	[esi+16Ch], eax
		call	KiUpdateNodeAffinitizedFlag
		mov	ecx, [ebp+var_1C]
		mov	edx, esi
		call	_KiUpdateSharedReadyQueueAffinityThread@8 ; KiUpdateSharedReadyQueueAffinityThread(x,x)

loc_4EA7CA:				; CODE XREF: KiSetAffinityThread+E3FCDj
		push	[ebp+var_24]
		mov	edi, [ebp+var_28]
		mov	edx, ebx
		push	[ebp+var_20]
		mov	ecx, esi
		push	edi
		push	[ebp+var_18]
		call	KiRescheduleThreadAfterAffinityChange
		mov	[ebp+var_18], eax
		test	edi, edi
		jz	short loc_4EA7F2
		xor	eax, eax
		lea	ecx, [edi+2224h]
		lock and [ecx],	eax

loc_4EA7F2:				; CODE XREF: KiSetAffinityThread+139j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_4EA868

loc_4EA7F9:				; CODE XREF: KiSetAffinityThread+CFj
					; KiSetAffinityThread+1C1j
		cmp	[ebp+var_18], 0
		mov	ecx, [esi+16Ch]
		mov	eax, [esi+88h]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_24], eax
		mov	dword ptr [esi+2Ch], 0
		jz	short loc_4EA82D
		movzx	eax, large byte	ptr fs:51h
		mov	ecx, [edi+3CCh]
		cmp	eax, ecx
		jnz	short loc_4EA85F

loc_4EA82A:				; CODE XREF: KiSetAffinityThread+1BAj
		mov	ecx, [ebp+var_14]

loc_4EA82D:				; CODE XREF: KiSetAffinityThread+16Aj
		mov	edi, 8000000h
		test	ds:dword_70EFD0, edi
		jnz	loc_5CE67E

loc_4EA83E:				; CODE XREF: KiSetAffinityThread+E3FE8j
					; KiSetAffinityThread+E4000j
		test	dword ptr ds:byte_70EFC4, 1000h
		jnz	loc_5CE6B1

loc_4EA84E:				; CODE XREF: KiSetAffinityThread+E400Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_4EA85F:				; CODE XREF: KiSetAffinityThread+17Cj
		mov	dl, 2
		call	_KiSendSoftwareInterrupt@8 ; KiSendSoftwareInterrupt(x,x)
		jmp	short loc_4EA82A
; 

loc_4EA868:				; CODE XREF: KiSetAffinityThread+14Bj
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	short loc_4EA7F9
KiSetAffinityThread endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiRescheduleThreadAfterAffinityChange proc near
					; CODE XREF: KiUpdateGlobalCpuSetConfiguration+E4p
					; KiSetAffinityThread+12Fp ...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005CE6BF SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ecx
		sub	eax, 1
		jz	short loc_4EA8C9
		sub	eax, 1
		jnz	short loc_4EA8B8
		mov	ecx, [ebp+arg_4]
		call	_KiPrcbInGroupAffinity@8 ; KiPrcbInGroupAffinity(x,x)
		test	eax, eax
		jnz	short loc_4EA8C1
		mov	al, [edi+90h]
		cmp	al, 2
		jnz	short loc_4EA8EB
		lea	eax, [edi+5Ch]
		lock bts dword ptr [eax], 0Ch
		cmp	dword ptr [ecx+8], 0
		jnz	short loc_4EA8C1
		mov	edx, [ebp+arg_C]
		call	KiSelectNextThread
		xor	eax, eax
		inc	eax
		jmp	short loc_4EA8C3
; 

loc_4EA8B8:				; CODE XREF: KiRescheduleThreadAfterAffinityChange+15j
		sub	eax, 1
		jz	loc_5CE6BF

loc_4EA8C1:				; CODE XREF: KiRescheduleThreadAfterAffinityChange+21j
					; KiRescheduleThreadAfterAffinityChange+39j ...
		xor	eax, eax

loc_4EA8C3:				; CODE XREF: KiRescheduleThreadAfterAffinityChange+46j
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_4EA8C9:				; CODE XREF: KiRescheduleThreadAfterAffinityChange+10j
		movsx	esi, byte ptr [edi+87h]
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		push	esi
		push	edi
		call	_KiRemoveThreadFromAnyReadyQueue@16 ; KiRemoveThreadFromAnyReadyQueue(x,x,x,x)
		push	[ebp+arg_C]
		mov	edx, esi
		mov	ecx, edi
		call	_KiPrepareReadyThreadForRescheduling@12	; KiPrepareReadyThreadForRescheduling(x,x,x)
		jmp	short loc_4EA8C1
; 

loc_4EA8EB:				; CODE XREF: KiRescheduleThreadAfterAffinityChange+2Bj
		or	byte ptr [edi+54h], 8
		jmp	short loc_4EA8C1
KiRescheduleThreadAfterAffinityChange endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSelectNodeForAffinity	proc near	; CODE XREF: KiSetIdealNodeProcessByGroup(x,x,x)+66p
					; KiSetAffinityThread+83p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CE6F1 SIZE 000000A8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	dx, ds:_KeNumberNodes
		push	ebx
		mov	ebx, ecx
		cmp	dx, 1
		jnz	loc_5CE6F1
		mov	eax, ds:_KeNodeBlock

loc_4EA911:				; CODE XREF: KeSelectNodeForAffinity+E3EA2j
		pop	ebx
		leave
		retn
KeSelectNodeForAffinity	endp


;  S U B	R O U T	I N E 


; __stdcall KiValidateCpuSetMasks(x, x)
_KiValidateCpuSetMasks@8 proc near	; CODE XREF: KeSetSystemAllowedCpuSets+13p
					; KeSetCpuSetsProcess(x,x,x,x)+1Dp ...
		movzx	eax, ds:_KiMaximumGroups
		push	esi
		push	edi
		mov	edi, ecx
		cmp	edx, eax
		ja	short loc_4EA94D
		xor	esi, esi
		test	edx, edx
		jnz	short loc_4EA92E

loc_4EA929:				; CODE XREF: KiValidateCpuSetMasks(x,x)+35j
		xor	eax, eax

loc_4EA92B:				; CODE XREF: KiValidateCpuSetMasks(x,x)+3Ej
		pop	edi
		pop	esi
		retn
; 

loc_4EA92E:				; CODE XREF: KiValidateCpuSetMasks(x,x)+13j
					; KiValidateCpuSetMasks(x,x)+37j
		mov	ecx, ds:dword_70E328[esi*4]
		xor	eax, eax
		not	ecx
		not	eax
		and	ecx, [edi+esi*8]
		and	eax, [edi+esi*8+4]
		or	ecx, eax
		jnz	short loc_4EA94D
		inc	esi
		cmp	esi, edx
		jnb	short loc_4EA929
		jmp	short loc_4EA92E
; 

loc_4EA94D:				; CODE XREF: KiValidateCpuSetMasks(x,x)+Dj
					; KiValidateCpuSetMasks(x,x)+30j
		mov	eax, 0C00001AFh
		jmp	short loc_4EA92B
_KiValidateCpuSetMasks@8 endp


;  S U B	R O U T	I N E 


; __stdcall PfpRpControlRequestVerify(x)
_PfpRpControlRequestVerify@4 proc near	; CODE XREF: PfpRpControlRequest+60p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		push	0
		pop	eax
		mov	edx, eax
		mov	esi, [edi+8]
		lea	ecx, [edi+14h]
		add	esi, [edi+4]
		jnz	short loc_4EA98B

loc_4EA96A:				; CODE XREF: PfpRpControlRequestVerify(x)+43j
		mov	esi, [edi+10h]
		add	ecx, 3
		add	esi, [edi+0Ch]
		and	ecx, 0FFFFFFFCh
		mov	edx, eax
		test	esi, esi
		jz	short loc_4EA988

loc_4EA97C:				; CODE XREF: PfpRpControlRequestVerify(x)+32j
		cmp	[ecx], eax
		jz	short loc_4EA9A0
		add	ecx, 4
		inc	edx
		cmp	edx, esi
		jb	short loc_4EA97C

loc_4EA988:				; CODE XREF: PfpRpControlRequestVerify(x)+26j
					; PfpRpControlRequestVerify(x)+4Aj ...
		pop	edi
		pop	esi
		retn
; 

loc_4EA98B:				; CODE XREF: PfpRpControlRequestVerify(x)+14j
					; PfpRpControlRequestVerify(x)+41j
		cmp	[ecx], eax
		jz	short loc_4EA999
		add	ecx, 8
		inc	edx
		cmp	edx, esi
		jb	short loc_4EA98B
		jmp	short loc_4EA96A
; 

loc_4EA999:				; CODE XREF: PfpRpControlRequestVerify(x)+39j
		mov	eax, 3E8h
		jmp	short loc_4EA988
; 

loc_4EA9A0:				; CODE XREF: PfpRpControlRequestVerify(x)+2Aj
		mov	eax, 7D0h
		jmp	short loc_4EA988
_PfpRpControlRequestVerify@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


PfVolumeSupportedForPrefetch proc near	; CODE XREF: PfpVolumeOpenAndVerify+11Ep

; FUNCTION CHUNK AT 005CE799 SIZE 0000000D BYTES

		mov	eax, [ecx]
		cmp	eax, 7
		jnz	loc_5CE799

loc_4EA9B3:				; CODE XREF: PfVolumeSupportedForPrefetch+E3DF4j
		mov	eax, [ecx+4]
		test	al, 10h
		jnz	short loc_4EA9CA
		test	al, 1
		jnz	short loc_4EA9CE
		not	al
		movzx	eax, al
		shr	eax, 3
		and	eax, 4
		retn
; 

loc_4EA9CA:				; CODE XREF: PfVolumeSupportedForPrefetch+10j
		push	2
		jmp	short loc_4EA9D0
; 

loc_4EA9CE:				; CODE XREF: PfVolumeSupportedForPrefetch+14j
		push	3

loc_4EA9D0:				; CODE XREF: PfVolumeSupportedForPrefetch+24j
		pop	eax
		retn
PfVolumeSupportedForPrefetch endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmRereferenceProcessObject(x, x, x,	x)
_SmRereferenceProcessObject@16 proc near
					; CODE XREF: SmProcessStoreMemoryPriorityRequest+8Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_PsProcessType
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	0
		push	edx
		push	[ebp+arg_0]
		push	eax
		push	2000h
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		mov	[edx], ecx
		leave
		retn	8
_SmRereferenceProcessObject@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiProcessWsInSwapSupport proc near	; CODE XREF: MmInSwapWorkingSet+BCp
					; MmInSwapWorkingSet+D4p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CE7A6 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+8]
		push	ebx
		push	esi
		mov	esi, [ecx]
		push	edi
		mov	[ebp+var_4], esi
		lea	ebx, [esi+eax*8]
		xor	eax, eax
		mov	[ebp+var_8], ebx
		cmp	esi, ebx
		jnb	short loc_4EAA4C

loc_4EAA20:				; CODE XREF: MiProcessWsInSwapSupport+36j
		mov	edi, [esi+4]
		shr	edi, 0Ch
		lea	ecx, [edi+eax]
		cmp	ecx, 1000h
		jnb	short loc_4EAA53
		mov	eax, ecx

loc_4EAA33:				; CODE XREF: MiProcessWsInSwapSupport+90j
		add	esi, 8
		cmp	esi, ebx
		jb	short loc_4EAA20
		test	eax, eax
		jz	short loc_4EAA4C
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_4]
		lea	edx, [esi-8]
		call	_MiProcessWsInSwapRanges@12 ; MiProcessWsInSwapRanges(x,x,x)

loc_4EAA4C:				; CODE XREF: MiProcessWsInSwapSupport+1Cj
					; MiProcessWsInSwapSupport+3Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4EAA53:				; CODE XREF: MiProcessWsInSwapSupport+2Dj
		mov	edx, 1000h
		sub	edx, eax
		test	byte ptr [ebp+arg_0], 4
		jnz	loc_5CE7A6

loc_4EAA64:				; CODE XREF: MiProcessWsInSwapSupport+E3DC7j
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	eax, edx
		shl	eax, 0Ch
		sub	edi, edx
		mov	edx, esi
		mov	[esi+4], eax
		call	_MiProcessWsInSwapRanges@12 ; MiProcessWsInSwapRanges(x,x,x)
		test	edi, edi
		jz	short loc_4EAA94
		mov	eax, [esi+4]
		add	[esi], eax
		shl	edi, 0Ch
		mov	[esi+4], edi
		mov	[ebp+var_4], esi
		sub	esi, 8

loc_4EAA90:				; CODE XREF: MiProcessWsInSwapSupport+98j
		xor	eax, eax
		jmp	short loc_4EAA33
; 

loc_4EAA94:				; CODE XREF: MiProcessWsInSwapSupport+7Bj
		lea	eax, [esi+8]
		mov	[ebp+var_4], eax
		jmp	short loc_4EAA90
MiProcessWsInSwapSupport endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiProcessWsInSwapRanges(x, x, x)
_MiProcessWsInSwapRanges@12 proc near	; CODE XREF: MiProcessWsInSwapSupport+45p
					; MiProcessWsInSwapSupport+74p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		mov	esi, ecx
		mov	eax, 103Dh
		and	edi, 2
		jnz	short loc_4EAAEE

loc_4EAAB5:				; CODE XREF: MiProcessWsInSwapRanges(x,x,x)+66j
		test	byte ptr [ebp+arg_0], 4
		jnz	short loc_4EAB12

loc_4EAABB:				; CODE XREF: MiProcessWsInSwapRanges(x,x,x)+7Bj
		mov	ecx, [esi]
		mov	edx, ebx
		cmp	ecx, dword_6D07D0
		push	eax
		sbb	ecx, ecx
		sub	edx, esi
		sar	edx, 3
		push	esi
		inc	edx
		call	MmPrefetchVirtualMemory
		test	edi, edi
		jnz	short loc_4EAB04

loc_4EAAD8:				; CODE XREF: MiProcessWsInSwapRanges(x,x,x)+74j
		test	byte ptr [ebp+arg_0], 1
		jnz	short loc_4EAAE7
		mov	edx, ebx
		mov	ecx, esi
		call	_MiReleaseOutSwapReservations@8	; MiReleaseOutSwapReservations(x,x)

loc_4EAAE7:				; CODE XREF: MiProcessWsInSwapRanges(x,x,x)+40j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4EAAEE:				; CODE XREF: MiProcessWsInSwapRanges(x,x,x)+17j
		mov	edx, large fs:124h
		mov	eax, 333Dh
		dec	word ptr [edx+13Eh]
		nop
		jmp	short loc_4EAAB5
; 

loc_4EAB04:				; CODE XREF: MiProcessWsInSwapRanges(x,x,x)+3Aj
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_4EAAD8
; 

loc_4EAB12:				; CODE XREF: MiProcessWsInSwapRanges(x,x,x)+1Dj
		or	eax, 20000h
		jmp	short loc_4EAABB
_MiProcessWsInSwapRanges@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReleaseOutSwapReservations(x, x)
_MiReleaseOutSwapReservations@8	proc near ; CODE XREF: MiProcessWsInSwapRanges(x,x,x)+46p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [ebp+var_44]
		mov	[ebp+var_8], ecx
		mov	ebx, edx
		mov	edi, ecx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_4], ebx
		call	_memset
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], 1000h
		xor	ecx, ecx
		mov	[ebp+var_40], eax
		inc	ecx
		mov	word ptr [ebp+var_44], 3
		xor	edx, edx
		mov	[ebp+var_3C], ecx
		lea	eax, [ebp+var_44]
		mov	[ebp+var_14], edx
		or	eax, ecx
		mov	[ebp+var_38], edx
		add	esp, 0Ch
		mov	[ebp+var_34], edx
		mov	[ebp+var_C], eax
		cmp	edi, ebx
		ja	short loc_4EABA8
		mov	eax, ebx

loc_4EAB71:				; CODE XREF: MiReleaseOutSwapReservations(x,x)+8Cj
		mov	esi, [edi]
		mov	ebx, [edi+4]
		add	ebx, esi
		cmp	esi, ebx
		jnb	short loc_4EAB9E
		mov	edi, [ebp+var_C]

loc_4EAB7F:				; CODE XREF: MiReleaseOutSwapReservations(x,x)+7Cj
		push	edi
		push	edx
		push	esi
		push	edx
		mov	[ebp+var_14], esi
		call	MmAccessFault
		add	esi, 1000h
		push	0
		pop	edx
		cmp	esi, ebx
		jb	short loc_4EAB7F
		mov	edi, [ebp+var_8]
		mov	eax, [ebp+var_4]

loc_4EAB9E:				; CODE XREF: MiReleaseOutSwapReservations(x,x)+60j
		add	edi, 8
		mov	[ebp+var_8], edi
		cmp	edi, eax
		jbe	short loc_4EAB71

loc_4EABA8:				; CODE XREF: MiReleaseOutSwapReservations(x,x)+53j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiReleaseOutSwapReservations@8	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1627. ObIsKernelHandle

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObIsKernelHandle(x)
		public _ObIsKernelHandle@4
_ObIsKernelHandle@4 proc near		; CODE XREF: MmPrefetchVirtualMemory+F2p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	dl, dl
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		pop	ebp
		retn	4
_ObIsKernelHandle@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PFP_GET_CURRENT_TICK_COUNT_MS()
_PFP_GET_CURRENT_TICK_COUNT_MS@0 proc near ; CODE XREF:	PfPowerActionNotify:loc_71FC23p
					; PfpScenCtxPrefetchWait+988Cp	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	eax
		call	KeQueryTickCount
		mov	ecx, ds:0FFDF0004h
		mov	eax, [ebp+var_4]
		mul	ecx
		mov	esi, eax
		mov	edi, edx
		mov	eax, [ebp+var_8]
		mul	ecx
		shld	edi, esi, 8
		shrd	eax, edx, 18h
		shl	esi, 8
		shr	edx, 18h
		add	eax, esi
		adc	edx, edi
		pop	edi
		pop	esi
		leave
		retn
_PFP_GET_CURRENT_TICK_COUNT_MS@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmSetTrimWhileAgingState(x)
_MmSetTrimWhileAgingState@4 proc near	; CODE XREF: PfSetSuperfetchInformation+260p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	ecx, ecx

loc_4EAC12:				; CODE XREF: MmSetTrimWhileAgingState(x)+24j
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_4EAC22
		pop	esi
		pop	ebp
		retn	4
; 

loc_4EAC22:				; CODE XREF: MmSetTrimWhileAgingState(x)+11j
		push	[ebp+arg_0]
		mov	ecx, [esi]
		call	MiSetTrimWhileAgingState
		mov	ecx, esi
		jmp	short loc_4EAC12
_MmSetTrimWhileAgingState@4 endp


;  S U B	R O U T	I N E 


; __stdcall PsGetNextPartition(x)
_PsGetNextPartition@4 proc near		; CODE XREF: MmSetTrimWhileAgingState(x):loc_4EAC12p
					; MmFlushAllPagesEx(x,x,x):loc_5547A6p	...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx

loc_4EAC39:				; CODE XREF: PsGetNextPartition(x)+34j
		call	_PsGetNextPartitionUnsafe@4 ; PsGetNextPartitionUnsafe(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_4EAC51
		mov	ecx, esi
		call	PsReferencePartitionSafe
		test	al, al
		jz	short loc_4EAC62
		mov	ebx, esi

loc_4EAC51:				; CODE XREF: PsGetNextPartition(x)+12j
		test	edi, edi
		jz	short loc_4EAC5C
		mov	ecx, edi
		call	PsDereferencePartition

loc_4EAC5C:				; CODE XREF: PsGetNextPartition(x)+23j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
; 

loc_4EAC62:				; CODE XREF: PsGetNextPartition(x)+1Dj
		mov	ecx, esi
		jmp	short loc_4EAC39
_PsGetNextPartition@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 200. CcGetDirtyPages

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcGetDirtyPages(x, x, x, x)
		public _CcGetDirtyPages@16
_CcGetDirtyPages@16 proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_8]
		lea	edx, [ebp+var_18]
		and	[ebp+var_8], 0
		mov	ecx, offset CcGetDirtyPagesHelper
		and	[ebp+var_4], 0
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_4]
		push	1
		mov	[ebp+var_14], eax
		call	CcForEachPartition
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_4]
		leave
		retn	10h
_CcGetDirtyPages@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcForEachPartition proc	near		; CODE XREF: CcGetDirtyPages(x,x,x,x)+32p
					; CcNotifyWriteBehind(x)+Dp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005CE7CE SIZE 00000061 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_C], ecx
		xor	edi, edi
		xor	bh, bh
		mov	[ebp+var_8], edx
		xor	ecx, ecx

loc_4EACC5:				; CODE XREF: CcForEachPartition+A3j
		call	_PsGetNextPartitionUnsafe@4 ; PsGetNextPartitionUnsafe(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_4EAD56
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	ecx, offset _CcGlobalPartitionLock
		mov	[ebp+var_1], bl
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_4EAD12
		mov	edi, ecx
		cmp	byte ptr [edi+28Ah], 2
		jnb	loc_5CE7CE
		xor	eax, eax
		inc	eax
		lock xadd [edi+28Ch], eax
		inc	eax
		cmp	eax, 1
		jle	short loc_4EAD5D

loc_4EAD10:				; CODE XREF: CcForEachPartition+B4j
		mov	bh, 1

loc_4EAD12:				; CODE XREF: CcForEachPartition+40j
					; CcForEachPartition+E3B24j ...
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _CcGlobalPartitionLock
		jnz	loc_5CE811
		xor	eax, eax
		lock and [ecx],	eax

loc_4EAD29:				; CODE XREF: CcForEachPartition+E3B6Bj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bh, bh
		jz	short loc_4EAD4F
		push	[ebp+var_8]
		push	edi
		call	[ebp+var_C]
		mov	ecx, edi
		mov	bl, al
		call	CcDereferencePartition
		xor	bh, bh
		test	bl, bl
		jz	loc_5CE81E

loc_4EAD4F:				; CODE XREF: CcForEachPartition+85j
		mov	ecx, esi
		jmp	loc_4EACC5
; 

loc_4EAD56:				; CODE XREF: CcForEachPartition+20j
					; CcForEachPartition+E3B7Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4EAD5D:				; CODE XREF: CcForEachPartition+60j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_4EAD10
CcForEachPartition endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetNextPartitionUnsafe(x)
_PsGetNextPartitionUnsafe@4 proc near	; CODE XREF: PsGetNextPartition(x):loc_4EAC39p
					; CcForEachPartition:loc_4EACC5p ...

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	offset _PspActivePartitionListLock
		mov	edi, ecx
		xor	ebx, ebx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	esi, _PspActivePartitionListHead
		mov	[ebp+var_1], al
		test	edi, edi
		jz	short loc_4EAD8C
		mov	esi, [edi+14h]

loc_4EAD8C:				; CODE XREF: PsGetNextPartitionUnsafe(x)+23j
					; PsGetNextPartitionUnsafe(x)+75j
		cmp	esi, offset _PspActivePartitionListHead
		jz	short loc_4EADAD
		lea	eax, [esi-14h]
		mov	edx, 6E457350h
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	short loc_4EADD7
		mov	ebx, [ebp+var_8]

loc_4EADAD:				; CODE XREF: PsGetNextPartitionUnsafe(x)+2Ej
		push	offset _PspActivePartitionListLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_4EADD0
		mov	edx, 6E457350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_4EADD0:				; CODE XREF: PsGetNextPartitionUnsafe(x)+5Ej
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_4EADD7:				; CODE XREF: PsGetNextPartitionUnsafe(x)+44j
		mov	esi, [esi]
		jmp	short loc_4EAD8C
_PsGetNextPartitionUnsafe@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


PsDereferencePartition proc near	; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+4BFp
					; .text:00463213p ...

; FUNCTION CHUNK AT 005CE82F SIZE 00000021 BYTES

		or	eax, 0FFFFFFFFh
		lock xadd [ecx+0Ch], eax
		dec	eax
		test	eax, eax
		jle	loc_5CE82F
		retn
PsDereferencePartition endp


;  S U B	R O U T	I N E 


PsReferencePartitionSafe proc near	; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+4A9p
					; .text:004631B4p ...

; FUNCTION CHUNK AT 005CE850 SIZE 0000000E BYTES

		mov	edi, edi
		push	esi
		lea	esi, [ecx+0Ch]
		mov	edx, [esi]
		lea	ecx, [edx+1]

loc_4EADF9:				; CODE XREF: PsReferencePartitionSafe+27j
		cmp	ecx, 1
		jbe	loc_5CE850
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	ecx, eax
		cmp	ecx, edx
		jnz	short loc_4EAE12
		mov	al, 1
		pop	esi
		retn
; 

loc_4EAE12:				; CODE XREF: PsReferencePartitionSafe+1Ej
		mov	edx, ecx
		inc	ecx
		jmp	short loc_4EADF9
PsReferencePartitionSafe endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockDynamicMemoryExclusive proc near ; CODE	XREF: MiInsertPartitionPages(x,x,x,x,x)+F9p
					; MiInsertPartitionPages(x,x,x,x,x)+331p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CE85E SIZE 0000004B BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	[ebp+var_28], edx
		add	ecx, 6Ch
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4EAF91

loc_4EAE53:				; CODE XREF: MiUnlockDynamicMemoryExclusive+181j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4EAF59
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_4EAE90
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4EAF6A

loc_4EAE90:				; CODE XREF: MiUnlockDynamicMemoryExclusive+69j
		cmp	ecx, [ebp+var_20]
		jb	short loc_4EAEA2
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4EAF6A

loc_4EAEA2:				; CODE XREF: MiUnlockDynamicMemoryExclusive+7Bj
					; MiUnlockDynamicMemoryExclusive+165j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_4EAF82
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4EAF9E

loc_4EAEE3:				; CODE XREF: MiUnlockDynamicMemoryExclusive+18Ej
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5CE871
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4EAF2F:				; CODE XREF: MiUnlockDynamicMemoryExclusive+172j
					; MiUnlockDynamicMemoryExclusive+E3A6Bj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	short loc_4EAFAB

loc_4EAF42:				; CODE XREF: MiUnlockDynamicMemoryExclusive+1CCj
					; MiUnlockDynamicMemoryExclusive+E3A8Cj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4EAF59
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_4EAFEF

loc_4EAF59:				; CODE XREF: MiUnlockDynamicMemoryExclusive+46j
					; MiUnlockDynamicMemoryExclusive+133j ...
		mov	ecx, [ebp+var_28]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4EAF6A:				; CODE XREF: MiUnlockDynamicMemoryExclusive+72j
					; MiUnlockDynamicMemoryExclusive+84j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax
		jmp	loc_4EAEA2
; 

loc_4EAF82:				; CODE XREF: MiUnlockDynamicMemoryExclusive+B3j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_4EAF2F
		jmp	loc_5CE85E
; 

loc_4EAF91:				; CODE XREF: MiUnlockDynamicMemoryExclusive+35j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_4EAE53
; 

loc_4EAF9E:				; CODE XREF: MiUnlockDynamicMemoryExclusive+C5j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_4EAEE3
; 

loc_4EAFAB:				; CODE XREF: MiUnlockDynamicMemoryExclusive+128j
		test	edi, 8000h
		jz	short loc_4EAFBC
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4EAFBC:				; CODE XREF: MiUnlockDynamicMemoryExclusive+199j
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5CE888

loc_4EAFC6:				; CODE XREF: MiUnlockDynamicMemoryExclusive+E3A7Aj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4EAFDA
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4EAFDA:				; CODE XREF: MiUnlockDynamicMemoryExclusive+1B5j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4EAF42
		jmp	loc_5CE897
; 

loc_4EAFEF:				; CODE XREF: MiUnlockDynamicMemoryExclusive+13Bj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4EAF59
MiUnlockDynamicMemoryExclusive endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetNodeChannelPageCounts(x, x, x,	x, x, x)
_MiGetNodeChannelPageCounts@24 proc near ; CODE	XREF: MiGetChannelInformation+93p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		imul	esi, [ebp+arg_0], 280h
		push	edi
		add	esi, [ecx+10h]
		mov	[ebp+var_8], esi
		cmp	edx, 1
		jnz	short loc_4EB01F
		mov	ebx, [esi+1DCh]
		jmp	short loc_4EB026
; 

loc_4EB01F:				; CODE XREF: MiGetNodeChannelPageCounts(x,x,x,x,x,x)+1Bj
		mov	ebx, [esi+edx*4+1D8h]

loc_4EB026:				; CODE XREF: MiGetNodeChannelPageCounts(x,x,x,x,x,x)+23j
		mov	eax, [esi+1D0h]
		mov	ecx, [esi+1D4h]
		mov	[ebp+arg_0], ebx
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ecx

loc_4EB03B:				; CODE XREF: MiGetNodeChannelPageCounts(x,x,x,x,x,x)+7Fj
		mov	edx, eax
		mov	[ebp+var_4], esi
		mov	edi, ecx
		xor	ebx, ebx

loc_4EB044:				; CODE XREF: MiGetNodeChannelPageCounts(x,x,x,x,x,x)+6Ej
		mov	ecx, ds:_MiLargePageSizes[ebx]
		add	ebx, 4
		mov	eax, [esi]
		lea	esi, [esi+98h]
		imul	eax, ecx
		add	edx, eax
		mov	eax, [esi-94h]
		imul	eax, ecx
		add	edi, eax
		cmp	ebx, 8
		jb	short loc_4EB044
		mov	esi, [ebp+var_8]
		lea	eax, [edx+edi]
		cmp	eax, [ebp+arg_0]
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		ja	short loc_4EB03B
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	[eax], edx
		mov	eax, [ebp+arg_C]
		or	dword ptr [eax], 0FFFFFFFFh
		leave
		retn	10h
_MiGetNodeChannelPageCounts@24 endp


;  S U B	R O U T	I N E 


; __stdcall MiLockDynamicMemoryExclusive(x, x)
_MiLockDynamicMemoryExclusive@8	proc near ; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+E6p
					; MiInsertPartitionPages(x,x,x,x,x)+1F4p ...
		dec	word ptr [edx+13Eh]
		nop
		add	ecx, 6Ch
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_MiLockDynamicMemoryExclusive@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSetTrimWhileAgingState proc near	; CODE XREF: MmSetTrimWhileAgingState(x)+1Dp
					; MiInitializeWorkingSetManagerParameters+12Dp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CE8A9 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		lea	ebx, [ecx+1040h]
		mov	al, [ebx+60h]
		push	esi
		mov	esi, [ecx+0F00h]
		and	al, 7
		push	edi
		mov	edi, offset unk_6D3C40
		cmp	al, 2
		jnz	loc_5CE8A9

loc_4EB0CA:				; CODE XREF: MiSetTrimWhileAgingState+E380Bj
		push	edi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [edi+4], 0
		mov	ah, al
		mov	ecx, [ebp+arg_0]
		movzx	edi, cl
		mov	edx, edi
		sub	edx, 0
		jz	short loc_4EB13C
		sub	edx, 1
		jz	loc_5CE8C7
		sub	edx, 1
		jz	loc_5CE8B4
		sub	edx, 1
		jz	short loc_4EB12C
		sub	edx, 1
		jnz	short loc_4EB10A
		mov	dword ptr [esi+38h], 5DC00h

loc_4EB106:				; CODE XREF: MiSetTrimWhileAgingState+9Cj
		and	dword ptr [esi+34h], 0

loc_4EB10A:				; CODE XREF: MiSetTrimWhileAgingState+59j
					; MiSetTrimWhileAgingState+96j	...
		mov	al, byte ptr [ebp+arg_0+2]
		mov	dl, ah
		mov	[esi+4C2h], ch
		mov	ecx, ebx
		mov	[esi+3Ch], edi
		mov	[esi+4C3h], al
		call	MiUnlockWorkingSetExclusive
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4EB12C:				; CODE XREF: MiSetTrimWhileAgingState+54j
		mov	dword ptr [esi+38h], 32000h
		mov	dword ptr [esi+34h], 3200h
		jmp	short loc_4EB10A
; 

loc_4EB13C:				; CODE XREF: MiSetTrimWhileAgingState+3Dj
		and	dword ptr [esi+38h], 0
		jmp	short loc_4EB106
MiSetTrimWhileAgingState endp

; 
		align 8
; Exported entry 427. ExReleaseSpinLockShared

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExReleaseSpinLockShared
ExReleaseSpinLockShared	proc near	; CODE XREF: PopPepPlatformStateRegistered(x)+617p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ds:byte_70EFC6,	1
		jnz	loc_5A8331
		mov	eax, [ebp+arg_0]
		mov	ecx, 0BFFFFFFFh
		lock and [eax],	ecx
		lock dec dword ptr [eax]

loc_4EB168:				; CODE XREF: ObReferenceObjectExWithTag+BF25Cj
		mov	cl, [ebp+arg_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebp
		retn	8
ExReleaseSpinLockShared	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCapturePageFileInfoInline(x, x, x)
_MiCapturePageFileInfoInline@12	proc near ; CODE XREF: MiCaptureDirtyBitToPfn(x)+35p
					; MiRevertValidPte+563p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	eax, [esi+4]
		mov	ecx, eax
		mov	edi, [esi]
		mov	edx, edi
		shrd	edx, ecx, 2
		mov	[ebp+var_4], eax
		test	dl, 1
		jnz	short loc_4EB1D1
		cmp	[ebp+arg_0], 0
		jnz	short loc_4EB1B7

loc_4EB1AA:				; CODE XREF: MiCapturePageFileInfoInline(x,x,x)+40j
		pop	edi
		pop	esi
		xor	eax, eax
		xor	edx, edx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4EB1B7:				; CODE XREF: MiCapturePageFileInfoInline(x,x,x)+28j
		mov	ecx, edi
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_4EB1AA
		nop
		mov	edx, [esi+4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4EB1D1:				; CODE XREF: MiCapturePageFileInfoInline(x,x,x)+22j
		nop
		mov	edx, [esi+4]
		test	ebx, ebx
		jz	short loc_4EB1E1
		and	dword ptr [esi], 0FFFFFFFBh
		mov	eax, edx
		mov	[esi+4], eax

loc_4EB1E1:				; CODE XREF: MiCapturePageFileInfoInline(x,x,x)+57j
		cmp	[ebp+arg_0], 0
		jz	short loc_4EB1F2

loc_4EB1E7:				; CODE XREF: MiCapturePageFileInfoInline(x,x,x)+75j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4EB1F2:				; CODE XREF: MiCapturePageFileInfoInline(x,x,x)+65j
		and	edi, 0FFFFFFFDh
		jmp	short loc_4EB1E7
_MiCapturePageFileInfoInline@12	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 534. FsRtlGetSupportedFeatures

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlGetSupportedFeatures(x, x)
		public _FsRtlGetSupportedFeatures@8
_FsRtlGetSupportedFeatures@8 proc near	; CODE XREF: IopQueryInformation(x,x,x,x,x)+53p
					; IopCopyOffloadCapable+25p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		mov	[ecx], eax
		mov	edx, _FltMgrCallbacks
		test	edx, edx
		jz	short loc_4EB219
		push	ecx
		push	[ebp+arg_0]
		call	dword ptr [edx+8]

loc_4EB219:				; CODE XREF: FsRtlGetSupportedFeatures(x,x)+14j
		pop	ebp
		retn	8
_FsRtlGetSupportedFeatures@8 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1762. PsEnterPriorityRegion

;  S U B	R O U T	I N E 


; __stdcall PsEnterPriorityRegion()
		public _PsEnterPriorityRegion@0
_PsEnterPriorityRegion@0 proc near
		mov	ecx, large fs:124h
		xor	dl, dl
		push	0
		push	0
		call	PsBoostThreadIoEx
		retn
_PsEnterPriorityRegion@0 endp ;	sp = -8

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiPreprocessAccessViolation proc near	; CODE XREF: Dr_kite_a+3CFp

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CE8D7 SIZE 000000CD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	[ebp+var_1], 0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 1
		jnb	short loc_4EB272
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al

loc_4EB272:				; CODE XREF: KiPreprocessAccessViolation+16j
		mov	ecx, [ebp+arg_0]
		mov	edx, [ecx+6Ch]
		test	dl, 1
		jnz	short loc_4EB2CF
		test	dword ptr [ecx+70h], 20000h
		jnz	short loc_4EB2CF
		xor	bh, bh

loc_4EB288:				; CODE XREF: KiPreprocessAccessViolation+81j
		mov	eax, [ecx+68h]
		push	esi
		test	bh, bh
		jnz	loc_5CE90C
		cmp	eax, offset _ExpInterlockedPopEntrySListFault
		jz	loc_5CE8D7
		cmp	eax, offset _KiSystemServiceCopyArguments@0 ; KiSystemServiceCopyArguments()
		jz	loc_5CE8DE
		cmp	eax, offset _KiSystemServiceAccessTeb@0	; KiSystemServiceAccessTeb()
		jz	loc_5CE8DE

loc_4EB2B5:				; CODE XREF: KiPreprocessAccessViolation+E36CCj
					; KiPreprocessAccessViolation+E3723j ...
		mov	bh, [ebp+var_1]

loc_4EB2B8:				; CODE XREF: KiPreprocessAccessViolation+E36A2j
					; KiPreprocessAccessViolation+E36B7j ...
		pop	esi
		cmp	bl, 1
		jnb	short loc_4EB2C6
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4EB2C6:				; CODE XREF: KiPreprocessAccessViolation+6Cj
		mov	al, bh
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4EB2CF:				; CODE XREF: KiPreprocessAccessViolation+2Bj
					; KiPreprocessAccessViolation+34j
		mov	bh, 1
		jmp	short loc_4EB288
KiPreprocessAccessViolation endp

; 
		align 10h
; Exported entry 1185. KeInsertDeviceQueue

		public KeInsertDeviceQueue
KeInsertDeviceQueue:			; CODE XREF: IoStartPacket+3Bp
					; IoAllocateController(x,x,x,x)+22p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+8]
		xor	bl, bl
		push	edi
		lea	edi, [ebp-0Ch]
		stosd
		lea	ecx, [esi+0Ch]
		stosd
		stosd
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jnz	loc_5CE9A4
		test	ds:byte_70EFC6,	21h
		mov	[ebp-8], ecx
		mov	[ebp-0Ch], eax
		jnz	loc_5CE9B1
		lea	edx, [ebp-0Ch]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	short loc_4EB38C

loc_4EB324:				; CODE XREF: .text:004EB394j
					; .text:005CE9ACj ...
		mov	al, [esi+10h]
		cmp	al, 1
		mov	byte ptr [esi+10h], 1
		mov	eax, [ebp+0Ch]
		jz	short loc_4EB374

loc_4EB332:				; CODE XREF: .text:004EB38Aj
		mov	[eax+0Ch], bl
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jnz	loc_5CE9C0
		test	ds:byte_70EFC6,	1
		jnz	loc_5CEA15
		mov	eax, [ebp-0Ch]
		test	eax, eax
		jnz	short loc_4EB39E
		mov	edx, [ebp-8]
		lea	eax, [ebp-0Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-0Ch]
		cmp	eax, ecx
		jnz	short loc_4EB396

loc_4EB369:				; CODE XREF: .text:004EB3B0j
					; .text:005CEA10j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4EB374:				; CODE XREF: .text:004EB330j
		mov	ecx, [esi+8]
		add	esi, 4
		cmp	[ecx], esi
		jnz	short loc_4EB3B2
		mov	[eax], esi
		mov	bl, 1
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esi+4], eax
		jmp	short loc_4EB332
; 

loc_4EB38C:				; CODE XREF: .text:004EB322j
		lea	ecx, [ebp-0Ch]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_4EB324
; 

loc_4EB396:				; CODE XREF: .text:004EB367j
		lea	ecx, [ebp-0Ch]
		call	KxWaitForLockChainValid

loc_4EB39E:				; CODE XREF: .text:004EB354j
		mov	dword ptr [ebp-0Ch], 0
		lea	ecx, [eax+4]
		mov	edx, 1
		lock xor [ecx],	edx
		jmp	short loc_4EB369
; 

loc_4EB3B2:				; CODE XREF: .text:004EB37Cj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		align 10h
; Exported entry 1262. KeRemoveDeviceQueue

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeRemoveDeviceQueue
KeRemoveDeviceQueue proc near		; CODE XREF: IopStartNextPacket+22p
					; IoFreeController(x)+Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CEA25 SIZE 00000081 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		lea	ecx, [esi+0Ch]
		stosd
		stosd
		xor	edi, edi
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jnz	loc_5CEA25
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], edi
		jnz	loc_5CEA32
		lea	edx, [ebp+var_C]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	loc_4EB488

loc_4EB407:				; CODE XREF: KeRemoveDeviceQueue+D0j
					; KeRemoveDeviceQueue+E366Dj ...
		mov	ecx, [esi+4]
		lea	eax, [esi+4]
		cmp	ecx, eax
		jnz	short loc_4EB453
		mov	byte ptr [esi+10h], 0

loc_4EB415:				; CODE XREF: KeRemoveDeviceQueue+AAj
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jnz	loc_5CEA41
		test	ds:byte_70EFC6,	1
		jnz	loc_5CEA96
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_4EB474
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_4EB46C

loc_4EB449:				; CODE XREF: KeRemoveDeviceQueue+C6j
					; KeRemoveDeviceQueue+E36D1j ...
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4EB453:				; CODE XREF: KeRemoveDeviceQueue+4Fj
		mov	edi, ecx
		mov	ecx, [edi]
		cmp	[edi+4], eax
		jnz	short loc_4EB495
		cmp	[ecx+4], edi
		jnz	short loc_4EB495
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	byte ptr [edi+0Ch], 0
		jmp	short loc_4EB415
; 

loc_4EB46C:				; CODE XREF: KeRemoveDeviceQueue+87j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_4EB474:				; CODE XREF: KeRemoveDeviceQueue+74j
		mov	[ebp+var_C], 0
		lea	ecx, [eax+4]
		mov	edx, 1
		lock xor [ecx],	edx
		jmp	short loc_4EB449
; 

loc_4EB488:				; CODE XREF: KeRemoveDeviceQueue+41j
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4EB407
; 

loc_4EB495:				; CODE XREF: KeRemoveDeviceQueue+9Aj
					; KeRemoveDeviceQueue+9Fj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
KeRemoveDeviceQueue endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall KiIsDpcThreadActive()
_KiIsDpcThreadActive@0 proc near	; CODE XREF: .text:004EB2FBp
					; .text:004EB335p ...
		mov	eax, large fs:20h
		mov	eax, [eax+223Ch]
		shr	eax, 10h
		and	eax, 1
		retn
_KiIsDpcThreadActive@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFlushValidPteFromTb(x, x,	x, x)
_MiFlushValidPteFromTb@16 proc near	; CODE XREF: MiTransformValidPteInPlace+68p
					; MiTransformValidPteInPlace+2B922p

var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_A0]
		push	ebx		; int
		push	eax		; void *
		mov	edi, edx
		mov	esi, ecx
		call	_memset
		mov	eax, 0C0000000h
		add	esp, 0Ch
		mov	ecx, esi
		cmp	esi, eax
		jb	short loc_4EB4FD

loc_4EB4EE:				; CODE XREF: MiFlushValidPteFromTb(x,x,x,x)+4Bj
		cmp	ecx, 0C07FFFFFh
		ja	short loc_4EB4FD
		shl	ecx, 9
		cmp	ecx, eax
		jnb	short loc_4EB4EE

loc_4EB4FD:				; CODE XREF: MiFlushValidPteFromTb(x,x,x,x)+3Cj
					; MiFlushValidPteFromTb(x,x,x,x)+44j
		call	MiRealVaToFlushType
		mov	[ebp+var_A0], eax
		lea	ecx, [ebp+var_A0]
		mov	eax, [ebp+arg_0]
		mov	edx, edi
		and	eax, 80h
		mov	[ebp+var_9C], bx
		or	eax, ebx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_98], 21h
		mov	[ebp+var_8C], ebx
		push	esi
		jnz	short loc_4EB55B
		call	_MiInsertRecursiveTbFlushEntries@12 ; MiInsertRecursiveTbFlushEntries(x,x,x)

loc_4EB53F:				; CODE XREF: MiFlushValidPteFromTb(x,x,x,x)+B0j
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_4EB55B:				; CODE XREF: MiFlushValidPteFromTb(x,x,x,x)+88j
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)
		jmp	short loc_4EB53F
_MiFlushValidPteFromTb@16 endp


;  S U B	R O U T	I N E 


MiRealVaToFlushType proc near		; CODE XREF: MiFlushValidPteFromTb(x,x,x,x):loc_4EB4FDp
					; MiDbgReleaseAddress(x,x,x):loc_6342E8p ...

; FUNCTION CHUNK AT 005CEAD6 SIZE 00000022 BYTES

		cmp	ecx, dword_6D07D0
		jb	short loc_4EB590
		mov	edx, dword_6D2E88
		cmp	ecx, edx
		jnb	loc_5CEAD6

loc_4EB578:				; CODE XREF: MiRealVaToFlushType+E3591j
		shr	ecx, 15h
		mov	al, byte ptr dword_6D3994[ecx]
		cmp	al, 0Bh
		jz	short loc_4EB58C
		cmp	al, 1
		jz	short loc_4EB58C
		xor	eax, eax
		retn
; 

loc_4EB58C:				; CODE XREF: MiRealVaToFlushType+21j
					; MiRealVaToFlushType+25j
		push	2
		pop	eax
		retn
; 

loc_4EB590:				; CODE XREF: MiRealVaToFlushType+6j
					; MiRealVaToFlushType+E358Bj
		xor	eax, eax
		inc	eax
		retn
MiRealVaToFlushType endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeleteNonPagedPoolPte	proc near	; DATA XREF: MiClearNonPagedPtes+9Bo

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CEAF8 SIZE 000000F6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	[esp+20h+var_8], 0
		mov	[esp+20h+var_4], 0
		mov	edx, [esi]
		nop
		mov	ecx, [esi+4]
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	loc_4EB72F
		mov	eax, [ebp+arg_8]
		cmp	eax, 1
		jg	loc_4EB72F
		mov	ebx, 1
		mov	edi, eax
		test	eax, eax
		jnz	loc_4EB760

loc_4EB5F0:				; CODE XREF: MiDeleteNonPagedPoolPte+1C6j
		mov	edi, [ebp+arg_0]
		mov	eax, edx
		and	eax, 80h
		or	eax, 0
		mov	edi, [edi+48h]
		jnz	loc_5CEAF8
		nop
		mov	eax, ds:_MmPfnDatabase
		shrd	edx, ecx, 0Ch
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	ebx, [eax+ecx*4]
		mov	ecx, [ebp+arg_8]
		cmp	ecx, 1
		jz	loc_4EB76E
		test	byte ptr [edi+0A4h], 1
		jz	loc_4EB72F
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+4], eax
		test	byte ptr [ebx+17h], 10h
		jnz	short loc_4EB657
		inc	dword ptr [edi+0ACh]

loc_4EB657:				; CODE XREF: MiDeleteNonPagedPoolPte+AFj
		cmp	dword ptr [edi+0A8h], 0
		jz	loc_4EB740

loc_4EB664:				; CODE XREF: MiDeleteNonPagedPoolPte+1B0j
					; MiDeleteNonPagedPoolPte+220j
		inc	dword ptr [edi+0A8h]
		lea	edx, [ebx+10h]
		mov	[esp+20h+var_8], 0
		lock bts dword ptr [edx], 1Fh
		jb	loc_5CEB69

loc_4EB680:				; CODE XREF: MiDeleteNonPagedPoolPte+E35EBj
		test	byte ptr [edi+0A4h], 2
		jnz	short loc_4EB6A0
		movzx	eax, word ptr [ebx+14h]
		cmp	eax, 1
		jnz	loc_5CEB90
		mov	al, [ebx+16h]
		and	al, 0FDh
		or	al, 5
		mov	[ebx+16h], al

loc_4EB6A0:				; CODE XREF: MiDeleteNonPagedPoolPte+E7j
		test	ecx, ecx
		jnz	loc_4EB7C5
		test	byte ptr [edi+0A4h], 2
		jnz	short loc_4EB6BF
		mov	eax, [edi+98h]
		mov	[ebx], eax
		mov	[edi+98h], ebx

loc_4EB6BF:				; CODE XREF: MiDeleteNonPagedPoolPte+10Fj
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		xor	edx, edx
		xor	ecx, ecx
		test	dword ptr [edi+0A0h], 40000000h
		mov	[esp+20h+var_10], edx
		mov	[esp+20h+var_C], ecx
		jnz	short loc_4EB6F6
		lea	ecx, [esp+20h+var_10]
		call	_MiInitializeTbFlushStamps@4 ; MiInitializeTbFlushStamps(x)
		mov	edx, [esp+20h+var_10]
		mov	[esi], edx
		nop
		mov	ecx, [esp+20h+var_C]
		mov	[esi+4], ecx

loc_4EB6F6:				; CODE XREF: MiDeleteNonPagedPoolPte+13Dj
		mov	eax, dword_6D0704
		mov	ebx, dword_6D0700
		mov	[esp+20h+var_10], eax
		mov	eax, ebx
		or	eax, [esp+20h+var_10]
		mov	[esp+20h+var_8], ecx
		jz	short loc_4EB725
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4EB73A
		mov	ecx, [esp+20h+var_10]
		not	ecx
		and	ecx, [esp+20h+var_8]

loc_4EB725:				; CODE XREF: MiDeleteNonPagedPoolPte+16Fj
					; MiDeleteNonPagedPoolPte+19Ej
		xor	eax, eax
		or	eax, ecx
		jz	loc_4EB7EA

loc_4EB72F:				; CODE XREF: MiDeleteNonPagedPoolPte+2Fj
					; MiDeleteNonPagedPoolPte+3Bj ...
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4EB73A:				; CODE XREF: MiDeleteNonPagedPoolPte+179j
		mov	ecx, [esp+20h+var_8]
		jmp	short loc_4EB725
; 

loc_4EB740:				; CODE XREF: MiDeleteNonPagedPoolPte+BEj
		mov	ecx, esi
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		mov	ecx, [ebp+arg_8]
		mov	[edi+0B0h], eax
		jmp	loc_4EB664
; 
		jmp	short loc_4EB760
; 
		align 10h

loc_4EB760:				; CODE XREF: MiDeleteNonPagedPoolPte+4Aj
					; MiDeleteNonPagedPoolPte+1B5j	...
		shl	ebx, 9
		sub	edi, 1
		jz	loc_4EB5F0
		jmp	short loc_4EB760
; 

loc_4EB76E:				; CODE XREF: MiDeleteNonPagedPoolPte+88j
		mov	eax, [ebx+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	short loc_4EB72F
		push	ds:dword_40F9FC
		mov	edx, esi
		mov	ecx, offset unk_6D3B40
		push	ds:_ZeroPte
		push	2
		call	MiEvictPageTableLock
		test	eax, eax
		jz	short loc_4EB72F
		mov	eax, esi
		shl	eax, 9
		cmp	dword ptr [edi+0B4h], 0
		jnz	short loc_4EB7AD
		mov	[edi+0B4h], eax

loc_4EB7AD:				; CODE XREF: MiDeleteNonPagedPoolPte+205j
		mov	ecx, [ebp+arg_8]
		mov	[edi+0B8h], eax
		mov	dword ptr [edi+0B0h], 0FFFFFFFFh
		jmp	loc_4EB664
; 

loc_4EB7C5:				; CODE XREF: MiDeleteNonPagedPoolPte+102j
		mov	eax, [edi+9Ch]
		mov	[ebx], eax
		mov	eax, 7FFFFFFFh
		mov	[edi+9Ch], ebx
		lock and [edx],	eax
		mov	edx, ecx
		mov	ecx, edi
		push	esi
		call	_MiInsertRecursiveTbFlushEntries@12 ; MiInsertRecursiveTbFlushEntries(x,x,x)
		jmp	loc_4EB72F
; 

loc_4EB7EA:				; CODE XREF: MiDeleteNonPagedPoolPte+189j
		push	0
		shl	esi, 9
		mov	ecx, edi
		push	1
		mov	edx, esi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
MiDeleteNonPagedPoolPte	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeTbFlushStamps(x)
_MiInitializeTbFlushStamps@4 proc near	; CODE XREF: .text:0047ABC9p
					; MiDeleteSystemPagableVm(x,x,x,x,x,x)+44Dp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edx, [esi]
		nop
		mov	eax, [esi+4]
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		xor	edi, edi
		lock or	[ecx], edi
		push	eax
		mov	eax, ds:_KiTbFlushTimeStamp
		push	edx
		push	edi
		push	eax
		call	MiSetPteTimeStamp
		mov	[esi], eax
		nop
		pop	edi
		mov	[esi+4], edx
		pop	esi
		leave
		retn
_MiInitializeTbFlushStamps@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSetPteTimeStamp proc near		; CODE XREF: MiInitializeTbFlushStamps(x)+25p

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		mov	eax, ecx
		mov	edx, [ebp+arg_C]
		or	eax, edx
		jnz	loc_5CEBC0
		xor	ecx, ecx

loc_4EB851:				; CODE XREF: MiDeleteNonPagedPoolPte+E3649j
		xor	eax, eax
		or	eax, [ebp+arg_0]
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		pop	ebp
		retn	10h
MiSetPteTimeStamp endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertRecursiveTbFlushEntries(x, x, x)
_MiInsertRecursiveTbFlushEntries@12 proc near
					; CODE XREF: MiFlushValidPteFromTb(x,x,x,x)+8Ap
					; MiDeleteNonPagedPoolPte+240p	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], eax
		inc	edi
		test	edx, edx
		js	short loc_4EB898
		push	ebx
		lea	ebx, [edx+1]

loc_4EB87D:				; CODE XREF: MiInsertRecursiveTbFlushEntries(x,x,x)+33j
		push	0
		shl	esi, 9
		mov	ecx, eax
		push	edi
		mov	edx, esi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	eax, [ebp+var_4]
		shl	edi, 9
		sub	ebx, 1
		jnz	short loc_4EB87D
		pop	ebx

loc_4EB898:				; CODE XREF: MiInsertRecursiveTbFlushEntries(x,x,x)+15j
		pop	edi
		pop	esi
		leave
		retn	4
_MiInsertRecursiveTbFlushEntries@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


ST_STORE_SM_TRAITS___StSufficientSpaceForAdd proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+85p

; FUNCTION CHUNK AT 005CEBEE SIZE 00000036 BYTES

		cmp	byte ptr [ecx+1E4h], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [ecx+38h]
		mov	ebx, edx
		jnz	short loc_4EB8DF
		mov	esi, 8

loc_4EB8B6:				; CODE XREF: ST_STORE_SM_TRAITS___StSufficientSpaceForAdd+44j
		xor	ecx, ecx
		lea	eax, [edi+430h]
		mov	edi, edi

loc_4EB8C0:				; CODE XREF: ST_STORE_SM_TRAITS___StSufficientSpaceForAdd+28j
		add	ecx, [eax]
		lea	eax, [eax+8]
		sub	esi, 1
		jnz	short loc_4EB8C0
		cmp	[edi+1E4h], ecx
		jbe	loc_5CEBEE

loc_4EB8D6:				; CODE XREF: ST_STORE_SM_TRAITS___StSufficientSpaceForAdd+E336Aj
					; ST_STORE_SM_TRAITS___StSufficientSpaceForAdd+E3377j
		mov	eax, 1

loc_4EB8DB:				; CODE XREF: ST_STORE_SM_TRAITS___StSufficientSpaceForAdd+E337Fj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4EB8DF:				; CODE XREF: ST_STORE_SM_TRAITS___StSufficientSpaceForAdd+Fj
		mov	esi, 1
		jmp	short loc_4EB8B6
ST_STORE_SM_TRAITS___StSufficientSpaceForAdd endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipCompleteGuidIrpWithError proc near	; CODE XREF: WmipReceiveNotifications+E31D6p
					; WmipDeleteMethod(x)+73p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005CEC24 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, offset _WmipCancelSpinLock
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, [esi+30h]
		test	esi, esi
		jnz	short loc_4EB94E

loc_4EB90E:				; CODE XREF: WmipCompleteGuidIrpWithError+7Cj
		test	ds:byte_70EFC6,	1
		jnz	loc_5CEC24
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5CEC3C
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5CEC34

loc_4EB93D:				; CODE XREF: WmipCompleteGuidIrpWithError+E3349j
					; WmipCompleteGuidIrpWithError+E3366j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	short loc_4EB964

loc_4EB94A:				; CODE XREF: WmipCompleteGuidIrpWithError+8Ej
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4EB94E:				; CODE XREF: WmipCompleteGuidIrpWithError+26j
		mov	ecx, esi
		call	_WmipClearIrpObjectList@4 ; WmipClearIrpObjectList(x)
		xor	ecx, ecx
		lea	eax, [esi+38h]
		xchg	ecx, [eax]
		neg	ecx
		sbb	ecx, ecx
		and	esi, ecx
		jmp	short loc_4EB90E
; 

loc_4EB964:				; CODE XREF: WmipCompleteGuidIrpWithError+62j
		xor	dl, dl
		mov	dword ptr [esi+18h], 0C0000008h
		mov	ecx, esi
		call	IofCompleteRequest
		jmp	short loc_4EB94A
WmipCompleteGuidIrpWithError endp


;  S U B	R O U T	I N E 


; __stdcall WmipAlign(x, x)
_WmipAlign@8	proc near		; CODE XREF: WmipInsertStaticNames+3Ap
					; WmipQueryAllData+274p ...
		mov	eax, [edx]
		dec	ecx
		push	esi
		lea	esi, [eax+ecx]
		cmp	esi, eax
		jb	short loc_4EB98B
		not	ecx
		mov	al, 1
		and	ecx, esi
		mov	[edx], ecx
		pop	esi
		retn
; 

loc_4EB98B:				; CODE XREF: WmipAlign(x,x)+9j
		xor	al, al
		pop	esi
		retn
_WmipAlign@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringCbCatW(x, x, x)
_RtlStringCbCatW@12 proc near		; CODE XREF: sub_5EC64A+115p
					; sub_5EC64A+127p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		xor	edx, edx
		shr	esi, 1
		mov	eax, esi
		mov	[ebp+var_4], edx
		neg	eax
		push	edi
		sbb	eax, eax
		mov	edi, ecx
		and	eax, 3FFFFFF3h
		add	eax, 0C000000Dh
		test	esi, esi
		jz	short loc_4EB9C5
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		call	sub_4EBA32
		mov	edx, [ebp+var_4]

loc_4EB9C5:				; CODE XREF: RtlStringCbCatW(x,x,x)+25j
		test	eax, eax
		js	short loc_4EB9DA
		push	ecx
		push	[ebp+arg_0]
		sub	esi, edx
		push	ecx
		lea	ecx, [edi+edx*2]
		mov	edx, esi
		call	RtlStringCopyWorkerW

loc_4EB9DA:				; CODE XREF: RtlStringCbCatW(x,x,x)+37j
		pop	edi
		pop	esi
		leave
		retn	4
_RtlStringCbCatW@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringCopyWorkerW proc near		; CODE XREF: RtlStringCbCatW(x,x,x)+45p
					; RtlStringCbCopyW(x,x,x)+20p ...

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	edx, edx
		jz	short loc_4EBA2D
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		mov	esi, 7FFFFFFEh
		sub	eax, ecx

loc_4EB9F5:				; CODE XREF: RtlStringCopyWorkerW+2Cj
		test	esi, esi
		jz	short loc_4EBA0E
		movzx	edi, word ptr [eax+ecx]
		test	di, di
		jz	short loc_4EBA0E
		mov	[ecx], di
		add	ecx, 2
		dec	esi
		sub	edx, 1
		jnz	short loc_4EB9F5

loc_4EBA0E:				; CODE XREF: RtlStringCopyWorkerW+17j
					; RtlStringCopyWorkerW+20j
		pop	edi
		pop	esi
		test	edx, edx
		jz	short loc_4EBA2D

loc_4EBA14:				; CODE XREF: RtlStringCopyWorkerW+50j
		neg	edx
		sbb	edx, edx
		and	edx, 7FFFFFFBh
		xor	eax, eax
		mov	[ecx], ax
		lea	eax, [edx-7FFFFFFBh]
		pop	ebp
		retn	0Ch
; 

loc_4EBA2D:				; CODE XREF: RtlStringCopyWorkerW+7j
					; RtlStringCopyWorkerW+32j
		sub	ecx, 2
		jmp	short loc_4EBA14
RtlStringCopyWorkerW endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_4EBA32	proc near		; CODE XREF: RtlStringCbCatW(x,x,x)+2Dp
					; RtlStringCbLengthW(x,x,x)+15p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edx
		test	edx, edx
		jz	short loc_4EBA4E

loc_4EBA41:				; CODE XREF: sub_4EBA32+1Aj
		cmp	[ecx], di
		jz	short loc_4EBA4E
		add	ecx, 2
		sub	edx, 1
		jnz	short loc_4EBA41

loc_4EBA4E:				; CODE XREF: sub_4EBA32+Dj
					; sub_4EBA32+12j
		mov	ecx, [ebp+arg_0]
		mov	eax, edx
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFF3h
		add	eax, 0C000000Dh
		test	ecx, ecx
		jz	short loc_4EBA6D
		test	edx, edx
		jz	short loc_4EBA73
		sub	esi, edx
		mov	[ecx], esi

loc_4EBA6D:				; CODE XREF: sub_4EBA32+31j
					; sub_4EBA32+43j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4EBA73:				; CODE XREF: sub_4EBA32+35j
		mov	[ecx], edi
		jmp	short loc_4EBA6D
sub_4EBA32	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1972. RtlCheckPortableOperatingSystem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlCheckPortableOperatingSystem
RtlCheckPortableOperatingSystem	proc near

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CEC51 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	esi
		push	offset ??_C@_1O@BMELCLLB@?$AAM?$AAi?$AAn?$AAi?$AAN?$AAT@FNODOBFM@
		xor	esi, esi
		push	2
		mov	[ebp+var_4], esi
		call	_RtlCheckRegistryKey@8 ; RtlCheckRegistryKey(x,x)
		test	eax, eax
		jns	loc_5CEC51
		push	38h		; size_t
		lea	eax, [ebp+var_3C]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_38], 124h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_34], offset ??_C@_1DA@IFMDNCPF@?$AAP?$AAo?$AAr?$AAt?$AAa?$AAb?$AAl?$AAe?$AAO?$AAp?$AAe?$AAr?$AAa?$AAt?$AAi@FNODOBFM@ ;	"PortableOperatingSystem"
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_2C], 4000000h
		push	esi
		push	esi
		push	eax
		push	esi
		push	2
		call	_RtlQueryRegistryValuesEx@20 ; RtlQueryRegistryValuesEx(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_4EBAE5
		mov	esi, 0C0000225h

loc_4EBAE5:				; CODE XREF: RtlCheckPortableOperatingSystem+62j
		test	esi, esi
		jns	loc_5CEC51

loc_4EBAED:				; CODE XREF: RtlCheckPortableOperatingSystem+E31E1j
		mov	eax, esi
		pop	esi
		leave
		retn	4
RtlCheckPortableOperatingSystem	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipReceiveNotifications proc near	; CODE XREF: WmipIoControl+254p

var_CC		= byte ptr -0CCh
var_CB		= byte ptr -0CBh
var_CA		= byte ptr -0CAh
var_C9		= byte ptr -0C9h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= byte ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CEC62 SIZE 00000130 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0CCh+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[esp+0CCh+var_AC], 0
		and	[esp+0CCh+var_C0], 0
		mov	[esp+0CCh+var_C8], ecx
		mov	[esp+0CCh+var_A8], eax
		mov	eax, [ecx]
		xor	ecx, ecx
		push	ebx
		push	esi
		mov	esi, [edx]
		inc	ecx
		mov	[esp+0D4h+var_8C], edx
		mov	[esp+0D4h+var_BC], 0C000000Dh
		mov	[esp+0D4h+var_94], esi
		mov	[esp+0D4h+var_C4], eax
		push	edi
		cmp	eax, 10h
		ja	loc_5CEC62
		lea	ebx, [esp+0D8h+var_88]

loc_4EBB50:				; CODE XREF: WmipReceiveNotifications+E3181j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		xor	edx, edx
		mov	eax, edx
		mov	[esp+0D8h+var_CA], dl
		mov	ecx, edx
		mov	edi, edx
		mov	[esp+0D8h+var_CB], dl
		mov	[esp+0D8h+var_C9], dl
		mov	[esp+0D8h+var_B0], eax
		mov	[esp+0D8h+var_B4], ecx
		mov	[esp+0D8h+var_90], edi
		mov	[esp+0D8h+var_B8], edx
		cmp	[esp+0D8h+var_C4], eax
		jbe	loc_4EBC37

loc_4EBB8E:				; CODE XREF: WmipReceiveNotifications+139j
		mov	ecx, [esp+0D8h+var_C8]
		mov	eax, ds:_WmipGuidObjectType
		and	[esp+0D8h+var_98], 0
		push	0
		mov	ecx, [ecx+edx*8+8]
		lea	edx, [esp+0DCh+var_98]
		push	edx
		xor	edx, edx
		inc	edx
		push	edx
		push	eax
		push	4
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[esp+0D8h+var_BC], eax
		test	eax, eax
		js	loc_4EBD2A
		mov	ecx, [esp+0D8h+var_98]
		xor	edx, edx
		mov	eax, edx
		test	edi, edi
		jz	short loc_4EBBDA

loc_4EBBCC:				; CODE XREF: WmipReceiveNotifications+E4j
		cmp	ecx, [ebx+eax*8]
		jz	loc_5CEC85
		inc	eax
		cmp	eax, edi
		jb	short loc_4EBBCC

loc_4EBBDA:				; CODE XREF: WmipReceiveNotifications+D6j
		xor	eax, eax
		inc	eax
		cmp	[ecx+30h], edx
		jnz	loc_5CEC98

loc_4EBBE6:				; CODE XREF: WmipReceiveNotifications+E31A8j
		mov	[ebx+edi*8], ecx
		inc	edi
		mov	[esp+0D8h+var_90], edi
		cmp	[ecx+3Ch], edx
		jnz	loc_5CECA1

loc_4EBBF7:				; CODE XREF: WmipReceiveNotifications+E31B0j
					; WmipReceiveNotifications+E31BAj
		cmp	[ecx+50h], edx
		jnz	loc_4EBD75

loc_4EBC00:				; CODE XREF: WmipReceiveNotifications+284j
					; WmipReceiveNotifications+28Ej
		mov	eax, [ecx+48h]
		add	eax, 7
		and	eax, 0FFFFFFF8h
		add	[esp+0D8h+var_B0], eax
		mov	eax, [ecx+5Ch]
		mov	ecx, [esp+0D8h+var_B4]
		add	eax, 7
		and	eax, 0FFFFFFF8h
		add	ecx, eax
		mov	[esp+0D8h+var_B4], ecx

loc_4EBC20:				; CODE XREF: WmipReceiveNotifications+E319Fj
		mov	edx, [esp+0D8h+var_B8]
		inc	edx
		mov	[esp+0D8h+var_B8], edx
		cmp	edx, [esp+0D8h+var_C4]
		jb	loc_4EBB8E
		mov	eax, [esp+0D8h+var_B0]

loc_4EBC37:				; CODE XREF: WmipReceiveNotifications+94j
		lea	edx, [ecx+eax]
		xor	eax, eax
		inc	eax
		mov	[esp+0D8h+var_B8], edx
		cmp	[esp+0D8h+var_C9], al
		jz	loc_5CECB3

loc_4EBC4B:				; CODE XREF: WmipReceiveNotifications+E31C7j
					; WmipReceiveNotifications+E31ECj
		mov	cl, [esp+0D8h+var_CB]
		mov	al, cl
		or	al, [esp+0D8h+var_CA]
		jnz	loc_4EBD87
		mov	esi, [esp+0D8h+var_A8]
		lea	edi, [esp+0D8h+var_A4]
		xor	eax, eax
		xor	edx, edx
		stosd
		lea	ecx, [esi+40h]
		mov	[ecx+4], ecx
		stosd
		mov	[ecx], ecx
		stosd
		mov	edi, [esp+0D8h+var_90]
		test	edi, edi
		jz	short loc_4EBCA1

loc_4EBC7A:				; CODE XREF: WmipReceiveNotifications+1ABj
		mov	eax, [ebx+edx*8]
		mov	[eax+30h], esi
		add	eax, 34h
		mov	esi, [ecx+4]
		cmp	[esi], ecx
		jnz	loc_4EBDEB
		mov	[eax+4], esi
		inc	edx
		mov	[eax], ecx
		mov	[esi], eax
		mov	esi, [esp+0D8h+var_A8]
		mov	[ecx+4], eax
		cmp	edx, edi
		jb	short loc_4EBC7A

loc_4EBCA1:				; CODE XREF: WmipReceiveNotifications+184j
		mov	eax, [esi+60h]
		lea	edx, [esp+0D8h+var_A4]
		xor	ecx, ecx
		mov	[esp+0D8h+var_BC], 103h
		inc	ecx
		mov	[esp+0D8h+var_CB], 0
		or	[eax+3], cl
		mov	ecx, offset _WmipCancelSpinLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	ecx, [esi+38h]
		mov	eax, offset WmipNotificationIrpCancel
		xchg	eax, [ecx]
		cmp	byte ptr [esi+24h], 0
		jnz	loc_5CED12

loc_4EBCD9:				; CODE XREF: WmipReceiveNotifications+E3236j
		xor	eax, eax
		inc	eax

loc_4EBCDC:				; CODE XREF: WmipReceiveNotifications+E3243j
		test	ds:byte_70EFC6,	al
		jnz	loc_5CED3C
		mov	eax, [esp+0D8h+var_A4]
		test	eax, eax
		jnz	loc_5CED56
		mov	edx, [esp+0D8h+var_A0]
		lea	eax, [esp+0D8h+var_A4]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+0D8h+var_A4]
		cmp	eax, ecx
		jnz	loc_5CED4D

loc_4EBD0E:				; CODE XREF: WmipReceiveNotifications+E3254j
					; WmipReceiveNotifications+E3273j
		mov	cl, [esp+0D8h+var_9C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[esp+0D8h+var_CB], 0
		jnz	loc_5CED6C

loc_4EBD23:				; CODE XREF: WmipReceiveNotifications+E328Cj
		mov	ecx, [esp+0D8h+var_8C]
		and	dword ptr [ecx], 0

loc_4EBD2A:				; CODE XREF: WmipReceiveNotifications+C6j
					; WmipReceiveNotifications+2DDj
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		xor	esi, esi
		test	edi, edi
		jz	short loc_4EBD4E

loc_4EBD3C:				; CODE XREF: WmipReceiveNotifications+258j
		mov	ecx, [ebx+esi*8]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		inc	esi
		cmp	esi, edi
		jb	short loc_4EBD3C

loc_4EBD4E:				; CODE XREF: WmipReceiveNotifications+246j
		lea	eax, [esp+0D8h+var_88]
		cmp	ebx, eax
		jnz	loc_5CED85

loc_4EBD5A:				; CODE XREF: WmipReceiveNotifications+E3299j
		mov	eax, [esp+0D8h+var_BC]

loc_4EBD5E:				; CODE XREF: WmipReceiveNotifications+E318Cj
		mov	ecx, [esp+0D8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4EBD75:				; CODE XREF: WmipReceiveNotifications+106j
		cmp	[ecx+5Ch], edx
		jz	loc_4EBC00
		mov	[esp+0D8h+var_CA], al
		jmp	loc_4EBC00
; 

loc_4EBD87:				; CODE XREF: WmipReceiveNotifications+161j
		cmp	edx, esi
		ja	short loc_4EBDD6
		test	cl, cl
		jnz	loc_5CECE5
		mov	ecx, [esp+0D8h+var_C8]

loc_4EBD97:				; CODE XREF: WmipReceiveNotifications+E3219j
		cmp	[esp+0D8h+var_CA], 0
		jz	short loc_4EBDB9
		push	0		; char
		lea	eax, [esp+0DCh+var_AC]
		mov	edx, edi
		push	eax		; int
		lea	eax, [esp+0E0h+var_C0]
		push	eax		; int
		push	ecx		; int
		push	ecx		; void *
		mov	ecx, ebx
		call	WmipCopyFromEventQueues
		sub	esi, [esp+0D8h+var_C0]

loc_4EBDB9:				; CODE XREF: WmipReceiveNotifications+2A8j
		mov	eax, [esp+0D8h+var_AC]
		test	eax, eax
		jz	short loc_4EBDC5
		and	dword ptr [eax+0Ch], 0

loc_4EBDC5:				; CODE XREF: WmipReceiveNotifications+2CBj
		mov	eax, [esp+0D8h+var_94]
		sub	eax, esi

loc_4EBDCB:				; CODE XREF: WmipReceiveNotifications+2F5j
		mov	ecx, [esp+0D8h+var_8C]
		mov	[ecx], eax
		jmp	loc_4EBD2A
; 

loc_4EBDD6:				; CODE XREF: WmipReceiveNotifications+295j
		mov	ecx, [esp+0D8h+var_C8]
		push	38h
		pop	eax
		mov	[ecx], eax
		mov	dword ptr [ecx+2Ch], 20h
		mov	[ecx+30h], edx
		jmp	short loc_4EBDCB
; 

loc_4EBDEB:				; CODE XREF: WmipReceiveNotifications+194j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
WmipReceiveNotifications endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCancelIrpsInCurrentThreadList proc near
					; CODE XREF: IopCancelIrpsInCurrentThreadListApcRoutine(x,x,x)+1Bp
					; IopCancelIrpsInThreadList(x,x)+28p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005CED92 SIZE 00000060 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_C], ecx
		push	edi
		mov	esi, edx
		mov	[ebp+var_8], ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [esi+350h]
		mov	[ebp+var_1], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [esi+2CCh]
		mov	eax, [ecx]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], eax
		cmp	ecx, eax
		jz	short loc_4EBEA9
		mov	ebx, [ebp+arg_0]

loc_4EBE30:				; CODE XREF: IopCancelIrpsInCurrentThreadList+B4j
		lea	esi, [eax-10h]
		movsx	ecx, byte ptr [esi+22h]
		movsx	eax, byte ptr [esi+23h]
		add	ecx, 2
		cmp	eax, ecx
		jge	short loc_4EBE99
		cmp	[ebp+arg_4], 0
		jnz	loc_5CED92
		test	byte ptr [esi+8], 2
		jnz	short loc_4EBE99
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	short loc_4EBE5E
		cmp	[esi+64h], ecx
		jnz	short loc_4EBE99

loc_4EBE5E:				; CODE XREF: IopCancelIrpsInCurrentThreadList+67j
		test	ebx, ebx
		jz	short loc_4EBE67
		cmp	[esi+28h], ebx
		jnz	short loc_4EBE99

loc_4EBE67:				; CODE XREF: IopCancelIrpsInCurrentThreadList+70j
					; IopCancelIrpsInCurrentThreadList+E2FCFj ...
		xor	eax, eax
		inc	eax
		mov	[ebp+var_8], eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5CEDD4
		xor	eax, eax
		lock and [edi],	eax

loc_4EBE7E:				; CODE XREF: IopCancelIrpsInCurrentThreadList+E2FEEj
		mov	cl, 1
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	esi
		call	IoCancelIrp
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_4EBE99:				; CODE XREF: IopCancelIrpsInCurrentThreadList+50j
					; IopCancelIrpsInCurrentThreadList+60j	...
		mov	eax, [ebp+var_10]
		mov	eax, [eax]
		mov	[ebp+var_10], eax
		cmp	[ebp+var_14], eax
		jnz	short loc_4EBE30
		mov	ebx, [ebp+var_8]

loc_4EBEA9:				; CODE XREF: IopCancelIrpsInCurrentThreadList+3Bj
		test	ds:byte_70EFC6,	1
		jnz	loc_5CEDE3
		xor	eax, eax
		lock and [edi],	eax

loc_4EBEBB:				; CODE XREF: IopCancelIrpsInCurrentThreadList+E2FFDj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
IopCancelIrpsInCurrentThreadList endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 761. IoCancelIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoCancelIrp
IoCancelIrp	proc near		; CODE XREF: IopCancelIrpsInCurrentThreadList+97p
					; IopCancelIrpsInFileObjectList+FBp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CEDF2 SIZE 000000D1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_ViVerifierEnabled, 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		jnz	loc_5CEDF2

loc_4EBEEA:				; CODE XREF: IoCancelIrp+E2F33j
					; IoCancelIrp+E2F40j
		push	7
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al
		lea	ecx, [esi+38h]
		xor	eax, eax
		xor	edi, edi
		inc	eax
		mov	[esi+24h], al
		xchg	edi, [ecx]
		test	edi, edi
		jz	loc_5CEE68
		mov	al, [esi+22h]
		inc	al
		cmp	[esi+23h], al
		jg	loc_5CEE17
		cmp	_ViVerifierEnabled, 0
		mov	[esi+25h], bl
		jnz	loc_5CEE31

loc_4EBF27:				; CODE XREF: IoCancelIrp+E2F72j
		mov	eax, [esi+60h]
		push	esi
		push	dword ptr [eax+14h]
		call	edi

loc_4EBF30:				; CODE XREF: IoCancelIrp+E2F86j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jz	loc_5CEE5D

loc_4EBF3E:				; CODE XREF: IoCancelIrp+E2F8Ej
		xor	ecx, ecx
		inc	ecx
		mov	al, cl

loc_4EBF43:				; CODE XREF: IoCancelIrp+E2FECj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
IoCancelIrp	endp ; sp = -8


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpOplockRHIrpCancelRoutine(x, x)
_FsRtlpOplockRHIrpCancelRoutine@8 proc near
					; DATA XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x):loc_53C4DAo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	dl, dl
		push	1
		call	FsRtlpCancelOplockRHIrp
		pop	ebp
		retn	8
_FsRtlpOplockRHIrpCancelRoutine@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpCancelOplockRHIrp	proc near	; CODE XREF: FsRtlpOplockRHIrpCancelRoutine(x,x)+Cp
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+993p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= byte ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005CEEC3 SIZE 0000001B BYTES

		push	1Ch
		push	offset dword_6A3050
		call	__SEH_prolog4
		mov	[ebp+var_1C], dl
		mov	edi, [ecx+1Ch]
		mov	[ebp+var_28], edi
		xor	esi, esi
		lea	eax, [ecx+38h]
		xchg	esi, [eax]
		mov	al, [ecx+25h]
		mov	[ebp+var_1D], al
		mov	eax, large fs:20h
		lea	esi, [eax+450h]
		test	ds:byte_70EFC6,	1
		jnz	loc_5CEEC3
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_4EC056
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5CEED2

loc_4EBFB8:				; CODE XREF: FsRtlpCancelOplockRHIrp+E2F6Dj
		xor	ebx, ebx

loc_4EBFBA:				; CODE XREF: FsRtlpCancelOplockRHIrp+103j
		mov	cl, [ebp+var_1D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	cl, bl
		mov	[ebp+var_1D], cl
		cmp	[ebp+var_1C], 0
		jnz	short loc_4EBFD8
		mov	ecx, [edi+4Ch]
		call	ExAcquireFastMutex
		mov	cl, bl

loc_4EBFD8:				; CODE XREF: FsRtlpCancelOplockRHIrp+6Cj
		mov	[ebp+ms_exc.disabled], ebx
		lea	eax, [edi+1Ch]
		mov	esi, [eax]

loc_4EBFE0:				; CODE XREF: FsRtlpCancelOplockRHIrp+B7j
		mov	[ebp+var_24], esi
		cmp	esi, eax
		jz	short loc_4EC019
		cmp	[esi+1Ch], ebx
		jnz	short loc_4EC015
		mov	eax, [esi+8]
		cmp	byte ptr [eax+24h], 0
		jz	short loc_4EC012
		mov	esi, [esi+4]
		mov	[ebp+var_24], esi
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	0C0000120h
		mov	edx, edi
		mov	ecx, [esi]
		call	_FsRtlpRemoveAndCompleteRHIrp@28 ; FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)
		mov	cl, 1
		mov	[ebp+var_1E], cl

loc_4EC012:				; CODE XREF: FsRtlpCancelOplockRHIrp+93j
		lea	eax, [edi+1Ch]

loc_4EC015:				; CODE XREF: FsRtlpCancelOplockRHIrp+8Aj
		mov	esi, [esi]
		jmp	short loc_4EBFE0
; 

loc_4EC019:				; CODE XREF: FsRtlpCancelOplockRHIrp+85j
		test	cl, cl
		jz	short loc_4EC038
		cmp	[ebp+arg_0], 0
		jz	short loc_4EC02D
		mov	ecx, edi
		call	FsRtlpReleaseIrpsWaitingForRH
		lea	eax, [edi+1Ch]

loc_4EC02D:				; CODE XREF: FsRtlpCancelOplockRHIrp+C1j
		cmp	[eax], eax
		jnz	short loc_4EC038
		mov	ecx, edi
		call	FsRtlpComputeShareableOplockState

loc_4EC038:				; CODE XREF: FsRtlpCancelOplockRHIrp+BBj
					; FsRtlpCancelOplockRHIrp+CFj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_4EC068
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4EC056:				; CODE XREF: FsRtlpCancelOplockRHIrp+3Fj
					; FsRtlpCancelOplockRHIrp+E2F79j
		xor	ebx, ebx
		mov	[esi], ebx
		xor	ecx, ecx
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4EBFBA
FsRtlpCancelOplockRHIrp	endp


;  S U B	R O U T	I N E 


sub_4EC068	proc near		; CODE XREF: FsRtlpCancelOplockRHIrp+DFp
					; sub_5CEEDE+3j
		cmp	byte ptr [ebp-1Ch], 0
		jnz	short locret_4EC076
		mov	ecx, [edi+4Ch]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

locret_4EC076:				; CODE XREF: sub_4EC068+4j
		retn
sub_4EC068	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpReleaseIrpsWaitingForRH proc near	; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+850p
					; FsRtlpCancelOplockRHIrp+C5p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005CEEE6 SIZE 00000083 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], 1
		push	esi
		lea	ecx, [ebx+2Ch]
		mov	esi, [ecx]
		cmp	esi, ecx
		jnz	short loc_4EC095

loc_4EC091:				; CODE XREF: FsRtlpReleaseIrpsWaitingForRH+E2EECj
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4EC095:				; CODE XREF: FsRtlpReleaseIrpsWaitingForRH+17j
		lea	eax, [ebx+24h]
		push	edi
		jmp	loc_5CEEE6
FsRtlpReleaseIrpsWaitingForRH endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlCancelNotify proc near		; CODE XREF: FsRtlNotifySetCancelRoutine+DA50Ap
					; DATA XREF: FsRtlNotifySetCancelRoutine+28o

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 004EC1EC SIZE 00000006 BYTES
; FUNCTION CHUNK AT 005CEF69 SIZE 0000016A BYTES
; FUNCTION CHUNK AT 005CF12E SIZE 00000088 BYTES

		push	48h
		push	offset dword_6A3070
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_38], edi
		mov	edx, [ebp+arg_4]
		mov	eax, [edx+1Ch]
		mov	[ebp+var_50], eax
		mov	[ebp+var_28], eax
		xor	ecx, ecx
		lea	eax, [edx+38h]
		xchg	ecx, [eax]
		mov	[edx+1Ch], edi
		mov	al, [edx+25h]
		mov	[ebp+var_19], al
		mov	eax, large fs:20h
		lea	esi, [eax+450h]
		test	ds:byte_70EFC6,	1
		jnz	loc_5CEF69
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5CEF7F
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5CEF78

loc_4EC104:				; CODE XREF: FsRtlCancelNotify+E2ED5j
		xor	ebx, ebx
		inc	ebx

loc_4EC107:				; CODE XREF: FsRtlCancelNotify+E2EECj
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [ebp+var_28]
		mov	esi, [eax]
		mov	[ebp+var_40], esi
		mov	[ebp+var_44], esi
		mov	eax, large fs:124h
		mov	[ebp+var_30], eax
		cmp	eax, [esi+20h]
		jz	short loc_4EC144
		mov	ecx, esi
		call	ExAcquireFastMutexUnsafe
		mov	eax, [ebp+var_30]
		mov	[esi+20h], eax

loc_4EC144:				; CODE XREF: FsRtlCancelNotify+97j
		inc	dword ptr [esi+24h]
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+arg_4]
		lea	edx, [ecx+58h]
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_4EC16F
		mov	esi, [edx+4]
		cmp	[eax+4], edx
		jnz	loc_4EC1EC
		cmp	[esi], edx
		jnz	loc_4EC1EC
		mov	[esi], eax
		mov	[eax+4], esi

loc_4EC16F:				; CODE XREF: FsRtlCancelNotify+B6j
		mov	eax, [ecx+60h]
		mov	[ebp+var_54], eax
		or	byte ptr [eax+3], 1
		mov	esi, [ebp+var_28]
		mov	eax, [esi+30h]
		test	eax, eax
		jnz	loc_5CEF8F

loc_4EC187:				; CODE XREF: FsRtlCancelNotify+E2EF4j
					; FsRtlCancelNotify+E2F2Dj ...
		mov	dword ptr [ecx+18h], 0C0000120h
		mov	dl, bl
		call	IofCompleteRequest
		lea	eax, [esi+44h]
		lock dec dword ptr [eax]
		cmp	[eax], edi
		jz	loc_5CF165

loc_4EC1A3:				; CODE XREF: FsRtlCancelNotify+E3113j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_40]
		call	sub_4EC1C4
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
FsRtlCancelNotify endp


;  S U B	R O U T	I N E 


sub_4EC1C4	proc near		; CODE XREF: FsRtlCancelNotify+10Fp
					; sub_5CF1B6+5j

; FUNCTION CHUNK AT 005CF1C0 SIZE 00000012 BYTES

		sub	dword ptr [eax+24h], 1
		jnz	short loc_4EC1D4
		mov	[eax+20h], edi
		mov	ecx, eax
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

loc_4EC1D4:				; CODE XREF: sub_4EC1C4+4j
		mov	esi, [ebp-34h]
		test	esi, esi
		jnz	loc_5CF1C0

loc_4EC1DF:				; CODE XREF: sub_4EC1C4+E3009j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		retn
sub_4EC1C4	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlCancelNotify

loc_4EC1EC:				; CODE XREF: FsRtlCancelNotify+BEj
					; FsRtlCancelNotify+C6j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
; END OF FUNCTION CHUNK	FOR FsRtlCancelNotify

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipNotificationIrpCancel proc near	; DATA XREF: WmipReceiveNotifications+1D4o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CF1D2 SIZE 00000063 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		mov	eax, offset _WmipCancelSpinLock
		test	ds:byte_70EFC6,	21h
		push	esi
		push	edi
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ebx
		jnz	loc_5CF1D2
		lea	edx, [ebp+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_5CF1E1

loc_4EC227:				; CODE XREF: WmipNotificationIrpCancel+E2FEAj
					; WmipNotificationIrpCancel+E2FF7j
		mov	edi, [ebp+arg_4]
		mov	ecx, edi
		call	_WmipClearIrpObjectList@4 ; WmipClearIrpObjectList(x)
		xor	esi, esi
		inc	esi
		test	ds:byte_70EFC6,	1
		jnz	loc_5CF1EE
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_4EC2BB
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5CF1FE

loc_4EC25F:				; CODE XREF: WmipNotificationIrpCancel+D2j
					; WmipNotificationIrpCancel+E3007j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		mov	bl, [edi+25h]
		lea	esi, [eax+450h]
		jnz	loc_5CF20B
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5CF221
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5CF21A

loc_4EC298:				; CODE XREF: WmipNotificationIrpCancel+E3023j
					; WmipNotificationIrpCancel+E303Ej
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	dword ptr [edi+1Ch], 0
		xor	dl, dl
		mov	ecx, edi
		mov	dword ptr [edi+18h], 0C0000120h
		call	IofCompleteRequest
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4EC2BB:				; CODE XREF: WmipNotificationIrpCancel+54j
					; WmipNotificationIrpCancel+E3014j
		mov	[ebp+var_C], ebx
		add	eax, 4
		lock xor [eax],	esi
		jmp	short loc_4EC25F
WmipNotificationIrpCancel endp

; 

; __stdcall WmipClearIrpObjectList(x)
_WmipClearIrpObjectList@4:		; CODE XREF: WmipCompleteGuidIrpWithError+6Ap
					; WmipNotificationIrpCancel+3Ap ...
		mov	edi, edi
		push	esi
		lea	esi, [ecx+40h]
		mov	ecx, [esi]
		cmp	ecx, esi
		jz	short loc_4EC2F5
		push	edi

loc_4EC2D3:				; CODE XREF: .text:004EC2F2j
		mov	edx, ecx
		mov	eax, ecx
		mov	ecx, [ecx]
		and	dword ptr [eax-4], 0
		mov	edi, [edx]
		cmp	[edi+4], edx
		jnz	short loc_4EC2F7
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	short loc_4EC2F7
		mov	[eax], edi
		mov	[edi+4], eax
		cmp	ecx, esi
		jnz	short loc_4EC2D3
		pop	edi

loc_4EC2F5:				; CODE XREF: .text:004EC2D0j
		pop	esi
		retn
; 

loc_4EC2F7:				; CODE XREF: .text:004EC2E2j
					; .text:004EC2E9j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl MiModifiedWriterNoReservationSort(const void *,const void	*)
_MiModifiedWriterNoReservationSort proc	near
					; DATA XREF: MiFillNoReservationCluster(x,x,x)+1AFo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, ds:_MmPfnDatabase
		push	esi
		mov	eax, [eax]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		lea	esi, [edx+ecx*4]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, [esi+18h]
		and	eax, offset loc_7FFFFF
		lea	edx, [edx+ecx*4]
		mov	ecx, [edx+18h]
		and	ecx, offset loc_7FFFFF
		cmp	eax, ecx
		jb	short loc_4EC364
		ja	short loc_4EC35C
		mov	eax, [edx+4]
		mov	ecx, [esi+4]
		or	eax, 80000000h
		or	ecx, 80000000h
		cmp	ecx, eax
		jb	short loc_4EC364
		jbe	short loc_4EC369

loc_4EC35C:				; CODE XREF: _MiModifiedWriterNoReservationSort+43j
		mov	eax, 1

loc_4EC361:				; CODE XREF: _MiModifiedWriterNoReservationSort+67j
					; _MiModifiedWriterNoReservationSort+6Bj
		pop	esi
		pop	ebp
		retn
; 

loc_4EC364:				; CODE XREF: _MiModifiedWriterNoReservationSort+41j
					; _MiModifiedWriterNoReservationSort+58j
		or	eax, 0FFFFFFFFh
		jmp	short loc_4EC361
; 

loc_4EC369:				; CODE XREF: _MiModifiedWriterNoReservationSort+5Aj
		xor	eax, eax
		jmp	short loc_4EC361
_MiModifiedWriterNoReservationSort endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static int __stdcall ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR::Compare(void *, unsigned	long const &, unsigned long const &)
?Compare@ST_REGION_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z proc near
					; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+3Fp
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+7Cp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [edx]
		mov	edx, eax
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_C], eax
		push	esi
		push	edi
		mov	[ebp+var_4], ebx
		mov	eax, [ebx+0D4h]
		mov	ecx, [ebx+0D0h]
		mov	[ebp+var_8], eax
		mov	eax, [ebx+0D8h]
		mov	[ebp+var_10], eax
		mov	eax, [ebx+0E0h]
		shr	edx, cl
		bsr	edi, edx
		mov	[ebp+var_14], 0
		mov	[ebp+var_14], eax
		btc	edx, edi
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_18], 0
		lea	edx, [edx+edx*2]
		mov	eax, [eax]
		mov	ebx, eax
		shr	ebx, cl
		mov	ecx, [ebp+var_8]
		and	ecx, [ebp+var_C]
		imul	ecx, [ebp+var_10]
		bsr	esi, ebx
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_4]
		btc	ebx, esi
		mov	eax, [eax+edi*4+48h]
		pop	edi
		add	ecx, [eax+edx*4]
		mov	edx, [ebp+var_14]
		mov	eax, [ecx+edx]
		lea	ecx, [ebx+ebx*2]
		mov	ebx, [ebp+var_8]
		and	ebx, [ebp+arg_0]
		imul	ebx, [ebp+var_10]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+esi*4+48h]
		pop	esi
		add	ebx, [eax+ecx*4]
		mov	eax, [ebx+edx]
		pop	ebx
		cmp	[ebp+var_14], eax
		jb	short loc_4EC41C
		ja	short loc_4EC425
		xor	eax, eax
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4EC41C:				; CODE XREF: ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR::Compare(void *,ulong const &,ulong const &)+A0j
		or	eax, 0FFFFFFFFh
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4EC425:				; CODE XREF: ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR::Compare(void *,ulong const &,ulong const &)+A2j
		mov	eax, 1
		mov	esp, ebp
		pop	ebp
		retn	4
?Compare@ST_REGION_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry  67. ExReleaseRundownProtectionCacheAware

;  S U B	R O U T	I N E 


		public ExReleaseRundownProtectionCacheAware
ExReleaseRundownProtectionCacheAware proc near

; FUNCTION CHUNK AT 005CF235 SIZE 0000002E BYTES

		movzx	eax, large byte	ptr fs:51h
		xor	edx, edx
		push	ebx
		push	esi
		mov	esi, ecx
		div	dword ptr [esi+0Ch]
		imul	edx, [esi+8]
		add	edx, [esi]
		jmp	short loc_4EC460
; 
		align 10h

loc_4EC460:				; CODE XREF: ExReleaseRundownProtectionCacheAware+17j
					; ExReleaseRundownProtectionCacheAware+36j ...
		mov	ebx, [edx]
		test	bl, 1
		jnz	loc_5CF235
		lea	ecx, [ebx-2]
		mov	eax, ebx
		lock cmpxchg [edx], ecx
		cmp	eax, ebx
		jnz	short loc_4EC460

loc_4EC478:				; CODE XREF: ExReleaseRundownProtectionCacheAware+E2E0Bj
					; ExReleaseRundownProtectionCacheAware+E2E1Ej
		pop	esi
		pop	ebx
		retn
ExReleaseRundownProtectionCacheAware endp

; 
		align 10h
; Exported entry  33. ExAcquireRundownProtectionCacheAware

;  S U B	R O U T	I N E 


; __fastcall ExAcquireRundownProtectionCacheAware(x)
		public @ExAcquireRundownProtectionCacheAware@4
@ExAcquireRundownProtectionCacheAware@4	proc near
		movzx	eax, large byte	ptr fs:51h
		xor	edx, edx
		div	dword ptr [ecx+0Ch]
		push	esi
		imul	edx, [ecx+8]
		add	edx, [ecx]
		mov	esi, [edx]
		and	esi, 0FFFFFFFEh
		mov	eax, esi
		lea	ecx, [esi+2]
		lock cmpxchg [edx], ecx
		cmp	eax, esi
		pop	esi
		jnz	short loc_4EC4AA
		mov	al, 1
		retn
; 

loc_4EC4AA:				; CODE XREF: ExAcquireRundownProtectionCacheAware(x)+25j
		mov	ecx, edx
		jmp	@ExfAcquireRundownProtection@4 ; ExfAcquireRundownProtection(x)
@ExAcquireRundownProtectionCacheAware@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertDemotedPages(x, x, x, x, x)
_MiInsertDemotedPages@20 proc near	; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+119p
					; MiDemoteLargeFreePage(x,x,x,x,x)+82p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		cmp	eax, edi
		jz	short loc_4EC502
		lea	ecx, [ecx+0]

loc_4EC4E0:				; CODE XREF: MiInsertDemotedPages(x,x,x,x,x)+40j
		lea	esi, [eax+1]
		cmp	esi, edi
		jnz	short loc_4EC4EC
		mov	ebx, 1

loc_4EC4EC:				; CODE XREF: MiInsertDemotedPages(x,x,x,x,x)+25j
		push	ebx
		push	eax
		push	[ebp+arg_8]
		call	_MiInsertLargePageChain@20 ; MiInsertLargePageChain(x,x,x,x,x)
		mov	edx, [ebp+var_4]
		mov	eax, esi
		mov	ecx, [ebp+var_8]
		cmp	eax, edi
		jnz	short loc_4EC4E0

loc_4EC502:				; CODE XREF: MiInsertDemotedPages(x,x,x,x,x)+1Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MiInsertDemotedPages@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertLargePageChain(x, x, x, x, x)
_MiInsertLargePageChain@20 proc	near	; CODE XREF: MiInsertDemotedPages(x,x,x,x,x)+31p

var_5C		= dword	ptr -5Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= byte ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		push	ebx
		xor	eax, eax
		mov	ebx, edx
		push	esi
		push	edi
		lea	edi, [ebp+var_30]
		mov	esi, ecx
		stosd
		mov	ecx, ebx
		mov	[ebp+var_18], esi
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_40]
		stosd
		stosd
		stosd
		stosd
		call	_MiIsFreshPfnFromZeroedList@4 ;	MiIsFreshPfnFromZeroedList(x)
		neg	eax
		mov	ecx, ebx
		sbb	eax, eax
		inc	eax
		mov	[ebp+var_1C], eax
		call	_MiIsFreeZeroPfnCold@4 ; MiIsFreeZeroPfnCold(x)
		mov	edi, [ebp+arg_4]
		xor	edx, edx
		inc	edx
		mov	[ebp+var_20], eax
		mov	ecx, ds:_MiLargePageSizes[edi*4]
		cmp	edi, edx
		jnz	short loc_4EC5AA
		mov	eax, [ebp+var_1C]
		xor	esi, esi
		push	esi
		push	esi
		push	eax
		push	edx
		mov	ecx, ebx
		call	_MiConvertEntireLargePageToSmall@24 ; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)

loc_4EC569:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+20Bj
		xor	edi, edi
		inc	edi

loc_4EC56C:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+2E1j
		cmp	[ebp+arg_8], 0
		jz	loc_4EC866
		test	byte ptr [ebp+var_38], 2
		jnz	loc_4EC803
		mov	eax, [ebp+var_18]
		add	eax, 204h
		mov	[ebp+var_30], esi
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_2C], eax
		jz	loc_4EC7F2
		mov	edx, eax
		lea	ecx, [ebp+var_30]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EC803
; 

loc_4EC5AA:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+4Bj
		mov	eax, ds:dword_4102F8[edi*4]
		xor	edx, edx
		mov	[ebp+var_14], eax
		mov	eax, ecx
		div	[ebp+var_14]
		mov	[ebp+arg_4], 1Ch
		mov	[ebp+var_10], eax
		mov	eax, ebx
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	[ebp+arg_4]
		sub	eax, [ebp+var_14]
		add	eax, ecx
		sub	ecx, [ebp+var_14]
		imul	ecx, 1Ch
		mov	[ebp+var_8], eax
		add	ebx, ecx
		mov	ecx, ebx
		mov	[ebp+var_C], ebx
		call	_MiLockPageAtDpc@4 ; MiLockPageAtDpc(x)
		mov	eax, [ebp+var_8]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_3C], eax
		lea	eax, [esi+204h]
		xor	esi, esi
		mov	[ebp+var_34], 2
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_38], 3
		mov	[ebp+var_24], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_30], esi
		jz	short loc_4EC628
		mov	edx, eax
		lea	ecx, [ebp+var_30]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4EC639
; 

loc_4EC628:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+10Ej
		lea	edx, [ebp+var_30]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_4EC639
		lea	ecx, [ebp+var_30]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4EC639:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+11Aj
					; MiInsertLargePageChain(x,x,x,x,x)+123j
		not	edi
		sub	edi, 2
		and	edi, 3
		shl	edi, 18h
		mov	[ebp+arg_4], edi

loc_4EC647:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+288j
					; MiInsertLargePageChain(x,x,x,x,x)+2B7j ...
		mov	cl, [ebx+16h]
		mov	edx, [ebp+var_20]
		mov	al, cl
		and	al, 7
		cmp	al, 6
		jnz	short loc_4EC671
		and	cl, 0FDh
		or	cl, 5
		mov	[ebx+16h], cl
		mov	ecx, ebx
		call	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)
		mov	al, [ebx+16h]
		and	al, 0FEh
		or	al, 6
		mov	[ebx+16h], al
		jmp	short loc_4EC678
; 

loc_4EC671:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+147j
		mov	ecx, ebx
		call	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)

loc_4EC678:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+163j
		xor	eax, eax
		lea	edi, [ebp+var_5C]
		push	7
		pop	ecx
		rep stosd
		mov	eax, [ebx+18h]
		xor	edi, edi
		and	eax, 0FCFFFFFFh
		inc	edi
		or	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		mov	[ebx+18h], eax
		cmp	[ebp+var_10], edi
		jnz	short loc_4EC6A4
		cmp	[ebp+arg_0], esi
		jnz	loc_4EC7E2

loc_4EC6A4:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+18Dj
		mov	eax, [ebp+var_8]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+var_18]
		cmp	[eax+214h], esi
		jnz	short loc_4EC6BD
		mov	ebx, [ebp+var_38]
		or	ebx, 2
		jmp	short loc_4EC701
; 

loc_4EC6BD:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+1A7j
		test	ds:byte_70EFC6,	1
		jz	short loc_4EC6D3
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4EC6FB
; 

loc_4EC6D3:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+1B8j
		mov	eax, [ebp+var_30]
		test	eax, eax
		jnz	short loc_4EC6F2
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_30]
		cmp	eax, ecx
		jz	short loc_4EC6FB
		call	KxWaitForLockChainValid

loc_4EC6F2:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+1CCj
		mov	[ebp+var_30], esi
		add	eax, 4
		lock xor [eax],	edi

loc_4EC6FB:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+1C5j
					; MiInsertLargePageChain(x,x,x,x,x)+1DFj
		mov	ebx, [ebp+var_38]
		and	ebx, 0FFFFFFFDh

loc_4EC701:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+1AFj
		mov	eax, ebx
		mov	[ebp+var_38], ebx
		lea	ecx, [ebp+var_40]
		mov	[ebp+var_1C], eax
		mov	edi, ebx
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)
		sub	[ebp+var_10], 1
		jz	loc_4EC569
		mov	ecx, [ebp+var_14]
		sub	[ebp+var_8], ecx
		imul	eax, ecx, -1Ch
		add	[ebp+var_C], eax
		test	bl, 2
		jz	short loc_4EC78B
		mov	ecx, ebx
		mov	ebx, [ebp+var_C]
		lea	eax, [ebx+10h]
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_4EC791
		test	ds:byte_70EFC6,	1
		jz	short loc_4EC753
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4EC77E
; 

loc_4EC753:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+238j
		mov	eax, [ebp+var_30]
		test	eax, eax
		jnz	short loc_4EC772
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_30]
		cmp	eax, ecx
		jz	short loc_4EC77E
		call	KxWaitForLockChainValid

loc_4EC772:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+24Cj
		xor	ecx, ecx
		mov	[ebp+var_30], esi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_4EC77E:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+245j
					; MiInsertLargePageChain(x,x,x,x,x)+25Fj
		mov	ecx, [ebp+var_38]
		and	ecx, 0FFFFFFFDh
		mov	[ebp+var_38], ecx
		mov	edi, ecx
		jmp	short loc_4EC791
; 

loc_4EC78B:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+220j
		mov	ebx, [ebp+var_C]
		mov	ecx, [ebp+var_1C]

loc_4EC791:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+22Fj
					; MiInsertLargePageChain(x,x,x,x,x)+27Dj
		test	cl, 2
		jnz	loc_4EC647
		or	edi, 2
		mov	ecx, ebx
		mov	[ebp+var_38], edi
		call	_MiLockPageAtDpc@4 ; MiLockPageAtDpc(x)
		test	ds:byte_70EFC6,	21h
		mov	eax, [ebp+var_24]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_30], esi
		jz	short loc_4EC7C8
		mov	edx, eax
		lea	ecx, [ebp+var_30]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EC647
; 

loc_4EC7C8:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+2ABj
		lea	edx, [ebp+var_30]
		xchg	edx, [eax]
		test	edx, edx
		jz	loc_4EC647
		lea	ecx, [ebp+var_30]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4EC647
; 

loc_4EC7E2:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+192j
		mov	ecx, 7FFFFFFFh
		lea	eax, [ebx+10h]
		lock and [eax],	ecx
		jmp	loc_4EC56C
; 

loc_4EC7F2:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+89j
		lea	edx, [ebp+var_30]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_4EC803
		lea	ecx, [ebp+var_30]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4EC803:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+6Ej
					; MiInsertLargePageChain(x,x,x,x,x)+99j ...
		mov	eax, [ebp+var_18]
		mov	edi, [eax+1F8h]
		dec	dword ptr [eax+1F4h]
		mov	[eax+1F8h], esi
		test	ds:byte_70EFC6,	1
		jz	short loc_4EC82E
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4EC859
; 

loc_4EC82E:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+313j
		mov	eax, [ebp+var_30]
		test	eax, eax
		jnz	short loc_4EC84D
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_30]
		cmp	eax, ecx
		jz	short loc_4EC859
		call	KxWaitForLockChainValid

loc_4EC84D:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+327j
		xor	ecx, ecx
		mov	[ebp+var_30], esi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_4EC859:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+320j
					; MiInsertLargePageChain(x,x,x,x,x)+33Aj
		test	edi, edi
		jz	short loc_4EC8AA
		mov	ecx, edi
		call	_MiWakeLargePageWaiters@4 ; MiWakeLargePageWaiters(x)
		jmp	short loc_4EC8AA
; 

loc_4EC866:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+64j
		test	byte ptr [ebp+var_38], 2
		jz	short loc_4EC8AA
		test	ds:byte_70EFC6,	1
		jz	short loc_4EC882
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4EC8AA
; 

loc_4EC882:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+367j
		mov	eax, [ebp+var_30]
		test	eax, eax
		jnz	short loc_4EC8A1
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_30]
		cmp	eax, ecx
		jz	short loc_4EC8AA
		call	KxWaitForLockChainValid

loc_4EC8A1:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+37Bj
		mov	[ebp+var_30], esi
		add	eax, 4
		lock xor [eax],	edi

loc_4EC8AA:				; CODE XREF: MiInsertLargePageChain(x,x,x,x,x)+34Fj
					; MiInsertLargePageChain(x,x,x,x,x)+358j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiInsertLargePageChain@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPruneSoftwareWsles(x, x)
_MiPruneSoftwareWsles@8	proc near	; CODE XREF: .text:00459AD0p
					; MiRemoveWsleList+418p ...

var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		shr	edx, 9
		sub	esp, 1Ch
		sub	edx, 40000000h
		and	edx, 0FFFFFFC0h
		mov	eax, edx
		push	ebx
		push	esi
		shl	eax, 12h
		mov	ebx, ecx
		mov	esi, 8
		push	edi
		cmp	eax, dword_6D2E88
		jz	loc_4EC97B

loc_4EC8EF:				; CODE XREF: MiPruneSoftwareWsles(x,x)+CFj
		shl	esi, 3
		lea	ecx, [esi+edx]
		cmp	edx, ecx
		jnb	short loc_4EC913
		lea	esp, [esp+0]

loc_4EC900:				; CODE XREF: MiPruneSoftwareWsles(x,x)+4Fj
		mov	eax, [edx]
		and	eax, 1
		or	eax, 0
		jnz	short loc_4EC911
		add	edx, 8
		cmp	edx, ecx
		jb	short loc_4EC900

loc_4EC911:				; CODE XREF: MiPruneSoftwareWsles(x,x)+48j
		cmp	edx, ecx

loc_4EC913:				; CODE XREF: MiPruneSoftwareWsles(x,x)+37j
		jz	short loc_4EC91C

loc_4EC915:				; CODE XREF: MiPruneSoftwareWsles(x,x)+AFj
					; MiPruneSoftwareWsles(x,x)+B5j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4EC91C:				; CODE XREF: MiPruneSoftwareWsles(x,x):loc_4EC913j
		xor	eax, eax
		lea	edi, [ebp+var_18]
		mov	ecx, 6
		sub	edx, esi
		rep stosd
		mov	cl, [ebx+60h]
		mov	al, cl
		shl	edx, 12h
		and	al, 7
		cmp	al, 2
		jz	short loc_4EC994
		lea	esi, [ebx+0A0h]

loc_4EC93E:				; CODE XREF: MiPruneSoftwareWsles(x,x)+D9j
		movzx	eax, cl
		mov	ecx, ebx
		and	eax, 7
		shr	edx, 0Ch
		add	edx, dword_6D2E68[eax*4]
		lea	eax, [ebp+var_18]
		push	eax
		push	100h
		push	0
		lea	eax, [edx+0FFFh]
		push	eax
		push	edx
		mov	dl, 2
		call	_MiDeletePagablePteRange@28 ; MiDeletePagablePteRange(x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	short loc_4EC915
		test	byte ptr [ebx+60h], 7
		jnz	short loc_4EC915
		sub	[esi], ecx
		jmp	short loc_4EC915
; 

loc_4EC97B:				; CODE XREF: MiPruneSoftwareWsles(x,x)+29j
		mov	esi, dword_6D2E68
		shr	esi, 12h
		sub	esi, edx
		sub	esi, 3FA00000h
		sar	esi, 3
		jmp	loc_4EC8EF
; 

loc_4EC994:				; CODE XREF: MiPruneSoftwareWsles(x,x)+76j
		mov	esi, offset unk_6D3C60
		jmp	short loc_4EC93E
_MiPruneSoftwareWsles@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMakeProtoTransition proc near		; CODE XREF: .text:00473446p
					; MiWsleFree(x,x,x,x,x)+4A6p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CF263 SIZE 0000008F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ecx+8]
		push	edi
		nop
		mov	edx, [ecx+18h]
		mov	edi, 4
		mov	eax, [ecx+0Ch]
		and	edx, offset loc_7FFFFF
		shrd	esi, eax, 5
		mov	eax, [ecx+4]
		mov	[ebp+var_8], eax
		and	esi, 1Fh
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		movzx	eax, byte ptr [eax+ecx*4+16h]
		shr	eax, 6
		test	eax, eax
		jz	loc_5CF26D
		cmp	eax, 3
		jz	loc_5CF26D
		cmp	eax, 2
		jz	loc_5CF263

loc_4EC9FD:				; CODE XREF: MiMakeProtoTransition+E28C8j
					; MiMakeProtoTransition+E28D2j
		or	edi, 0A0000000h
		xor	ecx, ecx
		push	edi
		call	MiMakeValidPte
		mov	ecx, large fs:20h
		mov	ebx, eax
		mov	edi, [ecx+3D34h]
		mov	ecx, edi
		and	ecx, 0FFFh
		and	edi, 0FFFFF000h
		shl	ecx, 0Ch
		add	edi, ecx
		mov	ecx, edi
		shr	ecx, 9
		sub	ecx, 40000000h
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5CF277

loc_4ECA45:				; CODE XREF: MiMakeProtoTransition+E2927j
					; MiMakeProtoTransition+E2935j	...
		xor	eax, eax

loc_4ECA47:				; CODE XREF: MiMakeProtoTransition+E28EFj
					; MiMakeProtoTransition+E2900j	...
		mov	[ecx+4], edx
		nop
		mov	[ecx], ebx
		test	eax, eax
		jnz	loc_5CF2E6

loc_4ECA55:				; CODE XREF: MiMakeProtoTransition+E294Dj
		mov	eax, [ebp+var_8]
		shr	eax, 3
		and	eax, 1FFh
		mov	ecx, [edi+eax*8]
		lea	edi, [edi+eax*8]
		nop
		mov	eax, [edi+4]
		nop
		shrd	ecx, eax, 0Ch
		mov	edx, esi
		and	ecx, 1FFFFFFh
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], edx
		mov	[edi], eax
		nop
		mov	[edi+4], edx
		mov	eax, large fs:20h
		shr	edi, 9
		mov	[ebp+var_4], eax
		and	edi, offset loc_7FFFF8
		mov	ebx, [eax+3D34h]
		mov	esi, ebx
		and	esi, 0FFFh
		and	ebx, 0FFFFF000h
		lea	eax, [esi+1]
		mov	[ebp+var_8], eax
		mov	eax, ds:_ZeroPte
		mov	[edi-40000000h], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edi-3FFFFFFCh], eax
		cmp	esi, 0FFh
		jz	short loc_4ECAF2

loc_4ECAD3:				; CODE XREF: MiMakeProtoTransition+157j
		mov	eax, [ebp+var_4]
		sub	esi, 0FFh
		neg	esi
		pop	edi
		sbb	esi, esi
		and	esi, [ebp+var_8]
		or	esi, ebx
		mov	[eax+3D34h], esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4ECAF2:				; CODE XREF: MiMakeProtoTransition+131j
		call	_MiFlushHyperSpace@0 ; MiFlushHyperSpace()
		jmp	short loc_4ECAD3
MiMakeProtoTransition endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWaitForResource proc	near		; CODE XREF: ExpAcquireSharedStarveExclusive+386p
					; ExpAcquireResourceExclusiveLite+299p	...

var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CF302 SIZE 00000094 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A30E0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	edi, edx
		mov	[ebp+var_20], edi
		mov	esi, ecx
		mov	[ebp+var_24], esi
		inc	large dword ptr	fs:41E8h
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		inc	dword ptr [esi+24h]
		mov	[ebp+var_34], 0FFB3B4C0h
		mov	[ebp+var_30], 0FFFFFFFFh
		lea	esp, [esp+0]

loc_4ECB60:				; CODE XREF: ExpWaitForResource+CFj
					; ExpWaitForResource+D4j
		lea	eax, [ebp+var_34]
		push	eax
		push	0
		push	0
		push	1Bh
		lea	eax, [edi+0Ch]
		push	eax
		call	KeWaitForSingleObject
		cmp	eax, 102h
		jz	short loc_4ECB8E
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4ECB8E:				; CODE XREF: ExpWaitForResource+78j
		inc	ebx
		mov	[ebp+var_2C], ebx
		test	dword ptr ds:byte_70EFC4, 20000h
		jnz	sub_5CF2F2

loc_4ECBA2:				; CODE XREF: sub_5CF2F2+Bj
		mov	ecx, [ebp+var_1C]
		inc	ecx
		mov	[ebp+var_1C], ecx
		mov	eax, _ExpTimeout
		mov	[ebp+var_34], eax
		mov	eax, dword_6BB4FC
		mov	[ebp+var_30], eax
		mov	eax, _ExResourceTimeoutCount
		test	eax, eax
		jz	short loc_4ECBCA
		cmp	ecx, eax
		ja	loc_5CF302

loc_4ECBCA:				; CODE XREF: ExpWaitForResource+C0j
					; ExpWaitForResource+E2891j ...
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_4ECB60
		push	esi
		call	eax
		jmp	short loc_4ECB60
ExpWaitForResource endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 656. FsRtlRemovePerFileObjectContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlRemovePerFileObjectContext
FsRtlRemovePerFileObjectContext	proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CF3BA SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], esi
		test	ecx, ecx
		jz	loc_4ECC85
		push	esi
		lea	edx, [ebp+var_4]
		call	_IoGetFileObjectFilterContext@12 ; IoGetFileObjectFilterContext(x,x,x)
		cmp	[ebp+var_4], esi
		jz	loc_4ECC85
		mov	eax, large fs:124h
		push	ebx
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+var_4]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jnz	loc_5CF3BA
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	loc_5CF3E3
		lea	ecx, [edi+4]
		mov	eax, [ecx]

loc_4ECC3C:				; CODE XREF: FsRtlRemovePerFileObjectContext+A2j
		cmp	eax, ecx
		jz	short loc_4ECC5E
		cmp	[eax+8], edx
		jnz	short loc_4ECC7C

loc_4ECC45:				; CODE XREF: FsRtlRemovePerFileObjectContext+E27F6j
		mov	esi, eax

loc_4ECC47:				; CODE XREF: FsRtlRemovePerFileObjectContext+E2816j
		test	esi, esi
		jz	short loc_4ECC5E
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_4ECC80
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_4ECC80
		mov	[ecx], eax
		mov	[eax+4], ecx

loc_4ECC5E:				; CODE XREF: FsRtlRemovePerFileObjectContext+62j
					; FsRtlRemovePerFileObjectContext+6Dj ...
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	ebx

loc_4ECC77:				; CODE XREF: FsRtlRemovePerFileObjectContext+ABj
		pop	esi
		leave
		retn	0Ch
; 

loc_4ECC7C:				; CODE XREF: FsRtlRemovePerFileObjectContext+67j
		mov	eax, [eax]
		jmp	short loc_4ECC3C
; 

loc_4ECC80:				; CODE XREF: FsRtlRemovePerFileObjectContext+74j
					; FsRtlRemovePerFileObjectContext+7Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4ECC85:				; CODE XREF: FsRtlRemovePerFileObjectContext+11j
					; FsRtlRemovePerFileObjectContext+23j
		xor	eax, eax
		jmp	short loc_4ECC77
FsRtlRemovePerFileObjectContext	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 558. FsRtlInsertPerFileObjectContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlInsertPerFileObjectContext
FsRtlInsertPerFileObjectContext	proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CF3F7 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		test	edi, edi
		jz	loc_5CF3F7
		push	1
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_IoGetFileObjectFilterContext@12 ; IoGetFileObjectFilterContext(x,x,x)
		test	eax, eax
		js	loc_4ECD40
		push	esi
		cmp	[ebp+var_4], ebx
		jnz	short loc_4ECCF7
		push	58434F46h
		push	0Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_4], esi
		test	esi, esi
		jz	short loc_4ECD46
		lea	eax, [esi+4]
		mov	[esi], ebx
		push	1
		mov	edx, esi
		mov	[eax+4], eax
		mov	ecx, edi
		mov	[eax], eax
		call	_IoChangeFileObjectFilterContext@12 ; IoChangeFileObjectFilterContext(x,x,x)
		test	eax, eax
		js	loc_5CF401

loc_4ECCF7:				; CODE XREF: FsRtlInsertPerFileObjectContext+30j
					; FsRtlInsertPerFileObjectContext+E2788j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+var_4]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		lea	ecx, [esi+4]
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_4ECD4D
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		xor	edx, edx
		mov	[ecx], eax
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax

loc_4ECD3F:				; CODE XREF: FsRtlInsertPerFileObjectContext+BDj
					; FsRtlInsertPerFileObjectContext+E2793j
		pop	esi

loc_4ECD40:				; CODE XREF: FsRtlInsertPerFileObjectContext+26j
					; FsRtlInsertPerFileObjectContext+E276Ej
		pop	edi
		pop	ebx
		leave
		retn	8
; 

loc_4ECD46:				; CODE XREF: FsRtlInsertPerFileObjectContext+4Aj
		mov	eax, 0C000009Ah
		jmp	short loc_4ECD3F
; 

loc_4ECD4D:				; CODE XREF: FsRtlInsertPerFileObjectContext+8Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
FsRtlInsertPerFileObjectContext	endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetFileObjectFilterContext(x, x, x)
_IoGetFileObjectFilterContext@12 proc near ; CODE XREF:	FsRtlRemovePerFileObjectContext+1Bp
					; FsRtlInsertPerFileObjectContext+1Fp ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	eax, [esi+7Ch]
		test	eax, eax
		jz	short loc_4ECD79

loc_4ECD64:				; CODE XREF: IoGetFileObjectFilterContext(x,x,x)+3Dj
		cmp	eax, _IopRevocationExtension
		jz	short loc_4ECD91
		mov	eax, [eax+10h]

loc_4ECD6F:				; CODE XREF: IoGetFileObjectFilterContext(x,x,x)+41j
		mov	[edi], eax
		xor	eax, eax

loc_4ECD73:				; CODE XREF: IoGetFileObjectFilterContext(x,x,x)+48j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4ECD79:				; CODE XREF: IoGetFileObjectFilterContext(x,x,x)+10j
		cmp	[ebp+arg_0], 0
		jz	short loc_4ECD95
		xor	edx, edx
		call	IopAllocateFileObjectExtension
		test	eax, eax
		js	short loc_4ECD97
		mov	eax, [esi+7Ch]
		test	eax, eax
		jnz	short loc_4ECD64

loc_4ECD91:				; CODE XREF: IoGetFileObjectFilterContext(x,x,x)+18j
		xor	eax, eax
		jmp	short loc_4ECD6F
; 

loc_4ECD95:				; CODE XREF: IoGetFileObjectFilterContext(x,x,x)+2Bj
		xor	eax, eax

loc_4ECD97:				; CODE XREF: IoGetFileObjectFilterContext(x,x,x)+36j
		and	dword ptr [edi], 0
		jmp	short loc_4ECD73
_IoGetFileObjectFilterContext@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoChangeFileObjectFilterContext(x, x, x)
_IoChangeFileObjectFilterContext@12 proc near
					; CODE XREF: FsRtlInsertPerFileObjectContext+5Cp
					; FsRtlPTeardownPerFileObjectContexts(x)+27p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+7Ch]
		push	esi
		xor	esi, esi
		test	eax, eax
		jz	short loc_4ECDE2
		cmp	eax, _IopRevocationExtension
		jz	short loc_4ECDB5
		mov	esi, eax

loc_4ECDB5:				; CODE XREF: IoChangeFileObjectFilterContext(x,x,x)+15j
		add	esi, 10h
		cmp	[ebp+arg_0], 0
		jz	short loc_4ECDCF
		xor	eax, eax
		lock cmpxchg [esi], edx
		test	eax, eax

loc_4ECDC6:				; CODE XREF: IoChangeFileObjectFilterContext(x,x,x)+3Dj
		jnz	short loc_4ECDDB
		xor	eax, eax

loc_4ECDCA:				; CODE XREF: IoChangeFileObjectFilterContext(x,x,x)+44j
					; IoChangeFileObjectFilterContext(x,x,x)+4Bj
		pop	esi
		pop	ebp
		retn	4
; 

loc_4ECDCF:				; CODE XREF: IoChangeFileObjectFilterContext(x,x,x)+20j
		xor	ecx, ecx
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jmp	short loc_4ECDC6
; 

loc_4ECDDB:				; CODE XREF: IoChangeFileObjectFilterContext(x,x,x):loc_4ECDC6j
		mov	eax, 0C0000021h
		jmp	short loc_4ECDCA
; 

loc_4ECDE2:				; CODE XREF: IoChangeFileObjectFilterContext(x,x,x)+Dj
		mov	eax, 0C000000Dh
		jmp	short loc_4ECDCA
_IoChangeFileObjectFilterContext@12 endp

; 
		align 10h
; Exported entry 871. IoGetIoAttributionHandle

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetIoAttributionHandle(x,	x)
		public _IoGetIoAttributionHandle@8
_IoGetIoAttributionHandle@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+68h]
		nop
		cmp	byte ptr [ecx+27h], 0
		jl	short loc_4ECE0C
		test	eax, eax
		jz	short loc_4ECE0C
		test	byte ptr [eax+2], 40h
		jnz	short loc_4ECE15

loc_4ECE0C:				; CODE XREF: IoGetIoAttributionHandle(x,x)+10j
					; IoGetIoAttributionHandle(x,x)+14j
		mov	eax, 0C0000225h
		pop	ebp
		retn	8
; 

loc_4ECE15:				; CODE XREF: IoGetIoAttributionHandle(x,x)+1Aj
		mov	eax, [ecx+68h]
		mov	ecx, [eax+0Ch]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		xor	eax, eax
		pop	ebp
		retn	8
_IoGetIoAttributionHandle@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPageTableHasValidWsles proc near	; CODE XREF: MiComputeMaximumFaultCluster+9Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CF426 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], 0
		mov	esi, edx
		mov	ebx, 1
		and	esi, 0FFFFF000h
		shl	esi, 9
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		jz	loc_5CF426
		lea	eax, [edi+0C0h]

loc_4ECE67:				; CODE XREF: MiPageTableHasValidWsles+E25FBj
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], 0
		jnz	loc_5CF430
		lea	edx, [ebp+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4ECF46

loc_4ECE8B:				; CODE XREF: MiPageTableHasValidWsles+11Ej
					; MiPageTableHasValidWsles+E260Aj
		movzx	eax, byte ptr [edi+60h]
		and	eax, 7
		shr	esi, 0Ch
		mov	eax, dword_6D2E68[eax*4]
		add	esi, eax
		mov	ecx, esi
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_4ECF26
		xor	ecx, ecx
		jmp	short loc_4ECEB0
; 
		align 10h

loc_4ECEB0:				; CODE XREF: MiPageTableHasValidWsles+7Bj
					; MiPageTableHasValidWsles+AFj
		mov	al, [esi]
		and	al, 0Fh
		cmp	al, 8
		jbe	short loc_4ECEE4
		mov	al, [esi+1]
		and	al, 0Fh
		cmp	al, 8
		jbe	short loc_4ECEE3
		mov	al, [esi+2]
		and	al, 0Fh
		cmp	al, 8
		jbe	short loc_4ECF1C
		mov	al, [esi+3]
		and	al, 0Fh
		cmp	al, 8
		jbe	short loc_4ECF21
		add	ecx, 4
		add	esi, 4
		cmp	ecx, 200h
		jb	short loc_4ECEB0
		jmp	short loc_4ECEE4
; 

loc_4ECEE3:				; CODE XREF: MiPageTableHasValidWsles+8Fj
		inc	ecx

loc_4ECEE4:				; CODE XREF: MiPageTableHasValidWsles+86j
					; MiPageTableHasValidWsles+B1j	...
		cmp	ecx, 200h
		jz	short loc_4ECF26

loc_4ECEEC:				; CODE XREF: MiPageTableHasValidWsles+F8j
		test	ds:byte_70EFC6,	1
		jnz	loc_5CF43F
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_4ECF32
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_4ECF2A

loc_4ECF13:				; CODE XREF: MiPageTableHasValidWsles+114j
					; MiPageTableHasValidWsles+E261Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4ECF1C:				; CODE XREF: MiPageTableHasValidWsles+98j
		add	ecx, 2
		jmp	short loc_4ECEE4
; 

loc_4ECF21:				; CODE XREF: MiPageTableHasValidWsles+A1j
		add	ecx, 3
		jmp	short loc_4ECEE4
; 

loc_4ECF26:				; CODE XREF: MiPageTableHasValidWsles+77j
					; MiPageTableHasValidWsles+BAj
		xor	ebx, ebx
		jmp	short loc_4ECEEC
; 

loc_4ECF2A:				; CODE XREF: MiPageTableHasValidWsles+E1j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_4ECF32:				; CODE XREF: MiPageTableHasValidWsles+CEj
		mov	[ebp+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4ECF13
; 

loc_4ECF46:				; CODE XREF: MiPageTableHasValidWsles+55j
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4ECE8B
MiPageTableHasValidWsles endp

; 
		align 10h
; Exported entry 872. IoGetIoPriorityHint

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetIoPriorityHint(x)
		public _IoGetIoPriorityHint@4
_IoGetIoPriorityHint@4 proc near	; CODE XREF: IoRetrievePriorityInfo(x,x,x,x)+16Fp
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+272p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+8]
		shr	eax, 11h
		and	eax, 7
		jz	short loc_4ECF8D
		dec	eax
		cmp	eax, 2
		jl	short loc_4ECF7D

loc_4ECF79:				; CODE XREF: IoGetIoPriorityHint(x)+22j
					; IoGetIoPriorityHint(x)+2Bj ...
		pop	ebp
		retn	4
; 

loc_4ECF7D:				; CODE XREF: IoGetIoPriorityHint(x)+17j
		mov	ecx, [ecx+50h]
		test	ecx, ecx
		jz	short loc_4ECF79
		cmp	dword ptr [ecx+32Ch], 0
		jz	short loc_4ECF79

loc_4ECF8D:				; CODE XREF: IoGetIoPriorityHint(x)+11j
		mov	eax, 2
		jmp	short loc_4ECF79
_IoGetIoPriorityHint@4 endp

; 
		dd 2 dup(0CCCCCCCCh)
; Exported entry 249. CcZeroData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcZeroData
CcZeroData	proc near		; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+30Fp
					; FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+296p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= byte ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005CF44F SIZE 00000170 BYTES

		push	4Ch
		push	offset dword_6A3120
		call	__SEH_prolog4
		mov	eax, [ebp+arg_4]
		mov	ebx, [eax]
		mov	ecx, [eax+4]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ecx
		xor	edx, edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_1A], dl
		mov	[ebp+var_24], edx
		mov	[ebp+var_1B], dl
		xor	eax, eax
		lea	edi, [ebp+var_5C]
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_0]
		test	byte ptr [edi+2Ch], 10h
		jnz	loc_4ED17A
		cmp	[edi+18h], edx
		mov	[ebp+var_19], dl
		jz	loc_4ED17A

loc_4ECFEB:				; CODE XREF: CcZeroData+1E2j
		mov	eax, [ebp+arg_8]
		mov	esi, [eax]
		sub	esi, ebx
		mov	eax, [eax+4]
		sbb	eax, ecx
		mov	[ebp+var_28], eax
		mov	[ebp+ms_exc.disabled], edx
		lea	edx, [ebp+var_5C]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, edi
		call	_CcGetPartitionFromFileObject@4	; CcGetPartitionFromFileObject(x)
		mov	[ebp+var_24], eax
		xor	edx, edx
		inc	edx
		mov	ecx, edx
		lock xadd [eax+28Ch], ecx
		inc	ecx
		cmp	ecx, edx
		jle	loc_5CF44F

loc_4ED02A:				; CODE XREF: CcZeroData+E24B8j
		mov	[ebp+var_1B], dl
		test	ds:byte_70EFC6,	dl
		jnz	loc_5CF459
		mov	eax, [ebp+var_5C]
		test	eax, eax
		jnz	loc_5CF47D
		mov	edx, [ebp+var_58]
		lea	eax, [ebp+var_5C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_5C]
		cmp	eax, ecx
		jnz	loc_5CF469

loc_4ED05B:				; CODE XREF: CcZeroData+E24C8j
		mov	edi, [ebp+var_3C]
		mov	ebx, [ebp+var_40]

loc_4ED061:				; CODE XREF: CcZeroData+E24F1j
		mov	cl, [ebp+var_54]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_19], 0
		jnz	loc_4ED183
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jl	short loc_4ED08D
		jg	loc_4ED183
		cmp	esi, 200000h
		ja	loc_4ED183

loc_4ED08D:				; CODE XREF: CcZeroData+DDj
		mov	eax, [ebp+var_24]
		mov	eax, [eax+4]
		mov	eax, [eax]
		mov	eax, [eax+0FC0h]
		cmp	eax, 800h
		jb	loc_5CF492

loc_4ED0A6:				; CODE XREF: CcZeroData+1EBj
					; CcZeroData+E24F8j ...
		push	[ebp+arg_0]
		call	IoGetRelatedDeviceObject
		movzx	eax, word ptr [eax+0ACh]
		mov	[ebp+var_38], eax
		test	eax, eax
		jz	loc_5CF4B1
		push	[ebp+arg_0]
		call	IoGetRelatedDeviceObject
		movzx	eax, word ptr [eax+0ACh]
		dec	eax

loc_4ED0D0:				; CODE XREF: CcZeroData+E2517j
		mov	[ebp+var_20], eax
		cmp	[ebp+var_19], 0
		jnz	loc_4ED18F

loc_4ED0DD:				; CODE XREF: CcZeroData+201j
		mov	eax, [ebp+var_24]
		mov	eax, [eax+4]
		mov	eax, [eax]
		mov	edx, [eax+0FC0h]
		mov	ecx, [ebp+var_28]
		cmp	edx, 800h
		jb	loc_5CF523

loc_4ED0FA:				; CODE XREF: CcZeroData+E2589j
					; CcZeroData+E2597j
		mov	eax, [ebp+var_20]

loc_4ED0FD:				; CODE XREF: CcZeroData+E25A2j
		cmp	edx, 800h
		jb	loc_5CF56A

loc_4ED109:				; CODE XREF: CcZeroData+E25DEj
		test	ecx, ecx
		jl	short loc_4ED11F
		jg	loc_5CF587
		cmp	esi, 200000h
		ja	loc_5CF587

loc_4ED11F:				; CODE XREF: CcZeroData+16Fj
					; CcZeroData+E25D0j ...
		test	esi, esi
		jz	short loc_4ED136
		push	[ebp+arg_C]
		push	esi
		lea	edx, [ebp+var_40]
		mov	ecx, [ebp+arg_0]
		call	CcZeroDataInCache
		test	al, al
		jz	short loc_4ED159

loc_4ED136:				; CODE XREF: CcZeroData+185j
		add	ebx, esi
		mov	[ebp+var_40], ebx
		adc	edi, 0
		mov	[ebp+var_3C], edi

loc_4ED141:				; CODE XREF: CcZeroData+1FFj
		mov	eax, [ebp+arg_8]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		cmp	edi, edx
		jl	short loc_4ED1A2
		jg	short loc_4ED153
		cmp	ebx, ecx
		jb	short loc_4ED1A2

loc_4ED153:				; CODE XREF: CcZeroData+1B1j
					; CcZeroData+23Aj
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1A], al

loc_4ED159:				; CODE XREF: CcZeroData+198j
					; CcZeroData+1F1j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_4ED1DB
		mov	al, [ebp+var_1A]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_4ED17A:				; CODE XREF: CcZeroData+3Dj
					; CcZeroData+49j
		mov	[ebp+var_19], 1
		jmp	loc_4ECFEB
; 

loc_4ED183:				; CODE XREF: CcZeroData+D2j
					; CcZeroData+DFj ...
		cmp	byte ptr [ebp+arg_C], 0
		jnz	loc_4ED0A6
		jmp	short loc_4ED159
; 

loc_4ED18F:				; CODE XREF: CcZeroData+13Bj
		test	ebx, eax
		jnz	loc_5CF4B8

loc_4ED197:				; CODE XREF: CcZeroData+E2579j
		cmp	[ebp+var_19], 0
		jnz	short loc_4ED141
		jmp	loc_4ED0DD
; 

loc_4ED1A2:				; CODE XREF: CcZeroData+1AFj
					; CcZeroData+1B5j
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], edx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], edx
		mov	eax, [ebp+var_20]
		add	ecx, eax
		mov	[ebp+var_48], ecx
		adc	edx, 0
		mov	[ebp+var_44], edx
		not	eax
		and	ecx, eax
		mov	[ebp+var_48], ecx
		push	[ebp+var_38]
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+arg_0]
		call	_CcZeroDataOnDisk@16 ; CcZeroDataOnDisk(x,x,x,x)
		jmp	loc_4ED153
CcZeroData	endp


;  S U B	R O U T	I N E 


sub_4ED1DB	proc near		; CODE XREF: CcZeroData+1C4p
					; sub_5CF5BFj
		cmp	byte ptr [ebp-1Bh], 0
		jz	short locret_4ED1E9
		mov	ecx, [ebp-24h]
		call	CcDereferencePartition

locret_4ED1E9:				; CODE XREF: sub_4ED1DB+4j
		retn
sub_4ED1DB	endp


;  S U B	R O U T	I N E 


; __stdcall CcGetPartitionFromFileObject(x)
_CcGetPartitionFromFileObject@4	proc near ; CODE XREF: CcZeroData+70p
					; CcDeferWrite(x,x,x,x,x,x)+52p
		mov	eax, [ecx+14h]
		test	eax, eax
		jz	short loc_4ED1FC
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	CcGetPartition

loc_4ED1FC:				; CODE XREF: CcGetPartitionFromFileObject(x)+5j
		mov	eax, ds:_PspSystemPartition
		mov	eax, [eax+4]
		retn
_CcGetPartitionFromFileObject@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcZeroDataInCache proc near		; CODE XREF: CcZeroData+191p
					; CcZeroData+E254Fp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005CF5C4 SIZE 00000021 BYTES

		push	38h
		push	offset dword_6A3140
		call	__SEH_prolog4
		mov	[ebp+var_38], ecx
		xor	ebx, ebx
		mov	edi, ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		mov	eax, [edx]
		mov	[ebp+var_48], eax
		mov	eax, [edx+4]
		mov	[ebp+var_44], eax
		mov	[ebp+var_24], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_19], 1
		mov	[ebp+var_28], ebx
		mov	[ebp+ms_exc.disabled], ebx

loc_4ED23D:				; CODE XREF: CcZeroDataInCache+112j
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		movzx	eax, [ebp+arg_4]
		push	eax
		push	1
		push	ebx
		mov	eax, [ebp+arg_0]
		sub	eax, edi
		push	eax
		lea	edx, [ebp+var_48]
		call	CcPinFileData
		test	al, al
		jz	loc_5CF5C4
		mov	eax, [ebp+var_40]
		sub	eax, [ebp+var_48]
		mov	[ebp+var_30], eax
		add	edi, eax
		mov	[ebp+var_34], edi
		push	ebx
		push	ebx
		push	ebx
		push	eax
		push	[ebp+var_2C]
		call	IoAllocateMdl
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	loc_5CF5D1
		mov	eax, large fs:124h
		mov	bl, [eax+309h]
		movzx	eax, bl
		add	eax, 2
		mov	[ebp+var_28], eax
		mov	eax, large fs:124h
		mov	byte ptr [eax+309h], 1
		push	0
		push	0
		push	[ebp+var_20]
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	eax, large fs:124h
		mov	[eax+309h], bl
		xor	ebx, ebx
		mov	[ebp+var_28], ebx
		mov	eax, [ebp+var_40]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_44], eax
		push	ecx
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_2C]
		call	MmSetAddressRangeModifiedEx
		push	ebx
		push	[ebp+var_24]
		call	CcSetDirtyPinnedData
		push	ebx
		xor	dl, dl
		mov	ecx, [ebp+var_24]
		call	CcUnpinFileDataEx
		mov	[ebp+var_24], ebx
		push	[ebp+var_20]
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	[ebp+var_20]
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	esi, ebx
		mov	[ebp+var_20], esi
		mov	edi, [ebp+var_34]
		cmp	[ebp+arg_0], edi
		mov	ecx, [ebp+var_38]
		ja	loc_4ED23D

loc_4ED31E:				; CODE XREF: CcZeroDataInCache+E23C6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_4ED33F
		mov	al, [ebp+var_19]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
CcZeroDataInCache endp


;  S U B	R O U T	I N E 


sub_4ED33F	proc near		; CODE XREF: CcZeroDataInCache+11Fp
					; CcZeroDataInCache+E23DAj

; FUNCTION CHUNK AT 005CF5E5 SIZE 00000027 BYTES

		cmp	dword ptr [ebp-28h], 0
		jnz	loc_5CF5E5

loc_4ED349:				; CODE XREF: sub_4ED33F+E22BBj
		mov	ecx, [ebp-24h]
		test	ecx, ecx
		jnz	loc_5CF5FF

loc_4ED354:				; CODE XREF: sub_4ED33F+E22C8j
		test	esi, esi
		jnz	short loc_4ED359
		retn
; 

loc_4ED359:				; CODE XREF: sub_4ED33F+17j
		push	esi
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		retn
sub_4ED33F	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1469. MmSetAddressRangeModified

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmSetAddressRangeModified(x, x)
		public _MmSetAddressRangeModified@8
_MmSetAddressRangeModified@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	MmSetAddressRangeModifiedEx
		pop	ebp
		retn	8
_MmSetAddressRangeModified@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmSetAddressRangeModifiedEx proc near	; CODE XREF: .text:004ACDFBp
					; CcZeroDataInCache+D8p ...

var_D8		= byte ptr -0D8h
var_D7		= byte ptr -0D7h
var_D6		= dword	ptr -0D6h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CF60C SIZE 000000B7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0DCh+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [esp+0ECh+var_A0]
		mov	byte ptr [esp+0ECh+var_D6], 0
		push	0		; int
		push	eax		; void *
		mov	edi, edx
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		mov	[esp+0E8h+var_D7], 0
		mov	ecx, 4
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		mov	[esp+0E8h+var_BC], eax
		mov	esi, ebx
		lea	eax, [edi-1]
		shr	esi, 9
		add	eax, ebx
		mov	[esp+0E8h+var_98], 21h
		shr	eax, 9
		and	esi, offset loc_7FFFF8
		and	eax, offset loc_7FFFF8
		mov	[esp+0E8h+var_8C], 0
		sub	eax, 40000000h
		mov	[esp+0E8h+var_D6+2], 0
		mov	[esp+0E8h+var_A8], eax
		sub	esi, 40000000h
		lea	eax, [esp+0E8h+var_D6]
		mov	[esp+0E8h+var_D0], 0
		push	eax
		mov	edx, esi
		mov	ecx, offset unk_6D5E80
		and	ebx, 0FFFFF000h
		call	_MiLockWorkingSetOptimal@12 ; MiLockWorkingSetOptimal(x,x,x)
		mov	[esp+0E8h+var_A4], eax

loc_4ED431:				; CODE XREF: MmSetAddressRangeModifiedEx+F5j
		mov	edi, [esi]
		mov	[esp+0E8h+var_B0], 0
		mov	[esp+0E8h+var_AC], 0
		nop
		mov	ecx, [esi+4]
		mov	eax, edi
		and	eax, 1
		mov	[esp+0E8h+var_C0], ecx
		or	eax, 0
		mov	[esp+0E8h+var_B8], edi
		mov	[esp+0E8h+var_B4], ecx
		jnz	short loc_4ED4B7
		cmp	[esp+0E8h+var_BC], 2
		jz	loc_5CF69F

loc_4ED468:				; CODE XREF: MmSetAddressRangeModifiedEx+1CFj
					; MmSetAddressRangeModifiedEx+1FEj ...
		add	esi, 8
		add	ebx, 1000h
		cmp	esi, [esp+0E8h+var_A8]
		jbe	short loc_4ED431
		lea	ecx, [esp+0E8h+var_A0]
		call	MiFlushTbList
		mov	edx, [esp+0E8h+var_A4]
		mov	ecx, offset unk_6D5E80
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [esp+0E8h+var_D6]
		mov	ecx, offset unk_6D5E80
		call	MiUnlockWorkingSetShared
		mov	ecx, [esp+0E8h+var_4]
		mov	al, [esp+0E8h+var_D7]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4ED4B7:				; CODE XREF: MmSetAddressRangeModifiedEx+DBj
		mov	[esp+0E8h+var_B0], 0
		mov	[esp+0E8h+var_C8], 0
		mov	[esp+0E8h+var_C4], 0
		nop
		mov	eax, ecx
		mov	edx, edi
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		lea	eax, [eax+ecx*4]
		mov	ecx, eax
		mov	[esp+0E8h+var_CC], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [esp+0E8h+var_CC]
		mov	byte ptr [esp+0E8h+var_D6+1], al
		test	byte ptr [ecx+16h], 10h
		jz	short loc_4ED583
		mov	eax, [ecx+8]
		and	eax, 400h
		or	eax, 0
		jz	short loc_4ED583

loc_4ED515:				; CODE XREF: MmSetAddressRangeModifiedEx+214j
		lea	eax, [ecx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, byte ptr [esp+0E8h+var_D6+1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esp+0E8h+var_C8]
		mov	eax, ecx
		mov	edx, [esp+0E8h+var_C4]
		or	eax, edx
		jnz	loc_5CF60C

loc_4ED53C:				; CODE XREF: MmSetAddressRangeModifiedEx+E229Aj
		cmp	[esp+0E8h+var_BC], 2
		jz	loc_5CF61F

loc_4ED547:				; CODE XREF: MmSetAddressRangeModifiedEx+E22A9j
		mov	eax, edi
		and	eax, 42h
		or	eax, 0
		jz	loc_4ED468
		mov	edx, [esp+0E8h+var_C0]
		and	edi, 0FFFFFFBDh
		mov	[esp+0E8h+var_B8], edi
		mov	[esp+0E8h+var_B4], edx
		nop
		mov	[esi], edi
		mov	[esi+4], edx
		mov	[esp+0E8h+var_D7], 1

loc_4ED56F:				; CODE XREF: MmSetAddressRangeModifiedEx+E231Aj
		push	0
		push	1
		mov	edx, ebx
		lea	ecx, [esp+0F0h+var_A0]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	loc_4ED468
; 

loc_4ED583:				; CODE XREF: MmSetAddressRangeModifiedEx+186j
					; MmSetAddressRangeModifiedEx+193j
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	ecx, [esp+0E8h+var_CC]
		mov	[esp+0E8h+var_C8], eax
		mov	[esp+0E8h+var_C4], edx
		jmp	loc_4ED515
MmSetAddressRangeModifiedEx endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 250. CcZeroDataOnDisk

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcZeroDataOnDisk(x,	x, x, x)
		public _CcZeroDataOnDisk@16
_CcZeroDataOnDisk@16 proc near		; CODE XREF: CcZeroData+235p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		mov	esi, [eax]
		mov	eax, [eax+4]
		sub	esi, ecx
		mov	ecx, _CcMaxZeroTransferSize
		sbb	eax, edx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], eax
		cmp	eax, ebx
		jl	short loc_4ED5DA
		jg	short loc_4ED5FA
		cmp	esi, ecx
		jnb	short loc_4ED5FA

loc_4ED5DA:				; CODE XREF: CcZeroDataOnDisk(x,x,x,x)+34j
		mov	eax, ebx

loc_4ED5DC:				; CODE XREF: CcZeroDataOnDisk(x,x,x,x)+7Cj
					; CcZeroDataOnDisk(x,x,x,x)+85j
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	MmZeroPageWrite
		test	eax, eax
		js	short loc_4ED625
		pop	esi
		test	bl, bl
		pop	ebx
		jnz	short loc_4ED62B

locret_4ED5F6:				; CODE XREF: CcZeroDataOnDisk(x,x,x,x)+94j
		leave
		retn	10h
; 

loc_4ED5FA:				; CODE XREF: CcZeroDataOnDisk(x,x,x,x)+36j
					; CcZeroDataOnDisk(x,x,x,x)+3Aj
		xor	eax, eax
		inc	eax
		lock xadd _CcAggressiveZeroCount, eax
		inc	eax
		cmp	eax, _CcAggressiveZeroThreshold
		jle	short loc_4ED61C
		lock dec _CcAggressiveZeroCount
		mov	eax, 10000h
		jmp	short loc_4ED5DC
; 

loc_4ED61C:				; CODE XREF: CcZeroDataOnDisk(x,x,x,x)+6Ej
		mov	eax, _CcMaxZeroTransferSize
		mov	bl, 1
		jmp	short loc_4ED5DC
; 

loc_4ED625:				; CODE XREF: CcZeroDataOnDisk(x,x,x,x)+50j
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_4ED62B:				; CODE XREF: CcZeroDataOnDisk(x,x,x,x)+56j
		lock dec _CcAggressiveZeroCount
		jmp	short locret_4ED5F6
_CcZeroDataOnDisk@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmZeroPageWrite	proc near		; CODE XREF: CcZeroDataOnDisk(x,x,x,x)+49p
					; MiZeroPageFile(x)+14Cp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CF6C3 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax]
		xor	esi, esi
		mov	eax, [eax+4]
		mov	[esp+18h+var_C], edx
		mov	[esp+18h+var_8], ecx
		mov	[esp+18h+var_4], eax

loc_4ED658:				; CODE XREF: MmZeroPageWrite+E20C5j
		test	eax, eax
		jnz	short loc_4ED676
		test	edi, edi
		jz	short loc_4ED66B
		push	[ebp+arg_4]
		push	edi
		call	MiZeroPageWrite
		mov	esi, eax

loc_4ED66B:				; CODE XREF: MmZeroPageWrite+2Aj
					; MmZeroPageWrite+E20A0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4ED676:				; CODE XREF: MmZeroPageWrite+26j
		xor	ebx, ebx
		jmp	loc_5CF6C3
MmZeroPageWrite	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiZeroPageWrite	proc near		; CODE XREF: MmZeroPageWrite+30p
					; MmZeroPageWrite+E2097p

var_9C		= dword	ptr -9Ch
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CF6FE SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_7C], edx
		lea	edi, [ebp+var_9C]
		mov	[ebp+var_84], ecx
		stosd
		push	5Ch		; size_t
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_68]
		xor	edi, edi
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [ebp+arg_4]
		mov	esi, edi
		mov	ebx, ecx
		lea	edx, [ecx+0FFFh]
		shr	edx, 0Ch
		mov	[ebp+var_6C], edx
		test	eax, eax
		jnz	loc_4ED86C

loc_4ED6DA:				; CODE XREF: MiZeroPageWrite+1F0j
					; MiZeroPageWrite+1F8j
		cmp	ebx, 10000h
		ja	loc_4ED847

loc_4ED6E6:				; CODE XREF: MiZeroPageWrite+1D8j
		add	ebx, 0FFFh
		shr	ebx, 0Ch
		test	esi, esi
		jnz	loc_4ED85B
		cmp	ebx, 10h
		ja	loc_5CF6FE

loc_4ED700:				; CODE XREF: MiZeroPageWrite+E2083j
		mov	eax, edi
		lea	esi, [ebp+var_68]

loc_4ED705:				; CODE XREF: MiZeroPageWrite+1E1j
		or	eax, 4002h
		mov	[ebp+var_74], edi
		mov	[ebp+var_80], eax
		mov	edi, ebx

loc_4ED712:				; CODE XREF: MiZeroPageWrite+1A8j
		cmp	edi, edx
		ja	loc_4ED87B

loc_4ED71A:				; CODE XREF: MiZeroPageWrite+1FFj
		mov	ecx, edi
		shl	ecx, 0Ch
		mov	[ebp+var_70], ecx
		cmp	edx, edi
		jnz	short loc_4ED736
		mov	eax, [ebp+arg_0]
		mov	ebx, edx
		and	eax, 0FFFh
		jnz	loc_4ED882

loc_4ED736:				; CODE XREF: MiZeroPageWrite+A6j
					; MiZeroPageWrite+210j
		lea	eax, [ecx+0FFFh]
		mov	[esi+14h], ecx
		shr	eax, 0Ch
		lea	ecx, [esi+1Ch]
		xor	edx, edx
		mov	[esi], edx
		mov	[esi+10h], edx
		mov	[esi+18h], edx
		lea	eax, ds:1Ch[eax*4]
		mov	[esi+4], ax
		mov	eax, [ebp+var_80]
		mov	[esi+6], ax
		test	edi, edi
		jz	short loc_4ED776
		mov	edx, edi

loc_4ED767:				; CODE XREF: MiZeroPageWrite+F6j
		mov	eax, dword_6D34F0
		mov	[ecx], eax
		lea	ecx, [ecx+4]
		sub	edx, 1
		jnz	short loc_4ED767

loc_4ED776:				; CODE XREF: MiZeroPageWrite+E5j
		push	edx
		push	edx
		lea	eax, [ebp+var_9C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	ecx, ecx
		lea	eax, [ebp+var_8C]
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_8C], ecx
		push	eax
		push	[ebp+var_7C]
		mov	[ebp+var_88], ecx
		mov	edx, esi
		mov	ecx, [ebp+var_84]
		call	IoSynchronousPageWriteEx
		mov	ecx, eax
		mov	[ebp+var_78], ecx
		test	ecx, ecx
		js	short loc_4ED7D7
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	13h
		lea	eax, [ebp+var_9C]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_8C]
		mov	[ebp+var_78], eax

loc_4ED7D7:				; CODE XREF: MiZeroPageWrite+13Bj
		movzx	eax, word ptr [esi+6]
		mov	ecx, eax
		test	eax, 200h
		jnz	loc_5CF706

loc_4ED7E8:				; CODE XREF: MiZeroPageWrite+E2093j
		test	cl, 1
		jz	short loc_4ED7F6
		push	esi
		push	dword ptr [esi+0Ch]
		call	MmUnmapLockedPages

loc_4ED7F6:				; CODE XREF: MiZeroPageWrite+16Dj
		mov	ecx, [ebp+var_78]
		test	ecx, ecx
		js	loc_5CF716
		mov	ecx, [ebp+var_7C]
		mov	eax, [ebp+var_70]
		mov	edx, [ebp+var_6C]
		add	[ecx], eax
		mov	eax, [ebp+var_74]
		adc	dword ptr [ecx+4], 0
		sub	edx, edi
		mov	[ebp+var_6C], edx
		test	eax, eax
		jnz	loc_5CF73F
		cmp	edi, ebx
		jb	short loc_4ED893

loc_4ED824:				; CODE XREF: MiZeroPageWrite+217j
					; MiZeroPageWrite+E20BCj ...
		test	edx, edx
		jnz	loc_4ED712

loc_4ED82C:				; CODE XREF: MiZeroPageWrite+E20A8j
					; MiZeroPageWrite+E20B1j
		lea	eax, [ebp+var_68]
		cmp	esi, eax
		jnz	short loc_4ED864

loc_4ED833:				; CODE XREF: MiZeroPageWrite+1ECj
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_78]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_4ED847:				; CODE XREF: MiZeroPageWrite+62j
		push	edi
		push	edi
		push	edi
		push	ebx
		push	edi
		call	IoAllocateMdl
		mov	edx, [ebp+var_6C]
		mov	esi, eax
		jmp	loc_4ED6E6
; 

loc_4ED85B:				; CODE XREF: MiZeroPageWrite+73j
		movzx	eax, word ptr [esi+6]
		jmp	loc_4ED705
; 

loc_4ED864:				; CODE XREF: MiZeroPageWrite+1B3j
		push	esi
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		jmp	short loc_4ED833
; 

loc_4ED86C:				; CODE XREF: MiZeroPageWrite+56j
		cmp	ecx, eax
		jbe	loc_4ED6DA
		mov	ebx, eax
		jmp	loc_4ED6DA
; 

loc_4ED87B:				; CODE XREF: MiZeroPageWrite+96j
		mov	edi, edx
		jmp	loc_4ED71A
; 

loc_4ED882:				; CODE XREF: MiZeroPageWrite+B2j
		or	eax, ecx
		sub	eax, 1000h
		mov	ecx, eax
		mov	[ebp+var_70], eax
		jmp	loc_4ED736
; 

loc_4ED893:				; CODE XREF: MiZeroPageWrite+1A4j
		mov	edi, ebx
		jmp	short loc_4ED824
MiZeroPageWrite	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUpdatePrefetchPriority proc near	; CODE XREF: .text:00465E0Cp
					; MiPrefetchJumpVad(x,x,x)+D2p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CF748 SIZE 00000091 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ebx
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		push	edi
		mov	edi, [ecx+28h]
		and	edi, 7
		mov	eax, [esi-40000000h]
		nop
		mov	edx, [esi-3FFFFFFCh]
		mov	ecx, eax
		and	ecx, 1
		or	ecx, 0
		jz	loc_5CF795
		nop
		shrd	eax, edx, 0Ch
		and	eax, 1FFFFFFh
		cmp	eax, dword_6D07B0
		ja	short loc_4ED91F
		mov	edx, dword_6D35B8
		mov	esi, eax
		shr	esi, 5
		mov	ecx, eax
		and	ecx, 1Fh
		mov	edx, [edx+esi*4]
		shr	edx, cl
		and	edx, 1
		jz	short loc_4ED91F
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+ecx*4]
		movzx	eax, byte ptr [esi+17h]
		and	eax, 7
		cmp	eax, edi
		jnz	short loc_4ED928

loc_4ED91F:				; CODE XREF: MiUpdatePrefetchPriority+47j
					; MiUpdatePrefetchPriority+61j	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4ED928:				; CODE XREF: MiUpdatePrefetchPriority+7Dj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_5CF769
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		cmp	dword ptr [eax+74h], 0
		jnz	loc_5CF748

loc_4ED94F:				; CODE XREF: MiUpdatePrefetchPriority+E1EBEj
					; MiUpdatePrefetchPriority+E1ED6j
		mov	[ebp+arg_0], 0
		lea	ebx, [esi+10h]
		lock bts dword ptr [ebx], 1Fh
		jb	loc_5CF77B

loc_4ED964:				; CODE XREF: MiUpdatePrefetchPriority+E1EF0j
					; MiUpdatePrefetchPriority+E1F34j
		mov	ecx, esi
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		cmp	eax, edi
		jz	short loc_4ED978
		push	0
		mov	edx, edi
		call	_MiUpdatePfnPriority@12	; MiUpdatePfnPriority(x,x,x)

loc_4ED978:				; CODE XREF: MiUpdatePrefetchPriority+CDj
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		jmp	short loc_4ED91F
MiUpdatePrefetchPriority endp

; 
		align 10h
; Exported entry 2129. RtlGetNextEntryHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlGetNextEntryHashTable
RtlGetNextEntryHashTable proc near	; CODE XREF: SepRmReferenceFindCap(x,x)+64p
					; SepFindMatchingCachedHandlesEntry+12839Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CF7D9 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		mov	ecx, [eax+4]
		mov	edi, [eax]
		mov	esi, [ecx]
		mov	edx, [esi]
		cmp	edx, edi
		jz	short loc_4ED9C3
		mov	ecx, [ebp+arg_0]
		cmp	dword ptr [ecx+1Ch], 0
		jnz	short loc_4ED9C7

loc_4ED9B0:				; CODE XREF: RtlGetNextEntryHashTable+E1E5Cj
		mov	ecx, [edx+8]
		cmp	ecx, [eax+8]
		jnz	short loc_4ED9C3
		mov	[eax+4], esi
		mov	eax, edx

loc_4ED9BD:				; CODE XREF: RtlGetNextEntryHashTable+35j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_4ED9C3:				; CODE XREF: RtlGetNextEntryHashTable+15j
					; RtlGetNextEntryHashTable+26j
		xor	eax, eax
		jmp	short loc_4ED9BD
; 

loc_4ED9C7:				; CODE XREF: RtlGetNextEntryHashTable+1Ej
		push	ebx
		mov	ebx, edx
		jmp	loc_5CF7D9
RtlGetNextEntryHashTable endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiIsPdeOrAboveAccessible(x)
_MiIsPdeOrAboveAccessible@4 proc near	; CODE XREF: MiGetNextPageTablePte+2C1p
					; .text:00467E0Dp ...
		mov	edi, edi
		push	ebx
		mov	ebx, [ecx]
		push	esi
		nop
		mov	esi, [ecx+4]
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jnz	short loc_4ED9EA
		mov	eax, ebx
		or	eax, esi
		jnz	short loc_4ED9F2

loc_4ED9EA:				; CODE XREF: MiIsPdeOrAboveAccessible(x)+12j
					; MiIsPdeOrAboveAccessible(x)+2Cj ...
		mov	eax, 1

loc_4ED9EF:				; CODE XREF: MiIsPdeOrAboveAccessible(x)+48j
		pop	esi
		pop	ebx
		retn
; 

loc_4ED9F2:				; CODE XREF: MiIsPdeOrAboveAccessible(x)+18j
		mov	eax, ebx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_4ED9EA
		mov	eax, ebx
		and	eax, 800h
		or	eax, 0
		jz	short loc_4EDA1A
		shrd	ebx, esi, 5
		and	ebx, 1Fh
		cmp	bl, 18h
		jnz	short loc_4ED9EA

loc_4EDA16:				; CODE XREF: MiIsPdeOrAboveAccessible(x)+5Ej
		xor	eax, eax
		jmp	short loc_4ED9EF
; 

loc_4EDA1A:				; CODE XREF: MiIsPdeOrAboveAccessible(x)+38j
		push	0
		push	200h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		cmp	ebx, eax
		jnz	short loc_4ED9EA
		cmp	esi, edx
		jnz	short loc_4ED9EA
		jmp	short loc_4EDA16
_MiIsPdeOrAboveAccessible@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiApplyStraddleFixups(x, x,	x, x, x, x)
_MiApplyStraddleFixups@24 proc near	; CODE XREF: MiPerformFixups+96p

var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		push	esi
		push	edi
		mov	[ebp+var_18], ebx
		mov	esi, [edx+8]
		mov	[ebp+var_24], edx
		test	esi, esi
		jnz	short loc_4EDA69

loc_4EDA56:				; CODE XREF: MiApplyStraddleFixups(x,x,x,x,x,x)+65j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4EDA69:				; CODE XREF: MiApplyStraddleFixups(x,x,x,x,x,x)+24j
		mov	edi, [ebp+arg_0]
		lea	esp, [esp+0]

loc_4EDA70:				; CODE XREF: MiApplyStraddleFixups(x,x,x,x,x,x)+63j
		mov	ecx, [esi+4]
		mov	eax, ecx
		and	eax, 0FFFFF000h
		cmp	eax, edi
		jz	short loc_4EDA97
		mov	ebx, [esi+8]
		mov	eax, ebx
		and	eax, 0FFFFF000h
		cmp	eax, edi
		jz	short loc_4EDB06

loc_4EDA8C:				; CODE XREF: MiApplyStraddleFixups(x,x,x,x,x,x)+8Cj
					; MiApplyStraddleFixups(x,x,x,x,x,x)+D4j
		mov	ebx, [ebp+var_18]

loc_4EDA8F:				; CODE XREF: MiApplyStraddleFixups(x,x,x,x,x,x)+FCj
					; MiApplyStraddleFixups(x,x,x,x,x,x)+116j
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_4EDA70
		jmp	short loc_4EDA56
; 

loc_4EDA97:				; CODE XREF: MiApplyStraddleFixups(x,x,x,x,x,x)+4Cj
		and	ecx, 0FFFh
		jz	loc_4EDB27
		add	ecx, ebx
		mov	[ebp+var_20], 0
		mov	eax, ecx
		mov	ebx, 1000h
		and	eax, 0FFFh
		sub	ebx, eax

loc_4EDABA:				; CODE XREF: MiApplyStraddleFixups(x,x,x,x,x,x)+F5j
		test	ecx, ecx
		jz	short loc_4EDA8C
		test	[ebp+arg_C], 1
		mov	eax, [esi+10h]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_14], eax
		jnz	loc_4EDB5A
		cmp	[ebp+arg_8], 0
		jnz	short loc_4EDB4B

loc_4EDADA:				; CODE XREF: MiApplyStraddleFixups(x,x,x,x,x,x)+128j
		mov	eax, [ebp+arg_4]

loc_4EDADD:				; CODE XREF: MiApplyStraddleFixups(x,x,x,x,x,x)+12Dj
		cdq
		add	eax, [ebp+var_1C]
		mov	[ebp+var_10], eax
		adc	edx, [ebp+var_14]
		mov	[ebp+var_C], edx
		test	ebx, ebx
		jz	short loc_4EDB01
		mov	eax, [ebp+var_20]
		lea	edx, [ebp+var_10]
		add	eax, edx
		push	ebx		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_4EDB01:				; CODE XREF: MiApplyStraddleFixups(x,x,x,x,x,x)+BCj
		mov	edx, [ebp+var_24]
		jmp	short loc_4EDA8C
; 

loc_4EDB06:				; CODE XREF: MiApplyStraddleFixups(x,x,x,x,x,x)+5Aj
		mov	eax, [ebp+var_18]
		and	ecx, 0FFFh
		mov	[ebp+var_14], eax
		and	ebx, 0FFFh
		mov	eax, 1000h
		sub	eax, ecx
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_20], eax
		jmp	short loc_4EDABA
; 

loc_4EDB27:				; CODE XREF: MiApplyStraddleFixups(x,x,x,x,x,x)+6Dj
		cmp	word ptr [esi+0Ch], 3
		jnz	loc_4EDA8F
		mov	ecx, [esi+8]
		mov	eax, [ebp+arg_4]
		and	ecx, 0FFFh
		shr	eax, 10h
		add	[ecx+ebx-2], ax
		jmp	loc_4EDA8F
; 

loc_4EDB4B:				; CODE XREF: MiApplyStraddleFixups(x,x,x,x,x,x)+A8j
		mov	eax, [ebp+arg_8]
		cdq
		add	[ebp+var_1C], eax
		adc	edx, [ebp+var_14]
		mov	[ebp+var_14], edx
		jmp	short loc_4EDADA
; 

loc_4EDB5A:				; CODE XREF: MiApplyStraddleFixups(x,x,x,x,x,x)+9Ej
		mov	eax, [edx+18h]
		jmp	loc_4EDADD
_MiApplyStraddleFixups@24 endp

; 
		align 10h
; Exported entry 573. FsRtlIsPagingFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlIsPagingFile(x)
		public _FsRtlIsPagingFile@4
_FsRtlIsPagingFile@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	short loc_4EDB85
		test	byte ptr [eax+6], 8
		jnz	short loc_4EDB8B

loc_4EDB85:				; CODE XREF: FsRtlIsPagingFile(x)+Dj
		xor	eax, eax
		pop	ebp
		retn	4
; 

loc_4EDB8B:				; CODE XREF: FsRtlIsPagingFile(x)+13j
		mov	eax, 1
		pop	ebp
		retn	4
_FsRtlIsPagingFile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcNotifyOfMappedWriteComplete proc near	; CODE XREF: MiWriteComplete+5EBp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CF7F1 SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ecx+4]
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_10]
		mov	byte ptr [ebp+var_4], 0
		stosd
		mov	ecx, esi
		mov	ebx, edx
		stosd
		stosd
		call	CcGetPartition
		mov	edi, eax
		call	_MmGetControlAreaPartition@4 ; MmGetControlAreaPartition(x)
		cmp	edi, [eax+4]
		jnz	loc_5CF849
		mov	edx, [ebp+arg_0]
		test	edx, edx
		js	loc_5CF7F1

loc_4EDBD2:				; CODE XREF: CcNotifyOfMappedWriteComplete+E1C66j
					; CcNotifyOfMappedWriteComplete+E1C72j
		mov	eax, [esi+2Ch]
		mov	edx, ebx
		mov	ecx, [esi+28h]
		mov	[ebp+arg_0], eax
		xor	eax, eax
		add	edx, [ebp+arg_4]
		adc	eax, [ebp+arg_8]
		cmp	eax, [ebp+arg_0]
		jl	short loc_4EDBF8
		jg	loc_5CF80B
		cmp	edx, ecx
		ja	loc_5CF80B

loc_4EDBF8:				; CODE XREF: CcNotifyOfMappedWriteComplete+54j
					; CcNotifyOfMappedWriteComplete+E1C93j
		test	ebx, ebx
		jz	short loc_4EDC0C
		push	[ebp+var_4]
		lea	edx, [ebp+arg_4]
		mov	ecx, esi
		push	0
		push	ebx
		call	CcReleaseByteRangeFromWrite

loc_4EDC0C:				; CODE XREF: CcNotifyOfMappedWriteComplete+66j
					; CcNotifyOfMappedWriteComplete+E1C7Dj	...
		lea	eax, [edi+204h]
		cmp	[eax], eax
		jnz	short loc_4EDC7C

loc_4EDC16:				; CODE XREF: CcNotifyOfMappedWriteComplete+EFj
		lea	ecx, [edi+40h]
		lea	edx, [ebp+var_10]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		dec	dword ptr [esi+16Ch]
		push	ecx
		mov	ecx, esi
		call	CcDecrementOpenCount
		test	ds:byte_70EFC6,	1
		jnz	loc_5CF82C
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_4EDC6A
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	loc_5CF83C

loc_4EDC5A:				; CODE XREF: CcNotifyOfMappedWriteComplete+E6j
					; CcNotifyOfMappedWriteComplete+E1CA3j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4EDC6A:				; CODE XREF: CcNotifyOfMappedWriteComplete+ADj
					; CcNotifyOfMappedWriteComplete+E1CB0j
		xor	ecx, ecx
		mov	[ebp+var_10], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	short loc_4EDC5A
; 

loc_4EDC7C:				; CODE XREF: CcNotifyOfMappedWriteComplete+80j
		mov	ecx, edi
		call	_CcPostDeferredWrites@4	; CcPostDeferredWrites(x)
		jmp	short loc_4EDC16
CcNotifyOfMappedWriteComplete endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 185. CcCoherencyFlushAndPurgeCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcCoherencyFlushAndPurgeCache(x, x,	x, x, x)
		public _CcCoherencyFlushAndPurgeCache@20
_CcCoherencyFlushAndPurgeCache@20 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_10]
		xor	ebx, ebx
		shr	esi, 1
		and	esi, 1
		and	eax, 1
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		jz	short loc_4EDD06
		or	esi, 2
		test	byte ptr [ebp+arg_10], 4
		jz	short loc_4EDCF5

loc_4EDCBA:				; CODE XREF: CcCoherencyFlushAndPurgeCache(x,x,x,x,x)+74j
		mov	edi, ebx

loc_4EDCBC:				; CODE XREF: CcCoherencyFlushAndPurgeCache(x,x,x,x,x)+89j
		mov	esi, [ebp+arg_C]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	esi
		push	ebx
		push	ebx
		push	[ebp+arg_8]
		mov	[esi], edi
		call	_CcFlushCachePriv@24 ; CcFlushCachePriv(x,x,x,x,x,x)
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4EDCEE
		cmp	[ebp+var_4], ebx
		jz	short loc_4EDD15

loc_4EDCDD:				; CODE XREF: CcCoherencyFlushAndPurgeCache(x,x,x,x,x)+A5j
		test	eax, eax
		js	short loc_4EDCEE
		mov	eax, 115h
		cmp	edi, eax
		jz	short loc_4EDD31
		test	bl, bl
		jnz	short loc_4EDD31

loc_4EDCEE:				; CODE XREF: CcCoherencyFlushAndPurgeCache(x,x,x,x,x)+4Cj
					; CcCoherencyFlushAndPurgeCache(x,x,x,x,x)+55j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_4EDCF5:				; CODE XREF: CcCoherencyFlushAndPurgeCache(x,x,x,x,x)+2Ej
		mov	ecx, edi
		call	_MmOnlySystemCacheViewsPresent@4 ; MmOnlySystemCacheViewsPresent(x)
		test	al, al
		jnz	short loc_4EDCBA
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]

loc_4EDD06:				; CODE XREF: CcCoherencyFlushAndPurgeCache(x,x,x,x,x)+25j
		push	esi
		mov	edx, ecx
		mov	ecx, edi
		push	eax
		call	_MmTrimSection@16 ; MmTrimSection(x,x,x,x)
		mov	edi, eax
		jmp	short loc_4EDCBC
; 

loc_4EDD15:				; CODE XREF: CcCoherencyFlushAndPurgeCache(x,x,x,x,x)+51j
		push	4
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	CcPurgeCacheSection
		neg	al
		sbb	al, al
		inc	al
		mov	bl, al
		mov	eax, [esi]
		jmp	short loc_4EDCDD
; 

loc_4EDD31:				; CODE XREF: CcCoherencyFlushAndPurgeCache(x,x,x,x,x)+5Ej
					; CcCoherencyFlushAndPurgeCache(x,x,x,x,x)+62j
		mov	[esi], eax
		jmp	short loc_4EDCEE
_CcCoherencyFlushAndPurgeCache@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmOnlySystemCacheViewsPresent(x)
_MmOnlySystemCacheViewsPresent@4 proc near
					; CODE XREF: CcCoherencyFlushAndPurgeCache(x,x,x,x,x)+6Dp

var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		lea	eax, [ebp-1]
		mov	[ebp+var_1], 0
		xor	edx, edx
		push	eax
		inc	edx
		call	MiLockSectionControlArea
		mov	edx, eax
		test	edx, edx
		jz	short loc_4EDD73
		mov	ecx, [edx+14h]
		cmp	ecx, [edx+30h]
		lea	ecx, [edx+24h]
		push	ebx
		push	ecx
		setz	bl
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_4EDD73:				; CODE XREF: MmOnlySystemCacheViewsPresent(x)+1Aj
		mov	al, 1
		leave
		retn
_MmOnlySystemCacheViewsPresent@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmTrimSection(x, x,	x, x)
_MmTrimSection@16 proc near		; CODE XREF: CcCoherencyFlushAndPurgeCache(x,x,x,x,x)+82p
					; CcPurgeCacheSection+E0615p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		and	[esp+2Ch+var_20], eax
		mov	ebx, ecx
		and	[esp+2Ch+var_1C], eax
		and	esi, 1
		test	byte ptr [ebp+arg_4], 2
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+30h+var_18]
		rep stosd
		jz	short loc_4EDDAA
		or	esi, 20h

loc_4EDDAA:				; CODE XREF: MmTrimSection(x,x,x,x)+2Dj
		test	edx, edx
		jnz	short loc_4EDDF2

loc_4EDDAE:				; CODE XREF: MmTrimSection(x,x,x,x)+8Bj
		lea	eax, [esp+30h+var_18]
		cmp	esi, 20h
		push	eax
		sbb	eax, eax
		mov	ecx, ebx
		inc	eax
		push	eax
		push	[ebp+arg_0]
		call	_MiComputeFlushRange@20	; MiComputeFlushRange(x,x,x,x,x)
		test	eax, eax
		jz	short loc_4EDE05
		push	esi
		xor	edx, edx
		lea	ecx, [esp+34h+var_18]
		call	MiTrimSection
		push	[esp+30h+var_8]
		mov	edx, [esp+34h+var_C]
		mov	esi, eax
		mov	ecx, [esp+34h+var_18]
		call	_MiFlushRelease@12 ; MiFlushRelease(x,x,x)
		mov	eax, esi

loc_4EDDE9:				; CODE XREF: MmTrimSection(x,x,x,x)+8Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4EDDF2:				; CODE XREF: MmTrimSection(x,x,x,x)+34j
		mov	eax, [edx]
		mov	[esp+30h+var_20], eax
		mov	eax, [edx+4]
		lea	edx, [esp+30h+var_20]
		mov	[esp+30h+var_1C], eax
		jmp	short loc_4EDDAE
; 

loc_4EDE05:				; CODE XREF: MmTrimSection(x,x,x,x)+4Ej
		xor	eax, eax
		jmp	short loc_4EDDE9
_MmTrimSection@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiTrimSharedPage proc near		; CODE XREF: .text:00478C67p
					; MiTradePage(x,x)+4DFp

var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CF867 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, [ebp+arg_0]
		and	[esp+34h+var_24], 0
		and	[esp+34h+var_20], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+40h+var_2D], dl
		mov	esi, eax
		shr	esi, 12h
		and	esi, 1
		mov	ebx, [edi+4]
		or	ebx, 80000000h
		mov	[esp+40h+var_1C], ebx
		test	eax, 80000h
		jnz	loc_5CF85F

loc_4EDE4B:				; CODE XREF: CcNotifyOfMappedWriteComplete+E1CCEj
		test	eax, 20000h
		jnz	loc_5CF867

loc_4EDE56:				; CODE XREF: MiTrimSharedPage+E1A60j
		test	eax, 10000000h
		jnz	loc_5CF86F

loc_4EDE61:				; CODE XREF: MiTrimSharedPage+E1A68j
		mov	ecx, eax
		and	ecx, (offset loc_7FFFFF+1)
		mov	[esp+40h+var_28], ecx
		jnz	loc_5CF877

loc_4EDE73:				; CODE XREF: MiTrimSharedPage+E1A70j
		test	eax, 3000000h
		jnz	loc_5CF87F

loc_4EDE7E:				; CODE XREF: MiTrimSharedPage+E1A78j
		mov	eax, [edi+8]
		and	eax, 400h
		or	eax, 0
		jz	loc_4EDF71
		lea	eax, [esp+40h+var_24]
		xor	edx, edx
		push	eax
		lea	eax, [esp+44h+var_20]
		mov	ecx, edi
		push	eax
		call	_MiPreventControlAreaDeletion@16 ; MiPreventControlAreaDeletion(x,x,x,x)
		mov	[esp+40h+var_2C], eax
		test	eax, eax
		jz	loc_4EDFAE
		mov	eax, [edi+8]
		mov	ecx, dword_6D0700
		mov	edx, dword_6D0704
		mov	ebx, [edi+0Ch]
		mov	[esp+40h+var_28], eax
		mov	eax, ecx
		or	eax, edx
		jz	short loc_4EDEDA
		mov	eax, [esp+40h+var_28]
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4EDEDA
		not	edx
		and	ebx, edx

loc_4EDEDA:				; CODE XREF: MiTrimSharedPage+BEj
					; MiTrimSharedPage+CAj
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, [esp+40h+var_2D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esp+40h+var_24]
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)

loc_4EDEF8:				; CODE XREF: MiTrimSharedPage+E1A93j
		mov	eax, [esp+40h+var_2C]

loc_4EDEFC:				; CODE XREF: MiTrimSharedPage+192j
					; MiTrimSharedPage+E1A81j
		and	[esp+40h+var_4], 0
		lea	ecx, [esp+40h+var_18]
		xor	edx, edx
		mov	[esp+40h+var_18], eax
		mov	eax, [esp+40h+var_1C]
		inc	edx
		push	esi
		mov	[esp+44h+var_14], eax
		mov	[esp+44h+var_10], eax
		mov	[esp+44h+var_C], ebx
		mov	[esp+44h+var_8], ebx
		call	MiTrimSection
		test	eax, eax
		jnz	loc_4EDFB2
		mov	al, [edi+16h]
		and	al, 7
		cmp	al, 6
		jz	short loc_4EDFB2

loc_4EDF37:				; CODE XREF: MiTrimSharedPage+1B5j
		mov	ecx, [esp+40h+var_20]
		test	ecx, ecx
		jz	short loc_4EDF44
		call	_MiDecrementSubsection@4 ; MiDecrementSubsection(x)

loc_4EDF44:				; CODE XREF: MiTrimSharedPage+133j
		mov	ecx, [esp+40h+var_2C]
		xor	edx, edx
		call	_MiDecrementModifiedWriteCount@8 ; MiDecrementModifiedWriteCount(x,x)
		test	eax, eax
		jnz	short loc_4EDFC4

loc_4EDF53:				; CODE XREF: MiTrimSharedPage+1C1j
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, [edi+16h]
		and	cl, 7
		cmp	cl, 6
		jz	short loc_4EDFAE
		push	2
		pop	eax

loc_4EDF68:				; CODE XREF: MiTrimSharedPage+1A6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4EDF71:				; CODE XREF: MiTrimSharedPage+7Fj
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, ebx
		call	MiReferencePfBackedSection
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_4EDFA7
		cmp	[esp+40h+var_28], 0
		mov	eax, [ebx]
		mov	[esp+40h+var_2C], eax
		jz	loc_4EDEFC
		jmp	loc_5CF887
; 

loc_4EDFA7:				; CODE XREF: MiTrimSharedPage+185j
					; MiTrimSharedPage+E1AA6j ...
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)

loc_4EDFAE:				; CODE XREF: MiTrimSharedPage+9Ej
					; MiTrimSharedPage+159j
		xor	eax, eax
		jmp	short loc_4EDF68
; 

loc_4EDFB2:				; CODE XREF: MiTrimSharedPage+11Ej
					; MiTrimSharedPage+12Bj
		xor	edx, edx
		lea	ecx, [esp+40h+var_18]
		push	esi
		inc	edx
		call	MiTrimSection
		jmp	loc_4EDF37
; 

loc_4EDFC4:				; CODE XREF: MiTrimSharedPage+147j
		mov	ecx, eax
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)
		jmp	short loc_4EDF53
MiTrimSharedPage endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiTrimSection	proc near		; CODE XREF: MmTrimSection(x,x,x,x)+57p
					; MiTrimSharedPage+117p ...

var_3A		= byte ptr -3Ah
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005CF8C2 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, ecx
		mov	[esp+40h+var_4], edx
		push	esi
		push	edi
		and	eax, 1
		mov	[esp+48h+var_30], ebx
		mov	edi, [ebx+0Ch]
		mov	ecx, [ebx+4]
		mov	[esp+48h+var_8], ecx
		mov	[esp+48h+var_2C], edi
		mov	esi, [edi]
		mov	[esp+48h+var_18], eax
		jnz	loc_5CF8C2

loc_4EE006:				; CODE XREF: MiTrimSection+E18FEj
		mov	edx, ecx
		mov	ecx, edi
		push	0FFFFFFFFh
		call	MiStartingOffset
		mov	ecx, [ebx+10h]
		mov	[esp+48h+var_20], edx
		mov	edx, [ebx+8]
		push	0FFFFFFFFh
		mov	[esp+4Ch+var_1C], eax
		call	MiStartingOffset
		add	eax, 1000h
		mov	ecx, edx
		mov	[esp+48h+var_24], eax
		adc	ecx, 0
		and	[esp+48h+var_38], 0
		mov	[esp+48h+var_28], ecx
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Eh]
		nop
		lea	ecx, [esi+3Ch]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lea	eax, [esi+24h]
		push	eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		cmp	dword ptr [esi+14h], 0
		mov	[esp+48h+var_39], al
		jz	loc_5CF8DC
		mov	eax, [esi+4]
		mov	[esp+48h+var_C], eax
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [esp+48h+var_39]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	byte ptr [esi+1Ch], 20h
		jnz	short loc_4EE0F5
		cmp	dword ptr [esi+20h], 0
		jz	short loc_4EE0F5
		mov	ecx, [ebx+10h]
		mov	eax, ebx

loc_4EE098:				; CODE XREF: MiTrimSection+225j
		xor	ebx, ebx
		inc	ebx
		mov	[esp+48h+var_34], ebx
		cmp	edi, [eax+0Ch]
		jnz	loc_4EE19A

loc_4EE0A8:				; CODE XREF: MiTrimSection+1CEj
					; MiTrimSection+219j
		cmp	[esp+48h+var_18], 0
		jnz	short loc_4EE0B5
		test	byte ptr [ebp+arg_0], 20h
		jz	short loc_4EE0C8

loc_4EE0B5:				; CODE XREF: MiTrimSection+DFj
		mov	edx, eax
		mov	ecx, edi
		call	_MiAnyProtosAreMapped@8	; MiAnyProtosAreMapped(x,x)
		neg	eax
		sbb	eax, eax
		and	ebx, eax
		mov	[esp+48h+var_34], ebx

loc_4EE0C8:				; CODE XREF: MiTrimSection+E5j
		test	ebx, ebx
		jz	short loc_4EE0E6
		lea	ecx, [edi+34h]
		mov	eax, [ecx]
		mov	[esp+48h+var_10], ecx
		mov	[esp+48h+var_14], eax
		cmp	eax, ecx
		jnz	short loc_4EE153

loc_4EE0DD:				; CODE XREF: MiTrimSection+1BBj
		cmp	ebx, 2
		jz	loc_4EE1F8

loc_4EE0E6:				; CODE XREF: MiTrimSection+FCj
					; MiTrimSection+20Fj ...
		mov	eax, [esp+48h+var_30]
		mov	ecx, [eax+10h]
		cmp	edi, ecx
		jnz	loc_4EE1EC

loc_4EE0F5:				; CODE XREF: MiTrimSection+BDj
					; MiTrimSection+C3j
		mov	ebx, [esp+48h+var_C]
		lea	edi, [esi+4]

loc_4EE0FC:				; CODE XREF: MiTrimSection+154j
		mov	ecx, esi
		cmp	ebx, edi
		jz	short loc_4EE130
		push	[esp+48h+var_28]
		mov	edx, ebx
		push	[esp+4Ch+var_24]
		push	[esp+50h+var_20]
		push	[esp+54h+var_1C]
		push	[ebp+arg_0]
		call	MiViewMayContainPage
		test	eax, eax
		jnz	short loc_4EE124

loc_4EE120:				; CODE XREF: MiTrimSection+160j
		mov	ebx, [ebx]
		jmp	short loc_4EE0FC
; 

loc_4EE124:				; CODE XREF: MiTrimSection+150j
		mov	ecx, [esp+48h+var_38]
		mov	[eax], ecx
		mov	[esp+48h+var_38], eax
		jmp	short loc_4EE120
; 

loc_4EE130:				; CODE XREF: MiTrimSection+132j
		call	_MiUnlockControlAreaFileObjectShared@4 ; MiUnlockControlAreaFileObjectShared(x)
		push	[esp+48h+var_8]
		mov	edx, [esp+4Ch+var_4]
		mov	ecx, [esp+4Ch+var_38]
		push	esi
		push	[ebp+arg_0]
		call	_MiTrimSharedPageFromViews@20 ;	MiTrimSharedPageFromViews(x,x,x,x,x)

loc_4EE14A:				; CODE XREF: MiTrimSection+E1909j
					; MiTrimSection+E192Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4EE153:				; CODE XREF: MiTrimSection+10Dj
		mov	edi, [esp+48h+var_14]
		mov	ebx, [esp+48h+var_10]

loc_4EE15B:				; CODE XREF: MiTrimSection+1B1j
		push	[esp+48h+var_28]
		mov	edx, edi
		mov	ecx, esi
		push	[esp+4Ch+var_24]
		push	[esp+50h+var_20]
		push	[esp+54h+var_1C]
		push	[ebp+arg_0]
		call	MiViewMayContainPage
		test	eax, eax
		jnz	short loc_4EE18E

loc_4EE17B:				; CODE XREF: MiTrimSection+1CAj
		mov	edi, [edi]
		cmp	edi, ebx
		jnz	short loc_4EE15B
		mov	edi, [esp+48h+var_2C]
		mov	ebx, [esp+48h+var_34]
		jmp	loc_4EE0DD
; 

loc_4EE18E:				; CODE XREF: MiTrimSection+1ABj
		mov	ecx, [esp+48h+var_38]
		mov	[eax], ecx
		mov	[esp+48h+var_38], eax
		jmp	short loc_4EE17B
; 

loc_4EE19A:				; CODE XREF: MiTrimSection+D4j
		cmp	edi, ecx
		jz	loc_4EE0A8
		lea	eax, [esi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		cmp	dword ptr [edi+40h], 0
		mov	[esp+48h+var_39], al
		jz	short loc_4EE204
		mov	ecx, edi
		call	_MiReferenceSubsection@8 ; MiReferenceSubsection(x,x)
		cmp	eax, 1
		jle	short loc_4EE204
		push	2
		pop	ebx

loc_4EE1C4:				; CODE XREF: MiTrimSection+238j
		lea	eax, [esi+24h]
		mov	[esp+48h+var_34], ebx
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+48h+var_39]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jz	loc_4EE0E6
		mov	eax, [esp+48h+var_30]
		jmp	loc_4EE0A8
; 

loc_4EE1EC:				; CODE XREF: MiTrimSection+121j
		mov	edi, [edi+8]
		mov	[esp+48h+var_2C], edi
		jmp	loc_4EE098
; 

loc_4EE1F8:				; CODE XREF: MiTrimSection+112j
		mov	ecx, edi
		call	_MiDecrementSubsection@4 ; MiDecrementSubsection(x)
		jmp	loc_4EE0E6
; 

loc_4EE204:				; CODE XREF: MiTrimSection+1E5j
					; MiTrimSection+1F1j
		xor	ebx, ebx
		jmp	short loc_4EE1C4
MiTrimSection	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiViewMayContainPage proc near		; CODE XREF: MiTrimSection+149p
					; MiTrimSection+1A4p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005CF8FD SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		or	[ebp+var_8], 0FFFFFFFFh
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		mov	esi, [edx+8]
		mov	ebx, ecx
		mov	ecx, [ebp+arg_4]
		mov	eax, esi
		and	eax, 3
		mov	[ebp+var_18], edx
		mov	[ebp+var_4], ebx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+arg_0], ecx
		sub	eax, 0
		jz	loc_4EE354
		sub	eax, 1
		jnz	loc_4EE3A2
		mov	ecx, [edx-0Ch]
		mov	eax, esi
		and	eax, 0FFFFFFFEh
		and	edi, 20h
		test	byte ptr [ebx+1Ch], 20h
		mov	[ebp+var_14], eax
		jnz	loc_4EE3E1
		test	edi, edi
		jnz	loc_4EE38A

loc_4EE266:				; CODE XREF: MiViewMayContainPage+18Fj
		mov	edx, [edx-8]
		push	0FFFFFFFFh
		call	MiStartingOffset
		mov	ecx, [ebp+var_18]
		mov	ebx, edx
		mov	edi, [ecx-28h]
		mov	esi, [ecx-2Ch]
		sub	edi, esi
		inc	edi
		xor	ecx, ecx
		shl	edi, 0Ch
		add	edi, eax
		adc	ecx, ebx

loc_4EE287:				; CODE XREF: MiViewMayContainPage+1EAj
		shl	esi, 0Ch

loc_4EE28A:				; CODE XREF: MiViewMayContainPage+177j
					; MiViewMayContainPage+1C3j
		mov	edx, [ebp+var_4]

loc_4EE28D:				; CODE XREF: MiViewMayContainPage+2D0j
		test	byte ptr [edx+1Ch], 20h
		jnz	loc_4EE3D0
		cmp	[ebp+arg_8], ecx
		ja	short loc_4EE2A3
		jb	short loc_4EE2AC
		cmp	[ebp+arg_0], edi
		jb	short loc_4EE2AC

loc_4EE2A3:				; CODE XREF: MiViewMayContainPage+92j
					; MiViewMayContainPage+A7j ...
		xor	eax, eax

loc_4EE2A5:				; CODE XREF: MiViewMayContainPage+147j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_4EE2AC:				; CODE XREF: MiViewMayContainPage+94j
					; MiViewMayContainPage+99j
		cmp	[ebp+arg_10], ebx
		jb	short loc_4EE2A3
		mov	edx, [ebp+arg_C]
		ja	short loc_4EE2BA
		cmp	edx, eax
		jbe	short loc_4EE2A3

loc_4EE2BA:				; CODE XREF: MiViewMayContainPage+ACj
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_8], ebx
		jb	short loc_4EE2D8
		ja	short loc_4EE2C9
		cmp	[ebp+arg_4], eax
		jb	short loc_4EE2D8

loc_4EE2C9:				; CODE XREF: MiViewMayContainPage+BAj
		mov	ebx, [ebp+arg_0]
		sub	[ebp+arg_0], eax
		add	esi, [ebp+arg_0]
		mov	[ebp+var_4], ebx
		mov	ebx, [ebp+arg_8]

loc_4EE2D8:				; CODE XREF: MiViewMayContainPage+B8j
					; MiViewMayContainPage+BFj
		mov	eax, [ebp+arg_10]
		cmp	eax, ecx
		ja	loc_4EE3F7
		jb	short loc_4EE2ED
		cmp	edx, edi
		ja	loc_4EE3F7

loc_4EE2ED:				; CODE XREF: MiViewMayContainPage+DBj
					; MiViewMayContainPage+1F1j
		sub	edx, [ebp+var_4]
		lea	eax, [edx+esi]

loc_4EE2F3:				; CODE XREF: MiViewMayContainPage+1D4j
		push	0
		push	40h
		push	20h
		mov	edx, 6156694Dh
		mov	[ebp+arg_0], eax
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_4EE34D
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_14]
		mov	[edi+0Ch], eax
		mov	eax, [ebp+var_4]
		mov	[edi+10h], eax
		mov	eax, [ebp+var_8]
		mov	[edi+18h], eax
		mov	eax, [ebp+var_18]
		mov	[edi+8], esi
		mov	[edi+4], ecx
		mov	[edi+14h], ebx
		mov	eax, [eax+8]
		and	eax, 3
		mov	[edi+1Ch], eax
		test	ecx, ecx
		jz	short loc_4EE34D
		mov	edx, 746C6644h
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	loc_5CF917

loc_4EE34D:				; CODE XREF: MiViewMayContainPage+103j
					; MiViewMayContainPage+131j ...
		mov	eax, edi
		jmp	loc_4EE2A5
; 

loc_4EE354:				; CODE XREF: MiViewMayContainPage+2Fj
		mov	eax, [edx+10h]
		mov	ebx, [edx+14h]
		and	eax, 0FFFF0000h
		mov	edi, [edx+10h]
		shld	ebx, eax, 2
		shl	eax, 2
		and	edi, 3Fh
		jnz	loc_5CF90F
		mov	edi, 40000h

loc_4EE377:				; CODE XREF: MiViewMayContainPage+E170Aj
		xor	ecx, ecx
		add	edi, eax
		adc	ecx, ebx
		test	esi, esi
		jnz	loc_4EE28A
		jmp	loc_4EE2A3
; 

loc_4EE38A:				; CODE XREF: MiViewMayContainPage+58j
		mov	eax, [edx-1Ch]
		and	eax, 280h
		cmp	eax, 200h
		jz	loc_4EE266
		jmp	loc_4EE2A3
; 

loc_4EE3A2:				; CODE XREF: MiViewMayContainPage+38j
		sub	eax, 1
		jnz	short loc_4EE3FE
		mov	eax, [edx+0Ch]
		and	esi, 0FFFFFFFDh
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4EE3B5
		mov	[ebp+var_8], eax

loc_4EE3B5:				; CODE XREF: MiViewMayContainPage+1A8j
		mov	eax, [edx-1Ch]
		xor	ecx, ecx
		mov	ebx, [edx-18h]
		mov	edi, [edx-14h]
		shld	ebx, eax, 0Ch
		shl	eax, 0Ch
		add	edi, eax
		adc	ecx, ebx
		jmp	loc_4EE28A
; 

loc_4EE3D0:				; CODE XREF: MiViewMayContainPage+89j
		and	[ebp+var_4], 0
		lea	eax, [esi+1000h]
		xor	ebx, ebx
		jmp	loc_4EE2F3
; 

loc_4EE3E1:				; CODE XREF: MiViewMayContainPage+50j
		test	edi, edi
		jnz	loc_4EE2A3
		mov	esi, [edx-2Ch]
		xor	eax, eax
		xor	ebx, ebx
		xor	ecx, ecx
		jmp	loc_4EE287
; 

loc_4EE3F7:				; CODE XREF: MiViewMayContainPage+D5j
					; MiViewMayContainPage+DFj
		mov	edx, edi
		jmp	loc_4EE2ED
; 

loc_4EE3FE:				; CODE XREF: MiViewMayContainPage+19Dj
		sub	eax, 1
		jnz	loc_4EE2A3
		mov	edi, [edx+0Ch]
		and	esi, 0FFFFFFFCh
		and	[ebp+var_1C], eax
		sub	edi, esi
		mov	ecx, [edx+10h]
		inc	edi
		test	byte ptr [ebx+1Ch], 20h
		mov	[ebp+var_8], ecx
		jz	loc_4EE4DD
		add	ebx, 50h
		cmp	esi, dword_6D07D0
		jb	short loc_4EE441
		mov	eax, esi
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_4EE447
		cmp	al, 0Bh
		jz	short loc_4EE447

loc_4EE441:				; CODE XREF: MiViewMayContainPage+224j
		push	0FFFFFFFEh
		pop	ecx
		mov	[ebp+var_8], ecx

loc_4EE447:				; CODE XREF: MiViewMayContainPage+233j
					; MiViewMayContainPage+237j
		test	ebx, ebx
		jz	loc_4EE2A3

loc_4EE44F:				; CODE XREF: MiViewMayContainPage+28Cj
		mov	edx, [ebx+4]
		push	ecx
		mov	ecx, ebx
		call	MiStartingOffset
		mov	ecx, ebx
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edx
		call	MiEndingOffsetWithLock
		mov	ecx, eax
		mov	eax, [ebp+arg_8]
		cmp	eax, [ebp+var_10]
		jb	short loc_4EE486
		mov	eax, [ebp+arg_0]
		ja	short loc_4EE47B
		cmp	eax, [ebp+var_C]
		jb	short loc_4EE486

loc_4EE47B:				; CODE XREF: MiViewMayContainPage+26Cj
		cmp	[ebp+arg_8], edx
		jb	short loc_4EE496
		ja	short loc_4EE486
		cmp	eax, ecx
		jb	short loc_4EE496

loc_4EE486:				; CODE XREF: MiViewMayContainPage+267j
					; MiViewMayContainPage+271j ...
		mov	ebx, [ebx+8]
		test	ebx, ebx
		jz	loc_4EE2A3
		mov	ecx, [ebp+var_8]
		jmp	short loc_4EE44F
; 

loc_4EE496:				; CODE XREF: MiViewMayContainPage+276j
					; MiViewMayContainPage+27Cj
		mov	edx, [ebx+4]
		mov	ecx, eax
		sub	ecx, [ebp+var_C]
		mov	eax, [ebp+arg_8]
		sbb	eax, [ebp+var_10]
		shrd	ecx, eax, 0Ch
		mov	eax, [ebx+1Ch]
		lea	ecx, [edx+ecx*8]
		lea	eax, [edx+eax*8]
		cmp	ecx, eax
		jnb	loc_4EE2A3
		test	byte ptr [ebx+12h], 2
		mov	edx, [ebp+var_4]
		jnz	loc_5CF8FD

loc_4EE4C6:				; CODE XREF: MiViewMayContainPage+E1702j
		sub	ecx, [edx+54h]
		sar	ecx, 3
		shl	ecx, 0Ch
		add	esi, ecx

loc_4EE4D1:				; CODE XREF: MiViewMayContainPage+2D7j
		mov	ecx, [ebp+var_1C]
		xor	eax, eax
		xor	ebx, ebx
		jmp	loc_4EE28D
; 

loc_4EE4DD:				; CODE XREF: MiViewMayContainPage+215j
		mov	edx, ebx
		jmp	short loc_4EE4D1
MiViewMayContainPage endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTrimSharedPageFromViews(x, x, x, x, x)
_MiTrimSharedPageFromViews@20 proc near	; CODE XREF: MiTrimSection+177p

var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= byte ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1AD		= byte ptr -1ADh
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_18C		= dword	ptr -18Ch
var_154		= dword	ptr -154h
var_150		= word ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_BC		= dword	ptr -0BCh
var_B8		= word ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 230h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, ecx
		mov	[ebp+var_204], eax
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_200], edx
		xor	edx, edx
		lea	edi, [ebp+var_20]
		mov	esi, 98h
		mov	[ebp+var_214], edx
		push	esi		; size_t
		rep stosd
		push	edx		; int
		lea	eax, [ebp+var_154]
		mov	[ebp+var_210], edx
		push	eax		; void *
		mov	[ebp+var_218], edx
		mov	[ebp+var_1CC], edx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_BC]
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_1EC]
		stosd
		add	esp, 0Ch
		stosd
		push	50h		; size_t
		push	0		; int
		stosd
		lea	eax, [ebp+var_1A4]
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		xor	ecx, ecx
		mov	[ebp+var_1D0], eax
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_1AD], 21h
		mov	[ebp+var_1D4], eax
		mov	[ebp+var_1A8], ecx
		mov	[ebp+var_1B8], ecx
		test	ebx, ebx
		jz	loc_4EF0F8

loc_4EE5A6:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+BE3j
		and	[ebp+var_1C4], 0
		mov	eax, ebx
		mov	ebx, [ebx]
		xor	edx, edx
		and	[ebp+var_1E0], 0
		and	[ebp+var_1FC], 0
		mov	edi, [eax+14h]
		mov	esi, [eax+8]
		mov	[ebp+var_208], ebx
		mov	ebx, [eax+0Ch]
		mov	[ebp+var_1DC], edx
		mov	edx, [eax+4]
		mov	[ebp+var_1F8], ebx
		mov	ebx, [eax+10h]
		mov	[ebp+var_1C8], eax
		mov	[ebp+var_1BC], edx
		mov	[ebp+var_1C0], edi
		test	edx, edx
		jz	loc_4EE705
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	edx, eax
		jz	loc_4EE6FF
		lea	edx, [ebp+var_1EC]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp+var_1BC]
		mov	ecx, eax
		lea	edx, [eax+240h]
		call	_MiPrepareAttachThread@8 ; MiPrepareAttachThread(x,x)
		mov	[ebp+var_1E0], eax
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_4EE654
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1EC]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4EE692
; 

loc_4EE654:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+160j
		mov	eax, [ebp+var_1EC]
		test	eax, eax
		jnz	short loc_4EE67F
		mov	edx, [ebp+var_1E8]
		lea	eax, [ebp+var_1EC]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1EC]
		cmp	eax, ecx
		jz	short loc_4EE692
		call	KxWaitForLockChainValid

loc_4EE67F:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+17Aj
		xor	ecx, ecx
		mov	[ebp+var_1EC], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_4EE692:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+170j
					; MiTrimSharedPageFromViews(x,x,x,x,x)+196j
		mov	cl, [ebp+var_1E4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_1E0], 0
		jz	loc_4EEFD6
		mov	ecx, [ebp+var_1BC]
		lea	edx, [ebp+var_20]
		push	0
		call	KeForceAttachProcess

loc_4EE6BB:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+2E2j
					; MiTrimSharedPageFromViews(x,x,x,x,x)+2F2j ...
		mov	ecx, [ebp+var_1B8]

loc_4EE6C1:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+229j
		add	ebx, 0FFFFF000h
		mov	edx, 1000h
		mov	[ebp+var_1AC], ebx
		adc	edi, 0FFFFFFFFh
		sub	esi, edx
		mov	eax, esi
		mov	[ebp+var_1C0], edi
		xor	edi, edi
		shr	eax, 0Ch
		add	esi, edx
		mov	[ebp+var_1D8], edi
		cmp	esi, [ebp+var_1F8]
		jnb	loc_4EEFD6
		mov	edx, ebx
		jmp	loc_4EE8E6
; 

loc_4EE6FF:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+128j
		mov	eax, [ebp+var_1C8]

loc_4EE705:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+114j
		mov	eax, [eax+1Ch]
		cmp	eax, 2
		jb	short loc_4EE6C1
		mov	ecx, [ebp+var_1C8]
		mov	ecx, [ecx+18h]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_4EE740
		mov	[ebp+var_1C4], offset unk_6CF5A4

loc_4EE725:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+261j
		mov	ecx, [ebp+var_1C8]

loc_4EE72B:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+2C0j
		cmp	eax, 3
		jnz	loc_4EE7E8
		cmp	esi, dword_6D07D0
		jnb	short loc_4EE7A4
		xor	eax, eax
		jmp	short loc_4EE7B0
; 

loc_4EE740:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+237j
		cmp	ecx, 0FFFFFFFEh
		jz	short loc_4EE725
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	[ebp+var_1DC], eax
		test	eax, eax
		jz	loc_4EEFD6
		lea	edx, [ebp+var_20]
		mov	ecx, eax
		call	MmAttachSession
		test	eax, eax
		jns	short loc_4EE77E
		mov	ecx, [ebp+var_1DC]
		call	_MmQuitNextSession@4 ; MmQuitNextSession(x)
		xor	edx, edx
		mov	[ebp+var_1DC], edx
		jmp	loc_4EEFD6
; 

loc_4EE77E:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+282j
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_1C8]
		mov	eax, [eax+80h]
		mov	edx, [eax+180h]
		mov	eax, [ecx+1Ch]
		add	edx, 70h
		mov	[ebp+var_1C4], edx
		jmp	short loc_4EE72B
; 

loc_4EE7A4:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+258j
		mov	eax, esi
		shr	eax, 15h
		movzx	eax, byte ptr dword_6D3994[eax]

loc_4EE7B0:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+25Cj
		cmp	dword ptr [ecx+18h], 0FFFFFFFEh
		jnz	short loc_4EE7CF
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jz	loc_4EEFD6
		cmp	eax, 0Bh
		jnz	loc_4EE6BB
		jmp	loc_4EEFD6
; 

loc_4EE7CF:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+2D2j
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jz	loc_4EE6BB
		cmp	eax, 0Bh
		jz	loc_4EE6BB
		jmp	loc_4EEFD6
; 

loc_4EE7E8:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+24Cj
		test	byte ptr [ebp+arg_0], 6
		jnz	loc_4EEFD6
		mov	edi, [ebp+var_1D0]
		dec	word ptr [edi+13Eh]
		nop
		mov	eax, [ebp+var_1C4]
		xor	edx, edx
		mov	ecx, [eax+4]
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_1C4]
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	short loc_4EE846

loc_4EE81D:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+35Cj
		mov	edi, [ecx+34h]
		mov	edx, edi
		mov	eax, [ecx+18h]
		and	edx, 0FFFFF000h
		add	eax, edx
		cmp	esi, eax
		jnb	short loc_4EE839
		cmp	esi, edx
		jnb	short loc_4EE86F
		mov	ecx, [ecx]
		jmp	short loc_4EE83C
; 

loc_4EE839:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+34Dj
		mov	ecx, [ecx+4]

loc_4EE83C:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+355j
		test	ecx, ecx
		jnz	short loc_4EE81D

loc_4EE840:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+38Fj
		mov	edi, [ebp+var_1D0]

loc_4EE846:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+339j
		mov	ecx, [ebp+var_1C4]
		xor	edx, edx
		push	11h
		pop	eax
		mov	esi, [ecx+4]
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_4EE864
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_4EE864:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+379j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		jmp	short loc_4EE8AE
; 

loc_4EE86F:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+351j
		test	ecx, ecx
		jz	short loc_4EE840
		mov	eax, [ecx+20h]
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_1CC], eax
		cmp	[eax], edx
		jz	short loc_4EE8B8

loc_4EE883:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+3E8j
		mov	eax, [ebp+var_1C4]
		xor	edx, edx
		push	11h
		mov	esi, [eax+4]
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_4EE8A1
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_4EE8A1:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+3B6j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_1D0]

loc_4EE8AE:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+38Bj
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_4EEFD6
; 

loc_4EE8B8:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+39Fj
		mov	eax, [ecx+10h]
		and	edi, 0FFFFF000h
		shl	eax, 0Ch
		sub	eax, ebx
		add	eax, esi
		cmp	eax, edi
		jnz	short loc_4EE883
		mov	edi, [ebp+var_1C0]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1FC], eax
		jmp	loc_4EE6BB
; 

loc_4EE8E0:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+AEEj
		mov	ecx, [ebp+var_1B8]

loc_4EE8E6:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+218j
		mov	ebx, eax
		inc	eax
		add	edx, 1000h
		mov	[ebp+var_1B4], eax
		mov	[ebp+var_1AC], edx
		adc	[ebp+var_1C0], 0
		mov	edx, [ebp+var_1A8]
		test	edx, edx
		jz	loc_4EE99E
		mov	eax, esi
		shr	eax, 12h
		and	eax, 3FF8h
		sub	eax, 3FA00000h
		cmp	eax, ecx
		jz	short loc_4EE99E
		cmp	[ebp+var_148], 0
		mov	edi, edx
		jz	short loc_4EE94B
		push	0
		lea	edx, [ebp+var_154]
		mov	ecx, edi
		call	MiFreeWsleList
		test	eax, eax
		jz	short loc_4EE94B
		mov	[ebp+var_1D4], 115h

loc_4EE94B:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+44Aj
					; MiTrimSharedPageFromViews(x,x,x,x,x)+45Dj
		lea	ecx, [ebp+var_BC]
		call	MiFlushTbList
		cmp	[ebp+var_1BC], 0
		jnz	short loc_4EE96C
		lea	ecx, [ebp+var_1A4]
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)
		jmp	short loc_4EE98A
; 

loc_4EE96C:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+47Bj
		mov	edx, [ebp+var_1B8]
		test	edx, edx
		jz	short loc_4EE97D
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4EE97D:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+492j
		mov	dl, [ebp+var_1AD]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared

loc_4EE98A:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+488j
		mov	edi, [ebp+var_1D8]
		xor	edx, edx
		mov	[ebp+var_1B8], edx
		mov	[ebp+var_1A8], edx

loc_4EE99E:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+428j
					; MiTrimSharedPageFromViews(x,x,x,x,x)+43Fj
		mov	eax, [ebp+var_1BC]
		test	eax, eax
		jnz	loc_4EEBAD
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_1F4], ecx
		test	edx, edx
		jnz	loc_4EEAEE
		cmp	esi, dword_6D07D0
		jb	short loc_4EE9FA
		mov	eax, esi
		shr	eax, 15h
		movzx	edx, byte ptr dword_6D3994[eax]
		cmp	edx, 8
		jnz	short loc_4EE9E2
		xor	ecx, ecx

loc_4EE9D8:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+511j
					; MiTrimSharedPageFromViews(x,x,x,x,x)+516j
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		jmp	loc_4EEA67
; 

loc_4EE9E2:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+4F2j
		cmp	edx, ecx
		jz	short loc_4EEA62
		cmp	edx, 0Bh
		jz	short loc_4EEA62
		cmp	edx, 6
		jnz	short loc_4EE9F5
		push	2
		pop	ecx
		jmp	short loc_4EE9D8
; 

loc_4EE9F5:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+50Cj
		cmp	edx, 0Ch
		jz	short loc_4EE9D8

loc_4EE9FA:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+4E1j
					; MiTrimSharedPageFromViews(x,x,x,x,x)+58Dj ...
		mov	edi, [ebp+var_1BC]

loc_4EEA00:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+B7Fj
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_1FC], eax
		jnz	short loc_4EEA3B
		mov	eax, [ebp+var_1C4]
		xor	edx, edx
		push	11h
		mov	esi, [eax+4]
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_4EEA29
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_4EEA29:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+53Ej
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_1D0]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_4EEA3B:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+527j
		mov	ebx, [ebp+var_1DC]
		test	ebx, ebx
		jz	loc_4EF066
		lea	edx, [ebp+var_20]
		mov	ecx, ebx
		call	MmDetachSession
		mov	ecx, ebx
		call	_MmQuitNextSession@4 ; MmQuitNextSession(x)
		xor	ebx, ebx
		inc	ebx
		jmp	loc_4EF086
; 

loc_4EEA62:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+502j
					; MiTrimSharedPageFromViews(x,x,x,x,x)+507j
		call	_MiGetSessionVm@0 ; MiGetSessionVm()

loc_4EEA67:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+4FBj
		mov	[ebp+var_1A8], eax
		test	eax, eax
		jz	short loc_4EE9FA
		lea	ecx, [ebp+var_1A4]
		push	ecx
		push	0
		push	edx
		mov	edx, esi
		mov	ecx, eax
		call	MiSynchronizeSystemVa
		test	eax, eax
		jz	loc_4EEFD6
		mov	edx, [ebp+var_18C]
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_1A8], edx
		test	byte ptr [ebp+arg_0], bl
		jz	short loc_4EEAD5
		mov	ecx, edx
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		and	[ebp+var_B0], 0
		and	[ebp+var_AC], 0
		and	[ebp+var_A8], 0
		mov	[ebp+var_BC], eax
		mov	[ebp+var_B8], 0
		mov	[ebp+var_B4], 21h

loc_4EEAD5:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+5BCj
		mov	ecx, esi
		shr	ecx, 12h
		and	ecx, 3FF8h
		sub	ecx, 3FA00000h
		mov	[ebp+var_1B8], ecx
		jmp	short loc_4EEAF1
; 

loc_4EEAEE:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+4D5j
		xor	ebx, ebx
		inc	ebx

loc_4EEAF1:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+60Aj
		cmp	esi, dword_6D07D0
		jnb	short loc_4EEAFD
		xor	eax, eax
		jmp	short loc_4EEB09
; 

loc_4EEAFD:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+615j
		mov	eax, esi
		shr	eax, 15h
		movzx	eax, byte ptr dword_6D3994[eax]

loc_4EEB09:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+619j
		mov	ecx, [ebp+var_1C8]
		cmp	dword ptr [ecx+1Ch], 0
		jnz	loc_4EED65
		cmp	eax, 8
		jnz	loc_4EEFDC
		mov	ecx, esi
		call	_MiGetSystemCacheReverseMap@4 ;	MiGetSystemCacheReverseMap(x)
		mov	edx, eax
		test	edx, edx
		jz	loc_4EEFD6
		mov	ecx, [ebp+var_1A8]
		cmp	ecx, offset unk_6D5E80
		jnz	loc_4EEFD6
		mov	ecx, [edx+8]
		test	ecx, ecx
		jz	loc_4EEFD6
		mov	eax, [edx+0Ch]
		mov	[ebp+var_1CC], eax
		test	al, bl
		jz	short loc_4EEB66
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_1CC], eax

loc_4EEB66:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+679j
		mov	ebx, [ebp+arg_4]
		cmp	[eax], ebx
		jnz	loc_4EEFD6
		test	cl, 3
		mov	ecx, [edx+10h]
		mov	edx, [edx+14h]
		jnz	short loc_4EEB89
		and	ecx, 0FFFF0000h
		shld	edx, ecx, 2
		shl	ecx, 2

loc_4EEB89:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+698j
		mov	eax, esi
		xor	edi, edi
		and	eax, 3FFFFh
		add	eax, ecx
		adc	edi, edx
		cmp	eax, [ebp+var_1AC]
		jnz	loc_4EEFD6
		cmp	edi, [ebp+var_1C0]
		jmp	loc_4EED5F
; 

loc_4EEBAD:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+4C4j
		and	[ebp+var_1F4], 0
		test	edx, edx
		jnz	short loc_4EEC11
		lea	ecx, [eax+240h]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1A8], ecx
		test	byte ptr [ebp+arg_0], al
		jz	short loc_4EEBFC
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		mov	[ebp+var_B0], edx
		mov	[ebp+var_BC], eax
		mov	[ebp+var_B8], dx
		mov	[ebp+var_AC], edx
		mov	[ebp+var_B4], 21h
		mov	[ebp+var_A8], edx
		jmp	short loc_4EEBFE
; 

loc_4EEBFC:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+6E8j
		xor	edx, edx

loc_4EEBFE:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+718j
		mov	edi, edx
		mov	[ebp+var_1D8], edi
		call	MiLockWorkingSetShared
		mov	[ebp+var_1AD], al

loc_4EEC11:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+6D4j
		test	edi, edi
		jz	short loc_4EEC25
		mov	ecx, [ebp+var_1B4]
		cmp	ecx, [edi+0Ch]
		jb	short loc_4EEC25
		cmp	ecx, [edi+10h]
		jbe	short loc_4EEC70

loc_4EEC25:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+731j
					; MiTrimSharedPageFromViews(x,x,x,x,x)+73Cj
		mov	ecx, esi
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edi, eax
		mov	[ebp+var_1D8], edi
		test	edi, edi
		jz	loc_4EEFD6
		mov	ecx, [edi+1Ch]
		test	ecx, 100000h
		jnz	loc_4EEFD6
		mov	edx, [ebp+arg_4]
		test	byte ptr [edx+1Ch], 20h
		jnz	short loc_4EEC5D
		test	cl, 70h
		jnz	loc_4EEFD6

loc_4EEC5D:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+770j
		mov	eax, [edi+2Ch]
		mov	[ebp+var_1CC], eax
		cmp	[eax], edx
		jnz	loc_4EEFD6
		jmp	short loc_4EEC73
; 

loc_4EEC70:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+741j
		mov	edx, [ebp+arg_4]

loc_4EEC73:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+78Cj
		test	byte ptr [edx+1Ch], 20h
		jz	short loc_4EECAA
		mov	ecx, [edi+30h]
		mov	esi, [ebp+var_204]
		cmp	esi, ecx
		jb	loc_4EEFD6
		mov	eax, [edi+10h]
		mov	edx, [edi+0Ch]
		sub	eax, edx
		inc	eax
		lea	eax, [ecx+eax*8]
		cmp	esi, eax
		jnb	loc_4EEFD6
		sub	esi, ecx
		sar	esi, 3
		add	esi, edx
		shl	esi, 0Ch
		jmp	short loc_4EECF6
; 

loc_4EECAA:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+795j
		lea	eax, [ebp+var_1CC]
		mov	edx, esi
		push	eax
		push	0
		shr	edx, 0Ch
		mov	ecx, edi
		call	MiGetProtoPteAddress
		test	eax, eax
		jz	loc_4EEFD6
		mov	ecx, [ebp+var_1CC]
		test	ecx, ecx
		jz	loc_4EEFD6
		push	0FFFFFFFFh
		mov	edx, eax
		call	MiStartingOffset
		cmp	[ebp+var_1AC], eax
		jnz	loc_4EEFD6
		cmp	[ebp+var_1C0], edx
		jnz	loc_4EEFD6

loc_4EECF6:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+7C6j
		mov	edx, esi
		mov	ecx, offset loc_7FFFF8
		shr	edx, 9
		and	edx, ecx
		sub	edx, 40000000h
		mov	edi, edx
		shr	edi, 9
		and	edi, ecx
		mov	ecx, [ebp+var_1B8]
		add	edi, 0C0000000h
		cmp	ecx, edi
		jz	short loc_4EED65
		test	ecx, ecx
		jz	short loc_4EED43
		mov	edx, [ebp+var_1AC]
		sub	esi, 1000h
		add	edx, 0FFFFF000h
		mov	eax, ebx
		adc	[ebp+var_1C0], 0FFFFFFFFh
		jmp	loc_4EEFBE
; 

loc_4EED43:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+83Fj
		mov	ecx, [ebp+var_1A8]
		lea	eax, [ebp+var_218]
		push	eax
		call	MiLockLowestValidPageTable
		mov	ecx, eax
		mov	[ebp+var_1B8], ecx
		cmp	ecx, edi

loc_4EED5F:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+6C6j
		jnz	loc_4EEFD6

loc_4EED65:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+631j
					; MiTrimSharedPageFromViews(x,x,x,x,x)+83Bj
		and	[ebp+var_224], 0
		mov	eax, esi
		and	[ebp+var_220], 0
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_1F0], eax
		mov	edi, [eax]
		nop
		mov	edx, [eax+4]
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_220], edx
		mov	eax, edi
		mov	[ebp+var_214], edi
		and	eax, ecx
		mov	[ebp+var_210], edx
		or	eax, 0
		jz	loc_4EEFB2
		nop
		mov	ecx, edi
		mov	eax, edx
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	ebx, ecx, 1Ch
		add	ebx, ds:_MmPfnDatabase
		test	byte ptr [ebp+arg_0], 8
		jz	short loc_4EEDE6
		mov	eax, edi
		and	eax, 42h
		or	eax, 0
		jnz	loc_4EEFB2
		test	byte ptr [ebx+16h], 10h
		jnz	loc_4EEFB2

loc_4EEDE6:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+8EAj
		mov	eax, [ebx+0Ch]
		mov	ecx, ebx
		mov	edx, [ebx+8]
		mov	[ebp+var_228], eax
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_4EEFB2
		xor	eax, eax
		and	edx, 400h
		inc	eax
		test	byte ptr [ebp+arg_0], al
		jz	short loc_4EEE87
		or	edx, 0
		jz	loc_4EEFB2
		mov	eax, edi
		and	eax, 42h
		or	eax, 0
		jz	loc_4EEFB2
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, [ebx+16h]
		mov	dl, al
		test	cl, 10h
		jnz	short loc_4EEE3B
		or	cl, 10h
		mov	[ebx+16h], cl

loc_4EEE3B:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+951j
		mov	ecx, 7FFFFFFFh
		lea	eax, [ebx+10h]
		lock and [eax],	ecx
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_220]
		and	edi, 0FFFFFFBDh
		mov	[ebp+var_214], edi
		mov	[ebp+var_210], eax
		nop
		mov	edx, [ebp+var_1F0]
		lea	ecx, [ebp+var_BC]
		push	0
		mov	[edx], edi
		mov	[edx+4], eax
		xor	eax, eax
		inc	eax
		mov	edx, esi
		push	eax
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	loc_4EEFB2
; 

loc_4EEE87:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+92Bj
		or	edx, 0
		jnz	short loc_4EEE99
		mov	eax, [ebp+arg_4]
		test	byte ptr [eax+1Ch], 80h
		jnz	loc_4EEFB2

loc_4EEE99:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+9A8j
		mov	edi, [ebp+var_1A8]
		mov	edx, esi
		mov	ecx, edi
		call	MiLocateWsle
		mov	ecx, [ebp+var_1C8]
		mov	al, [eax]
		and	al, 0Fh
		cmp	dword ptr [ecx+1Ch], 3
		jnz	short loc_4EEEC0
		cmp	al, 9
		jz	loc_4EEFB2

loc_4EEEC0:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+9D4j
		cmp	al, 8
		jz	loc_4EEF72
		test	byte ptr [ebp+arg_0], 10h
		jnz	loc_4EEF72
		cmp	dword_6D3154, 0
		jz	short loc_4EEEE8
		mov	edx, [ebp+var_1F0]
		mov	ecx, edi
		call	MI_WSLE_LOG_ACCESS

loc_4EEEE8:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+9F7j
		cmp	[ebp+var_148], 0
		jnz	short loc_4EEF26
		mov	ecx, edi
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		and	[ebp+var_148], 0
		and	[ebp+var_144], 0
		and	[ebp+var_140], 0
		mov	[ebp+var_154], eax
		mov	[ebp+var_150], 4
		mov	[ebp+var_14C], 21h

loc_4EEF26:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+A0Dj
		xor	eax, eax
		lea	ecx, [ebp+var_154]
		push	0
		inc	eax
		mov	edx, esi
		push	eax
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	eax, [ebp+var_148]
		cmp	eax, [ebp+var_14C]
		jnz	short loc_4EEFB2
		push	0
		lea	edx, [ebp+var_154]
		mov	ecx, edi
		call	MiFreeWsleList
		mov	edx, [ebp+var_1AC]
		test	eax, eax
		mov	eax, [ebp+var_1B4]
		jz	short loc_4EEFBE
		mov	[ebp+var_1D4], 115h
		jmp	short loc_4EEFBE
; 

loc_4EEF72:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+9E0j
					; MiTrimSharedPageFromViews(x,x,x,x,x)+9EAj
		test	byte ptr [ebp+arg_0], 8
		jnz	short loc_4EEFA8
		cmp	[ebp+var_200], 0
		jz	short loc_4EEFA8
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		jz	short loc_4EEFA8
		mov	eax, [ebp+arg_0]
		mov	edx, ebx
		push	[ebp+var_1F4]
		and	eax, 40h
		mov	ecx, edi
		shl	eax, 0Ah
		push	eax
		push	esi
		call	_MiReplaceLockedPage@20	; MiReplaceLockedPage(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_4EEFB2

loc_4EEFA8:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+A94j
					; MiTrimSharedPageFromViews(x,x,x,x,x)+A9Dj ...
		mov	[ebp+var_1D4], 115h

loc_4EEFB2:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+8C8j
					; MiTrimSharedPageFromViews(x,x,x,x,x)+8F4j ...
		mov	edx, [ebp+var_1AC]
		mov	eax, [ebp+var_1B4]

loc_4EEFBE:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+85Cj
					; MiTrimSharedPageFromViews(x,x,x,x,x)+A82j ...
		mov	edi, [ebp+var_1D8]
		add	esi, 1000h
		cmp	esi, [ebp+var_1F8]
		jb	loc_4EE8E0

loc_4EEFD6:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+1C3j
					; MiTrimSharedPageFromViews(x,x,x,x,x)+210j ...
		mov	edx, [ebp+var_1A8]

loc_4EEFDC:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+63Aj
		test	edx, edx
		jz	loc_4EE9FA
		cmp	[ebp+var_148], 0
		mov	ebx, [ebp+var_1A8]
		jz	short loc_4EF010
		push	0
		lea	edx, [ebp+var_154]
		mov	ecx, ebx
		call	MiFreeWsleList
		test	eax, eax
		jz	short loc_4EF010
		mov	[ebp+var_1D4], 115h

loc_4EF010:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+B0Fj
					; MiTrimSharedPageFromViews(x,x,x,x,x)+B22j
		lea	ecx, [ebp+var_BC]
		call	MiFlushTbList
		mov	edi, [ebp+var_1BC]
		test	edi, edi
		jnz	short loc_4EF032
		lea	ecx, [ebp+var_1A4]
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)
		jmp	short loc_4EF052
; 

loc_4EF032:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+B41j
		mov	eax, [ebp+var_1B8]
		test	eax, eax
		jz	short loc_4EF045
		mov	edx, eax
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_4EF045:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+B58j
		mov	dl, [ebp+var_1AD]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared

loc_4EF052:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+B4Ej
		and	[ebp+var_1B8], 0
		xor	ecx, ecx
		mov	[ebp+var_1A8], ecx
		jmp	loc_4EEA00
; 

loc_4EF066:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+561j
		xor	ebx, ebx
		inc	ebx
		cmp	[ebp+var_1E0], ebx
		jnz	short loc_4EF086
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KeForceDetachProcess@8	; KeForceDetachProcess(x,x)
		lea	ecx, [edi+240h]
		call	MiAttachThreadDone

loc_4EF086:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+57Bj
					; MiTrimSharedPageFromViews(x,x,x,x,x)+B8Dj
		test	edi, edi
		jz	short loc_4EF091
		mov	ecx, edi
		call	ObfDereferenceObject

loc_4EF091:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+BA6j
		push	0
		push	[ebp+var_1C8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+var_200], ebx
		jnz	short loc_4EF0B5
		mov	eax, [ebp+var_204]
		mov	eax, [eax]
		and	eax, ebx
		or	eax, 0
		jz	short loc_4EF0CA

loc_4EF0B5:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+BC2j
		mov	ebx, [ebp+var_208]
		test	ebx, ebx
		jz	short loc_4EF0F2
		mov	ecx, [ebp+var_1B8]
		jmp	loc_4EE5A6
; 

loc_4EF0CA:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+BD1j
		mov	edi, [ebp+var_208]
		jmp	short loc_4EF0EA
; 

loc_4EF0D2:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+C0Aj
		mov	esi, edi
		mov	edi, [edi]
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_4EF0E2
		call	ObfDereferenceObject

loc_4EF0E2:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+BF9j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4EF0EA:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+BEEj
		test	edi, edi
		jnz	short loc_4EF0D2
		xor	eax, eax
		jmp	short loc_4EF0F8
; 

loc_4EF0F2:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+BDBj
		mov	eax, [ebp+var_1D4]

loc_4EF0F8:				; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+BEj
					; MiTrimSharedPageFromViews(x,x,x,x,x)+C0Ej
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_MiTrimSharedPageFromViews@20 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiUnlockControlAreaFileObjectShared(x)
_MiUnlockControlAreaFileObjectShared@4 proc near ; CODE	XREF: MiTrimSection:loc_4EE130p
					; MiTrimSection+E1923p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, large fs:124h
		lea	esi, [ecx+3Ch]
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_4EF136

loc_4EF126:				; CODE XREF: MiUnlockControlAreaFileObjectShared(x)+33j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		pop	edi
		pop	esi
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
; 

loc_4EF136:				; CODE XREF: MiUnlockControlAreaFileObjectShared(x)+1Aj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_4EF126
_MiUnlockControlAreaFileObjectShared@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPreventControlAreaDeletion(x, x, x, x)
_MiPreventControlAreaDeletion@16 proc near ; CODE XREF:	MiTrimSharedPage+93p
					; MiPurgeBadFileOnlyPages()+15Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		mov	edx, dword_6D0704
		mov	[eax], ebx
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [ecx+8]
		push	edi
		mov	edi, [ecx+0Ch]
		mov	ecx, dword_6D0700
		mov	[eax], ebx
		mov	eax, ecx
		or	eax, edx
		jz	short loc_4EF17D
		mov	eax, esi
		and	eax, 10h
		or	eax, ebx
		jnz	short loc_4EF17D
		not	edx
		and	edi, edx

loc_4EF17D:				; CODE XREF: MiPreventControlAreaDeletion(x,x,x,x)+2Ej
					; MiPreventControlAreaDeletion(x,x,x,x)+37j
		test	byte ptr [edi+12h], 2
		jnz	short loc_4EF1E0
		mov	esi, [edi]
		lea	ebx, [esi+24h]
		push	ebx
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	ecx, [esi+1Ch]
		mov	eax, ecx
		shr	eax, 1
		or	eax, ecx
		test	al, 1
		jnz	short loc_4EF1EA
		test	cl, 20h
		jnz	short loc_4EF1B2
		test	byte ptr [edi+12h], 1
		jnz	short loc_4EF1EA
		mov	ecx, edi
		call	_MiReferenceSubsection@8 ; MiReferenceSubsection(x,x)
		mov	eax, [ebp+arg_0]
		mov	[eax], edi

loc_4EF1B2:				; CODE XREF: MiPreventControlAreaDeletion(x,x,x,x)+5Ej
		push	4
		pop	edx
		mov	ecx, esi
		call	_MiBuildWakeList@8 ; MiBuildWakeList(x,x)
		mov	ecx, [ebp+arg_4]
		inc	dword ptr [esi+28h]
		mov	[ecx], eax
		mov	ecx, esi
		call	_MiRemoveUnusedSegment@4 ; MiRemoveUnusedSegment(x)
		cmp	[ebp+var_4], 1
		jz	short loc_4EF1E4

loc_4EF1D1:				; CODE XREF: MiPreventControlAreaDeletion(x,x,x,x)+A8j
					; MiPreventControlAreaDeletion(x,x,x,x)+ACj
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, esi

loc_4EF1D9:				; CODE XREF: MiPreventControlAreaDeletion(x,x,x,x)+A2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4EF1E0:				; CODE XREF: MiPreventControlAreaDeletion(x,x,x,x)+41j
		xor	eax, eax
		jmp	short loc_4EF1D9
; 

loc_4EF1E4:				; CODE XREF: MiPreventControlAreaDeletion(x,x,x,x)+8Fj
		or	dword ptr [esi+1Ch], 4
		jmp	short loc_4EF1D1
; 

loc_4EF1EA:				; CODE XREF: MiPreventControlAreaDeletion(x,x,x,x)+59j
					; MiPreventControlAreaDeletion(x,x,x,x)+64j
		xor	esi, esi
		jmp	short loc_4EF1D1
_MiPreventControlAreaDeletion@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAnyProtosAreMapped(x, x)
_MiAnyProtosAreMapped@8	proc near	; CODE XREF: MiTrimSection+EBp

var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	ebx, ebx
		mov	byte ptr [ebp+var_1], 21h
		push	esi
		push	edi
		mov	[ebp+var_8], ebx
		cmp	ecx, [edx+0Ch]
		jnz	loc_4EF291
		mov	esi, [edx+4]

loc_4EF20E:				; CODE XREF: MiAnyProtosAreMapped(x,x)+A6j
		cmp	ecx, [edx+10h]
		jnz	loc_4EF299
		mov	edi, [edx+8]
		add	edi, 8

loc_4EF21D:				; CODE XREF: MiAnyProtosAreMapped(x,x)+B1j
		cmp	esi, edi
		jnb	short loc_4EF28A

loc_4EF221:				; CODE XREF: MiAnyProtosAreMapped(x,x)+92j
		lea	edx, [ebp+var_1]
		mov	ecx, esi
		call	MiCheckProtoPtePageState
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_4EF2A4
		mov	eax, esi
		mov	ecx, 0FFFFF000h
		and	eax, ecx
		mov	edx, edi
		add	eax, 1000h
		cmp	edi, eax
		jbe	short loc_4EF24F
		mov	edx, esi
		and	edx, ecx
		add	edx, 1000h

loc_4EF24F:				; CODE XREF: MiAnyProtosAreMapped(x,x)+55j
					; MiAnyProtosAreMapped(x,x)+75j
		cmp	esi, edx
		jnb	short loc_4EF26A
		mov	ecx, [esi]
		nop
		xor	eax, eax
		inc	eax
		and	ecx, eax
		or	ecx, 0
		jnz	short loc_4EF265
		add	esi, 8
		jmp	short loc_4EF24F
; 

loc_4EF265:				; CODE XREF: MiAnyProtosAreMapped(x,x)+70j
		mov	[ebp+var_8], eax
		mov	esi, edi

loc_4EF26A:				; CODE XREF: MiAnyProtosAreMapped(x,x)+63j
		mov	dl, byte ptr [ebp+var_1]
		cmp	dl, 21h
		jz	short loc_4EF27E
		mov	ecx, ebx
		call	MiUnlockProtoPoolPage
		mov	dl, 21h
		mov	byte ptr [ebp+var_1], dl

loc_4EF27E:				; CODE XREF: MiAnyProtosAreMapped(x,x)+82j
					; MiAnyProtosAreMapped(x,x)+C5j
		cmp	esi, edi
		jb	short loc_4EF221
		cmp	dl, 21h
		jnz	short loc_4EF2B5

loc_4EF287:				; CODE XREF: MiAnyProtosAreMapped(x,x)+CEj
		mov	ebx, [ebp+var_8]

loc_4EF28A:				; CODE XREF: MiAnyProtosAreMapped(x,x)+31j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_4EF291:				; CODE XREF: MiAnyProtosAreMapped(x,x)+17j
		mov	esi, [ecx+4]
		jmp	loc_4EF20E
; 

loc_4EF299:				; CODE XREF: MiAnyProtosAreMapped(x,x)+23j
		mov	eax, [ecx+1Ch]
		lea	edi, [esi+eax*8]
		jmp	loc_4EF21D
; 

loc_4EF2A4:				; CODE XREF: MiAnyProtosAreMapped(x,x)+41j
		mov	dl, byte ptr [ebp+var_1]
		and	esi, 0FFFFF000h
		add	esi, 1000h
		jmp	short loc_4EF27E
; 

loc_4EF2B5:				; CODE XREF: MiAnyProtosAreMapped(x,x)+97j
		mov	ecx, ebx
		call	MiUnlockProtoPoolPage
		jmp	short loc_4EF287
_MiAnyProtosAreMapped@8	endp


;  S U B	R O U T	I N E 


; __stdcall MiDecrementSubsection(x)
_MiDecrementSubsection@4 proc near	; CODE XREF: MiTrimSharedPage+135p
					; MiTrimSection+22Cp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi]
		add	esi, 24h
		push	esi
		call	ExAcquireSpinLockExclusive
		push	ecx
		mov	edx, edi
		mov	ecx, edi
		mov	bl, al
		call	_MiDecrementSubsections@12 ; MiDecrementSubsections(x,x,x)
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		pop	edi
		pop	esi
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiDecrementSubsection@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcPurgeAndClearCacheSection proc near	; CODE XREF: CcSetFileSizesEx+302p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 005CF926 SIZE 00000019 BYTES
; FUNCTION CHUNK AT 005CF963 SIZE 0000006E BYTES

		push	40h
		push	offset dword_6A3198
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_20], eax
		mov	edi, ecx
		mov	[ebp+var_3C], edi
		xor	esi, esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_44], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], 1
		test	dword ptr [edi+60h], 2000h
		jnz	loc_5CF926

loc_4EF329:				; CODE XREF: CcPurgeAndClearCacheSection+E064Cj
		lea	ecx, [edi+44h]
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_4EF398
		mov	ecx, edi
		call	_CcSlowReferenceSharedCacheMapFileObject@4 ; CcSlowReferenceSharedCacheMapFileObject(x)
		mov	ebx, eax
		mov	[ebp+var_28], eax

loc_4EF343:				; CODE XREF: CcPurgeAndClearCacheSection+ADj
		mov	ecx, 0FFFh
		mov	eax, [ebp+var_20]
		test	[eax], ecx
		jnz	short loc_4EF3AA

loc_4EF34F:				; CODE XREF: CcPurgeAndClearCacheSection+176j
		push	esi
		push	esi
		push	eax
		push	dword ptr [ebx+14h]
		call	CcPurgeCacheSection
		mov	[ebp+var_19], al
		add	edi, 44h
		mov	ecx, [edi]
		mov	edx, ecx
		xor	edx, ebx
		cmp	edx, 7
		jnb	short loc_4EF39D

loc_4EF36B:				; CODE XREF: CcPurgeAndClearCacheSection+E06CEj
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jnz	loc_5CF9B5

loc_4EF37C:				; CODE XREF: CcPurgeAndClearCacheSection+BAj
		cmp	[ebp+var_19], 0
		jz	loc_5CF9C7

loc_4EF386:				; CODE XREF: CcPurgeAndClearCacheSection+E06DEj
		mov	eax, esi

loc_4EF388:				; CODE XREF: CcPurgeAndClearCacheSection+E0641j
					; CcPurgeAndClearCacheSection+E06BCj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4EF398:				; CODE XREF: CcPurgeAndClearCacheSection+47j
		mov	[ebp+var_28], ebx
		jmp	short loc_4EF343
; 

loc_4EF39D:				; CODE XREF: CcPurgeAndClearCacheSection+7Bj
					; CcPurgeAndClearCacheSection+E06D4j
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	short loc_4EF37C
; 

loc_4EF3AA:				; CODE XREF: CcPurgeAndClearCacheSection+5Fj
		mov	edx, [eax]
		mov	[ebp+var_48], edx
		mov	eax, [eax+4]
		mov	[ebp+var_34], eax
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_20], eax
		mov	[ebp+var_38], eax
		cmp	[edi+6Ch], esi
		jz	loc_5CF992
		cmp	[edi+40h], esi
		jz	loc_5CF992
		mov	eax, edx
		and	eax, ecx
		mov	ecx, 1000h
		sub	ecx, eax
		mov	[ebp+var_24], ecx
		push	[ebp+var_34]
		push	edx
		push	esi
		push	1
		lea	eax, [ebp+var_34]
		push	eax
		lea	edx, [ebp+var_30]
		mov	ecx, edi
		call	CcGetVirtualAddress
		mov	[ebp+var_34], eax
		mov	[ebp+ms_exc.disabled], esi
		push	[ebp+var_24]	; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_4EF410:				; CODE XREF: sub_5CF943+1Bj
		cmp	[ebp+var_2C], 0
		jz	short loc_4EF447
		mov	eax, [ebp+var_44]
		cmp	eax, [edi+2Ch]
		jl	short loc_4EF430
		jg	loc_5CF963
		mov	eax, [ebp+var_48]
		cmp	eax, [edi+28h]
		ja	loc_5CF963

loc_4EF430:				; CODE XREF: CcPurgeAndClearCacheSection+12Ej
		push	esi
		push	[ebp+var_24]
		lea	edx, [ebp+var_48]
		mov	ecx, edi
		call	CcSetDirtyInMask

loc_4EF43E:				; CODE XREF: CcPurgeAndClearCacheSection+E068Fj
		mov	eax, [ebp+var_24]
		add	[ebp+var_48], eax
		adc	[ebp+var_44], esi

loc_4EF447:				; CODE XREF: CcPurgeAndClearCacheSection+126j
		mov	ecx, [ebp+var_30]
		mov	edx, [ecx+4]
		mov	[ebp+var_3C], edx
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+8], eax
		dec	eax
		movzx	eax, ax
		test	ax, ax
		jz	short loc_4EF469

loc_4EF461:				; CODE XREF: CcPurgeAndClearCacheSection+18Dj
					; CcPurgeAndClearCacheSection+E06C2j
		mov	eax, [ebp+var_20]
		jmp	loc_4EF34F
; 

loc_4EF469:				; CODE XREF: CcPurgeAndClearCacheSection+171j
		mov	eax, [edx+74h]
		test	eax, eax
		jnz	loc_5CF982

loc_4EF474:				; CODE XREF: CcPurgeAndClearCacheSection+E069Fj
		lock dec dword ptr [edx+180h]
		jmp	short loc_4EF461
CcPurgeAndClearCacheSection endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 222. CcPurgeCacheSection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcPurgeCacheSection
CcPurgeCacheSection proc near		; CODE XREF: CcUnmapAndPurge(x,x)+65p
					; CcZeroEndOfLastPage(x)+A0p ...

var_3A		= dword	ptr -3Ah
var_26		= dword	ptr -26h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005CF9D1 SIZE 000001BA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		and	[esp+30h+var_26+2], 0
		lea	edx, [esp+30h+var_C]
		xor	eax, eax
		mov	byte ptr [esp+30h+var_26], 0
		push	esi
		push	edi
		lea	edi, [esp+38h+var_C]
		xor	ecx, ecx
		stosd
		mov	[esp+38h+var_20], ecx
		mov	ecx, offset _CcMasterLock
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+38h+var_18]
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		inc	eax
		mov	esi, [esi+4]
		mov	[esp+38h+var_1C], esi
		test	esi, esi
		jz	loc_4EF681
		mov	ecx, esi
		call	CcGetPartition
		test	dword ptr [esi+60h], 2000h
		mov	edi, eax
		mov	ebx, [ebp+arg_4]
		mov	[esp+38h+var_20], edi
		jnz	loc_5CF9D1

loc_4EF4F2:				; CODE XREF: CcPurgeCacheSection+E05B4j
		lea	ecx, [edi+40h]
		lea	edx, [esp+38h+var_18]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		inc	dword ptr [esi+4]
		xor	eax, eax
		inc	dword ptr [esi+178h]
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5CFA3B
		mov	eax, [esp+38h+var_18]
		test	eax, eax
		jnz	loc_4EF71C
		mov	edx, [esp+38h+var_14]
		lea	eax, [esp+38h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_18]
		cmp	eax, ecx
		jnz	loc_5CFA4C

loc_4EF53C:				; CODE XREF: CcPurgeCacheSection+2ABj
					; CcPurgeCacheSection+E05C5j
		mov	cl, [esp+38h+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		inc	eax

loc_4EF549:				; CODE XREF: CcPurgeCacheSection+206j
		test	ds:byte_70EFC6,	al
		jnz	loc_5CFA5A
		mov	eax, [esp+38h+var_C]
		test	eax, eax
		jnz	loc_4EF6F3
		mov	edx, [esp+38h+var_8]
		lea	eax, [esp+38h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_C]
		cmp	eax, ecx
		jnz	loc_4EF6EA

loc_4EF57B:				; CODE XREF: CcPurgeCacheSection+282j
					; CcPurgeCacheSection+E05E4j
		mov	cl, [esp+38h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_4EF5C8
		call	_MmGetControlAreaPartition@4 ; MmGetControlAreaPartition(x)
		mov	eax, [eax+4]
		cmp	edi, eax
		jnz	loc_5CFB13
		xor	eax, eax
		inc	eax
		test	[ebp+arg_C], al
		jnz	loc_5CFA6B

loc_4EF5A5:				; CODE XREF: CcPurgeCacheSection+E060Aj
		test	[ebp+arg_C], 8
		mov	edx, ebx
		push	0
		jnz	loc_5CFA91
		push	eax
		push	0
		push	[ebp+arg_8]
		mov	ecx, esi
		call	CcUnmapVacbArray

loc_4EF5C0:				; CODE XREF: CcPurgeCacheSection+E061Cj
		test	ebx, ebx
		jnz	loc_4EF68D

loc_4EF5C8:				; CODE XREF: CcPurgeCacheSection+105j
		mov	eax, [esp+38h+var_26+2]

loc_4EF5CC:				; CODE XREF: CcPurgeCacheSection+212j
		mov	edi, dword ptr [ebp+arg_C]
		and	edi, 4
		jnz	loc_4EF6DE

loc_4EF5D8:				; CODE XREF: CcPurgeCacheSection+263j
		neg	edi
		lea	ecx, [esp+38h+var_26]
		push	ecx
		mov	ecx, [ebp+arg_0]
		sbb	edi, edi
		push	eax
		push	[ebp+arg_8]
		and	edi, 6
		mov	edx, ebx
		dec	edi
		call	MmPurgeSection
		mov	byte ptr [esp+38h+var_26+1], al
		test	al, al
		jz	loc_4EF732

loc_4EF5FF:				; CODE XREF: CcPurgeCacheSection+2CFj
		test	esi, esi
		jz	short loc_4EF674
		cmp	[ebp+arg_8], 0
		jnz	short loc_4EF61D
		test	ebx, ebx
		jnz	loc_4EF699
		and	[esi+0F0h], ebx
		and	[esi+0F4h], ebx

loc_4EF61D:				; CODE XREF: CcPurgeCacheSection+185j
					; CcPurgeCacheSection+222j ...
		mov	ecx, [esp+38h+var_20]
		lea	edx, [esp+38h+var_18]
		add	ecx, 40h
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	ecx
		mov	ecx, esi
		call	CcDecrementOpenCount
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jnz	loc_5CFB6C
		mov	eax, [esp+38h+var_18]
		test	eax, eax
		jnz	loc_4EF709
		mov	edx, [esp+38h+var_14]
		lea	eax, [esp+38h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_18]
		cmp	eax, ecx
		jnz	loc_5CFB7D

loc_4EF66A:				; CODE XREF: CcPurgeCacheSection+295j
					; CcPurgeCacheSection+E06F6j
		mov	cl, [esp+38h+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4EF674:				; CODE XREF: CcPurgeCacheSection+17Fj
		mov	al, byte ptr [esp+38h+var_26+1]

loc_4EF678:				; CODE XREF: CcPurgeCacheSection+E05ADj
					; CcPurgeCacheSection+E068Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4EF681:				; CODE XREF: CcPurgeCacheSection+4Dj
		mov	ebx, [ebp+arg_4]
		mov	edi, [esp+38h+var_20]
		jmp	loc_4EF549
; 

loc_4EF68D:				; CODE XREF: CcPurgeCacheSection+140j
		xor	eax, eax
		inc	eax
		mov	[esp+38h+var_26+2], eax
		jmp	loc_4EF5CC
; 

loc_4EF699:				; CODE XREF: CcPurgeCacheSection+189j
		mov	ecx, [ebx+4]
		mov	eax, [ebx]
		cmp	ecx, [esi+0F4h]
		jg	loc_4EF61D
		jl	short loc_4EF6B8
		cmp	eax, [esi+0F0h]
		jnb	loc_4EF61D

loc_4EF6B8:				; CODE XREF: CcPurgeCacheSection+228j
		add	eax, 3FFFFh
		adc	ecx, 0
		and	eax, 0FFFC0000h
		add	eax, 40000h
		mov	[esi+0F0h], eax
		adc	ecx, 0
		mov	[esi+0F4h], ecx
		jmp	loc_4EF61D
; 

loc_4EF6DE:				; CODE XREF: CcPurgeCacheSection+150j
		or	eax, 2
		mov	[esp+38h+var_26+2], eax
		jmp	loc_4EF5D8
; 

loc_4EF6EA:				; CODE XREF: CcPurgeCacheSection+F3j
		lea	ecx, [esp+38h+var_C]
		call	KxWaitForLockChainValid

loc_4EF6F3:				; CODE XREF: CcPurgeCacheSection+D9j
		xor	edx, edx
		mov	[esp+38h+var_C], 0
		add	eax, 4
		inc	edx
		lock xor [eax],	edx
		jmp	loc_4EF57B
; 

loc_4EF709:				; CODE XREF: CcPurgeCacheSection+1C8j
					; CcPurgeCacheSection+E0704j
		mov	[esp+38h+var_18], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_4EF66A
; 

loc_4EF71C:				; CODE XREF: CcPurgeCacheSection+9Aj
					; CcPurgeCacheSection+E05D3j
		xor	edx, edx
		mov	[esp+38h+var_18], 0
		add	eax, 4
		inc	edx
		lock xor [eax],	edx
		jmp	loc_4EF53C
; 

loc_4EF732:				; CODE XREF: CcPurgeCacheSection+177j
		mov	esi, [esp+38h+var_26+2]

loc_4EF736:				; CODE XREF: CcPurgeCacheSection+E06DFj
		cmp	[ebp+arg_8], 0
		jnz	short loc_4EF74D
		push	ebx
		push	[ebp+arg_0]
		call	_MmCanFileBeTruncated@8	; MmCanFileBeTruncated(x,x)
		test	al, al
		jnz	loc_5CFB28

loc_4EF74D:				; CODE XREF: CcPurgeCacheSection+2B8j
					; CcPurgeCacheSection+E06AAj ...
		mov	esi, [esp+38h+var_1C]
		jmp	loc_4EF5FF
CcPurgeCacheSection endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 204. CcGetFlushedValidData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcGetFlushedValidData
CcGetFlushedValidData proc near		; CODE XREF: CcWriteBehindInternal+3E4p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005CFB8B SIZE 00000227 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	esi, [ebp+arg_0]
		lea	edi, [esp+30h+var_C]
		stosd
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+30h+var_18]
		stosd
		stosd
		stosd
		xor	edi, edi
		cmp	[ebp+arg_4], 0
		jz	loc_5CFB8B
		mov	esi, [esi+4]
		mov	[esp+30h+var_20], esi

loc_4EF798:				; CODE XREF: CcGetFlushedValidData+E0567j
		mov	ecx, esi
		call	CcGetPartition
		mov	ebx, eax
		mov	[esp+30h+var_1C], ebx
		call	_MmGetControlAreaPartition@4 ; MmGetControlAreaPartition(x)
		cmp	[eax+4], ebx
		jnz	loc_5CFD8B
		mov	edi, [esi+28h]
		xor	eax, eax
		mov	ebx, [esi+2Ch]
		cmp	[esi+4Ch], eax
		jnz	short loc_4EF7D7

loc_4EF7C0:				; CODE XREF: CcGetFlushedValidData+B5j
					; CcGetFlushedValidData+E0599j	...
		cmp	[ebp+arg_4], 0
		jz	loc_5CFD0E

loc_4EF7CA:				; CODE XREF: CcGetFlushedValidData+E062Aj
		mov	eax, edi
		mov	edx, ebx

loc_4EF7CE:				; CODE XREF: CcGetFlushedValidData+E04A1j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4EF7D7:				; CODE XREF: CcGetFlushedValidData+62j
		mov	ecx, [esi+68h]
		test	ecx, ecx
		jz	short loc_4EF7FC
		cmp	[ecx+8], eax
		jz	short loc_4EF7FC
		push	eax
		push	eax
		call	_CcFindBitmapRangeToClean@12 ; CcFindBitmapRangeToClean(x,x,x)
		xor	ebx, ebx
		mov	edi, [eax+10h]
		add	edi, [eax+8]
		adc	ebx, [eax+0Ch]
		shld	ebx, edi, 0Ch
		shl	edi, 0Ch

loc_4EF7FC:				; CODE XREF: CcGetFlushedValidData+80j
					; CcGetFlushedValidData+85j
		lea	edx, [esi+10h]
		mov	eax, [edx]
		lea	ecx, [eax-10h]
		cmp	eax, edx
		jnz	loc_5CFCC8

loc_4EF80C:				; CODE XREF: CcGetFlushedValidData+E058Cj
		lea	eax, [ecx+10h]
		cmp	eax, edx
		jz	short loc_4EF7C0
		jmp	loc_5CFCED
CcGetFlushedValidData endp


;  S U B	R O U T	I N E 


; __stdcall MmGetControlAreaPartition(x)
_MmGetControlAreaPartition@4 proc near	; CODE XREF: CcNotifyOfMappedWriteComplete+25p
					; CcPurgeCacheSection+107p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, offset dword_6CF3C0
		push	esi
		call	ExAcquireSpinLockExclusive
		push	esi
		mov	bl, al
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, dword_6D4EA4
		pop	esi
		pop	ebx
		retn
_MmGetControlAreaPartition@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcFindBitmapRangeToClean(x,	x, x)
_CcFindBitmapRangeToClean@12 proc near	; CODE XREF: CcAcquireByteRangeForWrite+13Bp
					; CcAcquireByteRangeForWrite+7E1p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		or	dword ptr [ecx+20h], 0FFFFFFFFh
		or	dword ptr [ecx+24h], 0FFFFFFFFh
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [ecx+10h]
		mov	ecx, [edi]

loc_4EF85B:				; CODE XREF: CcFindBitmapRangeToClean(x,x,x)+49j
		cmp	ecx, edi
		jz	short loc_4EF883
		mov	edx, [ecx+14h]
		xor	eax, eax
		add	edx, [ecx+8]
		adc	eax, [ecx+0Ch]
		cmp	ebx, eax
		jg	short loc_4EF887
		jl	short loc_4EF874
		cmp	esi, edx
		ja	short loc_4EF887

loc_4EF874:				; CODE XREF: CcFindBitmapRangeToClean(x,x,x)+2Ej
		cmp	dword ptr [ecx+18h], 0
		jz	short loc_4EF887
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		pop	ebp
		retn	8
; 

loc_4EF883:				; CODE XREF: CcFindBitmapRangeToClean(x,x,x)+1Dj
		xor	esi, esi
		xor	ebx, ebx

loc_4EF887:				; CODE XREF: CcFindBitmapRangeToClean(x,x,x)+2Cj
					; CcFindBitmapRangeToClean(x,x,x)+32j ...
		mov	ecx, [ecx]
		jmp	short loc_4EF85B
_CcFindBitmapRangeToClean@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcReleaseByteRangeFromWrite proc near	; CODE XREF: .text:004AD108p
					; CcNotifyOfMappedWriteComplete+73p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005CFDB2 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		xor	edx, edx
		xor	ecx, ecx
		push	edi
		test	esi, esi
		jnz	short loc_4EF8B3
		cmp	[ebp+arg_8], cl
		jnz	short loc_4EF91F

loc_4EF8AC:				; CODE XREF: CcReleaseByteRangeFromWrite+8Fj
					; CcReleaseByteRangeFromWrite+A3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4EF8B3:				; CODE XREF: CcReleaseByteRangeFromWrite+19j
		mov	eax, 2FDh
		cmp	[esi], ax
		jnz	loc_5CFDC0

loc_4EF8C1:				; CODE XREF: CcReleaseByteRangeFromWrite+8Aj
					; CcReleaseByteRangeFromWrite+91j
		mov	edi, [esi+10h]
		cmp	[esi], ax
		jnz	short loc_4EF90C
		mov	eax, [esi+8]
		mov	[ebp+arg_4], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_8]
		mov	eax, [eax+60h]
		test	eax, 200h
		jz	short loc_4EF8F1
		shr	eax, 1
		mov	ecx, esi
		and	al, 1
		push	2
		mov	dl, al
		call	CcUnpinFileDataEx

loc_4EF8F1:				; CODE XREF: CcReleaseByteRangeFromWrite+54j
		cmp	[ebp+arg_8], 0
		jnz	loc_5CFDD5

loc_4EF8FB:				; CODE XREF: CcReleaseByteRangeFromWrite+E0551j
		push	0
		mov	dl, 1
		mov	ecx, esi
		call	CcUnpinFileDataEx
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]

loc_4EF90C:				; CODE XREF: CcReleaseByteRangeFromWrite+3Bj
		lea	esi, [edi-10h]
		mov	eax, 2FDh
		cmp	[ebx], edx
		jnz	short loc_4EF8C1
		cmp	[ebx+4], ecx
		jz	short loc_4EF8AC
		jmp	short loc_4EF8C1
; 

loc_4EF91F:				; CODE XREF: CcReleaseByteRangeFromWrite+1Ej
		mov	edi, [ebx]
		mov	eax, [ebp+arg_0]
		test	eax, eax
		mov	ebx, [ebx+4]

loc_4EF929:				; CODE XREF: CcReleaseByteRangeFromWrite+115j
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], edi
		jz	loc_4EF8AC
		mov	ecx, eax
		xor	eax, eax
		add	ecx, edi
		push	0
		adc	eax, ebx
		sub	ecx, 1
		push	1000000h
		sbb	eax, 0
		push	eax
		push	ecx
		call	__alldiv
		push	0
		push	1000000h
		push	ebx
		push	edi
		mov	dword ptr [ebp+arg_8], eax
		mov	esi, edx
		call	__alldiv
		cmp	edx, esi
		jg	short loc_4EF977
		jl	loc_5CFD9F
		cmp	eax, dword ptr [ebp+arg_8]
		jb	loc_5CFD9F

loc_4EF977:				; CODE XREF: CcReleaseByteRangeFromWrite+DAj
		mov	esi, [ebp+arg_0]

loc_4EF97A:				; CODE XREF: CcGetFlushedValidData+E0651j
		push	0
		cmp	esi, 1000000h
		ja	loc_5CFDB2
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_14]
		push	esi
		call	CcSetDirtyInMask
		mov	eax, [ebp+arg_0]
		add	edi, esi
		adc	ebx, 0
		sub	eax, esi
		mov	[ebp+arg_0], eax
		jmp	short loc_4EF929
CcReleaseByteRangeFromWrite endp

; 
		align 8
; Exported entry 1384. MmCanFileBeTruncated

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmCanFileBeTruncated(x, x)
		public _MmCanFileBeTruncated@8
_MmCanFileBeTruncated@8	proc near	; CODE XREF: CcPurgeCacheSection+2BEp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	edx, [ebp+arg_4]
		xor	ecx, ecx
		mov	byte ptr [ebp+var_1], cl
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		push	ebx
		test	edx, edx
		jz	short loc_4EF9D1
		mov	eax, [edx]
		mov	[ebp+var_10], eax
		mov	eax, [edx+4]
		lea	edx, [ebp+var_10]
		mov	[ebp+var_C], eax

loc_4EF9D1:				; CODE XREF: MmCanFileBeTruncated(x,x)+19j
		lea	eax, [ebp+var_1]
		push	eax
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	MiCanFileBeTruncatedInternal
		mov	bl, byte ptr [ebp+var_1]
		cmp	bl, 21h
		jz	short loc_4EFA03
		test	eax, eax
		jz	short loc_4EF9FC
		add	eax, 24h
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4EF9FC:				; CODE XREF: MmCanFileBeTruncated(x,x)+41j
		mov	al, 1

loc_4EF9FE:				; CODE XREF: MmCanFileBeTruncated(x,x)+5Dj
		pop	ebx
		leave
		retn	8
; 

loc_4EFA03:				; CODE XREF: MmCanFileBeTruncated(x,x)+3Dj
		xor	al, al
		jmp	short loc_4EF9FE
_MmCanFileBeTruncated@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCanFileBeTruncatedInternal proc near	; CODE XREF: MmPurgeSection+5Fp
					; MmCanFileBeTruncated(x,x)+32p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CFDE2 SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	edi, ecx
		mov	esi, offset dword_6CF3C0

loc_4EFA1C:				; CODE XREF: MiCanFileBeTruncatedInternal+E0400j
		cmp	dword ptr [edi+8], 0
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	21h
		jnz	loc_4EFB2D
		push	esi
		call	ExAcquireSpinLockExclusive
		cmp	dword ptr [edi+8], 0
		mov	bl, al
		jnz	loc_5CFDE2

loc_4EFA3E:				; CODE XREF: MiCanFileBeTruncatedInternal+13Dj
		mov	esi, [edi]
		test	esi, esi
		jz	short loc_4EFA9D
		lea	eax, [esi+24h]
		push	eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jz	loc_5CFDF5
		push	offset dword_6CF3C0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, [esi+1Ch]
		mov	ecx, eax
		shr	ecx, 1
		or	ecx, eax
		test	cl, 1
		jnz	loc_4EFB06
		mov	ecx, [esi+40h]
		xor	edx, edx
		mov	eax, [esi+44h]
		cmp	eax, edx
		ja	loc_5CFE0D
		cmp	ecx, 1
		ja	loc_5CFE0D

loc_4EFA8A:				; CODE XREF: MiCanFileBeTruncatedInternal+E0409j
					; MiCanFileBeTruncatedInternal+E0418j
		cmp	[esi+18h], edx
		jnz	short loc_4EFAB9

loc_4EFA8F:				; CODE XREF: MiCanFileBeTruncatedInternal+114j
					; MiCanFileBeTruncatedInternal+120j ...
		mov	eax, [ebp+arg_8]
		mov	[eax], bl
		mov	eax, esi

loc_4EFA96:				; CODE XREF: MiCanFileBeTruncatedInternal+AFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4EFA9D:				; CODE XREF: MiCanFileBeTruncatedInternal+3Aj
		push	offset dword_6CF3C0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	0

loc_4EFAB5:				; CODE XREF: MiCanFileBeTruncatedInternal+10Fj
					; MiCanFileBeTruncatedInternal+12Fj
		xor	eax, eax
		jmp	short loc_4EFA96
; 

loc_4EFAB9:				; CODE XREF: MiCanFileBeTruncatedInternal+85j
		cmp	[ebp+arg_0], 1
		jz	short loc_4EFB19

loc_4EFABF:				; CODE XREF: MiCanFileBeTruncatedInternal+11Ej
		mov	edi, [ebp+var_4]
		test	edi, edi
		jz	short loc_4EFB06
		lea	eax, [esi+50h]
		cmp	[esi+20h], edx
		jz	short loc_4EFAD8
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiFindLastSubsection@8	; MiFindLastSubsection(x,x)

loc_4EFAD8:				; CODE XREF: MiCanFileBeTruncatedInternal+C4j
					; MiCanFileBeTruncatedInternal+144j
		mov	ecx, [eax+8]
		test	ecx, ecx
		jnz	short loc_4EFB4A
		mov	ecx, eax
		call	_MiEndingOffset@4 ; MiEndingOffset(x)
		mov	ecx, [edi]
		mov	[ebp+arg_4], eax
		mov	eax, [edi+4]
		cmp	eax, edx
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+arg_4]
		jb	short loc_4EFB06
		ja	loc_5CFE25
		cmp	ecx, eax
		jnb	loc_5CFE25

loc_4EFB06:				; CODE XREF: MiCanFileBeTruncatedInternal+63j
					; MiCanFileBeTruncatedInternal+BCj ...
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4EFAB5
; 

loc_4EFB19:				; CODE XREF: MiCanFileBeTruncatedInternal+B5j
		cmp	[esi+14h], edx
		jz	loc_4EFA8F
		cmp	[ebp+arg_4], 1
		jnz	short loc_4EFABF
		jmp	loc_4EFA8F
; 

loc_4EFB2D:				; CODE XREF: MiCanFileBeTruncatedInternal+1Ej
					; MiCanFileBeTruncatedInternal+E03E8j
		push	1
		push	edi
		call	MmFlushImageSection
		test	al, al
		jz	loc_4EFAB5
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		jmp	loc_4EFA3E
; 

loc_4EFB4A:				; CODE XREF: MiCanFileBeTruncatedInternal+D5j
		mov	eax, ecx
		jmp	short loc_4EFAD8
MiCanFileBeTruncatedInternal endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockControlAreaSectionExtend proc near ; CODE XREF:	MmExtendSection+19Fp
					; MmExtendSection+1E1p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CFE4F SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, edx
		push	ebx
		push	esi
		mov	[ebp+var_4], eax
		mov	eax, [eax+4]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], eax
		call	KeAbPostRelease
		lea	esi, [edi+24h]
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		mov	bl, al
		mov	edx, [edx+4]
		call	_MiBuildWakeList@8 ; MiBuildWakeList(x,x)
		push	esi
		mov	edi, eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_4EFBA9
		mov	eax, [ebp+var_4]

loc_4EFB99:				; CODE XREF: MiUnlockControlAreaSectionExtend+59j
		mov	esi, [edi]
		cmp	edi, eax
		jnz	loc_5CFE4F

loc_4EFBA3:				; CODE XREF: MiUnlockControlAreaSectionExtend+E030Fj
		mov	edi, esi
		test	esi, esi
		jnz	short loc_4EFB99

loc_4EFBA9:				; CODE XREF: MiUnlockControlAreaSectionExtend+46j
		cmp	[ebp+var_8], 10h
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		pop	ebx
		jnz	short loc_4EFBC0
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		leave
		retn
; 

loc_4EFBC0:				; CODE XREF: MiUnlockControlAreaSectionExtend+69j
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		leave
		retn
MiUnlockControlAreaSectionExtend endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockControlAreaSectionExtend proc near ; CODE	XREF: MmExtendSection+9Ap
					; MmExtendSection+1FFp	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005CFE62 SIZE 0000007A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		sub	esp, 0Ch
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	esi, ecx
		cmp	dword ptr [ebx+4], 10h
		jnz	short loc_4EFC57
		dec	word ptr [eax+13Eh]

loc_4EFBEA:				; CODE XREF: MiLockControlAreaSectionExtend+96j
		nop
		lea	ecx, [ebx+14h]
		mov	[ebp+var_C], ecx

loc_4EFBF1:				; CODE XREF: MiLockControlAreaSectionExtend+E030Fj
		lea	eax, [esi+24h]

loc_4EFBF4:				; CODE XREF: MiLockControlAreaSectionExtend+E02F5j
		and	[ebp+var_8], 0
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	edi, [esi+2Ch]
		mov	[ebp+var_1], al
		test	edi, edi
		jnz	short loc_4EFC60

loc_4EFC08:				; CODE XREF: MiLockControlAreaSectionExtend+E02A7j
					; MiLockControlAreaSectionExtend+E02BDj ...
		mov	eax, [ebp+var_C]
		and	dword ptr [ebx+10h], 0
		mov	word ptr [ebx+0Ch], 107h
		mov	byte ptr [ebx+0Eh], 4
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [esi+2Ch]
		mov	[ebx], eax
		mov	[esi+2Ch], ebx
		test	edi, edi
		jnz	loc_5CFE97
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		test	eax, eax
		jz	short loc_4EFC40
		or	byte ptr [eax+0Eh], 1

loc_4EFC40:				; CODE XREF: MiLockControlAreaSectionExtend+72j
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4EFC57:				; CODE XREF: MiLockControlAreaSectionExtend+19j
		dec	word ptr [eax+13Ch]
		jmp	short loc_4EFBEA
; 

loc_4EFC60:				; CODE XREF: MiLockControlAreaSectionExtend+3Ej
		mov	eax, [ebx+4]
		jmp	loc_5CFE62
MiLockControlAreaSectionExtend endp


;  S U B	R O U T	I N E 


; __stdcall MiFindLastSubsection(x, x)
_MiFindLastSubsection@8	proc near	; CODE XREF: MiComputeDataFlushRange(x,x,x,x,x,x)+151p
					; MiCanFileBeTruncatedInternal+CBp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	edx, 1
		jnz	short loc_4EFC97
		mov	bl, 21h

loc_4EFC76:				; CODE XREF: MiFindLastSubsection(x,x)+3Aj
		mov	ecx, [esi+0A4h]
		xor	eax, eax
		jmp	short loc_4EFC85
; 

loc_4EFC80:				; CODE XREF: MiFindLastSubsection(x,x)+1Fj
		mov	eax, ecx
		mov	ecx, [ecx+4]

loc_4EFC85:				; CODE XREF: MiFindLastSubsection(x,x)+16j
		test	ecx, ecx
		jnz	short loc_4EFC80
		lea	edi, [eax-28h]
		cmp	bl, 21h
		jnz	short loc_4EFCA4

loc_4EFC91:				; CODE XREF: MiFindLastSubsection(x,x)+4Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4EFC97:				; CODE XREF: MiFindLastSubsection(x,x)+Aj
		lea	eax, [esi+24h]
		push	eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	bl, al
		jmp	short loc_4EFC76
; 

loc_4EFCA4:				; CODE XREF: MiFindLastSubsection(x,x)+27j
		lea	ecx, [esi+24h]
		push	ecx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4EFC91
_MiFindLastSubsection@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAppendSubsectionChain	proc near	; CODE XREF: MiExtendSection+21Ep
					; MiExtendSection+396p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005CFEDC SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_C], edx
		push	esi
		mov	esi, [edx+8]
		push	edi
		mov	eax, [ebx]
		mov	[ebp+var_8], eax
		add	eax, 24h
		push	eax
		mov	[ebp+var_10], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		xor	edi, edi
		mov	[ebp+var_1], al
		inc	edx
		cmp	[ecx+18h], edi
		jnz	short loc_4EFD41
		cmp	[esi+4], edi
		jnz	loc_5CFEDC

loc_4EFCF5:				; CODE XREF: MiAppendSubsectionChain+96j
					; MiAppendSubsectionChain+ABj ...
		mov	edx, [ebp+var_C]
		and	word ptr [ebx+12h], 0Fh
		mov	eax, [edx+18h]
		and	dword ptr [ebx+24h], 0C0000000h
		mov	[ebx+18h], eax
		mov	eax, [edx+8]
		mov	esi, eax
		mov	[ebx+8], eax
		jmp	short loc_4EFD23
; 

loc_4EFD14:				; CODE XREF: MiAppendSubsectionChain+6Dj
		push	1
		mov	edx, esi
		call	_MiInsertSubsectionNode@12 ; MiInsertSubsectionNode(x,x,x)
		mov	esi, [esi+8]
		mov	ecx, [ebp+var_8]

loc_4EFD23:				; CODE XREF: MiAppendSubsectionChain+5Aj
		test	esi, esi
		jnz	short loc_4EFD14

loc_4EFD27:				; CODE XREF: MiAppendSubsectionChain+92j
		push	[ebp+var_10]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4EFD41:				; CODE XREF: MiAppendSubsectionChain+32j
		test	[ebp+arg_0], 1
		jnz	short loc_4EFD4C
		xor	edi, edi
		inc	edi
		jmp	short loc_4EFD27
; 

loc_4EFD4C:				; CODE XREF: MiAppendSubsectionChain+8Dj
		test	esi, esi
		jz	short loc_4EFCF5
		mov	eax, 40000000h

loc_4EFD55:				; CODE XREF: MiAppendSubsectionChain+ADj
		or	[esi+12h], dx
		test	[ecx+1Ch], eax
		jnz	short loc_4EFD67

loc_4EFD5E:				; CODE XREF: MiAppendSubsectionChain+B2j
		mov	esi, [esi+8]
		test	esi, esi
		jz	short loc_4EFCF5
		jmp	short loc_4EFD55
; 

loc_4EFD67:				; CODE XREF: MiAppendSubsectionChain+A4j
		or	[esi+24h], eax
		jmp	short loc_4EFD5E
MiAppendSubsectionChain	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateLastSubsectionSize(x, x, x)
_MiUpdateLastSubsectionSize@12 proc near ; CODE	XREF: MmExtendSection+1D1p
					; MmExtendSection+3A7p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	eax, [esi]
		mov	[ebp+var_8], eax
		add	eax, 24h
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_1], al
		test	edi, edi
		jz	short loc_4EFDA7
		mov	ecx, [esi+24h]
		mov	edx, ecx
		sub	edx, edi
		xor	edx, ecx
		and	edx, 3FFFFFFFh
		xor	edx, ecx
		mov	[esi+24h], edx

loc_4EFDA7:				; CODE XREF: MiUpdateLastSubsectionSize(x,x,x)+25j
		mov	ecx, [ebx]
		mov	eax, [ebx+4]
		shrd	ecx, eax, 0Ch
		sub	ecx, [esi+14h]
		mov	[esi+18h], ecx
		mov	cx, [esi+12h]
		mov	ax, [ebx]
		and	cx, 0Fh
		shl	ax, 4
		or	cx, ax
		mov	[esi+12h], cx
		mov	esi, [ebp+var_8]
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	loc_4EFE71
		mov	eax, [esi]
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_14], eax
		mov	edx, ecx
		lea	esi, [eax+10h]
		mov	eax, ecx
		mov	[ebp+var_C], esi
		nop
		mov	ebx, ecx
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, eax
		mov	esi, edx
		mov	eax, edi
		mov	edx, 1000h
		mov	edi, [ebp+var_C]
		mul	edx
		mov	ebx, eax
		mov	eax, edx
		add	ebx, ecx
		mov	[ebp+var_8], ebx
		adc	eax, esi
		mov	[ebp+var_10], eax

loc_4EFE20:				; CODE XREF: MiUpdateLastSubsectionSize(x,x,x)+CDj
					; MiUpdateLastSubsectionSize(x,x,x)+D2j
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_C], ecx
		nop
		mov	ecx, [ebp+var_10]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_8]
		cmp	eax, esi
		jnz	short loc_4EFE20
		cmp	edx, [ebp+var_C]
		jnz	short loc_4EFE20
		mov	ebx, [ebp+var_14]
		mov	ecx, 3FFh
		movzx	esi, word ptr [ebx+8]
		mov	eax, esi
		and	eax, ecx
		xor	ecx, ecx
		or	ecx, [ebx+4]
		add	ecx, [ebp+arg_0]
		cdq
		adc	eax, 0
		mov	[ebx+4], ecx
		xor	ax, si
		mov	ecx, 3FFh
		and	ax, cx
		xor	ax, si
		mov	[ebx+8], ax

loc_4EFE71:				; CODE XREF: MiUpdateLastSubsectionSize(x,x,x)+77j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	4
_MiUpdateLastSubsectionSize@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetSubsectionBase(x, x, x)
_MiSetSubsectionBase@12	proc near	; CODE XREF: MiExtendSection+34Fp
					; MiAllocateFileExtents(x,x,x,x,x)+506p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	esi, [edi]
		lea	ebx, [esi+24h]
		push	ebx
		call	ExAcquireSpinLockExclusive
		test	byte ptr [esi+1Ch], 20h
		mov	[ebp+var_1], al
		jnz	short loc_4EFEA4
		mov	ecx, edi
		call	MiIncrementSubsectionViewCount

loc_4EFEA4:				; CODE XREF: MiSetSubsectionBase(x,x,x)+21j
		mov	eax, [ebp+var_8]
		or	word ptr [edi+10h], 1
		and	dword ptr [edi+20h], 3FFFFFFFh
		push	ebx
		mov	[edi+4], eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiSetSubsectionBase@12	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1395. MmFlushImageSection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmFlushImageSection
MmFlushImageSection proc near		; CODE XREF: MiCanFileBeTruncatedInternal+128p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005CFF07 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, offset dword_6CF3C0
		xor	ebx, ebx

loc_4EFEE2:				; CODE XREF: MmFlushImageSection+E0049j
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al
		cmp	[ebp+arg_4], ebx
		jnz	short loc_4EFF31
		mov	eax, [ebp+arg_0]
		mov	esi, [eax]
		test	esi, esi
		jz	short loc_4EFF31
		lea	edi, [esi+24h]
		push	edi
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jz	loc_5CFF07
		cmp	[esi+18h], ebx
		jnz	short loc_4EFF55
		test	byte ptr [esi+1Ch], 2
		jnz	short loc_4EFF55
		mov	ecx, [esi+40h]
		mov	eax, [esi+44h]
		cmp	eax, ebx
		jb	short loc_4EFF26
		ja	short loc_4EFF55
		cmp	ecx, 1
		ja	short loc_4EFF55

loc_4EFF26:				; CODE XREF: MmFlushImageSection+4Bj
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	edi, offset dword_6CF3C0

loc_4EFF31:				; CODE XREF: MmFlushImageSection+1Cj
					; MmFlushImageSection+25j
		mov	esi, [ebp+arg_0]
		mov	esi, [esi+8]
		test	esi, esi
		jnz	short loc_4EFF67
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	bl, 1

loc_4EFF43:				; CODE XREF: MmFlushImageSection+93j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, bl

loc_4EFF4E:				; CODE XREF: MmFlushImageSection+B8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4EFF55:				; CODE XREF: MmFlushImageSection+3Bj
					; MmFlushImageSection+41j ...
		push	offset dword_6CF3C0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	short loc_4EFF43
; 

loc_4EFF67:				; CODE XREF: MmFlushImageSection+67j
		lea	eax, [esi+24h]
		push	eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jz	loc_5CFF0C
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	dl, [ebp+var_1]
		push	ecx
		push	ebx
		mov	ecx, esi
		call	MiAttemptSectionDelete
		jmp	short loc_4EFF4E
MmFlushImageSection endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1396. MmForceSectionClosed

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmForceSectionClosed(x, x)
		public _MmForceSectionClosed@8
_MmForceSectionClosed@8	proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		cmp	[ebp+arg_4], bl
		setnz	bl
		lea	ebx, ds:1[ebx*4]
		mov	edx, ebx
		call	MiForceSectionClosed
		test	eax, eax
		jz	short loc_4EFFC0

loc_4EFFB5:				; CODE XREF: MmForceSectionClosed(x,x)+3Ej
		cmp	eax, 2
		pop	ebx
		setnz	al
		pop	ebp
		retn	8
; 

loc_4EFFC0:				; CODE XREF: MmForceSectionClosed(x,x)+21j
		mov	ecx, [ebp+arg_0]
		and	ebx, 0FFFFFFFEh
		or	ebx, 2
		mov	edx, ebx
		call	MiForceSectionClosed
		jmp	short loc_4EFFB5
_MmForceSectionClosed@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiForceSectionClosed proc near		; CODE XREF: MmForceSectionClosed(x,x)+1Ap
					; MmForceSectionClosed(x,x)+39p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005CFF20 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		mov	edi, edx
		mov	[ebp+var_4], esi
		and	edi, 1

loc_4EFFEA:				; CODE XREF: MiForceSectionClosed+DFF5Ej
		push	offset dword_6CF3C0
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		test	edi, edi
		jz	short loc_4F0051
		mov	esi, [esi]

loc_4EFFFC:				; CODE XREF: MiForceSectionClosed+82j
		test	esi, esi
		jz	short loc_4F003B
		lea	eax, [esi+24h]
		push	eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		push	offset dword_6CF3C0
		test	eax, eax
		jz	loc_5CFF20
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, [ebp+var_8]
		mov	dl, bl
		push	ecx
		and	eax, 4
		mov	ecx, esi
		push	eax
		call	MiAttemptSectionDelete
		xor	ecx, ecx
		test	al, al
		setz	cl
		lea	eax, [ecx+1]

loc_4F0036:				; CODE XREF: MiForceSectionClosed:loc_4F004Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F003B:				; CODE XREF: MiForceSectionClosed+2Cj
		push	offset dword_6CF3C0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl

loc_4F0047:				; DATA XREF: .text:005A49CEo
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax

loc_4F004F:				; DATA XREF: .text:??_C@_1BC@PIAIECI@?$AAP?$AAO?$AAS?$AAT?$AAT?$AAi?$AAm?$AAe@FNODOBFM@o
		jmp	short loc_4F0036
; 

loc_4F0051:				; CODE XREF: MiForceSectionClosed+26j
		mov	esi, [esi+8]
		jmp	short loc_4EFFFC
MiForceSectionClosed endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAttemptSectionDelete proc near	; CODE XREF: MmFlushImageSection+B3p
					; MiForceSectionClosed+55p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= word ptr -10h
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005CFF35 SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp

loc_4F005B:				; DATA XREF: .text:??_C@_1EC@POCPCOCD@?$AA?2?$AAO?$AAS?$AAD?$AAa?$AAt?$AAa?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAW?$AAi?$AAn@FNODOBFM@o
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		xor	ecx, ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_D], cl
		cmp	[esi+0Ch], ecx
		jz	short loc_4F0097

loc_4F0071:				; CODE XREF: MiAttemptSectionDelete+44j
					; MiAttemptSectionDelete+4Bj
		test	[ebp+arg_0], 4
		jz	short loc_4F007E
		or	dword ptr [esi+1Ch], 40000h

loc_4F007E:				; CODE XREF: MiAttemptSectionDelete+1Fj
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	al, al

loc_4F0091:				; CODE XREF: MiAttemptSectionDelete+78j
					; MiAttemptSectionDelete+DFF27j
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4F0097:				; CODE XREF: MiAttemptSectionDelete+19j
		cmp	[esi+14h], ecx
		jnz	short loc_4F0071
		mov	eax, [esi+1Ch]
		test	al, 2
		jnz	short loc_4F0071
		test	al, 1
		jnz	loc_5CFF35
		mov	ecx, esi
		call	_MiRemoveUnusedSegment@4 ; MiRemoveUnusedSegment(x)
		mov	eax, dword ptr [ebp+arg_0]
		mov	dl, bl
		shr	eax, 2
		mov	ecx, esi
		and	al, 1
		mov	dword ptr [esi+14h], 1
		movzx	eax, al
		push	eax
		call	MiCleanSection
		jmp	short loc_4F0091
MiAttemptSectionDelete endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1279. KeRundownQueue

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRundownQueue(x)
		public _KeRundownQueue@4
_KeRundownQueue@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		call	_KeRundownQueueEx@8 ; KeRundownQueueEx(x,x)
		pop	ebp
		retn	4
_KeRundownQueue@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopDeleteIoCompletionInternal proc near	; CODE XREF: IopDeleteIoCompletion(x)+Ap
					; IopCloseIoCompletion(x,x,x,x)+10p

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005CFF82 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		and	[esp+1Ch+var_14], 0
		xor	eax, eax
		and	[esp+1Ch+var_10], 0
		mov	[esp+1Ch+var_19], dl
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+24h+var_18], esi
		push	edi
		lea	edi, [esp+28h+var_C]
		stosd
		stosd
		stosd
		test	dl, dl
		jz	short loc_4F018D
		lea	ecx, [esi+28h]
		lea	edx, [esp+28h+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	ebx, ebx
		inc	ebx
		xor	dl, dl
		mov	[esi+2Ch], bl

loc_4F012D:				; CODE XREF: IopDeleteIoCompletionInternal+A8j
		mov	ecx, esi
		call	_KeRundownQueueEx@8 ; KeRundownQueueEx(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_4F0194

loc_4F013A:				; CODE XREF: IopDeleteIoCompletionInternal+10Cj
					; IopDeleteIoCompletionInternal+131j
		cmp	[esp+28h+var_19], 0
		jz	short loc_4F017E
		test	ds:byte_70EFC6,	1
		jnz	loc_5CFF82
		mov	eax, [esp+28h+var_C]
		test	eax, eax
		jnz	loc_5CFF9C
		mov	edx, [esp+28h+var_8]
		lea	eax, [esp+28h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+28h+var_C]
		cmp	eax, ecx
		jnz	loc_5CFF93

loc_4F0174:				; CODE XREF: IopDeleteIoCompletionInternal+DFEA4j
					; IopDeleteIoCompletionInternal+DFEC0j
		mov	cl, [esp+28h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4F017E:				; CODE XREF: IopDeleteIoCompletionInternal+55j
		test	esi, esi
		jnz	loc_4F0220

loc_4F0186:				; CODE XREF: IopDeleteIoCompletionInternal+143j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4F018D:				; CODE XREF: IopDeleteIoCompletionInternal+2Dj
		xor	ebx, ebx
		inc	ebx
		mov	dl, bl
		jmp	short loc_4F012D
; 

loc_4F0194:				; CODE XREF: IopDeleteIoCompletionInternal+4Ej
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_4F0232
		mov	[esp+28h+var_14], eax
		lea	ecx, [esp+28h+var_14]
		mov	[esp+28h+var_10], esi
		mov	[eax+4], ecx
		mov	eax, ecx
		mov	[esi], eax
		mov	esi, [esp+28h+var_14]
		cmp	esi, eax
		jz	short loc_4F01EC
		mov	edi, [esp+28h+var_18]

loc_4F01BE:				; CODE XREF: IopDeleteIoCompletionInternal+FCj
		mov	ecx, esi
		mov	esi, [esi]
		cmp	byte ptr [ecx+8], 2
		jnz	short loc_4F01E0
		mov	eax, [ecx+4]
		cmp	[esi+4], ecx
		jnz	short loc_4F0232
		cmp	[eax], ecx
		jnz	short loc_4F0232
		mov	[eax], esi
		mov	edx, edi
		mov	[esi+4], eax
		call	_IopFreeWaitCompletionPacket@8 ; IopFreeWaitCompletionPacket(x,x)

loc_4F01E0:				; CODE XREF: IopDeleteIoCompletionInternal+DCj
		lea	eax, [esp+28h+var_14]
		cmp	esi, eax
		jnz	short loc_4F01BE
		mov	esi, [esp+28h+var_14]

loc_4F01EC:				; CODE XREF: IopDeleteIoCompletionInternal+CEj
		lea	eax, [esp+28h+var_14]
		cmp	esi, eax
		jnz	short loc_4F01FB
		xor	esi, esi
		jmp	loc_4F013A
; 

loc_4F01FB:				; CODE XREF: IopDeleteIoCompletionInternal+108j
		mov	eax, [esp+28h+var_10]
		lea	ecx, [esp+28h+var_14]
		cmp	[esi+4], ecx
		jnz	short loc_4F0232
		cmp	[eax], ecx
		jnz	short loc_4F0232
		mov	[eax], esi
		mov	[esi+4], eax
		mov	eax, ecx
		mov	[esp+28h+var_10], eax
		mov	[esp+28h+var_14], eax
		jmp	loc_4F013A
; 

loc_4F0220:				; CODE XREF: IopDeleteIoCompletionInternal+96j
		mov	eax, [esi+4]
		mov	ecx, esi
		and	dword ptr [eax], 0
		call	_IopFreeCompletionListPackets@8	; IopFreeCompletionListPackets(x,x)
		jmp	loc_4F0186
; 

loc_4F0232:				; CODE XREF: IopDeleteIoCompletionInternal+AFj
					; IopDeleteIoCompletionInternal+E4j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
IopDeleteIoCompletionInternal endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRundownQueueEx(x,	x)
_KeRundownQueueEx@8 proc near		; CODE XREF: KeRundownQueue(x)+Ap
					; IopDeleteIoCompletionInternal+45p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	byte ptr [ebp+var_4], al
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	eax, [edi+10h]
		mov	esi, [eax]
		cmp	esi, eax
		jnz	short loc_4F02A0
		xor	esi, esi

loc_4F0260:				; CODE XREF: KeRundownQueueEx(x,x)+82j
		push	ebx
		push	1
		lea	eax, [edi+18h]
		mov	ecx, edi
		push	eax
		lea	edx, [edi+20h]
		call	KeRundownQueueCommon
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		test	bl, bl
		jz	short loc_4F0284
		mov	ecx, edi
		call	_KiAcquireReleaseObjectRundownLockExclusive@4 ;	KiAcquireReleaseObjectRundownLockExclusive(x)

loc_4F0284:				; CODE XREF: KeRundownQueueEx(x,x)+43j
		push	[ebp+var_4]
		mov	ecx, large fs:20h
		xor	edx, edx
		push	0
		push	1
		call	KiExitDispatcher
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F02A0:				; CODE XREF: KeRundownQueueEx(x,x)+24j
		and	dword ptr [edi+4], 0
		mov	ecx, [eax+4]
		cmp	[esi+4], eax
		jnz	short loc_4F02BC
		cmp	[ecx], eax
		jnz	short loc_4F02BC
		mov	[ecx], esi
		mov	[esi+4], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		jmp	short loc_4F0260
; 

loc_4F02BC:				; CODE XREF: KeRundownQueueEx(x,x)+72j
					; KeRundownQueueEx(x,x)+76j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_KeRundownQueueEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeRundownQueueCommon proc near		; CODE XREF: KeRundownQueueEx(x,x)+34p
					; KeRundownPriQueue(x)+2Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005CFFAF SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		lock bts dword ptr [edx], 8
		cmp	[ebp+arg_8], 0
		jz	short loc_4F0302

loc_4F02DE:				; CODE XREF: KeRundownQueueCommon+132j
		mov	esi, [ebx]
		cmp	esi, ebx
		jnz	loc_4F03C0
		xor	eax, eax
		cmp	[ebp+arg_4], eax
		jbe	short loc_4F02FF
		mov	ecx, [ebp+arg_0]

loc_4F02F2:				; CODE XREF: KeRundownQueueCommon+3Bj
		mov	dword ptr [ecx+eax*4], 0
		inc	eax
		cmp	eax, [ebp+arg_4]
		jb	short loc_4F02F2

loc_4F02FF:				; CODE XREF: KeRundownQueueCommon+2Bj
		mov	edx, [ebp+var_4]

loc_4F0302:				; CODE XREF: KeRundownQueueCommon+1Aj
		mov	ecx, large fs:20h
		lea	edi, [edx+8]
		mov	eax, [edi]
		mov	[ebp+var_4], ecx
		cmp	eax, edi
		jnz	short loc_4F0321

loc_4F0315:				; CODE XREF: KeRundownQueueCommon+153j
		mov	[edi+4], edi
		mov	[edi], edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4F0321:				; CODE XREF: KeRundownQueueCommon+51j
					; KeRundownQueueCommon+15Cj
		mov	esi, eax
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		mov	al, [esi+8]
		cmp	al, 1
		jz	loc_5CFFAF
		cmp	al, 2
		jnz	loc_5CFFB8
		mov	byte ptr [esi+9], 5
		mov	ebx, [esi+0Ch]
		and	dword ptr [esi], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+arg_4], eax
		mov	eax, [eax+4]
		mov	dword ptr [ebp+arg_8], eax
		jz	short loc_4F037B
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, dword ptr [ebp+arg_8]
		mov	edx, esi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_4F037B:				; CODE XREF: KeRundownQueueCommon+A2j
		mov	ecx, ebx
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	ecx, [ebx+8]
		cmp	[ecx], ecx
		jz	short loc_4F03A7
		mov	eax, [ebx+18h]
		cmp	eax, [ebx+1Ch]
		jnb	short loc_4F03A7
		mov	edx, dword ptr [ebp+arg_8]
		mov	eax, [edx+0A4h]
		cmp	eax, ebx
		jnz	short loc_4F03F9
		cmp	byte ptr [edx+18Bh], 0Fh
		jnz	short loc_4F03F9

loc_4F03A7:				; CODE XREF: KeRundownQueueCommon+C5j
					; KeRundownQueueCommon+CDj ...
		mov	eax, [ebx+4]
		mov	dword ptr [ebp+arg_8], eax
		inc	eax
		mov	[ebx+4], eax
		lea	eax, [ebx+10h]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jz	short loc_4F0423

loc_4F03BB:				; CODE XREF: KeRundownQueueCommon+106j
					; KeRundownQueueCommon+10Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4F03C0:				; CODE XREF: KeRundownQueueCommon+20j
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_4F03BB
		cmp	[eax], esi
		jnz	short loc_4F03BB
		and	[ebp+var_8], 0
		lea	edi, [esi-114h]
		mov	[eax], ecx
		mov	[ecx+4], eax

loc_4F03DD:				; CODE XREF: KeRundownQueueCommon+18Dj
		lock bts dword ptr [edi], 0
		jb	short loc_4F0443
		mov	dword ptr [esi-9Ch], 0
		mov	dword ptr [edi], 0
		jmp	loc_4F02DE
; 

loc_4F03F9:				; CODE XREF: KeRundownQueueCommon+DAj
					; KeRundownQueueCommon+E3j
		mov	ecx, [ebp+arg_4]
		mov	edx, ebx
		push	esi
		call	KiWakeQueueWaiter
		test	al, al
		jz	short loc_4F0453

loc_4F0408:				; CODE XREF: KeRundownQueueCommon+16Fj
					; KeRundownQueueCommon+173j ...
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax

loc_4F0410:				; CODE XREF: KeRundownQueueCommon+DFD04j
		mov	eax, [ebp+arg_0]
		cmp	eax, edi
		jz	loc_4F0315
		mov	ecx, [ebp+var_4]
		jmp	loc_4F0321
; 

loc_4F0423:				; CODE XREF: KeRundownQueueCommon+F7j
		cmp	dword ptr [ebp+arg_8], 0
		mov	[esi], eax
		mov	[esi+4], edx
		mov	[edx], esi
		mov	[eax+4], esi
		jnz	short loc_4F0408
		cmp	[ecx], ecx
		jz	short loc_4F0408
		mov	ecx, [ebp+arg_4]
		mov	edx, ebx
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		jmp	short loc_4F0408
; 

loc_4F0443:				; CODE XREF: KeRundownQueueCommon+120j
					; KeRundownQueueCommon+18Fj
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_4F03DD
		jmp	short loc_4F0443
; 

loc_4F0453:				; CODE XREF: KeRundownQueueCommon+144j
		lea	ecx, [ebx+8]
		jmp	loc_4F03A7
KeRundownQueueCommon endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFreeWaitCompletionPacket(x, x)
_IopFreeWaitCompletionPacket@8 proc near ; CODE	XREF: IopDeleteIoCompletionInternal+F1p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+28h]
		lea	esi, [eax+30h]
		mov	ecx, esi
		mov	[ebp+var_4], eax
		mov	ebx, edx
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	ecx, [ebp+var_4]
		mov	dl, al
		and	dword ptr [ecx+2Ch], 0
		mov	byte ptr [ecx+34h], 0
		mov	ecx, esi
		call	KfReleaseSpinLock
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopFreeWaitCompletionPacket@8 endp


;  S U B	R O U T	I N E 


IopDropIrp	proc near		; CODE XREF: IopInsertIrpInCompletionQueue+1C7p
					; .text:005251B8p ...

; FUNCTION CHUNK AT 005CFFCB SIZE 0000001C BYTES

		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		test	byte ptr [edi+8], 20h
		jz	short loc_4F04C0
		push	0
		push	dword ptr [edi+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4F04C0:				; CODE XREF: IopDropIrp+Cj
		mov	eax, [edi+4]
		test	eax, eax
		jnz	short loc_4F0520

loc_4F04C7:				; CODE XREF: IopDropIrp+88j
		mov	ecx, [edi+2Ch]
		test	ecx, ecx
		jnz	loc_5CFFCB

loc_4F04D2:				; CODE XREF: IopDropIrp+DFB25j
					; IopDropIrp+DFB2Fj ...
		mov	eax, [edi+8]
		test	eax, 2000h
		jz	short loc_4F04E8
		mov	edx, ebx
		mov	ecx, edi
		call	IopDequeueIrpFromFileObject
		mov	eax, [edi+8]

loc_4F04E8:				; CODE XREF: IopDropIrp+32j
		mov	ecx, eax
		test	ebx, ebx
		jz	short loc_4F0500
		test	al, al
		js	short loc_4F0500
		xor	edx, edx
		push	ecx
		inc	edx
		mov	ecx, ebx
		call	ObDereferenceObjectExWithTag
		mov	ecx, [edi+8]

loc_4F0500:				; CODE XREF: IopDropIrp+44j
					; IopDropIrp+48j
		test	ecx, 8000h
		jz	short loc_4F0517
		lea	ecx, [edi+30h]
		or	edx, 0FFFFFFFFh
		call	IopInterlockedAdd
		test	eax, eax
		jnz	short loc_4F051D

loc_4F0517:				; CODE XREF: IopDropIrp+5Ej
		push	edi
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_4F051D:				; CODE XREF: IopDropIrp+6Dj
		pop	edi
		pop	ebx
		retn
; 

loc_4F0520:				; CODE XREF: IopDropIrp+1Dj
		push	esi

loc_4F0521:				; CODE XREF: IopDropIrp+85j
		mov	esi, [eax]
		push	eax
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_4F0521
		pop	esi
		jmp	short loc_4F04C7
IopDropIrp	endp

; 
		align 10h

IopDequeueIrpFromFileObject:		; CODE XREF: IopDropIrp+38p
					; .text:00522C07p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	esi, 70h
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [edi+10h]
		lea	edx, [edi+10h]
		mov	ecx, [edx+4]
		cmp	[eax+4], edx
		jnz	short loc_4F05B8
		cmp	[ecx], edx
		jnz	short loc_4F05B8
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, [edi+30h]
		mov	[edx+4], edx
		and	ecx, 0FFFFFFFCh
		mov	[edx], edx
		mov	edx, 70436F49h
		call	ObfDereferenceObjectWithTag
		mov	eax, [edi+8]
		and	eax, 0FFFFDFFFh
		or	eax, 8000h
		mov	[edi+8], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5CFFE7
		xor	eax, eax
		lock and [esi],	eax

loc_4F05AC:				; CODE XREF: .text:005CFFF1j
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_4F05B8:				; CODE XREF: .text:004F056Aj
					; .text:004F056Ej
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		dd 4 dup(0CCCCCCCCh)
; Exported entry 994. IoSetIoPriorityHint

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetIoPriorityHint(x, x)
		public _IoSetIoPriorityHint@8
_IoSetIoPriorityHint@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		cmp	eax, 5
		jnb	short loc_4F05F9
		mov	edx, [ebp+arg_0]
		lea	ecx, [eax+1]
		shl	ecx, 11h
		mov	eax, [edx+8]
		and	eax, 0FFF1FFFFh
		or	ecx, eax
		xor	eax, eax
		mov	[edx+8], ecx

loc_4F05F5:				; CODE XREF: IoSetIoPriorityHint(x,x)+2Ej
		pop	ebp
		retn	8
; 

loc_4F05F9:				; CODE XREF: IoSetIoPriorityHint(x,x)+Bj
		mov	eax, 0C000000Dh
		jmp	short loc_4F05F5
_IoSetIoPriorityHint@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlULongPtrSub(x, x, x)
_RtlULongPtrSub@12 proc	near		; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+CFp
					; IopFillTriageDumpDataBlocks(x,x,x,x)+9Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		cmp	ecx, edx
		jb	short loc_4F0621
		mov	esi, ecx
		sub	esi, edx

loc_4F060E:				; CODE XREF: RtlULongPtrSub(x,x,x)+24j
		cmp	ecx, edx
		mov	ecx, [ebp+arg_0]
		sbb	eax, eax
		and	eax, 0C0000095h
		mov	[ecx], esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4F0621:				; CODE XREF: RtlULongPtrSub(x,x,x)+8j
		or	esi, 0FFFFFFFFh
		jmp	short loc_4F060E
_RtlULongPtrSub@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


sub_4F0630	proc near		; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+5B2p
					; IopTrackLink+C5p ...

; FUNCTION CHUNK AT 005CFFF6 SIZE 00000060 BYTES

		cmp	_ViVerifierEnabled, 0
		jnz	loc_5CFFF6

loc_4F063D:				; CODE XREF: sub_4F0630+DF9D9j
		push	20206F49h
		push	edx
		push	ecx
		call	ExAllocatePoolWithQuotaTag

locret_4F0649:				; CODE XREF: sub_4F0630+DF9FBj
		retn
sub_4F0630	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsValidProcessTrustLabelSid(x)
_RtlIsValidProcessTrustLabelSid@4 proc near
					; CODE XREF: SepReconcileTrustSidWithProcessProtection(x,x,x,x)+33p
					; SepReconcileTrustSidWithProcessProtection(x,x,x,x)+40p ...

var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], 1300h
		cmp	byte ptr [esi+1], 2
		jnz	short loc_4F06E1
		cmp	byte ptr [esi],	1
		jnz	short loc_4F06E1
		mov	ecx, [esi+2]
		lea	edx, [esi+2]
		lea	eax, [ebp+var_C]
		push	edi
		mov	edi, 2
		cmp	ecx, [eax]
		jnz	short loc_4F069B
		add	edx, 4
		mov	edi, 0FFFFFFFEh
		add	eax, 4

loc_4F069B:				; CODE XREF: RtlIsValidProcessTrustLabelSid(x)+3Ej
		mov	cl, [edx]
		cmp	cl, [eax]
		jnz	short loc_4F06E5
		mov	cl, [edx+1]
		cmp	cl, [eax+1]
		jnz	short loc_4F06E5
		cmp	edi, 0FFFFFFFEh
		jz	short loc_4F06BE
		mov	cl, [edx+2]
		cmp	cl, [eax+2]
		jnz	short loc_4F06E5
		mov	cl, [edx+3]
		cmp	cl, [eax+3]
		jnz	short loc_4F06E5

loc_4F06BE:				; CODE XREF: RtlIsValidProcessTrustLabelSid(x)+5Cj
		xor	eax, eax

loc_4F06C0:				; CODE XREF: RtlIsValidProcessTrustLabelSid(x)+9Aj
		pop	edi
		test	eax, eax
		jnz	short loc_4F06E1
		cmp	[esi+8], eax
		jz	short loc_4F06DB

loc_4F06CA:				; CODE XREF: RtlIsValidProcessTrustLabelSid(x)+8Fj
		mov	al, 1

loc_4F06CC:				; CODE XREF: RtlIsValidProcessTrustLabelSid(x)+93j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4F06DB:				; CODE XREF: RtlIsValidProcessTrustLabelSid(x)+78j
		cmp	dword ptr [esi+0Ch], 0
		jz	short loc_4F06CA

loc_4F06E1:				; CODE XREF: RtlIsValidProcessTrustLabelSid(x)+26j
					; RtlIsValidProcessTrustLabelSid(x)+2Bj ...
		xor	al, al
		jmp	short loc_4F06CC
; 

loc_4F06E5:				; CODE XREF: RtlIsValidProcessTrustLabelSid(x)+4Fj
					; RtlIsValidProcessTrustLabelSid(x)+57j ...
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_4F06C0
_RtlIsValidProcessTrustLabelSid@4 endp

; 

; __stdcall RtlpTreeDoubleRotateNodes(x, x, x, x, x)
_RtlpTreeDoubleRotateNodes@20:		; CODE XREF: .text:0047017Ap
					; RtlAvlInsertNodeEx(x,x,x,x)+108p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+8]
		mov	[ebp-8], ecx
		mov	ecx, [ebp+0Ch]
		mov	esi, [edi]
		test	ecx, ecx
		jnz	short loc_4F0708
		mov	esi, [edi+4]

loc_4F0708:				; CODE XREF: .text:004F0703j
		mov	eax, [esi+8]
		and	eax, 0FFFFFFFCh
		cmp	eax, edi
		jnz	loc_4F0813
		mov	ebx, ecx
		xor	ebx, 1
		cmp	[edi+ebx*4], esi
		jnz	loc_4F0813
		cmp	[edx+ecx*4], edi
		jnz	loc_4F0813
		mov	eax, [edi+8]
		and	eax, 0FFFFFFFCh
		cmp	eax, edx
		jnz	loc_4F0813
		mov	[edx+ecx*4], esi
		mov	eax, [esi+8]
		and	eax, 3
		or	eax, edx
		mov	[esi+8], eax
		mov	eax, [esi+ecx*4]
		mov	[ebp+8], eax
		test	eax, eax
		jnz	short loc_4F07C4

loc_4F0753:				; CODE XREF: .text:004F07E5j
		mov	[edi+ebx*4], eax
		mov	[esi+ecx*4], edi
		mov	eax, [edi+8]
		and	eax, 3
		or	eax, esi
		mov	[edi+8], eax
		mov	eax, [esi+8]
		and	eax, 0FFFFFFFCh
		cmp	eax, edx
		jnz	loc_4F0813
		mov	eax, ebx
		xor	eax, 1
		mov	[ebp+0Ch], eax
		mov	eax, [edx+eax*4]
		cmp	eax, esi
		jnz	loc_4F0813
		mov	ecx, [edx+8]
		and	ecx, 0FFFFFFFCh
		jz	short loc_4F0808
		cmp	[ecx+4], edx
		jnz	short loc_4F0800
		mov	[ecx+4], esi

loc_4F0795:				; CODE XREF: .text:004F0806j
					; .text:004F0811j
		mov	eax, [esi+8]
		and	eax, 3
		or	eax, ecx
		mov	[esi+8], eax
		mov	edi, [esi+ebx*4]
		test	edi, edi
		jnz	short loc_4F07EA

loc_4F07A7:				; CODE XREF: .text:004F07FEj
		mov	eax, [ebp+0Ch]
		mov	[edx+eax*4], edi
		mov	eax, esi
		mov	[esi+ebx*4], edx
		mov	ecx, [edx+8]
		and	ecx, 3
		pop	edi
		or	ecx, esi
		pop	esi
		mov	[edx+8], ecx
		pop	ebx
		leave
		retn	0Ch
; 

loc_4F07C4:				; CODE XREF: .text:004F0751j
		mov	eax, [eax+8]
		mov	[ebp-4], eax
		and	eax, 0FFFFFFFCh
		cmp	eax, esi
		jnz	short loc_4F0813
		mov	eax, [ebp-4]
		mov	ecx, [ebp+8]
		and	eax, 3
		or	eax, edi
		mov	[ecx+8], eax
		mov	ecx, [ebp+0Ch]
		mov	eax, [ebp+8]
		jmp	loc_4F0753
; 

loc_4F07EA:				; CODE XREF: .text:004F07A5j
		mov	ecx, [edi+8]
		mov	eax, ecx
		and	eax, 0FFFFFFFCh
		cmp	eax, esi
		jnz	short loc_4F0813
		and	ecx, 3
		or	ecx, edx
		mov	[edi+8], ecx
		jmp	short loc_4F07A7
; 

loc_4F0800:				; CODE XREF: .text:004F0790j
		cmp	[ecx], edx
		jnz	short loc_4F0813
		mov	[ecx], esi
		jmp	short loc_4F0795
; 

loc_4F0808:				; CODE XREF: .text:004F078Bj
		mov	eax, [ebp-8]
		cmp	[eax], edx
		jnz	short loc_4F0813
		mov	[eax], esi
		jmp	short loc_4F0795
; 

loc_4F0813:				; CODE XREF: .text:004F0710j
					; .text:004F071Ej ...
		push	1Dh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 2 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_4F0820	proc near		; CODE XREF: PAGE:0081D979p
					; IopSetEaOrQuotaInformationFile(x,x,x,x,x)+338p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		test	dl, dl
		jz	short loc_4F0831
		mov	dl, 1

loc_4F0831:				; CODE XREF: sub_4F0820+Dj
		test	eax, eax
		jz	short loc_4F083A
		mov	eax, 1

loc_4F083A:				; CODE XREF: sub_4F0820+13j
		push	eax
		call	_MiProbeAndLockPages@12	; MiProbeAndLockPages(x,x,x)
		test	byte ptr ds:_MmTrackLockedPages, 1
		jnz	loc_5D003C

loc_4F084D:				; CODE XREF: sub_4F0630+DFA21j
		pop	esi
		pop	ebp
		retn	0Ch
sub_4F0820	endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiComparePteProtections(x, x, x, x,	x)
_MiComparePteProtections@20 proc near	; CODE XREF: MiCheckSecuredVad+EFp
					; MiSecureVad(x,x,x,x,x,x)+39p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+24h+var_10], ecx
		mov	[esp+24h+var_C], esi
		mov	[esp+24h+var_14], esi
		mov	[esp+24h+var_18], esi
		mov	[esp+24h+var_4], esi
		mov	[esp+24h+var_8], esi
		mov	ebx, [eax+80h]
		push	edi
		mov	edi, edx
		lea	ecx, [ebx+240h]
		call	MiLockWorkingSetShared
		mov	byte ptr [esp+28h+var_1C], al
		cmp	edi, [ebp+arg_0]
		ja	short loc_4F08FD

loc_4F089C:				; CODE XREF: MiComparePteProtections(x,x,x,x,x)+A5j
		mov	edx, [ebp+arg_0]
		lea	eax, [esp+28h+var_14]
		push	eax
		lea	eax, [esp+2Ch+var_C]
		mov	ecx, edi
		push	eax
		lea	eax, [esp+30h+var_8]
		push	eax
		lea	eax, [esp+34h+var_4]
		push	eax
		lea	eax, [esp+38h+var_18]
		push	eax
		push	esi
		push	[esp+40h+var_10]
		push	[esp+44h+var_1C]
		call	_MiQueryAddressState@40	; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [esp+28h+var_18]
		test	ecx, ecx
		jz	short loc_4F0926

loc_4F08D0:				; CODE XREF: MiComparePteProtections(x,x,x,x,x)+EBj
		cmp	[ebp+arg_8], 1
		jz	short loc_4F091A
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_4F091F
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jz	short loc_4F091F
		cmp	[ebp+arg_4], 1
		jnz	short loc_4F0915
		test	cl, 7

loc_4F08EE:				; CODE XREF: MiComparePteProtections(x,x,x,x,x)+C6j
		jz	short loc_4F091F

loc_4F08F0:				; CODE XREF: MiComparePteProtections(x,x,x,x,x)+CBj
		mov	edi, [esp+28h+var_C]
		cmp	edi, [ebp+arg_0]
		jbe	short loc_4F089C

loc_4F08F9:				; CODE XREF: MiComparePteProtections(x,x,x,x,x)+D2j
		mov	al, byte ptr [esp+28h+var_1C]

loc_4F08FD:				; CODE XREF: MiComparePteProtections(x,x,x,x,x)+48j
		mov	dl, al
		lea	ecx, [ebx+240h]
		call	MiUnlockWorkingSetShared
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4F0915:				; CODE XREF: MiComparePteProtections(x,x,x,x,x)+97j
		test	cl, 4
		jmp	short loc_4F08EE
; 

loc_4F091A:				; CODE XREF: MiComparePteProtections(x,x,x,x,x)+82j
		cmp	ecx, [ebp+arg_4]
		jz	short loc_4F08F0

loc_4F091F:				; CODE XREF: MiComparePteProtections(x,x,x,x,x)+87j
					; MiComparePteProtections(x,x,x,x,x)+91j ...
		mov	esi, 0C0000045h
		jmp	short loc_4F08F9
; 

loc_4F0926:				; CODE XREF: MiComparePteProtections(x,x,x,x,x)+7Cj
		cmp	[esp+28h+var_14], esi
		jnz	short loc_4F091F
		mov	eax, [esp+28h+var_10]
		mov	ecx, [eax+1Ch]
		shr	ecx, 7
		and	ecx, 1Fh
		mov	[esp+28h+var_18], ecx
		jnz	short loc_4F08D0
		jmp	short loc_4F091F
_MiComparePteProtections@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAccessCheck	proc near		; CODE XREF: MiDispatchFault+3FAp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005D0056 SIZE 00000193 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		cmp	byte ptr [ebp+arg_0], 1
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		jz	loc_5D0056

loc_4F0967:				; CODE XREF: MiAccessCheck+DF72Cj
		mov	ebx, [edi]
		nop
		mov	eax, [edi+4]
		mov	[ebp+arg_0], eax
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jnz	loc_5D0081
		test	edx, edx
		jz	short loc_4F0985
		lea	edx, [eax+1]

loc_4F0985:				; CODE XREF: MiAccessCheck+30j
		mov	esi, [ebp+arg_4]
		mov	eax, esi
		and	eax, 7
		movsx	ecx, ds:_MiReadWrite[eax]
		movsx	eax, dl
		sub	ecx, eax
		cmp	ecx, 0Ah
		jl	short loc_4F09B7
		mov	eax, esi
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jz	loc_5D00AC

loc_4F09AC:				; CODE XREF: MiAccessCheck+DF733j
					; MiAccessCheck+DF743j	...
		xor	eax, eax

loc_4F09AE:				; CODE XREF: MiAccessCheck+6Cj
					; MiAccessCheck+DF894j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4F09B7:				; CODE XREF: MiAccessCheck+4Cj
					; MiAccessCheck+DF71Aj	...
		mov	eax, 0C0000005h
		jmp	short loc_4F09AE
MiAccessCheck	endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2187. RtlIntersectBitMaps

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIntersectBitMaps
RtlIntersectBitMaps proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D01E9 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ecx, [esi]
		mov	eax, [edi]
		cmp	ecx, eax
		jb	short loc_4F09E7
		mov	ecx, eax

loc_4F09E7:				; CODE XREF: RtlIntersectBitMaps+13j
		test	ecx, ecx
		jz	short loc_4F0A0B
		push	ebx
		xor	ebx, ebx
		mov	edi, edi

loc_4F09F0:				; CODE XREF: RtlIntersectBitMaps+DF828j
		mov	eax, [edi+4]
		cmp	ecx, 20h
		jnb	loc_5D01E9
		mov	esi, [esi+4]
		or	edx, 0FFFFFFFFh
		shl	edx, cl
		or	edx, [ebx+eax]
		and	[esi+ebx], edx

loc_4F0A0A:				; CODE XREF: RtlIntersectBitMaps+DF82Ej
		pop	ebx

loc_4F0A0B:				; CODE XREF: RtlIntersectBitMaps+19j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
RtlIntersectBitMaps endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVsFreeChunkRemove(x, x, x)
_RtlpHpVsFreeChunkRemove@12 proc near	; CODE XREF: RtlpHpVsChunkSplit+98Ap
					; RtlpHpVsChunkCoalesce(x,x,x,x)+2F3p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], 0
		lea	eax, [esi+4]
		mov	[ebp+var_C], 0
		push	eax
		lea	eax, [ecx+8]
		push	eax
		call	RtlRbRemoveNode
		lea	eax, [ebp+var_10]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+arg_0]
		mov	ecx, esi
		push	eax
		call	_RtlpHpVsChunkComputeCost@16 ; RtlpHpVsChunkComputeCost(x,x,x,x)
		mov	edx, [ebp+var_10]
		mov	ebx, [ebp+var_C]
		not	edx
		movzx	eax, dl
		not	ebx
		shr	edx, 8
		pop	edi
		pop	esi
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		mov	[ebp+var_4], edx
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	byte ptr [ebp+arg_0+3],	cl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		pop	ebx
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_4]
		add	cl, dl
		movzx	edx, cl
		mov	ecx, eax
		shr	ecx, 8
		movzx	eax, al
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, byte ptr [ebp+arg_0+3]
		movzx	eax, cl
		add	edx, eax
		mov	eax, [ebp+var_8]
		sub	[eax+1Ch], edx
		mov	esp, ebp
		pop	ebp
		retn	4
_RtlpHpVsFreeChunkRemove@12 endp

; 
		align 10h
; Exported entry 492. FsRtlCheckOplock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlCheckOplock(x,	x, x, x, x)
		public _FsRtlCheckOplock@20
_FsRtlCheckOplock@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ecx, esi
		push	ebx
		mov	edx, edi
		call	FsRtlpOplockStoreKeyForDeleteOperation
		cmp	[esi], ebx
		jnz	short loc_4F0B22
		test	edi, edi
		jz	short loc_4F0B19
		mov	eax, [edi+60h]
		cmp	[eax], bl
		jz	short loc_4F0B22

loc_4F0B19:				; CODE XREF: FsRtlCheckOplock(x,x,x,x,x)+20j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	14h
; 

loc_4F0B22:				; CODE XREF: FsRtlCheckOplock(x,x,x,x,x)+1Cj
					; FsRtlCheckOplock(x,x,x,x,x)+27j
		mov	eax, [edi+60h]
		cmp	[eax], bl
		jnz	short loc_4F0B3B
		mov	eax, [eax+8]
		mov	ebx, eax
		shr	ebx, 8
		and	ebx, 1
		test	eax, 10000h
		jnz	short loc_4F0B5D

loc_4F0B3B:				; CODE XREF: FsRtlCheckOplock(x,x,x,x,x)+37j
					; FsRtlCheckOplock(x,x,x,x,x)+73j
		push	0
		push	0
		push	0
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	0
		push	ebx
		push	edi
		push	esi
		call	FsRtlCheckOplockEx2
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
; 

loc_4F0B5D:				; CODE XREF: FsRtlCheckOplock(x,x,x,x,x)+49j
		or	ebx, 10000000h
		jmp	short loc_4F0B3B
_FsRtlCheckOplock@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAddToReservationCluster proc near	; CODE XREF: MiBuildReservationCluster(x,x,x,x)+830p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D0203 SIZE 00000127 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		movzx	eax, word ptr [ecx+74h]
		and	eax, 0Fh
		mov	[ebp+var_1C], edx
		mov	edx, [ecx+90h]
		xor	ecx, ecx
		imul	eax, 14h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		mov	[ebp+var_24], eax
		mov	[ebp+var_4], ecx
		cmp	[ebp+arg_0], ecx
		jz	loc_4F0CCC
		mov	ebx, [ebp+arg_4]

loc_4F0B9B:				; CODE XREF: MiAddToReservationCluster+133j
		mov	eax, [eax+edx+748h]
		mov	[ebp+var_20], eax
		cmp	eax, offset loc_7FFFFF
		jz	loc_4F0CCC
		imul	edi, eax, 1Ch
		xor	esi, esi
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		mov	[ebp+var_8], edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edi, [ebp+var_24]
		mov	cl, al
		mov	edx, [ebp+var_10]
		mov	eax, [ebp+var_20]
		mov	byte ptr [ebp+arg_4+3],	cl
		cmp	eax, [edi+edx+748h]
		mov	edi, [ebp+var_8]
		jnz	loc_5D0203
		mov	eax, [edi+8]
		mov	edx, dword_6D0700
		mov	ecx, [edi+0Ch]
		mov	[ebp+var_C], eax
		mov	eax, dword_6D0704
		mov	[ebp+var_14], eax
		mov	eax, edx
		or	eax, [ebp+var_14]
		mov	[ebp+var_18], ecx
		jz	short loc_4F0C1D
		mov	eax, [ebp+var_C]
		and	eax, 10h
		or	eax, esi
		jnz	short loc_4F0C1D
		mov	eax, [ebp+var_14]
		not	edx
		and	[ebp+var_C], edx
		not	eax
		and	ecx, eax
		mov	[ebp+var_18], ecx

loc_4F0C1D:				; CODE XREF: MiAddToReservationCluster+9Cj
					; MiAddToReservationCluster+A6j
		cmp	ecx, ebx
		jnz	short loc_4F0C9E

loc_4F0C21:				; CODE XREF: MiAddToReservationCluster+DF6D8j
		mov	eax, [ebp+var_1C]
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+4]
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jnz	loc_5D031A
		test	esi, esi
		jnz	loc_5D0243

loc_4F0C44:				; CODE XREF: MiAddToReservationCluster+DF77Ej
		xor	edx, edx
		mov	ecx, edi
		call	MiReferencePageForModifiedWrite
		mov	[ebp+var_18], eax
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_4]
		test	edx, edx
		jz	short loc_4F0CCC
		mov	edi, [ebp+arg_8]
		test	esi, esi
		jnz	loc_5D02F5

loc_4F0C79:				; CODE XREF: MiAddToReservationCluster+DF79Aj
					; MiAddToReservationCluster+DF7AFj
		mov	eax, [ebp+var_20]
		mov	[edi], eax
		add	edi, 4
		inc	ecx
		mov	[ebp+arg_8], edi
		inc	ebx
		mov	[ebp+var_4], ecx
		cmp	edx, 3
		jz	short loc_4F0CD5

loc_4F0C8E:				; CODE XREF: MiAddToReservationCluster+174j
					; MiAddToReservationCluster+DF6B1j
		cmp	ecx, [ebp+arg_0]
		jz	short loc_4F0CCC
		mov	edx, [ebp+var_10]
		mov	eax, [ebp+var_24]
		jmp	loc_4F0B9B
; 

loc_4F0C9E:				; CODE XREF: MiAddToReservationCluster+B9j
		mov	esi, ecx
		lea	edx, [edi+8]
		mov	ecx, [ebp+var_10]
		sub	esi, ebx
		call	_MI_IS_PTE_IN_WS_SWAP_SET@8 ; MI_IS_PTE_IN_WS_SWAP_SET(x,x)
		test	eax, eax
		jnz	loc_5D021C

loc_4F0CB5:				; CODE XREF: MiAddToReservationCluster+DF6BBj
					; MiAddToReservationCluster+DF6C4j ...
		lea	eax, [edi+10h]

loc_4F0CB8:				; CODE XREF: MiAddToReservationCluster+DF78Aj
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_4F0CC0:				; CODE XREF: MiAddToReservationCluster+DF7BFj
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_4]

loc_4F0CCC:				; CODE XREF: MiAddToReservationCluster+2Cj
					; MiAddToReservationCluster+44j ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	10h
; 

loc_4F0CD5:				; CODE XREF: MiAddToReservationCluster+126j
		cmp	ecx, 10h
		jnb	short loc_4F0CCC
		jmp	short loc_4F0C8E
MiAddToReservationCluster endp


;  S U B	R O U T	I N E 


; __stdcall MI_IS_PTE_IN_WS_SWAP_SET(x,	x)
_MI_IS_PTE_IN_WS_SWAP_SET@8 proc near	; CODE XREF: .text:004733D8p
					; MiWriteCompletePfn+F7p ...
		mov	edi, edi
		push	ebx
		mov	ebx, [edx]
		push	esi
		mov	esi, [edx+4]
		mov	edx, ebx
		mov	eax, esi
		shrd	edx, eax, 0Ch
		and	edx, 0Fh
		mov	eax, [ecx+edx*4+0F54h]
		movzx	eax, word ptr [eax+74h]
		test	al, 10h
		jnz	short loc_4F0D17
		shrd	ebx, esi, 1
		push	5
		test	bl, 1
		pop	edx
		setnz	cl
		bt	ax, dx
		setb	al
		test	cl, al
		jz	short loc_4F0D1D

loc_4F0D17:				; CODE XREF: MI_IS_PTE_IN_WS_SWAP_SET(x,x)+21j
		xor	eax, eax
		inc	eax

loc_4F0D1A:				; CODE XREF: MI_IS_PTE_IN_WS_SWAP_SET(x,x)+43j
		pop	esi
		pop	ebx
		retn
; 

loc_4F0D1D:				; CODE XREF: MI_IS_PTE_IN_WS_SWAP_SET(x,x)+39j
		xor	eax, eax
		jmp	short loc_4F0D1A
_MI_IS_PTE_IN_WS_SWAP_SET@8 endp

; 
		align 10h
; Exported entry 1219. KeQueryDpcWatchdogInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryDpcWatchdogInformation(x)
		public _KeQueryDpcWatchdogInformation@4
_KeQueryDpcWatchdogInformation@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, large fs:20h
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jb	short loc_4F0D8C
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		mov	[eax+0Ch], ecx
		mov	[eax+10h], ecx
		mov	ecx, [esi+4D0h]
		test	ecx, ecx
		jz	short loc_4F0D6F
		mov	[eax], ecx
		sub	ecx, [esi+4B0h]
		mov	[eax+4], ecx

loc_4F0D6F:				; CODE XREF: KeQueryDpcWatchdogInformation(x)+32j
		mov	ecx, [esi+3B08h]
		test	ecx, ecx
		jz	short loc_4F0D85
		mov	[eax+8], ecx
		sub	ecx, [esi+3B0Ch]
		mov	[eax+0Ch], ecx

loc_4F0D85:				; CODE XREF: KeQueryDpcWatchdogInformation(x)+47j
		xor	eax, eax

loc_4F0D87:				; CODE XREF: KeQueryDpcWatchdogInformation(x)+61j
		pop	esi
		pop	ebp
		retn	4
; 

loc_4F0D8C:				; CODE XREF: KeQueryDpcWatchdogInformation(x)+15j
		mov	eax, 0C0000001h
		jmp	short loc_4F0D87
_KeQueryDpcWatchdogInformation@4 endp

; 
		align 10h
; Exported entry 1844. PsIsCurrentThreadPrefetching

;  S U B	R O U T	I N E 


; __stdcall PsIsCurrentThreadPrefetching()
		public _PsIsCurrentThreadPrefetching@0
_PsIsCurrentThreadPrefetching@0	proc near
					; CODE XREF: MiShareExistingControlArea:loc_78C073p
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+122p
		mov	eax, large fs:124h
		mov	al, [eax+304h]
		shr	al, 6
		and	al, 1
		retn
_PsIsCurrentThreadPrefetching@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockStoreLockedPages proc near	; CODE XREF: SmKmUnlockMdl+34p
					; MmStoreProbeAndLockPages:loc_4A5541p

var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D032A SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	edx, [ecx+18h]
		add	edx, [ecx+10h]
		mov	eax, [ecx+14h]
		and	edx, 0FFFh
		add	eax, 0FFFh
		mov	[esp+1Ch+var_C], ecx
		add	eax, edx
		push	ebx
		push	esi
		shr	eax, 0Ch
		xor	esi, esi
		push	edi
		lea	edi, [ecx+1Ch]
		lea	eax, [edi+eax*4]
		mov	[esp+28h+var_4], eax
		jmp	short loc_4F0E00
; 
		align 10h

loc_4F0E00:				; CODE XREF: MiUnlockStoreLockedPages+37j
					; MiUnlockStoreLockedPages+D0j
		mov	eax, [edi]
		cmp	eax, 0FFFFFFFFh
		jz	loc_4F0E96
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ebx, [eax+ecx*4]
		mov	cl, 2
		mov	[esp+28h+var_8], ebx
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+28h+var_15], al
		lea	eax, [ebx+10h]
		mov	[esp+28h+var_10], 0
		mov	[esp+28h+var_14], eax
		lock bts dword ptr [eax], 1Fh
		jb	short loc_4F0EA6

loc_4F0E42:				; CODE XREF: MiUnlockStoreLockedPages+DF584j
		test	byte ptr [ebx+16h], 10h
		jz	short loc_4F0EAF
		or	esi, 2

loc_4F0E4B:				; CODE XREF: MiUnlockStoreLockedPages+F2j
		push	esi
		mov	ecx, ebx
		call	MiWriteCompletePfn
		mov	ebx, eax
		mov	eax, edx
		mov	ecx, ebx
		mov	[esp+28h+var_8], eax
		or	ecx, eax
		jnz	short loc_4F0EB4
		mov	[esp+28h+var_10], ecx

loc_4F0E65:				; CODE XREF: MiUnlockStoreLockedPages+FCj
		mov	eax, [esp+28h+var_14]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [esp+28h+var_15]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+28h+var_8]
		mov	eax, ebx
		or	eax, edx
		jnz	loc_5D0349

loc_4F0E89:				; CODE XREF: MiUnlockStoreLockedPages+DF596j
		add	edi, 4
		cmp	edi, [esp+28h+var_4]
		jb	loc_4F0E00

loc_4F0E96:				; CODE XREF: MiUnlockStoreLockedPages+45j
		mov	eax, [esp+28h+var_C]
		pop	edi
		pop	esi
		pop	ebx
		and	word ptr [eax+6], 0FFFDh
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4F0EA6:				; CODE XREF: MiUnlockStoreLockedPages+80j
		mov	ebx, [esp+28h+var_14]
		jmp	loc_5D032A
; 

loc_4F0EAF:				; CODE XREF: MiUnlockStoreLockedPages+86j
		and	esi, 0FFFFFFFDh
		jmp	short loc_4F0E4B
; 

loc_4F0EB4:				; CODE XREF: MiUnlockStoreLockedPages+9Fj
		mov	[esp+28h+var_10], offset _MiSystemPartition
		jmp	short loc_4F0E65
MiUnlockStoreLockedPages endp


;  S U B	R O U T	I N E 


; __stdcall MiAdjustFaultList(x)
_MiAdjustFaultList@4 proc near		; CODE XREF: MiDispatchFault+3A7p
		mov	edx, [ecx+8]
		and	edx, 0FFFFFFFEh
		mov	eax, [edx+0Ch]
		cmp	eax, [edx+8]
		jnb	short locret_4F0EF9
		mov	ecx, [ecx]
		push	ebx
		push	esi
		push	edi
		mov	edi, [edx+4]
		mov	ebx, 0FFFFF000h
		and	ecx, ebx
		mov	esi, [edi+eax*8]
		cmp	ecx, esi
		jb	short loc_4F0EF6
		mov	eax, [edi+eax*8+4]
		add	eax, esi
		cmp	ecx, eax
		jnb	short loc_4F0EF6
		and	esi, ebx
		sub	ecx, esi
		shr	ecx, 0Ch
		mov	[edx+10h], ecx

loc_4F0EF6:				; CODE XREF: MiAdjustFaultList(x)+22j
					; MiAdjustFaultList(x)+2Cj
		pop	edi
		pop	esi
		pop	ebx

locret_4F0EF9:				; CODE XREF: MiAdjustFaultList(x)+Cj
		retn
_MiAdjustFaultList@4 endp

; 
		align 10h
; Exported entry 1020. IoThreadToProcess
; Exported entry 1829. PsGetThreadProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoThreadToProcess(x)
		public _IoThreadToProcess@4
_IoThreadToProcess@4 proc near		; CODE XREF: AlpcpCreateSecurityContext+12p
					; PAGE:0081D276p ...

arg_0		= dword	ptr  8

		mov	edi, edi	; IoThreadToProcess
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+150h]
		pop	ebp
		retn	4
_IoThreadToProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepDeReferenceLogonSessionDirect(x)
_SepDeReferenceLogonSessionDirect@4 proc near ;	CODE XREF: SepLinkLogonSessions+8205Bp
					; SepStopReferencingLogonSession(x)+18p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+14h]
		mov	ecx, [edi]
		lea	edx, [ecx-1]

loc_4F0F25:				; CODE XREF: SepDeReferenceLogonSessionDirect(x)+2Aj
		test	edx, edx
		jle	short loc_4F0F3E
		mov	eax, ecx
		lock cmpxchg [edi], edx
		mov	edx, eax
		cmp	edx, ecx
		jnz	short loc_4F0F39

loc_4F0F35:				; CODE XREF: SepDeReferenceLogonSessionDirect(x)+45j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4F0F39:				; CODE XREF: SepDeReferenceLogonSessionDirect(x)+21j
		mov	ecx, edx
		dec	edx
		jmp	short loc_4F0F25
; 

loc_4F0F3E:				; CODE XREF: SepDeReferenceLogonSessionDirect(x)+15j
		jnz	short loc_4F0F59

loc_4F0F40:				; CODE XREF: SepDeReferenceLogonSessionDirect(x)+4Cj
		mov	eax, [esi+4]
		lea	ecx, [ebp+var_8]
		mov	edx, [esi+58h]
		mov	[ebp+var_8], eax
		mov	eax, [esi+8]
		mov	[ebp+var_4], eax
		call	SepDeReferenceLogonSession
		jmp	short loc_4F0F35
; 

loc_4F0F59:				; CODE XREF: SepDeReferenceLogonSessionDirect(x):loc_4F0F3Ej
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_4F0F40
_SepDeReferenceLogonSessionDirect@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepConvertToOwnTokenClaims proc	near	; CODE XREF: SepStopReferencingLogonSession(x)+7p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D035B SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 8000h
		test	[esi+0B0h], edi
		jnz	short loc_4F0F89
		mov	ecx, [esi+27Ch]
		test	ecx, ecx
		jnz	loc_5D035B

loc_4F0F89:				; CODE XREF: SepConvertToOwnTokenClaims+19j
		xor	eax, eax

loc_4F0F8B:				; CODE XREF: SepConvertToOwnTokenClaims+DF407j
					; SepConvertToOwnTokenClaims+DF41Ej
		pop	edi
		pop	esi
		leave
		retn
SepConvertToOwnTokenClaims endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 368. ExGetFirmwareType

;  S U B	R O U T	I N E 


; __stdcall ExGetFirmwareType()
		public _ExGetFirmwareType@0
_ExGetFirmwareType@0 proc near
		mov	eax, dword_6BBFD0
		retn
_ExGetFirmwareType@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpInsertPoolTrackerExpansion proc near	; CODE XREF: ExpInsertPoolTrackerExpansion+29Bp
					; ExpInsertPoolTrackerExpansion+2DEp ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 004F1177 SIZE 00000178 BYTES
; FUNCTION CHUNK AT 005D0383 SIZE 00000485 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+58h+var_28], ecx
		lea	edi, [esp+58h+var_18]
		mov	esi, edx
		stosd
		lea	edx, [esp+58h+var_18]
		mov	ecx, offset _ExpTaggedPoolLock
		mov	[esp+58h+var_40], esi
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp+arg_0]
		and	eax, 20h
		mov	[esp+58h+var_1C], eax
		jz	loc_5D0383
		mov	eax, _ExpSessionPoolTrackTableSize
		mov	edi, _ExpSessionPoolTrackTable
		mov	[esp+58h+var_34], eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	edx, [eax+2424h]
		mov	ebx, [eax+2428h]

loc_4F1006:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF404j
		xor	ecx, ecx
		mov	[esp+58h+var_38], edx
		mov	[esp+58h+var_3C], edi
		test	ebx, ebx
		jz	short loc_4F1049
		mov	eax, edx

loc_4F1016:				; CODE XREF: ExpInsertPoolTrackerExpansion+9Dj
		mov	esi, [eax]
		cmp	esi, [esp+58h+var_28]
		mov	edi, [esp+58h+var_3C]
		mov	[esp+58h+var_24], esi
		mov	esi, [esp+58h+var_40]
		jz	short loc_4F1049
		cmp	[esp+58h+var_24], 0
		jz	short loc_4F103B
		inc	ecx
		add	eax, 30h
		cmp	ecx, ebx
		jb	short loc_4F1016
		jmp	short loc_4F1049
; 

loc_4F103B:				; CODE XREF: ExpInsertPoolTrackerExpansion+95j
		mov	esi, [esp+58h+var_28]
		imul	eax, ecx, 30h
		mov	[eax+edx], esi
		mov	esi, [esp+58h+var_40]

loc_4F1049:				; CODE XREF: ExpInsertPoolTrackerExpansion+78j
					; ExpInsertPoolTrackerExpansion+8Ej ...
		cmp	ecx, ebx
		jz	short loc_4F10AD
		imul	eax, ecx, 30h
		xor	ebx, ebx
		inc	ebx
		add	eax, edx
		test	byte ptr [ebp+arg_0], bl
		jz	loc_5D03A3
		add	[eax+20h], ebx
		adc	dword ptr [eax+24h], 0
		add	[eax+18h], esi

loc_4F1068:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF413j
		test	ds:byte_70EFC6,	bl
		jnz	loc_5D03B2
		mov	eax, [esp+58h+var_18]
		test	eax, eax
		jnz	loc_5D03CC
		mov	edx, [esp+58h+var_14]
		lea	eax, [esp+58h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+58h+var_18]
		cmp	eax, ecx
		jnz	loc_5D03C3

loc_4F109A:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF424j
					; ExpInsertPoolTrackerExpansion+DF440j
		mov	cl, [esp+58h+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4F10A4:				; CODE XREF: ExpInsertPoolTrackerExpansion+2A0j
					; ExpInsertPoolTrackerExpansion+DF869j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4F10AD:				; CODE XREF: ExpInsertPoolTrackerExpansion+B1j
		mov	esi, [esp+58h+var_34]
		imul	eax, esi, 30h
		mov	eax, [eax+edi-30h]
		test	eax, eax
		jnz	loc_5D03DF
		imul	eax, ebx, 30h
		xor	edx, edx
		push	30h
		pop	esi
		mov	[esp+58h+var_20], eax
		lea	ebx, [eax+0FFFh]
		and	ebx, 0FFFFF000h
		mov	[esp+58h+var_2C], ebx
		lea	ecx, [ebx+1000h]
		mov	eax, ecx
		mov	[esp+58h+var_30], ecx
		div	esi
		mov	edx, ecx
		mov	[esp+58h+var_24], eax
		call	_ExAllocateHeapPages@8 ; ExAllocateHeapPages(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5D0705
		mov	ecx, [esp+58h+var_38]
		test	ecx, ecx
		jnz	loc_5D04C2

loc_4F110B:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF533j
		mov	ebx, [esp+58h+var_30]
		mov	eax, ebx
		mov	ecx, [esp+58h+var_20]
		sub	eax, ecx
		push	eax		; size_t
		push	0		; int
		lea	eax, [ecx+esi]
		push	eax		; void *
		call	_memset
		mov	ecx, [esp+64h+var_24]
		add	esp, 0Ch
		cmp	[esp+58h+var_1C], 0
		jz	loc_5D04D2
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	[eax+2424h], esi
		mov	[eax+2428h], ecx

loc_4F1153:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF544j
		xor	eax, eax
		lea	edi, [esp+58h+var_C]
		stosd
		mov	ecx, 6C6F6F50h
		mov	[esp+58h+var_48], ecx
		stosd
		stosd
		mov	eax, ds:_PoolHitTag
		cmp	eax, ecx
		jz	loc_5D04E3
		jmp	loc_5D04E4
ExpInsertPoolTrackerExpansion endp

; 
; START	OF FUNCTION CHUNK FOR ExpInsertPoolTrackerExpansion

loc_4F1177:				; CODE XREF: ExpInsertPoolTrackerExpansion+2B3j
		mov	[edx+esi], eax

loc_4F117A:				; CODE XREF: ExpInsertPoolTrackerExpansion+2CFj
					; ExpInsertPoolTrackerExpansion+350j
		imul	esi, edi, 30h

loc_4F117D:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF5C6j
		mov	eax, [edx+esi]
		mov	ecx, [esp+58h+var_48]
		mov	[esp+58h+var_24], esi
		cmp	eax, ecx
		jnz	loc_4F123F
		lea	eax, [esi+8]
		xor	edi, edi
		add	eax, edx
		inc	edi
		mov	[esp+58h+var_3C], eax

loc_4F119C:				; CODE XREF: ExpInsertPoolTrackerExpansion+228j
					; ExpInsertPoolTrackerExpansion+22Ej
		mov	esi, [eax]
		mov	ebx, esi
		mov	edx, [eax+4]
		add	ebx, edi
		mov	ecx, edx
		mov	[esp+58h+var_1C], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		mov	edi, [esp+58h+var_3C]
		lock cmpxchg8b qword ptr [edi]
		push	1
		cmp	eax, esi
		mov	eax, [esp+5Ch+var_3C]
		pop	edi
		jnz	short loc_4F119C
		cmp	edx, [esp+58h+var_1C]
		jnz	short loc_4F119C
		mov	ecx, [esp+58h+var_34]
		mov	eax, [esp+58h+var_24]
		add	ecx, 4
		add	eax, ecx
		mov	ecx, [esp+58h+var_30]
		lock xadd [eax], ecx
		xor	ebx, ebx
		inc	ebx

loc_4F11E2:				; CODE XREF: ExpInsertPoolTrackerExpansion+2E3j
		test	ds:byte_70EFC6,	bl
		jnz	loc_5D0592
		mov	eax, [esp+58h+var_18]
		test	eax, eax
		jnz	loc_5D05AC
		mov	edx, [esp+58h+var_14]
		lea	eax, [esp+58h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+58h+var_18]
		cmp	eax, ecx
		jnz	loc_5D05A3

loc_4F1214:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF604j
					; ExpInsertPoolTrackerExpansion+DF620j
		mov	cl, [esp+58h+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [esp+58h+var_38]
		test	ebx, ebx
		jnz	loc_5D05BF

loc_4F122A:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF728j
		push	[ebp+arg_0]
		mov	edx, [esp+5Ch+var_40]
		mov	ecx, [esp+5Ch+var_28]
		call	ExpInsertPoolTrackerExpansion
		jmp	loc_4F10A4
; 

loc_4F123F:				; CODE XREF: ExpInsertPoolTrackerExpansion+1F0j
		test	eax, eax
		jnz	short loc_4F1260
		mov	eax, _PoolTrackTable
		mov	eax, [esi+eax]
		test	eax, eax
		jnz	loc_4F1177
		mov	eax, [esp+58h+var_1C]
		dec	eax
		cmp	edi, eax
		jnz	short loc_4F1282
		mov	ecx, [esp+58h+var_48]

loc_4F1260:				; CODE XREF: ExpInsertPoolTrackerExpansion+2A7j
		inc	edi
		and	edi, [esp+58h+var_20]
		cmp	edi, [esp+58h+var_3C]
		jnz	loc_4F117A
		mov	edx, [esp+58h+var_30]
		push	200h
		call	ExpInsertPoolTrackerExpansion
		jmp	loc_4F11E2
; 

loc_4F1282:				; CODE XREF: ExpInsertPoolTrackerExpansion+2C0j
		lea	edx, [esp+58h+var_C]
		mov	ecx, offset _ExpTaggedPoolLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, _PoolTrackTable
		cmp	dword ptr [esi+ecx], 0
		jnz	short loc_4F12AA
		mov	eax, [esp+58h+var_48]
		mov	[esi+ecx], eax
		mov	ecx, [esp+58h+var_34]
		mov	[ecx+esi], eax

loc_4F12AA:				; CODE XREF: ExpInsertPoolTrackerExpansion+300j
		test	ds:byte_70EFC6,	bl
		jnz	loc_5D0565
		mov	eax, [esp+58h+var_C]
		test	eax, eax
		jnz	loc_5D057F
		mov	edx, [esp+58h+var_8]
		lea	eax, [esp+58h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+58h+var_C]
		cmp	eax, ecx
		jnz	loc_5D0576

loc_4F12DC:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF5D7j
					; ExpInsertPoolTrackerExpansion+DF5F3j
		mov	cl, [esp+58h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+58h+var_34]
		jmp	loc_4F117A
; END OF FUNCTION CHUNK	FOR ExpInsertPoolTrackerExpansion
; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipRawSMBiosTableHandler proc near	; DATA XREF: WmipRegisterFirmwareProviders()+2Do

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D0808 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		test	esi, esi
		jz	loc_5D0808
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_4F1365
		cmp	eax, 1
		jnz	loc_5D0808
		push	edi
		lea	edx, [ebp+var_4]
		xor	ecx, ecx
		call	WmipGetSMBiosTableData
		mov	edx, 0C0000023h
		cmp	eax, edx
		jnz	short loc_4F1380
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_4F1380
		add	ecx, 8
		cmp	[esi+0Ch], ecx
		jnb	short loc_4F1344
		mov	[esi+0Ch], ecx
		mov	eax, edx

loc_4F1340:				; CODE XREF: WmipRawSMBiosTableHandler+73j
					; WmipRawSMBiosTableHandler+87j ...
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4F1344:				; CODE XREF: WmipRawSMBiosTableHandler+49j
		lea	edi, [esi+10h]
		push	edi
		lea	ecx, [edi+8]
		lea	edx, [ebp+var_4]
		call	WmipGetSMBiosTableData
		mov	ecx, [ebp+var_4]
		test	eax, eax
		js	short loc_4F135D
		mov	[edi+4], ecx

loc_4F135D:				; CODE XREF: WmipRawSMBiosTableHandler+68j
		add	ecx, 8
		mov	[esi+0Ch], ecx
		jmp	short loc_4F1340
; 

loc_4F1365:				; CODE XREF: WmipRawSMBiosTableHandler+1Dj
		mov	eax, [esi+0Ch]
		push	4
		pop	ecx
		mov	[esi+0Ch], ecx
		cmp	eax, ecx
		jb	short loc_4F1379
		mov	[esi+10h], edi
		xor	eax, eax
		jmp	short loc_4F1340
; 

loc_4F1379:				; CODE XREF: WmipRawSMBiosTableHandler+80j
		mov	eax, 0C0000023h
		jmp	short loc_4F1340
; 

loc_4F1380:				; CODE XREF: WmipRawSMBiosTableHandler+3Aj
					; WmipRawSMBiosTableHandler+41j
		mov	[esi+0Ch], edi
		jmp	short loc_4F1340
WmipRawSMBiosTableHandler endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1371. MmAllocateContiguousNodeMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmAllocateContiguousNodeMemory
MmAllocateContiguousNodeMemory proc near ; CODE	XREF: MiPaeAllocatePage+28p
					; MmAllocateContiguousMemorySpecifyCacheNode(x,x,x,x,x,x,x,x,x)+38p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D0812 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		mov	eax, [ebx+10h]
		push	esi
		mov	esi, [ebx+0Ch]
		shrd	esi, eax, 0Ch
		mov	eax, 0FFFh
		push	edi
		test	[ebx+0Ch], eax
		jnz	loc_5D0812

loc_4F13BB:				; CODE XREF: MmAllocateContiguousNodeMemory+DF489j
		mov	edi, [ebx+1Ch]
		test	edi, eax
		jnz	short loc_4F1437
		mov	ecx, [ebx+24h]
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		test	dword ptr [ebx+24h], 100h
		mov	edx, eax
		jnz	short loc_4F1437
		cmp	edx, 0FFFFFFFFh
		jz	short loc_4F1437
		mov	ecx, edx
		and	cl, 5
		cmp	cl, 4
		jnz	short loc_4F1437
		test	dl, 2
		jnz	short loc_4F1425

loc_4F13E9:				; CODE XREF: MmAllocateContiguousNodeMemory+A6j
					; MmAllocateContiguousNodeMemory+DF497j
		mov	eax, [ebx+20h]
		mov	ecx, [ebx+14h]
		shrd	edi, eax, 0Ch
		mov	eax, [ebx+18h]
		shrd	ecx, eax, 0Ch
		mov	eax, dword_6D07B0
		cmp	ecx, eax
		jbe	short loc_4F1405
		mov	ecx, eax

loc_4F1405:				; CODE XREF: MmAllocateContiguousNodeMemory+77j
		cmp	esi, ecx
		ja	short loc_4F1437
		push	ecx
		push	dword ptr [ebx+28h]
		push	edx
		push	edi
		push	ecx
		mov	ecx, [ebx+8]
		mov	edx, esi
		call	MiAllocateContiguousMemory

loc_4F141A:				; CODE XREF: MmAllocateContiguousNodeMemory+AFj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	24h
; 

loc_4F1425:				; CODE XREF: MmAllocateContiguousNodeMemory+5Dj
		shr	eax, 3
		cmp	eax, 1
		jz	short loc_4F1437
		cmp	eax, 3
		jnz	short loc_4F13E9
		jmp	loc_5D0818
; 

loc_4F1437:				; CODE XREF: MmAllocateContiguousNodeMemory+36j
					; MmAllocateContiguousNodeMemory+49j ...
		xor	eax, eax
		jmp	short loc_4F141A
MmAllocateContiguousNodeMemory endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateContiguousMemory proc	near	; CODE XREF: MmAllocateContiguousNodeMemory+8Bp
					; MmAllocateContiguousMemory(x,x,x)+2Ap

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D0826 SIZE 00000193 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+9Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+0A8h+var_8C], eax
		mov	eax, [ebp+arg_4]
		push	0
		mov	[esp+0ACh+var_90], edx
		mov	[esp+0ACh+var_6C], edi
		mov	[esp+0ACh+var_88], eax
		mov	[esp+0ACh+var_84], ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[esp+0ACh+var_60], eax
		xor	esi, esi
		or	eax, 0FFFFFFFFh
		mov	[esp+0ACh+var_64], edx
		mov	[esp+0ACh+var_6C], eax
		mov	[esp+0ACh+var_98], eax
		xor	eax, eax
		cmp	ds:_MmProtectFreedNonPagedPool,	eax
		mov	[esp+0ACh+var_9C], esi
		setnz	al
		and	edi, 0FFFh
		neg	edi
		mov	[esp+0ACh+var_84], eax
		mov	eax, [esp+0ACh+var_70]
		sbb	edi, edi
		shr	eax, 0Ch
		neg	edi
		add	edi, eax
		mov	[esp+0ACh+var_68], edi
		test	bl, 2
		jnz	loc_4F1722

loc_4F14CC:				; CODE XREF: MiAllocateContiguousMemory+2EDj
					; MiAllocateContiguousMemory+DF3F1j
		mov	eax, [esp+0ACh+var_8C]
		test	eax, eax
		jnz	loc_4F170F

loc_4F14D8:				; CODE XREF: MiAllocateContiguousMemory+2D7j
		mov	ecx, [esp+0ACh+var_94]
		xor	ebx, ebx
		mov	edx, [esp+0ACh+var_90]
		cmp	ecx, edx
		ja	loc_4F1719
		lea	eax, [ecx+edi]
		cmp	eax, ecx
		jbe	loc_4F1719
		dec	eax
		cmp	eax, edx
		ja	loc_4F1719
		mov	ecx, [esp+0ACh+var_88]
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		xor	ecx, ecx
		mov	[esp+0ACh+var_78], eax
		mov	ax, ds:_KeNumberNodes
		inc	ecx
		cmp	cx, ax
		sbb	ecx, ecx
		and	ecx, [ebp+arg_C]
		mov	[esp+0ACh+var_74], ecx
		cmp	ecx, 80000000h
		jz	loc_5D0832
		movzx	eax, ax
		mov	esi, ecx
		cmp	ecx, eax
		jnb	loc_4F173E

loc_4F1539:				; CODE XREF: MiAllocateContiguousMemory+DF416j
		movzx	edx, ds:_KeNumberNodes
		mov	eax, dword_6D0698
		mov	ecx, edx
		imul	ecx, esi
		cmp	[esp+0ACh+var_74], 80000000h
		lea	ebx, [eax+ecx*4]
		jz	loc_5D0857
		push	4
		pop	eax

loc_4F155E:				; CODE XREF: MiAllocateContiguousMemory+DF420j
		add	eax, ebx
		test	byte ptr [esp+0ACh+var_88], 2
		mov	[esp+0ACh+var_80], eax
		mov	eax, 200h
		mov	[esp+0ACh+var_7C], eax
		jnz	loc_4F1734
		cmp	[esp+0ACh+var_84], 0
		jnz	short loc_4F15C2
		xor	ecx, ecx
		inc	ecx
		cmp	[esp+0ACh+var_78], ecx
		jnz	short loc_4F15C2
		cmp	ds:_MmProtectFreedNonPagedPool,	0
		jnz	short loc_4F15C2
		cmp	edi, eax
		ja	short loc_4F15C2

loc_4F1595:				; CODE XREF: MiAllocateContiguousMemory+184j
		mov	eax, [ebx]
		mov	edx, [esp+0ACh+var_90]
		mov	ecx, [esp+0ACh+var_94]
		push	eax
		push	[esp+0B0h+var_70]
		push	[esp+0B4h+var_8C]
		call	ExAllocateContiguousHeapPool
		mov	[esp+0ACh+var_9C], eax
		test	eax, eax
		jnz	loc_5D0861
		add	ebx, 4
		cmp	ebx, [esp+0ACh+var_80]
		jnz	short loc_4F1595

loc_4F15C2:				; CODE XREF: MiAllocateContiguousMemory+141j
					; MiAllocateContiguousMemory+14Aj ...
		movzx	ecx, ds:_KeNumberNodes
		mov	ebx, 8100000h
		mov	eax, dword_6D0698
		imul	ecx, esi
		lea	esi, [eax+ecx*4]

loc_4F15D9:				; CODE XREF: MiAllocateContiguousMemory+DF43Ej
		mov	eax, [esi]
		lea	ecx, [esp+0ACh+var_98]
		mov	edx, [esp+0ACh+var_94]
		push	ecx
		push	0
		push	ebx
		push	80000000h
		push	eax
		push	[esp+0C0h+var_78]
		mov	ecx, offset _MiSystemPartition
		push	edi
		push	[esp+0C8h+var_8C]
		push	[esp+0CCh+var_90]
		call	_MiFindContiguousPages@44 ; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_5D086B
		mov	eax, [esp+0ACh+var_98]
		mov	ecx, 1000h
		mul	ecx
		mov	esi, edi
		push	edx
		mov	edx, [esp+0B0h+var_88]
		push	eax
		push	[esp+0B4h+var_84]
		shl	esi, 0Ch
		mov	ecx, esi
		call	MiMapContiguousMemory
		mov	ebx, eax
		mov	[esp+0ACh+var_9C], ebx
		test	ebx, ebx
		jz	short loc_4F164F
		push	[esp+0ACh+var_84]
		mov	edx, ebx
		push	[esp+0B0h+var_7C]
		push	esi
		call	ExInsertPoolTag
		test	eax, eax
		jz	loc_5D087F

loc_4F164F:				; CODE XREF: MiAllocateContiguousMemory+1F9j
					; MiAllocateContiguousMemory+DF45Ej
		imul	eax, [esp+0ACh+var_98],	1Ch
		imul	ecx, edi, 1Ch
		add	eax, ds:_MmPfnDatabase
		add	ecx, eax
		test	ebx, ebx
		jz	loc_5D089F
		mov	esi, ebx
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h

loc_4F1678:				; CODE XREF: MiAllocateContiguousMemory+DF465j
		mov	ebx, eax
		mov	edi, ecx

loc_4F167C:				; CODE XREF: MiAllocateContiguousMemory+277j
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, al
		mov	[ebx+4], esi
		mov	eax, [ebx+18h]
		mov	edx, 7FFFFFFFh
		and	eax, 0FFFFFFFDh
		or	eax, (offset loc_7FFFFA+3)
		mov	[ebx+18h], eax
		lea	eax, [ebx+10h]
		lock and [eax],	edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		add	ebx, 1Ch
		test	esi, esi
		jz	short loc_4F16B1
		add	esi, 8

loc_4F16B1:				; CODE XREF: MiAllocateContiguousMemory+270j
		cmp	ebx, edi
		jb	short loc_4F167C
		mov	ebx, [esp+0ACh+var_9C]
		mov	edi, [esp+0ACh+var_68]
		test	ebx, ebx
		jz	loc_5D08B7
		test	ds:byte_70EFC4,	1
		jnz	loc_5D08A6

loc_4F16D2:				; CODE XREF: MiAllocateContiguousMemory+DF476j
					; MiAllocateContiguousMemory+DF491j
		xor	ebx, ebx

loc_4F16D4:				; CODE XREF: MiAllocateContiguousMemory+DF42Aj
					; MiAllocateContiguousMemory+DF484j
		mov	esi, [esp+0ACh+var_9C]

loc_4F16D8:				; CODE XREF: MiAllocateContiguousMemory+2E4j
					; MiAllocateContiguousMemory+304j
		push	offset _KERNEL_MEM_EVENT_CONT_ALLOCATION
		push	dword_6BC304
		push	_EtwpMemoryProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5D08D2

loc_4F16F6:				; CODE XREF: MiAllocateContiguousMemory+DF578j
		mov	ecx, [esp+0ACh+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_4F170F:				; CODE XREF: MiAllocateContiguousMemory+96j
		xor	ebx, ebx
		cmp	edi, eax
		jbe	loc_4F14D8

loc_4F1719:				; CODE XREF: MiAllocateContiguousMemory+A8j
					; MiAllocateContiguousMemory+B3j ...
		mov	eax, [ebp+arg_C]
		mov	[esp+0ACh+var_74], eax
		jmp	short loc_4F16D8
; 

loc_4F1722:				; CODE XREF: MiAllocateContiguousMemory+8Aj
		test	byte ptr ds:_MiFlags+2,	1
		jz	loc_4F14CC
		jmp	loc_5D0826
; 

loc_4F1734:				; CODE XREF: MiAllocateContiguousMemory+136j
		and	[esp+0ACh+var_7C], 0
		jmp	loc_4F15C2
; 

loc_4F173E:				; CODE XREF: MiAllocateContiguousMemory+F7j
		mov	esi, ebx
		jmp	short loc_4F16D8
MiAllocateContiguousMemory endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExInsertPoolTag	proc near		; CODE XREF: MiAllocateContiguousMemory+206p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= byte ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D09B9 SIZE 000000A0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		xor	ecx, ecx
		mov	eax, edx
		test	byte ptr [ebp+arg_8], 1
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	byte ptr [ebp+var_4], cl
		jnz	loc_5D09B9

loc_4F176A:				; CODE XREF: ExInsertPoolTag+DF281j
					; ExInsertPoolTag+DF2BFj
		lea	ebx, [esi+0FFFh]
		cmp	esi, ebx
		jnb	loc_5D0A52
		push	[ebp+var_4]
		and	ebx, 0FFFFF000h
		mov	esi, 546E6F43h
		push	ecx
		push	[ebp+arg_4]
		mov	edx, esi
		mov	[ebp+var_20], ebx
		push	ebx
		mov	ecx, eax
		call	ExpAddTagForBigPages
		test	eax, eax
		jz	loc_5D0A52
		xor	eax, eax
		mov	[ebp+arg_8], esi
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		mov	eax, ds:_PoolHitTag
		cmp	eax, esi
		jz	loc_5D0A06

loc_4F17B7:				; CODE XREF: ExInsertPoolTag+DF2C5j
		test	ds:byte_70EFC4,	41h
		jnz	loc_5D0A0C

loc_4F17C4:				; CODE XREF: ExInsertPoolTag+DF2DEj
		mov	eax, [ebp+arg_4]
		and	eax, 20h
		mov	[ebp+var_4], eax
		jnz	loc_4F18D6
		movzx	eax, large byte	ptr fs:51h
		mov	edx, _PoolTrackTableMask
		mov	esi, _ExPoolTagTables[eax*4]
		mov	eax, _PoolTrackTableSize

loc_4F17ED:				; CODE XREF: ExInsertPoolTag+1A5j
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		movzx	ecx, al
		shl	ecx, 2
		movzx	eax, ah
		xor	ecx, eax
		mov	[ebp+var_C], edx
		movzx	eax, byte ptr [ebp+arg_8+2]
		shl	ecx, 2
		xor	ecx, eax
		mov	[ebp+var_18], esi
		movzx	eax, byte ptr [ebp+arg_8+3]
		shl	ecx, 2
		xor	ecx, eax
		imul	ecx, 9E5Fh
		sar	ecx, 2
		and	ecx, edx
		imul	edx, ecx, 30h
		mov	[ebp+var_10], ecx
		mov	[ebp+var_1C], ecx
		lea	edi, [edx+esi]

loc_4F182D:				; CODE XREF: ExInsertPoolTag+162j
		mov	eax, [edi]
		mov	esi, [ebp+arg_8]
		mov	[ebp+arg_0], edi
		mov	[ebp+var_14], edx
		cmp	eax, esi
		jnz	short loc_4F1888
		test	byte ptr [ebp+arg_4], 1
		jz	short loc_4F18A6
		lea	eax, [edi+20h]
		mov	[ebp+arg_4], eax
		mov	edi, eax

loc_4F184A:				; CODE XREF: ExInsertPoolTag+125j
					; ExInsertPoolTag+12Aj
		mov	esi, [edi]
		xor	eax, eax
		mov	edx, [edi+4]
		inc	eax
		mov	ebx, esi
		mov	[ebp+arg_4], edx
		add	ebx, eax
		mov	ecx, edx
		mov	eax, esi
		adc	ecx, 0
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_4F184A
		cmp	edx, [ebp+arg_4]
		jnz	short loc_4F184A
		push	18h

loc_4F1870:				; CODE XREF: ExInsertPoolTag+192j
		mov	edi, [ebp+arg_0]
		mov	edx, [ebp+var_20]
		pop	eax
		lea	ecx, [edi+eax]
		lock xadd [ecx], edx

loc_4F187E:				; CODE XREF: ExInsertPoolTag+246j
		xor	eax, eax
		inc	eax

loc_4F1881:				; CODE XREF: ExInsertPoolTag+DF312j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4F1888:				; CODE XREF: ExInsertPoolTag+F8j
		test	eax, eax
		jz	short loc_4F18EC

loc_4F188C:				; CODE XREF: ExInsertPoolTag+1C5j
		inc	ecx
		and	ecx, [ebp+var_C]
		mov	[ebp+var_10], ecx
		cmp	ecx, [ebp+var_1C]
		jz	loc_4F197C

loc_4F189C:				; CODE XREF: ExInsertPoolTag+1D3j
					; ExInsertPoolTag+1D7j	...
		mov	edi, [ebp+var_18]
		imul	edx, ecx, 30h
		add	edi, edx
		jmp	short loc_4F182D
; 

loc_4F18A6:				; CODE XREF: ExInsertPoolTag+FEj
		lea	eax, [edi+8]
		mov	[ebp+arg_4], eax
		mov	edi, eax

loc_4F18AE:				; CODE XREF: ExInsertPoolTag+189j
					; ExInsertPoolTag+18Ej
		mov	esi, [edi]
		xor	eax, eax
		mov	edx, [edi+4]
		inc	eax
		mov	ebx, esi
		mov	[ebp+arg_4], edx
		add	ebx, eax
		mov	ecx, edx
		mov	eax, esi
		adc	ecx, 0
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_4F18AE
		cmp	edx, [ebp+arg_4]
		jnz	short loc_4F18AE
		push	4
		jmp	short loc_4F1870
; 

loc_4F18D6:				; CODE XREF: ExInsertPoolTag+8Bj
		mov	esi, _ExpSessionPoolTrackTable
		mov	edx, _ExpSessionPoolTrackTableMask
		mov	eax, _ExpSessionPoolTrackTableSize
		jmp	loc_4F17ED
; 

loc_4F18EC:				; CODE XREF: ExInsertPoolTag+148j
		cmp	[ebp+var_4], 0
		jnz	short loc_4F1901
		mov	eax, _PoolTrackTable
		mov	eax, [edx+eax]
		test	eax, eax
		jnz	short loc_4F1917
		mov	esi, [ebp+arg_8]

loc_4F1901:				; CODE XREF: ExInsertPoolTag+1AEj
		mov	eax, [ebp+var_8]
		dec	eax
		cmp	ecx, eax
		jz	short loc_4F188C
		cmp	[ebp+var_4], 0
		jz	short loc_4F191B
		xor	eax, eax
		lock cmpxchg [edi], esi
		jmp	short loc_4F189C
; 

loc_4F1917:				; CODE XREF: ExInsertPoolTag+1BAj
		mov	[edi], eax
		jmp	short loc_4F189C
; 

loc_4F191B:				; CODE XREF: ExInsertPoolTag+1CBj
		lea	edx, [ebp+var_34]
		mov	ecx, offset _ExpTaggedPoolLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, _PoolTrackTable
		mov	ecx, [ebp+var_14]
		cmp	dword ptr [ecx+edx], 0
		jnz	short loc_4F193C
		mov	[ecx+edx], esi
		mov	[edi], esi

loc_4F193C:				; CODE XREF: ExInsertPoolTag+1F3j
		test	ds:byte_70EFC6,	1
		jnz	loc_5D0A25
		mov	eax, [ebp+var_34]
		test	eax, eax
		jnz	loc_5D0A3D
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_34]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_34]
		cmp	eax, ecx
		jnz	loc_5D0A35

loc_4F196B:				; CODE XREF: ExInsertPoolTag+DF2EEj
					; ExInsertPoolTag+DF30Bj
		mov	cl, [ebp+var_2C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_10]
		jmp	loc_4F189C
; 

loc_4F197C:				; CODE XREF: ExInsertPoolTag+154j
		push	[ebp+arg_4]
		mov	edx, ebx
		mov	ecx, esi
		call	ExpInsertPoolTrackerExpansion
		jmp	loc_4F187E
ExInsertPoolTag	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1432. MmMapIoSpace
; Exported entry 1441. MmMapVideoDisplay

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMapIoSpace(x, x, x, x)
		public _MmMapIoSpace@16
_MmMapIoSpace@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi	; MmMapIoSpace
		push	ebp
		mov	ebp, esp
		movzx	ecx, [ebp+arg_C]
		cmp	ecx, 6
		jnb	short loc_4F19CE
		push	40h
		pop	eax
		cmp	ecx, 1
		jz	short loc_4F19BB
		xor	eax, eax
		cmp	ecx, 2
		setnz	al
		dec	eax
		and	eax, 1C4h
		add	eax, 240h

loc_4F19BB:				; CODE XREF: MmMapIoSpace(x,x,x,x)+14j
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)

loc_4F19CA:				; CODE XREF: MmMapIoSpace(x,x,x,x)+3Ej
		pop	ebp
		retn	10h
; 

loc_4F19CE:				; CODE XREF: MmMapIoSpace(x,x,x,x)+Cj
		xor	eax, eax
		jmp	short loc_4F19CA
_MmMapIoSpace@16 endp

; 
		align 8
; Exported entry 1433. MmMapIoSpaceEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMapIoSpaceEx(x, x, x, x)
		public _MmMapIoSpaceEx@16
_MmMapIoSpaceEx@16 proc	near		; CODE XREF: MmMapIoSpace(x,x,x,x)+33p
					; BgpFwLibraryEnable+ACp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	ecx, [ebp+arg_C]
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		test	al, 2
		jz	short loc_4F19F6
		mov	ecx, eax
		and	ecx, 0FFFFFFF8h
		cmp	ecx, 18h
		jz	short loc_4F1A0E

loc_4F19F6:				; CODE XREF: MmMapIoSpaceEx(x,x,x,x)+12j
					; MmMapIoSpaceEx(x,x,x,x)+38j
		push	[ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		mov	edx, eax
		push	[ebp+arg_0]
		push	0
		call	MiMapContiguousMemory

loc_4F1A08:				; CODE XREF: MmMapIoSpaceEx(x,x,x,x)+3Cj
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_4F1A0E:				; CODE XREF: MmMapIoSpaceEx(x,x,x,x)+1Cj
		test	al, 7
		jz	short loc_4F19F6
		xor	eax, eax
		jmp	short loc_4F1A08
_MmMapIoSpaceEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapContiguousMemory proc near		; CODE XREF: MiAllocateContiguousMemory+1ECp
					; MmMapIoSpaceEx(x,x,x,x)+2Bp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D0A59 SIZE 000000B5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_34], ecx
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_4C], edx
		mov	[ebp+var_30], eax
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_50], esi
		push	edi
		cmp	ebx, 0FFFFFFFFh
		jz	loc_4F1BA3
		cmp	ebx, 18h
		jz	loc_4F1BA3
		mov	eax, ebx
		and	eax, 5
		cmp	al, 5
		jz	loc_4F1BA3
		mov	eax, ebx
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jz	loc_4F1BA3
		mov	eax, ecx
		mov	edi, esi
		add	eax, edx
		push	0
		pop	ecx
		adc	ecx, esi
		mov	[ebp+var_2C], ecx
		mov	ecx, edx
		cmp	[ebp+var_2C], esi
		ja	short loc_4F1A92
		jb	loc_5D0A59
		cmp	eax, edx
		jbe	loc_5D0A59

loc_4F1A92:				; CODE XREF: MiMapContiguousMemory+6Cj
					; MiMapContiguousMemory+DF04Cj
		mov	esi, [ebp+var_34]
		mov	eax, edx
		and	eax, 0FFFh
		add	esi, 0FFFh
		add	esi, eax
		mov	[ebp+var_44], eax
		shrd	ecx, edi, 0Ch
		shr	esi, 0Ch
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], ecx
		cmp	ecx, 2000000h
		jnb	loc_5D0A67

loc_4F1AC0:				; CODE XREF: MiMapContiguousMemory+DF05Aj
		test	bl, 2
		jz	short loc_4F1AD2
		test	byte ptr ds:_MiFlags+2,	1
		jnz	loc_5D0A75

loc_4F1AD2:				; CODE XREF: MiMapContiguousMemory+ADj
					; MiMapContiguousMemory+DF062j
		and	[ebp+var_2C], 0
		test	edx, 1FFFFFh
		jz	loc_4F1B6A

loc_4F1AE2:				; CODE XREF: MiMapContiguousMemory+15Bj
					; MiMapContiguousMemory+16Aj ...
		mov	edi, [ebp+var_30]
		mov	eax, esi
		and	edi, 1
		mov	[ebp+var_40], esi
		mov	[ebp+var_48], edi
		jnz	loc_5D0A7D

loc_4F1AF6:				; CODE XREF: MiMapContiguousMemory+DF06Dj
		mov	edx, eax
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	esi, eax
		test	esi, esi
		jz	loc_4F1BA3
		test	byte ptr [ebp+var_30], 2
		mov	eax, edi
		jnz	loc_5D0A88

loc_4F1B18:				; CODE XREF: MiMapContiguousMemory+DF075j
		mov	edx, [ebp+var_3C]
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	eax
		push	ebx
		push	[ebp+var_38]
		mov	ecx, esi
		call	_MiFillSystemPtes@24 ; MiFillSystemPtes(x,x,x,x,x,x)
		test	eax, eax
		js	loc_5D0A90
		shl	esi, 9
		add	esi, [ebp+var_44]

loc_4F1B39:				; CODE XREF: MiMapContiguousMemory+183j
		mov	edi, [ebp+var_2C]
		and	edi, 1
		jnz	short loc_4F1B61

loc_4F1B41:				; CODE XREF: MiMapContiguousMemory+152j
		test	byte ptr ds:dword_7051B4, 1
		jnz	loc_5D0AA4

loc_4F1B4E:				; CODE XREF: MiMapContiguousMemory+DF0F3j
		mov	eax, esi

loc_4F1B50:				; CODE XREF: MiMapContiguousMemory+18Fj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_4F1B61:				; CODE XREF: MiMapContiguousMemory+129j
		mov	ecx, esi
		call	_MiMappingHasIoReferences@4 ; MiMappingHasIoReferences(x)
		jmp	short loc_4F1B41
; 

loc_4F1B6A:				; CODE XREF: MiMapContiguousMemory+C6j
		cmp	[ebp+var_34], 200000h
		jb	loc_4F1AE2
		mov	eax, [ebp+var_30]
		and	eax, 1
		mov	[ebp+var_48], eax
		jnz	loc_4F1AE2
		lea	eax, [ebp+var_2C]
		mov	edx, esi
		push	eax
		push	[ebp+var_30]
		push	ebx
		call	MiMapContiguousMemoryLarge
		mov	esi, eax
		test	esi, esi
		jnz	short loc_4F1B39
		mov	esi, [ebp+var_3C]
		jmp	loc_4F1AE2
; 

loc_4F1BA3:				; CODE XREF: MiMapContiguousMemory+2Fj
					; MiMapContiguousMemory+38j ...
		xor	eax, eax
		jmp	short loc_4F1B50
MiMapContiguousMemory endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiMappingHasIoReferences(x)
_MiMappingHasIoReferences@4 proc near	; CODE XREF: MmMapLockedPagesSpecifyCache+176p
					; MiMapContiguousMemory+14Dp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, 40000000h
		push	edi
		shr	esi, 9
		mov	edi, offset loc_7FFFF8
		and	esi, edi
		sub	esi, ebx
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	short loc_4F1BEC

loc_4F1BC9:				; CODE XREF: MiMappingHasIoReferences(x)+4Ej
		mov	edi, [esi]
		nop
		mov	ecx, [esi+4]

loc_4F1BCF:				; CODE XREF: MiMappingHasIoReferences(x)+56j
		mov	ebx, edi
		mov	eax, edi
		or	ebx, 200h
		mov	edx, ecx
		nop
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		jnz	short loc_4F1BFA
		cmp	edx, ecx
		jnz	short loc_4F1BFA
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4F1BEC:				; CODE XREF: MiMappingHasIoReferences(x)+1Fj
					; MiMappingHasIoReferences(x)+50j
		shr	esi, 9
		and	esi, edi
		sub	esi, ebx
		sub	eax, 1
		jz	short loc_4F1BC9
		jmp	short loc_4F1BEC
; 

loc_4F1BFA:				; CODE XREF: MiMappingHasIoReferences(x)+3Aj
					; MiMappingHasIoReferences(x)+3Ej
		mov	edi, eax
		mov	ecx, edx
		jmp	short loc_4F1BCF
_MiMappingHasIoReferences@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExAllocateContiguousHeapPool proc near	; CODE XREF: MiAllocateContiguousMemory+16Cp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D0B0E SIZE 0000022B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_C], edx
		mov	edx, [ebp+arg_8]
		mov	esi, ecx
		push	ebx
		mov	ecx, 200h
		mov	[ebp+var_4], ebx
		call	ExGetHeapFromType
		mov	edi, eax
		mov	eax, dword_6D3018
		mov	ecx, [eax]
		cmp	esi, [ecx+0F40h]
		ja	loc_5D0D1D
		mov	eax, [ecx+0F44h]
		cmp	[ebp+var_C], eax
		jb	loc_5D0D1D
		cmp	[ebp+arg_0], ebx
		jnz	short loc_4F1C65

loc_4F1C4C:				; CODE XREF: ExAllocateContiguousHeapPool+6Cj
		mov	al, [edi+109h]
		and	al, 7
		cmp	al, 1
		jnb	loc_5D0B0E

loc_4F1C5C:				; CODE XREF: ExAllocateContiguousHeapPool+DEF17j
					; ExAllocateContiguousHeapPool+DEF53j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_4F1C65:				; CODE XREF: ExAllocateContiguousHeapPool+4Aj
		cmp	[ebp+arg_0], 200h
		jnb	short loc_4F1C4C
		jmp	loc_5D0D1D
ExAllocateContiguousHeapPool endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExGetHeapFromType proc near		; CODE XREF: ExAllocateContiguousHeapPool+1Ep
					; ExAllocateHeapPages(x,x)+11p	...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D0D39 SIZE 0000004C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	edx, 80000000h
		jz	short loc_4F1CC9

loc_4F1C81:				; CODE XREF: ExGetHeapFromType+68j
		cmp	edx, dword_6D8E70
		sbb	eax, eax
		and	eax, edx
		imul	edx, eax, 20C0h
		add	edx, offset dword_6D8E80
		test	ecx, ecx
		js	loc_5D0D39
		mov	eax, ecx
		and	eax, 21h
		cmp	al, 21h
		jz	loc_5D0D51
		test	cl, 1
		jnz	short loc_4F1CDE
		xor	eax, eax
		test	ecx, 200h
		jz	short loc_4F1CBC
		inc	eax

loc_4F1CBC:				; CODE XREF: ExGetHeapFromType+45j
					; ExGetHeapFromType+6Dj
		cmp	[ebp+arg_0], 0
		jnz	short loc_4F1CE3
		mov	eax, [edx+eax*4]

loc_4F1CC5:				; CODE XREF: ExGetHeapFromType+76j
					; ExGetHeapFromType+DF0CEj ...
		pop	ebp
		retn	4
; 

loc_4F1CC9:				; CODE XREF: ExGetHeapFromType+Bj
		mov	eax, large fs:20h
		mov	eax, [eax+338h]
		movzx	edx, word ptr [eax+8Ah]
		jmp	short loc_4F1C81
; 

loc_4F1CDE:				; CODE XREF: ExGetHeapFromType+3Bj
		push	2
		pop	eax
		jmp	short loc_4F1CBC
; 

loc_4F1CE3:				; CODE XREF: ExGetHeapFromType+4Cj
		mov	eax, dword_6F9A80[eax*4]
		jmp	short loc_4F1CC5
ExGetHeapFromType endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmpKeyedStoreReference(x, x, x, x)
_SmpKeyedStoreReference@16 proc	near	; CODE XREF: SmpPageWrite(x,x,x,x,x,x,x)+37p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		or	ebx, 0FFFFFFFFh
		mov	[ebp+var_10], edx
		dec	word ptr [eax+13Ch]
		mov	edi, ecx
		nop
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	esi, [edi+10h]
		test	esi, esi
		jz	short loc_4F1D23
		mov	eax, [esi+4]
		cmp	eax, [ebp+arg_0]
		jz	short loc_4F1D6F

loc_4F1D23:				; CODE XREF: SmpKeyedStoreReference(x,x,x,x)+2Dj
		mov	eax, [edi+14h]
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_C], edx
		cmp	edx, eax
		jnz	short loc_4F1D85

loc_4F1D30:				; CODE XREF: SmpKeyedStoreReference(x,x,x,x)+85j
					; SmpKeyedStoreReference(x,x,x,x)+97j
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_4F1D45
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_4F1D45:				; CODE XREF: SmpKeyedStoreReference(x,x,x,x)+50j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_4F1D5A:				; CODE XREF: SmpKeyedStoreReference(x,x,x,x)+F1j
		xor	esi, esi

loc_4F1D5C:				; CODE XREF: SmpKeyedStoreReference(x,x,x,x)+100j
		test	esi, esi
		jnz	loc_4F1DF1
		mov	edx, [ebp+var_C]

loc_4F1D67:				; CODE XREF: SmpKeyedStoreReference(x,x,x,x)+B4j
		mov	[edi+14h], edx
		xor	esi, esi

loc_4F1D6C:				; CODE XREF: SmpKeyedStoreReference(x,x,x,x)+108j
		or	ebx, 0FFFFFFFFh

loc_4F1D6F:				; CODE XREF: SmpKeyedStoreReference(x,x,x,x)+35j
		test	esi, esi
		jz	short loc_4F1D30
		movzx	edx, word ptr [esi+8]
		mov	ecx, [ebp+var_10]
		call	SmKmStoreReference
		movzx	ebx, word ptr [esi+8]
		jmp	short loc_4F1D30
; 

loc_4F1D85:				; CODE XREF: SmpKeyedStoreReference(x,x,x,x)+42j
		mov	esi, [edi+8]
		mov	eax, ebx
		mov	ecx, esi
		shr	esi, 5
		and	ecx, 1Fh
		shl	eax, cl
		mov	ebx, eax
		mov	[ebp+var_8], eax
		and	ebx, edx
		mov	[ebp+var_4], ebx
		test	esi, esi
		jz	short loc_4F1D67
		movzx	eax, bl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_14], ebx
		imul	ecx, eax, 25h
		movzx	eax, bh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	edx, ecx, 25h
		lea	ecx, [esi-1]
		add	edx, eax
		mov	eax, [edi+0Ch]
		and	ecx, edx
		lea	esi, [eax+ecx*4]
		mov	ecx, [ebp+var_8]

loc_4F1DD5:				; CODE XREF: SmpKeyedStoreReference(x,x,x,x)+FEj
		mov	esi, [esi]
		test	esi, 1
		jnz	loc_4F1D5A
		mov	eax, [esi+4]
		and	eax, ecx
		cmp	ebx, eax
		jnz	short loc_4F1DD5
		jmp	loc_4F1D5C
; 

loc_4F1DF1:				; CODE XREF: SmpKeyedStoreReference(x,x,x,x)+72j
		mov	[edi+10h], esi
		jmp	loc_4F1D6C
_SmpKeyedStoreReference@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlFxToFnFrame	proc near		; CODE XREF: KeContextFromKframes+339p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005D0D85 SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], 8
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], esi
		push	7
		movzx	eax, word ptr [esi]
		xor	ecx, ecx
		pop	ebx
		mov	[edi], eax
		movzx	eax, word ptr [esi+2]
		mov	[edi+4], eax
		mov	eax, [esi+8]
		mov	[edi+0Ch], eax
		movzx	edx, word ptr [esi+6]
		movzx	eax, word ptr [esi+0Ch]
		shl	edx, 10h
		or	edx, eax
		mov	[ebp+var_18], edi
		mov	[edi+10h], edx
		mov	eax, [esi+10h]
		mov	[edi+14h], eax
		movzx	eax, word ptr [esi+14h]
		mov	[edi+18h], eax
		add	edi, 1Ch
		mov	al, [esi+4]
		mov	[ebp+var_1], al
		movzx	eax, word ptr [esi+2]
		shr	eax, 0Bh
		and	eax, 7
		mov	[ebp+var_10], edi
		sub	ebx, eax
		add	esi, 20h
		mov	al, [ebp+var_1]
		push	8
		mov	[ebp+var_C], esi
		pop	edx

loc_4F1E6E:				; CODE XREF: RtlFxToFnFrame+A7j
		movsd
		shl	ecx, 2
		movsd
		movsw
		test	al, al
		js	loc_5D0D85
		or	ecx, 3

loc_4F1E80:				; CODE XREF: RtlFxToFnFrame+DEFB0j
					; RtlFxToFnFrame+DEFBFj ...
		mov	esi, [ebp+var_C]
		add	al, al
		mov	edi, [ebp+var_10]
		dec	ebx
		add	esi, 10h
		mov	[ebp+var_1], al
		add	edi, 0Ah
		mov	[ebp+var_C], esi
		and	ebx, 7
		mov	[ebp+var_10], edi
		sub	edx, 1
		mov	[ebp+var_8], edx
		jnz	short loc_4F1E6E
		movzx	eax, cx
		mov	ecx, [ebp+var_18]
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx+8], eax
		leave
		retn
RtlFxToFnFrame	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __fastcall KiGetIsrStackToSwitch(x)
@KiGetIsrStackToSwitch@4 proc near	; CODE XREF: KiChainedDispatch()+23p
					; KiInterruptDispatch()+1Fp
		mov	edx, large fs:43BCh
		lea	eax, [edx-3000h]
		cmp	eax, ecx
		jbe	short loc_4F1ECF

loc_4F1EC3:				; CODE XREF: KiGetIsrStackToSwitch(x)+1Fj
		mov	eax, _KiBugCheckActive
		test	al, 3
		jnz	short loc_4F1ED3
		mov	eax, edx
		retn
; 

loc_4F1ECF:				; CODE XREF: KiGetIsrStackToSwitch(x)+Fj
		cmp	ecx, edx
		jnb	short loc_4F1EC3

loc_4F1ED3:				; CODE XREF: KiGetIsrStackToSwitch(x)+18j
		xor	eax, eax
		retn
@KiGetIsrStackToSwitch@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2328. RtlSetBit

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSetBit(x, x)
		public _RtlSetBit@8
_RtlSetBit@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	edx, ecx
		mov	eax, [ebp+arg_0]
		and	ecx, 7
		shr	edx, 3
		add	edx, [eax+4]
		movsx	eax, byte ptr [edx]
		bts	eax, ecx
		mov	[edx], al
		pop	ebp
		retn	8
_RtlSetBit@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpDeleteMutant(x)
_ExpDeleteMutant@4 proc	near		; DATA XREF: ExpMutantInitialization()+92o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	KeDeleteMutant
		pop	ebp
		retn	4
_ExpDeleteMutant@4 endp

; 
		align 10h

KeDeleteMutant:				; CODE XREF: ExpDeleteMutant(x)+8p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	edi
		mov	edi, large fs:124h
		mov	ebx, eax
		mov	[ebp-1Ch], eax
		mov	[ebp-1], al
		mov	[ebp-18h], edi
		mov	[ebp-24h], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp-2Ch], al
		mov	ecx, esi
		mov	eax, large fs:20h
		mov	[ebp-0Ch], eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	eax, [esi+4]
		or	byte ptr [esi+1Ch], 1
		mov	dword ptr [esi+4], 1
		test	eax, eax
		jle	short loc_4F1F8F
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax

loc_4F1F67:				; CODE XREF: .text:004F2009j
		push	dword ptr [ebp-2Ch]
		mov	ecx, [ebp-0Ch]
		xor	edx, edx
		push	1
		push	1
		call	KiExitDispatcher
		cmp	byte ptr [ebp-1], 0
		jnz	loc_5D0F43

loc_4F1F82:				; CODE XREF: .text:005D0F4Ej
					; .text:005D0F61j
		cmp	ebx, edi
		jz	loc_4F200E

loc_4F1F8A:				; CODE XREF: .text:004F2012j
					; .text:005D0F6Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F1F8F:				; CODE XREF: .text:004F1F5Dj
		xor	eax, eax
		lea	edi, [ebp-3Ch]
		stosd
		stosd
		stosd
		stosd
		mov	eax, [esi]
		and	dword ptr [ebp-20h], 0
		mov	[ebp-3Ch], eax
		mov	[ebp-3Ah], bl
		mov	eax, [ebp-3Ch]
		mov	[esi], eax
		mov	ebx, [esi+18h]
		movzx	eax, byte ptr [esi+1Dh]
		mov	[ebp-1Ch], eax
		mov	[ebp-8], ebx
		lea	edi, [ebx+2Ch]

loc_4F1FB9:				; CODE XREF: .text:004F2029j
		lock bts dword ptr [edi], 0
		jb	short loc_4F201D
		lea	eax, [esi+10h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_4F202D
		cmp	[ecx], eax
		jnz	short loc_4F202D
		mov	[ecx], edx
		mov	[edx+4], ecx
		test	byte ptr [esi+1Ch], 2
		jnz	loc_5D0DE1

loc_4F1FE0:				; CODE XREF: .text:005D0DE8j
					; .text:005D0DFAj
		lea	ecx, [esi+8]
		mov	dword ptr [edi], 0
		and	dword ptr [esi+18h], 0
		mov	edx, 0FFFFFF7Fh
		mov	eax, [ecx]
		cmp	eax, ecx
		jnz	loc_5D0DFF

loc_4F1FFC:				; CODE XREF: .text:005D0F3Ej
		lock and [esi],	edx
		mov	ecx, esi
		call	_KiAcquireReleaseObjectRundownLockExclusive@4 ;	KiAcquireReleaseObjectRundownLockExclusive(x)
		mov	edi, [ebp-18h]
		jmp	loc_4F1F67
; 

loc_4F200E:				; CODE XREF: .text:004F1F84j
		cmp	dword ptr [ebp-1Ch], 0
		jz	loc_4F1F8A
		jmp	loc_5D0F66
; 

loc_4F201D:				; CODE XREF: .text:004F1FBEj
					; .text:004F202Bj
		lea	ecx, [ebp-20h]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_4F1FB9
		jmp	short loc_4F201D
; 

loc_4F202D:				; CODE XREF: .text:004F1FCBj
					; .text:004F1FCFj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		align 8
; Exported entry 2356. RtlTestBit

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTestBit(x, x)
		public _RtlTestBit@8
_RtlTestBit@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	edx, ecx
		shr	edx, 3
		and	cl, 7
		mov	eax, [eax+4]
		mov	al, [edx+eax]
		sar	al, cl
		and	al, 1
		pop	ebp
		retn	8
_RtlTestBit@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiStoreMarkLockedPagesModified proc near ; CODE	XREF: MmStoreProbeAndLockPages+102p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005D0F72 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	edx, [ecx+18h]
		add	edx, [ecx+10h]
		mov	eax, [ecx+14h]
		and	edx, 0FFFh
		add	eax, 0FFFh
		add	eax, edx
		push	ebx
		shr	eax, 0Ch
		push	esi
		lea	esi, [ecx+1Ch]
		push	edi
		lea	eax, [esi+eax*4]
		mov	[ebp+var_14], eax
		cmp	esi, eax
		jnb	short loc_4F20F1

loc_4F208B:				; CODE XREF: MiStoreMarkLockedPagesModified+95j
		imul	edi, [esi], 1Ch
		mov	cl, 2
		add	edi, ds:_MmPfnDatabase
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	[ebp+var_8], 0
		lea	ebx, [edi+10h]
		mov	[ebp+var_1], al

loc_4F20A6:				; CODE XREF: MiStoreMarkLockedPagesModified+DEF26j
		lock bts dword ptr [ebx], 1Fh
		jb	loc_5D0F72
		xor	edx, edx
		lea	ecx, [edi+8]
		push	0
		inc	edx
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	cl, [edi+16h]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edx
		test	cl, 10h
		jz	short loc_4F20F6

loc_4F20CC:				; CODE XREF: MiStoreMarkLockedPagesModified+A2j
		mov	eax, 7FFFFFFFh
		lock and [ebx],	eax
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_C]
		mov	eax, ecx
		mov	edx, [ebp+var_10]
		or	eax, edx
		jnz	short loc_4F20FE

loc_4F20E9:				; CODE XREF: MiStoreMarkLockedPagesModified+B2j
		add	esi, 4
		cmp	esi, [ebp+var_14]
		jb	short loc_4F208B

loc_4F20F1:				; CODE XREF: MiStoreMarkLockedPagesModified+2Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F20F6:				; CODE XREF: MiStoreMarkLockedPagesModified+70j
		or	cl, 10h
		mov	[edi+16h], cl
		jmp	short loc_4F20CC
; 

loc_4F20FE:				; CODE XREF: MiStoreMarkLockedPagesModified+8Dj
		push	edx
		push	ecx
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo
		jmp	short loc_4F20E9
MiStoreMarkLockedPagesModified endp

; 

; __stdcall MiMarkPfnVerified(x, x)
_MiMarkPfnVerified@8:			; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+76Cp
					; .text:0047D9D8p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	edi, eax
		test	bl, 4
		jz	short loc_4F2138
		mov	byte ptr [ebp-1], 21h
		jmp	short loc_4F2142
; 

loc_4F2138:				; CODE XREF: .text:004F2130j
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp-1], al

loc_4F2142:				; CODE XREF: .text:004F2136j
		mov	edx, 30000000h
		test	bl, 2
		jz	short loc_4F216A
		mov	ecx, [esi+18h]
		and	ecx, 70000000h
		cmp	ecx, edx
		jnz	short loc_4F215C
		and	ebx, 0FFFFFFFDh

loc_4F215C:				; CODE XREF: .text:004F2157j
		test	bl, 2
		jz	short loc_4F216A
		test	byte ptr ds:_MiFlags+2,	1
		jnz	short loc_4F21CB

loc_4F216A:				; CODE XREF: .text:004F214Aj
					; .text:004F215Fj
		mov	ecx, [esi+18h]
		mov	eax, ecx
		and	eax, 70000000h
		cmp	eax, edx
		jz	short loc_4F2191
		mov	eax, [esi+8]
		and	ecx, 0BFFFFFFFh
		or	ecx, edx
		and	eax, 400h
		or	eax, 0
		mov	[esi+18h], ecx
		jz	short loc_4F2191
		nop

loc_4F2191:				; CODE XREF: .text:004F2176j
					; .text:004F218Ej
		test	bl, 1
		jz	short loc_4F21AD
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_4F21AD
		lea	eax, [ebp-0Ch]
		xor	edx, edx
		push	eax
		inc	edx
		mov	ecx, esi
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)

loc_4F21AD:				; CODE XREF: .text:004F2194j
					; .text:004F219Dj
		mov	cl, [ebp-1]
		cmp	cl, 21h
		jz	short loc_4F21C6
		mov	edx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4F21C6:				; CODE XREF: .text:004F21B3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F21CB:				; CODE XREF: .text:004F2168j
		push	0
		push	0
		push	edi
		push	5150Ch
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryBasePriorityThread(x)
_KeQueryBasePriorityThread@4 proc near	; CODE XREF: NtQueryInformationThread+373p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, [edi+150h]
		mov	[ebp+var_C], ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		lea	eax, [ebx+34h]
		push	eax
		mov	[ebp+var_10], eax
		call	ExAcquireSpinLockSharedAtDpcLevel
		and	[ebp+var_8], 0
		lea	ebx, [edi+2Ch]

loc_4F2210:				; CODE XREF: KeQueryBasePriorityThread(x)+87j
		lock bts dword ptr [ebx], 0
		jb	short loc_4F2257
		mov	eax, [ebp+var_C]
		movsx	esi, byte ptr [edi+15Bh]
		movsx	eax, byte ptr [eax+68h]
		sub	esi, eax
		mov	al, [edi+18Dh]
		test	al, al
		jnz	short loc_4F224F

loc_4F2231:				; CODE XREF: KeQueryBasePriorityThread(x)+77j
		push	[ebp+var_10]
		mov	dword ptr [ebx], 0
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F224F:				; CODE XREF: KeQueryBasePriorityThread(x)+51j
		movsx	esi, al
		shl	esi, 4
		jmp	short loc_4F2231
; 

loc_4F2257:				; CODE XREF: KeQueryBasePriorityThread(x)+37j
					; KeQueryBasePriorityThread(x)+85j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_4F2257
		jmp	short loc_4F2210
_KeQueryBasePriorityThread@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SepDereferenceLuidToIndexEntry(x)
_SepDereferenceLuidToIndexEntry@4 proc near ; CODE XREF: SepSetProcessUniqueAttribute(x)+3Ep
					; SepRefDerefLuidToIndexEntryIfNecessary(x,x)+Cj
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+0Ch], eax
		dec	eax
		test	eax, eax
		jle	short loc_4F2276
		retn
; 

loc_4F2276:				; CODE XREF: SepDereferenceLuidToIndexEntry(x)+Bj
		jnz	short loc_4F227D
		mov	byte ptr [ecx+20h], 1
		retn
; 

loc_4F227D:				; CODE XREF: SepDereferenceLuidToIndexEntry(x):loc_4F2276j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		retn
_SepDereferenceLuidToIndexEntry@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CfgAddressToBitState proc near		; CODE XREF: MiValidateUserCallTarget+Ep
					; MiValidateExportSuppressedUserCallTarget(x,x)+3p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	18h
		push	offset dword_6A3338
		call	__SEH_prolog4
		mov	edi, edx
		mov	esi, ecx
		and	[ebp+ms_exc.disabled], 0
		shr	esi, 4
		add	esi, esi
		and	[ebp+var_1C], 0
		mov	eax, esi
		shr	eax, 3
		mov	ecx, esi
		and	ecx, 7
		mov	[ebp+var_1C], ecx
		mov	al, [eax+edi]
		sar	al, cl
		and	al, 1
		movzx	edx, al
		mov	[ebp+var_24], edx
		lea	ecx, [esi+1]
		and	[ebp+var_20], 0
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		mov	[ebp+var_20], ecx
		mov	al, [eax+edi]
		sar	al, cl
		and	al, 1
		movzx	eax, al
		mov	[ebp+var_28], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		add	eax, eax
		or	eax, edx

loc_4F22E5:				; CODE XREF: sub_5D0F89+Cj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
CfgAddressToBitState endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiIsProcessCfgExportSuppressionEnabled()
_MiIsProcessCfgExportSuppressionEnabled@0 proc near
					; CODE XREF: MiCfgMarkValidEntries:loc_7C080Ap
					; MiValidateExportSuppressedUserCallTarget(x,x)+Dp ...
		call	_MiIsProcessCfgEnabled@0 ; MiIsProcessCfgEnabled()
		test	eax, eax
		jz	short loc_4F231A
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	byte ptr [eax+490h], 2
		jz	short loc_4F231A
		xor	eax, eax
		inc	eax
		retn
; 

loc_4F231A:				; CODE XREF: MiIsProcessCfgExportSuppressionEnabled()+7j
					; MiIsProcessCfgExportSuppressionEnabled()+1Cj
		xor	eax, eax
		retn
_MiIsProcessCfgExportSuppressionEnabled@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExfWaitForRundownProtectionRelease proc	near
					; CODE XREF: ExWaitForRundownProtectionRelease(x)+15j

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D0F9A SIZE 00000082 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+30h+var_14], eax
		lea	edi, [esp+30h+var_18]
		mov	[esp+30h+var_10], eax
		mov	ebx, ecx
		mov	[esp+30h+var_C], eax
		mov	esi, edx
		mov	[esp+30h+var_8], eax
		inc	eax
		mov	[esp+30h+var_4], eax
		or	edi, eax

loc_4F234D:				; CODE XREF: ExfWaitForRundownProtectionRelease+D2j
		shr	esi, 1
		mov	eax, edx
		mov	ecx, edi
		mov	[esp+30h+var_18], esi
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	loc_4F23EC
		test	esi, esi
		jz	short loc_4F23E5
		and	[esp+30h+var_24], 0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_5D0F9A
		mov	esi, _ExpSpinCycleCount
		xor	eax, eax
		inc	eax
		cmp	ds:0FFDF036Ah, ax
		jbe	short loc_4F23BA
		cmp	byte ptr ds:0FFDF0297h,	0
		jnz	loc_5D0FB1
		movzx	ecx, word ptr ds:0FFDF02D6h
		xor	edx, edx
		mov	eax, esi
		div	ecx
		xor	edx, edx

loc_4F23A8:				; CODE XREF: ExfWaitForRundownProtectionRelease+9Aj
		mov	ecx, [esp+30h+var_4]
		test	cl, 1
		jz	short loc_4F23E5
		cmp	edx, eax
		jz	short loc_4F23BA
		pause
		inc	edx
		jmp	short loc_4F23A8
; 

loc_4F23BA:				; CODE XREF: ExfWaitForRundownProtectionRelease+6Cj
					; ExfWaitForRundownProtectionRelease+95j ...
		push	0
		xor	esi, esi
		lea	eax, [esp+34h+var_14]
		inc	esi
		push	esi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+30h+var_4]
		lock btr dword ptr [eax], 0
		jnb	short loc_4F23E5
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+40h+var_14]
		push	eax
		call	KeWaitForSingleObject

loc_4F23E5:				; CODE XREF: ExfWaitForRundownProtectionRelease+47j
					; ExfWaitForRundownProtectionRelease+91j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_4F23EC:				; CODE XREF: ExfWaitForRundownProtectionRelease+3Fj
		mov	edx, eax
		mov	esi, eax
		jmp	loc_4F234D
ExfWaitForRundownProtectionRelease endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 678. FsRtlUpdateDiskCounters

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlUpdateDiskCounters(x, x, x, x)
		public _FsRtlUpdateDiskCounters@16
_FsRtlUpdateDiskCounters@16 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		or	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:20h
		mov	[ebp+var_8], edi
		jz	short loc_4F2443
		lea	eax, [edi+4158h]
		mov	edi, eax

loc_4F241E:				; CODE XREF: FsRtlUpdateDiskCounters(x,x,x,x)+3Fj
					; FsRtlUpdateDiskCounters(x,x,x,x)+44j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		mov	eax, esi
		add	ebx, [ebp+arg_0]
		mov	ecx, edx
		mov	[ebp+var_4], edx
		adc	ecx, [ebp+arg_4]
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_4F241E
		cmp	edx, [ebp+var_4]
		jnz	short loc_4F241E
		mov	edi, [ebp+var_8]

loc_4F2443:				; CODE XREF: FsRtlUpdateDiskCounters(x,x,x,x)+1Aj
		mov	eax, [ebp+arg_8]
		or	eax, [ebp+arg_C]
		jnz	short loc_4F2452

loc_4F244B:				; CODE XREF: FsRtlUpdateDiskCounters(x,x,x,x)+8Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_4F2452:				; CODE XREF: FsRtlUpdateDiskCounters(x,x,x,x)+4Fj
		lea	eax, [edi+4160h]
		mov	[ebp+arg_4], eax

loc_4F245B:				; CODE XREF: FsRtlUpdateDiskCounters(x,x,x,x)+87j
					; FsRtlUpdateDiskCounters(x,x,x,x)+8Dj
		mov	esi, [eax]
		mov	ebx, esi
		mov	edi, [eax+4]
		mov	ecx, edi
		add	ebx, [ebp+arg_8]
		mov	eax, esi
		mov	[ebp+var_8], edi
		mov	edx, edi
		adc	ecx, [ebp+arg_C]
		nop
		mov	edi, [ebp+arg_4]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_8]
		cmp	eax, esi
		mov	eax, [ebp+arg_4]
		jnz	short loc_4F245B
		cmp	edx, edi
		jz	short loc_4F244B
		jmp	short loc_4F245B
_FsRtlUpdateDiskCounters@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeTransitionPteValid(x)
_MiMakeTransitionPteValid@4 proc near	; CODE XREF: MiIssueHardFault(x,x)+405p
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+D72p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	edx, [eax]
		mov	[ebp+var_8], eax
		nop
		mov	esi, [eax+4]
		mov	ecx, edx
		mov	eax, dword_6D0704
		mov	edi, esi
		mov	ebx, dword_6D0700
		mov	[ebp+var_4], eax
		mov	eax, ebx
		or	eax, [ebp+var_4]
		jz	short loc_4F24CF
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4F24CF
		mov	esi, [ebp+var_4]
		mov	edx, ebx
		not	edx
		not	esi
		and	edx, ecx
		and	esi, edi

loc_4F24CF:				; CODE XREF: MiMakeTransitionPteValid(x)+2Cj
					; MiMakeTransitionPteValid(x)+36j
		shrd	ecx, edi, 5
		shrd	edx, esi, 0Ch
		and	ecx, 1Fh
		push	ecx
		mov	ecx, [ebp+var_8]
		and	edx, 3FFFFFFh
		call	MiMakeValidPte
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiMakeTransitionPteValid@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 806. IoCsqInsertIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCsqInsertIrp(x, x, x)
		public _IoCsqInsertIrp@12
_IoCsqInsertIrp@12 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	IoCsqInsertIrpEx
		pop	ebp
		retn	0Ch
_IoCsqInsertIrp@12 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 807. IoCsqInsertIrpEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoCsqInsertIrpEx
IoCsqInsertIrpEx proc near		; CODE XREF: IoCsqInsertIrp(x,x,x)+10p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D101C SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		xor	eax, eax
		mov	byte ptr [ebp+var_4], al
		mov	[ebp+var_8], eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		test	ebx, ebx
		jnz	short loc_4F2587
		mov	[edi+4Ch], esi

loc_4F2534:				; CODE XREF: IoCsqInsertIrpEx+84j
		mov	[esi+1Ch], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		call	dword ptr [esi+10h]
		cmp	dword ptr [esi], 3
		mov	eax, [esi+4]
		jnz	short loc_4F2581
		push	[ebp+arg_C]
		push	edi
		push	esi
		call	eax
		mov	[ebp+var_8], eax
		test	eax, eax
		js	short loc_4F2570

loc_4F2555:				; CODE XREF: IoCsqInsertIrpEx+73j
		mov	eax, [edi+60h]
		lea	ecx, [edi+38h]
		or	byte ptr [eax+3], 1
		mov	eax, offset IopCsqCancelRoutine
		xchg	eax, [ecx]
		cmp	byte ptr [edi+24h], 0
		jnz	loc_5D101C

loc_4F2570:				; CODE XREF: IoCsqInsertIrpEx+41j
					; IoCsqInsertIrpEx+DEB10j
		push	[ebp+var_4]
		push	esi
		call	dword ptr [esi+14h]

loc_4F2577:				; CODE XREF: IoCsqInsertIrpEx+DEB33j
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_4F2581:				; CODE XREF: IoCsqInsertIrpEx+33j
		push	edi
		push	esi
		call	eax
		jmp	short loc_4F2555
; 

loc_4F2587:				; CODE XREF: IoCsqInsertIrpEx+1Dj
		mov	[edi+4Ch], ebx
		mov	[ebx+4], edi
		mov	[ebx+8], esi
		mov	dword ptr [ebx], 1
		jmp	short loc_4F2534
IoCsqInsertIrpEx endp


;  S U B	R O U T	I N E 


; __stdcall IopUpdateWriteTransferCount(x, x)
_IopUpdateWriteTransferCount@8 proc near ; CODE	XREF: IopUpdateIrpTransferCount(x,x)+16j
					; IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+F9p
		cmp	_IoCountOperations, 1
		push	esi
		mov	esi, ecx
		jnz	short loc_4F25D9
		test	edx, edx
		jnz	short loc_4F25B4
		mov	eax, large fs:124h
		mov	edx, [eax+150h]

loc_4F25B4:				; CODE XREF: IopUpdateWriteTransferCount(x,x)+Ej
		lea	eax, [edx+210h]
		lock add [eax],	ecx
		jnb	short loc_4F25C4
		lock adc dword ptr [eax+4], 0

loc_4F25C4:				; CODE XREF: IopUpdateWriteTransferCount(x,x)+25j
		mov	eax, large fs:20h
		add	eax, 510h
		lock add [eax],	esi
		jnb	short loc_4F25D9
		lock adc dword ptr [eax+4], 0

loc_4F25D9:				; CODE XREF: IopUpdateWriteTransferCount(x,x)+Aj
					; IopUpdateWriteTransferCount(x,x)+3Aj
		pop	esi
		retn
_IopUpdateWriteTransferCount@8 endp

; 
		align 10h
; Exported entry 2505. SeSetAuditParameter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeSetAuditParameter
SeSetAuditParameter proc near		; CODE XREF: CmpReportAuditVirtualizationEvent(x,x)+CDp
					; CmpReportAuditVirtualizationEvent(x,x)+1A4p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D104A SIZE 00000086 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ecx, ecx
		mov	ebx, ecx
		test	esi, esi
		jz	short loc_4F265D
		mov	eax, [ebp+arg_4]
		push	edi
		cmp	eax, 23h
		ja	short loc_4F2669
		movzx	eax, ds:byte_4F269C[eax]
		mov	edi, [ebp+arg_8]
		jmp	ds:off_4F2670[eax*4]

loc_4F260C:				; DATA XREF: .text:004F2680o
		mov	ecx, [ebp+arg_C]
		imul	edx, edi, 14h
		push	8
		mov	eax, [ecx]
		mov	[edx+esi+20h], eax
		mov	eax, [ecx+4]
		mov	[edx+esi+24h], eax

loc_4F2621:				; CODE XREF: SeSetAuditParameter+67j
					; SeSetAuditParameter+DEABBj
		pop	ebx

loc_4F2622:				; CODE XREF: SeSetAuditParameter+25j
					; SeSetAuditParameter+7Bj ...
		mov	ecx, [ebp+arg_4]
		imul	eax, edi, 14h
		mov	[eax+esi+18h], ecx
		mov	[eax+esi+1Ch], ebx
		xor	eax, eax

loc_4F2632:				; CODE XREF: SeSetAuditParameter+8Ej
					; SeSetAuditParameter+DEA6Fj
		pop	edi

loc_4F2633:				; CODE XREF: SeSetAuditParameter+82j
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_4F2639:				; CODE XREF: SeSetAuditParameter+25j
					; DATA XREF: .text:004F2678o
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_4F263E:				; CODE XREF: SeSetAuditParameter+87j
		imul	ecx, edi, 14h
		push	4
		mov	[ecx+esi+20h], eax
		jmp	short loc_4F2621
; 

loc_4F2649:				; CODE XREF: SeSetAuditParameter+25j
					; DATA XREF: .text:004F2674o
		mov	ecx, [ebp+arg_C]
		movzx	ebx, word ptr [ecx]
		add	ebx, 8

loc_4F2652:				; CODE XREF: SeSetAuditParameter+DEA82j
					; SeSetAuditParameter+DEAD7j ...
		lea	eax, [edi+2]
		imul	eax, 14h
		mov	[eax+esi], ecx
		jmp	short loc_4F2622
; 

loc_4F265D:				; CODE XREF: SeSetAuditParameter+10j
		mov	eax, 0C000000Dh
		jmp	short loc_4F2633
; 

loc_4F2664:				; CODE XREF: SeSetAuditParameter+25j
					; DATA XREF: .text:004F268Co
		mov	eax, [ebp+arg_C]
		jmp	short loc_4F263E
; 

loc_4F2669:				; CODE XREF: SeSetAuditParameter+19j
					; SeSetAuditParameter+25j
					; DATA XREF: ...
		mov	eax, 0C000000Dh
		jmp	short loc_4F2632
SeSetAuditParameter endp

; 
off_4F2670	dd offset loc_4F2622	; DATA XREF: SeSetAuditParameter+25r
		dd offset loc_4F2649
		dd offset loc_4F2639
		dd offset loc_5D1054
		dd offset loc_4F260C
		dd offset loc_5D104A
		dd offset loc_5D1067
		dd offset loc_4F2664
		dd offset loc_5D108D
		dd offset loc_5D10A0
		dd offset loc_4F2669
byte_4F269C	db 0			; DATA XREF: SeSetAuditParameter+1Br
		db 2 dup(1), 2
		dd 5000403h, 7020506h, 4040804h, 5040505h, 9040205h, 2040A0Ah
		dd 0A0A0A09h, 4010A0Ah

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVaMgrRegionAllocate proc near	; CODE XREF: RtlpHpVaMgrAlloc+204p

var_18		= dword	ptr -18h
var_C		= word ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D10D0 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		mov	esi, ecx
		lea	edx, [ebp+var_8]
		push	edi
		movzx	eax, word ptr [esi+14h]
		shl	eax, 14h
		push	eax
		mov	[ebp+var_8], eax
		call	_RtlpHpVaMgrAllocAligned@12 ; RtlpHpVaMgrAllocAligned(x,x,x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	short loc_4F271D
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		mov	ecx, esi
		stosd
		stosd
		stosd
		mov	ax, [esi+14h]
		mov	[ebp+var_C], ax
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlpHpVaMgrRangeCreate
		mov	esi, eax
		mov	ecx, esi
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	[ebp+var_4], ecx
		jnz	loc_5D10D0

loc_4F2717:				; CODE XREF: RtlpHpVaMgrRegionAllocate+5Fj
					; RtlpHpVaMgrRegionAllocate+DEA20j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_4F271D:				; CODE XREF: RtlpHpVaMgrRegionAllocate+26j
		xor	esi, esi
		jmp	short loc_4F2717
RtlpHpVaMgrRegionAllocate endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegSegmentAllocate proc near	; CODE XREF: RtlpHpSegPageRangeAllocate+5E3p
					; RtlpHpSegContextReserve+838E5p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D10E5 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		and	[esp+1Ch+var_14], 0
		lea	eax, [edx+1]
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	edx, eax
		mov	[esp+2Ch+var_18], eax
		mov	esi, ecx
		call	RtlpHpSegMgrAllocate
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_4F27FE
		mov	edx, [esi]
		mov	eax, [esi+20h]
		not	edx
		mov	ecx, [esi+1Ch]
		inc	edx
		push	eax
		push	ecx
		mov	[esp+30h+var_4], edx
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		mov	edi, ebx
		lea	ecx, [eax+4]
		xor	eax, eax
		cmp	edx, 100000h
		setnz	al
		sub	edi, [ecx]
		inc	eax
		shr	edi, 14h
		mov	[esp+28h+var_10], eax
		add	edi, edi
		mov	eax, edx
		shr	eax, 14h
		add	eax, eax
		add	eax, edi
		mov	[esp+28h+var_C], eax
		cmp	edi, eax
		jnb	short loc_4F27BF
		lea	eax, [ecx+4]
		mov	[esp+28h+var_8], eax

loc_4F279C:				; CODE XREF: RtlpHpSegSegmentAllocate+97j
		push	[esp+28h+var_10]
		mov	edx, edi
		push	ecx
		mov	ecx, eax
		call	RtlCSparseBitmapBitmaskWrite
		test	eax, eax
		js	short loc_4F2802
		mov	eax, [esp+28h+var_8]
		add	edi, 2
		cmp	edi, [esp+28h+var_C]
		jb	short loc_4F279C
		mov	edx, [esp+28h+var_4]

loc_4F27BF:				; CODE XREF: RtlpHpSegSegmentAllocate+71j
		movsx	eax, word ptr [esi+12h]
		mov	[esp+28h+var_14], 1
		add	eax, esi
		shr	edx, 0Ch
		lock xadd [eax], edx
		movsx	eax, word ptr [esi+12h]
		mov	edx, [esp+28h+var_18]
		add	eax, 4
		mov	ecx, edx
		add	eax, esi
		lock xadd [eax], ecx
		mov	edi, ebx
		xor	ebx, ebx

loc_4F27EB:				; CODE XREF: RtlpHpSegSegmentAllocate+E6j
		test	ebx, ebx
		jnz	loc_5D10E5

loc_4F27F3:				; CODE XREF: RtlpHpSegSegmentAllocate+DEj
					; RtlpHpSegSegmentAllocate+DE9D1j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4F27FE:				; CODE XREF: RtlpHpSegSegmentAllocate+2Aj
		xor	edi, edi
		jmp	short loc_4F27F3
; 

loc_4F2802:				; CODE XREF: RtlpHpSegSegmentAllocate+8Aj
		mov	edx, [esp+28h+var_18]
		xor	edi, edi
		jmp	short loc_4F27EB
RtlpHpSegSegmentAllocate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCSparseBitmapBitmaskWrite proc near	; CODE XREF: RtlpHpSegSegmentAllocate+83p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D10F8 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		and	[esp+1Ch+var_14], 0
		xor	eax, eax
		and	[esp+1Ch+var_10], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+28h+var_C]
		mov	[esp+28h+var_18], ecx
		stosd
		mov	ebx, edx
		stosd
		stosd
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_5D10F8
		lea	eax, [esp+28h+var_14]
		shr	edx, 0Fh
		push	eax
		lea	eax, [esp+2Ch+var_C]
		push	eax
		call	RtlpCSparseBitmapPageCommit
		mov	esi, eax
		test	esi, esi
		js	short loc_4F28A9
		mov	eax, [esp+28h+var_18]
		mov	ecx, ebx
		shr	ecx, 5
		push	3
		pop	esi
		mov	eax, [eax+4]
		lea	eax, [eax+ecx*4]
		movzx	ecx, bl
		mov	edx, [eax]
		and	ecx, 1Fh
		shl	esi, cl
		mov	ebx, eax
		shl	edi, cl
		not	esi
		mov	ecx, esi
		mov	[esp+28h+var_18], eax
		and	ecx, edx

loc_4F287E:				; CODE XREF: RtlCSparseBitmapBitmaskWrite+BEj
		mov	eax, edx
		or	ecx, edi
		lock cmpxchg [ebx], ecx
		cmp	edx, eax
		jnz	short loc_4F28C2
		xor	esi, esi
		lea	ecx, [esp+28h+var_C]
		call	RtlpCSparseBitmapUnlock
		mov	eax, [esp+28h+var_10]
		cmp	byte ptr [eax+18h], 0
		jz	short loc_4F28B4
		mov	cl, byte ptr [esp+28h+var_14]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4F28A9:				; CODE XREF: RtlCSparseBitmapBitmaskWrite+48j
					; RtlCSparseBitmapBitmaskWrite+B6j
		mov	eax, esi

loc_4F28AB:				; CODE XREF: RtlCSparseBitmapBitmaskWrite+DE8F7j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4F28B4:				; CODE XREF: RtlCSparseBitmapBitmaskWrite+93j
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_4F28A9
; 

loc_4F28C2:				; CODE XREF: RtlCSparseBitmapBitmaskWrite+7Ej
		mov	ecx, esi
		mov	edx, eax
		and	ecx, eax
		jmp	short loc_4F287E
RtlCSparseBitmapBitmaskWrite endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVaMgrAlloc proc near		; CODE XREF: RtlpHpAllocVA+17Ep

var_50		= dword	ptr -50h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D1106 SIZE 00000048 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_30], 0
		mov	eax, edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_24], eax
		mov	ecx, 100000h
		mov	[ebp+var_40], esi
		mov	edx, [eax]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	ecx, 200000h
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		push	edi
		mov	edi, [ebx+8]
		test	edx, edx
		jz	loc_5D1106

loc_4F2921:				; CODE XREF: RtlpHpVaMgrAlloc+DE83Ej
		movzx	eax, word ptr [esi+14h]
		mov	cl, [esi+1Ah]
		shl	eax, 14h
		shr	eax, 1
		cmp	edx, eax
		ja	loc_4F29CF
		shr	edx, 14h
		mov	[ebp+var_24], edx
		movzx	edx, cl
		mov	ecx, esi
		and	edx, 1
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	edx, [ebp+var_24]
		mov	ecx, esi
		mov	[ebp+var_15], al
		lea	eax, [ebp+var_30]
		push	eax
		shr	edi, 14h
		push	edi
		call	RtlpHpVaMgrRangeFind
		mov	edi, eax
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_34], eax
		test	edi, edi
		jz	loc_4F2A8E
		push	edi
		lea	eax, [esi+4]
		push	eax
		call	RtlRbRemoveNode
		cmp	[ebp+var_30], edi
		jnz	loc_5D1124

loc_4F2980:				; CODE XREF: RtlpHpVaMgrAlloc+224j
					; RtlpHpVaMgrAlloc+DE87Fj
		mov	eax, [esi+0Ch]
		mov	edx, edi
		push	0
		sub	edx, [eax+14h]
		mov	ecx, [eax+0Ch]
		shr	edx, cl
		mov	ecx, esi
		shl	edx, 14h
		add	edx, [eax+4]
		mov	[ebp+var_20], edx
		mov	edx, edi
		call	_RtlpHpVaMgrRangeMarkAllocated@12 ; RtlpHpVaMgrRangeMarkAllocated(x,x,x)
		mov	eax, [ebp+var_24]
		cmp	[edi+0Ch], ax
		ja	loc_4F2AA5

loc_4F29AE:				; CODE XREF: RtlpHpVaMgrAlloc+1F1j
		mov	eax, [ebp+var_20]
		mov	[ebp+var_28], eax
		test	byte ptr [esi+1Ah], 1
		jz	loc_4F2A5B
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_15]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4F2A41
; 

loc_4F29CF:				; CODE XREF: RtlpHpVaMgrAlloc+65j
		movzx	eax, cl
		shr	eax, 1
		and	eax, 3
		mov	eax, [ebp+eax*4+var_14]
		cmp	edi, eax
		ja	short loc_4F29E1
		mov	edi, eax

loc_4F29E1:				; CODE XREF: RtlpHpVaMgrAlloc+113j
		lea	ecx, [edx-1]
		dec	edx
		add	ecx, edi
		lea	eax, [edi-1]
		and	ecx, eax
		mov	eax, edi
		sub	eax, ecx
		mov	ecx, esi
		add	eax, edx
		lea	edx, [ebp+var_2C]
		push	edi
		mov	[ebp+var_2C], eax
		call	_RtlpHpVaMgrAllocAligned@12 ; RtlpHpVaMgrAllocAligned(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	short loc_4F2A44
		xor	eax, eax
		lea	edi, [ebp+var_50]
		stosd
		mov	edx, ecx
		mov	ecx, esi
		stosd
		stosd
		mov	al, [esi+18h]
		mov	byte ptr [ebp+var_50+1], al
		mov	eax, [ebp+var_2C]
		shr	eax, 14h
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_50]
		push	eax
		mov	byte ptr [ebp+var_50], 5
		call	RtlpHpVaMgrRangeCreate
		test	eax, eax
		jz	loc_5D110D
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_2C]
		mov	[ecx], eax

loc_4F2A41:				; CODE XREF: RtlpHpVaMgrAlloc+103j
					; RtlpHpVaMgrAlloc+1C2j
		mov	ecx, [ebp+var_28]

loc_4F2A44:				; CODE XREF: RtlpHpVaMgrAlloc+13Dj
					; RtlpHpVaMgrAlloc+DE855j
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_4F2A5B:				; CODE XREF: RtlpHpVaMgrAlloc+EEj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_4F2A6F
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_4F2A6F:				; CODE XREF: RtlpHpVaMgrAlloc+19Cj
		xor	edi, edi
		mov	[ebp+var_24], edi
		test	esi, 7FFFFFFCh
		jnz	loc_4F2B38

loc_4F2A80:				; CODE XREF: RtlpHpVaMgrAlloc+3A1j
					; RtlpHpVaMgrAlloc+3ADj ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_4F2A41
; 

loc_4F2A8E:				; CODE XREF: RtlpHpVaMgrAlloc+9Dj
		test	byte ptr [esi+1Ah], 1
		jz	short loc_4F2AF3
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_15]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4F2ACC
; 

loc_4F2AA5:				; CODE XREF: RtlpHpVaMgrAlloc+DEj
		movzx	eax, ax
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	_RtlpHpVaMgrRangeSplit@12 ; RtlpHpVaMgrRangeSplit(x,x,x)
		mov	edx, eax
		mov	ecx, esi
		call	_RtlpHpVaMgrFree@8 ; RtlpHpVaMgrFree(x,x)
		jmp	loc_4F29AE
; 

loc_4F2AC0:				; CODE XREF: RtlpHpVaMgrAlloc+245j
					; RtlpHpVaMgrAlloc+52Dj ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_4F2ACC:				; CODE XREF: RtlpHpVaMgrAlloc+1D9j
		mov	ecx, esi
		call	RtlpHpVaMgrRegionAllocate
		mov	edi, eax
		test	edi, edi
		jz	loc_5D111D
		movzx	edx, byte ptr [esi+1Ah]
		mov	ecx, esi
		and	edx, 1
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	[ebp+var_15], al
		jmp	loc_4F2980
; 

loc_4F2AF3:				; CODE XREF: RtlpHpVaMgrAlloc+1C8j
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_4F2B04
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_4F2B04:				; CODE XREF: RtlpHpVaMgrAlloc+231j
		xor	edi, edi
		mov	[ebp+var_3C], edi
		test	esi, 7FFFFFFCh
		jz	short loc_4F2AC0
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_1C], eax
		cmp	esi, edx
		jnb	loc_4F2CDD

loc_4F2B2D:				; CODE XREF: RtlpHpVaMgrAlloc+5B4j
					; RtlpHpVaMgrAlloc+5C7j
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_38], ecx
		jmp	loc_4F2CFD
; 

loc_4F2B38:				; CODE XREF: RtlpHpVaMgrAlloc+1B0j
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_1C], eax
		cmp	esi, edx
		jb	short loc_4F2B6E
		cmp	byte ptr dword_6D3994[ecx], 1
		jnz	loc_4F2E62

loc_4F2B5D:				; CODE XREF: RtlpHpVaMgrAlloc+5A7j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_34], eax
		mov	eax, [ebp+var_1C]

loc_4F2B6E:				; CODE XREF: RtlpHpVaMgrAlloc+284j
					; RtlpHpVaMgrAlloc+59Aj ...
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	edx, esi
		mov	[ebp+var_15], cl
		mov	ecx, [ebp+var_34]
		push	ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_4F2BB1
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_4F2C87
		mov	eax, ecx
		jmp	short loc_4F2C19
; 

loc_4F2BB1:				; CODE XREF: RtlpHpVaMgrAlloc+2D0j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_4F2BC7
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_4F2BC7:				; CODE XREF: RtlpHpVaMgrAlloc+2F3j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_24], edi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [ebp+var_1C]
		mov	dword ptr [ecx+10h], 0
		push	30h
		sub	ecx, [eax+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_15], 1
		mov	edx, eax
		jnz	loc_4F2C98
		mov	eax, [ebp+var_1C]
		movzx	ecx, byte ptr [eax+1E4h]
		bts	ecx, edx
		mov	[eax+1E4h], cl

loc_4F2C19:				; CODE XREF: RtlpHpVaMgrAlloc+2E5j
					; RtlpHpVaMgrAlloc+3E6j
		nop
		dec	byte ptr [eax+1E6h]
		mov	ecx, edi
		and	ecx, 1FFFFh
		mov	[ebp+var_20], ecx
		jz	short loc_4F2C62
		test	edi, 8000h
		jz	short loc_4F2C41
		xor	edx, edx
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+var_1C]

loc_4F2C41:				; CODE XREF: RtlpHpVaMgrAlloc+369j
		test	byte ptr [ebp+var_24+2], 1
		jz	short loc_4F2C51
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4F2C51:				; CODE XREF: RtlpHpVaMgrAlloc+37Bj
		mov	eax, 7FFFh
		test	edi, eax
		jnz	short loc_4F2CB5
		mov	edi, [ebp+var_1C]
		jmp	short loc_4F2CC3
; 

loc_4F2C5F:				; CODE XREF: RtlpHpVaMgrAlloc+403j
					; RtlpHpVaMgrAlloc+411j
		mov	eax, [ebp+var_1C]

loc_4F2C62:				; CODE XREF: RtlpHpVaMgrAlloc+361j
		nop
		add	word ptr [eax+13Eh], 1
		jnz	loc_4F2A80
		nop
		add	eax, 70h
		cmp	[eax], eax
		jz	loc_4F2A80
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4F2A80
; 

loc_4F2C87:				; CODE XREF: RtlpHpVaMgrAlloc+2DDj
		push	0
		push	[ebp+var_34]

loc_4F2C8C:				; CODE XREF: RtlpHpVaMgrAlloc+54Ej
		push	esi
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4F2C98:				; CODE XREF: RtlpHpVaMgrAlloc+336j
		mov	esi, [ebp+var_1C]
		mov	al, 1
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_40]
		mov	eax, [ebp+var_1C]
		jmp	loc_4F2C19
; 

loc_4F2CB5:				; CODE XREF: RtlpHpVaMgrAlloc+38Ej
		and	edi, eax
		mov	edx, edi
		mov	edi, [ebp+var_1C]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4F2CC3:				; CODE XREF: RtlpHpVaMgrAlloc+393j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_4F2C5F
		push	[ebp+var_20]
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_4F2C5F
; 

loc_4F2CDD:				; CODE XREF: RtlpHpVaMgrAlloc+25Dj
		cmp	byte ptr dword_6D3994[ecx], 1
		jnz	loc_4F2E7C

loc_4F2CEA:				; CODE XREF: RtlpHpVaMgrAlloc+5C1j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_1C]

loc_4F2CFD:				; CODE XREF: RtlpHpVaMgrAlloc+269j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	dl, [eax+1E6h]
		mov	[ebp+var_15], dl
		mov	edx, esi
		push	ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_4F2D3D
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_4F2E13
		mov	eax, ecx
		jmp	short loc_4F2DA5
; 

loc_4F2D3D:				; CODE XREF: RtlpHpVaMgrAlloc+45Cj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_4F2D53
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_4F2D53:				; CODE XREF: RtlpHpVaMgrAlloc+47Fj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_3C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [ebp+var_1C]
		mov	dword ptr [ecx+10h], 0
		push	30h
		sub	ecx, [eax+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_15], 1
		mov	edx, eax
		jnz	loc_4F2E1D
		mov	eax, [ebp+var_1C]
		movzx	ecx, byte ptr [eax+1E4h]
		bts	ecx, edx
		mov	[eax+1E4h], cl

loc_4F2DA5:				; CODE XREF: RtlpHpVaMgrAlloc+471j
					; RtlpHpVaMgrAlloc+56Bj
		nop
		dec	byte ptr [eax+1E6h]
		mov	ecx, edi
		and	ecx, 1FFFFh
		mov	[ebp+var_20], ecx
		jz	short loc_4F2DEE
		test	edi, 8000h
		jz	short loc_4F2DCD
		xor	edx, edx
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+var_1C]

loc_4F2DCD:				; CODE XREF: RtlpHpVaMgrAlloc+4F5j
		test	byte ptr [ebp+var_3C+2], 1
		jz	short loc_4F2DDD
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4F2DDD:				; CODE XREF: RtlpHpVaMgrAlloc+507j
		mov	eax, 7FFFh
		test	edi, eax
		jnz	short loc_4F2E3A
		mov	edi, [ebp+var_1C]
		jmp	short loc_4F2E48
; 

loc_4F2DEB:				; CODE XREF: RtlpHpVaMgrAlloc+588j
					; RtlpHpVaMgrAlloc+596j
		mov	eax, [ebp+var_1C]

loc_4F2DEE:				; CODE XREF: RtlpHpVaMgrAlloc+4EDj
		nop
		add	word ptr [eax+13Eh], 1
		jnz	loc_4F2AC0
		nop
		add	eax, 70h
		cmp	[eax], eax
		jz	loc_4F2AC0
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4F2AC0
; 

loc_4F2E13:				; CODE XREF: RtlpHpVaMgrAlloc+469j
		push	0
		push	[ebp+var_38]
		jmp	loc_4F2C8C
; 

loc_4F2E1D:				; CODE XREF: RtlpHpVaMgrAlloc+4C2j
		mov	esi, [ebp+var_1C]
		mov	al, 1
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_40]
		mov	eax, [ebp+var_1C]
		jmp	loc_4F2DA5
; 

loc_4F2E3A:				; CODE XREF: RtlpHpVaMgrAlloc+51Aj
		and	edi, eax
		mov	edx, edi
		mov	edi, [ebp+var_1C]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4F2E48:				; CODE XREF: RtlpHpVaMgrAlloc+51Fj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_4F2DEB
		push	[ebp+var_20]
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_4F2DEB
; 

loc_4F2E62:				; CODE XREF: RtlpHpVaMgrAlloc+28Dj
		cmp	esi, edx
		jb	loc_4F2B6E
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_4F2B5D
		jmp	loc_4F2B6E
; 

loc_4F2E7C:				; CODE XREF: RtlpHpVaMgrAlloc+41Aj
		cmp	esi, edx
		jb	loc_4F2B2D
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_4F2CEA
		jmp	loc_4F2B2D
RtlpHpVaMgrAlloc endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVaMgrRangeMarkAllocated(x, x,	x)
_RtlpHpVaMgrRangeMarkAllocated@12 proc near ; CODE XREF: RtlpHpVaMgrAlloc+D2p
					; RtlpHpVaMgrAlloc+DE860p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		xor	eax, eax
		mov	edi, edx
		cmp	[ebp+arg_0], 0
		stosd
		stosd
		stosd
		setnz	al
		pop	edi
		lea	eax, ds:1[eax*4]
		mov	[edx], al
		mov	al, [ecx+18h]
		mov	[edx+1], al
		pop	ebp
		retn	4
_RtlpHpVaMgrRangeMarkAllocated@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVaMgrRangeFind proc near		; CODE XREF: RtlpHpVaMgrAlloc+8Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D114E SIZE 00000092 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		movzx	ecx, dx
		push	ebx
		mov	[ebp+var_4], eax
		add	eax, 4
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ecx
		push	edi
		test	byte ptr [eax+4], 1
		mov	ecx, [eax]
		movzx	ebx, dx
		jz	short loc_4F2EEE
		test	ecx, ecx
		jnz	short loc_4F2EEC
		mov	ecx, esi
		jmp	short loc_4F2EEE
; 

loc_4F2EEC:				; CODE XREF: RtlpHpVaMgrRangeFind+28j
		xor	ecx, eax

loc_4F2EEE:				; CODE XREF: RtlpHpVaMgrRangeFind+24j
					; RtlpHpVaMgrRangeFind+2Cj
		movzx	edx, byte ptr [eax+4]
		mov	edi, esi
		xor	eax, eax
		inc	eax
		and	edx, eax
		jmp	short loc_4F2EFD
; 

loc_4F2EFB:				; CODE XREF: RtlpHpVaMgrRangeFind+59j
					; RtlpHpVaMgrRangeFind+5Dj
		mov	ecx, eax

loc_4F2EFD:				; CODE XREF: RtlpHpVaMgrRangeFind+3Bj
					; RtlpHpVaMgrRangeFind+61j
		test	ecx, ecx
		jz	short loc_4F2F21
		movzx	eax, word ptr [ecx+0Ch]
		cmp	bx, ax
		jb	short loc_4F2F11
		jbe	short loc_4F2F23
		mov	eax, [ecx+4]
		jmp	short loc_4F2F15
; 

loc_4F2F11:				; CODE XREF: RtlpHpVaMgrRangeFind+4Aj
		mov	eax, [ecx]
		mov	edi, ecx

loc_4F2F15:				; CODE XREF: RtlpHpVaMgrRangeFind+51j
		test	edx, edx
		jz	short loc_4F2EFB
		test	eax, eax
		jz	short loc_4F2EFB
		xor	ecx, eax
		jmp	short loc_4F2EFD
; 

loc_4F2F21:				; CODE XREF: RtlpHpVaMgrRangeFind+41j
		mov	ecx, edi

loc_4F2F23:				; CODE XREF: RtlpHpVaMgrRangeFind+4Cj
		test	ecx, ecx
		jz	short loc_4F2F3E
		mov	ax, word ptr [ebp+arg_0]
		xor	edx, edx
		inc	edx
		mov	esi, ecx
		cmp	ax, dx
		ja	loc_5D114E
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx

loc_4F2F3E:				; CODE XREF: RtlpHpVaMgrRangeFind+67j
					; RtlpHpVaMgrRangeFind+DE2FDj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
RtlpHpVaMgrRangeFind endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpMetadataAlloc(x, x, x, x, x)
_RtlpHpMetadataAlloc@20	proc near	; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+31p
					; RtlpHpHeapAllocate+171p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_8]
		push	edi
		push	esi
		mov	[esp+28h+var_C], edx
		mov	[esp+28h+var_14], ecx
		call	_RtlpHpMetadataHeapCtxGet@8 ; RtlpHpMetadataHeapCtxGet(x,x)
		mov	[esp+20h+var_8], esi
		xor	ebx, ebx
		cmp	byte ptr [esp+20h+var_8+1], 2
		mov	[esp+20h+var_10], eax
		mov	byte ptr [esp+20h+var_8+3], bl
		jnb	short loc_4F2FE3

loc_4F2F80:				; CODE XREF: RtlpHpMetadataAlloc(x,x,x,x,x)+A0j
		push	ebx
		push	[esp+24h+var_8]
		mov	ecx, eax
		call	_RtlpHpMetadataHeapStart@12 ; RtlpHpMetadataHeapStart(x,x,x)
		test	eax, eax
		js	short loc_4F2FAC
		mov	ecx, [esp+20h+var_10]
		mov	edx, [esp+20h+var_14]
		mov	ecx, [ecx]
		cmp	[ebp+arg_0], ebx
		jnz	short loc_4F2FB7
		push	ebx
		push	1000000h
		call	RtlpHpAllocateHeap

loc_4F2FAA:				; CODE XREF: RtlpHpMetadataAlloc(x,x,x,x,x)+99j
		mov	ebx, eax

loc_4F2FAC:				; CODE XREF: RtlpHpMetadataAlloc(x,x,x,x,x)+46j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4F2FB7:				; CODE XREF: RtlpHpMetadataAlloc(x,x,x,x,x)+55j
		lea	esi, [ecx+100h]
		cmp	edx, [ecx+10Ch]
		ja	short loc_4F2FEA

loc_4F2FC5:				; CODE XREF: RtlpHpMetadataAlloc(x,x,x,x,x)+A8j
		mov	ecx, [esp+20h+var_C]
		cmp	ecx, edx
		sbb	eax, eax
		and	eax, 4000000h
		add	eax, 1000000h
		push	eax
		push	ecx
		push	edx
		mov	ecx, esi
		call	RtlpHpSegAlloc
		jmp	short loc_4F2FAA
; 

loc_4F2FE3:				; CODE XREF: RtlpHpMetadataAlloc(x,x,x,x,x)+36j
		mov	byte ptr [esp+20h+var_8+1], 2
		jmp	short loc_4F2F80
; 

loc_4F2FEA:				; CODE XREF: RtlpHpMetadataAlloc(x,x,x,x,x)+7Bj
		lea	esi, [ecx+180h]
		jmp	short loc_4F2FC5
_RtlpHpMetadataAlloc@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpMetadataHeapStart(x, x, x)
_RtlpHpMetadataHeapStart@12 proc near	; CODE XREF: RtlpHpMetadataAlloc(x,x,x,x,x)+3Fp
					; RtlHpHeapManagerStart+83DBDp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_4F3003
		xor	eax, eax

loc_4F2FFF:				; CODE XREF: RtlpHpMetadataHeapStart(x,x,x)+25j
		pop	ebp
		retn	8
; 

loc_4F3003:				; CODE XREF: RtlpHpMetadataHeapStart(x,x,x)+9j
		push	0
		lea	eax, [ebp+arg_0]
		push	eax
		push	offset _RtlpHpMetadataHeapCreate@12 ; RtlpHpMetadataHeapCreate(x,x,x)
		lea	eax, [ecx+4]
		push	eax
		call	RtlRunOnceExecuteOnce
		jmp	short loc_4F2FFF
_RtlpHpMetadataHeapStart@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLargeAlloc(x,	x, x, x)
_RtlpHpLargeAlloc@16 proc near		; CODE XREF: RtlpHpAllocateHeap+16Fp
					; ExAllocateHeapPool+BBF48p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_24], edx
		xor	eax, eax
		mov	edi, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], eax
		push	dword ptr [esi+4]
		mov	[ebp+var_20], eax
		push	dword ptr [esi]
		mov	[ebp+var_18], eax
		push	eax
		push	14h
		pop	ecx
		mov	edx, ecx
		mov	[ebp+var_14], edi
		mov	[ebp+var_4], eax
		call	_RtlpHpMetadataAlloc@20	; RtlpHpMetadataAlloc(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_4F335E
		xor	eax, eax
		mov	edi, ebx
		mov	ecx, 1FFFFFh
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		test	dword ptr [esi+0Ch], 4000000h
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_8], eax
		jz	short loc_4F3094
		lea	eax, [edi-1]
		and	eax, ecx
		sub	ecx, eax
		mov	eax, edi
		shr	eax, 2
		cmp	ecx, eax
		jnb	short loc_4F3091
		xor	eax, eax
		inc	eax
		mov	[ebp+var_8], eax
		jmp	short loc_4F3094
; 

loc_4F3091:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+6Dj
					; RtlpHpLargeAlloc(x,x,x,x)+1D1j
		mov	eax, [ebp+var_8]

loc_4F3094:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+5Dj
					; RtlpHpLargeAlloc(x,x,x,x)+75j
		xor	edx, edx
		mov	[ebp+arg_0], edx
		test	eax, eax
		jz	short loc_4F30B6
		lea	ecx, [edi-1]
		mov	eax, edi
		and	ecx, 1FFFFFh
		sub	eax, ecx
		mov	ecx, 200000h
		add	eax, 1FFFFFh
		jmp	short loc_4F30DD
; 

loc_4F30B6:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+81j
		mov	eax, [esi]
		shr	eax, 8
		cmp	al, 2
		jnb	short loc_4F30D4
		mov	eax, edi
		and	eax, 0FFFFFh
		dec	eax
		cmp	eax, 0FEFFFh
		ja	short loc_4F30D4
		xor	edx, edx
		inc	edx
		mov	[ebp+arg_0], edx

loc_4F30D4:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+A3j
					; RtlpHpLargeAlloc(x,x,x,x)+B2j
		mov	eax, edx
		xor	ecx, ecx
		shl	eax, 0Ch
		add	eax, edi

loc_4F30DD:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+9Aj
		mov	[ebp+var_C], eax
		cmp	eax, edi
		jb	loc_4F334B
		mov	eax, [esi+0Ch]
		lea	edx, [ebp+var_C]
		push	dword ptr [esi+4]
		and	eax, 40000000h
		push	dword ptr [esi]
		neg	eax
		sbb	eax, eax
		and	eax, 3Ch
		add	eax, 4
		push	eax
		push	2000h
		push	ecx
		lea	ecx, [ebp+var_4]
		call	RtlpHpAllocVA
		test	eax, eax
		js	loc_4F3347
		push	dword ptr [esi+4]
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_28]
		push	dword ptr [esi]
		lea	edx, [ebp+var_18]
		push	eax
		call	_RtlpHpQueryVA@20 ; RtlpHpQueryVA(x,x,x,x,x)
		mov	eax, [ebp+var_18]
		mov	[eax], esi
		lea	eax, [edi+0FFFh]
		mov	edx, [esi+84h]
		add	edx, [esi+50h]
		shr	eax, 0Ch
		mov	ecx, eax
		mov	[ebp+var_1C], eax
		lea	eax, [esi+18h]
		shl	ecx, 0Ch
		push	eax
		push	esi
		shl	edx, 0Ch
		mov	[ebp+var_10], ecx
		call	RtlpHpHeapCheckCommitLimit
		test	eax, eax
		jz	loc_4F334B
		cmp	[ebp+var_8], 0
		mov	ecx, 1000h
		jz	short loc_4F318A
		mov	edx, [ebp+var_10]
		mov	eax, 1FFFFFh
		lea	ecx, [edx-1]
		and	ecx, eax
		sub	eax, ecx
		mov	ecx, 20001000h
		add	edx, eax
		mov	[ebp+var_10], edx
		jmp	short loc_4F319A
; 

loc_4F318A:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+153j
		test	[ebp+arg_4], 2
		jz	short loc_4F319A
		mov	[ebp+var_20], 40001000h
		mov	ecx, [ebp+var_20]

loc_4F319A:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+16Ej
					; RtlpHpLargeAlloc(x,x,x,x)+174j
		mov	eax, [esi+0Ch]
		lea	edx, [ebp+var_10]
		push	dword ptr [esi+4]
		and	eax, 40000000h
		push	dword ptr [esi]
		neg	eax
		sbb	eax, eax
		and	eax, 3Ch
		add	eax, 4
		push	eax
		push	ecx
		push	0
		lea	ecx, [ebp+var_4]
		call	RtlpHpAllocVA
		test	eax, eax
		jns	short loc_4F31F0
		cmp	[ebp+var_8], 0
		jz	loc_4F334B
		push	dword ptr [esi+4]
		and	[ebp+var_8], 0
		lea	edx, [ebp+var_C]
		push	dword ptr [esi]
		lea	ecx, [ebp+var_4]
		push	8000h
		call	_RtlpHpFreeVA@20 ; RtlpHpFreeVA(x,x,x,x,x)
		and	[ebp+var_4], 0
		jmp	loc_4F3091
; 

loc_4F31F0:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+1A8j
		cmp	[ebp+var_8], 0
		jz	short loc_4F320A
		test	[ebp+arg_4], 2
		jz	short loc_4F320A
		push	edi		; size_t
		push	0		; int
		push	[ebp+var_4]	; void *
		call	_memset
		add	esp, 0Ch

loc_4F320A:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+1DAj
					; RtlpHpLargeAlloc(x,x,x,x)+1E0j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebx+10h]
		mov	[ebx+0Ch], eax
		and	ecx, 0FFDh
		mov	eax, [ebp+var_1C]
		shl	eax, 0Ch
		or	ecx, eax
		mov	eax, [ebp+arg_0]
		add	eax, eax
		and	ecx, 0FFFFFFFDh
		or	ecx, eax
		mov	[ebx+10h], ecx
		bsf	eax, [ebp+var_C]
		shl	eax, 2
		xor	eax, ecx
		and	eax, 0FCh
		xor	eax, ecx
		mov	[ebx+10h], eax
		mov	eax, [ebp+var_1C]
		shl	eax, 0Ch
		sub	eax, [ebp+var_24]
		mov	[ebx+0Ch], ax
		and	dword ptr [ebp+arg_4], 1
		jnz	short loc_4F3267
		movzx	edx, byte ptr [esi]
		lea	ecx, [esi+40h]
		and	edx, 1
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	byte ptr [ebp+arg_0+3],	al
		jmp	short loc_4F326B
; 

loc_4F3267:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+238j
		mov	byte ptr [ebp+arg_0+3],	0FFh

loc_4F326B:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+24Bj
		lea	edx, [esi+44h]
		test	byte ptr [edx+4], 1
		mov	ecx, [edx]
		jz	short loc_4F3280
		test	ecx, ecx
		jz	short loc_4F327E
		xor	ecx, edx
		jmp	short loc_4F3280
; 

loc_4F327E:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+25Ej
		xor	ecx, ecx

loc_4F3280:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+25Aj
					; RtlpHpLargeAlloc(x,x,x,x)+262j
		movzx	edi, byte ptr [edx+4]
		and	edi, 1
		mov	byte ptr [ebp+var_8], 0
		test	ecx, ecx
		jz	short loc_4F32CB

loc_4F328F:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+2ABj
		mov	eax, [ecx+0Ch]
		and	eax, 0FFFF0000h
		cmp	[ebp+var_4], eax
		jb	short loc_4F32B3
		mov	eax, [ecx+4]
		test	edi, edi
		jz	short loc_4F32A9
		test	eax, eax
		jz	short loc_4F32AD
		xor	eax, ecx

loc_4F32A9:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+287j
		test	eax, eax
		jnz	short loc_4F32C3

loc_4F32AD:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+28Bj
		mov	byte ptr [ebp+var_8], 1
		jmp	short loc_4F32CB
; 

loc_4F32B3:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+280j
		mov	eax, [ecx]
		test	edi, edi
		jz	short loc_4F32BF
		test	eax, eax
		jz	short loc_4F32C7
		xor	eax, ecx

loc_4F32BF:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+29Dj
		test	eax, eax
		jz	short loc_4F32C7

loc_4F32C3:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+291j
		mov	ecx, eax
		jmp	short loc_4F328F
; 

loc_4F32C7:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+2A1j
					; RtlpHpLargeAlloc(x,x,x,x)+2A7j
		mov	byte ptr [ebp+var_8], 0

loc_4F32CB:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+273j
					; RtlpHpLargeAlloc(x,x,x,x)+297j
		push	ebx
		push	[ebp+var_8]
		push	ecx
		push	edx
		call	RtlRbInsertNodeEx
		cmp	dword ptr [ebp+arg_4], 0
		jnz	short loc_4F331C
		test	byte ptr [esi],	1
		lea	edi, [esi+40h]
		jnz	short loc_4F330D
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_4F32F8
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_4F32F8:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+2D5j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_4F331C
; 

loc_4F330D:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+2C8j
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4F331C:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+2C0j
					; RtlpHpLargeAlloc(x,x,x,x)+2F1j
		mov	eax, [ebp+var_C]
		cdq
		and	edx, 0FFFh
		lea	ecx, [edx+eax]
		sar	ecx, 0Ch
		lea	eax, [esi+4Ch]
		lock xadd [eax], ecx
		mov	ecx, [ebp+var_1C]
		lea	eax, [esi+50h]
		lock xadd [eax], ecx
		mov	edi, [ebp+var_4]
		xor	ebx, ebx
		and	[ebp+var_4], ebx
		jmp	short loc_4F334E
; 

loc_4F3347:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+F9j
		and	[ebp+var_4], 0

loc_4F334B:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+C8j
					; RtlpHpLargeAlloc(x,x,x,x)+144j ...
		mov	edi, [ebp+var_14]

loc_4F334E:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+32Bj
		test	ebx, ebx
		jz	short loc_4F335E
		push	dword ptr [esi+4]
		mov	ecx, ebx
		push	dword ptr [esi]
		call	_RtlpHpMetadataFree@12 ; RtlpHpMetadataFree(x,x,x)

loc_4F335E:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+3Aj
					; RtlpHpLargeAlloc(x,x,x,x)+336j
		cmp	[ebp+var_4], 0
		jz	short loc_4F3379
		push	dword ptr [esi+4]
		lea	edx, [ebp+var_C]
		push	dword ptr [esi]
		lea	ecx, [ebp+var_4]
		push	8000h
		call	_RtlpHpFreeVA@20 ; RtlpHpFreeVA(x,x,x,x,x)

loc_4F3379:				; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+348j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlpHpLargeAlloc@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpLargeFree	proc near		; CODE XREF: ExFreeHeapPool+744p
					; RtlpHpFreeHeap+11FF9Ep

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D11E0 SIZE 00000243 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		push	esi
		mov	esi, ecx
		mov	[ebp+var_18], edx
		xor	ecx, ecx
		mov	[ebp+var_10], esi
		push	edi
		xor	edi, edi
		inc	ecx
		and	[ebx+8], ecx
		mov	[ebp+var_1C], edi
		jnz	loc_5D11E0
		movzx	edx, byte ptr [esi]
		and	edx, ecx
		lea	ecx, [esi+40h]
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		xor	ecx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		inc	ecx

loc_4F33CA:				; CODE XREF: RtlpHpLargeFree+DDE62j
		lea	eax, [esi+44h]
		mov	esi, [eax]
		mov	[ebp+var_20], eax
		test	[eax+4], cl
		jz	short loc_4F33E4
		test	esi, esi
		jnz	short loc_4F33E2
		mov	esi, edi
		mov	[ebp+var_8], edi
		jmp	short loc_4F33E7
; 

loc_4F33E2:				; CODE XREF: RtlpHpLargeFree+57j
		xor	esi, eax

loc_4F33E4:				; CODE XREF: RtlpHpLargeFree+53j
		mov	[ebp+var_8], esi

loc_4F33E7:				; CODE XREF: RtlpHpLargeFree+5Ej
		movzx	edx, byte ptr [eax+4]
		and	edx, ecx
		mov	[ebp+var_14], edx
		mov	edx, [ebp+var_18]
		test	esi, esi
		jz	loc_5D11E9

loc_4F33FB:				; CODE XREF: RtlpHpLargeFree+94j
		mov	eax, [esi+0Ch]
		and	eax, 0FFFF0000h
		cmp	edx, eax
		jnb	short loc_4F341A
		mov	eax, [esi]

loc_4F3409:				; CODE XREF: RtlpHpLargeFree+299j
		cmp	[ebp+var_14], edi
		jnz	loc_4F3609

loc_4F3412:				; CODE XREF: RtlpHpLargeFree+289j
		mov	esi, eax

loc_4F3414:				; CODE XREF: RtlpHpLargeFree+291j
		test	esi, esi
		jnz	short loc_4F33FB
		jmp	short loc_4F3420
; 

loc_4F341A:				; CODE XREF: RtlpHpLargeFree+83j
		ja	loc_4F3618

loc_4F3420:				; CODE XREF: RtlpHpLargeFree+96j
		mov	eax, [ebp+var_20]
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	loc_5D11E9
		push	esi
		push	eax
		call	RtlRbRemoveNode
		cmp	[ebx+8], edi
		jnz	loc_4F357F
		mov	eax, [ebp+var_10]
		test	byte ptr [eax],	1
		lea	ecx, [eax+40h]
		mov	[ebp+var_14], ecx
		jnz	loc_4F3620
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4F365F

loc_4F3466:				; CODE XREF: RtlpHpLargeFree+2E5j
		mov	[ebp+var_20], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4F3573
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], esi
		pop	edx
		jb	short loc_4F34A1
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4F3634

loc_4F34A1:				; CODE XREF: RtlpHpLargeFree+110j
		cmp	ecx, [ebp+var_30]
		jb	short loc_4F34B3
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4F3634

loc_4F34B3:				; CODE XREF: RtlpHpLargeFree+122j
					; RtlpHpLargeFree+2C5j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_4F364C
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4F36B2

loc_4F34F4:				; CODE XREF: RtlpHpLargeFree+338j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_20], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		mov	edx, eax
		xor	eax, eax
		inc	eax
		cmp	byte ptr [ebp+var_4+3],	al
		jnz	loc_5D13EE
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4F3542:				; CODE XREF: RtlpHpLargeFree+2D2j
					; RtlpHpLargeFree+DE07Cj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jnz	loc_4F366C

loc_4F3559:				; CODE XREF: RtlpHpLargeFree+325j
					; RtlpHpLargeFree+DE09Cj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4F3570
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_4F36BF

loc_4F3570:				; CODE XREF: RtlpHpLargeFree+1E0j
					; RtlpHpLargeFree+342j
		mov	esi, [ebp+var_8]

loc_4F3573:				; CODE XREF: RtlpHpLargeFree+EDj
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_4F357F:				; CODE XREF: RtlpHpLargeFree+B6j
					; RtlpHpLargeFree+2ADj
		mov	ecx, [esi+10h]
		mov	edx, ecx
		mov	edi, [ebp+var_10]
		mov	eax, ecx
		shr	edx, 1
		shr	eax, 0Ch
		and	edx, 1
		add	edx, eax
		shr	ecx, 2
		push	dword ptr [edi+4]
		xor	eax, eax
		shl	edx, 0Ch
		push	dword ptr [edi]
		and	ecx, 3Fh
		inc	eax
		shl	eax, cl
		lea	ecx, [edx-1]
		mov	[ebp+var_34], eax
		add	ecx, eax
		dec	edx
		dec	eax
		and	ecx, eax
		mov	eax, [ebp+var_34]
		sub	eax, ecx
		lea	ecx, [ebp+var_18]
		add	eax, edx
		lea	edx, [ebp+var_1C]
		push	8000h
		mov	[ebp+var_1C], eax
		call	_RtlpHpFreeVA@20 ; RtlpHpFreeVA(x,x,x,x,x)
		mov	ecx, [esi+10h]
		lea	eax, [edi+50h]
		shr	ecx, 0Ch
		neg	ecx
		lock xadd [eax], ecx
		mov	edi, [ebp+var_1C]
		mov	esi, edi
		mov	eax, [ebp+var_10]
		shr	esi, 0Ch
		neg	esi
		lea	edx, [eax+4Ch]
		lock xadd [edx], esi
		push	dword ptr [eax+4]
		mov	ecx, [ebp+var_8]
		push	dword ptr [eax]
		call	_RtlpHpMetadataFree@12 ; RtlpHpMetadataFree(x,x,x)

loc_4F35FC:				; CODE XREF: RtlpHpLargeFree+DE067j
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_4F3609:				; CODE XREF: RtlpHpLargeFree+8Aj
		test	eax, eax
		jz	loc_4F3412
		xor	esi, eax
		jmp	loc_4F3414
; 

loc_4F3618:				; CODE XREF: RtlpHpLargeFree:loc_4F341Aj
		mov	eax, [esi+4]
		jmp	loc_4F3409
; 

loc_4F3620:				; CODE XREF: RtlpHpLargeFree+C8j
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4F357F
; 

loc_4F3634:				; CODE XREF: RtlpHpLargeFree+119j
					; RtlpHpLargeFree+12Bj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_14]
		mov	edx, eax
		mov	[ebp+var_C], eax
		jmp	loc_4F34B3
; 

loc_4F364C:				; CODE XREF: RtlpHpLargeFree+15Aj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4F3542
		jmp	loc_5D12BA
; 

loc_4F365F:				; CODE XREF: RtlpHpLargeFree+DEj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_14]
		jmp	loc_4F3466
; 

loc_4F366C:				; CODE XREF: RtlpHpLargeFree+1D1j
		test	edi, 8000h
		jz	short loc_4F367D
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4F367D:				; CODE XREF: RtlpHpLargeFree+2F0j
		xor	eax, eax
		inc	eax
		test	byte ptr [ebp+var_20+2], al
		jnz	loc_5D1403

loc_4F3689:				; CODE XREF: RtlpHpLargeFree+DE08Aj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4F369D
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4F369D:				; CODE XREF: RtlpHpLargeFree+30Ej
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4F3559
		jmp	loc_5D1411
; 

loc_4F36B2:				; CODE XREF: RtlpHpLargeFree+16Cj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]
		jmp	loc_4F34F4
; 

loc_4F36BF:				; CODE XREF: RtlpHpLargeFree+1E8j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4F3570
RtlpHpLargeFree	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLargeAllocGetOwner(x,	x, x)
_RtlpHpLargeAllocGetOwner@12 proc near	; CODE XREF: ExFreeHeapPool+784p
					; sub_5BD067+17p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_4]
		and	[ebp+var_4], 0
		lea	eax, [ebp+arg_4]
		push	[ebp+arg_0]
		lea	edx, [ebp+var_4]
		push	eax
		call	_RtlpHpQueryVA@20 ; RtlpHpQueryVA(x,x,x,x,x)
		mov	eax, [ebp+var_4]
		mov	eax, [eax]
		leave
		retn	8
_RtlpHpLargeAllocGetOwner@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpMetadataFree(x, x, x)
_RtlpHpMetadataFree@12 proc near	; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+33Fp
					; RtlpHpLargeFree+275p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, ecx
		push	[ebp+arg_0]
		call	_RtlpHpMetadataHeapCtxGet@8 ; RtlpHpMetadataHeapCtxGet(x,x)
		push	0
		push	0
		push	1000000h
		mov	ecx, [eax]
		call	RtlpHpFreeHeap
		pop	ebp
		retn	8
_RtlpHpMetadataFree@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVaMgrCtxFree proc	near		; CODE XREF: RtlpHpFreeVA(x,x,x,x,x)+64p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D1423 SIZE 00000082 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, [ebx+8]
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edx
		mov	edx, [edx]
		mov	eax, [eax]
		shr	eax, 14h
		sub	edx, [edi+4]
		lea	ecx, [edi+8]
		shr	edx, 14h
		mov	[ebp+var_8], eax
		call	_RtlSparseArrayElementAllocated@8 ; RtlSparseArrayElementAllocated(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5D1423
		movzx	eax, byte ptr [esi+1]
		add	edi, 3Ch
		mov	cl, [esi]
		imul	eax, 1Ch
		add	edi, eax
		mov	[ebp+var_C], edi
		test	cl, 4
		jz	short loc_4F378B
		and	cl, 0FEh
		mov	[esi], cl

loc_4F3777:				; CODE XREF: RtlpHpVaMgrCtxFree+141j
		mov	edx, esi
		mov	ecx, edi
		call	_RtlpHpVaMgrRangeFree@8	; RtlpHpVaMgrRangeFree(x,x)

loc_4F3780:				; CODE XREF: RtlpHpVaMgrCtxFree+13Bj
					; RtlpHpVaMgrCtxFree+DDD42j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_4F378B:				; CODE XREF: RtlpHpVaMgrCtxFree+5Aj
		mov	ah, [edi+1Ah]
		mov	al, ah
		mov	ch, ah
		and	al, 6
		cmp	al, 4
		jnb	short loc_4F37AF
		mov	edx, [ebx+8]
		mov	ecx, [ebp+var_10]
		push	4000h
		call	MmFreePoolMemory
		mov	ah, [edi+1Ah]
		mov	cl, [esi]
		mov	ch, ah

loc_4F37AF:				; CODE XREF: RtlpHpVaMgrCtxFree+80j
		mov	[ebp+var_10], esi
		test	cl, 2
		jnz	loc_5D145D
		and	cl, 4
		setz	al
		shr	ah, 4
		and	al, ah
		test	al, 1
		jnz	short loc_4F383B
		test	cl, cl
		jnz	loc_5D1470
		movzx	edx, word ptr [esi+0Ch]

loc_4F37D6:				; CODE XREF: RtlpHpVaMgrCtxFree+DDD5Dj
		mov	eax, [ebp+var_8]
		cmp	eax, edx
		jnz	loc_5D1478

loc_4F37E1:				; CODE XREF: RtlpHpVaMgrCtxFree+128j
					; RtlpHpVaMgrCtxFree+DDD64j
		test	cl, cl
		jnz	loc_5D147F
		movzx	edx, word ptr [esi+0Ch]

loc_4F37ED:				; CODE XREF: RtlpHpVaMgrCtxFree+DDD6Cj
		cmp	eax, edx
		jb	loc_5D1487
		xor	eax, eax

loc_4F37F7:				; CODE XREF: RtlpHpVaMgrCtxFree+DDD76j
		mov	[ebp+var_8], eax

loc_4F37FA:				; CODE XREF: RtlpHpVaMgrCtxFree+DDD55j
		movzx	edx, ch
		mov	ecx, edi
		and	edx, 1
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	byte ptr [ebp+var_4+3],	al
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	loc_5D1491

loc_4F3815:				; CODE XREF: RtlpHpVaMgrCtxFree+DDD8Aj
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		call	_RtlpHpVaMgrFree@8 ; RtlpHpVaMgrFree(x,x)
		test	byte ptr [edi+1Ah], 1
		mov	esi, eax
		mov	[ebp+var_10], esi
		jz	short loc_4F385C
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4F384F
; 

loc_4F383B:				; CODE XREF: RtlpHpVaMgrCtxFree+B2j
		mov	eax, [ebp+var_8]
		jmp	short loc_4F37E1
; 

loc_4F3840:				; CODE XREF: RtlpHpVaMgrCtxFree+16Ej
					; RtlpHpVaMgrCtxFree+289j
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp+var_C]

loc_4F384F:				; CODE XREF: RtlpHpVaMgrCtxFree+123j
		test	esi, esi
		jz	loc_4F3780
		jmp	loc_4F3777
; 

loc_4F385C:				; CODE XREF: RtlpHpVaMgrCtxFree+112j
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_8], edx
		mov	ecx, edx
		lock xadd [edi], ecx
		and	cl, 6
		cmp	cl, 2
		jnz	short loc_4F3877
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_4F3877:				; CODE XREF: RtlpHpVaMgrCtxFree+158j
		mov	eax, [ebp+var_C]
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	eax, 7FFFFFFCh
		jz	short loc_4F3840
		mov	esi, large fs:124h
		mov	ecx, eax
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], esi
		pop	edx
		jb	short loc_4F390C
		cmp	byte ptr dword_6D3994[ecx], 1
		jnz	short loc_4F390C

loc_4F38AE:				; CODE XREF: RtlpHpVaMgrCtxFree+202j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_C]

loc_4F38C1:				; CODE XREF: RtlpHpVaMgrCtxFree+1F9j
					; RtlpHpVaMgrCtxFree+204j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_4F391C
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4F397E
		push	ecx
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4F390C:				; CODE XREF: RtlpHpVaMgrCtxFree+18Dj
					; RtlpHpVaMgrCtxFree+196j
		cmp	eax, [ebp+var_30]
		jb	short loc_4F38C1
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	short loc_4F38AE
		jmp	short loc_4F38C1
; 

loc_4F391C:				; CODE XREF: RtlpHpVaMgrCtxFree+1D4j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_4F3932
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_4F3932:				; CODE XREF: RtlpHpVaMgrCtxFree+212j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_4F3A03
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4F397E:				; CODE XREF: RtlpHpVaMgrCtxFree+1DEj
					; RtlpHpVaMgrCtxFree+2FFj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jnz	short loc_4F39A4

loc_4F3991:				; CODE XREF: RtlpHpVaMgrCtxFree+2CDj
					; RtlpHpVaMgrCtxFree+2DCj
		nop
		add	word ptr [esi+13Eh], 1
		jz	short loc_4F39F4

loc_4F399C:				; CODE XREF: RtlpHpVaMgrCtxFree+2E4j
					; RtlpHpVaMgrCtxFree+2EBj
		mov	esi, [ebp+var_10]
		jmp	loc_4F3840
; 

loc_4F39A4:				; CODE XREF: RtlpHpVaMgrCtxFree+279j
		test	edi, 8000h
		jz	short loc_4F39B5
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4F39B5:				; CODE XREF: RtlpHpVaMgrCtxFree+294j
		test	byte ptr [ebp+var_14+2], 1
		jz	short loc_4F39C5
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4F39C5:				; CODE XREF: RtlpHpVaMgrCtxFree+2A3j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4F39D9
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4F39D9:				; CODE XREF: RtlpHpVaMgrCtxFree+2B6j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_4F3991
		push	[ebp+var_34]
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_4F3991
; 

loc_4F39F4:				; CODE XREF: RtlpHpVaMgrCtxFree+284j
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_4F399C
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_4F399C
; 

loc_4F3A03:				; CODE XREF: RtlpHpVaMgrCtxFree+252j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_34]
		jmp	loc_4F397E
RtlpHpVaMgrCtxFree endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpQueryVA(x, x,	x, x, x)
_RtlpHpQueryVA@20 proc near		; CODE XREF: RtlpHpLargeAlloc(x,x,x,x)+10Ep
					; RtlpHpLargeAllocGetOwner(x,x,x)+17p ...

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	esi
		push	edi
		push	[ebp+arg_8]
		lea	edi, [ebp+var_14]
		mov	esi, edx
		push	[ebp+arg_4]
		stosd
		mov	edx, ecx
		stosd
		stosd
		stosd
		stosd
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		lea	ecx, [ebp+var_14]
		push	ecx
		lea	ecx, [eax+30h]
		call	RtlpHpVaMgrCtxQuery
		test	esi, esi
		jz	short loc_4F3A52
		mov	eax, [ebp+var_8]
		mov	[esi], eax

loc_4F3A52:				; CODE XREF: RtlpHpQueryVA(x,x,x,x,x)+31j
		mov	ecx, [ebp+arg_0]
		pop	edi
		pop	esi
		test	ecx, ecx
		jz	short loc_4F3A60
		mov	eax, [ebp+var_4]
		mov	[ecx], eax

loc_4F3A60:				; CODE XREF: RtlpHpQueryVA(x,x,x,x,x)+3Fj
		mov	eax, [ebp+var_14]
		leave
		retn	0Ch
_RtlpHpQueryVA@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVaMgrCtxQuery proc near		; CODE XREF: RtlpHpQueryVA(x,x,x,x,x)+2Ap

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D14A5 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		sub	edx, [edi+4]
		lea	ecx, [edi+8]
		shr	edx, 14h
		call	_RtlSparseArrayElementAllocated@8 ; RtlSparseArrayElementAllocated(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5D14A5
		test	byte ptr [esi],	4
		jz	short loc_4F3ACE
		mov	eax, [esi+0Ch]

loc_4F3A94:				; CODE XREF: RtlpHpVaMgrCtxQuery+6Aj
		mov	edx, [ebp+arg_0]
		shl	eax, 14h
		mov	[edx], eax
		movzx	eax, byte ptr [esi+1]
		imul	ecx, eax, 1Ch
		mov	dword ptr [edx+10h], 8
		movzx	eax, byte ptr [ecx+edi+56h]
		shr	eax, 1
		and	eax, 3
		mov	[edx+4], eax
		movzx	eax, byte ptr [ecx+edi+55h]
		mov	[edx+8], eax
		lea	eax, [esi+4]
		mov	[edx+0Ch], eax
		xor	eax, eax

loc_4F3AC7:				; CODE XREF: RtlpHpVaMgrCtxQuery+DDA52j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4F3ACE:				; CODE XREF: RtlpHpVaMgrCtxQuery+27j
		movzx	eax, word ptr [esi+0Ch]
		jmp	short loc_4F3A94
RtlpHpVaMgrCtxQuery endp


;  S U B	R O U T	I N E 


; __stdcall RtlSparseArrayElementAllocated(x, x)
_RtlSparseArrayElementAllocated@8 proc near ; CODE XREF: RtlpHpVaMgrCtxFree+37p
					; RtlpHpVaMgrCtxQuery+15p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		push	8
		pop	eax
		mov	ecx, [edi+4]
		shl	eax, cl
		shl	edx, cl
		lea	ecx, [edi+8]
		push	eax
		shl	edx, 3
		call	RtlCSparseBitmapFindBitSetCapped
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4F3B04
		mov	ecx, [edi+4]
		shl	esi, cl
		add	esi, [edi+0Ch]
		mov	eax, esi

loc_4F3B01:				; CODE XREF: RtlSparseArrayElementAllocated(x,x)+32j
		pop	edi
		pop	esi
		retn
; 

loc_4F3B04:				; CODE XREF: RtlSparseArrayElementAllocated(x,x)+21j
		xor	eax, eax
		jmp	short loc_4F3B01
_RtlSparseArrayElementAllocated@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCSparseBitmapFindBitSetCapped proc near
					; CODE XREF: RtlSparseArrayElementAllocated(x,x)+19p
					; RtlSparseArrayElementFindCapped(x,x,x)+21p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D14BF SIZE 00000041 BYTES
; FUNCTION CHUNK AT 005D1517 SIZE 00000044 BYTES

		push	2Ch
		push	offset dword_6A3380
		call	__SEH_prolog4
		mov	[ebp+var_30], edx
		mov	[ebp+var_20], ecx
		and	[ebp+var_3C], 0
		and	[ebp+var_38], 0
		mov	edi, 8000h
		mov	ebx, [ebp+arg_0]

loc_4F3B2A:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+DDA1Ej
		mov	[ebp+var_34], edx
		test	ebx, ebx
		jz	loc_4F3C14
		mov	ecx, edx
		and	ecx, 7FFFh
		mov	[ebp+var_1C], ecx
		mov	esi, ebx
		mov	[ebp+var_28], esi
		lea	eax, [ecx+ebx]
		test	ebx, ebx
		js	loc_5D14BF
		cmp	eax, edi
		jg	loc_5D14CD

loc_4F3B58:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+DD9B9j
					; RtlCSparseBitmapFindBitSetCapped+DD9CCj
		mov	edi, edx
		shr	edi, 0Fh
		mov	eax, edi
		shr	eax, 0Fh
		mov	ecx, [ebp+var_20]
		bt	[ecx+20h], eax
		mov	ecx, [ebp+var_1C]
		jnb	loc_5D152B
		mov	eax, [ebp+var_20]
		mov	eax, [eax]
		bt	[eax], edi
		mov	edi, 8000h
		jnb	loc_5D151C
		mov	eax, edx
		cdq
		idiv	edi
		mov	edi, eax
		cmp	esi, 1
		jle	short loc_4F3C07
		mov	eax, esi

loc_4F3B93:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+102j
		add	eax, ecx
		mov	edx, edi
		shl	edx, 0Ch
		mov	ecx, [ebp+var_20]
		add	edx, [ecx+4]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], edx
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+var_1C]
		and	[ebp+var_24], 0
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		mov	[ebp+var_24], ecx
		mov	al, [eax+edx]
		sar	al, cl
		test	al, 1
		jz	loc_5D14D9
		xor	eax, eax

loc_4F3BCB:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+DD9E2j
					; RtlCSparseBitmapFindBitSetCapped+DD9F3j
		mov	[ebp+var_2C], eax
		mov	[ebp+var_24], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cdq
		mov	ecx, eax
		xor	ecx, edx
		sub	ecx, edx
		mov	eax, esi
		cdq
		xor	eax, edx
		sub	eax, edx
		cmp	ecx, eax
		jge	short loc_4F3C0C
		shl	edi, 0Fh
		add	edi, [ebp+var_24]
		add	edi, [ebp+var_1C]

loc_4F3BF3:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+10Fj
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4F3C07:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+87j
		xor	eax, eax
		inc	eax
		jmp	short loc_4F3B93
; 

loc_4F3C0C:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+E0j
		mov	edx, [ebp+var_30]
		jmp	loc_5D1517
; 

loc_4F3C14:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+27j
		or	edi, 0FFFFFFFFh
		jmp	short loc_4F3BF3
RtlCSparseBitmapFindBitSetCapped endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpMetadataHeapCtxGet(x,	x)
_RtlpHpMetadataHeapCtxGet@8 proc near	; CODE XREF: RtlpHpMetadataAlloc(x,x,x,x,x)+1Ep
					; RtlpHpMetadataFree(x,x,x)+Dp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	ecx
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		shr	ecx, 8
		cmp	cl, 2
		jnb	short loc_4F3C42
		movzx	ecx, cl

loc_4F3C36:				; CODE XREF: RtlpHpMetadataHeapCtxGet(x,x)+2Bj
		lea	eax, [eax+ecx*8]
		add	eax, 1C50h
		pop	ebp
		retn	8
; 

loc_4F3C42:				; CODE XREF: RtlpHpMetadataHeapCtxGet(x,x)+17j
		push	2
		pop	ecx
		jmp	short loc_4F3C36
_RtlpHpMetadataHeapCtxGet@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpEnvGetHeapManager(x, x)
_RtlpHpEnvGetHeapManager@8 proc	near	; CODE XREF: RtlpHpFreeHeap+92p
					; RtlpHpGetOwnerHeap+3Ap ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [ebp+arg_0]
		and	al, 6
		cmp	al, 4
		jz	short loc_4F3C5F
		mov	eax, offset _ExPoolState

loc_4F3C5B:				; CODE XREF: RtlpHpEnvGetHeapManager(x,x)+2Fj
		pop	ebp
		retn	8
; 

loc_4F3C5F:				; CODE XREF: RtlpHpEnvGetHeapManager(x,x)+Cj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	eax, [eax+1D8h]
		jmp	short loc_4F3C5B
_RtlpHpEnvGetHeapManager@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVaMgrRangeFree(x, x)
_RtlpHpVaMgrRangeFree@8	proc near	; CODE XREF: RtlpHpVaMgrCtxFree+65p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	eax, [edi+0Ch]
		sub	esi, [eax+14h]
		mov	ecx, [eax+0Ch]
		shr	esi, cl
		shl	esi, 14h
		add	esi, [eax+4]
		test	byte ptr [edx],	4
		mov	[ebp+var_8], esi
		jz	short loc_4F3CC4
		mov	eax, [edx+0Ch]

loc_4F3CA3:				; CODE XREF: RtlpHpVaMgrRangeFree(x,x)+4Ej
		shl	eax, 14h
		mov	ecx, edi
		mov	[ebp+var_4], eax
		call	_RtlpHpVaMgrRangeCleanup@8 ; RtlpHpVaMgrRangeCleanup(x,x)
		push	8000h
		lea	edx, [ebp+var_4]
		lea	ecx, [ebp+var_8]
		call	_RtlpHpEnvFreeVA@12 ; RtlpHpEnvFreeVA(x,x,x)
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4F3CC4:				; CODE XREF: RtlpHpVaMgrRangeFree(x,x)+24j
		movzx	eax, word ptr [edx+0Ch]
		jmp	short loc_4F3CA3
_RtlpHpVaMgrRangeFree@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVaMgrRangeCleanup(x, x)
_RtlpHpVaMgrRangeCleanup@8 proc	near	; CODE XREF: RtlpHpVaMgrRangeFree(x,x)+31p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		mov	al, [edi]
		movzx	edx, al
		mov	[ebp+var_4], edx
		test	al, 4
		jz	short loc_4F3D45
		mov	ebx, [edi+0Ch]

loc_4F3CE9:				; CODE XREF: RtlpHpVaMgrRangeCleanup(x,x)+7Fj
		mov	esi, [ecx+0Ch]
		mov	edx, edi
		push	8
		pop	eax
		shl	ebx, 4
		mov	ecx, [esi+0Ch]
		add	ebx, edi
		sub	edx, [esi+14h]
		shr	edx, cl
		shl	eax, cl
		shl	edx, cl
		lea	ecx, [esi+10h]
		push	eax
		shl	edx, 3
		call	RtlCSparseBitmapBitsClear
		test	byte ptr [ebp+var_4], 4
		jz	short loc_4F3D3C

loc_4F3D14:				; CODE XREF: RtlpHpVaMgrRangeCleanup(x,x)+79j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F3D19:				; CODE XREF: RtlpHpVaMgrRangeCleanup(x,x)+77j
		mov	eax, [ebp+var_8]
		mov	edx, edi
		push	8
		mov	esi, [eax+0Ch]
		pop	eax
		mov	ecx, [esi+0Ch]
		sub	edx, [esi+14h]
		shr	edx, cl
		shl	eax, cl
		shl	edx, cl
		lea	ecx, [esi+10h]
		push	eax
		shl	edx, 3
		call	RtlCSparseBitmapBitsClear

loc_4F3D3C:				; CODE XREF: RtlpHpVaMgrRangeCleanup(x,x)+48j
		add	edi, 10h
		cmp	edi, ebx
		jb	short loc_4F3D19
		jmp	short loc_4F3D14
; 

loc_4F3D45:				; CODE XREF: RtlpHpVaMgrRangeCleanup(x,x)+1Aj
		movzx	ebx, word ptr [edi+0Ch]
		jmp	short loc_4F3CE9
_RtlpHpVaMgrRangeCleanup@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCSparseBitmapBitsClear proc near	; CODE XREF: RtlpHpVaMgrRangeCleanup(x,x)+3Fp
					; RtlpHpVaMgrRangeCleanup(x,x)+6Dp ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D155B SIZE 0000005B BYTES
; FUNCTION CHUNK AT 005D15CE SIZE 0000003A BYTES

		push	44h
		push	offset dword_6A33A0
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], ecx
		xor	ebx, ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		mov	ecx, [ebp+arg_0]

loc_4F3D6B:				; CODE XREF: RtlCSparseBitmapBitsClear+199j
		test	ecx, ecx
		jz	loc_4F3E1D
		mov	edi, eax
		and	edi, 7FFFh
		mov	[ebp+var_48], edi
		mov	esi, ecx
		mov	[ebp+var_20], esi
		lea	edx, [edi+ecx]
		test	ecx, ecx
		js	loc_5D155B
		cmp	edx, 8000h
		jg	loc_5D1569

loc_4F3D9A:				; CODE XREF: RtlCSparseBitmapBitsClear+DD811j
					; RtlCSparseBitmapBitsClear+DD827j
		mov	[ebp+var_44], esi
		shr	eax, 0Fh
		mov	[ebp+var_38], eax
		shr	eax, 0Fh
		mov	edx, [ebp+var_2C]
		bt	[edx+20h], eax
		jnb	loc_5D15CE
		mov	eax, [edx]
		mov	edx, [ebp+var_38]
		bt	[eax], edx
		jnb	loc_4F3ED8
		shl	edx, 0Ch
		mov	eax, [ebp+var_2C]
		add	edx, [eax+4]
		mov	[ebp+var_50], 8000h
		mov	[ebp+var_4C], edx
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, esi
		mov	[ebp+var_34], ecx
		mov	[ebp+var_1C], ebx
		mov	eax, edi
		shr	eax, 5
		lea	edx, [edx+eax*4]
		mov	[ebp+var_1C], edx
		mov	eax, edi
		and	eax, 1Fh
		mov	[ebp+var_24], eax
		add	eax, esi
		cmp	eax, 20h
		jbe	loc_4F3EEE
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_5D1578

loc_4F3E08:				; CODE XREF: RtlCSparseBitmapBitsClear+CFj
		cmp	ecx, 20h
		jb	short loc_4F3E2F
		mov	[edx], ebx
		add	edx, 4
		sub	ecx, 20h

loc_4F3E15:				; CODE XREF: RtlCSparseBitmapBitsClear+DD850j
		mov	[ebp+var_1C], edx
		mov	[ebp+var_34], ecx
		jmp	short loc_4F3E08
; 

loc_4F3E1D:				; CODE XREF: RtlCSparseBitmapBitsClear+21j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4F3E2F:				; CODE XREF: RtlCSparseBitmapBitsClear+BFj
		test	ecx, ecx
		jnz	loc_5D15A1

loc_4F3E37:				; CODE XREF: RtlCSparseBitmapBitsClear+1B9j
					; RtlCSparseBitmapBitsClear+1C0j
		cmp	esi, 200h
		jge	loc_5D15AB
		and	edi, 0FFFFFE00h
		mov	[ebp+var_3C], edi
		mov	[ebp+var_28], ebx
		mov	eax, [ebp+var_50]
		mov	edi, [ebp+var_3C]
		cmp	edi, eax
		jnb	loc_4F3EEA
		sub	eax, edi
		cmp	eax, 200h
		jb	loc_4F3EEA
		lea	edx, [edi+1FFh]
		mov	eax, edi
		shr	eax, 5
		mov	ecx, [ebp+var_4C]
		lea	esi, [ecx+eax*4]
		mov	[ebp+var_28], esi
		shr	edx, 5
		lea	edx, [ecx+edx*4]
		mov	eax, [esi]
		mov	[ebp+var_24], eax
		cmp	esi, edx
		jz	short loc_4F3EA9
		or	eax, 0FFFFFFFFh
		mov	ecx, edi
		shl	eax, cl
		test	[ebp+var_24], eax

loc_4F3E97:				; CODE XREF: RtlCSparseBitmapBitsClear+15Bj
		jnz	short loc_4F3EEA
		add	esi, 4
		mov	[ebp+var_28], esi
		mov	eax, [esi]
		cmp	esi, edx
		jz	short loc_4F3EA9
		test	eax, eax
		jmp	short loc_4F3E97
; 

loc_4F3EA9:				; CODE XREF: RtlCSparseBitmapBitsClear+13Fj
					; RtlCSparseBitmapBitsClear+157j
		xor	eax, eax
		inc	eax

loc_4F3EAC:				; CODE XREF: RtlCSparseBitmapBitsClear+1A0j
		mov	[ebp+var_40], eax
		mov	esi, [ebp+var_20]

loc_4F3EB2:				; CODE XREF: RtlCSparseBitmapBitsClear+DD865j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	eax, eax
		jz	short loc_4F3ED5
		xor	eax, eax
		cmp	[ebp+var_44], 8000h
		setz	al
		push	eax
		mov	edx, [ebp+var_38]
		mov	ecx, [ebp+var_2C]
		call	RtlpCSparseBitmapPageDecommit

loc_4F3ED5:				; CODE XREF: RtlCSparseBitmapBitsClear+16Fj
					; sub_5D15BA+Fj
		mov	ecx, [ebp+arg_0]

loc_4F3ED8:				; CODE XREF: RtlCSparseBitmapBitsClear+6Fj
					; RtlCSparseBitmapBitsClear+DD895j ...
		mov	eax, [ebp+var_30]
		add	eax, esi
		mov	[ebp+var_30], eax
		sub	ecx, esi
		mov	[ebp+arg_0], ecx
		jmp	loc_4F3D6B
; 

loc_4F3EEA:				; CODE XREF: RtlCSparseBitmapBitsClear+10Bj
					; RtlCSparseBitmapBitsClear+118j ...
		mov	eax, ebx
		jmp	short loc_4F3EAC
; 

loc_4F3EEE:				; CODE XREF: RtlCSparseBitmapBitsClear+ABj
		cmp	esi, 20h
		jz	short loc_4F3F0A
		xor	eax, eax
		inc	eax
		mov	ecx, esi
		shl	eax, cl
		dec	eax
		mov	ecx, [ebp+var_24]
		shl	eax, cl
		not	eax

loc_4F3F02:				; CODE XREF: RtlCSparseBitmapBitsClear+DD85Aj
		lock and [edx],	eax
		jmp	loc_4F3E37
; 

loc_4F3F0A:				; CODE XREF: RtlCSparseBitmapBitsClear+1A5j
		mov	[edx], ebx
		jmp	loc_4F3E37
RtlCSparseBitmapBitsClear endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCSparseBitmapPageDecommit proc near	; CODE XREF: RtlCSparseBitmapBitsClear+184p

var_6C		= dword	ptr -6Ch
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D1608 SIZE 0000002A BYTES
; FUNCTION CHUNK AT 005D164F SIZE 00000079 BYTES

		push	5Ch
		push	offset dword_6A33C0
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		mov	[ebp+var_24], ecx
		xor	esi, esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], esi
		xor	eax, eax
		lea	edi, [ebp+var_6C]
		stosd
		stosd
		stosd
		mov	[ebp+var_38], esi
		mov	edi, [ecx+8]
		mov	[ebp+var_3C], edi
		mov	eax, [ecx+4]
		mov	[ebp+var_58], edi
		mov	[ebp+var_54], eax
		mov	ebx, edx
		shl	ebx, 0Fh
		mov	[ebp+var_44], ebx
		mov	edi, 8000h
		mov	[ebp+var_28], edi
		mov	eax, [ebp+var_3C]
		sub	eax, ebx
		cmp	eax, edi
		jbe	loc_4F415D

loc_4F3F66:				; CODE XREF: RtlpCSparseBitmapPageDecommit+250j
		call	_RtlCSparseBitmapEnterLockingRegion@4 ;	RtlCSparseBitmapEnterLockingRegion(x)
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], edx

loc_4F3F71:				; CODE XREF: RtlpCSparseBitmapPageDecommit+DD763j
		cmp	[ebp+arg_0], 0
		jnz	loc_4F403C
		mov	[ebp+ms_exc.disabled], esi
		mov	[ebp+var_20], esi
		mov	eax, [ebp+var_58]
		cmp	ebx, eax
		jnb	short loc_4F3FE7
		cmp	edi, 1
		jbe	loc_5D1608
		sub	eax, ebx
		cmp	eax, edi
		jb	short loc_4F3FE7
		lea	eax, [ebx-1]
		add	eax, edi
		mov	[ebp+var_3C], eax
		mov	eax, ebx
		shr	eax, 5
		mov	ecx, [ebp+var_54]
		lea	edx, [ecx+eax*4]
		mov	[ebp+var_20], edx
		lea	eax, [ebx-1]
		add	eax, edi
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	[ebp+arg_0], eax
		mov	edx, [edx]
		cmp	[ebp+var_20], eax
		jz	loc_5D161F
		or	eax, 0FFFFFFFFh
		mov	ecx, ebx
		shl	eax, cl
		test	edx, eax
		jnz	short loc_4F3FE7
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+arg_0]

loc_4F3FD7:				; CODE XREF: RtlpCSparseBitmapPageDecommit+D3j
		add	eax, 4
		mov	[ebp+var_20], eax
		mov	edx, [eax]
		cmp	eax, ecx
		jz	short loc_4F4029
		test	edx, edx
		jz	short loc_4F3FD7

loc_4F3FE7:				; CODE XREF: RtlpCSparseBitmapPageDecommit+74j
					; RtlpCSparseBitmapPageDecommit+83j ...
		mov	edx, esi

loc_4F3FE9:				; CODE XREF: RtlpCSparseBitmapPageDecommit+128j
					; RtlpCSparseBitmapPageDecommit+DD708j
		mov	[ebp+var_40], edx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_4F3FF3:				; CODE XREF: sub_5D1636+14j
		test	edx, edx
		jnz	short loc_4F403C

loc_4F3FF7:				; CODE XREF: RtlpCSparseBitmapPageDecommit+171j
					; RtlpCSparseBitmapPageDecommit+17Cj ...
		cmp	[ebp+var_38], 0
		jnz	loc_4F4139

loc_4F4001:				; CODE XREF: RtlpCSparseBitmapPageDecommit+246j
					; RtlpCSparseBitmapPageDecommit+DD7A5j	...
		mov	eax, [ebp+var_5C]
		cmp	byte ptr [eax+18h], 0
		jz	loc_4F4167
		mov	cl, byte ptr [ebp+var_60]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4F4017:				; CODE XREF: RtlpCSparseBitmapPageDecommit+261j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4F4029:				; CODE XREF: RtlpCSparseBitmapPageDecommit+CFj
		mov	ecx, [ebp+var_3C]
		not	ecx
		or	eax, 0FFFFFFFFh
		shr	eax, cl

loc_4F4033:				; CODE XREF: RtlpCSparseBitmapPageDecommit+DD71Bj
		and	edx, eax
		neg	edx
		sbb	edx, edx
		inc	edx
		jmp	short loc_4F3FE9
; 

loc_4F403C:				; CODE XREF: RtlpCSparseBitmapPageDecommit+63j
					; RtlpCSparseBitmapPageDecommit+E3j
		mov	[ebp+arg_0], esi
		lea	eax, [ebp+var_6C]
		push	eax
		xor	edx, edx
		inc	edx
		mov	edi, [ebp+var_24]
		mov	ecx, edi
		call	_RtlpCSparseBitmapLock@12 ; RtlpCSparseBitmapLock(x,x,x)
		mov	edx, [edi+10h]
		mov	[ebp+var_2C], edx
		mov	ecx, edi
		add	ecx, 10h
		mov	[ebp+var_3C], ecx
		cmp	edx, 0FFFFFFFFh
		jnz	loc_5D164F
		mov	eax, [ebp+var_1C]
		mov	[ecx], eax
		lea	ecx, [ebp+var_6C]
		call	RtlpCSparseBitmapUnlock
		mov	[ebp+var_38], 1
		mov	eax, [edi]
		mov	edx, [ebp+var_1C]
		bt	[eax], edx
		jnb	loc_4F3FF7
		mov	eax, [ebp+var_58]
		cmp	ebx, eax
		jnb	loc_4F3FF7
		mov	ecx, [ebp+var_28]
		cmp	ecx, 1
		jbe	loc_5D167A
		sub	eax, ebx
		cmp	eax, ecx
		jb	loc_4F3FF7
		lea	eax, [ecx-1]
		add	eax, ebx
		mov	[ebp+var_28], eax
		mov	eax, ebx
		shr	eax, 5
		mov	edx, [ebp+var_54]
		lea	edi, [edx+eax*4]
		mov	eax, [ebp+var_28]
		shr	eax, 5
		lea	edx, [edx+eax*4]
		mov	eax, [edi]
		mov	[ebp+arg_0], eax
		or	eax, 0FFFFFFFFh
		cmp	edi, edx
		jz	loc_5D1692
		mov	ecx, ebx
		shl	eax, cl
		test	[ebp+arg_0], eax
		jmp	short loc_4F40E1
; 

loc_4F40DF:				; CODE XREF: RtlpCSparseBitmapPageDecommit+1DAj
		cmp	[edi], esi

loc_4F40E1:				; CODE XREF: RtlpCSparseBitmapPageDecommit+1CBj
		jnz	loc_4F3FF7
		add	edi, 4
		cmp	edi, edx
		jnz	short loc_4F40DF
		mov	ecx, [ebp+var_28]
		not	ecx
		or	eax, 0FFFFFFFFh
		shr	eax, cl
		and	eax, [edi]

loc_4F40FA:				; CODE XREF: RtlpCSparseBitmapPageDecommit+DD790j
		neg	eax
		mov	edx, [ebp+var_1C]
		mov	edi, [ebp+var_24]
		sbb	al, al

loc_4F4104:				; CODE XREF: RtlpCSparseBitmapPageDecommit+DD77Bj
		inc	al
		test	al, al
		jz	loc_4F3FF7
		mov	eax, [edi]
		lock btr [eax],	edx
		shl	edx, 0Ch
		add	edx, [edi+4]
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], 1000h
		push	40004000h
		lea	edx, [ebp+var_30]
		lea	ecx, [ebp+var_34]
		call	_RtlpHpEnvFreeVA@12 ; RtlpHpEnvFreeVA(x,x,x)
		jmp	loc_4F3FF7
; 

loc_4F4139:				; CODE XREF: RtlpCSparseBitmapPageDecommit+E9j
		mov	eax, [ebp+var_24]
		mov	dword ptr [eax+10h], 0FFFFFFFFh
		cmp	byte ptr [eax+18h], 0
		jz	loc_5D16A7
		mov	[ebp+var_50], esi
		xor	ecx, ecx
		lea	eax, [ebp+var_50]
		lock or	[eax], ecx
		jmp	loc_4F4001
; 

loc_4F415D:				; CODE XREF: RtlpCSparseBitmapPageDecommit+4Ej
		mov	edi, eax
		mov	[ebp+var_28], eax
		jmp	loc_4F3F66
; 

loc_4F4167:				; CODE XREF: RtlpCSparseBitmapPageDecommit+F6j
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_4F4017
RtlpCSparseBitmapPageDecommit endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVaMgrRangeCreate proc near	; CODE XREF: RtlpHpVaMgrRegionAllocate+3Fp
					; RtlpHpVaMgrAlloc+162p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D16C8 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, edx
		push	edi
		mov	edx, ecx
		mov	[ebp+var_4], eax
		xor	edi, edi
		mov	[ebp+var_8], edx
		test	byte ptr [esi],	4
		jz	short loc_4F41C8
		mov	ecx, [esi+0Ch]

loc_4F419A:				; CODE XREF: RtlpHpVaMgrRangeCreate+54j
		mov	[ebp+arg_0], ecx
		mov	ecx, [edx+0Ch]
		mov	edx, eax
		push	esi		; void *
		sub	edx, [ecx+4]
		add	ecx, 8
		shr	edx, 14h
		call	RtlSparseArrayElementAllocate
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jz	short loc_4F422F
		test	byte ptr [ebx],	4
		jz	short loc_4F41CE

loc_4F41BF:				; CODE XREF: RtlpHpVaMgrRangeCreate+7Ej
					; RtlpHpVaMgrRangeCreate+B0j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_4F41C8:				; CODE XREF: RtlpHpVaMgrRangeCreate+1Dj
		movzx	ecx, word ptr [esi+0Ch]
		jmp	short loc_4F419A
; 

loc_4F41CE:				; CODE XREF: RtlpHpVaMgrRangeCreate+45j
		mov	ecx, [ebp+var_8]
		xor	edi, edi
		or	byte ptr [esi],	2
		inc	edi
		add	[ebp+var_4], 100000h
		mov	al, [ecx+18h]
		mov	[esi+1], al
		and	dword ptr [esi+4], 0
		and	dword ptr [esi+8], 0
		mov	dword ptr [esi+0Ch], 89ABCDEFh
		cmp	[ebp+arg_0], edi
		jbe	short loc_4F41BF
		mov	ebx, [ebp+var_4]

loc_4F41FB:				; CODE XREF: RtlpHpVaMgrRangeCreate+A8j
		mov	ecx, [ecx+0Ch]
		mov	edx, ebx
		push	esi		; void *
		sub	edx, [ecx+4]
		add	ecx, 8
		shr	edx, 14h
		call	RtlSparseArrayElementAllocate
		test	eax, eax
		jz	short loc_4F4222
		mov	ecx, [ebp+var_8]
		inc	edi
		add	ebx, 100000h
		cmp	edi, [ebp+arg_0]
		jb	short loc_4F41FB

loc_4F4222:				; CODE XREF: RtlpHpVaMgrRangeCreate+99j
		mov	ebx, [ebp+var_C]

loc_4F4225:				; CODE XREF: RtlpHpVaMgrRangeCreate+B9j
		cmp	edi, [ebp+arg_0]
		jnb	short loc_4F41BF
		jmp	loc_5D16C8
; 

loc_4F422F:				; CODE XREF: RtlpHpVaMgrRangeCreate+40j
		xor	ebx, ebx
		jmp	short loc_4F4225
RtlpHpVaMgrRangeCreate endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlSparseArrayElementAllocate(void *)
RtlSparseArrayElementAllocate proc near	; CODE XREF: RtlpHpVaMgrRangeCreate+34p
					; RtlpHpVaMgrRangeCreate+92p

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D16FE SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_C], 0
		xor	eax, eax
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	esi, ecx
		stosd
		mov	ebx, [esi+4]
		mov	ecx, ebx
		stosd
		shl	edx, cl
		lea	ecx, [esi+8]
		stosd
		lea	eax, [ebp+var_C]
		mov	edi, [esi+0Ch]
		add	edi, edx
		shl	edx, 3
		push	eax
		lea	eax, [ebp+var_18]
		shr	edx, 0Fh
		push	eax
		call	RtlpCSparseBitmapPageCommit
		test	eax, eax
		js	short loc_4F42B2
		xor	eax, eax
		mov	ecx, ebx
		inc	eax
		shl	eax, cl
		push	eax		; size_t
		push	[ebp+arg_0]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	ecx, [ebp+var_18]
		call	RtlpCSparseBitmapUnlock
		mov	eax, [ebp+var_8]
		cmp	byte ptr [eax+18h], 0
		jz	loc_5D16FE
		mov	cl, byte ptr [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4F42A9:				; CODE XREF: RtlSparseArrayElementAllocate+80j
					; RtlSparseArrayElementAllocate+DD4D6j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4F42B2:				; CODE XREF: RtlSparseArrayElementAllocate+41j
		xor	edi, edi
		jmp	short loc_4F42A9
RtlSparseArrayElementAllocate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCSparseBitmapUnlock	proc near	; CODE XREF: RtlCSparseBitmapBitmaskWrite+86p
					; RtlpCSparseBitmapPageDecommit+15Dp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D170F SIZE 0000004B BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	edx, ecx
		push	esi
		push	edi
		mov	eax, [edx+8]
		mov	esi, [edx]
		cmp	byte ptr [eax+18h], 0
		lea	ecx, [eax+0Ch]
		mov	[ebp+var_8], ecx
		jz	short loc_4F430F
		mov	al, [edx+4]
		mov	byte ptr [ebp+var_4+3],	al
		push	ecx
		cmp	esi, 1
		jz	short loc_4F4308
		call	ExReleaseSpinLockSharedFromDpcLevel

loc_4F42F6:				; CODE XREF: RtlpCSparseBitmapUnlock+57j
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4F42FF:				; CODE XREF: RtlpCSparseBitmapUnlock+81j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4F4308:				; CODE XREF: RtlpCSparseBitmapUnlock+39j
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	short loc_4F42F6
; 

loc_4F430F:				; CODE XREF: RtlpCSparseBitmapUnlock+2Dj
		cmp	esi, 1
		jz	short loc_4F4339
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	loc_4F44C4

loc_4F4326:				; CODE XREF: RtlpCSparseBitmapUnlock+216j
		call	KeAbPostRelease

loc_4F432B:				; CODE XREF: RtlpCSparseBitmapUnlock+A8j
					; RtlpCSparseBitmapUnlock+1DFj	...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_4F42FF
; 

loc_4F4339:				; CODE XREF: RtlpCSparseBitmapUnlock+5Cj
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_4F4353
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]

loc_4F4353:				; CODE XREF: RtlpCSparseBitmapUnlock+93j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	short loc_4F432B
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_4F4388
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_4F4396

loc_4F4388:				; CODE XREF: RtlpCSparseBitmapUnlock+C7j
		cmp	ecx, [ebp+var_20]
		jb	short loc_4F43A9
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jnz	short loc_4F43A9

loc_4F4396:				; CODE XREF: RtlpCSparseBitmapUnlock+D0j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax

loc_4F43A9:				; CODE XREF: RtlpCSparseBitmapUnlock+D5j
					; RtlpCSparseBitmapUnlock+DEj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_4F44B1
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_4F43EE
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_4F43EE:				; CODE XREF: RtlpCSparseBitmapUnlock+12Ej
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5D1722
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4F443A:				; CODE XREF: RtlpCSparseBitmapUnlock+203j
					; RtlpCSparseBitmapUnlock+DD47Ej
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_4F448C
		test	edi, 8000h
		jz	short loc_4F445E
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4F445E:				; CODE XREF: RtlpCSparseBitmapUnlock+19Dj
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5D1739

loc_4F4468:				; CODE XREF: RtlpCSparseBitmapUnlock+DD48Dj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4F447C
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4F447C:				; CODE XREF: RtlpCSparseBitmapUnlock+1B9j
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5D1748

loc_4F448C:				; CODE XREF: RtlpCSparseBitmapUnlock+195j
					; RtlpCSparseBitmapUnlock+DD49Fj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	loc_4F432B
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	loc_4F432B
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4F432B
; 

loc_4F44B1:				; CODE XREF: RtlpCSparseBitmapUnlock+11Cj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4F443A
		jmp	loc_5D170F
; 

loc_4F44C4:				; CODE XREF: RtlpCSparseBitmapUnlock+6Aj
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_4F4326
RtlpCSparseBitmapUnlock	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCSparseBitmapPageCommit proc near	; CODE XREF: RtlCSparseBitmapBitmaskWrite+3Fp
					; RtlSparseArrayElementAllocate+3Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D175A SIZE 00000099 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		mov	ebx, edx
		xor	edx, edx
		push	esi
		mov	esi, ecx
		mov	[esp+1Ch+var_4], ebx
		mov	eax, ebx
		mov	[esp+1Ch+var_C], edx
		shr	eax, 0Fh
		push	edi
		bt	[esi+20h], eax
		mov	[esp+20h+var_10], edx
		mov	[esp+20h+var_8], eax
		jnb	loc_5D175A

loc_4F4505:				; CODE XREF: RtlpCSparseBitmapPageCommit+DD2CFj
		mov	ecx, esi
		call	_RtlCSparseBitmapEnterLockingRegion@4 ;	RtlCSparseBitmapEnterLockingRegion(x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		mov	[ecx+4], edx

loc_4F4514:				; CODE XREF: RtlpCSparseBitmapPageCommit+DD2EAj
		push	[ebp+arg_0]
		xor	edx, edx
		mov	ecx, esi
		call	_RtlpCSparseBitmapLock@12 ; RtlpCSparseBitmapLock(x,x,x)
		cmp	[esi+10h], ebx
		jz	loc_5D17A6
		mov	eax, [esi]
		bt	[eax], ebx
		jnb	short loc_4F453D

loc_4F4530:				; CODE XREF: RtlpCSparseBitmapPageCommit+B2j
		xor	edi, edi

loc_4F4532:				; CODE XREF: RtlpCSparseBitmapPageCommit+DD2BEj
					; RtlpCSparseBitmapPageCommit+DD311j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4F453D:				; CODE XREF: RtlpCSparseBitmapPageCommit+5Cj
		xor	ecx, ecx
		mov	[esp+20h+var_10], 1000h
		push	ecx
		mov	eax, ebx
		lea	edx, [esp+24h+var_10]
		shl	eax, 0Ch
		add	eax, [esi+4]
		push	ecx
		mov	[esp+28h+var_C], eax
		movzx	eax, byte ptr [esi+1Ah]
		push	eax
		movzx	eax, byte ptr [esi+19h]
		push	eax
		push	4
		push	40001000h
		push	ecx
		lea	ecx, [esp+3Ch+var_C]
		call	RtlpHpEnvAllocVA
		mov	edi, eax
		test	edi, edi
		js	loc_5D17C1
		mov	eax, [esi]
		lock bts [eax],	ebx
		jmp	short loc_4F4530
RtlpCSparseBitmapPageCommit endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpCSparseBitmapLock(x, x,	x)
_RtlpCSparseBitmapLock@12 proc near	; CODE XREF: RtlpCSparseBitmapPageDecommit+139p
					; RtlpCSparseBitmapPageCommit+49p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		cmp	byte ptr [edi+18h], 0
		lea	ecx, [edi+0Ch]
		jz	short loc_4F45BF
		push	ecx
		cmp	esi, 1
		jz	short loc_4F45B8
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)

loc_4F45A5:				; CODE XREF: RtlpCSparseBitmapLock(x,x,x)+37j
		mov	cl, al

loc_4F45A7:				; CODE XREF: RtlpCSparseBitmapLock(x,x,x)+56j
		mov	eax, [ebp+arg_0]
		mov	[eax+4], cl
		mov	[eax+8], edi
		pop	edi
		mov	[eax], esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_4F45B8:				; CODE XREF: RtlpCSparseBitmapLock(x,x,x)+18j
		call	ExAcquireSpinLockExclusive
		jmp	short loc_4F45A5
; 

loc_4F45BF:				; CODE XREF: RtlpCSparseBitmapLock(x,x,x)+12j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		cmp	esi, 1
		jz	short loc_4F45DE
		call	ExAcquirePushLockSharedEx

loc_4F45D9:				; CODE XREF: RtlpCSparseBitmapLock(x,x,x)+5Dj
		or	cl, 0FFh
		jmp	short loc_4F45A7
; 

loc_4F45DE:				; CODE XREF: RtlpCSparseBitmapLock(x,x,x)+4Cj
		call	ExAcquirePushLockExclusiveEx
		jmp	short loc_4F45D9
_RtlpCSparseBitmapLock@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCSparseBitmapEnterLockingRegion(x)
_RtlCSparseBitmapEnterLockingRegion@4 proc near
					; CODE XREF: RtlpCSparseBitmapPageDecommit:loc_4F3F66p
					; RtlpCSparseBitmapPageCommit+35p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], esi
		cmp	byte ptr [esi+18h], 0
		jz	short loc_4F4610
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	byte ptr [ebp+var_8], al

loc_4F4608:				; CODE XREF: RtlCSparseBitmapEnterLockingRegion(x)+3Fj
		mov	eax, [ebp+var_8]
		mov	edx, esi
		pop	esi
		leave
		retn
; 

loc_4F4610:				; CODE XREF: RtlCSparseBitmapEnterLockingRegion(x)+15j
		mov	eax, large fs:124h
		mov	byte ptr [ebp+var_8], 0FFh
		dec	word ptr [eax+13Eh]
		nop
		mov	esi, [ebp+var_4]
		jmp	short loc_4F4608
_RtlCSparseBitmapEnterLockingRegion@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVaMgrAllocAligned(x, x, x)
_RtlpHpVaMgrAllocAligned@12 proc near	; CODE XREF: RtlpHpVaMgrRegionAllocate+1Ap
					; RtlpHpVaMgrAlloc+131p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, ecx
		mov	al, [edi+1Ah]
		movzx	esi, al
		shr	esi, 1
		and	esi, 3
		cmp	esi, 2
		sbb	ecx, ecx
		and	ecx, 0DFFFF000h
		add	ecx, 20003000h
		test	al, 8
		jnz	short loc_4F4679

loc_4F4656:				; CODE XREF: RtlpHpVaMgrAllocAligned(x,x,x)+57j
		movzx	eax, byte ptr [edi+19h]
		push	eax
		mov	eax, [edi+0Ch]
		push	ecx
		push	esi
		push	dword ptr [eax]
		push	4
		push	ecx
		push	[ebp+arg_0]
		lea	ecx, [ebp+var_4]
		call	RtlpHpEnvAllocVA
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_4F4679:				; CODE XREF: RtlpHpVaMgrAllocAligned(x,x,x)+2Cj
		or	ecx, 40000h
		jmp	short loc_4F4656
_RtlpHpVaMgrAllocAligned@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegMgrAllocate proc near		; CODE XREF: RtlpHpSegSegmentAllocate+21p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D17F3 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_C]
		xor	edi, edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], edi
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], edi
		mov	esi, edx
		mov	[ebp+var_4], edi
		mov	edx, [ebp+arg_0]
		mov	ebx, ecx
		push	eax
		call	RtlpHpSegMgrReserve
		test	eax, eax
		js	short loc_4F46F0
		push	[ebp+arg_0]	; int
		mov	ecx, ebx
		push	40001000h	; int
		push	esi		; int
		push	esi		; size_t
		mov	esi, [ebp+var_4]
		mov	edx, esi
		push	edi		; int
		call	RtlpHpSegMgrCommit
		test	eax, eax
		js	short loc_4F46DF
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+var_C]
		jb	loc_5D17F3

loc_4F46DB:				; CODE XREF: RtlpHpSegMgrAllocate+DD17Aj
		mov	edi, esi
		xor	esi, esi

loc_4F46DF:				; CODE XREF: RtlpHpSegMgrAllocate+4Bj
					; RtlpHpSegMgrAllocate+71j
		test	esi, esi
		jnz	loc_5D1801

loc_4F46E7:				; CODE XREF: RtlpHpSegMgrAllocate+DD18Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4F46F0:				; CODE XREF: RtlpHpSegMgrAllocate+30j
		mov	esi, [ebp+var_4]
		jmp	short loc_4F46DF
RtlpHpSegMgrAllocate endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegMgrReserve proc near		; CODE XREF: RtlpHpSegMgrAllocate+29p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D1811 SIZE 0000049E BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 58h
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_18], esi
		mov	[ebp+var_34], edi
		mov	edx, edi
		mov	eax, [esi]
		not	eax
		inc	eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], eax
		lea	eax, [esi+5Ch]
		mov	[ebp+var_30], eax
		cmp	[eax], edi
		jnz	loc_5D1811
		cmp	[eax+4], edi
		jnz	loc_5D1811

loc_4F4743:				; CODE XREF: RtlpHpSegMgrReserve+DD33Fj
					; RtlpHpSegMgrReserve+DD570j
		mov	[ebp+var_10], edx
		test	edx, edx
		jnz	short loc_4F4799

loc_4F474A:				; CODE XREF: RtlpHpSegMgrReserve+DD326j
		mov	al, [esi+9]
		and	al, 7
		cmp	al, 1
		jnb	loc_5D1C6B

loc_4F4757:				; CODE XREF: RtlpHpSegMgrReserve+DD57Dj
					; RtlpHpSegMgrReserve+DD586j
		mov	eax, [esi+24h]
		mov	eax, [eax+0Ch]
		and	eax, 40000000h
		neg	eax
		sbb	eax, eax
		and	eax, 3Ch
		add	eax, 4
		push	dword ptr [esi+20h]
		lea	edx, [ebp+var_C]
		push	dword ptr [esi+1Ch]
		lea	ecx, [ebp+var_10]
		push	eax
		push	2000h
		push	[ebp+var_C]
		call	RtlpHpAllocVA
		mov	[ebp+var_34], eax
		test	eax, eax
		js	short loc_4F47CD
		mov	eax, [ebp+var_1C]
		cmp	eax, [ebp+var_C]
		jb	loc_5D1C81

loc_4F4799:				; CODE XREF: RtlpHpSegMgrReserve+52j
					; RtlpHpSegMgrReserve+DD599j
		mov	eax, [ebx+0Ch]
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_34], edi
		mov	[eax], ecx
		mov	ecx, [ebx+10h]
		mov	eax, [ebp+var_C]
		mov	[ecx], eax
		mov	ecx, [ebx+8]
		mov	eax, [ebp+var_10]
		mov	[ebp+var_10], edi
		mov	[ecx], eax

loc_4F47B7:				; CODE XREF: RtlpHpSegMgrReserve+DAj
		test	edi, edi
		jnz	loc_5D1C94

loc_4F47BF:				; CODE XREF: RtlpHpSegMgrReserve+DD5B4j
		mov	eax, [ebp+var_34]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
; 

loc_4F47CD:				; CODE XREF: RtlpHpSegMgrReserve+95j
		mov	edi, [ebp+var_10]
		jmp	short loc_4F47B7
RtlpHpSegMgrReserve endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVaMgrFree(x, x)
_RtlpHpVaMgrFree@8 proc	near		; CODE XREF: RtlpHpVaMgrAlloc+1ECp
					; RtlpHpVaMgrCtxFree+104p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	RtlpHpVaMgrRangeCoalesce
		mov	edi, eax
		movzx	ebx, word ptr [edi+0Ch]
		cmp	bx, [esi+14h]
		jz	short loc_4F4850
		lea	edx, [esi+4]
		test	byte ptr [edx+4], 1
		mov	eax, [edx]
		jz	short loc_4F47FF
		test	eax, eax
		jz	short loc_4F47FF
		xor	eax, edx

loc_4F47FF:				; CODE XREF: RtlpHpVaMgrFree(x,x)+25j
					; RtlpHpVaMgrFree(x,x)+29j
		movzx	esi, byte ptr [edx+4]
		and	esi, 1
		mov	byte ptr [ebp+var_4], 0
		test	eax, eax
		jz	short loc_4F4843

loc_4F480E:				; CODE XREF: RtlpHpVaMgrFree(x,x)+55j
		cmp	bx, [eax+0Ch]
		jb	short loc_4F4829
		mov	ecx, [eax+4]
		test	esi, esi
		jz	short loc_4F4821
		test	ecx, ecx
		jz	short loc_4F483F
		xor	ecx, eax

loc_4F4821:				; CODE XREF: RtlpHpVaMgrFree(x,x)+47j
		test	ecx, ecx
		jz	short loc_4F483F

loc_4F4825:				; CODE XREF: RtlpHpVaMgrFree(x,x)+65j
		mov	eax, ecx
		jmp	short loc_4F480E
; 

loc_4F4829:				; CODE XREF: RtlpHpVaMgrFree(x,x)+40j
		mov	ecx, [eax]
		test	esi, esi
		jz	short loc_4F4835
		test	ecx, ecx
		jz	short loc_4F4839
		xor	ecx, eax

loc_4F4835:				; CODE XREF: RtlpHpVaMgrFree(x,x)+5Bj
		test	ecx, ecx
		jnz	short loc_4F4825

loc_4F4839:				; CODE XREF: RtlpHpVaMgrFree(x,x)+5Fj
		mov	byte ptr [ebp+var_4], 0
		jmp	short loc_4F4843
; 

loc_4F483F:				; CODE XREF: RtlpHpVaMgrFree(x,x)+4Bj
					; RtlpHpVaMgrFree(x,x)+51j
		mov	byte ptr [ebp+var_4], 1

loc_4F4843:				; CODE XREF: RtlpHpVaMgrFree(x,x)+3Aj
					; RtlpHpVaMgrFree(x,x)+6Bj
		push	edi
		push	[ebp+var_4]
		push	eax
		push	edx
		call	RtlRbInsertNodeEx
		xor	edi, edi

loc_4F4850:				; CODE XREF: RtlpHpVaMgrFree(x,x)+1Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_RtlpHpVaMgrFree@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVaMgrRangeCoalesce proc near	; CODE XREF: RtlpHpVaMgrFree(x,x)+Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D1CAF SIZE 00000009 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	ebx, esi
		mov	[ebp+var_4], edi
		movzx	eax, word ptr [edi+14h]
		and	byte ptr [esi],	0FEh
		shl	eax, 4
		mov	edx, eax
		neg	edx
		and	edx, esi
		add	edx, eax
		movzx	eax, word ptr [esi+0Ch]
		mov	[ebp+var_C], eax
		movzx	eax, word ptr [esi+0Eh]
		shl	eax, 4
		sub	ebx, eax
		mov	[ebp+var_8], edx
		cmp	ebx, esi
		jnb	short loc_4F489A
		test	byte ptr [ebx],	1
		jz	short loc_4F4905

loc_4F489A:				; CODE XREF: RtlpHpVaMgrRangeCoalesce+3Bj
					; RtlpHpVaMgrRangeCoalesce+DEj
		movzx	eax, word ptr [esi+0Ch]
		mov	ebx, eax
		mov	ecx, eax
		shl	ebx, 4
		add	ebx, esi
		cmp	ebx, edx
		jb	short loc_4F48C0

loc_4F48AB:				; CODE XREF: RtlpHpVaMgrRangeCoalesce+6Dj
					; RtlpHpVaMgrRangeCoalesce+A2j
		movzx	eax, cx
		shl	eax, 4
		add	eax, esi
		cmp	cx, word ptr [ebp+var_C]
		ja	short loc_4F48FC

loc_4F48B9:				; CODE XREF: RtlpHpVaMgrRangeCoalesce+A6j
					; RtlpHpVaMgrRangeCoalesce+DD45Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F48C0:				; CODE XREF: RtlpHpVaMgrRangeCoalesce+51j
		test	byte ptr [ebx],	1
		mov	ecx, eax
		jnz	short loc_4F48AB
		push	ebx
		lea	eax, [edi+4]
		push	eax
		call	RtlRbRemoveNode
		mov	ax, [ebx+0Ch]
		mov	edi, ebx
		add	[esi+0Ch], ax
		xor	eax, eax
		mov	edx, [ebp+var_8]
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_4]
		mov	byte ptr [ebx],	2
		mov	al, [eax+18h]
		mov	[ebx+1], al
		mov	dword ptr [ebx+0Ch], 89ABCDEFh
		movzx	ecx, word ptr [esi+0Ch]
		jmp	short loc_4F48AB
; 

loc_4F48FC:				; CODE XREF: RtlpHpVaMgrRangeCoalesce+5Fj
		cmp	eax, edx
		jnb	short loc_4F48B9
		jmp	loc_5D1CAF
; 

loc_4F4905:				; CODE XREF: RtlpHpVaMgrRangeCoalesce+40j
		push	ebx
		lea	eax, [edi+4]
		push	eax
		call	RtlRbRemoveNode
		mov	ax, [esi+0Ch]
		mov	edi, esi
		add	[ebx+0Ch], ax
		xor	eax, eax
		mov	edx, [ebp+var_8]
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_4]
		mov	byte ptr [esi],	2
		mov	al, [edi+18h]
		mov	[esi+1], al
		mov	dword ptr [esi+0Ch], 89ABCDEFh
		mov	esi, ebx
		jmp	loc_4F489A
RtlpHpVaMgrRangeCoalesce endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVaMgrRangeSplit(x, x,	x)
_RtlpHpVaMgrRangeSplit@12 proc near	; CODE XREF: RtlpHpVaMgrAlloc+1E3p
					; RtlpHpVaMgrAlloc+DE86Ep ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, eax
		push	esi
		movzx	esi, ax
		push	edi
		mov	edi, edx
		shl	ebx, 4
		add	ebx, edi
		mov	ax, [edi+0Ch]
		sub	ax, si
		mov	[ebx+0Eh], si
		mov	[ebx+0Ch], ax
		mov	[edi+0Ch], si
		mov	al, [ebx]
		movzx	esi, word ptr [ebx+0Ch]
		and	al, 0FDh
		or	al, 1
		mov	[ebx], al
		mov	eax, [edi+4]
		mov	[ebx+4], eax
		mov	eax, [edi+8]
		mov	[ebx+8], eax
		mov	eax, esi
		movzx	edx, word ptr [ecx+14h]
		shl	edx, 4
		mov	ecx, edx
		shl	eax, 4
		neg	ecx
		add	eax, ebx
		and	ecx, edi
		add	ecx, edx
		cmp	eax, ecx
		jb	short loc_4F49A1

loc_4F4998:				; CODE XREF: RtlpHpVaMgrRangeSplit(x,x,x)+69j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4F49A1:				; CODE XREF: RtlpHpVaMgrRangeSplit(x,x,x)+5Aj
		mov	[eax+0Eh], si
		jmp	short loc_4F4998
_RtlpHpVaMgrRangeSplit@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static int __cdecl ST_STORE<struct SM_TRAITS>::StDmCombineTargetCompare(void *, void const *,	void const *)
?StDmCombineTargetCompare@?$ST_STORE@USM_TRAITS@@@@SAHPAXPBX1@Z	proc near
					; DATA XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+377o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		mov	eax, [edx+4]
		mov	ecx, [esi+4]
		cmp	eax, ecx
		jnz	short loc_4F49F5
		mov	eax, [ebp+arg_0]
		push	ebx
		push	edi
		mov	edi, [edx]
		mov	eax, [eax+4]
		mov	edx, [esi]
		mov	ebx, [eax+1C4h]
		mov	ecx, ebx
		and	ecx, edi
		and	ebx, edx
		mov	[ebp+arg_4], ecx
		mov	ecx, [eax+1C8h]
		shr	edi, cl
		shr	edx, cl
		cmp	edi, edx
		jnz	short loc_4F49FF

loc_4F49E7:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmCombineTargetCompare(void	*,void const *,void const *)+62j
		cmp	[ebp+arg_4], ebx
		sbb	eax, eax
		and	eax, 0FFFFFFFEh
		inc	eax

loc_4F49F0:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmCombineTargetCompare(void	*,void const *,void const *)+67j
					; ST_STORE<SM_TRAITS>::StDmCombineTargetCompare(void *,void const *,void const *)+6Cj
		pop	edi
		pop	ebx

loc_4F49F2:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmCombineTargetCompare(void	*,void const *,void const *)+55j
		pop	esi
		pop	ebp
		retn
; 

loc_4F49F5:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmCombineTargetCompare(void	*,void const *,void const *)+14j
		cmp	ecx, eax
		sbb	eax, eax
		and	eax, 0FFFFFFFEh
		inc	eax
		jmp	short loc_4F49F2
; 

loc_4F49FF:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmCombineTargetCompare(void	*,void const *,void const *)+3Dj
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		cmp	edi, eax
		jz	short loc_4F4A11
		cmp	edx, eax
		jnz	short loc_4F49E7
		or	eax, 0FFFFFFFFh
		jmp	short loc_4F49F0
; 

loc_4F4A11:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmCombineTargetCompare(void	*,void const *,void const *)+5Ej
		xor	eax, eax
		inc	eax
		jmp	short loc_4F49F0
?StDmCombineTargetCompare@?$ST_STORE@USM_TRAITS@@@@SAHPAXPBX1@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeletePartialVad proc	near		; CODE XREF: MiFreeVadRange+C0p

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D1CB8 SIZE 000005F7 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 98h
		and	[ebp+var_70], 0
		xor	eax, eax
		and	[ebp+var_60], 0
		and	[ebp+var_68], 0
		and	[ebp+var_C], 0
		and	[ebp+var_18], 0
		and	[ebp+var_5C], 0
		and	[ebp+var_6C], 0
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_14], edx
		push	6
		pop	ecx
		lea	edi, [ebp+var_8C]
		mov	[ebp+var_58], esi
		rep stosd
		mov	eax, [ebx+8]
		sub	eax, edx
		mov	byte ptr [ebp+var_4+3],	0
		inc	eax
		shr	eax, 0Ch
		mov	[ebp+var_64], eax
		mov	eax, large fs:124h
		mov	[ebp+var_74], eax
		mov	eax, [eax+80h]
		mov	[ebp+var_8], eax
		add	eax, 240h
		mov	[ebp+var_30], eax
		mov	eax, [esi+1Ch]
		test	eax, 100000h
		jz	loc_5D1CC4
		push	28h
		and	al, 70h
		pop	ecx
		mov	[ebp+var_10], ecx
		cmp	al, 40h
		jz	loc_5D1CB8

loc_4F4AAE:				; CODE XREF: MiDeletePartialVad+DD2A9j
					; MiDeletePartialVad+DD2C0j ...
		cmp	dword ptr [ebx+0Ch], 3
		jz	loc_5D1D02

loc_4F4AB8:				; CODE XREF: MiDeletePartialVad+DD44Cj
					; MiDeletePartialVad+DD458j ...
		mov	eax, [ebx+8]
		mov	ecx, offset loc_7FFFF8
		mov	edi, [ebp+var_14]
		mov	edx, 40000000h
		and	[ebp+var_68], 0
		shr	eax, 9
		and	eax, ecx
		shr	edi, 9
		sub	eax, edx
		and	edi, ecx
		mov	ecx, [esi+1Ch]
		sub	edi, edx
		mov	[ebp+var_20], eax
		mov	eax, ecx
		and	al, 70h
		cmp	al, 10h
		jz	loc_5D1EB2
		and	cl, 70h
		cmp	cl, 40h
		jz	loc_5D1EB2

loc_4F4AF8:				; CODE XREF: MiDeletePartialVad+DD4B8j
		mov	eax, [ebp+var_74]
		dec	word ptr [eax+13Eh]
		nop
		mov	eax, [ebp+var_8]
		xor	edx, edx
		add	eax, 138h
		mov	ecx, eax
		mov	[ebp+var_24], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi+20h]
		mov	edx, 0FFFFDh
		and	ecx, 7FFFFFFFh
		mov	[ebp+var_50], ecx
		cmp	ecx, edx
		jz	short loc_4F4B34
		test	ecx, ecx
		jnz	loc_4F4EB1

loc_4F4B34:				; CODE XREF: MiDeletePartialVad+114j
		mov	eax, ecx
		sub	eax, edx
		mov	edx, [ebp+var_30]
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, offset unk_6D3C40
		mov	[ebp+var_50], eax
		mov	edi, ecx
		xor	eax, eax
		mov	[ebp+var_54], ecx
		mov	[ebp+var_20], eax
		lea	eax, [edx+60h]
		mov	[ebp+var_28], eax
		mov	al, [eax]
		and	al, 7
		cmp	al, 2
		jz	short loc_4F4B67
		lea	edi, [edx+80h]

loc_4F4B67:				; CODE XREF: MiDeletePartialVad+149j
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	byte ptr [ebp+var_2C], al
		mov	byte ptr [ebp+var_4+2],	al

loc_4F4B73:				; CODE XREF: MiDeletePartialVad+DD511j
		and	dword ptr [edi+4], 0
		mov	edi, [ebp+var_20]

loc_4F4B7A:				; CODE XREF: MiDeletePartialVad+4F6j
		mov	eax, [ebx+0Ch]
		cmp	eax, 1
		jnz	loc_4F4F11
		cmp	[ebp+var_10], 28h
		jnz	loc_5D1F2C

loc_4F4B90:				; CODE XREF: MiDeletePartialVad+DD51Aj
					; MiDeletePartialVad+DD530j
		mov	edx, [ebp+var_50]
		mov	ecx, [esi+20h]
		sub	edx, edi
		mov	eax, ecx
		mov	edi, 0FFFFDh
		and	eax, 7FFFFFFFh
		cmp	eax, edi
		jz	loc_5D1F4B
		mov	eax, ecx
		xor	eax, edx
		and	eax, 7FFFFFFFh
		xor	ecx, eax

loc_4F4BB7:				; CODE XREF: MiDeletePartialVad+DD53Dj
		mov	edx, [ebx+8]
		mov	[esi+20h], ecx
		mov	ecx, esi
		lea	edx, [edx+1]
		shr	edx, 0Ch
		sub	edx, [esi+0Ch]
		call	MiAdvanceVadView
		cmp	[ebp+var_10], 28h
		jnz	loc_5D1F58

loc_4F4BD7:				; CODE XREF: MiDeletePartialVad+DD546j
					; MiDeletePartialVad+DD55Cj
		xor	eax, eax
		mov	edi, esi
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_34], eax

loc_4F4BE4:				; CODE XREF: MiDeletePartialVad+55Ej
		mov	dl, byte ptr [ebp+var_4+2]
		mov	ecx, [ebp+var_30]
		call	MiUnlockWorkingSetExclusive
		mov	edx, [ebx+8]
		lea	eax, [ebp+var_8C]
		mov	ecx, [ebp+var_14]
		push	eax
		push	[ebp+var_6C]
		call	_MiDeleteVirtualAddresses@16 ; MiDeleteVirtualAddresses(x,x,x,x)
		mov	ecx, [ebp+var_28]
		mov	al, [ecx]
		and	al, 7
		cmp	al, 2
		jz	loc_5D215B
		mov	eax, [ebp+var_8]
		add	eax, 2C0h
		mov	[ebp+var_54], eax

loc_4F4C1E:				; CODE XREF: MiDeletePartialVad+DD74Aj
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	eax, [ebp+var_54]
		and	dword ptr [eax+4], 0
		cmp	[ebp+var_34], 0
		jnz	loc_5D2165

loc_4F4C35:				; CODE XREF: MiDeletePartialVad+DD757j
		mov	edx, [ebx+8]
		lea	eax, [ebp+var_70]
		mov	ecx, [ebp+var_14]
		push	eax
		push	[ebp+var_2C]
		call	MiCaptureDeleteHierarchy
		mov	dl, byte ptr [ebp+var_4+2]
		mov	ecx, [ebp+var_30]
		call	MiUnlockWorkingSetExclusive
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jnz	short loc_4F4C7C
		mov	ecx, [esi]
		mov	edx, esi
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jz	loc_4F4E62
		cmp	dword ptr [ecx+4], 0
		jz	short loc_4F4C7C

loc_4F4C6E:				; CODE XREF: MiDeletePartialVad+261j
		mov	eax, [ecx+4]
		mov	ecx, eax
		cmp	dword ptr [eax+4], 0
		jnz	short loc_4F4C6E

loc_4F4C79:				; CODE XREF: MiDeletePartialVad+45Ej
					; MiDeletePartialVad+46Ej
		mov	[ebp+var_1C], ecx

loc_4F4C7C:				; CODE XREF: MiDeletePartialVad+241j
					; MiDeletePartialVad+256j ...
		test	edi, edi
		jz	loc_4F4F9C

loc_4F4C84:				; CODE XREF: MiDeletePartialVad+595j
					; MiDeletePartialVad+59Dj ...
		cmp	dword ptr [ebx+10h], 0
		jnz	short loc_4F4C97
		mov	edx, [ebx+8]
		push	edi
		push	ecx
		mov	ecx, [ebp+var_14]
		call	MiClearVadBits

loc_4F4C97:				; CODE XREF: MiDeletePartialVad+272j
		mov	edx, [ebx+8]
		lea	eax, [ebp+var_70]
		mov	ecx, [ebp+var_14]
		push	eax
		mov	eax, [ebp+var_1C]
		push	esi
		push	edi
		push	eax
		push	[ebp+var_8]
		call	_MiReturnPageTablePageCommitment@28 ; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_24]
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_6C], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4F4FC0

loc_4F4CC8:				; CODE XREF: MiDeletePartialVad+5B5j
		xor	edi, edi
		mov	[ebp+var_54], edi
		test	ecx, 7FFFFFFCh
		jz	loc_5D21A8
		mov	esi, large fs:124h
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_34], esi
		mov	[ebp+var_50], eax
		cmp	[ebp+var_24], eax
		jb	short loc_4F4D17
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4F4E89
		mov	eax, [ebp+var_50]
		cmp	[ebp+var_24], eax
		jb	short loc_4F4D17
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_4F4E89

loc_4F4D17:				; CODE XREF: MiDeletePartialVad+2DBj
					; MiDeletePartialVad+2F2j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, [ebp+var_24]
		mov	byte ptr [ebp+var_4+2],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_50], ecx
		test	ecx, ecx
		jz	loc_4F4E9E
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4F4FDD

loc_4F4D59:				; CODE XREF: MiDeletePartialVad+5CFj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_54], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+2],	1
		jnz	loc_5D2185
		or	[esi+1E4h], dl

loc_4F4D9F:				; CODE XREF: MiDeletePartialVad+490j
					; MiDeletePartialVad+DD77Bj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_70], eax
		jnz	loc_4F4FF4

loc_4F4DB6:				; CODE XREF: MiDeletePartialVad+613j
					; MiDeletePartialVad+DD78Dj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_4F4DDB
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_4F4FEA

loc_4F4DDB:				; CODE XREF: MiDeletePartialVad+3B7j
					; MiDeletePartialVad+5D9j
		mov	edi, [ebp+var_C]
		mov	esi, [ebp+var_58]

loc_4F4DE1:				; CODE XREF: MiDeletePartialVad+DD795j
		mov	ecx, [ebp+var_74]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebx+10h]
		test	eax, eax
		jnz	loc_5D21B0

loc_4F4DF4:				; CODE XREF: MiDeletePartialVad+DD7BBj
		mov	ecx, [ebp+var_60]
		test	ecx, ecx
		jnz	loc_5D21D6

loc_4F4DFF:				; CODE XREF: MiDeletePartialVad+DD7C7j
					; MiDeletePartialVad+DD7E3j
		mov	ecx, [ebp+var_20]
		sub	ecx, [ebp+var_84]
		mov	eax, ecx
		sub	eax, [ebp+var_88]
		mov	[ebp+var_74], eax
		test	ecx, ecx
		jnz	loc_4F4F79

loc_4F4E1B:				; CODE XREF: MiDeletePartialVad+570j
		test	eax, eax
		jnz	loc_4F4F8B

loc_4F4E23:				; CODE XREF: MiDeletePartialVad+581j
		cmp	[ebp+var_10], 28h
		jnz	loc_5D21FE

loc_4F4E2D:				; CODE XREF: MiDeletePartialVad+DD7F1j
					; MiDeletePartialVad+DD80Ej
		cmp	[ebp+var_68], 0
		jnz	loc_5D2229

loc_4F4E37:				; CODE XREF: MiDeletePartialVad+DD831j
					; MiDeletePartialVad+DD847j ...
		mov	edx, [ebp+var_14]
		xor	eax, eax
		cmp	[ebx+10h], eax
		mov	ecx, esi
		setnz	al
		push	eax
		push	dword ptr [ebx+8]
		call	MiFinishVadDeletion
		test	edi, edi
		jnz	loc_5D2271

loc_4F4E55:				; CODE XREF: MiDeletePartialVad+DD85Ej
					; MiDeletePartialVad+DD894j
		xor	eax, eax

loc_4F4E57:				; CODE XREF: MiDeletePartialVad+DD2D1j
					; MiDeletePartialVad+DD425j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
; 

loc_4F4E62:				; CODE XREF: MiDeletePartialVad+24Cj
		mov	ecx, [esi+8]
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_1C], ecx
		jz	loc_4F4C7C

loc_4F4E71:				; CODE XREF: MiDeletePartialVad+46Cj
		cmp	[ecx+4], edx
		jz	loc_4F4C79
		mov	edx, ecx
		mov	ecx, [ecx+8]
		and	ecx, 0FFFFFFFCh
		jnz	short loc_4F4E71
		jmp	loc_4F4C79
; 

loc_4F4E89:				; CODE XREF: MiDeletePartialVad+2E6j
					; MiDeletePartialVad+2FBj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_6C], eax
		jmp	loc_4F4D17
; 

loc_4F4E9E:				; CODE XREF: MiDeletePartialVad+32Bj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4F4D9F
		jmp	loc_5D2172
; 

loc_4F4EB1:				; CODE XREF: MiDeletePartialVad+118j
		mov	eax, [ebp+var_30]
		add	eax, 60h
		cmp	[ebp+var_10], 28h
		mov	[ebp+var_28], eax
		jnz	loc_5D1EDA
		mov	al, [eax]
		mov	ecx, offset unk_6D3C40
		and	al, 7
		mov	[ebp+var_54], ecx
		cmp	al, 2
		jz	loc_5D1ED3
		mov	edi, [ebp+var_8]
		add	edi, 2C0h

loc_4F4EE1:				; CODE XREF: MiDeletePartialVad+DD4BFj
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	edx, [ebx+8]
		mov	ecx, [ebp+var_14]
		and	dword ptr [edi+4], 0
		push	0
		push	4
		mov	byte ptr [ebp+var_34], al
		push	[ebp+var_34]
		mov	byte ptr [ebp+var_4+2],	al
		push	esi
		mov	byte ptr [ebp+var_2C], al
		call	_MiComputePageCommitment@24 ; MiComputePageCommitment(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_20], edi
		jmp	loc_4F4B7A
; 

loc_4F4F11:				; CODE XREF: MiDeletePartialVad+16Aj
		mov	edx, [ebp+var_50]
		sub	edx, edi
		mov	[ebp+var_50], edx
		cmp	eax, 2
		jnz	loc_5D1FDC
		mov	ecx, [esi+20h]
		mov	edi, 0FFFFDh
		mov	eax, ecx
		and	eax, 7FFFFFFFh
		cmp	eax, edi
		jz	loc_5D1F77
		mov	eax, ecx
		xor	eax, edx
		and	eax, 7FFFFFFFh
		xor	ecx, eax

loc_4F4F44:				; CODE XREF: MiDeletePartialVad+DD569j
		mov	edi, [ebp+var_10]
		mov	al, byte ptr [ebp+var_4+3]
		mov	[esi+20h], ecx
		cmp	edi, 28h
		jnz	loc_5D1F84

loc_4F4F56:				; CODE XREF: MiDeletePartialVad+DD570j
					; MiDeletePartialVad+DD592j
		mov	edx, [ebp+var_14]
		dec	edx
		shr	edx, 0Ch
		mov	[esi+10h], edx
		cmp	edi, 28h
		jnz	loc_5D1FAD

loc_4F4F69:				; CODE XREF: MiDeletePartialVad+DD599j
		mov	eax, [ebp+var_C]
		mov	[ebp+var_34], eax

loc_4F4F6F:				; CODE XREF: MiDeletePartialVad+DD5C1j
		xor	edi, edi

loc_4F4F71:				; CODE XREF: MiDeletePartialVad+DD740j
		mov	[ebp+var_1C], esi
		jmp	loc_4F4BE4
; 

loc_4F4F79:				; CODE XREF: MiDeletePartialVad+3FFj
		mov	edx, ecx
		mov	ecx, [ebp+var_8]
		call	_MiReturnFullProcessCharges@8 ;	MiReturnFullProcessCharges(x,x)
		mov	eax, [ebp+var_74]
		jmp	loc_4F4E1B
; 

loc_4F4F8B:				; CODE XREF: MiDeletePartialVad+407j
		mov	edx, eax
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		jmp	loc_4F4E23
; 

loc_4F4F9C:				; CODE XREF: MiDeletePartialVad+268j
		mov	edi, [esi+4]
		mov	edx, esi
		test	edi, edi
		jnz	short loc_4F4FD2
		mov	edi, [esi+8]

loc_4F4FA8:				; CODE XREF: MiDeletePartialVad+5A8j
		and	edi, 0FFFFFFFCh
		jz	loc_4F4C84
		cmp	[edi], edx
		jz	loc_4F4C84
		mov	edx, edi
		mov	edi, [edi+8]
		jmp	short loc_4F4FA8
; 

loc_4F4FC0:				; CODE XREF: MiDeletePartialVad+2ACj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_24]
		or	edx, 0FFFFFFFFh
		jmp	loc_4F4CC8
; 

loc_4F4FD0:				; CODE XREF: MiDeletePartialVad+5C0j
		mov	edi, eax

loc_4F4FD2:				; CODE XREF: MiDeletePartialVad+58Dj
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_4F4FD0
		jmp	loc_4F4C84
; 

loc_4F4FDD:				; CODE XREF: MiDeletePartialVad+33Dj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_50]
		jmp	loc_4F4D59
; 

loc_4F4FEA:				; CODE XREF: MiDeletePartialVad+3BFj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4F4DDB
; 

loc_4F4FF4:				; CODE XREF: MiDeletePartialVad+39Aj
		test	edi, 8000h
		jz	short loc_4F5005
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4F5005:				; CODE XREF: MiDeletePartialVad+5E4j
		test	byte ptr [ebp+var_54+2], 1
		jnz	short loc_4F5034

loc_4F500B:				; CODE XREF: MiDeletePartialVad+62Ej
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4F501F
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4F501F:				; CODE XREF: MiDeletePartialVad+5FCj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4F4DB6
		jmp	loc_5D2196
; 

loc_4F5034:				; CODE XREF: MiDeletePartialVad+5F3j
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	short loc_4F500B
MiDeletePartialVad endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiClearVadBits	proc near		; CODE XREF: MiDeletePartialVad+27Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D22AF SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		shr	edi, 10h
		mov	ebx, 0FFFF0000h
		shr	esi, 10h
		test	eax, eax
		jz	short loc_4F5073
		mov	eax, [eax+10h]
		shl	eax, 0Ch
		xor	eax, ecx
		test	eax, ebx
		jz	short loc_4F50DE

loc_4F5073:				; CODE XREF: MiClearVadBits+1Fj
					; MiClearVadBits+99j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_4F508A
		mov	eax, [ecx+0Ch]
		shl	eax, 0Ch
		xor	eax, edx
		test	eax, ebx
		jz	loc_5D22AF

loc_4F508A:				; CODE XREF: MiClearVadBits+32j
					; MiClearVadBits+DD276j
		mov	eax, large fs:124h
		xor	edx, edx
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], edx
		mov	eax, [eax+80h]
		mov	ebx, [eax+24Ch]
		add	ebx, 18h
		lea	eax, [ebx+48h]
		mov	[ebp+var_C], eax
		cmp	[eax], edx
		jbe	short loc_4F50D7

loc_4F50B1:				; CODE XREF: MiClearVadBits+8Fj
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, ebx
		push	esi
		call	MiClearVadCellBits
		mov	ecx, [ebp+var_C]
		add	ebx, 24h
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, [ecx]
		mov	ecx, [ebp+arg_4]
		jb	short loc_4F50B1

loc_4F50D7:				; CODE XREF: MiClearVadBits+69j
					; MiClearVadBits+DD26Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4F50DE:				; CODE XREF: MiClearVadBits+2Bj
		inc	edi
		jmp	short loc_4F5073
MiClearVadBits	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiClearVadCellBits proc	near		; CODE XREF: MiClearVadBits+78p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D22C1 SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	edx, [edi+4]
		sub	edx, dword_6D2E88
		test	esi, esi
		jz	loc_5D22C1

loc_4F5101:				; CODE XREF: MiClearVadCellBits+DD1E1j
					; MiClearVadCellBits+DD1EAj
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_8], esi
		cmp	esi, ecx
		ja	loc_4F520D
		shl	edx, 3
		mov	[ebp+var_10], edx
		cmp	ecx, edx
		jb	loc_4F520D
		push	ebx
		mov	ebx, [edi]
		add	ebx, edx
		cmp	esi, ebx
		jnb	loc_4F520C
		cmp	esi, edx
		jb	loc_5D22D1

loc_4F5132:				; CODE XREF: MiClearVadCellBits+DD1F1j
		cmp	[ebp+var_8], edx
		sbb	eax, eax
		neg	eax
		mov	[ebp+var_8], eax
		cmp	ecx, ebx
		jnb	loc_5D22D8

loc_4F5144:				; CODE XREF: MiClearVadCellBits+DD200j
		mov	eax, ecx
		xor	ebx, ebx
		sub	eax, esi
		sub	ecx, edx
		inc	eax
		mov	[ebp+arg_0], ecx
		mov	ecx, [ebp+arg_C]
		sub	esi, edx
		mov	[ebp+var_C], eax
		mov	eax, [edi+20h]
		sub	eax, edx
		cmp	[ecx], ebx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_4], eax
		jnz	short loc_4F5185
		push	[ebp+var_C]
		push	esi
		push	edi
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	ecx, [ebp+arg_0]
		cmp	[ebp+var_8], ebx
		jnz	short loc_4F5182
		mov	eax, [ebp+arg_C]
		mov	dword ptr [eax], 1

loc_4F5182:				; CODE XREF: MiClearVadCellBits+95j
		mov	eax, [ebp+var_4]

loc_4F5185:				; CODE XREF: MiClearVadCellBits+83j
		mov	edx, [edi+8]
		cmp	edx, eax
		mov	[ebp+var_C], edx
		mov	edx, [ebp+var_10]
		mov	[ebp+arg_C], 1
		jb	loc_5D22E7
		cmp	[edi+10h], eax
		jb	loc_5D22E7

loc_4F51A6:				; CODE XREF: MiClearVadCellBits+DD208j
		cmp	[ebp+var_C], esi
		ja	short loc_4F5213

loc_4F51AB:				; CODE XREF: MiClearVadCellBits+13Cj
					; MiClearVadCellBits+DD218j ...
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_4F5225
		mov	ecx, [ecx+10h]
		shl	ecx, 0Ch
		or	ecx, 0FFFh
		add	ecx, 0FFFFh
		shr	ecx, 10h
		mov	eax, ecx
		sub	eax, edx
		cmp	edx, ecx
		sbb	ebx, ebx
		and	ebx, eax
		jz	short loc_4F5225

loc_4F51D3:				; CODE XREF: MiClearVadCellBits+145j
					; MiClearVadCellBits+14Aj
		cmp	[ebp+arg_C], 0
		jz	short loc_4F51E0
		mov	eax, [ebp+var_4]
		cmp	ebx, eax
		jb	short loc_4F522E

loc_4F51E0:				; CODE XREF: MiClearVadCellBits+F5j
					; MiClearVadCellBits+14Ej
		cmp	ebx, [ebp+arg_0]
		ja	short loc_4F520C
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_4F5236
		mov	eax, [eax+0Ch]
		mov	esi, [edi]
		shr	eax, 4
		movzx	ecx, ax
		lea	eax, [esi+edx]
		cmp	ecx, eax
		ja	short loc_4F5232
		sub	ecx, edx

loc_4F5200:				; CODE XREF: MiClearVadCellBits+152j
					; MiClearVadCellBits+156j
		cmp	ebx, [edi+10h]
		jnb	short loc_4F520C
		sub	ecx, ebx
		cmp	ecx, [edi+0Ch]
		jnb	short loc_4F5220

loc_4F520C:				; CODE XREF: MiClearVadCellBits+42j
					; MiClearVadCellBits+101j ...
		pop	ebx

loc_4F520D:				; CODE XREF: MiClearVadCellBits+27j
					; MiClearVadCellBits+35j
		pop	edi
		pop	esi
		leave
		retn	10h
; 

loc_4F5213:				; CODE XREF: MiClearVadCellBits+C7j
		cmp	esi, eax
		jb	loc_5D22EF

loc_4F521B:				; CODE XREF: MiClearVadCellBits+DD210j
		mov	[edi+8], esi
		jmp	short loc_4F51AB
; 

loc_4F5220:				; CODE XREF: MiClearVadCellBits+128j
		mov	[edi+10h], ebx
		jmp	short loc_4F520C
; 

loc_4F5225:				; CODE XREF: MiClearVadCellBits+CEj
					; MiClearVadCellBits+EFj
		test	edx, edx
		jnz	short loc_4F51D3
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_4F51D3
; 

loc_4F522E:				; CODE XREF: MiClearVadCellBits+FCj
		mov	ebx, eax
		jmp	short loc_4F51E0
; 

loc_4F5232:				; CODE XREF: MiClearVadCellBits+11Aj
		mov	ecx, esi
		jmp	short loc_4F5200
; 

loc_4F5236:				; CODE XREF: MiClearVadCellBits+108j
		mov	ecx, [edi]
		jmp	short loc_4F5200
MiClearVadCellBits endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCaptureDeleteHierarchy proc near	; CODE XREF: MiDeletePartialVad+22Cp
					; MiDeleteEmptyPageTableCommit(x)+18Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D2308 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		push	edi
		mov	[ebp+var_C], edx
		and	dword ptr [eax], 0
		xor	ebx, ebx

loc_4F524F:				; CODE XREF: MiCaptureDeleteHierarchy+55j
		shr	ecx, 12h
		and	ecx, 3FF8h
		sub	ecx, 3FA00000h
		xor	edi, edi
		mov	[ebp+var_4], ecx

loc_4F5263:				; CODE XREF: MiCaptureDeleteHierarchy+4Cj
		mov	eax, [ebp+edi*4+var_4]
		mov	[ebp+var_8], eax
		mov	edx, [eax]
		nop
		mov	eax, [eax+4]
		mov	ecx, edx
		or	ecx, eax
		jz	short loc_4F5297
		and	edx, 1
		or	edx, 0
		jz	loc_5D2308

loc_4F5282:				; CODE XREF: MiCaptureDeleteHierarchy+DD0D0j
					; MiCaptureDeleteHierarchy+DD0EAj
		inc	edi
		cmp	edi, 1
		jb	short loc_4F5263

loc_4F5288:				; CODE XREF: MiCaptureDeleteHierarchy+6Bj
		mov	ecx, [ebp+var_C]
		inc	ebx
		cmp	ebx, 2
		jb	short loc_4F524F
		pop	edi
		pop	ebx
		leave
		retn	8
; 

loc_4F5297:				; CODE XREF: MiCaptureDeleteHierarchy+3Aj
		neg	edi
		mov	al, 1
		mov	ecx, edi
		shl	al, cl
		mov	ecx, [ebp+arg_4]
		mov	[ebx+ecx], al
		jmp	short loc_4F5288
MiCaptureDeleteHierarchy endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteVirtualAddresses(x,	x, x, x)
_MiDeleteVirtualAddresses@16 proc near	; CODE XREF: MiDeletePartialVad+1E9p
					; MiDeleteFinalPageTables+17245Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [eax+80h]
		mov	eax, [ebp+arg_0]
		push	esi
		or	eax, 80h
		push	eax
		push	0
		push	edx
		push	ecx
		lea	ecx, [edi+240h]
		mov	dl, 21h
		call	_MiDeletePagablePteRange@28 ; MiDeletePagablePteRange(x,x,x,x,x,x,x)
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jnz	short loc_4F52E6

loc_4F52E0:				; CODE XREF: MiDeleteVirtualAddresses(x,x,x,x)+4Aj
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_4F52E6:				; CODE XREF: MiDeleteVirtualAddresses(x,x,x,x)+36j
		neg	ecx
		lea	eax, [edi+14Ch]
		lock xadd [eax], ecx
		jmp	short loc_4F52E0
_MiDeleteVirtualAddresses@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAdvanceVadView proc near		; CODE XREF: MiDeletePartialVad+1B2p
					; MiDeletePartialVad+DD3ADp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D2329 SIZE 000000A8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	edi, [esi+0Ch]
		add	edi, ebx
		test	dword ptr [esi+1Ch], 100000h
		jz	loc_5D2329

loc_4F5315:				; CODE XREF: MiAdvanceVadView+DD0D8j
		mov	[esi+0Ch], edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiAdvanceVadView endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReduceMdl(x)
_MiReduceMdl@4	proc near		; CODE XREF: MiPfPutPagesInTransition+3A8p
					; MiResolvePageFileFault:loc_54BA53p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ecx+18h]
		add	eax, [ecx+10h]
		mov	edx, [ecx+14h]
		and	eax, 0FFFh
		mov	[ebp+var_8], edx
		add	edx, 0FFFh
		add	edx, eax
		mov	[ebp+var_C], ecx
		push	ebx
		shr	edx, 0Ch
		lea	ebx, [ecx+1Ch]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], ebx
		lea	ecx, [edx-1]
		mov	[ebp+var_10], edi
		mov	eax, edi
		test	ecx, ecx
		mov	ecx, [ebp+var_C]
		mov	esi, ebx
		mov	[ebp+var_4], eax
		jz	short loc_4F537F
		mov	ebx, eax
		lea	ecx, [edx-1]

loc_4F5369:				; CODE XREF: MiReduceMdl(x)+B9j
		mov	eax, [esi]
		cmp	eax, dword_6D34EC
		jz	short loc_4F53D0

loc_4F5373:				; CODE XREF: MiReduceMdl(x)+BBj
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_4], ebx
		mov	eax, [ebp+var_4]
		lea	ebx, [ecx+1Ch]

loc_4F537F:				; CODE XREF: MiReduceMdl(x)+44j
		test	eax, eax
		jnz	short loc_4F53DB

loc_4F5383:				; CODE XREF: MiReduceMdl(x)+EBj
		lea	esi, [edx+6]
		lea	esi, [ecx+esi*4]
		mov	eax, [esi]
		cmp	eax, dword_6D34EC
		jz	short loc_4F540E

loc_4F5393:				; CODE XREF: MiReduceMdl(x)+152j
		mov	eax, 4000h
		or	[ecx+6], ax
		mov	si, [ecx+6]
		test	edx, edx
		jz	short loc_4F53BC

loc_4F53A4:				; CODE XREF: MiReduceMdl(x)+9Cj
		mov	eax, [ebx]
		cmp	eax, dword_6D34EC
		jz	short loc_4F53C4
		mov	eax, [ebp+var_10]
		add	ebx, 4
		inc	eax
		mov	[ebp+var_10], eax
		cmp	eax, edx
		jb	short loc_4F53A4

loc_4F53BC:				; CODE XREF: MiReduceMdl(x)+84j
					; MiReduceMdl(x)+B0j
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F53C4:				; CODE XREF: MiReduceMdl(x)+8Ej
		and	esi, 0FFFFBFFFh
		mov	[ecx+6], si
		jmp	short loc_4F53BC
; 

loc_4F53D0:				; CODE XREF: MiReduceMdl(x)+53j
		inc	ebx
		add	esi, 4
		inc	edi
		cmp	edi, ecx
		jb	short loc_4F5369
		jmp	short loc_4F5373
; 

loc_4F53DB:				; CODE XREF: MiReduceMdl(x)+63j
		imul	eax, -4
		add	[ecx+4], ax
		mov	eax, [ebp+var_4]
		shl	eax, 0Ch
		sub	[ebp+var_8], eax
		sub	ebx, esi
		mov	eax, [ebp+var_8]
		mov	[ecx+14h], eax
		mov	[ebp+var_8], ebx

loc_4F53F6:				; CODE XREF: MiReduceMdl(x)+E3j
		mov	eax, [esi]
		inc	edi
		mov	[ebx+esi], eax
		lea	esi, [esi+4]
		cmp	edi, edx
		jb	short loc_4F53F6
		sub	edx, [ebp+var_4]
		lea	ebx, [ecx+1Ch]
		jmp	loc_4F5383
; 

loc_4F540E:				; CODE XREF: MiReduceMdl(x)+73j
		add	word ptr [ecx+4], 0FFFCh
		mov	ax, [ecx+4]
		mov	edi, [ecx+14h]
		mov	[ebp+var_8], eax
		test	edi, 0FFFh
		jnz	short loc_4F547F
		add	edi, 0FFFFF000h

loc_4F542B:				; CODE XREF: MiReduceMdl(x)+167j
		sub	esi, 4
		mov	[ecx+14h], edi
		lea	eax, [ecx+1Ch]
		xor	ebx, ebx
		cmp	esi, eax
		jz	short loc_4F5466
		mov	ecx, [ebp+var_14]

loc_4F543D:				; CODE XREF: MiReduceMdl(x)+15Dj
		mov	eax, [esi]
		cmp	eax, dword_6D34EC
		jz	short loc_4F5475

loc_4F5447:				; CODE XREF: MiReduceMdl(x)+15Fj
		mov	ecx, [ebp+var_C]
		test	ebx, ebx
		jz	short loc_4F5466
		mov	esi, [ebp+var_8]
		mov	eax, ebx
		shl	eax, 2
		sub	esi, eax
		mov	eax, ebx
		shl	eax, 0Ch
		sub	edi, eax
		mov	[ecx+4], si
		mov	[ecx+14h], edi

loc_4F5466:				; CODE XREF: MiReduceMdl(x)+11Aj
					; MiReduceMdl(x)+12Ej
		or	eax, 0FFFFFFFFh
		sub	eax, ebx
		lea	ebx, [ecx+1Ch]
		add	edx, eax
		jmp	loc_4F5393
; 

loc_4F5475:				; CODE XREF: MiReduceMdl(x)+127j
		sub	esi, 4
		inc	ebx
		cmp	esi, ecx
		jnz	short loc_4F543D
		jmp	short loc_4F5447
; 

loc_4F547F:				; CODE XREF: MiReduceMdl(x)+105j
		and	edi, 0FFFFF000h
		jmp	short loc_4F542B
_MiReduceMdl@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiZeroAndFlushPtes proc	near		; CODE XREF: MmUnmapLockedPages+107p
					; .text:0047FE59p ...

var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= byte ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_118		= dword	ptr -118h
var_10C		= dword	ptr -10Ch
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D23D1 SIZE 000001A6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 174h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_120]
		mov	[ebp+var_130], edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_140]
		stosd
		add	esp, 0Ch
		mov	ecx, esi
		stosd
		stosd
		mov	eax, esi
		and	eax, 0FFFFF000h
		mov	edi, esi
		mov	[ebp+var_128], eax
		xor	eax, eax
		shr	edi, 9
		inc	eax
		and	edi, offset loc_7FFFF8
		mov	[ebp+var_124], eax
		sub	edi, 40000000h
		mov	ebx, eax
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		mov	[ebp+var_134], eax
		test	eax, eax
		jg	loc_5D23D1

loc_4F5507:				; CODE XREF: MiZeroAndFlushPtes+DCF68j
		xor	eax, eax
		mov	[ebp+var_118], 21h
		push	eax
		mov	esi, eax
		mov	[ebp+var_12C], eax
		mov	ebx, eax
		mov	[ebp+var_148], esi
		push	300h
		mov	[ebp+var_14C], ebx
		mov	[ebp+var_10C], eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebp+var_124]
		mov	[ebp+var_154], edx
		mov	edx, [ebp+var_130]
		mov	[ebp+var_150], eax

loc_4F5552:				; CODE XREF: MiZeroAndFlushPtes+DD0A2j
		mov	eax, edx
		xor	edx, edx
		div	ecx
		mov	[ebp+var_130], edx
		lea	eax, [edi+eax*8]
		mov	[ebp+var_15C], eax
		cmp	edi, eax
		jnb	loc_5D24FE
		mov	eax, ecx
		xor	edx, edx
		shl	eax, 0Ch
		inc	edx
		mov	[ebp+var_158], eax

loc_4F557D:				; CODE XREF: MiZeroAndFlushPtes+1BFj
		and	[ebp+var_168], 0
		and	[ebp+var_164], 0
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		mov	[ebp+var_170], ecx
		mov	[ebp+var_16C], eax
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		mov	[ebp+var_144], ecx
		mov	ecx, [ebp+var_134]
		cmp	ecx, edx
		jz	loc_5D23F5
		jge	loc_5D24A5
		mov	eax, ds:_ZeroPte
		mov	[edi], eax
		nop
		mov	eax, ds:dword_40F9FC

loc_4F55CF:				; CODE XREF: MiZeroAndFlushPtes+DD02Cj
		mov	[edi+4], eax
		jge	loc_5D2492
		push	ecx
		push	edx
		mov	edx, [ebp+var_128]
		lea	ecx, [ebp+var_120]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_4F55EB:				; CODE XREF: MiZeroAndFlushPtes+DD018j
		mov	eax, [ebp+var_144]
		cmp	eax, dword_6D07B0
		jbe	loc_4F56D2

loc_4F55FD:				; CODE XREF: MiZeroAndFlushPtes+26Fj
		mov	ecx, [ebp+var_12C]
		test	ecx, ecx
		jz	loc_4F56A9
		mov	edx, [ebp+ecx*8+var_8C]
		cmp	edx, eax
		jnz	loc_4F56A9
		mov	eax, [ebp+var_124]
		add	eax, edx
		mov	[ebp+ecx*8+var_8C], eax

loc_4F5629:				; CODE XREF: MiZeroAndFlushPtes+23Fj
					; MiZeroAndFlushPtes+DD071j
		xor	edx, edx
		inc	edx

loc_4F562C:				; CODE XREF: MiZeroAndFlushPtes+263j
		mov	eax, [ebp+var_128]
		add	edi, 8
		add	eax, [ebp+var_158]
		mov	[ebp+var_128], eax
		cmp	edi, [ebp+var_15C]
		jb	loc_4F557D
		mov	edx, [ebp+var_130]

loc_4F5653:				; CODE XREF: MiZeroAndFlushPtes+DD07Cj
		test	edx, edx
		jnz	loc_5D2509
		test	esi, esi
		jnz	loc_5D252F

loc_4F5663:				; CODE XREF: MiZeroAndFlushPtes+DD0EAj
		lea	ecx, [ebp+var_120]
		call	MiFlushTbList
		mov	esi, [ebp+var_12C]
		test	esi, esi
		jz	short loc_4F569A
		xor	ebx, ebx

loc_4F567A:				; CODE XREF: MiZeroAndFlushPtes+210j
		mov	edx, [ebp+ebx*8+var_88]
		mov	eax, [ebp+ebx*8+var_84]
		sub	eax, edx
		push	eax
		xor	eax, eax
		lea	ecx, [eax+1]
		call	MiDereferenceIoPages
		inc	ebx
		cmp	ebx, esi
		jb	short loc_4F567A

loc_4F569A:				; CODE XREF: MiZeroAndFlushPtes+1EEj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4F56A9:				; CODE XREF: MiZeroAndFlushPtes+17Dj
					; MiZeroAndFlushPtes+18Cj
		mov	[ebp+ecx*8+var_88], eax
		add	eax, [ebp+var_124]
		mov	[ebp+ecx*8+var_84], eax
		inc	ecx
		mov	[ebp+var_12C], ecx
		cmp	ecx, 10h
		jnz	loc_4F5629
		jmp	loc_5D24B9
; 

loc_4F56D2:				; CODE XREF: MiZeroAndFlushPtes+16Fj
		mov	edx, eax
		mov	ecx, eax
		mov	eax, dword_6D35B8
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		xor	edx, edx
		shr	eax, cl
		inc	edx
		and	eax, edx
		jnz	loc_4F562C
		mov	eax, [ebp+var_144]
		jmp	loc_4F55FD
MiZeroAndFlushPtes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiIoSpaceRunIsConstant proc near	; CODE XREF: .text:0047FD43p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D2577 SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		test	edi, edi
		jnz	short loc_4F5743
		mov	ebx, esi

loc_4F5714:				; CODE XREF: MiIoSpaceRunIsConstant+4Aj
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		mov	byte ptr [ebp+arg_0+3],	al
		call	MiIoSpaceIsConstant
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_4F5748

loc_4F5730:				; CODE XREF: MiIoSpaceRunIsConstant+4Ej
					; MiIoSpaceRunIsConstant+DCEB1j ...
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4F5743:				; CODE XREF: MiIoSpaceRunIsConstant+14j
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_4F5714
; 

loc_4F5748:				; CODE XREF: MiIoSpaceRunIsConstant+32j
		test	edi, edi
		jz	short loc_4F5730
		jmp	loc_5D25B5
MiIoSpaceRunIsConstant endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDereferenceIoPages proc near		; CODE XREF: .text:00472261p
					; .text:0047A6ACp ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D25BF SIZE 00000074 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		mov	eax, ecx
		mov	ebx, edx
		mov	ecx, [ebp+arg_0]
		and	ebx, 1FFFFFFh
		push	esi
		push	edi
		lea	esi, dword_6D3444[eax*4]
		mov	[ebp+var_28], ebx
		xor	edi, edi
		mov	[ebp+var_8], ebx
		dec	eax
		mov	[ebp+var_14], ecx
		neg	eax
		mov	[ebp+var_18], edi
		push	offset unk_6D3440
		sbb	eax, eax
		mov	[ebp+var_34], esi
		not	eax
		and	eax, offset dword_6D344C
		mov	[ebp+var_38], eax
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al

loc_4F579E:				; CODE XREF: MiDereferenceIoPages+57j
		mov	esi, [esi]

loc_4F57A0:				; CODE XREF: MiDereferenceIoPages+A0j
		test	esi, esi
		jz	short loc_4F57B4
		mov	eax, [esi+14h]
		cmp	ebx, eax
		jb	short loc_4F579E
		add	eax, 200h
		cmp	ebx, eax
		jnb	short loc_4F57EF

loc_4F57B4:				; CODE XREF: MiDereferenceIoPages+50j
		cmp	[ebp+arg_0], edi
		jz	loc_4F58B8

loc_4F57BD:				; CODE XREF: MiDereferenceIoPages+160j
		test	esi, esi
		jz	loc_5D2610
		mov	edx, [esi+4]
		mov	ecx, esi
		mov	[ebp+var_10], edx
		test	edx, edx
		jnz	short loc_4F57F4
		mov	edx, [esi+8]
		and	edx, 0FFFFFFFCh
		mov	[ebp+var_10], edx
		jz	short loc_4F5805

loc_4F57DC:				; CODE XREF: MiDereferenceIoPages+96j
		cmp	[edx], ecx
		jz	short loc_4F57EA
		mov	ecx, edx
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		jnz	short loc_4F57DC

loc_4F57EA:				; CODE XREF: MiDereferenceIoPages+8Cj
		mov	[ebp+var_10], edx
		jmp	short loc_4F5805
; 

loc_4F57EF:				; CODE XREF: MiDereferenceIoPages+60j
		mov	esi, [esi+4]
		jmp	short loc_4F57A0
; 

loc_4F57F4:				; CODE XREF: MiDereferenceIoPages+7Dj
		mov	ecx, [edx]
		test	ecx, ecx
		jz	short loc_4F5805

loc_4F57FA:				; CODE XREF: MiDereferenceIoPages+B1j
		mov	eax, [ecx]
		mov	[ebp+var_10], ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_4F57FA

loc_4F5805:				; CODE XREF: MiDereferenceIoPages+88j
					; MiDereferenceIoPages+9Bj ...
		mov	ecx, [ebp+var_8]
		mov	ebx, esi
		mov	eax, [esi+14h]
		and	ecx, 1FFFFFFh
		mov	edx, [esi+18h]
		sub	ecx, eax
		mov	[ebp+var_2C], ecx
		add	eax, 200h
		mov	[ebp+var_30], edx
		lea	ecx, [edx+ecx*2]
		mov	edx, [ebp+var_10]
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+var_8]
		add	ecx, [ebp+var_14]
		cmp	ecx, eax
		ja	loc_5D25BF
		mov	eax, [ebp+var_2C]
		add	eax, [ebp+var_14]
		add	eax, eax

loc_4F5842:				; CODE XREF: MiDereferenceIoPages+DCE72j
		mov	ecx, [ebp+var_30]
		add	ecx, eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_30], ecx
		cmp	eax, ecx
		jnb	loc_5D25FE
		mov	edi, [ebp+var_8]

loc_4F5858:				; CODE XREF: MiDereferenceIoPages+154j
		mov	ax, [eax]
		mov	word ptr [ebp+var_C], ax
		mov	ecx, [ebp+var_C]
		test	ecx, 3FFFh
		jz	loc_5D2625
		lea	eax, [ecx-1]
		xor	eax, ecx
		mov	ecx, [ebp+var_1C]
		and	eax, 3FFFh
		xor	word ptr [ebp+var_C], ax
		test	[ebp+var_C], 3FFFh
		mov	ax, word ptr [ebp+var_C]
		mov	[ecx], ax
		jz	short loc_4F58D6

loc_4F588F:				; CODE XREF: MiDereferenceIoPages+1A9j
					; MiDereferenceIoPages+223j
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_14]
		add	eax, 2
		inc	edi
		mov	[ebp+var_1C], eax
		dec	ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_14], ecx
		cmp	eax, [ebp+var_30]
		jb	short loc_4F5858
		mov	edi, [ebp+var_18]
		mov	edx, [ebp+var_10]

loc_4F58AE:				; CODE XREF: MiDereferenceIoPages+DCEAFj
		mov	esi, edx
		test	ecx, ecx
		jnz	loc_4F57BD

loc_4F58B8:				; CODE XREF: MiDereferenceIoPages+65j
		push	offset unk_6D3440
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4F58CB:				; CODE XREF: MiDereferenceIoPages+209j
		test	edi, edi
		jnz	short loc_4F5946
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4F58D6:				; CODE XREF: MiDereferenceIoPages+13Bj
		mov	edx, [ebx+1Ch]
		mov	eax, 200h
		cmp	eax, edx
		sbb	ecx, ecx
		xor	eax, eax
		neg	ecx
		test	edx, edx
		setz	al
		or	ecx, eax
		jnz	loc_5D2606
		lea	eax, [edx-1]
		mov	[ebx+1Ch], eax
		test	eax, eax
		jnz	short loc_4F588F
		push	ebx
		push	[ebp+var_34]
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	edi, [ebp+var_38]
		test	edi, edi
		jz	short loc_4F5919
		mov	ecx, ebx
		call	_MiAnyIoNodePagesCached@4 ; MiAnyIoNodePagesCached(x)
		cmp	eax, 1
		jz	short loc_4F597A

loc_4F5919:				; CODE XREF: MiDereferenceIoPages+1B9j
					; MiDereferenceIoPages+DCEA7j
		test	ebx, ebx
		jz	short loc_4F5972
		mov	eax, [ebp+var_18]
		mov	edx, [ebx+14h]
		mov	byte ptr [ebp+var_24], 0
		test	eax, eax
		jz	short loc_4F5964

loc_4F592B:				; CODE XREF: MiDereferenceIoPages+1E7j
		cmp	edx, [eax+14h]
		jb	short loc_4F593B
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_4F5960

loc_4F5937:				; CODE XREF: MiDereferenceIoPages+1EDj
		mov	eax, ecx
		jmp	short loc_4F592B
; 

loc_4F593B:				; CODE XREF: MiDereferenceIoPages+1DCj
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_4F5937
		mov	byte ptr [ebp+var_24], cl
		jmp	short loc_4F5964
; 

loc_4F5946:				; CODE XREF: MiDereferenceIoPages+17Bj
		push	edi
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [ebp+var_18]
		jmp	loc_4F58CB
; 

loc_4F5960:				; CODE XREF: MiDereferenceIoPages+1E3j
		mov	byte ptr [ebp+var_24], 1

loc_4F5964:				; CODE XREF: MiDereferenceIoPages+1D7j
					; MiDereferenceIoPages+1F2j
		push	esi
		push	[ebp+var_24]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)

loc_4F5972:				; CODE XREF: MiDereferenceIoPages+1C9j
		mov	edi, [ebp+var_8]
		jmp	loc_4F588F
; 

loc_4F597A:				; CODE XREF: MiDereferenceIoPages+1C5j
		and	[ebp+var_3C], 0
		lea	eax, [ebp+var_3C]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, ds:_KiCacheFlushTimeStamp
		mov	edx, offset dword_6D3450
		mov	[ebx+1Ch], eax
		cmp	dword_6D3450, edx
		jnz	short loc_4F59A0
		mov	dword_6D3458, eax

loc_4F59A0:				; CODE XREF: MiDereferenceIoPages+247j
		mov	ecx, dword_6D3454
		lea	eax, [ebx+0Ch]
		cmp	[ecx], edx
		jz	loc_5D25C9
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4F59B6:				; CODE XREF: MiDereferenceIoPages+272j
					; MiDereferenceIoPages+DCE8Ej
		cmp	edx, [eax+14h]
		jb	short loc_4F59C6
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_4F59D4

loc_4F59C2:				; CODE XREF: MiDereferenceIoPages+278j
		mov	eax, ecx
		jmp	short loc_4F59B6
; 

loc_4F59C6:				; CODE XREF: MiDereferenceIoPages+267j
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_4F59C2
		mov	byte ptr [ebp+var_20], cl
		jmp	loc_5D25E6
; 

loc_4F59D4:				; CODE XREF: MiDereferenceIoPages+26Ej
		mov	byte ptr [ebp+var_20], 1
		jmp	loc_5D25E6
MiDereferenceIoPages endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReferenceIoPages proc	near		; CODE XREF: MiProbeLockFrame(x)+4D1p
					; .text:0047FD91p ...

var_AA		= byte ptr -0AAh
var_A9		= byte ptr -0A9h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_4C		= dword	ptr -4Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D2633 SIZE 000000B5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0ACh+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	esi, edx
		push	5Ch
		pop	eax
		push	eax		; size_t
		lea	eax, [esp+0BCh+var_68]
		mov	[esp+0BCh+var_9C], ecx
		push	0		; int
		push	eax		; void *
		mov	[esp+0C4h+var_7C], edi
		mov	[esp+0C4h+var_70], ebx
		call	_memset
		add	esp, 0Ch
		xor	ecx, ecx
		test	edi, edi
		jnz	loc_4F5CA8

loc_4F5A2E:				; CODE XREF: MiReferenceIoPages+2CCj
		test	ebx, ebx
		jz	short loc_4F5A34
		mov	[ebx], ecx

loc_4F5A34:				; CODE XREF: MiReferenceIoPages+52j
		or	eax, 0FFFFFFFFh
		mov	[esp+0B8h+var_74], ecx
		mov	[esp+0B8h+var_78], eax
		mov	edi, ecx
		mov	eax, [esp+0B8h+var_9C]
		and	esi, 1FFFFFFh
		mov	[esp+0B8h+var_90], ecx
		mov	ebx, esi
		mov	[esp+0B8h+var_8C], ecx
		push	2
		lea	ecx, dword_6D3444[eax*4]
		mov	[esp+0BCh+var_88], ebx
		dec	eax
		mov	[esp+0BCh+var_84], ecx
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, offset dword_6D344C
		mov	[esp+0BCh+var_80], eax
		pop	eax
		mov	cl, al
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		cmp	[esp+0B8h+var_9C], 1
		mov	[esp+0B8h+var_A9], al
		jnz	short loc_4F5A9C
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	MiIoSpaceIsConstant
		test	eax, eax
		jnz	loc_5D2633

loc_4F5A9C:				; CODE XREF: MiReferenceIoPages+AAj
		mov	eax, [ebp+arg_4]

loc_4F5A9F:				; CODE XREF: MiReferenceIoPages+DCC58j
		push	offset unk_6D3440
		mov	[esp+0BCh+var_A0], eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		cmp	[ebp+arg_0], 0
		jz	loc_4F5C6C

loc_4F5AB7:				; CODE XREF: MiReferenceIoPages+27Cj
		mov	eax, [esp+0B8h+var_84]
		mov	byte ptr [esp+0B8h+var_94], 0
		mov	ebx, [eax]
		test	ebx, ebx
		jnz	loc_4F5D5E

loc_4F5ACA:				; CODE XREF: MiReferenceIoPages+3A9j
					; MiReferenceIoPages+3B3j
		mov	eax, [esp+0B8h+var_80]
		test	eax, eax
		jz	short loc_4F5AE3
		mov	edx, esi
		mov	ecx, eax
		call	MiRemoveUnmappedIoNode
		mov	[esp+0B8h+var_A8], eax
		test	eax, eax
		jnz	short loc_4F5B1D

loc_4F5AE3:				; CODE XREF: MiReferenceIoPages+F2j
		push	0
		push	40h
		mov	edx, 6F49694Dh
		mov	ecx, 420h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		mov	[esp+0B8h+var_A8], ecx
		test	ecx, ecx
		jz	loc_5D26A7
		mov	eax, esi
		and	eax, 0FFFFFE00h
		mov	[ecx+14h], eax
		lea	eax, [ecx+20h]
		mov	[ecx+18h], eax
		call	_MiInitializeIoPageNodeArray@4 ; MiInitializeIoPageNodeArray(x)
		mov	eax, [esp+0B8h+var_A8]

loc_4F5B1D:				; CODE XREF: MiReferenceIoPages+103j
		push	eax
		push	[esp+0BCh+var_94]
		push	ebx
		push	[esp+0C4h+var_84]
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		mov	ebx, [esp+0B8h+var_A8]

loc_4F5B30:				; CODE XREF: MiReferenceIoPages+38Ej
		mov	eax, [esp+0B8h+var_70]
		test	eax, eax
		jz	short loc_4F5B3F
		cmp	dword ptr [eax], 0
		jnz	short loc_4F5B3F
		mov	[eax], ebx

loc_4F5B3F:				; CODE XREF: MiReferenceIoPages+158j
					; MiReferenceIoPages+15Dj
		mov	eax, [ebx+14h]
		mov	ecx, esi
		mov	edx, [ebx+18h]
		sub	ecx, eax
		mov	[esp+0B8h+var_98], edx
		lea	edx, [edx+ecx*2]
		mov	[esp+0B8h+var_A8], edx
		lea	edx, [eax+200h]
		mov	eax, [ebp+arg_0]
		test	edx, edx
		jz	short loc_4F5B6E
		add	eax, esi
		cmp	eax, edx
		ja	loc_4F5CD6
		mov	eax, [ebp+arg_0]

loc_4F5B6E:				; CODE XREF: MiReferenceIoPages+181j
		add	eax, ecx
		add	eax, eax

loc_4F5B72:				; CODE XREF: MiReferenceIoPages+2FDj
		add	eax, [esp+0B8h+var_98]
		mov	ecx, [esp+0B8h+var_A8]
		mov	[esp+0B8h+var_6C], eax
		cmp	ecx, eax
		jnb	loc_4F5C4B

loc_4F5B86:				; CODE XREF: MiReferenceIoPages+267j
		mov	ax, [ecx]
		mov	word ptr [esp+0B8h+var_A4], ax
		mov	dx, word ptr [esp+0B8h+var_A4]
		movzx	ecx, dx
		mov	eax, ecx
		and	eax, 3FFFh
		cmp	eax, 3FFFh
		jz	loc_5D268E
		mov	eax, [esp+0B8h+var_A4]
		shr	ecx, 0Eh
		mov	[esp+0B8h+var_98], eax
		test	eax, 3FFFh
		jnz	loc_4F5CAF
		inc	dword ptr [ebx+1Ch]
		cmp	ecx, [esp+0B8h+var_A0]
		jz	loc_4F5CCB
		cmp	[esp+0B8h+var_80], 0
		jz	short loc_4F5BE5
		and	eax, 0C000h
		mov	ecx, 4000h
		cmp	ax, cx
		jz	loc_4F5CE0

loc_4F5BE5:				; CODE XREF: MiReferenceIoPages+1F2j
					; MiReferenceIoPages+307j ...
		mov	edx, [esp+0B8h+var_A0]
		shl	edx, 0Eh
		mov	word ptr [esp+0B8h+var_A4], dx
		mov	eax, [esp+0B8h+var_A4]
		mov	[esp+0B8h+var_98], eax

loc_4F5BF9:				; CODE XREF: MiReferenceIoPages+2DDj
					; MiReferenceIoPages+2E8j ...
		mov	eax, [esp+0B8h+var_7C]
		test	eax, eax
		jz	short loc_4F5C12
		mov	eax, [eax]
		movzx	ecx, dx
		shr	ecx, 0Eh
		bts	eax, ecx
		mov	ecx, [esp+0B8h+var_7C]
		mov	[ecx], eax

loc_4F5C12:				; CODE XREF: MiReferenceIoPages+221j
		mov	ecx, [esp+0B8h+var_98]
		push	2
		lea	eax, [ecx+1]
		xor	eax, ecx
		mov	ecx, [esp+0BCh+var_A8]
		and	eax, 3FFFh
		xor	dx, ax
		mov	word ptr [esp+0BCh+var_A4], dx
		mov	ax, word ptr [esp+0BCh+var_A4]
		mov	[ecx], ax
		pop	eax
		add	ecx, eax
		inc	esi
		dec	[ebp+arg_0]
		mov	[esp+0B8h+var_A8], ecx
		cmp	ecx, [esp+0B8h+var_6C]
		jb	loc_4F5B86

loc_4F5C4B:				; CODE XREF: MiReferenceIoPages+1A2j
		cmp	[esp+0B8h+var_90], 0
		jnz	loc_5D2682

loc_4F5C56:				; CODE XREF: MiReferenceIoPages+DCCABj
		cmp	[ebp+arg_0], 0
		jnz	loc_4F5AB7
		mov	ebx, [esp+0B8h+var_88]

loc_4F5C64:				; CODE XREF: MiReferenceIoPages+DCCC4j
		test	edi, edi
		jnz	loc_4F5D1A

loc_4F5C6C:				; CODE XREF: MiReferenceIoPages+D3j
					; MiReferenceIoPages+37Bj
		push	offset unk_6D3440
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+0B8h+var_A9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+0B8h+var_78]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_5D26D5

loc_4F5C8D:				; CODE XREF: MiReferenceIoPages+DCD05j
		mov	eax, [esp+0B8h+var_74]

loc_4F5C91:				; CODE XREF: MiReferenceIoPages+DCCF2j
		mov	ecx, [esp+0B8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_4F5CA8:				; CODE XREF: MiReferenceIoPages+4Aj
		mov	[edi], ecx
		jmp	loc_4F5A2E
; 

loc_4F5CAF:				; CODE XREF: MiReferenceIoPages+1DAj
		cmp	ecx, [esp+0B8h+var_A0]
		jnz	short loc_4F5CC0
		inc	dword_6D3460
		jmp	loc_4F5BF9
; 

loc_4F5CC0:				; CODE XREF: MiReferenceIoPages+2D5j
		inc	dword_6D3464
		jmp	loc_4F5BF9
; 

loc_4F5CCB:				; CODE XREF: MiReferenceIoPages+1E7j
		inc	dword_6D346C
		jmp	loc_4F5BF9
; 

loc_4F5CD6:				; CODE XREF: MiReferenceIoPages+187j
		mov	eax, 400h
		jmp	loc_4F5B72
; 

loc_4F5CE0:				; CODE XREF: MiReferenceIoPages+201j
		cmp	[esp+0B8h+var_90], 0
		jnz	loc_4F5BE5
		inc	dword_6D3470
		test	edi, edi
		jnz	loc_5D263B
		lea	edi, [esp+0B8h+var_68]
		lea	ecx, [esp+0B8h+var_4C]

loc_4F5D01:				; CODE XREF: MiReferenceIoPages+DCC61j
		mov	[ecx], esi
		lea	eax, [edi+5Ch]
		add	ecx, 4
		mov	[esp+0B8h+var_8C], ecx
		cmp	ecx, eax
		jnz	loc_4F5BE5
		jmp	loc_5D2644
; 

loc_4F5D1A:				; CODE XREF: MiReferenceIoPages+288j
		mov	ecx, [esp+0B8h+var_8C]
		xor	edx, edx
		sub	ecx, edi
		mov	[edi], edx
		sub	ecx, 1Ch
		mov	[edi+10h], edx
		sar	ecx, 2
		shl	ecx, 0Ch
		mov	eax, ecx
		mov	[edi+18h], edx
		shr	eax, 0Ch
		inc	dword_6D3468
		push	2
		mov	[edi+14h], ecx
		lea	eax, ds:1Ch[eax*4]
		mov	[edi+4], ax
		pop	eax
		push	ecx
		mov	[edi+6], ax
		call	_MiFlushCacheMdl@12 ; MiFlushCacheMdl(x,x,x)
		jmp	loc_4F5C6C
; 

loc_4F5D5E:				; CODE XREF: MiReferenceIoPages+E6j
					; MiReferenceIoPages+39Dj
		mov	eax, [ebx+14h]
		cmp	esi, eax
		jb	short loc_4F5D7D
		add	eax, 200h
		cmp	esi, eax
		jb	loc_4F5B30
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_4F5D8C

loc_4F5D79:				; CODE XREF: MiReferenceIoPages+3A3j
		mov	ebx, eax
		jmp	short loc_4F5D5E
; 

loc_4F5D7D:				; CODE XREF: MiReferenceIoPages+385j
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_4F5D79
		mov	byte ptr [esp+0B8h+var_94], al
		jmp	loc_4F5ACA
; 

loc_4F5D8C:				; CODE XREF: MiReferenceIoPages+399j
		mov	byte ptr [esp+0B8h+var_94], 1
		jmp	loc_4F5ACA
MiReferenceIoPages endp


;  S U B	R O U T	I N E 


MiIoSpaceIsConstant proc near		; CODE XREF: MiIoSpaceRunIsConstant+28p
					; MiReferenceIoPages+B1p ...

; FUNCTION CHUNK AT 005D26E8 SIZE 00000015 BYTES

		mov	eax, dword_6D347C
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [edx-1]
		add	edi, esi
		jmp	short loc_4F5DA8
; 

loc_4F5DA6:				; CODE XREF: MiIoSpaceIsConstant+1Bj
		mov	eax, [eax]

loc_4F5DA8:				; CODE XREF: MiIoSpaceIsConstant+Ej
					; MiIoSpaceIsConstant+34j
		test	eax, eax
		jz	short loc_4F5DC2
		mov	edx, [eax+0Ch]
		cmp	edi, edx
		jb	short loc_4F5DA6
		mov	ecx, [eax+10h]
		cmp	esi, ecx
		ja	short loc_4F5DC7
		test	eax, eax
		jnz	loc_5D26E8

loc_4F5DC2:				; CODE XREF: MiIoSpaceIsConstant+14j
					; MiIoSpaceIsConstant+DC962j
		xor	eax, eax

loc_4F5DC4:				; CODE XREF: MiIoSpaceIsConstant+DC954j
					; MiIoSpaceIsConstant+DC95Cj
		pop	edi
		pop	esi
		retn
; 

loc_4F5DC7:				; CODE XREF: MiIoSpaceIsConstant+22j
		mov	eax, [eax+4]
		jmp	short loc_4F5DA8
MiIoSpaceIsConstant endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRemoveUnmappedIoNode proc near	; CODE XREF: MiReferenceIoPages+F8p
					; MiMakeIoRangePermanent(x)+FBp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D26FD SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ecx]
		jmp	short loc_4F5DD9
; 

loc_4F5DD7:				; CODE XREF: MiRemoveUnmappedIoNode+16j
		mov	esi, [esi]

loc_4F5DD9:				; CODE XREF: MiRemoveUnmappedIoNode+9j
					; MiRemoveUnmappedIoNode+2Dj
		test	esi, esi
		jz	short loc_4F5DF1
		mov	eax, [esi+14h]
		cmp	edx, eax
		jb	short loc_4F5DD7
		add	eax, 200h
		cmp	edx, eax
		jnb	short loc_4F5DF6
		test	esi, esi
		jnz	short loc_4F5DFB

loc_4F5DF1:				; CODE XREF: MiRemoveUnmappedIoNode+Fj
		xor	eax, eax

loc_4F5DF3:				; CODE XREF: MiRemoveUnmappedIoNode+8Dj
		pop	esi
		leave
		retn
; 

loc_4F5DF6:				; CODE XREF: MiRemoveUnmappedIoNode+1Fj
		mov	esi, [esi+4]
		jmp	short loc_4F5DD9
; 

loc_4F5DFB:				; CODE XREF: MiRemoveUnmappedIoNode+23j
		push	esi
		push	ecx
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		lea	ecx, [esi+0Ch]
		cmp	dword_6D3450, ecx
		jnz	short loc_4F5E1A
		mov	eax, [ecx]
		cmp	eax, offset dword_6D3450
		jnz	loc_5D26FD

loc_4F5E1A:				; CODE XREF: MiRemoveUnmappedIoNode+3Fj
					; MiRemoveUnmappedIoNode+DC939j
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_4F5E64
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_4F5E64
		and	[ebp+var_4], 0
		xor	ecx, ecx
		mov	[eax], edx
		mov	[edx+4], eax
		lea	eax, [ebp+var_4]
		lock or	[eax], ecx
		mov	edx, ds:_KiCacheFlushTimeStamp
		mov	ecx, [esi+1Ch]
		push	0FFFFFFFFh
		call	_MiTbFlushTimeStampMayNeedFlush@12 ; MiTbFlushTimeStampMayNeedFlush(x,x,x)
		test	al, al
		jz	short loc_4F5E5B

loc_4F5E4D:				; CODE XREF: MiRemoveUnmappedIoNode+96j
		and	dword ptr [esi+1Ch], 0
		mov	eax, esi
		dec	dword_6D345C
		jmp	short loc_4F5DF3
; 

loc_4F5E5B:				; CODE XREF: MiRemoveUnmappedIoNode+7Fj
		mov	ecx, esi
		call	_MiInitializeIoPageNodeArray@4 ; MiInitializeIoPageNodeArray(x)
		jmp	short loc_4F5E4D
; 

loc_4F5E64:				; CODE XREF: MiRemoveUnmappedIoNode+53j
					; MiRemoveUnmappedIoNode+5Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
MiRemoveUnmappedIoNode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeIoPageNodeArray(x)
_MiInitializeIoPageNodeArray@4 proc near ; CODE	XREF: MiReferenceIoPages+136p
					; MiRemoveUnmappedIoNode+91p

var_4		= word ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ecx+18h]
		lea	edx, [ecx+400h]
		jmp	short loc_4F5E95
; 

loc_4F5E7B:				; CODE XREF: MiInitializeIoPageNodeArray(x)+2Dj
		mov	ax, [ecx]
		mov	[ebp+var_4], ax
		mov	eax, 0C000h
		or	[ebp+var_4], ax
		mov	ax, [ebp+var_4]
		mov	[ecx], ax
		add	ecx, 2

loc_4F5E95:				; CODE XREF: MiInitializeIoPageNodeArray(x)+Fj
		cmp	ecx, edx
		jb	short loc_4F5E7B
		leave
		retn
_MiInitializeIoPageNodeArray@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAnyIoNodePagesCached(x)
_MiAnyIoNodePagesCached@4 proc near	; CODE XREF: MiDereferenceIoPages+1BDp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ecx+18h]
		push	esi
		lea	edx, [ecx+400h]

loc_4F5EAC:				; CODE XREF: MiAnyIoNodePagesCached(x)+30j
		cmp	ecx, edx
		jnb	short loc_4F5ECE
		mov	ax, [ecx]
		mov	esi, 4000h
		mov	word ptr [ebp+var_4], ax
		mov	eax, [ebp+var_4]
		and	eax, 0C000h
		cmp	ax, si
		jz	short loc_4F5ED3
		add	ecx, 2
		jmp	short loc_4F5EAC
; 

loc_4F5ECE:				; CODE XREF: MiAnyIoNodePagesCached(x)+12j
		xor	eax, eax

loc_4F5ED0:				; CODE XREF: MiAnyIoNodePagesCached(x)+3Aj
		pop	esi
		leave
		retn
; 

loc_4F5ED3:				; CODE XREF: MiAnyIoNodePagesCached(x)+2Bj
		xor	eax, eax
		inc	eax
		jmp	short loc_4F5ED0
_MiAnyIoNodePagesCached@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 809. IoCsqRemoveNextIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCsqRemoveNextIrp(x, x)
		public _IoCsqRemoveNextIrp@8
_IoCsqRemoveNextIrp@8 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	edi
		xor	ebx, ebx
		push	eax
		push	esi
		mov	byte ptr [ebp+var_4], bl
		mov	[esi+1Ch], ebx
		call	dword ptr [esi+10h]
		push	[ebp+arg_4]
		push	ebx

loc_4F5EFE:				; CODE XREF: IoCsqRemoveNextIrp(x,x)+62j
		push	esi
		call	dword ptr [esi+0Ch]
		mov	edi, eax
		test	edi, edi
		jz	short loc_4F5F33
		xor	edx, edx
		lea	ecx, [edi+38h]
		xchg	edx, [ecx]
		test	edx, edx
		jz	short loc_4F5F3C
		push	edi
		push	esi
		call	dword ptr [esi+8]
		mov	eax, [edi+4Ch]
		cmp	dword ptr [eax], 1
		jz	short loc_4F5F37

loc_4F5F20:				; CODE XREF: IoCsqRemoveNextIrp(x,x)+5Cj
		mov	[edi+4Ch], ebx

loc_4F5F23:				; CODE XREF: IoCsqRemoveNextIrp(x,x)+57j
		push	[ebp+var_4]
		push	esi
		call	dword ptr [esi+14h]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4F5F33:				; CODE XREF: IoCsqRemoveNextIrp(x,x)+28j
		mov	edi, ebx
		jmp	short loc_4F5F23
; 

loc_4F5F37:				; CODE XREF: IoCsqRemoveNextIrp(x,x)+40j
		mov	[eax+4], ebx
		jmp	short loc_4F5F20
; 

loc_4F5F3C:				; CODE XREF: IoCsqRemoveNextIrp(x,x)+33j
		push	[ebp+arg_4]
		push	edi
		jmp	short loc_4F5EFE
_IoCsqRemoveNextIrp@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl RtlpDynamicLookasideBucketCompare(const void *,const void	*)
_RtlpDynamicLookasideBucketCompare proc	near
					; DATA XREF: RtlpDynamicLookasideRebalance:loc_4E7FBDo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+4]
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+4]
		cmp	eax, ecx
		ja	short loc_4F5F5D
		sbb	eax, eax
		neg	eax
		pop	ebp
		retn
; 

loc_4F5F5D:				; CODE XREF: _RtlpDynamicLookasideBucketCompare+13j
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
_RtlpDynamicLookasideBucketCompare endp

; 
		align 8
; Exported entry 884. IoGetSiloParameters

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetSiloParameters(x)
		public _IoGetSiloParameters@4
_IoGetSiloParameters@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+7Ch]
		test	eax, eax
		jnz	short loc_4F5F7D

loc_4F5F77:				; CODE XREF: IoGetSiloParameters(x)+1Bj
		xor	eax, eax

loc_4F5F79:				; CODE XREF: IoGetSiloParameters(x)+20j
		pop	ebp
		retn	4
; 

loc_4F5F7D:				; CODE XREF: IoGetSiloParameters(x)+Dj
		cmp	eax, _IopRevocationExtension
		jz	short loc_4F5F77
		mov	eax, [eax+20h]
		jmp	short loc_4F5F79
_IoGetSiloParameters@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiUserPdeOrAbove(x)
_MiUserPdeOrAbove@4 proc near		; CODE XREF: .text:0045D42Ep
					; .text:loc_45E4CCp ...
		mov	eax, ds:_MmHighestUserAddress
		mov	edx, 0C0600000h
		push	ebx
		shr	eax, 12h
		mov	ebx, 40000000h
		push	esi
		and	eax, 3FF8h
		xor	esi, esi
		push	edi
		sub	eax, 3FA00000h
		mov	edi, offset loc_7FFFF8
		inc	esi

loc_4F5FB1:				; CODE XREF: MiUserPdeOrAbove(x)+48j
		cmp	ecx, eax
		ja	short loc_4F5FC0
		cmp	ecx, edx
		jb	short loc_4F5FC0
		xor	eax, eax
		inc	eax

loc_4F5FBC:				; CODE XREF: MiUserPdeOrAbove(x)+4Cj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4F5FC0:				; CODE XREF: MiUserPdeOrAbove(x)+29j
					; MiUserPdeOrAbove(x)+2Dj
		shr	edx, 9
		shr	eax, 9
		and	edx, edi
		and	eax, edi
		sub	edx, ebx
		sub	eax, ebx
		inc	esi
		cmp	esi, 2
		jb	short loc_4F5FB1
		xor	eax, eax
		jmp	short loc_4F5FBC
_MiUserPdeOrAbove@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1979. RtlClearBit

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlClearBit(x, x)
		public _RtlClearBit@8
_RtlClearBit@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	edx, ecx
		mov	eax, [ebp+arg_0]
		and	ecx, 7
		shr	edx, 3
		add	edx, [eax+4]
		movsx	eax, byte ptr [edx]
		btr	eax, ecx
		mov	[edx], al
		pop	ebp
		retn	8
_RtlClearBit@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiQueryLeafPte(x, x, x)
_MiQueryLeafPte@12 proc	near		; DATA XREF: MiGetWorkingSetInfoEx+B2o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		mov	ecx, dword_6D2E88
		push	esi
		mov	esi, [ebp+arg_4]
		mov	edx, esi
		shl	edx, 9
		mov	[esp+1Ch+var_4], edx
		push	edi
		mov	edi, [eax+48h]
		cmp	edx, ecx
		jb	short loc_4F6046
		mov	eax, dword_6D2E90
		test	eax, eax
		jnz	short loc_4F603C
		mov	eax, 2000h
		mov	dword_6D2E90, eax

loc_4F603C:				; CODE XREF: MiQueryLeafPte(x,x,x)+30j
		add	eax, ecx
		cmp	edx, eax
		jb	loc_4F61C7

loc_4F6046:				; CODE XREF: MiQueryLeafPte(x,x,x)+27j
		cmp	[ebp+arg_8], 1
		jge	loc_4F61C7
		and	[esp+20h+var_10], 0
		mov	ecx, [esi]
		nop
		mov	esi, [esi+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_4F61C7
		nop
		shrd	ecx, esi, 0Ch
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		test	byte ptr [edi],	1
		mov	[esp+20h+var_10], ecx
		jz	loc_4F6199
		inc	dword ptr [edi+8]
		mov	esi, [edi+8]
		mov	[esp+20h+var_14], esi
		cmp	esi, [edi+0Ch]
		jnb	loc_4F61AD
		mov	eax, [edi+4]
		mov	[esp+20h+var_18], eax
		push	1Ch
		mov	eax, [eax+esi*4-4]
		xor	eax, edx
		and	eax, 0FFFh
		xor	eax, edx
		mov	edx, [esp+24h+var_18]
		mov	[edx+esi*4-4], eax
		mov	eax, ecx
		sub	eax, ds:_MmPfnDatabase
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		mov	ecx, [esp+20h+var_18]
		mov	eax, [eax+4]
		shl	eax, 9
		xor	eax, [ecx+esi*4-4]
		and	eax, 0E00h
		xor	[ecx+esi*4-4], eax
		mov	edx, [ecx+esi*4-4]
		mov	ecx, [esp+20h+var_10]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		mov	esi, eax
		mov	eax, [esp+20h+var_18]
		shl	esi, 8
		xor	esi, edx
		and	esi, 100h
		xor	esi, edx
		mov	edx, [esp+20h+var_14]
		mov	[eax+edx*4-4], esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4F6170
		test	byte ptr [edi],	2
		jz	short loc_4F6129
		and	esi, 0FFFFF1FFh
		or	esi, 0E0h
		jmp	short loc_4F6145
; 

loc_4F6129:				; CODE XREF: MiQueryLeafPte(x,x,x)+119j
		mov	eax, [ecx+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 7
		jb	short loc_4F6139
		push	7
		pop	eax

loc_4F6139:				; CODE XREF: MiQueryLeafPte(x,x,x)+134j
		shl	eax, 5
		xor	eax, esi
		and	eax, 0E0h
		xor	esi, eax

loc_4F6145:				; CODE XREF: MiQueryLeafPte(x,x,x)+127j
		mov	edi, [esp+20h+var_18]
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	[edi+edx*4-4], esi
		mov	edx, [esp+24h+var_4]
		mov	ecx, [ecx+10h]
		call	_MiGetPfnProtection@12 ; MiGetPfnProtection(x,x,x)
		mov	edx, [esp+20h+var_14]
		mov	ecx, [edi+edx*4-4]
		xor	ecx, eax
		and	ecx, 1Fh
		xor	ecx, [edi+edx*4-4]
		jmp	short loc_4F6193
; 

loc_4F6170:				; CODE XREF: MiQueryLeafPte(x,x,x)+114j
		mov	edi, [esp+20h+var_18]
		and	esi, 0FFFFFF1Fh
		mov	eax, [esp+20h+var_10]
		mov	[edi+edx*4-4], esi
		mov	ecx, [ecx+8]
		mov	eax, [eax+0Ch]
		shrd	ecx, eax, 5
		xor	ecx, esi
		and	ecx, 1Fh
		xor	ecx, esi

loc_4F6193:				; CODE XREF: MiQueryLeafPte(x,x,x)+16Ej
		mov	[edi+edx*4-4], ecx
		jmp	short loc_4F61C7
; 

loc_4F6199:				; CODE XREF: MiQueryLeafPte(x,x,x)+84j
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4F61C7
		inc	dword ptr [edi+8]
		mov	eax, [edi+8]
		cmp	eax, [edi+0Ch]
		jb	short loc_4F61B2

loc_4F61AD:				; CODE XREF: MiQueryLeafPte(x,x,x)+97j
		push	4
		pop	eax
		jmp	short loc_4F61C9
; 

loc_4F61B2:				; CODE XREF: MiQueryLeafPte(x,x,x)+1ABj
		imul	esi, eax, 18h
		add	esi, [edi+4]
		lea	edx, [esi-18h]
		call	_MiIdentifyPfnWrapper@8	; MiIdentifyPfnWrapper(x,x)
		mov	eax, [esp+20h+var_4]
		mov	[esi-8], eax

loc_4F61C7:				; CODE XREF: MiQueryLeafPte(x,x,x)+40j
					; MiQueryLeafPte(x,x,x)+4Aj ...
		xor	eax, eax

loc_4F61C9:				; CODE XREF: MiQueryLeafPte(x,x,x)+1B0j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MiQueryLeafPte@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetPfnProtection(x, x, x)
_MiGetPfnProtection@12 proc near	; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+FCFp
					; MiQueryLeafPte(x,x,x)+158p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, edx
		call	MiLocateWsle
		mov	ecx, esi
		mov	al, [eax]
		mov	byte ptr [ebp+var_4], al
		push	[ebp+var_4]
		call	_MiGetWsleProtection@8 ; MiGetWsleProtection(x,x)
		test	eax, eax
		jnz	short loc_4F6250
		mov	edx, [ebp+arg_0]
		mov	esi, [edx+8]
		nop
		mov	eax, [edx+0Ch]
		shrd	esi, eax, 5
		and	esi, 1Fh
		test	dword ptr [edx+18h], 800000h
		jnz	short loc_4F6220
		mov	eax, [edx+4]
		test	eax, eax
		js	short loc_4F6220
		jz	short loc_4F6220
		mov	eax, ds:_MmMakeProtectNotWriteCopy[esi*4]
		jmp	short loc_4F6250
; 

loc_4F6220:				; CODE XREF: MiGetPfnProtection(x,x,x)+3Aj
					; MiGetPfnProtection(x,x,x)+41j ...
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		cmp	dword ptr [ecx+148h], 0
		jz	short loc_4F624E
		mov	edx, [edx+4]
		or	edx, 80000000h
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		test	eax, eax
		jz	short loc_4F624E
		mov	esi, ds:_MmMakeProtectNotWriteCopy[esi*4]

loc_4F624E:				; CODE XREF: MiGetPfnProtection(x,x,x)+61j
					; MiGetPfnProtection(x,x,x)+73j
		mov	eax, esi

loc_4F6250:				; CODE XREF: MiGetPfnProtection(x,x,x)+20j
					; MiGetPfnProtection(x,x,x)+4Cj
		pop	esi
		leave
		retn	4
_MiGetPfnProtection@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWakePageZeroing(x, x)
_MiWakePageZeroing@8 proc near		; CODE XREF: MiInsertLargePageInNodeList(x)+416p
					; MiWorkingSetManager(x,x)+46p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1], 21h
		lea	edi, [ebp+var_18]
		mov	esi, edx
		stosd
		mov	ebx, ecx
		mov	[ebp+var_C], esi
		stosd
		stosd
		test	esi, esi
		jnz	short loc_4F628C
		movzx	eax, ds:_KeNumberNodes
		mov	edx, [ebx+10h]
		imul	ecx, eax, 280h
		add	ecx, edx
		jmp	short loc_4F629C
; 

loc_4F628C:				; CODE XREF: MiWakePageZeroing(x,x)+20j
		test	byte ptr [ebx+4], 40h
		jnz	loc_4F63CE
		lea	ecx, [esi+280h]

loc_4F629C:				; CODE XREF: MiWakePageZeroing(x,x)+34j
		mov	eax, [ebx+0DD0h]
		test	eax, eax
		jnz	loc_4F63CE
		cmp	edx, ecx
		jnb	loc_4F63CE
		sub	ecx, edx
		lea	esi, [edx+272h]
		xor	edx, edx
		lea	eax, [ecx-1]
		mov	ecx, 280h
		div	ecx
		xor	ecx, ecx
		inc	ecx
		lea	edi, [eax+1]
		mov	[ebp+var_8], edi
		mov	edi, [ebp+var_C]
		mov	eax, [ebp+var_8]

loc_4F62D5:				; CODE XREF: MiWakePageZeroing(x,x)+172j
		cmp	byte ptr [esi],	0
		jnz	loc_4F63BC
		test	edi, edi
		jz	short loc_4F631A
		push	ecx
		mov	edx, ecx
		lea	ecx, [esi-272h]
		call	_MiNodeLargeFreeZeroPages@12 ; MiNodeLargeFreeZeroPages(x,x,x)
		cmp	eax, 400h
		jb	loc_4F63B6
		xor	eax, eax
		lea	ecx, [esi-272h]
		push	0
		lea	edx, [eax+1]
		call	_MiNodeLargeFreeZeroPages@12 ; MiNodeLargeFreeZeroPages(x,x,x)
		cmp	eax, 100000h
		jnb	loc_4F63B6
		jmp	short loc_4F6325
; 

loc_4F631A:				; CODE XREF: MiWakePageZeroing(x,x)+8Aj
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al

loc_4F6325:				; CODE XREF: MiWakePageZeroing(x,x)+C2j
		cmp	byte ptr [ebx+0DB5h], 0
		jz	loc_4F63D3
		mov	eax, [esi-2Eh]
		lea	edx, [ebp+var_18]
		mov	[ebp+var_C], eax
		lea	ecx, [eax+10h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	byte ptr [esi],	0
		jnz	short loc_4F6358
		mov	ecx, [ebp+var_C]
		xor	eax, eax
		push	2
		inc	eax
		pop	edx
		mov	[esi], al
		call	_MiWakeZeroingThreads@8	; MiWakeZeroingThreads(x,x)

loc_4F6358:				; CODE XREF: MiWakePageZeroing(x,x)+F0j
		test	ds:byte_70EFC6,	1
		jz	short loc_4F636E
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4F639D
; 

loc_4F636E:				; CODE XREF: MiWakePageZeroing(x,x)+109j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_4F638D
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	short loc_4F639D
		call	KxWaitForLockChainValid

loc_4F638D:				; CODE XREF: MiWakePageZeroing(x,x)+11Dj
		xor	ecx, ecx
		mov	[ebp+var_18], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_4F639D:				; CODE XREF: MiWakePageZeroing(x,x)+116j
					; MiWakePageZeroing(x,x)+130j
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4F63A6:				; CODE XREF: MiWakePageZeroing(x,x)+1DEj
					; MiWakePageZeroing(x,x)+1FBj
		xor	ecx, ecx
		inc	ecx

loc_4F63A9:				; CODE XREF: MiWakePageZeroing(x,x)+216j
		test	edi, edi
		jnz	short loc_4F63B9
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4F63B6:				; CODE XREF: MiWakePageZeroing(x,x)+9Fj
					; MiWakePageZeroing(x,x)+BCj
		xor	ecx, ecx
		inc	ecx

loc_4F63B9:				; CODE XREF: MiWakePageZeroing(x,x)+155j
		mov	eax, [ebp+var_8]

loc_4F63BC:				; CODE XREF: MiWakePageZeroing(x,x)+82j
		add	esi, 280h
		sub	eax, 1
		mov	[ebp+var_8], eax
		jnz	loc_4F62D5

loc_4F63CE:				; CODE XREF: MiWakePageZeroing(x,x)+3Aj
					; MiWakePageZeroing(x,x)+4Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F63D3:				; CODE XREF: MiWakePageZeroing(x,x)+D6j
		and	[ebp+var_18], 0
		lea	eax, [ebx+0A80h]
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_14], eax
		jz	short loc_4F63F5
		mov	edx, eax
		lea	ecx, [ebp+var_18]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_4F6406
; 

loc_4F63F5:				; CODE XREF: MiWakePageZeroing(x,x)+191j
		lea	edx, [ebp+var_18]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_4F6406
		lea	ecx, [ebp+var_18]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_4F6406:				; CODE XREF: MiWakePageZeroing(x,x)+19Dj
					; MiWakePageZeroing(x,x)+1A6j
		cmp	byte ptr [esi],	0
		jnz	short loc_4F6420
		xor	eax, eax
		inc	eax
		push	0
		mov	[esi], al
		lea	eax, [ebx+0DA4h]
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_4F6420:				; CODE XREF: MiWakePageZeroing(x,x)+1B3j
		test	ds:byte_70EFC6,	1
		jz	short loc_4F6439
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4F63A6
; 

loc_4F6439:				; CODE XREF: MiWakePageZeroing(x,x)+1D1j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_4F645C
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	loc_4F63A6
		call	KxWaitForLockChainValid

loc_4F645C:				; CODE XREF: MiWakePageZeroing(x,x)+1E8j
		xor	ecx, ecx
		mov	[ebp+var_18], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4F63A9
_MiWakePageZeroing@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWakeZeroingThreads(x, x)
_MiWakeZeroingThreads@8	proc near	; CODE XREF: .text:00470DD9p
					; MiWakePageZeroing(x,x)+FDp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, edx
		mov	ecx, eax
		and	ecx, 1
		mov	[ebp+var_8], ecx
		mov	ebx, [edi+6Ch]
		jnz	short loc_4F6498
		mov	eax, [edi+70h]
		test	eax, eax
		jz	short loc_4F6496
		mov	ebx, eax

loc_4F6496:				; CODE XREF: MiWakeZeroingThreads(x,x)+20j
		mov	eax, edx

loc_4F6498:				; CODE XREF: MiWakeZeroingThreads(x,x)+19j
		mov	esi, [edi+64h]
		test	ebx, ebx
		jz	short loc_4F64DD
		and	eax, 4
		add	esi, 4
		mov	[ebp+var_4], eax

loc_4F64A8:				; CODE XREF: MiWakeZeroingThreads(x,x)+69j
		test	eax, eax
		jnz	short loc_4F64E2

loc_4F64AC:				; CODE XREF: MiWakeZeroingThreads(x,x)+73j
		test	ecx, ecx
		jnz	short loc_4F64B6
		mov	al, [esi]
		test	al, 4
		jz	short loc_4F64D2

loc_4F64B6:				; CODE XREF: MiWakeZeroingThreads(x,x)+3Cj
		mov	al, [esi]
		test	al, 1
		jz	short loc_4F64D2
		and	byte ptr [esi],	0FEh
		lea	eax, [esi+8]
		inc	dword ptr [edi+74h]
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [ebp+var_8]

loc_4F64D2:				; CODE XREF: MiWakeZeroingThreads(x,x)+42j
					; MiWakeZeroingThreads(x,x)+48j
		mov	eax, [ebp+var_4]
		add	esi, 1Ch
		sub	ebx, 1
		jnz	short loc_4F64A8

loc_4F64DD:				; CODE XREF: MiWakeZeroingThreads(x,x)+2Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F64E2:				; CODE XREF: MiWakeZeroingThreads(x,x)+38j
		or	byte ptr [esi],	2
		jmp	short loc_4F64AC
_MiWakeZeroingThreads@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl KiIntSteerLoadCompare(const void *,const void *)
_KiIntSteerLoadCompare proc near	; DATA XREF: KiIntSteerCalculateDistribution:loc_4865F1o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	eax, [eax]
		mov	esi, [eax+9Ch]
		mov	ecx, [eax+98h]
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		mov	edx, [eax+98h]
		mov	eax, [eax+9Ch]
		cmp	esi, eax
		ja	short loc_4F6524
		jb	short loc_4F652A
		cmp	ecx, edx
		jb	short loc_4F652A
		cmp	esi, eax
		jb	short loc_4F652F
		ja	short loc_4F6524
		cmp	ecx, edx
		jbe	short loc_4F652F

loc_4F6524:				; CODE XREF: _KiIntSteerLoadCompare+2Aj
					; _KiIntSteerLoadCompare+36j
		or	eax, 0FFFFFFFFh

loc_4F6527:				; CODE XREF: _KiIntSteerLoadCompare+45j
					; _KiIntSteerLoadCompare+49j
		pop	esi
		pop	ebp
		retn
; 

loc_4F652A:				; CODE XREF: _KiIntSteerLoadCompare+2Cj
					; _KiIntSteerLoadCompare+30j
		xor	eax, eax
		inc	eax
		jmp	short loc_4F6527
; 

loc_4F652F:				; CODE XREF: _KiIntSteerLoadCompare+34j
					; _KiIntSteerLoadCompare+3Aj
		xor	eax, eax
		jmp	short loc_4F6527
_KiIntSteerLoadCompare endp

; 
		align 8
; Exported entry 999. IoSetMasterIrpStatus

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetMasterIrpStatus(x, x)
		public _IoSetMasterIrpStatus@8
_IoSetMasterIrpStatus@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, 80000016h
		add	edi, 18h

loc_4F654A:				; CODE XREF: IoSetMasterIrpStatus(x,x)+53j
		mov	edx, [edi]
		cmp	[ebp+arg_4], ebx
		jz	short loc_4F6580
		cmp	edx, ebx
		jz	short loc_4F657A
		cmp	edx, 40000035h
		jz	short loc_4F6580
		cmp	[ebp+arg_4], 40000035h
		jz	short loc_4F657A
		mov	eax, [ebp+arg_4]
		mov	ecx, edx
		and	ecx, 0C0000000h
		and	eax, 0C0000000h
		cmp	eax, ecx
		ja	short loc_4F6580

loc_4F657A:				; CODE XREF: IoSetMasterIrpStatus(x,x)+1Bj
					; IoSetMasterIrpStatus(x,x)+2Cj ...
		pop	edi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_4F6580:				; CODE XREF: IoSetMasterIrpStatus(x,x)+17j
					; IoSetMasterIrpStatus(x,x)+23j ...
		mov	ecx, [ebp+arg_4]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	edx, eax
		jnz	short loc_4F654A
		jmp	short loc_4F657A
_IoSetMasterIrpStatus@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopPostProcessIrp proc near		; CODE XREF: IoRemoveIoCompletion+1E4p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D270A SIZE 00000064 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_20], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_24], edx
		push	6
		pop	ecx
		lea	edi, [ebp+var_1C]
		and	[esi+34h], eax
		mov	ebx, [esi+30h]
		rep stosd
		mov	eax, large fs:124h
		lea	edi, [esi+64h]
		and	ebx, 0FFFFFFFCh
		cmp	ebx, [eax+80h]
		jnz	loc_5D270A
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [esi+40h]
		push	eax
		call	_IopCompleteRequest@20 ; IopCompleteRequest(x,x,x,x,x)

loc_4F65E9:				; CODE XREF: IopPostProcessIrp+DC1BEj
					; IopPostProcessIrp+DC1D9j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
IopPostProcessIrp endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 373. ExInitializeAutoExpandPushLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInitializeAutoExpandPushLock(x, x)
		public _ExInitializeAutoExpandPushLock@8
_ExInitializeAutoExpandPushLock@8 proc near ; CODE XREF: MmInitializeProcessAddressSpace+7Ap
					; MmInitializeHandBuiltProcess+38p ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		test	[ebp+arg_4], 1
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		jz	short loc_4F661A

loc_4F6614:				; CODE XREF: ExInitializeAutoExpandPushLock(x,x)+23j
		mov	[eax], ecx
		pop	ebp
		retn	8
; 

loc_4F661A:				; CODE XREF: ExInitializeAutoExpandPushLock(x,x)+14j
		mov	dword ptr [eax+4], 4
		jmp	short loc_4F6614
_ExInitializeAutoExpandPushLock@8 endp

; 
		align 8
; Exported entry 286. EtwActivityIdControl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public EtwActivityIdControl
EtwActivityIdControl proc near		; CODE XREF: IoReuseIrp(x,x)+1B2p
					; IoSetActivityIdIrp(x,x)+46p ...

var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D276E SIZE 0000001A BYTES

		push	20h
		push	offset dword_6A3400
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx
		mov	eax, [ebp+arg_0]
		cmp	eax, 3
		jnz	short loc_4F665E
		mov	ecx, [ebp+arg_4]
		call	_EtwpCreateActivityId@4	; EtwpCreateActivityId(x)

loc_4F6649:				; CODE XREF: EtwActivityIdControl+77j
		mov	eax, [ebp+var_1C]

loc_4F664C:				; CODE XREF: EtwActivityIdControl+85j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4F665E:				; CODE XREF: EtwActivityIdControl+17j
		mov	[ebp+ms_exc.disabled], ecx
		mov	edx, large fs:124h
		test	dword ptr [edx+58h], 400h
		jnz	short loc_4F6680
		cmp	byte ptr [edx+16Ah], 1
		jz	short loc_4F6680
		mov	ecx, [edx+0A8h]

loc_4F6680:				; CODE XREF: EtwActivityIdControl+47j
					; EtwActivityIdControl+50j
		test	ecx, ecx
		jz	short loc_4F66A1
		add	ecx, 0F50h
		sub	eax, 1
		jnz	short loc_4F66AF
		mov	esi, ecx

loc_4F6691:				; CODE XREF: EtwActivityIdControl+DC15Bj
		mov	edi, [ebp+arg_4]

loc_4F6694:				; CODE XREF: EtwActivityIdControl+B0j
		movsd
		movsd
		movsd
		movsd

loc_4F6698:				; CODE XREF: EtwActivityIdControl+A9j
					; EtwActivityIdControl+B9j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_4F6649
; 

loc_4F66A1:				; CODE XREF: EtwActivityIdControl+5Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C00000BBh
		jmp	short loc_4F664C
; 

loc_4F66AF:				; CODE XREF: EtwActivityIdControl+65j
		sub	eax, 1
		jz	short loc_4F66D3
		dec	eax
		sub	eax, 1
		jz	loc_5D276E
		sub	eax, 1
		jnz	short loc_4F66DA
		mov	esi, ecx
		mov	edi, [ebp+arg_4]
		movsd
		movsd
		movsd
		movsd
		call	_EtwpCreateActivityId@4	; EtwpCreateActivityId(x)
		jmp	short loc_4F6698
; 

loc_4F66D3:				; CODE XREF: EtwActivityIdControl+8Aj
		mov	esi, [ebp+arg_4]
		mov	edi, ecx
		jmp	short loc_4F6694
; 

loc_4F66DA:				; CODE XREF: EtwActivityIdControl+99j
		mov	[ebp+var_1C], 0C000000Dh
		jmp	short loc_4F6698
EtwActivityIdControl endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCreateActivityId(x)
_EtwpCreateActivityId@4	proc near	; CODE XREF: EtwActivityIdControl+1Cp
					; EtwActivityIdControl+A4p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:20h
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+4054h]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_14], eax
		lea	edi, [eax+8]

loc_4F6704:				; CODE XREF: EtwpCreateActivityId(x)+46j
					; EtwpCreateActivityId(x)+4Bj
		mov	esi, [edi]
		mov	ecx, esi
		mov	edx, [edi+4]
		add	ecx, 1
		mov	eax, edx
		mov	[ebp+var_8], edx
		adc	eax, 0
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], eax
		mov	eax, esi
		nop
		mov	ebx, ecx
		mov	ecx, [ebp+var_4]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_4F6704
		cmp	edx, [ebp+var_8]
		jnz	short loc_4F6704
		mov	edi, [ebp+var_C]
		mov	eax, [ebp+var_10]
		mov	[edi+0Ch], ecx
		mov	ecx, [ebp+var_14]
		mov	[edi+8], eax
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCreateActivityId@4	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry  52. ExReInitializeRundownProtectionCacheAware

;  S U B	R O U T	I N E 


; __fastcall ExReInitializeRundownProtectionCacheAware(x)
		public @ExReInitializeRundownProtectionCacheAware@4
@ExReInitializeRundownProtectionCacheAware@4 proc near
					; CODE XREF: NtQueryPerformanceCounter+325p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	@ExRundownCompletedCacheAware@4	; ExRundownCompletedCacheAware(x)
		mov	edi, [esi+0Ch]
		xor	ebx, ebx
		test	edi, edi
		jz	short loc_4F6781

loc_4F6769:				; CODE XREF: ExReInitializeRundownProtectionCacheAware(x)+2Bj
		xor	edx, edx
		mov	eax, ebx
		div	edi
		xor	ecx, ecx
		imul	edx, [esi+8]
		add	edx, [esi]
		xchg	ecx, [edx]
		mov	edi, [esi+0Ch]
		inc	ebx
		cmp	ebx, edi
		jb	short loc_4F6769

loc_4F6781:				; CODE XREF: ExReInitializeRundownProtectionCacheAware(x)+13j
		pop	edi
		pop	esi
		pop	ebx
		retn
@ExReInitializeRundownProtectionCacheAware@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry  71. ExRundownCompletedCacheAware

;  S U B	R O U T	I N E 


; __fastcall ExRundownCompletedCacheAware(x)
		public @ExRundownCompletedCacheAware@4
@ExRundownCompletedCacheAware@4	proc near
					; CODE XREF: ExReInitializeRundownProtectionCacheAware(x)+7p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, [esi+0Ch]
		test	edi, edi
		jz	short loc_4F67B3

loc_4F679A:				; CODE XREF: ExRundownCompletedCacheAware(x)+27j
		xor	edx, edx
		mov	eax, ebx
		div	edi
		xor	ecx, ecx
		imul	edx, [esi+8]
		inc	ecx
		add	edx, [esi]
		xchg	ecx, [edx]
		mov	edi, [esi+0Ch]
		inc	ebx
		cmp	ebx, edi
		jb	short loc_4F679A

loc_4F67B3:				; CODE XREF: ExRundownCompletedCacheAware(x)+Ej
		pop	edi
		pop	esi
		pop	ebx
		retn
@ExRundownCompletedCacheAware@4	endp

; 
		align 4

;  S U B	R O U T	I N E 


EtwpClearPartitionContext proc near	; CODE XREF: NtQueryPerformanceCounter+300p

; FUNCTION CHUNK AT 005D27A4 SIZE 0000000D BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi]
		test	ecx, ecx
		jnz	loc_5D27A4

loc_4F67C7:				; CODE XREF: EtwpClearPartitionContext+DBFF4j
		xor	eax, eax
		pop	esi
		retn
EtwpClearPartitionContext endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpFreeTraceBuffer proc near		; CODE XREF: EtwpAdjustSiloTraceBuffers(x)+D7p
					; EtwpFreeTraceBufferPool(x)+48p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	dword ptr [ecx+378h], 0
		push	esi
		mov	esi, edx
		jnz	short loc_4F67FA
		test	dword ptr [ecx+258h], 20000000h
		jnz	sub_5D27B1
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4F67F7:				; CODE XREF: EtwpFreeTraceBuffer+33j
					; sub_5D27B1+4Aj
		pop	esi
		leave
		retn
; 

loc_4F67FA:				; CODE XREF: EtwpFreeTraceBuffer+11j
		call	_EtwpFreePartitionMemory@8 ; EtwpFreePartitionMemory(x,x)
		jmp	short loc_4F67F7
EtwpFreeTraceBuffer endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpFreeCompression proc near		; CODE XREF: NtQueryPerformanceCounter+168p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D2800 SIZE 000001E8 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		push	esi
		mov	esi, ecx
		push	edi
		push	0
		mov	[ebp+var_C], esi
		lea	eax, [esi+31Ch]
		push	eax
		call	KeRemoveQueueDpcEx
		mov	eax, [esi+308h]
		test	eax, eax
		jnz	loc_5D2800

loc_4F683F:				; CODE XREF: EtwpFreeCompression+DC1D4j
		mov	eax, [esi+304h]
		test	eax, eax
		jnz	loc_5D29DB

loc_4F684D:				; CODE XREF: EtwpFreeCompression+DC1E1j
		mov	ecx, esi
		call	EtwpFreePlaceholderList
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
EtwpFreeCompression endp ; sp =	 4

; 
		align 2

;  S U B	R O U T	I N E 


EtwpCancelPendingStackwalkApcs proc near ; CODE	XREF: NtQueryPerformanceCounter+D4p

; FUNCTION CHUNK AT 005D29E8 SIZE 0000005F BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		cmp	[edi+29Ch], ebx
		ja	short loc_4F6889

loc_4F686F:				; CODE XREF: EtwpCancelPendingStackwalkApcs+DC1BBj
		push	0
		lea	eax, [edi+26Ch]
		push	eax
		call	KeRemoveQueueDpcEx
		test	al, al
		jnz	loc_5D2A1E

loc_4F6885:				; CODE XREF: EtwpCancelPendingStackwalkApcs+DC1E4j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4F6889:				; CODE XREF: EtwpCancelPendingStackwalkApcs+Fj
		xor	esi, esi
		jmp	loc_5D29E8
EtwpCancelPendingStackwalkApcs endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1268. KeRemoveQueueDpc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRemoveQueueDpc(x)
		public _KeRemoveQueueDpc@4
_KeRemoveQueueDpc@4 proc near		; CODE XREF: KiCalibrateTimeAdjustment+273p
					; NtQueryPerformanceCounter+180p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_0]
		call	KeRemoveQueueDpcEx
		pop	ebp
		retn	4
_KeRemoveQueueDpc@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1269. KeRemoveQueueDpcEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeRemoveQueueDpcEx
KeRemoveQueueDpcEx proc	near		; CODE XREF: EtwpFreeCompression+2Ap
					; EtwpCancelPendingStackwalkApcs+1Ap ...

var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= word ptr -24h
var_22		= word ptr -22h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005D2A47 SIZE 00000175 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, [ebp+arg_0]
		push	8
		pop	ecx
		lea	edi, [ebp+var_58]
		xor	bl, bl
		rep stosd
		lea	edi, [ebp+var_38]
		mov	[ebp+var_18], ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		and	[ebp+var_1C], eax
		lea	edi, [ebp+var_10]
		mov	[ebp+var_22], ax
		stosd
		stosd
		stosd
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, [esi+1Ch]
		mov	[ebp+var_11], al
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	loc_5D2A47

loc_4F6900:				; CODE XREF: KeRemoveQueueDpcEx+DC241j
		test	al, al
		jz	short loc_4F6905
		sti

loc_4F6905:				; CODE XREF: KeRemoveQueueDpcEx+54j
		cmp	[ebp+arg_4], 0
		jnz	loc_5D2AF4

loc_4F690F:				; CODE XREF: KeRemoveQueueDpcEx+DC24Aj
					; KeRemoveQueueDpcEx+DC309j
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
KeRemoveQueueDpcEx endp


;  S U B	R O U T	I N E 


EtwpFreePlaceholderList	proc near	; CODE XREF: EtwpFreeCompression+4Dp
					; EtwpInitializeCompression(x)+F3p

; FUNCTION CHUNK AT 005D2BBC SIZE 00000018 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx

loc_4F6927:				; CODE XREF: EtwpFreePlaceholderList+DC2ADj
		mov	edx, [esi+318h]
		test	edx, edx
		jnz	loc_5D2BBC
		pop	esi
		retn
EtwpFreePlaceholderList	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry  84. ExWaitForRundownProtectionReleaseCacheAware

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExWaitForRundownProtectionReleaseCacheAware(x)
		public @ExWaitForRundownProtectionReleaseCacheAware@4
@ExWaitForRundownProtectionReleaseCacheAware@4 proc near
					; CODE XREF: MiDrainCrossPartitionUsage(x)+174p
					; RawVerifyVolume(x,x)+C6p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		lea	edx, [ebp+var_18]
		xor	eax, eax
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_18]
		push	6
		pop	ecx
		rep stosd
		mov	ecx, esi
		call	@ExpMarkRundownProtectionActiveCacheAware@8 ; ExpMarkRundownProtectionActiveCacheAware(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_4F6966

loc_4F6962:				; CODE XREF: ExWaitForRundownProtectionReleaseCacheAware(x)+47j
					; ExWaitForRundownProtectionReleaseCacheAware(x)+56j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4F6966:				; CODE XREF: ExWaitForRundownProtectionReleaseCacheAware(x)+24j
		xor	edi, edi
		shr	esi, 1
		push	edi
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, esi
		lea	ecx, [ebp+var_18]
		lock xadd [ecx], eax
		neg	esi
		cmp	eax, esi
		jz	short loc_4F6962
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_14]
		push	eax
		call	KeWaitForSingleObject
		jmp	short loc_4F6962
@ExWaitForRundownProtectionReleaseCacheAware@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExpMarkRundownProtectionActiveCacheAware(x, x)
@ExpMarkRundownProtectionActiveCacheAware@8 proc near
					; CODE XREF: ExWaitForRundownProtectionReleaseCacheAware(x)+1Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		push	edi
		mov	ecx, [ebx+0Ch]
		mov	edi, edx
		mov	[ebp+var_4], esi
		mov	eax, esi
		test	ecx, ecx
		jz	short loc_4F69D0
		or	edi, 1

loc_4F69B2:				; CODE XREF: ExpMarkRundownProtectionActiveCacheAware(x,x)+3Aj
		xor	edx, edx
		div	ecx
		mov	ecx, edi
		imul	edx, [ebx+8]
		add	edx, [ebx]
		xchg	ecx, [edx]
		mov	eax, [ebp+var_4]
		add	esi, ecx
		mov	ecx, [ebx+0Ch]
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, ecx
		jb	short loc_4F69B2

loc_4F69D0:				; CODE XREF: ExpMarkRundownProtectionActiveCacheAware(x,x)+19j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
@ExpMarkRundownProtectionActiveCacheAware@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSkipEntirePagefileRegions(x, x, x, x, x)
_MiSkipEntirePagefileRegions@20	proc near
					; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+556p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+30h]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+2Ch]
		mov	esi, edx
		sub	esi, [ecx+0Ch]
		mov	ecx, edi
		push	0
		pop	ebx
		sub	eax, [edi+4]
		sar	eax, 3
		cdq
		add	eax, esi
		mov	[ebp+var_8], eax
		adc	edx, ebx
		mov	[ebp+var_4], edx
		lea	edx, [ebp+var_8]
		call	_MiLocatePagefileSubsection@8 ;	MiLocatePagefileSubsection(x,x)
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		cmp	[edx+4], ebx
		jnz	short loc_4F6A2D
		mov	eax, [ebp+var_8]

loc_4F6A19:				; CODE XREF: MiSkipEntirePagefileRegions(x,x,x,x,x)+6Fj
		mov	esi, [edx+1Ch]
		sub	esi, eax
		mov	eax, [ebp+arg_4]
		sub	eax, ecx
		sar	eax, 3
		cmp	esi, eax
		jb	short loc_4F6A36

loc_4F6A2A:				; CODE XREF: MiSkipEntirePagefileRegions(x,x,x,x,x)+68j
		mov	ecx, [ebp+arg_4]

loc_4F6A2D:				; CODE XREF: MiSkipEntirePagefileRegions(x,x,x,x,x)+3Cj
					; MiSkipEntirePagefileRegions(x,x,x,x,x)+6Dj
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	0Ch
; 

loc_4F6A36:				; CODE XREF: MiSkipEntirePagefileRegions(x,x,x,x,x)+50j
		mov	edx, [edx+8]
		lea	ecx, [ecx+esi*8]
		mov	eax, ebx
		test	edx, edx
		jz	short loc_4F6A2A
		cmp	[edx+4], ebx
		jnz	short loc_4F6A2D
		jmp	short loc_4F6A19
_MiSkipEntirePagefileRegions@20	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopUpdateWriteOperationCount()
_IopUpdateWriteOperationCount@0	proc near
					; CODE XREF: IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+EFp
					; IopSynchronousServiceTail(x,x,x,x,x,x,x):loc_821C18p
		xor	ecx, ecx
		inc	ecx
		cmp	_IoCountOperations, ecx
		jnz	short locret_4F6A77
		mov	eax, large fs:124h
		mov	eax, [eax+150h]
		add	eax, 1F8h
		lock add [eax],	ecx
		jnb	short loc_4F6A70
		lock adc dword ptr [eax+4], 0

loc_4F6A70:				; CODE XREF: IopUpdateWriteOperationCount()+1Fj
		inc	large dword ptr	fs:620h

locret_4F6A77:				; CODE XREF: IopUpdateWriteOperationCount()+9j
		retn
_IopUpdateWriteOperationCount@0	endp


;  S U B	R O U T	I N E 


; __stdcall MiDeleteParentDecayNode(x)
_MiDeleteParentDecayNode@4 proc	near	; CODE XREF: .text:0045EF72p
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+55Dp
		mov	edi, edi
		push	esi
		mov	esi, [ecx+10h]
		push	edi
		and	esi, offset loc_7FFFFF
		imul	edi, esi, 1Ch
		mov	ecx, esi
		push	4
		pop	edx
		add	edi, ds:_MmPfnDatabase
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	[edi+8], eax
		mov	ecx, edi
		mov	eax, [edi+18h]
		mov	[edi+0Ch], edx
		and	eax, 0FF800000h
		xor	edx, edx
		or	eax, esi
		inc	edx
		mov	[edi+18h], eax
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		mov	ecx, edi
		call	_MiRemoveDecayClusterTimer@4 ; MiRemoveDecayClusterTimer(x)
		mov	al, [edi+17h]
		test	al, 8
		jnz	short loc_4F6AD1
		mov	edx, edi
		mov	ecx, offset dword_6D3258
		pop	edi
		pop	esi
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
; 

loc_4F6AD1:				; CODE XREF: MiDeleteParentDecayNode(x)+49j
		and	al, 0F7h
		mov	[edi+17h], al
		pop	edi
		pop	esi
		retn
_MiDeleteParentDecayNode@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiRemoveDecayClusterTimer(x)
_MiRemoveDecayClusterTimer@4 proc near	; CODE XREF: MiDecayPfnFullyInitialized+110p
					; MiDeleteParentDecayNode(x)+3Fp ...
		mov	eax, [ecx+4]
		mov	edx, eax
		push	ebx
		push	esi
		movzx	esi, byte ptr [ecx+16h]
		mov	ebx, 7FFFh
		push	edi
		shr	edx, 1
		mov	edi, eax
		and	edx, ebx
		shr	esi, 6
		shr	edi, 11h
		cmp	edx, ebx
		jnz	short loc_4F6B3A
		mov	ecx, dword_6D585C[esi*4]
		xor	ecx, eax
		and	ecx, 1FFFFh
		xor	ecx, eax
		mov	dword_6D585C[esi*4], ecx

loc_4F6B13:				; CODE XREF: MiRemoveDecayClusterTimer(x)+81j
		cmp	edi, ebx
		jz	short loc_4F6B5D
		mov	ecx, dword_6D3250
		add	ecx, edi
		imul	edx, ecx, 1Ch
		add	edx, ds:_MmPfnDatabase
		mov	ecx, [edx+4]
		xor	ecx, eax
		and	ecx, 0FFFEh
		xor	[edx+4], ecx

loc_4F6B36:				; CODE XREF: MiRemoveDecayClusterTimer(x)+99j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4F6B3A:				; CODE XREF: MiRemoveDecayClusterTimer(x)+1Fj
		mov	ecx, dword_6D3250
		add	ecx, edx
		imul	edx, ecx, 1Ch
		add	edx, ds:_MmPfnDatabase
		mov	ecx, [edx+4]
		xor	ecx, eax
		and	ecx, 1FFFFh
		xor	ecx, eax
		mov	[edx+4], ecx
		jmp	short loc_4F6B13
; 

loc_4F6B5D:				; CODE XREF: MiRemoveDecayClusterTimer(x)+3Bj
		mov	ecx, dword_6D585C[esi*4]
		xor	ecx, eax
		and	ecx, 0FFFEh
		xor	dword_6D585C[esi*4], ecx
		jmp	short loc_4F6B36
_MiRemoveDecayClusterTimer@4 endp

; 
		align 10h
; Exported entry 370. ExGetPreviousMode
; Exported entry 1156. KeGetPreviousMode
; Exported entry 1775. PsGetCurrentThreadPreviousMode

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentThreadPreviousMode()
		public _PsGetCurrentThreadPreviousMode@0
_PsGetCurrentThreadPreviousMode@0 proc near ; CODE XREF: VrpPostEnumerateKey(x,x)+9Ap
					; VrpPostQueryKey+3Fp ...
		mov	eax, large fs:124h ; ExGetPreviousMode
					; KeGetPreviousMode
		mov	al, [eax+15Ah]
		retn
_PsGetCurrentThreadPreviousMode@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInSwapKernelStacks(x)
_KiInSwapKernelStacks@4	proc near	; CODE XREF: KeSwapProcessOrStack(x)+74p

var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx

loc_4F6B9B:				; CODE XREF: KiInSwapKernelStacks(x)+5Ej
		xor	eax, eax
		lea	edi, [ebp+var_10]
		test	byte ptr ds:_MiFlags, 40h
		lea	esi, [ebx-9Ch]
		mov	ebx, [ebx]
		stosd
		stosd
		stosd
		stosd
		jz	short loc_4F6BDB
		push	1
		lea	edx, [ebp+var_10]
		mov	ecx, esi
		call	_KeGetNextKernelStackSegment@12	; KeGetNextKernelStackSegment(x,x,x)

loc_4F6BC1:				; CODE XREF: KiInSwapKernelStacks(x)+4Bj
		lea	edx, [ebp+var_10]
		mov	ecx, esi
		call	MiInPageSingleKernelStack
		push	0
		lea	edx, [ebp+var_10]
		mov	ecx, esi
		call	_KeGetNextKernelStackSegment@12	; KeGetNextKernelStackSegment(x,x,x)
		test	al, al
		jnz	short loc_4F6BC1

loc_4F6BDB:				; CODE XREF: KiInSwapKernelStacks(x)+25j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 11h
		mov	ecx, esi
		call	KiFastReadyThread
		test	ebx, ebx
		jnz	short loc_4F6B9B
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiInSwapKernelStacks@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiOutSwapKernelStacks proc near		; CODE XREF: KeSwapProcessOrStack(x):loc_568912p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D2BD4 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	eax, _KiLastProcessor
		xor	edi, edi
		mov	esi, ds:_KiProcessorBlock[eax*4]
		mov	eax, ds:_KeTickCount
		sub	eax, _KiStackProtectTime
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_28], edi
		lea	ebx, [esi+3B28h]
		mov	[ebp+var_19], al

loc_4F6C44:				; CODE XREF: KiOutSwapKernelStacks+DBFEEj
		lock bts dword ptr [ebx], 0
		jb	loc_5D2BD4
		lea	ebx, [esi+3B2Ch]
		mov	esi, [ebx]
		mov	[ebp+var_24], ebx

loc_4F6C5A:				; CODE XREF: KiOutSwapKernelStacks+DBj
		cmp	esi, ebx
		jz	short loc_4F6CD1
		cmp	edi, 5
		jnb	short loc_4F6CD1
		mov	eax, [ebp+var_2C]
		lea	edx, [esi-9Ch]
		mov	esi, [esi]
		cmp	eax, [edx+138h]
		jb	short loc_4F6CD1
		cmp	byte ptr [edx+87h], 19h
		jge	short loc_4F6C99
		lea	ecx, [edx+5Ch]
		lock btr dword ptr [ecx], 11h
		lock bts dword ptr [ecx], 14h
		mov	eax, edx
		jb	loc_4F6D3D

loc_4F6C94:				; CODE XREF: KiOutSwapKernelStacks+14Cj
		mov	[ebp+edi*4+var_18], eax
		inc	edi

loc_4F6C99:				; CODE XREF: KiOutSwapKernelStacks+89j
		lea	eax, [edx+9Ch]
		mov	ecx, [eax]
		mov	ebx, ecx
		mov	[ebp+var_20], ecx
		mov	ecx, [eax+4]
		cmp	[ebx+4], eax
		mov	ebx, [ebp+var_24]
		jnz	loc_4F6D53
		cmp	[ecx], eax
		jnz	loc_4F6D53
		mov	eax, [ebp+var_20]
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	dword ptr [edx+1B4h], 0
		jmp	short loc_4F6C5A
; 

loc_4F6CD1:				; CODE XREF: KiOutSwapKernelStacks+68j
					; KiOutSwapKernelStacks+6Dj ...
		mov	eax, [ebp+var_30]
		xor	edx, edx
		add	eax, 3B28h
		lock and [eax],	edx
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	_KiLastProcessor
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		cmp	_KiLastProcessor, eax
		jz	short loc_4F6D4A

loc_4F6CFF:				; CODE XREF: KiOutSwapKernelStacks+138j
					; KiOutSwapKernelStacks+15Dj
		test	edi, edi
		jz	short loc_4F6D2E
		mov	esi, [ebp+edi*4-1Ch]
		dec	edi
		mov	ebx, esi
		and	ebx, 1
		jnz	short loc_4F6D45

loc_4F6D0F:				; CODE XREF: KiOutSwapKernelStacks+154j
		mov	ecx, esi
		call	_KiWaitForContextSwap@4	; KiWaitForContextSwap(x)
		test	ebx, ebx
		jnz	short loc_4F6D25
		mov	ecx, [esi+80h]
		call	@KiDecrementProcessStackCount@4	; KiDecrementProcessStackCount(x)

loc_4F6D25:				; CODE XREF: KiOutSwapKernelStacks+124j
		mov	ecx, esi
		call	_MmOutPageKernelStack@4	; MmOutPageKernelStack(x)
		jmp	short loc_4F6CFF
; 

loc_4F6D2E:				; CODE XREF: KiOutSwapKernelStacks+10Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4F6D3D:				; CODE XREF: KiOutSwapKernelStacks+9Aj
		or	eax, 1
		jmp	loc_4F6C94
; 

loc_4F6D45:				; CODE XREF: KiOutSwapKernelStacks+119j
		and	esi, 0FFFFFFFEh
		jmp	short loc_4F6D0F
; 

loc_4F6D4A:				; CODE XREF: KiOutSwapKernelStacks+109j
		and	_KiLastProcessor, 0
		jmp	short loc_4F6CFF
; 

loc_4F6D53:				; CODE XREF: KiOutSwapKernelStacks+BBj
					; KiOutSwapKernelStacks+C3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
KiOutSwapKernelStacks endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmOutPageKernelStack(x)
_MmOutPageKernelStack@4	proc near	; CODE XREF: KiOutSwapKernelStacks+133p

var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	98h		; size_t
		lea	eax, [ebp+var_A0]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	byte ptr ds:_MiFlags, 40h
		jz	short loc_4F6DBE
		and	[ebp+var_8C], 0
		lea	eax, [ebp+var_A0]
		push	eax
		mov	edx, offset MiOutPageSingleKernelStack
		mov	[ebp+var_98], 21h
		mov	ecx, esi
		call	_KeEnumerateKernelStackSegments@12 ; KeEnumerateKernelStackSegments(x,x,x)
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList

loc_4F6DBE:				; CODE XREF: MmOutPageKernelStack(x)+35j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MmOutPageKernelStack@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspReaper	proc near		; DATA XREF: PspInitPhase0+693o

; FUNCTION CHUNK AT 005D2BE7 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		push	edi
		mov	eax, offset _PsReaperListHead

loc_4F6DDB:				; CODE XREF: PspReaper+73j
		xor	esi, esi
		inc	esi
		xchg	esi, [eax]

loc_4F6DE0:				; CODE XREF: PspReaper+80j
		lea	edi, [esi-29Ch]
		mov	ecx, edi
		call	KeDeleteThread
		mov	eax, [edi+354h]
		test	eax, eax
		jnz	loc_5D2BE7

loc_4F6DFB:				; CODE XREF: PspReaper+DBE2Aj
		or	eax, 0FFFFFFFFh
		lock xadd [edi+338h], eax
		jnz	short loc_4F6E1A
		push	0
		mov	edx, offset _PspDeleteKernelStack@12 ; PspDeleteKernelStack(x,x,x)
		mov	ecx, edi
		call	_KeEnumerateKernelStackSegments@12 ; KeEnumerateKernelStackSegments(x,x,x)
		and	dword ptr [edi+20h], 0

loc_4F6E1A:				; CODE XREF: PspReaper+3Aj
		mov	esi, [esi]
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		test	esi, esi
		jnz	short loc_4F6E49

loc_4F6E2C:				; CODE XREF: PspReaper+82j
		xor	eax, eax
		xor	ecx, ecx
		inc	eax
		mov	edx, offset _PsReaperListHead
		lock cmpxchg [edx], ecx
		cmp	eax, 1
		mov	eax, edx
		jnz	short loc_4F6DDB
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4F6E49:				; CODE XREF: PspReaper+5Ej
		cmp	esi, 1
		jnz	short loc_4F6DE0
		jmp	short loc_4F6E2C
PspReaper	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeEnumerateKernelStackSegments(x, x, x)
_KeEnumerateKernelStackSegments@12 proc	near ; CODE XREF: MmOutPageKernelStack(x)+56p
					; PspReaper+45p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[esp+40h+var_30], eax
		lea	edi, [esp+40h+var_24]
		xor	eax, eax
		mov	[esp+40h+var_2C], edx
		stosd
		lea	edx, [esp+40h+var_24]
		push	1
		mov	[esp+44h+var_28], ecx
		stosd
		stosd
		stosd
		call	_KeGetNextKernelStackSegment@12	; KeGetNextKernelStackSegment(x,x,x)

loc_4F6E8D:				; CODE XREF: KeEnumerateKernelStackSegments(x,x,x)+6Aj
		lea	esi, [esp+40h+var_24]
		lea	edi, [esp+40h+var_14]
		movsd
		lea	edx, [esp+40h+var_24]
		push	0
		movsd
		movsd
		movsd
		call	_KeGetNextKernelStackSegment@12	; KeGetNextKernelStackSegment(x,x,x)
		push	[esp+40h+var_30]
		mov	bl, al
		lea	eax, [esp+44h+var_14]
		push	eax
		push	ecx
		call	[esp+4Ch+var_2C]
		mov	ecx, [esp+4Ch+var_34]
		test	bl, bl
		jnz	short loc_4F6E8D
		mov	ecx, [esp+4Ch+var_10]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_KeEnumerateKernelStackSegments@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeGetNextKernelStackSegment(x, x, x)
_KeGetNextKernelStackSegment@12	proc near ; CODE XREF: KiInSwapKernelStacks(x)+2Ep
					; KiInSwapKernelStacks(x)+44p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_4F6EEE
		mov	eax, [edx+0Ch]
		push	esi
		lea	esi, [eax+10h]
		cmp	dword ptr [esi], 0
		jnz	short loc_4F6F09
		xor	al, al

loc_4F6EE9:				; CODE XREF: KeGetNextKernelStackSegment(x,x,x)+43j
		pop	esi

loc_4F6EEA:				; CODE XREF: KeGetNextKernelStackSegment(x,x,x)+37j
		pop	ebp
		retn	4
; 

loc_4F6EEE:				; CODE XREF: KeGetNextKernelStackSegment(x,x,x)+9j
		mov	eax, [ecx+28h]
		mov	[edx], eax
		mov	eax, [ecx+24h]
		mov	[edx+4], eax
		mov	eax, [ecx+48h]
		mov	[edx+8], eax
		mov	eax, [ecx+20h]
		mov	[edx+0Ch], eax
		mov	al, 1
		jmp	short loc_4F6EEA
; 

loc_4F6F09:				; CODE XREF: KeGetNextKernelStackSegment(x,x,x)+15j
		push	edi
		mov	edi, edx
		mov	al, 1
		movsd
		movsd
		movsd
		movsd
		pop	edi
		jmp	short loc_4F6EE9
_KeGetNextKernelStackSegment@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeDeleteThread	proc near		; CODE XREF: PspReaper+1Cp

; FUNCTION CHUNK AT 005D2BFB SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, ecx
		call	_KiWaitForContextSwap@4	; KiWaitForContextSwap(x)
		mov	ecx, [esi+80h]
		call	@KiDecrementProcessStackCount@4	; KiDecrementProcessStackCount(x)
		lea	edi, [esi+228h]
		cmp	dword ptr [edi], 1
		jnz	short loc_4F6F3E
		pop	edi
		pop	esi
		pop	ebp
		retn
; 

loc_4F6F3E:				; CODE XREF: KeDeleteThread+22j
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_6CB2C0
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [edi]
		cmp	ecx, 1
		jz	short loc_4F6F72
		cmp	dword ptr [esi+22Ch], 0
		jz	short loc_4F6F72
		mov	eax, [edi+4]
		cmp	[ecx+4], edi
		jnz	short loc_4F6F95
		cmp	[eax], edi
		jnz	short loc_4F6F95
		mov	[eax], ecx
		mov	[ecx+4], eax

loc_4F6F72:				; CODE XREF: KeDeleteThread+40j
					; KeDeleteThread+49j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_6CB2C0
		jnz	loc_5D2BFB
		xor	eax, eax
		lock and [ecx],	eax

loc_4F6F89:				; CODE XREF: KeDeleteThread+DBCEDj
		mov	cl, bl
		pop	ebx
		pop	edi
		pop	esi
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_4F6F95:				; CODE XREF: KeDeleteThread+51j
					; KeDeleteThread+55j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
KeDeleteThread	endp			; AL = character to display


;  S U B	R O U T	I N E 


; __fastcall KiDecrementProcessStackCount(x)
@KiDecrementProcessStackCount@4	proc near ; CODE XREF: KiSuspendThread+192p
					; KiOutSwapKernelStacks+12Cp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		push	0FFFFFFF8h
		pop	eax
		lea	edi, [esi+7Ch]
		lock xadd [edi], eax
		and	eax, 0FFFFFFF8h
		cmp	eax, 8
		jz	short loc_4F6FB5
		pop	edi
		pop	esi
		retn
; 

loc_4F6FB5:				; CODE XREF: KiDecrementProcessStackCount(x)+16j
		push	ebx
		xor	bl, bl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bh, al
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [edi]
		test	dl, 7
		jnz	short loc_4F6FD5
		lea	ecx, [esi+2Ch]
		cmp	[ecx], ecx
		jnz	short loc_4F6FEC

loc_4F6FD5:				; CODE XREF: KiDecrementProcessStackCount(x)+32j
					; KiDecrementProcessStackCount(x)+55j ...
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		test	bl, bl
		jnz	short loc_4F7009

loc_4F6FE1:				; CODE XREF: KiDecrementProcessStackCount(x)+8Bj
					; KiDecrementProcessStackCount(x)+9Aj
		mov	cl, bh
		pop	ebx
		pop	edi
		pop	esi
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_4F6FEC:				; CODE XREF: KiDecrementProcessStackCount(x)+39j
					; KiDecrementProcessStackCount(x)+69j
		cmp	edx, 8
		jnb	short loc_4F6FD5
		mov	ecx, edx
		and	edx, 0FFFFFFFBh
		or	edx, 3
		mov	eax, ecx
		lock cmpxchg [edi], edx
		mov	edx, eax
		cmp	edx, ecx
		jnz	short loc_4F6FEC
		mov	bl, 1
		jmp	short loc_4F6FD5
; 

loc_4F7009:				; CODE XREF: KiDecrementProcessStackCount(x)+45j
		mov	eax, _KiProcessOutSwapListHead

loc_4F700E:				; CODE XREF: KiDecrementProcessStackCount(x)+87j
		mov	[esi+54h], eax
		lea	ecx, [esi+54h]
		mov	edx, eax
		mov	edi, offset _KiProcessOutSwapListHead
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_4F700E
		test	eax, eax
		jnz	short loc_4F6FE1
		push	eax
		push	0Ah
		push	offset _KiSwapEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_4F6FE1
@KiDecrementProcessStackCount@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInPageSingleKernelStack proc near	; CODE XREF: KiInSwapKernelStacks(x)+38p

var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_81		= byte ptr -81h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D2C08 SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ECh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, edx
		push	30h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_EC]
		mov	[ebp+var_BC], esi
		mov	ebx, ecx
		push	eax		; void *
		mov	[ebp+var_90], ebx
		call	_memset
		mov	eax, [ebx+16Ch]
		add	esp, 0Ch
		mov	edi, [esi]
		mov	edx, offset loc_7FFFF8
		mov	ecx, 40000000h
		sub	edi, 1000h
		shr	edi, 9
		mov	eax, ds:_KiProcessorBlock[eax*4]
		and	edi, edx
		sub	edi, ecx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		inc	eax
		mov	[ebp+var_A4], eax
		mov	eax, [esi+4]
		shr	eax, 9
		and	eax, edx
		sub	eax, ecx
		mov	[ebp+var_A8], eax
		xor	eax, eax
		mov	[ebp+var_B4], eax
		mov	eax, [esi+8]
		sub	eax, 4
		shr	eax, 9
		and	eax, edx
		sub	eax, ecx
		xor	ecx, ecx
		mov	ebx, ecx
		mov	esi, [eax]
		nop
		mov	eax, [eax+4]
		push	ecx
		push	80h
		mov	[ebp+var_88], eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, eax
		mov	eax, edx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_94], eax
		cmp	esi, ecx
		jnz	short loc_4F7108
		cmp	[ebp+var_88], eax
		jz	short loc_4F7118

loc_4F7108:				; CODE XREF: MiInPageSingleKernelStack+C8j
		and	esi, 800h
		xor	eax, eax
		or	esi, eax
		jz	loc_4F73BF

loc_4F7118:				; CODE XREF: MiInPageSingleKernelStack+D0j
					; MiInPageSingleKernelStack+393j
		xor	esi, esi
		push	esi
		push	300h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		push	esi
		push	3E0h
		mov	[ebp+var_88], eax
		mov	[ebp+var_AC], edx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	esi, [ebp+var_A8]
		mov	[ebp+var_B0], eax
		mov	[ebp+var_9C], edx
		cmp	esi, edi
		ja	short loc_4F71A2
		mov	edx, [ebp+var_94]

loc_4F7158:				; CODE XREF: MiInPageSingleKernelStack+161j
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		cmp	ecx, [ebp+var_8C]
		jnz	short loc_4F716A
		cmp	eax, edx
		jz	short loc_4F7192

loc_4F716A:				; CODE XREF: MiInPageSingleKernelStack+12Ej
		cmp	ecx, [ebp+var_88]
		jnz	short loc_4F717A
		cmp	eax, [ebp+var_AC]
		jz	short loc_4F7192

loc_4F717A:				; CODE XREF: MiInPageSingleKernelStack+13Aj
		cmp	ecx, [ebp+var_B0]
		jnz	loc_4F735B
		cmp	eax, [ebp+var_9C]
		jnz	loc_4F735B

loc_4F7192:				; CODE XREF: MiInPageSingleKernelStack+132j
					; MiInPageSingleKernelStack+142j ...
		add	esi, 8
		cmp	esi, edi
		jbe	short loc_4F7158

loc_4F7199:				; CODE XREF: MiInPageSingleKernelStack+350j
		cmp	ebx, 1
		ja	loc_4F73CE

loc_4F71A2:				; CODE XREF: MiInPageSingleKernelStack+11Aj
					; MiInPageSingleKernelStack+3A6j
		mov	esi, [ebp+var_A4]
		lea	edx, [ebp+var_EC]
		shl	esi, 19h
		mov	ebx, edi
		xor	eax, eax
		shl	ebx, 9
		or	esi, 2
		mov	[ebp+var_8C], eax
		or	edx, 1
		mov	[ebp+var_88], ebx
		mov	[ebp+var_A4], esi
		mov	[ebp+var_7C], 1000h
		mov	[ebp+var_B8], edx

loc_4F71DD:				; CODE XREF: MiInPageSingleKernelStack+320j
		cmp	edi, [ebp+var_A8]
		jb	loc_4F738B
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		mov	[ebp+var_9C], eax
		mov	eax, 3E0h
		and	ecx, eax
		cmp	ecx, eax
		jnz	loc_5D2C30
		xor	ecx, ecx
		mov	[ebp+var_80], ebx
		push	edx
		push	ecx
		lea	eax, [ebp+var_80]
		mov	word ptr [ebp+var_EC], 4
		push	ebx
		mov	[ebp+var_E8], eax
		mov	eax, [ebp+var_90]
		push	esi
		mov	[ebp+var_E4], 1
		mov	[ebp+var_E0], ecx
		mov	[ebp+var_DC], ecx
		mov	[ebp+var_D8], eax
		call	MmAccessFault
		mov	eax, [edi]
		and	eax, 1
		or	eax, 0
		jz	loc_4F73E1
		xor	ebx, ebx

loc_4F7256:				; CODE XREF: MiInPageSingleKernelStack+DBBE2j
		mov	esi, [edi]
		mov	[ebp+var_9C], ebx
		nop
		mov	eax, [edi+4]
		mov	[ebp+var_B0], eax
		nop
		mov	ecx, esi
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	eax, ecx, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	ecx, eax
		mov	[ebp+var_94], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [edi]
		mov	[ebp+var_81], al
		nop
		mov	edx, [edi+4]
		mov	[ebp+var_9C], edx
		mov	edx, [ebp+var_94]
		add	edx, 10h
		mov	[ebp+var_AC], edx
		cmp	esi, ecx
		jnz	loc_5D2C08
		mov	ecx, [ebp+var_9C]
		cmp	[ebp+var_B0], ecx
		jnz	loc_5D2C08
		mov	edx, [ebp+var_90]
		mov	ecx, [ebp+var_94]
		call	_MiSetPfnKernelStack@8 ; MiSetPfnKernelStack(x,x)
		mov	eax, [ecx+18h]
		and	eax, 0AFFFFFFFh
		or	eax, 20000000h
		mov	[ecx+18h], eax
		mov	al, [ecx+17h]
		and	al, 0FDh
		or	al, 5
		mov	[ecx+17h], al
		call	_MiReleaseWsSwapReservationPfn@4 ; MiReleaseWsSwapReservationPfn(x)
		mov	esi, eax
		mov	[ebp+var_9C], edx
		mov	eax, [ebp+var_AC]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [ebp+var_81]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_9C]
		mov	ecx, esi
		or	ecx, eax
		mov	ebx, [ebp+var_88]
		jnz	loc_5D2C1D

loc_4F732E:				; CODE XREF: MiInPageSingleKernelStack+DBBF5j
		mov	eax, [ebp+var_8C]
		sub	ebx, 1000h
		mov	esi, [ebp+var_A4]
		sub	edi, 8
		inc	eax
		mov	[ebp+var_88], ebx
		mov	[ebp+var_8C], eax

loc_4F7350:				; CODE XREF: MiInPageSingleKernelStack+3B1j
		mov	edx, [ebp+var_B8]
		jmp	loc_4F71DD
; 

loc_4F735B:				; CODE XREF: MiInPageSingleKernelStack+14Aj
					; MiInPageSingleKernelStack+156j
		and	ecx, 800h
		xor	eax, eax
		or	ecx, eax
		jnz	loc_4F7192
		mov	eax, esi
		mov	[ebp+ebx*8+var_7C], 1000h
		shl	eax, 9
		mov	[ebp+ebx*8+var_80], eax
		inc	ebx
		cmp	ebx, 0Fh
		jnz	loc_4F7192
		jmp	loc_4F7199
; 

loc_4F738B:				; CODE XREF: MiInPageSingleKernelStack+1ADj
		test	ds:byte_70EFC4,	1
		jnz	loc_5D2C61

loc_4F7398:				; CODE XREF: MiInPageSingleKernelStack+DBC3Aj
		mov	esi, [ebp+var_BC]
		mov	ecx, [ebp+var_90]
		mov	eax, [esi+8]
		cmp	[eax-4], ecx
		jnz	loc_5D2C43
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4F73BF:				; CODE XREF: MiInPageSingleKernelStack+DCj
		mov	[ebp+var_B4], 1
		jmp	loc_4F7118
; 

loc_4F73CE:				; CODE XREF: MiInPageSingleKernelStack+166j
		push	2Dh
		push	1
		lea	edx, [ebp+var_80]
		mov	ecx, ebx
		call	MiPrefetchVirtualMemory
		jmp	loc_4F71A2
; 

loc_4F73E1:				; CODE XREF: MiInPageSingleKernelStack+218j
		mov	eax, [ebp+var_8C]
		jmp	loc_4F7350
MiInPageSingleKernelStack endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReleaseWsSwapReservationPfn(x)
_MiReleaseWsSwapReservationPfn@4 proc near ; CODE XREF:	MiAllocateWsle(x,x,x,x,x,x,x,x)+5A2p
					; MiInPageSingleKernelStack+2BBp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	[ebp+var_4], edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_4F7452
		lea	ebx, [esi+8]
		mov	edx, [ebx]
		mov	ecx, edx
		mov	eax, [ebx+4]
		mov	[ebp+var_8], eax
		shrd	ecx, eax, 1
		test	cl, 1
		jnz	short loc_4F7425
		shrd	edx, eax, 2
		test	dl, 1
		jz	short loc_4F7452

loc_4F7425:				; CODE XREF: MiReleaseWsSwapReservationPfn(x)+2Ej
		mov	al, [esi+16h]
		test	al, 8
		jnz	short loc_4F7448
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		push	edx
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	ecx, [ebx+4]
		mov	edi, eax
		and	dword ptr [ebx], 0FFFFFFFDh
		mov	[ebx+4], ecx
		mov	al, [esi+16h]
		mov	[ebp+var_4], edx

loc_4F7448:				; CODE XREF: MiReleaseWsSwapReservationPfn(x)+3Ej
		mov	edx, [ebp+var_4]
		or	al, 10h
		mov	[esi+16h], al
		jmp	short loc_4F7454
; 

loc_4F7452:				; CODE XREF: MiReleaseWsSwapReservationPfn(x)+18j
					; MiReleaseWsSwapReservationPfn(x)+37j
		mov	edx, edi

loc_4F7454:				; CODE XREF: MiReleaseWsSwapReservationPfn(x)+64j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiReleaseWsSwapReservationPfn@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnNameQueryWorker(x)
_PfSnNameQueryWorker@4 proc near	; DATA XREF: PfSnGetFileInformation+1D0o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	ebx, [esi+180h]

loc_4F7472:				; CODE XREF: PfSnNameQueryWorker(x)+69j
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	edi, [esi+16Ch]
		mov	byte ptr [ebp+arg_0], al
		push	[ebp+arg_0]
		push	ebx
		test	edi, edi
		jz	short loc_4F74C7
		mov	eax, [edi]
		mov	[esi+16Ch], eax
		and	dword ptr [edi], 0
		call	ExReleaseSpinLockExclusive
		mov	edi, [edi+4]
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, dword_6D4928
		push	edi
		push	dword ptr [esi+100h]
		call	dword ptr [eax+8]
		test	eax, eax
		js	short loc_4F74BE
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	edi
		call	PfSnVolumeKeyQuery

loc_4F74BE:				; CODE XREF: PfSnNameQueryWorker(x)+55j
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	short loc_4F7472
; 

loc_4F74C7:				; CODE XREF: PfSnNameQueryWorker(x)+2Bj
		and	dword ptr [esi+17Ch], 0
		call	ExReleaseSpinLockExclusive
		lea	ecx, [esi+104h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PfSnNameQueryWorker@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 425. ExReleaseSpinLockExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExReleaseSpinLockExclusive
ExReleaseSpinLockExclusive proc	near	; CODE XREF: MiWorkingSetManager(x,x)+128p
					; PfSnNameQueryWorker(x)+38p ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005A8341 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ds:byte_70EFC6,	1
		jnz	loc_5A8341
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 0

loc_4F7505:				; CODE XREF: ExReleaseSpinLockExclusive+B0E62j
		mov	cl, [ebp+arg_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebp
		retn	8
ExReleaseSpinLockExclusive endp

; 
		align 8
; Exported entry 1991. RtlComputeCrc32

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlComputeCrc32(x, x, x)
		public _RtlComputeCrc32@12
_RtlComputeCrc32@12 proc near		; CODE XREF: SmDecompressBuffer+16CE95p
					; SmDecompressBuffer+16CE9Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		not	ecx
		cmp	[ebp+arg_8], edx
		jbe	short loc_4F7547
		push	esi
		mov	esi, [ebp+arg_4]

loc_4F752D:				; CODE XREF: RtlComputeCrc32(x,x,x)+2Cj
		movzx	eax, byte ptr [edx+esi]
		xor	eax, ecx
		shr	ecx, 8
		movzx	eax, al
		xor	ecx, ds:_RtlCrc32Table[eax*4]
		inc	edx
		cmp	edx, [ebp+arg_8]
		jb	short loc_4F752D
		pop	esi

loc_4F7547:				; CODE XREF: RtlComputeCrc32(x,x,x)+Fj
		not	ecx
		mov	eax, ecx
		pop	ebp
		retn	0Ch
_RtlComputeCrc32@12 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1795. PsGetProcessCreateTimeQuadPart

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessCreateTimeQuadPart(x)
		public _PsGetProcessCreateTimeQuadPart@4
_PsGetProcessCreateTimeQuadPart@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [edx+100h]
		mov	edx, [edx+104h]
		pop	ebp
		retn	4
_PsGetProcessCreateTimeQuadPart@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFaultInProbeAddress proc near		; CODE XREF: .text:00464DB8p
					; MiLockPageLeafPageTable+357p	...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D2C75 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_40], 2
		xor	edx, edx
		mov	[ebp+var_28], edx
		mov	esi, edx
		mov	[ebp+var_24], edx
		mov	ebx, [edi]
		mov	ecx, ebx
		mov	eax, [edi+4]
		and	ecx, 0FFFFF000h
		sub	eax, ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], edx
		mov	[ebp+var_3C], eax
		inc	ecx
		lea	eax, [ebp+var_40]
		mov	[ebp+var_1C], edx
		or	eax, ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_4], eax
		mov	eax, [edi+38h]
		mov	[ebp+var_14], edx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_4F75E4
		push	2
		pop	esi
		cmp	eax, 3
		jz	short loc_4F7625
		mov	eax, [edi+28h]
		and	eax, 0Fh
		cmp	al, 6
		jz	short loc_4F760F

loc_4F75E4:				; CODE XREF: MiFaultInProbeAddress+64j
					; MiFaultInProbeAddress+A9j ...
		mov	ecx, edi
		call	_MiUnlockProbePacketWorkingSet@4 ; MiUnlockProbePacketWorkingSet(x)
		push	[ebp+var_4]
		push	0
		push	ebx
		push	esi
		call	MmAccessFault
		mov	[ebp+var_4], eax
		test	eax, eax
		js	short loc_4F7629

loc_4F75FE:				; CODE XREF: MiFaultInProbeAddress+C4j
					; MiFaultInProbeAddress+D0j
		mov	esi, [ebp+var_4]

loc_4F7601:				; CODE XREF: MiFaultInProbeAddress+DB715j
		mov	ecx, edi
		call	_MiLockProbePacketWorkingSet@4 ; MiLockProbePacketWorkingSet(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F760F:				; CODE XREF: MiFaultInProbeAddress+76j
		cmp	ebx, dword_6D07D0
		jb	short loc_4F75E4
		mov	eax, ebx
		shr	eax, 15h
		cmp	byte ptr dword_6D3994[eax], 0Ch
		jnz	short loc_4F75E4

loc_4F7625:				; CODE XREF: MiFaultInProbeAddress+6Cj
		mov	esi, edx
		jmp	short loc_4F75E4
; 

loc_4F7629:				; CODE XREF: MiFaultInProbeAddress+90j
		mov	eax, [edi+28h]
		and	al, 0Fh
		cmp	al, 1
		jnz	short loc_4F75FE
		mov	esi, [edi+34h]
		cmp	dword ptr [esi+3D4h], 0
		jz	short loc_4F75FE
		jmp	loc_5D2C75
MiFaultInProbeAddress endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiLockProbePacketWorkingSet(x)
_MiLockProbePacketWorkingSet@4 proc near ; CODE	XREF: .text:00464CAAp
					; .text:00464D4Ap ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+3Ch]
		and	dword ptr [esi+28h], 0FFFFFFCFh
		call	MiLockWorkingSetShared
		mov	ecx, [esi+28h]
		mov	[esi+2Ch], al
		mov	eax, ecx
		and	al, 0Fh
		cmp	al, 1
		jnz	short loc_4F766F
		mov	eax, [esi+34h]
		cmp	dword ptr [eax+148h], 0
		jnz	short loc_4F7671

loc_4F766F:				; CODE XREF: MiLockProbePacketWorkingSet(x)+1Dj
		pop	esi
		retn
; 

loc_4F7671:				; CODE XREF: MiLockProbePacketWorkingSet(x)+29j
		or	ecx, 10h
		mov	[esi+28h], ecx
		pop	esi
		retn
_MiLockProbePacketWorkingSet@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiUnlockProbePacketWorkingSet(x)
_MiUnlockProbePacketWorkingSet@4 proc near ; CODE XREF:	MiProbeAndLockComplete+Bp
					; .text:00464CA1p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi+10h]
		test	edx, edx
		jz	short loc_4F7692
		mov	ecx, [esi+3Ch]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		and	dword ptr [esi+10h], 0

loc_4F7692:				; CODE XREF: MiUnlockProbePacketWorkingSet(x)+Aj
		mov	dl, [esi+2Ch]
		mov	ecx, [esi+3Ch]
		pop	esi
		jmp	MiUnlockWorkingSetShared
_MiUnlockProbePacketWorkingSet@4 endp


;  S U B	R O U T	I N E 


NLS_DOWNCASE	proc near		; CODE XREF: RtlDowncaseUnicodeString+4Ap
					; RtlDowncaseUnicodeChar(x)+8p

; FUNCTION CHUNK AT 005D2C86 SIZE 0000002A BYTES

		mov	edi, edi
		push	esi
		cmp	cx, 41h
		jb	short loc_4F76C5
		cmp	cx, 5Ah
		jbe	short loc_4F76CA
		mov	esi, ds:_Nls844UnicodeLowercaseTable
		test	esi, esi
		jz	short loc_4F76C5
		mov	eax, 0C0h
		cmp	cx, ax
		jnb	loc_5D2C86

loc_4F76C5:				; CODE XREF: NLS_DOWNCASE+7j
					; NLS_DOWNCASE+17j
		mov	ax, cx
		pop	esi
		retn
; 

loc_4F76CA:				; CODE XREF: NLS_DOWNCASE+Dj
		lea	eax, [ecx+20h]
		pop	esi
		retn
NLS_DOWNCASE	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2100. RtlFreeHeap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlFreeHeap
RtlFreeHeap	proc near		; CODE XREF: RtlpAllocateHeapInternal+DB7D9p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D2CB0 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	short loc_4F770E
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	loc_5D2CB0

loc_4F76ED:				; CODE XREF: RtlFreeHeap+DB5ECj
		cmp	dword ptr [esi+8], 0DDEEDDEEh
		mov	edx, edi
		jz	loc_5D2CC5
		push	ecx
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, esi
		call	RtlpFreeHeapInternal

loc_4F7708:				; CODE XREF: RtlFreeHeap+DB5FBj
		pop	esi

loc_4F7709:				; CODE XREF: RtlFreeHeap+3Dj
		pop	edi
		pop	ebp
		retn	0Ch
; 

loc_4F770E:				; CODE XREF: RtlFreeHeap+Bj
		xor	eax, eax
		inc	eax
		jmp	short loc_4F7709
RtlFreeHeap	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpFreeHeapInternal proc near		; CODE XREF: RtlFreeHeap+2Fp
					; RtlpHpFreeWithExceptionProtection(x,x,x)+15p

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D2CD4 SIZE 00000156 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		push	esi
		mov	[ebp+var_4], eax
		cmp	dword ptr [ebx+8], 0CCDDCCDDh
		jnz	loc_5D2CD4
		and	[ebp+var_8], 0
		mov	ecx, [ebp+arg_0]
		call	RtlpHpConvertFlagsToSegmentFlags
		or	eax, [ebx+0Ch]
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		push	[ebp+var_4]
		lea	ecx, [ebx+40h]
		xor	edx, edx
		call	RtlpHpVsContextFree
		mov	esi, eax

loc_4F7755:				; CODE XREF: RtlpFreeHeapInternal+DB711j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
RtlpFreeHeapInternal endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1952. RtlAllocateHeap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlAllocateHeap
RtlAllocateHeap	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D2E2A SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	loc_5D2E2A

loc_4F7773:				; CODE XREF: RtlAllocateHeap+DB6D8j
		cmp	dword ptr [esi+8], 0DDEEDDEEh
		mov	edx, [ebp+arg_8]
		jz	loc_5D2E3F
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, esi
		call	RtlpAllocateHeapInternal

loc_4F778E:				; CODE XREF: RtlAllocateHeap+DB6E7j
		pop	esi
		pop	ebp
		retn	0Ch
RtlAllocateHeap	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpAllocateHeapInternal proc near	; CODE XREF: RtlAllocateHeap+27p
					; RtlpHpAllocWithExceptionProtection(x,x,x)+14p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D2E4E SIZE 00000146 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	esi, edx
		cmp	dword ptr [ebx+8], 0CCDDCCDDh
		jnz	loc_5D2E4E
		mov	ecx, [ebp+arg_0]
		call	RtlpHpConvertFlagsToSegmentFlags
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpHpFixedHeapAlloc@12 ; RtlpHpFixedHeapAlloc(x,x,x)
		mov	edi, eax

loc_4F77C4:				; CODE XREF: RtlpAllocateHeapInternal+DB789j
					; RtlpAllocateHeapInternal+DB7CFj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
RtlpAllocateHeapInternal endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpFixedHeapAlloc(x, x, x)
_RtlpHpFixedHeapAlloc@12 proc near	; CODE XREF: RtlpAllocateHeapInternal+29p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	edx, 20000h
		ja	short loc_4F77EF
		mov	eax, [ecx+0Ch]
		add	ecx, 40h
		or	eax, [ebp+arg_0]
		push	eax
		push	edx
		call	RtlpHpVsContextAllocate

loc_4F77EB:				; CODE XREF: RtlpHpFixedHeapAlloc(x,x,x)+23j
		pop	ebp
		retn	4
; 

loc_4F77EF:				; CODE XREF: RtlpHpFixedHeapAlloc(x,x,x)+Bj
		xor	eax, eax
		jmp	short loc_4F77EB
_RtlpHpFixedHeapAlloc@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVsContextAllocate	proc near	; CODE XREF: RtlpHpFixedHeapAlloc(x,x,x)+18p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D2F94 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		push	edi
		and	[ebp+var_14], 0
		lea	edi, [ebp+var_10]
		stosd
		mov	esi, ecx
		mov	ecx, [ebp+arg_0]
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		push	ecx
		mov	ecx, esi
		call	RtlpHpVsContextAllocateInternal
		cmp	[ebp+var_14], 0
		mov	edi, eax
		jnz	loc_5D2F94

loc_4F783A:				; CODE XREF: RtlpHpVsContextAllocate+DB7A3j
					; RtlpHpVsContextAllocate+DB7B4j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
RtlpHpVsContextAllocate	endp

; 
		align 2

;  S U B	R O U T	I N E 


RtlpHpConvertFlagsToSegmentFlags proc near ; CODE XREF:	RtlpFreeHeapInternal+25p
					; RtlpAllocateHeapInternal+1Fp

; FUNCTION CHUNK AT 005D2FAD SIZE 00000050 BYTES

		test	ecx, ecx
		jnz	loc_5D2FAD
		xor	eax, eax

locret_4F7858:				; CODE XREF: RtlpHpConvertFlagsToSegmentFlags+DB7A3j
		retn
RtlpHpConvertFlagsToSegmentFlags endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTimelineBitmapUpdateRange(x, x, x)
_RtlTimelineBitmapUpdateRange@12 proc near
					; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+2AAp
					; PoEnergyContextUpdateComponentPower(x,x,x,x)+588p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, [eax]
		mov	[ebp+var_4], eax
		mov	eax, [eax+4]
		push	edi
		mov	edi, edx
		cmp	esi, ebx
		jbe	short loc_4F78A8
		mov	ecx, esi
		xor	edx, edx
		sub	ecx, ebx
		inc	edx
		mov	ebx, esi
		cmp	ecx, 20h
		jb	short loc_4F78A4
		xor	eax, eax

loc_4F7886:				; CODE XREF: RtlTimelineBitmapUpdateRange(x,x,x)+4Cj
					; RtlTimelineBitmapUpdateRange(x,x,x)+5Cj
		or	eax, edx

loc_4F7888:				; CODE XREF: RtlTimelineBitmapUpdateRange(x,x,x)+39j
		cmp	edi, esi
		jnb	short loc_4F7895
		add	edx, edx
		jz	short loc_4F7895
		or	eax, edx
		inc	edi
		jmp	short loc_4F7888
; 

loc_4F7895:				; CODE XREF: RtlTimelineBitmapUpdateRange(x,x,x)+30j
					; RtlTimelineBitmapUpdateRange(x,x,x)+34j
		mov	ecx, [ebp+var_4]
		mov	[ecx], ebx
		mov	[ecx+4], eax

loc_4F789D:				; CODE XREF: RtlTimelineBitmapUpdateRange(x,x,x)+55j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4F78A4:				; CODE XREF: RtlTimelineBitmapUpdateRange(x,x,x)+28j
		shl	eax, cl
		jmp	short loc_4F7886
; 

loc_4F78A8:				; CODE XREF: RtlTimelineBitmapUpdateRange(x,x,x)+1Aj
		mov	ecx, ebx
		sub	ecx, esi
		cmp	ecx, 20h
		jnb	short loc_4F789D
		xor	edx, edx
		inc	edx
		shl	edx, cl
		jmp	short loc_4F7886
_RtlTimelineBitmapUpdateRange@12 endp


;  S U B	R O U T	I N E 


AuthzBasepEqualUnicodeString proc near	; CODE XREF: AuthzBasepFindSecurityAttributeValue+E9p
					; AuthzBasepFindSecurityAttributeValue+131p ...

; FUNCTION CHUNK AT 005D2FFD SIZE 0000000E BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_5D2FFD
		push	1
		push	esi
		push	edi
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)

loc_4F78D7:				; CODE XREF: AuthzBasepEqualUnicodeString+DB74Ej
		pop	edi
		pop	esi
		retn	4
AuthzBasepEqualUnicodeString endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReplacePageTablePage(x)
_MiReplacePageTablePage@4 proc near	; CODE XREF: MiStealPage+9DEp
					; MmStealTopLevelPage+5Dp

var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 104h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_A0]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_E4], esi
		call	_memset
		mov	ecx, [esi+10h]
		add	esp, 0Ch
		mov	edi, [esi+0Ch]
		mov	eax, [esi+8]
		and	[ebp+var_A4], 0
		and	[ebp+var_B0], 0
		mov	edx, [esi+4]
		mov	[ebp+var_D0], ecx
		imul	ecx, 1Ch
		imul	ebx, edi, 1Ch
		mov	dword ptr [esi+1Ch], 0C0000001h
		mov	[ebp+var_D4], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_AC], edx
		add	ecx, ds:_MmPfnDatabase
		add	ebx, ds:_MmPfnDatabase
		mov	[ebp+var_C0], ecx
		xor	ecx, ecx
		mov	[ebp+var_C8], edi
		mov	[ebp+var_A8], edi
		mov	[ebp+var_DC], ebx
		mov	[ebp+var_C4], ecx
		mov	[ebp+var_E0], ecx
		mov	[ebp+var_B8], ecx
		cmp	[esi+20h], eax
		jnz	short loc_4F79D7
		mov	eax, [esi+18h]
		mov	ecx, [eax+304h]
		test	ecx, ecx
		jz	loc_4F80B6
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		call	_MI_READ_PTE_LOCK_FREE@4 ; MI_READ_PTE_LOCK_FREE(x)
		mov	[ebp+var_100], eax
		mov	[ebp+var_FC], edx
		nop
		shrd	eax, edx, 0Ch
		and	eax, 1FFFFFFh
		cmp	eax, edi
		jnz	loc_4F80B6
		mov	edx, [ebp+var_AC]
		xor	eax, eax
		inc	eax

loc_4F79D7:				; CODE XREF: MiReplacePageTablePage(x)+ADj
		mov	ecx, eax
		mov	eax, [ebx+18h]
		and	eax, offset loc_7FFFFF
		mov	ebx, 0C0000000h
		cmp	eax, edi
		jnz	short loc_4F7A19
		xor	eax, eax
		inc	eax
		mov	[ebp+var_BC], eax
		cmp	[esi+20h], eax
		jnz	short loc_4F7A76
		mov	eax, [esi+18h]
		mov	eax, [eax+194h]
		mov	ebx, [eax+18h]
		mov	eax, [eax+1Ch]
		shrd	ebx, eax, 0Ch
		and	ebx, 1FFFFFFh
		mov	[ebp+var_A8], ebx
		jmp	short loc_4F7A76
; 

loc_4F7A19:				; CODE XREF: MiReplacePageTablePage(x)+10Cj
		and	[ebp+var_BC], 0
		mov	eax, edx
		mov	esi, 0C07FFFFFh
		cmp	edx, ebx
		jb	short loc_4F7A36

loc_4F7A2B:				; CODE XREF: MiReplacePageTablePage(x)+158j
		cmp	eax, esi
		ja	short loc_4F7A36
		shl	eax, 9
		cmp	eax, ebx
		jnb	short loc_4F7A2B

loc_4F7A36:				; CODE XREF: MiReplacePageTablePage(x)+14Dj
					; MiReplacePageTablePage(x)+151j
		cmp	eax, ds:_MmHighestUserAddress
		jbe	short loc_4F7A76
		cmp	eax, dword_6D2E88
		jb	short loc_4F7A4E
		cmp	eax, dword_6D2E8C
		jbe	short loc_4F7A76

loc_4F7A4E:				; CODE XREF: MiReplacePageTablePage(x)+168j
		cmp	eax, ebx
		jb	short loc_4F7A56
		cmp	eax, esi
		jbe	short loc_4F7A76

loc_4F7A56:				; CODE XREF: MiReplacePageTablePage(x)+174j
		cmp	eax, dword_6D07D0
		jb	short loc_4F7A74
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_4F7A6F
		cmp	al, 0Bh
		jnz	short loc_4F7A74

loc_4F7A6F:				; CODE XREF: MiReplacePageTablePage(x)+18Dj
		push	2
		pop	ecx
		jmp	short loc_4F7A76
; 

loc_4F7A74:				; CODE XREF: MiReplacePageTablePage(x)+180j
					; MiReplacePageTablePage(x)+191j
		xor	ecx, ecx

loc_4F7A76:				; CODE XREF: MiReplacePageTablePage(x)+11Aj
					; MiReplacePageTablePage(x)+13Bj ...
		mov	eax, [ebp+var_D4]
		mov	edi, edx
		mov	[ebp+var_A0], ecx
		xor	ecx, ecx
		mov	[ebp+var_9C], cx
		mov	[ebp+var_90], ecx
		mov	[ebp+var_98], 21h
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_B4], edi
		mov	[ebp+var_D8], eax
		mov	[ebp+var_CC], ecx

loc_4F7AB5:				; CODE XREF: MiReplacePageTablePage(x)+24Fj
					; MiReplacePageTablePage(x)+373j
		mov	ecx, edi
		call	_MI_READ_PTE_LOCK_FREE@4 ; MI_READ_PTE_LOCK_FREE(x)
		mov	ebx, edx
		mov	edi, eax
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		and	ecx, edx
		or	ecx, 0
		jnz	loc_4F7B6D
		and	eax, 400h
		or	eax, 0
		jnz	loc_4F7C04
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jz	loc_4F7C04
		mov	edi, [ebp+var_B4]
		xor	ebx, ebx
		cmp	[ebp+var_A4], ebx
		setnz	bl
		lea	eax, [edi+200000h]
		shl	eax, 9
		cmp	eax, offset loc_7FFFFF
		ja	short loc_4F7B1E
		mov	ecx, edi
		call	_MiIsPdeOrAboveAccessible@4 ; MiIsPdeOrAboveAccessible(x)
		test	eax, eax
		jz	loc_4F80A9

loc_4F7B1E:				; CODE XREF: MiReplacePageTablePage(x)+231j
		mov	edx, ebx
		mov	ecx, edi
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_4F7AB5
		mov	ecx, edi
		call	_MI_READ_PTE_LOCK_FREE@4 ; MI_READ_PTE_LOCK_FREE(x)
		mov	edi, eax
		mov	ebx, edx
		mov	eax, [esi+18h]
		mov	ecx, eax
		and	ecx, offset loc_7FFFFF
		cmp	ecx, [ebp+var_A8]
		jz	short loc_4F7B58
		test	eax, (offset loc_7FFFFF+1)
		jz	short loc_4F7B58
		inc	[ebp+var_B8]

loc_4F7B58:				; CODE XREF: MiReplacePageTablePage(x)+26Dj
					; MiReplacePageTablePage(x)+274j
		test	byte ptr [esi+16h], 20h
		jnz	loc_4F7C8F
		inc	[ebp+var_A4]
		jmp	loc_4F7C01
; 

loc_4F7B6D:				; CODE XREF: MiReplacePageTablePage(x)+1EEj
		inc	[ebp+var_B0]
		and	eax, 80h
		or	eax, 0
		jnz	short loc_4F7BCF
		nop
		mov	esi, edi
		mov	eax, ebx
		shrd	esi, eax, 0Ch
		and	esi, 1FFFFFFh
		cmp	esi, dword_6D34E4
		jnz	short loc_4F7B9C
		inc	[ebp+var_E0]
		jmp	short loc_4F7BD5
; 

loc_4F7B9C:				; CODE XREF: MiReplacePageTablePage(x)+2B6j
		cmp	esi, dword_6D07B0
		ja	short loc_4F7BD5
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_4F7BD5
		mov	eax, ds:_MmPfnDatabase
		imul	ecx, esi, 1Ch
		test	dword ptr [ecx+eax+18h], (offset loc_7FFFFF+1)
		jz	short loc_4F7BD5

loc_4F7BCF:				; CODE XREF: MiReplacePageTablePage(x)+29Fj
		inc	[ebp+var_C4]

loc_4F7BD5:				; CODE XREF: MiReplacePageTablePage(x)+2BEj
					; MiReplacePageTablePage(x)+2C6j ...
		mov	eax, [ebp+var_C8]
		cmp	[ebp+var_A8], eax
		jz	short loc_4F7C1F
		mov	eax, [ebp+var_E4]
		mov	ecx, [ebp+var_CC]
		sar	ecx, 3
		mov	eax, [eax+24h]
		lea	ecx, [eax+ecx*8]
		call	_MI_READ_PTE_LOCK_FREE@4 ; MI_READ_PTE_LOCK_FREE(x)
		mov	edi, eax
		mov	ebx, edx

loc_4F7C01:				; CODE XREF: MiReplacePageTablePage(x)+28Cj
		xor	edx, edx
		inc	edx

loc_4F7C04:				; CODE XREF: MiReplacePageTablePage(x)+1FCj
					; MiReplacePageTablePage(x)+20Cj
		mov	eax, [ebp+var_C8]
		cmp	[ebp+var_A8], eax
		jz	short loc_4F7C1F
		mov	eax, edi
		and	eax, edx
		or	eax, 0
		jnz	short loc_4F7C1F
		xor	edi, edi
		xor	ebx, ebx

loc_4F7C1F:				; CODE XREF: MiReplacePageTablePage(x)+305j
					; MiReplacePageTablePage(x)+334j ...
		mov	eax, [ebp+var_D8]
		add	[ebp+var_CC], 8
		mov	[eax], edi
		mov	edi, [ebp+var_B4]
		add	edi, 8
		mov	[eax+4], ebx
		add	eax, 8
		mov	[ebp+var_B4], edi
		mov	[ebp+var_D8], eax
		test	edi, 0FFFh
		jnz	loc_4F7AB5
		mov	eax, [ebp+var_A4]
		mov	ebx, [ebp+var_DC]
		test	eax, eax
		jnz	short loc_4F7C97
		and	[ebp+var_D8], eax
		lea	esi, [ebx+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_4F7CA4

loc_4F7C75:				; CODE XREF: MiReplacePageTablePage(x)+3A8j
					; MiReplacePageTablePage(x)+3AFj
		lea	ecx, [ebp+var_D8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_4F7C75
		lock bts dword ptr [esi], 1Fh
		jb	short loc_4F7C75
		jmp	short loc_4F7C9E
; 

loc_4F7C8F:				; CODE XREF: MiReplacePageTablePage(x)+280j
		lea	eax, [esi+10h]
		jmp	loc_4F809B
; 

loc_4F7C97:				; CODE XREF: MiReplacePageTablePage(x)+387j
		mov	ecx, ebx
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)

loc_4F7C9E:				; CODE XREF: MiReplacePageTablePage(x)+3B1j
		mov	eax, [ebp+var_A4]

loc_4F7CA4:				; CODE XREF: MiReplacePageTablePage(x)+397j
		lea	edi, [ebx+10h]
		mov	edx, [edi]
		mov	esi, edx
		and	esi, 3FFFFFFFh
		cmp	[ebp+var_BC], 0
		jnz	short loc_4F7CE0
		sub	eax, [ebp+var_E0]
		sub	eax, [ebp+var_B8]
		sub	eax, [ebp+var_C4]
		mov	ecx, [ebp+var_B0]
		inc	ecx
		add	ecx, eax
		movzx	eax, dx
		cmp	eax, ecx
		jnz	loc_4F7FF7

loc_4F7CE0:				; CODE XREF: MiReplacePageTablePage(x)+3DCj
		xor	eax, eax
		inc	eax
		cmp	[ebx+14h], ax
		jnz	loc_4F7FF7
		cmp	esi, 10000h
		jnb	loc_4F7FF7
		mov	ebx, [ebp+var_C0]
		mov	ecx, ebx
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		lea	ecx, [ebx+10h]
		mov	eax, [ecx]
		and	eax, 0C0000000h
		or	eax, esi
		mov	[ecx], eax
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		lock and [edi],	eax
		cmp	[ebp+var_A4], 0
		mov	eax, [ebp+var_AC]
		mov	ebx, eax
		jz	loc_4F7E1E

loc_4F7D34:				; CODE XREF: MiReplacePageTablePage(x)+536j
		mov	ecx, ebx
		call	_MI_READ_PTE_LOCK_FREE@4 ; MI_READ_PTE_LOCK_FREE(x)
		mov	esi, eax
		xor	eax, eax
		inc	eax
		mov	ecx, esi
		and	ecx, eax
		or	ecx, 0
		jnz	loc_4F7E08
		mov	eax, esi
		and	eax, 400h
		or	eax, ecx
		jnz	loc_4F7E08
		mov	eax, esi
		and	eax, 800h
		or	eax, ecx
		jz	loc_4F7E08
		mov	eax, dword_6D0700
		mov	ecx, esi
		mov	edi, dword_6D0704
		mov	[ebp+var_BC], eax
		or	eax, edi
		mov	[ebp+var_DC], edi
		mov	edi, edx
		mov	[ebp+var_C0], edx
		jz	short loc_4F7DB7
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4F7DB0
		mov	esi, [ebp+var_BC]
		mov	edx, [ebp+var_DC]
		not	esi
		not	edx
		and	esi, ecx
		and	edx, edi
		jmp	short loc_4F7DB7
; 

loc_4F7DB0:				; CODE XREF: MiReplacePageTablePage(x)+4BCj
		mov	esi, ecx
		mov	edx, edi
		and	esi, 0FFFFFFEFh

loc_4F7DB7:				; CODE XREF: MiReplacePageTablePage(x)+4B2j
					; MiReplacePageTablePage(x)+4D2j
		shrd	esi, edx, 0Ch
		mov	edi, offset loc_7FFFFF
		and	esi, 3FFFFFFh
		imul	ecx, esi, 1Ch
		mov	esi, [ebp+var_A8]
		add	ecx, ds:_MmPfnDatabase
		mov	edx, [ecx+18h]
		mov	eax, edx
		and	eax, edi
		cmp	eax, esi
		jnz	short loc_4F7DF7
		cmp	esi, [ebp+var_C8]
		jnz	short loc_4F7DF7
		mov	eax, [ebp+var_D0]
		xor	eax, edx
		and	eax, edi
		xor	eax, edx
		mov	[ecx+18h], eax

loc_4F7DF7:				; CODE XREF: MiReplacePageTablePage(x)+502j
					; MiReplacePageTablePage(x)+50Aj
		dec	[ebp+var_A4]
		lea	eax, [ecx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_4F7E08:				; CODE XREF: MiReplacePageTablePage(x)+46Bj
					; MiReplacePageTablePage(x)+47Aj ...
		add	ebx, 8
		cmp	[ebp+var_A4], 0
		jnz	loc_4F7D34
		mov	eax, [ebp+var_AC]

loc_4F7E1E:				; CODE XREF: MiReplacePageTablePage(x)+452j
		cmp	[ebp+var_B0], 0
		jz	loc_4F7FDD
		and	[ebp+var_B8], 0
		sub	[ebp+var_D4], eax

loc_4F7E38:				; CODE XREF: MiReplacePageTablePage(x)+6FBj
		mov	ecx, eax
		call	_MI_READ_PTE_LOCK_FREE@4 ; MI_READ_PTE_LOCK_FREE(x)
		mov	ebx, edx
		mov	esi, eax
		xor	edx, edx
		mov	[ebp+var_F0], esi
		inc	edx
		mov	[ebp+var_EC], ebx
		mov	ecx, esi
		and	ecx, edx
		or	ecx, 0
		jz	loc_4F7FBA
		dec	[ebp+var_B0]
		nop
		mov	edi, esi
		mov	eax, ebx
		shrd	edi, eax, 0Ch
		and	edi, 1FFFFFFh
		cmp	edi, dword_6D07B0
		ja	loc_4F7F40
		mov	eax, dword_6D35B8
		mov	edx, edi
		shr	edx, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		xor	edx, edx
		shr	eax, cl
		inc	edx
		and	eax, edx
		jz	loc_4F7F40
		cmp	edi, [ebp+var_A8]
		jz	loc_4F7F40
		and	[ebp+var_CC], 0
		imul	edi, 1Ch
		add	edi, ds:_MmPfnDatabase
		mov	[ebp+var_C0], edi
		lea	ecx, [edi+10h]
		mov	[ebp+var_BC], ecx
		lock bts dword ptr [ecx], 1Fh
		jnb	short loc_4F7F03
		mov	edi, ecx

loc_4F7ED3:				; CODE XREF: MiReplacePageTablePage(x)+606j
					; MiReplacePageTablePage(x)+60Dj
		lea	ecx, [ebp+var_CC]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_4F7ED3
		lock bts dword ptr [edi], 1Fh
		jb	short loc_4F7ED3
		mov	ebx, [ebp+var_EC]
		mov	esi, [ebp+var_F0]
		mov	edi, [ebp+var_C0]
		mov	ecx, [ebp+var_BC]

loc_4F7F03:				; CODE XREF: MiReplacePageTablePage(x)+5F3j
		mov	edx, [edi+18h]
		mov	eax, edx
		and	eax, offset loc_7FFFFF
		cmp	eax, [ebp+var_A8]
		jnz	short loc_4F7F35
		mov	eax, [ebp+var_C8]
		cmp	[ebp+var_A8], eax
		jnz	short loc_4F7F35
		mov	eax, edx
		xor	eax, [ebp+var_D0]
		and	eax, offset loc_7FFFFF
		xor	eax, edx
		mov	[edi+18h], eax

loc_4F7F35:				; CODE XREF: MiReplacePageTablePage(x)+637j
					; MiReplacePageTablePage(x)+645j
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		xor	edx, edx
		inc	edx

loc_4F7F40:				; CODE XREF: MiReplacePageTablePage(x)+59Ej
					; MiReplacePageTablePage(x)+5BDj ...
		mov	eax, [ebp+var_C8]
		cmp	[ebp+var_A8], eax
		jz	short loc_4F7F6F
		mov	eax, [ebp+var_E4]
		mov	ecx, [ebp+var_B8]
		sar	ecx, 3
		mov	eax, [eax+24h]
		lea	ecx, [eax+ecx*8]
		call	_MI_READ_PTE_LOCK_FREE@4 ; MI_READ_PTE_LOCK_FREE(x)
		mov	ebx, edx
		mov	esi, eax
		xor	edx, edx
		inc	edx

loc_4F7F6F:				; CODE XREF: MiReplacePageTablePage(x)+670j
		mov	eax, esi
		and	eax, edx
		or	eax, 0
		jz	short loc_4F7FBA
		or	esi, 20h
		mov	[ebp+var_EC], ebx
		mov	[ebp+var_F0], esi
		nop
		mov	eax, [ebp+var_AC]
		mov	ecx, [ebp+var_D4]
		mov	[ecx+eax], esi
		mov	[ecx+eax+4], ebx
		test	ds:_MiFlags, 300h
		jnz	short loc_4F7FC0
		push	0
		push	edx
		mov	edx, eax
		lea	ecx, [ebp+var_A0]
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_4F7FBA:				; CODE XREF: MiReplacePageTablePage(x)+57Dj
					; MiReplacePageTablePage(x)+69Aj
		mov	eax, [ebp+var_AC]

loc_4F7FC0:				; CODE XREF: MiReplacePageTablePage(x)+6C9j
		add	[ebp+var_B8], 8
		add	eax, 8
		cmp	[ebp+var_B0], 0
		mov	[ebp+var_AC], eax
		jnz	loc_4F7E38

loc_4F7FDD:				; CODE XREF: MiReplacePageTablePage(x)+549j
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		mov	eax, [ebp+var_E4]
		and	dword ptr [eax+1Ch], 0
		jmp	loc_4F80C4
; 

loc_4F7FF7:				; CODE XREF: MiReplacePageTablePage(x)+3FEj
					; MiReplacePageTablePage(x)+40Bj ...
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		jmp	loc_4F80A3
; 

loc_4F8004:				; CODE XREF: MiReplacePageTablePage(x)+7D4j
		sub	edi, 8
		mov	ecx, edi
		mov	[ebp+var_B4], edi
		call	_MI_READ_PTE_LOCK_FREE@4 ; MI_READ_PTE_LOCK_FREE(x)
		mov	esi, eax
		xor	eax, eax
		inc	eax
		mov	ecx, esi
		and	ecx, eax
		or	ecx, 0
		jnz	loc_4F80A9
		mov	eax, esi
		and	eax, 400h
		or	eax, ecx
		jnz	short loc_4F80A9
		mov	eax, esi
		and	eax, 800h
		or	eax, ecx
		jz	short loc_4F80A9
		mov	eax, dword_6D0704
		mov	ecx, esi
		mov	ebx, dword_6D0700
		mov	edi, edx
		mov	[ebp+var_D0], eax
		mov	eax, ebx
		or	eax, [ebp+var_D0]
		jz	short loc_4F807E
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4F8077
		mov	edx, [ebp+var_D0]
		mov	esi, ebx
		not	esi
		not	edx
		and	esi, ecx
		and	edx, edi
		jmp	short loc_4F807E
; 

loc_4F8077:				; CODE XREF: MiReplacePageTablePage(x)+787j
		mov	esi, ecx
		mov	edx, edi
		and	esi, 0FFFFFFEFh

loc_4F807E:				; CODE XREF: MiReplacePageTablePage(x)+77Dj
					; MiReplacePageTablePage(x)+799j
		mov	eax, ds:_MmPfnDatabase
		dec	[ebp+var_A4]
		add	eax, 10h
		shrd	esi, edx, 0Ch
		and	esi, 3FFFFFFh
		imul	ecx, esi, 1Ch
		add	eax, ecx

loc_4F809B:				; CODE XREF: MiReplacePageTablePage(x)+3B6j
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_4F80A3:				; CODE XREF: MiReplacePageTablePage(x)+723j
		mov	edi, [ebp+var_B4]

loc_4F80A9:				; CODE XREF: MiReplacePageTablePage(x)+23Cj
					; MiReplacePageTablePage(x)+744j ...
		cmp	[ebp+var_A4], 0
		jnz	loc_4F8004

loc_4F80B6:				; CODE XREF: MiReplacePageTablePage(x)+BAj
					; MiReplacePageTablePage(x)+ECj
		mov	ecx, [ebp+var_C0]
		lea	ecx, [ecx+8]
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)

loc_4F80C4:				; CODE XREF: MiReplacePageTablePage(x)+716j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiReplacePageTablePage@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxResidentTimeoutRoutine(x)
_PopFxResidentTimeoutRoutine@4 proc near ; DATA	XREF: PoFxInitPowerManagement+9o

var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		sub	esp, 20h
		dec	word ptr [eax+13Ch]
		push	ebx
		push	edi
		nop
		mov	ebx, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	edi, offset _PopFxDeviceList
		cmp	_PopFxDeviceList, edi
		jz	short loc_4F8186
		push	esi
		lea	ecx, [ebp+var_20]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	esi, _PopFxDeviceList
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], edx
		mov	[ebp+var_4], esi
		cmp	esi, edi
		jz	short loc_4F8185

loc_4F8123:				; CODE XREF: PopFxResidentTimeoutRoutine(x)+AAj
		xor	edi, edi
		cmp	[esi+23Ch], edi
		jbe	short loc_4F8173

loc_4F812D:				; CODE XREF: PopFxResidentTimeoutRoutine(x)+9Dj
		mov	eax, [esi+240h]
		mov	eax, [eax+edi*4]
		mov	[ebp+var_C], eax
		lea	esi, [eax+60h]

loc_4F813C:				; CODE XREF: PopFxResidentTimeoutRoutine(x)+81j
					; PopFxResidentTimeoutRoutine(x)+85j
		mov	ebx, [esi]
		mov	eax, ebx
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], ecx
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [ebp+var_8]
		cmp	eax, ebx
		jnz	short loc_4F813C
		cmp	edx, ecx
		jnz	short loc_4F813C
		mov	edx, [ebp+var_C]
		mov	esi, [ebp+var_4]
		add	edx, 3Ch
		mov	eax, [edx]
		test	eax, eax
		jg	short loc_4F81B4

loc_4F816A:				; CODE XREF: PopFxResidentTimeoutRoutine(x)+F3j
					; PopFxResidentTimeoutRoutine(x)+F9j ...
		inc	edi
		cmp	edi, [esi+23Ch]
		jb	short loc_4F812D

loc_4F8173:				; CODE XREF: PopFxResidentTimeoutRoutine(x)+57j
		mov	esi, [esi]
		mov	[ebp+var_4], esi
		cmp	esi, offset _PopFxDeviceList
		jnz	short loc_4F8123
		mov	ebx, offset _PopFxDeviceListLock

loc_4F8185:				; CODE XREF: PopFxResidentTimeoutRoutine(x)+4Dj
		pop	esi

loc_4F8186:				; CODE XREF: PopFxResidentTimeoutRoutine(x)+31j
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jnz	short loc_4F81E8

loc_4F8194:				; CODE XREF: PopFxResidentTimeoutRoutine(x)+11Bj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	cl, 1
		call	_PopFxArmResidentTimer@4 ; PopFxArmResidentTimer(x)
		pop	edi
		pop	ebx
		leave
		retn	4
; 

loc_4F81B4:				; CODE XREF: PopFxResidentTimeoutRoutine(x)+94j
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_14]
		sub	ecx, ebx
		mov	ebx, _PopFxActiveIdleThreshold
		sbb	eax, [ebp+var_18]
		test	eax, eax
		jb	short loc_4F816A
		ja	short loc_4F81CF
		cmp	ecx, ebx
		jb	short loc_4F816A

loc_4F81CF:				; CODE XREF: PopFxResidentTimeoutRoutine(x)+F5j
		lock dec dword ptr [edx]
		lock dec _PopFxResidentComponentCount
		push	0
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	PopFxIdleComponent
		jmp	short loc_4F816A
; 

loc_4F81E8:				; CODE XREF: PopFxResidentTimeoutRoutine(x)+BEj
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_4F8194
_PopFxResidentTimeoutRoutine@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopFxArmResidentTimer(x)
_PopFxArmResidentTimer@4 proc near	; CODE XREF: PopFxIdleComponent+1C5p
					; PopFxResidentTimeoutRoutine(x)+D5p ...
		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, offset _PopFxResidentTimerLock
		mov	bl, cl
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	bh, al
		test	bl, bl
		jz	short loc_4F8210
		mov	_PopFxResidentTimerArmed, 0

loc_4F8210:				; CODE XREF: PopFxArmResidentTimer(x)+15j
		cmp	_PopFxResidentTimerArmed, 0
		jnz	short loc_4F8256
		mov	eax, _PopFxResidentComponentCount
		test	eax, eax
		jle	short loc_4F8256
		push	esi
		mov	esi, _PopFxActiveIdleTimeout
		push	0FFFFFFFFh
		push	0FFFFD8F0h
		push	0
		push	esi
		mov	_PopFxResidentTimerArmed, 1
		call	__allmul
		push	offset _PopFxResidentDpc
		shr	esi, 1
		push	esi
		push	0
		push	edx
		push	eax
		push	offset _PopFxResidentTimer
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		pop	esi

loc_4F8256:				; CODE XREF: PopFxArmResidentTimer(x)+25j
					; PopFxArmResidentTimer(x)+2Ej
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	edi
		mov	cl, bh
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_PopFxArmResidentTimer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCSparseBitmapBitmaskRead proc near	; CODE XREF: RtlpHpFreeHeap+A3p
					; RtlpHpGetOwnerHeap+4Dp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	10h
		push	offset dword_6A34D8
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		mov	esi, ecx
		shr	edx, 0Fh
		mov	eax, edx
		shr	eax, 0Fh
		bt	[esi+20h], eax
		jnb	short loc_4F82CD
		mov	eax, [esi]
		bt	[eax], edx
		push	0
		pop	eax
		setb	al
		inc	eax

loc_4F8291:				; CODE XREF: RtlCSparseBitmapBitmaskRead+69j
		cmp	eax, 2
		jnz	short loc_4F82D1
		mov	ecx, [ebp+var_1C]
		shr	ecx, 5
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [esi+4]
		mov	eax, [eax+ecx*4]

loc_4F82A6:				; CODE XREF: sub_5D300F+5j
		mov	[ebp+var_20], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_1C]
		and	ecx, 1Fh
		shr	eax, cl
		and	eax, 3

loc_4F82BB:				; CODE XREF: RtlCSparseBitmapBitmaskRead+6Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4F82CD:				; CODE XREF: RtlCSparseBitmapBitmaskRead+1Dj
		xor	eax, eax
		jmp	short loc_4F8291
; 

loc_4F82D1:				; CODE XREF: RtlCSparseBitmapBitmaskRead+2Ej
		xor	eax, eax
		jmp	short loc_4F82BB
RtlCSparseBitmapBitmaskRead endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry   8. ExAcquireAutoExpandPushLockExclusive

;  S U B	R O U T	I N E 


		public ExAcquireAutoExpandPushLockExclusive
ExAcquireAutoExpandPushLockExclusive proc near
					; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+21Dp
					; MiLockLoaderEntry(x,x)+2Fp ...

; FUNCTION CHUNK AT 005D3019 SIZE 0000001E BYTES

		mov	edi, edi
		push	ecx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		test	edx, 0FFFFFFFCh
		jnz	loc_5D3019
		test	dl, 2
		jnz	short loc_4F82FE
		push	esi
		xor	edx, edx
		call	KeAbPreAcquire
		mov	esi, eax

loc_4F82FE:				; CODE XREF: ExAcquireAutoExpandPushLockExclusive+18j
		lock bts dword ptr [edi], 0
		jb	short loc_4F831D

loc_4F8305:				; CODE XREF: ExAcquireAutoExpandPushLockExclusive+4Dj
		mov	ecx, [edi+4]
		test	cl, 1
		jnz	loc_5D3027

loc_4F8311:				; CODE XREF: ExAcquireAutoExpandPushLockExclusive+DAD58j
		test	esi, esi
		jz	short loc_4F8319
		or	byte ptr [esi+0Eh], 1

loc_4F8319:				; CODE XREF: ExAcquireAutoExpandPushLockExclusive+39j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_4F831D:				; CODE XREF: ExAcquireAutoExpandPushLockExclusive+29j
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		jmp	short loc_4F8305
ExAcquireAutoExpandPushLockExclusive endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 548. FsRtlInitializeEofLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlInitializeEofLock(x, x)
		public _FsRtlInitializeEofLock@8
_FsRtlInitializeEofLock@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	6
		pop	ecx
		mov	edi, edx
		rep stosd
		mov	eax, [ebp+arg_4]
		mov	[edx+0Ch], eax
		lea	eax, [edx+4]
		mov	[eax+4], eax
		mov	[eax], eax
		pop	edi
		pop	ebp
		retn	8
_FsRtlInitializeEofLock@8 endp

; 
		align 8
; Exported entry 1855. PsIsThreadTerminating

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsThreadTerminating(x)
		public _PsIsThreadTerminating@4
_PsIsThreadTerminating@4 proc near	; CODE XREF: IopCloseFile(x,x,x,x)+E1p
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+DE3p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+2FCh]
		and	al, 1
		pop	ebp
		retn	4
_PsIsThreadTerminating@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 360. ExFreeCacheAwareRundownProtection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExFreeCacheAwareRundownProtection(x)
		public _ExFreeCacheAwareRundownProtection@4
_ExFreeCacheAwareRundownProtection@4 proc near
					; CODE XREF: MiDeletePartitionResources(x)+7B5p
					; RawCleanupVcb+3Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	0
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebp
		retn	4
_ExFreeCacheAwareRundownProtection@4 endp

; 
		align 8
; Exported entry  59. ExReleaseFastMutexUnsafeAndLeaveCriticalRegion

;  S U B	R O U T	I N E 


; __fastcall ExReleaseFastMutexUnsafeAndLeaveCriticalRegion(x)
		public @ExReleaseFastMutexUnsafeAndLeaveCriticalRegion@4
@ExReleaseFastMutexUnsafeAndLeaveCriticalRegion@4 proc near
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	edx, edx
		inc	edx
		xor	eax, eax
		and	dword ptr [esi+4], 0
		lock cmpxchg [esi], edx
		test	eax, eax
		jnz	short loc_4F83C2

loc_4F83AE:				; CODE XREF: ExReleaseFastMutexUnsafeAndLeaveCriticalRegion(x)+31j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
; 

loc_4F83C2:				; CODE XREF: ExReleaseFastMutexUnsafeAndLeaveCriticalRegion(x)+14j
		mov	edx, eax
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	short loc_4F83AE
@ExReleaseFastMutexUnsafeAndLeaveCriticalRegion@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmQueryWorkingSetInformation(x, x, x, x, x,	x)
_MmQueryWorkingSetInformation@24 proc near
					; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+6Ep
					; SmKmVirtualLockContextIncreaseWsMin(x,x,x)+EDp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, ecx
		push	edi
		and	dword ptr [ebx], 0
		mov	edi, edx
		mov	eax, [eax+80h]
		add	eax, 240h
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	MiLockWorkingSetShared
		mov	ecx, [ebp+var_4]
		mov	byte ptr [ebp+arg_C+3],	al
		mov	eax, [ebp+arg_4]
		mov	ecx, [ecx+54h]
		shl	ecx, 0Ch
		mov	[esi], ecx
		mov	esi, [ebp+var_4]
		mov	ecx, [esi+40h]
		shl	ecx, 0Ch
		mov	[edi], ecx
		mov	edx, [esi+44h]
		mov	ecx, [ebp+arg_0]
		shl	edx, 0Ch
		mov	[ecx], edx
		mov	ecx, [esi+3Ch]
		shl	ecx, 0Ch
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	ecx, [esi+50h]
		shl	ecx, 0Ch
		mov	[eax], ecx
		mov	al, [esi+60h]
		test	al, al
		js	short loc_4F8457

loc_4F843B:				; CODE XREF: MmQueryWorkingSetInformation(x,x,x,x,x,x)+91j
		test	al, 40h
		jnz	short loc_4F8452

loc_4F843F:				; CODE XREF: MmQueryWorkingSetInformation(x,x,x,x,x,x)+89j
		mov	dl, byte ptr [ebp+arg_C+3]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	10h
; 

loc_4F8452:				; CODE XREF: MmQueryWorkingSetInformation(x,x,x,x,x,x)+71j
		or	dword ptr [ebx], 1
		jmp	short loc_4F843F
; 

loc_4F8457:				; CODE XREF: MmQueryWorkingSetInformation(x,x,x,x,x,x)+6Dj
		or	dword ptr [ebx], 4
		mov	al, [esi+60h]
		jmp	short loc_4F843B
_MmQueryWorkingSetInformation@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiCreateDecayPfn()
_MiCreateDecayPfn@0 proc near		; CODE XREF: .text:00458999p
					; .text:00478B60p ...
		mov	edi, edi
		push	edi
		mov	ecx, offset dword_6D3258
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_4F84DD
		sub	eax, ds:_MmPfnDatabase
		push	ebx
		push	esi
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		push	4
		mov	esi, eax
		pop	edx
		mov	ecx, esi
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	ecx, [edi+18h]
		xor	ecx, esi
		mov	[edi+8], eax
		and	ecx, offset loc_7FFFFF
		mov	[edi+0Ch], edx
		xor	[edi+18h], ecx
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		or	byte ptr [edi+17h], 8
		mov	bl, al
		mov	cl, [edi+17h]
		and	cl, 0FDh
		or	cl, 5
		push	4
		mov	[edi+17h], cl
		mov	ecx, edi
		pop	edx
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebx
		mov	eax, edi
		pop	edi
		retn
; 

loc_4F84DD:				; CODE XREF: MiCreateDecayPfn()+11j
		xor	eax, eax
		pop	edi
		retn
_MiCreateDecayPfn@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2262. RtlNtStatusToDosErrorNoTeb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlNtStatusToDosErrorNoTeb
RtlNtStatusToDosErrorNoTeb proc	near	; CODE XREF: RtlNtStatusToDosError+45p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D3037 SIZE 00000066 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_4F84F8
		xor	eax, eax

loc_4F84F4:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+26j
					; RtlNtStatusToDosErrorNoTeb+A4j ...
		pop	ebp
		retn	4
; 

loc_4F84F8:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+Aj
		cmp	ecx, 103h
		jz	loc_5D3037
		mov	eax, ecx
		test	ecx, 20000000h
		jnz	short loc_4F84F4
		and	eax, 0FF0000h
		cmp	eax, 70000h
		jz	loc_5D3041

loc_4F851E:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+DAB6Cj
		mov	eax, ecx
		and	eax, 0F0000000h
		cmp	eax, 0D0000000h
		jz	short loc_4F858F

loc_4F852C:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+AFj
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, 134h
		push	edi

loc_4F8536:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+7Aj
		lea	edx, [esi+ebx]
		mov	edi, ecx
		shr	edx, 1
		mov	eax, ds:_RtlpRunTable[edx*8]
		sub	edi, eax
		cmp	ecx, eax
		jb	short loc_4F855B
		movzx	eax, ds:byte_40C184[edx*8]
		cmp	edi, eax
		jb	short loc_4F8567
		lea	esi, [edx+1]
		jmp	short loc_4F855E
; 

loc_4F855B:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+62j
		lea	ebx, [edx-1]

loc_4F855E:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+73j
		cmp	esi, ebx
		jbe	short loc_4F8536
		jmp	loc_5D3060
; 

loc_4F8567:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+6Ej
		cmp	ds:byte_40C185[edx*8], 1
		movzx	eax, ds:word_40C186[edx*8]
		jnz	loc_5D3080
		add	eax, edi
		movzx	eax, ds:_RtlpStatusTable[eax*2]

loc_4F8587:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+DAB8Bj
					; RtlNtStatusToDosErrorNoTeb+DAB95j ...
		pop	edi
		pop	esi
		pop	ebx
		jmp	loc_4F84F4
; 

loc_4F858F:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+44j
		and	ecx, 0CFFFFFFFh
		jmp	short loc_4F852C
RtlNtStatusToDosErrorNoTeb endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry  53. ExReleaseAutoExpandPushLockExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExReleaseAutoExpandPushLockExclusive
ExReleaseAutoExpandPushLockExclusive proc near
					; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+42Fp
					; MiUnlockAweVadsExclusive(x)+19p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D309D SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, ecx
		test	ebx, 0FFFFFFFCh
		jnz	loc_5D309D
		mov	ecx, [esi+4]
		test	cl, 1
		jnz	loc_5D30AD
		mov	eax, [esi+8]
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], eax
		call	_ExpAeUpdateStatsForExclusiveRelease@4 ; ExpAeUpdateStatsForExclusiveRelease(x)
		test	al, al
		jz	short loc_4F85D8
		mov	eax, [ebp+var_4]
		mov	[esi+8], eax

loc_4F85D8:				; CODE XREF: ExReleaseAutoExpandPushLockExclusive+34j
					; ExReleaseAutoExpandPushLockExclusive+DAB19j
		push	2
		pop	edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		test	bl, 2
		jnz	short loc_4F85EE
		mov	ecx, esi
		call	KeAbPostRelease

loc_4F85EE:				; CODE XREF: ExReleaseAutoExpandPushLockExclusive+49j
		pop	esi
		pop	ebx
		leave
		retn
ExReleaseAutoExpandPushLockExclusive endp


;  S U B	R O U T	I N E 


; __stdcall ExpAeUpdateStatsForExclusiveRelease(x)
_ExpAeUpdateStatsForExclusiveRelease@4 proc near
					; CODE XREF: ExReleaseAutoExpandPushLockExclusive+2Dp
					; ExTryAcquireAutoExpandPushLockExclusive(x,x)+75p
		mov	edx, [ecx]
		mov	eax, edx
		push	esi
		mov	esi, 0F0000h
		and	eax, esi
		cmp	eax, esi
		pop	esi
		jnb	short loc_4F860E
		lea	eax, [edx+10000h]
		mov	[ecx], eax
		mov	al, 1
		retn
; 

loc_4F860E:				; CODE XREF: ExpAeUpdateStatsForExclusiveRelease(x)+Fj
		xor	al, al
		retn
_ExpAeUpdateStatsForExclusiveRelease@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiQueueCoreWorkingSetEntries(x, x, x)
_MiQueueCoreWorkingSetEntries@12 proc near ; CODE XREF:	.text:0045E9FFp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	bl, [esi+9]
		mov	al, bl
		and	al, 5
		cmp	al, 4
		jnz	loc_4F86B1
		test	bl, 2
		jnz	short loc_4F86B1
		movzx	eax, word ptr [esi+6]
		test	ax, ax
		jz	short loc_4F866F
		movzx	ecx, word ptr [esi+4]
		add	ecx, eax
		mov	eax, edi
		shr	eax, 3
		and	eax, 1FFh
		cmp	ecx, eax
		jnz	short loc_4F8668
		mov	ecx, [ebp+arg_0]
		and	bl, 10h
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4F8664
		test	bl, bl
		jz	short loc_4F866F
		jmp	short loc_4F8668
; 

loc_4F8664:				; CODE XREF: MiQueueCoreWorkingSetEntries(x,x,x)+4Aj
		test	bl, bl
		jnz	short loc_4F866F

loc_4F8668:				; CODE XREF: MiQueueCoreWorkingSetEntries(x,x,x)+3Bj
					; MiQueueCoreWorkingSetEntries(x,x,x)+50j
		mov	ecx, esi
		call	_MiEmptyDeferredWorkingSetEntries@4 ; MiEmptyDeferredWorkingSetEntries(x)

loc_4F866F:				; CODE XREF: MiQueueCoreWorkingSetEntries(x,x,x)+27j
					; MiQueueCoreWorkingSetEntries(x,x,x)+4Ej ...
		movzx	ecx, word ptr [esi+6]
		xor	ebx, ebx
		inc	ebx
		test	cx, cx
		jnz	short loc_4F86A8
		mov	dl, [esi+9]
		mov	ecx, [ebp+arg_0]
		shr	edi, 3
		and	edi, 1FFh
		mov	[esi+6], bx
		mov	[esi+4], di
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_4F86A0
		and	dl, 0EFh
		jmp	short loc_4F86A3
; 

loc_4F86A0:				; CODE XREF: MiQueueCoreWorkingSetEntries(x,x,x)+87j
		or	dl, 10h

loc_4F86A3:				; CODE XREF: MiQueueCoreWorkingSetEntries(x,x,x)+8Cj
		mov	[esi+9], dl
		jmp	short loc_4F86AD
; 

loc_4F86A8:				; CODE XREF: MiQueueCoreWorkingSetEntries(x,x,x)+67j
		inc	ecx
		mov	[esi+6], cx

loc_4F86AD:				; CODE XREF: MiQueueCoreWorkingSetEntries(x,x,x)+94j
		mov	eax, ebx
		jmp	short loc_4F86B3
; 

loc_4F86B1:				; CODE XREF: MiQueueCoreWorkingSetEntries(x,x,x)+15j
					; MiQueueCoreWorkingSetEntries(x,x,x)+1Ej
		xor	eax, eax

loc_4F86B3:				; CODE XREF: MiQueueCoreWorkingSetEntries(x,x,x)+9Dj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MiQueueCoreWorkingSetEntries@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiStoreSetEvictPageFile(x, x)
_MiStoreSetEvictPageFile@8 proc	near	; CODE XREF: MiReleasePageFileInfo+23Ep
		mov	eax, [ecx+38h]
		push	esi
		mov	esi, edx
		and	edx, 7
		shr	esi, 3
		add	esi, [eax+10h]
		push	edi
		mov	edi, [ecx+90h]
		movsx	eax, byte ptr [esi]
		btr	eax, edx
		mov	[esi], al
		inc	dword ptr [ecx+70h]
		cmp	dword ptr [ecx+70h], 100h
		jz	short loc_4F86F7
		mov	edx, 0A0h
		mov	ecx, edi
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	short loc_4F86F7

loc_4F86F4:				; CODE XREF: MiStoreSetEvictPageFile(x,x)+4Dj
		pop	edi
		pop	esi
		retn
; 

loc_4F86F7:				; CODE XREF: MiStoreSetEvictPageFile(x,x)+28j
					; MiStoreSetEvictPageFile(x,x)+38j
		push	0
		push	0
		lea	eax, [edi+2E0h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_4F86F4
_MiStoreSetEvictPageFile@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 116. IoGetPagingIoPriority

;  S U B	R O U T	I N E 


; __fastcall IoGetPagingIoPriority(x)
		public @IoGetPagingIoPriority@4
@IoGetPagingIoPriority@4 proc near
		mov	eax, [ecx+8]
		test	al, 2
		jz	short loc_4F8726
		shr	eax, 11h
		and	eax, 7
		jz	short loc_4F8722
		cmp	eax, 5
		jz	short loc_4F8729

loc_4F8722:				; CODE XREF: IoGetPagingIoPriority(x)+Dj
		xor	eax, eax
		inc	eax
		retn
; 

loc_4F8726:				; CODE XREF: IoGetPagingIoPriority(x)+5j
		xor	eax, eax
		retn
; 

loc_4F8729:				; CODE XREF: IoGetPagingIoPriority(x)+12j
		push	2
		pop	eax
		retn
@IoGetPagingIoPriority@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 304. ExAcquireCacheAwarePushLockExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExAcquireCacheAwarePushLockExclusive(x)
		public _ExAcquireCacheAwarePushLockExclusive@4
_ExAcquireCacheAwarePushLockExclusive@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	esi
		push	0
		call	KeAbPreAcquire
		push	[ebp+arg_0]
		mov	ecx, [ebp+arg_0]
		mov	esi, eax
		mov	edx, esi
		call	@ExfAcquireCacheAwarePushLockExclusiveEx@12 ; ExfAcquireCacheAwarePushLockExclusiveEx(x,x,x)
		test	esi, esi
		jz	short loc_4F875B
		or	byte ptr [esi+0Eh], 1

loc_4F875B:				; CODE XREF: ExAcquireCacheAwarePushLockExclusive(x)+23j
		pop	esi
		pop	ebp
		retn	4
_ExAcquireCacheAwarePushLockExclusive@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExfAcquireCacheAwarePushLockExclusiveEx(x,	x, x)
@ExfAcquireCacheAwarePushLockExclusiveEx@12 proc near
					; CODE XREF: ExAcquireCacheAwarePushLockExclusive(x)+1Cp
					; ExAcquireCacheAwarePushLockExclusiveEx(x,x)+1Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, [ecx]
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		lea	edi, [ecx+4]
		lea	esi, [ecx+80h]
		lock bts dword ptr [eax], 0
		jnb	short loc_4F8798
		mov	ecx, [ecx]

loc_4F8782:				; CODE XREF: ExfAcquireCacheAwarePushLockExclusiveEx(x,x,x)+57j
		push	[ebp+arg_0]
		call	ExfAcquirePushLockExclusiveEx
		jmp	short loc_4F8798
; 

loc_4F878C:				; CODE XREF: ExfAcquireCacheAwarePushLockExclusiveEx(x,x,x)+43j
		sub	esi, 4
		mov	eax, [esi]
		lock bts dword ptr [eax], 0
		jb	short loc_4F87B3

loc_4F8798:				; CODE XREF: ExfAcquireCacheAwarePushLockExclusiveEx(x,x,x)+1Ej
					; ExfAcquireCacheAwarePushLockExclusiveEx(x,x,x)+2Aj ...
		cmp	edi, esi
		jnb	short loc_4F87AA
		mov	eax, [edi]
		lock bts dword ptr [eax], 0
		jb	short loc_4F878C
		add	edi, 4
		jmp	short loc_4F8798
; 

loc_4F87AA:				; CODE XREF: ExfAcquireCacheAwarePushLockExclusiveEx(x,x,x)+3Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4F87B3:				; CODE XREF: ExfAcquireCacheAwarePushLockExclusiveEx(x,x,x)+36j
		mov	ecx, [esi]
		mov	edx, ebx
		jmp	short loc_4F8782
@ExfAcquireCacheAwarePushLockExclusiveEx@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpTraceIo	proc near		; DATA XREF: EtwpEnableKernelTrace+201o

var_7E		= byte ptr -7Eh
var_7D		= byte ptr -7Dh
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D30BA SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+84h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		push	6
		pop	ecx
		mov	eax, [esi+60h]
		lea	edi, [esp+90h+var_70]
		mov	[esp+90h+var_78], eax
		xor	eax, eax
		rep stosd
		push	30h		; size_t
		xor	edi, edi
		lea	eax, [esp+94h+var_58]
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	ebx, [esi+50h]
		add	esp, 0Ch
		test	ebx, ebx
		jz	loc_5D30BA
		push	ebx
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		mov	[esp+90h+var_74], eax

loc_4F8815:				; CODE XREF: EtwpTraceIo+DA904j
		mov	edx, [esp+90h+var_78]
		mov	ecx, [esi+8]
		mov	[esp+90h+var_78], ecx
		mov	al, [edx]
		mov	[esp+90h+var_7D], al
		cmp	al, 9
		jz	loc_4F89B2
		xor	eax, eax
		mov	[esp+90h+var_54], ecx
		cmp	[esp+90h+var_7D], 3
		mov	[esp+90h+var_3C], esi
		setnz	al
		add	eax, 10Ah
		movzx	edi, ax
		mov	eax, [ebp+arg_4]
		mov	[esp+90h+var_58], eax
		mov	eax, [esi+1Ch]
		mov	[esp+90h+var_50], eax
		mov	eax, [edx+0Ch]
		mov	[esp+90h+var_48], eax
		mov	eax, [edx+10h]
		mov	[esp+90h+var_44], eax
		mov	eax, [edx+4]
		mov	[esp+90h+var_38], eax
		mov	eax, [edx+8]
		and	[esp+90h+var_4C], 0
		mov	[esp+90h+var_7C], edi
		mov	[esp+90h+var_34], eax
		test	ebx, ebx
		jz	loc_5D30C3
		mov	eax, [ebx+2B0h]

loc_4F8889:				; CODE XREF: EtwpTraceIo+DA90Cj
		mov	ecx, [ebp+arg_0]
		mov	[esp+90h+var_30], eax
		mov	eax, ecx
		and	eax, 0FFFF0000h
		cmp	eax, 56530000h
		jz	loc_4F89FF
		and	ecx, 0FFFFFFh
		cmp	ecx, 535242h
		jz	loc_4F898B
		cmp	ecx, offset loc_536D64
		jz	loc_4F898B

loc_4F88C0:				; CODE XREF: EtwpTraceIo+1D9j
					; EtwpTraceIo+24Dj
		mov	eax, [esp+90h+var_78]
		test	al, 8
		jnz	loc_4F8998
		mov	ecx, [esi+64h]
		test	ecx, ecx
		jz	short loc_4F8945

loc_4F88D3:				; CODE XREF: EtwpTraceIo+1A4j
					; EtwpTraceIo+1C0j ...
		mov	eax, [ecx+0Ch]
		xor	edi, edi
		mov	[esp+90h+var_40], eax

loc_4F88DC:				; CODE XREF: EtwpTraceIo+1CCj
		lea	eax, [esp+90h+var_58]
		mov	[esp+90h+var_20], 2Ch
		mov	[esp+90h+var_28], eax
		mov	eax, [esp+90h+var_7C]
		movzx	ecx, ax
		mov	[esp+90h+var_7C], ecx

loc_4F88F7:				; CODE XREF: EtwpTraceIo+240j
		push	offset byte_401803
		push	ecx
		mov	ecx, [esp+98h+var_74]
		lea	edx, [esp+98h+var_28]
		mov	[esp+98h+var_1C], edi
		mov	[esp+98h+var_24], edi
		mov	edi, 100h
		push	edi
		push	1
		call	EtwTraceSiloKernelEvent
		mov	eax, ds:_EtwpHostSiloState
		add	eax, 0A48h
		jz	short loc_4F892E
		test	[eax], edi
		jnz	loc_5D30CB

loc_4F892E:				; CODE XREF: EtwpTraceIo+16Aj
					; EtwpTraceIo+DA941j
		mov	ecx, [esp+90h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4F8945:				; CODE XREF: EtwpTraceIo+117j
		mov	al, [esi+23h]
		movsx	edi, byte ptr [esi+22h]
		mov	[esp+90h+var_7D], al
		movzx	eax, al
		cmp	eax, edi
		jg	short loc_4F8980
		add	edx, 18h

loc_4F895A:				; CODE XREF: EtwpTraceIo+1BCj
		mov	ecx, [edx]
		test	ecx, ecx
		jnz	loc_4F88D3
		mov	al, [esp+90h+var_7D]
		add	edx, 24h
		inc	al
		mov	[esp+90h+var_7D], al
		movzx	eax, al
		cmp	eax, edi
		jle	short loc_4F895A

loc_4F8978:				; CODE XREF: EtwpTraceIo+1F6j
		test	ecx, ecx
		jnz	loc_4F88D3

loc_4F8980:				; CODE XREF: EtwpTraceIo+19Bj
					; EtwpTraceIo+1E3j
		xor	edi, edi
		mov	[esp+90h+var_40], edi
		jmp	loc_4F88DC
; 

loc_4F898B:				; CODE XREF: EtwpTraceIo+F4j
					; EtwpTraceIo+100j
		mov	[esp+90h+var_4C], 2
		jmp	loc_4F88C0
; 

loc_4F8998:				; CODE XREF: EtwpTraceIo+10Cj
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_4F8980
		mov	ecx, [eax+64h]
		test	ecx, ecx
		jnz	loc_4F88D3
		mov	eax, [eax+60h]
		mov	ecx, [eax+18h]
		jmp	short loc_4F8978
; 

loc_4F89B2:				; CODE XREF: EtwpTraceIo+6Ej
		mov	eax, [ebp+arg_4]
		mov	ecx, 10Eh
		mov	[esp+90h+var_70], eax
		mov	eax, [esp+90h+var_78]
		mov	[esp+90h+var_6C], eax
		mov	eax, [edx+4]
		mov	[esp+90h+var_68], eax
		mov	eax, [edx+8]
		mov	[esp+90h+var_7C], ecx
		mov	[esp+90h+var_64], eax
		mov	[esp+90h+var_60], esi
		test	ebx, ebx
		jz	short loc_4F8A0C
		mov	eax, [ebx+2B0h]

loc_4F89E6:				; CODE XREF: EtwpTraceIo+255j
		mov	[esp+90h+var_5C], eax
		lea	eax, [esp+90h+var_70]
		mov	[esp+90h+var_28], eax
		mov	[esp+90h+var_20], 18h
		jmp	loc_4F88F7
; 

loc_4F89FF:				; CODE XREF: EtwpTraceIo+E2j
		mov	[esp+90h+var_4C], 1
		jmp	loc_4F88C0
; 

loc_4F8A0C:				; CODE XREF: EtwpTraceIo+224j
		or	eax, 0FFFFFFFFh
		jmp	short loc_4F89E6
EtwpTraceIo	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiInsertDecayClusterTimer(x)
_MiInsertDecayClusterTimer@4 proc near	; CODE XREF: MiInsertPageInList(x,x)+702p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, dword_6D586C
		push	edi
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, [esi+16h]
		mov	cl, bl
		and	dl, 3Fh
		shl	cl, 6
		or	dl, cl
		mov	edi, eax
		sub	edi, dword_6D3250
		mov	[esi+16h], dl
		mov	eax, dword_6D585C[ebx*4]
		mov	edx, eax
		shr	edx, 1
		and	edx, 7FFFh
		mov	ecx, edx
		or	ecx, 0FFFF0000h
		add	ecx, ecx
		mov	[esi+4], ecx
		mov	esi, edi
		shl	esi, 11h
		cmp	edx, 7FFFh
		jz	short loc_4F8AA7
		mov	ecx, dword_6D3250
		add	ecx, edx
		imul	edx, ecx, 1Ch
		add	edx, ds:_MmPfnDatabase
		mov	ecx, [edx+4]
		and	ecx, 1FFFFh
		or	ecx, esi
		mov	[edx+4], ecx

loc_4F8A8F:				; CODE XREF: MiInsertDecayClusterTimer(x)+9Cj
		lea	ecx, [edi+edi]
		xor	ecx, eax
		and	ecx, 0FFFEh
		pop	edi
		xor	ecx, eax
		pop	esi
		mov	dword_6D585C[ebx*4], ecx
		pop	ebx
		retn
; 

loc_4F8AA7:				; CODE XREF: MiInsertDecayClusterTimer(x)+5Cj
		and	eax, 1FFFFh
		or	eax, esi
		jmp	short loc_4F8A8F
_MiInsertDecayClusterTimer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceFileName(x, x, x, x, x, x)
_EtwpTraceFileName@24 proc near		; DATA XREF: .data:_EtwpFileIoNotifyRoutineso
					; EtwpEnableKernelTrace+1EBo

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_40], ebx
		test	edi, edi
		jnz	short loc_4F8AF7
		call	_KeIsExecutingInArbitraryThreadContext@0 ; KeIsExecutingInArbitraryThreadContext()
		test	eax, eax
		jz	short loc_4F8AE7
		mov	edi, ebx
		jmp	short loc_4F8AFD
; 

loc_4F8AE7:				; CODE XREF: EtwpTraceFileName(x,x,x,x,x,x)+31j
		mov	eax, large fs:124h
		push	eax
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		mov	edi, eax
		jmp	short loc_4F8AFD
; 

loc_4F8AF7:				; CODE XREF: EtwpTraceFileName(x,x,x,x,x,x)+28j
		mov	edi, [edi+3A0h]

loc_4F8AFD:				; CODE XREF: EtwpTraceFileName(x,x,x,x,x,x)+35j
					; EtwpTraceFileName(x,x,x,x,x,x)+45j
		mov	edx, [ebp+arg_8]
		mov	eax, 2000h
		movzx	ecx, word ptr [edx]
		cmp	ecx, eax
		jbe	short loc_4F8B0E
		mov	ecx, eax

loc_4F8B0E:				; CODE XREF: EtwpTraceFileName(x,x,x,x,x,x)+5Aj
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_34], eax
		mov	eax, [edx+4]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_14], eax
		mov	eax, ds:_EtwpHostSiloState
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		mov	ebx, [ebp+arg_14]
		mov	[ebp+var_2C], 4
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_C], 2
		add	eax, 0A48h
		jz	loc_4F8BDC
		test	dword ptr [eax], 200h
		jz	short loc_4F8BDC
		mov	eax, 420h
		cmp	bx, ax
		jnz	short loc_4F8BB4
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	0
		push	offset _KFileEvt_NameCreate
		push	dword_6BC314
		push	_EtwpFileProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_4F8B8C:				; CODE XREF: EtwpTraceFileName(x,x,x,x,x,x)+134j
		push	offset byte_401802
		push	ebx
		push	200h
		push	3
		lea	edx, [ebp+var_34]
		mov	ecx, edi
		call	EtwTraceSiloKernelEvent

loc_4F8BA3:				; CODE XREF: EtwpTraceFileName(x,x,x,x,x,x)+13Cj
					; EtwpTraceFileName(x,x,x,x,x,x)+157j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_4F8BB4:				; CODE XREF: EtwpTraceFileName(x,x,x,x,x,x)+BCj
		mov	eax, 423h
		cmp	bx, ax
		jnz	short loc_4F8BDC
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	0
		push	offset _KFileEvt_NameDelete
		push	dword_6BC314
		push	_EtwpFileProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_4F8BDC:				; CODE XREF: EtwpTraceFileName(x,x,x,x,x,x)+A6j
					; EtwpTraceFileName(x,x,x,x,x,x)+B2j ...
		mov	ecx, 424h
		cmp	bx, cx
		jnz	short loc_4F8B8C
		test	esi, esi
		jz	short loc_4F8BF2
		cmp	esi, edi
		jnz	short loc_4F8BA3
		test	esi, esi
		jnz	short loc_4F8BF9

loc_4F8BF2:				; CODE XREF: EtwpTraceFileName(x,x,x,x,x,x)+138j
		mov	eax, offset _PspHostSiloGlobals
		jmp	short loc_4F8BFF
; 

loc_4F8BF9:				; CODE XREF: EtwpTraceFileName(x,x,x,x,x,x)+140j
		mov	eax, [esi+2F8h]

loc_4F8BFF:				; CODE XREF: EtwpTraceFileName(x,x,x,x,x,x)+147j
		mov	edx, [eax+1F0h]
		test	edx, edx
		jz	short loc_4F8BA3
		push	offset byte_401802
		push	ecx
		push	3
		push	[ebp+arg_10]
		lea	ecx, [ebp+var_34]
		call	EtwpLogKernelEvent
		jmp	short loc_4F8BA3
_EtwpTraceFileName@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlNotifySetCancelRoutine proc near	; CODE XREF: FsRtlNotifyFilterChangeDirectory+DAp
					; FsRtlNotifyCompleteIrp+16p ...

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005D3100 SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	7
		mov	esi, ecx
		mov	edi, edx
		pop	ecx
		xor	ebx, ebx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[esi+25h], al
		test	edi, edi
		jnz	short loc_4F8C9C
		cmp	[esi+24h], bl
		jnz	loc_5D3126
		mov	ecx, offset FsRtlCancelNotify
		lea	eax, [esi+38h]
		xchg	ecx, [eax]
		mov	al, [esi+25h]
		mov	[ebp+var_1], al
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+450h]
		jnz	loc_5D3132
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_4F8CFE
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5D3141

loc_4F8C8C:				; CODE XREF: FsRtlNotifySetCancelRoutine+EBj
					; FsRtlNotifySetCancelRoutine+DA51Ej
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4F8C95:				; CODE XREF: FsRtlNotifySetCancelRoutine+D3j
					; FsRtlNotifySetCancelRoutine+DEj ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_4F8C9C:				; CODE XREF: FsRtlNotifySetCancelRoutine+1Dj
		xor	ecx, ecx
		lea	eax, [esi+38h]
		xchg	ecx, [eax]
		mov	al, [esi+25h]
		mov	[ebp+var_1], al
		mov	eax, large fs:20h
		mov	[esi+1Ch], ebx
		test	ds:byte_70EFC6,	1
		mov	[ebp+var_8], ecx
		lea	esi, [eax+450h]
		jnz	loc_5D3100
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5D3116
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5D310F

loc_4F8CE5:				; CODE XREF: FsRtlNotifySetCancelRoutine+DA4ECj
					; FsRtlNotifySetCancelRoutine+DA503j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_8], ebx
		jz	short loc_4F8C95
		lock dec dword ptr [edi+44h]
		xor	eax, eax
		lea	ebx, [eax+1]
		jmp	short loc_4F8C95
; 

loc_4F8CFE:				; CODE XREF: FsRtlNotifySetCancelRoutine+55j
					; FsRtlNotifySetCancelRoutine+DA52Aj
		xor	ecx, ecx
		mov	[esi], ebx
		inc	ecx
		lea	edx, [eax+4]
		lock xor [edx],	ecx
		jmp	short loc_4F8C8C
FsRtlNotifySetCancelRoutine endp

; 
		align 10h
; Exported entry 1748. PsChargePoolQuota

; __stdcall PsChargePoolQuota(x, x, x)
		public _PsChargePoolQuota@12
_PsChargePoolQuota@12:			; CODE XREF: VdmpDelayInterrupt(x)+262p
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+501p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	dword ptr [ebp+10h]
		push	dword ptr [ebp+0Ch]
		push	dword ptr [ebp+8]
		call	_PsChargeProcessPoolQuota@12 ; PsChargeProcessPoolQuota(x,x,x)
		test	eax, eax
		js	short loc_4F8D2B
		pop	ebp
		retn	0Ch
; 

loc_4F8D2B:				; CODE XREF: .text:004F8D25j
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; 
		db 3 dup(0CCh)
		align 8
; Exported entry 1751. PsChargeProcessPoolQuota

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsChargeProcessPoolQuota(x,	x, x)
		public _PsChargeProcessPoolQuota@12
_PsChargeProcessPoolQuota@12 proc near	; CODE XREF: .text:004F8D1Ep
					; FsRtlCancelNotify+E2FECp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		cmp	edx, ds:_PsInitialSystemProcess
		jz	short loc_4F8D60
		cmp	[ebp+arg_4], 1
		push	[ebp+arg_8]
		mov	ecx, [edx+188h]
		setz	al
		push	eax
		call	@PspChargeQuota@16 ; PspChargeQuota(x,x,x,x)

loc_4F8D60:				; CODE XREF: PsChargeProcessPoolQuota(x,x,x)+10j
		pop	ebp
		retn	0Ch
_PsChargeProcessPoolQuota@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1198. KeIsExecutingDpc

;  S U B	R O U T	I N E 


; __stdcall KeIsExecutingDpc()
		public _KeIsExecutingDpc@0
_KeIsExecutingDpc@0 proc near		; CODE XREF: .text:loc_52E353p
		mov	eax, large fs:235Ch
		and	eax, 10001h
		retn
_KeIsExecutingDpc@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMakeProtoLeafValid proc near		; CODE XREF: MiSplitPrivatePage(x,x,x)+44Bp
					; .text:0045144Dp ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005D314D SIZE 00000035 BYTES

		push	28h
		push	offset dword_6A36D0
		call	__SEH_prolog4
		mov	[ebp+var_30], edx
		mov	edi, ecx
		mov	[ebp+var_2C], edi
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		add	eax, 240h
		mov	[ebp+var_1C], eax
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_20], eax
		mov	eax, edi
		shl	eax, 9
		mov	[ebp+var_24], eax

loc_4F8DB8:				; CODE XREF: MiMakeProtoLeafValid+97j
					; MiMakeProtoLeafValid+DA3F4j ...
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		mov	[ebp+var_34], eax
		and	ecx, 1
		or	ecx, 0
		jnz	short loc_4F8E39
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [ebp+arg_0]
		mov	ecx, [ebp+var_1C]
		call	MiUnlockWorkingSetShared
		xor	ebx, ebx
		and	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+var_24]
		mov	al, [eax]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_4F8DF0:				; CODE XREF: sub_4F8E4B+10j
		mov	ecx, [ebp+var_1C]
		call	MiLockWorkingSetShared
		mov	[ebp+arg_0], al
		push	0
		push	dword ptr [ebp+arg_0]
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	MiMakeSystemAddressValid
		test	ebx, ebx
		jns	short loc_4F8DB8
		cmp	ebx, 0C0000005h
		jnz	loc_5D316F
		cmp	[ebp+var_30], 18h
		jnz	loc_5D314D
		mov	eax, ebx

loc_4F8E27:				; CODE XREF: MiMakeProtoLeafValid+C5j
					; MiMakeProtoLeafValid+DA407j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4F8E39:				; CODE XREF: MiMakeProtoLeafValid+51j
					; MiMakeProtoLeafValid+DA3E5j
		xor	eax, eax
		jmp	short loc_4F8E27
MiMakeProtoLeafValid endp


;  S U B	R O U T	I N E 


sub_4F8E3D	proc near		; DATA XREF: .text:006A36E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_4F8E3D	endp


;  S U B	R O U T	I N E 


sub_4F8E4B	proc near		; DATA XREF: .text:006A36E8o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-28h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-2Ch]
		jmp	short loc_4F8DF0
sub_4F8E4B	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 582. FsRtlLookupLastBaseMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlLookupLastBaseMcbEntry(x, x, x)
		public _FsRtlLookupLastBaseMcbEntry@12
_FsRtlLookupLastBaseMcbEntry@12	proc near
					; CODE XREF: FsRtlLookupLastLargeMcbEntry(x,x,x)+28p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_4F8EBF
		push	ebx
		push	edi
		mov	edi, [esi+0Ch]
		or	ebx, 0FFFFFFFFh
		mov	eax, [edi+ecx*8-4]
		mov	[ebp+arg_0], eax
		cmp	eax, ebx
		jz	short loc_4F8EA0
		lea	eax, [ecx-1]
		mov	ebx, edx
		test	eax, eax
		jz	short loc_4F8E94
		mov	ebx, [edi+ecx*8-10h]

loc_4F8E94:				; CODE XREF: FsRtlLookupLastBaseMcbEntry(x,x,x)+2Cj
		mov	eax, [edi+ecx*8-8]
		sub	eax, ebx
		mov	ebx, [ebp+arg_0]
		dec	ebx
		add	ebx, eax

loc_4F8EA0:				; CODE XREF: FsRtlLookupLastBaseMcbEntry(x,x,x)+23j
		mov	eax, [ebp+arg_8]
		pop	edi
		mov	[eax], ebx
		mov	[eax+4], edx
		mov	eax, [esi+0Ch]
		mov	ecx, [esi+4]
		pop	ebx
		mov	ecx, [eax+ecx*8-8]
		mov	eax, [ebp+arg_4]
		dec	ecx
		mov	[eax+4], edx
		mov	dl, 1
		mov	[eax], ecx

loc_4F8EBF:				; CODE XREF: FsRtlLookupLastBaseMcbEntry(x,x,x)+10j
		mov	al, dl
		pop	esi
		pop	ebp
		retn	0Ch
_FsRtlLookupLastBaseMcbEntry@12	endp


;  S U B	R O U T	I N E 


; __stdcall RtlpSampleLFGRng(x)
_RtlpSampleLFGRng@4 proc near		; CODE XREF: .text:00485711p
		mov	edx, [ecx+0E0h]
		push	esi
		mov	esi, [ecx+0DCh]
		lea	eax, [esi+1]
		sub	esi, 36h
		neg	esi
		sbb	esi, esi
		and	esi, eax
		lea	eax, [edx+1]
		sub	edx, 36h
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	eax, [ecx+esi*4]
		sub	eax, [ecx+edx*4]
		mov	[ecx+esi*4], eax
		mov	[ecx+0DCh], esi
		mov	[ecx+0E0h], edx
		pop	esi
		retn
_RtlpSampleLFGRng@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcWaitForUninitializeCacheMap proc near	; CODE XREF: MiCreateImageOrDataSection+F0p
					; MiCreateImageOrDataSection+F7C95p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= byte ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= byte ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 004F91B1 SIZE 00000005 BYTES
; FUNCTION CHUNK AT 005D3182 SIZE 000000AA BYTES
; FUNCTION CHUNK AT 005D3236 SIZE 000000F6 BYTES

		push	68h
		push	offset dword_6A3718
		call	__SEH_prolog4
		mov	esi, ecx
		mov	[ebp+var_28], esi
		xor	eax, eax
		lea	edi, [ebp+var_78]
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	ebx, ebx
		mov	[ebp+var_1B], bl
		mov	[ebp+var_19], bl
		mov	[ebp+var_20], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		xor	eax, eax
		lea	edi, [ebp+var_64]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_58]
		stosd
		stosd
		stosd
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1A], bl
		mov	eax, [esi+14h]
		cmp	[eax+4], ebx
		jnz	short loc_4F8F64

loc_4F8F54:				; CODE XREF: CcWaitForUninitializeCacheMap+14Ej
					; CcWaitForUninitializeCacheMap+177j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F8F64:				; CODE XREF: CcWaitForUninitializeCacheMap+50j
		push	ebx
		push	ebx
		lea	eax, [ebp+var_74]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	edx, [ebp+var_64]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esi+14h]
		mov	esi, [eax+4]
		test	esi, esi
		jz	loc_4F9189
		mov	ecx, esi
		call	CcGetPartition
		mov	edi, eax
		mov	[ebp+var_24], edi
		lea	eax, [edi+40h]
		mov	[ebp+var_48], eax
		mov	[ebp+var_4C], ebx
		test	ds:byte_70EFC6,	21h
		jnz	loc_5D3182
		lea	edx, [ebp+var_4C]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_5D3191

loc_4F8FB9:				; CODE XREF: CcWaitForUninitializeCacheMap+DA28Aj
					; CcWaitForUninitializeCacheMap+DA297j
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_1A], cl
		lea	eax, [esi+90h]
		cmp	[eax], eax
		jz	loc_4F9084

loc_4F8FCD:				; CODE XREF: CcWaitForUninitializeCacheMap+18Aj
					; CcWaitForUninitializeCacheMap+1BFj ...
		cmp	[ebp+var_1A], bl
		jz	short loc_4F9000
		test	ds:byte_70EFC6,	cl
		jnz	loc_5D31E3
		mov	eax, [ebp+var_4C]
		test	eax, eax
		jnz	loc_4F9191
		mov	edx, [ebp+var_48]
		lea	eax, [ebp+var_4C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_4C]
		cmp	eax, ecx
		jnz	loc_5D31F3

loc_4F9000:				; CODE XREF: CcWaitForUninitializeCacheMap+CEj
					; CcWaitForUninitializeCacheMap+298j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5D3203
		mov	eax, [ebp+var_64]
		test	eax, eax
		jnz	loc_5D321B
		mov	edx, [ebp+var_60]
		lea	eax, [ebp+var_64]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_64]
		cmp	eax, ecx
		jnz	loc_5D3213

loc_4F902F:				; CODE XREF: CcWaitForUninitializeCacheMap+DA30Cj
					; CcWaitForUninitializeCacheMap+DA325j
		mov	cl, [ebp+var_5C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_19], bl
		jnz	loc_4F90C6
		mov	edi, [ebp+var_20]

loc_4F9044:				; CODE XREF: CcWaitForUninitializeCacheMap+1F4j
		test	edi, edi
		jnz	loc_4F919F

loc_4F904C:				; CODE XREF: CcWaitForUninitializeCacheMap+2A4j
		cmp	[ebp+var_1B], 0
		jz	loc_4F8F54
		mov	[ebp+var_40], 9A5F4400h
		mov	[ebp+var_3C], 0FFFFFFFEh
		lea	eax, [ebp+var_40]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_74]
		push	eax
		call	KeWaitForSingleObject
		cmp	eax, 102h
		jnz	loc_4F8F54
		jmp	loc_5D3236
; 

loc_4F9084:				; CODE XREF: CcWaitForUninitializeCacheMap+C5j
		mov	eax, [esi+60h]
		test	eax, 100h
		jnz	loc_4F8FCD
		mov	[ebp+var_1B], cl
		or	eax, 10000h
		mov	[esi+60h], eax
		mov	eax, [esi+0B0h]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_78]
		or	eax, ecx
		mov	[esi+0B0h], eax
		mov	eax, [esi+60h]
		test	al, 20h
		jnz	short loc_4F90FB
		or	eax, 20h
		mov	[esi+60h], eax
		mov	[ebp+var_19], cl
		jmp	loc_4F8FCD
; 

loc_4F90C6:				; CODE XREF: CcWaitForUninitializeCacheMap+139j
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:124h
		mov	[ebp+var_2C], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+var_20]
		mov	[ebp+var_30], edi
		lea	edx, [ebp+var_34]
		mov	ecx, esi
		call	CcWriteBehind
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_4F91AB
		jmp	loc_4F9044
; 

loc_4F90FB:				; CODE XREF: CcWaitForUninitializeCacheMap+1B4j
		cmp	[esi+160h], ebx
		jz	loc_4F8FCD
		sub	edi, 0FFFFFF80h
		mov	[ebp+var_54], edi
		mov	[ebp+var_58], ebx
		test	ds:byte_70EFC6,	21h
		jnz	loc_5D319E
		lea	edx, [ebp+var_58]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_5D31AA

loc_4F912A:				; CODE XREF: CcWaitForUninitializeCacheMap+DA2B3j
		mov	eax, [esi+160h]
		test	eax, eax
		jz	short loc_4F915B
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_20], eax
		mov	edi, [eax]
		mov	edx, [eax+4]
		cmp	[edi+4], eax
		jnz	short loc_4F91B1
		cmp	[edx], eax
		jnz	short loc_4F91B1
		mov	[edx], edi
		mov	[edi+4], edx
		mov	[eax+4], ebx
		mov	[eax], ebx
		mov	[esi+160h], ebx
		mov	[ebp+var_19], cl

loc_4F915B:				; CODE XREF: CcWaitForUninitializeCacheMap+230j
		test	ds:byte_70EFC6,	cl
		jnz	loc_5D31BA
		mov	eax, [ebp+var_58]
		test	eax, eax
		jnz	loc_5D31D5
		mov	edx, [ebp+var_54]
		lea	eax, [ebp+var_58]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_58]
		cmp	eax, ecx
		jnz	loc_5D31CA

loc_4F9189:				; CODE XREF: CcWaitForUninitializeCacheMap+82j
					; CcWaitForUninitializeCacheMap+DA2C3j
		xor	ecx, ecx
		inc	ecx
		jmp	loc_4F8FCD
; 

loc_4F9191:				; CODE XREF: CcWaitForUninitializeCacheMap+E1j
					; CcWaitForUninitializeCacheMap+DA2FCj
		mov	[ebp+var_4C], ebx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4F9000
; 

loc_4F919F:				; CODE XREF: CcWaitForUninitializeCacheMap+144j
		mov	ecx, edi
		call	_CcFreeWorkQueueEntry@4	; CcFreeWorkQueueEntry(x)
		jmp	loc_4F904C
CcWaitForUninitializeCacheMap endp


;  S U B	R O U T	I N E 


sub_4F91AB	proc near		; CODE XREF: CcWaitForUninitializeCacheMap+1EFp
					; sub_5D322C+5j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		retn
sub_4F91AB	endp

; 
; START	OF FUNCTION CHUNK FOR CcWaitForUninitializeCacheMap

loc_4F91B1:				; CODE XREF: CcWaitForUninitializeCacheMap+240j
					; CcWaitForUninitializeCacheMap+244j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
; END OF FUNCTION CHUNK	FOR CcWaitForUninitializeCacheMap ; AL = character to display
; 
		dw 0CCCCh
		dd 0CCCCCCCCh
; Exported entry 1852. PsIsSystemProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsSystemProcess(x)
		public _PsIsSystemProcess@4
_PsIsSystemProcess@4 proc near		; CODE XREF: MiUpdateLargePageSectionPfns(x,x,x)+13Ep
					; MiZeroWithSystemPtes(x,x,x)+15Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+3A8h]
		shr	eax, 0Ch
		and	al, 1
		pop	ebp
		retn	4
_PsIsSystemProcess@4 endp

; 
		align 8
; Exported entry 1837. PsGetWin32KFilterSet

;  S U B	R O U T	I N E 


; __stdcall PsGetWin32KFilterSet()
		public _PsGetWin32KFilterSet@0
_PsGetWin32KFilterSet@0	proc near	; CODE XREF: PAGE:0083E16Fp
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+438h]
		retn
_PsGetWin32KFilterSet@0	endp

; 
		align 4

;  S U B	R O U T	I N E 


KiMoveApcState	proc near		; CODE XREF: .text:0051BB59p

; FUNCTION CHUNK AT 005A8351 SIZE 00000024 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+10h]
		mov	[edx+10h], eax
		mov	al, [esi+14h]
		mov	[edx+14h], al
		mov	al, [esi+15h]
		mov	[edx+15h], al
		mov	al, [esi+16h]
		mov	[edx+16h], al
		mov	ecx, [esi]
		cmp	ecx, esi
		jnz	loc_5A8351
		mov	[edx+4], edx
		mov	[edx], edx
		mov	byte ptr [edx+15h], 0

loc_4F921D:				; CODE XREF: KiMoveApcState+AF172j
		lea	eax, [esi+8]
		mov	edi, [eax]
		lea	ecx, [edx+8]
		cmp	edi, eax
		jnz	loc_5A8363
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	byte ptr [edx+16h], 0

loc_4F9236:				; CODE XREF: KiMoveApcState+AF184j
		pop	edi
		pop	esi
		retn
KiMoveApcState	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiFaultListPagesRemaining(x)
_MiFaultListPagesRemaining@4 proc near	; CODE XREF: MiComputeMaximumFaultCluster+2Fp
		mov	eax, [ecx+8]
		test	al, 1
		jz	short loc_4F9249
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	2
		jz	short loc_4F924D

loc_4F9249:				; CODE XREF: MiFaultListPagesRemaining(x)+5j
		xor	eax, eax
		inc	eax
		retn
; 

loc_4F924D:				; CODE XREF: MiFaultListPagesRemaining(x)+Dj
		xor	edx, edx
		push	edi
		mov	edi, [eax+0Ch]
		inc	edx
		cmp	edi, [eax+8]
		jnb	short loc_4F9295
		mov	eax, [eax+4]
		mov	ecx, [ecx]
		push	esi
		mov	esi, [eax+edi*8]
		cmp	ecx, esi
		jb	short loc_4F9294
		mov	edi, [eax+edi*8+4]
		lea	eax, [edi+esi]
		cmp	ecx, eax
		jnb	short loc_4F9294
		mov	edx, 0FFFFF000h
		mov	eax, esi
		and	ecx, edx
		and	eax, edx
		and	esi, 0FFFh
		lea	edx, [edi+0FFFh]
		sub	ecx, eax
		add	edx, esi
		shr	ecx, 0Ch
		shr	edx, 0Ch
		sub	edx, ecx

loc_4F9294:				; CODE XREF: MiFaultListPagesRemaining(x)+2Aj
					; MiFaultListPagesRemaining(x)+35j
		pop	esi

loc_4F9295:				; CODE XREF: MiFaultListPagesRemaining(x)+1Dj
		mov	eax, edx
		pop	edi
		retn
_MiFaultListPagesRemaining@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpDynamicLookasideFlush(x, x)
_RtlpDynamicLookasideFlush@8 proc near	; CODE XREF: ExpHpCompactionRoutine(x)+6Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, ecx
		xor	ecx, ecx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		xor	esi, esi
		mov	edi, [eax]
		mov	ebx, [eax+4]
		not	edi
		mov	[ebp+var_4], ecx
		not	ebx

loc_4F92BA:				; CODE XREF: RtlpDynamicLookasideFlush(x,x)+67j
		mov	eax, edi
		or	eax, ebx
		jz	short loc_4F9316
		and	[ebp+var_C], 0
		test	edi, edi
		jnz	short loc_4F9303
		bsf	edx, ebx
		setnz	al
		movzx	eax, al
		test	eax, eax
		jz	short loc_4F92DB
		lea	ecx, [edx+20h]

loc_4F92D8:				; CODE XREF: RtlpDynamicLookasideFlush(x,x)+6Cj
		mov	[ebp+var_4], ecx

loc_4F92DB:				; CODE XREF: RtlpDynamicLookasideFlush(x,x)+39j
		xor	eax, eax
		xor	edx, edx
		inc	eax
		call	__allshl
		mov	ecx, [ebp+var_4]
		xor	edi, eax
		xor	ebx, edx
		inc	ecx
		shl	ecx, 6
		add	ecx, [ebp+var_8]
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		test	esi, esi
		jnz	short loc_4F9308
		mov	esi, eax

loc_4F92FE:				; CODE XREF: RtlpDynamicLookasideFlush(x,x)+72j
		mov	ecx, [ebp+var_4]
		jmp	short loc_4F92BA
; 

loc_4F9303:				; CODE XREF: RtlpDynamicLookasideFlush(x,x)+2Cj
		bsf	ecx, edi
		jmp	short loc_4F92D8
; 

loc_4F9308:				; CODE XREF: RtlpDynamicLookasideFlush(x,x)+60j
					; RtlpDynamicLookasideFlush(x,x)+7Aj
		mov	ecx, eax
		test	eax, eax
		jz	short loc_4F92FE
		mov	eax, [eax]
		mov	[ecx], esi
		mov	esi, ecx
		jmp	short loc_4F9308
; 

loc_4F9316:				; CODE XREF: RtlpDynamicLookasideFlush(x,x)+24j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_RtlpDynamicLookasideFlush@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 433. ExSetResourceOwnerPointerEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExSetResourceOwnerPointerEx
ExSetResourceOwnerPointerEx proc near

var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D332C SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	byte ptr [ecx+0Eh], 1
		jnz	loc_5D332C
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		call	ExpSetResourceOwnerPointerEx
		pop	ebp
		retn	0Ch
ExSetResourceOwnerPointerEx endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpSetResourceOwnerPointerEx proc near	; CODE XREF: ExSetResourceOwnerPointerEx+18p
					; ExSetResourceOwnerPointer+17p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D3351 SIZE 00000130 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		mov	ebx, ecx
		mov	ecx, large fs:124h
		mov	esi, edx
		mov	[ebp+var_8], ecx
		lea	edx, [ebp+var_1C]
		mov	[ebp+var_C], esi
		stosd
		lea	ecx, [ebx+34h]
		stosd
		mov	eax, dword ptr ds:byte_70EFC4
		and	eax, 20000h
		mov	[ebp+var_10], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		movzx	ecx, word ptr [ebx+0Eh]
		test	cl, cl
		js	loc_4F950A
		xor	edi, edi
		lea	eax, [ebp+var_1C]
		push	edi
		push	edi
		push	edi
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	@ExpFindCurrentThread@24 ; ExpFindCurrentThread(x,x,x,x,x,x)
		mov	[ebp+var_4], eax
		mov	ecx, edi
		mov	eax, [ebp+var_8]
		test	al, 3
		jnz	short loc_4F93B1
		movzx	ecx, byte ptr [eax+26Ch]

loc_4F93B1:				; CODE XREF: ExpSetResourceOwnerPointerEx+64j
		push	ecx
		push	edi
		push	edi
		lea	ecx, [ebp+var_1C]
		mov	edx, eax
		push	ecx
		mov	ecx, ebx
		call	@ExpFindCurrentThread@24 ; ExpFindCurrentThread(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5D3351
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		inc	edx
		and	eax, edx
		cmp	[ebp+var_4], edi
		jnz	loc_4F946E
		test	eax, eax
		jz	loc_4F94D9
		mov	eax, [ebp+var_C]
		mov	edx, eax
		mov	ecx, [ebp+var_8]
		and	edx, 0FFFFFFFCh
		mov	[ebp+arg_0], edx
		cmp	edx, ecx
		jnz	loc_5D3436
		mov	ecx, [ebp+arg_0]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		or	dword ptr [esi+4], 2

loc_4F940B:				; CODE XREF: ExpSetResourceOwnerPointerEx+1A2j
					; ExpSetResourceOwnerPointerEx+DA11Aj
		mov	eax, [ebp+var_C]
		mov	[esi], eax
		mov	eax, 4258h

loc_4F9415:				; CODE XREF: ExpSetResourceOwnerPointerEx+190j
		inc	dword ptr fs:[eax]
		mov	esi, 10140h
		cmp	[ebp+var_10], edi
		jnz	short loc_4F9425
		add	esi, 0FFFFFFC0h

loc_4F9425:				; CODE XREF: ExpSetResourceOwnerPointerEx+DCj
					; ExpSetResourceOwnerPointerEx+224j
		test	ds:byte_70EFC6,	1
		jnz	loc_5D3463
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	loc_4F94F9
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jnz	loc_4F94F1

loc_4F9454:				; CODE XREF: ExpSetResourceOwnerPointerEx+1C1j
					; ExpSetResourceOwnerPointerEx+DA12Aj
		mov	cl, [ebp+var_14]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_10], 0
		jnz	loc_5D3473

loc_4F9467:				; CODE XREF: ExpSetResourceOwnerPointerEx+DA138j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4F946E:				; CODE XREF: ExpSetResourceOwnerPointerEx+92j
		test	eax, eax
		jz	loc_4F956D
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		and	eax, 0FFFFFFFCh
		cmp	eax, ecx
		jnz	loc_5D33A8
		mov	eax, [esi+4]
		test	al, dl
		jnz	loc_5D33AD

loc_4F9492:				; CODE XREF: ExpSetResourceOwnerPointerEx+DA08Aj
		mov	ecx, [ebp+var_4]
		test	al, 4
		jnz	loc_5D33D3

loc_4F949D:				; CODE XREF: ExpSetResourceOwnerPointerEx+DA0ABj
		test	byte ptr [ecx+4], 2
		jz	loc_5D33F4

loc_4F94A7:				; CODE XREF: ExpSetResourceOwnerPointerEx+DA0C3j
					; ExpSetResourceOwnerPointerEx+DA0EDj
		mov	eax, [esi+4]
		mov	[ebp+arg_0], eax

loc_4F94AD:				; CODE XREF: ExpSetResourceOwnerPointerEx+239j
		mov	edx, [ebp+var_4]
		mov	ecx, [edx+4]
		mov	eax, ecx
		xor	eax, [ebp+arg_0]
		and	ecx, 0FFFFFFF8h
		add	ecx, [ebp+arg_0]
		and	eax, 7
		xor	eax, ecx
		mov	[edx+4], eax
		mov	eax, 425Ch
		and	dword ptr [esi+4], 7
		mov	[esi], edi
		dec	dword ptr [ebx+20h]
		jmp	loc_4F9415
; 

loc_4F94D9:				; CODE XREF: ExpSetResourceOwnerPointerEx+9Aj
		mov	eax, [esi+4]
		test	al, dl
		jnz	loc_5D343C

loc_4F94E4:				; CODE XREF: ExpSetResourceOwnerPointerEx+DA108j
		test	al, 4
		jz	loc_4F940B
		jmp	loc_5D3451
; 

loc_4F94F1:				; CODE XREF: ExpSetResourceOwnerPointerEx+10Aj
		lea	ecx, [ebp+var_1C]
		call	KxWaitForLockChainValid

loc_4F94F9:				; CODE XREF: ExpSetResourceOwnerPointerEx+F3j
		xor	edx, edx
		mov	[ebp+var_1C], edi
		add	eax, 4
		inc	edx
		lock xor [eax],	edx
		jmp	loc_4F9454
; 

loc_4F950A:				; CODE XREF: ExpSetResourceOwnerPointerEx+42j
		xor	eax, eax
		inc	eax
		test	cl, al
		jnz	loc_5D333E
		cmp	_ExpResourceEnforceOwnerTransfer, 0
		jnz	loc_5D333E
		mov	ecx, [ebp+var_8]

loc_4F9525:				; CODE XREF: ExSetResourceOwnerPointerEx+DA022j
		xor	edi, edi
		test	byte ptr [ebp+arg_0], al
		jz	loc_5D3372
		mov	eax, esi
		and	eax, 0FFFFFFFCh
		cmp	eax, ecx
		jnz	loc_5D3362
		mov	edx, 746C6644h
		mov	ecx, eax
		call	ObfReferenceObjectWithTag
		or	dword ptr [ebx+1Ch], 2

loc_4F954D:				; CODE XREF: ExpSetResourceOwnerPointerEx+DA04Bj
					; ExpSetResourceOwnerPointerEx+DA05Fj
		mov	eax, [ebp+var_10]
		mov	[ebx+18h], esi
		mov	esi, 10100h
		inc	large dword ptr	fs:4254h
		neg	eax
		sbb	eax, eax
		and	eax, 20h
		add	esi, eax
		jmp	loc_4F9425
; 

loc_4F956D:				; CODE XREF: ExpSetResourceOwnerPointerEx+12Cj
		mov	eax, [esi+4]
		mov	[ebp+arg_0], eax
		test	al, dl
		jnz	loc_5D340C

loc_4F957B:				; CODE XREF: ExpSetResourceOwnerPointerEx+DA0DBj
		test	al, 4
		jz	loc_4F94AD
		jmp	loc_5D3424
ExpSetResourceOwnerPointerEx endp


;  S U B	R O U T	I N E 


; __stdcall SmIsCompressionProcess(x)
_SmIsCompressionProcess@4 proc near	; CODE XREF: ExpGetProcessInformation+793p
					; ExpGetProcessInformation+8A6p ...
		xor	eax, eax
		cmp	ecx, ds:dword_718460
		setz	al
		retn
_SmIsCompressionProcess@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1318. KeTestAlertThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeTestAlertThread
KeTestAlertThread proc near		; CODE XREF: .text:0052E254p
					; NtContinue(x,x)+92p ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005D3481 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_4], 0
		lea	edi, [esi+2Ch]
		mov	bh, al

loc_4F95B9:				; CODE XREF: KeTestAlertThread+D9EF5j
		lock bts dword ptr [edi], 0
		jb	loc_5D3481
		mov	cl, [ebp+arg_0]
		movsx	eax, cl
		mov	bl, [eax+esi+56h]
		test	bl, bl
		jnz	short loc_4F95FE
		cmp	cl, 1
		jnz	short loc_4F95DE
		lea	eax, [esi+78h]
		cmp	[eax], eax
		jnz	short loc_4F95F5

loc_4F95DE:				; CODE XREF: KeTestAlertThread+3Bj
					; KeTestAlertThread+62j ...
		mov	cl, bh
		mov	dword ptr [edi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
; 

loc_4F95F5:				; CODE XREF: KeTestAlertThread+42j
		or	byte ptr [esi+86h], 2
		jmp	short loc_4F95DE
; 

loc_4F95FE:				; CODE XREF: KeTestAlertThread+36j
		mov	byte ptr [eax+esi+56h],	0
		jmp	short loc_4F95DE
KeTestAlertThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpRpIsRehashNeeded(x, x)
_PfpRpIsRehashNeeded@8 proc near	; CODE XREF: PfpRpRehashIfNeeded+1Ap
					; PfpRpFileKeyUpdate+71p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+4]
		and	[ebp+var_4], 0
		shr	eax, 5
		push	esi
		push	edi
		mov	edi, edx
		lea	esi, [eax+eax]
		cmp	[ecx], esi
		jnb	short loc_4F9627

loc_4F9621:				; CODE XREF: PfpRpIsRehashNeeded(x,x)+32j
		xor	eax, eax

loc_4F9623:				; CODE XREF: PfpRpIsRehashNeeded(x,x)+40j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4F9627:				; CODE XREF: PfpRpIsRehashNeeded(x,x)+19j
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_4F9621
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_4F9648

loc_4F9641:				; CODE XREF: PfpRpIsRehashNeeded(x,x)+45j
		mov	[edi], eax
		xor	eax, eax
		inc	eax
		jmp	short loc_4F9623
; 

loc_4F9648:				; CODE XREF: PfpRpIsRehashNeeded(x,x)+39j
		push	40h
		pop	eax
		jmp	short loc_4F9641
_PfpRpIsRehashNeeded@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KxSetTimeStampBusy(x)
_KxSetTimeStampBusy@4 proc near		; CODE XREF: KxFlushEntireTb(x)+1Ap
					; KeInvalidateAllCaches+31p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, [esi]
		mov	ebx, eax

loc_4F9660:				; CODE XREF: KxSetTimeStampBusy(x)+39j
					; KxSetTimeStampBusy(x)+3Ej
		test	al, 1
		jnz	short loc_4F9671
		lock bts dword ptr [esi], 0
		jb	short loc_4F9671
		mov	al, 1

loc_4F966D:				; CODE XREF: KxSetTimeStampBusy(x)+42j
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F9671:				; CODE XREF: KxSetTimeStampBusy(x)+14j
					; KxSetTimeStampBusy(x)+1Bj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		mov	ecx, eax
		sub	ecx, ebx
		cmp	ecx, 3
		jge	short loc_4F968E
		cmp	ecx, 2
		jl	short loc_4F9660
		test	bl, 1
		jnz	short loc_4F9660

loc_4F968E:				; CODE XREF: KxSetTimeStampBusy(x)+34j
		xor	al, al
		jmp	short loc_4F966D
_KxSetTimeStampBusy@4 endp

; 
		align 8
; Exported entry 950. IoReleaseRemoveLockEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoReleaseRemoveLockEx
IoReleaseRemoveLockEx proc near		; CODE XREF: PoFxPrepareDevice(x,x)+122p
					; ViFilterDeviceUsageNotificationCompletion(x,x,x)+B5p	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D3494 SIZE 000000E8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_14], 0
		and	[ebp+var_10], 0
		push	ebx
		or	ebx, 0FFFFFFFFh
		cmp	[ebp+arg_8], 58h
		push	edi
		mov	edi, [ebp+arg_0]
		jz	loc_5D3494

loc_4F96BA:				; CODE XREF: IoReleaseRemoveLockEx+D9ECDj
		lock xadd [edi+4], ebx
		dec	ebx
		jz	loc_5D356A

loc_4F96C6:				; CODE XREF: IoReleaseRemoveLockEx+D9EDFj
		pop	edi
		pop	ebx
		leave
		retn	0Ch
IoReleaseRemoveLockEx endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2264. RtlNumberGenericTableElementsAvl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlNumberGenericTableElementsAvl(x)
		public _RtlNumberGenericTableElementsAvl@4
_RtlNumberGenericTableElementsAvl@4 proc near ;	CODE XREF: PiUpdateDriverDBCache+9Ap
					; PiDmGetObjectCount(x)+27p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+18h]
		pop	ebp
		retn	4
_RtlNumberGenericTableElementsAvl@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopInvalidDeviceRequest(x, x)
_IopInvalidDeviceRequest@8 proc	near	; DATA XREF: ViDifCaptureIoCallbacks(x)+34o
					; ViDifCaptureIoCallbacks(x)+52o ...

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	dl, dl
		mov	dword ptr [ecx+18h], 0C0000010h
		call	IofCompleteRequest
		mov	eax, 0C0000010h
		pop	ebp
		retn	8
_IopInvalidDeviceRequest@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCopyXStateChunk proc near		; CODE XREF: RtlpCopyExtendedContext(x,x,x,x,x,x)+82p
					; RtlCopyContext+151533p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D357C SIZE 00000081 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	40h
		pop	edi
		mov	eax, [esi+14h]
		mov	ebx, edi
		mov	[ebp+var_1], cl
		mov	[ebp+var_30], eax
		cmp	eax, edi
		jb	loc_4F986F
		mov	eax, [ebp+arg_8]
		mov	ecx, [eax+14h]
		mov	[ebp+var_34], ecx
		cmp	ecx, edi
		jb	loc_4F986F
		mov	eax, [eax+10h]
		add	[ebp+arg_4], eax
		xor	eax, eax
		mov	esi, [esi+10h]
		push	edi		; size_t
		add	esi, edx
		mov	[ebp+var_14], eax
		push	eax		; int
		push	esi		; void *
		mov	[ebp+var_28], esi
		call	_memset
		mov	edx, ds:0FFDF0708h
		mov	ecx, 0FFDF03D8h
		mov	eax, ds:0FFDF070Ch
		add	esp, 0Ch
		or	edx, [ecx]
		or	eax, [ecx+4]
		mov	ecx, [ebp+arg_4]
		and	edx, [ecx]
		and	eax, [ecx+4]
		and	edx, 0FFFFFFFCh
		mov	[esi], edx
		mov	[esi+4], eax
		test	byte ptr ds:0FFDF03ECh,	2
		mov	[ebp+arg_8], eax
		mov	[ebp+arg_0], edx
		jnz	loc_5D357C
		xor	ecx, ecx
		xor	esi, esi
		mov	[ebp+var_20], esi
		mov	eax, ecx
		mov	[ebp+var_24], esi
		mov	esi, [ebp+var_28]

loc_4F979C:				; CODE XREF: RtlpCopyXStateChunk+D9EBAj
		cmp	[ebp+var_1], 1
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], eax
		mov	[esi+8], eax
		mov	[esi+0Ch], ecx
		jnz	short loc_4F97C3
		push	2
		pop	ecx
		mov	esi, 234h
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], esi

loc_4F97BC:				; CODE XREF: RtlpCopyXStateChunk+162j
		mov	eax, edx
		or	eax, [ebp+arg_8]
		jnz	short loc_4F97CC

loc_4F97C3:				; CODE XREF: RtlpCopyXStateChunk+AAj
					; RtlpCopyXStateChunk+168j
		xor	eax, eax

loc_4F97C5:				; CODE XREF: RtlpCopyXStateChunk+172j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4F97CC:				; CODE XREF: RtlpCopyXStateChunk+BFj
		xor	eax, eax
		xor	edx, edx
		inc	eax
		call	__allshl
		cmp	byte ptr [ebp+var_14], 0
		mov	[ebp+var_8], eax
		mov	[ebp+var_2C], edx
		jnz	loc_5D35C1
		mov	eax, [ebp+var_C]
		mov	ecx, ds:0FFDF03F0h[eax*8]
		mov	edi, ds:0FFDF03F4h[eax*8]
		add	edi, 0FFFFFE00h
		add	edi, ecx
		lea	ebx, [ecx-200h]

loc_4F9805:				; CODE XREF: RtlpCopyXStateChunk+D9EEEj
		mov	eax, [ebp+var_8]

loc_4F9808:				; CODE XREF: RtlpCopyXStateChunk+D9EF6j
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		mov	eax, [ebp+var_2C]
		and	ecx, edx
		and	eax, [ebp+arg_8]
		or	ecx, eax
		jz	short loc_4F9851
		cmp	edi, [ebp+var_30]
		ja	short loc_4F986F
		cmp	edi, [ebp+var_34]
		ja	short loc_4F986F
		mov	eax, edi
		sub	eax, ebx
		push	eax		; size_t
		mov	eax, [ebp+arg_4]
		add	eax, ebx
		push	eax		; void *
		mov	eax, [ebp+var_28]
		add	eax, ebx
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	edx, [ebp+arg_0]
		not	eax
		mov	ecx, [ebp+var_2C]
		and	edx, eax
		not	ecx
		mov	[ebp+arg_0], edx
		and	[ebp+arg_8], ecx

loc_4F9851:				; CODE XREF: RtlpCopyXStateChunk+115j
		mov	ecx, [ebp+var_C]
		add	esi, 4
		inc	ecx
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], ecx
		cmp	esi, 32Ch
		jb	loc_4F97BC
		jmp	loc_4F97C3
; 

loc_4F986F:				; CODE XREF: RtlpCopyXStateChunk+1Ej
					; RtlpCopyXStateChunk+2Fj ...
		mov	eax, 80000005h
		jmp	loc_4F97C5
RtlpCopyXStateChunk endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCheckInitiatorHint(x, x)
_IopCheckInitiatorHint@8 proc near	; CODE XREF: IopAllocRealFileObject+2B3p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

		push	20h
		push	offset dword_6A37A8
		call	__SEH_prolog4
		mov	ebx, edx
		mov	edi, ecx
		xor	ecx, ecx
		mov	[ebp+var_20], ecx
		mov	esi, large fs:124h
		test	dword ptr [esi+58h], 400h
		jnz	short loc_4F98B0
		cmp	byte ptr [esi+16Ah], 1
		jz	short loc_4F98B0
		mov	esi, [esi+0A8h]
		jmp	short loc_4F98B2
; 

loc_4F98B0:				; CODE XREF: IopCheckInitiatorHint(x,x)+23j
					; IopCheckInitiatorHint(x,x)+2Cj
		mov	esi, ecx

loc_4F98B2:				; CODE XREF: IopCheckInitiatorHint(x,x)+34j
		mov	[ebp+ms_exc.disabled], ecx
		mov	eax, [esi+24h]
		or	eax, 1
		cmp	eax, [esi+6B8h]
		jnz	loc_4F999B
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_2C], al
		push	[ebp+var_2C]
		push	ecx
		call	RtlIsSandboxedToken
		test	al, al
		jnz	loc_4F999B
		mov	ecx, [esi+6B4h]
		mov	[ebp+var_19], cl
		and	ecx, 0FFFFFFFEh
		mov	eax, ds:_PsProcessType
		xor	esi, esi
		mov	[ebp+var_24], esi
		push	esi
		lea	edx, [ebp+var_24]
		push	edx
		push	1
		push	eax
		push	1
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_4F999B
		mov	[ebp+var_28], esi
		push	esi		; int
		lea	eax, [ebp+var_28]
		push	eax		; int
		push	1		; char
		push	10h		; size_t
		xor	edx, edx
		inc	edx
		mov	ecx, edi
		call	IopGetSetSpecificExtension
		mov	[ebp+var_20], eax
		test	eax, eax
		js	short loc_4F997A
		test	ebx, ebx
		jz	short loc_4F9952
		push	ebx
		call	_IoGetInitiatorProcess@4 ; IoGetInitiatorProcess(x)
		mov	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	short loc_4F9952
		mov	[ebp+var_20], 0C000000Dh
		call	ObfDereferenceObject

loc_4F9952:				; CODE XREF: IopCheckInitiatorHint(x,x)+BDj
					; IopCheckInitiatorHint(x,x)+CAj
		cmp	[ebp+var_20], esi
		jl	short loc_4F999B
		mov	ecx, [ebp+var_28]
		mov	eax, [ebp+var_24]
		mov	[ecx+4], eax
		test	[ebp+var_19], 1
		jz	short loc_4F999B
		or	dword ptr [edi+2Ch], 20000000h
		push	esi
		push	8
		pop	edx
		mov	ecx, edi
		call	IopSetFileObjectExtensionFlag
		jmp	short loc_4F999B
; 

loc_4F997A:				; CODE XREF: IopCheckInitiatorHint(x,x)+B9j
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObject
		jmp	short loc_4F999B
; 

loc_4F9984:				; DATA XREF: .text:006A37BCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_4F9992:				; DATA XREF: .text:006A37C0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_30]
		mov	[ebp+var_20], eax

loc_4F999B:				; CODE XREF: IopCheckInitiatorHint(x,x)+47j
					; IopCheckInitiatorHint(x,x)+67j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopCheckInitiatorHint@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1144. KeFlushIoBuffers

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeFlushIoBuffers
KeFlushIoBuffers proc near		; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+2EBp

var_44		= dword	ptr -44h
var_40		= byte ptr -40h
var_3C		= dword	ptr -3Ch
var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D35FD SIZE 000000D9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	8
		pop	ecx
		lea	edi, [esp+40h+var_28]
		rep stosd
		mov	eax, _KiSystemFullyCoherent
		test	eax, eax
		jz	loc_5D35FD

loc_4F99EE:				; CODE XREF: KeFlushIoBuffers+D9C60j
					; KeFlushIoBuffers+D9CE4j ...
		mov	ecx, [esp+40h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
KeFlushIoBuffers endp

; 
		align 8
; Exported entry 1774. PsGetCurrentThreadId

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentThreadId()
		public _PsGetCurrentThreadId@0
_PsGetCurrentThreadId@0	proc near	; CODE XREF: PnpWatchdogEtwWrite(x,x):loc_97EFCBp
					; PoShutdownBugCheck(x,x,x,x,x,x)+61p ...
		mov	eax, large fs:124h
		mov	eax, [eax+2B0h]
		retn
_PsGetCurrentThreadId@0	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1148. KeGenericCallDpc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeGenericCallDpc(x,	x)
		public _KeGenericCallDpc@8
_KeGenericCallDpc@8 proc near		; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+3BDp
					; KeSwapDirectoryTableBase(x,x,x)+34p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	edx, offset _KiGenericCallDpcWorker@8 ;	KiGenericCallDpcWorker(x,x)
		mov	[ebp+var_8], eax
		xor	ecx, ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	1
		push	eax
		call	_KeGenericProcessorCallback@16 ; KeGenericProcessorCallback(x,x,x,x)
		leave
		retn	8
_KeGenericCallDpc@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlinkStandbyPfn proc	near		; CODE XREF: .text:0047C873p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005D36D6 SIZE 00000061 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_14], edx
		push	esi
		push	edi
		mov	[ebp+var_8], ebx
		mov	edi, [ebx]
		nop
		mov	esi, [ebx+4]
		mov	ecx, edi
		mov	eax, dword_6D0700
		mov	edx, esi
		mov	ebx, dword_6D0704
		mov	[ebp+var_C], eax
		or	eax, ebx
		mov	[ebp+var_10], ebx
		mov	ebx, [ebp+var_8]
		jz	short loc_4F9A91
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4F9A91
		mov	edi, [ebp+var_C]
		mov	esi, [ebp+var_10]
		not	edi
		not	esi
		and	edi, ecx
		and	esi, edx

loc_4F9A91:				; CODE XREF: MiUnlinkStandbyPfn+33j
					; MiUnlinkStandbyPfn+3Dj
		shrd	edi, esi, 0Ch
		and	edi, 3FFFFFFh
		imul	esi, edi, 1Ch
		add	esi, ds:_MmPfnDatabase
		test	byte ptr [esi+16h], 20h
		jnz	loc_4F9B55
		xor	edx, edx
		mov	ecx, esi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		test	eax, eax
		jz	loc_5D36D6
		mov	al, [esi+16h]
		inc	word ptr [esi+14h]
		and	al, 0FEh
		or	al, 6
		mov	[esi+16h], al
		mov	eax, [esi+10h]
		and	eax, 0C0000001h
		or	eax, 1
		test	byte ptr [ebp+var_14], 2
		mov	[esi+10h], eax
		jnz	short loc_4F9B3D

loc_4F9AE1:				; CODE XREF: MiUnlinkStandbyPfn+103j
					; MiUnlinkStandbyPfn+10Fj
		mov	ecx, [esi+8]
		nop
		mov	eax, [esi+0Ch]
		shrd	ecx, eax, 5
		mov	al, [esi+16h]
		mov	[ebp+var_1], al
		and	ecx, 7
		movzx	eax, al
		shr	eax, 6
		test	eax, eax
		jz	short loc_4F9B5A
		cmp	eax, 2
		jz	short loc_4F9B5F

loc_4F9B04:				; CODE XREF: MiUnlinkStandbyPfn+119j
					; MiUnlinkStandbyPfn+11Ej
		push	ecx
		mov	edx, edi
		xor	ecx, ecx
		call	MiMakeValidPte
		mov	edi, eax
		mov	ecx, ebx
		mov	al, [ebp+var_1]
		or	edi, 42h
		or	al, 10h
		mov	[esi+16h], al
		xor	esi, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5D36E7

loc_4F9B2C:				; CODE XREF: MiUnlinkStandbyPfn+D9CB6j
					; MiUnlinkStandbyPfn+D9CD4j ...
		mov	[ebx+4], edx
		nop
		mov	[ebx], edi
		test	esi, esi
		jnz	short loc_4F9B64

loc_4F9B36:				; CODE XREF: MiUnlinkStandbyPfn+127j
		xor	eax, eax

loc_4F9B38:				; CODE XREF: MiUnlinkStandbyPfn+114j
					; MiUnlinkStandbyPfn+D9C9Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F9B3D:				; CODE XREF: MiUnlinkStandbyPfn+9Bj
		mov	ecx, esi
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		cmp	eax, 2
		jbe	short loc_4F9AE1
		mov	al, [esi+17h]
		and	al, 0FAh
		or	al, 2
		mov	[esi+17h], al
		jmp	short loc_4F9AE1
; 

loc_4F9B55:				; CODE XREF: MiUnlinkStandbyPfn+64j
		push	2
		pop	eax
		jmp	short loc_4F9B38
; 

loc_4F9B5A:				; CODE XREF: MiUnlinkStandbyPfn+B9j
		or	ecx, 8
		jmp	short loc_4F9B04
; 

loc_4F9B5F:				; CODE XREF: MiUnlinkStandbyPfn+BEj
		or	ecx, 18h
		jmp	short loc_4F9B04
; 

loc_4F9B64:				; CODE XREF: MiUnlinkStandbyPfn+F0j
		push	edx
		push	edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	short loc_4F9B36
MiUnlinkStandbyPfn endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpLfhSubsegmentIncBlockCounts proc near ; CODE XREF: RtlpHpLfhSlotAllocate+BB4p
					; RtlpHpLfhSlotAllocate+10EEp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D3737 SIZE 00000087 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		cmp	dword ptr [ebx+14h], 0
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edi
		jz	loc_5D3737
		mov	eax, [ebx+18h]
		mov	al, [eax]
		mov	byte ptr [ebp+var_4+3],	al

loc_4F9BA4:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+D9BCDj
		movzx	ecx, byte ptr [edi+1Ch]
		mov	edx, [ebx+8]
		mov	esi, edx
		movzx	eax, word ptr [edi+1Eh]
		dec	edx
		add	eax, edi
		shr	esi, cl
		lea	edi, [esi+esi]
		mov	[ebp+var_10], edi
		add	edi, eax
		mov	eax, [ebx+0Ch]
		add	eax, edx
		or	edx, 0FFFFFFFFh
		shr	eax, cl
		sub	eax, esi
		mov	[ebp+var_2C], edx
		inc	eax
		mov	[ebp+var_C], edx
		xor	esi, esi
		lea	eax, [edi+eax*2]
		mov	[ebp+var_28], eax
		xor	eax, eax
		mov	[ebp+var_8], eax
		cmp	edi, [ebp+var_28]
		jnb	short loc_4F9C5C

loc_4F9BE3:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+AEj
		mov	ax, [edi]
		movzx	edx, ax

loc_4F9BE9:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+D9BF4j
					; RtlpHpLfhSubsegmentIncBlockCounts+D9C11j
		test	dx, dx
		jg	loc_5D3767
		cmp	dword ptr [ebx+14h], 0
		jz	loc_5D3740
		mov	ecx, [ebp+var_8]
		test	dx, dx
		jnz	loc_5D3784
		dec	ecx
		mov	[ebp+var_8], ecx

loc_4F9C0C:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+D9C23j
					; RtlpHpLfhSubsegmentIncBlockCounts+D9C2Cj
		lea	eax, [edx+1]
		mov	[edi], ax

loc_4F9C12:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+D9C34j
		add	[ebp+var_10], 2
		add	edi, 2
		cmp	edi, [ebp+var_28]
		jb	short loc_4F9BE3
		test	ecx, ecx
		jz	short loc_4F9C4E
		test	byte ptr _RtlpHpLfhPerfFlags, 20h
		jz	short loc_4F9C4E
		mov	eax, [ebp+var_20]
		mov	cl, [eax+1Ch]
		mov	eax, [ebp+var_8]
		shl	eax, cl
		mov	ecx, 1000h
		cdq
		idiv	ecx
		mov	edx, [ebp+var_24]
		movsx	ecx, word ptr [edx+1Eh]
		add	ecx, 0Ch
		add	ecx, edx
		lock xadd [ecx], eax

loc_4F9C4E:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+B2j
					; RtlpHpLfhSubsegmentIncBlockCounts+BBj
		mov	ecx, [ebp+var_C]
		or	edx, 0FFFFFFFFh
		cmp	ecx, edx
		jnz	loc_5D37A7

loc_4F9C5C:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+73j
		mov	eax, [ebx+14h]

loc_4F9C5F:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+D9C4Bj
		test	eax, eax
		jz	short loc_4F9C84
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+var_20]
		add	ecx, 0Ch
		mov	[ebp+var_8], ecx
		cmp	byte ptr [eax+1Dh], 0
		jz	short loc_4F9C92
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4F9C84:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+F3j
					; RtlpHpLfhSubsegmentIncBlockCounts+154j
		mov	eax, [ebp+var_C]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	14h
; 

loc_4F9C92:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+105j
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_4F9CA9
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		or	edx, 0FFFFFFFFh

loc_4F9CA9:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+12Ej
		xor	edi, edi
		mov	[ebp+var_24], edi
		test	ecx, 7FFFFFFCh
		jnz	short loc_4F9CC4

loc_4F9CB6:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+26Aj
					; RtlpHpLfhSubsegmentIncBlockCounts+276j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_4F9C84
; 

loc_4F9CC4:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+146j
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	[ebp+var_28], esi
		mov	esi, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, esi
		mov	[ebp+var_20], esi
		mov	esi, [ebp+var_28]
		jb	short loc_4F9D4A
		cmp	byte ptr dword_6D3994[eax], 1
		jnz	short loc_4F9D4A

loc_4F9CEC:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+1E8j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_2C], eax

loc_4F9CFF:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+1DFj
					; RtlpHpLfhSubsegmentIncBlockCounts+1EAj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_4F9D5A
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4F9DBC
		push	ecx
		push	[ebp+var_2C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_4F9D4A:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+173j
					; RtlpHpLfhSubsegmentIncBlockCounts+17Cj
		cmp	ecx, [ebp+var_20]
		jb	short loc_4F9CFF
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	short loc_4F9CEC
		jmp	short loc_4F9CFF
; 

loc_4F9D5A:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+1BAj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_4F9D70
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_4F9D70:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+1F8j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_24], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_4F9E44
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4F9DBC:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+1C4j
					; RtlpHpLfhSubsegmentIncBlockCounts+2E8j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_2C], eax
		jnz	short loc_4F9DF4

loc_4F9DCF:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+2C5j
					; RtlpHpLfhSubsegmentIncBlockCounts+2D4j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	loc_4F9CB6
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	loc_4F9CB6
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4F9CB6
; 

loc_4F9DF4:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+25Fj
		test	edi, 8000h
		jz	short loc_4F9E05
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4F9E05:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+28Cj
		test	byte ptr [ebp+var_24+2], 1
		jz	short loc_4F9E15
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4F9E15:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+29Bj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4F9E29
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4F9E29:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+2AEj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_4F9DCF
		push	[ebp+var_2C]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_4F9DCF
; 

loc_4F9E44:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+238j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_28]
		jmp	loc_4F9DBC
RtlpHpLfhSubsegmentIncBlockCounts endp

; 
		align 10h
; Exported entry 672. FsRtlTryToAcquireHeaderMutex

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlTryToAcquireHeaderMutex(x, x)
		public _FsRtlTryToAcquireHeaderMutex@8
_FsRtlTryToAcquireHeaderMutex@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+0Ch]
		mov	ecx, [ecx+28h]
		call	@ExTryToAcquireFastMutex@4 ; ExTryToAcquireFastMutex(x)
		test	al, al
		jz	short loc_4F9E83
		cmp	[ebp+arg_4], 0
		jz	short loc_4F9E83
		mov	ecx, [ebp+arg_4]
		lock inc dword ptr [ecx]

loc_4F9E83:				; CODE XREF: FsRtlTryToAcquireHeaderMutex(x,x)+15j
					; FsRtlTryToAcquireHeaderMutex(x,x)+1Bj
		pop	ebp
		retn	8
_FsRtlTryToAcquireHeaderMutex@8	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 144. KeTryToAcquireGuardedMutex

;  S U B	R O U T	I N E 


; __fastcall KeTryToAcquireGuardedMutex(x)
		public @KeTryToAcquireGuardedMutex@4
@KeTryToAcquireGuardedMutex@4 proc near
		mov	edi, edi
		push	ecx
		call	@ExTryToAcquireFastMutex@4 ; ExTryToAcquireFastMutex(x)
		pop	ecx
		retn
@KeTryToAcquireGuardedMutex@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry  80. ExTryToAcquireFastMutex
; Exported entry 106. ExiTryToAcquireFastMutex

;  S U B	R O U T	I N E 


; __fastcall ExTryToAcquireFastMutex(x)
		public @ExTryToAcquireFastMutex@4
@ExTryToAcquireFastMutex@4 proc	near	; CODE XREF: FsRtlTryToAcquireHeaderMutex(x,x)+Ep
					; KeTryToAcquireGuardedMutex(x)+3p ...
		mov	edi, edi	; ExTryToAcquireFastMutex
		push	ecx
		push	esi
		push	edi
		push	1
		xor	edx, edx
		mov	edi, ecx
		call	KeAbPreAcquire
		mov	cl, 1
		mov	esi, eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		lock btr dword ptr [edi], 0
		jnb	short loc_4F9EDB
		test	esi, esi
		jz	short loc_4F9EC5
		or	byte ptr [esi+0Eh], 1

loc_4F9EC5:				; CODE XREF: ExTryToAcquireFastMutex(x)+23j
		mov	ecx, large fs:124h
		mov	[edi+4], ecx
		movzx	ecx, al
		mov	al, 1
		mov	[edi+1Ch], ecx

loc_4F9ED7:				; CODE XREF: ExTryToAcquireFastMutex(x)+58j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_4F9EDB:				; CODE XREF: ExTryToAcquireFastMutex(x)+1Fj
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_4F9EF0
		mov	edx, esi
		mov	ecx, edi
		call	KeAbPostReleaseEx

loc_4F9EF0:				; CODE XREF: ExTryToAcquireFastMutex(x)+49j
		pause
		xor	al, al
		jmp	short loc_4F9ED7
@ExTryToAcquireFastMutex@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnActiveTraceGetNext proc near	; CODE XREF: PfSnNameRemoveAll(x):loc_7C59D9p

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005D37BE SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_6D4958
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	esi, [edi+8]
		test	edi, edi
		jz	short loc_4F9F6D

loc_4F9F1B:				; CODE XREF: PfSnActiveTraceGetNext+7Cj
		mov	esi, [esi]

loc_4F9F1D:				; CODE XREF: PfSnActiveTraceGetNext+85j
		cmp	esi, offset _PfSnGlobals
		jz	short loc_4F9F74
		lea	ebx, [esi-4]
		lea	ecx, [ebx+104h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_4F9F78

loc_4F9F37:				; CODE XREF: PfSnActiveTraceGetNext+80j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_6D4958
		jnz	loc_5D37BE
		xor	eax, eax
		lock and [ecx],	eax

loc_4F9F4E:				; CODE XREF: PfSnActiveTraceGetNext+D98D0j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_4F9F66
		lea	ecx, [edi+104h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_4F9F66:				; CODE XREF: PfSnActiveTraceGetNext+63j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_4F9F6D:				; CODE XREF: PfSnActiveTraceGetNext+23j
		mov	esi, offset dword_6D4954
		jmp	short loc_4F9F1B
; 

loc_4F9F74:				; CODE XREF: PfSnActiveTraceGetNext+2Dj
		xor	ebx, ebx
		jmp	short loc_4F9F37
; 

loc_4F9F78:				; CODE XREF: PfSnActiveTraceGetNext+3Fj
		mov	esi, [esi+4]
		jmp	short loc_4F9F1D
PfSnActiveTraceGetNext endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnNameRemove(x, x)
_PfSnNameRemove@8 proc near		; CODE XREF: PfSnNameRemoveAll(x)+19p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	edi
		mov	[ebp+var_10], esi
		lea	ebx, [esi+180h]
		push	ebx
		call	ExAcquireSpinLockExclusive
		lea	edi, [esi+164h]
		mov	[ebp+var_1], al
		test	byte ptr [edi+4], 1
		mov	esi, [edi]
		jz	short loc_4F9FB8
		test	esi, esi
		jz	short loc_4F9FB8
		xor	esi, edi

loc_4F9FB8:				; CODE XREF: PfSnNameRemove(x,x)+32j
					; PfSnNameRemove(x,x)+36j
		movzx	ecx, byte ptr [edi+4]
		and	ecx, 1
		test	esi, esi
		jz	short loc_4F9FDF
		mov	edx, [ebp+var_8]

loc_4F9FC6:				; CODE XREF: PfSnNameRemove(x,x)+57j
		cmp	[esi+0Ch], edx
		jbe	short loc_4F9FD9
		mov	eax, [esi]

loc_4F9FCD:				; CODE XREF: PfSnNameRemove(x,x)+83j
		test	ecx, ecx
		jnz	short loc_4F9FF6

loc_4F9FD1:				; CODE XREF: PfSnNameRemove(x,x)+7Aj
		mov	esi, eax

loc_4F9FD3:				; CODE XREF: PfSnNameRemove(x,x)+7Ej
		test	esi, esi
		jnz	short loc_4F9FC6
		jmp	short loc_4F9FDF
; 

loc_4F9FD9:				; CODE XREF: PfSnNameRemove(x,x)+4Bj
		jb	short loc_4F9FFE
		test	esi, esi
		jnz	short loc_4FA003

loc_4F9FDF:				; CODE XREF: PfSnNameRemove(x,x)+43j
					; PfSnNameRemove(x,x)+59j
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4F9FEE:				; CODE XREF: PfSnNameRemove(x,x)+B5j
		mov	eax, [ebp+var_C]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4F9FF6:				; CODE XREF: PfSnNameRemove(x,x)+51j
		test	eax, eax
		jz	short loc_4F9FD1
		xor	esi, eax
		jmp	short loc_4F9FD3
; 

loc_4F9FFE:				; CODE XREF: PfSnNameRemove(x,x):loc_4F9FD9j
		mov	eax, [esi+4]
		jmp	short loc_4F9FCD
; 

loc_4FA003:				; CODE XREF: PfSnNameRemove(x,x)+5Fj
		push	esi
		push	edi
		call	RtlRbRemoveNode
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+var_8]
		call	_PfSnNamesCacheRemove@8	; PfSnNamesCacheRemove(x,x)
		push	0
		push	esi
		mov	[ebp+var_C], 1
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4F9FEE
_PfSnNameRemove@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PfSnNamesCacheRemove(x, x)
_PfSnNamesCacheRemove@8	proc near	; CODE XREF: PfSnNameRemove(x,x)+A1p
		add	ecx, 154h
		push	esi
		xor	esi, esi
		lea	eax, [ecx+10h]
		cmp	eax, ecx
		sbb	eax, eax
		and	eax, 0FFFFFFFCh
		add	eax, 4
		jz	short loc_4FA05A

loc_4FA04E:				; CODE XREF: PfSnNamesCacheRemove(x,x)+22j
		cmp	[ecx], edx
		jz	short loc_4FA05C

loc_4FA052:				; CODE XREF: PfSnNamesCacheRemove(x,x)+29j
		add	ecx, 4
		inc	esi
		cmp	esi, eax
		jb	short loc_4FA04E

loc_4FA05A:				; CODE XREF: PfSnNamesCacheRemove(x,x)+16j
		pop	esi
		retn
; 

loc_4FA05C:				; CODE XREF: PfSnNamesCacheRemove(x,x)+1Aj
		and	dword ptr [ecx], 0
		jmp	short loc_4FA052
_PfSnNamesCacheRemove@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiNoFaultFound	proc near		; CODE XREF: .text:004B029Cp
					; MiRaisedIrqlFault+135p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005D37CB SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], eax
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	ecx, [eax+4]
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_4], eax
		mov	eax, ebx
		push	esi
		xor	esi, esi
		and	eax, 20h
		or	eax, esi
		mov	edx, esi
		push	edi
		mov	edi, esi
		jz	short loc_4FA109
		mov	eax, [ebp+arg_4]
		test	al, 1
		jnz	short loc_4FA0F8

loc_4FA097:				; CODE XREF: MiNoFaultFound+9Cj
		test	ds:_MiFlags, 300h
		jz	loc_5D37CB

loc_4FA0A7:				; CODE XREF: MiNoFaultFound+9Ej
					; MiNoFaultFound+B6j ...
		test	cl, 2
		jz	short loc_4FA0C5
		mov	ecx, ebx
		and	ecx, 42h
		mov	eax, ecx
		or	eax, esi
		jnz	short loc_4FA102

loc_4FA0B7:				; CODE XREF: MiNoFaultFound+A3j
		cmp	ecx, 40h
		jnz	short loc_4FA0BF
		xor	edi, edi
		inc	edi

loc_4FA0BF:				; CODE XREF: MiNoFaultFound+58j
		xor	edx, edx
		or	ebx, 62h
		inc	edx

loc_4FA0C5:				; CODE XREF: MiNoFaultFound+48j
					; MiNoFaultFound+A5j
		mov	ecx, [ebp+var_4]
		test	edx, edx
		jz	short loc_4FA0E7
		mov	eax, [ebp+arg_C]
		mov	edx, [ebp+arg_10]
		nop
		mov	esi, [ebp+var_8]
		lock cmpxchg8b qword ptr [esi]
		push	0
		pop	esi
		cmp	eax, [ebp+arg_C]
		jnz	short loc_4FA11A
		cmp	edx, [ebp+arg_10]
		jnz	short loc_4FA11A

loc_4FA0E7:				; CODE XREF: MiNoFaultFound+68j
		test	edi, edi
		jnz	loc_5D37D3

loc_4FA0EF:				; CODE XREF: MiNoFaultFound+D977Bj
					; MiNoFaultFound+D979Fj
		mov	eax, edi

loc_4FA0F1:				; CODE XREF: MiNoFaultFound+BAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_4FA0F8:				; CODE XREF: MiNoFaultFound+33j
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	5
		jnz	short loc_4FA097
		jmp	short loc_4FA0A7
; 

loc_4FA102:				; CODE XREF: MiNoFaultFound+53j
		cmp	ecx, 40h
		jz	short loc_4FA0B7
		jmp	short loc_4FA0C5
; 

loc_4FA109:				; CODE XREF: MiNoFaultFound+2Cj
		mov	ebx, [ebp+arg_C]
		xor	edx, edx
		mov	eax, [ebp+arg_10]
		or	ebx, 20h
		mov	[ebp+var_4], eax
		inc	edx
		jmp	short loc_4FA0A7
; 

loc_4FA11A:				; CODE XREF: MiNoFaultFound+7Ej
					; MiNoFaultFound+83j
		xor	eax, eax
		jmp	short loc_4FA0F1
MiNoFaultFound	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockSetPfnPriority proc near		; CODE XREF: .text:0045804Fp
					; .text:0045896Ap ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D3806 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		lea	esi, [edi+10h]

loc_4FA132:				; CODE XREF: MiLockSetPfnPriority+D96F6j
		lock bts dword ptr [esi], 1Fh
		jb	loc_5D3806
		mov	al, [edi+17h]
		xor	al, bl
		and	al, 7
		xor	[edi+17h], al
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiLockSetPfnPriority endp


;  S U B	R O U T	I N E 


sub_4FA154	proc near		; CODE XREF: .text:005222A7p
					; PAGE:007F62A4p ...

; FUNCTION CHUNK AT 005D3819 SIZE 000000CC BYTES
; FUNCTION CHUNK AT 005D3969 SIZE 00000008 BYTES

		cmp	_ViVerifierEnabled, 0
		jnz	loc_5D3819

loc_4FA161:				; CODE XREF: sub_4FA154+D96D8j
		push	20206F49h
		push	edx
		push	200h
		call	ExAllocatePoolWithQuotaTag

locret_4FA171:				; CODE XREF: sub_4FA154+D96FEj
		retn
sub_4FA154	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUpdateLargePageBitMap	proc near	; CODE XREF: MiFreeMdlPageRun(x,x,x)+A3p
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+71Ep ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D38E5 SIZE 00000084 BYTES
; FUNCTION CHUNK AT 005D3971 SIZE 000001F8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_14], ecx
		lea	edi, [ebp+var_28]
		mov	esi, edx
		stosd
		mov	[ebp+var_10], esi
		stosd
		stosd
		mov	edi, [ebp+arg_0]
		cmp	edi, 200h
		jb	loc_4FA229
		and	[ebp+var_C], 0
		xor	eax, eax
		inc	eax
		push	ebx

loc_4FA1A3:				; CODE XREF: MiUpdateLargePageBitMap+D9985j
		dec	eax
		mov	[ebp+var_8], eax
		lea	ebx, ds:0B04h[eax*8]
		add	ebx, ecx
		cmp	dword ptr [ebx], 0
		jz	short loc_4FA220
		mov	ecx, ds:_MiLargePageSizes[eax*4]
		xor	edx, edx
		mov	eax, esi
		mov	[ebp+var_4], ecx
		div	ecx
		add	ecx, [ebp+var_10]
		xor	edx, edx
		mov	esi, eax
		lea	eax, [edi-1]
		add	eax, ecx
		mov	ecx, [ebp+var_4]
		neg	ecx
		and	eax, ecx
		div	[ebp+var_4]
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		mov	edi, ecx
		mov	[ebp+var_18], ecx
		sub	edi, esi
		mov	[ebp+arg_0], edi
		cmp	[ebp+arg_8], edx
		jz	short loc_4FA253
		mov	eax, [ebx]
		cmp	[ebp+arg_4], edx
		jz	short loc_4FA22F
		cmp	esi, eax
		jnb	loc_5D38E5
		cmp	edi, edx
		ja	loc_5D38EC
		jnz	loc_5D38E5
		mov	eax, [ebx+4]
		bt	[eax], esi
		setb	dl
		neg	dl
		sbb	dl, dl

loc_4FA219:				; CODE XREF: MiUpdateLargePageBitMap+D97B9j
		inc	dl

loc_4FA21B:				; CODE XREF: MiUpdateLargePageBitMap+DCj
					; sub_4FA154+D974Fj ...
		cmp	dl, 1
		jnz	short loc_4FA250

loc_4FA220:				; CODE XREF: MiUpdateLargePageBitMap+41j
					; MiUpdateLargePageBitMap+10Aj	...
		xor	ebx, ebx
		inc	ebx
		cmp	[ebp+var_C], ebx
		jz	short loc_4FA283

loc_4FA228:				; CODE XREF: MiUpdateLargePageBitMap+149j
		pop	ebx

loc_4FA229:				; CODE XREF: MiUpdateLargePageBitMap+23j
		pop	edi
		pop	esi
		leave
		retn	0Ch
; 

loc_4FA22F:				; CODE XREF: MiUpdateLargePageBitMap+82j
		cmp	esi, eax
		jnb	loc_5D38E5
		cmp	edi, edx
		ja	loc_5D3863
		jnz	loc_5D38E5
		mov	eax, [ebx+4]
		bt	[eax], esi
		setb	dl
		jmp	short loc_4FA21B
; 

loc_4FA250:				; CODE XREF: MiUpdateLargePageBitMap+ACj
		xor	edx, edx
		inc	edx

loc_4FA253:				; CODE XREF: MiUpdateLargePageBitMap+7Bj
		cmp	[ebp+var_C], 0
		jnz	short loc_4FA269
		mov	[ebp+var_C], edx
		mov	ecx, offset unk_6D07C0
		lea	edx, [ebp+var_28]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)

loc_4FA269:				; CODE XREF: MiUpdateLargePageBitMap+E5j
		cmp	[ebp+arg_4], 1
		push	edi
		push	esi
		push	ebx
		jnz	short loc_4FA2C0
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)

loc_4FA277:				; CODE XREF: MiUpdateLargePageBitMap+153j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_4FA220
		jmp	loc_5D3971
; 

loc_4FA283:				; CODE XREF: MiUpdateLargePageBitMap+B4j
		test	ds:byte_70EFC6,	1
		jnz	loc_5D3B3F
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_5D3B57
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jnz	loc_5D3B4F

loc_4FA2B2:				; CODE XREF: MiUpdateLargePageBitMap+D99D8j
					; MiUpdateLargePageBitMap+D99F2j
		mov	cl, [ebp+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4FA228
; 

loc_4FA2C0:				; CODE XREF: MiUpdateLargePageBitMap+FEj
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		jmp	short loc_4FA277
MiUpdateLargePageBitMap	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpDoQueryKeyName proc near		; CODE XREF: CmpQueryKeyName+1Dp

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_37		= byte ptr -37h
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D3B69 SIZE 00000059 BYTES
; FUNCTION CHUNK AT 005D3BF2 SIZE 0000003F BYTES

		push	7Ch
		push	offset dword_6A3838
		call	__SEH_prolog4_GS
		mov	esi, ecx
		mov	[ebp+var_50], esi
		mov	[ebp+var_70], esi
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_48], eax
		xor	edx, edx
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], edx
		push	7
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_8C]
		rep stosd
		mov	ebx, edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_35], dl
		mov	[ebp+var_37], dl
		mov	byte ptr [ebp+var_44], dl
		push	6
		pop	ecx
		lea	edi, [ebp+var_34]
		rep stosd
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_58], eax
		mov	[ebp+var_5C], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		cmp	_CmpCallBackCount, edx
		jz	loc_4FA523
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	loc_4FA523
		mov	[ebp+var_8C], esi
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_88], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_84], eax
		mov	eax, [ebp+var_48]
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	esi
		push	30h
		push	ecx
		lea	edx, [ebp+var_8C]
		push	2Fh
		pop	ecx
		call	_CmpCallCallBacks@24 ; CmpCallCallBacks(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_5D3B69
		xor	eax, eax
		inc	eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_37], al
		mov	esi, [ebp+var_50]

loc_4FA392:				; CODE XREF: CmpDoQueryKeyName+262j
		lea	ecx, [ebp+var_34]
		call	CmpAttachToRegistryProcess
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ebx, [esi+8]
		mov	[ebp+var_54], ebx
		test	bl, 1
		jnz	loc_5D3B80
		test	byte ptr [esi+1Ch], 2
		jnz	short loc_4FA3C1
		mov	ecx, ebx
		call	_CmpLockKcbShared@4 ; CmpLockKcbShared(x)
		mov	al, byte ptr [ebp+var_44]
		mov	[ebp+var_35], al

loc_4FA3C1:				; CODE XREF: CmpDoQueryKeyName+EAj
					; CmpDoQueryKeyName+D98BEj
		xor	edx, edx
		mov	ecx, esi
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_5D3BF2
		cmp	_CmpVEEnabled, 0
		jz	short loc_4FA3EA
		test	dword ptr [ebx+68h], 1000000h
		jnz	loc_5D3B8B

loc_4FA3EA:				; CODE XREF: CmpDoQueryKeyName+113j
		mov	ecx, ebx
		call	_CmpConstructName@4 ; CmpConstructName(x)
		mov	edi, eax

loc_4FA3F3:				; CODE XREF: CmpDoQueryKeyName+D98D4j
		mov	[ebp+var_3C], edi

loc_4FA3F6:				; CODE XREF: CmpDoQueryKeyName+D98DCj
		mov	al, [ebp+var_35]
		test	edi, edi
		jz	loc_5D3BA9
		test	al, al
		jz	short loc_4FA40C
		mov	ecx, ebx
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)

loc_4FA40C:				; CODE XREF: CmpDoQueryKeyName+13Bj
		xor	al, al
		mov	[ebp+var_35], al
		mov	[ebp+var_36], al
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		lea	ecx, [ebp+var_34]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		xor	cl, cl
		mov	[ebp+var_44], ecx
		mov	[ebp+var_3D], cl
		mov	esi, [ebp+var_48]
		cmp	[ebp+arg_4], 8
		jbe	loc_5D3BB3
		mov	edx, [ebp+var_4C]
		add	edx, 8
		mov	eax, [edi+4]
		mov	[ebp+var_68], eax
		movzx	ecx, word ptr [edi]
		add	ecx, 2
		lea	eax, [ecx+8]
		mov	[esi], eax
		mov	eax, [ebp+arg_4]
		add	eax, 0FFFFFFF8h
		cmp	ecx, eax
		ja	loc_4FA50E
		xor	esi, esi

loc_4FA45D:				; CODE XREF: CmpDoQueryKeyName+253j
		sub	ecx, 2
		mov	[ebp+var_48], ecx
		and	[ebp+ms_exc.disabled], 0
		push	ecx		; size_t
		push	[ebp+var_68]	; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_48]
		shr	eax, 1
		mov	edx, [ebp+var_4C]
		add	edx, 8
		xor	ecx, ecx
		mov	[edx+eax*2], cx
		mov	ecx, [ebp+var_48]
		movzx	eax, cx
		mov	ecx, [ebp+var_4C]
		mov	[ecx], ax
		mov	[ecx+2], ax
		mov	[ecx+4], edx
		mov	edi, [ebp+var_3C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, [ebp+var_36]

loc_4FA4A5:				; CODE XREF: CmpDoQueryKeyName+259j
					; CmpDoQueryKeyName+D98ABj ...
		test	al, al
		jnz	loc_5D3BFD

loc_4FA4AD:				; CODE XREF: CmpDoQueryKeyName+D993Cj
		mov	ebx, [ebp+var_44]
		test	bl, bl
		jnz	loc_5D3C09

loc_4FA4B8:				; CODE XREF: CmpDoQueryKeyName+D9948j
					; CmpDoQueryKeyName+D9956j
		cmp	[ebp+var_37], 0
		jz	short loc_4FA4D5
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_8C]
		push	eax
		push	esi
		mov	edx, [ebp+var_50]
		push	30h
		pop	ecx
		call	_CmPostCallbackNotification@20 ; CmPostCallbackNotification(x,x,x,x,x)

loc_4FA4D5:				; CODE XREF: CmpDoQueryKeyName+1F4j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[ebp+var_60], 0
		jnz	loc_5D3C23
		test	edi, edi
		jz	short loc_4FA4FA
		push	624E4D43h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4FA4FA:				; CODE XREF: CmpDoQueryKeyName+225j
					; CmpDoQueryKeyName+D9964j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_4FA50E:				; CODE XREF: CmpDoQueryKeyName+18Dj
		mov	ecx, eax
		mov	esi, 0C0000004h
		mov	al, [ebp+var_35]
		cmp	ecx, 2
		jnb	loc_4FA45D
		jmp	short loc_4FA4A5
; 

loc_4FA523:				; CODE XREF: CmpDoQueryKeyName+68j
					; CmpDoQueryKeyName+7Aj
		mov	[ebp+var_44], 1
		jmp	loc_4FA392
CmpDoQueryKeyName endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MmGetCurrentProcessorColor()
_MmGetCurrentProcessorColor@0 proc near	; CODE XREF: MiMapViewOfImageSection+13Bp
					; MiReserveUserMemory+85p ...
		mov	eax, large fs:20h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		retn
_MmGetCurrentProcessorColor@0 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1151. KeGetCurrentNodeNumber

;  S U B	R O U T	I N E 


; __stdcall KeGetCurrentNodeNumber()
		public _KeGetCurrentNodeNumber@0
_KeGetCurrentNodeNumber@0 proc near
		mov	eax, large fs:20h
		mov	eax, [eax+338h]
		mov	ax, [eax+8Ah]
		retn
_KeGetCurrentNodeNumber@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpLfhBucketUpdateAffinityMapping proc near ; CODE XREF: RtlpHpLfhSlotAllocate+E2Cp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D3C31 SIZE 000000AD BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		push	0
		mov	[ebp+var_40], edi
		mov	[ebp+var_4C], esi
		call	_KeGetCurrentProcessorNumberEx@4 ; KeGetCurrentProcessorNumberEx(x)
		mov	ecx, eax
		mov	al, [esi+1Ch]
		and	ecx, 7
		movzx	edx, al
		mov	[ebp+var_44], ecx
		cmp	ecx, edx
		jnb	loc_5D3C31

loc_4FA5AB:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+D96EAj
		mov	eax, [edi+30h]
		mov	edx, large fs:124h
		mov	al, [ecx+eax]
		mov	[ebp+var_E], al
		movzx	eax, byte ptr [edx+3A1h]
		cmp	eax, ecx
		jz	short loc_4FA5DF
		mov	[edx+3A1h], cl

loc_4FA5CC:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+252j
					; RtlpHpLfhBucketUpdateAffinityMapping+266j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4FA5DF:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+66j
		movzx	edx, byte ptr [esi+1Dh]
		lea	esi, [edi+2Ch]
		and	[ebp+var_C], 0
		mov	ecx, esi
		and	[ebp+var_8], 0
		mov	[ebp+var_3C], esi
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	cl, [ebp+var_E]
		mov	[ebp+var_D], al
		mov	eax, [edi+30h]
		mov	edi, [ebp+var_44]
		mov	[ebp+var_38], eax
		cmp	cl, [eax+edi]
		jnz	short loc_4FA674
		mov	ecx, [ebp+var_4C]
		movzx	edx, byte ptr [ecx+1Ch]
		xor	ecx, ecx
		mov	[ebp+var_34], edx
		test	edx, edx
		jz	short loc_4FA62E
		mov	esi, eax

loc_4FA61E:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+CBj
		movzx	eax, byte ptr [esi+ecx]
		inc	byte ptr [ebp+eax+var_C]
		inc	ecx
		cmp	ecx, edx
		jb	short loc_4FA61E
		mov	esi, [ebp+var_3C]

loc_4FA62E:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+BCj
		movzx	eax, [ebp+var_E]
		cmp	byte ptr [ebp+eax+var_C], 1
		jz	short loc_4FA674
		inc	eax
		mov	[ebp+var_48], eax
		mov	ecx, eax
		cmp	eax, edx
		jnb	short loc_4FA655

loc_4FA643:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+296j
		mov	al, byte ptr [ebp+ecx+var_C]
		mov	[ebp+var_E], al
		test	al, al
		mov	eax, [ebp+var_48]
		jnz	loc_4FA7E1

loc_4FA655:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+E3j
					; RtlpHpLfhBucketUpdateAffinityMapping+29Cj
		cmp	byte ptr [ebp+eax+var_C], 0
		jnz	loc_4FA7FF
		mov	eax, [ebp+var_40]
		mov	cl, [eax+29h]
		cmp	cl, 1Eh
		jnb	loc_4FA80A
		inc	cl
		mov	[eax+29h], cl

loc_4FA674:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+ACj
					; RtlpHpLfhBucketUpdateAffinityMapping+D9j ...
		mov	eax, [ebp+var_4C]
		cmp	byte ptr [eax+1Dh], 0
		jnz	loc_4FA7B5
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_38], ecx
		mov	eax, ecx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4FA9FA

loc_4FA697:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+4A3j
		xor	edi, edi
		mov	[ebp+var_34], edi
		test	esi, 7FFFFFFCh
		jz	loc_4FA7A4
		mov	eax, [ebp+var_3C]
		mov	edx, eax
		mov	esi, large fs:124h
		mov	ecx, dword_6D07D0
		shr	edx, 15h
		cmp	eax, ecx
		push	0FFFFFFFFh
		mov	[ebp+var_30], ecx
		mov	[ebp+var_40], esi
		pop	ecx
		jb	short loc_4FA6D7
		cmp	byte ptr dword_6D3994[edx], 1
		jz	loc_4FA7C9

loc_4FA6D7:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+16Aj
		cmp	eax, [ebp+var_30]
		jb	short loc_4FA6E9
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jz	loc_4FA7C9

loc_4FA6E9:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+17Cj
					; RtlpHpLfhBucketUpdateAffinityMapping+27Ej
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp+var_D], dl
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_4FA9CF
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4FAAE8

loc_4FA72A:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+592j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_34], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_D], 1
		mov	edx, eax
		jnz	loc_5D3CA6
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4FA776:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+479j
					; RtlpHpLfhBucketUpdateAffinityMapping+D975Aj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_50], eax
		jnz	loc_4FAA63

loc_4FA78D:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+53Ej
					; RtlpHpLfhBucketUpdateAffinityMapping+D977Bj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4FA7A4
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_4FAAF5

loc_4FA7A4:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+144j
					; RtlpHpLfhBucketUpdateAffinityMapping+238j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_4FA5CC
; 

loc_4FA7B5:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+11Dj
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4FA5CC
; 

loc_4FA7C9:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+173j
					; RtlpHpLfhBucketUpdateAffinityMapping+185j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_3C]
		jmp	loc_4FA6E9
; 

loc_4FA7E1:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+F1j
		mov	dl, [ebp+var_E]
		cmp	dl, byte ptr [ebp+eax+var_C]
		mov	edx, [ebp+var_34]
		jb	loc_4FAAA7

loc_4FA7F1:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+54Ej
		inc	ecx
		cmp	ecx, edx
		jb	loc_4FA643
		jmp	loc_4FA655
; 

loc_4FA7FF:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+FCj
		mov	ecx, [ebp+var_38]
		mov	[ecx+edi], al
		jmp	loc_4FA674
; 

loc_4FA80A:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+10Bj
		mov	eax, [ebp+var_4C]
		cmp	byte ptr [eax+1Dh], 0
		jz	loc_4FA899
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4FA826:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+46Cj
		and	[ebp+var_34], 0
		mov	esi, [ebp+var_40]
		mov	ecx, [ebp+var_48]
		push	2
		pop	eax
		mov	esi, [esi+34h]
		mov	word ptr [ebp+var_34], ax
		mov	eax, ecx
		mov	edx, [ebp+var_34]
		shl	eax, 2
		mov	[ebp+var_30], eax
		add	esi, eax
		xor	eax, eax
		lock cmpxchg [esi], edx
		test	eax, eax
		jnz	loc_4FA5CC
		mov	esi, [ebp+var_40]
		mov	edx, esi
		push	ecx
		mov	ecx, [ebp+var_4C]
		call	_RtlpHpLfhBucketAllocateSlot@12	; RtlpHpLfhBucketAllocateSlot(x,x,x)
		mov	ecx, [esi+34h]
		mov	edx, [ebp+var_30]
		mov	[edx+ecx], eax
		test	eax, eax
		jz	loc_4FA5CC
		and	[ebp+var_50], 0
		lea	eax, [ebp+var_50]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [ebp+var_48]
		mov	al, cl
		inc	al
		mov	[esi+2], al
		mov	eax, [esi+30h]
		mov	[edi+eax], cl
		mov	byte ptr [esi+29h], 0
		jmp	loc_4FA5CC
; 

loc_4FA899:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+2B3j
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_38], ecx
		mov	eax, ecx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4FAA06

loc_4FA8AF:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+4AFj
		xor	edi, edi
		mov	[ebp+var_34], edi
		test	esi, 7FFFFFFCh
		jz	loc_4FA9BB
		mov	eax, large fs:124h
		mov	edx, esi
		mov	ecx, dword_6D07D0
		shr	edx, 15h
		cmp	esi, ecx
		push	0FFFFFFFFh
		mov	[ebp+var_30], ecx
		mov	[ebp+var_14], eax
		pop	ecx
		jb	short loc_4FA8EB
		cmp	byte ptr dword_6D3994[edx], 1
		jz	loc_4FA9E2

loc_4FA8EB:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+37Ej
		cmp	esi, [ebp+var_30]
		jb	short loc_4FA8FD
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jz	loc_4FA9E2

loc_4FA8FD:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+390j
					; RtlpHpLfhBucketUpdateAffinityMapping+497j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	dl, [eax+1E6h]
		mov	[ebp+var_D], dl
		mov	edx, esi
		push	ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_4FAAB1
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4FAAC9

loc_4FA93E:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+573j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_34], edi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [ebp+var_14]
		mov	dword ptr [ecx+10h], 0
		push	30h
		sub	ecx, [eax+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_D], 1
		mov	edx, eax
		jnz	loc_5D3C69
		mov	eax, [ebp+var_14]
		movzx	ecx, byte ptr [eax+1E4h]
		bts	ecx, edx
		mov	[eax+1E4h], cl

loc_4FA990:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+566j
					; RtlpHpLfhBucketUpdateAffinityMapping+D9723j
		nop
		dec	byte ptr [eax+1E6h]
		mov	ecx, edi
		and	ecx, 1FFFFh
		mov	[ebp+var_30], ecx
		jnz	short loc_4FAA12

loc_4FA9A4:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+500j
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_4FA9BB
		nop
		add	eax, 70h
		cmp	[eax], eax
		jnz	loc_4FAADE

loc_4FA9BB:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+35Cj
					; RtlpHpLfhBucketUpdateAffinityMapping+44Fj ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp+var_44]
		jmp	loc_4FA826
; 

loc_4FA9CF:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+1B4j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_4FA776
		jmp	loc_5D3C56
; 

loc_4FA9E2:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+387j
					; RtlpHpLfhBucketUpdateAffinityMapping+399j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_14]
		jmp	loc_4FA8FD
; 

loc_4FA9FA:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+133j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_4FA697
; 

loc_4FAA06:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+34Bj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_4FA8AF
; 

loc_4FAA12:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+444j
		test	edi, 8000h
		jz	short loc_4FAA26
		xor	edx, edx
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+var_14]

loc_4FAA26:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+4BAj
		test	byte ptr [ebp+var_34+2], 1
		jnz	loc_5D3C86

loc_4FAA30:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+D9732j
		mov	eax, 7FFFh
		test	edi, eax
		jz	loc_4FAAD6
		and	edi, eax
		mov	edx, edi
		mov	edi, [ebp+var_14]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4FAA4B:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+57Bj
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5D3C95

loc_4FAA5B:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+D9743j
		mov	eax, [ebp+var_14]
		jmp	loc_4FA9A4
; 

loc_4FAA63:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+229j
		test	edi, 8000h
		jz	short loc_4FAA74
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4FAA74:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+50Bj
		test	byte ptr [ebp+var_34+2], 1
		jnz	loc_5D3CBD

loc_4FAA7E:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+D9769j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4FAA92
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4FAA92:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+527j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4FA78D
		jmp	loc_5D3CCC
; 

loc_4FAAA7:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+28Dj
		mov	eax, ecx
		mov	[ebp+var_48], eax
		jmp	loc_4FA7F1
; 

loc_4FAAB1:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+3C8j
		mov	ecx, [ebp+var_14]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_5D3C4D
		mov	eax, ecx
		jmp	loc_4FA990
; 

loc_4FAAC9:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+3DAj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]
		jmp	loc_4FA93E
; 

loc_4FAAD6:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+4D9j
		mov	edi, [ebp+var_14]
		jmp	loc_4FAA4B
; 

loc_4FAADE:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+457j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4FA9BB
; 

loc_4FAAE8:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+1C6j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]
		jmp	loc_4FA72A
; 

loc_4FAAF5:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+240j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4FA7A4
RtlpHpLfhBucketUpdateAffinityMapping endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhBucketAllocateSlot(x, x, x)
_RtlpHpLfhBucketAllocateSlot@12	proc near
					; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+300p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, _RtlpHpLfhPerfFlags
		push	ebx
		mov	ebx, ecx
		shr	eax, 0Ah
		push	esi
		push	edi
		and	eax, 1
		mov	[ebp+var_4], edx
		mov	edi, [ebx+14h]
		xor	edi, _RtlpHpHeapGlobals
		mov	esi, [ebx]
		xor	edi, ebx
		inc	eax
		shl	eax, 6
		push	eax
		push	esi
		call	edi
		mov	esi, eax
		test	esi, esi
		jz	short loc_4FAB4F
		push	8
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		mov	eax, [ebp+var_4]
		mov	ecx, esi
		push	ebx
		push	[ebp+arg_0]
		movzx	edx, byte ptr [eax+1]
		call	_RtlpHpLfhOwnerInitialize@16 ; RtlpHpLfhOwnerInitialize(x,x,x,x)

loc_4FAB4F:				; CODE XREF: RtlpHpLfhBucketAllocateSlot(x,x,x)+32j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_RtlpHpLfhBucketAllocateSlot@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpLfhContextAllocate proc near	; CODE XREF: RtlpHpAllocateHeap+146p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D3CDE SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	edx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ecx
		cmp	ebx, edx
		jnz	loc_5D3CDE

loc_4FAB70:				; CODE XREF: RtlpHpLfhContextAllocate+D9189j
		lea	eax, [edx+7]
		shr	eax, 3
		movzx	esi, ds:_RtlpLfhBucketIndexMap[eax]
		mov	eax, [edi+esi*4+80h]
		test	al, 1
		jz	short loc_4FABA0
		push	1
		call	_RtlpHpLfhBucketUpdateStats@12 ; RtlpHpLfhBucketUpdateStats(x,x,x)
		test	eax, eax
		jnz	short loc_4FABA0
		or	esi, 0FFFFFFFFh

loc_4FAB96:				; CODE XREF: RtlpHpLfhContextAllocate+9Fj
					; RtlpHpLfhContextAllocate+A5j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_4FABA0:				; CODE XREF: RtlpHpLfhContextAllocate+2Ej
					; RtlpHpLfhContextAllocate+39j
		mov	eax, [edi+esi*4+80h]
		mov	esi, _RtlpHpLfhPerfFlags
		movzx	edx, byte ptr [edi+1Ch]
		shr	esi, 0Ah
		and	esi, 1
		mov	[ebp+arg_0], eax
		inc	esi
		lea	ecx, [edx-1]
		shl	esi, 6
		and	ecx, 3
		mov	eax, esi
		sub	eax, ecx
		add	edx, 3
		mov	ecx, [ebp+arg_0]
		add	edx, eax
		cmp	byte ptr [ecx+2], 1
		jnz	loc_5D3CE6
		xor	al, al

loc_4FABDC:				; CODE XREF: RtlpHpLfhContextAllocate+D91A0j
		push	[ebp+arg_4]
		movzx	eax, al
		push	ebx
		lea	eax, [edx+eax*4]
		mov	edx, ecx
		mov	eax, [eax+ecx]
		mov	ecx, edi
		push	eax
		call	RtlpHpLfhSlotAllocate
		mov	esi, eax
		test	esi, esi
		jz	short loc_4FAB96
		test	byte ptr [ebp+arg_4], 2
		jz	short loc_4FAB96
		jmp	loc_5D3CFD
RtlpHpLfhContextAllocate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhBucketUpdateStats(x, x, x)
_RtlpHpLfhBucketUpdateStats@12 proc near ; CODE	XREF: RtlpHpSegFree+94p
					; RtlpHpLfhContextAllocate+32p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		lea	eax, [edx+7]
		shr	eax, 3
		push	esi
		push	edi
		mov	esi, ecx
		movzx	edi, ds:_RtlpLfhBucketIndexMap[eax]
		mov	eax, [esi+edi*4+80h]
		test	al, 1
		jz	short loc_4FAC4C
		push	[ebp+arg_0]
		mov	edx, edi
		call	RtlpLfhBucketUsageUpdate
		cmp	[ebp+arg_0], 0
		jz	short loc_4FAC4C
		shr	eax, 10h
		mov	cl, al
		and	cl, 1Fh
		cmp	cl, 10h
		ja	short loc_4FAC5E
		mov	ecx, 0FF00h
		cmp	ax, cx
		ja	short loc_4FAC5E

loc_4FAC4C:				; CODE XREF: RtlpHpLfhBucketUpdateStats(x,x,x)+1Fj
					; RtlpHpLfhBucketUpdateStats(x,x,x)+2Fj ...
		mov	eax, [esi+edi*4+80h]
		not	eax
		pop	edi
		and	eax, 1
		pop	esi
		pop	ebp
		retn	4
; 

loc_4FAC5E:				; CODE XREF: RtlpHpLfhBucketUpdateStats(x,x,x)+3Cj
					; RtlpHpLfhBucketUpdateStats(x,x,x)+46j
		mov	edx, edi
		mov	ecx, esi
		call	RtlpHpLfhBucketActivate
		jmp	short loc_4FAC4C
_RtlpHpLfhBucketUpdateStats@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpLfhBucketUsageUpdate proc near	; CODE XREF: RtlpHpLfhBucketUpdateStats(x,x,x)+26p

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D3D0E SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		add	edx, 20h
		push	edi
		lea	edi, [ecx+edx*4]
		mov	ecx, [edi]
		mov	edx, ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], edx
		test	cl, 1
		jz	short loc_4FACC5
		push	ebx
		push	esi

loc_4FAC8A:				; CODE XREF: RtlpLfhBucketUsageUpdate+D90B1j
		cmp	[ebp+arg_0], 0
		jz	short loc_4FACCC
		mov	ebx, ecx
		shr	ebx, 10h
		mov	al, bl
		mov	esi, ebx
		and	al, 1Fh
		cmp	al, 10h
		ja	short loc_4FACC3
		mov	eax, 0FF00h
		cmp	bx, ax
		ja	short loc_4FACC3
		lea	eax, [esi+21h]

loc_4FACAC:				; CODE XREF: RtlpLfhBucketUsageUpdate+6Cj
		mov	word ptr [ebp+var_4+2],	ax
		mov	edx, [ebp+var_4]

loc_4FACB3:				; CODE XREF: RtlpLfhBucketUsageUpdate+69j
		mov	esi, edx
		mov	eax, ecx
		lock cmpxchg [edi], esi
		cmp	eax, ecx
		jnz	loc_5D3D0E

loc_4FACC3:				; CODE XREF: RtlpLfhBucketUsageUpdate+33j
					; RtlpLfhBucketUsageUpdate+3Dj	...
		pop	esi
		pop	ebx

loc_4FACC5:				; CODE XREF: RtlpLfhBucketUsageUpdate+1Cj
		mov	eax, edx
		pop	edi
		leave
		retn	4
; 

loc_4FACCC:				; CODE XREF: RtlpLfhBucketUsageUpdate+24j
		mov	eax, [ebp+var_C+2]
		cmp	ax, 1
		jbe	short loc_4FACB3
		dec	eax
		jmp	short loc_4FACAC
RtlpLfhBucketUsageUpdate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpLfhBucketActivate	proc near	; CODE XREF: RtlpHpLfhBucketUpdateStats(x,x,x)+5Ep

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D3D26 SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		mov	eax, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_1C], edi
		lea	esi, [eax+20h]
		lea	esi, [edi+esi*4]
		mov	ecx, [esi]
		mov	al, cl
		and	al, 3
		cmp	al, 1
		jnz	loc_4FAE1D
		mov	eax, ecx
		mov	[ebp+var_8], ecx
		or	eax, 2
		mov	word ptr [ebp+var_8], ax
		mov	eax, ecx
		mov	edx, [ebp+var_8]
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jnz	loc_4FAE1D
		mov	eax, _RtlpHpLfhPerfFlags
		mov	esi, eax
		shr	esi, 0Ah
		and	esi, 1
		push	ebx
		movzx	ebx, byte ptr [edi+1Ch]
		mov	[ebp+var_8], ebx
		lea	ecx, [esi+1]
		shl	ecx, 6
		mov	[ebp+var_4], ecx
		lea	edx, [ebx-1]
		and	edx, 3
		sub	ecx, edx
		add	ecx, 3
		add	ecx, ebx
		mov	[ebp+var_18], ecx
		lea	edx, [ecx+ebx*4]
		lea	ecx, [edx-1]
		and	ecx, 3Fh
		sub	edx, ecx
		lea	ecx, [edx+3Fh]
		mov	[ebp+var_C], ecx
		test	esi, esi
		jnz	loc_5D3D26

loc_4FAD64:				; CODE XREF: RtlpHpLfhBucketActivate+D9054j
		test	eax, 200h
		jnz	short loc_4FAD71
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_8], ebx

loc_4FAD71:				; CODE XREF: RtlpHpLfhBucketActivate+91j
		mov	eax, [edi]
		mov	esi, ebx
		imul	esi, [ebp+var_4]
		add	esi, ecx
		mov	ecx, [edi+14h]
		xor	ecx, _RtlpHpHeapGlobals
		push	esi
		xor	ecx, edi
		push	eax
		call	ecx
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_4FAE1C
		xor	eax, eax
		push	esi		; size_t
		push	eax		; int
		push	ebx		; void *
		mov	[ebp+var_10], eax
		call	_memset
		mov	edx, [ebp+var_14]
		add	esp, 0Ch
		mov	ecx, ebx
		push	edi
		call	_RtlpHpLfhBucketInitialize@12 ;	RtlpHpLfhBucketInitialize(x,x,x)
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		add	eax, ebx
		mov	[ebx+30h], eax
		add	ecx, ebx
		mov	eax, [ebp+var_18]
		add	eax, ebx
		mov	[ebp+var_C], ecx
		cmp	[ebp+var_8], 0
		mov	[ebx+34h], eax
		jbe	short loc_4FAE12
		xor	edx, edx

loc_4FADCF:				; CODE XREF: RtlpHpLfhBucketActivate+138j
		mov	eax, [ebx+34h]
		push	8
		mov	[eax+edx*4], ecx
		mov	eax, [ebx+34h]
		pop	ecx
		mov	esi, [eax+edx*4]
		xor	eax, eax
		mov	edi, esi
		rep stosd
		mov	edi, [ebp+var_1C]
		mov	ecx, esi
		push	edi
		push	edx
		movzx	edx, byte ptr [ebx+1]
		call	_RtlpHpLfhOwnerInitialize@16 ; RtlpHpLfhOwnerInitialize(x,x,x,x)
		mov	edx, [ebp+var_10]
		mov	eax, [ebx+30h]
		inc	byte ptr [ebx+2]
		mov	ecx, [ebp+var_C]
		add	ecx, [ebp+var_4]
		mov	[edx+eax], dl
		inc	edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		cmp	edx, [ebp+var_8]
		jb	short loc_4FADCF

loc_4FAE12:				; CODE XREF: RtlpHpLfhBucketActivate+F3j
		mov	eax, [ebp+var_14]
		mov	[edi+eax*4+80h], ebx

loc_4FAE1C:				; CODE XREF: RtlpHpLfhBucketActivate+B6j
		pop	ebx

loc_4FAE1D:				; CODE XREF: RtlpHpLfhBucketActivate+22j
					; RtlpHpLfhBucketActivate+3Fj
		pop	edi
		pop	esi
		leave
		retn
RtlpHpLfhBucketActivate	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhBucketInitialize(x, x, x)
_RtlpHpLfhBucketInitialize@12 proc near	; CODE XREF: RtlpHpLfhBucketActivate+D2p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	ebx
		push	0FFFFFFFFh
		mov	esi, ecx
		xor	edi, edi
		call	_RtlpHpLfhOwnerInitialize@16 ; RtlpHpLfhOwnerInitialize(x,x,x,x)
		cmp	byte ptr [ebx+1Dh], 0
		mov	[esi+2Ch], edi
		movzx	eax, byte ptr [esi+1]
		movzx	edi, ds:_RtlpBucketBlockSizes[eax*2]
		lea	eax, [edi-1]
		test	eax, edi
		jz	short loc_4FAE8C
		movzx	eax, word ptr [ebx+20h]
		xor	edx, edx
		bsf	ebx, eax
		xor	eax, eax
		add	ebx, 12h
		inc	eax
		mov	ecx, ebx
		call	__allshl
		push	0
		pop	ecx
		add	eax, edi
		push	ecx
		adc	edx, ecx
		sub	eax, 1
		push	edi
		sbb	edx, ecx
		push	edx
		push	eax
		call	__alldiv
		mov	[esi+24h], eax
		mov	[esi+28h], bl

loc_4FAE85:				; CODE XREF: RtlpHpLfhBucketInitialize(x,x,x)+70j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4FAE8C:				; CODE XREF: RtlpHpLfhBucketInitialize(x,x,x)+30j
		bsf	eax, edi
		mov	[esi+28h], al
		jmp	short loc_4FAE85
_RtlpHpLfhBucketInitialize@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhOwnerInitialize(x,	x, x, x)
_RtlpHpLfhOwnerInitialize@16 proc near	; CODE XREF: RtlpHpLfhBucketAllocateSlot(x,x,x)+4Ap
					; RtlpHpLfhBucketActivate+117p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, ecx
		xor	eax, eax
		push	7
		pop	ecx
		mov	edi, esi
		rep stosd
		mov	eax, [ebp+arg_0]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4FAED1
		mov	[esi+2], al

loc_4FAEB1:				; CODE XREF: RtlpHpLfhOwnerInitialize(x,x,x,x)+40j
		mov	eax, [ebp+arg_4]
		mov	[esi+1], dl
		lea	eax, [esi+0Ch]
		and	dword ptr [esi+8], 0
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+14h]
		pop	edi
		mov	[eax+4], eax
		mov	[eax], eax
		pop	esi
		pop	ebp
		retn	8
; 

loc_4FAED1:				; CODE XREF: RtlpHpLfhOwnerInitialize(x,x,x,x)+18j
		mov	byte ptr [esi],	1
		jmp	short loc_4FAEB1
_RtlpHpLfhOwnerInitialize@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegLfhExtendContext(x, x)
_RtlpHpSegLfhExtendContext@8 proc near	; DATA XREF: RtlpHpHeapCreate+151o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ecx+24h]
		call	RtlpHpHeapExtendContext
		pop	ebp
		retn	8
_RtlpHpSegLfhExtendContext@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpHeapExtendContext	proc near	; CODE XREF: RtlpHpSegLfhExtendContext(x,x)+Ep

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005D3D31 SIZE 000003CB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		and	[ebp+var_18], 0
		and	[ebp+var_28], 0
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_20], edi
		movzx	edx, byte ptr [edi]
		lea	esi, [edi+0B4h]
		and	edx, 1
		mov	[ebp+var_C], esi
		mov	ecx, esi
		call	RtlpHpAcquireReleaseLockExclusive
		or	[ebp+var_1C], 0FFFFFFFFh
		lea	eax, [edi+0B8h]
		mov	[ebp+var_14], eax

loc_4FAF2B:				; CODE XREF: RtlpHpHeapExtendContext+220j
		mov	edi, [eax]
		mov	edx, [ebp+var_20]

loc_4FAF30:				; CODE XREF: RtlpHpHeapExtendContext+D8E49j
		mov	ecx, [ebp+var_10]
		add	ecx, edi
		cmp	ecx, [edx+0BCh]
		ja	short loc_4FAF5D
		mov	eax, edi
		lea	esi, [edx+0B8h]
		lock cmpxchg [esi], ecx
		lea	esi, [edx+0B4h]
		cmp	eax, edi
		jnz	loc_5D3D31

loc_4FAF57:				; CODE XREF: RtlpHpHeapExtendContext+D91F5j
					; RtlpHpHeapExtendContext+D9209j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4FAF5D:				; CODE XREF: RtlpHpHeapExtendContext+4Dj
		mov	edi, edx
		mov	ecx, esi
		movzx	edx, byte ptr [edi]
		and	edx, 1
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	ecx, [ebp+var_10]
		mov	edx, [edi+0B8h]
		add	ecx, edx
		mov	[ebp+var_1], al
		mov	eax, [edi+0BCh]
		mov	[ebp+var_30], eax
		cmp	ecx, eax
		jbe	loc_5D3D3C
		push	dword ptr [edi+4]
		sub	edx, eax
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_10]
		push	dword ptr [edi]
		add	eax, 0FFFh
		add	eax, edx
		and	eax, 0FFFFF000h
		test	byte ptr [edi+16h], 1
		mov	[ebp+var_18], eax
		jnz	loc_4FB13C
		push	4
		push	1000h
		push	0
		lea	edx, [ebp+var_18]
		lea	ecx, [ebp+var_28]
		call	RtlpHpAllocVA

loc_4FAFC5:				; CODE XREF: RtlpHpHeapExtendContext+25Bj
		mov	cl, [edi]
		and	cl, 1
		test	eax, eax
		js	loc_5D3F37
		mov	eax, [ebp+var_18]
		add	[edi+0BCh], eax
		test	cl, cl
		jnz	loc_4FB12B
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4FB14E

loc_4FAFF4:				; CODE XREF: RtlpHpHeapExtendContext+267j
		xor	edi, edi
		mov	[ebp+var_24], edi
		test	esi, 7FFFFFFCh
		jz	loc_4FB0FF
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_8], eax
		cmp	esi, edx
		jb	short loc_4FB03B
		cmp	byte ptr dword_6D3994[ecx], 1
		jz	loc_4FB113
		cmp	esi, edx
		jb	short loc_4FB03B
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_4FB113

loc_4FB03B:				; CODE XREF: RtlpHpHeapExtendContext+12Dj
					; RtlpHpHeapExtendContext+13Ej
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_2C], ecx

loc_4FB041:				; CODE XREF: RtlpHpHeapExtendContext+238j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	dl, [eax+1E6h]
		mov	[ebp+var_1], dl
		mov	edx, esi
		push	ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_4FB1B1
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4FB1C9

loc_4FB082:				; CODE XREF: RtlpHpHeapExtendContext+2E3j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_24], edi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [ebp+var_8]
		mov	dword ptr [ecx+10h], 0
		push	30h
		sub	ecx, [eax+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	loc_5D3EEF
		mov	eax, [ebp+var_8]
		movzx	ecx, byte ptr [eax+1E4h]
		bts	ecx, edx
		mov	[eax+1E4h], cl

loc_4FB0D4:				; CODE XREF: RtlpHpHeapExtendContext+2D6j
					; RtlpHpHeapExtendContext+D9019j
		nop
		dec	byte ptr [eax+1E6h]
		mov	ecx, edi
		and	ecx, 1FFFFh
		mov	[ebp+var_30], ecx
		jnz	short loc_4FB15A

loc_4FB0E8:				; CODE XREF: RtlpHpHeapExtendContext+2B4j
					; RtlpHpHeapExtendContext+D8F95j
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_4FB0FF
		nop
		add	eax, 70h
		cmp	[eax], eax
		jnz	loc_4FB1A7

loc_4FB0FF:				; CODE XREF: RtlpHpHeapExtendContext+111j
					; RtlpHpHeapExtendContext+203j	...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_4FB10B:				; CODE XREF: RtlpHpHeapExtendContext+24Cj
		mov	eax, [ebp+var_14]
		jmp	loc_4FAF2B
; 

loc_4FB113:				; CODE XREF: RtlpHpHeapExtendContext+136j
					; RtlpHpHeapExtendContext+147j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_8]
		jmp	loc_4FB041
; 

loc_4FB12B:				; CODE XREF: RtlpHpHeapExtendContext+EFj
					; RtlpHpHeapExtendContext+D8E51j
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4FB10B
; 

loc_4FB13C:				; CODE XREF: RtlpHpHeapExtendContext+BDj
		mov	edx, [ebp+var_30]
		mov	ecx, edi
		push	1
		push	eax
		call	RtlpHpMetadataCommit
		jmp	loc_4FAFC5
; 

loc_4FB14E:				; CODE XREF: RtlpHpHeapExtendContext+100j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_4FAFF4
; 

loc_4FB15A:				; CODE XREF: RtlpHpHeapExtendContext+1F8j
		test	edi, 8000h
		jz	short loc_4FB16E
		xor	edx, edx
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+var_8]

loc_4FB16E:				; CODE XREF: RtlpHpHeapExtendContext+272j
		test	byte ptr [ebp+var_24+2], 1
		jnz	loc_5D3F0C

loc_4FB178:				; CODE XREF: RtlpHpHeapExtendContext+D9028j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4FB1D6
		and	edi, eax
		mov	edx, edi
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4FB18F:				; CODE XREF: RtlpHpHeapExtendContext+2EBj
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5D3EDE

loc_4FB19F:				; CODE XREF: RtlpHpHeapExtendContext+D8FE5j
					; RtlpHpHeapExtendContext+D8FFCj
		mov	eax, [ebp+var_8]
		jmp	loc_4FB0E8
; 

loc_4FB1A7:				; CODE XREF: RtlpHpHeapExtendContext+20Bj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4FB0FF
; 

loc_4FB1B1:				; CODE XREF: RtlpHpHeapExtendContext+17Cj
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_5D3F1B
		mov	eax, ecx
		jmp	loc_4FB0D4
; 

loc_4FB1C9:				; CODE XREF: RtlpHpHeapExtendContext+18Ej
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]
		jmp	loc_4FB082
; 

loc_4FB1D6:				; CODE XREF: RtlpHpHeapExtendContext+291j
		mov	edi, [ebp+var_8]
		jmp	short loc_4FB18F
RtlpHpHeapExtendContext	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpAcquireReleaseLockExclusive proc near ; CODE XREF: RtlpHpHeapExtendContext+2Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D40FC SIZE 0000005F BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], esi
		push	edi
		test	edx, edx
		jnz	loc_4FB34A
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		call	ExAcquirePushLockExclusiveEx
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_5D40FC

loc_4FB22C:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+D8F22j
					; RtlpHpAcquireReleaseLockExclusive+D8F2Fj
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	esi, 7FFFFFFCh
		jz	loc_4FB335
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_4FB26C
		cmp	byte ptr dword_6D3994[ecx], 1
		jz	loc_4FB364

loc_4FB26C:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+81j
		cmp	eax, [ebp+var_20]
		jb	short loc_4FB27E
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_4FB364

loc_4FB27E:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+93j
					; RtlpHpAcquireReleaseLockExclusive+19Bj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_4FB37C
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4FB3CF

loc_4FB2BF:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+1FBj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5D4123
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_4FB30B:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+1A8j
					; RtlpHpAcquireReleaseLockExclusive+D8F59j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	short loc_4FB38B

loc_4FB31E:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+1E8j
					; RtlpHpAcquireReleaseLockExclusive+D8F7Aj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4FB335
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_4FB3DC

loc_4FB335:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+5Bj
					; RtlpHpAcquireReleaseLockExclusive+14Bj ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_4FB341:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+186j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4FB34A:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+23j
		push	esi
		call	ExAcquireSpinLockExclusive
		push	esi
		mov	byte ptr [ebp+var_4+3],	al
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4FB341
; 

loc_4FB364:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+8Aj
					; RtlpHpAcquireReleaseLockExclusive+9Cj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]
		jmp	loc_4FB27E
; 

loc_4FB37C:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+CBj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_4FB30B
		jmp	loc_5D4110
; 

loc_4FB38B:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+140j
		test	edi, 8000h
		jz	short loc_4FB39C
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4FB39C:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+1B5j
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5D413A

loc_4FB3A6:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+D8F68j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4FB3BA
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4FB3BA:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+1D1j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4FB31E
		jmp	loc_5D4149
; 

loc_4FB3CF:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+DDj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_4FB2BF
; 

loc_4FB3DC:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+153j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4FB335
RtlpHpAcquireReleaseLockExclusive endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopVerifyDeviceObjectOnStack proc near	; CODE XREF: IopCheckTopDeviceHint+23p

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005D415B SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bl, [ebp+arg_0]
		xor	bh, bh
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	bl, bl
		jz	short loc_4FB405
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bh, al

loc_4FB405:				; CODE XREF: IopVerifyDeviceObjectOnStack+13j
					; IopVerifyDeviceObjectOnStack+6Fj
		cmp	esi, edi
		jnz	short loc_4FB450
		xor	eax, eax
		inc	eax
		test	bl, bl
		jz	short loc_4FB449
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jnz	loc_5D41BA
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_4FB463
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_4FB45C

loc_4FB43E:				; CODE XREF: IopVerifyDeviceObjectOnStack+8Cj
					; IopVerifyDeviceObjectOnStack+D8DDEj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		inc	eax

loc_4FB449:				; CODE XREF: IopVerifyDeviceObjectOnStack+28j
					; IopVerifyDeviceObjectOnStack+D8DCFj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4FB450:				; CODE XREF: IopVerifyDeviceObjectOnStack+21j
		mov	esi, [esi+10h]
		test	esi, esi
		jnz	short loc_4FB405
		jmp	loc_5D415B
; 

loc_4FB45C:				; CODE XREF: IopVerifyDeviceObjectOnStack+56j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_4FB463:				; CODE XREF: IopVerifyDeviceObjectOnStack+47j
		lea	ecx, [eax+4]
		mov	dword ptr [esi], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax
		jmp	short loc_4FB43E
IopVerifyDeviceObjectOnStack endp


;  S U B	R O U T	I N E 


CmpGetCachedFullKCBName	proc near	; CODE XREF: CmpConstructAndCacheName+1Ap
					; CmpConstructAndCacheName+65p	...
		mov	eax, [ecx+0A0h]
		mov	ecx, eax
		and	ecx, 1
		jnz	short loc_4FB488

loc_4FB481:				; CODE XREF: CmpGetCachedFullKCBName+17j
		test	edx, edx
		jz	short locret_4FB487
		mov	[edx], cl

locret_4FB487:				; CODE XREF: CmpGetCachedFullKCBName+Fj
		retn
; 

loc_4FB488:				; CODE XREF: CmpGetCachedFullKCBName+Bj
		and	eax, 0FFFFFFFEh
		jmp	short loc_4FB481
CmpGetCachedFullKCBName	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcGetVacbLargeOffset(x, x, x)
_CcGetVacbLargeOffset@12 proc near	; CODE XREF: CcGetVirtualAddressIfMapped(x,x,x,x,x)+82p
					; CcGetVacbMiss+1DFp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx+40h]
		push	ebx
		mov	ebx, [ecx+18h]
		push	esi
		push	edi
		push	19h
		mov	[ebp+var_C], eax
		xor	edi, edi
		mov	eax, [ecx+1Ch]
		pop	esi
		mov	[ebp+var_8], eax

loc_4FB4AD:				; CODE XREF: CcGetVacbLargeOffset(x,x,x)+37j
					; CcGetVacbLargeOffset(x,x,x)+3Bj
		mov	[ebp+var_4], esi
		xor	eax, eax
		add	esi, 7
		inc	eax
		xor	edx, edx
		mov	ecx, esi
		inc	edi
		call	__allshl
		cmp	[ebp+var_8], edx
		jl	short loc_4FB4CB
		jg	short loc_4FB4AD
		cmp	ebx, eax
		ja	short loc_4FB4AD

loc_4FB4CB:				; CODE XREF: CcGetVacbLargeOffset(x,x,x)+35j
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		mov	[ebp+arg_4], edx
		call	__allshr
		mov	esi, [ebp+var_C]

loc_4FB4E1:				; CODE XREF: CcGetVacbLargeOffset(x,x,x)+8Cj
		mov	esi, [esi+eax*4]
		test	esi, esi
		jz	short loc_4FB51C
		test	edi, edi
		jz	short loc_4FB51C
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		dec	edi
		call	__allshl
		mov	ecx, [ebp+arg_4]
		sub	eax, 1
		sbb	edx, 0
		sub	[ebp+var_4], 7
		and	ecx, edx
		and	ebx, eax
		mov	[ebp+arg_4], ecx
		mov	edx, ecx
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		call	__allshr
		jmp	short loc_4FB4E1
; 

loc_4FB51C:				; CODE XREF: CcGetVacbLargeOffset(x,x,x)+58j
					; CcGetVacbLargeOffset(x,x,x)+5Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_CcGetVacbLargeOffset@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2502. SeReportSecurityEventWithSubCategory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeReportSecurityEventWithSubCategory
SeReportSecurityEventWithSubCategory proc near
					; CODE XREF: SeReportSecurityEvent(x,x,x,x)+1Ep
					; CmpReportAuditVirtualizationEvent(x,x)+25Dp

var_2BE		= byte ptr -2BEh
var_2BD		= byte ptr -2BDh
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2A8		= dword	ptr -2A8h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_250		= dword	ptr -250h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005D41C9 SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2C4h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		xor	eax, eax
		push	edi
		lea	edi, [esp+2D0h+var_2B0]
		mov	[esp+2D0h+var_2B4], esi
		stosd
		xor	ecx, ecx
		mov	ebx, ecx
		stosd
		stosd
		stosd
		cmp	[ebp+arg_0], ecx
		jnz	loc_5D421C
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_5D421C
		cmp	[eax+4], ecx
		jz	loc_5D421C
		cmp	[eax], cx
		jz	loc_5D421C
		test	esi, esi
		jz	loc_5D421C
		mov	eax, [ebp+arg_10]
		cmp	eax, 64h
		jb	loc_5D421C
		cmp	eax, 9Fh
		ja	loc_5D421C
		cmp	dword ptr [esi+8], 1Ch
		ja	loc_5D421C
		test	byte ptr [esi+12h], 18h
		jz	loc_5D421C
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edi, [ebp+arg_8]
		mov	[esp+2D0h+var_2BD], al
		cmp	al, 2
		jb	short loc_4FB60E
		movzx	ecx, word ptr [esi+12h]
		push	8
		pop	eax
		cmp	cx, ax
		mov	eax, [ebp+arg_10]
		jz	loc_5D41D0
		mov	al, byte_6BE5F9[eax*2]

loc_4FB5E2:				; CODE XREF: SeReportSecurityEventWithSubCategory+D8CADj
		test	al, al
		jnz	loc_5D41DC

loc_4FB5EA:				; CODE XREF: SeReportSecurityEventWithSubCategory+13Aj
					; SeReportSecurityEventWithSubCategory+1FFj
		cmp	[esp+2D0h+var_2BD], 2
		jb	loc_4FB72E

loc_4FB5F5:				; CODE XREF: SeReportSecurityEventWithSubCategory+206j
					; SeReportSecurityEventWithSubCategory+20Ej ...
		xor	eax, eax

loc_4FB5F7:				; CODE XREF: SeReportSecurityEventWithSubCategory+D8CF7j
		mov	ecx, [esp+2D0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_4FB60E:				; CODE XREF: SeReportSecurityEventWithSubCategory+9Cj
		test	edi, edi
		jnz	loc_5D41C9
		lea	eax, [esp+2D0h+var_2B0]
		push	eax
		call	SeCaptureSubjectContext
		mov	eax, [esp+2D0h+var_2B0]
		test	eax, eax
		jnz	short loc_4FB62C
		mov	eax, [esp+2D0h+var_2A8]

loc_4FB62C:				; CODE XREF: SeReportSecurityEventWithSubCategory+FCj
		mov	eax, [eax+94h]
		mov	ebx, [eax]

loc_4FB634:				; CODE XREF: SeReportSecurityEventWithSubCategory+D8CA1j
		movzx	ecx, word ptr [esi+12h]
		lea	edx, [esp+2D0h+var_2B0]
		mov	eax, ebx
		sub	eax, edi
		neg	eax
		sbb	eax, eax
		and	eax, edx
		cmp	ecx, 10h
		push	eax
		setz	al
		movzx	eax, al
		push	eax
		push	8
		pop	eax
		cmp	cx, ax
		mov	ecx, [ebp+arg_10]
		setz	dl
		call	SepAdtAuditThisEventWithContext
		test	al, al
		jz	short loc_4FB5EA
		movzx	eax, word ptr [esi+12h]

loc_4FB66A:				; CODE XREF: SeReportSecurityEventWithSubCategory+D8CB8j
					; SeReportSecurityEventWithSubCategory+D8CC4j
		push	298h		; size_t
		mov	[esp+2D4h+var_2BC], eax
		lea	eax, [esp+2D4h+var_2A0]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esi+4]
		add	esp, 0Ch
		mov	edx, [ebp+arg_10]
		mov	[esp+2D0h+var_2B8], eax
		mov	[esp+2D0h+var_29C], eax
		mov	eax, [esi]
		mov	[esp+2D0h+var_2A0], eax
		mov	eax, [esp+2D0h+var_2BC]
		mov	[esp+2D0h+var_28E], ax
		movzx	eax, byte ptr [ebx+1]
		push	2
		pop	ecx
		mov	[esp+2D0h+var_290], dx
		lea	eax, ds:8[eax*4]
		mov	[esp+2D0h+var_288], 4
		mov	[esp+2D0h+var_284], eax
		xor	eax, eax
		inc	eax
		mov	[esp+2D0h+var_278], ebx
		mov	[esp+2D0h+var_274], eax
		mov	[esp+2D0h+var_270], 18h
		mov	[esp+2D0h+var_264], offset _SeSubsystemName
		mov	[esp+2D0h+var_298], ecx
		cmp	edx, 7Bh
		jz	loc_5D41F3
		mov	eax, [esp+2D0h+var_28C]
		or	eax, 8
		cmp	[esp+2D0h+var_2B8], 5FFh
		mov	[esp+2D0h+var_28C], eax
		jb	short loc_4FB74D

loc_4FB6FB:				; CODE XREF: SeReportSecurityEventWithSubCategory+229j
					; SeReportSecurityEventWithSubCategory+D8CEDj
		mov	esi, [esi+8]
		imul	eax, esi, 14h
		push	eax		; size_t
		mov	eax, [esp+2D4h+var_2B4]
		add	eax, 18h
		push	eax		; void *
		imul	eax, ecx, 14h
		lea	ecx, [esp+2D8h+var_288]
		add	eax, ecx
		push	eax		; void *
		call	_memcpy
		add	[esp+2DCh+var_298], esi
		lea	ecx, [esp+2DCh+var_2A0]
		add	esp, 0Ch
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		jmp	loc_4FB5EA
; 

loc_4FB72E:				; CODE XREF: SeReportSecurityEventWithSubCategory+C5j
		test	ebx, ebx
		jz	loc_4FB5F5
		cmp	ebx, edi
		jz	loc_4FB5F5
		lea	eax, [esp+2D0h+var_2B0]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_4FB5F5
; 

loc_4FB74D:				; CODE XREF: SeReportSecurityEventWithSubCategory+1CFj
		or	eax, ecx
		mov	[esp+2D0h+var_28C], eax
		jmp	short loc_4FB6FB
SeReportSecurityEventWithSubCategory endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiUnlockPage(x, x)
_MiUnlockPage@8	proc near		; CODE XREF: .text:0047DB69p
					; MmSetPfnListInfo(x,x,x)+1C6p	...
		mov	eax, 7FFFFFFFh
		add	ecx, 10h
		lock and [ecx],	eax
		mov	cl, dl
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiUnlockPage@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoIsKernelPagingRead(x)
_IoIsKernelPagingRead@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	8
		pop	edx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jnz	short loc_4FB78D
		xor	eax, eax

loc_4FB783:				; CODE XREF: IoIsKernelPagingRead(x)+2Aj
		not	eax
		and	eax, 1
		pop	esi
		pop	ebp
		retn	4
; 

loc_4FB78D:				; CODE XREF: IoIsKernelPagingRead(x)+15j
		mov	eax, [esi+68h]
		movzx	eax, word ptr [eax+34h]
		jmp	short loc_4FB783
_IoIsKernelPagingRead@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_FeatureReporting_RecordUsageInCache(x, x, x, x)
_wil_details_FeatureReporting_RecordUsageInCache@16 proc near
					; CODE XREF: wil_details_FeatureReporting_ReportUsageToServiceDirect(x,x,x,x,x)+34p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		mov	edx, ecx
		mov	[ebp+var_10], ebx
		push	6
		xor	eax, eax
		mov	[ebp+var_8], edx
		mov	edi, esi
		pop	ecx
		rep stosd
		cmp	ebx, 7
		ja	loc_4FB869
		movzx	eax, ds:byte_4FB8EE[ebx]
		jmp	ds:off_4FB8E2[eax*4]

loc_4FB7CE:				; DATA XREF: .text:004FB8EAo
		xor	esi, esi
		dec	ebx
		sub	ebx, 1
		jz	short loc_4FB7F1
		sub	ebx, 1
		jz	short loc_4FB7ED
		sub	ebx, 3
		jz	short loc_4FB7E9
		sub	ebx, 1
		jnz	short loc_4FB7F4
		push	10h
		jmp	short loc_4FB7F3
; 

loc_4FB7E9:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+48j
		push	4
		jmp	short loc_4FB7F3
; 

loc_4FB7ED:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+43j
		push	8
		jmp	short loc_4FB7F3
; 

loc_4FB7F1:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+3Ej
		push	2

loc_4FB7F3:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+51j
					; wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+55j	...
		pop	esi

loc_4FB7F4:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+4Dj
		mov	ecx, [edx]
		mov	ebx, edx
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_4], ecx

loc_4FB7FE:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+95j
		mov	eax, esi
		xor	edx, edx
		or	eax, ecx
		cmp	eax, ecx
		mov	[ebp+arg_8], eax
		setz	dl
		mov	[edi+10h], edx
		test	edx, edx
		jnz	short loc_4FB819
		or	eax, 1
		mov	[ebp+arg_8], eax

loc_4FB819:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+7Bj
		push	eax
		lea	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_wil_atomic_uint32_compare_exchange_relaxed@12 ; wil_atomic_uint32_compare_exchange_relaxed(x,x,x)
		test	eax, eax
		jnz	short loc_4FB82D
		mov	ecx, [ebp+var_4]
		jmp	short loc_4FB7FE
; 

loc_4FB82D:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+90j
		test	byte ptr [ebp+arg_8], 1
		jz	short loc_4FB83E
		test	byte ptr [ebp+var_4], 1
		jnz	short loc_4FB83E
		xor	eax, eax
		inc	eax
		jmp	short loc_4FB840
; 

loc_4FB83E:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+9Bj
					; wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+A1j
		xor	eax, eax

loc_4FB840:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+A6j
		mov	esi, edi
		mov	[esi], eax
		jmp	loc_4FB8D8
; 

loc_4FB849:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+31j
					; DATA XREF: .text:off_4FB8E2o
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		push	esi
		push	[ebp+arg_8]
		call	_wil_details_FeatureReporting_IncrementUsageInCache@16 ; wil_details_FeatureReporting_IncrementUsageInCache(x,x,x,x)
		jmp	short loc_4FB8D8
; 

loc_4FB859:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+31j
					; DATA XREF: .text:004FB8E6o
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		push	esi
		push	[ebp+arg_8]
		call	_wil_details_FeatureReporting_IncrementOpportunityInCache@16 ; wil_details_FeatureReporting_IncrementOpportunityInCache(x,x,x,x)
		jmp	short loc_4FB8D8
; 

loc_4FB869:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+24j
		lea	edi, [ebx-140h]
		cmp	edi, 40h
		jnb	short loc_4FB8C9
		lea	eax, [edx+4]
		mov	ebx, edi
		mov	[ebp+arg_0], eax
		and	ebx, 3Fh
		mov	eax, [eax]
		mov	[ebp+var_C], eax
		shl	ebx, 5

loc_4FB887:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+128j
		test	al, 10h
		jz	short loc_4FB89C
		mov	ecx, eax
		shr	ecx, 5
		and	ecx, 3Fh
		cmp	ecx, edi
		jnz	short loc_4FB89C
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_4FB89E
; 

loc_4FB89C:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+F3j
					; wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+FFj
		xor	ecx, ecx

loc_4FB89E:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+104j
		and	eax, 0FFFFF81Fh
		mov	[esi+10h], ecx
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_C]
		or	eax, ebx
		or	eax, 10h
		push	eax
		call	_wil_atomic_uint32_compare_exchange_relaxed@12 ; wil_atomic_uint32_compare_exchange_relaxed(x,x,x)
		test	eax, eax
		jnz	short loc_4FB8C0
		mov	eax, [ebp+var_C]
		jmp	short loc_4FB887
; 

loc_4FB8C0:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+123j
		cmp	dword ptr [esi+10h], 0
		mov	ebx, [ebp+var_10]
		jnz	short loc_4FB8D8

loc_4FB8C9:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+DCj
		mov	ecx, [ebp+arg_8]
		mov	[esi+4], ecx
		mov	ecx, [ebp+arg_4]
		mov	[esi+8], ebx
		mov	[esi+0Ch], ecx

loc_4FB8D8:				; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+AEj
					; wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+C1j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_wil_details_FeatureReporting_RecordUsageInCache@16 endp

; 
		align 2
off_4FB8E2	dd offset loc_4FB849	; DATA XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+31r
		dd offset loc_4FB859
		dd offset loc_4FB7CE
byte_4FB8EE	db 0			; DATA XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+2Ar
		db 1
		dd 1000202h, 0CCCC0202h, 0CCCCCCCCh
; Exported entry 677. FsRtlUninitializeOplock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlUninitializeOplock
FsRtlUninitializeOplock	proc near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 004FB9D4 SIZE 00000009 BYTES
; FUNCTION CHUNK AT 005D4226 SIZE 000001F7 BYTES

		push	10h
		push	offset dword_6A3918
		call	__SEH_prolog4
		mov	eax, [ebp+arg_0]
		mov	ebx, [eax]
		test	ebx, ebx
		jnz	short loc_4FB923

loc_4FB911:				; CODE XREF: FsRtlUninitializeOplock+9Fj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4FB923:				; CODE XREF: FsRtlUninitializeOplock+13j
		mov	[ebp+var_20], ebx
		xor	edi, edi
		mov	[eax], edi
		mov	ecx, [ebx+4Ch]
		call	ExAcquireFastMutexUnsafe
		mov	[ebp+ms_exc.disabled], edi

loc_4FB935:				; CODE XREF: FsRtlUninitializeOplock+D8983j
		lea	eax, [ebx+2Ch]
		mov	esi, [eax]
		mov	[ebp+var_1C], esi
		cmp	esi, eax
		jnz	loc_5D4226

loc_4FB945:				; CODE XREF: FsRtlUninitializeOplock+D8A20j
		lea	edx, [ebx+14h]
		mov	ecx, [edx]
		mov	[ebp+arg_0], ecx
		cmp	ecx, edx
		jnz	loc_5D4284

loc_4FB955:				; CODE XREF: FsRtlUninitializeOplock+D8A73j
					; FsRtlUninitializeOplock+D8A8Bj
		lea	eax, [ebx+1Ch]
		mov	esi, [eax]
		cmp	esi, eax
		jnz	loc_5D4321

loc_4FB962:				; CODE XREF: FsRtlUninitializeOplock+CDj
		lea	eax, [ebx+24h]
		mov	esi, [eax]
		cmp	esi, eax
		jnz	short loc_4FB9A0
		mov	eax, [ebx]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	loc_5D438C

loc_4FB978:				; CODE XREF: FsRtlUninitializeOplock+D8B1Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_4FB9CB
		mov	eax, [ebx+44h]
		test	eax, eax
		jnz	short loc_4FB9D4

loc_4FB98B:				; CODE XREF: FsRtlUninitializeOplock+DFj
		push	edi
		push	dword ptr [ebx+4Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4FB911
; 

loc_4FB9A0:				; CODE XREF: FsRtlUninitializeOplock+6Dj
		mov	ecx, esi
		call	_FsRtlpOplockDequeueRH@4 ; FsRtlpOplockDequeueRH(x)
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	FsRtlpModifyThreadPriorities
		mov	ecx, [esi+0Ch]
		call	ObfDereferenceObject
		mov	edx, esi
		mov	ecx, ebx
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4FB962
FsRtlUninitializeOplock	endp


;  S U B	R O U T	I N E 


sub_4FB9CB	proc near		; CODE XREF: FsRtlUninitializeOplock+83p
					; sub_5D441D+5j
		mov	ecx, [ebx+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		retn
sub_4FB9CB	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlUninitializeOplock

loc_4FB9D4:				; CODE XREF: FsRtlUninitializeOplock+8Dj
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_4FB98B
; END OF FUNCTION CHUNK	FOR FsRtlUninitializeOplock
; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIssueSynchronousFlush(x, x, x, x,	x, x, x)
_MiIssueSynchronousFlush@28 proc near	; CODE XREF: MiFlushSectionInternal+818p

var_14		= dword	ptr -14h
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	esi, edx
		stosd
		mov	ebx, ecx
		push	0
		push	0
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_14]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	edi, [ebp+arg_10]
		lea	eax, [ebp+var_14]
		push	edi
		push	[ebp+arg_C]
		mov	edx, esi
		mov	ecx, ebx
		push	[ebp+arg_8]
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		call	IoSynchronousPageWriteEx
		test	eax, eax
		js	short loc_4FBA42
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	13h
		lea	eax, [ebp+var_14]
		push	eax
		call	KeWaitForSingleObject

loc_4FBA3B:				; CODE XREF: MiIssueSynchronousFlush(x,x,x,x,x,x,x)+66j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_4FBA42:				; CODE XREF: MiIssueSynchronousFlush(x,x,x,x,x,x,x)+4Bj
		mov	[edi], eax
		jmp	short loc_4FBA3B
_MiIssueSynchronousFlush@28 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1175. KeInitializeQueue

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeQueue(x, x)
		public _KeInitializeQueue@8
_KeInitializeQueue@8 proc near		; CODE XREF: NtCreateIoCompletion+72p
					; EtwpCreateUmReplyObject+5Cp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ecx, ecx
		lea	eax, [esi+8]
		mov	word ptr [esi],	4
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+10h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+20h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+arg_4]
		mov	byte ptr [esi+2], 0Ah
		mov	[esi+4], ecx
		mov	[esi+18h], ecx
		test	eax, eax
		jz	short loc_4FBA8D

loc_4FBA85:				; CODE XREF: KeInitializeQueue(x,x)+4Bj
		mov	[esi+1Ch], eax
		pop	esi
		pop	ebp
		retn	8
; 

loc_4FBA8D:				; CODE XREF: KeInitializeQueue(x,x)+37j
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		jmp	short loc_4FBA85
_KeInitializeQueue@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMakeImageReadOnly proc near		; CODE XREF: MiCreateNewSection(x,x)+4F7p
					; MiCreateNewSection(x,x)+586p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 005D4427 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	bl, 21h
		push	edi
		mov	byte ptr [ebp+var_1], bl
		lea	edi, [ecx+50h]

loc_4FBAB1:				; CODE XREF: MiMakeImageReadOnly+2Dj
		mov	[ebp+var_10], edi
		test	edi, edi
		jz	short loc_4FBAC9
		movzx	ecx, word ptr [edi+10h]
		mov	al, cl
		and	al, 3Eh
		cmp	al, 2
		jnz	short loc_4FBACE

loc_4FBAC4:				; CODE XREF: MiMakeImageReadOnly+B0j
					; MiMakeImageReadOnly+C5j
		mov	edi, [edi+8]
		jmp	short loc_4FBAB1
; 

loc_4FBAC9:				; CODE XREF: MiMakeImageReadOnly+1Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4FBACE:				; CODE XREF: MiMakeImageReadOnly+28j
		mov	esi, [edi+4]
		and	ecx, 0FFC3h
		mov	eax, [edi+1Ch]
		or	ecx, 2
		mov	[edi+10h], cx
		lea	eax, [esi+eax*8]
		mov	[ebp+var_14], eax
		cmp	esi, eax
		jnb	short loc_4FBB47
		mov	edi, [ebp+var_C]

loc_4FBAEE:				; CODE XREF: MiMakeImageReadOnly+A8j
		test	esi, 0FFFh
		jz	loc_4FBBA0
		cmp	bl, 21h
		jz	loc_4FBBA0

loc_4FBB03:				; CODE XREF: MiMakeImageReadOnly+125j
		xor	edx, edx
		mov	ecx, esi
		call	MiLockLeafPage
		mov	ecx, [esi]
		mov	edx, eax
		nop
		mov	eax, [esi+4]
		mov	[ebp+var_8], eax
		mov	eax, ecx
		test	edx, edx
		jnz	short loc_4FBB64
		and	eax, 400h
		or	eax, edx
		jz	loc_4FBBC4
		and	ecx, 0FFFFFC3Fh
		or	ecx, 20h
		mov	[esi], ecx
		nop
		mov	eax, [ebp+var_8]
		mov	[esi+4], eax

loc_4FBB3C:				; CODE XREF: MiMakeImageReadOnly+104j
					; MiMakeImageReadOnly+131j ...
		add	esi, 8
		cmp	esi, [ebp+var_14]
		jb	short loc_4FBAEE
		mov	edi, [ebp+var_10]

loc_4FBB47:				; CODE XREF: MiMakeImageReadOnly+4Fj
		cmp	bl, 21h
		jz	loc_4FBAC4
		mov	ecx, [ebp+var_C]
		mov	dl, bl
		call	MiUnlockProtoPoolPage
		mov	bl, 21h
		mov	byte ptr [ebp+var_1], bl
		jmp	loc_4FBAC4
; 

loc_4FBB64:				; CODE XREF: MiMakeImageReadOnly+81j
		and	eax, 1
		or	eax, 0
		jnz	short loc_4FBB93
		and	ecx, 0FFFFFC3Fh
		or	ecx, 20h
		mov	[esi], ecx
		nop
		mov	eax, [ebp+var_8]
		mov	[esi+4], eax
		mov	ecx, [edx+8]
		mov	eax, [edx+0Ch]
		and	ecx, 0FFFFFC3Fh
		or	ecx, 20h
		mov	[edx+0Ch], eax
		mov	[edx+8], ecx

loc_4FBB93:				; CODE XREF: MiMakeImageReadOnly+D0j
		mov	ecx, 7FFFFFFFh
		lea	eax, [edx+10h]
		lock and [eax],	ecx
		jmp	short loc_4FBB3C
; 

loc_4FBBA0:				; CODE XREF: MiMakeImageReadOnly+5Aj
					; MiMakeImageReadOnly+63j
		cmp	bl, 21h
		jnz	short loc_4FBBD6

loc_4FBBA5:				; CODE XREF: MiMakeImageReadOnly+145j
					; MiMakeImageReadOnly+D8999j
		lea	edx, [ebp+var_1]
		mov	ecx, esi
		call	MiLockProtoPoolPage
		mov	edi, eax
		mov	[ebp+var_C], edi
		test	edi, edi
		jz	loc_5D4427
		mov	bl, byte ptr [ebp+var_1]
		jmp	loc_4FBB03
; 

loc_4FBBC4:				; CODE XREF: MiMakeImageReadOnly+8Aj
		mov	edx, [ebp+var_8]
		mov	eax, ecx
		or	eax, edx
		jz	loc_4FBB3C
		jmp	loc_5D4438
; 

loc_4FBBD6:				; CODE XREF: MiMakeImageReadOnly+109j
		mov	dl, bl
		mov	ecx, edi
		call	MiUnlockProtoPoolPage
		jmp	short loc_4FBBA5
MiMakeImageReadOnly endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTryDeleteTransitionPte(x,	x)
_MiTryDeleteTransitionPte@8 proc near	; CODE XREF: .text:00453B92p
					; .text:004723BFp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, ecx
		mov	edx, [esi]
		nop
		and	edx, 400h
		or	edx, 0
		jnz	short loc_4FBC13
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		test	eax, eax
		jz	short loc_4FBC13
		push	1
		push	21h
		mov	edx, eax
		mov	ecx, esi
		call	MiDeleteTransitionPte
		jmp	short loc_4FBC16
; 

loc_4FBC13:				; CODE XREF: MiTryDeleteTransitionPte(x,x)+17j
					; MiTryDeleteTransitionPte(x,x)+20j
		xor	eax, eax
		inc	eax

loc_4FBC16:				; CODE XREF: MiTryDeleteTransitionPte(x,x)+2Fj
		pop	esi
		leave
		retn
_MiTryDeleteTransitionPte@8 endp

; 
		align 2

CcInitializeVolumeCacheMap:		; CODE XREF: CcInitializeCacheMapEx+703p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, [ecx+8]
		xor	eax, eax
		mov	[ebp-4], edx
		push	esi
		push	edi
		lea	edi, [ebp-10h]
		stosd
		stosd
		stosd
		test	ebx, ebx
		jz	short loc_4FBCA0
		mov	ebx, [ebx+8]

loc_4FBC3A:				; CODE XREF: .text:004FBCA3j
		lea	edx, [ebp-10h]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, _CcVolumeCacheMapList
		mov	edi, offset _CcVolumeCacheMapList

loc_4FBC51:				; CODE XREF: .text:004FBC9Ej
		cmp	eax, edi
		jz	short loc_4FBCBF
		lea	esi, [eax-0Ch]
		cmp	[esi+8], ebx
		jnz	short loc_4FBC9C
		inc	dword ptr [esi+4]
		test	ds:byte_70EFC6,	1
		jnz	loc_5D444B
		mov	eax, [ebp-10h]
		test	eax, eax
		jnz	short loc_4FBCAD
		mov	edx, [ebp-0Ch]
		lea	eax, [ebp-10h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-10h]
		cmp	eax, ecx
		jnz	short loc_4FBCA5

loc_4FBC87:				; CODE XREF: .text:004FBCBDj
					; .text:005D4456j
		mov	cl, [ebp-8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4FBC90:				; CODE XREF: .text:004FBDB8j
					; .text:004FBDC3j
		mov	eax, [ebp-4]
		mov	[eax], esi

loc_4FBC95:				; CODE XREF: .text:005D44F0j
		xor	eax, eax

loc_4FBC97:				; CODE XREF: .text:005D448Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4FBC9C:				; CODE XREF: .text:004FBC5Bj
		mov	eax, [eax]
		jmp	short loc_4FBC51
; 

loc_4FBCA0:				; CODE XREF: .text:004FBC35j
		mov	ebx, [ecx+4]
		jmp	short loc_4FBC3A
; 

loc_4FBCA5:				; CODE XREF: .text:004FBC85j
		lea	ecx, [ebp-10h]
		call	KxWaitForLockChainValid

loc_4FBCAD:				; CODE XREF: .text:004FBC72j
		xor	ecx, ecx
		mov	dword ptr [ebp-10h], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4FBC87
; 

loc_4FBCBF:				; CODE XREF: .text:004FBC53j
		xor	esi, esi
		inc	esi
		test	ds:byte_70EFC6,	1
		jnz	loc_5D445B
		mov	eax, [ebp-10h]
		test	eax, eax
		jnz	loc_5D4473
		mov	edx, [ebp-0Ch]
		lea	eax, [ebp-10h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-10h]
		cmp	eax, ecx
		jnz	loc_5D446B

loc_4FBCF1:				; CODE XREF: .text:005D4466j
					; .text:005D4480j
		mov	cl, [ebp-8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	6D566343h
		mov	eax, 90h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5D4485
		push	90h
		push	0
		push	esi
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [esi], (offset loc_9002F3+5)
		inc	dword ptr [esi+4]
		lea	edx, [ebp-10h]
		mov	ecx, offset _CcMasterLock
		mov	[esi+8], ebx
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, _CcVolumeCacheMapList

loc_4FBD47:				; CODE XREF: .text:004FBD5Ej
		cmp	eax, edi
		jz	short loc_4FBD60
		lea	edi, [eax-0Ch]
		cmp	[edi+8], ebx
		jz	loc_5D448F
		mov	eax, [eax]
		mov	edi, offset _CcVolumeCacheMapList
		jmp	short loc_4FBD47
; 

loc_4FBD60:				; CODE XREF: .text:004FBD49j
		mov	ecx, dword_6CE6B4
		lea	eax, [esi+0Ch]
		cmp	[ecx], edi
		jnz	short loc_4FBDC8
		mov	[eax], edi
		mov	[eax+4], ecx
		mov	[ecx], eax
		test	ds:byte_70EFC6,	1
		mov	dword_6CE6B4, eax
		jnz	loc_5D44F5
		mov	eax, [ebp-10h]
		test	eax, eax
		jnz	loc_5D450D
		mov	edx, [ebp-0Ch]
		lea	eax, [ebp-10h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-10h]
		cmp	eax, ecx
		jnz	loc_5D4505

loc_4FBDA8:				; CODE XREF: .text:005D4500j
					; .text:005D451Dj
		mov	cl, [ebp-8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	_CcRegistryWatchInitComplete, 0
		jnz	loc_4FBC90
		call	CcSetupWatchForRegistryChanges
		jmp	loc_4FBC90
; 

loc_4FBDC8:				; CODE XREF: .text:004FBD6Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; 
; Exported entry 236. CcSetLogHandleForFileEx

		public CcSetLogHandleForFileEx
CcSetLogHandleForFileEx:
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [esp+1Ch]
		stosd
		stosd
		stosd
		mov	eax, [ebp+8]
		xor	edi, edi
		mov	[esp+18h], edi
		mov	eax, [eax+14h]
		mov	ebx, [eax+4]
		cmp	[ebx+4], edi
		jz	loc_5D4571
		mov	ecx, ebx
		call	CcGetPartition
		test	dword ptr [ebx+60h], 2000000h
		mov	esi, eax
		jnz	loc_5D4563
		lea	edx, [esp+1Ch]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	ds:byte_70EFC6,	21h
		lea	ecx, [esi+40h]
		mov	[esp+14h], ecx
		mov	[esp+10h], edi
		jnz	loc_5D4522
		lea	edx, [esp+10h]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	loc_4FBF8C

loc_4FBE4E:				; CODE XREF: .text:004FBF95j
					; .text:005D452Dj
		cmp	[ebx+98h], edi
		jnz	loc_4FBF49

loc_4FBE5A:				; CODE XREF: .text:004FBF67j
		cmp	[ebp+0Ch], edi
		jz	loc_4FBF9A
		lea	eax, [ebx+50h]
		cmp	[ebx+4Ch], edi
		jnz	loc_4FBF6C
		lea	ecx, [esi+10h]

loc_4FBE72:				; CODE XREF: .text:004FBF6Fj
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_4FC010
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		mov	edi, [ebx+164h]
		cmp	dword ptr [edi+18h], 0
		jz	loc_4FBFAC

loc_4FBE97:				; CODE XREF: .text:004FC00Bj
		mov	edx, [ebx+164h]
		mov	esi, 1000000h
		mov	eax, [ebx+60h]
		add	edx, 18h
		mov	[ebx+98h], edx
		test	eax, esi
		jnz	short loc_4FBEBD
		mov	ecx, [ebx+4Ch]
		test	ecx, ecx
		jnz	loc_5D4532

loc_4FBEBD:				; CODE XREF: .text:004FBEB0j
					; .text:005D453Cj
		or	eax, esi
		xor	edi, edi
		mov	[ebx+60h], eax

loc_4FBEC4:				; CODE XREF: .text:004FBFA7j
		xor	esi, esi
		inc	esi
		test	ds:byte_70EFC6,	1
		jnz	loc_5D4541
		mov	eax, [esp+10h]
		test	eax, eax
		jnz	loc_4FBF7D
		mov	edx, [esp+14h]
		lea	eax, [esp+10h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+10h]
		cmp	eax, ecx
		jnz	short loc_4FBF74

loc_4FBEF6:				; CODE XREF: .text:004FBF87j
					; .text:005D454Dj
		test	ds:byte_70EFC6,	1
		jnz	loc_5D4552
		mov	eax, [esp+1Ch]
		test	eax, eax
		jnz	short loc_4FBF3D
		mov	edx, [esp+20h]
		lea	eax, [esp+1Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+1Ch]
		cmp	eax, ecx
		jnz	short loc_4FBF34

loc_4FBF21:				; CODE XREF: .text:004FBF47j
					; .text:005D455Ej
		mov	cl, [esp+24h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_4FBF34:				; CODE XREF: .text:004FBF1Fj
		lea	ecx, [esp+1Ch]
		call	KxWaitForLockChainValid

loc_4FBF3D:				; CODE XREF: .text:004FBF09j
		mov	[esp+1Ch], edi
		add	eax, 4
		lock xor [eax],	esi
		jmp	short loc_4FBF21
; 

loc_4FBF49:				; CODE XREF: .text:004FBE54j
		lea	eax, [ebx+50h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_4FC010
		cmp	[ecx], eax
		jnz	loc_4FC010
		mov	[ecx], edx
		mov	[edx+4], ecx
		jmp	loc_4FBE5A
; 

loc_4FBF6C:				; CODE XREF: .text:004FBE69j
		lea	ecx, [esi+30h]
		jmp	loc_4FBE72
; 

loc_4FBF74:				; CODE XREF: .text:004FBEF4j
		lea	ecx, [esp+10h]
		call	KxWaitForLockChainValid

loc_4FBF7D:				; CODE XREF: .text:004FBEDAj
		mov	[esp+10h], edi
		add	eax, 4
		lock xor [eax],	esi
		jmp	loc_4FBEF6
; 

loc_4FBF8C:				; CODE XREF: .text:004FBE48j
		lea	ecx, [esp+10h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4FBE4E
; 

loc_4FBF9A:				; CODE XREF: .text:004FBE5Dj
		and	dword ptr [ebx+60h], 0FEFFFFFFh
		mov	[ebx+98h], edi
		jmp	loc_4FBEC4
; 

loc_4FBFAC:				; CODE XREF: .text:004FBE91j
		push	68h
		lea	eax, [esp+2Ch]
		push	0
		push	eax
		call	_memset
		mov	eax, [ebp+14h]
		add	esp, 0Ch
		or	dword ptr [esp+80h], 0FFFFFFFFh
		or	dword ptr [esp+84h], 0FFFFFFFFh
		mov	esi, [ebp+18h]
		mov	[esp+30h], eax
		mov	eax, [ebp+10h]
		mov	[esp+2Ch], eax
		mov	eax, [ebp+0Ch]
		mov	[esp+28h], eax
		test	esi, esi
		jz	short loc_4FBFFF
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	edi, [ebx+164h]
		mov	[esp+78h], esi

loc_4FBFFF:				; CODE XREF: .text:004FBFE7j
		push	1Ah
		add	edi, 18h
		lea	esi, [esp+2Ch]
		pop	ecx
		rep movsd
		jmp	loc_4FBE97
; 

loc_4FC010:				; CODE XREF: .text:004FBE77j
					; .text:004FBF54j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 333. ExConvertExclusiveToSharedLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExConvertExclusiveToSharedLite
ExConvertExclusiveToSharedLite proc near ; CODE	XREF: FsRtlAcquireFileForModWriteEx+1193C1p
					; PspAllocateAndQueryNotificationChannel+9Ap ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D4585 SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		movzx	eax, word ptr [esi+0Eh]
		mov	ecx, eax
		mov	edx, eax
		and	ecx, 1
		jnz	loc_5D4585

loc_4FC034:				; CODE XREF: ExConvertExclusiveToSharedLite+D856Dj
		test	cx, cx
		jnz	short loc_4FC049

loc_4FC039:				; CODE XREF: ExConvertExclusiveToSharedLite+D85B0j
		mov	ecx, esi
		test	al, 1
		jnz	short loc_4FC063
		call	ExpConvertExclusiveToSharedLite

loc_4FC044:				; CODE XREF: ExConvertExclusiveToSharedLite+4Ej
		pop	esi
		pop	ebp
		retn	4
; 

loc_4FC049:				; CODE XREF: ExConvertExclusiveToSharedLite+1Dj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edx, large fs:124h
		cmp	al, 1
		ja	loc_5D45A5
		jmp	loc_5D45B1
; 

loc_4FC063:				; CODE XREF: ExConvertExclusiveToSharedLite+23j
		call	_ExpFastResourceLegacyConvertExclusiveToShared@4 ; ExpFastResourceLegacyConvertExclusiveToShared(x)
		jmp	short loc_4FC044
ExConvertExclusiveToSharedLite endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpConvertExclusiveToSharedLite	proc near ; CODE XREF: ExConvertExclusiveToSharedLite+25p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D45CF SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		lea	edx, [ebp+var_10]
		mov	esi, ecx
		stosd
		lea	ecx, [esi+34h]
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edi, [esi+28h]
		mov	eax, 0FF7Fh
		and	[esi+0Eh], ax
		mov	eax, [esi+10h]
		and	dword ptr [esi+10h], 0
		and	dword ptr [esi+28h], 0
		add	[esi+20h], edi
		test	ds:byte_70EFC6,	1
		mov	bl, [esi+0Fh]
		mov	[ebp+var_4], eax
		jnz	loc_5D45CF
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_4FC117
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	short loc_4FC10F

loc_4FC0D1:				; CODE XREF: ExpConvertExclusiveToSharedLite+BDj
					; ExpConvertExclusiveToSharedLite+D8570j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		call	KeWakeWaitChain
		test	edi, edi
		jnz	short loc_4FC0F6

loc_4FC0EA:				; CODE XREF: ExpConvertExclusiveToSharedLite+8Ej
					; ExpConvertExclusiveToSharedLite+A3j
		inc	large dword ptr	fs:41F4h
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4FC0F6:				; CODE XREF: ExpConvertExclusiveToSharedLite+7Ej
		test	bl, bl
		jz	short loc_4FC0EA
		mov	eax, large fs:124h
		mov	edx, 0FF00h
		push	eax
		mov	ecx, esi
		call	ExpApplyPriorityBoost
		jmp	short loc_4FC0EA
; 

loc_4FC10F:				; CODE XREF: ExpConvertExclusiveToSharedLite+65j
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid

loc_4FC117:				; CODE XREF: ExpConvertExclusiveToSharedLite+52j
		xor	ecx, ecx
		mov	[ebp+var_10], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4FC0D1
ExpConvertExclusiveToSharedLite	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpArmDelayedCloseTimer()
_CmpArmDelayedCloseTimer@0 proc	near	; CODE XREF: PAGE:007C6C93j
					; PAGE:0081800Ap
		xor	eax, eax
		mov	ecx, offset _CmpDelayCloseWorkItemActive
		inc	eax
		xchg	eax, [ecx]
		test	eax, eax
		jnz	short locret_4FC144
		push	1
		push	offset _CmpDelayCloseWorkItem
		call	ExQueueWorkItem

locret_4FC144:				; CODE XREF: CmpArmDelayedCloseTimer()+Cj
		retn
_CmpArmDelayedCloseTimer@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


sub_4FC146	proc near		; CODE XREF: IopAllocateFileObjectExtension+5Cp
					; IopSetLockOperationProcess+50p ...

; FUNCTION CHUNK AT 005D45DF SIZE 00000038 BYTES

		cmp	_ViVerifierEnabled, 0
		jnz	loc_5D45DF

loc_4FC153:				; CODE XREF: sub_4FC146+D84ACj
		push	20206F49h
		push	edx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
sub_4FC146	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPaeCheckProcessShadow	proc near	; CODE XREF: MiGetVadWakeList+184p
					; MiDeleteVad(x,x,x)+2CDp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D4617 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, large fs:124h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_14], ecx
		cmp	dword_6D07D0, 0C0000000h
		mov	eax, [eax+80h]
		push	esi
		sbb	esi, esi
		push	edi
		mov	edx, [eax+194h]
		add	esi, 3
		lea	edi, [edx+20h]

loc_4FC198:				; CODE XREF: MiPaeCheckProcessShadow+8Bj
		mov	eax, [edx]
		mov	[ebp+var_4], eax
		nop
		mov	eax, [edx+4]
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		mov	ecx, [edi]
		mov	[ebp+var_10], eax
		nop
		mov	eax, [edi+4]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_4]
		and	eax, 1
		or	eax, 0
		jz	loc_5D4617
		or	[ebp+var_4], 20h
		or	ecx, 20h
		mov	eax, [ebp+var_4]
		cmp	eax, ecx
		jnz	loc_5D4632
		mov	eax, [ebp+var_10]
		cmp	eax, [ebp+var_8]
		mov	eax, [ebp+var_4]
		jnz	loc_5D4632

loc_4FC1E5:				; CODE XREF: MiPaeCheckProcessShadow+D84B8j
		inc	ebx
		add	edx, 8
		add	edi, 8
		sub	esi, 1
		jnz	short loc_4FC198
		or	eax, 0FFFFFFFFh

loc_4FC1F4:				; CODE XREF: MiPaeCheckProcessShadow+D84E5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiPaeCheckProcessShadow	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpWaitForSingleObject(x,	x, x, x, x)
_AlpcpWaitForSingleObject@20 proc near	; CODE XREF: AlpcpCompleteDeferSignalRequestAndWait(x,x,x,x,x)+2Bp
					; PAGE:0082FE20p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	esi
		push	edi
		call	KeWaitForSingleObject
		mov	ecx, large fs:124h
		mov	esi, eax
		dec	word ptr [ecx+13Ch]
		nop
		cmp	_AlpcpLogEnabled, 0
		jnz	short loc_4FC23C

loc_4FC234:				; CODE XREF: AlpcpWaitForSingleObject(x,x,x,x,x)+49j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_4FC23C:				; CODE XREF: AlpcpWaitForSingleObject(x,x,x,x,x)+38j
		mov	ecx, esi
		call	_AlpcpLogUnwait@4 ; AlpcpLogUnwait(x)
		jmp	short loc_4FC234
_AlpcpWaitForSingleObject@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeFlushCurrentTbOnly proc near		; CODE XREF: .text:00453EBBp
					; MiAgeWorkingSetTail+FDp ...

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D464E SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	byte ptr [ebp+var_4], 0
		stosd
		mov	esi, ecx
		mov	edx, esi
		mov	cl, 1
		stosd
		stosd
		call	KiHypercallForLocalFlush
		mov	ecx, esi
		test	al, al
		jnz	loc_5D464E
		call	KiFlushCurrentTbOnly

loc_4FC27A:				; CODE XREF: KeFlushCurrentTbOnly+D8429j
		pop	edi
		pop	esi
		leave
		retn
KeFlushCurrentTbOnly endp


;  S U B	R O U T	I N E 


KiFlushCurrentTbOnly proc near		; CODE XREF: KeFlushCurrentTbOnly+2Fp
					; KeFlushTb+12A239p

; FUNCTION CHUNK AT 005D4674 SIZE 00000016 BYTES

		cmp	ds:_KiKvaShadow, 0
		jz	loc_5D4674
		sub	ecx, 0
		jnz	short loc_4FC297

loc_4FC290:				; CODE XREF: KiFlushCurrentTbOnly+21j
					; KiFlushCurrentTbOnly+D8407j
		mov	eax, cr3
		mov	cr3, eax
		retn
; 

loc_4FC297:				; CODE XREF: KiFlushCurrentTbOnly+10j
		sub	ecx, 1
		jz	short loc_4FC2A1
		sub	ecx, 1
		jz	short loc_4FC290

loc_4FC2A1:				; CODE XREF: KiFlushCurrentTbOnly+1Cj
					; KiFlushCurrentTbOnly+D83F8j ...
		jmp	_KeFlushCurrentTb@0 ; KeFlushCurrentTb()
KiFlushCurrentTbOnly endp


;  S U B	R O U T	I N E 


KiHypercallForLocalFlush proc near	; CODE XREF: KeFlushCurrentTbOnly+20p

; FUNCTION CHUNK AT 005D468A SIZE 0000001E BYTES

		mov	eax, ds:_HvlEnlightenments
		test	eax, (offset loc_7FFFFF+1)
		jnz	loc_5D468A

loc_4FC2B6:				; CODE XREF: KiHypercallForLocalFlush+D83EAj
					; KiHypercallForLocalFlush+D83F9j
		xor	al, al
		retn
KiHypercallForLocalFlush endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiSelectActiveTimerTable(x,	x)
_KiSelectActiveTimerTable@8 proc near	; CODE XREF: KiRetireDpcList+417p
					; KiSetSystemTimeDpc+60p ...
		cmp	ds:_KiSerializeTimerExpiration,	0
		jz	short loc_4FC2DE
		test	dl, dl
		jz	short loc_4FC2D0
		cmp	byte ptr [ecx+3D0h], 0
		jz	short loc_4FC2DB

loc_4FC2D0:				; CODE XREF: KiSelectActiveTimerTable(x,x)+Bj
		mov	eax, ds:_KiProcessorBlock
		add	eax, 2260h
		retn
; 

loc_4FC2DB:				; CODE XREF: KiSelectActiveTimerTable(x,x)+14j
		xor	eax, eax
		retn
; 

loc_4FC2DE:				; CODE XREF: KiSelectActiveTimerTable(x,x)+7j
		lea	eax, [ecx+2260h]
		retn
_KiSelectActiveTimerTable@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiHyperPage(x)
_MiHyperPage@4	proc near		; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+27Fp
					; MiActivePageClaimCandidate(x,x,x,x)+467p
		mov	eax, dword_6D2E8C
		mov	edx, dword_6D2E88
		push	esi
		push	edi
		shr	eax, 9
		mov	edi, offset loc_7FFFF8
		shr	edx, 9
		and	eax, edi
		mov	esi, 40000000h
		and	edx, edi
		push	ecx
		sub	eax, esi
		sub	edx, esi
		push	eax
		call	_MiPageInRange@16 ; MiPageInRange(x,x,x,x)
		pop	edi
		pop	esi
		retn
_MiHyperPage@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPageInRange(x, x,	x, x)
_MiPageInRange@16 proc near		; CODE XREF: MiHyperPage(x)+27p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+4]
		mov	ecx, 0C0000000h
		push	esi
		xor	esi, esi
		or	eax, 80000000h
		jmp	short loc_4FC342
; 

loc_4FC32D:				; CODE XREF: MiPageInRange(x,x,x,x)+2Ej
		cmp	eax, 0C07FFFFFh
		ja	short loc_4FC346
		cmp	eax, edx
		jnb	short loc_4FC34D

loc_4FC338:				; CODE XREF: MiPageInRange(x,x,x,x)+3Aj
		inc	esi
		shl	eax, 9
		and	edx, 0FFFFF000h

loc_4FC342:				; CODE XREF: MiPageInRange(x,x,x,x)+15j
		cmp	eax, ecx
		jnb	short loc_4FC32D

loc_4FC346:				; CODE XREF: MiPageInRange(x,x,x,x)+1Cj
		xor	eax, eax

loc_4FC348:				; CODE XREF: MiPageInRange(x,x,x,x)+44j
		pop	esi
		pop	ebp
		retn	8
; 

loc_4FC34D:				; CODE XREF: MiPageInRange(x,x,x,x)+20j
		cmp	eax, [ebp+arg_0]
		ja	short loc_4FC338
		xor	eax, eax
		test	esi, esi
		setnz	al
		inc	eax
		jmp	short loc_4FC348
_MiPageInRange@16 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1963. RtlAreBitsSet

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAreBitsSet(x, x,	x)
		public _RtlAreBitsSet@12
_RtlAreBitsSet@12 proc near		; CODE XREF: MiReleaseDriverPtes+ACp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		mov	eax, [ecx]
		cmp	esi, eax
		jnb	loc_4FC409
		push	edi
		mov	edi, [ebp+arg_8]
		cmp	edi, 1
		jbe	short loc_4FC3FC
		sub	eax, esi
		cmp	eax, edi
		jb	loc_4FC40D
		mov	ecx, [ecx+4]
		mov	eax, esi
		shr	eax, 5
		push	ebx
		lea	ebx, [edi-1]
		add	ebx, esi
		lea	edx, [ecx+eax*4]
		mov	[ebp+arg_4], ebx
		mov	eax, ebx
		mov	ebx, [edx]
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	[ebp+arg_0], eax
		cmp	edx, eax
		jnz	short loc_4FC3CC
		push	20h
		pop	ecx
		sub	ecx, edi
		or	eax, 0FFFFFFFFh
		shr	eax, cl
		mov	ecx, esi
		shl	eax, cl
		and	ebx, eax
		cmp	ebx, eax

loc_4FC3C2:				; CODE XREF: RtlAreBitsSet(x,x,x)+98j
		setz	al

loc_4FC3C5:				; CODE XREF: RtlAreBitsSet(x,x,x)+89j
		pop	ebx

loc_4FC3C6:				; CODE XREF: RtlAreBitsSet(x,x,x)+A5j
					; RtlAreBitsSet(x,x,x)+ADj
		pop	edi

loc_4FC3C7:				; CODE XREF: RtlAreBitsSet(x,x,x)+A9j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_4FC3CC:				; CODE XREF: RtlAreBitsSet(x,x,x)+4Cj
		or	edi, 0FFFFFFFFh
		mov	ecx, esi
		mov	eax, edi
		shl	eax, cl
		and	ebx, eax
		cmp	ebx, eax
		jnz	short loc_4FC3E9
		mov	eax, [ebp+arg_0]

loc_4FC3DE:				; CODE XREF: RtlAreBitsSet(x,x,x)+85j
		add	edx, 4
		cmp	edx, eax
		jz	short loc_4FC3ED
		cmp	[edx], edi
		jz	short loc_4FC3DE

loc_4FC3E9:				; CODE XREF: RtlAreBitsSet(x,x,x)+77j
		xor	al, al
		jmp	short loc_4FC3C5
; 

loc_4FC3ED:				; CODE XREF: RtlAreBitsSet(x,x,x)+81j
		mov	ecx, [ebp+arg_4]
		mov	eax, [edx]
		not	ecx
		shr	edi, cl
		and	eax, edi
		cmp	eax, edi
		jmp	short loc_4FC3C2
; 

loc_4FC3FC:				; CODE XREF: RtlAreBitsSet(x,x,x)+1Dj
		jnz	short loc_4FC40D
		mov	eax, [ecx+4]
		bt	[eax], esi
		setb	al
		jmp	short loc_4FC3C6
; 

loc_4FC409:				; CODE XREF: RtlAreBitsSet(x,x,x)+10j
		xor	al, al
		jmp	short loc_4FC3C7
; 

loc_4FC40D:				; CODE XREF: RtlAreBitsSet(x,x,x)+23j
					; RtlAreBitsSet(x,x,x):loc_4FC3FCj
		xor	al, al
		jmp	short loc_4FC3C6
_RtlAreBitsSet@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAccessCheckByType(x, x, x, x, x, x, x, x,	x, x, x)
_NtAccessCheckByType@44	proc near	; DATA XREF: .text:005812A4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_28]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_24]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_SeAccessCheckByType@48	; SeAccessCheckByType(x,x,x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	2Ch
_NtAccessCheckByType@44	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall KeCopyExceptionRecord(void *)
_KeCopyExceptionRecord@8 proc near	; CODE XREF: DbgkForwardException+F4p
					; DbgkpSendErrorMessage+1E8p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	50h		; size_t
		mov	edi, ecx
		mov	ebx, edx
		push	0		; int
		push	edi		; void *
		mov	[ebp+var_4], edi
		call	_memset
		push	5
		pop	ecx
		mov	esi, ebx
		rep movsd
		mov	eax, [ebx+10h]
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [ebx+14h]
		push	eax		; void *
		mov	eax, [ebp+var_4]
		add	eax, 14h
		push	eax		; void *
		call	_memcpy
		add	esp, 18h
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KeCopyExceptionRecord@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 212. CcIsThereDirtyLoggedPages

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcIsThereDirtyLoggedPages
CcIsThereDirtyLoggedPages proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D46A8 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		lea	edx, [ebp+var_18]
		xor	eax, eax
		mov	ecx, offset _CcMasterLock
		push	ebx
		push	edi
		lea	edi, [ebp+var_18]
		xor	bl, bl
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, ds:_PspSystemPartition
		mov	edi, offset _CcVolumeCacheMapList
		mov	ecx, _CcVolumeCacheMapList
		mov	edx, [eax+4]
		cmp	ecx, edi
		jz	short loc_4FC541
		mov	eax, [ebp+arg_0]
		push	esi

loc_4FC4CE:				; CODE XREF: CcIsThereDirtyLoggedPages+52j
		lea	esi, [ecx-0Ch]
		cmp	[esi+8], eax
		jz	short loc_4FC4DE
		mov	ecx, [ecx]
		xor	esi, esi
		cmp	ecx, edi
		jnz	short loc_4FC4CE

loc_4FC4DE:				; CODE XREF: CcIsThereDirtyLoggedPages+4Aj
		test	esi, esi
		jz	short loc_4FC540
		and	[ebp+var_C], 0
		lea	eax, [edx+40h]
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_8], eax
		jnz	loc_4FC5D5
		lea	edx, [ebp+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_4FC591

loc_4FC506:				; CODE XREF: CcIsThereDirtyLoggedPages+10Fj
					; CcIsThereDirtyLoggedPages+155j
		mov	edx, [esi+24h]
		test	edx, edx
		jnz	short loc_4FC579
		cmp	[esi+88h], edx
		jnz	short loc_4FC579

loc_4FC515:				; CODE XREF: CcIsThereDirtyLoggedPages+105j
		test	ds:byte_70EFC6,	1
		jnz	loc_5D46A8
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_4FC5C0
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_4FC5B8

loc_4FC540:				; CODE XREF: CcIsThereDirtyLoggedPages+56j
					; CcIsThereDirtyLoggedPages+146j ...
		pop	esi

loc_4FC541:				; CODE XREF: CcIsThereDirtyLoggedPages+3Ej
		test	ds:byte_70EFC6,	1
		jnz	loc_5D46B8
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_4FC5A6
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	short loc_4FC59E

loc_4FC568:				; CODE XREF: CcIsThereDirtyLoggedPages+12Cj
					; CcIsThereDirtyLoggedPages+D8239j
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	al, bl
		pop	ebx
		leave
		retn	8
; 

loc_4FC579:				; CODE XREF: CcIsThereDirtyLoggedPages+81j
					; CcIsThereDirtyLoggedPages+89j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_4FC58A
		mov	eax, [esi+88h]
		add	eax, edx
		mov	[ecx], eax

loc_4FC58A:				; CODE XREF: CcIsThereDirtyLoggedPages+F4j
		xor	eax, eax
		lea	ebx, [eax+1]
		jmp	short loc_4FC515
; 

loc_4FC591:				; CODE XREF: CcIsThereDirtyLoggedPages+76j
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4FC506
; 

loc_4FC59E:				; CODE XREF: CcIsThereDirtyLoggedPages+DCj
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_4FC5A6:				; CODE XREF: CcIsThereDirtyLoggedPages+C9j
		lea	ecx, [eax+4]
		mov	[ebp+var_18], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax
		jmp	short loc_4FC568
; 

loc_4FC5B8:				; CODE XREF: CcIsThereDirtyLoggedPages+B4j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_4FC5C0:				; CODE XREF: CcIsThereDirtyLoggedPages+9Dj
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4FC540
; 

loc_4FC5D5:				; CODE XREF: CcIsThereDirtyLoggedPages+69j
		mov	edx, eax
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4FC506
CcIsThereDirtyLoggedPages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtWorkerFactoryWorkerReady proc	near	; DATA XREF: .text:00580B88o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D46C8 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+20h+var_C]
		stosd
		lea	ecx, [esp+20h+var_14]
		push	0
		push	ecx
		stosd
		stosd
		mov	eax, large fs:124h
		and	[esp+28h+var_14], 0
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+28h+var_10], al
		push	[esp+28h+var_10]
		mov	eax, ds:_ExpWorkerFactoryObjectType
		push	eax
		push	10h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_4FC6A5
		mov	esi, [esp+20h+var_14]
		lea	edx, [esp+20h+var_C]
		mov	ecx, [esi+4]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esi+60h]
		test	eax, eax
		jz	loc_5D46C8
		dec	eax
		mov	[esi+60h], eax
		mov	eax, [esi+58h]
		test	eax, eax
		jz	short loc_4FC6CF
		dec	eax
		inc	dword ptr [esi+50h]
		inc	dword ptr [esi+54h]
		mov	[esi+58h], eax

loc_4FC660:				; CODE XREF: NtWorkerFactoryWorkerReady+F0j
					; NtWorkerFactoryWorkerReady+D80E9j
		test	ds:byte_70EFC6,	1
		jnz	loc_5D46D2
		mov	eax, [esp+20h+var_C]
		test	eax, eax
		jnz	short loc_4FC6BC
		mov	edx, [esp+20h+var_8]
		lea	eax, [esp+20h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+20h+var_C]
		cmp	eax, ecx
		jnz	short loc_4FC6AF

loc_4FC68B:				; CODE XREF: NtWorkerFactoryWorkerReady+D80FAj
		mov	esi, [esp+20h+var_14]

loc_4FC68F:				; CODE XREF: NtWorkerFactoryWorkerReady+E9j
		mov	cl, [esp+20h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_4FC6A5:				; CODE XREF: NtWorkerFactoryWorkerReady+4Aj
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4FC6AF:				; CODE XREF: NtWorkerFactoryWorkerReady+A5j
		lea	ecx, [esp+20h+var_C]
		call	KxWaitForLockChainValid
		mov	esi, [esp+20h+var_14]

loc_4FC6BC:				; CODE XREF: NtWorkerFactoryWorkerReady+8Fj
		xor	ecx, ecx
		mov	[esp+20h+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_4FC68F
; 

loc_4FC6CF:				; CODE XREF: NtWorkerFactoryWorkerReady+70j
		mov	edi, 0C000010Ah
		jmp	short loc_4FC660
NtWorkerFactoryWorkerReady endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiWaitForAllObjects proc near		; CODE XREF: KeWaitForMultipleObjects+70Dp

var_15A		= byte ptr -15Ah
var_159		= byte ptr -159h
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005D46E3 SIZE 000001B7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 15Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+15Ch+var_4], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		push	edi
		mov	[esp+168h+var_128], eax
		mov	ebx, edx
		xor	eax, eax
		mov	[esp+168h+var_144], ebx
		push	0FCh		; size_t
		push	eax		; int
		mov	[esp+170h+var_120], eax
		mov	esi, ecx
		mov	[esp+170h+var_11C], eax
		lea	eax, [esp+170h+var_10C]
		push	eax		; void *
		mov	[esp+174h+var_150], esi
		call	_memset
		mov	eax, [ebx]
		add	esp, 0Ch
		and	[esp+168h+var_12C], 0
		mov	[esp+168h+var_110], eax
		xor	eax, eax
		inc	eax
		cmp	esi, eax
		jbe	short loc_4FC75E
		lea	ecx, [esp+168h+var_110]

loc_4FC73B:				; CODE XREF: KiWaitForAllObjects+86j
		mov	edx, [ebx+eax*4]
		mov	edi, eax
		mov	ebx, [ecx]
		mov	[esp+168h+var_140], edx
		cmp	ebx, edx
		ja	loc_4FC9EB

loc_4FC74E:				; CODE XREF: KiWaitForAllObjects+32Ej
		mov	ebx, [esp+168h+var_144]
		inc	eax
		add	ecx, 4
		mov	[esp+edi*4+168h+var_110], edx
		cmp	eax, esi
		jb	short loc_4FC73B

loc_4FC75E:				; CODE XREF: KiWaitForAllObjects+5Fj
		mov	ebx, large fs:124h
		lea	eax, [esp+168h+var_12C]
		mov	edx, [ebp+arg_C]
		mov	ecx, ebx
		push	eax
		lea	eax, [esp+16Ch+var_120]
		mov	[esp+16Ch+var_140], ebx
		push	eax
		push	0
		call	_KiCheckWaitNext@20 ; KiCheckWaitNext(x,x,x,x,x)
		mov	byte ptr [esp+168h+var_130], al

loc_4FC783:				; CODE XREF: KiWaitForAllObjects+266j
		push	[ebp+arg_8]
		mov	dl, [ebp+arg_4]
		mov	ecx, ebx
		push	[ebp+arg_0]
		call	KiBeginThreadWait
		mov	edi, eax
		test	edi, edi
		jnz	loc_4FC98D
		mov	eax, large fs:20h
		and	[esp+168h+var_148], edi
		and	[esp+168h+var_158], edi
		mov	edi, [esp+168h+var_110]
		mov	ecx, edi
		mov	[esp+168h+var_154], eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	ecx, [esp+168h+var_150]
		xor	esi, esi
		inc	esi
		cmp	ecx, esi
		jbe	short loc_4FC7DF

loc_4FC7C5:				; CODE XREF: KiWaitForAllObjects+107j
		mov	eax, [esp+esi*4+168h+var_110]
		cmp	eax, edi
		jz	short loc_4FC7DA
		mov	edi, eax
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	ecx, [esp+168h+var_150]

loc_4FC7DA:				; CODE XREF: KiWaitForAllObjects+F5j
		inc	esi
		cmp	esi, ecx
		jb	short loc_4FC7C5

loc_4FC7DF:				; CODE XREF: KiWaitForAllObjects+EDj
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_4FC825
		mov	esi, [esp+168h+var_128]
		add	esi, 9

loc_4FC7EC:				; CODE XREF: KiWaitForAllObjects+14Dj
		mov	eax, [esp+168h+var_144]
		xor	ebx, ebx
		mov	edx, [eax+edi*4]
		mov	[esi+1], bx
		mov	ebx, [esp+168h+var_140]
		mov	byte ptr [esi-1], 0
		mov	byte ptr [esi],	4
		test	ebx, ebx
		jz	short loc_4FC80B
		mov	[esi+3], ebx

loc_4FC80B:				; CODE XREF: KiWaitForAllObjects+130j
		mov	[esi+7], edx
		add	esi, 18h
		mov	edx, [eax+edi*4]
		mov	al, [edx]
		and	al, 7Fh
		cmp	al, 2
		jz	loc_4FC9A6

loc_4FC820:				; CODE XREF: KiWaitForAllObjects+2D4j
					; KiWaitForAllObjects+D8025j
		inc	edi
		cmp	edi, ecx
		jb	short loc_4FC7EC

loc_4FC825:				; CODE XREF: KiWaitForAllObjects+10Dj
		xor	esi, esi
		and	[ebx+94h], esi
		mov	[ebx+248h], esi

loc_4FC833:				; CODE XREF: KiWaitForAllObjects+179j
		mov	eax, [esp+168h+var_144]
		mov	edx, [eax+esi*4]
		mov	al, [edx]
		and	al, 7Fh
		cmp	al, 2
		jz	loc_4FC9B5
		cmp	dword ptr [edx+4], 0
		jle	short loc_4FC851

loc_4FC84C:				; CODE XREF: KiWaitForAllObjects+300j
					; KiWaitForAllObjects+D806Bj
		inc	esi
		cmp	esi, ecx
		jb	short loc_4FC833

loc_4FC851:				; CODE XREF: KiWaitForAllObjects+174j
					; KiWaitForAllObjects+30Aj ...
		cmp	esi, ecx
		jz	loc_4FC941
		push	[esp+168h+var_11C]
		mov	edx, [esp+16Ch+var_12C]
		mov	ecx, ebx
		push	[esp+16Ch+var_120]
		call	KiCheckDueTimeExpired
		mov	edx, [esp+168h+var_150]
		test	eax, eax
		jnz	loc_5D4878
		xor	edi, edi
		test	edx, edx
		jz	short loc_4FC8A5
		mov	eax, [esp+168h+var_128]

loc_4FC882:				; CODE XREF: KiWaitForAllObjects+1CDj
		mov	ecx, [eax+10h]
		add	ecx, 8
		mov	esi, [ecx+4]
		cmp	[esi], ecx
		jnz	loc_4FCA50
		mov	[eax], ecx
		inc	edi
		mov	[eax+4], esi
		mov	[esi], eax
		mov	[ecx+4], eax
		add	eax, 18h
		cmp	edi, edx
		jb	short loc_4FC882

loc_4FC8A5:				; CODE XREF: KiWaitForAllObjects+1A6j
		lea	ecx, [esp+168h+var_110]
		call	@KiUnlockKobjectArray@8	; KiUnlockKobjectArray(x,x)
		mov	ecx, [esp+168h+var_148]
		xor	esi, esi
		and	[esp+168h+var_154], esi
		mov	eax, ecx
		mov	[ebx+16Bh], dl
		mov	edx, [esp+168h+var_158]
		or	eax, edx
		mov	[esp+168h+var_138], esi
		jnz	loc_5D4746

loc_4FC8D0:				; CODE XREF: KiWaitForAllObjects+375j
		mov	edx, [esp+168h+var_128]
		mov	ecx, ebx
		push	0
		push	[esp+16Ch+var_11C]
		push	[esp+170h+var_120]
		push	[esp+174h+var_12C]
		call	KiCommitThreadWait
		mov	edi, eax
		mov	[esp+168h+var_124], edi
		test	edi, edi
		js	short loc_4FC8FC
		cmp	edi, 3Fh
		jle	loc_5D47B7

loc_4FC8FC:				; CODE XREF: KiWaitForAllObjects+21Bj
		lea	eax, [edi-80h]
		cmp	eax, 3Fh
		jbe	loc_5D47B7
		mov	[esp+168h+var_159], 0

loc_4FC90D:				; CODE XREF: KiWaitForAllObjects+D80E6j
		mov	eax, esi
		mov	dword ptr [ebx+248h], 0
		or	eax, [esp+168h+var_154]
		jnz	loc_5D47C1

loc_4FC923:				; CODE XREF: KiWaitForAllObjects+D819Dj
		cmp	edi, 100h
		jnz	short loc_4FC98D
		mov	byte ptr [esp+168h+var_130], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebx+92h], al
		jmp	loc_4FC783
; 

loc_4FC941:				; CODE XREF: KiWaitForAllObjects+17Dj
		xor	esi, esi
		test	ecx, ecx
		jz	short loc_4FC963
		mov	edi, [esp+168h+var_154]

loc_4FC94B:				; CODE XREF: KiWaitForAllObjects+28Bj
		mov	eax, [esp+168h+var_144]
		mov	edx, ebx
		push	edi
		mov	ecx, [eax+esi*4]
		call	KiWaitSatisfyAny
		mov	ecx, [esp+168h+var_150]
		inc	esi
		cmp	esi, ecx
		jb	short loc_4FC94B

loc_4FC963:				; CODE XREF: KiWaitForAllObjects+26Fj
		mov	edx, ecx
		lea	ecx, [esp+168h+var_110]
		call	@KiUnlockKobjectArray@8	; KiUnlockKobjectArray(x,x)
		mov	edi, [ebx+94h]
		mov	edx, ebx
		push	[esp+168h+var_130]
		mov	ecx, [esp+16Ch+var_154]
		mov	dword ptr [ebx+248h], 0
		call	_KiFastExitThreadWait@12 ; KiFastExitThreadWait(x,x,x)

loc_4FC98D:				; CODE XREF: KiWaitForAllObjects+C1j
					; KiWaitForAllObjects+253j ...
		mov	ecx, [esp+168h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_4FC9A6:				; CODE XREF: KiWaitForAllObjects+144j
		test	byte ptr [edx+1Ch], 2
		jz	loc_4FC820
		jmp	loc_5D46E3
; 

loc_4FC9B5:				; CODE XREF: KiWaitForAllObjects+16Aj
		mov	edi, [esp+168h+var_154]
		mov	al, [edi+223Ah]
		mov	ecx, [edx+18h]
		cmp	ebx, ecx
		mov	[esp+168h+var_14C], ecx
		mov	ecx, [esp+168h+var_150]
		jz	loc_5D4700

loc_4FC9D2:				; CODE XREF: KiWaitForAllObjects+D802Dj
					; KiWaitForAllObjects+D803Aj
		cmp	dword ptr [edx+4], 0
		jg	loc_4FC84C
		cmp	ebx, [esp+168h+var_14C]
		jnz	loc_4FC851
		jmp	loc_5D4738
; 

loc_4FC9EB:				; CODE XREF: KiWaitForAllObjects+72j
		mov	edx, ecx

loc_4FC9ED:				; CODE XREF: KiWaitForAllObjects+328j
		mov	[edx+4], ebx
		lea	edx, [edx-4]
		sub	edi, 1
		jz	short loc_4FCA00
		mov	ebx, [edx]
		cmp	ebx, [esp+168h+var_140]
		ja	short loc_4FC9ED

loc_4FCA00:				; CODE XREF: KiWaitForAllObjects+320j
		mov	edx, [esp+168h+var_140]
		jmp	loc_4FC74E
; 

loc_4FCA09:				; CODE XREF: KiWaitForAllObjects+D8086j
					; KiWaitForAllObjects+D8093j ...
		xor	eax, eax
		xor	edx, edx
		inc	eax
		call	__allshl
		mov	ecx, edx
		mov	[esp+168h+var_114], eax
		mov	[esp+168h+var_124], ecx
		not	eax
		and	[esp+168h+var_148], eax
		not	ecx
		and	[esp+168h+var_158], ecx
		xor	edx, edx
		mov	ecx, [esp+168h+var_134]
		push	0
		mov	ecx, [ebx+ecx*4]
		call	KeAbPreAcquire
		mov	esi, [esp+168h+var_138]
		mov	edi, eax
		test	edi, edi
		jnz	loc_5D477B

loc_4FCA47:				; CODE XREF: KiWaitForAllObjects+D80DCj
		mov	ebx, [esp+168h+var_140]
		jmp	loc_4FC8D0
; 

loc_4FCA50:				; CODE XREF: KiWaitForAllObjects+1B7j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
KiWaitForAllObjects endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiWaitSatisfyAny proc near		; CODE XREF: KiWaitForAllObjects+27Fp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D489A SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		call	_KiWaitSatisfyOther@4 ;	KiWaitSatisfyOther(x)
		test	al, al
		jnz	short loc_4FCA75
		mov	al, [esi]
		and	al, 7Fh
		cmp	al, 2
		jz	short loc_4FCA7C

loc_4FCA75:				; CODE XREF: KiWaitSatisfyAny+15j
					; KiWaitSatisfyAny+2Aj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4FCA7C:				; CODE XREF: KiWaitSatisfyAny+1Dj
		sub	dword ptr [esi+4], 1
		jnz	short loc_4FCA75
		and	[ebp+var_4], 0
		lea	edi, [ebx+2Ch]

loc_4FCA89:				; CODE XREF: KiWaitSatisfyAny+D7E52j
		lock bts dword ptr [edi], 0
		jb	loc_5D489A
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	ecx, esi
		call	_KiWaitSatisfyMutant@12	; KiWaitSatisfyMutant(x,x,x)
		mov	dword ptr [edi], 0
		test	byte ptr [esi+1Ch], 2
		jz	short loc_4FCA75
		jmp	loc_5D48AD
KiWaitSatisfyAny endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiWaitSatisfyOther(x)
_KiWaitSatisfyOther@4 proc near		; CODE XREF: KiWaitSatisfyAny+Ep
					; KeRegisterObjectNotification+79p
		mov	dl, [ecx]
		mov	al, dl
		push	ebx
		mov	bl, 1
		and	al, 7
		cmp	al, bl
		jz	short loc_4FCAD2
		and	dl, 7Fh
		cmp	dl, 5
		jnz	short loc_4FCACE
		dec	dword ptr [ecx+4]

loc_4FCACA:				; CODE XREF: KiWaitSatisfyOther(x)+1Ej
					; KiWaitSatisfyOther(x)+24j
		mov	al, bl
		pop	ebx
		retn
; 

loc_4FCACE:				; CODE XREF: KiWaitSatisfyOther(x)+13j
		xor	bl, bl
		jmp	short loc_4FCACA
; 

loc_4FCAD2:				; CODE XREF: KiWaitSatisfyOther(x)+Bj
		and	dword ptr [ecx+4], 0
		jmp	short loc_4FCACA
_KiWaitSatisfyOther@4 endp


;  S U B	R O U T	I N E 


; __fastcall KiUnlockKobjectArray(x, x)
@KiUnlockKobjectArray@8	proc near	; CODE XREF: KiWaitForAllObjects+1D3p
					; KiWaitForAllObjects+293p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, 0FFFFFF7Fh
		mov	esi, [edi]
		lock and [esi],	ebx
		xor	eax, eax
		inc	eax
		cmp	edx, eax
		jbe	short loc_4FCB01

loc_4FCAF0:				; CODE XREF: KiUnlockKobjectArray(x,x)+27j
		mov	ecx, [edi+eax*4]
		cmp	ecx, esi
		jz	short loc_4FCAFC
		mov	esi, ecx
		lock and [esi],	ebx

loc_4FCAFC:				; CODE XREF: KiUnlockKobjectArray(x,x)+1Dj
		inc	eax
		cmp	eax, edx
		jb	short loc_4FCAF0

loc_4FCB01:				; CODE XREF: KiUnlockKobjectArray(x,x)+16j
		pop	edi
		pop	esi
		pop	ebx
		retn
@KiUnlockKobjectArray@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall FsRtlpClearOwner(x,	x)
_FsRtlpClearOwner@8 proc near		; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+248p
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4F2p ...
		test	edx, edx
		jz	short loc_4FCB25
		mov	eax, [edx+14h]
		and	dword ptr [edx+14h], 0
		and	dword ptr [edx+10h], 0

loc_4FCB15:				; CODE XREF: FsRtlpClearOwner(x,x)+2Aj
		test	eax, eax
		jz	short locret_4FCB24
		push	746C6644h
		push	eax
		call	ObDereferenceObjectDeferDeleteWithTag

locret_4FCB24:				; CODE XREF: FsRtlpClearOwner(x,x)+11j
		retn
; 

loc_4FCB25:				; CODE XREF: FsRtlpClearOwner(x,x)+2j
		mov	eax, [ecx+0Ch]
		and	dword ptr [ecx+0Ch], 0
		and	dword ptr [ecx+8], 0
		jmp	short loc_4FCB15
_FsRtlpClearOwner@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSystemThreadStartup proc near	; DATA XREF: PspAllocateThread+448o

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	0Ch
		push	offset dword_6A39E0
		call	__SEH_prolog4
		mov	ecx, large fs:0
		mov	eax, ds:_KiI386ExceptionChainTerminator
		mov	[ecx], eax
		xor	cl, cl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, large fs:124h
		mov	ecx, esi
		call	_PspDisablePrimaryTokenExchange@4 ; PspDisablePrimaryTokenExchange(x)
		mov	eax, [esi+2FCh]
		xor	eax, 1
		and	eax, 3
		cmp	al, 3
		jnz	short loc_4FCB83
		and	[ebp+ms_exc.disabled], 0
		push	[ebp+arg_4]
		call	[ebp+arg_0]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_4FCB83:				; CODE XREF: PspSystemThreadStartup+3Ej
		push	1
		push	0
		push	esi
		call	PspTerminateThreadByPointer
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
PspSystemThreadStartup endp

; 
		retn

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiZeroInParallelWorker(x)
_MiZeroInParallelWorker@4 proc near	; CODE XREF: MiZeroInParallel(x)+19Cp
					; DATA XREF: MiZeroInParallel(x)+130o

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, large fs:124h
		mov	[esp+48h+var_1C], edi
		mov	ecx, [esi+8]
		mov	[esp+48h+var_10], ecx
		mov	eax, [ecx]
		mov	[esp+48h+var_20], eax
		xor	eax, eax
		mov	[esp+48h+var_18], eax
		mov	eax, [ecx+0Ch]
		mov	[esp+48h+var_28], eax
		mov	eax, [ecx+8]
		mov	[esp+48h+var_24], eax
		or	eax, 0FFFFFFFFh
		mov	[esp+48h+var_14], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jz	short loc_4FCC12
		xor	edx, edx
		mov	ecx, edi
		call	_PsQueryThreadStartAddress@8 ; PsQueryThreadStartAddress(x,x)
		cmp	eax, offset _KiExecuteDpc@4 ; KiExecuteDpc(x)
		jz	short loc_4FCC12
		mov	eax, [esi]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4FCC18
		push	eax
		push	edi
		call	KeSetPriorityThread
		mov	[esp+48h+var_14], eax
		jmp	short loc_4FCC18
; 

loc_4FCC12:				; CODE XREF: MiZeroInParallelWorker(x)+4Cj
					; MiZeroInParallelWorker(x)+5Cj
		xor	edi, edi
		mov	[esp+48h+var_1C], edi

loc_4FCC18:				; CODE XREF: MiZeroInParallelWorker(x)+63j
					; MiZeroInParallelWorker(x)+70j
		xor	esi, esi
		xor	ecx, ecx
		and	[esp+48h+var_34], esi
		xor	ebx, ebx
		mov	[esp+48h+var_2C], esi
		mov	[esp+48h+var_3C], ecx
		cmp	[esp+48h+var_28], ecx
		jbe	loc_4FCDD9
		mov	ecx, [esp+48h+var_20]
		add	ecx, 14h
		mov	[esp+48h+var_38], ecx

loc_4FCC3F:				; CODE XREF: MiZeroInParallelWorker(x)+222j
		lea	edx, [ecx-14h]
		mov	eax, [edx]
		test	eax, eax
		jnz	loc_4FCDB6
		inc	eax
		lock xadd [edx], eax
		inc	eax
		cmp	eax, 1
		jnz	loc_4FCDB6
		test	edi, edi
		jz	short loc_4FCC86
		lea	esi, [ecx-10h]
		sub	esp, 0Ch
		lea	edi, [esp+54h+var_C]
		movsd
		movsd
		movsd
		mov	edi, esp
		lea	esi, [esp+54h+var_C]
		movsd
		movsd
		movsd
		call	_MiSetIdealProcessorThread@12 ;	MiSetIdealProcessorThread(x,x,x)
		mov	esi, [esp+48h+var_2C]
		mov	ecx, [esp+48h+var_38]
		mov	[esp+48h+var_18], eax

loc_4FCC86:				; CODE XREF: MiZeroInParallelWorker(x)+BDj
		mov	edi, [ecx]
		mov	[esp+48h+var_20], edi
		cmp	edi, ecx
		jz	loc_4FCD91

loc_4FCC94:				; CODE XREF: MiZeroInParallelWorker(x)+1E7j
		test	dword ptr [edi+18h], (offset loc_7FFFFF+1)
		push	2
		pop	edx
		jz	short loc_4FCCBF
		mov	ecx, edi
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		mov	edx, eax
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_4FCCB1
		push	2
		pop	edx

loc_4FCCB1:				; CODE XREF: MiZeroInParallelWorker(x)+10Cj
		cmp	edx, 2
		jnb	short loc_4FCCBF
		mov	ecx, ds:_MiLargePageSizes[edx*4]
		jmp	short loc_4FCCC2
; 

loc_4FCCBF:				; CODE XREF: MiZeroInParallelWorker(x)+FEj
					; MiZeroInParallelWorker(x)+114j
		xor	ecx, ecx
		inc	ecx

loc_4FCCC2:				; CODE XREF: MiZeroInParallelWorker(x)+11Dj
		mov	[esp+48h+var_30], ecx
		cmp	edx, 1
		ja	short loc_4FCCEF
		movzx	eax, byte ptr [edi+16h]
		shr	eax, 6
		cmp	eax, [esp+48h+var_24]
		jz	short loc_4FCCEF
		mov	eax, [esp+48h+var_10]
		mov	ecx, edi
		push	dword ptr [eax+4]
		push	[esp+4Ch+var_24]
		call	_MiZeroAndConvertPage@16 ; MiZeroAndConvertPage(x,x,x,x)
		jmp	loc_4FCD74
; 

loc_4FCCEF:				; CODE XREF: MiZeroInParallelWorker(x)+129j
					; MiZeroInParallelWorker(x)+136j
		test	esi, esi
		jz	short loc_4FCD16
		mov	eax, [esp+48h+var_3C]
		cmp	eax, ecx
		jnb	short loc_4FCD12
		push	ebx
		mov	edx, esi
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		mov	ecx, [esp+4Ch+var_34]
		xor	esi, esi
		mov	eax, [esp+4Ch+var_40]

loc_4FCD12:				; CODE XREF: MiZeroInParallelWorker(x)+159j
		test	esi, esi
		jnz	short loc_4FCD59

loc_4FCD16:				; CODE XREF: MiZeroInParallelWorker(x)+151j
		mov	ebx, [esp+4Ch+var_3C]
		mov	eax, 100h
		mov	ebx, [ebx-4]
		cmp	ebx, eax
		jbe	short loc_4FCD28
		mov	ebx, eax

loc_4FCD28:				; CODE XREF: MiZeroInParallelWorker(x)+184j
		cmp	ebx, ecx
		jnb	short loc_4FCD2E
		mov	ebx, ecx

loc_4FCD2E:				; CODE XREF: MiZeroInParallelWorker(x)+18Aj
		mov	edi, [esp+4Ch+var_34]

loc_4FCD32:				; CODE XREF: MiZeroInParallelWorker(x)+1A9j
		mov	ecx, ebx
		call	_MiReserveLowPrioritySystemPtes@4 ; MiReserveLowPrioritySystemPtes(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_4FCD4B
		mov	eax, edi
		shr	ebx, 1
		neg	eax
		and	ebx, eax
		cmp	ebx, edi
		jnb	short loc_4FCD32

loc_4FCD4B:				; CODE XREF: MiZeroInParallelWorker(x)+19Dj
		mov	edi, [esp+4Ch+var_24]
		mov	eax, ebx
		mov	[esp+4Ch+var_38], esi
		mov	[esp+4Ch+var_40], eax

loc_4FCD59:				; CODE XREF: MiZeroInParallelWorker(x)+174j
		mov	ecx, [esp+4Ch+var_38]
		mov	edx, eax
		push	edi
		call	_MiZeroWithSystemPtes@12 ; MiZeroWithSystemPtes(x,x,x)
		mov	ecx, [esp+4Ch+var_38]
		sub	[esp+4Ch+var_40], eax
		lea	ecx, [ecx+eax*8]
		mov	[esp+4Ch+var_38], ecx

loc_4FCD74:				; CODE XREF: MiZeroInParallelWorker(x)+14Aj
		mov	ecx, [esp+4Ch+var_3C]
		mov	edi, [edi]
		mov	eax, [esp+4Ch+var_34]
		mov	[esp+4Ch+var_24], edi
		sub	[ecx-4], eax
		cmp	edi, ecx
		jnz	loc_4FCC94
		mov	[esp+4Ch+var_30], esi

loc_4FCD91:				; CODE XREF: MiZeroInParallelWorker(x)+EEj
		mov	edi, [esp+4Ch+var_20]
		test	edi, edi
		jz	short loc_4FCDB6
		mov	eax, [esp+4Ch+var_1C]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4FCDB6
		mov	ecx, large fs:124h
		mov	edx, eax
		push	0
		call	KeSetIdealProcessorThreadEx
		mov	ecx, [esp+4Ch+var_3C]

loc_4FCDB6:				; CODE XREF: MiZeroInParallelWorker(x)+A6j
					; MiZeroInParallelWorker(x)+B5j ...
		add	ecx, 1Ch
		sub	[esp+4Ch+var_2C], 1
		mov	[esp+4Ch+var_3C], ecx
		jnz	loc_4FCC3F
		test	esi, esi
		jz	short loc_4FCDD9
		push	ebx
		mov	edx, esi
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_4FCDD9:				; CODE XREF: MiZeroInParallelWorker(x)+8Ej
					; MiZeroInParallelWorker(x)+22Aj
		mov	ecx, [ebp+arg_0]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+4], eax
		jnz	short loc_4FCDF1
		xor	edx, edx
		add	ecx, 0Ch
		inc	edx
		call	KeSignalGate

loc_4FCDF1:				; CODE XREF: MiZeroInParallelWorker(x)+244j
		mov	eax, [esp+50h+var_1C]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4FCE01
		push	eax
		push	edi
		call	KeSetPriorityThread

loc_4FCE01:				; CODE XREF: MiZeroInParallelWorker(x)+258j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiZeroInParallelWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetIdealProcessorThread(x, x, x)
_MiSetIdealProcessorThread@12 proc near	; CODE XREF: .text:0046F522p
					; MiZeroInParallelWorker(x)+D5p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_20], 0
		xor	eax, eax
		push	esi
		push	edi
		lea	esi, [ebp+arg_0]
		lea	edi, [ebp+var_10]
		movsd
		movsd
		movsd
		cmp	[ebp+var_10], 0
		lea	edi, [ebp+var_1C]
		stosd
		stosd
		stosd
		jz	loc_4FCEC7
		mov	esi, large fs:124h
		cmp	dword ptr [esi+150h], offset _KiInitialProcess
		jz	short loc_4FCEBD
		movsx	eax, byte ptr [esi+87h]

loc_4FCE57:				; CODE XREF: MiSetIdealProcessorThread(x,x,x)+B6j
		cmp	eax, 10h
		jge	short loc_4FCEB8
		push	10h
		push	esi
		call	KeSetPriorityThread
		mov	edi, eax

loc_4FCE66:				; CODE XREF: MiSetIdealProcessorThread(x,x,x)+B1j
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	KeSetSystemGroupAffinityThread
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_4FCEC2
		bsf	edx, eax

loc_4FCE86:				; CODE XREF: MiSetIdealProcessorThread(x,x,x)+BBj
		push	ebx
		lea	eax, [ebp+var_20]
		mov	ecx, esi
		push	eax
		call	KeSetIdealProcessorThreadEx
		mov	ebx, eax
		cmp	edi, 0FFFFFFFFh
		jz	short loc_4FCEA0
		push	edi
		push	esi
		call	KeSetPriorityThread

loc_4FCEA0:				; CODE XREF: MiSetIdealProcessorThread(x,x,x)+8Dj
		test	ebx, ebx
		pop	ebx
		js	short loc_4FCEC7
		mov	eax, [ebp+var_20]

loc_4FCEA8:				; CODE XREF: MiSetIdealProcessorThread(x,x,x)+C0j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_4FCEB8:				; CODE XREF: MiSetIdealProcessorThread(x,x,x)+50j
		or	edi, 0FFFFFFFFh
		jmp	short loc_4FCE66
; 

loc_4FCEBD:				; CODE XREF: MiSetIdealProcessorThread(x,x,x)+44j
		xor	eax, eax
		inc	eax
		jmp	short loc_4FCE57
; 

loc_4FCEC2:				; CODE XREF: MiSetIdealProcessorThread(x,x,x)+77j
		or	edx, 0FFFFFFFFh
		jmp	short loc_4FCE86
; 

loc_4FCEC7:				; CODE XREF: MiSetIdealProcessorThread(x,x,x)+2Dj
					; MiSetIdealProcessorThread(x,x,x)+99j
		or	eax, 0FFFFFFFFh
		jmp	short loc_4FCEA8
_MiSetIdealProcessorThread@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSetIdealProcessorThreadEx proc near	; CODE XREF: MiZeroInParallelWorker(x)+20Dp
					; MiSetIdealProcessorThread(x,x,x)+83p	...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D48FB SIZE 00000087 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_10], 0
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], 0C0000001h
		mov	esi, ecx
		mov	eax, ds:_KiProcessorBlock[edi*4]
		mov	[ebp+var_8], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_1C], 0
		lea	ebx, [esi+2Ch]
		mov	[ebp+var_1], al

loc_4FCF04:				; CODE XREF: KeSetIdealProcessorThreadEx+D7A3Dj
		lock bts dword ptr [ebx], 0
		jb	loc_5D48FB
		mov	eax, large fs:124h
		mov	ebx, [esi+16Ch]
		mov	ecx, [esi+88h]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ecx
		cmp	esi, eax
		jnz	loc_5D490E

loc_4FCF2F:				; CODE XREF: KeSetIdealProcessorThreadEx+D7A46j
		mov	ecx, [ebp+var_8]
		lea	edx, [esi+164h]
		mov	[ebp+var_18], ebx
		call	_KiPrcbInGroupAffinity@8 ; KiPrcbInGroupAffinity(x,x)
		test	eax, eax
		jz	loc_5D4940
		lea	eax, [ebp+var_14]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_10]
		call	KiAcquireThreadStateLock
		test	byte ptr [esi+58h], 8
		mov	[esi+16Ch], edi
		jnz	short loc_4FCF68
		mov	[esi+88h], edi

loc_4FCF68:				; CODE XREF: KeSetIdealProcessorThreadEx+94j
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_KiUpdateSharedReadyQueueAffinityThread@8 ; KiUpdateSharedReadyQueueAffinityThread(x,x)
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_4FCF83
		xor	ecx, ecx
		add	eax, 2224h
		lock and [eax],	ecx

loc_4FCF83:				; CODE XREF: KeSetIdealProcessorThreadEx+ABj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_4FCFD0

loc_4FCF8A:				; CODE XREF: KeSetIdealProcessorThreadEx+109j
		mov	ebx, [esi+16Ch]
		xor	edi, edi

loc_4FCF92:				; CODE XREF: KeSetIdealProcessorThreadEx+D7A6Fj
					; KeSetIdealProcessorThreadEx+D7A79j
		mov	eax, [esi+88h]
		mov	dword ptr [esi+2Ch], 0
		test	ds:dword_70EFD0, 8000000h
		mov	[ebp+var_C], eax
		jnz	loc_5D494A

loc_4FCFB2:				; CODE XREF: KeSetIdealProcessorThreadEx+D7A9Bj
					; KeSetIdealProcessorThreadEx+D7AB1j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_4FCFC7
		mov	edx, [ebp+var_18]
		mov	[ecx], edx

loc_4FCFC7:				; CODE XREF: KeSetIdealProcessorThreadEx+F4j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4FCFD0:				; CODE XREF: KeSetIdealProcessorThreadEx+BCj
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	short loc_4FCF8A
KeSetIdealProcessorThreadEx endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSignalGate	proc near		; CODE XREF: MiReturnWsToExpansionList+3Cj
					; KiRetireDpcList+6DEp	...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D4982 SIZE 000000F1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	edi
		mov	[ebp+var_18], edx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_14], al
		mov	ecx, edi
		mov	eax, large fs:20h
		mov	[ebp+var_4], eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	dword ptr [edi+4], 0
		mov	ecx, 0FFFFFF7Fh
		jnz	short loc_4FD068
		lea	eax, [edi+8]
		mov	dword ptr [edi+4], 1
		push	ebx
		mov	ebx, [eax]
		cmp	ebx, eax
		jz	short loc_4FD067
		push	esi

loc_4FD01C:				; CODE XREF: KeSignalGate+ADj
		mov	eax, [ebx]
		mov	esi, ebx
		mov	ebx, eax
		mov	[ebp+var_10], ebx
		mov	ecx, [esi+4]
		cmp	[eax+4], esi
		jz	short loc_4FD032

loc_4FD02D:				; CODE XREF: KeSignalGate+5Cj
					; KeSignalGate+D7A42j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4FD032:				; CODE XREF: KeSignalGate+53j
		cmp	[ecx], esi
		jnz	short loc_4FD02D
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	al, [esi+8]
		cmp	al, 1
		jnz	loc_5D4982
		movzx	eax, word ptr [esi+0Ah]
		mov	edx, esi
		mov	ecx, [ebp+var_4]
		push	0
		push	eax
		call	KiTryUnwaitThread
		mov	ecx, 0FFFFFF7Fh
		test	al, al
		jz	short loc_4FD080
		sub	dword ptr [edi+4], 1
		jnz	short loc_4FD080

loc_4FD066:				; CODE XREF: KeSignalGate+AFj
					; KeSignalGate+D7A72j
		pop	esi

loc_4FD067:				; CODE XREF: KeSignalGate+41j
		pop	ebx

loc_4FD068:				; CODE XREF: KeSignalGate+30j
		lock and [edi],	ecx
		push	[ebp+var_14]
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		push	[ebp+var_18]
		push	1
		call	KiExitDispatcher
		pop	edi
		leave
		retn
; 

loc_4FD080:				; CODE XREF: KeSignalGate+86j
					; KeSignalGate+8Cj ...
		lea	eax, [edi+8]
		cmp	ebx, eax
		jnz	short loc_4FD01C
		jmp	short loc_4FD066
KeSignalGate	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStWorkerThread	proc near
					; DATA XREF: SMKM_STORE_SM_TRAITS___SmStStart+2FBo

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	8
		push	offset dword_6A3A00
		call	__SEH_prolog4
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx]
		mov	[ebp+arg_0], eax
		and	[ebp+ms_exc.disabled], 0
		call	SMKM_STORE_SM_TRAITS___SmStWorker

loc_4FD0A7:				; CODE XREF: sub_5D4A81+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
SMKM_STORE_SM_TRAITS___SmStWorkerThread	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStReadThread proc near
					; DATA XREF: SMKM_STORE_SM_TRAITS___SmStStart+2DBo

var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D4A89 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		push	0Ch
		push	eax
		mov	esi, [edi]
		mov	[esp+30h+var_10], esi
		lea	ebx, [esi+1224h]
		call	KeSetActualBasePriorityThread
		mov	ecx, esi
		call	ST_STORE_SM_TRAITS___StAcquireReadContext
		mov	[esp+28h+var_C], eax
		neg	eax
		sbb	esi, esi
		and	esi, 3FFFFF66h
		add	esi, 0C000009Ah
		push	0
		push	0
		lea	eax, [edi+4]
		mov	[edi+14h], esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		test	esi, esi
		js	loc_4FD20E
		lea	eax, [ebx+14h]
		mov	[esp+28h+var_8], eax
		lea	eax, [ebx+4]
		mov	[esp+28h+var_4], eax

loc_4FD12C:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+F0j
		xor	esi, esi

loc_4FD12E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+148j
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	1
		lea	eax, [esp+40h+var_8]
		push	eax
		push	2
		call	KeWaitForMultipleObjects
		sub	eax, esi
		jnz	loc_4FD205
		push	[esp+28h+var_8]
		call	_KeResetEvent@4	; KeResetEvent(x)
		lea	edi, [ebx+24h]

loc_4FD155:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+138j
		lea	esi, [ebx+2Ch]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[esp+28h+var_15], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [edi+4]
		cmp	edx, edi
		jz	loc_4FD1FD
		mov	esi, [edi]
		mov	[esp+28h+var_14], esi
		mov	eax, [esi]
		and	eax, 0FFFFFFF8h
		mov	[edi], eax
		cmp	esi, edx
		jnz	loc_4FD22A
		and	dword ptr [edi], 0
		mov	[edi+4], edi

loc_4FD18F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+143j
					; SMKM_STORE_SM_TRAITS___SmStReadThread+17Cj
		test	ds:byte_70EFC6,	1
		jnz	loc_5D4A89
		xor	ecx, ecx
		lea	eax, [ebx+2Ch]
		lock and [eax],	ecx

loc_4FD1A4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+D79D4j
		mov	cl, [esp+28h+var_15]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	loc_4FD12C
		push	1
		push	0
		push	ebx
		push	3
		pop	edx
		mov	ecx, offset unk_718604
		call	SmFpAllocate
		push	[esp+28h+var_C]
		mov	edx, [esp+2Ch+var_14]
		mov	esi, eax
		mov	ecx, [esp+2Ch+var_10]
		call	SMKM_STORE_SM_TRAITS___SmStDirectReadIssue
		mov	edx, [esp+28h+var_14]
		mov	ecx, [esp+28h+var_10]
		push	eax
		call	SMKM_STORE_SM_TRAITS___SmStDirectReadComplete
		push	esi
		push	ebx
		push	3
		pop	edx
		mov	ecx, offset unk_718604
		call	SmFpFree
		jmp	loc_4FD155
; 

loc_4FD1FD:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+AEj
		xor	esi, esi
		mov	[esp+28h+var_14], esi
		jmp	short loc_4FD18F
; 

loc_4FD205:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+83j
		sub	eax, 1
		jnz	loc_4FD12E

loc_4FD20E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+58j
		mov	eax, [esp+28h+var_C]
		test	eax, eax
		jz	short loc_4FD221
		mov	ecx, [esp+28h+var_10]
		mov	edx, eax
		call	?StReleaseReadContext@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@PAX@Z ; ST_STORE<SM_TRAITS>::StReleaseReadContext(ST_STORE<SM_TRAITS> *,void *)

loc_4FD221:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+154j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_4FD22A:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+C3j
		mov	ecx, [edx]
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		dec	eax
		shl	eax, 3
		or	ecx, eax
		mov	[edx], ecx
		jmp	loc_4FD18F
SMKM_STORE_SM_TRAITS___SmStReadThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StAcquireReadContext proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+2Dp
					; SMKM_STORE_SM_TRAITS___SmStDirectRead+61p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D4A99 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], esi
		lea	ecx, [esi+9A0h]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_4FD266

loc_4FD260:				; CODE XREF: ST_STORE_SM_TRAITS___StAcquireReadContext+CFj
					; ST_STORE_SM_TRAITS___StAcquireReadContext+D7859j
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_4FD266:				; CODE XREF: ST_STORE_SM_TRAITS___StAcquireReadContext+1Cj
		test	dword ptr [esi+1E4h], 40000h
		mov	ecx, [esi+994h]
		lea	eax, [ecx+0E8h]
		jz	short loc_4FD284
		lea	eax, [ecx+10E8h]

loc_4FD284:				; CODE XREF: ST_STORE_SM_TRAITS___StAcquireReadContext+3Aj
		push	74536D73h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5D4A99
		push	edi
		xor	eax, eax
		mov	edi, ebx
		push	8
		pop	ecx
		rep stosd
		lea	eax, [ebx+2Fh]
		and	eax, 0FFFFFFF0h
		cmp	dword ptr [esi+994h], 0
		jnz	loc_5D4AA0

loc_4FD2BB:				; CODE XREF: ST_STORE_SM_TRAITS___StAcquireReadContext+D7867j
		lea	esi, [eax+3]
		xor	edx, edx
		and	esi, 0FFFFFFFCh
		mov	ecx, esi
		mov	[ebx+8], esi
		lea	edi, [esi+5Bh]
		and	edi, 0FFFFFFFCh
		mov	[ebx+0Ch], edi
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		and	[esi+0Ch], edx
		lea	eax, [esi+18h]
		mov	ecx, edi
		mov	[esi], eax
		mov	dword ptr [esi+10h], 8
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		and	[edi+0Ch], edx
		lea	eax, [edi+18h]
		mov	[edi], eax
		mov	eax, [ebp+var_4]
		mov	dword ptr [edi+10h], 8
		test	dword ptr [eax+1E4h], 40000h
		jz	short loc_4FD310
		lea	ecx, [edi+58h]
		mov	[ebx+14h], ecx

loc_4FD310:				; CODE XREF: ST_STORE_SM_TRAITS___StAcquireReadContext+C6j
		pop	edi
		jmp	loc_4FD260
ST_STORE_SM_TRAITS___StAcquireReadContext endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReplenishLocalCommit proc near	; CODE XREF: MiChargeCommit+1FCp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D4AAE SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	edx, [ebp+arg_0]
		mov	eax, edx
		mov	ecx, [ebp+arg_4]
		add	ecx, edx
		mov	[ebp+arg_0], ecx
		lea	ebx, [edi+10BCh]
		mov	esi, ecx
		lock cmpxchg [ebx], esi
		mov	ebx, [ebp+arg_4]
		cmp	eax, edx
		jnz	short loc_4FD38A
		mov	eax, [edi+0D94h]
		cmp	ecx, eax
		jnb	loc_5D4AAE

loc_4FD352:				; CODE XREF: MiReplenishLocalCommit+D779Aj
		mov	eax, [edi+0D90h]
		cmp	ecx, eax
		jnb	short loc_4FD399

loc_4FD35C:				; CODE XREF: MiReplenishLocalCommit+85j
					; MiReplenishLocalCommit+D77ACj
		cmp	ecx, [edi+0D80h]
		ja	short loc_4FD391

loc_4FD364:				; CODE XREF: MiReplenishLocalCommit+81j
		mov	esi, [ebp+var_4]
		add	esi, 3D2Ch
		mov	edx, [esi]
		lea	eax, [edx+ebx]

loc_4FD372:				; CODE XREF: MiReplenishLocalCommit+90j
		cmp	eax, 200h
		ja	loc_5D4AC7
		lea	ecx, [edx+ebx]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_4FD3A2

loc_4FD38A:				; CODE XREF: MiReplenishLocalCommit+2Cj
					; MiReplenishLocalCommit+D77D9j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4FD391:				; CODE XREF: MiReplenishLocalCommit+4Cj
		mov	[edi+0D80h], ecx
		jmp	short loc_4FD364
; 

loc_4FD399:				; CODE XREF: MiReplenishLocalCommit+44j
		cmp	edx, eax
		jnb	short loc_4FD35C
		jmp	loc_5D4AB6
; 

loc_4FD3A2:				; CODE XREF: MiReplenishLocalCommit+72j
		mov	edx, eax
		add	eax, ebx
		jmp	short loc_4FD372
MiReplenishLocalCommit endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 209. CcIsCacheManagerCallbackNeeded

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcIsCacheManagerCallbackNeeded(x)
		public _CcIsCacheManagerCallbackNeeded@4
_CcIsCacheManagerCallbackNeeded@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_4FD3BF

loc_4FD3B9:				; CODE XREF: CcIsCacheManagerCallbackNeeded(x)+18j
		xor	al, al

loc_4FD3BB:				; CODE XREF: CcIsCacheManagerCallbackNeeded(x)+1Cj
		pop	ebp
		retn	4
; 

loc_4FD3BF:				; CODE XREF: CcIsCacheManagerCallbackNeeded(x)+9j
		cmp	[ebp+arg_0], 0C000A008h
		jnz	short loc_4FD3B9
		mov	al, 1
		jmp	short loc_4FD3BB
_CcIsCacheManagerCallbackNeeded@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiVaIsPageFileHash(x, x)
_MiVaIsPageFileHash@8 proc near		; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+2DBp
					; MiLockStealSystemVm(x,x,x,x)+FDp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, dword_6D5D8C
		xor	ecx, ecx
		mov	ebx, edx
		test	edi, edi
		jz	short loc_4FD3F9

loc_4FD3DF:				; CODE XREF: MiVaIsPageFileHash(x,x)+2Bj
		mov	esi, dword_6D5D94[ecx*4]
		mov	edx, [esi+80h]
		test	edx, edx
		jz	short loc_4FD3F4
		cmp	ebx, edx
		jnb	short loc_4FD3FF

loc_4FD3F4:				; CODE XREF: MiVaIsPageFileHash(x,x)+22j
					; MiVaIsPageFileHash(x,x)+3Bj
		inc	ecx
		cmp	ecx, edi
		jb	short loc_4FD3DF

loc_4FD3F9:				; CODE XREF: MiVaIsPageFileHash(x,x)+11j
		xor	eax, eax

loc_4FD3FB:				; CODE XREF: MiVaIsPageFileHash(x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4FD3FF:				; CODE XREF: MiVaIsPageFileHash(x,x)+26j
		mov	eax, [esi+4]
		lea	eax, [edx+eax*4]
		cmp	ebx, eax
		jnb	short loc_4FD3F4
		mov	eax, esi
		jmp	short loc_4FD3FB
_MiVaIsPageFileHash@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1295. KeSetKernelStackSwapEnable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetKernelStackSwapEnable(x)
		public _KeSetKernelStackSwapEnable@4
_KeSetKernelStackSwapEnable@4 proc near	; CODE XREF: ExpWorkerThread+272p
					; ExpWorkerThread+2F3p	...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		mov	cl, [ebp+arg_0]
		add	eax, 5Ch
		mov	edx, [eax]
		shr	edx, 6
		and	dl, 1
		cmp	cl, dl
		jz	short loc_4FD438
		test	cl, cl
		jnz	short loc_4FD43E
		lock btr dword ptr [eax], 6

loc_4FD438:				; CODE XREF: KeSetKernelStackSwapEnable(x)+1Bj
					; KeSetKernelStackSwapEnable(x)+31j
		mov	al, dl
		pop	ebp
		retn	4
; 

loc_4FD43E:				; CODE XREF: KeSetKernelStackSwapEnable(x)+1Fj
		lock bts dword ptr [eax], 6
		jmp	short loc_4FD438
_KeSetKernelStackSwapEnable@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ObpSafeInterlockedAddNoFence(x, x)
_ObpSafeInterlockedAddNoFence@8	proc near ; CODE XREF: PspThreadFromTicket(x,x)+D7p
					; PspReferenceCidTableEntry+BBp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, [ecx]
		test	edi, edi
		jz	short loc_4FD468

loc_4FD450:				; CODE XREF: ObpSafeInterlockedAddNoFence(x,x)+20j
		lea	esi, [edi+edx]
		mov	eax, edi
		lock cmpxchg [ecx], esi
		cmp	eax, edi
		jnz	short loc_4FD462
		mov	al, 1

loc_4FD45F:				; CODE XREF: ObpSafeInterlockedAddNoFence(x,x)+24j
		pop	edi
		pop	esi
		retn
; 

loc_4FD462:				; CODE XREF: ObpSafeInterlockedAddNoFence(x,x)+15j
		mov	edi, eax
		test	eax, eax
		jnz	short loc_4FD450

loc_4FD468:				; CODE XREF: ObpSafeInterlockedAddNoFence(x,x)+8j
		xor	al, al
		jmp	short loc_4FD45F
_ObpSafeInterlockedAddNoFence@8	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1805. PsGetProcessPeb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessPeb(x)
		public _PsGetProcessPeb@4
_PsGetProcessPeb@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+17Ch]
		pop	ebp
		retn	4
_PsGetProcessPeb@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SiValidateSystemPartition proc near	; CODE XREF: SiGetBootDeviceName+103p

var_CC		= dword	ptr -0CCh
var_AB		= byte ptr -0ABh
var_3C		= dword	ptr -3Ch
var_32		= byte ptr -32h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005D4B0B SIZE 00000078 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	90h		; size_t
		lea	eax, [ebp+var_CC]
		mov	edi, edx
		push	0		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		and	[ebp+var_C], 0
		lea	edx, [ebp+var_CC]
		add	esp, 0Ch
		mov	ecx, ebx
		call	_SiGetDiskPartitionInformation@8 ; SiGetDiskPartitionInformation(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_4FD502
		mov	eax, [ebp+var_CC]
		test	edi, edi
		jnz	loc_5D4B0B

loc_4FD4DB:				; CODE XREF: SiValidateSystemPartition+D7689j
		mov	esi, 0C0000001h
		cmp	eax, 1
		jz	loc_5D4B1D
		test	eax, eax
		jnz	short loc_4FD502
		cmp	[ebp+var_AB], al
		jz	short loc_4FD502

loc_4FD4F5:				; CODE XREF: SiValidateSystemPartition+D76B7j
		xor	edx, edx
		mov	esi, edx
		cmp	[ebp+arg_8], dl
		jnz	loc_5D4B40

loc_4FD502:				; CODE XREF: SiValidateSystemPartition+47j
					; SiValidateSystemPartition+67j ...
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
SiValidateSystemPartition endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeCaptureAtomTableCallout()
_SeCaptureAtomTableCallout@0 proc near	; CODE XREF: PsConvertToGuiThread:loc_7C8AA3p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	ecx, large fs:124h
		lea	eax, [ebp+var_C]
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	edx, [ebp+var_10]
		push	ebx
		push	eax
		lea	eax, [ebp-1]
		mov	[ebp+var_1], bl
		push	eax
		mov	[ebp+var_8], ebx
		call	PsReferenceEffectiveToken
		mov	esi, eax
		test	dword ptr [esi+0B0h], 4000h
		jnz	short loc_4FD559

loc_4FD54E:				; CODE XREF: SeCaptureAtomTableCallout()+4Cj
					; SeCaptureAtomTableCallout()+6Cj ...
		mov	ecx, esi
		call	ObfDereferenceObject
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4FD559:				; CODE XREF: SeCaptureAtomTableCallout()+36j
		mov	ecx, [esi+274h]
		cmp	[ecx+18h], ebx
		jnz	short loc_4FD54E
		mov	ecx, large fs:124h
		mov	eax, [ecx+80h]
		mov	eax, [eax+158h]
		test	eax, eax
		jz	short loc_4FD584
		test	byte ptr [eax+0CCh], 20h
		jnz	short loc_4FD54E

loc_4FD584:				; CODE XREF: SeCaptureAtomTableCallout()+63j
		push	ebx
		push	ebx
		lea	eax, [ebp+var_8]
		push	eax
		push	2
		call	PsInvokeWin32Callout
		mov	edx, [ebp+var_8]
		test	edx, edx
		jz	short loc_4FD54E
		mov	ecx, [esi+274h]
		xor	eax, eax
		add	ecx, 18h
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	short loc_4FD54E
		mov	eax, [ebp+var_8]
		lock inc dword ptr [eax+4]
		jmp	short loc_4FD54E
_SeCaptureAtomTableCallout@0 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1804. PsGetProcessJob

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessJob(x)
		public _PsGetProcessJob@4
_PsGetProcessJob@4 proc	near		; CODE XREF: AlpcpDispatchNewMessage(x)+12Ap
					; AlpcpDispatchConnectionRequest+14B19Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+158h]
		pop	ebp
		retn	4
_PsGetProcessJob@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1791. PsGetJobUIRestrictionsClass

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetJobUIRestrictionsClass(x)
		public _PsGetJobUIRestrictionsClass@4
_PsGetJobUIRestrictionsClass@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0CCh]
		pop	ebp
		retn	4
_PsGetJobUIRestrictionsClass@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExpApplyPrewaitBoost(x)
_ExpApplyPrewaitBoost@4	proc near	; CODE XREF: ExpAcquireSharedStarveExclusive+372p
					; ExAcquireResourceExclusiveLite+227p ...
		mov	edi, edi
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ecx, ebx
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 1
		jle	short loc_4FD609
		test	byte ptr [edi+0Eh], 4
		jnz	short loc_4FD609
		push	4
		pop	esi

loc_4FD609:				; CODE XREF: ExpApplyPrewaitBoost(x)+1Aj
					; ExpApplyPrewaitBoost(x)+20j
		test	byte ptr [edi+0Eh], 2
		jnz	short loc_4FD612
		or	esi, 2

loc_4FD612:				; CODE XREF: ExpApplyPrewaitBoost(x)+29j
		movsx	ecx, byte ptr [ebx+87h]
		movzx	eax, byte ptr [edi+0Fh]
		cmp	ecx, eax
		jle	short loc_4FD627
		or	esi, 0FF00h

loc_4FD627:				; CODE XREF: ExpApplyPrewaitBoost(x)+3Bj
		test	esi, esi
		jz	short loc_4FD635
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	ExpApplyPriorityBoost

loc_4FD635:				; CODE XREF: ExpApplyPrewaitBoost(x)+45j
		pop	edi
		pop	esi
		pop	ebx
		retn
_ExpApplyPrewaitBoost@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeleteNonPagedPoolTail proc near	; DATA XREF: MiClearNonPagedPtes+A2o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D4B83 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax+48h]
		xor	edi, edi
		mov	ecx, [esi+0B4h]
		test	ecx, ecx
		jnz	short loc_4FD6AF

loc_4FD654:				; CODE XREF: MiDeleteNonPagedPoolTail+86j
		mov	ecx, esi
		call	MiFlushTbList
		cmp	[esi+0A8h], edi
		jnz	short loc_4FD66C

loc_4FD663:				; CODE XREF: MiDeleteNonPagedPoolTail+73j
					; MiDeleteNonPagedPoolTail+8Ej
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4FD66C:				; CODE XREF: MiDeleteNonPagedPoolTail+27j
		mov	eax, [esi+0B0h]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_4FD6C2
		imul	ebx, eax, 1Ch
		mov	[ebp+arg_0], edi
		add	ebx, ds:_MmPfnDatabase
		lea	edi, [ebx+10h]

loc_4FD686:				; CODE XREF: MiDeleteNonPagedPoolTail+D7557j
		lock bts dword ptr [edi], 1Fh
		jb	loc_5D4B83
		mov	edx, [esi+0A8h]
		mov	ecx, ebx
		call	MiReduceShareCount
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		and	dword ptr [esi+0A8h], 0
		jmp	short loc_4FD663
; 

loc_4FD6AF:				; CODE XREF: MiDeleteNonPagedPoolTail+18j
		mov	edx, [esi+0B8h]
		call	MiReplicatePteChange
		mov	[esi+0B4h], edi
		jmp	short loc_4FD654
; 

loc_4FD6C2:				; CODE XREF: MiDeleteNonPagedPoolTail+3Bj
		mov	[esi+0A8h], edi
		jmp	short loc_4FD663
MiDeleteNonPagedPoolTail endp


;  S U B	R O U T	I N E 


MiReduceShareCount proc	near		; CODE XREF: .text:004736AFp
					; MiDeleteNonPagedPoolTail+5Fp

; FUNCTION CHUNK AT 005D4B96 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebx
		mov	bl, [ecx+16h]
		mov	al, bl
		and	al, 7
		cmp	al, 6
		jnz	loc_5D4B96
		neg	edx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		pop	ebx
		test	eax, eax
		jz	short loc_4FD6EC
		push	2
		pop	eax
		retn
; 

loc_4FD6EC:				; CODE XREF: MiReduceShareCount+1Cj
		xor	edx, edx
		jmp	_MiPfnShareCountIsZero@8 ; MiPfnShareCountIsZero(x,x)
MiReduceShareCount endp

; 
		align 8
; Exported entry 1817. PsGetProcessWin32Process

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessWin32Process(x)
		public _PsGetProcessWin32Process@4
_PsGetProcessWin32Process@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+154h]
		pop	ebp
		retn	4
_PsGetProcessWin32Process@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExAllocatePoolEx(x,	x, x, x)
_ExAllocatePoolEx@16 proc near		; CODE XREF: VerifierExAllocatePoolEx(x,x,x,x)+2Aj
					; DATA XREF: ExInitializeLookasideListExInternal+DEo ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:20h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	[ebp+arg_8]
		call	ExpAllocatePoolWithTagFromNode
		pop	ebp
		retn	10h
_ExAllocatePoolEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCheckThreadHistory(x)
_ExpCheckThreadHistory@4 proc near	; CODE XREF: ExpWorkerFactoryCheckCreate+E8p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_1C], ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ecx+68h]
		and	al, 7
		cmp	al, 4
		jz	short loc_4FD795
		mov	edi, large fs:124h
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	dh, al
		mov	bl, al

loc_4FD776:				; CODE XREF: ExpCheckThreadHistory(x)+4Dj
		movsx	eax, bl
		mov	ecx, [ecx+eax*4+20h]
		test	ecx, ecx
		jnz	short loc_4FD7A6

loc_4FD781:				; CODE XREF: ExpCheckThreadHistory(x)+6Cj
					; ExpCheckThreadHistory(x)+75j	...
		mov	ecx, [ebp+var_1C]
		inc	bl
		cmp	bl, 4
		jl	short loc_4FD776
		movsx	edi, dh
		lea	eax, [edi-3]
		test	eax, eax
		jns	short loc_4FD7F6

loc_4FD795:				; CODE XREF: ExpCheckThreadHistory(x)+28j
					; ExpCheckThreadHistory(x)+10Fj
		xor	al, al

loc_4FD797:				; CODE XREF: ExpCheckThreadHistory(x)+120j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4FD7A6:				; CODE XREF: ExpCheckThreadHistory(x)+43j
		cmp	ecx, edi
		jz	short loc_4FD781
		cmp	byte ptr [ecx+90h], 5
		jnz	short loc_4FD781
		mov	dl, [ecx+54h]
		and	dl, 7
		cmp	dl, 1
		jnz	loc_4FD861

loc_4FD7C2:				; CODE XREF: ExpCheckThreadHistory(x)+128j
		cmp	byte ptr [ecx+16Bh], 1
		jnz	short loc_4FD781
		mov	eax, [ebp+var_1C]
		mov	esi, [ecx+0F0h]
		mov	eax, [eax+4]
		cmp	esi, [eax+4]
		jz	short loc_4FD781
		lea	eax, [ecx+1C4h]
		cmp	dl, 4
		jz	short loc_4FD85A
		cmp	esi, eax
		jz	short loc_4FD85A
		movsx	eax, dh
		inc	dh
		mov	[ebp+eax*4+var_14], esi
		jmp	short loc_4FD781
; 

loc_4FD7F6:				; CODE XREF: ExpCheckThreadHistory(x)+57j
		mov	bl, 1

loc_4FD7F8:				; CODE XREF: ExpCheckThreadHistory(x)+115j
		movsx	esi, bl
		mov	eax, edi
		sub	eax, esi
		mov	bh, 1
		mov	cl, bl
		cmp	eax, 2
		jl	short loc_4FD841
		mov	eax, [ebp+var_20]
		movsx	eax, al
		mov	edx, [ebp+eax*4+var_14]
		mov	eax, esi
		mov	[ebp+var_24], edx

loc_4FD817:				; CODE XREF: ExpCheckThreadHistory(x)+103j
		cmp	edx, [ebp+eax*4+var_14]
		jz	short loc_4FD853

loc_4FD81D:				; CODE XREF: ExpCheckThreadHistory(x)+11Cj
		inc	cl
		mov	edx, edi
		movsx	eax, cl
		sub	edx, eax
		mov	[ebp+var_15], cl
		mov	[ebp+var_1C], eax
		push	3
		movsx	eax, bh
		pop	ecx
		sub	ecx, eax
		mov	eax, [ebp+var_1C]
		cmp	ecx, edx
		mov	cl, [ebp+var_15]
		mov	edx, [ebp+var_24]
		jle	short loc_4FD817

loc_4FD841:				; CODE XREF: ExpCheckThreadHistory(x)+CAj
		inc	byte ptr [ebp+var_20]
		lea	eax, [edi-3]
		inc	bl
		cmp	esi, eax
		jg	loc_4FD795
		jmp	short loc_4FD7F8
; 

loc_4FD853:				; CODE XREF: ExpCheckThreadHistory(x)+DFj
		inc	bh
		cmp	bh, 3
		jl	short loc_4FD81D

loc_4FD85A:				; CODE XREF: ExpCheckThreadHistory(x)+A9j
					; ExpCheckThreadHistory(x)+ADj
		mov	al, 1
		jmp	loc_4FD797
; 

loc_4FD861:				; CODE XREF: ExpCheckThreadHistory(x)+80j
		cmp	dl, 4
		jz	loc_4FD7C2
		jmp	loc_4FD781
_ExpCheckThreadHistory@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


SeIsSModeAdminlessEnabled proc near	; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+D4Cp
					; NtQueryInformationToken(x,x,x,x,x)+192Ep ...
		mov	edi, edi
		push	ecx
		call	_SepIsAdminlessEnforcementModeEnabled@0	; SepIsAdminlessEnforcementModeEnabled()
		cmp	al, 1
		jz	loc_5D4BC2

loc_4FD880:				; CODE XREF: MiReduceShareCount+D74FFj
		xor	al, al
		pop	ecx
		retn
SeIsSModeAdminlessEnabled endp


;  S U B	R O U T	I N E 


; __stdcall SepIsAdminlessEnforcementModeEnabled()
_SepIsAdminlessEnforcementModeEnabled@0	proc near ; CODE XREF: SeIsSModeAdminlessEnabled+3p
					; SeSecurityModelQueryInformation(x,x,x)+27p
		mov	edi, edi
		push	ecx
		cmp	_SeAdminlessEnforcementModeEnabled, 0
		jnz	short loc_4FD899
		call	_Feature_SModeAdminless__private_ReportDeviceUsage@0 ; Feature_SModeAdminless__private_ReportDeviceUsage()
		xor	al, al
		pop	ecx
		retn
; 

loc_4FD899:				; CODE XREF: SepIsAdminlessEnforcementModeEnabled()+Aj
		mov	al, 1
		pop	ecx
		retn
_SepIsAdminlessEnforcementModeEnabled@0	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1983. RtlCompareAltitudes

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlCompareAltitudes
RtlCompareAltitudes proc near		; CODE XREF: CmpInsertCallbackInListByAltitude+98p
					; ObpInsertCallbackByAltitude+A9BEDp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D4BD1 SIZE 000000CD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	ax, [edx]
		xor	esi, esi
		mov	edx, [edx+4]
		shr	ax, 1
		push	edi
		movzx	edi, ax
		mov	ax, [ecx]
		shr	ax, 1
		movzx	ebx, ax
		mov	eax, [ecx+4]
		mov	ecx, esi
		mov	[ebp+arg_0], eax
		xor	eax, eax
		mov	[ebp+var_4], edi
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_8], edx
		cmp	ax, di
		jnb	short loc_4FD8F7
		push	2Eh
		pop	ebx

loc_4FD8E5:				; CODE XREF: RtlCompareAltitudes+50j
		movzx	eax, cx
		cmp	[edx+eax*2], bx
		jz	short loc_4FD8F4
		inc	ecx
		cmp	cx, di
		jb	short loc_4FD8E5

loc_4FD8F4:				; CODE XREF: RtlCompareAltitudes+4Aj
		mov	ebx, [ebp+arg_4]

loc_4FD8F7:				; CODE XREF: RtlCompareAltitudes+3Ej
		xor	eax, eax
		movzx	ecx, cx
		mov	[ebp+var_C], ecx
		mov	edx, esi
		cmp	ax, bx
		jnb	short loc_4FD91E
		mov	edi, [ebp+arg_0]
		push	2Eh
		pop	ecx

loc_4FD90C:				; CODE XREF: RtlCompareAltitudes+77j
		movzx	eax, dx
		cmp	[edi+eax*2], cx
		jz	short loc_4FD91B
		inc	edx
		cmp	dx, bx
		jb	short loc_4FD90C

loc_4FD91B:				; CODE XREF: RtlCompareAltitudes+71j
		mov	ecx, [ebp+var_C]

loc_4FD91E:				; CODE XREF: RtlCompareAltitudes+62j
		mov	edi, [ebp+var_4]
		mov	eax, esi
		and	[ebp+var_18], eax
		movzx	ebx, dx
		mov	[ebp+var_10], ebx
		movzx	edx, cx
		cmp	word ptr [ebp+var_18], cx
		jnb	short loc_4FD952
		mov	ebx, [ebp+var_8]
		push	30h
		pop	esi

loc_4FD93B:				; CODE XREF: RtlCompareAltitudes+D7342j
		cmp	[ebx], si
		jz	loc_5D4BD1

loc_4FD944:				; CODE XREF: RtlCompareAltitudes+D7348j
		mov	[ebp+var_8], ebx
		xor	esi, esi
		mov	ebx, [ebp+var_10]
		mov	[ebp+var_4], edi
		mov	[ebp+var_C], ecx

loc_4FD952:				; CODE XREF: RtlCompareAltitudes+91j
		movzx	eax, bx
		xor	edx, edx
		mov	[ebp+var_18], eax
		mov	eax, esi
		cmp	dx, bx
		jnb	short loc_4FD982
		mov	edx, [ebp+arg_4]
		mov	edi, [ebp+arg_0]
		push	30h
		pop	ecx

loc_4FD96A:				; CODE XREF: RtlCompareAltitudes+1DEj
		cmp	[edi], cx
		jz	loc_4FDA66

loc_4FD973:				; CODE XREF: RtlCompareAltitudes+1D8j
		mov	ecx, [ebp+var_C]
		mov	[ebp+arg_0], edi
		mov	edi, [ebp+var_4]
		mov	[ebp+arg_4], edx
		mov	[ebp+var_10], ebx

loc_4FD982:				; CODE XREF: RtlCompareAltitudes+BDj
		cmp	cx, bx
		jz	short loc_4FD997
		cmp	bx, cx

loc_4FD98A:				; CODE XREF: RtlCompareAltitudes+127j
					; RtlCompareAltitudes+D73E8j
		sbb	eax, eax
		and	eax, 2
		dec	eax

loc_4FD990:				; CODE XREF: RtlCompareAltitudes+1B9j
					; RtlCompareAltitudes+D73F7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4FD997:				; CODE XREF: RtlCompareAltitudes+E3j
		xor	eax, eax
		mov	edx, esi
		cmp	ax, cx
		jnb	short loc_4FD9D1

loc_4FD9A0:				; CODE XREF: RtlCompareAltitudes+12Dj
		mov	edi, [ebp+var_8]
		mov	esi, [ebp+arg_0]
		movzx	eax, dx
		push	0
		movzx	edi, word ptr [edi+eax*2]
		mov	[ebp+var_18], edi
		movzx	edi, word ptr [esi+eax*2]
		mov	eax, [ebp+var_18]
		cmp	ax, di
		mov	[ebp+var_14], edi
		mov	edi, [ebp+var_4]
		pop	esi
		jz	short loc_4FD9CB
		cmp	word ptr [ebp+var_14], ax
		jmp	short loc_4FD98A
; 

loc_4FD9CB:				; CODE XREF: RtlCompareAltitudes+121j
		inc	edx
		cmp	dx, cx
		jb	short loc_4FD9A0

loc_4FD9D1:				; CODE XREF: RtlCompareAltitudes+FCj
		sub	edi, ecx
		dec	edi
		movzx	edi, di
		mov	[ebp+var_14], edi
		test	di, di
		jns	short loc_4FD9E4
		mov	edi, esi
		mov	[ebp+var_14], edi

loc_4FD9E4:				; CODE XREF: RtlCompareAltitudes+13Bj
		mov	eax, [ebp+arg_4]
		sub	eax, ebx
		dec	eax
		movzx	edx, ax
		mov	[ebp+var_18], edx
		test	dx, dx
		jns	short loc_4FD9FA
		mov	edx, esi
		mov	[ebp+var_18], edx

loc_4FD9FA:				; CODE XREF: RtlCompareAltitudes+151j
		mov	eax, [ebp+var_4]
		test	ax, ax
		jz	short loc_4FDA12
		dec	eax
		movzx	eax, ax
		mov	[ebp+var_4], eax
		cmp	ax, cx
		ja	loc_5D4BEF

loc_4FDA12:				; CODE XREF: RtlCompareAltitudes+15Ej
					; RtlCompareAltitudes+D7376j
		mov	eax, [ebp+arg_4]
		test	ax, ax
		jz	short loc_4FDA2A
		dec	eax
		movzx	eax, ax
		mov	[ebp+arg_4], eax
		cmp	ax, bx
		ja	loc_5D4C1D

loc_4FDA2A:				; CODE XREF: RtlCompareAltitudes+176j
					; RtlCompareAltitudes+D73A1j
		movzx	eax, cx
		mov	ecx, [ebp+var_8]
		add	ecx, 2
		lea	eax, [ecx+eax*2]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+arg_4], eax
		add	ecx, 2
		movzx	eax, bx
		lea	eax, [ecx+eax*2]
		mov	[ebp+arg_0], eax
		movsx	eax, di
		mov	[ebp+var_18], eax
		test	eax, eax
		jg	loc_5D4C48

loc_4FDA56:				; CODE XREF: RtlCompareAltitudes+D73B3j
					; RtlCompareAltitudes+D73D5j
		xor	eax, eax
		cmp	di, dx
		jz	loc_4FD990
		jmp	loc_5D4C8F
; 

loc_4FDA66:				; CODE XREF: RtlCompareAltitudes+CBj
		inc	eax
		add	edi, 2
		add	ebx, 0FFFFh
		add	edx, 0FFFFh
		cmp	ax, word ptr [ebp+var_18]
		jnb	loc_4FD973
		jmp	loc_4FD96A
RtlCompareAltitudes endp

; 
		align 4
		db 2 dup(0CCh)
; 
; Exported entry  90. ExfInterlockedInsertHeadList

; __fastcall ExfInterlockedInsertHeadList(x, x,	x)
		public @ExfInterlockedInsertHeadList@12
@ExfInterlockedInsertHeadList@12:	; CODE XREF: CcCanIWrite+1166A7p
					; CcDeferWrite(x,x,x,x,x,x)+12Fp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	ecx, [ebp+8]
		call	ExpAcquireSpinLockDisabled
		mov	esi, [edi]
		mov	cl, al
		cmp	[esi+4], edi
		jnz	short loc_4FDACF
		mov	eax, [ebp+8]
		xor	edx, edx
		mov	[ebx], esi
		mov	[ebx+4], edi
		mov	[esi+4], ebx
		mov	[edi], ebx
		lock and [eax],	edx
		test	cl, cl
		jz	short loc_4FDABE
		sti

loc_4FDABE:				; CODE XREF: .text:004FDABBj
		mov	eax, esi
		sub	eax, edi
		neg	eax
		pop	edi
		sbb	eax, eax
		and	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4FDACF:				; CODE XREF: .text:004FDAA5j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; 
; Exported entry  91. ExfInterlockedInsertTailList

; __fastcall ExfInterlockedInsertTailList(x, x,	x)
		public @ExfInterlockedInsertTailList@12
@ExfInterlockedInsertTailList@12:	; CODE XREF: IoWMIWriteEvent+A7p
					; CcCanIWrite:loc_5C038Ep ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	ecx, [ebp+8]
		call	ExpAcquireSpinLockDisabled
		mov	esi, [edi+4]
		mov	cl, al
		cmp	[esi], edi
		jnz	short loc_4FDB1F
		mov	eax, [ebp+8]
		xor	edx, edx
		mov	[ebx], edi
		mov	[ebx+4], esi
		mov	[esi], ebx
		mov	[edi+4], ebx
		lock and [eax],	edx
		test	cl, cl
		jz	short loc_4FDB0E
		sti

loc_4FDB0E:				; CODE XREF: .text:004FDB0Bj
		mov	eax, esi
		sub	eax, edi
		neg	eax
		pop	edi
		sbb	eax, eax
		and	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4FDB1F:				; CODE XREF: .text:004FDAF5j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry  94. ExfInterlockedRemoveHeadList

;  S U B	R O U T	I N E 


; __fastcall ExfInterlockedRemoveHeadList(x, x)
		public @ExfInterlockedRemoveHeadList@8
@ExfInterlockedRemoveHeadList@8	proc near ; CODE XREF: PopFxProcessWorkPool+16D97Bp
					; ExInterlockedRemoveHeadList(x,x)j ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		mov	ecx, ebx
		xor	esi, esi
		call	ExpAcquireSpinLockDisabled
		mov	cl, al
		mov	eax, [edi]
		cmp	eax, edi
		jnz	short loc_4FDB54

loc_4FDB44:				; CODE XREF: ExfInterlockedRemoveHeadList(x,x)+3Dj
		xor	eax, eax
		lock and [ebx],	eax
		test	cl, cl
		jz	short loc_4FDB4E
		sti

loc_4FDB4E:				; CODE XREF: ExfInterlockedRemoveHeadList(x,x)+21j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_4FDB54:				; CODE XREF: ExfInterlockedRemoveHeadList(x,x)+18j
		mov	esi, eax
		mov	eax, [esi]
		cmp	[esi+4], edi
		jnz	short loc_4FDB69
		cmp	[eax+4], esi
		jnz	short loc_4FDB69
		mov	[edi], eax
		mov	[eax+4], edi
		jmp	short loc_4FDB44
; 

loc_4FDB69:				; CODE XREF: ExfInterlockedRemoveHeadList(x,x)+31j
					; ExfInterlockedRemoveHeadList(x,x)+36j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
@ExfInterlockedRemoveHeadList@8	endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpAcquireSpinLockDisabled proc	near	; CODE XREF: .text:004FDA99p
					; .text:004FDAE9p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D4C9E SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	bl, al

loc_4FDB83:				; CODE XREF: ExpAcquireSpinLockDisabled+D7144j
		lock bts dword ptr [esi], 0
		jb	loc_5D4C9E
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
ExpAcquireSpinLockDisabled endp


;  S U B	R O U T	I N E 


AuthzBasepEvaluateAttribute proc near	; CODE XREF: .text:00517DB7p
					; .text:00518204p ...

; FUNCTION CHUNK AT 005D4CB7 SIZE 00000039 BYTES

		xor	edx, edx
		test	ecx, ecx
		jz	short loc_4FDBD0
		mov	eax, [ecx+18h]
		test	eax, eax
		jz	short loc_4FDBCD
		cmp	eax, 1
		ja	short loc_4FDBD5
		push	esi
		movzx	esi, word ptr [ecx+10h]
		mov	eax, esi
		test	ax, ax
		jz	short loc_4FDBCC
		cmp	eax, 6
		jnz	loc_5D4CB7

loc_4FDBBB:				; CODE XREF: AuthzBasepEvaluateAttribute+D7126j
		mov	ecx, [ecx+1Ch]
		test	ecx, ecx
		jz	short loc_4FDBCC
		mov	eax, [ecx]
		or	eax, [ecx+4]

loc_4FDBC7:				; CODE XREF: AuthzBasepEvaluateAttribute+D7145j
		jz	short loc_4FDBCC
		xor	edx, edx
		inc	edx

loc_4FDBCC:				; CODE XREF: AuthzBasepEvaluateAttribute+1Cj
					; AuthzBasepEvaluateAttribute+2Cj ...
		pop	esi

loc_4FDBCD:				; CODE XREF: AuthzBasepEvaluateAttribute+Bj
					; AuthzBasepEvaluateAttribute+3Fj ...
		mov	eax, edx
		retn
; 

loc_4FDBD0:				; CODE XREF: AuthzBasepEvaluateAttribute+4j
		or	edx, 0FFFFFFFFh
		jmp	short loc_4FDBCD
; 

loc_4FDBD5:				; CODE XREF: AuthzBasepEvaluateAttribute+10j
		xor	edx, edx
		inc	edx
		jmp	short loc_4FDBCD
AuthzBasepEvaluateAttribute endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReferenceExistingControlArea proc near ; CODE	XREF: MiCreateImageOrDataSection+1FDp

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005D4CF0 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1], 0
		push	edi
		mov	eax, [esi+20h]
		movzx	edx, byte ptr [esi+0Bh]
		not	edx
		and	edx, 1
		mov	ecx, [eax+14h]
		lea	eax, [ebp-1]
		push	eax
		call	MiLockSectionControlArea
		test	eax, eax
		jz	short loc_4FDC39
		test	byte ptr [eax+1Ch], 3
		lea	edi, [eax+24h]
		jnz	loc_5D4CF0
		mov	edx, eax
		mov	ecx, esi
		call	_MiReferenceActiveControlArea@8	; MiReferenceActiveControlArea(x,x)
		push	edi
		mov	esi, eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)
		xor	eax, eax

loc_4FDC35:				; CODE XREF: MiReferenceExistingControlArea+64j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4FDC39:				; CODE XREF: MiReferenceExistingControlArea+29j
					; MiReferenceExistingControlArea+D7125j
		mov	eax, 0C0000001h
		jmp	short loc_4FDC35
MiReferenceExistingControlArea endp


;  S U B	R O U T	I N E 


; __stdcall KiAbTryDecrementIoWaiterCounts(x, x)
_KiAbTryDecrementIoWaiterCounts@8 proc near ; CODE XREF: KiAbEntryRemoveFromTree+2FCp
					; KiAbEntryRemoveFromTree+3B2p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	al, [esi+0Fh]
		test	al, 2
		jz	short loc_4FDC7A
		movzx	eax, word ptr [edx+2Eh]
		mov	cx, ax
		shr	cx, 1
		dec	cx
		add	cx, cx
		xor	cx, ax
		push	edi
		mov	edi, 1FEh
		and	cx, di
		xor	cx, ax
		mov	[edx+2Eh], cx
		mov	al, [esi+0Fh]
		and	al, 0FDh
		mov	[esi+0Fh], al
		mov	al, [esi+0Fh]
		pop	edi

loc_4FDC7A:				; CODE XREF: KiAbTryDecrementIoWaiterCounts(x,x)+Aj
		test	al, 4
		jz	short loc_4FDCA4
		movzx	ecx, word ptr [edx+2Eh]
		mov	ax, cx
		and	ecx, 1FFh
		shr	ax, 9
		dec	ax
		shl	ax, 9
		or	ax, cx
		mov	[edx+2Eh], ax
		mov	al, [esi+0Fh]
		and	al, 0FBh
		mov	[esi+0Fh], al

loc_4FDCA4:				; CODE XREF: KiAbTryDecrementIoWaiterCounts(x,x)+3Cj
		pop	esi
		retn
_KiAbTryDecrementIoWaiterCounts@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiLockDynamicMemoryShared(x, x)
_MiLockDynamicMemoryShared@8 proc near	; CODE XREF: MmQueryPfnList+26p
					; MiGetPhysicalMemoryRanges+11B428p ...
		dec	word ptr [edx+13Eh]
		nop
		add	ecx, 6Ch
		xor	edx, edx
		jmp	ExAcquirePushLockSharedEx
_MiLockDynamicMemoryShared@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 559. FsRtlInsertPerStreamContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlInsertPerStreamContext
FsRtlInsertPerStreamContext proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D4D04 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_4FDD3E
		test	byte ptr [esi+6], 2
		jz	short loc_4FDD3E
		mov	al, [esi+7]
		and	al, 0F0h
		push	edi
		cmp	al, 10h
		jb	loc_5D4D04
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+34h]
		call	ExAcquirePushLockExclusiveEx

loc_4FDCF7:				; CODE XREF: FsRtlInsertPerStreamContext+D704Ej
		lea	ecx, [esi+2Ch]
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_4FDD39
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		mov	[ecx], eax
		mov	al, [esi+7]
		and	al, 0F0h
		cmp	al, 10h
		jb	loc_5D4D11
		xor	edx, edx
		lea	ecx, [esi+34h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_4FDD31:				; CODE XREF: FsRtlInsertPerStreamContext+D705Bj
		xor	eax, eax
		pop	edi

loc_4FDD34:				; CODE XREF: FsRtlInsertPerStreamContext+85j
		pop	esi
		pop	ebp
		retn	8
; 

loc_4FDD39:				; CODE XREF: FsRtlInsertPerStreamContext+41j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_4FDD3E:				; CODE XREF: FsRtlInsertPerStreamContext+Bj
					; FsRtlInsertPerStreamContext+11j
		mov	eax, 0C0000010h
		jmp	short loc_4FDD34
FsRtlInsertPerStreamContext endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcMapDataForOverwrite proc near		; CODE XREF: CcPreparePinWrite+49p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= byte ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D4D1E SIZE 0000003E BYTES

		push	38h
		push	offset dword_6A3AD0
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_28], eax
		mov	[ebp+var_2C], ecx
		and	[ebp+var_20], 0
		mov	eax, [eax]
		and	eax, 0FFFh
		mov	edx, [ebp+arg_0]
		add	edx, 0FFFh
		add	eax, edx
		shr	eax, 0Ch
		mov	[ebp+var_24], eax
		mov	esi, large fs:124h
		mov	[ebp+var_38], esi
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_19], bl
		xor	eax, eax
		lea	edi, [ebp+var_48]
		stosd
		stosd
		stosd
		mov	eax, [ecx+14h]
		mov	edi, [eax+4]
		test	dword ptr [edi+60h], 20000h
		jz	loc_4FDE78

loc_4FDDA1:				; CODE XREF: CcMapDataForOverwrite+183j
		mov	ecx, [esi+2F4h]
		movzx	eax, byte ptr [esi+308h]
		lea	ebx, [eax+ecx*4]
		mov	[ebp+var_34], ebx
		mov	edi, [ebp+arg_8]
		push	edi
		lea	eax, [ebp+var_20]
		push	eax
		push	1
		push	[ebp+arg_0]
		mov	edx, [ebp+var_28]
		mov	ecx, [ebp+var_2C]
		call	CcMapDataCommon
		and	[ebp+ms_exc.disabled], 0
		xor	edx, edx
		inc	edx
		mov	[ebp+var_3C], edx
		mov	eax, [edi]
		mov	[ebp+var_30], eax
		mov	edi, [ebp+var_24]

loc_4FDDDE:				; CODE XREF: CcMapDataForOverwrite+E8j
		mov	[ebp+arg_0], eax
		test	edi, edi
		jz	short loc_4FDE30
		mov	[ebp+var_19], dl
		mov	[esi+308h], dl
		dec	edi
		cmp	edi, [esi+2F4h]
		jbe	short loc_4FDE06
		cmp	edi, 0Fh
		jbe	short loc_4FDE70
		mov	dword ptr [esi+2F4h], 0Fh

loc_4FDE06:				; CODE XREF: CcMapDataForOverwrite+AFj
					; CcMapDataForOverwrite+130j
		lea	ecx, [ebp+var_19]
		push	ecx
		push	5
		mov	ecx, eax
		call	_MmCheckCachedPageStates@16 ; MmCheckCachedPageStates(x,x,x,x)
		cmp	[ebp+var_19], 0
		jz	loc_5D4D48

loc_4FDE1D:				; CODE XREF: CcMapDataForOverwrite+D7011j
		mov	eax, [ebp+arg_0]
		add	eax, 1000h
		mov	[ebp+var_30], eax
		mov	[ebp+var_24], edi
		xor	edx, edx
		inc	edx
		jmp	short loc_4FDDDE
; 

loc_4FDE30:				; CODE XREF: CcMapDataForOverwrite+9Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_3C], 0
		call	sub_4FDECE
		mov	eax, large fs:124h
		mov	eax, [eax+328h]
		add	large fs:690h, eax
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_20]
		mov	[ecx], eax
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_4FDE70:				; CODE XREF: CcMapDataForOverwrite+B4j
		mov	[esi+2F4h], edi
		jmp	short loc_4FDE06
; 

loc_4FDE78:				; CODE XREF: CcMapDataForOverwrite+55j
		mov	ecx, edi
		call	CcGetPartition
		lea	ecx, [eax+40h]
		lea	edx, [ebp+var_48]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		or	dword ptr [edi+60h], 20000h
		test	ds:byte_70EFC6,	1
		jnz	loc_5D4D1E
		mov	eax, [ebp+var_48]
		test	eax, eax
		jnz	loc_5D4D36
		mov	edx, [ebp+var_44]
		lea	eax, [ebp+var_48]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_48]
		cmp	eax, ecx
		jnz	loc_5D4D2E

loc_4FDEC0:				; CODE XREF: CcMapDataForOverwrite+D6FE3j
					; CcMapDataForOverwrite+D6FFDj
		mov	cl, [ebp+var_40]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4FDDA1
CcMapDataForOverwrite endp


;  S U B	R O U T	I N E 


sub_4FDECE	proc near		; CODE XREF: CcMapDataForOverwrite+F8p
					; sub_5D4D5C+6j

; FUNCTION CHUNK AT 005D4D67 SIZE 00000015 BYTES

		mov	al, bl
		and	al, 3
		mov	[esi+308h], al
		shr	ebx, 2
		mov	[esi+2F4h], ebx
		cmp	dword ptr [ebp-3Ch], 0
		jnz	loc_5D4D67

locret_4FDEEB:				; CODE XREF: sub_4FDECE+D6E9Ej
		retn
sub_4FDECE	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepConstrainByMandatory	proc near	; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+85Cp
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+11B9p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D4D7C SIZE 000000A4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	dword ptr [ecx+8], 0
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_4], ebx
		jz	short loc_4FDF14
		cmp	byte ptr [ecx+5], 0
		jz	short loc_4FDF1A
		cmp	byte ptr [ecx+4], 0
		jz	short loc_4FDF1A
		cmp	byte ptr [ecx+6], 0
		jz	short loc_4FDF1A

loc_4FDF14:				; CODE XREF: SepConstrainByMandatory+14j
					; SepConstrainByMandatory+44j ...
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_4FDF1A:				; CODE XREF: SepConstrainByMandatory+1Aj
					; SepConstrainByMandatory+20j ...
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	loc_5D4DAD
		mov	edx, [ebp+arg_0]
		mov	ecx, [ecx]
		mov	eax, [edx]
		and	ecx, eax
		cmp	ecx, eax
		jz	short loc_4FDF14
		mov	eax, [ebp+arg_4]
		mov	[edx], ecx
		test	ebx, 2000000h
		jz	loc_5D4D92
		test	ecx, ecx
		jz	loc_5D4D7C
		and	dword ptr [eax], 0
		test	esi, esi
		jz	short loc_4FDF14
		mov	byte ptr [esi],	1
		jmp	short loc_4FDF14
SepConstrainByMandatory	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetImageProtoProtection proc near	; CODE XREF: .text:00455AC8p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D4E20 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	eax, ecx
		mov	ebx, edx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], eax
		push	edi
		mov	edi, [eax+2Ch]
		mov	edx, esi
		jmp	short loc_4FDF90
; 

loc_4FDF72:				; CODE XREF: MiGetImageProtoProtection+3Aj
		test	byte ptr [edi+12h], 2
		jnz	loc_5D4E20

loc_4FDF7C:				; CODE XREF: MiGetImageProtoProtection+D6ED4j
		mov	edx, [edi+4]

loc_4FDF7F:				; CODE XREF: MiGetImageProtoProtection+D6EFAj
		cmp	ebx, edx
		jb	short loc_4FDF8D
		mov	eax, [edi+1Ch]
		lea	eax, [edx+eax*8]
		cmp	ebx, eax
		jb	short loc_4FDF94

loc_4FDF8D:				; CODE XREF: MiGetImageProtoProtection+29j
		mov	edi, [edi+8]

loc_4FDF90:				; CODE XREF: MiGetImageProtoProtection+18j
		test	edi, edi
		jnz	short loc_4FDF72

loc_4FDF94:				; CODE XREF: MiGetImageProtoProtection+33j
		mov	eax, [edi+24h]
		sub	ebx, edx
		mov	ecx, [edi+1Ch]
		and	eax, 3FFFFFFFh
		sub	ecx, eax
		sar	ebx, 3
		cmp	ebx, ecx
		jnb	short loc_4FDFC4
		mov	esi, [ebp+var_8]
		mov	esi, [esi+1Ch]
		shr	esi, 7
		and	esi, 1Fh
		cmp	esi, 7
		jnz	short loc_4FDFC4
		movzx	esi, word ptr [edi+10h]
		shr	esi, 1
		and	esi, 1Fh

loc_4FDFC4:				; CODE XREF: MiGetImageProtoProtection+50j
					; MiGetImageProtoProtection+61j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
MiGetImageProtoProtection endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MI_PROTO_FORMAT_COMBINED(x,	x)
_MI_PROTO_FORMAT_COMBINED@8 proc near	; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+20Ep
					; .text:00455A4Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_4]
		mov	esi, [ebp+arg_0]
		push	esi
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jz	short loc_4FDFE9
		xor	al, al

loc_4FDFE4:				; CODE XREF: MI_PROTO_FORMAT_COMBINED(x,x)+27j
					; MI_PROTO_FORMAT_COMBINED(x,x)+2Bj
		pop	esi
		pop	ebp
		retn	8
; 

loc_4FDFE9:				; CODE XREF: MI_PROTO_FORMAT_COMBINED(x,x)+14j
		and	esi, 800h
		xor	eax, eax
		or	esi, eax
		jz	short loc_4FDFE4
		mov	al, 1
		jmp	short loc_4FDFE4
_MI_PROTO_FORMAT_COMBINED@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockFlushMdl proc near		; CODE XREF: MiFlushSectionInternal+829p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D4E57 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		movzx	eax, word ptr [esi+6]
		mov	ecx, eax
		test	eax, 200h
		jnz	loc_5D4E57

loc_4FE017:				; CODE XREF: MiUnlockFlushMdl+D6E68j
		test	cl, 1
		jz	short loc_4FE025
		push	esi
		push	dword ptr [esi+0Ch]
		call	MmUnmapLockedPages

loc_4FE025:				; CODE XREF: MiUnlockFlushMdl+20j
		mov	edx, [esi+18h]
		lea	ecx, [esi+1Ch]
		add	edx, [esi+10h]
		mov	eax, [esi+14h]
		and	edx, 0FFFh
		push	[ebp+arg_0]
		add	eax, 0FFFh
		add	eax, edx
		shr	eax, 0Ch
		lea	edx, [ecx+eax*4]
		call	MiUnlockMdlWritePages
		xor	edx, edx
		mov	ecx, edi
		call	_MiDecrementModifiedWriteCount@8 ; MiDecrementModifiedWriteCount(x,x)
		test	eax, eax
		jnz	short loc_4FE060

loc_4FE059:				; CODE XREF: MiUnlockFlushMdl+6Dj
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
; 

loc_4FE060:				; CODE XREF: MiUnlockFlushMdl+5Dj
		mov	ecx, eax
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)
		jmp	short loc_4FE059
MiUnlockFlushMdl endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiGetProcessorFlushList(x)
_MiGetProcessorFlushList@4 proc	near	; CODE XREF: MmUnmapViewInSystemCache+D4p
		mov	eax, large fs:20h
		push	ebx
		xor	ebx, ebx
		mov	eax, [eax+4D4h]
		mov	edx, [eax]
		mov	ecx, [eax+0Ch]
		mov	[edx+0Ch], ebx
		mov	[edx], ebx
		mov	[edx+4], bx
		mov	[edx+10h], ebx
		mov	[edx+14h], ebx
		mov	[edx+8], ecx
		pop	ebx
		retn
_MiGetProcessorFlushList@4 endp


;  S U B	R O U T	I N E 


MiAllowGuardFault proc near		; CODE XREF: .text:loc_46804Dp
					; MiResolveProtoPteFault(x,x,x)+9CCp ...

; FUNCTION CHUNK AT 005D4E67 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		cmp	byte ptr [ebx+16Ah], 1
		jz	short loc_4FE0DB
		mov	esi, ecx
		mov	edi, ecx
		and	esi, 0FFFFFFFEh
		and	edi, 1
		jnz	loc_5D4E67

loc_4FE0B7:				; CODE XREF: MiAllowGuardFault+D6DDAj
		test	edi, edi
		jnz	loc_5D4E71
		xor	edx, edx
		call	@KeInvalidAccessAllowed@8 ; KeInvalidAccessAllowed(x,x)
		cmp	al, 1
		jz	loc_5D4E7F

loc_4FE0CE:				; CODE XREF: MiAllowGuardFault+D6DE7j
					; MiAllowGuardFault+D6DFEj
		test	byte ptr [ebx+58h], 20h
		jnz	short loc_4FE0DB
		xor	eax, eax
		inc	eax

loc_4FE0D7:				; CODE XREF: MiAllowGuardFault+4Bj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_4FE0DB:				; CODE XREF: MiAllowGuardFault+13j
					; MiAllowGuardFault+40j ...
		xor	eax, eax
		jmp	short loc_4FE0D7
MiAllowGuardFault endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __fastcall KeInvalidAccessAllowed(x, x)
@KeInvalidAccessAllowed@8 proc near	; CODE XREF: .text:00465E82p
					; .text:004B03FFp ...
		test	dl, 1
		jnz	short loc_4FE10B
		test	ecx, ecx
		jz	short loc_4FE10B
		test	byte ptr [ecx+6Ch], 1
		jz	short loc_4FE0FB

loc_4FE0EF:				; CODE XREF: KeInvalidAccessAllowed(x,x)+29j
		mov	eax, ds:_KeUserPopEntrySListFault

loc_4FE0F4:				; CODE XREF: KeInvalidAccessAllowed(x,x)+27j
		cmp	[ecx+68h], eax
		setz	al
		retn
; 

loc_4FE0FB:				; CODE XREF: KeInvalidAccessAllowed(x,x)+Dj
		test	dword ptr [ecx+70h], 20000h
		mov	eax, offset _ExpInterlockedPopEntrySListFault
		jz	short loc_4FE0F4
		jmp	short loc_4FE0EF
; 

loc_4FE10B:				; CODE XREF: KeInvalidAccessAllowed(x,x)+3j
					; KeInvalidAccessAllowed(x,x)+7j
		xor	al, al
		retn
@KeInvalidAccessAllowed@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReadyFlushMdlToWrite proc near	; CODE XREF: MiFlushSectionInternal+7AAp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005D4E95 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ds:_MmPfnDatabase
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		imul	esi, [ebx+1Ch],	1Ch
		mov	ecx, edi
		push	0FFFFFFFFh
		mov	edx, [esi+eax+4]
		and	dword ptr [ebx+18h], 0
		or	edx, 80000000h
		call	MiStartingOffset
		mov	ecx, edi
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx
		call	MiEndingOffsetWithLock
		mov	cx, [ebx+6]
		or	cx, 2
		test	[ebp+arg_0], 8
		movzx	esi, cx
		mov	[ebx+6], cx
		jnz	loc_5D4E95

loc_4FE162:				; CODE XREF: MiReadyFlushMdlToWrite+D6D91j
		mov	eax, [ebx+14h]
		mov	edx, [ebp+var_8]
		shl	eax, 2
		shr	eax, 0Ch
		pop	edi
		add	eax, 1Ch
		mov	[ebx+4], ax
		mov	eax, [ebp+var_4]
		pop	esi
		pop	ebx
		leave
		retn	4
MiReadyFlushMdlToWrite endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall IopCloseFileObjectExtension(x)
_IopCloseFileObjectExtension@4 proc near ; CODE	XREF: IopCloseFile(x,x,x,x)+3A9p
					; IoCancelFileOpen(x,x)+E7p
		mov	eax, [ecx+7Ch]
		cmp	eax, _IopRevocationExtension
		jz	short locret_4FE192
		mov	eax, [eax+20h]
		test	eax, eax
		jnz	short loc_4FE193

locret_4FE192:				; CODE XREF: IopCloseFileObjectExtension(x)+9j
		retn
; 

loc_4FE193:				; CODE XREF: IopCloseFileObjectExtension(x)+10j
		push	dword ptr [eax+8]
		and	dword ptr [eax+4], 0FFFFFFFEh
		call	_PsReleaseSiloHardReference@4 ;	PsReleaseSiloHardReference(x)
		retn
_IopCloseFileObjectExtension@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVsChunkSetUnusedBytes(x, x, x, x)
_RtlpHpVsChunkSetUnusedBytes@16	proc near ; CODE XREF: RtlpHpVsContextAllocateInternal+1F7p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 1
		push	esi
		mov	byte ptr [ecx+edx-1], 0
		movzx	esi, word ptr [ecx+edx-2]
		jz	short loc_4FE1CF
		mov	eax, esi
		xor	eax, [ebp+arg_0]
		and	eax, 1FFFh
		xor	eax, esi
		movzx	eax, ax

loc_4FE1C5:				; CODE XREF: RtlpHpVsChunkSetUnusedBytes(x,x,x,x)+38j
		mov	[ecx+edx-2], ax
		pop	esi
		pop	ebp
		retn	8
; 

loc_4FE1CF:				; CODE XREF: RtlpHpVsChunkSetUnusedBytes(x,x,x,x)+14j
		or	esi, 8000h
		movzx	eax, si
		jmp	short loc_4FE1C5
_RtlpHpVsChunkSetUnusedBytes@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpTraceImageUnloadApc	proc near	; DATA XREF: PerfLogImageUnload+D0o

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D4EA4 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		mov	[esp+30h+var_8], eax
		mov	[esp+30h+var_4], eax
		mov	[esp+30h+var_20], eax
		call	_KeAreAllApcsDisabled@0	; KeAreAllApcsDisabled()
		test	al, al
		jnz	loc_5D4EA4

loc_4FE203:				; CODE XREF: EtwpTraceImageUnloadApc+D6CCCj
		mov	esi, [ebp+arg_0]
		mov	eax, _FltMgrCallbacks
		mov	ecx, [esi+30h]
		test	eax, eax
		jz	loc_5D4EAB
		lea	edx, [esp+30h+var_20]
		push	edx
		lea	edx, [esp+34h+var_8]
		push	edx
		push	400h
		push	ecx
		call	dword ptr [eax+0Ch]

loc_4FE229:				; CODE XREF: EtwpTraceImageUnloadApc+D6CD6j
		mov	ecx, [esi+44h]
		mov	edx, [esi+50h]
		mov	edi, [esi+4Ch]
		mov	ebx, [esi+48h]
		mov	[esp+40h+var_2C], ecx
		mov	ecx, [esi+40h]
		mov	[esp+40h+var_28], ecx
		mov	ecx, [esi+3Ch]
		mov	[esp+40h+var_24], ecx
		mov	ecx, [esi+38h]
		mov	[esp+40h+var_20], ecx
		mov	ecx, [esi+34h]
		mov	[esp+40h+var_1C], ecx
		test	eax, eax
		js	short loc_4FE2A7
		lea	ecx, [esp+40h+var_18]

loc_4FE25D:				; CODE XREF: EtwpTraceImageUnloadApc+D3j
		push	0
		push	edx
		mov	edx, [esp+48h+var_1C]
		push	edi
		push	ebx
		push	[esp+50h+var_2C]
		push	[esp+54h+var_28]
		push	[esp+58h+var_24]
		push	[esp+5Ch+var_20]
		call	_EtwpTraceImageUnload@40 ; EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)
		cmp	[esp+40h+var_30], 0
		jz	short loc_4FE28E
		mov	eax, _FltMgrCallbacks
		push	[esp+40h+var_30]
		call	dword ptr [eax+10h]

loc_4FE28E:				; CODE XREF: EtwpTraceImageUnloadApc+A6j
		mov	ecx, [esi+30h]
		call	ObfDereferenceObject
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_4FE2A7:				; CODE XREF: EtwpTraceImageUnloadApc+7Dj
		mov	ecx, [esi+30h]
		add	ecx, 30h
		jmp	short loc_4FE25D
EtwpTraceImageUnloadApc	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEventIdleStateChange	proc near	; CODE XREF: PoIdle(x)+427p
					; PpmTracePerfIdleRundown(x,x,x)+8Cp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D4EB5 SIZE 0000004C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		test	ds:dword_70EFD0, 8000h
		jnz	loc_5D4EB5

loc_4FE2D2:				; CODE XREF: PpmEventIdleStateChange+D6C4Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PpmEventIdleStateChange	endp


;  S U B	R O U T	I N E 


; __stdcall _GetBaseTypeSize(x)
__GetBaseTypeSize@4 proc near		; CODE XREF: _PnpValidatePropertyData+38p
		and	ecx, 0FFFh
		cmp	ecx, 19h
		ja	short loc_4FE307
		movzx	eax, ds:byte_4FE32E[ecx]
		jmp	ds:off_4FE312[eax*4]

loc_4FE2F7:				; DATA XREF: .text:004FE31Ao
		push	2
		pop	eax
		retn
; 

loc_4FE2FB:				; CODE XREF: _GetBaseTypeSize(x)+12j
					; DATA XREF: .text:004FE31Eo
		push	4
		pop	eax
		retn
; 

loc_4FE2FF:				; CODE XREF: _GetBaseTypeSize(x)+12j
					; DATA XREF: .text:004FE316o
		xor	eax, eax
		inc	eax
		retn
; 

loc_4FE303:				; CODE XREF: _GetBaseTypeSize(x)+12j
					; DATA XREF: .text:004FE322o
		push	8
		pop	eax
		retn
; 

loc_4FE307:				; CODE XREF: _GetBaseTypeSize(x)+9j
					; _GetBaseTypeSize(x)+12j
					; DATA XREF: ...
		xor	eax, eax
		retn
; 

loc_4FE30A:				; CODE XREF: _GetBaseTypeSize(x)+12j
					; DATA XREF: .text:004FE326o
		push	10h
		pop	eax
		retn
; 

loc_4FE30E:				; CODE XREF: _GetBaseTypeSize(x)+12j
					; DATA XREF: .text:004FE32Ao
		push	14h
		pop	eax
		retn
__GetBaseTypeSize@4 endp

; 
off_4FE312	dd offset loc_4FE307	; DATA XREF: _GetBaseTypeSize(x)+12r
		dd offset loc_4FE2FF
		dd offset loc_4FE2F7
		dd offset loc_4FE2FB
		dd offset loc_4FE303
		dd offset loc_4FE30A
		dd offset loc_4FE30E
byte_4FE32E	db 0			; DATA XREF: _GetBaseTypeSize(x)+Br
		align 10h
		add	[ecx], eax
		add	al, [edx]
		add	eax, [ebx]
		add	al, 4
		add	eax, ds:4040405h[eax]
		add	[edx], eax
		add	[edx], eax
		push	es
		add	eax, [ebx]
		add	eax, [edx]

;  S U B	R O U T	I N E 


; __stdcall _IsFixedSizeType(x)
__IsFixedSizeType@4 proc near		; CODE XREF: _PnpValidatePropertyData+72p
					; _PnpValidatePropertyData+1C1p
		and	ecx, 0FFFh
		cmp	ecx, 12h
		jnb	short loc_4FE356

loc_4FE353:				; CODE XREF: _IsFixedSizeType(x)+1Bj
		mov	al, 1
		retn
; 

loc_4FE356:				; CODE XREF: _IsFixedSizeType(x)+9j
		cmp	ecx, 14h
		ja	short loc_4FE35E

loc_4FE35B:				; CODE XREF: _IsFixedSizeType(x)+19j
		xor	al, al
		retn
; 

loc_4FE35E:				; CODE XREF: _IsFixedSizeType(x)+11j
		cmp	ecx, 19h
		jz	short loc_4FE35B
		jmp	short loc_4FE353
__IsFixedSizeType@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringCbLengthW(x, x, x)
_RtlStringCbLengthW@12 proc near	; CODE XREF: AslpFileVerBlockGetValueOffset(x,x,x)+2Ap
					; AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+77p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	eax, eax
		mov	[ebp+var_4], eax
		test	ecx, ecx
		jz	short loc_4FE39A
		lea	eax, [ebp+var_4]
		shr	edx, 1
		push	eax
		call	sub_4EBA32
		mov	edx, eax
		mov	eax, [ebp+var_4]

loc_4FE385:				; CODE XREF: RtlStringCbLengthW(x,x,x)+39j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_4FE394
		test	edx, edx
		js	short loc_4FE3A1
		add	eax, eax
		mov	[ecx], eax

loc_4FE394:				; CODE XREF: RtlStringCbLengthW(x,x,x)+24j
					; RtlStringCbLengthW(x,x,x)+3Ej
		mov	eax, edx
		leave
		retn	4
; 

loc_4FE39A:				; CODE XREF: RtlStringCbLengthW(x,x,x)+Dj
		mov	edx, 0C000000Dh
		jmp	short loc_4FE385
; 

loc_4FE3A1:				; CODE XREF: RtlStringCbLengthW(x,x,x)+28j
		and	dword ptr [ecx], 0
		jmp	short loc_4FE394
_RtlStringCbLengthW@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlUnicodeStringInitWorker proc	near	; CODE XREF: RtlUnicodeStringInit(x,x)+4p
					; PopCapabilityCheck(x)+1Fp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ebx, edx
		mov	[edi], esi
		mov	[edi+4], esi
		test	ebx, ebx
		jz	short loc_4FE3E9
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], esi
		push	eax
		mov	ecx, ebx
		call	RtlStringLengthWorkerW
		mov	esi, eax
		test	esi, esi
		js	short loc_4FE3E9
		test	edi, edi
		jz	short loc_4FE3F2
		mov	ecx, [ebp+var_4]
		mov	[edi+4], ebx
		lea	eax, [ecx+ecx]
		mov	[edi], ax
		add	eax, 2
		mov	[edi+2], ax

loc_4FE3E9:				; CODE XREF: RtlUnicodeStringInitWorker+16j
					; RtlUnicodeStringInitWorker+2Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4FE3F2:				; CODE XREF: RtlUnicodeStringInitWorker+2Ej
		mov	esi, 0C000000Dh
		jmp	short loc_4FE3E9
RtlUnicodeStringInitWorker endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringLengthWorkerW proc near	; CODE XREF: RtlUnicodeStringInitWorker+21p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, 7FFFh
		push	edi
		mov	edx, esi
		xor	edi, edi

loc_4FE40B:				; CODE XREF: RtlStringLengthWorkerW+1Cj
		cmp	[ecx], di
		jz	short loc_4FE418
		add	ecx, 2
		sub	edx, 1
		jnz	short loc_4FE40B

loc_4FE418:				; CODE XREF: RtlStringLengthWorkerW+14j
		mov	ecx, [ebp+arg_0]
		mov	eax, edx
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFF3h
		add	eax, 0C000000Dh
		test	ecx, ecx
		jz	short loc_4FE437
		test	edx, edx
		jz	short loc_4FE43D
		sub	esi, edx
		mov	[ecx], esi

loc_4FE437:				; CODE XREF: RtlStringLengthWorkerW+33j
					; RtlStringLengthWorkerW+45j
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_4FE43D:				; CODE XREF: RtlStringLengthWorkerW+37j
		mov	[ecx], edi
		jmp	short loc_4FE437
RtlStringLengthWorkerW endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiChargePartitionResidentAvailable proc	near ; CODE XREF: MiFlushSectionInternal+A1Cp
					; MiLockPageTablePage(x,x)+135p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D4F01 SIZE 000000D0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		mov	esi, edx
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_10], esi
		mov	[ebp+var_4], edx
		lea	eax, [esi+ecx]
		cmp	eax, esi
		jb	loc_4FE516

loc_4FE463:				; CODE XREF: MiChargePartitionResidentAvailable+D7j
		push	ebx
		lea	ebx, [edx+1000h]
		xor	edx, edx
		push	edi
		mov	edi, [ebx]
		mov	[ebp+var_14], ebx
		cmp	edi, 400h
		jl	loc_5D4F0E

loc_4FE47E:				; CODE XREF: MiChargePartitionResidentAvailable+D6AD3j
					; MiChargePartitionResidentAvailable+D6B2Dj
		test	edi, edi
		jle	loc_5D4FA2
		lea	eax, [esi+ecx]

loc_4FE489:				; CODE XREF: MiChargePartitionResidentAvailable+D6B5Aj
		cmp	eax, edi
		ja	loc_5D4F74

loc_4FE491:				; CODE XREF: MiChargePartitionResidentAvailable+D6B35j
		mov	ecx, edi
		mov	eax, edi
		sub	ecx, esi
		lock cmpxchg [ebx], ecx
		cmp	eax, edi
		jnz	loc_5D4F92
		sub	edi, esi
		xor	ebx, ebx
		mov	esi, 400h
		cmp	edi, esi
		setl	bl
		add	ebx, 2
		cmp	[ebp+var_4], offset _MiSystemPartition
		mov	[ebp+arg_0], ebx
		jnz	short loc_4FE50D
		mov	eax, large fs:20h
		lea	edx, [eax+3D30h]
		mov	ecx, [edx]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_5D4FB5
		cmp	ecx, 40h
		jnb	short loc_4FE50D

loc_4FE4DC:				; CODE XREF: MiChargePartitionResidentAvailable+D6B8Aj
		cmp	edi, esi
		jle	short loc_4FE50D
		mov	esi, [ebp+var_4]
		mov	edx, 80h
		sub	edx, ecx
		mov	eax, edi
		mov	ecx, edi
		add	esi, 1000h
		sub	ecx, edx
		lock cmpxchg [esi], ecx
		mov	ebx, [ebp+arg_0]
		cmp	eax, edi
		jnz	short loc_4FE50D
		mov	ecx, [ebp+var_4]
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	short loc_4FE524

loc_4FE50D:				; CODE XREF: MiChargePartitionResidentAvailable+7Cj
					; MiChargePartitionResidentAvailable+98j ...
		mov	eax, ebx

loc_4FE50F:				; CODE XREF: MiChargePartitionResidentAvailable+D6B4Bj
					; MiChargePartitionResidentAvailable+D6B6Ej
		pop	edi
		pop	ebx

loc_4FE511:				; CODE XREF: MiChargePartitionResidentAvailable+D6AC7j
		pop	esi
		leave
		retn	4
; 

loc_4FE516:				; CODE XREF: MiChargePartitionResidentAvailable+1Bj
		cmp	ecx, 0FFFFFFFFh
		jz	loc_4FE463
		jmp	loc_5D4F01
; 

loc_4FE524:				; CODE XREF: MiChargePartitionResidentAvailable+C9j
		lock xadd [esi], eax
		jmp	short loc_4FE50D
MiChargePartitionResidentAvailable endp

; 
		align 10h
; Exported entry 2309. RtlRbReplaceNode

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlRbReplaceNode
RtlRbReplaceNode proc near		; CODE XREF: KiAbEntryRemoveFromTree+27Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D4FD1 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	esi, ebx
		mov	edi, edx
		movsd
		movsd
		movsd
		mov	esi, [edx]
		test	esi, esi
		jnz	short loc_4FE5A8
		mov	ebx, [ecx+4]
		test	bl, 1
		jnz	loc_5D4FD1
		mov	eax, ebx

loc_4FE55C:				; CODE XREF: RtlRbReplaceNode+D6AA8j
					; RtlRbReplaceNode+D6AB4j
		mov	ebx, [ebp+arg_4]
		cmp	eax, ebx
		jnz	short loc_4FE570
		test	byte ptr [ecx+4], 1
		jnz	loc_5D4FE9
		mov	[ecx+4], edx

loc_4FE570:				; CODE XREF: RtlRbReplaceNode+31j
					; RtlRbReplaceNode+83j	...
		mov	esi, [edx+4]
		test	esi, esi
		jnz	short loc_4FE59B

loc_4FE577:				; CODE XREF: RtlRbReplaceNode+76j
		mov	eax, [edx+8]
		and	eax, 0FFFFFFFCh
		jnz	short loc_4FE58E
		test	byte ptr [ecx+4], 1
		jnz	short loc_4FE5B5
		mov	[ecx], edx

loc_4FE587:				; CODE XREF: RtlRbReplaceNode+64j
					; RtlRbReplaceNode+69j	...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_4FE58E:				; CODE XREF: RtlRbReplaceNode+4Dj
		cmp	[eax], ebx
		jnz	short loc_4FE596
		mov	[eax], edx
		jmp	short loc_4FE587
; 

loc_4FE596:				; CODE XREF: RtlRbReplaceNode+60j
		mov	[eax+4], edx
		jmp	short loc_4FE587
; 

loc_4FE59B:				; CODE XREF: RtlRbReplaceNode+45j
		mov	eax, [esi+8]
		and	eax, 3
		or	eax, edx
		mov	[esi+8], eax
		jmp	short loc_4FE577
; 

loc_4FE5A8:				; CODE XREF: RtlRbReplaceNode+1Cj
		mov	eax, [esi+8]
		and	eax, 3
		or	eax, edx
		mov	[esi+8], eax
		jmp	short loc_4FE570
; 

loc_4FE5B5:				; CODE XREF: RtlRbReplaceNode+53j
		mov	eax, ecx
		xor	eax, edx
		mov	[ecx], eax
		jmp	short loc_4FE587
RtlRbReplaceNode endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 301. EtwWriteTransfer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwWriteTransfer(x,	x, x, x, x, x, x)
		public _EtwWriteTransfer@28
_EtwWriteTransfer@28 proc near		; CODE XREF: FlushEventEntry+40p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_18]
		xor	eax, eax
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	EtwWriteEx
		pop	ebp
		retn	1Ch
_EtwWriteTransfer@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPteNeedsCommitCharge(x, x)
_MiPteNeedsCommitCharge@8 proc near	; CODE XREF: MiCountSharedPages(x,x,x)+1F5p
					; MiCountSharedPages(x,x,x)+258p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+1Ch]
		mov	eax, esi
		and	al, 70h
		cmp	al, 20h
		jz	short loc_4FE618

loc_4FE603:				; CODE XREF: MiPteNeedsCommitCharge(x,x)+3Aj
					; MiPteNeedsCommitCharge(x,x)+55j
		mov	eax, [edi+1Ch]
		mov	ecx, 280h
		and	eax, ecx
		cmp	eax, ecx

loc_4FE60F:				; CODE XREF: MiPteNeedsCommitCharge(x,x)+5Ej
		jz	short loc_4FE64A
		xor	eax, eax
		inc	eax

loc_4FE614:				; CODE XREF: MiPteNeedsCommitCharge(x,x)+62j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_4FE618:				; CODE XREF: MiPteNeedsCommitCharge(x,x)+17j
		and	esi, 0F80h
		cmp	esi, 80h
		jz	short loc_4FE603
		lea	eax, [ebp+var_4]
		shr	edx, 3
		push	eax
		push	4
		and	edx, 0FFFFFh
		call	MiGetProtoPteAddress
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_4FE603
		mov	al, [eax+10h]
		and	al, 0Ah
		cmp	al, 0Ah
		jmp	short loc_4FE60F
; 

loc_4FE64A:				; CODE XREF: MiPteNeedsCommitCharge(x,x):loc_4FE60Fj
		xor	eax, eax
		jmp	short loc_4FE614
_MiPteNeedsCommitCharge@8 endp


;  S U B	R O U T	I N E 


KiReduceByEffectiveIdleSmtSet proc near	; CODE XREF: KiChooseTargetProcessor+1BDp
					; KiTryLocalThreadSchedule+F8p	...

; FUNCTION CHUNK AT 005A8375 SIZE 00000044 BYTES

		mov	eax, [ecx+338h]
		push	ebx
		push	esi
		mov	ebx, edx
		mov	edx, [eax+0Ch]
		mov	esi, [ecx+3C8h]
		not	esi
		and	esi, [ecx+402Ch]
		mov	eax, [ebx]
		and	eax, esi
		jnz	short loc_4FE674

loc_4FE66F:				; CODE XREF: KiReduceByEffectiveIdleSmtSet+2Aj
					; KiReduceByEffectiveIdleSmtSet+33j ...
		xor	al, al

loc_4FE671:				; CODE XREF: KiReduceByEffectiveIdleSmtSet+A9D66j
		pop	esi
		pop	ebx
		retn
; 

loc_4FE674:				; CODE XREF: KiReduceByEffectiveIdleSmtSet+1Fj
		and	eax, edx
		cmp	eax, esi
		jnz	short loc_4FE66F
		test	byte ptr [ecx+223Ch], 1
		jnz	short loc_4FE66F
		jmp	loc_5A8375
KiReduceByEffectiveIdleSmtSet endp


;  S U B	R O U T	I N E 


; __stdcall ExReleaseExtensionTable(x)
_ExReleaseExtensionTable@4 proc	near	; CODE XREF: BCryptEncrypt(x,x,x,x,x,x,x,x,x,x)+45p
					; VmpPrefetchVirtualAddresses(x,x,x)+1CCp ...
		add	ecx, 24h
		jmp	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
_ExReleaseExtensionTable@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExGetExtensionTable(x)
_ExGetExtensionTable@4 proc near	; CODE XREF: IopIoRateStartRateControl+4Ep
					; IoStopIoRateControl(x)+Bp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_4FE6AA
		lea	ecx, [esi+24h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_4FE6AA
		mov	eax, [esi+2Ch]
		pop	esi
		retn
; 

loc_4FE6AA:				; CODE XREF: ExGetExtensionTable(x)+7j
					; ExGetExtensionTable(x)+13j
		xor	eax, eax
		pop	esi
		retn
_ExGetExtensionTable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiResumeClockTimer proc	near		; CODE XREF: KeResumeClockTimer()+3p
					; KeResumeClockTimerSafe()+20p	...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_2C		= byte ptr  34h
arg_2D		= byte ptr  35h
arg_2E		= dword	ptr  36h
arg_32		= word ptr  3Ah
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h
arg_40		= dword	ptr  48h
arg_44		= dword	ptr  4Ch
arg_48		= dword	ptr  50h
arg_4C		= dword	ptr  54h
arg_50		= dword	ptr  58h

; FUNCTION CHUNK AT 004FE737 SIZE 00000028 BYTES
; FUNCTION CHUNK AT 005D4FF9 SIZE 000000B5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		xor	eax, eax
		push	ebx
		mov	bl, al
		mov	[esp+58h+var_48], eax
		mov	[esp+58h+var_44], eax
		mov	[esp+58h+var_50], eax
		mov	[esp+58h+var_4C], eax
		mov	eax, large fs:20h
		mov	ecx, ds:_KiClockState
		push	esi
		push	edi
		mov	eax, [eax+3CCh]
		mov	byte ptr [esp+60h+var_54], bl
		mov	[esp+60h+var_3C], ecx
		cmp	eax, _KiClockTimerOwner
		jnz	short loc_4FE705
		mov	bl, 1
		mov	byte ptr [esp+60h+var_54], bl
		jmp	short loc_4FE70D
; 

loc_4FE705:				; CODE XREF: KiResumeClockTimer+4Dj
		cmp	ds:_KiClockTimerPerCpu,	bl
		jz	short loc_4FE725

loc_4FE70D:				; CODE XREF: KiResumeClockTimer+55j
		call	off_6B1388	; SymCryptFatalIntercept(x)
		push	[esp+60h+var_54]
		call	off_6B1384	; KeSetDmaIoCoherency(x)
		test	bl, bl
		jnz	loc_5D4FF9

loc_4FE725:				; CODE XREF: KiResumeClockTimer+5Dj
					; KiResumeClockTimer+AFj
		mov	ecx, [esp+64h+var_8]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
KiResumeClockTimer endp

; 
; START	OF FUNCTION CHUNK FOR KiResumeClockTimer

loc_4FE737:				; CODE XREF: KiResumeClockTimer+D6981j
					; KiResumeClockTimer+D6990j
		test	ds:dword_70EFC8, 100000h
		jnz	loc_5D5043

loc_4FE747:				; CODE XREF: KiResumeClockTimer+D69FBj
		mov	eax, ds:_KeTimeIncrement
		xor	ecx, ecx
		add	eax, esi
		mov	_KiClockTimerNextTickTime, eax
		adc	ecx, edi
		mov	dword_6CABA4, ecx
		jmp	short loc_4FE725
; END OF FUNCTION CHUNK	FOR KiResumeClockTimer
; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1149. KeGetClockOwner

;  S U B	R O U T	I N E 


; __stdcall KeGetClockOwner()
		public _KeGetClockOwner@0
_KeGetClockOwner@0 proc	near
		mov	eax, _KiClockTimerOwner
		retn
_KeGetClockOwner@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetClockIntervalOneShot(x, x, x, x)
_KiSetClockIntervalOneShot@16 proc near	; CODE XREF: KiCheckForTimerExpiration+3B9p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	_KiClockOwnerOneShotRequest, edi
		mov	dword_6CADF4, esi
		call	_KiSetClockIntervalToMinimumRequested@0	; KiSetClockIntervalToMinimumRequested()
		push	1
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	esi
		push	edi
		call	_KiGetClockIntervalOneShot@16 ;	KiGetClockIntervalOneShot(x,x,x,x)
		mov	edx, 534F5248h
		mov	ecx, eax
		call	PoTraceSystemTimerResolutionKernel
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_KiSetClockIntervalOneShot@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoTraceSystemTimerResolutionKernel proc	near
					; CODE XREF: KiSetClockIntervalOneShot(x,x,x,x)+34p
					; KiSetClockInterval+177F3Fp ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005D50AE SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_0], 0
		push	esi
		mov	[ebp+var_2C], edx
		mov	esi, offset _POP_ETW_EVENT_KERNEL_STRS_INTERNAL
		mov	[ebp+var_28], ecx
		jz	short loc_4FE806

loc_4FE7CE:				; CODE XREF: PoTraceSystemTimerResolutionKernel+61j
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_4FE7F7
		push	ebx
		mov	ebx, _PopDiagHandle
		push	edi
		mov	edi, dword_6C1D74
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5D50AE

loc_4FE7F5:				; CODE XREF: PoTraceSystemTimerResolutionKernel+D6936j
		pop	edi
		pop	ebx

loc_4FE7F7:				; CODE XREF: PoTraceSystemTimerResolutionKernel+2Bj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_4FE806:				; CODE XREF: PoTraceSystemTimerResolutionKernel+22j
		mov	esi, offset _POP_ETW_EVENT_KERNEL_STRS
		jmp	short loc_4FE7CE
PoTraceSystemTimerResolutionKernel endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetClockIntervalToMinimumRequested()
_KiSetClockIntervalToMinimumRequested@0	proc near ; CODE XREF: KiSetClockInterval+8Dp
					; KeClockInterruptNotify+269p ...

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, dword_6FB70C
		sub	esp, 10h
		push	ebx
		xor	ebx, ebx
		push	esi
		test	cl, 1
		jnz	short loc_4FE892
		mov	eax, ecx

loc_4FE827:				; CODE XREF: KiSetClockIntervalToMinimumRequested()+8Bj
					; KiSetClockIntervalToMinimumRequested()+9Aj
		mov	esi, [eax+10h]
		mov	cl, bl
		push	edi
		mov	edi, _KiClockOwnerOneShotRequest
		mov	eax, edi
		mov	edx, dword_6CADF4
		or	eax, edx
		mov	[ebp+var_1], cl
		mov	[ebp+var_8], edx
		jz	short loc_4FE867
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		lea	ecx, [ebp+var_10]
		mov	bl, al
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		push	edx
		push	eax
		push	[ebp+var_8]
		push	edi
		call	_KiGetClockIntervalOneShot@16 ;	KiGetClockIntervalOneShot(x,x,x,x)
		cmp	eax, esi
		jnb	short loc_4FE8B4
		mov	esi, eax
		mov	cl, 1

loc_4FE867:				; CODE XREF: KiSetClockIntervalToMinimumRequested()+35j
					; KiSetClockIntervalToMinimumRequested()+A9j
		cmp	_KiClockOwnerOneShotRequestState, 2
		pop	edi
		jz	short loc_4FE881
		cmp	esi, _KiLastRequestedTimeIncrement
		jz	short loc_4FE8AD
		cmp	esi, ds:_KeTimeIncrement
		jz	short loc_4FE8AD

loc_4FE881:				; CODE XREF: KiSetClockIntervalToMinimumRequested()+61j
		mov	dl, cl
		mov	ecx, esi
		call	KiSetClockTickRate

loc_4FE88A:				; CODE XREF: KiSetClockIntervalToMinimumRequested()+A4j
		pop	esi
		test	bl, bl
		pop	ebx
		jnz	short loc_4FE89B
		leave
		retn
; 

loc_4FE892:				; CODE XREF: KiSetClockIntervalToMinimumRequested()+15j
		cmp	ecx, 1
		jnz	short loc_4FE89E
		mov	eax, ebx
		jmp	short loc_4FE827
; 

loc_4FE89B:				; CODE XREF: KiSetClockIntervalToMinimumRequested()+80j
		sti
		leave
		retn
; 

loc_4FE89E:				; CODE XREF: KiSetClockIntervalToMinimumRequested()+87j
		mov	eax, offset _KiClockIntervalRequests
		or	eax, 1
		xor	eax, ecx
		jmp	loc_4FE827
; 

loc_4FE8AD:				; CODE XREF: KiSetClockIntervalToMinimumRequested()+69j
					; KiSetClockIntervalToMinimumRequested()+71j
		mov	eax, ds:_KeTimeIncrement
		jmp	short loc_4FE88A
; 

loc_4FE8B4:				; CODE XREF: KiSetClockIntervalToMinimumRequested()+53j
		mov	cl, [ebp+var_1]
		jmp	short loc_4FE867
_KiSetClockIntervalToMinimumRequested@0	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSetClockTickRate proc	near		; CODE XREF: KiSetClockIntervalToMinimumRequested()+77p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_1B		= byte ptr -1Bh
var_1A		= dword	ptr -1Ah
var_16		= word ptr -16h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D50E5 SIZE 00000093 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, ds:_KiClockState
		mov	al, dl
		push	esi
		mov	esi, ecx
		mov	[ebp+var_2D], al
		xor	ecx, ecx
		mov	[ebp+var_44], esi
		push	edi
		test	al, al
		mov	[ebp+var_38], ecx
		lea	eax, [ebp+var_38]
		mov	[ebp+var_34], ecx
		push	eax
		push	ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ecx
		mov	_KiLastRequestedTimeIncrement, esi
		push	esi
		jz	loc_4FE9E3
		push	1
		call	off_6B1390	; ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
		xor	eax, eax
		inc	eax

loc_4FE90C:				; CODE XREF: KiSetClockTickRate+132j
		mov	cl, 1
		mov	_KiClockOwnerOneShotRequestState, eax
		call	KiSetPendingTick
		cmp	ebx, 2
		jz	loc_5D50E5

loc_4FE921:				; CODE XREF: KiSetClockTickRate+D6834j
		test	ds:dword_70EFC8, 100000h
		jnz	loc_5D50F3

loc_4FE931:				; CODE XREF: KiSetClockTickRate+D6889j
		mov	eax, [ebp+var_38]
		and	[ebp+var_3C], 0
		mov	ds:_KeTimeIncrement, eax
		mov	edi, ds:0FFDF000Ch
		mov	ebx, ds:0FFDF0008h
		cmp	edi, ds:0FFDF0010h
		jnz	loc_5D5148

loc_4FE955:				; CODE XREF: KiSetClockTickRate+D68AEj
		mov	edx, ds:_KeTimeIncrement
		xor	ecx, ecx
		mov	eax, edx
		add	eax, ebx
		mov	_KiClockTimerNextTickTime, eax
		adc	ecx, edi
		mov	dword_6CABA4, ecx
		cmp	edx, dword_6CAB74
		jb	short loc_4FE9F1

loc_4FE976:				; CODE XREF: KiSetClockTickRate+13Dj
		cmp	edx, dword_6CAB70
		ja	loc_5D516D

loc_4FE982:				; CODE XREF: KiSetClockTickRate+D68B9j
		cmp	esi, dword_6CAB7C
		jb	short loc_4FE9FC

loc_4FE98A:				; CODE XREF: KiSetClockTickRate+148j
		cmp	esi, dword_6CAB78
		ja	short loc_4FEA04

loc_4FE992:				; CODE XREF: KiSetClockTickRate+150j
		mov	eax, _KiClockIncrementTraceCount
		mov	esi, eax
		shl	esi, 5
		add	esi, offset _KiClockIncrementTrace
		inc	eax
		and	eax, 0Fh
		mov	_KiClockIncrementTraceCount, eax
		mov	eax, _KiLastRequestedTimeIncrement
		push	0
		mov	[esi], edx
		mov	[esi+4], eax
		mov	[esi+8], ebx
		mov	[esi+0Ch], edi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, [ebp+var_4]
		mov	[esi+10h], eax
		xor	ecx, ebp
		mov	al, [ebp+var_2D]
		pop	edi
		mov	[esi+18h], al
		mov	eax, ds:_KeTimeIncrement
		mov	[esi+14h], edx
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_4FE9E3:				; CODE XREF: KiSetClockTickRate+41j
		push	ecx
		call	off_6B1390	; ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
		xor	eax, eax
		jmp	loc_4FE90C
; 

loc_4FE9F1:				; CODE XREF: KiSetClockTickRate+BAj
		mov	dword_6CAB74, edx
		jmp	loc_4FE976
; 

loc_4FE9FC:				; CODE XREF: KiSetClockTickRate+CEj
		mov	dword_6CAB7C, esi
		jmp	short loc_4FE98A
; 

loc_4FEA04:				; CODE XREF: KiSetClockTickRate+D6j
		mov	dword_6CAB78, esi
		jmp	short loc_4FE992
KiSetClockTickRate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiRestoreClockTickRate proc near	; CODE XREF: KeClockInterruptNotify+215p
					; KeResumeClockTimerFromIdle+297p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D5178 SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_KiClockOwnerOneShotRequestState, 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jnz	loc_5D5178
		mov	eax, _KiLastRequestedTimeIncrement
		xor	ecx, ecx
		push	edi
		push	ecx
		push	eax
		mov	[esi+4], ecx
		push	ecx

loc_4FEA32:				; CODE XREF: KiRestoreClockTickRate+D678Ej
		mov	[esi], eax
		call	off_6B1390	; ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
		mov	cl, 1
		call	KiSetPendingTick
		pop	edi
		pop	esi
		pop	ebp
		retn	8
KiRestoreClockTickRate endp ; sp = -10h

; 
		align 4

;  S U B	R O U T	I N E 


KiSetPendingTick proc near		; CODE XREF: KeResumeClockTimerFromIdle+375p
					; KiSetClockTickRate+59p ...

; FUNCTION CHUNK AT 005D519F SIZE 0000001E BYTES

		mov	edi, edi
		push	ebx
		mov	bl, cl
		and	bl, 1
		cmp	ds:_KiClockTimerPerCpu,	0
		jz	loc_5D519F
		mov	edx, large fs:20h
		mov	al, [edx+3D1h]
		and	al, 0FEh
		or	al, bl
		mov	[edx+3D1h], al
		pop	ebx
		retn
KiSetPendingTick endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGetClockIntervalOneShot(x, x, x, x)
_KiGetClockIntervalOneShot@16 proc near	; CODE XREF: KiSetClockIntervalOneShot(x,x,x,x)+28p
					; KiSetClockIntervalToMinimumRequested()+4Cp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ds:_KeMinimumIncrement
		xor	eax, eax
		mov	ecx, esi
		add	ecx, [ebp+arg_8]
		adc	eax, [ebp+arg_C]
		cmp	[ebp+arg_4], eax
		mov	eax, [ebp+arg_0]
		ja	short loc_4FEA9A
		jb	short loc_4FEAA9
		cmp	eax, ecx
		jbe	short loc_4FEAA9

loc_4FEA9A:				; CODE XREF: KiGetClockIntervalOneShot(x,x,x,x)+1Cj
		mov	ecx, esi
		dec	eax
		sub	ecx, [ebp+arg_8]
		xor	edx, edx
		add	eax, ecx
		div	esi
		imul	esi, eax

loc_4FEAA9:				; CODE XREF: KiGetClockIntervalOneShot(x,x,x,x)+1Ej
					; KiGetClockIntervalOneShot(x,x,x,x)+22j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
_KiGetClockIntervalOneShot@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDirtySystemCachePte(x, x,	x, x)
_MiDirtySystemCachePte@16 proc near	; CODE XREF: .text:0047C35Bp

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		mov	eax, esi
		xor	ecx, ecx
		and	eax, 42h
		mov	[ebp+var_1], cl
		or	eax, ecx
		push	edi
		mov	edi, edx
		jnz	short loc_4FEB2D
		and	esi, 800h
		or	esi, ecx
		jz	short loc_4FEB2D
		lea	eax, [ebp-1]
		mov	ecx, ebx
		push	eax
		call	_MiLockWorkingSetOptimal@12 ; MiLockWorkingSetOptimal(x,x,x)
		mov	edx, [edi]
		mov	esi, eax
		nop
		mov	eax, [edi+4]
		mov	ecx, edx
		and	ecx, 1
		mov	[ebp+arg_4], eax
		or	ecx, 0
		jz	short loc_4FEB1A
		mov	eax, edx
		and	eax, 42h
		or	eax, 0
		jnz	short loc_4FEB1A
		mov	eax, edx
		and	eax, 800h
		or	eax, 0
		jz	short loc_4FEB1A
		or	edx, 62h
		nop
		mov	eax, [ebp+arg_4]
		mov	[edi], edx
		mov	[edi+4], eax

loc_4FEB1A:				; CODE XREF: MiDirtySystemCachePte(x,x,x,x)+46j
					; MiDirtySystemCachePte(x,x,x,x)+50j ...
		mov	edx, esi
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared

loc_4FEB2D:				; CODE XREF: MiDirtySystemCachePte(x,x,x,x)+1Cj
					; MiDirtySystemCachePte(x,x,x,x)+26j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiDirtySystemCachePte@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiIsLowestPageTablePage(x)
_MiIsLowestPageTablePage@4 proc	near	; CODE XREF: .text:004B8F8Bp
		mov	al, [ecx+16h]
		and	al, 7
		cmp	al, 6
		jnz	short loc_4FEB6F
		test	dword ptr [ecx+10h], 3FFFFFFFh
		jz	short loc_4FEB6F
		mov	ecx, [ecx+4]
		mov	edx, offset loc_7FFFFF
		or	ecx, 80000000h
		lea	eax, [ecx+40000000h]
		cmp	eax, edx
		ja	short loc_4FEB6F
		shl	ecx, 9
		lea	eax, [ecx+40000000h]
		cmp	eax, edx
		ja	short loc_4FEB6F
		xor	eax, eax
		inc	eax
		retn
; 

loc_4FEB6F:				; CODE XREF: MiIsLowestPageTablePage(x)+7j
					; MiIsLowestPageTablePage(x)+10j ...
		xor	eax, eax
		retn
_MiIsLowestPageTablePage@4 endp


;  S U B	R O U T	I N E 


KiEspToTrapFrame proc near		; CODE XREF: KiDispatchException+54Fp
					; KiSetupForInstrumentationReturn+167DAEp ...

; FUNCTION CHUNK AT 005D51BD SIZE 00000042 BYTES

		mov	edi, edi
		push	ebx
		call	KiEspFromTrapFrame
		mov	ebx, [ecx+6Ch]
		test	bl, 1
		jz	loc_5D51BD

loc_4FEB86:				; CODE XREF: KiEspToTrapFrame+D6652j
		mov	[ecx+74h], edx

loc_4FEB89:				; CODE XREF: KiEspToTrapFrame+D6672j
		pop	ebx
		retn
KiEspToTrapFrame endp

; 
		align 4

;  S U B	R O U T	I N E 


KiEspFromTrapFrame proc	near		; CODE XREF: KiEspToTrapFrame+3p
					; KiSetupForInstrumentationReturn+167D7Fp ...

; FUNCTION CHUNK AT 005D51FF SIZE 0000001C BYTES

		mov	eax, [ecx+6Ch]
		test	al, 1
		jz	loc_5D51FF

loc_4FEB97:				; CODE XREF: KiEspFromTrapFrame+D667Aj
		mov	eax, [ecx+74h]
		retn
KiEspFromTrapFrame endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiQueryStateMatches(x, x, x, x, x)
_MiQueryStateMatches@20	proc near	; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+513p
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+8C1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	edx, [ecx+10h]
		jnz	short loc_4FEBC5
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_4FEBB9

loc_4FEBAD:				; CODE XREF: MiQueryStateMatches(x,x,x,x,x)+27j
		cmp	eax, [ecx+14h]
		jnz	short loc_4FEBC5
		xor	eax, eax
		inc	eax

loc_4FEBB5:				; CODE XREF: MiQueryStateMatches(x,x,x,x,x)+2Bj
		pop	ebp
		retn	0Ch
; 

loc_4FEBB9:				; CODE XREF: MiQueryStateMatches(x,x,x,x,x)+Fj
		mov	eax, ds:_MmProtectToValue[eax*4]
		or	eax, [ebp+arg_4]
		jmp	short loc_4FEBAD
; 

loc_4FEBC5:				; CODE XREF: MiQueryStateMatches(x,x,x,x,x)+8j
					; MiQueryStateMatches(x,x,x,x,x)+14j
		xor	eax, eax
		jmp	short loc_4FEBB5
_MiQueryStateMatches@20	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 341. ExDeletePagedLookasideList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExDeletePagedLookasideList(x)
		public _ExDeletePagedLookasideList@4
_ExDeletePagedLookasideList@4 proc near	; CODE XREF: FsRtlDeleteExtraCreateParameterLookasideList(x,x)+Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, offset _ExPagedLookasideLock
		call	ExpRemoveGeneralLookaside
		mov	ecx, [ebp+arg_0]
		call	_ExpFlushGeneralLookaside@8 ; ExpFlushGeneralLookaside(x,x)
		pop	ebp
		retn	4
_ExDeletePagedLookasideList@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExpFlushGeneralLookaside(x,	x)
_ExpFlushGeneralLookaside@8 proc near	; CODE XREF: ExDeletePagedLookasideList(x)+15p
					; ExDeleteNPagedLookasideList(x)+15p
		mov	edi, edi
		push	edi
		mov	edi, ecx
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		test	eax, eax
		jz	short loc_4FEC08
		push	esi

loc_4FEBFB:				; CODE XREF: ExpFlushGeneralLookaside(x,x)+19j
		mov	esi, [eax]
		push	eax
		call	dword ptr [edi+2Ch]
		mov	eax, esi
		test	esi, esi
		jnz	short loc_4FEBFB
		pop	esi

loc_4FEC08:				; CODE XREF: ExpFlushGeneralLookaside(x,x)+Cj
		xor	eax, eax
		pop	edi
		retn
_ExpFlushGeneralLookaside@8 endp ; sp =	-4

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 339. ExDeleteLookasideListEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExDeleteLookasideListEx(x)
		public _ExDeleteLookasideListEx@4
_ExDeleteLookasideListEx@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, offset _ExNPagedLookasideLock
		test	byte ptr [esi+1Ch], 1
		jz	short loc_4FEC2B
		mov	ecx, offset _ExPagedLookasideLock

loc_4FEC2B:				; CODE XREF: ExDeleteLookasideListEx(x)+12j
		mov	edx, esi
		call	ExpRemoveGeneralLookaside
		push	esi
		call	_ExFlushLookasideListEx@4 ; ExFlushLookasideListEx(x)
		pop	esi
		pop	ebp
		retn	4
_ExDeleteLookasideListEx@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 357. ExFlushLookasideListEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExFlushLookasideListEx(x)
		public _ExFlushLookasideListEx@4
_ExFlushLookasideListEx@4 proc near	; CODE XREF: ExDeleteLookasideListEx(x)+21p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		test	eax, eax
		jz	short loc_4FEC65
		push	esi

loc_4FEC57:				; CODE XREF: ExFlushLookasideListEx(x)+20j
		mov	esi, [eax]
		push	edi
		push	eax
		call	dword ptr [edi+2Ch]
		mov	eax, esi
		test	esi, esi
		jnz	short loc_4FEC57
		pop	esi

loc_4FEC65:				; CODE XREF: ExFlushLookasideListEx(x)+12j
		pop	edi
		pop	ebp
		retn	4
_ExFlushLookasideListEx@4 endp ; sp = -8


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExFreePoolEx(x, x)
_ExFreePoolEx@8	proc near		; DATA XREF: ExInitializeLookasideListExInternal+EDo
					; ViLookasideTrackListEx(x,x)+Do

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	ecx, [ebp+arg_0]
		call	ExFreeHeapPool
		mov	esp, ebp
		pop	ebp
		retn	8
_ExFreePoolEx@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpRemoveGeneralLookaside proc near	; CODE XREF: ExDeletePagedLookasideList(x)+Dp
					; ExDeleteLookasideListEx(x)+1Bp ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D521B SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	esi, [ebx+30h]
		mov	ecx, [esi]
		mov	edx, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_4FECE0
		cmp	[edx], esi
		jnz	short loc_4FECE0
		mov	[edx], ecx
		mov	[ecx+4], edx
		test	ds:byte_70EFC6,	1
		jnz	loc_5D521B
		xor	eax, eax
		lock and [edi],	eax

loc_4FECC5:				; CODE XREF: ExpRemoveGeneralLookaside+D65A5j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		mov	[ebx+8], ax
		mov	eax, ds:_MmBadPointer
		pop	edi
		mov	[esi], eax
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4FECE0:				; CODE XREF: ExpRemoveGeneralLookaside+28j
					; ExpRemoveGeneralLookaside+2Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

MiExtendPageFilesIfNecessary:		; CODE XREF: MiChargeCommit+18Ep
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	eax, esi
		xor	edx, edx
		push	0Ah
		pop	ecx
		div	ecx
		mov	edx, eax
		imul	eax, edx, 9
		cmp	edi, eax
		jnb	loc_5D522A

loc_4FED0B:				; CODE XREF: ExpRemoveGeneralLookaside+D65B7j
					; ExpRemoveGeneralLookaside:loc_5D523Fj ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
ExpRemoveGeneralLookaside endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MI_PAGEFILE_WRITE(x, x, x, x, x)
_MI_PAGEFILE_WRITE@20 proc near		; CODE XREF: MiGatherPagefilePages+49Ap
					; MiWriteComplete+437p

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+54h]
		mov	ecx, [eax+90h]
		xor	eax, eax
		inc	eax
		lock xadd [ecx+113Ch], eax
		inc	eax
		and	eax, 1Fh
		imul	edi, eax, 50h
		mov	eax, [ebp+arg_8]
		cmp	[ebp+arg_4], 0
		push	8
		mov	[edi+ecx+1140h], eax
		mov	eax, large fs:124h
		mov	al, [eax+87h]
		mov	[edi+ecx+1146h], al
		mov	al, [ebp+arg_0]
		mov	[edi+ecx+1147h], al
		setnz	al
		mov	[edi+ecx+1148h], al
		sub	esi, 0FFFFFF80h
		mov	eax, [edx]
		mov	[edi+ecx+1150h], eax
		mov	eax, [edx+4]
		mov	[edi+ecx+1154h], eax
		mov	ax, [ecx]
		mov	[edi+ecx+1144h], ax
		mov	eax, [ecx+0FC0h]
		mov	[edi+ecx+1158h], eax
		mov	eax, [ecx+10C0h]
		mov	[edi+ecx+115Ch], eax
		mov	eax, [ecx+1118h]
		mov	[edi+ecx+1160h], eax
		mov	eax, [ecx+1100h]
		mov	[edi+ecx+1164h], eax
		mov	eax, [ecx+700h]
		mov	[edi+ecx+1168h], eax
		add	ecx, 116Ch
		add	edi, ecx
		pop	ecx
		rep movsd
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_MI_PAGEFILE_WRITE@20 endp


;  S U B	R O U T	I N E 


; __stdcall SepReleaseOrderedReadLocks(x, x)
_SepReleaseOrderedReadLocks@8 proc near	; CODE XREF: NtCompareTokens+1FCp
		mov	ecx, [ecx+30h]
		push	esi
		mov	esi, edx
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_SepReleaseOrderedReadLocks@8 endp


;  S U B	R O U T	I N E 


; __stdcall SepAcquireOrderedReadLocks(x, x)
_SepAcquireOrderedReadLocks@8 proc near	; CODE XREF: SepIsSiblingTokenByPointer+83p
					; NtCompareTokens+B3p ...
		mov	edi, edi
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		cmp	edi, esi
		jnb	short loc_4FEE40
		push	dword ptr [edi+30h]
		call	ExAcquireResourceSharedLite
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [esi+30h]

loc_4FEE34:				; CODE XREF: SepAcquireOrderedReadLocks(x,x)+5Bj
		push	1
		push	eax
		call	ExAcquireResourceSharedLite
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_4FEE40:				; CODE XREF: SepAcquireOrderedReadLocks(x,x)+1Bj
		push	dword ptr [esi+30h]
		call	ExAcquireResourceSharedLite
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [edi+30h]
		jmp	short loc_4FEE34
_SepAcquireOrderedReadLocks@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcAmILowPriorityWriter proc near	; CODE XREF: .text:004ACD51p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D5284 SIZE 0000004A BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		mov	byte ptr [ebp+var_4+3],	0
		call	CcGetPartition
		mov	esi, eax
		xor	edx, edx
		lea	eax, [esi+280h]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		cmp	[esi+270h], eax
		jnz	short loc_4FEEA7
		mov	byte ptr [ebp+var_4+3],	1

loc_4FEEA7:				; CODE XREF: CcAmILowPriorityWriter+45j
		or	edx, 0FFFFFFFFh
		lea	ecx, [esi+280h]
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_4FEFF8

loc_4FEEC3:				; CODE XREF: CcAmILowPriorityWriter+1A4j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_4FEFC5
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_4FEF00
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_4FEFD1

loc_4FEF00:				; CODE XREF: CcAmILowPriorityWriter+95j
		cmp	ecx, [ebp+var_20]
		jb	short loc_4FEF12
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_4FEFD1

loc_4FEF12:				; CODE XREF: CcAmILowPriorityWriter+A7j
					; CcAmILowPriorityWriter+188j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+2],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_4FEFE9
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_4FF005

loc_4FEF53:				; CODE XREF: CcAmILowPriorityWriter+1B1j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		cmp	byte ptr [ebp+var_4+2],	1
		mov	ecx, eax
		jnz	loc_5D5298
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_4FEF9F:				; CODE XREF: CcAmILowPriorityWriter+195j
					; CcAmILowPriorityWriter+D644Cj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	short loc_4FF019

loc_4FEFB2:				; CODE XREF: CcAmILowPriorityWriter+1F6j
					; CcAmILowPriorityWriter+D646Dj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_4FEFC5
		nop
		lea	ecx, [esi+70h]
		cmp	[ecx], ecx
		jnz	short loc_4FF012

loc_4FEFC5:				; CODE XREF: CcAmILowPriorityWriter+72j
					; CcAmILowPriorityWriter+15Fj ...
		mov	al, byte ptr [ebp+var_4+3]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_4FEFD1:				; CODE XREF: CcAmILowPriorityWriter+9Ej
					; CcAmILowPriorityWriter+B0j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax
		jmp	loc_4FEF12
; 

loc_4FEFE9:				; CODE XREF: CcAmILowPriorityWriter+DFj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_4FEF9F
		jmp	loc_5D5284
; 

loc_4FEFF8:				; CODE XREF: CcAmILowPriorityWriter+61j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_4FEEC3
; 

loc_4FF005:				; CODE XREF: CcAmILowPriorityWriter+F1j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_4FEF53
; 

loc_4FF012:				; CODE XREF: CcAmILowPriorityWriter+167j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_4FEFC5
; 

loc_4FF019:				; CODE XREF: CcAmILowPriorityWriter+154j
		test	edi, 8000h
		jz	short loc_4FF02A
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_4FF02A:				; CODE XREF: CcAmILowPriorityWriter+1C3j
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5D52AD

loc_4FF034:				; CODE XREF: CcAmILowPriorityWriter+D645Bj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_4FF048
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_4FF048:				; CODE XREF: CcAmILowPriorityWriter+1DFj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4FEFB2
		jmp	loc_5D52BC
CcAmILowPriorityWriter endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiImageUnused	proc near		; CODE XREF: MiCheckControlArea+1D3p
					; MiRelocateImageAgain+151A9Dp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D52CE SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		xor	eax, eax
		mov	edx, [ebp+arg_0]
		mov	esi, ecx
		mov	edi, edx
		stosd
		stosd
		stosd
		stosd
		mov	eax, [esi+38h]
		or	dword ptr [edx], 0FFFFFFFFh
		cmp	dword ptr [eax+10h], 0
		jz	short loc_4FF0A7
		lea	edi, [esi+24h]
		cmp	ebx, 1
		jnz	loc_5D52CE
		mov	bl, 21h

loc_4FF08F:				; CODE XREF: MiImageUnused+D627Bj
		mov	eax, [esi+30h]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_4FF0AE

loc_4FF097:				; CODE XREF: MiImageUnused+74j
		and	dword ptr [esi+34h], 0FFBFFFFFh
		cmp	bl, 21h
		jnz	loc_5D52DE

loc_4FF0A7:				; CODE XREF: MiImageUnused+21j
					; MiImageUnused+D628Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_4FF0AE:				; CODE XREF: MiImageUnused+37j
		mov	ecx, [esi+34h]
		mov	[edx], eax
		movzx	eax, cx
		mov	[edx+4], eax
		mov	eax, ecx
		shr	eax, 14h
		and	eax, 3
		mov	[edx+0Ch], eax
		mov	eax, [esi+1Ch]
		test	eax, 10000000h
		jnz	short loc_4FF0D4

loc_4FF0CE:				; CODE XREF: MiImageUnused+8Bj
		or	dword ptr [esi+30h], 0FFFFFFFFh
		jmp	short loc_4FF097
; 

loc_4FF0D4:				; CODE XREF: MiImageUnused+6Ej
		and	eax, 0EFFFFFFFh
		shr	ecx, 10h
		and	cl, 1
		mov	[esi+1Ch], eax
		mov	[edx+9], cl
		mov	byte ptr [edx+8], 1
		jmp	short loc_4FF0CE
MiImageUnused	endp

; 
		align 10h
; Exported entry 1187. KeInsertQueue

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeInsertQueue
KeInsertQueue	proc near		; CODE XREF: FsRtlpPostStackOverflow(x,x,x,x)+74p
					; IopPassiveInterruptDpc(x,x,x,x)+11p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D52F1 SIZE 00000080 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	ebx, [esi+8]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, [ebp+arg_4]
		mov	byte ptr [ebp+var_8], al
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+arg_0], eax
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		jnz	loc_5D52F1

loc_4FF12B:				; CODE XREF: KeInsertQueue+D6216j
		mov	ecx, esi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	eax, [esi+4]
		mov	[ebp+arg_4], eax
		cmp	[ebx], ebx
		jz	short loc_4FF187
		mov	eax, [esi+18h]
		cmp	eax, [esi+1Ch]
		jnb	short loc_4FF187
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+0A4h]
		cmp	eax, esi
		jz	loc_5D530B

loc_4FF155:				; CODE XREF: KeInsertQueue+D6228j
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		push	edi
		call	KiWakeQueueWaiter
		test	al, al
		jz	short loc_4FF187

loc_4FF164:				; CODE XREF: KeInsertQueue+B6j
					; KeInsertQueue+BAj ...
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		push	[ebp+var_8]
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	0
		push	1
		call	KiExitDispatcher
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_4FF187:				; CODE XREF: KeInsertQueue+4Aj
					; KeInsertQueue+52j ...
		mov	edx, [esi+4]
		lea	eax, [edx+1]
		mov	[esi+4], eax
		lea	eax, [esi+10h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_4FF1B8
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		test	edx, edx
		jnz	short loc_4FF164
		cmp	[ebx], ebx
		jz	short loc_4FF164
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		jmp	short loc_4FF164
; 

loc_4FF1B8:				; CODE XREF: KeInsertQueue+A8j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall KdTrap(x, x, x, x, x, x)
_KdTrap@24:				; CODE XREF: KiDispatchException+36Ap
					; KiDispatchException+10DF78p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_KdpDebugRoutineSelect,	0
		jnz	short loc_4FF1D2
		pop	ebp
		jmp	KdpStub
; 

loc_4FF1D2:				; CODE XREF: KeInsertQueue+DAj
		pop	ebp
		jmp	_KdpTrap@24	; KdpTrap(x,x,x,x,x,x)
; 

KdpStub:				; CODE XREF: KeInsertQueue+DDj
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		cmp	dword ptr [esi], 80000003h
		jz	short loc_4FF207

loc_4FF1F0:				; CODE XREF: KeInsertQueue+11Bj
					; KeInsertQueue+132j
		cmp	_KdPitchDebugger, 1
		jnz	loc_5D531D
		xor	al, al

loc_4FF1FF:				; CODE XREF: KeInsertQueue+13Fj
					; KeInsertQueue+D626Dj	...
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	10h
; 

loc_4FF207:				; CODE XREF: KeInsertQueue+FEj
		cmp	dword ptr [esi+10h], 0
		jbe	short loc_4FF1F0
		mov	edx, [esi+14h]
		cmp	edx, 3
		jz	short loc_4FF224
		cmp	edx, 4
		jz	short loc_4FF224
		cmp	edx, 5
		jz	short loc_4FF224
		cmp	edx, 1
		jnz	short loc_4FF1F0

loc_4FF224:				; CODE XREF: KeInsertQueue+123j
					; KeInsertQueue+128j ...
		mov	ecx, [ebp+arg_4]
		mov	al, 1
		inc	dword ptr [ecx+0B8h]
		jmp	short loc_4FF1FF
KeInsertQueue	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCompleteSystemCacheViewFlush(x)
_MiCompleteSystemCacheViewFlush@4 proc near ; CODE XREF: MiObtainSystemCacheView+3B4p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		lea	eax, [ecx+18h]
		mov	ecx, [eax]
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		nop
		mov	ebx, [eax+4]
		mov	edi, ecx
		mov	esi, dword_6D0700
		mov	eax, esi
		mov	edx, dword_6D0704
		or	eax, edx
		jz	short loc_4FF26D
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_4FF28E
		mov	ecx, esi
		not	ecx
		and	ecx, edi

loc_4FF26D:				; CODE XREF: MiCompleteSystemCacheViewFlush(x)+29j
					; MiCompleteSystemCacheViewFlush(x)+5Fj
		push	0
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, eax
		mov	esi, edx
		mov	eax, edi
		mov	edx, ebx
		nop
		mov	ebx, ecx
		mov	ecx, esi
		mov	esi, [ebp+var_4]
		lock cmpxchg8b qword ptr [esi]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4FF28E:				; CODE XREF: MiCompleteSystemCacheViewFlush(x)+33j
		and	ecx, 0FFFFFFEFh
		jmp	short loc_4FF26D
_MiCompleteSystemCacheViewFlush@4 endp

; 
		align 8
; Exported entry 1994. RtlContractHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlContractHashTable
RtlContractHashTable proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D5371 SIZE 000000D9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, [esi+8]
		cmp	edx, 80h
		jnz	loc_5D5371

loc_4FF2B6:				; CODE XREF: RtlContractHashTable+D60DDj
		xor	al, al

loc_4FF2B8:				; CODE XREF: RtlContractHashTable+D61ADj
		pop	esi
		leave
		retn	4
RtlContractHashTable endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 376. ExInitializeLookasideListEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInitializeLookasideListEx(x, x, x, x, x, x, x, x)
		public _ExInitializeLookasideListEx@32
_ExInitializeLookasideListEx@32	proc near ; CODE XREF: CmpInitializeRegistryProcess()+123p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ExInitializeLookasideListExInternal
		pop	ebp
		retn	20h
_ExInitializeLookasideListEx@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExInitializeLookasideListExInternal proc near
					; CODE XREF: ExInitializeLookasideListEx(x,x,x,x,x,x,x,x)+1Fp
					; VmInitSystem(x)+67p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 005D544A SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_1C]
		mov	edx, [ebp+arg_20]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	cx, cx
		jnz	loc_4FF453
		mov	ecx, 100h

loc_4FF308:				; CODE XREF: ExInitializeLookasideListExInternal+177j
		mov	eax, edx
		neg	eax
		push	4
		sbb	eax, eax
		not	eax
		and	eax, ecx
		movzx	eax, ax
		mov	[ebp+arg_0], eax
		pop	eax
		cmp	[ebp+arg_14], eax
		jbe	loc_4FF476

loc_4FF324:				; CODE XREF: ExInitializeLookasideListExInternal+18Fj
		mov	edx, [ebp+arg_10]
		mov	eax, edx
		lea	ecx, [edx-1]
		and	ecx, edx
		neg	ecx
		sbb	cl, cl
		and	eax, 0FFFFFFFCh
		inc	cl
		neg	eax
		sbb	al, al
		inc	al
		test	cl, al
		jz	loc_5D5478
		xor	eax, eax
		test	dl, 1
		jnz	loc_4FF47E
		test	edx, edx
		jnz	loc_4FF46E
		mov	edx, eax

loc_4FF35A:				; CODE XREF: ExInitializeLookasideListExInternal+187j
		mov	ecx, [ebp+arg_C]
		test	ecx, 0FFFFFC18h
		jnz	loc_5D546E
		mov	eax, ecx
		and	eax, 3
		cmp	al, 3
		jz	loc_5D546E
		push	ebx
		test	cl, 1
		jz	loc_4FF444
		mov	edi, offset _ExPagedLookasideListHead
		mov	ebx, offset _ExPagedLookasideLock

loc_4FF38A:				; CODE XREF: ExInitializeLookasideListExInternal+164j
		xor	eax, eax
		or	edx, ecx
		mov	ecx, [ebp+arg_4]
		mov	[esi], eax
		mov	[esi+4], eax
		mov	ax, _ExMinimumLookasideDepth
		mov	[esi+8], ax
		mov	eax, [ebp+arg_0]
		mov	[esi+0Ah], ax
		xor	eax, eax
		mov	[esi+0Ch], eax
		mov	[esi+10h], eax
		mov	[esi+14h], eax
		mov	[esi+18h], eax
		mov	eax, [ebp+arg_18]
		mov	[esi+20h], eax
		mov	eax, [ebp+arg_14]
		mov	[esi+1Ch], edx
		mov	[esi+24h], eax
		test	ecx, ecx
		jnz	short loc_4FF3CD
		mov	ecx, offset _ExAllocatePoolEx@16 ; ExAllocatePoolEx(x,x,x,x)

loc_4FF3CD:				; CODE XREF: ExInitializeLookasideListExInternal+DCj
		mov	eax, [ebp+arg_8]
		mov	[esi+28h], ecx
		test	eax, eax
		jnz	short loc_4FF3DC
		mov	eax, offset _ExFreePoolEx@8 ; ExFreePoolEx(x,x)

loc_4FF3DC:				; CODE XREF: ExInitializeLookasideListExInternal+EBj
		mov	[esi+2Ch], eax
		xor	eax, eax
		mov	[esi+38h], eax
		mov	[esi+3Ch], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, ebx
		mov	byte ptr [ebp+arg_14+3], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	[ebp+arg_20], 0
		jnz	loc_5D544A
		xor	eax, eax
		cmp	_ExMinimumLookasideDepth, ax
		jz	short loc_4FF482

loc_4FF40C:				; CODE XREF: ExInitializeLookasideListExInternal+19Fj
					; ExInitializeLookasideListExInternal+D6170j
		mov	eax, [edi+4]
		add	esi, 30h
		cmp	[eax], edi
		jnz	short loc_4FF48B
		mov	[esi], edi
		mov	[esi+4], eax
		mov	[eax], esi
		test	ds:byte_70EFC6,	1
		mov	[edi+4], esi
		jnz	loc_5D545F
		xor	eax, eax
		lock and [ebx],	eax

loc_4FF432:				; CODE XREF: ExInitializeLookasideListExInternal+D617Fj
		mov	cl, byte ptr [ebp+arg_14+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		pop	ebx

loc_4FF43E:				; CODE XREF: ExInitializeLookasideListExInternal+182j
					; ExInitializeLookasideListExInternal+D6189j ...
		pop	edi
		pop	esi
		pop	ebp
		retn	24h
; 

loc_4FF444:				; CODE XREF: ExInitializeLookasideListExInternal+90j
		mov	edi, offset _ExNPagedLookasideListHead
		mov	ebx, offset _ExNPagedLookasideLock
		jmp	loc_4FF38A
; 

loc_4FF453:				; CODE XREF: ExInitializeLookasideListExInternal+13j
		lea	eax, [ecx-100h]
		mov	edi, 300h
		cmp	ax, di
		jbe	loc_4FF308
		mov	eax, 0C00000F6h
		jmp	short loc_4FF43E
; 

loc_4FF46E:				; CODE XREF: ExInitializeLookasideListExInternal+68j
		push	8

loc_4FF470:				; CODE XREF: ExInitializeLookasideListExInternal+196j
		pop	edx
		jmp	loc_4FF35A
; 

loc_4FF476:				; CODE XREF: ExInitializeLookasideListExInternal+34j
		mov	[ebp+arg_14], eax
		jmp	loc_4FF324
; 

loc_4FF47E:				; CODE XREF: ExInitializeLookasideListExInternal+60j
		push	10h
		jmp	short loc_4FF470
; 

loc_4FF482:				; CODE XREF: ExInitializeLookasideListExInternal+120j
		mov	dword ptr [esi+8], 0FFFF0000h
		jmp	short loc_4FF40C
; 

loc_4FF48B:				; CODE XREF: ExInitializeLookasideListExInternal+12Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
ExInitializeLookasideListExInternal endp ; AL =	character to display


; __stdcall KeTimeOutQueueWaiters(x, x,	x, x)
_KeTimeOutQueueWaiters@16:		; CODE XREF: .text:0052A2F5p
					; ExpWorkerFactoryManagerThread+136p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, ds:_KeTickCount
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+0Ch], edx
		push	edi
		push	ds:_KeMaximumIncrement
		mov	ebx, ecx
		mov	[esp+18h], eax
		push	dword ptr [ebp+0Ch]
		push	dword ptr [ebp+8]
		call	__aulldiv
		mov	[esp+14h], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, ebx
		mov	[esp+18h], al
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	esi, [ebx+0Ch]
		lea	edx, [ebx+8]
		cmp	esi, edx
		jz	short loc_4FF53C
		mov	ecx, [esp+0Ch]
		lea	eax, [ebx+8]

loc_4FF4E7:				; CODE XREF: .text:004FF53Aj
		cmp	edi, ecx
		jnb	short loc_4FF53C
		mov	edx, esi
		mov	esi, [esi+4]
		cmp	byte ptr [edx+8], 3
		jnz	short loc_4FF538
		mov	eax, [edx+0Ch]
		mov	ecx, [esp+10h]
		sub	ecx, [eax+138h]
		cmp	ecx, [esp+14h]
		jb	short loc_4FF53C
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_4FF565
		cmp	[esi], edx
		jnz	short loc_4FF565
		mov	ecx, large fs:20h
		push	0
		mov	[esi], eax
		push	102h
		mov	[eax+4], esi
		call	KiTryUnwaitThread
		mov	ecx, [esp+0Ch]
		test	al, al
		lea	eax, [ebx+8]
		jz	short loc_4FF538
		inc	edi

loc_4FF538:				; CODE XREF: .text:004FF4F4j
					; .text:004FF535j
		cmp	esi, eax
		jnz	short loc_4FF4E7

loc_4FF53C:				; CODE XREF: .text:004FF4DEj
					; .text:004FF4E9j ...
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		push	dword ptr [esp+18h]
		mov	ecx, large fs:20h
		xor	edx, edx
		push	0
		push	1
		call	KiExitDispatcher
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_4FF565:				; CODE XREF: .text:004FF50Ej
					; .text:004FF512j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		align 10h
; Exported entry 903. IoIsSystemThread
; Exported entry 1853. PsIsSystemThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsSystemThread(x)
		public _PsIsSystemThread@4
_PsIsSystemThread@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi	; IoIsSystemThread
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+58h]
		shr	eax, 0Ah
		and	al, 1
		pop	ebp
		retn	4
_PsIsSystemThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmGetImageFileSignatureInformation proc	near ; DATA XREF: .text:004037ECo

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D5482 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	ecx, [eax+14h]
		mov	[ebp+var_1], bl
		test	ecx, ecx
		jz	short loc_4FF5AC
		lea	eax, [ebp-1]
		xor	edx, edx
		push	eax
		call	MiLockSectionControlArea
		mov	esi, eax
		test	esi, esi
		jnz	short loc_4FF5B4

loc_4FF5AC:				; CODE XREF: MmGetImageFileSignatureInformation+15j
		xor	al, al

loc_4FF5AE:				; CODE XREF: MmGetImageFileSignatureInformation+6Fj
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4FF5B4:				; CODE XREF: MmGetImageFileSignatureInformation+26j
		test	byte ptr [esi+1Ch], 3
		push	edi
		lea	edi, [esi+24h]
		jnz	loc_5D5482
		inc	dword ptr [esi+0Ch]
		mov	ecx, esi
		call	_MiRemoveUnusedSegment@4 ; MiRemoveUnusedSegment(x)
		inc	dword ptr [esi+18h]
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esi]
		xor	edx, edx
		inc	edx
		mov	ecx, esi
		mov	bl, [eax+0Bh]
		shr	bl, 4
		call	_MiDereferenceControlAreaBySection@8 ; MiDereferenceControlAreaBySection(x,x)

loc_4FF5F0:				; CODE XREF: MmGetImageFileSignatureInformation+D5F0Dj
		mov	al, bl
		pop	edi
		jmp	short loc_4FF5AE
MmGetImageFileSignatureInformation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCaptureWriteWatchDirtyBit(x, x, x)
_MiCaptureWriteWatchDirtyBit@12	proc near ; CODE XREF: MiRevertValidPte+534p
					; .text:00474CD3p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr [ecx+0FCh], 20h
		push	esi
		mov	esi, edx
		jnz	short loc_4FF62F
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_4FF61C
		mov	ecx, esi
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_4FF62E

loc_4FF61C:				; CODE XREF: MiCaptureWriteWatchDirtyBit(x,x,x)+17j
		mov	eax, [edi+1Ch]
		test	al, 4
		jnz	short loc_4FF62E
		mov	ecx, 300000h
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_4FF634

loc_4FF62E:				; CODE XREF: MiCaptureWriteWatchDirtyBit(x,x,x)+24j
					; MiCaptureWriteWatchDirtyBit(x,x,x)+2Bj ...
		pop	edi

loc_4FF62F:				; CODE XREF: MiCaptureWriteWatchDirtyBit(x,x,x)+Fj
		pop	esi
		pop	ebp
		retn	4
; 

loc_4FF634:				; CODE XREF: MiCaptureWriteWatchDirtyBit(x,x,x)+36j
		push	ebx
		mov	ebx, [edi+24h]

loc_4FF638:				; CODE XREF: MiCaptureWriteWatchDirtyBit(x,x,x)+8Bj
		test	ebx, ebx
		jz	short loc_4FF642
		test	byte ptr [ebx+24h], 4
		jz	short loc_4FF67F

loc_4FF642:				; CODE XREF: MiCaptureWriteWatchDirtyBit(x,x,x)+44j
		mov	ecx, edi
		call	_MiGetVadMandatoryPageSize@4 ; MiGetVadMandatoryPageSize(x)
		shr	esi, 0Ch
		mov	ecx, eax
		sub	esi, [edi+0Ch]
		xor	edx, edx
		mov	eax, esi
		div	ecx
		mov	ecx, edi
		mov	esi, eax
		call	MiLockVadCore
		mov	edx, esi
		and	esi, 7
		shr	edx, 3
		add	edx, [ebx+8]
		movsx	ecx, byte ptr [edx]
		bts	ecx, esi
		mov	[edx], cl
		mov	dl, 2
		mov	ecx, edi
		call	MiUnlockVadCore
		pop	ebx
		jmp	short loc_4FF62E
; 

loc_4FF67F:				; CODE XREF: MiCaptureWriteWatchDirtyBit(x,x,x)+4Aj
		mov	ebx, [ebx]
		jmp	short loc_4FF638
_MiCaptureWriteWatchDirtyBit@12	endp

; 
		align 4

;  S U B	R O U T	I N E 


MiUnlockVadCore	proc near		; CODE XREF: NtGetWriteWatch+9F4p
					; MiCaptureWriteWatchDirtyBit(x,x,x)+81p ...

; FUNCTION CHUNK AT 005D5496 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		lea	edi, [ecx+1Ch]
		mov	bl, dl
		mov	esi, [edi]
		mov	ecx, esi
		and	ecx, 0FFFFFFFCh
		mov	eax, esi
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		jnz	loc_5D5496

loc_4FF6A3:				; CODE XREF: MiUnlockVadCore+D5E21j
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
MiUnlockVadCore	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpDeleteTimer	proc near		; DATA XREF: ExpTimerInitialization()+81o

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D54AA SIZE 000003B4 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 48h
		push	esi
		push	edi
		mov	edi, [ebx+8]
		xor	edx, edx
		lea	esi, [edi+94h]
		mov	[ebp+var_28], esi
		cmp	[esi], edx
		jnz	loc_5D54AA

loc_4FF6E0:				; CODE XREF: ExpDeleteTimer+D6197j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	esi, [edi+28h]
		mov	byte ptr [ebp+var_28], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [edi+9Ch]
		cmp	dword ptr [ecx], 0
		jnz	short loc_4FF72A
		test	ds:byte_70EFC6,	1
		jnz	loc_5D584F
		xor	eax, eax
		lock and [esi],	eax

loc_4FF710:				; CODE XREF: ExpDeleteTimer+D61ABj
		mov	cl, byte ptr [ebp+var_28]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_4FF719:				; CODE XREF: ExpDeleteTimer+8Bj
		push	edi
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_4FF72A:				; CODE XREF: ExpDeleteTimer+4Ej
		push	[ebp+var_28]
		lea	edx, [edi+0A0h]
		push	esi
		call	_PsRemoveVirtualizedTimer@16 ; PsRemoveVirtualizedTimer(x,x,x,x)
		jmp	short loc_4FF719
ExpDeleteTimer	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsRemoveVirtualizedTimer(x,	x, x, x)
_PsRemoveVirtualizedTimer@16 proc near	; CODE XREF: ExpDeleteTimer+86p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	edx, 54567350h
		mov	ebx, [esi]
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag
		mov	ecx, [ebp+arg_0]
		call	@KefReleaseSpinLockFromDpcLevel@4 ; KefReleaseSpinLockFromDpcLevel(x)
		lea	ecx, [ebx+454h]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+arg_0]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	dword ptr [esi], 0
		jz	short loc_4FF795
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_4FF7C4
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_4FF7C4
		mov	[ecx], eax
		mov	edx, 54567350h
		mov	[eax+4], ecx
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_4FF795:				; CODE XREF: PsRemoveVirtualizedTimer(x,x,x,x)+38j
		mov	ecx, [ebp+arg_0]
		call	@KefReleaseSpinLockFromDpcLevel@4 ; KefReleaseSpinLockFromDpcLevel(x)
		lea	ecx, [ebx+454h]
		call	@KefReleaseSpinLockFromDpcLevel@4 ; KefReleaseSpinLockFromDpcLevel(x)
		mov	cl, [ebp+arg_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, 54567350h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_4FF7C4:				; CODE XREF: PsRemoveVirtualizedTimer(x,x,x,x)+3Fj
					; PsRemoveVirtualizedTimer(x,x,x,x)+46j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PsRemoveVirtualizedTimer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepGetConstantOperand proc near	; CODE XREF: .text:00518145p
					; AuthzBasepGetNextValue+EDDACp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D585E SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	eax, edx
		xor	edx, edx
		mov	[ebp+var_4], eax
		xor	ecx, ecx
		mov	[esi+4], dl
		inc	ebx
		mov	[esi], cx
		mov	[esi+8], edx
		mov	[esi+0Ch], ebx
		mov	[esi+10h], edx
		mov	[esi+14h], edx
		mov	[esi+18h], edx
		mov	cl, [edi]
		test	cl, cl
		jz	short loc_4FF842
		cmp	cl, 4
		jbe	loc_5D5891
		cmp	cl, 10h
		jnz	loc_5D585E

loc_4FF811:				; CODE XREF: AuthzBasepGetConstantOperand+D6097j
					; AuthzBasepGetConstantOperand+D60ABj
		dec	eax
		cmp	eax, 4
		jb	short loc_4FF850
		cmp	cl, 10h
		jnz	loc_5D587A
		push	3
		pop	eax
		mov	[esi], ax

loc_4FF826:				; CODE XREF: AuthzBasepGetConstantOperand+D60B9j
					; AuthzBasepGetConstantOperand+D60C2j
		mov	eax, [ebp+var_4]
		mov	ecx, [edi+1]
		add	eax, 0FFFFFFFBh
		mov	[esi+14h], ecx
		push	5
		pop	ebx
		cmp	eax, ecx
		jb	short loc_4FF850
		lea	eax, [edi+5]
		mov	[esi+18h], eax
		lea	ebx, [ecx+5]

loc_4FF842:				; CODE XREF: AuthzBasepGetConstantOperand+33j
					; AuthzBasepGetConstantOperand+8Bj ...
		mov	ecx, [ebp+arg_4]
		mov	eax, edx
		pop	edi
		pop	esi
		mov	[ecx], ebx
		pop	ebx
		leave
		retn	8
; 

loc_4FF850:				; CODE XREF: AuthzBasepGetConstantOperand+4Bj
					; AuthzBasepGetConstantOperand+6Dj ...
		mov	edx, 0C00001A2h
		jmp	short loc_4FF842
AuthzBasepGetConstantOperand endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ExGetHandleAttributes(x, x)
_ExGetHandleAttributes@8 proc near	; CODE XREF: ObQueryObjectAuditingByHandle+74p
					; ObQueryHandleEntryInformation(x,x)+11p ...
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		and	eax, 6
		test	ecx, 4000000h
		jnz	short loc_4FF878

loc_4FF868:				; CODE XREF: ExGetHandleAttributes(x,x)+23j
		test	ecx, 2000000h
		jnz	short loc_4FF873

loc_4FF870:				; CODE XREF: ExGetHandleAttributes(x,x)+1Ej
		and	eax, edx
		retn
; 

loc_4FF873:				; CODE XREF: ExGetHandleAttributes(x,x)+16j
		or	eax, 1
		jmp	short loc_4FF870
; 

loc_4FF878:				; CODE XREF: ExGetHandleAttributes(x,x)+Ej
		or	eax, 8
		jmp	short loc_4FF868
_ExGetHandleAttributes@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetClosestImplicitNode proc near	; CODE XREF: MiInPagePageTable+23Ap
					; MiAddPhysicalMemoryChunks(x,x,x,x)+6Ap ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D58B4 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_5D58B4

loc_4FF88E:				; CODE XREF: MiGetClosestImplicitNode+D6053j
					; MiGetClosestImplicitNode+D605Cj
		pop	ebp
		retn	4
MiGetClosestImplicitNode endp

; 
		align 8
; Exported entry 239. CcSetReadAheadGranularity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcSetReadAheadGranularity(x, x)
		public _CcSetReadAheadGranularity@8
_CcSetReadAheadGranularity@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		dec	ecx
		mov	eax, [eax+18h]
		mov	[eax+4], ecx
		pop	ebp
		retn	8
_CcSetReadAheadGranularity@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAttemptFastRemoveQueue proc near	; CODE XREF: KeRemoveQueueEx+457p
					; KeRemoveQueueEx+5C7p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D58DF SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		lea	ebx, [ecx+10h]
		mov	[ebp+var_4], edx
		mov	eax, [ebx]
		xor	esi, esi
		push	edi

loc_4FF8C1:				; CODE XREF: KiAttemptFastRemoveQueue+4Dj
		dec	dword ptr [ecx+4]
		mov	edx, [eax]
		test	edx, edx
		jz	loc_5D58DF
		cmp	[edx+4], eax
		jnz	short loc_4FF8FF
		mov	edi, [eax+4]
		cmp	[edi], eax
		jnz	short loc_4FF8FF
		mov	[edi], edx
		mov	[edx+4], edi
		mov	edx, [ebp+var_4]
		and	dword ptr [eax], 0
		mov	[edx+esi*4], eax
		inc	esi
		mov	eax, [ebx]
		cmp	eax, ebx
		jnz	short loc_4FF8F8

loc_4FF8EF:				; CODE XREF: KiAttemptFastRemoveQueue+4Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_4FF8F8:				; CODE XREF: KiAttemptFastRemoveQueue+3Fj
		cmp	esi, [ebp+arg_0]
		jb	short loc_4FF8C1
		jmp	short loc_4FF8EF
; 

loc_4FF8FF:				; CODE XREF: KiAttemptFastRemoveQueue+23j
					; KiAttemptFastRemoveQueue+2Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
KiAttemptFastRemoveQueue endp		; AL = character to display


; __stdcall RtlpHpVsSubsegmentCleanup(x, x)
_RtlpHpVsSubsegmentCleanup@8:		; CODE XREF: RtlpHpVsChunkSplit+A54p
					; RtlpHpVsContextFreeList+297p	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, edx
		mov	[ebp-0Ch], ecx
		push	esi
		push	edi
		mov	esi, [ebx]
		mov	edx, [ebx+4]
		xor	esi, ebx
		xor	edx, ebx
		lea	edi, [esi+4]
		mov	eax, [edi]
		xor	eax, esi
		cmp	eax, ebx
		jnz	loc_4FF9C7
		mov	eax, [edx]
		xor	eax, edx
		cmp	eax, ebx
		jnz	loc_4FF9C7
		xor	esi, edx
		mov	[edx], esi
		mov	[edi], esi
		mov	edx, [ebx+8]
		mov	ebx, [ebx+0Ch]
		not	edx
		movzx	eax, dl
		not	ebx
		shr	edx, 8
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		mov	[ebp-8], edx
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	[ebp-1], cl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp-8]
		add	cl, dl
		movzx	edx, cl
		mov	ecx, eax
		shr	ecx, 8
		movzx	eax, al
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, [ebp-1]
		movzx	eax, cl
		add	edx, eax
		mov	eax, [ebp-0Ch]
		neg	edx
		add	eax, 18h
		lock xadd [eax], edx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4FF9C7:				; CODE XREF: .text:004FF926j
					; .text:004FF932j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1828. PsGetThreadId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetThreadId(x)
		public _PsGetThreadId@4
_PsGetThreadId@4 proc near		; CODE XREF: PfpScenCtxServiceThreadSet+17p
					; PfSnBeginTrace+170205p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+2B0h]
		pop	ebp
		retn	4
_PsGetThreadId@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 747. IoAllocateWorkItem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAllocateWorkItem(x)
		public _IoAllocateWorkItem@4
_IoAllocateWorkItem@4 proc near		; CODE XREF: PnpDeviceCompletionRequestDestroy(x)+15p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	34h
		pop	edx
		mov	ecx, 200h
		call	IopVerifierExAllocatePool
		test	eax, eax
		jz	short loc_4FFA1E
		mov	ecx, [ebp+arg_0]
		and	dword ptr [eax+1Ch], 0
		and	dword ptr [eax], 0
		mov	[eax+14h], ecx
		mov	dword ptr [eax+20h], 1
		mov	dword ptr [eax+8], offset IopProcessWorkItem
		mov	[eax+0Ch], eax

loc_4FFA1E:				; CODE XREF: IoAllocateWorkItem(x)+14j
		pop	ebp
		retn	4
_IoAllocateWorkItem@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQuerySchedulingGroupReadyTime(x)
_KeQuerySchedulingGroupReadyTime@4 proc	near
					; CODE XREF: PspQueryJobHierarchyAccountingInformation+3AEp
					; sub_759647+7F1p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, ds:_KeNumberProcessors
		xor	edi, edi
		mov	[ebp+var_1], al
		xor	ebx, ebx
		xor	eax, eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jz	short loc_4FFA9B
		sub	esi, 0FFFFFF80h
		mov	[ebp+var_C], esi

loc_4FFA54:				; CODE XREF: KeQuerySchedulingGroupReadyTime(x)+77j
		mov	esi, ds:_KiProcessorBlock[eax*4]
		add	esi, 2224h
		and	[ebp+var_10], 0
		mov	[ebp+var_14], esi

loc_4FFA68:				; CODE XREF: KeQuerySchedulingGroupReadyTime(x)+99j
		lock bts dword ptr [esi], 0
		jb	short loc_4FFAAD
		mov	esi, [ebp+var_C]
		add	edi, [esi+38h]
		adc	ebx, [esi+3Ch]
		test	byte ptr [esi+5Ch], 1
		jnz	short loc_4FFABD

loc_4FFA7E:				; CODE XREF: KeQuerySchedulingGroupReadyTime(x)+AAj
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		lock and [eax],	ecx
		mov	eax, [ebp+var_8]
		add	esi, 100h
		inc	eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+var_18]
		jb	short loc_4FFA54

loc_4FFA9B:				; CODE XREF: KeQuerySchedulingGroupReadyTime(x)+2Aj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		mov	edx, ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4FFAAD:				; CODE XREF: KeQuerySchedulingGroupReadyTime(x)+4Bj
					; KeQuerySchedulingGroupReadyTime(x)+97j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_4FFAAD
		jmp	short loc_4FFA68
; 

loc_4FFABD:				; CODE XREF: KeQuerySchedulingGroupReadyTime(x)+5Aj
		call	KeQueryInterruptTime
		sub	eax, [esi+40h]
		sbb	edx, [esi+44h]
		add	edi, eax
		adc	ebx, edx
		jmp	short loc_4FFA7E
_KeQuerySchedulingGroupReadyTime@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteEmptySubsections(x)
_MiDeleteEmptySubsections@4 proc near	; CODE XREF: MiDereferenceSegmentThread+ADp
					; MiDereferenceSegmentThread+EDp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	[ebp+var_4], esi
		lea	edi, [esi+340h]
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		lea	eax, [esi+434h]

loc_4FFAF2:				; CODE XREF: MiDeleteEmptySubsections(x)+C9j
		mov	esi, [eax]
		cmp	esi, eax
		jz	loc_4FFB9C
		mov	eax, [esi-34h]
		add	eax, 24h
		push	eax
		mov	[ebp+var_C], eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jz	loc_4FFBB9
		test	byte ptr [esi-22h], 8
		jz	loc_4FFBC9
		mov	eax, [esi-30h]
		lea	ecx, [esi+10h]
		xor	edx, edx
		mov	[ebp+var_8], eax
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)
		and	dword ptr [esi-30h], 0
		mov	edx, [esi]
		cmp	[edx+4], esi
		jnz	loc_4FFBCD
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_4FFBCD
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, 0FFF7h
		and	[esi-22h], cx
		lea	ecx, [esi-34h]
		mov	[esi+4], esi
		mov	[esi], esi
		call	_MiReduceUnusedSubsectionCount@4 ; MiReduceUnusedSubsectionCount(x)
		mov	esi, [ebp+var_8]

loc_4FFB65:				; CODE XREF: MiDeleteEmptySubsections(x)+FDj
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		push	[ebp+var_C]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_4FFB87
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_4FFB87:				; CODE XREF: MiDeleteEmptySubsections(x)+AFj
					; MiDeleteEmptySubsections(x)+F9j
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		mov	eax, [ebp+var_4]
		add	eax, 434h
		jmp	loc_4FFAF2
; 

loc_4FFB9C:				; CODE XREF: MiDeleteEmptySubsections(x)+28j
		mov	eax, [ebp+var_4]
		push	edi
		and	dword ptr [eax+380h], 0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4FFBB9:				; CODE XREF: MiDeleteEmptySubsections(x)+3Fj
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_4FFB87
; 

loc_4FFBC9:				; CODE XREF: MiDeleteEmptySubsections(x)+49j
		xor	esi, esi
		jmp	short loc_4FFB65
; 

loc_4FFBCD:				; CODE XREF: MiDeleteEmptySubsections(x)+68j
					; MiDeleteEmptySubsections(x)+73j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_MiDeleteEmptySubsections@4 endp	; AL = character to display


;  S U B	R O U T	I N E 


ObpDeferObjectDeletion proc near	; CODE XREF: ObfDereferenceObject+98p
					; ObfDereferenceObjectWithTag+ABp ...

; FUNCTION CHUNK AT 005D58F5 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, _ObpRemoveObjectList
		mov	ebx, offset _ObpRemoveObjectList
		push	edi
		mov	edi, ecx
		mov	eax, esi
		mov	edx, edi
		mov	[edi+4], esi
		lock cmpxchg [ebx], edx

loc_4FFBEF:				; CODE XREF: ObpDeferObjectDeletion+5Bj
		cmp	eax, esi
		jnz	short loc_4FFC22
		pop	edi
		test	esi, esi
		pop	esi
		pop	ebx
		jnz	short locret_4FFC21
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	loc_5D58F5
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	loc_5D58F5
		push	0
		push	offset _ObpRemoveObjectWorkItem
		call	ExQueueWorkItem

locret_4FFC21:				; CODE XREF: ObpDeferObjectDeletion+26j
		retn
; 

loc_4FFC22:				; CODE XREF: ObpDeferObjectDeletion+1Fj
		mov	esi, eax
		mov	[edi+4], eax
		mov	ecx, edi
		lock cmpxchg [ebx], ecx
		jmp	short loc_4FFBEF
ObpDeferObjectDeletion endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2466. SeFreePrivileges

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeFreePrivileges(x)
		public _SeFreePrivileges@4
_SeFreePrivileges@4 proc near		; CODE XREF: ObCheckObjectAccess+FEp
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+36Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	4
_SeFreePrivileges@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2120. RtlGetElementGenericTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlGetElementGenericTable
RtlGetElementGenericTable proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D5907 SIZE 0000004C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	ecx, [eax+1]
		mov	[ebp+arg_0], ecx
		mov	edx, ecx
		mov	esi, [edi+10h]
		mov	ecx, [edi+0Ch]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_4FFC74

loc_4FFC6C:				; CODE XREF: RtlGetElementGenericTable+2Dj
		xor	eax, eax

loc_4FFC6E:				; CODE XREF: RtlGetElementGenericTable+36j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_4FFC74:				; CODE XREF: RtlGetElementGenericTable+1Ej
		mov	eax, [edi+14h]
		cmp	edx, eax
		ja	short loc_4FFC6C
		cmp	edx, esi
		jnz	short loc_4FFC84

loc_4FFC7F:				; CODE XREF: RtlGetElementGenericTable+63j
		lea	eax, [ecx+0Ch]
		jmp	short loc_4FFC6E
; 

loc_4FFC84:				; CODE XREF: RtlGetElementGenericTable+31j
		jb	loc_5D5907
		push	ebx
		mov	ebx, edx
		sub	eax, edx
		sub	ebx, esi
		inc	eax
		cmp	ebx, eax
		ja	loc_5D593B
		test	ebx, ebx
		jz	short loc_4FFCA5

loc_4FFC9E:				; CODE XREF: RtlGetElementGenericTable+57j
		mov	ecx, [ecx]
		sub	ebx, 1
		jnz	short loc_4FFC9E

loc_4FFCA5:				; CODE XREF: RtlGetElementGenericTable+50j
					; RtlGetElementGenericTable+D5CF4j ...
		pop	ebx

loc_4FFCA6:				; CODE XREF: RtlGetElementGenericTable+D5CC5j
					; RtlGetElementGenericTable+D5CD3j ...
		mov	eax, [ebp+arg_0]
		mov	[edi+0Ch], ecx
		mov	[edi+10h], eax
		jmp	short loc_4FFC7F
RtlGetElementGenericTable endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpFreeCompletionPacketLookaside(x)
_AlpcpFreeCompletionPacketLookaside@4 proc near	; CODE XREF: AlpcpDeletePort(x)+112p
					; AlpcpInitializeCompletionList+2E3p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	esi, esi
		cmp	[ebx+8], esi
		jnz	short loc_4FFD34
		inc	esi
		mov	edi, esi

loc_4FFCD9:				; CODE XREF: AlpcpFreeCompletionPacketLookaside(x)+88j
		test	ds:byte_70EFC6,	1
		jz	short loc_4FFD06
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_4FFCED:				; CODE XREF: AlpcpFreeCompletionPacketLookaside(x)+6Cj
					; AlpcpFreeCompletionPacketLookaside(x)+80j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_4FFD01
		mov	ecx, ebx
		call	_AlpcpDeferredFreeCompletionPacketLookaside@4 ;	AlpcpDeferredFreeCompletionPacketLookaside(x)

loc_4FFD01:				; CODE XREF: AlpcpFreeCompletionPacketLookaside(x)+46j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4FFD06:				; CODE XREF: AlpcpFreeCompletionPacketLookaside(x)+2Ej
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_4FFD25
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_4FFCED
		call	KxWaitForLockChainValid

loc_4FFD25:				; CODE XREF: AlpcpFreeCompletionPacketLookaside(x)+59j
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	esi
		jmp	short loc_4FFCED
; 

loc_4FFD34:				; CODE XREF: AlpcpFreeCompletionPacketLookaside(x)+22j
		xor	edi, edi
		inc	esi
		mov	[ebx+14h], esi
		jmp	short loc_4FFCD9
_AlpcpFreeCompletionPacketLookaside@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCreateSecurityCheck(x, x, x, x, x, x, x,	x, x, x, x)
_IopCreateSecurityCheck@44 proc	near	; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+4F2p
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+6B9p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= byte ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_C], edx
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_8], 1
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		mov	esi, ecx
		jz	short loc_4FFD78
		mov	eax, [eax+20h]
		test	eax, 40001h
		jnz	short loc_4FFD75
		cmp	_IopRequireDeviceAccessCheck, ecx
		jz	short loc_4FFD78
		test	eax, 100000h
		jz	short loc_4FFD78

loc_4FFD75:				; CODE XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+28j
		push	2
		pop	esi

loc_4FFD78:				; CODE XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+1Ej
					; IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+30j ...
		mov	ebx, [ebp+arg_1C]
		dec	word ptr [ebx+13Ch]
		nop
		push	1
		push	offset _IopSecurityResource
		call	ExAcquireResourceSharedLite
		mov	edi, [ebp+arg_0]
		lea	eax, [edi+1Ch]
		push	eax
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_10]
		mov	eax, ds:_IoFileObjectType
		push	1
		add	eax, 34h
		push	eax
		lea	eax, [ebp+arg_C]
		push	eax
		push	0
		mov	eax, esi
		or	eax, [ebp+arg_4]
		push	eax
		push	1
		lea	eax, [edi+1Ch]
		push	eax
		mov	eax, [ebp+var_4]
		push	dword ptr [eax+98h]
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		cmp	[ebp+arg_C], 0
		mov	byte ptr [ebp+arg_8], al
		jz	short loc_4FFDEC
		push	[ebp+arg_C]
		push	edi
		call	SeAppendPrivileges
		push	0
		push	[ebp+arg_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, byte ptr [ebp+arg_8]

loc_4FFDEC:				; CODE XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+98j
		mov	ecx, [ebp+arg_10]
		test	esi, esi
		jz	short loc_4FFDFC
		test	[ebp+arg_4], esi
		jnz	short loc_4FFDFC
		not	esi
		and	[ecx], esi

loc_4FFDFC:				; CODE XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+B5j
					; IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+BAj
		cmp	[ebp+arg_20], 0
		jz	short loc_4FFE17
		test	al, al
		jz	short loc_4FFE17
		mov	eax, [ecx]
		or	[edi+14h], eax
		mov	eax, [ecx]
		or	eax, 2000000h
		not	eax
		and	[edi+10h], eax

loc_4FFE17:				; CODE XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+C4j
					; IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+C8j
		mov	edx, [ebp+var_C]
		xor	esi, esi
		test	edx, edx
		jz	short loc_4FFE40
		lea	eax, [edi+0Ah]
		push	eax
		mov	eax, [ebp+var_4]
		push	1
		push	[ebp+arg_8]
		push	esi
		push	edi
		push	dword ptr [eax+98h]
		push	[ebp+arg_14]
		push	edx
		push	[ebp+arg_18]
		call	_SeOpenObjectAuditAlarm@36 ; SeOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x)

loc_4FFE40:				; CODE XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+E2j
		lea	eax, [edi+1Ch]
		push	eax
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		mov	ecx, offset _IopSecurityResource
		call	ExReleaseResourceLite
		nop
		add	word ptr [ebx+13Ch], 1
		jnz	short loc_4FFE74
		nop
		lea	eax, [ebx+70h]
		cmp	[eax], eax
		jz	short loc_4FFE74
		cmp	[ebx+13Eh], si
		jnz	short loc_4FFE74
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_4FFE74:				; CODE XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+120j
					; IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+128j ...
		mov	al, byte ptr [ebp+arg_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
_IopCreateSecurityCheck@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute	proc near
					; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+A8p
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx:loc_499B45p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005D5953 SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	ecx, [edx+0Ch]
		mov	eax, [edx]
		push	ebx
		push	esi
		push	edi
		mov	edx, [eax+ecx*8-10h]
		mov	ebx, [eax+ecx*8-0Ch]
		mov	esi, [eax+ecx*8-8]
		xor	ecx, ecx
		mov	[ebp+var_14], ecx
		movzx	eax, word ptr [edx]
		inc	eax
		lea	eax, [edx+eax*8]
		cmp	ebx, eax
		jnz	loc_4FFFA4
		sub	ebx, 8
		lea	eax, [edx+8]
		cmp	ebx, eax
		lea	eax, [ebx-4]
		jbe	loc_4FFFF1

loc_4FFEBF:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+176j
		xor	ecx, ecx
		mov	[ebp+var_20], esi
		lea	edx, [ebp+var_1C]
		inc	ecx

loc_4FFEC8:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+12Fj
		mov	eax, [eax]
		or	ecx, eax
		mov	[edx], eax
		mov	eax, 0FFFFh
		mov	edx, [ebp+var_20]
		mov	[ebp+var_28], ecx
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_1C], ecx
		mov	edi, [edx]
		and	edi, eax
		mov	esi, [ecx]
		and	esi, eax
		lea	eax, [esi+edi]
		cmp	eax, 3FDh
		jnb	loc_4FFF9C
		cmp	eax, 1FFh
		jb	loc_4FFF9C
		shr	eax, 1
		cmp	esi, edi
		ja	loc_4FFFB2
		mov	edi, edx
		mov	[ebp+var_10], ecx
		xor	edx, edx
		mov	[ebp+var_18], edx
		mov	edx, esi
		mov	esi, eax
		mov	[ebp+var_14], edx
		mov	eax, [ebp+var_18]
		sub	esi, edx

loc_4FFF20:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+143j
		lea	eax, [eax+1]
		lea	edx, [edi+eax*8]
		mov	eax, [ebp+var_14]
		inc	eax
		mov	[ebp+var_8], edx
		mov	dl, [edi+3]
		mov	[ebp+var_1], dl
		mov	edx, [ebp+var_8]
		lea	eax, [ecx+eax*8]
		mov	[ebp+var_C], eax
		cmp	edi, [ebp+var_10]
		jz	loc_4FFFC6

loc_4FFF45:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+16Ej
		cmp	[ebp+var_1], 0
		jz	loc_5D5953
		mov	eax, esi
		shl	eax, 3
		mov	[ebp+var_24], eax

loc_4FFF57:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+D5B39j
		push	eax		; size_t
		mov	eax, [ebp+var_C]
		push	edx		; void *
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_1C]
		add	esp, 0Ch
		movzx	eax, si
		mov	esi, [ebp+var_20]
		add	[ecx], ax
		sub	[edi], ax
		cmp	edi, esi
		jnz	short loc_4FFF91
		movzx	eax, word ptr [edi]
		mov	ecx, [ebp+var_8]
		shl	eax, 3
		push	eax		; size_t
		mov	eax, [ebp+var_24]
		add	eax, ecx
		push	eax		; void *
		push	ecx		; void *
		call	_memmove
		add	esp, 0Ch

loc_4FFF91:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+F8j
		cmp	byte ptr [esi+3], 0
		jz	short loc_4FFF9C
		mov	ecx, [esi+8]
		mov	[ebx], ecx

loc_4FFF9C:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+71j
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+7Cj ...
		mov	eax, [ebp+var_28]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_4FFFA4:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+2Aj
		mov	[ebp+var_1C], esi
		lea	eax, [ebx+4]
		lea	edx, [ebp+var_20]
		jmp	loc_4FFEC8
; 

loc_4FFFB2:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+86j
		mov	edi, ecx
		mov	[ebp+var_1C], edx
		mov	ecx, edx
		mov	[ebp+var_18], eax
		sub	esi, eax
		mov	[ebp+var_10], edi
		jmp	loc_4FFF20
; 

loc_4FFFC6:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+C1j
		movzx	eax, word ptr [ecx]
		shl	eax, 3
		push	eax		; size_t
		mov	eax, [ebp+var_C]
		push	eax		; void *
		lea	eax, [eax+esi*8]
		push	eax		; void *
		call	_memmove
		mov	al, [edi+3]
		add	esp, 0Ch
		mov	ecx, [ebp+var_1C]
		mov	edx, [ebp+var_8]
		mov	[ebp+var_1], al
		mov	eax, [ebp+var_C]
		jmp	loc_4FFF45
; 

loc_4FFFF1:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+3Bj
		lea	eax, [edx+4]
		jmp	loc_4FFEBF
B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckFatalAccessViolation proc near	; CODE XREF: .text:00467DB2p
					; .text:004681AAp

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D59BC SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi

loc_500000:				; DATA XREF: .text:00412EAEo
					; NtGetWriteWatch+2CDo	...
		mov	esi, ecx
		cmp	esi, 10000h
		jnb	short loc_50000F

loc_50000A:				; CODE XREF: MiCheckFatalAccessViolation+1Bj
					; MiCheckFatalAccessViolation+1Fj ...
		pop	esi
		pop	ebp
		retn	8
; 

loc_50000F:				; CODE XREF: MiCheckFatalAccessViolation+Ej
		cmp	esi, ds:_MmHighestUserAddress
		ja	short loc_50000A
		test	edx, edx
		jnz	short loc_50000A
		test	[ebp+arg_0], 2
		jz	short loc_50000A
		jmp	loc_5D59BC
MiCheckFatalAccessViolation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpGetEntireXStateAreaLength proc near	; CODE XREF: RtlGetExtendedContextLength2+72p
					; KiDispatchException+5EAp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D59F7 SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		test	byte ptr ds:0FFDF03ECh,	2
		push	esi
		jnz	loc_5D59F7

loc_50003C:				; DATA XREF: ApiSetResolveToHost+30o
					; .text:005A49BEo
		mov	esi, ds:0FFDF03E8h

loc_500042:				; CODE XREF: RtlpGetEntireXStateAreaLength+D5A35j
		mov	eax, esi
		pop	esi
		leave
		retn	8
RtlpGetEntireXStateAreaLength endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetPageFileSectionForReservation proc	near
					; CODE XREF: MiBuildReservationCluster(x,x,x,x)+250p
					; MiReservePageFileSpace+34Dp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D5A60 SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp

loc_50004D:				; DATA XREF: .text:00401188o
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	MiReferencePfBackedSection
		mov	edx, eax
		test	edx, edx
		jnz	short loc_50006A

loc_500061:				; CODE XREF: MiGetPageFileSectionForReservation+D5A1Dj
		xor	eax, eax

loc_500063:				; CODE XREF: MiGetPageFileSectionForReservation+56j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_50006A:				; CODE XREF: MiGetPageFileSectionForReservation+15j
		mov	eax, [edx]
		mov	[esi], eax
		mov	eax, edi

loc_500070:				; DATA XREF: .text:005A3C7Co
		and	eax, 0FFFFF000h
		mov	[esi+8], eax
		lea	ebx, [eax+0FF8h]
		mov	[esi+0Ch], ebx
		mov	ecx, [edx+4]
		cmp	eax, ecx
		jb	short loc_5000BD

loc_500088:				; CODE XREF: MiGetPageFileSectionForReservation+76j
		mov	eax, [edx+1Ch]
		dec	eax
		lea	eax, [ecx+eax*8]
		cmp	ebx, eax
		ja	short loc_5000B8

loc_500093:				; CODE XREF: MiGetPageFileSectionForReservation+71j
		cmp	[ebp+arg_0], 0
		jnz	short loc_5000A2
		and	dword ptr [esi+4], 0

loc_50009D:				; CODE XREF: MiGetPageFileSectionForReservation+67j
		xor	eax, eax
		inc	eax
		jmp	short loc_500063
; 

loc_5000A2:				; CODE XREF: MiGetPageFileSectionForReservation+4Dj
		lea	edx, [esi+10h]
		mov	ecx, edi
		call	MiLockProtoPoolPage
		mov	[esi+4], eax
		test	eax, eax
		jnz	short loc_50009D
		jmp	loc_5D5A60
; 

loc_5000B8:				; CODE XREF: MiGetPageFileSectionForReservation+47j
		mov	[esi+0Ch], eax
		jmp	short loc_500093
; 

loc_5000BD:				; CODE XREF: MiGetPageFileSectionForReservation+3Cj
		mov	[esi+8], ecx
		jmp	short loc_500088
MiGetPageFileSectionForReservation endp

; 
		align 8
; Exported entry 1449. MmMdlPageContentsState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMdlPageContentsState(x, x)
		public _MmMdlPageContentsState@8
_MmMdlPageContentsState@8 proc near	; CODE XREF: SmKmIssueVolumeIo(x,x,x,x,x)+88p
					; MdlInvariantPostProcessing1(x,x,x)+56p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 2
		mov	ecx, [ebp+arg_0]
		movzx	eax, word ptr [ecx+6]
		jz	short loc_5000F3
		cmp	[ebp+arg_4], 1
		jnz	short loc_5000FB
		or	eax, 4000h

loc_5000E5:				; CODE XREF: MmMdlPageContentsState(x,x)+38j
		movzx	eax, ax
		mov	[ecx+6], ax
		mov	eax, [ebp+arg_4]

loc_5000EF:				; CODE XREF: MmMdlPageContentsState(x,x)+31j
		pop	ebp
		retn	8
; 

loc_5000F3:				; CODE XREF: MmMdlPageContentsState(x,x)+10j
		shr	eax, 0Eh
		and	eax, 1
		jmp	short loc_5000EF
; 

loc_5000FB:				; CODE XREF: MmMdlPageContentsState(x,x)+16j
		and	eax, 0FFFFBFFFh
		jmp	short loc_5000E5
_MmMdlPageContentsState@8 endp


;  S U B	R O U T	I N E 


wil_details_MapReportingKind proc near	; CODE XREF: wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)+19p

; FUNCTION CHUNK AT 005D5A6C SIZE 00000075 BYTES

		mov	eax, ecx
		sub	eax, 0
		jz	short loc_500131
		sub	eax, 1
		jz	loc_5D5AD6
		sub	eax, 1
		jz	loc_5D5AC7
		sub	eax, 1
		jnz	loc_5D5A6C
		test	edx, edx
		setz	al
		lea	eax, ds:2[eax*4]
		retn
; 

loc_500131:				; CODE XREF: wil_details_MapReportingKind+5j
					; wil_details_MapReportingKind+D597Fj
		mov	eax, 0FFh
		retn
wil_details_MapReportingKind endp

; 
		align 4

;  S U B	R O U T	I N E 


SepFreeTokenCapabilities proc near	; CODE XREF: NtCreateTokenEx+6B3p
					; NtCreateTokenEx+6D4p	...

; FUNCTION CHUNK AT 005D5AE1 SIZE 00000016 BYTES

		cmp	_SepTokenCapabilitySidSharingEnabled, 0
		push	esi
		mov	esi, ecx
		jnz	loc_5D5AE1

loc_500148:				; CODE XREF: SepFreeTokenCapabilities+D59BAj
		push	0
		push	dword ptr [esi+1E4h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
SepFreeTokenCapabilities endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1306. KeSetTimerEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetTimerEx(x, x, x, x, x)
		public _KeSetTimerEx@20
_KeSetTimerEx@20 proc near		; CODE XREF: VdmpDelayInterrupt(x)+35Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_C]
		push	[ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_10]
		push	0
		call	KiSetTimerEx
		pop	ebp
		retn	14h
_KeSetTimerEx@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeLogAccessFailure proc	near		; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+806p
					; SeAccessCheckWithHintWithAdminlessChecks+C38p ...

var_264		= dword	ptr -264h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= byte ptr -208h
var_207		= byte ptr -207h
var_206		= byte ptr -206h
var_205		= dword	ptr -205h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= byte ptr  1Ch

; FUNCTION CHUNK AT 005D5AF7 SIZE 000009E5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 264h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_234], 1
		push	ebx
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ebx, ecx
		mov	[ebp+var_24C], ebx
		mov	[ebp+var_20C], edi
		mov	[ebp+var_230], eax
		mov	[ebp+var_21C], eax
		mov	[ebp+var_206], al
		mov	[ebp+var_208], al
		mov	[ebp+var_218], eax
		mov	[ebp+var_238], eax
		mov	[ebp+var_23C], eax
		mov	[ebp+var_224], eax
		mov	[ebp+var_244], eax
		mov	[ebp+var_240], eax
		mov	[ebp+var_207], al
		mov	[ebp+var_22C], eax
		mov	[ebp+var_228], eax
		mov	[ebp+var_214], eax
		mov	byte ptr [ebp+var_205],	al
		mov	[ebp+var_220], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_500234
		mov	eax, _EtwKernelProvRegHandle
		or	eax, dword_6BC12C
		jz	short loc_500234
		cmp	byte_6D7060, 0
		jnz	loc_5D5AF7

loc_500234:				; CODE XREF: SeLogAccessFailure+9Cj
					; SeLogAccessFailure+A9j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
SeLogAccessFailure endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1858. PsIsWin32KFilterEnabled

;  S U B	R O U T	I N E 


; __stdcall PsIsWin32KFilterEnabled()
		public _PsIsWin32KFilterEnabled@0
_PsIsWin32KFilterEnabled@0 proc	near
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+490h]
		shr	eax, 0Eh
		and	al, 1
		retn
_PsIsWin32KFilterEnabled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiExpandFlushMdl(x,	x)
_MiExpandFlushMdl@8 proc near		; CODE XREF: MiFlushSectionInternal+952p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		push	ebx
		mov	[ebp+var_4], eax
		push	esi
		mov	ebx, [eax+14h]
		mov	eax, 0FFFFEh
		push	edi
		cmp	ebx, eax
		jz	short loc_5002C8
		lea	esi, [ebx+ebx]
		cmp	esi, ebx
		jbe	short loc_5002C8
		cmp	esi, eax
		ja	short loc_5002C8
		cmp	esi, edx
		ja	short loc_5002C4

loc_50028B:				; CODE XREF: MiExpandFlushMdl(x,x)+64j
		push	0
		lea	ecx, ds:1Ch[esi*4]
		mov	edx, 6C466D4Dh
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_5002C8
		lea	ecx, ds:1Ch[ebx*4]
		push	ecx		; size_t
		push	[ebp+var_4]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[edi+18h], esi
		mov	eax, edi

loc_5002BF:				; CODE XREF: MiExpandFlushMdl(x,x)+68j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5002C4:				; CODE XREF: MiExpandFlushMdl(x,x)+27j
		mov	esi, edx
		jmp	short loc_50028B
; 

loc_5002C8:				; CODE XREF: MiExpandFlushMdl(x,x)+18j
					; MiExpandFlushMdl(x,x)+1Fj ...
		xor	eax, eax
		jmp	short loc_5002BF
_MiExpandFlushMdl@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVsContextAddSubsegment(x, x)
_RtlpHpVsContextAddSubsegment@8	proc near ; CODE XREF: RtlpHpVsContextAllocateInternal+28Cp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		push	edi
		lea	edx, [ebx+10h]
		lea	eax, [edx+4]
		mov	edi, [eax]
		lea	ecx, [esi+18h]
		xor	edi, edx
		mov	[ebp+var_4], eax
		mov	eax, [edi]
		xor	eax, edi
		cmp	eax, edx
		jnz	short loc_50033E
		xor	edx, esi
		mov	eax, edi
		xor	eax, esi
		mov	[esi], edx
		mov	[esi+4], eax
		mov	[edi], eax
		mov	eax, [ebp+var_4]
		mov	[eax], edx
		test	byte ptr [ebx+98h], 1
		jz	short loc_50032F
		lea	eax, [ecx+10h]
		test	eax, 0FFFh
		jz	short loc_50032F
		push	ecx
		mov	edx, esi
		call	_RtlpHpVsChunkAlignSplit@12 ; RtlpHpVsChunkAlignSplit(x,x,x)
		test	eax, eax
		jz	short loc_50032C
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpHpVsFreeChunkInsert@12 ; RtlpHpVsFreeChunkInsert(x,x,x)

loc_50032C:				; CODE XREF: RtlpHpVsContextAddSubsegment(x,x)+54j
		lea	ecx, [esi+18h]

loc_50032F:				; CODE XREF: RtlpHpVsContextAddSubsegment(x,x)+3Ej
					; RtlpHpVsContextAddSubsegment(x,x)+48j
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpHpVsFreeChunkInsert@12 ; RtlpHpVsFreeChunkInsert(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_50033E:				; CODE XREF: RtlpHpVsContextAddSubsegment(x,x)+23j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_RtlpHpVsContextAddSubsegment@8	endp


;  S U B	R O U T	I N E 


; __stdcall KiCheckKeepAlive(x)
_KiCheckKeepAlive@4 proc near		; CODE XREF: KeAccumulateTicks+22Cp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, dword_6B5A60
		xor	bl, bl
		mov	eax, esi
		shr	eax, cl
		test	al, 1
		jz	short loc_50037A
		mov	edx, dword_6B5A6C
		mov	eax, edx
		shr	eax, cl
		test	al, 1
		jz	short loc_50037F
		btr	esi, ecx
		btr	edx, ecx
		mov	dword_6B5A60, esi
		inc	bl

loc_500374:				; CODE XREF: KiCheckKeepAlive(x)+3Ej
		mov	dword_6B5A6C, edx

loc_50037A:				; CODE XREF: KiCheckKeepAlive(x)+12j
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_50037F:				; CODE XREF: KiCheckKeepAlive(x)+20j
		bts	edx, ecx
		jmp	short loc_500374
_KiCheckKeepAlive@4 endp


;  S U B	R O U T	I N E 


CmpHasKcbBeenMirrored proc near		; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+199p
		mov	eax, [ecx+68h]
		shr	eax, 17h
		and	al, 1
		retn
CmpHasKcbBeenMirrored endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockNestedPageAtDpcInline(x)
_MiLockNestedPageAtDpcInline@4 proc near ; CODE	XREF: MiHandleCollidedFault(x,x,x,x,x,x)+A6p
					; MiBuildReservationCluster(x,x,x,x)+20Bp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		lea	esi, [ecx+10h]

loc_50039C:				; CODE XREF: MiLockNestedPageAtDpcInline(x)+24j
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5003A6
		pop	esi
		leave
		retn
; 

loc_5003A6:				; CODE XREF: MiLockNestedPageAtDpcInline(x)+13j
					; MiLockNestedPageAtDpcInline(x)+26j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jns	short loc_50039C
		jmp	short loc_5003A6
_MiLockNestedPageAtDpcInline@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1830. PsGetThreadProcessId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetThreadProcessId(x)
		public _PsGetThreadProcessId@4
_PsGetThreadProcessId@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+2ACh]
		pop	ebp
		retn	4
_PsGetThreadProcessId@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockPageTableRange proc near		; CODE XREF: MmStoreAllocateVirtualMemory+108p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D64DC SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+80h]
		mov	esi, edx
		mov	eax, ecx
		mov	[ebp+var_14], ecx
		mov	ecx, offset loc_7FFFF8
		shr	eax, 9
		and	eax, ecx
		shr	esi, 9
		and	esi, ecx
		mov	[ebp+var_10], eax
		add	edi, 240h
		sub	esi, 40000000h
		mov	ecx, edi
		mov	[ebp+var_8], edi
		lea	ebx, [eax-40000000h]
		mov	[ebp+var_C], esi
		call	MiLockWorkingSetShared
		mov	byte ptr [ebp+var_4], al
		cmp	ebx, esi
		ja	short loc_500495

loc_500424:				; CODE XREF: MiLockPageTableRange+C2j
		push	0
		push	[ebp+var_4]
		mov	edi, ebx
		xor	edx, edx
		shr	edi, 9
		mov	ecx, ebx
		push	0
		and	edi, offset loc_7FFFF8
		call	MiMakeSystemAddressValid
		mov	ecx, [edi-40000000h]
		nop
		mov	eax, [edi-3FFFFFFCh]
		shrd	ecx, eax, 0Ch
		push	2
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		pop	edx
		add	ecx, ds:_MmPfnDatabase
		call	_MiLockPageTablePage@8 ; MiLockPageTablePage(x,x)
		lea	edx, [edi-40000000h]
		mov	esi, eax
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		test	esi, esi
		jz	loc_5D64DC
		and	ebx, 0FFFFF000h
		add	ebx, 1000h
		cmp	ebx, [ebp+var_C]
		jbe	short loc_500424
		mov	al, byte ptr [ebp+var_4]

loc_500495:				; CODE XREF: MiLockPageTableRange+54j
		mov	dl, al
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		xor	eax, eax

loc_5004A0:				; CODE XREF: MiLockPageTableRange+D6137j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiLockPageTableRange endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeSecureExclusive(x)
_MiMakeSecureExclusive@4 proc near	; CODE XREF: MmStoreAllocateVirtualMemory+CBp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_8], ecx
		push	ebx
		push	esi
		mov	[ebp+var_4], eax
		mov	esi, eax
		mov	eax, large fs:124h
		mov	ebx, offset unk_6D3C40
		push	edi
		mov	edi, [eax+80h]
		mov	al, [edi+2A0h]
		and	al, 7
		cmp	al, 2
		jz	short loc_5004DE
		lea	ebx, [edi+2C0h]

loc_5004DE:				; CODE XREF: MiMakeSecureExclusive(x)+30j
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_8]
		and	[ebx+4], esi
		mov	ecx, [ecx+24h]

loc_5004ED:				; CODE XREF: MiMakeSecureExclusive(x)+59j
		test	ecx, ecx
		jz	short loc_500501
		cmp	dword ptr [ecx+24h], 2
		jnz	short loc_5004FD
		test	esi, esi
		jnz	short loc_50050C
		mov	esi, ecx

loc_5004FD:				; CODE XREF: MiMakeSecureExclusive(x)+4Fj
		mov	ecx, [ecx]
		jmp	short loc_5004ED
; 

loc_500501:				; CODE XREF: MiMakeSecureExclusive(x)+49j
		or	dword ptr [esi+4], 20h
		mov	[ebp+var_4], 1

loc_50050C:				; CODE XREF: MiMakeSecureExclusive(x)+53j
		mov	dl, al
		lea	ecx, [edi+240h]
		call	MiUnlockWorkingSetExclusive
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiMakeSecureExclusive@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1267. KeRemoveQueue

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRemoveQueue(x, x,	x)
		public _KeRemoveQueue@12
_KeRemoveQueue@12 proc near		; CODE XREF: ExpWorkerFactoryManagerThread+1Cp
					; FsRtlWorkerThread+28p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	1
		push	eax
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	KeRemoveQueueEx
		mov	eax, [ebp+var_4]
		leave
		retn	0Ch
_KeRemoveQueue@12 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1818. PsGetProcessWin32WindowStation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessWin32WindowStation(x)
		public _PsGetProcessWin32WindowStation@4
_PsGetProcessWin32WindowStation@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+16Ch]
		pop	ebp
		retn	4
_PsGetProcessWin32WindowStation@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2166. RtlInitializeBitMap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitializeBitMap(x, x, x)
		public _RtlInitializeBitMap@12
_RtlInitializeBitMap@12	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		mov	[ecx], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+4], eax
		pop	ebp
		retn	0Ch
_RtlInitializeBitMap@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoIsIoPriorityBoostActive(x)
_IoIsIoPriorityBoostActive@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		cmp	[ecx+330h], eax
		setnz	al
		pop	ebp
		retn	4
_IoIsIoPriorityBoostActive@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SleepstudyHelperBlockerActiveReference proc near ; DATA	XREF: .data:006B35C0o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D650A SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_5005F7
		push	ebx

loc_5005A8:				; CODE XREF: SleepstudyHelperBlockerActiveReference+48j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		inc	dword ptr [esi+8]
		cmp	dword ptr [esi+8], 1
		jz	short loc_5005EC

loc_5005C0:				; CODE XREF: SleepstudyHelperBlockerActiveReference+5Bj
		test	ds:byte_70EFC6,	1
		jnz	loc_5D650A
		xor	eax, eax
		lock and [esi],	eax

loc_5005D2:				; CODE XREF: SleepstudyHelperBlockerActiveReference+D5F7Aj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [esi+118h]
		test	esi, esi
		jnz	short loc_5005A8
		xor	eax, eax
		pop	ebx

loc_5005E7:				; CODE XREF: SleepstudyHelperBlockerActiveReference+62j
		pop	esi
		pop	ebp
		retn	4
; 

loc_5005EC:				; CODE XREF: SleepstudyHelperBlockerActiveReference+24j
		mov	dl, 1
		mov	ecx, esi
		call	SshpSetBlockerActive
		jmp	short loc_5005C0
; 

loc_5005F7:				; CODE XREF: SleepstudyHelperBlockerActiveReference+Bj
		mov	eax, 0C000000Dh
		jmp	short loc_5005E7
SleepstudyHelperBlockerActiveReference endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SleepstudyHelperBlockerActiveDereference proc near ; DATA XREF:	.data:006B35BCo

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D6519 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_500658
		push	ebx

loc_50060C:				; CODE XREF: SleepstudyHelperBlockerActiveDereference+45j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		sub	dword ptr [esi+8], 1
		jz	short loc_50064D

loc_500621:				; CODE XREF: SleepstudyHelperBlockerActiveDereference+58j
		test	ds:byte_70EFC6,	1
		jnz	loc_5D6519
		xor	eax, eax
		lock and [esi],	eax

loc_500633:				; CODE XREF: SleepstudyHelperBlockerActiveDereference+D5F25j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [esi+118h]
		test	esi, esi
		jnz	short loc_50060C
		xor	eax, eax
		pop	ebx

loc_500648:				; CODE XREF: SleepstudyHelperBlockerActiveDereference+5Fj
		pop	esi
		pop	ebp
		retn	4
; 

loc_50064D:				; CODE XREF: SleepstudyHelperBlockerActiveDereference+21j
		xor	dl, dl
		mov	ecx, esi
		call	SshpSetBlockerActive
		jmp	short loc_500621
; 

loc_500658:				; CODE XREF: SleepstudyHelperBlockerActiveDereference+Bj
		mov	eax, 0C000000Dh
		jmp	short loc_500648
SleepstudyHelperBlockerActiveDereference endp

; 
		align 10h

;  S U B	R O U T	I N E 


SshpSetBlockerActive proc near		; CODE XREF: SleepstudyHelperBlockerActiveReference+56p
					; SleepstudyHelperBlockerActiveDereference+53p	...

; FUNCTION CHUNK AT 005D6528 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		test	dl, dl
		setnz	bl
		mov	ecx, [esi+4]
		mov	eax, ecx
		and	eax, 1
		mov	edx, ecx
		cmp	ebx, eax
		jz	short loc_500684
		test	cl, 2
		jnz	loc_5D6528

loc_500684:				; CODE XREF: SshpSetBlockerActive+19j
					; SshpSetBlockerActive+D5EDBj
		and	edx, 0FFFFFFFEh
		or	edx, ebx
		mov	[esi+4], edx
		pop	esi
		pop	ebx
		retn
SshpSetBlockerActive endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiBoostUnmapPfn(x)
_MiBoostUnmapPfn@4 proc	near		; CODE XREF: .text:00458990p
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_5006AD
		test	byte ptr [ecx+16h], 10h
		jnz	short loc_5006AD
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		cmp	eax, 5
		jnb	short loc_5006AD
		xor	eax, eax
		inc	eax
		retn
; 

loc_5006AD:				; CODE XREF: MiBoostUnmapPfn(x)+7j
					; MiBoostUnmapPfn(x)+Dj ...
		xor	eax, eax
		retn
_MiBoostUnmapPfn@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpmPerfMinimumPerfReached()
_PpmPerfMinimumPerfReached@0 proc near	; CODE XREF: PpmCheckMakeupSkippedChecks+2Ap
		mov	ecx, ds:_PpmPerfDomainHead
		mov	dl, 1
		cmp	ecx, offset _PpmPerfDomainHead
		jz	short loc_5006F3
		push	ebx
		push	esi
		push	edi

loc_5006C3:				; CODE XREF: PpmPerfMinimumPerfReached()+3Ej
		mov	edi, [ecx+1Ch]
		test	edi, edi
		jz	short loc_5006E6
		mov	esi, [ecx+24h]
		mov	ebx, [ecx+150h]
		add	esi, 28h

loc_5006D6:				; CODE XREF: PpmPerfMinimumPerfReached()+34j
		cmp	ebx, [esi]
		lea	esi, [esi+78h]
		sbb	al, al
		not	al
		and	dl, al
		sub	edi, 1
		jnz	short loc_5006D6

loc_5006E6:				; CODE XREF: PpmPerfMinimumPerfReached()+18j
		mov	ecx, [ecx]
		cmp	ecx, offset _PpmPerfDomainHead
		jnz	short loc_5006C3
		pop	edi
		pop	esi
		pop	ebx

loc_5006F3:				; CODE XREF: PpmPerfMinimumPerfReached()+Ej
		mov	al, dl
		retn
_PpmPerfMinimumPerfReached@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiBeginProcessClean proc near		; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+F6p
					; MmCleanProcessAddressSpace+48p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D6540 SIZE 00000053 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ecx
		mov	[ebp+var_38], edx
		lea	ecx, [edx+0FCh]
		mov	[ebp+var_C], eax
		test	byte ptr [ecx],	20h
		push	esi
		push	edi
		lea	edi, [edx+240h]
		mov	[ebp+var_14], ecx
		jnz	loc_5D6540
		dec	word ptr [eax+13Eh]
		nop
		lea	esi, [edx+134h]
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_8], esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_C]
		or	byte ptr [ecx+304h], 1
		nop
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_50076B
		lea	eax, [edi+80h]

loc_50076B:				; CODE XREF: MiBeginProcessClean+6Dj
		push	eax
		mov	[ebp+var_10], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_10]
		mov	ah, al
		push	20h
		pop	edx
		and	dword ptr [ecx+4], 0
		mov	ecx, [ebp+var_14]
		lock or	[ecx], edx
		mov	dl, [edi+63h]
		and	dl, 60h
		cmp	dl, 60h
		jz	short loc_500799
		mov	al, [edi+63h]
		and	al, 9Fh
		mov	[edi+63h], al

loc_500799:				; CODE XREF: MiBeginProcessClean+99j
		mov	dl, ah
		mov	ecx, edi
		call	MiUnlockWorkingSetExclusive
		mov	eax, [ebp+var_C]
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_10], edx
		and	byte ptr [eax+304h], 0FEh
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_50092B

loc_5007C2:				; CODE XREF: MiBeginProcessClean+23Cj
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	esi, 7FFFFFFCh
		jz	loc_5008CF
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], esi
		pop	edx
		jb	short loc_500802
		cmp	byte ptr dword_6D3994[ecx], 1
		jz	loc_5008F6

loc_500802:				; CODE XREF: MiBeginProcessClean+FDj
		cmp	eax, [ebp+var_30]
		jb	short loc_500814
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_5008F6

loc_500814:				; CODE XREF: MiBeginProcessClean+10Fj
					; MiBeginProcessClean+213j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_50090E
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_500937

loc_500855:				; CODE XREF: MiBeginProcessClean+249j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5D655B
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_5008A1:				; CODE XREF: MiBeginProcessClean+220j
					; MiBeginProcessClean+D5E77j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jnz	loc_500944

loc_5008B8:				; CODE XREF: MiBeginProcessClean+287j
					; MiBeginProcessClean+D5E98j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5008CF
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_500988

loc_5008CF:				; CODE XREF: MiBeginProcessClean+D7j
					; MiBeginProcessClean+1CBj ...
		mov	ecx, [ebp+var_C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp+var_38]
		call	_MiOutlawInswaps@4 ; MiOutlawInswaps(x)
		mov	esi, eax
		cmp	esi, 2
		ja	short loc_50091D

loc_5008E6:				; CODE XREF: MiBeginProcessClean+233j
		xor	eax, eax
		test	esi, esi
		setnz	al

loc_5008ED:				; CODE XREF: MiBeginProcessClean+D5E4Dj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_5008F6:				; CODE XREF: MiBeginProcessClean+106j
					; MiBeginProcessClean+118j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_8]
		jmp	loc_500814
; 

loc_50090E:				; CODE XREF: MiBeginProcessClean+147j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_5008A1
		jmp	loc_5D6548
; 

loc_50091D:				; CODE XREF: MiBeginProcessClean+1EEj
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	_MiFreeWorkingSetSwapContext@8 ; MiFreeWorkingSetSwapContext(x,x)
		jmp	short loc_5008E6
; 

loc_50092B:				; CODE XREF: MiBeginProcessClean+C6j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_5007C2
; 

loc_500937:				; CODE XREF: MiBeginProcessClean+159j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]
		jmp	loc_500855
; 

loc_500944:				; CODE XREF: MiBeginProcessClean+1BCj
		test	edi, 8000h
		jz	short loc_500955
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_500955:				; CODE XREF: MiBeginProcessClean+254j
		test	byte ptr [ebp+var_14+2], 1
		jnz	loc_5D6572

loc_50095F:				; CODE XREF: MiBeginProcessClean+D5E86j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_500973
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_500973:				; CODE XREF: MiBeginProcessClean+270j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_5008B8
		jmp	loc_5D6581
; 

loc_500988:				; CODE XREF: MiBeginProcessClean+1D3j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_5008CF
MiBeginProcessClean endp


;  S U B	R O U T	I N E 


; __stdcall MiOutlawInswaps(x)
_MiOutlawInswaps@4 proc	near		; CODE XREF: MiBeginProcessClean+1E4p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	offset unk_6D50F0
		mov	esi, ecx
		call	ExAcquireSpinLockExclusive
		mov	cl, [esi+2A0h]
		mov	bl, al
		and	cl, 7
		jnz	short loc_5009E0
		mov	edi, [esi+2D0h]

loc_5009B6:				; CODE XREF: MiOutlawInswaps(x)+50j
		add	esi, 2C0h
		cmp	cl, 2
		jz	short loc_5009E4

loc_5009C1:				; CODE XREF: MiOutlawInswaps(x)+57j
		push	offset unk_6D50F0
		mov	dword ptr [esi+10h], 2
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_5009E0:				; CODE XREF: MiOutlawInswaps(x)+1Cj
		xor	edi, edi
		jmp	short loc_5009B6
; 

loc_5009E4:				; CODE XREF: MiOutlawInswaps(x)+2Dj
		mov	esi, offset unk_6D3C40
		jmp	short loc_5009C1
_MiOutlawInswaps@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_5009EC	proc near		; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+57p
					; CmKeyBodyRemapToVirtual(x,x,x,x,x)+F1p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	KCBIsVirtualizable
		test	al, al
		jz	short loc_500A18
		mov	eax, large fs:124h
		push	[ebp+arg_0]
		mov	cl, [eax+15Ah]
		call	CmpIsSystemEntity
		neg	al
		sbb	al, al
		inc	al

loc_500A14:				; CODE XREF: sub_5009EC+2Ej
		pop	ebp
		retn	4
; 

loc_500A18:				; CODE XREF: sub_5009EC+Cj
		xor	al, al
		jmp	short loc_500A14
sub_5009EC	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 424. ExReleaseResourceForThreadLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExReleaseResourceForThreadLite
ExReleaseResourceForThreadLite proc near ; CODE	XREF: CcUnpinDataForThread(x,x)+43p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D6593 SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		movzx	eax, word ptr [edi+0Eh]
		mov	ecx, eax
		mov	edx, eax
		and	ecx, 1
		jnz	loc_5D6593

loc_500A3D:				; CODE XREF: ExReleaseResourceForThreadLite+D5B73j
		xor	esi, esi
		test	cx, cx
		jnz	short loc_500A5C

loc_500A44:				; CODE XREF: ExReleaseResourceForThreadLite+D5BBDj
		test	al, 1
		jnz	loc_5D65E4
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		call	ExpReleaseResourceForThreadLite

loc_500A56:				; CODE XREF: ExReleaseResourceForThreadLite+D5BD5j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_500A5C:				; CODE XREF: ExReleaseResourceForThreadLite+20j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		cmp	al, 2
		ja	loc_5D65B3
		jmp	loc_5D65BF
ExReleaseResourceForThreadLite endp


;  S U B	R O U T	I N E 


SilentFailAccessCheck proc near		; CODE XREF: CmpVEPerformOpenAccessCheck(x,x,x,x,x,x)+2Cp
		test	byte ptr [ecx+68h], 40h
		jnz	short loc_500AA3
		mov	eax, [ecx+10h]
		test	byte ptr [eax+980h], 10h
		jz	short loc_500AA3
		mov	eax, large fs:124h
		push	edx
		xor	edx, edx
		mov	cl, [eax+15Ah]
		call	CmpIsSystemEntity
		neg	al
		sbb	al, al
		inc	al
		retn
; 

loc_500AA3:				; CODE XREF: SilentFailAccessCheck+4j
					; SilentFailAccessCheck+10j
		xor	al, al
		retn
SilentFailAccessCheck endp


;  S U B	R O U T	I N E 


; __stdcall MiLocateExclusiveSecure(x)
_MiLocateExclusiveSecure@4 proc	near	; CODE XREF: MiAddSecureEntry+D7p
		mov	eax, [ecx+24h]

loc_500AA9:				; CODE XREF: MiLocateExclusiveSecure(x)+18j
		test	eax, eax
		jz	short loc_500AB9
		cmp	dword ptr [eax+24h], 2
		jnz	short loc_500ABC
		test	byte ptr [eax+4], 20h
		jnz	short locret_500ABB

loc_500AB9:				; CODE XREF: MiLocateExclusiveSecure(x)+5j
		xor	eax, eax

locret_500ABB:				; CODE XREF: MiLocateExclusiveSecure(x)+11j
		retn
; 

loc_500ABC:				; CODE XREF: MiLocateExclusiveSecure(x)+Bj
		mov	eax, [eax]
		jmp	short loc_500AA9
_MiLocateExclusiveSecure@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReduceMappedFileReadBehind proc near	; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+22Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D65FC SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	ebx, ecx
		push	1
		push	esi
		push	ebx
		mov	[ebp+var_4], esi
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		xor	edi, edi
		test	esi, esi
		jz	loc_500BA1

loc_500AE9:				; CODE XREF: MiReduceMappedFileReadBehind+11Cj
		mov	eax, [ebx]
		mov	[ebp+var_10], eax
		cmp	eax, edi
		jbe	loc_500BA1
		mov	ecx, [ebx+4]
		dec	eax
		shr	eax, 5
		lea	esi, [ecx+eax*4]
		mov	eax, edi
		shr	eax, 5
		mov	[ebp+var_C], esi
		lea	edx, [ecx+eax*4]
		cmp	edx, esi
		jz	short loc_500B3E
		mov	esi, edi
		and	esi, 1Fh
		mov	ecx, ds:dword_40BA68[esi*4]
		or	ecx, [edx]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_500B3E
		sub	edi, esi
		mov	esi, [ebp+var_C]
		add	edi, 20h
		add	edx, 4

loc_500B2D:				; CODE XREF: MiReduceMappedFileReadBehind+7Cj
		cmp	edx, esi
		jnb	short loc_500B3E
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	short loc_500B3E
		add	edx, 4
		add	edi, 20h
		jmp	short loc_500B2D
; 

loc_500B3E:				; CODE XREF: MiReduceMappedFileReadBehind+4Dj
					; MiReduceMappedFileReadBehind+60j ...
		mov	eax, [ebp+var_10]
		cmp	edi, eax
		jnb	short loc_500B52
		mov	ecx, [ebx+4]

loc_500B48:				; CODE XREF: MiReduceMappedFileReadBehind+90j
		bt	[ecx], edi
		jnb	short loc_500B52
		inc	edi
		cmp	edi, eax
		jb	short loc_500B48

loc_500B52:				; CODE XREF: MiReduceMappedFileReadBehind+83j
					; MiReduceMappedFileReadBehind+8Bj
		xor	esi, esi
		cmp	edx, [ebp+var_C]
		jz	short loc_500B70
		mov	ecx, [edx]
		mov	eax, edi
		and	eax, 1Fh
		mov	[ebp+var_10], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		jz	short loc_500BE1

loc_500B70:				; CODE XREF: MiReduceMappedFileReadBehind+97j
					; MiReduceMappedFileReadBehind+134j ...
		mov	edx, [ebx]
		lea	eax, [esi+edi]
		cmp	eax, edx
		jnb	short loc_500B8C
		mov	ecx, [ebx+4]

loc_500B7C:				; CODE XREF: MiReduceMappedFileReadBehind+CAj
		bt	[ecx], eax
		jb	short loc_500B8C
		cmp	esi, 0FFFFFFFFh
		jnb	short loc_500B8F
		inc	eax
		inc	esi
		cmp	eax, edx
		jb	short loc_500B7C

loc_500B8C:				; CODE XREF: MiReduceMappedFileReadBehind+B7j
					; MiReduceMappedFileReadBehind+BFj
		cmp	esi, 0FFFFFFFFh

loc_500B8F:				; CODE XREF: MiReduceMappedFileReadBehind+C4j
					; MiReduceMappedFileReadBehind+12Aj ...
		ja	loc_5D65FC

loc_500B95:				; CODE XREF: MiReduceMappedFileReadBehind+D5B3Fj
		test	esi, esi
		jz	short loc_500B9E
		cmp	edi, [ebp+var_4]
		jb	short loc_500BB4

loc_500B9E:				; CODE XREF: MiReduceMappedFileReadBehind+D7j
					; MiReduceMappedFileReadBehind+111j
		mov	esi, [ebp+var_4]

loc_500BA1:				; CODE XREF: MiReduceMappedFileReadBehind+23j
					; MiReduceMappedFileReadBehind+30j ...
		push	1
		push	esi
		push	ebx
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_500BB4:				; CODE XREF: MiReduceMappedFileReadBehind+DCj
		mov	eax, [ebp+arg_0]
		sub	eax, [ebp+var_8]
		cmp	esi, eax
		ja	short loc_500C13

loc_500BBE:				; CODE XREF: MiReduceMappedFileReadBehind+155j
		push	esi
		push	edi
		push	ebx
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	eax, [ebp+var_8]
		add	eax, esi
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+arg_0]
		jz	short loc_500B9E
		add	edi, esi
		mov	esi, [ebp+var_4]
		cmp	edi, esi
		jnb	short loc_500BA1
		jmp	loc_500AE9
; 

loc_500BE1:				; CODE XREF: MiReduceMappedFileReadBehind+AEj
		push	20h
		pop	esi
		sub	esi, [ebp+var_10]
		cmp	esi, 0FFFFFFFFh
		jnb	short loc_500B8F
		mov	ecx, [ebp+var_C]
		add	edx, 4

loc_500BF2:				; CODE XREF: MiReduceMappedFileReadBehind+14Cj
		cmp	edx, ecx
		jnb	loc_500B70
		cmp	dword ptr [edx], 0
		jnz	loc_500B70
		add	esi, 20h
		add	edx, 4
		cmp	esi, 0FFFFFFFFh
		jb	short loc_500BF2
		jmp	loc_500B8F
; 

loc_500C13:				; CODE XREF: MiReduceMappedFileReadBehind+FCj
		mov	esi, eax
		jmp	short loc_500BBE
MiReduceMappedFileReadBehind endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspReturnResourceQuota proc near	; CODE XREF: PspReturnQuota+108p
					; ObpFreeObject+100FCFp ...

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D6604 SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	byte ptr [ebp+var_1], 0
		imul	esi, edi, 1Ch
		mov	ebx, edx
		lea	edx, [ebp+var_1]
		add	esi, offset _PspQuotaExpansionDescriptors
		mov	ecx, esi
		call	@PspLockQuotaExpansion@8 ; PspLockQuotaExpansion(x,x)
		cmp	[ebp+arg_0], 0
		jbe	short loc_500C49
		push	[ebp+arg_0]
		push	edi
		call	dword ptr [esi+10h]

loc_500C49:				; CODE XREF: PspReturnResourceQuota+28j
		cmp	[ebp+arg_4], 0
		jnz	loc_5D6604

loc_500C53:				; CODE XREF: PspReturnResourceQuota+D5A02j
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, esi
		call	PspUnlockQuotaExpansion
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
PspReturnResourceQuota endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmReturnPoolQuota(x, x)
_MmReturnPoolQuota@8 proc near		; DATA XREF: PspInitializeQuotaExpansionDescriptor(x,x,x,x,x,x)+21o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 1
		mov	eax, [ebp+arg_4]
		jnz	short loc_500C7C
		sub	dword_6CF38C, eax

loc_500C78:				; CODE XREF: MmReturnPoolQuota(x,x)+1Ej
		pop	ebp
		retn	8
; 

loc_500C7C:				; CODE XREF: MmReturnPoolQuota(x,x)+Cj
		sub	dword_6CF390, eax
		jmp	short loc_500C78
_MmReturnPoolQuota@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspExpandQuota	proc near		; CODE XREF: PspChargeQuota(x,x,x,x)+E9p
					; ExAllocatePoolWithQuotaTag+2A2p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	byte ptr [ebp+var_1], 0
		push	edi
		imul	edi, ebx, 1Ch
		mov	esi, edx
		lea	edx, [ebp+var_1]
		add	edi, offset _PspQuotaExpansionDescriptors
		mov	ecx, edi
		call	@PspLockQuotaExpansion@8 ; PspLockQuotaExpansion(x,x)
		lea	eax, [esi+40h]
		mov	esi, [eax]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_0]
		add	eax, [ebp+arg_4]
		cmp	eax, esi
		jbe	short loc_500CE3
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		push	esi
		push	ebx
		call	dword ptr [edi+0Ch]
		test	al, al
		jz	loc_5D6624

loc_500CD3:				; CODE XREF: PspReturnResourceQuota+D5A26j
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		sub	eax, esi
		mov	esi, eax
		lock xadd [ecx], esi
		add	esi, eax

loc_500CE3:				; CODE XREF: PspExpandQuota+3Aj
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, edi
		call	PspUnlockQuotaExpansion
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		mov	al, 1

loc_500CF4:				; CODE XREF: PspReturnResourceQuota+D5A3Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
PspExpandQuota	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmRaisePoolQuota(x,	x, x, x)
_MmRaisePoolQuota@16 proc near		; DATA XREF: PspInitializeQuotaExpansionDescriptor(x,x,x,x,x,x)+1Ao

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 1
		push	esi
		mov	esi, [ebp+arg_8]
		jnz	short loc_500D51
		test	esi, esi
		jnz	short loc_500D14
		mov	esi, 80000h

loc_500D14:				; CODE XREF: MmRaisePoolQuota(x,x,x,x)+11j
		push	6
		pop	ecx
		call	MiFreePoolPagesLeft
		mov	ecx, eax
		mov	eax, 100000h
		cmp	esi, eax
		jnb	short loc_500D88

loc_500D27:				; CODE XREF: MmRaisePoolQuota(x,x,x,x)+8Ej
		shr	eax, 0Ch
		cmp	ecx, eax
		jbe	short loc_500D90
		mov	eax, dword_6CF38C
		lea	ecx, [eax+esi]
		cmp	ecx, eax
		jb	short loc_500D90
		mov	dword_6CF38C, ecx

loc_500D40:				; CODE XREF: MmRaisePoolQuota(x,x,x,x)+8Aj
		mov	ecx, [ebp+arg_C]
		mov	al, 1
		mov	edx, [ebp+arg_4]
		add	edx, esi
		mov	[ecx], edx

loc_500D4C:				; CODE XREF: MmRaisePoolQuota(x,x,x,x)+96j
		pop	esi
		pop	ebp
		retn	10h
; 

loc_500D51:				; CODE XREF: MmRaisePoolQuota(x,x,x,x)+Dj
		test	esi, esi
		jnz	short loc_500D5A
		mov	esi, 10000h

loc_500D5A:				; CODE XREF: MmRaisePoolQuota(x,x,x,x)+57j
		push	5
		pop	ecx
		call	MiFreePoolPagesLeft
		mov	ecx, eax
		mov	eax, 100000h
		cmp	esi, eax
		jnb	short loc_500D8C

loc_500D6D:				; CODE XREF: MmRaisePoolQuota(x,x,x,x)+92j
		shr	eax, 0Ch
		cmp	ecx, eax
		jbe	short loc_500D90
		mov	eax, dword_6CF390
		lea	ecx, [eax+esi]
		cmp	ecx, eax
		jb	short loc_500D90
		mov	dword_6CF390, ecx
		jmp	short loc_500D40
; 

loc_500D88:				; CODE XREF: MmRaisePoolQuota(x,x,x,x)+29j
		mov	eax, esi
		jmp	short loc_500D27
; 

loc_500D8C:				; CODE XREF: MmRaisePoolQuota(x,x,x,x)+6Fj
		mov	eax, esi
		jmp	short loc_500D6D
; 

loc_500D90:				; CODE XREF: MmRaisePoolQuota(x,x,x,x)+30j
					; MmRaisePoolQuota(x,x,x,x)+3Cj ...
		xor	al, al
		jmp	short loc_500D4C
_MmRaisePoolQuota@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspUnlockQuotaExpansion	proc near	; CODE XREF: PspReturnResourceQuota+40p
					; PspExpandQuota+64p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D665A SIZE 00000061 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		cmp	dword ptr [ecx], 0
		mov	al, dl
		push	esi
		lea	edx, [ecx+8]
		mov	byte ptr [ebp+var_4+3],	al
		push	edi
		mov	[ebp+var_8], edx
		jnz	loc_500F03
		mov	eax, large fs:124h
		mov	[ebp+var_28], eax
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_C], eax
		lock xadd [edx], eax
		test	al, 2
		jnz	loc_5D666D

loc_500DDF:				; CODE XREF: PspUnlockQuotaExpansion+D58DBj
					; PspUnlockQuotaExpansion+D58EBj
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	edx, 7FFFFFFCh
		jz	loc_500EF2
		mov	esi, large fs:124h
		mov	ecx, edx
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	edx, eax
		jb	short loc_500E2E
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_500F1F
		mov	eax, [ebp+var_20]
		cmp	edx, eax
		jb	short loc_500E2E
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_500F1F

loc_500E2E:				; CODE XREF: PspUnlockQuotaExpansion+75j
					; PspUnlockQuotaExpansion+8Bj
		or	eax, 0FFFFFFFFh

loc_500E31:				; CODE XREF: PspUnlockQuotaExpansion+199j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_500F32
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_500F45

loc_500E70:				; CODE XREF: PspUnlockQuotaExpansion+1B9j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	loc_5D6698
		or	[esi+1E4h], dl

loc_500EB6:				; CODE XREF: PspUnlockQuotaExpansion+1A6j
					; PspUnlockQuotaExpansion+D5910j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	loc_500F52

loc_500ECD:				; CODE XREF: PspUnlockQuotaExpansion+1F3j
					; PspUnlockQuotaExpansion+D5922j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_500EF2
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_500F92

loc_500EF2:				; CODE XREF: PspUnlockQuotaExpansion+56j
					; PspUnlockQuotaExpansion+150j	...
		mov	ecx, [ebp+var_28]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_500EFA:				; CODE XREF: PspUnlockQuotaExpansion+189j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_500F03:				; CODE XREF: PspUnlockQuotaExpansion+2Aj
		test	ds:byte_70EFC6,	1
		jnz	loc_5D665A
		xor	ecx, ecx
		lock and [edx],	ecx

loc_500F15:				; CODE XREF: PspUnlockQuotaExpansion+D58D4j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_500EFA
; 

loc_500F1F:				; CODE XREF: PspUnlockQuotaExpansion+80j
					; PspUnlockQuotaExpansion+94j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_C], eax
		jmp	loc_500E31
; 

loc_500F32:				; CODE XREF: PspUnlockQuotaExpansion+C4j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_500EB6
		jmp	loc_5D6684
; 

loc_500F45:				; CODE XREF: PspUnlockQuotaExpansion+D6j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_500E70
; 

loc_500F52:				; CODE XREF: PspUnlockQuotaExpansion+133j
		test	edi, 8000h
		jz	short loc_500F63
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_500F63:				; CODE XREF: PspUnlockQuotaExpansion+1C4j
		test	byte ptr [ebp+var_10+2], 1
		jnz	short loc_500F9C

loc_500F69:				; CODE XREF: PspUnlockQuotaExpansion+218j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_500F7D
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_500F7D:				; CODE XREF: PspUnlockQuotaExpansion+1DCj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_500ECD
		jmp	loc_5D66A9
; 

loc_500F92:				; CODE XREF: PspUnlockQuotaExpansion+158j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_500EF2
; 

loc_500F9C:				; CODE XREF: PspUnlockQuotaExpansion+1D3j
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	short loc_500F69
PspUnlockQuotaExpansion	endp


;  S U B	R O U T	I N E 


; __fastcall PspLockQuotaExpansion(x, x)
@PspLockQuotaExpansion@8 proc near	; CODE XREF: PspReturnResourceQuota+1Fp
					; PspExpandQuota+25p ...
		cmp	dword ptr [ecx], 0
		push	esi
		push	edi
		mov	esi, edx
		lea	edi, [ecx+8]
		jnz	short loc_500FD6
		mov	eax, large fs:124h
		mov	byte ptr [esi],	0
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, edi
		xor	edx, edx
		pop	edi
		pop	esi
		jmp	ExAcquirePushLockExclusiveEx
; 

loc_500FD6:				; CODE XREF: PspLockQuotaExpansion(x,x)+Aj
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	[esi], bl
		pop	ebx
		pop	edi
		pop	esi
		retn
@PspLockQuotaExpansion@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockAddressSpaceToo proc near		; CODE XREF: MiPrepareVadDelete+A7p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D66BB SIZE 00000079 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], esi
		dec	word ptr [esi+13Eh]
		nop
		and	[ebp+var_20], 0
		lea	edx, [ecx+134h]
		mov	eax, edx
		mov	[ebp+var_10], edx
		and	eax, 7FFFFFFCh
		mov	[ebp+var_14], 0FFFFFFFFh
		mov	[ebp+var_18], eax
		jz	loc_5D66BB
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jnz	short loc_5010DF
		mov	cl, [esi+1E4h]
		and	[ebp+var_1C], 0
		test	cl, cl
		jz	loc_501138

loc_501072:				; CODE XREF: MiLockAddressSpaceToo+163j
		movzx	ecx, cl
		bsf	eax, ecx
		imul	edi, eax, 30h
		btr	ecx, eax
		mov	[ebp+var_1C], eax
		mov	[esi+1E4h], cl
		add	edi, [esi+1E8h]

loc_50108D:				; CODE XREF: MiLockAddressSpaceToo+D56E0j
		test	edi, edi
		jz	short loc_5010E1
		mov	ecx, dword_6D07D0
		mov	eax, edx
		shr	eax, 15h
		cmp	edx, ecx
		jb	short loc_5010BE
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_5D66D1
		cmp	edx, ecx
		jb	short loc_5010BE
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_5D66D1

loc_5010BE:				; CODE XREF: MiLockAddressSpaceToo+B2j
					; MiLockAddressSpaceToo+C3j
		or	eax, 0FFFFFFFFh

loc_5010C1:				; CODE XREF: MiLockAddressSpaceToo+D56F0j
		mov	[edi+14h], eax
		nop
		mov	eax, [ebp+var_18]
		mov	[edi+10h], eax
		jmp	short loc_5010E9
; 

loc_5010CD:				; CODE XREF: MiLockAddressSpaceToo+155j
		xor	edi, edi
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5D66C2

loc_5010DF:				; CODE XREF: MiLockAddressSpaceToo+72j
		xor	edi, edi

loc_5010E1:				; CODE XREF: MiLockAddressSpaceToo+A3j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h

loc_5010E9:				; CODE XREF: MiLockAddressSpaceToo+DFj
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_20]
		push	eax
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_501112
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_50132D

loc_501112:				; CODE XREF: MiLockAddressSpaceToo+118j
					; MiLockAddressSpaceToo+346j
		mov	esi, [ebp+var_C]
		mov	edx, [ebp+var_10]

loc_501118:				; CODE XREF: MiLockAddressSpaceToo+D56D1j
		lock bts dword ptr [edx], 0
		jb	short loc_501154
		test	edi, edi
		jz	short loc_501127
		or	byte ptr [edi+0Eh], 1

loc_501127:				; CODE XREF: MiLockAddressSpaceToo+135j
		or	byte ptr [esi+304h], 1
		nop

loc_50112F:				; CODE XREF: MiLockAddressSpaceToo+32Dj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_501138:				; CODE XREF: MiLockAddressSpaceToo+80j
		lea	ecx, [esi+222h]
		cmp	byte ptr [ecx],	0
		jz	short loc_5010CD
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al
		jmp	loc_501072
; 

loc_501154:				; CODE XREF: MiLockAddressSpaceToo+131j
		test	edi, edi
		jz	short loc_501162
		mov	ecx, [ebp+var_10]
		mov	edx, edi
		call	KeAbPostReleaseEx

loc_501162:				; CODE XREF: MiLockAddressSpaceToo+16Aj
		mov	edx, [ebp+var_8]
		or	eax, 0FFFFFFFFh
		and	byte ptr [esi+304h], 7Fh
		add	edx, 18h
		mov	[ebp+var_8], edx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_501189
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_8]

loc_501189:				; CODE XREF: MiLockAddressSpaceToo+191j
		xor	edi, edi
		mov	[ebp+var_18], edi
		test	edx, 7FFFFFFCh
		jz	loc_5D672C
		mov	esi, large fs:124h
		mov	eax, edx
		mov	ecx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_28], esi
		cmp	edx, ecx
		jb	loc_501337
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_5011D5
		cmp	edx, ecx
		jb	loc_501337
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jnz	loc_501337

loc_5011D5:				; CODE XREF: MiLockAddressSpaceToo+1D2j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_14], eax

loc_5011E3:				; CODE XREF: MiLockAddressSpaceToo+34Ej
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	loc_50133F
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_501226
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_24]

loc_501226:				; CODE XREF: MiLockAddressSpaceToo+230j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_18], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5D66F5
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_501272:				; CODE XREF: MiLockAddressSpaceToo+35Bj
					; MiLockAddressSpaceToo+D571Bj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_28], eax
		jz	loc_501352
		test	edi, 8000h
		jz	short loc_50129A
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_50129A:				; CODE XREF: MiLockAddressSpaceToo+2A3j
		test	byte ptr [ebp+var_18+2], 1
		jnz	loc_5D670C

loc_5012A4:				; CODE XREF: MiLockAddressSpaceToo+D572Aj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5012B8
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5012B8:				; CODE XREF: MiLockAddressSpaceToo+2BFj
		test	dword ptr ds:byte_70EFC4, 200h
		mov	edi, [ebp+var_8]
		jnz	loc_5D671B

loc_5012CB:				; CODE XREF: MiLockAddressSpaceToo+369j
					; MiLockAddressSpaceToo+D573Bj
		nop
		add	word ptr [esi+13Eh], 1
		jz	short loc_50131E

loc_5012D6:				; CODE XREF: MiLockAddressSpaceToo+338j
					; MiLockAddressSpaceToo+33Fj
		mov	esi, [ebp+var_C]

loc_5012D9:				; CODE XREF: MiLockAddressSpaceToo+D5743j
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		dec	word ptr [esi+13Eh]
		nop
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi+304h], 1
		nop
		dec	word ptr [esi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi+304h], 80h
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_50112F
; 

loc_50131E:				; CODE XREF: MiLockAddressSpaceToo+2E8j
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5012D6
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_5012D6
; 

loc_50132D:				; CODE XREF: MiLockAddressSpaceToo+120j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_501112
; 

loc_501337:				; CODE XREF: MiLockAddressSpaceToo+1C5j
					; MiLockAddressSpaceToo+1D6j ...
		or	eax, 0FFFFFFFFh
		jmp	loc_5011E3
; 

loc_50133F:				; CODE XREF: MiLockAddressSpaceToo+21Ej
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_501272
		jmp	loc_5D66E1
; 

loc_501352:				; CODE XREF: MiLockAddressSpaceToo+297j
		mov	edi, [ebp+var_8]
		jmp	loc_5012CB
MiLockAddressSpaceToo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReduceMappedFileReadAhead(x, x, x)
_MiReduceMappedFileReadAhead@12	proc near
					; CODE XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x)+240p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		mov	eax, edx
		push	ebx
		push	edi
		push	1
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		push	eax
		push	ebx
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	edi, [ebx]
		sub	edi, 1
		jz	short loc_5013AD
		push	esi

loc_50137F:				; CODE XREF: MiReduceMappedFileReadAhead(x,x,x)+67j
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		push	ebx
		call	RtlFindLastBackwardRunClear
		mov	edi, [ebp+var_4]
		mov	esi, eax
		mov	eax, [ebp+arg_0]
		cmp	esi, eax
		jbe	short loc_50139F
		sub	esi, eax
		add	edi, esi
		mov	esi, eax
		mov	[ebp+var_4], edi

loc_50139F:				; CODE XREF: MiReduceMappedFileReadAhead(x,x,x)+3Aj
		push	esi
		push	edi
		push	ebx
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		sub	[ebp+arg_0], esi
		jnz	short loc_5013BE

loc_5013AC:				; CODE XREF: MiReduceMappedFileReadAhead(x,x,x)+69j
		pop	esi

loc_5013AD:				; CODE XREF: MiReduceMappedFileReadAhead(x,x,x)+22j
		push	1
		push	[ebp+var_8]
		push	ebx
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		pop	edi
		pop	ebx
		leave
		retn	4
; 

loc_5013BE:				; CODE XREF: MiReduceMappedFileReadAhead(x,x,x)+50j
		sub	edi, 1
		jnz	short loc_50137F
		jmp	short loc_5013AC
_MiReduceMappedFileReadAhead@12	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2084. RtlFindLastBackwardRunClear

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlFindLastBackwardRunClear
RtlFindLastBackwardRunClear proc near	; CODE XREF: MiReduceMappedFileReadAhead(x,x,x)+2Bp
					; MiAttemptPageFileReductionApc(x,x,x)+1AAp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D6734 SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		cmp	[ebx], esi
		jbe	loc_5D6734
		mov	ebx, [ebx+4]
		mov	eax, esi
		shr	eax, 5
		lea	edx, [ebx+eax*4]
		cmp	edx, ebx
		jz	short loc_501403
		mov	eax, esi
		and	eax, 1Fh
		mov	eax, ds:dword_40BA6C[eax*4]
		not	eax
		or	eax, [edx]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_50145F

loc_501403:				; CODE XREF: RtlFindLastBackwardRunClear+22j
					; RtlFindLastBackwardRunClear+52j ...
		cmp	esi, 0FFFFFFFFh
		jz	short loc_50141E
		mov	eax, esi
		mov	ecx, esi
		shr	eax, 5
		and	ecx, 1Fh
		mov	eax, [ebx+eax*4]
		sar	eax, cl
		test	al, 1
		jz	short loc_50141E
		dec	esi
		jmp	short loc_501403
; 

loc_50141E:				; CODE XREF: RtlFindLastBackwardRunClear+3Cj
					; RtlFindLastBackwardRunClear+4Fj
		mov	eax, esi
		and	eax, 1Fh
		push	edi
		mov	edi, esi
		mov	eax, ds:dword_40BA68[eax*4]
		test	[edx], eax
		jz	short loc_501477

loc_501431:				; CODE XREF: RtlFindLastBackwardRunClear+80j
					; RtlFindLastBackwardRunClear+B8j ...
		cmp	edi, 0FFFFFFFFh
		jz	short loc_50144C
		mov	eax, edi
		mov	ecx, edi
		shr	eax, 5
		and	ecx, 1Fh
		mov	eax, [ebx+eax*4]
		sar	eax, cl
		test	al, 1
		jnz	short loc_50144C
		dec	edi
		jmp	short loc_501431
; 

loc_50144C:				; CODE XREF: RtlFindLastBackwardRunClear+6Aj
					; RtlFindLastBackwardRunClear+7Dj
		mov	ecx, [ebp+arg_8]
		lea	edx, [edi+1]
		sub	esi, edi
		mov	eax, esi
		pop	edi
		mov	[ecx], edx

loc_501459:				; CODE XREF: RtlFindLastBackwardRunClear+D5371j
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_50145F:				; CODE XREF: RtlFindLastBackwardRunClear+37j
		and	esi, 0FFFFFFE0h
		dec	esi
		sub	edx, 4

loc_501466:				; CODE XREF: RtlFindLastBackwardRunClear+ABj
		cmp	edx, ebx
		jbe	short loc_501403
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	short loc_501403
		sub	edx, 4
		sub	esi, 20h
		jmp	short loc_501466
; 

loc_501477:				; CODE XREF: RtlFindLastBackwardRunClear+65j
		mov	edi, esi
		and	edi, 0FFFFFFE0h
		dec	edi
		sub	edx, 4

loc_501480:				; CODE XREF: RtlFindLastBackwardRunClear+C5j
		cmp	edx, ebx
		jbe	short loc_501431
		cmp	dword ptr [edx], 0
		jnz	short loc_501431
		sub	edx, 4
		sub	edi, 20h
		jmp	short loc_501480
RtlFindLastBackwardRunClear endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSetTypeSpecificFoExtension(x, x,	x)
_IopSetTypeSpecificFoExtension@12 proc near ; CODE XREF: IopGetSetSpecificExtension+86p
					; IoSetOplockKeyContext(x,x,x)+C1p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	edx, 8
		ja	short loc_5014BA
		lea	ecx, [ecx+edx*4]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		add	ecx, 4
		lock cmpxchg [ecx], esi
		neg	eax
		pop	esi
		sbb	eax, eax
		and	eax, 0C0000001h

loc_5014B6:				; CODE XREF: IopSetTypeSpecificFoExtension(x,x,x)+2Dj
		pop	ebp
		retn	4
; 

loc_5014BA:				; CODE XREF: IopSetTypeSpecificFoExtension(x,x,x)+8j
		mov	eax, 0C000000Dh
		jmp	short loc_5014B6
_IopSetTypeSpecificFoExtension@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiChooseLowestRankedThread proc	near	; CODE XREF: KiGroupSchedulingQuantumEnd+237p
					; KiGroupSchedulingQuantumEnd+2D0p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D6740 SIZE 0000006C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, [ebx+50h]
		mov	[ebp+var_C], esi
		test	edi, edi
		jz	short loc_50153C
		add	edi, [esi+3B34h]
		mov	[ebp+var_10], edi
		jz	short loc_50153C
		mov	eax, large fs:20h
		xor	ecx, ecx
		cmp	esi, eax
		jnz	loc_5D6740

loc_5014F6:				; CODE XREF: KiChooseLowestRankedThread+D528Aj
		mov	byte ptr [ebp+var_8], 1

loc_5014FA:				; CODE XREF: KiChooseLowestRankedThread+D5284j
		push	ecx
		push	[ebp+var_8]
		mov	edx, edi
		push	ecx
		mov	ecx, ebx
		call	_KiGetThreadEffectiveRankNonZero@20 ; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)
		test	eax, eax
		jz	short loc_50153C
		xor	ecx, ecx
		mov	edx, esi
		inc	ecx
		call	KiSelectReadyThread
		test	eax, eax
		jnz	short loc_50153E
		mov	eax, [edi+0F8h]
		add	esi, 3CE8h
		xor	edx, edx
		inc	edx
		mov	ecx, [eax+60h]
		mov	eax, [esi+4]
		mov	[ebp+var_8], ecx
		test	al, dl
		jnz	short loc_501545
		mov	esi, eax

loc_501538:				; CODE XREF: KiChooseLowestRankedThread+8Bj
		test	esi, esi
		jnz	short loc_50154F

loc_50153C:				; CODE XREF: KiChooseLowestRankedThread+17j
					; KiChooseLowestRankedThread+22j ...
		xor	eax, eax

loc_50153E:				; CODE XREF: KiChooseLowestRankedThread+56j
					; KiChooseLowestRankedThread+C2j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_501545:				; CODE XREF: KiChooseLowestRankedThread+72j
		cmp	eax, edx
		jz	short loc_50153C
		or	esi, edx
		xor	esi, eax
		jmp	short loc_501538
; 

loc_50154F:				; CODE XREF: KiChooseLowestRankedThread+78j
		lea	edi, [esi-50h]
		cmp	[edi+60h], ecx
		jb	short loc_5015C8
		jnz	short loc_50153C
		movsx	eax, byte ptr [ebx+87h]
		cmp	[ebp+arg_0], eax
		jl	loc_5D6776
		mov	eax, [ebp+arg_0]

loc_50156C:				; CODE XREF: KiChooseLowestRankedThread+D52B7j
		mov	ebx, [ebp+var_C]

loc_50156F:				; CODE XREF: KiChooseLowestRankedThread+D52E5j
		push	eax
		mov	edx, edi
		mov	ecx, ebx
		call	_KiSelectThreadFromSchedulingGroup@12 ;	KiSelectThreadFromSchedulingGroup(x,x,x)
		mov	edx, [ebp+var_10]
		cmp	edi, edx
		jnz	short loc_50158C
		mov	cl, 1

loc_501582:				; CODE XREF: KiChooseLowestRankedThread+D52CEj
		test	eax, eax
		jnz	short loc_50153E
		test	cl, cl
		jnz	short loc_50153C
		jmp	short loc_5015AA
; 

loc_50158C:				; CODE XREF: KiChooseLowestRankedThread+BCj
		mov	byte ptr [ebp+var_1], 0
		test	eax, eax
		jnz	short loc_50153E
		lea	ecx, [edi+0ECh]
		test	byte ptr [ecx+4], 1
		mov	eax, [ecx]
		jnz	short loc_5015F4

loc_5015A2:				; CODE XREF: KiChooseLowestRankedThread+138j
		test	eax, eax
		jnz	loc_5D677E

loc_5015AA:				; CODE XREF: KiChooseLowestRankedThread+C8j
					; KiChooseLowestRankedThread+134j
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jz	short loc_5015E4

loc_5015B3:				; CODE XREF: KiChooseLowestRankedThread+F7j
		mov	esi, eax
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5015B3

loc_5015BB:				; CODE XREF: KiChooseLowestRankedThread+128j
					; KiChooseLowestRankedThread+12Cj
		test	esi, esi
		jz	loc_50153C
		jmp	loc_5D6795
; 

loc_5015C8:				; CODE XREF: KiChooseLowestRankedThread+93j
		xor	ebx, ebx

loc_5015CA:				; CODE XREF: KiChooseLowestRankedThread+D52AFj
		cmp	[edi+5Eh], bx
		jz	loc_5D6751
		mov	ecx, [ebp+var_C]
		mov	edx, edi
		push	ebx
		call	_KiSelectThreadFromSchedulingGroup@12 ;	KiSelectThreadFromSchedulingGroup(x,x,x)
		jmp	loc_50153E
; 

loc_5015E4:				; CODE XREF: KiChooseLowestRankedThread+EFj
					; KiChooseLowestRankedThread+130j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	short loc_5015BB
		cmp	[esi], ecx
		jz	short loc_5015BB
		mov	ecx, esi
		jmp	short loc_5015E4
; 

loc_5015F4:				; CODE XREF: KiChooseLowestRankedThread+DEj
		test	eax, eax
		jz	short loc_5015AA
		xor	eax, ecx
		jmp	short loc_5015A2
KiChooseLowestRankedThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockProtoPage(x, x, x)
_MiLockProtoPage@12 proc near		; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+350p
					; MiGetWorkingSetInfoList(x,x,x,x)+AC9p ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+80h]
		mov	edi, ecx
		mov	[ebp+var_4], eax
		test	edx, edx
		jz	short loc_501675
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		mov	ecx, [edx-40000000h]
		nop
		mov	eax, [edx-3FFFFFFCh]
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	esi, ecx, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, esi
		mov	bl, al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, 7FFFFFFFh
		lea	ecx, [esi+10h]
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jnz	short loc_501697
		xor	eax, eax

loc_50166E:				; CODE XREF: MiLockProtoPage(x,x,x)+99j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_501675:				; CODE XREF: MiLockProtoPage(x,x,x)+1Dj
					; MiLockProtoPage(x,x,x)+9Ej
		mov	dl, [ebp+arg_0]
		lea	esi, [eax+240h]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	ecx, edi
		call	MiMakeProtoAddressValid
		mov	ecx, esi
		call	MiLockWorkingSetShared
		mov	eax, edi
		jmp	short loc_50166E
; 

loc_501697:				; CODE XREF: MiLockProtoPage(x,x,x)+6Ej
		mov	eax, [ebp+var_4]
		jmp	short loc_501675
_MiLockProtoPage@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMakeProtoAddressValid	proc near	; CODE XREF: MiLockProtoPage(x,x,x)+8Bp

var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D67AC SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	esi, eax
		mov	[esp+1Ch+var_4], eax
		shr	esi, 9
		push	edi
		and	esi, offset loc_7FFFF8

loc_5016BB:				; CODE XREF: MiMakeProtoAddressValid+57j
					; MiMakeProtoAddressValid+70j ...
		and	[esp+20h+var_10], 0
		and	[esp+20h+var_C], 0
		mov	edi, [esi-40000000h]
		nop
		mov	ecx, [esi-3FFFFFFCh]
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	loc_5017AB
		nop
		mov	ebx, edi
		shrd	ebx, ecx, 0Ch
		and	ebx, 1FFFFFFh
		cmp	ebx, dword_6D07B0
		ja	short loc_5016BB
		mov	eax, dword_6D35B8
		mov	edx, ebx
		shr	edx, 5
		mov	ecx, ebx
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_5016BB
		and	edi, 200h
		or	edi, 0
		jnz	loc_5017AB
		imul	edi, ebx, 1Ch
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		and	[esp+20h+var_10], 0
		mov	dl, al
		and	[esp+20h+var_C], 0
		mov	ecx, [esi-40000000h]
		mov	[esp+20h+var_11], dl
		nop
		mov	eax, [esi-3FFFFFFCh]
		mov	[esp+20h+var_10], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_5D67AC
		mov	eax, ecx
		and	eax, 200h
		or	eax, 0
		jnz	loc_5D67AC
		nop
		mov	eax, [esp+20h+var_10]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		cmp	ebx, ecx
		jnz	loc_5D67AC
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		lea	ecx, [edi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, [esp+20h+var_11]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5017AB:				; CODE XREF: MiMakeProtoAddressValid+3Ej
					; MiMakeProtoAddressValid+7Bj ...
		push	0
		push	0
		push	[esp+28h+var_4]
		push	2
		call	MmAccessFault
		jmp	loc_5016BB
MiMakeProtoAddressValid	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1802. PsGetProcessImageFileName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessImageFileName(x)
		public _PsGetProcessImageFileName@4
_PsGetProcessImageFileName@4 proc near	; CODE XREF: ObCheckRefTraceProcess+14A910p
					; PiUEventHandleVetoEvent(x,x,x,x,x)+110p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		add	eax, 1ACh
		pop	ebp
		retn	4
_PsGetProcessImageFileName@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopSymlinkGetECP(x,	x)
_IopSymlinkGetECP@8 proc near		; CODE XREF: IopSymlinkRememberJunction+125p
					; IopGraftName(x,x,x)+64p ...
		push	0
		push	edx
		push	(offset	loc_A3F6CF+1)
		push	ecx
		call	_FsRtlFindExtraCreateParameter@16 ; FsRtlFindExtraCreateParameter(x,x,x,x)
		retn
_IopSymlinkGetECP@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KeQueryCycleTimeStatsProcessor(x, x)
_KeQueryCycleTimeStatsProcessor@8 proc near ; CODE XREF: PAGE:00781B6Dp
					; PopEtIsrDpcQuery(x,x)+71p
		mov	edi, edi
		push	esi
		push	edi
		push	4
		add	ecx, 3B98h
		pop	edi

loc_5017F3:				; CODE XREF: KeQueryCycleTimeStatsProcessor(x,x)+28j
		push	2
		pop	esi

loc_5017F6:				; CODE XREF: KeQueryCycleTimeStatsProcessor(x,x)+23j
		mov	eax, [ecx]
		mov	[edx], eax
		mov	eax, [ecx+4]
		add	ecx, 8

loc_501800:				; DATA XREF: EtwpEnumerateAddressSpace+162435o
					; EtwTraceThreadSetName:loc_76296Do
		mov	[edx+4], eax
		add	edx, 8
		sub	esi, 1
		jnz	short loc_5017F6
		sub	edi, 1
		jnz	short loc_5017F3
		pop	edi
		pop	esi
		retn
_KeQueryCycleTimeStatsProcessor@8 endp

; 
		align 8
; Exported entry 1393. MmDisableModifiedWriteOfSection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmDisableModifiedWriteOfSection(x)
		public _MmDisableModifiedWriteOfSection@4
_MmDisableModifiedWriteOfSection@4 proc	near ; CODE XREF: CcInitializeCacheMapEx+955p

var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp-1]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_1], 0
		inc	ebx
		push	eax
		mov	edx, ebx
		call	MiLockSectionControlArea
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_501863
		cmp	dword ptr [ecx+14h], 0
		mov	eax, [ecx+1Ch]
		jnz	short loc_501867
		or	eax, 8
		mov	[ecx+1Ch], eax

loc_50184A:				; CODE XREF: MmDisableModifiedWriteOfSection(x)+56j
		lea	eax, [ecx+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, bl

loc_50185E:				; CODE XREF: MmDisableModifiedWriteOfSection(x)+4Dj
		pop	ebx
		leave
		retn	4
; 

loc_501863:				; CODE XREF: MmDisableModifiedWriteOfSection(x)+21j
		xor	al, al
		jmp	short loc_50185E
; 

loc_501867:				; CODE XREF: MmDisableModifiedWriteOfSection(x)+2Aj
		shr	eax, 3
		and	al, 1
		mov	bl, al
		jmp	short loc_50184A
_MmDisableModifiedWriteOfSection@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpGetContextFlagsLocation(x, x)
_RtlpGetContextFlagsLocation@8 proc near ; CODE	XREF: RtlCopyContext+2Ep
					; RtlCopyContext+3Bp
		mov	eax, ecx
		retn
_RtlpGetContextFlagsLocation@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ObpReferenceNamedObject(x)
_ObpReferenceNamedObject@4 proc	near	; CODE XREF: ObpInsertOrLocateNamedObject+27Fp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, 746C6644h
		lea	ecx, [esi+18h]
		call	ObfReferenceObjectWithTag
		movzx	eax, byte ptr [esi+0Eh]
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	esi, eax
		add	esi, 0Ch
		lock inc dword ptr [esi]
		pop	esi
		retn
_ObpReferenceNamedObject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfLogDeleteHelper(x, x, x, x)
_PfLogDeleteHelper@16 proc near		; CODE XREF: PfFileInfoNotify+5F9p
					; PfFileInfoNotify+752p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		push	18h
		mov	ebx, edx
		mov	edi, ecx
		push	eax
		lea	edx, [ebp+var_4]
		mov	ecx, offset unk_6D4320
		call	PfFbLogEntryReserve
		mov	esi, eax
		test	esi, esi
		js	short loc_501918
		mov	esi, [ebp+var_8]
		and	edi, 3
		mov	eax, [ebp+arg_4]
		shl	eax, 2
		or	edi, eax
		mov	[esi+10h], edi
		mov	[esi+14h], ebx
		mov	eax, [esi]
		and	eax, 800000C3h
		or	eax, 0C3h
		mov	[esi], eax
		call	_PFP_GET_CURRENT_TIME@0	; PFP_GET_CURRENT_TIME()
		mov	ecx, [ebp+var_4]
		mov	[esi+4], eax
		mov	eax, [ebp+arg_0]
		push	18h
		mov	[esi+8], eax

loc_501902:				; DATA XREF: EtwTraceProcessTerminate(x)+26o
					; EtwTraceInswapProcess(x)+2Co	...
		call	_PfFbLogEntryComplete@12 ; PfFbLogEntryComplete(x,x,x)
		xor	ecx, ecx
		xor	esi, esi

loc_50190B:				; CODE XREF: PfLogDeleteHelper(x,x,x,x)+7Dj
		test	ecx, ecx
		jnz	short loc_50191D

loc_50190F:				; CODE XREF: PfLogDeleteHelper(x,x,x,x)+86j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_501918:				; CODE XREF: PfLogDeleteHelper(x,x,x,x)+2Dj
		mov	ecx, [ebp+var_4]
		jmp	short loc_50190B
; 

loc_50191D:				; CODE XREF: PfLogDeleteHelper(x,x,x,x)+6Fj
		push	0
		call	_PfFbLogEntryComplete@12 ; PfFbLogEntryComplete(x,x,x)
		jmp	short loc_50190F
_PfLogDeleteHelper@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCreateEventKey(x)
_EtwpCreateEventKey@4 proc near		; CODE XREF: .text:0052907Cp
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E8Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:20h
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+4054h]
		mov	[ebp+var_C], ecx
		add	edi, 8
		mov	[ebp+var_8], eax

loc_501946:				; CODE XREF: EtwpCreateEventKey(x)+40j
					; EtwpCreateEventKey(x)+44j
		mov	eax, [edi]
		mov	ebx, eax
		mov	esi, [edi+4]
		add	ebx, 1
		mov	ecx, esi
		mov	[ebp+var_4], eax
		adc	ecx, 0
		mov	edx, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, edx
		mov	edx, [ebp+var_4]
		cmp	eax, edx
		jnz	short loc_501946
		cmp	ecx, esi
		jnz	short loc_501946
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		pop	edi
		mov	ecx, [ecx+3CCh]
		shl	ecx, 10h
		add	edx, 1
		adc	esi, eax
		or	eax, edx
		mov	edx, [ebp+var_C]
		and	esi, 0FFFFh
		or	ecx, esi
		pop	esi
		pop	ebx
		mov	[edx], eax
		mov	[edx+4], ecx
		leave
		retn
_EtwpCreateEventKey@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhBucketGetSubsegment(x, x)
_RtlpHpLfhBucketGetSubsegment@8	proc near ; CODE XREF: RtlpHpLfhSlotAllocate+EDAp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ecx
		mov	[ebp+var_10], edx
		push	esi
		push	edi
		mov	[ebp+var_14], eax
		lea	edi, [eax+0Ch]
		cmp	[edi], edi
		jnz	short loc_5019CC
		xor	eax, eax

loc_5019C3:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+75j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_5019CC:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+29j
		lea	esi, [eax+8]
		mov	ecx, esi
		mov	[ebp+var_8], esi
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	edx, [edi]
		mov	byte ptr [ebp+var_4+3],	al
		cmp	edx, edi
		jz	loc_501BDB
		mov	ecx, [ebp+var_14]
		push	2
		call	RtlpHpLfhOwnerMoveSubsegment
		mov	[ebp+var_C], eax

loc_5019F3:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+249j
		cmp	[ebp+var_10], 0
		jz	short loc_501A0D
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]

loc_501A02:				; DATA XREF: EtwTraceAutoBoostClearFloor(x,x,x)+2Co
					; EtwTraceAutoBoostEntryExhaustion(x,x)+26o ...
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_501A08:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+A9j
		mov	eax, [ebp+var_C]
		jmp	short loc_5019C3
; 

loc_501A0D:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+61j
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_10], edx
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_501A26
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_501A26:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+87j
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	esi, 7FFFFFFCh
		jnz	short loc_501A41

loc_501A33:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+1C2j
					; RtlpHpLfhBucketGetSubsegment(x,x)+1CEj ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_501A08
; 

loc_501A41:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+9Bj
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], esi
		pop	edx
		jb	short loc_501ACA
		cmp	byte ptr dword_6D3994[ecx], 1
		jnz	short loc_501ACA

loc_501A6C:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+140j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_8]

loc_501A7F:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+137j
					; RtlpHpLfhBucketGetSubsegment(x,x)+142j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_501ADA
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_501B3C
		push	ecx
		push	[ebp+var_10]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_501ACA:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+CBj
					; RtlpHpLfhBucketGetSubsegment(x,x)+D4j
		cmp	eax, [ebp+var_30]
		jb	short loc_501A7F
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	short loc_501A6C
		jmp	short loc_501A7F
; 

loc_501ADA:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+112j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_501AF0
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_501AF0:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+150j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_501BC4
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_501B3C:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+11Cj
					; RtlpHpLfhBucketGetSubsegment(x,x)+240j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jnz	short loc_501B74

loc_501B4F:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+21Dj
					; RtlpHpLfhBucketGetSubsegment(x,x)+22Cj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	loc_501A33
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	loc_501A33
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_501A33
; 

loc_501B74:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+1B7j
		test	edi, 8000h
		jz	short loc_501B85
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_501B85:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+1E4j
		test	byte ptr [ebp+var_14+2], 1
		jz	short loc_501B95
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_501B95:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+1F3j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_501BA9
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_501BA9:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+206j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_501B4F
		push	[ebp+var_34]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_501B4F
; 

loc_501BC4:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+190j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_34]
		jmp	loc_501B3C
; 

loc_501BDB:				; CODE XREF: RtlpHpLfhBucketGetSubsegment(x,x)+4Aj
		and	[ebp+var_C], 0
		jmp	loc_5019F3
_RtlpHpLfhBucketGetSubsegment@8	endp


;  S U B	R O U T	I N E 


; __stdcall CcAllocateInitializeMbcb()
_CcAllocateInitializeMbcb@0 proc near	; CODE XREF: .text:loc_4A8556p
		mov	edi, edi
		push	esi
		push	edi
		push	624D6343h
		mov	edi, 88h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_501C3E
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, 2FBh
		lea	ecx, [esi+10h]
		mov	[esi], ax
		add	esp, 0Ch
		lea	eax, [esi+28h]
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ecx+4], eax
		lea	eax, [esi+48h]
		or	dword ptr [esi+38h], 0FFFFFFFFh
		or	dword ptr [esi+20h], 0FFFFFFFFh
		or	dword ptr [esi+24h], 0FFFFFFFFh
		mov	[esi+44h], eax
		mov	eax, esi

loc_501C3B:				; CODE XREF: CcAllocateInitializeMbcb()+5Cj
		pop	edi
		pop	esi
		retn
; 

loc_501C3E:				; CODE XREF: CcAllocateInitializeMbcb()+1Dj
		xor	eax, eax
		jmp	short loc_501C3B
_CcAllocateInitializeMbcb@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIsNextScheduledScbThread(x, x, x)
_KiIsNextScheduledScbThread@12 proc near ; CODE	XREF: KiDirectSwitchThread+9BEp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+3CECh]
		add	ecx, 3CE8h
		test	al, 1
		jnz	short loc_501C63
		mov	ecx, eax

loc_501C59:				; CODE XREF: KiIsNextScheduledScbThread(x,x,x)+2Bj
		test	ecx, ecx
		jnz	short loc_501C6F

loc_501C5D:				; CODE XREF: KiIsNextScheduledScbThread(x,x,x)+24j
		mov	al, 1

loc_501C5F:				; CODE XREF: KiIsNextScheduledScbThread(x,x,x)+3Cj
					; KiIsNextScheduledScbThread(x,x,x)+41j
		pop	ebp
		retn	4
; 

loc_501C63:				; CODE XREF: KiIsNextScheduledScbThread(x,x,x)+13j
		cmp	eax, 1
		jz	short loc_501C5D
		or	ecx, 1
		xor	ecx, eax
		jmp	short loc_501C59
; 

loc_501C6F:				; CODE XREF: KiIsNextScheduledScbThread(x,x,x)+19j
		cmp	[ecx+10h], edx
		jnz	short loc_501C80
		movzx	eax, word ptr [ecx+0Eh]
		cmp	eax, [ebp+arg_0]
		setb	al
		jmp	short loc_501C5F
; 

loc_501C80:				; CODE XREF: KiIsNextScheduledScbThread(x,x,x)+30j
		setnbe	al
		jmp	short loc_501C5F
_KiIsNextScheduledScbThread@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiSegSsToTrapFrame(x, x)
_KiSegSsToTrapFrame@8 proc near		; CODE XREF: KiDispatchException+547p
		test	dword ptr [ecx+70h], 20000h
		movzx	eax, dx
		jnz	short loc_501C9B
		test	byte ptr [ecx+6Ch], 1
		jz	short locret_501C9E
		or	eax, 3

loc_501C9B:				; CODE XREF: KiSegSsToTrapFrame(x,x)+Aj
		mov	[ecx+78h], eax

locret_501C9E:				; CODE XREF: KiSegSsToTrapFrame(x,x)+10j
		retn
_KiSegSsToTrapFrame@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1616. ObDereferenceObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObDereferenceObject(x)
		public _ObDereferenceObject@4
_ObDereferenceObject@4 proc near	; CODE XREF: ObpDeleteNameCheck+1A3p
					; ObReferenceObjectByNameEx+26Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		pop	ebp
		retn	4
_ObDereferenceObject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopIrpStackProfilerDpcRoutine(x, x,	x, x)
_IopIrpStackProfilerDpcRoutine@16 proc near ; DATA XREF: INIT:00AC29ABo

var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0A0h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_A4]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, ebx
		mov	edi, ebx
		mov	[ebp+var_A8], eax
		mov	esi, ebx
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	short loc_501D5D

loc_501CFD:				; CODE XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x)+9Bj
		mov	ecx, esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		test	eax, eax
		jz	short loc_501D4E
		mov	ecx, [eax+4658h]
		lea	edx, [eax+4608h]
		sub	ecx, [eax+46ACh]
		add	edi, ecx
		mov	ecx, ebx
		push	4
		adc	[ebp+var_A8], ebx
		mov	[ebp+var_AC], edi
		pop	edi

loc_501D2D:				; CODE XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x)+8Cj
		mov	eax, [edx]
		sub	eax, [edx+54h]
		add	[ebp+ecx*8+var_A4], eax
		adc	[ebp+ecx*8+var_A0], ebx
		inc	ecx
		add	edx, edi
		cmp	ecx, 14h
		jl	short loc_501D2D
		mov	edi, [ebp+var_AC]

loc_501D4E:				; CODE XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x)+4Cj
		inc	esi
		cmp	esi, ds:_KeNumberProcessors
		jb	short loc_501CFD
		mov	eax, [ebp+var_A8]

loc_501D5D:				; CODE XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x)+41j
		mov	ecx, _IopIrpStackProfilerSampleSize
		cmp	eax, ebx
		ja	short loc_501D75
		jb	loc_501E0A
		cmp	edi, ecx
		jbe	loc_501E0A

loc_501D75:				; CODE XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x)+ABj
		mov	edx, _IopIrpStackProfilerMinSizeThreshold
		mov	ecx, ebx

loc_501D7D:				; CODE XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x)+DBj
		cmp	[ebp+ecx*8+var_A0], ebx
		ja	short loc_501D97
		jb	short loc_501D91
		cmp	[ebp+ecx*8+var_A4], edx
		ja	short loc_501D97

loc_501D91:				; CODE XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x)+CCj
		inc	ecx
		cmp	ecx, 14h
		jl	short loc_501D7D

loc_501D97:				; CODE XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x)+CAj
					; IopIrpStackProfilerDpcRoutine(x,x,x,x)+D5j
		cmp	ecx, 14h
		jz	short loc_501E0A
		lea	ecx, [ebp+var_A4]
		call	IopProcessIrpStackProfiler
		mov	eax, _IopIrpStackProfilerMinSizeThreshold
		mov	ecx, 1900h
		add	eax, eax
		mov	_IopIrpStackProfilerMinSizeThreshold, eax
		cmp	eax, ecx
		jbe	short loc_501DC2
		mov	_IopIrpStackProfilerMinSizeThreshold, ecx

loc_501DC2:				; CODE XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x)+100j
		mov	eax, _IopIrpStackProfilerSampleSize
		mov	ecx, 7D00h
		add	eax, eax
		mov	_IopIrpStackProfilerSampleSize,	eax
		cmp	eax, ecx
		jbe	short loc_501DDD
		mov	_IopIrpStackProfilerSampleSize,	ecx

loc_501DDD:				; CODE XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x)+11Bj
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	short loc_501E0A

loc_501DE5:				; CODE XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x)+14Ej
		mov	ecx, ebx
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		test	eax, eax
		jz	short loc_501E01
		push	15h
		lea	esi, [eax+4608h]
		lea	edi, [eax+465Ch]
		pop	ecx
		rep movsd

loc_501E01:				; CODE XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x)+134j
		inc	ebx

loc_501E02:				; DATA XREF: EtwTraceDpcEnqueueEvent(x,x,x,x,x,x)+3Eo
		cmp	ebx, ds:_KeNumberProcessors
		jb	short loc_501DE5

loc_501E0A:				; CODE XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x)+ADj
					; IopIrpStackProfilerDpcRoutine(x,x,x,x)+B5j ...
		push	4
		mov	eax, offset _IopIrpStackProfilerFlags
		pop	ecx
		lock or	[eax], ecx
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_IopIrpStackProfilerDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopProcessIrpStackProfiler proc	near	; CODE XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x)+E8p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D67C4 SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	eax, ecx
		test	byte ptr _IopIrpStackProfilerFlags, 1
		mov	edx, esi
		mov	ecx, _IopMediumIrpStackLocations
		mov	ebx, esi
		push	edi
		mov	edi, _IopLargeIrpStackLocations
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		jz	short loc_501EA7
		push	0Ah
		pop	eax

loc_501E60:				; CODE XREF: IopProcessIrpStackProfiler+60j
		mov	esi, [ebp+var_4]
		mov	ecx, [esi+eax*8]
		mov	esi, [esi+eax*8+4]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_1C], esi
		cmp	esi, ebx
		jb	short loc_501E82
		ja	loc_501F0F
		cmp	ecx, edx
		ja	loc_501F0F

loc_501E82:				; CODE XREF: IopProcessIrpStackProfiler+4Cj
					; IopProcessIrpStackProfiler+F1j
		inc	eax
		cmp	eax, 14h
		jb	short loc_501E60
		mov	eax, _IopIrpStackProfilerMinSizeThreshold
		xor	esi, esi
		mov	ecx, [ebp+var_8]
		cmp	ebx, esi
		ja	short loc_501EA4
		jb	loc_5D67C4
		cmp	edx, eax
		jb	loc_5D67C4

loc_501EA4:				; CODE XREF: IopProcessIrpStackProfiler+6Ej
					; IopProcessIrpStackProfiler+D49A4j
		mov	eax, [ebp+var_4]

loc_501EA7:				; CODE XREF: IopProcessIrpStackProfiler+35j
		test	byte ptr _IopIrpStackProfilerFlags, 2
		jz	short loc_501EFA
		push	2
		pop	ebx
		cmp	edi, ebx
		jbe	short loc_501EFA
		mov	edx, esi
		mov	[ebp+var_1C], edx

loc_501EBC:				; CODE XREF: IopProcessIrpStackProfiler+D2j
		mov	eax, [eax+ebx*8]
		mov	ecx, ebx
		add	[ebp+var_10], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+ebx*8+4]
		adc	[ebp+var_C], eax
		xor	eax, eax
		push	[ebp+var_C]
		sub	ecx, edi
		push	[ebp+var_10]
		sbb	eax, edx
		push	eax
		push	ecx
		call	__allmul
		cmp	edx, [ebp+var_14]
		jg	short loc_501EEC
		jl	short loc_501F1C
		cmp	eax, esi
		jb	short loc_501F1C

loc_501EEC:				; CODE XREF: IopProcessIrpStackProfiler+BEj
		mov	ecx, [ebp+var_8]

loc_501EEF:				; CODE XREF: IopProcessIrpStackProfiler+100j
		mov	edx, [ebp+var_1C]
		inc	ebx
		mov	eax, [ebp+var_4]
		cmp	ebx, edi
		jb	short loc_501EBC

loc_501EFA:				; CODE XREF: IopProcessIrpStackProfiler+88j
					; IopProcessIrpStackProfiler+8Fj
		cmp	_IopLargeIrpStackLocations, edi
		jnz	short loc_501F30

loc_501F02:				; CODE XREF: IopProcessIrpStackProfiler+110j
		pop	edi
		pop	esi
		pop	ebx
		cmp	_IopMediumIrpStackLocations, ecx
		jnz	short loc_501F28
		leave
		retn
; 

loc_501F0F:				; CODE XREF: IopProcessIrpStackProfiler+4Ej
					; IopProcessIrpStackProfiler+56j
		mov	edx, [ebp+var_18]
		mov	edi, eax
		mov	ebx, [ebp+var_1C]
		jmp	loc_501E82
; 

loc_501F1C:				; CODE XREF: IopProcessIrpStackProfiler+C0j
					; IopProcessIrpStackProfiler+C4j
		mov	ecx, ebx
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], ecx
		mov	esi, eax
		jmp	short loc_501EEF
; 

loc_501F28:				; CODE XREF: IopProcessIrpStackProfiler+E5j
		mov	_IopMediumIrpStackLocations, ecx
		leave
		retn
; 

loc_501F30:				; CODE XREF: IopProcessIrpStackProfiler+DAj
		mov	_IopLargeIrpStackLocations, edi
		jmp	short loc_501F02
IopProcessIrpStackProfiler endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiEntropyDpcRoutine(x, x, x, x)
_KiEntropyDpcRoutine@16	proc near	; DATA XREF: KiInitPrcb(x,x)+267o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, [edi]
		nop
		shr	esi, 0Ah
		dec	esi
		and	esi, 1
		cmp	esi, [edi+124h]
		jz	short loc_501F70
		mov	eax, esi
		shl	eax, 7
		add	eax, 4
		push	80h
		add	eax, edi
		push	eax
		call	ds:_KiEntropyTimingRoutine
		mov	[edi+124h], esi

loc_501F70:				; CODE XREF: KiEntropyDpcRoutine(x,x,x,x)+1Aj
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_KiEntropyDpcRoutine@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPaeInitializeProcessShadow(x, x)
_MiPaeInitializeProcessShadow@8	proc near ; CODE XREF: MiInitializePageDirectoryPages+1F8p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ecx+194h]
		push	esi
		push	edi
		push	8
		lea	edi, [ebx+20h]
		mov	[ebp+var_4], edx
		pop	ecx
		mov	esi, ebx
		rep movsd
		cmp	dword_6D07D0, 0C0000000h
		mov	edi, 1FFFFFFh
		jnb	short loc_501FCD
		mov	esi, dword_6D0624
		xor	edx, edx
		mov	ecx, [ebx+30h]
		and	esi, edi
		mov	eax, [ebx+34h]
		and	ecx, 0FFFh
		shld	edx, esi, 0Ch
		and	eax, 0FFFFFFE0h
		shl	esi, 0Ch
		or	esi, ecx
		or	edx, eax
		mov	[ebx+30h], esi
		mov	[ebx+34h], edx

loc_501FCD:				; CODE XREF: MiPaeInitializeProcessShadow(x,x)+2Bj
		mov	esi, [ebp+var_4]
		xor	edx, edx
		mov	ecx, [ebx+38h]
		and	esi, edi
		mov	eax, [ebx+3Ch]
		and	ecx, 0FFFh
		shld	edx, esi, 0Ch
		and	eax, 0FFFFFFE0h
		shl	esi, 0Ch
		or	esi, ecx
		or	edx, eax
		pop	edi
		mov	[ebx+38h], esi
		pop	esi
		mov	[ebx+3Ch], edx
		pop	ebx
		leave
		retn
_MiPaeInitializeProcessShadow@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiQueryPfn(x, x)
_MiQueryPfn@8	proc near		; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+B0Dp
					; MiGetWorkingSetInfoList(x,x,x,x)+B91p
		imul	ecx, 1Ch
		push	esi
		mov	esi, edx
		add	ecx, ds:_MmPfnDatabase
		test	byte ptr [ecx+17h], 40h
		jnz	short loc_502055
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	short loc_502055

loc_502015:				; CODE XREF: MiQueryPfn(x,x)+62j
		mov	edx, [esi+4]
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		shl	eax, 18h
		xor	eax, edx
		and	eax, 7000000h
		xor	eax, edx
		xor	edx, edx
		mov	[esi+4], eax
		mov	cl, [ecx+16h]
		and	cl, 7
		cmp	cl, 3
		setz	dl
		and	eax, 0F7FFFFFFh
		shl	edx, 1Bh
		or	edx, eax
		and	edx, 0FF7FFFFFh
		or	edx, 400000h
		mov	[esi+4], edx
		pop	esi
		retn
; 

loc_502055:				; CODE XREF: MiQueryPfn(x,x)+10j
					; MiQueryPfn(x,x)+19j
		or	dword ptr [esi+4], 80000000h
		jmp	short loc_502015
_MiQueryPfn@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiContextToNpxFrame proc near		; CODE XREF: KiInitializeContextThread+18Fp
					; KeContextToKframes+262p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D67CF SIZE 000001A1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, edx
		mov	edx, ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	ecx, 10040h
		mov	[ebp+var_1C], eax
		and	eax, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		cmp	eax, ecx
		jz	short loc_5020E6

loc_502081:				; CODE XREF: KiContextToNpxFrame+ADj
		mov	eax, [ebp+var_1C]
		mov	ecx, 10020h
		and	eax, ecx
		mov	byte ptr [ebp+arg_8+3],	0
		cmp	eax, ecx
		jnz	short loc_5020CE
		push	48h
		lea	esi, [edx+0CCh]
		mov	edi, ebx
		pop	ecx
		rep movsd
		mov	eax, ds:_KiMxCsrMask
		and	[ebx+18h], eax
		mov	eax, ds:_KeFeatureBits
		and	eax, 400000h
		or	eax, 0
		jz	short loc_5020CA
		mov	eax, [ebx+204h]
		or	dword ptr [ebx+200h], 3
		mov	[ebx+204h], eax

loc_5020CA:				; CODE XREF: KiContextToNpxFrame+57j
		mov	byte ptr [ebp+arg_8+3],	1

loc_5020CE:				; CODE XREF: KiContextToNpxFrame+33j
		mov	eax, [ebp+var_1C]
		mov	ecx, 10008h
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_502110

loc_5020DC:				; CODE XREF: KiContextToNpxFrame+CBj
					; KiContextToNpxFrame+E0j
		mov	al, byte ptr [ebp+arg_8+3]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_5020E6:				; CODE XREF: KiContextToNpxFrame+21j
		mov	ecx, [ebp+arg_0]
		lea	esi, [edx+0CCh]
		add	esi, [edx+2DCh]
		and	ecx, 0FFFFFFFCh
		mov	edx, [ebp+arg_4]
		mov	eax, ecx
		or	eax, edx
		mov	[ebp+var_C], esi
		jnz	loc_5D67CF

loc_502108:				; CODE XREF: KiContextToNpxFrame+D48A2j
					; KiContextToNpxFrame+D48BAj ...
		mov	edx, [ebp+var_4]
		jmp	loc_502081
; 

loc_502110:				; CODE XREF: KiContextToNpxFrame+7Cj
		add	edx, 1Ch
		mov	ecx, ebx
		call	_RtlFnToFxFrame@8 ; RtlFnToFxFrame(x,x)
		mov	ecx, ds:_KeFeatureBits
		and	ecx, 400000h
		or	ecx, 0
		jz	short loc_5020DC
		mov	ecx, [ebx+204h]
		or	dword ptr [ebx+200h], 1
		mov	[ebx+204h], ecx
		jmp	short loc_5020DC
KiContextToNpxFrame endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFnToFxFrame(x, x)
_RtlFnToFxFrame@8 proc near		; CODE XREF: KiContextToNpxFrame+B7p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	ax, [edx]
		mov	[ecx], ax
		mov	ax, [edx+4]
		mov	[ecx+2], ax
		mov	eax, [edx+0Ch]
		mov	[ecx+8], eax
		mov	ax, [edx+10h]
		mov	[ecx+0Ch], ax
		mov	ax, [edx+12h]
		mov	[ecx+6], ax
		mov	eax, [edx+14h]
		mov	[ecx+10h], eax
		mov	ax, [edx+18h]
		mov	[ecx+14h], ax
		movzx	eax, word ptr [edx+8]
		push	ebx
		mov	[ebp+var_C], eax
		xor	bl, bl
		lea	eax, [ecx+20h]
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+var_C]
		add	edx, 1Ch
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], 8

loc_50219C:				; CODE XREF: RtlFnToFxFrame(x,x)+8Aj
		mov	edi, eax
		mov	esi, edx
		mov	eax, ecx
		movsd
		movsd
		movsw
		mov	esi, 0C000h
		and	eax, esi
		cmp	ax, si
		setnz	al
		add	bl, bl
		add	bl, al
		shl	ecx, 2
		mov	eax, [ebp+var_4]
		add	edx, 0Ah
		add	eax, 10h
		sub	[ebp+var_8], 1
		mov	[ebp+var_4], eax
		jnz	short loc_50219C
		mov	ecx, [ebp+var_10]
		pop	edi
		pop	esi
		mov	[ecx+4], bl
		pop	ebx
		leave
		retn
_RtlFnToFxFrame@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; public: static void __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmDrainSList(union _SLIST_HEADER *, unsigned long)
?SmDrainSList@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAT_SLIST_HEADER@@K@Z proc near
					; CODE XREF: MiWriteComplete+4ECp
					; MiModifiedPageWriter+280p ...
		mov	edi, edi
		push	edi
		xor	edi, edi
		test	edx, edx
		jnz	short loc_5021E9
		cmp	[ecx+4], di
		jnz	short loc_5021E9
		pop	edi
		retn
; 

loc_5021E9:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmDrainSList(_SLIST_HEADER *,ulong)+7j
					; SMKM_STORE_MGR<SM_TRAITS>::SmDrainSList(_SLIST_HEADER	*,ulong)+Dj
		push	esi
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	esi, eax
		jmp	short loc_5021FE
; 

loc_5021F3:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmDrainSList(_SLIST_HEADER *,ulong)+28j
		mov	ecx, esi
		mov	esi, [esi]
		push	edi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5021FE:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmDrainSList(_SLIST_HEADER *,ulong)+19j
		test	esi, esi
		jnz	short loc_5021F3
		pop	esi
		pop	edi
		retn
?SmDrainSList@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAT_SLIST_HEADER@@K@Z endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcAdjustThrottle proc near		; CODE XREF: CcLazyWriteScan+1D3p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D6970 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	ecx, [ebx+0Ch]
		mov	esi, [ebx]
		mov	edi, [ebx+4]
		mov	[ebp+var_8], ecx
		mov	ecx, [ebx+8]
		mov	[ebp+var_14], ecx
		mov	ecx, [edx]
		mov	[ebp+var_C], ecx
		mov	ecx, [edx+4]
		mov	[ebp+var_18], ecx
		mov	ecx, [edx+8]
		mov	edx, [eax+1E8h]
		sub	ecx, [ebp+arg_4]
		mov	[ebp+arg_0], edx
		mov	edx, [eax+1ECh]
		mov	eax, [ebp+arg_0]
		or	eax, edx
		mov	[ebp+var_10], esi
		jnz	loc_5022EE

loc_502258:				; CODE XREF: CcAdjustThrottle+11Dj
		mov	edx, 200h
		mov	eax, ecx
		cmp	ecx, edx
		jnb	short loc_502265
		mov	ecx, edx

loc_502265:				; CODE XREF: CcAdjustThrottle+5Bj
		cmp	eax, edx
		setb	dl
		shr	ecx, 2
		cmp	ecx, esi
		ja	loc_5D6970

loc_502275:				; CODE XREF: CcAdjustThrottle+D476Cj
		mov	eax, esi
		sub	eax, [ebp+var_8]
		imul	eax, 3
		shr	eax, 2
		add	eax, [ebp+var_8]
		cmp	[ebp+var_C], eax
		jnb	loc_5D6977
		cmp	edi, esi
		jnb	short loc_5022C7
		push	edx
		push	ecx
		mov	edx, edi
		lea	ecx, [ebp+var_10]
		call	_CcAdjustCurrentThresholdWrtTop@16 ; CcAdjustCurrentThresholdWrtTop(x,x,x,x)
		mov	esi, [ebp+var_10]

loc_50229F:				; CODE XREF: CcAdjustThrottle+CAj
					; CcAdjustThrottle+CFj	...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		mov	[ebx], esi
		mov	edx, ebx
		shr	eax, 2
		shr	esi, 1
		add	eax, esi
		mov	[ebx+4], edi
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_14]
		mov	[ebx+8], eax
		call	CcAdjustTopBottomThresholds
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_5022C7:				; CODE XREF: CcAdjustThrottle+88j
		mov	edx, [ebp+var_C]
		mov	eax, esi
		sub	eax, ecx
		cmp	edx, eax
		jnb	short loc_50229F
		cmp	[ebp+var_18], esi
		ja	short loc_50229F
		mov	eax, esi
		sub	eax, edx
		mov	edx, edi
		shr	eax, 3
		sub	edx, esi
		cmp	eax, ecx
		jbe	short loc_502331
		cmp	edx, eax
		ja	short loc_50233C

loc_5022EA:				; CODE XREF: CcAdjustThrottle+12Dj
		mov	esi, edi
		jmp	short loc_50229F
; 

loc_5022EE:				; CODE XREF: CcAdjustThrottle+4Cj
		xor	eax, eax
		mov	[ebp+arg_4], eax
		cmp	edx, eax
		ja	short loc_502328
		mov	eax, [ebp+arg_0]
		jb	short loc_502301
		cmp	eax, 0FFFFFFFFh
		ja	short loc_502328

loc_502301:				; CODE XREF: CcAdjustThrottle+F4j
		cmp	[ebp+arg_4], edx
		jb	short loc_502328
		ja	short loc_50230C
		cmp	ecx, eax
		jbe	short loc_502328

loc_50230C:				; CODE XREF: CcAdjustThrottle+100j
		mov	eax, [ebp+var_4]
		sub	ecx, [eax+1E8h]
		xor	edx, edx

loc_502317:				; CODE XREF: CcAdjustThrottle+129j
		mov	[eax+1E8h], edx
		mov	[eax+1ECh], edx
		jmp	loc_502258
; 

loc_502328:				; CODE XREF: CcAdjustThrottle+EFj
					; CcAdjustThrottle+F9j	...
		mov	eax, [ebp+var_4]
		xor	edx, edx
		mov	ecx, edx
		jmp	short loc_502317
; 

loc_502331:				; CODE XREF: CcAdjustThrottle+DEj
		cmp	edx, ecx
		jbe	short loc_5022EA
		add	esi, ecx
		jmp	loc_50229F
; 

loc_50233C:				; CODE XREF: CcAdjustThrottle+E2j
		add	esi, eax
		jmp	loc_50229F
CcAdjustThrottle endp

; 
		align 4

;  S U B	R O U T	I N E 


CcAdjustTopBottomThresholds proc near	; CODE XREF: CcAdjustThrottle+B5p

; FUNCTION CHUNK AT 005D698B SIZE 00000039 BYTES

		mov	edi, edi
		push	ebx
		movzx	ebx, byte ptr ds:dword_7051D4
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [esi+1D8h]
		add	ecx, [esi+1E0h]
		mov	eax, [esi+1DCh]
		adc	eax, [esi+1E4h]
		shrd	ecx, eax, 1
		mov	eax, 200h
		mov	edi, ecx
		mov	[edx+4], ecx
		shr	edi, 2
		mov	[edx+8], edi
		cmp	edi, eax
		jb	short loc_50239F
		mov	eax, edi

loc_502384:				; CODE XREF: CcAdjustTopBottomThresholds+5Ej
		cmp	ecx, eax
		jb	short loc_502390
		test	ebx, ebx
		jnz	loc_5D698B

loc_502390:				; CODE XREF: CcAdjustTopBottomThresholds+42j
		mov	[edx+4], eax
		test	ebx, ebx
		jnz	loc_5D698B

loc_50239B:				; CODE XREF: CcAdjustTopBottomThresholds+D4653j
					; CcAdjustTopBottomThresholds+D467Bj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_50239F:				; CODE XREF: CcAdjustTopBottomThresholds+3Cj
		mov	[edx+8], eax
		jmp	short loc_502384
CcAdjustTopBottomThresholds endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcAdjustCurrentThresholdWrtTop(x, x, x, x)
_CcAdjustCurrentThresholdWrtTop@16 proc	near ; CODE XREF: CcAdjustThrottle+91p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ecx]
		cmp	edi, edx
		jbe	short loc_5023CC
		push	esi
		mov	esi, edi
		sub	esi, edx
		cmp	[ebp+arg_4], 0
		jz	short loc_5023D1
		mov	eax, esi
		shr	eax, 2
		cmp	eax, 5000h
		ja	short loc_5023DF

loc_5023C7:				; CODE XREF: CcAdjustCurrentThresholdWrtTop(x,x,x,x)+34j
					; CcAdjustCurrentThresholdWrtTop(x,x,x,x)+39j ...
		sub	edi, esi
		mov	[ecx], edi
		pop	esi

loc_5023CC:				; CODE XREF: CcAdjustCurrentThresholdWrtTop(x,x,x,x)+Aj
		pop	edi
		pop	ebp
		retn	8
; 

loc_5023D1:				; CODE XREF: CcAdjustCurrentThresholdWrtTop(x,x,x,x)+15j
		mov	eax, edi
		sub	eax, [ebp+arg_0]
		cmp	eax, edx
		jb	short loc_5023C7
		mov	esi, [ebp+arg_0]
		jmp	short loc_5023C7
; 

loc_5023DF:				; CODE XREF: CcAdjustCurrentThresholdWrtTop(x,x,x,x)+21j
		mov	esi, eax
		jmp	short loc_5023C7
_CcAdjustCurrentThresholdWrtTop@16 endp

; 
		align 8
; Exported entry 2132. RtlGetNtProductType

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetNtProductType(x)
		public _RtlGetNtProductType@4
_RtlGetNtProductType@4 proc near	; CODE XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+21Bp
					; KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+17Fp	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	short loc_502429
		cmp	ds:0FFDF0268h, al
		jz	short loc_502407
		mov	ecx, ds:0FFDF0264h
		jmp	short loc_502458
; 

loc_502407:				; CODE XREF: RtlGetNtProductType(x)+15j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	esi, [ebp+arg_0]
		cmp	al, 1
		ja	short loc_50241F
		mov	ecx, esi
		call	_RtlpGetNtProductTypeFromRegistry@4 ; RtlpGetNtProductTypeFromRegistry(x)
		test	eax, eax
		jns	short loc_50245D

loc_50241F:				; CODE XREF: RtlGetNtProductType(x)+2Aj
		mov	dword ptr [esi], 1
		xor	al, al
		jmp	short loc_50245F
; 

loc_502429:				; CODE XREF: RtlGetNtProductType(x)+Dj
		call	_KeIsExecutingInArbitraryThreadContext@0 ; KeIsExecutingInArbitraryThreadContext()
		test	eax, eax
		jnz	short loc_50244A
		mov	eax, large fs:124h
		push	eax
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		test	eax, eax
		jz	short loc_50244A
		mov	eax, [eax+2F8h]
		jmp	short loc_50244F
; 

loc_50244A:				; CODE XREF: RtlGetNtProductType(x)+48j
					; RtlGetNtProductType(x)+58j
		mov	eax, offset _PspHostSiloGlobals

loc_50244F:				; CODE XREF: RtlGetNtProductType(x)+60j
		mov	eax, [eax+28Ch]
		mov	ecx, [eax+10h]

loc_502458:				; CODE XREF: RtlGetNtProductType(x)+1Dj
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_50245D:				; CODE XREF: RtlGetNtProductType(x)+35j
		mov	al, 1

loc_50245F:				; CODE XREF: RtlGetNtProductType(x)+3Fj
		pop	esi
		pop	ebp
		retn	4
_RtlGetNtProductType@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1017. IoSynchronousCallDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSynchronousCallDriver(x, x)
		public _IoSynchronousCallDriver@8
_IoSynchronousCallDriver@8 proc	near	; CODE XREF: FsRtlGetFileExtents(x,x,x,x,x,x,x)+AAp
					; IoForwardIrpSynchronously(x,x)+25p ...

var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_10]
		xor	edi, edi
		push	edi
		push	edi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	esi, [ebp+arg_4]
		lea	ecx, [ebp+var_10]
		mov	edx, esi
		mov	eax, [esi+60h]
		mov	[eax-4], ecx
		mov	ecx, [ebp+arg_0]
		mov	dword ptr [eax-8], offset _SmKmGenericCompletion@12 ; SmKmGenericCompletion(x,x,x)
		mov	byte ptr [eax-21h], 0E0h
		call	IofCallDriver
		cmp	eax, 103h
		jz	short loc_5024B8

loc_5024B2:				; CODE XREF: IoSynchronousCallDriver(x,x)+5Fj
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_5024B8:				; CODE XREF: IoSynchronousCallDriver(x,x)+46j
		push	edi
		push	edi
		push	edi
		push	5
		lea	eax, [ebp+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esi+18h]
		jmp	short loc_5024B2
_IoSynchronousCallDriver@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnTraceTimerRoutine proc near		; DATA XREF: PfSnBeginTrace+8Co

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D69C4 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		push	edi
		mov	[esp+10h+var_4], ebx
		lea	edi, [esi+118h]
		cmp	[edi], ebx
		jnz	loc_5025BD
		mov	edx, [esi+0F0h]
		mov	eax, [esi+0F8h]
		cmp	edx, eax
		jg	loc_5D69C4

loc_502503:				; CODE XREF: PfSnTraceTimerRoutine+D44FAj
		mov	eax, [esi+0E8h]
		cmp	eax, edx
		jg	loc_5D69CB

loc_502511:				; CODE XREF: PfSnTraceTimerRoutine+D4501j
		mov	ecx, edx
		sub	ecx, eax
		mov	eax, [esi+0ECh]
		mov	[esi+eax*4+0C0h], ecx
		lea	eax, [esp+10h+var_4]
		inc	dword ptr [esi+0ECh]
		mov	ecx, esi
		mov	[esi+0E8h], edx
		xor	edx, edx
		push	eax
		inc	edx
		call	PfSnTraceGetLogEntry
		test	eax, eax
		js	loc_5D69D2
		mov	ecx, [esp+10h+var_4]
		push	4
		pop	edx
		and	dword ptr [ecx], 7
		mov	[ecx+4], ebx
		mov	eax, [ecx]
		and	eax, 0FFFFFFFCh
		or	eax, edx
		mov	[ecx], eax
		mov	eax, [esi+0ECh]
		cmp	eax, dword_6D4854
		jge	short loc_5025D1
		lea	ebx, [esi+0B8h]
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	dword ptr [edi], 0
		jnz	short loc_5025AB
		lea	ecx, [esi+104h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_5025AB
		mov	eax, [esi+94h]
		xor	edx, edx
		mov	ecx, [esi+90h]
		push	eax
		push	ecx
		lea	eax, [esi+98h]
		push	eax
		push	0
		lea	ecx, [esi+68h]
		call	KiSetTimerEx

loc_5025AB:				; CODE XREF: PfSnTraceTimerRoutine+ADj
					; PfSnTraceTimerRoutine+BCj
		test	ds:byte_70EFC6,	1
		jnz	loc_5D69E0
		xor	eax, eax
		lock and [ebx],	eax

loc_5025BD:				; CODE XREF: PfSnTraceTimerRoutine+1Dj
					; PfSnTraceTimerRoutine+10Dj ...
		lea	ecx, [esi+104h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_5025D1:				; CODE XREF: PfSnTraceTimerRoutine+9Bj
		xor	eax, eax
		lock cmpxchg [edi], edx

loc_5025D7:				; CODE XREF: PfSnTraceTimerRoutine+D450Fj
		test	eax, eax
		jnz	short loc_5025BD
		push	1
		lea	eax, [esi+108h]
		push	eax
		call	ExQueueWorkItem
		jmp	short loc_5025BD
PfSnTraceTimerRoutine endp

; 
		align 10h
; Exported entry 2357. RtlTimeFieldsToTime

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTimeFieldsToTime(x, x)
		public _RtlTimeFieldsToTime@8
_RtlTimeFieldsToTime@8 proc near	; CODE XREF: ExUpdateSystemTimeFromCmos+6Fp
					; ExpRefreshTimeZoneInformation(x)+5FEp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	RtlpTimeFieldsToTime
		pop	ebp
		retn	8
_RtlTimeFieldsToTime@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpTimeFieldsToTime proc near		; CODE XREF: RtlTimeFieldsToTime(x,x)+Cp
					; SeMakeSystemToken+7Fp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D69EF SIZE 000000BA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, _ExLeapSecondData
		xor	eax, eax
		mov	[ebp+var_10], eax
		mov	ebx, edx
		mov	[ebp+var_C], eax
		push	edi
		test	esi, esi
		jz	short loc_50266A
		cmp	[esi], al
		jz	short loc_50266A
		mov	edi, [esi+4]
		xor	edx, edx
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_14], edi
		lock or	[eax], edx
		lea	edx, [ebp+var_10]
		call	_RtlpTimeFieldsToTimeNoLeapSeconds@8 ; RtlpTimeFieldsToTimeNoLeapSeconds(x,x)
		test	al, al
		jz	short loc_502666
		and	[ebp+var_4], 0
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		test	edi, edi
		jnz	loc_5D69EF

loc_502658:				; CODE XREF: RtlpTimeFieldsToTime+D4425j
					; RtlpTimeFieldsToTime+D442Fj ...
		mov	[ebx], ecx
		mov	al, 1
		mov	[ebx+4], edx

loc_50265F:				; CODE XREF: RtlpTimeFieldsToTime+62j
					; RtlpTimeFieldsToTime+69j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_502666:				; CODE XREF: RtlpTimeFieldsToTime+3Ej
					; RtlpTimeFieldsToTime+D448Aj ...
		xor	al, al
		jmp	short loc_50265F
; 

loc_50266A:				; CODE XREF: RtlpTimeFieldsToTime+1Dj
					; RtlpTimeFieldsToTime+21j
		call	_RtlpTimeFieldsToTimeNoLeapSeconds@8 ; RtlpTimeFieldsToTimeNoLeapSeconds(x,x)
		jmp	short loc_50265F
RtlpTimeFieldsToTime endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpTimeFieldsToTimeNoLeapSeconds(x, x)
_RtlpTimeFieldsToTimeNoLeapSeconds@8 proc near ; CODE XREF: RtlpTimeFieldsToTime+37p
					; RtlpTimeFieldsToTime:loc_50266Ap ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		movzx	eax, word ptr [ecx+2]
		push	ebx
		movsx	ebx, word ptr [ecx]
		push	esi
		mov	[ebp+var_20], edx
		push	edi
		movzx	edi, word ptr [ecx+4]
		movsx	esi, ax
		dec	esi
		movsx	edx, di
		dec	edx
		mov	[ebp+var_1C], edx
		movsx	edx, word ptr [ecx+6]
		mov	[ebp+var_C], edx
		movsx	edx, word ptr [ecx+8]
		mov	[ebp+var_10], edx
		movsx	edx, word ptr [ecx+0Ah]
		movsx	ecx, word ptr [ecx+0Ch]
		mov	[ebp+var_18], ecx
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_14], edx
		cmp	ax, cx
		jl	loc_50281B
		cmp	di, cx
		jl	loc_50281B
		lea	edi, [ebx-641h]
		cmp	edi, 722Ah
		ja	loc_50281B
		cmp	esi, 0Bh
		ja	loc_50281B
		xor	edx, edx
		mov	[ebp+var_4], 190h
		mov	eax, ebx
		mov	[ebp+var_8], 64h
		div	[ebp+var_4]
		test	edx, edx
		jz	loc_5027F5
		xor	edx, edx
		mov	eax, ebx
		div	[ebp+var_8]
		test	edx, edx
		jz	short loc_502713
		test	bl, 3
		jz	loc_5027F5

loc_502713:				; CODE XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+96j
		xor	eax, eax

loc_502715:				; CODE XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+185j
		test	eax, eax
		jnz	loc_5027FC
		movsx	ecx, ds:word_410E32[esi*2]
		movsx	eax, ds:_NormalYearDaysPrecedingMonth[esi*2]

loc_50272D:				; CODE XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+19Aj
		sub	ecx, eax
		mov	eax, [ebp+var_1C]
		cwde
		cmp	eax, ecx
		jge	loc_50281B
		cmp	[ebp+var_C], 17h
		ja	loc_50281B
		cmp	[ebp+var_10], 3Bh
		ja	loc_50281B
		cmp	[ebp+var_14], 3Bh
		ja	loc_50281B
		cmp	[ebp+var_18], 3E7h
		ja	loc_50281B
		xor	edx, edx
		mov	eax, edi
		div	[ebp+var_4]
		xor	edx, edx
		mov	ecx, eax
		mov	eax, edi
		div	[ebp+var_8]
		xor	edx, edx
		sub	ecx, eax
		imul	eax, edi, 16Dh
		shr	edi, 2
		add	ecx, eax
		add	edi, ecx
		lea	ecx, [ebx-640h]
		mov	eax, ecx
		div	[ebp+var_4]
		test	edx, edx
		jz	short loc_502811
		mov	eax, ecx
		xor	edx, edx
		push	64h
		pop	ecx
		div	ecx
		test	edx, edx
		jz	short loc_5027A8
		test	bl, 3
		jz	short loc_502811

loc_5027A8:				; CODE XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+12Fj
		movzx	edx, ds:_NormalYearDaysPrecedingMonth[esi*2]

loc_5027B0:				; CODE XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+1A7j
		imul	eax, [ebp+var_C], 3Ch
		push	2710h
		add	eax, [ebp+var_10]
		imul	eax, 3Ch
		add	eax, [ebp+var_14]
		imul	ecx, eax, 3E8h
		movsx	eax, dx
		mov	edx, 5265C00h
		add	eax, edi
		add	eax, [ebp+var_1C]
		imul	edx
		add	ecx, [ebp+var_18]
		add	eax, ecx
		adc	edx, 0
		push	edx
		push	eax
		call	_RtlExtendedIntegerMultiply@12 ; RtlExtendedIntegerMultiply(x,x,x)
		mov	ecx, [ebp+var_20]
		mov	[ecx], eax
		mov	al, 1
		mov	[ecx+4], edx

loc_5027F0:				; CODE XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+1ABj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5027F5:				; CODE XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+87j
					; RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+9Bj
		mov	eax, ecx
		jmp	loc_502715
; 

loc_5027FC:				; CODE XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+A5j
		movsx	ecx, ds:word_410E16[esi*2]
		movsx	eax, ds:_LeapYearDaysPrecedingMonth[esi*2]
		jmp	loc_50272D
; 

loc_502811:				; CODE XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+122j
					; RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+134j
		movzx	edx, ds:_LeapYearDaysPrecedingMonth[esi*2]
		jmp	short loc_5027B0
; 

loc_50281B:				; CODE XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+46j
					; RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+4Fj ...
		xor	al, al
		jmp	short loc_5027F0
_RtlpTimeFieldsToTimeNoLeapSeconds@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1710. PoQueryWatchdogTime

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoQueryWatchdogTime
PoQueryWatchdogTime proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D6AA9 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1], 0
		lea	edi, [ebp+var_10]
		or	esi, 0FFFFFFFFh
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		or	edi, 0FFFFFFFFh
		test	eax, eax
		jz	loc_5D6AA9
		mov	eax, [eax+0B0h]
		mov	ebx, [eax+14h]

loc_502855:				; CODE XREF: PoQueryWatchdogTime+D4287j
		lea	edx, [ebp+var_10]
		mov	ecx, offset _PopIrpLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [ebx+98h]
		mov	edx, (offset loc_98967E+2)
		test	ecx, ecx
		jnz	loc_502944

loc_502875:				; CODE XREF: PoQueryWatchdogTime+131j
					; PoQueryWatchdogTime+159j
		mov	ecx, [ebx+0A0h]
		test	ecx, ecx
		jnz	loc_502905

loc_502883:				; CODE XREF: PoQueryWatchdogTime+F2j
					; PoQueryWatchdogTime+107j ...
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jnz	loc_5D6AB0
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_502982
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	loc_5D6AC0

loc_5028B4:				; CODE XREF: PoQueryWatchdogTime+16Bj
					; PoQueryWatchdogTime+D4297j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		and	eax, edi
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_5028D0

loc_5028C6:				; CODE XREF: PoQueryWatchdogTime+DFj
					; PoQueryWatchdogTime+D42AFj
		mov	al, [ebp+var_1]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_5028D0:				; CODE XREF: PoQueryWatchdogTime+A0j
		mov	cl, bl
		mov	[ebp+var_1], bl
		call	KiQueryUnbiasedInterruptTime
		cmp	edx, edi
		jb	short loc_5028EC
		ja	loc_5D6ACD
		cmp	eax, esi
		ja	loc_5D6ACD

loc_5028EC:				; CODE XREF: PoQueryWatchdogTime+B8j
		sub	esi, eax
		push	0
		push	(offset	loc_98967E+2)
		sbb	edi, edx
		push	edi
		push	esi
		call	__aulldiv
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		jmp	short loc_5028C6
; 

loc_502905:				; CODE XREF: PoQueryWatchdogTime+59j
		movsx	eax, byte ptr [ecx+22h]
		add	eax, 3
		imul	eax, 24h
		mov	ecx, [eax+ecx]
		cmp	byte ptr [ecx+74h], 0
		jz	loc_502883
		call	_PopComputeWatchdogTimeout@4 ; PopComputeWatchdogTimeout(x)
		mul	edx
		add	eax, [ecx+18h]
		adc	edx, [ecx+1Ch]
		cmp	edx, edi
		ja	loc_502883
		jb	short loc_50293B
		cmp	eax, esi
		jnb	loc_502883

loc_50293B:				; CODE XREF: PoQueryWatchdogTime+10Dj
		mov	esi, eax
		mov	edi, edx
		jmp	loc_502883
; 

loc_502944:				; CODE XREF: PoQueryWatchdogTime+4Bj
		movsx	eax, byte ptr [ecx+22h]
		add	eax, 3
		imul	eax, 24h
		mov	ecx, [eax+ecx]
		cmp	byte ptr [ecx+74h], 0
		jz	loc_502875
		call	_PopComputeWatchdogTimeout@4 ; PopComputeWatchdogTimeout(x)
		mul	edx
		add	eax, [ecx+18h]
		adc	edx, [ecx+1Ch]
		cmp	edx, 0FFFFFFFFh
		jb	short loc_502974
		ja	short loc_502978
		cmp	eax, 0FFFFFFFFh
		jnb	short loc_502978

loc_502974:				; CODE XREF: PoQueryWatchdogTime+147j
		mov	esi, eax
		mov	edi, edx

loc_502978:				; CODE XREF: PoQueryWatchdogTime+149j
					; PoQueryWatchdogTime+14Ej
		mov	edx, (offset loc_98967E+2)
		jmp	loc_502875
; 

loc_502982:				; CODE XREF: PoQueryWatchdogTime+73j
					; PoQueryWatchdogTime+D42A4j
		mov	[ebp+var_10], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_5028B4
PoQueryWatchdogTime endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGenericCallDpcWorker(x, x)
_KiGenericCallDpcWorker@8 proc near	; DATA XREF: KeGenericCallDpc(x,x)+Ao

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		inc	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		push	0FFFFh
		mov	[ebp+var_1], al
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	edi, [ebp+arg_4]
		mov	esi, eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], esi
		cmp	esi, ebx
		jbe	short loc_5029F4

loc_5029C7:				; CODE XREF: KiGenericCallDpcWorker(x,x)+5Ej
		mov	ecx, ds:_KiProcessorBlock[ebx*4]
		lea	edx, [ebp+var_8]
		mov	eax, [edi]
		add	ecx, 3AE0h
		push	0
		push	0
		mov	[ecx+0Ch], eax
		mov	eax, [edi+4]
		mov	[ecx+10h], eax
		lea	eax, [ebp+var_10]
		push	eax
		call	KiInsertQueueDpc
		inc	ebx
		cmp	ebx, esi
		jb	short loc_5029C7

loc_5029F4:				; CODE XREF: KiGenericCallDpcWorker(x,x)+31j
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	dword ptr [edi+4]
		mov	eax, [ebp+arg_0]
		add	eax, 3AE0h
		push	eax
		call	dword ptr [edi]
		and	[ebp+arg_4], 0
		pop	edi
		pop	esi
		pop	ebx
		jmp	short loc_502A1B
; 

loc_502A13:				; CODE XREF: KiGenericCallDpcWorker(x,x)+8Cj
		lea	ecx, [ebp+arg_4]
		call	KeYieldProcessorEx

loc_502A1B:				; CODE XREF: KiGenericCallDpcWorker(x,x)+7Dj
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_502A13
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn	8
_KiGenericCallDpcWorker@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAbCrossThreadDeleteNopDpcRoutine(x, x, x,	x)
_KeAbCrossThreadDeleteNopDpcRoutine@16 proc near
					; DATA XREF: KeAbCrossThreadDelete(x,x)+266o
					; EtwpUpdateFilterData(x,x,x,x,x)+6C3o	...

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		pop	ebp
		retn	10h
_KeAbCrossThreadDeleteNopDpcRoutine@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSetExecuteOptions proc near		; CODE XREF: PAGE:007A858Cp

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005D6AD8 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		test	ebx, 0FFFFFF80h
		jnz	loc_5D6AD8
		push	esi
		mov	esi, 0C0000022h
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		lea	eax, [edi+34h]
		push	eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	al, [edi+6Bh]
		test	al, 8
		jnz	short loc_502AAD
		and	al, 0FEh
		test	bl, 1
		jz	short loc_502A82
		and	al, 0FDh
		or	al, 1

loc_502A82:				; CODE XREF: KeSetExecuteOptions+3Cj
		test	bl, 4
		jz	short loc_502A89
		or	al, 4

loc_502A89:				; CODE XREF: KeSetExecuteOptions+45j
		test	bl, 2
		jnz	short loc_502AC6

loc_502A8E:				; CODE XREF: KeSetExecuteOptions+88j
		test	bl, 10h
		jnz	short loc_502ACE

loc_502A93:				; CODE XREF: KeSetExecuteOptions+90j
		test	bl, 20h
		jnz	short loc_502AD2

loc_502A98:				; CODE XREF: KeSetExecuteOptions+94j
		test	bl, 40h
		jnz	short loc_502AD6

loc_502A9D:				; CODE XREF: KeSetExecuteOptions+98j
		test	bl, 8
		jz	short loc_502AA4
		or	al, 8

loc_502AA4:				; CODE XREF: KeSetExecuteOptions+60j
		test	al, 2
		jnz	short loc_502ACA

loc_502AA8:				; CODE XREF: KeSetExecuteOptions+8Cj
		mov	[edi+6Bh], al
		xor	esi, esi

loc_502AAD:				; CODE XREF: KeSetExecuteOptions+35j
		lea	ecx, [edi+34h]
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		pop	esi

loc_502AC2:				; CODE XREF: KeSetExecuteOptions+D409Dj
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_502AC6:				; CODE XREF: KeSetExecuteOptions+4Cj
		or	al, 2
		jmp	short loc_502A8E
; 

loc_502ACA:				; CODE XREF: KeSetExecuteOptions+66j
		or	al, 30h
		jmp	short loc_502AA8
; 

loc_502ACE:				; CODE XREF: KeSetExecuteOptions+51j
		or	al, 10h
		jmp	short loc_502A93
; 

loc_502AD2:				; CODE XREF: KeSetExecuteOptions+56j
		or	al, 20h
		jmp	short loc_502A98
; 

loc_502AD6:				; CODE XREF: KeSetExecuteOptions+5Bj
		or	al, 40h
		jmp	short loc_502A9D
KeSetExecuteOptions endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmQueryCommitReleaseState proc near	; CODE XREF: PAGE:0083EACDp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= byte ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D6AE2 SIZE 000000E5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[esp+58h+var_28], eax
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		mov	[esp+60h+var_24], eax
		lea	edi, [esp+60h+var_1C]
		mov	eax, [ebp+arg_8]
		mov	[esp+60h+var_20], eax
		xor	eax, eax
		mov	[esp+60h+var_2C], edx
		mov	edx, ecx
		push	6
		pop	ecx
		rep stosd
		lea	edi, [esp+60h+var_4C]
		mov	[esp+60h+var_40], edx
		stosd
		lea	esi, [edx+240h]
		stosd
		stosd
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		jz	loc_5D6AE2
		lea	eax, [esi+8Ch]
		lea	ebx, [esi+94h]
		mov	[esp+60h+var_3C], eax
		lea	ecx, [esi+88h]

loc_502B4D:				; CODE XREF: MmQueryCommitReleaseState+D401Aj
		mov	ecx, [ecx]
		xor	edi, edi
		mov	eax, [esi+60h]
		mov	[esp+60h+var_30], ecx
		xor	ecx, ecx
		inc	ecx
		mov	[esp+60h+var_50], eax
		mov	[esp+60h+var_38], edi
		cmp	ds:dword_7051F0, ecx
		jz	short loc_502BC4
		nop
		shr	eax, 18h
		and	al, 60h
		cmp	al, 40h
		jz	loc_5D6AF9

loc_502B79:				; CODE XREF: MmQueryCommitReleaseState+D4091j
					; MmQueryCommitReleaseState+D40E8j
		mov	dl, byte ptr [esp+60h+var_50+3]
		mov	al, dl
		and	al, 60h
		cmp	al, 40h
		sbb	ecx, ecx
		not	ecx
		and	ecx, [esp+60h+var_30]

loc_502B8B:				; CODE XREF: MmQueryCommitReleaseState+F0j
		and	dl, 60h
		cmp	dl, 20h
		mov	edx, [esp+60h+var_2C]
		sbb	eax, eax
		inc	eax
		mov	[edx], eax
		mov	eax, [esp+60h+var_28]
		mov	[eax], ecx
		mov	eax, [esp+60h+var_24]
		mov	ecx, [esp+60h+var_20]
		mov	[eax], edi
		mov	eax, [esp+60h+var_38]
		pop	edi
		mov	[ecx], eax
		mov	ecx, [esp+5Ch+var_4]
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_502BC4:				; CODE XREF: MmQueryCommitReleaseState+8Fj
		mov	dl, byte ptr [esp+60h+var_50+3]
		mov	ecx, edi
		jmp	short loc_502B8B
MmQueryCommitReleaseState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSkipFractionalPagefileRegion(x, x, x)
_MiSkipFractionalPagefileRegion@12 proc	near
					; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+69Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [edx+4]
		push	esi
		mov	esi, [edx+1Ch]
		push	edi
		lea	edx, [eax+esi*8]
		mov	esi, [ebp+arg_0]
		mov	eax, edx
		sub	eax, ecx
		sar	eax, 3
		cmp	eax, esi
		jbe	short loc_502BEF
		lea	edx, [ecx+esi*8]

loc_502BEF:				; CODE XREF: MiSkipFractionalPagefileRegion(x,x,x)+1Ej
					; MiSkipFractionalPagefileRegion(x,x,x)+61j
		mov	esi, ecx
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		mov	edi, [esi-40000000h]
		nop
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	short loc_502C17

loc_502C0B:				; CODE XREF: MiSkipFractionalPagefileRegion(x,x,x)+54j
					; MiSkipFractionalPagefileRegion(x,x,x)+63j
		pop	edi
		pop	esi
		cmp	ecx, edx
		ja	short loc_502C31

loc_502C11:				; CODE XREF: MiSkipFractionalPagefileRegion(x,x,x)+67j
		mov	eax, ecx
		leave
		retn	4
; 

loc_502C17:				; CODE XREF: MiSkipFractionalPagefileRegion(x,x,x)+3Dj
		and	edi, 3E0h
		or	edi, 0
		jnz	short loc_502C0B
		lea	ecx, [esi-3FFFFFF8h]
		shl	ecx, 9
		cmp	ecx, edx
		jb	short loc_502BEF
		jmp	short loc_502C0B
; 

loc_502C31:				; CODE XREF: MiSkipFractionalPagefileRegion(x,x,x)+43j
		mov	ecx, edx
		jmp	short loc_502C11
_MiSkipFractionalPagefileRegion@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 755. IoBuildAsynchronousFsdRequest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoBuildAsynchronousFsdRequest(x, x,	x, x, x, x)
		public _IoBuildAsynchronousFsdRequest@24
_IoBuildAsynchronousFsdRequest@24 proc near ; CODE XREF: sub_8F9D61+15p
					; sub_8F9DD2+16p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	dword ptr [ebp+4] ; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; size_t
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		call	IopBuildAsynchronousFsdRequest
		pop	ebp
		retn	18h
_IoBuildAsynchronousFsdRequest@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopBuildAsynchronousFsdRequest(int,int,void *,size_t,int,int,int)
IopBuildAsynchronousFsdRequest proc near
					; CODE XREF: IoBuildAsynchronousFsdRequest(x,x,x,x,x,x)+1Ap
					; IopBuildSynchronousFsdRequest(x,x,x,x,x,x,x,x)+1Cp
					; DATA XREF: ...

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005D6BC7 SIZE 00000016 BYTES

		push	0Ch
		push	offset dword_6A3E10
		call	__SEH_prolog4
		mov	ebx, [ebp+arg_0]
		push	[ebp+arg_18]
		push	0
		mov	eax, [ebp+arg_4]
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp+arg_0], esi
		test	esi, esi
		jz	loc_502DAC
		mov	eax, large fs:124h
		mov	[esi+50h], eax
		mov	edi, [esi+60h]
		mov	[edi-24h], bl
		cmp	ebx, 9
		jz	short loc_502CFA
		cmp	ebx, 1Bh
		jz	short loc_502CFA
		cmp	ebx, 10h
		jz	short loc_502CFA
		cmp	ebx, 16h
		jz	short loc_502CFA
		mov	edx, [ebp+arg_4]
		mov	eax, [edx+1Ch]
		test	al, 4
		jnz	loc_502D7B
		test	al, 10h
		jnz	short loc_502D2E
		mov	eax, [ebp+arg_8]
		mov	[esi+3Ch], eax

loc_502CC7:				; CODE XREF: IopBuildAsynchronousFsdRequest+10Ej
		mov	eax, [ebp+arg_C]
		mov	[edi-20h], eax
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_502CDF
		mov	eax, [ecx]
		mov	[edi-18h], eax
		mov	eax, [ecx+4]
		mov	[edi-14h], eax

loc_502CDF:				; CODE XREF: IopBuildAsynchronousFsdRequest+74j
		mov	eax, [edx+2Ch]
		cmp	eax, 7
		jb	short loc_502CFA
		cmp	eax, 9
		ja	loc_502D71

loc_502CF0:				; CODE XREF: IopBuildAsynchronousFsdRequest+118j
		mov	edx, [esi+50h]
		mov	ecx, esi
		call	IoSetDiskIoAttributionFromThread

loc_502CFA:				; CODE XREF: IopBuildAsynchronousFsdRequest+40j
					; IopBuildAsynchronousFsdRequest+45j ...
		mov	ecx, [esi+50h]
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		inc	eax
		mov	ecx, [esi+8]
		and	ecx, 0FFF1FFFFh
		shl	eax, 11h
		or	ecx, eax
		mov	[esi+8], ecx
		mov	eax, [ebp+arg_14]
		mov	[esi+28h], eax
		mov	eax, esi

loc_502D1C:				; CODE XREF: IopBuildAsynchronousFsdRequest+150j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_502D2E:				; CODE XREF: IopBuildAsynchronousFsdRequest+61j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		mov	eax, [ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		call	IoAllocateMdl
		mov	ecx, eax
		mov	[esi+4], ecx
		test	ecx, ecx
		jz	short loc_502DA6
		and	[ebp+ms_exc.disabled], 0
		movzx	eax, byte ptr [edi-24h]
		push	eax
		push	[ebp+arg_4]
		xor	eax, eax
		cmp	ebx, 3
		setz	al
		push	eax
		call	IopProbeAndLockPages
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_502D69:				; CODE XREF: IopBuildAsynchronousFsdRequest+146j
		mov	edx, [ebp+arg_4]
		jmp	loc_502CC7
; 

loc_502D71:				; CODE XREF: IopBuildAsynchronousFsdRequest+8Cj
		cmp	eax, 24h
		jnz	short loc_502CFA
		jmp	loc_502CF0
; 

loc_502D7B:				; CODE XREF: IopBuildAsynchronousFsdRequest+59j
		mov	edx, [ebp+arg_C]
		mov	ecx, 204h
		call	IopVerifierExAllocatePool
		mov	[esi+0Ch], eax
		test	eax, eax
		jz	short loc_502DA6
		cmp	ebx, 4
		jz	loc_5D6BC7
		mov	eax, [ebp+arg_8]
		mov	[esi+3Ch], eax
		push	70h

loc_502DA0:				; CODE XREF: IopBuildAsynchronousFsdRequest+D3F7Aj
		pop	eax
		mov	[esi+8], eax
		jmp	short loc_502D69
; 

loc_502DA6:				; CODE XREF: IopBuildAsynchronousFsdRequest+E8j
					; IopBuildAsynchronousFsdRequest+12Fj
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_502DAC:				; CODE XREF: IopBuildAsynchronousFsdRequest+28j
					; sub_5D6BE1+20j
		xor	eax, eax
		jmp	loc_502D1C
IopBuildAsynchronousFsdRequest endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopProbeAndLockPages proc near		; CODE XREF: IopBuildAsynchronousFsdRequest+FFp
					; IopBuildDeviceIoControlRequest+28Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D6C06 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_0]
		mov	esi, ecx
		push	0
		push	esi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		test	byte ptr ds:_MmTrackLockedPages, 1
		jnz	loc_5D6C06

loc_502DD4:				; CODE XREF: IopProbeAndLockPages+D3E67j
		pop	esi
		pop	ebp
		retn	0Ch
IopProbeAndLockPages endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ExpRemoveCurrentThreadFromThreadHistory(x)
_ExpRemoveCurrentThreadFromThreadHistory@4 proc	near ; CODE XREF: .text:0052A5D8p
					; .text:0052AB8Fp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+68h]
		and	al, 7
		cmp	al, 4
		jz	short loc_502E0E
		mov	ecx, large fs:124h
		xor	al, al
		push	edi

loc_502DF2:				; CODE XREF: ExpRemoveCurrentThreadFromThreadHistory(x)+25j
		movzx	edi, al
		cmp	[esi+edi*4+20h], ecx
		jz	short loc_502E03
		inc	al
		cmp	al, 4
		jb	short loc_502DF2
		jmp	short loc_502E0D
; 

loc_502E03:				; CODE XREF: ExpRemoveCurrentThreadFromThreadHistory(x)+1Fj
		call	ObfDereferenceObject
		and	dword ptr [esi+edi*4+20h], 0

loc_502E0D:				; CODE XREF: ExpRemoveCurrentThreadFromThreadHistory(x)+27j
		pop	edi

loc_502E0E:				; CODE XREF: ExpRemoveCurrentThreadFromThreadHistory(x)+Cj
		pop	esi
		retn
_ExpRemoveCurrentThreadFromThreadHistory@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddMdlPageToTradeBlock(x,	x, x)
_MiAddMdlPageToTradeBlock@12 proc near	; CODE XREF: MiTradePage(x,x)+5A9p
					; MiTradePage(x,x):loc_4B692Fp	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+24h]
		test	esi, esi
		jz	short loc_502E3E
		mov	eax, [esi+14h]
		shr	eax, 0Ch
		mov	[esi+eax*4+1Ch], edx
		add	dword ptr [esi+14h], 1000h
		cmp	[ebp+arg_0], 0
		jz	short loc_502E44

loc_502E37:				; CODE XREF: MiAddMdlPageToTradeBlock(x,x,x)+49j
		mov	dword ptr [esi+0Ch], 1

loc_502E3E:				; CODE XREF: MiAddMdlPageToTradeBlock(x,x,x)+Ej
					; MiAddMdlPageToTradeBlock(x,x,x)+47j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_502E44:				; CODE XREF: MiAddMdlPageToTradeBlock(x,x,x)+25j
		imul	ecx, edx, 1Ch
		mov	edx, [edi+14h]
		add	ecx, ds:_MmPfnDatabase
		call	_MiPfnZeroingNeeded@8 ;	MiPfnZeroingNeeded(x,x)
		test	eax, eax
		jz	short loc_502E3E
		jmp	short loc_502E37
_MiAddMdlPageToTradeBlock@12 endp

; 
		align 10h
; Exported entry 837. IoFreeWorkItem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoFreeWorkItem
IoFreeWorkItem	proc near		; CODE XREF: PnpDeviceCompletionRequestDestroyWorkItem(x,x,x)+1Cp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D6C20 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	eax
		cmp	[ecx], eax
		jnz	loc_5D6C20
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	4
IoFreeWorkItem	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 680. FsRtlValidateReparsePointBuffer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlValidateReparsePointBuffer(x, x)
		public _FsRtlValidateReparsePointBuffer@8
_FsRtlValidateReparsePointBuffer@8 proc	near
					; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+10Cp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		push	8
		pop	eax
		cmp	edx, eax
		jb	loc_502FF7
		cmp	edx, 4000h
		ja	loc_502FF7
		mov	esi, [ebp+arg_4]
		mov	ecx, [esi]
		test	ecx, 0FFF0000h
		jnz	loc_5030DB
		cmp	ecx, 2
		jbe	loc_5030DB
		mov	eax, ecx
		and	eax, 0C0000000h
		cmp	eax, 40000000h
		jz	loc_5030DB
		mov	edi, 30000000h
		mov	eax, ecx
		and	eax, edi
		cmp	eax, edi
		jz	loc_5030DB
		cmp	ecx, 0A0000019h
		jz	loc_5030DB
		movzx	ebx, word ptr [esi+4]
		mov	eax, ebx
		mov	[ebp+var_8], eax
		lea	edi, [eax+8]
		add	eax, 18h
		cmp	edi, edx
		jz	short loc_502F0F
		cmp	eax, edx
		jnz	loc_502FF7
		cmp	edi, edx
		jnz	short loc_502F17

loc_502F0F:				; CODE XREF: FsRtlValidateReparsePointBuffer(x,x)+7Fj
		test	ecx, ecx
		jns	loc_502FF7

loc_502F17:				; CODE XREF: FsRtlValidateReparsePointBuffer(x,x)+8Bj
		and	[ebp+arg_0], 0
		cmp	eax, edx
		jnz	short loc_502F7F
		test	ecx, ecx
		js	short loc_502F6B
		mov	eax, [ebp+arg_0]
		cmp	[esi+8], eax
		jnz	short loc_502F6B
		cmp	[esi+0Ch], ax
		jnz	short loc_502F6B
		cmp	[esi+0Eh], ax
		jnz	short loc_502F6B
		cmp	byte ptr [esi+10h], 0
		jnz	short loc_502F6B
		cmp	byte ptr [esi+11h], 0
		jnz	short loc_502F6B
		cmp	byte ptr [esi+12h], 0
		jnz	short loc_502F6B
		cmp	byte ptr [esi+13h], 0
		jnz	short loc_502F6B
		cmp	byte ptr [esi+14h], 0
		jnz	short loc_502F6B
		cmp	byte ptr [esi+15h], 0
		jnz	short loc_502F6B
		cmp	byte ptr [esi+16h], 0
		jnz	short loc_502F6B
		cmp	byte ptr [esi+17h], 0
		jz	loc_502FF7

loc_502F6B:				; CODE XREF: FsRtlValidateReparsePointBuffer(x,x)+9Fj
					; FsRtlValidateReparsePointBuffer(x,x)+A7j ...
		cmp	ecx, 0A0000003h
		jz	loc_502FF7
		cmp	ecx, 0A000000Ch
		jz	short loc_502FF7

loc_502F7F:				; CODE XREF: FsRtlValidateReparsePointBuffer(x,x)+9Bj
		cmp	ecx, 0A0000003h
		jnz	short loc_503003
		mov	eax, [ebp+arg_0]
		push	8
		mov	[ebp+arg_4], eax
		mov	[ebp+var_4], eax
		pop	eax
		cmp	bx, ax
		jb	short loc_502FF7
		movzx	edi, word ptr [esi+0Ah]
		lea	eax, [ebp+arg_4]
		mov	dx, [esi+0Eh]
		mov	ecx, edi
		push	eax
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		test	eax, eax
		jnz	short loc_502FFC
		movzx	edx, word ptr [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	0Ch
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jnz	short loc_502FFC
		mov	ebx, [ebp+arg_0]
		lea	eax, [ebp+arg_0]
		push	eax
		push	2
		pop	edx
		mov	ecx, edi
		mov	[ebp+arg_0], ebx
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		test	eax, eax
		jnz	short loc_502FFC
		cmp	[esi+8], bx
		jnz	short loc_502FF7
		mov	ax, [esi+0Ch]
		cmp	ax, word ptr [ebp+arg_0]
		jnz	short loc_502FF7
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+var_4]
		jz	loc_5030D4

loc_502FF7:				; CODE XREF: FsRtlValidateReparsePointBuffer(x,x)+13j
					; FsRtlValidateReparsePointBuffer(x,x)+1Fj ...
		mov	eax, 0C0000278h

loc_502FFC:				; CODE XREF: FsRtlValidateReparsePointBuffer(x,x)+12Bj
					; FsRtlValidateReparsePointBuffer(x,x)+13Fj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_503003:				; CODE XREF: FsRtlValidateReparsePointBuffer(x,x)+103j
		cmp	ecx, 0A000000Ch
		jnz	loc_5030D4
		mov	eax, [ebp+arg_0]
		mov	[ebp+arg_4], eax
		mov	[ebp+arg_0], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		cmp	ebx, 0Ch
		jb	short loc_502FF7
		movzx	eax, word ptr [esi+8]
		lea	ecx, [ebp+arg_4]
		movzx	ebx, word ptr [esi+0Ah]
		push	ecx
		mov	edx, ebx
		mov	[ebp+var_10], eax
		mov	ecx, eax
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		test	eax, eax
		jnz	short loc_502FFC
		movzx	eax, word ptr [esi+0Eh]
		lea	edx, [ebp+arg_0]
		movzx	ecx, word ptr [esi+0Ch]
		push	edx
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], ecx
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		test	eax, eax
		jnz	short loc_502FFC
		movzx	edx, word ptr [ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		push	14h
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jnz	short loc_502FFC
		movzx	edx, word ptr [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	14h
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jnz	loc_502FFC
		cmp	edi, [ebp+var_4]
		jb	loc_502FF7
		cmp	edi, [ebp+var_8]
		jb	loc_502FF7
		test	bx, bx
		jz	loc_502FF7
		mov	eax, [ebp+var_C]
		test	ax, ax
		jz	loc_502FF7
		test	bl, 1
		jnz	loc_502FF7
		test	al, 1
		jnz	loc_502FF7
		test	byte ptr [ebp+var_10], 1
		jnz	loc_502FF7
		test	byte ptr [ebp+var_14], 1
		jnz	loc_502FF7

loc_5030D4:				; CODE XREF: FsRtlValidateReparsePointBuffer(x,x)+16Fj
					; FsRtlValidateReparsePointBuffer(x,x)+187j
		xor	eax, eax
		jmp	loc_502FFC
; 

loc_5030DB:				; CODE XREF: FsRtlValidateReparsePointBuffer(x,x)+30j
					; FsRtlValidateReparsePointBuffer(x,x)+39j ...
		mov	eax, 0C0000276h
		jmp	loc_502FFC
_FsRtlValidateReparsePointBuffer@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUShortAdd(x, x, x)
_RtlUShortAdd@12 proc near		; CODE XREF: FsRtlValidateReparsePointBuffer(x,x)+124p
					; FsRtlValidateReparsePointBuffer(x,x)+150p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		lea	eax, [ecx+edx]
		movzx	edx, ax
		push	esi
		movzx	esi, cx
		push	edi
		movzx	edi, ax
		cmp	ax, cx
		jb	short loc_503114

loc_5030FE:				; CODE XREF: RtlUShortAdd(x,x,x)+33j
		mov	ecx, [ebp+arg_0]
		cmp	di, si
		pop	edi
		sbb	eax, eax
		and	eax, 0C0000095h
		mov	[ecx], dx
		pop	esi
		pop	ebp
		retn	4
; 

loc_503114:				; CODE XREF: RtlUShortAdd(x,x,x)+16j
		mov	edx, 0FFFFh
		jmp	short loc_5030FE
_RtlUShortAdd@12 endp

; 
		align 10h
; Exported entry 157. KiEntropyQueueDpc

;  S U B	R O U T	I N E 


; __fastcall KiEntropyQueueDpc(x)
		public @KiEntropyQueueDpc@4
@KiEntropyQueueDpc@4 proc near		; CODE XREF: V86_kira_a+72Bp
		cmp	ds:_KiEntropyTimingRoutine, 0
		jz	short locret_50313B
		xor	eax, eax
		add	ecx, 4278h
		push	eax
		push	eax
		push	eax
		xor	edx, edx
		call	KiInsertQueueDpc

locret_50313B:				; CODE XREF: KiEntropyQueueDpc(x)+7j
		retn
@KiEntropyQueueDpc@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInitializeUserApc(x, x, x, x, x, x, x)
_KiInitializeUserApc@28	proc near	; CODE XREF: .text:0052E330p

var_36C		= dword	ptr -36Ch
var_368		= dword	ptr -368h
var_364		= dword	ptr -364h
var_360		= dword	ptr -360h
var_35C		= dword	ptr -35Ch
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_74		= dword	ptr -74h
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		push	35Ch
		push	offset dword_6A3E30
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	[ebp+var_364], esi
		mov	edi, ecx
		mov	[ebp+var_36C], edi
		mov	[ebp+var_368], esi
		push	50h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		lea	eax, [ebp+var_74]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	dword ptr [esi+70h], 20000h
		jnz	loc_50338B
		push	2C8h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_340]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_344], 10017h
		lea	eax, [ebp+var_344]
		push	eax
		push	edi
		push	esi
		call	KeContextFromKframes
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [ebp+var_280]
		lea	edx, [ecx-8]
		and	edx, 0FFFFFFFCh
		mov	[ebp+var_35C], edx
		lea	eax, [edx-10h]
		mov	[ebp+var_360], eax
		lea	ebx, [edx-28h]
		mov	[ebp+var_358], ebx
		lea	eax, [ebx-2CCh]
		mov	[ebp+var_350], eax
		add	ebx, 0FFFFFD20h
		mov	[ebp+var_34C], ebx
		sub	ecx, ebx
		mov	[ebp+var_354], ecx
		jz	short loc_503230
		cmp	ecx, 1000h
		jnb	short loc_503230
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_503209
		mov	byte ptr [eax],	0

loc_503209:				; CODE XREF: KiInitializeUserApc(x,x,x,x,x,x,x)+C8j
		mov	al, [ebx]
		mov	ebx, [ebp+var_34C]
		mov	[ebx], al
		mov	ecx, [ebp+var_354]
		cmp	ecx, 4
		jbe	short loc_503239
		dec	ecx
		and	ecx, 0FFFFFFFCh
		mov	al, [ecx+ebx]
		mov	[ecx+ebx], al
		mov	ebx, [ebp+var_34C]
		jmp	short loc_503239
; 

loc_503230:				; CODE XREF: KiInitializeUserApc(x,x,x,x,x,x,x)+B7j
					; KiInitializeUserApc(x,x,x,x,x,x,x)+BFj
		push	4		; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_503239:				; CODE XREF: KiInitializeUserApc(x,x,x,x,x,x,x)+E0j
					; KiInitializeUserApc(x,x,x,x,x,x,x)+F2j
		mov	ecx, 0B3h
		lea	esi, [ebp+var_344]
		mov	edi, [ebp+var_350]
		rep movsd
		mov	edi, 0FFFFFD34h
		mov	ecx, [ebp+var_358]
		mov	[ecx], edi
		mov	edx, [ebp+var_35C]
		mov	eax, edx
		mov	esi, [ebp+var_350]
		sub	eax, esi
		mov	[ecx+4], eax
		mov	[ecx+8], edi
		mov	dword ptr [ecx+0Ch], 2CCh
		and	dword ptr [ecx+10h], 0
		and	dword ptr [ecx+14h], 0
		xor	eax, eax
		mov	ecx, [ebp+var_360]
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		test	[ebp+arg_10], 4
		jz	short loc_50329D
		mov	eax, [ebp+arg_8]
		mov	[ecx], eax
		mov	[edx-0Ch], esi
		mov	[ebp+arg_8], ecx

loc_50329D:				; CODE XREF: KiInitializeUserApc(x,x,x,x,x,x,x)+154j
		mov	eax, [ebp+arg_0]
		mov	[ebx], eax
		mov	eax, [ebp+arg_4]
		mov	[ebx+4], eax
		mov	eax, [ebp+arg_8]
		mov	[ebx+8], eax
		mov	eax, [ebp+arg_C]
		mov	[ebx+0Ch], eax
		mov	eax, dword ptr [ebp+arg_10]
		mov	[ebx+10h], eax
		mov	ecx, [ebp+var_364]
		mov	dword ptr [ecx+6Ch], 1Bh
		push	23h
		pop	eax
		mov	[ecx+78h], eax
		mov	[ecx+34h], eax
		mov	[ecx+30h], eax
		mov	dword ptr [ecx+50h], 3Bh
		xor	edx, edx
		mov	[ecx+2Ch], edx
		mov	eax, [ebp+var_284]
		and	eax, 3F4DD7h
		or	eax, 200h
		mov	[ecx+70h], eax
		mov	[ecx+74h], ebx
		mov	eax, ds:_KeUserApcDispatcher
		mov	[ecx+68h], eax
		mov	[ecx+64h], edx
		push	edx
		push	ecx
		call	KiSetupForInstrumentationReturn
		jmp	short loc_503384
; 

loc_503309:				; DATA XREF: .text:006A3E44o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	[ebp+var_348], eax
		push	50h		; size_t
		push	0		; int
		lea	eax, [ebp+var_74]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	esi, [ebp+var_348]
		push	5
		pop	ecx
		lea	edi, [ebp+var_74]
		rep movsd
		mov	eax, [ebp+var_348]
		mov	eax, [eax+10h]
		shl	eax, 2
		push	eax		; size_t
		mov	eax, [ebp+var_348]
		add	eax, 14h
		push	eax		; void *
		lea	eax, [ebp+var_60]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		inc	eax
		retn
; 

loc_503359:				; DATA XREF: .text:006A3E48o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_368]
		mov	eax, [esi+68h]
		mov	[ebp+var_68], eax
		xor	cl, cl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	1
		push	1
		push	esi
		push	[ebp+var_36C]
		lea	eax, [ebp+var_74]
		push	eax
		call	KiDispatchException

loc_503384:				; CODE XREF: KiInitializeUserApc(x,x,x,x,x,x,x)+1CBj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_50338B:				; CODE XREF: KiInitializeUserApc(x,x,x,x,x,x,x)+3Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_KiInitializeUserApc@28	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1871. PsQueryProcessCommandLine

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsQueryProcessCommandLine
PsQueryProcessCommandLine proc near	; CODE XREF: PAGE:0083E818p
					; SeAuditProcessCreation+8E463p ...

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005D6C39 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 005D6C87 SIZE 0000000A BYTES

		push	5Ch
		push	offset dword_6A3E50
		call	__SEH_prolog4_GS
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_4C], esi
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_5C], edx
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_58], eax
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		xor	ebx, ebx
		mov	[ebp+var_60], ebx
		lea	ecx, [esi+0F0h]
		mov	[ebp+var_68], ecx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	[ebp+var_35], al
		test	al, al
		jz	loc_50354B
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_44], ebx
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [esi+17Ch]
		mov	[ebp+var_6C], eax
		test	eax, eax
		jz	loc_50355F
		mov	eax, [eax+10h]
		mov	[ebp+var_50], eax
		mov	ecx, eax
		add	ecx, 40h
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_5D6C32

loc_50342A:				; CODE XREF: IoFreeWorkItem+D3DD4j
		nop
		mov	eax, [ecx]
		mov	[ebp+var_40], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_3C], eax
		mov	esi, [ebp+var_44]

loc_503439:				; CODE XREF: PsQueryProcessCommandLine+1C5j
		mov	eax, [ebp+var_40]
		sar	eax, 10h
		test	ax, ax
		jz	short loc_50346C
		test	byte ptr [ebp+var_3C], 1
		jnz	loc_50356C
		movzx	edx, word ptr [ebp+var_40+2]
		mov	ecx, [ebp+var_3C]
		add	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	loc_5D6C39
		cmp	edx, ecx
		jb	loc_5D6C39

loc_50346C:				; CODE XREF: PsQueryProcessCommandLine+A0j
					; PsQueryProcessCommandLine+D3899j
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi

loc_503472:				; CODE XREF: sub_5D6C4E+11j
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		test	esi, esi
		js	loc_503529
		mov	eax, [ebp+var_40]
		test	ax, ax
		jz	loc_5D6C87
		mov	cx, word ptr [ebp+var_40+2]
		cmp	ax, cx
		ja	loc_5D6C87
		test	al, 1
		jnz	loc_5D6C87
		test	cl, 1
		jnz	loc_5D6C87
		cmp	[ebp+var_3C], 0
		jz	loc_5D6C87
		movzx	esi, cx
		lea	ecx, [esi+8]
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_58]
		test	eax, eax
		jz	short loc_5034CE
		mov	[eax], ecx

loc_5034CE:				; CODE XREF: PsQueryProcessCommandLine+128j
		cmp	[ebp+arg_8], ecx
		jb	short loc_503552
		mov	ax, word ptr [ebp+var_40]
		mov	edx, [ebp+var_5C]
		mov	[edx], ax
		mov	cx, word ptr [ebp+var_40+2]
		mov	[edx+2], cx
		mov	eax, edx
		add	eax, 8
		mov	[ebp+var_48], eax
		xor	ax, ax
		cmp	ax, cx
		sbb	eax, eax
		mov	ecx, [ebp+var_48]
		and	eax, ecx
		mov	[edx+4], eax
		mov	[ebp+ms_exc.disabled], edi
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		lea	edx, [ebp+var_60]
		push	edx
		push	[ebp+arg_C]
		push	esi
		push	ecx
		push	eax
		push	[ebp+var_3C]
		push	[ebp+var_4C]
		call	MmCopyVirtualMemory
		mov	esi, eax
		test	esi, esi
		js	short loc_503529
		mov	esi, ebx

loc_503529:				; CODE XREF: PsQueryProcessCommandLine+DCj
					; PsQueryProcessCommandLine+183j ...
		cmp	[ebp+var_35], 0
		jz	short loc_503537
		mov	ecx, [ebp+var_68]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_503537:				; CODE XREF: PsQueryProcessCommandLine+18Bj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_50354B:				; CODE XREF: PsQueryProcessCommandLine+40j
		mov	esi, 0C000010Ah
		jmp	short loc_503529
; 

loc_503552:				; CODE XREF: PsQueryProcessCommandLine+12Fj
		mov	esi, 0C0000004h
		mov	[ebp+var_44], esi
		mov	[ebp+ms_exc.disabled], edi
		jmp	short loc_503529
; 

loc_50355F:				; CODE XREF: PsQueryProcessCommandLine+6Aj
		mov	esi, 0C0000225h
		mov	[ebp+var_44], esi
		jmp	loc_503439
; 

loc_50356C:				; CODE XREF: PsQueryProcessCommandLine+A6j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
PsQueryProcessCommandLine endp


;  S U B	R O U T	I N E 


; __stdcall SeSetTokenTrustLink(x, x)
_SeSetTokenTrustLink@8 proc near	; CODE XREF: PsImpersonateClient+1CFp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		mov	[esi+284h], edi
		pop	edi
		pop	esi
		retn
_SeSetTokenTrustLink@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmStoreActionNotify proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DEVICE_FAIL_TYPE,long)+F3p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D6C91 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 1
		jz	short loc_5035CA
		cmp	ecx, 2
		jnz	loc_5D6C91
		mov	edx, [edx+10F0h]
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		xor	eax, eax

loc_5035C6:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreActionNotify+58j
					; SMKM_STORE_MGR_SM_TRAITS___SmStoreActionNotify+D371Fj ...
		pop	ebp
		retn	8
; 

loc_5035CA:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreActionNotify+Bj
		mov	edx, [edx+10F0h]
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	SmKmStoreReference
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFE77h
		add	eax, 0C0000189h
		jmp	short loc_5035C6
SMKM_STORE_MGR_SM_TRAITS___SmStoreActionNotify endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInsertQueueInternal proc near		; CODE XREF: KiWakeOtherQueueWaiters(x,x)+B5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A83B9 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		and	dword ptr [edi], 0
		lea	ebx, [esi+8]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_8], eax
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		jnz	loc_5A83B9

loc_503623:				; CODE XREF: KiInsertQueueInternal+A4DE4j
		mov	ecx, esi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	[ebx], ebx
		jz	short loc_503663
		mov	eax, [esi+18h]
		cmp	eax, [esi+1Ch]
		jnb	short loc_503663
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+0A4h]
		cmp	eax, esi
		jz	loc_5A83D3

loc_503647:				; CODE XREF: KiInsertQueueInternal+A4DF6j
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	edi
		call	KiWakeQueueWaiter
		test	al, al
		jz	short loc_503663

loc_503656:				; CODE XREF: KiInsertQueueInternal+98j
					; KiInsertQueueInternal+9Cj ...
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_503663:				; CODE XREF: KiInsertQueueInternal+42j
					; KiInsertQueueInternal+4Aj ...
		mov	edx, [esi+4]
		lea	eax, [edx+1]
		mov	[esi+4], eax
		lea	eax, [esi+10h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_503694
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		test	edx, edx
		jnz	short loc_503656
		cmp	[ebx], ebx
		jz	short loc_503656
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		jmp	short loc_503656
; 

loc_503694:				; CODE XREF: KiInsertQueueInternal+8Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall MiReleasePushLockUnordered(x, x, x,	x)
_MiReleasePushLockUnordered@16:		; CODE XREF: .text:00471314p
					; .text:004714CCp
		mov	edi, edi
		push	esi
		push	11h
		mov	esi, ecx
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_5036B2
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_5036B2:				; CODE XREF: KiInsertQueueInternal+C1j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	esi
		retn	8
KiInsertQueueInternal endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiChangePageAttributeContiguous(x, x, x)
_MiChangePageAttributeContiguous@12 proc near ;	CODE XREF: MiZeroAndConvertPage(x,x,x,x)+93p
					; MiZeroAndConvertPage(x,x,x,x)+CCp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		imul	esi, ecx, 1Ch
		xor	eax, eax
		imul	ebx, edx, 1Ch
		inc	eax
		push	edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_1], 21h
		add	esi, ds:_MmPfnDatabase
		add	ebx, esi
		mov	[ebp+var_18], ebx
		cmp	esi, ebx
		jnb	loc_503851

loc_5036EC:				; CODE XREF: MiChangePageAttributeContiguous(x,x,x)+18Aj
		xor	edi, edi
		mov	[ebp+var_14], esi
		and	[ebp+var_10], edi
		xor	edx, edx
		inc	edx
		mov	[ebp+var_8], edx
		cmp	esi, ebx
		jnb	loc_50379F

loc_503702:				; CODE XREF: MiChangePageAttributeContiguous(x,x,x)+A9j
		cmp	edi, 1000h
		jnb	short loc_503769
		test	edi, edi
		jnz	short loc_50371D
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edx, [ebp+var_8]
		mov	[ebp+var_1], al
		jmp	short loc_503727
; 

loc_50371D:				; CODE XREF: MiChangePageAttributeContiguous(x,x,x)+4Ej
		lea	eax, [esi+10h]
		lock bts dword ptr [eax], 1Fh
		jb	short loc_503769

loc_503727:				; CODE XREF: MiChangePageAttributeContiguous(x,x,x)+5Dj
		mov	al, [esi+16h]
		mov	ecx, esi
		and	al, 0C0h
		sub	al, 0C0h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, edx
		mov	[ebp+var_8], eax
		call	MiAbortCombineScan
		cmp	[ebp+var_C], 0
		jz	short loc_50375C
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_MiPfnZeroingNeeded@8 ;	MiPfnZeroingNeeded(x,x)
		neg	eax
		sbb	eax, eax
		not	eax
		and	[ebp+var_C], eax

loc_50375C:				; CODE XREF: MiChangePageAttributeContiguous(x,x,x)+89j
		mov	edx, [ebp+var_8]
		inc	edi
		push	1Ch
		pop	eax
		add	esi, eax
		cmp	esi, ebx
		jb	short loc_503702

loc_503769:				; CODE XREF: MiChangePageAttributeContiguous(x,x,x)+4Aj
					; MiChangePageAttributeContiguous(x,x,x)+67j
		test	edx, edx
		jnz	short loc_50379F
		inc	dword_6D06D8
		push	2
		pop	edx
		push	4
		pop	ecx
		call	KeFlushTb
		cmp	edi, dword_6D06E4
		jb	short loc_50379C
		xor	esi, esi
		inc	esi
		cmp	[ebp+arg_0], esi
		jz	short loc_50379C
		inc	dword_6D06DC
		call	KeInvalidateAllCaches
		mov	[ebp+var_10], esi

loc_50379C:				; CODE XREF: MiChangePageAttributeContiguous(x,x,x)+C6j
					; MiChangePageAttributeContiguous(x,x,x)+CEj
		mov	edx, [ebp+var_8]

loc_50379F:				; CODE XREF: MiChangePageAttributeContiguous(x,x,x)+3Ej
					; MiChangePageAttributeContiguous(x,x,x)+ADj
		mov	esi, [ebp+var_14]
		and	[ebp+var_14], 0
		test	edi, edi
		jz	loc_503832
		mov	bl, byte ptr [ebp+arg_0]
		shl	bl, 6

loc_5037B4:				; CODE XREF: MiChangePageAttributeContiguous(x,x,x)+16Fj
		mov	al, [esi+16h]
		movzx	ecx, al
		and	al, 3Fh
		or	al, bl
		shr	ecx, 6
		cmp	[ebp+var_10], 0
		mov	[esi+16h], al
		jnz	short loc_5037FF
		test	edx, edx
		jnz	short loc_5037FF
		cmp	[ebp+arg_0], 1
		jz	short loc_5037FF
		cmp	ecx, [ebp+arg_0]
		jz	short loc_5037FF
		cmp	ecx, 1
		jnz	short loc_5037FF
		push	[ebp+arg_0]
		mov	eax, esi
		inc	dword_6D06E0
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		call	_MiFlushCacheForAttributeChange@12 ; MiFlushCacheForAttributeChange(x,x,x)

loc_5037FF:				; CODE XREF: MiChangePageAttributeContiguous(x,x,x)+10Aj
					; MiChangePageAttributeContiguous(x,x,x)+10Ej ...
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	_MiSetPfnTbFlushStamp@12 ; MiSetPfnTbFlushStamp(x,x,x)
		mov	edx, [ebp+var_14]
		lea	eax, [edi-1]
		cmp	edx, eax
		jnb	short loc_50381F
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_50381F:				; CODE XREF: MiChangePageAttributeContiguous(x,x,x)+154j
		push	1Ch
		pop	eax
		add	esi, eax
		inc	edx
		mov	[ebp+var_14], edx
		cmp	edx, edi
		mov	edx, [ebp+var_8]
		jb	short loc_5037B4
		mov	ebx, [ebp+var_18]

loc_503832:				; CODE XREF: MiChangePageAttributeContiguous(x,x,x)+EAj
		lea	ecx, [esi-0Ch]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	esi, ebx
		jb	loc_5036EC
		mov	eax, [ebp+var_C]

loc_503851:				; CODE XREF: MiChangePageAttributeContiguous(x,x,x)+28j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiChangePageAttributeContiguous@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiTryLockNestedPageAtDpcInline(x)
_MiTryLockNestedPageAtDpcInline@4 proc near ; CODE XREF: MiDeleteClusterPage(x,x)+13Ap
					; MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+302p
		lea	eax, [ecx+10h]
		lock bts dword ptr [eax], 1Fh
		push	0
		pop	eax
		setnb	al
		retn
_MiTryLockNestedPageAtDpcInline@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiFlushEntireTbDueToAttributeChange()
_MiFlushEntireTbDueToAttributeChange@0 proc near ; CODE	XREF: PAGE:00793918p
					; MiRemovePhysicalMemory(x,x,x)+272p
		mov	edi, edi
		push	ecx
		inc	dword_6D06D8
		push	2
		pop	edx
		push	4
		pop	ecx
		call	KeFlushTb
		pop	ecx
		retn
_MiFlushEntireTbDueToAttributeChange@0 endp


;  S U B	R O U T	I N E 


KiPollFreezeExecution proc near		; CODE XREF: KeResumeClockTimerFromIdle:loc_48CB5Ep
					; KiIpiGenericCallTarget:loc_561F5Dp ...

; FUNCTION CHUNK AT 005D6CBE SIZE 00000017 BYTES

		mov	eax, large fs:20h
		push	ebx
		lea	ecx, [eax+21A0h]
		mov	eax, [ecx]
		test	al, 4
		jnz	loc_5D6CBE
		xor	bl, bl
		pause

loc_503899:				; CODE XREF: KiPollFreezeExecution+D3452j
		mov	al, bl
		pop	ebx
		retn
KiPollFreezeExecution endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetNextPageTableTail(x)
_MiGetNextPageTableTail@4 proc near	; DATA XREF: MiGetNextPageTable+ADo
					; MiIsCfgBitMapPageShared(x,x)+12Ao ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jnz	short loc_5038B5

loc_5038AE:				; CODE XREF: MiGetNextPageTableTail(x)+1Cj
		xor	eax, eax
		pop	ecx
		pop	ebp
		retn	4
; 

loc_5038B5:				; CODE XREF: MiGetNextPageTableTail(x)+Ej
		call	MiFlushTbList
		jmp	short loc_5038AE
_MiGetNextPageTableTail@4 endp


;  S U B	R O U T	I N E 


KiGetAllocatedXSaveArea	proc near	; CODE XREF: KeContextToKframes:loc_446158p
					; KeContextFromKframes:loc_4B4EE5p

; FUNCTION CHUNK AT 005D6CD5 SIZE 0000000D BYTES

		mov	eax, [ecx+10Ch]
		test	eax, eax
		jnz	loc_5D6CD7
		retn
KiGetAllocatedXSaveArea	endp

; 
		align 10h
; Exported entry 2027. RtlDecompressFragmentEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDecompressFragmentEx(x, x, x, x,	x, x, x, x, x)
		public _RtlDecompressFragmentEx@36
_RtlDecompressFragmentEx@36 proc near

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, [ebp+arg_0]
		test	ax, ax
		jz	short loc_503912
		cmp	eax, 1
		jz	short loc_503912
		cmp	eax, 4
		ja	short loc_50390B
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	ds:_RtlDecompressFragmentProcs[eax*4]

loc_503907:				; CODE XREF: RtlDecompressFragmentEx(x,x,x,x,x,x,x,x,x)+40j
					; RtlDecompressFragmentEx(x,x,x,x,x,x,x,x,x)+47j
		pop	ebp
		retn	24h
; 

loc_50390B:				; CODE XREF: RtlDecompressFragmentEx(x,x,x,x,x,x,x,x,x)+16j
		mov	eax, 0C000025Fh
		jmp	short loc_503907
; 

loc_503912:				; CODE XREF: RtlDecompressFragmentEx(x,x,x,x,x,x,x,x,x)+Cj
					; RtlDecompressFragmentEx(x,x,x,x,x,x,x,x,x)+11j
		mov	eax, 0C000000Dh
		jmp	short loc_503907
_RtlDecompressFragmentEx@36 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2023. RtlDecompressBufferEx2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDecompressBufferEx2(x, x, x, x, x, x, x,	x)
		public _RtlDecompressBufferEx2@32
_RtlDecompressBufferEx2@32 proc	near

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, [ebp+arg_0]
		test	ax, ax
		jz	short loc_50395D
		cmp	eax, 1
		jz	short loc_50395D
		cmp	eax, 4
		ja	short loc_503956
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	ds:_RtlDecompressBufferProcs[eax*4]

loc_503952:				; CODE XREF: RtlDecompressBufferEx2(x,x,x,x,x,x,x,x)+3Dj
					; RtlDecompressBufferEx2(x,x,x,x,x,x,x,x)+44j
		pop	ebp
		retn	20h
; 

loc_503956:				; CODE XREF: RtlDecompressBufferEx2(x,x,x,x,x,x,x,x)+16j
		mov	eax, 0C000025Fh
		jmp	short loc_503952
; 

loc_50395D:				; CODE XREF: RtlDecompressBufferEx2(x,x,x,x,x,x,x,x)+Cj
					; RtlDecompressBufferEx2(x,x,x,x,x,x,x,x)+11j
		mov	eax, 0C000000Dh
		jmp	short loc_503952
_RtlDecompressBufferEx2@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LZNT1DecompressChunkNewThread(x, x,	x, x, x, x)
_LZNT1DecompressChunkNewThread@24 proc near ; CODE XREF: RtlDecompressFragmentLZNT1+129p
					; RtlDecompressBufferLZNT1+B9p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		mov	eax, ds:_MmUserProbeAddress
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ecx
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	esi, eax
		jbe	short loc_503A00
		cmp	edi, eax
		jbe	short loc_503A00
		mov	eax, ebx
		sub	eax, esi
		cmp	eax, [ebp+arg_C]
		jl	short loc_503A00
		mov	ecx, offset _RtlLznt1DecompressChunkLookaside
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_503A00
		mov	eax, [ebp+arg_8]
		and	dword ptr [ecx], 0
		mov	[ecx+1Ch], eax
		lea	eax, [ecx+24h]
		mov	[ecx+20h], eax
		mov	eax, [ebp+var_4]
		mov	dword ptr [ecx+8], offset LZNT1DecompressChunkWorkItem
		mov	[ecx+0Ch], ecx
		mov	[ecx+10h], esi
		mov	[ecx+14h], ebx
		mov	[ecx+18h], edi
		mov	[ecx+28h], eax
		lock inc dword ptr [eax+10h]
		mov	eax, large fs:124h
		cmp	dword ptr [eax+150h], offset _KiInitialProcess
		jz	short loc_5039FB
		movsx	eax, byte ptr [eax+87h]

loc_5039E8:				; CODE XREF: LZNT1DecompressChunkNewThread(x,x,x,x,x,x)+9Aj
		add	eax, 20h
		push	eax
		push	ecx
		call	ExQueueWorkItem
		xor	eax, eax

loc_5039F4:				; CODE XREF: LZNT1DecompressChunkNewThread(x,x,x,x,x,x)+ABj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_5039FB:				; CODE XREF: LZNT1DecompressChunkNewThread(x,x,x,x,x,x)+7Bj
		xor	eax, eax
		inc	eax
		jmp	short loc_5039E8
; 

loc_503A00:				; CODE XREF: LZNT1DecompressChunkNewThread(x,x,x,x,x,x)+20j
					; LZNT1DecompressChunkNewThread(x,x,x,x,x,x)+24j ...
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_8]
		push	edi
		push	ebx
		push	esi
		call	_LZNT1DecompressChunk@20 ; LZNT1DecompressChunk(x,x,x,x,x)
		jmp	short loc_5039F4
_LZNT1DecompressChunkNewThread@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFinalizeImageHeaderPage proc near	; CODE XREF: MiCreateNewSection(x,x)+5DAp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D6CE2 SIZE 00000099 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, dword_6D0704
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		mov	ecx, dword_6D0700
		mov	eax, ecx
		or	eax, edx
		mov	esi, [edi+8]
		mov	ebx, [edi+0Ch]
		jz	short loc_503A48
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_503A48
		not	edx
		and	ebx, edx

loc_503A48:				; CODE XREF: MiFinalizeImageHeaderPage+26j
					; MiFinalizeImageHeaderPage+30j
		push	dword ptr [edi+0Ch]
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	dword ptr [edi+8]
		mov	ecx, offset _MiSystemPartition
		xor	esi, esi
		push	eax
		call	MiUseSlabAllocator
		test	eax, eax
		jnz	loc_5D6CE2

loc_503A68:				; CODE XREF: MiFinalizeImageHeaderPage+D32F1j
					; MiFinalizeImageHeaderPage+D32FAj ...
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, edi
		mov	bl, al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		test	esi, esi
		jnz	loc_5D6D3F

loc_503A80:				; CODE XREF: MiFinalizeImageHeaderPage+D3333j
					; MiFinalizeImageHeaderPage+D3364j
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	short loc_503A9C

loc_503A97:				; CODE XREF: MiFinalizeImageHeaderPage+91j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_503A9C:				; CODE XREF: MiFinalizeImageHeaderPage+83j
		mov	ecx, esi
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		jmp	short loc_503A97
MiFinalizeImageHeaderPage endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmRemoveExecuteGrants()
_MmRemoveExecuteGrants@0 proc near	; CODE XREF: PAGE:007A85A7p

var_F0		= dword	ptr -0F0h
var_EA		= byte ptr -0EAh
var_E0		= dword	ptr -0E0h
var_D8		= dword	ptr -0D8h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0F0h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0F0h+var_4], eax
		push	ebx
		push	esi
		push	98h		; size_t
		xor	ebx, ebx
		lea	eax, [esp+0FCh+var_A0]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+0F8h+var_F0]
		push	4Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		mov	esi, [eax+80h]
		mov	eax, 8006h
		mov	word ptr [esp+0F8h+var_F0], ax
		add	esi, 240h
		lea	eax, [esp+0F8h+var_A0]
		mov	[esp+0F8h+var_B0], offset _MiRevokeExecutePte@12 ; MiRevokeExecutePte(x,x,x)
		mov	[esp+0F8h+var_A8], eax
		mov	ecx, esi
		mov	eax, dword_6D07D0
		dec	eax
		mov	[esp+0F8h+var_AC], offset _MiRevokeExecuteTail@4 ; MiRevokeExecuteTail(x)
		mov	[esp+0F8h+var_E0], esi
		mov	[esp+0F8h+var_D8], eax
		mov	[esp+0F8h+var_A0], 1
		mov	[esp+0F8h+var_9C], bx
		mov	[esp+0F8h+var_90], ebx
		mov	[esp+0F8h+var_98], 21h
		mov	[esp+0F8h+var_8C], ebx
		call	MiLockWorkingSetShared
		lea	ecx, [esp+0F8h+var_F0]
		mov	[esp+0F8h+var_EA], al
		call	MiWalkPageTables
		mov	dl, [esp+0F8h+var_EA]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		lea	ecx, [esp+0F8h+var_A0]
		call	MiFlushTbList
		mov	ecx, [esp+0F8h+var_4]
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_MmRemoveExecuteGrants@0 endp


;  S U B	R O U T	I N E 


MiMakePagefileWriterEntryAvailable proc	near ; CODE XREF: MiGatherPagefilePages+6F5p
					; MiWriteComplete+47Ep	...

; FUNCTION CHUNK AT 005D6D7B SIZE 00000016 BYTES

		mov	eax, [ecx+54h]
		mov	edx, [ecx+78h]
		push	esi
		mov	esi, 800h
		add	edx, 220h
		test	[eax+74h], si
		pop	esi
		jnz	loc_5D6D7B
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	short loc_503BB3
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[edx+4], ecx
		retn
; 

loc_503BB3:				; CODE XREF: MiMakePagefileWriterEntryAvailable+22j
					; MiMakePagefileWriterEntryAvailable+D31FCj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall MiApplyBytestreamFixup(x, x, x)
_MiApplyBytestreamFixup@12:		; CODE XREF: MiSwitchBaseAddress+75p
					; MiSwitchBaseAddress+84p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+8]
		mov	ecx, edx
		cdq
		add	[ecx], eax
		adc	[ecx+4], edx
		pop	ebp
		retn	4
MiMakePagefileWriterEntryAvailable endp

; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 616. FsRtlNumberOfRunsInBaseMcb
; Exported entry 1243. KeReadStateEvent
; Exported entry 1244. KeReadStateMutant
; Exported entry 1245. KeReadStateMutex
; Exported entry 1246. KeReadStateQueue
; Exported entry 1247. KeReadStateSemaphore

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeReadStateSemaphore(x)
		public _KeReadStateSemaphore@4
_KeReadStateSemaphore@4	proc near	; CODE XREF: .text:0052A4FFp
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+DEDp ...

arg_0		= dword	ptr  8

		mov	edi, edi	; FsRtlNumberOfRunsInBaseMcb
					; KeReadStateEvent
					; KeReadStateMutant
					; KeReadStateMutex
					; KeReadStateQueue
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+4]
		pop	ebp
		retn	4
_KeReadStateSemaphore@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpRemovePoolTrackerExpansion proc near	; CODE XREF: ExFreeHeapPool+7E9p
					; ExpInsertPoolTrackerExpansion+DF764p	...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D6D91 SIZE 0000014A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_C], ecx
		lea	edi, [ebp+var_18]
		mov	esi, edx
		stosd
		lea	edx, [ebp+var_18]
		mov	ecx, offset _ExpTaggedPoolLock
		mov	[ebp+var_8], esi
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ebx, [ebp+arg_0]
		and	ebx, 20h
		mov	[ebp+var_4], ebx
		jz	loc_5D6D91
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	edx, [eax+2424h]
		mov	ecx, [eax+2428h]

loc_503C45:				; CODE XREF: ExpRemovePoolTrackerExpansion+D31ADj
		xor	eax, eax
		test	ecx, ecx
		jz	loc_5D6DDB
		mov	edi, edx

loc_503C51:				; CODE XREF: ExpRemovePoolTrackerExpansion+72j
		mov	ebx, [edi]
		cmp	ebx, [ebp+var_C]
		jz	short loc_503C6C
		test	ebx, ebx
		jz	short loc_503C64
		inc	eax
		add	edi, 30h
		cmp	eax, ecx
		jb	short loc_503C51

loc_503C64:				; CODE XREF: ExpRemovePoolTrackerExpansion+6Aj
		mov	ebx, [ebp+var_4]
		jmp	loc_5D6DDB
; 

loc_503C6C:				; CODE XREF: ExpRemovePoolTrackerExpansion+66j
		imul	eax, 30h
		xor	edi, edi
		inc	edi
		add	eax, edx
		test	byte ptr [ebp+arg_0], 1
		jz	loc_5D6DA2
		add	[eax+28h], edi
		adc	dword ptr [eax+2Ch], 0
		sub	[eax+18h], esi

loc_503C88:				; CODE XREF: ExpRemovePoolTrackerExpansion+D31BCj
		test	ds:byte_70EFC6,	1
		jnz	loc_5D6DB1
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_5D6DC9
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_5D6DC1

loc_503CB7:				; CODE XREF: ExpRemovePoolTrackerExpansion+D31CCj
					; ExpRemovePoolTrackerExpansion+D31E6j
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_503CC0:				; CODE XREF: ExpRemovePoolTrackerExpansion+D32E6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
ExpRemovePoolTrackerExpansion endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnlockPageTableRange(x, x)
_MiUnlockPageTableRange@8 proc near	; CODE XREF: MiLockPageTableRange+D612Dp
					; MmStoreFreeVirtualMemory(x)+2Ep

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+80h]
		mov	ebx, edx
		shr	ebx, 12h
		mov	esi, ecx
		add	edi, 240h
		and	ebx, 3FF8h
		mov	ecx, edi
		sub	ebx, 3FA00000h
		call	MiLockWorkingSetShared
		shr	esi, 12h
		and	esi, 3FF8h
		mov	[ebp+var_1], al
		sub	esi, 3FA00000h
		cmp	esi, ebx
		ja	short loc_503D52

loc_503D13:				; CODE XREF: MiUnlockPageTableRange(x,x)+85j
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	MiLockPageTableInternal
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		shrd	ecx, eax, 0Ch
		push	2
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		pop	edx
		add	ecx, ds:_MmPfnDatabase
		call	_MiUnlockPageTableCharges@8 ; MiUnlockPageTableCharges(x,x)
		mov	edx, esi
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		add	esi, 8
		cmp	esi, ebx
		jbe	short loc_503D13
		mov	al, [ebp+var_1]

loc_503D52:				; CODE XREF: MiUnlockPageTableRange(x,x)+49j
		mov	dl, al
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiUnlockPageTableRange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateSystemPageTableTail(x)
_MiCreateSystemPageTableTail@4 proc near ; DATA	XREF: MiMakeZeroedPageTablesEx+182o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+48h]
		add	ecx, 2Ch
		call	MiFlushTbList
		xor	eax, eax
		pop	ecx
		pop	ebp
		retn	4
_MiCreateSystemPageTableTail@4 endp

; 
		align 10h
; Exported entry 1776. PsGetCurrentThreadProcess

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentThreadProcess()
		public _PsGetCurrentThreadProcess@0
_PsGetCurrentThreadProcess@0 proc near	; CODE XREF: SeCheckForCriticalAceRemoval+65p
					; CmpCheckKeySecurityDescriptorAccess+6Cp ...
		mov	eax, large fs:124h
		mov	eax, [eax+150h]
		retn
_PsGetCurrentThreadProcess@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiGetNextClockOwner proc near		; CODE XREF: KeResumeClockTimerFromIdle+212p

; FUNCTION CHUNK AT 005D6EDB SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_KiClockTimerPerCpu,	0
		push	esi
		mov	esi, ecx
		jz	short loc_503DC9
		mov	edx, offset _KiClockOwnerAllowedCpuSetVersion
		mov	ecx, offset _KiClockOwnerAllowedCpuSet
		call	KeQuerySystemAllowedCpuSetAffinity
		mov	eax, dword_6CAE08
		mov	ecx, [esi+3CCh]
		shr	eax, cl
		test	al, 1
		jz	loc_5D6EDB

loc_503DC4:				; CODE XREF: KiGetNextClockOwner+D3167j
		mov	eax, ecx

loc_503DC6:				; CODE XREF: KiGetNextClockOwner+41j
					; KiGetNextClockOwner+D3161j
		pop	esi
		leave
		retn
; 

loc_503DC9:				; CODE XREF: KiGetNextClockOwner+10j
		mov	eax, [esi+3CCh]
		jmp	short loc_503DC6
KiGetNextClockOwner endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmGenericCompletion(x, x,	x)
_SmKmGenericCompletion@12 proc near	; DATA XREF: IoSynchronousCallDriver(x,x)+31o
					; WmipForwardWmiIrp+D4o ...

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	[ebp+arg_8]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, 0C0000016h
		pop	ebp
		retn	0Ch
_SmKmGenericCompletion@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2491. SeQuerySecurityAttributesTokenAccessInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeQuerySecurityAttributesTokenAccessInformation
SeQuerySecurityAttributesTokenAccessInformation	proc near

var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005D6EFA SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2BCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2BCh+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_14]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	edi, [ebp+arg_4]
		push	2A8h		; size_t
		mov	[esp+2CCh+var_2B8], eax
		lea	eax, [esp+2CCh+var_2B0]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+arg_10], 0
		jz	loc_5D6EFA
		test	esi, esi
		jz	short loc_503E8A

loc_503E43:				; CODE XREF: SeQuerySecurityAttributesTokenAccessInformation+D3110j
		lea	eax, [esp+2C8h+var_2B4]
		push	eax
		push	2A8h
		lea	eax, [esp+2D0h+var_2B0]
		push	eax
		push	[esp+2D4h+var_2B8]
		call	_SeTokenFromAccessInformation@16 ; SeTokenFromAccessInformation(x,x,x,x)
		test	eax, eax
		js	short loc_503E73
		push	ebx		; int
		push	[ebp+arg_10]	; size_t
		lea	ecx, [esp+2D0h+var_2B0]
		push	esi		; size_t
		push	0		; int
		push	[ebp+arg_8]	; int
		push	edi		; int
		call	SepInternalQuerySecurityAttributesTokenEx

loc_503E73:				; CODE XREF: SeQuerySecurityAttributesTokenAccessInformation+6Bj
					; SeQuerySecurityAttributesTokenAccessInformation+9Dj
		mov	ecx, [esp+2C8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_503E8A:				; CODE XREF: SeQuerySecurityAttributesTokenAccessInformation+4Fj
					; SeQuerySecurityAttributesTokenAccessInformation+D310Aj
		mov	eax, 0C000000Dh
		jmp	short loc_503E73
SeQuerySecurityAttributesTokenAccessInformation	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2516. SeTokenFromAccessInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeTokenFromAccessInformation(x, x, x, x)
		public _SeTokenFromAccessInformation@16
_SeTokenFromAccessInformation@16 proc near
					; CODE XREF: SeQuerySecurityAttributesTokenAccessInformation+64p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, 2A8h
		cmp	[ebp+arg_8], ecx
		jb	short loc_503EB6
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_SepTokenFromAccessInformation@8 ; SepTokenFromAccessInformation(x,x)
		xor	eax, eax

loc_503EB2:				; CODE XREF: SeTokenFromAccessInformation(x,x,x,x)+2Aj
		pop	ebp
		retn	10h
; 

loc_503EB6:				; CODE XREF: SeTokenFromAccessInformation(x,x,x,x)+Dj
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	eax, 0C0000023h
		jmp	short loc_503EB2
_SeTokenFromAccessInformation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeTokenGetNoChildProcessRestricted(x, x, x,	x)
_SeTokenGetNoChildProcessRestricted@16 proc near ; CODE	XREF: SeSubProcessToken+F9p
					; PspGetNoChildProcessRestrictedPolicy+2Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, edx
		mov	esi, ecx
		nop
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceSharedLite
		mov	ecx, [esi+30h]
		mov	ebx, [esi+0B0h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, ebx
		mov	ecx, ebx
		shr	eax, 13h
		and	al, 1
		shr	ecx, 14h
		mov	[edi], al
		and	cl, 1
		mov	eax, [ebp+arg_0]
		shr	ebx, 15h
		pop	edi
		and	bl, 1
		mov	[eax], cl
		mov	eax, [ebp+arg_4]
		pop	esi
		mov	[eax], bl
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_SeTokenGetNoChildProcessRestricted@16 endp


;  S U B	R O U T	I N E 


ExReturnPoolQuota proc near		; CODE XREF: IopFreeIrp+187p
					; IopFreeMiniCompletionPacket(x)+7Dp

; FUNCTION CHUNK AT 005D6F07 SIZE 00000034 BYTES

		mov	eax, _ExpSpecialAllocations
		push	esi
		mov	esi, ecx
		test	eax, eax
		jnz	loc_5D6F07

loc_503F3A:				; CODE XREF: ExReturnPoolQuota+D2FF1j
		add	esi, 0FFFFFFF8h
		push	ebx
		movzx	ebx, word ptr [esi+2]
		shr	ebx, 9
		test	bl, 8
		jz	short loc_503F93
		push	edi
		mov	ecx, esi
		call	ExpGetBilledProcess
		mov	edi, eax
		test	edi, edi
		jz	short loc_503F92
		movzx	edx, word ptr [esi+2]
		mov	eax, 1FFh
		and	edx, eax
		mov	ecx, edx
		test	bl, 4
		jnz	loc_5D6F20

loc_503F6E:				; CODE XREF: ExReturnPoolQuota+D300Cj
		mov	eax, ds:_ExpPoolQuotaCookie
		and	ebx, 1
		xor	eax, esi
		mov	[esi+edx*8-4], eax
		mov	eax, ecx
		shl	eax, 3
		push	eax
		push	ebx
		push	edi
		call	_PsReturnPoolQuota@12 ;	PsReturnPoolQuota(x,x,x)
		push	dword ptr [esi+4]
		push	edi
		call	ObDereferenceObjectDeferDeleteWithTag

loc_503F92:				; CODE XREF: ExReturnPoolQuota+2Cj
		pop	edi

loc_503F93:				; CODE XREF: ExReturnPoolQuota+1Ej
		pop	ebx

loc_503F94:				; CODE XREF: ExReturnPoolQuota+D2FEBj
		pop	esi
		retn
ExReturnPoolQuota endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1891. PsReturnPoolQuota

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReturnPoolQuota(x, x, x)
		public _PsReturnPoolQuota@12
_PsReturnPoolQuota@12 proc near		; CODE XREF: ExReturnPoolQuota+5Ap
					; VdmpDelayInterrupt(x)+336p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		cmp	edx, ds:_PsInitialSystemProcess
		jz	short loc_503FC4
		push	[ebp+arg_8]
		mov	ecx, [edx+188h]
		xor	eax, eax
		cmp	[ebp+arg_4], 1
		setz	al
		push	eax
		call	PspReturnQuota

loc_503FC4:				; CODE XREF: PsReturnPoolQuota(x,x,x)+Ej
		pop	ebp
		retn	0Ch
_PsReturnPoolQuota@12 endp


;  S U B	R O U T	I N E 


ExpGetBilledProcess proc near		; CODE XREF: ExReturnPoolQuota+23p
					; ExQueryPoolBlockSize(x,x)+52p

; FUNCTION CHUNK AT 005040B6 SIZE 0000012B BYTES
; FUNCTION CHUNK AT 0050421C SIZE 00000016 BYTES
; FUNCTION CHUNK AT 005D6F3B SIZE 000000AB BYTES

		mov	edx, ecx
		movzx	ecx, word ptr [edx+2]
		test	ecx, 1000h
		jz	short loc_504005
		and	ecx, 1FFh
		mov	ecx, [edx+ecx*8-4]
		xor	ecx, ds:_ExpPoolQuotaCookie
		xor	ecx, edx
		jz	short loc_504002
		cmp	ecx, ds:_MmSystemRangeStart
		jb	loc_5D6F3B
		mov	al, [ecx]
		and	al, 7Fh
		cmp	al, 3
		jnz	loc_5D6F3B

loc_504002:				; CODE XREF: ExpGetBilledProcess+20j
		mov	eax, ecx
		retn
; 

loc_504005:				; CODE XREF: ExpGetBilledProcess+Cj
		xor	eax, eax
		retn
ExpGetBilledProcess endp


;  S U B	R O U T	I N E 


; __stdcall PpmParkMaximumCoresParked()
_PpmParkMaximumCoresParked@0 proc near	; CODE XREF: PpmCheckMakeupSkippedChecks:loc_48F6E1p
		xor	edx, edx
		push	ebx
		mov	bl, 1
		cmp	_PpmParkNumNodes, edx
		jz	short loc_504049
		xor	ecx, ecx
		push	esi

loc_504018:				; CODE XREF: PpmParkMaximumCoresParked()+3Ej
		imul	eax, ecx, 0D0h
		push	0FFFFFFA6h
		pop	esi
		add	eax, _PpmParkNodes
		sub	esi, eax
		lea	ecx, [eax+5Ah]

loc_50402C:				; CODE XREF: PpmParkMaximumCoresParked()+32j
		mov	al, [ecx+0Dh]
		cmp	al, [ecx]
		ja	short loc_50404D
		inc	ecx
		lea	eax, [esi+ecx]
		cmp	eax, 2
		jb	short loc_50402C

loc_50403C:				; CODE XREF: PpmParkMaximumCoresParked()+47j
		inc	edx
		movzx	ecx, dx
		cmp	ecx, _PpmParkNumNodes
		jb	short loc_504018
		pop	esi

loc_504049:				; CODE XREF: PpmParkMaximumCoresParked()+Bj
		mov	al, bl
		pop	ebx
		retn
; 

loc_50404D:				; CODE XREF: PpmParkMaximumCoresParked()+29j
		xor	bl, bl
		jmp	short loc_50403C
_PpmParkMaximumCoresParked@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ExpWorkerFactoryWantsToCreate(x, x)
_ExpWorkerFactoryWantsToCreate@8 proc near ; CODE XREF:	.text:0052AB58p
		cmp	dword ptr [ecx+60h], 0
		push	ebx
		jnz	short loc_504073
		mov	eax, [ecx+4Ch]
		xor	ebx, ebx
		cmp	edx, 1
		setz	bl
		add	eax, ebx
		cmp	[ecx+50h], eax
		jnb	short loc_504073
		mov	edx, [ecx+4]
		cmp	[edx+10h], ebx
		jbe	short loc_504077

loc_504073:				; CODE XREF: ExpWorkerFactoryWantsToCreate(x,x)+5j
					; ExpWorkerFactoryWantsToCreate(x,x)+17j ...
		xor	al, al
		pop	ebx
		retn
; 

loc_504077:				; CODE XREF: ExpWorkerFactoryWantsToCreate(x,x)+1Fj
		mov	ecx, [edx+4]
		cmp	dword ptr [ecx+4], 0
		jnz	short loc_504086
		cmp	dword ptr [edx+0Ch], 0
		jbe	short loc_504073

loc_504086:				; CODE XREF: ExpWorkerFactoryWantsToCreate(x,x)+2Cj
		mov	al, 1
		pop	ebx
		retn
_ExpWorkerFactoryWantsToCreate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPfCoalesceAndIssueIOs	proc near	; CODE XREF: MiPfCompletePrefetchIos(x,x,x)+57p
					; MiPrefetchVirtualMemory+4CAp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		mov	ebx, edx
		mov	eax, ecx
		xor	edx, edx
		mov	[ebp+var_8], eax
		and	[ebp+var_10], edx
		lea	ecx, [ebp+var_28]
		and	[ebp+var_14], edx
		and	[ebp+var_1C], edx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_24], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_18], edx
MiPfCoalesceAndIssueIOs	endp

; START	OF FUNCTION CHUNK FOR ExpGetBilledProcess

loc_5040B6:				; CODE XREF: ExpGetBilledProcess+1FEj
					; sub_5041E1+1Ej ...
		mov	esi, [eax]
		cmp	esi, eax
		jnz	short loc_5040E6
		lea	eax, [ebp-28h]
		cmp	[ebp-28h], eax
		jnz	sub_504204

loc_5040C8:				; CODE XREF: sub_504204+Dj
					; ExpGetBilledProcess+260j
		xor	edi, edi

loc_5040CA:				; CODE XREF: sub_5041E1+Dj
					; sub_504204+13j
		cmp	dword ptr [ebp+8], 0
		jnz	short loc_5040DD

loc_5040D0:				; CODE XREF: ExpGetBilledProcess+D3019j
		mov	eax, [ebp-8]
		mov	esi, [eax]
		cmp	esi, eax
		jnz	loc_5D6FA8

loc_5040DD:				; CODE XREF: ExpGetBilledProcess+106j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_5040E6:				; CODE XREF: ExpGetBilledProcess+F2j
		mov	ecx, [esi+70h]
		cmp	ecx, 100000h
		mov	[ebp-20h], ecx
		lea	ecx, [ebp-28h]
		jnb	loc_5D6F50
		cmp	[ebp-28h], ecx
		jnz	loc_5041D3
		test	edi, edi
		jnz	loc_50421C

loc_50410C:				; CODE XREF: ExpGetBilledProcess+25Aj
		mov	edi, [esi+3Ch]
		mov	ecx, [esi+38h]
		mov	eax, [esi+7Ch]
		mov	[ebp-10h], ecx
		mov	[ebp-14h], edi
		mov	[ebp-1Ch], eax
		mov	[ebp-0Ch], edi

loc_504121:				; CODE XREF: ExpGetBilledProcess+214j
		mov	edx, [ebp-14h]
		cmp	edx, [ebp-0Ch]
		mov	edx, [ebp-18h]
		jg	sub_5041E1
		jl	short loc_50413B
		cmp	[ebp-10h], ecx
		ja	sub_5041E1

loc_50413B:				; CODE XREF: ExpGetBilledProcess+168j
		mov	edi, [ebp-1Ch]
		cmp	edi, [esi+7Ch]
		mov	edi, [ebp+8]
		jnz	sub_5041E1
		sub	ecx, [ebp-10h]
		mov	eax, [ebp-14h]
		sbb	[ebp-0Ch], eax
		mov	eax, [ebp-20h]
		add	eax, ecx
		cmp	dword ptr [ebp-0Ch], 0
		mov	[ebp-20h], eax
		mov	eax, [ebp-8]
		ja	short sub_5041E1
		jb	short loc_50416E
		cmp	ecx, 20000h
		ja	short sub_5041E1

loc_50416E:				; CODE XREF: ExpGetBilledProcess+19Cj
		mov	ecx, [ebp-20h]
		add	ecx, edx
		mov	[ebp-18h], ecx
		cmp	ecx, 100000h
		ja	short sub_5041E1
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_50422D
		mov	edx, [esi+4]
		cmp	[edx], esi
		jnz	loc_50422D
		mov	[edx], ecx
		mov	[ecx+4], edx
		lea	edx, [ebp-28h]
		mov	ecx, [ebp-24h]
		cmp	[ecx], edx
		jnz	loc_50422D
		mov	[esi+4], ecx
		mov	[esi], edx
		mov	edx, [ebp-18h]
		mov	[ecx], esi
		mov	ecx, [ebp-10h]
		add	ecx, [ebp-20h]
		mov	[ebp-24h], esi
		adc	dword ptr [ebp-14h], 0
		mov	[ebp-18h], edx
		mov	[ebp-10h], ecx
		test	edi, edi
		jz	loc_5040B6
		mov	eax, [esi+70h]
		sub	[edi], eax
		jmp	short loc_5041FC
; 

loc_5041D3:				; CODE XREF: ExpGetBilledProcess+136j
					; ExpGetBilledProcess+D2F8Bj
		mov	eax, [esi+3Ch]
		mov	ecx, [esi+38h]
		mov	[ebp-0Ch], eax
		jmp	loc_504121
; END OF FUNCTION CHUNK	FOR ExpGetBilledProcess

;  S U B	R O U T	I N E 


sub_5041E1	proc near		; CODE XREF: ExpGetBilledProcess+162j
					; ExpGetBilledProcess+16Dj ...
		push	ebx
		lea	ecx, [ebp-28h]
		call	MiPfIssueCoalesceCandidates
		mov	edi, eax
		test	edi, edi
		js	loc_5040CA
		mov	edi, [ebp+8]
		xor	edx, edx
		mov	[ebp-18h], edx

loc_5041FC:				; CODE XREF: ExpGetBilledProcess+209j
		mov	eax, [ebp-8]
		jmp	loc_5040B6
sub_5041E1	endp


;  S U B	R O U T	I N E 


sub_504204	proc near		; CODE XREF: ExpGetBilledProcess+FAj
		push	ebx
		lea	ecx, [ebp-28h]
		call	MiPfIssueCoalesceCandidates
		mov	edi, eax
		test	edi, edi
		jns	loc_5040C8
		jmp	loc_5040CA
sub_504204	endp

; 
; START	OF FUNCTION CHUNK FOR ExpGetBilledProcess

loc_50421C:				; CODE XREF: ExpGetBilledProcess+13Ej
		cmp	dword ptr [edi], 100000h
		jnb	loc_50410C
		jmp	loc_5040C8
; 

loc_50422D:				; CODE XREF: ExpGetBilledProcess+1BBj
					; ExpGetBilledProcess+1C6j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
; END OF FUNCTION CHUNK	FOR ExpGetBilledProcess	; AL = character to display
; 
		dw 0CCCCh
		align 8
; Exported entry 1783. PsGetEffectiveContainerId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsGetEffectiveContainerId
PsGetEffectiveContainerId proc near	; CODE XREF: NtQueryInformationThread+F585Bp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D6FE6 SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	esi, 5
		jge	loc_5D6FE6
		push	ebx
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	loc_5D6FF0
		push	edi
		mov	edi, [ebp+arg_8]
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jnz	short loc_5042DC

loc_504273:				; CODE XREF: PsGetEffectiveContainerId+ADj
		lea	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_PsGetWorkOnBehalfThread@8 ; PsGetWorkOnBehalfThread(x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_5042C7
		mov	ecx, [ebx+150h]
		mov	eax, [ebp+arg_8]
		mov	ecx, [ecx+158h]

loc_504292:				; CODE XREF: PsGetEffectiveContainerId+A2j
		test	ecx, ecx
		jnz	short loc_5042A5

loc_504296:				; CODE XREF: PsGetEffectiveContainerId+88j
					; PsGetEffectiveContainerId+D2DCAj ...
		cmp	[ebp+var_4], 0
		jnz	short loc_5042E7

loc_50429C:				; CODE XREF: PsGetEffectiveContainerId+ABj
					; PsGetEffectiveContainerId+B6j
		xor	eax, eax
		pop	edi

loc_50429F:				; CODE XREF: PsGetEffectiveContainerId+D2DBDj
		pop	ebx

loc_5042A0:				; CODE XREF: PsGetEffectiveContainerId+D2DB3j
		pop	esi
		leave
		retn	0Ch
; 

loc_5042A5:				; CODE XREF: PsGetEffectiveContainerId+5Cj
		sub	esi, 0
		jz	loc_5D7008
		dec	esi
		sub	esi, 1
		jnz	loc_5D6FFA
		mov	esi, [ecx+184h]

loc_5042BE:				; CODE XREF: PsGetEffectiveContainerId+D2DE7j
		test	esi, esi
		jz	short loc_504296
		jmp	loc_5D7024
; 

loc_5042C7:				; CODE XREF: PsGetEffectiveContainerId+49j
		mov	eax, [edx+150h]
		mov	ecx, [eax+158h]
		mov	eax, [ebp+arg_8]
		or	dword ptr [eax+10h], 1
		jmp	short loc_504292
; 

loc_5042DC:				; CODE XREF: PsGetEffectiveContainerId+39j
		cmp	ebx, large fs:124h
		jz	short loc_50429C
		jmp	short loc_504273
; 

loc_5042E7:				; CODE XREF: PsGetEffectiveContainerId+62j
		mov	ecx, edx
		call	ObfDereferenceObject
		jmp	short loc_50429C
PsGetEffectiveContainerId endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAllocatePoolWithTagLookaside(x, x, x, x)
_CmpAllocatePoolWithTagLookaside@16 proc near
					; DATA XREF: CmpInitializeRegistryProcess()+119o
					; CmpInitCmPrivateAlloc()+16o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	10h
_CmpAllocatePoolWithTagLookaside@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcExtendVacbArray proc near		; CODE XREF: CcSetFileSizesEx+3F5p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D702C SIZE 000001FB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	edx, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_C], ebx
		push	esi
		mov	esi, ecx
		mov	ecx, ebx
		mov	[ebp+var_28], esi
		mov	[ebp+var_10], ecx
		push	edi
		test	edx, edx
		js	loc_5D702C
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		inc	eax
		test	dword ptr [esi+60h], 200h
		jnz	loc_5046A0

loc_504340:				; CODE XREF: CcExtendVacbArray+39Cj
					; CcExtendVacbArray+3A8j ...
		lea	eax, [ebp+var_38]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_34], eax
		mov	[ebp+var_38], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_2C], ebx
		mov	ebx, [esi+18h]
		mov	[ebp+var_24], eax
		cmp	edx, eax
		jg	short loc_50436A
		jl	loc_5044C4
		cmp	edi, ebx
		jbe	loc_5044C4

loc_50436A:				; CODE XREF: CcExtendVacbArray+52j
		test	eax, eax
		jg	loc_5044BA
		jl	short loc_504380
		cmp	ebx, 2000000h
		jnb	loc_5044BA

loc_504380:				; CODE XREF: CcExtendVacbArray+6Aj
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		mov	[ebp+var_18], eax
		mov	edi, edx
		mov	[ebp+var_1C], edi
		test	edx, edx
		jl	short loc_5043A3
		jg	loc_50454F
		cmp	ebx, 2000000h
		jnb	loc_50454F

loc_5043A3:				; CODE XREF: CcExtendVacbArray+87j
					; CcExtendVacbArray+25Aj
		or	ebx, 0FFFFFFFFh
		test	edi, edi
		jnz	loc_5D7036
		cmp	eax, 100000h
		jbe	loc_504698
		mov	edi, eax
		shr	edi, 12h
		shl	edi, 2

loc_5043C1:				; CODE XREF: CcExtendVacbArray+393j
					; CcExtendVacbArray+D2D30j
		cmp	dword ptr [esi+1Ch], 0
		mov	[ebp+var_20], edi
		jnz	short loc_5043DF
		mov	ebx, [esi+18h]
		cmp	ebx, 100000h
		jbe	loc_5044D5
		shr	ebx, 12h
		shl	ebx, 2

loc_5043DF:				; CODE XREF: CcExtendVacbArray+C0j
					; CcExtendVacbArray+1D0j
		cmp	edi, ebx
		jbe	loc_5044A5
		cmp	[ebp+var_C], 0
		jnz	loc_5D703D

loc_5043F1:				; CODE XREF: CcExtendVacbArray+D2D3Dj
		test	ecx, ecx
		jnz	loc_504567

loc_5043F9:				; CODE XREF: CcExtendVacbArray+262j
		push	70566343h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_5D71C5
		cmp	[ebp+var_C], 0
		jnz	loc_5D704A

loc_50441E:				; CODE XREF: CcExtendVacbArray+D2D4Dj
		lea	ecx, [esi+48h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+40h]
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_5D705A
		push	ebx		; size_t
		push	eax		; void *
		push	[ebp+var_14]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_504443:				; CODE XREF: CcExtendVacbArray+D2D54j
		mov	eax, [ebp+var_20]
		sub	eax, ebx
		push	eax		; size_t
		mov	eax, [ebp+var_14]
		add	eax, ebx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_14]
		add	esp, 0Ch
		cmp	[ebp+var_10], 0
		jnz	loc_50456F

loc_504466:				; CODE XREF: CcExtendVacbArray+271j
		cmp	[ebp+var_C], 0
		jnz	loc_5D7061

loc_504470:				; CODE XREF: CcExtendVacbArray+D2E3Dj
					; CcExtendVacbArray+D2E48j ...
		mov	eax, [ebp+var_14]
		mov	edx, esi
		mov	ecx, [ebp+var_C]
		mov	[esi+40h], eax
		mov	eax, [ebp+var_18]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_1C]
		mov	[esi+1Ch], eax
		call	_CcReleaseBcbLockAndVacbLock@8 ; CcReleaseBcbLockAndVacbLock(x,x)
		mov	ecx, [ebp+var_24]
		lea	eax, [esi+30h]
		cmp	ecx, eax
		jz	short loc_5044A2
		test	ecx, ecx
		jz	short loc_5044A2
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5044A2:				; CODE XREF: CcExtendVacbArray+18Cj
					; CcExtendVacbArray+190j
		mov	edx, [ebp+arg_4]

loc_5044A5:				; CODE XREF: CcExtendVacbArray+D9j
		mov	eax, [ebp+var_18]
		mov	edi, [ebp+arg_0]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_1C]
		mov	ebx, [esi+18h]
		mov	[esi+1Ch], eax
		mov	[ebp+var_24], eax

loc_5044BA:				; CODE XREF: CcExtendVacbArray+64j
					; CcExtendVacbArray+72j
		cmp	edx, eax
		jl	short loc_5044C4
		jg	short loc_5044DD
		cmp	edi, ebx
		ja	short loc_5044DD

loc_5044C4:				; CODE XREF: CcExtendVacbArray+54j
					; CcExtendVacbArray+5Cj ...
		lea	ecx, [ebp+var_38]
		call	CcFreeUnusedVacbLevels
		xor	eax, eax

loc_5044CE:				; CODE XREF: CcExtendVacbArray+D2D29j
					; CcExtendVacbArray+D2EC2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_5044D5:				; CODE XREF: CcExtendVacbArray+CBj
		push	10h
		pop	ebx
		jmp	loc_5043DF
; 

loc_5044DD:				; CODE XREF: CcExtendVacbArray+1B6j
					; CcExtendVacbArray+1BAj
		xor	edi, edi
		push	19h
		inc	edi
		mov	[ebp+var_20], edi
		pop	ecx
		mov	[ebp+var_1C], ecx
		test	eax, eax
		jl	short loc_504524
		jg	short loc_5044F7
		cmp	ebx, 2000000h
		jbe	short loc_504524

loc_5044F7:				; CODE XREF: CcExtendVacbArray+1E5j
		push	19h
		pop	esi

loc_5044FA:				; CODE XREF: CcExtendVacbArray+207j
					; CcExtendVacbArray+20Bj
		xor	eax, eax
		add	esi, 7
		inc	eax
		xor	edx, edx
		mov	ecx, esi
		inc	edi
		call	__allshl
		cmp	[ebp+var_24], edx
		jl	short loc_504515
		jg	short loc_5044FA
		cmp	ebx, eax
		ja	short loc_5044FA

loc_504515:				; CODE XREF: CcExtendVacbArray+205j
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_1C], esi
		mov	esi, [ebp+var_28]
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_20], edi

loc_504524:				; CODE XREF: CcExtendVacbArray+1E3j
					; CcExtendVacbArray+1EDj
		mov	eax, [ebp+arg_0]
		mov	ebx, edi
		sub	eax, 1
		mov	[ebp+var_24], eax
		sbb	edx, 0
		mov	[ebp+var_18], edx
		call	__allshr
		or	eax, edx
		jnz	short loc_50457E

loc_50453E:				; CODE XREF: CcExtendVacbArray+29Bj
		mov	edi, [ebp+arg_4]

loc_504541:				; CODE XREF: CcExtendVacbArray+38Bj
		mov	eax, [ebp+arg_0]
		mov	[esi+18h], eax
		mov	[esi+1Ch], edi
		jmp	loc_5044C4
; 

loc_50454F:				; CODE XREF: CcExtendVacbArray+89j
					; CcExtendVacbArray+95j
		xor	edi, edi
		xor	ecx, ecx
		mov	eax, 2000000h
		mov	[ebp+var_1C], edi
		inc	ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], ecx
		jmp	loc_5043A3
; 

loc_504567:				; CODE XREF: CcExtendVacbArray+EBj
		add	edi, 8
		jmp	loc_5043F9
; 

loc_50456F:				; CODE XREF: CcExtendVacbArray+158j
		and	dword ptr [edi+ecx-8], 0
		and	dword ptr [edi+ecx-4], 0
		jmp	loc_504466
; 

loc_50457E:				; CODE XREF: CcExtendVacbArray+234j
		mov	esi, [ebp+var_1C]
		mov	edi, [ebp+var_24]

loc_504584:				; CODE XREF: CcExtendVacbArray+28Ej
		mov	edx, [ebp+var_18]
		add	esi, 7
		mov	eax, edi
		mov	ecx, esi
		inc	ebx
		call	__allshr
		or	eax, edx
		jnz	short loc_504584
		mov	edi, [ebp+var_20]
		mov	esi, [ebp+var_28]
		mov	[ebp+var_24], ebx
		cmp	ebx, edi
		jbe	short loc_50453E
		push	4
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[ebp+var_1], al
		cmp	ebx, _CcMaxVacbLevelsSeen
		jnb	loc_5046BE

loc_5045BC:				; CODE XREF: CcExtendVacbArray+3BFj
		mov	ecx, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	ebx, [ecx+438h]
		jnz	loc_5D719B
		mov	eax, [ebx]
		test	eax, eax
		jnz	loc_5D71B1
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jnz	loc_5D71AA

loc_5045F3:				; CODE XREF: CcExtendVacbArray+D2E9Dj
					; CcExtendVacbArray+D2EB8j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+var_24]
		lea	eax, [ebp+var_38]
		mov	ecx, ebx
		xor	dl, dl
		push	eax
		sub	ecx, edi
		call	_CcAllocateVacbLevels@12 ; CcAllocateVacbLevels(x,x,x)
		test	al, al
		jz	loc_5D71C5
		cmp	[ebp+var_C], 0
		jnz	loc_5D71CF

loc_504620:				; CODE XREF: CcExtendVacbArray+D2ED2j
		lea	ecx, [esi+48h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		xor	eax, eax
		inc	eax
		cmp	edi, eax
		jnz	short loc_50463C
		mov	edx, [esi+40h]
		push	ecx
		mov	ecx, esi
		call	CcCalculateVacbLevelLockCount

loc_50463C:				; CODE XREF: CcExtendVacbArray+327j
		mov	ecx, [esi+40h]
		lea	eax, [edi-1]
		mov	edx, ecx
		mov	[ebp+var_28], ecx
		push	eax
		mov	ecx, esi
		call	_VacbLevelReference@12 ; VacbLevelReference(x,x,x)
		mov	ecx, [eax+4]
		or	ecx, [eax]
		jz	loc_5D71DF

loc_50465A:				; CODE XREF: CcExtendVacbArray+373j
		xor	edx, edx
		lea	ecx, [ebp+var_38]
		inc	edi
		call	CcAllocateVacbLevel
		mov	ecx, [esi+40h]
		mov	edx, eax
		push	edi
		mov	[edx], ecx
		mov	ecx, esi
		call	_VacbLevelReference@12 ; VacbLevelReference(x,x,x)
		inc	dword ptr [eax]
		mov	[esi+40h], edx
		cmp	edi, ebx
		jb	short loc_50465A

loc_50467D:				; CODE XREF: CcExtendVacbArray+D2EDCj
					; CcExtendVacbArray+D2EE9j ...
		mov	eax, [ebp+arg_0]
		mov	edx, esi
		mov	edi, [ebp+arg_4]
		mov	ecx, [ebp+var_C]
		mov	[esi+18h], eax
		mov	[esi+1Ch], edi
		call	_CcReleaseBcbLockAndVacbLock@8 ; CcReleaseBcbLockAndVacbLock(x,x)
		jmp	loc_504541
; 

loc_504698:				; CODE XREF: CcExtendVacbArray+ABj
		push	10h
		pop	edi
		jmp	loc_5043C1
; 

loc_5046A0:				; CODE XREF: CcExtendVacbArray+32j
		cmp	edx, ebx
		jg	short loc_5046B6
		jl	loc_504340
		cmp	edi, 200000h
		jbe	loc_504340

loc_5046B6:				; CODE XREF: CcExtendVacbArray+39Aj
		mov	[ebp+var_C], eax
		jmp	loc_504340
; 

loc_5046BE:				; CODE XREF: CcExtendVacbArray+2AEj
		lea	ecx, [ebx+1]
		mov	_CcMaxVacbLevelsSeen, ecx
		jmp	loc_5045BC
CcExtendVacbArray endp


;  S U B	R O U T	I N E 


CcFreeUnusedVacbLevels proc near	; CODE XREF: CcSetVacbLargeOffset+233p
					; CcExtendVacbArray+1BFp ...

; FUNCTION CHUNK AT 005D7227 SIZE 00000010 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _CcVacbLevelLookasideList

loc_5046D7:				; CODE XREF: CcFreeUnusedVacbLevels+3Aj
		mov	edx, [esi]
		cmp	edx, esi
		jnz	short loc_5046EB
		mov	edx, [esi+8]
		test	edx, edx
		jnz	loc_5D7227

loc_5046E8:				; CODE XREF: CcFreeUnusedVacbLevels+D2B66j
		pop	edi
		pop	esi
		retn
; 

loc_5046EB:				; CODE XREF: CcFreeUnusedVacbLevels+Fj
		cmp	[edx+4], esi
		jnz	short loc_504708
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_504708
		mov	[esi], eax
		mov	ecx, edi
		mov	[eax+4], esi
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		dec	dword ptr [esi+0Ch]
		jmp	short loc_5046D7
; 

loc_504708:				; CODE XREF: CcFreeUnusedVacbLevels+22j
					; CcFreeUnusedVacbLevels+29j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
CcFreeUnusedVacbLevels endp


;  S U B	R O U T	I N E 


; __stdcall CcReleaseBcbLockAndVacbLock(x, x)
_CcReleaseBcbLockAndVacbLock@8 proc near ; CODE	XREF: CcGetVacbMiss+215p
					; CcExtendVacbArray+17Fp ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		xor	edx, edx
		lea	ecx, [edi+48h]
		call	ExReleasePushLockEx
		test	esi, esi
		jnz	short loc_504729

loc_504725:				; CODE XREF: CcReleaseBcbLockAndVacbLock(x,x)+26j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_504729:				; CODE XREF: CcReleaseBcbLockAndVacbLock(x,x)+15j
		lea	ecx, [edi+0B4h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	short loc_504725
_CcReleaseBcbLockAndVacbLock@8 endp


;  S U B	R O U T	I N E 


CcAllocateVacbLevel proc near		; CODE XREF: CcSetVacbLargeOffset+203p
					; CcExtendVacbArray+358p ...

; FUNCTION CHUNK AT 005D7237 SIZE 0000013A BYTES

		mov	edi, edi
		push	esi
		push	edi
		test	edx, edx
		jnz	short loc_504779
		mov	esi, [ecx]
		cmp	esi, ecx
		jz	loc_5D7237
		mov	edx, [esi]
		cmp	[edx+4], esi
		jnz	short loc_50479E
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_50479E
		mov	[eax], edx
		xor	edi, edi
		mov	[edx+4], eax
		dec	dword ptr [ecx+0Ch]
		lea	ecx, [esi+4]
		push	204h		; size_t
		push	edi		; int
		push	ecx		; void *
		call	_memset

loc_50476F:				; CODE XREF: CcAllocateVacbLevel+66j
		add	esp, 0Ch
		mov	[esi], edi
		mov	eax, esi
		pop	edi
		pop	esi
		retn
; 

loc_504779:				; CODE XREF: CcAllocateVacbLevel+6j
		mov	esi, [ecx+8]
		xor	edi, edi
		push	1FCh		; size_t
		push	edi		; int
		mov	[ecx+8], edi
		lea	eax, [esi+4]
		push	eax		; void *
		call	_memset
		mov	[esi+400h], edi
		mov	[esi+404h], edi
		jmp	short loc_50476F
; 

loc_50479E:				; CODE XREF: CcAllocateVacbLevel+17j
					; CcAllocateVacbLevel+1Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall CcAllocateVacbLevels(x, x, x)
_CcAllocateVacbLevels@12:		; CODE XREF: CcSetVacbLargeOffset+1EBp
					; CcExtendVacbArray+301p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+8]
		mov	al, dl
		push	edi
		mov	edi, ecx
		mov	[ebp-1], al
		xor	ebx, ebx
		cmp	edi, [esi+0Ch]
		jbe	short loc_5047E8

loc_5047BE:				; CODE XREF: CcAllocateVacbLevel+ADj
		mov	ecx, offset _CcVacbLevelLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		test	eax, eax
		jz	short loc_50480D
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_504816
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esi+4], eax
		inc	dword ptr [esi+0Ch]
		cmp	edi, [esi+0Ch]
		ja	short loc_5047BE
		mov	al, [ebp-1]

loc_5047E8:				; CODE XREF: CcAllocateVacbLevel+86j
		test	al, al
		jnz	short loc_5047F7

loc_5047EC:				; CODE XREF: CcAllocateVacbLevel+C4j
					; CcAllocateVacbLevel+D5j
		mov	bl, 1

loc_5047EE:				; CODE XREF: CcAllocateVacbLevel+DEj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
; 

loc_5047F7:				; CODE XREF: CcAllocateVacbLevel+B4j
		cmp	[esi+8], ebx
		jnz	short loc_5047EC
		mov	ecx, offset _CcVacbLevelWithBcbListHeadsLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	[esi+8], eax
		test	eax, eax
		jnz	short loc_5047EC

loc_50480D:				; CODE XREF: CcAllocateVacbLevel+94j
		mov	ecx, esi
		call	CcFreeUnusedVacbLevels
		jmp	short loc_5047EE
; 

loc_504816:				; CODE XREF: CcAllocateVacbLevel+9Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall MiFlushAcquire(x, x, x)
_MiFlushAcquire@12:			; CODE XREF: MmFlushVirtualMemory+18Cp
					; MiAllocateVirtualMemory+160475p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		lea	ebx, [esi+24h]
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	[ebp-1], al
		mov	eax, [esi+14h]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_504873
		test	edi, edi
		jz	short loc_504854
		mov	ecx, edi
		call	_MiReferenceSubsection@8 ; MiReferenceSubsection(x,x)
		mov	ecx, [ebp+8]
		call	_MiReferenceSubsection@8 ; MiReferenceSubsection(x,x)
		mov	eax, [esi+14h]

loc_504854:				; CODE XREF: CcAllocateVacbLevel+10Aj
		inc	eax
		mov	[esi+14h], eax
		xor	esi, esi
		inc	esi

loc_50485B:				; CODE XREF: CcAllocateVacbLevel+13Fj
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_504873:				; CODE XREF: CcAllocateVacbLevel+106j
		xor	esi, esi
		jmp	short loc_50485B
CcAllocateVacbLevel endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFlushDirtyBitsToPfn proc near		; CODE XREF: MmFlushVirtualMemory+128p

var_E8		= dword	ptr -0E8h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= word ptr -0A0h
var_9C		= dword	ptr -9Ch
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D7371 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_B0], 0
		lea	eax, [ebp+var_A4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		push	98h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		cmp	byte_6D06C8, 0
		jnz	loc_504A15
		mov	edi, [edi+80h]
		xor	eax, eax
		mov	[ebp+var_A0], ax
		mov	ecx, 40000000h
		mov	[ebp+var_94], eax
		add	edi, 240h
		mov	[ebp+var_90], eax
		mov	eax, offset loc_7FFFF8
		shr	esi, 9
		shr	ebx, 9
		and	esi, eax
		and	ebx, eax
		mov	[ebp+var_A4], 1
		sub	ebx, ecx
		mov	[ebp+var_9C], 21h
		sub	esi, ecx
		mov	[ebp+var_B4], ebx
		mov	ecx, edi
		mov	[ebp+var_E8], edi
		call	MiLockWorkingSetShared
		mov	byte ptr [ebp+var_BC], al
		cmp	esi, ebx
		ja	loc_504A0C

loc_50492F:				; CODE XREF: MiFlushDirtyBitsToPfn+188j
		lea	eax, [ebp+var_B0]
		mov	edx, ebx
		push	eax
		push	0
		push	[ebp+var_BC]
		lea	eax, [ebp+var_A4]
		mov	ecx, esi
		push	eax
		call	MiGetNextPageTable
		mov	esi, eax
		test	esi, esi
		jz	loc_504A06
		mov	eax, [ebp+var_B0]
		mov	edi, esi
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		mov	[ebp+var_E0], edi
		test	eax, eax
		jnz	loc_5D724D
		mov	ecx, esi
		mov	edi, 7FFFFFFFh
		shl	ecx, 9
		mov	[ebp+var_A8], ecx

loc_50498D:				; CODE XREF: MiFlushDirtyBitsToPfn+164j
		mov	edx, [esi]
		and	[ebp+var_DC], 0
		and	[ebp+var_D8], 0
		mov	[ebp+var_D0], edx
		nop
		mov	eax, [esi+4]
		mov	[ebp+var_AC], eax
		mov	[ebp+var_C0], eax
		mov	eax, edx
		and	eax, 1
		mov	[ebp+var_C4], edx
		or	eax, 0
		jnz	short loc_504A26

loc_5049C3:				; CODE XREF: MiFlushDirtyBitsToPfn+1B6j
					; MiFlushDirtyBitsToPfn+22Ej
		add	ecx, 1000h
		add	esi, 8
		mov	[ebp+var_A8], ecx
		test	ecx, 1FFFFFh
		jz	short loc_5049DE
		cmp	esi, ebx
		jbe	short loc_50498D

loc_5049DE:				; CODE XREF: MiFlushDirtyBitsToPfn+160j
		lea	ecx, [ebp+var_A4]
		call	MiFlushTbList
		mov	edi, [ebp+var_E0]

loc_5049EF:				; CODE XREF: CcAllocateVacbLevel+D2C36j
		mov	edx, edi
		mov	edi, [ebp+var_E8]
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		cmp	esi, ebx
		jbe	loc_50492F

loc_504A06:				; CODE XREF: MiFlushDirtyBitsToPfn+DAj
		mov	al, byte ptr [ebp+var_BC]

loc_504A0C:				; CODE XREF: MiFlushDirtyBitsToPfn+B1j
		mov	dl, al
		mov	ecx, edi
		call	MiUnlockWorkingSetShared

loc_504A15:				; CODE XREF: MiFlushDirtyBitsToPfn+43j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_504A26:				; CODE XREF: MiFlushDirtyBitsToPfn+149j
		mov	eax, edx
		and	eax, 42h
		or	eax, 0
		jz	short loc_5049C3
		nop
		mov	eax, [ebp+var_AC]
		mov	ecx, edx
		and	[ebp+var_CC], 0
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_D8], ecx
		lea	eax, [ecx+10h]
		mov	[ebp+var_B8], eax
		lock bts dword ptr [eax], 1Fh
		jb	short loc_504AAB

loc_504A69:				; CODE XREF: MiFlushDirtyBitsToPfn+D2B29j
		or	byte ptr [ecx+16h], 10h
		lock and [eax],	edi
		mov	eax, [ebp+var_AC]
		and	edx, 0FFFFFFBDh
		mov	[ebp+var_C4], edx
		mov	[ebp+var_C0], eax
		nop
		mov	[esi], edx
		lea	ecx, [ebp+var_A4]
		mov	edx, [ebp+var_A8]
		push	0
		push	1
		mov	[esi+4], eax
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	ecx, [ebp+var_A8]
		jmp	loc_5049C3
; 

loc_504AAB:				; CODE XREF: MiFlushDirtyBitsToPfn+1EFj
		mov	ebx, [ebp+var_B8]
		jmp	loc_5D7371
MiFlushDirtyBitsToPfn endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker proc	near
					; DATA XREF: SMKM_STORE_MGR<SM_TRAITS>::SmInitialize(SMKM_STORE_MGR<SM_TRAITS> *,_SMKM_STORE_MGR_PARAMS	*)+12Co

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D73A6 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [esp+50h+var_40]
		push	esi
		push	edi
		push	38h		; size_t
		xor	esi, esi
		mov	[esp+5Ch+var_44], ebx
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebx-450h]
		mov	[esp+58h+var_48], eax
		lea	eax, [esp+58h+var_40]
		push	esi
		push	38h
		push	eax
		push	0B6h
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_504B6B
		cmp	[esp+58h+var_3C], esi
		ja	short loc_504B22
		jb	loc_5D73A6
		cmp	[esp+58h+var_40], 51400000h
		jbe	loc_5D73A6

loc_504B22:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker+56j
		mov	edi, 1F400h

loc_504B27:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker+D28F5j
		push	esi
		push	14h
		push	[esp+60h+var_3C]
		push	[esp+64h+var_40]
		call	__aulldiv
		shrd	eax, edx, 0Ch
		imul	eax, 3
		mov	[esp+58h+var_4C], eax
		cmp	eax, edi
		jb	short loc_504B4A
		mov	[esp+58h+var_4C], edi

loc_504B4A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker+8Ej
		mov	ebx, [esp+58h+var_48]

loc_504B4E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker+AFj
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_SmKmStoreReferenceEx@12 ; SmKmStoreReferenceEx(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_504B86

loc_504B5E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker+FFj
		inc	esi
		cmp	esi, 400h
		jb	short loc_504B4E
		mov	ebx, [esp+58h+var_44]

loc_504B6B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker+50j
		xor	ecx, ecx
		lea	eax, [ebx+0Ch]
		xchg	ecx, [eax]
		mov	ecx, [esp+58h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_504B86:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker+A6j
		cmp	byte ptr [edi+10F7h], 1
		jz	short loc_504B9A
		lea	edx, [esp+58h+var_4C]
		mov	ecx, edi
		call	SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore

loc_504B9A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker+D7j
		mov	edx, [edi+10F0h]
		mov	ecx, ebx
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_504B5E
SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker+DFp

var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D73B0 SIZE 00000100 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_228], edx
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_220]
		pop	ecx
		test	byte ptr [esi+10F5h], 4
		rep stosd
		jz	loc_5D73B0
		mov	eax, [esi+498h]
		mov	[ebp+var_244], eax
		test	eax, eax
		jnz	short loc_504C15
		xor	edi, edi

loc_504C04:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+D27FDj
					; SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+D28F3j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_504C15:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+48j
		mov	eax, [esi+117Ch]
		xor	edx, edx
		mov	ecx, [esi+125Ch]
		shr	eax, 0Ch
		mov	[ebp+var_238], eax
		lea	eax, [ebp+var_220]
		push	eax
		call	KiStackAttachProcess
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		lea	ebx, [esi+10F8h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		lea	eax, [esi+1264h]
		mov	[ebp+var_248], eax
		lock inc dword ptr [eax]
		xor	edi, edi
		mov	edx, edi
		mov	ecx, edi
		mov	[ebp+var_22C], edi
		cmp	[esi+1180h], edi
		jbe	loc_5D746D

loc_504C7C:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+28Ej
		cmp	edx, [ebp+var_244]
		jnb	loc_5D746D
		mov	eax, [esi+1184h]
		test	dword ptr [eax+ecx*4], 7FFF0000h
		jz	loc_504E39
		cmp	byte ptr [esi+1E4h], 0
		jnz	loc_504E51
		mov	eax, [esi+278h]
		movzx	eax, word ptr [eax+ecx*2]
		shr	eax, 0Dh

loc_504CB5:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+29Bj
		cmp	eax, 6
		jnz	loc_504E39
		inc	edx
		push	edi
		push	ecx
		mov	[ebp+var_240], edx
		mov	edx, ecx
		push	edi
		mov	ecx, esi
		call	?SmStMapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)
		mov	ebx, eax
		cmp	ebx, 3
		jbe	loc_5D7462
		push	11h
		xor	ecx, ecx
		lea	edx, [esi+10F8h]
		pop	eax
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	loc_504E58

loc_504CF4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+2ADj
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_228]
		cmp	[eax], edi
		jz	loc_5D73BA
		mov	ecx, [ebp+var_238]
		mov	eax, ebx
		shl	ecx, 0Ch
		mov	[ebp+var_230], ecx
		lea	edx, [ecx+ebx]
		mov	[ebp+var_234], edx
		lea	ecx, [ebp+var_208]
		cmp	ebx, edx
		jnb	short loc_504D47

loc_504D39:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+18Dj
		mov	[ecx], eax
		add	eax, 1000h
		lea	ecx, [ecx+8]
		cmp	eax, edx
		jb	short loc_504D39

loc_504D47:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+17Fj
		mov	eax, [ebp+var_238]
		push	edi
		shl	eax, 3
		push	eax
		lea	eax, [ebp+var_208]
		push	eax
		push	4
		push	ebx
		push	0FFFFFFFFh
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	loc_5D73D3

loc_504D6B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+D2821j
					; SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+D284Ej
		lea	eax, [ebp+var_208]
		mov	edx, edi
		mov	[ebp+var_23C], ebx
		mov	[ebp+var_224], eax
		mov	[ebp+var_230], edx
		cmp	ebx, [ebp+var_234]
		jnb	short loc_504DFF

loc_504D8D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+23Dj
		mov	ecx, [eax+4]
		test	cl, 1
		jnz	short loc_504DA9
		mov	eax, ecx
		and	eax, 0C00000h
		cmp	eax, 400000h
		mov	eax, [ebp+var_224]
		jnz	short loc_504DD4

loc_504DA9:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+1DBj
		and	ecx, 7000000h
		cmp	ecx, 6000000h
		jnz	loc_5D740B
		mov	ecx, [ebp+var_228]
		mov	eax, [ecx]
		test	eax, eax
		jz	loc_5D73BA
		dec	eax

loc_504DCC:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+D288Dj
		mov	[ecx], eax
		mov	eax, [ebp+var_224]

loc_504DD4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+1EFj
					; SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore:loc_5D740Bj ...
		mov	ecx, [ebp+var_23C]
		add	eax, 8
		add	ecx, 1000h
		mov	[ebp+var_224], eax
		mov	[ebp+var_23C], ecx
		cmp	ecx, [ebp+var_234]
		jb	short loc_504D8D
		test	edx, edx
		jnz	loc_5D744A

loc_504DFF:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+1D3j
					; SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+D28A5j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		lea	ebx, [esi+10F8h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	edx, [ebp+var_22C]
		mov	ecx, esi
		push	edi
		sub	esp, 0Ch
		call	?SmStUnmapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ; SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)

loc_504E2D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+D28B0j
		mov	edx, [ebp+var_240]
		mov	ecx, [ebp+var_22C]

loc_504E39:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+DDj
					; SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+100j
		inc	ecx
		mov	[ebp+var_22C], ecx
		cmp	ecx, [esi+1180h]
		jb	loc_504C7C
		jmp	loc_5D746D
; 

loc_504E51:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+EAj
		mov	eax, edi
		jmp	loc_504CB5
; 

loc_504E58:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+136j
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	edx, [esi+10F8h]
		jmp	loc_504CF4
SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore endp


;  S U B	R O U T	I N E 


; __stdcall MiCleanCfg()
_MiCleanCfg@0	proc near		; CODE XREF: MmCleanProcessAddressSpace+19Fp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	eax, [esi+80h]
		mov	ebx, [eax+24Ch]
		mov	edi, [ebx+0C0h]
		test	edi, edi
		jz	short loc_504EB4
		dec	word ptr [esi+13Eh]
		nop
		lea	ecx, [edi+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		or	byte ptr [esi+305h], 40h
		nop
		mov	ecx, edi
		call	MiUnlockAndDereferenceVadShared
		and	dword ptr [ebx+0C0h], 0

loc_504EB4:				; CODE XREF: MiCleanCfg()+20j
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiCleanCfg@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeForceAttachProcess proc near		; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+196p
					; MiTrimSharedPageFromViews(x,x,x,x,x)+1D4p ...

var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D74B0 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_20]
		push	6
		xor	eax, eax
		pop	ecx
		rep stosd
		test	edx, edx
		jz	loc_5D74B0

loc_504EE0:				; CODE XREF: KeForceAttachProcess+D2620j
		push	edx
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		and	edx, 1
		lea	edx, ds:1[edx*2]
		call	KiStackAttachProcess
		mov	ecx, [ebp+var_8]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
KeForceAttachProcess endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockImageSection proc near		; CODE XREF: MiLockPagableImageSection+132p

var_94		= dword	ptr -94h
var_7C		= dword	ptr -7Ch
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D74DD SIZE 00000062 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	esi, edx
		mov	[ebp+var_4], ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 1
		jnb	short loc_504F31
		dec	word ptr [edi+13Ch]
		nop

loc_504F31:				; CODE XREF: MiUnlockImageSection+21j
		mov	ecx, [ebp+var_4]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		dec	eax
		jz	loc_5D74DD
		cmp	eax, 0FFFFFFFFh
		jz	loc_5D74DD
		cmp	eax, 1
		jnz	short loc_504F75
		mov	edx, [ebp+arg_0]
		push	ecx
		mov	ecx, esi
		call	_MiUnlockCodePage@12 ; MiUnlockCodePage(x,x,x)
		mov	eax, [ebp+var_4]
		lock dec dword ptr [eax]
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		lock or	[eax], ecx
		cmp	dword_6CF59C, ecx
		jnz	short loc_504F88

loc_504F75:				; CODE XREF: MiUnlockImageSection+48j
					; MiUnlockImageSection+90j
		cmp	bl, 1
		jnb	short loc_504F81
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)

loc_504F81:				; CODE XREF: MiUnlockImageSection+72j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_504F88:				; CODE XREF: MiUnlockImageSection+6Dj
		push	0
		xor	edx, edx
		mov	ecx, offset dword_6CF59C
		call	ExpUnblockPushLock
		jmp	short loc_504F75
MiUnlockImageSection endp


;  S U B	R O U T	I N E 


; __stdcall MiProbePacketContended(x)
_MiProbePacketContended@4 proc near	; CODE XREF: .text:00464C94p
					; MmProbeAndLockSelectedPages+17785Dp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi+10h]
		test	edx, edx
		jz	short loc_504FB0
		mov	ecx, [esi+3Ch]
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jnz	short loc_504FC7

loc_504FB0:				; CODE XREF: MiProbePacketContended(x)+Aj
		mov	ecx, [esi+3Ch]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_504FC7
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	short loc_504FC7
		pop	esi
		retn
; 

loc_504FC7:				; CODE XREF: MiProbePacketContended(x)+16j
					; MiProbePacketContended(x)+22j ...
		xor	eax, eax
		inc	eax
		pop	esi
		retn
_MiProbePacketContended@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeForceDetachProcess(x, x)
_KeForceDetachProcess@8	proc near	; CODE XREF: MiUnlockStealVm(x)+17p
					; MiTrimSharedPageFromViews(x,x,x,x,x)+B94p ...

var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_1C]
		push	6
		xor	eax, eax
		pop	ecx
		rep stosd
		test	esi, esi
		jz	short loc_50500F

loc_504FF0:				; CODE XREF: KeForceDetachProcess(x,x)+46j
		and	edx, 1
		mov	ecx, esi
		lea	edx, ds:1[edx*2]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_50500F:				; CODE XREF: KeForceDetachProcess(x,x)+22j
		lea	esi, [ebp+var_1C]
		jmp	short loc_504FF0
_KeForceDetachProcess@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetPfnOwnedAndActive(x, x, x, x, x)
_MiSetPfnOwnedAndActive@20 proc	near	; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+76Cp
					; MiFindLargeNodePage(x,x,x,x,x,x,x)+154p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	esi, ecx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	bl, [esi+16h]
		mov	bh, al
		and	dword ptr [esi], 0
		mov	eax, 7FFFFFFFh
		and	[esi+18h], eax
		mov	edx, [ebp+arg_4]
		movzx	ecx, bl
		shr	ecx, 6
		cmp	ecx, edx
		jz	short loc_505051
		push	1
		mov	ecx, esi
		call	MiChangePageAttribute
		mov	bl, [esi+16h]

loc_505051:				; CODE XREF: MiSetPfnOwnedAndActive(x,x,x,x,x)+2Fj
		lea	edi, [esi+10h]
		mov	eax, [edi]
		and	eax, 0C0000001h
		or	eax, 1
		mov	[edi], eax
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_50506B
		mov	[esi+14h], ax

loc_50506B:				; CODE XREF: MiSetPfnOwnedAndActive(x,x,x,x,x)+51j
		mov	eax, [ebp+arg_0]
		and	bl, 0FEh
		or	bl, 6
		mov	[esi+4], eax
		test	byte ptr [ebp+var_4], 1
		mov	[esi+16h], bl
		jz	short loc_5050AD
		mov	eax, [esi+18h]
		and	eax, 0FFFFFFFDh
		push	0
		or	eax, (offset loc_7FFFFA+3)
		push	80h
		mov	[esi+18h], eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		or	dword ptr [edi], 40000000h
		mov	[esi+8], eax
		mov	[esi+0Ch], edx
		mov	dword ptr [esi+4], 0C0000000h

loc_5050AD:				; CODE XREF: MiSetPfnOwnedAndActive(x,x,x,x,x)+6Aj
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiSetPfnOwnedAndActive@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceFxDefaultPepWorkerEnd proc near ; CODE XREF: PopPepWork+1CCp

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_8F		= dword	ptr -8Fh
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D753F SIZE 00000197 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_98], edx
		mov	[ebp+var_9C], ecx
		cmp	ebx, 2
		jz	loc_5D74F2
		cmp	ebx, 3
		jz	short loc_50515D

loc_5050FB:				; CODE XREF: PopDiagTraceFxDefaultPepWorkerEnd+AEj
					; PopDiagTraceFxDefaultPepWorkerEnd+B7j ...
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_50514C
		mov	esi, dword_6C1D74
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_DEFAULT_PEP_WORKER_END
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5D75A2
		push	offset _POP_ETW_EVENT_DEFAULT_PEP_WORKER_DEVICE_RECOVERED
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5D75A2
		push	offset _POP_ETW_EVENT_DEFAULT_PEP_WORKER_DEVICE_ORPHANED
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5D75A2

loc_50514C:				; CODE XREF: PopDiagTraceFxDefaultPepWorkerEnd+3Ej
					; PopDiagTraceFxDefaultPepWorkerEnd+D25ADj ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_50515D:				; CODE XREF: PopDiagTraceFxDefaultPepWorkerEnd+35j
		xor	esi, esi
		mov	edx, offset _PopLogFxDefaultPepWorkerOrphaned
		mov	eax, [edx]

loc_505166:				; CODE XREF: PopDiagTraceFxDefaultPepWorkerEnd+AAj
		mov	ecx, eax
		and	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_505166
		test	eax, eax
		jz	short loc_5050FB
		cmp	dword_6B23F8, 5
		jbe	loc_5050FB
		push	4000h
		mov	esi, offset dword_6B23F8
		push	edi
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_5050FB
		jmp	loc_5D753F
PopDiagTraceFxDefaultPepWorkerEnd endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhSubsegmentFree(x, x, x, x)
_RtlpHpLfhSubsegmentFree@16 proc near	; CODE XREF: RtlpHpLfhBucketAddSubsegment+165p
					; RtlpHpLfhOwnerCleanup+70p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		lock dec dword ptr [eax+20h]
		movsx	esi, word ptr [edi+12h]
		add	eax, 1Ch
		neg	esi
		lock xadd [eax], esi
		mov	ecx, edi
		call	_RtlpHpLfhSubsegmentCountEmptyUnits@4 ;	RtlpHpLfhSubsegmentCountEmptyUnits(x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_5051F5

loc_5051CD:				; CODE XREF: RtlpHpLfhSubsegmentFree(x,x,x,x)+5Cj
					; RtlpHpLfhSubsegmentFree(x,x,x,x)+75j
		mov	eax, [ebp+arg_4]
		mov	cl, [edi+1Ch]
		and	eax, 1
		push	eax
		movzx	eax, byte ptr [edi+1Dh]
		shl	eax, cl
		push	eax
		mov	eax, [ebx+8]
		xor	eax, _RtlpHpHeapGlobals
		push	edi
		push	dword ptr [ebx]
		xor	eax, ebx
		call	eax
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_5051F5:				; CODE XREF: RtlpHpLfhSubsegmentFree(x,x,x,x)+2Bj
		test	byte ptr _RtlpHpLfhPerfFlags, 20h
		jz	short loc_5051CD
		mov	cl, [edi+1Ch]
		movsx	eax, word ptr [ebx+1Eh]
		shl	edx, cl
		add	eax, 0Ch
		shr	edx, 0Ch
		add	eax, ebx
		neg	edx
		lock xadd [eax], edx
		jmp	short loc_5051CD
_RtlpHpLfhSubsegmentFree@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhSubsegmentCountEmptyUnits(x)
_RtlpHpLfhSubsegmentCountEmptyUnits@4 proc near
					; CODE XREF: RtlpHpLfhSubsegmentFree(x,x,x,x)+22p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		mov	esi, eax
		movzx	edi, byte ptr [ebx+1Dh]
		test	edi, edi
		jz	short loc_505244

loc_505232:				; CODE XREF: RtlpHpLfhSubsegmentCountEmptyUnits(x)+3Dj
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx
		mov	ecx, ebx
		call	_RtlpHpLfhSubsegmentFindEmptyUnits@12 ;	RtlpHpLfhSubsegmentFindEmptyUnits(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_50524B

loc_505244:				; CODE XREF: RtlpHpLfhSubsegmentCountEmptyUnits(x)+18j
					; RtlpHpLfhSubsegmentCountEmptyUnits(x)+3Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_50524B:				; CODE XREF: RtlpHpLfhSubsegmentCountEmptyUnits(x)+2Aj
		add	eax, [ebp+var_4]
		add	esi, [ebp+var_4]
		cmp	eax, edi
		jnb	short loc_505244
		jmp	short loc_505232
_RtlpHpLfhSubsegmentCountEmptyUnits@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RemoveListEntryPte(x, x)
_RemoveListEntryPte@8 proc near		; CODE XREF: MiReleaseSystemCacheView+FCp
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		push	dword ptr [ebx+0Ch]
		push	dword ptr [ebx+8]
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		mov	edx, [esi+10h]
		mov	edi, esi
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		mov	ecx, edi
		sub	ecx, edx
		sub	ecx, 40000000h
		sar	ecx, 3
		cmp	eax, ecx
		mov	ecx, esi
		jz	short loc_505290
		lea	ecx, [edx+eax*8]

loc_505290:				; CODE XREF: RemoveListEntryPte(x,x)+33j
		mov	eax, [ebx]
		mov	[ecx], eax
		nop
		mov	eax, [ebx+4]
		mov	[ecx+4], eax
		push	dword ptr [ebx+4]
		push	dword ptr [ebx]
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		mov	ecx, [esi+10h]
		sub	edi, ecx
		sub	edi, 40000000h
		sar	edi, 3
		cmp	eax, edi
		jz	short loc_5052BA
		lea	esi, [ecx+eax*8]

loc_5052BA:				; CODE XREF: RemoveListEntryPte(x,x)+5Dj
		mov	eax, [ebx+8]
		mov	[esi+8], eax
		nop
		mov	eax, [ebx+0Ch]
		pop	edi
		mov	[esi+0Ch], eax
		pop	esi
		pop	ebx
		retn
_RemoveListEntryPte@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRemoveQueueEntry(x, x)
_KeRemoveQueueEntry@8 proc near		; CODE XREF: IopCancelWaitCompletionPacket(x,x,x)+64p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		xor	ebx, ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	[ebp+var_1], al
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	[esi], ebx
		jz	short loc_505307
		dec	dword ptr [edi+4]
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_50531F
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_50531F
		mov	[eax], ecx
		mov	bl, 1
		mov	[ecx+4], eax

loc_505307:				; CODE XREF: KeRemoveQueueEntry(x,x)+21j
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_50531F:				; CODE XREF: KeRemoveQueueEntry(x,x)+2Bj
					; KeRemoveQueueEntry(x,x)+32j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_KeRemoveQueueEntry@8 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmChangeSectionBackingFile proc	near	; CODE XREF: FsRtlChangeBackingFileObject(x,x,x,x)+1Bp
					; MiShareExistingControlArea+10Bp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D76D6 SIZE 00000052 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		mov	[ebp+var_4], esi
		mov	ebx, ecx
		test	edi, 0FFFFFFFCh
		jnz	loc_5D771E
		cmp	edi, 3
		jz	loc_5D771E
		test	ebx, ebx
		jnz	loc_5D76D6

loc_505355:				; CODE XREF: MmChangeSectionBackingFile+D23B8j
		and	edi, 1

loc_505358:				; CODE XREF: MmChangeSectionBackingFile+D23D9j
		push	offset dword_6CF3C0
		call	ExAcquireSpinLockExclusive
		mov	esi, [esi+14h]
		mov	byte ptr [ebp+arg_0+3],	al
		test	edi, edi
		jnz	loc_50540C
		mov	esi, [esi+8]

loc_505373:				; CODE XREF: MmChangeSectionBackingFile+EAj
		test	esi, esi
		jz	loc_5D7714
		lea	eax, [esi+24h]
		push	eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		push	offset dword_6CF3C0
		test	eax, eax
		jz	loc_5D76EC
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		test	byte ptr [esi+1Ch], 1
		jnz	short loc_5053CE
		lea	ecx, [esi+20h]
		test	ebx, ebx
		jnz	loc_5D7702
		mov	ebx, [ecx]
		and	ebx, 0FFFFFFF8h
		jz	short loc_5053CE

loc_5053AE:				; CODE XREF: MmChangeSectionBackingFile+D23EBj
		mov	edx, [ebp+var_4]
		call	@ObFastReplaceObject@8 ; ObFastReplaceObject(x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag

loc_5053CE:				; CODE XREF: MmChangeSectionBackingFile+76j
					; MmChangeSectionBackingFile+88j ...
		mov	ecx, [esi+1Ch]
		test	ecx, 200h
		jz	short loc_5053F1
		mov	eax, large fs:124h
		test	byte ptr [eax+304h], 40h
		jnz	short loc_5053F1
		and	ecx, 0FFFFFDFFh
		mov	[esi+1Ch], ecx

loc_5053F1:				; CODE XREF: MmChangeSectionBackingFile+B3j
					; MmChangeSectionBackingFile+C2j
		lea	eax, [esi+24h]
		push	eax

loc_5053F5:				; CODE XREF: MmChangeSectionBackingFile+D23F5j
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax

loc_505405:				; CODE XREF: MmChangeSectionBackingFile+D23C3j
					; MmChangeSectionBackingFile+D23FFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_50540C:				; CODE XREF: MmChangeSectionBackingFile+46j
		mov	esi, [esi]
		jmp	loc_505373
MmChangeSectionBackingFile endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIsPageTableLocked(x, x)
_MiIsPageTableLocked@8 proc near	; CODE XREF: MiAgePte(x,x,x)+200p
					; .text:0045AD9Dp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		call	MiGetPageTableLockBuffer
		mov	eax, [eax]
		mov	ecx, [ebp+var_4]
		shr	eax, cl
		movzx	eax, al
		and	eax, 1
		leave
		retn
_MiIsPageTableLocked@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLeapPrefetch	proc near		; CODE XREF: MiPrefetchVirtualMemory+462p
					; MiInPagePageTable+14B75Ap ...

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005D7728 SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jnz	loc_50553D
		mov	edx, [edi+0Ch]
		mov	eax, [edi+4]
		mov	esi, [edi+10h]
		shl	esi, 0Ch
		add	esi, [eax+edx*8]
		cmp	esi, ds:_MmHighestUserAddress
		ja	loc_505579
		mov	edx, large fs:124h
		mov	cl, [edx+304h]
		test	cl, cl
		js	loc_505579
		mov	al, [edx+305h]
		and	cl, 3
		neg	cl
		sbb	cl, cl
		shr	al, 6
		inc	cl
		not	al
		and	cl, al
		test	cl, 1
		jz	loc_505579
		mov	ebx, [edx+80h]
		lea	eax, [ebx+240h]
		mov	ecx, eax
		call	MiLockWorkingSetShared
		test	byte ptr [ebx+0FCh], 20h
		mov	[ebp+var_1], al
		jnz	loc_5D7732
		cmp	dword ptr [ebx+358h], 0
		jz	loc_5D7732
		mov	ecx, [ebx+350h]
		shr	esi, 0Ch
		test	ecx, ecx
		jz	loc_5055AE

loc_5054E0:				; CODE XREF: MiLeapPrefetch+C5j
		mov	edx, [ecx+0Ch]
		cmp	esi, edx
		jb	short loc_505502
		cmp	esi, [ecx+10h]
		jbe	loc_5D7728
		mov	eax, [ecx+4]

loc_5054F3:				; CODE XREF: MiLeapPrefetch+CEj
		test	eax, eax
		jz	short loc_505506
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_5054E0
		jmp	loc_5D7747
; 

loc_505502:				; CODE XREF: MiLeapPrefetch+AFj
		mov	eax, [ecx]
		jmp	short loc_5054F3
; 

loc_505506:				; CODE XREF: MiLeapPrefetch+BFj
		cmp	edx, esi
		jnb	short loc_505529
		mov	eax, [ecx+4]
		mov	edx, ecx
		test	eax, eax
		jz	short loc_505581
		mov	ecx, eax
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_505525

loc_50551B:				; CODE XREF: MiLeapPrefetch+EDj
		mov	eax, [edx]
		mov	ecx, edx
		mov	edx, eax
		test	eax, eax
		jnz	short loc_50551B

loc_505525:				; CODE XREF: MiLeapPrefetch+E3j
					; MiLeapPrefetch+151j ...
		test	ecx, ecx
		jz	short loc_50559B

loc_505529:				; CODE XREF: MiLeapPrefetch+D2j
		mov	esi, [ecx+0Ch]
		lea	ecx, [ebx+240h]
		mov	dl, [ebp+var_1]
		shl	esi, 0Ch
		call	MiUnlockWorkingSetShared

loc_50553D:				; CODE XREF: MiLeapPrefetch+14j
		mov	ecx, [edi+0Ch]
		mov	eax, [edi+4]
		lea	eax, [eax+ecx*8]
		mov	ebx, [eax]
		mov	edx, ebx
		and	edx, 0FFFFF000h
		cmp	esi, edx
		jb	short loc_50556F
		mov	eax, [eax+4]
		and	ebx, 0FFFh
		add	eax, 0FFFh
		add	eax, ebx
		and	eax, 0FFFFF000h
		add	eax, edx
		cmp	esi, eax
		jb	short loc_505591

loc_50556F:				; CODE XREF: MiLeapPrefetch+11Cj
					; MiLeapPrefetch+176j
		and	dword ptr [edi+10h], 0
		lea	eax, [ecx+1]
		mov	[edi+0Ch], eax

loc_505579:				; CODE XREF: MiLeapPrefetch+2Fj
					; MiLeapPrefetch+44j ...
		xor	eax, eax
		inc	eax

loc_50557C:				; CODE XREF: MiLeapPrefetch+D230Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_505581:				; CODE XREF: MiLeapPrefetch+DBj
					; MiLeapPrefetch+159j
		mov	ecx, [ecx+8]
		and	ecx, 0FFFFFFFCh
		jz	short loc_505525
		cmp	[ecx], edx
		jz	short loc_505525
		mov	edx, ecx
		jmp	short loc_505581
; 

loc_505591:				; CODE XREF: MiLeapPrefetch+137j
		sub	esi, edx
		shr	esi, 0Ch
		mov	[edi+10h], esi
		jmp	short loc_505579
; 

loc_50559B:				; CODE XREF: MiLeapPrefetch+F1j
		mov	dl, [ebp+var_1]

loc_50559E:				; CODE XREF: MiLeapPrefetch+17Aj
		lea	ecx, [ebx+240h]
		call	MiUnlockWorkingSetShared
		mov	ecx, [edi+0Ch]
		jmp	short loc_50556F
; 

loc_5055AE:				; CODE XREF: MiLeapPrefetch+A4j
					; MiLeapPrefetch+D2314j
		mov	dl, al
		jmp	short loc_50559E
MiLeapPrefetch	endp

; 
		align 8
; Exported entry 1142. KeFirstGroupAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeFirstGroupAffinityEx(x, x)
		public _KeFirstGroupAffinityEx@8
_KeFirstGroupAffinityEx@8 proc near	; CODE XREF: KeStartThread+250p
					; KeSetAffinityProcess+52p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_5055DA
		and	dword ptr [ecx+4], 0
		and	dword ptr [ecx+8], 0
		mov	[ecx], eax
		xor	eax, eax

loc_5055D6:				; CODE XREF: KeFirstGroupAffinityEx(x,x)+27j
		pop	ebp
		retn	8
; 

loc_5055DA:				; CODE XREF: KeFirstGroupAffinityEx(x,x)+10j
		mov	eax, 0C0000225h
		jmp	short loc_5055D6
_KeFirstGroupAffinityEx@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepSetTokenBnoIsolation	proc near	; CODE XREF: SeSubProcessToken+1BDp
					; SeSubProcessToken+14A9C4p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D774F SIZE 000000C6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	al, dl
		mov	[ebp+var_8], ecx
		xor	esi, esi
		mov	[ebp+var_1], al
		push	edi
		test	al, al
		jnz	loc_5D774F
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jnz	short loc_505637
		cmp	[ebp+arg_8], esi
		jnz	short loc_505637
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	loc_5D77C0

loc_505616:				; CODE XREF: SepSetTokenBnoIsolation+D21CEj
					; SepSetTokenBnoIsolation+D21F0j
		mov	edx, [ecx+298h]
		test	edx, edx
		jnz	loc_5D77D7

loc_505624:				; CODE XREF: SepSetTokenBnoIsolation+D2209j
		cmp	[ebp+var_1], 0
		jnz	loc_5D77F0

loc_50562E:				; CODE XREF: SepSetTokenBnoIsolation+5Aj
					; SepSetTokenBnoIsolation+D217Ej ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_505637:				; CODE XREF: SepSetTokenBnoIsolation+22j
					; SepSetTokenBnoIsolation+27j ...
		mov	esi, 0C0000030h
		jmp	short loc_50562E
SepSetTokenBnoIsolation	endp


;  S U B	R O U T	I N E 


MiDecreaseUsedPtesCount	proc near	; CODE XREF: .text:00453C3Ep
					; MiReducePteUseCount(x,x)+23p	...

; FUNCTION CHUNK AT 005D7815 SIZE 0000001F BYTES

		mov	edi, edi
		push	esi
		push	edi
		movzx	edi, word ptr [ecx]
		movzx	eax, dx
		mov	esi, edi
		sub	esi, eax
		cmp	esi, 200h
		jnb	loc_5D7815
		pop	edi
		mov	[ecx], si
		mov	eax, esi
		pop	esi
		retn
MiDecreaseUsedPtesCount	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcUpdateTimeOnLogHandles proc near	; CODE XREF: CcLazyWriteScan+620p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D7834 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		xor	eax, eax
		and	[ebp+var_8], 0
		push	esi
		push	edi
		and	[ebp+var_4], 0
		lea	edi, [ebp+var_20]
		stosd
		mov	ebx, ecx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_8]
		push	eax
		call	KeQueryTickCount
		lea	edx, [ebp+var_20]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, _CcVolumeCacheMapList
		xor	edi, edi
		inc	edi

loc_5056A4:				; CODE XREF: CcUpdateTimeOnLogHandles+58j
		cmp	esi, offset _CcVolumeCacheMapList
		jz	loc_505733
		test	byte ptr [esi+6Ch], 1
		jnz	short loc_5056BA

loc_5056B6:				; CODE XREF: CcUpdateTimeOnLogHandles+BDj
					; CcUpdateTimeOnLogHandles+D1j	...
		mov	esi, [esi]
		jmp	short loc_5056A4
; 

loc_5056BA:				; CODE XREF: CcUpdateTimeOnLogHandles+54j
		and	[ebp+var_14], 0
		lea	eax, [ebx+40h]
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_10], eax
		jnz	loc_5D7825
		lea	edx, [ebp+var_14]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_50576C

loc_5056DE:				; CODE XREF: CcUpdateTimeOnLogHandles+114j
					; MiDecreaseUsedPtesCount+D21F1j
		mov	ecx, [esi+6Ch]
		test	cl, 1
		jz	short loc_5056F8
		mov	eax, [ebp+var_8]
		and	ecx, 0FFFFFFFEh
		mov	[esi+64h], eax
		mov	eax, [ebp+var_4]
		mov	[esi+68h], eax
		mov	[esi+6Ch], ecx

loc_5056F8:				; CODE XREF: CcUpdateTimeOnLogHandles+84j
		test	ds:byte_70EFC6,	1
		jnz	loc_5D7834
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_505724
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5056B6
		call	KxWaitForLockChainValid

loc_505724:				; CODE XREF: CcUpdateTimeOnLogHandles+AAj
		mov	[ebp+var_14], 0
		add	eax, 4
		lock xor [eax],	edi
		jmp	short loc_5056B6
; 

loc_505733:				; CODE XREF: CcUpdateTimeOnLogHandles+4Aj
		test	ds:byte_70EFC6,	1
		jnz	loc_5D7844
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_505779
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_20]
		cmp	eax, ecx
		jnz	loc_5D7854

loc_50575E:				; CODE XREF: CcUpdateTimeOnLogHandles+126j
					; CcUpdateTimeOnLogHandles+D21EFj
		mov	cl, [ebp+var_18]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_50576C:				; CODE XREF: CcUpdateTimeOnLogHandles+78j
		lea	ecx, [ebp+var_14]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_5056DE
; 

loc_505779:				; CODE XREF: CcUpdateTimeOnLogHandles+E5j
					; CcUpdateTimeOnLogHandles+D21FCj
		mov	[ebp+var_20], 0
		add	eax, 4
		lock xor [eax],	edi
		jmp	short loc_50575E
CcUpdateTimeOnLogHandles endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetProcessPriorityByClass(x, x)
_PspSetProcessPriorityByClass@8	proc near
					; CODE XREF: PsSetProcessPriorityByClass(x,x):loc_7D3C72p
					; PspSetProcessForegroundBackgroundRequest(x,x,x)+7Ap ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		mov	[ebp+var_4], eax
		mov	esi, ecx
		mov	byte ptr [ebp+var_C], al
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_PspComputeQuantumAndPriority@20 ; PspComputeQuantumAndPriority(x,x,x,x,x)
		push	[ebp+var_4]
		mov	edx, eax
		mov	ecx, esi
		push	[ebp+var_8]
		push	[ebp+var_C]
		call	KeSetPriorityAndQuantumProcess
		pop	esi
		leave
		retn
_PspSetProcessPriorityByClass@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_5057C4	proc near		; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x):loc_59126Fp

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D7861 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	0
		mov	esi, ecx
		push	edx
		push	esi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		test	byte ptr ds:_MmTrackLockedPages, 1
		jnz	loc_5D7861

loc_5057E2:				; CODE XREF: sub_5057C4+D20B2j
		pop	esi
		pop	ebp
		retn	0Ch
sub_5057C4	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2225. RtlIsUntrustedObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIsUntrustedObject
RtlIsUntrustedObject proc near		; CODE XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+FBp

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6D		= byte ptr -6Dh
var_6C		= dword	ptr -6Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D787B SIZE 000000EE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_4]
		and	[ebp+var_74], 0
		mov	[ebp+var_78], eax
		mov	[ebp+var_7C], ecx
		mov	byte ptr [ecx],	1
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		lea	esi, [ebp+var_6C]
		test	eax, eax
		jz	loc_5D787B
		test	ebx, ebx
		jnz	loc_5D7883

loc_505829:				; CODE XREF: RtlIsUntrustedObject+D2091j
		mov	[ebp+var_6D], 0
		push	edi
		test	ebx, ebx
		jnz	loc_5D788D
		lea	ecx, [ebp+var_74]
		push	ecx
		push	68h
		lea	ecx, [ebp+var_6C]
		push	ecx
		push	10h
		pop	edx
		mov	ecx, eax
		call	_ObQuerySecurityObject@20 ; ObQuerySecurityObject(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_5D78F7

loc_505854:				; CODE XREF: RtlIsUntrustedObject+D20B7j
					; RtlIsUntrustedObject+D20F8j
		movzx	eax, word ptr [esi+2]
		mov	ecx, eax
		test	al, 10h
		jz	short loc_50588D
		mov	ebx, [esi+0Ch]
		test	cx, cx
		jns	short loc_50586F
		lea	eax, [ebx+esi]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax

loc_50586F:				; CODE XREF: RtlIsUntrustedObject+78j
		test	ebx, ebx
		jz	short loc_50588D
		and	[ebp+var_78], 0

loc_505877:				; CODE XREF: RtlIsUntrustedObject+D2155j
		lea	eax, [ebp+var_78]
		push	eax
		push	11h
		push	ebx
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	loc_5D793D

loc_50588D:				; CODE XREF: RtlIsUntrustedObject+70j
					; RtlIsUntrustedObject+85j ...
		mov	eax, [ebp+var_7C]
		mov	byte ptr [eax],	0

loc_505893:				; CODE XREF: RtlIsUntrustedObject+D2160j
					; RtlIsUntrustedObject+D2172j
		cmp	[ebp+var_6D], 0
		jnz	loc_5D78EA

loc_50589D:				; CODE XREF: RtlIsUntrustedObject+D2106j
		mov	eax, edi

loc_50589F:				; CODE XREF: RtlIsUntrustedObject+D20C3j
					; RtlIsUntrustedObject+D2111j ...
		pop	edi

loc_5058A0:				; CODE XREF: RtlIsUntrustedObject+D209Cj
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
RtlIsUntrustedObject endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckFreeModifiedReservations	proc near ; CODE XREF: MiModifiedPageWriter+17Dp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005D7969 SIZE 0000011A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		mov	esi, ecx
		push	edi
		mov	[ebp+var_14], esi
		mov	ecx, [esi+1000h]
		mov	eax, [esi+700h]
		mov	edi, [esi+1118h]
		mov	[ebp+var_C], eax
		test	ecx, ecx
		js	short loc_5058EC

loc_5058D8:				; CODE XREF: MiCheckFreeModifiedReservations+3Ej
		cmp	dword ptr [esi+1E8h], 800h
		jb	loc_5D7969

loc_5058E8:				; CODE XREF: MiCheckFreeModifiedReservations+D20CBj
					; MiCheckFreeModifiedReservations+D20DAj ...
		pop	edi
		pop	esi
		leave
		retn
; 

loc_5058EC:				; CODE XREF: MiCheckFreeModifiedReservations+26j
		xor	ecx, ecx
		jmp	short loc_5058D8
MiCheckFreeModifiedReservations	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStAllocateVirtualRegion proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+F6p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D7A83 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, edx
		xor	eax, eax
		mov	edx, ecx
		mov	[ebp+var_4], edx
		mov	ebx, [edx+1184h]
		cmp	[ebx+esi*4], eax
		jnz	short loc_505966
		push	edi
		push	7
		pop	ecx
		lea	edi, [ebp+var_20]
		rep stosd
		mov	eax, [edx+117Ch]
		movzx	ecx, byte ptr [edx+10F5h]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_18]
		shr	ecx, 6
		xor	ecx, eax
		and	ecx, 1
		xor	eax, ecx
		mov	ecx, [ebp+var_4]
		push	4
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	2
		pop	edx
		call	SMKM_STORE_SM_TRAITS___SmStHelperSendCommand
		pop	edi
		test	eax, eax
		js	short loc_505966
		mov	eax, [ebp+var_8]
		test	eax, eax
		js	short loc_505966
		test	[ebp+var_C], 1
		mov	eax, [ebp+var_10]
		mov	[ebx+esi*4], eax
		jnz	loc_5D7A83

loc_505964:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStAllocateVirtualRegion+D219Bj
		xor	eax, eax

loc_505966:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStAllocateVirtualRegion+1Cj
					; SMKM_STORE_SM_TRAITS___SmStAllocateVirtualRegion+5Bj	...
		pop	esi
		pop	ebx
		leave
		retn
SMKM_STORE_SM_TRAITS___SmStAllocateVirtualRegion endp


;  S U B	R O U T	I N E 


; __stdcall MiSetFreeZeroPfnCold(x, x)
_MiSetFreeZeroPfnCold@8	proc near	; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+246p
					; MiUnlinkNodeLargePageHelper(x,x,x,x,x)+2E7p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	short loc_50597A
		push	0FFFFFFFDh
		pop	eax
		xor	ecx, ecx
		jmp	short loc_50597E
; 

loc_50597A:				; CODE XREF: MiSetFreeZeroPfnCold(x,x)+7j
		xor	eax, eax
		mov	ecx, eax

loc_50597E:				; CODE XREF: MiSetFreeZeroPfnCold(x,x)+Ej
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	ecx
		push	eax
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	[esi+8], eax
		mov	[esi+0Ch], edx
		pop	esi
		retn
_MiSetFreeZeroPfnCold@8	endp

; 
		align 8
; Exported entry 583. FsRtlLookupLastBaseMcbEntryAndIndex

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlLookupLastBaseMcbEntryAndIndex(x, x, x, x)
		public _FsRtlLookupLastBaseMcbEntryAndIndex@16
_FsRtlLookupLastBaseMcbEntryAndIndex@16	proc near
					; CODE XREF: FsRtlLookupLastLargeMcbEntryAndIndex(x,x,x,x)+2Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	edx, edx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_5059F8
		mov	eax, [esi+0Ch]
		mov	[ebp+arg_0], eax
		mov	eax, [eax+ecx*8-4]
		mov	[ebp+arg_8], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_505A19
		lea	eax, [ecx-1]
		test	eax, eax
		mov	eax, [ebp+arg_0]
		jz	short loc_5059D2
		mov	edx, [eax+ecx*8-10h]

loc_5059D2:				; CODE XREF: FsRtlLookupLastBaseMcbEntryAndIndex(x,x,x,x)+34j
		mov	eax, [eax+ecx*8-8]
		mov	ecx, [ebp+arg_8]
		sub	eax, edx
		dec	ecx
		add	eax, ecx

loc_5059DE:				; CODE XREF: FsRtlLookupLastBaseMcbEntryAndIndex(x,x,x,x)+84j
		mov	[edi], eax
		mov	dl, 1
		mov	ecx, [esi+4]
		mov	eax, [esi+0Ch]
		mov	eax, [eax+ecx*8-8]
		dec	eax
		mov	[ebx], eax
		mov	ecx, [esi+4]
		mov	eax, [ebp+arg_C]
		dec	ecx
		mov	[eax], ecx

loc_5059F8:				; CODE XREF: FsRtlLookupLastBaseMcbEntryAndIndex(x,x,x,x)+18j
		xor	ecx, ecx
		mov	al, dl
		cmp	dword ptr [ebx], 0FFFFFFFFh
		setnz	cl
		dec	ecx
		mov	[ebx+4], ecx
		xor	ecx, ecx
		cmp	dword ptr [edi], 0FFFFFFFFh
		setnz	cl
		dec	ecx
		mov	[edi+4], ecx
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_505A19:				; CODE XREF: FsRtlLookupLastBaseMcbEntryAndIndex(x,x,x,x)+2Aj
		or	eax, 0FFFFFFFFh
		jmp	short loc_5059DE
_FsRtlLookupLastBaseMcbEntryAndIndex@16	endp


;  S U B	R O U T	I N E 


; __stdcall MiPageToNode(x)
_MiPageToNode@4	proc near		; CODE XREF: MiDeleteClusterPage(x,x)+EBp
					; MiChangePageAttributeLargeFreeZeroPage(x,x,x)+62p ...
		call	MiSearchNumaNodeTable
		mov	eax, [eax+4]
		retn
_MiPageToNode@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiResetVirtualMemory proc near		; CODE XREF: MiAllocateVirtualMemory+433p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D7A90 SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	eax, eax
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	esi, 80000h
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		setnz	al
		mov	[ebp+arg_8], eax
		mov	edx, [edi+1Ch]
		test	edx, 100000h
		jnz	short loc_505A9B
		mov	eax, [edi+2Ch]
		mov	eax, [eax]
		cmp	dword ptr [eax+20h], 0
		jnz	short loc_505AA5
		test	edx, 200h
		jz	short loc_505AAC

loc_505A68:				; CODE XREF: MiResetVirtualMemory+76j
					; MiResetVirtualMemory+D206Ej ...
		test	dword ptr [ecx+490h], 100h
		jnz	loc_5D7AC1

loc_505A78:				; CODE XREF: MiResetVirtualMemory+D20A9j
					; MiResetVirtualMemory+D20D2j
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		push	0
		push	[ebp+arg_8]
		push	edi
		call	MiWalkVaRange
		sub	esi, 80000h
		neg	esi
		sbb	esi, esi
		and	eax, esi

loc_505A94:				; CODE XREF: MiResetVirtualMemory+82j
					; MiResetVirtualMemory+89j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_505A9B:				; CODE XREF: MiResetVirtualMemory+2Bj
		test	dl, 8
		jz	short loc_505A68
		jmp	loc_5D7A90
; 

loc_505AA5:				; CODE XREF: MiResetVirtualMemory+36j
		mov	eax, 0C0000243h
		jmp	short loc_505A94
; 

loc_505AAC:				; CODE XREF: MiResetVirtualMemory+3Ej
					; MiResetVirtualMemory+D208Bj
		mov	eax, 0C000004Eh
		jmp	short loc_505A94
MiResetVirtualMemory endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiEmptyWorkingSetTail(x)
_MiEmptyWorkingSetTail@4 proc near	; DATA XREF: MiEmptyWorkingSetInitiate(x,x,x,x)+9Ao

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+48h]
		lea	edx, [eax+4]
		cmp	dword ptr [edx+0Ch], 0
		jnz	short loc_505ACE

loc_505AC8:				; CODE XREF: MiEmptyWorkingSetTail(x)+28j
		xor	eax, eax
		pop	ebp
		retn	4
; 

loc_505ACE:				; CODE XREF: MiEmptyWorkingSetTail(x)+12j
		mov	eax, [eax]
		mov	ecx, [ecx+10h]
		and	eax, 4
		push	eax
		call	MiFreeWsleList
		jmp	short loc_505AC8
_MiEmptyWorkingSetTail@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2263. RtlNumberGenericTableElements

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlNumberGenericTableElements(x)
		public _RtlNumberGenericTableElements@4
_RtlNumberGenericTableElements@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+14h]
		pop	ebp
		retn	4
_RtlNumberGenericTableElements@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


CcRescheduleLazyWriteScan proc near	; CODE XREF: CcLazyWriteScan+2DAp
					; CcLazyWriteScan+129294p ...

; FUNCTION CHUNK AT 005D7AFF SIZE 0000000B BYTES

		cmp	byte ptr [ecx+288h], 0
		push	edi
		lea	edi, [ecx+148h]
		jnz	short loc_505B4A
		cmp	byte ptr [edi+48h], 0
		jz	loc_5D7AFF
		push	esi
		test	edx, edx
		jz	short loc_505B2B
		mov	esi, [edx]
		mov	ecx, [edx+4]
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_505B25
		cmp	ecx, 7FFFFFFFh
		jz	short loc_505B2B

loc_505B25:				; CODE XREF: CcRescheduleLazyWriteScan+27j
		mov	eax, esi
		or	eax, ecx
		jnz	short loc_505B4C

loc_505B2B:				; CODE XREF: CcRescheduleLazyWriteScan+1Dj
					; CcRescheduleLazyWriteScan+2Fj
		mov	eax, _CcIdleDelay
		mov	edx, dword_6B625C

loc_505B36:				; CODE XREF: CcRescheduleLazyWriteScan+85j
					; CcRescheduleLazyWriteScan+8Bj ...
		push	edi
		push	3E8h
		push	0
		push	edx
		push	eax
		lea	eax, [edi+20h]
		push	eax
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		pop	esi

loc_505B4A:				; CODE XREF: CcRescheduleLazyWriteScan+Ej
		pop	edi
		retn
; 

loc_505B4C:				; CODE XREF: CcRescheduleLazyWriteScan+35j
		push	ecx
		push	esi
		push	0
		push	ds:_KeMaximumIncrement
		call	__allmul
		mov	ecx, 9896800h
		test	edx, edx
		jl	short loc_505B8A
		jg	short loc_505B97
		cmp	eax, ecx
		ja	short loc_505B97

loc_505B6A:				; CODE XREF: CcRescheduleLazyWriteScan+A7j
		test	edx, edx
		jg	short loc_505B81
		jl	short loc_505B8A
		cmp	eax, (offset loc_98967E+2)
		jb	short loc_505B8A

loc_505B77:				; CODE XREF: CcRescheduleLazyWriteScan+A1j
		test	edx, edx
		jl	short loc_505B36
		jg	short loc_505B81
		test	eax, eax
		jz	short loc_505B36

loc_505B81:				; CODE XREF: CcRescheduleLazyWriteScan+78j
					; CcRescheduleLazyWriteScan+87j
		neg	eax
		adc	edx, 0
		neg	edx
		jmp	short loc_505B36
; 

loc_505B8A:				; CODE XREF: CcRescheduleLazyWriteScan+6Ej
					; CcRescheduleLazyWriteScan+7Aj ...
		mov	eax, _CcIdleDelay
		mov	edx, dword_6B625C
		jmp	short loc_505B77
; 

loc_505B97:				; CODE XREF: CcRescheduleLazyWriteScan+70j
					; CcRescheduleLazyWriteScan+74j
		mov	eax, ecx
		xor	edx, edx
		jmp	short loc_505B6A
CcRescheduleLazyWriteScan endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1398. MmFreeContiguousMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmFreeContiguousMemory
MmFreeContiguousMemory proc near	; CODE XREF: MmFreeContiguousMemorySpecifyCache(x,x,x)+8p
					; HvlpFreeOverlayPages(x)+4p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D7B3A SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		cmp	esi, dword_6D07D0
		jb	loc_5D7B1D
		mov	eax, esi
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 5
		jz	sub_5D7B0A
		test	al, al
		jz	loc_5D7B1D
		lea	edx, [ebp+var_18]
		mov	ecx, esi
		call	_MiFillPteHierarchy@8 ;	MiFillPteHierarchy(x,x)
		push	2
		pop	ecx

loc_505BF2:				; CODE XREF: MmFreeContiguousMemory+6Ej
		mov	eax, [ebp+ecx*4+var_1C]
		dec	ecx
		mov	edx, [eax]
		mov	[ebp+arg_0], edx
		nop
		mov	edi, [eax+4]
		mov	eax, edx
		and	eax, 80h
		mov	[ebp+var_10], edi
		or	eax, ebx
		jnz	short loc_505C12
		test	ecx, ecx
		jnz	short loc_505BF2

loc_505C12:				; CODE XREF: MmFreeContiguousMemory+6Aj
		mov	ecx, edi
		mov	eax, ebx
		and	ecx, 80000000h
		or	eax, ecx
		mov	eax, ebx
		jz	short loc_505C27
		mov	eax, 200h

loc_505C27:				; CODE XREF: MmFreeContiguousMemory+7Ej
		mov	edi, 0FFFh
		test	esi, edi
		jnz	sub_5D7B16
		push	eax
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_8]
		call	ExRemovePoolTag
		mov	eax, [ebp+var_C]
		cmp	eax, 1000h
		jb	short loc_505CB3
		test	eax, edi
		jnz	short loc_505CB3
		cmp	[ebp+var_8], 546E6F43h
		jnz	short loc_505CB3
		cmp	ds:_MmProtectFreedNonPagedPool,	1
		mov	ebx, eax
		mov	edi, ebx
		jz	short loc_505CAB

loc_505C67:				; CODE XREF: MmFreeContiguousMemory+10Fj
		shr	edi, 0Ch
		cmp	_ViVerifierEnabled, 0
		jnz	loc_5D7B2C

loc_505C77:				; CODE XREF: sub_5D7B16+1Fj
		push	ebx
		push	esi
		call	MmUnmapIoSpace
		test	ds:byte_70EFC4,	1
		jnz	loc_5D7B3A

loc_505C8B:				; CODE XREF: MmFreeContiguousMemory+D1FA4j
		nop
		mov	eax, [ebp+arg_0]
		mov	edx, edi
		mov	ecx, [ebp+var_10]
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		mov	ecx, eax
		call	_MiFreeContiguousPages@8 ; MiFreeContiguousPages(x,x)

loc_505CA4:				; CODE XREF: sub_5D7B0A+7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_505CAB:				; CODE XREF: MmFreeContiguousMemory+C3j
		lea	ebx, [edi+1000h]
		jmp	short loc_505C67
; 

loc_505CB3:				; CODE XREF: MmFreeContiguousMemory+A9j
					; MmFreeContiguousMemory+ADj ...
		push	[ebp+var_8]
		push	eax
		push	esi
		push	60h
		jmp	loc_5D7B22
MmFreeContiguousMemory endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeContiguousPages(x, x)
_MiFreeContiguousPages@8 proc near	; CODE XREF: MmFreeContiguousMemory+FDp
					; MiAllocateContiguousMemory+DF48Cp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], ecx
		push	edi
		imul	edi, esi, 1Ch
		xor	ecx, ecx
		mov	eax, edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], eax
		mov	ebx, ecx
		mov	[ebp+var_C], ecx
		add	edi, ds:_MmPfnDatabase

loc_505CE8:				; CODE XREF: MiFreeContiguousPages(x,x)+CEj
		test	esi, 1FFh
		jnz	short loc_505D2C
		cmp	eax, 200h
		jb	short loc_505D2C
		xor	edx, edx
		mov	ecx, esi
		call	_MiResidentPageDangleFree@8 ; MiResidentPageDangleFree(x,x)
		test	eax, eax
		jz	short loc_505D2C
		test	ebx, ebx
		jnz	short loc_505D0D
		mov	ebx, offset _MiSystemPartition

loc_505D0D:				; CODE XREF: MiFreeContiguousPages(x,x)+46j
		push	6
		xor	edx, edx
		mov	ecx, esi
		call	_MiFreeLargePageMemory@12 ; MiFreeLargePageMemory(x,x,x)
		add	[ebp+var_10], eax
		mov	edx, 200h
		mov	eax, [ebp+var_8]
		mov	ecx, 3800h
		sub	eax, edx
		jmp	short loc_505D82
; 

loc_505D2C:				; CODE XREF: MiFreeContiguousPages(x,x)+2Ej
					; MiFreeContiguousPages(x,x)+35j ...
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp+var_1], al
		test	ebx, ebx
		jnz	short loc_505D3F
		mov	ebx, offset _MiSystemPartition

loc_505D3F:				; CODE XREF: MiFreeContiguousPages(x,x)+78j
		xor	ecx, ecx
		mov	eax, 0FFFFh
		add	[edi+14h], ax
		inc	ecx
		cmp	[edi+14h], cx
		jnz	short loc_505D54
		inc	[ebp+var_C]

loc_505D54:				; CODE XREF: MiFreeContiguousPages(x,x)+8Fj
		lea	esi, [edi+10h]
		mov	ecx, edi
		or	dword ptr [esi], 40000000h
		call	MiDecrementShareCount
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_8]
		xor	edx, edx
		mov	esi, [ebp+var_14]
		dec	eax
		push	1Ch
		pop	ecx
		inc	edx

loc_505D82:				; CODE XREF: MiFreeContiguousPages(x,x)+6Aj
		add	esi, edx
		mov	[ebp+var_8], eax
		add	edi, ecx
		mov	[ebp+var_14], esi
		test	eax, eax
		jnz	loc_505CE8
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_505DA4
		mov	edx, eax
		mov	ecx, ebx
		call	_MiFreeLargePageCharges@8 ; MiFreeLargePageCharges(x,x)

loc_505DA4:				; CODE XREF: MiFreeContiguousPages(x,x)+D9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiFreeContiguousPages@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExRemovePoolTag	proc near		; CODE XREF: MmFreeContiguousMemory+9Cp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D7B4B SIZE 000000F3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], edx
		and	eax, 1
		mov	[ebp+var_20], edi
		push	offset _ExpLargePoolTableLock
		mov	[ebp+var_28], eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	ebx, _PoolBigPageTableSize
		xor	esi, esi
		mov	[ebp+var_1], al
		inc	esi
		mov	eax, edi
		mov	[ebp+var_24], ebx
		shr	eax, 0Ch
		mov	ecx, eax
		shr	ecx, 8
		movzx	edx, cl
		movzx	ecx, al
		shl	ecx, 2
		xor	edx, ecx
		shr	eax, 10h
		mov	ecx, [ebp+var_24]
		shl	edx, 2
		xor	edx, eax
		lea	eax, [ebx-1]
		imul	edx, 2797Ch
		sar	edx, 2
		and	edx, eax
		xor	ebx, ebx

loc_505E0F:				; CODE XREF: ExRemovePoolTag+1D0j
					; ExRemovePoolTag+D1DA9j
		mov	eax, edx
		shl	eax, 4
		add	eax, _PoolBigPageTable
		mov	eax, [eax]
		cmp	eax, edi
		jnz	loc_505F77
		shl	edx, 4
		add	edx, _PoolBigPageTable
		jz	loc_5D7B58
		mov	eax, [ebp+var_14]
		mov	ecx, [edx+4]
		mov	esi, [edx+0Ch]
		mov	[ebp+var_18], esi
		mov	[eax], ecx
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		cmp	ecx, 6C6F6F50h
		jz	loc_5D7B75
		mov	al, [edx+8]
		mov	byte ptr [ebp+arg_0+3],	al
		mov	eax, [edx+8]
		shr	eax, 14h
		mov	[ebp+var_24], eax

loc_505E61:				; CODE XREF: ExRemovePoolTag+D1DD1j
		lock dec ds:_ExpPoolBigEntriesInUse
		lock inc dword ptr [edx]
		push	offset _ExpLargePoolTableLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_14]
		mov	eax, [ecx]
		mov	[ebp+var_8], eax
		cmp	eax, ds:_PoolHitTag
		jz	loc_5D7B80

loc_505E92:				; CODE XREF: ExRemovePoolTag+D1DD7j
		test	ds:byte_70EFC4,	41h
		jnz	loc_5D7B86

loc_505E9F:				; CODE XREF: ExRemovePoolTag+D1DEEj
		mov	eax, [ebp+arg_4]
		and	eax, 20h
		mov	[ebp+var_2C], eax
		jnz	loc_5D7B9D
		movzx	eax, large byte	ptr fs:51h
		mov	edx, _PoolTrackTableMask
		mov	eax, _ExPoolTagTables[eax*4]

loc_505EC3:				; CODE XREF: ExRemovePoolTag+D1DFEj
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_8]
		movzx	ecx, al
		shl	ecx, 2
		movzx	eax, ah
		xor	ecx, eax
		mov	[ebp+var_1C], edx
		movzx	eax, byte ptr [ebp+var_8+2]
		shl	ecx, 2
		xor	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+3]
		shl	ecx, 2
		xor	ecx, eax
		imul	ecx, 9E5Fh
		sar	ecx, 2
		and	ecx, edx
		mov	[ebp+var_30], ecx

loc_505EF7:				; CODE XREF: ExRemovePoolTag+D1E21j
					; ExRemovePoolTag+D1E30j
		mov	edx, [ebp+var_10]
		imul	eax, ecx, 30h
		add	edx, eax
		mov	[ebp+var_14], eax
		mov	eax, [edx]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]
		cmp	[ebp+var_C], eax
		jnz	loc_5D7BAD
		cmp	[ebp+var_28], ebx
		jnz	short loc_505F85
		lea	edi, [edx+10h]

loc_505F1B:				; CODE XREF: ExRemovePoolTag+18Cj
					; ExRemovePoolTag+191j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+arg_4], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_505F1B
		cmp	edx, [ebp+arg_4]
		jnz	short loc_505F1B
		push	4

loc_505F3F:				; CODE XREF: ExRemovePoolTag+D1E6Bj
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_18]
		add	eax, [ebp+var_10]
		neg	ecx
		mov	edi, [ebp+var_20]
		pop	edx
		add	eax, edx
		lock xadd [eax], ecx
		mov	esi, [ebp+var_18]
		xor	ebx, ebx

loc_505F59:				; CODE XREF: ExRemovePoolTag+D1E42j
		mov	dl, byte ptr [ebp+arg_0+3]
		test	dl, dl
		jnz	loc_5D7C1A

loc_505F64:				; CODE XREF: ExRemovePoolTag+D1E7Bj
					; ExRemovePoolTag+D1E8Fj
		push	[ebp+var_28]
		mov	edx, esi
		mov	ecx, edi
		call	ExpFreePoolChecks
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_505F77:				; CODE XREF: ExRemovePoolTag+74j
		inc	edx
		cmp	edx, ecx
		jb	loc_505E0F
		jmp	loc_5D7B4B
; 

loc_505F85:				; CODE XREF: ExRemovePoolTag+16Cj
		lea	edi, [edx+28h]
		jmp	loc_5D7BF1
ExRemovePoolTag	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpFreePoolChecks proc near		; CODE XREF: ExRemovePoolTag+1C1p
					; ExpFreeHeapSpecialPool(x,x)+3Ap

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D7C3E SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_ExpPoolFlags
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	eax, 207h
		jnz	loc_5D7C3E

loc_505FAA:				; CODE XREF: ExpFreePoolChecks+D1CEDj
					; ExpFreePoolChecks+D1CFCj
		test	byte ptr ds:_ExpPoolFlags, 10h
		jnz	loc_5D7C8F

loc_505FB7:				; CODE XREF: ExpFreePoolChecks+D1D0Aj
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
ExpFreePoolChecks endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2083. RtlFindFirstRunClear

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlFindFirstRunClear
RtlFindFirstRunClear proc near		; CODE XREF: PnprMirrorMarkedPages()+7Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D7C9D SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	edx, edx
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	loc_5D7C9D
		push	esi
		mov	esi, [ebx+4]
		lea	eax, [ecx-1]
		shr	eax, 5
		push	edi
		mov	edi, edx
		lea	eax, [esi+eax*4]
		mov	[ebp+var_4], eax
		cmp	esi, eax
		jnz	loc_506076

loc_505FF6:				; CODE XREF: RtlFindFirstRunClear+B5j
					; RtlFindFirstRunClear+D1CEEj ...
		cmp	edi, ecx
		jnb	short loc_506013
		mov	eax, [ebx+4]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_4]
		mov	ebx, [ebp+var_8]

loc_506006:				; CODE XREF: RtlFindFirstRunClear+4Aj
		bt	[ebx], edi
		jnb	short loc_506010
		inc	edi
		cmp	edi, ecx
		jb	short loc_506006

loc_506010:				; CODE XREF: RtlFindFirstRunClear+45j
		mov	ebx, [ebp+arg_0]

loc_506013:				; CODE XREF: RtlFindFirstRunClear+34j
		cmp	esi, eax
		jnz	short loc_50604C

loc_506017:				; CODE XREF: RtlFindFirstRunClear+9Dj
					; RtlFindFirstRunClear+CDj ...
		mov	esi, [ebx]
		lea	eax, [edx+edi]
		cmp	eax, esi
		jb	short loc_506037

loc_506020:				; CODE XREF: RtlFindFirstRunClear+79j
					; RtlFindFirstRunClear+7Ej ...
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		pop	edi
		pop	esi
		cmp	edx, 0FFFFFFFFh
		ja	loc_5D7CC7

loc_506030:				; CODE XREF: RtlFindFirstRunClear+D1CDEj
					; RtlFindFirstRunClear+D1D06j
		mov	eax, edx
		pop	ebx
		leave
		retn	8
; 

loc_506037:				; CODE XREF: RtlFindFirstRunClear+5Aj
		mov	ecx, [ebx+4]

loc_50603A:				; CODE XREF: RtlFindFirstRunClear+84j
		bt	[ecx], eax
		jb	short loc_506020
		cmp	edx, 0FFFFFFFFh
		jnb	short loc_506020
		inc	eax
		inc	edx
		cmp	eax, esi
		jb	short loc_50603A
		jmp	short loc_506020
; 

loc_50604C:				; CODE XREF: RtlFindFirstRunClear+51j
		mov	ecx, [esi]
		mov	eax, edi
		and	eax, 1Fh
		mov	[ebp+arg_0], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		jnz	short loc_506017
		push	20h
		pop	edx
		sub	edx, [ebp+arg_0]
		cmp	edx, 0FFFFFFFFh
		jnb	short loc_506020
		mov	ecx, [ebp+var_4]
		add	esi, 4
		jmp	short loc_50608F
; 

loc_506076:				; CODE XREF: RtlFindFirstRunClear+2Cj
		cmp	dword ptr [esi], 0FFFFFFFFh
		jnz	loc_505FF6
		jmp	loc_5D7CA7
; 

loc_506084:				; CODE XREF: RtlFindFirstRunClear+D8j
		add	edx, 20h
		add	esi, 4
		cmp	edx, 0FFFFFFFFh
		jnb	short loc_506020

loc_50608F:				; CODE XREF: RtlFindFirstRunClear+B0j
		cmp	esi, ecx
		jnb	short loc_506017
		cmp	dword ptr [esi], 0
		jnz	loc_506017
		jmp	short loc_506084
RtlFindFirstRunClear endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUpdatePageAttributeStamp proc	near	; CODE XREF: MiCopyHeaderIfResident+17Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D7CCF SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edi
		cmp	[esi+14h], di
		jnz	loc_506147
		mov	dl, [esi+16h]
		movzx	eax, dl
		and	dl, 7
		and	eax, 7
		mov	ecx, dword_6D579C[eax*4]
		cmp	dl, 2
		jnz	loc_5D7CCF
		mov	ecx, esi
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		imul	ecx, eax, 14h
		add	ecx, offset unk_6D5480

loc_5060E5:				; CODE XREF: MiUpdatePageAttributeStamp+D1C35j
					; MiUpdatePageAttributeStamp+D1C45j ...
		add	ecx, 10h
		mov	[ebp+var_10], edi
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_C], ecx
		jnz	loc_5D7D0F
		lea	edx, [ebp+var_10]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	short loc_50614B

loc_506104:				; CODE XREF: MiUpdatePageAttributeStamp+B5j
					; MiUpdatePageAttributeStamp+D1C7Bj
		mov	[ebp+var_4], edi
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, ds:_KiTbFlushTimeStamp
		shl	eax, 17h
		xor	eax, [esi+10h]
		and	eax, 7800000h
		xor	[esi+10h], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5D7D1E
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_50615D
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	short loc_506155

loc_506147:				; CODE XREF: MiUpdatePageAttributeStamp+15j
					; MiUpdatePageAttributeStamp+CBj ...
		pop	edi
		pop	esi
		leave
		retn
; 

loc_50614B:				; CODE XREF: MiUpdatePageAttributeStamp+64j
		lea	ecx, [ebp+var_10]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_506104
; 

loc_506155:				; CODE XREF: MiUpdatePageAttributeStamp+A7j
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid

loc_50615D:				; CODE XREF: MiUpdatePageAttributeStamp+96j
		xor	ecx, ecx
		mov	[ebp+var_10], edi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_506147
MiUpdatePageAttributeStamp endp

; 
		align 10h
; Exported entry 364. ExGetCurrentProcessorCounts

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExGetCurrentProcessorCounts(x, x, x)
		public _ExGetCurrentProcessorCounts@12
_ExGetCurrentProcessorCounts@12	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, large fs:20h
		mov	eax, [edx+0Ch]
		mov	ecx, [eax+194h]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	ecx, [edx+4A8h]
		mov	eax, [ebp+arg_4]
		add	ecx, [edx+4A4h]
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	ecx, [edx+3CCh]
		mov	[eax], ecx
		pop	ebp
		retn	0Ch
_ExGetCurrentProcessorCounts@12	endp


;  S U B	R O U T	I N E 


SepCleanSingletonEntry proc near	; CODE XREF: SepCleanupMarkedForDeletionEntries()+39p

; FUNCTION CHUNK AT 005D7D2E SIZE 0000001B BYTES

		mov	edi, edi
		push	esi
		call	_SepGetSingletonEntryFromIndexNumber@4 ; SepGetSingletonEntryFromIndexNumber(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_5061E4
		push	ebx
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+8], 0
		mov	bl, al
		and	dword ptr [esi+0Ch], 0
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jnz	loc_5D7D2E

loc_5061D4:				; CODE XREF: SepCleanSingletonEntry+D1B9Aj
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		pop	ebx
		pop	esi
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_5061E4:				; CODE XREF: SepCleanSingletonEntry+Cj
		pop	esi
		retn
SepCleanSingletonEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeletePteWsleCluster(x, x, x, x, x)
_MiDeletePteWsleCluster@20 proc	near	; CODE XREF: .text:00476418p
					; .text:00476B10p

var_A4		= dword	ptr -0A4h
var_A0		= word ptr -0A0h
var_9C		= dword	ptr -9Ch
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [ebp+var_A4]
		push	esi
		push	edi
		push	98h		; size_t
		push	0		; int
		push	eax		; void *
		mov	edi, edx
		mov	esi, ecx
		call	_memset
		mov	edx, [esi+4]
		add	esp, 0Ch
		xor	eax, eax
		test	edx, edx
		jz	short loc_50627A
		push	eax
		push	dword ptr [esi+8]
		shl	edx, 9
		lea	ecx, [ebp+var_A4]
		mov	[ebp+var_A4], 1
		mov	[ebp+var_A0], ax
		mov	[ebp+var_94], eax
		mov	[ebp+var_9C], 21h
		mov	[ebp+var_90], eax
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	ecx, esi
		call	MiTerminateWsleCluster
		push	[ebp+arg_8]
		mov	edx, edi
		lea	ecx, [ebp+var_A4]
		push	[ebp+arg_4]
		push	0
		push	ebx
		call	_MiDeletePteList@24 ; MiDeletePteList(x,x,x,x,x,x)

loc_50627A:				; CODE XREF: MiDeletePteWsleCluster(x,x,x,x,x)+3Cj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_MiDeletePteWsleCluster@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReassessZeroThreads proc near		; CODE XREF: .text:0046FA48p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D7D49 SIZE 00000058 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_18], ecx
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		or	eax, [ebp+arg_4]
		jz	short loc_506326
		mov	eax, [ecx+38h]
		mov	[ebp+var_C], eax
		lea	ebx, [eax+60h]
		cmp	dword ptr [ebx], 0
		jz	short loc_506326
		mov	esi, [ecx+4Ch]
		lea	edx, [ebp+var_28]
		lea	ecx, [eax+10h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebx+4]
		imul	ecx, esi, 1Ch
		cmp	dword ptr [ecx+eax], 1000h
		jb	short loc_5062EE
		add	[ebx+58h], edi
		mov	eax, [ebp+arg_4]
		adc	[ebx+5Ch], eax
		mov	edi, [ebx+14h]
		inc	dword ptr [ebx+18h]
		mov	[ebp+var_14], edi
		cmp	[ebx+18h], edi
		jz	short loc_50632D

loc_5062EE:				; CODE XREF: MiReassessZeroThreads+49j
		test	ds:byte_70EFC6,	1
		jnz	loc_5D7D84
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_5D7D51
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jnz	loc_5D7D49

loc_50631D:				; CODE XREF: MiReassessZeroThreads+207j
					; MiReassessZeroThreads+2E8j ...
		mov	cl, [ebp+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_506326:				; CODE XREF: MiReassessZeroThreads+1Ej
					; MiReassessZeroThreads+2Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_50632D:				; CODE XREF: MiReassessZeroThreads+60j
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	esi, [ebp+var_C]
		push	0
		mov	[esi+28h], eax
		mov	eax, edi
		shl	eax, 0Ch
		shr	eax, 9
		push	eax
		mov	[esi+2Ch], edx
		push	dword ptr [ebx+5Ch]
		push	dword ptr [ebx+58h]
		call	__aulldiv
		mov	ecx, [ebp+var_C]
		mov	esi, [esi+30h]
		mov	[ebp+arg_4], eax
		mov	[ebp+var_8], edx
		or	edx, 0FFFFFFFFh
		mov	ecx, [ecx+34h]
		imul	eax, ecx, 280h
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], edx
		add	eax, [esi+10h]
		xor	esi, esi
		inc	esi
		mov	[ebp+var_1C], eax
		cmp	dword ptr [eax+228h], 0
		jz	loc_5D7D5D
		cmp	edi, [eax+218h]
		ja	loc_5D7D5D
		mov	eax, [eax+260h]
		test	eax, eax
		jz	loc_5D7D5D
		mov	ecx, [eax+edi*8-8]
		lea	esi, [ebx+20h]
		mov	edx, [eax+edi*8-4]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], edx

loc_5063B6:				; CODE XREF: MiReassessZeroThreads+D1AF3j
		cmp	edi, [ebx+10h]
		ja	loc_506529
		push	0
		push	0Ah
		push	edx
		push	ecx
		call	__aulldiv
		mov	ecx, [ebp+var_10]
		add	eax, ecx
		adc	edx, [ebp+var_4]
		cmp	[ebp+var_8], edx
		mov	edx, [ebp+arg_4]
		jb	short loc_5063E8
		ja	loc_50649E
		cmp	edx, eax
		ja	loc_50649E

loc_5063E8:				; CODE XREF: MiReassessZeroThreads+14Cj
					; MiReassessZeroThreads+21Aj
		inc	dword_6C68CC
		cmp	dword ptr [ebx+1Ch], 0
		jnz	loc_50651A

loc_5063F8:				; CODE XREF: MiReassessZeroThreads+298j
		mov	eax, [esi]
		cmp	eax, 6
		jnb	short loc_50640A
		mov	ecx, [ebp+var_8]
		mov	[ebx+eax*8+28h], edx
		mov	[ebx+eax*8+2Ch], ecx

loc_50640A:				; CODE XREF: MiReassessZeroThreads+171j
		mov	eax, [esi]
		inc	eax
		mov	[esi], eax
		cmp	eax, 6
		jz	loc_506504
		xor	eax, eax
		inc	eax

loc_50641B:				; CODE XREF: MiReassessZeroThreads+289j
		cmp	eax, 5
		jz	loc_5064AC

loc_506424:				; CODE XREF: MiReassessZeroThreads+257j
					; MiReassessZeroThreads+273j
		push	eax
		push	[ebp+var_4]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+var_10]
		push	[ebp+var_8]
		push	[ebp+arg_4]
		call	MiLogZeroPageDecision
		mov	eax, [ebx+14h]
		cmp	eax, edi
		jnz	loc_50655E
		xor	edi, edi

loc_506447:				; CODE XREF: MiReassessZeroThreads+2D7j
		mov	[ebx+18h], edi
		mov	esi, edi
		mov	[ebx+58h], edi
		mov	[ebx+5Ch], edi
		test	eax, eax
		jz	short loc_50646A
		mov	edx, edi

loc_506458:				; CODE XREF: MiReassessZeroThreads+1DCj
		mov	ecx, [ebx+4]
		xor	eax, eax
		add	ecx, edx
		xchg	eax, [ecx]
		inc	esi
		add	edx, 1Ch
		cmp	esi, [ebx+14h]
		jb	short loc_506458

loc_50646A:				; CODE XREF: MiReassessZeroThreads+1C8j
		test	ds:byte_70EFC6,	1
		jnz	loc_5D7D84
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_506568
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jz	loc_50631D
		jmp	loc_5D7D94
; 

loc_50649E:				; CODE XREF: MiReassessZeroThreads+14Ej
					; MiReassessZeroThreads+156j
		mov	eax, ecx
		and	eax, [ebp+var_4]
		cmp	eax, 0FFFFFFFFh
		jz	loc_5063E8

loc_5064AC:				; CODE XREF: MiReassessZeroThreads+192j
					; MiReassessZeroThreads+2C1j
		inc	dword_6C68D0
		xor	ecx, ecx
		inc	ecx
		cmp	[ebx+1Ch], ecx
		jnz	loc_506552

loc_5064BE:				; CODE XREF: MiReassessZeroThreads+2CDj
		mov	eax, [ebx+20h]
		cmp	eax, 6
		jnb	short loc_5064D7
		mov	ecx, [ebp+arg_4]
		mov	[ebx+eax*8+28h], ecx
		mov	ecx, [ebp+var_8]
		mov	[ebx+eax*8+2Ch], ecx
		mov	eax, [ebx+20h]

loc_5064D7:				; CODE XREF: MiReassessZeroThreads+238j
		inc	eax
		mov	[ebx+20h], eax
		cmp	eax, 3
		jz	short loc_5064E8
		push	6
		pop	eax
		jmp	loc_506424
; 

loc_5064E8:				; CODE XREF: MiReassessZeroThreads+252j
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_C]
		inc	dword ptr [ebx+98h]
		push	0
		call	MiReduceZeroingThreads
		and	dword ptr [ebx+20h], 0
		jmp	loc_506424
; 

loc_506504:				; CODE XREF: MiReassessZeroThreads+186j
		mov	ecx, [ebp+var_18]
		inc	dword ptr [ebx+94h]
		call	MiAddZeroingThreads
		and	dword ptr [esi], 0
		jmp	loc_50641B
; 

loc_50651A:				; CODE XREF: MiReassessZeroThreads+166j
		lea	esi, [ebx+20h]
		and	dword ptr [esi], 0
		and	dword ptr [ebx+1Ch], 0
		jmp	loc_5063F8
; 

loc_506529:				; CODE XREF: MiReassessZeroThreads+12Dj
		xor	ecx, ecx
		mov	dword ptr [ebx+20h], 2
		inc	ecx
		lea	edi, [ebx+28h]
		mov	[ebx+1Ch], ecx
		mov	esi, edi
		or	dword ptr [edi], 0FFFFFFFFh
		or	dword ptr [edi+4], 0FFFFFFFFh
		add	edi, 8
		push	0Ah
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_14]
		jmp	loc_5064AC
; 

loc_506552:				; CODE XREF: MiReassessZeroThreads+22Cj
		and	dword ptr [ebx+20h], 0
		mov	[ebx+1Ch], ecx
		jmp	loc_5064BE
; 

loc_50655E:				; CODE XREF: MiReassessZeroThreads+1B3j
		xor	edi, edi
		mov	[ebx+20h], edi
		jmp	loc_506447
; 

loc_506568:				; CODE XREF: MiReassessZeroThreads+1F0j
					; MiReassessZeroThreads+D1B10j
		mov	[ebp+var_28], edi

loc_50656B:				; CODE XREF: MiReassessZeroThreads+D1ACCj
		xor	ecx, ecx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_50631D
MiReassessZeroThreads endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLogZeroPageDecision proc near		; CODE XREF: MiReassessZeroThreads+1A9p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 005D7DA1 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		push	esi
		mov	esi, [edx+9Ch]
		test	esi, esi
		jz	loc_506627
		inc	dword ptr [esi+4]
		mov	eax, [esi+8]
		mov	ecx, [esi]
		push	edi
		xor	edi, edi
		inc	edi
		cmp	eax, ecx
		jnb	loc_5D7DA1

loc_5065A7:				; CODE XREF: MiLogZeroPageDecision+D1834j
		add	eax, eax
		xor	ecx, ecx
		inc	ecx
		lea	edi, [esi+eax*8]
		mov	eax, [ebp+arg_0]
		cmp	[ebp+arg_4], ecx
		jb	short loc_5065C5
		ja	loc_5D7DB3
		test	eax, eax
		jnb	loc_5D7DB3

loc_5065C5:				; CODE XREF: MiLogZeroPageDecision+3Bj
		and	eax, 0FFFFFFFEh

loc_5065C8:				; CODE XREF: MiLogZeroPageDecision+D183Bj
		mov	[edi], eax
		mov	eax, [ebp+arg_8]
		cmp	[ebp+arg_C], ecx
		jb	short loc_5065D8
		ja	short loc_50663B
		test	eax, eax
		jnb	short loc_50663B

loc_5065D8:				; CODE XREF: MiLogZeroPageDecision+56j
		and	eax, 0FFFFFFFEh

loc_5065DB:				; CODE XREF: MiLogZeroPageDecision+C3j
		mov	[edi+4], eax
		mov	[edi+8], bx
		mov	ax, [edx+14h]
		mov	[edi+0Ah], ax
		mov	al, [ebp+arg_10]
		mov	[edi+0Ch], al
		mov	byte ptr [edi+0Dh], 0
		mov	[edi+0Eh], cx
		mov	ebx, [esi+8]
		cmp	ebx, ecx
		jz	short loc_50662D
		lea	edx, [edi-10h]
		mov	ecx, edi
		call	_MiZeroPageLogEntriesMergable@8	; MiZeroPageLogEntriesMergable(x,x)
		test	eax, eax
		jz	short loc_50662D
		movzx	eax, word ptr [edi-2]
		mov	ecx, 0FFFFh
		cmp	ax, cx
		jz	short loc_50662D
		inc	dword_6C68E0
		inc	eax
		mov	[edi-2], ax

loc_506626:				; CODE XREF: MiLogZeroPageDecision+BFj
					; MiLogZeroPageDecision+D182Ej
		pop	edi

loc_506627:				; CODE XREF: MiLogZeroPageDecision+13j
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
; 

loc_50662D:				; CODE XREF: MiLogZeroPageDecision+83j
					; MiLogZeroPageDecision+91j ...
		inc	dword_6C68E4
		lea	eax, [ebx+1]
		mov	[esi+8], eax
		jmp	short loc_506626
; 

loc_50663B:				; CODE XREF: MiLogZeroPageDecision+58j
					; MiLogZeroPageDecision+5Cj
		or	eax, ecx
		jmp	short loc_5065DB
MiLogZeroPageDecision endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiZeroPageLogEntriesMergable(x, x)
_MiZeroPageLogEntriesMergable@8	proc near ; CODE XREF: MiLogZeroPageDecision+8Ap
		mov	ax, [ecx+8]
		push	esi
		mov	esi, edx
		cmp	ax, [esi+8]
		jnz	short loc_506695
		mov	ax, [ecx+0Ah]
		cmp	ax, [esi+0Ah]
		jnz	short loc_506695
		cmp	byte ptr [ecx+0Ch], 4
		mov	al, [esi+0Ch]
		ja	short loc_506691
		cmp	al, 4
		ja	short loc_506695

loc_506664:				; CODE XREF: MiZeroPageLogEntriesMergable(x,x)+53j
		mov	edx, [ecx]
		test	dl, 1
		jnz	short loc_506695
		mov	eax, [esi]
		test	al, 1
		jnz	short loc_506695
		push	0Ah
		pop	esi
		cmp	edx, eax
		jnb	short loc_506689
		mov	ecx, eax
		sub	ecx, edx

loc_50667C:				; CODE XREF: MiZeroPageLogEntriesMergable(x,x)+4Fj
		xor	edx, edx
		div	esi
		cmp	ecx, eax
		ja	short loc_506695
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_506689:				; CODE XREF: MiZeroPageLogEntriesMergable(x,x)+36j
		mov	ecx, edx
		sub	ecx, eax
		mov	eax, edx
		jmp	short loc_50667C
; 

loc_506691:				; CODE XREF: MiZeroPageLogEntriesMergable(x,x)+1Ej
		cmp	al, 4
		ja	short loc_506664

loc_506695:				; CODE XREF: MiZeroPageLogEntriesMergable(x,x)+Bj
					; MiZeroPageLogEntriesMergable(x,x)+15j ...
		xor	eax, eax
		pop	esi
		retn
_MiZeroPageLogEntriesMergable@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmStoreDecommitVirtualMemory(x, x)
_MmStoreDecommitVirtualMemory@8	proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion+72p
					; ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+1D2p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[esp+30h+var_20], edx
		push	6
		xor	eax, eax
		mov	[esp+34h+var_1C], esi
		pop	ecx
		lea	edi, [esp+30h+var_18]
		rep stosd
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[esp+30h+var_24], eax
		lea	edi, [eax+240h]
		mov	ecx, edi
		call	MiLockWorkingSetShared
		mov	ecx, esi
		mov	bl, al
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	dl, bl
		mov	ecx, edi
		mov	esi, eax
		call	MiUnlockWorkingSetShared
		mov	edx, [esp+30h+var_20]
		lea	eax, [esp+30h+var_18]
		mov	ecx, [esp+30h+var_1C]
		dec	edx
		push	eax
		add	edx, ecx
		push	0
		shr	edx, 9
		push	esi
		push	[esp+3Ch+var_24]
		and	edx, offset loc_7FFFF8
		sub	edx, 40000000h
		call	_MiDecommitPages@24 ; MiDecommitPages(x,x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MmStoreDecommitVirtualMemory@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStCompareRegionData proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+34p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D7DBA SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		test	byte ptr [ecx+10F5h], 4
		push	esi
		mov	esi, edx
		push	edi
		mov	eax, [esi]
		jz	loc_5D7DCC
		push	0Ch
		mov	[ebp+var_18], eax
		xor	edi, edi
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_14], edi
		push	eax
		push	5
		pop	edx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_1C], offset ?SmStCompareRegionDataCallback@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU_SMKM_STORE_HELPER@@PAXK@Z	; SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)
		call	SMKM_STORE_SM_TRAITS___SmStHelperSendCommand
		test	eax, eax
		jnz	loc_5D7DBA
		mov	eax, [ebp+var_4]

loc_50676F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCompareRegionData+D169Fj
					; SMKM_STORE_SM_TRAITS___SmStCompareRegionData+D16A7j ...
		pop	edi
		pop	esi
		leave
		retn
SMKM_STORE_SM_TRAITS___SmStCompareRegionData endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcCompleteAsyncReadWorker proc near	; DATA XREF: CcPostWorkQueueAsyncRead+12Co

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D7DE0 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	bl, bl
		cmp	dword ptr [esi+10h], 4
		jnz	short loc_506802
		mov	eax, [esi+14h]
		mov	[ebp+var_8], eax
		mov	eax, [esi+1Ch]
		push	edi
		mov	edi, [esi+20h]
		mov	esi, [ebp+var_8]
		mov	[ebp+var_4], eax

loc_50679B:				; CODE XREF: CcCompleteAsyncReadWorker+76j
		mov	ecx, eax
		call	CcCompleteAsyncRead
		mov	ecx, [ebp+var_4]
		call	_CcFreeWorkQueueEntry@4	; CcFreeWorkQueueEntry(x)
		xor	eax, eax
		lea	ecx, [edi+260h]
		xor	edx, edx
		mov	[ebp+var_4], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+254h]
		lea	edx, [eax+esi*8]
		cmp	[edx], edx
		jnz	loc_5D7DE0
		mov	eax, [edi+24Ch]
		mov	bl, 1
		dec	dword ptr [eax+esi*4]

loc_5067D8:				; CODE XREF: CcCompleteAsyncReadWorker+D1676j
		xor	edx, edx
		lea	ecx, [edi+260h]
		call	ExReleasePushLockEx
		mov	eax, [ebp+var_4]
		test	bl, bl
		jz	short loc_50679B
		mov	ecx, edi
		call	CcDereferencePartition
		mov	esi, [ebp+arg_0]
		push	71576343h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi

loc_506802:				; CODE XREF: CcCompleteAsyncReadWorker+12j
		pop	esi
		pop	ebx
		leave
		retn	4
CcCompleteAsyncReadWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcCompleteAsyncRead proc near		; CODE XREF: CcCompleteAsyncReadWorker+29p
					; CcAsyncReadWorker+2CFp ...

var_70		= dword	ptr -70h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 005D7DEF SIZE 00000013 BYTES

		push	60h
		push	offset dword_6A4018
		call	__SEH_prolog4
		mov	edx, ecx
		mov	[ebp+var_58], edx
		mov	esi, large fs:124h
		mov	[ebp+var_50], esi
		mov	ecx, esi
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)
		mov	[ebp+var_4C], eax
		xor	ebx, ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		xor	eax, eax
		lea	edi, [ebp+var_70]
		stosd
		stosd
		stosd
		mov	eax, [edx+8]
		mov	[ebp+var_54], eax
		mov	eax, [edx+18h]
		mov	[ebp+var_40], eax
		mov	eax, [edx+10h]
		mov	[ebp+var_38], eax
		mov	eax, [edx+14h]
		mov	[ebp+var_34], eax
		mov	eax, [edx+1Ch]
		mov	[ebp+var_1C], eax
		mov	ecx, [edx+24h]
		mov	[ebp+var_3C], ecx
		mov	eax, [edx+28h]
		mov	[ebp+var_2C], eax
		mov	edi, [edx+2Ch]
		mov	[ebp+var_44], edi
		mov	eax, [edx+30h]
		mov	[ebp+var_48], eax
		mov	eax, [edx+3Ch]
		mov	[ebp+var_24], eax
		mov	edx, ecx
		mov	ecx, esi
		call	PsSetPagePriorityThread
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:124h
		mov	[ebp+var_5C], eax
		mov	dword ptr [eax+2D4h], 7
		xor	esi, esi
		inc	esi
		cmp	[edi], ebx
		jl	short loc_5068F3
		mov	[edi], ebx
		mov	ecx, [ebp+var_1C]
		mov	[edi+4], ecx
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [ebp+var_2C]
		test	byte ptr [eax+6], 5
		jnz	loc_5D7DEF
		push	40000020h
		push	ebx
		push	ebx
		push	esi
		push	ebx
		push	eax
		call	MmMapLockedPagesSpecifyCache
		mov	ecx, [ebp+var_1C]

loc_5068C9:				; CODE XREF: CcCompleteAsyncRead+D15EAj
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	loc_5D7DF7
		push	[ebp+var_34]	; int
		push	[ebp+var_38]	; int
		push	[ebp+var_24]	; int
		push	[ebp+var_3C]	; int
		lea	edx, [ebp+var_28]
		push	edx		; int
		push	eax		; void *
		push	esi		; int
		mov	edx, ecx
		mov	ecx, [ebp+var_40]
		call	CcMapAndCopyFromCache

loc_5068F0:				; CODE XREF: CcCompleteAsyncRead+D15F5j
		mov	[ebp+ms_exc.disabled], ebx

loc_5068F3:				; CODE XREF: CcCompleteAsyncRead+95j
					; sub_5D7E0E+13j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_50690F
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CcCompleteAsyncRead endp


;  S U B	R O U T	I N E 


sub_50690F	proc near		; CODE XREF: CcCompleteAsyncRead+F2p
					; .text:005D7E2Bj

; FUNCTION CHUNK AT 005D7E30 SIZE 00000050 BYTES

		mov	ecx, [ebp-24h]
		test	ecx, ecx
		jnz	loc_5069B7

loc_50691A:				; CODE XREF: sub_50690F+ADj
		cmp	dword ptr [ebp-28h], 0
		jnz	loc_5D7E30

loc_506924:				; CODE XREF: sub_50690F+D153Bj
		mov	eax, [ebp-48h]
		test	eax, eax
		jz	short loc_506936
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_506936
		push	dword ptr [eax+4]
		call	ecx

loc_506936:				; CODE XREF: sub_50690F+1Aj
					; sub_50690F+20j
		mov	eax, large fs:124h
		mov	[ebp-60h], eax
		mov	[eax+2D4h], ebx
		mov	edx, [ebp-4Ch]
		mov	ecx, [ebp-50h]
		call	PsSetPagePriorityThread
		mov	edi, [ebp-54h]
		lock dec dword ptr [edi+170h]
		mov	eax, [ebp-58h]
		mov	ecx, [eax+4Ch]
		mov	[ebp-64h], ecx
		cmp	ecx, [edi+174h]
		jnz	loc_5D7E6C
		add	ecx, 40h
		lea	edx, [ebp-70h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	ecx
		mov	ecx, edi
		call	CcDecrementOpenCount
		test	ds:byte_70EFC6,	1
		jnz	loc_5D7E4F
		mov	eax, [ebp-70h]
		test	eax, eax
		jnz	short loc_5069C1
		mov	edx, [ebp-6Ch]
		lea	eax, [ebp-70h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-70h]
		cmp	eax, ecx
		jnz	loc_5D7E5F

loc_5069AD:				; CODE XREF: sub_50690F+BBj
					; sub_50690F+D154Bj
		mov	cl, [ebp-68h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		retn
; 

loc_5069B7:				; CODE XREF: sub_50690F+5j
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		jmp	loc_50691A
; 

loc_5069C1:				; CODE XREF: sub_50690F+85j
					; sub_50690F+D1558j
		mov	[ebp-70h], ebx
		add	eax, 4
		lock xor [eax],	esi
		jmp	short loc_5069AD
sub_50690F	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2634. WmiTraceMessage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _WmiTraceMessage
_WmiTraceMessage proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		lea	eax, [ebp+arg_14]
		mov	ecx, [ebp+arg_8]
		push	0
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	EtwpTraceMessageVa
		pop	ebp
		retn
_WmiTraceMessage endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeImageHeaderPage proc near	; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+6F3p

var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 005D7E80 SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	byte ptr [ebp+var_1], 0
		push	80000000h
		lea	edx, [ebp+var_1]
		mov	ebx, ecx
		call	MiMapPageInHyperSpaceWorker
		mov	esi, eax
		mov	ecx, 1000h
		sub	ecx, edi
		push	ecx		; size_t
		push	0		; int
		lea	ecx, [esi+edi]
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		mov	dl, 2
		mov	ecx, esi
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		test	edi, 1FFh
		jnz	loc_5D7E80

loc_506A46:				; CODE XREF: MiInitializeImageHeaderPage+D14BFj
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiInitializeImageHeaderPage endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmWaitMultipleForCacheManagerPrefetch proc near	; CODE XREF: CcAsyncReadWorker+DAp
					; CcAsyncReadWorkerThread(x)+157p

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D7EB8 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_78], edx
		cmp	[ebp+arg_0], 0
		lea	edi, [ebp+var_14]
		stosd
		mov	ebx, edx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_94], edx
		stosd
		stosd
		stosd
		jz	short loc_506A92
		lea	ebx, [edx+1]
		mov	[ebp+var_94], ebx

loc_506A92:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+33j
		xor	edi, edi
		cmp	edx, 3
		ja	loc_506C1E
		mov	esi, edi

loc_506A9F:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+1E2j
		test	esi, esi
		jnz	loc_506C3B
		lea	eax, [ebp+var_74]
		mov	[ebp+var_90], eax
		lea	esi, [ebp+var_14]
		cmp	edx, 3
		ja	loc_5D7EB8

loc_506ABC:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+FFj
					; MmWaitMultipleForCacheManagerPrefetch+1F0j ...
		mov	ebx, edi
		test	edx, edx
		jz	short loc_506B29
		mov	eax, esi
		sub	ecx, esi
		mov	[ebp+var_8C], eax
		mov	[ebp+var_98], ecx

loc_506AD2:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+D3j
		mov	ecx, [ecx+eax]
		mov	[ebp+var_7C], edi

loc_506AD8:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+1C5j
		mov	eax, [ecx]
		mov	[ebp+var_88], eax
		mov	eax, [ecx+44h]
		cmp	eax, [ecx+40h]
		jz	loc_506C08
		lea	eax, [ecx+48h]

loc_506AEF:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+1AEj
		mov	eax, [eax]
		cmp	[eax+14h], edi
		jnz	loc_506BA0
		add	eax, 10h
		mov	[ebp+var_7C], eax
		jz	loc_506C0B

loc_506B06:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+1BFj
		test	eax, eax
		jz	short loc_506B77
		mov	eax, [ebp+var_8C]
		inc	ebx
		mov	ecx, [ebp+var_7C]
		mov	[eax], ecx
		add	eax, 4
		mov	ecx, [ebp+var_98]
		mov	[ebp+var_8C], eax
		cmp	ebx, edx
		jb	short loc_506AD2

loc_506B29:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+6Cj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_506B34
		mov	[esi+ebx*4], eax
		inc	ebx

loc_506B34:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+DAj
		push	[ebp+var_90]
		push	edi
		push	edi
		push	edi
		push	12h
		push	1
		push	esi
		push	ebx
		call	KeWaitForMultipleObjects
		mov	edx, [ebp+var_78]
		lea	ecx, [ebx-1]
		cmp	eax, ecx
		mov	ecx, [ebp+var_80]
		jnz	loc_506ABC
		cmp	[ebp+arg_0], 0
		jz	loc_5D7EC3
		lea	eax, [ebp+var_14]
		cmp	esi, eax
		jnz	loc_506C55

loc_506B6E:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+208j
		mov	eax, [ebp+var_94]
		dec	eax
		jmp	short loc_506B8F
; 

loc_506B77:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+B4j
		mov	ecx, [ebp+var_80]
		mov	ecx, [ecx+ebx*4]
		call	_MmWaitForCacheManagerPrefetch@4 ; MmWaitForCacheManagerPrefetch(x)
		lea	eax, [ebp+var_14]
		cmp	esi, eax
		jnz	loc_506C49

loc_506B8D:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+1FCj
		mov	eax, ebx

loc_506B8F:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+121j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_506BA0:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+A0j
		lea	edx, [ecx+48h]
		cmp	[eax+4], edx
		jnz	loc_506C61
		mov	edx, [eax]
		mov	[ebp+var_84], edx
		cmp	[edx+4], eax
		jnz	loc_506C61
		mov	edi, [ebp+var_84]
		mov	[ecx+48h], edx
		lea	edx, [ecx+48h]
		push	0
		mov	[edi+4], edx
		mov	edi, [ecx+4Ch]
		mov	[ebp+var_84], edi
		cmp	[edi], edx
		pop	edi
		jnz	loc_506C61
		lea	edx, [ecx+48h]
		mov	[eax], edx
		mov	edx, [ebp+var_84]
		mov	[eax+4], edx
		mov	[edx], eax
		mov	edx, [ebp+var_78]
		mov	[ecx+4Ch], eax
		inc	dword ptr [ecx+44h]
		mov	eax, [ecx+44h]
		cmp	eax, [ecx+40h]
		lea	eax, [ecx+48h]
		jnz	loc_506AEF

loc_506C08:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+92j
		mov	eax, [ebp+var_7C]

loc_506C0B:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+ACj
		mov	ecx, [ebp+var_88]
		test	ecx, ecx
		jz	loc_506B06
		jmp	loc_506AD8
; 

loc_506C1E:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+43j
		imul	ecx, ebx, 1Ch
		mov	edx, 6157694Dh
		push	edi
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, [ebp+var_78]
		mov	esi, eax
		mov	ecx, [ebp+var_80]
		jmp	loc_506A9F
; 

loc_506C3B:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+4Dj
		lea	eax, [esi+ebx*4]
		mov	[ebp+var_90], eax
		jmp	loc_506ABC
; 

loc_506C49:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+133j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_506B8D
; 

loc_506C55:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+114j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_506B6E
; 

loc_506C61:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+152j
					; MmWaitMultipleForCacheManagerPrefetch+163j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
MmWaitMultipleForCacheManagerPrefetch endp ; AL	= character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmGrowKernelStackEx proc near		; CODE XREF: KiSwitchKernelStackAndCallout(x,x,x,x)+A0p
					; KiExpandKernelStackAndCalloutSwitchStack+10ED24p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D7ECB SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	[ebp+var_8], esi
		mov	eax, [esi+20h]
		mov	ecx, [eax+4]
		mov	eax, [esi+28h]
		and	ecx, 0FFFFFFFEh
		sub	eax, ecx
		cmp	eax, 0F000h
		jb	loc_5D7ECB
		mov	cl, 2
		xor	ebx, ebx
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		mov	ecx, offset loc_7FFFF8
		lea	eax, [esi+24h]
		mov	edx, 40000000h
		mov	esi, [ebp+arg_0]
		sub	esi, [ebp+arg_4]
		mov	edi, [eax]
		shr	edi, 9
		shr	esi, 9
		and	edi, ecx
		and	esi, ecx
		mov	[ebp+var_C], eax
		sub	edi, edx
		sub	esi, edx
		cmp	esi, edi
		jnb	short loc_506D3E
		mov	eax, [ebp+var_8]
		mov	eax, [eax+20h]
		mov	eax, [eax+4]
		shr	eax, 9
		and	eax, ecx
		sub	eax, edx
		cmp	esi, eax
		jb	loc_5D7ED5
		sub	edi, esi
		mov	ecx, offset _MiSystemPartition
		sub	edi, 8
		sar	edi, 3
		inc	edi
		push	ebx
		mov	edx, edi
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jz	short loc_506D50
		mov	eax, [ebp+var_8]
		mov	ecx, [eax+28h]
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000008h
		call	_MI_GET_NODE_FROM_VALID_PTE@4 ;	MI_GET_NODE_FROM_VALID_PTE(x)
		push	2
		push	eax
		mov	eax, [ebp+var_8]
		mov	edx, esi
		or	eax, 1
		mov	ecx, offset _MiSystemPartition
		push	eax
		push	edi
		call	MiAllocateKernelStackPages
		test	eax, eax
		jz	loc_5D7EE5
		mov	ecx, [ebp+var_C]
		shl	esi, 9
		mov	[ecx], esi

loc_506D3E:				; CODE XREF: MmGrowKernelStackEx+63j
					; MmGrowKernelStackEx+EFj ...
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, ebx

loc_506D49:				; CODE XREF: MmGrowKernelStackEx+D126Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_506D50:				; CODE XREF: MmGrowKernelStackEx+95j
		mov	ebx, 0C0000017h
		jmp	short loc_506D3E
MmGrowKernelStackEx endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MI_GET_NODE_FROM_VALID_PTE(x)
_MI_GET_NODE_FROM_VALID_PTE@4 proc near	; CODE XREF: MmGrowKernelStackEx+ACp
		mov	edx, [ecx]
		nop
		mov	eax, [ecx+4]
		nop
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		mov	ecx, edx
		call	MiSearchNumaNodeTable
		mov	eax, [eax+4]
		retn
_MI_GET_NODE_FROM_VALID_PTE@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1104. KeAttachProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeAttachProcess
KeAttachProcess	proc near		; CODE XREF: KiCompleteKernelInit+1Ep
					; PopGracefulShutdown(x)+1F5p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D7F08 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, [esi+80h]
		cmp	ecx, edi
		jz	short loc_506DF2
		mov	dl, [esi+16Ah]
		push	ebx
		mov	ebx, 10001h
		test	dl, dl
		jnz	loc_5D7F08
		mov	eax, large fs:235Ch
		test	eax, ebx
		jnz	loc_5D7F08
		test	dword ptr [edi+64h], 400h
		jnz	loc_5D7F08
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_4], 0
		lea	ebx, [esi+2Ch]
		mov	byte ptr [ebp+arg_0], al

loc_506DD5:				; CODE XREF: KeAttachProcess+8Cj
		lock bts dword ptr [ebx], 0
		jb	short loc_506DF8
		lea	eax, [esi+174h]
		mov	edx, edi
		push	eax
		push	0
		push	[ebp+arg_0]
		mov	ecx, esi
		call	KiAttachProcess
		pop	ebx

loc_506DF2:				; CODE XREF: KeAttachProcess+1Aj
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_506DF8:				; CODE XREF: KeAttachProcess+60j
					; KeAttachProcess+8Aj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_506DF8
		jmp	short loc_506DD5
KeAttachProcess	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 572. FsRtlIsNtstatusExpected

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlIsNtstatusExpected(x)
		public _FsRtlIsNtstatusExpected@4
_FsRtlIsNtstatusExpected@4 proc	near	; CODE XREF: sub_5AAF89+Dp
					; sub_5B0E55+16p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, 0C0000094h
		cmp	eax, ecx
		jle	short loc_506E41
		cmp	eax, 0C0000096h
		jz	short loc_506E74
		cmp	eax, 0C00000AAh
		jz	short loc_506E74
		cmp	eax, 0C0000409h
		jz	short loc_506E74
		cmp	eax, 0C0000420h

loc_506E39:				; CODE XREF: FsRtlIsNtstatusExpected(x)+64j
		jz	short loc_506E74

loc_506E3B:				; CODE XREF: FsRtlIsNtstatusExpected(x)+3Aj
					; FsRtlIsNtstatusExpected(x)+56j
		mov	al, 1

loc_506E3D:				; CODE XREF: FsRtlIsNtstatusExpected(x)+68j
		pop	ebp
		retn	4
; 

loc_506E41:				; CODE XREF: FsRtlIsNtstatusExpected(x)+Fj
		jz	short loc_506E74
		cmp	eax, 80000001h
		jl	short loc_506E3B
		cmp	eax, 80000003h
		jle	short loc_506E74
		cmp	eax, 0C0000005h
		jz	short loc_506E74
		cmp	eax, 0C000001Dh
		jz	short loc_506E74
		cmp	eax, 0C0000045h
		jle	short loc_506E3B
		cmp	eax, 0C0000047h
		jle	short loc_506E74
		cmp	eax, 0C000008Ch
		jmp	short loc_506E39
; 

loc_506E74:				; CODE XREF: FsRtlIsNtstatusExpected(x)+16j
					; FsRtlIsNtstatusExpected(x)+1Dj ...
		xor	al, al
		jmp	short loc_506E3D
_FsRtlIsNtstatusExpected@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	SMKM_STORE<struct SM_TRAITS>::SmStGetStoreStats(struct SMKM_STORE<struct SM_TRAITS> *, enum  _ST_STATS_LEVEL, struct _ST_STATS *, unsigned long	*)
?SmStGetStoreStats@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU1@W4_ST_STATS_LEVEL@@PAU_ST_STATS@@PAK@Z proc near
					; CODE XREF: SmpProcessQueryStoreStats(x,x)+5Dp
					; SmProcessCompressionInfoRequest+21Dp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	edx, edx
		pop	ebp
		jmp	ST_STORE_SM_TRAITS___StGetStatsWorker
?SmStGetStoreStats@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU1@W4_ST_STATS_LEVEL@@PAU_ST_STATS@@PAK@Z endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StGetStatsWorker proc near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStGetStoreStats(SMKM_STORE<SM_TRAITS> *,_ST_STATS_LEVEL,_ST_STATS	*,ulong	*)+8j
					; ST_STORE<SM_TRAITS>::StGetStats(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+77p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D7F29 SIZE 0000019D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		mov	ecx, [ebp+arg_4]
		xor	ebx, ebx
		mov	[ebp+var_8], esi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		mov	eax, [ecx]
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], ebx
		push	edi
		cmp	edx, 4
		jge	loc_5D7F1F
		mov	eax, edx
		sub	eax, ebx
		jnz	loc_5D7F29
		mov	ebx, 0BCh

loc_506EC4:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D111Fj
		mov	edi, [ebp+arg_0]

loc_506EC7:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D10B8j
					; ST_STORE_SM_TRAITS___StGetStatsWorker+D10FDj	...
		cmp	[ebp+var_10], ebx
		jb	loc_5D7FAA
		mov	byte ptr [edi],	0Bh
		mov	eax, edx
		shl	eax, 8
		xor	eax, [edi]
		and	eax, 0F00h
		xor	[edi], eax
		mov	ecx, [esi]
		mov	eax, [edi]
		shl	ecx, 0Ch
		xor	ecx, eax
		and	ecx, 0F000h
		xor	ecx, eax
		mov	[edi], ecx
		mov	eax, [esi]
		shl	eax, 8
		xor	eax, ecx
		and	eax, 10000h
		xor	eax, ecx
		mov	[edi], eax
		mov	ecx, [esi]
		shl	ecx, 7
		xor	ecx, eax
		and	ecx, 20000h
		xor	ecx, eax
		mov	[edi], ecx
		mov	edx, [esi+9B4h]
		shl	edx, 15h
		xor	edx, ecx
		and	edx, 3FFC0000h
		xor	edx, ecx
		mov	[edi], edx
		mov	eax, [esi+1E4h]
		shl	eax, 0Ch
		xor	eax, edx
		mov	[edi+4], ebx
		and	eax, 40000000h
		xor	eax, edx
		mov	[edi], eax
		mov	ax, [esi+99Ch]
		mov	[edi+8], ax
		mov	eax, [esi+8]
		mov	[edi+0Ch], eax
		mov	eax, [esi+6ACh]
		add	eax, [esi+21Ch]
		mov	[edi+10h], eax
		mov	eax, [esi+0Ch]
		mov	[edi+14h], eax
		lea	eax, [esi+38h]
		push	50h		; size_t
		mov	dword ptr [edi+18h], 10h
		add	edi, 1Ch
		push	0		; int
		push	edi		; void *
		mov	[ebp+var_18], eax
		call	_memset
		mov	eax, [esi+21Ch]
		add	esp, 0Ch
		mov	[edi], eax
		mov	eax, [esi+3Ch]
		mov	[edi+4], eax
		mov	eax, [esi+60h]
		add	esi, 214h
		push	esi
		mov	[edi+8], eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	ecx, [esi]
		mov	esi, [ebp+var_8]
		sub	ecx, eax
		mov	[edi+0Ch], ecx
		add	edi, 14h
		movzx	edx, byte ptr [esi+1E4h]
		lea	ecx, [esi+46Ch]
		neg	edx
		sbb	edx, edx
		and	edx, 0FFFFFFF9h
		add	edx, 8

loc_506FC8:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+155j
		mov	eax, [ecx-4]
		mov	[edi-4], eax
		mov	eax, [ecx]
		lea	ecx, [ecx+8]
		mov	[edi], eax
		lea	edi, [edi+8]
		sub	edx, 1
		jnz	short loc_506FC8
		mov	edi, [ebp+arg_0]
		lea	eax, [esi+4C8h]
		push	50h		; size_t
		push	edx		; int
		add	edi, 6Ch
		mov	[ebp+var_1C], eax
		push	edi		; void *
		call	_memset
		mov	eax, [esi+6ACh]
		add	esp, 0Ch
		mov	[edi], eax
		mov	eax, [esi+4CCh]
		add	esi, 6A4h
		mov	[edi+4], eax
		push	esi
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	ecx, [esi]
		mov	esi, [ebp+var_8]
		sub	ecx, eax
		mov	[edi+0Ch], ecx
		add	edi, 14h
		movzx	ecx, byte ptr [esi+674h]
		lea	edx, [esi+8FCh]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 0FFFFFFF9h
		add	ecx, 8

loc_507039:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+1C6j
		mov	eax, [edx-4]
		mov	[edi-4], eax
		mov	eax, [edx]
		lea	edx, [edx+8]
		mov	[edi], eax
		lea	edi, [edi+8]
		sub	ecx, 1
		jnz	short loc_507039
		cmp	[ebp+var_4], ecx
		jnz	loc_5D7FB6

loc_507057:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D1161j
					; ST_STORE_SM_TRAITS___StGetStatsWorker+D11C2j	...
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		xor	eax, eax

loc_50705E:				; CODE XREF: KeAttachProcess+D11AAj
					; ST_STORE_SM_TRAITS___StGetStatsWorker+D112Bj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
ST_STORE_SM_TRAITS___StGetStatsWorker endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PpmParkCompleteMakeup()
_PpmParkCompleteMakeup@0 proc near	; CODE XREF: PpmCheckMakeupSkippedChecks:loc_48F74Cp
		mov	edi, edi
		push	esi
		mov	esi, _PpmParkNumNodes
		xor	edx, edx
		test	esi, esi
		jz	short loc_507097
		mov	eax, edx

loc_507077:				; CODE XREF: PpmParkCompleteMakeup()+2Fj
		imul	ecx, eax, 0D0h
		add	ecx, _PpmParkNodes
		inc	edx
		mov	eax, [ecx+40h]
		mov	[ecx+48h], eax
		mov	eax, [ecx+44h]
		mov	[ecx+4Ch], eax
		movzx	eax, dx
		cmp	eax, esi
		jb	short loc_507077

loc_507097:				; CODE XREF: PpmParkCompleteMakeup()+Dj
		pop	esi
		retn
_PpmParkCompleteMakeup@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiReleasePageFileSectionInfo(x)
_MiReleasePageFileSectionInfo@4	proc near
					; CODE XREF: MiBuildReservationCluster(x,x,x,x)+7BFp
					; MiReservePageFileSpace+310p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_5070B5

loc_5070A6:				; CODE XREF: MiReleasePageFileSectionInfo(x)+23j
		mov	ecx, [esi]
		xor	edx, edx
		call	_MiDecrementModifiedWriteCount@8 ; MiDecrementModifiedWriteCount(x,x)
		test	eax, eax
		jnz	short loc_5070BF
		pop	esi
		retn
; 

loc_5070B5:				; CODE XREF: MiReleasePageFileSectionInfo(x)+Aj
		mov	dl, [esi+10h]
		call	MiUnlockProtoPoolPage
		jmp	short loc_5070A6
; 

loc_5070BF:				; CODE XREF: MiReleasePageFileSectionInfo(x)+17j
		mov	ecx, eax
		pop	esi
		jmp	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)
_MiReleasePageFileSectionInfo@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetSchedulingGroupCycleNotification(x, x,	x, x)
_KeSetSchedulingGroupCycleNotification@16 proc near ; CODE XREF: sub_759647+30Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_18], edx
		xor	ebx, ebx
		mov	[ebp+var_10], esi
		push	edi
		lea	edi, [esi+20h]
		mov	[ebp+var_14], edi
		mov	[edi], ebx
		mov	[edi+4], ebx
		cmp	[ebp+arg_4], ebx
		ja	short loc_5070F6
		cmp	[ebp+arg_0], ebx
		jbe	loc_50717B

loc_5070F6:				; CODE XREF: KeSetSchedulingGroupCycleNotification(x,x,x,x)+23j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, ds:_KeNumberProcessors
		mov	[ebp+var_1], al
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	short loc_50714C
		lea	edi, [esi+80h]

loc_507112:				; CODE XREF: KeSetSchedulingGroupCycleNotification(x,x,x,x)+7Cj
		mov	esi, ds:_KiProcessorBlock[ebx*4]
		add	esi, 2224h
		and	[ebp+var_8], 0

loc_507123:				; CODE XREF: KeSetSchedulingGroupCycleNotification(x,x,x,x)+C8j
		lock bts dword ptr [esi], 0
		jb	short loc_507182
		mov	eax, [edi]
		mov	[edi+28h], eax
		mov	eax, [edi+4]
		mov	[edi+2Ch], eax
		xor	eax, eax
		lock and [esi],	eax
		inc	ebx
		add	edi, 100h
		cmp	ebx, [ebp+var_C]
		jb	short loc_507112
		mov	esi, [ebp+var_10]
		mov	edi, [ebp+var_14]

loc_50714C:				; CODE XREF: KeSetSchedulingGroupCycleNotification(x,x,x,x)+42j
		mov	eax, [ebp+var_18]
		mov	[esi+40h], eax

loc_507152:				; CODE XREF: KeSetSchedulingGroupCycleNotification(x,x,x,x)+A3j
					; KeSetSchedulingGroupCycleNotification(x,x,x,x)+A8j
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_18], ecx
		mov	ecx, [ebp+arg_4]
		nop
		mov	ebx, [ebp+arg_0]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_507152
		cmp	edx, [ebp+var_18]
		jnz	short loc_507152
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_50717B:				; CODE XREF: KeSetSchedulingGroupCycleNotification(x,x,x,x)+28j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_507182:				; CODE XREF: KeSetSchedulingGroupCycleNotification(x,x,x,x)+60j
					; KeSetSchedulingGroupCycleNotification(x,x,x,x)+C6j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_507182
		jmp	short loc_507123
_KeSetSchedulingGroupCycleNotification@16 endp

; 
		align 8
; Exported entry 890. IoInitializeIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IoInitializeIrp(void *,__int16,char)
		public IoInitializeIrp
IoInitializeIrp	proc near		; CODE XREF: IoInitializeIrpEx(x,x,x,x)+10p
					; IopAllocateBackpocketIrp(x,x,x)+BDp ...

arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005D80C6 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	byte ptr _MmVerifierData, 10h
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		jnz	loc_5D80C6

loc_5071B0:				; CODE XREF: IoInitializeIrp+D0F39j
		mov	si, [ebp+arg_4]
		movzx	eax, si
		push	eax		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	cl, [ebp+arg_8]
		add	esp, 0Ch
		mov	[edi+2], si
		mov	[edi+22h], cl
		push	6
		pop	eax
		mov	[edi], ax
		lea	eax, [ecx+1]
		mov	[edi+23h], al
		mov	eax, large fs:124h
		mov	al, [eax+16Ah]
		mov	[edi+26h], al
		lea	eax, [edi+10h]
		mov	[eax+4], eax
		mov	[eax], eax
		movsx	eax, cl
		imul	eax, 24h
		add	eax, 70h
		add	eax, edi
		mov	[edi+60h], eax
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	0Ch
IoInitializeIrp	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipBuildTraceDeviceList proc near	; CODE XREF: WmiTraceRundownNotify(x,x,x)+2Dp
					; WmiSetNetworkNotify(x)+20p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D80D6 SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_18], edx
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset _WmipSMMutex
		mov	[ebp+var_8], ecx
		mov	edi, esi
		call	KeWaitForSingleObject
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	ecx, offset _WmipRegistrationSpinLock
		mov	[ebp+var_1], bl
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, _WmipInUseRegEntryCount
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_5D80D6
		push	70696D57h
		shl	eax, 3
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_14], edi
		test	edi, edi
		jz	loc_5D80DD
		mov	edx, _WmipInUseRegEntryHead
		mov	ebx, edi
		cmp	edx, offset _WmipInUseRegEntryHead
		jz	short loc_5072B0

loc_50727E:				; CODE XREF: WmipBuildTraceDeviceList+A5j
		mov	eax, [edx+18h]
		mov	ecx, eax
		mov	edi, [ebp+var_C]
		sar	ecx, 4
		and	ecx, 0F00000h
		test	[ebp+var_8], ecx
		mov	[ebp+var_10], ecx
		setnz	cl
		bt	eax, 1Eh
		setb	al
		test	cl, al
		jnz	short loc_5072F9

loc_5072A3:				; CODE XREF: WmipBuildTraceDeviceList+F7j
					; WmipBuildTraceDeviceList+FBj	...
		mov	edx, [edx]
		cmp	edx, offset _WmipInUseRegEntryHead
		jnz	short loc_50727E
		mov	edi, [ebp+var_14]

loc_5072B0:				; CODE XREF: WmipBuildTraceDeviceList+76j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _WmipRegistrationSpinLock
		jnz	loc_5D8115
		xor	eax, eax
		lock and [ecx],	eax

loc_5072C7:				; CODE XREF: WmipBuildTraceDeviceList+D0F17j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		test	esi, esi
		jz	loc_5D8122
		mov	eax, [ebp+var_18]
		mov	[eax], edi
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	esi, esi

loc_5072F0:				; CODE XREF: WmipBuildTraceDeviceList+D0F23j
					; WmipBuildTraceDeviceList+D0F32j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_5072F9:				; CODE XREF: WmipBuildTraceDeviceList+9Bj
		cmp	dword ptr [edx+8], 0
		jz	short loc_5072A3
		cmp	esi, edi
		jnb	short loc_5072A3
		lea	eax, [edx+18h]
		lock inc dword ptr [eax]
		mov	eax, [ebp+var_10]
		mov	[ebx], edx
		mov	[ebx+4], eax
		add	ebx, 8
		inc	esi
		jmp	short loc_5072A3
WmipBuildTraceDeviceList endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcScanDpc(x, x, x, x)
_CcScanDpc@16	proc near		; DATA XREF: CcInitializePartition+168o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	4
		pop	edx
		call	CcNotifyWriteBehindInternal
		pop	ebp
		retn	10h
_CcScanDpc@16	endp


;  S U B	R O U T	I N E 


CcNotifyWriteBehindInternal proc near	; CODE XREF: CcScheduleLazyWriteScan(x,x,x)+7Bp
					; CcScanDpc(x,x,x,x)+Bp ...

; FUNCTION CHUNK AT 005D813D SIZE 00000039 BYTES

		cmp	_CcInitializationComplete, 0
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		jz	short loc_507372
		push	edi
		xor	edi, edi
		test	bl, 1
		jnz	loc_5D813D

loc_507347:				; CODE XREF: CcNotifyWriteBehindInternal+D0E1Fj
		test	bl, 2
		jnz	short loc_507375

loc_50734C:				; CODE XREF: CcNotifyWriteBehindInternal+57j
		test	bl, 4
		jz	short loc_50735F
		push	edi
		push	edi
		lea	eax, [esi+114h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_50735F:				; CODE XREF: CcNotifyWriteBehindInternal+23j
		test	bl, 8
		jnz	loc_5D8150

loc_507368:				; CODE XREF: CcNotifyWriteBehindInternal+D0E32j
		test	bl, 10h
		jnz	loc_5D8163

loc_507371:				; CODE XREF: CcNotifyWriteBehindInternal+D0E45j
		pop	edi

loc_507372:				; CODE XREF: CcNotifyWriteBehindInternal+Dj
		pop	esi
		pop	ebx
		retn
; 

loc_507375:				; CODE XREF: CcNotifyWriteBehindInternal+1Ej
		push	edi
		push	edi
		lea	eax, [esi+104h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_50734C
CcNotifyWriteBehindInternal endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KeSetQuantumProcess(x, x)
_KeSetQuantumProcess@8 proc near	; CODE XREF: KeSetPriorityAndQuantumProcess+262p
					; PsChangeQuantumTable+C6p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		cmp	[esi+69h], bl
		jnz	short loc_507396
		pop	esi
		pop	ebx
		retn
; 

loc_507396:				; CODE XREF: KeSetQuantumProcess(x,x)+Bj
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [esi+34h]
		mov	bh, al
		push	edi
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	[esi+69h], bl
		add	esi, 2Ch
		mov	ecx, [esi]
		jmp	short loc_5073B7
; 

loc_5073B2:				; CODE XREF: KeSetQuantumProcess(x,x)+33j
		mov	[ecx-41h], bl
		mov	ecx, [ecx]

loc_5073B7:				; CODE XREF: KeSetQuantumProcess(x,x)+2Aj
		cmp	ecx, esi
		jnz	short loc_5073B2
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	edi
		pop	esi
		mov	cl, bh
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_KeSetQuantumProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpOplockBreakToII proc near		; CODE XREF: FsRtlCheckOplockEx2+573p
					; FsRtlCheckUpperOplock+9C27Cp

var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

; FUNCTION CHUNK AT 005D8176 SIZE 00000175 BYTES

		push	20h
		push	offset dword_6A40F8
		call	__SEH_prolog4
		mov	[ebp+var_20], ecx
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		stosd
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	edi, ecx
		mov	eax, [edi+48h]
		test	al, 40h
		jnz	loc_5D8176

loc_5073F9:				; CODE XREF: FsRtlpOplockBreakToII+D0DAFj
					; FsRtlpOplockBreakToII+D0DC8j	...
		mov	[ebp+var_1C], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	nullsub_2
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	30h
FsRtlpOplockBreakToII endp

; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild proc near
					; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+126p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D82F3 SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_1C], 0
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [edx+0Ch]
		mov	[ebp+var_4], eax
		mov	eax, [edx]
		push	edi
		mov	[ebp+var_C], edx
		mov	[ebp+var_10], ecx
		lea	eax, [eax+esi*8]
		lea	esi, [eax-8]
		mov	[ebp+var_14], eax
		mov	edi, [esi]
		movzx	eax, byte ptr [edi+2]
		movzx	edx, byte ptr [edi+3]
		push	eax
		call	?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@@@PAU1@KK@Z ; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_507513
		mov	[ebp+var_20], ebx
		lea	edx, [edi+8]
		mov	eax, [edi]
		mov	ecx, eax
		shr	ecx, 1
		and	ecx, 7FFFh
		cmp	byte ptr [edi+3], 0
		mov	[ebp+var_18], ecx
		lea	edx, [edx+ecx*8]
		jz	loc_5D82F3
		test	al, 1
		jz	short loc_507494
		lea	eax, [edx+8]
		cmp	eax, [esi+4]
		jnb	short loc_507494
		inc	ecx
		mov	edx, eax
		mov	[ebp+var_18], ecx

loc_507494:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+66j
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+6Ej
		mov	eax, [edx]
		and	[ebp+var_8], 0

loc_50749A:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+D0EDEj
		mov	[ebp+var_24], eax
		movzx	esi, word ptr [edi]
		sub	esi, ecx
		cmp	byte ptr [edi+3], 0
		lea	ecx, [ebx+8]
		jz	loc_5D8301
		mov	eax, [edi+4]
		mov	[ebx+4], eax
		mov	eax, esi
		shl	eax, 3
		push	eax		; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcpy

loc_5074C2:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+D0F00j
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		mov	[ebx], si
		cmp	[eax], edi
		jz	short loc_50751B
		mov	esi, [ebp+var_C]
		lea	ecx, [ebp+var_24]
		push	ecx
		mov	edx, esi
		mov	ecx, eax
		dec	dword ptr [esi+0Ch]
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx
		inc	dword ptr [esi+0Ch]
		test	eax, eax
		js	loc_507582

loc_5074ED:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+15Fj
		cmp	byte ptr [edi+3], 0
		mov	eax, [ebp+var_18]
		mov	[edi], ax
		jz	short loc_5074FC
		mov	[edi+4], ebx

loc_5074FC:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+D9j
		mov	[ebp+var_1C], ebx
		xor	ebx, ebx
		xor	esi, esi

loc_507503:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+167j
		test	ebx, ebx
		jnz	loc_5D8323

loc_50750B:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+D0F0Dj
		test	esi, esi
		jnz	loc_5D8330

loc_507513:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+3Cj
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+D0F1Aj
		mov	eax, [ebp+var_1C]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_50751B:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+AFj
		movzx	eax, byte ptr [edi+2]
		xor	edx, edx
		inc	eax
		push	eax
		call	?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@@@PAU1@KK@Z ; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	short loc_507582
		mov	[ecx+4], edi
		lea	esi, [ecx+8]
		mov	eax, [ebp+var_24]
		mov	[esi], eax
		mov	eax, [ebp+var_20]
		mov	[esi+4], eax
		xor	eax, eax
		inc	eax
		mov	[ecx], ax
		mov	eax, [ebp+var_10]
		mov	[eax], ecx
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_14]
		mov	eax, [eax+10h]
		lea	eax, ds:0FFFFFFF8h[eax*8]
		push	eax		; size_t
		lea	eax, [ecx-8]
		push	eax		; void *
		push	ecx		; void *
		call	_memmove
		mov	edx, [ebp+var_14]
		add	esp, 0Ch
		mov	eax, [ebp+var_4]
		mov	[edx-8], eax
		mov	eax, [ebp+var_C]
		mov	[edx-4], esi
		inc	dword ptr [eax+0Ch]
		jmp	loc_5074ED
; 

loc_507582:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+C9j
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+111j
		mov	esi, [ebp+var_4]
		jmp	loc_507503
B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static struct	B_TREE_HEADER<union _SM_PAGE_KEY, struct SMKM_STORE_MGR<struct SM_TRAITS>::SMKM_FRONTEND_ENTRY>::NODE *	__stdcall B_TREE<union _SM_PAGE_KEY, struct SMKM_STORE_MGR<struct SM_TRAITS>::SMKM_FRONTEND_ENTRY, 4096, struct	B_TREE_DUMMY_NODE_POOL,	struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::BTreeNewNode(struct B_TREE<union _SM_PAGE_KEY, struct SMKM_STORE_MGR<struct SM_TRAITS>::SMKM_FRONTEND_ENTRY,	4096, struct B_TREE_DUMMY_NODE_POOL, struct B_TREE_KEY_COMPARATOR<union	_SM_PAGE_KEY>> *, unsigned long, unsigned long)
?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@@@PAU1@KK@Z proc near
					; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+183p
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+33p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	74426D73h
		mov	edi, 1000h
		mov	ebx, edx
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_5075C4
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	cl, [ebp+arg_0]
		add	esp, 0Ch
		mov	[esi+2], cl
		mov	[esi+3], bl

loc_5075C4:				; CODE XREF: B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNewNode(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,ulong,ulong)+23j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
?BTreeNewNode@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@@@PAU1@KK@Z endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIoPagesInRun(x, x)
_MiIoPagesInRun@8 proc near		; CODE XREF: .text:0047FD77p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		xor	edi, edi

loc_5075DD:				; CODE XREF: MiIoPagesInRun(x,x)+24j
		cmp	esi, dword_6D07B0
		jbe	short loc_5075FB

loc_5075E5:				; CODE XREF: MiIoPagesInRun(x,x)+44j
		inc	edi
		sub	ebx, 1
		jz	short loc_5075F4
		inc	esi
		test	esi, 1FFh
		jnz	short loc_5075DD

loc_5075F4:				; CODE XREF: MiIoPagesInRun(x,x)+1Bj
					; MiIoPagesInRun(x,x)+46j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5075FB:				; CODE XREF: MiIoPagesInRun(x,x)+15j
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_5075E5
		jmp	short loc_5075F4
_MiIoPagesInRun@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringCbCopyNExW proc near		; CODE XREF: _CmGetDeviceRegPropWorker+2EFp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D833D SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		mov	ebx, ecx
		push	edi
		mov	edi, eax
		mov	[ebp+var_4], eax
		shr	edi, 1
		mov	ecx, 0C000000Dh
		mov	esi, edi
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFFF3h
		add	esi, ecx
		test	edi, edi
		jz	short loc_50767E
		mov	eax, [ebp+arg_4]
		shr	eax, 1
		cmp	eax, 7FFFFFFFh
		jnb	loc_5D833D
		xor	esi, esi
		test	edi, edi
		jz	loc_5D8351
		push	eax
		push	[ebp+arg_0]
		lea	eax, [ebp+arg_0]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	sub_507688
		mov	esi, eax
		test	esi, esi
		js	loc_5D8378

loc_507676:				; CODE XREF: RtlStringCbCopyNExW+D0D2Bj
					; RtlStringCbCopyNExW+D0D36j ...
		test	esi, esi
		js	loc_5D8378

loc_50767E:				; CODE XREF: RtlStringCbCopyNExW+29j
					; RtlStringCbCopyNExW+D0D3Dj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
RtlStringCbCopyNExW endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_507688	proc near		; CODE XREF: RtlStringCbCopyNExW+51p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	esi
		test	edx, edx
		jz	short loc_5076E1
		mov	esi, [ebp+arg_4]
		push	ebx
		push	edi
		mov	edi, [ebp+arg_8]
		sub	esi, ecx

loc_50769E:				; CODE XREF: sub_507688+2Ej
		test	edi, edi
		jz	short loc_5076B8
		movzx	ebx, word ptr [esi+ecx]
		test	bx, bx
		jz	short loc_5076B8
		mov	[ecx], bx
		add	ecx, 2
		dec	edi
		inc	eax
		sub	edx, 1
		jnz	short loc_50769E

loc_5076B8:				; CODE XREF: sub_507688+18j
					; sub_507688+21j
		pop	edi
		pop	ebx
		test	edx, edx
		jz	short loc_5076E1

loc_5076BE:				; CODE XREF: sub_507688+5Dj
		neg	edx
		sbb	edx, edx
		xor	esi, esi
		mov	[ecx], si
		and	edx, 7FFFFFFBh
		mov	ecx, [ebp+arg_0]
		pop	esi
		test	ecx, ecx
		jz	short loc_5076D7
		mov	[ecx], eax

loc_5076D7:				; CODE XREF: sub_507688+4Bj
		lea	eax, [edx-7FFFFFFBh]
		pop	ebp
		retn	0Ch
; 

loc_5076E1:				; CODE XREF: sub_507688+Aj
					; sub_507688+34j
		sub	ecx, 2
		dec	eax
		jmp	short loc_5076BE
sub_507688	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiStoreWriteModifiedCompleteApc(x, x, x, x,	x)
_MiStoreWriteModifiedCompleteApc@20 proc near
					; DATA XREF: MiStoreModifiedWriteDereference(x)+2Eo

arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_C]
		push	0
		mov	ecx, [eax]
		lea	eax, [ecx+8]
		push	eax
		push	ecx
		call	MiWriteComplete
		pop	ecx
		pop	ebp
		retn	14h
_MiStoreWriteModifiedCompleteApc@20 endp


;  S U B	R O U T	I N E 


; __stdcall MiIsWorkingSetTrimThread()
_MiIsWorkingSetTrimThread@0 proc near	; CODE XREF: .text:004B00E4p
					; MiFlushAllFilesystemPages(x)+2Cp ...
		mov	eax, large fs:124h
		mov	eax, [eax+2DCh]
		cmp	eax, offset KeBalanceSetManager
		jz	short loc_507721
		cmp	eax, offset _MiPartitionWorkingSetManager@4 ; MiPartitionWorkingSetManager(x)
		jz	short loc_507721
		xor	eax, eax
		retn
; 

loc_507721:				; CODE XREF: MiIsWorkingSetTrimThread()+11j
					; MiIsWorkingSetTrimThread()+18j
		xor	eax, eax
		inc	eax
		retn
_MiIsWorkingSetTrimThread@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1810. PsGetProcessSequenceNumber

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessSequenceNumber(x)
		public _PsGetProcessSequenceNumber@4
_PsGetProcessSequenceNumber@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [edx+3E8h]
		mov	edx, [edx+3ECh]
		pop	ebp
		retn	4
_PsGetProcessSequenceNumber@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIntSteerUpdateDeviceInterruptMask(x, x, x)
_KiIntSteerUpdateDeviceInterruptMask@12	proc near
					; CODE XREF: KiIntSteerDistributeInterrupts()+8Ep
					; KiIntSteerDistributeInterrupts()+C7p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_6		= word ptr -6
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		and	[ebp+var_4], eax
		and	[ebp+var_10], 0
		mov	[ebp+var_6], ax
		mov	ax, [ecx+4]
		mov	[ebp+var_8], ax
		mov	eax, [ecx]
		push	esi
		mov	esi, edx
		mov	[ebp+var_C], eax

loc_507767:				; CODE XREF: KiIntSteerUpdateDeviceInterruptMask(x,x,x)+4Fj
					; KiIntSteerUpdateDeviceInterruptMask(x,x,x)+65j ...
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5077A9
		mov	ecx, [ebp+var_4]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		test	esi, esi
		jnz	short loc_5077AE
		inc	dword ptr [eax+21D8h]
		cmp	dword ptr [eax+21D8h], 1
		jnz	short loc_507767
		movzx	ecx, byte ptr [eax+3C4h]
		mov	eax, [eax+338h]
		add	eax, 50h
		lock btr [eax],	ecx
		jmp	short loc_507767
; 

loc_5077A9:				; CODE XREF: KiIntSteerUpdateDeviceInterruptMask(x,x,x)+34j
		pop	esi
		leave
		retn	4
; 

loc_5077AE:				; CODE XREF: KiIntSteerUpdateDeviceInterruptMask(x,x,x)+40j
		cmp	esi, 1
		jnz	short loc_507767
		sub	[eax+21D8h], esi
		jnz	short loc_507767
		movzx	ecx, byte ptr [eax+3C4h]
		mov	eax, [eax+338h]
		add	eax, 50h
		lock bts [eax],	ecx
		jmp	short loc_507767
_KiIntSteerUpdateDeviceInterruptMask@12	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 804. IoCsqInitialize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCsqInitialize(x, x, x, x,	x, x, x)
		public _IoCsqInitialize@28
_IoCsqInitialize@28 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		and	dword ptr [ecx+1Ch], 0
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_C]
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+arg_10]
		mov	[ecx+10h], eax
		mov	eax, [ebp+arg_14]
		mov	[ecx+14h], eax
		mov	eax, [ebp+arg_18]
		mov	[ecx+18h], eax
		xor	eax, eax
		mov	dword ptr [ecx], 2
		pop	ebp
		retn	1Ch
_IoCsqInitialize@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetFileVolumeNameInformation	proc near
					; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+281p

var_228		= dword	ptr -228h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D8394 SIZE 0000000C BYTES
; FUNCTION CHUNK AT 005D83BA SIZE 0000000C BYTES

		push	21Ch
		push	offset dword_6A4118
		call	__SEH_prolog4_GS
		mov	ebx, edx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_228], eax
		and	[ebp+var_220], 0
		mov	esi, [ebp+arg_4]
		add	esi, 0FFFFFFFCh
		mov	edi, esi
		lea	eax, [ebp+var_220]
		push	eax
		push	200h
		lea	eax, [ebp+var_21C]
		push	eax
		push	ecx
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		test	eax, eax
		js	loc_5D8394
		movzx	eax, word ptr [ebp+var_21C]
		cmp	esi, eax
		jb	short loc_5078B8
		mov	esi, eax

loc_507869:				; CODE XREF: IopGetFileVolumeNameInformation+A9j
		mov	[ebp+ms_exc.disabled], 1
		cmp	edi, eax
		sbb	edi, edi
		and	edi, 80000005h
		mov	ecx, [ebp+var_228]
		mov	[ecx], eax
		push	esi		; size_t
		push	[ebp+var_218]	; void *
		lea	eax, [ecx+4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebx], edi
		lea	eax, [esi+4]
		mov	[ebx+4], eax

loc_50789D:				; CODE XREF: sub_5D83D7+9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edi

loc_5078A6:				; CODE XREF: IopGetFileVolumeNameInformation+D0BAFj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_5078B8:				; CODE XREF: IopGetFileVolumeNameInformation+53j
		and	esi, 0FFFFFFFEh
		jmp	short loc_507869
IopGetFileVolumeNameInformation	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PsEnforceExecutionLimits()
_PsEnforceExecutionLimits@0 proc near	; CODE XREF: KeBalanceSetManager+88p
		mov	eax, _PspJobTimeLimitsRequest
		or	eax, dword_6BEE44
		jz	short locret_5078DE
		mov	eax, _PspJobTimeLimitsCount
		test	eax, eax
		jz	short locret_5078DE
		sub	eax, 1
		mov	_PspJobTimeLimitsCount,	eax
		jz	short loc_5078DF

locret_5078DE:				; CODE XREF: PsEnforceExecutionLimits()+Bj
					; PsEnforceExecutionLimits()+14j ...
		retn
; 

loc_5078DF:				; CODE XREF: PsEnforceExecutionLimits()+1Ej
		push	esi
		push	5
		pop	esi
		mov	edx, offset _PspJobTimeLimitsWorkItemFlags
		mov	eax, [edx]

loc_5078EA:				; CODE XREF: PsEnforceExecutionLimits()+34j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_5078EA
		pop	esi
		test	al, 4
		jnz	short locret_5078DE
		push	1
		push	offset _PspJobTimeLimitsWorkItem
		call	ExQueueWorkItem
		retn
_PsEnforceExecutionLimits@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmAdjustWorkingSetSizeEx proc near	; CODE XREF: MmAdjustWorkingSetSize(x,x,x,x)+1Dp
					; SmKmVirtualLockContextIncreaseWsMin(x,x,x)+B3p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D83E5 SIZE 000001C2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_18], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_24]
		mov	ebx, ecx
		stosd
		xor	ecx, ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], ecx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_C]
		xor	edi, edi
		mov	[eax], cl
		mov	eax, [ebp+arg_0]
		mov	ecx, large fs:124h
		sub	eax, edi
		jnz	loc_5D83E5
		mov	edi, [ecx+80h]
		lea	esi, [edi+240h]

loc_507953:				; CODE XREF: MmAdjustWorkingSetSizeEx+D0AFAj
					; MmAdjustWorkingSetSizeEx+D0B0Dj
		cmp	ebx, 0FFFFFFFFh
		jz	loc_507BF2

loc_50795C:				; CODE XREF: MmAdjustWorkingSetSizeEx+2EFj
		mov	al, [esi+60h]
		lea	ecx, [esi+80h]
		and	al, 7
		mov	[ebp+var_8], ecx
		cmp	al, 2
		jz	loc_5D8422
		mov	eax, ecx
		mov	[ebp+var_8], ecx

loc_507977:				; CODE XREF: MmAdjustWorkingSetSizeEx+D0B21j
		push	eax
		mov	[ebp+var_14], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_1], al
		mov	eax, offset unk_6D3C40
		and	dword ptr [ecx+4], 0
		mov	cl, [esi+60h]
		and	cl, 7
		cmp	cl, 2
		jz	short loc_50799D
		mov	eax, [ebp+var_8]

loc_50799D:				; CODE XREF: MmAdjustWorkingSetSizeEx+92j
		and	[ebp+var_30], 0
		add	eax, 40h
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_2C], eax
		jnz	loc_5D842C
		lea	edx, [ebp+var_30]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_507C0C

loc_5079C1:				; CODE XREF: MmAdjustWorkingSetSizeEx+30Ej
					; MmAdjustWorkingSetSizeEx+D0B30j
		cmp	[ebp+arg_0], 0
		jnz	short loc_5079D4
		test	byte ptr [edi+0FCh], 20h
		jnz	loc_5D843B

loc_5079D4:				; CODE XREF: MmAdjustWorkingSetSizeEx+BFj
		test	ebx, ebx
		jz	loc_5D8447
		shr	ebx, 0Ch

loc_5079DF:				; CODE XREF: MmAdjustWorkingSetSizeEx+D0B44j
		mov	eax, [ebp+var_18]
		mov	[ebp+var_C], ebx
		test	eax, eax
		jz	loc_5D844F
		shr	eax, 0Ch

loc_5079F0:				; CODE XREF: MmAdjustWorkingSetSizeEx+D0B4Cj
		push	0
		push	[ebp+arg_8]
		mov	[ebp+var_10], eax
		lea	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		mov	ecx, esi
		push	eax
		call	MiCheckWsLimits
		mov	ecx, eax
		mov	[ebp+var_8], eax
		mov	eax, 0C0000000h
		and	ecx, eax
		cmp	ecx, eax
		jz	loc_507AF9
		mov	eax, [ebp+var_C]
		mov	ecx, [esi+3Ch]
		mov	edx, [esi+0Ch]
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], eax
		cmp	eax, ecx
		ja	loc_507B8E
		mov	ebx, ecx
		sub	ebx, eax
		cmp	eax, [edx+14h]
		jb	loc_5D848D

loc_507A3E:				; CODE XREF: MmAdjustWorkingSetSizeEx+2E7j
		mov	eax, [ebp+var_10]
		mov	[ebp+arg_4], eax
		cmp	eax, [esi+40h]
		jb	loc_507B3A

loc_507A4D:				; CODE XREF: MmAdjustWorkingSetSizeEx+24Bj
		mov	eax, [ebp+arg_C]
		cmp	byte ptr [eax],	0
		jnz	short loc_507A5D
		test	ebx, ebx
		jnz	loc_5D84EC

loc_507A5D:				; CODE XREF: MmAdjustWorkingSetSizeEx+14Dj
					; MmAdjustWorkingSetSizeEx+D0C1Ej ...
		mov	eax, [ebp+arg_4]
		mov	ebx, [ebp+arg_8]
		mov	[esi+50h], eax
		mov	eax, [ebp+var_14]
		mov	[esi+3Ch], eax
		test	ebx, ebx
		jz	loc_507AF9
		xor	edi, edi
		mov	eax, offset dword_6D3540
		and	[ebp+var_24], edi
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_20], eax
		jnz	loc_5D8538
		lea	edx, [ebp+var_24]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_5D8547

loc_507A9B:				; CODE XREF: MmAdjustWorkingSetSizeEx+D0C3Cj
					; MmAdjustWorkingSetSizeEx+D0C49j
		mov	eax, [esi+60h]
		mov	[ebp+arg_4], eax
		test	bl, 4
		jnz	loc_5D8554
		xor	ecx, ecx
		test	bl, 8
		jnz	loc_507B56
		inc	ecx

loc_507AB6:				; CODE XREF: MmAdjustWorkingSetSizeEx+258j
		test	bl, cl
		jz	loc_507B63
		or	al, 40h
		mov	byte ptr [ebp+arg_4], al

loc_507AC3:				; CODE XREF: MmAdjustWorkingSetSizeEx+26Bj
		mov	ax, word ptr [ebp+arg_4]
		mov	[esi+60h], ax

loc_507ACB:				; CODE XREF: MmAdjustWorkingSetSizeEx+271j
		test	ds:byte_70EFC6,	cl
		jnz	loc_5D855D
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_5D8578
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jnz	loc_5D856D

loc_507AF9:				; CODE XREF: MmAdjustWorkingSetSizeEx+10Ej
					; MmAdjustWorkingSetSizeEx+168j ...
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5D858A
		mov	eax, [ebp+var_30]
		test	eax, eax
		jnz	short loc_507B7C
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_30]
		cmp	eax, ecx
		jnz	loc_5D859A

loc_507B26:				; CODE XREF: MmAdjustWorkingSetSizeEx+286j
					; MmAdjustWorkingSetSizeEx+D0C8Fj
		mov	dl, [ebp+var_1]
		mov	ecx, esi
		call	MiUnlockWorkingSetExclusive
		mov	eax, [ebp+var_8]

loc_507B33:				; CODE XREF: MmAdjustWorkingSetSizeEx+301j
					; MmAdjustWorkingSetSizeEx+D0B17j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_507B3A:				; CODE XREF: MmAdjustWorkingSetSizeEx+141j
		mov	eax, [edx+14h]
		add	eax, 6
		cmp	eax, [ebp+arg_4]
		jnb	loc_5D8499
		mov	al, [esi+63h]
		or	al, 10h
		mov	[esi+63h], al
		jmp	loc_507A4D
; 

loc_507B56:				; CODE XREF: MmAdjustWorkingSetSizeEx+1A9j
		and	al, 7Fh

loc_507B58:				; CODE XREF: MmAdjustWorkingSetSizeEx+D0C52j
		inc	ecx
		mov	byte ptr [ebp+arg_4], al
		mov	edi, ecx
		jmp	loc_507AB6
; 

loc_507B63:				; CODE XREF: MmAdjustWorkingSetSizeEx+1B2j
		test	bl, 2
		jz	short loc_507B6F
		and	al, 0BFh
		mov	edi, ecx
		mov	byte ptr [ebp+arg_4], al

loc_507B6F:				; CODE XREF: MmAdjustWorkingSetSizeEx+260j
		test	edi, edi
		jnz	loc_507AC3
		jmp	loc_507ACB
; 

loc_507B7C:				; CODE XREF: MmAdjustWorkingSetSizeEx+207j
					; MmAdjustWorkingSetSizeEx+D0C9Cj
		xor	ecx, ecx
		mov	[ebp+var_30], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	short loc_507B26
; 

loc_507B8E:				; CODE XREF: MmAdjustWorkingSetSizeEx+125j
		mov	ebx, eax
		mov	eax, [ebp+arg_C]
		sub	ebx, ecx
		cmp	byte ptr [ebp+arg_4], 0
		mov	byte ptr [eax],	1
		jz	loc_5D8457
		cmp	[ebp+arg_0], 0
		jnz	short loc_507BD1
		cmp	edi, ds:_PsInitialSystemProcess
		jz	short loc_507C19
		mov	ecx, [edi+188h]
		mov	edx, edi
		push	ebx
		push	3
		call	@PspChargeQuota@16 ; PspChargeQuota(x,x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_507AF9
		mov	eax, [ebp+var_C]
		mov	[ebp+var_14], eax

loc_507BD1:				; CODE XREF: MmAdjustWorkingSetSizeEx+2A0j
					; MmAdjustWorkingSetSizeEx+317j
		push	200h
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jz	loc_5D8463
		mov	edx, [ebp+var_18]
		jmp	loc_507A3E
; 

loc_507BF2:				; CODE XREF: MmAdjustWorkingSetSizeEx+50j
		cmp	edx, 0FFFFFFFFh
		jnz	loc_50795C
		push	edx
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	_MiEmptyWorkingSetInitiate@16 ;	MiEmptyWorkingSetInitiate(x,x,x,x)
		jmp	loc_507B33
; 

loc_507C0C:				; CODE XREF: MmAdjustWorkingSetSizeEx+B5j
		lea	ecx, [ebp+var_30]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_5079C1
; 

loc_507C19:				; CODE XREF: MmAdjustWorkingSetSizeEx+2A8j
		and	[ebp+var_8], 0
		jmp	short loc_507BD1
MmAdjustWorkingSetSizeEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckWsLimits	proc near		; CODE XREF: MmAdjustWorkingSetSizeEx+FBp
					; MmCreateProcessAddressSpace+176BFEp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D85A7 SIZE 00000081 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, edx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edx, [eax]
		xor	edi, edi
		mov	[ebp+var_4], ecx
		mov	ecx, 40000002h
		mov	esi, [esi]
		mov	[ebp+var_8], eax
		cmp	edx, esi
		ja	loc_5D85A7

loc_507C4B:				; CODE XREF: MiCheckWsLimits+D0992j
		mov	eax, ds:_MiMaximumWorkingSet
		cmp	esi, eax
		ja	loc_5D85B7

loc_507C58:				; CODE XREF: MiCheckWsLimits+D099Bj
		cmp	edx, eax
		ja	loc_5D85C0

loc_507C60:				; CODE XREF: MiCheckWsLimits+D09A4j
		push	14h
		pop	ecx
		cmp	edx, ecx
		jb	loc_5D85C9

loc_507C6B:				; CODE XREF: MiCheckWsLimits+D09B2j
					; MiCheckWsLimits+D09BAj
		mov	eax, [ebp+var_4]
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	short loc_507C78
		mov	ecx, [eax+14h]

loc_507C78:				; CODE XREF: MiCheckWsLimits+53j
		lea	eax, [ecx+6]
		and	ebx, 1
		cmp	eax, esi
		jnb	loc_5D85DF

loc_507C86:				; CODE XREF: MiCheckWsLimits+D09CBj
		mov	eax, [ebp+arg_4]
		test	al, 4
		jnz	short loc_507C9B
		mov	ecx, [ebp+var_4]
		mov	cl, [ecx+60h]
		test	cl, cl
		js	short loc_507CDA

loc_507C97:				; CODE XREF: MiCheckWsLimits+BEj
		test	al, 1
		jz	short loc_507CC9

loc_507C9B:				; CODE XREF: MiCheckWsLimits+6Bj
					; MiCheckWsLimits+B8j ...
		lea	eax, [edx+6]
		cmp	eax, esi
		jnb	loc_5D85F0

loc_507CA6:				; CODE XREF: MiCheckWsLimits+D09DCj
		mov	eax, [ebp+var_4]
		mov	al, [eax+60h]
		and	al, 7
		cmp	al, 2
		jnb	loc_5D8601

loc_507CB6:				; CODE XREF: MiCheckWsLimits+B6j
					; MiCheckWsLimits+D09E8j ...
		mov	eax, [ebp+var_8]
		mov	[eax], edx
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		mov	eax, edi

loc_507CC2:				; CODE XREF: MiCheckWsLimits+D0A03j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_507CC9:				; CODE XREF: MiCheckWsLimits+79j
		shr	cl, 6
		test	al, 2
		setz	al
		and	cl, al
		test	cl, 1
		jz	short loc_507CB6
		jmp	short loc_507C9B
; 

loc_507CDA:				; CODE XREF: MiCheckWsLimits+75j
		test	al, 8
		jz	short loc_507C9B
		jmp	short loc_507C97
MiCheckWsLimits	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeVaRangeNoAccess(x, x,	x, x, x, x)
_MiMakeVaRangeNoAccess@24 proc near	; CODE XREF: .text:004513B6p

var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_BC		= dword	ptr -0BCh
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A1		= byte ptr -0A1h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_A8], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_C]
		mov	esi, edx
		push	98h		; size_t
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_A0]
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_AC], ebx
		call	_memset
		mov	edi, [ebx+1Ch]
		mov	ecx, offset loc_500000
		mov	eax, edi
		add	esp, 0Ch
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_507E77
		mov	edx, edi
		shr	edx, 12h
		and	edx, 3
		mov	ebx, ds:_MiVadPageSizes[edx*4]
		cmp	ebx, 1
		jz	loc_507E77
		mov	ecx, [ebp+var_AC]
		mov	eax, 300000h
		and	edi, eax
		sub	edi, eax
		neg	edi
		sbb	edi, edi
		inc	edi
		call	_MiGetVadPtesInCluster@4 ; MiGetVadPtesInCluster(x)
		mov	[ebp+var_B0], eax
		mov	eax, ds:_MiVadPageIndices[edx*4]
		test	eax, eax
		jnz	short loc_507D95
		xor	edx, edx
		inc	edx
		sub	edx, eax
		jz	short loc_507D95
		mov	ecx, [ebp+var_A8]
		push	esi
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)
		jmp	short loc_507DA8
; 

loc_507D95:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+9Ej
					; MiMakeVaRangeNoAccess(x,x,x,x,x,x)+A5j
		mov	ecx, [ebp+var_A8]
		mov	edx, esi
		push	0
		push	ebx
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_507DA8:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+B3j
		mov	ebx, [esi]
		nop
		mov	eax, [esi+4]
		nop
		shrd	ebx, eax, 0Ch
		xor	edx, edx
		and	ebx, 1FFFFFFh
		mov	[ebp+var_A8], edx
		imul	eax, ebx, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_B4], eax
		cmp	[ebp+var_B0], edx
		jbe	loc_507E60

loc_507DDC:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+178j
		test	edi, edi
		jz	short loc_507E25
		mov	ecx, [esi]
		nop
		and	ecx, 42h
		or	ecx, 0
		jz	short loc_507E25
		mov	eax, 0C0000000h
		mov	edx, esi
		cmp	esi, eax
		jb	short loc_507E05

loc_507DF6:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+123j
		cmp	edx, 0C07FFFFFh
		ja	short loc_507E05
		shl	edx, 9
		cmp	edx, eax
		jnb	short loc_507DF6

loc_507E05:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+114j
					; MiMakeVaRangeNoAccess(x,x,x,x,x,x)+11Cj
		mov	ecx, large fs:124h
		push	[ebp+var_AC]
		mov	ecx, [ecx+80h]
		call	_MiCaptureWriteWatchDirtyBit@12	; MiCaptureWriteWatchDirtyBit(x,x,x)
		mov	edx, [ebp+var_A8]
		xor	edi, edi

loc_507E25:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+FEj
					; MiMakeVaRangeNoAccess(x,x,x,x,x,x)+109j
		push	18h
		lea	ecx, [ebx+edx]
		pop	edx
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	[ebp+var_C8], eax
		mov	[ebp+var_C4], edx
		mov	[esi], eax
		nop
		mov	[esi+4], edx
		add	esi, 8
		mov	edx, [ebp+var_A8]
		inc	edx
		mov	[ebp+var_A8], edx
		cmp	edx, [ebp+var_B0]
		jb	short loc_507DDC
		mov	eax, [ebp+var_B4]

loc_507E60:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+F6j
		mov	ecx, [ebp+var_AC]
		mov	edx, eax
		push	18h
		call	_MiUpdatePfnProtection@12 ; MiUpdatePfnProtection(x,x,x)
		xor	eax, eax
		inc	eax
		jmp	loc_508012
; 

loc_507E77:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+58j
					; MiMakeVaRangeNoAccess(x,x,x,x,x,x)+70j
		mov	eax, large fs:124h
		xor	ebx, ebx
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_A1], bl
		mov	ecx, [eax+80h]
		mov	eax, esi
		add	ecx, 240h
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], ebx
		xor	eax, edi
		mov	[ebp+var_A8], ecx
		mov	ebx, esi
		mov	ecx, 0FFFFF000h
		shl	ebx, 9
		mov	[ebp+var_A0], 1
		mov	[ebp+var_9C], 4
		mov	[ebp+var_98], 21h
		test	eax, ecx
		jz	short loc_507EDF
		mov	edi, esi
		and	edi, ecx
		add	edi, 0FF8h

loc_507EDF:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+1F3j
		cmp	esi, edi
		ja	loc_508010

loc_507EE7:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+30Ej
		mov	ecx, [esi]
		mov	[ebp+var_B4], ecx
		nop
		mov	edx, [esi+4]
		mov	eax, ecx
		and	eax, 1
		mov	[ebp+var_B0], edx
		or	eax, 0
		jz	loc_507FF4
		mov	eax, [ebp+var_AC]
		mov	eax, [eax+1Ch]
		and	al, 70h
		cmp	al, 40h
		jnz	short loc_507F32
		mov	ecx, esi
		call	_MiRotatedToFrameBuffer@4 ; MiRotatedToFrameBuffer(x)
		cmp	eax, 1
		jz	loc_507FF4
		mov	ecx, [ebp+var_B4]
		mov	edx, [ebp+var_B0]

loc_507F32:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+234j
		nop
		shrd	ecx, edx, 0Ch
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_507FF4
		mov	ecx, [ebp+var_A8]
		mov	edx, ebx
		call	MiLocateWsle
		mov	al, [eax]
		and	al, 0Fh
		cmp	al, 8
		jnz	short loc_507F7E
		mov	eax, [ebp+var_BC]
		mov	dl, 1
		mov	[ebp+var_A1], dl
		mov	dword ptr [eax], 1
		jmp	short loc_507FA8
; 

loc_507F7E:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+286j
		push	0
		push	1
		mov	edx, ebx
		lea	ecx, [ebp+var_A0]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	dl, [ebp+var_A1]
		cmp	dl, 1
		jz	short loc_507FA8
		mov	eax, [ebp+var_94]
		cmp	eax, [ebp+var_98]
		jnz	short loc_507FE3

loc_507FA8:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+29Cj
					; MiMakeVaRangeNoAccess(x,x,x,x,x,x)+2B8j
		cmp	[ebp+var_94], 0
		jz	short loc_507FCA
		mov	ecx, [ebp+var_A8]
		lea	edx, [ebp+var_A0]
		push	0
		call	MiFreeWsleList
		mov	dl, [ebp+var_A1]

loc_507FCA:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+2CFj
		cmp	dl, 1
		jnz	short loc_507FE3
		mov	ecx, [ebp+var_A8]
		mov	edx, ebx
		call	_MiUnlockVa@8	; MiUnlockVa(x,x)
		mov	[ebp+var_A1], 0

loc_507FE3:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+2C6j
					; MiMakeVaRangeNoAccess(x,x,x,x,x,x)+2EDj
		add	esi, 8
		add	ebx, 1000h
		cmp	esi, edi
		jbe	loc_507EE7

loc_507FF4:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+221j
					; MiMakeVaRangeNoAccess(x,x,x,x,x,x)+240j ...
		cmp	[ebp+var_94], 0
		jz	short loc_508010
		mov	ecx, [ebp+var_A8]
		lea	edx, [ebp+var_A0]
		push	0
		call	MiFreeWsleList

loc_508010:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+201j
					; MiMakeVaRangeNoAccess(x,x,x,x,x,x)+31Bj
		xor	eax, eax

loc_508012:				; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+192j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_MiMakeVaRangeNoAccess@24 endp

; 
		align 8
; Exported entry 2168. RtlInitializeGenericTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitializeGenericTable(x, x, x, x, x)
		public _RtlInitializeGenericTable@20
_RtlInitializeGenericTable@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		lea	eax, [ecx+4]
		mov	[ecx], edx
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+18h], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+1Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[ecx+20h], eax
		mov	eax, [ebp+arg_10]
		mov	[ecx+14h], edx
		mov	[ecx+10h], edx
		mov	[ecx+24h], eax
		pop	ebp
		retn	14h
_RtlInitializeGenericTable@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreatePteCopyList proc near		; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+278p
					; MiAddPagesToEnclave(x,x,x,x,x)+143p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D8628 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		mov	[esi], eax
		mov	[esi+0Ch], eax
		mov	eax, edx
		shr	eax, 1
		mov	word ptr [esi+8], 21h
		cmp	ecx, eax
		ja	short loc_5080A0
		lea	edx, [ecx+ecx]

loc_508083:				; CODE XREF: MiCreatePteCopyList+41j
		mov	[esi+4], edx

loc_508086:				; CODE XREF: MiCreatePteCopyList+D05CFj
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	[esi+0Ch], eax
		test	eax, eax
		jz	loc_5D8628

loc_50809B:				; CODE XREF: MiCreatePteCopyList+D05D5j
		pop	esi
		pop	ebp
		retn	4
; 

loc_5080A0:				; CODE XREF: MiCreatePteCopyList+1Cj
		and	edx, 0FFFFFFFEh
		jmp	short loc_508083
MiCreatePteCopyList endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWriteValidPteVolatile(x, x, x)
_MiWriteValidPteVolatile@12 proc near	; CODE XREF: .text:004592FAp
					; .text:0045CFCFp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx]
		mov	eax, edx
		mov	[ebp+var_8], ecx
		nop
		mov	esi, [ecx+4]
		and	edx, 1
		and	eax, 2
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], eax

loc_5080C8:				; CODE XREF: MiWriteValidPteVolatile(x,x,x)+61j
		mov	[ebp+var_4], esi
		mov	ebx, edi
		mov	ecx, esi
		test	edx, edx
		jz	short loc_5080D6
		or	ebx, 20h

loc_5080D6:				; CODE XREF: MiWriteValidPteVolatile(x,x,x)+2Bj
		test	eax, eax
		jnz	short loc_5080F8

loc_5080DA:				; CODE XREF: MiWriteValidPteVolatile(x,x,x)+55j
		mov	eax, edi
		mov	edx, esi
		nop
		mov	esi, [ebp+var_8]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_4]
		cmp	eax, edi
		jnz	short loc_5080FD
		cmp	edx, esi
		jnz	short loc_5080FD
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_5080F8:				; CODE XREF: MiWriteValidPteVolatile(x,x,x)+32j
		or	ebx, 42h
		jmp	short loc_5080DA
; 

loc_5080FD:				; CODE XREF: MiWriteValidPteVolatile(x,x,x)+45j
					; MiWriteValidPteVolatile(x,x,x)+49j
		mov	edi, eax
		mov	esi, edx
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_10]
		jmp	short loc_5080C8
_MiWriteValidPteVolatile@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 977. IoSetCompletionRoutineEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetCompletionRoutineEx(x,	x, x, x, x, x, x)
		public _IoSetCompletionRoutineEx@28
_IoSetCompletionRoutineEx@28 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= byte ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_14], 0
		push	ebx
		mov	bl, [ebp+arg_18]
		mov	bh, [ebp+arg_10]
		jz	short loc_50816F

loc_508120:				; CODE XREF: IoSetCompletionRoutineEx(x,x,x,x,x,x,x)+63j
					; IoSetCompletionRoutineEx(x,x,x,x,x,x,x)+67j
		push	73556F49h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_50817E
		mov	eax, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_C]
		mov	[ecx+4], eax
		mov	al, [ebp+arg_14]
		mov	[ecx+0Ch], al
		mov	eax, [ebp+arg_4]
		mov	[ecx+0Dh], bh
		mov	[ecx+0Eh], bl
		mov	eax, [eax+60h]
		mov	dword ptr [eax-8], offset IopUnloadSafeCompletion
		mov	[eax-4], ecx
		mov	byte ptr [eax-21h], 0E0h
		xor	eax, eax

loc_50816A:				; CODE XREF: IoSetCompletionRoutineEx(x,x,x,x,x,x,x)+6Ej
					; IoSetCompletionRoutineEx(x,x,x,x,x,x,x)+75j
		pop	ebx
		pop	ebp
		retn	1Ch
; 

loc_50816F:				; CODE XREF: IoSetCompletionRoutineEx(x,x,x,x,x,x,x)+10j
		test	bl, bl
		jnz	short loc_508120
		test	bh, bh
		jnz	short loc_508120
		mov	eax, 0C000000Dh
		jmp	short loc_50816A
; 

loc_50817E:				; CODE XREF: IoSetCompletionRoutineEx(x,x,x,x,x,x,x)+27j
		mov	eax, 0C000009Ah
		jmp	short loc_50816A
_IoSetCompletionRoutineEx@28 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1678. PoFxCompleteIdleCondition

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxCompleteIdleCondition
PoFxCompleteIdleCondition proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D863C SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		or	ebx, 0FFFFFFFFh
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, [esi+240h]
		mov	eax, [eax+edi*4]
		lock xadd [eax+54h], ebx
		dec	ebx
		jz	loc_5D863C

loc_5081B0:				; CODE XREF: PoFxCompleteIdleCondition+D04CDj
		test	ebx, ebx
		js	loc_5D865C
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
PoFxCompleteIdleCondition endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeRemoveQueueApc proc near		; CODE XREF: EtwpCancelPendingStackwalkApcs+DC197p
					; ExpCancelTimer+B4484p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+8]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	esi, 2Ch
		mov	bh, al
		and	[ebp+var_4], 0

loc_5081DD:				; CODE XREF: PoFxCompleteIdleCondition+D04F0j
		lock bts dword ptr [esi], 0
		jb	loc_5D866C
		mov	ecx, edi
		call	KiRemoveQueueApc
		mov	cl, bh
		mov	dword ptr [esi], 0
		mov	bl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
KeRemoveQueueApc endp


;  S U B	R O U T	I N E 


KiRemoveQueueApc proc near		; CODE XREF: KeRemoveQueueApc+2Ap
					; KiSchedulerApc+16C0C1p

; FUNCTION CHUNK AT 005D867F SIZE 00000064 BYTES

		mov	edx, ecx
		push	ebx
		mov	bl, [edx+2Eh]
		test	bl, bl
		jnz	loc_5D867F

loc_508214:				; CODE XREF: KiRemoveQueueApc+D04BAj
		mov	al, bl
		pop	ebx
		retn
KiRemoveQueueApc endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2057. RtlEnumerateGenericTableWithoutSplaying

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlEnumerateGenericTableWithoutSplaying
RtlEnumerateGenericTableWithoutSplaying	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_508230

loc_50822C:				; CODE XREF: RtlEnumerateGenericTableWithoutSplaying+37j
		pop	ebp
		retn	8
; 

loc_508230:				; CODE XREF: RtlEnumerateGenericTableWithoutSplaying+Cj
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ecx, [esi]
		test	ecx, ecx
		jnz	loc_5D86D0
		jmp	short loc_508242
; 

loc_508240:				; CODE XREF: RtlEnumerateGenericTableWithoutSplaying+29j
		mov	eax, ecx

loc_508242:				; CODE XREF: RtlEnumerateGenericTableWithoutSplaying+20j
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_508240

loc_508249:				; CODE XREF: KiRemoveQueueApc+D04D8j
		mov	[esi], eax

loc_50824B:				; CODE XREF: KiRemoveQueueApc+D04D2j
		lea	ecx, [eax+18h]
		neg	eax
		pop	esi
		sbb	eax, eax
		and	eax, ecx
		jmp	short loc_50822C
RtlEnumerateGenericTableWithoutSplaying	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspIsProcessReadyForRemoteThread proc near ; CODE XREF:	PspCreateThread+2B9p

var_35		= byte ptr -35h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 005D86E3 SIZE 0000003E BYTES
; FUNCTION CHUNK AT 005D8728 SIZE 00000016 BYTES

		push	28h
		push	offset dword_6A4160
		call	__SEH_prolog4_GS
		mov	esi, ecx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		cmp	ds:_PsNoRemoteThreadBeforeProcessInit, eax
		jnz	loc_5D86E3

loc_50827C:				; CODE XREF: PspIsProcessReadyForRemoteThread+D0493j
					; PspIsProcessReadyForRemoteThread+D049Ej
		mov	[ebp+var_35], 1

loc_508280:				; CODE XREF: PspIsProcessReadyForRemoteThread+D04E1j
		mov	al, [ebp+var_35]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PspIsProcessReadyForRemoteThread endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmIsStateSeparationEnabled()
_CmIsStateSeparationEnabled@0 proc near	; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x):loc_79F3F7p
					; KIsUnlockSettingEnabled+7Ap ...
		cmp	_CmStateSeparationEnabled, 0
		setnz	al
		retn
_CmIsStateSeparationEnabled@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AppModelFreeUnicodeString(x)
_AppModelFreeUnicodeString@4 proc near	; CODE XREF: KIsUnlockSettingEnabled+D0p
					; KIsUnlockSettingEnabled+D9p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_5082BF
		call	ExFreeHeapPool
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0

loc_5082BF:				; CODE XREF: AppModelFreeUnicodeString(x)+11j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_AppModelFreeUnicodeString@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2447. SeComputeAutoInheritByObjectType

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeComputeAutoInheritByObjectType(x,	x, x)
		public _SeComputeAutoInheritByObjectType@12
_SeComputeAutoInheritByObjectType@12 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_4], 0
		push	0
		push	eax
		push	[ebp+arg_8]
		call	SeComputeAutoInheritByObjectTypeEx
		mov	eax, [ebp+var_4]
		leave
		retn	0Ch
_SeComputeAutoInheritByObjectType@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExFreeSvmAsid	proc near		; CODE XREF: MmCleanProcessAddressSpace:loc_82923Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D873E SIZE 0000007B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+80h]
		mov	ebx, [edi+3ACh]
		test	ebx, ebx
		jnz	loc_5D873E

loc_508315:				; CODE XREF: ExFreeSvmAsid+D04B5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
ExFreeSvmAsid	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnStartTraceTimer proc near		; CODE XREF: PfSnBeginScenario+175p

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005D87B9 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		lea	eax, [esi+104h]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_5D87AF
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [esi+0B8h]
		mov	[ebp+var_1], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	byte ptr [esi+0BCh], 2
		jnz	short loc_5083BD
		mov	eax, [esi+94h]
		xor	edi, edi
		mov	ecx, [esi+90h]
		xor	edx, edx
		push	eax
		push	ecx
		lea	eax, [esi+98h]
		push	eax
		push	edi
		lea	ecx, [esi+68h]
		call	KiSetTimerEx
		test	al, al
		jnz	short loc_5083B6
		or	dword ptr [esi+0BCh], 1
		mov	esi, edi

loc_50838C:				; CODE XREF: PfSnStartTraceTimer+A1j
					; PfSnStartTraceTimer+A8j
		test	ds:byte_70EFC6,	1
		jnz	loc_5D87B9
		xor	eax, eax
		lock and [ebx],	eax

loc_50839E:				; CODE XREF: PfSnStartTraceTimer+D04A9j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx
		test	esi, esi
		jnz	loc_5D87C8

loc_5083B0:				; CODE XREF: ExFreeSvmAsid+D04C4j
					; PfSnStartTraceTimer+D04B6j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
; 

loc_5083B6:				; CODE XREF: PfSnStartTraceTimer+67j
		mov	edi, 0C00000E5h
		jmp	short loc_50838C
; 

loc_5083BD:				; CODE XREF: PfSnStartTraceTimer+41j
		mov	edi, 0C0000189h
		jmp	short loc_50838C
PfSnStartTraceTimer endp

; 

NtShutdownWorkerFactory:		; DATA XREF: .text:00580C40o
		push	24h
		push	offset dword_6A4180
		call	__SEH_prolog4
		xor	eax, eax
		lea	edi, [ebp-34h]
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-24h], al
		test	al, al
		jz	short loc_50841B
		and	dword ptr [ebp-4], 0
		test	byte ptr [ebp+0Ch], 3
		jnz	loc_5084D1
		mov	ecx, [ebp+0Ch]
		lea	edx, [ecx+4]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	loc_5D87D5
		cmp	edx, ecx
		jb	loc_5D87D5

loc_508414:				; CODE XREF: .text:005D87D8j
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_50841B:				; CODE XREF: .text:005083E9j
		mov	eax, ds:_ExpWorkerFactoryObjectType
		and	dword ptr [ebp-1Ch], 0
		push	0
		lea	ecx, [ebp-1Ch]
		push	ecx
		push	dword ptr [ebp-24h]
		push	eax
		push	20h
		push	dword ptr [ebp+8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_5084BD
		mov	esi, [ebp-1Ch]
		mov	ecx, esi
		call	_ExpShutdownWorkerFactory@4 ; ExpShutdownWorkerFactory(x)
		lea	ecx, [esi+30h]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, [esi+58h]
		xor	ebx, ebx
		inc	ebx
		mov	[ebp-4], ebx
		mov	eax, [ebp+0Ch]
		lock xadd [eax], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_508467:				; CODE XREF: .text:005D881Dj
		test	edi, edi
		js	short loc_5084B5
		lea	edx, [ebp-34h]
		mov	esi, [ebp-1Ch]
		mov	ecx, [esi+4]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		and	dword ptr [esi+58h], 0
		test	ds:byte_70EFC6,	1
		jnz	loc_5D8822
		mov	eax, [ebp-34h]
		test	eax, eax
		jnz	loc_5D883A
		mov	edx, [ebp-30h]
		lea	eax, [ebp-34h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-34h]
		cmp	eax, ecx
		jnz	loc_5D8832

loc_5084AC:				; CODE XREF: .text:005D882Dj
					; .text:005D8847j
		mov	cl, [ebp-2Ch]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5084B5:				; CODE XREF: .text:00508469j
		mov	ecx, [ebp-1Ch]
		call	ObfDereferenceObject

loc_5084BD:				; CODE XREF: .text:0050843Cj
		mov	eax, edi

loc_5084BF:				; CODE XREF: .text:005D87F8j
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_5084D1:				; CODE XREF: .text:005083F3j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dw 0CCCCh
		dd 0CCCCCCCCh
; Exported entry 1796. PsGetProcessDebugPort

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessDebugPort(x)
		public _PsGetProcessDebugPort@4
_PsGetProcessDebugPort@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+190h]
		pop	ebp
		retn	4
_PsGetProcessDebugPort@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCancelIrpsInCurrentThreadListSpecialApc proc	near
					; DATA XREF: IopCancelIrpsInThreadList(x,x)+36o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D884C SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax]
		xor	bh, bh
		mov	edi, large fs:124h
		mov	[ebp+var_4], esi
		mov	[ebp+arg_C], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	edi, 350h
		mov	bl, al
		mov	ecx, edi
		mov	[ebp+var_C], edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+arg_C]
		add	eax, 2CCh
		mov	[ebp+var_8], eax
		mov	edx, [eax]
		mov	[esi], bh
		mov	esi, [ebp+arg_0]
		and	dword ptr [esi+4Ch], 0
		cmp	eax, edx
		jz	loc_5D887F
		mov	edi, [ebp+var_4]

loc_508546:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+CEj
		movsx	ecx, byte ptr [edx+12h]
		movsx	eax, byte ptr [edx+13h]
		add	ecx, 2
		cmp	eax, ecx
		jge	short loc_5085B7
		mov	eax, [esi+34h]
		test	eax, eax
		jz	short loc_508561
		cmp	[edx+18h], eax
		jnz	short loc_508589

loc_508561:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+6Cj
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_50856D
		cmp	[edx+54h], eax
		jnz	short loc_508589

loc_50856D:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+78j
		mov	eax, [edx-8]
		test	eax, 402h
		jnz	short loc_508589
		test	al, 84h
		jnz	loc_5D884C
		test	byte ptr [edx+17h], 2
		jnz	loc_5D884C

loc_508589:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+71j
					; IopCancelIrpsInCurrentThreadListSpecialApc+7Dj ...
		cmp	byte ptr [esi+48h], 0
		jnz	short loc_5085B7
		mov	eax, [esi+34h]
		test	eax, eax
		jz	short loc_50859B
		cmp	[edx+18h], eax
		jnz	short loc_5085B7

loc_50859B:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+A6j
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_5085A7
		cmp	[edx+54h], eax
		jnz	short loc_5085B7

loc_5085A7:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+B2j
		test	byte ptr [edx-8], 2
		jnz	short loc_5085B7
		mov	byte ptr [edi],	1
		mov	dword ptr [esi+4Ch], 1

loc_5085B7:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+65j
					; IopCancelIrpsInCurrentThreadListSpecialApc+9Fj ...
		mov	edx, [edx]
		cmp	[ebp+var_8], edx
		jnz	short loc_508546
		test	ds:byte_70EFC6,	1
		mov	edi, [ebp+var_C]
		jnz	loc_5D8861
		xor	eax, eax
		lock and [edi],	eax

loc_5085D3:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+D037Dj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bh, bh
		jnz	loc_5D8870

loc_5085E3:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+D038Cj
					; IopCancelIrpsInCurrentThreadListSpecialApc+D03B3j
		push	0
		push	0
		lea	eax, [esi+38h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
IopCancelIrpsInCurrentThreadListSpecialApc endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStateDurationUpdate(x, x, x)
_RtlStateDurationUpdate@12 proc	near	; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+28Ap
					; PoEnergyContextUpdateComponentPower(x,x,x,x)+42Bp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		movzx	edx, dl
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], ebx
		mov	esi, [ebx+4]
		mov	eax, esi
		mov	ecx, [ebx]
		shr	eax, 1Fh
		cmp	eax, edx
		jz	short loc_50862B
		test	eax, eax
		jnz	short loc_508639

loc_50861D:				; CODE XREF: RtlStateDurationUpdate(x,x,x)+6Dj
		mov	ecx, [ebp+arg_0]
		and	esi, 7FFFFFFFh
		shl	edx, 1Fh
		or	esi, edx

loc_50862B:				; CODE XREF: RtlStateDurationUpdate(x,x,x)+1Fj
		mov	[ebx], ecx
		mov	eax, edi
		pop	edi
		mov	[ebx+4], esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_508639:				; CODE XREF: RtlStateDurationUpdate(x,x,x)+23j
		mov	edi, [ebp+arg_0]
		sub	edi, ecx
		or	ecx, 0FFFFFFFFh
		cmp	edi, ecx
		jnb	short loc_508658
		mov	ebx, esi
		mov	eax, edi
		and	ebx, 7FFFFFFFh
		not	eax
		cmp	eax, ebx
		jb	short loc_508658
		lea	ecx, [ebx+edi]

loc_508658:				; CODE XREF: RtlStateDurationUpdate(x,x,x)+4Bj
					; RtlStateDurationUpdate(x,x,x)+5Bj
		mov	ebx, [ebp+var_4]
		xor	ecx, esi
		and	ecx, 7FFFFFFFh
		xor	esi, ecx
		jmp	short loc_50861D
_RtlStateDurationUpdate@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExRemoveVirtualizedTimer proc near	; CODE XREF: PspProcessUnbindVirtualizedTimers+56p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D88A6 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		lea	esi, [ecx-0A0h]
		mov	ebx, [esi+9Ch]
		push	edi
		lea	edi, [esi+28h]
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		and	dword ptr [esi+9Ch], 0
		test	byte ptr [esi+0A8h], 2
		jnz	short loc_5086B1

loc_508696:				; CODE XREF: ExRemoveVirtualizedTimer+56j
		test	ds:byte_70EFC6,	1
		jnz	loc_5D88A6
		xor	eax, eax
		lock and [edi],	eax

loc_5086A8:				; CODE XREF: ExRemoveVirtualizedTimer+D0248j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	8
; 

loc_5086B1:				; CODE XREF: ExRemoveVirtualizedTimer+2Cj
		push	[ebp+arg_4]
		mov	ecx, esi
		push	[ebp+arg_0]
		call	ExpTimerResume
		jmp	short loc_508696
ExRemoveVirtualizedTimer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetProcessFreezeStateCallback proc near ; DATA XREF:	PspFreezeJobTree+11Bo

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D88B5 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_14], 0
		and	[ebp+var_10], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+158h]
		mov	eax, [esi+0FCh]
		test	eax, 40000008h
		jnz	loc_5087AD
		mov	eax, [esi+0FCh]
		test	eax, 4000000h
		jz	loc_5087AD
		test	dword ptr [ecx+310h], 40000h
		jz	loc_5087AD
		mov	eax, [ebx]
		test	byte ptr [eax],	1
		jz	loc_5087AD
		mov	eax, [ecx+194h]
		cmp	eax, 1
		jnz	loc_5087CA

loc_50872A:				; CODE XREF: PspSetProcessFreezeStateCallback+10Cj
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [esi+454h]
		mov	byte ptr [ebp+arg_4+3],	al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		call	KeQueryInterruptTime
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_14]
		push	eax
		mov	[ebp+var_4], edx
		call	KeQuerySystemTime
		lea	eax, [esi+458h]
		mov	edi, [eax]
		cmp	edi, eax
		jz	short loc_50878B
		mov	esi, eax

loc_508761:				; CODE XREF: PspSetProcessFreezeStateCallback+C6j
		mov	eax, [ebx]
		push	[ebp+var_4]
		push	[ebp+var_8]
		cmp	byte ptr [eax+4], 0
		jz	short loc_5087C1
		push	[ebp+var_10]
		lea	ecx, [edi-0A0h]
		xor	dl, dl
		push	[ebp+var_14]
		call	ExpTimerPause

loc_508782:				; CODE XREF: PspSetProcessFreezeStateCallback+108j
		mov	edi, [edi]
		cmp	edi, esi
		jnz	short loc_508761
		mov	esi, [ebp+arg_0]

loc_50878B:				; CODE XREF: PspSetProcessFreezeStateCallback+9Dj
		test	ds:byte_70EFC6,	1
		pop	edi
		jnz	loc_5D88B5
		xor	ecx, ecx
		lea	eax, [esi+454h]
		lock and [eax],	ecx

loc_5087A4:				; CODE XREF: PspSetProcessFreezeStateCallback+D0203j
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5087AD:				; CODE XREF: PspSetProcessFreezeStateCallback+29j
					; PspSetProcessFreezeStateCallback+3Aj	...
		mov	edx, [ebx+4]
		mov	ecx, esi
		push	0
		call	PspRequestProcessExecutionState
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	8
; 

loc_5087C1:				; CODE XREF: PspSetProcessFreezeStateCallback+ADj
		mov	ecx, edi
		call	ExTimerResume
		jmp	short loc_508782
; 

loc_5087CA:				; CODE XREF: PspSetProcessFreezeStateCallback+64j
		test	eax, eax
		jz	loc_50872A
		jmp	short loc_5087AD
PspSetProcessFreezeStateCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExTimerResume	proc near		; CODE XREF: PspSetProcessFreezeStateCallback+103p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D88C8 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		lea	esi, [ecx-0A0h]
		push	edi
		lea	edi, [esi+28h]
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	[ebp+arg_4]
		mov	ecx, esi
		push	[ebp+arg_0]
		call	ExpTimerResume
		test	ds:byte_70EFC6,	1
		jnz	loc_5D88C8
		xor	eax, eax
		lock and [edi],	eax

loc_50880A:				; CODE XREF: ExTimerResume+D00FEj
		pop	edi
		pop	esi
		pop	ebp
		retn	8
ExTimerResume	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpTimerResume	proc near		; CODE XREF: ExRemoveVirtualizedTimer+51p
					; ExTimerResume+1Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D88D7 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, [esi+8Ch]
		test	bl, bl
		jz	short loc_508871
		mov	edx, [esi+0B4h]
		push	edi
		mov	edi, [esi+0B0h]
		cmp	bl, 3
		jz	loc_5D88D7

loc_508839:				; CODE XREF: ExpTimerResume+D00D5j
					; ExpTimerResume+D00DFj
		mov	cl, [esi+0A8h]
		mov	eax, [esi+84h]
		mov	[ebp+arg_4], eax
		and	cl, 1
		jnz	short loc_50887E

loc_50884D:				; CODE XREF: ExpTimerResume+72j
		movzx	ecx, cl
		lea	eax, [esi+5Ch]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		push	ecx
		push	dword ptr [esi+0B8h]
		push	[ebp+arg_4]
		push	edx
		push	edi
		push	esi
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		pop	edi
		cmp	bl, 3
		jz	short loc_508884

loc_508871:				; CODE XREF: ExpTimerResume+11j
					; ExpTimerResume+79j
		and	byte ptr [esi+0A8h], 0FDh
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_50887E:				; CODE XREF: ExpTimerResume+3Bj
		and	[ebp+arg_4], 0
		jmp	short loc_50884D
; 

loc_508884:				; CODE XREF: ExpTimerResume+5Fj
		lock bts dword ptr [esi], 9
		jmp	short loc_508871
ExpTimerResume	endp

; 
		align 10h
; Exported entry 1266. KeRemoveProcessorGroupAffinity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRemoveProcessorGroupAffinity(x, x)
		public _KeRemoveProcessorGroupAffinity@8
_KeRemoveProcessorGroupAffinity@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	ecx, [edx]
		btr	ecx, eax
		mov	[edx], ecx
		pop	ebp
		retn	8
_KeRemoveProcessorGroupAffinity@8 endp


;  S U B	R O U T	I N E 


EtwpIsExecutingInArbitraryThreadContext	proc near ; CODE XREF: .text:00528842p

; FUNCTION CHUNK AT 005D88F4 SIZE 00000013 BYTES

		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	loc_5D88F4
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_5D88F4

loc_5088C1:				; CODE XREF: EtwpIsExecutingInArbitraryThreadContext+D0058j
		xor	al, al
		retn
EtwpIsExecutingInArbitraryThreadContext	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspNotifyProcessBackgroundTransition(x, x)
_PspNotifyProcessBackgroundTransition@8	proc near
					; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+9Dp
					; PspSetProcessBackgroundCountCallback(x,x):loc_7D77C2p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	[ebp+var_8], edx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	eax, [esi+0FCh]
		test	edx, edx
		jz	loc_50896E
		lock bts dword ptr [eax], 14h

loc_5088E7:				; CODE XREF: PspNotifyProcessBackgroundTransition(x,x)+AFj
		mov	ebx, large fs:124h
		mov	[ebp+var_14], ebx
		dec	word ptr [ebx+13Ch]
		nop
		lea	edi, [esi+398h]
		xor	edx, edx
		mov	ecx, edi
		mov	[ebp+var_10], edi
		call	ExAcquirePushLockSharedEx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		lea	eax, [esi+1D0h]
		mov	esi, [eax]
		mov	[ebp+var_C], eax
		cmp	esi, eax
		jz	short loc_508944
		mov	edi, [ebp+var_8]

loc_508926:				; CODE XREF: PspNotifyProcessBackgroundTransition(x,x)+78j
		lea	ebx, [esi-2E4h]
		mov	ecx, ebx
		call	_KeAbThreadAreAllEntriesFree@4 ; KeAbThreadAreAllEntriesFree(x)
		test	eax, eax
		jz	short loc_508978

loc_508937:				; CODE XREF: PspNotifyProcessBackgroundTransition(x,x)+CAj
					; PspNotifyProcessBackgroundTransition(x,x)+D4j
		mov	esi, [esi]
		cmp	esi, [ebp+var_C]
		jnz	short loc_508926
		mov	edi, [ebp+var_10]
		mov	ebx, [ebp+var_14]

loc_508944:				; CODE XREF: PspNotifyProcessBackgroundTransition(x,x)+5Dj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_50899E

loc_50895B:				; CODE XREF: PspNotifyProcessBackgroundTransition(x,x)+E1j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_50896E:				; CODE XREF: PspNotifyProcessBackgroundTransition(x,x)+18j
		lock btr dword ptr [eax], 14h
		jmp	loc_5088E7
; 

loc_508978:				; CODE XREF: PspNotifyProcessBackgroundTransition(x,x)+71j
		mov	eax, [ebx+2FCh]
		shr	eax, 9
		and	eax, 7
		test	edi, edi
		jz	short loc_50899A
		mov	edx, eax
		xor	eax, eax

loc_50898C:				; CODE XREF: PspNotifyProcessBackgroundTransition(x,x)+D8j
		cmp	edx, eax
		jz	short loc_508937
		push	eax
		mov	ecx, ebx
		call	_KeAbProcessBaseIoPriorityChange@12 ; KeAbProcessBaseIoPriorityChange(x,x,x)
		jmp	short loc_508937
; 

loc_50899A:				; CODE XREF: PspNotifyProcessBackgroundTransition(x,x)+C2j
		xor	edx, edx
		jmp	short loc_50898C
; 

loc_50899E:				; CODE XREF: PspNotifyProcessBackgroundTransition(x,x)+95j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_50895B
_PspNotifyProcessBackgroundTransition@8	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiAllocateHyperSpace(x)
_MiAllocateHyperSpace@4	proc near	; CODE XREF: .text:0047DA5Dp
					; MiGetPteMappingPair(x,x)+2Ap
		mov	eax, large fs:20h
		push	esi
		push	edi
		mov	ecx, [eax+3D34h]
		mov	esi, ecx
		and	esi, 0FFFh
		mov	eax, 100h
		mov	edi, ecx
		sub	eax, esi
		and	edi, 0FFFFF000h
		cmp	eax, 2
		jbe	short loc_5089EC
		shl	esi, 0Ch
		add	esi, edi

loc_5089D7:				; CODE XREF: MiAllocateHyperSpace(x)+4Dj
		mov	edx, large fs:20h
		add	ecx, 2
		pop	edi
		mov	eax, esi
		pop	esi
		mov	[edx+3D34h], ecx
		retn
; 

loc_5089EC:				; CODE XREF: MiAllocateHyperSpace(x)+28j
		call	_MiFlushHyperSpace@0 ; MiFlushHyperSpace()
		mov	ecx, edi
		mov	esi, ecx
		jmp	short loc_5089D7
_MiAllocateHyperSpace@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static unsigned long __stdcall ST_STORE<struct SM_TRAITS>::StGetUserSpaceStatsKb(struct ST_STORE<struct SM_TRAITS> *,	unsigned long *, unsigned long *)
?StGetUserSpaceStatsKb@?$ST_STORE@USM_TRAITS@@@@SGKPAU1@PAK1@Z proc near
					; CODE XREF: SmKmStoreDeleteWhenEmpty(x,x,x)+55p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+1Ch]
		lea	esi, [ecx+38h]
		mov	ebx, edx
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_4]
		call	?StDmGetSpaceStats@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAK1@Z	; ST_STORE<SM_TRAITS>::StDmGetSpaceStats(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *,ulong *)
		mov	edx, [esi+1E4h]
		lea	ecx, [edi-6]
		mov	eax, edx
		sub	edx, [ebp+var_4]
		shl	eax, cl
		lea	ecx, [edi-6]
		shl	edx, cl
		mov	ecx, [ebp+var_8]
		add	ecx, 3FFh
		mov	[ebx], edx
		shr	ecx, 0Ah
		mov	edx, eax
		shl	ecx, 4
		sub	edx, ecx
		mov	ecx, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx], edx
		leave
		retn	4
?StGetUserSpaceStatsKb@?$ST_STORE@USM_TRAITS@@@@SGKPAU1@PAK1@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StDmGetSpaceStats(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, unsigned long *, unsigned long	*)
?StDmGetSpaceStats@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAK1@Z	proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StGetUserSpaceStatsKb(ST_STORE<SM_TRAITS> *,ulong *,ulong *)+23p
					; ST_STORE_SM_TRAITS___StReleaseRegion+FA0DDp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		push	edi
		test	esi, esi
		jz	short loc_508A66
		and	dword ptr [esi], 0

loc_508A66:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetSpaceStats(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *,ulong *)+Bj
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_508A70
		and	dword ptr [edx], 0

loc_508A70:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetSpaceStats(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *,ulong *)+15j
		lea	edi, [ecx+434h]
		movzx	ecx, byte ptr [ecx+1ACh]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 0FFFFFFF9h
		add	ecx, 8

loc_508A87:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetSpaceStats(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *,ulong *)+48j
		test	esi, esi
		jz	short loc_508A90
		mov	eax, [edi-4]
		add	[esi], eax

loc_508A90:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetSpaceStats(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *,ulong *)+33j
		test	edx, edx
		jz	short loc_508A98
		mov	eax, [edi]
		add	[edx], eax

loc_508A98:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetSpaceStats(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *,ulong *)+3Cj
		add	edi, 8
		sub	ecx, 1
		jnz	short loc_508A87
		pop	edi
		pop	esi
		pop	ebp
		retn	4
?StDmGetSpaceStats@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAK1@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CountUnicodeToUTF8 proc	near		; CODE XREF: RtlUnicodeToUTF8N+15Bp
					; RtlUnicodeStringToUTF8String(x,x,x)+24p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D8907 SIZE 00000123 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		shr	edx, 1
		push	esi
		push	edi
		mov	edi, 7FFh
		lea	ebx, [ecx+edx*2]
		mov	[ebp+var_8], ebx

loc_508AC1:				; CODE XREF: CountUnicodeToUTF8+C4j
		xor	esi, esi

loc_508AC3:				; CODE XREF: CountUnicodeToUTF8+CFF7Fj
		cmp	ecx, ebx
		jnb	loc_508B83
		movzx	eax, word ptr [ecx]
		test	esi, esi
		jnz	loc_5D8907
		mov	esi, eax
		add	ecx, 2

loc_508ADB:				; CODE XREF: CountUnicodeToUTF8+D8j
		lea	eax, [esi-0D800h]
		cmp	eax, 3FFh
		jbe	loc_5D8A24

loc_508AEC:				; CODE XREF: CountUnicodeToUTF8+101j
					; CountUnicodeToUTF8+CFE6Cj ...
		lea	eax, [esi-0D800h]
		cmp	eax, edi
		jbe	loc_5D8925

loc_508AFA:				; CODE XREF: CountUnicodeToUTF8+CFE8Bj
		cmp	esi, 7Fh
		ja	loc_5D8936

loc_508B03:				; CODE XREF: CountUnicodeToUTF8+CFE96j
		mov	eax, ebx
		sub	eax, ecx
		sar	eax, 1
		cmp	eax, 0Dh
		jbe	short loc_508B6F
		lea	ebx, [eax-7]
		lea	ebx, [ecx+ebx*2]

loc_508B14:				; CODE XREF: CountUnicodeToUTF8+CFF41j
					; CountUnicodeToUTF8+CFF71j
		cmp	ecx, ebx
		jnb	short loc_508B67
		movzx	esi, word ptr [ecx]
		add	ecx, 2
		cmp	esi, 7Fh
		ja	loc_5D8941

loc_508B27:				; CODE XREF: CountUnicodeToUTF8+CFEB3j
		test	cl, 2
		jnz	short loc_508B96

loc_508B2C:				; CODE XREF: CountUnicodeToUTF8+BAj
					; CountUnicodeToUTF8+F9j ...
		cmp	ecx, ebx
		jnb	short loc_508B62
		mov	edi, [ecx+4]
		mov	esi, edi
		mov	eax, [ecx]
		or	esi, eax
		test	esi, 0FF80FF80h
		jnz	loc_5D8977

loc_508B45:				; CODE XREF: CountUnicodeToUTF8+CFEF6j
					; CountUnicodeToUTF8+CFEFDj
		mov	edi, [ecx+0Ch]
		add	ecx, 8
		mov	esi, edi
		mov	eax, [ecx]
		or	esi, eax
		test	esi, 0FF80FF80h
		jnz	loc_5D89A8

loc_508B5D:				; CODE XREF: CountUnicodeToUTF8+CFF27j
					; CountUnicodeToUTF8+CFF2Ej
		add	ecx, 8
		jmp	short loc_508B2C
; 

loc_508B62:				; CODE XREF: CountUnicodeToUTF8+88j
		mov	edi, 7FFh

loc_508B67:				; CODE XREF: CountUnicodeToUTF8+70j
					; CountUnicodeToUTF8+CFF79j
		mov	ebx, [ebp+var_8]
		jmp	loc_508AC1
; 

loc_508B6F:				; CODE XREF: CountUnicodeToUTF8+66j
					; CountUnicodeToUTF8+D6j
		cmp	ecx, ebx
		jnb	short loc_508B87
		movzx	esi, word ptr [ecx]
		add	ecx, 2
		cmp	esi, 7Fh
		jbe	short loc_508B6F
		jmp	loc_508ADB
; 

loc_508B83:				; CODE XREF: CountUnicodeToUTF8+1Fj
		test	esi, esi
		jnz	short loc_508BA6

loc_508B87:				; CODE XREF: CountUnicodeToUTF8+CBj
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		mov	[ecx], edx
		pop	ebx
		leave
		retn	4
; 

loc_508B96:				; CODE XREF: CountUnicodeToUTF8+84j
		movzx	esi, word ptr [ecx]
		add	ecx, 2
		cmp	esi, 7Fh
		jbe	short loc_508B2C
		jmp	loc_5D895E
; 

loc_508BA6:				; CODE XREF: CountUnicodeToUTF8+DFj
		inc	edx
		jmp	loc_508AEC
CountUnicodeToUTF8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAbThreadInsertList(x, x, x)
_KiAbThreadInsertList@12 proc near	; CODE XREF: KeAbProcessBaseIoPriorityChangeInternal+50p
					; KiAbSetMinimumThreadPriority+16Ap ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	esi
		xor	esi, esi
		and	[ebp+var_4], esi
		push	edi
		lea	edi, [ebx+2Ch]

loc_508BC3:				; CODE XREF: KiAbThreadInsertList(x,x,x)+5Bj
		lock bts dword ptr [edi], 0
		jb	short loc_508BF9
		mov	ecx, [ebp+arg_0]
		cmp	dword ptr [ecx], 1
		jnz	short loc_508BDE
		mov	edx, [ebp+var_8]
		xor	esi, esi
		inc	esi
		mov	eax, [edx]
		mov	[ecx], eax
		mov	[edx], ecx

loc_508BDE:				; CODE XREF: KiAbThreadInsertList(x,x,x)+24j
		mov	dword ptr [edi], 0
		test	esi, esi
		jz	short loc_508BF0
		lock inc word ptr [ebx+220h]

loc_508BF0:				; CODE XREF: KiAbThreadInsertList(x,x,x)+3Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_508BF9:				; CODE XREF: KiAbThreadInsertList(x,x,x)+1Cj
					; KiAbThreadInsertList(x,x,x)+59j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_508BF9
		jmp	short loc_508BC3
_KiAbThreadInsertList@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 996. IoSetIoPriorityHintIntoThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetIoPriorityHintIntoThread(x, x)
		public _IoSetIoPriorityHintIntoThread@8
_IoSetIoPriorityHintIntoThread@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		cmp	edx, 5
		jnb	short loc_508C29
		mov	ecx, [ebp+arg_0]
		call	PsSetIoPriorityThread
		xor	eax, eax

loc_508C25:				; CODE XREF: IoSetIoPriorityHintIntoThread(x,x)+20j
		pop	ebp
		retn	8
; 

loc_508C29:				; CODE XREF: IoSetIoPriorityHintIntoThread(x,x)+Bj
		mov	eax, 0C000000Dh
		jmp	short loc_508C25
_IoSetIoPriorityHintIntoThread@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1807. PsGetProcessProtection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessProtection(x)
		public _PsGetProcessProtection@4
_PsGetProcessProtection@4 proc near	; CODE XREF: PAGE:007A30C9p
					; PAGE:007A31ADp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	al, [eax+3A6h]
		pop	ebp
		retn	4
_PsGetProcessProtection@4 endp


;  S U B	R O U T	I N E 


SepLpacCausedAccessFailure proc	near	; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+78Fp
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+148Bp ...

; FUNCTION CHUNK AT 005D8A2A SIZE 00000022 BYTES

		cmp	byte ptr [ecx+18h], 0
		jnz	loc_5D8A2A

loc_508C52:				; CODE XREF: SepLpacCausedAccessFailure+CFDFBj
		xor	al, al
		retn
SepLpacCausedAccessFailure endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopUnloadSafeCompletion	proc near	; DATA XREF: IoSetCompletionRoutineEx(x,x,x,x,x,x,x)+4Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D8A4C SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	ecx, ecx
		push	edi
		mov	edi, [ebp+arg_8]
		cmp	[ebx+18h], ecx
		jl	short loc_508CAC
		cmp	[edi+0Dh], cl

loc_508C6E:				; CODE XREF: IopUnloadSafeCompletion+59j
		jz	loc_5D8A4C

loc_508C74:				; CODE XREF: IopUnloadSafeCompletion+CFDFEj
		push	esi
		mov	esi, [edi]
		mov	edx, 70436F49h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		push	dword ptr [edi+4]
		push	ebx
		push	[ebp+arg_0]
		call	dword ptr [edi+8]
		push	0
		push	edi
		mov	ebx, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, 70436F49h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		pop	esi

loc_508CA4:				; CODE XREF: IopUnloadSafeCompletion+CFE20j
		pop	edi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_508CAC:				; CODE XREF: IopUnloadSafeCompletion+13j
		cmp	[edi+0Ch], cl
		jmp	short loc_508C6E
IopUnloadSafeCompletion	endp

; 
		align 2

;  S U B	R O U T	I N E 


KiGetPendingTick proc near		; CODE XREF: KeResumeClockTimerFromIdle+277p

; FUNCTION CHUNK AT 005D8A7B SIZE 00000011 BYTES

		cmp	ds:_KiClockTimerPerCpu,	0
		jz	loc_5D8A7B
		mov	eax, large fs:20h

loc_508CC5:				; CODE XREF: KiGetPendingTick+CFDD5j
		mov	al, [eax+3D1h]
		and	al, 1
		retn
KiGetPendingTick endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSendClockInterruptToClockOwner()
_KiSendClockInterruptToClockOwner@0 proc near ;	CODE XREF: ExpInsertTimerResolutionEntry+AAp
					; KiTimer2Expiration+19Ap ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_C], 0
		lea	edx, [ebp+var_10]
		xor	eax, eax
		xor	ecx, ecx
		inc	eax
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		mov	eax, _KiClockTimerOwner
		bts	ecx, eax
		mov	[ebp+var_8], ecx
		xor	ecx, ecx
		call	ds:__imp_@HalRequestClockInterrupt@8 ; HalRequestClockInterrupt(x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KiSendClockInterruptToClockOwner@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAppendAceToTokenDefaultDacl proc near ; CODE	XREF: NtCreateLowBoxToken+32Ep

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D8A8C SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1C], edx
		lea	edi, [ebp+var_10]
		mov	[ebp+var_20], ecx
		stosd
		xor	esi, esi
		mov	ebx, esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		stosd
		stosd
		mov	edi, [ecx+0A4h]
		test	edi, edi
		jz	loc_508E4A
		push	esi
		mov	ecx, edi
		call	RtlFindAceBySid
		test	eax, eax
		jnz	loc_508E56
		movzx	ebx, word ptr [edi+2]
		lea	eax, [ebp+var_14]
		push	1
		push	4
		push	eax
		push	edi
		call	_RtlQueryInformationAcl@16 ; RtlQueryInformationAcl(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_508E56
		push	2
		push	0Ch
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	_RtlQueryInformationAcl@16 ; RtlQueryInformationAcl(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_508E56
		mov	eax, [ebp+var_1C]
		push	63416553h
		movzx	eax, byte ptr [eax+1]
		lea	esi, ds:13h[eax*4]
		add	esi, ebx
		and	esi, 0FFFFFFFCh
		push	esi
		push	1
		mov	[ebp+var_24], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5D8A8C
		push	[ebp+var_14]	; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_508E4A
		lea	eax, [ebp+var_18]
		push	eax
		push	0
		push	edi
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_508E4A
		mov	eax, [ebp+var_C]
		add	eax, 0FFFFFFF8h
		push	eax
		push	[ebp+var_18]
		push	0
		push	[ebp+var_14]
		push	ebx
		call	RtlAddAce
		mov	esi, eax
		test	esi, esi
		js	short loc_508E4A
		push	[ebp+var_1C]
		push	10000000h
		push	[ebp+var_14]
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_508E4A
		mov	edi, [ebp+var_20]
		mov	ecx, edi
		mov	edx, [ebp+var_24]
		add	edx, 0Bh
		mov	eax, [edi+9Ch]
		movzx	eax, byte ptr [eax+1]
		lea	edx, [edx+eax*4]
		and	edx, 0FFFFFFFCh
		call	_SepExpandDynamic@8 ; SepExpandDynamic(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_508E4A
		mov	ecx, edi
		call	SepFreeDefaultDacl
		mov	edx, ebx
		mov	ecx, edi
		call	_SepAppendDefaultDacl@8	; SepAppendDefaultDacl(x,x)

loc_508E4A:				; CODE XREF: SepAppendAceToTokenDefaultDacl+35j
					; SepAppendAceToTokenDefaultDacl+BAj ...
		test	ebx, ebx
		jz	short loc_508E56
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_508E56:				; CODE XREF: SepAppendAceToTokenDefaultDacl+45j
					; SepAppendAceToTokenDefaultDacl+61j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
SepAppendAceToTokenDefaultDacl endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LZNT1DecompressChunkWorkItem proc near	; DATA XREF: LZNT1DecompressChunkNewThread(x,x,x,x,x,x)+51o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D8A96 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]
		push	dword ptr [esi+10h]
		call	_LZNT1DecompressChunk@20 ; LZNT1DecompressChunk(x,x,x,x,x)
		xor	edx, edx
		test	eax, eax
		js	loc_5D8A96

loc_508E8F:				; CODE XREF: LZNT1DecompressChunkWorkItem+CFC34j
					; LZNT1DecompressChunkWorkItem+CFC3Dj
		mov	ecx, [esi+28h]
		or	eax, 0FFFFFFFFh
		add	ecx, 10h
		lock xadd [ecx], eax
		jz	short loc_508EAF

loc_508E9E:				; CODE XREF: LZNT1DecompressChunkWorkItem+51j
		mov	edx, esi
		mov	ecx, offset _RtlLznt1DecompressChunkLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		pop	esi
		pop	ebp
		retn	4
; 

loc_508EAF:				; CODE XREF: LZNT1DecompressChunkWorkItem+34j
		push	edx
		push	edx
		push	dword ptr [esi+28h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_508E9E
LZNT1DecompressChunkWorkItem endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoIsProcessAntiMalware(x)
_IoIsProcessAntiMalware@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	cl, [eax+3A6h]
		xor	eax, eax
		and	cl, 0F0h
		cmp	cl, 30h
		setz	al
		pop	ebp
		retn	4
_IoIsProcessAntiMalware@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __fastcall KeInitializeGate(x, x)
@KeInitializeGate@8 proc near		; CODE XREF: KiInitializeProcessor+1Cp
					; PspGetContextThreadInternal+1A7p ...
		and	dword ptr [ecx+4], 0
		lea	eax, [ecx+8]
		mov	word ptr [ecx],	107h
		mov	byte ptr [ecx+2], 4
		mov	[eax+4], eax
		mov	[eax], eax
		retn
@KeInitializeGate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRetainSubsection(x)
_MiRetainSubsection@4 proc near		; CODE XREF: MmAccessFault+632p
					; MiGetHardFaultPages+106CB3p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	esi, [ebx]
		lea	edi, [esi+24h]
		push	edi
		call	ExAcquireSpinLockExclusive
		inc	dword ptr [esi+14h]
		mov	edx, [esi+1Ch]
		mov	[ebp+var_1], al
		test	dl, 20h
		jnz	short loc_508F1A
		cmp	dword ptr [esi+20h], 0
		jnz	short loc_508F2E

loc_508F1A:				; CODE XREF: MiRetainSubsection(x)+22j
					; MiRetainSubsection(x)+44j ...
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_508F2E:				; CODE XREF: MiRetainSubsection(x)+28j
		test	edx, 400h
		jnz	short loc_508F1A
		mov	ecx, ebx
		call	MiIncrementSubsectionViewCount
		jmp	short loc_508F1A
_MiRetainSubsection@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1856. PsIsWin32KFilterAuditEnabled

;  S U B	R O U T	I N E 


; __stdcall PsIsWin32KFilterAuditEnabled()
		public _PsIsWin32KFilterAuditEnabled@0
_PsIsWin32KFilterAuditEnabled@0	proc near
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+490h]
		shr	eax, 0Fh
		and	al, 1
		retn
_PsIsWin32KFilterAuditEnabled@0	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1221. KeQueryGroupAffinity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryGroupAffinity(x)
		public _KeQueryGroupAffinity@4
_KeQueryGroupAffinity@4	proc near	; CODE XREF: PAGE:0075B642p
					; PAGE:0075B67Cp ...

arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_508F77
		mov	eax, ds:dword_70E328

loc_508F73:				; CODE XREF: KeQueryGroupAffinity(x)+17j
		pop	ebp
		retn	4
; 

loc_508F77:				; CODE XREF: KeQueryGroupAffinity(x)+Aj
		xor	eax, eax
		jmp	short loc_508F73
_KeQueryGroupAffinity@4	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall NtRevertContainerImpersonation()
_NtRevertContainerImpersonation@0 proc near ; CODE XREF: IopProcessWorkItem:loc_4DCEDFp
					; DATA XREF: .text:00580D3Co
		mov	ecx, large fs:124h
		jmp	PspRevertContainerImpersonation
_NtRevertContainerImpersonation@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckSystemNxFault proc near		; CODE XREF: .text:0046608Bp
					; .text:004B0284p ...

var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D8AAA SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr [ecx+4], 10h
		jz	short loc_508FC9
		mov	eax, ds:_KeFeatureBits
		and	eax, 1000000h
		or	eax, 0
		push	esi
		mov	esi, [ebp+arg_0]
		jz	short loc_508FB4
		mov	eax, esi
		and	eax, 4
		or	eax, 0
		jnz	loc_5D8AAA

loc_508FB4:				; CODE XREF: MiCheckSystemNxFault+1Cj
		cmp	[ebp+arg_4], 0
		jg	short loc_508FC8
		jl	loc_5D8AB0
		test	esi, esi
		jb	loc_5D8AB0

loc_508FC8:				; CODE XREF: MiCheckSystemNxFault+30j
		pop	esi

loc_508FC9:				; CODE XREF: MiCheckSystemNxFault+9j
		pop	ebp
		retn	8
MiCheckSystemNxFault endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiAllocateInPageSupportBlock(x, x)
_MiAllocateInPageSupportBlock@8	proc near ; CODE XREF: MiGetInPageSupportBlock(x)+4Bp
					; MiInitializePageFaultResources()+46p
		neg	ecx
		push	0
		sbb	ecx, ecx
		and	ecx, 0FFFFFC40h
		add	ecx, 4C8h
		imul	ecx, edx
		mov	edx, 6E496D4Dh
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		retn
_MiAllocateInPageSupportBlock@8	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2157. RtlInitEnumerationHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitEnumerationHashTable(x, x)
		public _RtlInitEnumerationHashTable@8
_RtlInitEnumerationHashTable@8 proc near
					; CODE XREF: SepCleanupMarkedForDeletionEntries()+22p
					; RtlInitWeakEnumerationHashTable(x,x)+6j ...

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, [ebp+arg_0]
		lea	edx, [ebp+var_C]
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_C]
		stosd
		mov	ecx, esi
		stosd
		stosd
		xor	edi, edi
		push	edi
		call	_RtlpPopulateContext@12	; RtlpPopulateContext(x,x,x)
		mov	ecx, [ebp+var_C]
		inc	dword ptr [esi+1Ch]
		cmp	[ecx], ecx
		jnz	short loc_509025
		inc	dword ptr [esi+18h]

loc_509025:				; CODE XREF: RtlInitEnumerationHashTable(x,x)+2Aj
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_50904A
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		mov	[ecx], eax
		mov	[eax+10h], edi
		mov	[eax+8], edi
		pop	edi
		mov	[eax+0Ch], ecx
		mov	al, 1
		pop	esi
		leave
		retn	8
; 

loc_50904A:				; CODE XREF: RtlInitEnumerationHashTable(x,x)+34j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall SepRemoveAceFromTokenDefaultDacl(x,	x)
_SepRemoveAceFromTokenDefaultDacl@8:	; CODE XREF: PAGE:007EA568p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, [ecx+0A4h]
		test	esi, esi
		jz	short loc_50907D
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax
		call	RtlFindAceBySid
		test	eax, eax
		jz	short loc_50907D
		push	[ebp+var_4]
		push	esi
		call	_RtlDeleteAce@8	; RtlDeleteAce(x,x)

loc_50907D:				; CODE XREF: RtlInitEnumerationHashTable(x,x)+6Dj
					; RtlInitEnumerationHashTable(x,x)+7Cj
		pop	esi
		leave
		retn
_RtlInitEnumerationHashTable@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiReleaseFaultCharges(x)
_MiReleaseFaultCharges@4 proc near	; CODE XREF: MmAccessFault:loc_46745Dp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi]
		lea	eax, [esi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [esi+1Ch]
		mov	bl, al
		test	cl, 20h
		jnz	short loc_5090A2
		cmp	dword ptr [esi+20h], 0
		jnz	short loc_5090B1

loc_5090A2:				; CODE XREF: MiReleaseFaultCharges(x)+1Aj
					; MiReleaseFaultCharges(x)+37j	...
		dec	dword ptr [esi+14h]
		mov	dl, bl
		mov	ecx, esi
		pop	edi
		pop	esi
		pop	ebx
		jmp	MiCheckControlArea
; 

loc_5090B1:				; CODE XREF: MiReleaseFaultCharges(x)+20j
		test	ecx, 400h
		jnz	short loc_5090A2
		push	ecx
		mov	edx, edi
		mov	ecx, edi
		call	_MiDecrementSubsections@12 ; MiDecrementSubsections(x,x,x)
		jmp	short loc_5090A2
_MiReleaseFaultCharges@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2269. RtlNumberOfSetBitsUlongPtr

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlNumberOfSetBitsUlongPtr(x)
		public _RtlNumberOfSetBitsUlongPtr@4
_RtlNumberOfSetBitsUlongPtr@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		not	edx
		movzx	eax, dl
		push	ebx
		shr	edx, 8
		mov	bl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		mov	ecx, edx
		shr	ecx, 8
		add	bl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, bl
		movzx	eax, cl
		pop	ebx
		pop	ebp
		retn	4
_RtlNumberOfSetBitsUlongPtr@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SeQueryTokenTrustSid(x)
_SeQueryTokenTrustSid@4	proc near	; CODE XREF: PsImpersonateClient+1A4p
		mov	eax, [ecx+280h]
		retn
_SeQueryTokenTrustSid@4	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall EtwAdjustTraceBuffers()
_EtwAdjustTraceBuffers@0 proc near	; CODE XREF: KeBalanceSetManager+77p
		cmp	_EtwpInitialized, 0
		jz	short locret_509126
		sub	_EtwpBufferAdjustmentCount, 1
		jz	short loc_509127

locret_509126:				; CODE XREF: EtwAdjustTraceBuffers()+7j
					; EtwAdjustTraceBuffers()+2Dj
		retn
; 

loc_509127:				; CODE XREF: EtwAdjustTraceBuffers()+10j
		xor	ecx, ecx
		mov	_EtwpBufferAdjustmentCount, 8
		inc	ecx
		mov	edx, offset _EtwpBufferAdjustmentActive
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short locret_509126
		push	1
		push	offset _EtwpAdjustBuffersWorkItem
		call	ExQueueWorkItem
		retn
_EtwAdjustTraceBuffers@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SSHSupportReleasePushLockExclusive proc	near ; CODE XREF: SleepstudyHelperBuildBlocker+120p
					; SleepstudyHelperBuildBlocker+15Dp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D8AD7 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		mov	edx, ecx
		or	eax, 0FFFFFFFFh
		push	edi
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], eax
		lock xadd [edx], eax
		test	al, 2
		jnz	loc_5D8AC2

loc_509183:				; CODE XREF: MiCheckSystemNxFault+CFB3Cj
					; MiCheckSystemNxFault+CFB4Aj
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	edx, 7FFFFFFCh
		jz	loc_50928E
		mov	esi, large fs:124h
		mov	ecx, edx
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	edx, eax
		jb	short loc_5091D2
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_509297
		mov	eax, [ebp+var_20]
		cmp	edx, eax
		jb	short loc_5091D2
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_509297

loc_5091D2:				; CODE XREF: SSHSupportReleasePushLockExclusive+5Dj
					; SSHSupportReleasePushLockExclusive+73j
		or	eax, 0FFFFFFFFh

loc_5091D5:				; CODE XREF: SSHSupportReleasePushLockExclusive+155j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_5092AA
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_5092F9

loc_509214:				; CODE XREF: SSHSupportReleasePushLockExclusive+1B1j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	loc_5D8AEA
		or	[esi+1E4h], dl

loc_50925A:				; CODE XREF: SSHSupportReleasePushLockExclusive+162j
					; SSHSupportReleasePushLockExclusive+CF9A6j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	short loc_5092B9

loc_50926D:				; CODE XREF: SSHSupportReleasePushLockExclusive+19Ej
					; SSHSupportReleasePushLockExclusive+CF9B8j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_50928E
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	short loc_509306

loc_50928E:				; CODE XREF: SSHSupportReleasePushLockExclusive+3Ej
					; SSHSupportReleasePushLockExclusive+134j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_509297:				; CODE XREF: SSHSupportReleasePushLockExclusive+68j
					; SSHSupportReleasePushLockExclusive+7Cj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_C], eax
		jmp	loc_5091D5
; 

loc_5092AA:				; CODE XREF: SSHSupportReleasePushLockExclusive+ACj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_50925A
		jmp	loc_5D8AD7
; 

loc_5092B9:				; CODE XREF: SSHSupportReleasePushLockExclusive+11Bj
		test	edi, 8000h
		jz	short loc_5092CA
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5092CA:				; CODE XREF: SSHSupportReleasePushLockExclusive+16Fj
		test	byte ptr [ebp+var_10+2], 1
		jnz	short loc_50930D

loc_5092D0:				; CODE XREF: SSHSupportReleasePushLockExclusive+1CDj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5092E4
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5092E4:				; CODE XREF: SSHSupportReleasePushLockExclusive+187j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_50926D
		jmp	loc_5D8AFB
; 

loc_5092F9:				; CODE XREF: SSHSupportReleasePushLockExclusive+BEj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_509214
; 

loc_509306:				; CODE XREF: SSHSupportReleasePushLockExclusive+13Cj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_50928E
; 

loc_50930D:				; CODE XREF: SSHSupportReleasePushLockExclusive+17Ej
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	short loc_5092D0
SSHSupportReleasePushLockExclusive endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpFreePoolWithTag(x, x)
_CmpFreePoolWithTag@8 proc near		; CODE XREF: CmpFreeExtraParameter(x)+1Ej
					; CmpFreeKeyControlBlock+101p ...
		mov	edi, edi
		push	edx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
_CmpFreePoolWithTag@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiGetComparisonRanks proc near		; CODE XREF: KiEvaluateGroupSchedulingPreemption+BEp
					; KiDirectSwitchThread+12AE0Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D8B0D SIZE 00000066 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, edx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_8], edx
		push	esi
		cmp	ecx, eax
		jnz	short loc_509352
		mov	edx, [ecx+60h]
		mov	esi, edx

loc_509343:				; CODE XREF: KiGetComparisonRanks+74j
		mov	eax, [ebp+var_8]
		mov	[eax], esi
		mov	eax, [ebp+arg_4]
		pop	esi
		mov	[eax], edx
		leave
		retn	8
; 

loc_509352:				; CODE XREF: KiGetComparisonRanks+12j
		xor	edx, edx
		push	ebx
		mov	bh, [ecx+5Dh]
		xor	bl, bl
		mov	[ebp+var_4], edx
		mov	dl, [eax+5Dh]
		mov	byte ptr [ebp+arg_0+3],	dl
		cmp	bh, dl
		mov	edx, [ebp+var_4]
		ja	loc_5D8B0D
		cmp	bh, byte ptr [ebp+arg_0+3]
		jb	short loc_5093A0

loc_509373:				; CODE XREF: KiGetComparisonRanks+CF7FCj
					; KiGetComparisonRanks+CF815j
		mov	esi, edx
		mov	[ebp+arg_0], esi
		push	edi
		cmp	ecx, eax
		jz	loc_5D8B5B
		mov	esi, [eax+0F4h]
		xor	bl, bl
		mov	edi, [ecx+0F4h]
		mov	[ebp+var_4], esi
		cmp	edi, esi
		jnz	short loc_5093A8

loc_509396:				; CODE XREF: KiGetComparisonRanks+CF833j
		mov	edx, [eax+60h]
		mov	esi, [ecx+60h]

loc_50939C:				; CODE XREF: KiGetComparisonRanks+CF83Dj
					; KiGetComparisonRanks+CF844j
		pop	edi
		pop	ebx
		jmp	short loc_509343
; 

loc_5093A0:				; CODE XREF: KiGetComparisonRanks+47j
		or	bl, 0FFh
		jmp	loc_5D8B2B
; 

loc_5093A8:				; CODE XREF: KiGetComparisonRanks+6Aj
		mov	esi, [ebp+var_4]
		jmp	loc_5D8B44
KiGetComparisonRanks endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl StringCchPrintfW(wchar_t *,int,wchar_t *,char)
StringCchPrintfW proc near		; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+44Ep
					; PAGELK:0071F96Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005D8B73 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		test	eax, eax
		jz	short loc_5093E5
		cmp	eax, 7FFFFFFFh
		ja	short loc_5093E5

loc_5093C5:				; CODE XREF: StringCchPrintfW+3Aj
		test	ecx, ecx
		js	loc_5D8B73
		lea	ecx, [ebp+arg_C]
		mov	edx, eax	; int
		push	ecx		; va_list
		push	[ebp+arg_8]	; wchar_t *
		push	ecx		; int
		mov	ecx, [ebp+arg_0] ; wchar_t *
		call	StringVPrintfWorkerW
		mov	ecx, eax

loc_5093E1:				; CODE XREF: StringCchPrintfW+CF7C5j
					; StringCchPrintfW+CF7D3j
		mov	eax, ecx
		pop	ebp
		retn
; 

loc_5093E5:				; CODE XREF: StringCchPrintfW+Cj
					; StringCchPrintfW+13j
		mov	ecx, 80070057h
		jmp	short loc_5093C5
StringCchPrintfW endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall StringVPrintfWorkerW(wchar_t *,int,int,wchar_t	*,va_list)
StringVPrintfWorkerW proc near		; CODE XREF: StringCchPrintfW+2Ap

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_8]	; va_list
		lea	esi, [edx-1]
		mov	edi, ecx
		push	[ebp+arg_4]	; wchar_t *
		xor	ebx, ebx
		push	esi		; size_t
		push	edi		; wchar_t *
		call	__vsnwprintf
		add	esp, 10h
		test	eax, eax
		js	short loc_509424
		cmp	eax, esi
		ja	short loc_509424
		jnz	short loc_50941B

loc_509415:				; CODE XREF: StringVPrintfWorkerW+3Dj
		xor	eax, eax
		mov	[edi+esi*2], ax

loc_50941B:				; CODE XREF: StringVPrintfWorkerW+27j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_509424:				; CODE XREF: StringVPrintfWorkerW+21j
					; StringVPrintfWorkerW+25j
		mov	ebx, 8007007Ah
		jmp	short loc_509415
StringVPrintfWorkerW endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

wil_details_StagingConfig_QueryFeatureState proc near
					; CODE XREF: wil_StagingConfig_QueryFeatureState+67p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D8B88 SIZE 00000128 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ecx
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], eax
		push	ebx
		push	esi
		mov	ecx, [eax+14h]
		xor	ebx, ebx
		mov	eax, [eax+18h]
		mov	esi, ebx
		mov	[ebp+var_14], eax
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_20]
		mov	[ebp+var_10], ecx
		stosd
		mov	ecx, ebx
		stosd
		stosd
		mov	eax, [ebp+var_10]
		movzx	eax, word ptr [eax+4]
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	loc_5D8B88

loc_50946B:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF7ABj
					; wil_details_StagingConfig_QueryFeatureState+CF7BCj
		mov	edi, ebx
		test	esi, esi
		jnz	loc_5D8BB7

loc_509475:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF813j
					; wil_details_StagingConfig_QueryFeatureState+CF860j
		mov	esi, [ebp+var_10]
		mov	ecx, ebx
		mov	eax, [ebp+var_C]
		movzx	esi, word ptr [esi+6]
		mov	eax, [eax+1Ch]
		test	esi, esi
		jnz	loc_5D8C91

loc_50948C:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF877j
					; wil_details_StagingConfig_QueryFeatureState+CF87Fj
		mov	eax, edi
		mov	[edx+10h], ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
wil_details_StagingConfig_QueryFeatureState endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2288. RtlQueryFeatureConfiguration

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlQueryFeatureConfiguration(x, x, x, x)
		public _RtlQueryFeatureConfiguration@16
_RtlQueryFeatureConfiguration@16 proc near
					; CODE XREF: wil_details_UpdateFeatureConfiguredStates()+3Ep
					; CmQuerySingleFeatureConfiguration+4Ap ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		mov	[esp+18h+var_8], ebx
		mov	[esp+18h+var_4], ebx
		mov	[esp+18h+var_C], ebx
		call	_KeGetEffectiveIrql@0 ;	KeGetEffectiveIrql()
		mov	dl, al
		cmp	dl, 1
		jbe	short loc_5094E0
		xor	ecx, ecx
		call	KeIsBugCheckActive
		test	al, al
		jnz	short loc_5094D9
		cmp	_PoPowerDownActionInProgress, cl
		jz	short loc_509549

loc_5094D9:				; CODE XREF: RtlQueryFeatureConfiguration(x,x,x,x)+31j
		mov	eax, 80000022h
		jmp	short loc_509540
; 

loc_5094E0:				; CODE XREF: RtlQueryFeatureConfiguration(x,x,x,x)+26j
		call	_RtlpFcGetBufferManager@0 ; RtlpFcGetBufferManager()
		mov	edi, eax
		lea	edx, [esp+18h+var_8]
		lea	eax, [esp+18h+var_C]
		mov	ecx, edi
		push	eax
		call	_RtlpFcBufferManagerReferenceBuffers@12	; RtlpFcBufferManagerReferenceBuffers(x,x,x)
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_4]
		mov	ecx, [esp+20h+var_C]
		call	RtlpFcQueryFeatureConfigurationFromBufferSet
		mov	esi, eax
		test	esi, esi
		jns	short loc_509521
		cmp	esi, 0C0000225h
		jz	short loc_509523
		cmp	esi, 80000022h
		jnz	short loc_509533
		jmp	short loc_509523
; 

loc_509521:				; CODE XREF: RtlQueryFeatureConfiguration(x,x,x,x)+6Fj
		mov	esi, ebx

loc_509523:				; CODE XREF: RtlQueryFeatureConfiguration(x,x,x,x)+77j
					; RtlQueryFeatureConfiguration(x,x,x,x)+81j
		mov	ecx, [ebp+arg_8]
		mov	eax, [esp+18h+var_8]
		mov	[ecx], eax
		mov	eax, [esp+18h+var_4]
		mov	[ecx+4], eax

loc_509533:				; CODE XREF: RtlQueryFeatureConfiguration(x,x,x,x)+7Fj
		mov	edx, [esp+18h+var_C]
		mov	ecx, edi
		call	_RtlpFcBufferManagerDereferenceBuffers@8 ; RtlpFcBufferManagerDereferenceBuffers(x,x)
		mov	eax, esi

loc_509540:				; CODE XREF: RtlQueryFeatureConfiguration(x,x,x,x)+40j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_509549:				; CODE XREF: RtlQueryFeatureConfiguration(x,x,x,x)+39j
		push	dword ptr [ebp+4]
		movzx	eax, dl
		push	ebx
		push	eax
		push	offset _RtlQueryFeatureConfiguration@16	; RtlQueryFeatureConfiguration(x,x,x,x)
		push	0Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_RtlQueryFeatureConfiguration@16 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpFcBufferManagerDereferenceBuffers(x, x)
_RtlpFcBufferManagerDereferenceBuffers@8 proc near
					; CODE XREF: RtlQueryFeatureConfiguration(x,x,x,x)+9Bp
					; CmFcpManagerDrainUsageNotifications+9Ap ...
		sub	edx, ecx
		push	esi
		push	30h
		pop	esi
		lea	eax, [edx-10h]
		cdq
		idiv	esi
		mov	edx, eax
		call	RtlReleaseSwapReference
		pop	esi
		jmp	_RtlpFcLeaveRegion@4 ; RtlpFcLeaveRegion(x)
_RtlpFcBufferManagerDereferenceBuffers@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlReleaseSwapReference	proc near	; CODE XREF: RtlpFcBufferManagerDereferenceBuffers(x,x)+Ep
					; CmFcManagerNotifyFeatureUsage(x,x)+66p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D8CB0 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx

loc_50958A:				; CODE XREF: RtlReleaseSwapReference+CF741j
		mov	esi, [edi]
		mov	eax, esi
		and	eax, 1
		cmp	eax, ebx
		jnz	loc_5D8CBE
		mov	ecx, esi
		shr	ecx, 1
		jz	short loc_5095BB
		lea	ecx, ds:0FFFFFFFEh[ecx*2]
		or	ecx, eax
		mov	eax, esi
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		jnz	loc_5D8CB0

loc_5095B6:				; CODE XREF: RtlReleaseSwapReference+CF74Fj
					; RtlReleaseSwapReference+CF766j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5095BB:				; CODE XREF: RtlReleaseSwapReference+25j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall RtlpFcValidateFeatureConfigurationType(x)
_RtlpFcValidateFeatureConfigurationType@4:
					; CODE XREF: RtlpFcQueryFeatureConfigurationFromBufferSet+12p
					; RtlQueryAllFeatureConfigurations(x,x,x,x)+2Cp
		cmp	ecx, 2
		sbb	eax, eax
		and	eax, 3FFFFFF3h
		add	eax, 0C000000Dh
		retn
RtlReleaseSwapReference	endp ; sp = -18h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcBufferManagerReferenceBuffers(x, x, x)
_RtlpFcBufferManagerReferenceBuffers@12	proc near
					; CODE XREF: RtlQueryFeatureConfiguration(x,x,x,x)+54p
					; CmFcpManagerDrainUsageNotifications+3Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		call	_RtlpFcEnterRegion@4 ; RtlpFcEnterRegion(x)
		call	RtlAcquireSwapReference
		lea	ecx, [ebx+10h]
		mov	esi, [ebx+eax*8+70h]
		mov	[edi], esi
		mov	esi, [ebx+eax*8+74h]
		imul	eax, 30h
		mov	[edi+4], esi
		pop	edi
		pop	esi
		pop	ebx
		add	ecx, eax
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		pop	ebp
		retn	4
_RtlpFcBufferManagerReferenceBuffers@12	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlAcquireSwapReference	proc near	; CODE XREF: RtlpFcBufferManagerReferenceBuffers(x,x,x)+11p
					; CmFcManagerNotifyFeatureUsage(x,x)+39p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D8CEF SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, ecx

loc_509616:				; CODE XREF: RtlAcquireSwapReference+CF6F0j
		mov	esi, [edi]
		mov	edx, esi
		and	edx, 0FFFFFFFEh
		mov	eax, esi
		and	eax, 1
		add	edx, 2
		or	edx, eax
		cmp	edx, 2
		jb	short loc_509645
		mov	ecx, edx
		mov	eax, esi
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		jnz	loc_5D8CEF
		and	edx, 1
		pop	edi
		mov	eax, edx
		pop	esi
		leave
		retn
; 

loc_509645:				; CODE XREF: RtlAcquireSwapReference+22j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall MmUpdateSectionIoAttribution(x, x)
_MmUpdateSectionIoAttribution@8:	; CODE XREF: CcMapAndCopyInToCache+8FFp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		lea	eax, [ebp+var_4+3]
		xor	edx, edx
		xor	ebx, ebx
		push	eax
		inc	edx
		mov	byte ptr [ebp+var_4+3],	bl
		call	MiLockSectionControlArea
		mov	edx, eax
		test	edx, edx
		jz	short loc_50968B
		mov	ecx, [edx+48h]
		shl	ecx, 3
		cmp	esi, ecx
		jnz	short loc_50968F

loc_509675:				; CODE XREF: RtlAcquireSwapReference+ACj
		lea	eax, [edx+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jnz	short loc_5096B6

loc_50968B:				; CODE XREF: RtlAcquireSwapReference+61j
					; RtlAcquireSwapReference+B5j
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_50968F:				; CODE XREF: RtlAcquireSwapReference+6Bj
		xor	eax, eax
		inc	eax
		lock xadd [esi+10h], eax
		inc	eax
		cmp	eax, 1
		jle	short loc_5096BF

loc_50969D:				; CODE XREF: RtlAcquireSwapReference+BCj
		mov	ecx, [edx+48h]
		mov	eax, ecx
		and	eax, 0E0000000h
		shr	esi, 3
		or	eax, esi
		mov	ebx, ecx
		mov	[edx+48h], eax
		shl	ebx, 3
		jmp	short loc_509675
; 

loc_5096B6:				; CODE XREF: RtlAcquireSwapReference+81j
		mov	ecx, ebx
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		jmp	short loc_50968B
; 

loc_5096BF:				; CODE XREF: RtlAcquireSwapReference+93j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_50969D
RtlAcquireSwapReference	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2047. RtlEndEnumerationHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlEndEnumerationHashTable(x, x)
		public _RtlEndEnumerationHashTable@8
_RtlEndEnumerationHashTable@8 proc near	; CODE XREF: SepCleanupMarkedForDeletionEntries()+7Ep
					; RtlEndWeakEnumerationHashTable(x,x)j	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		dec	dword ptr [edx+1Ch]
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	short loc_5096FA
		cmp	[eax+4], ecx
		jnz	short loc_509707
		push	esi
		mov	esi, [ecx+4]
		cmp	[esi], ecx
		jnz	short loc_509707
		mov	[esi], eax
		mov	[eax+4], esi
		mov	eax, [ecx+0Ch]
		pop	esi
		cmp	[eax], eax
		jz	short loc_509702

loc_5096FA:				; CODE XREF: RtlEndEnumerationHashTable(x,x)+12j
					; RtlEndEnumerationHashTable(x,x)+39j
		and	dword ptr [ecx+0Ch], 0
		pop	ebp
		retn	8
; 

loc_509702:				; CODE XREF: RtlEndEnumerationHashTable(x,x)+2Cj
		dec	dword ptr [edx+18h]
		jmp	short loc_5096FA
; 

loc_509707:				; CODE XREF: RtlEndEnumerationHashTable(x,x)+17j
					; RtlEndEnumerationHashTable(x,x)+1Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_RtlEndEnumerationHashTable@8 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcSetLazyWriteScanQueued proc near	; CODE XREF: CcLazyWriteScan+7Cp
					; CcQueueLazyWriteScanThread+127p ...

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005D8CFD SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	edx, 1
		jz	loc_5D8D27
		sub	edx, 1
		jz	short loc_509736
		dec	edx
		sub	edx, 1
		jnz	loc_5D8CFD
		mov	al, [ebp+arg_0]
		mov	[ecx+193h], al

loc_509732:				; CODE XREF: CcSetLazyWriteScanQueued+33j
					; CcSetLazyWriteScanQueued+CF5F9j ...
		pop	ebp
		retn	4
; 

loc_509736:				; CODE XREF: CcSetLazyWriteScanQueued+11j
		mov	al, [ebp+arg_0]
		mov	[ecx+195h], al
		jmp	short loc_509732
CcSetLazyWriteScanQueued endp

; 
		align 2

;  S U B	R O U T	I N E 


SMKM_STORE_SM_TRAITS___SmStUpdateMemoryCondition proc near
					; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmUpdateMemoryConditions(SMKM_STORE_MGR<SM_TRAITS> *,_SMP_MEMORY_CONDITION,ulong)+4Fp

; FUNCTION CHUNK AT 005D8D35 SIZE 00000026 BYTES

		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	[esi+10F6h], bl
		mov	al, [esi+10F6h]
		movzx	eax, al
		cmp	eax, 4
		jnz	short loc_50978F
		mov	eax, [esi+12B8h]

loc_509765:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStUpdateMemoryCondition+54j
		mov	ecx, [esi+1178h]
		cmp	dword ptr [ecx+150h], offset _KiInitialProcess
		jz	short loc_5097A1
		movsx	edx, byte ptr [ecx+87h]

loc_50977E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStUpdateMemoryCondition+62j
		cmp	ebx, 4
		jl	loc_5D8D35
		cmp	edx, eax
		jg	short loc_509798

loc_50978B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStUpdateMemoryCondition+5Dj
					; SMKM_STORE_SM_TRAITS___SmStUpdateMemoryCondition+CF600j ...
		pop	esi
		pop	ebx
		pop	ecx
		retn
; 

loc_50978F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStUpdateMemoryCondition+1Bj
		mov	eax, ds:?PriorityByMemoryCondition@?1??SmStGetPriorityByMemoryCondition@?$SMKM_STORE@USM_TRAITS@@@@SGJW4_SMP_MEMORY_CONDITION@@J@Z@4PAJA[eax*4]	; long * `SMKM_STORE<SM_TRAITS>::SmStGetPriorityByMemoryCondition(_SMP_MEMORY_CONDITION,long)'::`2'::PriorityByMemoryCondition
		jmp	short loc_509765
; 

loc_509798:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStUpdateMemoryCondition+47j
		push	eax
		push	ecx
		call	KeSetActualBasePriorityThread
		jmp	short loc_50978B
; 

loc_5097A1:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStUpdateMemoryCondition+33j
		xor	edx, edx
		inc	edx
		jmp	short loc_50977E
SMKM_STORE_SM_TRAITS___SmStUpdateMemoryCondition endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes proc near
					; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+F4p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D8D5B SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_C], ecx
		push	esi
		push	edi
		mov	eax, [ebx]
		mov	ecx, [ebx+0Ch]
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		mov	esi, [eax+ecx*8-8]
		mov	eax, [ebp+arg_0]
		test	al, 1
		jnz	short loc_50983D
		mov	edi, esi
		mov	esi, eax

loc_5097D0:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+9Cj
		movzx	edx, word ptr [edi]
		mov	[ebp+arg_0], edx
		mov	edx, [ebp+var_4]
		mov	ecx, [edx+ecx*8-0Ch]
		mov	edx, [ebp+arg_0]
		cmp	edi, eax
		jz	short loc_509844

loc_5097E4:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+AEj
		cmp	byte ptr [edi+3], 0
		lea	eax, [edx+1]
		lea	eax, [edi+eax*8]
		mov	[ebp+var_8], eax
		jz	loc_5D8D5B
		mov	eax, [esi+4]
		mov	ecx, [ebp+var_8]
		mov	[edi+4], eax
		movzx	eax, word ptr [esi]
		shl	eax, 3
		push	eax		; size_t
		lea	eax, [esi+8]
		push	eax		; void *
		push	ecx		; void *

loc_50980C:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+CF5D8j
		call	_memcpy
		mov	ax, [esi]
		add	esp, 0Ch
		add	ax, word ptr [ebp+arg_0]
		mov	[edi], ax
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		dec	dword ptr [ebx+0Ch]
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx
		inc	dword ptr [ebx+0Ch]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_50983D:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+24j
		and	eax, 0FFFFFFFEh
		mov	edi, eax
		jmp	short loc_5097D0
; 

loc_509844:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+3Cj
		mov	edx, [ebp+var_4]
		sub	ecx, 8
		mov	eax, [ebp+var_8]
		mov	[edx+eax*8-0Ch], ecx
		mov	edx, [ebp+arg_0]
		jmp	short loc_5097E4
B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPrepareToStealNonPagedPool(x, x)
_MiPrepareToStealNonPagedPool@8	proc near ; CODE XREF: MiStealPage+848p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		xor	edx, edx
		test	byte ptr [ecx+17h], 10h
		push	edi
		jnz	short loc_5098C2
		mov	ecx, [esi]
		mov	[ebp+var_4], ecx
		nop
		mov	edi, [esi+4]
		mov	eax, ecx
		and	eax, 200h
		or	eax, edx
		jnz	short loc_5098C2
		mov	eax, ecx
		and	eax, 20h
		or	eax, edx
		jz	short loc_5098C2
		mov	ebx, ecx
		mov	eax, ecx
		and	ebx, 0FFFFFFDFh
		mov	edx, edi
		mov	[ebp+var_8], ebx
		nop
		mov	ecx, edi
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, [ebp+var_4]
		jnz	short loc_5098BC
		cmp	edx, edi
		jnz	short loc_5098BC
		shl	esi, 9
		xor	edx, edx
		push	2
		mov	ecx, esi
		call	KeFlushSingleTb
		mov	eax, [ebp+var_8]

loc_5098B5:				; CODE XREF: MiPrepareToStealNonPagedPool(x,x)+6Aj
		mov	edx, edi

loc_5098B7:				; CODE XREF: MiPrepareToStealNonPagedPool(x,x)+6Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5098BC:				; CODE XREF: MiPrepareToStealNonPagedPool(x,x)+48j
					; MiPrepareToStealNonPagedPool(x,x)+4Cj
		xor	eax, eax
		xor	edi, edi
		jmp	short loc_5098B5
; 

loc_5098C2:				; CODE XREF: MiPrepareToStealNonPagedPool(x,x)+13j
					; MiPrepareToStealNonPagedPool(x,x)+27j ...
		mov	eax, edx
		jmp	short loc_5098B7
_MiPrepareToStealNonPagedPool@8	endp


;  S U B	R O U T	I N E 


; __stdcall ExpTryAcquireResourceSharedStarveExclusive(x)
_ExpTryAcquireResourceSharedStarveExclusive@4 proc near
					; CODE XREF: ExpAcquireSharedStarveExclusive+1B1p
					; ExAcquireFastResourceSharedStarveExclusive(x,x,x)+185p
		test	byte ptr [ecx+0Eh], 80h
		jnz	short loc_5098D7
		xor	eax, eax
		inc	eax
		inc	dword ptr [ecx+20h]
		mov	[ecx+0Ch], ax
		retn
; 

loc_5098D7:				; CODE XREF: ExpTryAcquireResourceSharedStarveExclusive(x)+4j
		xor	al, al
		retn
_ExpTryAcquireResourceSharedStarveExclusive@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopFxResidentTimeoutDpcRoutine(x, x, x, x)
_PopFxResidentTimeoutDpcRoutine@16 proc	near ; DATA XREF: PoFxInitPowerManagement+9Eo
		xor	edx, edx
		mov	ecx, offset _PopFxResidentWorkItem
		push	0FFFFFFFFh
		inc	edx
		call	_ExQueueWorkItemEx@12 ;	ExQueueWorkItemEx(x,x,x)
		test	al, al
		jz	short loc_5098F0

locret_5098ED:				; CODE XREF: PopFxResidentTimeoutDpcRoutine(x,x,x,x)+1Dj
		retn	10h
; 

loc_5098F0:				; CODE XREF: PopFxResidentTimeoutDpcRoutine(x,x,x,x)+11j
		mov	cl, 1
		call	_PopFxArmResidentTimer@4 ; PopFxArmResidentTimer(x)
		jmp	short locret_5098ED
_PopFxResidentTimeoutDpcRoutine@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpTimerPause	proc near		; CODE XREF: PspSetProcessFreezeStateCallback+BDp
					; ExWakeTimersPause+79p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D8D83 SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	bl, dl
		mov	[ebp+var_C], edi
		mov	esi, ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		test	bl, bl
		jnz	short loc_509920
		lea	ecx, [esi+28h]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_509920:				; CODE XREF: ExpTimerPause+1Cj
		mov	al, [esi+0A8h]
		test	al, 2
		jnz	short loc_509988
		or	al, 2
		lea	edx, [ebp+var_C]
		mov	[esi+0A8h], al
		mov	ecx, esi
		lea	eax, [esi+0B8h]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeCancelTimerInternal@16 ; KeCancelTimerInternal(x,x,x,x)
		test	al, al
		jz	short loc_5099A8
		mov	edx, [ebp+var_4]
		mov	eax, edx
		sub	eax, 1
		jz	short loc_5099B2
		sub	eax, 1
		jnz	loc_5D8D83
		mov	ecx, [ebp+arg_C]
		cmp	[ebp+var_8], ecx
		jb	short loc_5099AC
		mov	eax, [ebp+arg_8]
		ja	short loc_509970
		cmp	[ebp+var_C], eax
		jbe	short loc_5099AC

loc_509970:				; CODE XREF: ExpTimerPause+6Fj
		sub	eax, [ebp+var_C]
		sbb	ecx, [ebp+var_8]

loc_509976:				; CODE XREF: ExpTimerPause+B6j
					; ExpTimerPause+DEj
		mov	[esi+0B0h], eax
		mov	[esi+0B4h], ecx

loc_509982:				; CODE XREF: ExpTimerPause+B0j
					; ExpTimerPause+CF48Cj	...
		mov	[esi+8Ch], dl

loc_509988:				; CODE XREF: ExpTimerPause+2Ej
		test	bl, bl
		jnz	short loc_5099A1
		add	esi, 28h
		test	ds:byte_70EFC6,	1
		jnz	loc_5D8DB4
		xor	eax, eax
		lock and [esi],	eax

loc_5099A1:				; CODE XREF: ExpTimerPause+90j
					; ExpTimerPause+CF4C4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_5099A8:				; CODE XREF: ExpTimerPause+4Fj
		mov	edx, edi
		jmp	short loc_509982
; 

loc_5099AC:				; CODE XREF: ExpTimerPause+6Aj
					; ExpTimerPause+74j
		mov	eax, edi
		mov	ecx, edi
		jmp	short loc_509976
; 

loc_5099B2:				; CODE XREF: ExpTimerPause+59j
		mov	ecx, [ebp+var_8]
		cmp	ecx, [ebp+arg_C]
		jb	loc_5D8DA3
		mov	eax, [ebp+var_C]
		ja	short loc_5099CC
		cmp	eax, [ebp+arg_8]
		jbe	loc_5D8DA3

loc_5099CC:				; CODE XREF: ExpTimerPause+C7j
		sub	eax, [ebp+arg_8]
		sbb	ecx, [ebp+arg_C]
		add	eax, [ebp+arg_0]
		adc	ecx, [ebp+arg_4]
		jmp	short loc_509976
ExpTimerPause	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeCancelTimerInternal(x, x,	x, x)
_KeCancelTimerInternal@16 proc near	; CODE XREF: ExpTimerPause+48p
					; ExpTimerAdjust(x,x,x,x,x,x,x,x)+34p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		xor	dl, dl
		call	KiCancelTimer
		mov	bl, al
		test	bl, bl
		jz	short loc_509A29
		mov	ecx, [esi+14h]
		mov	al, [esi+1]
		mov	edx, [esi+10h]
		mov	[edi+4], ecx
		mov	ecx, [ebp+arg_0]
		mov	[edi], edx
		mov	dword ptr [ecx], 2
		test	al, 1
		jnz	short loc_509A3A
		test	al, 2
		jnz	short loc_509A42

loc_509A12:				; CODE XREF: KeCancelTimerInternal(x,x,x,x)+66j
					; KeCancelTimerInternal(x,x,x,x)+6Ej
		movzx	eax, al
		mov	ecx, 2710h
		and	eax, 0FFFFFFFCh
		xor	edx, edx
		shl	eax, 10h
		div	ecx
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax

loc_509A29:				; CODE XREF: KeCancelTimerInternal(x,x,x,x)+17j
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
; 

loc_509A3A:				; CODE XREF: KeCancelTimerInternal(x,x,x,x)+32j
		mov	dword ptr [ecx], 1
		jmp	short loc_509A12
; 

loc_509A42:				; CODE XREF: KeCancelTimerInternal(x,x,x,x)+36j
		mov	dword ptr [ecx], 3
		jmp	short loc_509A12
_KeCancelTimerInternal@16 endp


;  S U B	R O U T	I N E 


OBJECT_HEADER_TO_AUDIT_INFO proc near	; CODE XREF: ObDuplicateObject+48Ep
					; ObpAuditObjectAccess(x,x,x,x,x)+86p ...

; FUNCTION CHUNK AT 005D8DC3 SIZE 00000014 BYTES

		mov	al, [ecx+0Eh]
		test	al, 20h
		jnz	loc_5D8DC3
		xor	ecx, ecx

loc_509A57:				; CODE XREF: OBJECT_HEADER_TO_AUDIT_INFO+CF388j
		mov	eax, ecx
		retn
OBJECT_HEADER_TO_AUDIT_INFO endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCompletePageWrite proc near		; DATA XREF: .text:00524919o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D8DD7 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		add	edx, 0FFFFFFC0h
		cmp	byte ptr [edx+21h], 0
		jz	loc_5D8DD7

loc_509A6F:				; CODE XREF: IopCompletePageWrite+CF389j
		mov	ecx, [edx+28h]
		mov	eax, [edx+18h]
		push	ebx
		push	esi
		mov	[ecx], eax
		mov	eax, [edx+1Ch]
		push	edi
		mov	[ecx+4], eax
		mov	ebx, [edx+30h]
		mov	edi, [edx+34h]
		mov	esi, [edx+28h]
		push	edx
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		push	0
		push	esi
		push	edi
		call	ebx
		pop	edi
		pop	esi
		pop	ebx

loc_509A98:				; CODE XREF: IopCompletePageWrite+CF395j
		pop	ebp
		retn	14h
IopCompletePageWrite endp ; sp = -0Ch


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeleteCloneZombies proc near		; CODE XREF: MmCleanProcessAddressSpace+1D2p
					; MiDeleteInsertedCloneVads(x)+101p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D8DF4 SIZE 00000063 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+24Ch]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		push	esi
		push	edi
		cmp	[eax+94h], bx
		jnz	loc_5D8DF4

loc_509ABD:				; CODE XREF: MiDeleteCloneZombies+CF3A0j
					; MiDeleteCloneZombies+CF3B6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiDeleteCloneZombies endp

; 
		align 8
; Exported entry 197. CcFlushCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcFlushCache(x, x, x, x)
		public _CcFlushCache@16
_CcFlushCache@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		push	[ebp+arg_8]
		call	_CcFlushCachePriv@24 ; CcFlushCachePriv(x,x,x,x,x,x)
		pop	ebp
		retn	10h
_CcFlushCache@16 endp ;	sp = -10h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiBalanceSetManagerDeferredRoutine(x, x, x,	x)
_KiBalanceSetManagerDeferredRoutine@16 proc near ; DATA	XREF: KiInitSystem+ECo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0Ah
		push	[ebp+arg_4]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	ebp
		retn	10h
_KiBalanceSetManagerDeferredRoutine@16 endp

; 
		align 4

ExInitializePagedLookasideListInternal:	; CODE XREF: ExInitializePagedLookasideList(x,x,x,x,x,x,x)+1Cp
					; FsRtlInitExtraCreateParameterLookasideList(x,x,x,x)+1Fp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ax, _ExMinimumLookasideDepth
		mov	edx, [ebp+0Ch]
		mov	ecx, [ebp+10h]
		push	ebx
		push	esi
		mov	esi, [ebp+8]
		push	edi
		xor	edi, edi
		mov	[esi], edi
		mov	[esi+4], edi
		mov	[esi+8], ax
		mov	eax, 100h
		mov	[esi+0Ah], ax
		mov	eax, [ebp+14h]
		or	eax, 1
		mov	[esi+0Ch], edi
		mov	[esi+1Ch], eax
		mov	eax, [ebp+1Ch]
		mov	[esi+20h], eax
		mov	eax, [ebp+18h]
		mov	[esi+10h], edi
		mov	[esi+14h], edi
		mov	[esi+18h], edi
		mov	[esi+24h], eax
		test	edx, edx
		jnz	short loc_509B51
		mov	edx, offset _ExAllocatePoolWithTag@12 ;	ExAllocatePoolWithTag(x,x,x)

loc_509B51:				; CODE XREF: .text:00509B4Aj
		mov	[esi+28h], edx
		test	ecx, ecx
		jnz	short loc_509B5D
		mov	ecx, offset _ExFreePool@4 ; ExFreePool(x)

loc_509B5D:				; CODE XREF: .text:00509B56j
		mov	[esi+2Ch], ecx
		mov	[esi+38h], edi
		mov	[esi+3Ch], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _ExPagedLookasideLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	[ebp+24h], edi
		jnz	loc_5D8E57
		cmp	_ExMinimumLookasideDepth, di
		jz	short loc_509BCE

loc_509B8A:				; CODE XREF: .text:00509BD5j
					; .text:005D8E68j
		mov	eax, dword_6BBC54
		mov	ecx, offset _ExPagedLookasideListHead
		add	esi, 30h
		cmp	[eax], ecx
		jnz	short loc_509BD7
		mov	[esi], ecx
		mov	ecx, offset _ExPagedLookasideLock
		mov	[esi+4], eax
		mov	[eax], esi
		test	ds:byte_70EFC6,	1
		mov	dword_6BBC54, esi
		jnz	loc_5D8E6D
		xor	eax, eax
		lock and [ecx],	eax

loc_509BBF:				; CODE XREF: .text:005D8E75j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	20h
; 

loc_509BCE:				; CODE XREF: .text:00509B88j
		mov	dword ptr [esi+8], 0FFFF0000h
		jmp	short loc_509B8A
; 

loc_509BD7:				; CODE XREF: .text:00509B99j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1199. KeIsSingleGroupAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeIsSingleGroupAffinityEx
KeIsSingleGroupAffinityEx proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D8E7A SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+8], 0
		jnz	loc_5D8E7A
		xor	eax, eax

loc_509BF6:				; CODE XREF: KeIsSingleGroupAffinityEx+CF2A7j
		pop	ebp
		retn	8
KeIsSingleGroupAffinityEx endp


;  S U B	R O U T	I N E 


; __stdcall KiAbCompareSnappedEntryState(x, x)
_KiAbCompareSnappedEntryState@8	proc near ; CODE XREF: KiAbEntryGetLockedHeadEntry+504p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		lea	esi, [ecx+10h]
		xor	eax, eax
		xor	edx, edx
		nop
		push	ebx
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [esi]
		pop	ebx
		nop
		test	eax, eax
		jns	short loc_509C2B
		cmp	edx, [edi+4]
		jnz	short loc_509C2B
		and	eax, 7FFFFFFCh
		cmp	eax, [edi]
		jnz	short loc_509C2B
		xor	eax, eax
		inc	eax

loc_509C28:				; CODE XREF: KiAbCompareSnappedEntryState(x,x)+33j
		pop	edi
		pop	esi
		retn
; 

loc_509C2B:				; CODE XREF: KiAbCompareSnappedEntryState(x,x)+1Bj
					; KiAbCompareSnappedEntryState(x,x)+20j ...
		xor	eax, eax
		jmp	short loc_509C28
_KiAbCompareSnappedEntryState@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 


RealPredecessor	proc near		; CODE XREF: RtlDeleteElementGenericTableAvl(x,x)+6Fp
					; RtlDeleteElementGenericTableAvlEx+8860Ep ...

; FUNCTION CHUNK AT 005D8E8E SIZE 0000000A BYTES

		mov	eax, [ecx+4]
		test	eax, eax
		jnz	loc_5D8E90
		mov	eax, [ecx]
		jmp	short loc_509C43
; 

loc_509C3F:				; CODE XREF: RealPredecessor+16j
		mov	ecx, eax
		mov	eax, [eax]

loc_509C43:				; CODE XREF: RealPredecessor+Dj
		cmp	[eax+4], ecx
		jz	short loc_509C3F
		cmp	[eax+8], ecx
		jnz	short loc_509C51
		cmp	[eax], eax
		jnz	short locret_509C53

loc_509C51:				; CODE XREF: RealPredecessor+1Bj
		xor	eax, eax

locret_509C53:				; CODE XREF: RealPredecessor+1Fj
		retn
RealPredecessor	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpAllowsLowBoxAccess(x)
_RtlpAllowsLowBoxAccess@4 proc near	; CODE XREF: RtlpLookupLowBox(x,x,x)+3Ap

var_9E		= byte ptr -9Eh
var_9D		= byte ptr -9Dh
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0A4h+var_4], eax
		xor	eax, eax
		mov	[esp+0A4h+var_48], 30000h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+0B0h+var_94], eax
		mov	ecx, 20000h
		mov	[esp+0B0h+var_98], eax
		mov	[esp+0B0h+var_7C], eax
		mov	[esp+0B0h+var_78], eax
		test	byte ptr [edi+16h], 2
		mov	[esp+0B0h+var_9D], al
		mov	[esp+0B0h+var_4C], ecx
		mov	[esp+0B0h+var_44], ecx
		mov	[esp+0B0h+var_40], 1F0000h
		mov	[esp+0B0h+var_6C], eax
		mov	[esp+0B0h+var_68], eax
		mov	[esp+0B0h+var_5C], eax
		mov	[esp+0B0h+var_58], eax
		mov	[esp+0B0h+var_54], eax
		mov	[esp+0B0h+var_8C], eax
		mov	[esp+0B0h+var_88], eax
		mov	[esp+0B0h+var_84], eax
		mov	[esp+0B0h+var_80], eax
		jz	short loc_509CD9
		mov	al, 1
		jmp	loc_509E24
; 

loc_509CD9:				; CODE XREF: RtlpAllowsLowBoxAccess(x)+7Cj
		cmp	byte_6D7060, al
		jnz	short loc_509CE8
		xor	al, al
		jmp	loc_509E24
; 

loc_509CE8:				; CODE XREF: RtlpAllowsLowBoxAccess(x)+8Bj
		push	offset ??_C@_1DA@NLFMKLPC@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AA?5?$AAA?$AAt?$AAo?$AAm?$AA?5?$AAT?$AAa?$AAb@FNODOBFM@
		lea	eax, [esp+0B4h+var_8C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, byte ptr [edi+18h]
		xor	ebx, ebx
		push	6D4E7441h
		inc	ebx
		lea	eax, ds:2[eax*2]
		push	eax
		push	ebx
		mov	[esp+0BCh+var_9C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_509D48
		push	[esp+0B0h+var_9C] ; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edx, [esp+0BCh+var_9C]
		lea	eax, [edi+1Ah]
		add	esp, 0Ch
		mov	ecx, esi
		push	eax
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		test	eax, eax
		js	short loc_509D41
		mov	eax, esi
		jmp	short loc_509D4D
; 

loc_509D41:				; CODE XREF: RtlpAllowsLowBoxAccess(x)+E7j
		mov	eax, offset ??_C@_1DK@PCEJDHOK@?$AAU?$AAn?$AAa?$AAb?$AAl?$AAe?$AA?5?$AAt?$AAo?$AA?5?$AAc?$AAa?$AAp?$AAt?$AAu@FNODOBFM@
		jmp	short loc_509D4D
; 

loc_509D48:				; CODE XREF: RtlpAllowsLowBoxAccess(x)+C5j
		mov	eax, offset ??_C@_1FA@EHGIIEPM@?$AAU?$AAn?$AAa?$AAb?$AAl?$AAe?$AA?5?$AAt?$AAo?$AA?5?$AAA?$AAl?$AAl?$AAo?$AAc@FNODOBFM@

loc_509D4D:				; CODE XREF: RtlpAllowsLowBoxAccess(x)+EBj
					; RtlpAllowsLowBoxAccess(x)+F2j
		push	eax
		lea	eax, [esp+0B4h+var_84]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+0B0h+var_8C]
		mov	[esp+0B0h+var_64], eax
		lea	ecx, [esp+0B0h+var_6C]
		lea	eax, [esp+0B0h+var_84]
		mov	[esp+0B0h+var_60], eax
		call	SeSetLearningModeObjectInformation
		mov	ecx, large fs:124h
		lea	eax, [esp+0B0h+var_3C]
		mov	[esp+0B0h+var_90], eax
		lea	edx, [esp+0B0h+var_50]
		push	0
		lea	eax, [esp+0B4h+var_9C]
		push	eax
		lea	eax, [esp+1Bh]
		push	eax
		call	PsReferenceEffectiveToken
		mov	[esp+0B0h+var_74], eax
		xor	edx, edx
		mov	eax, large fs:124h
		push	edx
		mov	eax, [eax+80h]
		mov	eax, [eax+0E4h]
		mov	[esp+0B4h+var_70], eax
		mov	eax, large fs:124h
		mov	ecx, ds:_SeAtomSd
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+0B4h+var_9C], al
		lea	eax, [esp+0B4h+var_94]
		push	eax
		lea	eax, [esp+0B8h+var_98]
		push	eax
		push	[esp+0BCh+var_9C]
		lea	eax, [esp+0C0h+var_4C]
		push	eax
		lea	eax, [esp+0C4h+var_90]
		push	eax
		push	edx
		push	20000h
		push	edx
		lea	eax, [esp+0D4h+var_7C]
		push	eax
		call	SeAccessCheckWithHintWithAdminlessChecks
		mov	ecx, [esp+0B0h+var_74]
		mov	[esp+0B0h+var_9D], al
		call	ObfDereferenceObject
		test	esi, esi
		jz	short loc_509E0D
		push	6D4E7441h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_509E0D:				; CODE XREF: RtlpAllowsLowBoxAccess(x)+1ACj
		call	SeClearLearningModeObjectInformation
		cmp	[esp+0B0h+var_9D], 1
		jnz	short loc_509E20
		cmp	[esp+0B0h+var_98], 0
		jnz	short loc_509E22

loc_509E20:				; CODE XREF: RtlpAllowsLowBoxAccess(x)+1C3j
		xor	bl, bl

loc_509E22:				; CODE XREF: RtlpAllowsLowBoxAccess(x)+1CAj
		mov	al, bl

loc_509E24:				; CODE XREF: RtlpAllowsLowBoxAccess(x)+80j
					; RtlpAllowsLowBoxAccess(x)+8Fj
		mov	ecx, [esp+0B0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_RtlpAllowsLowBoxAccess@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiIntSteerSetDestination(x,	x)
_KiIntSteerSetDestination@8 proc near	; CODE XREF: KiIntSteerDistributeInterrupts()+9Dp
					; KiIntSteerConnect+1F1p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_KiIntSteerVerifyDestination@8 ; KiIntSteerVerifyDestination(x,x)
		test	eax, eax
		js	short loc_509E95
		mov	eax, [esi+68h]
		cmp	eax, 1
		jz	short loc_509E7A
		cmp	eax, 3
		jz	short loc_509E7A
		cmp	eax, 2
		jnz	short loc_509E73
		mov	ecx, [esi+0A0h]
		mov	ax, [edi+4]
		mov	[ecx+4], ax
		mov	eax, [edi]
		mov	[ecx], eax
		xor	eax, eax
		jmp	short loc_509E92
; 

loc_509E73:				; CODE XREF: KiIntSteerSetDestination(x,x)+21j
		mov	eax, 0C00000BBh
		jmp	short loc_509E92
; 

loc_509E7A:				; CODE XREF: KiIntSteerSetDestination(x,x)+17j
					; KiIntSteerSetDestination(x,x)+1Cj
		lea	eax, [esi+10h]
		mov	ecx, [eax]
		inc	ecx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		lea	eax, [esi+18h]
		push	ecx
		push	edi
		push	eax
		call	off_6B137C	; MmProtectDriverSection(x,x,x)

loc_509E92:				; CODE XREF: KiIntSteerSetDestination(x,x)+37j
					; KiIntSteerSetDestination(x,x)+3Ej
		pop	edi
		pop	esi
		retn
; 

loc_509E95:				; CODE XREF: KiIntSteerSetDestination(x,x)+Fj
		push	edi
		push	esi
		push	101h
		push	4001h
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_KiIntSteerSetDestination@8 endp


;  S U B	R O U T	I N E 


; __stdcall KiIntSteerVerifyDestination(x, x)
_KiIntSteerVerifyDestination@8 proc near ; CODE	XREF: KiIntSteerSetDestination(x,x)+8p
					; KiIntSteerComputeCpuSet(x,x)+2Fp
		mov	ax, [ecx+30h]
		cmp	ax, [edx+4]
		jnz	short loc_509ECF
		mov	edx, [edx]
		test	edx, edx
		jz	short loc_509ECF
		mov	ecx, [ecx+2Ch]
		mov	eax, ecx
		or	eax, edx
		sub	eax, ecx
		neg	eax
		sbb	eax, eax
		and	eax, 0C000000Dh
		retn
; 

loc_509ECF:				; CODE XREF: KiIntSteerVerifyDestination(x,x)+8j
					; KiIntSteerVerifyDestination(x,x)+Ej
		mov	eax, 0C000000Dh
		retn
_KiIntSteerVerifyDestination@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ULongLongToULong(x,	x, x)
_ULongLongToULong@12 proc near		; CODE XREF: SmArrayGrow+35p
					; .text:005406BCp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	edx, edx
		cmp	[ebp+arg_4], edx
		ja	short loc_509EF4
		mov	eax, [ebp+arg_0]
		jb	short loc_509EEC
		cmp	eax, 0FFFFFFFFh
		ja	short loc_509EF4

loc_509EEC:				; CODE XREF: ULongLongToULong(x,x,x)+Fj
					; ULongLongToULong(x,x,x)+26j
		mov	[ecx], eax
		mov	eax, edx
		pop	ebp
		retn	8
; 

loc_509EF4:				; CODE XREF: ULongLongToULong(x,x,x)+Aj
					; ULongLongToULong(x,x,x)+14j
		mov	edx, 80070216h
		or	eax, 0FFFFFFFFh
		jmp	short loc_509EEC
_ULongLongToULong@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetAvailablePagesExcludeSlists(x)
_MiGetAvailablePagesExcludeSlists@4 proc near
					; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+855p
					; MiPfPrepareSequentialReadList+10Fp
		mov	eax, [ecx+0FC0h]
		retn
_MiGetAvailablePagesExcludeSlists@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcPerfLogLoggedStreamsStats proc near	; CODE XREF: CcLazyWriteScan+710p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D8E98 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], ecx
		lea	edi, [ebp+var_10]
		mov	ebx, edx
		stosd
		lea	edx, [ebp+var_10]
		mov	ecx, offset _CcMasterLock
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, _CcVolumeCacheMapList
		cmp	esi, offset _CcVolumeCacheMapList
		jz	short loc_509F53
		mov	edi, [ebp+var_4]

loc_509F3C:				; CODE XREF: CcPerfLogLoggedStreamsStats+4Bj
		cmp	dword ptr [esi+0Ch], 0
		jz	short loc_509F49
		mov	ecx, [esi+60h]
		test	ecx, ecx
		jnz	short loc_509F88

loc_509F49:				; CODE XREF: CcPerfLogLoggedStreamsStats+3Aj
					; CcPerfLogLoggedStreamsStats+9Aj
		mov	esi, [esi]
		cmp	esi, offset _CcVolumeCacheMapList
		jnz	short loc_509F3C

loc_509F53:				; CODE XREF: CcPerfLogLoggedStreamsStats+31j
		test	ds:byte_70EFC6,	1
		jnz	loc_5D8E98
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_509FAA
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	short loc_509FA2

loc_509F7A:				; CODE XREF: CcPerfLogLoggedStreamsStats+B4j
					; CcPerfLogLoggedStreamsStats+CEF9Dj
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_509F88:				; CODE XREF: CcPerfLogLoggedStreamsStats+41j
		push	dword ptr [esi+58h]
		mov	edx, edi
		push	dword ptr [esi+54h]
		push	dword ptr [esi+24h]
		push	dword ptr [esi+18h]
		push	ebx
		call	_CcPerfLogVolumeLogHandleInfo@28 ; CcPerfLogVolumeLogHandleInfo(x,x,x,x,x,x,x)
		and	dword ptr [esi+60h], 0
		jmp	short loc_509F49
; 

loc_509FA2:				; CODE XREF: CcPerfLogLoggedStreamsStats+72j
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid

loc_509FAA:				; CODE XREF: CcPerfLogLoggedStreamsStats+5Fj
		xor	ecx, ecx
		mov	[ebp+var_10], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_509F7A
CcPerfLogLoggedStreamsStats endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcPerfLogVolumeLogHandleInfo(x, x, x, x, x,	x, x)
_CcPerfLogVolumeLogHandleInfo@28 proc near ; CODE XREF:	CcPerfLogLoggedStreamsStats+91p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_18], 0
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_10], eax
		xor	eax, eax
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], eax
		test	dl, 1
		jnz	short loc_50A054

loc_509FFD:				; CODE XREF: CcPerfLogVolumeLogHandleInfo(x,x,x,x,x,x,x)+9Ej
		test	dl, 2
		jnz	short loc_50A05C

loc_50A002:				; CODE XREF: CcPerfLogVolumeLogHandleInfo(x,x,x,x,x,x,x)+A6j
		test	dl, 4
		jz	short loc_50A00D
		or	eax, 4
		mov	[ebp+var_28], eax

loc_50A00D:				; CODE XREF: CcPerfLogVolumeLogHandleInfo(x,x,x,x,x,x,x)+49j
		test	dl, 10h
		jnz	short loc_50A064

loc_50A012:				; CODE XREF: CcPerfLogVolumeLogHandleInfo(x,x,x,x,x,x,x)+AEj
		test	dl, 8
		jnz	short loc_50A06C

loc_50A017:				; CODE XREF: CcPerfLogVolumeLogHandleInfo(x,x,x,x,x,x,x)+B6j
		and	[ebp+var_38], 0
		lea	eax, [ebp+var_2C]
		and	[ebp+var_30], 0
		lea	ecx, [ebp+var_3C]
		push	(offset	off_401900+2)
		push	160Dh
		xor	edx, edx
		mov	[ebp+var_3C], eax
		push	80020000h
		inc	edx
		mov	[ebp+var_34], 20h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_50A054:				; CODE XREF: CcPerfLogVolumeLogHandleInfo(x,x,x,x,x,x,x)+3Fj
		xor	eax, eax
		inc	eax
		mov	[ebp+var_28], eax
		jmp	short loc_509FFD
; 

loc_50A05C:				; CODE XREF: CcPerfLogVolumeLogHandleInfo(x,x,x,x,x,x,x)+44j
		or	eax, 2
		mov	[ebp+var_28], eax
		jmp	short loc_50A002
; 

loc_50A064:				; CODE XREF: CcPerfLogVolumeLogHandleInfo(x,x,x,x,x,x,x)+54j
		or	eax, 10h
		mov	[ebp+var_28], eax
		jmp	short loc_50A012
; 

loc_50A06C:				; CODE XREF: CcPerfLogVolumeLogHandleInfo(x,x,x,x,x,x,x)+59j
		or	eax, 8
		mov	[ebp+var_28], eax
		jmp	short loc_50A017
_CcPerfLogVolumeLogHandleInfo@28 endp


;  S U B	R O U T	I N E 


CcIsLazyWriteScanQueued	proc near	; CODE XREF: CcQueueLazyWriteScanThread+116p

; FUNCTION CHUNK AT 005D8EA8 SIZE 00000016 BYTES

		xor	eax, eax
		test	edx, edx
		jz	short locret_50A098
		cmp	edx, 2
		jbe	short loc_50A099
		cmp	edx, 4
		jnz	loc_5D8EA8
		cmp	[ecx+193h], al
		jnz	short loc_50A0B1
		cmp	[ecx+192h], al

loc_50A096:				; CODE XREF: CcIsLazyWriteScanQueued+3Bj
		jnz	short loc_50A0B1

locret_50A098:				; CODE XREF: CcIsLazyWriteScanQueued+4j
		retn
; 

loc_50A099:				; CODE XREF: CcIsLazyWriteScanQueued+9j
					; CcIsLazyWriteScanQueued+CEE3Cj
		cmp	[ecx+194h], al
		jnz	short loc_50A0B1
		cmp	[ecx+195h], al
		jnz	short loc_50A0B1
		cmp	[ecx+196h], al
		jmp	short loc_50A096
; 

loc_50A0B1:				; CODE XREF: CcIsLazyWriteScanQueued+1Aj
					; CcIsLazyWriteScanQueued:loc_50A096j ...
		mov	al, 1
		retn
CcIsLazyWriteScanQueued	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 875. IoGetLowerDeviceObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetLowerDeviceObject(x)
		public _IoGetLowerDeviceObject@4
_IoGetLowerDeviceObject@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 746C6644h
		call	IoGetLowerDeviceObjectWithTag
		pop	ebp
		retn	4
_IoGetLowerDeviceObject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoGetLowerDeviceObjectWithTag proc near	; CODE XREF: IoGetLowerDeviceObject(x)+Dp
					; IopCheckDeviceFlags(x,x)+2Fp	...

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005D8EBE SIZE 00000087 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	esi, ecx
		mov	[ebp+var_8], edx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, [esi+0B0h]
		xor	edi, edi
		mov	[ebp+var_1], al
		mov	eax, [ecx+10h]
		test	al, 0Fh
		jnz	loc_5D8EBE

loc_50A0FE:				; CODE XREF: IoGetLowerDeviceObjectWithTag+CEDF5j
		mov	eax, [ecx+18h]
		mov	ebx, edi
		test	eax, eax
		jnz	short loc_50A14F

loc_50A107:				; CODE XREF: IoGetLowerDeviceObjectWithTag+8Bj
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jnz	loc_5D8F1F
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5D8F35
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5D8F2E

loc_50A13D:				; CODE XREF: IoGetLowerDeviceObjectWithTag+CEE59j
					; IoGetLowerDeviceObjectWithTag+CEE70j
		mov	edi, ebx

loc_50A13F:				; CODE XREF: IoGetLowerDeviceObjectWithTag+CEE1Aj
					; IoGetLowerDeviceObjectWithTag+CEE32j	...
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_50A14F:				; CODE XREF: IoGetLowerDeviceObjectWithTag+35j
		mov	edx, [ebp+var_8]
		mov	ebx, eax
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag
		jmp	short loc_50A107
IoGetLowerDeviceObjectWithTag endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RtlInvertBitMap(x)
_RtlInvertBitMap@4 proc	near		; CODE XREF: HvUnCOWReconciledPages+42p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	short loc_50A189
		push	esi
		push	edi
		xor	edi, edi

loc_50A16D:				; CODE XREF: RtlInvertBitMap(x)+27j
		mov	edx, [ebx+4]
		mov	esi, [edx+edi]
		cmp	ecx, 20h
		jb	short loc_50A18B
		sub	ecx, 20h
		not	esi

loc_50A17D:				; CODE XREF: RtlInvertBitMap(x)+37j
		mov	[edx+edi], esi
		add	edi, 4
		test	ecx, ecx
		jnz	short loc_50A16D
		pop	edi
		pop	esi

loc_50A189:				; CODE XREF: RtlInvertBitMap(x)+9j
		pop	ebx
		retn
; 

loc_50A18B:				; CODE XREF: RtlInvertBitMap(x)+18j
		xor	eax, eax
		inc	eax
		shl	eax, cl
		xor	ecx, ecx
		dec	eax
		xor	esi, eax
		jmp	short loc_50A17D
_RtlInvertBitMap@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeQueryBootTimeValues proc near		; CODE XREF: PipUpdateDeviceProducts+153p
					; PAGE:0077E79Fp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D8F45 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		mov	[ebp+var_C], ebx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_8], 0
		mov	[ebp+var_1], al
		mov	eax, 0FFDF0018h
		mov	esi, [eax]
		add	eax, 0FFFFFFFCh
		mov	[edi+4], esi
		mov	ecx, [eax]
		mov	eax, 0FFDF001Ch
		mov	[edi], ecx
		mov	eax, [eax]
		cmp	[edi+4], eax
		jnz	loc_5D8F45

loc_50A1D8:				; CODE XREF: KeQueryBootTimeValues+CEDD5j
		mov	eax, ds:_KeBootTime
		mov	ecx, [ebp+arg_0]
		mov	[ebx], eax
		mov	eax, ds:dword_70E2EC
		mov	[ebx+4], eax
		mov	eax, ds:_KeBootTimeBias
		mov	[ecx], eax
		mov	eax, ds:dword_70E73C
		mov	[ecx+4], eax
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
KeQueryBootTimeValues endp

; 
		align 2

;  S U B	R O U T	I N E 


AuthzBasepEqualUnicodeStringCaseSensitive proc near
					; CODE XREF: AuthzBasepFindSecurityAttribute(x,x)+88p
					; AuthzBasepCompareUnicodeStringOperands+EDD5Ep ...

; FUNCTION CHUNK AT 005D8F72 SIZE 00000015 BYTES

		movzx	eax, word ptr [ecx]
		cmp	ax, [edx]
		jz	loc_5D8F72
		xor	al, al
		retn
AuthzBasepEqualUnicodeStringCaseSensitive endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPrefetchRestOfCluster(x, x, x)
_MiPrefetchRestOfCluster@12 proc near	; CODE XREF: .text:004490A2p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, [edx+0Ch]
		cmp	ecx, [edx+8]
		jnb	short loc_50A265
		mov	esi, [edi+88h]
		cmp	esi, dword_6D07D0
		jnb	short loc_50A2A1

loc_50A23D:				; CODE XREF: MiPrefetchRestOfCluster(x,x,x)+94j
					; MiPrefetchRestOfCluster(x,x,x)+98j
		mov	ebx, [ebp+arg_0]

loc_50A240:				; CODE XREF: MiPrefetchRestOfCluster(x,x,x)+9Dj
		mov	eax, [edi+70h]
		add	eax, 0FFFh
		add	esi, eax
		mov	eax, [edx+4]
		and	esi, 0FFFFF000h
		mov	edx, [eax+ecx*8]
		cmp	esi, edx
		jb	short loc_50A265
		mov	ecx, [eax+ecx*8+4]
		lea	eax, [ecx+edx]
		cmp	esi, eax
		jb	short loc_50A26C

loc_50A265:				; CODE XREF: MiPrefetchRestOfCluster(x,x,x)+13j
					; MiPrefetchRestOfCluster(x,x,x)+3Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_50A26C:				; CODE XREF: MiPrefetchRestOfCluster(x,x,x)+49j
		sub	ecx, esi
		mov	[ebp+var_C], esi
		add	ecx, edx
		mov	[ebp+var_8], ecx
		mov	ecx, large fs:124h
		call	_MiGetEffectivePagePriorityThread@4 ; MiGetEffectivePagePriorityThread(x)
		and	eax, 7
		xor	ecx, ecx
		mov	edx, eax
		inc	ecx
		or	edx, 2800h
		shl	edx, 3
		or	edx, eax
		push	edx
		push	ebx
		lea	edx, [ebp+var_C]
		call	MiPrefetchVirtualMemory
		jmp	short loc_50A265
; 

loc_50A2A1:				; CODE XREF: MiPrefetchRestOfCluster(x,x,x)+21j
		mov	eax, esi
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_50A23D
		cmp	al, 0Bh
		jz	short loc_50A23D
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_50A240
_MiPrefetchRestOfCluster@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ViCreateProcessCallback	proc near	; DATA XREF: VfFaultsSetParameters(x)+37o
					; ViInitSystemPhase1+12o

arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005D8F87 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_ViVerifierEnabled, 0
		jnz	loc_5D8F87

loc_50A2CC:				; CODE XREF: ViCreateProcessCallback+CECD8j
		pop	ebp
		retn	0Ch
ViCreateProcessCallback	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSwapStackPage(x, x, x, x,	x, x, x)
_MiSwapStackPage@28 proc near		; CODE XREF: MiTradePage(x,x)+474p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, large fs:124h
		and	[ebp+var_24], 0
		push	esi
		push	edi
		push	0
		push	40h
		mov	edi, edx
		mov	[ebp+var_1C], ecx
		push	2Ch
		mov	edx, 734B694Dh
		mov	[ebp+var_8], edi
		pop	ecx
		mov	[ebp+var_28], eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_50A78B
		mov	eax, [ebp+var_1C]
		mov	[esi+10h], eax
		mov	edi, [edi+4]
		or	edi, 80000000h
		mov	eax, edi
		mov	[ebp+var_18], edi
		shl	eax, 9
		mov	[esi+18h], eax
		cmp	eax, dword_6D07D0
		jb	loc_50A783
		shr	eax, 15h
		movzx	eax, byte ptr dword_6D3994[eax]
		mov	[ebp+var_34], eax
		cmp	eax, 0Eh
		jnz	short loc_50A35B
		mov	eax, offset unk_6D3A40
		jmp	short loc_50A36C
; 

loc_50A35B:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+82j
		cmp	eax, 0Ch
		jnz	loc_50A783
		xor	ecx, ecx
		inc	ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)

loc_50A36C:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+89j
		mov	[esi+20h], eax
		cmp	byte_6D35B0, 0
		mov	[ebp+var_C], eax
		jz	loc_50A783
		mov	eax, [ebp+var_8]
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		cmp	dword ptr [ebx+0Ch], 0FFFFFFFFh
		mov	ecx, eax
		mov	[ebp+var_2C], ecx
		jz	short loc_50A3B0
		mov	eax, dword_6D06D0
		mov	edx, eax
		not	edx
		and	eax, ecx
		and	edx, [ebx+0Ch]
		or	edx, eax
		mov	eax, 230h
		jmp	short loc_50A3DD
; 

loc_50A3B0:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+C7j
		call	MiSearchNumaNodeTable
		mov	cl, byte_6D068C
		mov	edx, [eax+4]
		mov	eax, dword_6D06D0
		and	eax, [ebp+var_2C]
		shl	edx, cl
		or	edx, eax
		test	dword ptr [ebx+10h], 3000000h
		mov	eax, 10200h
		jnz	short loc_50A3DD
		mov	eax, 200h

loc_50A3DD:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+DEj
					; MiSwapStackPage(x,x,x,x,x,x,x)+106j
		mov	ecx, [ebp+var_1C]
		push	eax
		call	MiGetPage
		mov	[ebp+var_20], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_50A783
		imul	eax, 1Ch
		xor	edx, edx
		push	0
		add	eax, ds:_MmPfnDatabase
		mov	ecx, eax
		mov	[ebp+var_10], eax
		call	_MiSetPfnTbFlushStamp@12 ; MiSetPfnTbFlushStamp(x,x,x)
		mov	ecx, [ebp+var_C]
		and	dword ptr [esi+1Ch], 0
		call	MiLockWorkingSetShared
		mov	ecx, [ebp+var_8]
		and	[ebp+var_30], 0
		mov	byte ptr [ebp+var_4+3],	al
		lea	eax, [ecx+10h]
		mov	[ebp+var_14], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_50A448
		mov	edi, eax

loc_50A42E:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+169j
					; MiSwapStackPage(x,x,x,x,x,x,x)+170j
		lea	ecx, [ebp+var_30]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_50A42E
		lock bts dword ptr [edi], 1Fh
		jb	short loc_50A42E
		mov	edi, [ebp+var_18]
		mov	ecx, [ebp+var_8]

loc_50A448:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+15Aj
		cmp	[ebp+var_1C], offset _MiSystemPartition
		jnz	loc_50A765
		mov	eax, [ecx+4]
		or	eax, 80000000h
		cmp	edi, eax
		jnz	loc_50A765
		mov	eax, [esi+18h]
		cmp	eax, dword_6D07D0
		jnb	short loc_50A474
		xor	eax, eax
		jmp	short loc_50A47E
; 

loc_50A474:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+19Ej
		shr	eax, 15h
		movzx	eax, byte ptr dword_6D3994[eax]

loc_50A47E:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+1A2j
		cmp	[ebp+var_34], eax
		jnz	loc_50A765
		xor	edx, edx
		inc	edx
		call	_MiCanStealKernelStack@8 ; MiCanStealKernelStack(x,x)
		test	eax, eax
		jz	loc_50A765
		mov	ecx, [ebp+var_C]
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		push	1
		mov	edx, edi
		mov	[ebp+var_18], edi
		call	MiLockPageTableInternal
		test	eax, eax
		jz	loc_50A765
		test	ds:_MiFlags, 800h
		jnz	short loc_50A50A
		push	[ebp+var_10]
		mov	edx, [ebp+var_8]
		mov	ecx, [ebx+8]
		call	MiSwapStackPageNoDpc
		cmp	eax, 1
		jnz	short loc_50A50A
		mov	eax, [ebp+var_14]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	edx, edi

loc_50A4E9:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+320j
		mov	ecx, [ebp+var_C]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+var_4+3]
		mov	ecx, [ebp+var_C]
		call	MiUnlockWorkingSetShared
		mov	eax, [ebx+18h]
		mov	dword ptr [eax], 1
		jmp	loc_50A72B
; 

loc_50A50A:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+1F7j
					; MiSwapStackPage(x,x,x,x,x,x,x)+20Aj
		mov	eax, [ebp+var_8]
		mov	edi, [eax]
		test	edi, 1FFFFFFEh
		jz	loc_50A74D
		and	edi, 0FFFFFFFEh
		or	edi, 0E0000000h
		shl	edi, 2
		cmp	edi, 0FFFFFFF0h
		jz	loc_50A74D
		mov	edx, [ebp+var_20]
		mov	ecx, [ebx+8]
		push	0FFFFFFFFh
		call	MiGetPteFromCopyList
		mov	[ebp+var_1C], eax
		cmp	edi, 0FFFFFFF8h
		jz	loc_50A5F5
		cmp	edi, [ebp+var_28]
		jz	loc_50A5F5
		lea	edx, [ebp+var_24]
		mov	ecx, edi
		call	_KeTryToFreezeThreadStack@8 ; KeTryToFreezeThreadStack(x,x)
		cmp	al, 1
		jnz	loc_50A642
		mov	eax, [ebp+var_1C]
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		push	eax
		call	_MiCopyKstack@12 ; MiCopyKstack(x,x,x)
		mov	ecx, [ebp+var_10]
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		call	_MiSwitchKstackPages@8 ; MiSwitchKstackPages(x,x)
		mov	eax, [ebp+var_10]
		mov	edx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	edx
		mov	ecx, [ebp+var_8]
		mov	al, [ecx+16h]
		and	[ecx+18h], edx
		and	al, 0C7h
		mov	[ecx+16h], al
		mov	al, [ecx+17h]
		and	al, 0DFh
		mov	[ecx+17h], al
		lea	eax, [ecx+10h]
		and	dword ptr [eax], 0C0000000h
		lock and [eax],	edx
		mov	ecx, [esi+18h]
		xor	edx, edx
		push	2
		call	KeFlushSingleTb
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_50A5D3
		xor	ecx, ecx
		add	eax, 2224h
		lock and [eax],	ecx

loc_50A5D3:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+2F7j
		mov	ecx, [ebp+var_1C]
		mov	eax, ds:_ZeroPte
		mov	dword ptr [edi+2Ch], 0
		mov	[ecx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	edx, [ebp+var_18]
		mov	[ecx+4], eax
		jmp	loc_50A4E9
; 

loc_50A5F5:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+273j
					; MiSwapStackPage(x,x,x,x,x,x,x)+27Cj
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		test	eax, eax
		jnz	short loc_50A63C
		mov	eax, [ebp+var_14]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_C]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+var_4+3]
		mov	ecx, [ebp+var_C]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_1C]
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		jmp	loc_50A77B
; 

loc_50A63C:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+331j
		mov	eax, [ebp+var_8]
		mov	[esi+1Ch], eax

loc_50A642:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+28Ej
		mov	eax, [ebp+var_14]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_C]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+var_4+3]
		mov	ecx, [ebp+var_C]
		call	MiUnlockWorkingSetShared
		mov	eax, [ebp+var_2C]
		and	dword ptr [esi+14h], 0
		mov	ecx, [ebp+var_28]
		mov	[esi], eax
		mov	eax, [ebp+var_20]
		mov	[esi+4], eax
		mov	eax, [ebp+var_1C]
		mov	[esi+0Ch], ecx
		mov	[esi+8], eax
		cmp	edi, 0FFFFFFF8h
		jz	short loc_50A694
		cmp	edi, ecx
		jz	short loc_50A694
		push	esi
		push	offset _MiDoStackCopy@16 ; MiDoStackCopy(x,x,x,x)
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		jmp	short loc_50A6AF
; 

loc_50A694:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+3B1j
					; MiSwapStackPage(x,x,x,x,x,x,x)+3B5j
		push	0
		push	1
		push	3000h
		push	esi
		push	offset _MiJumpStack@4 ;	MiJumpStack(x)
		call	KeExpandKernelStackAndCalloutInternal
		test	eax, eax
		jns	short loc_50A6AF
		mov	[esi+14h], eax

loc_50A6AF:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+3C2j
					; MiSwapStackPage(x,x,x,x,x,x,x)+3DAj
		cmp	dword ptr [esi+14h], 0
		jge	short loc_50A704
		mov	ecx, [ebp+var_1C]
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		mov	ecx, [ebp+var_10]
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		mov	ecx, [esi+1Ch]
		test	ecx, ecx
		jz	loc_50A783
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [esi+1Ch]
		mov	byte ptr [ebp+var_4+3],	al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	ecx, [esi+1Ch]
		mov	edx, 7FFFFFFFh
		add	ecx, 10h
		lock and [ecx],	edx
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_50A783
; 

loc_50A704:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+3E3j
		mov	eax, [ebx+18h]
		mov	ecx, [ebp+var_8]
		and	dword ptr [eax], 0
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+var_14]
		mov	edx, 7FFFFFFFh
		and	dword ptr [ecx], 0C0000000h
		lock and [ecx],	edx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_50A72B:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+235j
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		mov	[eax+14h], cx
		mov	ecx, [ebx+14h]
		test	ecx, ecx
		jz	short loc_50A740
		mov	eax, [ebp+var_20]
		mov	[ecx], eax

loc_50A740:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+469j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		inc	eax
		jmp	short loc_50A78D
; 

loc_50A74D:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+245j
					; MiSwapStackPage(x,x,x,x,x,x,x)+25Aj
		mov	eax, [ebp+var_14]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_C]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	short loc_50A770
; 

loc_50A765:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+17Fj
					; MiSwapStackPage(x,x,x,x,x,x,x)+18Fj ...
		mov	eax, [ebp+var_14]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_50A770:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+493j
		mov	dl, byte ptr [ebp+var_4+3]
		mov	ecx, [ebp+var_C]
		call	MiUnlockWorkingSetShared

loc_50A77B:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+367j
		mov	ecx, [ebp+var_10]
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)

loc_50A783:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+6Cj
					; MiSwapStackPage(x,x,x,x,x,x,x)+8Ej ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_50A78B:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+46j
		xor	eax, eax

loc_50A78D:				; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+47Bj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	14h
_MiSwapStackPage@28 endp ; sp =	 4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCanStealKernelStack(x, x)
_MiCanStealKernelStack@8 proc near	; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+1BAp
					; MiJumpStackTarget(x)+C1p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, esi
		mov	di, dx
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		cmp	eax, dword_6D07B0
		ja	short loc_50A81F
		mov	ecx, dword_6D35B8
		mov	edx, eax
		shr	edx, 5
		and	eax, 1Fh
		mov	edx, [ecx+edx*4]
		mov	ecx, eax
		shr	edx, cl
		and	edx, 1
		jz	short loc_50A81F
		mov	eax, [esi+18h]
		and	eax, 70000000h
		cmp	eax, 20000000h
		jnz	short loc_50A81F
		test	ds:_MiFlags, 800h
		jz	short loc_50A809
		mov	eax, [esi]
		test	eax, 1FFFFFFEh
		jz	short loc_50A81F
		and	eax, 0FFFFFFFEh
		or	eax, 0E0000000h
		shl	eax, 2
		cmp	eax, 0FFFFFFF0h
		jz	short loc_50A81F

loc_50A809:				; CODE XREF: MiCanStealKernelStack(x,x)+56j
		mov	cl, [esi+16h]
		and	cl, 7
		cmp	cl, 6
		jnz	short loc_50A81F
		cmp	[esi+14h], di
		jnz	short loc_50A81F
		xor	eax, eax
		inc	eax
		jmp	short loc_50A821
; 

loc_50A81F:				; CODE XREF: MiCanStealKernelStack(x,x)+21j
					; MiCanStealKernelStack(x,x)+3Bj ...
		xor	eax, eax

loc_50A821:				; CODE XREF: MiCanStealKernelStack(x,x)+85j
		pop	edi
		pop	esi
		leave
		retn
_MiCanStealKernelStack@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSwapStackPageNoDpc proc near		; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+202p
					; MiJumpStackTarget(x)+160p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D8F97 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[esp+28h+var_C], ecx
		mov	eax, edi
		mov	[esp+28h+var_10], edi
		sub	eax, ds:_MmPfnDatabase
		cdq
		mov	ecx, [edi+4]
		push	1Ch
		pop	edi
		idiv	edi
		or	ecx, 80000000h
		mov	[esp+28h+var_8], eax
		mov	eax, [ebp+arg_0]
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	edi
		mov	esi, [ecx]
		mov	[esp+28h+var_1C], ecx
		mov	[esp+28h+var_4], eax
		nop
		mov	ecx, [ecx+4]
		mov	ebx, esi
		and	ebx, 0FFFFFFDFh
		mov	[esp+28h+var_14], ecx
		mov	[esp+28h+var_18], ebx
		mov	eax, esi
		mov	edx, ecx
		nop
		mov	edi, [esp+28h+var_1C]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [esp+28h+var_10]
		cmp	eax, esi
		jnz	loc_50A95F
		cmp	edx, ecx
		jnz	loc_50A95F
		mov	ecx, [esp+28h+var_1C]
		xor	edx, edx
		push	2
		shl	ecx, 9
		call	KeFlushSingleTb
		mov	ecx, [ebp+arg_0]
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		call	_MiCopyPfnEntryEx@12 ; MiCopyPfnEntryEx(x,x,x)
		mov	ebx, [esp+28h+var_4]
		mov	ecx, ebx
		mov	edx, [esp+28h+var_8]
		push	44h
		push	[esp+2Ch+var_C]
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)
		mov	ecx, [esp+30h+var_20]
		and	ebx, 1FFFFFFh
		mov	edx, [esp+30h+var_1C]
		xor	esi, esi
		shld	esi, ebx, 0Ch
		mov	eax, edx
		and	ecx, 0FFFh
		shl	ebx, 0Ch
		and	eax, 0FFFFFFE0h
		or	ebx, ecx
		or	esi, eax
		mov	eax, [esp+30h+var_20]
		or	ebx, 20h
		nop
		mov	ecx, esi
		mov	esi, [esp+30h+var_24]
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [ebp+arg_0]
		lea	esi, [ebx+10h]
		cmp	eax, [esp+30h+var_20]
		jnz	loc_5D8F97
		cmp	edx, [esp+30h+var_1C]
		jnz	loc_5D8F97
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	al, [edi+16h]
		and	dword ptr [edi+18h], 0FFFFFFFh
		and	al, 0FDh
		and	dword ptr [edi+10h], 0C0000000h
		or	al, 5
		mov	[edi+16h], al
		xor	eax, eax
		and	byte ptr [edi+16h], 0C7h
		and	byte ptr [edi+17h], 0DFh
		inc	eax

loc_50A956:				; CODE XREF: MiSwapStackPageNoDpc+13Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_50A95F:				; CODE XREF: MiSwapStackPageNoDpc+6Dj
					; MiSwapStackPageNoDpc+75j ...
		xor	eax, eax
		jmp	short loc_50A956
MiSwapStackPageNoDpc endp

; 
		align 8
; Exported entry 557. FsRtlInsertPerFileContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlInsertPerFileContext
FsRtlInsertPerFileContext proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D8FBD SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_5D8FBD
		push	ebx
		push	esi
		xor	ecx, ecx
		xor	eax, eax
		lock cmpxchg [edi], ecx
		mov	esi, eax
		test	esi, esi
		jnz	short loc_50A9C2
		mov	ebx, 63665346h
		push	ebx
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_50AA0E
		and	dword ptr [esi], 0
		lea	eax, [esi+4]
		and	dword ptr [esi+0Ch], 0
		mov	ecx, esi
		mov	[eax+4], eax
		mov	[eax], eax
		xor	eax, eax
		lock cmpxchg [edi], ecx
		mov	edi, eax
		test	edi, edi
		jnz	loc_5D8FC7

loc_50A9C2:				; CODE XREF: FsRtlInsertPerFileContext+1Fj
					; FsRtlInsertPerFileContext+CE668j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		lea	ecx, [esi+4]
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_50AA15
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		xor	edx, edx
		mov	[ecx], eax
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax

loc_50AA07:				; CODE XREF: FsRtlInsertPerFileContext+ABj
		pop	esi
		pop	ebx

loc_50AA09:				; CODE XREF: FsRtlInsertPerFileContext+CE65Aj
		pop	edi
		pop	ebp
		retn	8
; 

loc_50AA0E:				; CODE XREF: FsRtlInsertPerFileContext+37j
		mov	eax, 0C000009Ah
		jmp	short loc_50AA07
; 

loc_50AA15:				; CODE XREF: FsRtlInsertPerFileContext+79j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall EtwGetProviderIdFromHandle(x, x, x,	x)
_EtwGetProviderIdFromHandle@16:		; CODE XREF: WdiDispatchControl(x)+32p
					; EtwWriteStartScenario+64p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		test	cl, cl
		jz	short loc_50AA6A
		mov	eax, ds:_EtwpRegistrationObjectType
		lea	ecx, [ebp+var_4]
		push	ebx
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	1
		push	eax
		push	800h
		push	ecx
		mov	[ebp+var_4], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_50AA61
		mov	ecx, [ebp+var_4]
		mov	esi, [ecx+10h]
		add	esi, 14h
		movsd
		movsd
		movsd
		movsd
		call	ObfDereferenceObject

loc_50AA61:				; CODE XREF: FsRtlInsertPerFileContext+E5j
					; FsRtlInsertPerFileContext+12Aj
		mov	eax, ebx

loc_50AA63:				; CODE XREF: FsRtlInsertPerFileContext+131j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_50AA6A:				; CODE XREF: FsRtlInsertPerFileContext+C1j
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_50AA94
		mov	ecx, [esi+10h]
		call	EtwpReferenceGuidEntry
		test	al, al
		jz	short loc_50AA94
		mov	esi, [esi+10h]
		mov	ecx, [ebp+arg_0]
		add	esi, 14h
		movsd
		movsd
		movsd
		movsd
		mov	ecx, [ecx+10h]
		call	EtwpUnreferenceGuidEntry
		jmp	short loc_50AA61
; 

loc_50AA94:				; CODE XREF: FsRtlInsertPerFileContext+107j
					; FsRtlInsertPerFileContext+113j
		mov	eax, 0C0000008h
		jmp	short loc_50AA63
FsRtlInsertPerFileContext endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemCaptureState proc near		; CODE XREF: WdipSemDisableContextProvider+3Ep

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D8FD5 SIZE 000000A0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		xor	eax, eax
		mov	bl, al
		push	esi
		mov	esi, ecx
		mov	ecx, eax
		push	edi
		test	dl, dl
		jnz	short loc_50AAD2
		test	esi, esi
		jz	short loc_50AADB
		mov	edi, _WdipContextLoggerId
		mov	eax, offset _WdipContextLoggerId
		xchg	edi, [eax]
		mov	eax, [esi+20h]
		xor	edx, edx
		sub	eax, edx
		jnz	loc_5D8FD5

loc_50AAD2:				; CODE XREF: WdipSemCaptureState+16j
					; WdipSemCaptureState+44j ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_50AADB:				; CODE XREF: WdipSemCaptureState+1Aj
		mov	ecx, 0C000000Dh
		jmp	short loc_50AAD2
WdipSemCaptureState endp

; 
		align 8
; Exported entry 2206. RtlIpv6StringToAddressExW

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIpv6StringToAddressExW
RtlIpv6StringToAddressExW proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D9075 SIZE 00000226 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_C], eax
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_50AB3F
		cmp	[ebp+arg_4], eax
		jz	short loc_50AB3F
		cmp	[ebp+arg_8], eax
		jz	short loc_50AB3F
		cmp	[ebp+arg_C], eax
		jz	short loc_50AB3F
		mov	ebx, eax
		mov	[ebp+var_4], eax
		movzx	eax, word ptr [ecx]
		push	5Bh
		pop	edx
		mov	edi, eax
		mov	[ebp+var_8], edi
		cmp	ax, dx
		jz	short loc_50AB4B

loc_50AB23:				; CODE XREF: RtlIpv6StringToAddressExW+66j
		push	[ebp+arg_4]
		lea	eax, [ebp+var_C]
		cmp	di, dx
		push	eax
		push	ecx
		setz	byte ptr [ebp+arg_0+3]
		call	RtlIpv6StringToAddressW
		test	eax, eax
		jns	loc_5D9075

loc_50AB3F:				; CODE XREF: RtlIpv6StringToAddressExW+15j
					; RtlIpv6StringToAddressExW+1Aj ...
		mov	eax, 0C000000Dh

loc_50AB44:				; CODE XREF: RtlIpv6StringToAddressExW+CE7AEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_50AB4B:				; CODE XREF: RtlIpv6StringToAddressExW+39j
		add	ecx, 2
		jmp	short loc_50AB23
RtlIpv6StringToAddressExW endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2207. RtlIpv6StringToAddressW

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIpv6StringToAddressW
RtlIpv6StringToAddressW	proc near	; CODE XREF: RtlIpv6StringToAddressExW+4Ap

var_20		= word ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D929B SIZE 00000239 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		and	[ebp+var_18], eax
		xor	ecx, ecx
		and	[ebp+var_14], eax
		xor	edx, edx
		push	edi
		movzx	esi, word ptr [esi]
		xor	edi, edi
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_1], al
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		test	si, si
		jz	short loc_50ABD1
		mov	dword ptr [ebp+var_20],	80h
		mov	[ebp+var_1C], 3Ah

loc_50AB96:				; CODE XREF: RtlIpv6StringToAddressW+12Fj
		sub	eax, 0
		jnz	short loc_50AC01

loc_50AB9B:				; CODE XREF: RtlIpv6StringToAddressW+CE748j
		cmp	si, word ptr [ebp+var_1C]
		jz	loc_5D9336
		cmp	edi, 7
		ja	short loc_50ABD1
		cmp	si, [ebp+var_20]
		jnb	short loc_50ABD1
		push	4		; wctype_t
		push	esi		; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_5D93B0
		push	dword ptr [ebp+var_20] ; wctype_t
		push	esi		; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_50AC50

loc_50ABD1:				; CODE XREF: RtlIpv6StringToAddressW+30j
					; RtlIpv6StringToAddressW+52j ...
		mov	eax, [ebp+arg_4]
		mov	esi, [ebp+var_10]
		mov	ecx, [ebp+arg_0]
		mov	[eax], ecx
		test	esi, esi
		jnz	loc_5D940F

loc_50ABE4:				; CODE XREF: RtlIpv6StringToAddressW+CE8C3j
		test	ebx, ebx
		jnz	loc_5D941E
		cmp	edi, 7
		jz	loc_5D941E

loc_50ABF5:				; CODE XREF: RtlIpv6StringToAddressW+CE835j
					; RtlIpv6StringToAddressW+CE87Bj ...
		mov	eax, 0C000000Dh

loc_50ABFA:				; CODE XREF: RtlIpv6StringToAddressW+CE979j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_50AC01:				; CODE XREF: RtlIpv6StringToAddressW+43j
		sub	eax, 1
		jnz	loc_5D929B
		cmp	si, [ebp+var_20]
		jnb	short loc_50AC3B
		push	4		; wctype_t
		push	esi		; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_5D92A6
		push	dword ptr [ebp+var_20] ; wctype_t
		push	esi		; wint_t
		call	_iswctype
		mov	edx, [ebp+var_C]
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_10]
		test	eax, eax
		jnz	loc_5D92B2

loc_50AC3B:				; CODE XREF: RtlIpv6StringToAddressW+B8j
		cmp	si, word ptr [ebp+var_1C]
		jz	loc_5D92C7
		cmp	si, 2Eh
		jnz	short loc_50ABD1
		jmp	loc_5D930C
; 

loc_50AC50:				; CODE XREF: RtlIpv6StringToAddressW+79j
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jnz	loc_50ABD1
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+var_18], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1], 1
		inc	edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx

loc_50AC71:				; CODE XREF: RtlIpv6StringToAddressW+CE7B1j
		cmp	eax, 1
		jnz	short loc_50AC90

loc_50AC76:				; CODE XREF: RtlIpv6StringToAddressW+CE828j
					; RtlIpv6StringToAddressW+CE873j ...
		mov	esi, [ebp+arg_0]
		add	esi, 2
		mov	[ebp+arg_0], esi
		movzx	esi, word ptr [esi]
		test	si, si
		jnz	loc_50AB96
		jmp	loc_50ABD1
; 

loc_50AC90:				; CODE XREF: RtlIpv6StringToAddressW+11Ej
					; RtlIpv6StringToAddressW+CE7DBj
		mov	esi, [ebp+arg_8]
		jmp	loc_5D937A
RtlIpv6StringToAddressW	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1981. RtlCmDecodeMemIoResource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlCmDecodeMemIoResource
RtlCmDecodeMemIoResource proc near	; CODE XREF: PnpCmResourcesToIoResources+17Dp
					; PnpFilterResourceRequirementsList+48Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D94D4 SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		mov	edx, esi
		mov	al, [edi]
		cmp	al, 3
		jnz	short loc_50ACD1

loc_50ACB2:				; CODE XREF: RtlCmDecodeMemIoResource+35j
		mov	edx, [edi+0Ch]

loc_50ACB5:				; CODE XREF: RtlCmDecodeMemIoResource+CE84Dj
					; RtlCmDecodeMemIoResource+CE865j ...
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_50ACC7
		mov	ecx, [edi+4]
		mov	[eax], ecx
		mov	ecx, [edi+8]
		mov	[eax+4], ecx

loc_50ACC7:				; CODE XREF: RtlCmDecodeMemIoResource+1Cj
		mov	eax, edx
		mov	edx, esi
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_50ACD1:				; CODE XREF: RtlCmDecodeMemIoResource+12j
		cmp	al, 1
		jz	short loc_50ACB2
		jmp	loc_5D94D4
RtlCmDecodeMemIoResource endp

; 
		align 10h
; Exported entry 1450. MmMdlPagesAreZero

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMdlPagesAreZero(x)
		public _MmMdlPagesAreZero@4
_MmMdlPagesAreZero@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, 4002h
		push	esi
		mov	ax, [edx+6]
		and	ax, cx
		cmp	ax, cx
		jnz	short loc_50AD37
		mov	ecx, [edx+18h]
		add	ecx, [edx+10h]
		mov	esi, [edx+14h]
		and	ecx, 0FFFh
		add	esi, 0FFFh
		add	edx, 1Ch
		add	esi, ecx
		xor	ecx, ecx
		shr	esi, 0Ch
		test	esi, esi
		jz	short loc_50AD2F

loc_50AD1D:				; CODE XREF: MmMdlPagesAreZero(x)+4Dj
		mov	eax, [edx]
		cmp	eax, dword_6D34F0
		jnz	short loc_50AD37
		inc	ecx
		add	edx, 4
		cmp	ecx, esi
		jb	short loc_50AD1D

loc_50AD2F:				; CODE XREF: MmMdlPagesAreZero(x)+3Bj
		xor	eax, eax
		inc	eax

loc_50AD32:				; CODE XREF: MmMdlPagesAreZero(x)+59j
		pop	esi
		pop	ebp
		retn	4
; 

loc_50AD37:				; CODE XREF: MmMdlPagesAreZero(x)+18j
					; MmMdlPagesAreZero(x)+45j
		xor	eax, eax
		jmp	short loc_50AD32
_MmMdlPagesAreZero@4 endp

; 
		align 10h
; Exported entry 220. CcPrepareMdlWrite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcPrepareMdlWrite
CcPrepareMdlWrite proc near		; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+2B4p

var_7C		= dword	ptr -7Ch
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D951B SIZE 0000002E BYTES

		push	6Ch
		push	offset dword_6A42B8
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	ecx, ebx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ebx
		mov	edx, ebx
		mov	[ebp+var_38], edx
		mov	eax, ebx
		mov	[ebp+var_2C], eax
		mov	[ebp+var_44], eax
		mov	esi, ebx
		mov	[ebp+var_24], esi
		lea	edi, [ebp+var_7C]
		stosd
		stosd
		stosd
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+14h]
		mov	edi, [eax+4]
		mov	[ebp+var_50], edi
		test	byte ptr [ecx+2Ch], 10h
		jnz	short loc_50AD98
		push	ebx
		push	edi
		mov	edx, [ebp+arg_8]
		call	CcForceWriteThrough
		test	al, al
		jnz	loc_5D951B

loc_50AD98:				; CODE XREF: CcPrepareMdlWrite+44j
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_68], ecx
		mov	eax, [eax+4]
		mov	[ebp+var_34], eax
		mov	[ebp+var_64], eax
		mov	[ebp+ms_exc.disabled], ebx
		mov	[ebp+var_54], 1

loc_50ADB6:				; CODE XREF: CcPrepareMdlWrite+25Bj
		cmp	[ebp+arg_8], 0
		jz	loc_50AFA0
		mov	[ebp+var_20], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		push	eax
		push	ecx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_20]
		push	eax
		lea	edx, [ebp+var_24]
		mov	ecx, edi
		call	CcGetVirtualAddress
		mov	[ebp+var_48], eax
		mov	ecx, [ebp+var_20]
		cmp	ecx, [ebp+arg_8]
		jbe	short loc_50ADEC
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_20], ecx

loc_50ADEC:				; CODE XREF: CcPrepareMdlWrite+A4j
		mov	esi, ecx
		and	[ebp+arg_0], 0
		mov	eax, [ebp+var_30]
		add	esi, eax
		mov	[ebp+var_2C], esi
		mov	edx, [ebp+var_34]
		adc	[ebp+arg_0], edx
		mov	[ebp+var_40], esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_3C], esi
		push	2
		pop	esi
		mov	[ebp+var_28], esi
		test	eax, 0FFFh
		jnz	short loc_50AE24
		cmp	ecx, 1000h
		jb	short loc_50AE24
		push	3
		pop	esi
		mov	[ebp+var_28], esi

loc_50AE24:				; CODE XREF: CcPrepareMdlWrite+D4j
					; CcPrepareMdlWrite+DCj
		test	[ebp+var_2C], 0FFFh
		jz	loc_50AFE0

loc_50AE31:				; CODE XREF: CcPrepareMdlWrite+2A6j
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], edx
		and	eax, 0FFFFF000h
		mov	[ebp+var_30], eax
		mov	[ebp+var_70], eax
		lea	ecx, [edi+0B4h]
		call	ExAcquireFastMutex
		mov	eax, [edi+28h]
		sub	eax, [ebp+var_30]
		mov	[ebp+var_3C], eax
		mov	ecx, [edi+2Ch]
		sbb	ecx, [ebp+var_34]
		mov	[ebp+var_34], ecx
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], ecx
		lea	ecx, [edi+0B4h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [ebp+var_34]
		cmp	ecx, ebx
		jg	loc_50B001
		jl	loc_50AFEB
		mov	eax, [ebp+var_3C]
		cmp	eax, ebx
		jbe	loc_50AFEB

loc_50AE8C:				; CODE XREF: CcPrepareMdlWrite+2C4j
		test	ecx, ecx
		jnz	short loc_50AE9B
		cmp	eax, 1000h
		jbe	loc_50B009

loc_50AE9B:				; CODE XREF: CcPrepareMdlWrite+14Ej
					; CcPrepareMdlWrite+2B1j
		push	[ebp+var_48]
		xor	ecx, ecx
		inc	ecx
		push	ecx
		mov	edx, esi
		mov	esi, [ebp+var_20]
		mov	ecx, esi
		call	_CcMapAndRead@16 ; CcMapAndRead(x,x,x,x)
		push	ebx
		push	ebx
		push	ebx
		push	esi
		push	[ebp+var_48]
		call	IoAllocateMdl
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_5D951B
		mov	eax, large fs:124h
		mov	[ebp+var_58], eax
		movzx	ebx, byte ptr [eax+309h]
		add	ebx, 2
		mov	[ebp+var_38], ebx
		mov	eax, large fs:124h
		mov	[ebp+var_5C], eax
		xor	ecx, ecx
		inc	ecx
		mov	[eax+309h], cl
		push	ecx
		push	0
		push	[ebp+var_1C]
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	eax, large fs:124h
		mov	[ebp+var_60], eax
		sub	bl, 2
		mov	[eax+309h], bl
		xor	ebx, ebx
		mov	eax, ebx
		mov	[ebp+var_38], eax
		lea	esi, [edi+0B4h]
		mov	ecx, esi
		call	ExAcquireFastMutex
		mov	ecx, [ebp+arg_0]
		cmp	ecx, [edi+2Ch]
		jl	short loc_50AF38
		mov	eax, [ebp+var_2C]
		jg	loc_50AFF6
		cmp	eax, [edi+28h]
		ja	loc_50AFF6

loc_50AF38:				; CODE XREF: CcPrepareMdlWrite+1E4j
					; CcPrepareMdlWrite+2BCj
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [ebp+var_24]
		mov	esi, [ecx+4]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+8], eax
		dec	eax
		movzx	eax, ax
		test	ax, ax
		jz	short loc_50AFC9

loc_50AF56:				; CODE XREF: CcPrepareMdlWrite+29Bj
		mov	esi, ebx
		mov	[ebp+var_24], esi
		mov	edx, [ebp+arg_C]
		mov	ecx, [edx]
		test	ecx, ecx
		jnz	loc_5D9532
		mov	eax, [ebp+var_1C]
		mov	[edx], eax

loc_50AF6D:				; CODE XREF: CcPrepareMdlWrite+CE804j
		mov	ecx, ebx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+var_2C]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_68], ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		mov	[ebp+var_64], eax
		mov	edx, [ebp+var_44]
		mov	eax, [ebp+var_20]
		add	edx, eax
		mov	[ebp+var_2C], edx
		mov	[ebp+var_44], edx
		sub	[ebp+arg_8], eax
		mov	eax, [ebp+var_34]
		jmp	loc_50ADB6
; 

loc_50AFA0:				; CODE XREF: CcPrepareMdlWrite+7Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, ebx
		mov	edx, ebx
		mov	[ebp+var_54], 0
		call	sub_50B00E
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_50AFC9:				; CODE XREF: CcPrepareMdlWrite+214j
		mov	eax, [esi+74h]
		test	eax, eax
		jnz	loc_5D9525

loc_50AFD4:				; CODE XREF: CcPrepareMdlWrite+CE7EDj
		lock dec dword ptr [esi+180h]
		jmp	loc_50AF56
; 

loc_50AFE0:				; CODE XREF: CcPrepareMdlWrite+EBj
		or	esi, 4
		mov	[ebp+var_28], esi
		jmp	loc_50AE31
; 

loc_50AFEB:				; CODE XREF: CcPrepareMdlWrite+13Bj
					; CcPrepareMdlWrite+146j
		or	esi, 7

loc_50AFEE:				; CODE XREF: CcPrepareMdlWrite+2CCj
		mov	[ebp+var_28], esi
		jmp	loc_50AE9B
; 

loc_50AFF6:				; CODE XREF: CcPrepareMdlWrite+1E9j
					; CcPrepareMdlWrite+1F2j
		mov	[edi+28h], eax
		mov	[edi+2Ch], ecx
		jmp	loc_50AF38
; 

loc_50B001:				; CODE XREF: CcPrepareMdlWrite+135j
		mov	eax, [ebp+var_3C]
		jmp	loc_50AE8C
; 

loc_50B009:				; CODE XREF: CcPrepareMdlWrite+155j
		or	esi, 6
		jmp	short loc_50AFEE
CcPrepareMdlWrite endp


;  S U B	R O U T	I N E 


sub_50B00E	proc near		; CODE XREF: CcPrepareMdlWrite+272p
					; sub_5D9549+17j

; FUNCTION CHUNK AT 005D9565 SIZE 000000EE BYTES

		cmp	[ebp-54h], ebx
		jnz	loc_5D9565
		mov	ecx, edi
		call	CcGetPartition
		mov	ecx, [ebp+18h]
		mov	[ecx], ebx
		mov	edx, [ebp-2Ch]
		mov	[ecx+4], edx
		lea	ecx, [eax+40h]
		lea	edx, [ebp-7Ch]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		inc	dword ptr [edi+4]
		inc	dword ptr [edi+178h]
		test	ds:byte_70EFC6,	1
		jnz	loc_5D962A
		mov	eax, [ebp-7Ch]
		test	eax, eax
		jnz	loc_5D9642
		mov	edx, [ebp-78h]
		lea	eax, [ebp-7Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-7Ch]
		cmp	eax, ecx
		jnz	loc_5D963A

loc_50B06C:				; CODE XREF: sub_50B00E+CE627j
					; sub_50B00E+CE640j
		mov	cl, [ebp-74h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

locret_50B075:				; CODE XREF: sub_50B00E+CE5D2j
		retn
sub_50B00E	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcForceWriteThrough proc near		; CODE XREF: CcPrepareMdlWrite+4Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005D9653 SIZE 000000C7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		mov	byte ptr [ebp+var_4], 0
		push	edi
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		test	esi, esi
		jz	loc_5D9653
		mov	ecx, esi
		call	CcGetPartition
		mov	ecx, [ebp+var_8]
		mov	edi, eax
		mov	edx, [ebp+var_C]

loc_50B0AD:				; CODE XREF: CcForceWriteThrough+CE5E5j
		test	dword ptr [ecx+2Ch], 1000000h
		mov	bl, [ebp+arg_4]
		jnz	loc_5D9660

loc_50B0BD:				; CODE XREF: CcForceWriteThrough+CE5FDj
		test	bl, bl
		jnz	loc_5D9678

loc_50B0C5:				; CODE XREF: CcForceWriteThrough+CE610j
					; CcForceWriteThrough+CE620j ...
		mov	al, byte ptr [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
CcForceWriteThrough endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetSharedProtos(x, x, x)
_MiGetSharedProtos@12 proc near		; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+742p
					; MiLogPageAccess(x,x)+365p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, edi
		mov	bl, al
		call	_MiGetSharedProtosAtDpcLevel@12	; MiGetSharedProtosAtDpcLevel(x,x,x)
		mov	cl, bl
		mov	esi, eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MiGetSharedProtos@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetSharedProtosAtDpcLevel(x, x, x)
_MiGetSharedProtosAtDpcLevel@12	proc near ; CODE XREF: MiGetSharedProtos(x,x,x)+1Dp
					; MiImageProtoChargedCommit+8EB11p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		lea	ebx, [ecx+24h]
		mov	edi, edx
		push	ebx
		call	ExAcquireSpinLockSharedAtDpcLevel
		mov	eax, [ebp+arg_0]
		mov	esi, [eax+0Ch]

loc_50B11F:				; CODE XREF: MiGetSharedProtosAtDpcLevel(x,x,x)+36j
					; MiGetSharedProtosAtDpcLevel(x,x,x)+3Aj
		test	esi, esi
		jz	short loc_50B12A
		cmp	edi, [esi+20h]
		ja	short loc_50B139
		jb	short loc_50B13E

loc_50B12A:				; CODE XREF: MiGetSharedProtosAtDpcLevel(x,x,x)+1Bj
		push	ebx
		call	ExReleaseSpinLockSharedFromDpcLevel
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_50B139:				; CODE XREF: MiGetSharedProtosAtDpcLevel(x,x,x)+20j
		mov	esi, [esi+4]
		jmp	short loc_50B11F
; 

loc_50B13E:				; CODE XREF: MiGetSharedProtosAtDpcLevel(x,x,x)+22j
		mov	esi, [esi]
		jmp	short loc_50B11F
_MiGetSharedProtosAtDpcLevel@12	endp


;  S U B	R O U T	I N E 


; __stdcall MiLocateSessionProtosInSubsection(x, x)
_MiLocateSessionProtosInSubsection@8 proc near
					; CODE XREF: MiDereferenceSubsectionProtos(x,x,x)+14p
					; MiCreatePerSessionProtos+60p
		mov	eax, [ecx+0Ch]

loc_50B145:				; CODE XREF: MiLocateSessionProtosInSubsection(x,x)+18j
					; MiLocateSessionProtosInSubsection(x,x)+1Cj
		test	eax, eax
		jz	short loc_50B154
		cmp	edx, [eax+20h]
		ja	short loc_50B157
		jb	short loc_50B15C
		test	eax, eax
		jnz	short locret_50B156

loc_50B154:				; CODE XREF: MiLocateSessionProtosInSubsection(x,x)+5j
		xor	eax, eax

locret_50B156:				; CODE XREF: MiLocateSessionProtosInSubsection(x,x)+10j
		retn
; 

loc_50B157:				; CODE XREF: MiLocateSessionProtosInSubsection(x,x)+Aj
		mov	eax, [eax+4]
		jmp	short loc_50B145
; 

loc_50B15C:				; CODE XREF: MiLocateSessionProtosInSubsection(x,x)+Cj
		mov	eax, [eax]
		jmp	short loc_50B145
_MiLocateSessionProtosInSubsection@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdatePerSessionProto(x, x, x, x)
_MiUpdatePerSessionProto@16 proc near	; CODE XREF: MiDereferenceSubsectionProtos(x,x,x)+28p
					; MiCreatePerSessionProtos+94p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		lea	edi, [ecx+24h]
		mov	esi, edx
		push	edi
		call	ExAcquireSpinLockExclusive
		add	esi, 0Ch
		mov	[ebp+var_1], al
		cmp	[ebp+arg_4], 0
		jz	short loc_50B1A0
		mov	ecx, [esi]
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	byte ptr [ebp+arg_0], 0
		mov	edx, [ebx+20h]
		test	ecx, ecx
		jz	short loc_50B1AF

loc_50B190:				; CODE XREF: MiUpdatePerSessionProto(x,x,x,x)+3Ej
		cmp	edx, [ecx+20h]
		jb	short loc_50B1D0
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_50B1D8

loc_50B19C:				; CODE XREF: MiUpdatePerSessionProto(x,x,x,x)+74j
		mov	ecx, eax
		jmp	short loc_50B190
; 

loc_50B1A0:				; CODE XREF: MiUpdatePerSessionProto(x,x,x,x)+1Dj
		push	[ebp+arg_0]
		push	esi
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		jmp	short loc_50B1BB
; 

loc_50B1AB:				; CODE XREF: MiUpdatePerSessionProto(x,x,x,x)+76j
		mov	byte ptr [ebp+arg_0], 0

loc_50B1AF:				; CODE XREF: MiUpdatePerSessionProto(x,x,x,x)+2Ej
					; MiUpdatePerSessionProto(x,x,x,x)+7Cj
		push	ebx
		push	[ebp+arg_0]
		push	ecx
		push	esi
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		pop	ebx

loc_50B1BB:				; CODE XREF: MiUpdatePerSessionProto(x,x,x,x)+49j
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_50B1D0:				; CODE XREF: MiUpdatePerSessionProto(x,x,x,x)+33j
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_50B19C
		jmp	short loc_50B1AB
; 

loc_50B1D8:				; CODE XREF: MiUpdatePerSessionProto(x,x,x,x)+3Aj
		mov	byte ptr [ebp+arg_0], 1
		jmp	short loc_50B1AF
_MiUpdatePerSessionProto@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeletePerSessionProtos proc near	; CODE XREF: MiFreeSubsectionProtos(x)+Fp
					; MiDeleteSessionDriverProtos+A61ECp

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D971A SIZE 000000A7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, [ecx+20h]
		push	ebx
		push	esi
		mov	esi, [ecx+24h]
		mov	bl, 21h
		push	edi
		mov	edi, [eax+1Ch]
		xor	eax, eax
		mov	[esp+28h+var_4], ecx
		mov	[esp+28h+var_18], edi
		mov	[esp+28h+var_14], eax
		lea	ecx, [esi+edi*8]
		mov	[esp+28h+var_19], bl
		mov	[esp+28h+var_8], ecx
		cmp	esi, ecx
		jnb	loc_50B2A0

loc_50B218:				; CODE XREF: MiDeletePerSessionProtos+ACj
		test	esi, 0FFFh
		jz	short loc_50B225
		cmp	bl, 21h
		jnz	short loc_50B249

loc_50B225:				; CODE XREF: MiDeletePerSessionProtos+40j
		cmp	bl, 21h
		jnz	loc_5D971A

loc_50B22E:				; CODE XREF: MiDeletePerSessionProtos+CE545j
					; MiDeletePerSessionProtos+CE556j
		lea	edx, [esp+0Fh]
		mov	ecx, esi
		call	MiLockProtoPoolPage
		mov	[esp+28h+var_14], eax
		test	eax, eax
		jz	loc_5D9728
		mov	bl, [esp+28h+var_19]

loc_50B249:				; CODE XREF: MiDeletePerSessionProtos+45j
		xor	edx, edx
		mov	ecx, esi
		call	MiLockLeafPage
		mov	ecx, [esi]
		mov	edi, eax
		mov	[esp+28h+var_C], ecx
		nop
		mov	edx, [esi+4]
		mov	[esp+28h+var_10], edx
		test	edi, edi
		jnz	loc_5D9739
		mov	eax, ecx
		or	eax, edx
		jz	short loc_50B28C
		mov	eax, ecx
		and	eax, 400h
		or	eax, edi
		jz	loc_5D978D

loc_50B27F:				; CODE XREF: MiDeletePerSessionProtos+CE5A0j
					; MiDeletePerSessionProtos+CE5AAj ...
		mov	eax, [esp+28h+var_14]
		add	esi, 8
		cmp	esi, [esp+28h+var_8]
		jb	short loc_50B218

loc_50B28C:				; CODE XREF: MiDeletePerSessionProtos+90j
		cmp	bl, 21h
		jz	short loc_50B29C
		mov	ecx, [esp+28h+var_14]
		mov	dl, bl
		call	MiUnlockProtoPoolPage

loc_50B29C:				; CODE XREF: MiDeletePerSessionProtos+B1j
		mov	edi, [esp+28h+var_18]

loc_50B2A0:				; CODE XREF: MiDeletePerSessionProtos+34j
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		mov	esi, [esp+28h+var_4]
		xor	edx, edx
		lea	ecx, [esi+0Ch]
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)
		push	0
		push	dword ptr [esi+24h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
MiDeletePerSessionProtos endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SleepstudyHelperCreateBlockerFromGuid proc near
					; CODE XREF: SleepstudyHelper_RegisterComponentEx(x,x,x,x,x,x,x,x,x,x,x)+55p
					; DATA XREF: .data:006B35D4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005D97C1 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_10]
		test	esi, esi
		jz	short loc_50B368
		cmp	[ebp+arg_4], ebx
		jz	short loc_50B368
		cmp	[ebp+arg_8], ebx
		jz	short loc_50B368
		cmp	[ebp+arg_C], ebx
		jz	short loc_50B368
		cmp	edi, 6
		ja	short loc_50B368
		cmp	[ebp+arg_14], ebx
		jz	short loc_50B368
		mov	edx, [esi+0Ch]
		push	38h
		pop	ecx
		call	_SSHSupportAllocatePaged@8 ; SSHSupportAllocatePaged(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_50B361
		push	38h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	[ebx], esi
		add	esp, 0Ch
		mov	esi, [ebp+arg_4]
		mov	[ebx+4], edi
		lea	edi, [ebx+8]
		push	[ebp+arg_C]
		movsd
		push	ebx
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_8]
		lea	edi, [ebx+18h]
		movsd
		movsd
		movsd
		movsd
		mov	byte ptr [ebx+34h], 1
		call	SleepstudyHelperSetBlockerFriendlyName
		mov	esi, eax
		test	esi, esi
		js	loc_5D97C1
		mov	eax, [ebp+arg_14]
		xor	esi, esi
		mov	[eax], ebx

loc_50B358:				; CODE XREF: SleepstudyHelperCreateBlockerFromGuid+90j
					; SleepstudyHelperCreateBlockerFromGuid+CE4EDj	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
; 

loc_50B361:				; CODE XREF: SleepstudyHelperCreateBlockerFromGuid+3Cj
		mov	esi, 0C000000Dh
		jmp	short loc_50B358
; 

loc_50B368:				; CODE XREF: SleepstudyHelperCreateBlockerFromGuid+12j
					; SleepstudyHelperCreateBlockerFromGuid+17j ...
		mov	esi, 0C000000Dh
		jmp	loc_5D97C1
SleepstudyHelperCreateBlockerFromGuid endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SleepstudyHelperSetBlockerFriendlyName proc near
					; CODE XREF: SleepstudyHelperCreateBlockerFromGuid+6Cp
					; DATA XREF: .data:006B35F4o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D97D4 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edi
		test	esi, esi
		jz	short loc_50B3F8
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_50B3F8
		movzx	eax, word ptr [ebx]
		test	ax, ax
		jz	short loc_50B3F8
		mov	edx, [esi]
		mov	ecx, eax
		mov	edx, [edx+0Ch]
		call	_SSHSupportAllocatePaged@8 ; SSHSupportAllocatePaged(x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_50B3E9
		xor	eax, eax
		lea	ecx, [ebp+var_8]
		mov	word ptr [ebp+var_8], ax
		mov	edx, ebx
		mov	ax, [ebx]
		mov	word ptr [ebp+var_8+2],	ax
		call	_RtlUnicodeStringCopy@8	; RtlUnicodeStringCopy(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_50B3F0
		mov	ecx, [esi+2Ch]
		test	ecx, ecx
		jnz	loc_5D97D4

loc_50B3D2:				; CODE XREF: SleepstudyHelperSetBlockerFriendlyName+CE46Dj
		mov	eax, [ebp+var_8]
		mov	ebx, edi
		mov	[esi+28h], eax
		mov	eax, [ebp+var_4]
		mov	[esi+2Ch], eax

loc_50B3E0:				; CODE XREF: SleepstudyHelperSetBlockerFriendlyName+7Cj
					; SleepstudyHelperSetBlockerFriendlyName+CE474j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_50B3E9:				; CODE XREF: SleepstudyHelperSetBlockerFriendlyName+36j
		mov	ebx, 0C000009Ah
		jmp	short loc_50B3E0
; 

loc_50B3F0:				; CODE XREF: SleepstudyHelperSetBlockerFriendlyName+53j
		mov	edi, [ebp+var_4]
		jmp	loc_5D97E4
; 

loc_50B3F8:				; CODE XREF: SleepstudyHelperSetBlockerFriendlyName+14j
					; SleepstudyHelperSetBlockerFriendlyName+1Bj ...
		mov	ebx, 0C000000Dh
		jmp	loc_5D97E4
SleepstudyHelperSetBlockerFriendlyName endp

; 
		align 8
; Exported entry 1009. IoSizeofWorkItem

;  S U B	R O U T	I N E 


; __stdcall IoSizeofWorkItem()
		public _IoSizeofWorkItem@0
_IoSizeofWorkItem@0 proc near		; CODE XREF: VerifierIoInitializeWorkItem(x,x)+18p
		push	34h
		pop	eax
		retn
_IoSizeofWorkItem@0 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 546. FsRtlInitializeBaseMcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlInitializeBaseMcb(x, x)
		public _FsRtlInitializeBaseMcb@8
_FsRtlInitializeBaseMcb@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	FsRtlInitializeBaseMcbEx
		pop	ebp
		retn	8
_FsRtlInitializeBaseMcb@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCompleteLazyWrite(x, x)
_CmpCompleteLazyWrite@8	proc near	; CODE XREF: CmpLazyWriteWorker+8Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+58h]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [edi+60h]
		xor	esi, esi
		mov	ecx, [edi+64h]
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ecx
		test	ebx, ebx
		jnz	short loc_50B46D
		and	eax, 7
		cmp	eax, 3
		jz	short loc_50B466
		mov	eax, esi
		jmp	short loc_50B4D7
; 

loc_50B466:				; CODE XREF: CmpCompleteLazyWrite(x,x)+38j
		mov	eax, [ebp+var_8]
		test	ebx, ebx
		jz	short loc_50B477

loc_50B46D:				; CODE XREF: CmpCompleteLazyWrite(x,x)+30j
		mov	ecx, [ebx]
		mov	edx, [edi+70h]
		mov	ebx, [ebx+4]
		jmp	short loc_50B4C0
; 

loc_50B477:				; CODE XREF: CmpCompleteLazyWrite(x,x)+43j
		and	eax, 0FFFFFFF8h
		mov	cl, 1
		mov	ebx, esi
		mov	[ebp+var_8], eax
		call	KiQueryUnbiasedInterruptTime
		mov	ecx, eax
		mov	eax, edx
		mov	edx, [ebp+var_C]
		mov	[ebp+var_10], eax
		cmp	eax, edx
		ja	short loc_50B4B6
		mov	eax, [ebp+var_8]
		jb	short loc_50B49D
		cmp	ecx, eax
		jnb	short loc_50B4B6

loc_50B49D:				; CODE XREF: CmpCompleteLazyWrite(x,x)+6Fj
		sub	eax, ecx
		sbb	edx, [ebp+var_10]
		jnz	short loc_50B4AD
		mov	ecx, 1312D00h
		cmp	eax, ecx
		jbe	short loc_50B4BB

loc_50B4AD:				; CODE XREF: CmpCompleteLazyWrite(x,x)+7Aj
		mov	ebx, edx
		mov	ecx, eax
		mov	edx, [edi+70h]
		jmp	short loc_50B4C0
; 

loc_50B4B6:				; CODE XREF: CmpCompleteLazyWrite(x,x)+6Aj
					; CmpCompleteLazyWrite(x,x)+73j
		mov	ecx, 1312D00h

loc_50B4BB:				; CODE XREF: CmpCompleteLazyWrite(x,x)+83j
		mov	edx, 3E8h

loc_50B4C0:				; CODE XREF: CmpCompleteLazyWrite(x,x)+4Dj
					; CmpCompleteLazyWrite(x,x)+8Cj
		lea	eax, [edi+28h]
		neg	ecx
		push	eax
		push	edx
		push	esi
		adc	ebx, esi
		neg	ebx
		push	ebx
		push	ecx
		push	edi
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		xor	eax, eax
		inc	eax

loc_50B4D7:				; CODE XREF: CmpCompleteLazyWrite(x,x)+3Cj
		mov	[edi+60h], eax
		mov	[edi+64h], esi
		test	ds:byte_70EFC6,	1
		jz	short loc_50B4F3
		mov	edx, [ebp+4]
		lea	ecx, [edi+58h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_50B4FB
; 

loc_50B4F3:				; CODE XREF: CmpCompleteLazyWrite(x,x)+BCj
		xor	ecx, ecx
		lea	eax, [edi+58h]
		lock and [eax],	ecx

loc_50B4FB:				; CODE XREF: CmpCompleteLazyWrite(x,x)+C9j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpCompleteLazyWrite@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpHpGCTimerCallback(x, x)
_ExpHpGCTimerCallback@8	proc near	; DATA XREF: ExpHeapGCInitialization()+8o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, offset _ExpHpGCWorkItemNonPaged
		cmp	ecx, 1
		jz	short loc_50B521
		mov	eax, offset _ExpHpGCWorkItemPaged

loc_50B521:				; CODE XREF: ExpHpGCTimerCallback(x,x)+10j
		and	dword ptr [eax], 0
		push	3
		push	eax
		mov	dword ptr [eax+8], offset _ExpHpCompactionRoutine@4 ; ExpHpCompactionRoutine(x)
		mov	[eax+0Ch], ecx
		call	ExQueueWorkItem
		pop	ebp
		retn	8
_ExpHpGCTimerCallback@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpApplyEventIdPayloadFilter(__int16,int,int,int,void *,char,char)
EtwpApplyEventIdPayloadFilter proc near	; CODE XREF: EtwpApplyEventIdPayloadFilterOnUserEvent+36p

var_2		= byte ptr -2
var_1		= dword	ptr -1
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= byte ptr  20h

; FUNCTION CHUNK AT 005D97FC SIZE 0000009D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		imul	ebx, edx, 34h
		cmp	[ebp+arg_18], 2
		push	edi
		mov	edi, ecx
		mov	byte ptr [ebp+var_1], 1
		jnb	loc_5D9816
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [edi+160h]
		mov	[ebp+var_2], al
		mov	edx, [ecx+ebx+24h]
		test	edx, edx
		jz	short loc_50B5A7
		mov	ecx, [ebp+arg_8]
		call	_EtwpPerfectHashFunctionSearch@8 ; EtwpPerfectHashFunctionSearch(x,x)
		cmp	[edx], al
		jz	loc_5D97FC
		xor	al, al
		mov	byte ptr [ebp+var_1], al

loc_50B584:				; CODE XREF: EtwpApplyEventIdPayloadFilter+70j
		test	al, al
		jnz	loc_5D97FC

loc_50B58C:				; CODE XREF: EtwpApplyEventIdPayloadFilter+CE2CEj
					; EtwpApplyEventIdPayloadFilter+CE2D7j
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_50B595:				; CODE XREF: EtwpApplyEventIdPayloadFilter+CE309j
		test	esi, esi
		jnz	loc_5D9848

loc_50B59D:				; CODE XREF: EtwpApplyEventIdPayloadFilter+CE2FAj
					; EtwpApplyEventIdPayloadFilter+CE33Fj	...
		mov	al, byte ptr [ebp+var_1]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_50B5A7:				; CODE XREF: EtwpApplyEventIdPayloadFilter+33j
		mov	al, byte ptr [ebp+var_1]
		jmp	short loc_50B584
EtwpApplyEventIdPayloadFilter endp


;  S U B	R O U T	I N E 


; __stdcall EtwpPerfectHashFunctionSearch(x, x)
_EtwpPerfectHashFunctionSearch@8 proc near ; CODE XREF:	EtwpApplyEventIdPayloadFilter+38p
					; .text:0052830Dp ...
		mov	edi, edi
		push	esi
		mov	si, cx
		mov	cl, [edx+1]
		mov	ax, si
		ror	ax, cl
		and	ax, [edx+2]
		movzx	eax, ax

loc_50B5C2:				; CODE XREF: EtwpPerfectHashFunctionSearch(x,x)+2Cj
		cmp	si, [edx+eax*4+8]
		jz	short loc_50B5DA
		mov	al, [edx+eax*4+6]
		cmp	al, 0FFh
		jnz	short loc_50B5D5
		xor	al, al
		pop	esi
		retn
; 

loc_50B5D5:				; CODE XREF: EtwpPerfectHashFunctionSearch(x,x)+23j
		movzx	eax, al
		jmp	short loc_50B5C2
; 

loc_50B5DA:				; CODE XREF: EtwpPerfectHashFunctionSearch(x,x)+1Bj
		mov	al, 1
		pop	esi
		retn
_EtwpPerfectHashFunctionSearch@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2136. RtlGetProductInfo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlGetProductInfo
RtlGetProductInfo proc near		; CODE XREF: ExGetSuiteMask(x,x)+2Bp
					; ExpUpdateProductType+1Fp

var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_C4		= dword	ptr -0C4h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005D9899 SIZE 0000007D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_10]
		mov	[ebp+var_F4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_F0], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_EC], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_E0], ecx
		mov	[ebp+var_DC], ebx
		mov	[ebp+var_D8], ebx
		mov	[ebp+var_E4], ebx
		mov	[ebp+var_E8], eax
		push	esi
		push	edi
		test	ecx, ecx
		jz	loc_50B6E1
		sub	esp, 10h
		mov	[ecx], ebx
		mov	edi, esp
		mov	esi, offset dword_40AA54
		sub	esp, 10h
		movsd
		movsd
		movsd
		movsd
		mov	edi, esp
		lea	esi, [ebp+var_F4]
		movsd
		movsd
		movsd
		movsd
		call	CompareVersions
		test	eax, eax
		js	short loc_50B6E1
		lea	eax, [ebp+var_D8]
		push	eax
		push	4
		lea	eax, [ebp+var_E4]
		push	eax
		lea	eax, [ebp+var_DC]
		push	eax
		push	(offset	loc_401558+4)
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		test	eax, eax
		js	short loc_50B6F4
		cmp	[ebp+var_DC], 4
		jnz	short loc_50B6F4
		cmp	[ebp+var_D8], 4
		jnz	short loc_50B6F4
		lea	eax, [ebp+var_D8]
		push	eax
		push	0C8h
		lea	eax, [ebp+var_D4]
		push	eax
		lea	eax, [ebp+var_DC]
		push	eax
		push	(offset	loc_401553+1)
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		test	eax, eax
		jns	loc_5D9899

loc_50B6D0:				; CODE XREF: RtlGetProductInfo+CE2E1j
					; RtlGetProductInfo+CE31Fj
		mov	ecx, [ebp+var_E0]
		mov	eax, [ebp+var_E4]
		mov	[ecx], eax

loc_50B6DE:				; CODE XREF: RtlGetProductInfo+11Cj
					; RtlGetProductInfo+CE32Dj
		xor	ebx, ebx
		inc	ebx

loc_50B6E1:				; CODE XREF: RtlGetProductInfo+5Bj
					; RtlGetProductInfo+87j ...
		mov	ecx, [ebp+var_8]
		mov	al, bl
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_50B6F4:				; CODE XREF: RtlGetProductInfo+ACj
					; RtlGetProductInfo+B5j ...
		mov	ecx, [ebp+var_E0]
		mov	dword ptr [ecx], 0ABCDABCDh
		jmp	short loc_50B6DE
RtlGetProductInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CompareVersions	proc near		; CODE XREF: RtlGetProductInfo+80p
					; RtlGetProductInfo+CE30Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_10]
		cmp	[ebp+arg_0], eax
		jbe	short loc_50B716

loc_50B70F:				; CODE XREF: CompareVersions+1Cj
					; CompareVersions+26j ...
		xor	eax, eax
		inc	eax

loc_50B712:				; CODE XREF: CompareVersions+36j
					; CompareVersions+3Bj
		pop	ebp
		retn	20h
; 

loc_50B716:				; CODE XREF: CompareVersions+Bj
		jb	short loc_50B73A
		mov	eax, [ebp+arg_14]
		cmp	[ebp+arg_4], eax
		ja	short loc_50B70F
		jb	short loc_50B73A
		mov	eax, [ebp+arg_18]
		cmp	[ebp+arg_8], eax
		ja	short loc_50B70F
		jb	short loc_50B73A
		mov	eax, [ebp+arg_1C]
		cmp	[ebp+arg_C], eax
		ja	short loc_50B70F
		jb	short loc_50B73A
		xor	eax, eax
		jmp	short loc_50B712
; 

loc_50B73A:				; CODE XREF: CompareVersions:loc_50B716j
					; CompareVersions+1Ej ...
		or	eax, 0FFFFFFFFh
		jmp	short loc_50B712
CompareVersions	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiFillSessionWorkingSetEntry(x, x)
_MiFillSessionWorkingSetEntry@8	proc near
					; CODE XREF: MmQuerySessionWorkingSetInformation(x,x)+56p
					; PfpPrivSourceEnum(x,x,x)+2DDp
		mov	eax, [edx+8]
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	[esi], eax
		mov	eax, [edx+104h]
		mov	[esi+10h], eax
		mov	ebx, [edx+100h]
		mov	[esi+4], ebx
		mov	edi, [edx+6Ch]
		mov	[esi+0Ch], edi
		mov	ecx, [edx+20h]
		mov	[esi+8], ecx
		cmp	edi, ecx
		jnb	short loc_50B77E

loc_50B76C:				; CODE XREF: MiFillSessionWorkingSetEntry(x,x)+40j
		mov	[esi+0Ch], edi
		cmp	eax, ebx
		jnb	short loc_50B782

loc_50B773:				; CODE XREF: MiFillSessionWorkingSetEntry(x,x)+44j
		cmp	eax, ecx
		jnb	short loc_50B786

loc_50B777:				; CODE XREF: MiFillSessionWorkingSetEntry(x,x)+48j
		pop	edi
		mov	[esi+10h], eax
		pop	esi
		pop	ebx
		retn
; 

loc_50B77E:				; CODE XREF: MiFillSessionWorkingSetEntry(x,x)+2Aj
		mov	edi, ecx
		jmp	short loc_50B76C
; 

loc_50B782:				; CODE XREF: MiFillSessionWorkingSetEntry(x,x)+31j
		mov	eax, ebx
		jmp	short loc_50B773
; 

loc_50B786:				; CODE XREF: MiFillSessionWorkingSetEntry(x,x)+35j
		mov	eax, ecx
		jmp	short loc_50B777
_MiFillSessionWorkingSetEntry@8	endp


;  S U B	R O U T	I N E 


; __stdcall CmpAcquireWriteQueue(x)
_CmpAcquireWriteQueue@4	proc near	; CODE XREF: CmpFlushHive+29Fp
					; CmpFlushHive+674p ...
		mov	edi, edi
		push	esi
		push	0
		xor	edx, edx
		mov	esi, ecx
		call	KeAbPreAcquire
		mov	edx, large fs:124h
		mov	[esi], edx
		test	eax, eax
		jz	short loc_50B7A9
		or	byte ptr [eax+0Eh], 1

loc_50B7A9:				; CODE XREF: CmpAcquireWriteQueue(x)+19j
		pop	esi
		retn
_CmpAcquireWriteQueue@4	endp

; 
		align 10h
; Exported entry 1403. MmFreePagesFromMdl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmFreePagesFromMdl(x)
		public _MmFreePagesFromMdl@4
_MmFreePagesFromMdl@4 proc near		; CODE XREF: PopFreeHiberContext+7Bp
					; IopLiveDumpAllocateDumpBuffers(x)+30Ep ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		pop	ebp
		retn	4
_MmFreePagesFromMdl@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInvalidateCollidedIos	proc near	; CODE XREF: MiFinishHardFault(x,x,x,x)+1C6p
					; MiDeleteTransitionPte:loc_5B0BCCp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005D9916 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		test	byte ptr [ecx+78h], 10h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], 1
		jnz	short loc_50B84E
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_14], esi

loc_50B7E6:				; CODE XREF: MiInvalidateCollidedIos+1DAj
		lea	eax, [esi+8]
		mov	edi, [eax]

loc_50B7EB:				; CODE XREF: MiInvalidateCollidedIos+72j
		cmp	edi, eax
		jz	short loc_50B838
		imul	edx, [edi+0BCh], 1Ch

loc_50B7F6:				; DATA XREF: .text:loc_427A80w
		mov	esi, edi
		mov	edi, [edi]
		add	edx, ds:_MmPfnDatabase
		test	byte ptr [ecx+78h], 10h
		jnz	short loc_50B840

loc_50B806:				; CODE XREF: MiInvalidateCollidedIos+86j
		mov	ecx, edx
		call	_MiReleaseInPageRefs@4 ; MiReleaseInPageRefs(x)
		mov	edx, [esi]
		cmp	[edx+4], esi
		jnz	loc_50B9AA
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_50B9AA
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, [ebp+var_10]
		mov	[esi+4], esi
		mov	[esi], esi

loc_50B830:				; CODE XREF: MiInvalidateCollidedIos+88j
		mov	eax, [ebp+var_14]
		add	eax, 8
		jmp	short loc_50B7EB
; 

loc_50B838:				; CODE XREF: MiInvalidateCollidedIos+29j
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_50B840:				; CODE XREF: MiInvalidateCollidedIos+40j
		mov	eax, [edx+4]
		or	eax, 80000000h
		cmp	eax, ebx
		jz	short loc_50B806
		jmp	short loc_50B830
; 

loc_50B84E:				; CODE XREF: MiInvalidateCollidedIos+19j
		lea	eax, [ecx+8]
		mov	esi, [eax]
		cmp	[esi+4], eax
		jnz	loc_50B9AA
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_50B9AA
		mov	[edx], esi
		mov	[esi+4], edx
		mov	eax, [ecx+0C4h]
		mov	edi, ds:_MmPfnDatabase
		mov	esi, [ecx+0C8h]
		mov	[ebp+var_20], eax
		imul	eax, 1Ch
		mov	[ebp+var_C], edi
		mov	ecx, [esi+98h]
		mov	[ebp+var_14], esi
		mov	[ebp+var_24], eax
		add	eax, edi
		mov	[ebp+var_28], eax
		mov	ebx, [eax+4]
		lea	eax, [esi+0A8h]
		or	ebx, 80000000h
		mov	[ebp+var_4], ebx
		test	ecx, ecx
		jnz	loc_50B9A3

loc_50B8B2:				; CODE XREF: MiInvalidateCollidedIos+1E1j
		mov	ecx, [eax+18h]
		lea	edx, [eax+1Ch]
		add	ecx, [eax+10h]
		mov	eax, [eax+14h]
		and	ecx, 0FFFh
		and	[ebp+var_8], 0
		add	eax, 0FFFh
		add	ecx, eax
		shr	ecx, 0Ch
		lea	eax, [ecx-1]
		lea	eax, [edx+eax*4]
		mov	[ebp+var_18], eax
		imul	eax, [edx], 1Ch
		mov	edi, [eax+edi+4]
		or	edi, 80000000h
		cmp	ebx, edi
		jb	loc_5D9916
		mov	eax, ebx
		sub	eax, edi
		sar	eax, 3
		cmp	eax, ecx
		mov	ecx, [ebp+var_C]
		jnb	loc_5D9936
		imul	edi, [edx+eax*4], 1Ch
		add	edi, ecx
		mov	[ebp+var_1C], edi
		mov	eax, [edi+4]
		or	eax, 80000000h
		cmp	ebx, eax
		jnz	loc_5D9936

loc_50B91B:				; CODE XREF: MiInvalidateCollidedIos+CE169j
		mov	edx, [ebx]
		nop
		mov	eax, [ebx+4]
		mov	ecx, [ebp+var_20]
		push	eax
		push	edx
		call	_MiUpdateTransitionPteFrame@12 ; MiUpdateTransitionPteFrame(x,x,x)
		mov	edi, eax
		mov	[ebp+var_18], edx
		mov	[ebp+var_C], edi

loc_50B933:				; CODE XREF: MiInvalidateCollidedIos+18Fj
					; MiInvalidateCollidedIos+194j
		mov	esi, [ebx]
		mov	eax, esi
		mov	ecx, [ebx+4]
		mov	edx, ecx
		mov	[ebp+var_20], ecx
		nop
		mov	ecx, [ebp+var_18]
		mov	ebx, edi
		mov	edi, [ebp+var_4]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, edi
		mov	edi, [ebp+var_C]
		cmp	eax, esi
		jnz	short loc_50B933
		cmp	edx, [ebp+var_20]
		jnz	short loc_50B933
		mov	eax, [ebp+var_10]
		mov	ecx, edi
		mov	edi, [ebp+var_1C]
		mov	edx, [ebp+var_24]
		mov	esi, [ebp+var_14]
		mov	[eax+60h], ecx
		mov	ecx, [ebp+var_18]
		mov	[eax+64h], ecx
		mov	ecx, ds:_MmPfnDatabase
		mov	eax, [edi+8]
		xor	eax, [edx+ecx+8]
		and	eax, 3E0h
		xor	[edx+ecx+8], eax
		mov	eax, [ebp+var_8]
		xor	[edx+ecx+0Ch], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_8], eax

loc_50B994:				; CODE XREF: MiInvalidateCollidedIos+CE181j
		mov	ecx, edi
		call	_MiReleaseInPageRefs@4 ; MiReleaseInPageRefs(x)
		mov	ecx, [ebp+var_10]
		jmp	loc_50B7E6
; 

loc_50B9A3:				; CODE XREF: MiInvalidateCollidedIos+E8j
		mov	eax, ecx
		jmp	loc_50B8B2
; 

loc_50B9AA:				; CODE XREF: MiInvalidateCollidedIos+4Ej
					; MiInvalidateCollidedIos+59j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
MiInvalidateCollidedIos	endp


;  S U B	R O U T	I N E 


; __stdcall MiReleaseInPageRefs(x)
_MiReleaseInPageRefs@4 proc near	; CODE XREF: MiInvalidateCollidedIos+44p
					; MiInvalidateCollidedIos+1D2p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		mov	eax, [esi+18h]
		and	eax, offset loc_7FFFFF
		imul	ecx, eax, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		lea	edx, [esi+10h]
		mov	ecx, esi
		or	dword ptr [edx], 40000000h
		mov	bl, al
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_50BA40
		mov	ecx, [esi+8]
		and	ecx, 400h
		or	ecx, 0
		jz	short loc_50BA40
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, dword_6D0700
		mov	eax, edx
		mov	edi, [esi+8]
		mov	ecx, [esi+0Ch]
		mov	esi, dword_6D0704
		or	eax, esi
		jz	short loc_50BA30
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_50BA30
		not	esi
		and	ecx, esi

loc_50BA30:				; CODE XREF: MiReleaseInPageRefs(x)+70j
					; MiReleaseInPageRefs(x)+7Aj
		push	3
		push	ecx
		mov	edx, ecx
		mov	ecx, [ecx]
		call	MiDereferenceControlAreaPfnList
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_50BA40:				; CODE XREF: MiReleaseInPageRefs(x)+3Aj
					; MiReleaseInPageRefs(x)+48j
		mov	eax, [esi+0Ch]
		and	dword ptr [esi+8], 0FFFFFFF9h
		mov	[esi+0Ch], eax
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiReleaseInPageRefs@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1826. PsGetThreadFreezeCount

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetThreadFreezeCount(x)
		public _PsGetThreadFreezeCount@4
_PsGetThreadFreezeCount@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+150h]
		mov	eax, [ecx+64h]
		shr	eax, 3
		and	eax, 1
		add	eax, [ecx+98h]
		pop	ebp
		retn	4
_PsGetThreadFreezeCount@4 endp

; 
		align 8
; Exported entry 864. IoGetDriverObjectExtension

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoGetDriverObjectExtension
IoGetDriverObjectExtension proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D994A SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, [ebp+arg_0]
		mov	bl, al
		mov	ecx, [ecx+18h]
		mov	esi, [ecx+14h]
		test	esi, esi
		jz	short loc_50BAAF
		mov	ecx, [ebp+arg_4]

loc_50BAAA:				; CODE XREF: IoGetDriverObjectExtension+84j
		cmp	[esi+4], ecx
		jnz	short loc_50BB08

loc_50BAAF:				; CODE XREF: IoGetDriverObjectExtension+1Dj
					; IoGetDriverObjectExtension+86j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	edi, [eax+468h]
		jnz	loc_5D994A
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_50BAF3
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jnz	short loc_50BB10

loc_50BADD:				; CODE XREF: IoGetDriverObjectExtension+7Aj
					; IoGetDriverObjectExtension+CDECCj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_50BB04
		lea	eax, [esi+8]

loc_50BAEC:				; CODE XREF: IoGetDriverObjectExtension+7Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_50BAF3:				; CODE XREF: IoGetDriverObjectExtension+44j
					; IoGetDriverObjectExtension+8Fj
		xor	ecx, ecx
		mov	dword ptr [edi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_50BADD
; 

loc_50BB04:				; CODE XREF: IoGetDriverObjectExtension+5Fj
		xor	eax, eax
		jmp	short loc_50BAEC
; 

loc_50BB08:				; CODE XREF: IoGetDriverObjectExtension+25j
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_50BAAA
		jmp	short loc_50BAAF
; 

loc_50BB10:				; CODE XREF: IoGetDriverObjectExtension+53j
		mov	ecx, edi
		call	KxWaitForLockChainValid
		jmp	short loc_50BAF3
IoGetDriverObjectExtension endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSmallVaStillMapsFrame(x, x)
_MiSmallVaStillMapsFrame@8 proc	near	; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+200p
					; MiLockStealSystemVm(x,x,x,x)+1C8p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, edx
		push	edi
		lea	edx, [ebp+var_10]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_4], ebx
		call	_MiFillPteHierarchy@8 ;	MiFillPteHierarchy(x,x)
		lea	edx, [ebp+var_4]
		lea	ecx, [ebp+var_10]
		call	_MiPageTableStillExists@8 ; MiPageTableStillExists(x,x)
		test	eax, eax
		jz	short loc_50BBC0
		cmp	[ebp+var_4], ebx
		jnz	short loc_50BBC0
		or	edx, 0FFFFFFFFh
		cmp	esi, edx
		jz	short loc_50BB77
		mov	edi, [ebp+var_10]
		mov	ecx, [edi]
		nop
		mov	ebx, [edi+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_50BBC0
		nop
		shrd	ecx, ebx, 0Ch
		and	ecx, 1FFFFFFh
		cmp	ecx, esi
		jnz	short loc_50BB7F

loc_50BB77:				; CODE XREF: MiSmallVaStillMapsFrame(x,x)+39j
					; MiSmallVaStillMapsFrame(x,x)+A4j
		xor	eax, eax
		inc	eax

loc_50BB7A:				; CODE XREF: MiSmallVaStillMapsFrame(x,x)+A8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_50BB7F:				; CODE XREF: MiSmallVaStillMapsFrame(x,x)+5Bj
		cmp	edi, 0C0603018h
		jnz	short loc_50BBC0
		mov	eax, ds:_MmPfnDatabase
		imul	ecx, esi, 1Ch
		mov	eax, [ecx+eax+18h]
		and	eax, offset loc_7FFFFF
		cmp	eax, esi
		jnz	short loc_50BBC0
		test	ds:_MiFlags, 0C00000h
		jz	short loc_50BBBC
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MiPaeGetProcessShadowPage@4 ; MiPaeGetProcessShadowPage(x)
		mov	edx, eax

loc_50BBBC:				; CODE XREF: MiSmallVaStillMapsFrame(x,x)+8Cj
		cmp	esi, edx
		jz	short loc_50BB77

loc_50BBC0:				; CODE XREF: MiSmallVaStillMapsFrame(x,x)+2Dj
					; MiSmallVaStillMapsFrame(x,x)+32j ...
		xor	eax, eax
		jmp	short loc_50BB7A
_MiSmallVaStillMapsFrame@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPageTableStillExists(x, x)
_MiPageTableStillExists@8 proc near	; CODE XREF: MiSmallVaStillMapsFrame(x,x)+26p
					; MiSynchronizeSystemVa+111448p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	dword ptr [edx], 0
		push	esi
		push	edi
		push	2
		mov	edi, ecx
		pop	esi

loc_50BBD5:				; CODE XREF: MiPageTableStillExists(x,x)+35j
		dec	esi
		mov	eax, [edi+esi*4]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_50BC06
		and	ecx, 80h
		or	ecx, 0
		jnz	short loc_50BC02
		cmp	esi, 1
		jnz	short loc_50BBD5

loc_50BBFB:				; CODE XREF: MiPageTableStillExists(x,x)+40j
		xor	eax, eax
		inc	eax

loc_50BBFE:				; CODE XREF: MiPageTableStillExists(x,x)+44j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_50BC02:				; CODE XREF: MiPageTableStillExists(x,x)+30j
		mov	[edx], esi
		jmp	short loc_50BBFB
; 

loc_50BC06:				; CODE XREF: MiPageTableStillExists(x,x)+25j
		xor	eax, eax
		jmp	short loc_50BBFE
_MiPageTableStillExists@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpFinalizeTimerDeletion(x)
_ExpFinalizeTimerDeletion@4 proc near	; DATA XREF: ExDeleteTimer+2Ao

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+58h]
		test	eax, eax
		jnz	short loc_50BC34

loc_50BC1A:				; CODE XREF: ExpFinalizeTimerDeletion(x)+2Fj
		mov	al, ds:_ExpTimerFreedCookie
		push	6D547845h
		not	al
		push	esi
		mov	[esi+60h], al
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebp
		retn	4
; 

loc_50BC34:				; CODE XREF: ExpFinalizeTimerDeletion(x)+Ej
		push	dword ptr [esi+5Ch]
		call	eax
		jmp	short loc_50BC1A
_ExpFinalizeTimerDeletion@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall ObFastReferenceObjectLocked(x)
@ObFastReferenceObjectLocked@4 proc near ; CODE	XREF: SeCaptureSubjectContext+A4p
					; ObOpenObjectByNameEx+688p ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		and	esi, 0FFFFFFF8h
		jz	short loc_50BC52
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag

loc_50BC52:				; CODE XREF: ObFastReferenceObjectLocked(x)+8j
		mov	eax, esi
		pop	esi
		retn
@ObFastReferenceObjectLocked@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2128. RtlGetMultiTimePrecise

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlGetMultiTimePrecise
RtlGetMultiTimePrecise proc near	; CODE XREF: EtwpGetTimeStampAndQpcDelta(x,x,x)+35p
					; EtwpInitializeTimeStamp+69p ...

var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D9959 SIZE 0000008C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		push	ebx
		xor	ebx, ebx
		push	esi		; struct _exception *
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_1], bl
		mov	[ebp+var_40], ebx
		cmp	[ebp+arg_4], ebx
		jz	loc_5D9959
		mov	esi, ds:_HvlpReferenceTscPage
		mov	[ebp+var_C], esi
		test	esi, esi
		jnz	short loc_50BCB6
		call	off_6B1448	; MiIsSoftwareEnclave(x)
		mov	esi, eax
		mov	[ebp+var_C], eax

loc_50BCB6:				; CODE XREF: RtlGetMultiTimePrecise+4Dj
		mov	eax, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_4]
		and	eax, 4
		and	edi, 2
		mov	[ebp+var_3C], eax
		mov	[ebp+var_30], edi

loc_50BCC9:				; CODE XREF: RtlGetMultiTimePrecise+CDD1Fj
		mov	ecx, 0FFDF0340h
		call	_RtlBeginReadTickLock@4	; RtlBeginReadTickLock(x)
		cmp	[ebp+var_3C], 0
		mov	[ebp+var_54], eax
		mov	[ebp+var_4C], edx
		jz	short loc_50BD17
		mov	eax, ds:0FFDF0348h
		mov	[ebp+var_20], eax
		mov	eax, ds:0FFDF034Ch
		mov	[ebp+var_24], eax
		mov	eax, ds:0FFDF0358h
		mov	[ebp+var_28], eax
		mov	eax, ds:0FFDF035Ch
		mov	[ebp+var_2C], eax
		mov	al, ds:0FFDF0368h
		mov	[ebp+var_1], al
		mov	eax, ds:0FFDF0014h
		mov	[ebp+var_44], eax
		mov	eax, ds:0FFDF0018h
		mov	[ebp+var_48], eax

loc_50BD17:				; CODE XREF: RtlGetMultiTimePrecise+81j
		test	edi, edi
		jz	loc_5D9963
		test	esi, esi
		jz	loc_5D9963
		movzx	eax, byte ptr ds:0FFDF03C7h
		cdq
		mov	[ebp+var_34], eax
		mov	[ebp+var_38], edx

loc_50BD35:				; CODE XREF: RtlGetMultiTimePrecise+12Cj
					; RtlGetMultiTimePrecise+131j ...
		mov	edi, 0FFDF03B8h

loc_50BD3A:				; CODE XREF: RtlGetMultiTimePrecise+F0j
					; RtlGetMultiTimePrecise+F4j
		mov	edx, [edi]
		mov	esi, [edi+4]
		mov	eax, [edi]
		mov	ecx, [edi+4]
		mov	[ebp+var_18], edx
		mov	[ebp+var_1C], esi
		cmp	edx, eax
		jnz	short loc_50BD3A
		cmp	esi, ecx
		jnz	short loc_50BD3A
		mov	esi, [ebp+var_C]

loc_50BD55:				; CODE XREF: RtlGetMultiTimePrecise+10Dj
					; RtlGetMultiTimePrecise+111j
		mov	edx, [esi+18h]
		mov	ebx, [esi+1Ch]
		mov	eax, [esi+18h]
		mov	ecx, [esi+1Ch]
		mov	[ebp+var_10], edx
		mov	[ebp+var_14], ebx
		cmp	edx, eax
		jnz	short loc_50BD55
		cmp	ebx, ecx
		jnz	short loc_50BD55
		xor	ebx, ebx
		push	ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, [ebp+var_C]
		mov	edi, eax
		mov	esi, edx
		mov	eax, [ecx+18h]
		mov	ecx, [ecx+1Ch]
		cmp	[ebp+var_10], eax
		jnz	short loc_50BD35
		cmp	[ebp+var_14], ecx
		jnz	short loc_50BD35
		mov	ecx, 0FFDF03B8h
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		cmp	[ebp+var_18], eax
		jnz	short loc_50BD35
		cmp	[ebp+var_1C], ecx
		jnz	short loc_50BD35

loc_50BDA3:				; CODE XREF: RtlGetMultiTimePrecise+CDD12j
		push	[ebp+var_4C]
		mov	ecx, 0FFDF0340h
		push	[ebp+var_54]
		call	_RtlTryEndReadTickLock@12 ; RtlTryEndReadTickLock(x,x,x)
		test	eax, eax
		jz	loc_5D9973
		test	byte ptr [ebp+arg_4], 1
		mov	ecx, [ebp+arg_0]
		jz	loc_5D9980
		xor	edx, edx
		mov	[ecx], edi
		inc	edx
		mov	[ecx+4], esi
		mov	[ebp+var_8], edx

loc_50BDD3:				; CODE XREF: RtlGetMultiTimePrecise+CDD27j
		cmp	[ebp+var_30], 0
		jz	short loc_50BDED
		mov	eax, [ebp+var_34]
		or	eax, [ebp+var_38]
		jnz	short loc_50BDED
		mov	eax, [ebp+var_10]
		or	eax, [ebp+var_14]
		jnz	loc_5D9988

loc_50BDED:				; CODE XREF: RtlGetMultiTimePrecise+17Bj
					; RtlGetMultiTimePrecise+183j ...
		cmp	[ebp+var_3C], 0
		jz	short loc_50BE57
		cmp	esi, [ebp+var_24]
		jb	short loc_50BE65
		mov	eax, [ebp+var_20]
		ja	short loc_50BE01
		cmp	edi, eax
		jbe	short loc_50BE65

loc_50BE01:				; CODE XREF: RtlGetMultiTimePrecise+19Fj
		sub	edi, eax
		mov	al, [ebp+var_1]
		sbb	esi, [ebp+var_24]
		sub	edi, 1
		sbb	esi, ebx
		test	al, al
		jz	short loc_50BE25
		movsx	ecx, al
		mov	edx, esi
		mov	eax, edi
		call	__allshl
		mov	ecx, [ebp+arg_0]
		mov	edi, eax
		mov	esi, edx

loc_50BE25:				; CODE XREF: RtlGetMultiTimePrecise+1B4j
		mov	eax, [ebp+var_2C]
		mul	edi
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_28]
		mov	[ebp+arg_0], edx
		test	esi, esi
		jnz	loc_5D99B1
		mul	edi
		xor	eax, eax
		add	edx, [ebp+arg_4]
		adc	eax, [ebp+arg_0]

loc_50BE45:				; CODE XREF: RtlGetMultiTimePrecise+CDD84j
		mov	edx, [ebp+var_8]

loc_50BE48:				; CODE XREF: RtlGetMultiTimePrecise+20Cj
		add	eax, [ebp+var_44]
		mov	[ecx+10h], eax
		adc	ebx, [ebp+var_48]
		or	edx, 4
		mov	[ecx+14h], ebx

loc_50BE57:				; CODE XREF: RtlGetMultiTimePrecise+195j
		mov	eax, [ebp+arg_8]
		pop	edi
		mov	[eax], edx

loc_50BE5D:				; CODE XREF: RtlGetMultiTimePrecise+CDD02j
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	0Ch
; 

loc_50BE65:				; CODE XREF: RtlGetMultiTimePrecise+19Aj
					; RtlGetMultiTimePrecise+1A3j
		mov	eax, [ebp+var_40]
		jmp	short loc_50BE48
RtlGetMultiTimePrecise endp

; 
		align 10h
; Exported entry 1477. MmUnlockPagableImageSection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmUnlockPagableImageSection(x)
		public _MmUnlockPagableImageSection@4
_MmUnlockPagableImageSection@4 proc near ; CODE	XREF: PopUnlockAfterSleepWorker(x)+33p
					; MmDuplicateMemory(x)+358p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	MiLockPagableImageSection
		pop	ecx
		pop	ebp
		retn	4
_MmUnlockPagableImageSection@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiSetInPagePrefetchPriority(x, x)
_MiSetInPagePrefetchPriority@8 proc near ; CODE	XREF: MiResolveMappedFileFault+51Ep
					; MiResolvePageFileFault+C2Cp
		mov	ecx, [ecx+28h]
		mov	eax, ecx
		and	cl, 40h
		and	eax, 7
		push	esi
		mov	esi, edx
		movzx	edx, cl
		neg	edx
		mov	ecx, esi
		push	eax
		sbb	edx, edx
		and	edx, 5
		call	_MiSetInPagePriority@12	; MiSetInPagePriority(x,x,x)
		pop	esi
		retn
_MiSetInPagePrefetchPriority@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegSegmentInitialize proc	near	; CODE XREF: RtlpHpSegPageRangeAllocate+5F9p
					; RtlpHpSegContextReserve+838F9p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D99E5 SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	al, [esi+9]
		and	al, 7
		cmp	al, 1
		jnb	loc_5D99E5

loc_50BEC6:				; CODE XREF: RtlpHpSegSegmentInitialize+CDB5Bj
		mov	al, [esi+6]
		mov	edx, [ebp+arg_0]
		movzx	edi, al
		neg	al
		shl	edi, 4
		add	edi, ebx
		mov	[edi+0Fh], al
		lea	ebx, [edi+0Ch]
		mov	al, [ebx]
		or	al, 2
		mov	[ebx], al
		xor	eax, eax
		mov	cl, [esi+5]
		inc	eax
		shl	eax, cl
		test	edx, edx
		jnz	loc_5D9A08

loc_50BEF2:				; CODE XREF: RtlpHpSegSegmentInitialize+CDB8Dj
		not	edx
		shl	edx, 8
		xor	edx, [ebx]
		and	edx, 0FFFF00h
		xor	[ebx], edx
		movzx	ecx, byte ptr [edi+0Fh]
		dec	ecx
		mov	eax, ecx
		add	eax, eax
		mov	[edi+eax*8+0Fh], cl
		mov	dword ptr [edi], 0CCDDCCDDh
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
RtlpHpSegSegmentInitialize endp

; 
		align 10h
; Exported entry 1127. KeDetachProcess

;  S U B	R O U T	I N E 


; __stdcall KeDetachProcess()
		public _KeDetachProcess@0
_KeDetachProcess@0 proc	near
		mov	ecx, large fs:124h
		cmp	byte ptr [ecx+16Ah], 0
		jz	short locret_50BF3D
		add	ecx, 174h
		xor	edx, edx
		jmp	KiDetachProcess
; 

locret_50BF3D:				; CODE XREF: KeDetachProcess()+Ej
		retn
_KeDetachProcess@0 endp


;  S U B	R O U T	I N E 


MiRemoveFaultNode proc near		; CODE XREF: .text:0046F703p
					; MiMapPagesToZero(x,x,x)+6Bp ...

; FUNCTION CHUNK AT 005D9A3A SIZE 0000000F BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	byte ptr [esi+27h], 0
		jnz	loc_5D9A3A
		mov	edi, offset unk_6D2FA8
		mov	ebx, offset dword_6D2FAC

loc_50BF59:				; CODE XREF: MiRemoveFaultNode+CDB06j
		push	edi
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		push	esi
		push	ebx
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		push	edi
		mov	byte ptr [esi+24h], 0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	edi
		pop	esi
		pop	ebx
		retn
MiRemoveFaultNode endp ; sp = -8


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateMostlyContiguousPagesForMdl proc near	; CODE XREF: MiFindPagesForMdl+BAp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D9A49 SIZE 00000070 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, dword_6D5D84
		or	edx, 60002000h
		or	[ebp+var_8], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], eax
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_18], edx
		push	ecx
		mov	eax, [edi+24h]
		mov	ebx, [edi+8]
		mov	esi, [edi+0Ch]
		push	eax
		mov	ecx, [eax+14h]
		push	edx
		push	80000000h
		push	[ebp+arg_0]
		mov	[ebp+var_4], eax
		mov	edx, ebx
		push	dword ptr [edi+20h]
		mov	eax, [edi+14h]
		shr	ecx, 0Ch
		sub	eax, ecx
		mov	ecx, [edi]
		push	eax
		push	0
		push	esi
		call	_MiFindContiguousPages@44 ; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, [edi+14h]
		mov	[ebp+var_10], edx
		mov	eax, [ecx+14h]
		shr	eax, 0Ch
		cmp	eax, edx

loc_50BFDC:				; CODE XREF: MiAllocateMostlyContiguousPagesForMdl+CDB40j
		mov	[ebp+var_C], eax
		jnz	loc_5D9A49

loc_50BFE5:				; CODE XREF: MiAllocateMostlyContiguousPagesForMdl+CDADAj
					; MiAllocateMostlyContiguousPagesForMdl+CDAE5j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
MiAllocateMostlyContiguousPagesForMdl endp


;  S U B	R O U T	I N E 


; __stdcall PiUEventHashGuidIntoBucket(x)
_PiUEventHashGuidIntoBucket@4 proc near	; CODE XREF: PiUEventHandleRegistration+159p
					; PiUEventNotifyDeviceInterfaceChange(x)+42p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	2
		mov	esi, ecx
		mov	edi, 4CB2Fh
		pop	ebx

loc_50BFFB:				; CODE XREF: PiUEventHashGuidIntoBucket(x)+62j
		movzx	eax, byte ptr [esi+1]
		imul	edx, eax, 25h
		movzx	eax, byte ptr [esi+2]
		add	edx, eax
		movzx	eax, byte ptr [esi+3]
		imul	ecx, edx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [esi+4]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [esi+5]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [esi+6]
		imul	ecx, 25h
		add	ecx, eax
		imul	eax, edi, 2FE8ED1Fh
		imul	ecx, 25h
		sub	ecx, eax
		movzx	eax, byte ptr [esi]
		imul	edi, eax, 1A617D0Dh
		lea	esi, [esi+8]
		movzx	eax, byte ptr [esi-1]
		add	edi, ecx
		add	edi, eax
		sub	ebx, 1
		jnz	short loc_50BFFB
		push	0Dh
		pop	ecx
		mov	eax, edi
		xor	edx, edx
		div	ecx
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		retn
_PiUEventHashGuidIntoBucket@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


PsIsThreadAttachedToSpecificSilo proc near ; CODE XREF:	NtSetInformationThread+104B07p
					; NtSetInformationThread+104B37p

; FUNCTION CHUNK AT 005D9AB9 SIZE 00000009 BYTES

		mov	ecx, [ecx+390h]
		xor	al, al
		cmp	ecx, 0FFFFFFFDh
		jnz	loc_5D9AB9
		retn
PsIsThreadAttachedToSpecificSilo endp


;  S U B	R O U T	I N E 


; __stdcall IopSkipCompletionPort(x, x)
_IopSkipCompletionPort@8 proc near	; CODE XREF: .text:00522DCCp
		test	dword ptr [ecx+2Ch], 2000000h
		jnz	short loc_50C07E

loc_50C07B:				; CODE XREF: IopSkipCompletionPort(x,x)+10j
					; IopSkipCompletionPort(x,x)+1Fj
		xor	eax, eax
		retn
; 

loc_50C07E:				; CODE XREF: IopSkipCompletionPort(x,x)+7j
		cmp	byte ptr [edx+21h], 0
		jnz	short loc_50C07B
		mov	eax, [edx+18h]
		and	eax, 0C0000000h
		cmp	eax, 80000000h
		jz	short loc_50C07B
		xor	eax, eax
		inc	eax
		retn
_IopSkipCompletionPort@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcComputeNextScanTime proc near		; CODE XREF: CcLazyWriteScan+691p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D9AC2 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[esi], ebx
		mov	eax, [edi+284h]
		mov	[esi+4], ebx
		cmp	eax, [edi+84h]
		jnb	short loc_50C142
		lea	eax, [ebp+var_10]
		push	eax
		call	KeQueryTickCount
		push	ebx
		push	ds:_KeMaximumIncrement
		push	ebx
		push	9896800h
		call	__aulldiv
		mov	ebx, [edi+44h]
		mov	[ebp+arg_0], eax
		inc	ebx
		mov	eax, [ebp+var_8]
		mov	[ebp+var_4], edx
		mov	[edi+44h], ebx
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_50C103
		cmp	ecx, 7FFFFFFFh
		jz	short loc_50C136

loc_50C103:				; CODE XREF: CcComputeNextScanTime+61j
		mov	eax, edx
		add	eax, [ebp+arg_0]
		mov	[ebp+var_8], eax
		mov	eax, ecx
		adc	eax, [ebp+var_4]
		cmp	eax, [ebp+var_C]
		jg	short loc_50C11F
		jl	short loc_50C136
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+var_10]
		jbe	short loc_50C136

loc_50C11F:				; CODE XREF: CcComputeNextScanTime+7Bj
		sub	edx, [ebp+var_10]
		sbb	ecx, [ebp+var_C]
		add	edx, [ebp+arg_0]
		mov	[esi], edx
		adc	ecx, [ebp+var_4]
		and	dword ptr [edi+44h], 0
		xor	ebx, ebx
		mov	[esi+4], ecx

loc_50C136:				; CODE XREF: CcComputeNextScanTime+69j
					; CcComputeNextScanTime+7Dj ...
		cmp	ebx, _CcMaxWorklessLazywriteScans
		jnb	loc_5D9AC2

loc_50C142:				; CODE XREF: CcComputeNextScanTime+2Cj
					; CcComputeNextScanTime+CDA38j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
CcComputeNextScanTime endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepCaptureHandles proc near		; CODE XREF: NtCreateLowBoxToken+167p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005D9AF8 SIZE 0000000D BYTES

		push	10h
		push	offset dword_6A4368
		call	__SEH_prolog4
		mov	ebx, edx
		mov	esi, ecx
		mov	edi, [ebp+arg_0]
		and	dword ptr [edi], 0
		cmp	esi, 0Ah
		ja	short loc_50C1C1
		test	esi, esi
		jz	short loc_50C1C8
		push	63486553h
		mov	eax, esi
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+arg_0], edx
		test	edx, edx
		jz	short loc_50C1CC
		and	[ebp+ms_exc.disabled], 0
		xor	ecx, ecx

loc_50C18A:				; CODE XREF: SepCaptureHandles+4Ej
		mov	[ebp+var_1C], ecx
		cmp	ecx, esi
		jnb	short loc_50C19A
		mov	eax, [ebx+ecx*4]
		mov	[edx+ecx*4], eax
		inc	ecx
		jmp	short loc_50C18A
; 

loc_50C19A:				; CODE XREF: SepCaptureHandles+45j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[edi], edx
		xor	esi, esi

loc_50C1A5:				; CODE XREF: sub_5D9AE3+10j
		test	esi, esi
		js	loc_5D9AF8

loc_50C1AD:				; CODE XREF: SepCaptureHandles+CD9B6j
		mov	eax, esi

loc_50C1AF:				; CODE XREF: SepCaptureHandles+7Cj
					; SepCaptureHandles+80j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_50C1C1:				; CODE XREF: SepCaptureHandles+19j
		mov	eax, 0C00000EFh
		jmp	short loc_50C1AF
; 

loc_50C1C8:				; CODE XREF: SepCaptureHandles+1Dj
		xor	eax, eax
		jmp	short loc_50C1AF
; 

loc_50C1CC:				; CODE XREF: SepCaptureHandles+38j
		mov	eax, 0C000009Ah
		jmp	short loc_50C1AF
SepCaptureHandles endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeBoostPriorityThread proc near		; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+1B0p
					; VdmpQueueIntApcRoutine(x,x,x,x,x)+F9p ...

var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005D9B05 SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		mov	esi, ecx
		mov	[ebp+var_18], edx
		cmp	dword ptr [esi+150h], offset _KiInitialProcess
		jz	loc_50C2C1
		and	[ebp+var_10], 0
		push	ebx
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ebx, large fs:20h
		lea	edi, [esi+2Ch]
		and	[ebp+var_14], 0
		mov	[ebp+var_1], al
		mov	ecx, [ebx+4]
		mov	[ebp+var_8], ecx

loc_50C21A:				; CODE XREF: KeBoostPriorityThread+CD93Fj
		lock bts dword ptr [edi], 0
		jb	loc_5D9B05
		movsx	eax, byte ptr [esi+87h]
		mov	edi, [ebp+var_C]
		mov	[ebp+var_20], eax
		cmp	eax, 10h
		jge	short loc_50C294
		cmp	byte ptr [esi+15Ch], 0
		jnz	short loc_50C294
		movsx	edi, byte ptr [esi+15Bh]
		add	edi, [ebp+var_18]
		cmp	edi, eax
		jle	short loc_50C2C4
		cmp	edi, 10h
		jl	short loc_50C256
		push	0Fh
		pop	edi

loc_50C256:				; CODE XREF: KeBoostPriorityThread+7Dj
		mov	eax, [ebp+var_8]
		cmp	esi, eax
		jz	loc_5D9B18

loc_50C261:				; CODE XREF: KeBoostPriorityThread+9Aj
		mov	edx, [esi+34h]
		mov	ecx, [esi+30h]
		cmp	edx, [esi+38h]
		jz	short loc_50C270
		pause
		jmp	short loc_50C261
; 

loc_50C270:				; CODE XREF: KeBoostPriorityThread+96j
					; KeBoostPriorityThread+CD95Cj	...
		cmp	esi, eax
		setnz	al
		movzx	eax, al
		push	eax
		push	edx
		movzx	edx, byte ptr [esi+193h]
		push	ecx
		mov	ecx, esi
		call	_KiComputeQuantumTargetThread@20 ; KiComputeQuantumTargetThread(x,x,x,x,x)
		push	edi
		lea	edx, [ebp+var_10]
		mov	ecx, esi
		call	KiSetPriorityThread

loc_50C294:				; CODE XREF: KeBoostPriorityThread+61j
					; KeBoostPriorityThread+6Aj ...
		lea	edx, [ebp+var_10]
		mov	dword ptr [esi+2Ch], 0
		mov	ecx, ebx
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, ebx
		call	KiCheckForThreadDispatch
		test	dword ptr ds:byte_70EFC4, 2000h
		jnz	loc_5D9B40

loc_50C2BF:				; CODE XREF: KeBoostPriorityThread+CD96Ej
					; KeBoostPriorityThread+CD986j
		pop	edi
		pop	ebx

loc_50C2C1:				; CODE XREF: KeBoostPriorityThread+18j
		pop	esi
		leave
		retn
; 

loc_50C2C4:				; CODE XREF: KeBoostPriorityThread+78j
		mov	edi, [ebp+var_C]
		jmp	short loc_50C294
KeBoostPriorityThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMergeTbFlushEntryBackwards(x, x, x, x)
_MiMergeTbFlushEntryBackwards@16 proc near ; CODE XREF:	.text:00458E02p
					; .text:00459EFEp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		mov	edx, 1000h
		imul	ecx, [ebp+arg_4], arg_0+1
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebx+0Ch]
		shl	edx, cl
		imul	edx, esi
		mov	eax, [ebx+edi*4+10h]
		add	[ebx+10h], esi
		sub	eax, edx
		lea	ecx, [eax+esi]
		xor	ecx, eax
		and	ecx, 3FFh
		xor	ecx, eax
		mov	[ebx+edi*4+10h], ecx
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_MiMergeTbFlushEntryBackwards@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2143. RtlGetThreadLangIdByIndex

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlGetThreadLangIdByIndex
RtlGetThreadLangIdByIndex proc near

var_34		= dword	ptr -34h
var_30		= word ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D9B5F SIZE 00000081 BYTES
; FUNCTION CHUNK AT 005D9BFC SIZE 0000000A BYTES

		push	24h
		push	offset dword_6A4388
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], bx
		cmp	[ebp+arg_0], ebx
		jnz	loc_5D9BFC
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	loc_5D9BFC
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jnz	short loc_50C3B2
		cmp	byte ptr [eax+16Ah], 1
		jz	short loc_50C3B2
		mov	eax, [eax+0A8h]

loc_50C361:				; CODE XREF: RtlGetThreadLangIdByIndex+A6j
		mov	[ebp+arg_0], eax
		mov	eax, [eax+0FB8h]
		mov	[ebp+arg_8], eax
		test	eax, eax
		jnz	loc_5D9B5F

loc_50C375:				; CODE XREF: RtlGetThreadLangIdByIndex+CD870j
					; RtlGetThreadLangIdByIndex+CD882j ...
		movzx	eax, word ptr [ebp+var_20]
		mov	[esi], eax
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jnz	short loc_50C3B6

loc_50C382:				; CODE XREF: RtlGetThreadLangIdByIndex+ADj
					; sub_5D9BEE+9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_1C], 0
		jnz	short loc_50C39D
		cmp	word ptr [ebp+var_20], 0
		jnz	short loc_50C39D
		mov	[ebp+var_1C], 0C0000225h

loc_50C39D:				; CODE XREF: RtlGetThreadLangIdByIndex+7Fj
					; RtlGetThreadLangIdByIndex+86j
		mov	eax, [ebp+var_1C]

loc_50C3A0:				; CODE XREF: RtlGetThreadLangIdByIndex+CD8F3j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_50C3B2:				; CODE XREF: RtlGetThreadLangIdByIndex+42j
					; RtlGetThreadLangIdByIndex+4Bj
		mov	eax, ebx
		jmp	short loc_50C361
; 

loc_50C3B6:				; CODE XREF: RtlGetThreadLangIdByIndex+72j
		mov	eax, [ebp+var_24]
		mov	[ecx], eax
		jmp	short loc_50C382
RtlGetThreadLangIdByIndex endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcPerfLogLazyWriteScan(x, x, x, x, x, x, x,	x, x, x, x, x, x, x)
_CcPerfLogLazyWriteScan@56 proc	near	; CODE XREF: CcLazyWriteScan+6FDp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_24		= dword	ptr  2Ch
arg_2C		= dword	ptr  34h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		mov	[ebp+var_40], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_34], eax
		mov	eax, _CcNumberOfMappedVacbs
		mov	[ebp+var_30], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_2C]
		push	400102h
		mov	[ebp+var_44], edx
		xor	edx, edx
		mov	[ebp+var_1C], eax
		inc	edx
		push	1605h
		mov	[ebp+var_48], ecx
		lea	eax, [ebp+var_48]
		push	80020000h
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], 30h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	30h
_CcPerfLogLazyWriteScan@56 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2198. RtlIpv4StringToAddressExW

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIpv4StringToAddressExW
RtlIpv4StringToAddressExW proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D9C06 SIZE 00000158 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	[ebp+var_4], ebx
		cmp	[ebp+arg_0], ebx
		jz	short loc_50C48D
		cmp	[ebp+arg_8], ebx
		jz	short loc_50C48D
		cmp	[ebp+arg_C], ebx
		jz	short loc_50C48D
		push	[ebp+arg_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	RtlIpv4StringToAddressW
		test	eax, eax
		jns	loc_5D9C06

loc_50C48D:				; CODE XREF: RtlIpv4StringToAddressExW+11j
					; RtlIpv4StringToAddressExW+16j ...
		mov	eax, 0C000000Dh

loc_50C492:				; CODE XREF: RtlIpv4StringToAddressExW+CD903j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
RtlIpv4StringToAddressExW endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2199. RtlIpv4StringToAddressW

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIpv4StringToAddressW
RtlIpv4StringToAddressW	proc near	; CODE XREF: RtlIpv4StringToAddressExW+2Ap

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005D9D5E SIZE 000001CF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	esi, [ebp+var_14]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_2C], eax

loc_50C4C5:				; CODE XREF: RtlIpv4StringToAddressW+CCj
		mov	ecx, 80h
		and	[ebp+var_1C], 0
		cmp	word ptr [edi],	30h
		push	0Ah
		pop	ebx
		mov	[ebp+var_15], 0
		mov	[ebp+var_24], ebx
		jz	loc_5D9D5E

loc_50C4E2:				; CODE XREF: RtlIpv4StringToAddressW+CD8EEj
					; RtlIpv4StringToAddressW+CD8FCj
		mov	dl, [ebp+arg_4]
		test	dl, dl
		jz	short loc_50C4EE
		cmp	ebx, 0Ah
		jnz	short loc_50C53C

loc_50C4EE:				; CODE XREF: RtlIpv4StringToAddressW+49j
		movzx	ebx, word ptr [edi]
		test	bx, bx
		jz	loc_5D9E27

loc_50C4FA:				; CODE XREF: RtlIpv4StringToAddressW+CD97Ej
		mov	eax, 80h
		cmp	bx, ax
		jnb	short loc_50C51B
		push	4		; wctype_t
		push	ebx		; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_5D9D9F

loc_50C516:				; CODE XREF: RtlIpv4StringToAddressW+CD90Fj
		mov	eax, 80h

loc_50C51B:				; CODE XREF: RtlIpv4StringToAddressW+64j
		cmp	[ebp+var_24], 10h
		jz	loc_5D9DC3

loc_50C525:				; CODE XREF: RtlIpv4StringToAddressW+CD928j
					; RtlIpv4StringToAddressW+CD939j
		mov	cl, [ebp+var_15]
		mov	eax, [ebp+var_1C]

loc_50C52B:				; CODE XREF: RtlIpv4StringToAddressW+CD984j
		mov	dl, [ebp+arg_4]

loc_50C52E:				; CODE XREF: RtlIpv4StringToAddressW+CD98Fj
		cmp	word ptr [edi],	2Eh
		jz	short loc_50C557
		test	cl, cl
		jnz	loc_5D9E32

loc_50C53C:				; CODE XREF: RtlIpv4StringToAddressW+4Ej
					; RtlIpv4StringToAddressW+BEj ...
		mov	eax, [ebp+var_20]
		mov	[eax], edi
		mov	eax, 0C000000Dh

loc_50C546:				; CODE XREF: RtlIpv4StringToAddressW+CDA8Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_50C557:				; CODE XREF: RtlIpv4StringToAddressW+94j
		lea	edx, [ebp+var_8]
		cmp	esi, edx
		jnb	short loc_50C53C
		mov	[esi], eax
		add	edi, 2
		add	esi, 4
		test	cl, cl
		jz	short loc_50C53C
		jmp	loc_50C4C5
RtlIpv4StringToAddressW	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSendJobNotification(x, x, x, x)
_PspSendJobNotification@16 proc	near	; CODE XREF: PspIncrementJobChainProcessCounts(x,x,x,x)+96p
					; PspSendProcessNotificationToJobChain(x,x,x,x)+7Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	[ebp+arg_4]
		mov	esi, ecx
		push	edx
		push	0
		push	[ebp+arg_0]
		push	dword ptr [esi+0D8h]
		push	dword ptr [esi+0D4h]
		call	_IoSetIoCompletion@24 ;	IoSetIoCompletion(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+arg_0], edi
		test	edi, edi
		js	short loc_50C5C9
		lea	edi, [esi+0E0h]
		push	ebx

loc_50C5A3:				; CODE XREF: PspSendJobNotification(x,x,x,x)+4Ej
					; PspSendJobNotification(x,x,x,x)+53j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+arg_4], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_50C5A3
		cmp	edx, [ebp+arg_4]
		jnz	short loc_50C5A3
		mov	edi, [ebp+arg_0]
		pop	ebx

loc_50C5C9:				; CODE XREF: PspSendJobNotification(x,x,x,x)+2Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_PspSendJobNotification@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1210. KeProcessorGroupAffinity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeProcessorGroupAffinity(x,	x)
		public _KeProcessorGroupAffinity@8
_KeProcessorGroupAffinity@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		mov	ecx, [ebp+arg_4]
		inc	eax
		and	dword ptr [edx+4], 0
		and	dword ptr [edx+8], 0
		shl	eax, cl
		mov	[edx], eax
		pop	ebp
		retn	8
_KeProcessorGroupAffinity@8 endp


;  S U B	R O U T	I N E 


IopInterlockedAdd proc near		; CODE XREF: IopDropIrp+66p
					; IopCancelIrpsInFileObjectList+127p ...
		mov	edi, edi
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		push	esi
		push	edi
		mov	eax, [edx]

loc_50C5FF:				; CODE XREF: IopInterlockedAdd+21j
		mov	edi, eax
		mov	ecx, eax
		and	edi, 3
		and	ecx, 0FFFFFFFCh
		add	edi, ebx
		mov	esi, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		cmp	esi, eax
		jnz	short loc_50C5FF
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
IopInterlockedAdd endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1215. KeQueryActiveProcessorCount

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeQueryActiveProcessorCount
KeQueryActiveProcessorCount proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	sub_5D9F2D
		push	eax
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)

loc_50C638:				; CODE XREF: sub_5D9F2D+3Dj
		pop	ebp
		retn	4
KeQueryActiveProcessorCount endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIsPoolPteCommitInProgress(x, x)
_MiIsPoolPteCommitInProgress@8 proc near ; CODE	XREF: MiLinkPoolCommitChain+CAp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, ecx
		push	esi
		and	eax, 1
		xor	esi, esi
		or	eax, esi
		jz	short loc_50C657

loc_50C650:				; CODE XREF: MiIsPoolPteCommitInProgress(x,x)+24j
					; MiIsPoolPteCommitInProgress(x,x)+2Fj	...
		xor	eax, eax

loc_50C652:				; CODE XREF: MiIsPoolPteCommitInProgress(x,x)+3Dj
		pop	esi
		pop	ebp
		retn	8
; 

loc_50C657:				; CODE XREF: MiIsPoolPteCommitInProgress(x,x)+12j
		mov	eax, ecx
		and	eax, 400h
		or	eax, esi
		jnz	short loc_50C650
		mov	eax, ecx
		and	eax, 800h
		or	eax, esi
		jnz	short loc_50C650
		mov	edx, 3E0h
		and	ecx, edx
		cmp	ecx, edx
		jnz	short loc_50C650
		inc	eax
		jmp	short loc_50C652
_MiIsPoolPteCommitInProgress@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiTryToEndDpcProcessing(x, x)
_KiTryToEndDpcProcessing@8 proc	near	; CODE XREF: KiExecuteDpc(x)+AFp
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		inc	ebx
		push	esi
		xor	esi, esi
		mov	ax, bx
		lock cmpxchg [ecx], si
		cmp	ax, bx
		jnz	short loc_50C69E
		mov	dword ptr [edx+14h], 0
		mov	al, bl

loc_50C69B:				; CODE XREF: KiTryToEndDpcProcessing(x,x)+24j
		pop	esi
		pop	ebx
		retn
; 

loc_50C69E:				; CODE XREF: KiTryToEndDpcProcessing(x,x)+14j
		xor	al, al
		jmp	short loc_50C69B
_KiTryToEndDpcProcessing@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmQuerySystemMemoryInformation(x, x)
_MmQuerySystemMemoryInformation@8 proc near
					; CODE XREF: EtwpLogMemInfoTimerCallback(x,x)+25p
					; PfpPrivSourceEnum(x,x,x)+240p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, dword_6D35D4
		push	esi
		mov	[ebp+var_10], eax
		lea	esi, [ebp+var_10]
		mov	eax, dword_6CF344
		push	edi
		mov	[ebp+var_C], eax
		mov	edi, ecx
		mov	eax, dword_6D3620
		mov	[ebp+var_8], eax
		mov	eax, dword_6D5EFC
		mov	[ebp+var_4], eax
		xor	eax, eax
		movsd
		movsd
		movsd
		movsd
		pop	edi
		pop	esi
		leave
		retn
_MmQuerySystemMemoryInformation@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPerformSafePdeWrite proc near		; CODE XREF: MiMakeSystemAddressValid+464p
					; .text:00453130p ...

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005D9F6F SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_A4]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+arg_0]
		mov	eax, esi
		mov	ecx, [ebp+arg_8]
		mov	edi, edx
		shl	eax, 9
		add	esp, 0Ch
		add	eax, 40000000h
		and	edi, 1
		cmp	eax, offset loc_7FFFFF
		ja	loc_5D9F6F
		mov	ebx, [ebp+arg_4]
		mov	eax, edx
		and	eax, 2
		mov	[ebp+var_AC], ecx
		and	edx, 4
		mov	[ebp+var_B8], eax
		mov	[ebp+arg_0], edx
		mov	[ebp+var_A8], ebx

loc_50C74C:				; CODE XREF: MiPerformSafePdeWrite+BBj
					; MiPerformSafePdeWrite+C3j
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_B4], ecx
		test	edi, edi
		jz	short loc_50C75F
		or	ebx, 20h

loc_50C75F:				; CODE XREF: MiPerformSafePdeWrite+7Ej
		test	eax, eax
		jnz	short loc_50C7B2

loc_50C763:				; CODE XREF: MiPerformSafePdeWrite+DCj
		test	edx, edx
		jnz	short loc_50C7BA

loc_50C767:				; CODE XREF: MiPerformSafePdeWrite+E1j
		mov	eax, [ebp+var_A8]
		mov	edx, [ebp+var_AC]
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, eax
		mov	ecx, edx
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+var_B8]
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_AC], ecx
		cmp	ebx, [ebp+var_B0]
		jnz	short loc_50C74C
		cmp	ecx, [ebp+var_B4]
		jnz	short loc_50C74C

loc_50C7A1:				; CODE XREF: MiPerformSafePdeWrite+CD8B6j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_50C7B2:				; CODE XREF: MiPerformSafePdeWrite+85j
		or	ecx, 80000000h
		jmp	short loc_50C763
; 

loc_50C7BA:				; CODE XREF: MiPerformSafePdeWrite+89j
		or	ebx, 4
		jmp	short loc_50C767
MiPerformSafePdeWrite endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1254. KeReleaseInterruptSpinLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeReleaseInterruptSpinLock
KeReleaseInterruptSpinLock proc	near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005D9F97 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	byte ptr [eax+31h], 0
		jz	loc_5D9F97
		test	ds:byte_70EFC6,	1
		mov	eax, [eax+24h]
		jnz	loc_5D9FA8
		xor	ecx, ecx
		lock and [eax],	ecx

loc_50C7EB:				; CODE XREF: KeReleaseInterruptSpinLock+CD7EEj
		mov	cl, [ebp+arg_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebp
		retn	8
KeReleaseInterruptSpinLock endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1088. KeAcquireInterruptSpinLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeAcquireInterruptSpinLock
KeAcquireInterruptSpinLock proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D9FB7 SIZE 0000001F BYTES
; FUNCTION CHUNK AT 005D9FDA SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	cl, [esi+31h]
		test	cl, cl
		jz	loc_5D9FB7
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [esi+24h]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
KeAcquireInterruptSpinLock endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspLockUnlockProcessExclusive(x, x)
_PspLockUnlockProcessExclusive@8 proc near ; CODE XREF:	PAGE:007A7868p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		dec	word ptr [esi+13Ch]
		nop
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		add	ecx, 0E0h
		xor	edx, edx
		lock or	[eax], edx
		mov	eax, [ecx]
		test	al, 1
		jnz	short loc_50C85F

loc_50C855:				; CODE XREF: PspLockUnlockProcessExclusive(x,x)+38j
		mov	ecx, esi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi
		leave
		retn
; 

loc_50C85F:				; CODE XREF: PspLockUnlockProcessExclusive(x,x)+27j
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)
		jmp	short loc_50C855
_PspLockUnlockProcessExclusive@8 endp


;  S U B	R O U T	I N E 


; __stdcall KiDpcWatchdog(x, x,	x, x)
_KiDpcWatchdog@16 proc near		; DATA XREF: KiInitializeProcessor+55o
					; KiInitPrcb(x,x)+144o
		mov	ecx, large fs:20h
		cli
		and	dword ptr [ecx+3B0Ch], 0
		call	KiResetGlobalDpcWatchdogProfiler
		sti
		retn	10h
_KiDpcWatchdog@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiTestForAlertPending proc near		; CODE XREF: KiResumeThread+18Ap

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005D9FD6 SIZE 00000004 BYTES
; FUNCTION CHUNK AT 005D9FE4 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	dl, dl
		jnz	short loc_50C89A
		test	byte ptr [ecx+86h], 2
		jnz	loc_5D9FFB

loc_50C894:				; CODE XREF: KiTestForAlertPending+40j
					; KiTestForAlertPending+CD781j
		xor	eax, eax

loc_50C896:				; CODE XREF: KeAcquireInterruptSpinLock+CD7E1j
					; KiTestForAlertPending+CD78Cj
		pop	ebp
		retn	8
; 

loc_50C89A:				; CODE XREF: KiTestForAlertPending+7j
		mov	dl, [ebp+arg_0]
		movsx	eax, dl
		cmp	byte ptr [eax+ecx+56h],	0
		jnz	loc_5D9FC9
		test	dl, dl
		jz	short loc_50C8BA
		lea	eax, [ecx+78h]
		cmp	[eax], eax
		jnz	loc_5D9FE4

loc_50C8BA:				; CODE XREF: KiTestForAlertPending+2Fj
		cmp	byte ptr [ecx+56h], 0
		jz	short loc_50C894
		jmp	loc_5D9FF3
KiTestForAlertPending endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpJoinClassOfTrust(x, x, x)
_CmpJoinClassOfTrust@12	proc near	; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+D4p
					; CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+205p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	dl, [ebp+arg_0]
		mov	ecx, edi
		call	_CmpPerformTrustClassAccessCheck@8 ; CmpPerformTrustClassAccessCheck(x,x)
		test	eax, eax
		js	short loc_50C911
		test	byte ptr [edi+980h], 1
		jz	short loc_50C917
		call	_CmpLockHiveListExclusive@0 ; CmpLockHiveListExclusive()
		lea	ecx, [edi+984h]
		mov	edx, [ecx+4]
		lea	eax, [esi+984h]
		cmp	[edx], ecx
		jnz	short loc_50C920
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		call	_CmpUnlockHiveList@0 ; CmpUnlockHiveList()

loc_50C90F:				; CODE XREF: CmpJoinClassOfTrust(x,x,x)+58j
		xor	eax, eax

loc_50C911:				; CODE XREF: CmpJoinClassOfTrust(x,x,x)+17j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_50C917:				; CODE XREF: CmpJoinClassOfTrust(x,x,x)+20j
		and	dword ptr [esi+980h], 0FFFFFFFEh
		jmp	short loc_50C90F
; 

loc_50C920:				; CODE XREF: CmpJoinClassOfTrust(x,x,x)+38j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CmpJoinClassOfTrust@12	endp


;  S U B	R O U T	I N E 


; __stdcall CmpPerformTrustClassAccessCheck(x, x)
_CmpPerformTrustClassAccessCheck@8 proc	near ; CODE XREF: CmpJoinClassOfTrust(x,x,x)+10p
					; CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+10Fp
		test	dl, dl
		jnz	short loc_50C92D

loc_50C92A:				; CODE XREF: CmpPerformTrustClassAccessCheck(x,x)+Ej
		xor	eax, eax
		retn
; 

loc_50C92D:				; CODE XREF: CmpPerformTrustClassAccessCheck(x,x)+2j
		test	byte ptr [ecx+980h], 1
		jnz	short loc_50C92A
		mov	eax, 0C000000Dh
		retn
_CmpPerformTrustClassAccessCheck@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcMdlWriteComplete2 proc near		; CODE XREF: FsRtlMdlWriteCompleteDev(x,x,x,x)+14p
					; CcMdlWriteComplete(x,x,x)+42p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DA00F SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		and	[esp+3Ch+var_14], 0
		xor	eax, eax
		and	[esp+3Ch+var_10], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+48h+var_C]
		mov	[esp+48h+var_28], ecx
		stosd
		xor	ebx, ebx
		stosd
		stosd
		mov	eax, [ecx+14h]
		mov	edi, [ebp+arg_0]
		mov	esi, [eax+4]
		mov	eax, [edx]
		mov	[esp+48h+var_38], eax
		mov	[esp+48h+var_20], eax
		mov	eax, [edx+4]
		xor	edx, edx
		mov	[esp+48h+var_34], eax
		mov	[esp+48h+var_1C], eax
		mov	ax, [edi+6]
		and	ax, 2
		mov	[esp+48h+var_2C], esi
		movzx	ecx, ax
		mov	esi, edi
		mov	edi, [esp+48h+var_2C]
		inc	edx
		mov	[esp+48h+var_30], ecx

loc_50C99D:				; CODE XREF: CcMdlWriteComplete2+C1j
		mov	eax, [esi]
		mov	[esp+48h+var_24], eax
		test	cx, cx
		jz	short loc_50C9B1
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		xor	edx, edx
		inc	edx

loc_50C9B1:				; CODE XREF: CcMdlWriteComplete2+6Aj
		mov	ecx, [esp+4Ch+var_2C]
		mov	eax, [esi+14h]
		test	byte ptr [ecx+2Ch], 10h
		jnz	loc_5DA00F
		push	0
		push	eax
		lea	edx, [esp+54h+var_24]
		mov	ecx, edi
		call	CcSetDirtyInMask

loc_50C9D0:				; CODE XREF: CcMdlWriteComplete2+CD6ECj
					; CcMdlWriteComplete2+CD6F6j
		mov	ecx, [esp+54h+var_44]
		add	ecx, [esi+14h]
		mov	eax, [esp+54h+var_30]
		mov	esi, eax
		mov	[esp+54h+var_44], ecx
		mov	[esp+54h+var_2C], ecx
		mov	ecx, [esp+54h+var_40]
		adc	ecx, 0
		mov	[esp+54h+var_40], ecx
		mov	[esp+54h+var_28], ecx
		mov	ecx, [esp+54h+var_3C]
		push	1
		pop	edx
		test	eax, eax
		jnz	short loc_50C99D
		mov	edi, [ebp+arg_0]
		test	cx, cx
		jz	short loc_50CA63
		mov	ecx, [esp+54h+var_38]
		call	CcGetPartition
		lea	edx, [esp+54h+var_18]
		lea	ecx, [eax+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	ecx
		mov	ecx, [esp+58h+var_38]
		call	CcDecrementOpenCount
		test	ds:byte_70EFC6,	1
		jnz	loc_5DA037
		mov	eax, [esp+54h+var_18]
		test	eax, eax
		jnz	loc_5DA051
		mov	edx, [esp+54h+var_14]
		lea	eax, [esp+54h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+54h+var_18]
		cmp	eax, ecx
		jnz	loc_5DA048

loc_50CA59:				; CODE XREF: CcMdlWriteComplete2+CD707j
					; CcMdlWriteComplete2+CD726j
		mov	cl, byte ptr [esp+54h+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_50CA63:				; CODE XREF: CcMdlWriteComplete2+C9j
		test	ebx, ebx
		js	loc_5DA067

loc_50CA6B:				; CODE XREF: CcMdlWriteComplete2+13Bj
		mov	esi, [edi]
		push	edi
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_50CA6B
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
CcMdlWriteComplete2 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLazyFlushDpcRoutine proc near	; DATA XREF: CmpInitializeLazyWriters+55o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		lea	edi, [esi+58h]
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	eax, eax
		cmp	_CmpHoldLazyFlush, eax
		jnz	short loc_50CAC3
		push	eax
		push	eax
		lea	eax, [esi+48h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_50CAAB:				; CODE XREF: CmpLazyFlushDpcRoutine+47j
		test	ds:byte_70EFC6,	1
		jnz	loc_5DA079
		xor	eax, eax
		lock and [edi],	eax

loc_50CABD:				; CODE XREF: CcMdlWriteComplete2+CD747j
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_50CAC3:				; CODE XREF: CmpLazyFlushDpcRoutine+1Cj
		mov	[esi+60h], eax
		mov	[esi+64h], eax
		jmp	short loc_50CAAB
CmpLazyFlushDpcRoutine endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlpHpFixedHeapCreate(void *,int,int,int,int,char,int)
RtlpHpFixedHeapCreate proc near		; CODE XREF: RtlCreateHeap+C4p

var_68		= dword	ptr -68h
var_4C		= dword	ptr -4Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005DA0FE SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_14], edx
		push	7
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_C], esi
		lea	edi, [ebp+var_68]
		mov	[ebp+var_8], esi
		rep stosd
		push	7
		pop	ecx
		lea	edi, [ebp+var_4C]
		xor	ebx, ebx
		rep stosd
		test	edx, edx
		jz	sub_5DA088
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_50CC1F
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_50CC1F
		cmp	ecx, eax
		ja	loc_50CC1F

loc_50CB26:				; CODE XREF: sub_5DA088+61j
		test	edx, edx
		jz	loc_5DA0F1

loc_50CB2E:				; CODE XREF: sub_5DA088+71j
		shr	eax, 0Ch
		mov	edi, eax
		mov	[ebp+arg_0], eax
		shr	edi, 3
		add	edi, 3
		and	edi, 0FFFFFFFCh
		add	edi, 100h
		lea	eax, [edi+0FFFh]
		mov	[ebp+var_10], eax
		and	eax, 0FFFFF000h
		mov	[ebp+var_1C], eax
		cmp	ecx, eax
		jb	loc_5DA0FE

loc_50CB5E:				; CODE XREF: RtlpHpFixedHeapCreate+CD64Bj
		push	edi		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+var_14]
		add	esp, 0Ch
		test	ecx, ecx
		jz	short loc_50CB7A
		mov	eax, _RtlpHpHeapGlobals
		xor	eax, ecx
		mov	[esi+4], eax

loc_50CB7A:				; CODE XREF: RtlpHpFixedHeapCreate+A2j
		movzx	eax, [ebp+arg_C]
		mov	edi, [ebp+arg_8]
		and	eax, 1
		mov	[esi+14h], eax
		mov	eax, edi
		and	eax, 13000003h
		mov	[esi+10h], ebx
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[esi], eax
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_10]
		shr	eax, 0Ch
		push	eax
		mov	dword ptr [esi+8], 0CCDDCCDDh
		lea	eax, [ebp+var_18]
		push	ebx
		add	esi, 100h
		push	eax
		mov	[ebp+var_14], esi
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	eax, [ebp+var_C]
		and	edi, 8000000h
		mov	ecx, [ebp+arg_0]
		xor	esi, eax
		mov	edx, eax	; int
		mov	[ebp+var_30], offset RtlpHpFixedVsAllocate
		mov	[ebp+var_2C], offset RtlpHpFixedVsFree
		mov	[eax+24h], ecx
		lea	ecx, [ebp+var_10]
		push	ecx		; int
		push	edi		; int
		push	dword ptr [eax+14h] ; int
		lea	ecx, [ebp+var_30]
		mov	[eax+28h], esi
		push	ecx		; int
		lea	ecx, [eax+40h]	; void *
		mov	[ebp+var_28], offset _RtlpHpFixedVsCommit@12 ; RtlpHpFixedVsCommit(x,x,x)
		mov	[ebp+var_24], offset _xKdUnmapVirtualAddress@12	; xKdUnmapVirtualAddress(x,x,x)
		mov	[ebp+var_20], ebx
		mov	[ebp+var_10], ebx
		call	RtlpHpVsContextInitialize
		mov	ebx, [ebp+var_C]

loc_50CC0C:				; CODE XREF: RtlpHpFixedHeapCreate+155j
					; sub_5DA088+13j ...
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_50CC1F:				; CODE XREF: RtlpHpFixedHeapCreate+41j
					; RtlpHpFixedHeapCreate+4Cj ...
		xor	ebx, ebx
		jmp	short loc_50CC0C
RtlpHpFixedHeapCreate endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlpHpVsContextInitialize(void	*,int,int,int,int,int)
RtlpHpVsContextInitialize proc near	; CODE XREF: RtlpHpFixedHeapCreate+138p
					; RtlpHpHeapCreate+137p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005DA11C SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	0C0h		; size_t
		mov	ebx, ecx
		mov	esi, edx
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+arg_8]
		lea	edx, [ebx+84h]
		mov	[ebx+9Ch], eax
		add	esp, 0Ch
		mov	eax, ebx
		mov	edi, edx
		xor	eax, esi
		mov	esi, [ebp+arg_0]
		mov	[ebx+80h], eax
		mov	eax, [ebp+arg_C]
		push	5
		pop	ecx
		rep movsd
		mov	ecx, [ebp+arg_4]
		mov	[ebx+4], ecx
		mov	eax, [eax]
		mov	[ebx+98h], eax
		mov	eax, _RtlpHpHeapGlobals
		xor	eax, ebx
		xor	[edx], eax
		mov	eax, [edx+4]
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, ebx
		mov	[edx+4], eax
		mov	eax, [edx+8]
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, ebx
		mov	[edx+8], eax
		mov	eax, _RtlpHpHeapGlobals
		xor	eax, ebx
		xor	[edx+0Ch], eax
		mov	eax, [edx+10h]
		test	eax, eax
		jnz	loc_5DA11C

loc_50CCAE:				; CODE XREF: RtlpHpVsContextInitialize+CD503j
		xor	eax, eax
		test	[ebp+arg_8], 8000000h
		mov	[ebx], eax
		mov	[ebx+8], eax
		mov	[ebx+0Ch], eax
		jz	short loc_50CCC5
		mov	byte ptr [ebx+0Ch], 1

loc_50CCC5:				; CODE XREF: RtlpHpVsContextInitialize+9Bj
		mov	[ebx+14h], eax
		mov	[ebx+10h], eax
		pop	edi
		mov	[ebx+40h], eax
		pop	esi
		mov	[ebx+44h], eax
		pop	ebx
		pop	ebp
		retn	10h
RtlpHpVsContextInitialize endp


;  S U B	R O U T	I N E 


; __stdcall RtlpHpLegacyGetEnvHandle()
_RtlpHpLegacyGetEnvHandle@0 proc near	; CODE XREF: RtlCreateHeap:loc_7DDBC1p
		mov	eax, _RtlpHpLegacyEnvHandle
		mov	edx, dword_6BEC84
		retn
_RtlpHpLegacyGetEnvHandle@0 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpHpConvertCreationFlags(x, x)
_RtlpHpConvertCreationFlags@8 proc near	; CODE XREF: RtlCreateHeap+8Fp
		mov	edi, edi
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		push	esi
		mov	esi, edx
		and	esi, 1
		test	dl, 4
		jnz	short loc_50CD54

loc_50CCF6:				; CODE XREF: RtlpHpConvertCreationFlags(x,x)+76j
		test	dl, 8
		jz	short loc_50CCFE
		or	esi, 2

loc_50CCFE:				; CODE XREF: RtlpHpConvertCreationFlags(x,x)+15j
		bt	edx, 1Bh
		setnb	cl
		bt	ebx, 0Ch
		setnb	al
		test	cl, al
		jnz	short loc_50CD16
		or	esi, 20000000h

loc_50CD16:				; CODE XREF: RtlpHpConvertCreationFlags(x,x)+2Aj
		test	dl, 20h
		setz	cl
		test	bl, 10h
		setz	al
		test	cl, al
		jnz	short loc_50CD2C
		or	esi, 10000000h

loc_50CD2C:				; CODE XREF: RtlpHpConvertCreationFlags(x,x)+40j
		test	edx, 40000h
		jnz	short loc_50CD5C

loc_50CD34:				; CODE XREF: RtlpHpConvertCreationFlags(x,x)+7Ej
		test	dl, 10h
		jnz	short loc_50CD64

loc_50CD39:				; CODE XREF: RtlpHpConvertCreationFlags(x,x)+86j
		test	edx, 200h
		jz	short loc_50CD47
		or	esi, 8000000h

loc_50CD47:				; CODE XREF: RtlpHpConvertCreationFlags(x,x)+5Bj
		and	edx, 0F000h
		or	edx, esi
		pop	esi
		mov	eax, edx
		pop	ebx
		retn
; 

loc_50CD54:				; CODE XREF: RtlpHpConvertCreationFlags(x,x)+10j
		or	esi, 80000000h
		jmp	short loc_50CCF6
; 

loc_50CD5C:				; CODE XREF: RtlpHpConvertCreationFlags(x,x)+4Ej
		or	esi, 40000000h
		jmp	short loc_50CD34
; 

loc_50CD64:				; CODE XREF: RtlpHpConvertCreationFlags(x,x)+53j
		or	esi, 2000000h
		jmp	short loc_50CD39
_RtlpHpConvertCreationFlags@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWorkerFactoryDeferredThreadCreation()
_ExpWorkerFactoryDeferredThreadCreation@0 proc near
					; CODE XREF: ExpWorkerFactoryManagerThread:loc_56C733p

var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		mov	ecx, offset _ExpWorkerFactoryThreadCreationList
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		mov	_ExpWorkerFactoryThreadCreationState, 0
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_50CDC3
		push	esi

loc_50CD98:				; CODE XREF: ExpWorkerFactoryDeferredThreadCreation()+54j
		mov	esi, edi
		lea	edx, [ebp+var_C]
		mov	edi, [edi]
		mov	ecx, [esi+4]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		and	dword ptr [esi+68h], 0FFFFFFF7h
		lea	edx, [ebp+var_C]
		push	1
		mov	ecx, esi
		call	ExpWorkerFactoryCheckCreate
		mov	ecx, esi
		call	ObfDereferenceObject
		test	edi, edi
		jnz	short loc_50CD98
		pop	esi

loc_50CDC3:				; CODE XREF: ExpWorkerFactoryDeferredThreadCreation()+29j
		pop	edi
		leave
		retn
_ExpWorkerFactoryDeferredThreadCreation@0 endp


;  S U B	R O U T	I N E 


; __stdcall MmGetMaximumNonPagedPoolInBytes()
_MmGetMaximumNonPagedPoolInBytes@0 proc	near
					; CODE XREF: EtwpGetSystemMaximumBufferCount(x)+6Ap
					; ExEnableHandleTracing(x,x)+5Dp
		mov	eax, dword_6D35D8
		shl	eax, 0Ch
		retn
_MmGetMaximumNonPagedPoolInBytes@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDereferenceExtendInfo	proc near	; CODE XREF: MiDeleteVad(x,x,x)+1063p
					; MiMapViewOfDataSection+F92CBp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DA12C SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, large fs:124h
		and	[ebp+var_10], 0
		push	esi
		push	edi
		dec	word ptr [eax+13Eh]
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_1C], eax
		nop
		xor	edx, edx
		mov	ecx, offset dword_6CF3C8
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+44h]
		dec	dword ptr [eax+8]
		mov	eax, [esi+44h]
		cmp	dword ptr [eax+8], 0
		jnz	short loc_50CE17
		mov	[ebp+var_10], eax
		mov	eax, [edi]
		and	dword ptr [eax+18h], 0

loc_50CE17:				; CODE XREF: MiDereferenceExtendInfo+3Cj
		or	ecx, 0FFFFFFFFh
		mov	edx, offset dword_6CF3C8
		mov	[ebp+var_8], ecx
		mov	eax, ecx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_50CF6C

loc_50CE32:				; CODE XREF: MiDereferenceExtendInfo+1ABj
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	edx, 7FFFFFFCh
		jz	loc_50CF3C
		mov	esi, large fs:124h
		mov	eax, edx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_18], esi
		cmp	edx, offset dword_6CF3C8
		ja	short loc_50CE82
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_50CF57
		cmp	edx, offset dword_6CF3C8
		ja	short loc_50CE82
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_50CF57

loc_50CE82:				; CODE XREF: MiDereferenceExtendInfo+8Ej
					; MiDereferenceExtendInfo+A3j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	edx, offset dword_6CF3C8
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jz	loc_50CF80
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_50CFD3

loc_50CEC6:				; CODE XREF: MiDereferenceExtendInfo+20Bj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	loc_5DA141
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_50CF12:				; CODE XREF: MiDereferenceExtendInfo+1B8j
					; MiDereferenceExtendInfo+CD383j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_18], eax
		jnz	short loc_50CF8F

loc_50CF25:				; CODE XREF: MiDereferenceExtendInfo+1F8j
					; MiDereferenceExtendInfo+CD3A6j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_50CF3C
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_50CFE0

loc_50CF3C:				; CODE XREF: MiDereferenceExtendInfo+6Dj
					; MiDereferenceExtendInfo+15Ej	...
		mov	ecx, [ebp+var_1C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_10]
		pop	edi
		pop	esi
		test	eax, eax
		jz	short locret_50CF55
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_50CF55:				; CODE XREF: MiDereferenceExtendInfo+17Bj
		leave
		retn
; 

loc_50CF57:				; CODE XREF: MiDereferenceExtendInfo+97j
					; MiDereferenceExtendInfo+ACj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_8], eax
		jmp	loc_50CE82
; 

loc_50CF6C:				; CODE XREF: MiDereferenceExtendInfo+5Cj
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh
		mov	edx, offset dword_6CF3C8
		jmp	loc_50CE32
; 

loc_50CF80:				; CODE XREF: MiDereferenceExtendInfo+DEj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_50CF12
		jmp	loc_5DA12C
; 

loc_50CF8F:				; CODE XREF: MiDereferenceExtendInfo+153j
		test	edi, 8000h
		jz	short loc_50CFA0
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_50CFA0:				; CODE XREF: MiDereferenceExtendInfo+1C5j
		test	byte ptr [ebp+var_C+2],	1
		jnz	loc_5DA158

loc_50CFAA:				; CODE XREF: MiDereferenceExtendInfo+CD392j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_50CFBE
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_50CFBE:				; CODE XREF: MiDereferenceExtendInfo+1E1j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_50CF25
		jmp	loc_5DA167
; 

loc_50CFD3:				; CODE XREF: MiDereferenceExtendInfo+F0j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_14]
		jmp	loc_50CEC6
; 

loc_50CFE0:				; CODE XREF: MiDereferenceExtendInfo+166j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_50CF3C
MiDereferenceExtendInfo	endp

; 
		align 10h
; Exported entry 552. FsRtlInitializeLargeMcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlInitializeLargeMcb
FsRtlInitializeLargeMcb	proc near	; CODE XREF: FsRtlInitializeMcb(x,x)j

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DA17B SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		inc	edi
		push	edi
		push	[ebp+arg_4]
		lea	eax, [esi+4]
		push	eax
		call	FsRtlInitializeBaseMcbEx
		mov	ecx, offset _FsRtlFastMutexLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	[esi], eax
		test	eax, eax
		jz	loc_5DA17B
		xor	ecx, ecx
		mov	[eax], edi
		push	ecx
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		add	eax, 0Ch
		push	edi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
FsRtlInitializeLargeMcb	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDisksRegisteredForIdle proc near	; CODE XREF: NtPowerInformation+8E7p

; FUNCTION CHUNK AT 005DA19A SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr _PopSimulate, 2
		push	ebx
		jnz	short loc_50D092
		push	esi
		xor	bl, bl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopDopeGlobalLock
		mov	bh, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, _PopIdleDetectList
		mov	ecx, offset _PopIdleDetectList

loc_50D06A:				; CODE XREF: FsRtlInitializeLargeMcb+CD19Ej
		cmp	eax, ecx
		jnz	loc_5DA186

loc_50D072:				; CODE XREF: FsRtlInitializeLargeMcb+CD1A5j
		test	ds:byte_70EFC6,	1
		jnz	loc_5DA19A
		xor	eax, eax
		lock and [esi],	eax

loc_50D084:				; CODE XREF: PopDisksRegisteredForIdle+CD16Aj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi

loc_50D08D:				; CODE XREF: PopDisksRegisteredForIdle+5Aj
		mov	al, bl
		pop	ebx
		pop	ebp
		retn
; 

loc_50D092:				; CODE XREF: PopDisksRegisteredForIdle+Dj
		mov	bl, 1
		jmp	short loc_50D08D
PopDisksRegisteredForIdle endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1834. PsGetThreadTeb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetThreadTeb(x)
		public _PsGetThreadTeb@4
_PsGetThreadTeb@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0A8h]
		pop	ebp
		retn	4
_PsGetThreadTeb@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEventTraceFailedPerfCheckStart proc near ; CODE XREF: PpmCheckPeriodicStart(x,x,x,x)+4Bp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DA1A9 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PpmEtwRegistered, 0
		jz	short loc_50D0F0
		push	ebx
		push	esi
		mov	esi, dword_6BFD04
		mov	ebx, offset _PPM_ETW_PERF_CHECK_FAILED_START
		push	edi
		mov	edi, _PpmEtwHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5DA1A9

loc_50D0ED:				; CODE XREF: PpmEventTraceFailedPerfCheckStart+CD11Fj
		pop	edi
		pop	esi
		pop	ebx

loc_50D0F0:				; CODE XREF: PpmEventTraceFailedPerfCheckStart+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
PpmEventTraceFailedPerfCheckStart endp


;  S U B	R O U T	I N E 


; __stdcall RtlpHpSegHeapAddSegment(x, x)
_RtlpHpSegHeapAddSegment@8 proc	near	; CODE XREF: RtlpHpSegPageRangeAllocate+62Dp
					; RtlpHpSegContextReserve+8391Ap
		mov	eax, _RtlpHpHeapGlobals
		xor	eax, ecx
		xor	eax, edx
		xor	eax, 0A2E64EADh
		mov	[edx+8], eax
		lea	eax, [ecx+44h]
		push	esi
		mov	esi, [eax+4]
		cmp	[esi], eax
		jnz	short loc_50D129
		mov	[edx+4], esi
		mov	[edx], eax
		mov	[esi], edx
		mov	[eax+4], edx
		inc	dword ptr [ecx+4Ch]
		pop	esi
		retn
; 

loc_50D129:				; CODE XREF: RtlpHpSegHeapAddSegment(x,x)+1Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_RtlpHpSegHeapAddSegment@8 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition proc near
					; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmUpdateMemoryConditions(SMKM_STORE_MGR<SM_TRAITS> *,_SMP_MEMORY_CONDITION,ulong)+23p

var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DA1D2 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_10], ebx
		push	esi
		push	edi
		cmp	edx, 4
		jnz	short loc_50D1A9
		push	7
		pop	edi

loc_50D146:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+82j
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		cmp	[ebp+arg_0], 0
		mov	esi, eax
		jnz	short loc_50D189

loc_50D158:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+6Fj
		xor	esi, esi
		inc	esi

loc_50D15B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+79j
		mov	[ebp+var_4], esi

loc_50D15E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+74j
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	byte ptr [ebp+arg_0+3],	al
		cmp	[ebx+4Ch], edi
		jnz	loc_5DA1EF

loc_50D170:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+CD0CBj
					; SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+CD0EAj
		push	ebx
		mov	[ebx+34h], esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_50D189:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+28j
		cmp	edi, 7
		jg	loc_5DA1D2
		imul	esi, 3

loc_50D195:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+CD0B3j
		shr	esi, 2

loc_50D198:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+CD0ABj
					; SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+CD0BCj
		mov	[ebp+var_4], esi
		test	esi, esi
		jz	short loc_50D158
		cmp	esi, 10h
		jb	short loc_50D15E
		push	10h
		pop	esi
		jmp	short loc_50D15B
; 

loc_50D1A9:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+13j
		mov	edi, ds:?PriorityByMemoryCondition@?1??SmStGetPriorityByMemoryCondition@?$SMKM_STORE@USM_TRAITS@@@@SGJW4_SMP_MEMORY_CONDITION@@J@Z@4PAJA[edx*4]	; long * `SMKM_STORE<SM_TRAITS>::SmStGetPriorityByMemoryCondition(_SMP_MEMORY_CONDITION,long)'::`2'::PriorityByMemoryCondition
		jmp	short loc_50D146
SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition endp


;  S U B	R O U T	I N E 


; __stdcall KiAbThreadUnboostIoPriority(x, x)
_KiAbThreadUnboostIoPriority@8 proc near ; CODE	XREF: PspStorageEmptyArrayNonReadonly+2E1p
					; PspStorageEmptyArrayNonReadonly+35Ap	...
		xor	eax, eax
		test	edx, edx
		setnz	al
		lea	eax, ds:218h[eax*4]
		add	eax, ecx
		lock dec dword ptr [eax]
		test	edx, edx
		jnz	short loc_50D1D3
		push	edx
		push	edx
		mov	dl, 1
		call	PsBoostThreadIoEx
		retn
; 

loc_50D1D3:				; CODE XREF: KiAbThreadUnboostIoPriority(x,x)+15j
		lock dec dword ptr [ecx+330h]
		retn
_KiAbThreadUnboostIoPriority@8 endp

; 
		align 10h
; Exported entry 303. EtwpReenableStackWalkApc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpReenableStackWalkApc(x)
		public _EtwpReenableStackWalkApc@4
_EtwpReenableStackWalkApc@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		mov	esi, [ebp+arg_0]
		shl	esi, 18h
		push	edi
		lea	edi, [eax+5Ch]
		or	esi, 0FFFFFFh

loc_50D1FC:				; CODE XREF: EtwpReenableStackWalkApc(x)+2Aj
		mov	edx, [edi]
		mov	ecx, esi
		and	ecx, edx
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_50D1FC
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_EtwpReenableStackWalkApc@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiRemoveEntryTimer proc	near		; CODE XREF: KiInsertTimerTable+281p
					; KiAdjustTimerDueTimes+99p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DA21D SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [edx+18h]
		imul	ebx, esi, 18h
		mov	edx, [edi]
		mov	eax, [edi+4]
		cmp	[edx+4], edi
		jnz	short loc_50D272
		cmp	[eax], edi
		jnz	short loc_50D272
		mov	[eax], edx
		mov	[edx+4], eax
		cmp	eax, edx
		jnz	short loc_50D26B
		or	dword ptr [ebx+ecx+54h], 0FFFFFFFFh
		cmp	ds:_KiSerializeTimerExpiration,	0
		movzx	eax, byte ptr [ecx-1E9Bh]
		mov	eax, ds:dword_70E644[eax*8]
		jz	loc_5DA21D
		mov	ecx, esi
		shr	esi, 5
		and	ecx, 1Fh
		shl	esi, 2

loc_50D265:				; CODE XREF: KiRemoveEntryTimer+CD015j
		add	eax, esi
		lock btr [eax],	ecx

loc_50D26B:				; CODE XREF: KiRemoveEntryTimer+26j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_50D272:				; CODE XREF: KiRemoveEntryTimer+19j
					; KiRemoveEntryTimer+1Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
KiRemoveEntryTimer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFlowThroughInsertNode(x, x)
_MiFlowThroughInsertNode@8 proc	near	; CODE XREF: MiFinishMdlForMappedFileFault(x,x,x,x,x)+271p
					; MiResolvePageFileFault+1005p	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, edx
		push	ebx
		push	esi
		mov	[ebp+var_14], eax
		mov	esi, [eax+8]
		mov	ebx, [eax+0Ch]
		mov	eax, esi
		and	eax, 400h
		mov	[ebp+var_10], esi
		or	eax, 0
		mov	[ebp+var_C], ebx
		push	edi
		mov	edi, ecx
		jz	short loc_50D2DB
		and	dword ptr [edi+0CCh], 0

loc_50D2A9:				; CODE XREF: MiFlowThroughInsertNode(x,x)+F4j
		mov	edx, [ebp+var_14]
		lea	eax, [edi+8]
		or	dword ptr [edi+78h], 10h
		mov	edx, [edx]
		sub	edx, 10h
		lea	ecx, [edx+8]
		mov	esi, [ecx+4]
		cmp	[esi], ecx
		jnz	loc_50D371
		mov	[eax+4], esi
		mov	[eax], ecx
		mov	[esi], eax
		mov	[ecx+4], eax
		mov	[edi+0C8h], edx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_50D2DB:				; CODE XREF: MiFlowThroughInsertNode(x,x)+28j
		lea	ecx, [ebp+var_10]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		shrd	esi, ebx, 0Ch
		and	esi, 0Fh
		mov	esi, dword_6D5D94[esi*4]
		mov	[edi+0CCh], esi
		mov	[edi+0D0h], eax
		lea	ebx, [esi+88h]
		push	ebx
		call	ExAcquireSpinLockExclusive
		lea	ecx, [esi+8Ch]
		mov	[ebp+var_1], al
		mov	[ebp+var_C], ecx
		lea	edx, [edi+0D4h]
		mov	ecx, [ecx]
		mov	byte ptr [ebp+var_5], 0
		test	ecx, ecx
		jz	short loc_50D350
		mov	esi, [edx-4]

loc_50D328:				; CODE XREF: MiFlowThroughInsertNode(x,x)+BFj
		cmp	esi, [ecx-4]
		ja	short loc_50D339
		jnb	short loc_50D346

loc_50D32F:				; CODE XREF: MiFlowThroughInsertNode(x,x)+D0j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_50D34C

loc_50D335:				; CODE XREF: MiFlowThroughInsertNode(x,x)+C6j
		mov	ecx, eax
		jmp	short loc_50D328
; 

loc_50D339:				; CODE XREF: MiFlowThroughInsertNode(x,x)+B3j
					; MiFlowThroughInsertNode(x,x)+D2j
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_50D335
		mov	byte ptr [ebp+var_5], 1
		jmp	short loc_50D350
; 

loc_50D346:				; CODE XREF: MiFlowThroughInsertNode(x,x)+B5j
		cmp	edx, ecx
		jbe	short loc_50D32F
		jmp	short loc_50D339
; 

loc_50D34C:				; CODE XREF: MiFlowThroughInsertNode(x,x)+BBj
		mov	byte ptr [ebp+var_5], 0

loc_50D350:				; CODE XREF: MiFlowThroughInsertNode(x,x)+ABj
					; MiFlowThroughInsertNode(x,x)+CCj
		push	edx
		push	[ebp+var_5]
		push	ecx
		push	[ebp+var_C]
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_50D2A9
; 

loc_50D371:				; CODE XREF: MiFlowThroughInsertNode(x,x)+48j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_MiFlowThroughInsertNode@8 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmHighMemPriorityTimerStart(struct SMKM_STORE_MGR<struct SM_TRAITS> *)
?SmHighMemPriorityTimerStart@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+27Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		lea	edx, [ecx+460h]
		sub	esp, 10h
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_50D38C

locret_50D38A:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmHighMemPriorityTimerStart(SMKM_STORE_MGR<SM_TRAITS> *)+1Dj
		leave
		retn
; 

loc_50D38C:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmHighMemPriorityTimerStart(SMKM_STORE_MGR<SM_TRAITS> *)+12j
		xor	eax, eax
		inc	eax
		xchg	eax, [edx]
		test	eax, eax
		jnz	short locret_50D38A
		or	[ebp+var_8], 0FFFFFFFFh
		lea	eax, [ebp+var_10]
		or	[ebp+var_4], 0FFFFFFFFh
		xor	edx, edx
		push	eax
		push	edx
		push	0B2D05E00h
		push	0FFFFFFFFh
		push	4D2FA200h
		lea	eax, [ecx+3F8h]
		mov	[ebp+var_10], edx
		push	eax
		mov	[ebp+var_C], edx
		call	KeSetTimer2
		leave
		retn
?SmHighMemPriorityTimerStart@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread proc near
					; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxStart(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,ulong)+2Ap
					; SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxStart(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT	*,SMKM_STORE_MGR<SM_TRAITS> *,ulong)+3Ep ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DA22C SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_14], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, edx
		mov	edx, ebx
		call	SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThreadParams
		mov	esi, eax
		test	esi, esi
		jz	loc_5DA22C
		mov	[esi+4], edi
		test	ebx, ebx
		jz	short loc_50D46D
		push	0
		push	0
		lea	eax, [esp+28h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+20h+var_10]
		mov	[esi+8], eax
		mov	eax, offset SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxWorkerThread

loc_50D40D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread+AEj
		push	esi
		push	eax
		push	0
		push	dword ptr [edi+46Ch]
		lea	eax, [esp+30h+var_14]
		push	0
		push	1FFFFFh
		push	eax
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_50D448
		test	ebx, ebx
		jz	short loc_50D444
		push	0
		push	0
		push	0
		push	1Ah
		lea	eax, [esp+30h+var_10]
		push	eax
		call	KeWaitForSingleObject

loc_50D444:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread+6Cj
		xor	esi, esi
		xor	edi, edi

loc_50D448:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread+68j
		test	esi, esi
		jnz	loc_5DA236

loc_50D450:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread+CCE6Dj
					; SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread+CCE84j
		cmp	[esp+20h+var_14], 0
		jz	short loc_50D462
		push	0
		push	[esp+24h+var_14]
		call	ObCloseHandle

loc_50D462:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread+91j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_50D46D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread+2Dj
		mov	eax, offset SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxBalancerThread
		jmp	short loc_50D40D
SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThreadParams proc	near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread+19p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DA24D SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		push	edi
		lea	eax, [ebx+48h]
		mov	[ebp+var_4], esi
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		movzx	edi, al
		test	al, al
		jz	short loc_50D4F0
		push	14h
		pop	eax
		test	esi, esi
		jz	short loc_50D4A8
		mov	eax, [ebx+50h]
		add	eax, 1014h

loc_50D4A8:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThreadParams+2Aj
		push	74436D73h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_50D4F4
		xor	edi, edi
		mov	[esi+4], edi
		mov	[esi+8], edi
		mov	[esi+0Ch], edi
		mov	[esi+10h], edi
		mov	[esi], ebx
		cmp	[ebp+var_4], edi
		jz	short loc_50D4E1
		lea	ecx, [esi+14h]
		mov	[esi+0Ch], ecx
		mov	eax, [ebx+50h]
		add	eax, ecx
		mov	[esi+10h], eax

loc_50D4E1:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThreadParams+5Dj
					; SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThreadParams+82j
		test	edi, edi
		jnz	loc_5DA24D

loc_50D4E9:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThreadParams+7Ej
					; SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThreadParams+CCDE1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_50D4F0:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThreadParams+23j
		xor	esi, esi
		jmp	short loc_50D4E9
; 

loc_50D4F4:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThreadParams+48j
		xor	esi, esi
		jmp	short loc_50D4E1
SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThreadParams endp


;  S U B	R O U T	I N E 


; __stdcall _MapCmDevicePropertyToRegType(x)
__MapCmDevicePropertyToRegType@4 proc near ; CODE XREF:	_CmGetDeviceRegPropWorker+23Bp
					; _CmSetDeviceRegPropWorker+72p
		mov	edi, edi
		dec	ecx
		cmp	ecx, 24h
		ja	short loc_50D51E
		movzx	eax, ds:byte_50D538[ecx]
		jmp	ds:off_50D524[eax*4]

loc_50D50E:				; DATA XREF: .text:0050D52Co
		push	4
		pop	eax
		retn
; 

loc_50D512:				; CODE XREF: _MapCmDevicePropertyToRegType(x)+Fj
					; DATA XREF: .text:off_50D524o
		xor	eax, eax
		inc	eax
		retn
; 

loc_50D516:				; CODE XREF: _MapCmDevicePropertyToRegType(x)+Fj
					; DATA XREF: .text:0050D528o
		push	7
		pop	eax
		retn
; 

loc_50D51A:				; CODE XREF: _MapCmDevicePropertyToRegType(x)+Fj
					; DATA XREF: .text:0050D530o
		push	3
		pop	eax
		retn
; 

loc_50D51E:				; CODE XREF: _MapCmDevicePropertyToRegType(x)+6j
					; _MapCmDevicePropertyToRegType(x)+Fj
					; DATA XREF: ...
		xor	eax, eax
		retn
__MapCmDevicePropertyToRegType@4 endp

; 
		align 4
off_50D524	dd offset loc_50D512	; DATA XREF: _MapCmDevicePropertyToRegType(x)+Fr
		dd offset loc_50D516
		dd offset loc_50D50E
		dd offset loc_50D51A
		dd offset loc_50D51E
byte_50D538	db 0			; DATA XREF: _MapCmDevicePropertyToRegType(x)+8r
		db 2 dup(1), 4
		dd 40400h, 20000h, 2000000h, 3010102h, 3040202h, 2020204h
		dd 2030002h, 1020202h
; 
		add	ah, cl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetJobFreezeCountCallback(x, x)
_PspSetJobFreezeCountCallback@8	proc near ; DATA XREF: PspFreezeJobTree+115o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	eax, [edx]
		test	byte ptr [eax],	1
		jz	short loc_50D586
		mov	esi, [ecx+194h]
		cmp	byte ptr [eax+4], 0
		lea	eax, [esi+1]
		jz	short loc_50D5B3

loc_50D580:				; CODE XREF: PspSetJobFreezeCountCallback(x,x)+58j
		mov	[ecx+194h], eax

loc_50D586:				; CODE XREF: PspSetJobFreezeCountCallback(x,x)+11j
		mov	eax, [edx]
		test	byte ptr [eax],	4
		jnz	short loc_50D59C

loc_50D58D:				; CODE XREF: PspSetJobFreezeCountCallback(x,x)+53j
		call	_PspComputeExecutionState@4 ; PspComputeExecutionState(x)
		mov	[edx+4], eax
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	8
; 

loc_50D59C:				; CODE XREF: PspSetJobFreezeCountCallback(x,x)+2Dj
		mov	esi, [ecx+19Ch]
		cmp	byte ptr [eax+5], 0
		lea	eax, [esi+1]
		jz	short loc_50D5B8

loc_50D5AB:				; CODE XREF: PspSetJobFreezeCountCallback(x,x)+5Dj
		mov	[ecx+19Ch], eax
		jmp	short loc_50D58D
; 

loc_50D5B3:				; CODE XREF: PspSetJobFreezeCountCallback(x,x)+20j
		lea	eax, [esi-1]
		jmp	short loc_50D580
; 

loc_50D5B8:				; CODE XREF: PspSetJobFreezeCountCallback(x,x)+4Bj
		lea	eax, [esi-1]
		jmp	short loc_50D5AB
_PspSetJobFreezeCountCallback@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KeSetDisableQuantumThread(x, x)
_KeSetDisableQuantumThread@8 proc near	; CODE XREF: KeSetDisableQuantumProcess(x,x)+63p
		add	ecx, 5Ch
		test	edx, edx
		jnz	short loc_50D5D1
		lock btr dword ptr [ecx], 8

loc_50D5CA:				; CODE XREF: KeSetDisableQuantumThread(x,x)+18j
		setb	al
		movzx	eax, al
		retn
; 

loc_50D5D1:				; CODE XREF: KeSetDisableQuantumThread(x,x)+5j
		lock bts dword ptr [ecx], 8
		jmp	short loc_50D5CA
_KeSetDisableQuantumThread@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 302. EtwpDisableStackWalkApc

;  S U B	R O U T	I N E 


; __stdcall EtwpDisableStackWalkApc()
		public _EtwpDisableStackWalkApc@0
_EtwpDisableStackWalkApc@0 proc	near
		mov	eax, large fs:124h
		push	esi
		lea	esi, [eax+5Ch]

loc_50D5E8:				; CODE XREF: EtwpDisableStackWalkApc()+1Cj
		mov	edx, [esi]
		mov	ecx, edx
		or	ecx, 0FF000000h
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_50D5E8
		shr	edx, 18h
		mov	eax, edx
		pop	esi
		retn
_EtwpDisableStackWalkApc@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiIncrementPageTableLockCheckWrap(x)
_MiIncrementPageTableLockCheckWrap@4 proc near ; CODE XREF: MiLockPageTablePage(x,x)+1D6p
		mov	eax, [ecx+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 3FFEFDFFh
		jnb	short loc_50D621
		mov	edx, 10000h
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		xor	eax, eax
		inc	eax
		retn
; 

loc_50D621:				; CODE XREF: MiIncrementPageTableLockCheckWrap(x)+Dj
		xor	eax, eax
		retn
_MiIncrementPageTableLockCheckWrap@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1816. PsGetProcessStartKey

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessStartKey(x)
		public _PsGetProcessStartKey@4
_PsGetProcessStartKey@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	edx, ds:0FFDF02C4h
		shl	edx, 10h
		or	eax, [ecx+3E8h]
		or	edx, [ecx+3ECh]
		pop	ebp
		retn	4
_PsGetProcessStartKey@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiCheckAndRearmForceIdle proc near	; CODE XREF: KiTimer2Expiration:loc_4D80A1p
					; KiCallInterruptServiceRoutine:loc_5CB766p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DA25A SIZE 00000062 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		cmp	ds:_KiForceIdleDisabled, esi
		jnz	short loc_50D69A
		push	edi
		cli
		mov	[ebp+var_4], esi
		mov	edi, offset _KiForceIdleLock

loc_50D671:				; CODE XREF: KiCheckAndRearmForceIdle+CCC1Dj
		lock bts dword ptr [edi], 0
		jb	loc_5DA25A
		mov	eax, _KiForceIdleState
		cmp	eax, 1
		jz	loc_5DA270
		cmp	eax, 2
		jz	loc_5DA28F

loc_50D693:				; CODE XREF: KiCheckAndRearmForceIdle+CCC69j
		xor	eax, eax
		lock and [edi],	eax
		sti
		pop	edi

loc_50D69A:				; CODE XREF: KiCheckAndRearmForceIdle+17j
		pop	esi
		leave
		retn
KiCheckAndRearmForceIdle endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetProcessCacheIsolationCallback(x, x)
_PspSetProcessCacheIsolationCallback@8 proc near ; DATA	XREF: sub_759647+779o
					; sub_759647+837o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+0FCh]
		test	eax, 40000008h
		jz	short loc_50D6B9

loc_50D6B3:				; CODE XREF: PspSetProcessCacheIsolationCallback(x,x)+22j
					; PspSetProcessCacheIsolationCallback(x,x)+34j	...
		xor	eax, eax
		pop	ebp
		retn	8
; 

loc_50D6B9:				; CODE XREF: PspSetProcessCacheIsolationCallback(x,x)+13j
		test	byte ptr [ecx+0F8h], 1
		jnz	short loc_50D6B3
		mov	eax, [ebp+arg_4]
		add	ecx, 64h
		cmp	byte ptr [eax],	0
		jnz	short loc_50D6D4
		lock btr dword ptr [ecx], 6
		jmp	short loc_50D6B3
; 

loc_50D6D4:				; CODE XREF: PspSetProcessCacheIsolationCallback(x,x)+2Dj
		lock bts dword ptr [ecx], 6
		jmp	short loc_50D6B3
_PspSetProcessCacheIsolationCallback@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlIsSandboxedTokenHandle proc near	; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2EE6p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_7		= byte ptr -7
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DA2BC SIZE 000000C3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[esp+50h+var_3C], edx
		push	esi
		push	edi
		lea	edi, [esp+58h+var_20]
		mov	esi, ecx
		stosd
		xor	ebx, ebx
		push	6
		pop	ecx
		mov	[esp+58h+var_48], ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+58h+var_38]
		rep stosd
		lea	edi, [esp+58h+var_10]
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		mov	[esp+58h+var_40], eax
		test	esi, esi
		jnz	loc_5DA2BC

loc_50D72C:				; CODE XREF: RtlIsSandboxedTokenHandle+CCC83j
		push	[esp+58h+var_3C]
		push	ebx
		call	RtlIsSandboxedToken
		mov	byte ptr [esp+58h+var_40], al
		test	ebx, ebx
		jnz	loc_5DA364

loc_50D742:				; CODE XREF: RtlIsSandboxedTokenHandle+CCC31j
					; RtlIsSandboxedTokenHandle+CCC75j ...
		cmp	[esp+58h+var_48], 0
		jnz	loc_5DA371

loc_50D74D:				; CODE XREF: RtlIsSandboxedTokenHandle+CCC9Ej
		mov	ecx, [esp+58h+var_4]
		mov	al, byte ptr [esp+58h+var_40]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
RtlIsSandboxedTokenHandle endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpMemoryRangesQuery proc near		; CODE XREF: PAGE:0077D3E4p

var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DA37F SIZE 00000039 BYTES

		push	3Ch
		push	offset dword_6A4428
		call	__SEH_prolog4
		mov	[ebp+var_24], ecx
		xor	edi, edi
		mov	ebx, edi
		mov	eax, edi
		mov	esi, [ecx+0Ch]
		mov	[ebp+ms_exc.disabled], edi
		test	dl, dl
		jz	short loc_50D790
		push	4
		push	dword ptr [ecx+10h]
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	eax, edi

loc_50D790:				; CODE XREF: PfpMemoryRangesQuery+1Dj
		cmp	dword ptr [esi], 2
		jnz	loc_5DA37F
		mov	ecx, [esi+4]
		push	0FFFFFFFEh
		pop	edx
		test	ecx, edx
		jnz	loc_5DA393
		test	cl, 1
		jnz	loc_5DA3A3

loc_50D7B0:				; CODE XREF: PfpMemoryRangesQuery+CCC45j
		mov	[ebp+ms_exc.disabled], edx
		push	eax
		push	edi
		call	MmGetPhysicalMemoryRangesEx2
		mov	ebx, eax
		mov	[ebp+var_20], ebx
		test	ebx, ebx
		jz	loc_5DA3AE
		mov	ecx, ebx

loc_50D7C9:				; CODE XREF: PfpMemoryRangesQuery+74j
		cmp	[ecx+0Ch], edi
		jl	short loc_50D7DA
		jg	short loc_50D7D5
		cmp	[ecx+8], edi
		jbe	short loc_50D7DA

loc_50D7D5:				; CODE XREF: PfpMemoryRangesQuery+6Aj
		add	ecx, 10h
		jmp	short loc_50D7C9
; 

loc_50D7DA:				; CODE XREF: PfpMemoryRangesQuery+68j
					; PfpMemoryRangesQuery+6Fj
		sub	ecx, ebx
		sar	ecx, 4
		mov	[ebp+var_30], ecx
		mov	eax, ecx
		push	8
		pop	edx
		mul	edx
		mov	esi, eax
		add	esi, 0Ch
		mov	[ebp+var_28], esi
		adc	edx, edi
		mov	[ebp+var_44], edx
		jnz	loc_5DA3AE
		cmp	esi, 0FFFFFFFFh
		ja	loc_5DA3AE
		mov	eax, [ebp+var_24]
		cmp	[eax+10h], esi
		jb	short loc_50D86A
		mov	eax, [eax+0Ch]
		mov	[ebp+var_24], eax
		mov	[ebp+ms_exc.disabled], 1
		mov	[eax+8], ecx
		nop
		mov	edx, edi

loc_50D820:				; CODE XREF: PfpMemoryRangesQuery+104j
		mov	[ebp+var_1C], edx
		cmp	edx, ecx
		jnb	short loc_50D896
		mov	esi, edx
		add	esi, esi
		push	edi
		push	1000h
		push	dword ptr [ebx+esi*8+4]
		push	dword ptr [ebx+esi*8]
		call	__alldiv
		mov	ecx, [ebp+var_1C]
		mov	edx, [ebp+var_24]
		mov	[edx+ecx*8+0Ch], eax
		push	edi
		push	1000h
		push	dword ptr [ebx+esi*8+0Ch]
		push	dword ptr [ebx+esi*8+8]
		call	__alldiv
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_24]
		mov	[ecx+edx*8+10h], eax
		inc	edx
		mov	ecx, [ebp+var_30]
		jmp	short loc_50D820
; 

loc_50D86A:				; CODE XREF: PfpMemoryRangesQuery+A7j
		mov	esi, 0C0000023h
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_28]
		mov	[eax], ecx

loc_50D877:				; CODE XREF: PfpMemoryRangesQuery+143j
					; PfpMemoryRangesQuery+CCC2Aj ...
		test	ebx, ebx
		jz	short loc_50D882
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_50D882:				; CODE XREF: PfpMemoryRangesQuery+115j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_50D896:				; CODE XREF: PfpMemoryRangesQuery+C1j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_28]
		mov	[eax], ecx
		mov	esi, edi
		jmp	short loc_50D877
PfpMemoryRangesQuery endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiDereferencePageRuns(x)
_MiDereferencePageRuns@4 proc near	; CODE XREF: MiGetPhysicalMemoryRanges+D4p
					; MiComputeNodeMemory+16Ap ...
		mov	edi, edi
		push	ecx
		xor	edx, edx
		inc	edx
		call	MiDereferencePageRunsEx
		pop	ecx
		retn
_MiDereferencePageRuns@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1024. IoUninitializeWorkItem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoUninitializeWorkItem
IoUninitializeWorkItem proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DA404 SIZE 00000092 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		cmp	dword ptr [ecx], 0
		jnz	loc_5DA404
		pop	ebp
		retn	4
IoUninitializeWorkItem endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRemoveSecurityCellList(x, x)
_CmpRemoveSecurityCellList@8 proc near	; CODE XREF: CmpDereferenceSecurityNode(x,x)+45p
					; CmpFreeSecurityDescriptor(x,x)+80p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		or	[ebp+var_18], 0FFFFFFFFh
		mov	eax, edx
		or	[ebp+var_20], 0FFFFFFFFh
		or	[ebp+var_10], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], eax
		xor	ecx, ecx
		push	edi
		mov	[ebp+var_14], ecx
		mov	ebx, ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	loc_50D994
		mov	eax, [edi+4]
		lea	ecx, [ebp+var_18]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_50D96E
		mov	eax, [edi+8]
		lea	ecx, [ebp+var_20]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_50D96E
		mov	eax, [ebp+var_4]
		mov	ecx, [edi+8]
		mov	[eax+8], ecx
		lea	eax, [ebp+var_18]
		mov	ecx, [edi+4]
		push	eax
		push	esi
		mov	[ebx+4], ecx
		call	dword ptr [esi+8]
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		and	[ebp+var_4], 0
		xor	ebx, ebx
		xor	edi, edi
		call	_CmpRemoveFromSecurityCache@8 ;	CmpRemoveFromSecurityCache(x,x)

loc_50D96E:				; CODE XREF: CmpRemoveSecurityCellList(x,x)+4Fj
					; CmpRemoveSecurityCellList(x,x)+61j
		test	edi, edi
		jz	short loc_50D97A
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_50D97A:				; CODE XREF: CmpRemoveSecurityCellList(x,x)+9Ej
		cmp	[ebp+var_4], 0
		jz	short loc_50D988
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_50D988:				; CODE XREF: CmpRemoveSecurityCellList(x,x)+ACj
		test	ebx, ebx
		jz	short loc_50D994
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_50D994:				; CODE XREF: CmpRemoveSecurityCellList(x,x)+38j
					; CmpRemoveSecurityCellList(x,x)+B8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpRemoveSecurityCellList@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiDetermineModifiedPageListHead(x, x)
_MiDetermineModifiedPageListHead@8 proc	near
					; CODE XREF: MiReplaceTransitionPage(x,x,x,x)+202p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	edx, [ecx+8]
		mov	ecx, [ecx+0Ch]
		mov	esi, edx
		mov	eax, ecx
		shrd	esi, eax, 0Ch
		shrd	edx, ecx, 1
		and	esi, 0Fh
		test	dl, 1
		jnz	short loc_50D9CA
		cmp	esi, [edi+2BCh]
		jz	short loc_50D9CA
		lea	eax, [edi+700h]
		jmp	short loc_50D9D4
; 

loc_50D9CA:				; CODE XREF: MiDetermineModifiedPageListHead(x,x)+1Ej
					; MiDetermineModifiedPageListHead(x,x)+26j
		imul	eax, esi, 14h
		add	eax, 740h
		add	eax, edi

loc_50D9D4:				; CODE XREF: MiDetermineModifiedPageListHead(x,x)+2Ej
		pop	edi
		pop	esi
		retn
_MiDetermineModifiedPageListHead@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1798. PsGetProcessExitProcessCalled

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessExitProcessCalled(x)
		public _PsGetProcessExitProcessCalled@4
_PsGetProcessExitProcessCalled@4 proc near ; CODE XREF:	VerifierMmUnmapLockedPages(x,x)+B2p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0FCh]
		shr	eax, 2
		and	al, 1
		pop	ebp
		retn	4
_PsGetProcessExitProcessCalled@4 endp

; 
		align 8
; Exported entry 588. FsRtlLookupPerFileContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlLookupPerFileContext
FsRtlLookupPerFileContext proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [eax]
		test	edi, edi
		jnz	loc_5DA418

loc_50DA0C:				; CODE XREF: IoUninitializeWorkItem+CCB61j
		xor	eax, eax

loc_50DA0E:				; CODE XREF: IoUninitializeWorkItem+CCBC8j
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
FsRtlLookupPerFileContext endp


;  S U B	R O U T	I N E 


; __stdcall OBJECT_HEADER_TO_PROCESS_INFO(x)
_OBJECT_HEADER_TO_PROCESS_INFO@4 proc near ; CODE XREF:	ObpIncrementHandleCountEx+4CCp
					; ObpIncrementHandleCountEx+4F8p ...
		mov	al, [ecx+0Eh]
		test	al, 10h
		jz	short loc_50DA2D
		movzx	eax, al
		and	eax, 1Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax

loc_50DA2A:				; CODE XREF: OBJECT_HEADER_TO_PROCESS_INFO(x)+1Bj
		mov	eax, ecx
		retn
; 

loc_50DA2D:				; CODE XREF: OBJECT_HEADER_TO_PROCESS_INFO(x)+5j
		xor	ecx, ecx
		jmp	short loc_50DA2A
_OBJECT_HEADER_TO_PROCESS_INFO@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryTotalCycleTimeProcessor(x)
_KeQueryTotalCycleTimeProcessor@4 proc near ; CODE XREF: PAGE:00780ACCp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx

loc_50DA39:				; CODE XREF: KeQueryTotalCycleTimeProcessor(x)+1Fj
		mov	edx, [ecx+3B6Ch]
		mov	eax, [ecx+3B68h]
		cmp	edx, [ecx+3B90h]
		jnz	short loc_50DA4F
		leave
		retn
; 

loc_50DA4F:				; CODE XREF: KeQueryTotalCycleTimeProcessor(x)+19j
		pause
		jmp	short loc_50DA39
_KeQueryTotalCycleTimeProcessor@4 endp

; 
		align 8
; Exported entry 895. IoInitializeWorkItem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoInitializeWorkItem
IoInitializeWorkItem proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DA496 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	3
		pop	edx
		movzx	eax, word ptr [ecx]
		cmp	ax, dx
		jnz	short loc_50DA8D

loc_50DA6B:				; CODE XREF: IoInitializeWorkItem+39j
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax+1Ch], 0
		and	dword ptr [eax], 0
		mov	dword ptr [eax+20h], 1
		mov	[eax+14h], ecx
		mov	dword ptr [eax+8], offset IopProcessWorkItem
		mov	[eax+0Ch], eax
		pop	ebp
		retn	8
; 

loc_50DA8D:				; CODE XREF: IoInitializeWorkItem+11j
		cmp	ax, 4
		jz	short loc_50DA6B
		jmp	loc_5DA496
IoInitializeWorkItem endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1308. KeSignalCallDpcDone

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSignalCallDpcDone(x)
		public _KeSignalCallDpcDone@4
_KeSignalCallDpcDone@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		lock dec dword ptr [eax]
		pop	ebp
		retn	4
_KeSignalCallDpcDone@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspUnlockProcessShared(x, x)
_PspUnlockProcessShared@8 proc near	; CODE XREF: NtSetInformationThread+ABEp
					; PAGE:0083F759p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	11h
		mov	ebx, edx
		lea	edi, [ecx+0E0h]
		xor	esi, esi
		pop	eax
		lock cmpxchg [edi], esi
		cmp	eax, 11h
		jnz	short loc_50DADA

loc_50DAC9:				; CODE XREF: PspUnlockProcessShared(x,x)+33j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		mov	ecx, ebx
		pop	ebx
		jmp	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
; 

loc_50DADA:				; CODE XREF: PspUnlockProcessShared(x,x)+19j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_50DAC9
_PspUnlockProcessShared@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnEnablePrefetcherTimerRoutine(x,	x, x, x)
_PfSnEnablePrefetcherTimerRoutine@16 proc near
					; DATA XREF: PfSnAllocateEnablePrefetcherTimer(x)+26o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		xor	edx, edx
		mov	ecx, [esi+48h]
		call	PfSnUpdatePrefetcherFlags
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebp
		retn	10h
_PfSnEnablePrefetcherTimerRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnUpdatePrefetcherFlags proc near	; CODE XREF: PfSnEnablePrefetcherTimerRoutine(x,x,x,x)+Ep
					; PfSnBeginBootPhase+2Bp ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_6D4958
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ebx, dword_6D49F0
		test	esi, esi
		jnz	short loc_50DB5F
		not	edi
		and	edi, ebx
		mov	dword_6D49F0, edi

loc_50DB38:				; CODE XREF: PfSnUpdatePrefetcherFlags+65j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_6D4958
		jnz	loc_5DA4A8
		xor	eax, eax
		lock and [ecx],	eax

loc_50DB4F:				; CODE XREF: IoInitializeWorkItem+CCA58j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_50DB5F:				; CODE XREF: PfSnUpdatePrefetcherFlags+28j
		mov	ecx, ebx
		or	ecx, edi
		mov	dword_6D49F0, ecx
		jmp	short loc_50DB38
PfSnUpdatePrefetcherFlags endp

; 
		align 10h
; Exported entry  79. ExTryConvertPushLockSharedToExclusiveEx

;  S U B	R O U T	I N E 


		public ExTryConvertPushLockSharedToExclusiveEx
ExTryConvertPushLockSharedToExclusiveEx	proc near

; FUNCTION CHUNK AT 005A83E5 SIZE 00000023 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	edx, 0FFFFFFFCh
		jnz	loc_5A83E5
		xor	ecx, ecx
		push	11h
		inc	ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		pop	esi
		setz	al
		retn
ExTryConvertPushLockSharedToExclusiveEx	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWaitForSystemCacheViewFlush(x)
_MiWaitForSystemCacheViewFlush@4 proc near ; CODE XREF:	MiObtainSystemCacheView+423p
					; MiReleaseSystemCacheView+117E82p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx

loc_50DBA1:				; CODE XREF: MiWaitForSystemCacheViewFlush(x)+27j
		mov	edx, [esi+18h]
		nop
		mov	eax, [esi+1Ch]
		push	eax
		push	edx
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		or	eax, edx
		jz	short loc_50DBBD
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		jmp	short loc_50DBA1
; 

loc_50DBBD:				; CODE XREF: MiWaitForSystemCacheViewFlush(x)+1Dj
		pop	esi
		leave
		retn
_MiWaitForSystemCacheViewFlush@4 endp


;  S U B	R O U T	I N E 


; __stdcall AuthzBasepDeleteAllSecurityAttributeValues(x)
_AuthzBasepDeleteAllSecurityAttributeValues@4 proc near
					; CODE XREF: AuthzBasepDeleteSecurityAttribute+80p
					; AuthzBasepDeleteAllSecurityAttributes(x)+21p
		mov	edi, edi
		push	esi
		mov	dl, 1
		mov	esi, ecx
		call	AuthzBasepFreeSecurityAttributeValues
		lea	edx, [esi+2Ch]
		mov	eax, [edx]
		cmp	eax, edx
		jz	short loc_50DC10
		push	ebx
		push	edi

loc_50DBD7:				; CODE XREF: AuthzBasepDeleteAllSecurityAttributeValues(x)+4Cj
		mov	ecx, [eax+10h]
		test	cl, 2
		jnz	short loc_50DC08
		or	ecx, 4
		mov	[eax+10h], ecx
		test	cl, 2
		jnz	short loc_50DC08
		lea	edi, [esi+38h]
		mov	ebx, [edi+4]
		lea	ecx, [eax+8]
		cmp	[ebx], edi
		jnz	short loc_50DC18
		mov	[ecx], edi
		mov	[ecx+4], ebx
		mov	[ebx], ecx
		mov	[edi+4], ecx
		or	dword ptr [eax+10h], 2
		inc	dword ptr [esi+34h]

loc_50DC08:				; CODE XREF: AuthzBasepDeleteAllSecurityAttributeValues(x)+1Dj
					; AuthzBasepDeleteAllSecurityAttributeValues(x)+28j
		mov	eax, [eax]
		cmp	eax, edx
		jnz	short loc_50DBD7
		pop	edi
		pop	ebx

loc_50DC10:				; CODE XREF: AuthzBasepDeleteAllSecurityAttributeValues(x)+13j
		mov	eax, [esi+24h]
		mov	[esi+28h], eax
		pop	esi
		retn
; 

loc_50DC18:				; CODE XREF: AuthzBasepDeleteAllSecurityAttributeValues(x)+35j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_AuthzBasepDeleteAllSecurityAttributeValues@4 endp


;  S U B	R O U T	I N E 


AuthzBasepFreeSecurityAttributeValues proc near
					; CODE XREF: AuthzBasepCommitSecurityAttributeChanges+B5p
					; AuthzBasepDeleteSecurityAttribute+9Fp ...

; FUNCTION CHUNK AT 005DA4B5 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		test	dl, dl
		jnz	short loc_50DC46
		lea	esi, [ebx+2Ch]

loc_50DC2C:				; CODE XREF: AuthzBasepFreeSecurityAttributeValues+26j
		mov	edx, [esi]
		cmp	edx, esi
		jz	short loc_50DC46
		push	ecx
		push	1
		mov	ecx, ebx
		call	_AuthzBasepRemoveSecurityAttributeValueFromLists@16 ; AuthzBasepRemoveSecurityAttributeValueFromLists(x,x,x,x)
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_50DC2C
; 

loc_50DC46:				; CODE XREF: AuthzBasepFreeSecurityAttributeValues+9j
					; AuthzBasepFreeSecurityAttributeValues+12j
		lea	edi, [ebx+38h]
		mov	esi, [edi]

loc_50DC4B:				; CODE XREF: AuthzBasepFreeSecurityAttributeValues+CC8A0j
					; AuthzBasepFreeSecurityAttributeValues+CC8B8j
		cmp	esi, edi
		jnz	loc_5DA4B5
		pop	edi
		pop	esi
		pop	ebx
		retn
AuthzBasepFreeSecurityAttributeValues endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 675. FsRtlUninitializeLargeMcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlUninitializeLargeMcb(x)
		public _FsRtlUninitializeLargeMcb@4
_FsRtlUninitializeLargeMcb@4 proc near	; CODE XREF: FsRtlUninitializeMcb(x)j

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, [esi]
		test	edx, edx
		jz	short loc_50DC81
		mov	ecx, offset _FsRtlFastMutexLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		and	dword ptr [esi], 0
		lea	eax, [esi+4]
		push	eax
		call	_FsRtlUninitializeBaseMcb@4 ; FsRtlUninitializeBaseMcb(x)

loc_50DC81:				; CODE XREF: FsRtlUninitializeLargeMcb(x)+Dj
		pop	esi
		pop	ebp
		retn	4
_FsRtlUninitializeLargeMcb@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 323. ExAllocatePool

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExAllocatePool(x, x)
		public _ExAllocatePool@8
_ExAllocatePool@8 proc near		; CODE XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+122j

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:20h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	656E6F4Eh
		call	ExpAllocatePoolWithTagFromNode
		pop	ebp
		retn	8
_ExAllocatePool@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcBoostLowPriorityWorkerThread proc near
					; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+115p
					; .text:004ACC0Ap

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DA4DB SIZE 0000007D BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		mov	eax, edx
		mov	edi, ecx
		xor	ecx, ecx
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	loc_50DE3A

loc_50DCED:				; CODE XREF: CcBoostLowPriorityWorkerThread+17Dj
		lea	esi, [edi+280h]
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_8], esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+270h]
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	loc_50DE48

loc_50DD10:				; CODE XREF: CcBoostLowPriorityWorkerThread+196j
					; CcBoostLowPriorityWorkerThread+1A9j ...
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_5DA50C

loc_50DD24:				; CODE XREF: CcBoostLowPriorityWorkerThread+CC84Ej
					; CcBoostLowPriorityWorkerThread+CC85Bj
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	esi, 7FFFFFFCh
		jz	loc_50DE31
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_50DD64
		cmp	byte ptr dword_6D3994[ecx], 1
		jz	loc_50DED3

loc_50DD64:				; CODE XREF: CcBoostLowPriorityWorkerThread+95j
		cmp	eax, [ebp+var_20]
		jb	short loc_50DD76
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_50DED3

loc_50DD76:				; CODE XREF: CcBoostLowPriorityWorkerThread+A7j
					; CcBoostLowPriorityWorkerThread+226j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_50DF2F
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_50DF42

loc_50DDB7:				; CODE XREF: CcBoostLowPriorityWorkerThread+28Aj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5DA520
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_50DE03:				; CODE XREF: CcBoostLowPriorityWorkerThread+277j
					; CcBoostLowPriorityWorkerThread+CC872j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	loc_50DEEB

loc_50DE1A:				; CODE XREF: CcBoostLowPriorityWorkerThread+264j
					; CcBoostLowPriorityWorkerThread+CC893j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_50DE31
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_50DF4F

loc_50DE31:				; CODE XREF: CcBoostLowPriorityWorkerThread+6Fj
					; CcBoostLowPriorityWorkerThread+163j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_50DE3A:				; CODE XREF: CcBoostLowPriorityWorkerThread+27j
		cmp	[eax+4], ecx
		ja	loc_50DCED
		jmp	loc_5DA4DB
; 

loc_50DE48:				; CODE XREF: CcBoostLowPriorityWorkerThread+4Aj
		mov	ecx, large fs:124h
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		test	eax, eax
		jle	loc_50DD10
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_50DE6F
		cmp	eax, [edi+274h]
		jnz	loc_50DD10

loc_50DE6F:				; CODE XREF: CcBoostLowPriorityWorkerThread+1A1j
		mov	ecx, [ebp+var_C]
		push	0
		push	2
		pop	edx
		call	IoBoostThreadIoPriority
		push	0Dh
		push	dword ptr [edi+270h]
		call	KeSetPriorityThread
		mov	[edi+278h], eax
		xor	ecx, ecx
		mov	eax, [edi+274h]
		cmp	[eax+4], ecx
		jbe	loc_5DA4E9
		test	dword ptr [eax+60h], 20000000h
		jnz	loc_50DD10
		push	ecx
		push	ecx
		mov	ecx, [edi+270h]
		xor	dl, dl
		call	PsBoostThreadIoEx
		mov	ecx, [edi+274h]
		mov	edx, 20000000h
		push	1
		call	CcUpdateSharedCacheMapFlag
		jmp	loc_50DD10
; 

loc_50DED3:				; CODE XREF: CcBoostLowPriorityWorkerThread+9Ej
					; CcBoostLowPriorityWorkerThread+B0j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]
		jmp	loc_50DD76
; 

loc_50DEEB:				; CODE XREF: CcBoostLowPriorityWorkerThread+154j
		test	edi, 8000h
		jz	short loc_50DEFC
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_50DEFC:				; CODE XREF: CcBoostLowPriorityWorkerThread+231j
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5DA537

loc_50DF06:				; CODE XREF: CcBoostLowPriorityWorkerThread+CC881j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_50DF1A
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_50DF1A:				; CODE XREF: CcBoostLowPriorityWorkerThread+24Dj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_50DE1A
		jmp	loc_5DA546
; 

loc_50DF2F:				; CODE XREF: CcBoostLowPriorityWorkerThread+DFj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_50DE03
		jmp	loc_5DA4F9
; 

loc_50DF42:				; CODE XREF: CcBoostLowPriorityWorkerThread+F1j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_50DDB7
; 

loc_50DF4F:				; CODE XREF: CcBoostLowPriorityWorkerThread+16Bj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_50DE31
CcBoostLowPriorityWorkerThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelperSetBlockerParentHandle(x, x)
_SleepstudyHelperSetBlockerParentHandle@8 proc near ; DATA XREF: .data:006B35F8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	short loc_50DF8F
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_50DF8F
		mov	ecx, [esi+30h]
		test	ecx, ecx
		jnz	short loc_50DF88

loc_50DF76:				; CODE XREF: SleepstudyHelperSetBlockerParentHandle(x,x)+33j
		mov	ecx, edi
		mov	[esi+30h], edi
		call	_SshpReferenceBlocker@4	; SshpReferenceBlocker(x)
		xor	eax, eax

loc_50DF82:				; CODE XREF: SleepstudyHelperSetBlockerParentHandle(x,x)+3Aj
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_50DF88:				; CODE XREF: SleepstudyHelperSetBlockerParentHandle(x,x)+1Aj
		call	SshpDereferenceBlocker
		jmp	short loc_50DF76
; 

loc_50DF8F:				; CODE XREF: SleepstudyHelperSetBlockerParentHandle(x,x)+Cj
					; SleepstudyHelperSetBlockerParentHandle(x,x)+13j
		mov	eax, 0C000000Dh
		jmp	short loc_50DF82
_SleepstudyHelperSetBlockerParentHandle@8 endp


;  S U B	R O U T	I N E 


; __stdcall MmDeterminePoolType(x)
_MmDeterminePoolType@4 proc near	; CODE XREF: VerifierMmBuildMdlForNonPagedPool(x)+21p
					; ExFreePoolSanityChecks(x)+61p
		call	_MiDeterminePoolType@4 ; MiDeterminePoolType(x)
		lea	ecx, [eax-20h]
		neg	ecx
		sbb	ecx, ecx
		and	eax, ecx
		retn
_MmDeterminePoolType@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetWorkingSetInfo proc near		; CODE XREF: MmQueryVirtualMemory+A64p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DA558 SIZE 0000000A BYTES

		push	1Ch
		push	offset dword_6A4470
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], ecx
		xor	edi, edi
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		mov	ebx, [ebp+arg_4]
		mov	ecx, ebx
		and	ecx, 0FFFh
		neg	ecx
		sbb	ecx, ecx
		neg	ecx
		add	ecx, 8
		mov	eax, ebx
		shr	eax, 0Ch
		add	ecx, eax
		shl	ecx, 2
		push	edi
		push	40h
		mov	edx, 20206D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		jz	loc_5DA558
		mov	[esi], edi
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		and	edx, 0FFFh
		lea	eax, [ebx+0FFFh]
		add	eax, edx
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[esi+4], ax
		xor	eax, eax
		mov	[esi+6], ax
		and	ecx, 0FFFFF000h
		mov	[esi+10h], ecx
		mov	[esi+18h], edx
		mov	[esi+14h], ebx
		mov	eax, large fs:124h
		mov	[ebp+ms_exc.disabled], edi
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4], al
		push	1
		push	[ebp+arg_4]
		push	esi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	byte ptr [esi+6], 5
		jnz	short loc_50E0B9
		push	40000010h
		push	edi
		push	edi
		push	1
		push	edi
		push	esi
		call	MmMapLockedPagesSpecifyCache
		mov	edi, eax

loc_50E06B:				; CODE XREF: MiGetWorkingSetInfo+116j
		test	edi, edi
		jz	short loc_50E0BE
		push	ebx
		push	edi
		mov	edx, [ebp+var_1C]
		or	edx, 80000000h
		mov	ecx, [ebp+var_20]
		add	ecx, 240h
		call	MiGetWorkingSetInfoEx
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_50E0B0

loc_50E08E:				; CODE XREF: MiGetWorkingSetInfo+111j
					; MiGetWorkingSetInfo+11Dj
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, ebx

loc_50E09E:				; CODE XREF: MiGetWorkingSetInfo+CC5B7j
					; sub_5DA570+17j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_50E0B0:				; CODE XREF: MiGetWorkingSetInfo+E6j
		mov	ecx, [edi]
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		jmp	short loc_50E08E
; 

loc_50E0B9:				; CODE XREF: MiGetWorkingSetInfo+B1j
		mov	edi, [esi+0Ch]
		jmp	short loc_50E06B
; 

loc_50E0BE:				; CODE XREF: MiGetWorkingSetInfo+C7j
		mov	ebx, 0C000009Ah
		jmp	short loc_50E08E
MiGetWorkingSetInfo endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetWorkingSetInfoEx proc near		; CODE XREF: MiGetWorkingSetInfo+DDp
					; MmLogSystemShareablePfnInfo(x,x)+D3p	...

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6A		= byte ptr -6Ah
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DA58C SIZE 00000080 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	ebx, [ebp+arg_0]
		push	6
		mov	esi, ecx
		mov	[ebp+var_7C], edx
		pop	ecx
		lea	edi, [ebp+var_1C]
		rep stosd
		lea	edi, [ebp+var_9C]
		stosd
		push	4Ch		; size_t
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_70]
		xor	edi, edi
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_7C]
		xor	ecx, ecx
		add	esp, 0Ch
		mov	[ebp+var_78], edi
		inc	ecx
		mov	[ebp+var_88], edi
		test	eax, eax
		jns	short loc_50E136
		mov	[ebp+var_9C], ecx
		test	eax, 40000000h
		jz	short loc_50E136
		mov	[ebp+var_9C], 3

loc_50E136:				; CODE XREF: MiGetWorkingSetInfoEx+57j
					; MiGetWorkingSetInfoEx+64j
		test	byte ptr [esi+60h], 7
		jnz	short loc_50E163
		lea	ecx, [esi-240h]
		mov	[ebp+var_78], ecx
		cmp	ecx, ds:_PsIdleProcess
		jz	loc_5DA58C
		mov	eax, large fs:124h
		cmp	[eax+80h], ecx
		jnz	loc_5DA59E

loc_50E163:				; CODE XREF: MiGetWorkingSetInfoEx+74j
					; MiGetWorkingSetInfoEx+CC4EDj
		or	[ebp+var_58], 0FFFFFFFFh
		mov	eax, 8006h
		mov	word ptr [ebp+var_70], ax
		mov	ecx, esi
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_30], offset _MiQueryLeafPte@12	; MiQueryLeafPte(x,x,x)
		mov	[ebp+var_28], eax
		call	MiLockWorkingSetShared
		mov	edx, [ebp+var_78]
		mov	[ebp+var_6A], al
		test	edx, edx
		jz	short loc_50E19E
		test	byte ptr [edx+0FCh], 20h
		jnz	loc_5DA5B8

loc_50E19E:				; CODE XREF: MiGetWorkingSetInfoEx+C9j
		mov	eax, [ebp+var_7C]
		mov	ecx, [esi+40h]
		mov	[ebp+var_74], ecx
		test	eax, eax
		jns	loc_5DA5C2
		test	ecx, ecx
		jz	loc_50E256
		mov	eax, [ebp+arg_4]
		cmp	eax, 8
		jb	short loc_50E1E3
		add	eax, 0FFFFFFF8h
		mov	[ebp+var_80], 4
		shr	eax, 2

loc_50E1CC:				; CODE XREF: MiGetWorkingSetInfoEx+CC532j
		mov	edx, [ebp+var_80]
		inc	eax
		add	edx, ebx
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], edx
		mov	edx, [ebp+var_78]
		cmp	[ebp+var_74], eax
		jbe	short loc_50E21F

loc_50E1E3:				; CODE XREF: MiGetWorkingSetInfoEx+F7j
					; MiGetWorkingSetInfoEx+1A1j ...
		cmp	[ebp+var_7C], edi
		mov	edi, 0C0000004h
		jge	loc_50E275
		mov	[ebx], ecx

loc_50E1F3:				; CODE XREF: MiGetWorkingSetInfoEx+19Cj
					; MiGetWorkingSetInfoEx+1B5j ...
		mov	dl, [ebp+var_6A]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_88], eax
		jz	loc_5DA5FD

loc_50E20C:				; CODE XREF: MiGetWorkingSetInfoEx+CC541j
		mov	eax, edi

loc_50E20E:				; CODE XREF: MiGetWorkingSetInfoEx+CC4D3j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_50E21F:				; CODE XREF: MiGetWorkingSetInfoEx+11Bj
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		jz	short loc_50E26C

loc_50E228:				; CODE XREF: MiGetWorkingSetInfoEx+1ADj
		mov	eax, [ebp+var_84]
		lea	ecx, [ebp+var_70]
		mov	[ebp+var_90], eax
		mov	eax, [ebp+var_80]
		mov	[ebp+var_60], esi
		mov	[ebp+var_98], eax
		mov	[ebp+var_8C], edx
		call	MiWalkPageTables
		cmp	eax, 4
		jz	short loc_50E264
		mov	eax, [ebp+var_7C]

loc_50E256:				; CODE XREF: MiGetWorkingSetInfoEx+EBj
					; MiGetWorkingSetInfoEx+CC504j
		test	eax, eax
		mov	eax, [ebp+var_94]
		jns	short loc_50E280
		mov	[ebx], eax
		jmp	short loc_50E1F3
; 

loc_50E264:				; CODE XREF: MiGetWorkingSetInfoEx+18Bj
		mov	ecx, [esi+40h]
		jmp	loc_50E1E3
; 

loc_50E26C:				; CODE XREF: MiGetWorkingSetInfoEx+160j
		xor	eax, eax
		inc	eax
		or	word ptr [ebp+var_70], ax
		jmp	short loc_50E228
; 

loc_50E275:				; CODE XREF: MiGetWorkingSetInfoEx+125j
		sub	ecx, [esi+44h]
		mov	[ebx+4], ecx
		jmp	loc_50E1F3
; 

loc_50E280:				; CODE XREF: MiGetWorkingSetInfoEx+198j
		mov	[ebx+4], eax
		jmp	loc_50E1F3
MiGetWorkingSetInfoEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeTokenSetNoChildProcessRestricted(x, x, x)
_SeTokenSetNoChildProcessRestricted@12 proc near
					; CODE XREF: PspSetNoChildProcessRestrictedPolicy(x,x)+2Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	bl, dl
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, [esi+0B0h]
		cmp	[ebp+arg_0], cl
		jnz	short loc_50E30C
		or	eax, 80000h
		test	bl, bl
		jnz	short loc_50E31A
		and	eax, 0FFEFFFFFh

loc_50E2D3:				; CODE XREF: SeTokenSetNoChildProcessRestricted(x,x,x)+97j
		and	eax, 0FFDFFFFFh

loc_50E2D8:				; CODE XREF: SeTokenSetNoChildProcessRestricted(x,x,x)+90j
		mov	[esi+0B0h], eax

loc_50E2DE:				; CODE XREF: SeTokenSetNoChildProcessRestricted(x,x,x)+89j
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_50E30C:				; CODE XREF: SeTokenSetNoChildProcessRestricted(x,x,x)+3Bj
		test	eax, 80000h
		jnz	short loc_50E2DE
		or	eax, 200000h
		jmp	short loc_50E2D8
; 

loc_50E31A:				; CODE XREF: SeTokenSetNoChildProcessRestricted(x,x,x)+44j
		or	eax, 100000h
		jmp	short loc_50E2D3
_SeTokenSetNoChildProcessRestricted@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSwitchPriQueue proc near		; CODE XREF: KeRemovePriQueue+2B4p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DA60C SIZE 00000220 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	edx, [ebp+arg_0]
		lea	esi, [edi+140h]
		test	edx, edx
		jnz	short loc_50E3A1

loc_50E33B:				; CODE XREF: KiSwitchPriQueue+85j
		mov	ecx, ebx
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		and	[ebp+arg_0], 0
		lea	esi, [edi+2Ch]

loc_50E349:				; CODE XREF: KiSwitchPriQueue+CC2F8j
		lock bts dword ptr [esi], 0
		jb	loc_5DA60C
		movsx	eax, byte ptr [edi+15Bh]
		mov	[edi+0A4h], ebx
		mov	[edi+14Ch], eax
		lock inc dword ptr [ebx+eax*4+110h]
		mov	dword ptr [esi], 0
		lea	eax, [ebx+194h]
		mov	ecx, [eax+4]
		lea	esi, [edi+140h]
		cmp	[ecx], eax
		jnz	short loc_50E3A9
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_50E3A1:				; CODE XREF: KiSwitchPriQueue+17j
		push	esi
		call	KiActivateWaiterQueueWithNoLocks
		jmp	short loc_50E33B
; 

loc_50E3A9:				; CODE XREF: KiSwitchPriQueue+64j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

MiPurgeImageSection:			; CODE XREF: MiCheckControlArea+126p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		push	ebx
		mov	eax, ecx
		mov	bl, 21h
		push	esi
		xor	esi, esi
		mov	[ebp+var_38], eax
		push	edi
		mov	[ebp+var_18], esi
		lea	edi, [eax+50h]
		mov	byte ptr [ebp+var_1], bl

loc_50E3CB:				; CODE XREF: KiSwitchPriQueue+C2j
		mov	[ebp+var_34], edi
		test	edi, edi
		jz	loc_50E4FC
		movzx	eax, word ptr [edi+12h]
		mov	[ebp+var_28], eax
		test	al, 2
		jnz	short loc_50E3E6

loc_50E3E1:				; CODE XREF: KiSwitchPriQueue+1D5j
		mov	edi, [edi+8]
		jmp	short loc_50E3CB
; 

loc_50E3E6:				; CODE XREF: KiSwitchPriQueue+BDj
		mov	ax, [edi+10h]
		shr	ax, 1
		and	ax, 1Fh
		movzx	eax, ax
		cdq
		shld	edx, eax, 5
		shl	eax, 5
		push	edx
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, edx
		mov	[ebp+var_4C], eax
		mov	[ebp+var_50], ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		cmp	[edi+14h], esi
		jz	short loc_50E43D
		mov	ecx, edi
		call	_MiMakeSubsectionPte@4 ; MiMakeSubsectionPte(x)
		mov	ecx, [ebp+var_28]
		mov	[ebp+var_10], edx
		movzx	edx, cx
		mov	ecx, [edi+18h]
		shr	edx, 4
		shl	ecx, 9
		or	edx, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_30], edx

loc_50E43D:				; CODE XREF: KiSwitchPriQueue+F8j
		mov	esi, [edi+4]
		mov	eax, [edi+1Ch]
		lea	eax, [esi+eax*8]
		mov	[ebp+var_54], eax
		cmp	esi, eax
		jnb	loc_50E4E1

loc_50E451:				; CODE XREF: KiSwitchPriQueue+1B6j
		test	esi, 0FFFh
		jz	short loc_50E45E
		cmp	bl, 21h
		jnz	short loc_50E47F

loc_50E45E:				; CODE XREF: KiSwitchPriQueue+135j
		cmp	bl, 21h
		jnz	loc_5DA61F

loc_50E467:				; CODE XREF: KiSwitchPriQueue+CC307j
					; KiSwitchPriQueue+CC318j
		lea	edx, [ebp+var_1]
		mov	ecx, esi
		call	MiLockProtoPoolPage
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_5DA62E
		mov	bl, byte ptr [ebp+var_1]

loc_50E47F:				; CODE XREF: KiSwitchPriQueue+13Aj
		xor	edx, edx
		mov	ecx, esi
		call	MiLockLeafPage
		mov	edi, [esi]
		mov	edx, eax
		mov	[ebp+var_14], edx
		nop
		mov	eax, [esi+4]
		mov	ecx, edi
		or	ecx, eax
		mov	[ebp+var_8], eax
		jz	short loc_50E4DE
		xor	ecx, ecx
		test	edx, edx
		jnz	loc_5DA63F
		mov	eax, edi
		and	eax, 400h
		or	eax, ecx
		jz	loc_5DA7F3

loc_50E4B5:				; CODE XREF: KiSwitchPriQueue+CC33Aj
					; KiSwitchPriQueue+CC4B7j ...
		mov	ecx, [ebp+var_2C]
		add	esi, 8
		add	ecx, 1000h
		mov	[ebp+var_2C], ecx
		cmp	ecx, [ebp+var_30]
		jb	short loc_50E4D5
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_50]
		mov	[ebp+var_10], eax

loc_50E4D5:				; CODE XREF: KiSwitchPriQueue+1A5j
		cmp	esi, [ebp+var_54]
		jb	loc_50E451

loc_50E4DE:				; CODE XREF: KiSwitchPriQueue+178j
		mov	edi, [ebp+var_34]

loc_50E4E1:				; CODE XREF: KiSwitchPriQueue+129j
		cmp	bl, 21h
		jz	short loc_50E4F5
		mov	ecx, [ebp+var_18]
		mov	dl, bl
		call	MiUnlockProtoPoolPage
		mov	bl, 21h
		mov	byte ptr [ebp+var_1], bl

loc_50E4F5:				; CODE XREF: KiSwitchPriQueue+1C2j
		xor	esi, esi
		jmp	loc_50E3E1
; 

loc_50E4FC:				; CODE XREF: KiSwitchPriQueue+AEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
KiSwitchPriQueue endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1303. KeSetTargetProcessorDpcEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetTargetProcessorDpcEx(x, x)
		public _KeSetTargetProcessorDpcEx@8
_KeSetTargetProcessorDpcEx@8 proc near	; CODE XREF: KiIntSteerDisable+8955Fp
					; KeSetTargetProcessorDpc(x,x)+40p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_50E52F
		mov	edx, [ebp+arg_0]
		mov	ecx, [edx+1Ch]
		test	ecx, ecx
		jnz	short loc_50E529
		add	eax, 20h
		mov	[edx+2], ax

loc_50E529:				; CODE XREF: KeSetTargetProcessorDpcEx(x,x)+1Aj
		xor	eax, eax

loc_50E52B:				; CODE XREF: KeSetTargetProcessorDpcEx(x,x)+2Ej
		pop	ebp
		retn	8
; 

loc_50E52F:				; CODE XREF: KeSetTargetProcessorDpcEx(x,x)+10j
		mov	eax, 0C000000Dh
		jmp	short loc_50E52B
_KeSetTargetProcessorDpcEx@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 147. KeTryToAcquireSpinLockAtDpcLevel

;  S U B	R O U T	I N E 


; __fastcall KeTryToAcquireSpinLockAtDpcLevel(x)
		public @KeTryToAcquireSpinLockAtDpcLevel@4
@KeTryToAcquireSpinLockAtDpcLevel@4 proc near
		test	ds:byte_70EFC6,	21h
		jnz	@KiTryToAcquireSpinLockInstrumented@4 ;	KiTryToAcquireSpinLockInstrumented(x)
		lock bts dword ptr [ecx], 0
		jb	short loc_50E553
		mov	al, 1
		retn
; 

loc_50E553:				; CODE XREF: KeTryToAcquireSpinLockAtDpcLevel(x)+12j
		xor	al, al
		pause
		retn
@KeTryToAcquireSpinLockAtDpcLevel@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpValidTrustSubjectContext(x, x, x, x)
_RtlpValidTrustSubjectContext@16 proc near ; CODE XREF:	RtlpNewSecurityObject+1681p
					; RtlpSetSecurityObject+919p ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	al, al
		mov	[ebp+var_1], al
		push	esi
		mov	esi, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_50E582
		lea	eax, [ebp-1]
		push	eax
		call	_RtlSidDominatesForTrust@12 ; RtlSidDominatesForTrust(x,x,x)
		mov	[esi], eax
		mov	al, [ebp+var_1]
		test	al, al
		jz	short loc_50E582

loc_50E57D:				; CODE XREF: RtlpValidTrustSubjectContext(x,x,x,x)+30j
		pop	esi
		leave
		retn	8
; 

loc_50E582:				; CODE XREF: RtlpValidTrustSubjectContext(x,x,x,x)+11j
					; RtlpValidTrustSubjectContext(x,x,x,x)+23j
		mov	dword ptr [esi], 0C0000022h
		jmp	short loc_50E57D
_RtlpValidTrustSubjectContext@16 endp

; 
		align 10h
; Exported entry 658. FsRtlResetBaseMcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlResetBaseMcb(x)
		public _FsRtlResetBaseMcb@4
_FsRtlResetBaseMcb@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax+4], 0
		pop	ebp
		retn	4
_FsRtlResetBaseMcb@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 475. FsRtlAllocateFileLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAllocateFileLock(x, x)
		public _FsRtlAllocateFileLock@8
_FsRtlAllocateFileLock@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	offset _FsRtlFileLockLookasideList
		call	_ExAllocateFromPagedLookasideList@4 ; ExAllocateFromPagedLookasideList(x)
		test	eax, eax
		jz	short loc_50E5CF
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	[eax], ecx
		mov	ecx, [ebp+arg_4]
		mov	[eax+0Ch], edx
		mov	[eax+4], ecx
		mov	[eax+8], dl
		mov	[eax+3Ch], edx

loc_50E5CF:				; CODE XREF: FsRtlAllocateFileLock(x,x)+11j
		pop	ebp
		retn	8
_FsRtlAllocateFileLock@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiDereferenceControlArea(x)
_MiDereferenceControlArea@4 proc near	; CODE XREF: MiDeleteVad(x,x,x)+116Fp
					; MiRefillPurgedExtents(x,x)+53p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		lea	eax, [esi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		dec	dword ptr [esi+14h]
		mov	ecx, esi
		dec	dword ptr [esi+18h]
		mov	dl, al
		pop	esi
		jmp	MiCheckControlArea
_MiDereferenceControlArea@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCompressWorkSpaceSizeXpressLz proc near ; DATA XREF:	.text:00403FBCo

arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DA82C SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ax, [ebp+arg_0]
		test	ax, ax
		jnz	loc_5DA82C
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 7793h
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 0
		xor	eax, eax

loc_50E626:				; CODE XREF: RtlCompressWorkSpaceSizeXpressLz+CC24Aj
					; RtlCompressWorkSpaceSizeXpressLz+CC254j
		pop	ebp
		retn	0Ch
RtlCompressWorkSpaceSizeXpressLz endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCancelTimer2(x, x)
_NtCancelTimer2@8 proc near		; DATA XREF: .text:00580C98o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	0
		push	0
		call	ExpSetTimer2
		pop	ebp
		retn	8
_NtCancelTimer2@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 805. IoCsqInitializeEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCsqInitializeEx(x, x, x, x, x, x,	x)
		public _IoCsqInitializeEx@28
_IoCsqInitializeEx@28 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		and	dword ptr [ecx+1Ch], 0
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_C]
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+arg_10]
		mov	[ecx+10h], eax
		mov	eax, [ebp+arg_14]
		mov	[ecx+14h], eax
		mov	eax, [ebp+arg_18]
		mov	[ecx+18h], eax
		xor	eax, eax
		mov	dword ptr [ecx], 3
		pop	ebp
		retn	1Ch
_IoCsqInitializeEx@28 endp

; 
		align 8
; Exported entry 522. FsRtlFreeFileLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlFreeFileLock(x)
		public _FsRtlFreeFileLock@4
_FsRtlFreeFileLock@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	FsRtlUninitializeFileLock
		push	[ebp+arg_0]
		push	offset _FsRtlFileLockLookasideList
		call	_ExFreeToPagedLookasideList@8 ;	ExFreeToPagedLookasideList(x,x)
		pop	ebp
		retn	4
_FsRtlFreeFileLock@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 674. FsRtlUninitializeFileLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlUninitializeFileLock
FsRtlUninitializeFileLock proc near	; CODE XREF: FsRtlFreeFileLock(x)+8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DA859 SIZE 000001E2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		push	edi
		mov	edi, [ebp+arg_0]
		mov	edi, [edi+0Ch]
		test	edi, edi
		jz	loc_50E750
		push	ebx
		push	esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _FsRtlFileLockCancelCollideLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [edi+10h]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ebx, [edi+14h]

loc_50E6E7:				; CODE XREF: FsRtlUninitializeFileLock+CC1D9j
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_50E755
		lea	ebx, [edi+18h]

loc_50E6F0:				; CODE XREF: FsRtlUninitializeFileLock+CC1F1j
		mov	esi, [ebx]
		test	esi, esi
		jnz	loc_5DA88A
		mov	esi, [edi+1Ch]
		xor	ecx, ecx
		inc	ecx
		test	esi, esi
		jnz	loc_5DA8A2
		lea	ebx, [edi+10h]

loc_50E70B:				; CODE XREF: FsRtlUninitializeFileLock+CC36Bj
		test	ds:byte_70EFC6,	cl
		jnz	loc_5DAA1C
		xor	eax, eax
		lock and [ebx],	eax

loc_50E71C:				; CODE XREF: FsRtlUninitializeFileLock+CC37Dj
		test	ds:byte_70EFC6,	cl
		mov	ecx, offset _FsRtlFileLockCancelCollideLock
		pop	esi
		pop	ebx
		jnz	loc_5DAA2E
		xor	eax, eax
		lock and [ecx],	eax

loc_50E734:				; CODE XREF: FsRtlUninitializeFileLock+CC38Aj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, edi
		mov	ecx, offset _FsRtlLockInfoLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax+0Ch], 0

loc_50E750:				; CODE XREF: FsRtlUninitializeFileLock+15j
		pop	edi
		leave
		retn	4
; 

loc_50E755:				; CODE XREF: FsRtlUninitializeFileLock+3Fj
		lea	esi, [eax-10h]
		jmp	loc_5DA869
FsRtlUninitializeFileLock endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetIRTimer(x, x)
_NtSetIRTimer@8	proc near		; DATA XREF: .text:00580C90o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		call	ExpSetTimer2
		pop	ebp
		retn	8
_NtSetIRTimer@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpFixedVsCommit(x, x, x)
_RtlpHpFixedVsCommit@12	proc near	; DATA XREF: RtlpHpFixedHeapCreate+124o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		mov	[ebp+arg_0], eax
		mov	edx, [ecx+4]
		xor	edx, _RtlpHpHeapGlobals
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+arg_4]
		push	eax
		push	ecx
		call	edx
		pop	ebp
		retn	0Ch
_RtlpHpFixedVsCommit@12	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1759. PsDereferenceSiloContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsDereferenceSiloContext(x)
		public _PsDereferenceSiloContext@4
_PsDereferenceSiloContext@4 proc near	; CODE XREF: PspAssignSiloSystemRootPath(x,x)+A4p
					; PspSiloInitializeSystemRootBuffer(x)+51p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	ObfDereferenceObject
		pop	ebp
		retn	4
_PsDereferenceSiloContext@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeCaptureWaitChainHeadEx proc near	; CODE XREF: ExpReleaseResourceForThreadLite+30Bp
					; ExpPrepareToWakeResourceExclusive(x,x,x,x)+2Fp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DAA3B SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		mov	[edi], esi
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_50E7DD
		mov	eax, [edx]
		cmp	eax, edx
		jnz	loc_5DAA3B
		mov	[ecx], esi

loc_50E7D3:				; CODE XREF: KeCaptureWaitChainHeadEx+CC29Cj
		mov	esi, [edx+8]
		mov	ecx, edi
		call	RtlInsertHeadCircularList

loc_50E7DD:				; CODE XREF: KeCaptureWaitChainHeadEx+11j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_50E7E6
		mov	[eax], esi

loc_50E7E6:				; CODE XREF: KeCaptureWaitChainHeadEx+2Ej
		pop	edi
		pop	esi
		pop	ebp
		retn	4
KeCaptureWaitChainHeadEx endp


;  S U B	R O U T	I N E 


RtlInsertHeadCircularList proc near	; CODE XREF: ExpAcquireSharedStarveExclusive+324p
					; KeCaptureWaitChainHeadEx+24p	...
		mov	eax, [ecx]
		test	eax, eax
		jnz	loc_5DAA5A
		mov	[edx+4], edx
		mov	[edx], edx

loc_50E7FB:				; CODE XREF: KeCaptureWaitChainHeadEx+CC2BEj
		mov	[ecx], edx
		retn
RtlInsertHeadCircularList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpFixedVsAllocate proc near		; DATA XREF: RtlpHpFixedHeapCreate+101o

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DAA77 SIZE 000001E7 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 48h
		and	dword ptr [ebx+10h], 1
		push	esi
		push	edi
		mov	edi, [ebx+8]
		lea	esi, [edi+10h]
		mov	[ebp+var_8], esi
		jz	loc_5DAA77
		mov	byte ptr [ebp+var_4+3],	0FFh

loc_50E831:				; CODE XREF: RtlpHpFixedVsAllocate+CC286j
		mov	eax, [edi+24h]
		mov	[ebp+var_3C], eax
		mov	eax, [edi+28h]
		xor	eax, edi
		mov	[ebp+var_38], eax
		mov	eax, [ebx+0Ch]
		push	0
		shr	eax, 0Ch
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	RtlFindClearBitsAndSet
		mov	ecx, eax
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_18], ecx
		mov	[ebp+var_C], edx
		cmp	ecx, edx
		jz	short loc_50E88C
		mov	eax, [ebx+18h]
		shl	ecx, 0Ch
		add	ecx, edi
		mov	[ebp+var_14], ecx
		and	dword ptr [eax], 0
		mov	eax, [ebx+14h]
		and	dword ptr [eax], 0

loc_50E874:				; CODE XREF: RtlpHpFixedVsAllocate+AAj
		cmp	dword ptr [ebx+10h], 0
		jz	loc_5DAA89

loc_50E87E:				; CODE XREF: RtlpHpFixedVsAllocate+CC447j
					; RtlpHpFixedVsAllocate+CC45Bj
		mov	eax, [ebp+var_14]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	14h
; 

loc_50E88C:				; CODE XREF: RtlpHpFixedVsAllocate+60j
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	RtlFindLongestRunClear
		mov	ecx, [ebx+18h]
		and	[ebp+var_14], 0
		shl	eax, 0Ch
		or	edx, 0FFFFFFFFh
		mov	[ecx], eax
		jmp	short loc_50E874
RtlpHpFixedVsAllocate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReturnFaultCharges(x, x, x)
_MiReturnFaultCharges@12 proc near	; CODE XREF: MiFreeReadListPages+63p
					; MiPfPrepareReadList+151330p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	short loc_50E8D3

loc_50E8BE:				; CODE XREF: MiReturnFaultCharges(x,x,x)+33j
		test	[ebp+arg_0], 1
		jz	short loc_50E8CD
		mov	edx, edi
		mov	ecx, esi
		call	MiReturnCommit

loc_50E8CD:				; CODE XREF: MiReturnFaultCharges(x,x,x)+18j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_50E8D3:				; CODE XREF: MiReturnFaultCharges(x,x,x)+12j
		lea	ecx, [esi+1000h]
		lock xadd [ecx], eax
		jmp	short loc_50E8BE
_MiReturnFaultCharges@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFlowThroughRemoveNode(x)
_MiFlowThroughRemoveNode@4 proc	near	; CODE XREF: .text:0044912Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		push	edi
		mov	[ebp+var_4], eax
		mov	edi, [eax+0CCh]
		test	edi, edi
		jnz	short loc_50E8F9

loc_50E8F6:				; CODE XREF: MiFlowThroughRemoveNode(x)+4Fj
		pop	edi
		leave
		retn
; 

loc_50E8F9:				; CODE XREF: MiFlowThroughRemoveNode(x)+14j
		push	ebx
		push	esi
		lea	esi, [edi+88h]
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_4]
		mov	bl, al
		add	ecx, 0D4h
		push	ecx
		lea	ecx, [edi+8Ch]
		push	ecx
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebx
		jmp	short loc_50E8F6
_MiFlowThroughRemoveNode@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetPageFileHigh(x, x)
_MiGetPageFileHigh@8 proc near		; CODE XREF: MiFreeReservationRun(x,x)+1Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, dword_6D0700
		mov	eax, edx
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	esi, dword_6D0704
		or	eax, esi
		push	edi
		mov	edi, [ebp+arg_0]
		jz	short loc_50E961
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_50E961
		not	esi
		and	ecx, esi

loc_50E961:				; CODE XREF: MiGetPageFileHigh(x,x)+1Fj
					; MiGetPageFileHigh(x,x)+29j
		pop	edi
		mov	eax, ecx
		xor	edx, edx
		pop	esi
		leave
		retn	8
_MiGetPageFileHigh@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


SepDuplicateLogonSessionReference proc near
					; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+3EDp

; FUNCTION CHUNK AT 005DAC5E SIZE 00000021 BYTES

		mov	edi, edi
		push	ecx
		test	byte ptr [edx+0B0h], 20h
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+0C0h]
		jnz	loc_5DAC5E
		mov	ecx, [edx+0C0h]
		xor	eax, eax
		mov	[edi], ecx
		inc	eax
		lock xadd [ecx+14h], eax
		inc	eax
		cmp	eax, 1
		jle	short loc_50E9A2

loc_50E99C:				; CODE XREF: SepDuplicateLogonSessionReference+3Bj
		xor	eax, eax

loc_50E99E:				; CODE XREF: SepDuplicateLogonSessionReference+CC2FEj
					; SepDuplicateLogonSessionReference+CC30Ej
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_50E9A2:				; CODE XREF: SepDuplicateLogonSessionReference+2Ej
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_50E99C
SepDuplicateLogonSessionReference endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 207. CcInitializeCacheMap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcInitializeCacheMap(x, x, x, x, x)
		public _CcInitializeCacheMap@20
_CcInitializeCacheMap@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	CcInitializeCacheMapEx
		pop	ebp
		retn	14h
_CcInitializeCacheMap@20 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CcDeallocateVacbLevel(x, x)
_CcDeallocateVacbLevel@8 proc near	; CODE XREF: CcSetVacbLargeOffset+1A3p
		mov	eax, ecx
		mov	ecx, offset _CcVacbLevelWithBcbListHeadsLookasideList
		test	edx, edx
		jnz	short loc_50E9DE
		mov	ecx, offset _CcVacbLevelLookasideList

loc_50E9DE:				; CODE XREF: CcDeallocateVacbLevel(x,x)+9j
		mov	edx, eax
		jmp	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
_CcDeallocateVacbLevel@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 571. FsRtlIsNonEmptyDirectoryReparsePointAllowed

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlIsNonEmptyDirectoryReparsePointAllowed(x)
		public _FsRtlIsNonEmptyDirectoryReparsePointAllowed@4
_FsRtlIsNonEmptyDirectoryReparsePointAllowed@4 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_RtlIsNonEmptyDirectoryReparsePointAllowed@4 ; RtlIsNonEmptyDirectoryReparsePointAllowed(x)
_FsRtlIsNonEmptyDirectoryReparsePointAllowed@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2215. RtlIsNonEmptyDirectoryReparsePointAllowed

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsNonEmptyDirectoryReparsePointAllowed(x)
		public _RtlIsNonEmptyDirectoryReparsePointAllowed@4
_RtlIsNonEmptyDirectoryReparsePointAllowed@4 proc near
					; CODE XREF: FsRtlIsNonEmptyDirectoryReparsePointAllowed(x)+6j

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_0], 10000000h
		jnz	short loc_50EA17
		cmp	[ebp+arg_0], 80000018h
		jz	short loc_50EA17
		xor	al, al

loc_50EA13:				; CODE XREF: RtlIsNonEmptyDirectoryReparsePointAllowed(x)+1Fj
		pop	ebp
		retn	4
; 

loc_50EA17:				; CODE XREF: RtlIsNonEmptyDirectoryReparsePointAllowed(x)+Cj
					; RtlIsNonEmptyDirectoryReparsePointAllowed(x)+15j
		mov	al, 1
		jmp	short loc_50EA13
_RtlIsNonEmptyDirectoryReparsePointAllowed@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MmQueryApiSetSchema(x, x)
_MmQueryApiSetSchema@8 proc near	; CODE XREF: PsQueryCurrentApiSetSchema+1Ep
					; PAGE:008D2AFDp
		mov	dword ptr [ecx], offset	dword_6CF4E4
		mov	dword ptr [edx], offset	dword_6CF4E8
		retn
_MmQueryApiSetSchema@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViAvlAllocateNode(x, x)
_ViAvlAllocateNode@8 proc near		; DATA XREF: VfAvlInitializeTreeEx+8Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+38h]
		and	dword ptr [ecx+38h], 0
		add	eax, 0FFFFFFF0h
		pop	ebp
		retn	8
_ViAvlAllocateNode@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExQueryHandleExceptionsPermanency proc near ; CODE XREF: NtClose+13Bp
					; PAGE:0083DCC5p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DAC7F SIZE 00000065 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ecx
		mov	ecx, large fs:124h
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], eax
		dec	word ptr [ecx+13Ch]
		mov	[ebp+var_28], ecx
		nop
		lea	esi, [eax+24h]
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_8], esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_10]
		mov	ecx, [eax+54h]
		test	ecx, ecx
		jnz	loc_5DAC7F
		test	byte ptr [eax+1Ch], 2
		jnz	loc_5DAC8F
		mov	[edi], cl
		xor	al, al

loc_50EAA0:				; CODE XREF: ExQueryHandleExceptionsPermanency+CC24Aj
					; ExQueryHandleExceptionsPermanency+CC254j
		mov	ecx, [ebx+8]
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	[ecx], al
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_50EBEF

loc_50EABB:				; CODE XREF: ExQueryHandleExceptionsPermanency+1B6j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	esi, 7FFFFFFCh
		jz	loc_50EBC4
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_50EAFB
		cmp	byte ptr dword_6D3994[ecx], 1
		jz	loc_50EBD7

loc_50EAFB:				; CODE XREF: ExQueryHandleExceptionsPermanency+ACj
		cmp	eax, [ebp+var_20]
		jb	short loc_50EB0D
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_50EBD7

loc_50EB0D:				; CODE XREF: ExQueryHandleExceptionsPermanency+BEj
					; ExQueryHandleExceptionsPermanency+1AAj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_50EC3F
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_50EC52

loc_50EB4E:				; CODE XREF: ExQueryHandleExceptionsPermanency+21Aj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5DACAC
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_50EB9A:				; CODE XREF: ExQueryHandleExceptionsPermanency+207j
					; ExQueryHandleExceptionsPermanency+CC27Ej
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	short loc_50EBFB

loc_50EBAD:				; CODE XREF: ExQueryHandleExceptionsPermanency+1F4j
					; ExQueryHandleExceptionsPermanency+CC29Fj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_50EBC4
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_50EC5F

loc_50EBC4:				; CODE XREF: ExQueryHandleExceptionsPermanency+86j
					; ExQueryHandleExceptionsPermanency+176j ...
		mov	ecx, [ebp+var_28]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_50EBD7:				; CODE XREF: ExQueryHandleExceptionsPermanency+B5j
					; ExQueryHandleExceptionsPermanency+C7j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]
		jmp	loc_50EB0D
; 

loc_50EBEF:				; CODE XREF: ExQueryHandleExceptionsPermanency+75j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_50EABB
; 

loc_50EBFB:				; CODE XREF: ExQueryHandleExceptionsPermanency+16Bj
		test	edi, 8000h
		jz	short loc_50EC0C
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_50EC0C:				; CODE XREF: ExQueryHandleExceptionsPermanency+1C1j
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5DACC3

loc_50EC16:				; CODE XREF: ExQueryHandleExceptionsPermanency+CC28Dj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_50EC2A
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_50EC2A:				; CODE XREF: ExQueryHandleExceptionsPermanency+1DDj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_50EBAD
		jmp	loc_5DACD2
; 

loc_50EC3F:				; CODE XREF: ExQueryHandleExceptionsPermanency+F6j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_50EB9A
		jmp	loc_5DAC99
; 

loc_50EC52:				; CODE XREF: ExQueryHandleExceptionsPermanency+108j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_50EB4E
; 

loc_50EC5F:				; CODE XREF: ExQueryHandleExceptionsPermanency+17Ej
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_50EBC4
ExQueryHandleExceptionsPermanency endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspLockProcessShared(x, x)
_PspLockProcessShared@8	proc near	; CODE XREF: NtSetInformationThread+A6Dp
					; PAGE:0083F691p ...
		dec	word ptr [edx+13Ch]
		nop
		add	ecx, 0E0h
		xor	edx, edx
		jmp	ExAcquirePushLockSharedEx
_PspLockProcessShared@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall EtwpEnqueueOverflowBuffer(x, x)
@EtwpEnqueueOverflowBuffer@8 proc near	; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+10Fp
					; EtwpDequeueFreeBuffer+D3B6Bp

var_2		= byte ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	byte ptr [ebp-1], 0
		push	esi
		xor	eax, eax
		push	edi
		xor	edi, edi
		lea	esi, [ebx+2Ch]
		inc	eax
		lock cmpxchg [esi], edi
		lea	edx, [ebp-1]
		mov	esi, ecx
		call	_EtwpLockBufferList@8 ;	EtwpLockBufferList(x,x)
		lea	ecx, [ebx+20h]
		and	dword ptr [ecx], 0
		lea	edx, [ebp-1]
		mov	eax, [esi+38h]
		mov	[eax], ecx
		mov	[esi+38h], ecx
		mov	ecx, esi
		call	EtwpUnlockBufferList
		lock inc dword ptr [esi+9Ch]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@EtwpEnqueueOverflowBuffer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDrvDbUnloadNodeDpcRoutine proc near	; DATA XREF: PiDrvDbCreateNode+149o

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DACE4 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		lea	edi, [esi+0E8h]
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte ptr [esi+0ECh], 0
		jnz	short loc_50ED0C
		lea	eax, [esi+0D8h]
		and	dword ptr [eax], 0
		push	1
		push	eax
		mov	dword ptr [eax+8], offset _PiDrvDbUnloadNodeWorkerCallback@4 ; PiDrvDbUnloadNodeWorkerCallback(x)
		mov	[eax+0Ch], esi
		call	ExQueueWorkItem
		mov	byte ptr [esi+0ECh], 1

loc_50ED0C:				; CODE XREF: PiDrvDbUnloadNodeDpcRoutine+1Ej
		test	ds:byte_70EFC6,	1
		jnz	loc_5DACE4
		xor	eax, eax
		lock and [edi],	eax

loc_50ED1E:				; CODE XREF: PiDrvDbUnloadNodeDpcRoutine+CC024j
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
PiDrvDbUnloadNodeDpcRoutine endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpFixedVsFree proc near		; DATA XREF: RtlpHpFixedHeapCreate+108o

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DACF3 SIZE 0000022C BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	ecx, [ebx+10h]
		mov	eax, [ebx+14h]
		push	esi
		mov	esi, [ebx+0Ch]
		push	edi
		mov	edi, [ebx+8]
		sub	esi, edi
		shr	ecx, 0Ch
		shr	esi, 0Ch
		and	eax, 1
		mov	[ebp+var_8], ecx
		mov	[ebp+var_30], eax
		jz	loc_5DACF3
		mov	byte ptr [ebp+var_4+3],	0FFh

loc_50ED67:				; CODE XREF: RtlpHpFixedVsFree+CBFE0j
		mov	eax, [edi+24h]
		mov	[ebp+var_38], eax
		mov	eax, [edi+28h]
		xor	eax, edi
		mov	[ebp+var_34], eax
		mov	eax, [ebp+var_38]
		cmp	esi, eax
		jnb	loc_5DAD1C
		or	[ebp+var_C], 0FFFFFFFFh
		cmp	ecx, 1
		jbe	loc_5DAD09
		sub	eax, esi
		cmp	eax, ecx
		jb	loc_5DAD1C
		lea	eax, [esi-1]
		add	eax, ecx
		mov	ecx, [ebp+var_34]
		mov	[ebp+var_14], eax
		mov	eax, esi
		shr	eax, 5
		lea	edx, [ecx+eax*4]
		mov	eax, [ebp+var_14]
		shr	eax, 5
		lea	ecx, [ecx+eax*4]
		mov	eax, [edx]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], eax
		cmp	edx, ecx
		jnz	short loc_50EE00
		mov	edx, [ebp+var_8]
		or	eax, 0FFFFFFFFh
		push	20h
		pop	ecx
		sub	ecx, edx
		mov	[ebp+var_C], eax
		shr	eax, cl
		mov	ecx, esi
		shl	eax, cl
		mov	ecx, [ebp+var_10]
		and	ecx, eax
		cmp	ecx, eax
		jnz	loc_5DAD1C

loc_50EDE0:				; CODE XREF: RtlpHpFixedVsFree+119j
		push	edx
		push	esi
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		cmp	[ebp+var_30], 0
		jz	loc_5DAD40

loc_50EDF5:				; CODE XREF: RtlpHpFixedVsFree+CC1E2j
					; RtlpHpFixedVsFree+CC1F6j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	10h
; 

loc_50EE00:				; CODE XREF: RtlpHpFixedVsFree+99j
		or	eax, 0FFFFFFFFh
		mov	ecx, esi
		shl	eax, cl
		mov	ecx, [ebp+var_10]
		and	ecx, eax
		cmp	ecx, eax
		jnz	loc_5DAD1C
		mov	eax, [ebp+var_18]

loc_50EE17:				; CODE XREF: RtlpHpFixedVsFree+CC017j
		add	edx, 4
		mov	[ebp+var_10], edx
		cmp	edx, eax
		jnz	loc_5DAD36
		mov	eax, [ebp+var_10]
		or	edx, 0FFFFFFFFh
		mov	ecx, [ebp+var_14]
		not	ecx
		shr	edx, cl
		mov	eax, [eax]
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_50EE3F

loc_50EE3A:				; CODE XREF: RtlpHpFixedVsFree+CBFF2j
		mov	edx, [ebp+var_8]
		jmp	short loc_50EDE0
; 

loc_50EE3F:				; CODE XREF: RtlpHpFixedVsFree+114j
		xor	al, al
		jmp	loc_5DAD14
RtlpHpFixedVsFree endp


;  S U B	R O U T	I N E 


; __stdcall BiSanitizeHandle(x)
_BiSanitizeHandle@4 proc near		; CODE XREF: BiDeleteKey+13p
					; BcdFlushStore+20p ...
		and	ecx, 0FFFFFFFDh
		mov	eax, ecx
		retn
_BiSanitizeHandle@4 endp


;  S U B	R O U T	I N E 


CmDoVirtualTest	proc near		; CODE XREF: NtDeleteValueKey+319p
					; NtSetValueKey+6EBp ...
		cmp	_CmpVEEnabled, 0
		push	esi
		mov	esi, ecx
		jz	short loc_50EE74
		mov	eax, large fs:124h
		push	edx
		mov	edx, esi
		mov	cl, [eax+15Ah]
		call	CmpIsSystemEntity
		neg	al
		sbb	al, al
		inc	al
		pop	esi
		retn
; 

loc_50EE74:				; CODE XREF: CmDoVirtualTest+Aj
		xor	al, al
		pop	esi
		retn
CmDoVirtualTest	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1878. PsReferenceSiloContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReferenceSiloContext(x)
		public _PsReferenceSiloContext@4
_PsReferenceSiloContext@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		pop	ebp
		retn	4
_PsReferenceSiloContext@4 endp


;  S U B	R O U T	I N E 


; __stdcall WdipTimeoutTimerRoutine(x, x)
_WdipTimeoutTimerRoutine@8 proc	near	; DATA XREF: WdipSemStartTimeoutCheck()+1Bo
		push	1
		push	offset _WdipTimeoutWorkItem
		call	ExQueueWorkItem
		retn	8
_WdipTimeoutTimerRoutine@8 endp

; 
		align 8
; Exported entry 443. ExSystemTimeToLocalTime

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExSystemTimeToLocalTime(x, x)
		public _ExSystemTimeToLocalTime@8
_ExSystemTimeToLocalTime@8 proc	near	; CODE XREF: ExpSetSystemTime+4Ap
					; ExpSetSystemTime+988Cp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, [eax+268h]
		mov	eax, [ebp+arg_0]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		sub	edx, [esi+1B8h]
		mov	eax, [ebp+arg_4]
		sbb	ecx, [esi+1BCh]
		pop	esi
		mov	[eax], edx
		mov	[eax+4], ecx
		pop	ebp
		retn	8
_ExSystemTimeToLocalTime@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpSetPriorityThread(x, x)
_CmpSetPriorityThread@8	proc near	; CODE XREF: CmpDoFileWrite+1F2p
					; CmpDoFileWrite+220p
		mov	edi, edi
		push	edx
		push	ecx
		call	KeSetPriorityThread
		retn
_CmpSetPriorityThread@8	endp


;  S U B	R O U T	I N E 


; int __cdecl SymCryptSaveXmm(struct _exception	*)
@SymCryptSaveXmm@4 proc	near		; CODE XREF: SymCryptSha256AppendBlocks(x,x,x,x)+29p
					; SymCryptSha256AppendBlocks(x,x,x,x)+3Bp
		jmp	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
@SymCryptSaveXmm@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWorkQueueManagerReaperTimer(x, x)
_ExpWorkQueueManagerReaperTimer@8 proc near
					; DATA XREF: ExpWorkQueueManagerInitialize(x,x,x)+5Co

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	0
		push	0
		add	eax, 40h
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	ebp
		retn	8
_ExpWorkQueueManagerReaperTimer@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


PsBoostThreadIoQoS proc	near		; CODE XREF: KiAbThreadBoostIoPriority+D564Ep

; FUNCTION CHUNK AT 005DAF1F SIZE 00000019 BYTES

		mov	edi, edi
		push	esi
		lea	esi, [ecx+330h]
		test	edx, edx
		jz	loc_5DAF1F
		lock dec dword ptr [esi]

loc_50EF18:				; CODE XREF: PsBoostThreadIoQoS+CC026j
		pop	esi
		retn
PsBoostThreadIoQoS endp

; 
		align 10h
; Exported entry 233. CcSetFileSizes

;  S U B	R O U T	I N E 


; __stdcall CcSetFileSizes(x, x)
		public _CcSetFileSizes@8
_CcSetFileSizes@8 proc near
		jmp	CcSetFileSizesEx
_CcSetFileSizes@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __fastcall ExfAcquireReleasePushLockExclusive(x)
@ExfAcquireReleasePushLockExclusive@4 proc near
					; CODE XREF: PspLockUnlockProcessExclusive(x,x):loc_50C85Fp
					; EtwpLockUnlockBufferList+D3D74p ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		push	0
		xor	edx, edx
		mov	edi, ecx
		call	KeAbPreAcquire
		mov	esi, eax
		mov	ecx, edi
		push	edi
		mov	edx, esi
		call	ExfAcquirePushLockExclusiveEx
		test	esi, esi
		jz	short loc_50EF4A
		or	byte ptr [esi+0Eh], 1

loc_50EF4A:				; CODE XREF: ExfAcquireReleasePushLockExclusive(x)+1Ej
		mov	ecx, edi
		call	@ExfReleasePushLockExclusive@4 ; ExfReleasePushLockExclusive(x)
		test	esi, esi
		jz	short loc_50EF5C
		mov	ecx, edi
		call	KeAbPostRelease

loc_50EF5C:				; CODE XREF: ExfAcquireReleasePushLockExclusive(x)+2Dj
		pop	edi
		pop	esi
		pop	ecx
		retn
@ExfAcquireReleasePushLockExclusive@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2034. RtlDeleteHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlDeleteHashTable
RtlDeleteHashTable proc	near		; CODE XREF: SepDeleteSessionLowboxEntries+81D3Fp
					; RtlpCreateHashTable+D77CBp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DAF38 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+8]
		mov	esi, [edi+20h]
		cmp	eax, 80h
		ja	loc_5DAF38
		test	esi, esi
		jz	short loc_50EF8D
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_50EF8D:				; CODE XREF: RtlDeleteHashTable+1Dj
					; RtlDeleteHashTable+CBFD4j ...
		test	byte ptr [edi],	1
		jz	short loc_50EF9A
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_50EF9A:				; CODE XREF: RtlDeleteHashTable+2Aj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
RtlDeleteHashTable endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 329. ExCancelTimer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExCancelTimer(x, x)
		public _ExCancelTimer@8
_ExCancelTimer@8 proc near		; CODE XREF: EtwpStopLoggerInstance(x)+146p
					; EtwpUpdatePeriodicCaptureState(x,x,x,x)+140p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	ExpCheckForFreedEnhancedTimer
		pop	ebp
		jmp	KeCancelTimer2
_ExCancelTimer@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpGetResolution()
_BgpGetResolution@0 proc near		; CODE XREF: LogFwReport+30p
					; GxpReadFrameBufferPixels+41p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, dword_6B6B68
		mov	[eax], ecx
		mov	ecx, dword_6B6B64
		mov	[eax+4], ecx
		mov	ecx, dword_6B6B6C
		mov	[eax+8], ecx
		pop	ebp
		retn	4
_BgpGetResolution@0 endp


;  S U B	R O U T	I N E 


B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorAttachEx proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+38p
					; ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+36p

; FUNCTION CHUNK AT 005DAF66 SIZE 00000028 BYTES

		mov	edi, edi
		push	esi
		mov	esi, [edx]
		push	edi
		mov	edi, ecx
		and	dword ptr [edi], 0
		and	dword ptr [edi+4], 0
		test	esi, esi
		jz	short loc_50F017
		cmp	byte ptr [esi+3], 0
		push	ebx
		jnz	short loc_50F011
		lea	ebx, [edx+8]

loc_50EFFD:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorAttachEx+2Fj
		mov	eax, [ebx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_5DAF66

loc_50F008:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorAttachEx+CBF8Aj
		mov	esi, [esi+4]

loc_50F00B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorAttachEx+CBFA0j
		cmp	byte ptr [esi+3], 0
		jz	short loc_50EFFD

loc_50F011:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorAttachEx+18j
		mov	[edi], esi
		mov	[edi+4], esi

loc_50F016:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorAttachEx+CBFA9j
		pop	ebx

loc_50F017:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorAttachEx+11j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorAttachEx endp


;  S U B	R O U T	I N E 


; __stdcall MiUnlockNestedProtoPoolPage(x)
_MiUnlockNestedProtoPoolPage@4 proc near ; CODE	XREF: MiCopyDataPageToImagePage:loc_4AB30Cp
					; MiCopyDataPageToImagePage:loc_5C09A5p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		and	byte ptr [esi+16h], 0DFh
		mov	ecx, esi
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		pop	esi
		retn
_MiUnlockNestedProtoPoolPage@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1786. PsGetJobLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetJobLock(x)
		public _PsGetJobLock@4
_PsGetJobLock@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		add	eax, 20h
		pop	ebp
		retn	4
_PsGetJobLock@4	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall EtwpInsertQueueDpc(x)
_EtwpInsertQueueDpc@4 proc near		; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+193p
					; EtwpPrepareDirtyBuffer+D3A57j ...
		mov	eax, [ecx+1Ch]
		mov	edx, _KiClockTimerOwner
		test	eax, eax
		jnz	short loc_50F068
		lea	eax, [edx+20h]
		mov	[ecx+2], ax

loc_50F068:				; CODE XREF: EtwpInsertQueueDpc(x)+Bj
		push	0
		push	0
		push	ecx
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		retn
_EtwpInsertQueueDpc@4 endp

; 
		align 8
; Exported entry 754. IoBoostThreadIo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoBoostThreadIo(x, x, x, x)
		public _IoBoostThreadIo@16
_IoBoostThreadIo@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 0
		jnz	short loc_50F0B6
		cmp	[ebp+arg_8], 1
		mov	ecx, [ebp+arg_0]
		push	0
		push	1
		jnz	short loc_50F09D
		mov	dl, 1
		call	PsBoostThreadIoEx

loc_50F097:				; CODE XREF: IoBoostThreadIo(x,x,x,x)+3Cj
		xor	eax, eax

loc_50F099:				; CODE XREF: IoBoostThreadIo(x,x,x,x)+43j
		pop	ebp
		retn	10h
; 

loc_50F09D:				; CODE XREF: IoBoostThreadIo(x,x,x,x)+16j
		xor	dl, dl
		call	PsBoostThreadIoEx
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	80000000h
		call	IoBoostThreadIoPriority
		jmp	short loc_50F097
; 

loc_50F0B6:				; CODE XREF: IoBoostThreadIo(x,x,x,x)+9j
		mov	eax, 0C000000Dh
		jmp	short loc_50F099
_IoBoostThreadIo@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpLoggerDpc	proc near		; DATA XREF: EtwpInitLoggerContext+214o

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DAF8E SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, 0FFFFFCFFh
		lea	edx, [esi+25Ch]
		mov	eax, [edx]

loc_50F0D5:				; CODE XREF: EtwpLoggerDpc+1Fj
		mov	ecx, eax
		and	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_50F0D5
		mov	edi, eax
		test	edi, 100h
		jz	short loc_50F0F9
		push	0
		push	0
		lea	eax, [esi+174h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_50F0F9:				; CODE XREF: EtwpLoggerDpc+29j
		test	edi, 200h
		jnz	loc_5DAF8E

loc_50F105:				; CODE XREF: EtwpLoggerDpc+CBED9j
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
EtwpLoggerDpc	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall IopSymlinkGetMostRecentlyUsedName(x)
_IopSymlinkGetMostRecentlyUsedName@4 proc near
					; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+D09p
		mov	edi, edi

loc_50F10E:				; CODE XREF: IopSymlinkGetMostRecentlyUsedName(x)+Ej
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	short loc_50F118
		mov	eax, ecx
		retn
; 

loc_50F118:				; CODE XREF: IopSymlinkGetMostRecentlyUsedName(x)+7j
		mov	ecx, eax
		jmp	short loc_50F10E
_IopSymlinkGetMostRecentlyUsedName@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1234. KeQueryRuntimeThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryRuntimeThread(x, x)
		public _KeQueryRuntimeThread@8
_KeQueryRuntimeThread@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	edx, [eax+1C0h]
		mov	[ecx], edx
		mov	eax, [eax+194h]
		pop	ebp
		retn	8
_KeQueryRuntimeThread@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void __stdcall SmpFlushStorePages(void *)
?SmpFlushStorePages@@YGXPAX@Z proc near	; DATA XREF: SmStoreCompressionStop+6Fo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_MmStoreFlushAllHintedPages@0 ;	MmStoreFlushAllHintedPages()
		push	0
		push	0
		push	[ebp+arg_0]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	ebp
		retn	4
?SmpFlushStorePages@@YGXPAX@Z endp


;  S U B	R O U T	I N E 


; __stdcall CmpSetIoPriorityThread(x, x)
_CmpSetIoPriorityThread@8 proc near	; CODE XREF: CmpDoFileWrite+1DFp
					; CmpDoFileWrite+210p
		jmp	PsSetIoPriorityThread
_CmpSetIoPriorityThread@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageFlushTimerCallback(x, x)
_EtwpCoverageFlushTimerCallback@8 proc near ; DATA XREF: EtwpCoverageEnsureContext()+182o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		xor	edx, edx
		inc	edx
		xor	eax, eax
		lea	ecx, [esi+0Ch]
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	short loc_50F187
		push	3
		lea	eax, [esi+0F0h]
		push	eax
		call	ExQueueWorkItem

loc_50F187:				; CODE XREF: EtwpCoverageFlushTimerCallback(x,x)+17j
		pop	esi
		pop	ebp
		retn	8
_EtwpCoverageFlushTimerCallback@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpDelayFreeRMDpcRoutine(x,	x, x, x)
_CmpDelayFreeRMDpcRoutine@16 proc near	; DATA XREF: CmpInitializeTransactions()+C8o
		push	1
		push	offset _CmpDelayFreeRMWorkItem
		call	ExQueueWorkItem
		retn	10h
_CmpDelayFreeRMDpcRoutine@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RtlWriteReleaseTickLock(x)
_RtlWriteReleaseTickLock@4 proc	near	; CODE XREF: KiCalibrateTimeAdjustment+23Fp
					; KiCreateCpuSetForProcessor+A9p
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		add	edx, 1
		mov	[ecx], edx
		adc	eax, 0
		mov	[ecx+4], eax
		retn
_RtlWriteReleaseTickLock@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViTargetDelayFreeAvlNode(x,	x)
_ViTargetDelayFreeAvlNode@8 proc near	; DATA XREF: VfTargetDriversInit()+Ao

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[eax+3Ch], ecx
		pop	ebp
		retn	8
_ViTargetDelayFreeAvlNode@8 endp


;  S U B	R O U T	I N E 


; __stdcall AuthzBasepAllocateSecurityAttributesList()
_AuthzBasepAllocateSecurityAttributesList@0 proc near
					; CODE XREF: SepVerifyDesktopAppxPackageName+C5p
					; SepInternalQuerySecurityAttributesTokenEx+D0BB7p ...
		push	74416553h
		push	18h
		pop	ecx
		call	_AuthzBasepMemAlloc@12 ; AuthzBasepMemAlloc(x,x,x)
		test	eax, eax
		jz	short locret_50F1EE
		xor	edx, edx
		lea	ecx, [eax+4]
		mov	[eax+8], edx
		mov	[eax+14h], edx
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		lea	ecx, [eax+10h]
		mov	[eax], edx
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	[eax+0Ch], edx

locret_50F1EE:				; CODE XREF: AuthzBasepAllocateSecurityAttributesList()+Fj
		retn
_AuthzBasepAllocateSecurityAttributesList@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmHighMemPriorityWatchdogTimerCallback(struct	_KTIMER2 *, void *)
?SmHighMemPriorityWatchdogTimerCallback@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU_KTIMER2@@PAX@Z proc near
					; DATA XREF: SMKM_STORE_MGR<SM_TRAITS>::SmInitialize(SMKM_STORE_MGR<SM_TRAITS> *,_SMKM_STORE_MGR_PARAMS	*)+112o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		add	esi, 450h
		mov	edx, esi
		lea	ecx, [esi+0Ch]
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	short loc_50F216
		push	3
		push	esi
		call	ExQueueWorkItem

loc_50F216:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmHighMemPriorityWatchdogTimerCallback(_KTIMER2	*,void *)+1Cj
		pop	esi
		pop	ebp
		retn	8
?SmHighMemPriorityWatchdogTimerCallback@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU_KTIMER2@@PAX@Z endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiGetCpuSetData(x, x)
_KiGetCpuSetData@8 proc	near		; CODE XREF: KeQueryCpuSetInformation+98p
		shl	edx, 4
		add	edx, ds:_KiCpuSetData
		mov	eax, edx
		retn
_KiGetCpuSetData@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnTracingStateDpcRoutine(x, x, x,	x)
_PfSnTracingStateDpcRoutine@16 proc near
					; DATA XREF: IoRequestDeviceRemovalForReset(x,x)+3Eo
					; PfSnInitializePrefetcher()+B0o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	1
		add	eax, 48h
		push	eax
		call	ExQueueWorkItem
		pop	ebp
		retn	10h
_PfSnTracingStateDpcRoutine@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void * __stdcall SmAllocWrapper(unsigned long, void *)
?SmAllocWrapper@@YGPAXKPAX@Z proc near	; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+4AAp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		push	eax
		push	[ebp+arg_0]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
?SmAllocWrapper@@YGPAXKPAX@Z endp


;  S U B	R O U T	I N E 


FinishHash	proc near		; CODE XREF: ComputeFlushPeriod+52p
		imul	edx, [ecx], 9
		mov	eax, edx
		shr	eax, 0Bh
		xor	eax, edx
		imul	eax, 8001h
		mov	[ecx], eax
		retn
FinishHash	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MmGetLowestPhysicalPage(x)
_MmGetLowestPhysicalPage@4 proc	near	; CODE XREF: PAGE:0077DEC1p
		mov	eax, dword_6D3018
		movzx	ecx, cx
		mov	eax, [eax+ecx*4]
		mov	eax, [eax+0F40h]
		retn
_MmGetLowestPhysicalPage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmStartIllegalProcessorThrottleLogging(x, x, x)
_PpmStartIllegalProcessorThrottleLogging@12 proc near ;	DATA XREF: PAGELK:0071F280o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax+3E48h], 1
		mov	byte ptr [eax+3E50h], 0
		xor	eax, eax
		pop	ebp
		retn	0Ch
_PpmStartIllegalProcessorThrottleLogging@12 endp


;  S U B	R O U T	I N E 


; __stdcall KiInitializeDpcList(x)
_KiInitializeDpcList@4 proc near	; CODE XREF: KiInitializeProcessor+27p
					; KiInitPrcb(x,x)+108p
		and	dword ptr [ecx], 0
		mov	[ecx+4], ecx
		retn
_KiInitializeDpcList@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall VfIsVerifierEnabled()
_VfIsVerifierEnabled@0 proc near	; CODE XREF: PopInvokeSystemStateHandler+204p
					; PopInvokeSystemStateHandler:loc_71BD8Bp ...
		mov	eax, _ViVerifierEnabled
		retn
_VfIsVerifierEnabled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmStopIllegalProcessorThrottleLogging(x, x, x)
_PpmStopIllegalProcessorThrottleLogging@12 proc	near ; DATA XREF: PAGELK:0071ECBBo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax+3E48h], 0
		xor	eax, eax
		pop	ebp
		retn	0Ch
_PpmStopIllegalProcessorThrottleLogging@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiIntSteerInitPrcb(x)
_KiIntSteerInitPrcb@4 proc near		; CODE XREF: KiInitPrcb(x,x)+28Bp
		and	dword ptr [ecx+21D8h], 0
		xor	eax, eax
		mov	dword ptr [ecx+21DCh], 1
		retn
_KiIntSteerInitPrcb@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpUserPresenceCallback(x, x, x, x)
_CmpUserPresenceCallback@16 proc near	; DATA XREF: CmpInitializeLazyWriters+D6o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax], 2
		setnz	_CmpUserPresent
		xor	eax, eax
		pop	ebp
		retn	10h
_CmpUserPresenceCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_atomic_uint32_compare_exchange_relaxed(x, x, x)
_wil_atomic_uint32_compare_exchange_relaxed@12 proc near
					; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+89p
					; wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+11Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [edx]
		mov	eax, edi
		lock cmpxchg [ecx], esi
		cmp	eax, edi
		pop	edi
		pop	esi
		jnz	short loc_50F30D
		xor	eax, eax
		inc	eax

loc_50F309:				; CODE XREF: wil_atomic_uint32_compare_exchange_relaxed(x,x,x)+23j
		pop	ebp
		retn	4
; 

loc_50F30D:				; CODE XREF: wil_atomic_uint32_compare_exchange_relaxed(x,x,x)+16j
		mov	[edx], eax
		xor	eax, eax
		jmp	short loc_50F309
_wil_atomic_uint32_compare_exchange_relaxed@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgLoadUserImageSymbols(x, x, x, x,	x)
_DbgLoadUserImageSymbols@20 proc near	; CODE XREF: MiLoadUserSymbols+63p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+arg_0], eax
		mov	eax, 3
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+arg_0]
		int	2Dh		; Internal routine for MSDOS (IRET)
		int	3		; Trap to Debugger
		leave
		retn	0Ch
_DbgLoadUserImageSymbols@20 endp


;  S U B	R O U T	I N E 


; __stdcall MiVaToSoftwareWsle(x, x)
_MiVaToSoftwareWsle@8 proc near		; CODE XREF: MiUnloadSystemImage+48Cp
		movzx	eax, byte ptr [ecx+60h]
		and	eax, 7
		shr	edx, 0Ch
		add	edx, dword_6D2E68[eax*4]
		mov	eax, edx
		retn
_MiVaToSoftwareWsle@8 endp


;  S U B	R O U T	I N E 


; int __fastcall EtwpCoverageInitializeStringBuffer(void *,size_t)
_EtwpCoverageInitializeStringBuffer@8 proc near
					; CODE XREF: EtwpCoverageEnsureStringBuffer+32p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		lea	eax, [edi+esi]
		add	esp, 0Ch
		mov	[edi+8], eax
		lea	eax, [edi+14h]
		mov	[edi+0Ch], eax
		mov	[edi+10h], eax
		pop	edi
		pop	esi
		retn
_EtwpCoverageInitializeStringBuffer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRevertQuasiPte(x,	x)
_MiRevertQuasiPte@8 proc near		; CODE XREF: KiCalibrateTimeAdjustment+31Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		and	eax, 0FFFFFBFFh
		or	eax, 1
		pop	ebp
		retn	8
_MiRevertQuasiPte@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeQuasiPte(x, x)
_MiMakeQuasiPte@8 proc near		; CODE XREF: KiCalibrateTimeAdjustment+30Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		and	eax, 0FFFFFFFEh
		or	eax, 400h
		pop	ebp
		retn	8
_MiMakeQuasiPte@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiGetCurrentGroupCount()
_KiGetCurrentGroupCount@0 proc near	; CODE XREF: KiUpdateProcessorCount(x,x)+3p
		mov	ax, word_6D4E28
		retn
_KiGetCurrentGroupCount@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall HvlRescindEnlightenments(x)
_HvlRescindEnlightenments@4 proc near	; CODE XREF: KiEnableKvaShadowing(x,x)+C1p
		xor	ecx, ecx
		mov	eax, offset _HvlpRescindedEnlightenments
		inc	ecx
		lock or	[eax], ecx
		push	0FFFFFFFEh
		pop	ecx
		mov	eax, offset _HvlEnlightenments
		lock and [eax],	ecx
		mov	eax, offset _HvlpEnlightenments
		lock and [eax],	ecx
		retn
_HvlRescindEnlightenments@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapCorrectErrorSourceDeviceDriver(x, x)
_WheapCorrectErrorSourceDeviceDriver@8 proc near
					; DATA XREF: WheaAddErrorSourceDeviceDriver+FFo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+10h]
		mov	eax, [ebp+arg_4]
		add	ecx, 50h
		mov	[eax], ecx
		xor	eax, eax
		pop	ebp
		retn	8
_WheapCorrectErrorSourceDeviceDriver@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopOkayToQueueNextWorkItem(x)
_PopOkayToQueueNextWorkItem@4 proc near	; CODE XREF: PopCheckPowerSourceAfterRtcWakeTimerWorker(x)+6Dp
					; PopBsdUpdateWorker(x)+FEp ...
		xor	edx, edx
		lea	eax, [ecx+10h]
		xchg	edx, [eax]
		retn
_PopOkayToQueueNextWorkItem@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetSystemRegionIndex(x)
_MiGetSystemRegionIndex@4 proc near	; CODE XREF: MiSessionCreateInternal(x)+254p
		shr	ecx, 15h
		lea	eax, [ecx-400h]
		retn
_MiGetSystemRegionIndex@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRmProcessCreationCommandLineAuditSettingsWrkr(x,	x)
_SepRmProcessCreationCommandLineAuditSettingsWrkr@8 proc near ;	DATA XREF: PAGE:00A40D18o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	_SepRmAuditingEnabled, 1
		and	dword ptr [eax+18h], 0
		mov	eax, [ebp+arg_0]
		mov	al, [eax+1Ch]
		mov	_SepRmAuditProcessCommandLine, al
		pop	ebp
		retn	8
_SepRmProcessCreationCommandLineAuditSettingsWrkr@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PfFbBufferListUpdateMax(x, x)
_PfFbBufferListUpdateMax@8 proc	near	; CODE XREF: PfTStart+122p
					; PfTStart+15Ap
		lea	eax, [ecx+34h]
		xchg	edx, [eax]
		mov	eax, edx
		retn
_PfFbBufferListUpdateMax@8 endp


;  S U B	R O U T	I N E 


; int __fastcall RtlpFcInitializeBuffers(void *)
_RtlpFcInitializeBuffers@4 proc	near	; CODE XREF: RtlpFcBufferManagerUpdateBuffers(x,x,x,x)+93p
					; SmcCacheInitialize(x)+19p
		push	30h		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		retn
_RtlpFcInitializeBuffers@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpDisableLazyFlush(x)
_CmpDisableLazyFlush@4 proc near	; CODE XREF: CmSetLazyFlushState+7p
					; CmSetLazyFlushState+4Ap ...
		mov	eax, offset _CmpHoldLazyFlush
		lock or	[eax], ecx
		retn
_CmpDisableLazyFlush@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall BgpGxMarkClean(x)
_BgpGxMarkClean@4 proc near		; CODE XREF: BgpGxCopyBitmapToRectangle(x,x,x)+6Ep
					; BgpGxCopyRectangle(x,x,x,x)+97p
		and	dword ptr [ecx+10h], 0FFFFFFEFh
		retn
_BgpGxMarkClean@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopResetRangeEnum(x)
_PopResetRangeEnum@4 proc near		; CODE XREF: PopSaveHiberContext+2EBp
		mov	eax, [ecx+30h]
		and	dword ptr [ecx+50h], 0
		mov	[ecx+4Ch], eax
		retn
_PopResetRangeEnum@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KeIntSteerIsSteeringEnabled()
_KeIntSteerIsSteeringEnabled@0 proc near
					; CODE XREF: ExpQueryInterruptSteeringInformation+94p
		mov	al, _KiIntSteerEnabled
		retn
_KeIntSteerIsSteeringEnabled@0 endp


;  S U B	R O U T	I N E 


; __stdcall HvlQueryHypervisorTscAdjustment()
_HvlQueryHypervisorTscAdjustment@0 proc	near
					; CODE XREF: PopDiagComputeEarlyHiberStats()+43p
		xor	eax, eax
		xor	edx, edx
		retn
_HvlQueryHypervisorTscAdjustment@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmSiProcessTupleInitialize(x)
_CmSiProcessTupleInitialize@4 proc near	; CODE XREF: CmpInitializeRegistryProcess()+2Fp
		and	_CmpRegistryProcess, 0
		and	dword_6CDE84, 0
		retn
_CmSiProcessTupleInitialize@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MmGetPagedPoolCommitPointer()
_MmGetPagedPoolCommitPointer@0 proc near ; CODE	XREF: KdInitSystem+8Cp
		mov	eax, offset dword_6D35D4
		retn
_MmGetPagedPoolCommitPointer@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopWakeInfoReference(x)
_PopWakeInfoReference@4	proc near	; CODE XREF: PopHandleWakeSources+7Ap
		mov	edi, edi
		lock inc dword ptr [ecx+8]
		retn
_PopWakeInfoReference@4	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiInitializeWsleBase(x, x)
_MiInitializeWsleBase@8	proc near	; CODE XREF: MiInitializeSessionGlobals+81p
		mov	dword_6D2E68[ecx*4], edx
		retn
_MiInitializeWsleBase@8	endp


;  S U B	R O U T	I N E 


; __stdcall PopSetNotificationWork(x)
_PopSetNotificationWork@4 proc near	; CODE XREF: PopUserPresentSet+8Bp
					; PopInitilizeAcDcSettings+76p	...
		mov	eax, _PopNotifyEvents
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_50F4A0
		retn
; 

loc_50F4A0:				; CODE XREF: PopSetNotificationWork(x)+9j
		mov	eax, offset _PopNotifyEvents
		lock or	[eax], ecx
		push	4
		pop	ecx
		call	PopGetPolicyWorker
		jmp	PopCheckForWork
_PopSetNotificationWork@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCheckForIdleness(x, x, x, x)
_PopCheckForIdleness@16	proc near	; DATA XREF: PopInitializeSystemIdleDetection()+35o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_1A		= word ptr -1Ah
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		xor	ecx, ecx
		xor	eax, eax
		push	edi
		push	0FFFFh
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_1A], ax
		mov	[ebp+var_4], ecx
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	cl, 2
		mov	[ebp+var_8], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	esi, dword_6C22D8
		mov	bl, al
		lea	eax, [ebp+var_10]
		push	eax
		call	KeQueryTickCount
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	byte_6C22D5, 0
		jz	loc_50F624
		mov	edi, [ebp+var_10]
		sub	edi, esi
		test	edi, edi
		jg	short loc_50F522
		mov	byte_6C22D5, 0
		jmp	loc_50F67C
; 

loc_50F522:				; CODE XREF: PopCheckForIdleness(x,x,x,x)+5Ej
		xor	eax, eax
		xor	ebx, ebx
		mov	[ebp+var_1C], ax
		mov	eax, ds:dword_70E328
		push	64h
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_24]
		pop	esi
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_24], offset _KeActiveProcessors
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_50F596

loc_50F54D:				; CODE XREF: PopCheckForIdleness(x,x,x,x)+CEj
		mov	eax, [ebp+var_4]
		xor	edx, edx
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		mov	eax, [ecx+0Ch]
		mov	eax, [eax+194h]
		sub	eax, [ecx+3E3Ch]
		imul	eax, 64h
		div	edi
		cmp	eax, esi
		jge	short loc_50F573
		mov	esi, eax

loc_50F573:				; CODE XREF: PopCheckForIdleness(x,x,x,x)+B9j
		add	ebx, eax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jz	short loc_50F54D
		cmp	esi, 64h
		jle	short loc_50F590
		push	64h
		pop	esi
		jmp	short loc_50F596
; 

loc_50F590:				; CODE XREF: PopCheckForIdleness(x,x,x,x)+D3j
		test	esi, esi
		jns	short loc_50F596
		xor	esi, esi

loc_50F596:				; CODE XREF: PopCheckForIdleness(x,x,x,x)+95j
					; PopCheckForIdleness(x,x,x,x)+D8j ...
		mov	eax, ebx
		cdq
		idiv	[ebp+var_8]
		mov	ecx, eax
		cmp	ecx, 64h
		jle	short loc_50F5A8
		push	64h
		pop	ecx
		jmp	short loc_50F5AE
; 

loc_50F5A8:				; CODE XREF: PopCheckForIdleness(x,x,x,x)+EBj
		test	ecx, ecx
		jns	short loc_50F5AE
		xor	ecx, ecx

loc_50F5AE:				; CODE XREF: PopCheckForIdleness(x,x,x,x)+F0j
					; PopCheckForIdleness(x,x,x,x)+F4j
		cmp	_PopPlatformAoAc, 0
		mov	dword_6C22A4, esi
		mov	_PopSIdle, ecx
		jnz	short loc_50F624
		cmp	dword_6C22AC, 0
		jz	short loc_50F624
		mov	eax, _PopIdleScanInterval
		mov	edx, esi
		add	dword_6C22A8, eax
		push	ecx
		push	ecx
		call	PopDiagTraceIdleCheck
		cmp	_PopPlatformAoAc, 0
		jnz	short loc_50F624
		mov	ecx, _PopPreSleepNotificationSeconds
		mov	edx, dword_6C22AC
		lea	eax, [ecx+78h]
		cmp	eax, edx
		ja	short loc_50F624
		mov	eax, dword_6C22A8
		add	eax, ecx
		cmp	eax, edx
		jb	short loc_50F624
		cmp	_PopIsAboutToSleep, 0
		jnz	short loc_50F624
		xor	edx, edx
		mov	_PopIsAboutToSleep, 1
		inc	edx
		mov	ecx, offset _PopPreSleepNotifyWorkItem
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)

loc_50F624:				; CODE XREF: PopCheckForIdleness(x,x,x,x)+51j
					; PopCheckForIdleness(x,x,x,x)+10Bj ...
		mov	eax, [ebp+var_10]
		mov	dword_6C22D8, eax
		mov	eax, [ebp+var_C]
		mov	dword_6C22DC, eax
		xor	eax, eax
		mov	[ebp+var_1C], ax
		mov	eax, ds:dword_70E328
		mov	byte_6C22D5, 1
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], offset _KeActiveProcessors
		jmp	short loc_50F66B
; 

loc_50F652:				; CODE XREF: PopCheckForIdleness(x,x,x,x)+1C4j
		mov	eax, [ebp+var_4]
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		mov	eax, [ecx+0Ch]
		mov	eax, [eax+194h]
		mov	[ecx+3E3Ch], eax

loc_50F66B:				; CODE XREF: PopCheckForIdleness(x,x,x,x)+19Aj
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jz	short loc_50F652

loc_50F67C:				; CODE XREF: PopCheckForIdleness(x,x,x,x)+67j
		xor	ecx, ecx
		cmp	_PopPlatformAoAc, cl
		setz	cl
		dec	ecx
		and	ecx, 78h
		add	ecx, 8
		call	PopGetPolicyWorker
		call	PopCheckForWork
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PopCheckForIdleness@16	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopGetPolicyWorker proc	near		; CODE XREF: PopSetNotificationWork(x)+17p
					; PopCheckForIdleness(x,x,x,x)+1D8p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PopWorkerSpinLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		or	_PopWorkerPending, esi
		test	ds:byte_70EFC6,	1
		jnz	loc_5E3469
		xor	eax, eax
		lock and [edi],	eax

loc_50F6D6:				; CODE XREF: MiFreePrivateFixupEntryForSystemImage+82801j
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
PopGetPolicyWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceIdleCheck proc near		; CODE XREF: PopCheckForIdleness(x,x,x,x)+125p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E3478 SIZE 000000B4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_80], edx
		mov	[ebp+var_7C], ebx
		cmp	_PopDiagHandleRegistered, bl
		jz	short loc_50F72C
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_IDLE_CHECK ; "H"
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5E3478

loc_50F72A:				; CODE XREF: PopDiagTraceIdleCheck+D3E45j
		pop	edi
		pop	esi

loc_50F72C:				; CODE XREF: PopDiagTraceIdleCheck+24j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
PopDiagTraceIdleCheck endp

; 
		align 10h
; Exported entry 2068. RtlExpandHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlExpandHashTable
RtlExpandHashTable proc	near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	eax, [esi+8]
		cmp	eax, (offset loc_7FFF7C+4)
		jz	loc_50F8C2
		cmp	dword ptr [esi+1Ch], 0
		ja	loc_50F8C2
		lea	ecx, [eax+80h]
		bsr	edi, ecx
		btc	ecx, edi
		mov	[ebp+var_4], ecx
		cmp	eax, 80h
		jz	loc_50F874

loc_50F782:				; CODE XREF: RtlExpandHashTable+166j
		mov	ebx, [esi+20h]
		mov	eax, [ebx+edi*4-1Ch]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_50F858

loc_50F794:				; CODE XREF: RtlExpandHashTable+12Fj
		mov	edx, [esi+0Ch]
		mov	ecx, esi
		inc	dword ptr [esi+8]
		call	_RtlpGetChainHead@8 ; RtlpGetChainHead(x,x)
		mov	ecx, [ebp+var_4]
		mov	ebx, eax
		mov	eax, [ebp+arg_0]
		inc	dword ptr [esi+0Ch]
		lea	edi, [eax+ecx*8]
		mov	[edi+4], edi
		mov	[edi], edi
		mov	edx, [ebx]
		cmp	edx, ebx
		jz	short loc_50F80A
		mov	[ebp+arg_0], ebx

loc_50F7BD:				; CODE XREF: RtlExpandHashTable+BDj
		mov	eax, [edx+8]
		mov	ecx, [esi+4]
		shr	eax, cl
		imul	ecx, eax, 41C64E6Dh
		imul	eax, 10DCDh
		add	ecx, 3039h
		shr	ecx, 10h
		inc	eax
		and	eax, 0FFFF0000h
		or	ecx, eax
		mov	eax, [esi+10h]
		add	eax, eax
		or	eax, 1
		and	ecx, eax
		mov	eax, [esi+8]
		dec	eax
		cmp	ecx, eax
		jz	short loc_50F822
		mov	eax, edx
		mov	[ebp+arg_0], eax

loc_50F7F9:				; CODE XREF: RtlExpandHashTable+111j
		mov	edx, [eax]
		cmp	edx, ebx
		jnz	short loc_50F7BD
		cmp	[edi], edi
		jz	short loc_50F806
		inc	dword ptr [esi+18h]

loc_50F806:				; CODE XREF: RtlExpandHashTable+C1j
		cmp	[ebx], ebx
		jz	short loc_50F853

loc_50F80A:				; CODE XREF: RtlExpandHashTable+78j
					; RtlExpandHashTable+116j
		mov	edx, [esi+10h]
		lea	ecx, [edx+1]
		cmp	[esi+0Ch], ecx
		jz	loc_50F8AB

loc_50F819:				; CODE XREF: RtlExpandHashTable+178j
		mov	al, 1

loc_50F81B:				; CODE XREF: RtlExpandHashTable+184j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_50F822:				; CODE XREF: RtlExpandHashTable+B2j
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	loc_50F8BD
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	loc_50F8BD
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_50F8BD
		mov	[edx+4], eax
		mov	[edx], edi
		mov	[eax], edx
		mov	eax, [ebp+arg_0]
		mov	[edi+4], edx
		jmp	short loc_50F7F9
; 

loc_50F853:				; CODE XREF: RtlExpandHashTable+C8j
		dec	dword ptr [esi+18h]
		jmp	short loc_50F80A
; 

loc_50F858:				; CODE XREF: RtlExpandHashTable+4Ej
		lea	ecx, [edi-7]
		call	_RtlpAllocateSecondLevelDir@4 ;	RtlpAllocateSecondLevelDir(x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_5E700F
		mov	[ebx+edi*4-1Ch], eax
		jmp	loc_50F794
; 

loc_50F874:				; CODE XREF: RtlExpandHashTable+3Cj
		mov	eax, [esi+20h]
		push	62615448h
		push	40h
		push	200h
		mov	[ebp+arg_0], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_50F8C2
		push	40h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[ebx], eax
		mov	[esi+20h], ebx
		jmp	loc_50F782
; 

loc_50F8AB:				; CODE XREF: RtlExpandHashTable+D3j
		lea	ecx, [edx+edx]
		or	ecx, 1
		and	dword ptr [esi+0Ch], 0
		mov	[esi+10h], ecx
		jmp	loc_50F819
; 

loc_50F8BD:				; CODE XREF: RtlExpandHashTable+E7j
					; RtlExpandHashTable+F2j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_50F8C2:				; CODE XREF: RtlExpandHashTable+18j
					; RtlExpandHashTable+22j ...
		xor	al, al
		jmp	loc_50F81B
RtlExpandHashTable endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2011. RtlCreateHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCreateHashTable(x, x, x)
		public _RtlCreateHashTable@12
_RtlCreateHashTable@12 proc near	; CODE XREF: SepSetTokenCachedHandles+12Cp
					; SepInitializeLowBoxNumberTable+11p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		mov	edx, 80h
		push	[ebp+arg_4]
		call	RtlpCreateHashTable
		pop	ebp
		retn	0Ch
_RtlCreateHashTable@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCreateHashTable proc near		; CODE XREF: RtlCreateHashTable(x,x,x)+13p
					; RtlCreateHashTableEx(x,x,x,x)+11p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E702E SIZE 00000091 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		lea	eax, [ebx-1]
		test	eax, ebx
		jnz	loc_50F9A0
		lea	eax, [ebx-80h]
		cmp	eax, (offset loc_7FFEFF+1)
		ja	loc_50F9A0
		mov	esi, [ecx]
		xor	edi, edi
		mov	eax, edi
		test	esi, esi
		jz	short loc_50F981

loc_50F91C:				; CODE XREF: RtlpCreateHashTable+B1j
		mov	[esi+14h], edi
		mov	[esi+18h], edi
		mov	[esi+1Ch], edi
		mov	[esi+20h], edi
		or	eax, [ebp+arg_4]
		mov	[esi], eax
		lea	eax, [ebx-1]
		mov	[esi+10h], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+8], ebx
		mov	[esi+4], eax
		mov	[esi+0Ch], edi
		cmp	ebx, 80h
		ja	loc_5E702E
		xor	ecx, ecx
		call	_RtlpAllocateSecondLevelDir@4 ;	RtlpAllocateSecondLevelDir(x)
		test	eax, eax
		jz	loc_5E70B4
		mov	edx, [esi+8]
		test	edx, edx
		jz	short loc_50F970
		mov	ecx, eax

loc_50F963:				; CODE XREF: RtlpCreateHashTable+84j
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		add	ecx, 8
		sub	edx, 1
		jnz	short loc_50F963

loc_50F970:				; CODE XREF: RtlpCreateHashTable+75j
		mov	[esi+20h], eax

loc_50F973:				; CODE XREF: RtlpCreateHashTable+D77C5j
		mov	ecx, [ebp+var_8]
		mov	al, 1
		mov	[ecx], esi

loc_50F97A:				; CODE XREF: RtlpCreateHashTable+B8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_50F981:				; CODE XREF: RtlpCreateHashTable+30j
		push	62615448h
		push	24h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_50F9A0
		xor	eax, eax
		inc	eax
		jmp	loc_50F91C
; 

loc_50F9A0:				; CODE XREF: RtlpCreateHashTable+14j
					; RtlpCreateHashTable+22j ...
		xor	al, al
		jmp	short loc_50F97A
RtlpCreateHashTable endp


;  S U B	R O U T	I N E 


; __stdcall RtlpAllocateSecondLevelDir(x)
_RtlpAllocateSecondLevelDir@4 proc near	; CODE XREF: RtlExpandHashTable+11Bp
					; RtlpCreateHashTable+63p ...
		xor	eax, eax
		add	ecx, 7
		inc	eax
		shl	eax, cl
		push	62615448h
		shl	eax, 3
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
_RtlpAllocateSecondLevelDir@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 703. HvlQueryConnection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public HvlQueryConnection
HvlQueryConnection proc	near		; CODE XREF: EtwpSysModuleRunDown+6Cp
					; HvlPhase0Initialize+31p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E70BF SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_HvlpHypercallCodeVa
		test	eax, eax
		jnz	loc_5E70BF
		mov	eax, 0C0000001h

loc_50F9DD:				; CODE XREF: HvlQueryConnection+D7704j
		pop	ebp
		retn	4
HvlQueryConnection endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ExRemoveLowBoxAtomReferences(x, x)
_ExRemoveLowBoxAtomReferences@8	proc near ; CODE XREF: SepDereferenceLowBoxNumberEntry+CFp
		mov	edi, edi
		push	ecx
		call	_RtlDestroyLowBoxAtoms@8 ; RtlDestroyLowBoxAtoms(x,x)
		pop	ecx
		retn
_ExRemoveLowBoxAtomReferences@8	endp


;  S U B	R O U T	I N E 


; __stdcall RtlDereferenceAtomTable(x)
_RtlDereferenceAtomTable@4 proc	near	; CODE XREF: SepDereferenceLowBoxNumberEntry+D7p
		mov	edi, edi
		push	ecx
		call	RtlDestroyAtomTable
		retn
_RtlDereferenceAtomTable@4 endp	; sp = -4

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2313. RtlRemoveEntryHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlRemoveEntryHashTable
RtlRemoveEntryHashTable	proc near	; CODE XREF: SepCleanupMarkedForDeletionEntries()+2Dp
					; SepDereferenceLowBoxNumberEntry+83p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E70CF SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [eax+8]
		dec	dword ptr [esi+14h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	edx, ecx
		jnz	short loc_50FA1E
		dec	dword ptr [esi+18h]
		mov	ecx, [eax+4]
		mov	edx, [eax]

loc_50FA1E:				; CODE XREF: RtlRemoveEntryHashTable+1Aj
		cmp	[edx+4], eax
		jnz	short loc_50FA3F
		cmp	[ecx], eax
		jnz	short loc_50FA3F
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jnz	loc_5E70CF

loc_50FA37:				; CODE XREF: RtlRemoveEntryHashTable+D76D8j
					; RtlRemoveEntryHashTable+D76E6j
		pop	edi
		mov	al, 1
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_50FA3F:				; CODE XREF: RtlRemoveEntryHashTable+27j
					; RtlRemoveEntryHashTable+2Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
RtlRemoveEntryHashTable	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCloseCachedTokenHandles(x, x)
_SepCloseCachedTokenHandles@8 proc near	; CODE XREF: SepDereferenceCachedHandlesEntry+9Bp
					; SepSetTokenCachedHandles+10Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	edi, edi
		mov	eax, edx
		mov	esi, edi
		mov	[ebp+var_4], eax
		test	ebx, ebx
		jz	short loc_50FA70

loc_50FA5C:				; CODE XREF: SepCloseCachedTokenHandles(x,x)+2Aj
		push	dword ptr [eax+esi*4]
		call	_ZwClose@4	; ZwClose(x)
		test	eax, eax
		js	short loc_50FA77

loc_50FA68:				; CODE XREF: SepCloseCachedTokenHandles(x,x)+35j
		mov	eax, [ebp+var_4]
		inc	esi
		cmp	esi, ebx
		jb	short loc_50FA5C

loc_50FA70:				; CODE XREF: SepCloseCachedTokenHandles(x,x)+16j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_50FA77:				; CODE XREF: SepCloseCachedTokenHandles(x,x)+22j
		mov	edi, eax
		jmp	short loc_50FA68
_SepCloseCachedTokenHandles@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSetSchedulingGroupWeights proc near	; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+1ECp
					; sub_759647+9B0p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E70E5 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], ecx
		lea	edi, [ebp+var_10]
		mov	ebx, edx
		stosd
		lea	edx, [ebp+var_10]
		mov	ecx, offset _KiSchedulingGroupLock
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	edx, edx
		xor	esi, esi
		inc	edx
		cmp	[ebp+var_4], esi
		jbe	short loc_50FAEE
		mov	edi, [ebp+arg_0]

loc_50FAAE:				; CODE XREF: KeSetSchedulingGroupWeights+6Dj
		mov	ecx, [ebx+esi*4]
		mov	eax, [ecx+4]
		test	al, 1
		jz	short loc_50FAD6
		and	eax, 0FFFFFFFEh
		xor	dl, dl
		mov	[ecx+4], eax
		xor	ecx, ecx
		mov	eax, [ebx+esi*4]
		inc	ecx
		push	dword ptr [eax+4Ch]
		call	KiUpdateMinimumWeight
		test	al, al
		jnz	loc_5E70E5

loc_50FAD6:				; CODE XREF: KeSetSchedulingGroupWeights+3Aj
					; KeSetSchedulingGroupWeights+D7679j
		mov	ecx, [ebx+esi*4]
		mov	eax, [edi+esi*8]
		mov	[ecx], eax
		mov	eax, [edi+esi*8+4]
		inc	esi
		mov	[ecx+4], eax
		cmp	esi, [ebp+var_4]
		jb	short loc_50FAAE
		xor	edx, edx
		inc	edx

loc_50FAEE:				; CODE XREF: KeSetSchedulingGroupWeights+2Dj
		mov	eax, [ebx]
		xor	ecx, ecx
		push	dword ptr [eax+4Ch]
		call	KiUpdateMinimumWeight
		mov	eax, [ebx]
		xor	ecx, ecx
		xor	ebx, ebx
		inc	ebx
		mov	dl, bl
		push	dword ptr [eax+4Ch]
		call	KiAssignSchedulingGroupWeights
		test	ds:byte_70EFC6,	bl
		jnz	loc_5E70FA
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_5E7112
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	loc_5E710A

loc_50FB39:				; CODE XREF: KeSetSchedulingGroupWeights+D7689j
					; KeSetSchedulingGroupWeights+D76A3j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
KeSetSchedulingGroupWeights endp

; 
		align 2

KeInsertSchedulingGroup:		; CODE XREF: PspAddSchedulingGroupToJobChain+ADp
					; PspEstablishJobHierarchy+17F8E2p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp-2Ch]
		cmp	ds:_KiGroupSchedulingEnabled, 0
		mov	esi, edx
		stosd
		mov	ebx, ecx
		mov	[ebp-18h], esi
		mov	[ebp-8], ebx
		stosd
		stosd
		jz	loc_50FE39

loc_50FB74:				; CODE XREF: .text:0050FE3Ej
		mov	eax, [ebp+8]
		mov	[ebp-4], eax
		mov	[ebx], eax
		mov	eax, [ebp+0Ch]
		mov	[ebp-1Ch], eax
		mov	[ebx+4], eax
		xor	eax, eax
		push	eax
		mov	[ebx+20h], eax
		mov	[ebx+24h], eax
		mov	[ebx+0Ch], eax
		mov	[ebx+10h], eax
		mov	[ebx+14h], eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[ebx+18h], eax
		lea	edi, [ebx+38h]
		xor	ecx, ecx
		mov	[edi+4], edi
		lea	eax, [ebx+44h]
		mov	[edi], edi
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, ds:_KeMaximumProcessors
		mov	[ebx+1Ch], edx
		mov	[ebx+4Ch], ecx
		mov	[ebx+28h], ecx
		mov	[ebx+2Ch], ecx
		mov	[ebx+30h], ecx
		mov	[ebx+34h], ecx
		mov	[ebp+0Ch], eax
		test	eax, eax
		jz	loc_50FC57
		lea	edi, [ebx+88h]
		lea	ebx, [esi+0DDh]

loc_50FBE0:				; CODE XREF: .text:0050FC4Fj
		push	6Ch
		lea	eax, [edi-8]
		push	ecx
		push	eax
		call	_memset
		add	esp, 0Ch
		lea	eax, [edi+64h]
		push	10h
		pop	ecx

loc_50FBF5:				; CODE XREF: .text:0050FC00j
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		sub	ecx, 1
		jnz	short loc_50FBF5
		mov	ecx, ds:_KiCycleDivisorShortTerm
		mov	eax, ds:dword_705144
		mov	[edi], ecx
		mov	[edi+8], ecx
		xor	ecx, ecx
		mov	[edi+4], eax
		mov	[edi+0Ch], eax
		mov	[edi+0E4h], ecx
		mov	[edi+0E8h], ecx
		test	esi, esi
		jnz	loc_5E7124
		lea	eax, [edi-8]
		mov	[edi+0ECh], ecx
		mov	[edi+0F0h], eax
		mov	al, cl

loc_50FC3F:				; CODE XREF: .text:005E713Dj
		mov	[edi+55h], al
		mov	eax, 100h
		add	edi, eax
		add	ebx, eax
		sub	dword ptr [ebp+0Ch], 1
		jnz	short loc_50FBE0
		mov	ebx, [ebp-8]
		lea	edi, [ebx+38h]

loc_50FC57:				; CODE XREF: .text:0050FBCEj
		lea	edx, [ebp-2Ch]
		mov	ecx, offset _KiSchedulingGroupLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	esi, esi
		jnz	loc_5E7142
		mov	eax, dword_6CB11C
		mov	ecx, offset _KiSchedulingGroupList
		cmp	[eax], ecx
		jnz	loc_50FE43
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	dword_6CB11C, edi

loc_50FC8B:				; CODE XREF: .text:005E715Dj
		mov	eax, ds:_KeNumberProcessors
		xor	edi, edi
		xor	ecx, ecx
		mov	[ebp-20h], eax
		xor	edx, edx
		mov	[ebp+0Ch], ecx
		inc	edi
		mov	[ebp-0Ch], edx
		test	eax, eax
		jz	loc_50FD4B
		lea	edi, [ebx+80h]

loc_50FCAE:				; CODE XREF: .text:0050FD42j
		mov	eax, ds:_KiProcessorBlock[edx*4]
		and	dword ptr [ebp-10h], 0
		mov	[ebp-14h], eax
		lea	esi, [eax+2224h]

loc_50FCC2:				; CODE XREF: .text:0050FE34j
		lock bts dword ptr [esi], 0
		jb	loc_50FE26
		mov	eax, [ebp-14h]
		lea	ecx, [edi+48h]
		mov	esi, [ebp-18h]
		lea	edx, [eax+3CF0h]
		mov	ebx, [edx+4]
		mov	[ebp-14h], ebx
		cmp	[ebx], edx
		jnz	loc_50FE43
		test	byte ptr [ebp-1Ch], 4
		mov	[ecx+4], ebx
		mov	[ecx], edx
		mov	[ebx], ecx
		mov	ebx, [ebp-8]
		mov	[edx+4], ecx
		jnz	loc_5E7162

loc_50FD01:				; CODE XREF: .text:005E716Dj
		xor	edx, edx
		lea	ecx, [eax+2224h]
		lock and [ecx],	edx
		cmp	[eax+4020h], edx
		jz	short loc_50FD32
		mov	ecx, [eax+4024h]
		mov	al, [eax+3C4h]
		cmp	al, [ecx+129h]
		jz	loc_50FDC2
		mov	ecx, [ebp+0Ch]

loc_50FD2F:				; CODE XREF: .text:0050FDCCj
		mov	[edi+64h], ecx

loc_50FD32:				; CODE XREF: .text:0050FD12j
		mov	edx, [ebp-0Ch]
		add	edi, 100h
		inc	edx
		mov	[ebp-0Ch], edx
		cmp	edx, [ebp-20h]
		jb	loc_50FCAE
		xor	edi, edi
		inc	edi

loc_50FD4B:				; CODE XREF: .text:0050FCA2j
		test	byte ptr [ebx+4], 1
		mov	eax, [ebp-4]
		jnz	short loc_50FDD1
		test	esi, esi
		jnz	loc_5E7172
		mov	edx, _KiGroupSchedulingMinimumWeight
		test	edx, edx
		jnz	loc_50FE16

loc_50FD6A:				; CODE XREF: .text:0050FE21j
		movzx	ecx, ax
		mov	_KiGroupSchedulingMinimumWeight, ecx

loc_50FD73:				; CODE XREF: .text:0050FE1Bj
		add	_KiGroupSchedulingTotalWeight, ecx

loc_50FD79:				; CODE XREF: .text:005E7189j
		push	esi
		xor	dl, dl
		xor	ecx, ecx
		call	KiAssignSchedulingGroupWeights

loc_50FD83:				; CODE XREF: .text:0050FDFFj
		test	ds:byte_70EFC6,	1
		pop	edi
		pop	esi
		pop	ebx
		jnz	loc_5E71BB
		mov	eax, [ebp-2Ch]
		test	eax, eax
		jnz	loc_5E71D3
		mov	edx, [ebp-28h]
		lea	eax, [ebp-2Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-2Ch]
		cmp	eax, ecx
		jnz	loc_5E71CB

loc_50FDB5:				; CODE XREF: .text:005E71C6j
					; .text:005E71E3j
		mov	cl, [ebp-24h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn	8
; 

loc_50FDC2:				; CODE XREF: .text:0050FD26j
		or	byte ptr [edi+5Ch], 20h
		lea	ecx, [edi+68h]
		mov	[ebp+0Ch], ecx
		jmp	loc_50FD2F
; 

loc_50FDD1:				; CODE XREF: .text:0050FD52j
		test	esi, esi
		jnz	loc_5E718E
		mov	esi, _KiGroupSchedulingMinimumRate
		test	esi, esi
		jz	short loc_50FE01
		movzx	ecx, ax
		cmp	ecx, esi
		jb	short loc_50FE01
		shl	ecx, 7
		xor	edx, edx
		mov	eax, ecx
		div	esi

loc_50FDF3:				; CODE XREF: .text:005E71A5j
		mov	[ebx+8], eax

loc_50FDF6:				; CODE XREF: .text:0050FE14j
		xor	dl, dl
		mov	ecx, ebx
		call	KiUpdateCpuTargetByRate
		jmp	short loc_50FD83
; 

loc_50FE01:				; CODE XREF: .text:0050FDE1j
					; .text:0050FDE8j
		movzx	eax, ax
		mov	ecx, edi
		mov	_KiGroupSchedulingMinimumRate, eax
		push	0

loc_50FE0D:				; CODE XREF: .text:005E71B6j
		xor	dl, dl
		call	KiAssignSchedulingGroupWeights
		jmp	short loc_50FDF6
; 

loc_50FE16:				; CODE XREF: .text:0050FD64j
		movzx	ecx, ax
		cmp	ecx, edx
		jnb	loc_50FD73
		jmp	loc_50FD6A
; 

loc_50FE26:				; CODE XREF: .text:0050FCC7j
					; .text:0050FE32j
		lea	ecx, [ebp-10h]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_50FE26
		jmp	loc_50FCC2
; 

loc_50FE39:				; CODE XREF: .text:0050FB6Ej
		call	KiEnableGroupScheduling
		jmp	loc_50FB74
; 

loc_50FE43:				; CODE XREF: .text:0050FC78j
					; .text:0050FCE4j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 2 dup(0CCCCCCCCh)
; Exported entry 1640. ObReferenceObjectByPointer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObReferenceObjectByPointer
ObReferenceObjectByPointer proc	near	; CODE XREF: WmipQueryAllData+3CEp
					; EtwpStopTrace+ADp ...

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005E71E8 SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	edx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	esi, [edi-18h]
		test	edx, edx
		jz	short loc_50FEB1
		mov	eax, esi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		cmp	ds:_ObTypeIndexTable[ecx*4], edx

loc_50FE85:				; CODE XREF: ObReferenceObjectByPointer+65j
		jnz	short loc_50FEB7
		cmp	ds:_ObpTraceFlags, 0
		jnz	loc_5E71E8

loc_50FE94:				; CODE XREF: ObReferenceObjectByPointer+D73A8j
		mov	eax, 1
		lock xadd [esi], eax
		inc	eax
		cmp	eax, 1
		jle	loc_5E71FD
		xor	eax, eax

loc_50FEA9:				; CODE XREF: ObReferenceObjectByPointer+6Cj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_50FEB1:				; CODE XREF: ObReferenceObjectByPointer+15j
		cmp	[ebp+arg_C], 0
		jmp	short loc_50FE85
; 

loc_50FEB7:				; CODE XREF: ObReferenceObjectByPointer:loc_50FE85j
		mov	eax, 0C0000024h
		jmp	short loc_50FEA9
ObReferenceObjectByPointer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepGetAnonymousToken(x, x)
_SepGetAnonymousToken@8	proc near	; CODE XREF: PspAddSchedulingGroupToJobChain+337p
					; SepCreateClientSecurityEx+194p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_1C], 18h
		push	eax		; int
		push	1		; int
		mov	edi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		lea	edx, [ebp+var_1C]
		push	ecx		; int
		push	2		; size_t
		push	2		; int
		mov	[ebp+var_4], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	ecx, ds:_SeAnonymousLogonTokenNoEveryone
		push	1		; char
		call	_SepDuplicateToken@32 ;	SepDuplicateToken(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_510006
		test	edi, edi
		jz	loc_50FFF8
		mov	edx, [edi+1E0h]
		mov	ecx, [ebp+var_4]
		call	_SepSetTokenPackage@8 ;	SepSetTokenPackage(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_51000D
		push	dword ptr [edi+1E8h]
		mov	edx, [edi+1E0h]
		push	dword ptr [edi+1E4h]
		mov	ecx, [ebp+var_4]
		call	SepSetTokenCapabilities
		mov	esi, eax
		test	esi, esi
		js	loc_51000D
		mov	edx, [edi+78h]
		xor	eax, eax
		mov	ecx, [ebp+var_4]
		push	eax
		push	eax
		push	eax
		call	_SepSetTokenSessionById@20 ; SepSetTokenSessionById(x,x,x,x,x)
		mov	eax, [ebp+var_4]
		mov	ecx, [edi+78h]
		mov	[eax+78h], ecx
		mov	edx, [edi+1E0h]
		mov	ecx, [ebp+var_4]
		call	SepSetTokenLowboxNumber
		mov	esi, eax
		test	esi, esi
		js	loc_51000D
		mov	ecx, [edi+1DCh]
		test	ecx, ecx
		jz	short loc_50FFA7
		cmp	dword ptr [ecx], 0
		jz	short loc_50FFA7
		mov	edx, [ebp+var_4]
		push	0
		mov	edx, [edx+1DCh]
		call	AuthzBasepDuplicateSecurityAttributes
		mov	esi, eax
		test	esi, esi
		js	short loc_51000D

loc_50FFA7:				; CODE XREF: SepGetAnonymousToken(x,x)+CCj
					; SepGetAnonymousToken(x,x)+D1j
		mov	eax, [ebp+var_4]
		mov	ecx, 800000h
		and	[eax+48h], ecx
		and	dword ptr [eax+4Ch], 2
		mov	eax, [ebp+var_4]
		and	[eax+50h], ecx
		and	dword ptr [eax+54h], 2
		mov	eax, [ebp+var_4]
		and	[eax+40h], ecx
		and	dword ptr [eax+44h], 2
		mov	eax, [ebp+var_4]
		and	dword ptr [eax+0B0h], 0FFFFDFFFh
		mov	eax, [ebp+var_4]
		or	dword ptr [eax+0B0h], 4000h
		mov	ecx, [ebp+var_4]
		mov	eax, [edi+0B0h]
		and	eax, 380000h
		or	[ecx+0B0h], eax

loc_50FFF8:				; CODE XREF: SepGetAnonymousToken(x,x)+51j
		mov	ecx, [ebp+var_4]
		mov	[ebx], ecx
		test	esi, esi

loc_50FFFF:				; DATA XREF: .text:0041ADDDo
		jns	short loc_510006

loc_510001:				; CODE XREF: SepGetAnonymousToken(x,x)+152j
		call	ObfDereferenceObject

loc_510006:				; CODE XREF: SepGetAnonymousToken(x,x)+49j
					; SepGetAnonymousToken(x,x):loc_50FFFFj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_51000D:				; CODE XREF: SepGetAnonymousToken(x,x)+69j
					; SepGetAnonymousToken(x,x)+8Dj ...
		mov	ecx, [ebp+var_4]
		jmp	short loc_510001
_SepGetAnonymousToken@8	endp

; 
		align 8
dword_510018	dd 2 dup(0CCCCCCCCh)	; DATA XREF: EtwpReserveTraceBuffer+12E102o
					; EtwpReserveTraceBuffer+12E136o
; Exported entry 2249. RtlLookupEntryHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLookupEntryHashTable(x, x, x)
		public _RtlLookupEntryHashTable@12
_RtlLookupEntryHashTable@12 proc near	; CODE XREF: SepRmReferenceFindCap(x,x)+44p
					; SepFindMatchingCachedHandlesEntry+21p ...

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	loc_5100D6

loc_510036:				; CODE XREF: RtlLookupEntryHashTable(x,x,x)+B9j
		mov	esi, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	eax, edx
		mov	ecx, [esi+4]
		shr	eax, cl
		imul	ebx, eax, 41C64E6Dh
		imul	eax, 10DCDh
		add	ebx, 3039h
		inc	eax
		shr	ebx, 10h
		and	eax, 0FFFF0000h
		or	ebx, eax
		mov	eax, [esi+10h]
		mov	ecx, eax
		and	ecx, ebx
		cmp	ecx, [esi+0Ch]
		jb	short loc_5100C8

loc_51006C:				; CODE XREF: RtlLookupEntryHashTable(x,x,x)+B0j
		cmp	dword ptr [esi+8], 80h
		mov	ebx, [esi+20h]
		jbe	short loc_51008C
		sub	ecx, 0FFFFFF80h
		mov	[ebp+arg_8], 0
		bsr	eax, ecx
		btc	ecx, eax
		mov	ebx, [ebx+eax*4-1Ch]

loc_51008C:				; CODE XREF: RtlLookupEntryHashTable(x,x,x)+56j
		lea	esi, [ebx+ecx*8]
		mov	ecx, [esi]
		mov	ebx, esi
		cmp	ecx, esi
		jz	short loc_5100AC

loc_510097:				; CODE XREF: RtlLookupEntryHashTable(x,x,x)+8Aj
		mov	eax, [ecx+8]
		test	eax, eax
		jz	short loc_5100A2
		cmp	eax, edx
		jnb	short loc_5100AC

loc_5100A2:				; CODE XREF: RtlLookupEntryHashTable(x,x,x)+7Cj
		mov	eax, [ecx]
		mov	ebx, ecx
		mov	ecx, eax
		cmp	eax, esi
		jnz	short loc_510097

loc_5100AC:				; CODE XREF: RtlLookupEntryHashTable(x,x,x)+75j
					; RtlLookupEntryHashTable(x,x,x)+80j
		mov	[edi], esi
		mov	[edi+4], ebx
		mov	[edi+8], edx
		mov	eax, [ebx]
		cmp	esi, eax
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_5100D2
		cmp	[eax+8], edx
		jnz	short loc_5100D2

loc_5100C2:				; CODE XREF: RtlLookupEntryHashTable(x,x,x)+B4j
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_5100C8:				; CODE XREF: RtlLookupEntryHashTable(x,x,x)+4Aj
		lea	ecx, [eax+eax]
		or	ecx, 1
		and	ecx, ebx
		jmp	short loc_51006C
; 

loc_5100D2:				; CODE XREF: RtlLookupEntryHashTable(x,x,x)+9Bj
					; RtlLookupEntryHashTable(x,x,x)+A0j
		xor	eax, eax
		jmp	short loc_5100C2
; 

loc_5100D6:				; CODE XREF: RtlLookupEntryHashTable(x,x,x)+10j
		lea	edi, [ebp+var_C]
		jmp	loc_510036
_RtlLookupEntryHashTable@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepReferenceCachedTokenHandles proc near ; CODE	XREF: SepSetTokenCachedHandles+4Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	eax, ecx
		xor	ebx, ebx
		xor	esi, esi
		mov	[ebp+var_4], eax
		push	edi
		mov	edi, edx
		test	eax, eax
		jz	short loc_510130
		mov	eax, [ebp+arg_0]
		sub	eax, edi
		mov	[ebp+var_8], eax

loc_510100:				; CODE XREF: SepReferenceCachedTokenHandles+50j
		push	2
		push	200h
		push	0
		add	eax, edi
		push	eax
		push	0FFFFFFFFh
		push	dword ptr [edi]
		push	0FFFFFFFFh
		call	_ZwDuplicateObject@28 ;	ZwDuplicateObject(x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		js	loc_5E720B
		mov	eax, [ebp+var_8]
		inc	esi
		add	edi, 4
		cmp	esi, [ebp+var_4]
		jb	short loc_510100

loc_510130:				; CODE XREF: SepReferenceCachedTokenHandles+18j
					; ObReferenceObjectByPointer+D73BDj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
SepReferenceCachedTokenHandles endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeRemoveSchedulingGroup	proc near	; CODE XREF: PspRemoveCpuRateControl+24p
					; PspEstablishJobHierarchy:loc_8D088Bp	...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E722B SIZE 00000089 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		lea	edx, [ebp+var_28]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_28]
		mov	esi, ecx
		stosd
		mov	ecx, offset _KiSchedulingGroupLock
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	ecx, [esi+38h]
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jnz	loc_5102BC
		cmp	[eax], ecx
		jnz	loc_5102BC
		mov	[eax], edx
		mov	[edx+4], eax
		xor	edx, edx
		mov	eax, ds:_KeNumberProcessors
		mov	ecx, edx
		mov	edi, [esi+4Ch]
		mov	ebx, edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], ecx
		test	eax, eax
		jz	short loc_510215
		lea	eax, [esi+80h]
		mov	[ebp+var_4], eax

loc_5101A1:				; CODE XREF: KeRemoveSchedulingGroup+D9j
		mov	ebx, ds:_KiProcessorBlock[ecx*4]
		add	ebx, 2224h
		mov	[ebp+var_18], edx

loc_5101B1:				; CODE XREF: KeRemoveSchedulingGroup+17Dj
		lock bts dword ptr [ebx], 0
		jb	loc_5102A9
		mov	eax, [ebp+var_4]
		add	eax, 48h
		mov	ecx, [eax]
		mov	[ebp+var_C], ecx
		mov	edx, [ebp+var_C]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		mov	edx, [ebp+var_4]
		jnz	loc_5102BC
		cmp	[ecx], eax
		jnz	loc_5102BC
		mov	eax, [ebp+var_C]
		mov	[ecx], eax
		mov	[eax+4], ecx
		xor	eax, eax
		lock and [ebx],	eax
		mov	ebx, [ebp+var_10]
		add	ebx, [edx+38h]
		mov	eax, [edx+3Ch]
		adc	[ebp+var_8], eax
		add	edx, 100h
		mov	ecx, [ebp+var_14]
		inc	ecx
		mov	[ebp+var_4], edx
		push	0
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], ecx
		pop	edx
		cmp	ecx, [ebp+var_1C]
		jb	short loc_5101A1

loc_510215:				; CODE XREF: KeRemoveSchedulingGroup+5Cj
		test	byte ptr [esi+4], 1
		jz	loc_5E722B

loc_51021F:				; CODE XREF: KeRemoveSchedulingGroup+D70FBj
					; KeRemoveSchedulingGroup+D7106j
		xor	eax, eax
		inc	eax
		test	edi, edi
		jnz	loc_5E7245
		cmp	_KiSchedulingGroupList,	offset _KiSchedulingGroupList
		jz	loc_5E7279
		mov	ecx, [esi+4]
		push	edx
		and	ecx, eax
		xor	dl, dl
		call	KiUpdateMinimumWeight
		test	al, al
		jnz	short loc_510296
		test	byte ptr [esi+4], 1
		jz	short loc_510296

loc_510251:				; CODE XREF: KeRemoveSchedulingGroup+D7118j
					; KeRemoveSchedulingGroup+D7133j ...
		xor	esi, esi
		inc	esi

loc_510254:				; CODE XREF: KeRemoveSchedulingGroup+16Dj
		test	ds:byte_70EFC6,	1
		jnz	loc_5E728A
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_5E72A2
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jnz	loc_5E729A

loc_510283:				; CODE XREF: KeRemoveSchedulingGroup+D715Bj
					; KeRemoveSchedulingGroup+D7175j
		mov	cl, [ebp+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_510296:				; CODE XREF: KeRemoveSchedulingGroup+10Fj
					; KeRemoveSchedulingGroup+115j
		push	0

loc_510298:				; CODE XREF: KeRemoveSchedulingGroup+D713Aj
		mov	ecx, [esi+4]
		xor	dl, dl
		xor	esi, esi
		inc	esi
		and	ecx, esi
		call	KiAssignSchedulingGroupWeights
		jmp	short loc_510254
; 

loc_5102A9:				; CODE XREF: KeRemoveSchedulingGroup+7Cj
					; KeRemoveSchedulingGroup+17Bj
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5102A9
		jmp	loc_5101B1
; 

loc_5102BC:				; CODE XREF: KeRemoveSchedulingGroup+2Dj
					; KeRemoveSchedulingGroup+35j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
KeRemoveSchedulingGroup	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSetSchedulingGroupCpuRates proc near	; CODE XREF: sub_759647+80Fp
					; sub_759647:loc_8D3BFCp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E72B4 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		mov	ecx, offset _KiSchedulingGroupLock
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, edx
		stosd
		lea	edx, [ebp+var_C]
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, [esi]
		xor	ebx, ebx
		inc	ebx
		mov	eax, [edx+4]
		test	al, bl
		jnz	short loc_510313
		or	eax, ebx
		xor	ecx, ecx
		mov	[edx+4], eax
		mov	dl, bl
		mov	eax, [esi]
		push	dword ptr [eax+4Ch]
		call	KiUpdateMinimumWeight
		mov	eax, [esi]
		xor	dl, dl
		xor	ecx, ecx
		push	dword ptr [eax+4Ch]
		call	KiAssignSchedulingGroupWeights
		mov	edx, [esi]

loc_510313:				; CODE XREF: KeSetSchedulingGroupCpuRates+2Cj
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx]
		mov	[edx], eax
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		mov	dl, bl
		mov	ecx, [esi]
		call	KiUpdateCpuTargetByRate
		mov	eax, [esi]
		mov	dl, bl
		mov	ecx, ebx
		push	dword ptr [eax+4Ch]
		call	KiUpdateMinimumWeight
		test	al, al
		jz	short loc_510349
		mov	eax, [esi]
		xor	dl, dl
		mov	ecx, ebx
		push	dword ptr [eax+4Ch]
		call	KiAssignSchedulingGroupWeights

loc_510349:				; CODE XREF: KeSetSchedulingGroupCpuRates+77j
		test	ds:byte_70EFC6,	bl
		jnz	loc_5E72B4
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5E72CC
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5E72C4

loc_510377:				; CODE XREF: KeSetSchedulingGroupCpuRates+D6FFDj
					; KeSetSchedulingGroupCpuRates+D7017j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
KeSetSchedulingGroupCpuRates endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAssignSchedulingGroupWeights proc near ; CODE	XREF: KeSetSchedulingGroupWeights+8Ap
					; .text:0050FD7Ep ...

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E72DE SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_1], dl
		mov	edx, ecx
		mov	[ebp+var_8], edx
		push	edi
		test	edx, edx
		jnz	short loc_5103B7
		test	eax, eax
		jnz	loc_5E72DE
		cmp	_KiGroupSchedulingTotalWeight, eax
		jz	short loc_5103FB
		mov	edi, _KiGroupSchedulingMinimumWeight
		jmp	short loc_5103C1
; 

loc_5103B7:				; CODE XREF: KiAssignSchedulingGroupWeights+15j
		test	eax, eax
		jnz	short loc_51040D
		mov	edi, _KiGroupSchedulingMinimumRate

loc_5103C1:				; CODE XREF: KiAssignSchedulingGroupWeights+2Dj
					; KiAssignSchedulingGroupWeights+88j ...
		push	ebx
		push	esi
		test	eax, eax
		jnz	short loc_510412
		mov	esi, _KiSchedulingGroupList
		mov	ebx, offset _KiSchedulingGroupList

loc_5103D2:				; CODE XREF: KiAssignSchedulingGroupWeights+6Fj
					; KiAssignSchedulingGroupWeights+8Fj
		lea	ecx, [esi-38h]
		mov	eax, [ecx+4]
		and	eax, 1
		cmp	eax, edx
		jnz	short loc_5103F3
		movzx	eax, word ptr [ecx]
		xor	edx, edx
		shl	eax, 7
		div	edi
		mov	edx, [ebp+var_8]
		mov	[ecx+8], eax
		test	edx, edx
		jz	short loc_510400

loc_5103F3:				; CODE XREF: KiAssignSchedulingGroupWeights+55j
					; KiAssignSchedulingGroupWeights+83j
		mov	esi, [esi]
		cmp	esi, ebx
		jnz	short loc_5103D2
		pop	esi
		pop	ebx

loc_5103FB:				; CODE XREF: KiAssignSchedulingGroupWeights+25j
					; KiAssignSchedulingGroupWeights+D6F5Aj
		pop	edi
		leave
		retn	4
; 

loc_510400:				; CODE XREF: KiAssignSchedulingGroupWeights+69j
		mov	dl, [ebp+var_1]
		call	KiUpdateCpuTargetByWeight
		mov	edx, [ebp+var_8]
		jmp	short loc_5103F3
; 

loc_51040D:				; CODE XREF: KiAssignSchedulingGroupWeights+31j
		mov	edi, [eax+0Ch]
		jmp	short loc_5103C1
; 

loc_510412:				; CODE XREF: KiAssignSchedulingGroupWeights+3Dj
		lea	ebx, [eax+44h]
		mov	esi, [ebx]
		jmp	short loc_5103D2
KiAssignSchedulingGroupWeights endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiUpdateMinimumWeight proc near		; CODE XREF: KeSetSchedulingGroupWeights+4Dp
					; KeSetSchedulingGroupWeights+79p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E72F0 SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_1], dl
		mov	[ebp+var_C], eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	eax, eax
		jz	loc_5104D6
		test	esi, esi
		jnz	loc_5E72F0
		mov	edx, _KiGroupSchedulingMinimumRate

loc_510446:				; CODE XREF: KiUpdateMinimumWeight+D6ED9j
		mov	ecx, 2710h

loc_51044B:				; CODE XREF: KiUpdateMinimumWeight+C9j
		lea	eax, [esi+44h]
		test	esi, esi
		jnz	short loc_510457
		mov	eax, offset _KiSchedulingGroupList

loc_510457:				; CODE XREF: KiUpdateMinimumWeight+36j
		mov	edi, [eax]
		xor	ebx, ebx
		and	[ebp+arg_0], ebx
		mov	[ebp+var_8], eax

loc_510461:				; CODE XREF: KiUpdateMinimumWeight+6Ej
		mov	eax, [edi-34h]
		and	eax, 1
		cmp	eax, [ebp+var_C]
		jnz	short loc_5104AA
		cmp	[ebp+var_1], 0
		jz	short loc_5104AF

loc_510472:				; CODE XREF: KiUpdateMinimumWeight+9Bj
		movzx	eax, word ptr [edi-38h]
		cmp	eax, ecx
		jb	short loc_5104E8

loc_51047A:				; CODE XREF: KiUpdateMinimumWeight+D0j
		add	ebx, eax
		mov	eax, [ebp+arg_0]
		inc	eax
		mov	[ebp+arg_0], eax

loc_510483:				; CODE XREF: KiUpdateMinimumWeight+93j
		mov	edi, [edi]
		cmp	edi, [ebp+var_8]
		jnz	short loc_510461
		cmp	[ebp+var_C], 0
		jnz	short loc_5104BB
		test	eax, eax
		jnz	short loc_5104EC
		test	esi, esi
		jnz	loc_5E730D
		and	_KiGroupSchedulingMinimumWeight, esi
		and	_KiGroupSchedulingTotalWeight, esi
		jmp	short loc_5104CD
; 

loc_5104AA:				; CODE XREF: KiUpdateMinimumWeight+50j
		mov	eax, [ebp+arg_0]
		jmp	short loc_510483
; 

loc_5104AF:				; CODE XREF: KiUpdateMinimumWeight+56j
		movzx	eax, word ptr [edi-38h]
		cmp	eax, edx
		jnz	short loc_510472
		xor	al, al
		jmp	short loc_5104CF
; 

loc_5104BB:				; CODE XREF: KiUpdateMinimumWeight+74j
		test	eax, eax
		jz	loc_5E731A
		test	esi, esi
		jnz	short loc_51050D
		mov	_KiGroupSchedulingMinimumRate, ecx

loc_5104CD:				; CODE XREF: KiUpdateMinimumWeight+8Ej
					; KiUpdateMinimumWeight+E4j ...
		mov	al, 1

loc_5104CF:				; CODE XREF: KiUpdateMinimumWeight+9Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_5104D6:				; CODE XREF: KiUpdateMinimumWeight+18j
		test	esi, esi
		jnz	short loc_510508
		mov	edx, _KiGroupSchedulingMinimumWeight

loc_5104E0:				; CODE XREF: KiUpdateMinimumWeight+F1j
		push	9
		pop	ecx
		jmp	loc_51044B
; 

loc_5104E8:				; CODE XREF: KiUpdateMinimumWeight+5Ej
		mov	ecx, eax
		jmp	short loc_51047A
; 

loc_5104EC:				; CODE XREF: KiUpdateMinimumWeight+78j
		test	esi, esi
		jnz	loc_5E72F8
		cmp	[ebp+var_1], 0
		mov	_KiGroupSchedulingMinimumWeight, ecx
		jz	short loc_5104CD
		mov	_KiGroupSchedulingTotalWeight, ebx
		jmp	short loc_5104CD
; 

loc_510508:				; CODE XREF: KiUpdateMinimumWeight+BEj
		mov	edx, [esi+10h]
		jmp	short loc_5104E0
; 

loc_51050D:				; CODE XREF: KiUpdateMinimumWeight+ABj
		mov	[esi+0Ch], ecx
		jmp	short loc_5104CD
KiUpdateMinimumWeight endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiUpdateCpuTargetByWeight proc near	; CODE XREF: KiAssignSchedulingGroupWeights+7Bp
					; KiUpdateChildrenCpuTarget(x,x)+16p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E7333 SIZE 000000D7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1], dl
		push	edi
		mov	[ebp+var_24], esi
		cmp	dword ptr [esi+4Ch], 0
		movzx	edi, word ptr [esi]
		movzx	eax, word ptr [esi+2]
		mov	[ebp+var_C], edi
		mov	[ebp+var_10], eax
		jnz	loc_5E7333
		mov	ebx, ds:dword_70514C
		mov	ecx, ds:_KiCyclesPerGeneration
		push	ebx
		movzx	eax, di
		cdq
		push	ecx
		push	edx
		push	eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ecx
		call	__allmul
		push	0
		push	_KiGroupSchedulingTotalWeight
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], edx
		cmp	di, cx
		jz	loc_5E73B0

loc_51057C:				; CODE XREF: KiUpdateCpuTargetByWeight+D6E99j
		mov	eax, [ebp+var_8]

loc_51057F:				; CODE XREF: KiUpdateCpuTargetByWeight+D6EA6j
		cmp	eax, ds:_KiCyclesPerGeneration
		jnz	loc_5E73BD
		cmp	ebx, ds:dword_70514C
		jnz	loc_5E73BD
		mov	bl, 1

loc_510599:				; CODE XREF: KiUpdateCpuTargetByWeight+D6EADj
		mov	ecx, ds:_KeNumberProcessors
		xor	edx, edx
		mov	[ebp+var_2], bl
		mov	[ebp+var_28], ecx
		mov	[ebp+var_10], edx
		cmp	ds:_KeMaximumProcessors, edx
		jz	loc_510644
		mov	cl, bl
		lea	edi, [esi+80h]
		shl	cl, 4
		mov	[ebp+var_3], cl

loc_5105C4:				; CODE XREF: KiUpdateCpuTargetByWeight+130j
		mov	ebx, ds:_KiProcessorBlock[edx*4]
		test	ebx, ebx
		jz	short loc_5105F7
		and	[ebp+var_20], 0
		lea	esi, [ebx+2224h]

loc_5105D9:				; CODE XREF: KiUpdateCpuTargetByWeight+17Fj
		lock bts dword ptr [esi], 0
		jb	loc_510683
		cmp	[ebp+var_2], 0
		mov	esi, [ebp+var_24]
		jz	loc_5E73C4

loc_5105F1:				; CODE XREF: KiUpdateCpuTargetByWeight+D6EDCj
		mov	eax, [ebp+var_8]

loc_5105F4:				; CODE XREF: KiUpdateCpuTargetByWeight+D6EBCj
		mov	edx, [ebp+var_10]

loc_5105F7:				; CODE XREF: KiUpdateCpuTargetByWeight+BBj
		mov	ecx, [ebp+var_14]
		mov	[edi+10h], eax
		mov	eax, [ebp+var_C]
		mov	[edi+14h], eax
		mov	al, [edi+5Ch]
		and	al, 0EFh
		mov	[edi+8], ecx
		or	al, [ebp+var_3]
		mov	ecx, [ebp+var_18]
		mov	[edi+0Ch], ecx
		mov	[edi+5Ch], al
		test	ebx, ebx
		jz	short loc_51062F
		cmp	[ebp+var_1], 0
		jnz	short loc_510657

loc_510621:				; CODE XREF: KiUpdateCpuTargetByWeight+157j
					; KiUpdateCpuTargetByWeight+D6EF3j
		xor	ecx, ecx
		lea	eax, [ebx+2224h]
		lock and [eax],	ecx
		mov	edx, [ebp+var_10]

loc_51062F:				; CODE XREF: KiUpdateCpuTargetByWeight+107j
		mov	eax, [ebp+var_8]
		inc	edx
		add	edi, 100h
		mov	[ebp+var_10], edx
		cmp	edx, ds:_KeMaximumProcessors
		jb	short loc_5105C4

loc_510644:				; CODE XREF: KiUpdateCpuTargetByWeight+9Ej
		mov	al, [ebp+var_1]
		test	al, al
		jnz	short loc_510670

loc_51064B:				; CODE XREF: KiUpdateCpuTargetByWeight+16Fj
		pop	edi
		lea	ecx, [esi+44h]
		pop	esi
		pop	ebx
		cmp	[ecx], ecx
		jnz	short loc_510696
		leave
		retn
; 

loc_510657:				; CODE XREF: KiUpdateCpuTargetByWeight+10Dj
		xor	eax, eax
		mov	[edi+20h], eax
		mov	[edi+24h], eax
		mov	[edi+30h], eax
		mov	[edi+34h], eax
		test	byte ptr [esi+4], 2
		jz	short loc_510621
		jmp	loc_5E73F3
; 

loc_510670:				; CODE XREF: KiUpdateCpuTargetByWeight+137j
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[esi+18h], eax
		mov	al, [ebp+var_1]
		mov	[esi+1Ch], edx
		jmp	short loc_51064B
; 

loc_510683:				; CODE XREF: KiUpdateCpuTargetByWeight+CCj
					; KiUpdateCpuTargetByWeight+17Dj
		lea	ecx, [ebp+var_20]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_510683
		jmp	loc_5105D9
; 

loc_510696:				; CODE XREF: KiUpdateCpuTargetByWeight+141j
		mov	dl, al
		call	_KiUpdateChildrenCpuTarget@8 ; KiUpdateChildrenCpuTarget(x,x)
		leave
		retn
KiUpdateCpuTargetByWeight endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiUpdateCpuTargetByRate	proc near	; CODE XREF: .text:0050FDFAp
					; KeSetSchedulingGroupCpuRates+62p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E740A SIZE 00000086 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		push	esi
		push	edi
		mov	[ebp+var_24], ebx
		cmp	dword ptr [ebx+4Ch], 0
		jnz	loc_5E740A
		mov	edi, ds:dword_70514C
		movzx	eax, word ptr [ebx]
		mov	esi, ds:_KiCyclesPerGeneration
		push	edi
		cdq
		push	esi
		push	edx
		push	eax
		call	__allmul
		push	0
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	[ebp+var_14], eax
		movzx	eax, word ptr [ebx+2]
		push	edi
		mov	[ebp+var_18], edx
		cdq
		push	esi
		push	edx
		push	eax
		call	__allmul
		push	0
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, eax
		mov	[ebp+var_C], eax
		mov	eax, edx
		mov	[ebp+var_10], edx

loc_510710:				; CODE XREF: KiUpdateCpuTargetByRate+D6DDBj
		lea	esi, [ebx+80h]
		cmp	ecx, ds:_KiCyclesPerGeneration
		jnz	loc_51084D
		cmp	eax, ds:dword_70514C
		jnz	loc_51084D
		mov	dl, 1

loc_510730:				; CODE XREF: KiUpdateCpuTargetByRate+1AFj
		mov	eax, ds:_KeNumberProcessors
		xor	ecx, ecx
		mov	[ebp+var_2], dl
		mov	[ebp+var_28], eax
		mov	[ebp+var_8], ecx
		cmp	ds:_KeMaximumProcessors, ecx
		jz	loc_5107FB
		mov	al, dl
		shl	al, 4
		mov	[ebp+var_3], al

loc_510754:				; CODE XREF: KiUpdateCpuTargetByRate+155j
		mov	edi, ds:_KiProcessorBlock[ecx*4]
		test	edi, edi
		jz	short loc_510784
		and	[ebp+var_20], 0
		lea	ebx, [edi+2224h]

loc_510769:				; CODE XREF: KiUpdateCpuTargetByRate+1C2j
		lock bts dword ptr [ebx], 0
		jb	loc_510854
		cmp	[ebp+var_2], 0
		mov	ebx, [ebp+var_24]
		jz	loc_51081F

loc_510781:				; CODE XREF: KiUpdateCpuTargetByRate+186j
					; KiUpdateCpuTargetByRate+1A8j
		mov	ecx, [ebp+var_8]

loc_510784:				; CODE XREF: KiUpdateCpuTargetByRate+BDj
		mov	eax, [ebp+var_14]
		mov	[esi+8], eax
		mov	eax, [ebp+var_18]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_C]
		mov	[esi+10h], eax
		mov	eax, [ebp+var_10]
		mov	[esi+14h], eax
		mov	al, [esi+5Ch]
		and	al, 0EFh
		or	al, [ebp+var_3]
		mov	[esi+5Ch], al
		test	edi, edi
		jz	short loc_5107E5
		cmp	[ebp+var_1], 0
		jz	short loc_5107D7
		xor	edx, edx
		mov	[esi+20h], edx
		mov	[esi+24h], edx
		mov	[esi+30h], edx
		mov	[esi+34h], edx
		test	byte ptr [ebx+4], 2
		jz	short loc_5107D7
		mov	edx, edi
		mov	ecx, esi
		call	_KiResetScb@8	; KiResetScb(x,x)
		mov	edx, esi
		mov	ecx, edi
		call	_KiCheckForEffectivePriorityChange@8 ; KiCheckForEffectivePriorityChange(x,x)

loc_5107D7:				; CODE XREF: KiUpdateCpuTargetByRate+10Fj
					; KiUpdateCpuTargetByRate+123j
		xor	ecx, ecx
		lea	eax, [edi+2224h]
		lock and [eax],	ecx
		mov	ecx, [ebp+var_8]

loc_5107E5:				; CODE XREF: KiUpdateCpuTargetByRate+109j
		inc	ecx
		add	esi, 100h
		mov	[ebp+var_8], ecx
		cmp	ecx, ds:_KeMaximumProcessors
		jb	loc_510754

loc_5107FB:				; CODE XREF: KiUpdateCpuTargetByRate+A6j
		mov	al, [ebp+var_1]
		test	al, al
		jz	short loc_510813
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[ebx+18h], eax
		mov	al, [ebp+var_1]
		mov	[ebx+1Ch], edx

loc_510813:				; CODE XREF: KiUpdateCpuTargetByRate+160j
		pop	edi
		lea	ecx, [ebx+44h]
		pop	esi
		pop	ebx
		cmp	[ecx], ecx
		jnz	short loc_510867
		leave
		retn
; 

loc_51081F:				; CODE XREF: KiUpdateCpuTargetByRate+DBj
		cmp	byte ptr [edi+3D0h], 0
		jz	loc_510781
		push	[ebp+var_10]
		push	[ebp+var_C]
		push	0
		push	[ebp+var_28]
		call	__allmul
		mov	[ebx+28h], eax
		mov	[ebx+2Ch], edx
		mov	[ebx+30h], eax
		mov	[ebx+34h], edx
		jmp	loc_510781
; 

loc_51084D:				; CODE XREF: KiUpdateCpuTargetByRate+7Cj
					; KiUpdateCpuTargetByRate+88j
		xor	dl, dl
		jmp	loc_510730
; 

loc_510854:				; CODE XREF: KiUpdateCpuTargetByRate+CEj
					; KiUpdateCpuTargetByRate+1C0j
		lea	ecx, [ebp+var_20]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_510854
		jmp	loc_510769
; 

loc_510867:				; CODE XREF: KiUpdateCpuTargetByRate+17Bj
		mov	dl, al
		call	_KiUpdateChildrenCpuTarget@8 ; KiUpdateChildrenCpuTarget(x,x)
		leave
		retn
KiUpdateCpuTargetByRate	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSetSchedulingGroupRankBias proc near	; CODE XREF: sub_759647+76Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E7490 SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_C], 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		push	esi
		mov	[ebp+var_14], ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, large fs:20h
		mov	[ebp+var_2], al
		xor	eax, eax
		mov	[ebp+var_18], esi
		mov	[ebp+var_8], eax
		cmp	ds:_KeMaximumProcessors, eax
		jz	short loc_510922
		lea	esi, [ebx+80h]
		push	edi

loc_5108AD:				; CODE XREF: KeSetSchedulingGroupRankBias+A9j
		mov	edi, ds:_KiProcessorBlock[eax*4]
		test	edi, edi
		jz	short loc_5108CD
		and	[ebp+var_10], 0
		lea	ebx, [edi+2224h]

loc_5108C2:				; CODE XREF: KeSetSchedulingGroupRankBias+12Cj
		lock bts dword ptr [ebx], 0
		jb	loc_51098E

loc_5108CD:				; CODE XREF: KeSetSchedulingGroupRankBias+46j
		cmp	[ebp+var_1], 0
		mov	cl, [esi+5Ch]
		mov	ebx, [esi+60h]
		jz	short loc_51094A
		or	cl, 0Ch
		lea	eax, [ebx+1]
		mov	[esi+60h], eax
		mov	[esi+5Ch], cl
		test	cl, 1
		jnz	loc_5109A1

loc_5108EE:				; CODE XREF: KeSetSchedulingGroupRankBias+F6j
					; KeSetSchedulingGroupRankBias+103j ...
		test	edi, edi
		jz	short loc_510906
		mov	edx, esi
		mov	ecx, edi
		call	_KiCheckForEffectivePriorityChange@8 ; KiCheckForEffectivePriorityChange(x,x)
		xor	ecx, ecx
		lea	eax, [edi+2224h]
		lock and [eax],	ecx

loc_510906:				; CODE XREF: KeSetSchedulingGroupRankBias+80j
					; KeSetSchedulingGroupRankBias+10Aj
		mov	eax, [ebp+var_8]
		add	esi, 100h
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, ds:_KeMaximumProcessors
		jb	short loc_5108AD
		mov	ebx, [ebp+var_14]
		mov	esi, [ebp+var_18]
		pop	edi

loc_510922:				; CODE XREF: KeSetSchedulingGroupRankBias+34j
		movzx	eax, [ebp+var_1]
		lea	edx, [ebp+var_C]
		shl	eax, 2
		mov	ecx, esi
		xor	eax, [ebx+4]
		and	eax, 4
		xor	[ebx+4], eax
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, [ebp+var_2]
		mov	ecx, esi
		call	KiCheckForThreadDispatch
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_51094A:				; CODE XREF: KeSetSchedulingGroupRankBias+67j
		movzx	eax, cl
		shr	eax, 3
		and	eax, 1
		sub	ebx, eax
		mov	al, cl
		and	al, 0F7h
		mov	[esi+60h], ebx
		mov	[esi+5Ch], al
		test	ebx, ebx
		jz	short loc_510978
		test	cl, 1
		jz	short loc_5108EE
		push	0

loc_51096A:				; CODE XREF: KeSetSchedulingGroupRankBias+133j
		mov	edx, esi
		mov	ecx, edi
		call	KiResortScbQueue
		jmp	loc_5108EE
; 

loc_510978:				; CODE XREF: KeSetSchedulingGroupRankBias+F1j
		test	edi, edi
		jz	short loc_510906
		test	cl, 1
		jnz	loc_5E7490

loc_510985:				; CODE XREF: KeSetSchedulingGroupRankBias+D6C66j
					; KeSetSchedulingGroupRankBias+D6C77j
		and	byte ptr [esi+5Ch], 0FBh
		jmp	loc_5108EE
; 

loc_51098E:				; CODE XREF: KeSetSchedulingGroupRankBias+57j
					; KeSetSchedulingGroupRankBias+12Aj
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_51098E
		jmp	loc_5108C2
; 

loc_5109A1:				; CODE XREF: KeSetSchedulingGroupRankBias+78j
		push	1
		jmp	short loc_51096A
KeSetSchedulingGroupRankBias endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiCheckForEffectivePriorityChange(x, x)
_KiCheckForEffectivePriorityChange@8 proc near ; CODE XREF: KiUpdateCpuTargetByRate+132p
					; KeSetSchedulingGroupRankBias+86p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+8]
		test	esi, esi
		jnz	short loc_5109B6
		mov	esi, [edi+4]

loc_5109B6:				; CODE XREF: KiCheckForEffectivePriorityChange(x,x)+Bj
		mov	eax, [esi+50h]
		test	eax, eax
		jnz	short loc_5109C4

loc_5109BD:				; CODE XREF: KiCheckForEffectivePriorityChange(x,x)+26j
		cmp	eax, edx
		jz	short loc_5109D2

loc_5109C1:				; CODE XREF: KiCheckForEffectivePriorityChange(x,x)+4Fj
		pop	edi
		pop	esi
		retn
; 

loc_5109C4:				; CODE XREF: KiCheckForEffectivePriorityChange(x,x)+15j
		add	eax, [edi+3B34h]

loc_5109CA:				; CODE XREF: KiCheckForEffectivePriorityChange(x,x)+57j
		test	eax, eax
		jz	short loc_5109BD
		cmp	eax, edx
		jnz	short loc_5109F7

loc_5109D2:				; CODE XREF: KiCheckForEffectivePriorityChange(x,x)+19j
		test	byte ptr [esi+2], 4
		jz	short loc_5109E7
		mov	edx, edi
		mov	ecx, esi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_5109ED

loc_5109E7:				; CODE XREF: KiCheckForEffectivePriorityChange(x,x)+30j
		mov	cl, [esi+87h]

loc_5109ED:				; CODE XREF: KiCheckForEffectivePriorityChange(x,x)+3Fj
		mov	eax, [edi+33Ch]
		mov	[eax], cl
		jmp	short loc_5109C1
; 

loc_5109F7:				; CODE XREF: KiCheckForEffectivePriorityChange(x,x)+2Aj
		mov	eax, [eax+0F4h]
		jmp	short loc_5109CA
_KiCheckForEffectivePriorityChange@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiResetScb(x, x)
_KiResetScb@8	proc near		; CODE XREF: KiUpdateCpuTargetByRate+129p
					; KiUpdateCpuTargetByWeight+D6EE5p
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		and	byte ptr [esi+5Ch], 0F1h
		test	byte ptr [esi+5Ch], 20h
		mov	[esi], ebx
		mov	[esi+4], ebx
		mov	[esi+18h], ebx
		mov	[esi+1Ch], ebx
		mov	[esi+28h], ebx
		mov	[esi+2Ch], ebx
		mov	[esi+38h], ebx
		mov	[esi+3Ch], ebx
		mov	[esi+60h], ebx
		jnz	short loc_510A42
		mov	eax, [esi+64h]
		test	eax, eax
		jz	short loc_510A38
		mov	[eax], ebx

loc_510A38:				; CODE XREF: KiResetScb(x,x)+34j
					; KiResetScb(x,x)+45j
		cmp	[esi+5Eh], bx
		jnz	short loc_510A47

loc_510A3E:				; CODE XREF: KiResetScb(x,x)+76j
					; KiResetScb(x,x)+8Ej ...
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_510A42:				; CODE XREF: KiResetScb(x,x)+2Dj
		mov	[esi+68h], ebx
		jmp	short loc_510A38
; 

loc_510A47:				; CODE XREF: KiResetScb(x,x)+3Cj
		cmp	[esi+60h], ebx
		jnz	short loc_510A56

loc_510A4C:				; CODE XREF: KiResetScb(x,x)+A1j
		mov	eax, [ecx+0F4h]
		test	eax, eax
		jnz	short loc_510A9C

loc_510A56:				; CODE XREF: KiResetScb(x,x)+4Aj
					; KiResetScb(x,x)+A3j
		mov	edx, [ecx+60h]
		mov	eax, edx
		neg	eax
		push	ebx
		sbb	eax, eax
		not	eax
		and	eax, edi
		neg	edx
		push	eax
		sbb	edx, edx
		and	edx, ecx
		mov	ecx, esi
		call	KiMoveScbThreadsToNewReadylist
		test	byte ptr [esi+5Ch], 1
		jz	short loc_510A3E
		lea	ecx, [esi+0ECh]
		test	byte ptr [ecx+4], 1
		mov	eax, [ecx]
		jz	short loc_510A8C
		test	eax, eax
		jz	short loc_510A90
		xor	eax, ecx

loc_510A8C:				; CODE XREF: KiResetScb(x,x)+84j
		test	eax, eax
		jnz	short loc_510A3E

loc_510A90:				; CODE XREF: KiResetScb(x,x)+88j
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	KiRemoveSchedulingGroupQueue
		jmp	short loc_510A3E
; 

loc_510A9C:				; CODE XREF: KiResetScb(x,x)+54j
		mov	ecx, eax
		cmp	[ecx+60h], ebx
		jz	short loc_510A4C
		jmp	short loc_510A56
_KiResetScb@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KeGetSchedulingGroupSize()
_KeGetSchedulingGroupSize@0 proc near	; CODE XREF: PspFreeRateControl(x,x)+Bp
					; PspAllocateRateControl+9p ...
		mov	eax, ds:_KeMaximumProcessors
		shl	eax, 8
		sub	eax, 0FFFFFF80h
		retn
_KeGetSchedulingGroupSize@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDestroyLowBoxAtoms(x, x)
_RtlDestroyLowBoxAtoms@8 proc near	; CODE XREF: ExRemoveLowBoxAtomReferences(x,x)+3p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	edi, ecx
		call	_RtlpLockAtomTable@4 ; RtlpLockAtomTable(x)
		test	al, al
		jz	short loc_510B16
		xor	eax, eax
		lea	ecx, [edi+18h]
		mov	[ebp+var_10], eax
		cmp	[edi+14h], eax
		jbe	short loc_510B0F

loc_510AD8:				; CODE XREF: RtlDestroyLowBoxAtoms(x,x)+5Bj
		mov	ebx, [ecx]
		add	ecx, 4
		mov	[ebp+var_14], ecx
		mov	edx, ebx
		mov	[ebp+var_C], edx
		test	ebx, ebx
		jz	short loc_510B06

loc_510AE9:				; CODE XREF: RtlDestroyLowBoxAtoms(x,x)+4Cj
		mov	ebx, [ebx]
		lea	eax, [edx+8]
		mov	esi, [eax]
		mov	[ebp+var_4], eax
		cmp	esi, eax
		jnz	short loc_510B1B

loc_510AF7:				; CODE XREF: RtlDestroyLowBoxAtoms(x,x)+79j
					; RtlDestroyLowBoxAtoms(x,x)+A3j
		mov	[ebp+var_C], ebx
		mov	edx, ebx
		test	ebx, ebx
		jnz	short loc_510AE9
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_14]

loc_510B06:				; CODE XREF: RtlDestroyLowBoxAtoms(x,x)+35j
		inc	eax
		mov	[ebp+var_10], eax
		cmp	eax, [edi+14h]
		jb	short loc_510AD8

loc_510B0F:				; CODE XREF: RtlDestroyLowBoxAtoms(x,x)+24j
		mov	ecx, edi
		call	_RtlpUnlockAtomTable@4 ; RtlpUnlockAtomTable(x)

loc_510B16:				; CODE XREF: RtlDestroyLowBoxAtoms(x,x)+17j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_510B1B:				; CODE XREF: RtlDestroyLowBoxAtoms(x,x)+43j
		mov	edx, [ebp+var_8]

loc_510B1E:				; CODE XREF: RtlDestroyLowBoxAtoms(x,x)+77j
		mov	ecx, esi
		cmp	[esi+8], edx
		jz	short loc_510B2D

loc_510B25:				; CODE XREF: RtlDestroyLowBoxAtoms(x,x)+ABj
		mov	esi, [esi]
		cmp	esi, eax
		jnz	short loc_510B1E
		jmp	short loc_510AF7
; 

loc_510B2D:				; CODE XREF: RtlDestroyLowBoxAtoms(x,x)+71j
		mov	edx, [ecx]
		mov	eax, [esi+4]
		mov	esi, eax
		cmp	[edx+4], ecx
		jnz	short loc_510B5F
		cmp	[eax], ecx
		jnz	short loc_510B5F
		mov	[eax], edx
		mov	[edx+4], eax
		call	_RtlpFreeAtom@4	; RtlpFreeAtom(x)
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		push	edi
		call	_RtlpDereferenceAtom@12	; RtlpDereferenceAtom(x,x,x)
		test	al, al
		jnz	short loc_510AF7
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_8]
		jmp	short loc_510B25
; 

loc_510B5F:				; CODE XREF: RtlDestroyLowBoxAtoms(x,x)+85j
					; RtlDestroyLowBoxAtoms(x,x)+89j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_RtlDestroyLowBoxAtoms@8 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpDereferenceAtom(x, x, x)
_RtlpDereferenceAtom@12	proc near	; CODE XREF: RtlDestroyLowBoxAtoms(x,x)+9Cp
					; RtlDeleteAtomFromAtomTable+65p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	byte ptr [edx+0Eh], 1
		push	esi
		push	edi
		mov	esi, ecx
		jnz	short loc_510B7F
		mov	edi, 0FFFFh
		add	[edx+0Ch], di
		jz	short loc_510B88

loc_510B7F:				; CODE XREF: RtlpDereferenceAtom(x,x,x)+Ej
					; RtlpDereferenceAtom(x,x,x)+57j ...
		xor	al, al

loc_510B81:				; CODE XREF: RtlpDereferenceAtom(x,x,x)+37j
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
; 

loc_510B88:				; CODE XREF: RtlpDereferenceAtom(x,x,x)+19j
		lea	eax, [esi+8]
		cmp	edx, eax
		jnz	short loc_510B9D

loc_510B8F:				; CODE XREF: RtlpDereferenceAtom(x,x,x)+5Fj
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_RtlpFreeAllAtom@8 ; RtlpFreeAllAtom(x,x)
		mov	al, 1
		jmp	short loc_510B81
; 

loc_510B9D:				; CODE XREF: RtlpDereferenceAtom(x,x,x)+29j
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_510BC5
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	short loc_510BC5
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, edx
		call	_RtlpFreeAtom@4	; RtlpFreeAtom(x)
		test	byte ptr [esi+16h], 1
		jnz	short loc_510B7F
		add	[esi+14h], di
		jnz	short loc_510B7F
		jmp	short loc_510B8F
; 

loc_510BC5:				; CODE XREF: RtlpDereferenceAtom(x,x,x)+3Ej
					; RtlpDereferenceAtom(x,x,x)+45j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_RtlpDereferenceAtom@12	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFreeAllAtom(x, x)
_RtlpFreeAllAtom@8 proc	near		; CODE XREF: RtlpDereferenceAtom(x,x,x)+30p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ecx
		push	eax
		mov	ebx, edx
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		push	edx
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], edx
		push	eax
		push	edx
		lea	edx, [ecx+1Ah]
		mov	ecx, ebx
		call	RtlpHashStringToAtom
		test	eax, eax
		js	short loc_510C26
		mov	esi, [ebp+var_4]
		test	esi, esi
		jz	short loc_510C26
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_510C0D
		mov	eax, [esi]
		mov	[ecx], eax

loc_510C0D:				; CODE XREF: RtlpFreeAllAtom(x,x)+3Dj
		lea	edi, [esi+8]

loc_510C10:				; CODE XREF: RtlpFreeAllAtom(x,x)+77j
		mov	ecx, [edi]
		cmp	ecx, edi
		jnz	short loc_510C2B
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpFreeHandleForAtom@8 ; RtlpFreeHandleForAtom(x,x)
		mov	ecx, esi
		call	_RtlpFreeAtom@4	; RtlpFreeAtom(x)

loc_510C26:				; CODE XREF: RtlpFreeAllAtom(x,x)+2Fj
					; RtlpFreeAllAtom(x,x)+36j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_510C2B:				; CODE XREF: RtlpFreeAllAtom(x,x)+4Aj
		cmp	[ecx+4], edi
		jnz	short loc_510C43
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_510C43
		mov	[edi], eax
		mov	[eax+4], edi
		call	_RtlpFreeAtom@4	; RtlpFreeAtom(x)
		jmp	short loc_510C10
; 

loc_510C43:				; CODE XREF: RtlpFreeAllAtom(x,x)+64j
					; RtlpFreeAllAtom(x,x)+6Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_RtlpFreeAllAtom@8 endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspJobCycleTimeNotificationDpcRoutine proc near	; DATA XREF: sub_759647+BB8o

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E74EC SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	ecx, [ebp+arg_4]
		mov	edx, 746C6644h
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	short loc_510C76
		mov	ecx, [ebp+arg_4]
		mov	edx, 20000h
		call	_PspRequestDeferredJobNotification@8 ; PspRequestDeferredJobNotification(x,x)
		test	al, al
		jz	loc_5E74EC

loc_510C76:				; CODE XREF: PspJobCycleTimeNotificationDpcRoutine+17j
					; PspJobCycleTimeNotificationDpcRoutine+D68B1j
		mov	esp, ebp
		pop	ebp
		retn	10h
PspJobCycleTimeNotificationDpcRoutine endp


;  S U B	R O U T	I N E 


; __stdcall PspRequestDeferredJobNotification(x, x)
_PspRequestDeferredJobNotification@8 proc near
					; CODE XREF: PspJobCycleTimeNotificationDpcRoutine+21p
					; PspSendWakeNotification+7Fp
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebx+310h]
		mov	eax, [edi]

loc_510C8B:				; CODE XREF: PspRequestDeferredJobNotification(x,x)+17j
		mov	esi, eax
		or	esi, edx
		lock cmpxchg [edi], esi
		jnz	short loc_510C8B
		test	eax, 22000h
		jnz	short loc_510CCE
		mov	eax, _PspJobNotificationList

loc_510CA1:				; CODE XREF: PspRequestDeferredJobNotification(x,x)+3Aj
		mov	edx, eax
		mov	[ebx+204h], eax
		mov	ecx, ebx
		mov	esi, offset _PspJobNotificationList
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_510CA1
		test	edx, edx
		jnz	short loc_510CC8
		push	3
		push	offset _PspJobNotificationItem
		call	ExQueueWorkItem

loc_510CC8:				; CODE XREF: PspRequestDeferredJobNotification(x,x)+3Ej
		mov	al, 1

loc_510CCA:				; CODE XREF: PspRequestDeferredJobNotification(x,x)+54j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_510CCE:				; CODE XREF: PspRequestDeferredJobNotification(x,x)+1Ej
		xor	al, al
		jmp	short loc_510CCA
_PspRequestDeferredJobNotification@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoStartDiskIoAttributionForContext(x)
_IoStartDiskIoAttributionForContext@4 proc near	; CODE XREF: PspSetJobIoAttribution+8Bp
					; PspIoRateEntryActivate+18CDCFp

var_6		= byte ptr -6
var_5		= dword	ptr -5
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	offset _IopDiskIoAttributionLock
		mov	ebx, ecx
		call	ExAcquireSpinLockExclusive
		mov	edx, dword_6CCDA4
		mov	esi, _IopDiskIoAttributionTree
		mov	[ebp+var_1], al
		test	dl, 1
		jz	short loc_510D06
		test	esi, esi
		jz	short loc_510D06
		xor	esi, offset _IopDiskIoAttributionTree

loc_510D06:				; CODE XREF: IoStartDiskIoAttributionForContext(x)+28j
					; IoStartDiskIoAttributionForContext(x)+2Cj
		movzx	edi, dl
		and	edi, 1
		mov	byte ptr [ebp+var_5], 0
		test	esi, esi
		jz	short loc_510D51

loc_510D14:				; CODE XREF: IoStartDiskIoAttributionForContext(x)+63j
		lea	eax, [ebx+0Ch]
		push	esi
		push	eax
		call	_IopDiskIoAttributionTreeCompare@8 ; IopDiskIoAttributionTreeCompare(x,x)
		test	eax, eax
		js	short loc_510D37
		mov	eax, [esi+4]
		test	edi, edi
		jz	short loc_510D2F
		test	eax, eax
		jz	short loc_510D4D
		xor	eax, esi

loc_510D2F:				; CODE XREF: IoStartDiskIoAttributionForContext(x)+55j
		test	eax, eax
		jz	short loc_510D4D

loc_510D33:				; CODE XREF: IoStartDiskIoAttributionForContext(x)+73j
		mov	esi, eax
		jmp	short loc_510D14
; 

loc_510D37:				; CODE XREF: IoStartDiskIoAttributionForContext(x)+4Ej
		mov	eax, [esi]
		test	edi, edi
		jz	short loc_510D43
		test	eax, eax
		jz	short loc_510D47
		xor	eax, esi

loc_510D43:				; CODE XREF: IoStartDiskIoAttributionForContext(x)+69j
		test	eax, eax
		jnz	short loc_510D33

loc_510D47:				; CODE XREF: IoStartDiskIoAttributionForContext(x)+6Dj
		mov	byte ptr [ebp+var_5], 0
		jmp	short loc_510D51
; 

loc_510D4D:				; CODE XREF: IoStartDiskIoAttributionForContext(x)+59j
					; IoStartDiskIoAttributionForContext(x)+5Fj
		mov	byte ptr [ebp+var_5], 1

loc_510D51:				; CODE XREF: IoStartDiskIoAttributionForContext(x)+40j
					; IoStartDiskIoAttributionForContext(x)+79j
		push	ebx
		push	[ebp+var_5]
		push	esi
		push	offset _IopDiskIoAttributionTree
		call	RtlRbInsertNodeEx
		push	offset _IopDiskIoAttributionLock
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IoStartDiskIoAttributionForContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoDiskIoAttributionQuery proc near	; CODE XREF: IopIoRateStartRateControl+6Ap
					; IoGetIoRateControl+11Ep ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E74FE SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_2C], ecx
		mov	ebx, edx
		mov	[ebp+var_28], ecx
		stosd
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		stosd
		mov	eax, ecx
		or	eax, 200h
		inc	ecx
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_1C]
		push	eax
		mov	[ebp+var_34], ecx
		call	_KeQueryUnbiasedInterruptTimePrecise@4 ; KeQueryUnbiasedInterruptTimePrecise(x)
		mov	[ebp+var_18], edx
		lea	ecx, [esi+14h]
		lea	edx, [ebp+var_14]
		mov	[ebp+var_1C], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	3
		lea	edx, [ebp+var_34]
		mov	ecx, esi
		call	IopRecordIoAttribution
		add	esi, 40h
		mov	edi, ebx
		push	8
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_8]
		mov	edi, [ebp+arg_0]
		add	esi, 68h
		test	ds:byte_70EFC6,	1
		push	8
		pop	ecx
		rep movsd
		jnz	loc_5E74FE
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_5E7516
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jnz	loc_5E750E

loc_510E1B:				; CODE XREF: IoDiskIoAttributionQuery+D6791j
					; IoDiskIoAttributionQuery+D67AEj
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
IoDiskIoAttributionQuery endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoGetIoRateControl proc	near

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 005E752B SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		push	ebx
		push	esi
		push	edi
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+68h+var_20]
		rep stosd
		push	8
		pop	ecx
		lea	edi, [esp+68h+var_40]
		xor	ebx, ebx
		rep stosd
		mov	eax, [ebp+arg_18]
		lea	edx, [esp+68h+var_58]
		mov	ecx, [ebp+arg_0]
		mov	edi, ebx
		mov	[esp+68h+var_54], ebx
		mov	[esp+68h+var_48], ebx
		mov	[eax], ebx
		lea	eax, [esp+68h+var_54]
		push	eax
		mov	[esp+6Ch+var_44], ebx
		mov	[esp+6Ch+var_58], ebx
		mov	[esp+6Ch+var_5C], edi
		call	_IopAcquireReferencesFromIoAttributionHandle@12	; IopAcquireReferencesFromIoAttributionHandle(x,x,x)
		test	eax, eax
		js	loc_510F18
		push	[ebp+arg_10]
		mov	edi, [ebp+arg_C]
		lea	eax, [esp+6Ch+var_48]
		mov	edx, [ebp+arg_4]
		mov	ecx, [esp+6Ch+var_54]
		push	eax
		push	edi
		call	PsIoRateControlReference
		mov	esi, [ebp+arg_14]
		mov	ecx, ebx
		add	esi, 10h
		mov	[esp+68h+var_50], ecx
		mov	[esp+68h+var_4C], esi

loc_510EAC:				; CODE XREF: IoGetIoRateControl+98j
		cmp	[edi+ecx*4], ebx
		jnz	loc_510F3D

loc_510EB5:				; CODE XREF: IoGetIoRateControl+16Fj
		inc	ecx
		add	esi, 20h
		mov	[esp+68h+var_50], ecx
		mov	[esp+68h+var_4C], esi
		cmp	ecx, 2
		jb	short loc_510EAC
		mov	esi, [esp+68h+var_58]
		mov	ecx, esi
		mov	eax, [esi+90h]

loc_510ED2:				; CODE XREF: IoGetIoRateControl+D6707j
		test	eax, eax
		jnz	loc_5E752B
		mov	eax, [ecx+0Ch]
		mov	ecx, [ebp+arg_18]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_1C]
		test	ecx, ecx
		jz	loc_5E7553
		mov	eax, [ebp+arg_8]
		mov	[ecx], ebx
		mov	eax, [eax+150h]
		cmp	[eax+158h], ebx
		jz	short loc_510F0C
		mov	eax, [eax+158h]
		mov	ebx, [eax+3A4h]

loc_510F0C:				; CODE XREF: IoGetIoRateControl+D2j
		test	ebx, ebx
		jnz	loc_5E7538

loc_510F14:				; CODE XREF: IoGetIoRateControl+D671Aj
		mov	edi, [esp+68h+var_5C]

loc_510F18:				; CODE XREF: IoGetIoRateControl+52j
		mov	esi, [esp+68h+var_58]

loc_510F1C:				; CODE XREF: IoGetIoRateControl+D672Bj
		test	esi, esi
		jz	short loc_510F32
		lea	ecx, [esi+8Ch]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, esi
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)

loc_510F32:				; CODE XREF: IoGetIoRateControl+F2j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_510F3D:				; CODE XREF: IoGetIoRateControl+83j
		mov	ecx, [esp+ecx*4+68h+var_48]
		lea	eax, [esp+68h+var_40]
		push	eax
		lea	edx, [esp+6Ch+var_20]
		call	IoDiskIoAttributionQuery
		mov	eax, [esp+68h+var_28]
		lea	edx, [esi-10h]
		push	8
		pop	ecx
		lea	esi, [esp+68h+var_20]
		mov	edi, edx
		rep movsd
		mov	esi, [esp+68h+var_4C]
		mov	ecx, [esp+68h+var_50]
		mov	edi, [ebp+arg_C]
		add	[esi+8], eax
		mov	eax, [esp+68h+var_30]
		add	[esi], eax
		mov	eax, [esp+68h+var_2C]
		adc	[esi+4], eax
		mov	eax, [esp+68h+var_40]
		add	[edx], eax
		mov	eax, [esp+68h+var_3C]
		adc	[edx+4], eax
		mov	eax, [esp+68h+var_38]
		add	[esi-8], eax
		mov	eax, [esp+68h+var_34]
		adc	[esi-4], eax
		inc	[esp+68h+var_5C]
		jmp	loc_510EB5
IoGetIoRateControl endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAcquireReferencesFromIoAttributionHandle(x, x, x)
_IopAcquireReferencesFromIoAttributionHandle@12	proc near
					; CODE XREF: IoGetIoRateControl+4Bp
					; IoNotifyQuotaState(x,x,x,x,x)+20p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		call	_IopFindDiskIoAttribution@4 ; IopFindDiskIoAttribution(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_510FE0
		lea	ecx, [esi+8Ch]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_510FE7
		mov	eax, [ebp+arg_0]
		mov	ecx, [esi+88h]
		mov	[edi], esi
		xor	esi, esi
		mov	edi, esi
		mov	[eax], ecx

loc_510FD4:				; CODE XREF: IopAcquireReferencesFromIoAttributionHandle(x,x,x)+4Cj
		test	esi, esi
		jnz	short loc_510FEE

loc_510FD8:				; CODE XREF: IopAcquireReferencesFromIoAttributionHandle(x,x,x)+45j
					; IopAcquireReferencesFromIoAttributionHandle(x,x,x)+55j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_510FE0:				; CODE XREF: IopAcquireReferencesFromIoAttributionHandle(x,x,x)+12j
		mov	edi, 0C0000225h
		jmp	short loc_510FD8
; 

loc_510FE7:				; CODE XREF: IopAcquireReferencesFromIoAttributionHandle(x,x,x)+21j
		mov	edi, 0C0000189h
		jmp	short loc_510FD4
; 

loc_510FEE:				; CODE XREF: IopAcquireReferencesFromIoAttributionHandle(x,x,x)+36j
		mov	ecx, esi
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		jmp	short loc_510FD8
_IopAcquireReferencesFromIoAttributionHandle@12	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 934. IoRecordIoAttribution

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoRecordIoAttribution
IoRecordIoAttribution proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E755C SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		cmp	dword ptr [ebx], 1
		jnz	short loc_511060
		mov	ecx, [ebp+arg_0]
		call	_IopFindDiskIoAttribution@4 ; IopFindDiskIoAttribution(x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	short loc_511059
		push	edi
		mov	edi, eax

loc_51101D:				; CODE XREF: IoRecordIoAttribution+48j
		mov	eax, [ebx+4]
		test	eax, 800h
		jnz	loc_5E755C

loc_51102B:				; CODE XREF: IoRecordIoAttribution+D6565j
					; IoRecordIoAttribution+D6578j
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	IopRecordIoAttribution
		mov	esi, eax
		test	esi, esi
		js	short loc_511048

loc_51103C:				; CODE XREF: IoRecordIoAttribution+D6572j
		mov	edi, [edi+90h]
		test	edi, edi
		jnz	short loc_51101D
		xor	esi, esi

loc_511048:				; CODE XREF: IoRecordIoAttribution+3Ej
		mov	ecx, [ebp+arg_4]
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		pop	edi

loc_511051:				; CODE XREF: IoRecordIoAttribution+62j
					; IoRecordIoAttribution+69j
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_511059:				; CODE XREF: IoRecordIoAttribution+1Cj
		mov	esi, 0C0000008h
		jmp	short loc_511051
; 

loc_511060:				; CODE XREF: IoRecordIoAttribution+Dj
		mov	esi, 0C0000059h
		jmp	short loc_511051
IoRecordIoAttribution endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFindDiskIoAttribution(x)
_IopFindDiskIoAttribution@4 proc near	; CODE XREF: IopAcquireReferencesFromIoAttributionHandle(x,x,x)+9p
					; IoRecordIoAttribution+12p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	offset _IopDiskIoAttributionLock
		mov	[ebp+var_8], ecx
		xor	ebx, ebx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	esi, _IopDiskIoAttributionTree
		mov	[ebp+var_1], al
		mov	eax, dword_6CCDA4
		test	al, 1
		jz	short loc_5110A1
		test	esi, esi
		jnz	short loc_51109B
		mov	esi, ebx
		jmp	short loc_5110A1
; 

loc_51109B:				; CODE XREF: IopFindDiskIoAttribution(x)+2Dj
		xor	esi, offset _IopDiskIoAttributionTree

loc_5110A1:				; CODE XREF: IopFindDiskIoAttribution(x)+29j
					; IopFindDiskIoAttribution(x)+31j
		movzx	edi, al
		and	edi, 1
		test	esi, esi
		jz	short loc_5110E1

loc_5110AB:				; CODE XREF: IopFindDiskIoAttribution(x)+63j
		push	esi
		lea	eax, [ebp+var_8]
		push	eax
		call	_IopDiskIoAttributionTreeCompare@8 ; IopDiskIoAttributionTreeCompare(x,x)
		test	eax, eax
		jns	short loc_5110FB
		mov	eax, [esi]

loc_5110BB:				; CODE XREF: IopFindDiskIoAttribution(x)+98j
		test	edi, edi
		jz	short loc_5110C7
		test	eax, eax
		jz	short loc_5110C7
		xor	esi, eax
		jmp	short loc_5110C9
; 

loc_5110C7:				; CODE XREF: IopFindDiskIoAttribution(x)+55j
					; IopFindDiskIoAttribution(x)+59j
		mov	esi, eax

loc_5110C9:				; CODE XREF: IopFindDiskIoAttribution(x)+5Dj
		test	esi, esi
		jnz	short loc_5110AB

loc_5110CD:				; CODE XREF: IopFindDiskIoAttribution(x):loc_5110FBj
		test	esi, esi
		jz	short loc_5110E1
		xor	eax, eax
		mov	ebx, esi
		inc	eax
		lock xadd [esi+10h], eax
		inc	eax
		cmp	eax, 1
		jle	short loc_511102

loc_5110E1:				; CODE XREF: IopFindDiskIoAttribution(x)+41j
					; IopFindDiskIoAttribution(x)+67j ...
		push	offset _IopDiskIoAttributionLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_5110FB:				; CODE XREF: IopFindDiskIoAttribution(x)+4Fj
		jle	short loc_5110CD
		mov	eax, [esi+4]
		jmp	short loc_5110BB
; 

loc_511102:				; CODE XREF: IopFindDiskIoAttribution(x)+77j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_5110E1
_IopFindDiskIoAttribution@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDiskIoAttributionTreeCompare(x, x)
_IopDiskIoAttributionTreeCompare@8 proc	near
					; CODE XREF: IoStartDiskIoAttributionForContext(x)+47p
					; IopFindDiskIoAttribution(x)+48p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+0Ch]
		cmp	eax, ecx
		ja	short loc_511126
		sbb	eax, eax
		neg	eax

loc_511122:				; CODE XREF: IopDiskIoAttributionTreeCompare(x,x)+1Fj
		pop	ebp
		retn	8
; 

loc_511126:				; CODE XREF: IopDiskIoAttributionTreeCompare(x,x)+12j
		or	eax, 0FFFFFFFFh
		jmp	short loc_511122
_IopDiskIoAttributionTreeCompare@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall IoDiskIoAttributionDereference(x)
_IoDiskIoAttributionDereference@4 proc near
					; CODE XREF: IoSetDiskIoAttributionOnProcess(x,x)+62p
					; MiCheckAndUpdateIoAttribution(x)+68p	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [esi+10h], eax
		dec	eax
		test	eax, eax
		jle	short loc_511140
		pop	esi
		retn
; 

loc_511140:				; CODE XREF: IoDiskIoAttributionDereference(x)+10j
		jnz	short loc_511156
		mov	ecx, [esi+90h]
		test	ecx, ecx
		jnz	short loc_51115D

loc_51114C:				; CODE XREF: IoDiskIoAttributionDereference(x)+36j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
; 

loc_511156:				; CODE XREF: IoDiskIoAttributionDereference(x):loc_511140j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		pop	esi
		retn
; 

loc_51115D:				; CODE XREF: IoDiskIoAttributionDereference(x)+1Ej
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		jmp	short loc_51114C
_IoDiskIoAttributionDereference@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopRecordIoAttribution proc near	; CODE XREF: IoDiskIoAttributionQuery+57p
					; IoRecordIoAttribution+35p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= byte ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005E7579 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_38]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		mov	eax, [edx+4]
		xor	edi, edi
		mov	[ebp+var_8], eax
		movzx	eax, al
		mov	[ebp+var_2C], edi
		sub	eax, 3
		jnz	loc_511363
		lea	esi, [ebx+38h]

loc_511196:				; CODE XREF: IopRecordIoAttribution+207j
					; IopRecordIoAttribution+217j ...
		test	[ebp+arg_0], 2
		mov	eax, [edx+18h]
		mov	ecx, [edx+1Ch]
		mov	[ebp+var_C], eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_24], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_20], edi
		jnz	short loc_5111D2
		lea	ecx, [ebx+14h]
		mov	[ebp+var_2C], 1
		lea	edx, [ebp+var_38]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_18]
		mov	eax, [edx+4]
		mov	[ebp+var_8], eax

loc_5111D2:				; CODE XREF: IopRecordIoAttribution+4Ej
		test	[ebp+var_8], 100h
		mov	eax, [ebp+var_C]
		jnz	loc_511310
		test	[ebp+arg_0], 1
		jnz	short loc_5111F6
		dec	dword ptr [ebx+30h]
		dec	dword ptr [esi]
		mov	eax, [edx+4]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_C]

loc_5111F6:				; CODE XREF: IopRecordIoAttribution+82j
		test	[ebp+var_8], 200h
		jnz	short loc_51126B
		mov	ecx, [ebx+18h]
		mov	dword ptr [ebp+arg_0], ecx
		mov	ecx, [ebx+1Ch]
		mov	[ebp+var_8], ecx
		mov	ecx, [edx+10h]
		mov	[ebp+var_10], ecx
		mov	ecx, [edx+14h]
		cmp	[ebp+var_8], ecx
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+var_18]
		jb	short loc_51122C
		ja	short loc_511238
		mov	eax, dword ptr [ebp+arg_0]
		cmp	eax, [ebp+var_10]
		mov	eax, [ebp+var_C]
		ja	short loc_511238

loc_51122C:				; CODE XREF: IopRecordIoAttribution+B9j
		mov	edx, [ebp+var_10]
		mov	dword ptr [ebp+arg_0], edx
		mov	edx, [ebp+var_14]
		mov	[ebp+var_8], edx

loc_511238:				; CODE XREF: IopRecordIoAttribution+BBj
					; IopRecordIoAttribution+C6j
		cmp	ecx, [ebp+var_8]
		ja	short loc_51124C
		jb	loc_5E7579
		cmp	eax, dword ptr [ebp+arg_0]
		jb	loc_5E7579

loc_51124C:				; CODE XREF: IopRecordIoAttribution+D7j
		mov	edx, eax
		mov	[ebx+18h], eax
		sub	edx, dword ptr [ebp+arg_0]
		mov	[ebp+var_24], edx
		mov	edx, ecx
		sbb	edx, [ebp+var_8]
		mov	[ebp+var_28], edx
		mov	edx, [ebp+var_4]
		mov	[ebx+1Ch], ecx
		mov	eax, [edx+10h]
		mov	ecx, [edx+14h]

loc_51126B:				; CODE XREF: IopRecordIoAttribution+99j
					; IopRecordIoAttribution+D641Bj
		mov	edx, [ebx+20h]
		mov	dword ptr [ebp+arg_0], edx
		mov	edx, [ebx+24h]
		mov	[ebp+var_10], edx
		mov	edx, [ebx+28h]
		mov	[ebp+var_18], edx
		mov	edx, [ebx+2Ch]
		mov	[ebp+var_14], edx
		mov	edx, [ebp+var_10]
		cmp	edx, [ebp+var_14]
		mov	edx, [ebp+var_4]
		jb	short loc_51129B
		ja	short loc_5112AA
		mov	edx, [ebp+var_18]
		cmp	dword ptr [ebp+arg_0], edx
		mov	edx, [ebp+var_4]
		ja	short loc_5112AA

loc_51129B:				; CODE XREF: IopRecordIoAttribution+128j
		mov	edx, [ebp+var_18]
		mov	dword ptr [ebp+arg_0], edx
		mov	edx, [ebp+var_14]
		mov	[ebp+var_10], edx
		mov	edx, [ebp+var_4]

loc_5112AA:				; CODE XREF: IopRecordIoAttribution+12Aj
					; IopRecordIoAttribution+135j
		cmp	ecx, [ebp+var_10]
		jb	short loc_5112CF
		ja	short loc_5112B6
		cmp	eax, dword ptr [ebp+arg_0]
		jb	short loc_5112CF

loc_5112B6:				; CODE XREF: IopRecordIoAttribution+14Bj
		mov	edx, eax
		mov	[ebx+20h], eax
		sub	edx, dword ptr [ebp+arg_0]
		mov	[ebp+var_1C], edx
		mov	edx, ecx
		sbb	edx, [ebp+var_10]
		mov	[ebp+var_20], edx
		mov	edx, [ebp+var_4]
		mov	[ebx+24h], ecx

loc_5112CF:				; CODE XREF: IopRecordIoAttribution+149j
					; IopRecordIoAttribution+150j
		mov	eax, [ebp+var_1C]
		add	[esi+8], eax
		mov	eax, [ebp+var_20]
		adc	[esi+0Ch], eax
		test	dword ptr [edx+4], 200h
		jnz	short loc_511325
		mov	eax, [ebp+var_24]
		add	[esi+10h], eax
		mov	eax, [ebp+var_28]
		adc	[esi+14h], eax
		mov	eax, [edx+8]
		add	[esi+18h], eax
		adc	[esi+1Ch], edi
		mov	eax, [edx+8]
		xor	edx, edx
		dec	eax
		add	eax, _IopDiskIoAttributionBaseIoSize
		div	_IopDiskIoAttributionBaseIoSize
		add	[esi+20h], eax
		jmp	short loc_511325
; 

loc_511310:				; CODE XREF: IopRecordIoAttribution+78j
		mov	edx, [ebx+30h]
		test	edx, edx
		jnz	short loc_51138D

loc_511317:				; CODE XREF: IopRecordIoAttribution+22Ej
					; IopRecordIoAttribution+235j
		mov	[ebx+28h], eax
		mov	[ebx+2Ch], ecx

loc_51131D:				; CODE XREF: IopRecordIoAttribution+22Cj
					; IopRecordIoAttribution+233j
		lea	eax, [edx+1]
		mov	[ebx+30h], eax
		inc	dword ptr [esi]

loc_511325:				; CODE XREF: IopRecordIoAttribution+17Ej
					; IopRecordIoAttribution+1AAj
		cmp	[ebp+var_2C], edi
		jz	short loc_51135A
		test	ds:byte_70EFC6,	1
		jnz	loc_5E7584
		mov	eax, [ebp+var_38]
		test	eax, eax
		jnz	short loc_5113A6
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_38]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_38]
		cmp	eax, ecx
		jnz	short loc_51139E

loc_511351:				; CODE XREF: IopRecordIoAttribution+24Ej
					; IopRecordIoAttribution+D642Bj
		mov	cl, [ebp+var_30]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_51135A:				; CODE XREF: IopRecordIoAttribution+1C4j
					; IopRecordIoAttribution+222j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_511363:				; CODE XREF: IopRecordIoAttribution+29j
		sub	eax, 1
		jnz	short loc_511370
		lea	esi, [ebx+60h]
		jmp	loc_511196
; 

loc_511370:				; CODE XREF: IopRecordIoAttribution+202j
		test	[ebp+arg_0], 1
		jz	short loc_5113B4
		lea	esi, [ebx+38h]
		cmp	[esi], edi
		jnz	loc_511196
		lea	esi, [ebx+60h]
		cmp	[esi], edi
		jz	short loc_51135A
		jmp	loc_511196
; 

loc_51138D:				; CODE XREF: IopRecordIoAttribution+1B1j
		cmp	ecx, [ebx+2Ch]
		ja	short loc_51131D
		jb	short loc_511317
		cmp	eax, [ebx+28h]
		jnb	short loc_51131D
		jmp	loc_511317
; 

loc_51139E:				; CODE XREF: IopRecordIoAttribution+1EBj
		lea	ecx, [ebp+var_38]
		call	KxWaitForLockChainValid

loc_5113A6:				; CODE XREF: IopRecordIoAttribution+1D8j
		lea	ecx, [eax+4]
		mov	[ebp+var_38], edi
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax
		jmp	short loc_511351
; 

loc_5113B4:				; CODE XREF: IopRecordIoAttribution+210j
		mov	edi, 0C00000BBh
		jmp	short loc_51135A
IopRecordIoAttribution endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsIoRateControlReference proc near	; CODE XREF: IoGetIoRateControl+6Bp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E7594 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		lea	esi, [edi+340h]
		mov	ecx, esi
		call	_PspIoRateEntryIoControlReference@4 ; PspIoRateEntryIoControlReference(x)
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	[ecx], eax
		test	eax, eax
		jnz	short loc_511415
		xor	esi, esi

loc_5113E5:				; CODE XREF: PsIoRateControlReference+61j
		mov	ebx, [ebp+arg_8]
		mov	[ebx], esi
		and	dword ptr [ecx+4], 0
		lea	ecx, [edi+360h]
		and	dword ptr [ebx+4], 0
		test	byte ptr [ecx+4], 1
		mov	eax, [ecx]
		jz	short loc_511406
		test	eax, eax
		jz	short loc_51140E
		xor	eax, ecx

loc_511406:				; CODE XREF: PsIoRateControlReference+42j
		test	eax, eax
		jnz	loc_5E7594

loc_51140E:				; CODE XREF: PsIoRateControlReference+46j
					; PsIoRateControlReference+D61DDj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_511415:				; CODE XREF: PsIoRateControlReference+25j
		mov	eax, [edi+328h]
		mov	[edx], eax
		jmp	short loc_5113E5
PsIoRateControlReference endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PspIoRateEntryIoControlReference(x)
_PspIoRateEntryIoControlReference@4 proc near ;	CODE XREF: PsIoRateControlReference+16p
					; PspJobIoRateVolumeEntryReference(x,x)+78p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		lea	ecx, [esi+10h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_511435
		xor	eax, eax
		pop	esi
		retn
; 

loc_511435:				; CODE XREF: PspIoRateEntryIoControlReference(x)+Fj
		mov	eax, [esi+14h]
		pop	esi
		retn
_PspIoRateEntryIoControlReference@4 endp


;  S U B	R O U T	I N E 


; __stdcall IoStopDiskIoAttributionForContext(x)
_IoStopDiskIoAttributionForContext@4 proc near ; CODE XREF: PspRemoveIoAttribution(x)+1Bp
					; PspIoRateEntryActivate+18CDF3p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, offset _IopDiskIoAttributionLock
		mov	esi, ecx
		push	edi
		call	ExAcquireSpinLockExclusive
		push	esi
		push	offset _IopDiskIoAttributionTree
		mov	bl, al
		call	RtlRbRemoveNode
		or	dword ptr [esi+8], 0FFFFFFFFh
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		lea	ecx, [esi+8Ch]
		pop	esi
		pop	ebx
		jmp	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
_IoStopDiskIoAttributionForContext@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall SepLocateTokenIntegrity(x)
_SepLocateTokenIntegrity@4 proc	near	; CODE XREF: SepMandatorySubProcessToken+EE98Bp
					; SepMandatorySubProcessToken+EEA61p ...
		mov	edx, [ecx+0B8h]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_51148F
		mov	eax, [ecx+94h]
		lea	eax, [eax+edx*8]
		retn
; 

loc_51148F:				; CODE XREF: SepLocateTokenIntegrity(x)+9j
		xor	eax, eax
		retn
_SepLocateTokenIntegrity@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSetFileObjectExtensionFlag proc near	; CODE XREF: IopCheckInitiatorHint(x,x)+F9p
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+B7Dp

var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005E75CA SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		cmp	[ebp+arg_0], 0
		push	esi
		mov	esi, edx
		jz	loc_5E75CA
		lea	edx, [ebp+var_4]
		call	IopAllocateFileObjectExtension
		mov	ecx, [ebp+var_4]

loc_5114B4:				; CODE XREF: IopSetFileObjectExtensionFlag+D6148j
		test	eax, eax
		js	short loc_5114BC

loc_5114B8:				; CODE XREF: IopSetFileObjectExtensionFlag+D613Dj
		or	[ecx], esi
		xor	eax, eax

loc_5114BC:				; CODE XREF: IopSetFileObjectExtensionFlag+24j
		pop	esi
		leave
		retn	4
IopSetFileObjectExtensionFlag endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 883. IoGetSilo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetSilo(x)
		public _IoGetSilo@4
_IoGetSilo@4	proc near		; CODE XREF: IopAllocateFoExtensionsOnCreate+68p
					; IopAllocateFoExtensionsOnCreate+116p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+7Ch]
		test	eax, eax
		jnz	short loc_5114DF

loc_5114D5:				; CODE XREF: IoGetSilo(x)+24j
		test	eax, eax
		jnz	short loc_5114EC

loc_5114D9:				; CODE XREF: IoGetSilo(x)+1Fj
		xor	eax, eax

loc_5114DB:				; CODE XREF: IoGetSilo(x)+29j
		pop	ebp
		retn	4
; 

loc_5114DF:				; CODE XREF: IoGetSilo(x)+Dj
		cmp	eax, _IopRevocationExtension
		jz	short loc_5114D9
		mov	eax, [eax+20h]
		jmp	short loc_5114D5
; 

loc_5114EC:				; CODE XREF: IoGetSilo(x)+11j
		mov	eax, [eax+8]
		jmp	short loc_5114DB
_IoGetSilo@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspJobIoRateVolumeEntryRemoveAll(x,	x)
_PspJobIoRateVolumeEntryRemoveAll@8 proc near ;	CODE XREF: PspJobIoRateControlDisable+26p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	edi
		lea	edi, [esi+35Ch]
		push	edi
		mov	[ebp+var_10], edi
		call	ExAcquireSpinLockExclusive
		add	esi, 360h
		mov	[ebp+var_1], al
		mov	[ebp+var_C], esi
		test	byte ptr [esi+4], 1
		mov	ecx, [esi]
		jz	short loc_51152A
		test	ecx, ecx
		jz	short loc_51152A
		xor	ecx, esi

loc_51152A:				; CODE XREF: PspJobIoRateVolumeEntryRemoveAll(x,x)+30j
					; PspJobIoRateVolumeEntryRemoveAll(x,x)+34j
		mov	al, [esi+4]
		push	ebx
		movzx	ebx, al
		and	ebx, 1
		test	ecx, ecx
		jz	short loc_511585
		mov	esi, [ebp+var_8]

loc_51153B:				; CODE XREF: PspJobIoRateVolumeEntryRemoveAll(x,x)+6Fj
					; PspJobIoRateVolumeEntryRemoveAll(x,x)+88j ...
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_51154B
		mov	edx, ecx
		test	ebx, ebx
		jnz	short loc_51155C
		mov	ecx, eax
		jmp	short loc_51155E
; 

loc_51154B:				; CODE XREF: PspJobIoRateVolumeEntryRemoveAll(x,x)+4Dj
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_511563
		mov	edx, ecx
		test	ebx, ebx
		jnz	short loc_5115A8
		mov	ecx, eax
		jmp	short loc_5115AA
; 

loc_51155C:				; CODE XREF: PspJobIoRateVolumeEntryRemoveAll(x,x)+53j
		xor	ecx, eax

loc_51155E:				; CODE XREF: PspJobIoRateVolumeEntryRemoveAll(x,x)+57j
		and	dword ptr [edx], 0
		jmp	short loc_51153B
; 

loc_511563:				; CODE XREF: PspJobIoRateVolumeEntryRemoveAll(x,x)+5Ej
		mov	edi, [ecx+8]
		and	edi, 0FFFFFFFCh
		test	ebx, ebx
		jnz	short loc_5115B0

loc_51156D:				; CODE XREF: PspJobIoRateVolumeEntryRemoveAll(x,x)+C0j
					; PspJobIoRateVolumeEntryRemoveAll(x,x)+C4j
		push	esi
		push	ecx
		call	_PspIoRateEntryVolumeDelete@8 ;	PspIoRateEntryVolumeDelete(x,x)
		test	edi, edi
		jz	short loc_51157C
		mov	ecx, edi
		jmp	short loc_51153B
; 

loc_51157C:				; CODE XREF: PspJobIoRateVolumeEntryRemoveAll(x,x)+84j
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_10]
		mov	al, [esi+4]

loc_511585:				; CODE XREF: PspJobIoRateVolumeEntryRemoveAll(x,x)+44j
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		pop	ebx
		test	al, 1
		jz	short loc_511595
		mov	byte ptr [esi+4], 1

loc_511595:				; CODE XREF: PspJobIoRateVolumeEntryRemoveAll(x,x)+9Dj
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		leave
		retn
; 

loc_5115A8:				; CODE XREF: PspJobIoRateVolumeEntryRemoveAll(x,x)+64j
		xor	ecx, eax

loc_5115AA:				; CODE XREF: PspJobIoRateVolumeEntryRemoveAll(x,x)+68j
		and	dword ptr [edx+4], 0
		jmp	short loc_51153B
; 

loc_5115B0:				; CODE XREF: PspJobIoRateVolumeEntryRemoveAll(x,x)+79j
		test	edi, edi
		jz	short loc_51156D
		xor	edi, ecx
		jmp	short loc_51156D
_PspJobIoRateVolumeEntryRemoveAll@8 endp

; 

PspJobDelete:				; DATA XREF: PspInitPhase0+27Bo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+48h], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, [ebp+8]
		lea	edi, [esp+40h]
		xor	ebx, ebx
		stosd
		push	8
		pop	ecx
		mov	[esp+0Ch], ebx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+20h]
		rep stosd
		lea	edi, [esp+14h]
		stosd
		lea	ecx, [esi+2FCh]
		stosd
		stosd
		mov	edi, large fs:124h
		call	_PspEmptyPropertySet@4 ; PspEmptyPropertySet(x)
		mov	ecx, esi
		call	PspJobDeleteStorageArrays
		cmp	[esi+21Ch], ebx
		jnz	loc_5117A1
		cmp	[esi+30Ch], ebx
		jnz	loc_5117A1

loc_511628:				; CODE XREF: .text:005117EFj
		mov	ecx, esi
		call	PspJobIoRateControlDisable
		cmp	[esi+328h], ebx
		jnz	loc_5E761E

loc_51163B:				; CODE XREF: .text:005E765Ej
		mov	eax, [esi+0E8h]
		mov	[esp+10h], eax
		cmp	eax, 0FFFFFFFDh
		ja	short loc_51167F
		mov	edx, edi
		mov	[esp+14h], esi
		mov	ecx, esi
		mov	dword ptr [esp+18h], 2
		mov	[esp+1Ch], ebx
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		lea	eax, [esp+10h]
		push	eax
		push	1
		lea	eax, [esp+1Ch]
		push	eax
		push	6
		call	PsInvokeWin32Callout
		mov	edx, edi
		mov	ecx, esi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)

loc_51167F:				; CODE XREF: .text:00511648j
		mov	ecx, [esi+0D4h]
		mov	[esi+0B0h], ebx
		test	ecx, ecx
		jnz	loc_5E7663

loc_511693:				; CODE XREF: .text:005E7673j
		mov	eax, [esi+0C4h]
		test	eax, eax
		jnz	loc_5E7678

loc_5116A1:				; CODE XREF: .text:005E76A0j
		mov	ecx, edi
		call	_PspLockJobListExclusive@4 ; PspLockJobListExclusive(x)
		lea	eax, [esi+10h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_51185F
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_51185F
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, edi
		call	PspUnlockJobListExclusive
		mov	eax, [esi+210h]
		test	eax, eax
		jnz	loc_511838

loc_5116DB:				; CODE XREF: .text:0051185Aj
		mov	eax, [esi+218h]
		test	eax, eax
		jz	short loc_5116EB
		push	eax
		call	_IoFreeMiniCompletionPacket@4 ;	IoFreeMiniCompletionPacket(x)

loc_5116EB:				; CODE XREF: .text:005116E3j
		test	dword ptr [esi+310h], 800h
		jz	short loc_511703
		lea	eax, [esi+1B0h]
		push	eax
		call	_ZwDeleteWnfStateName@4	; ZwDeleteWnfStateName(x)

loc_511703:				; CODE XREF: .text:005116F5j
		lea	edx, [esp+40h]
		mov	ecx, esi
		call	_PspGetJobLockHierarchyForDeletion@8 ; PspGetJobLockHierarchyForDeletion(x,x)
		push	ebx
		push	edi
		xor	edx, edx
		lea	ecx, [esp+48h]
		call	_PspLockJobsAndProcessExclusive@16 ; PspLockJobsAndProcessExclusive(x,x,x,x)
		lea	eax, [esi+234h]
		mov	ecx, [eax]
		cmp	ecx, eax
		jnz	loc_5117F4

loc_51172B:				; CODE XREF: .text:00511820j
		push	edi
		xor	edx, edx
		lea	ecx, [esp+44h]
		call	PspUnlockJobsAndProcessExclusive
		lea	eax, [esi+20h]
		push	eax
		call	ExDeleteResourceLite
		cmp	[esi+254h], ebx
		ja	loc_511825

loc_51174C:				; CODE XREF: .text:0051182Dj
					; .text:005E76B6j
		test	dword ptr [esi+310h], 40000000h
		jnz	loc_5E76BB

loc_51175C:				; CODE XREF: .text:005E76C2j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	edx, [esi+2D4h]
		test	edx, edx
		jz	short loc_511788
		mov	ecx, ds:_PspUniqueJobIdTable
		call	ExMapHandleToPointer
		mov	edx, [esi+2D4h]
		mov	ecx, ds:_PspUniqueJobIdTable
		push	eax
		call	ExDestroyHandle

loc_511788:				; CODE XREF: .text:00511769j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esp+54h]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_5117A1:				; CODE XREF: .text:00511616j
					; .text:00511622j
		lea	eax, [esp+0Ch]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	PspLockRootJobExclusive
		push	ecx
		lea	edx, [esp+10h]
		mov	ecx, esi
		call	_PspLockJobConditionally@12 ; PspLockJobConditionally(x,x,x)
		cmp	[esi+21Ch], ebx
		jz	short loc_5117CA
		mov	ecx, esi
		call	PspRemoveCpuRateControl

loc_5117CA:				; CODE XREF: .text:005117C1j
		mov	eax, [esi+30Ch]
		test	eax, eax
		jnz	loc_5E75DF

loc_5117D8:				; CODE XREF: .text:005E7619j
		push	ecx
		lea	edx, [esp+10h]
		mov	ecx, esi
		call	_PspUnlockJobConditionally@12 ;	PspUnlockJobConditionally(x,x,x)
		mov	ecx, [esp+0Ch]
		mov	edx, edi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		jmp	loc_511628
; 

loc_5117F4:				; CODE XREF: .text:00511725j
		cmp	[ecx+4], eax
		jnz	short loc_51185F
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_51185F
		mov	[edx], ecx
		mov	[ecx+4], edx
		push	746C6644h
		mov	[eax+4], eax
		mov	[eax], eax
		push	dword ptr [esi+244h]
		call	ObDereferenceObjectDeferDeleteWithTag
		mov	[esi+244h], ebx
		jmp	loc_51172B
; 

loc_511825:				; CODE XREF: .text:00511746j
		mov	eax, [esi+258h]
		test	eax, eax
		jz	loc_51174C
		jmp	loc_5E76A5
; 

loc_511838:				; CODE XREF: .text:005116D5j
		push	624A7350h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esi+214h]
		mov	edx, 88h
		push	ebx
		mov	[esi+210h], ebx
		call	PsReturnSharedPoolQuota
		jmp	loc_5116DB
; 

loc_51185F:				; CODE XREF: .text:005116B0j
					; .text:005116BBj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 3 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 


; __stdcall KiAbDetermineMaxWaiterPriority(x, x)
_KiAbDetermineMaxWaiterPriority@8 proc near ; CODE XREF: KiAbProcessThreadLocks+180p
					; KiAbProcessContextSwitch+FFp
		movzx	eax, word ptr [ecx+2Eh]
		mov	dword ptr [edx], 0
		test	eax, 1FEh
		ja	short loc_51189C

loc_511881:				; CODE XREF: KiAbDetermineMaxWaiterPriority(x,x)+30j
		test	eax, 0FE00h
		ja	short loc_511896

loc_511888:				; CODE XREF: KiAbDetermineMaxWaiterPriority(x,x)+2Aj
		mov	eax, [ecx+24h]
		test	eax, eax
		jnz	short loc_5118AE

loc_51188F:				; CODE XREF: KiAbDetermineMaxWaiterPriority(x,x)+43j
		test	byte ptr [ecx+0Dh], 1
		jnz	short loc_5118A2

locret_511895:				; CODE XREF: KiAbDetermineMaxWaiterPriority(x,x)+39j
		retn
; 

loc_511896:				; CODE XREF: KiAbDetermineMaxWaiterPriority(x,x)+16j
		mov	byte ptr [edx+2], 1
		jmp	short loc_511888
; 

loc_51189C:				; CODE XREF: KiAbDetermineMaxWaiterPriority(x,x)+Fj
		mov	byte ptr [edx+1], 2
		jmp	short loc_511881
; 

loc_5118A2:				; CODE XREF: KiAbDetermineMaxWaiterPriority(x,x)+23j
		call	_KiAbWaiterComputeCpuPriorityKey@4 ; KiAbWaiterComputeCpuPriorityKey(x)
		cmp	al, [edx]
		jle	short locret_511895
		mov	[edx], al
		retn
; 

loc_5118AE:				; CODE XREF: KiAbDetermineMaxWaiterPriority(x,x)+1Dj
		mov	al, [eax+18h]
		mov	[edx], al
		jmp	short loc_51188F
_KiAbDetermineMaxWaiterPriority@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAbDeferredProcessingWorker(x, x, x, x)
_KiAbDeferredProcessingWorker@16 proc near ; DATA XREF:	KiInitPrcb(x,x)+299o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		lea	eax, [esi+45E4h]
		lea	edi, [esi+45E0h]
		mov	esi, eax

loc_5118D6:				; CODE XREF: KiAbDeferredProcessingWorker(x,x,x,x)+91j
		mov	ecx, [edi]
		test	ecx, ecx
		jnz	short loc_511909
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	_KiAbPropagateBoosts@12	; KiAbPropagateBoosts(x,x,x)
		mov	ecx, [edi]
		test	ecx, ecx
		jnz	short loc_511909
		mov	esi, [ebp+arg_8]
		lea	edx, [ebp+var_4]
		and	[esi+45F8h], ecx
		mov	ecx, esi
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_511909:				; CODE XREF: KiAbDeferredProcessingWorker(x,x,x,x)+24j
					; KiAbDeferredProcessingWorker(x,x,x,x)+37j
		mov	eax, [ecx]
		lea	ebx, [ecx-1F0h]
		and	[ebp+var_8], 0
		mov	[edi], eax
		lea	eax, [ebp+var_8]
		mov	dword ptr [ecx], 1
		xor	ecx, ecx
		lock or	[eax], ecx
		cmp	[ebx+223h], cl
		jbe	short loc_51193F
		push	ecx
		push	esi
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		push	1
		push	ecx
		mov	ecx, ebx
		call	KiAbProcessThreadLocks

loc_51193F:				; CODE XREF: KiAbDeferredProcessingWorker(x,x,x,x)+75j
		lock dec word ptr [ebx+220h]
		jmp	short loc_5118D6
_KiAbDeferredProcessingWorker@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAbPropagateBoosts(x, x, x)
_KiAbPropagateBoosts@12	proc near	; CODE XREF: KiAbDeferredProcessingWorker(x,x,x,x)+2Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		push	edi
		mov	[ebp+var_4], eax
		mov	edi, ecx

loc_51195B:				; CODE XREF: KiAbPropagateBoosts(x,x,x)+57j
		mov	esi, [edi]
		test	esi, esi
		jnz	short loc_511968
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_511968:				; CODE XREF: KiAbPropagateBoosts(x,x,x)+15j
		mov	eax, [esi]
		lea	ecx, [ebp+var_8]
		and	[ebp+var_8], 0
		xor	edx, edx
		mov	[edi], eax
		mov	eax, [ebp+var_4]
		mov	dword ptr [esi], 1
		lock or	[ecx], edx
		cmp	[esi-7], dl
		jbe	short loc_511999
		push	eax
		push	edi
		push	[ebp+arg_0]
		lea	ecx, [esi-1ECh]
		push	edx
		push	1
		call	KiAbProcessThreadLocks

loc_511999:				; CODE XREF: KiAbPropagateBoosts(x,x,x)+3Aj
		lock dec word ptr [esi+34h]
		mov	eax, [ebp+var_4]
		jmp	short loc_51195B
_KiAbPropagateBoosts@12	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAbProcessThreadLocks proc near	; CODE XREF: KiAbDeferredProcessingWorker(x,x,x,x)+84p
					; KiAbPropagateBoosts(x,x,x)+4Ap ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005E76C7 SIZE 00000063 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_1C], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	esi, ecx
		call	_KeAbThreadAreAllEntriesFree@4 ; KeAbThreadAreAllEntriesFree(x)
		test	eax, eax
		jnz	loc_511B01
		mov	al, [esi+1E4h]
		mov	edi, [esi+1E8h]
		movsx	ecx, al
		mov	al, [esi+222h]
		movsx	ebx, al
		or	ebx, ecx
		mov	[ebp+var_C], edi
		xor	ebx, 3Fh
		jmp	short loc_5119FB
; 

loc_5119E7:				; CODE XREF: KiAbProcessThreadLocks+122j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_5119F2:				; CODE XREF: KiAbProcessThreadLocks+140j
					; KiAbProcessThreadLocks+158j
		mov	ebx, [ebp+var_18]

loc_5119F5:				; CODE XREF: KiAbProcessThreadLocks+CBj
					; KiAbProcessThreadLocks+1A5j ...
		mov	edi, [ebp+var_C]
		mov	edx, [ebp+var_8]

loc_5119FB:				; CODE XREF: KiAbProcessThreadLocks+41j
					; KiAbProcessThreadLocks:loc_511A4Ej ...
		bsf	ecx, ebx
		mov	[ebp+var_1C], ecx
		jz	loc_511B01
		imul	esi, ecx, 30h
		lea	eax, [ebx-1]
		and	ebx, eax
		mov	[ebp+var_18], ebx
		add	esi, edi
		mov	eax, [esi+10h]
		test	eax, eax
		jz	loc_511B5C
		test	al, 2
		jnz	loc_511B5C
		xor	ecx, ecx
		inc	ecx
		test	edx, edx
		jnz	loc_5E76C7

loc_511A32:				; CODE XREF: KiAbProcessThreadLocks+D5D2Bj
		test	eax, eax
		jns	loc_511C96
		test	edx, edx
		jnz	loc_5E76D4
		test	[esi+0Dh], cl
		jz	loc_511B08
		cmp	[ebp+arg_0], edx

loc_511A4E:				; CODE XREF: KiAbProcessThreadLocks+168j
					; KiAbProcessThreadLocks+D5D52j
		jz	short loc_5119FB

loc_511A50:				; CODE XREF: KiAbProcessThreadLocks+1C2j
		and	[ebp+var_10], 0
		lea	edi, [ebp+var_28]
		and	[ebp+var_14], 0
		xor	eax, eax
		stosd
		mov	ecx, esi
		stosd
		stosd
		lea	eax, [ebp+var_28]
		push	eax
		call	KiAbEntryGetLockedHeadEntry
		mov	edi, eax
		test	edi, edi
		jz	short loc_5119F5
		xor	eax, eax
		inc	eax
		test	[esi+0Dh], al
		jz	loc_511B11
		cmp	[ebp+arg_0], 0
		jz	loc_511B8D
		cmp	esi, edi
		jnz	loc_511B4E

loc_511A8F:				; CODE XREF: KiAbProcessThreadLocks+1B3j
		lea	edx, [ebp+var_10]
		mov	ecx, edi
		call	_KiAbDetermineMinOwnerCpuPriority@8 ; KiAbDetermineMinOwnerCpuPriority(x,x)
		mov	edx, edi
		mov	ecx, esi
		call	_KiAbTryIncrementIoWaiterCounts@8 ; KiAbTryIncrementIoWaiterCounts(x,x)
		mov	ecx, esi
		mov	ebx, eax
		call	_KiAbEntryGetCpuPriorityKey@4 ;	KiAbEntryGetCpuPriorityKey(x)
		mov	[ebp+var_1], al
		cmp	byte ptr [ebp+var_10], al
		jl	loc_511C6A
		test	ebx, ebx
		jnz	loc_511C9D
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jnz	loc_5119E7
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	short loc_511AEF
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jz	loc_5119F2
		call	KxWaitForLockChainValid

loc_511AEF:				; CODE XREF: KiAbProcessThreadLocks+12Dj
		mov	[ebp+var_28], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_5119F2
; 

loc_511B01:				; CODE XREF: KiAbProcessThreadLocks+1Bj
					; KiAbProcessThreadLocks+5Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_511B08:				; CODE XREF: KiAbProcessThreadLocks+A1j
		cmp	[ebp+arg_4], 0
		jmp	loc_511A4E
; 

loc_511B11:				; CODE XREF: KiAbProcessThreadLocks+D3j
		cmp	[ebp+arg_4], 0
		jz	short loc_511B8D
		cmp	esi, edi
		jnz	loc_511C88

loc_511B1F:				; CODE XREF: KiAbProcessThreadLocks+2EDj
		lea	edx, [ebp+var_10]
		mov	ecx, edi
		call	_KiAbDetermineMaxWaiterPriority@8 ; KiAbDetermineMaxWaiterPriority(x,x)
		cmp	[ebp+var_10], 0
		jnz	short loc_511B6B
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	loc_511BFA
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5119F5
; 

loc_511B4E:				; CODE XREF: KiAbProcessThreadLocks+E5j
		mov	edx, edi
		mov	ecx, esi
		call	_KiAbEntryUpdateWaiterTreePosition@8 ; KiAbEntryUpdateWaiterTreePosition(x,x)
		jmp	loc_511A8F
; 

loc_511B5C:				; CODE XREF: KiAbProcessThreadLocks+75j
					; KiAbProcessThreadLocks+7Dj
		xor	eax, eax

loc_511B5E:				; CODE XREF: KiAbProcessThreadLocks+2F4j
		test	eax, eax
		jz	loc_5119FB
		jmp	loc_511A50
; 

loc_511B6B:				; CODE XREF: KiAbProcessThreadLocks+189j
		lea	eax, [ebp+var_14]
		mov	ecx, esi
		push	eax
		push	[ebp+arg_10]
		lea	edx, [ebp+var_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	KiAbSetMinimumThreadPriority
		test	eax, eax
		jnz	loc_5E76FB

loc_511B8A:				; CODE XREF: KiAbProcessThreadLocks+2DFj
					; KiAbProcessThreadLocks+D5D59j ...
		xor	eax, eax
		inc	eax

loc_511B8D:				; CODE XREF: KiAbProcessThreadLocks+DDj
					; KiAbProcessThreadLocks+171j
		test	ds:byte_70EFC6,	al
		jz	loc_511C32
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_511BA4:				; CODE XREF: KiAbProcessThreadLocks+2A6j
					; KiAbProcessThreadLocks+2C1j
		cmp	[ebp+var_14], 0
		jz	loc_5119F5
		movzx	eax, byte ptr [esi+0Ch]
		mov	edi, 746C6644h
		shl	eax, 3
		mov	edx, edi
		sub	esi, eax
		mov	ecx, esi
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	loc_5119F5
		xor	eax, eax
		inc	eax
		test	byte ptr [ebp+var_14], al
		jz	short loc_511BE4
		push	80000000h
		push	2
		pop	edx
		mov	ecx, esi
		call	IoBoostThreadIoPriority

loc_511BE4:				; CODE XREF: KiAbProcessThreadLocks+22Fj
		test	byte ptr [ebp+var_14], 2
		jnz	loc_5E7711

loc_511BEE:				; CODE XREF: KiAbProcessThreadLocks+D5D74j
					; KiAbProcessThreadLocks+D5D81j
		push	edi
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_5119F5
; 

loc_511BFA:				; CODE XREF: KiAbProcessThreadLocks+194j
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	short loc_511C1D
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jz	loc_5119F5
		call	KxWaitForLockChainValid

loc_511C1D:				; CODE XREF: KiAbProcessThreadLocks+25Bj
		xor	ecx, ecx
		mov	[ebp+var_28], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_5119F5
; 

loc_511C32:				; CODE XREF: KiAbProcessThreadLocks+1EFj
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	short loc_511C55
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jz	loc_511BA4
		call	KxWaitForLockChainValid

loc_511C55:				; CODE XREF: KiAbProcessThreadLocks+293j
		xor	ecx, ecx
		mov	[ebp+var_28], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_511BA4
; 

loc_511C6A:				; CODE XREF: KiAbProcessThreadLocks+10Dj
		test	ebx, ebx
		jnz	short loc_511C9D

loc_511C6E:				; CODE XREF: KiAbProcessThreadLocks+30Ej
		push	[ebp+arg_10]
		mov	dl, al
		mov	ecx, edi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_KiAbCpuBoostOwners@20 ; KiAbCpuBoostOwners(x,x,x,x,x)
		mov	ebx, [ebp+var_18]
		jmp	loc_511B8A
; 

loc_511C88:				; CODE XREF: KiAbProcessThreadLocks+175j
		mov	edx, edi
		mov	ecx, esi
		call	_KiAbEntryUpdateOwnerTreePosition@8 ; KiAbEntryUpdateOwnerTreePosition(x,x)
		jmp	loc_511B1F
; 

loc_511C96:				; CODE XREF: KiAbProcessThreadLocks+90j
		mov	eax, edx
		jmp	loc_511B5E
; 

loc_511C9D:				; CODE XREF: KiAbProcessThreadLocks+115j
					; KiAbProcessThreadLocks+2C8j
		push	[ebp+arg_10]
		mov	edx, ebx
		mov	ecx, edi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_KiAbIoBoostOwners@20 ;	KiAbIoBoostOwners(x,x,x,x,x)
		mov	al, [ebp+var_1]
		jmp	short loc_511C6E
KiAbProcessThreadLocks endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAbIoBoostOwners(x, x, x, x, x)
_KiAbIoBoostOwners@20 proc near		; CODE XREF: KiAbProcessThreadLocks+306p
					; KiAbProcessContextSwitch+209p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	edi
		mov	edi, ecx
		test	dl, 1
		jz	short loc_511CCF
		mov	byte ptr [ebp+var_4+1],	2

loc_511CCF:				; CODE XREF: KiAbIoBoostOwners(x,x,x,x,x)+15j
		test	dl, 2
		jz	short loc_511CD8
		mov	byte ptr [ebp+var_4+2],	1

loc_511CD8:				; CODE XREF: KiAbIoBoostOwners(x,x,x,x,x)+1Ej
		push	esi
		mov	esi, [edi+1Ch]

loc_511CDC:				; CODE XREF: KiAbIoBoostOwners(x,x,x,x,x)+77j
					; KiAbIoBoostOwners(x,x,x,x,x)+7Bj ...
		test	esi, esi
		jnz	short loc_511D05
		test	byte ptr [edi+0Dh], 1
		pop	esi
		jz	short loc_511CEC

loc_511CE7:				; CODE XREF: KiAbIoBoostOwners(x,x,x,x,x)+4Fj
		pop	edi
		leave
		retn	0Ch
; 

loc_511CEC:				; CODE XREF: KiAbIoBoostOwners(x,x,x,x,x)+31j
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		push	[ebp+arg_8]
		lea	edx, [ebp+var_4]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	KiAbSetMinimumThreadPriority
		jmp	short loc_511CE7
; 

loc_511D05:				; CODE XREF: KiAbIoBoostOwners(x,x,x,x,x)+2Aj
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax
		push	[ebp+arg_8]
		lea	edx, [ebp+var_4]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	KiAbSetMinimumThreadPriority
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jnz	short loc_511D35

loc_511D25:				; CODE XREF: KiAbIoBoostOwners(x,x,x,x,x)+7Fj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	short loc_511CDC
		cmp	[esi], ecx
		jz	short loc_511CDC
		mov	ecx, esi
		jmp	short loc_511D25
; 

loc_511D35:				; CODE XREF: KiAbIoBoostOwners(x,x,x,x,x)+6Fj
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_511CDC

loc_511D3D:				; CODE XREF: KiAbIoBoostOwners(x,x,x,x,x)+91j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_511D3D
		jmp	short loc_511CDC
_KiAbIoBoostOwners@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAbCpuBoostOwners(x, x, x,	x, x)
_KiAbCpuBoostOwners@20 proc near	; CODE XREF: KiAbProcessThreadLocks+2D7p
					; KiAbProcessContextSwitch+220p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	bl, dl
		mov	byte ptr [ebp+var_4], bl
		mov	esi, [edi+1Ch]

loc_511D66:				; CODE XREF: KiAbCpuBoostOwners(x,x,x,x,x)+74j
					; KiAbCpuBoostOwners(x,x,x,x,x)+78j ...
		test	esi, esi
		jnz	short loc_511D90

loc_511D6A:				; CODE XREF: KiAbCpuBoostOwners(x,x,x,x,x)+49j
		test	byte ptr [edi+0Dh], 1
		jz	short loc_511D77

loc_511D70:				; CODE XREF: KiAbCpuBoostOwners(x,x,x,x,x)+44j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_511D77:				; CODE XREF: KiAbCpuBoostOwners(x,x,x,x,x)+24j
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		push	[ebp+arg_8]
		lea	edx, [ebp+var_4]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	KiAbSetMinimumThreadPriority
		jmp	short loc_511D70
; 

loc_511D90:				; CODE XREF: KiAbCpuBoostOwners(x,x,x,x,x)+1Ej
		cmp	[esi+18h], bl
		jge	short loc_511D6A
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax
		push	[ebp+arg_8]
		lea	edx, [ebp+var_4]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	KiAbSetMinimumThreadPriority
		mov	eax, [esi+4]
		mov	ecx, esi
		mov	[esi+18h], bl
		test	eax, eax
		jnz	short loc_511DC8

loc_511DB8:				; CODE XREF: KiAbCpuBoostOwners(x,x,x,x,x)+7Cj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	short loc_511D66
		cmp	[esi], ecx
		jz	short loc_511D66
		mov	ecx, esi
		jmp	short loc_511DB8
; 

loc_511DC8:				; CODE XREF: KiAbCpuBoostOwners(x,x,x,x,x)+6Cj
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_511D66

loc_511DD0:				; CODE XREF: KiAbCpuBoostOwners(x,x,x,x,x)+8Ej
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_511DD0
		jmp	short loc_511D66
_KiAbCpuBoostOwners@20 endp


;  S U B	R O U T	I N E 


; __stdcall KiAbDetermineMinOwnerCpuPriority(x,	x)
_KiAbDetermineMinOwnerCpuPriority@8 proc near ;	CODE XREF: KiAbProcessThreadLocks+F0p
					; KiAbProcessContextSwitch+1CDp ...
		mov	eax, [ecx+1Ch]
		push	esi
		mov	esi, edx
		test	eax, eax
		jnz	short loc_511DFF
		mov	al, 0Fh

loc_511DE8:				; CODE XREF: KiAbDetermineMinOwnerCpuPriority(x,x)+26j
		mov	[esi], al
		test	byte ptr [ecx+0Dh], 1
		jz	short loc_511DF2

loc_511DF0:				; CODE XREF: KiAbDetermineMinOwnerCpuPriority(x,x)+1Dj
		pop	esi
		retn
; 

loc_511DF2:				; CODE XREF: KiAbDetermineMinOwnerCpuPriority(x,x)+12j
		call	_KiAbOwnerComputeCpuPriorityKey@4 ; KiAbOwnerComputeCpuPriorityKey(x)
		cmp	al, [esi]
		jge	short loc_511DF0
		mov	[esi], al
		pop	esi
		retn
; 

loc_511DFF:				; CODE XREF: KiAbDetermineMinOwnerCpuPriority(x,x)+8j
		mov	al, [eax+18h]
		jmp	short loc_511DE8
_KiAbDetermineMinOwnerCpuPriority@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAbEntryUpdateOwnerTreePosition(x,	x)
_KiAbEntryUpdateOwnerTreePosition@8 proc near ;	CODE XREF: KiAbProcessThreadLocks+2E8p
					; KiAbProcessContextSwitch+28Ep ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_KiAbOwnerComputeCpuPriorityKey@4 ; KiAbOwnerComputeCpuPriorityKey(x)
		cmp	[edi+18h], al
		jnz	short loc_511E1E

loc_511E1A:				; CODE XREF: KiAbEntryUpdateOwnerTreePosition(x,x)+84j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_511E1E:				; CODE XREF: KiAbEntryUpdateOwnerTreePosition(x,x)+14j
		push	ebx
		push	edi
		add	esi, 18h
		mov	[edi+18h], al
		push	esi
		call	RtlRbRemoveNode
		test	byte ptr [esi+4], 1
		mov	bl, [edi+18h]
		mov	eax, [esi]
		jnz	short loc_511E8A

loc_511E37:				; CODE XREF: KiAbEntryUpdateOwnerTreePosition(x,x)+8Cj
					; KiAbEntryUpdateOwnerTreePosition(x,x)+90j
		movzx	edx, byte ptr [esi+4]
		and	edx, 1
		mov	byte ptr [ebp+var_4], 0
		test	eax, eax
		jz	short loc_511E7C

loc_511E46:				; CODE XREF: KiAbEntryUpdateOwnerTreePosition(x,x)+6Aj
		cmp	[eax+18h], bl
		jg	short loc_511E70
		mov	ecx, [eax+4]
		test	edx, edx
		jz	short loc_511E58
		test	ecx, ecx
		jz	short loc_511E5C
		xor	ecx, eax

loc_511E58:				; CODE XREF: KiAbEntryUpdateOwnerTreePosition(x,x)+4Cj
		test	ecx, ecx
		jnz	short loc_511E6C

loc_511E5C:				; CODE XREF: KiAbEntryUpdateOwnerTreePosition(x,x)+50j
		mov	byte ptr [ebp+var_4], 1
		jmp	short loc_511E7C
; 

loc_511E62:				; CODE XREF: KiAbEntryUpdateOwnerTreePosition(x,x)+72j
		test	ecx, ecx
		jz	short loc_511E78
		xor	ecx, eax

loc_511E68:				; CODE XREF: KiAbEntryUpdateOwnerTreePosition(x,x)+70j
		test	ecx, ecx
		jz	short loc_511E78

loc_511E6C:				; CODE XREF: KiAbEntryUpdateOwnerTreePosition(x,x)+56j
		mov	eax, ecx
		jmp	short loc_511E46
; 

loc_511E70:				; CODE XREF: KiAbEntryUpdateOwnerTreePosition(x,x)+45j
		mov	ecx, [eax]
		test	edx, edx
		jz	short loc_511E68
		jmp	short loc_511E62
; 

loc_511E78:				; CODE XREF: KiAbEntryUpdateOwnerTreePosition(x,x)+60j
					; KiAbEntryUpdateOwnerTreePosition(x,x)+66j
		mov	byte ptr [ebp+var_4], 0

loc_511E7C:				; CODE XREF: KiAbEntryUpdateOwnerTreePosition(x,x)+40j
					; KiAbEntryUpdateOwnerTreePosition(x,x)+5Cj
		push	edi
		push	[ebp+var_4]
		push	eax
		push	esi
		call	RtlRbInsertNodeEx
		pop	ebx
		jmp	short loc_511E1A
; 

loc_511E8A:				; CODE XREF: KiAbEntryUpdateOwnerTreePosition(x,x)+31j
		test	eax, eax
		jz	short loc_511E92
		xor	eax, esi
		jmp	short loc_511E37
; 

loc_511E92:				; CODE XREF: KiAbEntryUpdateOwnerTreePosition(x,x)+88j
		xor	eax, eax
		jmp	short loc_511E37
_KiAbEntryUpdateOwnerTreePosition@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAbSetMinimumThreadPriority proc near	; CODE XREF: KiAbProcessThreadLocks+1D9p
					; KiAbIoBoostOwners(x,x,x,x,x)+4Ap ...

var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005E772A SIZE 0000007E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	esi, edi
		movzx	eax, byte ptr [edi+0Ch]
		shl	eax, 3
		sub	esi, eax
		mov	ecx, esi
		mov	al, [esi+87h]
		mov	byte ptr [ebp+var_18], al
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		xor	edx, edx
		cmp	eax, 2
		jl	loc_51200A

loc_511ECB:				; CODE XREF: KiAbSetMinimumThreadPriority+17Aj
					; KiAbSetMinimumThreadPriority+183j
		push	ebx
		mov	byte ptr [ebp+var_14], al
		call	KiAbThreadGetIoQoSPriority
		mov	byte ptr [ebp+var_10], al
		mov	ecx, edi
		mov	eax, [ebp+arg_C]
		mov	ebx, edx
		mov	[ebp+var_20], edx
		mov	[eax], edx
		call	_KiAbEntryGetCpuPriorityKey@4 ;	KiAbEntryGetCpuPriorityKey(x)
		mov	ecx, [ebp+var_8]
		mov	cl, [ecx]
		mov	[ebp+var_1], cl
		cmp	al, cl
		jl	short loc_511F59
		mov	al, bl
		mov	[ebp+var_1], al

loc_511EF9:				; CODE XREF: KiAbSetMinimumThreadPriority+14Fj
		mov	ecx, esi
		call	_PsGetBaseIoPriorityThread@4 ; PsGetBaseIoPriorityThread(x)
		mov	edx, [ebp+var_8]
		movsx	ecx, byte ptr [edx+1]
		cmp	eax, ecx
		jl	loc_51201E

loc_511F0F:				; CODE XREF: KiAbSetMinimumThreadPriority+18Ej
					; KiAbSetMinimumThreadPriority+1A4j ...
		xor	eax, eax
		xor	ecx, ecx
		cmp	[esi+334h], eax
		mov	eax, [ebp+var_8]
		setz	cl
		movsx	eax, byte ptr [eax+2]
		cmp	ecx, eax
		jl	loc_5E773A

loc_511F2B:				; CODE XREF: KiAbSetMinimumThreadPriority+D58A8j
					; KiAbSetMinimumThreadPriority+D58BFj ...
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_511F3A
		test	ebx, ebx
		jnz	loc_511FEA

loc_511F3A:				; CODE XREF: KiAbSetMinimumThreadPriority+9Aj
					; KiAbSetMinimumThreadPriority+15Bj ...
		test	dword ptr ds:byte_70EFC4, 200h
		pop	ebx
		jnz	loc_5E776C

loc_511F4B:				; CODE XREF: KiAbSetMinimumThreadPriority+D58DAj
					; KiAbSetMinimumThreadPriority+D590Dj
		xor	eax, eax
		cmp	[ebp+var_1], al
		pop	edi
		setnz	al
		pop	esi
		leave
		retn	10h
; 

loc_511F59:				; CODE XREF: KiAbSetMinimumThreadPriority+5Cj
		movsx	eax, cl
		mov	ebx, 7FFFh
		movzx	ecx, word ptr [edi+2Ch]
		mov	edx, ecx
		and	edx, ebx
		dec	eax
		bts	edx, eax
		xor	edx, ecx
		and	edx, ebx
		lea	ebx, [esi+2Ch]
		xor	edx, ecx
		and	[ebp+var_C], 0
		mov	[edi+2Ch], dx
		mov	dl, [ebp+var_1]
		mov	byte ptr [ebp+var_20], dl

loc_511F84:				; CODE XREF: KiAbSetMinimumThreadPriority+103j
		lock bts dword ptr [ebx], 0
		jnb	short loc_511F9B

loc_511F8B:				; CODE XREF: KiAbSetMinimumThreadPriority+101j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_511F8B
		jmp	short loc_511F84
; 

loc_511F9B:				; CODE XREF: KiAbSetMinimumThreadPriority+F3j
		mov	dl, [ebp+var_1]
		movsx	ecx, dl
		mov	al, [ecx+esi+1F4h]
		cmp	al, 0FFh
		jz	loc_5E772A
		inc	al
		xor	ebx, ebx
		mov	[ecx+esi+1F4h],	al
		mov	eax, [esi+214h]
		bts	eax, ecx
		mov	[esi+214h], eax
		cmp	[esi+87h], dl
		jge	short loc_511FDE
		mov	edx, [ebp+arg_0]
		push	ecx
		mov	ecx, esi
		call	KiSetPriorityThread
		inc	ebx

loc_511FDE:				; CODE XREF: KiAbSetMinimumThreadPriority+13Aj
		mov	dword ptr [esi+2Ch], 0
		jmp	loc_511EF9
; 

loc_511FEA:				; CODE XREF: KiAbSetMinimumThreadPriority+9Ej
		cmp	byte ptr [esi+1E5h], 0
		jbe	loc_511F3A
		lea	eax, [esi+1ECh]
		mov	ecx, esi
		push	eax
		call	_KiAbThreadInsertList@12 ; KiAbThreadInsertList(x,x,x)
		jmp	loc_511F3A
; 

loc_51200A:				; CODE XREF: KiAbSetMinimumThreadPriority+2Fj
		cmp	[esi+32Ch], edx
		jz	loc_511ECB
		push	2
		pop	eax
		jmp	loc_511ECB
; 

loc_51201E:				; CODE XREF: KiAbSetMinimumThreadPriority+73j
		xor	ecx, ecx
		cmp	[edi+2Ch], cx
		jl	loc_511F0F
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_8]
		push	ecx
		mov	ecx, esi
		call	KiAbThreadBoostIoPriority
		test	eax, eax
		jz	loc_511F0F
		mov	eax, 8000h
		mov	byte ptr [ebp+var_20+1], 2
		or	[edi+2Ch], ax
		xor	ebx, ebx
		inc	ebx
		jmp	loc_511F0F
KiAbSetMinimumThreadPriority endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAbEntryUpdateWaiterTreePosition(x, x)
_KiAbEntryUpdateWaiterTreePosition@8 proc near ; CODE XREF: KiAbProcessThreadLocks+1AEp
					; KiAbProcessContextSwitch+280p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, ecx
		call	_KiAbWaiterComputeCpuPriorityKey@4 ; KiAbWaiterComputeCpuPriorityKey(x)
		cmp	[edi+18h], al
		jnz	short loc_51206C

loc_512069:				; CODE XREF: KiAbEntryUpdateWaiterTreePosition(x,x)+82j
		pop	edi
		leave
		retn
; 

loc_51206C:				; CODE XREF: KiAbEntryUpdateWaiterTreePosition(x,x)+11j
		push	ebx
		push	esi
		lea	esi, [edx+20h]
		mov	[edi+18h], al
		push	edi
		push	esi
		call	RtlRbRemoveNode
		test	byte ptr [esi+4], 1
		mov	bl, [edi+18h]
		mov	eax, [esi]
		jnz	short loc_5120DA

loc_512086:				; CODE XREF: KiAbEntryUpdateWaiterTreePosition(x,x)+8Aj
					; KiAbEntryUpdateWaiterTreePosition(x,x)+8Ej
		movzx	edx, byte ptr [esi+4]
		and	edx, 1
		mov	byte ptr [ebp+var_4], 0
		test	eax, eax
		jz	short loc_5120CB

loc_512095:				; CODE XREF: KiAbEntryUpdateWaiterTreePosition(x,x)+67j
		cmp	[eax+18h], bl
		jl	short loc_5120BF
		mov	ecx, [eax+4]
		test	edx, edx
		jz	short loc_5120A7
		test	ecx, ecx
		jz	short loc_5120AB
		xor	ecx, eax

loc_5120A7:				; CODE XREF: KiAbEntryUpdateWaiterTreePosition(x,x)+49j
		test	ecx, ecx
		jnz	short loc_5120BB

loc_5120AB:				; CODE XREF: KiAbEntryUpdateWaiterTreePosition(x,x)+4Dj
		mov	byte ptr [ebp+var_4], 1
		jmp	short loc_5120CB
; 

loc_5120B1:				; CODE XREF: KiAbEntryUpdateWaiterTreePosition(x,x)+6Fj
		test	ecx, ecx
		jz	short loc_5120C7
		xor	ecx, eax

loc_5120B7:				; CODE XREF: KiAbEntryUpdateWaiterTreePosition(x,x)+6Dj
		test	ecx, ecx
		jz	short loc_5120C7

loc_5120BB:				; CODE XREF: KiAbEntryUpdateWaiterTreePosition(x,x)+53j
		mov	eax, ecx
		jmp	short loc_512095
; 

loc_5120BF:				; CODE XREF: KiAbEntryUpdateWaiterTreePosition(x,x)+42j
		mov	ecx, [eax]
		test	edx, edx
		jz	short loc_5120B7
		jmp	short loc_5120B1
; 

loc_5120C7:				; CODE XREF: KiAbEntryUpdateWaiterTreePosition(x,x)+5Dj
					; KiAbEntryUpdateWaiterTreePosition(x,x)+63j
		mov	byte ptr [ebp+var_4], 0

loc_5120CB:				; CODE XREF: KiAbEntryUpdateWaiterTreePosition(x,x)+3Dj
					; KiAbEntryUpdateWaiterTreePosition(x,x)+59j
		push	edi
		push	[ebp+var_4]
		push	eax
		push	esi
		call	RtlRbInsertNodeEx
		pop	esi
		pop	ebx
		jmp	short loc_512069
; 

loc_5120DA:				; CODE XREF: KiAbEntryUpdateWaiterTreePosition(x,x)+2Ej
		test	eax, eax
		jz	short loc_5120E2
		xor	eax, esi
		jmp	short loc_512086
; 

loc_5120E2:				; CODE XREF: KiAbEntryUpdateWaiterTreePosition(x,x)+86j
		xor	eax, eax
		jmp	short loc_512086
_KiAbEntryUpdateWaiterTreePosition@8 endp


;  S U B	R O U T	I N E 


; __stdcall KiAbEntryGetCpuPriorityKey(x)
_KiAbEntryGetCpuPriorityKey@4 proc near	; CODE XREF: KiAbProcessThreadLocks+102p
					; KiAbSetMinimumThreadPriority+4Dp ...
		test	byte ptr [ecx+0Fh], 1
		jz	short loc_5120FB
		test	byte ptr [ecx+0Dh], 1
		jz	_KiAbOwnerComputeCpuPriorityKey@4 ; KiAbOwnerComputeCpuPriorityKey(x)
		jmp	_KiAbWaiterComputeCpuPriorityKey@4 ; KiAbWaiterComputeCpuPriorityKey(x)
; 

loc_5120FB:				; CODE XREF: KiAbEntryGetCpuPriorityKey(x)+4j
		mov	al, [ecx+18h]
		retn
_KiAbEntryGetCpuPriorityKey@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiAbWaiterComputeCpuPriorityKey(x)
_KiAbWaiterComputeCpuPriorityKey@4 proc	near
					; CODE XREF: KiAbDetermineMaxWaiterPriority(x,x):loc_5118A2p
					; KiAbEntryUpdateWaiterTreePosition(x,x)+9p ...
		movzx	eax, byte ptr [ecx+0Ch]
		shl	eax, 3
		sub	ecx, eax
		mov	al, [ecx+87h]
		cmp	al, 0Fh
		jg	short loc_512114
		retn
; 

loc_512114:				; CODE XREF: KiAbWaiterComputeCpuPriorityKey(x)+11j
		mov	al, 0Fh
		retn
_KiAbWaiterComputeCpuPriorityKey@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAbOwnerComputeCpuPriorityKey(x)
_KiAbOwnerComputeCpuPriorityKey@4 proc near
					; CODE XREF: KiAbDetermineMinOwnerCpuPriority(x,x):loc_511DF2p
					; KiAbEntryUpdateOwnerTreePosition(x,x)+Cp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, ecx
		xor	ecx, ecx
		push	esi
		mov	esi, 7FFFh
		movzx	eax, word ptr [edx+2Ch]
		test	eax, esi
		ja	short loc_51214E

loc_512130:				; CODE XREF: KiAbOwnerComputeCpuPriorityKey(x)+3Dj
		movzx	eax, byte ptr [edx+0Ch]
		shl	eax, 3
		sub	edx, eax
		pop	esi
		mov	al, [edx+15Bh]
		cmp	al, cl
		jle	short loc_51214A
		mov	cl, al
		cmp	al, 0Fh
		jg	short loc_512157

loc_51214A:				; CODE XREF: KiAbOwnerComputeCpuPriorityKey(x)+2Aj
					; KiAbOwnerComputeCpuPriorityKey(x)+41j
		mov	al, cl
		leave
		retn
; 

loc_51214E:				; CODE XREF: KiAbOwnerComputeCpuPriorityKey(x)+16j
		and	eax, esi
		bsr	ecx, eax
		inc	cl
		jmp	short loc_512130
; 

loc_512157:				; CODE XREF: KiAbOwnerComputeCpuPriorityKey(x)+30j
		mov	cl, 0Fh
		jmp	short loc_51214A
_KiAbOwnerComputeCpuPriorityKey@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAbThreadBoostIoPriority proc near	; CODE XREF: KiAbSetMinimumThreadPriority+19Dp
					; KiAbSetMinimumThreadPriority+D58B8p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E77A8 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], edx
		mov	[ebp+arg_4], eax
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jnz	loc_5E77A8
		push	esi
		push	esi
		xor	dl, dl
		call	PsBoostThreadIoEx
		mov	eax, 218h

loc_51218B:				; CODE XREF: KiAbThreadBoostIoPriority+D5658j
		lea	ecx, [edi+eax]
		mov	[ebp+arg_0], esi
		xor	edx, edx
		lea	eax, [ebp+arg_0]
		lock or	[eax], edx
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_5121EB
		cmp	[ebp+var_4], edx
		jz	short loc_5121DE
		test	ebx, ebx
		jnz	short loc_5121F3
		push	esi
		push	esi
		mov	dl, 1
		mov	ecx, edi
		call	PsBoostThreadIoEx

loc_5121B3:				; CODE XREF: KiAbThreadBoostIoPriority+9Ej
		mov	ebx, [ebp+var_4]
		lea	eax, [edi+1F0h]
		push	eax
		mov	edx, ebx
		mov	ecx, edi
		call	_KiAbThreadInsertList@12 ; KiAbThreadInsertList(x,x,x)
		test	eax, eax
		jz	short loc_5121D5
		lea	ecx, [ebx-45E0h]
		call	_KiAbQueueAutoBoostDpc@4 ; KiAbQueueAutoBoostDpc(x)

loc_5121D5:				; CODE XREF: KiAbThreadBoostIoPriority+6Cj
					; KiAbThreadBoostIoPriority+95j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_5121DE:				; CODE XREF: KiAbThreadBoostIoPriority+46j
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		test	ebx, ebx
		setnz	al
		inc	eax
		or	[edx], eax

loc_5121EB:				; CODE XREF: KiAbThreadBoostIoPriority+41j
		lock inc dword ptr [ecx]
		xor	esi, esi
		inc	esi
		jmp	short loc_5121D5
; 

loc_5121F3:				; CODE XREF: KiAbThreadBoostIoPriority+4Aj
		lock dec dword ptr [edi+330h]
		jmp	short loc_5121B3
KiAbThreadBoostIoPriority endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAbProcessThreadPriorityModification proc near	; CODE XREF: KiQueueReadyThread+36Ep
					; KiSetBasePriorityAndClearDecrement(x,x,x)+15p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E77B9 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, large fs:20h
		test	eax, eax
		jz	short loc_512263
		cmp	eax, 1
		jnz	short loc_512221
		cmp	dl, [ecx+87h]
		jg	short loc_512226

loc_512221:				; CODE XREF: KiAbProcessThreadPriorityModification+17j
					; KiAbProcessThreadPriorityModification+2Dj ...
		pop	esi
		pop	ebp
		retn	4
; 

loc_512226:				; CODE XREF: KiAbProcessThreadPriorityModification+1Fj
		cmp	byte ptr [ecx+1E5h], 0
		jbe	short loc_512221
		cmp	dword ptr [ecx+1ECh], 1
		lea	edx, [ecx+1ECh]
		jnz	short loc_512221
		mov	eax, 45E4h

loc_512243:				; CODE XREF: KiAbProcessThreadPriorityModification+D55D1j
		push	edi
		lea	edi, [esi+eax]
		test	edi, edi
		jz	short loc_512260
		mov	eax, [edi]
		mov	[edx], eax
		mov	[edi], edx
		lock inc word ptr [ecx+220h]
		mov	ecx, esi
		call	_KiAbQueueAutoBoostDpc@4 ; KiAbQueueAutoBoostDpc(x)

loc_512260:				; CODE XREF: KiAbProcessThreadPriorityModification+49j
		pop	edi
		jmp	short loc_512221
; 

loc_512263:				; CODE XREF: KiAbProcessThreadPriorityModification+12j
		cmp	dl, [ecx+15Bh]
		jge	short loc_512221
		cmp	byte ptr [ecx+223h], 0
		jbe	short loc_512221
		jmp	loc_5E77B9
KiAbProcessThreadPriorityModification endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiAbQueueAutoBoostDpc(x)
_KiAbQueueAutoBoostDpc@4 proc near	; CODE XREF: KeAbProcessBaseIoPriorityChangeInternal+5Bp
					; KiAbThreadBoostIoPriority+74p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+45F8h], 0
		jnz	short loc_5122A1
		push	0
		push	esi
		lea	eax, [esi+45E8h]
		push	eax
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		mov	dword ptr [esi+45F8h], 1

loc_5122A1:				; CODE XREF: KiAbQueueAutoBoostDpc(x)+Cj
		pop	esi
		retn
_KiAbQueueAutoBoostDpc@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoBoostThreadIoPriority	proc near	; CODE XREF: FsRtlpWaitForIoAtEof+1D8p
					; CcBoostLowPriorityWorkerThread+1B7p ...

var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4A		= byte ptr -4Ah
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E77D6 SIZE 00000172 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_84], edx
		push	8
		pop	edx
		xor	eax, eax
		mov	[ebp+var_6C], esi
		mov	ecx, edx
		mov	[ebp+var_88], edx
		lea	edi, [ebp+var_28]
		xor	ebx, ebx
		rep stosd
		lea	edi, [ebp+var_48]
		mov	ecx, edx
		mov	[ebp+var_4A], bl
		rep stosd
		mov	[ebp+var_70], ebx
		cmp	[ebp+arg_0], eax
		jl	loc_512719
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	esi, 350h
		mov	[ebp+var_49], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+var_6C]
		xor	eax, eax
		add	ecx, 2CCh
		inc	eax
		cmp	[ecx], ecx
		jnz	short loc_51234F
		test	[ebp+arg_0], 40000000h
		jnz	loc_5E77D6
		test	ds:byte_70EFC6,	al
		jnz	loc_5E77DE
		xor	eax, eax
		lock and [esi],	eax

loc_512335:				; CODE XREF: IoBoostThreadIoPriority+D5544j
		mov	cl, [ebp+var_49]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_51233E:				; CODE XREF: IoBoostThreadIoPriority+271j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_51234F:				; CODE XREF: IoBoostThreadIoPriority+71j
					; IoBoostThreadIoPriority+D5535j
		test	ds:byte_70EFC6,	al
		jnz	loc_5E77ED
		xor	eax, eax
		lock and [esi],	eax

loc_512360:				; CODE XREF: IoBoostThreadIoPriority+D5553j
		mov	cl, [ebp+var_49]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	8
		pop	edx

loc_51236C:				; CODE XREF: IoBoostThreadIoPriority+479j
		mov	esi, ebx
		mov	edi, edx

loc_512370:				; CODE XREF: IoBoostThreadIoPriority+E9j
		lea	ecx, _IopUpdatePriorityCallbackRoutine[esi]
		call	ExReferenceCallBackBlock
		mov	[ebp+esi+var_28], eax
		test	eax, eax
		jnz	loc_51251A

loc_512387:				; CODE XREF: IoBoostThreadIoPriority+27Dj
		add	esi, 4
		sub	edi, 1
		jnz	short loc_512370
		xor	ecx, ecx
		mov	edi, ebx
		inc	ecx
		cmp	[ebp+var_4A], cl
		jz	loc_512488
		mov	esi, [ebp+var_6C]
		mov	[ebp+var_8C], ebx
		lea	eax, [esi+2CCh]
		mov	[ebp+var_78], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	esi, 350h
		mov	[ebp+var_4A], al
		mov	ecx, esi
		mov	[ebp+var_90], esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_78]
		mov	edx, [eax]
		mov	[ebp+var_68], edx
		cmp	edx, eax
		jz	loc_512469
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_54], eax

loc_512411:				; CODE XREF: IoBoostThreadIoPriority+1BDj
		mov	al, [edx+12h]
		cmp	[edx+13h], al
		jg	short loc_512459
		mov	ecx, [edx+50h]
		movsx	eax, al
		imul	eax, 24h
		add	eax, 60h
		add	eax, edx
		cmp	ecx, eax
		jnb	short loc_512459
		mov	esi, [ecx+14h]
		mov	[ebp+var_7C], esi
		test	esi, esi
		jz	short loc_512459
		mov	ecx, ebx
		push	8
		mov	[ebp+var_50], ecx
		pop	eax

loc_51243D:				; CODE XREF: IoBoostThreadIoPriority+1B0j
		movzx	edx, cx
		mov	[ebp+var_74], edx
		cmp	[ebp+edx*4+var_28], ebx
		jnz	loc_51267D

loc_51244D:				; CODE XREF: IoBoostThreadIoPriority+470j
		inc	ecx
		mov	[ebp+var_50], ecx
		cmp	cx, ax
		jb	short loc_51243D

loc_512456:				; CODE XREF: IoBoostThreadIoPriority+D559Dj
		mov	edx, [ebp+var_68]

loc_512459:				; CODE XREF: IoBoostThreadIoPriority+173j
					; IoBoostThreadIoPriority+185j	...
		mov	edx, [edx]
		mov	[ebp+var_68], edx
		cmp	edx, [ebp+var_78]
		jnz	short loc_512411
		mov	esi, [ebp+var_90]

loc_512469:				; CODE XREF: IoBoostThreadIoPriority+131j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E78AC
		xor	eax, eax
		lock and [esi],	eax

loc_51247B:				; CODE XREF: IoBoostThreadIoPriority+D5612j
		mov	cl, [ebp+var_4A]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jnz	short loc_5124BD

loc_512488:				; CODE XREF: IoBoostThreadIoPriority+F3j
		mov	eax, ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_60], eax
		mov	esi, ebx

loc_512492:				; CODE XREF: IoBoostThreadIoPriority+20Dj
		mov	ecx, [ebp+esi+var_28]
		mov	[ebp+var_78], ecx
		test	ecx, ecx
		jnz	loc_512554

loc_5124A1:				; CODE XREF: IoBoostThreadIoPriority+3D4j
		push	8
		inc	eax
		add	esi, 4
		pop	ecx
		mov	[ebp+var_60], eax
		mov	[ebp+var_74], esi
		cmp	ax, cx
		jb	short loc_512492
		test	edi, edi
		jz	short loc_5124BD
		inc	_IoBlanketBoostCount

loc_5124BD:				; CODE XREF: IoBoostThreadIoPriority+1E2j
					; IoBoostThreadIoPriority+211j
		mov	esi, ebx
		test	edi, edi
		jz	short loc_5124FC
		mov	eax, ebx

loc_5124C5:				; CODE XREF: IoBoostThreadIoPriority+256j
		push	2
		pop	ecx
		cmp	si, cx
		jnb	loc_5E7915
		imul	eax, 18h
		lea	edi, [ebp+var_C0]
		add	edi, eax

loc_5124DC:				; CODE XREF: IoBoostThreadIoPriority+D5680j
		mov	ecx, [edi]
		lea	eax, [edi+4]
		push	ebx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		push	2
		pop	eax
		cmp	si, ax
		jnb	loc_5E7929

loc_5124F3:				; CODE XREF: IoBoostThreadIoPriority+D568Cj
		inc	esi
		movzx	eax, si
		cmp	eax, [ebp+var_70]
		jb	short loc_5124C5

loc_5124FC:				; CODE XREF: IoBoostThreadIoPriority+21Dj
		push	8
		pop	eax

loc_5124FF:				; CODE XREF: IoBoostThreadIoPriority+26Fj
		mov	esi, [ebp+ebx+var_28]
		test	esi, esi
		jnz	short loc_512526

loc_512507:				; CODE XREF: IoBoostThreadIoPriority+2AEj
		add	ebx, 4
		sub	eax, 1
		mov	[ebp+var_88], eax
		jnz	short loc_5124FF
		jmp	loc_51233E
; 

loc_51251A:				; CODE XREF: IoBoostThreadIoPriority+DDj
		mov	eax, [eax+8]
		mov	[ebp+esi+var_48], eax
		jmp	loc_512387
; 

loc_512526:				; CODE XREF: IoBoostThreadIoPriority+261j
		lea	edi, _IopUpdatePriorityCallbackRoutine[ebx]
		mov	ecx, [edi]
		mov	eax, ecx

loc_512530:				; CODE XREF: IoBoostThreadIoPriority+D5693j
		xor	eax, esi
		cmp	eax, 7
		jnb	loc_5E793C
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jnz	loc_5E7935

loc_51254C:				; CODE XREF: IoBoostThreadIoPriority+D569Fj
		mov	eax, [ebp+var_88]
		jmp	short loc_512507
; 

loc_512554:				; CODE XREF: IoBoostThreadIoPriority+1F7j
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, [ebp+esi+var_48]
		mov	[ebp+var_49], al
		mov	ecx, [ecx+10h]
		mov	esi, [ecx+4]
		test	esi, esi
		jz	loc_512633
		imul	ecx, edi, 18h
		lea	eax, [ebp+var_B4]
		lea	edx, [ebp+var_B0]
		add	eax, ecx
		add	edx, ecx
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_B8]
		add	eax, ecx
		mov	[ebp+var_64], edx
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_BC]
		add	eax, ecx
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_AC]
		add	eax, ecx
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_C0]
		add	eax, ecx
		mov	[ebp+var_68], eax

loc_5125B6:				; CODE XREF: IoBoostThreadIoPriority+38Aj
		test	dword ptr [esi+1Ch], 1000000h
		jz	short loc_512629
		cmp	edi, 2
		jnb	loc_5E78BB
		mov	ecx, [ebp+var_78]
		mov	[eax], ecx
		mov	ecx, [ebp+var_5C]
		mov	eax, [ebp+var_60]
		mov	[edx], ebx
		mov	[ecx], ax
		mov	eax, [ebp+var_58]
		mov	ecx, [ebp+var_6C]
		mov	[eax], esi
		mov	eax, [ebp+var_54]
		mov	[eax], ecx
		mov	eax, [ebp+var_50]
		mov	ecx, [ebp+var_84]
		mov	[eax], ecx

loc_5125F0:				; CODE XREF: IoBoostThreadIoPriority+D565Dj
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	ecx, [ebp+var_6C]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_68]
		inc	edi
		mov	edx, [ebp+var_64]
		push	18h
		pop	ecx
		add	[ebp+var_5C], ecx
		add	eax, ecx
		add	[ebp+var_58], ecx
		add	[ebp+var_54], ecx
		add	[ebp+var_50], ecx
		add	edx, ecx
		mov	[ebp+var_64], edx
		mov	[ebp+var_68], eax

loc_512629:				; CODE XREF: IoBoostThreadIoPriority+319j
		mov	esi, [esi+0Ch]
		test	esi, esi
		jnz	short loc_5125B6

loc_512630:				; CODE XREF: IoBoostThreadIoPriority+D562Aj
		mov	[ebp+var_70], edi

loc_512633:				; CODE XREF: IoBoostThreadIoPriority+2C7j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jnz	loc_5E7906
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5127D2
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5127CB

loc_512669:				; CODE XREF: IoBoostThreadIoPriority+539j
					; IoBoostThreadIoPriority+D566Cj
		mov	cl, [ebp+var_49]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_60]
		mov	esi, [ebp+var_74]
		jmp	loc_5124A1
; 

loc_51267D:				; CODE XREF: IoBoostThreadIoPriority+1A3j
		mov	eax, large fs:20h
		mov	[ebp+var_49], bl
		lea	ecx, [eax+468h]
		mov	eax, [ecx+4]
		test	ds:byte_70EFC6,	21h
		jnz	loc_5E77FC
		mov	edx, ecx
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_5127E2

loc_5126A8:				; CODE XREF: IoBoostThreadIoPriority+543j
					; IoBoostThreadIoPriority+D555Fj
		mov	eax, [ebp+var_74]
		mov	eax, [ebp+eax*4+var_48]
		mov	eax, [eax+10h]
		mov	eax, [eax+4]

loc_5126B5:				; CODE XREF: IoBoostThreadIoPriority+41Cj
		test	eax, eax
		jz	short loc_5126CF
		cmp	eax, esi
		jz	short loc_5126C2

loc_5126BD:				; CODE XREF: IoBoostThreadIoPriority+425j
		mov	eax, [eax+0Ch]
		jmp	short loc_5126B5
; 

loc_5126C2:				; CODE XREF: IoBoostThreadIoPriority+417j
		test	dword ptr [eax+1Ch], 1000000h
		jz	short loc_5126BD
		mov	[ebp+var_49], 1

loc_5126CF:				; CODE XREF: IoBoostThreadIoPriority+413j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jnz	loc_5E7808
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5E781E
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5E7817

loc_512705:				; CODE XREF: IoBoostThreadIoPriority+D556Ej
					; IoBoostThreadIoPriority+D5585j
		cmp	[ebp+var_49], 1
		jz	short loc_512722

loc_51270B:				; CODE XREF: IoBoostThreadIoPriority+487j
		mov	ecx, [ebp+var_50]
		mov	esi, [ebp+var_7C]
		push	8
		pop	eax
		jmp	loc_51244D
; 

loc_512719:				; CODE XREF: IoBoostThreadIoPriority+47j
		mov	[ebp+var_4A], 1
		jmp	loc_51236C
; 

loc_512722:				; CODE XREF: IoBoostThreadIoPriority+465j
		mov	ecx, [ebp+var_7C]
		cmp	[ebp+var_8C], ecx
		jz	short loc_51270B
		push	2
		pop	eax
		mov	[ebp+var_8C], ecx
		cmp	edi, eax
		jnb	loc_5E782E
		mov	eax, [ebp+var_74]
		mov	edx, [ebp+var_54]
		mov	esi, [ebp+var_84]
		mov	eax, [ebp+eax*4+var_28]
		mov	[edx], eax
		mov	eax, [ebp+var_58]
		mov	edx, [ebp+var_50]
		mov	[eax], dx
		mov	eax, [ebp+var_5C]
		mov	edx, [ebp+var_80]
		mov	[eax], ecx
		mov	eax, [ebp+var_6C]
		mov	[edx], eax
		mov	edx, [ebp+var_60]
		mov	[edx], esi
		mov	esi, eax
		mov	edx, [ebp+var_64]
		mov	[edx], ebx

loc_512772:				; CODE XREF: IoBoostThreadIoPriority+D55D7j
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	edx, [ebp+var_68]
		inc	edi
		mov	ecx, [ebp+var_64]
		mov	esi, [ebp+var_60]
		add	ecx, 18h
		mov	eax, [ebp+var_80]
		add	esi, 18h
		add	[ebp+var_5C], 18h
		add	eax, 18h
		add	[ebp+var_58], 18h
		add	[ebp+var_54], 18h
		test	byte ptr [edx-8], 2
		mov	[ebp+var_70], edi
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], esi
		mov	[ebp+var_80], eax
		jz	loc_5E7880
		inc	_IoBoostedPagingIrpCount
		jmp	loc_512459
; 

loc_5127CB:				; CODE XREF: IoBoostThreadIoPriority+3BFj
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5127D2:				; CODE XREF: IoBoostThreadIoPriority+3ACj
		xor	ecx, ecx
		mov	[esi], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_512669
; 

loc_5127E2:				; CODE XREF: IoBoostThreadIoPriority+3FEj
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_5126A8
IoBoostThreadIoPriority	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopBoostThreadCallback(x, x, x)
_IopBoostThreadCallback@12 proc	near	; DATA XREF: IoRegisterPriorityCallback+2Do

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		push	dword ptr [eax+10h]
		call	dword ptr [eax+0Ch]
		mov	edi, 746C6644h
		push	edi
		push	dword ptr [esi]
		call	ObDereferenceObjectDeferDeleteWithTag
		push	edi
		push	dword ptr [esi+4]
		call	ObDereferenceObjectDeferDeleteWithTag
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_IopBoostThreadCallback@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspExecuteJobFreezeThawCallback(x, x)
_PspExecuteJobFreezeThawCallback@8 proc	near ; DATA XREF: PspFreezeJobTree+136o

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	ecx, [ebp+arg_0]
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		mov	ebx, large fs:124h
		mov	edx, ebx
		push	esi
		push	edi
		lea	edi, [esp+18h+var_C]
		stosd
		push	0
		stosd
		stosd
		lea	eax, [esp+1Ch+var_C]
		push	eax
		call	_PspGetNextJobProcess@16 ; PspGetNextJobProcess(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_51287D
		mov	edi, [ebp+arg_4]

loc_51285C:				; CODE XREF: PspExecuteJobFreezeThawCallback(x,x)+57j
		mov	ecx, esi
		call	PspChangeProcessExecutionState
		test	eax, eax
		js	short loc_512888

loc_512867:				; CODE XREF: PspExecuteJobFreezeThawCallback(x,x)+66j
		mov	ecx, [ebp+arg_0]
		lea	eax, [esp+18h+var_C]
		push	esi
		push	eax
		mov	edx, ebx
		call	_PspGetNextJobProcess@16 ; PspGetNextJobProcess(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_51285C

loc_51287D:				; CODE XREF: PspExecuteJobFreezeThawCallback(x,x)+33j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_512888:				; CODE XREF: PspExecuteJobFreezeThawCallback(x,x)+41j
		mov	[edi], eax
		jmp	short loc_512867
_PspExecuteJobFreezeThawCallback@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1784. PsGetEffectiveServerSilo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetEffectiveServerSilo(x)
		public _PsGetEffectiveServerSilo@4
_PsGetEffectiveServerSilo@4 proc near	; CODE XREF: PsGetJobServerSilo+12p
					; PsGetCurrentServerSiloGlobals()+1Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_5128A4
		xor	eax, eax

loc_5128A0:				; CODE XREF: PsGetEffectiveServerSilo(x)+25j
		pop	ebp
		retn	4
; 

loc_5128A4:				; CODE XREF: PsGetEffectiveServerSilo(x)+Aj
					; PsGetEffectiveServerSilo(x)+21j
		call	_PsIsServerSilo@4 ; PsIsServerSilo(x)
		test	al, al
		jnz	short loc_5128B5
		mov	ecx, [ecx+244h]
		jmp	short loc_5128A4
; 

loc_5128B5:				; CODE XREF: PsGetEffectiveServerSilo(x)+19j
		mov	eax, ecx
		jmp	short loc_5128A0
_PsGetEffectiveServerSilo@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PsIsServerSilo(x)
_PsIsServerSilo@4 proc near		; CODE XREF: PsGetEffectiveServerSilo(x):loc_5128A4p
					; EtwTraceContextSwap+EBD56p ...
		test	ecx, ecx
		jz	short loc_5128C9
		cmp	dword ptr [ecx+2F8h], 0
		setnz	al
		retn
; 

loc_5128C9:				; CODE XREF: PsIsServerSilo(x)+2j
		mov	al, 1
		retn
_PsIsServerSilo@4 endp

; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 1163. KeInitializeAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeAffinityEx(x)
		public _KeInitializeAffinityEx@4
_KeInitializeAffinityEx@4 proc near	; CODE XREF: sub_759647+44Ap
					; NtCreateJobObject+E6p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 10001h
		mov	dword ptr [eax+4], 0
		mov	dword ptr [eax+8], 0
		pop	ebp
		retn	4
_KeInitializeAffinityEx@4 endp


;  S U B	R O U T	I N E 


SepPotentialGlobalTableAttribute proc near ; CODE XREF:	.text:005E9CC0p
					; SepInternalQuerySecurityAttributesTokenEx+D0B4Cp ...

; FUNCTION CHUNK AT 005E7948 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	esi, offset _PotentialGlobalAttributePrefixes
		xor	edi, edi

loc_51290E:				; CODE XREF: SepPotentialGlobalTableAttribute+32j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_5E7948
		push	1
		push	ebx
		push	esi
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)

loc_512925:				; CODE XREF: SepPotentialGlobalTableAttribute+D5064j
					; SepPotentialGlobalTableAttribute+D506Bj
		test	al, al
		jnz	short loc_512938
		add	edi, 8
		add	esi, 8
		cmp	edi, 8
		jb	short loc_51290E

loc_512934:				; CODE XREF: SepPotentialGlobalTableAttribute+3Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_512938:				; CODE XREF: SepPotentialGlobalTableAttribute+27j
		mov	al, 1
		jmp	short loc_512934
SepPotentialGlobalTableAttribute endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepCaptureTokenSecurityOperations proc near
					; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+B4p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E7970 SIZE 00000038 BYTES

		push	20h
		push	offset dword_6A5018
		call	__SEH_prolog4
		mov	esi, edx
		mov	[ebp+var_24], ecx
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		cmp	[ebp+arg_0], bl
		jz	loc_5E7970
		mov	[ebp+ms_exc.disabled], ebx
		cmp	dword ptr [ecx], 1
		jz	loc_5E797A
		test	esi, esi
		jz	loc_5E798B
		mov	eax, esi
		push	4
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_1C]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	dword ptr [ebp+arg_0], eax
		test	eax, eax
		js	loc_5E799C
		mov	[ebp+var_20], esi
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_24]

loc_512997:				; CODE XREF: SepCaptureTokenSecurityOperations+D504Aj
		test	eax, eax
		jz	short loc_5129B1
		test	cl, 3
		jnz	short loc_512A03
		lea	edi, [eax+ecx]
		mov	edx, ds:_MmUserProbeAddress
		cmp	edi, edx
		ja	short loc_512A08
		cmp	edi, ecx
		jb	short loc_512A08

loc_5129B1:				; CODE XREF: SepCaptureTokenSecurityOperations+5Dj
					; SepCaptureTokenSecurityOperations+CEj
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		push	704F6553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	dword ptr [ebp+arg_0], edx
		test	edx, edx
		jz	short loc_512A0C
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_24]

loc_5129D7:				; CODE XREF: SepCaptureTokenSecurityOperations+A9j
		mov	[ebp+var_28], ebx
		cmp	ebx, esi
		jnb	short loc_5129E7
		mov	eax, [ecx+ebx*4]
		mov	[edx+ebx*4], eax
		inc	ebx
		jmp	short loc_5129D7
; 

loc_5129E7:				; CODE XREF: SepCaptureTokenSecurityOperations+A0j
		mov	[ebp+ms_exc.disabled], edi
		mov	eax, [ebp+arg_4]
		mov	[eax], edx

loc_5129EF:				; CODE XREF: SepCaptureTokenSecurityOperations+D5039j
		xor	eax, eax

loc_5129F1:				; CODE XREF: SepCaptureTokenSecurityOperations+D5j
					; SepCaptureTokenSecurityOperations+D505Bj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_512A03:				; CODE XREF: SepCaptureTokenSecurityOperations+62j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_512A08:				; CODE XREF: SepCaptureTokenSecurityOperations+6Fj
					; SepCaptureTokenSecurityOperations+73j
		mov	[edx], bl
		jmp	short loc_5129B1
; 

loc_512A0C:				; CODE XREF: SepCaptureTokenSecurityOperations+8Fj
		mov	eax, 0C0000017h
		jmp	short loc_5129F1
SepCaptureTokenSecurityOperations endp

; 
		align 8
; Exported entry 2448. SeConvertSecurityDescriptorToStringSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeConvertSecurityDescriptorToStringSecurityDescriptor
SeConvertSecurityDescriptorToStringSecurityDescriptor proc near
					; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+421p
					; CmpLogHiveFileInaccessible+F7p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005E79F2 SIZE 0000004C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_C]
		test	ecx, ecx
		jz	loc_5E79F2
		test	eax, eax
		jz	loc_5E79F2

loc_512A37:				; CODE XREF: SeConvertSecurityDescriptorToStringSecurityDescriptor+D4FDCj
		test	ecx, ecx
		jz	short loc_512A66
		test	esi, esi
		jz	short loc_512A66
		test	eax, eax
		jz	short loc_512A66
		sub	[ebp+arg_4], 1
		jnz	loc_5E7A2C
		push	[ebp+arg_10]
		push	esi
		push	eax
		push	ecx
		push	ecx
		call	LocalConvertSDToStringSD_Rev1

loc_512A59:				; CODE XREF: SeConvertSecurityDescriptorToStringSecurityDescriptor+51j
		test	eax, eax
		jg	loc_5E7A31

loc_512A61:				; CODE XREF: SeConvertSecurityDescriptorToStringSecurityDescriptor+D4FFDj
					; SeConvertSecurityDescriptorToStringSecurityDescriptor+D5005j	...
		pop	esi
		pop	ebp
		retn	14h
; 

loc_512A66:				; CODE XREF: SeConvertSecurityDescriptorToStringSecurityDescriptor+21j
					; SeConvertSecurityDescriptorToStringSecurityDescriptor+25j ...
		push	57h
		pop	eax
		jmp	short loc_512A59
SeConvertSecurityDescriptorToStringSecurityDescriptor endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringCbCopyNW(x, x, x, x)
_RtlStringCbCopyNW@16 proc near		; CODE XREF: PopDiagGetDriverName(x,x,x)+25p
					; LocalConvertSidToStringSidW+4Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		shr	edx, 1
		mov	eax, edx
		neg	eax
		push	esi
		sbb	eax, eax
		mov	esi, 0C000000Dh
		and	eax, 3FFFFFF3h
		add	eax, esi
		test	edx, edx
		jz	short loc_512AA0
		mov	eax, [ebp+arg_4]
		shr	eax, 1
		cmp	eax, 7FFFFFFEh
		ja	short loc_512AA5
		push	eax
		push	[ebp+arg_0]
		push	ecx
		call	sub_56076C

loc_512AA0:				; CODE XREF: RtlStringCbCopyNW(x,x,x,x)+1Cj
					; RtlStringCbCopyNW(x,x,x,x)+40j
		pop	esi
		pop	ebp
		retn	8
; 

loc_512AA5:				; CODE XREF: RtlStringCbCopyNW(x,x,x,x)+28j
		xor	edx, edx
		mov	eax, esi
		mov	[ecx], dx
		jmp	short loc_512AA0
_RtlStringCbCopyNW@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl RtlStringCchPrintfW(wchar_t *,int,wchar_t	*,char)
RtlStringCchPrintfW proc near		; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+146p
					; RtlpInitNlsSectionName(x,x,x,x,x)+16p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005E7A3E SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		test	eax, eax
		jz	short loc_512AE3
		cmp	eax, 7FFFFFFFh
		ja	short loc_512AE3

loc_512AC3:				; CODE XREF: RtlStringCchPrintfW+3Aj
		test	ecx, ecx
		js	loc_5E7A3E
		lea	ecx, [ebp+arg_C]
		mov	edx, eax	; int
		push	ecx		; va_list
		push	[ebp+arg_8]	; wchar_t *
		push	ecx		; int
		mov	ecx, [ebp+arg_0] ; wchar_t *
		call	sub_512AEA
		mov	ecx, eax

loc_512ADF:				; CODE XREF: RtlStringCchPrintfW+D4F92j
					; RtlStringCchPrintfW+D4FA0j
		mov	eax, ecx
		pop	ebp
		retn
; 

loc_512AE3:				; CODE XREF: RtlStringCchPrintfW+Cj
					; RtlStringCchPrintfW+13j
		mov	ecx, 0C000000Dh
		jmp	short loc_512AC3
RtlStringCchPrintfW endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall sub_512AEA(wchar_t *,int,int,wchar_t *,va_list)
sub_512AEA	proc near		; CODE XREF: RtlStringCchPrintfW+2Ap

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_8]	; va_list
		lea	esi, [edx-1]
		mov	edi, ecx
		push	[ebp+arg_4]	; wchar_t *
		xor	ebx, ebx
		push	esi		; size_t
		push	edi		; wchar_t *
		call	__vsnwprintf
		add	esp, 10h
		test	eax, eax
		js	short loc_512B22
		cmp	eax, esi
		ja	short loc_512B22
		jnz	short loc_512B19

loc_512B13:				; CODE XREF: sub_512AEA+3Dj
		xor	eax, eax
		mov	[edi+esi*2], ax

loc_512B19:				; CODE XREF: sub_512AEA+27j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_512B22:				; CODE XREF: sub_512AEA+21j
					; sub_512AEA+25j
		mov	ebx, 80000005h
		jmp	short loc_512B13
sub_512AEA	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2350. RtlSubAuthorityCountSid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSubAuthorityCountSid(x)
		public _RtlSubAuthorityCountSid@4
_RtlSubAuthorityCountSid@4 proc	near	; CODE XREF: PAGE:007EA3CCp
					; PAGE:007EA443p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		inc	eax
		pop	ebp
		retn	4
_RtlSubAuthorityCountSid@4 endp

; 
		align 10h
; Exported entry 2351. RtlSubAuthoritySid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSubAuthoritySid(x, x)
		public _RtlSubAuthoritySid@8
_RtlSubAuthoritySid@8 proc near		; CODE XREF: SepValidateReferencedCachedHandles+2E5p
					; SepValidateReferencedCachedHandles+2EFp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		lea	eax, [eax+ecx*4]
		add	eax, 8
		pop	ebp
		retn	8
_RtlSubAuthoritySid@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepCreateTokenEx proc near		; CODE XREF: NtCreateTokenEx+48Dp
					; SepCreateToken(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3Ep

var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_14D		= byte ptr -14Dh
var_14C		= byte ptr -14Ch
var_14B		= byte ptr -14Bh
var_14A		= byte ptr -14Ah
var_149		= byte ptr -149h
var_148		= dword	ptr -148h
var_80		= dword	ptr -80h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h
arg_40		= dword	ptr  48h
arg_44		= dword	ptr  4Ch
arg_48		= dword	ptr  50h
arg_4C		= dword	ptr  54h
arg_50		= dword	ptr  58h
arg_54		= byte ptr  5Ch

; FUNCTION CHUNK AT 005E7A53 SIZE 000002A0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1D4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1B0], edx
		mov	[ebp+var_1A4], ecx
		mov	eax, [ebp+arg_10]
		or	[ebp+var_194], 0FFFFFFFFh
		mov	[ebp+var_1B4], eax
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_170], eax
		mov	eax, [ebp+arg_2C]
		mov	[ebp+var_17C], eax
		mov	eax, [ebp+arg_30]
		mov	[ebp+var_180], eax
		mov	eax, [ebp+arg_34]
		mov	[ebp+var_188], eax
		mov	eax, [ebp+arg_38]
		mov	ebx, [ebp+arg_18]
		mov	[ebp+var_1B8], eax
		mov	eax, [ebp+arg_40]
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_1D0], eax
		mov	eax, [ebp+arg_44]
		mov	edi, [ebp+arg_1C]
		mov	[ebp+var_1CC], eax
		mov	eax, [ebp+arg_4C]
		xor	ecx, ecx
		push	74h		; size_t
		mov	[ebp+var_1C8], eax
		lea	eax, [ebp+var_80]
		push	ecx		; int
		push	eax		; void *
		mov	[ebp+var_1A8], esi
		mov	[ebp+var_184], ebx
		mov	[ebp+var_1A0], edi
		mov	[ebp+var_174], ecx
		mov	[ebp+var_164], ecx
		mov	[ebp+var_15C], ecx
		mov	[ebp+var_14A], cl
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_148]
		push	0C4h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	dl, byte ptr [ebp+var_1B0]
		xor	eax, eax
		add	esp, 0Ch
		mov	[ebp+var_1C0], eax
		mov	[ebp+var_1BC], eax
		mov	ecx, esi
		mov	[ebp+var_14B], al
		mov	[ebp+var_14D], al
		mov	[ebp+var_14C], al
		mov	[ebp+var_164], eax
		lea	eax, [ebp+var_14C]
		push	eax
		call	SeCaptureObjectAttributeSecurityDescriptorPresent
		test	eax, eax
		js	loc_513405
		mov	esi, [ebx]
		xor	ebx, ebx
		mov	[ebp+var_168], esi
		mov	[ebp+var_154], ebx
		test	edi, edi
		jz	loc_5E7A53
		mov	ecx, [ebp+var_170]

loc_512C8C:				; CODE XREF: SepCreateTokenEx+17Cj
		mov	esi, ebx
		cmp	ebx, edi
		jnb	short loc_512CC0
		mov	ebx, [ebp+var_168]

loc_512C98:				; CODE XREF: SepCreateTokenEx+15Cj
		push	dword ptr [ecx+esi*8]
		push	ebx
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		mov	ecx, [ebp+var_170]
		test	al, al
		jnz	loc_512DDD

loc_512CAF:				; CODE XREF: SepCreateTokenEx+28Cj
		inc	esi

loc_512CB0:				; CODE XREF: SepCreateTokenEx+2A1j
		cmp	esi, edi
		jb	short loc_512C98
		mov	ebx, [ebp+var_154]
		mov	[ebp+var_1A0], edi

loc_512CC0:				; CODE XREF: SepCreateTokenEx+13Aj
		mov	esi, [ecx+ebx*8]
		inc	ebx
		mov	[ebp+var_168], esi
		mov	[ebp+var_154], ebx
		cmp	ebx, edi
		jb	short loc_512C8C
		mov	ebx, [ebp+var_184]
		mov	esi, [ebx]

loc_512CDC:				; CODE XREF: SepCreateTokenEx+D4F03j
		push	esi
		push	[ebp+var_188]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		mov	ecx, [ebp+var_180]
		test	al, al
		setnz	al
		mov	[ebp+var_149], al
		test	ecx, ecx
		jnz	loc_5134CC

loc_512D01:				; CODE XREF: SepCreateTokenEx+985j
		mov	dl, 1
		mov	[ebp+var_14A], dl

loc_512D09:				; CODE XREF: SepCreateTokenEx+991j
		mov	ecx, [ebx+4]
		test	cl, 10h
		jnz	loc_5E7A5E
		mov	ecx, [ebp+var_15C]

loc_512D1B:				; CODE XREF: SepCreateTokenEx+D4F18j
		xor	ebx, ebx
		mov	[ebp+var_190], ebx
		test	edi, edi
		jz	loc_512DFE
		mov	[ebp+var_149], al
		mov	eax, [ebp+var_170]
		add	eax, 4
		mov	[ebp+var_190], ebx
		mov	[ebp+var_160], 1
		mov	[ebp+var_158], eax

loc_512D50:				; CODE XREF: SepCreateTokenEx+282j
		mov	ebx, [eax]
		test	bl, 1
		jz	short loc_512D5C
		or	ebx, 6
		mov	[eax], ebx

loc_512D5C:				; CODE XREF: SepCreateTokenEx+1FFj
		test	bl, 10h
		jnz	loc_5E7A73

loc_512D65:				; CODE XREF: SepCreateTokenEx+D4F2Ej
		mov	esi, [eax-4]
		mov	ecx, esi
		push	6		; size_t
		call	_RtlIdentifierAuthoritySid@4 ; RtlIdentifierAuthoritySid(x)
		mov	ecx, _SeUntrustedMandatorySid
		push	eax		; void *
		call	_RtlIdentifierAuthoritySid@4 ; RtlIdentifierAuthoritySid(x)
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_513438

loc_512D8E:				; CODE XREF: SepCreateTokenEx+901j
		mov	ebx, [ebp+var_160]

loc_512D94:				; CODE XREF: SepCreateTokenEx+944j
					; SepCreateTokenEx+9CCj
		cmp	[ebp+var_149], 0
		jz	loc_513527

loc_512DA1:				; CODE XREF: SepCreateTokenEx+9DFj
					; SepCreateTokenEx+9ECj
		mov	dl, [ebp+var_14A]
		test	dl, dl
		jz	loc_5134AB
		mov	eax, [ebp+var_158]

loc_512DB5:				; CODE XREF: SepCreateTokenEx+971j
					; SepCreateTokenEx+9ADj
		add	eax, 8
		inc	ebx
		mov	[ebp+var_158], eax
		mov	[ebp+var_160], ebx
		lea	eax, [ebx-1]
		cmp	eax, edi
		jnb	short loc_512DFC
		mov	eax, [ebp+var_158]
		mov	ecx, [ebp+var_15C]
		jmp	loc_512D50
; 

loc_512DDD:				; CODE XREF: SepCreateTokenEx+153j
		test	byte ptr [ecx+esi*8+4],	20h
		jnz	loc_512CAF
		dec	edi
		mov	eax, [ecx+edi*8]
		mov	[ecx+esi*8], eax
		mov	eax, [ecx+edi*8+4]
		mov	[ecx+esi*8+4], eax
		jmp	loc_512CB0
; 

loc_512DFC:				; CODE XREF: SepCreateTokenEx+274j
		xor	ebx, ebx

loc_512DFE:				; CODE XREF: SepCreateTokenEx+1CFj
		cmp	[ebp+var_149], 0
		jz	loc_5E7A9A
		test	dl, dl
		jz	loc_5E7AA4
		cmp	[ebp+arg_28], 0
		mov	[ebp+var_160], ebx
		mov	[ebp+var_158], ebx
		mov	[ebp+var_198], ebx
		mov	[ebp+var_19C], ebx
		mov	[ebp+var_180], ebx
		mov	[ebp+var_154], ebx
		mov	[ebp+var_168], ebx
		jbe	loc_512EED
		mov	esi, [ebp+var_17C]
		add	esi, 8

loc_512E50:				; CODE XREF: SepCreateTokenEx+38Fj
		mov	eax, [esi]
		mov	[ebp+var_178], eax
		test	eax, 7FFFFFF8h
		jnz	loc_5E7ACE
		mov	ecx, [esi-8]
		mov	ebx, eax
		and	ebx, 3
		mov	[esi], ebx
		cmp	ecx, 24h
		ja	loc_5E7AB8
		xor	eax, eax
		xor	edx, edx
		inc	eax
		call	__allshl
		mov	[ebp+var_17C], eax
		mov	eax, edx
		mov	edx, [ebp+var_17C]
		mov	ecx, edx
		and	ecx, [ebp+var_160]
		mov	[ebp+var_18C], eax
		and	eax, [ebp+var_158]
		or	ecx, eax
		jnz	loc_5E7AAE
		mov	eax, [ebp+var_18C]
		or	[ebp+var_160], edx
		or	[ebp+var_158], eax
		test	bl, 2
		jnz	loc_513427

loc_512EC5:				; CODE XREF: SepCreateTokenEx+8DDj
		test	byte ptr [ebp+var_178],	1
		jnz	loc_513416

loc_512ED2:				; CODE XREF: SepCreateTokenEx+8CCj
		mov	ecx, [ebp+var_168]
		add	esi, 0Ch
		inc	ecx
		mov	[ebp+var_168], ecx
		cmp	ecx, [ebp+arg_28]
		jb	loc_512E50
		xor	ebx, ebx

loc_512EED:				; CODE XREF: SepCreateTokenEx+2EBj
		mov	eax, [ebp+arg_50]
		test	eax, eax
		jnz	loc_5E7AC2

loc_512EF8:				; CODE XREF: SepCreateTokenEx+D4F72j
		push	74416553h
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_1AC], esi
		test	esi, esi
		jz	loc_5E7B16
		lea	eax, [esi+4]
		mov	[esi], ebx
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+10h]
		mov	[esi+0Ch], ebx
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	ds:_SeTokenLeakTracking, 0
		jnz	loc_5E7AD8
		mov	ebx, [ebp+var_164]

loc_512F3E:				; CODE XREF: SepCreateTokenEx+D4F9Dj
		lea	ecx, [ebp+var_1C0]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		push	6C546553h
		push	38h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_178], eax
		test	eax, eax
		jz	loc_5E7AFD
		mov	ebx, edi
		shl	ebx, 3
		cmp	_SepTokenSidSharingEnabled, 0
		mov	[ebp+var_1C4], ebx
		jnz	loc_5E7B20
		mov	eax, [ebp+var_184]
		mov	edi, [ebp+arg_24]
		add	edi, 3
		and	edi, 0FFFFFFFCh
		mov	eax, [eax]
		mov	[ebp+var_18C], edi
		movzx	eax, byte ptr [eax+1]
		push	eax
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	eax, ebx
		lea	ebx, [edi+8]
		add	ebx, eax

loc_512FAE:				; CODE XREF: SepCreateTokenEx+D4FD9j
		mov	eax, [ebp+var_188]
		mov	[ebp+var_168], ebx
		mov	[ebp+var_16C], ebx
		movzx	eax, byte ptr [eax+1]
		push	eax
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		mov	ecx, [ebp+var_1B8]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_17C], eax
		test	ecx, ecx
		jz	short loc_512FF2
		movzx	ecx, word ptr [ecx+2]
		add	ecx, 3
		and	ecx, 0FFFFFFFCh
		add	eax, ecx
		mov	[ebp+var_17C], eax

loc_512FF2:				; CODE XREF: SepCreateTokenEx+488j
		mov	ecx, 1000h
		add	ebx, 2A0h
		mov	[ebp+var_16C], ecx
		cmp	eax, ecx
		jnb	loc_5E7B34

loc_51300B:				; CODE XREF: SepCreateTokenEx+D4FE6j
		lea	eax, [ebp+var_174]
		push	eax
		push	0
		lea	eax, [ecx+ebx]
		push	eax
		push	ebx
		xor	ebx, ebx
		push	ebx
		push	1
		push	[ebp+var_1A8]
		push	ds:_SeTokenObjectType
		push	[ebp+var_1B0]
		call	_ObCreateObject@36 ; ObCreateObject(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_5E7B41
		mov	ebx, [ebp+var_174]
		mov	eax, [ebp+var_178]
		push	eax
		mov	[ebx+30h], eax
		call	ExInitializeResourceLite
		lea	ecx, [ebx+10h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		mov	ecx, [ebp+var_1B4]
		xor	edx, edx
		mov	[ebx+20h], edx
		mov	edi, ebx
		mov	[ebx+24h], edx
		mov	[ebx+0C4h], edx
		mov	[ebx+0C8h], edx
		mov	eax, [ecx]
		mov	[ebx+18h], eax
		mov	eax, [ecx+4]
		mov	[ebx+1Ch], eax
		mov	[ebx+0B4h], dl
		mov	ecx, [ebp+arg_14]
		mov	eax, [ebp+var_1C0]
		mov	[ebx+34h], eax
		mov	eax, [ebp+var_1BC]
		mov	[ebx+38h], eax
		mov	eax, [ecx]
		mov	[ebx+28h], eax
		mov	eax, [ecx+4]
		mov	[ebx+2Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[ebx+0A8h], eax
		mov	esi, [ebp+arg_3C]
		mov	eax, [ebp+arg_C]
		mov	[ebx+0ACh], eax
		mov	eax, [ebp+var_15C]
		movsd
		push	88h		; size_t
		push	edx		; int
		movsd
		movsd
		movsd
		mov	[ebx+0B0h], eax
		mov	eax, [ebp+var_16C]
		mov	[ebx+78h], edx
		mov	[ebx+29Ch], edx
		mov	[ebx+88h], eax
		mov	eax, [ebp+var_190]
		mov	[ebx+8Ch], edx
		mov	[ebx+90h], eax
		lea	eax, [ebx+0A4h]
		mov	[eax], edx
		mov	[ebx+288h], edx
		mov	[ebx+28Ch], edx
		mov	[ebp+var_178], eax
		mov	eax, [ebp+var_168]
		mov	[ebx+84h], eax
		mov	eax, [ebp+var_194]
		mov	[ebx+0B8h], eax
		mov	eax, [ebp+var_160]
		mov	[ebx+0BCh], edx
		mov	[ebx+40h], eax
		mov	eax, [ebp+var_158]
		mov	[ebx+44h], eax
		mov	eax, [ebp+var_198]
		mov	[ebx+48h], eax
		mov	eax, [ebp+var_19C]
		mov	[ebx+4Ch], eax
		mov	eax, [ebp+var_180]
		mov	[ebx+50h], eax
		mov	eax, [ebp+var_154]
		mov	[ebx+54h], eax
		lea	eax, [ebx+1ECh]
		mov	[ebx+1E8h], edx
		mov	[ebx+1E4h], edx
		mov	[ebx+1E0h], edx
		mov	[ebx+274h], edx
		mov	[ebx+278h], edx
		push	eax		; void *
		mov	[ebx+298h], edx
		call	_memset
		add	esp, 0Ch
		xor	edx, edx
		mov	eax, [ebp+var_164]
		lea	esi, [ebx+294h]
		mov	[ebx+280h], edx
		mov	[ebx+284h], edx
		mov	[ebx+290h], edx
		mov	[esi], eax
		mov	eax, [ebp+arg_50]
		mov	[ebp+var_154], esi
		test	eax, eax
		jnz	loc_5E7B71

loc_5131CF:				; CODE XREF: SepCreateTokenEx+D5023j
		cmp	[ebp+var_14B], dl
		jz	loc_513547

loc_5131DB:				; CODE XREF: SepCreateTokenEx+A04j
		cmp	[ebp+var_14D], 1
		jz	loc_5135D0

loc_5131E8:				; CODE XREF: SepCreateTokenEx+A8Dj
		push	8
		xor	eax, eax
		lea	edi, [ebx+58h]
		pop	ecx
		rep stosd
		mov	eax, [ebp+var_1AC]
		lea	edi, [ebx+0C0h]
		mov	ecx, [ebp+var_1B4]
		mov	[ebx+1DCh], eax
		lea	eax, [ebx+0A0h]
		mov	[ebx+27Ch], edx
		mov	[eax], edx
		mov	edx, edi
		mov	[ebp+var_1A8], eax
		call	_SepReferenceLogonSession@8 ; SepReferenceLogonSession(x,x)
		mov	[ebp+var_1AC], eax
		test	eax, eax
		js	loc_5E7B7E
		cmp	ds:_SeTokenLeakTracking, 0
		jnz	loc_5E7B9A

loc_513240:				; CODE XREF: SepCreateTokenEx+D50E1j
		cmp	_SepTokenSidSharingEnabled, 0
		mov	edi, [ebp+var_1A0]
		jnz	loc_5E7C3C
		mov	edx, [ebp+var_1C4]
		lea	esi, [ebx+2A0h]
		lea	eax, [edi+1]
		mov	[ebx+94h], esi
		mov	[ebx+7Ch], eax
		mov	eax, [ebp+var_168]
		lea	ecx, [edx+8]
		sub	eax, edx
		lea	edx, [ebp+var_16C]
		add	ecx, esi
		push	edx		; int
		lea	edx, [ebp+var_164]
		mov	[ebp+var_164], ecx
		push	edx		; int
		push	ecx		; void *
		push	esi		; int
		sub	eax, 8
		push	eax		; int
		push	[ebp+var_184]	; int
		mov	[ebp+var_16C], eax
		push	1		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)
		lea	eax, [ebp+var_16C]
		push	eax		; int
		lea	eax, [ebp+var_164]
		push	eax		; int
		push	[ebp+var_164]	; void *
		lea	eax, [esi+8]
		push	eax		; int
		push	[ebp+var_16C]	; int
		push	[ebp+var_170]	; int
		push	edi		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)

loc_5132CF:				; CODE XREF: SepCreateTokenEx+D5104j
		lea	eax, [ebx+0CCh]
		push	eax		; void *
		push	dword ptr [ebx+7Ch] ; int
		push	dword ptr [ebx+94h] ; int
		call	RtlSidHashInitialize
		and	dword ptr [ebx+98h], 0
		and	dword ptr [ebx+80h], 0
		push	64546553h
		push	[ebp+var_17C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_1A8]
		mov	[eax], edi
		test	edi, edi
		jz	loc_5E7C65
		mov	eax, [ebp+var_188]
		mov	[ebx+9Ch], edi
		movzx	eax, byte ptr [eax+1]
		push	eax
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		push	[ebp+var_188]	; void *
		mov	esi, eax
		push	edi		; void *
		push	esi		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		mov	ecx, [ebp+var_1B8]
		lea	eax, [esi+3]
		and	eax, 0FFFFFFFCh
		add	edi, eax
		test	ecx, ecx
		jz	short loc_513364
		mov	eax, [ebp+var_178]
		mov	[eax], edi
		movzx	eax, word ptr [ecx+2]
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_513364:				; CODE XREF: SepCreateTokenEx+7F5j
		push	[ebp+var_1C8]
		mov	edx, [ebp+var_1D0]
		mov	ecx, ebx
		push	[ebp+arg_48]
		push	[ebp+var_1CC]
		call	SepSetTokenClaims
		mov	esi, eax
		test	esi, esi
		js	short loc_5133FC
		cmp	[ebp+arg_54], 0
		jnz	loc_51355F

loc_513390:				; CODE XREF: SepCreateTokenEx+A1Aj
		cmp	ds:_SeTokenLeakTracking, 0
		jnz	loc_5E7C6F

loc_51339D:				; CODE XREF: SepCreateTokenEx+D5120j
					; SepCreateTokenEx+D5180j ...
		cmp	[ebp+arg_54], 0
		jnz	loc_51357B
		mov	eax, ds:_SeTokenObjectType
		add	eax, 34h
		push	eax		; int
		push	[ebp+arg_0]	; int
		lea	eax, [ebp+var_148]
		push	eax		; void *
		lea	eax, [ebp+var_80]
		push	eax		; void *
		call	SeCreateAccessState
		mov	esi, eax
		test	esi, esi
		js	short loc_5133FC
		mov	eax, [ebp+var_1A4]
		push	eax
		push	0
		push	1
		push	0
		lea	eax, [ebp+var_80]
		push	eax
		push	ebx
		call	_ObInsertObject@24 ; ObInsertObject(x,x,x,x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_80]
		push	eax
		call	SeDeleteAccessState
		test	esi, esi
		js	short loc_513403
		cmp	[ebp+var_14C], 0
		jz	loc_51349F

loc_5133FC:				; CODE XREF: SepCreateTokenEx+82Ej
					; SepCreateTokenEx+871j ...
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_513403:				; CODE XREF: SepCreateTokenEx+897j
					; SepCreateTokenEx+A69j ...
		mov	eax, esi

loc_513405:				; CODE XREF: SepCreateTokenEx+112j
					; SepCreateTokenEx+D4F3Fj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	58h
; 

loc_513416:				; CODE XREF: SepCreateTokenEx+376j
		or	[ebp+var_180], edx
		or	[ebp+var_154], eax
		jmp	loc_512ED2
; 

loc_513427:				; CODE XREF: SepCreateTokenEx+369j
		or	[ebp+var_198], edx
		or	[ebp+var_19C], eax
		jmp	loc_512EC5
; 

loc_513438:				; CODE XREF: SepCreateTokenEx+232j
		mov	cl, [esi+1]
		test	cl, cl
		jz	loc_5E7A89
		movzx	edx, cl
		cmp	dword ptr [esi+edx*4+4], 4000h
		ja	loc_5E7A90

loc_513454:				; CODE XREF: SepCreateTokenEx+D4F35j
		test	bl, 40h
		jz	loc_512D8E
		cmp	[ebp+var_194], 0FFFFFFFFh
		jnz	loc_5E7ACE
		mov	ebx, [ebp+var_160]
		mov	[ebp+var_194], ebx
		test	cl, cl
		jz	loc_5135C4
		mov	eax, [esi+edx*4+4]
		cmp	eax, 3000h
		jb	short loc_513508
		or	[ebp+var_15C], 2000h
		mov	[ebp+var_14B], 1
		jmp	loc_512D94
; 

loc_51349F:				; CODE XREF: SepCreateTokenEx+8A0j
		mov	ecx, ebx
		call	_SepFinalizeTokenAcls@4	; SepFinalizeTokenAcls(x)
		jmp	loc_5133FC
; 

loc_5134AB:				; CODE XREF: SepCreateTokenEx+253j
		push	esi
		push	[ebp+var_180]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		mov	eax, [ebp+var_158]
		jnz	short loc_5134EC
		mov	dl, [ebp+var_14A]
		jmp	loc_512DB5
; 

loc_5134CC:				; CODE XREF: SepCreateTokenEx+1A5j
		push	esi
		push	ecx
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		mov	al, [ebp+var_149]
		jnz	loc_512D01
		mov	dl, [ebp+var_14A]
		jmp	loc_512D09
; 

loc_5134EC:				; CODE XREF: SepCreateTokenEx+969j
		test	byte ptr [eax],	8
		jz	loc_5E7AA4
		mov	dl, 1
		mov	[ebp+var_190], ebx
		mov	[ebp+var_14A], dl
		jmp	loc_512DB5
; 

loc_513508:				; CODE XREF: SepCreateTokenEx+931j
		mov	ecx, 2000h
		cmp	eax, ecx
		jb	loc_5135C4
		or	[ebp+var_15C], ecx

loc_51351B:				; CODE XREF: SepCreateTokenEx+A75j
		mov	[ebp+var_14B], 0
		jmp	loc_512D94
; 

loc_513527:				; CODE XREF: SepCreateTokenEx+245j
		push	esi
		push	[ebp+var_188]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	loc_512DA1
		mov	[ebp+var_149], 1
		jmp	loc_512DA1
; 

loc_513547:				; CODE XREF: SepCreateTokenEx+67Fj
		and	dword ptr [ebx+4Ch], 0FFFFFFEEh
		mov	eax, 0DFE9F97Bh
		and	[ebx+48h], eax
		and	[ebx+50h], eax
		and	dword ptr [ebx+54h], 0FFFFFFEEh
		jmp	loc_5131DB
; 

loc_51355F:				; CODE XREF: SepCreateTokenEx+834j
		mov	edx, _SeProcTrustWinTcbSid
		mov	ecx, ebx
		call	_SepSetTokenTrust@8 ; SepSetTokenTrust(x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_513390
		jmp	loc_5133FC
; 

loc_51357B:				; CODE XREF: SepCreateTokenEx+84Bj
		mov	eax, large fs:124h
		xor	ecx, ecx
		mov	edi, [ebp+var_174]
		mov	eax, [eax+80h]
		cmp	[eax+12Ch], ecx
		jz	short loc_5135A6
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	edi
		call	_ObInsertObject@24 ; ObInsertObject(x,x,x,x,x,x)
		mov	esi, eax
		xor	ecx, ecx

loc_5135A6:				; CODE XREF: SepCreateTokenEx+A3Fj
		test	esi, esi
		js	loc_5E7CE6
		cmp	[ebp+var_14C], 0
		jz	short loc_5135E8

loc_5135B7:				; CODE XREF: SepCreateTokenEx+A99j
		mov	eax, [ebp+var_1A4]
		mov	[eax], edi
		jmp	loc_513403
; 

loc_5135C4:				; CODE XREF: SepCreateTokenEx+922j
					; SepCreateTokenEx+9B9j
		mov	[ebp+var_14D], 1
		jmp	loc_51351B
; 

loc_5135D0:				; CODE XREF: SepCreateTokenEx+68Cj
		and	dword ptr [ebx+4Ch], 2
		mov	eax, 2800000h
		and	[ebx+48h], eax
		and	[ebx+50h], eax
		and	dword ptr [ebx+54h], 2
		jmp	loc_5131E8
; 

loc_5135E8:				; CODE XREF: SepCreateTokenEx+A5Fj
		mov	ecx, edi
		call	_SepFinalizeTokenAcls@4	; SepFinalizeTokenAcls(x)
		jmp	short loc_5135B7
SepCreateTokenEx endp

; 
		align 4
		db 2 dup(0CCh)
; 
; Exported entry 2039. RtlDeriveCapabilitySidsFromName

		public RtlDeriveCapabilitySidsFromName
RtlDeriveCapabilitySidsFromName:	; CODE XREF: PopCreateNotificationName(x)+B9p
					; PiUEventInitClientRegistrationContext+A4p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-8], eax
		push	ebx
		mov	ebx, [ebp+10h]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+8]
		mov	[ebp-30h], eax
		mov	[ebp-2Ch], eax
		push	edi
		mov	edi, [ebp+0Ch]
		test	esi, esi
		jz	loc_513700
		test	edi, edi
		jz	loc_513700
		test	ebx, ebx
		jz	loc_513700
		push	30h
		push	eax
		push	ebx
		call	_memset
		push	2Ch
		push	0
		push	edi
		call	_memset
		add	esp, 18h
		lea	eax, [ebp-30h]
		push	1
		push	esi
		push	eax
		call	RtlUpcaseUnicodeString
		test	eax, eax
		js	loc_5136EF
		movzx	edx, word ptr [ebp-30h]
		lea	eax, [ebp-28h]
		mov	ecx, [ebp-2Ch]
		push	eax
		call	@SymCryptSha256@12 ; SymCryptSha256(x,x,x)
		push	9
		push	offset _RtlpNtAuthority
		push	edi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	dword ptr [edi+8], 20h
		lea	esi, [ebp-28h]
		add	edi, 0Ch
		push	8
		pop	ecx
		rep movsd
		xor	esi, esi
		mov	edi, (offset loc_A4088F+1)

loc_513694:				; CODE XREF: .text:005136B7j
		lea	eax, [esi+1]
		push	0
		mov	[ebp-34h], eax
		lea	eax, [ebp-30h]
		push	edi
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_5E7CF3
		mov	esi, [ebp-34h]
		add	edi, 8
		cmp	esi, 0Ch
		jb	short loc_513694

loc_5136B9:				; CODE XREF: .text:005E7D0Dj
		lea	eax, [ebp-30h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	esi, 0Ch
		jnz	short loc_5136ED
		push	0Ah
		push	offset _RtlpAppPackageAuthority
		push	ebx
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	8
		mov	dword ptr [ebx+8], 3
		lea	edi, [ebx+10h]
		pop	ecx
		lea	esi, [ebp-28h]
		mov	dword ptr [ebx+0Ch], 400h
		rep movsd

loc_5136ED:				; CODE XREF: .text:005136C5j
		xor	eax, eax

loc_5136EF:				; CODE XREF: .text:00513658j
		mov	ecx, [ebp-8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_513700:				; CODE XREF: .text:0051361Ej
					; .text:00513626j ...
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 2258. RtlNormalizeSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlNormalizeSecurityDescriptor(int,void	*Source1,int,int,char)
		public _RtlNormalizeSecurityDescriptor@20
_RtlNormalizeSecurityDescriptor@20 proc	near

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
Source2		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
Source1		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		mov	ebx, eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], ebx
		mov	[ebp+var_2], al
		mov	edi, [edi]
		push	edi
		push	[ebp+Source1]
		mov	[ebp+var_8], edi
		mov	[ebp+var_1], al
		call	_SeValidSecurityDescriptor@8 ; SeValidSecurityDescriptor(x,x)
		test	al, al
		jz	loc_513B37
		mov	cl, [ebp+arg_10]
		test	cl, cl
		jnz	short loc_513784
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jz	short loc_513755
		mov	ebx, [ebx]
		mov	[ebp+var_18], ebx
		test	ebx, ebx
		jnz	short loc_513775

loc_513755:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+40j
		push	64536553h
		push	[ebp+Source1]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_18], eax
		test	ebx, ebx
		jz	loc_513B37
		mov	[ebp+var_2], 1

loc_513775:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+49j
		mov	esi, edi
		mov	edi, ebx
		push	5
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_8]
		mov	cl, [ebp+arg_10]

loc_513784:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+39j
		xor	edx, edx
		push	14h
		inc	edx
		pop	esi
		mov	[ebp+var_24], edx
		jmp	short loc_513792
; 

loc_51378F:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+341j
		mov	cl, [ebp+arg_10]

loc_513792:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+83j
		cmp	edx, 1
		jnz	short loc_51379C
		mov	edx, [edi+0Ch]
		jmp	short loc_51379F
; 

loc_51379C:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+8Bj
		mov	edx, [edi+10h]

loc_51379F:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+90j
		mov	[ebp+var_30], edx
		test	edx, edx
		jz	loc_513A41
		cmp	[ebp+var_24], 1
		jnz	short loc_5137BE
		xor	eax, eax
		cmp	[edx+edi+4], ax
		jnz	short loc_5137BE
		mov	[ebp+var_2C], eax
		jmp	short loc_5137C3
; 

loc_5137BE:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+A4j
					; RtlNormalizeSecurityDescriptor(x,x,x,x,x)+ADj
		mov	eax, esi
		mov	[ebp+var_2C], esi

loc_5137C3:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+B2j
		cmp	eax, edx
		jz	short loc_5137E1
		mov	[ebp+var_1], 1
		test	cl, cl
		jnz	loc_513B23
		cmp	[ebp+var_24], 1
		jnz	short loc_5137DE
		mov	[ebx+0Ch], eax
		jmp	short loc_5137E1
; 

loc_5137DE:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+CDj
		mov	[ebx+10h], eax

loc_5137E1:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+BBj
					; RtlNormalizeSecurityDescriptor(x,x,x,x,x)+D2j
		test	eax, eax
		jz	loc_513A41
		test	cl, cl
		jnz	short loc_513804
		add	eax, ebx
		mov	[ebp+var_14], eax
		mov	ebx, [ebp+var_14]
		mov	eax, [edx+edi]
		mov	[ebx], eax
		mov	eax, [edx+edi+4]
		mov	[ebx+4], eax
		mov	ebx, [ebp+var_18]

loc_513804:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+E1j
		xor	eax, eax
		add	esi, 8
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		lea	eax, [edi+8]
		add	eax, edx
		mov	[ebp+var_34], eax
		mov	[ebp+Source1], eax
		movzx	eax, word ptr [edx+edi+4]
		mov	edi, eax
		mov	[ebp+var_20], edi
		xor	edi, edi
		cmp	di, ax
		mov	edi, [ebp+var_8]
		jnb	loc_51390B

loc_513832:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+1FBj
		mov	edx, [ebp+Source1]
		cmp	byte ptr [edx],	0
		jnz	loc_5138C3
		xor	eax, eax
		test	cl, cl
		jz	loc_513951
		mov	ebx, [ebp+var_34]
		mov	[ebp+Source2], ebx
		mov	ebx, [ebp+var_18]
		mov	[ebp+var_20], eax
		cmp	[ebp+var_C], eax
		jbe	short loc_5138C3
		movzx	ecx, word ptr [edx+2]
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+Source2]

loc_513863:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+1A2j
		mov	edi, [ebp+var_1C]
		cmp	[ecx+2], di
		mov	edi, [ebp+var_8]
		jnz	short loc_513899
		mov	eax, [ebp+var_1C]
		movzx	edi, word ptr [edx+2]
		movzx	eax, ax
		push	eax		; Length
		push	ecx		; Source2
		push	edx		; Source1
		mov	[ebp+var_1C], edi
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		mov	edx, edi
		mov	edi, [ebp+var_8]
		movzx	ecx, dx
		cmp	eax, ecx
		mov	eax, [ebp+var_20]
		jz	short loc_5138B0
		mov	edx, [ebp+Source1]
		mov	ecx, [ebp+Source2]

loc_513899:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+163j
		inc	eax
		mov	[ebp+var_20], eax
		movzx	eax, word ptr [ecx+2]
		add	ecx, eax
		mov	eax, [ebp+var_20]
		mov	[ebp+Source2], ecx
		cmp	eax, [ebp+var_C]
		jb	short loc_513863
		jmp	short loc_5138B4
; 

loc_5138B0:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+187j
		mov	[ebp+var_1], 1

loc_5138B4:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+1A4j
		cmp	eax, [ebp+var_C]
		jb	loc_513AE7

loc_5138BD:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+2B7j
		mov	edx, [ebp+Source1]
		mov	cl, [ebp+arg_10]

loc_5138C3:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+12Ej
					; RtlNormalizeSecurityDescriptor(x,x,x,x,x)+14Dj
		test	cl, cl
		jnz	short loc_5138D9

loc_5138C7:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+256j
		movzx	eax, word ptr [edx+2]
		push	eax		; size_t
		push	edx		; void *
		lea	eax, [esi+ebx]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_5138D9:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+1BBj
		mov	edx, [ebp+Source1]
		movzx	ecx, word ptr [edx+2]
		add	esi, ecx
		mov	eax, ecx
		inc	[ebp+var_10]

loc_5138E7:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+2C4j
		inc	[ebp+var_C]
		movzx	eax, ax
		add	edx, eax
		mov	[ebp+Source1], edx
		mov	edx, [ebp+var_30]
		movzx	eax, word ptr [edx+edi+4]
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		mov	cl, [ebp+arg_10]
		cmp	[ebp+var_C], eax
		jb	loc_513832

loc_51390B:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+122j
		lea	eax, [esi+3]
		and	eax, 0FFFFFFFCh
		mov	[ebp+Source1], eax
		sub	eax, [ebp+var_2C]
		mov	[ebp+Source2], eax
		mov	eax, [ebp+var_20]
		movzx	eax, ax
		mov	[ebp+var_34], eax
		movzx	eax, word ptr [edx+edi+2]
		cmp	[ebp+Source2], eax
		jz	loc_5139D3
		mov	[ebp+var_1], 1
		test	cl, cl
		jnz	loc_513B23
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+Source2]
		mov	[ecx+2], ax
		movzx	eax, word ptr [edx+edi+4]
		jmp	loc_5139D6
; 

loc_513951:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+138j
		mov	ecx, [ebp+var_14]
		add	ecx, 8
		mov	[ebp+var_1C], eax
		mov	[ebp+Source2], ecx
		cmp	[ebp+var_10], eax
		jbe	loc_5138C7
		movzx	edi, word ptr [edx+2]
		mov	[ebp+var_20], edi

loc_51396D:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+2ACj
		mov	edi, [ebp+var_20]
		cmp	[ecx+2], di
		mov	edi, [ebp+var_8]
		jnz	short loc_5139A3
		mov	eax, [ebp+var_20]
		movzx	edi, word ptr [edx+2]
		movzx	eax, ax
		push	eax		; Length
		push	ecx		; Source2
		push	edx		; Source1
		mov	[ebp+var_20], edi
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		mov	edx, edi
		mov	edi, [ebp+var_8]
		movzx	ecx, dx
		cmp	eax, ecx
		mov	eax, [ebp+var_1C]
		jz	short loc_5139BA
		mov	edx, [ebp+Source1]
		mov	ecx, [ebp+Source2]

loc_5139A3:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+26Dj
		inc	eax
		mov	[ebp+var_1C], eax
		movzx	eax, word ptr [ecx+2]
		add	ecx, eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+Source2], ecx
		cmp	eax, [ebp+var_10]
		jb	short loc_51396D
		jmp	short loc_5139BE
; 

loc_5139BA:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+291j
		mov	[ebp+var_1], 1

loc_5139BE:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+2AEj
		cmp	eax, [ebp+var_10]
		jnb	loc_5138BD
		mov	edx, [ebp+Source1]
		movzx	eax, word ptr [edx+2]
		jmp	loc_5138E7
; 

loc_5139D3:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+221j
		mov	eax, [ebp+var_34]

loc_5139D6:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+242j
		mov	ecx, [ebp+var_10]
		movzx	eax, ax
		cmp	ecx, eax
		jz	short loc_5139E7
		mov	eax, [ebp+var_14]
		mov	[eax+4], cx

loc_5139E7:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+2D4j
		mov	ecx, [ebp+Source1]
		cmp	esi, ecx
		jz	short loc_513A41
		cmp	[ebp+var_2C], edx
		jnz	loc_513B02
		movzx	eax, word ptr [edx+edi+2]
		cmp	[ebp+Source2], eax
		jnz	loc_513B02
		mov	eax, ecx
		sub	eax, esi
		push	eax
		lea	eax, [esi+edi]
		push	eax
		call	_RtlIsZeroMemory@8 ; RtlIsZeroMemory(x,x)
		test	al, al
		mov	al, [ebp+arg_10]
		jnz	short loc_513A26
		mov	[ebp+var_1], 1
		test	al, al
		jnz	loc_513B23

loc_513A26:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+30Ej
		mov	ecx, [ebp+Source1]

loc_513A29:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+3FBj
		test	al, al
		jnz	short loc_513A3E
		sub	ecx, esi
		lea	eax, [esi+ebx]
		push	ecx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_513A3E:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+321j
		mov	esi, [ebp+Source1]

loc_513A41:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+9Aj
					; RtlNormalizeSecurityDescriptor(x,x,x,x,x)+D9j ...
		mov	edx, [ebp+var_24]
		inc	edx
		mov	[ebp+var_24], edx
		cmp	edx, 2
		jbe	loc_51378F
		mov	eax, [edi+4]
		cmp	esi, eax
		jz	short loc_513A6C
		cmp	[ebp+arg_10], 0
		mov	[ebp+var_1], 1
		jnz	loc_513B23
		mov	[ebx+4], esi
		mov	eax, [edi+4]

loc_513A6C:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+34Cj
		add	eax, edi
		mov	[ebp+Source1], eax
		movzx	eax, byte ptr [eax+1]
		push	eax
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		mov	cl, [ebp+arg_10]
		mov	[ebp+var_34], eax
		test	cl, cl
		jnz	short loc_513A9D
		mov	ecx, [ebx+4]
		push	eax		; size_t
		push	[ebp+Source1]	; void *
		add	ecx, ebx
		push	ecx		; void *
		call	_memcpy
		mov	cl, [ebp+arg_10]
		add	esp, 0Ch
		mov	eax, [ebp+var_34]

loc_513A9D:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+379j
		add	esi, eax
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_513AE7
		cmp	esi, eax
		jz	short loc_513AB8
		mov	[ebp+var_1], 1
		test	cl, cl
		jnz	short loc_513B23
		mov	[ebx+8], esi
		mov	eax, [edi+8]

loc_513AB8:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+39Ej
		add	eax, edi
		mov	[ebp+Source1], eax
		movzx	eax, byte ptr [eax+1]
		push	eax
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		cmp	[ebp+arg_10], 0
		mov	[ebp+var_34], eax
		jnz	short loc_513AE5
		mov	ecx, [ebx+8]
		push	eax		; size_t
		push	[ebp+Source1]	; void *
		add	ecx, ebx
		push	ecx		; void *
		call	_memcpy
		mov	eax, [ebp+var_34]
		add	esp, 0Ch

loc_513AE5:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+3C4j
		add	esi, eax

loc_513AE7:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+1ADj
					; RtlNormalizeSecurityDescriptor(x,x,x,x,x)+39Aj
		cmp	[ebp+var_1], 0
		jz	short loc_513B23
		cmp	[ebp+arg_10], 0
		jnz	short loc_513B23
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_513B0A
		cmp	[ebp+var_2], 0
		jz	short loc_513B18
		jmp	short loc_513B16
; 

loc_513B02:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+2E7j
					; RtlNormalizeSecurityDescriptor(x,x,x,x,x)+2F5j
		mov	al, [ebp+arg_10]
		jmp	loc_513A29
; 

loc_513B0A:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+3EEj
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_0]

loc_513B16:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+3F6j
		mov	[eax], ebx

loc_513B18:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+3F4j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_513B32
		mov	[eax], esi
		jmp	short loc_513B32
; 

loc_513B23:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+C3j
					; RtlNormalizeSecurityDescriptor(x,x,x,x,x)+22Dj ...
		cmp	[ebp+var_2], 0
		jz	short loc_513B32
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_513B32:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+413j
					; RtlNormalizeSecurityDescriptor(x,x,x,x,x)+417j ...
		mov	al, [ebp+var_1]
		jmp	short loc_513B39
; 

loc_513B37:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+2Ej
					; RtlNormalizeSecurityDescriptor(x,x,x,x,x)+61j
		xor	al, al

loc_513B39:				; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+42Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_RtlNormalizeSecurityDescriptor@20 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 815. IoDetachDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoDetachDevice
IoDetachDevice	proc near		; CODE XREF: ViFilterDispatchPnp(x,x)+112p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E7D12 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		test	byte ptr _MmVerifierData, 10h
		mov	bl, al
		mov	esi, [ebp+arg_0]
		mov	byte ptr [ebp+var_4], bl
		jnz	loc_5E7D12

loc_513B6C:				; CODE XREF: IoDetachDevice+D41D6j
		mov	eax, [esi+10h]
		xor	edi, edi
		mov	eax, [eax+0B0h]
		mov	[eax+18h], edi
		mov	eax, [esi+0B0h]
		mov	[esi+10h], edi
		test	byte ptr [eax+10h], 7
		jz	short loc_513BA1
		cmp	[esi+4], edi
		jnz	short loc_513BA1
		push	[ebp+var_4]
		xor	dl, dl
		mov	ecx, esi
		call	IopCompleteUnloadOrDelete

loc_513B9A:				; CODE XREF: IoDetachDevice+99j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_513BA1:				; CODE XREF: IoDetachDevice+41j
					; IoDetachDevice+46j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jnz	loc_5E7D21
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5E7D37
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5E7D30

loc_513BD7:				; CODE XREF: IoDetachDevice+D41E5j
					; IoDetachDevice+D41FCj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_513B9A
IoDetachDevice	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 753. IoAttachDeviceToDeviceStackSafe

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAttachDeviceToDeviceStackSafe(x, x, x)
		public _IoAttachDeviceToDeviceStackSafe@12
_IoAttachDeviceToDeviceStackSafe@12 proc near ;	CODE XREF: IoAttachDevice(x,x,x)+A9p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	IopAttachDeviceToDeviceStackSafe
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFF2h
		add	eax, 0C000000Eh
		pop	ecx
		pop	ebp
		retn	0Ch
_IoAttachDeviceToDeviceStackSafe@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpGetRelatedTargetDevice(x, x)
_PnpGetRelatedTargetDevice@8 proc near	; CODE XREF: IoGetRelatedTargetDevice(x,x)+10p
					; PiUEventGetDeviceInstanceIdFromUserHandle(x,x,x)+49p	...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		and	[ebp+var_4], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		and	dword ptr [eax], 0
		mov	edi, ecx
		push	0Ah
		pop	ecx
		mov	[ebp+var_8], eax
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		push	edi
		mov	bl, al
		call	IoGetRelatedDeviceObject
		push	0Ah
		mov	dl, bl
		mov	esi, eax
		pop	ecx
		call	KeReleaseQueuedSpinLock
		test	esi, esi
		jz	short loc_513CB9
		xor	ebx, ebx
		mov	[ebp+var_2C], 71Bh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_24], ebx
		push	eax
		push	ebx
		push	ecx
		lea	edx, [ebp+var_2C]
		mov	[ebp+var_20], ebx
		mov	ecx, esi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_28], 4
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], edi
		call	PnpSendIrp
		mov	edi, eax
		test	edi, edi
		js	short loc_513CB0
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_513CB9
		cmp	dword ptr [eax], 1
		jnz	short loc_513CB5
		mov	esi, [eax+4]

loc_513C91:				; CODE XREF: PnpGetRelatedTargetDevice(x,x)+A9j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	short loc_513CB9
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_513CB9
		mov	ecx, [ebp+var_8]
		mov	[ecx], eax
		mov	eax, edi

loc_513CB0:				; CODE XREF: PnpGetRelatedTargetDevice(x,x)+72j
					; PnpGetRelatedTargetDevice(x,x)+B0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_513CB5:				; CODE XREF: PnpGetRelatedTargetDevice(x,x)+7Ej
		mov	esi, ebx
		jmp	short loc_513C91
; 

loc_513CB9:				; CODE XREF: PnpGetRelatedTargetDevice(x,x)+37j
					; PnpGetRelatedTargetDevice(x,x)+79j ...
		mov	eax, 0C000000Eh
		jmp	short loc_513CB0
_PnpGetRelatedTargetDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpSendIrp	proc near		; CODE XREF: PnpGetRelatedTargetDevice(x,x)+69p
					; PnpStartDevice(x,x,x)+63p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E7D47 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_14], eax
		lea	edi, [ebp+var_10]
		xor	eax, eax
		mov	ebx, edx
		stosd
		lea	edx, [ebp+var_10]
		mov	esi, ecx
		stosd
		stosd
		call	PnpSetDeviceAffinityThread
		cmp	[ebp+arg_4], 0
		mov	edi, eax
		push	[ebp+var_14]
		mov	edx, ebx
		mov	ecx, esi
		jnz	short loc_513D27
		push	0
		push	0C00000BBh
		call	IopSynchronousCall

loc_513D0A:				; CODE XREF: PnpSendIrp+6Fj
		mov	esi, eax
		test	edi, edi
		jnz	loc_5E7D47

loc_513D14:				; CODE XREF: PnpSendIrp+D4090j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_513D27:				; CODE XREF: PnpSendIrp+3Cj
		push	[ebp+arg_4]
		call	PnpAsynchronousCall
		jmp	short loc_513D0A
PnpSendIrp	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpSetDeviceAffinityThread proc	near	; CODE XREF: PnpSendIrp+2Ap
					; PnpCallAddDevice+3Ep

var_C		= dword	ptr -0Ch

; FUNCTION CHUNK AT 005E7D55 SIZE 00000052 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		mov	esi, edx
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		test	ecx, ecx
		jz	short loc_513D6D
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]

loc_513D53:				; CODE XREF: PnpSetDeviceAffinityThread+3Dj
		test	ecx, ecx
		jnz	short loc_513D5D

loc_513D57:				; CODE XREF: PnpSetDeviceAffinityThread+34j
					; PnpSetDeviceAffinityThread+D4026j ...
		xor	eax, eax

loc_513D59:				; CODE XREF: PnpSetDeviceAffinityThread+D4070j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_513D5D:				; CODE XREF: PnpSetDeviceAffinityThread+23j
		mov	edx, [ecx+1A4h]
		cmp	edx, 0FFFFFFFEh
		jz	short loc_513D57
		jmp	loc_5E7D55
; 

loc_513D6D:				; CODE XREF: PnpSetDeviceAffinityThread+16j
		xor	ecx, ecx
		jmp	short loc_513D53
PnpSetDeviceAffinityThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAttachDeviceToDeviceStackSafe proc near
					; CODE XREF: IoAttachDeviceToDeviceStackSafe(x,x,x)+Fp
					; IoAttachDeviceToDeviceStack(x,x)+Dp ...

var_D2		= byte ptr -0D2h
var_D1		= byte ptr -0D1h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= word ptr -0B0h
var_AE		= word ptr -0AEh
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E7DA7 SIZE 000002ED BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0D4h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		push	0Ah
		pop	ecx
		mov	[esp+0E0h+var_BC], esi
		mov	eax, [edi+0B0h]
		mov	[esp+0E0h+var_CC], eax
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		test	byte ptr _MmVerifierData, 10h
		mov	[esp+0E0h+var_D1], al
		jnz	loc_5E7DA7

loc_513DBF:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+D403Ej
		push	esi
		call	_IoGetAttachedDevice@4 ; IoGetAttachedDevice(x)
		mov	ecx, [esp+0E0h+var_BC]
		mov	esi, eax
		call	_IopGetDeviceAttachmentBase@4 ;	IopGetDeviceAttachmentBase(x)
		mov	edx, eax
		mov	[esp+0E0h+var_D2], 0
		push	1Ch
		mov	[esp+0E4h+var_C4], edx
		pop	eax
		mov	ecx, [edx+2Ch]
		cmp	ecx, 8
		jnz	loc_513EE6

loc_513DEA:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+177j
					; IopAttachDeviceToDeviceStackSafe+180j ...
		test	dword ptr [edx+1Ch], 10000000h
		jnz	loc_5E7DB5
		cmp	_IopBlockLegacyFsFilters, 0
		jnz	loc_5E7DB5

loc_513E04:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+192j
					; IopAttachDeviceToDeviceStackSafe+D4072j
		mov	cl, [esp+0E0h+var_D2]

loc_513E08:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+D4060j
		test	byte ptr [esi+1Ch], 80h
		jnz	loc_5E7DFF
		mov	eax, [esi+0B0h]
		test	byte ptr [eax+10h], 0Fh
		jnz	loc_5E7DFF
		mov	al, [esi+30h]
		cmp	al, 7Dh
		jnb	loc_5E7DFF
		test	cl, cl
		jnz	loc_5E7DFF
		test	ebx, ebx
		jz	short loc_513E3E
		mov	[ebx], esi
		mov	al, [esi+30h]

loc_513E3E:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+C5j
		inc	al
		mov	[edi+30h], al
		mov	eax, [esi+5Ch]
		mov	[edi+5Ch], eax
		mov	ax, [esi+0ACh]
		mov	[edi+0ACh], ax
		mov	eax, [esi+0B0h]
		test	byte ptr [eax+10h], 10h
		jnz	loc_513F2E

loc_513E67:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+1C6j
		mov	eax, 8000000h
		test	[esi+1Ch], eax
		jnz	loc_513F3D

loc_513E75:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+1CEj
		mov	ecx, edi
		lea	eax, [esi+10h]
		xchg	ecx, [eax]
		mov	eax, [esp+0E0h+var_CC]
		inc	word ptr [esi+0AEh]
		mov	[eax+18h], esi
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jnz	loc_513F1B

loc_513E9B:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+1B1j
					; IopAttachDeviceToDeviceStackSafe+D4088j ...
		mov	dl, [esp+0E0h+var_D1]
		push	0Ah
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	bl, [esp+0E0h+var_D2]
		test	bl, bl
		jnz	loc_5E7E10

loc_513EB3:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+D430Ej
					; IopAttachDeviceToDeviceStackSafe+D431Dj
		mov	ecx, [esp+0E0h+var_BC]
		mov	eax, [ecx+2Ch]
		cmp	eax, 8
		jnz	short loc_513F0F

loc_513EBF:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+1A0j
					; IopAttachDeviceToDeviceStackSafe+1A7j
		mov	eax, _FltMgrCallbacks
		test	eax, eax
		jz	short loc_513ECD
		push	ecx
		push	edi
		call	dword ptr [eax+14h]

loc_513ECD:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+154j
					; IopAttachDeviceToDeviceStackSafe+1A5j
		mov	ecx, [esp+0E8h+var_C]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_513EE6:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+72j
		cmp	ecx, 3
		jz	loc_513DEA
		cmp	ecx, 14h
		jz	loc_513DEA
		cmp	ecx, 20h
		jz	loc_513DEA
		cmp	ecx, 35h
		jnz	loc_513E04
		jmp	loc_513DEA
; 

loc_513F0F:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+14Bj
		cmp	eax, 14h
		jz	short loc_513EBF
		cmp	eax, 3
		jnz	short loc_513ECD
		jmp	short loc_513EBF
; 

loc_513F1B:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+123j
		xor	eax, eax
		cmp	[ecx+10Ch], eax
		jge	loc_513E9B
		jmp	loc_5E7DE9
; 

loc_513F2E:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+EFj
		mov	eax, [edi+0B0h]
		or	dword ptr [eax+10h], 10h
		jmp	loc_513E67
; 

loc_513F3D:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+FDj
		or	[edi+1Ch], eax
		jmp	loc_513E75
IopAttachDeviceToDeviceStackSafe endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 812. IoDeleteDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoDeleteDevice
IoDeleteDevice	proc near		; CODE XREF: RawDeleteVcb(x)+17p
					; IopCreateRootEnumeratedDeviceObject(x)+4Bp ...

var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E8094 SIZE 000000E7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ecx, ecx
		push	edi
		mov	ebx, ecx
		mov	[esp+18h+var_8], ecx
		mov	edi, ecx
		test	byte ptr [esi+1Ch], 40h
		jnz	loc_51404B

loc_513F6F:				; CODE XREF: IoDeleteDevice+113j
					; IoDeleteDevice+12Bj ...
		mov	edx, [esi+8]
		xor	cl, cl
		push	ebx
		add	edx, 1Ch
		call	EtwTiLogDeviceObjectLoadUnload
		test	edi, edi
		jnz	loc_51409A

loc_513F85:				; CODE XREF: IoDeleteDevice+158j
		test	byte ptr _MmVerifierData, 90h
		jnz	loc_5E8094

loc_513F92:				; CODE XREF: IoDeleteDevice+D4154j
		test	dword ptr [esi+1Ch], 800h
		jnz	loc_5E80A3

loc_513F9F:				; CODE XREF: IoDeleteDevice+D415Fj
		mov	edi, [esi+18h]
		test	edi, edi
		jnz	loc_5E80AE

loc_513FAA:				; CODE XREF: IoDeleteDevice+D4173j
		test	byte ptr [esi+1Ch], 40h
		jnz	loc_5140A7

loc_513FB4:				; CODE XREF: IoDeleteDevice+163j
		mov	ebx, [esi+0B0h]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	esi
		call	PoRegisterDeviceForIdleDetection
		mov	edi, [ebx+0Ch]
		test	edi, edi
		jnz	loc_5E80C2

loc_513FD0:				; CODE XREF: IoDeleteDevice+D4211j
		mov	ecx, esi
		call	PnpFreeInterruptInformation
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	edx, [esi+0B0h]
		mov	bl, al
		mov	byte ptr [esp+18h+var_4], bl
		or	dword ptr [edx+10h], 2
		cmp	dword ptr [esi+4], 0
		jnz	short loc_51400B
		push	[esp+18h+var_4]
		xor	dl, dl
		mov	ecx, esi
		call	IopCompleteUnloadOrDelete

loc_514002:				; CODE XREF: IoDeleteDevice+FFj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_51400B:				; CODE XREF: IoDeleteDevice+A9j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jnz	loc_5E8160
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5140B2
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5E816F

loc_514041:				; CODE XREF: IoDeleteDevice+177j
					; IoDeleteDevice+D4220j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_514002
; 

loc_51404B:				; CODE XREF: IoDeleteDevice+1Fj
		lea	eax, [esp+18h+var_8]
		push	eax
		push	ecx
		push	ecx
		push	esi
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		cmp	eax, 0C0000004h
		jnz	loc_513F6F
		mov	edx, [esp+18h+var_8]
		xor	eax, eax
		lea	ecx, [eax+1]
		call	IopVerifierExAllocatePool
		mov	edi, eax
		test	edi, edi
		jz	loc_513F6F
		lea	eax, [esp+18h+var_8]
		push	eax
		push	[esp+1Ch+var_8]
		push	edi
		push	esi
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		test	eax, eax
		js	loc_513F6F
		mov	ebx, edi
		jmp	loc_513F6F
; 

loc_51409A:				; CODE XREF: IoDeleteDevice+35j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_513F85
; 

loc_5140A7:				; CODE XREF: IoDeleteDevice+64j
		push	esi
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)
		jmp	loc_513FB4
; 

loc_5140B2:				; CODE XREF: IoDeleteDevice+DEj
					; IoDeleteDevice+D422Cj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_514041
IoDeleteDevice	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1714. PoRegisterDeviceForIdleDetection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoRegisterDeviceForIdleDetection
PoRegisterDeviceForIdleDetection proc near ; CODE XREF:	IoDeleteDevice+76p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005E817B SIZE 00000137 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		cmp	[ebp+arg_4], edi
		jnz	loc_5E81DD
		cmp	[ebp+arg_8], edi
		jnz	loc_5E81DD
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	esi, offset _PopDopeGlobalLock
		mov	ecx, esi
		mov	byte ptr [ebp+arg_4+3],	bl
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jnz	loc_5E817B

loc_514114:				; CODE XREF: PoRegisterDeviceForIdleDetection+D40B6j
					; PoRegisterDeviceForIdleDetection+D40FDj
		test	ds:byte_70EFC6,	1
		jnz	loc_5E81CE
		xor	eax, eax
		lock and [esi],	eax

loc_514126:				; CODE XREF: PoRegisterDeviceForIdleDetection+D410Cj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_51412E:				; CODE XREF: PoRegisterDeviceForIdleDetection+D411Aj
					; PoRegisterDeviceForIdleDetection+D4140j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
PoRegisterDeviceForIdleDetection endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCompleteUnloadOrDelete proc near	; CODE XREF: IoDetachDevice+4Fp
					; IoDeleteDevice+B3p ...

var_42		= byte ptr -42h
var_40		= dword	ptr -40h
var_3C		= byte ptr -3Ch
var_3B		= byte ptr -3Bh
var_3A		= byte ptr -3Ah
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005E82B2 SIZE 00000144 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+44h+var_39], dl
		xor	ebx, ebx
		mov	dh, 1
		push	edi
		mov	[esp+48h+var_3A], bl
		mov	eax, [esi+0B0h]
		mov	edi, [esi+8]
		mov	[esp+48h+var_3B], dh
		mov	eax, [eax+10h]
		test	al, 4
		jnz	loc_5E82B2
		test	al, 2
		jz	loc_5E8323
		test	al, dh
		jnz	loc_51425D

loc_51417C:				; CODE XREF: IopCompleteUnloadOrDelete+129j
		mov	[esp+48h+var_3B], bl

loc_514180:				; CODE XREF: IopCompleteUnloadOrDelete+12Fj
		mov	eax, [esi+10h]
		mov	[esp+48h+var_30], eax
		test	eax, eax
		jnz	short loc_5141D6
		mov	al, [ebp+arg_0]

loc_51418E:				; CODE XREF: IopCompleteUnloadOrDelete+13Dj
		push	0Ah
		mov	dl, al
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	eax, [esi+98h]
		test	eax, eax
		jz	short loc_5141AA
		push	1
		push	eax
		call	ObDereferenceSecurityDescriptor

loc_5141AA:				; CODE XREF: IopCompleteUnloadOrDelete+68j
		mov	ecx, [esi+8]
		mov	edx, esi
		push	ebx
		call	IopInsertRemoveDevice
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	[esp+48h+var_3A], 1
		cmp	[esp+48h+var_3B], bl
		jnz	loc_5E830C
		mov	al, 1

loc_5141CD:				; CODE XREF: IopCompleteUnloadOrDelete+120j
					; IopCompleteUnloadOrDelete+D41B1j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_5141D6:				; CODE XREF: IopCompleteUnloadOrDelete+51j
		mov	eax, [eax+8]
		xor	dl, dl
		mov	eax, [eax+28h]
		mov	[esp+48h+var_34], eax
		call	IopIncrementDeviceObjectRefCount
		mov	dl, [ebp+arg_0]
		push	0Ah
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	eax, [esp+48h+var_34]
		test	eax, eax
		jz	short loc_514230
		cmp	dword ptr [eax], 34h
		jbe	short loc_514230
		mov	eax, [eax+34h]
		mov	[esp+48h+var_34], eax
		test	eax, eax
		jz	short loc_514230
		test	byte ptr _MmVerifierData, 10h
		jnz	loc_5E82EE
		mov	[esp+48h+var_38], ebx

loc_51421B:				; CODE XREF: IopCompleteUnloadOrDelete+D41BFj
		push	esi
		push	[esp+4Ch+var_30]
		call	[esp+50h+var_34]
		mov	eax, [esp+50h+var_40]
		test	eax, eax
		jnz	loc_5E82FC

loc_514230:				; CODE XREF: IopCompleteUnloadOrDelete+C0j
					; IopCompleteUnloadOrDelete+C5j ...
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		xor	dl, dl
		mov	[esp+50h+var_42], al
		mov	ecx, esi
		call	IopDecrementDeviceObjectRefCount
		cmp	[esi+10h], ebx
		jz	short loc_51426C

loc_51424A:				; CODE XREF: IopCompleteUnloadOrDelete+137j
		mov	dl, [esp+50h+var_42]

loc_51424E:				; CODE XREF: IopCompleteUnloadOrDelete+D41E6j
		push	0Ah
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	al, bl
		jmp	loc_5141CD
; 

loc_51425D:				; CODE XREF: IopCompleteUnloadOrDelete+3Ej
		test	byte ptr [edi+8], 1
		jnz	loc_51417C
		jmp	loc_514180
; 

loc_51426C:				; CODE XREF: IopCompleteUnloadOrDelete+110j
		cmp	[esi+4], ebx
		jnz	short loc_51424A
		mov	al, [esp+50h+var_42]
		jmp	loc_51418E
IopCompleteUnloadOrDelete endp

; 
		align 10h
; Exported entry 141. KeReleaseQueuedSpinLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeReleaseQueuedSpinLock
KeReleaseQueuedSpinLock	proc near	; CODE XREF: PnpGetRelatedTargetDevice(x,x)+30p
					; IopAttachDeviceToDeviceStackSafe+130p ...

; FUNCTION CHUNK AT 005E83F6 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		push	ebx
		push	esi
		lea	esi, [ecx+83h]
		mov	bl, dl
		lea	esi, [eax+esi*8]
		jnz	loc_5E83F6
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5142CC
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_5142C5

loc_5142BA:				; CODE XREF: KeReleaseQueuedSpinLock+5Bj
					; KeReleaseQueuedSpinLock+D4180j
		mov	cl, bl
		pop	esi
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_5142C5:				; CODE XREF: KeReleaseQueuedSpinLock+38j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5142CC:				; CODE XREF: KeReleaseQueuedSpinLock+29j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_5142BA
KeReleaseQueuedSpinLock	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInsertRemoveDevice proc near		; CODE XREF: IopCompleteUnloadOrDelete+78p
					; IoCreateDevice+2AFp

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005E8405 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	edi, ecx
		mov	esi, edx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		cmp	[ebp+arg_0], 0
		mov	bl, al
		jz	short loc_514340
		mov	edx, [edi+4]
		mov	[esi+0Ch], edx
		mov	[edi+4], esi

loc_514303:				; CODE XREF: IopInsertRemoveDevice+78j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jnz	loc_5E8405
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_51435F
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_514358

loc_514331:				; CODE XREF: IopInsertRemoveDevice+90j
					; IopInsertRemoveDevice+D4131j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_514340:				; CODE XREF: IopInsertRemoveDevice+1Aj
		mov	ecx, [esi+8]
		add	ecx, 4
		jmp	short loc_51434B
; 

loc_514348:				; CODE XREF: IopInsertRemoveDevice+71j
		lea	ecx, [eax+0Ch]

loc_51434B:				; CODE XREF: IopInsertRemoveDevice+68j
		mov	eax, [ecx]
		cmp	eax, esi
		jnz	short loc_514348
		mov	eax, [esi+0Ch]
		mov	[ecx], eax
		jmp	short loc_514303
; 

loc_514358:				; CODE XREF: IopInsertRemoveDevice+51j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_51435F:				; CODE XREF: IopInsertRemoveDevice+42j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_514331
IopInsertRemoveDevice endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 851. IoGetDeviceAttachmentBaseRef

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetDeviceAttachmentBaseRef(x)
		public _IoGetDeviceAttachmentBaseRef@4
_IoGetDeviceAttachmentBaseRef@4	proc near ; CODE XREF: FsRtlReleaseFileForModWrite+119790p
					; PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)+5Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 746C6644h
		call	IoGetDeviceAttachmentBaseRefWithTag
		pop	ebp
		retn	4
_IoGetDeviceAttachmentBaseRef@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoGetDeviceAttachmentBaseRefWithTag proc near
					; CODE XREF: IoGetDeviceAttachmentBaseRef(x)+Dp
					; PoStoreRequester(x,x,x,x)+124p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E8414 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	esi, ecx
		mov	edi, edx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_IopGetDeviceAttachmentBase@4 ;	IopGetDeviceAttachmentBase(x)
		mov	ebx, eax
		mov	edx, edi
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag
		mov	ecx, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [ecx+468h]
		jnz	loc_5E8414
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5143F5
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_514406

loc_5143E5:				; CODE XREF: IoGetDeviceAttachmentBaseRefWithTag+78j
					; IoGetDeviceAttachmentBaseRefWithTag+D4092j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_5143F5:				; CODE XREF: IoGetDeviceAttachmentBaseRefWithTag+48j
					; IoGetDeviceAttachmentBaseRefWithTag+81j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_5143E5
; 

loc_514406:				; CODE XREF: IoGetDeviceAttachmentBaseRefWithTag+57j
		mov	ecx, esi
		call	KxWaitForLockChainValid
		jmp	short loc_5143F5
IoGetDeviceAttachmentBaseRefWithTag endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall IoAllowExecution(x)
_IoAllowExecution@4 proc near		; CODE XREF: MiCreateImageOrDataSection+E1p
		mov	ecx, [ecx+4]
		push	ebx
		call	IopGetDevicePDO
		test	eax, eax
		jz	short loc_514433
		mov	ebx, [eax+1Ch]
		mov	ecx, eax
		call	ObfDereferenceObject
		shr	ebx, 17h
		not	bl
		and	bl, 1

loc_51442F:				; CODE XREF: IoAllowExecution(x)+25j
		mov	al, bl
		pop	ebx
		retn
; 

loc_514433:				; CODE XREF: IoAllowExecution(x)+Bj
		mov	bl, 1
		jmp	short loc_51442F
_IoAllowExecution@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetDevicePDO	proc near		; CODE XREF: IoAllowExecution(x)+4p
					; IoRevokeHandlesForProcess(x,x)+10Fp ...

; FUNCTION CHUNK AT 005E8423 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	esi, ecx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, esi
		mov	bl, al
		call	_IopGetDeviceAttachmentBase@4 ;	IopGetDeviceAttachmentBase(x)
		mov	edi, eax
		test	dword ptr [edi+1Ch], 1000h
		jz	short loc_5144BF
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag

loc_51446A:				; CODE XREF: IopGetDevicePDO+89j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jnz	loc_5E8423
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5144AE
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_5144A7

loc_514498:				; CODE XREF: IopGetDevicePDO+85j
					; IopGetDevicePDO+D3FF5j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_5144A7:				; CODE XREF: IopGetDevicePDO+5Ej
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5144AE:				; CODE XREF: IopGetDevicePDO+4Fj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_514498
; 

loc_5144BF:				; CODE XREF: IopGetDevicePDO+24j
		xor	edi, edi
		jmp	short loc_51446A
IopGetDevicePDO	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall IopGetDeviceAttachmentBase(x)
_IopGetDeviceAttachmentBase@4 proc near	; CODE XREF: IopAttachDeviceToDeviceStackSafe+59p
					; IoGetDeviceAttachmentBaseRefWithTag+1Ap ...
		mov	edx, ecx
		mov	eax, [edx+0B0h]
		mov	eax, [eax+18h]

loc_5144CF:				; CODE XREF: IopGetDeviceAttachmentBase(x)+1Dj
		test	eax, eax
		jnz	short loc_5144D6
		mov	eax, edx
		retn
; 

loc_5144D6:				; CODE XREF: IopGetDeviceAttachmentBase(x)+Dj
		mov	edx, eax
		mov	ecx, [edx+0B0h]
		mov	eax, [ecx+18h]
		jmp	short loc_5144CF
_IopGetDeviceAttachmentBase@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


IopDecrementDeviceObjectRefCount proc near ; CODE XREF:	IopCompleteUnloadOrDelete+108p
					; PAGE:0081CAA5p ...

; FUNCTION CHUNK AT 005E8432 SIZE 00000090 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+4]
		test	dl, dl
		jnz	loc_5E8432
		dec	dword ptr [esi]
		mov	eax, [esi]

loc_5144F9:				; CODE XREF: IopDecrementDeviceObjectRefCount+D3F58j
		test	eax, eax
		js	loc_5E8441
		pop	edi
		pop	esi
		retn
IopDecrementDeviceObjectRefCount endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1159. KeGetRecommendedSharedDataAlignment

;  S U B	R O U T	I N E 


; __stdcall KeGetRecommendedSharedDataAlignment()
		public _KeGetRecommendedSharedDataAlignment@0
_KeGetRecommendedSharedDataAlignment@0 proc near ; CODE	XREF: PAGE:007803D0p
					; ExAllocateCacheAwareRundownProtection+31p ...
		mov	eax, ds:_KeLargestCacheLine
		retn
_KeGetRecommendedSharedDataAlignment@0 endp


;  S U B	R O U T	I N E 


EtwpAdjustTraceBuffers proc near	; DATA XREF: EtwpInitialize+176o

; FUNCTION CHUNK AT 005E84C2 SIZE 0000007E BYTES

		mov	ecx, ds:_EtwpHostSiloState
		test	ecx, ecx
		jz	short locret_51457F
		mov	eax, [ecx+8A4h]
		test	eax, eax
		jnz	short locret_51457F
		push	esi
		call	_EtwpAdjustSiloTraceBuffers@4 ;	EtwpAdjustSiloTraceBuffers(x)
		mov	dl, 1
		xor	ecx, ecx
		call	_PspGetNextSilo@8 ; PspGetNextSilo(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_514582

loc_514539:				; CODE XREF: IopDecrementDeviceObjectRefCount+D3FD9j
		mov	eax, ds:_KeNumberProcessors
		mov	edx, dword_6BC448
		mov	ecx, dword_6BC44C
		imul	edx, eax
		pop	esi
		add	edx, edx
		cmp	ecx, edx
		jg	loc_5E84C2

loc_514558:				; CODE XREF: EtwpAdjustTraceBuffers+D3FBEj
					; EtwpAdjustTraceBuffers+D3FECj
		mov	eax, ds:_KeNumberProcessors
		mov	edx, dword_6BC458
		mov	ecx, dword_6BC45C
		imul	edx, eax
		add	edx, edx
		cmp	ecx, edx
		jg	loc_5E8501

loc_514576:				; CODE XREF: EtwpAdjustTraceBuffers+D3FFDj
					; EtwpAdjustTraceBuffers+D402Bj
		xor	eax, eax
		mov	ecx, offset _EtwpBufferAdjustmentActive
		xchg	eax, [ecx]

locret_51457F:				; CODE XREF: EtwpAdjustTraceBuffers+8j
					; EtwpAdjustTraceBuffers+12j
		retn	4
; 

loc_514582:				; CODE XREF: EtwpAdjustTraceBuffers+27j
		push	edi
		jmp	loc_5E8470
EtwpAdjustTraceBuffers endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAllocateFreeBuffers(x, x)
_EtwpAllocateFreeBuffers@8 proc	near	; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+5Ap
					; EtwpAllocateTraceBufferPool+8Ep ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], edx
		xor	eax, eax
		push	edi
		mov	[ebp+var_8], eax
		test	dword ptr [esi+258h], 1000h
		mov	edi, [esi+4]
		mov	byte ptr [ebp+var_1], al
		jz	short loc_5145BB
		add	edi, 0FFFh
		and	edi, 0FFFFF000h

loc_5145BB:				; CODE XREF: EtwpAllocateFreeBuffers(x,x)+25j
		test	edx, edx
		jz	loc_51469A
		lea	ecx, [esi+0A0h]
		mov	[ebp+var_18], ecx

loc_5145CC:				; CODE XREF: EtwpAllocateFreeBuffers(x,x)+EFj
		xor	ebx, ebx
		inc	ebx
		lock xadd [ecx], ebx
		inc	ebx
		cmp	ebx, [esi+0A4h]
		ja	loc_514697
		mov	edx, edi
		mov	ecx, esi
		call	EtwpAllocateTraceBuffer
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_51468F
		push	6E777445h
		push	0Ch
		push	0
		push	40h
		call	_ExAllocatePool2@16 ; ExAllocatePool2(x,x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_514684
		lea	edx, [esi+0ACh]
		jmp	short loc_514619
; 

loc_514613:				; CODE XREF: EtwpAllocateFreeBuffers(x,x)+95j
		mov	ecx, ebx
		lock cmpxchg [edx], ecx

loc_514619:				; CODE XREF: EtwpAllocateFreeBuffers(x,x)+89j
		mov	eax, [edx]
		cmp	eax, ebx
		jb	short loc_514613
		mov	ebx, [ebp+var_10]
		mov	ecx, esi
		mov	edx, ebx
		call	EtwpInitializeBufferHeader
		mov	eax, [ebp+var_C]
		lea	edx, [ebp+var_1]
		mov	ecx, esi
		mov	[eax+8], ebx
		call	_EtwpLockBufferList@8 ;	EtwpLockBufferList(x,x)
		lea	ecx, [esi+40h]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_51467F
		mov	eax, [ebp+var_C]
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		lea	edx, [ebp+var_1]
		mov	[ecx+4], eax
		mov	ecx, esi
		call	EtwpUnlockBufferList
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	EtwpEnqueueAvailableBuffer
		mov	eax, [ebp+var_8]
		lea	ecx, [esi+0A0h]
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+var_14]
		jb	loc_5145CC
		jmp	short loc_51469A
; 

loc_51467F:				; CODE XREF: EtwpAllocateFreeBuffers(x,x)+BBj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_514684:				; CODE XREF: EtwpAllocateFreeBuffers(x,x)+81j
		mov	ebx, [ebp+var_10]
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_51468F:				; CODE XREF: EtwpAllocateFreeBuffers(x,x)+66j
		mov	ecx, [ebp+var_18]
		lock dec dword ptr [ecx]
		jmp	short loc_5146BB
; 

loc_514697:				; CODE XREF: EtwpAllocateFreeBuffers(x,x)+52j
		lock dec dword ptr [ecx]

loc_51469A:				; CODE XREF: EtwpAllocateFreeBuffers(x,x)+35j
					; EtwpAllocateFreeBuffers(x,x)+F5j
		mov	edx, [esi+4]
		mov	ecx, [esi+0E0h]
		imul	edx, eax
		and	ecx, 1
		mov	eax, [esi+2E4h]
		lea	eax, [eax+ecx*4]
		add	eax, 8C0h
		lock xadd [eax], edx

loc_5146BB:				; CODE XREF: EtwpAllocateFreeBuffers(x,x)+10Dj
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpAllocateFreeBuffers@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


EtwpInitializeBufferHeader proc	near	; CODE XREF: EtwpAllocateFreeBuffers(x,x)+9Ep
					; EtwpUpdateFileHeader+A2p ...

; FUNCTION CHUNK AT 005E8540 SIZE 0000000E BYTES

		mov	edi, edi
		push	esi
		push	edi
		push	48h		; size_t
		mov	edi, edx
		mov	esi, ecx
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	dword ptr [edi+8], 48h
		add	esp, 0Ch
		mov	eax, [edi+8]
		mov	[edi+30h], eax
		mov	eax, [esi+4]
		mov	[edi], eax
		movzx	eax, word ptr [esi]
		mov	[edi+2Ah], ax
		test	ax, ax
		jz	loc_5E8540

loc_5146FB:				; CODE XREF: EtwpInitializeBufferHeader+D3E85j
		mov	eax, 100h
		or	[edi+34h], ax
		pop	edi
		pop	esi
		retn
EtwpInitializeBufferHeader endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpAllocateTraceBuffer	proc near	; CODE XREF: EtwpAllocateFreeBuffers(x,x)+5Cp
					; EtwpPreserveLogger(x)+A0p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E854E SIZE 0000009C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		mov	ebx, edx
		lea	ecx, [edi+378h]
		cmp	[ecx], eax
		jnz	short loc_51474C
		test	dword ptr [edi+258h], 20000000h
		jnz	loc_5E854E
		push	42777445h
		push	ebx
		push	dword ptr [edi+0E0h]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_514745:				; CODE XREF: EtwpAllocateTraceBuffer+49j
					; EtwpAllocateTraceBuffer+D3EDDj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51474C:				; CODE XREF: EtwpAllocateTraceBuffer+1Aj
		call	_EtwpAllocatePartitionMemory@8 ; EtwpAllocatePartitionMemory(x,x)
		jmp	short loc_514745
EtwpAllocateTraceBuffer	endp

; 
		align 10h
; Exported entry 1767. PsGetCurrentProcessId
; Exported entry 1777. PsGetCurrentThreadProcessId

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentThreadProcessId()
		public _PsGetCurrentThreadProcessId@0
_PsGetCurrentThreadProcessId@0 proc near ; CODE	XREF: PiUEventHandleRegistration+4Ep
					; EtwpNotifyGuid(x,x,x):loc_7EF107p ...
		mov	eax, large fs:124h ; PsGetCurrentProcessId
		mov	eax, [eax+2ACh]
		retn
_PsGetCurrentThreadProcessId@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAdjustSiloTraceBuffers(x)
_EtwpAdjustSiloTraceBuffers@4 proc near	; CODE XREF: EtwpAdjustTraceBuffers+15p
					; IopDecrementDeviceObjectRefCount+D3FB8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	byte ptr [ebp+var_1], 0
		push	edi
		xor	edi, edi
		cmp	[ebx+8], edi
		jbe	loc_51486D
		push	esi

loc_51478A:				; CODE XREF: EtwpAdjustSiloTraceBuffers(x)+F8j
		xor	eax, eax
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		mov	[ebp+var_C], eax
		call	EtwpAcquireLoggerContextByLoggerId
		mov	esi, eax
		test	esi, esi
		jz	loc_514862
		test	dword ptr [esi+0Ch], 400h
		jnz	loc_514859
		mov	eax, [esi+9Ch]
		mov	ecx, esi
		mov	[ebp+var_8], eax
		call	EtwpQueryUsedProcessorCount
		mov	ecx, [ebp+var_8]
		cmp	ecx, [esi+98h]
		jbe	loc_514859
		add	eax, eax
		cmp	ecx, eax
		jbe	loc_514859
		lea	edx, [ebp+var_1]
		mov	ecx, esi
		call	_EtwpLockBufferList@8 ;	EtwpLockBufferList(x,x)
		lea	edx, [esi+30h]
		mov	ecx, esi
		call	EtwpDequeueBuffer
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_514800
		mov	edx, eax
		mov	ecx, esi
		call	_EtwpRemoveBufferFromGlobalList@8 ; EtwpRemoveBufferFromGlobalList(x,x)
		mov	[ebp+var_C], eax

loc_514800:				; CODE XREF: EtwpAdjustSiloTraceBuffers(x)+84j
		lea	edx, [ebp+var_1]
		mov	ecx, esi
		call	EtwpUnlockBufferList
		cmp	[ebp+var_8], 0
		jz	short loc_514859
		lock dec dword ptr [esi+0A0h]
		lea	eax, [esi+9Ch]
		lock dec dword ptr [eax]
		mov	ecx, [esi+0E0h]
		mov	eax, [esi+2E4h]
		and	ecx, 1
		mov	edx, [esi+4]
		neg	edx
		lea	eax, [eax+ecx*4]
		add	eax, 8C0h
		lock xadd [eax], edx
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	EtwpFreeTraceBuffer
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_514859
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_514859:				; CODE XREF: EtwpAdjustSiloTraceBuffers(x)+3Cj
					; EtwpAdjustSiloTraceBuffers(x)+5Bj ...
		xor	dl, dl
		mov	ecx, esi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_514862:				; CODE XREF: EtwpAdjustSiloTraceBuffers(x)+2Fj
		inc	edi
		cmp	edi, [ebx+8]
		jb	loc_51478A
		pop	esi

loc_51486D:				; CODE XREF: EtwpAdjustSiloTraceBuffers(x)+15j
		pop	edi
		pop	ebx
		leave
		retn
_EtwpAdjustSiloTraceBuffers@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpQueryUsedProcessorCount proc near	; CODE XREF: EtwpAdjustSiloTraceBuffers(x)+4Dp
					; EtwpBuffersFlushRequired:loc_5E8901p	...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E85EA SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		test	dword ptr [esi+0Ch], 40000h
		jnz	loc_5E85EA

loc_51488C:				; CODE XREF: EtwpQueryUsedProcessorCount+D3D85j
		test	dword ptr [esi+0Ch], 10000000h
		jnz	short loc_51489D
		mov	eax, ds:_KeNumberProcessors

loc_51489A:				; CODE XREF: EtwpQueryUsedProcessorCount+2Ej
					; EtwpQueryUsedProcessorCount+D3D8Ej
		pop	esi
		leave
		retn
; 

loc_51489D:				; CODE XREF: EtwpQueryUsedProcessorCount+21j
		xor	eax, eax
		inc	eax
		jmp	short loc_51489A
EtwpQueryUsedProcessorCount endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpLockUnlockBufferList proc near	; CODE XREF: EtwpFlushActiveBuffers(x,x)+1D3p
					; EtwpBufferingModeFlush(x)+F9p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E8605 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	dword ptr [ecx+0E0h], 1
		push	ebx
		push	esi
		lea	esi, [ecx+1F4h]
		jz	short loc_5148C9
		mov	ecx, esi
		call	@KeTestSpinLock@4 ; KeTestSpinLock(x)
		test	al, al
		jz	short loc_5148E0

loc_5148C5:				; CODE XREF: EtwpLockUnlockBufferList+37j
					; EtwpLockUnlockBufferList+69j	...
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5148C9:				; CODE XREF: EtwpLockUnlockBufferList+16j
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, [esi]
		test	al, 1
		jz	short loc_5148C5
		jmp	loc_5E8614
; 

loc_5148E0:				; CODE XREF: EtwpLockUnlockBufferList+21j
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		jnz	loc_5E8605
		xor	eax, eax
		lock and [esi],	eax

loc_514903:				; CODE XREF: EtwpLockUnlockBufferList+D3D6Dj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_5148C5
EtwpLockUnlockBufferList endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 143. KeTestSpinLock

;  S U B	R O U T	I N E 


; __fastcall KeTestSpinLock(x)
		public @KeTestSpinLock@4
@KeTestSpinLock@4 proc near		; CODE XREF: EtwpLockUnlockBufferList+1Ap
					; BgpFwAcquireLock()+36p ...
		mov	edi, edi
		nop
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_51491E
		mov	al, 1
		retn
; 

loc_51491E:				; CODE XREF: KeTestSpinLock(x)+7j
		pause
		xor	al, al
		retn
@KeTestSpinLock@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall EtwpQueryMaximumFileSize(x)
_EtwpQueryMaximumFileSize@4 proc near	; CODE XREF: EtwpUpdateFileHeader+124p
					; EtwpFlushBufferToLogfile+2Ap	...
		mov	eax, [ecx+0D8h]
		test	dword ptr [ecx+0Ch], 2000h
		mov	ecx, 400h
		jnz	short loc_51493D
		mov	ecx, 100000h

loc_51493D:				; CODE XREF: EtwpQueryMaximumFileSize(x)+12j
		mul	ecx
		retn
_EtwpQueryMaximumFileSize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSwitchBuffer(x,	x, x, x, x)
_EtwpSwitchBuffer@20 proc near		; CODE XREF: EtwpReserveTraceBuffer+248p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	[ebp+var_8], edi
		mov	esi, [edi+0Ch]
		and	esi, 400h
		mov	[ebp+var_4], esi
		call	EtwpDequeueFreeBuffer
		mov	edx, eax
		test	edx, edx
		jnz	short loc_5149B4
		mov	esi, [ebp+arg_8]
		and	esi, 200h

loc_514971:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+6Fj
		test	esi, esi
		jnz	loc_514A01
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_514A01
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	short loc_514A01
		test	dword ptr [edi+0Ch], 40000h
		jnz	short loc_514A01
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_EtwpAllocateFreeBuffers@8 ; EtwpAllocateFreeBuffers(x,x)
		cmp	eax, 1
		jnz	short loc_514A01
		mov	ecx, edi
		call	EtwpDequeueFreeBuffer
		mov	edx, eax
		test	edx, edx
		jz	short loc_514971
		mov	esi, [ebp+var_4]

loc_5149B4:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+26j
		test	dword ptr [edi+0Ch], 10000000h
		jnz	short loc_5149C5
		mov	ax, word ptr [ebp+arg_4]
		mov	[edx+28h], ax

loc_5149C5:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+7Bj
		push	7
		lea	ecx, [edx+0Ch]
		pop	eax
		lock xadd [ecx], eax

loc_5149CF:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+F3j
		test	esi, esi
		jnz	short loc_5149D6
		mov	[edx+20h], ebx

loc_5149D6:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+91j
		mov	eax, [ebp+arg_0]
		mov	edi, eax
		mov	esi, [eax]

loc_5149DD:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+BFj
		mov	eax, esi
		xor	eax, ebx
		cmp	eax, 7
		ja	short loc_514A13
		mov	eax, edx
		mov	ecx, edx
		or	eax, 7
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, esi
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		jz	short loc_514A13
		mov	esi, eax
		jmp	short loc_5149DD
; 

loc_514A01:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+33j
					; EtwpSwitchBuffer(x,x,x,x,x)+40j ...
		test	ebx, ebx
		jz	short loc_514A09
		lock dec dword ptr [ebx+0Ch]

loc_514A09:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+C3j
		mov	eax, 0C0000017h
		jmp	loc_514AF6
; 

loc_514A13:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+A4j
					; EtwpSwitchBuffer(x,x,x,x,x)+BBj
		mov	edi, [ebp+var_8]
		mov	eax, esi
		and	eax, 0FFFFFFF8h
		mov	[ebp+arg_4], eax
		cmp	eax, ebx
		jz	short loc_514A65
		test	eax, eax
		jnz	short loc_514A35
		test	ebx, ebx
		jz	short loc_514A2E
		lock dec dword ptr [ebx+0Ch]

loc_514A2E:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+E8j
		mov	esi, [ebp+var_4]
		xor	ebx, ebx
		jmp	short loc_5149CF
; 

loc_514A35:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+E4j
		test	ebx, ebx
		jz	short loc_514A3D
		lock dec dword ptr [ebx+0Ch]

loc_514A3D:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+F7j
		push	0FFFFFFF9h
		pop	eax
		lea	ecx, [edx+0Ch]
		lock xadd [ecx], eax
		cmp	[ebp+var_4], 0
		mov	ecx, edi
		jz	short loc_514A59
		call	@EtwpEnqueueOverflowBuffer@8 ; EtwpEnqueueOverflowBuffer(x,x)
		jmp	loc_514AF4
; 

loc_514A59:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+10Dj
		push	0
		call	EtwpEnqueueAvailableBuffer
		jmp	loc_514AF4
; 

loc_514A65:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+E0j
		test	eax, eax
		jz	short loc_514ADA
		mov	edx, eax
		mov	ecx, edi
		call	EtwpPrepareDirtyBuffer
		mov	eax, [ebp+arg_4]
		and	esi, 7
		not	esi
		add	eax, 0Ch
		lock xadd [eax], esi
		cmp	[ebp+var_4], 0
		jnz	short loc_514AF4
		mov	ecx, edi
		call	EtwpBuffersFlushRequired
		test	al, al
		jz	short loc_514AF4
		test	[ebp+arg_8], 600h
		jnz	short loc_514AC0
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_514AC0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	short loc_514AC0
		push	0
		push	0
		lea	eax, [edi+174h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_514AF4
; 

loc_514AC0:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+159j
					; EtwpSwitchBuffer(x,x,x,x,x)+162j ...
		lea	eax, [edi+25Ch]
		lock bts dword ptr [eax], 8
		jb	short loc_514AF4
		lea	ecx, [edi+1B0h]
		call	_EtwpInsertQueueDpc@4 ;	EtwpInsertQueueDpc(x)
		jmp	short loc_514AF4
; 

loc_514ADA:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+127j
		cmp	dword ptr [edi+84h], 0
		jbe	short loc_514AF4
		test	[ebp+arg_8], 600h
		mov	ecx, edi
		setnz	dl
		call	EtwpRequestFlushTimer

loc_514AF4:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+114j
					; EtwpSwitchBuffer(x,x,x,x,x)+120j ...
		xor	eax, eax

loc_514AF6:				; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+CEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_EtwpSwitchBuffer@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpDequeueFreeBuffer proc near		; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+1Dp
					; EtwpSwitchBuffer(x,x,x,x,x)+66p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 005E8620 SIZE 0000017B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		mov	bl, al
		mov	byte ptr [ebp+var_1], al
		cmp	[edi+34h], eax
		jz	loc_514CC5

loc_514B1B:				; CODE XREF: EtwpDequeueFreeBuffer+1CAj
		test	dword ptr [edi+0Ch], 400h
		lea	edx, [ebp+var_1]
		jz	loc_514C8D
		call	_EtwpLockBufferList@8 ;	EtwpLockBufferList(x,x)
		lea	edx, [edi+38h]
		mov	ecx, edi
		call	EtwpDequeueBuffer
		mov	esi, eax
		test	esi, esi
		jnz	short loc_514B4C
		lea	edx, [edi+30h]
		mov	ecx, edi
		call	EtwpDequeueBuffer
		mov	esi, eax

loc_514B4C:				; CODE XREF: EtwpDequeueFreeBuffer+40j
		mov	eax, [edi+308h]
		test	eax, eax
		jnz	loc_5E8620

loc_514B5A:				; CODE XREF: EtwpDequeueFreeBuffer+D3B34j
					; EtwpDequeueFreeBuffer+D3B3Cj
		lea	edx, [ebp+var_1]
		mov	ecx, edi
		call	EtwpUnlockBufferList
		test	bl, bl
		jnz	loc_5E863F

loc_514B6C:				; CODE XREF: EtwpDequeueFreeBuffer+D3B48j
		test	esi, esi
		jz	loc_514CCE
		lea	eax, [edi+9Ch]

loc_514B7A:				; CODE XREF: EtwpDequeueFreeBuffer+D3B98j
		lock dec dword ptr [eax]
		test	dword ptr [edi+0Ch], 4000000h
		jnz	loc_5E864B

loc_514B8A:				; CODE XREF: EtwpDequeueFreeBuffer+D3B62j
		xor	ebx, ebx

loc_514B8C:				; CODE XREF: EtwpDequeueFreeBuffer+D3B53j
					; EtwpDequeueFreeBuffer+D3B5Cj
		cmp	dword ptr [esi+0Ch], 0
		jnz	loc_5E8665
		xor	edx, edx
		lea	ecx, [esi+2Ch]
		inc	edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jnz	loc_5E8665

loc_514BAA:				; CODE XREF: EtwpDequeueFreeBuffer+D3B9Ej
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	loc_514CCE
		mov	ecx, [edi+364h]
		test	ecx, ecx
		jz	loc_514C70
		movzx	eax, word ptr [esi+28h]
		shl	eax, 3
		mov	[ebp+var_10], eax
		lea	esi, [eax+ecx]

loc_514BD0:				; CODE XREF: EtwpDequeueFreeBuffer+EDj
					; EtwpDequeueFreeBuffer+F1j
		mov	ebx, [esi]
		mov	eax, ebx
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_14], ecx
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, edx
		mov	edx, [ebp+var_C]
		cmp	eax, edx
		jnz	short loc_514BD0
		cmp	ebx, ecx
		jnz	short loc_514BD0
		mov	esi, [ebp+var_8]
		mov	eax, [esi+14h]
		mov	ebx, [esi+10h]
		mov	[ebp+var_18], eax
		cmp	eax, ecx
		jl	short loc_514C35
		jg	short loc_514C07
		cmp	ebx, edx
		jbe	short loc_514C35

loc_514C07:				; CODE XREF: EtwpDequeueFreeBuffer+103j
					; EtwpDequeueFreeBuffer+D3BBCj	...
		mov	esi, [edi+364h]
		mov	eax, edx
		add	esi, [ebp+var_10]
		mov	edx, ecx
		nop
		mov	ecx, [ebp+var_18]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, eax
		mov	eax, edx
		mov	[ebp+var_1C], ecx
		cmp	ecx, [ebp+var_C]
		jnz	loc_5E86A1
		cmp	eax, [ebp+var_14]
		jnz	loc_5E86A1

loc_514C35:				; CODE XREF: EtwpDequeueFreeBuffer+101j
					; EtwpDequeueFreeBuffer+107j ...
		lea	esi, [edi+370h]

loc_514C3B:				; CODE XREF: EtwpDequeueFreeBuffer+155j
					; EtwpDequeueFreeBuffer+159j
		mov	ebx, [esi]
		mov	eax, ebx
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_1C], ebx
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, edx
		mov	edx, [ebp+var_1C]
		cmp	eax, edx
		jnz	short loc_514C3B
		cmp	ebx, ecx
		jnz	short loc_514C3B
		mov	esi, [ebp+var_8]
		cmp	[esi+1Ch], ecx
		jg	short loc_514C70
		jl	loc_5E86D4
		cmp	[esi+18h], edx
		jbe	loc_5E86D4

loc_514C70:				; CODE XREF: EtwpDequeueFreeBuffer+BFj
					; EtwpDequeueFreeBuffer+161j ...
		xor	edx, edx
		mov	ecx, esi
		call	@EtwpResetBufferHeader@8 ; EtwpResetBufferHeader(x,x)

loc_514C79:				; CODE XREF: EtwpDequeueFreeBuffer+1C5j
		mov	eax, [edi+4]
		mov	ecx, [esi]
		cmp	eax, ecx
		jnz	loc_5E8775
		mov	eax, esi

loc_514C88:				; CODE XREF: EtwpDequeueFreeBuffer+1D2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_514C8D:				; CODE XREF: EtwpDequeueFreeBuffer+27j
		call	_EtwpLockBufferList@8 ;	EtwpLockBufferList(x,x)
		lea	edx, [edi+30h]
		mov	ecx, edi
		call	EtwpDequeueBuffer
		lea	edx, [ebp+var_1]
		mov	ecx, edi
		mov	esi, eax
		call	EtwpUnlockBufferList
		test	esi, esi
		jz	short loc_514CCE
		xor	edx, edx
		mov	ecx, esi
		call	@EtwpResetBufferHeader@8 ; EtwpResetBufferHeader(x,x)
		mov	dword ptr [esi+2Ch], 1
		lock dec dword ptr [edi+9Ch]
		jmp	short loc_514C79
; 

loc_514CC5:				; CODE XREF: EtwpDequeueFreeBuffer+17j
		cmp	[edi+3Ch], eax
		jnz	loc_514B1B

loc_514CCE:				; CODE XREF: EtwpDequeueFreeBuffer+70j
					; EtwpDequeueFreeBuffer+B1j ...
		xor	eax, eax
		jmp	short loc_514C88
EtwpDequeueFreeBuffer endp


;  S U B	R O U T	I N E 


EtwpDequeueBuffer proc near		; CODE XREF: EtwpAdjustSiloTraceBuffers(x)+7Ap
					; EtwpDequeueFreeBuffer+37p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		lea	edx, [esi+4]

loc_514CDD:				; CODE XREF: EtwpDequeueFreeBuffer+D3C98j
		xor	eax, eax
		cmp	[edx], eax
		jz	short loc_514CF7
		mov	ecx, esi
		call	_EtwpBufferQueueRemoveAfter@8 ;	EtwpBufferQueueRemoveAfter(x,x)
		sub	eax, 20h
		cmp	dword ptr [eax+2Ch], 6
		jz	loc_5E8785

loc_514CF7:				; CODE XREF: EtwpDequeueBuffer+Fj
		pop	edi
		pop	esi
		retn
EtwpDequeueBuffer endp


;  S U B	R O U T	I N E 


; __stdcall EtwpBufferQueueRemoveAfter(x, x)
_EtwpBufferQueueRemoveAfter@8 proc near	; CODE XREF: EtwpDequeueBuffer+13p
					; EtwpEnqueueAvailableBuffer+D3AEAp ...
		mov	edi, edi
		push	esi
		mov	esi, [edx]
		mov	eax, [esi]
		mov	[edx], eax
		cmp	dword ptr [esi], 0
		jz	short loc_514D0F
		and	dword ptr [esi], 0

loc_514D0B:				; CODE XREF: EtwpBufferQueueRemoveAfter(x,x)+17j
		mov	eax, esi
		pop	esi
		retn
; 

loc_514D0F:				; CODE XREF: EtwpBufferQueueRemoveAfter(x,x)+Cj
		mov	[ecx], edx
		jmp	short loc_514D0B
_EtwpBufferQueueRemoveAfter@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpEnqueueAvailableBuffer proc	near	; CODE XREF: EtwpAllocateFreeBuffers(x,x)+DAp
					; EtwpSwitchBuffer(x,x,x,x,x)+11Bp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E879B SIZE 0000009F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		mov	byte ptr [ebp+var_1], 0
		mov	edi, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_18], edi
		mov	edx, [eax]
		mov	ecx, [edi+4]
		cmp	ecx, edx
		jnz	loc_5E879B
		mov	ecx, [ebp+arg_0]
		mov	[eax+2Ch], ecx
		lea	eax, [edi+250h]
		mov	edi, eax

loc_514D48:				; CODE XREF: EtwpEnqueueAvailableBuffer+5Aj
					; EtwpEnqueueAvailableBuffer+5Fj
		mov	esi, [edi]
		mov	ecx, esi
		mov	edx, [edi+4]
		add	ecx, 1
		mov	eax, edx
		mov	[ebp+var_10], edx
		adc	eax, 0
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], eax
		mov	eax, esi
		nop
		mov	ebx, ecx
		mov	ecx, [ebp+var_C]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_514D48
		cmp	edx, [ebp+var_10]
		jnz	short loc_514D48
		mov	esi, [ebp+var_8]
		lea	edx, [ebp+var_1]
		mov	eax, [ebp+var_14]
		mov	edi, [ebp+var_18]
		mov	[esi+1Ch], ecx
		mov	ecx, edi
		mov	[esi+18h], eax
		call	_EtwpLockBufferList@8 ;	EtwpLockBufferList(x,x)
		test	dword ptr [edi+0Ch], 4000000h
		jnz	loc_5E87AA

loc_514D9B:				; CODE XREF: EtwpEnqueueAvailableBuffer+D3A9Dj
					; EtwpEnqueueAvailableBuffer+D3AA9j
		lea	ecx, [esi+20h]
		and	dword ptr [ecx], 0
		mov	eax, [edi+30h]
		mov	[eax], ecx
		mov	[edi+30h], ecx

loc_514DA9:				; CODE XREF: EtwpEnqueueAvailableBuffer+D3AC2j
					; EtwpEnqueueAvailableBuffer+D3B21j
		lea	edx, [ebp+var_1]
		mov	ecx, edi
		call	EtwpUnlockBufferList
		lock inc dword ptr [edi+9Ch]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
EtwpEnqueueAvailableBuffer endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpUnlockBufferList proc near		; CODE XREF: EtwpEnqueueOverflowBuffer(x,x)+39p
					; EtwpAllocateFreeBuffers(x,x)+CFp ...

; FUNCTION CHUNK AT 005E883A SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword ptr [ecx+0E0h], 1
		lea	eax, [ecx+1F4h]
		jz	short loc_514DF5
		test	ds:byte_70EFC6,	1
		push	ebx
		mov	bl, [edx]
		jnz	loc_5E883A
		xor	ecx, ecx
		lock and [eax],	ecx

loc_514DEB:				; CODE XREF: EtwpUnlockBufferList+D3A82j
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_514DF5:				; CODE XREF: EtwpUnlockBufferList+12j
		xor	edx, edx
		mov	ecx, eax
		pop	ebp
		jmp	ExReleasePushLockEx
EtwpUnlockBufferList endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall EtwpLockBufferList(x, x)
_EtwpLockBufferList@8 proc near		; CODE XREF: EtwpEnqueueOverflowBuffer(x,x)+21p
					; EtwpAllocateFreeBuffers(x,x)+AEp ...
		cmp	dword ptr [ecx+0E0h], 1
		push	esi
		push	edi
		mov	edi, edx
		lea	esi, [ecx+1F4h]
		jz	short loc_514E26
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[edi], al
		mov	ecx, esi
		pop	edi
		pop	esi
		jmp	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
; 

loc_514E26:				; CODE XREF: EtwpLockBufferList(x,x)+11j
		pop	edi
		mov	ecx, esi
		xor	edx, edx
		pop	esi
		jmp	ExAcquirePushLockExclusiveEx
_EtwpLockBufferList@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __fastcall EtwpResetBufferHeader(x, x)
@EtwpResetBufferHeader@8 proc near	; CODE XREF: EtwpDequeueFreeBuffer+176p
					; EtwpDequeueFreeBuffer+1B2p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, 100h
		and	dword ptr [esi+4], 0
		and	dword ptr [esi+20h], 0
		mov	dword ptr [esi+8], 48h
		mov	[esi+36h], dx
		test	[esi+34h], ax
		jnz	short loc_514E57
		pop	esi
		retn
; 

loc_514E57:				; CODE XREF: EtwpResetBufferHeader(x,x)+21j
		mov	eax, [esi+8]
		mov	ecx, [esi]
		sub	ecx, eax
		mov	eax, [esi+8]
		push	ecx		; size_t
		add	eax, esi
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, 0FEFFh
		and	[esi+34h], ax
		pop	esi
		retn
@EtwpResetBufferHeader@8 endp


;  S U B	R O U T	I N E 


EtwpPrepareDirtyBuffer proc near	; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+12Dp
					; EtwpFlushActiveBuffers(x,x)+16Fp ...

; FUNCTION CHUNK AT 005E8849 SIZE 0000008D BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	eax, [esi+0Ch]
		test	eax, 400h
		jz	short loc_514EA1
		test	eax, 4000000h
		jnz	loc_5E8849
		push	0
		call	EtwpEnqueueAvailableBuffer

loc_514E9E:				; CODE XREF: EtwpPrepareDirtyBuffer+39j
					; EtwpPrepareDirtyBuffer+D3A13j ...
		pop	edi
		pop	esi
		retn
; 

loc_514EA1:				; CODE XREF: EtwpPrepareDirtyBuffer+10j
		mov	dword ptr [edi+2Ch], 3
		call	EtwpGetLoggerTimeStamp
		mov	[edi+10h], eax
		mov	[edi+14h], edx
		jmp	short loc_514E9E
EtwpPrepareDirtyBuffer endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpGetLoggerTimeStamp proc near	; CODE XREF: EtwpPrepareDirtyBuffer+2Ep
					; EtwSendTraceBuffer(x,x,x,x,x,x)+BEp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E88D6 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+20h]
		xor	ecx, ecx
		sub	eax, ecx
		jz	short loc_514ED8
		sub	eax, 1
		jnz	loc_5E88D6
		push	ecx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		leave
		retn
; 

loc_514ED8:				; CODE XREF: EtwpGetLoggerTimeStamp+Ej
		call	RtlGetSystemTimePrecise
		leave
		retn
EtwpGetLoggerTimeStamp endp

; 
		align 10h

;  S U B	R O U T	I N E 


EtwpBuffersFlushRequired proc near	; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+149p
					; EtwInitialize+86p

; FUNCTION CHUNK AT 005E8901 SIZE 00000020 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+88h], 0
		jnz	loc_5E8901
		mov	al, 1
		pop	esi
		retn
EtwpBuffersFlushRequired endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFindNextAlignedForwardRunClear(x, x, x, x)
_RtlFindNextAlignedForwardRunClear@16 proc near	; CODE XREF: EtwpFindUserBufferSpace+33p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		xor	eax, eax
		mov	[ebp+var_10], esi
		xor	edx, edx
		inc	ebx
		push	edi
		mov	ecx, [esi]
		inc	eax
		mov	[ebp+var_8], ecx

loc_514F13:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+24j
		bts	ebx, eax
		inc	eax
		cmp	eax, 20h
		jb	short loc_514F13
		mov	eax, [esi+4]
		dec	ecx
		shr	ecx, 5
		mov	[ebp+var_1C], ebx
		lea	edi, [eax+ecx*4]
		mov	[ebp+var_14], edi

loc_514F2C:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+E7j
		mov	eax, [esi+4]
		mov	ecx, edx
		shr	ecx, 5
		lea	eax, [eax+ecx*4]

loc_514F37:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+87j
		mov	[ebp+var_C], eax
		cmp	eax, edi
		ja	loc_514FE2
		mov	ecx, [eax]
		mov	eax, edx
		and	eax, 1Fh
		and	edx, 0FFFFFFE0h
		mov	esi, ds:dword_40BA68[eax*4]
		mov	eax, ebx
		or	esi, ecx
		and	eax, esi
		mov	[ebp+var_4], esi
		cmp	eax, ebx
		jz	short loc_514FD1
		xor	edi, edi

loc_514F62:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+7Cj
		xor	eax, eax
		mov	ecx, edi
		inc	eax
		shl	eax, cl
		test	eax, esi
		jz	short loc_514F7F

loc_514F6D:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+D9j
		inc	edi
		inc	edx
		cmp	edi, 20h
		jb	short loc_514F62
		mov	edi, [ebp+var_14]

loc_514F77:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+DEj
		mov	eax, [ebp+var_C]
		add	eax, 4
		jmp	short loc_514F37
; 

loc_514F7F:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+75j
		xor	esi, esi
		cmp	edx, [ebp+var_8]
		jnb	short loc_514FCC
		mov	eax, [ebp+var_10]
		mov	eax, [eax+4]
		mov	[ebp+var_18], eax

loc_514F8F:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+C7j
		mov	ebx, [ebp+var_18]
		mov	eax, edx
		shr	eax, 5
		mov	ecx, edx
		and	ecx, 1Fh
		mov	eax, [ebx+eax*4]
		mov	ebx, [ebp+var_1C]
		sar	eax, cl
		test	al, 1
		jnz	short loc_514FBF
		inc	edx
		inc	esi
		cmp	esi, [ebp+arg_0]
		jnz	short loc_514FBA
		sub	edx, esi
		mov	eax, edx

loc_514FB3:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+EFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_514FBA:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+B7j
		cmp	edx, [ebp+var_8]
		jb	short loc_514F8F

loc_514FBF:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+B0j
		test	esi, esi
		jz	short loc_514FCC
		inc	edi
		add	edi, esi
		cmp	edi, 20h
		jnb	short loc_514FD6
		dec	edi

loc_514FCC:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+8Ej
					; RtlFindNextAlignedForwardRunClear(x,x,x,x)+CBj
		mov	esi, [ebp+var_4]
		jmp	short loc_514F6D
; 

loc_514FD1:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+68j
		add	edx, 20h
		jmp	short loc_514F77
; 

loc_514FD6:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+D3j
		mov	esi, [ebp+var_10]
		inc	edx
		mov	edi, [ebp+var_14]
		jmp	loc_514F2C
; 

loc_514FE2:				; CODE XREF: RtlFindNextAlignedForwardRunClear(x,x,x,x)+46j
		or	eax, 0FFFFFFFFh
		jmp	short loc_514FB3
_RtlFindNextAlignedForwardRunClear@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


EtwpRequestFlushTimer proc near		; CODE XREF: EtwpSwitchBuffer(x,x,x,x,x)+1AFp
					; EtwpLoggerDpc+CBED4p	...

; FUNCTION CHUNK AT 005E8921 SIZE 0000001B BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+25Ch]
		mov	eax, [esi]
		test	eax, 400h
		jz	short loc_515002

loc_514FFD:				; CODE XREF: EtwpRequestFlushTimer+42j
		xor	al, al

loc_514FFF:				; CODE XREF: EtwpRequestFlushTimer+8Bj
		pop	edi
		pop	esi
		retn
; 

loc_515002:				; CODE XREF: EtwpRequestFlushTimer+13j
		test	dl, dl
		jnz	loc_5E8921
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	loc_5E8921
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	loc_5E8921
		lock bts dword ptr [esi], 0Ah
		jb	short loc_514FFD
		test	byte ptr [edi+0Ch], 10h
		mov	esi, [edi+84h]
		jnz	short loc_51503E
		imul	esi, 3E8h

loc_51503E:				; CODE XREF: EtwpRequestFlushTimer+4Ej
		push	ds:dword_40FA04
		push	ds:_EtwpOneMs
		push	0
		push	esi
		call	__allmul
		shr	esi, 2
		mov	ecx, 1F4h
		cmp	esi, ecx
		jnb	short loc_515075

loc_51505E:				; CODE XREF: EtwpRequestFlushTimer+8Fj
		push	0
		push	esi
		push	0
		push	edx
		push	eax
		lea	eax, [edi+188h]
		push	eax
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)

loc_515071:				; CODE XREF: EtwpRequestFlushTimer+D393Ej
					; EtwpRequestFlushTimer+D394Fj
		mov	al, 1
		jmp	short loc_514FFF
; 

loc_515075:				; CODE XREF: EtwpRequestFlushTimer+74j
		mov	esi, ecx
		jmp	short loc_51505E
EtwpRequestFlushTimer endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall EtwpResetFlushTimer(x, x)
_EtwpResetFlushTimer@8 proc near	; CODE XREF: EtwpLogger(x)+9Cp
					; EtwpLogger(x)+EAp
		mov	edi, edi
		push	esi
		lea	esi, [ecx+25Ch]
		mov	eax, [esi]
		test	eax, 400h
		jz	short loc_515095
		test	dl, dl
		jnz	short loc_515097

loc_515090:				; CODE XREF: EtwpResetFlushTimer(x,x)+29j
		lock btr dword ptr [esi], 0Ah

loc_515095:				; CODE XREF: EtwpResetFlushTimer(x,x)+10j
		pop	esi
		retn
; 

loc_515097:				; CODE XREF: EtwpResetFlushTimer(x,x)+14j
		lea	eax, [ecx+188h]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		jmp	short loc_515090
_EtwpResetFlushTimer@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpFileCheckAttributesForPrefetch proc near ; CODE XREF: PfpFileBuildReadSupport+DDp
					; PfSnGetSectionObject+F2p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E893C SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		push	23h		; int
		push	8		; size_t
		lea	eax, [ebp+var_8]
		xor	edi, edi
		push	eax		; int
		lea	eax, [ebp+var_10]
		mov	[ebp+var_8], edi
		push	eax		; int
		push	ecx		; int
		mov	esi, edx
		mov	[ebp+var_4], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		call	_NtQueryInformationFile@20 ; NtQueryInformationFile(x,x,x,x,x)
		test	eax, eax
		js	short loc_5150EF
		cmp	eax, 103h
		jz	loc_5E893C
		mov	eax, [ebp+var_8]
		and	eax, esi
		neg	eax
		sbb	eax, eax
		and	eax, 0C00000A4h

loc_5150EF:				; CODE XREF: PfpFileCheckAttributesForPrefetch+2Ej
		pop	edi
		pop	esi
		leave
		retn
PfpFileCheckAttributesForPrefetch endp

; 
		align 10h
; Exported entry 1112. KeClearEvent
; Exported entry 1273. KeResetEvent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeResetEvent(x)
		public _KeResetEvent@4
_KeResetEvent@4	proc near		; CODE XREF: PopUpdateWatchdogNoWorkersEvent(x)+1Ep
					; SMKM_STORE_SM_TRAITS___SmStWorker+151p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi	; KeClearEvent
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, [ebp+arg_0]
		mov	bl, al
		mov	[ebp+var_4], 0
		lock bts dword ptr [esi], 7
		jb	short loc_515147

loc_515122:				; CODE XREF: KeResetEvent(x)+5Aj
		mov	edi, [esi+4]
		mov	eax, 0FFFFFF7Fh
		mov	dword ptr [esi+4], 0
		lock and [esi],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_515147:				; CODE XREF: KeResetEvent(x)+20j
					; KeResetEvent(x)+53j ...
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	al, al
		js	short loc_515147
		lock bts dword ptr [esi], 7
		jnb	short loc_515122
		jmp	short loc_515147
_KeResetEvent@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopWaitForSynchronousIo(x, x, x)
_IopWaitForSynchronousIo@12 proc near	; CODE XREF: .text:00522783p
					; IopQueryXxxInformation+16Ap ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		mov	dl, [ebp+arg_0]
		lea	eax, [esi+5Ch]
		push	eax
		mov	eax, [esi+2Ch]
		shr	eax, 2
		and	al, 1
		movzx	eax, al
		push	eax
		call	_IopWaitForSynchronousIoEvent@16 ; IopWaitForSynchronousIoEvent(x,x,x,x)
		mov	eax, [esi+1Ch]
		pop	esi
		pop	ebp
		retn	4
_IopWaitForSynchronousIo@12 endp


;  S U B	R O U T	I N E 


; __stdcall PfpCheckPrefetchAbort(x)
_PfpCheckPrefetchAbort@4 proc near	; CODE XREF: PfpPrefetchPrivatePages+82p
					; PfpPrefetchPrivatePages+F1p ...
		mov	eax, [ecx]
		mov	edx, [eax+34h]
		test	edx, edx
		jz	short loc_515195
		cmp	dword ptr [edx+4], 0
		jnz	short loc_5151AD

loc_515195:				; CODE XREF: PfpCheckPrefetchAbort(x)+7j
		test	byte ptr [eax+38h], 4
		jz	short loc_5151AA
		mov	eax, [ecx+14h]
		cmp	dword ptr [eax+2Ch], 0
		jnz	short loc_5151AD
		test	byte ptr [eax+28h], 4
		jnz	short loc_5151AD

loc_5151AA:				; CODE XREF: PfpCheckPrefetchAbort(x)+13j
		xor	eax, eax
		retn
; 

loc_5151AD:				; CODE XREF: PfpCheckPrefetchAbort(x)+Dj
					; PfpCheckPrefetchAbort(x)+1Cj	...
		xor	eax, eax
		inc	eax
		retn
_PfpCheckPrefetchAbort@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PfpReadSupportInitialize(x)
_PfpReadSupportInitialize@4 proc near	; CODE XREF: PfpPrefetchFilesTrickle+AFp
					; PfpPrefetchFiles(x,x)+191p ...
		mov	edi, edi
		push	edi
		mov	edx, ecx
		xor	eax, eax
		push	8
		pop	ecx
		mov	edi, edx
		rep stosd
		lea	ecx, [edx+4]
		pop	edi
		jmp	_PfpOpenHandleInitialize@4 ; PfpOpenHandleInitialize(x)
_PfpReadSupportInitialize@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall IopUpdateOtherOperationCount()
_IopUpdateOtherOperationCount@0	proc near ; CODE XREF: .text:0052230Ep
					; IoQueryInformationByName:loc_73F2BBp	...
		cmp	_IoCountOperations, 1
		jnz	short locret_515200
		mov	eax, large fs:124h
		mov	ecx, 1
		mov	eax, [eax+150h]
		add	eax, 200h
		lock add [eax],	ecx
		jnb	short loc_5151F9
		lock adc dword ptr [eax+4], 0

loc_5151F9:				; CODE XREF: IopUpdateOtherOperationCount()+22j
		inc	large dword ptr	fs:624h

locret_515200:				; CODE XREF: IopUpdateOtherOperationCount()+7j
		retn
_IopUpdateOtherOperationCount@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetMountFlag	proc near		; CODE XREF: PAGE:007F73BBp

; FUNCTION CHUNK AT 005E895B SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		xor	bl, bl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bh, al
		mov	eax, large fs:20h
		lea	ecx, [eax+460h]
		mov	eax, [ecx+4]
		test	ds:byte_70EFC6,	21h
		jnz	loc_5E894F
		mov	edx, ecx
		xchg	edx, [eax]
		test	edx, edx
		jnz	short loc_5152AD

loc_515247:				; CODE XREF: IopGetMountFlag+A2j
					; PfpFileCheckAttributesForPrefetch+D38B0j
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_515256
		test	byte ptr [eax+4], 1
		jz	short loc_515256
		mov	bl, 1

loc_515256:				; CODE XREF: IopGetMountFlag+3Cj
					; IopGetMountFlag+42j
		mov	esi, large fs:20h
		add	esi, 460h
		test	ds:byte_70EFC6,	1
		jnz	loc_5E895B
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_51529A
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_515293

loc_515285:				; CODE XREF: IopGetMountFlag+9Bj
					; IopGetMountFlag+D3755j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn
; 

loc_515293:				; CODE XREF: IopGetMountFlag+73j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_51529A:				; CODE XREF: IopGetMountFlag+64j
		mov	dword ptr [esi], 0
		lea	ecx, [eax+4]
		mov	edx, 1
		lock xor [ecx],	edx
		jmp	short loc_515285
; 

loc_5152AD:				; CODE XREF: IopGetMountFlag+35j
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_515247
IopGetMountFlag	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopResetEvent(x)
_IopResetEvent@4 proc near		; CODE XREF: .text:00522165p
					; IopAllocateAndPopulateWriteIrp(x,x)+1Cp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	dword ptr [ecx+2Ch], 4000000h
		jnz	short loc_515303
		push	ebx
		push	esi
		lea	esi, [ecx+5Ch]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	[ebp+var_4], 0
		lock bts dword ptr [esi], 7
		jb	short loc_515307

loc_5152EA:				; CODE XREF: IopResetEvent(x)+5Aj
		mov	eax, 0FFFFFF7Fh
		mov	dword ptr [esi+4], 0
		lock and [esi],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebx

loc_515303:				; CODE XREF: IopResetEvent(x)+Dj
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_515307:				; CODE XREF: IopResetEvent(x)+28j
					; IopResetEvent(x)+53j	...
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	al, al
		js	short loc_515307
		lock bts dword ptr [esi], 7
		jnb	short loc_5152EA
		jmp	short loc_515307
_IopResetEvent@4 endp


;  S U B	R O U T	I N E 


sub_51531E	proc near		; CODE XREF: PAGE:007F7600p
					; NtSetVolumeInformationFile(x,x,x,x,x):loc_960377p

; FUNCTION CHUNK AT 005E896A SIZE 00000039 BYTES

		cmp	_ViVerifierEnabled, 0
		jnz	loc_5E896A

loc_51532B:				; CODE XREF: sub_51531E+D365Fj
		push	20206F49h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
sub_51531E	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCancelIrpsInFileObjectList proc near	; CODE XREF: IopRevokeFileObjectForProcess(x,x)+43p
					; NtCancelIoFile+E3p ...

var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005E89A3 SIZE 000000A0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		or	[esp+24h+var_4], 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+2Ch+var_10], edx
		and	[esp+2Ch+var_1C], esi
		mov	ebx, ecx
		push	edi
		mov	[esp+30h+var_14], eax
		mov	[esp+30h+var_C], eax
		mov	[esp+30h+var_18], 1
		mov	[esp+30h+var_8], 0FFFFD8F0h
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [ebx+70h]
		mov	[esp+30h+var_21], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	[ebp+arg_C], 0
		jz	short loc_515398
		or	dword ptr [ebx+2Ch], 400h

loc_515398:				; CODE XREF: IopCancelIrpsInFileObjectList+51j
					; IopCancelIrpsInFileObjectList+D367Aj	...
		lea	eax, [ebx+74h]

loc_51539B:				; CODE XREF: IopCancelIrpsInFileObjectList+139j
					; IopCancelIrpsInFileObjectList+14Bj
		mov	[esp+30h+var_C], esi
		cmp	[eax], eax
		jnz	short loc_5153CC

loc_5153A3:				; CODE XREF: IopCancelIrpsInFileObjectList+B8j
					; IopCancelIrpsInFileObjectList+C6j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5E8A34
		xor	eax, eax
		lock and [edi],	eax

loc_5153B5:				; CODE XREF: IopCancelIrpsInFileObjectList+D3700j
		mov	cl, [esp+30h+var_21]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+30h+var_14]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_5153CC:				; CODE XREF: IopCancelIrpsInFileObjectList+63j
		mov	edx, [esp+30h+var_10]
		lea	ecx, [esp+30h+var_1C]
		push	ecx
		push	esi
		push	[ebp+arg_4]
		mov	ecx, eax
		push	[ebp+arg_0]
		call	_IopCheckListForCancelableIrp@24 ; IopCheckListForCancelableIrp(x,x,x,x,x,x)
		mov	esi, [esp+30h+var_1C]
		mov	cl, al
		xor	eax, eax
		mov	[esp+30h+var_20], eax
		test	esi, esi
		jnz	short loc_51540B
		cmp	[ebp+arg_8], al
		jz	short loc_5153A3
		test	cl, cl
		jz	loc_5E89BD
		cmp	[esp+30h+var_C], eax
		jz	short loc_5153A3
		jmp	loc_5E89B6
; 

loc_51540B:				; CODE XREF: IopCancelIrpsInFileObjectList+B3j
		cmp	[esi+24h], al
		jnz	short loc_51544F
		mov	byte ptr [esi+24h], 1
		test	ds:byte_70EFC6,	1
		mov	[esp+30h+var_14], 1
		jnz	loc_5E89A3
		xor	eax, eax
		lock and [edi],	eax

loc_51542E:				; CODE XREF: IopCancelIrpsInFileObjectList+D3673j
		mov	cl, [esp+30h+var_21]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	esi
		call	IoCancelIrp
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	[esp+30h+var_21], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_51544F:				; CODE XREF: IopCancelIrpsInFileObjectList+D0j
		test	dword ptr [esi+8], 2000h
		jz	short loc_51545F
		mov	eax, [esi+10h]
		mov	[esp+30h+var_20], eax

loc_51545F:				; CODE XREF: IopCancelIrpsInFileObjectList+118j
		lea	ecx, [esi+30h]
		or	edx, 0FFFFFFFFh
		call	IopInterlockedAdd
		test	eax, eax
		jz	short loc_51548E

loc_51546E:				; CODE XREF: IopCancelIrpsInFileObjectList+156j
		mov	esi, [esp+30h+var_20]
		lea	eax, [ebx+74h]
		cmp	esi, eax
		jnz	loc_51539B
		cmp	[ebp+arg_8], 0
		jz	loc_5153A3
		xor	esi, esi
		jmp	loc_51539B
; 

loc_51548E:				; CODE XREF: IopCancelIrpsInFileObjectList+12Ej
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		jmp	short loc_51546E
IopCancelIrpsInFileObjectList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCheckListForCancelableIrp(x, x, x, x, x,	x)
_IopCheckListForCancelableIrp@24 proc near ; CODE XREF:	IopCancelIrpsInFileObjectList+A0p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	bl, 1
		and	dword ptr [eax], 0
		mov	[ebp+var_4], edx
		mov	edx, ecx
		test	esi, esi
		jnz	short loc_5154B4
		mov	esi, [edx]

loc_5154B4:				; CODE XREF: IopCheckListForCancelableIrp(x,x,x,x,x,x)+1Aj
		cmp	edx, esi
		jz	short loc_5154DC
		mov	ecx, [ebp+var_4]
		push	edi

loc_5154BC:				; CODE XREF: IopCheckListForCancelableIrp(x,x,x,x,x,x)+43j
		lea	edi, [esi-10h]
		mov	eax, [edi+30h]
		and	eax, 0FFFFFFFCh
		cmp	eax, ecx
		jnz	short loc_5154D5
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_5154E4
		cmp	[edi+28h], eax
		jz	short loc_5154E4

loc_5154D5:				; CODE XREF: IopCheckListForCancelableIrp(x,x,x,x,x,x)+31j
					; IopCheckListForCancelableIrp(x,x,x,x,x,x)+8Fj ...
		mov	esi, [esi]
		cmp	edx, esi
		jnz	short loc_5154BC

loc_5154DB:				; CODE XREF: IopCheckListForCancelableIrp(x,x,x,x,x,x)+7Cj
		pop	edi

loc_5154DC:				; CODE XREF: IopCheckListForCancelableIrp(x,x,x,x,x,x)+20j
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	10h
; 

loc_5154E4:				; CODE XREF: IopCheckListForCancelableIrp(x,x,x,x,x,x)+38j
					; IopCheckListForCancelableIrp(x,x,x,x,x,x)+3Dj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_515527

loc_5154EB:				; CODE XREF: IopCheckListForCancelableIrp(x,x,x,x,x,x)+96j
		movsx	ecx, byte ptr [edi+22h]
		movsx	eax, byte ptr [edi+23h]
		add	ecx, 2
		cmp	eax, ecx
		jge	short loc_515514
		cmp	byte ptr [edi+24h], 0
		jnz	short loc_515514
		xor	edx, edx
		lea	ecx, [edi+30h]
		inc	edx
		xor	bl, bl
		call	IopInterlockedAdd
		mov	eax, [ebp+arg_C]
		mov	[eax], edi
		jmp	short loc_5154DB
; 

loc_515514:				; CODE XREF: IopCheckListForCancelableIrp(x,x,x,x,x,x)+62j
					; IopCheckListForCancelableIrp(x,x,x,x,x,x)+68j
		mov	eax, [edi+8]
		mov	ecx, [ebp+var_4]
		and	eax, 10000h
		neg	eax
		sbb	al, al
		and	bl, al
		jmp	short loc_5154D5
; 

loc_515527:				; CODE XREF: IopCheckListForCancelableIrp(x,x,x,x,x,x)+53j
		cmp	[edi+50h], eax
		jnz	short loc_5154D5
		jmp	short loc_5154EB
_IopCheckListForCancelableIrp@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringCbCopyExW proc	near		; CODE XREF: PiCMGetRelatedDeviceInstance+1DDp
					; _CmGetDeviceMappedPropertyFromComposite+49Dp	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005E8A43 SIZE 000000D3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		mov	ecx, [ebp+arg_C]
		push	esi
		push	edi
		mov	edi, eax
		mov	[ebp+var_C], eax
		mov	eax, ecx
		shr	edi, 1
		and	eax, 100h
		jz	loc_5155E5
		test	ebx, ebx
		jz	loc_5E8A43

loc_51555C:				; CODE XREF: RtlStringCbCopyExW+CBj
					; RtlStringCbCopyExW+D3517j
		mov	edx, ebx
		mov	[ebp+var_4], edi
		test	eax, eax
		mov	[ebp+var_8], edx
		mov	eax, [ebp+arg_0]
		jz	short loc_515573
		test	eax, eax
		jz	loc_5E8A62

loc_515573:				; CODE XREF: RtlStringCbCopyExW+3Bj
					; RtlStringCbCopyExW+D3539j
		xor	esi, esi
		test	ecx, 0FFFFE000h
		jnz	loc_5E8A6C
		test	edi, edi
		jz	loc_5E8ABB
		push	ecx
		push	eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+arg_0], esi
		push	eax
		mov	edx, edi
		mov	ecx, ebx
		call	sub_54E9F6
		mov	ecx, [ebp+arg_0]
		mov	esi, eax
		sub	edi, ecx
		mov	[ebp+var_4], edi
		lea	edx, [ebx+ecx*2]
		mov	[ebp+var_8], edx
		test	esi, esi
		js	loc_5E8A7A
		mov	ecx, [ebp+arg_C]
		test	ecx, 200h
		jnz	loc_5E8ADB

loc_5155C2:				; CODE XREF: RtlStringCbCopyExW+D35A8j
					; RtlStringCbCopyExW+D35B9j ...
		test	esi, esi
		js	loc_5E8A7A

loc_5155CA:				; CODE XREF: RtlStringCbCopyExW+D3576j
					; RtlStringCbCopyExW+D3588j ...
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_515601

loc_5155D1:				; CODE XREF: RtlStringCbCopyExW+D8j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	loc_5E8B06

loc_5155DC:				; CODE XREF: RtlStringCbCopyExW+D1j
					; RtlStringCbCopyExW+D3524j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_5155E5:				; CODE XREF: RtlStringCbCopyExW+20j
		mov	esi, edi
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFFF3h
		add	esi, 0C000000Dh
		test	edi, edi
		jnz	loc_51555C
		jmp	short loc_5155DC
; 

loc_515601:				; CODE XREF: RtlStringCbCopyExW+A1j
		mov	eax, [ebp+var_8]
		mov	[ecx], eax
		jmp	short loc_5155D1
RtlStringCbCopyExW endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 975. IoSetActivityIdThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetActivityIdThread(x)
		public _IoSetActivityIdThread@4
_IoSetActivityIdThread@4 proc near	; CODE XREF: KiAbCleanupThreadState+EE272p
					; .text:005DD708p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, large fs:124h
		mov	ecx, [ebp+arg_0]
		mov	eax, [edx+35Ch]
		mov	[edx+35Ch], ecx
		pop	ebp
		retn	4
_IoSetActivityIdThread@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 775. IoClearActivityIdThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoClearActivityIdThread(x)
		public _IoClearActivityIdThread@4
_IoClearActivityIdThread@4 proc	near	; CODE XREF: PiDqIrpQueryCreate+1F7p
					; PiDqObjectManagerServiceActionQueue+275p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, large fs:124h
		mov	eax, [ebp+arg_0]
		mov	[ecx+35Ch], eax
		pop	ebp
		retn	4
_IoClearActivityIdThread@4 endp

; 
		align 10h
; Exported entry 2055. RtlEnumerateGenericTableAvl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlEnumerateGenericTableAvl(x, x)
		public _RtlEnumerateGenericTableAvl@8
_RtlEnumerateGenericTableAvl@8 proc near ; CODE	XREF: EtwpFreeKeyNameList(x)+11p
					; PiDmObjectManagerPopulate+9569Ep ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		mov	ecx, [ebp+arg_0]
		lea	eax, [ecx+20h]
		jz	short loc_515664
		and	dword ptr [eax], 0

loc_515664:				; CODE XREF: RtlEnumerateGenericTableAvl(x,x)+Fj
		push	eax
		push	ecx
		call	_RtlEnumerateGenericTableWithoutSplayingAvl@8 ;	RtlEnumerateGenericTableWithoutSplayingAvl(x,x)
		pop	ebp
		retn	8
_RtlEnumerateGenericTableAvl@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2058. RtlEnumerateGenericTableWithoutSplayingAvl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlEnumerateGenericTableWithoutSplayingAvl(x, x)
		public _RtlEnumerateGenericTableWithoutSplayingAvl@8
_RtlEnumerateGenericTableWithoutSplayingAvl@8 proc near
					; CODE XREF: RtlEnumerateGenericTableAvl(x,x)+16p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+18h], 0
		jz	short loc_5156A5
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_5156A9
		call	_RealSuccessor@4 ; RealSuccessor(x)
		test	eax, eax
		jz	short loc_515697

loc_515695:				; CODE XREF: RtlEnumerateGenericTableWithoutSplayingAvl(x,x)+43j
		mov	[esi], eax

loc_515697:				; CODE XREF: RtlEnumerateGenericTableWithoutSplayingAvl(x,x)+1Fj
		lea	ecx, [eax+10h]
		neg	eax
		pop	esi
		sbb	eax, eax
		and	eax, ecx

loc_5156A1:				; CODE XREF: RtlEnumerateGenericTableWithoutSplayingAvl(x,x)+33j
		pop	ebp
		retn	8
; 

loc_5156A5:				; CODE XREF: RtlEnumerateGenericTableWithoutSplayingAvl(x,x)+Cj
		xor	eax, eax
		jmp	short loc_5156A1
; 

loc_5156A9:				; CODE XREF: RtlEnumerateGenericTableWithoutSplayingAvl(x,x)+16j
		mov	eax, [eax+8]
		jmp	short loc_5156B0
; 

loc_5156AE:				; CODE XREF: RtlEnumerateGenericTableWithoutSplayingAvl(x,x)+41j
		mov	eax, ecx

loc_5156B0:				; CODE XREF: RtlEnumerateGenericTableWithoutSplayingAvl(x,x)+38j
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_5156AE
		jmp	short loc_515695
_RtlEnumerateGenericTableWithoutSplayingAvl@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2169. RtlInitializeGenericTableAvl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlInitializeGenericTableAvl(void *,int,int,int,int)
		public _RtlInitializeGenericTableAvl@20
_RtlInitializeGenericTableAvl@20 proc near ; CODE XREF:	PiDqQueryCreate+9Bp
					; PiPnpRtlBeginOperation+7Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	38h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	[esi+28h], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+2Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+30h], eax
		mov	eax, [ebp+arg_10]
		mov	[esi], esi
		mov	[esi+34h], eax
		pop	esi
		pop	ebp
		retn	14h
_RtlInitializeGenericTableAvl@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FindNodeOrParent(x,	x, x)
_FindNodeOrParent@12 proc near		; CODE XREF: RtlInsertElementGenericTableAvl(x,x,x,x)+14p
					; RtlEnumerateGenericTableLikeADirectory+88p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		cmp	dword ptr [ebx+18h], 0
		jz	short loc_515749
		push	esi
		mov	esi, [ebx+8]
		push	edi
		xor	edi, edi
		inc	edi

loc_51570E:				; CODE XREF: FindNodeOrParent(x,x,x)+37j
		lea	eax, [esi+10h]
		push	eax
		push	edx
		push	ebx
		call	dword ptr [ebx+28h]
		test	eax, eax
		jz	short loc_51572D
		cmp	eax, edi
		jnz	short loc_51573B
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_515738

loc_515726:				; CODE XREF: FindNodeOrParent(x,x,x)+3Ej
		mov	edx, [ebp+var_4]
		mov	esi, eax
		jmp	short loc_51570E
; 

loc_51572D:				; CODE XREF: FindNodeOrParent(x,x,x)+25j
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_515726
		push	2
		jmp	short loc_51573A
; 

loc_515738:				; CODE XREF: FindNodeOrParent(x,x,x)+30j
		push	3

loc_51573A:				; CODE XREF: FindNodeOrParent(x,x,x)+42j
		pop	edi

loc_51573B:				; CODE XREF: FindNodeOrParent(x,x,x)+29j
		mov	ecx, [ebp+arg_0]
		mov	eax, edi
		pop	edi
		mov	[ecx], esi
		pop	esi

loc_515744:				; CODE XREF: FindNodeOrParent(x,x,x)+57j
		pop	ebx
		leave
		retn	4
; 

loc_515749:				; CODE XREF: FindNodeOrParent(x,x,x)+10j
		xor	eax, eax
		jmp	short loc_515744
_FindNodeOrParent@12 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2175. RtlInsertElementGenericTableAvl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlInsertElementGenericTableAvl(int,void *,size_t,int)
		public _RtlInsertElementGenericTableAvl@16
_RtlInsertElementGenericTableAvl@16 proc near
					; CODE XREF: VfAvlInsertReservedTreeNode(x,x,x)+53p
					; PiDqQueryAddObjectToResultSet(x,x)+1Ep ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_4], 0
		push	eax
		call	_FindNodeOrParent@12 ; FindNodeOrParent(x,x,x)
		push	eax		; int
		push	[ebp+var_4]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; size_t
		push	[ebp+arg_4]	; void *
		push	[ebp+arg_0]	; int
		call	RtlInsertElementGenericTableFullAvl
		leave
		retn	10h
_RtlInsertElementGenericTableAvl@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringCchCopyExW proc near		; CODE XREF: _CmGetDeviceParent+BCp
					; PiPnpRtlGetFilteredDeviceList+1B6p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005E8B16 SIZE 000000B9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_C]
		xor	eax, eax
		mov	ecx, edx
		mov	esi, eax
		and	ecx, 100h
		jz	loc_515847
		test	ebx, ebx
		jz	loc_5E8B16

loc_5157AF:				; CODE XREF: RtlStringCchCopyExW+C5j
					; RtlStringCchCopyExW+D3394j
		cmp	edi, 7FFFFFFFh
		ja	loc_5E8B1E

loc_5157BB:				; CODE XREF: RtlStringCchCopyExW+D339Fj
		test	esi, esi
		js	loc_5E8BBD
		mov	eax, edi
		mov	[ebp+var_4], ebx
		test	ecx, ecx
		mov	[ebp+var_8], eax
		mov	ecx, [ebp+arg_0]
		jz	short loc_5157D6
		test	ecx, ecx
		jz	short loc_515854

loc_5157D6:				; CODE XREF: RtlStringCchCopyExW+4Cj
					; RtlStringCchCopyExW+D5j
		xor	esi, esi
		test	edx, 0FFFFE000h
		jnz	loc_5E8B28
		test	edi, edi
		jz	loc_5E8B71
		xor	eax, eax
		mov	edx, edi
		push	ecx
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+arg_0]
		push	ecx
		push	eax
		mov	ecx, ebx
		call	sub_515870
		mov	ecx, [ebp+arg_0]
		mov	esi, eax
		mov	eax, edi
		sub	eax, ecx
		mov	[ebp+arg_0], eax
		mov	[ebp+var_8], eax
		lea	edx, [ebx+ecx*2]
		mov	[ebp+var_4], edx
		test	esi, esi
		js	short loc_51585E
		mov	ecx, [ebp+arg_C]
		test	ecx, 200h
		jnz	loc_5E8B8F

loc_515828:				; CODE XREF: RtlStringCchCopyExW+D33E8j
					; RtlStringCchCopyExW+D340Ej ...
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_51583F

loc_51582F:				; CODE XREF: RtlStringCchCopyExW+BDj
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	short loc_515843

loc_515836:				; CODE XREF: RtlStringCchCopyExW+C1j
					; RtlStringCchCopyExW+D33DFj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_51583F:				; CODE XREF: RtlStringCchCopyExW+A9j
		mov	[ecx], edx
		jmp	short loc_51582F
; 

loc_515843:				; CODE XREF: RtlStringCchCopyExW+B0j
		mov	[ecx], eax
		jmp	short loc_515836
; 

loc_515847:				; CODE XREF: RtlStringCchCopyExW+1Dj
		test	edi, edi
		jnz	loc_5157AF
		jmp	loc_5E8B1E
; 

loc_515854:				; CODE XREF: RtlStringCchCopyExW+50j
		mov	ecx, offset ??_C@_11LOCGONAA@@FNODOBFM@
		jmp	loc_5157D6
; 

loc_51585E:				; CODE XREF: RtlStringCchCopyExW+93j
		mov	edx, [ebp+arg_C]
		jmp	loc_5E8B36
RtlStringCchCopyExW endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_515870	proc near		; CODE XREF: RtlStringCchCopyExW+77p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		xor	edi, edi
		test	esi, esi
		jz	short loc_5158AA
		mov	ebx, [ebp+arg_4]
		mov	eax, 7FFFFFFEh
		sub	ebx, ecx
		lea	ebx, [ebx+0]

loc_515890:				; CODE XREF: sub_515870+38j
		test	eax, eax
		jz	short loc_5158B5
		movzx	edx, word ptr [ebx+ecx]
		test	dx, dx
		jz	short loc_5158B5
		mov	[ecx], dx
		dec	eax
		add	ecx, 2
		inc	edi
		sub	esi, 1
		jnz	short loc_515890

loc_5158AA:				; CODE XREF: sub_515870+Ej
					; sub_515870+47j
		sub	ecx, 2
		mov	edx, 80000005h
		dec	edi
		jmp	short loc_5158BB
; 

loc_5158B5:				; CODE XREF: sub_515870+22j
					; sub_515870+2Bj
		test	esi, esi
		jz	short loc_5158AA
		xor	edx, edx

loc_5158BB:				; CODE XREF: sub_515870+43j
		xor	eax, eax
		mov	[ecx], ax
		mov	eax, edx
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_5158CB
		mov	[ecx], edi

loc_5158CB:				; CODE XREF: sub_515870+57j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
sub_515870	endp

; 
		align 8
; Exported entry 2056. RtlEnumerateGenericTableLikeADirectory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlEnumerateGenericTableLikeADirectory
RtlEnumerateGenericTableLikeADirectory proc near
					; CODE XREF: PiDmEnumObjectsWithCallback(x,x,x)+A2p
					; PiDmEnumObjectsWithCallback(x,x,x)+125p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005E8BCF SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [eax]
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], esi
		cmp	[ebx+18h], edi
		jz	loc_515978
		cmp	[ebp+arg_4], edi
		jnz	short loc_515903
		mov	[ebp+arg_4], offset ?SmpStoreMgrCallback@@YGJPAU_SMKM_STORE_LIST@@PAXW4_SMKM_CALLBACK_TYPE@@@Z ; SmpStoreMgrCallback(_SMKM_STORE_LIST *,void *,_SMKM_CALLBACK_TYPE)

loc_515903:				; CODE XREF: RtlEnumerateGenericTableLikeADirectory+22j
		mov	eax, [ebp+arg_14]
		mov	ecx, esi
		mov	eax, [eax]
		cmp	eax, [ebx+24h]
		jnz	short loc_515983

loc_51590F:				; CODE XREF: RtlEnumerateGenericTableLikeADirectory+B2j
		test	ecx, ecx
		jz	short loc_515957

loc_515913:				; CODE XREF: RtlEnumerateGenericTableLikeADirectory+A9j
		mov	edi, [ebp+arg_C]

loc_515916:				; CODE XREF: RtlEnumerateGenericTableLikeADirectory+D3301j
		test	edi, edi
		jz	short loc_515923

loc_51591A:				; CODE XREF: RtlEnumerateGenericTableLikeADirectory+62j
		mov	ecx, esi
		call	_RealSuccessor@4 ; RealSuccessor(x)
		mov	esi, eax

loc_515923:				; CODE XREF: RtlEnumerateGenericTableLikeADirectory+40j
					; RtlEnumerateGenericTableLikeADirectory+9Ej
		test	esi, esi
		jz	short loc_51597A
		push	[ebp+arg_8]
		lea	eax, [esi+10h]
		push	eax
		push	ebx
		call	[ebp+arg_4]
		mov	ecx, eax
		cmp	ecx, 0C0000272h
		jz	short loc_51591A
		mov	eax, [ebp+arg_10]
		mov	edx, [ebp+arg_14]
		mov	[eax], esi
		mov	eax, [ebx+24h]
		mov	[edx], eax
		test	ecx, ecx
		jnz	short loc_51597A
		lea	eax, [esi+10h]

loc_515950:				; CODE XREF: RtlEnumerateGenericTableLikeADirectory+A4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_515957:				; CODE XREF: RtlEnumerateGenericTableLikeADirectory+39j
		mov	edx, [ebp+arg_18]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, ebx
		call	_FindNodeOrParent@12 ; FindNodeOrParent(x,x,x)
		cmp	eax, 1
		jz	short loc_51597E
		cmp	eax, 3
		jz	loc_5E8BCF
		mov	esi, [ebp+var_4]
		jmp	short loc_515923
; 

loc_515978:				; CODE XREF: RtlEnumerateGenericTableLikeADirectory+19j
		mov	[eax], edi

loc_51597A:				; CODE XREF: RtlEnumerateGenericTableLikeADirectory+4Dj
					; RtlEnumerateGenericTableLikeADirectory+73j
		xor	eax, eax
		jmp	short loc_515950
; 

loc_51597E:				; CODE XREF: RtlEnumerateGenericTableLikeADirectory+90j
		mov	esi, [ebp+var_4]
		jmp	short loc_515913
; 

loc_515983:				; CODE XREF: RtlEnumerateGenericTableLikeADirectory+35j
		mov	esi, edi
		mov	ecx, edi
		mov	[ebp+var_4], esi
		jmp	short loc_51590F
RtlEnumerateGenericTableLikeADirectory endp


;  S U B	R O U T	I N E 


; __stdcall RealSuccessor(x)
_RealSuccessor@4 proc near		; CODE XREF: RtlEnumerateGenericTableWithoutSplayingAvl(x,x)+18p
					; RtlEnumerateGenericTableLikeADirectory+44p ...
		mov	edx, ecx
		mov	eax, [edx+8]
		test	eax, eax
		jnz	short loc_5159B2
		mov	ecx, [edx]

loc_515997:				; CODE XREF: RealSuccessor(x)+22j
		cmp	[ecx+8], edx
		jz	short loc_5159AA
		mov	eax, [ecx+4]
		sub	eax, edx
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx

locret_5159A9:				; CODE XREF: RealSuccessor(x)+2Bj
		retn
; 

loc_5159AA:				; CODE XREF: RealSuccessor(x)+Ej
		mov	edx, ecx
		mov	ecx, [ecx]
		jmp	short loc_515997
; 

loc_5159B0:				; CODE XREF: RealSuccessor(x)+2Dj
		mov	eax, ecx

loc_5159B2:				; CODE XREF: RealSuccessor(x)+7j
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short locret_5159A9
		jmp	short loc_5159B0
_RealSuccessor@4 endp

; 
		align 10h
; Exported entry 2177. RtlInsertElementGenericTableFullAvl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlInsertElementGenericTableFullAvl(int,void *,size_t,int,int,int)
		public RtlInsertElementGenericTableFullAvl
RtlInsertElementGenericTableFullAvl proc near
					; CODE XREF: RtlInsertElementGenericTableAvl(x,x,x,x)+29p
					; PiPnpRtlObjectEventCreate+156p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005E8BDE SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_14]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	ebx, 1
		jz	loc_515AAA
		mov	ecx, [ebp+arg_8]
		lea	eax, [ecx+10h]
		cmp	eax, ecx
		jb	loc_5E8BDE
		push	eax
		mov	eax, [edi+2Ch]
		push	edi
		call	eax
		mov	esi, eax
		test	esi, esi
		jz	loc_5E8BDE
		xor	eax, eax
		mov	[esi], eax
		mov	[esi+4], eax
		mov	[esi+8], eax
		mov	[esi+0Ch], eax
		inc	dword ptr [edi+18h]
		test	ebx, ebx
		jz	loc_515A8D
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		cmp	ebx, 2
		jz	short loc_515A81
		mov	[ecx+8], esi

loc_515A1B:				; CODE XREF: RtlInsertElementGenericTableFullAvl+C4j
		mov	[esi], ecx
		mov	byte ptr [edi+0Ch], 0FFh
		mov	eax, [esi]

loc_515A23:				; CODE XREF: RtlInsertElementGenericTableFullAvl+80j
		cmp	[eax+4], edx
		mov	dl, [ecx+0Ch]
		setnz	al
		lea	eax, ds:0FFFFFFFFh[eax*2]
		test	dl, dl
		jnz	short loc_515A42
		mov	[ecx+0Ch], al
		mov	edx, ecx
		mov	eax, [ecx]
		mov	ecx, eax
		jmp	short loc_515A23
; 

loc_515A42:				; CODE XREF: RtlInsertElementGenericTableFullAvl+75j
		cmp	dl, al
		jz	short loc_515A86
		mov	byte ptr [ecx+0Ch], 0
		cmp	byte ptr [edi+0Ch], 0
		jz	short loc_515AA5

loc_515A50:				; CODE XREF: RtlInsertElementGenericTableFullAvl+CBj
					; RtlInsertElementGenericTableFullAvl+D9j ...
		push	[ebp+arg_8]	; size_t
		lea	eax, [esi+10h]
		push	[ebp+arg_4]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_515A62:				; CODE XREF: RtlInsertElementGenericTableFullAvl+EDj
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jnz	short loc_515A9B

loc_515A69:				; CODE XREF: RtlInsertElementGenericTableFullAvl+E3j
		mov	dword ptr [edi+14h], 0
		lea	eax, [esi+10h]
		mov	dword ptr [edi+10h], 0

loc_515A7A:				; CODE XREF: RtlInsertElementGenericTableFullAvl+D322Aj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
; 

loc_515A81:				; CODE XREF: RtlInsertElementGenericTableFullAvl+56j
		mov	[ecx+4], esi
		jmp	short loc_515A1B
; 

loc_515A86:				; CODE XREF: RtlInsertElementGenericTableFullAvl+84j
		call	_RebalanceNode@4 ; RebalanceNode(x)
		jmp	short loc_515A50
; 

loc_515A8D:				; CODE XREF: RtlInsertElementGenericTableFullAvl+48j
		mov	[edi+8], esi
		mov	[esi], edi
		mov	dword ptr [edi+1Ch], 1
		jmp	short loc_515A50
; 

loc_515A9B:				; CODE XREF: RtlInsertElementGenericTableFullAvl+A7j
		cmp	ebx, 1
		setnz	al
		mov	[ecx], al
		jmp	short loc_515A69
; 

loc_515AA5:				; CODE XREF: RtlInsertElementGenericTableFullAvl+8Ej
		inc	dword ptr [edi+1Ch]
		jmp	short loc_515A50
; 

loc_515AAA:				; CODE XREF: RtlInsertElementGenericTableFullAvl+11j
		mov	esi, [ebp+arg_10]
		jmp	short loc_515A62
RtlInsertElementGenericTableFullAvl endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RebalanceNode(x)
_RebalanceNode@4 proc near		; CODE XREF: RtlInsertElementGenericTableFullAvl:loc_515A86p
					; DeleteNodeFromTree(x,x)+130p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	bl, [edi+0Ch]
		cmp	bl, 1
		jz	short loc_515B27
		mov	esi, [edi+4]

loc_515AC7:				; CODE XREF: RebalanceNode(x)+7Aj
		mov	al, [esi+0Ch]
		cmp	al, bl
		jz	short loc_515B16
		movsx	ecx, bl
		neg	ecx
		movsx	eax, al
		mov	[ebp+var_8], ecx
		cmp	eax, ecx
		jnz	short loc_515B36
		cmp	bl, 1
		jz	short loc_515B2C
		mov	ecx, [esi+8]

loc_515AE5:				; CODE XREF: RebalanceNode(x)+7Fj
		mov	[ebp+var_4], ecx
		call	_PromoteNode@4	; PromoteNode(x)
		call	_PromoteNode@4	; PromoteNode(x)
		mov	edx, [ebp+var_4]
		xor	ecx, ecx
		mov	[edi+0Ch], cl
		mov	[esi+0Ch], cl
		mov	al, [edx+0Ch]
		cmp	al, bl
		jz	short loc_515B47
		movsx	eax, al
		cmp	eax, [ebp+var_8]
		jz	short loc_515B31

loc_515B0C:				; CODE XREF: RebalanceNode(x)+84j
					; RebalanceNode(x)+9Cj
		mov	[edx+0Ch], cl

loc_515B0F:				; CODE XREF: RebalanceNode(x)+75j
		xor	eax, eax

loc_515B11:				; CODE XREF: RebalanceNode(x)+95j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_515B16:				; CODE XREF: RebalanceNode(x)+1Cj
		mov	ecx, esi
		call	_PromoteNode@4	; PromoteNode(x)
		xor	ecx, ecx
		mov	[esi+0Ch], cl
		mov	[edi+0Ch], cl
		jmp	short loc_515B0F
; 

loc_515B27:				; CODE XREF: RebalanceNode(x)+12j
		mov	esi, [edi+8]
		jmp	short loc_515AC7
; 

loc_515B2C:				; CODE XREF: RebalanceNode(x)+30j
		mov	ecx, [esi+4]
		jmp	short loc_515AE5
; 

loc_515B31:				; CODE XREF: RebalanceNode(x)+5Aj
		mov	[esi+0Ch], bl
		jmp	short loc_515B0C
; 

loc_515B36:				; CODE XREF: RebalanceNode(x)+2Bj
		mov	ecx, esi
		call	_PromoteNode@4	; PromoteNode(x)
		neg	bl
		xor	eax, eax
		mov	[esi+0Ch], bl
		inc	eax
		jmp	short loc_515B11
; 

loc_515B47:				; CODE XREF: RebalanceNode(x)+52j
		neg	bl
		mov	[edi+0Ch], bl
		jmp	short loc_515B0C
_RebalanceNode@4 endp


;  S U B	R O U T	I N E 


; __stdcall PromoteNode(x)
_PromoteNode@4	proc near		; CODE XREF: RebalanceNode(x)+38p
					; RebalanceNode(x)+3Dp	...
		mov	eax, [ecx]
		push	esi
		mov	edx, [eax]
		cmp	[eax+4], ecx
		jz	short loc_515B73
		mov	esi, [ecx+4]
		mov	[eax+8], esi
		test	esi, esi
		jnz	short loc_515B87

loc_515B62:				; CODE XREF: PromoteNode(x)+3Bj
		mov	[ecx+4], eax

loc_515B65:				; CODE XREF: PromoteNode(x)+32j
		mov	[eax], ecx
		pop	esi
		cmp	[edx+4], eax
		jnz	short loc_515B82
		mov	[edx+4], ecx

loc_515B70:				; CODE XREF: PromoteNode(x)+37j
		mov	[ecx], edx
		retn
; 

loc_515B73:				; CODE XREF: PromoteNode(x)+8j
		mov	esi, [ecx+8]
		mov	[eax+4], esi
		test	esi, esi
		jnz	short loc_515B8B

loc_515B7D:				; CODE XREF: PromoteNode(x)+3Fj
		mov	[ecx+8], eax
		jmp	short loc_515B65
; 

loc_515B82:				; CODE XREF: PromoteNode(x)+1Dj
		mov	[edx+8], ecx
		jmp	short loc_515B70
; 

loc_515B87:				; CODE XREF: PromoteNode(x)+12j
		mov	[esi], eax
		jmp	short loc_515B62
; 

loc_515B8B:				; CODE XREF: PromoteNode(x)+2Dj
		mov	[esi], eax
		jmp	short loc_515B7D
_PromoteNode@4	endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2032. RtlDeleteElementGenericTableAvl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDeleteElementGenericTableAvl(x, x)
		public _RtlDeleteElementGenericTableAvl@8
_RtlDeleteElementGenericTableAvl@8 proc	near ; CODE XREF: VfAvlDeleteTreeNode+5Dp
					; PiDqQueryDeleteObjectFromResultSet(x,x)+11p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	dword ptr [edi+18h], 0
		jz	short loc_515BD2
		mov	esi, [edi+8]
		mov	ebx, [ebp+arg_4]

loc_515BB7:				; CODE XREF: RtlDeleteElementGenericTableAvl(x,x)+30j
		lea	eax, [esi+10h]
		push	eax
		mov	eax, [edi+28h]
		push	ebx
		push	edi
		call	eax
		test	eax, eax
		jz	short loc_515BD6
		cmp	eax, 1
		jnz	short loc_515BDB
		mov	esi, [esi+8]

loc_515BCE:				; CODE XREF: RtlDeleteElementGenericTableAvl(x,x)+39j
		test	esi, esi
		jnz	short loc_515BB7

loc_515BD2:				; CODE XREF: RtlDeleteElementGenericTableAvl(x,x)+Fj
		xor	al, al
		jmp	short loc_515C06
; 

loc_515BD6:				; CODE XREF: RtlDeleteElementGenericTableAvl(x,x)+24j
		mov	esi, [esi+4]
		jmp	short loc_515BCE
; 

loc_515BDB:				; CODE XREF: RtlDeleteElementGenericTableAvl(x,x)+29j
		cmp	esi, [edi+20h]
		jz	short loc_515C0D

loc_515BE0:				; CODE XREF: RtlDeleteElementGenericTableAvl(x,x)+77j
		inc	dword ptr [edi+24h]
		mov	edx, esi
		mov	ecx, edi
		call	_DeleteNodeFromTree@8 ;	DeleteNodeFromTree(x,x)
		mov	eax, [edi+30h]
		dec	dword ptr [edi+18h]
		push	esi
		push	edi
		mov	dword ptr [edi+14h], 0
		mov	dword ptr [edi+10h], 0
		call	eax
		mov	al, 1

loc_515C06:				; CODE XREF: RtlDeleteElementGenericTableAvl(x,x)+34j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_515C0D:				; CODE XREF: RtlDeleteElementGenericTableAvl(x,x)+3Ej
		mov	ecx, esi
		call	RealPredecessor
		mov	[edi+20h], eax
		jmp	short loc_515BE0
_RtlDeleteElementGenericTableAvl@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DeleteNodeFromTree(x, x)
_DeleteNodeFromTree@8 proc near		; CODE XREF: RtlDeleteElementGenericTableAvl(x,x)+47p
					; RtlDeleteElementGenericTableAvlEx+1Dp

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		mov	eax, [ebx+4]
		test	eax, eax
		jnz	loc_515CBC

loc_515C3B:				; CODE XREF: DeleteNodeFromTree(x,x)+A1j
		mov	esi, ebx

loc_515C3D:				; CODE XREF: DeleteNodeFromTree(x,x)+B6j
					; DeleteNodeFromTree(x,x)+C9j ...
		mov	eax, [esi]
		or	dl, 0FFh
		mov	ecx, [esi+4]
		mov	edi, [eax+4]
		mov	[ebp+var_4], edi
		mov	edi, [ebp+var_8]
		test	ecx, ecx
		jnz	loc_515D38
		mov	ecx, [esi+8]
		cmp	[ebp+var_4], esi
		jz	short loc_515CB7
		mov	[eax+8], ecx
		mov	dl, 1

loc_515C63:				; CODE XREF: DeleteNodeFromTree(x,x)+9Aj
		mov	ecx, [esi+8]
		test	ecx, ecx
		jnz	loc_515D45

loc_515C6E:				; CODE XREF: DeleteNodeFromTree(x,x)+129j
					; DeleteNodeFromTree(x,x)+169j
		mov	byte ptr [edi+0Ch], 0
		mov	edi, [esi]

loc_515C74:				; CODE XREF: DeleteNodeFromTree(x,x)+95j
		mov	al, [edi+0Ch]
		cmp	al, dl
		jz	short loc_515CA0
		test	al, al
		jnz	loc_515D4E
		mov	eax, [ebp+var_8]
		neg	dl
		mov	[edi+0Ch], dl
		cmp	byte ptr [eax+0Ch], 0
		jnz	loc_515D30

loc_515C95:				; CODE XREF: DeleteNodeFromTree(x,x)+113j
					; DeleteNodeFromTree(x,x)+137j
		cmp	ebx, esi
		jnz	short loc_515CEE

loc_515C99:				; CODE XREF: DeleteNodeFromTree(x,x)+FEj
					; DeleteNodeFromTree(x,x)+106j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_515CA0:				; CODE XREF: DeleteNodeFromTree(x,x)+59j
		mov	byte ptr [edi+0Ch], 0

loc_515CA4:				; CODE XREF: DeleteNodeFromTree(x,x)+13Fj
		mov	eax, [edi]
		cmp	[eax+8], edi
		mov	edi, eax
		setz	dl
		lea	edx, ds:0FFFFFFFFh[edx*2]
		jmp	short loc_515C74
; 

loc_515CB7:				; CODE XREF: DeleteNodeFromTree(x,x)+3Cj
		mov	[eax+4], ecx
		jmp	short loc_515C63
; 

loc_515CBC:				; CODE XREF: DeleteNodeFromTree(x,x)+15j
		mov	esi, [ebx+8]
		test	esi, esi
		jz	loc_515C3B
		cmp	byte ptr [ebx+0Ch], 0
		jl	loc_515D64
		mov	eax, [esi+4]
		test	eax, eax
		jz	loc_515C3D
		lea	esp, [esp+0]

loc_515CE0:				; CODE XREF: DeleteNodeFromTree(x,x)+C7j
		mov	esi, eax
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_515CE0
		jmp	loc_515C3D
; 

loc_515CEE:				; CODE XREF: DeleteNodeFromTree(x,x)+77j
		mov	eax, [ebx]
		mov	[esi], eax
		mov	eax, [ebx+4]
		mov	[esi+4], eax
		mov	eax, [ebx+8]
		mov	[esi+8], eax
		mov	eax, [ebx+0Ch]
		mov	[esi+0Ch], eax
		mov	eax, [ebx]
		mov	ecx, [esi]
		cmp	[eax+4], ebx
		jz	short loc_515D2B
		mov	[ecx+8], esi

loc_515D10:				; CODE XREF: DeleteNodeFromTree(x,x)+10Ej
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_515D19
		mov	[eax], esi

loc_515D19:				; CODE XREF: DeleteNodeFromTree(x,x)+F5j
		mov	eax, [esi+8]
		test	eax, eax
		jz	loc_515C99
		mov	[eax], esi
		jmp	loc_515C99
; 

loc_515D2B:				; CODE XREF: DeleteNodeFromTree(x,x)+EBj
		mov	[ecx+4], esi
		jmp	short loc_515D10
; 

loc_515D30:				; CODE XREF: DeleteNodeFromTree(x,x)+6Fj
		dec	dword ptr [eax+1Ch]
		jmp	loc_515C95
; 

loc_515D38:				; CODE XREF: DeleteNodeFromTree(x,x)+30j
		cmp	[ebp+var_4], esi
		jz	short loc_515D7F
		mov	[eax+8], ecx
		mov	dl, 1
		mov	ecx, [esi+4]

loc_515D45:				; CODE XREF: DeleteNodeFromTree(x,x)+48j
		mov	eax, [esi]
		mov	[ecx], eax
		jmp	loc_515C6E
; 

loc_515D4E:				; CODE XREF: DeleteNodeFromTree(x,x)+5Dj
		mov	ecx, edi
		call	_RebalanceNode@4 ; RebalanceNode(x)
		test	eax, eax
		jnz	loc_515C95
		mov	edi, [edi]
		jmp	loc_515CA4
; 

loc_515D64:				; CODE XREF: DeleteNodeFromTree(x,x)+ABj
		mov	esi, eax
		mov	eax, [esi+8]
		test	eax, eax
		jz	loc_515C3D

loc_515D71:				; CODE XREF: DeleteNodeFromTree(x,x)+158j
		mov	esi, eax
		mov	eax, [esi+8]
		test	eax, eax
		jnz	short loc_515D71
		jmp	loc_515C3D
; 

loc_515D7F:				; CODE XREF: DeleteNodeFromTree(x,x)+11Bj
		mov	[eax+4], ecx
		mov	ecx, [esi+4]
		mov	eax, [esi]
		mov	[ecx], eax
		jmp	loc_515C6E
_DeleteNodeFromTree@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2211. RtlIsGenericTableEmptyAvl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsGenericTableEmptyAvl(x)
		public _RtlIsGenericTableEmptyAvl@4
_RtlIsGenericTableEmptyAvl@4 proc near	; CODE XREF: PiDqQueryFreeActiveData+19p
					; PiPnpRtlEndOperation+81p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+18h], 0
		setz	al
		pop	ebp
		retn	4
_RtlIsGenericTableEmptyAvl@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringCchCopyNExW proc near		; CODE XREF: _CmGetDeviceInterfaceSubkeyPath+BAp
					; _CmGetDeviceInterfaceSubkeyPath+118p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005E8BEF SIZE 000000FF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_10]
		xor	ecx, ecx
		mov	eax, edx
		mov	esi, ecx
		and	eax, 100h
		mov	ecx, 7FFFFFFFh
		mov	[ebp+var_C], eax
		mov	eax, 0C000000Dh
		jnz	loc_5E8BEF
		test	edi, edi
		jz	loc_5E8BFF

loc_515DE0:				; CODE XREF: RtlStringCchCopyNExW+D2E49j
					; RtlStringCchCopyNExW+D2E51j
		cmp	edi, ecx
		ja	loc_5E8BFF

loc_515DE8:				; CODE XREF: RtlStringCchCopyNExW+D2E59j
		test	esi, esi
		js	loc_5E8CDC
		mov	eax, edi
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], eax
		cmp	[ebp+arg_4], ecx
		jnb	loc_5E8C06
		cmp	[ebp+var_C], 0
		mov	ecx, [ebp+arg_0]
		jnz	loc_5E8C1D

loc_515E0E:				; CODE XREF: RtlStringCchCopyNExW+D2E77j
					; RtlStringCchCopyNExW+D2E86j
		xor	esi, esi
		test	edx, 0FFFFE000h
		jnz	loc_5E8C33
		test	edi, edi
		jz	loc_5E8C80
		push	[ebp+arg_4]
		xor	eax, eax
		mov	edx, edi
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+arg_0]
		push	ecx
		push	eax
		mov	ecx, ebx
		call	sub_515E90
		mov	ecx, [ebp+arg_0]
		mov	esi, eax
		lea	eax, [ebx+ecx*2]
		mov	[ebp+var_4], eax
		mov	eax, edi
		sub	eax, ecx
		mov	[ebp+arg_0], eax
		mov	[ebp+var_8], eax
		test	esi, esi
		js	loc_5E8C41
		mov	edx, [ebp+arg_10]
		test	edx, 200h
		jnz	loc_5E8CA8

loc_515E66:				; CODE XREF: RtlStringCchCopyNExW+D2E65j
					; RtlStringCchCopyNExW+D2E70j ...
		test	esi, esi
		js	loc_5E8C41

loc_515E6E:				; CODE XREF: RtlStringCchCopyNExW+D2EC1j
					; RtlStringCchCopyNExW+D2ED3j ...
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	short loc_515E85

loc_515E75:				; CODE XREF: RtlStringCchCopyNExW+E2j
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jnz	short loc_515E8C

loc_515E7C:				; CODE XREF: RtlStringCchCopyNExW+E6j
					; RtlStringCchCopyNExW+D2ECDj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_515E85:				; CODE XREF: RtlStringCchCopyNExW+CBj
		mov	edx, [ebp+var_4]
		mov	[ecx], edx
		jmp	short loc_515E75
; 

loc_515E8C:				; CODE XREF: RtlStringCchCopyNExW+D2j
		mov	[ecx], eax
		jmp	short loc_515E7C
RtlStringCchCopyNExW endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_515E90	proc near		; CODE XREF: RtlStringCchCopyNExW+8Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		xor	edi, edi
		test	esi, esi
		jz	short loc_515EC2
		mov	ebx, [ebp+arg_4]
		mov	eax, [ebp+arg_8]
		sub	ebx, ecx

loc_515EA8:				; CODE XREF: sub_515E90+30j
		test	eax, eax
		jz	short loc_515ECD
		movzx	edx, word ptr [ebx+ecx]
		test	dx, dx
		jz	short loc_515ECD
		mov	[ecx], dx
		dec	eax
		add	ecx, 2
		inc	edi
		sub	esi, 1
		jnz	short loc_515EA8

loc_515EC2:				; CODE XREF: sub_515E90+Ej
					; sub_515E90+3Fj
		sub	ecx, 2
		mov	edx, 80000005h
		dec	edi
		jmp	short loc_515ED3
; 

loc_515ECD:				; CODE XREF: sub_515E90+1Aj
					; sub_515E90+23j
		test	esi, esi
		jz	short loc_515EC2
		xor	edx, edx

loc_515ED3:				; CODE XREF: sub_515E90+3Bj
		xor	eax, eax
		mov	[ecx], ax
		mov	eax, edx
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_515EE3
		mov	[ecx], edi

loc_515EE3:				; CODE XREF: sub_515E90+4Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
sub_515E90	endp

; 
		align 10h
; Exported entry 1819. PsGetServerSiloServiceSessionId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetServerSiloServiceSessionId(x)
		public _PsGetServerSiloServiceSessionId@4
_PsGetServerSiloServiceSessionId@4 proc	near
					; CODE XREF: PnpNotifyTargetDeviceChangeNotifyEntry(x,x,x,x)+16p
					; PnpNotifyTargetDeviceChange+E0p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_515F0D
		mov	eax, offset _PspHostSiloGlobals

loc_515F01:				; CODE XREF: PsGetServerSiloServiceSessionId(x)+23j
		mov	eax, [eax+28Ch]
		mov	eax, [eax]
		pop	ebp
		retn	4
; 

loc_515F0D:				; CODE XREF: PsGetServerSiloServiceSessionId(x)+Aj
		mov	eax, [eax+2F8h]
		jmp	short loc_515F01
_PsGetServerSiloServiceSessionId@4 endp

; 
		align 10h
; Exported entry 1843. PsIsCurrentThreadInServerSilo

;  S U B	R O U T	I N E 


; __stdcall PsIsCurrentThreadInServerSilo()
		public _PsIsCurrentThreadInServerSilo@0
_PsIsCurrentThreadInServerSilo@0 proc near ; CODE XREF:	RtlGetActiveConsoleId()p
					; RtlGetNtProductType(x)+6p ...
		call	_KeIsExecutingInArbitraryThreadContext@0 ; KeIsExecutingInArbitraryThreadContext()
		test	eax, eax
		jz	short loc_515F31
		xor	eax, eax
		test	eax, eax
		setnz	al
		retn
; 

loc_515F31:				; CODE XREF: PsIsCurrentThreadInServerSilo()+7j
		mov	eax, large fs:124h
		mov	ecx, [eax+390h]
		cmp	ecx, 0FFFFFFFDh
		jz	short loc_515F4E
		push	ecx
		call	_PsGetEffectiveServerSilo@4 ; PsGetEffectiveServerSilo(x)
		test	eax, eax
		setnz	al
		retn
; 

loc_515F4E:				; CODE XREF: PsIsCurrentThreadInServerSilo()+20j
		mov	eax, [eax+150h]
		mov	eax, [eax+3A0h]
		test	eax, eax
		setnz	al
		retn
_PsIsCurrentThreadInServerSilo@0 endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2248. RtlLookupElementGenericTableFullAvl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLookupElementGenericTableFullAvl(x, x, x, x)
		public _RtlLookupElementGenericTableFullAvl@16
_RtlLookupElementGenericTableFullAvl@16	proc near ; CODE XREF: PiPnpRtlObjectEventCreate+A8p
					; PiDmAddCacheReferenceForObject+87p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	dword ptr [edi+18h], 0
		jz	short loc_515FF4
		mov	esi, [edi+8]
		mov	ebx, [ebp+arg_4]

loc_515F87:				; CODE XREF: RtlLookupElementGenericTableFullAvl(x,x,x,x)+34j
					; RtlLookupElementGenericTableFullAvl(x,x,x,x)+3Fj
		lea	eax, [esi+10h]
		push	eax
		mov	eax, [edi+28h]
		push	ebx
		push	edi
		call	eax
		test	eax, eax
		jz	short loc_515FA6
		cmp	eax, 1
		jnz	short loc_515FDF
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_515FB1
		mov	esi, eax
		jmp	short loc_515F87
; 

loc_515FA6:				; CODE XREF: RtlLookupElementGenericTableFullAvl(x,x,x,x)+24j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_515FC8
		mov	esi, eax
		jmp	short loc_515F87
; 

loc_515FB1:				; CODE XREF: RtlLookupElementGenericTableFullAvl(x,x,x,x)+30j
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		mov	eax, [ebp+arg_C]
		mov	dword ptr [eax], 3
		xor	eax, eax

loc_515FC1:				; CODE XREF: RtlLookupElementGenericTableFullAvl(x,x,x,x)+82j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_515FC8:				; CODE XREF: RtlLookupElementGenericTableFullAvl(x,x,x,x)+3Bj
		mov	eax, [ebp+arg_8]
		pop	edi
		mov	[eax], esi
		mov	eax, [ebp+arg_C]
		pop	esi
		pop	ebx
		mov	dword ptr [eax], 2
		xor	eax, eax
		pop	ebp
		retn	10h
; 

loc_515FDF:				; CODE XREF: RtlLookupElementGenericTableFullAvl(x,x,x,x)+29j
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_C]
		mov	[ecx], esi
		mov	dword ptr [eax], 1
		mov	eax, [ecx]
		add	eax, 10h
		jmp	short loc_515FC1
; 

loc_515FF4:				; CODE XREF: RtlLookupElementGenericTableFullAvl(x,x,x,x)+Fj
		mov	eax, [ebp+arg_C]
		pop	edi
		pop	esi
		pop	ebx
		mov	dword ptr [eax], 0
		xor	eax, eax
		pop	ebp
		retn	10h
_RtlLookupElementGenericTableFullAvl@16	endp

; 
		align 10h
; Exported entry 2246. RtlLookupElementGenericTableAvl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLookupElementGenericTableAvl(x, x)
		public _RtlLookupElementGenericTableAvl@8
_RtlLookupElementGenericTableAvl@8 proc	near ; CODE XREF: VfAvlLookupTreeNode+B0p
					; VfAvlLookupTreeNode+91FBCp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		cmp	[edi+18h], esi
		jz	short loc_51606A
		mov	esi, [edi+8]
		push	ebx
		mov	ebx, [ebp+arg_4]

loc_516028:				; CODE XREF: RtlLookupElementGenericTableAvl(x,x)+35j
					; RtlLookupElementGenericTableAvl(x,x)+58j
		lea	eax, [esi+10h]
		push	eax
		mov	eax, [edi+28h]
		push	ebx
		push	edi
		call	eax
		test	eax, eax
		jz	short loc_51605F
		cmp	eax, 1
		jnz	short loc_516047
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_516096
		mov	esi, eax
		jmp	short loc_516028
; 

loc_516047:				; CODE XREF: RtlLookupElementGenericTableAvl(x,x)+2Aj
		mov	eax, 1
		lea	ecx, [esi+10h]
		dec	eax
		neg	eax
		pop	ebx
		sbb	eax, eax
		not	eax
		pop	edi
		and	eax, ecx
		pop	esi
		pop	ebp
		retn	8
; 

loc_51605F:				; CODE XREF: RtlLookupElementGenericTableAvl(x,x)+25j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_51607E
		mov	esi, eax
		jmp	short loc_516028
; 

loc_51606A:				; CODE XREF: RtlLookupElementGenericTableAvl(x,x)+Fj
		xor	eax, eax
		lea	ecx, [esi+10h]
		dec	eax
		neg	eax
		pop	edi
		sbb	eax, eax
		not	eax
		and	eax, ecx
		pop	esi
		pop	ebp
		retn	8
; 

loc_51607E:				; CODE XREF: RtlLookupElementGenericTableAvl(x,x)+54j
		mov	eax, 2
		lea	ecx, [esi+10h]
		dec	eax
		neg	eax
		pop	ebx
		sbb	eax, eax
		not	eax
		pop	edi
		and	eax, ecx
		pop	esi
		pop	ebp
		retn	8
; 

loc_516096:				; CODE XREF: RtlLookupElementGenericTableAvl(x,x)+31j
		mov	eax, 3
		lea	ecx, [esi+10h]
		dec	eax
		neg	eax
		pop	ebx
		sbb	eax, eax
		not	eax
		pop	edi
		and	eax, ecx
		pop	esi
		pop	ebp
		retn	8
_RtlLookupElementGenericTableAvl@8 endp


;  S U B	R O U T	I N E 


; __stdcall _PnpMapCmStatusToDispatchStatus(x)
__PnpMapCmStatusToDispatchStatus@4 proc	near ; CODE XREF: _PnpDispatchInterfaceClass+4Cp
					; _PnpDispatchDeviceInterface+4Ap ...
		cmp	ecx, 0C000000Eh
		jz	short loc_5160ED
		cmp	ecx, 0C0000039h
		jz	short loc_5160E7
		cmp	ecx, 0C000003Ah
		jz	short loc_5160ED
		cmp	ecx, 0C00000BBh
		jz	short loc_5160E1
		cmp	ecx, 0C00000C0h
		jz	short loc_5160ED
		cmp	ecx, 0C00002B9h
		jz	short loc_5160ED
		mov	eax, ecx
		retn
; 

loc_5160E1:				; CODE XREF: _PnpMapCmStatusToDispatchStatus(x)+1Ej
		mov	eax, 0C0000225h
		retn
; 

loc_5160E7:				; CODE XREF: _PnpMapCmStatusToDispatchStatus(x)+Ej
		mov	eax, 0C0000033h
		retn
; 

loc_5160ED:				; CODE XREF: _PnpMapCmStatusToDispatchStatus(x)+6j
					; _PnpMapCmStatusToDispatchStatus(x)+16j ...
		mov	eax, 0C0000034h
		retn
__PnpMapCmStatusToDispatchStatus@4 endp

; 
		align 10h
; Exported entry 2164. RtlInitUnicodeStringEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitUnicodeStringEx(x, x)
		public _RtlInitUnicodeStringEx@8
_RtlInitUnicodeStringEx@8 proc near	; CODE XREF: _CmIsRootEnumeratedDevice(x)+14p
					; PiCMGetRelatedDeviceInstance+15Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		mov	[edx], eax
		mov	eax, [ebp+arg_4]
		mov	[edx+4], eax
		test	eax, eax
		jz	short loc_516143
		push	esi
		lea	esi, [eax+2]
		lea	ebx, [ebx+0]

loc_516120:				; CODE XREF: RtlInitUnicodeStringEx(x,x)+29j
		mov	cx, [eax]
		add	eax, 2
		test	cx, cx
		jnz	short loc_516120
		sub	eax, esi
		sar	eax, 1
		pop	esi
		cmp	eax, 7FFEh
		ja	short loc_516149
		add	eax, eax
		mov	[edx], ax
		add	eax, 2
		mov	[edx+2], ax

loc_516143:				; CODE XREF: RtlInitUnicodeStringEx(x,x)+14j
		xor	eax, eax

loc_516145:				; CODE XREF: RtlInitUnicodeStringEx(x,x)+4Ej
		pop	ebp
		retn	8
; 

loc_516149:				; CODE XREF: RtlInitUnicodeStringEx(x,x)+35j
		mov	eax, 0C0000106h
		jmp	short loc_516145
_RtlInitUnicodeStringEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringCchLengthW(x, x, x)
_RtlStringCchLengthW@12	proc near	; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+6Cp
					; RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+8Cp	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_516174
		cmp	edx, 7FFFFFFFh
		ja	short loc_516174
		push	esi
		call	sub_516190

loc_51616B:				; CODE XREF: RtlStringCchLengthW(x,x,x)+29j
		test	eax, eax
		js	short loc_51617B

loc_51616F:				; CODE XREF: RtlStringCchLengthW(x,x,x)+2Dj
					; RtlStringCchLengthW(x,x,x)+32j
		pop	esi
		pop	ebp
		retn	4
; 

loc_516174:				; CODE XREF: RtlStringCchLengthW(x,x,x)+Bj
					; RtlStringCchLengthW(x,x,x)+13j
		mov	eax, 0C000000Dh
		jmp	short loc_51616B
; 

loc_51617B:				; CODE XREF: RtlStringCchLengthW(x,x,x)+1Dj
		test	esi, esi
		jz	short loc_51616F
		and	dword ptr [esi], 0
		jmp	short loc_51616F
_RtlStringCchLengthW@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_516190	proc near		; CODE XREF: RtlStringCchLengthW(x,x,x)+16p
					; _PnpOpenPropertiesKey+60p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		mov	eax, edx
		test	edx, edx
		jz	short loc_5161AD
		mov	edi, edi

loc_5161A0:				; CODE XREF: sub_516190+1Bj
		cmp	[ecx], si
		jz	short loc_5161B4
		add	ecx, 2
		sub	edx, 1
		jnz	short loc_5161A0

loc_5161AD:				; CODE XREF: sub_516190+Cj
					; sub_516190+26j
		mov	esi, 0C000000Dh
		jmp	short loc_5161B8
; 

loc_5161B4:				; CODE XREF: sub_516190+13j
		test	edx, edx
		jz	short loc_5161AD

loc_5161B8:				; CODE XREF: sub_516190+22j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_5161C7
		test	esi, esi
		js	short loc_5161CE
		sub	eax, edx
		mov	[ecx], eax

loc_5161C7:				; CODE XREF: sub_516190+2Dj
					; sub_516190+44j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_5161CE:				; CODE XREF: sub_516190+31j
		mov	dword ptr [ecx], 0
		jmp	short loc_5161C7
sub_516190	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl RtlStringCchPrintfExW(void *,int,int,int,int,wchar_t *,char)
RtlStringCchPrintfExW proc near		; CODE XREF: PopDiagTraceProcessorThrottleDurationPerfTrack(x,x)+6Bp
					; PopDiagTraceProcessorThrottlePerfTrack(x,x)+72p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h

; FUNCTION CHUNK AT 005E8CEE SIZE 000000E8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_10]
		sub	esp, 0Ch
		mov	eax, ecx
		xor	edx, edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		and	eax, 100h
		jnz	loc_5E8CEE
		test	esi, esi
		jz	loc_5E8D0F
		cmp	esi, 7FFFFFFFh
		ja	loc_5E8D0F

loc_516213:				; CODE XREF: RtlStringCchPrintfExW+D2B34j
		mov	ebx, [ebp+arg_0]

loc_516216:				; CODE XREF: RtlStringCchPrintfExW+D2B1Fj
					; RtlStringCchPrintfExW+D2B2Aj
		test	edx, edx
		js	loc_5E8DC6
		mov	edx, ebx
		test	eax, eax
		mov	eax, [ebp+arg_14]
		mov	ebx, esi
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ebx
		jnz	loc_5E8D19

loc_516233:				; CODE XREF: RtlStringCchPrintfExW+D2B3Bj
					; RtlStringCchPrintfExW+D2B49j
		push	edi
		xor	edi, edi
		test	ecx, 0FFFFE000h
		jnz	loc_5E8D2E
		test	esi, esi
		jz	loc_5E8D44
		mov	ebx, [ebp+arg_0]
		lea	edi, [esi-1]
		xor	eax, eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+arg_18]
		push	eax		; va_list
		push	[ebp+arg_14]	; wchar_t *
		push	edi		; size_t
		push	ebx		; wchar_t *
		call	__vsnwprintf
		add	esp, 10h
		test	eax, eax
		js	short loc_5162BF
		cmp	eax, edi
		jz	short loc_5162AF
		ja	short loc_5162BF
		mov	edi, eax

loc_516272:				; CODE XREF: RtlStringCchPrintfExW+D5j
		lea	edx, [ebx+edi*2]
		mov	ebx, esi
		sub	ebx, edi
		mov	[ebp+var_4], edx
		mov	edi, [ebp+var_C]
		mov	[ebp+var_8], ebx
		test	edi, edi
		js	loc_5E8D81
		mov	eax, [ebp+arg_10]
		test	eax, 200h
		jnz	loc_5E8D64

loc_516298:				; CODE XREF: RtlStringCchPrintfExW+D2B67j
					; RtlStringCchPrintfExW+D2B87j	...
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_5162B7

loc_51629F:				; CODE XREF: RtlStringCchPrintfExW+D9j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	short loc_5162BB

loc_5162A6:				; CODE XREF: RtlStringCchPrintfExW+DDj
					; RtlStringCchPrintfExW+D2BDBj
		mov	eax, edi
		pop	edi

loc_5162A9:				; CODE XREF: RtlStringCchPrintfExW+D2BF1j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5162AF:				; CODE XREF: RtlStringCchPrintfExW+8Cj
					; RtlStringCchPrintfExW+E6j
		xor	eax, eax
		mov	[ebx+edi*2], ax
		jmp	short loc_516272
; 

loc_5162B7:				; CODE XREF: RtlStringCchPrintfExW+BDj
		mov	[eax], edx
		jmp	short loc_51629F
; 

loc_5162BB:				; CODE XREF: RtlStringCchPrintfExW+C4j
		mov	[eax], ebx
		jmp	short loc_5162A6
; 

loc_5162BF:				; CODE XREF: RtlStringCchPrintfExW+88j
					; RtlStringCchPrintfExW+8Ej
		mov	[ebp+var_C], 80000005h
		jmp	short loc_5162AF
RtlStringCchPrintfExW endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringCbCopyW(x,	x, x)
_RtlStringCbCopyW@12 proc near		; CODE XREF: RtlpAllowsLowBoxAccess(x)+E0p
					; RtlpGetNameFromLangInfoNode+5Dp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		shr	edx, 1
		mov	eax, edx
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFF3h
		add	eax, 0C000000Dh
		test	edx, edx
		jz	short loc_5162ED
		push	ecx
		push	[ebp+arg_0]
		push	ecx
		call	RtlStringCopyWorkerW

loc_5162ED:				; CODE XREF: RtlStringCbCopyW(x,x,x)+19j
		pop	ebp
		retn	4
_RtlStringCbCopyW@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2419. SeAccessCheckFromState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeAccessCheckFromState
SeAccessCheckFromState proc near	; CODE XREF: CmpCheckAdminAccess+50p
					; EtwpAccessCheckFromState(x,x,x)+39p

var_56C		= dword	ptr -56Ch
var_568		= dword	ptr -568h
var_564		= dword	ptr -564h
var_560		= dword	ptr -560h
var_55C		= dword	ptr -55Ch
var_558		= dword	ptr -558h
var_2B0		= dword	ptr -2B0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 005E8DD6 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 56Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+56Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+56Ch+var_55C], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	[esp+570h+var_560], eax
		mov	eax, [ebp+arg_18]
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[esp+574h+var_564], eax
		mov	eax, [ebp+arg_20]
		push	edi
		mov	[esp+578h+var_568], eax
		xor	edi, edi
		mov	eax, [ebp+arg_24]
		push	2A8h		; size_t
		mov	[esp+57Ch+var_56C], eax
		lea	eax, [esp+57Ch+var_2B0]
		push	edi		; int
		push	eax		; void *
		call	_memset
		push	2A8h		; size_t
		lea	eax, [esp+588h+var_558]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 18h
		lea	edx, [esp+578h+var_2B0]
		mov	ecx, esi
		call	_SepTokenFromAccessInformation@8 ; SepTokenFromAccessInformation(x,x)
		test	ebx, ebx
		jnz	loc_5E8DD6

loc_51637C:				; CODE XREF: SeAccessCheckFromState+D2AEFj
		push	[esp+578h+var_56C]
		lea	eax, [esp+57Ch+var_2B0]
		push	[esp+57Ch+var_568]
		push	[ebp+arg_1C]
		push	[esp+584h+var_564]
		push	[esp+588h+var_560]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	edi
		push	eax
		push	[esp+59Ch+var_55C]
		call	SeAccessCheckFromStateEx
		mov	ecx, [esp+578h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	28h
SeAccessCheckFromState endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2420. SeAccessCheckFromStateEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeAccessCheckFromStateEx
SeAccessCheckFromStateEx proc near	; CODE XREF: SeAccessCheckFromState+ACp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 005E8DEA SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	edi
		xor	eax, eax
		lea	edi, [esp+18h+var_10]
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_4]
		mov	[esp+18h+var_8], eax
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	loc_5E8DEA

loc_5163EC:				; CODE XREF: SeAccessCheckFromStateEx+D2A34j
		push	[ebp+arg_24]
		lea	eax, [esp+1Ch+var_10]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	1
		push	eax
		push	0
		push	[ebp+arg_0]
		call	_SeAccessCheckWithHint@44 ; SeAccessCheckWithHint(x,x,x,x,x,x,x,x,x,x,x)
		pop	edi
		mov	esp, ebp
		pop	ebp
		retn	28h
SeAccessCheckFromStateEx endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl RtlStringCbPrintfW(wchar_t *,int,wchar_t *,char)
_RtlStringCbPrintfW proc near		; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+49Fp
					; ExProcessorCounterSetCallback+1FAp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		shr	eax, 1
		mov	ecx, eax
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 3FFFFFF3h
		add	ecx, 0C000000Dh
		test	eax, eax
		jz	short loc_51644E
		lea	ecx, [ebp+arg_C]
		mov	edx, eax	; int
		push	ecx		; va_list
		push	[ebp+arg_8]	; wchar_t *
		push	ecx		; int
		mov	ecx, [ebp+arg_0] ; wchar_t *
		call	RtlStringVPrintfWorkerW
		mov	ecx, eax

loc_51644E:				; CODE XREF: _RtlStringCbPrintfW+1Ej
		mov	eax, ecx
		pop	ebp
		retn
_RtlStringCbPrintfW endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlStringVPrintfWorkerW(wchar_t *,int,int,wchar_t *,va_list)
RtlStringVPrintfWorkerW	proc near	; CODE XREF: _RtlStringCbPrintfW+2Dp

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_8]	; va_list
		lea	esi, [edx-1]
		mov	edi, ecx
		push	[ebp+arg_4]	; wchar_t *
		xor	ebx, ebx
		push	esi		; size_t
		push	edi		; wchar_t *
		call	__vsnwprintf
		add	esp, 10h
		test	eax, eax
		js	short loc_51648C
		cmp	eax, esi
		jz	short loc_516484
		ja	short loc_51648C

loc_51647B:				; CODE XREF: RtlStringVPrintfWorkerW+38j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_516484:				; CODE XREF: RtlStringVPrintfWorkerW+25j
					; RtlStringVPrintfWorkerW+3Fj
		xor	eax, eax
		mov	[edi+esi*2], ax
		jmp	short loc_51647B
; 

loc_51648C:				; CODE XREF: RtlStringVPrintfWorkerW+21j
					; RtlStringVPrintfWorkerW+27j
		mov	ebx, 80000005h
		jmp	short loc_516484
RtlStringVPrintfWorkerW	endp

; 
		align 10h
; Exported entry 1235. KeQuerySystemTime

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeQuerySystemTime
KeQuerySystemTime proc near		; CODE XREF: MiGatherPagefilePages+414p
					; CcLazyWriteScan+202p	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, 0FFDF0018h
		mov	[ebp+var_4], 0
		mov	eax, [eax]
		mov	[esi+4], eax
		mov	eax, 0FFDF0014h
		mov	eax, [eax]
		mov	[esi], eax
		mov	eax, 0FFDF001Ch
		mov	eax, [eax]
		cmp	[esi+4], eax
		jnz	sub_5E8DFD

loc_5164D4:				; CODE XREF: sub_5E8DFD+29j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
KeQuerySystemTime endp

; 
		align 4

;  S U B	R O U T	I N E 


_MapCmDevicePropertyToRegValue proc near ; CODE	XREF: _CmGetDeviceRegPropWorker+123p
					; _CmSetDeviceRegPropWorker+B5p

; FUNCTION CHUNK AT 005E8E2B SIZE 0000000C BYTES

		cmp	edx, 10h
		jg	short loc_5164FE
		jz	loc_516573
		dec	edx
		cmp	edx, 0Dh	; switch 14 cases
		ja	loc_5165C0	; default
		jmp	ds:off_5165C4[edx*4] ; switch jump

loc_5164F8:				; DATA XREF: .text:off_5165C4o
		mov	eax, (offset off_5A7A00+2) ; case 0x1
		retn
; 

loc_5164FE:				; CODE XREF: _MapCmDevicePropertyToRegValue+3j
		cmp	edx, 1Bh
		jle	short loc_51654A
		sub	edx, 1Ch
		jz	loc_5165AE
		sub	edx, 1
		jz	short loc_516585
		sub	edx, 1
		jz	loc_5E8E31
		sub	edx, 4
		jz	loc_5165BA
		sub	edx, 3
		jnz	loc_5165C0	; default
		mov	eax, offset ??_C@_1BI@NJNACJEM@?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAI?$AAD@FNODOBFM@
		retn
; 

loc_516532:				; CODE XREF: _MapCmDevicePropertyToRegValue+15j
					; DATA XREF: .text:off_5165C4o
		mov	eax, offset ??_C@_1O@GAOCKAOK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@FNODOBFM@ ; case 0x9
		retn
; 

loc_516538:				; CODE XREF: _MapCmDevicePropertyToRegValue+15j
					; DATA XREF: .text:off_5165C4o
		mov	eax, offset ??_C@_1BK@BFIEKNFP@?$AAF?$AAr?$AAi?$AAe?$AAn?$AAd?$AAl?$AAy?$AAN?$AAa?$AAm?$AAe@FNODOBFM@ ;	case 0xC
		retn
; 

loc_51653E:				; CODE XREF: _MapCmDevicePropertyToRegValue+15j
					; DATA XREF: .text:off_5165C4o
		mov	eax, offset ??_C@_1BG@NKLOKCD@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAD?$AAe?$AAs?$AAc@FNODOBFM@ ; case 0x0
		retn
; 

loc_516544:				; CODE XREF: _MapCmDevicePropertyToRegValue+15j
					; DATA XREF: .text:off_5165C4o
		mov	eax, offset ??_C@_1BI@KGJMAEC@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAF?$AAl?$AAa?$AAg?$AAs@FNODOBFM@	; case 0xA
		retn
; 

loc_51654A:				; CODE XREF: _MapCmDevicePropertyToRegValue+25j
		jz	short loc_5165A8
		sub	edx, 11h
		jz	short loc_51657F
		sub	edx, 1
		jz	short loc_51656D
		sub	edx, 1
		jnz	short loc_51658B
		mov	eax, offset ??_C@_1BK@LMFDGODN@?$AAL?$AAo?$AAw?$AAe?$AAr?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@FNODOBFM@ ;	"LowerFilters"
		retn
; 

loc_516561:				; CODE XREF: _MapCmDevicePropertyToRegValue+15j
					; DATA XREF: .text:off_5165C4o
		mov	eax, offset ??_C@_1BM@BPOEEBIO@?$AAC?$AAo?$AAm?$AAp?$AAa?$AAt?$AAi?$AAb?$AAl?$AAe?$AAI?$AAD?$AAs@FNODOBFM@ ; case 0x2
		retn
; 

loc_516567:				; CODE XREF: _MapCmDevicePropertyToRegValue+15j
					; DATA XREF: .text:off_5165C4o
		mov	eax, offset ??_C@_1BA@IELBACJJ@?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe@FNODOBFM@ ; case 0x4
		retn
; 

loc_51656D:				; CODE XREF: _MapCmDevicePropertyToRegValue+78j
		mov	eax, offset ??_C@_1BK@FNJCPENK@?$AAU?$AAp?$AAp?$AAe?$AAr?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@FNODOBFM@
		retn
; 

loc_516573:				; CODE XREF: _MapCmDevicePropertyToRegValue+5j
		mov	eax, (offset off_5A7A84+2)
		retn
; 

loc_516579:				; CODE XREF: _MapCmDevicePropertyToRegValue+15j
					; DATA XREF: .text:off_5165C4o
		mov	eax, offset ??_C@_17FABJNEFH@?$AAM?$AAf?$AAg@FNODOBFM@ ; case 0xB
		retn
; 

loc_51657F:				; CODE XREF: _MapCmDevicePropertyToRegValue+73j
		mov	eax, offset ??_C@_1BC@CCGAPGE@?$AAU?$AAI?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@FNODOBFM@
		retn
; 

loc_516585:				; CODE XREF: _MapCmDevicePropertyToRegValue+33j
		mov	eax, (offset off_5A7B56+2)
		retn
; 

loc_51658B:				; CODE XREF: _MapCmDevicePropertyToRegValue+7Dj
		sub	edx, 5
		jnz	short loc_51659C
		mov	eax, offset ??_C@_1BC@FCJNIDNL@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy@FNODOBFM@
		retn
; 

loc_516596:				; CODE XREF: _MapCmDevicePropertyToRegValue+15j
					; DATA XREF: .text:off_5165C4o
		mov	eax, offset ??_C@_1BE@JODLJEMN@?$AAC?$AAl?$AAa?$AAs?$AAs?$AAG?$AAU?$AAI?$AAD@FNODOBFM@ ; case 0x8
		retn
; 

loc_51659C:				; CODE XREF: _MapCmDevicePropertyToRegValue+B2j
		dec	edx
		sub	edx, 1
		jnz	short loc_5165C0 ; default
		mov	eax, offset ??_C@_1BG@KCOOGCNN@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAT?$AAy?$AAp?$AAe@FNODOBFM@
		retn
; 

loc_5165A8:				; CODE XREF: _MapCmDevicePropertyToRegValue:loc_51654Aj
		mov	eax, offset ??_C@_1BE@DJHAJDEM@?$AAE?$AAx?$AAc?$AAl?$AAu?$AAs?$AAi?$AAv?$AAe@FNODOBFM@ ; "Exclusive"
		retn
; 

loc_5165AE:				; CODE XREF: _MapCmDevicePropertyToRegValue+2Aj
		mov	eax, offset ??_C@_1CM@DIJFBEC@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAh?$AAa?$AAr?$AAa?$AAc?$AAt?$AAe?$AAr@FNODOBFM@
		retn
; 

loc_5165B4:				; CODE XREF: _MapCmDevicePropertyToRegValue+15j
					; DATA XREF: .text:off_5165C4o
		mov	eax, offset ??_C@_1CI@ONPCCHIE@?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@FNODOBFM@ ; case 0xD
		retn
; 

loc_5165BA:				; CODE XREF: _MapCmDevicePropertyToRegValue+41j
		mov	eax, offset ??_C@_1BM@MMNDHKFB@?$AAR?$AAe?$AAm?$AAo?$AAv?$AAa?$AAl?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@FNODOBFM@
		retn
; 

loc_5165C0:				; CODE XREF: _MapCmDevicePropertyToRegValue+Fj
					; _MapCmDevicePropertyToRegValue+15j ...
		xor	eax, eax	; default
		retn
_MapCmDevicePropertyToRegValue endp

; 
		align 4
off_5165C4	dd offset loc_51653E	; DATA XREF: _MapCmDevicePropertyToRegValue+15r
		dd offset loc_5164F8	; jump table for switch	statement
		dd offset loc_516561
		dd offset loc_5165C0
		dd offset loc_516567
		dd offset loc_5165C0
		dd offset loc_5165C0
		dd offset loc_5E8E2B
		dd offset loc_516596
		dd offset loc_516532
		dd offset loc_516544
		dd offset loc_516579
		dd offset loc_516538
		dd offset loc_5165B4

;  S U B	R O U T	I N E 


; __stdcall _MapCmDevicePropertyToNtProperty(x,	x)
__MapCmDevicePropertyToNtProperty@8 proc near ;	CODE XREF: _CmGetDeviceRegPropWorker+10Ep
		cmp	edx, 1Dh
		jg	short loc_51661A
		jz	short loc_516617
		sub	edx, 0Fh
		jz	short loc_51663F
		sub	edx, 5
		jz	short loc_516643
		sub	edx, 1
		jz	short loc_51663B
		sub	edx, 1
		jz	short loc_516637

loc_516617:				; CODE XREF: _MapCmDevicePropertyToNtProperty(x,x)+5j
					; _MapCmDevicePropertyToNtProperty(x,x)+31j
		xor	eax, eax
		retn
; 

loc_51661A:				; CODE XREF: _MapCmDevicePropertyToNtProperty(x,x)+3j
		sub	edx, 1Fh
		jz	short loc_51664B
		sub	edx, 1
		jz	short loc_516633
		sub	edx, 1
		jz	short loc_516647
		dec	edx
		sub	edx, 1
		jnz	short loc_516617
		push	0Bh
		jmp	short loc_516635
; 

loc_516633:				; CODE XREF: _MapCmDevicePropertyToNtProperty(x,x)+26j
		push	6

loc_516635:				; CODE XREF: _MapCmDevicePropertyToNtProperty(x,x)+35j
		pop	eax
		retn
; 

loc_516637:				; CODE XREF: _MapCmDevicePropertyToNtProperty(x,x)+19j
		push	4
		pop	eax
		retn
; 

loc_51663B:				; CODE XREF: _MapCmDevicePropertyToNtProperty(x,x)+14j
		push	3
		pop	eax
		retn
; 

loc_51663F:				; CODE XREF: _MapCmDevicePropertyToNtProperty(x,x)+Aj
		xor	eax, eax
		inc	eax
		retn
; 

loc_516643:				; CODE XREF: _MapCmDevicePropertyToNtProperty(x,x)+Fj
		push	2
		pop	eax
		retn
; 

loc_516647:				; CODE XREF: _MapCmDevicePropertyToNtProperty(x,x)+2Bj
		push	0Ah
		pop	eax
		retn
; 

loc_51664B:				; CODE XREF: _MapCmDevicePropertyToNtProperty(x,x)+21j
		push	5
		pop	eax
		retn
__MapCmDevicePropertyToNtProperty@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepIsValidExpression proc near	; CODE XREF: .text:00517D97p
					; .text:00518093p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E8E37 SIZE 000001C7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		mov	[eax], bl
		mov	[ebp+var_4], ebx
		push	edi
		test	esi, esi
		jz	short loc_51668B
		lea	eax, [edx+4]

loc_51666D:				; CODE XREF: AuthzBasepIsValidExpression+39j
		mov	edi, [eax+8]
		test	edi, edi
		jz	loc_516713
		cmp	cl, 0A2h
		jnz	short loc_5166C1

loc_51667D:				; CODE XREF: AuthzBasepIsValidExpression+74j
					; AuthzBasepIsValidExpression+79j ...
		mov	edi, [ebp+var_4]
		add	eax, 1Ch
		inc	edi
		mov	[ebp+var_4], edi
		cmp	edi, esi
		jb	short loc_51666D

loc_51668B:				; CODE XREF: AuthzBasepIsValidExpression+18j
		cmp	cl, 0A2h
		jnz	short loc_5166D0

loc_516690:				; CODE XREF: AuthzBasepIsValidExpression+83j
					; AuthzBasepIsValidExpression+88j ...
		movzx	eax, cl
		add	eax, 0FFFFFF80h
		cmp	eax, 23h
		ja	short loc_5166B8
		movzx	eax, ds:byte_516730[eax]
		jmp	ds:off_516718[eax*4]

loc_5166A9:				; DATA XREF: .text:00516728o
		cmp	esi, 2
		jz	short loc_516713
		cmp	esi, 1
		jnz	short loc_5166B8
		cmp	[edx+0Ch], esi

loc_5166B6:				; CODE XREF: AuthzBasepIsValidExpression+C1j
					; AuthzBasepIsValidExpression+D2961j
		jz	short loc_516713

loc_5166B8:				; CODE XREF: AuthzBasepIsValidExpression+49j
					; AuthzBasepIsValidExpression+52j ...
		mov	al, 1

loc_5166BA:				; CODE XREF: AuthzBasepIsValidExpression+C5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_5166C1:				; CODE XREF: AuthzBasepIsValidExpression+2Bj
		cmp	cl, 86h
		jz	short loc_51667D
		cmp	cl, 87h
		jz	short loc_51667D
		jmp	loc_5E8E37
; 

loc_5166D0:				; CODE XREF: AuthzBasepIsValidExpression+3Ej
		cmp	cl, 86h
		jz	short loc_516690
		cmp	cl, 87h
		jz	short loc_516690
		jmp	loc_5E8EDE
; 

loc_5166DF:				; CODE XREF: AuthzBasepIsValidExpression+52j
					; DATA XREF: .text:off_516718o
		cmp	esi, 2
		jnz	short loc_516713
		cmp	dword ptr [edx+0Ch], 1
		jz	short loc_516713
		cmp	cl, 88h
		jz	loc_5E8FA4
		cmp	cl, 8Fh
		jnz	short loc_5166B8
		jmp	loc_5E8FA4
; 

loc_5166FD:				; CODE XREF: AuthzBasepIsValidExpression+52j
					; DATA XREF: .text:0051671Co
		cmp	esi, 1
		jnz	short loc_516713
		mov	eax, [edx+0Ch]
		cmp	eax, esi
		jz	short loc_516713
		cmp	eax, 3
		jz	short loc_516713
		cmp	eax, 5
		jmp	short loc_5166B6
; 

loc_516713:				; CODE XREF: AuthzBasepIsValidExpression+22j
					; AuthzBasepIsValidExpression+5Cj ...
		xor	al, al
		jmp	short loc_5166BA
AuthzBasepIsValidExpression endp

; 
		align 4
off_516718	dd offset loc_5166DF	; DATA XREF: AuthzBasepIsValidExpression+52r
		dd offset loc_5166FD
		dd offset loc_5E8FB6
		dd offset loc_5E8FDD
		dd offset loc_5166A9
		dd offset loc_5166B8
byte_516730	db 0			; DATA XREF: AuthzBasepIsValidExpression+4Br
		align 4
		dd 1000000h, 2020200h, 102h, 2020202h, 3 dup(5050505h)
		dd 40303h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepPushResult(x, x, x)
_AuthzBasepPushResult@12 proc near	; CODE XREF: .text:00517DF5p
					; .text:005180E8p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [edx]
		xor	eax, eax
		push	edi
		mov	edi, ecx
		cmp	esi, 100h
		jnb	short loc_51677A
		mov	ecx, [ebp+arg_0]
		mov	[edi+esi*4], ecx
		lea	ecx, [esi+1]
		mov	[edx], ecx

loc_516774:				; CODE XREF: AuthzBasepPushResult(x,x,x)+2Bj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_51677A:				; CODE XREF: AuthzBasepPushResult(x,x,x)+13j
		mov	eax, 0C0000409h
		jmp	short loc_516774
_AuthzBasepPushResult@12 endp

; 
		align 10h

MiProcessWorkingSets:			; CODE XREF: MiWorkingSetManager(x,x)+1EAp
					; MiWorkingSetManager(x,x)+237p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+10h], edx
		lea	edi, [esp+3Ch]
		mov	esi, ecx
		stosd
		mov	[esp+24h], esi
		cmp	byte ptr [esi+0Ch], 0
		stosd
		stosd
		jnz	loc_5E8FFE

loc_5167BB:				; CODE XREF: .text:005E9003j
		test	byte ptr [esi+4], 20h
		jnz	loc_516B35
		mov	eax, [esi+0F00h]
		mov	ecx, esi
		mov	[esp+14h], eax
		call	_MiComputeAgingPercent@4 ; MiComputeAgingPercent(x)
		mov	edi, [esp+10h]
		mov	ecx, esi
		mov	edx, edi
		call	MiComputeSystemTrimCriteria
		mov	ebx, eax
		mov	edx, edi
		push	ebx
		mov	ecx, esi
		mov	[esp+1Ch], ebx
		call	MiLogProcessWorkingSetsStart
		mov	esi, ebx
		and	esi, 5
		jnz	loc_516BD3

loc_5167FE:				; CODE XREF: .text:00516BE2j
		mov	eax, [esp+14h]
		mov	dword ptr [esp+28h], 0
		mov	dword ptr [esp+2Ch], 0
		test	esi, esi
		jnz	loc_516BE7

loc_51681A:				; CODE XREF: .text:00516BEBj
		test	bl, 2
		jz	short loc_516822
		inc	dword ptr [eax+40h]

loc_516822:				; CODE XREF: .text:0051681Dj
		xor	esi, esi
		test	bl, 40h
		jnz	loc_516BF0
		lea	edx, [esp+3Ch]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ebx, [esp+14h]

loc_51683F:				; CODE XREF: .text:00516C14j
					; .text:005E9076j
		mov	ecx, [esp+24h]
		mov	edx, [esp+18h]
		add	ecx, 0F04h
		mov	byte ptr [ebx+2Dh], 1
		mov	[esp+20h], ecx

loc_516855:				; CODE XREF: .text:00516BBFj
					; .text:00516C97j
		xor	ebx, ebx
		mov	eax, edx
		and	eax, 1
		mov	[esp+1Ch], ebx
		mov	[esp+38h], eax
		jnz	loc_516C1F

loc_51686A:				; CODE XREF: .text:00516C40j
		mov	ebx, [esp+14h]
		inc	word ptr [ebx+4BCh]
		movzx	eax, word ptr [ebx+4BCh]
		mov	[esp+30h], eax
		mov	eax, [edi+2Ch]
		sub	eax, [edi+34h]
		mov	[edi+30h], eax

loc_516889:				; CODE XREF: .text:005E9096j
					; .text:005E914Fj
		mov	ebx, [esp+1Ch]
		lea	ecx, [ecx+0]

loc_516890:				; CODE XREF: .text:00516A1Bj
		mov	edi, [ecx]
		cmp	edi, ecx
		jz	loc_516C6E
		mov	eax, [edi]
		cmp	[edi+4], ecx
		jnz	loc_516CC0
		cmp	[eax+4], edi
		jnz	loc_516CC0
		mov	[ecx], eax
		mov	ebx, edi
		mov	[eax+4], ecx
		mov	eax, [esp+30h]
		mov	dword ptr [ebx], 0
		cmp	[edi+4Ch], ax
		jz	loc_516A20
		mov	[edi+4Ch], ax
		mov	eax, edx
		and	eax, 40h
		mov	[esp+34h], eax
		jnz	loc_516C45

loc_5168DC:				; CODE XREF: .text:00516C53j
		cmp	dword ptr [edi+38h], 4
		jbe	loc_516BC4

loc_5168E6:				; CODE XREF: .text:00516BC8j
		mov	eax, [edi+50h]
		mov	[esp+0Ch], eax
		shr	eax, 8
		and	al, 0FBh
		or	al, 2
		mov	[esp+0Dh], al
		mov	ax, [esp+0Ch]
		mov	[edi+50h], ax
		mov	eax, [esp+10h]
		cmp	byte ptr [eax+2], 2
		jz	loc_5E9154

loc_51690F:				; CODE XREF: .text:005E916Fj
		test	ds:byte_70EFC6,	1
		jnz	loc_5E9174
		mov	eax, [esp+3Ch]
		test	eax, eax
		jnz	loc_516B45
		mov	edx, [esp+40h]
		lea	eax, [esp+3Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+3Ch]
		cmp	eax, ecx
		jnz	loc_516B3C

loc_516942:				; CODE XREF: .text:00516B58j
					; .text:005E9180j
		mov	cl, [esp+44h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	dword ptr [esp+18h]
		mov	edx, [esp+14h]
		lea	ecx, [edi-10h]
		call	MiTrimOrAgeWorkingSet
		mov	[esp+1Ch], eax
		cmp	eax, 1
		jz	loc_5E9185

loc_516969:				; CODE XREF: .text:005E918Dj
		mov	dword ptr [esp+40h], offset dword_6D3540
		mov	dword ptr [esp+3Ch], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[esp+44h], al
		jnz	loc_5E9192
		lea	edx, [esp+3Ch]
		mov	eax, offset dword_6D3540
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_516B5D

loc_5169A3:				; CODE XREF: .text:00516B66j
					; .text:005E915Cj ...
		cmp	dword ptr [esp+34h], 0
		jnz	loc_5E91A5

loc_5169AE:				; CODE XREF: .text:005E91B1j
					; .text:005E91C0j
		mov	edx, 1

loc_5169B3:				; CODE XREF: .text:005E91BAj
		mov	eax, [edi+50h]
		mov	ecx, eax
		shr	ecx, 8
		mov	[esp+0Ch], eax
		test	edx, edx
		jz	loc_5E91C5
		shr	eax, 8
		and	al, 0F9h
		mov	[esp+0Dh], al
		mov	ax, [esp+0Ch]
		mov	[edi+50h], ax
		mov	eax, dword_6D5D48
		cmp	dword ptr [eax], offset	dword_6D5D44
		jnz	loc_516CC0
		mov	dword ptr [ebx], offset	dword_6D5D44
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	dword_6D5D48, ebx
		mov	ecx, [edi+28h]
		test	ecx, ecx
		jnz	loc_516B85

loc_516A06:				; CODE XREF: .text:00516B8Fj
					; .text:005E91DBj
		mov	ebx, [esp+1Ch]
		mov	ecx, [esp+20h]
		cmp	ebx, 1
		jz	loc_516C6E
		mov	edx, [esp+18h]
		jmp	loc_516890
; 

loc_516A20:				; CODE XREF: .text:005168C3j
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	loc_516CC0
		cmp	dword ptr [esp+38h], 0
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[eax+4], edi
		mov	[ecx], edi
		mov	edi, [esp+10h]
		jnz	loc_516C77

loc_516A44:				; CODE XREF: .text:00516C91j
		mov	ebx, [esp+1Ch]

loc_516A48:				; CODE XREF: .text:00516C72j
		mov	eax, [esp+18h]
		test	al, 40h
		jnz	loc_516CA0

loc_516A54:				; CODE XREF: .text:00516CB2j
		mov	edx, [esp+28h]
		or	edx, eax
		mov	[esp+28h], edx
		cmp	ebx, 1
		jz	loc_5E9216
		mov	ebx, [esp+14h]
		and	eax, 0FFFFFF3Ch
		or	[esp+2Ch], eax
		mov	eax, [esp+2Ch]
		mov	edx, [ebx+20h]
		cmp	eax, edx
		jnz	loc_516BAC
		mov	eax, [esp+28h]
		mov	byte ptr [ebx+2Dh], 0
		test	al, 5
		jnz	loc_516CB7

loc_516A93:				; CODE XREF: .text:00516CBBj
		test	edx, edx
		jnz	loc_516B6B

loc_516A9B:				; CODE XREF: .text:00516B80j
		test	al, 83h
		jz	short loc_516AEF
		mov	eax, [edi+8]
		mov	[ebx+4E4h], eax
		mov	eax, [edi+0Ch]
		mov	[ebx+4E8h], eax
		mov	eax, [edi+10h]
		mov	[ebx+4ECh], eax
		mov	eax, [edi+14h]
		mov	[ebx+4F0h], eax
		mov	eax, [edi+18h]
		mov	[ebx+4F4h], eax
		mov	eax, [edi+1Ch]
		mov	[ebx+4F8h], eax
		mov	ecx, [edi+20h]
		mov	[ebx+4FCh], ecx
		mov	eax, [edi+24h]
		mov	[ebx+500h], eax
		add	eax, ecx
		mov	[ebx+4E0h], eax

loc_516AEF:				; CODE XREF: .text:00516A9Dj
		test	ds:byte_70EFC6,	1
		jnz	loc_5E9264
		mov	eax, [esp+3Ch]
		test	eax, eax
		jnz	loc_516B94
		mov	edx, [esp+40h]
		lea	eax, [esp+3Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+3Ch]
		cmp	eax, ecx
		jnz	loc_5E9256

loc_516B22:				; CODE XREF: .text:00516BA7j
					; .text:005E9250j ...
		mov	cl, [esp+44h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esp+24h]
		call	MiLogProcessWorkingSetsStop

loc_516B35:				; CODE XREF: .text:005167BFj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_516B3C:				; CODE XREF: .text:0051693Cj
		lea	ecx, [esp+3Ch]
		call	KxWaitForLockChainValid

loc_516B45:				; CODE XREF: .text:00516922j
		mov	dword ptr [esp+3Ch], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_516942
; 

loc_516B5D:				; CODE XREF: .text:0051699Dj
		lea	ecx, [esp+3Ch]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_5169A3
; 

loc_516B6B:				; CODE XREF: .text:00516A95j
		push	0
		push	0
		push	ebx
		mov	dword ptr [ebx+20h], 0
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, [esp+28h]
		jmp	loc_516A9B
; 

loc_516B85:				; CODE XREF: .text:00516A00j
		mov	edx, 1
		call	KeSignalGate
		jmp	loc_516A06
; 

loc_516B94:				; CODE XREF: .text:00516B02j
					; .text:005E9236j ...
		add	eax, 4
		mov	dword ptr [esp+3Ch], 0
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_516B22
; 

loc_516BAC:				; CODE XREF: .text:00516A7Dj
		xor	edx, eax
		mov	[esp+18h], edx
		test	dl, 5
		jnz	loc_5E920D

loc_516BBB:				; CODE XREF: .text:005E9211j
		mov	byte ptr [edi+2], 6
		jmp	loc_516855
; 

loc_516BC4:				; CODE XREF: .text:005168E0j
		test	byte ptr [edi+50h], 7
		jnz	loc_5168E6
		jmp	loc_5E907B
; 

loc_516BD3:				; CODE XREF: .text:005167F8j
		mov	ecx, [esp+24h]
		xor	edx, edx
		push	0
		push	0
		call	_MiDrainZeroLookasides@16 ; MiDrainZeroLookasides(x,x,x,x)
		jmp	loc_5167FE
; 

loc_516BE7:				; CODE XREF: .text:00516814j
		mov	byte ptr [eax+2Ch], 1
		jmp	loc_51681A
; 

loc_516BF0:				; CODE XREF: .text:00516827j
		cmp	word ptr [eax+4BEh], 0Ah
		ja	loc_5E9008

loc_516BFE:				; CODE XREF: .text:005E9015j
		lea	edx, [esp+3Ch]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ebx, [esp+14h]
		cmp	byte ptr [ebx+2Eh], 1
		jnz	loc_51683F
		jmp	loc_5E901A
; 

loc_516C1F:				; CODE XREF: .text:00516864j
		movzx	eax, byte ptr [edi]
		mov	ecx, [esp+24h]
		and	eax, 7Fh
		movzx	edx, ds:_MiTrimPassToAge[eax]
		call	MiOrderTrimList
		mov	ecx, [esp+20h]
		mov	edx, [esp+18h]
		mov	[edi+38h], eax
		jmp	loc_51686A
; 

loc_516C45:				; CODE XREF: .text:005168D6j
		mov	ecx, [esp+14h]
		mov	eax, [edi+24h]
		cmp	eax, [ecx+30h]
		mov	ecx, [esp+20h]
		jnb	loc_5168DC
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_516CC0
		mov	ebx, [esp+1Ch]
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[ecx+4], edi

loc_516C6E:				; CODE XREF: .text:00516894j
					; .text:00516A11j
		mov	edi, [esp+10h]
		jmp	loc_516A48
; 

loc_516C77:				; CODE XREF: .text:00516A3Ej
		mov	ecx, [esp+24h]
		lea	eax, [esp+3Ch]
		push	eax
		mov	edx, edi
		call	MiCheckSystemTrimEndCriteria
		mov	ecx, [esp+20h]
		mov	edx, [esp+18h]
		test	eax, eax
		jnz	loc_516A44
		jmp	loc_516855
; 
		align 10h

loc_516CA0:				; CODE XREF: .text:00516A4Ej
					; .text:005E9208j
		mov	ecx, esi
		test	esi, esi
		jnz	loc_5E91E0
		mov	ecx, [esp+20h]
		mov	eax, [esp+18h]
		jmp	loc_516A54
; 

loc_516CB7:				; CODE XREF: .text:00516A8Dj
		mov	byte ptr [ebx+2Ch], 0
		jmp	loc_516A93
; 

loc_516CC0:				; CODE XREF: .text:0051689Fj
					; .text:005168A8j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiTrimOrAgeWorkingSet proc near		; CODE XREF: .text:00516957p

var_3A		= byte ptr -3Ah
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E9275 SIZE 000000C7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+44h+var_30], edx
		push	edi
		cmp	byte ptr [esi+62h], 2
		jz	loc_517007

loc_516CF9:				; CODE XREF: MiTrimOrAgeWorkingSet+33Bj
					; MiTrimOrAgeWorkingSet+346j
		mov	al, [esi+60h]
		mov	edi, dword_6D5D40
		mov	[esp+48h+var_34], edi
		and	al, 7
		jnz	loc_51701B
		mov	eax, large fs:124h
		lea	ecx, [esi-240h]
		cmp	[eax+150h], ecx
		jz	short loc_516D60
		mov	edx, large fs:124h
		xor	eax, eax
		mov	[esp+48h+var_1C], eax
		mov	[esp+48h+var_18], eax
		mov	[esp+48h+var_14], eax
		mov	[esp+48h+var_10], eax
		mov	[esp+48h+var_C], eax
		mov	[esp+48h+var_8], eax
		mov	al, [edx+16Ah]
		test	al, al
		jnz	loc_5E9275
		lea	eax, [esp+48h+var_1C]
		mov	edx, 1
		push	eax
		call	KiStackAttachProcess

loc_516D60:				; CODE XREF: MiTrimOrAgeWorkingSet+50j
					; MiTrimOrAgeWorkingSet+34Dj ...
		mov	ebx, [ebp+arg_0]
		test	bl, 4
		jnz	loc_5E928A

loc_516D6C:				; CODE XREF: MiTrimOrAgeWorkingSet+D25C7j
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 4
		ja	loc_5E929C

loc_516D79:				; CODE XREF: MiTrimOrAgeWorkingSet+D25CEj
		cmp	al, 2
		jz	loc_517073
		lea	edi, [esi+80h]

loc_516D87:				; CODE XREF: MiTrimOrAgeWorkingSet+3A8j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[esp+48h+var_39], al
		jnz	loc_5E92B5
		mov	edx, [edi]
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	loc_517126

loc_516DB9:				; CODE XREF: MiTrimOrAgeWorkingSet+461j
					; MiTrimOrAgeWorkingSet+D25EEj
		add	edi, 4
		cmp	dword ptr [edi], 0
		jnz	loc_517136

loc_516DC5:				; CODE XREF: MiTrimOrAgeWorkingSet+46Aj
		mov	al, [esp+48h+var_39]
		mov	edi, [esp+48h+var_34]

loc_516DCD:				; CODE XREF: MiTrimOrAgeWorkingSet+D25E0j
		mov	byte ptr [esp+48h+var_38], al
		test	bl, 20h
		jnz	loc_5E92C3

loc_516DDA:				; CODE XREF: MiTrimOrAgeWorkingSet+D25F7j
					; MiTrimOrAgeWorkingSet+D2613j
		test	ebx, 100h
		jnz	loc_5E92E8

loc_516DE6:				; CODE XREF: MiTrimOrAgeWorkingSet+D262Ej
		movzx	ecx, word ptr [edi+4BEh]
		xor	edx, edx
		xor	edi, edi
		mov	[esp+48h+var_2C], ecx
		test	bl, 1
		jnz	loc_5170A7
		test	bl, 2
		jz	loc_51704A
		push	ecx
		push	1
		mov	dl, al
		mov	ecx, esi
		call	MiAgeWorkingSet
		mov	edi, eax
		mov	edx, 1
		mov	[esp+48h+var_38], edx
		test	edi, edi
		jnz	short loc_516E4D
		mov	eax, [esp+48h+var_34]
		cmp	[eax+2Fh], dl
		jnz	short loc_516E4D
		mov	eax, [esp+48h+var_2C]
		cmp	eax, 0Ah
		jnb	short loc_516E4D
		test	eax, eax
		jz	short loc_516E4D
		mov	dl, [esp+48h+var_39]
		mov	ecx, esi
		push	0Ah
		push	2
		call	MiAgeWorkingSet
		mov	edx, [esp+48h+var_38]
		mov	edi, eax

loc_516E4D:				; CODE XREF: MiTrimOrAgeWorkingSet+150j
					; MiTrimOrAgeWorkingSet+159j ...
		mov	[esp+48h+var_2C], 0
		mov	[esp+48h+var_38], 0
		cmp	edi, 1
		jz	loc_516EFB
		cmp	edx, 1
		jnz	short loc_516EBF
		mov	eax, [esi+18h]
		xor	ecx, ecx
		cmp	byte ptr [esi+62h], 2
		mov	edx, [esp+48h+var_30]
		setz	cl
		lea	ecx, ds:1[ecx*2]
		shr	eax, cl
		add	[edx+8], eax
		mov	eax, [esi+1Ch]
		shr	eax, cl
		add	[edx+0Ch], eax
		mov	eax, [esi+20h]
		shr	eax, cl
		add	[edx+10h], eax
		mov	eax, [esi+24h]
		shr	eax, cl
		add	[edx+14h], eax
		mov	eax, [esi+28h]
		shr	eax, cl
		add	[edx+18h], eax
		mov	eax, [esi+2Ch]
		shr	eax, cl
		add	[edx+1Ch], eax
		mov	eax, [esi+30h]
		shr	eax, cl
		add	[edx+20h], eax
		mov	eax, [esi+34h]
		shr	eax, cl
		add	[edx+24h], eax

loc_516EBF:				; CODE XREF: MiTrimOrAgeWorkingSet+199j
		test	bl, 18h
		jnz	loc_51708A

loc_516EC8:				; CODE XREF: MiTrimOrAgeWorkingSet+3C6j
		lea	eax, [esp+48h+var_28]
		mov	[esp+48h+var_28], 0
		push	eax
		mov	[esp+4Ch+var_24], 0
		call	KeQueryTickCount
		mov	ecx, [esp+48h+var_24]
		mov	eax, [esp+48h+var_28]
		push	ecx
		mov	[esp+4Ch+var_38], ecx
		mov	ecx, esi
		push	eax
		mov	[esp+50h+var_2C], eax
		call	MiDrainOldAccessBuffers

loc_516EFB:				; CODE XREF: MiTrimOrAgeWorkingSet+190j
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 4
		ja	loc_5E930B

loc_516F08:				; CODE XREF: MiTrimOrAgeWorkingSet+D2643j
		mov	eax, [esi+60h]
		mov	ecx, eax
		shr	ecx, 18h
		test	cl, 0Ch
		jnz	loc_5E9318
		test	cl, 10h
		jnz	loc_5E9318

loc_516F22:				; CODE XREF: MiTrimOrAgeWorkingSet+D2656j
		and	al, 7
		cmp	al, 2
		jz	loc_51707D
		lea	eax, [esi+80h]
		mov	[esp+48h+var_34], eax

loc_516F36:				; CODE XREF: MiTrimOrAgeWorkingSet+3B5j
		mov	edx, 1
		mov	ecx, esi
		call	MiCheckProcessShadow
		test	ds:byte_70EFC6,	1
		jnz	loc_5E932B
		mov	eax, [esp+48h+var_34]
		mov	ecx, 0BFFFFFFFh
		lock and [eax],	ecx
		lock dec dword ptr [eax]

loc_516F5E:				; CODE XREF: MiTrimOrAgeWorkingSet+D263Dj
					; MiTrimOrAgeWorkingSet+D2667j
		mov	cl, [esp+48h+var_39]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, [esi+60h]
		and	al, 7
		jnz	loc_517033
		mov	eax, large fs:124h
		add	esi, 0FFFFFDC0h
		cmp	[eax+150h], esi
		jz	short loc_516F9E
		mov	ecx, large fs:124h
		mov	edx, 1
		add	ecx, 174h
		call	KiDetachProcess

loc_516F9E:				; CODE XREF: MiTrimOrAgeWorkingSet+2B5j
					; MiTrimOrAgeWorkingSet+365j ...
		test	edi, edi
		jnz	short loc_516FF1
		cmp	dword_6D3140, edi
		jz	short loc_516FF1
		xor	esi, esi
		mov	eax, offset dword_6D3140
		xchg	esi, [eax]
		test	esi, esi
		jz	short loc_516FF1
		mov	eax, [esp+48h+var_2C]
		sub	eax, [esi+10h]
		mov	ecx, [esp+48h+var_38]
		sbb	ecx, [esi+14h]
		cmp	ecx, dword_6FB604
		ja	loc_51709B
		jb	short loc_516FDF
		cmp	eax, _PfKernelGlobals
		ja	loc_51709B

loc_516FDF:				; CODE XREF: MiTrimOrAgeWorkingSet+301j
		test	bl, 18h
		jnz	loc_51709B
		xor	edx, edx
		mov	ecx, esi
		call	_MiReturnCcAccessLog@8 ; MiReturnCcAccessLog(x,x)

loc_516FF1:				; CODE XREF: MiTrimOrAgeWorkingSet+2D0j
					; MiTrimOrAgeWorkingSet+2D8j ...
		mov	ecx, [esp+48h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_517007:				; CODE XREF: MiTrimOrAgeWorkingSet+23j
		test	byte ptr [esi+60h], 7
		jnz	loc_516CF9
		call	_PfLogForegroundProcess@4 ; PfLogForegroundProcess(x)
		jmp	loc_516CF9
; 

loc_51701B:				; CODE XREF: MiTrimOrAgeWorkingSet+38j
		cmp	al, 1
		jnz	loc_516D60
		lea	ecx, [esi-0C0h]
		call	MiAttachSession
		jmp	loc_516D60
; 

loc_517033:				; CODE XREF: MiTrimOrAgeWorkingSet+29Dj
		cmp	al, 1
		jnz	loc_516F9E
		mov	ecx, 1
		call	MiDetachProcessFromSession
		jmp	loc_516F9E
; 

loc_51704A:				; CODE XREF: MiTrimOrAgeWorkingSet+131j
		test	bl, 40h
		jnz	loc_5E9303
		test	bl, bl
		jns	loc_516E4D
		push	ecx
		push	2

loc_51705E:				; CODE XREF: MiTrimOrAgeWorkingSet+D2636j
		mov	dl, al
		mov	ecx, esi
		call	MiAgeWorkingSet
		mov	edi, eax
		mov	edx, 1
		jmp	loc_516E4D
; 

loc_517073:				; CODE XREF: MiTrimOrAgeWorkingSet+ABj
		mov	edi, offset unk_6D3C40
		jmp	loc_516D87
; 

loc_51707D:				; CODE XREF: MiTrimOrAgeWorkingSet+256j
		mov	[esp+48h+var_34], offset unk_6D3C40
		jmp	loc_516F36
; 

loc_51708A:				; CODE XREF: MiTrimOrAgeWorkingSet+1F2j
		mov	dl, [esp+48h+var_39]
		mov	ecx, esi
		push	ebx
		call	MiCaptureAndResetWorkingSetAccessBits
		jmp	loc_516EC8
; 

loc_51709B:				; CODE XREF: MiTrimOrAgeWorkingSet+2FBj
					; MiTrimOrAgeWorkingSet+309j ...
		mov	ecx, esi
		call	_MiQueuePageAccessLog@4	; MiQueuePageAccessLog(x)
		jmp	loc_516FF1
; 

loc_5170A7:				; CODE XREF: MiTrimOrAgeWorkingSet+128j
		mov	ecx, [esp+48h+var_30]
		mov	edx, esi
		push	ecx
		movzx	eax, byte ptr [ecx]
		and	eax, 7Fh
		mov	al, ds:_MiTrimPassToAge[eax]
		mov	[ecx+1], al
		call	MiComputeTrimAmount
		mov	ecx, [esp+48h+var_30]
		test	eax, eax
		jz	short loc_5170E5
		movzx	ecx, byte ptr [ecx+1]
		mov	edx, eax
		push	11h
		push	ecx
		push	[esp+50h+var_38]
		mov	ecx, esi
		call	MiTrimWorkingSet
		mov	ecx, [esp+48h+var_30]
		add	[ecx+34h], eax

loc_5170E5:				; CODE XREF: MiTrimOrAgeWorkingSet+3F8j
		mov	dl, [ecx]
		mov	al, dl
		and	al, 7Fh
		jnz	short loc_51713F
		test	dl, dl
		js	short loc_51713F

loc_5170F1:				; CODE XREF: MiTrimOrAgeWorkingSet+471j
		mov	eax, [esp+48h+var_34]
		cmp	[eax+4BEh], di
		jz	short loc_517143
		mov	edx, 1

loc_517103:				; CODE XREF: MiTrimOrAgeWorkingSet+475j
		cmp	byte ptr [ecx+4], 1
		jnz	short loc_517147
		mov	eax, [esp+48h+var_2C]
		mov	ecx, esi
		push	eax
		push	edx
		mov	dl, [esp+50h+var_39]
		call	MiAgeWorkingSet
		mov	edi, eax
		mov	edx, 1
		jmp	loc_516E4D
; 

loc_517126:				; CODE XREF: MiTrimOrAgeWorkingSet+E3j
		mov	dl, [esp+48h+var_39]
		mov	ecx, edi
		call	ExpWaitForSpinLockSharedAndAcquire
		jmp	loc_516DB9
; 

loc_517136:				; CODE XREF: MiTrimOrAgeWorkingSet+EFj
		xor	eax, eax
		xchg	eax, [edi]
		jmp	loc_516DC5
; 

loc_51713F:				; CODE XREF: MiTrimOrAgeWorkingSet+41Bj
					; MiTrimOrAgeWorkingSet+41Fj
		cmp	al, 4
		jz	short loc_5170F1

loc_517143:				; CODE XREF: MiTrimOrAgeWorkingSet+42Cj
		xor	edx, edx
		jmp	short loc_517103
; 

loc_517147:				; CODE XREF: MiTrimOrAgeWorkingSet+437j
		xor	edx, edx
		jmp	loc_516E4D
MiTrimOrAgeWorkingSet endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAgeWorkingSet	proc near		; CODE XREF: MiTrimOrAgeWorkingSet+13Ep
					; MiTrimOrAgeWorkingSet+172p ...

var_3A8		= dword	ptr -3A8h
var_3A4		= dword	ptr -3A4h
var_3A0		= dword	ptr -3A0h
var_39C		= dword	ptr -39Ch
var_398		= dword	ptr -398h
var_394		= dword	ptr -394h
var_390		= dword	ptr -390h
var_38C		= dword	ptr -38Ch
var_384		= dword	ptr -384h
var_380		= dword	ptr -380h
var_37C		= dword	ptr -37Ch
var_378		= dword	ptr -378h
var_374		= dword	ptr -374h
var_370		= dword	ptr -370h
var_36A		= byte ptr -36Ah
var_369		= byte ptr -369h
var_368		= dword	ptr -368h
var_364		= dword	ptr -364h
var_360		= dword	ptr -360h
var_35C		= byte ptr -35Ch
var_35B		= byte ptr -35Bh
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= word ptr -334h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_2A0		= dword	ptr -2A0h
var_298		= dword	ptr -298h
var_292		= byte ptr -292h
var_288		= dword	ptr -288h
var_280		= dword	ptr -280h
var_278		= dword	ptr -278h
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_140		= dword	ptr -140h
var_A8		= dword	ptr -0A8h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E933C SIZE 00000250 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_140]
		mov	[ebp+var_369], dl
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_360]
		push	0C4h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_298]
		push	4Ch		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_248]
		push	108h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [edi+0Ch]
		add	esp, 0Ch
		mov	esi, [edi+48h]
		mov	edx, 3
		mov	[ebp+var_368], edx
		mov	[ebp+var_364], ecx
		mov	eax, [ecx+14h]
		cmp	esi, eax
		jbe	loc_51748E
		mov	ebx, [ebp+arg_4]
		sub	esi, eax
		test	ebx, ebx
		jz	loc_5E933C

loc_5171F4:				; CODE XREF: MiAgeWorkingSet+D21F1j
		mov	eax, [ebp+arg_0]
		and	eax, 4
		mov	[ebp+var_374], eax
		jnz	loc_5E936B
		mov	al, [edi+60h]
		and	al, 7
		mov	[ebp+var_378], 0
		cmp	al, 2
		jz	loc_517615
		lea	eax, [edi+0C0h]

loc_517223:				; CODE XREF: MiAgeWorkingSet+4CAj
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_37C], eax
		mov	[ebp+var_380], 0
		jnz	loc_5E9346
		lea	edx, [ebp+var_380]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_51761F

loc_517250:				; CODE XREF: MiAgeWorkingSet+4E0j
		xor	edx, edx
		test	byte ptr [ebp+arg_0], 2
		jnz	loc_5174F4
		mov	eax, [ecx+10h]
		mov	[ebp+var_368], eax
		lea	eax, [eax+esi]
		div	ebx
		mov	eax, [ebp+var_364]
		mov	[eax+10h], edx

loc_517273:				; CODE XREF: MiAgeWorkingSet+3C8j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E9358
		mov	eax, [ebp+var_380]
		test	eax, eax
		jnz	loc_517640
		mov	edx, [ebp+var_37C]
		lea	eax, [ebp+var_380]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_380]
		cmp	eax, ecx
		jnz	loc_517635

loc_5172AE:				; CODE XREF: MiAgeWorkingSet+505j
					; MiAgeWorkingSet+D2216j
		mov	ecx, [ebp+var_368]
		lea	eax, [ecx+esi]
		cmp	eax, esi
		jb	loc_5E936B

loc_5172BF:				; CODE XREF: MiAgeWorkingSet+D221Dj
		add	ecx, esi
		mov	eax, 10624DD3h
		imul	ecx, ebx
		mul	ecx
		shr	edx, 6
		mov	[ebp+var_370], edx
		cmp	edx, esi
		ja	loc_51765A

loc_5172DC:				; CODE XREF: MiAgeWorkingSet+51Dj
		xor	esi, esi
		mov	[ebp+var_354], ebx
		test	byte ptr [ebp+arg_0], 3
		mov	ebx, dword_6D5D40
		jz	loc_51738E
		mov	ecx, dword_6D5400
		mov	eax, offset unk_6D5480
		add	ecx, dword_6D53C0

loc_517305:				; CODE XREF: MiAgeWorkingSet+1BFj
		add	ecx, [eax]
		add	eax, 14h
		cmp	eax, offset dword_6D54E4
		jb	short loc_517305
		mov	eax, dword_6D54E4
		add	eax, ecx
		cmp	eax, [ebx+38h]
		jb	loc_517525

loc_517321:				; CODE XREF: MiAgeWorkingSet+401j
					; MiAgeWorkingSet+421j
		cmp	edx, 100h
		ja	loc_5175BD

loc_51732D:				; CODE XREF: MiAgeWorkingSet+49Dj
		mov	edx, 1
		lea	ecx, [ebx+5Ch]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	loc_5E9381
		lea	esi, [ebx+60h]
		mov	ecx, 100h

loc_51734B:				; CODE XREF: MiAgeWorkingSet+4A9j
					; MiAgeWorkingSet+D223Cj
		mov	al, [edi+60h]
		and	al, 7
		jnz	loc_517576
		mov	eax, 1

loc_51735B:				; CODE XREF: MiAgeWorkingSet+42Dj
		mov	dword ptr [esi+0Ch], 0
		mov	[esi], eax
		mov	word ptr [esi+4], 0
		mov	dword ptr [esi+10h], 0
		mov	[esi+8], ecx
		mov	dword ptr [esi+14h], 0
		test	byte ptr [edi+60h], 7
		jnz	short loc_51738E
		cmp	dword ptr [edi+1A4h], 0
		jnz	loc_5E9391

loc_51738E:				; CODE XREF: MiAgeWorkingSet+19Ej
					; MiAgeWorkingSet+22Fj	...
		mov	al, [ebp+var_369]
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_292], al
		mov	eax, [ebp+var_370]
		mov	[ebp+var_340], eax
		mov	al, [edi+60h]
		mov	[ebp+var_288], edi
		mov	[ebp+var_360], edx
		mov	[ebp+var_33C], esi
		and	al, 7
		jnz	loc_517582
		mov	eax, 1

loc_5173CB:				; CODE XREF: MiAgeWorkingSet+439j
		cmp	[ebp+var_374], 0
		mov	[ebp+var_338], eax
		lea	eax, [ebp+var_360]
		mov	[ebp+var_250], eax
		mov	eax, 0Eh
		mov	[ebp+var_32C], 0
		mov	[ebp+var_334], 4
		mov	[ebp+var_328], 0
		mov	[ebp+var_330], 21h
		mov	[ebp+var_324], 0
		mov	word ptr [ebp+var_298],	ax
		mov	[ebp+var_258], offset _MiAgePte@12 ; MiAgePte(x,x,x)
		mov	[ebp+var_254], offset MiAgeWorkingSetTail
		jnz	loc_5E93AC
		mov	eax, [ebp+var_364]
		test	dl, 2
		jnz	loc_51751D
		mov	eax, [eax+4]

loc_51744D:				; CODE XREF: MiAgeWorkingSet+3D0j
					; MiAgeWorkingSet+D2267j
		mov	[ebp+var_278], eax
		test	eax, eax
		jz	loc_517606

loc_51745B:				; CODE XREF: MiAgeWorkingSet+4C0j
		lea	ecx, [ebp+var_298]
		call	MiWalkPageTables
		mov	edx, eax
		mov	[ebp+var_368], edx
		test	esi, esi
		jz	short loc_517485
		lea	ecx, [ebx+60h]
		cmp	esi, ecx
		jnz	loc_51759C
		xor	eax, eax
		lea	ecx, [ebx+5Ch]
		lock and [ecx],	eax

loc_517485:				; CODE XREF: MiAgeWorkingSet+320j
					; MiAgeWorkingSet+454j	...
		cmp	edx, 4
		jz	loc_5E93BC

loc_51748E:				; CODE XREF: MiAgeWorkingSet+91j
					; MiAgeWorkingSet+D2272j
		mov	esi, dword_6D35BC
		test	esi, esi
		jz	short loc_5174D6
		mov	bl, [edi+60h]
		and	bl, 7
		jnz	loc_51758E
		mov	eax, [edi-15Ch]
		lea	ecx, [edi-94h]
		mov	edi, eax

loc_5174B2:				; CODE XREF: MiAgeWorkingSet+447j
		cmp	dword ptr [esi], 5
		mov	[ebp+var_364], ecx
		jbe	short loc_5174D6
		mov	eax, [esi+8]
		and	eax, 1
		or	eax, 0
		jnz	loc_5E93C7

loc_5174CC:				; CODE XREF: MiAgeWorkingSet+D229Aj
					; MiAgeWorkingSet+D22ACj
		xor	al, al

loc_5174CE:				; CODE XREF: MiAgeWorkingSet+D22B4j
		test	al, al
		jnz	loc_5E9409

loc_5174D6:				; CODE XREF: MiAgeWorkingSet+346j
					; MiAgeWorkingSet+36Bj	...
		cmp	edx, 4
		jz	loc_5E9582
		xor	eax, eax

loc_5174E1:				; CODE XREF: MiAgeWorkingSet+D2437j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_5174F4:				; CODE XREF: MiAgeWorkingSet+106j
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_368], eax
		lea	ecx, [eax+esi]
		mov	eax, ecx
		cmp	ebx, 0Ah
		jnz	loc_517672
		mov	ecx, ebx
		div	ecx

loc_51750F:				; CODE XREF: MiAgeWorkingSet+524j
		mov	eax, [ebp+var_364]
		mov	[eax+0Ch], edx
		jmp	loc_517273
; 

loc_51751D:				; CODE XREF: MiAgeWorkingSet+2F4j
		mov	eax, [eax+8]
		jmp	loc_51744D
; 

loc_517525:				; CODE XREF: MiAgeWorkingSet+1CBj
		cmp	byte ptr [edi+62h], 2
		jz	short loc_51753E
		cmp	ecx, [ebx+34h]
		jb	loc_5E9372
		mov	[ebp+var_358], 5

loc_51753E:				; CODE XREF: MiAgeWorkingSet+3D9j
					; MiAgeWorkingSet+D222Cj
		test	byte ptr [edi+60h], 7
		jnz	short loc_517557
		lea	ecx, [edi-240h]
		call	_MiIsStoreProcess@4 ; MiIsStoreProcess(x)
		test	eax, eax
		jnz	loc_517321

loc_517557:				; CODE XREF: MiAgeWorkingSet+3F2j
		movzx	eax, byte ptr [ebx+4C2h]
		mov	[ebp+var_35C], al
		movzx	eax, byte ptr [ebx+4C3h]
		mov	[ebp+var_35B], al
		jmp	loc_517321
; 

loc_517576:				; CODE XREF: MiAgeWorkingSet+200j
		cmp	al, 2
		sbb	eax, eax
		and	eax, 2
		jmp	loc_51735B
; 

loc_517582:				; CODE XREF: MiAgeWorkingSet+270j
		cmp	al, 2
		sbb	eax, eax
		and	eax, 2
		jmp	loc_5173CB
; 

loc_51758E:				; CODE XREF: MiAgeWorkingSet+34Ej
		cmp	bl, 2
		jb	short loc_5175FE
		xor	edi, edi

loc_517595:				; CODE XREF: MiAgeWorkingSet+4B4j
		xor	ecx, ecx
		jmp	loc_5174B2
; 

loc_51759C:				; CODE XREF: MiAgeWorkingSet+327j
		lea	eax, [ebp+var_140]
		cmp	esi, eax
		jz	loc_517485
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [ebp+var_368]
		jmp	loc_517485
; 

loc_5175BD:				; CODE XREF: MiAgeWorkingSet+1D7j
		mov	ecx, 3FBh
		mov	[ebp+var_368], ecx
		cmp	edx, ecx
		jnb	short loc_5175D4
		mov	ecx, edx
		mov	[ebp+var_368], edx

loc_5175D4:				; CODE XREF: MiAgeWorkingSet+47Aj
		push	0
		lea	ecx, ds:14h[ecx*4]
		mov	edx, 73576D4Dh
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_51732D
		mov	ecx, [ebp+var_368]
		jmp	loc_51734B
; 

loc_5175FE:				; CODE XREF: MiAgeWorkingSet+441j
		mov	edi, [edi-0B8h]
		jmp	short loc_517595
; 

loc_517606:				; CODE XREF: MiAgeWorkingSet+305j
		mov	[ebp+var_280], 0FFFFFFFFh
		jmp	loc_51745B
; 

loc_517615:				; CODE XREF: MiAgeWorkingSet+C7j
		mov	eax, offset unk_6D3C80
		jmp	loc_517223
; 

loc_51761F:				; CODE XREF: MiAgeWorkingSet+FAj
		lea	ecx, [ebp+var_380]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_51762A:				; CODE XREF: MiAgeWorkingSet+D2203j
		mov	ecx, [ebp+var_364]
		jmp	loc_517250
; 

loc_517635:				; CODE XREF: MiAgeWorkingSet+158j
		lea	ecx, [ebp+var_380]
		call	KxWaitForLockChainValid

loc_517640:				; CODE XREF: MiAgeWorkingSet+138j
		mov	[ebp+var_380], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_5172AE
; 

loc_51765A:				; CODE XREF: MiAgeWorkingSet+186j
		imul	esi, ebx
		mov	eax, 10624DD3h
		mul	esi
		shr	edx, 6
		mov	[ebp+var_370], edx
		jmp	loc_5172DC
; 

loc_517672:				; CODE XREF: MiAgeWorkingSet+3B5j
		div	ebx
		jmp	loc_51750F
MiAgeWorkingSet	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckProcessShadow proc near		; CODE XREF: MiTrimOrAgeWorkingSet+26Dp
					; MiUnlockWorkingSetExclusiveUnorderedAtDpc(x)+8p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E958C SIZE 00000089 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	ds:_MiFlags, 0C00000h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		jz	short loc_5176B4
		test	byte ptr [esi+60h], 7
		jnz	short loc_5176B4
		cmp	byte ptr [esi-1CCh], 1
		jz	short loc_5176B4
		mov	ecx, ebx
		and	ecx, 4
		jnz	short loc_5176BC
		rdtsc
		and	eax, 3FF0h
		or	eax, ecx
		jz	short loc_5176BC

loc_5176B4:				; CODE XREF: MiCheckProcessShadow+17j
					; MiCheckProcessShadow+1Dj ...
		or	eax, 0FFFFFFFFh

loc_5176B7:				; CODE XREF: MiCheckProcessShadow+D1F82j
					; MiCheckProcessShadow+D1F8Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5176BC:				; CODE XREF: MiCheckProcessShadow+2Dj
					; MiCheckProcessShadow+38j
		mov	eax, [esi+0C4h]
		test	ecx, ecx
		jnz	loc_5E958C
		test	eax, eax

loc_5176CC:				; CODE XREF: MiCheckProcessShadow+D1F1Dj
		jz	short loc_5176B4
		cmp	dword ptr [esi+0Ch], 0
		jz	short loc_5176B4
		cmp	dword ptr [esi+10h], 0
		jz	short loc_5176B4
		jmp	loc_5E959C
MiCheckProcessShadow endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDrainOldAccessBuffers	proc near	; CODE XREF: MiTrimOrAgeWorkingSet+226p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E9615 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	dl, [ecx+60h]
		lea	eax, [ecx+80h]
		and	dl, 7
		mov	[ebp+var_4], 0
		push	esi
		cmp	dl, 2
		jz	loc_5177AA
		mov	esi, eax

loc_517707:				; CODE XREF: MiDrainOldAccessBuffers+CFj
		cmp	dword ptr [esi+18h], 0
		jz	loc_517797
		cmp	dl, 2
		jz	loc_5177B4

loc_51771A:				; CODE XREF: MiDrainOldAccessBuffers+D9j
		add	eax, 40h
		mov	[ebp+var_C], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_8], eax
		jnz	loc_5E9615
		lea	edx, [ebp+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_5177CC

loc_517741:				; CODE XREF: MiDrainOldAccessBuffers+F4j
					; MiDrainOldAccessBuffers+D1F3Fj
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_517770
		mov	eax, [ecx]
		mov	edx, ecx
		test	eax, eax
		jnz	short loc_5177A0

loc_517750:				; CODE XREF: MiDrainOldAccessBuffers+C6j
		mov	eax, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		sub	edi, [edx+10h]
		sbb	eax, [edx+14h]
		cmp	eax, dword_6FB604
		jb	short loc_51776F
		ja	short loc_5177BE
		cmp	edi, _PfKernelGlobals
		ja	short loc_5177BE

loc_51776F:				; CODE XREF: MiDrainOldAccessBuffers+83j
					; MiDrainOldAccessBuffers+EAj
		pop	edi

loc_517770:				; CODE XREF: MiDrainOldAccessBuffers+66j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E9624
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5177E1
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_5177D9

loc_517797:				; CODE XREF: MiDrainOldAccessBuffers+2Bj
					; MiDrainOldAccessBuffers+113j	...
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 
		align 10h

loc_5177A0:				; CODE XREF: MiDrainOldAccessBuffers+6Ej
					; MiDrainOldAccessBuffers+C8j
		mov	edx, eax
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_517750
		jmp	short loc_5177A0
; 

loc_5177AA:				; CODE XREF: MiDrainOldAccessBuffers+1Fj
		mov	esi, offset unk_6D3C40
		jmp	loc_517707
; 

loc_5177B4:				; CODE XREF: MiDrainOldAccessBuffers+34j
		mov	eax, offset unk_6D3C40
		jmp	loc_51771A
; 

loc_5177BE:				; CODE XREF: MiDrainOldAccessBuffers+85j
					; MiDrainOldAccessBuffers+8Dj
		call	MiEmptyPageAccessLog
		mov	dword ptr [esi+18h], 0
		jmp	short loc_51776F
; 

loc_5177CC:				; CODE XREF: MiDrainOldAccessBuffers+5Bj
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_517741
; 

loc_5177D9:				; CODE XREF: MiDrainOldAccessBuffers+B5j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5177E1:				; CODE XREF: MiDrainOldAccessBuffers+A2j
		mov	[ebp+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_517797
MiDrainOldAccessBuffers	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiStackAttachProcess proc near		; CODE XREF: MiDeleteFinalPageTables+71p
					; MiIssueHardFault(x,x)+203p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A8408 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, large fs:124h
		mov	ebx, edx
		mov	eax, large fs:235Ch
		test	eax, 10001h
		push	edi
		setnz	dl
		mov	[ebp+var_8], ebx
		test	bl, 2
		mov	byte ptr [ebp+var_4], 0
		mov	edi, ecx
		setz	al
		test	dl, al
		jz	short loc_517858

loc_517835:				; CODE XREF: KiStackAttachProcess+5Fj
		mov	eax, large fs:235Ch
		and	eax, 10001h
		push	eax
		movzx	eax, byte ptr [esi+16Ah]
		push	eax
		mov	eax, [esi+80h]
		push	eax
		push	edi
		push	5
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_517858:				; CODE XREF: KiStackAttachProcess+33j
		test	dword ptr [edi+64h], 400h
		jnz	short loc_517835
		cmp	[esi+80h], edi
		jz	loc_517A26
		mov	eax, ebx
		and	eax, 2
		mov	[ebp+var_C], eax
		jnz	short loc_51789E
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_4], al
		lea	ebx, [esi+2Ch]
		mov	[ebp+var_10], 0
		lea	ebx, [ebx+0]

loc_517890:				; CODE XREF: KiStackAttachProcess+2C3j
		lock bts dword ptr [ebx], 0
		jb	loc_517AB5
		mov	ebx, [ebp+var_8]

loc_51789E:				; CODE XREF: KiStackAttachProcess+75j
		cmp	byte ptr [esi+16Ah], 0
		jnz	loc_517A39
		mov	eax, [esi+80h]
		lea	edx, [esi+70h]
		lea	ebx, [esi+174h]
		mov	[ebx+10h], eax
		mov	al, [edx+14h]
		mov	[ebx+14h], al
		mov	al, [edx+15h]
		mov	[ebx+15h], al
		mov	al, [edx+16h]
		mov	[ebx+16h], al
		mov	ecx, [edx]
		cmp	ecx, edx
		jnz	loc_517A8B
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		mov	byte ptr [ebx+15h], 0

loc_5178E2:				; CODE XREF: KiStackAttachProcess+298j
		mov	ecx, [edx+8]
		lea	eax, [edx+8]
		cmp	ecx, eax
		mov	[ebp+var_14], ecx
		lea	eax, [ebx+8]
		jnz	loc_517A9D
		mov	[eax+4], eax
		mov	[eax], eax
		mov	byte ptr [ebx+16h], 0

loc_5178FF:				; CODE XREF: KiStackAttachProcess+2B0j
		test	byte ptr [ebp+var_8], 1
		lea	eax, [esi+78h]
		mov	[edx+4], edx
		mov	[edx], edx
		mov	[eax+4], eax
		mov	[eax], eax
		mov	word ptr [esi+84h], 0
		mov	byte ptr [esi+86h], 0
		mov	byte ptr [esi+16Ah], 1
		jnz	short loc_51793D
		mov	eax, 8
		lea	ecx, [edi+7Ch]
		lock xadd [ecx], eax
		test	al, 7
		jnz	loc_517A52

loc_51793D:				; CODE XREF: KiStackAttachProcess+127j
					; KiStackAttachProcess+286j
		or	dword ptr [esi+58h], 800h
		nop
		cmp	[ebp+var_C], 0
		mov	[esi+80h], edi
		jnz	short loc_517958
		mov	dword ptr [esi+2Ch], 0

loc_517958:				; CODE XREF: KiStackAttachProcess+14Fj
		mov	ecx, large fs:20h
		mov	eax, [ebx+10h]
		mov	[ebp+var_14], eax
		movzx	eax, byte ptr [ecx+3C5h]
		movzx	edx, byte ptr [ecx+3C4h]
		mov	[ebp+var_20], edx
		lea	eax, ds:60h[eax*4]
		mov	[ebp+var_1C], eax
		add	eax, edi
		lock bts [eax],	edx
		mov	eax, large fs:1Ch
		cmp	ds:_KiKvaShadow, 0
		mov	ebx, [edi+18h]
		mov	[ebp+var_8], eax
		jz	short loc_5179AB
		movzx	ecx, byte ptr [edi+74h]
		mov	large fs:5000h,	ebx
		call	_KiSetAddressPolicy@4 ;	KiSetAddressPolicy(x)

loc_5179AB:				; CODE XREF: KiStackAttachProcess+199j
		test	byte ptr ds:_HvlEnlightenments,	1
		jnz	loc_5A841B
		mov	cr3, ebx

loc_5179BB:				; CODE XREF: KiStackAttachProcess+90C21j
		cmp	ds:_KiKvaShadow, 0
		jz	short loc_5179D2
		cmp	ds:_KiFlushPcid, 0
		jnz	short loc_5179D2
		call	_KeFlushCurrentTb@0 ; KeFlushCurrentTb()

loc_5179D2:				; CODE XREF: KiStackAttachProcess+1C2j
					; KiStackAttachProcess+1CBj
		mov	ebx, [ebp+var_14]
		mov	ax, [ebx+1Ch]
		or	ax, [edi+1Ch]
		jnz	loc_5A8426
		mov	edx, [ebp+var_8]

loc_5179E6:				; CODE XREF: KiStackAttachProcess+90C45j
		mov	ecx, [edx+40h]
		mov	ax, [edi+76h]
		mov	[ecx+66h], ax
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_20]
		add	eax, ebx
		lock btr [eax],	ecx
		and	dword ptr [esi+58h], 0FFFFF7FFh
		cmp	[ebp+var_C], 0
		jnz	short loc_517A13
		mov	cl, byte ptr [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_517A13:				; CODE XREF: KiStackAttachProcess+208j
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		mov	dword ptr [eax+10h], 0
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_517A26:				; CODE XREF: KiStackAttachProcess+67j
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		mov	dword ptr [eax+10h], 1
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_517A39:				; CODE XREF: KiStackAttachProcess+A5j
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, esi
		push	ebx
		push	[ebp+var_4]
		call	KiAttachProcess
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_517A52:				; CODE XREF: KiStackAttachProcess+137j
		push	[ebp+var_4]
		mov	edx, edi
		mov	dword ptr [esi+2Ch], 0
		mov	ecx, esi
		call	@KiInSwapSingleProcess@12 ; KiInSwapSingleProcess(x,x,x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_18], 0
		lea	ebx, [esi+2Ch]

loc_517A75:				; CODE XREF: KiStackAttachProcess+90C16j
		lock bts dword ptr [ebx], 0
		jb	loc_5A8408
		lea	ebx, [esi+174h]
		jmp	loc_51793D
; 

loc_517A8B:				; CODE XREF: KiStackAttachProcess+D3j
		mov	eax, [edx+4]
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[ecx+4], ebx
		mov	[eax], ebx
		jmp	loc_5178E2
; 

loc_517A9D:				; CODE XREF: KiStackAttachProcess+F0j
		mov	ecx, [edx+0Ch]
		mov	edx, [ebp+var_14]
		mov	[eax], edx
		mov	[ebx+0Ch], ecx
		mov	[edx+4], eax
		lea	edx, [esi+70h]
		mov	[ecx], eax
		jmp	loc_5178FF
; 

loc_517AB5:				; CODE XREF: KiStackAttachProcess+95j
					; KiStackAttachProcess+2C1j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_517AB5
		jmp	loc_517890
KiStackAttachProcess endp


;  S U B	R O U T	I N E 


; __stdcall MiReturnCcAccessLog(x, x)
_MiReturnCcAccessLog@8 proc near	; CODE XREF: MiTrimOrAgeWorkingSet+31Cp
					; MiCheckAndProcessCcAccessLog(x,x,x)+4Cp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	edx, edx
		jnz	short loc_517AF1

loc_517AD1:				; CODE XREF: MiReturnCcAccessLog(x,x)+2Fj
		cmp	dword_6D3140, 0
		jnz	short loc_517AEB
		mov	edx, offset dword_6D3140
		xor	eax, eax
		lock cmpxchg [edx], ecx
		neg	eax
		sbb	eax, eax
		and	esi, eax

loc_517AEB:				; CODE XREF: MiReturnCcAccessLog(x,x)+10j
		test	esi, esi
		jnz	short loc_517AF9
		pop	esi
		retn
; 

loc_517AF1:				; CODE XREF: MiReturnCcAccessLog(x,x)+7j
		mov	eax, [esi+18h]
		mov	[esi+20h], eax
		jmp	short loc_517AD1
; 

loc_517AF9:				; CODE XREF: MiReturnCcAccessLog(x,x)+25j
		lea	eax, [esi+38h]
		mov	ecx, esi
		cmp	[esi+20h], eax
		pop	esi
		jnz	_MiQueuePageAccessLog@4	; MiQueuePageAccessLog(x)
		mov	dl, 1
		jmp	_MmFreeAccessPfnBuffer@8 ; MmFreeAccessPfnBuffer(x,x)
_MiReturnCcAccessLog@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiUnstackDetachProcess(x, x)
_KiUnstackDetachProcess@8 proc near	; CODE XREF: MiDeleteFinalPageTables+DBp
					; .text:004490F7p ...
		mov	eax, [ecx+10h]
		cmp	eax, 1
		jz	short locret_517B2E
		test	eax, eax
		jnz	short loc_517B29
		mov	ecx, large fs:124h
		add	ecx, 174h

loc_517B29:				; CODE XREF: KiUnstackDetachProcess(x,x)+Aj
		jmp	KiDetachProcess
; 

locret_517B2E:				; CODE XREF: KiUnstackDetachProcess(x,x)+6j
		retn
_KiUnstackDetachProcess@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiIsStoreProcess(x)
_MiIsStoreProcess@4 proc near		; CODE XREF: MiInPagePageTable+308p
					; MiAgeWorkingSet+3FAp	...
		cmp	dword_6D514C, ecx
		jz	short loc_517B3B

loc_517B38:				; CODE XREF: MiIsStoreProcess(x)+12j
		xor	eax, eax
		retn
; 

loc_517B3B:				; CODE XREF: MiIsStoreProcess(x)+6j
		cmp	dword_6D5100, 0
		jz	short loc_517B38
		xor	eax, eax
		inc	eax
		retn
_MiIsStoreProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	AuthzBasepQuerySecurityAttributesToken(int,size_t,size_t,int)
AuthzBasepQuerySecurityAttributesToken proc near
					; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+EBD9Dp
					; SepInternalQuerySecurityAttributesTokenEx+D0C21p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005E9634 SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	eax, ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], edx
		push	edi
		mov	[ebx], esi
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], esi
		cmp	[eax], esi
		jz	loc_5E9634
		mov	edi, [ebp+arg_0]
		mov	ecx, esi
		test	edi, edi
		jnz	short loc_517BC4

loc_517B76:				; CODE XREF: AuthzBasepQuerySecurityAttributesToken+D1B4Ej
		lea	ecx, [ebp+var_4]
		push	ecx
		push	edi
		mov	ecx, eax
		call	_AuthzBasepGetSecurityAttributesCopyoutBufferSize@16 ; AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)
		test	eax, eax
		js	short loc_517B99
		mov	esi, [ebp+var_4]
		test	esi, esi
		jz	short loc_517BCC
		cmp	[ebp+arg_8], esi
		jnb	short loc_517BA0
		mov	eax, 0C0000023h

loc_517B97:				; CODE XREF: AuthzBasepQuerySecurityAttributesToken+7Aj
		mov	[ebx], esi

loc_517B99:				; CODE XREF: AuthzBasepQuerySecurityAttributesToken+3Cj
					; AuthzBasepQuerySecurityAttributesToken+89j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_517BA0:				; CODE XREF: AuthzBasepQuerySecurityAttributesToken+48j
		push	[ebp+arg_8]	; size_t
		push	0		; int
		push	[ebp+arg_4]	; void *
		call	_memset
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		mov	ecx, [ebp+var_C]
		push	[ebp+arg_8]	; size_t
		push	[ebp+arg_4]	; size_t
		push	edi		; int
		call	AuthzBasepCopyoutSecurityAttributes
		jmp	short loc_517B97
; 

loc_517BC4:				; CODE XREF: AuthzBasepQuerySecurityAttributesToken+2Cj
		lea	eax, [edx+4]
		jmp	loc_5E965C
; 

loc_517BCC:				; CODE XREF: AuthzBasepQuerySecurityAttributesToken+43j
					; AuthzBasepQuerySecurityAttributesToken+D1B1Bj ...
		mov	eax, 0C000000Dh
		jmp	short loc_517B99
AuthzBasepQuerySecurityAttributesToken endp

; 
		align 10h

AuthzBasepEvaluateAceCondition:		; CODE XREF: SepVerifyDesktopAppxPackageName+161p
					; SepMaximumAccessCheck+584p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 524h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		mov	eax, [ebp+8]
		push	ebx
		mov	ebx, [ebp+1Ch]
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp-504h], eax
		mov	eax, [ebp+2Ch]
		push	58h
		mov	[ebp-490h], eax
		lea	eax, [ebp-60h]
		push	esi
		push	eax
		mov	[ebp-4A8h], edx
		mov	[ebp-494h], ecx
		mov	[ebp-49Ch], ebx
		mov	[ebp-474h], esi
		mov	[ebp-488h], esi
		mov	[ebp-68h], esi
		mov	[ebp-64h], esi
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebp-4E4h], ax
		mov	[ebp-4E0h], al
		push	33h
		push	eax
		lea	eax, [ebp-4DFh]
		push	eax
		call	_memset
		xor	eax, eax
		mov	dword ptr [ebp-478h], 0FFFFFFFFh
		mov	ecx, 7
		mov	[ebp-498h], eax
		lea	edi, [ebp-524h]
		mov	[ebp-4A4h], eax
		rep stosd
		mov	[ebp-4E8h], eax
		add	esp, 0Ch
		mov	[ebp-470h], ax
		xor	al, al
		mov	[ebp-47Bh], al
		mov	[ebp-47Ah], al
		mov	[ebp-469h], al
		mov	[ebp-489h], al
		mov	[ebp-481h], al
		mov	eax, [ebp-490h]
		mov	dword ptr [ebp-500h], 0FFFFFFFFh
		mov	dword ptr [ebp-4FCh], 0FFFFFFFFh
		mov	[ebp-4ACh], esi
		mov	dword ptr [eax], 0FFFFFFFFh
		mov	[ebp-5Ch], esi
		mov	[ebp-2Ch], esi
		mov	dword ptr [ebp-518h], 1
		cmp	[ebp-494h], esi
		jz	loc_5E9D67
		test	ebx, ebx
		jz	loc_5E9D67
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_5E969B
		mov	byte ptr [ebp-48Ah], 0

loc_517D14:				; CODE XREF: .text:005E96A2j
		mov	edi, [ebp+20h]
		cmp	edi, 4
		jb	loc_5E96A7
		cmp	dword ptr [ebx], 78747261h
		jnz	loc_5E96BD
		lea	edx, [ebp-470h]
		lea	ecx, [ebp-4E4h]
		call	_AuthzBasepResetOperands@8 ; AuthzBasepResetOperands(x,x)
		xor	edx, edx
		mov	ebx, 4
		mov	[ebp-480h], edx
		cmp	edi, ebx
		jbe	loc_5E9D71
		mov	eax, [ebp+28h]
		mov	[ebp-4A0h], eax
		jmp	short loc_517D60
; 
		align 10h

loc_517D60:				; CODE XREF: .text:00517D5Bj
					; .text:00517FE2j
		mov	eax, [ebp-49Ch]
		mov	cl, [eax+ebx]
		movzx	eax, cl
		mov	[ebp-479h], cl
		cmp	eax, 0F8h
		jz	loc_517E22
		cmp	eax, 0A2h
		jnz	loc_518051
		lea	eax, [ebp-469h]
		inc	ebx
		push	eax
		push	edx
		lea	edx, [ebp-4E4h]
		call	AuthzBasepIsValidExpression
		test	al, al
		jz	loc_5E9D53
		cmp	dword ptr [ebp-480h], 1
		jnz	loc_5E9B41
		mov	ecx, [ebp-4D4h]
		call	AuthzBasepEvaluateAttribute
		mov	esi, eax
		lea	edx, [ebp-470h]
		lea	ecx, [ebp-4E4h]
		mov	[ebp-478h], esi
		call	_AuthzBasepResetOperands@8 ; AuthzBasepResetOperands(x,x)

loc_517DD5:				; CODE XREF: .text:005E9B6Dj
		cmp	esi, 0FFFFFFFFh
		jz	loc_5E9B72
		test	esi, esi
		jz	loc_5E9B7A
		xor	eax, eax

loc_517DE8:				; CODE XREF: .text:005E9B75j
					; .text:005E9B7Fj
		push	eax
		lea	edx, [ebp-488h]
		lea	ecx, [ebp-468h]
		call	_AuthzBasepPushResult@12 ; AuthzBasepPushResult(x,x,x)
		mov	edx, eax
		mov	[ebp-474h], edx
		test	edx, edx
		js	loc_518005
		lea	edx, [ebp-470h]
		lea	ecx, [ebp-4E4h]
		call	_AuthzBasepResetOperands@8 ; AuthzBasepResetOperands(x,x)
		xor	edx, edx
		jmp	loc_517FD4
; 

loc_517E22:				; CODE XREF: .text:00517D77j
					; .text:00518063j
					; DATA XREF: ...
		inc	ebx
		cmp	edx, 2
		jz	loc_5E9B84

loc_517E2C:				; CODE XREF: .text:005E9C40j
		mov	eax, edi
		sub	eax, ebx
		cmp	eax, 4
		jb	loc_5E9D53
		mov	ecx, [ebp-49Ch]
		mov	eax, edi
		mov	esi, [ecx+ebx]
		add	ebx, 4
		sub	eax, ebx
		mov	[ebp-508h], esi
		cmp	eax, esi
		jb	loc_5E9D53
		cmp	esi, 0FFFEh
		ja	loc_5E9D5D
		lea	eax, [ecx+ebx]
		mov	[ebp-510h], esi
		lea	esi, [edx+edx*2]
		mov	[ebp-50Ch], eax
		lea	ecx, [ebp-470h]
		shl	esi, 4
		add	ecx, edx
		mov	[ebp-4F4h], esi
		lea	eax, [ebp-60h]
		xor	dl, dl
		push	ecx
		add	eax, esi
		lea	ecx, [ebp-524h]
		push	eax
		call	AuthzBasepUnicodeStringFromOperandValue
		mov	[ebp-474h], eax
		test	eax, eax
		js	loc_518005
		mov	al, [ebp-479h]
		lea	edi, [ebp-68h]
		add	edi, esi
		cmp	al, 0F9h
		jz	loc_5E9C45
		cmp	al, 0FBh
		jz	loc_5E9C64
		cmp	al, 0FAh
		jz	loc_5E9C83
		cmp	al, 0FCh
		jz	loc_5E9C94
		mov	eax, [ebp-4A8h]
		mov	dword ptr [edi], 2

loc_517EDF:				; CODE XREF: .text:005E9C57j
					; .text:005E9C5Fj ...
		mov	[ebp+esi-64h], eax
		mov	ecx, edi
		mov	dword ptr [ebp+esi-48h], 0
		mov	dword ptr [ebp+esi-44h], 0
		mov	dword ptr [ebp+esi-40h], 0
		mov	dword ptr [ebp+esi-3Ch], 0
		call	AuthzBasepQuerySecurityAttributeAndValues
		mov	edx, eax
		mov	[ebp-474h], edx
		cmp	edx, 0C0000225h
		jnz	short loc_517F61
		cmp	dword ptr [edi], 2
		jnz	short loc_517F2E
		mov	eax, _SepSingletonGlobal
		test	byte ptr [eax+0Ch], 1
		jnz	loc_5E9CA5

loc_517F2E:				; CODE XREF: .text:00517F1Dj
					; .text:005E9CB5j ...
		cmp	byte ptr [ebp-48Ah], 0
		jnz	loc_518187
		cmp	dword ptr [edi], 2
		jnz	loc_518187
		mov	ecx, edi
		mov	dword ptr [edi], 7
		mov	dword ptr [ebp+esi-64h], 0
		call	AuthzBasepQuerySecurityAttributeAndValues
		mov	edx, eax
		mov	[ebp-474h], eax

loc_517F61:				; CODE XREF: .text:00517F18j
					; .text:005E9D26j ...
		test	edx, edx
		js	loc_51817B
		mov	edx, [ebp-480h]
		mov	ecx, [ebp-4F4h]
		lea	esi, ds:0[edx*8]
		mov	ax, [ebp+ecx-58h]
		sub	esi, edx
		shl	esi, 2
		mov	[ebp+esi-4E4h],	ax
		mov	eax, [ebp+ecx-50h]
		mov	[ebp+esi-4E0h],	eax
		mov	[ebp+esi-4D4h],	edi

loc_517FA0:				; CODE XREF: .text:005181BEj
					; .text:005181E8j
		mov	eax, [edi]
		inc	edx
		add	ebx, [ebp-508h]
		mov	edi, [ebp+20h]
		mov	dword ptr [ebp+esi-4D0h], 0
		mov	dword ptr [ebp+esi-4CCh], 0
		mov	dword ptr [ebp+esi-4DCh], 0
		mov	[ebp+esi-4D8h],	eax

loc_517FD4:				; CODE XREF: .text:00517E1Dj
		mov	esi, [ebp-474h]

loc_517FDA:				; CODE XREF: .text:00518110j
					; .text:00518167j
		mov	[ebp-480h], edx

loc_517FE0:				; CODE XREF: .text:loc_518079j
					; .text:005E994Cj
		cmp	ebx, edi
		jb	loc_517D60
		mov	eax, [ebp-488h]
		cmp	eax, 1
		jnz	loc_5181ED
		mov	eax, [ebp-468h]

loc_517FFD:				; CODE XREF: .text:00518209j
		mov	ecx, [ebp-490h]
		mov	[ecx], eax

loc_518005:				; CODE XREF: .text:00517E04j
					; .text:00517EA2j ...
		mov	ebx, [ebp-474h]

loc_51800B:				; CODE XREF: .text:005E96B8j
					; .text:005E96CEj ...
		xor	esi, esi
		lea	edi, [ebp-5Ch]

loc_518010:				; CODE XREF: .text:00518025j
		cmp	byte ptr [ebp+esi-470h], 0
		jnz	loc_51820E

loc_51801E:				; CODE XREF: .text:00518218j
		inc	esi
		add	edi, 30h
		cmp	esi, 2
		jb	short loc_518010
		cmp	byte ptr [ebp-481h], 0
		jnz	loc_5E9D78

loc_518034:				; CODE XREF: .text:005E9D80j
					; .text:005E9D98j
		test	ebx, ebx
		js	loc_5E9D9D

loc_51803C:				; CODE XREF: .text:005E9DA9j
		mov	ecx, [ebp-4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_518051:				; CODE XREF: .text:00517D82j
		cmp	eax, 0FCh
		ja	loc_5E9D53
		movzx	eax, ds:byte_518288[eax]
		jmp	ds:off_518260[eax*4]

loc_51806A:				; DATA XREF: .text:off_518260o
		mov	eax, [ebp-49Ch]

loc_518070:				; CODE XREF: .text:00518170j
		inc	ebx
		cmp	ebx, edi
		jb	loc_51816C

loc_518079:				; CODE XREF: .text:005E9B3Cj
		jz	loc_517FE0
		jmp	loc_5E9D53
; 

loc_518084:				; CODE XREF: .text:00518063j
					; DATA XREF: .text:00518268o
		lea	eax, [ebp-469h]
		inc	ebx
		push	eax
		push	edx
		lea	edx, [ebp-4E4h]
		call	AuthzBasepIsValidExpression
		test	al, al
		jz	loc_5E98A7
		cmp	byte ptr [ebp-469h], 0
		jnz	loc_5E98D6
		lea	eax, [ebp-478h]
		push	eax
		lea	edx, [ebp-4E4h]
		call	AuthzBasepEvaluateExpression
		mov	al, [ebp-479h]
		cmp	al, 8Fh
		jz	loc_5E98BC
		cmp	al, 8Eh
		jz	loc_5E98BC
		mov	ecx, [ebp-478h]

loc_5180DB:				; CODE XREF: .text:005E98C5j
					; .text:005E98DFj
		push	ecx

loc_5180DC:				; CODE XREF: .text:00518254j
					; .text:005E98A2j
		lea	edx, [ebp-488h]
		lea	ecx, [ebp-468h]
		call	_AuthzBasepPushResult@12 ; AuthzBasepPushResult(x,x,x)
		mov	esi, eax
		mov	[ebp-474h], esi
		test	esi, esi
		js	loc_518005
		lea	edx, [ebp-470h]
		lea	ecx, [ebp-4E4h]
		call	_AuthzBasepResetOperands@8 ; AuthzBasepResetOperands(x,x)
		xor	edx, edx
		jmp	loc_517FDA
; 

loc_518115:				; CODE XREF: .text:00518063j
					; DATA XREF: .text:00518264o
		cmp	edx, 2
		jz	loc_5E96D3

loc_51811E:				; CODE XREF: .text:005E978Fj
		lea	eax, [ebp-4E8h]
		push	eax
		lea	eax, ds:0[edx*8]
		sub	eax, edx
		lea	ecx, [ebp-4E4h]
		mov	edx, edi
		sub	edx, ebx
		lea	eax, [ecx+eax*4]
		mov	ecx, [ebp-49Ch]
		push	eax
		lea	ecx, [ecx+ebx]
		call	AuthzBasepGetConstantOperand
		mov	esi, eax
		mov	[ebp-474h], esi
		test	esi, esi
		js	loc_518005
		mov	edx, [ebp-480h]
		inc	edx
		add	ebx, [ebp-4E8h]
		jmp	loc_517FDA
; 

loc_51816C:				; CODE XREF: .text:00518073j
		cmp	byte ptr [eax+ebx], 0
		jz	loc_518070
		jmp	loc_5E9B3A
; 

loc_51817B:				; CODE XREF: .text:00517F63j
		cmp	edx, 0C0000225h
		jnz	loc_518005

loc_518187:				; CODE XREF: .text:00517F35j
					; .text:00517F3Ej
		mov	edx, [ebp-480h]
		xor	eax, eax
		mov	[ebp-474h], eax
		lea	esi, ds:0[edx*8]
		sub	esi, edx
		shl	esi, 2
		mov	[ebp+esi-4E4h],	ax
		mov	[ebp+esi-4E0h],	eax
		mov	[ebp+esi-4D4h],	eax
		cmp	[ebp+edx-470h],	al
		jz	loc_517FA0
		mov	ecx, [ebp-4F4h]
		push	eax
		mov	eax, [ebp+ecx-5Ch]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [ebp-480h]
		cmp	edx, 2
		jnb	short loc_518259
		mov	byte ptr [ebp+edx-470h], 0
		jmp	loc_517FA0
; 

loc_5181ED:				; CODE XREF: .text:00517FF1j
		test	eax, eax
		jnz	loc_518005
		cmp	edx, 1
		jnz	loc_518005
		mov	ecx, [ebp-4D4h]
		call	AuthzBasepEvaluateAttribute
		jmp	loc_517FFD
; 

loc_51820E:				; CODE XREF: .text:00518018j
		mov	eax, [edi]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_51801E
; 

loc_51821D:				; CODE XREF: .text:00518063j
					; DATA XREF: .text:0051826Co
		lea	eax, [ebp-469h]
		inc	ebx
		push	eax
		push	edx
		lea	edx, [ebp-4E4h]
		call	AuthzBasepIsValidExpression
		test	al, al
		jz	loc_5E9D53
		xor	edx, edx
		cmp	[ebp-4D4h], edx
		setnz	dl
		mov	[ebp-478h], edx
		cmp	cl, 8Dh
		jz	loc_5E9B26

loc_518253:				; CODE XREF: .text:005E9B35j
		push	edx
		jmp	loc_5180DC
; 

loc_518259:				; CODE XREF: .text:005181DEj
		call	___report_rangecheckfailure
		mov	edi, edi
; 
off_518260	dd offset loc_51806A	; DATA XREF: .text:00518063r
		dd offset loc_518115
		dd offset loc_518084
		dd offset loc_51821D
		dd offset loc_5E9993
		dd offset loc_5E9A66
		dd offset loc_5E9794
		dd offset loc_5E98E4
		dd offset loc_517E22
		dd offset loc_5E9D53
byte_518288	db 0			; DATA XREF: .text:0051805Cr
; 
		add	[ecx], eax
		add	[ecx], eax
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], eax
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], eax
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], eax
		add	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[edx], eax
		add	al, [edx]
		add	al, [edx]
		add	al, [edx]
		add	eax, [edx]
		add	al, 5
		add	al, 5
		add	eax, [edx]
		add	al, ds:9090504h[eax]
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		push	es
		push	es
		or	[edi], eax
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[ecx], ecx
		or	[eax], ecx
		or	[eax], cl
		or	ah, cl

;  S U B	R O U T	I N E 


; __stdcall AuthzBasepResetOperands(x, x)
_AuthzBasepResetOperands@8 proc	near	; CODE XREF: .text:00517D38p
					; .text:00517DD0p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, edx
		lea	esi, [ecx+10h]
		xor	edx, edx
		push	edi
		mov	edi, edx

loc_518394:				; CODE XREF: AuthzBasepResetOperands(x,x)+31j
		xor	eax, eax
		mov	[esi-0Ch], dl
		mov	[esi-10h], ax
		mov	[esi-8], edx
		mov	[esi-4], edx
		cmp	[edi+ebx], al
		jnz	short loc_5183BD

loc_5183A8:				; CODE XREF: AuthzBasepResetOperands(x,x)+4Cj
		mov	[esi], edx
		inc	edi
		mov	[esi+4], edx
		mov	[esi+8], edx
		add	esi, 1Ch
		cmp	edi, 2
		jb	short loc_518394
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_5183BD:				; CODE XREF: AuthzBasepResetOperands(x,x)+20j
		mov	eax, [esi]
		push	edx
		push	dword ptr [eax+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi]
		xor	edx, edx
		mov	[eax+0Ch], edx
		mov	[edi+ebx], dl
		jmp	short loc_5183A8
_AuthzBasepResetOperands@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	AuthzBasepCopyoutSecurityAttributes(int,size_t,size_t)
AuthzBasepCopyoutSecurityAttributes proc near
					; CODE XREF: AuthzBasepQuerySecurityAttributesToken+75p
					; SepInternalQuerySecurityAttributesTokenEx+EFp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E9DAE SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_C], ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_10], esi
		push	edi
		test	ebx, ebx
		jz	loc_5E9DAE
		test	eax, eax
		jz	loc_5E9DAE
		lea	edi, [ebx+eax]
		mov	[ebp+var_4], edi
		cmp	edi, ebx
		jb	loc_5E9DAE
		push	eax		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		lea	eax, [ebx+0Ch]
		mov	[ebp+arg_4], 0Ch
		add	esp, 0Ch
		cmp	eax, edi
		ja	loc_5E9DC8
		test	esi, esi
		jz	loc_51861F
		mov	eax, [ebp+arg_0]

loc_518440:				; CODE XREF: AuthzBasepCopyoutSecurityAttributes+244j
		mov	ecx, 18h
		mov	[ebp+var_14], eax
		mul	ecx
		lea	ecx, [ebp+arg_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		js	loc_518629
		mov	esi, [ebp+arg_4]
		lea	edx, [ebx+0Ch]
		add	esi, edx
		cmp	esi, edi
		ja	loc_5E9DD2
		mov	eax, [ebp+var_14]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_10]
		mov	dword ptr [ebx], 1
		mov	[ebx+8], edx
		test	eax, eax
		jz	loc_51855F
		cmp	[ebp+arg_0], 0
		mov	[ebp+var_18], 0
		jbe	loc_518613
		lea	ecx, [edx+10h]
		mov	[ebp+var_8], ecx

loc_5184A2:				; CODE XREF: AuthzBasepCopyoutSecurityAttributes+16Ej
		mov	ecx, [ebp+var_C]
		mov	edx, eax
		call	_AuthzBasepFindSecurityAttribute@8 ; AuthzBasepFindSecurityAttribute(x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_5E9DDC
		mov	cx, [eax+18h]
		inc	esi
		mov	edx, [ebp+var_8]
		mov	[edx-8], cx
		mov	ecx, [eax+24h]
		mov	[edx], ecx
		xor	ecx, ecx
		mov	[edx-6], cx
		mov	eax, [eax+1Ch]
		mov	ecx, [ebp+var_14]
		mov	[edx-4], eax
		movzx	eax, word ptr [ecx+10h]
		mov	[ebp+arg_4], eax
		mov	eax, esi
		and	eax, 0FFFFFFFEh
		add	eax, [ebp+arg_4]
		cmp	eax, edi
		ja	loc_5E9DD2
		mov	eax, [ebp+arg_4]
		lea	edi, [edx-10h]
		and	esi, 0FFFFFFFEh
		mov	[edi], ax
		push	eax		; size_t
		mov	[edx-0Eh], ax
		mov	[edx-0Ch], esi
		mov	eax, [ecx+14h]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esi, [ebp+arg_4]
		lea	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_14]
		add	esp, 0Ch
		mov	edx, edi
		push	eax
		mov	eax, [ebp+var_4]
		sub	eax, esi
		push	eax
		push	esi
		call	AuthzBasepCopyoutSecurityAttributeValues
		mov	edx, eax
		test	edx, edx
		js	loc_518629
		mov	edi, [ebp+var_18]
		mov	eax, [ebp+var_10]
		inc	edi
		add	esi, [ebp+arg_4]
		add	eax, 8
		add	[ebp+var_8], 18h
		cmp	edi, [ebp+arg_0]
		mov	[ebp+var_18], edi
		mov	edi, [ebp+var_4]
		mov	[ebp+var_10], eax
		jb	loc_5184A2

loc_518554:				; CODE XREF: AuthzBasepCopyoutSecurityAttributes+D19D6j
					; AuthzBasepCopyoutSecurityAttributes+D19E3j
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_51855F:				; CODE XREF: AuthzBasepCopyoutSecurityAttributes+A5j
		mov	eax, [ebp+var_C]
		add	eax, 4
		mov	[ebp+var_18], eax
		mov	ecx, [eax]
		mov	[ebp+arg_0], ecx
		cmp	ecx, eax
		jz	loc_518613
		add	edx, 10h
		mov	[ebp+var_14], edx
		jmp	short loc_518580
; 
		align 10h

loc_518580:				; CODE XREF: AuthzBasepCopyoutSecurityAttributes+19Bj
					; AuthzBasepCopyoutSecurityAttributes+22Dj
		mov	ax, [ecx+18h]
		inc	esi
		mov	[edx-8], ax
		mov	eax, [ecx+24h]
		mov	[edx], eax
		xor	eax, eax
		mov	[edx-6], ax
		mov	eax, [ecx+1Ch]
		mov	[edx-4], eax
		movzx	eax, word ptr [ecx+10h]
		mov	[ebp+arg_4], eax
		mov	eax, esi
		and	eax, 0FFFFFFFEh
		add	eax, [ebp+arg_4]
		cmp	eax, edi
		ja	loc_5E9DD2
		mov	eax, [ebp+arg_4]
		lea	edi, [edx-10h]
		and	esi, 0FFFFFFFEh
		mov	[edi], ax
		push	eax		; size_t
		mov	[edx-0Eh], ax
		mov	[edx-0Ch], esi
		mov	eax, [ecx+14h]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esi, [ebp+arg_4]
		lea	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	edx, edi
		push	eax
		mov	eax, [ebp+var_4]
		sub	eax, esi
		push	eax
		push	esi
		call	AuthzBasepCopyoutSecurityAttributeValues
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		js	short loc_518629
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+var_14]
		add	esi, [ebp+arg_4]
		add	edx, 18h
		mov	edi, [ebp+var_4]
		mov	ecx, [ecx]
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_14], edx
		cmp	ecx, [ebp+var_18]
		jnz	loc_518580

loc_518613:				; CODE XREF: AuthzBasepCopyoutSecurityAttributes+B6j
					; AuthzBasepCopyoutSecurityAttributes+18Fj
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_51861F:				; CODE XREF: AuthzBasepCopyoutSecurityAttributes+57j
		mov	eax, [ebp+var_C]
		mov	eax, [eax]
		jmp	loc_518440
; 

loc_518629:				; CODE XREF: AuthzBasepCopyoutSecurityAttributes+7Bj
					; AuthzBasepCopyoutSecurityAttributes+14Bj ...
		mov	eax, [ebp+arg_8]
		jmp	loc_5E9DB3
AuthzBasepCopyoutSecurityAttributes endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepCopyoutSecurityAttributeValues proc near
					; CODE XREF: AuthzBasepCopyoutSecurityAttributes+142p
					; AuthzBasepCopyoutSecurityAttributes+205p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E9DE6 SIZE 00000145 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		add	ebx, esi
		mov	[ebp+var_4], edx
		mov	edx, ecx
		mov	[ebp+var_14], ebx
		cmp	ebx, esi
		jb	loc_5E9DE6
		movzx	eax, word ptr [edx+18h]
		push	edi
		mov	edi, [ebp+arg_8]
		mov	dword ptr [edi], 0
		cmp	eax, 2
		jnz	short loc_5186D1

loc_518675:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+144j
					; DATA XREF: .text:off_51879Co
		mov	eax, [edx+24h]
		shl	eax, 3
		mov	[ebp+arg_0], eax
		lea	eax, [esi+7]
		mov	ecx, eax
		and	ecx, 0FFFFFFF8h
		add	ecx, [ebp+arg_0]
		cmp	ecx, ebx
		ja	loc_51878B
		mov	ecx, [ebp+var_4]
		and	eax, 0FFFFFFF8h
		mov	[ecx+14h], eax
		lea	ecx, [edx+2Ch]
		mov	edx, [ecx]
		cmp	edx, ecx
		jz	short loc_5186BC
		mov	ebx, eax
		mov	edi, ecx

loc_5186A7:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+7Aj
		mov	ecx, [edx+18h]
		lea	ebx, [ebx+8]
		mov	[ebx-8], ecx
		mov	ecx, [edx+1Ch]
		mov	[ebx-4], ecx
		mov	edx, [edx]
		cmp	edx, edi
		jnz	short loc_5186A7

loc_5186BC:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+61j
		add	eax, [ebp+arg_0]
		mov	edi, [ebp+arg_8]

loc_5186C2:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+CFj
					; AuthzBasepCopyoutSecurityAttributeValues+D17E8j ...
		sub	eax, esi
		mov	[edi], eax
		xor	eax, eax

loc_5186C8:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+D18E6j
		pop	edi

loc_5186C9:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+D17ABj
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_5186D1:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+33j
		cmp	eax, 3
		jnz	loc_518773
		mov	eax, [edx+24h]
		shl	eax, 3
		mov	[ebp+arg_8], eax
		lea	eax, [esi+3]
		mov	ecx, eax
		and	ecx, 0FFFFFFFCh
		add	ecx, [ebp+arg_8]
		cmp	ecx, ebx
		ja	loc_51878B
		mov	ecx, [ebp+var_4]
		and	eax, 0FFFFFFFCh
		mov	[ebp+arg_4], eax
		mov	[ecx+14h], eax
		lea	ecx, [edx+2Ch]
		add	eax, [ebp+arg_8]
		mov	ebx, [ecx]
		mov	[ebp+var_8], ecx
		cmp	ebx, ecx
		jz	short loc_5186C2
		mov	ecx, [ebp+arg_4]
		add	ecx, 4
		mov	[ebp+arg_8], ecx
		lea	ebx, [ebx+0]

loc_518720:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+122j
		movzx	edx, word ptr [ebx+18h]
		mov	esi, edx
		mov	[ebp+arg_4], esi
		mov	[ebp+var_10], esi
		add	esi, eax
		cmp	esi, [ebp+var_14]
		mov	[ebp+var_C], esi
		mov	esi, [ebp+arg_0]
		ja	short loc_51878B
		push	edx		; size_t
		mov	[ecx-4], dx
		mov	[ecx-2], dx
		mov	[ecx], eax
		mov	ecx, [ebx+1Ch]
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_8]
		add	esp, 0Ch
		mov	ebx, [ebx]
		add	ecx, 8
		mov	eax, [ebp+var_C]
		mov	[ebp+arg_8], ecx
		cmp	ebx, [ebp+var_8]
		jnz	short loc_518720
		sub	eax, esi
		mov	[edi], eax
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_518773:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+94j
		dec	eax
		cmp	eax, 0Fh
		ja	loc_5E9F21
		movzx	eax, ds:byte_5187AC[eax]
		jmp	ds:off_51879C[eax*4]
; 

loc_51878B:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+4Bj
					; AuthzBasepCopyoutSecurityAttributeValues+B0j	...
		pop	edi
		pop	esi
		mov	eax, 80000005h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
AuthzBasepCopyoutSecurityAttributeValues endp

; 
		align 4
off_51879C	dd offset loc_518675	; DATA XREF: AuthzBasepCopyoutSecurityAttributeValues+144r
		dd offset loc_5E9DF0
		dd offset loc_5E9E9D
		dd offset loc_5E9F21
byte_5187AC	db 0			; DATA XREF: AuthzBasepCopyoutSecurityAttributeValues+13Dr
		db 2 dup(3), 1
		dd 3030002h, 3030303h, 2030303h, 0CCCCCCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcGetDirtyPagesHelper proc near		; DATA XREF: CcGetDirtyPages(x,x,x,x)+12o

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= byte ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E9F2B SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A54F8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 60h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_28], 0
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_58], eax
		lea	edi, [ebp+var_70]
		stosd
		stosd
		stosd
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx+8]
		mov	[ebp+var_38], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_34], eax
		mov	edi, [ecx]
		mov	[ebp+var_44], edi
		mov	eax, [ecx+4]
		mov	[ebp+var_40], eax
		mov	esi, [ebp+arg_0]
		lea	ecx, [esi+40h]
		lea	edx, [ebp+var_70]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ebx, [esi+30h]
		sub	ebx, 50h
		mov	[ebp+var_24], ebx
		mov	[ebp+var_4], 0
		mov	[ebp+var_48], 1
		jmp	short loc_518860
; 
		align 10h

loc_518860:				; CODE XREF: CcGetDirtyPagesHelper+98j
					; CcGetDirtyPagesHelper+DEj
		lea	eax, [esi-20h]
		cmp	ebx, eax
		jz	loc_518A87
		mov	eax, [ebx+60h]
		test	eax, 800h
		jnz	loc_5E9F53
		test	eax, 2000000h
		jnz	loc_5E9F2B

loc_518884:				; CODE XREF: CcGetDirtyPagesHelper+D1777j
		test	eax, 1000000h
		jz	short loc_518895
		mov	eax, [ebx+98h]
		cmp	[eax], edi
		jz	short loc_5188A0

loc_518895:				; CODE XREF: CcGetDirtyPagesHelper+C9j
					; CcGetDirtyPagesHelper+2AEj
		mov	ebx, [ebx+50h]
		sub	ebx, 50h
		mov	[ebp+var_24], ebx
		jmp	short loc_518860
; 

loc_5188A0:				; CODE XREF: CcGetDirtyPagesHelper+D3j
					; CcGetDirtyPagesHelper+D1771j
		inc	dword ptr [ebx+4]
		inc	dword ptr [ebx+178h]
		inc	dword ptr [ebx+4Ch]
		test	ds:byte_70EFC6,	1
		jnz	loc_5E9F3C
		mov	ecx, [ebp+var_70]
		test	ecx, ecx
		jnz	loc_518B1D
		mov	edx, [ebp+var_6C]
		lea	eax, [ebp+var_70]
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_70]
		cmp	eax, ecx
		jnz	loc_518B0A

loc_5188D9:				; CODE XREF: CcGetDirtyPagesHelper+D1787j
		mov	ebx, [ebp+var_24]
		mov	eax, [ebp+var_20]
		mov	[ebp+var_1C], eax

loc_5188E2:				; CODE XREF: CcGetDirtyPagesHelper+36Fj
		mov	cl, [ebp+var_68]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	ecx, [ebx+44h]
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	esi, eax
		mov	[ebp+var_2C], esi
		test	esi, esi
		jz	loc_518AE8
		mov	[ebp+var_30], esi

loc_518903:				; CODE XREF: CcGetDirtyPagesHelper+335j
		lea	ecx, [ebx+0B4h]
		call	ExAcquireFastMutex
		lea	eax, [ebx+10h]
		mov	edi, [eax]

loc_518913:				; CODE XREF: CcGetDirtyPagesHelper+170j
		sub	edi, 10h
		mov	[ebp+var_28], edi
		lea	esi, [edi+10h]
		cmp	esi, eax
		jz	loc_518A00
		mov	ecx, 2FDh
		cmp	[edi], cx
		jz	short loc_518932

loc_51892E:				; CODE XREF: CcGetDirtyPagesHelper+176j
					; CcGetDirtyPagesHelper+23Bj ...
		mov	edi, [esi]
		jmp	short loc_518913
; 

loc_518932:				; CODE XREF: CcGetDirtyPagesHelper+16Cj
		cmp	byte ptr [edi+2], 0
		jz	short loc_51892E
		mov	eax, [edi+8]
		mov	[ebp+var_64], eax
		mov	eax, [edi+0Ch]
		mov	[ebp+var_60], eax
		mov	eax, [edi+4]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_4C], eax
		mov	eax, [edi+20h]
		mov	[ebp+var_54], eax
		mov	eax, [edi+24h]
		mov	[ebp+var_50], eax
		mov	eax, [edi+28h]
		mov	[ebp+var_5C], eax
		mov	eax, [edi+2Ch]
		mov	[ebp+var_58], eax
		inc	dword ptr [edi+34h]
		lea	ecx, [ebx+0B4h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_51898D
		push	1
		mov	dl, 1
		mov	ecx, eax
		call	CcUnpinFileDataEx
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], eax

loc_51898D:				; CODE XREF: CcGetDirtyPagesHelper+1B8j
		push	[ebp+var_34]
		push	[ebp+var_38]
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_54]
		push	eax
		push	[ebp+var_3C]
		lea	eax, [ebp+var_64]
		push	eax
		push	[ebp+var_2C]
		call	[ebp+var_40]
		mov	eax, [ebp+var_54]
		or	eax, [ebp+var_50]
		jz	short loc_5189D9
		mov	eax, [ebp+arg_4]
		mov	edx, [eax+10h]
		mov	ecx, [eax+14h]
		mov	eax, edx
		or	eax, ecx
		jz	loc_518A73
		cmp	[ebp+var_50], ecx
		jg	short loc_5189D9
		mov	eax, [ebp+var_54]
		jl	loc_518A76
		cmp	eax, edx
		jb	loc_518A76

loc_5189D9:				; CODE XREF: CcGetDirtyPagesHelper+1EEj
					; CcGetDirtyPagesHelper+206j ...
		lea	ecx, [ebx+0B4h]
		call	ExAcquireFastMutex
		mov	eax, [edi+34h]
		cmp	eax, 1
		ja	loc_518B34
		mov	eax, edi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], eax
		lea	eax, [ebx+10h]
		jmp	loc_51892E
; 

loc_518A00:				; CODE XREF: CcGetDirtyPagesHelper+15Ej
		lea	ecx, [ebx+0B4h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		add	ebx, 44h
		mov	ecx, [ebx]
		mov	esi, [ebp+var_30]

loc_518A13:				; CODE XREF: CcGetDirtyPagesHelper+D178Ej
		mov	eax, ecx
		xor	eax, esi
		cmp	eax, 7
		jnb	loc_518AFA
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jnz	loc_5E9F4C

loc_518A31:				; CODE XREF: CcGetDirtyPagesHelper+345j
		mov	esi, [ebp+var_20]
		mov	[ebp+var_1C], esi
		test	esi, esi
		jz	short loc_518A4E
		push	1
		mov	dl, 1
		mov	ecx, esi
		call	CcUnpinFileDataEx
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], eax

loc_518A4E:				; CODE XREF: CcGetDirtyPagesHelper+279j
		mov	esi, [ebp+arg_0]
		lea	ecx, [esi+40h]
		lea	edx, [ebp+var_70]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ebx, [ebp+var_24]
		dec	dword ptr [ebx+4]
		dec	dword ptr [ebx+178h]
		dec	dword ptr [ebx+4Ch]
		mov	edi, [ebp+var_44]
		jmp	loc_518895
; 

loc_518A73:				; CODE XREF: CcGetDirtyPagesHelper+1FDj
		mov	eax, [ebp+var_54]

loc_518A76:				; CODE XREF: CcGetDirtyPagesHelper+20Bj
					; CcGetDirtyPagesHelper+213j
		mov	ecx, [ebp+arg_4]
		mov	[ecx+10h], eax
		mov	eax, [ebp+var_50]
		mov	[ecx+14h], eax
		jmp	loc_5189D9
; 

loc_518A87:				; CODE XREF: CcGetDirtyPagesHelper+A5j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E9F68
		mov	eax, [ebp+var_70]
		test	eax, eax
		jnz	loc_518B48
		mov	edx, [ebp+var_6C]
		lea	eax, [ebp+var_70]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_70]
		cmp	eax, ecx
		jnz	loc_518B40

loc_518AB6:				; CODE XREF: CcGetDirtyPagesHelper+39Aj
					; CcGetDirtyPagesHelper+D17B3j
		mov	cl, [ebp+var_68]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	[ebp+var_48], 0
		call	sub_518B5F
		mov	al, 1
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_518AE8:				; CODE XREF: CcGetDirtyPagesHelper+13Aj
		mov	ecx, ebx
		call	_CcSlowReferenceSharedCacheMapFileObject@4 ; CcSlowReferenceSharedCacheMapFileObject(x)
		mov	[ebp+var_2C], eax
		mov	[ebp+var_30], eax
		jmp	loc_518903
; 

loc_518AFA:				; CODE XREF: CcGetDirtyPagesHelper+25Aj
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_518A31
; 

loc_518B0A:				; CODE XREF: CcGetDirtyPagesHelper+113j
		lea	ecx, [ebp+var_70]
		call	KxWaitForLockChainValid
		mov	ecx, eax
		mov	ebx, [ebp+var_24]
		mov	eax, [ebp+var_20]
		mov	[ebp+var_1C], eax

loc_518B1D:				; CODE XREF: CcGetDirtyPagesHelper+FEj
		mov	[ebp+var_70], 0
		mov	edx, 1
		lea	eax, [ecx+4]
		lock xor [eax],	edx
		jmp	loc_5188E2
; 

loc_518B34:				; CODE XREF: CcGetDirtyPagesHelper+22Aj
		dec	eax
		mov	[edi+34h], eax
		lea	eax, [ebx+10h]
		jmp	loc_51892E
; 

loc_518B40:				; CODE XREF: CcGetDirtyPagesHelper+2F0j
		lea	ecx, [ebp+var_70]
		call	KxWaitForLockChainValid

loc_518B48:				; CODE XREF: CcGetDirtyPagesHelper+2D9j
		mov	[ebp+var_70], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_518AB6
CcGetDirtyPagesHelper endp


;  S U B	R O U T	I N E 


sub_518B5F	proc near		; CODE XREF: CcGetDirtyPagesHelper+30Dp
					; sub_5E9F78j

; FUNCTION CHUNK AT 005E9F7D SIZE 00000019 BYTES

		cmp	dword ptr [ebp-48h], 0
		jnz	loc_5E9F7D

locret_518B69:				; CODE XREF: sub_518B5F+D1423j
					; sub_518B5F+D1432j
		retn
sub_518B5F	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepCanTokenMatchAllPackageSid proc near	; CODE XREF: SepMatchPackage+57p
					; SepNormalAccessCheck+412p ...

var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E9F96 SIZE 000000EA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+50h+var_40], 240022h
		mov	eax, [esp+50h+var_40]
		xor	bl, bl
		mov	[esp+50h+var_30], eax
		mov	bh, 1
		mov	[esp+50h+var_38], 0
		mov	eax, [edi+1DCh]
		mov	[esp+50h+var_28], 0
		mov	[esp+50h+var_24], 0
		mov	[esp+50h+var_20], 0
		mov	[esp+50h+var_1C], 0
		mov	[esp+50h+var_18], 0
		mov	[esp+50h+var_14], 0
		mov	[esp+50h+var_10], 0
		mov	[esp+50h+var_C], 0
		mov	[esp+50h+var_2C], offset ??_C@_1CE@CHNBNALE@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAN?$AAO?$AAA?$AAL?$AAL?$AAA?$AAP?$AAP?$AAP@FNODOBFM@
		mov	[esp+50h+var_34], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_518C3D
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [edi+30h]
		movzx	ecx, word ptr [esi+0Eh]
		mov	eax, ecx
		mov	edx, ecx
		and	eax, 1
		jnz	loc_5E9F96

loc_518C25:				; CODE XREF: SepCanTokenMatchAllPackageSid+D1429j
		test	ax, ax
		jnz	short loc_518C97

loc_518C2A:				; CODE XREF: SepCanTokenMatchAllPackageSid+D1489j
		mov	dl, 1
		test	cl, dl
		mov	ecx, esi
		jnz	loc_5E9FFE
		call	ExpAcquireResourceSharedLite

loc_518C3B:				; CODE XREF: SepCanTokenMatchAllPackageSid+D1493j
		mov	bl, 1

loc_518C3D:				; CODE XREF: SepCanTokenMatchAllPackageSid+91j
		lea	ecx, [esp+50h+var_38]
		call	AuthzBasepQuerySecurityAttributeAndValues
		test	eax, eax
		jns	loc_5EA008

loc_518C4E:				; CODE XREF: SepCanTokenMatchAllPackageSid+D14A5j
					; SepCanTokenMatchAllPackageSid+D14ACj
		test	bl, bl
		jz	short loc_518C83
		mov	esi, [edi+30h]
		movzx	ecx, word ptr [esi+0Eh]
		mov	eax, ecx
		mov	edx, ecx
		and	eax, 1
		jnz	loc_5EA021

loc_518C66:				; CODE XREF: SepCanTokenMatchAllPackageSid+D14B4j
		test	ax, ax
		jnz	short loc_518CB1

loc_518C6B:				; CODE XREF: SepCanTokenMatchAllPackageSid+D150Bj
		test	cl, 1
		mov	ecx, esi
		jnz	short loc_518CCB
		mov	edx, large fs:124h
		call	ExpReleaseResourceForThreadLite

loc_518C7E:				; CODE XREF: SepCanTokenMatchAllPackageSid+160j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_518C83:				; CODE XREF: SepCanTokenMatchAllPackageSid+E0j
		mov	ecx, [esp+50h+var_4]
		mov	al, bh
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_518C97:				; CODE XREF: SepCanTokenMatchAllPackageSid+B8j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		cmp	al, 1
		ja	loc_5E9FB0
		jmp	loc_5E9FC4
; 

loc_518CB1:				; CODE XREF: SepCanTokenMatchAllPackageSid+F9j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		cmp	al, 2
		ja	loc_5EA03B
		jmp	loc_5EA04F
; 

loc_518CCB:				; CODE XREF: SepCanTokenMatchAllPackageSid+100j
		call	_ExpFastResourceLegacyRelease@4	; ExpFastResourceLegacyRelease(x)
		jmp	short loc_518C7E
SepCanTokenMatchAllPackageSid endp

; 
		align 10h

;  S U B	R O U T	I N E 


AuthzBasepQuerySecurityAttributeAndValues proc near ; CODE XREF: AuthzBasepGetNextValue+29p
					; AuthzBasepRestartOperandValueEnumeration(x)+24j ...

; FUNCTION CHUNK AT 005EA080 SIZE 00000006 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi]
		cmp	eax, 6
		jz	loc_5EA080
		cmp	eax, 7
		jz	short loc_518D1B
		mov	edx, [esi+20h]
		mov	eax, edx
		or	eax, [esi+24h]
		push	edi
		jnz	short loc_518D57
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_518D13
		lea	edx, [esi+8]
		call	_AuthzBasepFindSecurityAttribute@8 ; AuthzBasepFindSecurityAttribute(x,x)
		test	eax, eax
		jnz	short loc_518D21

loc_518D13:				; CODE XREF: AuthzBasepQuerySecurityAttributeAndValues+25j
		mov	eax, 0C0000225h

loc_518D18:				; CODE XREF: AuthzBasepQuerySecurityAttributeAndValues+88j
		pop	edi
		pop	esi
		retn
; 

loc_518D1B:				; CODE XREF: AuthzBasepQuerySecurityAttributeAndValues+13j
		pop	esi
		jmp	AuthzBasepQuerySystemSecurityAttributeAndValues
; 

loc_518D21:				; CODE XREF: AuthzBasepQuerySecurityAttributeAndValues+31j
		mov	ecx, [eax+24h]
		mov	edi, [eax+2Ch]
		mov	[esi+18h], ecx
		mov	cx, [eax+18h]
		mov	[esi+10h], cx
		mov	ecx, [eax+1Ch]
		mov	[esi+14h], ecx
		mov	[esi+20h], eax
		mov	dword ptr [esi+24h], 0

loc_518D42:				; CODE XREF: AuthzBasepQuerySecurityAttributeAndValues+81j
		lea	eax, [edi+18h]
		mov	[esi+28h], edi
		mov	[esi+1Ch], eax
		xor	eax, eax
		mov	dword ptr [esi+2Ch], 0
		pop	edi
		pop	esi
		retn
; 

loc_518D57:				; CODE XREF: AuthzBasepQuerySecurityAttributeAndValues+1Ej
		mov	eax, [esi+28h]
		mov	edi, [eax]
		lea	eax, [edx+2Ch]
		cmp	edi, eax
		jnz	short loc_518D42
		mov	eax, 8000001Ah
		jmp	short loc_518D18
AuthzBasepQuerySecurityAttributeAndValues endp

; 
		align 10h
; Exported entry 2503. SeSecurityAttributePresent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeSecurityAttributePresent
SeSecurityAttributePresent proc	near	; CODE XREF: SepVerifyDesktopAppxPackageName+76p
					; PsQueryProcessAttributesByToken(x,x,x)+15p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005EA086 SIZE 000000D1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		xor	bl, bl
		call	edi
		mov	esi, [ebp+arg_0]
		cmp	al, 2
		jnb	short loc_518DCA
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [esi+30h]
		movzx	ecx, word ptr [edi+0Eh]
		mov	eax, ecx
		mov	edx, ecx
		and	eax, 1
		jnz	loc_5EA086

loc_518DAC:				; CODE XREF: SeSecurityAttributePresent+D1319j
		test	ax, ax
		jnz	short loc_518E1C

loc_518DB1:				; CODE XREF: SeSecurityAttributePresent+D1379j
		mov	dl, 1
		test	cl, dl
		mov	ecx, edi
		jnz	loc_5EA0EE
		call	ExpAcquireResourceSharedLite

loc_518DC2:				; CODE XREF: SeSecurityAttributePresent+D1383j
		mov	edi, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, 1

loc_518DCA:				; CODE XREF: SeSecurityAttributePresent+18j
		mov	ecx, [esi+1DCh]
		mov	edx, [ebp+arg_4]
		call	_AuthzBasepFindSecurityAttribute@8 ; AuthzBasepFindSecurityAttribute(x,x)
		test	eax, eax
		setnz	bh
		test	bl, bl
		jz	short loc_518E12
		mov	esi, [esi+30h]
		movzx	ecx, word ptr [esi+0Eh]
		mov	eax, ecx
		mov	edx, ecx
		and	eax, 1
		jnz	loc_5EA0F8

loc_518DF5:				; CODE XREF: SeSecurityAttributePresent+D138Bj
		test	ax, ax
		jnz	short loc_518E36

loc_518DFA:				; CODE XREF: SeSecurityAttributePresent+D13E2j
		test	cl, 1
		mov	ecx, esi
		jnz	short loc_518E4C
		mov	edx, large fs:124h
		call	ExpReleaseResourceForThreadLite

loc_518E0D:				; CODE XREF: SeSecurityAttributePresent+E1j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_518E12:				; CODE XREF: SeSecurityAttributePresent+6Fj
		pop	edi
		pop	esi
		mov	al, bh
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_518E1C:				; CODE XREF: SeSecurityAttributePresent+3Fj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		cmp	al, 1
		ja	loc_5EA0A0
		jmp	loc_5EA0B4
; 

loc_518E36:				; CODE XREF: SeSecurityAttributePresent+88j
		call	edi
		mov	ecx, large fs:124h
		cmp	al, 2
		ja	loc_5EA112
		jmp	loc_5EA126
; 

loc_518E4C:				; CODE XREF: SeSecurityAttributePresent+8Fj
		call	_ExpFastResourceLegacyRelease@4	; ExpFastResourceLegacyRelease(x)
		jmp	short loc_518E0D
SeSecurityAttributePresent endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcUnpinFileDataEx proc near		; CODE XREF: CcAcquireByteRangeForWrite+A5Dp
					; CcAcquireByteRangeForWrite+ABCp ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005EA157 SIZE 00000199 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		xor	eax, eax
		mov	bl, dl
		push	esi
		mov	esi, ecx
		mov	[esp+3Ch+var_C], eax
		mov	[esp+3Ch+var_8], eax
		mov	[esp+3Ch+var_4], eax
		mov	eax, 2FDh
		push	edi
		cmp	[esi], ax
		jz	short loc_518EC2
		mov	edi, [esi+4]
		or	eax, 0FFFFFFFFh
		lock xadd [esi+8], eax
		dec	eax
		movzx	eax, ax
		test	ax, ax
		jz	short loc_518EA7
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_518EA7:				; CODE XREF: CcUnpinFileDataEx+3Cj
		mov	eax, [edi+74h]
		test	eax, eax
		jnz	loc_5EA157

loc_518EB2:				; CODE XREF: CcUnpinFileDataEx+D1301j
		lock dec dword ptr [edi+180h]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_518EC2:				; CODE XREF: CcUnpinFileDataEx+28j
		mov	edi, [esi+70h]
		mov	[esp+40h+var_28], edi
		cmp	dword ptr [edi+6Ch], 0
		mov	eax, [edi+174h]
		mov	[esp+40h+var_24], eax
		mov	eax, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[esp+40h+var_20], eax
		jz	short loc_518F58
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bh, al
		jnz	loc_5EA166
		mov	[esp+40h+var_1C], 0
		mov	eax, offset dword_6CF3C0
		lock bts dword ptr [eax], 1Fh
		jb	loc_519338

loc_518F11:				; CODE XREF: CcUnpinFileDataEx+4E5j
		mov	edx, dword_6CF3C0
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5EA177

loc_518F29:				; CODE XREF: CcUnpinFileDataEx+D1312j
					; CcUnpinFileDataEx+D1356j
		test	ds:byte_70EFC6,	1
		jnz	loc_5EA1BB
		mov	dword_6CF3C0, 0

loc_518F40:				; CODE XREF: CcUnpinFileDataEx+D1368j
		mov	cl, bh
		call	[esp+40h+var_20]
		mov	eax, dword_6D4EA4
		mov	eax, [eax+4]
		cmp	[esp+40h+var_24], eax
		jnz	loc_5EA1CD

loc_518F58:				; CODE XREF: CcUnpinFileDataEx+80j
		test	dword ptr [edi+60h], 200h
		jz	loc_51924D
		cmp	[ebp+arg_0], 1
		jz	loc_51924D

loc_518F6F:				; CODE XREF: CcUnpinFileDataEx+3EFj
		add	edi, 0B4h
		mov	[esp+40h+var_10], 0
		mov	eax, edi
		and	eax, 7FFFFFFCh
		mov	[esp+40h+var_14], eax
		jz	loc_5EA1E2
		mov	edx, large fs:124h
		mov	[esp+40h+var_30], edx
		dec	word ptr [edx+13Eh]
		nop
		inc	byte ptr [edx+1E6h]
		nop
		cmp	byte ptr [edx+1E6h], 1
		jnz	loc_519170
		mov	bh, [edx+1E4h]
		mov	[esp+40h+var_18], 0
		test	bh, bh
		jz	loc_519393

loc_518FCB:				; CODE XREF: CcUnpinFileDataEx+573j
		movzx	eax, bh
		bsf	ecx, eax
		mov	al, 1
		shl	al, cl
		mov	[esp+40h+var_18], ecx
		not	al
		and	al, bh
		lea	ecx, [ecx+ecx*2]
		mov	[edx+1E4h], al
		shl	ecx, 4
		add	ecx, [edx+1E8h]
		mov	[esp+40h+var_2C], ecx
		jz	loc_5193BA
		cmp	edi, dword_6D07D0
		jb	short loc_51901C
		mov	eax, edi
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	loc_5EA203
		cmp	al, 0Bh
		jz	loc_5EA203

loc_51901C:				; CODE XREF: CcUnpinFileDataEx+19Fj
		or	eax, 0FFFFFFFFh

loc_51901F:				; CODE XREF: CcUnpinFileDataEx+D13B2j
		mov	[ecx+14h], eax
		nop
		mov	eax, [esp+40h+var_14]
		mov	[ecx+10h], eax

loc_51902A:				; CODE XREF: CcUnpinFileDataEx+562j
		nop
		dec	byte ptr [edx+1E6h]
		lea	eax, [esp+40h+var_10]
		mov	ecx, [esp+40h+var_30]
		mov	edx, edi
		push	eax
		call	KiAbThreadRemoveBoosts
		nop
		mov	ecx, [esp+40h+var_30]
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		test	ax, ax
		jnz	short loc_51906A
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	loc_519358

loc_51906A:				; CODE XREF: CcUnpinFileDataEx+1FCj
					; CcUnpinFileDataEx+4FDj ...
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bh, al
		lock btr dword ptr [edi], 0
		jnb	loc_519362

loc_51907F:				; CODE XREF: CcUnpinFileDataEx+50Dj
		mov	eax, [esp+40h+var_2C]
		test	eax, eax
		jz	short loc_51908B
		or	byte ptr [eax+0Eh], 1

loc_51908B:				; CODE XREF: CcUnpinFileDataEx+225j
		mov	eax, large fs:124h
		mov	[edi+4], eax
		movzx	eax, bh
		mov	[edi+1Ch], eax
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_51918B

loc_5190A5:				; CODE XREF: CcUnpinFileDataEx+330j
		mov	eax, [esi+34h]
		test	eax, eax
		jz	loc_5EA2CB
		dec	eax
		mov	[esi+34h], eax

loc_5190B4:				; CODE XREF: CcUnpinFileDataEx+3E8j
		test	eax, eax
		jnz	loc_519254
		cmp	[esi+2], al
		jz	loc_519270
		cmp	[esi+74h], eax
		jz	short loc_519105
		mov	ecx, [esi+30h]
		or	eax, 0FFFFFFFFh
		mov	edx, [ecx+4]
		mov	[esp+40h+var_10], edx
		lock xadd [ecx+8], eax
		dec	eax
		movzx	eax, ax
		test	ax, ax
		jnz	short loc_5190F7
		mov	eax, [edx+74h]
		test	eax, eax
		jnz	loc_5EA239

loc_5190F0:				; CODE XREF: CcUnpinFileDataEx+D13E7j
		lock dec dword ptr [edx+180h]

loc_5190F7:				; CODE XREF: CcUnpinFileDataEx+283j
		mov	dword ptr [esi+74h], 0
		mov	dword ptr [esi+30h], 0

loc_519105:				; CODE XREF: CcUnpinFileDataEx+268j
		test	bl, bl
		jnz	short loc_51913D
		movzx	ecx, word ptr [esi+46h]
		add	esi, 38h
		mov	eax, ecx
		mov	edx, ecx
		and	eax, 1
		jnz	loc_5EA24C

loc_51911D:				; CODE XREF: CcUnpinFileDataEx+D13EFj
		test	ax, ax
		jnz	loc_5193D8

loc_519126:				; CODE XREF: CcUnpinFileDataEx+D1446j
		test	cl, 1
		mov	ecx, esi
		jnz	loc_5EA2AB
		mov	edx, large fs:124h
		call	ExpReleaseResourceForThreadLite

loc_51913D:				; CODE XREF: CcUnpinFileDataEx+2A7j
					; CcUnpinFileDataEx+D1450j
		mov	bl, [edi+1Ch]
		mov	ecx, 1
		mov	dword ptr [edi+4], 0
		xor	eax, eax
		lock cmpxchg [edi], ecx
		test	eax, eax
		jnz	loc_51934A

loc_51915A:				; CODE XREF: CcUnpinFileDataEx+4F3j
		mov	cl, bl
		call	[esp+40h+var_20]
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_519170:				; CODE XREF: CcUnpinFileDataEx+14Fj
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	edi
		push	[esp+4Ch+var_30]
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_51918B:				; CODE XREF: CcUnpinFileDataEx+23Fj
		mov	ecx, eax
		sub	ecx, 1
		jz	loc_5190A5
		sub	ecx, 1
		jnz	loc_5EA217
		cmp	[esi+2], cl
		jz	loc_519245
		mov	eax, [esi+4]
		lea	edx, [esp+54h+var_20]
		mov	[esi+2], cl
		mov	[esi+20h], ecx
		mov	[esi+24h], ecx
		mov	[esi+28h], ecx
		mov	[esi+2Ch], ecx
		mov	ecx, [esp+54h+var_38]
		shr	eax, 0Ch
		mov	[esp+54h+var_40], eax
		lea	ecx, [ecx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, [esp+54h+var_40]
		mov	ecx, [esp+54h+var_3C]
		call	CcDeductDirtyPages
		mov	eax, [esp+54h+var_38]
		mov	edx, [esp+54h+var_40]
		mov	ecx, [eax+144h]
		cmp	ecx, edx
		jbe	loc_5192F0
		sub	ecx, edx

loc_5191F6:				; CODE XREF: CcUnpinFileDataEx+492j
		mov	[eax+144h], ecx
		mov	eax, [esp+54h+var_3C]
		cmp	dword ptr [eax+4Ch], 0
		jz	loc_5192F7

loc_51920A:				; CODE XREF: CcUnpinFileDataEx+49Bj
					; CcUnpinFileDataEx+4A8j
		test	ds:byte_70EFC6,	1
		jnz	loc_5EA228
		mov	eax, [esp+54h+var_20]
		test	eax, eax
		jnz	loc_51937B
		mov	edx, [esp+54h+var_1C]
		lea	eax, [esp+54h+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+54h+var_20]
		cmp	eax, ecx
		jnz	loc_519372

loc_51923D:				; CODE XREF: CcUnpinFileDataEx+52Ej
					; CcUnpinFileDataEx+D13D4j
		mov	cl, byte ptr [esp+54h+var_18]
		call	[esp+54h+var_34]

loc_519245:				; CODE XREF: CcUnpinFileDataEx+342j
		mov	eax, [esi+34h]
		jmp	loc_5190B4
; 

loc_51924D:				; CODE XREF: CcUnpinFileDataEx+FFj
					; CcUnpinFileDataEx+109j
		mov	bl, 1
		jmp	loc_518F6F
; 

loc_519254:				; CODE XREF: CcUnpinFileDataEx+256j
		test	bl, bl
		jnz	short loc_519260
		lea	ecx, [esi+38h]
		call	ExReleaseResourceLite

loc_519260:				; CODE XREF: CcUnpinFileDataEx+3F6j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_519270:				; CODE XREF: CcUnpinFileDataEx+25Fj
		mov	ebx, [esp+40h+var_28]
		xor	edx, edx
		lea	ecx, [ebx+48h]
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [esi+10h]
		lea	eax, [esi+10h]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_5EA2C4
		cmp	[ecx], eax
		jnz	loc_5EA2C4
		mov	[ecx], edx
		mov	[edx+4], ecx
		cmp	dword ptr [ebx+1Ch], 0
		jl	short loc_5192C9
		jg	short loc_5192AE
		cmp	dword ptr [ebx+18h], 2000000h
		jbe	short loc_5192C9

loc_5192AE:				; CODE XREF: CcUnpinFileDataEx+443j
		test	dword ptr [ebx+60h], 200h
		jz	short loc_5192C9
		mov	eax, [esi+0Ch]
		or	edx, 0FFFFFFFFh
		push	eax
		mov	eax, [esi+8]
		mov	ecx, ebx
		push	eax
		call	CcAdjustVacbLevelLockCount

loc_5192C9:				; CODE XREF: CcUnpinFileDataEx+441j
					; CcUnpinFileDataEx+44Cj ...
		xor	edx, edx
		lea	ecx, [ebx+48h]
		call	ExReleasePushLockEx
		cmp	dword ptr [esi+74h], 0
		jnz	short loc_51930D

loc_5192D9:				; CODE XREF: CcUnpinFileDataEx+4C2j
					; CcUnpinFileDataEx+4D6j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, esi
		call	@CcDeallocateBcb@4 ; CcDeallocateBcb(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_5192F0:				; CODE XREF: CcUnpinFileDataEx+38Ej
		xor	ecx, ecx
		jmp	loc_5191F6
; 

loc_5192F7:				; CODE XREF: CcUnpinFileDataEx+3A4j
		cmp	dword ptr [eax+4], 0
		jz	loc_51920A
		mov	ecx, eax
		call	CcInsertIntoCleanSharedCacheMapList
		jmp	loc_51920A
; 

loc_51930D:				; CODE XREF: CcUnpinFileDataEx+477j
		mov	ecx, [esi+30h]
		or	eax, 0FFFFFFFFh
		mov	ebx, [ecx+4]
		lock xadd [ecx+8], eax
		dec	eax
		movzx	eax, ax
		test	ax, ax
		jnz	short loc_5192D9
		mov	eax, [ebx+74h]
		test	eax, eax
		jnz	loc_5EA2B5

loc_51932F:				; CODE XREF: CcUnpinFileDataEx+D145Fj
		lock dec dword ptr [ebx+180h]
		jmp	short loc_5192D9
; 

loc_519338:				; CODE XREF: CcUnpinFileDataEx+ABj
		mov	dl, bh
		mov	ecx, eax
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[esp+40h+var_1C], eax
		jmp	loc_518F11
; 

loc_51934A:				; CODE XREF: CcUnpinFileDataEx+2F4j
		mov	edx, eax
		mov	ecx, edi
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	loc_51915A
; 

loc_519358:				; CODE XREF: CcUnpinFileDataEx+204j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_51906A
; 

loc_519362:				; CODE XREF: CcUnpinFileDataEx+219j
		mov	edx, [esp+40h+var_2C]
		mov	ecx, edi
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		jmp	loc_51907F
; 

loc_519372:				; CODE XREF: CcUnpinFileDataEx+3D7j
		lea	ecx, [esp+54h+var_20]
		call	KxWaitForLockChainValid

loc_51937B:				; CODE XREF: CcUnpinFileDataEx+3BDj
		mov	[esp+54h+var_20], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_51923D
; 

loc_519393:				; CODE XREF: CcUnpinFileDataEx+165j
		cmp	byte ptr [edx+222h], 0
		lea	ecx, [edx+222h]
		jnz	short loc_5193C7
		test	dword ptr ds:byte_70EFC4, 200h
		mov	[esp+40h+var_2C], 0
		jnz	loc_5EA1EF

loc_5193BA:				; CODE XREF: CcUnpinFileDataEx+193j
					; CcUnpinFileDataEx+D139Ej
		lea	eax, [edx+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_51902A
; 

loc_5193C7:				; CODE XREF: CcUnpinFileDataEx+540j
		xor	al, al
		xchg	al, [ecx]
		mov	bh, [edx+1E4h]
		or	bh, al
		jmp	loc_518FCB
; 

loc_5193D8:				; CODE XREF: CcUnpinFileDataEx+2C0j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		cmp	al, 2
		ja	loc_5EA266
		jmp	loc_5EA27A
CcUnpinFileDataEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpReleaseResourceForThreadLite	proc near ; CODE XREF: ExReleaseResourceForThreadLite+2Fp
					; SepCanTokenMatchAllPackageSid+109p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005EA2F0 SIZE 00000093 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	edi
		mov	ebx, edx
		mov	[ebp+var_20], eax
		mov	[ebp+var_28], eax
		lea	edi, [esi+34h]
		mov	[ebp+var_24], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_20], al
		jnz	loc_5EA2E1
		lea	edx, [ebp+var_28]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_51968E

loc_519440:				; CODE XREF: ExpReleaseResourceForThreadLite+296j
					; CcUnpinFileDataEx+D148Bj
		mov	edx, large fs:124h
		movzx	ecx, word ptr [esi+0Eh]
		test	cl, 1
		jnz	loc_5EA2F0
		cmp	_ExpResourceEnforceOwnerTransfer, 0
		jnz	loc_5EA2F0

loc_519461:				; CODE XREF: ExpReleaseResourceForThreadLite+D0EF7j
					; ExpReleaseResourceForThreadLite+D0EFFj
		test	cl, cl
		js	loc_51969B
		test	dword ptr ds:byte_70EFC4, 20000h
		mov	[ebp+var_C], 0
		jnz	loc_5EA314
		mov	[ebp+var_1], 0

loc_519484:				; CODE XREF: ExpReleaseResourceForThreadLite+D0F18j
		test	bl, 3
		jnz	loc_5195ED
		movzx	edi, byte ptr [ebx+26Ch]

loc_519494:				; CODE XREF: ExpReleaseResourceForThreadLite+1EFj
		lea	eax, [esi+18h]
		mov	edx, eax
		mov	ecx, [edx]
		cmp	ecx, ebx
		jnz	loc_5195F4

loc_5194A3:				; CODE XREF: ExpReleaseResourceForThreadLite+21Cj
					; ExpReleaseResourceForThreadLite+2CFj
		mov	ecx, [edx+4]
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		lea	edi, ds:0FFFFFFF8h[eax*8]
		or	edi, ecx
		mov	[edx+4], edi
		cmp	edi, 8
		jnb	loc_5195A5
		mov	ecx, edx
		call	_ExpFreeOwnerEntry@4 ; ExpFreeOwnerEntry(x)
		cmp	dword ptr [esi+20h], 1
		mov	eax, [esi+24h]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], 0
		ja	short loc_5194F1
		cmp	dword ptr [esi+2Ch], 0
		jnz	loc_519701
		cmp	dword ptr [esi+28h], 0
		jnz	loc_5EA33E

loc_5194F1:				; CODE XREF: ExpReleaseResourceForThreadLite+DBj
		xor	eax, eax

loc_5194F3:				; CODE XREF: ExpReleaseResourceForThreadLite+321j
					; ExpReleaseResourceForThreadLite+D0F55j
		dec	eax
		add	[esi+20h], eax
		jnz	short loc_5194FF
		xor	eax, eax
		mov	[esi+0Ch], ax

loc_5194FF:				; CODE XREF: ExpReleaseResourceForThreadLite+F7j
		cmp	dword ptr [esi+2Ch], 0
		jnz	loc_5EA35A
		xor	al, al

loc_51950B:				; CODE XREF: ExpReleaseResourceForThreadLite+D0F5Cj
		test	al, al
		jnz	short loc_51951E
		cmp	dword ptr [esi+28h], 0
		jnz	short loc_51951E
		mov	eax, 0F9h
		and	[esi+0Eh], ax

loc_51951E:				; CODE XREF: ExpReleaseResourceForThreadLite+10Dj
					; ExpReleaseResourceForThreadLite+113j
		mov	eax, [ebp+var_8]
		movzx	edi, byte ptr [esi+0Fh]
		test	eax, eax
		jnz	loc_519726

loc_51952D:				; CODE XREF: ExpReleaseResourceForThreadLite+335j
		test	ds:byte_70EFC6,	1
		jnz	loc_5EA361
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_5196DC
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jnz	loc_5196D4

loc_51955C:				; CODE XREF: ExpReleaseResourceForThreadLite+2EEj
					; ExpReleaseResourceForThreadLite+D0F6Cj
		mov	cl, byte ptr [ebp+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_8], 0
		jnz	loc_5196F3
		xor	al, al

loc_519571:				; CODE XREF: ExpReleaseResourceForThreadLite+2F5j
		movzx	eax, al
		lea	ecx, [ebp+var_C]
		mov	edx, edi
		lea	eax, ds:1[eax*2]
		push	eax
		call	KeWakeWaitChain
		mov	ebx, 10042h
		xor	edi, edi

loc_51958D:				; CODE XREF: ExpReleaseResourceForThreadLite+1EBj
		inc	large dword ptr	fs:41F0h
		cmp	[ebp+var_1], 0
		jnz	loc_5EA371

loc_51959E:				; CODE XREF: ExpReleaseResourceForThreadLite+D0F7Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5195A5:				; CODE XREF: ExpReleaseResourceForThreadLite+BDj
		mov	eax, [esi+24h]
		mov	ebx, 10052h
		shr	edi, 3
		test	ds:byte_70EFC6,	1
		mov	[ebp+var_10], eax
		jnz	loc_5EA32E
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_519677
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jnz	loc_51966F

loc_5195E2:				; CODE XREF: ExpReleaseResourceForThreadLite+289j
					; ExpReleaseResourceForThreadLite+D0F39j
		mov	cl, byte ptr [ebp+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_51958D
; 

loc_5195ED:				; CODE XREF: ExpReleaseResourceForThreadLite+87j
		xor	edi, edi
		jmp	loc_519494
; 

loc_5195F4:				; CODE XREF: ExpReleaseResourceForThreadLite+9Dj
		xor	edx, edx
		test	ecx, ecx
		setnz	dl
		neg	ecx
		mov	[ebp+var_14], edx
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax
		test	edi, edi
		jz	short loc_519622
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_519622
		cmp	edi, [eax+4]
		jnb	short loc_519622
		cmp	[eax+edi*8], ebx
		lea	edx, [eax+edi*8]
		jz	loc_5194A3

loc_519622:				; CODE XREF: ExpReleaseResourceForThreadLite+208j
					; ExpReleaseResourceForThreadLite+20Fj	...
		mov	edi, [esi+28h]
		add	edi, [esi+20h]
		mov	edx, [esi+8]
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edx
		test	edx, edx
		jz	loc_5EA31D
		mov	eax, [edx+4]
		lea	eax, [edx+eax*8]
		add	edx, 8
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_14]
		cmp	eax, edi
		jnb	loc_5EA31D

loc_519650:				; CODE XREF: ExpReleaseResourceForThreadLite+268j
		mov	edi, [edx]
		cmp	edi, ebx
		jz	short loc_5196BA
		test	edi, edi
		jnz	short loc_5196AF
		test	ecx, ecx
		jz	loc_5196FA

loc_519662:				; CODE XREF: ExpReleaseResourceForThreadLite+2B3j
					; ExpReleaseResourceForThreadLite+2FCj
		add	edx, 8
		cmp	edx, [ebp+var_1C]
		jnz	short loc_519650
		jmp	loc_5EA31D
; 

loc_51966F:				; CODE XREF: ExpReleaseResourceForThreadLite+1DCj
		lea	ecx, [ebp+var_28]
		call	KxWaitForLockChainValid

loc_519677:				; CODE XREF: ExpReleaseResourceForThreadLite+1C5j
		mov	[ebp+var_28], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_5195E2
; 

loc_51968E:				; CODE XREF: ExpReleaseResourceForThreadLite+3Aj
		lea	ecx, [ebp+var_28]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_519440
; 

loc_51969B:				; CODE XREF: ExpReleaseResourceForThreadLite+63j
		lea	eax, [ebp+var_28]
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	ExpReleaseResourceExclusiveForThreadLite
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5196AF:				; CODE XREF: ExpReleaseResourceForThreadLite+258j
		inc	eax
		cmp	eax, [ebp+var_18]
		jnz	short loc_519662
		jmp	loc_5EA31D
; 

loc_5196BA:				; CODE XREF: ExpReleaseResourceForThreadLite+254j
		mov	ecx, large fs:124h
		mov	eax, edx
		sub	eax, [ebp+var_10]
		sar	eax, 3
		mov	[ecx+26Ch], al
		jmp	loc_5194A3
; 

loc_5196D4:				; CODE XREF: ExpReleaseResourceForThreadLite+156j
		lea	ecx, [ebp+var_28]
		call	KxWaitForLockChainValid

loc_5196DC:				; CODE XREF: ExpReleaseResourceForThreadLite+13Fj
		mov	[ebp+var_28], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_51955C
; 

loc_5196F3:				; CODE XREF: ExpReleaseResourceForThreadLite+169j
		mov	al, 1
		jmp	loc_519571
; 

loc_5196FA:				; CODE XREF: ExpReleaseResourceForThreadLite+25Cj
		mov	ecx, edx
		jmp	loc_519662
; 

loc_519701:				; CODE XREF: ExpReleaseResourceForThreadLite+E1j
		lea	eax, [ebp+var_8]
		push	eax
		lea	ecx, [esi+14h]
		lea	edx, [ebp+var_C]
		call	KeCaptureWaitChainHeadEx
		dec	dword ptr [esi+2Ch]
		mov	ecx, 80h
		or	[esi+0Eh], cx
		mov	eax, 1
		jmp	loc_5194F3
; 

loc_519726:				; CODE XREF: ExpReleaseResourceForThreadLite+127j
		mov	[esi+18h], eax
		mov	eax, [esi+1Ch]
		and	eax, 7
		or	eax, 8
		mov	[esi+1Ch], eax
		jmp	loc_51952D
ExpReleaseResourceForThreadLite	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeWakeWaitChain	proc near		; CODE XREF: ExpConvertExclusiveToSharedLite+77p
					; ExpReleaseResourceForThreadLite+181p	...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005EA383 SIZE 0000011D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1C], edx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, [ebx]
		test	edi, edi
		jnz	short loc_519763

loc_519758:				; CODE XREF: KeWakeWaitChain+10Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_519763:				; CODE XREF: KeWakeWaitChain+16j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_34], al
		mov	ecx, edi
		mov	eax, large fs:20h
		mov	[ebp+var_8], eax

loc_519777:				; CODE XREF: KeWakeWaitChain+C8j
		mov	eax, ecx
		mov	ecx, [ecx]
		mov	[ebp+var_14], eax
		add	eax, 0Ch
		mov	[ebp+var_30], ecx
		mov	ecx, eax
		mov	[ebp+var_2C], eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	eax, [ebp+var_14]
		lea	ecx, [eax+14h]
		mov	dword ptr [eax+10h], 1
		mov	eax, [ecx]
		mov	[ebp+var_28], ecx
		cmp	eax, ecx
		jz	short loc_5197F7

loc_5197A4:				; CODE XREF: KeWakeWaitChain+D0D55j
		mov	ecx, eax
		mov	eax, [eax]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_24], eax
		mov	edx, [ecx+4]
		cmp	[eax+4], ecx
		jz	short loc_5197BD

loc_5197B6:				; CODE XREF: KeWakeWaitChain+7Fj
					; KeWakeWaitChain+D0CF4j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5197BD:				; CODE XREF: KeWakeWaitChain+74j
		cmp	[edx], ecx
		jnz	short loc_5197B6
		mov	[edx], eax
		mov	[eax+4], edx
		mov	al, [ecx+8]
		cmp	al, 1
		jnz	loc_5EA383
		movzx	eax, word ptr [ecx+0Ah]
		mov	edx, ecx
		mov	ecx, [ebp+var_8]
		push	0
		push	eax
		call	KiTryUnwaitThread
		test	al, al
		jz	loc_5EA48F
		mov	eax, [ebp+var_14]
		add	dword ptr [eax+10h], 0FFFFFFFFh
		jnz	loc_5EA48F

loc_5197F7:				; CODE XREF: KeWakeWaitChain+62j
					; KeWakeWaitChain+D0D36j ...
		mov	eax, [ebp+var_2C]
		mov	ecx, 0FFFFFF7Fh
		lock and [eax],	ecx
		mov	ecx, [ebp+var_30]
		inc	esi
		cmp	ecx, edi
		jnz	loc_519777
		test	[ebp+arg_0], 1
		mov	edi, [ebp+var_8]
		jz	short loc_519853
		mov	edx, [edi+4]
		mov	ecx, edi
		call	KiRemoveBoostThread
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jnz	short loc_519858

loc_519828:				; CODE XREF: KeWakeWaitChain+116j
		mov	edx, 1

loc_51982D:				; CODE XREF: KeWakeWaitChain+11Fj
					; KeWakeWaitChain+124j
		test	[ebp+arg_0], 2
		jz	short loc_51983A
		cmp	edx, 1
		jnz	short loc_51983A
		mov	ecx, edx

loc_51983A:				; CODE XREF: KeWakeWaitChain+F1j
					; KeWakeWaitChain+F6j
		push	[ebp+var_34]
		push	ecx
		push	edx
		xor	edx, edx
		mov	ecx, edi
		call	KiExitDispatcher
		mov	dword ptr [ebx], 0
		jmp	loc_519758
; 

loc_519853:				; CODE XREF: KeWakeWaitChain+D5j
		mov	ecx, [ebp+var_1C]
		jmp	short loc_519828
; 

loc_519858:				; CODE XREF: KeWakeWaitChain+E6j
		mov	edx, 2
		cmp	al, cl
		jle	short loc_51982D
		movsx	ecx, al
		jmp	short loc_51982D
KeWakeWaitChain	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ExpFreeOwnerEntry(x)
_ExpFreeOwnerEntry@4 proc near		; CODE XREF: ExpReleaseResourceForThreadLite+C5p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, [esi+4]
		mov	ebx, [esi]
		test	al, 2
		jnz	short loc_51989D
		test	bl, 3
		jnz	short loc_519894

loc_519884:				; CODE XREF: ExpFreeOwnerEntry(x)+30j
		test	ebx, ebx
		jz	short loc_519894
		test	al, 1
		jnz	short loc_5198C3

loc_51988C:				; CODE XREF: ExpFreeOwnerEntry(x)+67j
		test	al, 4
		jnz	short loc_5198B3

loc_519890:				; CODE XREF: ExpFreeOwnerEntry(x)+51j
		test	al, 2
		jnz	short loc_5198A2

loc_519894:				; CODE XREF: ExpFreeOwnerEntry(x)+12j
					; ExpFreeOwnerEntry(x)+16j ...
		mov	dword ptr [esi], 0
		pop	esi
		pop	ebx
		retn
; 

loc_51989D:				; CODE XREF: ExpFreeOwnerEntry(x)+Dj
		and	ebx, 0FFFFFFFCh
		jmp	short loc_519884
; 

loc_5198A2:				; CODE XREF: ExpFreeOwnerEntry(x)+22j
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag
		and	dword ptr [esi+4], 0FFFFFFFDh
		jmp	short loc_519894
; 

loc_5198B3:				; CODE XREF: ExpFreeOwnerEntry(x)+1Ej
		lock dec dword ptr [ebx+330h]
		and	dword ptr [esi+4], 0FFFFFFFBh
		mov	eax, [esi+4]
		jmp	short loc_519890
; 

loc_5198C3:				; CODE XREF: ExpFreeOwnerEntry(x)+1Aj
		push	0
		push	0
		mov	dl, 1
		mov	ecx, ebx
		call	PsBoostThreadIoEx
		and	dword ptr [esi+4], 0FFFFFFFEh
		mov	eax, [esi+4]
		jmp	short loc_51988C
_ExpFreeOwnerEntry@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpUpcaseUnicodeStringPrivate proc near ; CODE	XREF: RtlIsNameInExpression+28p
					; RtlIsNameInUnUpcasedExpression+EDC69p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 00519981 SIZE 00000007 BYTES

		push	20h
		push	offset dword_6A5518
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_28], ebx
		mov	esi, ecx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_1C], 1
		movzx	eax, word ptr [ebx]
		mov	[esi+2], ax
		push	67727453h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+4], eax
		test	eax, eax
		jz	short loc_519981
		movzx	ecx, word ptr [ebx]
		shr	ecx, 1
		mov	[ebp+var_24], ecx
		and	[ebp+ms_exc.disabled], 0
		xor	eax, eax
		inc	eax
		mov	[ebp+var_30], eax
		xor	edi, edi

loc_519926:				; CODE XREF: RtlpUpcaseUnicodeStringPrivate+6Aj
		mov	[ebp+var_20], edi
		cmp	edi, ecx
		jnb	short loc_519946
		mov	eax, [ebx+4]
		mov	cx, [eax+edi*2]
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, [esi+4]
		mov	[ecx+edi*2], ax
		inc	edi
		mov	ecx, [ebp+var_24]
		jmp	short loc_519926
; 

loc_519946:				; CODE XREF: RtlpUpcaseUnicodeStringPrivate+51j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		inc	eax
		mov	[ebp+var_30], 0
		call	sub_519976
		mov	ax, [ebx]
		mov	[esi], ax
		xor	eax, eax

loc_519964:				; CODE XREF: RtlpUpcaseUnicodeStringPrivate+ACj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
RtlpUpcaseUnicodeStringPrivate endp


;  S U B	R O U T	I N E 


sub_519976	proc near		; CODE XREF: RtlpUpcaseUnicodeStringPrivate+7Dp
					; sub_5EA4A0+9j

; FUNCTION CHUNK AT 005EA4AE SIZE 00000017 BYTES

		cmp	dword ptr [ebp-30h], 0
		jnz	loc_5EA4AE

locret_519980:				; CODE XREF: sub_519976+D0B3Aj
		retn
sub_519976	endp

; 
; START	OF FUNCTION CHUNK FOR RtlpUpcaseUnicodeStringPrivate

loc_519981:				; CODE XREF: RtlpUpcaseUnicodeStringPrivate+36j
		mov	eax, 0C0000017h
		jmp	short loc_519964
; END OF FUNCTION CHUNK	FOR RtlpUpcaseUnicodeStringPrivate
; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SepInternalQuerySecurityAttributesTokenEx(int,int,int,size_t,size_t,int)
SepInternalQuerySecurityAttributesTokenEx proc near
					; CODE XREF: SeQuerySecurityAttributesTokenAccessInformation+7Cp
					; SeQuerySecurityAttributesToken(x,x,x,x,x,x)+40p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005EA4C5 SIZE 00000117 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_10], ebx
		test	dword ptr [esi+0B0h], 20000h
		mov	[ebp+var_C], ebx
		mov	[ebp+var_4], ebx
		jnz	short loc_5199CF
		cmp	byte ptr [ebp+arg_8], bl
		jnz	loc_5EA513
		mov	eax, _SepSingletonGlobal
		test	byte ptr [eax+0Ch], 1
		jnz	loc_5EA4C5

loc_5199CF:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+25j
					; SepInternalQuerySecurityAttributesTokenEx+D0B3Aj ...
		mov	ebx, [esi+1DCh]
		mov	esi, [ebp+arg_14]
		mov	[ebp+arg_4], ebx
		mov	[ebp+arg_8], 0
		mov	dword ptr [esi], 0
		cmp	dword ptr [ebx], 0
		jz	loc_519A9B
		xor	ecx, ecx
		test	edi, edi
		jz	short loc_519A37
		mov	eax, [ebp+arg_0]
		add	eax, 4
		lea	ecx, [ecx+0]

loc_519A00:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+A2j
		movzx	edx, word ptr [eax-4]
		test	dx, dx
		jz	loc_5EA5D2
		movzx	esi, word ptr [eax-2]
		test	si, si
		jz	loc_5EA5D2
		cmp	dx, si
		ja	loc_5EA5D2
		cmp	dword ptr [eax], 0
		jz	loc_5EA5D2
		inc	ecx
		add	eax, 8
		cmp	ecx, edi
		jb	short loc_519A00
		mov	esi, [ebp+arg_14]

loc_519A37:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+65j
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+arg_8]
		push	eax
		push	edi
		mov	ecx, ebx
		call	_AuthzBasepGetSecurityAttributesCopyoutBufferSize@16 ; AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)
		test	eax, eax
		jns	short loc_519A53

loc_519A4A:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+F9j
					; SepInternalQuerySecurityAttributesTokenEx+D0BE0j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_519A53:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+B8j
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jz	loc_5EA5D2
		mov	eax, [ebp+arg_10]
		cmp	eax, ebx
		jb	short loc_519A8B
		mov	esi, [ebp+arg_C]
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edx, [ebp+arg_0]
		add	esp, 0Ch
		mov	ecx, [ebp+arg_4]
		push	[ebp+arg_10]	; size_t
		push	esi		; size_t
		push	edi		; int
		call	AuthzBasepCopyoutSecurityAttributes
		mov	ecx, [ebp+arg_14]
		mov	[ecx], ebx
		jmp	short loc_519A4A
; 

loc_519A8B:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+D3j
		mov	[esi], ebx
		mov	eax, 0C0000023h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_519A9B:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+5Bj
		cmp	[ebp+arg_10], 0Ch
		jb	short loc_519AC4
		mov	ecx, [ebp+arg_C]
		xor	eax, eax
		mov	edi, ecx
		stosd
		stosd
		stosd
		mov	eax, 1
		mov	[ecx], ax
		xor	eax, eax
		mov	dword ptr [esi], 0Ch
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_519AC4:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+10Fj
		mov	eax, 0C0000023h
		mov	dword ptr [esi], 0Ch
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
SepInternalQuerySecurityAttributesTokenEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,	x, x, x)
_AuthzBasepGetSecurityAttributesCopyoutBufferSize@16 proc near
					; CODE XREF: AuthzBasepQuerySecurityAttributesToken+35p
					; SepInternalQuerySecurityAttributesTokenEx+B1p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], 0
		mov	ebx, ecx
		push	edi
		test	esi, esi
		jz	short loc_519B55
		mov	ecx, [ebp+arg_0]
		mov	edx, 18h
		mov	eax, ecx
		mul	edx
		test	edx, edx
		ja	loc_519C07
		jb	short loc_519B19
		cmp	eax, 0FFFFFFFFh
		ja	loc_519C07

loc_519B19:				; CODE XREF: AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)+2Ej
		lea	edi, [eax+0Ch]
		xor	edx, edx
		cmp	edi, 0Ch
		jb	loc_519C07
		mov	[ebp+var_8], edx
		test	ecx, ecx
		jz	loc_519BB7

loc_519B32:				; CODE XREF: AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)+122j
		mov	edx, esi
		mov	ecx, ebx
		call	_AuthzBasepFindSecurityAttribute@8 ; AuthzBasepFindSecurityAttribute(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	loc_519BC7
		mov	edx, 0C0000225h

loc_519B4A:				; CODE XREF: AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)+8Cj
					; AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)+CCj ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_519B55:				; CODE XREF: AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)+18j
		mov	eax, [ebx]
		mov	ecx, 18h
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_519B4A
		mov	edi, [ebp+var_4]
		add	edi, 0Ch
		cmp	edi, 0Ch
		jb	loc_519C07
		mov	esi, [ebx+4]
		add	ebx, 4
		cmp	esi, ebx
		jz	short loc_519BB7

loc_519B87:				; CODE XREF: AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)+D5j
		lea	ecx, [edi+1]
		and	ecx, 0FFFFFFFEh
		cmp	ecx, edi
		jb	short loc_519C07
		movzx	eax, word ptr [esi+10h]
		add	eax, ecx
		cmp	eax, ecx
		jb	short loc_519C07
		lea	edx, [ebp+var_4]
		mov	[ebp+var_4], eax
		mov	ecx, esi
		call	AuthzBasepGetSecurityAttributeValueCopyoutBufferSize
		mov	edx, eax
		test	edx, edx
		js	short loc_519B4A
		mov	esi, [esi]
		mov	edi, [ebp+var_4]
		cmp	esi, ebx
		jnz	short loc_519B87

loc_519BB7:				; CODE XREF: AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)+4Cj
					; AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)+A5j ...
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		mov	eax, edx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_519BC7:				; CODE XREF: AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)+5Fj
		lea	edx, [edi+1]
		and	edx, 0FFFFFFFEh
		cmp	edx, edi
		jb	short loc_519C07
		movzx	eax, word ptr [ecx+10h]
		add	eax, edx
		cmp	eax, edx
		jb	short loc_519C07
		lea	edx, [ebp+var_4]
		mov	[ebp+var_4], eax
		call	AuthzBasepGetSecurityAttributeValueCopyoutBufferSize
		mov	edx, eax
		test	edx, edx
		js	loc_519B4A
		mov	eax, [ebp+var_8]
		add	esi, 8
		mov	edi, [ebp+var_4]
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+arg_0]
		jnb	short loc_519BB7
		jmp	loc_519B32
; 

loc_519C07:				; CODE XREF: AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)+28j
					; AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)+33j ...
		mov	edx, 0C0000095h
		jmp	loc_519B4A
_AuthzBasepGetSecurityAttributesCopyoutBufferSize@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepUnicodeStringFromOperandValue	proc near
					; CODE XREF: AuthzBasepCompareUnicodeStringOperands+70p
					; .text:00517E95p ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005EA5DC SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, ecx
		mov	[ebp+var_1], dl
		mov	byte ptr [edi],	0
		cmp	dword ptr [esi+0Ch], 1
		jnz	loc_519D17
		movzx	eax, word ptr [esi+14h]
		mov	[ebx+2], ax
		movzx	eax, word ptr [esi+14h]
		mov	[ebx], ax
		mov	eax, [esi+18h]

loc_519C53:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+11Aj
		mov	[ebx+4], eax
		cmp	word ptr [ebx],	0
		jz	loc_5EA5F0
		test	eax, eax
		jz	loc_5EA5F0
		mov	eax, [esi+0Ch]
		cmp	eax, 1
		jnz	loc_519D3F
		test	[esi+18h], al
		jz	short loc_519CCF

loc_519C79:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+126j
		movzx	eax, word ptr [ebx+2]
		mov	[ebp+arg_4], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_5EA5DC
		mov	eax, 1

loc_519C93:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+D09C1j
		push	61476553h
		push	[ebp+arg_4]
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebx+4], edx
		test	edx, edx
		jz	loc_5EA5E6
		cmp	dword ptr [esi+0Ch], 1
		jnz	loc_519D4E
		mov	eax, [esi+14h]
		push	eax		; size_t
		mov	eax, [esi+18h]

loc_519CBF:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+13Bj
		push	eax		; void *
		push	edx		; void *
		call	_memcpy
		mov	dl, [ebp+var_1]
		add	esp, 0Ch
		mov	byte ptr [edi],	1

loc_519CCF:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+57j
					; AuthzBasepUnicodeStringFromOperandValue+122j
		test	dl, dl
		jnz	short loc_519CDE

loc_519CD3:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+C8j
					; AuthzBasepUnicodeStringFromOperandValue+12Cj
		xor	eax, eax

loc_519CD5:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+D09CBj
					; AuthzBasepUnicodeStringFromOperandValue+D09D5j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_519CDE:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+B1j
		movzx	eax, word ptr [ebx]
		xor	esi, esi
		test	eax, 0FFFFFFFEh
		jbe	short loc_519CD3
		lea	ebx, [ebx+0]

loc_519CF0:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+EAj
		mov	eax, [ebx+4]
		lea	edi, [eax+esi*2]
		movzx	eax, word ptr [edi]
		push	eax
		call	_RtlUpcaseUnicodeChar@4	; RtlUpcaseUnicodeChar(x)
		mov	[edi], ax
		inc	esi
		movzx	eax, word ptr [ebx]
		shr	eax, 1
		cmp	esi, eax
		jb	short loc_519CF0
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_519D17:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+1Bj
		mov	eax, [esi+10h]
		mov	eax, [eax+1Ch]
		movzx	eax, word ptr [eax+2]
		mov	[ebx+2], ax
		mov	eax, [esi+10h]
		mov	eax, [eax+1Ch]
		movzx	eax, word ptr [eax]
		mov	[ebx], ax
		mov	eax, [esi+10h]
		mov	eax, [eax+1Ch]
		mov	eax, [eax+4]
		jmp	loc_519C53
; 

loc_519D3F:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+4Ej
		cmp	eax, 2
		jnz	short loc_519CCF
		test	dl, dl
		jnz	loc_519C79
		jmp	short loc_519CD3
; 

loc_519D4E:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+92j
		mov	eax, [esi+10h]
		mov	ecx, [eax+1Ch]
		movzx	eax, word ptr [ecx]
		push	eax
		mov	eax, [ecx+4]
		jmp	loc_519CBF
AuthzBasepUnicodeStringFromOperandValue	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepFindSecurityAttribute(x, x)
_AuthzBasepFindSecurityAttribute@8 proc	near ; CODE XREF: AuthzBasepAddSecurityAttribute+34p
					; AuthzBasepDeleteSecurityAttribute+2Ep ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ecx+4]
		lea	ebx, [ecx+4]
		push	edi
		mov	eax, edx
		mov	[ebp+var_10], ecx
		xor	edi, edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_1], 0
		cmp	esi, ebx
		jz	short loc_519DB1

loc_519D83:				; CODE XREF: AuthzBasepFindSecurityAttribute(x,x)+46j
		mov	[ebp+var_C], esi
		lea	edi, [esi+10h]
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_519DE3
		push	1
		push	[ebp+var_8]
		push	edi
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)

loc_519D9E:				; CODE XREF: AuthzBasepFindSecurityAttribute(x,x)+8Dj
		test	al, al
		jnz	short loc_519DCE
		mov	esi, [esi]
		cmp	esi, ebx
		jnz	short loc_519D83
		mov	edi, [ebp+var_C]
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_10]

loc_519DB1:				; CODE XREF: AuthzBasepFindSecurityAttribute(x,x)+21j
		mov	ebx, [ecx+10h]
		lea	esi, [ecx+10h]
		cmp	ebx, esi
		jnz	short loc_519DF0

loc_519DBB:				; CODE XREF: AuthzBasepFindSecurityAttribute(x,x)+ACj
		mov	al, [ebp+var_1]

loc_519DBE:				; CODE XREF: AuthzBasepFindSecurityAttribute(x,x)+B5j
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_519DCE:				; CODE XREF: AuthzBasepFindSecurityAttribute(x,x)+40j
		mov	edi, [ebp+var_C]
		mov	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_519DE3:				; CODE XREF: AuthzBasepFindSecurityAttribute(x,x)+31j
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	AuthzBasepEqualUnicodeStringCaseSensitive
		jmp	short loc_519D9E
; 
		align 10h

loc_519DF0:				; CODE XREF: AuthzBasepFindSecurityAttribute(x,x)+59j
					; AuthzBasepFindSecurityAttribute(x,x)+B1j
		test	byte ptr [ebx+18h], 1
		lea	edi, [ebx-8]
		jnz	short loc_519E08
		push	ecx
		lea	ecx, [edi+10h]
		mov	edx, eax
		call	AuthzBasepEqualUnicodeString
		test	al, al
		jnz	short loc_519E13

loc_519E08:				; CODE XREF: AuthzBasepFindSecurityAttribute(x,x)+97j
		mov	ebx, [ebx]
		cmp	ebx, esi
		jz	short loc_519DBB
		mov	eax, [ebp+var_8]
		jmp	short loc_519DF0
; 

loc_519E13:				; CODE XREF: AuthzBasepFindSecurityAttribute(x,x)+A6j
		mov	al, 1
		jmp	short loc_519DBE
_AuthzBasepFindSecurityAttribute@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall NLS_UPCASE(x)
_NLS_UPCASE@4	proc near		; CODE XREF: RtlpUpcaseUnicodeStringPrivate+5Ap
					; UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x):loc_660492p ...
		mov	edi, edi
		push	esi
		cmp	cx, 61h
		jb	short loc_519E43
		cmp	cx, 7Ah
		jbe	short loc_519E48
		mov	esi, ds:_Nls844UnicodeUpcaseTable
		test	esi, esi
		jz	short loc_519E43
		mov	eax, 0C0h
		cmp	cx, ax
		jnb	short loc_519E4D

loc_519E43:				; CODE XREF: NLS_UPCASE(x)+7j
					; NLS_UPCASE(x)+17j
		mov	ax, cx
		pop	esi
		retn
; 

loc_519E48:				; CODE XREF: NLS_UPCASE(x)+Dj
		lea	eax, [ecx-20h]
		pop	esi
		retn
; 

loc_519E4D:				; CODE XREF: NLS_UPCASE(x)+21j
		movzx	edx, cx
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, word ptr [esi+eax*2]
		mov	eax, edx
		shr	eax, 4
		and	eax, 0Fh
		add	ecx, eax
		mov	eax, edx
		and	eax, 0Fh
		movzx	ecx, word ptr [esi+ecx*2]
		add	ecx, eax
		mov	ax, [esi+ecx*2]
		add	ax, dx
		pop	esi
		retn
_NLS_UPCASE@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepGetSecurityAttributeValueCopyoutBufferSize proc near
					; CODE XREF: AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)+C3p
					; AuthzBasepGetSecurityAttributesCopyoutBufferSize(x,x,x,x)+101p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005EA5FA SIZE 000000C9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], 0
		mov	esi, edx
		movzx	eax, word ptr [edi+18h]
		mov	ecx, [esi]
		cmp	eax, 2
		jnz	short loc_519EDB

loc_519E9F:				; CODE XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+C3j
					; DATA XREF: .text:off_519F54o
		lea	ebx, [ecx+7]
		and	ebx, 0FFFFFFF8h
		cmp	ebx, ecx
		jb	loc_519F4A
		mov	eax, [edi+24h]
		mov	ecx, 8
		mul	ecx
		test	edx, edx
		ja	loc_519F4A
		jb	short loc_519ECA
		cmp	eax, 0FFFFFFFFh
		ja	loc_519F4A

loc_519ECA:				; CODE XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+3Fj
		add	eax, ebx
		cmp	eax, ebx
		jb	short loc_519F4A

loc_519ED0:				; CODE XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+93j
					; AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+D07B9j ...
		mov	[esi], eax
		xor	eax, eax

loc_519ED4:				; CODE XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+80j
					; AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+CFj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_519EDB:				; CODE XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+1Dj
		cmp	eax, 3
		jnz	short loc_519F32
		lea	ebx, [ecx+3]
		and	ebx, 0FFFFFFFCh
		cmp	ebx, ecx
		jb	short loc_519F4A
		mov	eax, [edi+24h]
		mov	ecx, 8
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_519ED4
		mov	eax, [ebp+var_4]
		add	eax, ebx
		cmp	eax, ebx
		jb	short loc_519F4A
		mov	edx, [edi+2Ch]
		add	edi, 2Ch
		cmp	edx, edi
		jz	short loc_519ED0

loc_519F15:				; CODE XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+A5j
		movzx	ecx, word ptr [edx+18h]
		add	ecx, eax
		cmp	ecx, eax
		jb	short loc_519F4A
		mov	edx, [edx]
		mov	eax, ecx
		cmp	edx, edi
		jnz	short loc_519F15
		pop	edi
		mov	[esi], eax
		xor	eax, eax
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_519F32:				; CODE XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+5Ej
		dec	eax
		cmp	eax, 0Fh
		ja	loc_5EA6B9
		movzx	eax, ds:byte_519F64[eax]
		jmp	ds:off_519F54[eax*4]
; 

loc_519F4A:				; CODE XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+27j
					; AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+39j ...
		mov	eax, 0C0000095h
		jmp	short loc_519ED4
AuthzBasepGetSecurityAttributeValueCopyoutBufferSize endp

; 
		align 4
off_519F54	dd offset loc_519E9F	; DATA XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+C3r
		dd offset loc_5EA5FA
		dd offset loc_5EA65A
		dd offset loc_5EA6B9
byte_519F64	db 0			; DATA XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+BCr
		db 2 dup(3), 1
		dd 3030002h, 3030303h, 2030303h, 3 dup(0CCCCCCCCh)
; Exported entry 1310. KeStackAttachProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeStackAttachProcess
KeStackAttachProcess proc near		; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+117p
					; NtLockVirtualMemory(x,x,x,x)+E9p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0051A350 SIZE 00000042 BYTES
; FUNCTION CHUNK AT 005EA6C3 SIZE 000000C2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, large fs:124h
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jnz	loc_5EA6C3
		test	dword ptr [esi+64h], 400h
		jnz	loc_5EA6C3
		cmp	[edi+80h], esi
		jnz	short loc_519FCA
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	esi
		mov	dword ptr [eax+10h], 1
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_519FCA:				; CODE XREF: KeStackAttachProcess+36j
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_0], al
		lea	ebx, [edi+2Ch]
		mov	[ebp+var_4], 0
		mov	edi, edi

loc_519FE0:				; CODE XREF: KeStackAttachProcess+BEj
		lock bts dword ptr [ebx], 0
		jb	short loc_51A030
		cmp	byte ptr [edi+16Ah], 0
		mov	edx, esi
		pop	ebx
		mov	ecx, edi
		jnz	short loc_51A018
		lea	eax, [edi+174h]
		push	eax
		push	0
		push	[ebp+arg_0]
		call	KiAttachProcess
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	esi
		mov	dword ptr [eax+10h], 0
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_51A018:				; CODE XREF: KeStackAttachProcess+73j
		push	[ebp+arg_4]
		push	0
		push	[ebp+arg_0]
		call	KiAttachProcess
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 
		align 10h

loc_51A030:				; CODE XREF: KeStackAttachProcess+65j
					; KeStackAttachProcess+BCj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_51A030
		jmp	short loc_519FE0
KeStackAttachProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindSecurityCellCacheIndex(x, x,	x)
_CmpFindSecurityCellCacheIndex@12 proc near ; CODE XREF: CmpResetCachedSecurity(x,x)+11p
					; CmpUndoDeleteKeyForTransEx(x,x,x)+2A4p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	[ebp+var_4], ebx
		mov	ecx, [edi+4C0h]
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jnz	short loc_51A071
		mov	ecx, [ebp+arg_0]
		xor	al, al
		pop	edi
		pop	ebx
		mov	dword ptr [ecx], 0
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_51A071:				; CODE XREF: CmpFindSecurityCellCacheIndex(x,x,x)+1Cj
		mov	edx, [edi+4C8h]
		test	edx, edx
		js	short loc_51A08A
		cmp	edx, ecx
		jnb	short loc_51A08A
		mov	eax, [edi+4CCh]
		cmp	[eax+edx*8], ebx
		jz	short loc_51A0B6

loc_51A08A:				; CODE XREF: CmpFindSecurityCellCacheIndex(x,x,x)+39j
					; CmpFindSecurityCellCacheIndex(x,x,x)+3Dj
		push	esi
		mov	esi, [edi+4CCh]
		sub	esp, 8
		mov	edx, esi
		push	ecx
		lea	ecx, [ebp+var_4]
		call	_CmpFindLowerBoundInSortedArray@20 ; CmpFindLowerBoundInSortedArray(x,x,x,x,x)
		mov	edx, eax
		sub	edx, esi
		shr	edx, 3
		pop	esi
		cmp	edx, [ebp+var_8]
		jnb	short loc_51A0C5
		cmp	[eax], ebx
		jnz	short loc_51A0C5
		mov	[edi+4C8h], edx

loc_51A0B6:				; CODE XREF: CmpFindSecurityCellCacheIndex(x,x,x)+48j
		mov	ecx, [ebp+arg_0]
		mov	al, 1
		pop	edi
		pop	ebx
		mov	[ecx], edx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_51A0C5:				; CODE XREF: CmpFindSecurityCellCacheIndex(x,x,x)+6Aj
					; CmpFindSecurityCellCacheIndex(x,x,x)+6Ej
		mov	ecx, [ebp+arg_0]
		xor	al, al
		mov	[ecx], edx
		pop	edi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_CmpFindSecurityCellCacheIndex@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiGetVadMandatoryPageSize(x)
_MiGetVadMandatoryPageSize@4 proc near	; CODE XREF: NtGetWriteWatch+2B7p
					; NtGetWriteWatch+320p	...
		mov	eax, [ecx+1Ch]
		mov	ecx, eax
		shr	ecx, 12h
		and	ecx, 3
		mov	ecx, ds:_MiVadPageSizes[ecx*4]
		cmp	ecx, 200h
		jnb	short loc_51A107
		test	eax, 400000h
		jnz	short loc_51A107
		mov	eax, 1
		retn
; 

loc_51A107:				; CODE XREF: MiGetVadMandatoryPageSize(x)+18j
					; MiGetVadMandatoryPageSize(x)+1Fj
		mov	eax, ecx
		retn
_MiGetVadMandatoryPageSize@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFlushTbList	proc near		; CODE XREF: .text:004321C7p
					; MiFlushTbListEarly(x,x):loc_4324D2p ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= byte ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005EA785 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_34], edi
		mov	edx, [edi+0Ch]
		mov	[ebp+var_18], edx
		test	edx, edx
		jnz	short loc_51A145

loc_51A134:				; CODE XREF: MiFlushTbList+1A0j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51A145:				; CODE XREF: MiFlushTbList+22j
		mov	esi, [edi]
		mov	eax, dword_6D0748
		mov	cl, [edi+4]
		mov	[ebp+var_1C], esi
		cmp	esi, 1
		jnz	loc_51A2F5
		xor	ebx, ebx

loc_51A15D:				; CODE XREF: MiFlushTbList+1EFj
					; MiFlushTbList+23Bj
		cmp	byte ptr [edi+5], 0
		jnz	loc_51A304
		cmp	[edi+10h], eax
		ja	loc_51A304
		test	byte ptr [edi+4], 1
		lea	eax, [edi+14h]
		mov	[ebp+var_24], eax
		jnz	loc_51A336
		mov	eax, ds:_HvlEnlightenments
		mov	ecx, ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	[ebp+var_20], 0
		mov	[ebp+var_28], 0
		test	al, 4
		jnz	loc_5EA6E7

loc_51A19E:				; CODE XREF: KeStackAttachProcess+40Dj
					; KeStackAttachProcess+D0776j
		mov	edi, [ebp+var_24]
		xor	eax, eax
		mov	[ebp+var_10], eax
		mov	esi, edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_38], eax
		lea	eax, [edi+edx*4]
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], edx
		mov	[ebp+var_24], eax
		call	ecx
		mov	[ebp+var_11], al
		test	ebx, ebx
		jnz	loc_51A318
		mov	edx, large fs:20h
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], ebx
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, [edx+4]
		mov	ecx, [eax+80h]
		mov	eax, [ecx+58h]
		mov	ebx, [ecx+60h]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+5Ch]
		mov	[ebp+var_C], eax
		mov	eax, [edx+3CCh]
		btr	ebx, eax
		mov	[ebp+var_8], ebx
		lea	edx, [ebp+var_10]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[ebx]
		movzx	eax, cl
		xor	ecx, ecx

loc_51A237:				; CODE XREF: MiFlushTbList+213j
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	loc_51A2E0

loc_51A242:				; CODE XREF: MiFlushTbList+1E0j
		mov	edi, [ebp+var_24]

loc_51A245:				; CODE XREF: MiFlushTbList+15Aj
		mov	edx, [esi]
		mov	ebx, 1000h
		mov	eax, edx
		shr	eax, 0Ah
		and	eax, 3
		invlpg	byte ptr [edx]
		lea	ecx, [eax+eax*8]
		mov	eax, edx
		shl	ebx, cl
		and	eax, 3FFh
		jnz	short loc_51A2B5

loc_51A265:				; CODE XREF: MiFlushTbList+1B0j
		add	esi, 4
		cmp	esi, edi
		jb	short loc_51A245
		cmp	[ebp+var_20], 0
		jnz	short loc_51A2C2

loc_51A272:				; CODE XREF: MiFlushTbList+1C0j
					; MiFlushTbList+1CEj
		mov	cl, [ebp+var_11]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, [ebp+var_34]
		mov	esi, [ebp+var_18]

loc_51A281:				; CODE XREF: KeStackAttachProcess+D0800j
		mov	eax, [ebp+var_1C]

loc_51A284:				; CODE XREF: KeStackAttachProcess+D07F3j
		cmp	ds:_VmTbFlushEnabled, 0
		jnz	loc_5EA785

loc_51A291:				; CODE XREF: MiFlushTbList+D0680j
		cmp	_ExTbFlushActive, 0
		jnz	loc_5EA795

loc_51A29E:				; CODE XREF: MiFlushTbList+206j
					; MiFlushTbList+221j ...
		and	byte ptr [edi+4], 0F7h
		mov	dword ptr [edi+0Ch], 0
		mov	dword ptr [edi+10h], 0
		jmp	loc_51A134
; 

loc_51A2B5:				; CODE XREF: MiFlushTbList+153j
					; MiFlushTbList+1AEj
		invlpg	byte ptr [edx+ebx]
		add	edx, ebx
		sub	eax, 1
		jnz	short loc_51A2B5
		jmp	short loc_51A265
; 

loc_51A2C2:				; CODE XREF: MiFlushTbList+160j
		mov	eax, large fs:20h
		mov	ecx, [eax+2120h]
		test	ecx, ecx
		jz	short loc_51A272

loc_51A2D2:				; CODE XREF: MiFlushTbList+1CCj
		pause
		mov	ecx, [eax+2120h]
		test	ecx, ecx
		jnz	short loc_51A2D2
		jmp	short loc_51A272
; 

loc_51A2E0:				; CODE XREF: MiFlushTbList+12Cj
		push	ecx
		lea	eax, [ebp+var_40]
		push	eax
		push	ecx
		push	offset _KiFlushTargetMultipleRangeTb@16	; KiFlushTargetMultipleRangeTb(x,x,x,x)
		call	_KiIpiSendFlushAwakePacket@24 ;	KiIpiSendFlushAwakePacket(x,x,x,x,x,x)
		jmp	loc_51A242
; 

loc_51A2F5:				; CODE XREF: MiFlushTbList+45j
		test	cl, 8
		jnz	short loc_51A346
		mov	ebx, 1
		jmp	loc_51A15D
; 

loc_51A304:				; CODE XREF: MiFlushTbList+51j
					; MiFlushTbList+5Aj
		test	cl, 1
		mov	ecx, esi
		jnz	short loc_51A328
		mov	edx, ebx
		call	KeFlushTb
		mov	byte ptr [edi+5], 0
		jmp	short loc_51A29E
; 

loc_51A318:				; CODE XREF: MiFlushTbList+B7j
		mov	eax, ds:_KeNumberProcessors
		xor	edx, edx
		dec	eax
		lea	ecx, [edx+1]
		jmp	loc_51A237
; 

loc_51A328:				; CODE XREF: MiFlushTbList+1F9j
		call	KeFlushCurrentTbOnly
		mov	byte ptr [edi+5], 0
		jmp	loc_51A29E
; 

loc_51A336:				; CODE XREF: MiFlushTbList+6Aj
		mov	ecx, [ebp+var_18]
		mov	edx, eax
		push	esi
		call	KeFlushMultipleRangeCurrentTb
		jmp	loc_51A29E
; 

loc_51A346:				; CODE XREF: MiFlushTbList+1E8j
		mov	ebx, 2
		jmp	loc_51A15D
MiFlushTbList	endp

; 
; START	OF FUNCTION CHUNK FOR KeStackAttachProcess

loc_51A350:				; CODE XREF: KeStackAttachProcess+D0769j
					; KeStackAttachProcess+D077Ej ...
		lea	eax, [ebp+var_28]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_20]
		call	_KiPrepareFlushParameters@12 ; KiPrepareFlushParameters(x,x,x)
		mov	esi, [ebp+var_18]
		lea	eax, [edi+14h]
		push	eax
		push	esi
		push	1
		push	ecx
		push	[ebp+var_28]
		mov	ecx, ebx
		call	_KiFlushAffinity@4 ; KiFlushAffinity(x)
		mov	ecx, [ebp+var_20]
		mov	edx, eax
		call	_HvlFlushRangeListTb@28	; HvlFlushRangeListTb(x,x,x,x,x,x,x)
		test	al, al
		jnz	loc_5EA76D
		mov	ecx, ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	edx, esi
		jmp	loc_51A19E
; END OF FUNCTION CHUNK	FOR KeStackAttachProcess
; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMoveDirtyBitsToPfns proc near		; CODE XREF: NtResetWriteWatch+114p
					; MiProcessVaRangesInfoClass+12F57Dp

var_14E		= byte ptr -14Eh
var_14D		= byte ptr -14Dh
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EA		= byte ptr -0EAh
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005EA7BA SIZE 0000031C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 154h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+154h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		mov	[esp+164h+var_144], eax
		mov	ebx, edx
		lea	eax, [esp+164h+var_A0]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		shr	esi, 9
		shr	ebx, 9
		and	esi, offset loc_7FFFF8
		and	ebx, offset loc_7FFFF8
		mov	[esp+160h+var_140], 0
		mov	eax, [eax+80h]
		sub	esi, 40000000h
		sub	ebx, 40000000h
		mov	[esp+160h+var_138], 0
		mov	[esp+160h+var_148], esi
		mov	[esp+160h+var_128], ebx
		mov	ecx, [eax+24Ch]
		lea	edi, [eax+240h]
		mov	eax, [ebp+arg_4]
		and	eax, 1
		mov	[esp+160h+var_10C], ecx
		mov	[esp+160h+var_13C], edi
		mov	[esp+160h+var_12C], eax
		jz	loc_5EA7C9
		mov	eax, [esp+160h+var_144]
		mov	eax, [eax+24h]
		test	eax, eax
		jz	short loc_51A45C

loc_51A452:				; CODE XREF: MiMoveDirtyBitsToPfns+D041Ej
		test	byte ptr [eax+24h], 4
		jz	loc_5EA7BA

loc_51A45C:				; CODE XREF: MiMoveDirtyBitsToPfns+B0j
					; MiMoveDirtyBitsToPfns+D0424j
		lea	ecx, [eax+4]
		mov	[esp+160h+var_130], ecx

loc_51A463:				; CODE XREF: MiMoveDirtyBitsToPfns+D0431j
		mov	[esp+160h+var_A0], 1
		mov	[esp+160h+var_9C], 0
		mov	[esp+160h+var_90], 0
		mov	[esp+160h+var_98], 21h
		mov	[esp+160h+var_8C], 0
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 4
		ja	loc_5EA7D6

loc_51A4A6:				; CODE XREF: MiMoveDirtyBitsToPfns+D0438j
		cmp	al, 2
		jz	loc_5EA7EF
		sub	edi, 0FFFFFF80h

loc_51A4B1:				; CODE XREF: MiMoveDirtyBitsToPfns+D0454j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[esp+160h+var_14D], al
		jnz	loc_5EA7F9
		mov	edx, [edi]
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	loc_51AA7D

loc_51A4E3:				; CODE XREF: MiMoveDirtyBitsToPfns+6E8j
					; MiMoveDirtyBitsToPfns+D0462j
		add	edi, 4
		cmp	dword ptr [edi], 0
		jnz	loc_5EA807

loc_51A4EF:				; CODE XREF: MiMoveDirtyBitsToPfns+D046Bj
		mov	edi, [esp+160h+var_13C]

loc_51A4F3:				; CODE XREF: MiMoveDirtyBitsToPfns+D044Aj
		cmp	esi, ebx
		ja	loc_51A7F7
		mov	eax, ebx
		shl	eax, 9
		mov	[esp+160h+var_108], eax
		mov	eax, [ebp+arg_4]
		and	eax, 2
		mov	[ebp+arg_4], eax

loc_51A50D:				; CODE XREF: MiMoveDirtyBitsToPfns+62Aj
		cmp	[esp+160h+var_140], 0
		jnz	loc_51A9CF

loc_51A518:				; CODE XREF: MiMoveDirtyBitsToPfns+665j
		test	eax, eax
		jnz	loc_5EA810

loc_51A520:				; CODE XREF: MiMoveDirtyBitsToPfns+D04A6j
		push	4Ch		; size_t
		lea	eax, [esp+164h+var_F0]
		mov	[esp+164h+var_120], 0
		push	0		; int
		push	eax		; void *
		mov	[esp+16Ch+var_11C], 0
		call	_memset
		mov	edx, esi
		mov	eax, 8E1h
		shl	edx, 9
		add	esp, 0Ch
		mov	word ptr [esp+160h+var_F0], ax
		mov	eax, edx
		cmp	edx, 0C0000000h
		jnb	loc_5EA84B

loc_51A55E:				; CODE XREF: MiMoveDirtyBitsToPfns+D04B0j
					; MiMoveDirtyBitsToPfns+D04C0j
		cmp	eax, dword_6D07D0
		jnb	loc_5EA865

loc_51A56A:				; CODE XREF: MiMoveDirtyBitsToPfns+D04D3j
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		add	ecx, 240h

loc_51A57C:				; CODE XREF: MiMoveDirtyBitsToPfns+D04E5j
		mov	eax, 8E5h
		mov	[esp+160h+var_E0], ecx
		mov	word ptr [esp+160h+var_F0], ax
		lea	ecx, [esp+160h+var_F0]
		lea	eax, [esp+160h+var_120]
		mov	[esp+160h+var_E4], 0
		mov	[esp+160h+var_A8], eax
		mov	al, byte ptr [esp+160h+var_F0+2]
		and	al, 0E7h
		mov	[esp+160h+var_AC], offset _MiGetNextPageTableTail@4 ; MiGetNextPageTableTail(x)
		or	al, 4
		mov	[esp+160h+var_DC], edx
		mov	byte ptr [esp+160h+var_F0+2], al
		mov	al, [esp+160h+var_14D]
		mov	[esp+160h+var_EA], al
		mov	eax, [esp+160h+var_108]
		mov	[esp+160h+var_D8], eax
		call	MiWalkPageTables
		mov	ecx, [esp+160h+var_11C]
		mov	edi, ecx
		test	edi, edi
		jz	short loc_51A619
		mov	eax, [esp+160h+var_120]
		mov	edx, edi
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		sub	edx, 40000000h
		mov	[esp+160h+var_140], edx
		test	eax, eax
		jnz	loc_5EA88A
		mov	eax, edi
		and	eax, 0FFFFF000h
		add	eax, 0FF8h
		cmp	eax, ebx
		jbe	loc_51A9B1

loc_51A619:				; CODE XREF: MiMoveDirtyBitsToPfns+242j
		mov	[esp+160h+var_14C], ebx

loc_51A61D:				; CODE XREF: MiMoveDirtyBitsToPfns+621j
					; MiMoveDirtyBitsToPfns+D0575j
		mov	ebx, [esp+160h+var_12C]
		test	ebx, ebx
		jz	loc_51A746
		mov	[esp+160h+var_138], 1

loc_51A631:				; CODE XREF: MiMoveDirtyBitsToPfns+2A2j
		cmp	esi, 0C07FFFFFh
		ja	short loc_51A644
		shl	esi, 9
		cmp	esi, 0C0000000h
		jnb	short loc_51A631

loc_51A644:				; CODE XREF: MiMoveDirtyBitsToPfns+297j
		mov	ecx, [esp+160h+var_144]
		shr	esi, 0Ch
		mov	eax, [ecx+0Ch]
		sub	esi, eax
		mov	ecx, [ecx+1Ch]
		mov	[esp+160h+var_134], eax
		mov	eax, ecx
		shr	eax, 12h
		and	eax, 3
		mov	[esp+160h+var_118], ecx
		mov	ebx, ds:_MiVadPageSizes[eax*4]
		cmp	ebx, 200h
		jnb	loc_5EA91A
		test	ecx, 400000h
		jnz	loc_5EA91A
		mov	ecx, 1

loc_51A687:				; CODE XREF: MiMoveDirtyBitsToPfns+D057Cj
		xor	edx, edx
		mov	eax, esi
		div	ecx
		mov	ecx, [esp+160h+var_14C]
		add	ecx, 8
		mov	edx, eax
		mov	[esp+160h+var_148], edx
		cmp	ecx, 0C0000000h
		jb	short loc_51A6B5

loc_51A6A2:				; CODE XREF: MiMoveDirtyBitsToPfns+313j
		cmp	ecx, 0C07FFFFFh
		ja	short loc_51A6B5
		shl	ecx, 9
		cmp	ecx, 0C0000000h
		jnb	short loc_51A6A2

loc_51A6B5:				; CODE XREF: MiMoveDirtyBitsToPfns+300j
					; MiMoveDirtyBitsToPfns+308j
		mov	eax, [esp+160h+var_144]
		mov	eax, [eax+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	ecx, eax
		ja	loc_51A9A4
		shr	ecx, 0Ch
		sub	ecx, [esp+160h+var_134]
		cmp	ebx, 200h
		jnb	short loc_51A6EA
		test	[esp+160h+var_118], 400000h
		jnz	short loc_51A6EA
		mov	ebx, 1

loc_51A6EA:				; CODE XREF: MiMoveDirtyBitsToPfns+339j
					; MiMoveDirtyBitsToPfns+343j
		xor	edx, edx
		mov	eax, ecx
		div	ebx
		mov	esi, eax
		sub	esi, [esp+160h+var_148]

loc_51A6F6:				; CODE XREF: MiMoveDirtyBitsToPfns+60Cj
		mov	cl, 2
		mov	[esp+160h+var_134], 0
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ebx, [esp+160h+var_144]
		add	ebx, 1Ch
		mov	edx, [ebx]
		nop

loc_51A710:				; CODE XREF: MiMoveDirtyBitsToPfns+D0593j
					; MiMoveDirtyBitsToPfns+D05B0j	...
		test	dl, 1
		jnz	loc_5EA921
		mov	ecx, edx
		mov	eax, edx
		and	ecx, 0FFFFFFFDh
		or	ecx, 1
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	loc_5EA955
		mov	ebx, [esp+160h+var_148]
		push	esi
		push	ebx
		push	[esp+168h+var_130]
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	ecx, [esp+160h+var_11C]
		mov	ebx, [esp+160h+var_12C]

loc_51A746:				; CODE XREF: MiMoveDirtyBitsToPfns+283j
		test	ecx, ecx
		jz	loc_51A7F7
		cmp	edi, [esp+160h+var_14C]
		ja	short loc_51A785

loc_51A754:				; CODE XREF: MiMoveDirtyBitsToPfns+3E3j
		mov	ecx, [edi]
		nop
		mov	edx, [edi+4]
		mov	eax, ecx
		and	eax, 1
		mov	[esp+160h+var_F8], ecx
		or	eax, 0
		mov	[esp+160h+var_F4], edx
		jz	short loc_51A778
		and	ecx, 42h
		or	ecx, 0
		jnz	loc_51A8F9

loc_51A778:				; CODE XREF: MiMoveDirtyBitsToPfns+3CAj
					; MiMoveDirtyBitsToPfns+5F9j ...
		mov	ebx, [esp+160h+var_12C]
		add	edi, 8
		cmp	edi, [esp+160h+var_14C]
		jbe	short loc_51A754

loc_51A785:				; CODE XREF: MiMoveDirtyBitsToPfns+3B2j
		cmp	[esp+160h+var_138], 0
		jz	short loc_51A7B8
		mov	esi, [esp+160h+var_144]
		add	esi, 1Ch
		mov	edx, [esi]
		mov	ecx, edx
		and	ecx, 0FFFFFFFCh
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	loc_5EAA89

loc_51A7A8:				; CODE XREF: MiMoveDirtyBitsToPfns+D06F8j
		mov	cl, 2
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[esp+160h+var_138], 0

loc_51A7B8:				; CODE XREF: MiMoveDirtyBitsToPfns+3EAj
		mov	esi, edi
		cmp	edi, 0C0000000h
		jb	short loc_51A7D5

loc_51A7C2:				; CODE XREF: MiMoveDirtyBitsToPfns+433j
		cmp	esi, 0C07FFFFFh
		ja	short loc_51A7D5
		shl	esi, 9
		cmp	esi, 0C0000000h
		jnb	short loc_51A7C2

loc_51A7D5:				; CODE XREF: MiMoveDirtyBitsToPfns+420j
					; MiMoveDirtyBitsToPfns+428j
		mov	ebx, [esp+160h+var_128]
		mov	eax, [ebp+arg_4]
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		mov	[esp+160h+var_148], esi
		cmp	esi, ebx
		jbe	loc_51A9C6

loc_51A7F7:				; CODE XREF: MiMoveDirtyBitsToPfns+155j
					; MiMoveDirtyBitsToPfns+3A8j
		lea	ecx, [esp+160h+var_A0]
		call	MiFlushTbList
		cmp	[esp+160h+var_138], 0
		jnz	loc_51AA8D

loc_51A80E:				; CODE XREF: MiMoveDirtyBitsToPfns+6F8j
		mov	eax, [esp+160h+var_140]
		test	eax, eax
		jz	short loc_51A856
		lea	ecx, [esp+160h+var_124]
		mov	[esp+160h+var_124], 0
		push	ecx
		mov	ecx, [esp+164h+var_13C]
		mov	edx, eax
		call	MiGetPageTableLockBuffer
		mov	edi, eax
		mov	esi, 2
		mov	edx, [edi]
		mov	eax, edx
		mov	ebx, [esp+160h+var_124]
		mov	ecx, ebx
		shl	esi, cl
		mov	ecx, edx
		not	esi
		btr	ecx, ebx
		and	ecx, esi
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	loc_51AAA0

loc_51A856:				; CODE XREF: MiMoveDirtyBitsToPfns+474j
					; MiMoveDirtyBitsToPfns+70Fj
		mov	ebx, [esp+160h+var_13C]
		mov	al, [ebx+60h]
		and	al, 7
		cmp	al, 4
		ja	loc_5EAA9D

loc_51A867:				; CODE XREF: MiMoveDirtyBitsToPfns+D0705j
		mov	eax, [ebx+60h]
		mov	ecx, eax
		shr	ecx, 18h
		test	cl, 0Ch
		jnz	loc_5EAAAA
		test	cl, 10h
		jnz	loc_5EAAAA

loc_51A881:				; CODE XREF: MiMoveDirtyBitsToPfns+D0718j
		and	al, 7
		cmp	al, 2
		jz	loc_5EAABD
		lea	esi, [ebx+80h]

loc_51A891:				; CODE XREF: MiMoveDirtyBitsToPfns+D0722j
		test	ds:_MiFlags, 0C00000h
		setnz	cl
		test	al, al
		setz	al
		test	cl, al
		jz	short loc_51A8C0
		cmp	byte ptr [ebx-1CCh], 1
		jz	short loc_51A8C0
		rdtsc
		and	eax, 3FF0h
		or	eax, 0
		jz	loc_51AA0A

loc_51A8C0:				; CODE XREF: MiMoveDirtyBitsToPfns+505j
					; MiMoveDirtyBitsToPfns+50Ej ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5EAAC7
		mov	eax, 0BFFFFFFFh
		lock and [esi],	eax
		lock dec dword ptr [esi]

loc_51A8D8:				; CODE XREF: MiMoveDirtyBitsToPfns+D06FFj
					; MiMoveDirtyBitsToPfns+D0731j
		mov	cl, [esp+160h+var_14D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esp+160h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_51A8F9:				; CODE XREF: MiMoveDirtyBitsToPfns+3D2j
		nop
		test	ebx, ebx
		jz	loc_5EA95C

loc_51A902:				; CODE XREF: MiMoveDirtyBitsToPfns+D0604j
		mov	ebx, [edi]
		nop
		mov	esi, [edi+4]
		mov	edx, edi
		and	ebx, 0FFFFFFBDh
		shl	edx, 9
		xor	eax, eax
		mov	[esp+160h+var_100], ebx
		mov	[esp+160h+var_FC], esi
		cmp	edx, 0C0000000h
		jnb	loc_5EA9A9

loc_51A926:				; CODE XREF: MiMoveDirtyBitsToPfns+D0623j
		nop
		push	0
		mov	[edi], ebx
		lea	ecx, [esp+164h+var_A0]
		push	1
		mov	[edi+4], esi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_51A93C:				; CODE XREF: MiMoveDirtyBitsToPfns+D0676j
		nop
		mov	eax, ds:_MmPfnDatabase
		shrd	ebx, esi, 0Ch
		mov	[esp+160h+var_148], 0
		and	ebx, 1FFFFFFh
		mov	[esp+160h+var_104], 0
		lea	ecx, ds:0[ebx*8]
		sub	ecx, ebx
		lea	ebx, [eax+ecx*4]
		lea	esi, [ebx+10h]
		lock bts dword ptr [esi], 1Fh
		jb	loc_5EAA1B

loc_51A976:				; CODE XREF: MiMoveDirtyBitsToPfns+D0690j
		mov	cl, [ebx+16h]
		xor	esi, esi
		xor	edx, edx
		test	cl, 10h
		jz	loc_5EAA35

loc_51A986:				; CODE XREF: MiMoveDirtyBitsToPfns+D06C4j
					; MiMoveDirtyBitsToPfns+D06D3j
		lea	eax, [ebx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	ecx, [esp+160h+var_148]
		mov	eax, esi
		or	eax, edx
		jz	loc_51A778
		jmp	loc_5EAA78
; 

loc_51A9A4:				; CODE XREF: MiMoveDirtyBitsToPfns+326j
		mov	esi, [esp+160h+var_130]
		mov	esi, [esi]
		sub	esi, edx
		jmp	loc_51A6F6
; 

loc_51A9B1:				; CODE XREF: MiMoveDirtyBitsToPfns+273j
		mov	eax, edi
		and	eax, 0FFFFF000h
		add	eax, 0FF8h
		mov	[esp+160h+var_14C], eax
		jmp	loc_51A61D
; 

loc_51A9C6:				; CODE XREF: MiMoveDirtyBitsToPfns+451j
		mov	edi, [esp+160h+var_13C]
		jmp	loc_51A50D
; 

loc_51A9CF:				; CODE XREF: MiMoveDirtyBitsToPfns+172j
		lea	ecx, [esp+160h+var_A0]
		call	MiFlushTbList
		mov	edx, [esp+160h+var_140]
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	ecx, edi
		mov	[esp+160h+var_140], 0
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_51AA69
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	short loc_51AA69

loc_51AA02:				; CODE XREF: MiMoveDirtyBitsToPfns+6DBj
		mov	eax, [ebp+arg_4]
		jmp	loc_51A518
; 

loc_51AA0A:				; CODE XREF: MiMoveDirtyBitsToPfns+51Aj
		cmp	dword ptr [ebx+0C4h], 0
		jz	loc_51A8C0
		cmp	dword ptr [ebx+0Ch], 0
		jz	loc_51A8C0
		cmp	dword ptr [ebx+10h], 0
		jz	loc_51A8C0
		mov	ecx, ebx
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	loc_51A8C0
		push	1
		mov	edx, 0C0603018h
		call	MiLockPageTableInternal
		test	eax, eax
		jz	loc_51A8C0
		mov	ecx, 1
		call	MiPaeCheckProcessShadow
		mov	edx, 0C0603018h
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	loc_51A8C0
; 

loc_51AA69:				; CODE XREF: MiMoveDirtyBitsToPfns+657j
					; MiMoveDirtyBitsToPfns+660j
		mov	dl, [esp+160h+var_14D]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	ecx, edi
		call	MiLockWorkingSetShared
		jmp	short loc_51AA02
; 

loc_51AA7D:				; CODE XREF: MiMoveDirtyBitsToPfns+13Dj
		mov	dl, [esp+160h+var_14D]
		mov	ecx, edi
		call	ExpWaitForSpinLockSharedAndAcquire
		jmp	loc_51A4E3
; 

loc_51AA8D:				; CODE XREF: MiMoveDirtyBitsToPfns+468j
		mov	ecx, [esp+160h+var_144]
		mov	dl, 2
		call	MiUnlockVadCore
		jmp	loc_51A80E
; 
		align 10h

loc_51AAA0:				; CODE XREF: MiMoveDirtyBitsToPfns+4B0j
					; MiMoveDirtyBitsToPfns+715j
		mov	ecx, eax
		mov	edx, eax
		btr	ecx, ebx
		and	ecx, esi
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	loc_51A856
		jmp	short loc_51AAA0
MiMoveDirtyBitsToPfns endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAttachProcess	proc near		; CODE XREF: KeAttachProcess+72p
					; KiStackAttachProcess+244p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005A844A SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	eax, [esi+80h]
		lea	edx, [esi+70h]
		push	edi
		mov	edi, [ebp+arg_8]
		mov	[edi+10h], eax
		movzx	eax, byte ptr [edx+14h]
		mov	[edi+14h], al
		movzx	eax, byte ptr [edx+15h]
		mov	[edi+15h], al
		movzx	eax, byte ptr [edx+16h]
		mov	[edi+16h], al
		mov	ecx, [edx]
		cmp	ecx, edx
		jnz	loc_51AC9F
		mov	[edi+4], edi
		mov	[edi], edi
		mov	byte ptr [edi+15h], 0

loc_51AB06:				; CODE XREF: KiAttachProcess+1ECj
		mov	ecx, [edx+8]
		lea	eax, [edx+8]
		cmp	ecx, eax
		mov	[ebp+var_4], ecx
		lea	eax, [edi+8]
		jnz	loc_51AC87
		mov	[eax+4], eax
		mov	[eax], eax
		mov	byte ptr [edi+16h], 0

loc_51AB23:				; CODE XREF: KiAttachProcess+1DAj
		lea	eax, [esi+78h]
		mov	[edx+4], edx
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+174h]
		mov	[edx], edx
		mov	word ptr [esi+84h], 0
		mov	byte ptr [esi+86h], 0
		cmp	edi, eax
		jnz	short loc_51AB51
		mov	byte ptr [esi+16Ah], 1

loc_51AB51:				; CODE XREF: KiAttachProcess+88j
		mov	edx, [ebp+arg_4]
		test	dl, 1
		jnz	short loc_51AB6D
		mov	eax, 8
		lea	ecx, [ebx+7Ch]
		lock xadd [ecx], eax
		test	al, 7
		jnz	loc_51AC4E

loc_51AB6D:				; CODE XREF: KiAttachProcess+97j
					; KiAttachProcess+1C2j
		or	dword ptr [esi+58h], 800h
		nop
		and	edx, 2
		mov	[esi+80h], ebx
		mov	[ebp+arg_4], edx
		jnz	short loc_51AB8A
		mov	dword ptr [esi+2Ch], 0

loc_51AB8A:				; CODE XREF: KiAttachProcess+C1j
		mov	ecx, large fs:20h
		mov	eax, [edi+10h]
		mov	[ebp+var_8], eax
		movzx	eax, byte ptr [ecx+3C5h]
		movzx	edx, byte ptr [ecx+3C4h]
		mov	[ebp+var_10], edx
		lea	eax, ds:60h[eax*4]
		mov	[ebp+var_C], eax
		add	eax, ebx
		lock bts [eax],	edx
		mov	eax, large fs:1Ch
		cmp	ds:_KiKvaShadow, 0
		mov	edi, [ebx+18h]
		mov	[ebp+arg_8], eax
		jz	short loc_51ABDD
		movzx	ecx, byte ptr [ebx+74h]
		mov	large fs:5000h,	edi
		call	_KiSetAddressPolicy@4 ;	KiSetAddressPolicy(x)

loc_51ABDD:				; CODE XREF: KiAttachProcess+10Bj
		test	byte ptr ds:_HvlEnlightenments,	1
		jnz	loc_5A845D
		mov	cr3, edi

loc_51ABED:				; CODE XREF: KiAttachProcess+8D9A3j
		cmp	ds:_KiKvaShadow, 0
		jz	short loc_51AC04
		cmp	ds:_KiFlushPcid, 0
		jnz	short loc_51AC04
		call	_KeFlushCurrentTb@0 ; KeFlushCurrentTb()

loc_51AC04:				; CODE XREF: KiAttachProcess+134j
					; KiAttachProcess+13Dj
		mov	edi, [ebp+var_8]
		mov	ax, [edi+1Ch]
		or	ax, [ebx+1Ch]
		jnz	loc_5A8468
		mov	edx, [ebp+arg_8]

loc_51AC18:				; CODE XREF: KiAttachProcess+8D9C7j
		mov	edx, [edx+40h]
		mov	ax, [ebx+76h]
		mov	ecx, [ebp+var_10]
		mov	[edx+66h], ax
		mov	eax, [ebp+var_C]
		add	eax, edi
		lock btr [eax],	ecx
		and	dword ptr [esi+58h], 0FFFFF7FFh
		cmp	[ebp+arg_4], 0
		pop	edi
		pop	esi
		pop	ebx
		jnz	short loc_51AC48
		mov	cl, byte ptr [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_51AC48:				; CODE XREF: KiAttachProcess+17Dj
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_51AC4E:				; CODE XREF: KiAttachProcess+A7j
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	dword ptr [esi+2Ch], 0
		mov	ecx, esi
		call	@KiInSwapSingleProcess@12 ; KiInSwapSingleProcess(x,x,x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_4], 0
		lea	edi, [esi+2Ch]

loc_51AC71:				; CODE XREF: KiAttachProcess+8D998j
		lock bts dword ptr [edi], 0
		jb	loc_5A844A
		mov	edi, [ebp+arg_8]
		mov	edx, [ebp+arg_4]
		jmp	loc_51AB6D
; 

loc_51AC87:				; CODE XREF: KiAttachProcess+54j
		mov	ecx, [edx+0Ch]
		mov	edx, [ebp+var_4]
		mov	[eax], edx
		mov	[edi+0Ch], ecx
		mov	[edx+4], eax
		lea	edx, [esi+70h]
		mov	[ecx], eax
		jmp	loc_51AB23
; 

loc_51AC9F:				; CODE XREF: KiAttachProcess+37j
		mov	eax, [edx+4]
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[ecx+4], edi
		mov	[eax], edi
		jmp	loc_51AB06
KiAttachProcess	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpDrainDelayDerefContext proc near	; CODE XREF: CmpEnumerateLayeredKey+281p
					; CmpCleanUpKCBCacheTable(x)+B3p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005EAAD6 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		cmp	[edi], edi
		jz	loc_51AD56
		push	esi

loc_51ACD7:				; CODE XREF: CmpDrainDelayDerefContext+CFE1Fj
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_51AD55
		cmp	[eax+4], edi
		jnz	loc_5EAAE4
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_5EAAE4
		mov	[edi], ecx
		mov	[ecx+4], edi
		lea	ecx, [eax-78h]
		and	byte ptr [ecx+20h], 0FEh
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ecx+10h]
		mov	esi, [ecx+8]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], eax
		call	CmpLockHashEntryExclusiveByKcb
		mov	ecx, [ebp+var_4]
		call	_CmpLockKcbExclusive@4 ; CmpLockKcbExclusive(x)
		mov	eax, [ebp+var_4]
		mov	[ebp+var_8], 0
		mov	ecx, [eax+6Ch]
		test	ecx, ecx
		jnz	short loc_51AD5C

loc_51AD2C:				; CODE XREF: CmpDrainDelayDerefContext+A1j
					; CmpDrainDelayDerefContext+C3j
		push	ebx
		mov	edx, edi
		mov	ecx, eax
		call	CmpDereferenceKeyControlBlockWithLock
		mov	ecx, [ebp+var_4]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	loc_5EAAD6
		mov	ecx, eax
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		jmp	loc_5EAAD6
; 

loc_51AD55:				; CODE XREF: CmpDrainDelayDerefContext+1Bj
		pop	esi

loc_51AD56:				; CODE XREF: CmpDrainDelayDerefContext+10j
		pop	edi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51AD5C:				; CODE XREF: CmpDrainDelayDerefContext+6Aj
		mov	ecx, [ecx+0Ch]
		test	ecx, ecx
		jz	short loc_51AD2C
		mov	ecx, [ecx+8]
		mov	[ebp+var_8], ecx
		mov	ecx, eax
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	ecx, [ebp+var_8]
		call	_CmpLockKcbExclusive@4 ; CmpLockKcbExclusive(x)
		mov	ecx, [ebp+var_4]
		call	_CmpLockKcbExclusive@4 ; CmpLockKcbExclusive(x)
		mov	eax, [ebp+var_4]
		jmp	short loc_51AD2C
CmpDrainDelayDerefContext endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1256. KeReleaseMutex

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeReleaseMutex(x, x)
		public _KeReleaseMutex@8
_KeReleaseMutex@8 proc near		; CODE XREF: WmipFindRegEntryByDevice+63p
					; WmipReceiveNotifications+23Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	0
		push	1
		push	[ebp+arg_0]
		call	KeReleaseMutant
		pop	ebp
		retn	8
_KeReleaseMutex@8 endp

; 
		align 10h
; Exported entry 1255. KeReleaseMutant

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeReleaseMutant
KeReleaseMutant	proc near		; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+235p
					; KeReleaseMutex(x,x)+Fp ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005EAB00 SIZE 000001AF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_28], 0
		xor	bh, bh
		mov	[ebp+var_14], 0
		mov	[ebp+var_8], eax
		mov	[ebp+var_20], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, [ebp+arg_0]
		mov	cl, al
		mov	eax, large fs:20h
		mov	byte ptr [ebp+var_24], cl
		mov	[ebp+var_4], eax
		mov	[ebp+var_2C], 0
		lock bts dword ptr [esi], 7
		jb	loc_51AFE3

loc_51AE04:				; CODE XREF: KeReleaseMutant+24Ej
		mov	bl, byte ptr [ebp+arg_8]
		mov	edi, [esi+4]
		test	bl, bl
		jnz	loc_5EAAEB
		mov	edx, [ebp+var_8]
		cmp	[esi+18h], edx
		jnz	loc_51AF7F
		mov	al, [eax+223Ah]
		cmp	[esi+2], al
		jnz	loc_51AF7F
		inc	dword ptr [esi+4]
		mov	eax, [esi+4]

loc_51AE33:				; CODE XREF: CmpDrainDelayDerefContext+CFE3Bj
		cmp	eax, 1
		jnz	loc_51AF1E
		test	edi, edi
		jg	loc_51AF1E
		xor	eax, eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	eax, [esi]
		mov	[ebp+var_44], eax
		mov	byte ptr [ebp+var_44+2], 0
		mov	eax, [ebp+var_44]
		mov	[esi], eax
		movzx	eax, byte ptr [esi+1Dh]
		mov	[ebp+var_28], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_14], eax
		mov	[ebp+var_30], 0
		lea	esi, [eax+2Ch]

loc_51AE74:				; CODE XREF: KeReleaseMutant+22Ej
		lock bts dword ptr [esi], 0
		jb	loc_51AFD0
		mov	esi, [ebp+arg_0]
		mov	edx, [esi+10h]
		lea	eax, [esi+10h]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_51AF42
		cmp	[ecx], eax
		jnz	loc_51AF42
		mov	eax, [ebp+var_14]
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	edx, 0FFFFFF7Fh
		mov	dword ptr [eax+2Ch], 0
		lea	eax, [esi+8]
		mov	ecx, [eax]
		mov	dword ptr [esi+18h], 0
		cmp	ecx, eax
		jnz	short loc_51AF30

loc_51AEC0:				; CODE XREF: KeReleaseMutant+1C7j
					; KeReleaseMutant+214j	...
		test	byte ptr [esi+1Ch], 2
		jnz	loc_5EABF6

loc_51AECA:				; CODE XREF: KeReleaseMutant+CFE48j
		lock and [esi],	edx
		test	bl, bl
		jnz	loc_5EABFD

loc_51AED5:				; CODE XREF: KeReleaseMutant+CFE54j
		mov	eax, [ebp+var_4]
		test	bh, bh
		jnz	loc_5EAC09

loc_51AEE0:				; CODE XREF: KeReleaseMutant+179j
					; KeReleaseMutant+CFE5Ej ...
		cmp	[ebp+arg_C], 0
		jnz	loc_5EAC5D
		xor	edx, edx

loc_51AEEC:				; CODE XREF: KeReleaseMutant+CFEB2j
		push	[ebp+var_24]
		mov	ecx, eax
		push	[ebp+arg_4]
		push	1
		call	KiExitDispatcher
		test	bh, bh
		mov	ebx, [ebp+var_8]
		jnz	loc_5EAC67

loc_51AF06:				; CODE XREF: KeReleaseMutant+CFEC3j
		cmp	[ebp+var_28], 0
		jz	short loc_51AF13
		mov	ecx, ebx
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_51AF13:				; CODE XREF: KeReleaseMutant+15Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_51AF1E:				; CODE XREF: KeReleaseMutant+86j
					; KeReleaseMutant+8Ej
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax

loc_51AF26:				; CODE XREF: KeReleaseMutant+CFE7Aj
					; KeReleaseMutant+CFE96j ...
		mov	eax, [ebp+var_4]
		jmp	short loc_51AEE0
; 
		jmp	short loc_51AF30
; 
		align 10h

loc_51AF30:				; CODE XREF: KeReleaseMutant+10Ej
					; KeReleaseMutant+17Bj	...
		mov	eax, [ecx]
		mov	edx, ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_34], eax
		mov	ecx, [edx+4]
		cmp	[eax+4], edx
		jz	short loc_51AF49

loc_51AF42:				; CODE XREF: KeReleaseMutant+DEj
					; KeReleaseMutant+E6j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_51AF49:				; CODE XREF: KeReleaseMutant+190j
		cmp	[ecx], edx
		jnz	short loc_51AF42
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	al, [edx+8]
		cmp	al, 1
		jnz	short loc_51AFA0
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_20]
		push	eax
		movzx	eax, word ptr [edx+0Ah]
		push	eax
		call	KiTryUnwaitThread
		mov	edx, 0FFFFFF7Fh
		test	al, al
		jz	short loc_51AFBC
		add	dword ptr [esi+4], 0FFFFFFFFh
		jz	loc_51AEC0
		jmp	short loc_51AFBC
; 

loc_51AF7F:				; CODE XREF: KeReleaseMutant+68j
					; KeReleaseMutant+77j
		mov	bl, [esi+1Ch]
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	bl, 1
		jnz	short loc_51B003
		mov	eax, 0C0000046h

loc_51AF9A:				; CODE XREF: KeReleaseMutant+258j
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_51AFA0:				; CODE XREF: KeReleaseMutant+1A7j
		cmp	al, 2
		jz	loc_5EAB00
		mov	ecx, [ebp+var_4]
		push	0
		push	100h
		call	KiTryUnwaitThread
		mov	edx, 0FFFFFF7Fh

loc_51AFBC:				; CODE XREF: KeReleaseMutant+1C1j
					; KeReleaseMutant+1CDj	...
		mov	ecx, [ebp+var_34]
		lea	eax, [esi+8]
		cmp	ecx, eax
		jz	loc_51AEC0
		jmp	loc_51AF30
; 
		align 10h

loc_51AFD0:				; CODE XREF: KeReleaseMutant+C9j
					; KeReleaseMutant+22Cj
		lea	ecx, [ebp+var_30]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_51AFD0
		jmp	loc_51AE74
; 

loc_51AFE3:				; CODE XREF: KeReleaseMutant+4Ej
					; KeReleaseMutant+23Fj	...
		lea	ecx, [ebp+var_2C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	al, al
		js	short loc_51AFE3
		lock bts dword ptr [esi], 7
		jb	short loc_51AFE3
		mov	cl, byte ptr [ebp+var_24]
		mov	eax, [ebp+var_4]
		jmp	loc_51AE04
; 

loc_51B003:				; CODE XREF: KeReleaseMutant+1E3j
		mov	eax, 80h
		jmp	short loc_51AF9A
KeReleaseMutant	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiLeaveCriticalRegionUnsafe(x)
_KiLeaveCriticalRegionUnsafe@4 proc near ; CODE	XREF: PoFxSystemLatencyNotify+52p
					; ExpWorkerFactoryCreateThread+12Dp ...
		mov	edi, edi
		nop
		add	word ptr [ecx+13Ch], 1
		jz	short loc_51B01E

locret_51B01D:				; CODE XREF: KiLeaveCriticalRegionUnsafe(x)+14j
		retn
; 

loc_51B01E:				; CODE XREF: KiLeaveCriticalRegionUnsafe(x)+Bj
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short locret_51B01D
		cmp	word ptr [ecx+13Eh], 0
		jz	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		retn
_KiLeaveCriticalRegionUnsafe@4 endp

; 
		align 10h
; Exported entry 1980. RtlClearBits

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlClearBits(x, x, x)
		public _RtlClearBits@12
_RtlClearBits@12 proc near		; CODE XREF: HvpGrowDirtyVectors+3Dp
					; HvpGrowDirtyVectors+53p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jz	short loc_51B074
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		and	ecx, 7
		shr	esi, 3
		add	esi, [eax+4]
		lea	edx, [ecx+ebx]
		cmp	edx, 8
		ja	short loc_51B079
		mov	al, ds:byte_40BA58[ebx]
		shl	al, cl
		not	al

loc_51B071:				; CODE XREF: RtlClearBits(x,x,x)+70j
		and	[esi], al

loc_51B073:				; CODE XREF: RtlClearBits(x,x,x)+68j
		pop	esi

loc_51B074:				; CODE XREF: RtlClearBits(x,x,x)+Bj
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_51B079:				; CODE XREF: RtlClearBits(x,x,x)+25j
		test	ecx, ecx
		jz	short loc_51B089
		mov	al, ds:byte_40BA58[ecx]
		lea	ebx, [edx-8]
		and	[esi], al
		inc	esi

loc_51B089:				; CODE XREF: RtlClearBits(x,x,x)+3Bj
		cmp	ebx, 8
		jbe	short loc_51B0A6
		push	edi
		mov	edi, ebx
		shr	edi, 3
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		add	esi, edi
		and	ebx, 7
		pop	edi

loc_51B0A6:				; CODE XREF: RtlClearBits(x,x,x)+4Cj
		test	ebx, ebx
		jz	short loc_51B073
		mov	al, ds:byte_40AA48[ebx]
		jmp	short loc_51B071
_RtlClearBits@12 endp

; 
		align 10h
; Exported entry 1320. KeUnstackDetachProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeUnstackDetachProcess(x)
		public _KeUnstackDetachProcess@4
_KeUnstackDetachProcess@4 proc near	; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+4B9p
					; NtUnlockVirtualMemory(x,x,x,x)+68Dp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+10h]
		cmp	eax, 1
		jz	short loc_51B0E8
		xor	edx, edx
		test	eax, eax
		jnz	short loc_51B0E3
		mov	ecx, large fs:124h
		add	ecx, 174h

loc_51B0E3:				; CODE XREF: KeUnstackDetachProcess(x)+14j
		call	KiDetachProcess

loc_51B0E8:				; CODE XREF: KeUnstackDetachProcess(x)+Ej
		pop	ebp
		retn	4
_KeUnstackDetachProcess@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


PsIsProcessLoggingEnabled proc near	; CODE XREF: MiReadWriteVirtualMemory+129p

; FUNCTION CHUNK AT 005EACAF SIZE 00000010 BYTES

		mov	edi, edi
		push	esi
		xor	esi, esi
		xor	eax, eax
		cmp	edx, 10h
		jnz	short loc_51B113
		mov	esi, 1000000h
		lea	eax, [ecx+0F8h]

loc_51B107:				; CODE XREF: KeReleaseMutant+CFEE9j
					; KeReleaseMutant+CFEFAj ...
		mov	eax, [eax]
		and	eax, esi
		neg	eax
		pop	esi
		sbb	eax, eax
		neg	eax
		retn
; 

loc_51B113:				; CODE XREF: PsIsProcessLoggingEnabled+Aj
		sub	edx, 2
		jz	loc_5EACAF
		sub	edx, 1Eh
		jnz	loc_5EAC93
		lea	eax, [ecx+0F8h]
		mov	esi, 2000000h
		mov	eax, [eax]
		and	eax, esi
		neg	eax
		pop	esi
		sbb	eax, eax
		neg	eax
		retn
PsIsProcessLoggingEnabled endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepNormalAccessCheck proc near		; CODE XREF: SepAccessCheck+1BEp
					; SepAccessCheck+547p

var_60		= dword	ptr -60h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= byte ptr  28h
arg_24		= byte ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= byte ptr  34h

; FUNCTION CHUNK AT 005EACBF SIZE 000002C8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, edx
		mov	[ebp+var_24], 0
		mov	edx, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_18]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], eax
		mov	ecx, [eax+0B0h]
		movzx	eax, word ptr [edx+4]
		and	ecx, 2000h
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], edi
		mov	[ebp+var_34], 0FFFFFFFFh
		mov	[ebp+var_38], eax
		cmp	[ebp+arg_14], edi
		jbe	short loc_51B19D
		mov	ecx, [ebp+arg_14]
		lea	eax, [ebx+18h]
		lea	esp, [esp+0]

loc_51B190:				; CODE XREF: SepNormalAccessCheck+58j
		mov	[eax], esi
		lea	eax, [eax+2Ch]
		sub	ecx, 1
		jnz	short loc_51B190
		mov	ecx, [ebp+var_4]

loc_51B19D:				; CODE XREF: SepNormalAccessCheck+44j
		test	ecx, ecx
		jz	loc_51B578

loc_51B1A5:				; CODE XREF: SepNormalAccessCheck+43Cj
					; SepNormalAccessCheck+44Cj
		cmp	[ebp+var_38], 0
		lea	eax, [edx+8]
		mov	[ebp+var_20], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_14], 0
		mov	[ebp+var_8], eax
		jbe	loc_51B39C
		mov	edx, [ebp+arg_10]

loc_51B1C5:				; CODE XREF: SepNormalAccessCheck+24Cj
		mov	eax, [ebx+18h]
		test	eax, eax
		jz	loc_51B394

loc_51B1D0:				; CODE XREF: SepNormalAccessCheck+256j
		mov	edi, [ebp+var_8]
		test	byte ptr [edi+1], 8
		jnz	loc_51B372
		test	eax, eax
		jz	loc_51B4C7

loc_51B1E5:				; CODE XREF: SepNormalAccessCheck+399j
		mov	al, [edi]
		test	al, al
		jnz	loc_51B63F

loc_51B1EF:				; CODE XREF: SepNormalAccessCheck+38Bj
		test	ecx, ecx
		jz	loc_51B3B5

loc_51B1F7:				; CODE XREF: SepNormalAccessCheck+279j
					; SepNormalAccessCheck+283j ...
		mov	eax, [ebx+18h]
		mov	[ebp+var_50], eax
		test	eax, eax
		jz	loc_51B36F
		mov	eax, dword ptr [ebp+arg_20]
		lea	esi, [edi+8]
		movzx	eax, al
		neg	eax
		mov	[ebp+var_1C], esi
		sbb	eax, eax
		and	eax, 88h
		lea	edx, [eax+0CCh]
		add	edx, [ebp+var_C]
		cmp	[ebp+arg_2C], 0
		mov	[ebp+var_18], edx
		jnz	loc_5EACD3

loc_51B230:				; CODE XREF: SepNormalAccessCheck+CFB95j
					; SepNormalAccessCheck+CFBB2j
		cmp	[ebp+arg_10], 0
		jnz	loc_51B783

loc_51B23A:				; CODE XREF: SepNormalAccessCheck+654j
					; SepNormalAccessCheck+660j
		cmp	[ebp+arg_24], 0
		jnz	loc_51B428

loc_51B244:				; CODE XREF: SepNormalAccessCheck+2F4j
					; SepNormalAccessCheck+370j
		test	edx, edx
		jz	loc_51B36F
		mov	esi, [ebp+var_1C]
		test	esi, esi
		jz	loc_51B36F
		movzx	eax, byte ptr [esi+1]
		mov	bl, 0
		mov	byte ptr [ebp+arg_4+3],	bl
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_30], eax
		movzx	eax, word ptr [esi]
		mov	ecx, eax
		shr	eax, 8
		mov	[ebp+var_28], ecx
		movzx	ecx, byte ptr [esi+eax*4+4]
		mov	eax, ecx
		and	ecx, 0Fh
		shr	eax, 4
		mov	eax, [edx+eax*4+48h]
		and	eax, [edx+ecx*4+8]
		mov	[ebp+var_2C], eax
		jz	loc_51B3A5

loc_51B293:				; CODE XREF: SepNormalAccessCheck+3CFj
		test	al, al
		jz	loc_51B4FE
		mov	ecx, [edx+4]
		movzx	edx, bl
		mov	[ebp+var_40], ecx
		mov	[ebp+var_4C], edx
		jmp	short loc_51B2B0
; 
		align 10h

loc_51B2B0:				; CODE XREF: SepNormalAccessCheck+167j
					; SepNormalAccessCheck+3B2j
		movzx	eax, al
		mov	[ebp+var_44], eax
		movzx	eax, ds:_SidHashByteToIndexLookupTable[eax]
		mov	[ebp+var_48], eax
		add	eax, edx
		mov	edx, [ecx+eax*8]
		lea	ebx, [ecx+eax*8]
		mov	eax, [ebp+var_28]
		cmp	[edx], ax
		jnz	loc_51B4E4
		mov	eax, esi
		mov	esi, [ebp+var_30]
		sub	esi, 4
		jb	short loc_51B2F1
		mov	edi, edi

loc_51B2E0:				; CODE XREF: SepNormalAccessCheck+1AFj
		mov	ecx, [eax]
		cmp	ecx, [edx]
		jnz	short loc_51B2F6
		add	eax, 4
		add	edx, 4
		sub	esi, 4
		jnb	short loc_51B2E0

loc_51B2F1:				; CODE XREF: SepNormalAccessCheck+19Cj
		cmp	esi, 0FFFFFFFCh
		jz	short loc_51B333

loc_51B2F6:				; CODE XREF: SepNormalAccessCheck+1A4j
		mov	cl, [eax]
		cmp	cl, [edx]
		jnz	loc_51B8CE
		cmp	esi, 0FFFFFFFDh
		jz	short loc_51B333
		mov	cl, [eax+1]
		cmp	cl, [edx+1]
		jnz	loc_51B8CE
		cmp	esi, 0FFFFFFFEh
		jz	short loc_51B333
		mov	cl, [eax+2]
		cmp	cl, [edx+2]
		jnz	loc_51B8CE
		cmp	esi, 0FFFFFFFFh
		jz	short loc_51B333
		mov	al, [eax+3]
		cmp	al, [edx+3]
		jnz	loc_51B8CE

loc_51B333:				; CODE XREF: SepNormalAccessCheck+1B4j
					; SepNormalAccessCheck+1C3j ...
		xor	eax, eax

loc_51B335:				; CODE XREF: SepNormalAccessCheck+793j
		test	eax, eax
		jnz	loc_51B4DE

loc_51B33D:				; CODE XREF: SepNormalAccessCheck+4FAj
		cmp	[ebp+arg_20], 0
		jnz	short loc_51B34F
		mov	eax, [ebp+var_18]
		cmp	ebx, [eax+4]
		jz	loc_51B4B5

loc_51B34F:				; CODE XREF: SepNormalAccessCheck+201j
					; SepNormalAccessCheck+379j
		test	byte ptr [ebx+4], 4
		mov	ebx, [ebp+arg_18]
		jz	short loc_51B36F

loc_51B358:				; CODE XREF: SepNormalAccessCheck+367j
					; SepNormalAccessCheck+382j
		mov	ecx, [ebp+arg_14]
		mov	eax, [edi+4]
		cmp	ecx, 1
		jnz	loc_5EACF7
		not	eax
		and	eax, [ebp+var_50]
		mov	[ebx+18h], eax

loc_51B36F:				; CODE XREF: SepNormalAccessCheck+BFj
					; SepNormalAccessCheck+106j ...
		mov	ecx, [ebp+var_4]

loc_51B372:				; CODE XREF: SepNormalAccessCheck+97j
					; SepNormalAccessCheck+393j ...
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_14]
		mov	edi, [ebp+var_10]
		inc	edx
		mov	[ebp+var_14], edx
		movzx	eax, word ptr [eax+2]
		add	[ebp+var_8], eax
		cmp	edx, [ebp+var_38]
		mov	edx, [ebp+arg_10]
		jb	loc_51B1C5
		jmp	short loc_51B39C
; 

loc_51B394:				; CODE XREF: SepNormalAccessCheck+8Aj
		test	edi, edi
		jnz	loc_51B1D0

loc_51B39C:				; CODE XREF: SepNormalAccessCheck+7Cj
					; SepNormalAccessCheck+252j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	30h
; 

loc_51B3A5:				; CODE XREF: SepNormalAccessCheck+14Dj
					; SepNormalAccessCheck+3D5j
		mov	ebx, [edx]
		cmp	ebx, 20h
		ja	loc_51B591

loc_51B3B0:				; CODE XREF: SepNormalAccessCheck+433j
					; SepNormalAccessCheck+603j ...
		mov	ebx, [ebp+arg_18]
		jmp	short loc_51B36F
; 

loc_51B3B5:				; CODE XREF: SepNormalAccessCheck+B1j
		cmp	[ebp+var_10], 0
		jz	loc_51B1F7
		cmp	[ebp+arg_20], 0
		jnz	loc_51B1F7
		mov	esi, _SePackagePrefixSid
		add	edi, 8
		cmp	byte ptr [edi+1], 2
		jb	short loc_51B3F6
		mov	al, [edi]
		cmp	al, [esi]
		jnz	short loc_51B3F6
		push	6		; Length
		lea	eax, [esi+2]
		push	eax		; Source2
		lea	eax, [edi+2]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 6
		jz	loc_51B51A

loc_51B3F6:				; CODE XREF: SepNormalAccessCheck+296j
					; SepNormalAccessCheck+29Cj ...
		cmp	byte ptr [edi+1], 2
		mov	esi, _SeCapabilityPrefixSid
		jb	short loc_51B420
		mov	al, [edi]
		cmp	al, [esi]
		jnz	short loc_51B420
		push	6		; Length
		lea	eax, [esi+2]
		push	eax		; Source2
		lea	eax, [edi+2]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 6
		jz	loc_51B748

loc_51B420:				; CODE XREF: SepNormalAccessCheck+2C0j
					; SepNormalAccessCheck+2C6j ...
		mov	edi, [ebp+var_8]
		jmp	loc_51B1F7
; 

loc_51B428:				; CODE XREF: SepNormalAccessCheck+FEj
		mov	ecx, _SeOwnerRightsSid
		movzx	eax, word ptr [ecx]
		cmp	ax, [esi]
		jnz	loc_51B244
		mov	edx, [ebp+var_1C]
		shr	eax, 8
		lea	esi, ds:8[eax*4]
		sub	esi, 4
		jb	short loc_51B461
		lea	esp, [esp+0]

loc_51B450:				; CODE XREF: SepNormalAccessCheck+31Fj
		mov	eax, [ecx]
		cmp	eax, [edx]
		jnz	short loc_51B466
		add	ecx, 4
		add	edx, 4
		sub	esi, 4
		jnb	short loc_51B450

loc_51B461:				; CODE XREF: SepNormalAccessCheck+30Aj
		cmp	esi, 0FFFFFFFCh
		jz	short loc_51B4A3

loc_51B466:				; CODE XREF: SepNormalAccessCheck+314j
		mov	al, [ecx]
		cmp	al, [edx]
		jnz	loc_51B8C4
		cmp	esi, 0FFFFFFFDh
		jz	short loc_51B4A3
		mov	al, [ecx+1]
		cmp	al, [edx+1]
		jnz	loc_51B8C4
		cmp	esi, 0FFFFFFFEh
		jz	short loc_51B4A3
		mov	al, [ecx+2]
		cmp	al, [edx+2]
		jnz	loc_51B8C4
		cmp	esi, 0FFFFFFFFh
		jz	short loc_51B4A3
		mov	al, [ecx+3]
		cmp	al, [edx+3]
		jnz	loc_51B8C4

loc_51B4A3:				; CODE XREF: SepNormalAccessCheck+324j
					; SepNormalAccessCheck+333j ...
		xor	eax, eax

loc_51B4A5:				; CODE XREF: SepNormalAccessCheck+789j
		test	eax, eax
		jz	loc_51B358
		mov	edx, [ebp+var_18]
		jmp	loc_51B244
; 

loc_51B4B5:				; CODE XREF: SepNormalAccessCheck+209j
		test	byte ptr [ebx+4], 10h
		jnz	loc_51B34F
		mov	ebx, [ebp+arg_18]
		jmp	loc_51B358
; 

loc_51B4C7:				; CODE XREF: SepNormalAccessCheck+9Fj
		mov	al, [edi]
		test	al, al
		jz	loc_51B1EF
		cmp	al, 9
		jnz	loc_51B372
		jmp	loc_51B1E5
; 

loc_51B4DE:				; CODE XREF: SepNormalAccessCheck+1F7j
		mov	ecx, [ebp+var_40]
		mov	esi, [ebp+var_1C]

loc_51B4E4:				; CODE XREF: SepNormalAccessCheck+18Ej
		mov	eax, [ebp+var_44]
		mov	edx, [ebp+var_48]
		btc	eax, edx
		mov	edx, [ebp+var_4C]
		test	al, al
		jnz	loc_51B2B0
		mov	edx, [ebp+var_18]
		mov	bl, byte ptr [ebp+arg_4+3]

loc_51B4FE:				; CODE XREF: SepNormalAccessCheck+155j
		mov	eax, [ebp+var_2C]
		add	bl, 8
		shr	eax, 8
		mov	byte ptr [ebp+arg_4+3],	bl
		mov	[ebp+var_2C], eax
		test	eax, eax
		jnz	loc_51B293
		jmp	loc_51B3A5
; 

loc_51B51A:				; CODE XREF: SepNormalAccessCheck+2B0j
		mov	eax, [edi+8]
		cmp	eax, [esi+8]
		jnz	loc_51B3F6
		mov	ecx, [ebp+var_8]
		mov	ebx, [ecx+4]
		cmp	eax, 2
		jnz	loc_51B6FB
		cmp	[edi+1], al
		jnz	loc_51B6FB
		mov	eax, [edi+0Ch]
		cmp	eax, 1
		jnz	loc_51B89D
		mov	esi, [ebp+var_3C]
		mov	ecx, [ebp+var_C]
		and	esi, ebx
		call	SepCanTokenMatchAllPackageSid
		mov	ecx, [ebp+arg_28]
		test	al, al
		jz	loc_5EACBF
		or	[ecx+4], esi
		mov	byte ptr [ecx+15h], 1

loc_51B569:				; CODE XREF: SepNormalAccessCheck+5E7j
					; SepNormalAccessCheck+763j ...
		mov	eax, [ecx+4]

loc_51B56C:				; CODE XREF: SepNormalAccessCheck+7CEj
		not	eax
		and	[ebp+var_10], eax
		and	[ecx], eax
		jmp	loc_51B3B0
; 

loc_51B578:				; CODE XREF: SepNormalAccessCheck+5Fj
		cmp	[ebp+arg_20], 0
		jnz	loc_51B1A5
		mov	eax, [ebp+arg_28]
		mov	edi, [eax]
		or	edi, esi
		mov	[ebp+var_10], edi
		jmp	loc_51B1A5
; 

loc_51B591:				; CODE XREF: SepNormalAccessCheck+26Aj
		mov	eax, [edx+4]
		mov	esi, 20h
		mov	edx, [ebp+var_28]
		add	eax, 100h
		mov	[ebp+arg_4], eax

loc_51B5A4:				; CODE XREF: SepNormalAccessCheck+474j
		mov	ecx, [eax]
		cmp	[ecx], dx
		jz	short loc_51B5BE

loc_51B5AB:				; CODE XREF: SepNormalAccessCheck+4EFj
		inc	esi
		add	eax, 8
		mov	[ebp+arg_4], eax
		cmp	esi, ebx
		jb	short loc_51B5A4
		mov	ebx, [ebp+arg_18]
		jmp	loc_51B36F
; 

loc_51B5BE:				; CODE XREF: SepNormalAccessCheck+469j
		mov	edi, [ebp+var_30]
		mov	edx, [ebp+var_1C]
		sub	edi, 4
		jb	short loc_51B5E1
		lea	esp, [esp+0]

loc_51B5D0:				; CODE XREF: SepNormalAccessCheck+49Fj
		mov	eax, [edx]
		cmp	eax, [ecx]
		jnz	short loc_51B5E6
		add	edx, 4
		add	ecx, 4
		sub	edi, 4
		jnb	short loc_51B5D0

loc_51B5E1:				; CODE XREF: SepNormalAccessCheck+487j
		cmp	edi, 0FFFFFFFCh
		jz	short loc_51B623

loc_51B5E6:				; CODE XREF: SepNormalAccessCheck+494j
		mov	al, [edx]
		cmp	al, [ecx]
		jnz	loc_51B8D8
		cmp	edi, 0FFFFFFFDh
		jz	short loc_51B623
		mov	al, [edx+1]
		cmp	al, [ecx+1]
		jnz	loc_51B8D8
		cmp	edi, 0FFFFFFFEh
		jz	short loc_51B623
		mov	al, [edx+2]
		cmp	al, [ecx+2]
		jnz	loc_51B8D8
		cmp	edi, 0FFFFFFFFh
		jz	short loc_51B623
		mov	al, [edx+3]
		cmp	al, [ecx+3]
		jnz	loc_51B8D8

loc_51B623:				; CODE XREF: SepNormalAccessCheck+4A4j
					; SepNormalAccessCheck+4B3j ...
		xor	eax, eax

loc_51B625:				; CODE XREF: SepNormalAccessCheck+79Dj
		test	eax, eax
		jz	short loc_51B634
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_28]
		jmp	loc_51B5AB
; 

loc_51B634:				; CODE XREF: SepNormalAccessCheck+4E7j
		mov	ebx, [ebp+arg_4]
		mov	edi, [ebp+var_8]
		jmp	loc_51B33D
; 

loc_51B63F:				; CODE XREF: SepNormalAccessCheck+A9j
		cmp	al, 5
		jz	loc_5EAD0D
		cmp	al, 4
		jz	loc_5EAE0D
		cmp	al, 1
		jz	loc_51B7A5
		cmp	al, 6
		jz	loc_5EAE87
		cmp	al, 9
		jnz	loc_51B372
		movzx	eax, byte ptr [edi+9]
		lea	esi, ds:8[eax*4]
		movzx	eax, word ptr [edi+2]
		mov	ecx, eax
		sub	eax, esi
		sub	eax, 8
		jz	loc_51B36F
		cmp	[ebp+arg_8], 0
		mov	eax, ecx
		jnz	loc_51B87C

loc_51B68F:				; CODE XREF: SepNormalAccessCheck+744j
					; SepNormalAccessCheck+758j
		movzx	eax, ax
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_C]
		mov	eax, [eax+27Ch]
		test	eax, eax
		jnz	loc_5EAF32
		xor	ecx, ecx
		xor	edx, edx
		xor	edi, edi
		xor	ebx, ebx

loc_51B6AE:				; CODE XREF: SepNormalAccessCheck+CFE0Aj
		lea	eax, [ebp+var_34]
		push	eax
		push	dword ptr [ebp+arg_20]
		mov	eax, [ebp+arg_4]
		movzx	eax, ax
		sub	eax, esi
		push	0
		sub	eax, 8
		push	eax
		mov	eax, [ebp+var_8]
		add	eax, 8
		add	eax, esi
		mov	esi, [ebp+var_C]
		push	eax
		mov	eax, [ebp+arg_C]
		push	ecx
		push	edx
		mov	edx, [esi+1DCh]
		mov	ecx, esi
		mov	eax, [eax]
		push	edi
		push	ebx
		push	eax
		call	AuthzBasepEvaluateAceCondition
		cmp	[ebp+var_34], 1
		mov	ecx, [ebp+var_4]
		jz	loc_51B7EC
		mov	ebx, [ebp+arg_18]
		jmp	loc_51B372
; 

loc_51B6FB:				; CODE XREF: SepNormalAccessCheck+3EFj
					; SepNormalAccessCheck+3F8j
		mov	eax, [ebp+arg_28]
		mov	byte ptr [eax+14h], 1
		mov	eax, [ebp+var_C]
		test	dword ptr [eax+0B0h], 4000h
		jz	loc_5EACCB
		mov	eax, [eax+1E0h]
		push	edi
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		mov	ecx, [ebp+arg_28]
		test	al, al
		jz	loc_51B569
		mov	eax, [ebp+var_20]
		and	eax, ebx
		or	[ecx+4], eax
		mov	byte ptr [ecx+15h], 1
		mov	eax, [ecx+4]
		not	eax
		and	[ebp+var_10], eax
		and	[ecx], eax
		jmp	loc_51B3B0
; 

loc_51B748:				; CODE XREF: SepNormalAccessCheck+2DAj
		mov	eax, [edi+8]
		cmp	eax, [esi+8]
		jnz	loc_51B420
		mov	eax, [ebp+arg_28]
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_20]
		lea	esi, [eax+8]
		add	eax, 16h
		push	esi		; int
		push	eax		; int
		mov	eax, [ecx+4]
		mov	ecx, [ebp+var_C]
		push	eax		; int
		push	edi		; void *
		call	_SepMatchCapability@24 ; SepMatchCapability(x,x,x,x,x,x)
		mov	eax, [esi]
		mov	ecx, [ebp+arg_28]
		not	eax
		and	[ebp+var_10], eax
		and	[ecx], eax
		jmp	loc_51B36F
; 

loc_51B783:				; CODE XREF: SepNormalAccessCheck+F4j
		mov	eax, _SePrincipalSelfSid
		push	esi
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		mov	edx, [ebp+var_18]
		test	al, al
		jz	loc_51B23A
		mov	esi, [ebp+arg_10]
		mov	[ebp+var_1C], esi
		jmp	loc_51B23A
; 

loc_51B7A5:				; CODE XREF: SepNormalAccessCheck+511j
		mov	ecx, dword ptr [ebp+arg_20]
		lea	eax, [edi+8]
		push	0		; char
		push	dword ptr [ebp+arg_24] ; char
		push	ecx		; char
		movzx	ecx, cl
		neg	ecx
		push	1		; char
		sbb	ecx, ecx
		and	ecx, 88h
		add	ecx, 0CCh
		add	ecx, [ebp+var_C]
		push	eax		; void *
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_51B36F
		mov	eax, [edi+4]
		test	[ebx+18h], eax
		jz	loc_51B36F
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	30h
; 

loc_51B7EC:				; CODE XREF: SepNormalAccessCheck+5ADj
		mov	edx, dword ptr [ebp+arg_20]
		mov	ebx, [ebp+var_8]
		test	ecx, ecx
		jnz	short loc_51B826
		test	dl, dl
		jnz	short loc_51B826
		cmp	[ebp+var_10], ecx
		jz	short loc_51B826
		lea	edi, [ebx+8]
		mov	ecx, edi
		call	_SepIsPackageSid@4 ; SepIsPackageSid(x)
		test	al, al
		jnz	loc_51B8E2
		mov	ecx, edi
		call	SepIsCapabilitySid
		test	al, al
		jnz	loc_5EAF4F
		mov	ecx, [ebp+var_4]
		mov	edx, dword ptr [ebp+arg_20]

loc_51B826:				; CODE XREF: SepNormalAccessCheck+6B4j
					; SepNormalAccessCheck+6B8j ...
		mov	eax, [ebp+arg_18]
		cmp	dword ptr [eax+18h], 0
		jz	loc_5EAF80
		test	dl, dl
		jnz	loc_5EAF6F
		mov	ecx, 0CCh

loc_51B840:				; CODE XREF: SepNormalAccessCheck+CFE34j
		push	dword ptr [ebp+arg_2C] ; char
		lea	eax, [ebx+8]
		add	ecx, esi
		push	dword ptr [ebp+arg_24] ; char
		push	edx		; char
		mov	edx, [ebp+arg_10]
		push	0		; char
		push	eax		; void *
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_51B3B0
		mov	eax, [ebx+4]
		mov	ebx, [ebp+arg_18]
		mov	ecx, ebx
		mov	edx, [ebp+arg_14]
		push	0
		push	eax
		push	[ebp+var_14]
		push	0
		call	AuthzBasepAddAccessTypeList
		jmp	loc_51B36F
; 

loc_51B87C:				; CODE XREF: SepNormalAccessCheck+549j
		mov	eax, ecx
		mov	ecx, [ebp+arg_C]
		cmp	dword ptr [ecx], 0
		jnz	loc_51B68F
		mov	edx, ecx
		mov	ecx, [ebp+arg_8]
		call	AuthzBasepInitializeResourceClaimsFromSacl
		movzx	eax, word ptr [edi+2]
		jmp	loc_51B68F
; 

loc_51B89D:				; CODE XREF: SepNormalAccessCheck+404j
		mov	ecx, [ebp+arg_28]
		cmp	eax, 2
		jnz	loc_51B569
		mov	eax, [ebp+var_20]
		and	eax, ebx
		or	[ecx+4], eax
		mov	byte ptr [ecx+15h], 1
		mov	eax, [ecx+4]
		not	eax
		and	[ebp+var_10], eax
		and	[ecx], eax
		jmp	loc_51B3B0
; 

loc_51B8C4:				; CODE XREF: SepNormalAccessCheck+32Aj
					; SepNormalAccessCheck+33Bj ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_51B4A5
; 

loc_51B8CE:				; CODE XREF: SepNormalAccessCheck+1BAj
					; SepNormalAccessCheck+1CBj ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_51B335
; 

loc_51B8D8:				; CODE XREF: SepNormalAccessCheck+4AAj
					; SepNormalAccessCheck+4BBj ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_51B625
; 

loc_51B8E2:				; CODE XREF: SepNormalAccessCheck+6CBj
		mov	ecx, [ebp+arg_28]
		mov	edx, [ebp+var_20]
		lea	eax, [ecx+18h]
		push	eax
		lea	eax, [ecx+10h]
		push	eax
		lea	eax, [ecx+14h]
		push	eax
		lea	esi, [ecx+4]
		push	esi
		lea	eax, [ecx+15h]
		mov	ecx, [ebp+var_C]
		push	eax
		mov	eax, [ebx+4]
		push	eax
		push	edi
		call	SepMatchPackage

loc_51B909:				; CODE XREF: SepNormalAccessCheck+CFE2Aj
		mov	eax, [esi]
		mov	ecx, [ebp+arg_28]
		jmp	loc_51B56C
SepNormalAccessCheck endp

; 
		align 10h
; Exported entry 2417. SeAccessCheck

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAccessCheck(x, x,	x, x, x, x, x, x, x, x)
		public _SeAccessCheck@40
_SeAccessCheck@40 proc near		; CODE XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+8Cp
					; CmpCheckNotifyAccess(x,x,x)+43p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	0
		push	[ebp+arg_0]
		call	_SeAccessCheckWithHint@44 ; SeAccessCheckWithHint(x,x,x,x,x,x,x,x,x,x,x)
		mov	esp, ebp
		pop	ebp
		retn	28h
_SeAccessCheck@40 endp

; 
		align 10h

KiDetachProcess:			; CODE XREF: KeDetachProcess()+18j
					; MiTrimOrAgeWorkingSet+2C9p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	esi, large fs:124h
		mov	ebx, edx
		mov	[ebp-28h], ebx
		mov	edx, ecx
		and	ebx, 2
		mov	[ebp-0Ch], edx
		push	edi
		mov	eax, [esi+80h]
		mov	[ebp-8], eax
		mov	[ebp-24h], ebx
		jnz	loc_5A848C
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp-1], al
		lea	edi, [esi+2Ch]
		mov	dword ptr [ebp-10h], 0

loc_51B9A4:				; CODE XREF: .text:0051BC46j
		lock bts dword ptr [edi], 0
		jb	loc_51BC38
		mov	edx, [ebp-0Ch]
		mov	al, [ebp-1]

loc_51B9B5:				; CODE XREF: .text:005A8491j
		cmp	byte ptr [esi+85h], 0
		jnz	loc_5A8499

loc_51B9C2:				; CODE XREF: .text:005A84DBj
		cmp	byte ptr [esi+16Ah], 0
		jz	loc_51BC4B
		test	byte ptr [esi+84h], 1
		jnz	loc_51BC4B
		lea	edi, [esi+70h]
		cmp	[edi], edi
		jnz	loc_51BC4B
		lea	eax, [esi+78h]
		cmp	[eax], eax
		jnz	loc_51BC4B
		or	dword ptr [esi+58h], 800h
		nop
		lea	ecx, [esi+174h]
		cmp	edx, ecx
		jnz	loc_51BB54
		mov	eax, [ecx+10h]
		mov	[edi+10h], eax
		mov	al, [ecx+14h]
		mov	[edi+14h], al
		mov	al, [ecx+15h]
		mov	[edi+15h], al
		mov	al, [ecx+16h]
		mov	[edi+16h], al
		mov	edx, [ecx]
		cmp	edx, ecx
		jnz	loc_51BC26
		mov	[edi+4], edi
		mov	[edi], edi
		mov	byte ptr [edi+15h], 0

loc_51BA33:				; CODE XREF: .text:0051BC33j
		mov	edx, [ecx+8]
		lea	eax, [ecx+8]
		cmp	edx, eax
		lea	eax, [edi+8]
		jnz	loc_51BBFE
		mov	[eax+4], eax
		mov	[eax], eax
		mov	byte ptr [edi+16h], 0

loc_51BA4D:				; CODE XREF: .text:0051BC0Bj
		mov	dword ptr [esi+184h], 0
		mov	byte ptr [esi+16Ah], 0

loc_51BA5E:				; CODE XREF: .text:0051BB5Ej
		test	ebx, ebx
		jnz	short loc_51BA65
		mov	[esi+2Ch], ebx

loc_51BA65:				; CODE XREF: .text:0051BA60j
		mov	ecx, large fs:20h
		mov	ebx, [esi+80h]
		movzx	eax, byte ptr [ecx+3C5h]
		movzx	edx, byte ptr [ecx+3C4h]
		mov	[ebp-20h], edx
		lea	eax, ds:60h[eax*4]
		mov	[ebp-1Ch], eax
		add	eax, ebx
		lock bts [eax],	edx
		mov	eax, large fs:1Ch
		cmp	ds:_KiKvaShadow, 0
		mov	[ebp-0Ch], eax
		mov	eax, [ebx+18h]
		mov	[ebp-18h], eax
		jz	short loc_51BABD
		movzx	ecx, byte ptr [ebx+74h]
		mov	large fs:5000h,	eax
		call	_KiSetAddressPolicy@4 ;	KiSetAddressPolicy(x)
		mov	eax, [ebp-18h]

loc_51BABD:				; CODE XREF: .text:0051BAA9j
		test	byte ptr ds:_HvlEnlightenments,	1
		jnz	loc_5A84F0
		mov	cr3, eax

loc_51BACD:				; CODE XREF: .text:005A84F6j
		cmp	ds:_KiKvaShadow, 0
		jz	short loc_51BAE4
		cmp	ds:_KiFlushPcid, 0
		jnz	short loc_51BAE4
		call	_KeFlushCurrentTb@0 ; KeFlushCurrentTb()

loc_51BAE4:				; CODE XREF: .text:0051BAD4j
					; .text:0051BADDj
		mov	ecx, [ebp-8]
		mov	ax, [ecx+1Ch]
		or	ax, [ebx+1Ch]
		jnz	loc_5A84FB
		mov	edx, [ebp-0Ch]

loc_51BAF8:				; CODE XREF: .text:005A851Aj
		mov	ecx, [edx+40h]
		mov	ax, [ebx+76h]
		mov	edx, [ebp-20h]
		mov	[ecx+66h], ax
		mov	eax, [ebp-1Ch]
		mov	ecx, [ebp-8]
		add	eax, ecx
		lock btr [eax],	edx
		and	dword ptr [esi+58h], 0FFFFF7FFh
		cmp	dword ptr [ebp-24h], 0
		jnz	short loc_51BB2B
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp-8]

loc_51BB2B:				; CODE XREF: .text:0051BB1Dj
		test	byte ptr [ebp-28h], 1
		jnz	short loc_51BB45
		lea	ebx, [ecx+7Ch]
		mov	eax, 0FFFFFFF8h
		lock xadd [ebx], eax
		and	eax, 0FFFFFFF8h
		cmp	eax, 8
		jz	short loc_51BB63

loc_51BB45:				; CODE XREF: .text:0051BB2Fj
					; .text:0051BBA4j
		cmp	[edi], edi
		jnz	loc_51BC10
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51BB54:				; CODE XREF: .text:0051BA02j
		mov	ecx, [ebp-0Ch]
		mov	edx, edi
		call	KiMoveApcState
		jmp	loc_51BA5E
; 

loc_51BB63:				; CODE XREF: .text:0051BB43j
		mov	byte ptr [ebp-1], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp-8]
		mov	[ebp-2], al
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [ebx]
		test	dl, 7
		jnz	short loc_51BB89
		mov	ecx, [ebp-8]
		add	ecx, 2Ch
		cmp	[ecx], ecx
		jnz	short loc_51BBA6

loc_51BB89:				; CODE XREF: .text:0051BB7Dj
					; .text:0051BBA9j ...
		mov	al, [ebp-1]

loc_51BB8C:				; CODE XREF: .text:0051BBCAj
		mov	ecx, [ebp-8]
		mov	edx, 0FFFFFF7Fh
		lock and [ecx],	edx
		test	al, al
		jnz	short loc_51BBCC

loc_51BB9B:				; CODE XREF: .text:0051BBECj
					; .text:0051BBFCj
		mov	cl, [ebp-2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_51BB45
; 

loc_51BBA6:				; CODE XREF: .text:0051BB87j
		cmp	edx, 8
		jnb	short loc_51BB89
		jmp	short loc_51BBB0
; 
		align 10h

loc_51BBB0:				; CODE XREF: .text:0051BBABj
					; .text:005A8522j
		mov	ecx, edx
		and	edx, 0FFFFFFFBh
		or	edx, 3
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		mov	edx, eax
		cmp	edx, ecx
		jnz	loc_5A851F
		mov	al, 1
		jmp	short loc_51BB8C
; 

loc_51BBCC:				; CODE XREF: .text:0051BB99j
		mov	eax, _KiProcessOutSwapListHead
		lea	ebx, [ecx+54h]

loc_51BBD4:				; CODE XREF: .text:0051BBE5j
		mov	[ebx], eax
		mov	edx, eax
		mov	ecx, ebx
		mov	edi, offset _KiProcessOutSwapListHead
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_51BBD4
		lea	edi, [esi+70h]
		test	eax, eax
		jnz	short loc_51BB9B
		push	0
		push	0Ah
		push	offset _KiSwapEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_51BB9B
; 

loc_51BBFE:				; CODE XREF: .text:0051BA3Ej
		mov	ecx, [ecx+0Ch]
		mov	[eax], edx
		mov	[edi+0Ch], ecx
		mov	[edx+4], eax
		mov	[ecx], eax
		jmp	loc_51BA4D
; 

loc_51BC10:				; CODE XREF: .text:0051BB47j
		mov	cl, 1
		mov	byte ptr [esi+85h], 1
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51BC26:				; CODE XREF: .text:0051BA24j
		mov	eax, [ecx+4]
		mov	[edi], edx
		mov	[edi+4], eax
		mov	[edx+4], edi
		mov	[eax], edi
		jmp	loc_51BA33
; 

loc_51BC38:				; CODE XREF: .text:0051B9A9j
					; .text:0051BC44j
		lea	ecx, [ebp-10h]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_51BC38
		jmp	loc_51B9A4
; 

loc_51BC4B:				; CODE XREF: .text:0051B9C9j
					; .text:0051B9D6j ...
		push	6
		call	_KeBugCheck@4	; KeBugCheck(x)
; 
		dw 0CCCCh
		align 10h
; Exported entry 2421. SeAccessCheckWithHint

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAccessCheckWithHint(x, x,	x, x, x, x, x, x, x, x,	x)
		public _SeAccessCheckWithHint@44
_SeAccessCheckWithHint@44 proc near	; CODE XREF: SeAccessCheckFromStateEx+49p
					; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)+28p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	0
		push	[ebp+arg_28]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_24]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	SeAccessCheckWithHintWithAdminlessChecks
		mov	esp, ebp
		pop	ebp
		retn	2Ch
_SeAccessCheckWithHint@44 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeAccessCheckWithHintWithAdminlessChecks proc near
					; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+287p
					; ExCpuSetResourceManagerAccessCheck(x)+78p ...

var_D8		= dword	ptr -0D8h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= byte ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_55		= byte ptr -55h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_33		= byte ptr -33h
var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_23		= byte ptr -23h
var_22		= byte ptr -22h
var_21		= dword	ptr -21h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 005EAF87 SIZE 00000569 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		mov	[ebp+var_80], eax
		mov	ebx, ecx
		mov	[ebp+var_60], ebx
		mov	esi, [ebp+arg_1C]
		mov	edx, [ebp+arg_20]
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_28], esi
		mov	esi, [ebp+arg_10]
		mov	[ebp+var_64], esi
		mov	esi, [ebp+arg_14]
		mov	[ebp+var_8C], esi
		xor	esi, esi
		mov	[ebp+var_A4], esi
		mov	[ebp+var_A0], esi
		mov	[ebp+var_9C], esi
		mov	[ebp+var_98], esi
		mov	[ebp+var_21+1],	esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_84], esi
		mov	[ebp+var_C8], esi
		mov	[ebp+var_C4], esi
		mov	[ebp+var_C0], esi
		mov	[ebp+var_BC], esi
		mov	[ebp+var_B8], esi
		mov	[ebp+var_7C], esi
		mov	[ebp+var_5C], esi
		mov	[ebp+var_88], esi
		mov	esi, [ebp+var_28]
		and	eax, 8
		mov	[ebp+var_94], eax
		mov	eax, [ebp+var_64]
		mov	dword ptr [esi], 0
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_40], ecx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_38], ecx
		mov	[ebp+var_2C], edx
		mov	byte ptr [ebp+var_21], 0
		mov	[ebp+var_22], 0
		mov	[ebp+var_45], 0
		mov	[ebp+var_33], 0
		mov	dword ptr [edx], 0C0000022h
		mov	[ebp+var_90], 0
		mov	[ebp+var_AC], 0C0000022h
		mov	[ebp+var_B4], 0FFFFFFFFh
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_30], edi
		test	eax, eax
		jnz	loc_51C13F

loc_51BDA2:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+4A5j
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_A8], eax
		test	al, al
		jz	loc_51C435
		test	ebx, ebx
		jz	loc_51C907
		cmp	dword ptr [edi], 0
		jnz	loc_51C4F0

loc_51BDC4:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+854j
		test	ecx, ecx
		jz	loc_51C6A8
		cmp	[ebp+arg_4], 0
		jnz	short loc_51BDD8
		push	edi
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)

loc_51BDD8:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+130j
		movzx	ebx, word ptr [ebx+2]
		xor	edi, edi
		mov	ecx, ebx
		mov	[ebp+var_24], 0
		mov	[ebp+var_23], 0
		and	ecx, 10h
		jmp	short loc_51BDF0
; 
		align 10h

loc_51BDF0:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+14Bj
					; SeAccessCheckWithHintWithAdminlessChecks+1AAj
		test	cx, cx
		jz	short loc_51BE45
		mov	eax, [ebp+var_60]
		mov	edx, [eax+0Ch]
		test	bx, bx
		js	loc_51C2C4

loc_51BE04:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+62Cj
		mov	[ebp+var_44], edx
		test	edx, edx
		jz	short loc_51BE45
		mov	eax, [ebp+var_44]
		add	edx, 8
		mov	dword ptr [ebp+var_70],	0
		movzx	eax, word ptr [eax+4]
		mov	[ebp+var_54], eax
		test	eax, eax
		jz	short loc_51BE45
		mov	eax, dword ptr [ebp+var_70]

loc_51BE26:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+1A3j
		cmp	eax, edi
		jb	short loc_51BE33
		cmp	byte ptr [edx],	14h
		jz	loc_51C7DC

loc_51BE33:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+188j
		inc	eax
		mov	dword ptr [ebp+var_70],	eax
		movzx	eax, word ptr [edx+2]
		add	edx, eax
		mov	eax, dword ptr [ebp+var_70]
		cmp	eax, [ebp+var_54]
		jb	short loc_51BE26

loc_51BE45:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+153j
					; SeAccessCheckWithHintWithAdminlessChecks+169j ...
		xor	edx, edx

loc_51BE47:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+B42j
		inc	edi
		test	edx, edx
		jnz	short loc_51BDF0

loc_51BE4C:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+B4Aj
					; SeAccessCheckWithHintWithAdminlessChecks+B5Bj
		mov	edx, [ebp+var_2C]
		or	esi, 0FFFFFFFFh

loc_51BE52:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+B9Aj
		mov	ecx, [ebp+var_38]
		mov	edi, ecx
		and	edi, 0FDFFFFFFh
		mov	eax, edi
		and	eax, esi
		cmp	eax, edi
		jnz	loc_51C8A7
		mov	ecx, [ebp+var_30]
		mov	dword ptr [edx], 0
		mov	eax, [ecx]
		mov	[ebp+var_3C], eax
		test	eax, eax
		jnz	short loc_51BE81
		mov	eax, [ecx+8]
		mov	[ebp+var_3C], eax

loc_51BE81:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+1D9j
		mov	ebx, [ebp+var_80]
		test	bl, 4
		jnz	short loc_51BEC1
		lea	ecx, [ebp+var_B4]
		push	ecx
		mov	ecx, [ebp+var_60]
		lea	edx, [ebp+var_5C]
		push	0
		push	eax
		call	SepFilterCheck
		mov	edx, [ebp+var_2C]
		mov	[edx], eax
		test	eax, eax
		js	loc_51C512
		mov	eax, edi
		and	eax, [ebp+var_B4]
		cmp	eax, edi
		jnz	loc_5EAF8F
		mov	dword ptr [edx], 0

loc_51BEC1:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+1E7j
		mov	eax, [ebp+var_3C]
		test	bl, 2
		jnz	loc_51C4D5
		mov	byte ptr [ebp+var_44], 0

loc_51BED1:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+843j
		xor	cl, cl

loc_51BED3:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+84Bj
		cmp	_SepAllowAccessUponLogoff, 0
		mov	[ebp+var_31], cl
		mov	[ebp+var_32], 0
		jz	loc_5EAFCD

loc_51BEE7:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF334j
					; SeAccessCheckWithHintWithAdminlessChecks+CF36Fj
		test	cl, cl
		mov	ecx, [ebp+arg_24]
		mov	dword ptr [ebp+var_70],	ecx
		jnz	loc_51C507
		lea	edx, [ebp+var_A4]
		push	edx
		mov	edx, [ebp+var_60]
		push	ecx
		mov	ecx, [ebp+var_8C]
		push	0
		push	eax
		push	[ebp+var_44]
		call	SepMandatoryIntegrityCheck
		mov	edx, [ebp+var_2C]
		mov	[edx], eax
		test	eax, eax
		js	loc_51C512
		cmp	[ebp+var_9C], 0
		jz	short loc_51BF37
		mov	eax, [ebp+var_A4]
		and	eax, edi
		cmp	eax, edi
		jnz	loc_51C54C

loc_51BF37:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+285j
		mov	eax, [ebp+var_38]
		mov	ecx, [ebp+var_3C]
		mov	dword ptr [edx], 0
		test	eax, 2000000h
		jnz	loc_51C5CA

loc_51BF4E:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+86Dj
					; SeAccessCheckWithHintWithAdminlessChecks+8D4j ...
		cmp	_SepRmEnforceCap, 0
		mov	edi, [ebp+var_60]
		jnz	loc_5EB014

loc_51BF5E:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF378j
					; SeAccessCheckWithHintWithAdminlessChecks+CF3E5j
		test	bl, 1
		jnz	loc_51C4B3
		mov	[ebp+var_23], 0

loc_51BF6B:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+81Cj
					; SeAccessCheckWithHintWithAdminlessChecks+827j
		cmp	word ptr [edi+2], 0
		mov	ebx, [edi+4]
		jl	loc_51C2B6

loc_51BF79:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+61Fj
		cmp	[ebp+var_70], 0
		lea	edi, [ecx+0CCh]
		mov	[ebp+var_6C], edi
		jnz	loc_5EB08A

loc_51BF8C:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF3ECj
					; SeAccessCheckWithHintWithAdminlessChecks+CF400j
		test	edi, edi
		jz	short loc_51BFDE
		test	ebx, ebx
		jz	short loc_51BFDE
		movzx	eax, byte ptr [ebx+1]
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_78], eax
		movzx	eax, word ptr [ebx]
		mov	ecx, eax
		shr	eax, 8
		mov	[ebp+var_74], ecx
		movzx	ecx, byte ptr [ebx+eax*4+4]
		mov	eax, ecx
		and	ecx, 0Fh
		shr	eax, 4
		mov	edx, [edi+eax*4+48h]
		and	edx, [edi+ecx*4+8]
		mov	cl, 0
		mov	[ebp+var_4C], edx
		mov	[ebp+var_24], cl
		jnz	loc_51C150

loc_51BFD0:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+9F9j
		mov	eax, [edi]
		mov	[ebp+var_68], eax
		cmp	eax, 20h
		ja	loc_51C6E0

loc_51BFDE:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+2EEj
					; SeAccessCheckWithHintWithAdminlessChecks+2F2j ...
		mov	byte ptr [ebp+var_6C], 0

loc_51BFE2:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+599j
					; SeAccessCheckWithHintWithAdminlessChecks+5A1j ...
		mov	bl, [ebp+var_22]
		mov	edx, [ebp+var_2C]

loc_51BFE8:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+830j
		mov	edi, [ebp+var_40]
		xor	ecx, ecx

loc_51BFED:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+605j
					; SeAccessCheckWithHintWithAdminlessChecks+611j
		mov	eax, [ebp+var_38]
		test	eax, eax
		jz	loc_51C2D1
		mov	ebx, [ebp+var_3C]

loc_51BFFB:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+636j
					; SeAccessCheckWithHintWithAdminlessChecks+C4Cj
		push	dword ptr [ebp+var_70]
		mov	edi, [ebp+var_6C]
		push	0
		mov	[ebp+var_21+1],	ecx
		lea	ecx, [ebp+var_21]
		push	ecx
		lea	ecx, [ebp+var_5C]
		mov	[ebp+var_1C], 0
		push	ecx
		lea	ecx, [ebp+var_21+1]
		mov	[ebp+var_18], 0
		push	ecx
		mov	ecx, [ebp+var_64]
		push	edi
		push	0
		push	edx
		push	ecx
		push	[ebp+var_28]
		mov	ecx, [ebp+var_30]
		xor	edx, edx
		push	[ebp+var_A8]
		mov	[ebp+var_14], 0
		push	[ebp+var_40]
		mov	[ebp+var_10], 0
		push	[ebp+var_8C]
		mov	[ebp+var_C], 0
		push	0
		push	0
		push	eax
		mov	eax, [ecx]
		push	eax
		mov	eax, [ecx+8]
		mov	ecx, [ebp+var_60]
		push	eax
		mov	[ebp+var_8], 0
		call	SepAccessCheck
		cmp	_SepRmEnforceCap, 0
		mov	edx, [ebp+var_7C]
		mov	[ebp+var_55], al
		mov	[ebp+var_44], edx
		jnz	loc_5EB101

loc_51C085:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF46Bj
					; SeAccessCheckWithHintWithAdminlessChecks+CF475j
		mov	edi, [ebp+var_2C]

loc_51C088:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF75Fj
		cmp	[ebp+var_31], 0
		mov	edx, [ebp+var_38]
		jnz	short loc_51C09D
		test	edx, 2000000h
		jnz	loc_51C5F3

loc_51C09D:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+3EFj
		cmp	[ebp+var_32], 0
		jnz	loc_51C579

loc_51C0A7:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+8DDj
					; SeAccessCheckWithHintWithAdminlessChecks+964j ...
		mov	eax, [ebp+var_28]

loc_51C0AA:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+8EAj
					; SeAccessCheckWithHintWithAdminlessChecks+900j ...
		test	edx, 2000000h
		jnz	loc_51C5A5

loc_51C0B6:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+91Fj
					; SeAccessCheckWithHintWithAdminlessChecks+CF7B3j
		mov	cl, [ebp+var_33]

loc_51C0B9:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF7CEj
					; SeAccessCheckWithHintWithAdminlessChecks+CF7DCj
		test	ebx, ebx
		jz	loc_5EB4B1
		cmp	[ebp+var_45], 0
		jnz	loc_51C46D
		test	cl, cl
		jnz	loc_51C46D
		cmp	[ebp+var_14], 0
		jnz	short loc_51C0E9
		test	dword ptr [ebx+0B0h], 4000h
		jnz	loc_51C464

loc_51C0E9:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+437j
					; SeAccessCheckWithHintWithAdminlessChecks+7D4j ...
		mov	esi, [ebp+var_30]

loc_51C0EC:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+80Ej
		cmp	dword ptr [edi], 0
		jl	loc_51C523

loc_51C0F5:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+887j
					; SeAccessCheckWithHintWithAdminlessChecks+897j ...
		cmp	[ebp+var_22], 0
		jnz	loc_5EB4B9

loc_51C0FF:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF821j
					; SeAccessCheckWithHintWithAdminlessChecks+CF832j ...
		cmp	[ebp+arg_4], 0
		jnz	short loc_51C10B
		push	esi
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)

loc_51C10B:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+463j
		mov	esi, [ebp+var_5C]
		test	esi, esi
		jnz	loc_51C861

loc_51C116:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+BD0j
		cmp	byte ptr [ebp+var_21], 0
		jz	loc_51C51C
		cmp	[ebp+var_55], 0
		jz	loc_51C51C
		mov	al, 1

loc_51C12C:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+862j
					; SeAccessCheckWithHintWithAdminlessChecks+87Ej ...
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_51C13F:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+FCj
		mov	dword ptr [eax], 0
		jmp	loc_51BDA2
; 
		align 10h

loc_51C150:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+32Aj
					; SeAccessCheckWithHintWithAdminlessChecks+9F3j
		mov	al, dl
		test	al, al
		jz	loc_51C685
		mov	edx, [edi+4]
		movzx	ecx, cl
		mov	[ebp+var_54], edx
		mov	[ebp+var_68], ecx
		jmp	short loc_51C170
; 
		align 10h

loc_51C170:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+4C6j
					; SeAccessCheckWithHintWithAdminlessChecks+9D6j
		movzx	eax, al
		mov	[ebp+var_80], eax
		movzx	eax, ds:_SidHashByteToIndexLookupTable[eax]
		mov	[ebp+var_50], eax
		add	eax, ecx
		mov	ecx, [edx+eax*8]
		lea	eax, [edx+eax*8]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_74]
		cmp	[ecx], ax
		jnz	loc_51C668
		mov	edi, [ebp+var_78]
		mov	edx, ebx
		sub	edi, 4
		jb	short loc_51C1B2

loc_51C1A1:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+510j
		mov	eax, [edx]
		cmp	eax, [ecx]
		jnz	short loc_51C1B7
		add	edx, 4
		add	ecx, 4
		sub	edi, 4
		jnb	short loc_51C1A1

loc_51C1B2:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+4FFj
		cmp	edi, 0FFFFFFFCh
		jz	short loc_51C1F4

loc_51C1B7:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+505j
		mov	al, [edx]
		cmp	al, [ecx]
		jnz	loc_51C912
		cmp	edi, 0FFFFFFFDh
		jz	short loc_51C1F4
		mov	al, [edx+1]
		cmp	al, [ecx+1]
		jnz	loc_51C912
		cmp	edi, 0FFFFFFFEh
		jz	short loc_51C1F4
		mov	al, [edx+2]
		cmp	al, [ecx+2]
		jnz	loc_51C912
		cmp	edi, 0FFFFFFFFh
		jz	short loc_51C1F4
		mov	al, [edx+3]
		cmp	al, [ecx+3]
		jnz	loc_51C912

loc_51C1F4:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+515j
					; SeAccessCheckWithHintWithAdminlessChecks+524j ...
		xor	eax, eax

loc_51C1F6:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+C77j
		test	eax, eax
		jnz	loc_51C665
		mov	edi, [ebp+var_6C]

loc_51C201:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+AE4j
		mov	eax, [ebp+var_44]
		cmp	eax, [edi+4]
		jnz	loc_51C31E
		test	byte ptr [eax+4], 10h
		jnz	loc_51C31E

loc_51C217:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+682j
		mov	ecx, [ebp+var_3C]
		cmp	dword ptr [ecx+80h], 0
		jnz	loc_51C845
		mov	al, 1

loc_51C229:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+68Aj
					; SeAccessCheckWithHintWithAdminlessChecks+BBCj ...
		mov	edx, [ebp+var_38]
		mov	ecx, edx
		and	ecx, 2060000h
		mov	byte ptr [ebp+var_6C], al
		test	al, al
		jz	loc_51BFE2
		test	ecx, ecx
		jz	loc_51BFE2
		cmp	[ebp+var_23], 0
		jnz	short loc_51C276
		mov	ebx, [ebp+var_60]
		movzx	eax, word ptr [ebx+2]
		mov	ecx, eax
		test	al, 4
		jnz	loc_51C32F
		xor	ecx, ecx

loc_51C260:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+6A6j
					; SeAccessCheckWithHintWithAdminlessChecks+CF40Fj ...
		mov	eax, ds:_SeExports
		mov	eax, [eax+188h]
		mov	[ebp+var_68], eax
		test	ecx, ecx
		jnz	loc_51C34B

loc_51C276:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+5ABj
					; SeAccessCheckWithHintWithAdminlessChecks+6BCj ...
		test	edx, 2000000h
		jnz	loc_51C69E
		mov	ecx, edx
		and	ecx, 60000h

loc_51C28A:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+A03j
		mov	bl, [ebp+var_22]
		mov	eax, ecx
		or	eax, [ebp+var_40]
		and	edx, 0FFF9FFFFh
		mov	[ebp+var_38], edx
		mov	edi, eax
		mov	edx, [ebp+var_2C]
		mov	[ebp+var_40], edi
		test	bl, bl
		jnz	loc_51BFED
		mov	byte ptr [ebp+var_6C], bl
		mov	[ebp+var_40], edi
		jmp	loc_51BFED
; 

loc_51C2B6:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+2D3j
		lea	eax, [ebx+edi]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax
		jmp	loc_51BF79
; 

loc_51C2C4:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+15Ej
		add	eax, edx
		neg	edx
		sbb	edx, edx
		and	edx, eax
		jmp	loc_51BE04
; 

loc_51C2D1:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+352j
		test	bl, bl
		mov	ebx, [ebp+var_3C]
		jnz	loc_51BFFB
		test	dword ptr [ebx+0B0h], 2000h
		jz	loc_51C8EA

loc_51C2EC:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+C52j
		cmp	[ebp+arg_4], 0
		jnz	short loc_51C2FE
		mov	esi, [ebp+var_30]
		push	esi
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		mov	edx, [ebp+var_2C]

loc_51C2FE:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+650j
		mov	eax, [ebp+var_28]
		mov	[eax], edi
		mov	al, 1
		mov	dword ptr [edx], 0
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_51C31E:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+567j
					; SeAccessCheckWithHintWithAdminlessChecks+571j
		test	byte ptr [eax+4], 4
		jnz	loc_51C217
		xor	al, al
		jmp	loc_51C229
; 

loc_51C32F:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+5B8j
		test	cx, cx
		jns	loc_5EB0B4
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	loc_5EB0AD
		lea	ecx, [ebx+eax]
		jmp	loc_51C260
; 

loc_51C34B:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+5D0j
		movzx	eax, word ptr [ecx+4]
		lea	ebx, [ecx+8]
		xor	edi, edi
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], edi
		test	eax, eax
		jz	loc_51C276

loc_51C362:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+713j
		test	byte ptr [ebx+1], 8
		jnz	short loc_51C3A6
		mov	al, [ebx]
		cmp	al, 5
		jnb	loc_51C7A9

loc_51C372:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+B0Bj
		cmp	al, 0Bh
		jnb	loc_5EB0BC

loc_51C37A:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF420j
		cmp	al, 0Fh
		jnb	loc_5EB0C5

loc_51C382:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF427j
		cmp	al, 4
		jz	loc_5EB0E8
		cmp	al, 8
		ja	loc_51C7B6

loc_51C392:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+B18j
					; SeAccessCheckWithHintWithAdminlessChecks+CF45Cj
		mov	ecx, 8

loc_51C397:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF443j
					; SeAccessCheckWithHintWithAdminlessChecks+CF44Dj
		add	ecx, ebx
		jz	short loc_51C3A6
		mov	edx, [ebp+var_68]
		movzx	eax, word ptr [ecx]
		cmp	ax, [edx]
		jz	short loc_51C3BD

loc_51C3A6:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+6C6j
					; SeAccessCheckWithHintWithAdminlessChecks+6F9j ...
		movzx	eax, word ptr [ebx+2]
		inc	edi
		add	ebx, eax
		mov	[ebp+var_50], edi
		cmp	edi, [ebp+var_54]
		jb	short loc_51C362
		mov	edx, [ebp+var_38]
		jmp	loc_51C276
; 

loc_51C3BD:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+704j
		shr	eax, 8
		lea	edi, ds:8[eax*4]
		sub	edi, 4
		jb	short loc_51C3E1
		lea	esp, [esp+0]

loc_51C3D0:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+73Fj
		mov	eax, [ecx]
		cmp	eax, [edx]
		jnz	short loc_51C3E6
		add	ecx, 4
		add	edx, 4
		sub	edi, 4
		jnb	short loc_51C3D0

loc_51C3E1:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+72Aj
		cmp	edi, 0FFFFFFFCh
		jz	short loc_51C423

loc_51C3E6:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+734j
		mov	al, [ecx]
		cmp	al, [edx]
		jnz	loc_51C926
		cmp	edi, 0FFFFFFFDh
		jz	short loc_51C423
		mov	al, [ecx+1]
		cmp	al, [edx+1]
		jnz	loc_51C926
		cmp	edi, 0FFFFFFFEh
		jz	short loc_51C423
		mov	al, [ecx+2]
		cmp	al, [edx+2]
		jnz	loc_51C926
		cmp	edi, 0FFFFFFFFh
		jz	short loc_51C423
		mov	al, [ecx+3]
		cmp	al, [edx+3]
		jnz	loc_51C926

loc_51C423:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+744j
					; SeAccessCheckWithHintWithAdminlessChecks+753j ...
		xor	eax, eax

loc_51C425:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+C8Bj
		test	eax, eax
		jz	loc_51BFE2
		mov	edi, [ebp+var_50]
		jmp	loc_51C3A6
; 

loc_51C435:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+10Dj
		test	ecx, 2000000h
		jnz	loc_51C795

loc_51C441:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+B04j
		mov	eax, [ebp+var_28]
		or	ecx, [ebp+var_40]
		mov	[eax], ecx
		mov	al, 1
		mov	dword ptr [edx], 0
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_51C464:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+443j
		cmp	dword ptr [edi], 0
		jge	loc_51C656

loc_51C46D:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+425j
					; SeAccessCheckWithHintWithAdminlessChecks+42Dj ...
		cmp	[ebp+var_94], 0
		jnz	loc_51C0E9
		cmp	dword ptr [edi], 0
		jge	loc_5EB481
		mov	byte ptr [ebp+var_54], 0

loc_51C487:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF7E5j
		mov	esi, [ebp+var_30]
		mov	eax, edx
		or	eax, [ebp+var_40]
		mov	ecx, esi
		push	0
		push	[ebp+var_54]
		push	eax
		push	[ebp+var_60]
		call	_SepLocateTokenTrustLevel@4 ; SepLocateTokenTrustLevel(x)
		push	eax
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	SeLogAccessFailure
		mov	edx, [ebp+var_38]
		jmp	loc_51C0EC
; 

loc_51C4B3:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+2C1j
		mov	[ebp+var_23], 1
		and	eax, 2060000h
		jnz	loc_51BF6B
		mov	bl, [ebp+var_22]
		test	bl, bl
		jnz	loc_51BF6B
		mov	byte ptr [ebp+var_6C], bl
		jmp	loc_51BFE8
; 

loc_51C4D5:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+227j
		test	dword ptr [eax+0B0h], 2000h
		mov	byte ptr [ebp+var_44], 1
		jz	loc_51BED1
		mov	cl, 1
		jmp	loc_51BED3
; 

loc_51C4F0:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+11Ej
		cmp	dword ptr [edi+4], 2
		jge	loc_51BDC4
		mov	dword ptr [edx], 0C00000A5h
		xor	al, al
		jmp	loc_51C12C
; 

loc_51C507:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+24Fj
		mov	ecx, [ebp+var_3C]
		mov	eax, [ebp+var_38]
		jmp	loc_51BF4E
; 

loc_51C512:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+205j
					; SeAccessCheckWithHintWithAdminlessChecks+278j ...
		cmp	[ebp+arg_4], 0
		jz	loc_51C8F7

loc_51C51C:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+47Aj
					; SeAccessCheckWithHintWithAdminlessChecks+484j ...
		xor	al, al
		jmp	loc_51C12C
; 

loc_51C523:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+44Fj
		cmp	[ebp+var_14], 0
		jnz	loc_51C0F5
		test	dword ptr [ebx+0B0h], 4000h
		jz	loc_51C0F5
		cmp	byte ptr [ebp+var_8], 0
		jz	loc_51C0F5
		jmp	loc_5EB48A
; 

loc_51C54C:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+291j
		mov	ecx, [ebp+var_3C]
		mov	dword ptr [edx], 0C0000022h
		test	dword ptr [ecx+0B0h], 4000h
		jz	short loc_51C512
		cmp	[ebp+var_98], 2000h
		ja	short loc_51C512
		mov	eax, [ebp+var_38]
		mov	[ebp+var_32], 1
		jmp	loc_51BF4E
; 

loc_51C579:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+401j
		cmp	byte ptr [ebp+var_C+2],	0
		jnz	loc_51C0A7
		cmp	byte ptr [ebp+var_C+1],	0
		mov	eax, [ebp+var_28]
		jnz	loc_51C0AA
		mov	dword ptr [edi], 0C0000022h
		mov	dword ptr [eax], 0
		mov	byte ptr [ebp+var_21], 0
		jmp	loc_51C0AA
; 

loc_51C5A5:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+410j
		mov	[ebp+var_45], 0
		cmp	esi, 0FFFFFFFFh
		jnz	loc_5EB413

loc_51C5B2:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF77Ej
					; SeAccessCheckWithHintWithAdminlessChecks+CF797j ...
		mov	ecx, [ebp+var_B4]
		mov	[ebp+var_33], 0
		cmp	ecx, 0FFFFFFFFh
		jz	loc_51C0B6
		jmp	loc_5EB44B
; 

loc_51C5CA:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+2A8j
		test	dword ptr [ecx+0B0h], 4000h
		jz	loc_51BF4E
		cmp	[ebp+var_98], 2000h
		ja	loc_51BF4E
		mov	[ebp+var_32], 1
		jmp	loc_51BF4E
; 

loc_51C5F3:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+3F7j
		cmp	[ebp+var_32], 0
		jnz	loc_51C7C3

loc_51C5FD:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+B37j
		cmp	[ebp+var_9C], 0
		jz	loc_51C0A7
		mov	eax, [ebp+var_A0]
		test	ah, ah
		jz	short loc_51C625
		test	al, al
		jz	short loc_51C625
		cmp	byte ptr [ebp+var_A0+2], 0
		jnz	loc_51C0A7

loc_51C625:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+972j
					; SeAccessCheckWithHintWithAdminlessChecks+976j
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+var_A4]
		mov	eax, [eax]
		and	ecx, eax
		cmp	ecx, eax
		mov	eax, [ebp+var_28]
		jz	loc_51C0AA
		mov	[eax], ecx
		test	ecx, ecx
		jz	loc_5EB404
		mov	dword ptr [edi], 0
		mov	byte ptr [ebp+var_21], 1
		jmp	loc_51C0AA
; 

loc_51C656:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+7C7j
		cmp	byte ptr [ebp+var_C+3],	0
		jz	loc_51C0E9
		jmp	loc_51C46D
; 

loc_51C665:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+558j
		mov	edx, [ebp+var_54]

loc_51C668:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+4F1j
		mov	eax, [ebp+var_80]
		mov	ecx, [ebp+var_50]
		btc	eax, ecx
		mov	ecx, [ebp+var_68]
		test	al, al
		jnz	loc_51C170
		mov	edi, [ebp+var_6C]
		mov	edx, [ebp+var_4C]
		mov	cl, [ebp+var_24]

loc_51C685:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+4B4j
		shr	edx, 8
		add	cl, 8
		mov	[ebp+var_24], cl
		mov	[ebp+var_4C], edx
		test	edx, edx
		jnz	loc_51C150
		jmp	loc_51BFD0
; 

loc_51C69E:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+5DCj
		mov	ecx, 60000h
		jmp	loc_51C28A
; 

loc_51C6A8:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+126j
		mov	ecx, [ebp+var_40]
		test	ecx, ecx
		jz	loc_51C907
		mov	eax, [ebp+var_28]
		mov	[eax], ecx
		mov	ecx, [ebp+var_64]
		mov	dword ptr [edx], 0
		test	ecx, ecx
		jz	short loc_51C6CB
		mov	dword ptr [ecx], 0

loc_51C6CB:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+A23j
		mov	ecx, [ebp+var_4]
		mov	al, 1
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_51C6E0:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+338j
		mov	ecx, [edi+4]
		mov	edx, 20h
		add	ecx, 100h
		mov	[ebp+var_50], edx
		mov	[ebp+var_44], ecx

loc_51C6F4:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+A70j
		mov	ecx, [ecx]
		mov	edi, [ebp+var_74]
		cmp	[ecx], di
		mov	edi, [ebp+var_6C]
		jz	short loc_51C717

loc_51C701:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+AF0j
		mov	ecx, [ebp+var_44]
		inc	edx
		add	ecx, 8
		mov	[ebp+var_50], edx
		mov	[ebp+var_44], ecx
		cmp	edx, eax
		jb	short loc_51C6F4
		jmp	loc_51BFDE
; 

loc_51C717:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+A5Fj
		mov	eax, [ebp+var_78]
		mov	edx, ebx
		sub	eax, 4
		mov	[ebp+var_4C], eax
		jb	short loc_51C73B

loc_51C724:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+A99j
		mov	eax, [edx]
		cmp	eax, [ecx]
		jnz	short loc_51C740
		mov	eax, [ebp+var_4C]
		add	edx, 4
		add	ecx, 4
		sub	eax, 4
		mov	[ebp+var_4C], eax
		jnb	short loc_51C724

loc_51C73B:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+A82j
		cmp	eax, 0FFFFFFFCh
		jz	short loc_51C780

loc_51C740:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+A88j
		mov	al, [edx]
		cmp	al, [ecx]
		jnz	loc_51C91C
		cmp	[ebp+var_4C], 0FFFFFFFDh
		jz	short loc_51C780
		mov	al, [edx+1]
		cmp	al, [ecx+1]
		jnz	loc_51C91C
		cmp	[ebp+var_4C], 0FFFFFFFEh
		jz	short loc_51C780
		mov	al, [edx+2]
		cmp	al, [ecx+2]
		jnz	loc_51C91C
		cmp	[ebp+var_4C], 0FFFFFFFFh
		jz	short loc_51C780
		mov	al, [edx+3]
		cmp	al, [ecx+3]
		jnz	loc_51C91C

loc_51C780:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+A9Ej
					; SeAccessCheckWithHintWithAdminlessChecks+AAEj ...
		xor	eax, eax

loc_51C782:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+C81j
		test	eax, eax
		jz	loc_51C201
		mov	eax, [ebp+var_68]
		mov	edx, [ebp+var_50]
		jmp	loc_51C701
; 

loc_51C795:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+79Bj
		mov	eax, [ebp+var_8C]
		and	ecx, 0FDFFFFFFh
		or	ecx, [eax+0Ch]
		jmp	loc_51C441
; 

loc_51C7A9:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+6CCj
		cmp	al, 8
		ja	loc_51C372
		jmp	loc_5EB0CD
; 

loc_51C7B6:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+6ECj
		cmp	al, 0Ah
		jbe	loc_51C392
		jmp	loc_5EB0F2
; 

loc_51C7C3:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+957j
		cmp	byte ptr [ebp+var_C+1],	0
		jnz	loc_51C0A7
		cmp	byte ptr [ebp+var_C+2],	0
		jnz	loc_51C0A7
		jmp	loc_51C5FD
; 

loc_51C7DC:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+18Dj
		test	byte ptr [edx+1], 8
		mov	edi, eax
		jnz	loc_51BE47
		test	edx, edx
		jz	loc_51BE4C
		mov	eax, [edx+4]
		lea	edi, [edx+8]
		mov	[ebp+var_54], eax
		test	edi, edi
		jz	loc_51BE4C
		mov	ecx, [ebp+var_30]
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_51C87A

loc_51C80A:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF2EAj
		mov	eax, [ecx+8]
		mov	ebx, [eax+280h]

loc_51C813:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+BFCj
		lea	eax, [ebp+var_24]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_RtlSidDominatesForTrust@12 ; RtlSidDominatesForTrust(x,x,x)
		test	eax, eax
		js	short loc_51C833
		cmp	[ebp+var_24], 0
		jnz	short loc_51C875
		mov	esi, [ebp+var_54]
		or	esi, 1000000h

loc_51C833:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+B82j
					; SeAccessCheckWithHintWithAdminlessChecks+BD8j ...
		mov	edx, [ebp+var_2C]
		mov	[edx], eax
		test	eax, eax
		jns	loc_51BE52
		jmp	loc_51C512
; 

loc_51C845:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+581j
		push	dword ptr [ebp+var_70] ; char
		add	ecx, 154h
		xor	edx, edx
		push	0		; char
		push	1		; char
		push	0		; char
		push	ebx		; void *
		call	SepSidInTokenSidHash
		jmp	loc_51C229
; 

loc_51C861:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+470j
		mov	ecx, esi
		call	AuthzBasepFreeSecurityAttributesList
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_51C116
; 

loc_51C875:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+B88j
		or	esi, 0FFFFFFFFh
		jmp	short loc_51C833
; 

loc_51C87A:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+B68j
		mov	ecx, [ecx+8]
		mov	ebx, [eax+280h]
		lea	eax, [ebp-23h]
		push	eax
		mov	edx, ebx
		mov	ecx, [ecx+280h]
		call	_RtlSidDominatesForTrust@12 ; RtlSidDominatesForTrust(x,x,x)
		test	eax, eax
		js	short loc_51C833
		cmp	[ebp+var_23], 0
		jnz	loc_51C813
		jmp	loc_5EAF87
; 

loc_51C8A7:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+1C3j
		cmp	[ebp+var_94], 0
		mov	ebx, [ebp+var_30]
		mov	dword ptr [edx], 0C0000022h
		jnz	short loc_51C8DD
		mov	esi, [ebx]
		test	esi, esi
		jz	short loc_51C930

loc_51C8BF:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+C93j
		or	ecx, [ebp+var_40]
		push	0
		push	0
		push	ecx
		push	[ebp+var_60]
		mov	ecx, ebx
		call	_SepLocateTokenTrustLevel@4 ; SepLocateTokenTrustLevel(x)
		push	eax
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	SeLogAccessFailure

loc_51C8DD:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+C17j
		cmp	[ebp+arg_4], 0
		jnz	loc_51C51C
		push	ebx
		jmp	short loc_51C8FB
; 

loc_51C8EA:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+646j
		test	ecx, ecx
		jnz	loc_51BFFB
		jmp	loc_51C2EC
; 

loc_51C8F7:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+876j
		mov	esi, [ebp+var_30]
		push	esi

loc_51C8FB:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+C48j
					; SeAccessCheckWithHintWithAdminlessChecks+CF328j ...
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		xor	al, al
		jmp	loc_51C12C
; 

loc_51C907:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+115j
					; SeAccessCheckWithHintWithAdminlessChecks+A0Dj
		mov	dword ptr [edx], 0C0000022h
		jmp	loc_51C51C
; 

loc_51C912:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+51Bj
					; SeAccessCheckWithHintWithAdminlessChecks+52Cj ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_51C1F6
; 

loc_51C91C:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+AA4j
					; SeAccessCheckWithHintWithAdminlessChecks+AB6j ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_51C782
; 

loc_51C926:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+74Aj
					; SeAccessCheckWithHintWithAdminlessChecks+75Bj ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_51C425
; 

loc_51C930:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+C1Dj
		mov	esi, [ebx+8]
		jmp	short loc_51C8BF
SeAccessCheckWithHintWithAdminlessChecks endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepMandatoryIntegrityCheck proc	near	; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+26Cp
					; SeAccessCheckByTypeWithAdminlessChecks+45Dp ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005EB4F0 SIZE 000001A6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_28], eax
		mov	ecx, [ebp+arg_10]
		mov	eax, [eax+0BCh]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_D], 0
		mov	[ebp+var_E], 0
		mov	[ecx+8], eax
		test	eax, eax
		jz	loc_51CEC4
		cmp	eax, 2
		jz	loc_51CEC4
		cmp	[ebp+arg_0], 0
		jnz	loc_51CCF3
		movzx	eax, word ptr [edx+2]
		mov	ecx, eax
		test	al, 10h
		jz	loc_51CCF3
		mov	eax, [edx+0Ch]
		test	cx, cx
		js	loc_51CD04

loc_51C9B1:				; CODE XREF: SepMandatoryIntegrityCheck+3CAj
		test	eax, eax
		jz	loc_51CCF3
		movzx	edx, word ptr [eax+4]
		lea	ecx, [eax+8]
		xor	esi, esi
		test	edx, edx
		jz	loc_51CCF3
		lea	ebx, [ebx+0]

loc_51C9D0:				; CODE XREF: SepMandatoryIntegrityCheck+3ADj
		cmp	byte ptr [ecx],	11h
		jnz	loc_51CCE4
		test	byte ptr [ecx+1], 8
		jnz	loc_51CCF3
		mov	edx, [ecx+4]
		lea	eax, [ecx+8]
		mov	[ebp+var_24], edx

loc_51C9EC:				; CODE XREF: SepMandatoryIntegrityCheck+3BFj
		mov	bl, [ebp+arg_8]
		mov	[ebp+var_18], eax
		test	bl, bl
		jnz	loc_51CD9F

loc_51C9FA:				; CODE XREF: SepMandatoryIntegrityCheck+49Ej
					; SepMandatoryIntegrityCheck+CEC1Fj
		mov	edx, [ebp+var_28]
		mov	ecx, [edx+0B8h]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_51CEE7
		mov	eax, [edx+94h]
		lea	eax, [eax+ecx*8]
		test	eax, eax
		jz	loc_51CEE7
		mov	eax, [eax]

loc_51CA1F:				; CODE XREF: SepMandatoryIntegrityCheck+5ACj
		cmp	[ebp+arg_C], 0
		mov	[ebp+var_14], eax
		jnz	loc_5EB564

loc_51CA2C:				; CODE XREF: SepMandatoryIntegrityCheck+CEC2Cj
		test	bl, bl
		jnz	loc_51CDE3

loc_51CA34:				; CODE XREF: SepMandatoryIntegrityCheck+548j
		mov	ecx, [ebp+var_18]
		mov	al, [ecx+1]
		test	al, al
		jz	loc_5EB61F
		movzx	eax, al
		mov	eax, [ecx+eax*4+4]

loc_51CA49:				; CODE XREF: SepMandatoryIntegrityCheck+CECE1j
		mov	edx, [ebp+var_2C]
		mov	[edx+0Ch], eax
		movzx	esi, word ptr [ecx]
		mov	ecx, [ebp+var_14]
		mov	ax, si
		shr	ax, 8
		movzx	edx, ax
		mov	[ebp+var_40], esi
		movzx	eax, word ptr [ecx]
		movzx	ecx, ax
		mov	[ebp+var_3C], eax
		mov	ax, cx
		shr	ax, 8
		shr	cx, 8
		movzx	eax, ax
		movzx	ebx, cx
		cmp	si, word ptr [ebp+var_3C]
		jnz	loc_5EB626
		mov	eax, [ebp+var_14]
		lea	esi, ds:8[edx*4]
		mov	edx, [ebp+var_18]
		sub	esi, 4
		jb	short loc_51CAA9

loc_51CA98:				; CODE XREF: SepMandatoryIntegrityCheck+167j
		mov	ecx, [edx]
		cmp	ecx, [eax]
		jnz	short loc_51CAAE
		add	edx, 4
		add	eax, 4
		sub	esi, 4
		jnb	short loc_51CA98

loc_51CAA9:				; CODE XREF: SepMandatoryIntegrityCheck+156j
		cmp	esi, 0FFFFFFFCh
		jz	short loc_51CAEB

loc_51CAAE:				; CODE XREF: SepMandatoryIntegrityCheck+15Cj
		mov	cl, [edx]
		cmp	cl, [eax]
		jnz	loc_51CF05
		cmp	esi, 0FFFFFFFDh
		jz	short loc_51CAEB
		mov	cl, [edx+1]
		cmp	cl, [eax+1]
		jnz	loc_51CF05
		cmp	esi, 0FFFFFFFEh
		jz	short loc_51CAEB
		mov	cl, [edx+2]
		cmp	cl, [eax+2]
		jnz	loc_51CF05
		cmp	esi, 0FFFFFFFFh
		jz	short loc_51CAEB
		mov	cl, [edx+3]
		cmp	cl, [eax+3]
		jnz	loc_51CF05

loc_51CAEB:				; CODE XREF: SepMandatoryIntegrityCheck+16Cj
					; SepMandatoryIntegrityCheck+17Bj ...
		xor	eax, eax

loc_51CAED:				; CODE XREF: SepMandatoryIntegrityCheck+5CAj
		test	eax, eax
		jz	loc_51CC5A

loc_51CAF5:				; CODE XREF: SepMandatoryIntegrityCheck+CECE8j
		mov	ecx, [ebp+var_14]
		lea	edx, [ebp+var_C]
		add	ecx, 2
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], 1000h
		mov	esi, 2
		mov	eax, [ecx]
		cmp	eax, [edx]
		jnz	short loc_51CB21
		add	ecx, 4
		mov	esi, 0FFFFFFFEh
		add	edx, 4

loc_51CB21:				; CODE XREF: SepMandatoryIntegrityCheck+1D4j
		mov	al, [ecx]
		cmp	al, [edx]
		jnz	loc_51CF0F
		mov	al, [ecx+1]
		cmp	al, [edx+1]
		jnz	loc_51CF0F
		cmp	esi, 0FFFFFFFEh
		jz	short loc_51CB54
		mov	al, [ecx+2]
		cmp	al, [edx+2]
		jnz	loc_51CF0F
		mov	al, [ecx+3]
		cmp	al, [edx+3]
		jnz	loc_51CF0F

loc_51CB54:				; CODE XREF: SepMandatoryIntegrityCheck+1FAj
		xor	eax, eax

loc_51CB56:				; CODE XREF: SepMandatoryIntegrityCheck+5D4j
		test	eax, eax
		jnz	loc_5EB62D
		mov	ecx, [ebp+var_18]
		lea	edx, [ebp+var_C]
		add	ecx, 2
		lea	esi, [eax+2]
		mov	eax, [ecx]
		cmp	eax, [edx]
		jnz	short loc_51CB7B
		add	ecx, 4
		mov	esi, 0FFFFFFFEh
		add	edx, 4

loc_51CB7B:				; CODE XREF: SepMandatoryIntegrityCheck+22Ej
		mov	al, [ecx]
		cmp	al, [edx]
		jnz	loc_51CF19
		mov	al, [ecx+1]
		cmp	al, [edx+1]
		jnz	loc_51CF19
		cmp	esi, 0FFFFFFFEh
		jz	short loc_51CBAE
		mov	al, [ecx+2]
		cmp	al, [edx+2]
		jnz	loc_51CF19
		mov	al, [ecx+3]
		cmp	al, [edx+3]
		jnz	loc_51CF19

loc_51CBAE:				; CODE XREF: SepMandatoryIntegrityCheck+254j
		xor	eax, eax

loc_51CBB0:				; CODE XREF: SepMandatoryIntegrityCheck+5DEj
		test	eax, eax
		jnz	loc_5EB62D
		mov	eax, [ebp+var_3C]
		cmp	ax, word ptr [ebp+var_40]
		jnz	short loc_51CC2F
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_18]
		movzx	eax, bl
		lea	esi, ds:8[eax*4]
		sub	esi, 4
		jb	short loc_51CBE7

loc_51CBD6:				; CODE XREF: SepMandatoryIntegrityCheck+2A5j
		mov	eax, [ecx]
		cmp	eax, [edx]
		jnz	short loc_51CBEC
		add	ecx, 4
		add	edx, 4
		sub	esi, 4
		jnb	short loc_51CBD6

loc_51CBE7:				; CODE XREF: SepMandatoryIntegrityCheck+294j
		cmp	esi, 0FFFFFFFCh
		jz	short loc_51CC29

loc_51CBEC:				; CODE XREF: SepMandatoryIntegrityCheck+29Aj
		mov	al, [ecx]
		cmp	al, [edx]
		jnz	loc_51CF23
		cmp	esi, 0FFFFFFFDh
		jz	short loc_51CC29
		mov	al, [ecx+1]
		cmp	al, [edx+1]
		jnz	loc_51CF23
		cmp	esi, 0FFFFFFFEh
		jz	short loc_51CC29
		mov	al, [ecx+2]
		cmp	al, [edx+2]
		jnz	loc_51CF23
		cmp	esi, 0FFFFFFFFh
		jz	short loc_51CC29
		mov	al, [ecx+3]
		cmp	al, [edx+3]
		jnz	loc_51CF23

loc_51CC29:				; CODE XREF: SepMandatoryIntegrityCheck+2AAj
					; SepMandatoryIntegrityCheck+2B9j ...
		xor	eax, eax

loc_51CC2B:				; CODE XREF: SepMandatoryIntegrityCheck+5E8j
		test	eax, eax
		jz	short loc_51CC5A

loc_51CC2F:				; CODE XREF: SepMandatoryIntegrityCheck+27Fj
		test	bl, bl
		jz	loc_51CEF1
		mov	ecx, [ebp+var_14]
		movzx	eax, bl
		mov	ecx, [ecx+eax*4+4]

loc_51CC41:				; CODE XREF: SepMandatoryIntegrityCheck+5B3j
		mov	edx, [ebp+var_18]
		mov	al, [edx+1]
		test	al, al
		jz	short loc_51CC5A
		movzx	eax, al
		mov	eax, [edx+eax*4+4]
		cmp	ecx, eax
		jb	loc_51CD0F

loc_51CC5A:				; CODE XREF: SepMandatoryIntegrityCheck+1AFj
					; SepMandatoryIntegrityCheck+2EDj ...
		mov	dl, 1

loc_51CC5C:				; CODE XREF: SepMandatoryIntegrityCheck+3D1j
		mov	eax, [ebp+var_2C]
		test	byte ptr [eax+8], 1
		jz	loc_5EB63C
		mov	ebx, [ebp+var_20]
		mov	ecx, [ebx]
		mov	eax, ecx
		mov	edi, [ebx+8]
		not	eax
		and	edi, eax
		mov	al, 1
		or	edi, ecx
		or	edi, 120000h
		mov	[ebp+var_1C], edi
		test	dl, dl
		jz	loc_51CD16
		mov	eax, [ebx+0Ch]
		or	eax, 11FFFFFh
		or	edi, eax
		mov	al, 1
		mov	[ebp+var_1C], edi
		mov	[ebp+var_D], al

loc_51CC9E:				; CODE XREF: SepMandatoryIntegrityCheck+CECFFj
		mov	[ebp+var_E], al
		mov	bh, al
		test	dl, dl
		jz	short loc_51CD16
		mov	bl, al

loc_51CCA9:				; CODE XREF: SepMandatoryIntegrityCheck+45Aj
		mov	ecx, [ebp+var_28]
		xor	eax, eax
		xor	edx, edx
		mov	ecx, [ecx+4Ch]
		and	ecx, 1
		or	eax, ecx
		jnz	loc_51CEF8

loc_51CCBE:				; CODE XREF: SepMandatoryIntegrityCheck+5C0j
					; SepMandatoryIntegrityCheck+CECF7j
		mov	eax, [ebp+var_2C]
		mov	cl, [ebp+var_D]
		mov	[eax], edi
		mov	[eax+4], cl
		mov	[eax+5], bl
		mov	[eax+6], bh
		mov	eax, edx

loc_51CCD1:				; CODE XREF: SepMandatoryIntegrityCheck+595j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_51CCE4:				; CODE XREF: SepMandatoryIntegrityCheck+93j
		movzx	eax, word ptr [ecx+2]
		inc	esi
		add	ecx, eax
		cmp	esi, edx
		jb	loc_51C9D0

loc_51CCF3:				; CODE XREF: SepMandatoryIntegrityCheck+51j
					; SepMandatoryIntegrityCheck+5Fj ...
		mov	eax, _SepDefaultMandatorySid
		mov	[ebp+var_24], 1
		jmp	loc_51C9EC
; 

loc_51CD04:				; CODE XREF: SepMandatoryIntegrityCheck+6Bj
		test	eax, eax
		jz	short loc_51CCF3
		add	eax, edx
		jmp	loc_51C9B1
; 

loc_51CD0F:				; CODE XREF: SepMandatoryIntegrityCheck+314j
		xor	dl, dl
		jmp	loc_51CC5C
; 

loc_51CD16:				; CODE XREF: SepMandatoryIntegrityCheck+346j
					; SepMandatoryIntegrityCheck+365j
		mov	edx, [ebp+var_24]
		mov	bh, al
		mov	cl, [ebp+var_D]
		mov	eax, edx
		and	eax, 2
		mov	edi, edx
		setnz	bl
		dec	bl
		and	bl, bh
		and	edi, 4
		jnz	loc_5EB644

loc_51CD35:				; CODE XREF: SepMandatoryIntegrityCheck+CED06j
		and	edx, 1
		mov	[ebp+var_24], edx
		setnz	dl
		dec	dl
		and	dl, cl
		mov	[ebp+var_D], dl
		test	eax, eax
		jz	short loc_51CD7F
		mov	ecx, [ebp+var_20]
		xor	esi, esi
		test	dl, dl
		jnz	loc_5EB64B

loc_51CD56:				; CODE XREF: SepMandatoryIntegrityCheck+CED14j
		mov	edx, [ecx]
		test	bh, bh
		jz	short loc_51CD6D
		mov	ecx, [ecx+8]
		mov	eax, edx
		not	eax
		and	ecx, eax
		or	ecx, 100000h
		or	esi, ecx

loc_51CD6D:				; CODE XREF: SepMandatoryIntegrityCheck+41Aj
		or	edx, 20000h
		not	esi
		and	edx, esi
		not	edx
		and	[ebp+var_1C], edx
		mov	dl, [ebp+var_D]

loc_51CD7F:				; CODE XREF: SepMandatoryIntegrityCheck+407j
		mov	esi, [ebp+var_20]
		test	edi, edi
		jnz	loc_5EB659
		mov	edi, [ebp+var_1C]

loc_51CD8D:				; CODE XREF: SepMandatoryIntegrityCheck+CED51j
		cmp	[ebp+var_24], 0
		jnz	loc_51CE8D

loc_51CD97:				; CODE XREF: SepMandatoryIntegrityCheck+57Fj
		mov	[ebp+var_D], dl
		jmp	loc_51CCA9
; 

loc_51CD9F:				; CODE XREF: SepMandatoryIntegrityCheck+B4j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+var_28]
		mov	esi, [ecx+30h]
		movzx	ecx, word ptr [esi+0Eh]
		mov	eax, ecx
		mov	edx, ecx
		and	eax, 1
		jnz	loc_5EB4F0

loc_51CDC4:				; CODE XREF: SepMandatoryIntegrityCheck+CEBB3j
		test	ax, ax
		jnz	loc_51CF2D

loc_51CDCD:				; CODE XREF: SepMandatoryIntegrityCheck+CEC15j
		mov	dl, 1
		test	cl, dl
		mov	ecx, esi
		jnz	loc_5EB55A
		call	ExpAcquireResourceSharedLite
		jmp	loc_51C9FA
; 

loc_51CDE3:				; CODE XREF: SepMandatoryIntegrityCheck+EEj
		mov	esi, [edx+30h]
		movzx	ecx, word ptr [esi+0Eh]
		mov	eax, ecx
		mov	edx, ecx
		and	eax, 1
		jnz	loc_5EB571

loc_51CDF7:				; CODE XREF: SepMandatoryIntegrityCheck+CEC34j
		test	ax, ax
		jnz	loc_51CF4A

loc_51CE00:				; CODE XREF: SepMandatoryIntegrityCheck+CEC8Aj
		test	cl, 1
		jnz	loc_5EB5CF
		mov	ebx, large fs:124h
		lea	edi, [esi+34h]
		xor	eax, eax
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], eax
		mov	[ebp+var_38], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_30], al
		jnz	loc_5EB5DB
		lea	edx, [ebp+var_38]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_51CEDA

loc_51CE41:				; CODE XREF: SepMandatoryIntegrityCheck+5A2j
					; SepMandatoryIntegrityCheck+CECA5j
		mov	edx, large fs:124h
		movzx	ecx, word ptr [esi+0Eh]
		test	cl, 1
		jnz	loc_5EB5EA
		cmp	_ExpResourceEnforceOwnerTransfer, 0
		jnz	loc_5EB5EA

loc_51CE62:				; CODE XREF: SepMandatoryIntegrityCheck+CECB1j
					; SepMandatoryIntegrityCheck+CECB9j
		test	cl, cl
		js	loc_5EB60E
		xor	al, al

loc_51CE6C:				; CODE XREF: SepMandatoryIntegrityCheck+CECD0j
		test	al, al
		mov	edx, ebx
		lea	eax, [ebp+var_38]
		mov	ecx, esi
		push	eax
		jnz	loc_5EB615
		call	ExpReleaseResourceSharedForThreadLite

loc_51CE81:				; CODE XREF: SepMandatoryIntegrityCheck+CECDAj
		xor	edi, edi

loc_51CE83:				; CODE XREF: SepMandatoryIntegrityCheck+CEC96j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_51CA34
; 

loc_51CE8D:				; CODE XREF: SepMandatoryIntegrityCheck+451j
		xor	ecx, ecx
		test	bh, bh
		jz	short loc_51CEA2
		mov	eax, [esi]
		mov	ecx, [esi+8]
		not	eax
		and	ecx, eax
		or	ecx, 100000h

loc_51CEA2:				; CODE XREF: SepMandatoryIntegrityCheck+551j
		test	bl, bl
		jz	short loc_51CEAF
		mov	eax, [esi]
		or	eax, 20000h
		or	ecx, eax

loc_51CEAF:				; CODE XREF: SepMandatoryIntegrityCheck+564j
		mov	eax, [esi+4]
		not	ecx
		or	eax, 10D0000h
		and	eax, ecx
		not	eax
		and	edi, eax
		jmp	loc_51CD97
; 

loc_51CEC4:				; CODE XREF: SepMandatoryIntegrityCheck+3Ej
					; SepMandatoryIntegrityCheck+47j
		mov	eax, [ebx+0Ch]
		mov	[ecx], eax
		xor	eax, eax
		mov	word ptr [ecx+4], 101h
		mov	byte ptr [ecx+6], 1
		jmp	loc_51CCD1
; 

loc_51CEDA:				; CODE XREF: SepMandatoryIntegrityCheck+4FBj
		lea	ecx, [ebp+var_38]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_51CE41
; 

loc_51CEE7:				; CODE XREF: SepMandatoryIntegrityCheck+C6j
					; SepMandatoryIntegrityCheck+D7j
		mov	eax, _SeUntrustedMandatorySid
		jmp	loc_51CA1F
; 

loc_51CEF1:				; CODE XREF: SepMandatoryIntegrityCheck+2F1j
		xor	ecx, ecx
		jmp	loc_51CC41
; 

loc_51CEF8:				; CODE XREF: SepMandatoryIntegrityCheck+378j
		or	edi, 80000h
		xor	edx, edx
		jmp	loc_51CCBE
; 

loc_51CF05:				; CODE XREF: SepMandatoryIntegrityCheck+172j
					; SepMandatoryIntegrityCheck+183j ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_51CAED
; 

loc_51CF0F:				; CODE XREF: SepMandatoryIntegrityCheck+1E5j
					; SepMandatoryIntegrityCheck+1F1j ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_51CB56
; 

loc_51CF19:				; CODE XREF: SepMandatoryIntegrityCheck+23Fj
					; SepMandatoryIntegrityCheck+24Bj ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_51CBB0
; 

loc_51CF23:				; CODE XREF: SepMandatoryIntegrityCheck+2B0j
					; SepMandatoryIntegrityCheck+2C1j ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_51CC2B
; 

loc_51CF2D:				; CODE XREF: SepMandatoryIntegrityCheck+487j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edx, large fs:124h
		mov	cl, al
		cmp	cl, 1
		ja	loc_5EB50A
		jmp	loc_5EB51E
; 

loc_51CF4A:				; CODE XREF: SepMandatoryIntegrityCheck+4BAj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		cmp	al, 2
		ja	loc_5EB58B
		jmp	loc_5EB59F
SepMandatoryIntegrityCheck endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepFilterCheck	proc near		; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+1F9p
					; SeAccessCheckByTypeWithAdminlessChecks+424p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005EB696 SIZE 00000227 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_14], 0FFFFFFFFh
		push	edi
		mov	edi, edx
		mov	dword ptr [eax], 0FFFFFFFFh
		movzx	eax, word ptr [ecx+2]
		xor	edx, edx
		mov	[ebp+var_8], edi
		mov	esi, eax
		mov	[ebp+var_2], bl
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edx
		test	al, 10h
		jz	short loc_51D025
		test	si, si
		mov	esi, [ecx+0Ch]
		js	short loc_51D029

loc_51CFB2:				; CODE XREF: SepFilterCheck+B7j
					; SepFilterCheck+C2j
		test	edi, edi
		jz	loc_51D037
		mov	ecx, edi

loc_51CFBC:				; CODE XREF: SepFilterCheck+CDj
		mov	[ebp+var_1], dl
		nop

loc_51CFC0:				; CODE XREF: SepFilterCheck+87j
		test	esi, esi
		jz	short loc_51CFF2
		movzx	edx, word ptr [esi+4]
		lea	edi, [esi+8]
		xor	eax, eax
		mov	[ebp+var_24], edx
		test	edx, edx
		mov	edx, [ebp+var_C]
		jz	short loc_51CFF2

loc_51CFD7:				; CODE XREF: SepFilterCheck+80j
		cmp	eax, ebx
		jb	short loc_51CFE0
		cmp	byte ptr [edi],	15h
		jz	short loc_51D042

loc_51CFE0:				; CODE XREF: SepFilterCheck+69j
		inc	eax
		mov	[ebp+var_28], eax
		movzx	eax, word ptr [edi+2]
		add	edi, eax
		mov	eax, [ebp+var_28]
		cmp	eax, [ebp+var_24]
		jb	short loc_51CFD7

loc_51CFF2:				; CODE XREF: SepFilterCheck+52j
					; SepFilterCheck+65j
		xor	edi, edi

loc_51CFF4:				; CODE XREF: SepFilterCheck+D8j
					; SepFilterCheck+CE8FCj
		inc	ebx
		test	edi, edi
		jnz	short loc_51CFC0

loc_51CFF9:				; CODE XREF: SepFilterCheck+CE79Aj
					; SepFilterCheck+CE82Dj ...
		mov	ecx, [ebp+var_14]
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_5EB87E

loc_51D005:				; CODE XREF: SepFilterCheck+CE919j
		cmp	[ebp+var_2], 0
		jnz	loc_5EB88E

loc_51D00F:				; CODE XREF: SepFilterCheck+CE931j
		mov	esi, [ebp+var_2C]
		test	esi, esi
		jnz	loc_5EB8A6
		mov	eax, edx

loc_51D01C:				; CODE XREF: SepFilterCheck+CE948j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_51D025:				; CODE XREF: SepFilterCheck+38j
		xor	esi, esi
		jmp	short loc_51CFB2
; 

loc_51D029:				; CODE XREF: SepFilterCheck+40j
		lea	eax, [esi+ecx]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jmp	loc_51CFB2
; 

loc_51D037:				; CODE XREF: SepFilterCheck+44j
		lea	ecx, [ebp+var_2C]
		mov	[ebp+var_8], ecx
		jmp	loc_51CFBC
; 

loc_51D042:				; CODE XREF: SepFilterCheck+6Ej
		test	byte ptr [edi+1], 8
		mov	ebx, eax
		jnz	short loc_51CFF4
		jmp	loc_5EB696
SepFilterCheck	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAccessCheck	proc near		; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+3CAp
					; SeAccessCheckByTypeWithAdminlessChecks+5FEp ...

var_98		= byte ptr -98h
var_97		= byte ptr -97h
var_96		= byte ptr -96h
var_95		= byte ptr -95h
var_94		= dword	ptr -94h
var_8D		= byte ptr -8Dh
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= byte ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h
arg_40		= dword	ptr  48h
arg_44		= dword	ptr  4Ch

; FUNCTION CHUNK AT 005EB8BD SIZE 00000249 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+9Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+0A8h+var_64], edx
		mov	[esp+0A8h+var_88], ecx
		mov	eax, [ebp+arg_C]
		mov	[esp+0A8h+var_78], eax
		mov	eax, [ebp+arg_14]
		mov	[esp+0A8h+var_74], eax
		mov	eax, [ebp+arg_20]
		mov	[esp+0A8h+var_5C], eax
		mov	eax, [ebp+arg_24]
		mov	[esp+0A8h+var_4C], eax
		mov	eax, [ebp+arg_28]
		mov	ebx, [ebp+arg_3C]
		mov	[esp+0A8h+var_60], eax
		mov	eax, [ebp+arg_34]
		mov	esi, [ebp+arg_0]
		mov	[esp+0A8h+var_94], eax
		mov	eax, [ebp+arg_38]
		mov	edi, [ebp+arg_4]
		mov	[esp+0A8h+var_70], eax
		mov	eax, [ebp+arg_40]
		push	2Ch		; size_t
		mov	[esp+0ACh+var_48], eax
		lea	eax, [esp+0ACh+var_30]
		push	0		; int
		push	eax		; void *
		mov	[esp+0B4h+var_6C], esi
		mov	[esp+0B4h+var_8C], edi
		mov	[esp+0B4h+var_58], ebx
		mov	[esp+0B4h+var_97], 1
		mov	[esp+0B4h+var_68], 0
		mov	[esp+0B4h+var_8D], 0
		mov	byte ptr [esp+0B4h+var_50], 0
		mov	byte ptr [esp+0B4h+var_54], 0
		call	_memset
		add	esp, 0Ch
		test	edi, edi
		jnz	short loc_51D0FB
		mov	edi, esi
		mov	[esp+0A8h+var_8C], esi

loc_51D0FB:				; CODE XREF: SepAccessCheck+A3j
		mov	esi, [ebp+arg_8]
		mov	[esp+0A8h+var_84], esi
		test	esi, 1000000h
		jnz	loc_51D646
		mov	edi, [ebp+arg_18]

loc_51D111:				; CODE XREF: SepAccessCheck+CE896j
		mov	eax, [esp+0A8h+var_88]
		movzx	ecx, word ptr [eax+2]
		mov	edx, ecx
		mov	eax, ecx
		mov	[esp+0A8h+var_7C], eax
		and	edx, 4
		jz	loc_51D30F
		test	ax, ax
		jns	loc_51D54D
		mov	eax, [esp+0A8h+var_88]
		mov	esi, [eax+10h]
		add	eax, esi
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	[esp+0A8h+var_80], esi

loc_51D146:				; CODE XREF: SepAccessCheck+508j
		mov	eax, [esp+0A8h+var_7C]
		mov	esi, [ebp+arg_8]

loc_51D14D:				; CODE XREF: SepAccessCheck+2C7j
		and	eax, 8000h
		test	cl, 10h
		jz	loc_51D31C
		test	ax, ax
		mov	eax, [esp+0A8h+var_88]
		jnz	loc_51D329
		mov	eax, [eax+0Ch]
		mov	[esp+0A8h+var_88], eax

loc_51D16F:				; CODE XREF: SepAccessCheck+2D4j
					; SepAccessCheck+2E8j
		test	dx, dx
		jz	loc_51D2D2
		mov	eax, [esp+0A8h+var_80]
		test	eax, eax
		jz	loc_51D2D2
		mov	edx, [esp+0A8h+var_84]
		test	edx, 80000h
		jnz	loc_51D419

loc_51D194:				; CODE XREF: SepAccessCheck+427j
		cmp	word ptr [eax+4], 0
		jz	loc_5EB911
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jnz	loc_5EB960
		lea	edx, [esp+0A8h+var_30]
		mov	[esp+0A8h+var_1C], 0FFFFFFFFh
		mov	ecx, 1
		mov	[esp+0A8h+var_78], edx
		mov	[esp+0A8h+var_7C], ecx

loc_51D1C6:				; CODE XREF: SepAccessCheck+CE91Aj
		mov	eax, esi
		and	eax, 2000000h
		mov	[esp+0A8h+var_44], eax
		jnz	loc_51D358
		cmp	[ebp+arg_2C], 0
		jnz	loc_51D358
		push	[ebp+arg_44]
		push	[esp+0ACh+var_94]
		push	[ebp+arg_30]
		push	0
		push	[ebp+arg_10]
		push	edx
		mov	edx, [esp+0C0h+var_8C]
		push	ecx
		push	[esp+0C4h+var_64]
		mov	ecx, [esp+0C8h+var_84]
		push	[esp+0C8h+var_70]
		push	[esp+0CCh+var_88]
		push	[esp+0D0h+var_80]
		push	[esp+0D4h+var_6C]
		call	SepNormalAccessCheck
		mov	ecx, [esp+0A8h+var_78]
		mov	edx, [esp+0A8h+var_94]
		mov	eax, [ecx+18h]
		mov	[edx+0Ch], eax
		cmp	dword ptr [ecx+18h], 0
		jnz	loc_51D409
		mov	eax, [esp+0A8h+var_8C]
		mov	ecx, [eax+0B0h]
		test	cl, 10h
		jnz	loc_51D519
		xor	ecx, ecx

loc_51D240:				; CODE XREF: SepAccessCheck+4F0j
		mov	[edx+0Ch], ecx
		mov	ecx, [esp+0A8h+var_78]
		cmp	dword ptr [ecx+18h], 0
		jnz	loc_51D409
		mov	eax, [eax+0B0h]
		test	eax, 2000h
		jz	loc_51D3D7

loc_51D262:				; CODE XREF: SepAccessCheck+3B3j
		or	edi, esi

loc_51D264:				; CODE XREF: SepAccessCheck+2A2j
					; SepAccessCheck+382j ...
		test	edi, edi
		jz	loc_51D305
		xor	esi, esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_51D284
		mov	eax, [esp+0A8h+var_68]
		test	eax, eax
		jnz	loc_51D47C

loc_51D284:				; CODE XREF: SepAccessCheck+226j
					; SepAccessCheck+2BAj ...
		mov	dh, [esp+0A8h+var_97]

loc_51D288:				; CODE XREF: SepAccessCheck+CEA88j
		cmp	[ebp+arg_2C], 0
		jnz	loc_5EBADD

loc_51D292:				; CODE XREF: SepAccessCheck+3C4j
		mov	eax, [esp+0A8h+var_60]
		mov	ecx, [esp+0A8h+var_5C]
		mov	[eax], esi
		mov	[ecx], edi

loc_51D29E:				; CODE XREF: SepAccessCheck+CEA91j
					; SepAccessCheck+CEAB1j
		test	esi, esi
		js	loc_51D33D
		test	ebx, ebx
		jz	short loc_51D2AD
		mov	byte ptr [ebx],	1

loc_51D2AD:				; CODE XREF: SepAccessCheck+258j
		mov	ecx, [esp+0A8h+var_48]
		test	ecx, ecx
		jnz	loc_51D545

loc_51D2B9:				; CODE XREF: SepAccessCheck+2FAj
					; SepAccessCheck+303j ...
		mov	ecx, [esp+0A8h+var_4]
		mov	al, dh
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	48h
; 

loc_51D2D2:				; CODE XREF: SepAccessCheck+122j
					; SepAccessCheck+12Ej
		mov	eax, esi
		or	eax, edi
		mov	edi, eax
		mov	eax, [esp+0A8h+var_8C]
		test	esi, 2000000h
		jnz	loc_51D634

loc_51D2E8:				; CODE XREF: SepAccessCheck+5F1j
		test	dword ptr [eax+0B0h], 4000h
		jz	loc_51D264
		mov	eax, [esp+0A8h+var_94]
		xor	edi, edi
		mov	byte ptr [eax+15h], 0
		mov	[eax+4], edi

loc_51D305:				; CODE XREF: SepAccessCheck+216j
					; SepAccessCheck+CE90Bj
		mov	esi, 0C0000022h
		jmp	loc_51D284
; 

loc_51D30F:				; CODE XREF: SepAccessCheck+D4j
		mov	[esp+0A8h+var_80], 0
		jmp	loc_51D14D
; 

loc_51D31C:				; CODE XREF: SepAccessCheck+105j
		mov	[esp+0A8h+var_88], 0
		jmp	loc_51D16F
; 

loc_51D329:				; CODE XREF: SepAccessCheck+112j
		mov	ecx, [eax+0Ch]
		add	eax, ecx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	[esp+0A8h+var_88], ecx
		jmp	loc_51D16F
; 

loc_51D33D:				; CODE XREF: SepAccessCheck+250j
		test	ebx, ebx
		jz	short loc_51D344
		mov	byte ptr [ebx],	0

loc_51D344:				; CODE XREF: SepAccessCheck+2EFj
		mov	ecx, [esp+0A8h+var_48]
		test	ecx, ecx
		jz	loc_51D2B9
		mov	byte ptr [ecx],	1
		jmp	loc_51D2B9
; 

loc_51D358:				; CODE XREF: SepAccessCheck+181j
					; SepAccessCheck+18Bj
		push	[ebp+arg_44]
		push	[esp+0ACh+var_94]
		push	[ebp+arg_30]
		push	0
		push	0
		push	[ebp+arg_10]
		push	edx
		mov	edx, [esp+0C4h+var_6C]
		push	ecx
		push	[esp+0C8h+var_64]
		mov	ecx, [esp+0CCh+var_8C]
		push	[esp+0CCh+var_70]
		push	[esp+0D0h+var_88]
		push	[esp+0D4h+var_80]
		call	SepMaximumAccessCheck
		mov	eax, [esp+0A8h+var_8C]
		mov	ecx, [eax+0B0h]
		mov	[esp+0A8h+var_40], ecx
		test	cl, 10h
		jnz	loc_51D5BB
		mov	eax, ecx

loc_51D3A1:				; CODE XREF: SepAccessCheck+5C2j
		mov	edx, [esp+0A8h+var_78]
		add	edx, 1Ch
		mov	ecx, [edx]
		test	eax, 2000h
		jz	loc_51D4ED

loc_51D3B5:				; CODE XREF: SepAccessCheck+4C4j
					; SepAccessCheck+5D6j
		cmp	[ebp+arg_2C], 0
		jnz	loc_5EB97D
		mov	edx, [esp+0A8h+var_84]
		mov	eax, ecx
		or	eax, 2000000h
		not	eax
		test	eax, edx
		jnz	short loc_51D409
		or	edi, ecx
		jmp	loc_51D264
; 

loc_51D3D7:				; CODE XREF: SepAccessCheck+20Cj
		mov	edx, [esp+0A8h+var_84]
		or	edx, esi
		test	eax, 4000h
		mov	eax, [esp+0A8h+var_94]
		jz	loc_51D689
		mov	ecx, [eax+8]
		or	ecx, [eax+4]
		mov	eax, [eax]
		not	ecx
		or	eax, edx

loc_51D3F8:				; CODE XREF: SepAccessCheck+CE928j
		and	ecx, eax

loc_51D3FA:				; CODE XREF: SepAccessCheck+645j
		mov	eax, [esp+0A8h+var_78]
		mov	[eax+18h], ecx
		test	ecx, ecx
		jz	loc_51D262

loc_51D409:				; CODE XREF: SepAccessCheck+1D5j
					; SepAccessCheck+1FBj ...
		mov	dh, [esp+0A8h+var_97]
		mov	esi, 0C0000022h
		xor	edi, edi
		jmp	loc_51D292
; 

loc_51D419:				; CODE XREF: SepAccessCheck+13Ej
		push	[ebp+arg_1C]
		mov	eax, ds:_SeTakeOwnershipPrivilege
		lea	edx, [esp+0ACh+var_3C]
		mov	ecx, [esp+0ACh+var_8C]
		push	1
		mov	[esp+0B0h+var_3C], eax
		mov	eax, ds:dword_A94CBC
		push	1
		mov	[esp+0B4h+var_38], eax
		mov	[esp+0B4h+var_34], 0
		call	_SepPrivilegeCheck@20 ;	SepPrivilegeCheck(x,x,x,x,x)
		test	al, al
		jz	short loc_51D4AF
		mov	edx, [esp+0A8h+var_84]
		or	edi, 80000h
		inc	[esp+0A8h+var_68]
		and	edx, 0FFF7FFFFh
		mov	[esp+0A8h+var_84], edx
		mov	byte ptr [esp+0A8h+var_50], 1
		test	edx, edx
		jz	loc_51D264

loc_51D473:				; CODE XREF: SepAccessCheck+496j
					; SepAccessCheck+CE8BCj
		mov	eax, [esp+0A8h+var_80]
		jmp	loc_51D194
; 

loc_51D47C:				; CODE XREF: SepAccessCheck+22Ej
		mov	esi, [esp+0A8h+var_4C]
		mov	ecx, eax
		mov	dl, [esp+0A8h+var_8D]
		push	esi
		push	[esp+0ACh+var_54]
		push	[esp+0B0h+var_50]
		call	SepAssemblePrivileges
		mov	eax, [esp+0A8h+var_4C]
		xor	esi, esi
		test	eax, eax
		jz	loc_51D284
		cmp	[eax], esi
		jnz	loc_51D284
		jmp	loc_5EBACF
; 

loc_51D4AF:				; CODE XREF: SepAccessCheck+3FCj
		push	[ebp+arg_1C]
		mov	eax, ds:_SeRelabelPrivilege
		lea	edx, [esp+0ACh+var_3C]
		mov	ecx, [esp+0ACh+var_8C]
		push	1
		mov	[esp+0B0h+var_3C], eax
		mov	eax, ds:dword_A94A4C
		push	1
		mov	[esp+0B4h+var_38], eax
		mov	[esp+0B4h+var_34], 0
		call	_SepPrivilegeCheck@20 ;	SepPrivilegeCheck(x,x,x,x,x)
		mov	edx, [esp+0A8h+var_84]
		test	al, al
		jz	short loc_51D473
		jmp	loc_5EB8EB
; 

loc_51D4ED:				; CODE XREF: SepAccessCheck+35Fj
		test	eax, 4000h
		mov	eax, [esp+0A8h+var_94]
		jz	loc_51D622
		mov	ebx, [esp+0A8h+var_94]
		mov	eax, [eax+8]
		or	eax, [ebx+4]
		and	ecx, eax
		mov	eax, ebx
		mov	ebx, [esp+0A8h+var_58]

loc_51D50E:				; CODE XREF: SepAccessCheck+5DFj
		mov	eax, [eax]
		not	eax
		and	edi, eax
		jmp	loc_51D3B5
; 

loc_51D519:				; CODE XREF: SepAccessCheck+1E8j
		test	cl, 8
		jz	loc_51D5A9
		mov	ecx, [esp+0A8h+var_74]
		mov	edx, [ecx+8]
		or	edx, [ecx]
		not	edx
		and	edx, [ecx+4]
		or	edx, 10D0000h

loc_51D536:				; CODE XREF: SepAccessCheck+566j
		xor	ecx, ecx
		test	edx, esi
		jnz	short loc_51D55D

loc_51D53C:				; CODE XREF: SepAccessCheck+557j
		mov	edx, [esp+0A8h+var_94]
		jmp	loc_51D240
; 

loc_51D545:				; CODE XREF: SepAccessCheck+263j
		mov	byte ptr [ecx],	0
		jmp	loc_51D2B9
; 

loc_51D54D:				; CODE XREF: SepAccessCheck+DDj
		mov	esi, [esp+0A8h+var_88]
		mov	eax, [esi+10h]
		mov	[esp+0A8h+var_80], eax
		jmp	loc_51D146
; 

loc_51D55D:				; CODE XREF: SepAccessCheck+4EAj
		push	[ebp+arg_44]
		mov	ecx, [esp+0ACh+var_78]
		push	[esp+0ACh+var_94]
		and	edx, [esp+0B0h+var_84]
		push	[ebp+arg_30]
		mov	[esp+0B4h+var_58], edx
		mov	edx, eax
		push	1
		push	[ebp+arg_10]
		push	ecx
		push	[esp+0C0h+var_7C]
		mov	ecx, [esp+0C4h+var_58]
		push	[esp+0C4h+var_64]
		push	[esp+0C8h+var_70]
		push	[esp+0CCh+var_88]
		push	[esp+0D0h+var_80]
		push	[esp+0D4h+var_6C]
		call	SepNormalAccessCheck
		mov	eax, [esp+0A8h+var_78]
		mov	ecx, [eax+18h]
		mov	eax, [esp+0A8h+var_8C]
		jmp	short loc_51D53C
; 

loc_51D5A9:				; CODE XREF: SepAccessCheck+4CCj
		mov	edx, [esp+0A8h+var_74]
		mov	edx, [edx+0Ch]
		or	edx, 1FFFFFh
		jmp	loc_51D536
; 

loc_51D5BB:				; CODE XREF: SepAccessCheck+349j
		mov	edx, [esp+0A8h+var_74]
		test	cl, 8
		jz	short loc_51D617
		mov	ecx, [edx+8]
		or	ecx, [edx]
		not	ecx
		and	ecx, [edx+4]
		or	ecx, 10D0000h

loc_51D5D4:				; CODE XREF: SepAccessCheck+5D0j
		push	[ebp+arg_44]
		mov	edx, [esp+0ACh+var_6C]
		push	[esp+0ACh+var_94]
		push	[ebp+arg_30]
		push	1
		push	ecx
		push	[ebp+arg_10]
		mov	ecx, [esp+0C0h+var_78]
		push	ecx
		push	[esp+0C4h+var_7C]
		mov	ecx, eax
		push	[esp+0C8h+var_64]
		push	[esp+0CCh+var_70]
		push	[esp+0D0h+var_88]
		push	[esp+0D4h+var_80]
		call	SepMaximumAccessCheck
		mov	eax, [esp+0A8h+var_8C]
		mov	eax, [eax+0B0h]
		jmp	loc_51D3A1
; 

loc_51D617:				; CODE XREF: SepAccessCheck+572j
		mov	ecx, [edx+0Ch]
		or	ecx, 1FFFFFh
		jmp	short loc_51D5D4
; 

loc_51D622:				; CODE XREF: SepAccessCheck+4A6j
		cmp	byte ptr [eax+14h], 0
		jz	loc_51D3B5
		and	ecx, [eax+4]
		jmp	loc_51D50E
; 

loc_51D634:				; CODE XREF: SepAccessCheck+292j
		mov	edx, [esp+0A8h+var_74]
		and	edi, 0FDFFFFFFh
		or	edi, [edx+0Ch]
		jmp	loc_51D2E8
; 

loc_51D646:				; CODE XREF: SepAccessCheck+B8j
		push	[ebp+arg_1C]
		mov	eax, ds:_SeSecurityPrivilege
		lea	edx, [esp+0ACh+var_3C]
		push	1
		mov	[esp+0B0h+var_3C], eax
		mov	ecx, edi
		mov	eax, ds:dword_A94A3C
		push	1
		mov	[esp+0B4h+var_38], eax
		mov	[esp+0B4h+var_34], 0
		call	_SepPrivilegeCheck@20 ;	SepPrivilegeCheck(x,x,x,x,x)
		test	al, al
		jnz	loc_5EB8BD
		xor	edi, edi
		mov	esi, 0C0000061h
		jmp	loc_51D284
; 

loc_51D689:				; CODE XREF: SepAccessCheck+396j
		cmp	byte ptr [eax+14h], 0
		jnz	loc_5EB96F
		xor	ecx, ecx
		jmp	loc_51D3FA
SepAccessCheck	endp

; 
		align 10h
; Exported entry  63. ExReleaseResourceAndLeaveCriticalRegion

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExReleaseResourceAndLeaveCriticalRegion
ExReleaseResourceAndLeaveCriticalRegion	proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005EBB06 SIZE 00000099 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, ecx
		movzx	ecx, word ptr [esi+0Eh]
		mov	eax, ecx
		mov	edx, ecx
		and	eax, 1
		jnz	loc_5EBB06

loc_51D6BC:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+CE469j
		test	ax, ax
		jnz	loc_51D755

loc_51D6C5:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+CE4C0j
		test	cl, 1
		jnz	loc_5EBB65
		xor	eax, eax
		lea	ecx, [esi+34h]
		push	edi
		mov	edi, large fs:124h
		lea	edx, [ebp+var_C]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, large fs:124h
		movzx	ecx, word ptr [esi+0Eh]
		test	cl, 1
		jnz	loc_5EBB71
		cmp	_ExpResourceEnforceOwnerTransfer, 0
		jnz	loc_5EBB71

loc_51D70D:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+CE4D8j
					; ExReleaseResourceAndLeaveCriticalRegion+CE4E0j
		lea	eax, [ebp+var_C]
		test	cl, cl
		mov	edx, edi
		mov	ecx, esi
		push	eax
		jns	short loc_51D74E
		call	ExpReleaseResourceExclusiveForThreadLite

loc_51D71E:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+B3j
		pop	edi

loc_51D71F:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+CE4CCj
		mov	eax, large fs:124h
		nop
		add	word ptr [eax+13Ch], 1
		pop	esi
		jz	short loc_51D735

loc_51D731:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+9Bj
					; ExReleaseResourceAndLeaveCriticalRegion+A5j ...
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51D735:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+8Fj
		nop
		lea	ecx, [eax+70h]
		cmp	[ecx], ecx
		jz	short loc_51D731
		cmp	word ptr [eax+13Eh], 0
		jnz	short loc_51D731
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_51D731
; 

loc_51D74E:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+77j
		call	ExpReleaseResourceSharedForThreadLite
		jmp	short loc_51D71E
; 

loc_51D755:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+1Fj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		cmp	al, 2
		ja	loc_5EBB20
		jmp	loc_5EBB34
ExReleaseResourceAndLeaveCriticalRegion	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpReleaseResourceExclusiveForThreadLite proc near
					; CODE XREF: ExpReleaseResourceForThreadLite+2A3p
					; ExReleaseResourceAndLeaveCriticalRegion+79p ...

var_64		= dword	ptr -64h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005EBB9F SIZE 00000197 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		test	dword ptr ds:byte_70EFC4, 20000h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		jnz	loc_5EBB96
		mov	[ebp+var_4], 0

loc_51D791:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+CE4FAj
		test	byte ptr [edi+0Eh], 1
		jnz	loc_5EBB9F
		cmp	_ExpResourceEnforceOwnerTransfer, 0
		jnz	loc_5EBB9F

loc_51D7A8:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CE432j
		mov	ecx, [edi+1Ch]
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		lea	esi, ds:0FFFFFFF8h[eax*8]
		or	esi, ecx
		mov	[edi+1Ch], esi
		shr	esi, 3
		test	esi, esi
		jnz	loc_51D8CC
		mov	eax, [edi+1Ch]
		mov	ebx, [edi+18h]
		test	al, 2
		jnz	loc_5EBBCA
		test	bl, 3
		jnz	short loc_51D7F9

loc_51D7DD:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CE45Dj
		test	ebx, ebx
		jz	short loc_51D7F9
		test	al, 1
		jnz	loc_51DC58

loc_51D7E9:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+4FCj
		test	al, 4
		jnz	loc_51D97F

loc_51D7F1:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+21Dj
		test	al, 2
		jnz	loc_51DD29

loc_51D7F9:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+6Bj
					; ExpReleaseResourceExclusiveForThreadLite+6Fj	...
		xor	ecx, ecx
		mov	dword ptr [edi+18h], 0
		mov	eax, [edi+24h]
		mov	[ebp+var_34], eax
		mov	[ebp+var_24], ecx
		cmp	[edi+28h], ecx
		jnz	loc_51DB81
		mov	eax, [edi+2Ch]
		xor	esi, esi
		mov	[ebp+var_10], esi
		test	eax, eax
		jnz	loc_51D992
		mov	eax, 0FF7Fh
		and	[edi+0Eh], ax

loc_51D82D:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+431j
		xor	eax, eax
		mov	[edi+0Ch], ax

loc_51D833:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+25Cj
		mov	[edi+20h], eax
		cmp	dword ptr [edi+2Ch], 0
		jnz	short loc_51D855
		cmp	dword ptr [edi+28h], 0
		jnz	loc_5EBBD9
		xor	al, al

loc_51D848:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CE46Bj
		test	al, al
		jnz	short loc_51D855
		mov	eax, 0F9h
		and	[edi+0Eh], ax

loc_51D855:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CAj
					; ExpReleaseResourceExclusiveForThreadLite+DAj
		mov	al, [edi+0Fh]
		mov	[ebp+var_5], al
		movzx	eax, al
		mov	[ebp+var_50], eax
		test	ecx, ecx
		jnz	loc_51D9D1

loc_51D869:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+270j
		test	ds:byte_70EFC6,	1
		mov	ebx, [ebp+arg_0]
		jnz	loc_5EBBE0
		mov	eax, [ebx]
		test	eax, eax
		jnz	loc_51DBF0
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jnz	loc_51DBE6

loc_51D896:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CE47Aj
		mov	esi, [ebp+var_10]

loc_51D899:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+491j
		mov	cl, [ebx+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, 1
		test	esi, esi
		jnz	short loc_51D913

loc_51D8AB:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+40Cj
		mov	ebx, 10022h
		xor	esi, esi

loc_51D8B2:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+1A1j
		inc	large dword ptr	fs:41ECh
		cmp	[ebp+var_4], 0
		jnz	loc_5EBD24

loc_51D8C3:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CE5C1j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_51D8CC:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+54j
		test	ds:byte_70EFC6,	1
		mov	ebx, 10032h
		mov	eax, [edi+24h]
		mov	[ebp+var_34], eax
		jnz	loc_5EBBBA
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	loc_51DC7B
		mov	ecx, [eax+4]
		xor	edx, edx
		lock cmpxchg [ecx], edx
		mov	ecx, [ebp+arg_0]
		cmp	eax, ecx
		jnz	loc_51DC71

loc_51D905:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+51Cj
					; ExpReleaseResourceExclusiveForThreadLite+CE455j
		mov	eax, [ebp+arg_0]
		mov	cl, [eax+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_51D8B2
; 

loc_51D913:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+139j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, large fs:20h
		mov	byte ptr [ebp+var_54], al
		mov	eax, [ebp+var_10]
		mov	[ebp+var_C], esi
		mov	[ebp+var_20], eax
		lea	esp, [esp+0]

loc_51D930:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+2BFj
		mov	ecx, [ebp+var_20]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_38], 0
		mov	ecx, [ecx]
		mov	[ebp+var_20], ecx
		lea	ecx, [eax+0Ch]
		mov	[ebp+var_30], ecx
		lock bts dword ptr [ecx], 7
		jb	loc_51DC91

loc_51D953:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+53Fj
		lea	ecx, [eax+14h]
		mov	[eax+10h], ebx
		mov	eax, [ecx]
		mov	[ebp+var_40], ecx
		cmp	eax, ecx
		jz	loc_51DA1E

loc_51D966:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+5D9j
		mov	ecx, eax
		mov	eax, [eax]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_3C], eax
		mov	edx, [ecx+4]
		cmp	[eax+4], ecx
		jz	short loc_51D9E5

loc_51D978:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+277j
					; ExpReleaseResourceExclusiveForThreadLite+45Ej ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_51D97F:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+7Bj
		lock dec dword ptr [ebx+330h]
		and	dword ptr [edi+1Ch], 0FFFFFFFBh
		mov	eax, [edi+1Ch]
		jmp	loc_51D7F1
; 

loc_51D992:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+AEj
		mov	edx, [edi+14h]
		test	edx, edx
		jz	loc_5EBBD2
		mov	eax, [edx]
		cmp	eax, edx
		jnz	loc_51DBC3
		mov	[edi+14h], ecx

loc_51D9AA:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+471j
		mov	ecx, [edx+8]
		mov	esi, edx
		mov	[edx+4], edx
		mov	[edx], edx
		mov	eax, [edi+2Ch]
		mov	[ebp+var_10], esi

loc_51D9BA:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CE464j
		dec	eax
		mov	[ebp+var_24], ecx
		mov	edx, 1
		mov	[edi+2Ch], eax

loc_51D9C6:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+42Bj
		mov	eax, [edi+20h]
		dec	eax
		add	eax, edx
		jmp	loc_51D833
; 

loc_51D9D1:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+F3j
		mov	eax, [edi+1Ch]
		and	eax, 7
		mov	[edi+18h], ecx
		or	eax, 8
		mov	[edi+1Ch], eax
		jmp	loc_51D869
; 

loc_51D9E5:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+206j
		cmp	[edx], ecx
		jnz	short loc_51D978
		mov	[edx], eax
		mov	[eax+4], edx
		mov	al, [ecx+8]
		cmp	al, 1
		jnz	loc_5EBBEF
		movzx	eax, word ptr [ecx+0Ah]
		mov	edx, ecx
		push	0
		push	eax
		mov	ecx, esi
		call	KiTryUnwaitThread
		test	al, al
		jz	loc_51DD3D
		mov	eax, [ebp+var_1C]
		add	dword ptr [eax+10h], 0FFFFFFFFh
		jnz	loc_51DD3D

loc_51DA1E:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+1F0j
					; ExpReleaseResourceExclusiveForThreadLite+5D3j ...
		mov	eax, [ebp+var_30]
		mov	ecx, 0FFFFFF7Fh
		lock and [eax],	ecx
		mov	eax, [ebp+var_20]
		cmp	eax, [ebp+var_10]
		jnz	loc_51D930
		mov	esi, [esi+4]
		mov	[ebp+var_30], esi
		cmp	byte ptr [esi+15Ch], 0
		jz	loc_51DBB5
		lea	eax, [esi+2Ch]
		mov	[ebp+var_44], 0
		mov	[ebp+var_2C], eax
		mov	esi, eax
		jmp	short loc_51DA60
; 
		align 10h

loc_51DA60:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+2E7j
					; ExpReleaseResourceExclusiveForThreadLite+4E3j
		lock bts dword ptr [esi], 0
		jb	loc_51DC45
		mov	esi, [ebp+var_30]
		mov	al, [esi+15Ch]
		mov	ch, [esi+87h]
		mov	dl, al
		mov	cl, ch
		mov	[ebp+var_2], cl
		and	dl, 0Fh
		jz	short loc_51DA8B
		sub	cl, dl
		mov	[ebp+var_2], cl

loc_51DA8B:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+314j
		shr	al, 4
		test	al, al
		jz	loc_51DBBF
		mov	cl, ch
		mov	[esi+15Ch], dl
		sub	cl, al
		mov	[ebp+var_48], 0
		mov	eax, [esi+214h]
		mov	byte ptr [ebp+arg_0+3],	cl
		test	eax, eax
		jnz	loc_51DC2A

loc_51DAB8:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+4C5j
					; ExpReleaseResourceExclusiveForThreadLite+4D0j
		cmp	cl, ch
		jz	loc_51DB4D
		mov	esi, [ebp+var_C]
		add	esi, 2224h
		mov	[ebp+var_3], 0
		mov	[ebp+var_40], esi
		mov	[ebp+var_4C], 0
		jmp	short loc_51DAE0
; 
		align 10h

loc_51DAE0:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+367j
					; ExpReleaseResourceExclusiveForThreadLite+552j
		lock bts dword ptr [esi], 0
		jb	loc_51DCB4
		mov	eax, [ebp+var_C]
		mov	esi, [ebp+var_30]
		cmp	dword ptr [eax+8], 0
		jnz	short loc_51DB12
		push	1
		mov	edx, esi
		mov	ecx, eax
		call	KiSelectReadyThreadEx
		mov	edx, eax
		mov	[ebp+var_14], edx
		test	edx, edx
		jnz	loc_51DCC7
		mov	[ebp+var_3], bl

loc_51DB12:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+385j
					; ExpReleaseResourceExclusiveForThreadLite+5B4j
		mov	dl, byte ptr [ebp+arg_0+3]
		mov	ecx, esi
		push	1
		call	KiAbProcessThreadPriorityModification
		cmp	[ebp+var_3], 0
		mov	al, byte ptr [ebp+arg_0+3]
		mov	[esi+87h], al
		jz	short loc_51DB45
		test	byte ptr [esi+2], 4
		jnz	loc_51DC06

loc_51DB37:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+4A7j
					; ExpReleaseResourceExclusiveForThreadLite+4B5j
		mov	eax, [ebp+var_C]
		mov	cl, byte ptr [ebp+arg_0+3]
		mov	eax, [eax+33Ch]
		mov	[eax], cl

loc_51DB45:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+3BBj
		mov	eax, [ebp+var_40]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_51DB4D:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+34Aj
		mov	cl, [ebp+var_2]

loc_51DB50:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+451j
		mov	eax, [ebp+var_2C]
		mov	dword ptr [eax], 0

loc_51DB59:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+44Dj
		mov	eax, [ebp+var_50]
		test	eax, eax
		jnz	short loc_51DBA6

loc_51DB60:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+43Ej
					; ExpReleaseResourceExclusiveForThreadLite+443j
		cmp	[ebp+var_24], 0
		jz	short loc_51DB6D
		cmp	ebx, 1
		jnz	short loc_51DB6D
		mov	eax, ebx

loc_51DB6D:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+3F4j
					; ExpReleaseResourceExclusiveForThreadLite+3F9j
		push	[ebp+var_54]
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		push	eax
		push	ebx
		call	KiExitDispatcher
		jmp	loc_51D8AB
; 

loc_51DB81:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+9Ej
		mov	esi, [edi+10h]
		mov	eax, 0FF7Fh
		mov	[edi+10h], ecx
		mov	edx, [edi+28h]
		and	[edi+0Eh], ax
		mov	[ebp+var_10], esi
		mov	[edi+28h], ecx
		test	edx, edx
		jnz	loc_51D9C6
		jmp	loc_51D82D
; 

loc_51DBA6:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+3EEj
		mov	ebx, 2
		cmp	cl, [ebp+var_5]
		jle	short loc_51DB60
		movsx	eax, cl
		jmp	short loc_51DB60
; 

loc_51DBB5:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+2D2j
		mov	cl, [esi+87h]
		inc	cl
		jmp	short loc_51DB59
; 

loc_51DBBF:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+320j
		inc	cl
		jmp	short loc_51DB50
; 

loc_51DBC3:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+231j
		mov	[edi+14h], eax
		mov	ecx, [edx]
		mov	eax, [edx+4]
		cmp	[ecx+4], edx
		jnz	loc_51D978
		cmp	[eax], edx
		jnz	loc_51D978
		mov	[eax], ecx
		mov	[ecx+4], eax
		jmp	loc_51D9AA
; 

loc_51DBE6:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+120j
		mov	ecx, ebx
		call	KxWaitForLockChainValid
		mov	esi, [ebp+var_10]

loc_51DBF0:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+10Dj
		mov	dword ptr [ebx], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_51D899
; 

loc_51DC06:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+3C1j
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	KiIsThreadRankNonZero
		test	al, al
		jz	short loc_51DC1C
		mov	byte ptr [ebp+arg_0+3],	bl
		jmp	loc_51DB37
; 

loc_51DC1C:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+4A2j
		mov	al, [esi+87h]
		mov	byte ptr [ebp+arg_0+3],	al
		jmp	loc_51DB37
; 

loc_51DC2A:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+342j
		bsr	edx, eax
		movsx	eax, cl
		mov	[ebp+var_48], edx
		cmp	eax, edx
		jge	loc_51DAB8
		mov	cl, dl
		mov	byte ptr [ebp+arg_0+3],	cl
		jmp	loc_51DAB8
; 

loc_51DC45:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+2F5j
					; ExpReleaseResourceExclusiveForThreadLite+4E1j
		lea	ecx, [ebp+var_44]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_51DC45
		jmp	loc_51DA60
; 

loc_51DC58:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+73j
		push	0
		push	0
		mov	dl, 1
		mov	ecx, ebx
		call	PsBoostThreadIoEx
		and	dword ptr [edi+1Ch], 0FFFFFFFEh
		mov	eax, [edi+1Ch]
		jmp	loc_51D7E9
; 

loc_51DC71:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+18Fj
		call	KxWaitForLockChainValid
		mov	ecx, eax
		mov	eax, [ebp+arg_0]

loc_51DC7B:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+17Bj
		mov	dword ptr [eax], 0
		mov	edx, 1
		lea	eax, [ecx+4]
		lock xor [eax],	edx
		jmp	loc_51D905
; 

loc_51DC91:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+1DDj
		mov	esi, [ebp+var_30]

loc_51DC94:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+530j
					; ExpReleaseResourceExclusiveForThreadLite+537j
		lea	ecx, [ebp+var_38]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	al, al
		js	short loc_51DC94
		lock bts dword ptr [esi], 7
		jb	short loc_51DC94
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+var_1C]
		jmp	loc_51D953
; 

loc_51DCB4:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+375j
					; ExpReleaseResourceExclusiveForThreadLite+550j
		lea	ecx, [ebp+var_4C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_51DCB4
		jmp	loc_51DAE0
; 

loc_51DCC7:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+399j
		test	byte ptr [edx+2], 4
		jnz	loc_5EBD05

loc_51DCD1:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CE5AFj
		mov	al, [edx+87h]
		mov	[ebp+var_1], al

loc_51DCDA:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CE5A7j
		mov	ecx, [ebp+var_C]
		mov	dl, [ebp+var_1]
		mov	eax, [ecx+33Ch]
		mov	[eax], dl
		mov	edx, [ebp+var_14]
		mov	[ecx+8], edx
		cmp	edx, [ecx+0Ch]
		jz	short loc_51DD4E
		xor	al, al

loc_51DCF5:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+5E0j
		mov	ecx, [ecx+4DCh]
		test	ecx, ecx
		jz	short loc_51DD02
		mov	[ecx+10h], al

loc_51DD02:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+58Dj
		mov	al, [edx+90h]
		cmp	al, 1
		jnz	short loc_51DD1D
		mov	eax, ds:_KeTickCount
		sub	eax, [edx+138h]
		add	[edx+170h], eax

loc_51DD1D:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+59Aj
		mov	byte ptr [edx+90h], 3
		jmp	loc_51DB12
; 

loc_51DD29:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+83j
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag
		and	dword ptr [edi+1Ch], 0FFFFFFFDh
		jmp	loc_51D7F9
; 

loc_51DD3D:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+29Bj
					; ExpReleaseResourceExclusiveForThreadLite+2A8j ...
		mov	eax, [ebp+var_3C]
		cmp	eax, [ebp+var_40]
		jz	loc_51DA1E
		jmp	loc_51D966
; 

loc_51DD4E:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+581j
		mov	al, bl
		jmp	short loc_51DCF5
ExpReleaseResourceExclusiveForThreadLite endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiSetAddressPolicy(x)
_KiSetAddressPolicy@4 proc near		; CODE XREF: KeSynchronizeAddressPolicy(x)+90p
					; KiSynchronizeAddressPolicyTarget(x,x,x,x)+1Fp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, large fs:20h
		cmp	esi, 1
		pop	esi
		jnz	short loc_51DD84
		or	dword ptr [ecx+4EECh], 2

loc_51DD7E:				; CODE XREF: KiSetAddressPolicy(x)+2Bj
		test	al, al
		jz	short locret_51DD83
		sti

locret_51DD83:				; CODE XREF: KiSetAddressPolicy(x)+20j
		retn
; 

loc_51DD84:				; CODE XREF: KiSetAddressPolicy(x)+15j
		and	dword ptr [ecx+4EECh], 0FFFFFFFDh
		jmp	short loc_51DD7E
_KiSetAddressPolicy@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpAcquireResourceExclusiveLite	proc near
					; CODE XREF: ExEnterCriticalRegionAndAcquireResourceExclusive+39p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005EBD36 SIZE 000000FB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		push	ebx
		push	esi
		mov	[ebp+var_18], eax
		mov	bh, dl
		mov	[ebp+var_14], eax
		mov	esi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_25], al
		mov	eax, large fs:124h
		test	dword ptr ds:byte_70EFC4, 20000h
		push	edi
		mov	[ebp+var_4], eax
		jnz	loc_5EBD36
		xor	bl, bl

loc_51DDC8:				; CODE XREF: ExpAcquireResourceExclusiveLite+CDFA8j
		inc	large dword ptr	fs:41F8h
		lea	edi, [esi+34h]
		mov	[ebp+var_14], edi
		mov	[ebp+var_18], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_10], al
		jnz	loc_5EBD3D
		lea	edx, [ebp+var_18]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_51E07B

loc_51DDFF:				; CODE XREF: ExpAcquireResourceExclusiveLite+2F3j
					; ExpAcquireResourceExclusiveLite+CDFB7j
		cmp	dword ptr [esi+20h], 0
		mov	edi, [ebp+var_4]
		jnz	short loc_51DE84
		mov	eax, 80h
		mov	[esi+18h], edi
		or	[esi+0Eh], ax
		mov	eax, 1
		mov	[esi+0Ch], ax
		mov	bh, al
		mov	[esi+20h], eax
		mov	eax, [esi+1Ch]
		and	eax, 7
		or	eax, 8
		mov	[esi+1Ch], eax
		test	ds:byte_70EFC6,	bh
		jnz	loc_5EBD4C
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_51E0AF
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_51E0A7

loc_51DE5C:				; CODE XREF: ExpAcquireResourceExclusiveLite+331j
					; ExpAcquireResourceExclusiveLite+CDFC7j
		mov	cl, byte ptr [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:41FCh
		inc	large dword ptr	fs:41E4h
		test	bl, bl
		jnz	loc_5EBD5C

loc_51DE7B:				; CODE XREF: ExpAcquireResourceExclusiveLite+15Bj
					; ExpAcquireResourceExclusiveLite+CDFDEj ...
		pop	edi
		pop	esi
		mov	al, bh
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51DE84:				; CODE XREF: ExpAcquireResourceExclusiveLite+76j
		test	byte ptr [esi+0Eh], 80h
		jz	short loc_51DEED
		cmp	[esi+18h], edi
		jnz	short loc_51DEED
		mov	edi, [esi+1Ch]
		add	edi, 8
		mov	[esi+1Ch], edi
		shr	edi, 3
		test	ds:byte_70EFC6,	1
		jnz	loc_5EBD73
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_51E0EF
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_51E0E7

loc_51DECA:				; CODE XREF: ExpAcquireResourceExclusiveLite+371j
					; ExpAcquireResourceExclusiveLite+CDFEEj
		mov	cl, byte ptr [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4200h
		inc	large dword ptr	fs:41E4h
		test	bl, bl
		jnz	loc_5EBD83

loc_51DEE9:				; CODE XREF: ExpAcquireResourceExclusiveLite+2B9j
					; ExpAcquireResourceExclusiveLite+CE09Cj
		mov	bh, 1
		jmp	short loc_51DE7B
; 

loc_51DEED:				; CODE XREF: ExpAcquireResourceExclusiveLite+F8j
					; ExpAcquireResourceExclusiveLite+FDj
		test	bh, bh
		jz	loc_5EBD92
		inc	dword ptr [esi+2Ch]
		lea	eax, [ebp+var_20]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_34], 0
		mov	[ebp+var_30], 0
		mov	dword ptr [ebp-28h], 40001h
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], 0
		test	eax, eax
		jnz	loc_51E05B
		lea	eax, [ebp+var_34]
		mov	[ebp+var_30], eax
		mov	[ebp+var_34], eax
		mov	[esi+14h], eax

loc_51DF37:				; CODE XREF: ExpAcquireResourceExclusiveLite+2E6j
		test	ds:byte_70EFC6,	1
		jnz	loc_5EBDF7
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_51E090
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_51E088

loc_51DF66:				; CODE XREF: ExpAcquireResourceExclusiveLite+312j
					; ExpAcquireResourceExclusiveLite+CE072j
		mov	cl, byte ptr [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4204h
		test	bl, bl
		jnz	loc_5EBE07

loc_51DF7E:				; CODE XREF: ExpAcquireResourceExclusiveLite+CE085j
		mov	edx, large fs:124h
		mov	[ebp+var_4], 0
		mov	[ebp+var_C], edx
		mov	ecx, [edx+2FCh]
		mov	eax, [edx+150h]
		shr	ecx, 9
		and	ecx, 7
		test	dword ptr [eax+0FCh], 100000h
		jnz	loc_51E0C6
		cmp	ecx, 2
		jb	loc_51E0C8

loc_51DFBA:				; CODE XREF: ExpAcquireResourceExclusiveLite+33Fj
					; ExpAcquireResourceExclusiveLite+34Cj
		cmp	ecx, 1
		jbe	loc_51E054

loc_51DFC3:				; CODE XREF: ExpAcquireResourceExclusiveLite+352j
		test	byte ptr [esi+0Eh], 4
		jnz	loc_51E054
		mov	ecx, 4
		mov	[ebp+var_4], ecx

loc_51DFD5:				; CODE XREF: ExpAcquireResourceExclusiveLite+2C6j
		movzx	eax, word ptr [esi+0Eh]
		mov	edx, eax
		mov	[ebp+var_8], edx
		shr	[ebp+var_8], 8
		shr	edx, 8
		test	al, 2
		jnz	short loc_51DFF2
		mov	dl, byte ptr [ebp+var_8]
		or	ecx, 2
		mov	[ebp+var_4], ecx

loc_51DFF2:				; CODE XREF: ExpAcquireResourceExclusiveLite+257j
		mov	eax, [ebp+var_C]
		movsx	ecx, byte ptr [eax+87h]
		movzx	eax, dl
		mov	edx, [ebp+var_4]
		cmp	ecx, eax
		jle	short loc_51E00C
		or	edx, 0FF00h

loc_51E00C:				; CODE XREF: ExpAcquireResourceExclusiveLite+274j
		test	edx, edx
		jz	short loc_51E01A
		push	[ebp+var_C]
		mov	ecx, esi
		call	ExpApplyPriorityBoost

loc_51E01A:				; CODE XREF: ExpAcquireResourceExclusiveLite+27Ej
		push	offset _ExpApplyRewaitBoost@4 ;	ExpApplyRewaitBoost(x)
		push	10224h
		lea	edx, [ebp+var_34]
		mov	ecx, esi
		call	ExpWaitForResource
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	ExpBoostIoAfterAcquire
		inc	large dword ptr	fs:41FCh
		inc	large dword ptr	fs:41E4h
		test	bl, bl
		jz	loc_51DEE9
		jmp	loc_5EBE1A
; 

loc_51E054:				; CODE XREF: ExpAcquireResourceExclusiveLite+22Dj
					; ExpAcquireResourceExclusiveLite+237j
		xor	ecx, ecx
		jmp	loc_51DFD5
; 

loc_51E05B:				; CODE XREF: ExpAcquireResourceExclusiveLite+195j
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_5EBDF0
		mov	[ebp+var_30], ecx
		lea	edx, [ebp+var_34]
		mov	[ebp+var_34], eax
		mov	[ecx], edx
		mov	ecx, edx
		mov	[eax+4], ecx
		jmp	loc_51DF37
; 

loc_51E07B:				; CODE XREF: ExpAcquireResourceExclusiveLite+69j
		lea	ecx, [ebp+var_18]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_51DDFF
; 

loc_51E088:				; CODE XREF: ExpAcquireResourceExclusiveLite+1D0j
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_51E090:				; CODE XREF: ExpAcquireResourceExclusiveLite+1B9j
		mov	[ebp+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_51DF66
; 

loc_51E0A7:				; CODE XREF: ExpAcquireResourceExclusiveLite+C6j
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_51E0AF:				; CODE XREF: ExpAcquireResourceExclusiveLite+AFj
		mov	[ebp+var_18], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_51DE5C
; 

loc_51E0C6:				; CODE XREF: ExpAcquireResourceExclusiveLite+21Bj
		xor	ecx, ecx

loc_51E0C8:				; CODE XREF: ExpAcquireResourceExclusiveLite+224j
		cmp	edx, large fs:124h
		jnz	loc_51DFBA
		cmp	dword ptr [edx+32Ch], 0
		jz	loc_51DFBA
		jmp	loc_51DFC3
; 

loc_51E0E7:				; CODE XREF: ExpAcquireResourceExclusiveLite+134j
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_51E0EF:				; CODE XREF: ExpAcquireResourceExclusiveLite+11Dj
		mov	[ebp+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_51DECA
ExpAcquireResourceExclusiveLite	endp

; 
		align 10h
; Exported entry 347. ExEnterCriticalRegionAndAcquireResourceExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExEnterCriticalRegionAndAcquireResourceExclusive
ExEnterCriticalRegionAndAcquireResourceExclusive proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005EBE31 SIZE 0000007A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		movzx	ecx, word ptr [esi+0Eh]
		mov	eax, ecx
		mov	edx, ecx
		and	eax, 1
		jnz	loc_5EBE31

loc_51E13C:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceExclusive+CDD24j
		test	ax, ax
		jnz	short loc_51E161

loc_51E141:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceExclusive+CDD96j
		mov	dl, 1
		test	cl, dl
		mov	ecx, esi
		jnz	short loc_51E17B
		call	ExpAcquireResourceExclusiveLite

loc_51E14E:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceExclusive+70j
		mov	eax, large fs:124h
		pop	esi
		mov	eax, [eax+124h]
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_51E161:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceExclusive+2Fj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		cmp	al, 1
		ja	loc_5EBE4B
		jmp	loc_5EBE5F
; 

loc_51E17B:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceExclusive+37j
		call	_ExpFastResourceLegacyAcquireExclusive@8 ; ExpFastResourceLegacyAcquireExclusive(x,x)
		jmp	short loc_51E14E
ExEnterCriticalRegionAndAcquireResourceExclusive endp

; 
		align 10h
; Exported entry 308. ExAcquireResourceExclusiveLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExAcquireResourceExclusiveLite
ExAcquireResourceExclusiveLite proc near ; CODE	XREF: CcAcquireByteRangeForWrite+682p
					; SepDesktopAppxSubProcessToken(x,x,x,x,x)+224p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005EBEAB SIZE 00000150 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		mov	bh, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		test	bh, bh
		push	edi
		setz	bl
		inc	bl
		movzx	ecx, word ptr [esi+0Eh]
		mov	eax, ecx
		mov	edx, ecx
		and	eax, 1
		jnz	loc_5EBEAB

loc_51E1BC:				; CODE XREF: ExAcquireResourceExclusiveLite+CDD1Ej
		test	ax, ax
		jnz	loc_51E4E4

loc_51E1C5:				; CODE XREF: ExAcquireResourceExclusiveLite+CDDB9j
		test	cl, 1
		jnz	loc_5EBF4E
		mov	edi, large fs:124h
		xor	eax, eax
		test	dword ptr ds:byte_70EFC4, 20000h
		mov	[esp+38h+var_28], eax
		mov	[esp+38h+var_24], eax
		mov	[esp+38h+var_20], eax
		mov	[esp+38h+var_10], eax
		mov	[esp+38h+var_C], eax
		mov	[esp+38h+var_8], eax
		mov	[esp+38h+var_4], eax
		jnz	loc_5EBF5C
		xor	bh, bh

loc_51E205:				; CODE XREF: ExAcquireResourceExclusiveLite+CDDCEj
		inc	large dword ptr	fs:41F8h
		lea	ecx, [esi+34h]
		lea	edx, [esp+38h+var_28]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, esi
		call	_ExpTryAcquireResourceExclusive@4 ; ExpTryAcquireResourceExclusive(x)
		mov	bl, al
		test	bl, bl
		jz	short loc_51E292
		mov	ecx, [esi+1Ch]
		and	ecx, 7
		mov	[esi+18h], edi
		or	ecx, 8
		mov	[esi+1Ch], ecx
		test	ds:byte_70EFC6,	1
		jnz	loc_5EBF63
		mov	eax, [esp+38h+var_28]
		test	eax, eax
		jnz	loc_51E48D
		mov	edx, [esp+38h+var_24]
		lea	eax, [esp+38h+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_28]
		cmp	eax, ecx
		jnz	loc_51E484

loc_51E267:				; CODE XREF: ExAcquireResourceExclusiveLite+310j
					; ExAcquireResourceExclusiveLite+CDDDFj
		mov	cl, byte ptr [esp+38h+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:41FCh
		inc	large dword ptr	fs:41E4h
		test	bh, bh
		jnz	loc_5EBF74

loc_51E287:				; CODE XREF: ExAcquireResourceExclusiveLite+16Ej
					; ExAcquireResourceExclusiveLite+CDDF6j
		mov	al, bl

loc_51E289:				; CODE XREF: ExAcquireResourceExclusiveLite+CDDC7j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_51E292:				; CODE XREF: ExAcquireResourceExclusiveLite+93j
		test	byte ptr [esi+0Eh], 80h
		jz	short loc_51E300
		cmp	[esi+18h], edi
		jnz	short loc_51E300
		mov	edi, [esi+1Ch]
		add	edi, 8
		mov	[esi+1Ch], edi
		shr	edi, 3
		test	ds:byte_70EFC6,	1
		jnz	loc_5EBF8B
		mov	eax, [esp+38h+var_28]
		test	eax, eax
		jnz	loc_51E4CC
		mov	edx, [esp+38h+var_24]
		lea	eax, [esp+38h+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_28]
		cmp	eax, ecx
		jnz	loc_51E4C3

loc_51E2DC:				; CODE XREF: ExAcquireResourceExclusiveLite+34Fj
					; ExAcquireResourceExclusiveLite+CDE07j
		mov	cl, byte ptr [esp+38h+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4200h
		inc	large dword ptr	fs:41E4h
		test	bh, bh
		jnz	loc_5EBF9C

loc_51E2FC:				; CODE XREF: ExAcquireResourceExclusiveLite+25Cj
					; ExAcquireResourceExclusiveLite+CDE66j
		mov	bl, 1
		jmp	short loc_51E287
; 

loc_51E300:				; CODE XREF: ExAcquireResourceExclusiveLite+106j
					; ExAcquireResourceExclusiveLite+10Bj
		cmp	[ebp+arg_4], 0
		jz	loc_51E41A
		inc	dword ptr [esi+2Ch]
		lea	eax, [esp+38h+var_10]
		push	0
		push	1
		push	eax
		mov	[esp+44h+var_1C], 0
		mov	[esp+44h+var_18], 0
		mov	[esp+44h+var_10], 0
		mov	[esp+44h+var_C], 0
		mov	[esp+44h+var_8], 0
		mov	[esp+44h+var_4], 0
		mov	[esp+44h+var_14], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [esi+14h]
		test	eax, eax
		jnz	loc_51E3F7
		lea	eax, [esp+38h+var_1C]
		mov	[esp+38h+var_18], eax
		mov	[esp+38h+var_1C], eax
		mov	[esi+14h], eax

loc_51E369:				; CODE XREF: ExAcquireResourceExclusiveLite+285j
		test	ds:byte_70EFC6,	1
		jnz	loc_5EBFC0
		mov	eax, [esp+38h+var_28]
		test	eax, eax
		jnz	loc_51E46C
		mov	edx, [esp+38h+var_24]
		lea	eax, [esp+38h+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_28]
		cmp	eax, ecx
		jnz	loc_51E463

loc_51E39C:				; CODE XREF: ExAcquireResourceExclusiveLite+2EFj
					; ExAcquireResourceExclusiveLite+CDE3Cj
		mov	cl, byte ptr [esp+38h+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4204h
		test	bh, bh
		jnz	loc_5EBFD1

loc_51E3B5:				; CODE XREF: ExAcquireResourceExclusiveLite+CDE4Fj
		mov	ecx, esi
		call	_ExpApplyPrewaitBoost@4	; ExpApplyPrewaitBoost(x)
		push	offset _ExpApplyRewaitBoost@4 ;	ExpApplyRewaitBoost(x)
		push	10224h
		lea	edx, [esp+40h+var_1C]
		mov	ecx, esi
		call	ExpWaitForResource
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	ExpBoostIoAfterAcquire
		inc	large dword ptr	fs:41FCh
		inc	large dword ptr	fs:41E4h
		test	bh, bh
		jz	loc_51E2FC
		jmp	loc_5EBFE4
; 

loc_51E3F7:				; CODE XREF: ExAcquireResourceExclusiveLite+1C4j
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_5EBFB9
		mov	[esp+38h+var_18], ecx
		lea	edx, [esp+38h+var_1C]
		mov	[esp+38h+var_1C], eax
		mov	[ecx], edx
		mov	ecx, edx
		mov	[eax+4], ecx
		jmp	loc_51E369
; 

loc_51E41A:				; CODE XREF: ExAcquireResourceExclusiveLite+174j
		test	ds:byte_70EFC6,	1
		jnz	loc_5EBFA8
		mov	eax, [esp+38h+var_28]
		test	eax, eax
		jnz	short loc_51E4AE
		mov	edx, [esp+38h+var_24]
		lea	eax, [esp+38h+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_28]
		cmp	eax, ecx
		jnz	short loc_51E4A5

loc_51E445:				; CODE XREF: ExAcquireResourceExclusiveLite+331j
					; ExAcquireResourceExclusiveLite+CDE24j
		mov	cl, byte ptr [esp+38h+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4208h
		xor	bl, bl
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_51E463:				; CODE XREF: ExAcquireResourceExclusiveLite+206j
		lea	ecx, [esp+38h+var_28]
		call	KxWaitForLockChainValid

loc_51E46C:				; CODE XREF: ExAcquireResourceExclusiveLite+1ECj
		mov	[esp+38h+var_28], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_51E39C
; 

loc_51E484:				; CODE XREF: ExAcquireResourceExclusiveLite+D1j
		lea	ecx, [esp+38h+var_28]
		call	KxWaitForLockChainValid

loc_51E48D:				; CODE XREF: ExAcquireResourceExclusiveLite+B7j
		mov	[esp+38h+var_28], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_51E267
; 

loc_51E4A5:				; CODE XREF: ExAcquireResourceExclusiveLite+2B3j
		lea	ecx, [esp+38h+var_28]
		call	KxWaitForLockChainValid

loc_51E4AE:				; CODE XREF: ExAcquireResourceExclusiveLite+29Dj
		mov	[esp+38h+var_28], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_51E445
; 

loc_51E4C3:				; CODE XREF: ExAcquireResourceExclusiveLite+146j
		lea	ecx, [esp+38h+var_28]
		call	KxWaitForLockChainValid

loc_51E4CC:				; CODE XREF: ExAcquireResourceExclusiveLite+12Cj
		mov	[esp+38h+var_28], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_51E2DC
; 

loc_51E4E4:				; CODE XREF: ExAcquireResourceExclusiveLite+2Fj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		mov	dl, al
		cmp	dl, bl
		ja	loc_5EBEC5
		jmp	loc_5EBEDB
ExAcquireResourceExclusiveLite endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 309. ExAcquireResourceSharedLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExAcquireResourceSharedLite
ExAcquireResourceSharedLite proc near	; CODE XREF: MiLookupDataTableEntry(x,x)+9Dp
					; SepAcquireOrderedReadLocks(x,x)+20p ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005EBFFB SIZE 000000A1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bl, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		test	bl, bl
		setz	bh
		inc	bh
		movzx	ecx, word ptr [esi+0Eh]
		mov	eax, ecx
		mov	edx, ecx
		and	eax, 1
		jnz	loc_5EBFFB

loc_51E535:				; CODE XREF: ExAcquireResourceSharedLite+CDAEEj
		test	ax, ax
		jnz	short loc_51E54E

loc_51E53A:				; CODE XREF: ExAcquireResourceSharedLite+CDB87j
		test	cl, 1
		mov	dl, bl
		mov	ecx, esi
		jnz	short loc_51E56A
		call	ExpAcquireResourceSharedLite

loc_51E548:				; CODE XREF: ExAcquireResourceSharedLite+5Fj
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_51E54E:				; CODE XREF: ExAcquireResourceSharedLite+28j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		mov	dl, al
		cmp	dl, bh
		ja	loc_5EC015
		jmp	loc_5EC02B
; 

loc_51E56A:				; CODE XREF: ExAcquireResourceSharedLite+31j
		call	_ExpFastResourceLegacyAcquireShared@8 ;	ExpFastResourceLegacyAcquireShared(x,x)
		jmp	short loc_51E548
ExAcquireResourceSharedLite endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpAcquireResourceSharedLite proc near	; CODE XREF: ExEnterCriticalRegionAndAcquireResourceShared+35p
					; ExEnterPriorityRegionAndAcquireResourceShared+44p ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005EC09C SIZE 000000F7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		xor	eax, eax
		push	ebx
		push	esi
		mov	[ebp+var_2C], eax
		mov	bl, dl
		mov	[ebp+var_28], eax
		mov	esi, ecx
		mov	[ebp+var_24], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	eax, large fs:124h
		test	dword ptr ds:byte_70EFC4, 20000h
		push	edi
		mov	[ebp+var_4], eax
		jnz	loc_5EC09C
		xor	bh, bh

loc_51E5CA:				; CODE XREF: ExpAcquireResourceSharedLite+CDB1Ej
		inc	large dword ptr	fs:420Ch
		lea	edi, [esi+34h]
		mov	[ebp+var_28], edi
		mov	[ebp+var_2C], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_24], al
		jnz	loc_5EC0A3
		lea	edx, [ebp+var_2C]
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_51E92C

loc_51E601:				; CODE XREF: ExpAcquireResourceSharedLite+1DFj
					; ExpAcquireResourceSharedLite+3B4j ...
		mov	edi, [ebp+var_4]

loc_51E604:				; CODE XREF: ExpAcquireResourceSharedLite+510j
		mov	edx, [esi+20h]
		test	edx, edx
		jnz	short loc_51E681
		mov	eax, 1
		mov	[esi+18h], edi
		mov	[esi+0Ch], ax
		mov	bl, 1
		lea	eax, [edx+1]
		mov	[esi+20h], eax
		mov	eax, [esi+1Ch]
		and	eax, 7
		or	eax, 8
		mov	[esi+1Ch], eax
		test	ds:byte_70EFC6,	bl
		jnz	loc_5EC16C
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	loc_51EAA8
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_2C]
		cmp	eax, ecx
		jnz	loc_51EAA0

loc_51E659:				; CODE XREF: ExpAcquireResourceSharedLite+53Aj
					; ExpAcquireResourceSharedLite+CDBF7j
		mov	cl, byte ptr [ebp+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4214h
		inc	large dword ptr	fs:41E4h
		test	bh, bh
		jnz	loc_5EC17C

loc_51E678:				; CODE XREF: ExpAcquireResourceSharedLite+CDB7Dj
					; ExpAcquireResourceSharedLite+CDBE7j ...
		mov	al, bl
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51E681:				; CODE XREF: ExpAcquireResourceSharedLite+89j
		mov	ax, [esi+0Eh]
		mov	ecx, 80h
		and	ax, cx
		movzx	eax, ax
		test	ax, ax
		jnz	loc_51E8C4

loc_51E699:				; CODE XREF: ExpAcquireResourceSharedLite+4F9j
		mov	eax, [esi+2Ch]
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_1C], eax
		call	_ExpGetThreadResourceHint@4 ; ExpGetThreadResourceHint(x)
		lea	edi, [esi+18h]
		mov	[ebp+var_18], eax
		mov	eax, [edi]
		mov	[ebp+var_8], edi
		cmp	eax, ecx
		jz	loc_51E75D
		mov	[ebp+var_C], 0
		mov	[ebp+var_10], 0
		test	eax, eax
		jz	loc_51E833
		mov	[ebp+var_C], 1

loc_51E6D7:				; CODE XREF: ExpAcquireResourceSharedLite+2C1j
		mov	edi, [ebp+var_18]
		test	edi, edi
		jz	short loc_51E6F4
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_51E6F4
		cmp	edi, [eax+4]
		jnb	short loc_51E6F4
		lea	edi, [eax+edi*8]
		mov	[ebp+var_8], edi
		cmp	[edi], ecx
		jz	short loc_51E75D

loc_51E6F4:				; CODE XREF: ExpAcquireResourceSharedLite+15Cj
					; ExpAcquireResourceSharedLite+163j ...
		mov	eax, [esi+28h]
		add	eax, edx
		mov	[ebp+var_18], eax
		mov	eax, [esi+8]
		mov	edi, eax
		mov	[ebp+var_1C], eax
		test	edi, edi
		jz	loc_51EB47
		mov	eax, [edi+4]
		mov	edx, [ebp+var_18]
		lea	eax, [edi+eax*8]
		add	edi, 8
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], edi
		cmp	[ebp+var_C], edx
		jb	loc_51E7FF

loc_51E727:				; CODE XREF: ExpAcquireResourceSharedLite+2AEj
					; ExpAcquireResourceSharedLite+5C9j
		mov	edx, [ebp+var_10]
		test	edx, edx
		jnz	short loc_51E740
		cmp	edi, eax
		jnb	loc_51EB38
		mov	edx, edi
		test	edi, edi
		jz	loc_51EB38

loc_51E740:				; CODE XREF: ExpAcquireResourceSharedLite+1ACj
		mov	edi, edx
		mov	eax, edx
		mov	[ebp+var_8], edi

loc_51E747:				; CODE XREF: ExpAcquireResourceSharedLite+64Fj
		mov	ecx, large fs:124h
		sub	eax, [ebp+var_1C]
		sar	eax, 3
		mov	[ecx+26Ch], al
		mov	ecx, [ebp+var_4]

loc_51E75D:				; CODE XREF: ExpAcquireResourceSharedLite+134j
					; ExpAcquireResourceSharedLite+172j
		test	edi, edi
		jz	loc_51E601

loc_51E765:				; CODE XREF: ExpAcquireResourceSharedLite+51Bj
		cmp	[edi], ecx
		jz	loc_51E846
		mov	eax, [esi+20h]
		test	eax, eax
		jz	short loc_51E788
		test	byte ptr [esi+0Eh], 80h
		jnz	loc_51E953
		cmp	dword ptr [esi+2Ch], 0
		jnz	loc_51E953

loc_51E788:				; CODE XREF: ExpAcquireResourceSharedLite+1F2j
		mov	edx, [ebp+var_8]
		inc	eax
		mov	[esi+20h], eax
		mov	edi, 1
		mov	[esi+0Ch], di
		mov	eax, [edx+4]
		and	eax, 7
		mov	[edx], ecx
		or	eax, 8
		mov	[edx+4], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5EC143
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	loc_51E941
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_2C]
		cmp	eax, ecx
		jnz	loc_51E939

loc_51E7D5:				; CODE XREF: ExpAcquireResourceSharedLite+3CEj
					; ExpAcquireResourceSharedLite+CDBCEj
		mov	cl, byte ptr [ebp+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_51E7DE:				; CODE XREF: ExpAcquireResourceSharedLite+4F1j
		inc	large dword ptr	fs:4214h
		inc	large dword ptr	fs:41E4h
		test	bh, bh
		jnz	loc_5EC153

loc_51E7F4:				; CODE XREF: ExpAcquireResourceSharedLite+31Dj
					; ExpAcquireResourceSharedLite+3A1j ...
		mov	bl, 1
		mov	al, bl
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51E7FF:				; CODE XREF: ExpAcquireResourceSharedLite+1A1j
		mov	eax, [ebp+var_10]

loc_51E802:				; CODE XREF: ExpAcquireResourceSharedLite+339j
		mov	edx, [edi]
		cmp	edx, ecx
		mov	[ebp+var_20], edx
		mov	edx, [ebp+var_18]
		jz	loc_51EBCD
		cmp	[ebp+var_20], 0
		jz	loc_51E8A8
		inc	[ebp+var_C]
		cmp	[ebp+var_C], edx
		jnz	loc_51E8B0
		add	edi, 8

loc_51E82B:				; CODE XREF: ExpAcquireResourceSharedLite+33Fj
		mov	eax, [ebp+var_14]
		jmp	loc_51E727
; 

loc_51E833:				; CODE XREF: ExpAcquireResourceSharedLite+14Aj
		mov	eax, [ebp+var_1C]
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, edi
		mov	[ebp+var_10], eax
		jmp	loc_51E6D7
; 

loc_51E846:				; CODE XREF: ExpAcquireResourceSharedLite+1E7j
		mov	eax, [edi+4]
		add	eax, 8
		mov	[edi+4], eax
		shr	eax, 3
		test	ds:byte_70EFC6,	1
		mov	[ebp+var_20], eax
		jnz	loc_5EC0D8
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	loc_51EB56
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_2C]
		cmp	eax, ecx
		jnz	loc_51EB4E

loc_51E884:				; CODE XREF: ExpAcquireResourceSharedLite+5E8j
					; ExpAcquireResourceSharedLite+CDB63j
		mov	cl, byte ptr [ebp+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4218h
		inc	large dword ptr	fs:41E4h
		test	bh, bh
		jz	loc_51E7F4
		jmp	loc_5EC0E8
; 

loc_51E8A8:				; CODE XREF: ExpAcquireResourceSharedLite+296j
		test	eax, eax
		jz	loc_51EADB

loc_51E8B0:				; CODE XREF: ExpAcquireResourceSharedLite+2A2j
					; ExpAcquireResourceSharedLite+560j
		add	edi, 8
		mov	[ebp+var_8], edi
		cmp	edi, [ebp+var_14]
		jnz	loc_51E802
		jmp	loc_51E82B
; 

loc_51E8C4:				; CODE XREF: ExpAcquireResourceSharedLite+113j
		cmp	[esi+18h], edi
		jnz	loc_51EA76
		mov	edi, [esi+1Ch]
		add	edi, 8
		mov	[esi+1Ch], edi
		shr	edi, 3
		test	ds:byte_70EFC6,	1
		jnz	loc_5EC0B2
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	loc_51EBDC
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_2C]
		cmp	eax, ecx
		jnz	loc_51EBD4

loc_51E908:				; CODE XREF: ExpAcquireResourceSharedLite+66Ej
					; ExpAcquireResourceSharedLite+CDB3Dj
		mov	cl, byte ptr [ebp+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4210h
		inc	large dword ptr	fs:41E4h
		test	bh, bh
		jz	loc_51E7F4
		jmp	loc_5EC0C2
; 

loc_51E92C:				; CODE XREF: ExpAcquireResourceSharedLite+7Bj
		lea	ecx, [ebp+var_2C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_51E601
; 

loc_51E939:				; CODE XREF: ExpAcquireResourceSharedLite+24Fj
		lea	ecx, [ebp+var_2C]
		call	KxWaitForLockChainValid

loc_51E941:				; CODE XREF: ExpAcquireResourceSharedLite+238j
		mov	[ebp+var_2C], 0
		add	eax, 4
		lock xor [eax],	edi
		jmp	loc_51E7D5
; 

loc_51E953:				; CODE XREF: ExpAcquireResourceSharedLite+1F8j
					; ExpAcquireResourceSharedLite+202j
		test	bl, bl
		jz	loc_51EB8B
		mov	eax, [edi+4]
		and	eax, 7
		mov	[edi], ecx
		or	eax, 8
		mov	[edi+4], eax
		lea	eax, [ebp+var_34]
		inc	dword ptr [esi+28h]
		mov	[ebp+var_30], eax
		mov	[ebp+var_34], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_3C], 40001h
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], 0
		test	eax, eax
		jnz	loc_51EAF9
		lea	eax, [ebp+var_48]
		mov	[ebp+var_44], eax
		mov	[ebp+var_48], eax

loc_51E99A:				; CODE XREF: ExpAcquireResourceSharedLite+594j
		lea	eax, [ebp+var_48]
		mov	[esi+10h], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5EC119
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	loc_51EB21
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_2C]
		cmp	eax, ecx
		jnz	loc_51EB19

loc_51E9CF:				; CODE XREF: ExpAcquireResourceSharedLite+5B3j
					; ExpAcquireResourceSharedLite+CDBA4j
		mov	cl, byte ptr [ebp+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:421Ch
		test	bh, bh
		jnz	loc_5EC129

loc_51E9E7:				; CODE XREF: ExpAcquireResourceSharedLite+CDBB7j
		mov	edx, large fs:124h
		xor	edi, edi
		mov	ecx, edx
		mov	[ebp+var_1C], edx
		call	_PsGetBaseIoPriorityThread@4 ; PsGetBaseIoPriorityThread(x)
		cmp	eax, 2
		jl	loc_51EB6D

loc_51EA03:				; CODE XREF: ExpAcquireResourceSharedLite+5F4j
					; ExpAcquireResourceSharedLite+600j
		cmp	eax, 1
		jle	short loc_51EA12

loc_51EA08:				; CODE XREF: ExpAcquireResourceSharedLite+606j
		test	byte ptr [esi+0Eh], 4
		jz	loc_51EAEF

loc_51EA12:				; CODE XREF: ExpAcquireResourceSharedLite+486j
					; ExpAcquireResourceSharedLite+574j
		movzx	eax, word ptr [esi+0Eh]
		mov	edx, eax
		mov	ecx, eax
		shr	edx, 8
		shr	ecx, 8
		test	al, 2
		jz	loc_51EAE5

loc_51EA28:				; CODE XREF: ExpAcquireResourceSharedLite+56Aj
		mov	eax, [ebp+var_1C]
		movsx	ecx, byte ptr [eax+87h]
		movzx	eax, dl
		cmp	ecx, eax
		jg	loc_51EAD0

loc_51EA3D:				; CODE XREF: ExpAcquireResourceSharedLite+556j
		test	edi, edi
		jnz	short loc_51EABF

loc_51EA41:				; CODE XREF: ExpAcquireResourceSharedLite+54Bj
		push	offset _ExpApplyRewaitBoost@4 ;	ExpApplyRewaitBoost(x)
		push	10244h
		lea	edx, [ebp+var_48]
		mov	ecx, esi
		call	ExpWaitForResource
		mov	eax, [ebp+var_4]
		test	al, 3
		jnz	loc_5EC13C
		movzx	ecx, byte ptr [eax+26Ch]

loc_51EA67:				; CODE XREF: ExpAcquireResourceSharedLite+CDBBEj
		push	ecx
		mov	edx, eax
		mov	ecx, esi
		call	ExpBoostIoAfterAcquire
		jmp	loc_51E7DE
; 

loc_51EA76:				; CODE XREF: ExpAcquireResourceSharedLite+347j
		test	ax, ax
		jz	loc_51E699
		lea	edx, [ebp+var_2C]
		mov	ecx, esi
		call	@ExpFindEmptyEntry@8 ; ExpFindEmptyEntry(x,x)
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	loc_51E604
		mov	ecx, [ebp+var_4]
		mov	edi, eax
		jmp	loc_51E765
; 

loc_51EAA0:				; CODE XREF: ExpAcquireResourceSharedLite+D3j
		lea	ecx, [ebp+var_2C]
		call	KxWaitForLockChainValid

loc_51EAA8:				; CODE XREF: ExpAcquireResourceSharedLite+BCj
		mov	[ebp+var_2C], 0
		add	eax, 4
		mov	edi, 1
		lock xor [eax],	edi
		jmp	loc_51E659
; 

loc_51EABF:				; CODE XREF: ExpAcquireResourceSharedLite+4BFj
		push	[ebp+var_1C]
		mov	edx, edi
		mov	ecx, esi
		call	ExpApplyPriorityBoost
		jmp	loc_51EA41
; 

loc_51EAD0:				; CODE XREF: ExpAcquireResourceSharedLite+4B7j
		or	edi, 0FF00h
		jmp	loc_51EA3D
; 

loc_51EADB:				; CODE XREF: ExpAcquireResourceSharedLite+32Aj
		mov	eax, edi
		mov	[ebp+var_10], eax
		jmp	loc_51E8B0
; 

loc_51EAE5:				; CODE XREF: ExpAcquireResourceSharedLite+4A2j
		or	edi, 2
		mov	dl, cl
		jmp	loc_51EA28
; 

loc_51EAEF:				; CODE XREF: ExpAcquireResourceSharedLite+48Cj
		mov	edi, 4
		jmp	loc_51EA12
; 

loc_51EAF9:				; CODE XREF: ExpAcquireResourceSharedLite+40Bj
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_5EC112
		mov	[ebp+var_44], ecx
		lea	edx, [ebp+var_48]
		mov	[ebp+var_48], eax
		mov	[ecx], edx
		mov	ecx, edx
		mov	[eax+4], ecx
		jmp	loc_51E99A
; 

loc_51EB19:				; CODE XREF: ExpAcquireResourceSharedLite+449j
		lea	ecx, [ebp+var_2C]
		call	KxWaitForLockChainValid

loc_51EB21:				; CODE XREF: ExpAcquireResourceSharedLite+432j
		mov	[ebp+var_2C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_51E9CF
; 

loc_51EB38:				; CODE XREF: ExpAcquireResourceSharedLite+1B0j
					; ExpAcquireResourceSharedLite+1BAj
		lea	edx, [ebp+var_2C]
		mov	ecx, esi
		call	ExpExpandResourceOwnerTable
		jmp	loc_51E601
; 

loc_51EB47:				; CODE XREF: ExpAcquireResourceSharedLite+186j
		xor	eax, eax
		jmp	loc_51E727
; 

loc_51EB4E:				; CODE XREF: ExpAcquireResourceSharedLite+2FEj
		lea	ecx, [ebp+var_2C]
		call	KxWaitForLockChainValid

loc_51EB56:				; CODE XREF: ExpAcquireResourceSharedLite+2E7j
		mov	[ebp+var_2C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_51E884
; 

loc_51EB6D:				; CODE XREF: ExpAcquireResourceSharedLite+47Dj
		cmp	edx, large fs:124h
		jnz	loc_51EA03
		cmp	[edx+32Ch], edi
		jz	loc_51EA03
		jmp	loc_51EA08
; 

loc_51EB8B:				; CODE XREF: ExpAcquireResourceSharedLite+3D5j
		test	ds:byte_70EFC6,	1
		jnz	loc_5EC102
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	short loc_51EBFB
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_2C]
		cmp	eax, ecx
		jnz	short loc_51EBF3

loc_51EBB2:				; CODE XREF: ExpAcquireResourceSharedLite+68Dj
					; ExpAcquireResourceSharedLite+CDB8Dj
		mov	cl, byte ptr [ebp+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4220h
		xor	bl, bl
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51EBCD:				; CODE XREF: ExpAcquireResourceSharedLite+28Cj
		mov	eax, edi
		jmp	loc_51E747
; 

loc_51EBD4:				; CODE XREF: ExpAcquireResourceSharedLite+382j
		lea	ecx, [ebp+var_2C]
		call	KxWaitForLockChainValid

loc_51EBDC:				; CODE XREF: ExpAcquireResourceSharedLite+36Bj
		mov	[ebp+var_2C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_51E908
; 

loc_51EBF3:				; CODE XREF: ExpAcquireResourceSharedLite+630j
		lea	ecx, [ebp+var_2C]
		call	KxWaitForLockChainValid

loc_51EBFB:				; CODE XREF: ExpAcquireResourceSharedLite+61Dj
		mov	[ebp+var_2C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_51EBB2
ExpAcquireResourceSharedLite endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ExpTryAcquireResourceExclusive(x)
_ExpTryAcquireResourceExclusive@4 proc near ; CODE XREF: ExAcquireResourceExclusiveLite+8Ap
					; ExpTryToAcquireResourceExclusiveLite(x)+4Bp ...
		cmp	dword ptr [ecx+20h], 0
		jnz	short loc_51EC2C
		mov	eax, 80h
		or	[ecx+0Eh], ax
		mov	eax, 1
		mov	[ecx+0Ch], ax
		mov	[ecx+20h], eax
		retn
; 

loc_51EC2C:				; CODE XREF: ExpTryAcquireResourceExclusive(x)+4j
		xor	al, al
		retn
_ExpTryAcquireResourceExclusive@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PsBoostThreadIo(x, x)
_PsBoostThreadIo@8 proc	near		; CODE XREF: PopAcquirePolicyLock()+9p
					; PopReleasePolicyLock()+27p ...
		push	0
		push	0
		call	PsBoostThreadIoEx
		retn
_PsBoostThreadIo@8 endp	; sp = -8

; 
		align 10h

PsBoostThreadIoEx:			; CODE XREF: .text:0043BB37p
					; CcApplyLowIoPriorityToThread+45Cp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	byte ptr [ebp-1], 0
		xor	ecx, ecx
		mov	bh, dl
		cmp	ds:_PspAlwaysTrackIoBoosting, ecx
		jnz	loc_5A852D
		mov	bl, [ebp+8]
		test	bl, bl
		jnz	loc_51ECFA

loc_51EC6A:				; CODE XREF: .text:0051ED52j
		lea	eax, [edi+32Ch]
		test	bh, bh
		jz	short loc_51ECA2
		cmp	dword ptr [eax], 0
		jz	loc_51EDFC
		or	esi, 0FFFFFFFFh
		lock xadd [eax], esi
		dec	esi
		test	bl, bl
		jnz	loc_51ED57

loc_51EC8D:				; CODE XREF: .text:0051EDB0j
					; .text:0051EDD7j
		test	bh, bh
		jz	short loc_51ECB4
		test	esi, esi

loc_51EC93:				; CODE XREF: .text:0051ECB7j
		jnz	short loc_51EC99
		test	bh, bh
		jz	short loc_51ECB9

loc_51EC99:				; CODE XREF: .text:loc_51EC93j
					; .text:0051ECC0j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_51ECA2:				; CODE XREF: .text:0051EC72j
		mov	esi, 1
		lock xadd [eax], esi
		inc	esi
		test	bl, bl
		jnz	loc_51EDDC

loc_51ECB4:				; CODE XREF: .text:0051EC8Fj
		cmp	esi, 1
		jmp	short loc_51EC93
; 

loc_51ECB9:				; CODE XREF: .text:0051EC97j
		cmp	byte ptr [edi+1E5h], 0
		jz	short loc_51EC99
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, large fs:20h
		lea	edx, [edi+1ECh]
		push	edx
		mov	ecx, edi
		mov	bl, al
		lea	edx, [esi+45E4h]
		call	_KiAbThreadInsertList@12 ; KiAbThreadInsertList(x,x,x)
		test	eax, eax
		jz	short loc_51ECF0
		mov	ecx, esi
		call	_KiAbQueueAutoBoostDpc@4 ; KiAbQueueAutoBoostDpc(x)

loc_51ECF0:				; CODE XREF: .text:0051ECE7j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_51EC99
; 

loc_51ECFA:				; CODE XREF: .text:0051EC64j
					; .text:005A852Fj
		push	736F6F42h
		push	38h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_51ED3C
		push	38h
		push	0
		push	esi
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+8]
		push	0
		push	eax
		push	0Ah
		push	1
		call	RtlCaptureStackBackTrace
		mov	eax, large fs:124h
		mov	[esi+30h], eax
		mov	eax, [ebp+0Ch]
		mov	[esi+34h], eax

loc_51ED3C:				; CODE XREF: .text:0051ED0Fj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+34Ch]
		mov	[ebp-1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, esi
		jmp	loc_51EC6A
; 

loc_51ED57:				; CODE XREF: .text:0051EC87j
		cmp	dword ptr [eax], 0
		jnz	loc_5A855D
		test	ecx, ecx
		jz	short loc_51ED8A
		jmp	short loc_51ED7F
; 

loc_51ED66:				; CODE XREF: .text:0051ED98j
		mov	edx, [ecx]
		cmp	[ecx+4], eax
		jnz	loc_51EE00
		cmp	[edx+4], ecx
		jnz	loc_51EE00
		mov	[eax], edx
		mov	[edx+4], eax

loc_51ED7F:				; CODE XREF: .text:0051ED64j
		push	736F6F42h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_51ED8A:				; CODE XREF: .text:0051ED62j
		mov	ecx, [edi+33Ch]
		lea	eax, [edi+33Ch]
		cmp	ecx, eax
		jnz	short loc_51ED66

loc_51ED9A:				; CODE XREF: .text:005A8558j
		mov	ecx, [edi+344h]
		lea	eax, [edi+344h]
		cmp	ecx, eax
		jnz	loc_5A8534

loc_51EDAE:				; CODE XREF: .text:0051EDDEj
					; .text:0051EDFAj ...
		test	bl, bl
		jz	loc_51EC8D
		test	ds:byte_70EFC6,	1
		lea	eax, [edi+34Ch]
		jnz	loc_5A857E
		xor	ecx, ecx
		lock and [eax],	ecx

loc_51EDCE:				; CODE XREF: .text:005A8588j
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_51EC8D
; 

loc_51EDDC:				; CODE XREF: .text:0051ECAEj
		test	ecx, ecx
		jz	short loc_51EDAE
		mov	edx, [edi+340h]
		lea	eax, [edi+33Ch]
		cmp	[edx], eax
		jnz	short loc_51EE00

loc_51EDF0:				; CODE XREF: .text:005A8579j
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		jmp	short loc_51EDAE
; 

loc_51EDFC:				; CODE XREF: .text:0051EC77j
		xor	esi, esi
		jmp	short loc_51EDAE
; 

loc_51EE00:				; CODE XREF: .text:0051ED6Bj
					; .text:0051ED74j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KeAbProcessEffectiveIoPriorityChange(x, x)
_KeAbProcessEffectiveIoPriorityChange@8	proc near ; CODE XREF: ExpApplyPriorityBoost+364p
					; PsBoostThreadIoQoS+CC02Fj
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	edx, edx
		jnz	short loc_51EE21
		cmp	[esi+1E5h], dl
		jnz	short loc_51EE23

loc_51EE21:				; CODE XREF: KeAbProcessEffectiveIoPriorityChange(x,x)+7j
		pop	esi
		retn
; 

loc_51EE23:				; CODE XREF: KeAbProcessEffectiveIoPriorityChange(x,x)+Fj
		push	ebx
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, large fs:20h
		lea	edx, [esi+1ECh]
		push	edx
		mov	ecx, esi
		mov	bl, al
		lea	edx, [edi+45E4h]
		call	_KiAbThreadInsertList@12 ; KiAbThreadInsertList(x,x,x)
		test	eax, eax
		jz	short loc_51EE53
		mov	ecx, edi
		call	_KiAbQueueAutoBoostDpc@4 ; KiAbQueueAutoBoostDpc(x)

loc_51EE53:				; CODE XREF: KeAbProcessEffectiveIoPriorityChange(x,x)+3Aj
		pop	edi
		mov	cl, bl
		pop	ebx
		pop	esi
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_KeAbProcessEffectiveIoPriorityChange@8	endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry  65. ExReleaseResourceLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExReleaseResourceLite
ExReleaseResourceLite proc near		; CODE XREF: MiLookupDataTableEntry(x,x)+AEp
					; SepDesktopAppxSubProcessToken(x,x,x,x,x)+262p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005EC193 SIZE 000000A8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		movzx	ecx, word ptr [esi+0Eh]
		mov	eax, ecx
		mov	edx, ecx
		and	eax, 1
		jnz	loc_5EC193

loc_51EE8E:				; CODE XREF: ExReleaseResourceLite+CD326j
		test	ax, ax
		jnz	loc_51EF23

loc_51EE97:				; CODE XREF: ExReleaseResourceLite+CD37Dj
		test	cl, 1
		jnz	loc_5EC1F2
		mov	ebx, large fs:124h
		lea	edi, [esi+34h]
		xor	eax, eax
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_4], al
		jnz	loc_5EC1FE
		lea	edx, [ebp+var_C]
		xchg	edx, [edi]
		test	edx, edx
		jnz	short loc_51EF19

loc_51EED4:				; CODE XREF: ExReleaseResourceLite+B1j
					; ExReleaseResourceLite+CD398j
		mov	edx, large fs:124h
		movzx	ecx, word ptr [esi+0Eh]
		test	cl, 1
		jnz	loc_5EC20D
		cmp	_ExpResourceEnforceOwnerTransfer, 0
		jnz	loc_5EC20D

loc_51EEF5:				; CODE XREF: ExReleaseResourceLite+CD3A4j
					; ExReleaseResourceLite+CD3ACj
		lea	eax, [ebp+var_C]
		test	cl, cl
		mov	edx, ebx
		mov	ecx, esi
		push	eax
		js	short loc_51EF0D
		call	ExpReleaseResourceSharedForThreadLite

loc_51EF06:				; CODE XREF: ExReleaseResourceLite+CD389j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51EF0D:				; CODE XREF: ExReleaseResourceLite+8Fj
		call	ExpReleaseResourceExclusiveForThreadLite
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51EF19:				; CODE XREF: ExReleaseResourceLite+62j
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_51EED4
; 

loc_51EF23:				; CODE XREF: ExReleaseResourceLite+21j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		cmp	al, 2
		ja	loc_5EC1AD
		jmp	loc_5EC1C1
ExReleaseResourceLite endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpReleaseResourceSharedForThreadLite proc near	; CODE XREF: SepMandatoryIntegrityCheck+53Cp
					; ExReleaseResourceAndLeaveCriticalRegion:loc_51D74Ep ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005EC23B SIZE 000001CC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, edx
		test	dword ptr ds:byte_70EFC4, 20000h
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], esi
		jnz	loc_5EC232
		mov	[ebp+var_1], 0

loc_51EF68:				; CODE XREF: ExReleaseResourceLite+CD3C6j
		test	bl, 3
		jnz	loc_5EC23B
		movzx	eax, byte ptr [ebx+26Ch]

loc_51EF78:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+CD2FDj
		mov	ecx, [edi+18h]
		lea	edx, [edi+18h]
		mov	[ebp+var_C], edx
		cmp	ecx, ebx
		jnz	loc_51F0A6

loc_51EF89:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+193j
					; ExpReleaseResourceSharedForThreadLite+40Dj
		mov	ecx, [edx+4]
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		lea	ebx, ds:0FFFFFFF8h[eax*8]
		or	ebx, ecx
		mov	[edx+4], ebx
		cmp	ebx, 8
		jnb	loc_51F15A
		mov	ecx, [edx]
		test	bl, 2
		jnz	loc_5EC263
		mov	[ebp+var_20], ecx
		test	cl, 3
		jnz	short loc_51EFDB

loc_51EFBC:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+CD329j
		test	ecx, ecx
		jz	short loc_51EFDB
		test	bl, 1
		jnz	loc_51F36D
		mov	eax, ebx

loc_51EFCB:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+445j
		test	al, 4
		jnz	loc_51F1A7

loc_51EFD3:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+275j
		test	al, 2
		jnz	loc_5EC26E

loc_51EFDB:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+7Aj
					; ExpReleaseResourceSharedForThreadLite+7Ej ...
		mov	dword ptr [edx], 0
		xor	edx, edx
		cmp	dword ptr [edi+20h], 1
		mov	eax, [edi+24h]
		mov	[ebp+var_30], eax
		mov	[ebp+var_20], edx
		ja	short loc_51F006
		mov	eax, [edi+2Ch]
		test	eax, eax
		jnz	loc_51F1BA
		cmp	[edi+28h], edx
		jnz	loc_5EC2A9

loc_51F006:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+B0j
		xor	ecx, ecx

loc_51F008:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+2BFj
					; ExpReleaseResourceSharedForThreadLite+CD378j
		lea	eax, [ecx-1]
		add	[edi+20h], eax
		jnz	short loc_51F016
		xor	eax, eax
		mov	[edi+0Ch], ax

loc_51F016:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+CEj
		cmp	dword ptr [edi+2Ch], 0
		jnz	short loc_51F02B
		cmp	dword ptr [edi+28h], 0
		jnz	short loc_51F02B
		mov	eax, 0F9h
		and	[edi+0Eh], ax

loc_51F02B:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+DAj
					; ExpReleaseResourceSharedForThreadLite+E0j
		mov	al, [edi+0Fh]
		mov	[ebp+var_2], al
		movzx	eax, al
		mov	[ebp+var_40], eax
		test	edx, edx
		jnz	loc_51F26D

loc_51F03F:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+33Cj
		test	ds:byte_70EFC6,	1
		mov	ebx, [ebp+arg_0]
		jnz	loc_5EC2BD
		mov	eax, [ebx]
		test	eax, eax
		jnz	loc_51F144
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jnz	loc_51F13A

loc_51F06C:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+CD387j
		mov	esi, [ebp+var_8]

loc_51F06F:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+215j
		mov	cl, [ebx+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, 1
		test	esi, esi
		jnz	loc_51F204

loc_51F085:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+3CDj
		mov	esi, 10042h
		xor	ebx, ebx

loc_51F08C:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+262j
		inc	large dword ptr	fs:41F0h
		cmp	[ebp+var_1], 0
		jnz	loc_5EC3F5

loc_51F09D:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+CD4C2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_51F0A6:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+43j
		xor	edx, edx
		test	ecx, ecx
		setnz	dl
		neg	ecx
		mov	[ebp+var_30], edx
		lea	edx, [edi+18h]
		sbb	ecx, ecx
		not	ecx
		and	ecx, edx
		test	eax, eax
		jz	short loc_51F0D9
		mov	edx, [edi+8]
		test	edx, edx
		jz	short loc_51F0D9
		cmp	eax, [edx+4]
		jnb	short loc_51F0D9
		lea	edx, [edx+eax*8]
		mov	[ebp+var_C], edx
		cmp	[edx], ebx
		jz	loc_51EF89

loc_51F0D9:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+17Dj
					; ExpReleaseResourceSharedForThreadLite+184j ...
		mov	esi, [edi+28h]
		add	esi, [edi+20h]
		mov	edx, [edi+8]
		mov	[ebp+var_2C], esi
		mov	[ebp+var_20], edx
		test	edx, edx
		jz	loc_5EC242
		mov	eax, [edx+4]
		lea	eax, [edx+eax*8]
		add	edx, 8
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_30]
		mov	[ebp+var_C], edx
		cmp	eax, esi
		jnb	loc_5EC242
		lea	ebx, [ebx+0]

loc_51F110:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+1F3j
		mov	esi, [edx]
		cmp	esi, ebx
		jz	loc_51F335
		test	esi, esi
		jnz	loc_51F352
		test	ecx, ecx
		jz	loc_51F366

loc_51F12A:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+416j
					; ExpReleaseResourceSharedForThreadLite+428j
		add	edx, 8
		mov	[ebp+var_C], edx
		cmp	edx, [ebp+var_28]
		jnz	short loc_51F110
		jmp	loc_5EC242
; 

loc_51F13A:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+126j
		mov	ecx, ebx
		call	KxWaitForLockChainValid
		mov	esi, [ebp+var_8]

loc_51F144:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+113j
		mov	dword ptr [ebx], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_51F06F
; 

loc_51F15A:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+63j
		mov	eax, [edi+24h]
		mov	esi, 10052h
		shr	ebx, 3
		test	ds:byte_70EFC6,	1
		mov	[ebp+var_30], eax
		jnz	loc_5EC253
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	loc_51F394
		mov	ecx, [eax+4]
		xor	edx, edx
		lock cmpxchg [ecx], edx
		mov	ecx, [ebp+arg_0]
		cmp	eax, ecx
		jnz	loc_51F38A

loc_51F196:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+465j
					; ExpReleaseResourceSharedForThreadLite+CD31Ej
		mov	eax, [ebp+arg_0]
		mov	cl, [eax+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_51F08C
; 

loc_51F1A7:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+8Dj
		lock dec dword ptr [ecx+330h]
		and	dword ptr [edx+4], 0FFFFFFFBh
		mov	eax, [edx+4]
		jmp	loc_51EFD3
; 

loc_51F1BA:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+B7j
		mov	ecx, [edi+14h]
		test	ecx, ecx
		jz	loc_5EC29F
		mov	eax, [ecx]
		cmp	eax, ecx
		jnz	loc_51F312
		mov	[edi+14h], edx

loc_51F1D2:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+3F0j
		mov	edx, [ecx+8]
		mov	[ebp+var_20], edx
		test	esi, esi
		jnz	loc_5EC285
		mov	[ecx+4], ecx
		mov	[ecx], ecx

loc_51F1E5:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+CD35Aj
		mov	eax, [edi+2Ch]
		mov	esi, ecx
		mov	[ebp+var_8], esi

loc_51F1ED:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+CD364j
		dec	eax
		mov	ecx, 1
		mov	[edi+2Ch], eax
		mov	eax, 80h
		or	[edi+0Eh], ax
		jmp	loc_51F008
; 

loc_51F204:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+13Fj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, large fs:20h
		mov	esi, [ebp+var_8]
		mov	byte ptr [ebp+var_44], al
		mov	[ebp+var_14], ecx
		lea	ebx, [ebx+0]

loc_51F220:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+CD4B0j
		mov	eax, esi
		mov	[ebp+var_34], 0
		mov	esi, [esi]
		mov	[ebp+var_1C], eax
		mov	[ebp+arg_0], esi
		lea	edx, [eax+0Ch]
		mov	[ebp+var_2C], edx
		lock bts dword ptr [edx], 7
		jb	loc_51F3AA

loc_51F242:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+48Ej
		mov	[eax+10h], ebx
		add	eax, 14h
		mov	[ebp+var_3C], eax
		mov	edx, [eax]
		cmp	edx, eax
		jz	short loc_51F2C0

loc_51F251:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+CD4A2j
		mov	eax, edx
		mov	edx, [edx]
		mov	[ebp+var_10], eax
		mov	[ebp+var_38], edx
		mov	esi, [eax+4]
		mov	[ebp+var_18], esi
		cmp	[edx+4], eax
		jz	short loc_51F281

loc_51F266:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+346j
					; ExpReleaseResourceSharedForThreadLite+3DDj ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_51F26D:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+F9j
		mov	eax, [edi+1Ch]
		and	eax, 7
		mov	[edi+18h], edx
		or	eax, 8
		mov	[edi+1Ch], eax
		jmp	loc_51F03F
; 

loc_51F281:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+324j
		mov	esi, [ebp+var_18]
		cmp	[esi], eax
		jnz	short loc_51F266
		mov	[esi], edx
		mov	[edx+4], esi
		mov	dl, [eax+8]
		mov	esi, [ebp+arg_0]
		cmp	dl, 1
		jnz	loc_5EC2CC
		movzx	eax, word ptr [eax+0Ah]
		mov	edx, [ebp+var_10]
		push	0
		push	eax
		call	KiTryUnwaitThread
		test	al, al
		jz	loc_5EC3D9
		mov	eax, [ebp+var_1C]
		add	dword ptr [eax+10h], 0FFFFFFFFh
		jnz	loc_5EC3D9

loc_51F2C0:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+30Fj
					; ExpReleaseResourceSharedForThreadLite+CD483j	...
		mov	eax, [ebp+var_2C]
		mov	ecx, 0FFFFFF7Fh
		lock and [eax],	ecx
		cmp	esi, [ebp+var_8]
		jnz	loc_5EC3ED
		mov	esi, [ebp+var_14]
		mov	ecx, esi
		mov	edx, [esi+4]
		call	KiRemoveBoostThread
		mov	ecx, [ebp+var_40]
		test	ecx, ecx
		jz	short loc_51F2F2
		mov	ebx, 2
		cmp	al, [ebp+var_2]
		jg	short loc_51F361

loc_51F2F2:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+3A6j
					; ExpReleaseResourceSharedForThreadLite+424j
		cmp	ebx, 1
		jnz	short loc_51F2FF
		cmp	[ebp+var_20], 0
		jz	short loc_51F2FF
		mov	ecx, ebx

loc_51F2FF:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+3B5j
					; ExpReleaseResourceSharedForThreadLite+3BBj
		push	[ebp+var_44]
		xor	edx, edx
		push	ecx
		push	ebx
		mov	ecx, esi
		call	KiExitDispatcher
		jmp	loc_51F085
; 

loc_51F312:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+289j
		mov	[edi+14h], eax
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jnz	loc_51F266
		cmp	[eax], ecx
		jnz	loc_51F266
		mov	[eax], edx
		mov	[edx+4], eax
		jmp	loc_51F1D2
; 

loc_51F335:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+1D4j
		mov	ecx, large fs:124h
		mov	eax, edx
		sub	eax, [ebp+var_20]
		mov	esi, [ebp+var_8]
		sar	eax, 3
		mov	[ecx+26Ch], al
		jmp	loc_51EF89
; 

loc_51F352:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+1DCj
		inc	eax
		cmp	eax, [ebp+var_2C]
		jnz	loc_51F12A
		jmp	loc_5EC242
; 

loc_51F361:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+3B0j
		movsx	ecx, al
		jmp	short loc_51F2F2
; 

loc_51F366:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+1E4j
		mov	ecx, edx
		jmp	loc_51F12A
; 

loc_51F36D:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+83j
		push	0
		push	0
		mov	dl, 1
		call	PsBoostThreadIoEx
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_20]
		and	dword ptr [edx+4], 0FFFFFFFEh
		mov	eax, [edx+4]
		jmp	loc_51EFCB
; 

loc_51F38A:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+250j
		call	KxWaitForLockChainValid
		mov	ecx, eax
		mov	eax, [ebp+arg_0]

loc_51F394:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+23Cj
		mov	dword ptr [eax], 0
		mov	edx, 1
		lea	eax, [ecx+4]
		lock xor [eax],	edx
		jmp	loc_51F196
; 

loc_51F3AA:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+2FCj
		mov	esi, [ebp+var_2C]
		lea	ecx, [ecx+0]

loc_51F3B0:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+47Cj
					; ExpReleaseResourceSharedForThreadLite+483j
		lea	ecx, [ebp+var_34]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	al, al
		js	short loc_51F3B0
		lock bts dword ptr [esi], 7
		jb	short loc_51F3B0
		mov	esi, [ebp+arg_0]
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_1C]
		jmp	loc_51F242
ExpReleaseResourceSharedForThreadLite endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopReleaseFileObjectLock(x)
_IopReleaseFileObjectLock@4 proc near	; CODE XREF: .text:0052203Ap
					; .text:005220EAp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, large fs:124h
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		movsx	eax, byte ptr [eax+87h]
		mov	[ebp+var_4], eax
		lea	eax, [esi+44h]
		xchg	ecx, [eax]
		cmp	dword ptr [esi+40h], 0
		lea	edi, [esi+4Ch]
		jnz	short loc_51F425

loc_51F40C:				; CODE XREF: IopReleaseFileObjectLock(x)+58j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, esi
		call	ObfDereferenceObject
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51F425:				; CODE XREF: IopReleaseFileObjectLock(x)+2Aj
		push	1
		push	0
		push	edi
		lea	eax, [ebp+var_4]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_8]
		call	KeSetEventBoostPriorityEx
		jmp	short loc_51F40C
_IopReleaseFileObjectLock@4 endp

; 
		align 10h
; Exported entry 1202. KeLeaveCriticalRegion

;  S U B	R O U T	I N E 


; __stdcall KeLeaveCriticalRegion()
		public _KeLeaveCriticalRegion@0
_KeLeaveCriticalRegion@0 proc near	; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x):loc_435418p
					; PpmIdleUsingStateSelection()+46p ...
		mov	eax, large fs:124h
		nop
		add	word ptr [eax+13Ch], 1
		jz	short loc_51F452

locret_51F451:				; CODE XREF: KeLeaveCriticalRegion()+18j
		retn
; 

loc_51F452:				; CODE XREF: KeLeaveCriticalRegion()+Fj
		nop
		lea	ecx, [eax+70h]
		cmp	[ecx], ecx
		jz	short locret_51F451
		cmp	word ptr [eax+13Eh], 0
		jz	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		retn
_KeLeaveCriticalRegion@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAbEntryFree(x, x,	x)
_KeAbEntryFree@12 proc near		; CODE XREF: KeAbPostReleaseEx+48p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	al, [esi+10h]
		or	al, 2
		mov	[esi+10h], al
		nop
		cmp	dword ptr [esi+10h], 0
		jge	short loc_51F48C
		call	KiAbEntryRemoveFromTree

loc_51F48C:				; CODE XREF: KeAbEntryFree(x,x,x)+15j
		mov	edx, [esi+2Ch]
		mov	ecx, edx
		mov	eax, [ebp+arg_0]
		and	ecx, 1FFFFh
		and	edx, 0FFFE0000h
		and	byte ptr [esi+0Dh], 0FEh
		mov	[esi+2Ch], edx
		mov	[eax], ecx
		nop
		mov	dword ptr [esi+10h], 0
		pop	esi
		pop	ebp
		retn	4
_KeAbEntryFree@12 endp

; 
		align 10h
; Exported entry 1153. KeGetCurrentThread
; Exported entry 1773. PsGetCurrentThread

;  S U B	R O U T	I N E 


; __stdcall KeGetCurrentThread()
		public _KeGetCurrentThread@0
_KeGetCurrentThread@0 proc near
		mov	eax, large fs:124h ; KeGetCurrentThread
		retn
_KeGetCurrentThread@0 endp

; 
		align 10h
; Exported entry  62. ExReleasePushLockSharedEx

;  S U B	R O U T	I N E 


		public ExReleasePushLockSharedEx
ExReleasePushLockSharedEx proc near

; FUNCTION CHUNK AT 005A858D SIZE 0000001F BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, ecx
		test	ebx, 0FFFFFFFCh
		jnz	loc_5A858D
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jnz	short loc_51F502

loc_51F4F4:				; CODE XREF: ExReleasePushLockSharedEx+39j
		test	bl, 2
		jnz	short loc_51F50B
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	KeAbPostRelease
; 

loc_51F502:				; CODE XREF: ExReleasePushLockSharedEx+22j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_51F4F4
; 

loc_51F50B:				; CODE XREF: ExReleasePushLockSharedEx+27j
		pop	esi
		pop	ebx
		retn
ExReleasePushLockSharedEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeAbPostRelease	proc near		; CODE XREF: PspStorageGetObject(x,x,x)+58p
					; SmpKeyedStoreEntryGet(x,x,x,x)+13Bp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005A85AC SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], esi
		mov	edx, esi
		mov	[ebp+var_18], edi
		and	edx, 7FFFFFFCh
		jz	loc_51F682
		mov	ebx, large fs:124h
		cmp	esi, dword_6D07D0
		jb	short loc_51F55D
		mov	eax, esi
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	loc_51F6C0
		cmp	al, 0Bh
		jz	loc_51F6C0

loc_51F55D:				; CODE XREF: KeAbPostRelease+30j
		mov	[ebp+var_8], 0FFFFFFFFh

loc_51F564:				; CODE XREF: KeAbPostRelease+1BEj
		dec	word ptr [ebx+13Eh]
		nop
		inc	byte ptr [ebx+1E6h]
		nop
		mov	al, [ebx+1E6h]
		mov	[ebp+var_1], al
		mov	al, [ebx+1E4h]
		movsx	ecx, al
		mov	al, [ebx+222h]
		movsx	eax, al
		or	eax, ecx
		xor	eax, 3Fh
		bsr	ecx, eax
		mov	[ebp+var_14], ecx
		jz	loc_51F6AE
		nop

loc_51F5A0:				; CODE XREF: KeAbPostRelease+195j
		lea	esi, [ecx+ecx*2]
		shl	esi, 4
		btr	eax, ecx
		add	esi, [ebx+1E8h]
		mov	[ebp+var_C], eax
		test	byte ptr [esi+0Eh], 1
		jz	loc_51F69F
		test	byte ptr [esi+10h], 1
		jnz	loc_51F69F
		mov	eax, [esi+10h]
		and	eax, 7FFFFFFCh
		cmp	eax, edx
		jnz	loc_51F69C
		mov	ecx, [ebp+var_8]
		cmp	[esi+14h], ecx
		jnz	loc_51F69C
		and	byte ptr [esi+0Eh], 0FEh
		nop
		mov	eax, [esi+10h]
		test	eax, eax
		jz	loc_51F69C
		test	esi, esi
		jz	loc_51F72B
		mov	al, [esi+10h]
		or	al, 2
		mov	[esi+10h], al
		nop
		cmp	[esi+10h], edi
		jl	loc_51F6D3

loc_51F60C:				; CODE XREF: KeAbPostRelease+1CAj
		mov	eax, [esi+2Ch]
		mov	edi, eax
		and	byte ptr [esi+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_18], edi
		mov	[esi+2Ch], eax
		nop
		mov	dword ptr [esi+10h], 0
		sub	esi, [ebx+1E8h]
		jnz	short loc_51F689
		xor	ecx, ecx

loc_51F638:				; CODE XREF: KeAbPostRelease+18Aj
		mov	al, 1
		shl	al, cl
		cmp	[ebp+var_1], 1
		jnz	loc_5A859E
		or	[ebx+1E4h], al

loc_51F64C:				; CODE XREF: KeAbPostRelease+1A9j
					; ExReleasePushLockSharedEx+890D7j
		nop
		dec	byte ptr [ebx+1E6h]
		mov	esi, edi
		and	esi, 1FFFFh
		jnz	loc_51F6E6

loc_51F661:				; CODE XREF: KeAbPostRelease+205j
					; KeAbPostRelease+890B6j
		nop
		mov	ax, [ebx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ebx+13Eh], ax
		test	ax, ax
		jnz	short loc_51F682
		nop
		lea	eax, [ebx+70h]
		cmp	[eax], eax
		jnz	short loc_51F6DF

loc_51F682:				; CODE XREF: KeAbPostRelease+1Dj
					; KeAbPostRelease+168j	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51F689:				; CODE XREF: KeAbPostRelease+124j
		mov	eax, 2AAAAAABh
		imul	esi
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		jmp	short loc_51F638
; 

loc_51F69C:				; CODE XREF: KeAbPostRelease+C0j
					; KeAbPostRelease+CCj ...
		mov	eax, [ebp+var_C]

loc_51F69F:				; CODE XREF: KeAbPostRelease+A6j
					; KeAbPostRelease+B0j
		bsr	ecx, eax
		mov	[ebp+var_14], ecx
		jnz	loc_51F5A0
		mov	esi, [ebp+var_10]

loc_51F6AE:				; CODE XREF: KeAbPostRelease+89j
		mov	ecx, [ebp+var_8]

loc_51F6B1:				; CODE XREF: KeAbPostRelease+21Ej
		mov	eax, [ebx+5Ch]
		test	eax, 10000h
		jnz	short loc_51F64C
		jmp	loc_5A85AC
; 

loc_51F6C0:				; CODE XREF: KeAbPostRelease+3Fj
					; KeAbPostRelease+47j
		mov	ecx, [ebx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_8], eax
		jmp	loc_51F564
; 

loc_51F6D3:				; CODE XREF: KeAbPostRelease+F6j
		mov	ecx, esi
		call	KiAbEntryRemoveFromTree
		jmp	loc_51F60C
; 

loc_51F6DF:				; CODE XREF: KeAbPostRelease+170j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_51F682
; 

loc_51F6E6:				; CODE XREF: KeAbPostRelease+14Bj
		test	edi, 8000h
		jnz	short loc_51F720

loc_51F6EE:				; CODE XREF: KeAbPostRelease+219j
		test	byte ptr [ebp+var_18+2], 1
		jnz	short loc_51F730

loc_51F6F4:				; CODE XREF: KeAbPostRelease+230j
		test	edi, 7FFFh
		jz	short loc_51F70B
		and	edi, 7FFFh
		mov	ecx, ebx
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_51F70B:				; CODE XREF: KeAbPostRelease+1EAj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_51F661
		jmp	loc_5A85BB
; 

loc_51F720:				; CODE XREF: KeAbPostRelease+1DCj
		xor	edx, edx
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_51F6EE
; 

loc_51F72B:				; CODE XREF: KeAbPostRelease+E4j
		mov	esi, [ebp+var_10]
		jmp	short loc_51F6B1
; 

loc_51F730:				; CODE XREF: KeAbPostRelease+1E2j
		lea	eax, [ebx+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [ebx+330h]
		jmp	short loc_51F6F4
KeAbPostRelease	endp

; 
		align 10h
; Exported entry 161. ObfDereferenceObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObfDereferenceObject
ObfDereferenceObject proc near		; CODE XREF: PspStorageEmptyArrayNonReadonly:loc_4315AEp
					; CmpDoFileRead+D7p ...

; FUNCTION CHUNK AT 005A85CB SIZE 00000054 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	ds:_ObpTraceFlags, 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebx-18h]
		jnz	loc_5A85CB

loc_51F76E:				; CODE XREF: ObfDereferenceObject+88E8Bj
		or	esi, 0FFFFFFFFh
		lock xadd [edi], esi
		dec	esi
		test	esi, esi
		jle	short loc_51F783

loc_51F77A:				; CODE XREF: ObfDereferenceObject+9Dj
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51F783:				; CODE XREF: ObfDereferenceObject+28j
		mov	eax, [edi+4]
		test	eax, eax
		jnz	loc_5A85E0
		test	esi, esi
		js	loc_5A860A
		mov	eax, large fs:124h
		cmp	word ptr [eax+13Eh], 0
		jnz	short loc_51F7E6
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_51F7E6
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		jnb	short loc_51F7E6
		mov	ecx, edi
		call	_OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO@4 ; OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO(x)
		test	eax, eax
		jz	short loc_51F7CB
		mov	ecx, eax
		call	ObpHandleRevocationBlockRemoveObject

loc_51F7CB:				; CODE XREF: ObfDereferenceObject+72j
		cmp	ds:_ObpTraceFlags, 0
		jnz	short loc_51F7EF

loc_51F7D4:				; CODE XREF: ObfDereferenceObject+A6j
		xor	dl, dl
		mov	ecx, edi
		call	ObpRemoveObjectRoutine
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51F7E6:				; CODE XREF: ObfDereferenceObject+54j
					; ObfDereferenceObject+5Dj ...
		mov	ecx, edi
		call	ObpDeferObjectDeletion
		jmp	short loc_51F77A
; 

loc_51F7EF:				; CODE XREF: ObfDereferenceObject+82j
		mov	ecx, edi
		call	_ObpDeregisterObject@4 ; ObpDeregisterObject(x)
		jmp	short loc_51F7D4
ObfDereferenceObject endp

; 
		align 10h
; Exported entry 163. ObfReferenceObject

;  S U B	R O U T	I N E 


; __fastcall ObfReferenceObject(x)
		public @ObfReferenceObject@4
@ObfReferenceObject@4 proc near		; CODE XREF: FsRtlCreateSectionForDataScan+124p
					; .text:00521FFDp ...
		mov	edx, 746C6644h
		jmp	ObfReferenceObjectWithTag
@ObfReferenceObject@4 endp

; 
		align 10h
; Exported entry 395. ExIsResourceAcquiredSharedLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExIsResourceAcquiredSharedLite
ExIsResourceAcquiredSharedLite proc near ; CODE	XREF: CmpDoQueryKeyName+73p
					; CmUnloadKey+275p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005EC407 SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, [ebp+arg_0]
		movzx	ecx, word ptr [esi+0Eh]
		mov	eax, ecx
		and	eax, 1
		jnz	loc_5EC407

loc_51F82B:				; CODE XREF: ExIsResourceAcquiredSharedLite+CCBFAj
		test	ax, ax
		jnz	loc_51F952

loc_51F834:				; CODE XREF: ExIsResourceAcquiredSharedLite+14Aj
		movzx	eax, word ptr [esi+0Eh]
		test	al, 1
		jnz	loc_5EC435
		xor	ecx, ecx
		push	ebx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		cmp	[esi+20h], ecx
		jnz	short loc_51F85D
		xor	ebx, ebx

loc_51F853:				; CODE XREF: ExIsResourceAcquiredSharedLite+FEj
					; ExIsResourceAcquiredSharedLite+10Aj
		mov	eax, ebx
		pop	ebx

loc_51F856:				; CODE XREF: ExIsResourceAcquiredSharedLite+CCC2Cj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_51F85D:				; CODE XREF: ExIsResourceAcquiredSharedLite+3Fj
		push	edi
		mov	edi, large fs:124h
		cmp	[esi+18h], edi
		jz	loc_51F913
		xor	ebx, ebx
		test	al, al
		js	loc_51F90D
		movzx	eax, byte ptr [edi+26Ch]
		mov	[ebp+arg_0], eax
		lea	eax, [esi+34h]
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_4], al
		jnz	loc_5EC441
		lea	edx, [ebp+var_C]
		lea	eax, [esi+34h]
		xchg	edx, [eax]
		test	edx, edx
		jnz	short loc_51F91F

loc_51F8AD:				; CODE XREF: ExIsResourceAcquiredSharedLite+117j
					; ExIsResourceAcquiredSharedLite+CCC3Cj
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_51F8DD
		mov	edx, [eax+4]
		mov	ecx, [ebp+arg_0]
		cmp	ecx, edx
		jnb	short loc_51F8C6
		cmp	[eax+ecx*8], edi
		lea	ecx, [eax+ecx*8]
		jz	short loc_51F945

loc_51F8C6:				; CODE XREF: ExIsResourceAcquiredSharedLite+ACj
		mov	ecx, 1
		cmp	edx, ecx
		jbe	short loc_51F8DD
		nop

loc_51F8D0:				; CODE XREF: ExIsResourceAcquiredSharedLite+CBj
		cmp	[eax+8], edi
		lea	eax, [eax+8]
		jz	short loc_51F94D
		inc	ecx
		cmp	ecx, edx
		jb	short loc_51F8D0

loc_51F8DD:				; CODE XREF: ExIsResourceAcquiredSharedLite+A2j
					; ExIsResourceAcquiredSharedLite+BDj ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5EC451
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_51F931
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_51F929

loc_51F904:				; CODE XREF: ExIsResourceAcquiredSharedLite+133j
					; ExIsResourceAcquiredSharedLite+CCC4Cj
		mov	cl, byte ptr [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_51F90D:				; CODE XREF: ExIsResourceAcquiredSharedLite+62j
		pop	edi
		jmp	loc_51F853
; 

loc_51F913:				; CODE XREF: ExIsResourceAcquiredSharedLite+58j
		mov	ebx, [esi+1Ch]
		shr	ebx, 3
		pop	edi
		jmp	loc_51F853
; 

loc_51F91F:				; CODE XREF: ExIsResourceAcquiredSharedLite+9Bj
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_51F8AD
; 

loc_51F929:				; CODE XREF: ExIsResourceAcquiredSharedLite+F2j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_51F931:				; CODE XREF: ExIsResourceAcquiredSharedLite+DFj
		mov	[ebp+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_51F904
; 

loc_51F945:				; CODE XREF: ExIsResourceAcquiredSharedLite+B4j
		mov	ebx, [ecx+4]

loc_51F948:				; CODE XREF: ExIsResourceAcquiredSharedLite+140j
		shr	ebx, 3
		jmp	short loc_51F8DD
; 

loc_51F94D:				; CODE XREF: ExIsResourceAcquiredSharedLite+C6j
		mov	ebx, [eax+4]
		jmp	short loc_51F948
; 

loc_51F952:				; CODE XREF: ExIsResourceAcquiredSharedLite+1Ej
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jbe	loc_51F834
		jmp	loc_5EC421
ExIsResourceAcquiredSharedLite endp

; 
		align 10h
; Exported entry  26. ExAcquireFastMutex
; Exported entry 104. ExiAcquireFastMutex

;  S U B	R O U T	I N E 


		public ExAcquireFastMutex
ExAcquireFastMutex proc	near		; CODE XREF: CmpWaitForLateUnloadWorker()+Ep
					; RawCompletionRoutine+4Ap ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005EC461 SIZE 0000001E BYTES

		mov	edi, edi	; ExAcquireFastMutex
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		mov	edi, ecx
		mov	dword ptr [ebp-14h], 0
		mov	eax, edi
		and	eax, 7FFFFFFCh
		mov	[ebp-10h], eax
		jz	loc_51FB0E
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jnz	loc_51FA9D
		mov	cl, [esi+1E4h]
		mov	dword ptr [ebp-0Ch], 0
		test	cl, cl
		jz	loc_51FACA

loc_51F9DE:				; CODE XREF: ExAcquireFastMutex+199j
		movzx	eax, cl
		bsf	ecx, eax
		btr	eax, ecx
		mov	[ebp-0Ch], ecx
		mov	[esi+1E4h], al
		lea	edx, [ecx+ecx*2]
		shl	edx, 4
		add	edx, [esi+1E8h]
		mov	[ebp-8], edx
		jz	loc_51FAF0
		mov	ecx, dword_6D07D0
		mov	eax, edi
		shr	eax, 15h
		cmp	edi, ecx
		jb	short loc_51FA32
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_5EC46F
		cmp	edi, ecx
		jb	short loc_51FA32
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_5EC46F

loc_51FA32:				; CODE XREF: ExAcquireFastMutex+A2j
					; ExAcquireFastMutex+B3j
		or	eax, 0FFFFFFFFh

loc_51FA35:				; CODE XREF: ExAcquireFastMutex+CCB0Aj
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp-10h]
		mov	[edx+10h], eax

loc_51FA3F:				; CODE XREF: ExAcquireFastMutex+188j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp-14h]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_51FA66
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	short loc_51FAC3

loc_51FA66:				; CODE XREF: ExAcquireFastMutex+ECj
					; ExAcquireFastMutex+158j
		mov	esi, [ebp-8]

loc_51FA69:				; CODE XREF: ExAcquireFastMutex+1A0j
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, al
		mov	[ebp-1], cl
		lock btr dword ptr [edi], 0
		jnb	short loc_51FAB5

loc_51FA7D:				; CODE XREF: ExAcquireFastMutex+151j
		test	esi, esi
		jz	short loc_51FA85
		or	byte ptr [esi+0Eh], 1

loc_51FA85:				; CODE XREF: ExAcquireFastMutex+10Fj
		mov	eax, large fs:124h
		mov	[edi+4], eax
		movzx	eax, cl
		mov	[edi+1Ch], eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_51FA9D:				; CODE XREF: ExAcquireFastMutex+53j
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	edi
		push	esi
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_51FAB5:				; CODE XREF: ExAcquireFastMutex+10Bj
		mov	edx, esi
		mov	ecx, edi
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		mov	cl, [ebp-1]
		jmp	short loc_51FA7D
; 

loc_51FAC3:				; CODE XREF: ExAcquireFastMutex+F4j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_51FA66
; 

loc_51FACA:				; CODE XREF: ExAcquireFastMutex+68j
		cmp	byte ptr [esi+222h], 0
		lea	ecx, [esi+222h]
		jnz	short loc_51FAFD
		test	dword ptr ds:byte_70EFC4, 200h
		mov	dword ptr [ebp-8], 0
		jnz	loc_5EC461

loc_51FAF0:				; CODE XREF: ExAcquireFastMutex+8Fj
					; ExAcquireFastMutex+CCAFAj
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_51FA3F
; 

loc_51FAFD:				; CODE XREF: ExAcquireFastMutex+167j
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al
		jmp	loc_51F9DE
; 

loc_51FB0E:				; CODE XREF: ExAcquireFastMutex+30j
		xor	esi, esi
		jmp	loc_51FA69
ExAcquireFastMutex endp

; 
		align 10h
; Exported entry 590. FsRtlLookupPerStreamContextInternal

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlLookupPerStreamContextInternal
FsRtlLookupPerStreamContextInternal proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005EC47F SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	al, [esi+7]
		and	al, 0F0h
		cmp	al, 10h
		jb	loc_5EC47F
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+34h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx

loc_51FB4F:				; CODE XREF: FsRtlLookupPerStreamContextInternal+CC967j
		mov	eax, [ebp+arg_8]
		lea	edx, [esi+2Ch]
		xor	edi, edi
		push	ebx
		test	eax, eax
		jnz	loc_5EC48C
		mov	ecx, [ebp+arg_4]
		mov	eax, [edx]
		test	ecx, ecx
		jz	short loc_51FBCF
		cmp	eax, edx
		jz	short loc_51FB77
		lea	ecx, [ecx+0]

loc_51FB70:				; CODE XREF: FsRtlLookupPerStreamContextInternal+ABj
		cmp	[eax+8], ecx
		jnz	short loc_51FBC7

loc_51FB75:				; CODE XREF: FsRtlLookupPerStreamContextInternal+B3j
		mov	edi, eax

loc_51FB77:				; CODE XREF: FsRtlLookupPerStreamContextInternal+4Bj
					; FsRtlLookupPerStreamContextInternal+ADj ...
		mov	al, [esi+7]
		and	al, 0F0h
		pop	ebx
		cmp	al, 10h
		jb	loc_5EC4B5
		lea	ecx, [esi+34h]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	eax, large fs:124h
		nop
		add	word ptr [eax+13Ch], 1
		jz	short loc_51FBA8

loc_51FBA0:				; CODE XREF: FsRtlLookupPerStreamContextInternal+8Ej
					; FsRtlLookupPerStreamContextInternal+98j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_51FBA8:				; CODE XREF: FsRtlLookupPerStreamContextInternal+7Ej
		nop
		lea	ecx, [eax+70h]
		cmp	[ecx], ecx
		jz	short loc_51FBA0
		cmp	word ptr [eax+13Eh], 0
		jnz	short loc_51FBA0
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_51FBC7:				; CODE XREF: FsRtlLookupPerStreamContextInternal+53j
		mov	eax, [eax]
		cmp	eax, edx
		jnz	short loc_51FB70
		jmp	short loc_51FB77
; 

loc_51FBCF:				; CODE XREF: FsRtlLookupPerStreamContextInternal+47j
		cmp	eax, edx
		jz	short loc_51FB77
		jmp	short loc_51FB75
FsRtlLookupPerStreamContextInternal endp

; 
		align 10h

;  S U B	R O U T	I N E 


KeAbPreAcquire	proc near		; CODE XREF: MiWaitForCollidedFaultComplete+16Ep
					; MiWaitForCollidedFaultComplete+190p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A861F SIZE 00000029 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		mov	edi, edx
		mov	dword ptr [ebp-8], 0
		mov	edx, ecx
		mov	eax, edx
		mov	[ebp-4], edx
		and	eax, 7FFFFFFCh
		mov	[ebp-10h], eax
		jz	loc_5A8618
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jnz	loc_51FCE9
		test	edi, edi
		jnz	loc_51FCFF
		mov	cl, [esi+1E4h]
		mov	[ebp-0Ch], edi
		test	cl, cl
		jz	loc_51FD58

loc_51FC57:				; CODE XREF: KeAbPreAcquire+193j
		movzx	eax, cl
		bsf	ecx, eax
		btr	eax, ecx
		mov	[ebp-0Ch], ecx
		mov	[esi+1E4h], al
		lea	edi, [ecx+ecx*2]
		shl	edi, 4
		add	edi, [esi+1E8h]

loc_51FC75:				; CODE XREF: KeAbPreAcquire+1B1j
					; KeAbPreAcquire+88A63j
		test	edi, edi
		jz	loc_51FD78

loc_51FC7D:				; CODE XREF: KeAbPreAcquire+150j
		mov	ecx, dword_6D07D0
		mov	eax, edx
		shr	eax, 15h
		cmp	edx, ecx
		jb	short loc_51FCAA
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_51FD48
		cmp	edx, ecx
		jb	short loc_51FCAA
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_51FD48

loc_51FCAA:				; CODE XREF: KeAbPreAcquire+AAj
					; KeAbPreAcquire+BBj
		or	eax, 0FFFFFFFFh

loc_51FCAD:				; CODE XREF: KeAbPreAcquire+173j
		mov	[edi+14h], eax
		nop
		mov	eax, [ebp-10h]
		mov	[edi+10h], eax

loc_51FCB7:				; CODE XREF: KeAbPreAcquire+11Dj
					; KeAbPreAcquire+1A0j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp-8]
		push	eax
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_51FCDC
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	short loc_51FD41

loc_51FCDC:				; CODE XREF: KeAbPreAcquire+F2j
					; KeAbPreAcquire+166j
		mov	eax, edi

loc_51FCDE:				; CODE XREF: ObfDereferenceObject+88ECAj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_51FCE9:				; CODE XREF: KeAbPreAcquire+58j
		test	byte ptr [ebx+8], 1
		jz	loc_5A861F
		xor	edi, edi
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_51FCB7
; 

loc_51FCFF:				; CODE XREF: KeAbPreAcquire+60j
		mov	al, [edi+10h]
		or	al, 2
		mov	[edi+10h], al
		nop
		cmp	dword ptr [edi+10h], 0
		jl	short loc_51FD35

loc_51FD0E:				; CODE XREF: KeAbPreAcquire+15Fj
		mov	ecx, [edi+2Ch]
		mov	eax, ecx
		and	eax, 1FFFFh
		and	ecx, 0FFFE0000h
		and	byte ptr [edi+0Dh], 0FEh
		mov	[ebp-8], eax
		mov	[edi+2Ch], ecx
		nop
		mov	dword ptr [edi+10h], 0
		jmp	loc_51FC7D
; 

loc_51FD35:				; CODE XREF: KeAbPreAcquire+12Cj
		mov	ecx, edi
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp-4]
		jmp	short loc_51FD0E
; 

loc_51FD41:				; CODE XREF: KeAbPreAcquire+FAj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_51FCDC
; 

loc_51FD48:				; CODE XREF: KeAbPreAcquire+B3j
					; KeAbPreAcquire+C4j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_51FCAD
; 

loc_51FD58:				; CODE XREF: KeAbPreAcquire+71j
		cmp	byte ptr [esi+222h], 0
		lea	ecx, [esi+222h]
		jz	short loc_51FD85
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al
		jmp	loc_51FC57
; 

loc_51FD78:				; CODE XREF: KeAbPreAcquire+97j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_51FCB7
; 

loc_51FD85:				; CODE XREF: KeAbPreAcquire+185j
		xor	edi, edi
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_51FC75
		jmp	loc_5A8639
KeAbPreAcquire	endp

; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry  56. ExReleaseCacheAwarePushLockSharedEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExReleaseCacheAwarePushLockSharedEx
ExReleaseCacheAwarePushLockSharedEx proc near

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005EC4C2 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, edx
		mov	[ebp+var_C], eax
		push	esi
		mov	esi, ecx
		test	eax, 0FFFFFFFCh
		jnz	loc_5EC4C2
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jnz	loc_51FEF9

loc_51FDDF:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+150j
		test	byte ptr [ebp+var_C], 2
		jnz	loc_51FEE1
		mov	esi, [esi+8]
		mov	[ebp+var_14], esi
		mov	[ebp+var_C], 0
		test	esi, 7FFFFFFCh
		jz	loc_51FEE1
		push	edi
		mov	edi, large fs:124h
		mov	eax, esi
		mov	ecx, dword_6D07D0
		shr	eax, 15h
		cmp	esi, ecx
		jb	short loc_51FE37
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_51FF23
		cmp	esi, ecx
		jb	short loc_51FE37
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_51FF23

loc_51FE37:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+67j
					; ExReleaseCacheAwarePushLockSharedEx+78j
		or	eax, 0FFFFFFFFh

loc_51FE3A:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+17Ej
		dec	word ptr [edi+13Eh]
		mov	[ebp+var_8], eax
		nop
		inc	byte ptr [edi+1E6h]
		nop
		mov	cl, [edi+1E6h]
		mov	edx, esi
		mov	[ebp+var_1], cl
		mov	ecx, edi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[ebp+var_10], edx
		test	edx, edx
		jz	loc_51FF14
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	dword ptr [edx+10h], 0
		jl	loc_51FF05

loc_51FE7F:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+15Fj
		mov	ecx, [edx+2Ch]
		mov	eax, ecx
		and	byte ptr [edx+0Dh], 0FEh
		and	eax, 1FFFFh
		and	ecx, 0FFFE0000h
		mov	[ebp+var_C], eax
		mov	[edx+2Ch], ecx
		nop
		mov	dword ptr [edx+10h], 0
		sub	edx, [edi+1E8h]
		jnz	short loc_51FEE6
		xor	ecx, ecx

loc_51FEAB:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+147j
		cmp	[ebp+var_1], 1
		jnz	loc_5EC4E3
		movzx	eax, byte ptr [edi+1E4h]
		bts	eax, ecx
		mov	[edi+1E4h], al

loc_51FEC5:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+16Cj
					; ExReleaseCacheAwarePushLockSharedEx+CC743j
		nop
		dec	byte ptr [edi+1E6h]
		lea	eax, [ebp+var_C]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	KiAbThreadRemoveBoosts
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi

loc_51FEE1:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+33j
					; ExReleaseCacheAwarePushLockSharedEx+4Cj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_51FEE6:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+F7j
		mov	eax, 2AAAAAABh
		imul	edx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		jmp	short loc_51FEAB
; 

loc_51FEF9:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+29j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_51FDDF
; 

loc_51FF05:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+C9j
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp+var_10]
		jmp	loc_51FE7F
; 

loc_51FF14:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+B6j
		mov	eax, [edi+5Ch]
		test	eax, 10000h
		jnz	short loc_51FEC5
		jmp	loc_5EC4D2
; 

loc_51FF23:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+70j
					; ExReleaseCacheAwarePushLockSharedEx+81j
		mov	ecx, [edi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_51FE3A
ExReleaseCacheAwarePushLockSharedEx endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiLeaveGuardedRegionUnsafe(x)
_KiLeaveGuardedRegionUnsafe@4 proc near	; CODE XREF: KeAbPostReleaseEx+8Ep
					; KiSchedulerApc+2D2p ...
		mov	edi, edi
		nop
		add	word ptr [ecx+13Eh], 1
		jz	short loc_51FF4E
		retn
; 

loc_51FF4E:				; CODE XREF: KiLeaveGuardedRegionUnsafe(x)+Bj
		nop
		add	ecx, 70h
		cmp	[ecx], ecx
		jnz	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		retn
_KiLeaveGuardedRegionUnsafe@4 endp

; 
		align 10h
; Exported entry  18. ExAcquireCacheAwarePushLockSharedEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExAcquireCacheAwarePushLockSharedEx
ExAcquireCacheAwarePushLockSharedEx proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005EC4F8 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, edx
		mov	edx, ecx
		mov	[ebp+var_4], edx
		test	eax, 0FFFFFFFCh
		jnz	loc_5EC4F8
		push	esi
		push	edi
		test	al, 2
		jnz	loc_5200B3
		mov	eax, edx
		mov	[ebp+var_10], 0
		and	eax, 7FFFFFFCh
		mov	[ebp+var_C], eax
		jz	loc_5200B3
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jnz	loc_520080
		mov	cl, [esi+1E4h]
		mov	[ebp+var_8], 0
		test	cl, cl
		jz	loc_5200B7

loc_51FFD3:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+191j
		movzx	eax, cl
		bsf	ecx, eax
		btr	eax, ecx
		mov	[ebp+var_8], ecx
		mov	[esi+1E4h], al
		lea	edi, [ecx+ecx*2]
		shl	edi, 4
		add	edi, [esi+1E8h]
		jz	loc_5200D8
		mov	ecx, dword_6D07D0
		mov	eax, edx

loc_51FFFF:				; DATA XREF: .text:off_420910o
					; .text:off_422EC9o ...
		shr	eax, 15h

loc_520002:				; DATA XREF: .text:00425E4Co
		cmp	edx, ecx

loc_520004:				; DATA XREF: IopGetEnvironmentVariableSysEnv(x,x,x,x,x,x,x)+90o
		jb	short loc_520024
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_5200F6
		cmp	edx, ecx
		jb	short loc_520024
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_5200F6

loc_520024:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx:loc_520004j
					; ExAcquireCacheAwarePushLockSharedEx+B5j
		or	eax, 0FFFFFFFFh

loc_520027:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+1A1j
		mov	[edi+14h], eax
		nop
		mov	eax, [ebp+var_C]

loc_52002E:				; DATA XREF: .text:_PnpWstrRawo
		mov	[edi+10h], eax

loc_520031:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+180j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_10]
		push	eax
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1

loc_52004C:				; DATA XREF: .text:00401190o
		jz	loc_5EC517

loc_520052:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+CC5BDj
					; ExAcquireCacheAwarePushLockSharedEx+CC5C8j
					; DATA XREF: ...
		mov	edx, [ebp+var_4]

loc_520055:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+155j
		mov	al, large fs:51h

loc_52005B:				; DATA XREF: .text:_GlobalSaclKeyPrefixo
					; .text:_PopThermalLoggingDefaultRegKeyo ...
		mov	ecx, 11h
		and	eax, 1Fh
		mov	esi, [edx+eax*4]
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jnz	short loc_52009A

loc_520070:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+143j
					; ExAcquireCacheAwarePushLockSharedEx+151j
		test	edi, edi
		jz	short loc_520078
		or	byte ptr [edi+0Eh], 1

loc_520078:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+112j
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_520080:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+58j
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	[ebp+var_4]
		push	esi
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_52009A:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+10Ej
		mov	ecx, esi
		call	@ExfTryAcquirePushLockShared@4 ; ExfTryAcquirePushLockShared(x)
		test	al, al
		jnz	short loc_520070
		push	[ebp+var_4]
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockSharedEx
		jmp	short loc_520070
; 

loc_5200B3:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+1Ej
					; ExAcquireCacheAwarePushLockSharedEx+35j
		xor	edi, edi
		jmp	short loc_520055
; 

loc_5200B7:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+6Dj
		cmp	byte ptr [esi+222h], 0
		lea	ecx, [esi+222h]
		jnz	short loc_5200E5
		xor	edi, edi
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5EC508

loc_5200D8:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+91j
					; ExAcquireCacheAwarePushLockSharedEx+CC5B2j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_520031
; 

loc_5200E5:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+164j
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al
		jmp	loc_51FFD3
; 

loc_5200F6:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+ADj
					; ExAcquireCacheAwarePushLockSharedEx+BEj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_520027
ExAcquireCacheAwarePushLockSharedEx endp

; 
		align 10h
; Exported entry  30. ExAcquirePushLockExclusiveEx

;  S U B	R O U T	I N E 


		public ExAcquirePushLockExclusiveEx
ExAcquirePushLockExclusiveEx proc near	; CODE XREF: PspStorageEmptyArrayNonReadonly+3Ap
					; SmpKeyedStoreEntryGet(x,x,x,x):loc_43542Bp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A8648 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, edx
		mov	edx, ecx
		mov	[ebp-4], edx
		push	esi
		push	edi
		test	eax, 0FFFFFFFCh
		jnz	loc_5A8648
		test	al, 2
		jnz	loc_5A8667
		mov	eax, edx
		mov	dword ptr [ebp-10h], 0
		and	eax, 7FFFFFFCh
		mov	[ebp-0Ch], eax
		jz	loc_5A8667
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jnz	loc_520230
		mov	cl, [esi+1E4h]
		mov	dword ptr [ebp-8], 0
		test	cl, cl
		jz	loc_520257

loc_520196:				; CODE XREF: ExAcquirePushLockExclusiveEx+181j
		movzx	eax, cl
		bsf	ecx, eax
		btr	eax, ecx
		mov	[ebp-8], ecx
		mov	[esi+1E4h], al
		lea	edi, [ecx+ecx*2]
		shl	edi, 4
		add	edi, [esi+1E8h]
		jz	loc_520278
		mov	ecx, dword_6D07D0
		mov	eax, edx
		shr	eax, 15h
		cmp	edx, ecx
		jb	short loc_5201DF
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_52024A
		cmp	edx, ecx
		jb	short loc_5201DF
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	short loc_52024A

loc_5201DF:				; CODE XREF: ExAcquirePushLockExclusiveEx+B7j
					; ExAcquirePushLockExclusiveEx+C4j
		or	eax, 0FFFFFFFFh

loc_5201E2:				; CODE XREF: ExAcquirePushLockExclusiveEx+145j
		mov	[edi+14h], eax
		nop
		mov	eax, [ebp-0Ch]
		mov	[edi+10h], eax

loc_5201EC:				; CODE XREF: ExAcquirePushLockExclusiveEx+170j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp-10h]
		push	eax
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_520215
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	loc_5202A6

loc_520215:				; CODE XREF: ExAcquirePushLockExclusiveEx+F7j
					; ExAcquirePushLockExclusiveEx+19Bj
		mov	edx, [ebp-4]

loc_520218:				; CODE XREF: ExAcquirePushLockExclusiveEx+88559j
		lock bts dword ptr [edx], 0
		jb	short loc_520296

loc_52021F:				; CODE XREF: ExAcquirePushLockExclusiveEx+191j
		test	edi, edi
		jz	short loc_520227
		or	byte ptr [edi+0Eh], 1

loc_520227:				; CODE XREF: ExAcquirePushLockExclusiveEx+111j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_520230:				; CODE XREF: ExAcquirePushLockExclusiveEx+6Bj
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	dword ptr [ebp-4]
		push	esi
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_52024A:				; CODE XREF: ExAcquirePushLockExclusiveEx+C0j
					; ExAcquirePushLockExclusiveEx+CDj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_5201E2
; 

loc_520257:				; CODE XREF: ExAcquirePushLockExclusiveEx+80j
		cmp	byte ptr [esi+222h], 0
		lea	ecx, [esi+222h]
		jnz	short loc_520285
		xor	edi, edi
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5A8658

loc_520278:				; CODE XREF: ExAcquirePushLockExclusiveEx+A4j
					; ExAcquirePushLockExclusiveEx+88552j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_5201EC
; 

loc_520285:				; CODE XREF: ExAcquirePushLockExclusiveEx+154j
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al
		jmp	loc_520196
; 

loc_520296:				; CODE XREF: ExAcquirePushLockExclusiveEx+10Dj
		mov	ecx, [ebp-4]
		push	edx
		mov	edx, edi
		call	ExfAcquirePushLockExclusiveEx
		jmp	loc_52021F
; 

loc_5202A6:				; CODE XREF: ExAcquirePushLockExclusiveEx+FFj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_520215
ExAcquirePushLockExclusiveEx endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry  31. ExAcquirePushLockSharedEx

;  S U B	R O U T	I N E 


		public ExAcquirePushLockSharedEx
ExAcquirePushLockSharedEx proc near	; CODE XREF: PspStorageGetObject(x,x,x)+2Fp
					; SmpKeyedStoreEntryGet(x,x,x,x)+49p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A866E SIZE 00000026 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, edx
		mov	edx, ecx
		mov	[ebp-4], edx
		push	esi
		push	edi
		test	eax, 0FFFFFFFCh
		jnz	loc_5A866E
		test	al, 2
		jnz	loc_5A868D
		mov	eax, edx
		mov	dword ptr [ebp-10h], 0
		and	eax, 7FFFFFFCh
		mov	[ebp-0Ch], eax
		jz	loc_5A868D
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jnz	loc_5203E4
		mov	cl, [esi+1E4h]
		mov	dword ptr [ebp-8], 0
		test	cl, cl
		jz	loc_52041F

loc_520346:				; CODE XREF: ExAcquirePushLockSharedEx+199j
		movzx	eax, cl
		bsf	ecx, eax
		btr	eax, ecx
		mov	[ebp-8], ecx
		mov	[esi+1E4h], al
		lea	edi, [ecx+ecx*2]
		shl	edi, 4
		add	edi, [esi+1E8h]
		jz	loc_520440
		mov	ecx, dword_6D07D0
		mov	eax, edx
		shr	eax, 15h
		cmp	edx, ecx
		jb	short loc_52038F
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_5203FE
		cmp	edx, ecx
		jb	short loc_52038F
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	short loc_5203FE

loc_52038F:				; CODE XREF: ExAcquirePushLockSharedEx+B7j
					; ExAcquirePushLockSharedEx+C4j
		or	eax, 0FFFFFFFFh

loc_520392:				; CODE XREF: ExAcquirePushLockSharedEx+149j
		mov	[edi+14h], eax
		nop
		mov	eax, [ebp-0Ch]
		mov	[edi+10h], eax

loc_52039C:				; CODE XREF: ExAcquirePushLockSharedEx+188j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp-10h]
		push	eax
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5203C1
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	short loc_520418

loc_5203C1:				; CODE XREF: ExAcquirePushLockSharedEx+F7j
					; ExAcquirePushLockSharedEx+15Dj
		mov	edx, [ebp-4]

loc_5203C4:				; CODE XREF: ExAcquirePushLockSharedEx+883CFj
		mov	ecx, 11h
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_52040B

loc_5203D3:				; CODE XREF: ExAcquirePushLockSharedEx+156j
		test	edi, edi
		jz	short loc_5203DB
		or	byte ptr [edi+0Eh], 1

loc_5203DB:				; CODE XREF: ExAcquirePushLockSharedEx+115j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_5203E4:				; CODE XREF: ExAcquirePushLockSharedEx+6Bj
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	dword ptr [ebp-4]
		push	esi
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5203FE:				; CODE XREF: ExAcquirePushLockSharedEx+C0j
					; ExAcquirePushLockSharedEx+CDj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_520392
; 

loc_52040B:				; CODE XREF: ExAcquirePushLockSharedEx+111j
		mov	ecx, [ebp-4]
		push	edx
		mov	edx, edi
		call	ExfAcquirePushLockSharedEx
		jmp	short loc_5203D3
; 

loc_520418:				; CODE XREF: ExAcquirePushLockSharedEx+FFj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_5203C1
; 

loc_52041F:				; CODE XREF: ExAcquirePushLockSharedEx+80j
		cmp	byte ptr [esi+222h], 0
		lea	ecx, [esi+222h]
		jnz	short loc_52044D
		xor	edi, edi
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5A867E

loc_520440:				; CODE XREF: ExAcquirePushLockSharedEx+A4j
					; ExAcquirePushLockSharedEx+883C8j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_52039C
; 

loc_52044D:				; CODE XREF: ExAcquirePushLockSharedEx+16Cj
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al
		jmp	loc_520346
ExAcquirePushLockSharedEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAbThreadRemoveBoosts proc near	; CODE XREF: CcSetDirtyPinnedData+1F6p
					; ExAcquireAutoExpandPushLockShared+F5p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A8694 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		mov	esi, [edi]
		mov	eax, esi
		shr	eax, 10h
		movzx	ecx, si
		test	esi, 1FFFFh
		jnz	short loc_52048E

loc_520485:				; CODE XREF: KiAbThreadRemoveBoosts+59j
					; KiAbThreadRemoveBoosts+88246j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_52048E:				; CODE XREF: KiAbThreadRemoveBoosts+23j
		test	cx, cx
		js	short loc_5204C0

loc_520493:				; CODE XREF: KiAbThreadRemoveBoosts+6Dj
		test	al, 1
		jnz	short loc_5204CF

loc_520497:				; CODE XREF: KiAbThreadRemoveBoosts+7Fj
		movzx	edx, word ptr [edi]
		test	edx, 7FFFh
		jz	short loc_5204AF
		and	edx, 7FFFh
		mov	ecx, ebx
		call	KiAbThreadUnboostCpuPriority

loc_5204AF:				; CODE XREF: KiAbThreadRemoveBoosts+40j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_520485
		jmp	loc_5A8694
; 

loc_5204C0:				; CODE XREF: KiAbThreadRemoveBoosts+31j
		xor	edx, edx
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		movzx	eax, word ptr [edi+2]
		jmp	short loc_520493
; 

loc_5204CF:				; CODE XREF: KiAbThreadRemoveBoosts+35j
		lea	eax, [ebx+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [ebx+330h]
		jmp	short loc_520497
KiAbThreadRemoveBoosts endp

; 
		align 10h
; Exported entry  61. ExReleasePushLockExclusiveEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExReleasePushLockExclusiveEx
ExReleasePushLockExclusiveEx proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005A86AB SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		mov	[ebp+var_8], edx
		push	esi
		push	edi
		test	ebx, 0FFFFFFFCh
		jnz	loc_5A86AB
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_520655

loc_52051F:				; CODE XREF: ExReleasePushLockExclusiveEx+16Dj
		test	bl, 2
		jnz	loc_520617
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	edx, 7FFFFFFCh
		jz	loc_520617
		mov	ebx, large fs:124h
		cmp	edx, dword_6D07D0
		jb	short loc_520563
		mov	eax, edx
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	loc_520631
		cmp	al, 0Bh
		jz	loc_520631

loc_520563:				; CODE XREF: ExReleasePushLockExclusiveEx+56j
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_C], ecx

loc_520569:				; CODE XREF: ExReleasePushLockExclusiveEx+151j
		dec	word ptr [ebx+13Eh]
		nop
		inc	byte ptr [ebx+1E6h]
		nop
		mov	al, [ebx+1E6h]
		push	ecx
		mov	ecx, ebx
		mov	[ebp+var_1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_520646
		mov	al, [esi+10h]
		or	al, 2
		mov	[esi+10h], al
		nop
		cmp	[esi+10h], edi
		jl	loc_520662

loc_5205A5:				; CODE XREF: ExReleasePushLockExclusiveEx+179j
		mov	eax, [esi+2Ch]
		mov	edi, eax
		and	byte ptr [esi+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[esi+2Ch], eax
		nop
		mov	dword ptr [esi+10h], 0
		sub	esi, [ebx+1E8h]
		jnz	short loc_52061E
		xor	ecx, ecx

loc_5205D1:				; CODE XREF: ExReleasePushLockExclusiveEx+13Fj
		mov	al, 1
		shl	al, cl
		cmp	[ebp+var_1], 1
		jnz	loc_5A86CE
		or	[ebx+1E4h], al

loc_5205E5:				; CODE XREF: ExReleasePushLockExclusiveEx+15Ej
					; ExReleasePushLockExclusiveEx+881E7j
		nop
		dec	byte ptr [ebx+1E6h]
		mov	esi, edi
		and	esi, 1FFFFh
		jnz	short loc_520675

loc_5205F6:				; CODE XREF: ExReleasePushLockExclusiveEx+1B4j
					; ExReleasePushLockExclusiveEx+881F7j
		nop
		mov	ax, [ebx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ebx+13Eh], ax
		test	ax, ax
		jnz	short loc_520617
		nop
		add	ebx, 70h
		cmp	[ebx], ebx
		jnz	short loc_52066E

loc_520617:				; CODE XREF: ExReleasePushLockExclusiveEx+32j
					; ExReleasePushLockExclusiveEx+43j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_52061E:				; CODE XREF: ExReleasePushLockExclusiveEx+DDj
		mov	eax, 2AAAAAABh
		imul	esi
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		jmp	short loc_5205D1
; 

loc_520631:				; CODE XREF: ExReleasePushLockExclusiveEx+65j
					; ExReleasePushLockExclusiveEx+6Dj
		mov	ecx, [ebx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_C], eax
		jmp	loc_520569
; 

loc_520646:				; CODE XREF: ExReleasePushLockExclusiveEx+9Dj
		mov	eax, [ebx+5Ch]
		test	eax, 10000h
		jnz	short loc_5205E5
		jmp	loc_5A86BB
; 

loc_520655:				; CODE XREF: ExReleasePushLockExclusiveEx+29j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_8]
		jmp	loc_52051F
; 

loc_520662:				; CODE XREF: ExReleasePushLockExclusiveEx+AFj
		mov	ecx, esi
		call	KiAbEntryRemoveFromTree
		jmp	loc_5205A5
; 

loc_52066E:				; CODE XREF: ExReleasePushLockExclusiveEx+125j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_520617
; 

loc_520675:				; CODE XREF: ExReleasePushLockExclusiveEx+104j
		test	edi, 8000h
		jnz	short loc_5206AF

loc_52067D:				; CODE XREF: ExReleasePushLockExclusiveEx+1C8j
		test	byte ptr [ebp+var_10+2], 1
		jnz	short loc_5206BA

loc_520683:				; CODE XREF: ExReleasePushLockExclusiveEx+1DAj
		test	edi, 7FFFh
		jz	short loc_52069A
		and	edi, 7FFFh
		mov	ecx, ebx
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_52069A:				; CODE XREF: ExReleasePushLockExclusiveEx+199j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_5205F6
		jmp	loc_5A86DC
; 

loc_5206AF:				; CODE XREF: ExReleasePushLockExclusiveEx+18Bj
		xor	edx, edx
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_52067D
; 

loc_5206BA:				; CODE XREF: ExReleasePushLockExclusiveEx+191j
		lea	eax, [ebx+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [ebx+330h]
		jmp	short loc_520683
ExReleasePushLockExclusiveEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAbThreadClearAcquiredLockEntry(x,	x, x)
_KiAbThreadClearAcquiredLockEntry@12 proc near
					; CODE XREF: PspStorageEmptyArrayNonReadonly+D7p
					; PspStorageEmptyArrayNonReadonly+254p	...

var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_4], 0
		push	edi
		mov	edi, edx
		and	edi, 7FFFFFFCh
		mov	dl, [ebx+1E4h]
		mov	al, [ebx+222h]
		movsx	esi, al
		movsx	eax, dl
		or	esi, eax
		xor	esi, 3Fh
		bsr	eax, esi
		jz	short loc_520757
		mov	edx, [ebp+arg_0]
		lea	esp, [esp+0]

loc_520710:				; CODE XREF: KiAbThreadClearAcquiredLockEntry(x,x,x)+85j
		btr	esi, eax
		lea	eax, [eax+eax*2]
		shl	eax, 4
		add	eax, [ebx+1E8h]
		test	byte ptr [eax+0Eh], 1
		jz	short loc_520752
		test	byte ptr [eax+10h], 1
		jnz	short loc_520752
		mov	ecx, [eax+10h]
		and	ecx, 7FFFFFFCh
		cmp	ecx, edi
		jnz	short loc_520752
		cmp	[eax+14h], edx
		jnz	short loc_520752
		and	byte ptr [eax+0Eh], 0FEh
		nop
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_520752

loc_520749:				; CODE XREF: KiAbThreadClearAcquiredLockEntry(x,x,x)+89j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_520752:				; CODE XREF: KiAbThreadClearAcquiredLockEntry(x,x,x)+53j
					; KiAbThreadClearAcquiredLockEntry(x,x,x)+59j ...
		bsr	eax, esi
		jnz	short loc_520710

loc_520757:				; CODE XREF: KiAbThreadClearAcquiredLockEntry(x,x,x)+34j
		xor	eax, eax
		jmp	short loc_520749
_KiAbThreadClearAcquiredLockEntry@12 endp

; 
		align 10h
; Exported entry  60. ExReleasePushLockEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExReleasePushLockEx
ExReleasePushLockEx proc near		; CODE XREF: CcPostWorkQueueAsyncRead+95p
					; CcPostWorkQueueAsyncRead+16Cp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005A86EC SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], ebx
		push	esi
		push	edi
		test	eax, 0FFFFFFFCh
		jnz	loc_5A86EC
		mov	ecx, [ebx]
		mov	esi, 10h
		mov	eax, ecx
		and	eax, 0FFFFFFF0h
		cmp	esi, eax
		lea	edx, [ecx-10h]
		sbb	esi, esi
		and	esi, edx
		test	cl, 2
		jnz	loc_520962
		mov	eax, ecx
		lock cmpxchg [ebx], esi
		cmp	eax, ecx
		jnz	loc_520962

loc_5207AC:				; CODE XREF: ExReleasePushLockEx+209j
		test	byte ptr [ebp+var_10], 2
		jnz	loc_52091E
		xor	edi, edi
		mov	eax, ebx
		and	eax, 7FFFFFFCh
		mov	[ebp+var_10], edi
		mov	[ebp+var_18], eax
		jz	loc_52091E
		mov	ebx, large fs:124h
		mov	edx, [ebp+var_14]
		cmp	edx, dword_6D07D0
		jb	short loc_5207F8
		mov	eax, edx
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 0Bh
		jz	loc_5209BA
		cmp	al, 1
		jz	loc_5209BA

loc_5207F8:				; CODE XREF: ExReleasePushLockEx+7Bj
		mov	[ebp+var_8], 0FFFFFFFFh

loc_5207FF:				; CODE XREF: ExReleasePushLockEx+268j
		dec	word ptr [ebx+13Eh]
		nop
		inc	byte ptr [ebx+1E6h]
		nop
		mov	al, [ebx+1E6h]
		mov	[ebp+var_1], al
		mov	al, [ebx+1E4h]
		movsx	ecx, al
		mov	al, [ebx+222h]
		movsx	esi, al
		or	esi, ecx
		xor	esi, 3Fh
		bsr	eax, esi
		mov	[ebp+var_C], eax
		jz	loc_520947
		mov	ecx, [ebp+var_18]
		lea	ecx, [ecx+0]

loc_520840:				; CODE XREF: ExReleasePushLockEx+1E1j
		btr	esi, eax
		mov	[ebp+var_18], esi
		lea	esi, [eax+eax*2]
		shl	esi, 4
		add	esi, [ebx+1E8h]
		test	byte ptr [esi+0Eh], 1
		jz	loc_520938
		test	byte ptr [esi+10h], 1
		jnz	loc_520938
		mov	eax, [esi+10h]
		and	eax, 7FFFFFFCh
		cmp	eax, ecx
		jnz	loc_520938
		mov	eax, [ebp+var_8]
		cmp	[esi+14h], eax
		jnz	loc_520938
		and	byte ptr [esi+0Eh], 0FEh
		nop
		mov	eax, [esi+10h]
		test	eax, eax
		jz	loc_520938
		test	esi, esi
		jz	loc_520947
		mov	al, [esi+10h]
		or	al, 2
		mov	[esi+10h], al
		nop
		cmp	[esi+10h], edi
		jl	loc_520956

loc_5208AC:				; CODE XREF: ExReleasePushLockEx+1FDj
		mov	eax, [esi+2Ch]
		mov	edi, eax
		and	byte ptr [esi+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[esi+2Ch], eax
		nop
		mov	dword ptr [esi+10h], 0
		sub	esi, [ebx+1E8h]
		jnz	short loc_520925
		xor	ecx, ecx

loc_5208D8:				; CODE XREF: ExReleasePushLockEx+1D6j
		mov	al, 1
		shl	al, cl
		cmp	[ebp+var_1], 1
		jnz	loc_5A86FC
		or	[ebx+1E4h], al

loc_5208EC:				; CODE XREF: ExReleasePushLockEx+1EFj
					; ExReleasePushLockEx+87FA5j
		nop
		dec	byte ptr [ebx+1E6h]
		mov	esi, edi
		and	esi, 1FFFFh
		jnz	short loc_520975

loc_5208FD:				; CODE XREF: ExReleasePushLockEx+244j
					; ExReleasePushLockEx+87FC6j
		nop
		mov	ax, [ebx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ebx+13Eh], ax
		test	ax, ax
		jnz	short loc_52091E
		nop
		lea	eax, [ebx+70h]
		cmp	[eax], eax
		jnz	short loc_52096E

loc_52091E:				; CODE XREF: ExReleasePushLockEx+50j
					; ExReleasePushLockEx+65j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_520925:				; CODE XREF: ExReleasePushLockEx+174j
		mov	eax, 2AAAAAABh
		imul	esi
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		jmp	short loc_5208D8
; 

loc_520938:				; CODE XREF: ExReleasePushLockEx+F6j
					; ExReleasePushLockEx+100j ...
		mov	esi, [ebp+var_18]
		bsr	eax, esi
		mov	[ebp+var_C], eax
		jnz	loc_520840

loc_520947:				; CODE XREF: ExReleasePushLockEx+D4j
					; ExReleasePushLockEx+134j
		mov	eax, [ebx+5Ch]
		test	eax, 10000h
		jnz	short loc_5208EC
		jmp	loc_5A870A
; 

loc_520956:				; CODE XREF: ExReleasePushLockEx+146j
		mov	ecx, esi
		call	KiAbEntryRemoveFromTree
		jmp	loc_5208AC
; 

loc_520962:				; CODE XREF: ExReleasePushLockEx+38j
					; ExReleasePushLockEx+46j
		mov	ecx, ebx
		call	@ExfReleasePushLock@4 ;	ExfReleasePushLock(x)
		jmp	loc_5207AC
; 

loc_52096E:				; CODE XREF: ExReleasePushLockEx+1BCj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_52091E
; 

loc_520975:				; CODE XREF: ExReleasePushLockEx+19Bj
		test	edi, 8000h
		jnz	short loc_5209AF

loc_52097D:				; CODE XREF: ExReleasePushLockEx+258j
		test	byte ptr [ebp+var_10+2], 1
		jnz	short loc_5209CD

loc_520983:				; CODE XREF: ExReleasePushLockEx+27Dj
		test	edi, 7FFFh
		jz	short loc_52099A
		and	edi, 7FFFh
		mov	ecx, ebx
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_52099A:				; CODE XREF: ExReleasePushLockEx+229j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_5208FD
		jmp	loc_5A871B
; 

loc_5209AF:				; CODE XREF: ExReleasePushLockEx+21Bj
		xor	edx, edx
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_52097D
; 

loc_5209BA:				; CODE XREF: ExReleasePushLockEx+8Aj
					; ExReleasePushLockEx+92j
		mov	ecx, [ebx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_8], eax
		jmp	loc_5207FF
; 

loc_5209CD:				; CODE XREF: ExReleasePushLockEx+221j
		lea	eax, [ebx+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [ebx+330h]
		jmp	short loc_520983
ExReleasePushLockEx endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MmGetSessionIdEx(x)
_MmGetSessionIdEx@4 proc near		; CODE XREF: PspStorageEmptyArrayNonReadonly+1B8p
					; PspStorageEmptyArrayNonReadonly+231p	...
		mov	eax, [ecx+180h]
		test	eax, eax
		jz	short loc_5209FA
		test	dword ptr [ecx+3A8h], 1000h
		jnz	short loc_5209FA
		mov	eax, [eax+8]
		retn
; 

loc_5209FA:				; CODE XREF: MmGetSessionIdEx(x)+8j
					; MmGetSessionIdEx(x)+14j
		or	eax, 0FFFFFFFFh
		retn
_MmGetSessionIdEx@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MmIsSessionAddress(x)
_MmIsSessionAddress@4 proc near		; CODE XREF: KiAbFindWakeupLockEntry+34p
					; ViAvlNodeInitializeSessionId(x,x)+Bp	...
		mov	edx, dword_6D07D0
		mov	eax, ecx
		shr	eax, 15h
		cmp	ecx, edx
		jb	short loc_520A25
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_520A28
		cmp	ecx, edx
		jb	short loc_520A25
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	short loc_520A28

loc_520A25:				; CODE XREF: MmIsSessionAddress(x)+Dj
					; MmIsSessionAddress(x)+1Aj
		xor	eax, eax
		retn
; 

loc_520A28:				; CODE XREF: MmIsSessionAddress(x)+16j
					; MmIsSessionAddress(x)+23j
		mov	eax, 1
		retn
_MmIsSessionAddress@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIdentifyPfnWrapper(x, x)
_MiIdentifyPfnWrapper@8	proc near	; CODE XREF: MiQueryLeafPte(x,x,x)+1BBp
					; MiLogAllocateWsleEvent(x,x,x)+28p ...

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		lea	esi, [edi+10h]
		mov	[ebp+var_8], 0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_520A80

loc_520A5B:				; CODE XREF: MiIdentifyPfnWrapper(x,x)+63j
		mov	edx, ebx
		mov	ecx, edi
		call	_MiIdentifyPfn@8 ; MiIdentifyPfn(x,x)
		mov	edi, eax
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_520A80:				; CODE XREF: MiIdentifyPfnWrapper(x,x)+29j
					; MiIdentifyPfnWrapper(x,x)+5Cj ...
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_520A80
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_520A5B
		jmp	short loc_520A80
_MiIdentifyPfnWrapper@8	endp

; 
		align 10h

; __stdcall MiIdentifyPfn(x, x)
_MiIdentifyPfn@8:			; CODE XREF: MiCopyOnWrite(x,x,x,x)+77Fp
					; .text:00471B38p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		mov	eax, ecx
		mov	ecx, 7
		push	ebx
		push	esi
		mov	esi, eax
		mov	[ebp-1Ch], eax
		push	edi
		mov	ebx, edx
		lea	edi, [ebp-48h]
		rep movsd
		mov	ecx, eax
		mov	esi, 5
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		mov	cl, [ebp-32h]
		sar	edx, 4
		mov	[ebp-11h], cl
		mov	eax, edx
		movzx	ecx, cl
		and	ecx, 7
		shr	eax, 1Fh
		add	eax, edx
		mov	[ebp-28h], ecx
		mov	edi, ecx
		mov	[ebp-24h], eax
		xor	ecx, ecx
		mov	[ebx+8], eax
		mov	eax, [ebx]
		shld	ecx, edi, 4
		and	eax, 0FFFFFF8Fh
		or	ecx, [ebx+4]
		shl	edi, 4
		or	edi, eax
		mov	al, [ebp-31h]
		mov	dl, al
		shr	dl, 3
		and	dl, 1
		mov	[ebp-1Dh], dl
		jnz	short loc_520B25
		movzx	esi, al

loc_520B25:				; CODE XREF: .text:00520B20j
		and	esi, 7
		xor	edx, edx
		shl	esi, 19h
		and	ecx, 0F1FFFFFFh
		or	edx, edi
		or	esi, ecx
		mov	edi, [ebp-30h]
		mov	[ebx], edx
		mov	[ebx+4], esi
		test	edi, (offset loc_7FFFFF+1)
		jz	loc_520CC4
		mov	ecx, [ebp-1Ch]
		call	_MiGetBaseResidentPage@4 ; MiGetBaseResidentPage(x)
		mov	edi, eax
		mov	ecx, edi
		movzx	edx, byte ptr [edi+16h]
		and	edx, 7
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		mov	esi, [edi+4]
		mov	ecx, eax
		test	esi, esi
		jz	short loc_520B81
		mov	eax, [edi+18h]
		and	eax, 70000000h
		cmp	eax, 10000000h
		jz	short loc_520B81
		or	esi, 80000000h

loc_520B81:				; CODE XREF: .text:00520B6Aj
					; .text:00520B79j
		cmp	edi, [ebp-1Ch]
		jz	short loc_520B91
		lea	eax, [edi+10h]
		mov	edi, 7FFFFFFFh
		lock and [eax],	edi

loc_520B91:				; CODE XREF: .text:00520B84j
		mov	eax, ds:_MiLargePageSizes[ecx*4]
		mov	ecx, eax
		sub	eax, [ebp-24h]
		neg	ecx
		and	ecx, [ebp-24h]
		add	eax, ecx
		mov	[ebp-18h], eax
		cmp	edx, 6
		jnz	loc_520C81
		mov	edx, [ebx]
		mov	edi, [ebx+4]
		and	edx, 0FFFFFFEFh
		or	edx, 160h
		mov	[ebx+4], edi
		mov	[ebx], edx
		test	esi, esi
		jz	short loc_520BCF
		mov	eax, [ebp-24h]
		sub	eax, ecx
		lea	esi, [esi+eax*8]

loc_520BCF:				; CODE XREF: .text:00520BC5j
		mov	ecx, esi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 5
		jnz	short loc_520BF9
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_MiIdentifyPfnAsNonPagedPool@12	; MiIdentifyPfnAsNonPagedPool(x,x,x)
		mov	eax, [ebp-18h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_520BF9:				; CODE XREF: .text:00520BD9j
		mov	eax, esi
		shl	eax, 9
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	ecx, esi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 5
		jnz	short loc_520C31
		and	edx, 0FFFFFFF5h
		mov	[ebx+4], edi
		or	edx, eax
		mov	[ebx+0Ch], esi
		mov	eax, [ebp-18h]
		mov	[ebx], edx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_520C31:				; CODE XREF: .text:00520C0Ej
		mov	eax, esi
		and	eax, 0FFFFF000h
		mov	[ebx+0Ch], eax
		cmp	esi, ds:_MmHighestUserAddress
		jbe	short loc_520C62
		mov	eax, [ebp-18h]
		and	edx, 0FFFFFFF6h
		or	edx, 6
		mov	[ebx], edx
		mov	[ebx+4], edi
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_520C62:				; CODE XREF: .text:00520C41j
		mov	eax, [ebp-18h]
		and	edx, 0FFFFFFFDh
		or	edx, 0Dh
		mov	[ebx], edx
		mov	[ebx+4], edi
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_520C81:				; CODE XREF: .text:00520BAAj
		cmp	edx, 5
		jnz	short loc_520C8B
		mov	edx, 1

loc_520C8B:				; CODE XREF: .text:00520C84j
		mov	ecx, [ebx]
		xor	edi, edi
		mov	eax, [ebx+4]
		and	edi, 0FF1FFFFFh
		shld	edi, edx, 4
		and	ecx, 0FFFFFF8Fh
		and	eax, 0F1FFFFFFh
		shl	edx, 4
		or	edx, ecx
		or	edi, eax
		mov	eax, [ebp-18h]
		mov	[ebx], edx
		mov	[ebx+4], edi
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_520CC4:				; CODE XREF: .text:00520B45j
		mov	eax, [ebp-28h]
		jmp	ds:off_521528[eax*4]

loc_520CCE:				; DATA XREF: .text:00521540o
		test	byte ptr [ebp-48h], 1
		jz	short loc_520CE1
		cmp	byte ptr [ebp-1Dh], 0
		jnz	short loc_520CE1
		cmp	word ptr [ebp-34h], 1
		jbe	short loc_520CEC

loc_520CE1:				; CODE XREF: .text:00520CD2j
					; .text:00520CD8j
		or	edx, 100h
		mov	[ebx+4], esi
		mov	[ebx], edx

loc_520CEC:				; CODE XREF: .text:00520CDFj
					; .text:00520D79j
		lea	ecx, [ebp-48h]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_52106A
		mov	eax, [ebp-40h]
		and	eax, 400h
		or	eax, 0
		jnz	loc_520E43
		mov	edi, [ebp-44h]
		mov	eax, edx
		or	edi, 80000000h
		mov	ecx, esi
		test	dword ptr [ebp-44h], 80000000h
		mov	[ebx+0Ch], edi
		jnz	short loc_520D50
		cmp	dword ptr [ebp-44h], 0
		jz	short loc_520D50
		mov	eax, edi
		xor	ecx, ecx
		or	eax, 1
		and	edx, 1FFh
		mov	[ebx+0Ch], eax
		and	esi, 0FE000000h
		mov	eax, [edi-8]
		shld	ecx, eax, 9
		shl	eax, 9
		or	eax, edx
		or	ecx, esi

loc_520D50:				; CODE XREF: .text:00520D24j
					; .text:00520D2Aj
		and	eax, 0FFFFFFF2h
		mov	[ebx+4], ecx
		or	eax, 2
		mov	[ebx], eax
		jmp	loc_5214FC
; 

loc_520D60:				; CODE XREF: .text:00520CC7j
					; DATA XREF: .text:00521530o ...
		cmp	word ptr [ebp-34h], 1
		jb	short loc_520D72
		or	edx, 100h
		mov	[ebx+4], esi
		mov	[ebx], edx

loc_520D72:				; CODE XREF: .text:00520D65j
		test	dword ptr [ebp-38h], 40000000h
		jz	loc_520CEC
		lea	ecx, [ebp-48h]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_520D97
		mov	eax, [ebp-44h]
		and	eax, 0FFFFFFF8h
		shl	eax, 9
		mov	[ebx+0Ch], eax

loc_520D97:				; CODE XREF: .text:00520D89j
		and	edx, 0FFFFFFF0h
		mov	[ebx+4], esi
		mov	[ebx], edx
		jmp	loc_5214FC
; 

loc_520DA4:				; CODE XREF: .text:00520CC7j
					; DATA XREF: .text:00521544o
		or	edx, 100h
		mov	[ebx+4], esi
		lea	ecx, [ebp-48h]
		mov	[ebx], edx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_520DC7
		mov	eax, [ebp-44h]
		and	eax, 0FFFFFFF8h
		shl	eax, 9
		mov	[ebx+0Ch], eax

loc_520DC7:				; CODE XREF: .text:00520DB9j
		mov	eax, edi
		and	eax, 70000000h
		cmp	eax, 10000000h
		jnz	short loc_520E14
		mov	eax, [ebp-48h]
		test	eax, 1FFFFFFEh
		jnz	short loc_520DE3
		xor	eax, eax
		jmp	short loc_520DEE
; 

loc_520DE3:				; CODE XREF: .text:00520DDDj
		and	eax, 0FFFFFFFEh
		or	eax, 0E0000000h
		shl	eax, 2

loc_520DEE:				; CODE XREF: .text:00520DE1j
		xor	ecx, ecx
		and	edx, 1F9h
		shld	ecx, eax, 9
		and	esi, 0FE000000h
		shl	eax, 9
		or	ecx, esi
		or	eax, edx
		or	eax, 9
		mov	[ebx], eax
		mov	[ebx+4], ecx
		jmp	loc_5214FC
; 

loc_520E14:				; CODE XREF: .text:00520DD3j
		and	edi, offset loc_7FFFFF
		mov	eax, edx
		mov	ecx, esi
		cmp	edi, (offset loc_7FFFFA+3)
		jnz	short loc_520E36
		and	eax, 0FFFFFFFAh
		or	eax, 0Ah
		mov	[ebx], eax
		mov	[ebx+4], ecx
		jmp	loc_5214FC
; 

loc_520E36:				; CODE XREF: .text:00520E24j
		and	eax, 0FFFFFFF0h
		mov	[ebx], eax
		mov	[ebx+4], ecx
		jmp	loc_5214FC
; 

loc_520E43:				; CODE XREF: .text:00520D07j
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edx, dword_6D0704
		or	eax, edx
		mov	edi, [ebp-3Ch]
		mov	esi, edi
		mov	[ebp-28h], edx
		jz	short loc_520E71
		mov	edx, [ebp-40h]
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_520E71
		mov	edi, [ebp-28h]
		not	edi
		and	edi, esi

loc_520E71:				; CODE XREF: .text:00520E5Bj
					; .text:00520E68j
		test	ds:byte_70EFC6,	21h
		mov	eax, [edi]
		mov	[ebp-1Ch], eax
		lea	esi, [eax+24h]
		jz	short loc_520E8E
		or	dl, 0FFh
		mov	ecx, esi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	short loc_520EF2
; 

loc_520E8E:				; CODE XREF: .text:00520E80j
		mov	dword ptr [ebp-24h], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_520EA9
		or	dl, 0FFh
		mov	ecx, esi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp-24h], eax

loc_520EA9:				; CODE XREF: .text:00520E9Aj
		mov	edx, [esi]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jz	short loc_520EF2
		lea	esp, [esp+0]

loc_520EC0:				; CODE XREF: .text:00520EF0j
		test	edx, 40000000h
		jnz	short loc_520EDA
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_520EE4

loc_520EDA:				; CODE XREF: .text:00520EC6j
		lea	ecx, [ebp-24h]
		call	KeYieldProcessorEx
		mov	eax, [esi]

loc_520EE4:				; CODE XREF: .text:00520ED8j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_520EC0

loc_520EF2:				; CODE XREF: .text:00520E8Cj
					; .text:00520EB7j
		mov	eax, [ebp-1Ch]
		mov	eax, [eax+20h]
		and	eax, 0FFFFFFF8h
		jnz	short loc_520F1B
		mov	ecx, [ebx]
		mov	eax, [ebx+4]
		and	ecx, 0FFFFFE9Fh
		or	ecx, 10h
		mov	[ebx+4], eax
		push	esi
		mov	[ebx], ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	loc_5214FC
; 

loc_520F1B:				; CODE XREF: .text:00520EFBj
		mov	eax, [eax+0Ch]
		mov	[ebx+0Ch], eax
		test	ds:byte_70EFC6,	1
		jz	short loc_520F36
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	short loc_520F3C
; 

loc_520F36:				; CODE XREF: .text:00520F28j
		mov	dword ptr [esi], 0

loc_520F3C:				; CODE XREF: .text:00520F34j
		mov	esi, [ebp-1Ch]
		mov	eax, [esi+1Ch]
		shr	eax, 5
		xor	eax, [ebx+0Ch]
		and	eax, 1
		xor	[ebx+0Ch], eax
		mov	ecx, [edi+4]
		mov	[ebp-24h], ecx
		test	ecx, ecx
		jz	loc_52103E
		movzx	edx, word ptr [edi+12h]
		test	dl, 2
		jz	short loc_520F82
		test	dword ptr [esi+1Ch], 4000000h
		jz	short loc_520F82
		mov	edx, ecx
		mov	ecx, edi
		push	0FFFFFFFFh
		call	MiStartingOffset
		mov	ecx, [ebx]
		xor	ecx, eax
		jmp	loc_521029
; 

loc_520F82:				; CODE XREF: .text:00520F63j
					; .text:00520F6Cj
		mov	eax, [edi]
		mov	esi, [ebp-44h]
		or	esi, 80000000h
		mov	[ebp-28h], eax
		test	byte ptr [eax+1Ch], 20h
		jz	short loc_520FF4
		cmp	esi, ecx
		jb	short loc_520FC7
		mov	eax, [edi+1Ch]
		lea	eax, [ecx+eax*8]
		cmp	esi, eax
		jnb	short loc_520FC4
		sub	esi, ecx
		sar	esi, 3
		xor	edx, edx

loc_520FAB:				; CODE XREF: .text:00520FE2j
					; .text:00520FF2j
		mov	eax, [edi+14h]
		xor	ecx, ecx
		shld	edx, esi, 0Ch
		shld	ecx, eax, 9
		shl	esi, 0Ch
		shl	eax, 9
		add	esi, eax
		adc	edx, ecx
		jmp	short loc_521022
; 

loc_520FC4:				; CODE XREF: .text:00520FA2j
		mov	eax, [ebp-28h]

loc_520FC7:				; CODE XREF: .text:00520F98j
		test	dl, 2
		jz	short loc_520FE4
		push	edi
		or	edx, 0FFFFFFFFh
		mov	ecx, eax
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		sub	esi, [eax+24h]
		sar	esi, 3
		mov	eax, esi
		cdq
		mov	esi, eax
		jmp	short loc_520FAB
; 

loc_520FE4:				; CODE XREF: .text:00520FCAj
		mov	eax, [edi+0Ch]
		sub	esi, [eax+24h]
		sar	esi, 3
		mov	eax, esi
		cdq
		mov	esi, eax
		jmp	short loc_520FAB
; 

loc_520FF4:				; CODE XREF: .text:00520F94j
		mov	ax, [edi+10h]
		xor	ecx, ecx
		sub	esi, [ebp-24h]
		or	ecx, [edi+14h]
		shr	ax, 6
		movzx	eax, ax
		sar	esi, 3
		cdq
		mov	[ebp-18h], eax
		mov	eax, esi
		cdq
		add	ecx, eax
		mov	esi, ecx
		adc	[ebp-18h], edx
		mov	edx, [ebp-18h]
		shld	edx, esi, 0Ch
		shl	esi, 0Ch

loc_521022:				; CODE XREF: .text:00520FC2j
		mov	ecx, [ebx]
		xor	ecx, esi
		mov	esi, [ebp-1Ch]

loc_521029:				; CODE XREF: .text:00520F7Dj
		mov	eax, [ebx+4]
		and	ecx, 0FFFFFE00h
		xor	[ebx], ecx
		xor	eax, edx
		and	eax, 1FFFFFFh
		xor	[ebx+4], eax

loc_52103E:				; CODE XREF: .text:00520F56j
		mov	eax, [esi+1Ch]
		test	al, 8
		jz	short loc_521058
		test	al, 1
		jnz	short loc_521058
		mov	ecx, [ebx]
		and	ecx, 0FFFFFFF8h
		or	ecx, 8
		mov	[ebx], ecx
		jmp	loc_5214F6
; 

loc_521058:				; CODE XREF: .text:00521043j
					; .text:00521047j
		mov	ecx, [ebx]
		mov	eax, [ebx+4]
		and	ecx, 0FFFFFFF1h
		or	ecx, 1
		mov	[ebx], ecx
		jmp	loc_5214F9
; 

loc_52106A:				; CODE XREF: .text:00520CF6j
		mov	edi, [ebp-44h]
		mov	ecx, edi
		mov	[ebp-18h], ecx
		test	ecx, ecx
		jz	short loc_52108E
		mov	eax, [ebp-30h]
		and	eax, 70000000h
		cmp	eax, 10000000h
		jz	short loc_52108E
		or	ecx, 80000000h
		mov	[ebp-18h], ecx

loc_52108E:				; CODE XREF: .text:00521074j
					; .text:00521083j
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 5
		jnz	short loc_5210A8
		mov	edx, [ebp-18h]
		push	ecx
		mov	ecx, ebx
		call	_MiIdentifyPfnAsNonPagedPool@12	; MiIdentifyPfnAsNonPagedPool(x,x,x)
		jmp	loc_5214FC
; 

loc_5210A8:				; CODE XREF: .text:00521096j
		mov	ecx, [ebp-18h]
		cmp	ecx, 0FFFFFFF8h
		jnz	short loc_5210C8
		and	edx, 0FFFFFFF5h
		mov	[ebx+4], esi
		or	edx, 5
		mov	[ebx], edx
		mov	eax, ds:_MmBadPointer
		mov	[ebx+0Ch], eax
		jmp	loc_5214FC
; 

loc_5210C8:				; CODE XREF: .text:005210AEj
		mov	eax, [ebp-30h]
		shr	eax, 1Ch
		and	eax, 7
		mov	[ebp-28h], eax
		cmp	eax, 1
		jnz	short loc_521117
		mov	ecx, [ebp-48h]
		test	ecx, 1FFFFFFEh
		jnz	short loc_5210E8
		xor	ecx, ecx
		jmp	short loc_5210F4
; 

loc_5210E8:				; CODE XREF: .text:005210E2j
		and	ecx, 0FFFFFFFEh
		or	ecx, 0E0000000h
		shl	ecx, 2

loc_5210F4:				; CODE XREF: .text:005210E6j
		xor	eax, eax
		and	edx, 1F9h
		shld	eax, ecx, 9
		and	esi, 0FE000000h
		shl	ecx, 9
		or	eax, esi
		or	ecx, edx
		or	ecx, 9
		mov	[ebx], ecx
		jmp	loc_5214F9
; 

loc_521117:				; CODE XREF: .text:005210D7j
		mov	eax, ecx
		shl	eax, 9
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	[ebp-18h], ecx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		mov	ecx, [ebp-18h]
		mov	[ebp-24h], eax
		cmp	eax, 5
		jnz	short loc_521147
		and	edx, 0FFFFFFF5h
		mov	[ebx+4], esi
		or	edx, eax
		mov	[ebx+0Ch], ecx
		mov	[ebx], edx
		jmp	loc_5214FC
; 

loc_521147:				; CODE XREF: .text:00521133j
		mov	eax, ecx
		and	eax, 0FFFFF000h
		mov	[ebx+0Ch], eax
		mov	eax, [ebp-30h]
		and	eax, offset loc_7FFFFF
		cmp	eax, (offset loc_7FFFFA+3)
		jnz	short loc_5211A0
		cmp	dword ptr [ebp-24h], 9
		mov	eax, 1
		mov	[ebx+4], esi
		jnz	short loc_521187
		and	edx, 0FFFFFFF6h
		or	edx, 6
		mov	[ebx], edx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_521187:				; CODE XREF: .text:0052116Cj
		and	edx, 0FFFFFFFAh
		or	edx, 0Ah
		mov	[ebx], edx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5211A0:				; CODE XREF: .text:0052115Ej
		mov	eax, ds:_MmHighestUserAddress
		mov	[ebp-2Ch], eax
		cmp	ecx, eax
		jbe	loc_52128C
		cmp	dword ptr [ebp-28h], 2
		jnz	short loc_5211C6
		and	edx, 0FFFFFFFBh
		mov	[ebx+4], esi
		or	edx, 0Bh
		mov	[ebx], edx
		jmp	loc_5214FC
; 

loc_5211C6:				; CODE XREF: .text:005211B4j
		mov	eax, [ebp-24h]
		cmp	eax, 1
		jz	short loc_52120B
		cmp	eax, 0Bh
		jz	short loc_52120B
		cmp	eax, 6
		jnz	short loc_5211E8
		and	edx, 0FFFFFFF4h
		mov	[ebx+4], esi
		or	edx, 4
		mov	[ebx], edx
		jmp	loc_5214FC
; 

loc_5211E8:				; CODE XREF: .text:005211D6j
		cmp	eax, 9
		jz	short loc_5211FB
		cmp	eax, 0Eh
		jz	short loc_5211FB
		cmp	eax, 0Ch
		jnz	loc_521289

loc_5211FB:				; CODE XREF: .text:005211EBj
					; .text:005211F0j
		and	edx, 0FFFFFFF6h
		mov	[ebx+4], esi
		or	edx, 6
		mov	[ebx], edx
		jmp	loc_5214FC
; 

loc_52120B:				; CODE XREF: .text:005211CCj
					; .text:005211D1j
		mov	ecx, [ebp-1Ch]
		call	MiGetTopLevelPfn
		mov	edi, eax
		test	dword ptr [edi+10h], 40000000h
		lea	eax, [edi+10h]
		jz	short loc_521235
		and	dword ptr [ebx], 1FFh
		and	dword ptr [ebx+4], 0FE000000h
		mov	edx, [ebx]
		mov	esi, [ebx+4]
		jmp	short loc_521267
; 

loc_521235:				; CODE XREF: .text:0052121Fj
		mov	edx, [edi]
		xor	esi, esi
		mov	eax, [ebx]
		mov	ecx, [ebx+4]
		and	eax, 1FFh
		shr	edx, 1
		and	ecx, 0FE000000h
		and	edx, 0FFFFFFF8h
		or	edx, 80000000h
		shld	esi, edx, 9
		shl	edx, 9
		or	edx, eax
		or	esi, ecx
		mov	[ebx], edx
		lea	eax, [edi+10h]
		mov	[ebx+4], esi

loc_521267:				; CODE XREF: .text:00521233j
		cmp	edi, [ebp-1Ch]
		jz	short loc_521279
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	edx, [ebx]
		mov	esi, [ebx+4]

loc_521279:				; CODE XREF: .text:0052126Aj
		and	edx, 0FFFFFFF7h
		mov	[ebx+4], esi
		or	edx, 7
		mov	[ebx], edx
		jmp	loc_5214FC
; 

loc_521289:				; CODE XREF: .text:005211F5j
		mov	eax, [ebp-2Ch]

loc_52128C:				; CODE XREF: .text:005211AAj
		and	byte ptr [ebp-11h], 7
		cmp	byte ptr [ebp-11h], 6
		jnz	loc_5213B0
		test	byte ptr [ebp-48h], 1
		jz	short loc_5212AA
		cmp	byte ptr [ebp-1Dh], 0
		jz	loc_5213B0

loc_5212AA:				; CODE XREF: .text:0052129Ej
		cmp	ecx, eax
		jbe	short loc_52130B
		mov	edx, dword_6D2E8C
		or	edi, 80000000h
		mov	eax, dword_6D2E88
		xor	esi, esi
		shr	edx, 9
		shr	eax, 9
		and	edx, offset loc_7FFFF8
		and	eax, offset loc_7FFFF8
		sub	edx, 40000000h
		sub	eax, 40000000h
		cmp	edi, 0C0000000h
		jb	short loc_521306

loc_5212E5:				; CODE XREF: .text:00521304j
		cmp	edi, 0C07FFFFFh
		ja	short loc_521306
		cmp	edi, eax
		jb	short loc_5212F5
		cmp	edi, edx
		jbe	short loc_521339

loc_5212F5:				; CODE XREF: .text:005212EFj
		shl	edi, 9
		inc	esi
		and	eax, 0FFFFF000h
		cmp	edi, 0C0000000h
		jnb	short loc_5212E5

loc_521306:				; CODE XREF: .text:005212E3j
					; .text:005212EBj
		mov	edx, [ebx]
		mov	esi, [ebx+4]

loc_52130B:				; CODE XREF: .text:005212ACj
		lea	eax, [ecx+40000000h]
		mov	[ebx+4], esi
		cmp	eax, offset loc_7FFFFF
		mov	eax, 1
		ja	short loc_521397
		and	edx, 0FFFFFFF3h
		or	edx, 3
		mov	[ebx], edx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_521339:				; CODE XREF: .text:005212F3j
		mov	ecx, [ebp-1Ch]
		call	MiGetTopLevelPfn
		mov	ecx, [ebx+4]
		mov	edi, eax
		mov	eax, [ebx]
		xor	esi, esi
		and	eax, 1FFh
		and	ecx, 0FE000000h
		mov	edx, [edi]
		shr	edx, 1
		and	edx, 0FFFFFFF8h
		or	edx, 80000000h
		shld	esi, edx, 9
		shl	edx, 9
		or	esi, ecx
		or	edx, eax
		mov	[ebx+4], esi
		mov	[ebx], edx
		cmp	edi, [ebp-1Ch]
		jz	short loc_521387
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	edx, [ebx]
		mov	esi, [ebx+4]

loc_521387:				; CODE XREF: .text:00521375j
		and	edx, 0FFFFFFFCh
		mov	[ebx+4], esi
		or	edx, 0Ch
		mov	[ebx], edx
		jmp	loc_5214FC
; 

loc_521397:				; CODE XREF: .text:0052131Ej
		and	edx, 0FFFFFFF5h
		or	edx, 5
		mov	[ebx], edx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5213B0:				; CODE XREF: .text:00521294j
					; .text:005212A4j
		mov	eax, [ebp-1Ch]
		xor	ecx, ecx
		mov	[ebp-10h], ecx
		mov	edi, eax
		mov	[ebp-0Ch], ecx
		mov	[ebp-8], ecx
		mov	esi, [eax+18h]
		mov	[ebp-28h], ecx
		mov	ecx, eax
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		mov	eax, esi
		add	edx, ecx
		and	eax, offset loc_7FFFFF
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	eax, ecx
		jz	short loc_52145D
		lea	edx, [ebp-10h]
		sub	edx, 4

loc_5213F2:				; CODE XREF: .text:0052145Bj
		and	esi, offset loc_7FFFFF
		add	edx, 4
		mov	eax, esi
		mov	[ebp-4Ch], edx
		mov	[ebp-54h], eax
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [eax+ecx*4]
		mov	eax, [ebp-28h]
		inc	eax
		mov	[ebp-28h], eax
		cmp	eax, 3
		ja	loc_521512
		mov	[edx], edi
		lea	esi, [edi+10h]
		mov	dword ptr [ebp-2Ch], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_52144E

loc_521437:				; CODE XREF: .text:00521442j
					; .text:00521449j
		lea	ecx, [ebp-2Ch]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_521437
		lock bts dword ptr [esi], 1Fh
		jb	short loc_521437
		mov	edx, [ebp-4Ch]

loc_52144E:				; CODE XREF: .text:00521435j
		mov	esi, [edi+18h]
		mov	eax, esi
		and	eax, offset loc_7FFFFF
		cmp	eax, [ebp-54h]
		jnz	short loc_5213F2

loc_52145D:				; CODE XREF: .text:005213EAj
		xor	ecx, ecx
		mov	edx, 7FFFFFFFh

loc_521464:				; CODE XREF: .text:0052147Aj
		mov	eax, [ebp+ecx*4-10h]
		test	eax, eax
		jz	short loc_52147C
		cmp	eax, edi
		jz	short loc_521476
		add	eax, 10h
		lock and [eax],	edx

loc_521476:				; CODE XREF: .text:0052146Ej
		inc	ecx
		cmp	ecx, 3
		jb	short loc_521464

loc_52147C:				; CODE XREF: .text:0052146Aj
		mov	esi, [edi]
		xor	edx, edx
		mov	ecx, [ebx]
		mov	eax, [ebx+4]
		and	ecx, 1FFh
		shr	esi, 1
		and	eax, 0FE000000h
		and	esi, 0FFFFFFF8h
		or	esi, 80000000h
		shld	edx, esi, 9
		shl	esi, 9
		or	edx, eax
		or	esi, ecx
		mov	[ebx+4], edx
		mov	[ebx], esi
		cmp	edi, [ebp-1Ch]
		jz	short loc_5214BB
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_5214BB:				; CODE XREF: .text:005214AEj
		mov	ecx, [ebp-18h]
		lea	eax, [ecx+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_5214D7
		mov	ecx, [ebx]
		and	ecx, 0FFFFFFF3h
		or	ecx, 3
		mov	[ebx], ecx
		jmp	short loc_5214F6
; 

loc_5214D7:				; CODE XREF: .text:005214C9j
		cmp	ecx, dword_6D2E88
		jb	short loc_5214F3
		cmp	ecx, dword_6D2E8C
		ja	short loc_5214F3
		mov	ecx, [ebx]
		and	ecx, 0FFFFFFFCh
		or	ecx, 0Ch
		mov	[ebx], ecx
		jmp	short loc_5214F6
; 

loc_5214F3:				; CODE XREF: .text:005214DDj
					; .text:005214E5j
		and	dword ptr [ebx], 0FFFFFFF0h

loc_5214F6:				; CODE XREF: .text:00521053j
					; .text:005214D5j ...
		mov	eax, [ebx+4]

loc_5214F9:				; CODE XREF: .text:00521065j
					; .text:00521112j
		mov	[ebx+4], eax

loc_5214FC:				; CODE XREF: .text:00520CC7j
					; .text:00520D5Bj ...
		mov	ecx, [ebp-4]
		mov	eax, 1
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_521512:				; CODE XREF: .text:0052141Ej
		push	0
		push	0
		push	dword ptr [ebp-1Ch]
		push	9696h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		lea	ecx, [ecx+0]
; 
off_521528	dd offset loc_5214FC	; DATA XREF: .text:00520CC7r
		dd offset loc_5214FC
		dd offset loc_520D60
		dd offset loc_520D60
		dd offset loc_520D60
		dd offset loc_5214FC
		dd offset loc_520CCE
		dd offset loc_520DA4
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiIsPfn(x)
_MiIsPfn@4	proc near		; CODE XREF: .text:004556E9p
					; MiCoalesceFreeLargePages(x,x,x)+5Dp ...
		cmp	ecx, dword_6D07B0
		ja	short loc_52156E
		mov	eax, dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		retn
; 

loc_52156E:				; CODE XREF: MiIsPfn(x)+6j
		xor	eax, eax
		retn
_MiIsPfn@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiGetSystemRegionType(x)
_MiGetSystemRegionType@4 proc near	; CODE XREF: MiActivePageClaimCandidate(x,x,x,x)+223p
					; MiActivePageClaimCandidate(x,x,x,x)+2EBp ...
		cmp	ecx, dword_6D07D0
		jb	short loc_521593
		shr	ecx, 15h
		movzx	eax, byte ptr dword_6D3994[ecx]
		retn
; 

loc_521593:				; CODE XREF: MiGetSystemRegionType(x)+6j
		xor	eax, eax
		retn
_MiGetSystemRegionType@4 endp

; 
		align 10h
; Exported entry 160. ObReferenceObjectSafeWithTag

;  S U B	R O U T	I N E 


; __fastcall ObReferenceObjectSafeWithTag(x, x)
		public @ObReferenceObjectSafeWithTag@8
@ObReferenceObjectSafeWithTag@8	proc near
					; CODE XREF: AlpcpLookasidePacketCallbackRoutine+D9p
					; PsGetNextPartitionUnsafe(x)+3Dp ...
		mov	edi, edi
		push	esi
		lea	esi, [ecx-18h]
		mov	ecx, [esi]
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jz	short loc_5215CF
		nop

loc_5215B0:				; CODE XREF: ObReferenceObjectSafeWithTag(x,x)+37j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jnz	short loc_5215D3
		push	edi
		mov	edx, 1
		mov	ecx, esi
		call	ObpTraceObjectReferenceIfActive
		mov	al, 1

loc_5215CC:				; CODE XREF: ObReferenceObjectSafeWithTag(x,x)+31j
		pop	edi
		pop	esi
		retn
; 

loc_5215CF:				; CODE XREF: ObReferenceObjectSafeWithTag(x,x)+Dj
					; ObReferenceObjectSafeWithTag(x,x)+39j
		xor	al, al
		jmp	short loc_5215CC
; 

loc_5215D3:				; CODE XREF: ObReferenceObjectSafeWithTag(x,x)+1Bj
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_5215B0
		jmp	short loc_5215CF
@ObReferenceObjectSafeWithTag@8	endp

; 
		align 10h
; Exported entry 162. ObfDereferenceObjectWithTag

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObfDereferenceObjectWithTag
ObfDereferenceObjectWithTag proc near	; CODE XREF: PsReleaseSiloHardReference(x)+1Bp
					; SepVerifyDesktopAppxImage(x,x,x,x)+153p ...

; FUNCTION CHUNK AT 005EC52D SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	ds:_ObpTraceFlags, 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebx-18h]
		jnz	loc_5EC52D

loc_5215FE:				; CODE XREF: ObfDereferenceObjectWithTag+CAF59j
		or	esi, 0FFFFFFFFh
		lock xadd [edi], esi
		dec	esi
		test	esi, esi
		jle	short loc_521613

loc_52160A:				; CODE XREF: ObfDereferenceObjectWithTag+B0j
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_521613:				; CODE XREF: ObfDereferenceObjectWithTag+28j
		mov	eax, [edi+4]
		test	eax, eax
		jnz	loc_5EC53E
		test	esi, esi
		js	loc_5EC568
		mov	eax, large fs:124h
		cmp	word ptr [eax+13Eh], 0
		jnz	short loc_521689
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_521689
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		jnb	short loc_521689
		mov	al, [edi+0Eh]
		test	al, 40h
		jz	short loc_52166E
		movzx	eax, al
		mov	ecx, edi
		and	eax, 7Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		mov	ecx, [ecx]
		cmp	byte ptr [ecx+0Ch], 0
		jz	short loc_52166E
		call	ObpHandleRevocationBlockRemoveObject

loc_52166E:				; CODE XREF: ObfDereferenceObjectWithTag+6Ej
					; ObfDereferenceObjectWithTag+87j
		cmp	ds:_ObpTraceFlags, 0
		jnz	short loc_521695

loc_521677:				; CODE XREF: ObfDereferenceObjectWithTag+BCj
		xor	dl, dl
		mov	ecx, edi
		call	ObpRemoveObjectRoutine
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_521689:				; CODE XREF: ObfDereferenceObjectWithTag+54j
					; ObfDereferenceObjectWithTag+5Dj ...
		mov	ecx, edi
		call	ObpDeferObjectDeletion
		jmp	loc_52160A
; 

loc_521695:				; CODE XREF: ObfDereferenceObjectWithTag+95j
		mov	ecx, edi
		call	_ObpDeregisterObject@4 ; ObpDeregisterObject(x)
		jmp	short loc_521677
ObfDereferenceObjectWithTag endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopReferenceFileObject proc near	; CODE XREF: .text:00521F6Fp
					; NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+163p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_IoFileObjectType
		push	esi
		push	edi
		push	[ebp+arg_8]
		lea	esi, [ebp+var_4]
		mov	[ebp+var_4], 0
		push	esi
		push	[ebp+arg_0]
		push	eax
		push	edx
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+arg_4]
		mov	esi, eax
		mov	ecx, [ebp+var_4]
		mov	[edi], ecx
		test	esi, esi
		js	short loc_5216E3
		call	IopFileObjectRevoked
		test	al, al
		jnz	loc_5EC576
		mov	eax, esi

loc_5216E3:				; CODE XREF: IopReferenceFileObject+32j
					; ObfDereferenceObjectWithTag+CAFA2j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
IopReferenceFileObject endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KeLeaveCriticalRegionThread(x)
_KeLeaveCriticalRegionThread@4 proc near ; CODE	XREF: PspUnlockProcessExclusive+147p
					; MiIssueHardFault(x,x)+2B4p ...
		mov	edi, edi
		nop
		add	word ptr [ecx+13Ch], 1
		jnz	short locret_521705
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	short loc_521706

locret_521705:				; CODE XREF: KeLeaveCriticalRegionThread(x)+Bj
		retn
; 

loc_521706:				; CODE XREF: KeLeaveCriticalRegionThread(x)+13j
		cmp	word ptr [ecx+13Eh], 0
		jz	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		retn
_KeLeaveCriticalRegionThread@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


IopFileObjectRevoked proc near		; CODE XREF: IopReferenceFileObject+34p
					; NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+194p ...

; FUNCTION CHUNK AT 005EC587 SIZE 0000001D BYTES

		mov	edi, edi
		push	ecx
		mov	eax, [ecx+7Ch]
		test	eax, eax
		jnz	short loc_52172E

loc_52172A:				; CODE XREF: IopFileObjectRevoked+11j
					; IopFileObjectRevoked+CAE7Aj
		xor	al, al
		pop	ecx
		retn
; 

loc_52172E:				; CODE XREF: IopFileObjectRevoked+8j
		test	byte ptr [eax],	4
		jz	short loc_52172A
		jmp	loc_5EC587
IopFileObjectRevoked endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpTransSilentIgnore()
_CmpTransSilentIgnore@0	proc near	; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x):loc_814D2Bp
		cmp	ds:_CmpMiniNTBoot, 0
		jnz	short loc_52174C
		xor	al, al
		retn
; 

loc_52174C:				; CODE XREF: CmpTransSilentIgnore()+7j
		mov	al, 1
		retn
_CmpTransSilentIgnore@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeComputeCreatorDeniedRights(x, x, x, x)
_SeComputeCreatorDeniedRights@16 proc near ; CODE XREF:	ObpAdjustCreatorAccessState+77p
					; PAGE:008169CEp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+20h+var_10], ecx
		test	[ebp+arg_0], 0C0000h
		mov	[esp+20h+var_8], 0
		mov	[esp+20h+var_4], edi
		jz	loc_5218FC
		mov	eax, [edx+30h]
		mov	esi, [eax+2Ch]
		test	esi, esi
		jnz	short loc_521799
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jnz	short loc_521799
		mov	esi, [edx+2Ch]
		test	esi, esi
		jz	loc_5218FC

loc_521799:				; CODE XREF: SeComputeCreatorDeniedRights(x,x,x,x)+35j
					; SeComputeCreatorDeniedRights(x,x,x,x)+3Cj
		movzx	ebx, word ptr [esi+2]
		mov	ecx, ebx
		test	bl, 4
		jnz	short loc_5217A8
		xor	edx, edx
		jmp	short loc_5217B9
; 

loc_5217A8:				; CODE XREF: SeComputeCreatorDeniedRights(x,x,x,x)+52j
		mov	edx, [esi+10h]
		test	cx, cx
		jns	short loc_5217B9
		lea	eax, [edx+esi]
		neg	edx
		sbb	edx, edx
		and	edx, eax

loc_5217B9:				; CODE XREF: SeComputeCreatorDeniedRights(x,x,x,x)+56j
					; SeComputeCreatorDeniedRights(x,x,x,x)+5Ej
		and	ecx, 8000h
		mov	[esp+20h+var_C], ecx
		xor	cl, cl
		call	RtlpOwnerAcesPresent
		test	al, al
		jnz	short loc_521832
		test	bl, 10h
		jnz	short loc_5217D7
		xor	ecx, ecx
		jmp	short loc_5217EA
; 

loc_5217D7:				; CODE XREF: SeComputeCreatorDeniedRights(x,x,x,x)+81j
		mov	ecx, [esi+0Ch]
		cmp	word ptr [esp+20h+var_C], di
		jz	short loc_5217EA
		lea	eax, [ecx+esi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_5217EA:				; CODE XREF: SeComputeCreatorDeniedRights(x,x,x,x)+85j
					; SeComputeCreatorDeniedRights(x,x,x,x)+8Fj
		cmp	_SepRmEnforceCap, 0
		mov	[esp+20h+var_C], edi
		jz	loc_5218FC
		test	ecx, ecx
		jz	loc_5218FC
		call	_SepGetScopedPolicySid@4 ; SepGetScopedPolicySid(x)
		test	eax, eax
		jz	loc_5218FC
		lea	edx, [esp+20h+var_C]
		mov	ecx, eax
		call	_SepRmReferenceFindCap@8 ; SepRmReferenceFindCap(x,x)
		test	eax, eax
		mov	eax, ds:_SepRmDefaultCap
		js	short loc_521828
		mov	eax, [esp+20h+var_C]

loc_521828:				; CODE XREF: SeComputeCreatorDeniedRights(x,x,x,x)+D2j
		test	byte ptr [eax+1Ch], 1
		jz	loc_5218FC

loc_521832:				; CODE XREF: SeComputeCreatorDeniedRights(x,x,x,x)+7Cj
		mov	eax, [esp+20h+var_10]
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_52183F
		mov	ecx, [eax+8]

loc_52183F:				; CODE XREF: SeComputeCreatorDeniedRights(x,x,x,x)+EAj
		push	0
		push	ecx
		mov	edx, esi
		call	SepTokenIsOwner
		test	al, al
		jz	loc_5218FC
		mov	ebx, [ebp+arg_0]
		test	ebx, 40000h
		jz	short loc_5218A2
		mov	eax, large fs:124h
		xor	edx, edx
		push	0
		mov	ecx, esi
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+24h+var_C], al
		lea	eax, [esp+24h+var_8]
		push	eax
		lea	eax, [esp+28h+var_4]
		push	eax
		push	[esp+2Ch+var_C]
		push	offset _StandardBitMapping
		push	0
		push	0
		push	40000h
		push	1
		push	[esp+44h+var_10]
		call	SeAccessCheckWithHintWithAdminlessChecks
		test	al, al
		jnz	short loc_5218A2
		mov	edi, 40000h

loc_5218A2:				; CODE XREF: SeComputeCreatorDeniedRights(x,x,x,x)+10Aj
					; SeComputeCreatorDeniedRights(x,x,x,x)+14Bj
		test	ebx, 80000h
		jz	short loc_5218F1
		mov	eax, large fs:124h
		xor	edx, edx
		push	0
		mov	ecx, esi
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+24h+var_C], al
		lea	eax, [esp+24h+var_8]
		push	eax
		lea	eax, [esp+28h+var_4]
		push	eax
		push	[esp+2Ch+var_C]
		push	offset _StandardBitMapping
		push	0
		push	0
		push	80000h
		push	1
		push	[esp+44h+var_10]
		call	SeAccessCheckWithHintWithAdminlessChecks
		test	al, al
		jnz	short loc_5218F1
		or	edi, 80000h

loc_5218F1:				; CODE XREF: SeComputeCreatorDeniedRights(x,x,x,x)+158j
					; SeComputeCreatorDeniedRights(x,x,x,x)+199j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_5218FC:				; CODE XREF: SeComputeCreatorDeniedRights(x,x,x,x)+27j
					; SeComputeCreatorDeniedRights(x,x,x,x)+43j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_SeComputeCreatorDeniedRights@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ObpIsKernelHandle(x, x)
_ObpIsKernelHandle@8 proc near		; CODE XREF: ObIsKernelHandle(x)+Ap
					; ObpCloseHandle+27p ...
		test	dl, dl
		jz	short loc_521917

loc_521914:				; CODE XREF: ObpIsKernelHandle(x,x)+9j
					; ObpIsKernelHandle(x,x)+Ej ...
		xor	al, al
		retn
; 

loc_521917:				; CODE XREF: ObpIsKernelHandle(x,x)+2j
		test	ecx, ecx
		jns	short loc_521914
		cmp	ecx, 0FFFFFFFEh
		jz	short loc_521914
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_521914
		mov	al, 1
		retn
_ObpIsKernelHandle@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ExSlowReplenishHandleTableEntry(x)
_ExSlowReplenishHandleTableEntry@4 proc	near ; CODE XREF: ObWaitForMultipleObjects+46Fp
					; ObpReferenceObjectByHandleWithTag+2BEp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi+4]
		mov	eax, edx
		shr	eax, 1Bh
		cmp	eax, 1Fh
		jnb	short loc_521956
		mov	ecx, 1Fh
		sub	ecx, eax
		or	edx, 0F8000000h
		mov	[esi+4], edx
		mov	eax, ecx
		pop	esi
		retn
; 

loc_521956:				; CODE XREF: ExSlowReplenishHandleTableEntry(x)+10j
		xor	eax, eax
		pop	esi
		retn
_ExSlowReplenishHandleTableEntry@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpInitializeDelayDerefContext(x)
_CmpInitializeDelayDerefContext@4 proc near ; CODE XREF: CmpEnumerateLayeredKey+D1p
					; CmpCleanUpKCBCacheTable(x)+45p ...
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		retn
_CmpInitializeDelayDerefContext@4 endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1130. KeEnterCriticalRegion

;  S U B	R O U T	I N E 


; __stdcall KeEnterCriticalRegion()
		public _KeEnterCriticalRegion@0
_KeEnterCriticalRegion@0 proc near	; CODE XREF: .text:0044742Cp
					; FsRtlCreateSectionForDataScan+6Dp ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		retn
_KeEnterCriticalRegion@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __fastcall ExReleaseRundownProtection(x)
@ExReleaseRundownProtection@4 proc near	; CODE XREF: IopIoRateStartRateControl+E3p
					; IoStopIoRateControl(x)+22j ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		and	esi, 0FFFFFFFEh
		mov	eax, esi
		lea	edx, [esi-2]
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		pop	esi
		jnz	@ExfReleaseRundownProtection@4 ; ExfReleaseRundownProtection(x)
		retn
@ExReleaseRundownProtection@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __fastcall ExAcquireRundownProtection(x)
@ExAcquireRundownProtection@4 proc near	; CODE XREF: MiQueuePageAccessLog(x)+35p
					; PfSnActivateTrace+Ep	...
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		and	esi, 0FFFFFFFEh
		mov	eax, esi
		lea	edx, [esi+2]
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		pop	esi
		jnz	short loc_5219B9
		mov	al, 1
		retn
; 

loc_5219B9:				; CODE XREF: ExAcquireRundownProtection(x)+14j
		jmp	@ExfAcquireRundownProtection@4 ; ExfAcquireRundownProtection(x)
@ExAcquireRundownProtection@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


KCBIsVirtualizable proc	near		; CODE XREF: sub_5009EC+5p
					; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+130p
		cmp	_CmpVEEnabled, 0
		jz	short loc_5219DE
		test	dword ptr [ecx+68h], 2000000h
		jnz	short loc_5219DE
		call	_CmpIsKcbInsideVirtualizedHive@4 ; CmpIsKcbInsideVirtualizedHive(x)
		test	al, al
		jz	short loc_5219DE
		mov	al, 1
		retn
; 

loc_5219DE:				; CODE XREF: KCBIsVirtualizable+7j
					; KCBIsVirtualizable+10j ...
		xor	al, al
		retn
KCBIsVirtualizable endp

; 
		align 10h

;  S U B	R O U T	I N E 


SeClearLearningModeObjectInformation proc near
					; CODE XREF: RtlpAllowsLowBoxAccess(x):loc_509E0Dp
					; ObReferenceObjectByNameEx:loc_79C49Bp ...

; FUNCTION CHUNK AT 005EC5A4 SIZE 0000004D BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	esi, large fs:124h
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jnz	loc_5EC5EA
		test	byte ptr [esi+84h], 1
		jnz	loc_5EC5A4
		mov	ecx, [edi+360h]
		xor	eax, eax
		test	ecx, ecx
		jnz	loc_5EC5B7

loc_521A2D:				; CODE XREF: SeClearLearningModeObjectInformation+CABC1j
					; SeClearLearningModeObjectInformation+CABCAj ...
		pop	edi
		pop	esi
		retn
SeClearLearningModeObjectInformation endp


;  S U B	R O U T	I N E 


; __fastcall ObFastDereferenceObject(x,	x)
@ObFastDereferenceObject@8 proc	near	; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+2F4p
					; PspGetRedirectionTrustPolicy(x)+30p ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		mov	eax, esi
		push	edi
		mov	edi, edx
		xor	eax, edi
		cmp	eax, 7
		jnb	short loc_521A51

loc_521A41:				; CODE XREF: ObFastDereferenceObject(x,x)+31j
		lea	edx, [esi+1]
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_521A5A
		pop	edi
		pop	esi
		retn
; 

loc_521A51:				; CODE XREF: ObFastDereferenceObject(x,x)+Fj
					; ObFastDereferenceObject(x,x)+33j
		mov	ecx, edi
		pop	edi
		pop	esi
		jmp	ObfDereferenceObject
; 

loc_521A5A:				; CODE XREF: ObFastDereferenceObject(x,x)+1Cj
		mov	esi, eax
		xor	eax, edi
		cmp	eax, 7
		jb	short loc_521A41
		jmp	short loc_521A51
@ObFastDereferenceObject@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


SepDeleteAccessState proc near		; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+517p
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+617p ...

; FUNCTION CHUNK AT 005EC5F1 SIZE 00000059 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		cmp	byte ptr [esi+0Bh], 0
		mov	edi, [esi+30h]
		jnz	loc_5EC5F1

loc_521A83:				; CODE XREF: SepDeleteAccessState+CAB8Bj
		mov	eax, [esi+68h]
		test	eax, eax
		jnz	loc_5EC600

loc_521A8E:				; CODE XREF: SepDeleteAccessState+CAB98j
		mov	eax, [esi+70h]
		test	eax, eax
		jnz	loc_5EC60D

loc_521A99:				; CODE XREF: SepDeleteAccessState+CABA5j
		test	edi, edi
		jz	short loc_521AB1
		cmp	dword ptr [edi+2Ch], 0
		lea	eax, [edi+2Ch]
		jnz	short loc_521AB4

loc_521AA6:				; CODE XREF: SepDeleteAccessState+4Aj
		mov	eax, [edi+38h]
		test	eax, eax
		jnz	loc_5EC61A

loc_521AB1:				; CODE XREF: SepDeleteAccessState+2Bj
					; SepDeleteAccessState+CABAFj ...
		pop	edi
		pop	esi
		retn
; 

loc_521AB4:				; CODE XREF: SepDeleteAccessState+34j
		push	eax
		call	_SeDeassignSecurity@4 ;	SeDeassignSecurity(x)
		jmp	short loc_521AA6
SepDeleteAccessState endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __fastcall ObFastReferenceObject(x)
@ObFastReferenceObject@4 proc near	; CODE XREF: CcPerfLogFlushCache+2Fp
					; CcPerfLogFlushSection+27p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	edx, [edi]
		test	dl, 7
		jz	short loc_521ADD
		lea	ecx, [ecx+0]

loc_521AD0:				; CODE XREF: ObFastReferenceObject(x)+8Bj
		lea	esi, [edx-1]
		mov	eax, edx
		lock cmpxchg [edi], esi
		cmp	eax, edx
		jnz	short loc_521B47

loc_521ADD:				; CODE XREF: ObFastReferenceObject(x)+Bj
					; ObFastReferenceObject(x)+8Dj
		mov	esi, edx
		and	edx, 7
		and	esi, 0FFFFFFF8h
		cmp	edx, 1
		jbe	short loc_521AEF

loc_521AEA:				; CODE XREF: ObFastReferenceObject(x)+64j
					; ObFastReferenceObject(x)+80j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_521AEF:				; CODE XREF: ObFastReferenceObject(x)+28j
		test	edx, edx
		jz	short loc_521B42
		push	ecx
		mov	edx, 7
		mov	ecx, esi
		call	ObReferenceObjectExWithTag
		mov	ecx, [edi]
		mov	eax, ecx
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		ja	short loc_521B33
		nop

loc_521B10:				; CODE XREF: ObFastReferenceObject(x)+71j
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	esi, eax
		jnz	short loc_521B33
		lea	edx, [ecx+7]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_521AEA
		mov	ecx, eax
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		jbe	short loc_521B10

loc_521B33:				; CODE XREF: ObFastReferenceObject(x)+4Dj
					; ObFastReferenceObject(x)+57j
		push	ecx
		mov	edx, 7
		mov	ecx, esi
		call	ObDereferenceObjectExWithTag
		jmp	short loc_521AEA
; 

loc_521B42:				; CODE XREF: ObFastReferenceObject(x)+31j
		pop	edi
		xor	eax, eax
		pop	esi
		retn
; 

loc_521B47:				; CODE XREF: ObFastReferenceObject(x)+1Bj
		mov	edx, eax
		test	al, 7
		jnz	short loc_521AD0
		jmp	short loc_521ADD
@ObFastReferenceObject@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall SepCreateAccessStateFromSubjectContext(int,void *,void	*,int,int)
_SepCreateAccessStateFromSubjectContext@20 proc	near ; CODE XREF: SeSubProcessToken+3D3p
					; ObOpenObjectByNameEx+166p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_C], esi
		push	edi
		test	eax, 0F0000000h
		jnz	loc_521C66

loc_521B73:				; CODE XREF: SepCreateAccessStateFromSubjectContext(x,x,x,x,x)+11Bj
					; SepCreateAccessStateFromSubjectContext(x,x,x,x,x)+131j
		push	74h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edi, [ebp+arg_0]
		push	0C4h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	[esi+30h], edi
		add	esp, 18h
		mov	eax, [ebx]
		mov	[esi+1Ch], eax
		mov	eax, [ebx+4]
		mov	[esi+20h], eax
		mov	eax, [ebx+8]
		mov	[esi+24h], eax
		mov	eax, [ebx+0Ch]
		mov	[esi+28h], eax
		mov	ecx, [esi+1Ch]
		test	ecx, ecx
		jnz	loc_521C86
		mov	edx, [esi+24h]

loc_521BB8:				; CODE XREF: SepCreateAccessStateFromSubjectContext(x,x,x,x,x)+138j
		mov	eax, [edx+48h]
		and	eax, [edx+40h]
		and	eax, 800000h
		or	eax, 0
		jz	short loc_521BCF
		mov	dword ptr [esi+0Ch], 1

loc_521BCF:				; CODE XREF: SepCreateAccessStateFromSubjectContext(x,x,x,x,x)+76j
		test	ecx, ecx
		jnz	short loc_521BD6
		mov	ecx, [esi+24h]

loc_521BD6:				; CODE XREF: SepCreateAccessStateFromSubjectContext(x,x,x,x,x)+81j
		mov	eax, [ecx+0B0h]
		and	eax, 810h
		or	[esi+0Ch], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+10h], eax
		mov	[esi+18h], eax
		lea	eax, [esi+34h]
		mov	[edi], eax
		mov	esi, offset _ExpLuid
		mov	eax, _ExpLuid
		mov	edx, dword_6B5B94
		mov	ebx, ds:_ExpLuidIncrement
		mov	ecx, ds:dword_40AA94
		add	ebx, eax
		mov	[ebp+var_4], eax
		mov	[ebp+arg_4], edx
		adc	ecx, edx
		mov	[ebp+var_10], esi
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_C]
		mov	ecx, eax
		mov	eax, [ebp+var_4]
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		cmp	eax, ecx
		jnz	short loc_521C90
		mov	ecx, [ebp+arg_4]
		cmp	ecx, ebx
		jnz	short loc_521C8D

loc_521C38:				; CODE XREF: SepCreateAccessStateFromSubjectContext(x,x,x,x,x)+183j
		mov	[esi+4], ecx
		mov	ecx, [ebp+arg_8]
		mov	[esi], eax
		test	ecx, ecx
		jz	short loc_521C5B
		mov	eax, [ecx]
		mov	[edi+4], eax
		mov	eax, [ecx+4]
		mov	[edi+8], eax
		mov	eax, [ecx+8]
		mov	[edi+0Ch], eax
		mov	eax, [ecx+0Ch]
		mov	[edi+10h], eax

loc_521C5B:				; CODE XREF: SepCreateAccessStateFromSubjectContext(x,x,x,x,x)+F2j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_521C66:				; CODE XREF: SepCreateAccessStateFromSubjectContext(x,x,x,x,x)+1Dj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_521B73
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	eax, [ebp+var_8]
		mov	[ebp+arg_4], eax
		jmp	loc_521B73
; 

loc_521C86:				; CODE XREF: SepCreateAccessStateFromSubjectContext(x,x,x,x,x)+5Fj
		mov	edx, ecx
		jmp	loc_521BB8
; 

loc_521C8D:				; CODE XREF: SepCreateAccessStateFromSubjectContext(x,x,x,x,x)+E6j
		mov	ecx, [ebp+var_8]

loc_521C90:				; CODE XREF: SepCreateAccessStateFromSubjectContext(x,x,x,x,x)+DFj
					; SepCreateAccessStateFromSubjectContext(x,x,x,x,x)+171j ...
		mov	esi, ecx
		mov	[ebp+arg_4], ebx
		mov	eax, ecx
		mov	[ebp+var_4], esi
		add	ecx, ds:_ExpLuidIncrement
		mov	edx, ebx
		adc	ebx, ds:dword_40AA94
		mov	[ebp+var_8], ebx
		nop
		mov	edi, [ebp+var_10]
		mov	ebx, ecx
		mov	ecx, [ebp+var_8]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+arg_4]
		mov	ecx, eax
		mov	ebx, edx
		cmp	esi, ecx
		jnz	short loc_521C90
		cmp	edi, ebx
		jnz	short loc_521C90
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_4]
		jmp	loc_521C38
_SepCreateAccessStateFromSubjectContext@20 endp

; 
		align 10h
; Exported entry 1772. PsGetCurrentSilo

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentSilo()
		public _PsGetCurrentSilo@0
_PsGetCurrentSilo@0 proc near		; CODE XREF: IoRevokeHandlesForProcess(x,x)+ABp
					; VRegEnabledInJob+7p ...
		mov	eax, large fs:124h
		mov	ecx, [eax+390h]
		cmp	ecx, 0FFFFFFFDh
		jnz	short loc_521D1A
		mov	eax, [eax+150h]
		mov	eax, [eax+158h]
		test	eax, eax
		jnz	short loc_521D02

locret_521D01:				; CODE XREF: PsGetCurrentSilo()+2Cj
					; PsGetCurrentSilo()+36j
		retn
; 

loc_521D02:				; CODE XREF: PsGetCurrentSilo()+1Fj
					; PsGetCurrentSilo()+38j
		test	dword ptr [eax+310h], 40000000h
		jnz	short locret_521D01
		mov	eax, [eax+244h]
		test	eax, eax
		jz	short locret_521D01
		jmp	short loc_521D02
; 

loc_521D1A:				; CODE XREF: PsGetCurrentSilo()+Fj
		mov	eax, ecx
		retn
_PsGetCurrentSilo@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeSetLearningModeObjectInformation proc	near ; CODE XREF: RtlpAllowsLowBoxAccess(x)+118p
					; ObReferenceObjectByNameEx+177p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		cmp	byte_6D7060, 0
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], 0
		jnz	sub_5EC64A

loc_521D3F:				; CODE XREF: sub_5EC64A+164j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
SeSetLearningModeObjectInformation endp

; 
		align 10h
; Exported entry 1589. NtSetInformationFile

; __stdcall NtSetInformationFile(x, x, x, x, x)
		public _NtSetInformationFile@20
_NtSetInformationFile@20:		; CODE XREF: NTFastDOSIO(x,x)+133p
					; NTFastDOSIO(x,x)+1C0p
					; DATA XREF: ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5AA8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 7Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	dword ptr [ebp-2Ch], 0
		xor	eax, eax
		mov	[ebp-7Ch], eax
		mov	[ebp-78h], eax
		mov	[ebp-74h], eax
		mov	[ebp-70h], eax
		mov	[ebp-64h], eax
		mov	[ebp-60h], eax
		mov	[ebp-48h], eax
		xor	al, al
		mov	[ebp-19h], al
		mov	[ebp-1Ah], al
		mov	[ebp-1Dh], al
		mov	edx, large fs:124h
		mov	[ebp-38h], edx
		mov	al, [edx+15Ah]
		mov	[ebp-1Bh], al
		mov	[ebp-30h], al
		mov	ebx, [ebp+18h]
		test	al, al
		jz	loc_521F08
		cmp	ebx, 4Ch
		jnb	loc_521EEF
		mov	al, byte ptr ds:(loc_A3F6DB+5)[ebx]
		test	al, al
		jz	loc_521EEF
		movzx	eax, al
		mov	edi, [ebp+14h]
		cmp	edi, eax
		jb	loc_522046
		mov	dword ptr [ebp-4], 0
		mov	ecx, [ebp+0Ch]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_521E09
		mov	ecx, eax

loc_521E09:				; CODE XREF: .text:00521E05j
		mov	eax, [ecx]
		mov	[ecx], eax
		test	edi, edi
		jz	short loc_521E3D
		lea	eax, [edi-1]
		neg	eax
		sbb	eax, eax
		and	eax, 3
		mov	ecx, [ebp+10h]
		test	eax, ecx
		jnz	loc_5228C7
		lea	eax, [ecx+edi]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_521E37
		cmp	eax, ecx
		jnb	short loc_521E3A

loc_521E37:				; CODE XREF: .text:00521E31j
		mov	byte ptr [edx],	0

loc_521E3A:				; CODE XREF: .text:00521E35j
		mov	edx, [ebp-38h]

loc_521E3D:				; CODE XREF: .text:00521E0Fj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, ds:_IopSetOperationAccess[ebx*4]
		cmp	ebx, 0Bh
		jz	short loc_521E59
		cmp	ebx, 48h
		jnz	loc_521F5D

loc_521E59:				; CODE XREF: .text:00521E4Ej
		xor	eax, eax
		mov	[ebp-8Ch], eax
		mov	[ebp-88h], eax
		mov	[ebp-84h], eax
		mov	[ebp-80h], eax
		mov	eax, [edx+150h]
		lea	ecx, [ebp-8Ch]
		push	ecx
		push	eax
		push	edx
		call	SeCaptureSubjectContextEx
		mov	eax, [ebp-30h]
		mov	[ebp-28h], eax
		push	eax
		lea	eax, [ebp-8Ch]
		push	eax
		call	RtlIsSandboxedToken
		mov	bl, al
		lea	eax, [ebp-8Ch]
		push	eax
		call	SeReleaseSubjectContext
		mov	eax, [ebp-28h]
		test	bl, bl
		mov	ebx, [ebp+18h]
		jz	loc_521F63
		or	esi, 100h
		jmp	loc_521F63
; 

loc_521EBE:				; DATA XREF: .text:006A5ABCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		mov	eax, 1
		retn
; 

loc_521ECE:				; DATA XREF: .text:006A5AC0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_521EEF:				; CODE XREF: .text:00521DD2j
					; .text:00521DE0j
		mov	eax, 0C0000003h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_521F08:				; CODE XREF: .text:00521DC9j
		cmp	ebx, 38h
		jnz	short loc_521F18
		mov	ebx, 0Ah
		mov	byte ptr [ebp-1Ah], 1
		jmp	short loc_521F56
; 

loc_521F18:				; CODE XREF: .text:00521F0Bj
		cmp	ebx, 42h
		jnz	short loc_521F28
		mov	ebx, 41h
		mov	byte ptr [ebp-1Ah], 1
		jmp	short loc_521F56
; 

loc_521F28:				; CODE XREF: .text:00521F1Bj
		cmp	ebx, 39h
		jnz	short loc_521F38
		mov	ebx, 0Bh
		mov	byte ptr [ebp-1Ah], 1
		jmp	short loc_521F56
; 

loc_521F38:				; CODE XREF: .text:00521F2Bj
		cmp	ebx, 49h
		jnz	short loc_521F48
		mov	ebx, 48h
		mov	byte ptr [ebp-1Ah], 1
		jmp	short loc_521F56
; 

loc_521F48:				; CODE XREF: .text:00521F3Bj
		cmp	ebx, 4Bh
		jnz	short loc_521F56
		mov	ebx, 47h
		mov	byte ptr [ebp-1Dh], 1

loc_521F56:				; CODE XREF: .text:00521F16j
					; .text:00521F26j ...
		mov	esi, ds:_IopSetOperationAccess[ebx*4]

loc_521F5D:				; CODE XREF: .text:00521E53j
		mov	eax, [ebp-30h]
		mov	[ebp-28h], eax

loc_521F63:				; CODE XREF: .text:00521EADj
					; .text:00521EB9j
		push	0
		lea	ecx, [ebp-2Ch]
		push	ecx
		push	eax
		mov	edx, esi
		mov	ecx, [ebp+8]
		call	IopReferenceFileObject
		mov	esi, eax
		test	esi, esi
		js	loc_5220F6
		mov	edi, [ebp-2Ch]
		lea	eax, [edi+2Ch]
		mov	[ebp-24h], eax
		mov	eax, [eax]
		mov	[ebp+18h], eax
		test	eax, 800h
		jnz	short loc_521FA3
		push	edi
		call	IoGetRelatedDeviceObject
		mov	[ebp-30h], eax
		mov	eax, [ebp-24h]
		mov	eax, [eax]
		jmp	short loc_521FB2
; 

loc_521FA3:				; CODE XREF: .text:00521F91j
		mov	eax, [edi+4]
		push	eax
		call	_IoGetAttachedDevice@4 ; IoGetAttachedDevice(x)
		mov	[ebp-30h], eax
		mov	eax, [ebp+18h]

loc_521FB2:				; CODE XREF: .text:00521FA1j
		test	al, 2
		jz	loc_522151
		shr	eax, 2
		and	al, 1
		mov	[ebp+18h], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		mov	edi, [ebp-2Ch]
		lea	ecx, [edi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	edx, eax
		mov	byte ptr [ebp-1Ch], 0
		mov	ecx, 1
		lea	eax, [edi+44h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_522006
		test	edx, edx
		jz	short loc_521FFB
		or	byte ptr [edx+0Eh], 1

loc_521FFB:				; CODE XREF: .text:00521FF5j
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	esi, esi
		jmp	short loc_52201A
; 

loc_522006:				; CODE XREF: .text:00521FF1j
		lea	eax, [ebp-1Ch]
		push	eax
		push	edx
		push	dword ptr [ebp+18h]
		mov	dl, [ebp-1Bh]
		mov	ecx, edi
		call	IopWaitAndAcquireFileObjectLock
		mov	esi, eax

loc_52201A:				; CODE XREF: .text:00522004j
		mov	[ebp+18h], esi
		cmp	byte ptr [ebp-1Ch], 0
		jnz	loc_5220EF
		cmp	ebx, 0Eh
		jnz	loc_52214D
		mov	ecx, [ebp+14h]
		cmp	ecx, 8
		jnb	short loc_52205F
		mov	ecx, edi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)
		mov	ecx, edi
		call	ObfDereferenceObject

loc_522046:				; CODE XREF: .text:00521DEEj
		mov	eax, 0C0000004h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_52205F:				; CODE XREF: .text:00522036j
		mov	dword ptr [ebp-4], 1
		mov	eax, [ebp+10h]
		mov	ebx, [eax]
		mov	[ebp-6Ch], ebx
		mov	edx, [eax+4]
		mov	[ebp-68h], edx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		test	byte ptr [eax],	8
		jz	short loc_522097
		mov	eax, [ebp-30h]
		movzx	eax, word ptr [eax+0ACh]
		test	ax, ax
		jz	short loc_522097
		dec	eax
		test	eax, ebx
		jnz	short loc_52209B

loc_522097:				; CODE XREF: .text:00522081j
					; .text:00522090j
		test	edx, edx
		jns	short loc_5220A2

loc_52209B:				; CODE XREF: .text:00522095j
		mov	esi, 0C000000Dh
		jmp	short loc_5220E1
; 

loc_5220A2:				; CODE XREF: .text:00522099j
		mov	[edi+38h], ebx
		mov	[edi+3Ch], edx
		mov	dword ptr [ebp-4], 2
		mov	eax, [ebp+0Ch]
		mov	dword ptr [eax], 0
		mov	dword ptr [eax+4], 0
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_5220E1
; 

loc_5220C8:				; DATA XREF: .text:006A5AD4o
		mov	eax, 1
		retn
; 

loc_5220CE:				; DATA XREF: .text:006A5AD8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp+14h]
		mov	esi, [ebp+18h]
		mov	edi, [ebp-2Ch]

loc_5220E1:				; CODE XREF: .text:005220A0j
					; .text:005220C6j
		xor	edx, edx
		call	_IopUpdateOtherTransferCount@8 ; IopUpdateOtherTransferCount(x,x)

loc_5220E8:				; CODE XREF: .text:005221E3j
		mov	ecx, edi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_5220EF:				; CODE XREF: .text:00522021j
					; .text:005221DDj
		mov	ecx, edi
		call	ObfDereferenceObject

loc_5220F6:				; CODE XREF: .text:00521F78j
					; .text:0052285Dj ...
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_52210C:				; DATA XREF: .text:006A5AC8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		mov	eax, 1
		retn
; 

loc_52211C:				; DATA XREF: .text:006A5ACCo
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-2Ch]
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)
		mov	ecx, [ebp-2Ch]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-50h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_52214D:				; CODE XREF: .text:0052202Aj
		mov	al, 1
		jmp	short loc_522160
; 

loc_522151:				; CODE XREF: .text:00521FB4j
		push	0
		push	1
		lea	eax, [ebp-7Ch]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	al, al

loc_522160:				; CODE XREF: .text:0052214Fj
		mov	[ebp-24h], al
		mov	ecx, edi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		cmp	ebx, 24h
		jnz	short loc_5221E8
		mov	eax, [ebp+14h]
		mov	bl, [ebp-24h]
		cmp	eax, 0Ch
		jnb	short loc_522181
		mov	esi, 0C0000004h
		jmp	short loc_5221DB
; 

loc_522181:				; CODE XREF: .text:00522178j
		test	bl, bl
		lea	ecx, [edi+5Ch]
		jnz	short loc_52218B
		lea	ecx, [ebp-7Ch]

loc_52218B:				; CODE XREF: .text:00522186j
		push	dword ptr [ebp-28h]
		push	ecx
		push	eax
		push	dword ptr [ebp+10h]
		lea	edx, [ebp-64h]
		mov	ecx, edi
		call	IopTrackLink
		mov	esi, eax
		mov	[ebp+18h], esi
		test	esi, esi
		js	short loc_5221DB
		mov	dword ptr [ebp-4], 3
		mov	eax, [ebp+0Ch]
		mov	dword ptr [eax+4], 0
		mov	[eax], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_5221DB
; 

loc_5221C2:				; DATA XREF: .text:006A5AE0o
		mov	eax, 1
		retn
; 

loc_5221C8:				; DATA XREF: .text:006A5AE4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp+18h]
		mov	edi, [ebp-2Ch]
		mov	bl, [ebp-24h]

loc_5221DB:				; CODE XREF: .text:0052217Fj
					; .text:005221A4j ...
		test	bl, bl
		jz	loc_5220EF
		jmp	loc_5220E8
; 

loc_5221E8:				; CODE XREF: .text:0052216Dj
		mov	eax, [ebp+4]
		push	eax
		mov	al, [ebp-24h]
		xor	al, 1
		movzx	eax, al
		push	eax
		mov	eax, [ebp-30h]
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	edi, eax
		mov	[ebp-40h], edi
		test	edi, edi
		jnz	short loc_52222E
		xor	edx, edx
		mov	ecx, [ebp-2Ch]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		mov	eax, 0C000009Ah
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_52222E:				; CODE XREF: .text:00522209j
		mov	eax, [ebp-2Ch]
		mov	[ebp+18h], eax
		mov	[edi+64h], eax
		mov	ecx, [ebp-38h]
		mov	[edi+50h], ecx
		mov	cl, [ebp-1Bh]
		mov	[edi+20h], cl
		cmp	byte ptr [ebp-24h], 0
		jz	short loc_522254
		or	byte ptr [edi+27h], 2
		mov	ecx, [ebp+0Ch]
		xor	edx, edx
		jmp	short loc_522273
; 

loc_522254:				; CODE XREF: .text:00522247j
		cmp	cl, 1
		jnz	short loc_522266
		push	0
		call	_KeSetKernelStackSwapEnable@4 ;	KeSetKernelStackSwapEnable(x)
		mov	[ebp-19h], al
		mov	eax, [ebp+18h]

loc_522266:				; CODE XREF: .text:00522257j
		mov	dword ptr [edi+8], 4
		lea	ecx, [ebp-64h]
		lea	edx, [ebp-7Ch]

loc_522273:				; CODE XREF: .text:00522252j
		mov	[edi+2Ch], edx
		mov	[edi+28h], ecx
		mov	dword ptr [edi+30h], 0
		mov	edx, [edi+60h]
		sub	edx, 24h
		mov	[ebp-34h], edx
		mov	byte ptr [edx],	6
		mov	[edx+18h], eax
		mov	dword ptr [edi+0Ch], 0
		mov	dword ptr [edi+4], 0
		mov	dword ptr [ebp-4], 4
		mov	edx, [ebp+14h]
		call	sub_4FA154
		mov	[ebp-44h], eax
		mov	[edi+0Ch], eax
		push	dword ptr [ebp+14h]
		push	dword ptr [ebp+10h]
		push	eax
		call	_memcpy
		add	esp, 0Ch
		cmp	ebx, 14h
		jz	short loc_5222D0
		cmp	ebx, 13h
		jz	short loc_5222D0
		cmp	ebx, 0Eh
		jnz	short loc_5222DD

loc_5222D0:				; CODE XREF: .text:005222C4j
					; .text:005222C9j
		mov	eax, [ebp-44h]
		cmp	dword ptr [eax+4], 0
		jl	loc_5228CC

loc_5222DD:				; CODE XREF: .text:005222CEj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		or	dword ptr [edi+8], 830h
		mov	eax, [ebp+14h]
		mov	ecx, [ebp-34h]
		mov	[ecx+4], eax
		mov	[ecx+8], ebx
		cmp	byte ptr [ebp-1Ah], 0
		jnz	short loc_522303
		cmp	byte ptr [ebp-1Dh], 0
		jz	short loc_522307

loc_522303:				; CODE XREF: .text:005222FBj
		or	byte ptr [ecx+2], 1

loc_522307:				; CODE XREF: .text:00522301j
		mov	ecx, edi
		call	IopQueueThreadIrp
		call	_IopUpdateOtherOperationCount@0	; IopUpdateOtherOperationCount()
		cmp	ebx, 10h
		jnz	loc_5223AB
		mov	esi, [edi+0Ch]
		mov	edx, [esi]
		test	edx, 0FFFFFFC9h
		jnz	short loc_52239A
		mov	ecx, edx
		and	ecx, 30h
		mov	eax, [ebp+18h]
		jz	short loc_522339
		test	byte ptr [eax+2Ch], 2
		jz	short loc_52239A

loc_522339:				; CODE XREF: .text:00522331j
		test	ecx, ecx
		jnz	short loc_522343
		test	byte ptr [eax+2Ch], 2
		jnz	short loc_52239A

loc_522343:				; CODE XREF: .text:0052233Bj
		cmp	ecx, 30h
		jz	short loc_52239A
		mov	ecx, [eax+2Ch]
		test	cl, 8
		jnz	short loc_522360
		test	dl, 2
		jz	short loc_52235A
		or	ecx, 10h
		jmp	short loc_52235D
; 

loc_52235A:				; CODE XREF: .text:00522353j
		and	ecx, 0FFFFFFEFh

loc_52235D:				; CODE XREF: .text:00522358j
		mov	[eax+2Ch], ecx

loc_522360:				; CODE XREF: .text:0052234Ej
		test	byte ptr [esi],	4
		jz	short loc_52236A
		or	ecx, 20h
		jmp	short loc_52236D
; 

loc_52236A:				; CODE XREF: .text:00522363j
		and	ecx, 0FFFFFFDFh

loc_52236D:				; CODE XREF: .text:00522368j
		mov	[eax+2Ch], ecx
		test	cl, 2
		jz	short loc_522390
		test	byte ptr [esi],	10h
		jz	short loc_52238A
		or	ecx, 4
		mov	[eax+2Ch], ecx
		xor	esi, esi
		mov	[edi+1Ch], esi
		jmp	loc_522764
; 

loc_52238A:				; CODE XREF: .text:00522378j
		and	ecx, 0FFFFFFFBh
		mov	[eax+2Ch], ecx

loc_522390:				; CODE XREF: .text:00522373j
		xor	esi, esi
		mov	[edi+1Ch], esi
		jmp	loc_522764
; 

loc_52239A:				; CODE XREF: .text:00522327j
					; .text:00522337j ...
		mov	esi, 0C000000Dh
		mov	dword ptr [edi+1Ch], 0
		jmp	loc_522764
; 

loc_5223AB:				; CODE XREF: .text:00522316j
		cmp	ebx, 0Ah
		jz	loc_5226E4
		cmp	ebx, 41h
		jz	loc_5226E4
		cmp	ebx, 0Bh
		jz	loc_5226E4
		cmp	ebx, 48h
		jz	loc_5226E4
		cmp	ebx, 1Fh
		jz	loc_5226E4
		cmp	ebx, 28h
		jnz	short loc_522406
		mov	ecx, [edi+0Ch]
		mov	eax, [ebp+14h]
		add	eax, 0FFFFFFFCh
		cmp	eax, [ecx]
		jb	loc_52275F
		mov	ebx, [ebp+18h]
		cmp	word ptr [ecx+4], 5Ch
		jnz	loc_52274B
		mov	esi, 0C000000Dh
		jmp	loc_522767
; 

loc_522406:				; CODE XREF: .text:005223DBj
		cmp	ebx, 0Dh
		jz	loc_5226C6
		cmp	ebx, 40h
		jz	loc_5226C6
		cmp	ebx, 1Eh
		jnz	loc_522514
		mov	ecx, [edi+0Ch]
		mov	[ebp+14h], ecx
		mov	ebx, [ebp+18h]
		cmp	dword ptr [ebx+6Ch], 0
		jnz	loc_522503
		test	byte ptr [ebx+2Ch], 2
		jnz	loc_522503
		mov	eax, ds:_IoCompletionObjectType
		mov	ecx, [ecx]
		mov	dword ptr [ebp-34h], 0
		push	0
		lea	edx, [ebp-34h]
		push	edx
		push	dword ptr [ebp-28h]
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_522508
		push	63436F49h
		push	0Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_522498
		mov	ecx, [ebp-34h]
		call	ObfDereferenceObject
		mov	esi, 0C000009Ah
		mov	dword ptr [edi+1Ch], 0
		jmp	loc_522767
; 

loc_522498:				; CODE XREF: .text:0052247Dj
		lea	eax, [ebx+70h]
		mov	ecx, eax
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		lea	ecx, [ebx+70h]
		cmp	dword ptr [ebx+6Ch], 0
		jnz	short loc_5224DB
		and	dword ptr [ebx+2Ch], 0FFFFFBFFh
		mov	edx, [ebp-34h]
		mov	[esi], edx
		mov	edx, [ebp+14h]
		mov	edx, [edx+4]
		mov	[esi+4], edx
		mov	dword ptr [esi+8], 0
		mov	[ebx+6Ch], esi
		xor	esi, esi
		mov	dl, al
		call	KfReleaseSpinLock
		mov	[edi+1Ch], esi
		jmp	loc_522767
; 

loc_5224DB:				; CODE XREF: .text:005224A9j
		mov	dl, al
		call	KfReleaseSpinLock
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp-34h]
		call	ObfDereferenceObject
		mov	esi, 0C0000048h
		mov	dword ptr [edi+1Ch], 0
		jmp	loc_522767
; 

loc_522503:				; CODE XREF: .text:0052242Ej
					; .text:00522438j ...
		mov	esi, 0C000000Dh

loc_522508:				; CODE XREF: .text:00522462j
					; .text:00522558j ...
		mov	dword ptr [edi+1Ch], 0
		jmp	loc_522767
; 

loc_522514:				; CODE XREF: .text:0052241Bj
		cmp	ebx, 3Dh
		jnz	short loc_522581
		mov	eax, [edi+0Ch]
		mov	[ebp+10h], eax
		xor	ecx, ecx
		mov	[ebp+14h], ecx
		mov	ebx, [ebp+18h]
		cmp	[ebx+6Ch], ecx
		jz	short loc_522503
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_522556
		mov	eax, ds:_IoCompletionObjectType
		mov	[ebp-3Ch], ecx
		push	ecx
		lea	ecx, [ebp-3Ch]
		push	ecx
		push	dword ptr [ebp-28h]
		push	eax
		push	2
		push	edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	ecx, [ebp-3Ch]
		mov	[ebp+14h], ecx
		mov	eax, [ebp+10h]

loc_522556:				; CODE XREF: .text:00522530j
		test	esi, esi
		js	short loc_522508
		mov	eax, [eax+4]
		push	eax
		mov	edx, ecx
		mov	ecx, ebx
		call	_IopReplaceCompletionPort@12 ; IopReplaceCompletionPort(x,x,x)
		mov	esi, eax
		mov	ecx, [ebp+14h]
		test	ecx, ecx
		jz	short loc_522508
		call	ObfDereferenceObject
		mov	dword ptr [edi+1Ch], 0
		jmp	loc_522767
; 

loc_522581:				; CODE XREF: .text:00522517j
		cmp	ebx, 29h
		jnz	short loc_5225DF
		mov	edx, [edi+0Ch]
		mov	ebx, [ebp+18h]
		mov	eax, [ebx+2Ch]
		test	al, 2
		jz	short loc_5225A4
		mov	esi, 0C000000Dh
		mov	dword ptr [edi+1Ch], 0
		jmp	loc_522767
; 

loc_5225A4:				; CODE XREF: .text:00522591j
		xor	esi, esi
		mov	ecx, [edx]
		test	cl, 1
		jz	short loc_5225B7
		or	eax, 2000000h
		mov	[ebx+2Ch], eax
		mov	ecx, [edx]

loc_5225B7:				; CODE XREF: .text:005225ABj
		test	cl, 2
		jz	short loc_5225C6
		or	eax, 4000000h
		mov	[ebx+2Ch], eax
		mov	ecx, [edx]

loc_5225C6:				; CODE XREF: .text:005225BAj
		test	cl, 4
		jz	short loc_5225D3
		or	eax, 8000000h
		mov	[ebx+2Ch], eax

loc_5225D3:				; CODE XREF: .text:005225C9j
		mov	dword ptr [edi+1Ch], 0
		jmp	loc_522767
; 

loc_5225DF:				; CODE XREF: .text:00522584j
		cmp	ebx, 2Ah
		jnz	short loc_52263E
		push	dword ptr [ebp-28h]
		mov	eax, ds:dword_A94A5C
		push	eax
		mov	eax, ds:_SeLockMemoryPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		mov	ebx, [ebp+18h]
		test	al, al
		jnz	short loc_522610
		mov	esi, 0C0000061h
		mov	dword ptr [edi+1Ch], 0
		jmp	loc_522767
; 

loc_522610:				; CODE XREF: .text:005225FDj
		test	byte ptr [ebx+2Ch], 2
		jz	short loc_522627
		mov	esi, 0C000000Dh
		mov	dword ptr [edi+1Ch], 0
		jmp	loc_522767
; 

loc_522627:				; CODE XREF: .text:00522614j
		mov	edx, edi
		mov	ecx, ebx
		call	_IopSetFileObjectIosbRange@8 ; IopSetFileObjectIosbRange(x,x)
		mov	esi, eax
		mov	dword ptr [edi+1Ch], 0
		jmp	loc_522767
; 

loc_52263E:				; CODE XREF: .text:005225E2j
		cmp	ebx, 2Bh
		jnz	short loc_522688
		mov	dword ptr [ebp-40h], 0
		mov	eax, [edi+0Ch]
		mov	[ebp+14h], eax
		mov	ebx, [ebp+18h]
		cmp	dword ptr [eax], 2
		ja	loc_522503
		lea	edx, [ebp-40h]
		mov	ecx, ebx
		call	IopAllocateFileObjectExtension
		mov	esi, eax
		test	esi, esi
		js	loc_522508
		mov	ecx, [ebp+14h]
		mov	ecx, [ecx]
		inc	ecx
		mov	eax, [ebp-40h]
		mov	[eax+28h], ecx
		mov	dword ptr [edi+1Ch], 0
		jmp	loc_522767
; 

loc_522688:				; CODE XREF: .text:00522641j
		cmp	ebx, 45h
		mov	ebx, [ebp+18h]
		jnz	loc_52274B
		cmp	byte ptr [ebp-1Bh], 0
		jz	short loc_5226AB
		mov	esi, 0C0000022h
		mov	dword ptr [edi+1Ch], 0
		jmp	loc_522767
; 

loc_5226AB:				; CODE XREF: .text:00522698j
		push	dword ptr [ebp+14h]
		mov	edx, [edi+0Ch]
		mov	ecx, ebx
		call	_IopSetFileMemoryPartitionInformation@12 ; IopSetFileMemoryPartitionInformation(x,x,x)
		mov	esi, eax
		mov	dword ptr [edi+1Ch], 0
		jmp	loc_522767
; 

loc_5226C6:				; CODE XREF: .text:00522409j
					; .text:00522412j
		mov	eax, [edi+0Ch]
		mov	al, [eax]
		cmp	ebx, 40h
		jnz	short loc_5226D2
		and	al, 1

loc_5226D2:				; CODE XREF: .text:005226CEj
		test	al, al
		jz	short loc_5226DF
		mov	edx, [ebp-34h]
		mov	eax, [ebp+8]
		mov	[edx+10h], eax

loc_5226DF:				; CODE XREF: .text:005226D4j
		mov	ebx, [ebp+18h]
		jmp	short loc_52274B
; 

loc_5226E4:				; CODE XREF: .text:005223AEj
					; .text:005223B7j ...
		mov	ecx, [edi+0Ch]
		mov	edx, [ecx+8]
		test	edx, edx
		jz	short loc_52275F
		test	dl, 1
		jnz	short loc_52275F
		mov	eax, [ebp+14h]
		add	eax, 0FFFFFFF4h
		cmp	eax, edx
		jb	short loc_52275F
		cmp	ebx, 1Fh
		jnz	short loc_52270C
		mov	eax, [ecx]
		mov	edx, [ebp-34h]
		mov	[edx+10h], eax
		jmp	short loc_522724
; 

loc_52270C:				; CODE XREF: .text:00522700j
		cmp	ebx, 41h
		jz	short loc_52271A
		cmp	ebx, 48h
		jz	short loc_52271A
		mov	al, [ecx]
		jmp	short loc_52271E
; 

loc_52271A:				; CODE XREF: .text:0052270Fj
					; .text:00522714j
		mov	al, [ecx]
		and	al, 1

loc_52271E:				; CODE XREF: .text:00522718j
		mov	edx, [ebp-34h]
		mov	[edx+10h], al

loc_522724:				; CODE XREF: .text:0052270Aj
		cmp	word ptr [ecx+0Ch], 5Ch
		jz	short loc_522736
		cmp	dword ptr [ecx+4], 0
		jnz	short loc_522736
		mov	ebx, [ebp+18h]
		jmp	short loc_52274B
; 

loc_522736:				; CODE XREF: .text:00522729j
					; .text:0052272Fj
		mov	ebx, [ebp+18h]
		push	ebx
		push	ecx
		mov	edx, edi
		lea	ecx, [ebp-48h]
		call	IopOpenLinkOrRenameTarget
		mov	esi, eax
		test	esi, esi
		js	short loc_522767

loc_52274B:				; CODE XREF: .text:005223F6j
					; .text:0052268Ej ...
		push	2
		push	ebx
		push	dword ptr [ebp-24h]
		mov	edx, edi
		mov	ecx, [ebp-30h]
		call	IopCallDriverReference
		mov	esi, eax
		jmp	short loc_52276A
; 

loc_52275F:				; CODE XREF: .text:005223E8j
					; .text:005226ECj ...
		mov	esi, 0C000000Dh

loc_522764:				; CODE XREF: .text:00522385j
					; .text:00522395j ...
		mov	ebx, [ebp+18h]

loc_522767:				; CODE XREF: .text:00522401j
					; .text:00522493j ...
		mov	[edi+18h], esi

loc_52276A:				; CODE XREF: .text:0052275Dj
		cmp	esi, 103h
		jnz	loc_5227F8
		cmp	byte ptr [ebp-24h], 0
		jz	short loc_522791
		push	dword ptr [ebp-28h]
		mov	edx, ebx
		mov	ecx, edi
		call	_IopWaitForSynchronousIo@12 ; IopWaitForSynchronousIo(x,x,x)
		mov	esi, eax
		mov	ecx, ebx
		jmp	loc_522845
; 

loc_522791:				; CODE XREF: .text:0052277Aj
		push	0
		push	0
		push	dword ptr [ebp-28h]
		push	0
		lea	eax, [ebp-7Ch]
		push	eax
		call	KeWaitForSingleObject
		cmp	eax, 101h
		jz	short loc_5227B1
		cmp	eax, 0C0h
		jnz	short loc_5227BB

loc_5227B1:				; CODE XREF: .text:005227A8j
		mov	edx, edi
		lea	ecx, [ebp-7Ch]
		call	_IopCancelAlertedRequest@8 ; IopCancelAlertedRequest(x,x)

loc_5227BB:				; CODE XREF: .text:005227AFj
		mov	esi, [ebp-64h]
		mov	dword ptr [ebp-4], 5
		mov	ecx, [ebp+0Ch]
		mov	[ecx], esi
		mov	eax, [ebp-60h]
		mov	[ecx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_52284A
; 

loc_5227D9:				; DATA XREF: .text:006A5AF8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		mov	eax, 1
		retn
; 

loc_5227E9:				; DATA XREF: .text:006A5AFCo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-54h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_52284A
; 

loc_5227F8:				; CODE XREF: .text:00522770j
		mov	dword ptr [ebp-44h], 0
		mov	bh, [ebp-24h]
		test	bh, bh
		jnz	short loc_52280D
		mov	dword ptr [edi+2Ch], 0

loc_52280D:				; CODE XREF: .text:00522804j
		mov	eax, [ebp+0Ch]
		mov	[edi+28h], eax
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		lea	eax, [ebp-44h]
		push	eax
		lea	eax, [ebp-2Ch]
		push	eax
		lea	eax, [ebp-44h]
		push	eax
		lea	eax, [ebp-5Ch]
		push	eax
		lea	ecx, [edi+40h]
		push	ecx
		call	_IopCompleteRequest@20 ; IopCompleteRequest(x,x,x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bh, bh
		jz	short loc_52284A
		mov	ecx, [ebp+18h]

loc_522845:				; CODE XREF: .text:0052278Cj
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_52284A:				; CODE XREF: .text:005227D7j
					; .text:005227F6j ...
		mov	al, [ebp-19h]
		test	al, al
		jz	short loc_522858
		push	1
		call	_KeSetKernelStackSwapEnable@4 ;	KeSetKernelStackSwapEnable(x)

loc_522858:				; CODE XREF: .text:0052284Fj
		mov	eax, [ebp-48h]
		test	eax, eax
		jz	loc_5220F6
		push	0
		push	eax
		call	ObCloseHandle
		jmp	loc_5220F6
; 

loc_522870:				; DATA XREF: .text:006A5AECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-58h], eax
		mov	eax, 1
		retn
; 

loc_522880:				; DATA XREF: .text:006A5AF0o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-2Ch]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	0
		push	0
		mov	edx, [ebp-40h]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		cmp	byte ptr [ebp-19h], 0
		jz	short loc_5228A9
		push	1
		call	_KeSetKernelStackSwapEnable@4 ;	KeSetKernelStackSwapEnable(x)

loc_5228A9:				; CODE XREF: .text:005228A0j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-58h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_5228C7:				; CODE XREF: .text:00521E20j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_5228CC:				; CODE XREF: .text:005222D7j
		push	0C000000Dh
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; 
		dw 0CCCCh
		align 10h
; Exported entry 878. IoGetRelatedDeviceObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoGetRelatedDeviceObject
IoGetRelatedDeviceObject proc near	; CODE XREF: CcSetValidData+35p
					; FsRtlReleaseFileForModWrite+60p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005EC7B3 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [edx+8]
		test	eax, eax
		jz	short loc_522911
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_522911

loc_5228F6:				; CODE XREF: IoGetRelatedDeviceObject+4Bj
					; IoGetRelatedDeviceObject+C9ED8j
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_52290D
		mov	edx, [edx+7Ch]
		test	edx, edx
		jnz	short loc_52292D

loc_522904:				; CODE XREF: IoGetRelatedDeviceObject+2Bj
					; IoGetRelatedDeviceObject+53j	...
		mov	eax, ecx
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jnz	short loc_522904

loc_52290D:				; CODE XREF: IoGetRelatedDeviceObject+1Bj
		pop	ebp
		retn	4
; 

loc_522911:				; CODE XREF: IoGetRelatedDeviceObject+Dj
					; IoGetRelatedDeviceObject+14j
		test	dword ptr [edx+2Ch], 800h
		jnz	short loc_522928
		mov	eax, [edx+4]
		mov	eax, [eax+24h]
		test	eax, eax
		jnz	loc_5EC7B3

loc_522928:				; CODE XREF: IoGetRelatedDeviceObject+38j
					; IoGetRelatedDeviceObject+C9EDEj
		mov	eax, [edx+4]
		jmp	short loc_5228F6
; 

loc_52292D:				; CODE XREF: IoGetRelatedDeviceObject+22j
		cmp	edx, _IopRevocationExtension
		jz	short loc_522904
		mov	edx, [edx+8]
		test	edx, edx
		jz	short loc_522904
		mov	edx, [edx]
		test	edx, edx
		jz	short loc_522904

loc_522942:				; CODE XREF: IoGetRelatedDeviceObject+71j
		cmp	eax, edx
		jnz	short loc_52294C
		mov	eax, edx
		pop	ebp
		retn	4
; 

loc_52294C:				; CODE XREF: IoGetRelatedDeviceObject+64j
		mov	eax, [eax+10h]
		test	eax, eax
		jnz	short loc_522942
		jmp	short loc_522904
IoGetRelatedDeviceObject endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall IopUpdateOtherTransferCount(x, x)
_IopUpdateOtherTransferCount@8 proc near ; CODE	XREF: .text:005220E3p
					; IopUpdateIrpTransferCount(x,x)+1Ej
		cmp	_IoCountOperations, 1
		jnz	short locret_5229A1
		test	edx, edx
		jnz	short loc_52297A
		mov	edx, large fs:124h
		mov	edx, [edx+150h]

loc_52297A:				; CODE XREF: IopUpdateOtherTransferCount(x,x)+Bj
		mov	eax, ecx
		add	edx, 218h
		lock add [edx],	eax
		jnb	short loc_52298C
		lock adc dword ptr [edx+4], 0

loc_52298C:				; CODE XREF: IopUpdateOtherTransferCount(x,x)+25j
		mov	eax, large fs:20h
		add	eax, 518h
		lock add [eax],	ecx
		jnb	short locret_5229A1
		lock adc dword ptr [eax+4], 0

locret_5229A1:				; CODE XREF: IopUpdateOtherTransferCount(x,x)+7j
					; IopUpdateOtherTransferCount(x,x)+3Aj
		retn
_IopUpdateOtherTransferCount@8 endp

; 
		align 10h

; __stdcall IopCompleteRequest(x, x, x,	x, x)
_IopCompleteRequest@20:			; CODE XREF: IopCompleteIrpInFileObjectList(x,x,x)+65p
					; IopPostProcessIrp+54p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5B00
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	esi, [ebp+8]
		mov	[ebp-38h], esi
		lea	ecx, [esi-40h]
		mov	[ebp-20h], ecx
		mov	eax, large fs:124h
		mov	[ebp-24h], eax
		mov	eax, [ebp+14h]
		mov	edi, [eax]
		mov	[ebp-34h], edi
		mov	eax, [ebp+10h]
		test	eax, eax
		jz	short loc_522A12
		cmp	dword ptr [eax], 1
		mov	byte ptr [ebp+17h], 1
		jz	short loc_522A16

loc_522A12:				; CODE XREF: .text:00522A07j
		mov	byte ptr [ebp+17h], 0

loc_522A16:				; CODE XREF: .text:00522A10j
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_522A2A
		push	ecx
		mov	ecx, esi
		call	_IovpCompleteRequest@12	; IovpCompleteRequest(x,x,x)
		mov	ecx, [ebp-20h]

loc_522A2A:				; CODE XREF: .text:00522A1Dj
		mov	eax, [esi-38h]
		test	al, al
		jns	short loc_522A60
		mov	eax, [esi-28h]
		mov	[edi+1Ch], eax
		mov	eax, [ebp+18h]
		mov	eax, [eax]
		mov	[esi+14h], eax
		push	0
		push	0
		lea	eax, [edi+5Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_522A60:				; CODE XREF: .text:00522A2Fj
		test	eax, 2000h
		jz	short loc_522A6F
		mov	eax, [esi-10h]
		and	eax, 0FFFFFFFCh
		jmp	short loc_522A71
; 

loc_522A6F:				; CODE XREF: .text:00522A65j
		xor	eax, eax

loc_522A71:				; CODE XREF: .text:00522A6Dj
		mov	[ebp+8], eax
		call	_IopProcessBufferedIoCompletion@8 ; IopProcessBufferedIoCompletion(x,x)
		mov	ebx, [esi-3Ch]
		test	ebx, ebx
		jz	short loc_522AF7

loc_522A80:				; CODE XREF: .text:00522AF5j
		mov	eax, [ebx]
		mov	[ebp+10h], eax
		movzx	eax, word ptr [ebx+6]
		mov	ecx, eax
		test	al, 20h
		jz	short loc_522A9D
		push	ebx
		mov	eax, [ebx+0Ch]
		push	eax
		call	MmUnmapLockedPages
		movzx	ecx, word ptr [ebx+6]

loc_522A9D:				; CODE XREF: .text:00522A8Dj
		test	cl, 8
		jnz	short loc_522AAC
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_522AEE
; 

loc_522AAC:				; CODE XREF: .text:00522AA0j
		mov	edx, large fs:20h
		mov	ecx, [edx+5B8h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_522AE7
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5BCh]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_522AE7
		inc	dword ptr [ecx+18h]
		push	ebx
		mov	eax, [ecx+2Ch]
		call	eax
		jmp	short loc_522AEE
; 

loc_522AE7:				; CODE XREF: .text:00522AC4j
					; .text:00522ADAj
		mov	edx, ebx
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_522AEE:				; CODE XREF: .text:00522AAAj
					; .text:00522AE5j
		mov	eax, [ebp+10h]
		mov	ebx, eax
		test	eax, eax
		jnz	short loc_522A80

loc_522AF7:				; CODE XREF: .text:00522A7Ej
		mov	dword ptr [esi-3Ch], 0
		mov	eax, [esi-28h]
		and	eax, 0C0000000h
		cmp	eax, 0C0000000h
		jnz	short loc_522B3A
		cmp	byte ptr [esi-1Fh], 0
		jnz	short loc_522B3A
		mov	ecx, [esi-14h]
		test	ecx, ecx
		jz	loc_522BD0
		test	edi, edi
		jz	loc_522BD0
		test	byte ptr [esi-38h], 4
		jnz	loc_522BD0
		call	ObfDereferenceObject
		jmp	loc_522BD0
; 

loc_522B3A:				; CODE XREF: .text:00522B0Bj
					; .text:00522B11j
		mov	dword ptr [ebp-30h], 0
		mov	dword ptr [ebp-4], 0
		mov	ecx, [esi-18h]
		mov	eax, [esi-24h]
		mov	[ecx+4], eax
		nop
		mov	eax, [esi-28h]
		mov	[ecx], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_522B7C
; 

loc_522B60:				; DATA XREF: .text:006A5B14o
		lea	edx, [ebp-30h]
		mov	ecx, [ebp-14h]
		call	_IopExceptionFilter@8 ;	IopExceptionFilter(x,x)
		retn
; 

loc_522B6C:				; DATA XREF: .text:006A5B18o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-34h]
		mov	esi, [ebp-38h]

loc_522B7C:				; CODE XREF: .text:00522B5Ej
		mov	eax, [esi-14h]
		test	eax, eax
		jz	short loc_522BB0
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		test	edi, edi
		jz	short loc_522BD0
		test	byte ptr [esi-38h], 4
		jnz	short loc_522B9F
		mov	ecx, [esi-14h]
		call	ObfDereferenceObject

loc_522B9F:				; CODE XREF: .text:00522B95j
		test	byte ptr [edi+2Ch], 2
		jz	short loc_522BD0
		test	dword ptr [esi-38h], 1000h
		jnz	short loc_522BD0
		jmp	short loc_522BBD
; 

loc_522BB0:				; CODE XREF: .text:00522B81j
		test	edi, edi
		jz	short loc_522BD0
		test	dword ptr [edi+2Ch], 4000000h
		jnz	short loc_522BCA

loc_522BBD:				; CODE XREF: .text:00522BAEj
		push	0
		push	0
		lea	eax, [edi+5Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_522BCA:				; CODE XREF: .text:00522BBBj
		mov	eax, [esi-28h]
		mov	[edi+1Ch], eax

loc_522BD0:				; CODE XREF: .text:00522B18j
					; .text:00522B20j ...
		mov	eax, [esi-28h]
		and	eax, 0C0000000h
		cmp	eax, 0C0000000h
		jnz	short loc_522C5C
		cmp	byte ptr [esi-1Fh], 0
		jz	short loc_522BF7
		test	byte ptr [esi-38h], 4
		jnz	short loc_522BF7
		test	edi, edi
		jz	short loc_522C5C
		mov	eax, [edi+2Ch]
		and	eax, 2
		jz	short loc_522C5C

loc_522BF7:				; CODE XREF: .text:00522BE3j
					; .text:00522BE9j
		mov	ebx, [ebp-20h]
		test	dword ptr [esi-38h], 2000h
		jz	short loc_522C0C
		mov	edx, edi
		mov	ecx, ebx
		call	IopDequeueIrpFromFileObject

loc_522C0C:				; CODE XREF: .text:00522C01j
		test	edi, edi
		jz	short loc_522C1B
		push	746C6644h
		push	edi
		call	ObDereferenceObjectDeferDeleteWithTag

loc_522C1B:				; CODE XREF: .text:00522C0Ej
		test	dword ptr [esi-38h], 8000h
		jz	short loc_522C4D
		lea	ecx, [esi-10h]
		or	edx, 0FFFFFFFFh
		call	IopInterlockedAdd
		test	eax, eax
		jnz	short loc_522C39

loc_522C33:				; CODE XREF: .text:00522C5Aj
		push	ebx
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_522C39:				; CODE XREF: .text:00522C31j
					; .text:00522E5Fj ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_522C4D:				; CODE XREF: .text:00522C22j
		mov	edx, [ebp-24h]
		mov	[esi+10h], edx
		mov	ecx, ebx
		call	IopDequeueIrpFromThread
		jmp	short loc_522C33
; 

loc_522C5C:				; CODE XREF: .text:00522BDDj
					; .text:00522BEDj ...
		xor	ebx, ebx
		mov	[ebp-28h], ebx
		mov	[ebp-2Ch], ebx
		mov	[ebp-19h], bl
		test	edi, edi
		jz	short loc_522CA8
		mov	eax, [edi+6Ch]
		test	eax, eax
		jz	short loc_522CA8
		test	dword ptr [esi-38h], 2000h
		jnz	short loc_522C92
		lea	eax, [ebp-2Ch]
		push	eax
		lea	eax, [ebp-28h]
		push	eax
		lea	edx, [ebp-19h]
		mov	ecx, edi
		call	_IopIncrementCompletionContextUsageCountAndReadData@16 ; IopIncrementCompletionContextUsageCountAndReadData(x,x,x,x)
		mov	ebx, [ebp-28h]
		jmp	short loc_522C9D
; 

loc_522C92:				; CODE XREF: .text:00522C79j
		mov	ebx, [eax]
		mov	[ebp-28h], ebx
		mov	eax, [eax+4]
		mov	[ebp-2Ch], eax

loc_522C9D:				; CODE XREF: .text:00522C90j
		test	ebx, ebx
		jz	short loc_522CA8
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_522CA8:				; CODE XREF: .text:00522C69j
					; .text:00522C70j ...
		mov	edx, [ebp+8]
		mov	ecx, [ebp-20h]
		call	_IopUpdateIrpTransferCount@8 ; IopUpdateIrpTransferCount(x,x)
		test	dword ptr [esi-38h], 2000h
		jz	short loc_522CCB
		mov	edx, edi
		mov	ecx, [ebp-20h]
		call	IopDequeueIrpFromFileObject
		jmp	loc_522D66
; 

loc_522CCB:				; CODE XREF: .text:00522CBAj
		mov	eax, [ebp-24h]
		mov	[esi+10h], eax
		mov	byte ptr [ebp+0Bh], 0
		test	eax, eax
		jz	short loc_522D11
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+0Bh], al
		test	ds:byte_70EFC6,	21h
		jz	short loc_522CFB
		mov	ecx, [ebp-24h]
		lea	ecx, [ecx+350h]
		call	@KiAcquireSpinLockInstrumented@4 ; KiAcquireSpinLockInstrumented(x)
		jmp	short loc_522D11
; 

loc_522CFB:				; CODE XREF: .text:00522CE9j
		mov	eax, [ebp-24h]
		add	eax, 350h
		lock bts dword ptr [eax], 0
		jnb	short loc_522D11
		mov	ecx, eax
		call	KxWaitForSpinLockAndAcquire

loc_522D11:				; CODE XREF: .text:00522CD7j
					; .text:00522CF9j ...
		lea	eax, [esi-30h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_522EB7
		cmp	[ecx], eax
		jnz	loc_522EB7
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp-24h]
		test	eax, eax
		jz	short loc_522D66
		add	eax, 350h
		test	ds:byte_70EFC6,	1
		jz	short loc_522D58
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	ebx, [ebp-28h]
		jmp	short loc_522D5D
; 

loc_522D58:				; CODE XREF: .text:00522D47j
		xor	ecx, ecx
		lock and [eax],	ecx

loc_522D5D:				; CODE XREF: .text:00522D56j
		mov	cl, [ebp+0Bh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_522D66:				; CODE XREF: .text:00522CC6j
					; .text:00522D39j
		mov	eax, [esi-38h]
		and	eax, 8000h
		mov	[ebp+8], eax
		jnz	short loc_522DBD
		mov	edx, [esi-10h]
		test	edx, edx
		jz	short loc_522DBD
		cmp	byte ptr [ebp+17h], 0
		jz	short loc_522D86
		movsx	ecx, byte ptr [esi-1Ah]
		jmp	short loc_522D8B
; 

loc_522D86:				; CODE XREF: .text:00522D7Ej
		mov	ecx, 2

loc_522D8B:				; CODE XREF: .text:00522D84j
		mov	eax, [esi-0Ch]
		push	eax
		movzx	eax, byte ptr [esi-20h]
		push	eax
		push	edx
		push	offset _IopUserRundown@4 ; IopUserRundown(x)
		push	offset _IopUserCompletion@20 ; IopUserCompletion(x,x,x,x,x)
		push	ecx
		mov	edx, [ebp-24h]
		push	edx
		push	esi
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	2
		push	0
		mov	eax, [esi-18h]
		push	eax
		push	esi
		call	KeInsertQueueApc
		jmp	loc_522E45
; 

loc_522DBD:				; CODE XREF: .text:00522D71j
					; .text:00522D78j
		mov	edx, [ebp-20h]
		test	ebx, ebx
		jz	short loc_522E0E
		cmp	dword ptr [esi-0Ch], 0
		jz	short loc_522E0E
		mov	ecx, edi
		call	_IopSkipCompletionPort@8 ; IopSkipCompletionPort(x,x)
		test	eax, eax
		jnz	short loc_522E0B
		xor	ecx, ecx
		test	edi, edi
		jz	short loc_522DF0
		mov	eax, [edi+4]
		mov	eax, [eax+2Ch]
		cmp	eax, 8
		jz	short loc_522DEB
		cmp	eax, 14h
		jnz	short loc_522DF0

loc_522DEB:				; CODE XREF: .text:00522DE4j
		mov	ecx, 1

loc_522DF0:				; CODE XREF: .text:00522DD9j
					; .text:00522DE9j
		mov	eax, [ebp-2Ch]
		mov	[esi], eax
		mov	dword ptr [esi+20h], 0
		push	0
		push	ecx
		lea	edx, [esi+18h]
		mov	ecx, ebx
		call	KeInsertQueueEx
		jmp	short loc_522E45
; 

loc_522E0B:				; CODE XREF: .text:00522DD3j
		mov	eax, [ebp+8]

loc_522E0E:				; CODE XREF: .text:00522DC2j
					; .text:00522DC8j
		test	eax, eax
		jz	short loc_522E3F
		lea	ebx, [esi-10h]
		mov	eax, [ebx]

loc_522E17:				; CODE XREF: .text:00522E2Cj
		mov	edx, eax
		mov	esi, eax
		and	esi, 3
		dec	esi
		mov	ecx, eax
		and	ecx, 0FFFFFFFCh
		or	ecx, esi
		lock cmpxchg [ebx], ecx
		cmp	edx, eax
		jnz	short loc_522E17
		test	esi, esi
		jnz	short loc_522E3A
		push	dword ptr [ebp-20h]
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_522E3A:				; CODE XREF: .text:00522E30j
		mov	ebx, [ebp-28h]
		jmp	short loc_522E45
; 

loc_522E3F:				; CODE XREF: .text:00522E10j
		push	edx
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_522E45:				; CODE XREF: .text:00522DB8j
					; .text:00522E09j ...
		test	ebx, ebx
		jz	short loc_522E50
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_522E50:				; CODE XREF: .text:00522E47j
		cmp	byte ptr [ebp-19h], 0
		jz	short loc_522E5D
		mov	ecx, edi
		call	_IopDecrementCompletionContextUsageCount@4 ; IopDecrementCompletionContextUsageCount(x)

loc_522E5D:				; CODE XREF: .text:00522E54j
		test	edi, edi
		jz	loc_522C39
		lea	esi, [edi-18h]
		cmp	ds:_ObpTraceFlags, 0
		jz	short loc_522E81
		push	746C6644h
		push	1
		xor	dl, dl
		mov	ecx, esi
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)

loc_522E81:				; CODE XREF: .text:00522E6Fj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		dec	eax
		test	eax, eax
		jg	loc_522C39
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_522EBE
		test	eax, eax
		js	short loc_522EE8
		mov	ecx, esi
		call	ObpDeferObjectDeletion
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_522EB7:				; CODE XREF: .text:00522D1Cj
					; .text:00522D24j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_522EBE:				; CODE XREF: .text:00522E96j
		push	ecx
		push	3
		push	edi
		mov	eax, esi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		push	eax
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_522EE8:				; CODE XREF: .text:00522E9Aj
		push	eax
		push	4
		push	edi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 3 dup(0CCh)
		align 10h
; Exported entry 1289. KeSetEvent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetEvent(x, x, x)
		public _KeSetEvent@12
_KeSetEvent@12	proc near		; CODE XREF: ExpUnblockPushLock+41p
					; ExpWakePushLock(x,x)+69p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi],	7Fh
		jz	short loc_522F7E
		mov	[ebp+var_14], 0

loc_522F18:				; CODE XREF: KeSetEvent(x,x,x)+8Fj
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_20], al
		mov	ecx, esi
		mov	eax, large fs:20h
		mov	[ebp+var_8], eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edi, [esi+4]
		mov	ecx, 0FFFFFF7Fh
		mov	dword ptr [esi+4], 1
		test	edi, edi
		jnz	short loc_522F56
		mov	eax, [esi+8]
		push	ebx
		lea	ebx, [esi+8]
		cmp	[ebp+var_14], edi
		jnz	short loc_522F91
		cmp	eax, ebx
		jnz	short loc_522FA0

loc_522F55:				; CODE XREF: KeSetEvent(x,x,x)+9Aj
					; KeSetEvent(x,x,x)+F1j ...
		pop	ebx

loc_522F56:				; CODE XREF: KeSetEvent(x,x,x)+43j
		lock and [esi],	ecx
		push	[ebp+var_20]
		movzx	edx, [ebp+arg_8]
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_8]
		neg	edx
		push	1
		sbb	edx, edx
		and	edx, 3
		call	KiExitDispatcher
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_522F7E:				; CODE XREF: KeSetEvent(x,x,x)+Fj
		cmp	dword ptr [esi+4], 1
		jz	loc_52302D

loc_522F88:				; CODE XREF: KeSetEvent(x,x,x)+131j
		mov	[ebp+var_14], 1
		jmp	short loc_522F18
; 

loc_522F91:				; CODE XREF: KeSetEvent(x,x,x)+4Fj
		cmp	eax, ebx
		jnz	short loc_522FF6

loc_522F95:				; CODE XREF: KeSetEvent(x,x,x)+128j
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		jmp	short loc_522F55
; 
		align 10h

loc_522FA0:				; CODE XREF: KeSetEvent(x,x,x)+53j
					; KeSetEvent(x,x,x)+358j
		mov	edx, [eax]
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		mov	[ebp+var_14], edx
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jz	short loc_522FB9

loc_522FB2:				; CODE XREF: KeSetEvent(x,x,x)+BBj
					; KeSetEvent(x,x,x)+20Dj ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_522FB9:				; CODE XREF: KeSetEvent(x,x,x)+B0j
		cmp	[eax], ecx
		jnz	short loc_522FB2
		mov	[eax], edx
		mov	[edx+4], eax
		mov	al, [ecx+8]
		cmp	al, 1
		jnz	short loc_523043
		movzx	eax, word ptr [ecx+0Ah]
		mov	edx, ecx
		mov	ecx, [ebp+var_8]
		push	0
		push	eax
		call	KiTryUnwaitThread
		test	al, al
		jz	loc_52324D
		add	dword ptr [esi+4], 0FFFFFFFFh
		jnz	loc_52324D

loc_522FEC:				; CODE XREF: KeSetEvent(x,x,x)+352j
		mov	ecx, 0FFFFFF7Fh
		jmp	loc_522F55
; 

loc_522FF6:				; CODE XREF: KeSetEvent(x,x,x)+93j
					; KeSetEvent(x,x,x)+121j
		mov	ecx, eax
		mov	eax, [eax]
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], ecx
		mov	al, [ecx+8]
		cmp	al, 1
		jnz	loc_523145
		movzx	eax, word ptr [ecx+0Ah]
		push	0
		push	eax

loc_523012:				; CODE XREF: KeSetEvent(x,x,x)+364j
		mov	edx, ecx
		mov	ecx, [ebp+var_8]
		call	KiTryUnwaitThread

loc_52301C:				; CODE XREF: KeSetEvent(x,x,x)+2E1j
		mov	eax, [ebp+var_14]
		cmp	eax, ebx
		jnz	short loc_522FF6
		mov	ecx, 0FFFFFF7Fh
		jmp	loc_522F95
; 

loc_52302D:				; CODE XREF: KeSetEvent(x,x,x)+82j
		cmp	[ebp+arg_8], 0
		jnz	loc_522F88
		mov	eax, 1
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_523043:				; CODE XREF: KeSetEvent(x,x,x)+C7j
		cmp	al, 2
		jnz	loc_52323C
		mov	byte ptr [ecx+9], 5
		mov	eax, [ecx+0Ch]
		mov	[ebp+arg_0], eax
		add	eax, 8
		mov	dword ptr [ecx], 0
		mov	[ebp+var_10], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_18], eax
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		jz	short loc_523098
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_4]
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_523098:				; CODE XREF: KeSetEvent(x,x,x)+180j
		mov	ecx, [ebp+arg_0]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+arg_0]
		cmp	[edx], edx
		jz	short loc_5230F8
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+1Ch]
		jnb	short loc_5230F8
		mov	eax, [ebp+var_4]
		mov	eax, [eax+0A4h]
		cmp	eax, ecx
		jz	short loc_5230EC

loc_5230BF:				; CODE XREF: KeSetEvent(x,x,x)+1F6j
		push	[ebp+var_C]
		mov	edx, ecx
		mov	ecx, [ebp+var_18]
		call	KiWakeQueueWaiter
		mov	ecx, [ebp+arg_0]
		test	al, al
		jz	short loc_5230F8

loc_5230D3:				; CODE XREF: KeSetEvent(x,x,x)+230j
					; KeSetEvent(x,x,x)+234j ...
		mov	eax, 0FFFFFF7Fh
		lock and [ecx],	eax
		add	dword ptr [esi+4], 0FFFFFFFFh
		jnz	loc_52324D
		mov	ecx, eax
		jmp	loc_522F55
; 

loc_5230EC:				; CODE XREF: KeSetEvent(x,x,x)+1BDj
		mov	eax, [ebp+var_4]
		cmp	byte ptr [eax+18Bh], 0Fh
		jnz	short loc_5230BF

loc_5230F8:				; CODE XREF: KeSetEvent(x,x,x)+1A8j
					; KeSetEvent(x,x,x)+1B0j ...
		mov	eax, [ecx+4]
		mov	[ebp+var_10], eax
		inc	eax
		mov	[ecx+4], eax
		lea	eax, [ecx+10h]
		mov	ebx, [eax+4]
		mov	[ebp+var_1C], ebx
		cmp	[ebx], eax
		jnz	loc_522FB2
		cmp	[ebp+var_10], 0
		lea	ebx, [ecx+10h]
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_1C]
		mov	[eax], ebx
		lea	ebx, [esi+8]
		mov	[eax+4], edx
		mov	[edx], eax
		lea	edx, [ecx+8]
		mov	[ecx+14h], eax
		jnz	short loc_5230D3
		cmp	[edx], edx
		jz	short loc_5230D3
		mov	edx, ecx
		mov	ecx, [ebp+var_18]
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		mov	ecx, [ebp+arg_0]
		jmp	short loc_5230D3
; 

loc_523145:				; CODE XREF: KeSetEvent(x,x,x)+105j
		cmp	al, 2
		jnz	loc_52325D
		mov	byte ptr [ecx+9], 5
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_4], eax
		add	eax, 8
		mov	dword ptr [ecx], 0
		mov	[ebp+var_18], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_1C], eax
		mov	eax, [eax+4]
		mov	[ebp+var_C], eax
		jz	short loc_52319A
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_52319A:				; CODE XREF: KeSetEvent(x,x,x)+282j
		mov	ecx, [ebp+var_4]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_4]
		cmp	[edx], edx
		jz	short loc_5231F2
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+1Ch]
		jnb	short loc_5231F2
		mov	eax, [ebp+var_C]
		mov	eax, [eax+0A4h]
		cmp	eax, ecx
		jz	short loc_5231E6

loc_5231C1:				; CODE XREF: KeSetEvent(x,x,x)+2F0j
		push	[ebp+var_10]
		mov	edx, ecx
		mov	ecx, [ebp+var_1C]
		call	KiWakeQueueWaiter
		mov	ecx, [ebp+var_4]
		test	al, al
		jz	loc_523269

loc_5231D9:				; CODE XREF: KeSetEvent(x,x,x)+327j
					; KeSetEvent(x,x,x)+32Bj ...
		mov	eax, 0FFFFFF7Fh
		lock and [ecx],	eax
		jmp	loc_52301C
; 

loc_5231E6:				; CODE XREF: KeSetEvent(x,x,x)+2BFj
		mov	eax, [ebp+var_C]
		cmp	byte ptr [eax+18Bh], 0Fh
		jnz	short loc_5231C1

loc_5231F2:				; CODE XREF: KeSetEvent(x,x,x)+2AAj
					; KeSetEvent(x,x,x)+2B2j ...
		mov	eax, [ecx+4]
		mov	[ebp+var_C], eax
		inc	eax
		mov	[ecx+4], eax
		lea	eax, [ecx+10h]
		mov	ebx, [eax+4]
		mov	[ebp+var_18], ebx
		cmp	[ebx], eax
		jnz	loc_522FB2
		cmp	[ebp+var_C], 0
		lea	esi, [ecx+10h]
		mov	eax, [ebp+var_10]
		mov	[eax], esi
		mov	esi, [ebp+arg_0]
		mov	[eax+4], ebx
		mov	[ebx], eax
		mov	[ecx+14h], eax
		lea	ebx, [esi+8]
		jnz	short loc_5231D9
		cmp	[edx], edx
		jz	short loc_5231D9
		mov	edx, ecx
		mov	ecx, [ebp+var_1C]
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		mov	ecx, [ebp+var_4]
		jmp	short loc_5231D9
; 

loc_52323C:				; CODE XREF: KeSetEvent(x,x,x)+145j
		push	0
		mov	edx, ecx
		mov	ecx, [ebp+var_8]
		push	100h
		call	KiTryUnwaitThread

loc_52324D:				; CODE XREF: KeSetEvent(x,x,x)+DCj
					; KeSetEvent(x,x,x)+E6j ...
		mov	eax, [ebp+var_14]
		cmp	eax, ebx
		jz	loc_522FEC
		jmp	loc_522FA0
; 

loc_52325D:				; CODE XREF: KeSetEvent(x,x,x)+247j
		push	0
		push	100h
		jmp	loc_523012
; 

loc_523269:				; CODE XREF: KeSetEvent(x,x,x)+2D3j
		mov	edx, [ebp+var_18]
		jmp	short loc_5231F2
_KeSetEvent@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiExitDispatcher proc near		; CODE XREF: KeSetProcess+86p
					; KeForceResumeProcess(x)+94p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005EC7C3 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		and	bl, 1
		mov	[esp+24h+var_C], esi
		push	edi
		cmp	dword ptr [esi+3B1Ch], 0
		jnz	short loc_5232D5

loc_523292:				; CODE XREF: KiExitDispatcher+134j
		test	bl, bl
		jnz	loc_523414
		mov	ebx, [ebp+arg_8]
		mov	eax, [esi+8]
		cmp	bl, 2
		jnb	loc_5233AF
		mov	ecx, [esi+4]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[esp+28h+var_1C], ecx
		test	eax, eax
		jnz	loc_523443
		test	byte ptr [ecx+58h], 40h
		jnz	loc_5234F4

loc_5232C8:				; CODE XREF: KiExitDispatcher+266j
					; KiExitDispatcher+27Fj ...
		mov	cl, bl
		call	edi

loc_5232CC:				; CODE XREF: KiExitDispatcher+141j
					; KiExitDispatcher+14Fj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_5232D5:				; CODE XREF: KiExitDispatcher+20j
		test	bl, bl
		jnz	loc_5233FB

loc_5232DD:				; CODE XREF: KiExitDispatcher+19Ej
		mov	eax, [esi+3B1Ch]
		mov	dword ptr [esi+3B1Ch], 0
		lea	ecx, [ecx+0]

loc_5232F0:				; CODE XREF: KiExitDispatcher+13Aj
		mov	edi, [eax-4]
		lea	edx, [eax-9Ch]
		mov	eax, [eax]
		mov	[esp+28h+var_8], eax
		movzx	eax, byte ptr [edx+16Bh]
		mov	[esp+28h+var_1C], edx
		lea	eax, [eax+eax*2]
		lea	eax, [edi+eax*8]
		mov	[esp+28h+var_10], eax

loc_523314:				; CODE XREF: KiExitDispatcher+B6j
		mov	al, [edi+9]
		cmp	al, 5
		jb	loc_5233D6

loc_52331F:				; CODE XREF: KiExitDispatcher+1CEj
		add	edi, 18h
		cmp	edi, [esp+28h+var_10]
		jnz	short loc_523314
		mov	edx, [esp+28h+var_1C]
		mov	al, byte ptr [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	[edx+15Eh], cl
		mov	[edx+15Fh], al
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5EC7C3

loc_52334E:				; CODE XREF: KiExitDispatcher+C9565j
		mov	eax, [edx+5Ch]
		lea	edi, [edx+5Ch]
		test	eax, 20000h
		jz	loc_523562
		test	eax, 100000h
		jnz	loc_52351B

loc_52336A:				; CODE XREF: KiExitDispatcher+2C4j
					; KiExitDispatcher+391j
		add	edx, 9Ch
		mov	[esp+28h+var_18], 0
		mov	dword ptr [edx], 0
		mov	edi, edi

loc_523380:				; CODE XREF: KiExitDispatcher+2A6j
		lea	eax, [esp+28h+var_18]
		add	edx, 0FFFFFF64h
		push	eax
		mov	ecx, esi
		call	KiDeferredReadySingleThread
		mov	edx, [esp+28h+var_18]
		test	edx, edx
		jnz	loc_523510

loc_52339E:				; CODE XREF: KiExitDispatcher+2EDj
					; KiExitDispatcher+359j ...
		mov	eax, [esp+28h+var_8]
		test	eax, eax
		jz	loc_523292
		jmp	loc_5232F0
; 

loc_5233AF:				; CODE XREF: KiExitDispatcher+33j
		test	eax, eax
		jz	loc_5232CC
		mov	al, [esi+223Ah]
		test	al, al
		jnz	loc_5232CC
		mov	cl, 2
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_5233D6:				; CODE XREF: KiExitDispatcher+A9j
		mov	eax, [edi+10h]
		mov	ecx, eax
		mov	[esp+28h+var_14], eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	byte ptr [edi+9], 4
		jnz	short loc_523432
		mov	ecx, [edi]
		mov	eax, [edi+4]
		cmp	[ecx+4], edi
		jz	short loc_523429

loc_5233F4:				; CODE XREF: KiExitDispatcher+1BBj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5233FB:				; CODE XREF: KiExitDispatcher+67j
		shr	edx, 1
		and	dl, 1
		movzx	eax, dl
		mov	edx, [ebp+arg_4]
		push	eax
		call	KiDirectSwitchThread
		test	al, al
		jz	loc_5232DD

loc_523414:				; CODE XREF: KiExitDispatcher+24j
		mov	ecx, [esi+4]
		mov	al, byte ptr [ebp+arg_8]
		or	dword ptr [ecx+58h], 4
		mov	[ecx+92h], al
		jmp	loc_5232CC
; 

loc_523429:				; CODE XREF: KiExitDispatcher+182j
		cmp	[eax], edi
		jnz	short loc_5233F4
		mov	[eax], ecx
		mov	[ecx+4], eax

loc_523432:				; CODE XREF: KiExitDispatcher+178j
		mov	eax, [esp+28h+var_14]
		mov	ecx, 0FFFFFF7Fh
		lock and [eax],	ecx
		jmp	loc_52331F
; 

loc_523443:				; CODE XREF: KiExitDispatcher+48j
		xor	edx, edx
		call	KiAbProcessContextSwitch
		lea	edi, [esi+2224h]
		mov	[esp+28h+var_4], 0
		jmp	short loc_523460
; 
		align 10h

loc_523460:				; CODE XREF: KiExitDispatcher+1E8j
					; KiExitDispatcher+380j
		lock bts dword ptr [edi], 0
		jb	loc_5235E1
		mov	edx, [esi+8]
		mov	[esp+28h+var_14], edx
		mov	dword ptr [esi+8], 0
		cli
		mov	edx, [esp+28h+var_1C]
		mov	ecx, esi
		push	0
		call	KiEndThreadCycleAccumulation
		sti
		mov	ecx, [esp+28h+var_14]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[esi+4], ecx
		mov	al, [ecx+90h]
		cmp	al, 1
		jz	loc_5EC7DA

loc_5234A3:				; CODE XREF: KiExitDispatcher+C957Bj
		mov	eax, [esp+28h+var_1C]
		mov	edx, eax
		mov	byte ptr [ecx+90h], 2
		mov	ecx, esi
		mov	byte ptr [eax+18Bh], 20h
		mov	[eax+92h], bl
		call	KiQueueReadyThread
		mov	esi, [esp+28h+var_1C]
		mov	ecx, esi
		mov	edx, [esp+28h+var_14]
		push	ebx
		call	@KiSwapContext@12 ; KiSwapContext(x,x,x)
		test	al, al
		jz	loc_5232C8
		mov	cl, 1
		call	edi
		and	dword ptr [esi+58h], 0FFFFFFBFh
		push	0
		push	0
		push	0
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		jmp	loc_5232C8
; 

loc_5234F4:				; CODE XREF: KiExitDispatcher+52j
		mov	cl, 1
		call	edi
		mov	eax, [esp+28h+var_1C]
		push	0
		push	0
		push	0
		and	dword ptr [eax+58h], 0FFFFFFBFh
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		jmp	loc_5232C8
; 

loc_523510:				; CODE XREF: KiExitDispatcher+128j
		mov	eax, [edx]
		mov	[esp+28h+var_18], eax
		jmp	loc_523380
; 

loc_52351B:				; CODE XREF: KiExitDispatcher+F4j
		lock btr dword ptr [edi], 14h
		mov	ecx, [edx+80h]
		mov	eax, 8
		add	ecx, 7Ch
		lock xadd [ecx], eax
		test	al, 7
		jz	loc_52336A
		mov	edi, [edx+80h]
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	eax, [edi+7Ch]
		test	al, 7
		jz	loc_5235F5
		mov	edx, edi

loc_523554:				; CODE XREF: KiExitDispatcher+30Fj
		mov	ecx, [esp+28h+var_1C]
		call	KiRequestProcessInSwap
		jmp	loc_52339E
; 

loc_523562:				; CODE XREF: KiExitDispatcher+E9j
		mov	eax, [edx+80h]
		mov	ecx, eax
		mov	[esp+28h+var_10], eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [esp+28h+var_10]
		mov	eax, [edx+7Ch]
		lea	ecx, [edx+7Ch]
		test	al, 7
		jnz	short loc_523554
		mov	eax, 8
		lock xadd [ecx], eax
		mov	eax, 0FFFFFF7Fh
		lock and [edx],	eax
		lock btr dword ptr [edi], 14h
		mov	ecx, [esp+28h+var_1C]
		mov	byte ptr [ecx+90h], 6
		lea	edi, [ecx+9Ch]
		mov	eax, _KiStackInSwapListHead
		lea	ecx, [ecx+0]

loc_5235B0:				; CODE XREF: KiExitDispatcher+351j
		mov	[edi], eax
		mov	edx, eax
		mov	ecx, edi
		mov	esi, offset _KiStackInSwapListHead
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_5235B0
		mov	esi, [esp+28h+var_C]
		test	eax, eax
		jnz	loc_52339E
		push	eax
		push	0Ah
		push	offset _KiSwapEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_52339E
; 

loc_5235E1:				; CODE XREF: KiExitDispatcher+1F5j
					; KiExitDispatcher+37Ej
		lea	ecx, [esp+28h+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5235E1
		jmp	loc_523460
; 

loc_5235F5:				; CODE XREF: KiExitDispatcher+2DCj
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	edx, [esp+28h+var_1C]
		jmp	loc_52336A
KiExitDispatcher endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiDeferredReadySingleThread proc near	; CODE XREF: KeSetBasePriorityThread+253p
					; KiReadyThread+4Cp ...

var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005EC7F0 SIZE 0000014D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_10], ecx
		xor	eax, eax
		mov	[ebp+var_1C], esi
		push	edi
		mov	[ebp+var_4C], eax
		mov	edi, [esi+34h]
		mov	ecx, [esi+30h]
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_8], ecx
		cmp	edi, [esi+38h]
		jnz	loc_5EC7F0

loc_52364C:				; CODE XREF: KiDeferredReadySingleThread+C91F0j
		cmp	byte ptr [esi+15Eh], 1
		mov	[ebp+var_20], 0
		jnz	loc_523A89
		mov	bh, [esi+15Fh]

loc_523666:				; CODE XREF: KiDeferredReadySingleThread+47Bj
		lea	eax, [esi+2Ch]
		mov	[ebp+var_24], 0
		mov	esi, eax

loc_523672:				; CODE XREF: KiDeferredReadySingleThread+940j
		lock bts dword ptr [esi], 0
		jb	loc_523F42
		mov	esi, [ebp+var_1C]
		mov	al, [esi+15Eh]
		test	al, al
		jz	loc_523ADD
		cmp	byte ptr [esi+87h], 10h
		jge	loc_523A82
		mov	eax, ds:_KeTickCount
		xor	bl, bl
		sub	eax, [esi+138h]
		cmp	edi, [esi+1Ch]
		jb	short loc_5236BF
		ja	loc_523D8F
		mov	ecx, [ebp+var_8]
		cmp	ecx, [esi+18h]
		jnb	loc_523D8F

loc_5236BF:				; CODE XREF: KiDeferredReadySingleThread+9Bj
					; KiDeferredReadySingleThread+784j ...
		cmp	bl, 4
		jnb	loc_523A08
		cmp	byte ptr [esi+15Bh], 0Eh
		jge	loc_523A08
		cmp	eax, 2
		jnb	loc_5239FB

loc_5236DE:				; CODE XREF: KiDeferredReadySingleThread+3F2j
					; KiDeferredReadySingleThread+46Dj
		mov	eax, [esi+150h]
		mov	al, [eax+2A2h]
		cmp	al, 2
		jz	loc_523B03

loc_5236F2:				; CODE XREF: KiDeferredReadySingleThread+4F6j
		test	bl, 1
		jnz	loc_523AA1
		test	byte ptr [esi+5Ch], 8
		jnz	loc_523AA1
		mov	dh, [esi+87h]
		test	dh, dh
		jle	loc_523AA1
		mov	al, [esi+15Ch]
		mov	[ebp+var_2], al
		test	al, al
		jnz	loc_523A90
		mov	dl, bl
		shr	dl, 1

loc_523728:				; CODE XREF: KiDeferredReadySingleThread+48Bj
		mov	al, [esi+15Bh]
		movsx	ecx, al
		mov	[ebp+var_1], al
		movsx	eax, bh
		add	eax, ecx
		mov	[ebp+var_2C], eax
		mov	ecx, eax
		mov	[ebp+var_18], ecx
		test	dl, 1
		jnz	loc_523C14

loc_52374A:				; CODE XREF: KiDeferredReadySingleThread+610j
		cmp	ecx, 10h
		jge	loc_523D46

loc_523753:				; CODE XREF: KiDeferredReadySingleThread+73Ej
		movsx	eax, dh
		cmp	ecx, eax
		jg	loc_523C25

loc_52375E:				; CODE XREF: KiDeferredReadySingleThread+498j
					; KiDeferredReadySingleThread+4A4j ...
		mov	al, [esi+15Eh]
		shr	bl, 3

loc_523767:				; CODE XREF: KiDeferredReadySingleThread+474j
		cmp	al, 2
		jz	loc_523C59

loc_52376F:				; CODE XREF: KiDeferredReadySingleThread+6A7j
		test	bl, bl
		jnz	loc_5239C6

loc_523777:				; CODE XREF: KiDeferredReadySingleThread+3DDj
					; KiDeferredReadySingleThread+4EEj ...
		cmp	dword ptr [esi+13Ch], 0
		mov	eax, [esi+16Ch]
		mov	word ptr [esi+15Dh], 0
		mov	[ebp+var_8], eax
		jnz	loc_5239F2
		cmp	byte ptr [esi+92h], 1
		jz	loc_5239F2
		mov	[ebp+var_1], 0

loc_5237A7:				; CODE XREF: KiDeferredReadySingleThread+3E6j
		xor	bl, bl
		btr	dword ptr [esi+58h], 1
		mov	eax, ds:_KiCpuSetSequence
		setb	bh
		mov	byte ptr [ebp+var_2C], bh
		cmp	[esi+160h], eax
		jnz	loc_523DC6

loc_5237C5:				; CODE XREF: KiDeferredReadySingleThread+7BAj
					; KiDeferredReadySingleThread+7C7j
		cmp	ds:_KiForceIdleDisabled, 0
		mov	ax, [esi+168h]
		mov	ecx, [esi+164h]
		mov	word ptr [ebp+var_48], ax
		mov	[ebp+var_4C], ecx
		jnz	short loc_5237F3
		mov	eax, _KiForceIdleState
		cmp	eax, 4
		jz	loc_5EC841
		mov	ecx, [ebp+var_4C]

loc_5237F3:				; CODE XREF: KiDeferredReadySingleThread+1D0j
		lea	eax, [ecx-1]
		test	eax, ecx
		jz	loc_523E0B
		cmp	byte ptr [esi+61h], 0
		jnz	loc_5EC8D7
		cmp	ds:_KiPerfIsoEnabled, 0
		mov	edi, [ebp+var_10]
		jnz	loc_5EC8B5

loc_523818:				; CODE XREF: KiDeferredReadySingleThread+C92B0j
					; KiDeferredReadySingleThread+C92BAj
		xor	bl, bl

loc_52381A:				; CODE XREF: KiDeferredReadySingleThread+C92C2j
		mov	byte ptr [ebp+var_1C], bl
		lea	eax, [ebp+var_14]
		push	[ebp+var_1C]
		mov	edx, esi
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		call	KiChooseTargetProcessor
		mov	edi, eax

loc_523833:				; CODE XREF: KiDeferredReadySingleThread+83Ej
					; KiDeferredReadySingleThread+C92DBj
		mov	eax, [edi+3CCh]
		mov	[esi+148h], eax
		mov	edx, [esi+50h]
		mov	[ebp+var_18], eax
		test	edx, edx
		jnz	loc_523CDA

loc_52384D:				; CODE XREF: KiDeferredReadySingleThread+6D0j
		mov	[ebp+var_C], edx
		test	edx, edx
		jnz	loc_523CBC

loc_523858:				; CODE XREF: KiDeferredReadySingleThread+6C2j
					; KiDeferredReadySingleThread+C92EAj
		cmp	[ebp+var_14], 0
		jz	loc_523B0B
		mov	eax, [edi+8]
		test	eax, eax
		jnz	loc_523E53

loc_52386D:				; CODE XREF: KiDeferredReadySingleThread+846j
		test	bh, bh
		jnz	loc_523F9C
		mov	ebx, 2

loc_52387A:				; CODE XREF: KiDeferredReadySingleThread+991j
		test	byte ptr [esi+2], 4
		jnz	loc_523D53

loc_523884:				; CODE XREF: KiDeferredReadySingleThread+756j
		mov	cl, [esi+87h]

loc_52388A:				; CODE XREF: KiDeferredReadySingleThread+750j
		mov	eax, [edi+33Ch]
		mov	[eax], cl
		mov	[edi+8], esi
		cmp	esi, [edi+0Ch]
		jz	loc_5EC906
		xor	cl, cl

loc_5238A0:				; CODE XREF: KiDeferredReadySingleThread+C92F8j
		mov	eax, [edi+4DCh]
		test	eax, eax
		jz	short loc_5238AD
		mov	[eax+10h], cl

loc_5238AD:				; CODE XREF: KiDeferredReadySingleThread+298j
		mov	al, [esi+90h]
		cmp	al, 1
		jz	loc_523FA6
		test	bl, 4
		jnz	loc_523FA6

loc_5238C4:				; CODE XREF: KiDeferredReadySingleThread+9A7j
		mov	byte ptr [esi+90h], 3
		movzx	eax, byte ptr [edi+2238h]
		mov	ebx, [edi+338h]
		mov	byte ptr [edi+223Bh], 0
		test	al, 1
		jnz	loc_5EC90D
		inc	eax
		mov	[edi+2238h], al
		cmp	eax, 1
		jnz	short loc_5238FE
		movzx	eax, byte ptr [edi+3C4h]
		lock btr [ebx],	eax

loc_5238FE:				; CODE XREF: KiDeferredReadySingleThread+2E1j
		movzx	eax, byte ptr [edi+3C4h]
		lea	edx, [ebx+0Ch]
		lock btr [edx],	eax
		mov	ecx, [edi+402Ch]
		lea	eax, [ebx+4]
		not	ecx
		lock and [eax],	ecx
		mov	eax, [edi+402Ch]
		add	ebx, 8
		not	eax
		lock and [ebx],	eax
		mov	eax, [edx]
		not	eax
		and	eax, [edi+402Ch]
		cmp	eax, [edi+3C8h]
		jnz	short loc_523945
		movzx	eax, byte ptr [edi+3C4h]
		lock bts [ebx],	eax

loc_523945:				; CODE XREF: KiDeferredReadySingleThread+328j
		xor	ecx, ecx
		lea	eax, [edi+2224h]
		lock and [eax],	ecx
		mov	ebx, [esi+16Ch]
		mov	[esi+2Ch], ecx
		cmp	edi, [ebp+var_10]
		jz	short loc_523989
		mov	ecx, [ebp+var_18]
		mov	edx, 2
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		add	eax, 21A0h
		lock or	[eax], edx
		mov	eax, large fs:20h
		push	edx
		push	ecx
		inc	dword ptr [eax+40B4h]
		call	ds:__imp__HalSendSoftwareInterrupt@8 ; HalSendSoftwareInterrupt(x,x)

loc_523989:				; CODE XREF: KiDeferredReadySingleThread+34Cj
		test	ds:dword_70EFD0, 8000000h
		jnz	loc_5EC914

loc_523999:				; CODE XREF: KiDeferredReadySingleThread+5F9j
					; KiDeferredReadySingleThread+72Bj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_5239A2:				; CODE XREF: KiDeferredReadySingleThread+4D2j
					; KiDeferredReadySingleThread+4DEj
		mov	dl, 1
		mov	ecx, esi
		call	KiComputeNewPriority
		movsx	ebx, al
		mov	ecx, esi
		push	1
		mov	dl, bl
		call	KiAbProcessThreadPriorityModification
		mov	ecx, esi
		mov	[esi+87h], bl
		call	_KiTryScheduleNextForegroundBoost@4 ; KiTryScheduleNextForegroundBoost(x)

loc_5239C6:				; CODE XREF: KiDeferredReadySingleThread+161j
					; KiDeferredReadySingleThread+75Dj
		movzx	ecx, byte ptr [esi+193h]
		lea	eax, [esi+5Ch]
		imul	ecx, ds:_KiCyclesPerClockQuantum
		xor	edx, edx
		add	ecx, [ebp+var_8]
		adc	edx, edi
		test	byte ptr [eax],	20h
		jnz	loc_523DA1

loc_5239E7:				; CODE XREF: KiDeferredReadySingleThread+796j
		mov	[esi+18h], ecx
		mov	[esi+1Ch], edx
		jmp	loc_523777
; 

loc_5239F2:				; CODE XREF: KiDeferredReadySingleThread+180j
					; KiDeferredReadySingleThread+18Dj
		mov	[ebp+var_1], 1
		jmp	loc_5237A7
; 

loc_5239FB:				; CODE XREF: KiDeferredReadySingleThread+C8j
		cmp	byte ptr [esi+15Ch], 0
		jnz	loc_5236DE

loc_523A08:				; CODE XREF: KiDeferredReadySingleThread+B2j
					; KiDeferredReadySingleThread+BFj
		mov	dl, [esi+87h]
		or	bl, 8
		mov	[ebp+var_1], dl
		cmp	dl, 10h
		jge	short loc_523A6B
		mov	al, ds:_KiForegrounBoostVelocityFlag
		test	al, al
		jnz	loc_5EC805

loc_523A26:				; CODE XREF: KiDeferredReadySingleThread+C91FEj
		mov	ah, [esi+15Ch]
		or	cl, 0FFh
		mov	al, ah
		mov	ch, ah
		shr	al, 4
		and	ch, 0Fh
		sub	cl, al
		mov	al, [esi+15Bh]
		sub	cl, ch
		add	dl, cl
		cmp	dl, al
		jge	short loc_523A4B
		mov	dl, al

loc_523A4B:				; CODE XREF: KiDeferredReadySingleThread+437j
		test	ah, ah
		jnz	loc_523DAB

loc_523A53:				; CODE XREF: KiDeferredReadySingleThread+7B1j
					; KiDeferredReadySingleThread+C922Cj
		mov	eax, [esi+214h]
		mov	[ebp+var_28], 0
		test	eax, eax
		jnz	loc_523E61

loc_523A68:				; CODE XREF: KiDeferredReadySingleThread+85Cj
					; KiDeferredReadySingleThread+864j
		mov	[ebp+var_1], dl

loc_523A6B:				; CODE XREF: KiDeferredReadySingleThread+407j
		push	1
		mov	ecx, esi
		call	KiAbProcessThreadPriorityModification
		mov	al, [ebp+var_1]
		mov	[esi+87h], al
		jmp	loc_5236DE
; 

loc_523A82:				; CODE XREF: KiDeferredReadySingleThread+85j
		mov	bl, 1
		jmp	loc_523767
; 

loc_523A89:				; CODE XREF: KiDeferredReadySingleThread+4Aj
		xor	bh, bh
		jmp	loc_523666
; 

loc_523A90:				; CODE XREF: KiDeferredReadySingleThread+10Ej
		test	al, 0F0h
		jnz	short loc_523AA1
		mov	dl, bl
		shr	dl, 1
		test	dl, 1
		jnz	loc_523728

loc_523AA1:				; CODE XREF: KiDeferredReadySingleThread+E5j
					; KiDeferredReadySingleThread+EFj ...
		mov	al, ds:_KiForegrounBoostVelocityFlag
		test	al, al
		jnz	loc_52375E
		mov	al, bl
		and	al, 6
		cmp	al, 6
		jnz	loc_52375E
		test	byte ptr [esi+5Ch], 8
		jnz	loc_52375E
		cmp	byte ptr [esi+87h], 0
		jle	loc_52375E
		mov	ecx, esi
		call	KiScheduleNextForegroundBoost
		jmp	loc_52375E
; 

loc_523ADD:				; CODE XREF: KiDeferredReadySingleThread+78j
		cmp	edi, [esi+1Ch]
		jb	short loc_523AF4
		ja	loc_5239A2
		mov	ecx, [ebp+var_8]
		cmp	ecx, [esi+18h]
		jnb	loc_5239A2

loc_523AF4:				; CODE XREF: KiDeferredReadySingleThread+4D0j
		movzx	eax, byte ptr [esi+15Dh]
		mov	[ebp+var_20], eax
		jmp	loc_523777
; 

loc_523B03:				; CODE XREF: KiDeferredReadySingleThread+DCj
		or	bl, 2
		jmp	loc_5236F2
; 

loc_523B0B:				; CODE XREF: KiDeferredReadySingleThread+24Cj
		test	bl, bl
		jnz	loc_523D0B
		mov	ecx, [edi+8]
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jnz	loc_523CE5
		mov	ecx, [edi+4]
		mov	[ebp+arg_0], ecx
		cmp	ds:_KiGroupSchedulingEnabled, bl
		jz	loc_523DDC
		lea	eax, [ebp+var_C]
		mov	edx, ecx
		push	eax
		push	esi
		mov	ecx, edi
		call	KiEvaluateGroupSchedulingPreemption
		test	al, al
		jz	loc_523D08
		mov	ecx, [ebp+arg_0]

loc_523B4C:				; CODE XREF: KiDeferredReadySingleThread+7D8j
		mov	al, [ecx+90h]
		cmp	al, 2
		jnz	short loc_523B5D
		mov	byte ptr [ecx+15Dh], 1

loc_523B5D:				; CODE XREF: KiDeferredReadySingleThread+544j
		test	bh, bh
		jnz	loc_523E79
		mov	ebx, 2

loc_523B6A:				; CODE XREF: KiDeferredReadySingleThread+86Ej
		test	byte ptr [esi+2], 4
		jnz	loc_523DF3

loc_523B74:				; CODE XREF: KiDeferredReadySingleThread+7F6j
		mov	cl, [esi+87h]

loc_523B7A:				; CODE XREF: KiDeferredReadySingleThread+7F0j
		mov	eax, [edi+33Ch]
		mov	[eax], cl
		mov	[edi+8], esi
		cmp	esi, [edi+0Ch]
		jz	loc_5EC91E
		xor	cl, cl

loc_523B90:				; CODE XREF: KiDeferredReadySingleThread+C9310j
		mov	eax, [edi+4DCh]
		test	eax, eax
		jz	short loc_523B9D
		mov	[eax+10h], cl

loc_523B9D:				; CODE XREF: KiDeferredReadySingleThread+588j
		mov	al, [esi+90h]
		cmp	al, 1
		jz	loc_523E83
		test	bl, 4
		jnz	loc_523E83

loc_523BB4:				; CODE XREF: KiDeferredReadySingleThread+884j
		mov	byte ptr [esi+90h], 3
		lea	eax, [edi+2224h]
		xor	ecx, ecx
		lock and [eax],	ecx
		mov	ebx, [esi+16Ch]
		mov	[esi+2Ch], ecx
		cmp	[ebp+var_10], edi
		jz	short loc_523BFF
		mov	ecx, [ebp+var_18]
		mov	edx, 2
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		add	eax, 21A0h
		lock or	[eax], edx
		mov	eax, large fs:20h
		push	edx
		push	ecx
		inc	dword ptr [eax+40B4h]
		call	ds:__imp__HalSendSoftwareInterrupt@8 ; HalSendSoftwareInterrupt(x,x)

loc_523BFF:				; CODE XREF: KiDeferredReadySingleThread+5C2j
		test	ds:dword_70EFD0, 8000000h
		jz	loc_523999
		jmp	loc_5EC925
; 

loc_523C14:				; CODE XREF: KiDeferredReadySingleThread+134j
		movsx	eax, byte ptr ds:_PsPrioritySeparation
		add	ecx, eax
		mov	[ebp+var_18], ecx
		jmp	loc_52374A
; 

loc_523C25:				; CODE XREF: KiDeferredReadySingleThread+148j
		xor	ah, ah
		cmp	ecx, [ebp+var_2C]
		jg	loc_523D83

loc_523C30:				; CODE XREF: KiDeferredReadySingleThread+77Aj
		mov	al, [ebp+var_2]
		mov	dl, cl
		xor	al, ah
		mov	ecx, esi
		and	al, 0Fh
		xor	al, [ebp+var_2]
		push	1
		mov	[esi+15Ch], al
		call	KiAbProcessThreadPriorityModification
		mov	eax, [ebp+var_18]
		mov	[esi+87h], al
		jmp	loc_52375E
; 

loc_523C59:				; CODE XREF: KiDeferredReadySingleThread+159j
		mov	al, [esi+87h]
		test	al, al
		jle	loc_523D6B
		mov	bh, [esi+15Fh]
		cmp	al, bh
		jge	loc_523D6B
		cmp	al, 0Dh
		jge	loc_523D6B
		test	byte ptr [esi+5Ch], 8
		jnz	loc_523D6B
		cmp	bh, 0Dh
		jl	short loc_523C8E
		mov	bh, 0Dh

loc_523C8E:				; CODE XREF: KiDeferredReadySingleThread+67Aj
		mov	cl, bh
		mov	dl, bh
		sub	cl, al
		shl	cl, 4
		add	[esi+15Ch], cl
		mov	ecx, esi
		push	1
		call	KiAbProcessThreadPriorityModification
		push	edi
		push	[ebp+var_8]
		mov	ecx, esi
		mov	[esi+87h], bh
		call	_KiSetLockOwnershipQuantum@12 ;	KiSetLockOwnershipQuantum(x,x,x)
		jmp	loc_52376F
; 

loc_523CBC:				; CODE XREF: KiDeferredReadySingleThread+242j
		mov	eax, edx
		mov	edi, edi

loc_523CC0:				; CODE XREF: KiDeferredReadySingleThread+6C8j
		test	byte ptr [eax+5Ch], 2
		jnz	loc_5EC8F0
		mov	eax, [eax+0F4h]
		test	eax, eax
		jz	loc_523858
		jmp	short loc_523CC0
; 

loc_523CDA:				; CODE XREF: KiDeferredReadySingleThread+237j
		add	edx, [edi+3B34h]
		jmp	loc_52384D
; 

loc_523CE5:				; CODE XREF: KiDeferredReadySingleThread+50Bj
		cmp	ds:_KiGroupSchedulingEnabled, 0
		jz	loc_523F85
		lea	eax, [ebp+var_C]
		mov	edx, ecx
		push	eax
		push	esi
		mov	ecx, edi
		call	KiEvaluateGroupSchedulingPreemption
		test	al, al
		jnz	loc_523E99

loc_523D08:				; CODE XREF: KiDeferredReadySingleThread+533j
		mov	edx, [ebp+var_C]

loc_523D0B:				; CODE XREF: KiDeferredReadySingleThread+4FDj
					; KiDeferredReadySingleThread+7DEj ...
		push	[ebp+var_20]
		mov	ecx, edi
		push	[ebp+var_2C]
		push	esi
		call	_KiAddThreadToReadyQueue@20 ; KiAddThreadToReadyQueue(x,x,x,x,x)
		xor	ecx, ecx
		lea	eax, [edi+2224h]
		lock and [eax],	ecx
		mov	ecx, [esi+16Ch]
		mov	dword ptr [esi+2Ch], 0
		test	ds:dword_70EFD0, 8000000h
		jz	loc_523999
		jmp	loc_5EC928
; 

loc_523D46:				; CODE XREF: KiDeferredReadySingleThread+13Dj
		mov	ecx, 0Fh
		mov	[ebp+var_18], ecx
		jmp	loc_523753
; 

loc_523D53:				; CODE XREF: KiDeferredReadySingleThread+26Ej
		mov	edx, edi
		mov	ecx, esi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	loc_52388A
		jmp	loc_523884
; 

loc_523D6B:				; CODE XREF: KiDeferredReadySingleThread+651j
					; KiDeferredReadySingleThread+65Fj ...
		test	bl, bl
		jnz	loc_5239C6
		push	edi
		push	[ebp+var_8]
		mov	ecx, esi
		call	_KiSetLockOwnershipQuantum@12 ;	KiSetLockOwnershipQuantum(x,x,x)
		jmp	loc_523777
; 

loc_523D83:				; CODE XREF: KiDeferredReadySingleThread+61Aj
		mov	ah, cl
		sub	ah, [ebp+var_1]
		sub	ah, bh
		jmp	loc_523C30
; 

loc_523D8F:				; CODE XREF: KiDeferredReadySingleThread+9Dj
					; KiDeferredReadySingleThread+A9j
		mov	bl, 4
		cmp	eax, 2
		jnb	loc_5236BF
		mov	bl, 5
		jmp	loc_5236BF
; 

loc_523DA1:				; CODE XREF: KiDeferredReadySingleThread+3D1j
		lock btr dword ptr [eax], 5
		jmp	loc_5239E7
; 

loc_523DAB:				; CODE XREF: KiDeferredReadySingleThread+43Dj
		test	ch, ch
		jz	short loc_523DBA
		mov	eax, ds:_KeTickCount
		mov	[esi+224h], eax

loc_523DBA:				; CODE XREF: KiDeferredReadySingleThread+79Dj
		mov	byte ptr [esi+15Ch], 0
		jmp	loc_523A53
; 

loc_523DC6:				; CODE XREF: KiDeferredReadySingleThread+1AFj
		test	byte ptr [esi+58h], 8
		jnz	loc_5237C5
		mov	ecx, esi
		call	KiComputeThreadAffinity
		jmp	loc_5237C5
; 

loc_523DDC:				; CODE XREF: KiDeferredReadySingleThread+51Dj
		mov	al, [esi+87h]
		cmp	al, [ecx+87h]
		jg	loc_523B4C
		jmp	loc_523D0B
; 

loc_523DF3:				; CODE XREF: KiDeferredReadySingleThread+55Ej
		mov	edx, edi
		mov	ecx, esi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	loc_523B7A
		jmp	loc_523B74
; 

loc_523E0B:				; CODE XREF: KiDeferredReadySingleThread+1E8j
		bsr	eax, ecx
		mov	[ebp+var_38], 0
		mov	[ebp+var_38], eax
		mov	[ebp+var_3C], 0
		mov	edi, ds:_KiProcessorBlock[eax*4]
		lea	esi, [edi+2224h]
		lea	esp, [esp+0]

loc_523E30:				; CODE XREF: KiDeferredReadySingleThread+953j
		lock bts dword ptr [esi], 0
		jb	loc_523F55
		test	byte ptr [edi+2238h], 1
		jnz	short loc_523E4B
		mov	[ebp+var_14], 1

loc_523E4B:				; CODE XREF: KiDeferredReadySingleThread+832j
		mov	esi, [ebp+var_1C]
		jmp	loc_523833
; 

loc_523E53:				; CODE XREF: KiDeferredReadySingleThread+257j
		cmp	eax, [edi+0Ch]
		jz	loc_52386D
		jmp	loc_5EC8FF
; 

loc_523E61:				; CODE XREF: KiDeferredReadySingleThread+452j
		bsr	ecx, eax
		movsx	eax, dl
		mov	[ebp+var_28], ecx
		cmp	eax, ecx
		jge	loc_523A68
		mov	dl, cl
		jmp	loc_523A68
; 

loc_523E79:				; CODE XREF: KiDeferredReadySingleThread+54Fj
		mov	ebx, 6
		jmp	loc_523B6A
; 

loc_523E83:				; CODE XREF: KiDeferredReadySingleThread+595j
					; KiDeferredReadySingleThread+59Ej
		mov	eax, ds:_KeTickCount
		sub	eax, [esi+138h]
		add	[esi+170h], eax
		jmp	loc_523BB4
; 

loc_523E99:				; CODE XREF: KiDeferredReadySingleThread+6F2j
		mov	ecx, [ebp+var_1C]

loc_523E9C:				; CODE XREF: KiDeferredReadySingleThread+987j
		mov	byte ptr [ecx+15Dh], 1
		test	bh, bh
		jnz	loc_523FBC
		mov	ebx, 2

loc_523EB0:				; CODE XREF: KiDeferredReadySingleThread+9B1j
		test	byte ptr [esi+2], 4
		jnz	loc_523F68
		mov	dl, [esi+87h]

loc_523EC0:				; CODE XREF: KiDeferredReadySingleThread+970j
		mov	eax, [edi+33Ch]
		mov	[eax], dl
		mov	[edi+8], esi
		cmp	esi, [edi+0Ch]
		jz	loc_5EC917
		xor	dl, dl

loc_523ED6:				; CODE XREF: KiDeferredReadySingleThread+C9309j
		mov	eax, [edi+4DCh]
		test	eax, eax
		jz	short loc_523EE3
		mov	[eax+10h], dl

loc_523EE3:				; CODE XREF: KiDeferredReadySingleThread+8CEj
		mov	al, [esi+90h]
		cmp	al, 1
		jz	loc_523FC6
		test	bl, 4
		jnz	loc_523FC6

loc_523EFA:				; CODE XREF: KiDeferredReadySingleThread+9C7j
		mov	byte ptr [esi+90h], 3
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		lea	edx, [ecx+9Ch]
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx]
		mov	[edx], eax
		lea	eax, [edi+2224h]
		mov	[ecx], edx
		xor	ecx, ecx
		lock and [eax],	ecx
		mov	ecx, [esi+16Ch]
		mov	dword ptr [esi+2Ch], 0
		test	ds:dword_70EFD0, 8000000h
		jz	loc_523999
		jmp	loc_5EC928
; 

loc_523F42:				; CODE XREF: KiDeferredReadySingleThread+67j
					; KiDeferredReadySingleThread+93Ej
		lea	ecx, [ebp+var_24]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_523F42
		jmp	loc_523672
; 

loc_523F55:				; CODE XREF: KiDeferredReadySingleThread+825j
					; KiDeferredReadySingleThread+951j
		lea	ecx, [ebp+var_3C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_523F55
		jmp	loc_523E30
; 

loc_523F68:				; CODE XREF: KiDeferredReadySingleThread+8A4j
		mov	edx, edi
		mov	ecx, esi
		call	KiIsThreadRankNonZero
		mov	dl, 1
		test	al, al
		jnz	short loc_523F7D
		mov	dl, [esi+87h]

loc_523F7D:				; CODE XREF: KiDeferredReadySingleThread+965j
		mov	ecx, [ebp+var_1C]
		jmp	loc_523EC0
; 

loc_523F85:				; CODE XREF: KiDeferredReadySingleThread+6DCj
		mov	al, [esi+87h]
		cmp	al, [ecx+87h]
		jle	loc_523D0B
		jmp	loc_523E9C
; 

loc_523F9C:				; CODE XREF: KiDeferredReadySingleThread+25Fj
		mov	ebx, 6
		jmp	loc_52387A
; 

loc_523FA6:				; CODE XREF: KiDeferredReadySingleThread+2A5j
					; KiDeferredReadySingleThread+2AEj
		mov	eax, ds:_KeTickCount
		sub	eax, [esi+138h]
		add	[esi+170h], eax
		jmp	loc_5238C4
; 

loc_523FBC:				; CODE XREF: KiDeferredReadySingleThread+895j
		mov	ebx, 6
		jmp	loc_523EB0
; 

loc_523FC6:				; CODE XREF: KiDeferredReadySingleThread+8DBj
					; KiDeferredReadySingleThread+8E4j
		mov	eax, ds:_KeTickCount
		sub	eax, [esi+138h]
		add	[esi+170h], eax
		jmp	loc_523EFA
KiDeferredReadySingleThread endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiChooseTargetProcessor	proc near	; CODE XREF: KiDeferredReadySingleThread+21Cp

var_8C		= dword	ptr -8Ch
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2B		= byte ptr -2Bh
var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005EC93D SIZE 000002D0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	[ebp+var_4C], ecx
		xor	bl, bl
		mov	ecx, [ebp+arg_4]
		mov	esi, [eax]
		push	edi
		mov	[ebp+var_5C], ecx
		mov	edi, edx
		mov	ch, [ebp+arg_8]
		mov	[ebp+var_50], edi
		mov	[ebp+var_2B], ch
		mov	byte ptr [ebp+var_48], ch
		mov	[ebp+var_40], esi
		mov	[ebp+var_29], bl
		mov	byte ptr [ebp+var_54], bl

loc_52401F:				; CODE XREF: KiChooseTargetProcessor+C8B51j
		mov	ecx, [ebp+var_54]
		mov	[ebp+var_44], ecx

loc_524025:				; CODE XREF: KiChooseTargetProcessor+40Cj
					; KiChooseTargetProcessor+41Cj
		mov	edx, [ebp+var_48]
		jmp	short loc_524030
; 
		align 10h

loc_524030:				; CODE XREF: KiChooseTargetProcessor+48j
		mov	eax, [edi+148h]
		push	ecx
		mov	ecx, [ebp+var_4C]
		push	edx
		mov	ebx, ds:_KiProcessorBlock[eax*4]
		mov	edx, ebx
		push	esi
		push	edi
		call	KiTryLocalThreadSchedule
		mov	esi, eax
		test	esi, esi
		jnz	loc_52413C
		mov	eax, [edi+16Ch]
		mov	ecx, [ebx+338h]
		mov	[ebp+var_30], ecx
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	[ebp+var_34], eax
		mov	edi, [eax+338h]
		cmp	ecx, edi
		jnz	loc_524414
		mov	esi, ebx

loc_52407E:				; CODE XREF: KiChooseTargetProcessor+436j
		mov	edx, [edi]
		mov	eax, edx
		mov	[ebp+var_28], edx
		mov	edx, [ebp+var_40]
		and	eax, edx
		cmp	[ebp+var_29], 0
		mov	ecx, eax
		mov	[ebp+var_3C], eax
		jnz	loc_5EC93D

loc_524099:				; CODE XREF: KiChooseTargetProcessor+C8979j
		test	ecx, ecx
		jz	loc_5241AA

loc_5240A1:				; CODE XREF: KiChooseTargetProcessor+C895Fj
		test	byte ptr [edi+0A5h], 20h
		jz	short loc_5240CD
		mov	ch, [ebp+var_2B]
		test	ch, ch
		jnz	loc_5EC95E

loc_5240B5:				; CODE XREF: KiChooseTargetProcessor+C8998j
		mov	edx, [edi+4]
		mov	eax, [ebp+var_3C]
		and	edx, eax
		jz	loc_524187
		test	ch, ch
		jnz	loc_5EC97D

loc_5240CB:				; CODE XREF: KiChooseTargetProcessor+C89EDj
		mov	eax, edx

loc_5240CD:				; CODE XREF: KiChooseTargetProcessor+C8j
					; KiChooseTargetProcessor+1B4j	...
		mov	edx, [ebp+var_34]
		test	[edx+3C8h], eax
		jnz	short loc_524136
		test	esi, esi
		jz	short loc_5240E4
		test	[esi+3C8h], eax
		jnz	short loc_524138

loc_5240E4:				; CODE XREF: KiChooseTargetProcessor+FAj
		mov	ecx, [edx+402Ch]
		and	ecx, eax
		jnz	short loc_524113
		test	esi, esi
		jz	short loc_5240FC
		mov	ecx, [esi+402Ch]
		and	ecx, eax
		jnz	short loc_524113

loc_5240FC:				; CODE XREF: KiChooseTargetProcessor+110j
		test	ds:_KiCacheAwareScheduling, 1
		jz	short loc_524115
		mov	ecx, [edx+4034h]
		and	ecx, eax
		jz	loc_5EC9D2

loc_524113:				; CODE XREF: KiChooseTargetProcessor+10Cj
					; KiChooseTargetProcessor+11Aj	...
		mov	eax, ecx

loc_524115:				; CODE XREF: KiChooseTargetProcessor+123j
					; KiChooseTargetProcessor+C89F4j ...
		movzx	ecx, byte ptr [edx+3C4h]
		ror	eax, cl
		bsf	esi, eax
		mov	[ebp+var_80], 0
		add	esi, ecx
		and	esi, 1Fh
		mov	esi, ds:_KiProcessorBlock[esi*4]
		jmp	short loc_524138
; 

loc_524136:				; CODE XREF: KiChooseTargetProcessor+F6j
		mov	esi, edx

loc_524138:				; CODE XREF: KiChooseTargetProcessor+102j
					; KiChooseTargetProcessor+154j
		test	esi, esi
		jz	short loc_5241AA

loc_52413C:				; CODE XREF: KiChooseTargetProcessor+6Fj
					; KiChooseTargetProcessor+C8A2Bj ...
		lea	edi, [esi+2224h]
		mov	[ebp+var_74], 0
		lea	esp, [esp+0]

loc_524150:				; CODE XREF: KiChooseTargetProcessor+3EFj
		lock bts dword ptr [edi], 0
		jb	loc_5243C1
		mov	al, [esi+2238h]
		test	al, al
		jnz	loc_5243D4

loc_524169:				; CODE XREF: KiChooseTargetProcessor+C8AE2j
		mov	eax, [ebp+var_5C]
		pop	edi
		mov	dword ptr [eax], 1
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_524187:				; CODE XREF: KiChooseTargetProcessor+DDj
		test	ch, ch
		jnz	short loc_5241AA
		mov	ecx, [ebp+var_4C]
		cmp	[ecx+338h], edi
		jnz	loc_5240CD
		lea	edx, [ebp+var_3C]
		call	KiReduceByEffectiveIdleSmtSet
		mov	eax, [ebp+var_3C]
		jmp	loc_5240CD
; 

loc_5241AA:				; CODE XREF: KiChooseTargetProcessor+BBj
					; KiChooseTargetProcessor+15Aj	...
		mov	edx, [edi+84h]
		mov	esi, [ebp+var_40]
		not	edx
		mov	ecx, [ebp+var_30]
		and	edx, esi
		mov	[ebp+var_28], edx
		cmp	ecx, edi
		jnz	loc_5EC9ED

loc_5241C5:				; CODE XREF: KiChooseTargetProcessor+C8A0Fj
					; KiChooseTargetProcessor+C8A3Aj
		mov	eax, [ecx+84h]
		not	eax
		and	edx, eax
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_28], edx
		mov	ebx, [eax+338h]
		mov	[ebp+var_38], ebx
		cmp	ebx, edi
		jnz	loc_5ECA1F

loc_5241E6:				; CODE XREF: KiChooseTargetProcessor+C8A41j
					; KiChooseTargetProcessor+C8A49j ...
		mov	eax, [ebx+84h]
		mov	ebx, 1
		mov	cl, [edi+8Ah]
		not	eax
		and	edx, eax
		shl	ebx, cl
		mov	eax, [ebp+var_38]
		mov	[ebp+var_70], 0
		movzx	eax, word ptr [eax+8Ah]
		bts	ebx, eax
		mov	eax, [ebp+var_30]
		movzx	eax, word ptr [eax+8Ah]
		bts	ebx, eax
		not	ebx
		and	ebx, [edi+80h]

loc_524226:				; CODE XREF: KiChooseTargetProcessor+C8ADBj
		mov	[ebp+var_28], edx
		lea	esp, [esp+0]

loc_524230:				; CODE XREF: KiChooseTargetProcessor+C8A9Bj
		test	edx, edx
		jnz	loc_5ECA55

loc_524238:				; CODE XREF: KiChooseTargetProcessor+C8A89j
		cmp	[ebp+var_29], 0
		jnz	short loc_524261
		xor	bl, bl
		cmp	_KeSoftParkedQueueThreshold, 0
		mov	[ebp+var_29], bl
		jnz	loc_5ECACD

loc_524250:				; CODE XREF: KiChooseTargetProcessor+C8B34j
					; KiChooseTargetProcessor+C8B3Ej ...
		mov	byte ptr [ebp+var_54], bl
		test	bl, bl
		jnz	loc_5ECB2E
		mov	eax, [ebp+var_54]
		mov	[ebp+var_44], eax

loc_524261:				; CODE XREF: KiChooseTargetProcessor+25Cj
		mov	edx, [ebp+var_34]
		mov	ecx, [edx+4020h]
		and	ecx, esi
		mov	[ebp+var_30], ecx
		lea	eax, [ecx-1]
		test	eax, ecx
		jz	loc_5ECB36
		mov	eax, [edx+4024h]
		movzx	esi, byte ptr [eax+128h]
		movzx	ebx, byte ptr [eax+129h]
		add	eax, 108h
		push	esi		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_24]
		mov	[ebp+var_78], ebx
		add	eax, ebx
		push	eax		; void *
		call	_memcpy
		mov	edi, [ebp+var_50]
		lea	ecx, [ebx+esi]
		mov	edx, [ebp+var_34]
		add	esp, 0Ch
		mov	[ebp+var_38], ecx
		mov	[ebp+var_28], 0FFFFFFFFh
		mov	al, [edi+87h]
		mov	[ebp+var_2A], al
		mov	eax, [edx+338h]
		mov	eax, [eax+104h]
		mov	[ebp+var_3C], eax
		mov	eax, ds:_KiHeteroSchedulerOptions
		test	al, 1
		jnz	loc_5ECB3E
		test	ds:_KiVelocityFlags, 800h
		jz	short loc_5242F7
		cmp	ds:_KeHeteroSystemQos, 0
		jnz	loc_5ECB46

loc_5242F7:				; CODE XREF: KiChooseTargetProcessor+308j
					; KiChooseTargetProcessor+C8B60j
		mov	esi, [ebp+var_30]

loc_5242FA:				; CODE XREF: KiChooseTargetProcessor+C8B6Cj
					; KiChooseTargetProcessor+C8B8Bj ...
		mov	eax, [ebp+var_28]

loc_5242FD:				; CODE XREF: KiChooseTargetProcessor+C8BE5j
		cmp	ebx, ecx
		jnb	short loc_52432B
		mov	ecx, ebx
		mov	eax, 1
		mov	ch, [ebp+var_2A]
		rol	eax, cl
		lea	ecx, [ecx+0]

loc_524310:				; CODE XREF: KiChooseTargetProcessor+346j
		test	esi, eax
		jz	short loc_524320
		mov	cl, byte ptr [ebp+ebx+var_24]
		cmp	cl, ch
		jl	loc_5243B7

loc_524320:				; CODE XREF: KiChooseTargetProcessor+332j
					; KiChooseTargetProcessor+3DCj
		inc	ebx
		rol	eax, 1
		cmp	ebx, [ebp+var_38]
		jb	short loc_524310
		mov	eax, [ebp+var_28]

loc_52432B:				; CODE XREF: KiChooseTargetProcessor+31Fj
		test	eax, eax
		js	short loc_524339

loc_52432F:				; CODE XREF: KiChooseTargetProcessor+C8BD9j
		lfence	eax
		mov	edx, ds:_KiProcessorBlock[eax*4]

loc_524339:				; CODE XREF: KiChooseTargetProcessor+34Dj
		mov	esi, [ebp+var_40]
		mov	[ebp+var_34], edx

loc_52433F:				; CODE XREF: KiChooseTargetProcessor+C8B59j
		mov	eax, [edx+338h]
		lea	ebx, [edx+2224h]
		mov	[ebp+var_38], eax
		mov	[ebp+var_30], ebx
		mov	[ebp+var_7C], 0
		jmp	short loc_524360
; 
		align 10h

loc_524360:				; CODE XREF: KiChooseTargetProcessor+378j
					; KiChooseTargetProcessor+42Fj
		lock bts dword ptr [ebx], 0
		jb	loc_524401
		cmp	[ebp+var_29], 0
		mov	edx, [ebp+var_38]
		jnz	loc_5ECBCA
		xor	ecx, ecx

loc_52437A:				; CODE XREF: KiChooseTargetProcessor+C8BF2j
		mov	bl, [ebp+var_2B]
		test	bl, bl
		jnz	short loc_524389
		mov	eax, [edx]
		or	eax, ecx
		test	eax, esi
		jnz	short loc_5243F1

loc_524389:				; CODE XREF: KiChooseTargetProcessor+39Fj
		mov	esi, [ebp+var_5C]
		mov	edx, [ebp+var_34]
		mov	dword ptr [esi], 0
		test	byte ptr [edx+2238h], 2
		jnz	loc_5ECBD7

loc_5243A2:				; CODE XREF: KiChooseTargetProcessor+C8C0Fj
					; KiChooseTargetProcessor+C8C1Cj ...
		mov	ecx, [ebp+var_4]
		mov	eax, edx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_5243B7:				; CODE XREF: KiChooseTargetProcessor+33Aj
		mov	ch, cl
		mov	[ebp+var_28], ebx
		jmp	loc_524320
; 

loc_5243C1:				; CODE XREF: KiChooseTargetProcessor+175j
					; KiChooseTargetProcessor+3EDj
		lea	ecx, [ebp+var_74]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5243C1
		jmp	loc_524150
; 

loc_5243D4:				; CODE XREF: KiChooseTargetProcessor+183j
		cmp	[ebp+var_29], 0
		jnz	loc_5ECAC0

loc_5243DE:				; CODE XREF: KiChooseTargetProcessor+C8AE8j
		xor	eax, eax
		lock and [edi],	eax
		mov	edi, [ebp+var_50]
		mov	esi, [ebp+var_40]
		mov	ecx, [ebp+var_44]
		jmp	loc_524025
; 

loc_5243F1:				; CODE XREF: KiChooseTargetProcessor+3A7j
		mov	eax, [ebp+var_30]
		xor	ecx, ecx
		lock and [eax],	ecx
		mov	ecx, [ebp+var_44]
		jmp	loc_524025
; 

loc_524401:				; CODE XREF: KiChooseTargetProcessor+385j
					; KiChooseTargetProcessor+42Dj
		lea	ecx, [ebp+var_7C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_524401
		jmp	loc_524360
; 

loc_524414:				; CODE XREF: KiChooseTargetProcessor+96j
		xor	esi, esi
		jmp	loc_52407E
KiChooseTargetProcessor	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiTryLocalThreadSchedule proc near	; CODE XREF: KiChooseTargetProcessor+66p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005ECC0D SIZE 0000007D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	byte ptr [esi+223Ch], 1
		jnz	short loc_524443

loc_524438:				; CODE XREF: KiTryLocalThreadSchedule+38j
					; KiTryLocalThreadSchedule+5Ej	...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_524443:				; CODE XREF: KiTryLocalThreadSchedule+16j
		mov	eax, [ebp+arg_0]
		cmp	byte ptr [eax+18Bh], 0Fh
		jz	short loc_52445A
		mov	eax, [eax+44h]
		cmp	eax, ds:_KiShortExecutionCycles
		jnb	short loc_524438

loc_52445A:				; CODE XREF: KiTryLocalThreadSchedule+2Dj
		mov	ecx, [esi+338h]
		mov	[ebp+var_8], ecx
		mov	eax, [ecx]
		mov	edx, eax
		and	edx, [ebp+arg_4]
		cmp	[ebp+arg_C], 0
		mov	ebx, edx
		mov	[ebp+var_4], eax
		mov	[ebp+arg_0], edx
		jnz	loc_5ECC0D

loc_52447C:				; CODE XREF: KiTryLocalThreadSchedule+C8808j
		test	ebx, ebx
		jz	short loc_524438

loc_524480:				; CODE XREF: KiTryLocalThreadSchedule+C87EFj
		mov	eax, [esi+4034h]
		and	eax, ebx
		jz	short loc_52448F
		mov	edx, eax
		mov	[ebp+arg_0], edx

loc_52448F:				; CODE XREF: KiTryLocalThreadSchedule+68j
		test	byte ptr [ecx+0A5h], 20h
		jz	short loc_5244B3
		mov	bl, [ebp+arg_8]
		test	bl, bl
		jnz	loc_5ECC2D

loc_5244A3:				; CODE XREF: KiTryLocalThreadSchedule+C8822j
		mov	edx, [ecx+4]
		and	edx, [ebp+arg_0]
		jz	short loc_52450B
		test	bl, bl
		jnz	loc_5ECC47

loc_5244B3:				; CODE XREF: KiTryLocalThreadSchedule+76j
					; KiTryLocalThreadSchedule+104j ...
		mov	eax, [esi+402Ch]
		not	eax
		and	eax, edx
		jz	short loc_5244C1
		mov	edx, eax

loc_5244C1:				; CODE XREF: KiTryLocalThreadSchedule+9Dj
					; KiTryLocalThreadSchedule+109j
		mov	al, [edi+3C5h]
		mov	ecx, [esi+404Ch]
		cmp	al, [esi+3C5h]
		jnz	short loc_5244EA
		mov	eax, [esi+4030h]
		test	[edi+3C8h], eax
		jz	short loc_5244EA
		movzx	ecx, byte ptr [edi+3C4h]

loc_5244EA:				; CODE XREF: KiTryLocalThreadSchedule+B3j
					; KiTryLocalThreadSchedule+C1j
		ror	edx, cl
		bsf	eax, edx
		pop	edi
		add	eax, ecx
		mov	[ebp+var_C], 0
		and	eax, 1Fh
		pop	esi
		pop	ebx
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_52450B:				; CODE XREF: KiTryLocalThreadSchedule+89j
		test	bl, bl
		jnz	loc_524438
		lea	edx, [ebp+arg_0]
		mov	ecx, esi
		call	KiReduceByEffectiveIdleSmtSet
		test	al, al
		jnz	short loc_524526
		mov	edx, [ebp+arg_0]
		jmp	short loc_5244B3
; 

loc_524526:				; CODE XREF: KiTryLocalThreadSchedule+FFj
					; KiTryLocalThreadSchedule+C8819j
		mov	edx, [ebp+arg_0]
		jmp	short loc_5244C1
KiTryLocalThreadSchedule endp

; 
		align 10h
; Exported entry 121. IofCompleteRequest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IofCompleteRequest
IofCompleteRequest proc	near		; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6Bp
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+26Dp ...

; FUNCTION CHUNK AT 005ECC8A SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, ds:_IopDispatchCompleteRequest
		test	eax, eax
		jnz	loc_5ECC8A
		call	@IopfCompleteRequest@8 ; IopfCompleteRequest(x,x)

loc_52454A:				; CODE XREF: IofCompleteRequest+C8764j
					; IofCompleteRequest+C876Ej
		mov	esp, ebp
		pop	ebp
		retn
IofCompleteRequest endp

; 
		align 10h

; __fastcall IopfCompleteRequest(x, x)
@IopfCompleteRequest@8:			; CODE XREF: IofCompleteRequest+15p
					; IopPerfCompleteRequest(x,x)+16Dp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	dword ptr [esp+14h], 0
		mov	al, dl
		mov	[esp+10h], edi
		mov	[esp+0Dh], al
		mov	[esp+1Ch], al
		mov	cl, [edi+22h]
		mov	bl, [edi+23h]
		mov	al, cl
		inc	al
		cmp	bl, al
		jg	loc_5251C4
		cmp	word ptr [edi],	6
		jnz	loc_5251C4
		mov	esi, [edi+60h]
		cmp	bl, cl
		jg	short loc_5245B7
		cmp	byte ptr [esi],	16h
		jnz	short loc_5245B7
		mov	eax, [esi+14h]
		mov	ecx, edi
		mov	dl, [esi+1]
		push	eax
		mov	byte ptr [esp+12h], 1
		call	_PoDeviceReleaseIrp@12 ; PoDeviceReleaseIrp(x,x,x)
		mov	edi, [esp+10h]
		jmp	short loc_5245BC
; 

loc_5245B7:				; CODE XREF: .text:00524597j
					; .text:0052459Cj
		mov	byte ptr [esp+0Eh], 0

loc_5245BC:				; CODE XREF: .text:005245B5j
		test	byte ptr [edi+73h], 2
		jz	short loc_5245CA
		mov	ebx, [edi+80h]
		jmp	short loc_5245CC
; 

loc_5245CA:				; CODE XREF: .text:005245C0j
		xor	ebx, ebx

loc_5245CC:				; CODE XREF: .text:005245C8j
		inc	byte ptr [edi+23h]
		mov	eax, [esp+10h]
		mov	[esp+18h], ebx
		add	dword ptr [eax+60h], 24h
		mov	ecx, [esp+10h]
		mov	al, [ecx+22h]
		inc	al
		cmp	[ecx+23h], al
		jg	loc_5246F1
		add	esi, 3

loc_5245F0:				; CODE XREF: .text:005246EBj
		mov	al, [esi]
		and	al, 1
		mov	[ecx+21h], al
		mov	ecx, [esp+10h]
		mov	eax, [ecx+18h]
		test	eax, eax
		jns	short loc_52461D
		cmp	eax, ebx
		jz	short loc_52461D
		or	byte ptr [esi],	2
		mov	ebx, eax
		or	byte ptr [edi+73h], 2
		mov	[edi+80h], ebx
		mov	ecx, [esp+10h]
		mov	[esp+18h], ebx

loc_52461D:				; CODE XREF: .text:00524600j
					; .text:00524604j
		mov	edx, [ecx+18h]
		test	edx, edx
		js	short loc_52462E
		mov	al, [esi]
		test	al, 40h
		jnz	short loc_524648
		test	edx, edx
		jns	short loc_524634

loc_52462E:				; CODE XREF: .text:00524622j
		mov	al, [esi]
		test	al, al
		js	short loc_524648

loc_524634:				; CODE XREF: .text:0052462Cj
		cmp	byte ptr [ecx+24h], 0
		jz	loc_524720
		mov	al, [esi]
		test	al, 20h
		jz	loc_524720

loc_524648:				; CODE XREF: .text:00524628j
					; .text:00524632j
		mov	dl, [esi-2]
		and	al, 2
		mov	[esi], al
		mov	word ptr [esi-2], 0
		mov	dword ptr [esi+1], 0
		mov	dword ptr [esi+5], 0
		mov	dword ptr [esi+9], 0
		mov	dword ptr [esi+15h], 0
		mov	ecx, [esp+10h]
		mov	[esp+0Fh], dl
		mov	al, [ecx+22h]
		inc	al
		cmp	[ecx+23h], al
		jnz	short loc_524687
		xor	ebx, ebx
		jmp	short loc_52468D
; 

loc_524687:				; CODE XREF: .text:00524681j
		mov	eax, [ecx+60h]
		mov	ebx, [eax+14h]

loc_52468D:				; CODE XREF: .text:00524685j
		cmp	byte ptr [esp+0Eh], 0
		jz	short loc_52469E
		push	ebx
		call	_PoDeviceAcquireIrp@12 ; PoDeviceAcquireIrp(x,x,x)
		mov	ecx, [esp+10h]

loc_52469E:				; CODE XREF: .text:00524692j
		mov	eax, [esi+1Dh]
		push	eax
		mov	eax, [esi+19h]
		push	ecx
		push	ebx
		call	eax
		cmp	eax, 0C0000016h
		jz	loc_524ACB
		cmp	byte ptr [esp+0Eh], 0
		jz	short loc_5246C9
		mov	dl, [esp+0Fh]
		mov	ecx, [esp+10h]
		push	ebx
		call	_PoDeviceReleaseIrp@12 ; PoDeviceReleaseIrp(x,x,x)

loc_5246C9:				; CODE XREF: .text:005246B9j
		mov	ebx, [esp+18h]

loc_5246CD:				; CODE XREF: .text:0052475Aj
		mov	eax, [esp+10h]
		add	esi, 24h
		inc	byte ptr [eax+23h]
		mov	eax, [esp+10h]
		add	dword ptr [eax+60h], 24h
		mov	ecx, [esp+10h]
		mov	al, [ecx+22h]
		inc	al
		cmp	[ecx+23h], al
		jle	loc_5245F0

loc_5246F1:				; CODE XREF: .text:005245E7j
		test	byte ptr [ecx+8], 8
		jz	short loc_52475F
		mov	esi, [ecx+0Ch]
		call	_IopFreeIrpAndMdls@4 ; IopFreeIrpAndMdls(x)
		or	eax, 0FFFFFFFFh
		lock xadd [esi+0Ch], eax
		dec	eax
		jnz	loc_524ACB
		mov	dl, [esp+0Dh]
		mov	ecx, esi
		call	IofCompleteRequest
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_524720:				; CODE XREF: .text:00524638j
					; .text:00524642j
		cmp	byte ptr [ecx+21h], 0
		jz	short loc_524735
		mov	al, [ecx+23h]
		cmp	al, [ecx+22h]
		jg	short loc_524735
		mov	eax, [ecx+60h]
		or	byte ptr [eax+3], 1

loc_524735:				; CODE XREF: .text:00524724j
					; .text:0052472Cj
		and	byte ptr [esi],	2
		mov	word ptr [esi-2], 0
		mov	dword ptr [esi+1], 0
		mov	dword ptr [esi+5], 0
		mov	dword ptr [esi+9], 0
		mov	dword ptr [esi+15h], 0
		jmp	loc_5246CD
; 

loc_52475F:				; CODE XREF: .text:005246F5j
		cmp	dword ptr [ecx+18h], 104h
		jnz	short loc_5247A0
		mov	eax, [ecx+1Ch]
		cmp	eax, 2
		jbe	short loc_5247A0
		cmp	eax, 0A0000003h
		jz	short loc_52478E
		cmp	eax, 0A000000Ch
		jz	short loc_52478E
		cmp	eax, 0A0000019h
		jz	short loc_52478E
		mov	dword ptr [ecx+18h], 0C0000279h
		jmp	short loc_52479C
; 

loc_52478E:				; CODE XREF: .text:00524775j
					; .text:0052477Cj ...
		mov	eax, [ecx+54h]
		mov	[esp+14h], eax
		mov	dword ptr [ecx+54h], 0

loc_52479C:				; CODE XREF: .text:0052478Cj
		mov	ecx, [esp+10h]

loc_5247A0:				; CODE XREF: .text:00524766j
					; .text:0052476Ej
		mov	bl, [esp+0Dh]
		test	bl, bl
		jnz	loc_524842
		mov	esi, [ecx+64h]
		test	esi, esi
		jz	loc_524842
		test	dword ptr [ecx+8], 400h
		jnz	loc_524842
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_5247D2
		mov	eax, [eax+8]
		test	eax, eax
		jnz	short loc_5247EF

loc_5247D2:				; CODE XREF: .text:005247C9j
		test	dword ptr [esi+2Ch], 800h
		jnz	short loc_5247EC
		mov	eax, [esi+4]
		mov	eax, [eax+24h]
		test	eax, eax
		jz	short loc_5247EC
		mov	eax, [eax+8]
		test	eax, eax
		jnz	short loc_5247EF

loc_5247EC:				; CODE XREF: .text:005247D9j
					; .text:005247E3j
		mov	eax, [esi+4]

loc_5247EF:				; CODE XREF: .text:005247D0j
					; .text:005247EAj
		mov	edx, [eax+10h]
		test	edx, edx
		jz	short loc_524829
		mov	esi, [esi+7Ch]
		test	esi, esi
		jz	short loc_524820
		cmp	esi, _IopRevocationExtension
		jz	short loc_524820
		mov	esi, [esi+8]
		test	esi, esi
		jz	short loc_524820
		mov	esi, [esi]
		test	esi, esi
		jz	short loc_524820

loc_524812:				; CODE XREF: .text:0052481Bj
		cmp	eax, esi
		jz	short loc_52482B
		mov	eax, [eax+10h]
		test	eax, eax
		jnz	short loc_524812
		lea	ecx, [ecx+0]

loc_524820:				; CODE XREF: .text:005247FBj
					; .text:00524803j ...
		mov	eax, edx
		mov	edx, [eax+10h]
		test	edx, edx
		jnz	short loc_524820

loc_524829:				; CODE XREF: .text:005247F4j
		mov	esi, eax

loc_52482B:				; CODE XREF: .text:00524814j
		mov	eax, [esi+2Ch]
		cmp	eax, 8
		jz	short loc_524838
		cmp	eax, 14h
		jnz	short loc_524842

loc_524838:				; CODE XREF: .text:00524831j
		mov	bl, 1
		mov	[esp+0Dh], bl
		mov	[esp+1Ch], bl

loc_524842:				; CODE XREF: .text:005247A6j
					; .text:005247B1j ...
		mov	eax, [ecx+54h]
		test	eax, eax
		jz	short loc_524860
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+10h]
		mov	dword ptr [eax+54h], 0
		mov	ecx, [esp+10h]

loc_524860:				; CODE XREF: .text:00524847j
		push	1
		or	edx, 0FFFFFFFFh
		call	_IopFreeIrpExtension@12	; IopFreeIrpExtension(x,x,x)
		movzx	ebx, bl
		test	eax, eax
		jz	short loc_524889
		mov	ecx, [esp+10h]
		push	ebx
		mov	ecx, [ecx+64h]
		push	ecx
		lea	ecx, [esp+18h]
		push	ecx
		call	eax
		test	al, al
		jnz	loc_524ACB

loc_524889:				; CODE XREF: .text:0052486Fj
		mov	esi, [esp+10h]
		mov	edi, [esi+8]
		test	edi, 402h
		jz	loc_524945
		test	edi, 440h
		jz	short loc_524902
		mov	ecx, [esi+28h]
		mov	eax, [esi+18h]
		mov	[ecx], eax
		mov	eax, [esi+1Ch]
		mov	[ecx+4], eax
		and	edi, 42h
		jz	short loc_5248C0
		mov	ecx, [esp+10h]
		call	IopDequeueIrpFromThread

loc_5248C0:				; CODE XREF: .text:005248B5j
		movzx	eax, byte ptr [esp+0Dh]
		push	0
		push	eax
		mov	eax, [esp+18h]
		mov	eax, [eax+2Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		test	edi, edi
		jz	loc_524ACB
		mov	eax, ds:_IopDispatchFreeIrp
		mov	ecx, [esp+10h]
		test	eax, eax
		jnz	short loc_5248F6
		call	IopFreeIrp
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5248F6:				; CODE XREF: .text:005248E8j
		call	_IovFreeIrpPrivate@4 ; IovFreeIrpPrivate(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_524902:				; CODE XREF: .text:005248A2j
		mov	ecx, esi
		call	IopDequeueIrpFromThread
		mov	ecx, [esp+10h]
		push	0
		push	0
		push	0
		movsx	eax, byte ptr [ecx+26h]
		push	0
		push	offset IopCompletePageWrite
		push	eax
		mov	eax, [ecx+50h]
		push	eax
		lea	eax, [ecx+40h]
		push	eax
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		mov	eax, [esp+10h]
		push	ebx
		push	0
		push	0
		add	eax, 40h
		push	eax
		call	KeInsertQueueApc
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_524945:				; CODE XREF: .text:00524896j
		mov	edi, [esi+4]
		test	edi, edi
		jz	short loc_524960
		lea	esp, [esp+0]

loc_524950:				; CODE XREF: .text:0052495Aj
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_524950
		mov	esi, [esp+10h]

loc_524960:				; CODE XREF: .text:0052494Aj
		test	dword ptr [esi+8], 2000h
		jz	short loc_524975
		mov	ecx, [esi+50h]
		call	ObfDereferenceObject
		mov	esi, [esp+10h]

loc_524975:				; CODE XREF: .text:00524967j
		mov	eax, [esi+8]
		test	eax, 800h
		jz	short loc_5249BC
		cmp	byte ptr [esi+21h], 0
		jnz	short loc_5249BC
		cmp	dword ptr [esi+18h], 104h
		jnz	loc_524ACB
		mov	eax, [esi+1Ch]
		cmp	eax, 0A0000003h
		jz	short loc_5249AE
		cmp	eax, 0A000000Ch
		jz	short loc_5249AE
		cmp	eax, 0A0000019h
		jnz	loc_524ACB

loc_5249AE:				; CODE XREF: .text:0052499Aj
					; .text:005249A1j
		mov	eax, [esp+14h]
		mov	[esi+54h], eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5249BC:				; CODE XREF: .text:0052497Dj
					; .text:00524983j
		mov	ebx, [esi+64h]
		mov	edi, [esi+50h]
		mov	[esp+18h], ebx
		test	eax, 2000h
		jz	short loc_5249E6
		push	dword ptr [esp+1Ch]
		mov	edx, ebx
		mov	ecx, esi
		call	_IopCompleteIrpInFileObjectList@12 ; IopCompleteIrpInFileObjectList(x,x,x)
		test	al, al
		jnz	loc_524ACB
		mov	esi, [esp+10h]

loc_5249E6:				; CODE XREF: .text:005249CBj
		mov	eax, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esp+20h], eax
		test	edi, edi
		jz	short loc_524A4B
		lea	esi, [edi+350h]
		call	eax
		test	ds:byte_70EFC6,	21h
		mov	[esp+0Fh], al
		jz	short loc_524A11
		mov	ecx, esi
		call	@KiAcquireSpinLockInstrumented@4 ; KiAcquireSpinLockInstrumented(x)
		jmp	short loc_524A1F
; 

loc_524A11:				; CODE XREF: .text:00524A06j
		lock bts dword ptr [esi], 0
		jnb	short loc_524A1F
		mov	ecx, esi
		call	KxWaitForSpinLockAndAcquire

loc_524A1F:				; CODE XREF: .text:00524A0Fj
					; .text:00524A16j
		test	ds:byte_70EFC6,	1
		jz	short loc_524A38
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	ebx, [esp+18h]
		jmp	short loc_524A3D
; 

loc_524A38:				; CODE XREF: .text:00524A26j
		xor	eax, eax
		lock and [esi],	eax

loc_524A3D:				; CODE XREF: .text:00524A36j
		mov	cl, [esp+0Fh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [esp+10h]

loc_524A4B:				; CODE XREF: .text:005249F1j
		cmp	byte ptr [esi+24h], 0
		jnz	loc_525046
		cmp	edi, large fs:124h
		jnz	short loc_524AD2
		mov	eax, large fs:124h
		cmp	word ptr [eax+13Eh], 0
		jnz	short loc_524AD2
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_524AD2
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		jnb	short loc_524AD2
		mov	eax, large fs:124h
		cmp	byte ptr [eax+16Ah], 1
		jz	short loc_524AD2
		mov	cl, 1
		mov	dword ptr [esp+24h], 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [esp+10h]
		mov	bl, al
		lea	eax, [esp+14h]
		add	ecx, 40h
		push	eax
		lea	eax, [esp+1Ch]
		push	eax
		lea	eax, [esp+2Ch]
		push	eax
		lea	eax, [esp+50h]
		push	eax
		push	ecx
		call	_IopCompleteRequest@20 ; IopCompleteRequest(x,x,x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_524ACB:				; CODE XREF: .text:005246AEj
					; .text:00524708j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_524AD2:				; CODE XREF: .text:00524A5Cj
					; .text:00524A6Cj ...
		mov	eax, [esp+10h]
		mov	cl, [eax+26h]
		mov	byte ptr [eax+40h], 12h
		mov	byte ptr [eax+42h], 30h
		cmp	cl, 2
		jnz	short loc_524AEC
		mov	cl, [edi+16Ah]

loc_524AEC:				; CODE XREF: .text:00524AE4j
		mov	[eax+6Ch], cl
		mov	[eax+48h], edi
		mov	dword ptr [eax+54h], offset _IopCompleteRequest@20 ; IopCompleteRequest(x,x,x,x,x)
		mov	dword ptr [eax+58h], offset _IopAbortRequest@4 ; IopAbortRequest(x)
		mov	dword ptr [eax+5Ch], 0
		mov	word ptr [eax+6Dh], 0
		mov	dword ptr [eax+60h], 0
		mov	byte ptr [eax+41h], 0
		mov	esi, _EtwThreatIntProvRegHandle
		mov	edi, [esp+10h]
		test	esi, esi
		jz	short loc_524B77
		mov	edx, [esi+10h]
		add	edx, 40h
		cmp	dword ptr [edx], 0
		jz	short loc_524B55
		mov	eax, [edx+10h]
		and	eax, 3000h
		or	eax, 0
		jz	short loc_524B55
		mov	ecx, [edx+18h]
		xor	ebx, ebx
		mov	edx, [edx+1Ch]
		mov	eax, ecx
		and	eax, 3000h
		cmp	eax, ecx
		jnz	short loc_524B55
		cmp	ebx, edx
		jz	short loc_524B73

loc_524B55:				; CODE XREF: .text:00524B2Fj
					; .text:00524B3Cj ...
		cmp	byte ptr [esi+35h], 0
		jz	short loc_524B77
		mov	ecx, [esi+14h]
		xor	dl, dl
		push	0
		push	3000h
		add	ecx, 40h
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	short loc_524B77

loc_524B73:				; CODE XREF: .text:00524B53j
		mov	cl, 1
		jmp	short loc_524B79
; 

loc_524B77:				; CODE XREF: .text:00524B24j
					; .text:00524B59j ...
		xor	cl, cl

loc_524B79:				; CODE XREF: .text:00524B75j
		mov	eax, [edi+60h]
		mov	dl, [edi+6Dh]
		mov	[esp+3Ch], eax
		test	dl, dl
		mov	eax, [edi+5Ch]
		mov	[esp+40h], eax
		setnz	al
		mov	[esp+38h], al
		mov	eax, [edi+54h]
		cmp	eax, offset _KeSpecialUserApcKernelRoutine@20 ;	KeSpecialUserApcKernelRoutine(x,x,x,x,x)
		jnz	short loc_524BA5
		test	dl, dl
		jnz	short loc_524BA5
		mov	bl, 1
		jmp	short loc_524BA7
; 

loc_524BA5:				; CODE XREF: .text:00524B9Bj
					; .text:00524B9Fj
		xor	bl, bl

loc_524BA7:				; CODE XREF: .text:00524BA3j
		mov	esi, [edi+48h]
		mov	eax, large fs:124h
		mov	[esp+34h], esi
		test	dl, dl
		jz	short loc_524BC0
		mov	eax, [eax+150h]
		jmp	short loc_524BC6
; 

loc_524BC0:				; CODE XREF: .text:00524BB6j
		mov	eax, [eax+80h]

loc_524BC6:				; CODE XREF: .text:00524BBEj
		cmp	eax, [esi+150h]
		setnz	al
		test	cl, cl
		jz	short loc_524BF2
		test	al, al
		jz	short loc_524BF2
		test	dl, dl
		jnz	short loc_524BDF
		test	bl, bl
		jz	short loc_524BF2

loc_524BDF:				; CODE XREF: .text:00524BD9j
		mov	edx, 5149654Bh
		mov	byte ptr [esp+0Eh], 1
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		jmp	short loc_524BF7
; 

loc_524BF2:				; CODE XREF: .text:00524BD1j
					; .text:00524BD5j ...
		mov	byte ptr [esp+0Eh], 0

loc_524BF7:				; CODE XREF: .text:00524BF0j
		call	dword ptr [esp+20h]
		mov	[esp+1Ch], al
		lea	ebx, [esi+2Ch]
		mov	eax, large fs:20h
		mov	[esp+20h], eax
		mov	dword ptr [esp+28h], 0

loc_524C14:				; CODE XREF: .text:00524C2Fj
		lock bts dword ptr [ebx], 0
		jnb	short loc_524C31
		jmp	short loc_524C20
; 
		align 10h

loc_524C20:				; CODE XREF: .text:00524C1Bj
					; .text:00524C2Dj
		lea	ecx, [esp+28h]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_524C20
		jmp	short loc_524C14
; 

loc_524C31:				; CODE XREF: .text:00524C19j
		test	dword ptr [esi+58h], 4000h
		jz	loc_524FDD
		cmp	byte ptr [edi+6Eh], 0
		jnz	loc_524FDD
		cmp	byte ptr [edi+6Ch], 0
		mov	eax, [esp+18h]
		mov	edx, [edi+48h]
		mov	[edi+64h], eax
		mov	eax, [esp+14h]
		mov	byte ptr [edi+6Eh], 1
		mov	[edi+68h], eax
		jnz	short loc_524C73
		cmp	byte ptr [edx+16Ah], 0
		jz	short loc_524C73
		mov	eax, 174h
		jmp	short loc_524C81
; 

loc_524C73:				; CODE XREF: .text:00524C61j
					; .text:00524C6Aj
		mov	al, [edx+16Ah]
		mov	[edi+6Ch], al
		mov	eax, 70h

loc_524C81:				; CODE XREF: .text:00524C71j
		cmp	dword ptr [edi+5Ch], 0
		lea	esi, [edx+eax]
		mov	al, [edi+6Dh]
		jz	short loc_524CF0
		test	al, al
		jz	short loc_524CCF
		mov	ecx, [edi+54h]
		cmp	ecx, offset KiSchedulerApcTerminate
		jnz	short loc_524CAB
		or	byte ptr [edx+86h], 2
		movsx	eax, al
		lea	eax, [esi+eax*8]
		jmp	short loc_524D0D
; 

loc_524CAB:				; CODE XREF: .text:00524C9Aj
		cmp	ecx, offset _KeSpecialUserApcKernelRoutine@20 ;	KeSpecialUserApcKernelRoutine(x,x,x,x,x)
		jnz	short loc_524CCF
		movsx	eax, al
		lea	ecx, [esi+eax*8]
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	short loc_524CC6
		nop

loc_524CC0:				; CODE XREF: .text:00524CC4j
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	short loc_524CC0

loc_524CC6:				; CODE XREF: .text:00524CBDj
		or	byte ptr [edx+86h], 1
		jmp	short loc_524D0D
; 

loc_524CCF:				; CODE XREF: .text:00524C8Fj
					; .text:00524CB1j
		movsx	eax, al
		lea	ecx, [edi+4Ch]
		mov	edx, [esi+eax*8+4]
		lea	eax, [esi+eax*8]
		cmp	[edx], eax
		jnz	loc_525134
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		jmp	short loc_524D25
; 

loc_524CF0:				; CODE XREF: .text:00524C8Bj
		movsx	eax, al
		lea	ecx, [esi+eax*8]
		mov	eax, [ecx+4]
		cmp	eax, ecx
		jz	short loc_524D0D
		lea	ecx, [ecx+0]

loc_524D00:				; CODE XREF: .text:00524D0Bj
		cmp	dword ptr [eax+10h], 0
		jz	short loc_524D0D
		mov	eax, [eax+4]
		cmp	eax, ecx
		jnz	short loc_524D00

loc_524D0D:				; CODE XREF: .text:00524CA9j
					; .text:00524CCDj ...
		mov	edx, [eax]
		lea	ecx, [edi+4Ch]
		cmp	[edx+4], eax
		jnz	loc_525134
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[edx+4], ecx
		mov	[eax], ecx

loc_524D25:				; CODE XREF: .text:00524CEEj
		mov	esi, [edi+48h]
		movsx	eax, byte ptr [edi+6Ch]
		mov	dl, [edi+6Dh]
		movzx	ecx, byte ptr [esi+16Ah]
		cmp	eax, ecx
		jnz	loc_524FD5
		mov	ebx, [esp+20h]
		cmp	esi, [ebx+4]
		jnz	short loc_524DA2
		test	dl, dl
		jnz	loc_524FD5
		mov	eax, [esi+13Ch]
		mov	ecx, eax
		mov	edx, [edi+5Ch]
		shr	ecx, 10h
		test	eax, eax
		jz	short loc_524D72
		test	edx, edx
		jnz	loc_524FD5
		test	cx, cx
		jnz	loc_524FD5

loc_524D72:				; CODE XREF: .text:00524D5Fj
		cmp	byte ptr [esp+1Ch], 1
		mov	byte ptr [esi+85h], 1
		jb	short loc_524D93
		mov	cl, 1
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		mov	esi, [esp+34h]
		mov	bl, 1
		jmp	loc_524FDF
; 

loc_524D93:				; CODE XREF: .text:00524D7Ej
		or	dword ptr [esi+58h], 40h
		mov	bl, 1
		mov	esi, [esp+34h]
		jmp	loc_524FDF
; 

loc_524DA2:				; CODE XREF: .text:00524D45j
		test	dl, dl
		jnz	loc_524F83
		mov	byte ptr [esi+85h], 1
		lea	eax, [esp+2Ch]
		mov	dword ptr [esp+2Ch], 0
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	al, [esi+90h]
		cmp	al, 2
		jz	loc_524F4C
		cmp	al, 5
		jnz	loc_524FD5
		cmp	[esi+92h], cl
		jnz	loc_524FD5
		cmp	[esi+13Eh], cx
		jnz	loc_524FD5
		cmp	[edi+5Ch], ecx
		jz	short loc_524E0F
		cmp	[esi+13Ch], cx
		jnz	loc_524FD5
		cmp	[esi+84h], cl
		jnz	loc_524FD5

loc_524E0F:				; CODE XREF: .text:00524DF4j
		mov	al, [esi+54h]
		movzx	ecx, al
		and	ecx, 7
		cmp	ecx, 1
		jz	short loc_524E26
		cmp	ecx, 4
		jnz	loc_524F3C

loc_524E26:				; CODE XREF: .text:00524E1Bj
		mov	ecx, [esi+0A4h]
		test	ecx, ecx
		jz	short loc_524E53
		mov	al, [ecx]
		and	al, 7Fh
		cmp	al, 15h
		jnz	short loc_524E4F
		movzx	eax, byte ptr [esi+14Ch]
		mov	[esi+14Ch], eax
		lock inc dword ptr [ecx+eax*4+110h]
		jmp	short loc_524E53
; 

loc_524E4F:				; CODE XREF: .text:00524E36j
		lock inc dword ptr [ecx+18h]

loc_524E53:				; CODE XREF: .text:00524E2Ej
					; .text:00524E4Dj
		mov	edi, [esi+1B4h]
		test	edi, edi
		jz	short loc_524EC6
		add	edi, 3B28h
		mov	dword ptr [esp+30h], 0
		jmp	short loc_524E70
; 
		align 10h

loc_524E70:				; CODE XREF: .text:00524E6Bj
					; .text:00524E86j
		lock bts dword ptr [edi], 0
		jnb	short loc_524E88

loc_524E77:				; CODE XREF: .text:00524E84j
		lea	ecx, [esp+30h]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_524E77
		jmp	short loc_524E70
; 

loc_524E88:				; CODE XREF: .text:00524E75j
		mov	eax, [esi+1B4h]
		test	eax, eax
		jz	short loc_524EC1
		mov	edx, [esi+9Ch]
		lea	eax, [esi+9Ch]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_525134
		cmp	[ecx], eax
		jnz	loc_525134
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	dword ptr [esi+1B4h], 0

loc_524EC1:				; CODE XREF: .text:00524E90j
		xor	eax, eax
		lock and [edi],	eax

loc_524EC6:				; CODE XREF: .text:00524E5Bj
		mov	al, [esi+90h]
		cmp	al, 1
		jnz	short loc_524ED6
		or	dword ptr [esi+58h], 2
		jmp	short loc_524F0A
; 

loc_524ED6:				; CODE XREF: .text:00524ECEj
		cmp	al, 5
		jnz	short loc_524F0A
		mov	eax, ds:_KeTickCount
		sub	eax, [esi+138h]
		cmp	byte ptr [esi+93h], 0
		jnz	short loc_524EFD
		add	[esi+250h], eax
		adc	dword ptr [esi+254h], 0
		jmp	short loc_524F0A
; 

loc_524EFD:				; CODE XREF: .text:00524EECj
		add	[esi+258h], eax
		adc	dword ptr [esi+25Ch], 0

loc_524F0A:				; CODE XREF: .text:00524ED4j
					; .text:00524ED8j ...
		mov	byte ptr [esi+90h], 7
		lea	ecx, [esi+9Ch]
		mov	eax, [ebx+3B1Ch]
		mov	[ecx], eax
		mov	[ebx+3B1Ch], ecx
		mov	dword ptr [esi+94h], 100h
		mov	dword ptr [esi+248h], 0
		mov	al, [esi+54h]

loc_524F3C:				; CODE XREF: .text:00524E20j
		or	al, 20h
		mov	bl, 1
		mov	[esi+54h], al
		mov	esi, [esp+34h]
		jmp	loc_524FDF
; 

loc_524F4C:				; CODE XREF: .text:00524DCAj
		mov	ecx, [esi+148h]
		movzx	eax, large byte	ptr fs:51h
		and	ecx, 7FFFFFFFh
		cmp	eax, ecx
		jnz	short loc_524F74
		mov	cl, 1
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		mov	esi, [esp+34h]
		mov	bl, 1
		jmp	short loc_524FDF
; 

loc_524F74:				; CODE XREF: .text:00524F62j
		mov	dl, 1
		call	_KiSendSoftwareInterrupt@8 ; KiSendSoftwareInterrupt(x,x)
		mov	esi, [esp+34h]
		mov	bl, 1
		jmp	short loc_524FDF
; 

loc_524F83:				; CODE XREF: .text:00524DA4j
		mov	al, [esi+90h]
		cmp	al, 5
		jnz	short loc_524FD5
		cmp	byte ptr [esi+93h], 1
		jnz	short loc_524FD5
		mov	cl, [esi+54h]
		mov	al, cl
		and	al, 7
		cmp	al, 4
		jz	short loc_524FD5
		cmp	al, 3
		jz	short loc_524FD5
		test	byte ptr [esi+58h], 10h
		jnz	short loc_524FB4
		test	byte ptr [esi+86h], 2
		jz	short loc_524FD5

loc_524FB4:				; CODE XREF: .text:00524FA9j
		or	cl, 40h
		mov	edx, esi
		push	0
		mov	[esi+54h], cl
		mov	ecx, ebx
		push	0C0h
		call	KiSignalThread
		test	al, al
		jz	short loc_524FD5
		or	byte ptr [esi+86h], 2

loc_524FD5:				; CODE XREF: .text:00524D38j
					; .text:00524D49j ...
		mov	esi, [esp+34h]
		mov	bl, 1
		jmp	short loc_524FDF
; 

loc_524FDD:				; CODE XREF: .text:00524C38j
					; .text:00524C42j
		xor	bl, bl

loc_524FDF:				; CODE XREF: .text:00524D8Ej
					; .text:00524D9Dj ...
		push	dword ptr [esp+1Ch]
		movzx	eax, byte ptr [esp+11h]
		xor	edx, edx
		mov	ecx, [esp+24h]
		push	eax
		push	1
		mov	dword ptr [esi+2Ch], 0
		call	KiExitDispatcher
		cmp	byte ptr [esp+0Eh], 0
		jz	loc_524ACB
		test	bl, bl
		jz	short loc_525033
		push	dword ptr [esp+38h]
		mov	eax, large fs:124h
		mov	edx, esi
		push	dword ptr [esp+18h]
		push	dword ptr [esp+20h]
		mov	cl, [eax+15Ah]
		push	dword ptr [esp+48h]
		push	dword ptr [esp+50h]
		call	_EtwTiLogInsertQueueUserApc@28 ; EtwTiLogInsertQueueUserApc(x,x,x,x,x,x,x)

loc_525033:				; CODE XREF: .text:0052500Aj
		mov	edx, 5149654Bh
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_525046:				; CODE XREF: .text:00524A4Fj
		mov	ecx, 0Bh
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	esi, [esp+10h]
		mov	ecx, _IopDeadIrps
		mov	[esp+0Eh], al
		mov	edi, [esi+50h]
		cmp	ecx, offset _IopDeadIrps
		jz	short loc_525083
		lea	esp, [esp+0]

loc_525070:				; CODE XREF: .text:00525081j
		mov	eax, [ecx]
		lea	edx, [ecx-10h]
		cmp	edx, esi
		jz	short loc_5250F3
		mov	ecx, eax
		cmp	ecx, offset _IopDeadIrps
		jnz	short loc_525070

loc_525083:				; CODE XREF: .text:00525067j
		test	edi, edi
		jz	loc_525113
		movsx	eax, byte ptr [esi+26h]
		push	0
		push	0
		push	0
		push	offset _IopAbortRequest@4 ; IopAbortRequest(x)
		push	offset _IopCompleteRequest@20 ;	IopCompleteRequest(x,x,x,x,x)
		push	eax
		push	edi
		lea	eax, [esi+40h]
		push	eax
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		movzx	eax, byte ptr [esp+0Dh]
		push	eax
		mov	eax, [esp+18h]
		push	eax
		mov	eax, [esp+18h]
		push	ebx
		add	eax, 40h
		push	eax
		call	KeInsertQueueApc
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+470h]
		jz	short loc_52513B
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		mov	cl, [esp+0Eh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5250F3:				; CODE XREF: .text:00525077j
		mov	esi, [ecx+4]
		cmp	[eax+4], ecx
		jnz	short loc_525134
		cmp	[esi], ecx
		jnz	short loc_525134
		mov	[esi], eax
		mov	ecx, edi
		mov	[eax+4], esi
		lea	eax, [edx+10h]
		mov	[eax+4], eax
		mov	[eax], eax
		call	ObfDereferenceObject

loc_525113:				; CODE XREF: .text:00525085j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+470h]
		jz	short loc_525179
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5251A6
; 

loc_525134:				; CODE XREF: .text:00524CDEj
					; .text:00524D15j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_52513B:				; CODE XREF: .text:005250D6j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_525157
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_525168
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_525157:				; CODE XREF: .text:0052513Fj
		mov	dword ptr [esi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_525168:				; CODE XREF: .text:0052514Ej
		mov	cl, [esp+0Eh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_525179:				; CODE XREF: .text:00525126j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_525195
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5251A6
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_525195:				; CODE XREF: .text:0052517Dj
		mov	dword ptr [esi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5251A6:				; CODE XREF: .text:00525132j
					; .text:0052518Cj
		mov	cl, [esp+0Eh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+18h]
		mov	ecx, [esp+10h]
		call	IopDropIrp
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5251C4:				; CODE XREF: .text:00524582j
					; .text:0052458Cj
		push	0
		push	0
		push	1269h
		push	edi
		push	44h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopDecrementDeviceObjectRef proc near	; CODE XREF: IopCheckVpbMounted+C646Ap
					; IopCheckVpbMounted+C64F2p ...

var_5		= dword	ptr -5
var_1		= byte ptr -1
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005ECCA3 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	[ebp+var_1], dl
		mov	esi, ecx
		xor	bh, bh
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	eax, large fs:20h
		mov	byte ptr [ebp+var_5], bl
		lea	ecx, [eax+468h]
		mov	eax, [ecx+4]
		test	ds:byte_70EFC6,	21h
		jnz	loc_5ECCA3
		mov	edx, ecx
		xchg	edx, [eax]
		test	edx, edx
		jnz	short loc_52529D

loc_525220:				; CODE XREF: IopDecrementDeviceObjectRef+C2j
					; IopDecrementDeviceObjectRef+C7ACAj
		mov	eax, [esi+4]
		add	eax, 0FFFFFFFFh
		mov	[esi+4], eax
		js	loc_5ECCAF
		test	eax, eax
		jz	short loc_525274

loc_525233:				; CODE XREF: IopDecrementDeviceObjectRef+A4j
		mov	esi, large fs:20h
		add	esi, 468h
		test	ds:byte_70EFC6,	1
		jnz	loc_5ECCDF
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5252AE
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_5252A7

loc_525262:				; CODE XREF: IopDecrementDeviceObjectRef+DFj
					; IopDecrementDeviceObjectRef+C7B09j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, bh
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_525274:				; CODE XREF: IopDecrementDeviceObjectRef+51j
		cmp	[ebp+var_1], 0
		jnz	short loc_525286
		mov	eax, [esi+0B0h]
		test	byte ptr [eax+10h], 7
		jz	short loc_525233

loc_525286:				; CODE XREF: IopDecrementDeviceObjectRef+98j
		push	[ebp+var_5]
		mov	dl, [ebp+arg_0]
		mov	ecx, esi
		call	IopCompleteUnloadOrDelete
		mov	bh, al
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_52529D:				; CODE XREF: IopDecrementDeviceObjectRef+3Ej
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_525220
; 

loc_5252A7:				; CODE XREF: IopDecrementDeviceObjectRef+80j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5252AE:				; CODE XREF: IopDecrementDeviceObjectRef+71j
		mov	dword ptr [esi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_525262
IopDecrementDeviceObjectRef endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiTryUnwaitThread proc near		; CODE XREF: KeSetProcess+5Ep
					; KeSetEventBoostPriorityEx+F1p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A872B SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], edi
		xor	bl, bl
		mov	[ebp+var_8], 0
		mov	esi, [edi+0Ch]
		lea	edi, [esi+2Ch]
		mov	[ebp+var_14], edi

loc_5252F5:				; CODE XREF: KiTryUnwaitThread+1C2j
		lock bts dword ptr [edi], 0
		jb	loc_525486
		mov	al, [esi+90h]
		mov	edi, [ebp+var_C]
		cmp	al, 5
		jnz	loc_5253B6
		mov	cl, [esi+54h]
		xor	bl, bl
		movzx	eax, cl
		and	eax, 7
		cmp	eax, 1
		jnz	loc_52549A

loc_525325:				; CODE XREF: KiTryUnwaitThread+1CDj
		mov	ecx, [esi+0A4h]
		test	ecx, ecx
		jnz	loc_5253D2

loc_525333:				; CODE XREF: KiTryUnwaitThread+10Ej
					; KiTryUnwaitThread+193j
		mov	eax, [esi+1B4h]
		test	eax, eax
		jnz	loc_5253F2

loc_525341:				; CODE XREF: KiTryUnwaitThread+179j
		mov	al, [esi+90h]
		cmp	al, 1
		jz	loc_5A875C
		cmp	al, 5
		jnz	short loc_525374
		mov	eax, ds:_KeTickCount
		sub	eax, [esi+138h]
		cmp	byte ptr [esi+93h], 0
		jnz	short loc_5253E3
		add	[esi+250h], eax
		adc	dword ptr [esi+254h], 0

loc_525374:				; CODE XREF: KiTryUnwaitThread+81j
					; KiTryUnwaitThread+120j ...
		mov	edx, [ebp+var_4]
		lea	ecx, [esi+9Ch]
		mov	byte ptr [esi+90h], 7
		mov	bl, 1
		mov	eax, [edx+3B1Ch]
		mov	[ecx], eax
		mov	eax, [ebp+arg_0]
		mov	[edx+3B1Ch], ecx
		mov	[esi+94h], eax
		mov	dword ptr [esi+248h], 0

loc_5253A7:				; CODE XREF: KiTryUnwaitThread+83476j
					; KiTryUnwaitThread+83480j
		test	bl, bl
		jz	short loc_5253B6

loc_5253AB:				; CODE XREF: KiTryUnwaitThread+1FFj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	loc_525468

loc_5253B6:				; CODE XREF: KiTryUnwaitThread+3Bj
					; KiTryUnwaitThread+D9j ...
		mov	eax, [ebp+var_14]
		mov	dword ptr [eax], 0
		mov	al, bl
		mov	cl, [edi+9]
		inc	cl
		mov	[edi+9], cl
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_5253D2:				; CODE XREF: KiTryUnwaitThread+5Dj
		mov	al, [ecx]
		and	al, 7Fh
		cmp	al, 15h
		jz	short loc_52544E
		lock inc dword ptr [ecx+18h]
		jmp	loc_525333
; 

loc_5253E3:				; CODE XREF: KiTryUnwaitThread+95j
		add	[esi+258h], eax
		adc	dword ptr [esi+25Ch], 0
		jmp	short loc_525374
; 

loc_5253F2:				; CODE XREF: KiTryUnwaitThread+6Bj
		lea	ebx, [eax+3B28h]
		mov	[ebp+var_10], 0
		nop

loc_525400:				; CODE XREF: KiTryUnwaitThread+210j
		lock bts dword ptr [ebx], 0
		jb	loc_5254D4
		mov	eax, [esi+1B4h]
		test	eax, eax
		jz	short loc_525444
		mov	edx, [esi+9Ch]
		lea	eax, [esi+9Ch]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_5A8755
		cmp	[ecx], eax
		jnz	loc_5A8755
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	dword ptr [esi+1B4h], 0

loc_525444:				; CODE XREF: KiTryUnwaitThread+143j
		xor	eax, eax
		lock and [ebx],	eax
		jmp	loc_525341
; 

loc_52544E:				; CODE XREF: KiTryUnwaitThread+108j
		movzx	eax, byte ptr [esi+14Ch]
		mov	[esi+14Ch], eax
		lock inc dword ptr [ecx+eax*4+110h]
		jmp	loc_525333
; 

loc_525468:				; CODE XREF: KiTryUnwaitThread+E0j
		mov	[eax], esi
		mov	ecx, [edi+10h]
		mov	al, [ecx]
		and	al, 7Fh
		cmp	al, 2
		jnz	loc_5253B6
		push	edx
		mov	edx, esi
		call	_KiWaitSatisfyMutant@12	; KiWaitSatisfyMutant(x,x,x)
		jmp	loc_5253B6
; 

loc_525486:				; CODE XREF: KiTryUnwaitThread+2Aj
					; KiTryUnwaitThread+1C8j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jz	loc_5252F5
		jmp	short loc_525486
; 

loc_52549A:				; CODE XREF: KiTryUnwaitThread+4Fj
		cmp	eax, 4
		jz	loc_525325
		test	eax, eax
		jnz	loc_5A872B
		mov	eax, [ebp+arg_0]
		and	cl, 0FAh
		mov	edx, [ebp+var_4]
		or	cl, 2
		mov	[esi+54h], cl
		mov	[esi+94h], eax
		mov	dword ptr [esi+248h], 0
		mov	[edi+9], bl
		mov	bl, 1
		jmp	loc_5253AB
; 

loc_5254D4:				; CODE XREF: KiTryUnwaitThread+135j
					; KiTryUnwaitThread+216j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jz	loc_525400
		jmp	short loc_5254D4
KiTryUnwaitThread endp

; 
		align 10h
; Exported entry 325. ExAllocatePoolWithQuotaTag

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExAllocatePoolWithQuotaTag
ExAllocatePoolWithQuotaTag proc	near	; CODE XREF: CmpAllocateTransientPoolWithQuotaTag(x,x,x)+Bp
					; sub_4F0630+14p ...

var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005ECCEE SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		push	esi
		and	eax, 8
		push	edi
		mov	[ebp+var_24], eax
		jnz	loc_52569E

loc_52550C:				; CODE XREF: ExAllocatePoolWithQuotaTag+1B1j
		mov	eax, large fs:124h
		mov	ecx, ebx
		add	ebx, 8
		mov	edi, [eax+80h]
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_14], edi
		cmp	edi, ds:_PsInitialSystemProcess
		jz	loc_52570F
		cmp	eax, 0FF4h
		ja	loc_52570F
		add	eax, 4

loc_52553D:				; CODE XREF: ExAllocatePoolWithQuotaTag+221j
		push	[ebp+arg_8]
		push	eax
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, 0FFFh
		jz	loc_525716
		mov	ecx, _ExpSpecialAllocations
		test	ecx, ecx
		jnz	loc_5ECCEE

loc_525566:				; CODE XREF: ExAllocatePoolWithQuotaTag+C7814j
		test	bl, 8
		jz	loc_525693
		movzx	ecx, word ptr [esi-6]
		add	esi, 0FFFFFFF8h
		mov	eax, ds:_ExpPoolQuotaCookie
		and	ecx, 1FFh
		xor	eax, esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_1C], 0
		mov	[esi+ecx*8-4], eax
		mov	eax, 800h
		test	[esi+2], ax
		jnz	loc_5256A6

loc_5255A0:				; CODE XREF: ExAllocatePoolWithQuotaTag+1E7j
		lea	edx, ds:0[ecx*8]
		mov	[ebp+var_4], edx
		cmp	edi, ds:_PsInitialSystemProcess
		jz	loc_525668
		mov	eax, [edi+188h]
		and	ebx, 1
		lea	edi, [ebp+var_28]
		xor	esi, esi
		mov	cl, ds:_PspResourceFlags[ebx*8]
		mov	byte ptr [ebp+arg_0+3],	cl
		mov	ecx, ebx
		shl	ecx, 7
		add	ecx, eax
		mov	[ebp+var_10], ecx
		mov	eax, [ecx]
		mov	[ebp+arg_4], eax
		mov	[ebp+var_28], 0
		lock or	[edi], esi
		mov	esi, [ebp+var_18]
		lea	edi, [ecx+40h]
		mov	[ebp+var_2C], edi
		mov	edi, [edi]
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi

loc_5255F8:				; CODE XREF: ExAllocatePoolWithQuotaTag+2DAj
		mov	edi, [ebp+var_14]
		jmp	short loc_525600
; 
		align 10h

loc_525600:				; CODE XREF: ExAllocatePoolWithQuotaTag+10Bj
					; ExAllocatePoolWithQuotaTag+26Fj ...
		add	edx, eax
		mov	[ebp+var_30], edx
		cmp	edx, eax
		jb	loc_5ECD09
		cmp	edx, [ebp+var_C]
		ja	loc_525764
		mov	esi, [ebp+var_10]
		mov	ecx, edx
		lock cmpxchg [esi], ecx
		mov	esi, [ebp+var_18]
		cmp	eax, [ebp+arg_4]
		jnz	loc_52574B
		mov	eax, [ebp+var_10]
		add	eax, 4
		mov	[ebp+arg_4], eax
		mov	eax, [eax]
		cmp	edx, eax
		ja	loc_525723

loc_52563E:				; CODE XREF: ExAllocatePoolWithQuotaTag+256j
		test	byte ptr [ebp+arg_0+3],	4
		jz	short loc_525668
		mov	ecx, [ebp+var_4]
		lea	eax, [ebx+42h]
		lea	eax, [edi+eax*4]
		lock xadd [eax], ecx
		add	ecx, [ebp+var_4]
		add	ebx, 44h
		mov	eax, [edi+ebx*4]
		lea	ebx, [edi+ebx*4]
		mov	[ebp+arg_0], ecx
		cmp	ecx, eax
		ja	loc_5256F5

loc_525668:				; CODE XREF: ExAllocatePoolWithQuotaTag+C0j
					; ExAllocatePoolWithQuotaTag+152j ...
		movzx	eax, word ptr [esi+2]
		mov	ecx, ds:_ExpPoolQuotaCookie
		and	eax, 1FFh
		xor	ecx, esi
		xor	ecx, edi
		mov	[esi+eax*8-4], ecx
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jnz	short loc_5256DC

loc_525686:				; CODE XREF: ExAllocatePoolWithQuotaTag+203j
		mov	edx, [ebp+arg_8]
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		mov	esi, [ebp+var_20]

loc_525693:				; CODE XREF: ExAllocatePoolWithQuotaTag+79j
					; ExAllocatePoolWithQuotaTag+228j ...
		mov	eax, esi

loc_525695:				; CODE XREF: ExAllocatePoolWithQuotaTag+C7842j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_52569E:				; CODE XREF: ExAllocatePoolWithQuotaTag+16j
		and	ebx, 0FFFFFFF7h
		jmp	loc_52550C
; 

loc_5256A6:				; CODE XREF: ExAllocatePoolWithQuotaTag+AAj
		movzx	eax, word ptr [esi]
		mov	edx, esi
		mov	ecx, ds:_ExpPoolQuotaCookie
		and	eax, 1FFh
		shl	eax, 3
		sub	edx, eax
		xor	ecx, edx
		mov	[ebp+var_1C], edx
		movzx	eax, word ptr [edx+2]
		and	eax, 1FFh
		mov	[edx+eax*8-4], ecx
		movzx	ecx, word ptr [edx+2]
		and	ecx, 1FFh
		jmp	loc_5255A0
; 

loc_5256DC:				; CODE XREF: ExAllocatePoolWithQuotaTag+194j
		mov	esi, ds:_ExpPoolQuotaCookie
		movzx	eax, word ptr [ecx+2]
		xor	esi, ecx
		xor	esi, edi
		and	eax, 1FFh
		mov	[ecx+eax*8-4], esi
		jmp	short loc_525686
; 

loc_5256F5:				; CODE XREF: ExAllocatePoolWithQuotaTag+172j
					; ExAllocatePoolWithQuotaTag+218j
		mov	edx, eax
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jz	loc_525668
		mov	ecx, [ebp+arg_0]
		cmp	ecx, eax
		ja	short loc_5256F5
		jmp	loc_525668
; 

loc_52570F:				; CODE XREF: ExAllocatePoolWithQuotaTag+39j
					; ExAllocatePoolWithQuotaTag+44j
		mov	ebx, ecx
		jmp	loc_52553D
; 

loc_525716:				; CODE XREF: ExAllocatePoolWithQuotaTag+62j
		test	esi, esi
		jnz	loc_525693
		jmp	loc_5ECD37
; 

loc_525723:				; CODE XREF: ExAllocatePoolWithQuotaTag+148j
		mov	esi, [ebp+var_30]
		mov	edi, [ebp+arg_4]
		lea	esp, [esp+0]

loc_525730:				; CODE XREF: ExAllocatePoolWithQuotaTag+2E7j
		mov	edx, eax
		mov	ecx, esi
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	loc_5257CF

loc_525740:				; CODE XREF: ExAllocatePoolWithQuotaTag+2E1j
		mov	edi, [ebp+var_14]
		mov	esi, [ebp+var_18]
		jmp	loc_52563E
; 

loc_52574B:				; CODE XREF: ExAllocatePoolWithQuotaTag+135j
		mov	ecx, [ebp+var_2C]
		mov	edx, [ebp+var_4]
		mov	[ebp+arg_4], eax
		mov	ecx, [ecx]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_10]
		jmp	loc_525600
; 

loc_525764:				; CODE XREF: ExAllocatePoolWithQuotaTag+120j
		test	byte ptr [ebp+arg_0+3],	1
		jz	loc_5ECD09
		cmp	dword ptr [ecx+48h], 0
		jz	loc_5ECD09
		xor	edx, edx
		lea	eax, [ecx+44h]
		xchg	edx, [eax]
		test	edx, edx
		jnz	short loc_5257B3
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	edx
		push	[ebp+arg_4]
		mov	edx, ecx
		mov	ecx, ebx
		call	PspExpandQuota
		test	al, al
		jz	loc_5ECD09
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+var_4]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_4]
		jmp	loc_525600
; 

loc_5257B3:				; CODE XREF: ExAllocatePoolWithQuotaTag+291j
		mov	eax, edx
		lea	edi, [ecx+40h]
		lock xadd [edi], eax
		add	eax, edx
		mov	edx, [ebp+var_4]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		jmp	loc_5255F8
; 

loc_5257CF:				; CODE XREF: ExAllocatePoolWithQuotaTag+24Aj
		cmp	esi, eax
		jbe	loc_525740
		jmp	loc_525730
ExAllocatePoolWithQuotaTag endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall SeAuditHeaderRequired(x)
_SeAuditHeaderRequired@4 proc near	; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+32p
		cmp	ecx, ds:_IoFileObjectType
		jz	short loc_5257EB

loc_5257E8:				; CODE XREF: SeAuditHeaderRequired(x)+2Dj
		xor	al, al
		retn
; 

loc_5257EB:				; CODE XREF: SeAuditHeaderRequired(x)+6j
		cmp	byte_6BE6E2, 0
		jnz	short loc_52580F
		cmp	byte_6BE6E3, 0
		jnz	short loc_52580F
		cmp	byte_6BE6FA, 0
		jnz	short loc_52580F
		cmp	byte_6BE6FB, 0
		jz	short loc_5257E8

loc_52580F:				; CODE XREF: SeAuditHeaderRequired(x)+12j
					; SeAuditHeaderRequired(x)+1Bj	...
		mov	al, 1
		retn
_SeAuditHeaderRequired@4 endp

; 
		align 10h
; Exported entry 2077. RtlFindAceByType

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFindAceByType(x,	x, x)
		public _RtlFindAceByType@12
_RtlFindAceByType@12 proc near		; CODE XREF: SepVerifyDesktopAppxPackageName+11Bp
					; SepMandatorySubProcessToken+F0p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		test	eax, eax
		jnz	short loc_525838

loc_52582F:				; CODE XREF: RtlFindAceByType(x,x,x)+23j
					; RtlFindAceByType(x,x,x)+58j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_525838:				; CODE XREF: RtlFindAceByType(x,x,x)+Dj
		movzx	ecx, word ptr [eax+4]
		lea	edx, [eax+8]
		xor	esi, esi
		test	ecx, ecx
		jz	short loc_52582F
		mov	edi, [ebp+arg_8]
		mov	ebx, [ebp+arg_4]
		jmp	short loc_525850
; 
		align 10h

loc_525850:				; CODE XREF: RtlFindAceByType(x,x,x)+2Bj
					; RtlFindAceByType(x,x,x)+5Aj
		test	edi, edi
		jnz	short loc_525864
		movzx	eax, byte ptr [edx]
		cmp	eax, ebx
		jnz	short loc_52586F

loc_52585B:				; CODE XREF: RtlFindAceByType(x,x,x)+5Ej
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_525864:				; CODE XREF: RtlFindAceByType(x,x,x)+32j
		cmp	esi, [edi]
		jb	short loc_52586F
		movzx	eax, byte ptr [edx]
		cmp	eax, ebx
		jz	short loc_52587C

loc_52586F:				; CODE XREF: RtlFindAceByType(x,x,x)+39j
					; RtlFindAceByType(x,x,x)+46j
		movzx	eax, word ptr [edx+2]
		inc	esi
		add	edx, eax
		cmp	esi, ecx
		jnb	short loc_52582F
		jmp	short loc_525850
; 

loc_52587C:				; CODE XREF: RtlFindAceByType(x,x,x)+4Dj
		mov	[edi], esi
		jmp	short loc_52585B
_RtlFindAceByType@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspReturnQuota	proc near		; CODE XREF: PsReturnProcessPagedPoolQuota(x,x)+1Bp
					; PsReturnProcessQuota(x,x,x)+1Ap ...

var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005ECD56 SIZE 00000077 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	[ebp+var_10], edx
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	al, ds:_PspResourceFlags[ecx*8]
		mov	[ebp+var_1], al
		mov	eax, ecx
		shl	eax, 7
		mov	esi, [eax+edx]
		push	edi
		lea	edi, [eax+edx]
		mov	[ebp+var_C], edx
		lea	edx, [edi+40h]
		mov	[ebp+var_18], eax
		mov	eax, [edx]
		cmp	dword ptr [edi+48h], 0
		mov	[ebp+var_8], eax
		jz	short loc_5258E7
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		mov	ecx, [ebp+var_8]
		shl	eax, 2
		mov	[ebp+var_14], eax
		cmp	ecx, esi
		jbe	short loc_5258E7
		mov	eax, dword_6BEE84[eax]
		mov	[ebp+arg_4], eax
		mov	eax, ecx
		sub	eax, esi
		cmp	eax, [ebp+arg_4]
		ja	short loc_52593D

loc_5258E7:				; CODE XREF: PspReturnQuota+3Dj
					; PspReturnQuota+53j ...
		mov	ecx, ebx
		lea	esp, [esp+0]

loc_5258F0:				; CODE XREF: PspReturnQuota+114j
					; PspReturnQuota+C74F5j
		cmp	ecx, esi
		jnb	loc_5ECD4C
		mov	edx, esi
		mov	[ebp+arg_4], ecx
		sub	edx, ecx

loc_5258FF:				; CODE XREF: ExAllocatePoolWithQuotaTag+C7861j
		mov	eax, esi
		lock cmpxchg [edi], edx
		cmp	eax, esi
		jnz	loc_525992
		sub	ecx, [ebp+arg_4]
		jnz	loc_5ECD56
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jnz	short loc_525926

loc_52591D:				; CODE XREF: PspReturnQuota+AAj
					; PspReturnQuota+BBj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_525926:				; CODE XREF: PspReturnQuota+9Bj
		test	[ebp+var_1], 4
		jz	short loc_52591D
		mov	eax, [ebp+arg_0]
		neg	ebx
		add	eax, 42h
		lea	eax, [ecx+eax*4]
		lock xadd [eax], ebx
		jmp	short loc_52591D
; 

loc_52593D:				; CODE XREF: PspReturnQuota+65j
		mov	eax, [ebp+arg_4]
		cmp	eax, ebx
		jbe	short loc_525949
		mov	eax, ebx
		mov	[ebp+arg_4], ebx

loc_525949:				; CODE XREF: PspReturnQuota+C2j
		sub	ecx, eax
		mov	eax, [ebp+var_8]
		lock cmpxchg [edx], ecx
		cmp	eax, [ebp+var_8]
		jnz	short loc_5258E7
		mov	ecx, [ebp+arg_4]
		lea	edx, [edi+44h]
		mov	eax, ecx
		lock xadd [edx], eax
		add	ecx, eax
		mov	eax, [ebp+var_14]
		cmp	ecx, dword_6BEE84[eax]
		jbe	loc_5258E7
		xor	eax, eax
		xchg	eax, [edx]
		test	eax, eax
		jz	loc_5258E7
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		push	0
		push	eax
		call	PspReturnResourceQuota
		jmp	loc_5258E7
; 

loc_525992:				; CODE XREF: PspReturnQuota+87j
		mov	esi, eax
		jmp	loc_5258F0
PspReturnQuota	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExFreeHeapPool	proc near		; CODE XREF: ExFreePoolEx(x,x)+Bp
					; AppModelFreeUnicodeString(x)+13p ...

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_3A		= byte ptr -3Ah
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00526243 SIZE 00000024 BYTES
; FUNCTION CHUNK AT 005ECDCD SIZE 000002E5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+48h+var_18], edi
		cmp	edi, dword_6D07D0
		jb	short loc_5259DA
		mov	eax, edi
		shr	eax, 15h
		movzx	eax, byte ptr dword_6D3994[eax]
		cmp	eax, 1
		jz	loc_526074
		cmp	eax, 0Bh
		jz	loc_526074

loc_5259DA:				; CODE XREF: ExFreeHeapPool+1Aj
		mov	al, 3

loc_5259DC:				; CODE XREF: ExFreeHeapPool+6D6j
		mov	[esp+48h+var_10], 0
		mov	word ptr [esp+48h+var_10+1], 1
		mov	byte ptr [esp+48h+var_10], al
		test	di, di
		jz	loc_5260F0
		xor	ecx, ecx

loc_5259FA:				; CODE XREF: ExFreeHeapPool+779j
		mov	[esp+48h+var_8], 100000h
		mov	[esp+48h+var_4], 100000h
		mov	eax, [esp+ecx*4+48h+var_8]
		dec	eax
		not	eax
		and	eax, edi
		mov	esi, [eax+8]
		xor	esi, eax
		lea	eax, [ecx+2]
		xor	esi, _RtlpHpHeapGlobals
		xor	esi, 0A2E64EADh
		shl	eax, 7
		sub	esi, eax
		mov	[esp+48h+var_24], esi

loc_525A30:				; CODE XREF: ExFreeHeapPool+78Fj
		test	esi, esi
		jz	loc_5ECD8B
		mov	eax, _ExpSpecialAllocations
		test	eax, eax
		jnz	loc_5ECD9C

loc_525A45:				; CODE XREF: PspReturnQuota+C7525j
		test	edi, 0FFFh
		jz	loc_525EE2
		movzx	eax, word ptr [edi-6]
		add	edi, 0FFFFFFF8h
		mov	[esp+48h+var_38], edi
		mov	ecx, eax
		test	eax, 800h
		jnz	loc_525EBF

loc_525A69:				; CODE XREF: ExFreeHeapPool+53Dj
		movzx	edx, cx
		lea	esi, [edi+8]
		mov	ecx, [edi+4]
		mov	eax, edx
		mov	[esp+48h+var_30], eax
		shr	[esp+48h+var_30], 9
		test	byte ptr [esp+48h+var_30], 8
		mov	[esp+48h+var_2C], esi
		mov	esi, [esp+48h+var_24]
		mov	[esp+48h+var_1C], ecx
		jnz	loc_525DFB

loc_525A94:				; CODE XREF: ExFreeHeapPool+461j
					; ExFreeHeapPool+480j ...
		movzx	ecx, word ptr [edi+2]
		lea	edx, [edi+8]
		and	ecx, 1FFh
		shl	ecx, 3
		mov	[esp+48h+var_34], ecx

loc_525AA8:				; CODE XREF: ExFreeHeapPool+89Ej
		mov	eax, ds:_ExpPoolFlags
		test	eax, 207h
		jnz	loc_5ECED7

loc_525AB8:				; CODE XREF: ExFreeHeapPool+C7591j
					; ExFreeHeapPool+C75A8j
		test	byte ptr ds:_ExpPoolFlags, 10h
		jnz	loc_5ECF4D

loc_525AC5:				; CODE XREF: ExFreeHeapPool+C75BEj
		mov	eax, [esp+48h+var_1C]
		mov	[esp+48h+var_28], eax
		cmp	eax, ds:_PoolHitTag
		jz	loc_5ECF63

loc_525AD9:				; CODE XREF: ExFreeHeapPool+C75C4j
		test	ds:byte_70EFC4,	41h
		jnz	loc_5ECF69

loc_525AE6:				; CODE XREF: ExFreeHeapPool+C75DDj
		mov	eax, [esp+48h+var_30]
		and	eax, 20h
		mov	[esp+48h+var_14], eax
		jnz	loc_526064
		movzx	eax, large byte	ptr fs:51h
		mov	edx, _PoolTrackTableMask
		mov	eax, _ExPoolTagTables[eax*4]

loc_525B0C:				; CODE XREF: ExFreeHeapPool+6CFj
		mov	[esp+48h+var_20], eax
		mov	eax, [esp+48h+var_28]
		movzx	ecx, al
		shl	ecx, 2
		movzx	eax, ah
		xor	ecx, eax
		mov	[esp+48h+var_1C], edx
		movzx	eax, byte ptr [esp+48h+var_28+2]
		shl	ecx, 2
		xor	ecx, eax
		movzx	eax, byte ptr [esp+48h+var_28+3]
		shl	ecx, 2
		xor	ecx, eax
		mov	eax, [esp+48h+var_20]
		imul	ecx, 9E5Fh
		sar	ecx, 2
		and	ecx, edx
		mov	[esp+48h+var_10], ecx
		lea	edx, [ecx+ecx*2]
		shl	edx, 4
		add	eax, edx
		mov	[esp+48h+var_2C], eax
		mov	eax, [eax]
		cmp	eax, [esp+48h+var_28]
		jnz	loc_525D50

loc_525B62:				; CODE XREF: ExFreeHeapPool+3DFj
		test	byte ptr [esp+48h+var_30], 1
		jz	loc_525D0C
		mov	ecx, [esp+48h+var_2C]
		add	ecx, 28h
		mov	[esp+48h+var_20], ecx

loc_525B78:				; CODE XREF: ExFreeHeapPool+1FCj
					; ExFreeHeapPool+200j
		mov	eax, [ecx]
		mov	ebx, eax
		mov	esi, [ecx+4]
		add	ebx, 1
		mov	ecx, esi
		mov	[esp+48h+var_10], eax
		adc	ecx, 0
		mov	edx, esi
		nop
		mov	edi, [esp+48h+var_20]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, edi
		cmp	eax, [esp+48h+var_10]
		jnz	short loc_525B78
		cmp	edx, esi
		jnz	short loc_525B78
		mov	eax, 18h

loc_525BA7:				; CODE XREF: ExFreeHeapPool+3A6j
		mov	edx, [esp+48h+var_34]
		mov	ecx, edx
		add	eax, [esp+48h+var_2C]
		neg	ecx
		lock xadd [eax], ecx
		mov	esi, [esp+48h+var_24]
		mov	edi, [esp+48h+var_38]

loc_525BBF:				; CODE XREF: ExFreeHeapPool+7F2j
		mov	eax, [esp+48h+var_30]
		test	al, 40h
		jnz	loc_5ECF82

loc_525BCB:				; CODE XREF: ExFreeHeapPool+C75F2j
		mov	ecx, [esi+1Ch]
		cmp	edx, 201h
		jnb	loc_525DAB

loc_525BDA:				; CODE XREF: ExFreeHeapPool+411j
					; ExFreeHeapPool+419j ...
		mov	edi, [esi+0Ch]
		mov	ecx, [esi+0B0h]
		and	edi, 11000001h
		mov	[esp+48h+var_2C], edi
		test	ecx, ecx
		jz	short loc_525C03
		mov	eax, large fs:124h
		cmp	ecx, [eax+2B0h]
		jz	loc_5ECF97

loc_525C03:				; CODE XREF: ExFreeHeapPool+24Fj
					; ExFreeHeapPool+C75FEj
		test	edi, 1000000h
		jnz	short loc_525C15
		cmp	dword ptr [esi+10h], 0
		jnz	loc_5ECFA3

loc_525C15:				; CODE XREF: ExFreeHeapPool+269j
					; ExFreeHeapPool+8C2j ...
		test	dword ptr [esi+0Ch], 10000000h
		jnz	loc_5ECFEB

loc_525C22:				; CODE XREF: ExFreeHeapPool+C765Aj
		mov	ecx, [esp+48h+var_38]
		mov	eax, [esi+4]
		mov	edx, [esi]
		mov	[esp+48h+var_10], eax
		test	cx, cx
		jz	loc_5260B2
		xor	eax, eax

loc_525C3A:				; CODE XREF: ExFreeHeapPool+737j
		mov	ecx, _RtlpHpHeapGlobals
		lea	edi, [eax+2]
		shl	edi, 7
		add	edi, esi
		mov	[esp+48h+var_1C], ecx
		mov	esi, [edi]
		mov	[esp+48h+var_10], esi
		and	esi, [esp+48h+var_38]
		mov	eax, [esi+8]
		xor	eax, esi
		xor	eax, edi
		xor	eax, ecx
		cmp	eax, 0A2E64EADh
		jnz	loc_525CF2
		movzx	eax, byte ptr [edi+4]
		mov	edx, [esp+48h+var_38]
		mov	ecx, eax
		sub	edx, esi
		mov	[esp+48h+var_18], eax
		shr	edx, cl
		shl	edx, 4
		add	edx, esi
		jz	short loc_525CF2
		mov	al, [edx+0Ch]
		test	al, 1
		jz	short loc_525CF2
		test	al, 2
		jnz	loc_525D84
		movzx	eax, byte ptr [edx+0Fh]
		shl	eax, 4
		sub	edx, eax
		mov	cl, [edx+0Ch]
		mov	al, cl
		and	al, 3
		cmp	al, 3
		jnz	short loc_525CF2
		and	cl, 0Ch
		cmp	cl, 8
		jb	short loc_525CF2

loc_525CAE:				; CODE XREF: ExFreeHeapPool+3E8j
					; ExFreeHeapPool+400j
		mov	eax, [esp+48h+var_10]
		mov	esi, edx
		mov	ecx, [esp+48h+var_18]
		and	eax, edx
		sub	esi, eax
		sar	esi, 4
		shl	esi, cl
		mov	ecx, [esp+48h+var_38]
		add	esi, eax
		cmp	ecx, esi
		jbe	loc_52607B
		mov	al, [edx+0Ch]
		and	al, 0Ch
		cmp	al, 8
		jnz	loc_525F98
		push	[esp+48h+var_2C]
		mov	edx, esi
		push	ecx
		mov	ecx, [edi+14h]
		call	RtlpHpLfhSubsegmentFreeBlock

loc_525CEB:				; CODE XREF: ExFreeHeapPool+36Aj
					; ExFreeHeapPool+6B0j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_525CF2:				; CODE XREF: ExFreeHeapPool+2C4j
					; ExFreeHeapPool+2E1j ...
		mov	ecx, [esp+48h+var_38]

loc_525CF6:				; CODE XREF: ExFreeHeapPool+406j
		mov	edx, [edi+24h]
		push	0
		push	0
		push	0
		push	ecx

loc_525D00:				; CODE XREF: ExFreeHeapPool+C766Cj
		mov	ecx, 9

loc_525D05:				; CODE XREF: ExFreeHeapPool+C76F1j
					; ExFreeHeapPool+C770Dj
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	short loc_525CEB
; 

loc_525D0C:				; CODE XREF: ExFreeHeapPool+1C7j
		mov	eax, [esp+48h+var_2C]
		add	eax, 10h
		mov	[esp+48h+var_20], eax

loc_525D17:				; CODE XREF: ExFreeHeapPool+399j
					; ExFreeHeapPool+39Fj
		mov	edi, [eax]
		mov	ebx, edi
		mov	edx, [eax+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[esp+48h+var_10], edx
		adc	ecx, 0
		mov	eax, edi
		nop
		mov	esi, [esp+48h+var_20]
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		mov	eax, esi
		jnz	short loc_525D17
		cmp	edx, [esp+48h+var_10]
		jnz	short loc_525D17
		mov	eax, 4
		jmp	loc_525BA7
; 
		jmp	short loc_525D50
; 
		align 10h

loc_525D50:				; CODE XREF: ExFreeHeapPool+1BCj
					; ExFreeHeapPool+3ABj ...
		test	eax, eax
		jz	loc_526157

loc_525D58:				; CODE XREF: ExFreeHeapPool+7BCj
					; ExFreeHeapPool+7CCj
		inc	ecx
		and	ecx, [esp+48h+var_1C]
		cmp	ecx, [esp+48h+var_10]
		jz	loc_52617D

loc_525D67:				; CODE XREF: ExFreeHeapPool+7D8j
		mov	eax, [esp+48h+var_20]
		lea	edx, [ecx+ecx*2]
		shl	edx, 4
		add	eax, edx
		mov	[esp+48h+var_2C], eax
		mov	eax, [eax]
		cmp	eax, [esp+48h+var_28]
		jnz	short loc_525D50
		jmp	loc_525B62
; 

loc_525D84:				; CODE XREF: ExFreeHeapPool+2ECj
		and	al, 0Ch
		cmp	al, 8
		jnb	loc_525CAE
		mov	ecx, [esp+48h+var_18]
		mov	eax, 1
		shl	eax, cl
		mov	ecx, [esp+48h+var_38]
		dec	eax
		test	eax, ecx
		jz	loc_525CAE
		jmp	loc_525CF6
; 

loc_525DAB:				; CODE XREF: ExFreeHeapPool+234j
		cmp	edx, 0F80h
		ja	loc_525BDA
		test	ecx, ecx
		jz	loc_525BDA
		lea	eax, [edx+7]
		shr	eax, 3
		movzx	edx, ds:_RtlpLfhBucketIndexMap[eax]
		sub	edx, 30h
		shl	edx, 6
		add	edx, ecx
		mov	[esp+48h+var_10], edx
		mov	ax, [edx+4]
		inc	dword ptr [edx+14h]
		cmp	ax, [edx+8]
		jnb	loc_5260AA
		mov	ecx, [esp+48h+var_10]
		mov	edx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_525DFB:				; CODE XREF: ExFreeHeapPool+EEj
		test	edx, 1000h
		jz	loc_525A94
		and	eax, 1FFh
		mov	[esp+48h+var_20], eax
		mov	eax, [edi+eax*8-4]
		xor	eax, ds:_ExpPoolQuotaCookie
		xor	eax, edi
		mov	[esp+48h+var_34], eax
		jz	loc_525A94
		cmp	eax, ds:_MmSystemRangeStart
		jb	loc_5ECEC5
		mov	al, [eax]
		and	al, 7Fh
		cmp	al, 3
		jnz	loc_5ECEC1
		mov	eax, [esp+48h+var_20]
		shl	eax, 3
		mov	[esp+48h+var_20], eax
		mov	eax, [esp+48h+var_34]
		cmp	eax, ds:_PsInitialSystemProcess
		jz	short loc_525E74
		push	[esp+48h+var_20]
		mov	ecx, [eax+188h]
		shr	edx, 9
		and	edx, 1
		push	edx
		mov	edx, eax
		call	PspReturnQuota
		mov	ecx, [edi+4]
		mov	eax, [esp+48h+var_34]

loc_525E74:				; CODE XREF: ExFreeHeapPool+4B3j
		cmp	ds:_ObpTraceFlags, 0
		lea	edx, [eax-18h]
		mov	[esp+48h+var_20], edx
		jnz	loc_5ECE6C

loc_525E88:				; CODE XREF: ExFreeHeapPool+C74E2j
		or	ecx, 0FFFFFFFFh
		lock xadd [edx], ecx
		dec	ecx
		test	ecx, ecx
		jg	loc_525A94
		mov	esi, [edx+4]
		test	esi, esi
		mov	[esp+48h+var_20], esi
		mov	esi, [esp+48h+var_24]
		jnz	loc_5ECE87
		test	ecx, ecx
		js	loc_5ECEB4
		mov	ecx, edx
		call	ObpDeferObjectDeletion
		jmp	loc_525A94
; 

loc_525EBF:				; CODE XREF: ExFreeHeapPool+C3j
		movzx	eax, word ptr [edi]
		and	eax, 1FFh
		neg	eax
		lea	edi, [edi+eax*8]
		mov	eax, 800h
		or	[edi+2], ax
		movzx	ecx, word ptr [edi+2]
		mov	[esp+48h+var_38], edi
		jmp	loc_525A69
; 

loc_525EE2:				; CODE XREF: ExFreeHeapPool+ABj
		mov	ecx, edi
		call	_MiDeterminePoolType@4 ; MiDeterminePoolType(x)
		mov	[esp+48h+var_34], eax
		cmp	eax, 20h
		jz	loc_5ECDCD

loc_525EF6:				; CODE XREF: ExFreeHeapPool+C7435j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[esp+48h+var_39], al
		jnz	loc_5ECDDA
		mov	edx, _ExpLargePoolTableLock
		mov	esi, offset _ExpLargePoolTableLock
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [esi], ecx
		mov	esi, [esp+48h+var_24]
		cmp	eax, edx
		jnz	loc_526197

loc_525F35:				; CODE XREF: ExFreeHeapPool+805j
					; ExFreeHeapPool+C7446j
		test	byte ptr [esp+48h+var_34], 20h
		jnz	loc_526134
		mov	ecx, _PoolBigPageTable
		mov	[esp+48h+var_2C], ecx
		mov	ecx, _PoolBigPageTableSize
		mov	[esp+48h+var_38], offset _ExpPoolBigEntriesInUse

loc_525F58:				; CODE XREF: ExFreeHeapPool+7B2j
		mov	edx, edi
		mov	[esp+48h+var_30], ecx
		shr	edx, 0Ch

loc_525F61:				; CODE XREF: ExFreeHeapPool+C74A4j
		mov	eax, edx
		mov	[esp+48h+var_20], 1
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, dl
		shl	eax, 2
		xor	ecx, eax
		mov	eax, edx
		shl	ecx, 2
		shr	eax, 10h
		xor	ecx, eax
		imul	eax, ecx, 2797Ch
		mov	ecx, [esp+48h+var_30]
		dec	ecx
		sar	eax, 2
		and	ecx, eax
		jmp	loc_5261C2
; 

loc_525F98:				; CODE XREF: ExFreeHeapPool+336j
		mov	eax, [edi+18h]
		lea	edx, [ecx-8]
		mov	[esp+48h+var_28], eax
		mov	[esp+48h+var_24], edx
		mov	eax, [eax+98h]
		mov	[esp+48h+var_14], eax
		test	al, 1
		jz	short loc_525FC5
		lea	eax, [edx+8]
		test	eax, 0FFFh
		jnz	short loc_525FC5
		sub	edx, 8
		mov	[esp+48h+var_24], edx

loc_525FC5:				; CODE XREF: ExFreeHeapPool+612j
					; ExFreeHeapPool+61Cj
		test	esi, esi
		jz	loc_5ED011
		mov	edx, [esp+48h+var_1C]

loc_525FD1:				; CODE XREF: ExFreeHeapPool+C76D4j
		mov	ax, [esi+16h]
		mov	ecx, 7FFFh
		xor	ax, [esi+14h]
		mov	[esp+48h+var_10], 2BEDh
		xor	ax, word ptr [esp+48h+var_10]
		test	ax, cx
		mov	ecx, [esp+48h+var_38]
		jnz	loc_5ED079
		mov	esi, [esp+48h+var_24]
		mov	eax, [esi]
		xor	eax, esi
		xor	eax, edx
		jge	loc_5ED096
		shr	eax, 1
		xor	ecx, ecx
		and	eax, 7FFFh
		test	byte ptr [esp+48h+var_14], 4
		lea	eax, ds:0FFFFFFF8h[eax*8]
		mov	[esp+48h+var_10], eax
		jz	short loc_526095
		cmp	eax, 1000h
		jnb	short loc_526095
		mov	eax, [esp+48h+var_28]
		cmp	word ptr [eax+44h], 20h
		lea	ecx, [eax+40h]
		jnb	short loc_52608E
		lea	edx, [esi+8]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_526040:				; CODE XREF: ExFreeHeapPool+708j
		mov	ecx, [edi+14h]
		mov	edx, [esp+48h+var_10]
		movzx	eax, word ptr [ecx+20h]
		sub	eax, 8
		cmp	edx, eax
		ja	loc_525CEB
		push	0
		call	_RtlpHpLfhBucketUpdateStats@12 ; RtlpHpLfhBucketUpdateStats(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_526064:				; CODE XREF: ExFreeHeapPool+151j
		mov	eax, _ExpSessionPoolTrackTable
		mov	edx, _ExpSessionPoolTrackTableMask
		jmp	loc_525B0C
; 

loc_526074:				; CODE XREF: ExFreeHeapPool+2Bj
					; ExFreeHeapPool+34j
		mov	al, 5
		jmp	loc_5259DC
; 

loc_52607B:				; CODE XREF: ExFreeHeapPool+329j
		push	[esp+48h+var_2C]
		push	ecx
		mov	ecx, edi
		call	RtlpHpSegPageRangeShrink
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_52608E:				; CODE XREF: ExFreeHeapPool+696j
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	ecx, eax

loc_526095:				; CODE XREF: ExFreeHeapPool+681j
					; ExFreeHeapPool+688j
		mov	edx, [esp+48h+var_2C]
		add	esi, 8
		push	esi
		mov	[esi], ecx
		mov	ecx, [esp+4Ch+var_28]
		call	RtlpHpVsContextFreeList
		jmp	short loc_526040
; 

loc_5260AA:				; CODE XREF: ExFreeHeapPool+443j
		inc	dword ptr [edx+18h]
		jmp	loc_525BDA
; 

loc_5260B2:				; CODE XREF: ExFreeHeapPool+292j
		push	[esp+48h+var_10]
		push	edx
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		mov	edx, ecx
		push	ecx
		sub	edx, [eax+4]
		lea	ecx, [eax+8]
		shr	edx, 14h
		add	edx, edx
		call	RtlCSparseBitmapBitmaskRead
		test	eax, eax
		jz	short loc_5260DD
		dec	eax
		cmp	eax, 2
		jnz	loc_525C3A

loc_5260DD:				; CODE XREF: ExFreeHeapPool+731j
		mov	edx, [esp+48h+var_38]
		mov	ecx, esi
		push	edi
		call	RtlpHpLargeFree
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5260F0:				; CODE XREF: ExFreeHeapPool+52j
		mov	esi, [esp+48h+var_10]
		push	0
		push	esi
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		mov	edx, edi
		push	ecx
		sub	edx, [eax+4]
		lea	ecx, [eax+8]
		shr	edx, 14h
		add	edx, edx
		call	RtlCSparseBitmapBitmaskRead
		test	eax, eax
		jz	short loc_52611F
		lea	ecx, [eax-1]
		cmp	ecx, 2
		jnz	loc_5259FA

loc_52611F:				; CODE XREF: ExFreeHeapPool+771j
		push	0
		push	esi
		mov	ecx, edi
		call	_RtlpHpLargeAllocGetOwner@12 ; RtlpHpLargeAllocGetOwner(x,x,x)
		mov	esi, eax
		mov	[esp+48h+var_24], eax
		jmp	loc_525A30
; 

loc_526134:				; CODE XREF: ExFreeHeapPool+59Aj
		mov	eax, dword_6D05D4
		mov	ecx, [eax+242Ch]
		mov	[esp+48h+var_2C], ecx
		mov	ecx, [eax+2430h]
		add	eax, 23E4h
		mov	[esp+48h+var_38], eax
		jmp	loc_525F58
; 

loc_526157:				; CODE XREF: ExFreeHeapPool+3B2j
		cmp	[esp+48h+var_14], 0
		jnz	loc_525D58
		mov	eax, _PoolTrackTable
		mov	eax, [edx+eax]
		test	eax, eax
		jz	loc_525D58
		mov	edx, [esp+48h+var_2C]
		mov	[edx], eax
		jmp	loc_525D67
; 

loc_52617D:				; CODE XREF: ExFreeHeapPool+3C1j
		push	[esp+48h+var_30]
		mov	edx, [esp+4Ch+var_34]
		mov	ecx, [esp+4Ch+var_28]
		call	ExpRemovePoolTrackerExpansion
		mov	edx, [esp+48h+var_34]
		jmp	loc_525BBF
; 

loc_526197:				; CODE XREF: ExFreeHeapPool+58Fj
		mov	dl, [esp+48h+var_39]
		mov	ecx, offset _ExpLargePoolTableLock
		call	ExpWaitForSpinLockSharedAndAcquire
		jmp	loc_525F35
; 

loc_5261AA:				; CODE XREF: ExFreeHeapPool+82Fj
		inc	ecx
		cmp	ecx, [esp+48h+var_30]
		jb	short loc_5261C2
		cmp	[esp+48h+var_20], 0
		jz	loc_5ECDEB
		xor	ecx, ecx
		mov	[esp+48h+var_20], ecx

loc_5261C2:				; CODE XREF: ExFreeHeapPool+5F3j
					; ExFreeHeapPool+80Fj
		mov	eax, ecx
		shl	eax, 4
		add	eax, [esp+48h+var_2C]
		mov	eax, [eax]
		cmp	eax, edi
		jnz	short loc_5261AA
		mov	eax, [esp+48h+var_2C]
		shl	ecx, 4
		add	ecx, eax
		jz	loc_5ECDEF
		mov	eax, [ecx+4]
		mov	edx, [ecx+0Ch]
		mov	[esp+48h+var_1C], eax
		mov	eax, [ecx+8]
		shr	eax, 8
		and	eax, 0FFFh
		mov	[esp+48h+var_34], edx
		mov	[esp+48h+var_30], eax
		mov	eax, [esp+48h+var_38]
		lock dec dword ptr [eax]
		lock inc dword ptr [ecx]
		test	ds:byte_70EFC6,	1
		jnz	loc_5ECE5A
		mov	ecx, 0BFFFFFFFh
		mov	eax, offset _ExpLargePoolTableLock
		lock and [eax],	ecx
		lock dec dword ptr [eax]

loc_526224:				; CODE XREF: ExFreeHeapPool+C74C7j
		mov	cl, [esp+48h+var_39]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+48h+var_18]
		mov	ecx, [esp+48h+var_34]
		mov	[esp+48h+var_38], edi
		mov	[esp+48h+var_2C], edx
		jmp	loc_525AA8
ExFreeHeapPool	endp

; 
; START	OF FUNCTION CHUNK FOR ExFreeHeapPool

loc_526243:				; CODE XREF: ExFreeHeapPool+C7646j
		movzx	eax, ax
		mov	ecx, ds:_RtlpInterceptorRoutines[eax*4]
		lea	eax, [edx+8]
		push	eax
		push	3
		push	[esp+50h+var_38]
		push	esi
		call	ecx
		test	eax, eax
		js	loc_525CEB
		jmp	loc_525C15
; END OF FUNCTION CHUNK	FOR ExFreeHeapPool
; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCheckDeviceAndDriver	proc near	; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+204p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005ED0B2 SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_4], ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edx, large fs:20h
		mov	bl, al
		mov	edi, [edx+46Ch]
		test	ds:byte_70EFC6,	21h
		lea	ecx, [edx+468h]
		jnz	loc_5ED0B2
		mov	edx, ecx
		xchg	edx, [edi]
		test	edx, edx
		jnz	short loc_52631D

loc_5262AE:				; CODE XREF: IopCheckDeviceAndDriver+B2j
					; IopCheckDeviceAndDriver+C6E49j
		mov	eax, [esi+0B0h]
		test	byte ptr [eax+10h], 1Fh
		jnz	loc_526349
		mov	eax, [esi+1Ch]
		test	al, al
		js	loc_526349
		test	al, 8
		jnz	short loc_52633E

loc_5262CD:				; CODE XREF: IopCheckDeviceAndDriver+D2j
					; IopCheckDeviceAndDriver+C6E55j ...
		mov	eax, [esi+4]
		inc	eax
		mov	[esi+4], eax
		test	eax, eax
		jle	loc_5ED0E2
		xor	edi, edi

loc_5262DE:				; CODE XREF: IopCheckDeviceAndDriver+DEj
					; IopCheckDeviceAndDriver+C6E6Dj
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jnz	loc_5ED112
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_52632B
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_526324

loc_52630C:				; CODE XREF: IopCheckDeviceAndDriver+CCj
					; IopCheckDeviceAndDriver+C6EACj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_52631D:				; CODE XREF: IopCheckDeviceAndDriver+3Cj
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_5262AE
; 

loc_526324:				; CODE XREF: IopCheckDeviceAndDriver+9Aj
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_52632B:				; CODE XREF: IopCheckDeviceAndDriver+8Bj
		mov	dword ptr [esi], 0
		lea	ecx, [eax+4]
		mov	edx, 1
		lock xor [ecx],	edx
		jmp	short loc_52630C
; 

loc_52633E:				; CODE XREF: IopCheckDeviceAndDriver+5Bj
		cmp	dword ptr [esi+4], 0
		jz	short loc_5262CD
		jmp	loc_5ED0BE
; 

loc_526349:				; CODE XREF: IopCheckDeviceAndDriver+48j
					; IopCheckDeviceAndDriver+53j
		mov	edi, 0C000000Eh
		jmp	short loc_5262DE
IopCheckDeviceAndDriver	endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2005. RtlCopyUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCopyUnicodeString(x, x)
		public _RtlCopyUnicodeString@8
_RtlCopyUnicodeString@8	proc near	; CODE XREF: AuthzBasepAllocateSecurityAttribute(x)+3Bp
					; AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+107p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_5263B5
		mov	ecx, [eax+4]
		movzx	eax, word ptr [eax]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, eax
		movzx	edx, word ptr [edi+2]
		mov	ebx, [edi+4]
		cmp	ax, dx
		ja	short loc_5263B1

loc_526386:				; CODE XREF: RtlCopyUnicodeString(x,x)+53j
		push	esi		; size_t
		push	ecx		; void *
		push	ebx		; void *
		mov	[edi], si
		call	_memcpy
		movzx	ecx, word ptr [edi]
		add	esp, 0Ch
		movzx	eax, word ptr [edi+2]
		add	ecx, 2
		cmp	ecx, eax
		ja	short loc_5263AA
		shr	esi, 1
		xor	eax, eax
		mov	[ebx+esi*2], ax

loc_5263AA:				; CODE XREF: RtlCopyUnicodeString(x,x)+40j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_5263B1:				; CODE XREF: RtlCopyUnicodeString(x,x)+24j
		mov	esi, edx
		jmp	short loc_526386
; 

loc_5263B5:				; CODE XREF: RtlCopyUnicodeString(x,x)+Aj
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	[eax], cx
		pop	ebp
		retn	8
_RtlCopyUnicodeString@8	endp

; 
		align 10h
; Exported entry 832. IoFreeIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoFreeIrp(x)
		public _IoFreeIrp@4
_IoFreeIrp@4	proc near		; CODE XREF: IopFreeIrpAndMdls(x)+1Dp
					; IopDropIrp+70p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, ds:_IopDispatchFreeIrp
		mov	ecx, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_5263EF
		call	IopFreeIrp

loc_5263E9:				; CODE XREF: IoFreeIrp(x)+24j
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_5263EF:				; CODE XREF: IoFreeIrp(x)+12j
		call	_IovFreeIrpPrivate@4 ; IovFreeIrpPrivate(x)
		jmp	short loc_5263E9
_IoFreeIrp@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopFreeIrp	proc near		; CODE XREF: .text:005248EAp
					; IoFreeIrp(x)+14p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A8765 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	word ptr [esi],	6
		jnz	loc_5A8765
		mov	cl, [esi+27h]
		xor	eax, eax
		mov	[esi], ax
		test	cl, 40h
		jnz	loc_52656C

loc_526426:				; CODE XREF: IopFreeIrp+17Bj
		mov	al, cl
		and	al, 21h
		cmp	al, 21h
		jz	loc_5A8776
		mov	eax, large fs:20h
		mov	[ebp+var_4], eax
		test	cl, 8
		jnz	loc_5A8782

loc_526444:				; CODE XREF: IopFreeIrp+82392j
		test	cl, 4
		jz	loc_526545
		test	byte ptr _IopIrpStackProfilerFlags, 3
		mov	dl, byte ptr _IopLargeIrpStackLocations
		mov	dh, byte ptr _IopMediumIrpStackLocations
		jz	short loc_526481
		movzx	edi, word ptr [esi+2]
		movsx	ax, dl
		mov	cx, ax
		shl	ax, 3
		add	cx, ax
		shl	cx, 2
		add	cx, 70h
		cmp	di, cx
		jnz	short loc_5264E1

loc_526481:				; CODE XREF: IopFreeIrp+60j
					; IopFreeIrp+FAj ...
		movzx	ebx, word ptr [esi+2]
		movsx	ax, dl
		mov	cx, ax
		shl	ax, 3
		add	cx, ax
		shl	cx, 2
		add	cx, 70h
		cmp	bx, cx
		jb	short loc_52650C
		mov	ecx, 10h
		mov	edi, 5B0h

loc_5264AA:				; CODE XREF: IopFreeIrp+12Ej
					; IopFreeIrp+13Dj
		mov	edx, [ebp+var_4]
		mov	eax, ebx
		mov	[esi+1Ch], eax
		mov	edi, [edi+edx]
		mov	ax, [edi+4]
		inc	dword ptr [edi+14h]
		cmp	ax, [edi+8]
		jnb	loc_52654F

loc_5264C6:				; CODE XREF: IopFreeIrp+164j
		mov	al, [esi+27h]
		test	al, 1
		jnz	loc_526580

loc_5264D1:				; CODE XREF: IopFreeIrp+18Cj
		mov	edx, esi
		mov	ecx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_5264DA:				; CODE XREF: IopFreeIrp+14Dj
					; IopFreeIrp+8237Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5264E1:				; CODE XREF: IopFreeIrp+7Fj
		movsx	ax, dh
		mov	cx, ax
		shl	ax, 3
		add	cx, ax
		shl	cx, 2
		add	cx, 70h
		cmp	di, cx
		jz	short loc_526481
		mov	eax, 94h
		cmp	di, ax
		jz	loc_526481
		jmp	short loc_526545
; 

loc_52650C:				; CODE XREF: IopFreeIrp+9Ej
		movsx	ax, dh
		mov	cx, ax
		shl	ax, 3
		add	cx, ax
		shl	cx, 2
		add	cx, 70h
		cmp	bx, cx
		jnb	short loc_526533
		xor	ecx, ecx
		mov	edi, 5A0h
		jmp	loc_5264AA
; 

loc_526533:				; CODE XREF: IopFreeIrp+125j
		mov	ecx, 8
		mov	edi, 5A8h
		jmp	loc_5264AA
; 

loc_526542:				; CODE XREF: IopFreeIrp+16Aj
		inc	dword ptr [edi+18h]

loc_526545:				; CODE XREF: IopFreeIrp+47j
					; IopFreeIrp+10Aj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_5264DA
; 

loc_52654F:				; CODE XREF: IopFreeIrp+C0j
		inc	dword ptr [edi+18h]
		mov	edi, [ecx+edx+5A4h]
		mov	ax, [edi+4]
		inc	dword ptr [edi+14h]
		cmp	ax, [edi+8]
		jb	loc_5264C6
		jmp	short loc_526542
; 

loc_52656C:				; CODE XREF: IopFreeIrp+20j
		push	1
		or	edx, 0FFFFFFFFh
		mov	ecx, esi
		call	_IopFreeIrpExtension@12	; IopFreeIrpExtension(x,x,x)
		mov	cl, [esi+27h]
		jmp	loc_526426
; 

loc_526580:				; CODE XREF: IopFreeIrp+CBj
		xor	al, 1
		mov	ecx, esi
		mov	[esi+27h], al
		call	ExReturnPoolQuota
		jmp	loc_5264D1
IopFreeIrp	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAllocateIrpMustSucceed proc near	; CODE XREF: PAGE:0081CA2Ap
					; IopCloseFile(x,x,x,x)+1A9p ...

; FUNCTION CHUNK AT 005ED121 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+4]
		push	ebx
		push	esi
		push	eax
		push	0
		mov	bl, dl
		mov	esi, ecx
		call	IopAllocateIrpExReturn
		test	eax, eax
		jz	loc_5ED121

loc_5265BE:				; CODE XREF: IopAllocateIrpMustSucceed+C6B8Cj
					; IopAllocateIrpMustSucceed+C6BA5j
		or	byte ptr [eax+27h], 20h
		pop	esi
		pop	ebx
		pop	ebp
		retn
IopAllocateIrpMustSucceed endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAllocateIrpExReturn proc near	; CODE XREF: IoPageReadEx+86p
					; IoAsynchronousPageWrite+32p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005ED14A SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_IopDispatchAllocateIrp
		test	eax, eax
		jnz	loc_5ED14A
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	IopAllocateIrpPrivate

loc_5265EF:				; CODE XREF: IopAllocateIrpExReturn+C6B92j
		pop	ebp
		retn	8
IopAllocateIrpExReturn endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAllocateIrpPrivate proc near		; CODE XREF: IoAllocateIrp+1Cp
					; IopAllocateIrpWithExtension(x,x,x,x)+16p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005ED167 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_1], 0
		push	ebx
		push	esi
		push	edi
		test	eax, eax
		jz	loc_526806
		cmp	eax, 0FFFFFFFFh
		jz	short loc_52662C
		test	dword ptr [eax+1Ch], 8000000h
		jz	loc_526806

loc_52662C:				; CODE XREF: IopAllocateIrpPrivate+1Dj
		mov	bl, byte ptr [ebp+arg_4]
		add	bl, 2
		mov	[ebp+var_1], 1

loc_526636:				; CODE XREF: IopAllocateIrpPrivate+209j
		mov	edi, large fs:20h
		mov	eax, _IopIrpStackProfilerFlags
		test	al, 3
		setnz	cl
		test	al, 4
		setnz	al
		test	cl, al
		jz	short loc_526685
		cmp	bl, 14h
		jge	short loc_526685
		movsx	ecx, bl
		inc	dword ptr [edi+ecx*4+4608h]
		inc	dword ptr [edi+4658h]
		mov	eax, [edi+ecx*4+4608h]
		sub	eax, [edi+ecx*4+465Ch]
		mov	edx, [edi+4658h]
		cmp	eax, _IopIrpStackProfilerMinSizeThreshold
		ja	loc_52680E

loc_526685:				; CODE XREF: IopAllocateIrpPrivate+4Ej
					; IopAllocateIrpPrivate+53j ...
		mov	dl, byte ptr _IopLargeIrpStackLocations
		xor	esi, esi
		mov	cl, byte ptr _IopMediumIrpStackLocations
		mov	bh, [ebp+arg_8]
		movsx	eax, bl
		mov	[ebp+var_10], eax
		mov	byte ptr [ebp+arg_0+3],	0
		lea	eax, [eax+eax*8]
		lea	eax, ds:70h[eax*4]
		movzx	eax, ax
		mov	[ebp+var_C], eax
		movzx	eax, ax
		mov	[ebp+var_8], eax
		cmp	bl, dl
		jg	loc_526755
		test	bh, bh
		jnz	loc_52687E

loc_5266C6:				; CODE XREF: IopAllocateIrpPrivate+284j
		mov	byte ptr [ebp+arg_0+3],	4
		cmp	bl, 1
		jz	loc_5268A1
		cmp	bl, cl
		jle	loc_526851
		movsx	ax, dl
		mov	dword ptr [ebp+arg_8], 10h
		mov	cx, ax
		shl	ax, 3
		add	cx, ax
		shl	cx, 2
		add	cx, 70h
		movzx	eax, cx
		mov	[ebp+var_8], eax
		mov	eax, 5B0h

loc_526703:				; CODE XREF: IopAllocateIrpPrivate+279j
					; IopAllocateIrpPrivate+2A9j
		mov	eax, [eax+edi]
		mov	ecx, eax
		mov	[ebp+arg_4], eax
		inc	dword ptr [eax+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5268EA
		mov	edx, [ebp+arg_4]

loc_526720:				; CODE XREF: IopAllocateIrpPrivate+30Ej
					; IopAllocateIrpPrivate+317j
		test	byte ptr _IopIrpStackProfilerFlags, 3
		jz	loc_526932
		test	esi, esi
		jz	loc_526932
		mov	ecx, [esi+1Ch]
		movzx	eax, cx
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_C]
		movzx	eax, ax
		cmp	ecx, eax
		jb	loc_5268AE
		mov	eax, [ebp+arg_4]
		movzx	eax, ax
		mov	[ebp+var_8], eax

loc_526755:				; CODE XREF: IopAllocateIrpPrivate+B8j
					; IopAllocateIrpPrivate+28Aj ...
		xor	cl, cl
		mov	byte ptr [ebp+arg_4+3],	cl
		test	esi, esi
		jz	loc_5268BC
		test	bh, bh
		jnz	loc_52688F

loc_52676A:				; CODE XREF: IopAllocateIrpPrivate+296j
					; IopAllocateIrpPrivate+C6B79j
		xor	bh, bh

loc_52676C:				; CODE XREF: IopAllocateIrpPrivate+2E5j
		movzx	eax, ax
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, 6
		mov	[esi+22h], bl
		mov	[esi], ax
		inc	bl
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	[esi+2], ax
		mov	eax, large fs:124h
		mov	[esi+23h], bl
		movzx	eax, byte ptr [eax+16Ah]
		mov	[esi+26h], al
		lea	eax, [esi+10h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+var_10]
		lea	ecx, ds:1Ch[eax*8]
		add	ecx, eax
		mov	al, byte ptr [ebp+arg_4+3]
		or	al, byte ptr [ebp+arg_0+3]
		mov	[esi+27h], al
		lea	ecx, [esi+ecx*4]
		mov	[esi+60h], ecx
		test	bh, bh
		jnz	loc_526928

loc_5267CD:				; CODE XREF: IopAllocateIrpPrivate+32Dj
		cmp	[ebp+var_1], 0
		jz	short loc_5267FB
		add	byte ptr [esi+23h], 0FEh
		lea	eax, [ecx-48h]
		add	byte ptr [esi+22h], 0FEh
		test	byte ptr _IopFunctionPointerMask, 4
		mov	[esi+60h], eax
		mov	[esi+68h], eax
		jnz	loc_5ED17E

loc_5267F1:				; CODE XREF: IopAllocateIrpPrivate+C6B85j
		xor	al, al

loc_5267F3:				; CODE XREF: IopAllocateIrpPrivate+C6B8Dj
		test	al, al
		jnz	loc_5ED192

loc_5267FB:				; CODE XREF: IopAllocateIrpPrivate+1D1j
					; IopAllocateIrpPrivate+C6B99j
		mov	eax, esi

loc_5267FD:				; CODE XREF: IopAllocateIrpPrivate+C6B69j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_526806:				; CODE XREF: IopAllocateIrpPrivate+14j
					; IopAllocateIrpPrivate+26j
		mov	bl, byte ptr [ebp+arg_4]
		jmp	loc_526636
; 

loc_52680E:				; CODE XREF: IopAllocateIrpPrivate+7Fj
		sub	edx, [edi+46ACh]
		cmp	edx, _IopIrpStackProfilerSampleSize
		jbe	loc_526685
		mov	esi, 0FFFFFFFBh
		mov	edx, offset _IopIrpStackProfilerFlags
		mov	eax, [edx]

loc_52682C:				; CODE XREF: IopAllocateIrpPrivate+234j
		mov	ecx, eax
		and	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_52682C
		test	al, 4
		jz	loc_526685
		push	0
		push	0
		push	offset _IopIrpStackProfilerDpc
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		jmp	loc_526685
; 

loc_526851:				; CODE XREF: IopAllocateIrpPrivate+D5j
		movsx	ax, cl
		mov	dword ptr [ebp+arg_8], 8
		mov	cx, ax
		shl	ax, 3
		add	cx, ax
		shl	cx, 2
		add	cx, 70h
		movzx	eax, cx
		mov	[ebp+var_8], eax
		mov	eax, 5A8h
		jmp	loc_526703
; 

loc_52687E:				; CODE XREF: IopAllocateIrpPrivate+C0j
		cmp	[edi+3CE4h], esi
		jg	loc_5266C6
		jmp	loc_526755
; 

loc_52688F:				; CODE XREF: IopAllocateIrpPrivate+164j
		cmp	_IopIrpCreditsEnabled, 1
		jle	loc_52676A
		jmp	loc_5ED16E
; 

loc_5268A1:				; CODE XREF: IopAllocateIrpPrivate+CDj
		mov	dword ptr [ebp+arg_8], esi
		mov	eax, 5A0h
		jmp	loc_526703
; 

loc_5268AE:				; CODE XREF: IopAllocateIrpPrivate+146j
		inc	dword ptr [edx+14h]
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_8]

loc_5268BC:				; CODE XREF: IopAllocateIrpPrivate+15Cj
		movzx	eax, ax
		push	20707249h
		push	eax
		test	bh, bh
		jnz	short loc_52691C
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_5268D3:				; CODE XREF: IopAllocateIrpPrivate+326j
		mov	esi, eax
		test	esi, esi
		jz	loc_5ED167
		mov	eax, [ebp+var_8]
		xor	cl, cl
		mov	byte ptr [ebp+arg_4+3],	cl
		jmp	loc_52676C
; 

loc_5268EA:				; CODE XREF: IopAllocateIrpPrivate+117j
		mov	eax, [ebp+arg_4]
		mov	ecx, dword ptr [ebp+arg_8]
		inc	dword ptr [eax+10h]
		mov	eax, [ecx+edi+5A4h]
		mov	ecx, eax
		mov	[ebp+arg_4], eax
		inc	dword ptr [eax+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edx, [ebp+arg_4]
		mov	esi, eax
		test	esi, esi
		jnz	loc_526720
		inc	dword ptr [edx+10h]
		jmp	loc_526720
; 

loc_52691C:				; CODE XREF: IopAllocateIrpPrivate+2C7j
		push	208h
		call	ExAllocatePoolWithQuotaTag
		jmp	short loc_5268D3
; 

loc_526928:				; CODE XREF: IopAllocateIrpPrivate+1C7j
		or	al, 1
		mov	[esi+27h], al
		jmp	loc_5267CD
; 

loc_526932:				; CODE XREF: IopAllocateIrpPrivate+127j
					; IopAllocateIrpPrivate+12Fj
		mov	eax, [ebp+var_8]
		jmp	loc_526755
IopAllocateIrpPrivate endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopDequeueIrpFromThread	proc near	; CODE XREF: .text:00522C55p
					; .text:005248BBp ...

; FUNCTION CHUNK AT 005ED19E SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	bl, bl
		mov	esi, [edi+50h]
		test	esi, esi
		jz	short loc_526971
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		lea	ecx, [esi+350h]
		mov	bl, al
		jnz	short loc_5269BA
		lock bts dword ptr [ecx], 0
		jb	short loc_5269C1

loc_526971:				; CODE XREF: IopDequeueIrpFromThread+11j
					; IopDequeueIrpFromThread+7Fj ...
		mov	edx, [edi+10h]
		lea	eax, [edi+10h]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_5269C8
		cmp	[ecx], eax
		jnz	short loc_5269C8
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		test	esi, esi
		jz	short loc_5269B5
		add	esi, 350h
		test	ds:byte_70EFC6,	1
		jnz	loc_5ED19E
		xor	eax, eax
		lock and [esi],	eax

loc_5269A9:				; CODE XREF: IopDequeueIrpFromThread+C6868j
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_5269B5:				; CODE XREF: IopDequeueIrpFromThread+4Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_5269BA:				; CODE XREF: IopDequeueIrpFromThread+28j
		call	@KiAcquireSpinLockInstrumented@4 ; KiAcquireSpinLockInstrumented(x)
		jmp	short loc_526971
; 

loc_5269C1:				; CODE XREF: IopDequeueIrpFromThread+2Fj
		call	KxWaitForSpinLockAndAcquire
		jmp	short loc_526971
; 

loc_5269C8:				; CODE XREF: IopDequeueIrpFromThread+3Dj
					; IopDequeueIrpFromThread+41j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
IopDequeueIrpFromThread	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoCallDriverWithTracing	proc near	; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+D75p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005ED1AD SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	byte ptr [edx+27h], 0
		push	esi
		push	edi
		jl	short loc_5269FA
		mov	esi, [edx+68h]
		test	esi, esi
		jz	short loc_5269FA
		test	byte ptr [esi],	2
		jnz	loc_5ED1AD

loc_5269FA:				; CODE XREF: IoCallDriverWithTracing+18j
					; IoCallDriverWithTracing+1Fj
		call	IofCallDriver

loc_5269FF:				; CODE XREF: IoCallDriverWithTracing+C681Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
IoCallDriverWithTracing	endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 120. IofCallDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IofCallDriver
IofCallDriver	proc near		; CODE XREF: CcSetValidData+99p
					; IoPageReadEx+180p ...

; FUNCTION CHUNK AT 005ED1F1 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, ds:_IopDispatchCallDriver
		push	ebx
		push	esi
		mov	esi, ecx
		test	eax, eax
		jnz	loc_5ED1FF
		dec	byte ptr [edx+23h]
		mov	al, [edx+23h]
		test	al, al
		jle	loc_5ED1F1
		mov	eax, [edx+60h]
		sub	eax, 24h
		mov	[edx+60h], eax
		mov	bl, [eax]
		mov	[eax+14h], esi
		cmp	bl, 16h
		jz	short loc_526A6E

loc_526A5A:				; CODE XREF: IofCallDriver+66j
		mov	ecx, [esi+8]
		movzx	eax, bl
		push	edx
		push	esi
		mov	eax, [ecx+eax*4+38h]
		call	eax

loc_526A68:				; CODE XREF: IofCallDriver+C67E9j
					; IofCallDriver+C67F7j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_526A6E:				; CODE XREF: IofCallDriver+38j
		mov	al, [eax+1]
		cmp	al, 2
		jnz	short loc_526A82

loc_526A75:				; CODE XREF: IofCallDriver+64j
		mov	ecx, edx
		call	@IopPoHandleIrp@4 ; IopPoHandleIrp(x)
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_526A82:				; CODE XREF: IofCallDriver+53j
		cmp	al, 3
		jz	short loc_526A75
		jmp	short loc_526A5A
IofCallDriver	endp

; 
		align 10h

IopQueueThreadIrp:			; CODE XREF: IoPageReadEx+16Cp
					; IoAsynchronousPageWrite+C7p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+50h]
		push	ebx
		push	esi
		push	edi
		lea	esi, [eax+2CCh]
		lea	edi, [ecx+10h]
		lea	ebx, [eax+350h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[ebp-1], al
		jnz	short loc_526AF7
		lock bts dword ptr [ebx], 0
		jb	short loc_526B00

loc_526AC4:				; CODE XREF: .text:00526AFEj
					; .text:00526B07j
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_526B09
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[eax+4], edi
		mov	[esi], edi
		test	ds:byte_70EFC6,	1
		jnz	loc_5ED21C
		xor	eax, eax
		lock and [ebx],	eax

loc_526AE7:				; CODE XREF: .text:005ED226j
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_526AF7:				; CODE XREF: .text:00526ABBj
		mov	ecx, ebx
		call	@KiAcquireSpinLockInstrumented@4 ; KiAcquireSpinLockInstrumented(x)
		jmp	short loc_526AC4
; 

loc_526B00:				; CODE XREF: .text:00526AC2j
		mov	ecx, ebx
		call	KxWaitForSpinLockAndAcquire
		jmp	short loc_526AC4
; 

loc_526B09:				; CODE XREF: .text:00526AC9j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1171. KeInitializeEvent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeEvent(x, x, x)
		public _KeInitializeEvent@12
_KeInitializeEvent@12 proc near		; CODE XREF: CcSetValidData+2Fp
					; ExTimedWaitForUnblockPushLock+18p ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	al, [ebp+arg_4]
		mov	[ecx], al
		movzx	eax, [ebp+arg_8]
		mov	[ecx+4], eax
		lea	eax, [ecx+8]
		mov	word ptr [ecx+1], 400h
		mov	[eax+4], eax
		mov	[eax], eax
		pop	ebp
		retn	0Ch
_KeInitializeEvent@12 endp

; 
		align 10h

AuthzBasepDuplicateSecurityAttributes:	; CODE XREF: SepGetAnonymousToken(x,x)+DEp
					; SepInternalQuerySecurityAttributesTokenEx+D0BC9p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		lea	eax, [ecx+4]
		mov	dword ptr [ebp-0Ch], 0
		push	esi
		push	edi
		mov	edi, [eax]
		mov	ebx, edx
		mov	[ebp-10h], ebx
		mov	[ebp-8], eax
		cmp	edi, eax
		jz	loc_526D2B
		mov	al, [ebp+8]
		mov	ecx, [ebp-8]
		lea	ecx, [ecx+0]

loc_526B80:				; CODE XREF: .text:00526D22j
		test	al, al
		jnz	loc_526EEB

loc_526B88:				; CODE XREF: .text:00526EF5j
		movzx	esi, word ptr [edi+10h]
		mov	ebx, 1
		add	esi, 40h
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_5ED22B

loc_526BA2:				; CODE XREF: .text:005ED230j
		push	74416553h
		push	esi
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_526F14
		push	40h
		push	0
		push	esi
		call	_memset
		mov	ax, [edi+10h]
		add	esp, 0Ch
		mov	[esi+12h], ax
		lea	eax, [esi+40h]
		mov	[esi+14h], eax
		movzx	ecx, word ptr [esi+12h]
		mov	edx, [edi+14h]
		mov	[ebp-14h], eax
		movzx	eax, word ptr [edi+10h]
		mov	[ebp-18h], ecx
		cmp	ax, cx
		mov	ecx, [ebp-14h]
		mov	ebx, eax
		ja	loc_5ED235

loc_526BF2:				; CODE XREF: .text:005ED23Bj
		push	ebx
		push	edx
		push	ecx
		mov	[esi+10h], bx
		call	_memcpy
		movzx	ecx, word ptr [esi+10h]
		add	esp, 0Ch
		movzx	eax, word ptr [esi+12h]
		add	ecx, 2
		cmp	ecx, eax
		jbe	loc_5ED240

loc_526C14:				; CODE XREF: .text:005ED24Bj
		lea	eax, [esi+2Ch]
		lea	ebx, [esi+38h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		cmp	byte ptr [ebp+8], 0
		mov	eax, [edi+1Ch]
		mov	[esi+1Ch], eax
		jnz	loc_526EFA

loc_526C34:				; CODE XREF: .text:00526EFEj
					; .text:00526F0Fj
		test	byte ptr [esi+20h], 2
		mov	ax, [edi+18h]
		mov	[esi+18h], ax
		jnz	short loc_526C6D
		mov	eax, [ebp-10h]
		lea	ecx, [esi+8]
		mov	ebx, [eax+14h]
		lea	edx, [eax+10h]
		mov	[ebp-18h], ebx
		cmp	[ebx], edx
		jnz	loc_526F25
		mov	[ecx+4], ebx
		mov	[ecx], edx
		mov	[ebx], ecx
		lea	ebx, [esi+38h]
		mov	[edx+4], ecx
		or	dword ptr [esi+20h], 2
		inc	dword ptr [eax+0Ch]

loc_526C6D:				; CODE XREF: .text:00526C40j
		movzx	eax, word ptr [edi+18h]
		cmp	eax, 2
		jnz	loc_526E4D

loc_526C7A:				; CODE XREF: .text:00526E5Ej
					; DATA XREF: .text:off_526F2Co
		mov	ebx, [edi+2Ch]
		lea	eax, [edi+2Ch]
		cmp	ebx, eax
		jz	loc_526D18

loc_526C88:				; CODE XREF: .text:00526D12j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_5ED314
		mov	eax, 1

loc_526C9B:				; CODE XREF: .text:005ED319j
		push	74416553h
		push	28h
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_526F14
		xor	eax, eax
		mov	[ecx], eax
		mov	[ecx+4], eax
		mov	[ecx+8], eax
		mov	[ecx+0Ch], eax
		mov	[ecx+10h], eax
		mov	[ecx+14h], eax
		mov	[ecx+18h], eax
		mov	[ecx+1Ch], eax
		mov	[ecx+20h], eax
		mov	[ecx+24h], eax
		test	byte ptr [ecx+10h], 2
		mov	eax, [ebx+18h]
		mov	[ecx+18h], eax
		mov	eax, [ebx+1Ch]
		mov	[ecx+1Ch], eax
		jnz	short loc_526D0B
		mov	edx, [esi+3Ch]
		lea	eax, [esi+38h]
		mov	[ebp-1Ch], edx
		cmp	[edx], eax
		lea	edx, [ecx+8]
		jnz	loc_526F25
		mov	[edx], eax
		mov	eax, [ebp-1Ch]
		mov	[edx+4], eax
		mov	[eax], edx
		mov	[esi+3Ch], edx
		or	dword ptr [ecx+10h], 2
		inc	dword ptr [esi+34h]

loc_526D0B:				; CODE XREF: .text:00526CE1j
		mov	ebx, [ebx]
		lea	eax, [edi+2Ch]
		cmp	ebx, eax
		jnz	loc_526C88

loc_526D18:				; CODE XREF: .text:00526C82j
					; .text:00526E70j ...
		mov	ecx, [ebp-8]
		mov	al, [ebp+8]

loc_526D1E:				; CODE XREF: .text:00526EEFj
		mov	edi, [edi]
		cmp	edi, ecx
		jnz	loc_526B80
		mov	ebx, [ebp-10h]

loc_526D2B:				; CODE XREF: .text:00526B71j
		mov	dl, 1

loc_526D2D:				; CODE XREF: .text:00526F20j
		mov	[ebp+0Bh], dl

loc_526D30:				; CODE XREF: .text:005ED3A7j
		lea	ecx, [ebx+10h]

loc_526D33:				; CODE XREF: .text:00526E36j
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	loc_526E41
		lea	esi, [eax-8]
		test	dl, dl
		jz	loc_5ED38C
		mov	ecx, [esi+20h]
		xor	dl, dl
		mov	[ebp-2], dl
		test	cl, 2
		jz	short loc_526D81
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_526F25
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_526F25
		mov	[ecx], edx
		mov	[edx+4], ecx
		and	dword ptr [esi+20h], 0FFFFFFFDh
		mov	ecx, [esi+20h]
		test	ebx, ebx
		jz	short loc_526D81
		dec	dword ptr [ebx+0Ch]
		mov	ecx, [esi+20h]

loc_526D81:				; CODE XREF: .text:00526D53j
					; .text:00526D79j
		test	cl, 4
		jnz	loc_5ED32A
		test	cl, 1
		jnz	short loc_526DAD
		mov	ecx, [ebx+8]
		lea	eax, [ebx+4]
		cmp	[ecx], eax
		jnz	loc_526F25
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		or	dword ptr [esi+20h], 1
		inc	dword ptr [ebx]

loc_526DAD:				; CODE XREF: .text:00526D8Dj
		lea	edi, [esi+38h]

loc_526DB0:				; CODE XREF: .text:00526E08j
					; .text:00526E29j ...
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_526E2B
		mov	edx, [eax+8]
		lea	ecx, [eax-8]
		test	dl, 4
		jnz	loc_5ED347
		mov	byte ptr [ebp-1], 0

loc_526DC9:				; CODE XREF: .text:005ED34Bj
		test	dl, 2
		jz	short loc_526DF9
		mov	edx, [eax]
		mov	[ebp-1Ch], edx
		cmp	[edx+4], eax
		jnz	loc_526F25
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_526F25
		mov	eax, [ebp-1Ch]
		mov	[edx], eax
		mov	[eax+4], edx
		and	dword ptr [ecx+10h], 0FFFFFFFDh
		dec	dword ptr [esi+34h]
		mov	edx, [ecx+10h]

loc_526DF9:				; CODE XREF: .text:00526DCCj
		and	edx, 1
		cmp	byte ptr [ebp-1], 0
		jnz	loc_5ED350
		test	edx, edx
		jnz	short loc_526DB0
		mov	edx, [esi+30h]
		lea	eax, [esi+2Ch]
		cmp	[edx], eax
		jnz	loc_526F25
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		or	dword ptr [ecx+10h], 1
		inc	dword ptr [esi+24h]
		jmp	short loc_526DB0
; 

loc_526E2B:				; CODE XREF: .text:00526DB4j
		mov	dl, [ebp-2]

loc_526E2E:				; CODE XREF: .text:005ED342j
					; .text:005ED397j
		test	dl, dl
		lea	ecx, [ebx+10h]
		mov	dl, [ebp+0Bh]
		jz	loc_526D33
		jmp	loc_5ED39C
; 

loc_526E41:				; CODE XREF: .text:00526D37j
		mov	eax, [ebp-0Ch]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_526E4D:				; CODE XREF: .text:00526C74j
		dec	eax
		cmp	eax, 0Fh
		ja	loc_5ED31E
		movzx	eax, ds:byte_526F40[eax]
		jmp	ds:off_526F2C[eax*4]

loc_526E65:				; DATA XREF: .text:00526F30o
		mov	eax, [edi+2Ch]
		lea	ecx, [edi+2Ch]
		mov	[ebp-18h], eax
		cmp	eax, ecx
		jz	loc_526D18

loc_526E76:				; CODE XREF: .text:00526EE4j
		movzx	ecx, word ptr [eax+18h]
		add	eax, 18h
		mov	[ebp-14h], eax
		call	_AuthzBasepAllocateSecurityAttributeValue@4 ; AuthzBasepAllocateSecurityAttributeValue(x)
		mov	edx, eax
		mov	[ebp-1Ch], edx
		test	edx, edx
		jz	loc_526F14
		push	dword ptr [ebp-14h]
		xor	eax, eax
		lea	ecx, [edx+18h]
		mov	[ecx], ax
		mov	eax, [ebp-14h]
		push	ecx
		mov	ax, [eax]
		mov	[edx+1Ah], ax
		lea	eax, [edx+28h]
		mov	[edx+1Ch], eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	eax, [ebp-1Ch]
		test	byte ptr [eax+10h], 2
		jnz	short loc_526ED7
		mov	edx, [ebx+4]
		lea	ecx, [eax+8]
		cmp	[edx], ebx
		jnz	short loc_526F25
		mov	[ecx], ebx
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[ebx+4], ecx
		or	dword ptr [eax+10h], 2
		inc	dword ptr [esi+34h]

loc_526ED7:				; CODE XREF: .text:00526EBAj
		mov	eax, [ebp-18h]
		lea	ecx, [edi+2Ch]
		mov	eax, [eax]
		mov	[ebp-18h], eax
		cmp	eax, ecx
		jnz	short loc_526E76
		jmp	loc_526D18
; 

loc_526EEB:				; CODE XREF: .text:00526B82j
		test	byte ptr [edi+1Ch], 1
		jnz	loc_526D1E
		jmp	loc_526B88
; 

loc_526EFA:				; CODE XREF: .text:00526C2Ej
		test	byte ptr [edi+1Ch], 80h
		jz	loc_526C34
		and	eax, 0FFFFFF7Fh
		or	eax, 1
		mov	[esi+1Ch], eax
		jmp	loc_526C34
; 

loc_526F14:				; CODE XREF: .text:00526BB2j
					; .text:00526CACj ...
		mov	dword ptr [ebp-0Ch], 0C000009Ah

loc_526F1B:				; CODE XREF: .text:005ED325j
		mov	ebx, [ebp-10h]
		xor	dl, dl
		jmp	loc_526D2D
; 

loc_526F25:				; CODE XREF: .text:00526C53j
					; .text:00526CF1j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
off_526F2C	dd offset loc_526C7A	; DATA XREF: .text:00526E5Er
		dd offset loc_526E65
		dd offset loc_5ED250
		dd offset loc_5ED2B8
		dd offset loc_5ED31E
byte_526F40	db 0			; DATA XREF: .text:00526E57r
		db 4, 1, 2
		dd 4040003h, 4040404h, 3040404h, 4 dup(0CCCCCCCCh)
; Exported entry 842. IoGetAttachedDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetAttachedDevice(x)
		public _IoGetAttachedDevice@4
_IoGetAttachedDevice@4 proc near	; CODE XREF: IopAttachDeviceToDeviceStackSafe+4Ep
					; .text:00521FA7p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+10h]
		test	eax, eax
		jz	short loc_526F79
		nop

loc_526F70:				; CODE XREF: IoGetAttachedDevice(x)+17j
		mov	ecx, eax
		mov	eax, [ecx+10h]
		test	eax, eax
		jnz	short loc_526F70

loc_526F79:				; CODE XREF: IoGetAttachedDevice(x)+Dj
		mov	eax, ecx
		pop	ebp
		retn	4
_IoGetAttachedDevice@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCheckVpbMounted proc	near		; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+77Ap

var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005ED3AC SIZE 000000D0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[esp+20h+var_8], ecx
		mov	[esp+20h+var_4], edi
		mov	[esp+20h+var_C], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esp+20h+var_D], al
		mov	eax, large fs:20h
		lea	ecx, [eax+460h]
		mov	eax, [ecx+4]
		test	ds:byte_70EFC6,	21h
		jnz	loc_5ED3AC
		mov	edx, ecx
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_52705E

loc_526FD2:				; CODE XREF: IopCheckVpbMounted+E3j
					; IopCheckVpbMounted+C6433j
		mov	esi, [edi+24h]
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		test	byte ptr [esi+4], 1
		jz	loc_527070

loc_526FE5:				; CODE XREF: IopCheckVpbMounted+1A2j
		test	byte ptr [esi+4], 2
		jnz	loc_5ED404
		inc	dword ptr [esi+14h]
		mov	eax, [esi+14h]
		test	eax, eax
		jle	loc_5ED414

loc_526FFD:				; CODE XREF: IopCheckVpbMounted+C648Fj
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	edi, [eax+460h]
		jnz	loc_5ED45B
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_52704B
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jnz	short loc_527044

loc_52702B:				; CODE XREF: IopCheckVpbMounted+DCj
					; IopCheckVpbMounted+C64E5j
		mov	cl, [esp+20h+var_D]
		call	ebx
		test	esi, esi
		jz	loc_5ED46A

loc_527039:				; CODE XREF: IopCheckVpbMounted+C64F7j
		mov	eax, esi

loc_52703B:				; CODE XREF: IopCheckVpbMounted+189j
					; IopCheckVpbMounted+C6473j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_527044:				; CODE XREF: IopCheckVpbMounted+A9j
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_52704B:				; CODE XREF: IopCheckVpbMounted+9Aj
		mov	dword ptr [edi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_52702B
; 

loc_52705E:				; CODE XREF: IopCheckVpbMounted+4Cj
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_526FD2
; 
		jmp	short loc_527070
; 
		align 10h

loc_527070:				; CODE XREF: IopCheckVpbMounted+5Fj
					; IopCheckVpbMounted+E8j ...
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+460h]
		jnz	loc_5ED3B8
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5ED3CE
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5ED3C7

loc_5270A6:				; CODE XREF: IopCheckVpbMounted+C6442j
					; IopCheckVpbMounted+C645Fj
		mov	cl, [esp+20h+var_D]
		call	ebx
		mov	ecx, [esp+20h+var_8]
		mov	edx, [ebp+arg_0]
		mov	[esp+20h+var_C], 0
		mov	eax, [ecx+28h]
		shr	eax, 4
		and	al, 1
		cmp	word ptr [edx],	0
		jnz	short loc_52712D
		cmp	dword ptr [ecx+14h], 0
		jnz	short loc_52712D
		mov	dl, 1

loc_5270D1:				; CODE XREF: IopCheckVpbMounted+1AFj
		lea	ecx, [esp+20h+var_C]
		push	ecx
		push	eax
		push	0
		mov	ecx, edi
		call	IopMountVolume
		mov	esi, [ebp+arg_4]
		mov	[esi], eax
		test	eax, eax
		js	loc_5ED3E4
		cmp	eax, 0C0h
		jz	loc_5ED3E4
		cmp	eax, 101h
		jz	loc_5ED3E4
		mov	eax, [esp+20h+var_C]
		test	eax, eax
		jnz	loc_52703B
		lea	ecx, [eax+9]
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	esi, [edi+24h]
		mov	[esp+20h+var_D], al
		test	byte ptr [esi+4], 1
		jnz	loc_526FE5
		jmp	loc_527070
; 

loc_52712D:				; CODE XREF: IopCheckVpbMounted+147j
					; IopCheckVpbMounted+14Dj
		xor	dl, dl
		jmp	short loc_5270D1
IopCheckVpbMounted endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDoFullTraverseCheck(x, x, x)
_IopDoFullTraverseCheck@12 proc	near	; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+4C6p

var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+20h]
		and	eax, 20100h
		cmp	eax, 20000h
		jz	short loc_527171
		test	dl, dl
		jz	short loc_527171
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp-1]
		mov	[ebp+var_1], 0
		call	_SeIsAppContainerOrIdentifyLevelContext@8 ; SeIsAppContainerOrIdentifyLevelContext(x,x)
		mov	al, [ebp+var_1]
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_527171:				; CODE XREF: IopDoFullTraverseCheck(x,x,x)+13j
					; IopDoFullTraverseCheck(x,x,x)+17j
		xor	al, al
		mov	esp, ebp
		pop	ebp
		retn	4
_IopDoFullTraverseCheck@12 endp

; 
		align 10h
; Exported entry 1846. PsIsHostSilo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsHostSilo(x)
		public _PsIsHostSilo@4
_PsIsHostSilo@4	proc near		; CODE XREF: ExpCenturyDpcRoutine(x,x,x,x)+26p
					; ExpNextYearDpcRoutine(x,x,x,x)+26p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		setz	al
		pop	ebp
		retn	4
_PsIsHostSilo@4	endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 493. FsRtlCheckOplockEx2

;  S U B	R O U T	I N E 


		public FsRtlCheckOplockEx2
FsRtlCheckOplockEx2 proc near		; CODE XREF: FsRtlCheckOplock(x,x,x,x,x)+61p
					; FsRtlCheckOplockEx(x,x,x,x,x,x)+1Ep

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005278A9 SIZE 00000005 BYTES
; FUNCTION CHUNK AT 005ED47C SIZE 000002DC BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5C30
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 8
		push	ebx
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		mov	[ebp-24h], eax
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	esi, [ebx+8]
		mov	ecx, [ebx+0Ch]
		mov	[ebp-48h], ecx
		mov	eax, [ebx+18h]
		mov	[ebp-64h], eax
		mov	eax, [ebx+1Ch]
		mov	[ebp-68h], eax
		mov	eax, [ebx+20h]
		mov	[ebp-6Ch], eax
		mov	eax, [ebx+2Ch]
		mov	[ebp-70h], eax
		mov	eax, [ebx+30h]
		mov	[ebp-74h], eax
		mov	dword ptr [ebp-54h], 0
		mov	edx, [esi]
		mov	[ebp-3Ch], edx
		mov	[ebp-88h], edx
		cmp	dword ptr [ebx+14h], 0
		jnz	loc_5ED47C
		mov	edi, [ecx+60h]
		mov	[ebp-0B0h], edi
		mov	eax, [ebx+10h]
		test	al, 4
		jnz	loc_527751
		test	eax, 10000000h
		jnz	loc_52730A
		xor	edx, edx
		cmp	[edi], dl
		jnz	loc_527307
		mov	eax, [edi+18h]
		mov	eax, [eax+7Ch]
		test	eax, eax
		jnz	loc_527619

loc_527268:				; CODE XREF: FsRtlCheckOplockEx2+47Fj
					; FsRtlCheckOplockEx2+48Aj ...
		mov	[ebp-58h], edx
		mov	[ebp-78h], edx
		xor	eax, eax
		mov	[ebp-34h], eax
		mov	[ebp-30h], eax
		mov	[ebp-2Ch], eax
		mov	[ebp-28h], eax
		lea	eax, [ebp-78h]
		push	eax
		push	ecx
		call	_FsRtlGetEcpListFromIrp@8 ; FsRtlGetEcpListFromIrp(x,x)
		mov	ecx, [ebp-78h]
		test	ecx, ecx
		jz	short loc_5272FF
		mov	eax, ds:_GUID_ECP_DUAL_OPLOCK_KEY
		mov	[ebp-34h], eax
		mov	eax, ds:dword_40AAAC
		mov	[ebp-30h], eax
		mov	eax, ds:dword_40AAB0
		mov	[ebp-2Ch], eax
		mov	eax, ds:dword_40AAB4
		mov	[ebp-28h], eax
		push	0
		lea	eax, [ebp-58h]
		push	eax
		lea	eax, [ebp-34h]
		push	eax
		push	ecx
		call	_FsRtlFindExtraCreateParameter@16 ; FsRtlFindExtraCreateParameter(x,x,x,x)
		test	eax, eax
		jz	loc_5ED51A
		mov	eax, ds:_GUID_ECP_OPLOCK_KEY
		mov	[ebp-34h], eax
		mov	eax, ds:dword_40AA9C
		mov	[ebp-30h], eax
		mov	eax, ds:dword_40AAA0
		mov	[ebp-2Ch], eax
		mov	eax, ds:dword_40AAA4
		mov	[ebp-28h], eax
		push	0
		lea	eax, [ebp-58h]
		push	eax
		lea	eax, [ebp-34h]
		push	eax
		push	dword ptr [ebp-78h]
		call	_FsRtlRemoveExtraCreateParameter@16 ; FsRtlRemoveExtraCreateParameter(x,x,x,x)
		test	eax, eax
		jz	loc_5ED521

loc_5272FF:				; CODE XREF: FsRtlCheckOplockEx2+EBj
		xor	edx, edx

loc_527301:				; CODE XREF: FsRtlCheckOplockEx2+C63CAj
		mov	ecx, [ebp-48h]

loc_527304:				; CODE XREF: FsRtlCheckOplockEx2+C636Fj
		mov	eax, [ebx+10h]

loc_527307:				; CODE XREF: FsRtlCheckOplockEx2+B4j
		mov	[ebp-54h], edx

loc_52730A:				; CODE XREF: FsRtlCheckOplockEx2+AAj
		push	eax
		mov	edx, ecx
		mov	ecx, esi
		call	FsRtlpOplockStoreKeyForDeleteOperation
		mov	eax, [esi]
		mov	esi, [ebp-3Ch]
		cmp	esi, eax
		jnz	loc_5ED56F

loc_527321:				; CODE XREF: FsRtlCheckOplockEx2+C63DAj
		mov	ecx, [ebx+10h]
		test	cl, 2
		jnz	short loc_52732D
		test	esi, esi
		jnz	short loc_527350

loc_52732D:				; CODE XREF: FsRtlCheckOplockEx2+187j
					; FsRtlCheckOplockEx2+1B7j ...
		mov	eax, [ebp-54h]

loc_527330:				; CODE XREF: FsRtlCheckOplockEx2+5EFj
					; FsRtlCheckOplockEx2+6A5j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	ecx, [ebp-24h]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	2Ch
; 

loc_527350:				; CODE XREF: FsRtlCheckOplockEx2+18Bj
		mov	edx, [ebp-48h]
		test	byte ptr [edx+8], 2
		jnz	short loc_52732D
		cmp	dword ptr [ebp-54h], 0
		jnz	short loc_52732D
		mov	eax, ecx
		shr	eax, 1Dh
		and	al, 1
		mov	[ebp-37h], al
		mov	byte ptr [ebp-3Dh], 1
		lea	ecx, [ecx+0]

loc_527370:				; CODE XREF: FsRtlCheckOplockEx2+3CAj
		mov	byte ptr [ebp-3Eh], 0
		mov	dword ptr [ebp-4], 0
		mov	eax, ecx
		and	eax, 10h
		mov	[ebp-0ACh], eax
		jnz	short loc_5273BF
		cmp	byte ptr [ebp-37h], 0
		jnz	short loc_5273BF
		mov	eax, [esi+48h]
		mov	[ebp-7Ch], eax
		mov	esi, [esi+4]
		mov	[ebp-0B4h], esi
		mov	al, [edi]
		cmp	al, 3
		jz	loc_527635

loc_5273A7:				; CODE XREF: FsRtlCheckOplockEx2+49Cj
					; FsRtlCheckOplockEx2+4A6j
		cmp	al, 4
		jz	loc_52773B

loc_5273AF:				; CODE XREF: FsRtlCheckOplockEx2+5A2j
					; FsRtlCheckOplockEx2+5ACj
		test	cl, 8
		jnz	short loc_5273BC
		cmp	al, 12h
		jnz	loc_5275FF

loc_5273BC:				; CODE XREF: FsRtlCheckOplockEx2+212j
					; FsRtlCheckOplockEx2+461j ...
		mov	esi, [ebp-3Ch]

loc_5273BF:				; CODE XREF: FsRtlCheckOplockEx2+1E6j
					; FsRtlCheckOplockEx2+1ECj
		cmp	byte ptr [ebp-3Dh], 0
		jz	loc_52754B
		cmp	byte ptr [ebp-37h], 0
		jnz	loc_52753C
		mov	ecx, [esi+4Ch]
		mov	[ebp-50h], ecx
		mov	eax, large fs:124h
		mov	[ebp-0A8h], eax
		mov	dword ptr [ebp-80h], 0
		mov	dword ptr [ebp-84h], 0
		mov	dword ptr [ebp-84h], 0
		mov	eax, ecx
		and	eax, 7FFFFFFCh
		mov	[ebp-0A4h], eax
		jz	loc_5ED57F
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jnz	loc_52756F
		mov	dword ptr [ebp-80h], 0
		mov	dword ptr [ebp-5Ch], 0
		mov	dword ptr [ebp-90h], 0
		mov	dl, [esi+1E4h]
		test	dl, dl
		jz	loc_5ED586

loc_52745C:				; CODE XREF: FsRtlCheckOplockEx2+C6414j
		movzx	eax, dl
		bsf	ecx, eax
		mov	[ebp-90h], ecx
		movzx	eax, dl
		btr	eax, ecx
		mov	[esi+1E4h], al
		lea	edx, [ecx+ecx*2]
		shl	edx, 4
		add	edx, [esi+1E8h]
		mov	[ebp-5Ch], edx

loc_527483:				; CODE XREF: FsRtlCheckOplockEx2+C643Bj
		mov	ecx, [ebp-50h]

loc_527486:				; CODE XREF: FsRtlCheckOplockEx2+C6429j
		mov	[ebp-80h], edx
		test	edx, edx
		jz	loc_5ED5E0
		mov	eax, ecx
		shr	eax, 15h
		mov	edx, dword_6D07D0
		mov	[ebp-0A0h], edx
		cmp	ecx, edx
		jb	loc_5ED5ED
		movzx	ecx, byte ptr dword_6D3994[eax]
		mov	[ebp-4Ch], ecx

loc_5274B4:				; CODE XREF: FsRtlCheckOplockEx2+C645Bj
		mov	ecx, [ebp-50h]
		cmp	dword ptr [ebp-4Ch], 1
		mov	edx, [ebp-5Ch]
		jz	loc_5ED600
		cmp	ecx, [ebp-0A0h]
		jb	short loc_5274D9
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_5ED600

loc_5274D9:				; CODE XREF: FsRtlCheckOplockEx2+32Aj
		or	eax, 0FFFFFFFFh

loc_5274DC:				; CODE XREF: FsRtlCheckOplockEx2+C646Ej
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp-0A4h]
		mov	[edx+10h], eax

loc_5274E9:				; CODE XREF: FsRtlCheckOplockEx2+C6448j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp-84h]
		push	eax
		mov	edx, ecx
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_527517
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_527794

loc_527517:				; CODE XREF: FsRtlCheckOplockEx2+369j
					; FsRtlCheckOplockEx2+5F9j
		mov	ecx, [ebp-50h]
		mov	esi, [ebp-5Ch]

loc_52751D:				; CODE XREF: FsRtlCheckOplockEx2+C63E1j
		lock btr dword ptr [ecx], 0
		jnb	loc_5ED613

loc_527528:				; CODE XREF: FsRtlCheckOplockEx2+C647Dj
		test	esi, esi
		jz	short loc_527530
		or	byte ptr [esi+0Eh], 1

loc_527530:				; CODE XREF: FsRtlCheckOplockEx2+38Aj
		mov	eax, [ebp-0A8h]
		mov	[ecx+4], eax
		mov	esi, [ebp-3Ch]

loc_52753C:				; CODE XREF: FsRtlCheckOplockEx2+22Dj
		mov	byte ptr [ebp-37h], 1
		mov	ecx, [esi+48h]
		cmp	ecx, 1
		jnz	short loc_527589

loc_527548:				; CODE XREF: FsRtlCheckOplockEx2+69Ej
		mov	ecx, [ebx+10h]

loc_52754B:				; CODE XREF: FsRtlCheckOplockEx2+223j
					; FsRtlCheckOplockEx2+474j
		mov	eax, [ebp-3Ch]

loc_52754E:				; CODE XREF: FsRtlCheckOplockEx2+45Aj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		call	sub_527876
		cmp	byte ptr [ebp-3Eh], 0
		mov	ecx, [ebx+10h]
		mov	esi, [ebp-3Ch]
		jz	loc_52732D
		jmp	loc_527370
; 

loc_52756F:				; CODE XREF: FsRtlCheckOplockEx2+290j
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	dword ptr [ebp-50h]
		push	esi
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_527589:				; CODE XREF: FsRtlCheckOplockEx2+3A6j
		xor	ah, ah
		mov	[ebp-35h], ah
		xor	al, al
		mov	[ebp-36h], al
		xor	esi, esi
		mov	[ebp-44h], esi
		cmp	[ebp-0ACh], esi
		jnz	loc_5ED622
		movzx	edx, byte ptr [edi]
		mov	[ebp-4Ch], edx
		cmp	edx, 12h
		mov	edx, [ebp-48h]
		jnz	loc_52764B

loc_5275B6:				; CODE XREF: FsRtlCheckOplockEx2+C64B8j
		mov	edx, edi
		mov	ecx, [ebp-3Ch]
		call	FsRtlpOplockCleanup
		cmp	byte ptr [edi],	12h
		jnz	short loc_5275CF
		test	byte ptr [ebx+10h], 20h
		jnz	loc_5ED6A0

loc_5275CF:				; CODE XREF: FsRtlCheckOplockEx2+423j
					; FsRtlCheckOplockEx2+4BBj ...
		mov	ah, [ebp-35h]

loc_5275D2:				; CODE XREF: FsRtlCheckOplockEx2+51Cj
					; FsRtlCheckOplockEx2+6D1j
		mov	al, [ebp-36h]

loc_5275D5:				; CODE XREF: FsRtlCheckOplockEx2+4AFj
					; FsRtlCheckOplockEx2+60Ej ...
		test	ah, ah
		jnz	loc_5276C1
		test	al, al
		jnz	loc_5277B3

loc_5275E5:				; CODE XREF: FsRtlCheckOplockEx2+52Fj
					; FsRtlCheckOplockEx2+544j ...
		mov	eax, [ebp-3Ch]
		cmp	dword ptr [ebp-54h], 0
		jnz	short loc_5275F7
		test	[eax+48h], esi
		jnz	loc_52780B

loc_5275F7:				; CODE XREF: FsRtlCheckOplockEx2+44Cj
		mov	ecx, [ebx+10h]
		jmp	loc_52754E
; 

loc_5275FF:				; CODE XREF: FsRtlCheckOplockEx2+216j
		test	esi, esi
		jz	loc_5273BC
		cmp	esi, [edi+18h]
		jnz	loc_5273BC
		mov	byte ptr [ebp-3Dh], 0
		jmp	loc_52754B
; 

loc_527619:				; CODE XREF: FsRtlCheckOplockEx2+C2j
		cmp	eax, _IopRevocationExtension
		jz	loc_527268
		mov	eax, [eax+1Ch]
		test	eax, eax
		jz	loc_527268
		jmp	loc_5ED50B
; 

loc_527635:				; CODE XREF: FsRtlCheckOplockEx2+201j
		test	dword ptr [ebp-7Ch], 0FFFF4FFEh
		jnz	loc_5273A7
		mov	byte ptr [ebp-3Dh], 0
		jmp	loc_5273A7
; 

loc_52764B:				; CODE XREF: FsRtlCheckOplockEx2+410j
		cmp	dword ptr [ebp-4Ch], 15h
		ja	short loc_5275D5
		mov	eax, [ebp-4Ch]
		movzx	eax, ds:byte_5278D8[eax]
		jmp	ds:off_5278B0[eax*4]

loc_527662:				; DATA XREF: .text:off_5278B0o
		test	ecx, 7000h
		jz	loc_527720
		mov	eax, [edi+4]
		test	dword ptr [eax+8], 0FFEDFE7Fh
		jz	loc_527720

loc_52767E:				; CODE XREF: FsRtlCheckOplockEx2+596j
					; FsRtlCheckOplockEx2+6BAj
		test	cl, 8
		jnz	loc_5ED62F

loc_527687:				; CODE XREF: FsRtlCheckOplockEx2+C6499j
					; FsRtlCheckOplockEx2+C64A9j
		mov	al, [edi+0Bh]
		test	al, al
		jz	loc_52779E
		cmp	al, 4
		jz	loc_52779E
		cmp	al, 5
		jz	loc_52779E
		test	dword ptr [edi+8], 100000h
		jnz	loc_52779E

loc_5276AF:				; CODE XREF: FsRtlCheckOplockEx2+4BBj
					; DATA XREF: .text:005278C4o
		mov	ah, 1
		mov	[ebp-35h], ah
		mov	esi, 4000h
		mov	[ebp-44h], esi
		jmp	loc_5275D2
; 

loc_5276C1:				; CODE XREF: FsRtlCheckOplockEx2+437j
		mov	ecx, [ebp-3Ch]
		mov	eax, [ecx+48h]
		and	eax, 1F0FFDFh
		cmp	eax, 10h
		jz	loc_5275E5
		mov	edx, [ecx+4]
		mov	ecx, [edi+18h]
		push	0
		call	FsRtlpOplockKeysEqual
		test	al, al
		jnz	loc_5275E5
		lea	eax, [ebp-3Eh]
		push	eax
		lea	eax, [ebp-37h]
		push	eax
		push	dword ptr [ebp-74h]
		push	dword ptr [ebp-70h]
		push	dword ptr [ebx+28h]
		push	dword ptr [ebx+24h]
		push	dword ptr [ebp-6Ch]
		push	dword ptr [ebp-68h]
		push	dword ptr [ebp-64h]
		push	ecx
		push	dword ptr [ebx+10h]
		push	dword ptr [ebp-48h]
		mov	edx, edi
		mov	ecx, [ebp-3Ch]
		call	FsRtlpOplockBreakToII

loc_527718:				; CODE XREF: FsRtlCheckOplockEx2+666j
		mov	[ebp-54h], eax
		jmp	loc_5275E5
; 

loc_527720:				; CODE XREF: FsRtlCheckOplockEx2+4C8j
					; FsRtlCheckOplockEx2+4D8j
		test	cl, 1Eh
		jnz	loc_52784A

loc_527729:				; CODE XREF: FsRtlCheckOplockEx2+6B4j
		test	dword ptr [edi+8], 100000h
		jz	loc_5275CF
		jmp	loc_52767E
; 

loc_52773B:				; CODE XREF: FsRtlCheckOplockEx2+209j
		test	dword ptr [ebp-7Ch], 0FFFFDFFEh
		jnz	loc_5273AF
		mov	byte ptr [ebp-3Dh], 0
		jmp	loc_5273AF
; 

loc_527751:				; CODE XREF: FsRtlCheckOplockEx2+9Fj
		mov	dword ptr [ebp-60h], 0
		test	edx, edx
		jz	loc_527843
		mov	ecx, [edx+4Ch]
		call	ExAcquireFastMutexUnsafe
		cmp	byte ptr [edi],	0
		jnz	loc_5ED486
		mov	ecx, [ebp-3Ch]
		test	dword ptr [ecx+48h], 10000h
		jnz	loc_5ED493
		mov	edi, ecx

loc_527783:				; CODE XREF: FsRtlCheckOplockEx2+C6306j
					; FsRtlCheckOplockEx2+C635Fj
		xor	esi, esi

loc_527785:				; CODE XREF: FsRtlCheckOplockEx2+C62EEj
		mov	ecx, [edi+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	eax, esi
		jmp	loc_527330
; 

loc_527794:				; CODE XREF: FsRtlCheckOplockEx2+371j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_527517
; 

loc_52779E:				; CODE XREF: FsRtlCheckOplockEx2+4BBj
					; FsRtlCheckOplockEx2+4ECj ...
		mov	al, 1
		mov	[ebp-36h], al
		mov	esi, 5000h
		mov	[ebp-44h], esi

loc_5277AB:				; CODE XREF: FsRtlCheckOplockEx2+C6583j
		mov	ah, [ebp-35h]
		jmp	loc_5275D5
; 

loc_5277B3:				; CODE XREF: FsRtlCheckOplockEx2+43Fj
		mov	ecx, [ebp-3Ch]
		mov	eax, [ecx+48h]
		and	eax, 1F0FFDFh
		cmp	eax, 10h
		jz	short loc_5277DB
		mov	edx, [ecx+4]
		mov	ecx, [edi+18h]
		push	0
		call	FsRtlpOplockKeysEqual
		test	al, al
		jnz	loc_5275E5
		mov	ecx, [ebp-3Ch]

loc_5277DB:				; CODE XREF: FsRtlCheckOplockEx2+621j
		lea	eax, [ebp-3Eh]
		push	eax
		lea	eax, [ebp-37h]
		push	eax
		push	dword ptr [ebp-74h]
		push	dword ptr [ebp-70h]
		push	dword ptr [ebx+28h]
		push	dword ptr [ebx+24h]
		push	dword ptr [ebp-6Ch]
		push	dword ptr [ebp-68h]
		push	dword ptr [ebp-64h]
		push	ecx
		push	dword ptr [ebx+10h]
		push	dword ptr [ebp-48h]
		mov	edx, edi
		call	FsRtlpOplockBreakToNone
		jmp	loc_527718
; 

loc_52780B:				; CODE XREF: FsRtlCheckOplockEx2+451j
		lea	ecx, [ebp-3Eh]
		push	ecx
		lea	ecx, [ebp-37h]
		push	ecx
		push	dword ptr [ebp-74h]
		push	dword ptr [ebp-70h]
		push	dword ptr [ebx+28h]
		push	dword ptr [ebx+24h]
		push	dword ptr [ebp-6Ch]
		push	dword ptr [ebp-68h]
		push	dword ptr [ebp-64h]
		push	esi
		push	dword ptr [ebx+14h]
		push	dword ptr [ebx+10h]
		push	dword ptr [ebp-48h]
		mov	edx, edi
		mov	ecx, eax
		call	_FsRtlpOplockBreakByCacheFlags@60 ; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp-54h], eax
		jmp	loc_527548
; 

loc_527843:				; CODE XREF: FsRtlCheckOplockEx2+5BAj
		xor	eax, eax
		jmp	loc_527330
; 

loc_52784A:				; CODE XREF: FsRtlCheckOplockEx2+583j
		mov	eax, [edi+4]
		test	dword ptr [eax+8], 0FFEFFE7Fh
		jz	loc_527729
		jmp	loc_52767E
; 

loc_52785F:				; CODE XREF: FsRtlCheckOplockEx2+4BBj
					; FsRtlCheckOplockEx2+C654Aj
					; DATA XREF: ...
		test	cl, 8
		jnz	short loc_5278A9
		mov	ah, 1
		mov	[ebp-35h], ah

loc_527869:				; CODE XREF: FsRtlCheckOplockEx2+70Cj
		mov	esi, 4000h
		mov	[ebp-44h], esi
		jmp	loc_5275D2
FsRtlCheckOplockEx2 endp


;  S U B	R O U T	I N E 


sub_527876	proc near		; CODE XREF: FsRtlCheckOplockEx2+3B5p
					; sub_5ED758+15j

; FUNCTION CHUNK AT 005ED772 SIZE 0000000E BYTES

		cmp	byte ptr [ebp-37h], 0
		jz	short locret_5278A8
		test	ecx, 20000000h
		jnz	short locret_5278A8
		mov	esi, [eax+4Ch]
		mov	dword ptr [esi+4], 0
		mov	ecx, 1
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jnz	loc_5ED772

loc_5278A1:				; CODE XREF: sub_527876+C5F05j
		mov	ecx, esi
		call	KeAbPostRelease

locret_5278A8:				; CODE XREF: sub_527876+4j
					; sub_527876+Cj
		retn
sub_527876	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlCheckOplockEx2

loc_5278A9:				; CODE XREF: FsRtlCheckOplockEx2+6C2j
		mov	ah, [ebp-35h]
		jmp	short loc_527869
; END OF FUNCTION CHUNK	FOR FsRtlCheckOplockEx2
; 
		align 10h
off_5278B0	dd offset loc_527662	; DATA XREF: FsRtlCheckOplockEx2+4BBr
		dd offset loc_5ED64E
		dd offset loc_52785F
		dd offset loc_52779E
		dd offset loc_5ED677
		dd offset loc_5276AF
		dd offset loc_5ED6BB
		dd offset loc_5ED663
		dd offset loc_5ED6A0
		dd offset loc_5275CF
byte_5278D8	db 0			; DATA XREF: FsRtlCheckOplockEx2+4B4r
		db 9, 1, 2
		dd 9040903h, 9090509h, 9090609h, 9090709h, 0CCCC0809h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpOplockStoreKeyForDeleteOperation proc near
					; CODE XREF: FsRtlCheckOplock(x,x,x,x,x)+15p
					; FsRtlCheckOplockEx2+16Fp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005ED7D0 SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5C50
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	edi, ecx
		mov	esi, [edx+60h]
		mov	ecx, [edi]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_28], ecx
		xor	bl, bl
		mov	[ebp+var_19], bl
		mov	[ebp+var_4], 0
		mov	al, [esi]
		test	al, al
		jnz	short loc_52794A
		test	dword ptr [esi+8], 1000h
		jnz	short loc_527986

loc_52794A:				; CODE XREF: FsRtlpOplockStoreKeyForDeleteOperation+4Fj
		cmp	al, 6
		jz	short loc_52796E

loc_52794E:				; CODE XREF: FsRtlpOplockStoreKeyForDeleteOperation+8Cj
					; FsRtlpOplockStoreKeyForDeleteOperation+94j ...
		mov	[ebp+var_4], 0FFFFFFFEh
		call	sub_5279AE
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_52796E:				; CODE XREF: FsRtlpOplockStoreKeyForDeleteOperation+5Cj
		mov	eax, [esi+8]
		mov	[ebp+var_24], eax
		cmp	eax, 0Dh
		jz	short loc_5279A1

loc_527979:				; CODE XREF: FsRtlpOplockStoreKeyForDeleteOperation+BCj
		cmp	eax, 40h
		jnz	short loc_52794E
		mov	eax, [edx+0Ch]
		test	byte ptr [eax],	1
		jz	short loc_52794E

loc_527986:				; CODE XREF: FsRtlpOplockStoreKeyForDeleteOperation+58j
					; FsRtlpOplockStoreKeyForDeleteOperation+B7j
		mov	eax, [esi+18h]
		push	eax
		call	_IoGetOplockKeyContextEx@4 ; IoGetOplockKeyContextEx(x)
		mov	edx, eax
		mov	[ebp+var_24], edx
		test	edx, edx
		jnz	loc_5ED7D0

loc_52799C:				; CODE XREF: FsRtlpOplockStoreKeyForDeleteOperation+C5EE4j
					; FsRtlpOplockStoreKeyForDeleteOperation+C5F50j
		mov	ecx, [ebp+var_20]
		jmp	short loc_52794E
; 

loc_5279A1:				; CODE XREF: FsRtlpOplockStoreKeyForDeleteOperation+87j
		mov	eax, [edx+0Ch]
		cmp	byte ptr [eax],	0
		jnz	short loc_527986
		mov	eax, [ebp+var_24]
		jmp	short loc_527979
FsRtlpOplockStoreKeyForDeleteOperation endp


;  S U B	R O U T	I N E 


sub_5279AE	proc near		; CODE XREF: FsRtlpOplockStoreKeyForDeleteOperation+65p
					; sub_5ED845+6j

; FUNCTION CHUNK AT 005ED850 SIZE 0000001A BYTES

		test	bl, bl
		jnz	loc_5ED850

locret_5279B6:				; CODE XREF: sub_5279AE+C5EA9j
					; sub_5279AE+C5EB7j
		retn
sub_5279AE	endp

; 
		align 10h
; Exported entry 743. IoAllocateIrpEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoAllocateIrpEx
IoAllocateIrpEx	proc near		; CODE XREF: FsRtlGetFileExtents(x,x,x,x,x,x,x)+2Fp
					; FsRtlGetFileSize+BDp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005ED86A SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_IopDispatchAllocateIrp
		test	eax, eax
		jnz	loc_5ED86A
		mov	eax, [ebp+4]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	IopAllocateIrpPrivate

loc_5279E5:				; CODE XREF: IoAllocateIrpEx+C5EBEj
					; IoAllocateIrpEx+C5ECEj
		pop	ecx
		pop	ebp
		retn	0Ch
IoAllocateIrpEx	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepPrivilegeCheck(x, x, x, x, x)
_SepPrivilegeCheck@20 proc near		; CODE XREF: SepAccessCheck+3F5p
					; SepAccessCheck+48Bp ...

var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		cmp	[ebp+arg_8], 0
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], edx
		push	edi
		mov	[ebp+var_10], esi
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], 0
		jz	loc_527B3E
		mov	eax, [esi+48h]
		mov	dword ptr [ebp+arg_8], eax
		mov	eax, [esi+4Ch]
		mov	esi, dword ptr [ebp+arg_8]
		mov	[ebp+var_4], eax
		push	ebx

loc_527A38:				; CODE XREF: SepPrivilegeCheck(x,x,x,x,x)+6Dj
					; SepPrivilegeCheck(x,x,x,x,x)+72j
		mov	edi, [ebp+var_24]
		mov	eax, edi
		mov	ecx, [ebp+var_20]
		mov	edx, ecx
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_24]
		mov	[ebp+var_8], ecx
		nop
		mov	ecx, [ebp+var_4]
		mov	ebx, esi
		mov	esi, [ebp+var_8]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, dword ptr [ebp+arg_8]
		cmp	eax, edi
		jnz	short loc_527A38
		cmp	edx, [ebp+var_C]
		jnz	short loc_527A38
		mov	esi, [ebp+var_10]
		mov	ecx, [esi+40h]
		mov	eax, [esi+44h]
		mov	dword ptr [ebp+arg_8], ecx
		mov	[ebp+var_10], eax

loc_527A73:				; CODE XREF: SepPrivilegeCheck(x,x,x,x,x)+ABj
					; SepPrivilegeCheck(x,x,x,x,x)+AFj
		mov	esi, [ebp+var_1C]
		lea	ebx, [ebp+var_1C]
		mov	edi, [ebp+var_18]
		mov	eax, esi
		mov	[ebp+var_8], edi
		mov	edx, edi
		mov	[ebp+var_C], ebx
		nop
		mov	edi, [ebp+var_C]
		mov	ebx, ecx
		mov	ecx, [ebp+var_10]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_8]
		mov	ecx, dword ptr [ebp+arg_8]
		cmp	eax, esi
		jnz	short loc_527A73
		cmp	edx, edi
		jnz	short loc_527A73
		mov	eax, [ebp+var_1C]
		xor	ecx, ecx
		and	eax, [ebp+var_24]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_18]
		and	eax, [ebp+var_20]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], 0
		lock or	[eax], ecx
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		mov	dword ptr [ebp+arg_8], eax
		test	edi, edi
		jz	short loc_527B12
		mov	esi, [ebp+var_14]
		mov	ebx, edi
		mov	edi, [ebp+var_10]
		add	esi, 8
		lea	esp, [esp+0]

loc_527AE0:				; CODE XREF: SepPrivilegeCheck(x,x,x,x,x)+11Dj
		mov	eax, [esi]
		xor	edx, edx
		mov	ecx, [esi-8]
		and	eax, 7FFFFFFFh
		mov	[ebp+var_14], eax
		mov	[esi], eax
		mov	eax, 1
		call	__allshl
		and	edx, [ebp+var_8]
		and	eax, edi
		or	eax, edx
		jnz	short loc_527B27
		mov	eax, dword ptr [ebp+arg_8]

loc_527B07:				; CODE XREF: SepPrivilegeCheck(x,x,x,x,x)+148j
		add	esi, 0Ch
		sub	ebx, 1
		jnz	short loc_527AE0
		mov	edi, [ebp+arg_0]

loc_527B12:				; CODE XREF: SepPrivilegeCheck(x,x,x,x,x)+DCj
		test	[ebp+arg_4], 1
		pop	ebx
		jz	short loc_527B3A
		cmp	eax, edi
		jz	short loc_527B3E

loc_527B1D:				; CODE XREF: SepPrivilegeCheck(x,x,x,x,x)+14Cj
		xor	al, al

loc_527B1F:				; CODE XREF: SepPrivilegeCheck(x,x,x,x,x)+150j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_527B27:				; CODE XREF: SepPrivilegeCheck(x,x,x,x,x)+112j
		mov	eax, [ebp+var_14]
		or	eax, 80000000h
		mov	[esi], eax
		mov	eax, dword ptr [ebp+arg_8]
		inc	eax
		mov	dword ptr [ebp+arg_8], eax
		jmp	short loc_527B07
; 

loc_527B3A:				; CODE XREF: SepPrivilegeCheck(x,x,x,x,x)+127j
		test	eax, eax
		jz	short loc_527B1D

loc_527B3E:				; CODE XREF: SepPrivilegeCheck(x,x,x,x,x)+32j
					; SepPrivilegeCheck(x,x,x,x,x)+12Bj
		mov	al, 1
		jmp	short loc_527B1F
_SepPrivilegeCheck@20 endp


;  S U B	R O U T	I N E 


; __stdcall IopSymlinkRemoveECP(x, x)
_IopSymlinkRemoveECP@8 proc near	; CODE XREF: IopGraftName(x,x,x)+42Fp
					; IopSymlinkUpdateECP+E8p ...
		push	0
		push	edx
		push	(offset	loc_A3F6CF+1)
		push	ecx
		call	_FsRtlRemoveExtraCreateParameter@16 ; FsRtlRemoveExtraCreateParameter(x,x,x,x)
		retn
_IopSymlinkRemoveECP@8 endp ; sp = -10h

; 
		align 10h
; Exported entry 2060. RtlEqualSid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlEqualSid(x, x)
		public _RtlEqualSid@8
_RtlEqualSid@8	proc near		; CODE XREF: SepSidInTokenSidHash+5Bp
					; SepSidInTokenSidHash+88p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		movzx	ecx, word ptr [edx]
		cmp	cx, [eax]
		jz	short loc_527B79
		xor	al, al
		pop	ebp
		retn	8
; 

loc_527B79:				; CODE XREF: RtlEqualSid(x,x)+11j
		shr	ecx, 8
		push	esi
		lea	esi, ds:8[ecx*4]
		sub	esi, 4
		jb	short loc_527BA1
		lea	esp, [esp+0]

loc_527B90:				; CODE XREF: RtlEqualSid(x,x)+3Fj
		mov	ecx, [edx]
		cmp	ecx, [eax]
		jnz	short loc_527BA6
		add	edx, 4
		add	eax, 4
		sub	esi, 4
		jnb	short loc_527B90

loc_527BA1:				; CODE XREF: RtlEqualSid(x,x)+27j
		cmp	esi, 0FFFFFFFCh
		jz	short loc_527BD3

loc_527BA6:				; CODE XREF: RtlEqualSid(x,x)+34j
		mov	cl, [edx]
		cmp	cl, [eax]
		jnz	short loc_527BDF
		cmp	esi, 0FFFFFFFDh
		jz	short loc_527BD3
		mov	cl, [edx+1]
		cmp	cl, [eax+1]
		jnz	short loc_527BDF
		cmp	esi, 0FFFFFFFEh
		jz	short loc_527BD3
		mov	cl, [edx+2]
		cmp	cl, [eax+2]
		jnz	short loc_527BDF
		cmp	esi, 0FFFFFFFFh
		jz	short loc_527BD3
		mov	cl, [edx+3]
		cmp	cl, [eax+3]
		jnz	short loc_527BDF

loc_527BD3:				; CODE XREF: RtlEqualSid(x,x)+44j
					; RtlEqualSid(x,x)+4Fj	...
		xor	eax, eax
		test	eax, eax
		pop	esi
		setz	al
		pop	ebp
		retn	8
; 

loc_527BDF:				; CODE XREF: RtlEqualSid(x,x)+4Aj
					; RtlEqualSid(x,x)+57j	...
		sbb	eax, eax
		or	eax, 1
		test	eax, eax
		pop	esi
		setz	al
		pop	ebp
		retn	8
_RtlEqualSid@8	endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 296. EtwWrite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwWrite(x,	x, x, x, x, x)
		public _EtwWrite@24
_EtwWrite@24	proc near		; CODE XREF: PpmPerfSnapDeliveredPerformance+474p
					; PopTraceSystemIdleTimeReset(x)+6Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	0
		push	[ebp+arg_C]
		push	0
		push	0
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	EtwWriteEx
		pop	ebp
		retn	18h
_EtwWrite@24	endp

; 
		align 10h
; Exported entry 298. EtwWriteEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public EtwWriteEx
EtwWriteEx	proc near		; CODE XREF: _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)+85p
					; IoReuseIrp(x,x)+1E9p	...

var_D0		= dword	ptr -0D0h
var_96		= byte ptr -96h
var_95		= byte ptr -95h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_64		= dword	ptr -64h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 005ED893 SIZE 0000011C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	eax, [ebp+arg_4]
		mov	[esp+68h+var_2C], eax
		mov	eax, [ebp+arg_18]
		mov	[esp+68h+var_40], eax
		mov	eax, [ebp+arg_1C]
		mov	ebx, [ebp+arg_0]
		mov	[esp+68h+var_44], eax
		mov	eax, [ebp+arg_24]
		mov	[esp+68h+var_48], eax
		xor	eax, eax
		mov	[esp+68h+var_30], 0
		mov	[esp+68h+var_2C], 0
		mov	[esp+68h+var_24], eax
		mov	[esp+68h+var_20], eax
		mov	[esp+68h+var_1C], eax
		mov	[esp+68h+var_18], eax
		mov	[esp+68h+var_14], eax
		mov	[esp+68h+var_10], eax
		mov	[esp+68h+var_C], eax
		mov	[esp+68h+var_8], eax
		mov	[esp+68h+var_50], eax
		mov	edi, [ebp+arg_8]
		mov	[esp+68h+var_34], edi
		test	ebx, ebx
		jz	loc_527E2B
		mov	esi, [ebx+38h]
		mov	dl, [ebx+34h]
		lea	eax, [esi+10h]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		test	dl, dl
		jz	short loc_527D39
		mov	eax, [edi+8]
		mov	[esp+68h+var_3C], eax
		mov	eax, [edi+0Ch]
		mov	[esp+68h+var_4C], eax
		mov	eax, [ebx+10h]
		mov	[esp+68h+var_38], eax
		cmp	dword ptr [eax+40h], 0
		jz	short loc_527D39
		mov	cl, [eax+44h]
		cmp	[edi+4], cl
		ja	loc_5ED893

loc_527CE7:				; CODE XREF: EtwWriteEx+C5C6Bj
		test	byte ptr [eax+48h], 40h
		jz	loc_527D76
		mov	eax, [esp+68h+var_3C]
		or	eax, [esp+68h+var_4C]
		jnz	short loc_527D72

loc_527CFB:				; CODE XREF: EtwWriteEx+184j
		lea	eax, [esp+68h+var_30]
		mov	ecx, [esp+68h+var_38]
		push	eax
		movzx	eax, word ptr [ebx+32h]
		push	esi
		push	eax
		push	0
		lea	eax, [esp+78h+var_24]
		push	eax
		push	0
		push	[esp+80h+var_48]
		push	[ebp+arg_20]
		push	[esp+88h+var_44]
		push	[esp+8Ch+var_40]
		push	0
		push	0
		push	edi
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	[esp+0A8h+var_90], eax

loc_527D39:				; CODE XREF: EtwWriteEx+8Ej
					; EtwWriteEx+A9j ...
		mov	al, [ebx+35h]
		mov	[esp+0A8h+var_95], al
		test	al, al
		jnz	short loc_527DBF

loc_527D44:				; CODE XREF: EtwWriteEx+1ABj
		mov	edx, [esp+0A8h+var_90]

loc_527D48:				; CODE XREF: EtwWriteEx+1F6j
		mov	eax, [ebx+10h]
		mov	[esp+0A8h+var_94], eax
		cmp	dword ptr [eax+168h], 0
		jnz	loc_5ED8A0

loc_527D5C:				; CODE XREF: EtwWriteEx+C5D02j
					; EtwWriteEx+C5D71j ...
		mov	eax, edx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+9Ch+var_44]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_527D72:				; CODE XREF: EtwWriteEx+C9j
		mov	eax, [esp+68h+var_38]

loc_527D76:				; CODE XREF: EtwWriteEx+BBj
		mov	ecx, [eax+50h]
		mov	eax, [eax+54h]
		and	ecx, [esp+68h+var_3C]
		and	eax, [esp+68h+var_4C]
		or	ecx, eax
		jz	short loc_527D39
		mov	eax, [esp+68h+var_38]
		mov	edi, [eax+5Ch]
		mov	ecx, [eax+58h]
		mov	eax, ecx
		and	eax, [esp+68h+var_3C]
		mov	[esp+68h+var_54], edi
		and	edi, [esp+68h+var_4C]
		mov	[esp+68h+var_4C], edi
		mov	edi, [esp+68h+var_34]
		cmp	eax, ecx
		jnz	short loc_527D39
		mov	eax, [esp+68h+var_54]
		cmp	[esp+68h+var_4C], eax
		jz	loc_527CFB
		jmp	loc_527D39
; 

loc_527DBF:				; CODE XREF: EtwWriteEx+112j
		mov	edx, [ebx+14h]
		mov	ecx, [edi+0Ch]
		mov	eax, [edi+8]
		push	ecx
		mov	[esp+0ACh+var_94], edx
		lea	ecx, [edx+40h]
		mov	dl, [edi+4]
		push	eax
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	loc_527D44
		lea	eax, [esp+0A8h+var_70]
		mov	dl, [esp+0A8h+var_95]
		push	eax
		movzx	eax, word ptr [ebx+32h]
		push	esi
		push	eax
		push	[esp+0B4h+var_94]
		lea	eax, [esp+0B8h+var_64]
		mov	ecx, [ebx+10h]
		push	eax
		push	0
		push	[esp+0C0h+var_88]
		push	[ebp+arg_20]
		push	[esp+0C8h+var_84]
		push	[esp+0CCh+var_80]
		push	0
		push	0
		push	edi
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		mov	[esp+0E8h+var_D0], edx
		jmp	loc_527D48
; 

loc_527E2B:				; CODE XREF: EtwWriteEx+77j
		mov	ecx, [esp+68h+var_4]
		mov	eax, 0C0000008h
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	28h
EtwWriteEx	endp

; 
		align 10h

; __stdcall EtwpEventWriteFull(x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x, x, x)
_EtwpEventWriteFull@72:			; CODE XREF: EtwWriteEx+100p
					; EtwWriteEx+1EBp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5CB8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 1ACh
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		mov	[ebp-1Ch], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	[ebp-154h], edx
		mov	eax, [ebp+24h]
		mov	[ebp-1B4h], eax
		mov	[ebp-14Ch], ecx
		mov	eax, [ebp+14h]
		mov	[ebp-104h], eax
		mov	eax, [ebp+2Ch]
		mov	[ebp-160h], eax
		mov	eax, [ebp+34h]
		mov	[ebp-194h], eax
		mov	edi, [ebp+38h]
		mov	eax, [ebp+40h]
		mov	[ebp-180h], eax
		mov	eax, [ebp+44h]
		mov	[ebp-18Ch], eax
		mov	dword ptr [ebp-150h], 0
		push	0C0h
		push	0
		lea	eax, [ebp-0E0h]
		push	eax
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebp-128h], 0
		xor	eax, eax
		mov	[ebp-11Ch], eax
		mov	[ebp-140h], eax
		mov	[ebp-12Ch], eax
		mov	[ebp-17Ch], eax
		mov	[ebp-178h], eax
		mov	esi, [ebp+3Ch]
		mov	eax, esi
		and	eax, 200h
		mov	[ebp-188h], eax
		and	esi, 400h
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+1F0h]
		mov	[ebp-170h], eax
		cmp	dword ptr [ebp+28h], 80h
		jbe	short loc_527F54
		mov	eax, 0C000000Dh
		jmp	loc_529741
; 

loc_527F54:				; CODE XREF: .text:00527F48j
		test	edi, edi
		jz	short loc_527F60
		mov	[ebp-148h], edi
		jmp	short loc_527F6C
; 

loc_527F60:				; CODE XREF: .text:00527F56j
		mov	eax, [ebp-14Ch]
		mov	[ebp-148h], eax

loc_527F6C:				; CODE XREF: .text:00527F5Ej
		cmp	dword ptr [ebp-180h], 0
		jz	short loc_527F85
		test	si, si
		jnz	short loc_527F85
		mov	eax, [ebp-180h]
		movzx	eax, word ptr [eax]
		jmp	short loc_527F87
; 

loc_527F85:				; CODE XREF: .text:00527F73j
					; .text:00527F78j
		xor	eax, eax

loc_527F87:				; CODE XREF: .text:00527F83j
		movzx	eax, ax
		mov	[ebp-184h], eax
		mov	byte ptr [ebp-0E1h], 0
		mov	dword ptr [ebp-20h], 0
		mov	eax, [ebp-14Ch]
		mov	eax, [eax+164h]
		mov	[ebp-130h], eax
		mov	[ebp-174h], eax
		mov	eax, [ebp-18Ch]
		test	eax, eax
		jz	short loc_527FDE
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	eax, ecx
		or	eax, edx
		jz	short loc_527FDE
		mov	[ebp-17Ch], ecx
		mov	[ebp-178h], edx
		mov	byte ptr [ebp-0E1h], 4

loc_527FDE:				; CODE XREF: .text:00527FBEj
					; .text:00527FC9j
		mov	eax, large fs:124h
		mov	[ebp-16Ch], eax
		cmp	dword ptr [ebp+30h], 0
		jnz	short loc_527FF3
		mov	[ebp+30h], eax

loc_527FF3:				; CODE XREF: .text:00527FEEj
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jnz	short loc_528005
		mov	byte ptr [ebp-13Ch], 1Fh
		jmp	short loc_528011
; 

loc_528005:				; CODE XREF: .text:00527FFAj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebp-13Ch], al

loc_528011:				; CODE XREF: .text:00528003j
		mov	al, [ebp-13Ch]
		mov	[ebp-109h], al
		mov	byte ptr [ebp-11Dh], 0
		cmp	al, 1
		jnb	short loc_52803D
		mov	eax, [ebp-16Ch]
		dec	word ptr [eax+13Ch]
		nop
		mov	byte ptr [ebp-11Dh], 1

loc_52803D:				; CODE XREF: .text:00528026j
		mov	al, [ebp+8]
		not	al
		and	[ebp-154h], al
		jmp	short loc_528050
; 
		align 10h

loc_528050:				; CODE XREF: .text:00528048j
					; .text:0052811Fj ...
		mov	cl, [ebp-154h]
		movzx	eax, cl
		bsf	edi, eax
		mov	[ebp-128h], edi
		jz	loc_5285B0
		mov	dword ptr [ebp-118h], 1
		xor	eax, eax
		mov	[ebp-1A4h], eax
		mov	[ebp-1A0h], eax
		mov	[ebp-19Ch], eax
		mov	[ebp-1ACh], eax
		mov	[ebp-1A8h], eax
		mov	ebx, 50h
		mov	[ebp-164h], ebx
		mov	[ebp-110h], ebx
		mov	[ebp-100h], eax
		mov	[ebp-134h], eax
		xor	al, al
		mov	[ebp-0EDh], al
		mov	dword ptr [ebp-158h], 0
		xor	eax, eax
		mov	[ebp-124h], eax
		mov	[ebp-15Ch], eax
		mov	[ebp-138h], eax
		mov	[ebp-190h], eax
		dec	cl
		and	[ebp-154h], cl
		add	edi, 3
		shl	edi, 5
		add	edi, [ebp-148h]
		mov	[ebp-0FCh], edi
		mov	esi, [ebp-194h]
		test	esi, esi
		jz	short loc_528125
		movzx	ecx, word ptr [edi+6]
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 8000001Fh
		jns	short loc_528115
		dec	ecx
		or	ecx, 0FFFFFFE0h
		inc	ecx

loc_528115:				; CODE XREF: .text:0052810Ej
		mov	eax, 1
		shl	eax, cl
		test	[esi+edx*4], eax
		jnz	loc_528050

loc_528125:				; CODE XREF: .text:005280FDj
		mov	eax, [ebp-104h]
		mov	edx, [eax+8]
		mov	esi, [eax+0Ch]
		mov	cl, [eax+4]
		cmp	dword ptr [edi], 0
		jz	loc_528050
		mov	al, [edi+4]
		cmp	cl, al
		jbe	short loc_52814C
		test	al, al
		jnz	loc_528050

loc_52814C:				; CODE XREF: .text:00528142j
		mov	ecx, [edi+8]
		mov	[ebp-0ECh], ecx
		test	cl, 40h
		jz	short loc_528160
		mov	eax, edx
		or	eax, esi
		jz	short loc_5281A4

loc_528160:				; CODE XREF: .text:00528158j
		mov	ecx, [edi+10h]
		and	ecx, edx
		mov	eax, [edi+14h]
		and	eax, esi
		or	ecx, eax
		jz	loc_528050
		mov	ecx, [edi+18h]
		mov	eax, [edi+1Ch]
		mov	[ebp-0E8h], eax
		mov	eax, ecx
		and	eax, edx
		mov	edx, [ebp-0E8h]
		and	edx, esi
		cmp	eax, ecx
		jnz	loc_528050
		cmp	edx, [ebp-0E8h]
		jnz	loc_528050
		mov	ecx, [ebp-0ECh]

loc_5281A4:				; CODE XREF: .text:0052815Ej
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	byte ptr [ebp+10h], 2
		jnz	short loc_5281BF
		cmp	dword ptr [eax+0F8h], 0
		jge	short loc_5281CB

loc_5281BF:				; CODE XREF: .text:005281B4j
		test	ecx, 200h
		jnz	loc_528050

loc_5281CB:				; CODE XREF: .text:005281BDj
		mov	eax, [ebp-148h]
		mov	[ebp-0E8h], eax
		mov	edx, [eax+160h]
		mov	esi, [ebp-128h]
		mov	[ebp-108h], esi
		test	edx, edx
		jz	short loc_528213
		imul	eax, esi, 34h
		mov	ecx, [eax+edx]
		mov	eax, ecx
		and	eax, 80000200h
		cmp	eax, 80000200h
		jz	short loc_52820F
		and	ecx, 80000100h
		cmp	ecx, 80000100h
		jnz	short loc_528213

loc_52820F:				; CODE XREF: .text:005281FFj
		mov	al, 1
		jmp	short loc_528215
; 

loc_528213:				; CODE XREF: .text:005281EBj
					; .text:0052820Dj
		xor	al, al

loc_528215:				; CODE XREF: .text:00528211j
		test	al, al
		jz	loc_52839C
		mov	eax, [ebp-104h]
		movzx	eax, word ptr [eax]
		mov	[ebp-114h], eax
		mov	byte ptr [ebp-0E2h], 1
		xor	edi, edi
		cmp	byte ptr [ebp-13Ch], 2
		jnb	loc_528300
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp-10Ah], al
		imul	eax, esi, 34h
		mov	[ebp-108h], eax
		mov	ecx, [ebp-0E8h]
		mov	ecx, [ecx+160h]
		mov	esi, [eax+ecx+24h]
		test	esi, esi
		jz	short loc_5282CC
		mov	dx, [ebp-114h]
		mov	cl, [esi+1]
		ror	dx, cl
		movzx	eax, dx
		mov	cx, [esi+2]
		and	cx, ax
		movzx	eax, cx
		mov	ecx, [ebp-114h]
		cmp	cx, [esi+eax*4+8]
		jz	short loc_5282A4

loc_528292:				; CODE XREF: .text:005282A2j
		mov	al, [esi+eax*4+6]
		cmp	al, 0FFh
		jz	short loc_5282B3
		movzx	eax, al
		cmp	cx, [esi+eax*4+8]
		jnz	short loc_528292

loc_5282A4:				; CODE XREF: .text:00528290j
		mov	al, 1

loc_5282A6:				; CODE XREF: .text:005282B5j
		cmp	[esi], al
		jnz	short loc_5282B7
		mov	byte ptr [ebp-0E2h], 1
		jmp	short loc_5282D5
; 

loc_5282B3:				; CODE XREF: .text:00528298j
		xor	al, al
		jmp	short loc_5282A6
; 

loc_5282B7:				; CODE XREF: .text:005282A8j
		mov	byte ptr [ebp-0E2h], 0
		mov	cl, [ebp-10Ah]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_528331
; 

loc_5282CC:				; CODE XREF: .text:00528269j
		cmp	byte ptr [ebp-0E2h], 0
		jz	short loc_5282F2

loc_5282D5:				; CODE XREF: .text:005282B1j
		mov	eax, [ebp-0E8h]
		mov	eax, [eax+160h]
		mov	edi, [ebp-108h]
		mov	edi, [edi+eax+28h]
		test	edi, edi
		jz	short loc_5282F2
		lock inc dword ptr [edi]

loc_5282F2:				; CODE XREF: .text:005282D3j
					; .text:005282EDj
		mov	cl, [ebp-10Ah]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_528331
; 

loc_528300:				; CODE XREF: .text:0052823Cj
		imul	esi, 34h
		mov	edx, [esi+edx+24h]
		test	edx, edx
		jz	short loc_528321
		mov	ecx, eax
		call	_EtwpPerfectHashFunctionSearch@8 ; EtwpPerfectHashFunctionSearch(x,x)
		cmp	[edx], al
		jnz	loc_528516
		mov	byte ptr [ebp-0E2h], 1

loc_528321:				; CODE XREF: .text:00528309j
		mov	eax, [ebp-0E8h]
		mov	eax, [eax+160h]
		mov	edi, [esi+eax+28h]

loc_528331:				; CODE XREF: .text:005282CAj
					; .text:005282FEj ...
		test	edi, edi
		jz	short loc_52837D
		lea	eax, [ebp-0E2h]
		push	eax
		lea	eax, [edi+8]
		push	eax
		push	1
		push	0
		push	dword ptr [ebp-160h]
		mov	edx, [ebp+28h]
		mov	ecx, [ebp-104h]
		call	_EtwpApplyPayloadFilterInternal@28 ; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_528363
		mov	byte ptr [ebp-0E2h], 1

loc_528363:				; CODE XREF: .text:0052835Aj
		cmp	byte ptr [ebp-13Ch], 2
		jnb	short loc_52837D
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		jnz	short loc_52837D
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_52837D:				; CODE XREF: .text:00528333j
					; .text:0052836Aj ...
		cmp	byte ptr [ebp-0E2h], 0
		jz	loc_528050
		mov	esi, [ebp-128h]
		mov	[ebp-108h], esi
		mov	edi, [ebp-0FCh]

loc_52839C:				; CODE XREF: .text:00528217j
		cmp	word ptr [ebp-188h], 0
		jz	loc_5284C5
		mov	edx, [ebp-104h]
		mov	ecx, [edx+8]
		mov	[ebp-0F8h], ecx
		mov	eax, [edx+0Ch]
		mov	[ebp-114h], eax
		mov	al, [edx+4]
		mov	[ebp-10Ah], al
		xor	edx, edx
		mov	eax, [ebp-0E8h]
		mov	eax, [eax+160h]
		mov	[ebp-0ECh], eax
		test	eax, eax
		jz	loc_5284C5
		imul	eax, esi, 34h
		add	eax, [ebp-0ECh]
		mov	[ebp-0ECh], eax
		mov	eax, [eax]
		and	eax, 80000400h
		cmp	eax, 80000400h
		mov	edi, [ebp-0FCh]
		jnz	short loc_52841F
		mov	edx, [ebp-0ECh]
		mov	edx, [edx+30h]
		mov	esi, [ebp-128h]
		mov	[ebp-108h], esi

loc_52841F:				; CODE XREF: .text:00528408j
		test	edx, edx
		jz	loc_5284C5
		mov	al, [edx+1]
		cmp	[ebp-10Ah], al
		jbe	short loc_52843A
		test	al, al
		jnz	loc_5284C5

loc_52843A:				; CODE XREF: .text:00528430j
		mov	eax, ecx
		or	eax, [ebp-114h]
		jz	short loc_528480
		mov	ecx, [edx+8]
		and	ecx, [ebp-0F8h]
		mov	eax, [edx+0Ch]
		and	eax, [ebp-114h]
		or	ecx, eax
		jz	short loc_5284C5
		mov	ecx, [edx+10h]
		mov	edx, [edx+14h]
		mov	[ebp-0ECh], edx
		mov	eax, ecx
		and	eax, [ebp-0F8h]
		and	edx, [ebp-114h]
		cmp	eax, ecx
		jnz	short loc_5284C5
		cmp	edx, [ebp-0ECh]
		jnz	short loc_5284C5

loc_528480:				; CODE XREF: .text:00528442j
		mov	eax, [ebp-104h]
		mov	edx, [eax+8]
		mov	ecx, [eax+0Ch]
		mov	al, [eax+4]
		mov	[ebp-1B0h], al
		push	0
		push	ecx
		push	edx
		push	dword ptr [ebp-1B0h]
		push	dword ptr [ebp-13Ch]
		push	0
		push	dword ptr [ebp-160h]
		push	dword ptr [ebp+28h]
		mov	edx, esi
		mov	ecx, [ebp-148h]
		call	_EtwpApplyEventNameFilter@40 ; EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)
		test	al, al
		jz	loc_528050

loc_5284C5:				; CODE XREF: .text:005283A4j
					; .text:005283E1j ...
		movzx	esi, word ptr [edi+6]
		mov	[ebp-114h], esi
		mov	edi, [ebp-130h]
		cmp	byte ptr [ebp-13Ch], 2
		jnb	short loc_528536
		mov	ecx, [edi+188h]
		mov	edx, 1
		mov	ecx, [ecx+esi*4]
		call	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
		test	al, al
		jz	short loc_528562
		cmp	esi, [edi+8]
		jnb	short loc_528522
		lfence	eax
		mov	eax, [edi+18Ch]
		mov	eax, [eax+esi*4]
		mov	[ebp-118h], eax
		mov	cl, 1
		mov	[ebp-0EDh], cl
		jmp	short loc_528568
; 

loc_528516:				; CODE XREF: .text:00528314j
		mov	byte ptr [ebp-0E2h], 0
		jmp	loc_528331
; 

loc_528522:				; CODE XREF: .text:005284F8j
		mov	dword ptr [ebp-118h], 1
		mov	cl, 1
		mov	[ebp-0EDh], cl
		jmp	short loc_528568
; 

loc_528536:				; CODE XREF: .text:005284DCj
		mov	cl, [ebp-0EDh]
		cmp	esi, [edi+8]
		jnb	short loc_528555
		lfence	eax
		mov	eax, [edi+18Ch]
		mov	eax, [eax+esi*4]
		mov	[ebp-118h], eax
		jmp	short loc_52856E
; 

loc_528555:				; CODE XREF: .text:0052853Fj
		mov	eax, 1
		mov	[ebp-118h], eax
		jmp	short loc_52856E
; 

loc_528562:				; CODE XREF: .text:005284F3j
		mov	cl, [ebp-0EDh]

loc_528568:				; CODE XREF: .text:00528514j
					; .text:00528534j
		mov	eax, [ebp-118h]

loc_52856E:				; CODE XREF: .text:00528553j
					; .text:00528560j
		test	al, 1
		jz	loc_528667
		test	cl, cl
		jz	short loc_52858D
		mov	ecx, [edi+188h]
		mov	edx, 1
		mov	ecx, [ecx+esi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)

loc_52858D:				; CODE XREF: .text:00528578j
		cmp	esi, 3
		jnz	loc_528050
		mov	eax, [edi+8A4h]
		neg	eax
		sbb	eax, eax
		and	eax, 2F6h
		add	eax, 0C0000008h
		mov	[ebp-150h], eax

loc_5285B0:				; CODE XREF: .text:00528062j
					; .text:00528CA9j
		test	byte ptr [ebp-0E1h], 2
		jz	short loc_5285CC
		mov	edx, [ebp-12Ch]
		lea	edx, [edx-4]
		mov	ecx, offset _EtwpStackLookAsideList
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_5285CC:				; CODE XREF: .text:005285B7j
		cmp	dword ptr [ebp-150h], 0
		jl	loc_52969D
		xor	eax, eax
		mov	[ebp-128h], eax
		cmp	[ebp-20h], eax
		jbe	loc_5296DB
		lea	ebx, [ebx+0]

loc_5285F0:				; CODE XREF: .text:00528660j
		lea	eax, [eax+eax*2]
		lea	ebx, [ebp-0E0h]
		lea	ebx, [ebx+eax*8]
		mov	esi, [ebx+8]
		mov	edi, [ebx+0Ch]
		mov	ecx, [edi]
		mov	eax, ecx
		xor	eax, esi
		cmp	eax, 7
		jnb	short loc_528626
		lea	ecx, [ecx+0]

loc_528610:				; CODE XREF: .text:00528624j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_52862A
		mov	ecx, eax
		xor	eax, esi
		cmp	eax, 7
		jb	short loc_528610

loc_528626:				; CODE XREF: .text:0052860Bj
		lock dec dword ptr [esi+0Ch]

loc_52862A:				; CODE XREF: .text:0052861Bj
		cmp	byte ptr [ebp-13Ch], 2
		jnb	short loc_528650
		mov	eax, [ebx]
		mov	eax, [eax]
		mov	ecx, [ebp-130h]
		mov	ecx, [ecx+188h]
		mov	edx, 1
		mov	ecx, [ecx+eax*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)

loc_528650:				; CODE XREF: .text:00528631j
		mov	eax, [ebp-128h]
		inc	eax
		mov	[ebp-128h], eax
		cmp	eax, [ebp-20h]
		jb	short loc_5285F0
		jmp	loc_5296DB
; 

loc_528667:				; CODE XREF: .text:00528570j
		mov	edi, [ebp-1B4h]
		mov	eax, edi
		neg	eax
		sbb	eax, eax
		and	eax, 8
		mov	[ebp-0F4h], eax
		neg	edi
		sbb	edi, edi
		and	edi, 18h
		add	edi, ebx
		mov	esi, edi
		mov	[ebp-0F8h], esi
		mov	eax, [ebp-0FCh]
		test	dword ptr [eax+8], 0FFFFFF9Fh
		jz	loc_528B0D
		cmp	_EtwpPagingDisabled, 0
		jnz	short loc_5286CE
		test	byte ptr [ebp+10h], 1
		jnz	short loc_5286CE
		call	_MmCanThreadFault@0 ; MmCanThreadFault()
		test	eax, eax
		jz	short loc_5286CE
		mov	eax, [ebp-16Ch]
		cmp	byte ptr [eax+30Ah], 0
		jnz	short loc_5286CE
		mov	ecx, 80h
		jmp	short loc_5286D0
; 

loc_5286CE:				; CODE XREF: .text:005286A7j
					; .text:005286ADj ...
		xor	ecx, ecx

loc_5286D0:				; CODE XREF: .text:005286CCj
		mov	eax, [ebp-0F4h]
		or	eax, ecx
		mov	[ebp-0F4h], eax
		mov	ecx, [ebp-0FCh]
		mov	edx, [ecx+8]
		mov	[ebp-0F8h], esi
		test	edx, 800h
		jz	short loc_52872D
		mov	ecx, [ebp-170h]
		test	ecx, ecx
		jz	short loc_52872D
		mov	[ebp-0F8h], esi
		cmp	ecx, ds:_EtwpHostSiloState
		jz	short loc_52872D
		or	eax, 100h
		mov	[ebp-0F4h], eax
		movzx	esi, word ptr [ecx+90Ch]
		add	esi, 0Fh
		and	esi, 0FFFFFFF8h
		add	esi, edi
		mov	[ebp-0F8h], esi

loc_52872D:				; CODE XREF: .text:005286F3j
					; .text:005286FDj ...
		test	dl, 1
		jz	loc_528818
		test	al, al
		jns	loc_528818
		mov	ecx, [ebp-11Ch]
		test	ecx, ecx
		jnz	loc_5287F8
		mov	eax, large fs:20h
		mov	[ebp-140h], eax
		mov	edi, [eax+5E0h]
		inc	dword ptr [edi+0Ch]
		mov	ecx, edi
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		mov	[ebp-11Ch], ecx
		test	ecx, ecx
		jnz	short loc_5287B9
		inc	dword ptr [edi+10h]
		mov	edi, [ebp-140h]
		mov	edi, [edi+5E4h]
		inc	dword ptr [edi+0Ch]
		mov	ecx, edi
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		mov	[ebp-11Ch], ecx
		test	ecx, ecx
		jnz	short loc_5287B9
		inc	dword ptr [edi+10h]
		mov	eax, [edi+20h]
		push	eax
		mov	eax, [edi+24h]
		push	eax
		mov	eax, [edi+1Ch]
		push	eax
		mov	eax, [edi+28h]
		call	eax
		mov	ecx, eax
		mov	[ebp-11Ch], eax
		test	ecx, ecx
		jz	short loc_5287C7

loc_5287B9:				; CODE XREF: .text:00528772j
					; .text:00528797j
		mov	eax, [ebp-140h]
		mov	eax, [eax+3CCh]
		mov	[ecx], eax

loc_5287C7:				; CODE XREF: .text:005287B7j
		mov	[ebp-140h], ecx
		test	ecx, ecx
		jz	short loc_5287EA
		call	EtwpGetSidExtendedHeaderItem
		mov	edi, [ebp-128h]
		mov	eax, [ebp-0F4h]
		mov	ecx, [ebp-11Ch]
		jmp	short loc_5287FE
; 

loc_5287EA:				; CODE XREF: .text:005287CFj
		mov	edi, [ebp-128h]
		mov	eax, [ebp-0F4h]
		jmp	short loc_5287FE
; 

loc_5287F8:				; CODE XREF: .text:00528746j
		mov	edi, [ebp-108h]

loc_5287FE:				; CODE XREF: .text:005287E8j
					; .text:005287F6j
		test	ecx, ecx
		jz	short loc_52881E
		or	eax, 2
		mov	[ebp-0F4h], eax
		movzx	ecx, word ptr [ecx]
		add	esi, ecx
		mov	[ebp-0F8h], esi
		jmp	short loc_52881E
; 

loc_528818:				; CODE XREF: .text:00528730j
					; .text:00528738j
		mov	edi, [ebp-108h]

loc_52881E:				; CODE XREF: .text:00528800j
					; .text:00528816j
		mov	ecx, [ebp-0FCh]
		mov	edx, [ecx+8]
		test	dl, 2
		jz	short loc_52883E
		or	eax, 1
		mov	[ebp-0F4h], eax
		add	esi, 10h
		mov	[ebp-0F8h], esi

loc_52883E:				; CODE XREF: .text:0052882Aj
		test	dl, dl
		jns	short loc_52886B
		call	EtwpIsExecutingInArbitraryThreadContext
		mov	ecx, [ebp-0FCh]
		test	al, al
		mov	eax, [ebp-0F4h]
		jnz	short loc_528871
		or	eax, 20h
		mov	[ebp-0F4h], eax
		add	esi, 10h
		mov	[ebp-0F8h], esi
		jmp	short loc_528871
; 

loc_52886B:				; CODE XREF: .text:00528840j
		mov	eax, [ebp-0F4h]

loc_528871:				; CODE XREF: .text:00528855j
					; .text:00528869j
		mov	ecx, [ecx+8]
		test	ecx, 100h
		jz	short loc_52888E
		or	eax, 40h
		mov	[ebp-0F4h], eax
		add	esi, 10h
		mov	[ebp-0F8h], esi

loc_52888E:				; CODE XREF: .text:0052887Aj
		test	cl, 4
		jz	loc_528B0D
		cmp	_EtwpPagingDisabled, 0
		jnz	loc_528B0D
		mov	eax, [ebp-0E8h]
		mov	ecx, [eax+160h]
		test	ecx, ecx
		jz	short loc_5288E8
		imul	eax, edi, 34h
		mov	ecx, [eax+ecx]
		mov	eax, ecx
		and	eax, 80001000h
		cmp	eax, 80001000h
		jz	short loc_5288E4
		mov	eax, ecx
		and	eax, 80002000h
		cmp	eax, 80002000h
		jz	short loc_5288E4
		and	ecx, 80004000h
		cmp	ecx, 80004000h
		jnz	short loc_5288E8

loc_5288E4:				; CODE XREF: .text:005288C6j
					; .text:005288D4j
		mov	al, 1
		jmp	short loc_5288EA
; 

loc_5288E8:				; CODE XREF: .text:005288B2j
					; .text:005288E2j
		xor	al, al

loc_5288EA:				; CODE XREF: .text:005288E6j
		test	al, al
		jz	loc_5289A2
		mov	eax, [ebp-104h]
		mov	edx, [eax+8]
		mov	ecx, [eax+0Ch]
		mov	al, [eax+4]
		mov	[ebp-1BCh], al
		cmp	byte ptr [ebp-109h], 2
		setb	al
		movzx	eax, al
		push	eax
		push	ecx
		push	edx
		push	dword ptr [ebp-1BCh]
		mov	edx, edi
		mov	ecx, [ebp-148h]
		call	_EtwpApplyLevelKwFilter@24 ; EtwpApplyLevelKwFilter(x,x,x,x,x,x)
		test	al, al
		jz	loc_528B0D
		mov	eax, [ebp-104h]
		movzx	ecx, word ptr [eax]
		cmp	byte ptr [ebp-109h], 2
		setb	al
		movzx	eax, al
		push	eax
		push	edi
		mov	edx, [ebp-148h]
		call	_EtwpApplyStackWalkIdFilter@16 ; EtwpApplyStackWalkIdFilter(x,x,x,x)
		test	al, al
		jz	loc_528B0D
		mov	eax, [ebp-104h]
		mov	edx, [eax+8]
		mov	ecx, [eax+0Ch]
		mov	al, [eax+4]
		mov	[ebp-1B8h], al
		push	1
		push	ecx
		push	edx
		push	dword ptr [ebp-1B8h]
		push	dword ptr [ebp-13Ch]
		push	0
		push	dword ptr [ebp-160h]
		push	dword ptr [ebp+28h]
		mov	edx, edi
		mov	ecx, [ebp-148h]
		call	_EtwpApplyEventNameFilter@40 ; EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)
		test	al, al
		jz	loc_528B0D

loc_5289A2:				; CODE XREF: .text:005288ECj
		test	byte ptr [ebp-0E1h], 1
		jnz	loc_528AF1
		mov	dword ptr [ebp-0E8h], 100h
		call	_EtwpGetStackLookasideListEntry@0 ; EtwpGetStackLookasideListEntry()
		mov	edx, eax
		mov	[ebp-12Ch], edx
		test	edx, edx
		jnz	short loc_528A19
		mov	[ebp-144h], eax
		mov	[ebp-0ECh], eax
		lea	eax, [ebp-144h]
		push	eax
		lea	eax, [ebp-0ECh]
		push	eax
		call	IoGetStackLimits
		lea	eax, [ebp-144h]
		sub	eax, [ebp-0ECh]
		cmp	eax, 528h
		jbe	short loc_528A19
		mov	eax, 310h
		call	__alloca_probe_16
		mov	[ebp-18h], esp
		mov	[ebp-12Ch], esp
		mov	dword ptr [ebp-0E8h], 0C0h

loc_528A19:				; CODE XREF: .text:005289C8j
					; .text:005289FAj
		cmp	dword ptr [ebp-12Ch], 0
		jz	loc_528AEA
		mov	dword ptr [ebp-0ECh], 0
		mov	cl, 1
		mov	eax, [ebp-118h]
		mov	eax, [eax+258h]
		and	eax, 40000000h
		neg	eax
		sbb	al, al
		not	al
		and	al, cl
		mov	[ebp-198h], al
		mov	ecx, [ebp-14Ch]
		add	ecx, 14h
		mov	edx, offset _EventTracingProvGuid
		mov	edi, 0Ch

loc_528A64:				; CODE XREF: .text:00528A73j
		mov	eax, [ecx]
		cmp	eax, [edx]
		jnz	short loc_528A9A
		add	ecx, 4
		add	edx, 4
		sub	edi, 4
		jnb	short loc_528A64
		mov	eax, [ebp-104h]
		cmp	word ptr [eax],	12h
		jnz	short loc_528A9A
		or	dword ptr [ebp-0F4h], 10h
		mov	eax, [ebp-14Ch]
		add	eax, 30h
		mov	byte ptr [ebp-198h], 0
		jmp	short loc_528AA0
; 

loc_528A9A:				; CODE XREF: .text:00528A68j
					; .text:00528A7Fj
		mov	eax, [ebp-0ECh]

loc_528AA0:				; CODE XREF: .text:00528A98j
		push	eax
		push	dword ptr [ebp-198h]
		lea	eax, [ebp-12Ch]
		push	eax
		mov	edi, [ebp-0E8h]
		push	edi
		mov	edx, [ebp+10h]
		mov	ecx, [ebp-16Ch]
		call	_EtwpGetStackExtendedHeaderItem@24 ; EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)
		cmp	dword ptr [ebp-12Ch], 0
		jz	short loc_528AD8
		cmp	edi, 100h
		jnz	short loc_528AD8
		mov	cl, 2
		jmp	short loc_528ADA
; 

loc_528AD8:				; CODE XREF: .text:00528ACAj
					; .text:00528AD2j
		xor	cl, cl

loc_528ADA:				; CODE XREF: .text:00528AD6j
		mov	al, [ebp-0E1h]
		and	al, 0FDh
		or	al, cl
		mov	[ebp-0E1h], al

loc_528AEA:				; CODE XREF: .text:00528A20j
		or	byte ptr [ebp-0E1h], 1

loc_528AF1:				; CODE XREF: .text:005289A9j
		mov	edx, [ebp-12Ch]
		test	edx, edx
		jz	short loc_528B0D
		or	dword ptr [ebp-0F4h], 4
		movzx	eax, word ptr [edx]
		add	esi, eax
		mov	[ebp-0F8h], esi

loc_528B0D:				; CODE XREF: .text:0052869Aj
					; .text:00528891j ...
		mov	eax, [ebp-20h]
		lea	eax, [eax+eax*2]
		lea	edi, [ebp-0E0h]
		lea	edi, [edi+eax*8]
		mov	[ebp-0ECh], edi
		mov	edx, [ebp+28h]
		test	edx, edx
		jz	short loc_528B94
		mov	eax, [ebp-160h]
		lea	ecx, [eax+8]
		mov	ebx, [ebp-124h]
		jmp	short loc_528B40
; 
		align 10h

loc_528B40:				; CODE XREF: .text:00528B38j
					; .text:00528B86j
		cmp	word ptr [ebp-188h], 0
		jnz	short loc_528B4E
		xor	al, al
		jmp	short loc_528B51
; 

loc_528B4E:				; CODE XREF: .text:00528B48j
		mov	al, [ecx+4]

loc_528B51:				; CODE XREF: .text:00528B4Cj
		movzx	eax, al
		sub	eax, 0
		jz	short loc_528B78
		sub	eax, 1
		jnz	short loc_528B80
		mov	ax, [ebp-158h]
		add	ax, [ecx]
		mov	[ebp-158h], ax
		inc	ebx
		mov	[ebp-15Ch], ebx
		jmp	short loc_528B80
; 

loc_528B78:				; CODE XREF: .text:00528B57j
		add	esi, [ecx]
		mov	[ebp-0F8h], esi

loc_528B80:				; CODE XREF: .text:00528B5Cj
					; .text:00528B76j
		add	ecx, 10h
		sub	edx, 1
		jnz	short loc_528B40
		mov	[ebp-124h], ebx
		mov	ebx, [ebp-164h]

loc_528B94:				; CODE XREF: .text:00528B27j
		cmp	dword ptr [ebp-124h], 0
		jz	short loc_528BB2
		movzx	eax, word ptr [ebp-158h]
		add	eax, 0Fh
		and	eax, 0FFFFFFF8h
		add	esi, eax
		mov	[ebp-0F8h], esi

loc_528BB2:				; CODE XREF: .text:00528B9Bj
		mov	eax, [ebp-184h]
		test	ax, ax
		jz	short loc_528BCE
		movzx	eax, ax
		add	eax, 0Fh
		and	eax, 0FFFFFFF8h
		add	esi, eax
		mov	[ebp-0F8h], esi

loc_528BCE:				; CODE XREF: .text:00528BBBj
		mov	[edi+14h], esi
		push	0
		lea	eax, [ebp-1ACh]
		push	eax
		lea	eax, [ebp-1A4h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-118h]
		call	EtwpReserveTraceBuffer
		mov	edi, eax
		mov	[ebp-108h], edi
		test	edi, edi
		jnz	loc_528CAE
		mov	ebx, [ebp-118h]
		cmp	esi, 0FFF8h
		jbe	short loc_528C13
		mov	esi, 0C0000095h
		jmp	short loc_528C24
; 

loc_528C13:				; CODE XREF: .text:00528C0Aj
		cmp	[ebx+8], esi
		sbb	esi, esi
		and	esi, 0BFFFFFEEh
		add	esi, 0C0000017h

loc_528C24:				; CODE XREF: .text:00528C11j
		push	offset _ETW_EVENT_LOST_EVENT
		mov	eax, dword_6BC30C
		push	eax
		mov	eax, _EtwpEventTracingProvRegHandle
		push	eax
		call	EtwEventEnabled
		test	al, al
		jz	short loc_528C57
		push	esi
		lea	eax, [ebx+5Ch]
		push	eax
		mov	ecx, [ebp-14Ch]
		lea	ecx, [ecx+14h]
		mov	edx, [ebp-104h]
		call	_EtwpTraceLostEvent@16 ; EtwpTraceLostEvent(x,x,x,x)

loc_528C57:				; CODE XREF: .text:00528C3Cj
		cmp	dword ptr [ebp-150h], 0
		jl	short loc_528C6F
		test	dword ptr [ebx+0Ch], 8000000h
		jnz	short loc_528C6F
		mov	[ebp-150h], esi

loc_528C6F:				; CODE XREF: .text:00528C5Ej
					; .text:00528C67j
		cmp	byte ptr [ebp-0EDh], 0
		jz	short loc_528C97
		mov	eax, [ebp-130h]
		mov	ecx, [eax+188h]
		mov	edx, 1
		mov	eax, [ebp-114h]
		mov	ecx, [ecx+eax*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)

loc_528C97:				; CODE XREF: .text:00528C76j
		cmp	esi, 0C0000095h
		jnz	loc_528050
		mov	[ebp-150h], esi
		jmp	loc_5285B0
; 

loc_528CAE:				; CODE XREF: .text:00528BF8j
		mov	ecx, [ebp-0ECh]
		mov	edx, [ebp-118h]
		mov	[ecx], edx
		mov	[ecx+4], edi
		mov	eax, [ebp-1A4h]
		mov	[ecx+8], eax
		mov	eax, [ebp-1A0h]
		mov	[ecx+0Ch], eax
		mov	eax, [ebp-19Ch]
		mov	[ecx+10h], eax
		inc	dword ptr [ebp-20h]
		mov	eax, [edx+14h]
		or	eax, esi
		mov	[edi], eax
		lea	ecx, [edi+4]
		mov	[ebp-0FCh], ecx
		mov	ax, [ebp+18h]
		mov	[ecx], ax
		mov	ax, [ebp+1Ch]
		mov	[edi+6], ax
		mov	ecx, [ebp-14Ch]
		mov	eax, [ecx+14h]
		mov	[edi+18h], eax
		mov	eax, [ecx+18h]
		mov	[edi+1Ch], eax
		mov	eax, [ecx+1Ch]
		mov	[edi+20h], eax
		mov	eax, [ecx+20h]
		mov	[edi+24h], eax
		mov	ecx, [ebp-104h]
		mov	eax, [ecx]
		mov	[edi+28h], eax
		mov	eax, [ecx+4]
		mov	[edi+2Ch], eax
		mov	eax, [ecx+8]
		mov	[edi+30h], eax
		mov	eax, [ecx+0Ch]
		mov	[edi+34h], eax
		mov	ecx, [ebp+20h]
		test	ecx, ecx
		jz	short loc_528D54
		mov	eax, [ecx]
		mov	[edi+40h], eax
		mov	eax, [ecx+4]
		mov	[edi+44h], eax
		mov	eax, [ecx+8]
		mov	[edi+48h], eax
		mov	eax, [ecx+0Ch]
		jmp	short loc_528D71
; 

loc_528D54:				; CODE XREF: .text:00528D3Cj
		mov	eax, ds:_GUID_NULL.Data1
		mov	[edi+40h], eax
		mov	eax, dword ptr ds:_GUID_NULL.Data2
		mov	[edi+44h], eax
		mov	eax, dword ptr ds:_GUID_NULL.Data4
		mov	[edi+48h], eax
		mov	eax, dword ptr ds:_GUID_NULL.Data4+4

loc_528D71:				; CODE XREF: .text:00528D52j
		mov	[edi+4Ch], eax
		mov	eax, [ebp-1ACh]
		mov	[edi+10h], eax
		mov	eax, [ebp-1A8h]
		mov	[edi+14h], eax
		mov	ecx, [ebp+30h]
		mov	eax, [ecx+2B0h]
		mov	[edi+8], eax
		mov	eax, [ecx+2ACh]
		mov	[edi+0Ch], eax
		mov	eax, [ecx+194h]
		mov	[edi+38h], eax
		mov	eax, [ecx+1C0h]
		mov	[edi+3Ch], eax
		mov	edx, [ebp-0F4h]
		test	edx, edx
		jz	loc_5291FF
		test	edx, 100h
		jz	loc_528E75
		lea	edx, [edi+50h]
		mov	[ebp-100h], edx
		mov	ebx, [ebp-170h]
		movzx	ecx, word ptr [ebx+90Ch]
		add	cx, 0Fh
		mov	eax, 0FFF8h
		and	cx, ax
		mov	[edx], cx
		mov	eax, 10h
		mov	[edx+2], ax
		movzx	eax, word ptr [ebx+90Ch]
		mov	[edx+6], ax
		xor	eax, eax
		mov	[edx+4], ax
		movzx	eax, word ptr [ebx+90Ch]
		sub	ecx, eax
		sub	ecx, 8
		movzx	edi, cx
		lea	ebx, [edx+8]
		push	eax
		mov	eax, [ebp-170h]
		mov	eax, [eax+908h]
		push	eax
		push	ebx
		call	_memcpy
		push	edi
		push	0
		mov	eax, [ebp-170h]
		movzx	eax, word ptr [eax+90Ch]
		add	eax, ebx
		push	eax
		call	_memset
		add	esp, 18h
		mov	ecx, [ebp-0FCh]
		or	word ptr [ecx],	1
		mov	eax, [ebp-100h]
		movzx	ebx, word ptr [eax]
		add	ebx, 50h
		mov	[ebp-110h], ebx
		mov	[ebp-134h], eax
		mov	edx, [ebp-0F4h]
		mov	edi, [ebp-108h]

loc_528E75:				; CODE XREF: .text:00528DC1j
		test	dl, 8
		jz	short loc_528EEE
		lea	eax, [ebx+edi]
		mov	[ebp-0E8h], eax
		mov	dword ptr [eax], 10018h
		mov	dword ptr [eax+4], 100000h
		mov	ecx, [ebp+24h]
		mov	eax, [ecx]
		mov	edx, [ebp-0E8h]
		mov	[edx+8], eax
		mov	eax, [ecx+4]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+8]
		mov	[edx+10h], eax
		mov	eax, [ecx+0Ch]
		mov	ecx, edx
		mov	[ecx+14h], eax
		mov	ecx, [ebp-0FCh]
		or	word ptr [ecx],	1
		add	ebx, 18h
		mov	[ebp-110h], ebx
		mov	eax, [ebp-100h]
		test	eax, eax
		mov	edx, [ebp-0F4h]
		jz	short loc_528EDA
		or	word ptr [eax+4], 1

loc_528EDA:				; CODE XREF: .text:00528ED3j
		mov	eax, [ebp-0E8h]
		mov	[ebp-100h], eax
		mov	[ebp-134h], eax
		jmp	short loc_528EF4
; 

loc_528EEE:				; CODE XREF: .text:00528E78j
		mov	ecx, [ebp-0FCh]

loc_528EF4:				; CODE XREF: .text:00528EECj
		test	dl, 2
		jz	short loc_528F58
		lea	ecx, [ebx+edi]
		mov	[ebp-164h], ecx
		mov	edx, [ebp-11Ch]
		movzx	eax, word ptr [edx]
		push	eax
		push	edx
		push	ecx
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp-0FCh]
		or	word ptr [ecx],	1
		mov	eax, [ebp-11Ch]
		movzx	eax, word ptr [eax]
		add	ebx, eax
		mov	[ebp-110h], ebx
		mov	eax, [ebp-100h]
		test	eax, eax
		jz	short loc_528F40
		or	word ptr [eax+4], 1

loc_528F40:				; CODE XREF: .text:00528F39j
		mov	eax, [ebp-164h]
		mov	[ebp-100h], eax
		mov	[ebp-134h], eax
		mov	edx, [ebp-0F4h]

loc_528F58:				; CODE XREF: .text:00528EF7j
		test	dl, 1
		jz	short loc_528FCA
		lea	eax, [ebx+edi]
		mov	[ebp-0E8h], eax
		mov	dword ptr [eax], 30010h
		mov	dword ptr [eax+4], 40000h
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		lea	ecx, [eax+1]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ebp-0E8h]
		mov	[eax+8], ecx
		mov	ecx, [ebp-0FCh]
		or	word ptr [ecx],	1
		add	ebx, 10h
		mov	[ebp-110h], ebx
		mov	eax, [ebp-100h]
		test	eax, eax
		jz	short loc_528FB8
		or	word ptr [eax+4], 1

loc_528FB8:				; CODE XREF: .text:00528FB1j
		mov	eax, [ebp-0E8h]
		mov	[ebp-100h], eax
		mov	[ebp-134h], eax

loc_528FCA:				; CODE XREF: .text:00528F5Bj
		test	dl, 20h
		jz	short loc_529048
		lea	eax, [ebx+edi]
		mov	[ebp-0E8h], eax
		mov	dword ptr [eax], 0D0010h
		mov	dword ptr [eax+4], 80000h
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	edi, ds:0FFDF02C4h
		xor	ecx, ecx
		shl	edi, 10h
		or	ecx, [eax+3E8h]
		or	edi, [eax+3ECh]
		mov	eax, [ebp-0E8h]
		mov	[eax+8], ecx
		mov	[eax+0Ch], edi
		mov	ecx, [ebp-0FCh]
		or	word ptr [ecx],	1
		add	ebx, 10h
		mov	[ebp-110h], ebx
		mov	eax, [ebp-100h]
		test	eax, eax
		jz	short loc_529036
		or	word ptr [eax+4], 1

loc_529036:				; CODE XREF: .text:0052902Fj
		mov	eax, [ebp-0E8h]
		mov	[ebp-100h], eax
		mov	[ebp-134h], eax

loc_529048:				; CODE XREF: .text:00528FCDj
		mov	edi, [ebp-108h]
		test	dl, 40h
		jz	loc_5290F1
		lea	eax, [ebx+edi]
		mov	[ebp-164h], eax
		mov	dword ptr [eax], 0A0010h
		mov	dword ptr [eax+4], 80000h
		test	byte ptr [ebp-0E1h], 4
		jnz	short loc_5290A9
		lea	ecx, [ebp-17Ch]
		call	_EtwpCreateEventKey@4 ;	EtwpCreateEventKey(x)
		or	byte ptr [ebp-0E1h], 4
		mov	eax, [ebp-18Ch]
		test	eax, eax
		jz	short loc_5290A3
		mov	ecx, [ebp-17Ch]
		mov	[eax], ecx
		mov	ecx, [ebp-178h]
		mov	[eax+4], ecx

loc_5290A3:				; CODE XREF: .text:00529090j
		mov	ecx, [ebp-0FCh]

loc_5290A9:				; CODE XREF: .text:00529074j
		mov	edx, [ebp-164h]
		mov	eax, [ebp-17Ch]
		mov	[edx+8], eax
		mov	eax, [ebp-178h]
		mov	[edx+0Ch], eax
		or	word ptr [ecx],	1
		add	ebx, 10h
		mov	[ebp-110h], ebx
		mov	eax, [ebp-100h]
		test	eax, eax
		jz	short loc_5290DD
		or	word ptr [eax+4], 1

loc_5290DD:				; CODE XREF: .text:005290D6j
		mov	eax, edx
		mov	[ebp-100h], eax
		mov	[ebp-134h], eax
		mov	edx, [ebp-0F4h]

loc_5290F1:				; CODE XREF: .text:00529051j
		test	dl, 4
		jz	loc_5291FF
		lea	ecx, [ebx+edi]
		mov	[ebp-0E8h], ecx
		mov	edx, [ebp-12Ch]
		movzx	eax, word ptr [edx]
		push	eax
		push	edx
		push	ecx
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp-0E8h]
		mov	eax, [ecx+8]
		or	eax, [ecx+0Ch]
		jz	loc_5291C7
		mov	eax, [ebp-0F4h]
		test	al, 10h
		jnz	loc_5291C7
		mov	eax, [ebp-130h]
		cmp	eax, ds:_EtwpHostSiloState
		jnz	short loc_5291B1
		push	41777445h
		push	30h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp-0ECh], eax
		test	eax, eax
		jz	short loc_5291AB
		push	dword ptr [ebp-114h]
		push	0
		push	offset _EtwpCrimsonStackWalkApc@20 ; EtwpCrimsonStackWalkApc(x,x,x,x,x)
		push	0
		push	offset _EtwpCrimsonStackWalkApc@20 ; EtwpCrimsonStackWalkApc(x,x,x,x,x)
		push	0
		push	dword ptr [ebp+30h]
		push	eax
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	0
		mov	ecx, [ebp-0E8h]
		mov	eax, [ecx+0Ch]
		push	eax
		mov	eax, [ecx+8]
		push	eax
		push	dword ptr [ebp-0ECh]
		call	KeInsertQueueApc
		test	al, al
		jnz	short loc_5291C1
		push	0
		push	dword ptr [ebp-0ECh]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5291AB:				; CODE XREF: .text:0052915Ej
		mov	ecx, [ebp-0E8h]

loc_5291B1:				; CODE XREF: .text:00529143j
		mov	dword ptr [ecx+8], 0
		mov	dword ptr [ecx+0Ch], 0
		jmp	short loc_5291C7
; 

loc_5291C1:				; CODE XREF: .text:0052919Cj
		mov	ecx, [ebp-0E8h]

loc_5291C7:				; CODE XREF: .text:00529123j
					; .text:00529131j ...
		mov	edx, [ebp-0FCh]
		or	word ptr [edx],	1
		mov	eax, [ebp-12Ch]
		movzx	eax, word ptr [eax]
		add	ebx, eax
		mov	[ebp-110h], ebx
		mov	eax, [ebp-100h]
		test	eax, eax
		jz	short loc_5291F1
		or	word ptr [eax+4], 1

loc_5291F1:				; CODE XREF: .text:005291EAj
		mov	eax, ecx
		mov	[ebp-100h], eax
		mov	[ebp-134h], eax

loc_5291FF:				; CODE XREF: .text:00528DB5j
					; .text:005290F4j
		mov	edx, [ebp-184h]
		test	dx, dx
		jz	loc_52931C
		lea	ecx, [ebx+edi]
		mov	[ebp-144h], ecx
		lea	eax, [edx+0Fh]
		and	eax, 0FFF8h
		mov	[ecx], ax
		mov	dword ptr [ecx+2], 0Ch
		mov	[ecx+6], dx
		sub	eax, edx
		sub	eax, 8
		movzx	eax, ax
		mov	[ebp-0ECh], eax
		lea	eax, [ecx+8]
		mov	[ebp-164h], eax
		mov	dword ptr [ebp-4], 0
		movzx	edi, dx
		push	edi
		push	dword ptr [ebp-180h]
		push	eax
		call	_memcpy
		mov	eax, [ebp-0ECh]
		movzx	eax, ax
		push	eax
		push	0
		mov	eax, [ebp-164h]
		add	eax, edi
		push	eax
		call	_memset
		add	esp, 18h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-100h]
		mov	edi, [ebp-144h]
		jmp	short loc_5292F8
; 

loc_52928D:				; DATA XREF: .text:006A5CCCo
		mov	eax, 1
		retn
; 

loc_529293:				; DATA XREF: .text:006A5CD0o
		mov	esp, [ebp-18h]
		movzx	ecx, word ptr [ebp-0ECh]
		movzx	eax, word ptr [ebp-184h]
		add	ecx, eax
		push	ecx
		push	0
		mov	edi, [ebp-144h]
		lea	eax, [edi+8]
		push	eax
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-140h]
		mov	[ebp-11Ch], eax
		mov	eax, [ebp-174h]
		mov	[ebp-130h], eax
		mov	esi, [ebp-0F8h]
		mov	ebx, [ebp-110h]
		mov	ecx, [ebp-134h]
		mov	eax, [ebp-15Ch]
		mov	[ebp-124h], eax

loc_5292F8:				; CODE XREF: .text:0052928Bj
		mov	eax, [ebp-0FCh]
		or	word ptr [eax],	1
		movzx	eax, word ptr [edi]
		add	ebx, eax
		mov	[ebp-110h], ebx
		test	ecx, ecx
		jz	short loc_529316
		or	word ptr [ecx+4], 1

loc_529316:				; CODE XREF: .text:0052930Fj
		mov	[ebp-100h], edi

loc_52931C:				; CODE XREF: .text:00529208j
		cmp	dword ptr [ebp-124h], 0
		jz	loc_5293A9
		mov	eax, [ebp-158h]
		lea	ecx, [eax+0Fh]
		and	ecx, 0FFF8h
		mov	edi, [ebp-108h]
		mov	[ebx+edi], cx
		mov	dword ptr [ebx+edi+2], 0Bh
		mov	dx, ax
		mov	[ebx+edi+6], dx
		sub	ecx, eax
		sub	ecx, 8
		movzx	edx, cx
		add	edi, 8
		add	edi, ebx
		mov	[ebp-138h], edi
		movzx	ecx, ax
		add	ecx, edi
		mov	[ebp-190h], ecx
		push	edx
		push	0
		push	ecx
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp-0FCh]
		or	word ptr [eax],	1
		mov	edx, [ebp-108h]
		movzx	eax, word ptr [ebx+edx]
		add	ebx, eax
		mov	[ebp-110h], ebx
		mov	eax, [ebp-100h]
		test	eax, eax
		jz	short loc_5293AF
		or	word ptr [eax+4], 1
		jmp	short loc_5293AF
; 

loc_5293A9:				; CODE XREF: .text:00529323j
		mov	edx, [ebp-108h]

loc_5293AF:				; CODE XREF: .text:005293A0j
					; .text:005293A7j
		xor	eax, eax

loc_5293B1:				; CODE XREF: .text:00529449j
					; .text:0052949Bj ...
		mov	[ebp-144h], eax
		cmp	eax, [ebp+28h]
		jnb	loc_52963B
		mov	ecx, eax
		shl	ecx, 4
		add	ecx, [ebp-160h]
		mov	edi, [ecx+8]
		mov	[ebp-0ECh], edi
		mov	eax, [ecx]
		mov	[ebp-0E8h], eax
		mov	eax, [ecx+4]
		mov	[ebp-164h], eax
		cmp	word ptr [ebp-188h], 0
		jnz	short loc_5293F3
		xor	al, al
		jmp	short loc_5293F6
; 

loc_5293F3:				; CODE XREF: .text:005293EDj
		mov	al, [ecx+0Ch]

loc_5293F6:				; CODE XREF: .text:005293F1j
		movzx	eax, al
		sub	eax, 0
		jz	loc_52958A
		sub	eax, 1
		jz	loc_5294A0
		sub	eax, 2
		jnz	loc_529629
		cmp	edi, 8
		jnz	loc_529629
		mov	dword ptr [ebp-4], 1
		mov	ecx, [ebp-0E8h]
		mov	eax, [ecx]
		mov	[edx+10h], eax
		mov	eax, [ecx+4]
		mov	[edx+14h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-144h]
		inc	eax
		mov	edx, [ebp-108h]
		jmp	loc_5293B1
; 

loc_52944E:				; DATA XREF: .text:006A5CD8o
		mov	eax, 1
		retn
; 

loc_529454:				; DATA XREF: .text:006A5CDCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-140h]
		mov	[ebp-11Ch], eax
		mov	eax, [ebp-174h]
		mov	[ebp-130h], eax
		mov	edx, [ebp-15Ch]
		mov	[ebp-124h], edx
		mov	ebx, [ebp-110h]
		mov	esi, [ebp-0F8h]
		mov	eax, [ebp-144h]
		inc	eax
		mov	edx, [ebp-108h]
		jmp	loc_5293B1
; 

loc_5294A0:				; CODE XREF: .text:00529405j
		mov	ecx, [ebp-138h]
		test	ecx, ecx
		jz	loc_529765
		lea	eax, [edi+ecx]
		cmp	eax, [ebp-190h]
		ja	loc_529765
		cmp	dword ptr [ebp-124h], 0
		jz	loc_529765
		mov	dword ptr [ebp-4], 2
		push	edi
		push	dword ptr [ebp-0E8h]
		push	ecx
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, [ebp-124h]
		add	[ebp-138h], edi
		dec	edx
		mov	[ebp-124h], edx
		mov	[ebp-15Ch], edx
		mov	eax, [ebp-144h]
		inc	eax
		mov	edx, [ebp-108h]
		jmp	loc_5293B1
; 

loc_529513:				; DATA XREF: .text:006A5CE4o
		mov	eax, 1
		retn
; 

loc_529519:				; DATA XREF: .text:006A5CE8o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-0ECh]
		push	edi
		push	0
		mov	eax, [ebp-138h]
		push	eax
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-140h]
		mov	[ebp-11Ch], eax
		mov	eax, [ebp-174h]
		mov	[ebp-130h], eax
		mov	esi, [ebp-0F8h]
		mov	ebx, [ebp-110h]
		mov	edx, [ebp-15Ch]
		add	[ebp-138h], edi
		dec	edx
		mov	[ebp-124h], edx
		mov	[ebp-15Ch], edx
		mov	eax, [ebp-144h]
		inc	eax
		mov	edx, [ebp-108h]
		jmp	loc_5293B1
; 

loc_52958A:				; CODE XREF: .text:005293FCj
		lea	eax, [ebx+edx]
		mov	[ebp-164h], eax
		add	ebx, edi
		mov	[ebp-110h], ebx
		cmp	ebx, esi
		ja	loc_529765
		mov	dword ptr [ebp-4], 3
		push	edi
		push	dword ptr [ebp-0E8h]
		push	eax
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-144h]
		inc	eax
		mov	edx, [ebp-108h]
		jmp	loc_5293B1
; 

loc_5295D3:				; DATA XREF: .text:006A5CF0o
		mov	eax, 1
		retn
; 

loc_5295D9:				; DATA XREF: .text:006A5CF4o
		mov	esp, [ebp-18h]
		push	dword ptr [ebp-0ECh]
		push	0
		push	dword ptr [ebp-164h]
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-140h]
		mov	[ebp-11Ch], eax
		mov	eax, [ebp-174h]
		mov	[ebp-130h], eax
		mov	eax, [ebp-15Ch]
		mov	[ebp-124h], eax
		mov	ebx, [ebp-110h]
		mov	esi, [ebp-0F8h]

loc_529629:				; CODE XREF: .text:0052940Ej
					; .text:00529417j
		mov	eax, [ebp-144h]
		inc	eax
		mov	edx, [ebp-108h]
		jmp	loc_5293B1
; 

loc_52963B:				; CODE XREF: .text:005293BAj
		mov	eax, [ebp-118h]
		test	dword ptr [eax+0Ch], 80000h
		jz	short loc_529672
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_52965C
		cmp	_KdPitchDebugger, 0
		jz	short loc_529665

loc_52965C:				; CODE XREF: .text:00529651j
		cmp	_KdEventLoggingPresent,	0
		jz	short loc_529672

loc_529665:				; CODE XREF: .text:0052965Aj
		lea	edx, [ebp-1A4h]
		mov	ecx, eax
		call	_EtwpSendTraceEvent@8 ;	EtwpSendTraceEvent(x,x)

loc_529672:				; CODE XREF: .text:00529648j
					; .text:00529663j
		mov	esi, [ebp-194h]
		test	esi, esi
		jz	loc_528050
		mov	edx, [ebp-114h]
		mov	eax, edx
		shr	eax, 5
		lea	ecx, [esi+eax*4]
		and	edx, 1Fh
		mov	eax, [ecx]
		bts	eax, edx
		mov	[ecx], eax
		jmp	loc_528050
; 

loc_52969D:				; CODE XREF: .text:005285D3j
		mov	ebx, [ebp-104h]
		mov	esi, [ebx+8]
		mov	edx, [ebx+0Ch]
		mov	cl, [ebx+4]
		cmp	byte ptr [ebp-109h], 2
		setb	al
		movzx	eax, al
		push	eax
		push	ebx
		push	dword ptr [ebp-150h]
		push	dword ptr [ebp-154h]
		lea	eax, [ebp-0E0h]
		push	eax
		push	edx
		push	esi
		mov	edx, [ebp-14Ch]
		call	EtwpFailLogging

loc_5296DB:				; CODE XREF: .text:005285E4j
					; .text:00528662j
		cmp	byte ptr [ebp-11Dh], 0
		jz	short loc_5296EF
		mov	ecx, [ebp-16Ch]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)

loc_5296EF:				; CODE XREF: .text:005296E2j
		mov	ebx, [ebp-11Ch]
		test	ebx, ebx
		jz	short loc_52973B
		mov	edx, large fs:20h
		mov	ecx, [edx+5E0h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_529734
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5E4h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_529734
		inc	dword ptr [ecx+18h]
		push	ebx
		mov	eax, [ecx+2Ch]
		call	eax
		jmp	short loc_52973B
; 

loc_529734:				; CODE XREF: .text:00529711j
					; .text:00529727j
		mov	edx, ebx
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_52973B:				; CODE XREF: .text:005296F7j
					; .text:00529732j
		mov	eax, [ebp-150h]

loc_529741:				; CODE XREF: .text:00527F4Fj
		lea	esp, [ebp-1CCh]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-1Ch]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	40h
; 

loc_529765:				; CODE XREF: .text:005294A8j
					; .text:005294B7j ...
		push	0
		push	esi
		push	ebx
		push	5
		push	11Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 3 dup(0CCh)
		align 10h
; Exported entry 1641. ObReferenceObjectByPointerWithTag

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObReferenceObjectByPointerWithTag
ObReferenceObjectByPointerWithTag proc near ; CODE XREF: ObOpenObjectByPointer+69p
					; IoRegisterPlugPlayNotification+40p

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005ED9AF SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	edx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	esi, [edi-18h]
		test	edx, edx
		jz	short loc_5297E1
		mov	eax, esi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		cmp	ds:_ObTypeIndexTable[ecx*4], edx
		jnz	short loc_5297E7

loc_5297B7:				; CODE XREF: ObReferenceObjectByPointerWithTag+65j
		cmp	ds:_ObpTraceFlags, 0
		jnz	loc_5ED9AF

loc_5297C4:				; CODE XREF: ObReferenceObjectByPointerWithTag+C423Dj
		mov	eax, 1
		lock xadd [esi], eax
		inc	eax
		cmp	eax, 1
		jle	loc_5ED9C2
		xor	eax, eax

loc_5297D9:				; CODE XREF: ObReferenceObjectByPointerWithTag+6Cj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_5297E1:				; CODE XREF: ObReferenceObjectByPointerWithTag+15j
		cmp	[ebp+arg_C], 0
		jz	short loc_5297B7

loc_5297E7:				; CODE XREF: ObReferenceObjectByPointerWithTag+35j
		mov	eax, 0C0000024h
		jmp	short loc_5297D9
ObReferenceObjectByPointerWithTag endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeAlertThreadByThreadId	proc near	; CODE XREF: NtAlertThreadByThreadId+3Dp
					; RtlpRunOnceWakeAll+12F128p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005ED9EA SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, large fs:20h
		lea	ebx, [esi+2Ch]
		mov	byte ptr [ebp+var_14], al
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], 0
		lea	ebx, [ebx+0]

loc_529820:				; CODE XREF: KeAlertThreadByThreadId+1AEj
		lock bts dword ptr [ebx], 0
		jb	loc_529990
		test	byte ptr [esi+5Ch], 10h
		jnz	loc_5EDA0C
		mov	al, [esi+90h]
		mov	[ebp+var_1], 1
		cmp	al, 5
		jnz	loc_5299A3
		mov	al, [esi+54h]
		mov	cl, al
		and	cl, 7
		cmp	cl, 4
		jz	loc_5299A3
		cmp	cl, 3
		jz	loc_5299A3
		cmp	byte ptr [esi+18Bh], 25h
		jnz	loc_5299A3
		movzx	ecx, al
		xor	dl, dl
		and	ecx, 7
		cmp	ecx, 1
		jnz	loc_5299AD

loc_52987F:				; CODE XREF: KeAlertThreadByThreadId+1C2j
		mov	ecx, [esi+0A4h]
		test	ecx, ecx
		jz	short loc_529899
		mov	al, [ecx]
		and	al, 7Fh
		cmp	al, 15h
		jz	loc_5ED9D0
		lock inc dword ptr [ecx+18h]

loc_529899:				; CODE XREF: KeAlertThreadByThreadId+97j
					; ObReferenceObjectByPointerWithTag+C4265j
		mov	eax, [esi+1B4h]
		test	eax, eax
		jz	short loc_5298FC
		lea	edi, [eax+3B28h]
		mov	[ebp+var_C], 0

loc_5298B0:				; CODE XREF: KeAlertThreadByThreadId+1D3j
		lock bts dword ptr [edi], 0
		jb	loc_5299B7
		mov	eax, [esi+1B4h]
		test	eax, eax
		jz	short loc_5298F4
		mov	edx, [esi+9Ch]
		lea	eax, [esi+9Ch]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_5ED9EA
		cmp	[ecx], eax
		jnz	loc_5ED9EA
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	dword ptr [esi+1B4h], 0

loc_5298F4:				; CODE XREF: KeAlertThreadByThreadId+D3j
		xor	eax, eax
		lock and [edi],	eax
		mov	edi, [ebp+var_10]

loc_5298FC:				; CODE XREF: KeAlertThreadByThreadId+B1j
		mov	al, [esi+90h]
		cmp	al, 1
		jz	loc_5ED9F1
		cmp	al, 5
		jnz	short loc_529933
		mov	eax, ds:_KeTickCount
		sub	eax, [esi+138h]
		cmp	byte ptr [esi+93h], 0
		jz	loc_5ED9FA
		add	[esi+258h], eax
		adc	dword ptr [esi+25Ch], 0

loc_529933:				; CODE XREF: KeAlertThreadByThreadId+11Cj
					; KeAlertThreadByThreadId+C4205j ...
		mov	byte ptr [esi+90h], 7
		lea	ecx, [esi+9Ch]
		mov	eax, [edi+3B1Ch]
		mov	dl, 1
		mov	[ecx], eax
		mov	[edi+3B1Ch], ecx
		mov	dword ptr [esi+94h], 101h
		mov	dword ptr [esi+248h], 0
		mov	al, [esi+54h]

loc_529967:				; CODE XREF: KeAlertThreadByThreadId+1C0j
		or	al, 80h
		mov	[esi+54h], al
		test	dl, dl
		jz	short loc_5299A3

loc_529970:				; CODE XREF: KeAlertThreadByThreadId+1BBj
					; KeAlertThreadByThreadId+C4220j
		push	[ebp+var_14]
		xor	edx, edx
		mov	dword ptr [ebx], 0
		push	1
		push	1
		mov	ecx, edi
		call	KiExitDispatcher
		mov	al, [ebp+var_1]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_529990:				; CODE XREF: KeAlertThreadByThreadId+35j
					; KeAlertThreadByThreadId+1ACj
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_529990
		jmp	loc_529820
; 

loc_5299A3:				; CODE XREF: KeAlertThreadByThreadId+51j
					; KeAlertThreadByThreadId+62j ...
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 4
		jmp	short loc_529970
; 

loc_5299AD:				; CODE XREF: KeAlertThreadByThreadId+89j
		cmp	ecx, 4
		jnz	short loc_529967
		jmp	loc_52987F
; 

loc_5299B7:				; CODE XREF: KeAlertThreadByThreadId+C5j
					; KeAlertThreadByThreadId+1D9j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jz	loc_5298B0
		jmp	short loc_5299B7
KeAlertThreadByThreadId	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExFastReferenceHandleTableEntry(x, x, x)
_ExFastReferenceHandleTableEntry@12 proc near ;	CODE XREF: ObWaitForMultipleObjects+199p
					; ObpReferenceObjectByHandleWithTag+D6p ...

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, edx
		mov	[esp+20h+var_10], ecx
		mov	[esp+20h+var_8], 0
		mov	[esp+20h+var_4], 0
		mov	eax, [edi]
		mov	[esi], eax
		mov	eax, [edi+4]
		mov	[esi+4], eax
		nop
		mov	eax, [esi+4]
		cmp	eax, 8000000h
		jb	short loc_529A86
		lea	esp, [esp+0]

loc_529A10:				; CODE XREF: ExFastReferenceHandleTableEntry(x,x,x)+CFj
		mov	ebx, [esi]
		test	ebx, ebx
		jz	short loc_529A86
		test	bl, 1
		jz	loc_529AA4
		mov	edx, [esi+4]
		mov	ecx, eax
		shr	ecx, 1Bh
		and	eax, 7FFFFFFh
		dec	ecx
		shl	ecx, 1Bh
		or	ecx, eax
		mov	eax, ebx
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, eax
		mov	eax, edx
		mov	edx, [esi+4]
		cmp	ebx, [esi]
		jnz	short loc_529A8B
		cmp	eax, edx
		jnz	short loc_529A8B
		mov	eax, edx
		mov	[esp+20h+var_C], 0
		and	eax, 0F8000000h
		cmp	eax, 40000000h
		jz	short loc_529A69
		xor	eax, eax

loc_529A60:				; CODE XREF: ExFastReferenceHandleTableEntry(x,x,x)+B9j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_529A69:				; CODE XREF: ExFastReferenceHandleTableEntry(x,x,x)+8Cj
		and	edx, 7FFFFFFh
		mov	eax, 18h
		or	edx, 38000000h
		pop	edi
		mov	[esi+4], edx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_529A86:				; CODE XREF: ExFastReferenceHandleTableEntry(x,x,x)+3Aj
					; ExFastReferenceHandleTableEntry(x,x,x)+44j ...
		or	eax, 0FFFFFFFFh
		jmp	short loc_529A60
; 

loc_529A8B:				; CODE XREF: ExFastReferenceHandleTableEntry(x,x,x)+72j
					; ExFastReferenceHandleTableEntry(x,x,x)+76j
		mov	[esi], ebx

loc_529A8D:				; CODE XREF: ExFastReferenceHandleTableEntry(x,x,x)+E3j
		mov	[esi+4], eax
		nop
		mov	eax, [esi+4]
		cmp	eax, 8000000h
		jb	short loc_529A86
		mov	ecx, [esp+20h+var_10]
		jmp	loc_529A10
; 

loc_529AA4:				; CODE XREF: ExFastReferenceHandleTableEntry(x,x,x)+49j
		push	ebx
		mov	edx, edi
		call	_ExpBlockOnLockedHandleEntry@12	; ExpBlockOnLockedHandleEntry(x,x,x)
		mov	eax, [edi]
		mov	[esi], eax
		mov	eax, [edi+4]
		jmp	short loc_529A8D
_ExFastReferenceHandleTableEntry@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


PsIsThreadInSilo proc near		; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+65p
					; VrpHandleIoctlCreateNamespaceNode+11Fp ...

; FUNCTION CHUNK AT 005EDA15 SIZE 0000000D BYTES

		test	edx, edx
		jnz	short loc_529AC7
		mov	al, 1
		retn
; 

loc_529AC7:				; CODE XREF: PsIsThreadInSilo+2j
		mov	eax, [ecx+390h]
		cmp	eax, 0FFFFFFFDh
		jnz	loc_5EDA15
		mov	ecx, [ecx+150h]
		jmp	_PsIsProcessInSilo@8 ; PsIsProcessInSilo(x,x)
PsIsThreadInSilo endp

; 
		align 10h
; Exported entry 1770. PsGetCurrentServerSilo

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentServerSilo()
		public _PsGetCurrentServerSilo@0
_PsGetCurrentServerSilo@0 proc near	; CODE XREF: PAGELK:loc_71EB44p
					; ExpSystemErrorHandler(x,x,x,x,x):loc_730B00p	...
		call	_KeIsExecutingInArbitraryThreadContext@0 ; KeIsExecutingInArbitraryThreadContext()
		test	eax, eax
		jz	short loc_529AFC
		xor	eax, eax
		retn
; 

loc_529AFC:				; CODE XREF: PsGetCurrentServerSilo()+7j
		mov	eax, large fs:124h
		mov	ecx, [eax+390h]
		cmp	ecx, 0FFFFFFFDh
		jz	short loc_529B14
		push	ecx
		call	_PsGetEffectiveServerSilo@4 ; PsGetEffectiveServerSilo(x)
		retn
; 

loc_529B14:				; CODE XREF: PsGetCurrentServerSilo()+1Bj
		mov	eax, [eax+150h]
		mov	eax, [eax+3A0h]
		retn
_PsGetCurrentServerSilo@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PsIsProcessInSilo(x, x)
_PsIsProcessInSilo@8 proc near		; CODE XREF: PsIsThreadInSilo+1Cj
					; ExpGetProcessInformation+1F3p ...
		test	edx, edx
		jnz	short loc_529B29

loc_529B26:				; CODE XREF: PsIsProcessInSilo(x,x)+Dj
					; PsIsProcessInSilo(x,x)+15j
		mov	al, 1
		retn
; 

loc_529B29:				; CODE XREF: PsIsProcessInSilo(x,x)+2j
		cmp	ecx, ds:_PsInitialSystemProcess
		jz	short loc_529B26
		cmp	ecx, ds:_PsIdleProcess
		jz	short loc_529B26
		mov	ecx, [ecx+158h]
		call	_PspGetJobSilo@4 ; PspGetJobSilo(x)
		mov	ecx, eax
		call	PspIsSiloInSilo
		test	al, al
		setnz	al
		retn
_PsIsProcessInSilo@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO(x)
_OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO@4 proc	near ; CODE XREF: ObfDereferenceObject+6Bp
					; ObpProcessRemoveObjectQueue+17p ...
		mov	al, [ecx+0Eh]
		test	al, 40h
		jz	short loc_529B7F
		movzx	eax, al
		and	eax, 7Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		mov	eax, [ecx]
		cmp	byte ptr [eax+0Ch], 0
		jz	short loc_529B7F
		retn
; 

loc_529B7F:				; CODE XREF: OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO(x)+5j
					; OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO(x)+1Cj
		xor	eax, eax
		retn
_OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepReconcileTrustSidWithProcessProtection(x, x, x, x)
_SepReconcileTrustSidWithProcessProtection@16 proc near
					; CODE XREF: SeCreateClientSecurityEx+9Ap
					; SeCreateClientSecurity(x,x,x,x)+92p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		mov	ecx, edx
		push	edi
		mov	byte ptr [ebx],	0
		mov	dword ptr [eax], 0
		call	SepSidFromProcessProtection
		mov	edi, eax
		test	edi, edi
		jnz	short loc_529BC1

loc_529BB6:				; CODE XREF: SepReconcileTrustSidWithProcessProtection(x,x,x,x)+3Aj
		test	esi, esi
		jnz	short loc_529BCE

loc_529BBA:				; CODE XREF: SepReconcileTrustSidWithProcessProtection(x,x,x,x)+5Bj
					; SepReconcileTrustSidWithProcessProtection(x,x,x,x)+63j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_529BC1:				; CODE XREF: SepReconcileTrustSidWithProcessProtection(x,x,x,x)+24j
		mov	ecx, edi
		call	_RtlIsValidProcessTrustLabelSid@4 ; RtlIsValidProcessTrustLabelSid(x)
		test	al, al
		jnz	short loc_529BB6
		jmp	short loc_529BF5
; 

loc_529BCE:				; CODE XREF: SepReconcileTrustSidWithProcessProtection(x,x,x,x)+28j
		mov	ecx, esi
		call	_RtlIsValidProcessTrustLabelSid@4 ; RtlIsValidProcessTrustLabelSid(x)
		test	al, al
		jz	short loc_529BF5
		test	edi, edi
		jz	short loc_529BEF
		mov	eax, [edi+8]
		cmp	eax, [esi+8]
		jb	short loc_529BF5
		mov	eax, [edi+0Ch]
		cmp	eax, [esi+0Ch]
		jnb	short loc_529BBA
		jmp	short loc_529BF5
; 

loc_529BEF:				; CODE XREF: SepReconcileTrustSidWithProcessProtection(x,x,x,x)+4Bj
		cmp	dword ptr [esi+8], 0
		jbe	short loc_529BBA

loc_529BF5:				; CODE XREF: SepReconcileTrustSidWithProcessProtection(x,x,x,x)+3Cj
					; SepReconcileTrustSidWithProcessProtection(x,x,x,x)+47j ...
		mov	eax, [ebp+arg_4]
		mov	byte ptr [ebx],	1
		mov	[eax], edi
		jmp	short loc_529BBA
_SepReconcileTrustSidWithProcessProtection@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 


SepSidFromProcessProtection proc near	; CODE XREF: SepSetTrustLevelForProcessToken(x,x,x)+1Cp
					; SepReconcileTrustSidWithProcessProtection(x,x,x,x)+1Bp ...

; FUNCTION CHUNK AT 005EDA22 SIZE 0000000C BYTES

		movzx	ecx, byte ptr [ecx]
		xor	eax, eax
		cmp	ecx, 12h
		jnb	short loc_529C0B

locret_529C0A:				; CODE XREF: SepSidFromProcessProtection+11j
					; SepSidFromProcessProtection+1Aj
					; DATA XREF: ...
		retn
; 

loc_529C0B:				; CODE XREF: SepSidFromProcessProtection+8j
		add	ecx, 0FFFFFFEEh
		cmp	ecx, 6Fh
		ja	short locret_529C0A
		movzx	ecx, ds:byte_529C60[ecx]
		jmp	ds:off_529C40[ecx*4]

loc_529C21:				; DATA XREF: .text:00529C44o
		mov	eax, _SeProcTrustLiteAntimalwareSid
		retn
; 

loc_529C27:				; CODE XREF: SepSidFromProcessProtection+1Aj
					; DATA XREF: .text:00529C48o
		mov	eax, _SeProcTrustLiteWinSid
		retn
; 

loc_529C2D:				; CODE XREF: SepSidFromProcessProtection+1Aj
					; DATA XREF: .text:00529C50o
		mov	eax, _SeProcTrustLiteWinTcbSid
		retn
; 

loc_529C33:				; CODE XREF: SepSidFromProcessProtection+1Aj
					; DATA XREF: .text:00529C4Co
		mov	eax, _SeProcTrustWinSid
		retn
; 

loc_529C39:				; CODE XREF: SepSidFromProcessProtection+1Aj
					; DATA XREF: .text:00529C54o
		mov	eax, _SeProcTrustWinTcbSid
		retn
SepSidFromProcessProtection endp

; 
		align 10h
off_529C40	dd offset loc_5EDA28	; DATA XREF: SepSidFromProcessProtection+1Ar
		dd offset loc_529C21
		dd offset loc_529C27
		dd offset loc_529C33
		dd offset loc_529C2D
		dd offset loc_529C39
		dd offset loc_5EDA22
		dd offset locret_529C0A
byte_529C60	db 0			; DATA XREF: SepSidFromProcessProtection+13r
; 
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		add	[edi], eax
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		add	al, [ebx]
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		add	al, 5
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		add	eax, 7070707h
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		pop	es
		push	es

;  S U B	R O U T	I N E 


; __stdcall IopUpdateReadOperationCount()
_IopUpdateReadOperationCount@0 proc near
					; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x):loc_7360D5p
		cmp	_IoCountOperations, 1
		jnz	short locret_529D00
		mov	eax, large fs:124h
		mov	ecx, 1
		mov	eax, [eax+150h]
		add	eax, 1F0h
		lock add [eax],	ecx
		jnb	short loc_529CF9
		lock adc dword ptr [eax+4], 0

loc_529CF9:				; CODE XREF: IopUpdateReadOperationCount()+22j
		inc	large dword ptr	fs:61Ch

locret_529D00:				; CODE XREF: IopUpdateReadOperationCount()+7j
		retn
_IopUpdateReadOperationCount@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall IopUpdateReadTransferCount(x, x)
_IopUpdateReadTransferCount@8 proc near	; CODE XREF: IopUpdateIrpTransferCount(x,x)+Bj
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+365p
		cmp	_IoCountOperations, 1
		jnz	short locret_529D51
		test	edx, edx
		jnz	short loc_529D2A
		mov	edx, large fs:124h
		mov	edx, [edx+150h]

loc_529D2A:				; CODE XREF: IopUpdateReadTransferCount(x,x)+Bj
		mov	eax, ecx
		add	edx, 208h
		lock add [edx],	eax
		jnb	short loc_529D3C
		lock adc dword ptr [edx+4], 0

loc_529D3C:				; CODE XREF: IopUpdateReadTransferCount(x,x)+25j
		mov	eax, large fs:20h
		add	eax, 508h
		lock add [eax],	ecx
		jnb	short locret_529D51
		lock adc dword ptr [eax+4], 0

locret_529D51:				; CODE XREF: IopUpdateReadTransferCount(x,x)+7j
					; IopUpdateReadTransferCount(x,x)+3Aj
		retn
_IopUpdateReadTransferCount@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepReferenceTokenByHandle proc near	; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+2F1p
					; PAGE:00807156p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005EDA2E SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_C]
		mov	byte ptr [esi],	0
		mov	dword ptr [edi], 0
		cmp	ecx, 0FFFFFFFAh
		jz	short loc_529DBB
		cmp	ecx, 0FFFFFFFBh
		jz	short loc_529DBB
		cmp	ecx, 0FFFFFFFCh
		jz	short loc_529DBB
		mov	eax, ds:_SeTokenObjectType
		lea	esi, [ebp+var_4]
		push	0
		push	esi
		push	[ebp+arg_0]
		mov	[ebp+var_4], 0
		push	eax
		push	edx
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, eax
		mov	eax, [ebp+var_4]
		mov	[ecx], eax

loc_529DB0:				; CODE XREF: SepReferenceTokenByHandle+EDj
					; SepReferenceTokenByHandle+139j
		mov	eax, edx

loc_529DB2:				; CODE XREF: SepReferenceTokenByHandle+C3CD3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_529DBB:				; CODE XREF: SepReferenceTokenByHandle+1Dj
					; SepReferenceTokenByHandle+22j ...
		test	edx, 0FFFFFFE7h
		jnz	loc_5EDA2E
		mov	ebx, [ebp+arg_4]
		mov	byte ptr [ebp+arg_C+3],	0
		mov	[ebp+arg_0], 0
		mov	[ebp+var_8], 0
		mov	dword ptr [ebx], 0
		mov	byte ptr [esi],	0
		mov	byte ptr [ebp+arg_8+3],	0
		mov	dword ptr [edi], 0
		cmp	ecx, 0FFFFFFFCh
		jz	loc_529E83
		lea	eax, [ebp+arg_8+3]
		cmp	ecx, 0FFFFFFFBh
		mov	ecx, large fs:124h
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+arg_C+3]
		push	eax
		jz	short loc_529E52
		lea	edx, [ebp+var_8]
		call	PsReferenceEffectiveToken
		cmp	[ebp+var_8], 2
		mov	[ebp+arg_C], eax
		jz	short loc_529E9E

loc_529E21:				; CODE XREF: SepReferenceTokenByHandle+10Cj
					; SepReferenceTokenByHandle+142j
		mov	edx, [eax+280h]
		lea	ecx, [ebp+arg_8+3]
		mov	byte ptr [esi],	0
		mov	[ebp+arg_4], edx
		mov	dword ptr [edi], 0
		call	SepSidFromProcessProtection
		mov	[ebp+arg_8], eax
		test	eax, eax
		jnz	short loc_529EAA

loc_529E42:				; CODE XREF: SepReferenceTokenByHandle+158j
		test	edx, edx
		jnz	short loc_529EBA

loc_529E46:				; CODE XREF: SepReferenceTokenByHandle+17Dj
					; SepReferenceTokenByHandle+188j ...
		mov	eax, [ebp+arg_C]
		xor	edx, edx
		mov	[ebx], eax
		jmp	loc_529DB0
; 

loc_529E52:				; CODE XREF: SepReferenceTokenByHandle+AEj
		lea	eax, [ebp+arg_4+3]
		xor	edx, edx
		push	eax
		call	_PsReferenceImpersonationTokenEx@24 ; PsReferenceImpersonationTokenEx(x,x,x,x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		jz	loc_529F01
		cmp	[ebp+arg_0], 0
		jnz	short loc_529E21

loc_529E6E:				; CODE XREF: SepReferenceTokenByHandle+148j
		mov	ecx, eax
		call	ObfDereferenceObject
		pop	edi
		pop	esi
		mov	eax, 0C00000A6h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_529E83:				; CODE XREF: SepReferenceTokenByHandle+92j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	[ebx], eax
		xor	edx, edx
		jmp	loc_529DB0
; 

loc_529E9E:				; CODE XREF: SepReferenceTokenByHandle+BFj
		cmp	[ebp+arg_0], 0
		jnz	loc_529E21
		jmp	short loc_529E6E
; 

loc_529EAA:				; CODE XREF: SepReferenceTokenByHandle+E0j
		mov	ecx, eax
		call	_RtlIsValidProcessTrustLabelSid@4 ; RtlIsValidProcessTrustLabelSid(x)
		test	al, al
		jz	short loc_529F0F
		mov	edx, [ebp+arg_4]
		jmp	short loc_529E42
; 

loc_529EBA:				; CODE XREF: SepReferenceTokenByHandle+E4j
		mov	ecx, edx
		call	_RtlIsValidProcessTrustLabelSid@4 ; RtlIsValidProcessTrustLabelSid(x)
		mov	edx, [ebp+arg_8]
		test	al, al
		jz	short loc_529EF7
		mov	ecx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_529EED
		mov	eax, [edx+8]
		cmp	eax, [ecx+8]
		jb	short loc_529EF7
		mov	eax, [edx+0Ch]
		cmp	eax, [ecx+0Ch]
		jnb	loc_529E46
		mov	byte ptr [esi],	1
		mov	[edi], edx
		jmp	loc_529E46
; 

loc_529EED:				; CODE XREF: SepReferenceTokenByHandle+16Dj
		cmp	dword ptr [ecx+8], 0
		jbe	loc_529E46

loc_529EF7:				; CODE XREF: SepReferenceTokenByHandle+166j
					; SepReferenceTokenByHandle+175j ...
		mov	byte ptr [esi],	1
		mov	[edi], edx
		jmp	loc_529E46
; 

loc_529F01:				; CODE XREF: SepReferenceTokenByHandle+102j
		pop	edi
		pop	esi
		mov	eax, 0C000007Ch
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_529F0F:				; CODE XREF: SepReferenceTokenByHandle+153j
		mov	edx, [ebp+arg_8]
		jmp	short loc_529EF7
SepReferenceTokenByHandle endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall UNLOCK_ADDRESS_SPACE_SHARED(x, x)
_UNLOCK_ADDRESS_SPACE_SHARED@8 proc near ; CODE	XREF: MmGetImageInformation(x,x,x,x)+B4p
					; MiCfgInitializeProcess(x)+C8p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, 11h
		push	edi
		lea	edi, [edx+134h]
		xor	edx, edx
		and	byte ptr [esi+304h], 0FDh
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_529F60

loc_529F43:				; CODE XREF: UNLOCK_ADDRESS_SPACE_SHARED(x,x)+47j
		mov	ecx, edi
		call	KeAbPostRelease
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_529F5D
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	short loc_529F69

loc_529F5D:				; CODE XREF: UNLOCK_ADDRESS_SPACE_SHARED(x,x)+33j
		pop	edi
		pop	esi
		retn
; 

loc_529F60:				; CODE XREF: UNLOCK_ADDRESS_SPACE_SHARED(x,x)+21j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_529F43
; 

loc_529F69:				; CODE XREF: UNLOCK_ADDRESS_SPACE_SHARED(x,x)+3Bj
		pop	edi
		pop	esi
		jmp	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
_UNLOCK_ADDRESS_SPACE_SHARED@8 endp


;  S U B	R O U T	I N E 


; __stdcall LOCK_ADDRESS_SPACE_SHARED(x, x)
_LOCK_ADDRESS_SPACE_SHARED@8 proc near	; CODE XREF: MmGetImageInformation(x,x,x,x)+4Bp
					; MiCfgInitializeProcess(x)+6Ep ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		dec	word ptr [esi+13Eh]
		nop
		lea	ecx, [edx+134h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		or	byte ptr [esi+304h], 2
		nop
		pop	esi
		retn
_LOCK_ADDRESS_SPACE_SHARED@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiUnlockAndDereferenceVadShared	proc near ; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+399p
					; MiGetWorkingSetInfoList(x,x,x,x)+11B4p ...

; FUNCTION CHUNK AT 005EDA38 SIZE 00000033 BYTES

		mov	edi, edi
		push	edi
		mov	edi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [edi+14h], eax
		dec	eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_5EDA38
		push	ebx
		push	esi
		test	eax, eax
		jnz	short loc_529FC3
		test	byte ptr [edi+1Ch], 4
		jnz	short loc_52A011

loc_529FC3:				; CODE XREF: MiUnlockAndDereferenceVadShared+1Bj
		xor	ebx, ebx

loc_529FC5:				; CODE XREF: MiUnlockAndDereferenceVadShared+76j
		mov	esi, large fs:124h
		lea	ecx, [edi+18h]
		xor	edx, edx
		mov	eax, 11h
		and	byte ptr [esi+305h], 0BFh
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	short loc_52A007

loc_529FE6:				; CODE XREF: MiUnlockAndDereferenceVadShared+6Fj
		call	KeAbPostRelease
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_529FFE
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	short loc_52A022

loc_529FFE:				; CODE XREF: MiUnlockAndDereferenceVadShared+54j
					; MiUnlockAndDereferenceVadShared+87j
		pop	esi
		cmp	ebx, 1
		pop	ebx
		jz	short loc_52A018
		pop	edi
		retn
; 

loc_52A007:				; CODE XREF: MiUnlockAndDereferenceVadShared+44j
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	ecx, [edi+18h]
		jmp	short loc_529FE6
; 

loc_52A011:				; CODE XREF: MiUnlockAndDereferenceVadShared+21j
		mov	ebx, 1
		jmp	short loc_529FC5
; 

loc_52A018:				; CODE XREF: MiUnlockAndDereferenceVadShared+63j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		retn
; 

loc_52A022:				; CODE XREF: MiUnlockAndDereferenceVadShared+5Cj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_529FFE
MiUnlockAndDereferenceVadShared	endp

; 
		align 10h

;  S U B	R O U T	I N E 


MI_GET_GRAPHICS_PROTECTION_FROM_VAD proc near ;	CODE XREF: .text:004511E3p
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+401p ...
		mov	eax, [ecx+1Ch]
		mov	ecx, eax
		and	ecx, 1100000h
		cmp	ecx, 1100000h
		jz	loc_5EDA3F
		xor	eax, eax
		retn
MI_GET_GRAPHICS_PROTECTION_FROM_VAD endp


;  S U B	R O U T	I N E 


; __stdcall MiVadDeleted(x)
_MiVadDeleted@4	proc near		; CODE XREF: MiAllocateFromSubAllocatedRegion+11Ep
					; MmEnumerateAddressSpaceAndReferenceImages+100p ...
		mov	eax, [ecx+1Ch]
		shr	eax, 2
		and	eax, 1
		retn
_MiVadDeleted@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiLockVadShared(x, x)
_MiLockVadShared@8 proc	near		; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+EEp
					; MmQueryVirtualMemory+22Ap ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		dec	word ptr [esi+13Eh]
		nop
		lea	ecx, [edx+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		or	byte ptr [esi+305h], 40h
		nop
		pop	esi
		retn
_MiLockVadShared@8 endp

; 
		align 2

; __stdcall MiReferenceVad(x)
_MiReferenceVad@4:			; CODE XREF: MiCfgInitializeProcess(x)+BFp
					; MiAllocateFromSubAllocatedRegion+FCp	...
		xor	eax, eax
		inc	eax
		lock xadd [ecx+14h], eax
		jz	short loc_52A08D
		retn
; 

loc_52A08D:				; CODE XREF: .text:0052A08Aj
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		align 10h

; __stdcall NtSetInformationWorkerFactory(x, x,	x, x)
_NtSetInformationWorkerFactory@16:	; DATA XREF: .text:00580CA8o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6140
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		mov	[ebp-1Ch], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	eax, [ebp+8]
		mov	[ebp-3Ch], eax
		mov	ecx, [ebp+10h]
		mov	[ebp-50h], ecx
		xor	eax, eax
		mov	[ebp-48h], eax
		mov	[ebp-44h], eax
		mov	[ebp-40h], eax
		mov	[ebp-64h], eax
		mov	[ebp-60h], eax
		mov	[ebp-5Ch], eax
		mov	[ebp-58h], eax
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	[ebp-4Ch], bl
		xor	edi, edi
		mov	[ebp-24h], edi
		xor	edx, edx
		mov	[ebp-2Ch], edx
		mov	[ebp-20h], edx
		mov	esi, [ebp+0Ch]
		add	esi, 0FFFFFFFEh
		cmp	esi, 0Dh
		ja	loc_52A763
		movzx	eax, ds:byte_52A7AC[esi]
		jmp	ds:off_52A798[eax*4]

loc_52A134:				; DATA XREF: .text:0052A79Co
		mov	edx, 4
		jmp	short loc_52A15B
; 

loc_52A13B:				; CODE XREF: .text:0052A12Dj
					; DATA XREF: .text:0052A7A4o
		mov	eax, [ebp+14h]
		cmp	eax, 8
		jnb	short loc_52A156
		mov	edx, eax
		and	edx, 7
		add	edx, eax
		jmp	short loc_52A15B
; 

loc_52A14C:				; CODE XREF: .text:0052A12Dj
					; DATA XREF: .text:0052A7A0o
		mov	eax, 0C0000002h
		jmp	loc_52A768
; 

loc_52A156:				; CODE XREF: .text:0052A12Dj
					; .text:0052A141j
					; DATA XREF: ...
		mov	edx, 8

loc_52A15B:				; CODE XREF: .text:0052A139j
					; .text:0052A14Aj
		mov	[ebp-34h], edx
		cmp	[ebp+14h], edx
		jz	short loc_52A16D
		mov	eax, 0C0000004h
		jmp	loc_52A768
; 

loc_52A16D:				; CODE XREF: .text:0052A161j
		mov	[ebp-4], edi
		movzx	eax, ds:byte_52A7D4[esi]
		jmp	ds:off_52A7BC[eax*4]

loc_52A17E:				; DATA XREF: .text:off_52A7BCo
		test	bl, bl
		jz	loc_52A240
		mov	eax, ecx
		test	cl, 3
		jnz	loc_52A786
		jmp	loc_52A231
; 

loc_52A196:				; CODE XREF: .text:0052A177j
					; DATA XREF: .text:0052A7CCo
		test	bl, bl
		jz	short loc_52A1BA
		test	edx, edx
		jz	short loc_52A1BA
		test	cl, 3
		jnz	loc_52A78B
		lea	esi, [ecx+edx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		ja	short loc_52A1B7
		cmp	esi, ecx
		jnb	short loc_52A1BA

loc_52A1B7:				; CODE XREF: .text:0052A1B1j
		mov	byte ptr [eax],	0

loc_52A1BA:				; CODE XREF: .text:0052A198j
					; .text:0052A19Cj ...
		push	edx
		push	ecx
		lea	eax, [ebp-24h]
		push	eax
		call	_memcpy
		add	esp, 0Ch
		mov	edi, [ebp-24h]
		mov	eax, [ebp-20h]
		jmp	short loc_52A24B
; 

loc_52A1D0:				; CODE XREF: .text:0052A177j
					; DATA XREF: .text:0052A7C0o
		test	bl, bl
		jz	short loc_52A22A
		mov	edi, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_52A1E1
		mov	edi, eax

loc_52A1E1:				; CODE XREF: .text:0052A1DDj
		nop
		mov	edi, [edi]
		mov	[ebp-24h], edi
		mov	eax, [ebp-20h]
		jmp	short loc_52A24B
; 

loc_52A1EC:				; CODE XREF: .text:0052A177j
					; DATA XREF: .text:0052A7C8o
		test	bl, bl
		jz	short loc_52A24E
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_52A1FD
		mov	edx, eax

loc_52A1FD:				; CODE XREF: .text:0052A1F9j
		mov	eax, [edx]
		mov	[edx], eax
		mov	eax, [ebp-20h]
		mov	edi, [ebp-24h]
		jmp	short loc_52A24B
; 

loc_52A209:				; CODE XREF: .text:0052A177j
					; DATA XREF: .text:0052A7C4o
		test	bl, bl
		jz	short loc_52A22A
		test	cl, 3
		jnz	loc_52A790
		lea	eax, [ecx+4]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_52A227
		cmp	eax, ecx
		jnb	short loc_52A22A

loc_52A227:				; CODE XREF: .text:0052A221j
		mov	byte ptr [edx],	0

loc_52A22A:				; CODE XREF: .text:0052A1D2j
					; .text:0052A20Bj ...
		mov	edi, [ecx]
		mov	[ebp-24h], edi
		jmp	short loc_52A24E
; 

loc_52A231:				; CODE XREF: .text:0052A191j
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		jb	short loc_52A23D
		mov	eax, edx

loc_52A23D:				; CODE XREF: .text:0052A239j
		nop
		mov	al, [eax]

loc_52A240:				; CODE XREF: .text:0052A180j
		mov	edi, [ecx]
		mov	[ebp-24h], edi
		mov	eax, [ecx+4]
		mov	[ebp-20h], eax

loc_52A24B:				; CODE XREF: .text:0052A1CEj
					; .text:0052A1EAj ...
		mov	[ebp-2Ch], eax

loc_52A24E:				; CODE XREF: .text:0052A1EEj
					; .text:0052A22Fj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, ds:_ExpWorkerFactoryObjectType
		mov	dword ptr [ebp-38h], 0
		push	0
		lea	ecx, [ebp-38h]
		push	ecx
		push	dword ptr [ebp-4Ch]
		push	eax
		push	4
		push	dword ptr [ebp-3Ch]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_52A768
		cmp	dword ptr [ebp+0Ch], 8
		jnz	short loc_52A2A8
		mov	ecx, [ebp-38h]
		mov	eax, [ecx+4]
		mov	eax, [eax+4]
		test	edi, edi
		jnz	short loc_52A299
		mov	edi, ds:_KeNumberProcessors
		mov	ecx, [ebp-38h]

loc_52A299:				; CODE XREF: .text:0052A28Ej
		mov	[eax+1Ch], edi
		call	ObfDereferenceObject
		xor	eax, eax
		jmp	loc_52A768
; 

loc_52A2A8:				; CODE XREF: .text:0052A281j
		xor	ebx, ebx
		mov	[ebp-3Ch], ebx
		xor	al, al
		mov	[ebp-27h], al
		mov	[ebp-2Dh], al
		mov	[ebp-25h], al
		mov	[ebp-2Fh], al
		mov	byte ptr [ebp-26h], 1
		mov	esi, [ebp-38h]
		lea	edx, [ebp-48h]
		mov	ecx, [esi+4]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp+0Ch]
		add	eax, 0FFFFFFFEh
		jmp	ds:off_52A7E4[eax*4]
; 

loc_52A2DA:				; DATA XREF: .text:0052A80Co
		xor	edi, edi
		cmp	[esi+60h], ebx
		jnz	short loc_52A2FC
		mov	edx, [esi+50h]
		mov	eax, [esi+48h]
		cmp	edx, eax
		jbe	short loc_52A2FC
		sub	edx, eax
		push	edi
		push	edi
		mov	ecx, [esi+4]
		mov	ecx, [ecx+4]
		call	_KeTimeOutQueueWaiters@16 ; KeTimeOutQueueWaiters(x,x,x,x)
		mov	edi, eax

loc_52A2FC:				; CODE XREF: .text:0052A2DFj
					; .text:0052A2E9j
		lea	ecx, [ebp-48h]
		call	KeReleaseInStackQueuedSpinLock
		xor	cl, cl
		mov	[ebp-26h], cl
		mov	[ebp-2Eh], cl
		mov	dword ptr [ebp-4], 1
		mov	eax, [ebp-50h]
		mov	[eax], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_52A69F
; 

loc_52A324:				; DATA XREF: .text:006A6160o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_52A32A:				; DATA XREF: .text:006A6164o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dl, [ebp-2Dh]
		mov	[ebp-27h], dl
		mov	cl, [ebp-2Eh]
		mov	[ebp-26h], cl
		mov	ebx, [ebp-3Ch]
		mov	al, [ebp-2Fh]
		mov	esi, [ebp-38h]
		jmp	loc_52A6A2
; 

loc_52A34E:				; CODE XREF: .text:0052A2D3j
					; DATA XREF: .text:off_52A7E4o
		mov	eax, [esi+4]
		cmp	[eax+15h], bl
		jnz	loc_52A69A
		mov	edx, [ebp-2Ch]
		test	edx, edx
		jg	short loc_52A3CE
		jl	short loc_52A367
		test	edi, edi
		jnb	short loc_52A3CE

loc_52A367:				; CODE XREF: .text:0052A361j
		cmp	edx, 0FFFFFFFFh
		jl	short loc_52A380
		jg	short loc_52A376
		cmp	edi, 0FF676980h
		jbe	short loc_52A380

loc_52A376:				; CODE XREF: .text:0052A36Cj
		mov	edi, 0FF676980h
		or	edx, 0FFFFFFFFh
		jmp	short loc_52A399
; 

loc_52A380:				; CODE XREF: .text:0052A36Aj
					; .text:0052A374j
		cmp	edx, 0FFFFFFFEh
		jg	short loc_52A399
		jl	short loc_52A38F
		cmp	edi, 9A5F4400h
		jnb	short loc_52A399

loc_52A38F:				; CODE XREF: .text:0052A385j
		mov	edi, 9A5F4400h
		mov	edx, 0FFFFFFFEh

loc_52A399:				; CODE XREF: .text:0052A37Ej
					; .text:0052A383j ...
		mov	[esi+38h], edi
		mov	[esi+3Ch], edx
		mov	dword ptr [ebp-5Ch], 0FFFFFFFFh
		mov	dword ptr [ebp-58h], 0FFFFFFFFh
		lea	eax, [ebp-64h]
		push	eax
		mov	ecx, edi
		neg	ecx
		mov	eax, edx
		adc	eax, 0
		neg	eax
		push	eax
		push	ecx
		push	edx
		push	edi
		lea	eax, [esi+78h]
		push	eax
		call	KeSetTimer2
		jmp	loc_52A69F
; 

loc_52A3CE:				; CODE XREF: .text:0052A35Fj
					; .text:0052A365j
		mov	ebx, 0C000000Dh
		jmp	loc_52A69F
; 

loc_52A3D8:				; CODE XREF: .text:0052A2D3j
					; DATA XREF: .text:0052A7E8o
		mov	ecx, [esi+64h]
		test	edi, edi
		js	short loc_52A3EE
		lea	eax, [ecx+edi]
		cmp	ecx, eax
		jb	short loc_52A3E9
		or	eax, 0FFFFFFFFh

loc_52A3E9:				; CODE XREF: .text:0052A3E4j
		mov	[esi+64h], eax
		jmp	short loc_52A403
; 

loc_52A3EE:				; CODE XREF: .text:0052A3DDj
		mov	eax, edi
		neg	eax
		cmp	ecx, eax
		jbe	short loc_52A3FE
		lea	eax, [ecx+edi]
		mov	[esi+64h], eax
		jmp	short loc_52A403
; 

loc_52A3FE:				; CODE XREF: .text:0052A3F4j
		mov	[esi+64h], ebx
		xor	eax, eax

loc_52A403:				; CODE XREF: .text:0052A3ECj
					; .text:0052A3FCj
		test	ecx, ecx
		jnz	short loc_52A436
		test	eax, eax
		jz	short loc_52A42E
		mov	ecx, esi
		call	_ExpTryEnterWorkerFactoryAwayMode@4 ; ExpTryEnterWorkerFactoryAwayMode(x)
		test	al, al
		jz	loc_52A69F
		push	0
		lea	edx, [ebp-48h]
		mov	ecx, esi
		call	ExpWorkerFactoryCheckCreate
		mov	[ebp-26h], bl
		jmp	loc_52A69F
; 

loc_52A42E:				; CODE XREF: .text:0052A409j
		test	ecx, ecx
		jz	loc_52A69F

loc_52A436:				; CODE XREF: .text:0052A405j
		test	eax, eax
		jnz	loc_52A69F
		test	dword ptr [esi+68h], 200h
		jz	loc_52A69F
		mov	ecx, esi
		call	_ExpLeaveWorkerFactoryAwayMode@4 ; ExpLeaveWorkerFactoryAwayMode(x)
		jmp	loc_52A69F
; 

loc_52A457:				; CODE XREF: .text:0052A2D3j
					; DATA XREF: .text:0052A7ECo
		mov	eax, [esi+4]
		cmp	[eax+15h], bl
		jnz	loc_52A69A
		cmp	edi, [esi+48h]
		mov	al, 1
		ja	short loc_52A46D
		mov	al, [ebp-25h]

loc_52A46D:				; CODE XREF: .text:0052A468j
		mov	[esi+48h], edi
		cmp	[esi+4Ch], edi
		jnb	short loc_52A478
		mov	[esi+4Ch], edi

loc_52A478:				; CODE XREF: .text:0052A473j
		test	al, al
		jz	loc_52A72B
		mov	[ebp-25h], bl
		test	dword ptr [esi+68h], 200h
		jz	short loc_52A493
		mov	ecx, esi
		call	_ExpLeaveWorkerFactoryAwayMode@4 ; ExpLeaveWorkerFactoryAwayMode(x)

loc_52A493:				; CODE XREF: .text:0052A48Aj
		mov	eax, [esi+50h]
		add	eax, [esi+58h]
		cmp	eax, [esi+48h]
		jnb	loc_52A696

loc_52A4A2:				; CODE XREF: .text:0052A4CEj
		inc	dword ptr [esi+60h]
		lea	ecx, [ebp-48h]
		call	KeReleaseInStackQueuedSpinLock
		mov	ecx, esi
		call	ExpWorkerFactoryCreateThread
		mov	ebx, eax
		lea	edx, [ebp-48h]
		mov	ecx, [esi+4]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	ebx, ebx
		js	short loc_52A4D5
		mov	ecx, [esi+50h]
		add	ecx, [esi+58h]
		cmp	ecx, [esi+48h]
		jb	short loc_52A4A2
		jmp	loc_52A69F
; 

loc_52A4D5:				; CODE XREF: .text:0052A4C3j
		dec	dword ptr [esi+60h]
		jmp	loc_52A69F
; 

loc_52A4DD:				; CODE XREF: .text:0052A2D3j
					; DATA XREF: .text:0052A7F0o
		mov	eax, [esi+4]
		cmp	[eax+15h], bl
		jnz	loc_52A69A
		mov	byte ptr [ebp-27h], 1
		test	edi, edi
		jz	short loc_52A50C
		cmp	[esi+4Ch], ebx
		jnz	short loc_52A4FB
		cmp	[eax+0Ch], ebx
		jnz	short loc_52A508

loc_52A4FB:				; CODE XREF: .text:0052A4F4j
		mov	eax, [eax+4]
		push	eax
		call	_KeReadStateSemaphore@4	; KeReadStateSemaphore(x)
		test	eax, eax
		jle	short loc_52A50C

loc_52A508:				; CODE XREF: .text:0052A4F9j
		mov	al, 1
		jmp	short loc_52A50F
; 

loc_52A50C:				; CODE XREF: .text:0052A4EFj
					; .text:0052A506j
		mov	al, [ebp-25h]

loc_52A50F:				; CODE XREF: .text:0052A50Aj
		mov	[esi+4Ch], edi
		cmp	edi, [esi+48h]
		jnb	loc_52A6A2
		mov	[esi+48h], edi
		jmp	loc_52A6A2
; 

loc_52A523:				; DATA XREF: .text:0052A814o
		mov	eax, [esi+4]
		cmp	[eax+15h], bl
		jnz	loc_52A69A
		mov	[esi+5Ch], edi
		test	edi, edi
		jz	loc_52A69F
		mov	eax, [esi+48h]
		cmp	edi, eax
		jnb	short loc_52A549
		mov	[esi+5Ch], eax
		jmp	loc_52A69F
; 

loc_52A549:				; CODE XREF: .text:0052A53Fj
		mov	eax, [esi+4Ch]
		cmp	edi, eax
		jbe	loc_52A69F
		mov	[esi+5Ch], eax
		jmp	loc_52A69F
; 

loc_52A55C:				; DATA XREF: .text:0052A800o
		cmp	edi, 3		; switch 4 cases
		ja	loc_52A5F3	; default
		jmp	ds:off_52A81C[edi*4] ; switch jump

loc_52A56C:				; DATA XREF: .text:off_52A81Co
		mov	eax, [esi+50h]	; case 0x0
		cmp	eax, [esi+54h]
		jnz	short loc_52A585
		mov	ebx, 0C0000001h
		mov	al, [ebp-25h]
		mov	byte ptr [ebp-27h], 0
		jmp	loc_52A6A2
; 

loc_52A585:				; CODE XREF: .text:0052A572j
		inc	eax
		mov	[esi+50h], eax
		mov	al, [ebp-25h]
		mov	byte ptr [ebp-27h], 0
		jmp	loc_52A6A2
; 

loc_52A595:				; CODE XREF: .text:0052A565j
					; DATA XREF: .text:off_52A81Co
		mov	eax, [esi+50h]	; case 0x2
		test	eax, eax
		jnz	short loc_52A5AD
		mov	ebx, 0C0000001h
		mov	al, [ebp-25h]
		mov	byte ptr [ebp-27h], 0
		jmp	loc_52A6A2
; 

loc_52A5AD:				; CODE XREF: .text:0052A59Aj
		add	eax, 0FFFFFFFFh
		mov	[esi+50h], eax
		jnz	short loc_52A5F8

loc_52A5B5:				; CODE XREF: .text:0052A565j
					; DATA XREF: .text:off_52A81Co
		mov	al, 1		; case 0x1
		mov	byte ptr [ebp-27h], 0
		jmp	loc_52A6A2
; 

loc_52A5C0:				; CODE XREF: .text:0052A565j
					; DATA XREF: .text:off_52A81Co
		cmp	[esi+50h], ebx	; case 0x3
		jnz	short loc_52A5D6
		mov	ebx, 0C0000001h
		mov	al, [ebp-25h]
		mov	byte ptr [ebp-27h], 0
		jmp	loc_52A6A2
; 

loc_52A5D6:				; CODE XREF: .text:0052A5C3j
		mov	ecx, esi
		call	_ExpRemoveCurrentThreadFromThreadHistory@4 ; ExpRemoveCurrentThreadFromThreadHistory(x)
		dec	dword ptr [esi+50h]
		dec	dword ptr [esi+54h]
		cmp	[esi+50h], ebx
		jnz	short loc_52A5F8
		mov	al, 1
		mov	byte ptr [ebp-27h], 0
		jmp	loc_52A6A2
; 

loc_52A5F3:				; CODE XREF: .text:0052A55Fj
		mov	ebx, 0C000000Dh	; default

loc_52A5F8:				; CODE XREF: .text:0052A5B3j
					; .text:0052A5E6j
		mov	al, [ebp-25h]
		mov	byte ptr [ebp-27h], 0
		jmp	loc_52A6A2
; 

loc_52A604:				; DATA XREF: .text:0052A804o
		mov	eax, [esi+4]
		cmp	[eax+15h], bl
		jnz	loc_52A69A
		mov	eax, [ebp-2Ch]
		mov	[esi+1Ch], eax
		mov	[esi+18h], edi
		jmp	loc_52A69F
; 

loc_52A61E:				; DATA XREF: .text:0052A808o
		mov	eax, [esi+4]
		mov	al, [eax+15h]
		mov	[esi+6Ch], edi
		movzx	ebx, al
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 80h
		jmp	short loc_52A69F
; 

loc_52A636:				; DATA XREF: .text:0052A818o
		mov	eax, [esi+4]
		cmp	[eax+15h], bl
		jnz	short loc_52A69A
		test	dword ptr [esi+68h], 8000h
		jz	short loc_52A64E
		mov	ebx, 0C000A003h
		jmp	short loc_52A69F
; 

loc_52A64E:				; CODE XREF: .text:0052A645j
		mov	edi, [ebp-34h]
		mov	edx, edi
		shr	edx, 3
		lea	ecx, [ebp-24h]
		call	_KeValidateCpuSetMasks@8 ; KeValidateCpuSetMasks(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_52A69F
		lea	eax, [esi+40h]
		xor	ecx, ecx
		mov	[eax], ecx
		mov	[eax+4], ecx
		push	edi
		lea	ecx, [ebp-24h]
		push	ecx
		push	eax
		call	_memcpy
		add	esp, 0Ch
		or	dword ptr [esi+68h], 4000h
		jmp	short loc_52A69F
; 

loc_52A685:				; DATA XREF: .text:0052A810o
		shl	edi, 0Bh
		xor	edi, [esi+68h]
		and	edi, 800h
		xor	[esi+68h], edi
		jmp	short loc_52A69F
; 

loc_52A696:				; CODE XREF: .text:0052A49Cj
		mov	al, bl
		jmp	short loc_52A6A2
; 

loc_52A69A:				; CODE XREF: .text:0052A354j
					; .text:0052A45Dj ...
		mov	ebx, 80h

loc_52A69F:				; CODE XREF: .text:0052A31Fj
					; .text:0052A3C9j ...
		mov	al, [ebp-25h]

loc_52A6A2:				; CODE XREF: .text:0052A349j
					; .text:0052A515j ...
		test	al, al
		jz	loc_52A72B
		mov	edx, [esi+50h]
		mov	ecx, [esi+58h]
		add	ecx, edx
		mov	eax, [esi+4]
		cmp	byte ptr [eax+15h], 0
		jz	short loc_52A6C2
		mov	ebx, 80h
		jmp	short loc_52A72B
; 

loc_52A6C2:				; CODE XREF: .text:0052A6B9j
		mov	edi, [esi+4Ch]
		cmp	edx, edi
		jb	short loc_52A6D6
		cmp	byte ptr [ebp-27h], 0
		jnz	short loc_52A72B
		mov	ebx, 0C0000129h
		jmp	short loc_52A72B
; 

loc_52A6D6:				; CODE XREF: .text:0052A6C7j
		mov	eax, [esi+60h]
		test	eax, eax
		jnz	short loc_52A729
		cmp	ecx, edi
		jnb	short loc_52A729
		test	dword ptr [esi+68h], 200h
		jz	short loc_52A6F4
		mov	ecx, esi
		call	_ExpLeaveWorkerFactoryAwayMode@4 ; ExpLeaveWorkerFactoryAwayMode(x)
		mov	eax, [esi+60h]

loc_52A6F4:				; CODE XREF: .text:0052A6E8j
		inc	eax
		mov	[esi+60h], eax
		lea	ecx, [ebp-48h]
		call	KeReleaseInStackQueuedSpinLock
		mov	byte ptr [ebp-26h], 0
		mov	ecx, esi
		call	ExpWorkerFactoryCreateThread
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_52A72B
		mov	byte ptr [ebp-26h], 1
		lea	edx, [ebp-48h]
		mov	ecx, [esi+4]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		dec	dword ptr [esi+60h]
		cmp	byte ptr [ebp-27h], 0
		jz	short loc_52A72B

loc_52A729:				; CODE XREF: .text:0052A6DBj
					; .text:0052A6DFj
		xor	ebx, ebx

loc_52A72B:				; CODE XREF: .text:0052A47Aj
					; .text:0052A6A4j ...
		cmp	byte ptr [ebp-26h], 0
		jz	short loc_52A739
		lea	ecx, [ebp-48h]
		call	KeReleaseInStackQueuedSpinLock

loc_52A739:				; CODE XREF: .text:0052A72Fj
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, ebx
		jmp	short loc_52A768
; 

loc_52A744:				; DATA XREF: .text:006A6154o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_52A754:				; DATA XREF: .text:006A6158o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-54h]
		jmp	short loc_52A768
; 

loc_52A763:				; CODE XREF: .text:0052A120j
					; .text:0052A12Dj
					; DATA XREF: ...
		mov	eax, 0C0000003h

loc_52A768:				; CODE XREF: .text:0052A151j
					; .text:0052A168j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-1Ch]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_52A786:				; CODE XREF: .text:0052A18Bj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_52A78B:				; CODE XREF: .text:0052A1A1j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_52A790:				; CODE XREF: .text:0052A210j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		lea	ecx, [ecx+0]
; 
off_52A798	dd offset loc_52A156	; DATA XREF: .text:0052A12Dr
		dd offset loc_52A134
		dd offset loc_52A14C
		dd offset loc_52A13B
		dd offset loc_52A763
byte_52A7AC	db 0			; DATA XREF: .text:0052A126r
		db 3 dup(1)
		dd 1010402h, 1010100h, 0FF8B0301h
off_52A7BC	dd offset loc_52A17E	; DATA XREF: .text:0052A177r
		dd offset loc_52A1D0
		dd offset loc_52A209
		dd offset loc_52A1EC
		dd offset loc_52A196
		dd 0
byte_52A7D4	db 0			; DATA XREF: .text:0052A170r
		db 3 dup(1)
		dd 2010505h, 1030100h, 0FF8B0401h
off_52A7E4	dd offset loc_52A34E	; DATA XREF: .text:0052A2D3r
		dd offset loc_52A3D8
		dd offset loc_52A457
		dd offset loc_52A4DD
		align 10h
		dd offset loc_52A55C
		dd offset loc_52A604
		dd offset loc_52A61E
		dd offset loc_52A2DA
		dd offset loc_52A685
		dd offset loc_52A523
		dd offset loc_52A636
off_52A81C	dd offset loc_52A56C	; DATA XREF: .text:0052A565r
		dd offset loc_52A5B5	; jump table for switch	statement
		dd offset loc_52A595
		dd offset loc_52A5C0
		align 10h

NtWaitForWorkViaWorkerFactory:		; DATA XREF: .text:00580BACo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6168
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		mov	[ebp-1Ch], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	eax, [ebp+8]
		mov	[ebp-94h], eax
		mov	[ebp-0B0h], eax
		mov	eax, [ebp+0Ch]
		mov	[ebp-70h], eax
		mov	edi, [ebp+10h]
		mov	[ebp-90h], edi
		mov	[ebp-0B4h], edi
		mov	eax, [ebp+14h]
		mov	[ebp-64h], eax
		mov	ebx, [ebp+18h]
		xor	eax, eax
		mov	[ebp-8Ch], eax
		mov	[ebp-88h], eax
		mov	[ebp-84h], eax
		mov	[ebp-80h], eax
		mov	[ebp-7Ch], eax
		mov	[ebp-78h], eax
		mov	[ebp-0A8h], eax
		mov	[ebp-0A4h], eax
		mov	[ebp-0A0h], eax
		push	40h
		push	eax
		lea	eax, [ebp-5Ch]
		push	eax
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebp-74h], 0
		xor	esi, esi
		mov	[ebp-9Ch], esi
		mov	eax, large fs:124h
		mov	[ebp-0B8h], eax
		mov	al, [eax+15Ah]
		mov	[ebp-5Dh], al
		mov	[ebp-6Ch], al
		lea	ecx, [ebp-5Ch]
		mov	[ebp-68h], ecx
		test	edi, edi
		jz	loc_5EDB6D
		cmp	edi, 0FFFFFFFh
		ja	loc_5EDB6D
		test	al, al
		jz	loc_5EDAC0
		mov	[ebp-4], esi
		push	4
		mov	eax, edi
		shl	eax, 4
		push	eax
		push	dword ptr [ebp-70h]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [ebp-64h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_5EDA6B

loc_52A942:				; CODE XREF: .text:005EDA6Dj
		mov	eax, [ecx]
		mov	[ecx], eax
		test	bl, 3
		jnz	loc_52AB99
		lea	eax, [ebx+10h]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_5EDA72
		cmp	eax, ebx
		jb	loc_5EDA72

loc_52A968:				; CODE XREF: .text:005EDA75j
		mov	eax, [ebx]
		mov	[ebp-84h], eax
		mov	eax, [ebx+4]
		mov	[ebp-80h], eax
		mov	eax, [ebx+8]
		mov	[ebp-7Ch], eax
		mov	eax, [ebx+0Ch]
		mov	[ebp-78h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-90h]
		mov	ecx, [ebp-94h]

loc_52A995:				; CODE XREF: .text:005EDAAFj
		test	esi, esi
		js	loc_5EDAB4

loc_52A99D:				; CODE XREF: .text:005EDAE2j
		mov	eax, ds:_ExpWorkerFactoryObjectType
		mov	dword ptr [ebp-98h], 0
		push	0
		lea	edx, [ebp-98h]
		push	edx
		push	dword ptr [ebp-6Ch]
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	edi, [ebp-98h]
		mov	[ebp-9Ch], edi
		test	esi, esi
		js	loc_52AAE7
		cmp	ebx, 10h
		ja	loc_5EDAE7

loc_52A9E0:				; CODE XREF: .text:005EDB05j
					; .text:005EDB14j
		lea	edx, [ebp-0A8h]
		mov	ecx, [edi+4]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [edi+4]
		cmp	byte ptr [eax+15h], 0
		jnz	loc_5EDB19
		test	dword ptr [edi+68h], 200h
		jnz	loc_52AB2E

loc_52AA08:				; CODE XREF: .text:0052AB38j
		inc	dword ptr [eax+10h]
		jmp	short loc_52AA10
; 
		align 10h

loc_52AA10:				; CODE XREF: .text:0052AA0Bj
					; .text:0052AB5Fj ...
		mov	eax, [edi+4Ch]
		cmp	eax, [edi+50h]
		jb	loc_5EDB2E
		mov	eax, [edi+4]
		cmp	byte ptr [eax+15h], 0
		jnz	loc_5EDB2E
		lea	ecx, [ebp-0A8h]
		call	KeReleaseInStackQueuedSpinLock
		mov	dl, [ebp-5Dh]
		lea	ecx, [ebp-8Ch]
		call	_ExpWorkerFactoryStartDeferredWork@8 ; ExpWorkerFactoryStartDeferredWork(x,x)
		push	1
		push	0
		push	dword ptr [ebp-6Ch]
		lea	eax, [ebp-74h]
		push	eax
		push	ebx
		push	dword ptr [ebp-68h]
		mov	ecx, [edi+4]
		mov	edx, [ebp-70h]
		mov	ecx, [ecx+4]
		call	IoRemoveIoCompletion
		mov	esi, eax
		test	byte ptr [ebp-78h], 1
		jz	short loc_52AA76
		lea	ecx, [ebp-8Ch]
		call	_AlpciDestroyDeferredMessageContext@4 ;	AlpciDestroyDeferredMessageContext(x)
		and	dword ptr [ebp-78h], 0FFFFFFFEh

loc_52AA76:				; CODE XREF: .text:0052AA65j
		lea	edx, [ebp-0A8h]
		mov	ecx, [edi+4]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	esi, 102h
		jz	loc_52AB51

loc_52AA90:				; CODE XREF: .text:0052AB7Ej
					; .text:005EDB33j
		mov	eax, [edi+4]
		dec	dword ptr [eax+10h]
		mov	ecx, edi
		cmp	esi, 102h
		jz	loc_52AB89
		call	_ExpAddCurrentThreadToThreadHistory@4 ;	ExpAddCurrentThreadToThreadHistory(x)

loc_52AAA9:				; CODE XREF: .text:0052AB94j
		mov	ecx, edi
		call	_ExpTryEnterWorkerFactoryAwayMode@4 ; ExpTryEnterWorkerFactoryAwayMode(x)
		test	al, al
		jnz	loc_52AB3D
		lea	ecx, [ebp-0A8h]
		call	KeReleaseInStackQueuedSpinLock

loc_52AAC3:				; CODE XREF: .text:0052AB4Cj
		test	esi, esi
		jnz	short loc_52AAE7
		cmp	byte ptr [ebp-5Dh], 0
		jz	loc_5EDB60
		mov	dword ptr [ebp-4], 1
		mov	eax, [ebp-74h]
		mov	ecx, [ebp-64h]
		mov	[ecx], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_52AAE7:				; CODE XREF: .text:0052A9D1j
					; .text:0052AAC5j ...
		lea	ecx, [ebp-5Ch]
		mov	eax, [ebp-68h]
		cmp	eax, ecx
		jnz	loc_5EDB77

loc_52AAF5:				; CODE XREF: .text:005EDB7Fj
		mov	ecx, [ebp-9Ch]
		test	ecx, ecx
		jz	short loc_52AB04
		call	ObfDereferenceObject

loc_52AB04:				; CODE XREF: .text:0052AAFDj
		test	byte ptr [ebp-78h], 1
		jnz	loc_5EDB84

loc_52AB0E:				; CODE XREF: .text:005EDB9Fj
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-1Ch]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_52AB2E:				; CODE XREF: .text:0052AA02j
		mov	ecx, edi
		call	_ExpLeaveWorkerFactoryAwayMode@4 ; ExpLeaveWorkerFactoryAwayMode(x)
		mov	eax, [edi+4]
		jmp	loc_52AA08
; 

loc_52AB3D:				; CODE XREF: .text:0052AAB2j
		push	0
		lea	edx, [ebp-0A8h]
		mov	ecx, edi
		call	ExpWorkerFactoryCheckCreate
		jmp	loc_52AAC3
; 

loc_52AB51:				; CODE XREF: .text:0052AA8Aj
		mov	edx, 1
		mov	ecx, edi
		call	_ExpWorkerFactoryWantsToCreate@8 ; ExpWorkerFactoryWantsToCreate(x,x)
		test	al, al
		jnz	loc_52AA10
		mov	eax, [edi+50h]
		cmp	eax, [edi+48h]
		jbe	loc_52AA10
		mov	eax, [ebp-0B8h]
		add	eax, 2CCh
		cmp	[eax], eax
		jz	loc_52AA90
		jmp	loc_52AA10
; 

loc_52AB89:				; CODE XREF: .text:0052AA9Ej
		dec	dword ptr [edi+50h]
		dec	dword ptr [edi+54h]
		call	_ExpRemoveCurrentThreadFromThreadHistory@4 ; ExpRemoveCurrentThreadFromThreadHistory(x)
		jmp	loc_52AAA9
; 

loc_52AB99:				; CODE XREF: .text:0052A949j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dw 0CCCCh
		dd 4 dup(0CCCCCCCCh)
; Exported entry 124. KeAcquireInStackQueuedSpinLock

;  S U B	R O U T	I N E 


; __fastcall KeAcquireInStackQueuedSpinLock(x, x)
		public @KeAcquireInStackQueuedSpinLock@8
@KeAcquireInStackQueuedSpinLock@8 proc near ; CODE XREF: MiMakeSystemRangeAvailable+107p
					; KeQuerySchedulingGroupHistory+2Ap ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	[esi+4], edi
		mov	dword ptr [esi], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esi+8], al
		test	ds:byte_70EFC6,	21h
		jnz	short loc_52ABE6
		mov	edx, esi
		xchg	edx, [edi]
		pop	edi
		test	edx, edx
		jnz	short loc_52ABDE
		pop	esi
		retn
; 

loc_52ABDE:				; CODE XREF: KeAcquireInStackQueuedSpinLock(x,x)+2Aj
		mov	ecx, esi
		pop	esi
		jmp	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
; 

loc_52ABE6:				; CODE XREF: KeAcquireInStackQueuedSpinLock(x,x)+21j
		mov	edx, edi
		mov	ecx, esi
		pop	edi
		pop	esi
		jmp	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
@KeAcquireInStackQueuedSpinLock@8 endp

; 
		align 10h
; Exported entry 138. KeReleaseInStackQueuedSpinLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeReleaseInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock proc near ; CODE	XREF: ExpDeleteWorkerFactory(x)+34p
					; CcScanLogHandleList+68p ...

; FUNCTION CHUNK AT 005A8797 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	ds:byte_70EFC6,	1
		push	esi
		mov	esi, ecx
		jnz	loc_5A8797
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_52AC3F
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_52AC38

loc_52AC2B:				; CODE XREF: KeReleaseInStackQueuedSpinLock+50j
					; KeReleaseInStackQueuedSpinLock+7DB9Fj
		mov	cl, [esi+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ecx
		pop	ebp
		retn
; 

loc_52AC38:				; CODE XREF: KeReleaseInStackQueuedSpinLock+29j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_52AC3F:				; CODE XREF: KeReleaseInStackQueuedSpinLock+1Aj
		mov	dword ptr [esi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_52AC2B
KeReleaseInStackQueuedSpinLock endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ExpTryEnterWorkerFactoryAwayMode(x)
_ExpTryEnterWorkerFactoryAwayMode@4 proc near ;	CODE XREF: .text:0052A40Dp
					; .text:0052AAABp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+50h]
		cmp	eax, [esi+4Ch]
		jnb	short loc_52AC77
		mov	edi, [esi+4]
		cmp	dword ptr [edi+10h], 0
		jz	short loc_52AC7C

loc_52AC77:				; CODE XREF: ExpTryEnterWorkerFactoryAwayMode(x)+Cj
					; ExpTryEnterWorkerFactoryAwayMode(x)+3Ej
		pop	edi
		xor	al, al
		pop	esi
		retn
; 

loc_52AC7C:				; CODE XREF: ExpTryEnterWorkerFactoryAwayMode(x)+15j
		cmp	dword ptr [esi+64h], 0
		jz	short loc_52ACCE
		mov	ecx, [esi+68h]
		mov	eax, ecx
		or	eax, 200h
		mov	[esi+68h], eax
		mov	eax, [edi+4]
		cmp	dword ptr [eax+4], 0
		jnz	short loc_52ACCE
		test	ecx, 400h
		jnz	short loc_52AC77
		or	ecx, 600h
		mov	edx, 746C6644h
		mov	[esi+68h], ecx
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	ecx, [edi+4]
		add	esi, 0ECh
		push	esi
		mov	edx, offset _ExpWorkerFactoryManagerQueue
		call	KeRegisterObjectNotification
		pop	edi
		xor	al, al
		pop	esi
		retn
; 

loc_52ACCE:				; CODE XREF: ExpTryEnterWorkerFactoryAwayMode(x)+20j
					; ExpTryEnterWorkerFactoryAwayMode(x)+36j
		pop	edi
		mov	al, 1
		pop	esi
		retn
_ExpTryEnterWorkerFactoryAwayMode@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoRemoveIoCompletion proc near		; CODE XREF: .text:0052AA5Ap
					; NtRemoveIoCompletion+C6p ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6190
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_20], edx
		mov	eax, ecx
		mov	[ebp+var_28], eax
		mov	[ebp+var_3C], 0
		mov	[ebp+var_38], 0
		push	[ebp+arg_4]
		mov	esi, [ebp+arg_0]
		push	esi
		push	[ebp+arg_10]
		push	[ebp+arg_14]
		push	[ebp+arg_C]
		push	eax
		call	KeRemoveQueueEx
		mov	[ebp+var_34], eax
		xor	edx, edx
		mov	[ebp+var_24], edx
		xor	ebx, ebx

loc_52AD4B:				; CODE XREF: IoRemoveIoCompletion+112j
		mov	[ebp+var_1C], ebx
		cmp	ebx, eax
		jnb	loc_52ADF7
		mov	esi, [esi+ebx*4]
		cmp	esi, 102h
		jz	loc_52AE92
		cmp	esi, 0C0h
		jz	loc_52AE92
		cmp	esi, 80h
		jz	loc_52AE92
		cmp	esi, 101h
		jz	loc_52AE92
		mov	al, [esi+8]
		test	al, al
		jz	loc_52AE99
		cmp	al, 2
		jz	loc_52AE33
		mov	eax, [esi+10h]
		mov	[ebp+arg_10], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+arg_4], eax
		mov	edi, [esi+14h]
		mov	eax, [esi+18h]
		mov	[ebp+arg_14], eax
		mov	ecx, esi
		call	_IopFreeMiniCompletionPacket@4 ; IopFreeMiniCompletionPacket(x)

loc_52ADB8:				; CODE XREF: IoRemoveIoCompletion+1ADj
		mov	esi, [ebp+arg_14]

loc_52ADBB:				; CODE XREF: IoRemoveIoCompletion+1EFj
					; IoRemoveIoCompletion+201j ...
		cmp	byte ptr [ebp+arg_C], 0
		jz	short loc_52AE15
		mov	[ebp+var_4], 0
		mov	eax, ebx
		add	eax, eax
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+var_20]
		mov	[edx+eax*8], ecx
		mov	ecx, [ebp+arg_10]
		mov	[edx+eax*8+4], ecx
		mov	[edx+eax*8+8], edi
		mov	[edx+eax*8+0Ch], esi
		mov	[ebp+var_4], 0FFFFFFFEh

loc_52ADEB:				; CODE XREF: IoRemoveIoCompletion+151j
					; .text:005EDBC7j
		inc	ebx
		mov	eax, [ebp+var_34]
		mov	esi, [ebp+arg_0]
		jmp	loc_52AD4B
; 

loc_52ADF7:				; CODE XREF: IoRemoveIoCompletion+70j
		mov	edx, [ebp+var_24]

loc_52ADFA:				; CODE XREF: IoRemoveIoCompletion+1B4j
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		mov	eax, edx
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_52AE15:				; CODE XREF: IoRemoveIoCompletion+DFj
		mov	eax, ebx
		add	eax, eax
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+var_20]
		mov	[edx+eax*8], ecx
		mov	ecx, [ebp+arg_10]
		mov	[edx+eax*8+4], ecx
		mov	[edx+eax*8+8], edi
		mov	[edx+eax*8+0Ch], esi
		jmp	short loc_52ADEB
; 

loc_52AE33:				; CODE XREF: IoRemoveIoCompletion+B6j
		mov	eax, [esi+1Ch]
		mov	[ebp+arg_10], eax
		mov	eax, [esi+18h]
		mov	[ebp+arg_4], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_3C], eax
		mov	eax, [esi+20h]
		mov	[ebp+arg_14], eax
		mov	[ebp+var_38], eax
		mov	ebx, [esi+28h]
		lea	ecx, [esi+30h]
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	byte ptr [esi+34h], 0
		mov	dword ptr [esi+2Ch], 0
		mov	dl, al
		lea	ecx, [esi+30h]
		call	KfReleaseSpinLock
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_28]
		call	ObfDereferenceObject
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	ebx, [ebp+var_1C]
		mov	edi, [ebp+var_2C]
		jmp	loc_52ADB8
; 

loc_52AE92:				; CODE XREF: IoRemoveIoCompletion+7Fj
					; IoRemoveIoCompletion+8Bj ...
		mov	edx, esi
		jmp	loc_52ADFA
; 

loc_52AE99:				; CODE XREF: IoRemoveIoCompletion+AEj
		lea	ecx, [esi-58h]
		mov	[ebp+arg_14], ecx
		mov	eax, [ecx+34h]
		mov	[ebp+arg_10], eax
		mov	eax, [ecx+40h]
		mov	[ebp+arg_4], eax
		mov	edi, [ecx+18h]
		mov	[ebp+var_3C], edi
		mov	esi, [ecx+1Ch]
		mov	[ebp+var_38], esi
		mov	eax, [ecx+8]
		test	eax, 2000h
		jz	short loc_52AED4
		lea	edx, [ebp+var_3C]
		call	IopPostProcessIrp
		mov	esi, [ebp+var_38]
		mov	edi, [ebp+var_3C]
		jmp	loc_52ADBB
; 

loc_52AED4:				; CODE XREF: IoRemoveIoCompletion+1DFj
		test	eax, 8000h
		jnz	short loc_52AEE6
		push	ecx
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		jmp	loc_52ADBB
; 

loc_52AEE6:				; CODE XREF: IoRemoveIoCompletion+1F9j
		add	ecx, 30h
		or	edx, 0FFFFFFFFh
		call	IopInterlockedAdd
		test	eax, eax
		jnz	loc_52ADBB
		push	[ebp+arg_14]
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		jmp	loc_52ADBB
IoRemoveIoCompletion endp

; 
		align 10h
; Exported entry 1270. KeRemoveQueueEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeRemoveQueueEx
KeRemoveQueueEx	proc near		; CODE XREF: KeRemoveQueue(x,x,x)+1Bp
					; IoRemoveIoCompletion+5Cp

var_56		= byte ptr -56h
var_4A		= byte ptr -4Ah
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0052B724 SIZE 0000000D BYTES
; FUNCTION CHUNK AT 005EDBCC SIZE 00000296 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	[esp+58h+var_44], 0
		mov	[esp+58h+var_48], 0
		btr	dword ptr [esi+58h], 2
		mov	[esp+58h+var_10], esi
		setb	al
		mov	[esp+58h+var_8], 0
		mov	[esp+58h+var_4], 0
		test	al, al
		jnz	short loc_52AF61
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esi+92h], al

loc_52AF61:				; CODE XREF: KeRemoveQueueEx+43j
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jnz	loc_52B170
		mov	[esp+58h+var_40], ebx

loc_52AF70:				; CODE XREF: KeRemoveQueueEx+27Fj
					; KeRemoveQueueEx+548j
		mov	eax, [esi+0A4h]
		mov	edi, [ebp+arg_0]
		cmp	eax, edi
		jnz	short loc_52AF8F
		cmp	dword ptr [edi+4], 0
		jnz	loc_52B194

loc_52AF87:				; CODE XREF: KeRemoveQueueEx+28Aj
		test	ebx, ebx
		jnz	loc_52B27C

loc_52AF8F:				; CODE XREF: KeRemoveQueueEx+6Bj
					; KeRemoveQueueEx+371j	...
		mov	dl, [esi+92h]
		lea	edi, [esi+2Ch]
		mov	bl, [ebp+arg_4]
		mov	[esp+58h+var_49], dl
		nop

loc_52AFA0:				; CODE XREF: KeRemoveQueueEx+724j
		and	dword ptr [esi+58h], 0FFFFFFEFh
		cmp	[ebp+arg_8], 0
		mov	byte ptr [esi+54h], 0
		mov	[esi+93h], bl
		jz	short loc_52AFB8
		or	dword ptr [esi+58h], 10h

loc_52AFB8:				; CODE XREF: KeRemoveQueueEx+A2j
		mov	[esp+58h+var_20], 0

loc_52AFC0:				; CODE XREF: KeRemoveQueueEx+6DFj
		lock bts dword ptr [edi], 0
		jb	loc_52B5E0
		cmp	byte ptr [esi+85h], 0
		mov	dl, [esp+58h+var_49]
		jnz	loc_52B5F4

loc_52AFDC:				; CODE XREF: KeRemoveQueueEx+6ECj
					; KeRemoveQueueEx+6F5j
		cmp	[ebp+arg_8], 0
		mov	edi, [ebp+arg_0]
		jz	loc_52B31C
		mov	cl, bl
		movsx	eax, cl
		cmp	byte ptr [eax+esi+56h],	0
		jnz	loc_5EDDAA
		test	cl, cl
		jz	short loc_52B008
		lea	eax, [esi+78h]
		cmp	[eax], eax
		jnz	loc_52B3D5

loc_52B008:				; CODE XREF: KeRemoveQueueEx+EBj
		cmp	byte ptr [esi+56h], 0
		jnz	loc_5EDD9C

loc_52B012:				; CODE XREF: KeRemoveQueueEx+413j
					; KeRemoveQueueEx+421j
		mov	byte ptr [esi+90h], 5
		mov	byte ptr [esi+18Bh], 0Fh
		mov	eax, ds:_KeTickCount
		mov	[esi+138h], eax
		mov	dword ptr [esi+2Ch], 0
		mov	eax, [esi+0A4h]
		cmp	edi, eax
		jnz	loc_52B344

loc_52B040:				; CODE XREF: KeRemoveQueueEx+43Ej
		mov	byte ptr [esi+0E8h], 3
		mov	eax, 80h
		mov	byte ptr [esi+0E9h], 4
		mov	[esi+0EAh], ax
		mov	[esi+0F0h], edi
		mov	[esp+58h+var_18], 0
		lock bts dword ptr [edi], 7
		jb	loc_52B410

loc_52B073:				; CODE XREF: KeRemoveQueueEx+514j
		cmp	dword ptr [edi+4], 0
		jnz	loc_52B353

loc_52B07D:				; CODE XREF: KeRemoveQueueEx+449j
					; KeRemoveQueueEx+462j
		test	byte ptr [edi+1], 1
		jnz	loc_5EDDF0
		cmp	[esp+58h+var_40], 2
		mov	ecx, [esp+58h+var_48]
		mov	edx, ecx
		mov	eax, [esp+58h+var_44]
		mov	[esp+58h+var_34], eax
		mov	[esp+58h+var_C], edx
		mov	[esp+58h+var_20], 0
		mov	[esp+58h+var_1C], 0
		jz	loc_52B45D
		cmp	[esp+58h+var_40], 0
		jnz	loc_52B59A

loc_52B0BF:				; CODE XREF: KeRemoveQueueEx+59Ej
		lock dec dword ptr [edi+18h]
		mov	ebx, [edi+8]
		lea	edx, [edi+8]
		mov	[esp+58h+var_C], ebx
		cmp	[ebx+4], edx
		lea	ebx, [esi+0E0h]
		jnz	loc_5EDE37
		mov	ecx, [esp+58h+var_C]
		mov	[ebx], ecx
		mov	[ebx+4], edx
		mov	[ecx+4], ebx
		mov	ecx, 0FFFFFF7Fh
		mov	[edx], ebx
		lock and [edi],	ecx
		mov	ecx, [esp+58h+var_48]
		mov	edx, ebx
		push	0
		push	ecx
		push	eax
		push	[esp+64h+var_40]
		mov	ecx, esi
		mov	byte ptr [esi+16Bh], 1
		call	KiCommitThreadWait
		mov	byte ptr [esi+18Bh], 0
		cmp	eax, 100h
		jz	loc_52B3C4
		mov	ecx, [ebp+arg_10]
		mov	ebx, 1
		mov	[ecx], eax
		cmp	[ebp+arg_14], ebx
		jbe	short loc_52B155
		cmp	eax, 102h
		jz	short loc_52B155
		cmp	eax, 80h
		jz	short loc_52B155
		cmp	eax, 101h
		jz	short loc_52B155
		cmp	eax, 0C0h
		jz	short loc_52B155
		cmp	dword ptr [edi+4], 0
		jnz	loc_52B4B3

loc_52B155:				; CODE XREF: KeRemoveQueueEx+21Dj
					; KeRemoveQueueEx+224j	...
		test	dword ptr ds:byte_70EFC4, 1000000h
		jnz	loc_5EDDDF

loc_52B165:				; CODE XREF: KeRemoveQueueEx+361j
					; KeRemoveQueueEx+C2D14j
		mov	eax, ebx

loc_52B167:				; CODE XREF: KeRemoveQueueEx+4AFj
					; KeRemoveQueueEx+C2EDBj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_52B170:				; CODE XREF: KeRemoveQueueEx+56j
		cmp	dword ptr [ebx+4], 0
		jl	loc_52B42C
		mov	edx, [ebx]
		mov	[esp+58h+var_44], edx
		mov	edx, [ebx+4]
		mov	[esp+58h+var_40], 1
		mov	[esp+58h+var_48], edx
		jmp	loc_52AF70
; 

loc_52B194:				; CODE XREF: KeRemoveQueueEx+71j
		mov	eax, [edi+18h]
		cmp	eax, [edi+1Ch]
		ja	loc_52AF87
		mov	[esp+58h+var_30], 0
		lock bts dword ptr [edi], 7
		jb	loc_52B5A7

loc_52B1B3:				; CODE XREF: KeRemoveQueueEx+6ABj
		cmp	dword ptr [edi+4], 0
		jz	loc_52B5C3
		mov	eax, [edi+18h]
		cmp	eax, [edi+1Ch]
		ja	loc_52B5C3
		mov	ecx, [edi+10h]
		xor	ebx, ebx
		mov	edi, edi

loc_52B1D0:				; CODE XREF: KeRemoveQueueEx+42Fj
		dec	dword ptr [edi+4]
		mov	eax, [ecx]
		test	eax, eax
		jz	loc_5EDC29
		mov	edx, [ecx+4]
		cmp	[eax+4], ecx
		jnz	loc_5EDE37
		cmp	[edx], ecx
		jnz	loc_5EDE37
		mov	[edx], eax
		mov	[eax+4], edx
		lea	eax, [edi+10h]
		mov	edx, [ebp+arg_10]
		mov	dword ptr [ecx], 0
		mov	[edx+ebx*4], ecx
		inc	ebx
		mov	ecx, [eax]
		cmp	ecx, eax
		jnz	loc_52B336

loc_52B210:				; CODE XREF: KeRemoveQueueEx+429j
		test	ebx, ebx
		jz	loc_52B5C3
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	edi, large fs:20h
		mov	al, [esi+92h]
		mov	[esp+58h+var_38], edi
		mov	[esp+58h+var_49], al
		mov	byte ptr [esp+58h+var_3C], al
		cmp	al, 2
		jnb	loc_5EDBF7
		cmp	dword ptr [edi+8], 0
		mov	ecx, [edi+4]
		mov	[esp+58h+var_40], ecx
		jnz	loc_52B4F9
		test	byte ptr [ecx+58h], 40h
		jnz	loc_5EDBE2

loc_52B25C:				; CODE XREF: KeRemoveQueueEx+685j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_52B264:				; CODE XREF: KeRemoveQueueEx+C2D07j
		mov	edx, [ebp+arg_10]

loc_52B267:				; CODE XREF: KeRemoveQueueEx+C2CEBj
					; KeRemoveQueueEx+C2CF9j
		test	dword ptr ds:byte_70EFC4, 1000000h
		jz	loc_52B165
		jmp	loc_5EDC1C
; 

loc_52B27C:				; CODE XREF: KeRemoveQueueEx+79j
		mov	eax, [ebx]
		or	eax, [ebx+4]
		jnz	loc_52AF8F
		test	byte ptr [edi+1], 1
		jnz	loc_52B5D0
		mov	bl, [ebp+arg_8]
		test	bl, bl
		jnz	loc_5EDC3F
		test	byte ptr [esi+86h], 2
		jnz	loc_5EDCB2

loc_52B2A9:				; CODE XREF: KeRemoveQueueEx+C2D8Ej
					; KeRemoveQueueEx+C2DA6j
		mov	eax, 102h

loc_52B2AE:				; CODE XREF: KeRemoveQueueEx+C2D58j
					; KeRemoveQueueEx+C2D85j ...
		mov	ecx, [ebp+arg_10]
		mov	[ecx], eax
		test	bl, bl
		jnz	loc_5EDCCA

loc_52B2BB:				; CODE XREF: KeRemoveQueueEx+6C9j
					; KeRemoveQueueEx+C2DB5j ...
		mov	edi, large fs:20h
		mov	bl, [esi+92h]
		mov	[esp+58h+var_38], edi
		mov	byte ptr [esp+58h+var_3C], bl
		cmp	bl, 2
		jnb	loc_5EDD08
		cmp	dword ptr [edi+8], 0
		mov	eax, [edi+4]
		mov	[esp+58h+var_44], eax
		jnz	loc_52B639
		test	byte ptr [eax+58h], 40h
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		jnz	loc_5EDCEC

loc_52B2FA:				; CODE XREF: KeRemoveQueueEx+7BDj
					; KeRemoveQueueEx+C2DF3j
		mov	cl, bl
		call	edi

loc_52B2FE:				; CODE XREF: KeRemoveQueueEx+C2DFCj
					; KeRemoveQueueEx+C2E0Aj ...
		test	dword ptr ds:byte_70EFC4, 1000000h
		jnz	loc_5EDD2D

loc_52B30E:				; CODE XREF: KeRemoveQueueEx+4F3j
					; KeRemoveQueueEx+C2EB4j
		pop	edi
		pop	esi
		mov	eax, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_52B31C:				; CODE XREF: KeRemoveQueueEx+D3j
		test	byte ptr [esi+86h], 2
		jz	loc_52B012
		test	bl, bl
		jnz	loc_52B3DC
		jmp	loc_52B012
; 

loc_52B336:				; CODE XREF: KeRemoveQueueEx+2FAj
		cmp	ebx, [ebp+arg_14]
		jnb	loc_52B210
		jmp	loc_52B1D0
; 

loc_52B344:				; CODE XREF: KeRemoveQueueEx+12Aj
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	@KiSwitchQueue@12 ; KiSwitchQueue(x,x,x)
		jmp	loc_52B040
; 

loc_52B353:				; CODE XREF: KeRemoveQueueEx+167j
		mov	eax, [edi+18h]
		cmp	eax, [edi+1Ch]
		ja	loc_52B07D
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_10]
		mov	ecx, edi
		call	KiAttemptFastRemoveQueue
		mov	[esp+58h+var_3C], eax
		test	eax, eax
		jz	loc_52B07D
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	ebx, [ebp+arg_10]

loc_52B383:				; CODE XREF: KeRemoveQueueEx+81Cj
		mov	edi, large fs:20h
		mov	byte ptr [esi+18Bh], 0
		cmp	dword ptr [edi+3B1Ch], 0
		jnz	loc_5EDE3E

loc_52B39E:				; CODE XREF: KeRemoveQueueEx+C2F3Ej
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	_KiFastExitThreadWait@12 ; KiFastExitThreadWait(x,x,x)
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	edi, [esp+58h+var_3C]
		jnz	loc_5EDE53

loc_52B3BD:				; CODE XREF: KeRemoveQueueEx+C2F4Dj
		mov	eax, edi
		jmp	loc_52B167
; 

loc_52B3C4:				; CODE XREF: KeRemoveQueueEx+20Aj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esi+92h], al
		jmp	loc_52AF8F
; 

loc_52B3D5:				; CODE XREF: KeRemoveQueueEx+F2j
		or	byte ptr [esi+86h], 2

loc_52B3DC:				; CODE XREF: KeRemoveQueueEx+41Bj
		mov	edi, 0C0h

loc_52B3E1:				; CODE XREF: KeRemoveQueueEx+C2E95j
					; KeRemoveQueueEx+C2EA4j
		mov	dword ptr [esi+2Ch], 0
		mov	ecx, large fs:20h
		call	KiCheckForThreadDispatch
		mov	eax, [ebp+arg_10]
		mov	[eax], edi
		test	dword ptr ds:byte_70EFC4, 1000000h
		jz	loc_52B30E
		jmp	loc_5EDDB9
; 
		align 10h

loc_52B410:				; CODE XREF: KeRemoveQueueEx+15Dj
					; KeRemoveQueueEx+50Dj	...
		lea	ecx, [esp+58h+var_18]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	al, al
		js	short loc_52B410
		lock bts dword ptr [edi], 7
		jnb	loc_52B073
		jmp	short loc_52B410
; 

loc_52B42C:				; CODE XREF: KeRemoveQueueEx+264j
		xor	cl, cl
		call	KiQueryUnbiasedInterruptTime
		mov	edi, [esi+0B0h]
		add	edi, [ebx]
		mov	ecx, [esi+0B4h]
		adc	ecx, [ebx+4]
		sub	eax, edi
		mov	[esp+58h+var_44], eax
		sbb	edx, ecx
		mov	[esp+58h+var_40], 2
		mov	[esp+58h+var_48], edx
		jmp	loc_52AF70
; 

loc_52B45D:				; CODE XREF: KeRemoveQueueEx+19Ej
		xor	cl, cl
		call	KiQueryUnbiasedInterruptTime
		mov	ecx, eax
		mov	eax, edx
		sub	ecx, [esi+0B0h]
		mov	edx, [esp+58h+var_48]
		sbb	eax, [esi+0B4h]
		push	0
		push	edx
		mov	[esp+60h+var_3C], eax
		mov	edx, 2
		mov	eax, [esp+60h+var_44]
		mov	[esp+60h+var_38], ecx
		mov	ecx, esi
		push	eax
		call	KiGetDueTimeWithThreadTimerDelay

loc_52B494:				; CODE XREF: KeRemoveQueueEx+C2E87j
		cmp	[esp+58h+var_3C], edx
		jb	short loc_52B4AA
		ja	loc_5EDDC9
		cmp	[esp+58h+var_38], eax
		ja	loc_5EDDC9

loc_52B4AA:				; CODE XREF: KeRemoveQueueEx+588j
		mov	eax, [esp+58h+var_44]
		jmp	loc_52B0BF
; 

loc_52B4B3:				; CODE XREF: KeRemoveQueueEx+23Fj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	[esp+58h+var_49], al
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	dword ptr [edi+4], 0
		jz	short loc_52B4DF
		mov	ecx, [ebp+arg_14]
		mov	edx, [ebp+arg_10]
		dec	ecx
		push	ecx
		mov	ecx, edi
		lea	edx, [edx+4]
		call	KiAttemptFastRemoveQueue
		lea	ebx, [eax+1]

loc_52B4DF:				; CODE XREF: KeRemoveQueueEx+5B8j
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	cl, [esp+58h+var_49]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+arg_10]
		jmp	loc_52B155
; 

loc_52B4F9:				; CODE XREF: KeRemoveQueueEx+33Cj
		xor	edx, edx
		call	KiAbProcessContextSwitch
		lea	eax, [edi+2224h]
		mov	[esp+58h+var_2C], 0
		mov	edi, eax

loc_52B510:				; CODE XREF: KeRemoveQueueEx+7DFj
		lock bts dword ptr [edi], 0
		jb	loc_52B6E0
		mov	edi, [esp+58h+var_38]
		mov	edx, [edi+8]
		mov	[esp+58h+var_38], edx
		mov	dword ptr [edi+8], 0
		cli
		mov	edx, [esp+58h+var_40]
		mov	ecx, edi
		push	0
		call	KiEndThreadCycleAccumulation
		sti
		mov	ecx, [esp+58h+var_38]
		mov	[edi+4], ecx
		mov	al, [ecx+90h]
		cmp	al, 1
		jz	loc_5EDBCC

loc_52B551:				; CODE XREF: KeRemoveQueueEx+C2CCDj
		mov	al, [esp+58h+var_49]
		mov	byte ptr [ecx+90h], 2
		mov	ecx, [esp+58h+var_40]
		mov	edx, ecx
		mov	byte ptr [ecx+18Bh], 20h
		mov	[ecx+92h], al
		mov	ecx, edi
		call	KiQueueReadyThread
		push	[esp+58h+var_3C]
		mov	edi, [esp+5Ch+var_40]
		mov	ecx, edi
		mov	edx, [esp+5Ch+var_38]
		call	@KiSwapContext@12 ; KiSwapContext(x,x,x)
		test	al, al
		jnz	loc_52B708

loc_52B591:				; CODE XREF: KeRemoveQueueEx+80Fj
		mov	al, [esp+58h+var_49]
		jmp	loc_52B25C
; 

loc_52B59A:				; CODE XREF: KeRemoveQueueEx+1A9j
		or	eax, ecx
		jz	loc_5EDDC9
		jmp	loc_5EDD35
; 

loc_52B5A7:				; CODE XREF: KeRemoveQueueEx+29Dj
					; KeRemoveQueueEx+6A4j	...
		lea	ecx, [esp+58h+var_30]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	al, al
		js	short loc_52B5A7
		lock bts dword ptr [edi], 7
		jnb	loc_52B1B3
		jmp	short loc_52B5A7
; 

loc_52B5C3:				; CODE XREF: KeRemoveQueueEx+2A7j
					; KeRemoveQueueEx+2B3j	...
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		jmp	loc_52AF8F
; 

loc_52B5D0:				; CODE XREF: KeRemoveQueueEx+37Bj
		mov	ecx, [ebp+arg_10]
		mov	dword ptr [ecx], 80h
		jmp	loc_52B2BB
; 
		align 10h

loc_52B5E0:				; CODE XREF: KeRemoveQueueEx+B5j
					; KeRemoveQueueEx+6DDj
		lea	ecx, [esp+58h+var_20]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_52B5E0
		jmp	loc_52AFC0
; 

loc_52B5F4:				; CODE XREF: KeRemoveQueueEx+C6j
		cmp	word ptr [esi+13Eh], 0
		jnz	loc_52AFDC
		cmp	dl, 1
		jnb	loc_52AFDC
		mov	cl, 1
		mov	dword ptr [edi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	0
		push	0
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	al, [esp+0Fh]
		mov	[esi+92h], al
		jmp	loc_52AFA0
; 

loc_52B639:				; CODE XREF: KeRemoveQueueEx+3D4j
		xor	edx, edx
		mov	ecx, eax
		call	KiAbProcessContextSwitch
		lea	eax, [edi+2224h]
		mov	[esp+58h+var_24], 0
		mov	edi, eax

loc_52B652:				; CODE XREF: KeRemoveQueueEx+7F3j
		lock bts dword ptr [edi], 0
		jb	loc_52B6F4
		mov	edi, [esp+58h+var_38]
		mov	edx, [edi+8]
		mov	[esp+58h+var_38], edx
		mov	dword ptr [edi+8], 0
		cli
		mov	edx, [esp+58h+var_44]
		mov	ecx, edi
		push	0
		call	KiEndThreadCycleAccumulation
		sti
		mov	ecx, [esp+58h+var_38]
		mov	[edi+4], ecx
		mov	al, [ecx+90h]
		cmp	al, 1
		jz	loc_5EDCD6

loc_52B693:				; CODE XREF: KeRemoveQueueEx+C2DD7j
		mov	eax, [esp+58h+var_44]
		mov	edx, eax
		mov	byte ptr [ecx+90h], 2
		mov	ecx, edi
		mov	byte ptr [eax+18Bh], 20h
		mov	[eax+92h], bl
		call	KiQueueReadyThread
		push	[esp+58h+var_3C]
		mov	edx, [esp+5Ch+var_38]
		mov	ecx, [esp+5Ch+var_44]
		call	@KiSwapContext@12 ; KiSwapContext(x,x,x)
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		test	al, al
		jz	loc_52B2FA
		jmp	loc_5EDCEC
; 
		jmp	short loc_52B6E0
; 
		align 10h

loc_52B6E0:				; CODE XREF: KeRemoveQueueEx+605j
					; KeRemoveQueueEx+7C8j	...
		lea	ecx, [esp+58h+var_2C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_52B6E0
		jmp	loc_52B510
; 

loc_52B6F4:				; CODE XREF: KeRemoveQueueEx+747j
					; KeRemoveQueueEx+7F1j
		lea	ecx, [esp+58h+var_24]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_52B6F4
		jmp	loc_52B652
; 

loc_52B708:				; CODE XREF: KeRemoveQueueEx+67Bj
		mov	cl, 1
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	dword ptr [edi+58h], 0FFFFFFBFh

loc_52B714:				; CODE XREF: KeRemoveQueueEx+C2CE2j
		push	0
		push	0
		push	0
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		jmp	loc_52B591
KeRemoveQueueEx	endp

; 
; START	OF FUNCTION CHUNK FOR KeRemoveQueueEx

loc_52B724:				; CODE XREF: KeRemoveQueueEx+C2ECAj
					; KeRemoveQueueEx+C2F22j
		mov	[esp+64h+var_48], 1
		jmp	loc_52B383
; END OF FUNCTION CHUNK	FOR KeRemoveQueueEx
; 
		align 10h
; Exported entry 1324. KeWaitForMutexObject
; Exported entry 1325. KeWaitForSingleObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeWaitForSingleObject
KeWaitForSingleObject proc near		; CODE XREF: WmipFindRegEntryByDevice+16p
					; MiWaitForCollidedFaultComplete+CDp ...

var_9A		= byte ptr -9Ah
var_90		= byte ptr -90h
var_8F		= byte ptr -8Fh
var_8E		= byte ptr -8Eh
var_8D		= byte ptr -8Dh
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005EDE62 SIZE 000002BE BYTES

		mov	edi, edi	; KeWaitForMutexObject
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 94h
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	[esp+0A0h+var_30], 0
		mov	[esp+0A0h+var_8C], 0
		btr	dword ptr [esi+58h], 2
		mov	[esp+0A0h+var_88], 0
		setb	dl
		mov	[esp+0A0h+var_8D], 0
		mov	[esp+0A0h+var_70], 0
		mov	[esp+0A0h+var_68], esi
		mov	[esp+0A0h+var_8], 0
		mov	[esp+0A0h+var_4], 0
		mov	[esp+0A0h+var_8F], dl
		test	dl, dl
		jnz	short loc_52B7B7
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	dl, [esp+0A0h+var_8F]
		mov	[esi+92h], al

loc_52B7B7:				; CODE XREF: KeWaitForSingleObject+65j
		mov	edi, [ebp+arg_10]
		test	edi, edi
		jnz	loc_52B9EF
		mov	[esp+0A0h+var_74], edi

loc_52B7C6:				; CODE XREF: KeWaitForSingleObject+2CEj
					; KeWaitForSingleObject+489j
		lea	edi, [esi+2Ch]
		mov	byte ptr [esp+0A0h+var_6C], dl
		mov	[esp+0A0h+var_60], edi

loc_52B7D1:				; CODE XREF: KeWaitForSingleObject+23Cj
		mov	dl, [esi+92h]
		mov	bl, [ebp+arg_C]
		mov	[esp+0A0h+var_8E], dl
		mov	edi, edi

loc_52B7E0:				; CODE XREF: KeWaitForSingleObject+62Aj
		mov	cl, [ebp+arg_8]
		and	dword ptr [esi+58h], 0FFFFFFEFh
		mov	byte ptr [esi+54h], 0
		mov	[esi+93h], cl
		test	bl, bl
		jnz	loc_52BBF6

loc_52B7F9:				; CODE XREF: KeWaitForSingleObject+4BAj
		mov	[esp+0A0h+var_48], 0

loc_52B801:				; CODE XREF: KeWaitForSingleObject+5E5j
		lock bts dword ptr [edi], 0
		jb	loc_52BD16
		cmp	byte ptr [esi+85h], 0
		mov	dl, [esp+0A0h+var_8E]
		jnz	loc_52BD2A

loc_52B81D:				; CODE XREF: KeWaitForSingleObject+5EDj
					; KeWaitForSingleObject+5FBj
		test	bl, bl
		mov	ebx, [ebp+arg_0]
		jnz	loc_52BBCE
		test	byte ptr [esi+86h], 2
		jnz	loc_52BCEC

loc_52B835:				; CODE XREF: KeWaitForSingleObject+4ABj
					; KeWaitForSingleObject+5B0j
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	byte ptr [esi+90h], 5
		mov	[esi+18Bh], al
		mov	eax, ds:_KeTickCount
		mov	[esi+138h], eax
		mov	dword ptr [edi], 0
		xor	edi, edi
		mov	eax, large fs:20h
		mov	byte ptr [esi+0E8h], 1
		mov	byte ptr [esi+0E9h], 4
		mov	[esp+0A0h+var_84], eax
		mov	[esi+0EAh], cx
		mov	[esi+0F0h], ebx
		mov	[esp+0A0h+var_44], ecx
		lock bts dword ptr [ebx], 7
		jb	loc_52BCD0

loc_52B88E:				; CODE XREF: KeWaitForSingleObject+5A4j
		mov	cl, [ebx]
		mov	edx, [ebx+4]
		mov	al, cl
		and	al, 7Fh
		cmp	al, 2
		jz	loc_52BA36
		test	edx, edx
		jg	loc_52BA13

loc_52B8A7:				; CODE XREF: KeWaitForSingleObject+54Ej
					; KeWaitForSingleObject+567j
		cmp	[esp+0A0h+var_74], 2
		mov	eax, [esp+0A0h+var_8C]
		mov	edx, eax
		mov	ecx, [esp+0A0h+var_88]
		mov	edi, ecx
		mov	[esp+0A0h+var_38], edx
		mov	[esp+0A0h+var_64], edi
		mov	[esp+0A0h+var_80], 0
		mov	[esp+0A0h+var_7C], 0
		jz	loc_52BBFF
		cmp	[esp+0A0h+var_74], 0
		jnz	loc_52B981

loc_52B8E1:				; CODE XREF: KeWaitForSingleObject+538j
					; KeWaitForSingleObject+540j
		mov	ecx, [ebx+0Ch]
		lea	eax, [ebx+8]
		cmp	[ecx], eax
		jnz	loc_5EE0AB
		lea	edi, [esi+0E0h]
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		cmp	[esp+0A0h+var_8D], 0
		mov	byte ptr [esi+16Bh], 1
		jnz	loc_5EDF66
		mov	eax, [esp+0A0h+var_70]

loc_52B91D:				; CODE XREF: KeWaitForSingleObject+C2835j
		test	eax, eax
		jnz	loc_5EDF7A

loc_52B925:				; CODE XREF: KeWaitForSingleObject+C2841j
		lea	eax, [esp+0A0h+var_30]
		mov	edx, edi
		push	eax
		push	[esp+0A4h+var_88]
		mov	ecx, esi
		push	[esp+0A8h+var_8C]
		push	[esp+0ACh+var_74]
		call	KiCommitThreadWait
		mov	edi, eax
		mov	eax, [esp+0A0h+var_70]
		test	eax, eax
		jnz	loc_5EDF86

loc_52B94D:				; CODE XREF: KeWaitForSingleObject+C286Ej
					; KeWaitForSingleObject+C2886j
		mov	dword ptr [esi+248h], 0
		cmp	edi, 100h
		jnz	loc_52B9E4
		xor	al, al
		mov	[esp+0A0h+var_8F], al
		mov	byte ptr [esp+0A0h+var_6C], al
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esi+92h], al
		lea	edi, [esi+2Ch]
		jmp	loc_52B7D1
; 

loc_52B981:				; CODE XREF: KeWaitForSingleObject+19Bj
		or	eax, ecx
		jnz	loc_5EDF07

loc_52B989:				; CODE XREF: KeWaitForSingleObject+532j
					; KeWaitForSingleObject+546j
		mov	edi, 102h

loc_52B98E:				; CODE XREF: KeWaitForSingleObject+2DDj
					; KeWaitForSingleObject+2E9j ...
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		mov	byte ptr [esi+90h], 2
		lea	eax, [esp+0A0h+var_24]
		mov	[esp+0A0h+var_24], 0
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, [esi+2Ch]
		lea	ebx, [esi+2Ch]
		test	eax, eax
		jnz	loc_52BD6F

loc_52B9BC:				; CODE XREF: KeWaitForSingleObject+65Aj
		mov	dl, [esi+92h]
		mov	al, [esi+54h]
		mov	byte ptr [esp+0A0h+var_60], dl
		test	al, 38h
		jnz	loc_52BDDB

loc_52B9D1:				; CODE XREF: KeWaitForSingleObject+40Aj
		cmp	[esp+0A0h+var_8F], 0
		jnz	loc_52BD9F
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_52B9E4:				; CODE XREF: KeWaitForSingleObject+21Dj
					; KeWaitForSingleObject+5D1j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_52B9EF:				; CODE XREF: KeWaitForSingleObject+7Cj
		cmp	dword ptr [edi+4], 0
		jl	loc_52BB55
		mov	eax, [edi]
		mov	[esp+0A0h+var_8C], eax
		mov	eax, [edi+4]
		mov	[esp+0A0h+var_88], eax
		mov	[esp+0A0h+var_74], 1
		jmp	loc_52B7C6
; 

loc_52BA13:				; CODE XREF: KeWaitForSingleObject+161j
		and	cl, 7
		cmp	cl, 1
		jz	short loc_52BA2E
		cmp	al, 5
		jnz	loc_52B98E
		lea	eax, [edx-1]
		mov	[ebx+4], eax
		jmp	loc_52B98E
; 

loc_52BA2E:				; CODE XREF: KeWaitForSingleObject+2D9j
		mov	[ebx+4], edi
		jmp	loc_52B98E
; 

loc_52BA36:				; CODE XREF: KeWaitForSingleObject+159j
		mov	al, [ebx+1Ch]
		shr	al, 1
		and	al, 1
		mov	[esp+0A0h+var_8D], al
		test	edx, edx
		jle	loc_52BC8B
		mov	ecx, [esp+0A0h+var_84]

loc_52BA4D:				; CODE XREF: KeWaitForSingleObject+561j
		mov	eax, [ebx+4]
		cmp	eax, 80000000h
		jz	loc_5EE08E
		add	eax, 0FFFFFFFFh
		mov	[ebx+4], eax
		jnz	loc_52B98E
		mov	[esi+94h], edi
		mov	[esp+0A0h+var_2C], edi
		lea	edi, [esi+2Ch]

loc_52BA74:				; CODE XREF: KeWaitForSingleObject+67Fj
		lock bts dword ptr [edi], 0
		jb	loc_52BDB0
		cmp	byte ptr [ebx+1Dh], 0
		jz	short loc_52BA8C
		dec	word ptr [esi+13Ch]

loc_52BA8C:				; CODE XREF: KeWaitForSingleObject+343j
		mov	ecx, [esp+0A0h+var_84]
		cmp	[ecx+4], esi
		jnz	loc_5EDFE8
		mov	cl, [ecx+223Ah]

loc_52BA9F:				; CODE XREF: KeWaitForSingleObject+C28AAj
		xor	eax, eax
		mov	[esp+0A0h+var_14], eax
		mov	[esp+0A0h+var_10], eax
		mov	[esp+0A0h+var_C], eax
		mov	eax, [ebx]
		mov	[esp+0A0h+var_18], eax
		mov	byte ptr [esp+0A0h+var_18+2], cl
		mov	eax, [esp+0A0h+var_18]
		mov	[ebx], eax
		mov	al, [ebx+1Ch]
		mov	[ebx+18h], esi
		test	al, 1
		jnz	loc_52BDC4

loc_52BADD:				; CODE XREF: KeWaitForSingleObject+696j
		test	al, 2
		jnz	loc_5EDFEF
		mov	dword ptr [esi+248h], 0

loc_52BAEF:				; CODE XREF: KeWaitForSingleObject+C28B5j
		mov	edx, [esi+1E0h]
		lea	eax, [esi+1DCh]
		lea	ecx, [ebx+10h]
		cmp	[edx], eax
		jnz	loc_5EE0AB
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		mov	byte ptr [esi+90h], 2
		mov	eax, esi
		mov	dword ptr [edi], 0
		mov	edi, [esi+94h]
		mov	ecx, [eax+248h]
		test	ecx, ecx
		jnz	loc_5EDFFA

loc_52BB3B:				; CODE XREF: KeWaitForSingleObject+C28CFj
					; KeWaitForSingleObject+C28D9j
		mov	dl, [esi+92h]
		mov	al, [esi+54h]
		mov	byte ptr [esp+0A0h+var_60], dl
		test	al, 38h
		jz	loc_52B9D1
		jmp	loc_5EE01E
; 

loc_52BB55:				; CODE XREF: KeWaitForSingleObject+2B3j
		mov	eax, 0FFDF03B0h
		mov	[esp+0A0h+var_60], 0
		mov	[esp+0A0h+var_5C], 0
		mov	ebx, [eax]
		mov	eax, [eax+4]
		mov	ecx, ds:0FFDF000Ch
		mov	edi, ds:0FFDF0008h
		mov	[esp+0A0h+var_8C], edi
		mov	edi, [ebp+arg_10]
		mov	[esp+0A0h+var_6C], ebx
		mov	[esp+0A0h+var_80], eax
		mov	[esp+0A0h+var_4C], 0
		cmp	ecx, ds:0FFDF0010h
		jnz	loc_5EDE62

loc_52BB9E:				; CODE XREF: KeWaitForSingleObject+C275Fj
		sub	[esp+0A0h+var_8C], ebx
		mov	[esp+0A0h+var_74], 2
		sbb	ecx, eax
		mov	eax, [esi+0B4h]
		mov	[esp+0A0h+var_88], ecx
		mov	ecx, [esi+0B0h]
		add	ecx, [edi]
		adc	eax, [edi+4]
		sub	[esp+0A0h+var_8C], ecx
		sbb	[esp+0A0h+var_88], eax
		jmp	loc_52B7C6
; 

loc_52BBCE:				; CODE XREF: KeWaitForSingleObject+E2j
		mov	cl, [ebp+arg_8]
		movsx	eax, cl
		cmp	byte ptr [eax+esi+56h],	0
		jnz	loc_5EDFD9
		test	cl, cl
		jnz	loc_52BCB8

loc_52BBE7:				; CODE XREF: KeWaitForSingleObject+57Dj
		cmp	byte ptr [esi+56h], 0
		jz	loc_52B835
		jmp	loc_5EDFCB
; 

loc_52BBF6:				; CODE XREF: KeWaitForSingleObject+B3j
		or	dword ptr [esi+58h], 10h
		jmp	loc_52B7F9
; 

loc_52BBFF:				; CODE XREF: KeWaitForSingleObject+190j
		mov	eax, 0FFDF03B0h
		mov	[esp+0A0h+var_38], 0
		mov	[esp+0A0h+var_34], 0
		mov	edi, [eax]
		mov	eax, [eax+4]
		mov	ecx, ds:0FFDF000Ch
		mov	[esp+0A0h+var_64], eax
		mov	eax, ds:0FFDF0008h
		mov	[esp+0A0h+var_80], edi
		mov	[esp+0A0h+var_40], 0
		cmp	ecx, ds:0FFDF0010h
		jnz	loc_5EDEA4

loc_52BC40:				; CODE XREF: KeWaitForSingleObject+C2788j
		sub	eax, [esi+0B0h]
		mov	ebx, [esi+240h]
		sbb	ecx, [esi+0B4h]
		sub	eax, edi
		mov	edx, [esp+0A0h+var_8C]
		sbb	ecx, [esp+0A0h+var_64]
		cmp	byte ptr [esi+93h], 0
		mov	edi, [esp+0A0h+var_88]
		mov	[esp+0A0h+var_80], ebx
		mov	ebx, [ebp+arg_0]
		jnz	short loc_52BCAC

loc_52BC70:				; CODE XREF: KeWaitForSingleObject+571j
					; KeWaitForSingleObject+C2794j	...
		cmp	ecx, edi
		ja	loc_52B989
		jb	loc_52B8E1
		cmp	eax, edx
		jbe	loc_52B8E1
		jmp	loc_52B989
; 

loc_52BC8B:				; CODE XREF: KeWaitForSingleObject+303j
		cmp	esi, [ebx+18h]
		jnz	loc_52B8A7
		mov	ecx, [esp+0A0h+var_84]
		mov	al, [ecx+223Ah]
		cmp	[ebx+2], al
		jz	loc_52BA4D
		jmp	loc_52B8A7
; 

loc_52BCAC:				; CODE XREF: KeWaitForSingleObject+52Ej
		cmp	[esp+0A0h+var_80], 0
		jz	short loc_52BC70
		jmp	loc_5EDECD
; 

loc_52BCB8:				; CODE XREF: KeWaitForSingleObject+4A1j
		lea	eax, [esi+78h]
		cmp	[eax], eax
		jz	loc_52BBE7
		or	byte ptr [esi+86h], 2
		jmp	short loc_52BCF6
; 
		align 10h

loc_52BCD0:				; CODE XREF: KeWaitForSingleObject+148j
					; KeWaitForSingleObject+59Dj ...
		lea	ecx, [esp+0A0h+var_44]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	al, al
		js	short loc_52BCD0
		lock bts dword ptr [ebx], 7
		jnb	loc_52B88E
		jmp	short loc_52BCD0
; 

loc_52BCEC:				; CODE XREF: KeWaitForSingleObject+EFj
		cmp	[ebp+arg_8], 0
		jz	loc_52B835

loc_52BCF6:				; CODE XREF: KeWaitForSingleObject+58Aj
		mov	edi, 0C0h

loc_52BCFB:				; CODE XREF: KeWaitForSingleObject+C2894j
					; KeWaitForSingleObject+C28A3j
		mov	ebx, [esp+0A0h+var_60]
		mov	dword ptr [ebx], 0
		mov	ecx, large fs:20h

loc_52BD0C:				; CODE XREF: KeWaitForSingleObject+663j
		call	KiCheckForThreadDispatch
		jmp	loc_52B9E4
; 

loc_52BD16:				; CODE XREF: KeWaitForSingleObject+C6j
					; KeWaitForSingleObject+5E3j
		lea	ecx, [esp+0A0h+var_48]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_52BD16
		jmp	loc_52B801
; 

loc_52BD2A:				; CODE XREF: KeWaitForSingleObject+D7j
		cmp	dl, 1
		jnb	loc_52B81D
		cmp	word ptr [esi+13Eh], 0
		jnz	loc_52B81D
		mov	cl, 1
		mov	dword ptr [edi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	0
		push	0
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	al, [esp+0ACh+var_9A]
		mov	[esi+92h], al
		jmp	loc_52B7E0
; 

loc_52BD6F:				; CODE XREF: KeWaitForSingleObject+276j
		mov	[esp+0A0h+var_20], ecx

loc_52BD76:				; CODE XREF: KeWaitForSingleObject+652j
		lock bts dword ptr [ebx], 0
		jnb	short loc_52BD94
		lea	ecx, [ecx+0]

loc_52BD80:				; CODE XREF: KeWaitForSingleObject+650j
		lea	ecx, [esp+0A0h+var_20]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_52BD80
		jmp	short loc_52BD76
; 

loc_52BD94:				; CODE XREF: KeWaitForSingleObject+63Bj
		mov	dword ptr [ebx], 0
		jmp	loc_52B9BC
; 

loc_52BD9F:				; CODE XREF: KeWaitForSingleObject+296j
		mov	ecx, [esp+0A0h+var_84]
		jmp	loc_52BD0C
; 
		jmp	short loc_52BDB0
; 
		align 10h

loc_52BDB0:				; CODE XREF: KeWaitForSingleObject+339j
					; KeWaitForSingleObject+668j ...
		lea	ecx, [esp+0A0h+var_2C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_52BDB0
		jmp	loc_52BA74
; 

loc_52BDC4:				; CODE XREF: KeWaitForSingleObject+397j
		and	al, 0FEh
		mov	[ebx+1Ch], al
		or	dword ptr [esi+94h], 80h
		mov	al, [ebx+1Ch]
		jmp	loc_52BADD
; 

loc_52BDDB:				; CODE XREF: KeWaitForSingleObject+28Bj
		test	al, 18h
		jnz	loc_5EE0B2

loc_52BDE3:				; CODE XREF: KeWaitForSingleObject+C28E0j
		mov	ecx, [esp+0A0h+var_84]
		mov	dl, 1
		call	KiCheckForThreadDispatch
		push	0
		push	0
		push	0
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		xor	cl, cl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
KeWaitForSingleObject endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiCommitThreadWait proc	near		; CODE XREF: KeRemovePriQueue+139p
					; KeWaitForMultipleObjects+391p ...

var_48		= dword	ptr -48h
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005EE120 SIZE 000000CF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		xor	eax, eax
		mov	[esp+3Ch+var_28], edx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+44h+var_10], eax
		xor	cl, cl
		mov	[esp+44h+var_C], eax
		push	edi
		mov	[esp+48h+var_8], eax
		mov	[esp+48h+var_4], eax
		mov	[esp+48h+var_34], eax
		mov	[esp+48h+var_24], eax
		mov	[esp+48h+var_35], cl
		cmp	[ebp+arg_0], eax
		jnz	loc_52C018

loc_52BE4D:				; CODE XREF: KiCommitThreadWait+219j
		mov	ebx, large fs:20h
		mov	[esp+48h+var_30], ebx
		mov	[esi+98h], edx
		cmp	[esi+93h], al
		jz	loc_52BFA9
		test	byte ptr [esi+5Ch], 40h
		jz	loc_52BFA9
		cmp	byte ptr [esi+87h], 19h
		jge	loc_52BFA9
		mov	[esp+48h+var_2C], 1

loc_52BE89:				; CODE XREF: KiCommitThreadWait+19Fj
		lea	edi, [esi+2Ch]
		mov	[esp+48h+var_20], 0

loc_52BE94:				; CODE XREF: KiCommitThreadWait+46Fj
		lock bts dword ptr [edi], 0
		jb	loc_52C270
		mov	al, [esi+54h]
		mov	edi, [ebp+arg_0]
		test	al, 0E7h
		jnz	loc_52C1D9
		and	al, 0F9h
		or	al, 1
		cmp	[esp+48h+var_2C], 0
		mov	[esi+54h], al
		jz	short loc_52BF13
		lea	edi, [ebx+3B28h]
		mov	[esp+48h+var_1C], 0
		lea	esp, [esp+0]

loc_52BED0:				; CODE XREF: KiCommitThreadWait+553j
		lock bts dword ptr [edi], 0
		jb	loc_52C354
		mov	edx, [ebx+3B30h]
		lea	eax, [ebx+3B2Ch]
		mov	edi, [ebp+arg_0]
		lea	ecx, [esi+9Ch]
		cmp	[edx], eax
		jnz	loc_52C269
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		xor	ecx, ecx
		mov	[esi+1B4h], ebx
		lea	eax, [ebx+3B28h]
		lock and [eax],	ecx

loc_52BF13:				; CODE XREF: KiCommitThreadWait+A9j
		mov	ecx, [esi+5Ch]
		lea	edx, [esi+5Ch]
		test	ecx, 1000h
		jnz	loc_5EE120

loc_52BF25:				; CODE XREF: KiCommitThreadWait+C2317j
		bt	ecx, 0Eh
		setb	cl
		bt	dword ptr [esi+58h], 13h
		setb	al
		test	cl, al
		jnz	loc_52C19A

loc_52BF3C:				; CODE XREF: KiCommitThreadWait+38Fj
					; KiCommitThreadWait+39Dj
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_8]
		mov	[esp+48h+var_28], ecx
		mov	[esp+48h+var_2C], edx
		mov	[esp+48h+var_35], 0
		cmp	edi, 2
		jz	loc_52C02E

loc_52BF58:				; CODE XREF: KiCommitThreadWait+22Bj
					; KiCommitThreadWait+238j ...
		cmp	byte ptr [esi+18Bh], 0Fh
		jz	short loc_52BF6B
		mov	ebx, [esi+0A4h]
		test	ebx, ebx
		jnz	short loc_52BFB4

loc_52BF6B:				; CODE XREF: KiCommitThreadWait+14Fj
		mov	dword ptr [esi+2Ch], 0

loc_52BF72:				; CODE XREF: KiCommitThreadWait+203j
					; KiCommitThreadWait+385j ...
		cmp	[esp+48h+var_24], 0
		jnz	loc_52C1C9

loc_52BF7D:				; CODE XREF: KiCommitThreadWait+3C4j
		mov	byte ptr [esi+15Dh], 0
		test	edi, edi
		jnz	loc_52C07A
		mov	edi, [esp+48h+var_30]

loc_52BF90:				; CODE XREF: KiCommitThreadWait+2FEj
					; KiCommitThreadWait+59Bj ...
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, esi
		call	KiSwapThread
		mov	edi, eax

loc_52BF9E:				; CODE XREF: KiCommitThreadWait+4AAj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_52BFA9:				; CODE XREF: KiCommitThreadWait+54j
					; KiCommitThreadWait+5Ej ...
		xor	eax, eax
		mov	[esp+48h+var_2C], eax
		jmp	loc_52BE89
; 

loc_52BFB4:				; CODE XREF: KiCommitThreadWait+159j
		mov	al, [ebx]
		and	al, 7Fh
		cmp	al, 15h
		jz	loc_52C16E
		mov	ecx, 18h

loc_52BFC5:				; CODE XREF: KiCommitThreadWait+379j
		lock dec dword ptr [ebx+ecx]
		lock bts dword ptr [ebx], 7
		jb	loc_52C1B2
		mov	al, 1

loc_52BFD6:				; CODE XREF: KiCommitThreadWait+3A4j
		mov	dword ptr [esi+2Ch], 0
		test	al, al
		jz	loc_52C1B9
		mov	al, [ebx]
		and	al, 7Fh
		cmp	al, 15h
		jz	loc_52C18E
		mov	eax, [ebx+18h]
		cmp	eax, [ebx+1Ch]
		jnb	short loc_52C00B
		mov	edx, [ebx+10h]
		lea	eax, [ebx+10h]
		mov	[esp+48h+var_18], edx
		cmp	edx, eax
		jnz	loc_52C123

loc_52C00B:				; CODE XREF: KiCommitThreadWait+1E7j
					; KiCommitThreadWait+318j ...
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		jmp	loc_52BF72
; 

loc_52C018:				; CODE XREF: KiCommitThreadWait+37j
		or	dword ptr [esi+58h], 200h
		or	dword ptr [esi+0B8h], 40000080h
		jmp	loc_52BE4D
; 

loc_52C02E:				; CODE XREF: KiCommitThreadWait+142j
		mov	ebx, [esi+240h]
		cmp	byte ptr [esi+93h], 0
		jz	loc_52BF58
		cmp	dword ptr [esi+13Ch], 0
		jnz	loc_52BF58
		cmp	byte ptr [esi+92h], 0
		jnz	loc_52BF58
		cmp	byte ptr [esi+84h], 0
		jnz	loc_52BF58
		mov	[esp+48h+var_35], 1
		test	ebx, ebx
		jz	loc_52BF58
		jmp	loc_5EE12C
; 

loc_52C07A:				; CODE XREF: KiCommitThreadWait+176j
		lea	ebx, [esi+0B8h]
		cmp	edi, 2
		jnz	loc_5EE161
		mov	ecx, 0FFDF03B0h
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	edx, [esi+0B0h]
		add	edx, eax
		mov	eax, [esi+0B4h]
		adc	eax, ecx
		add	edx, [esp+48h+var_28]
		mov	[ebx+10h], edx
		adc	eax, [esp+48h+var_2C]
		mov	[ebx+14h], eax
		shrd	edx, eax, 12h
		movzx	eax, dl
		mov	[esp+48h+var_34], eax
		mov	eax, [ebx]
		mov	ecx, [esp+48h+var_34]
		mov	[esp+48h+var_10], eax
		and	byte ptr [esp+48h+var_10+1], 0FEh
		cmp	[esp+48h+var_35], 0
		mov	byte ptr [esp+48h+var_10+2], cl
		mov	eax, [esp+48h+var_10]
		mov	[ebx], eax
		jnz	short loc_52C113

loc_52C0DC:				; CODE XREF: KiCommitThreadWait+311j
					; KiCommitThreadWait+C236Fj
		mov	edi, [esp+48h+var_30]
		mov	edx, ebx
		push	0
		push	ecx
		push	0
		mov	ecx, edi
		call	KiInsertTimerTable
		test	al, al
		jz	loc_52C3A0
		test	ds:dword_70EFC8, 20000h
		jnz	loc_5EE184
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		jmp	loc_52BF90
; 

loc_52C113:				; CODE XREF: KiCommitThreadWait+2CAj
		mov	eax, [esi+150h]
		add	eax, 450h
		lock inc dword ptr [eax]
		jmp	short loc_52C0DC
; 

loc_52C123:				; CODE XREF: KiCommitThreadWait+1F5j
		lea	eax, [ebx+8]
		cmp	[eax], eax
		jz	loc_52C00B
		mov	ecx, [edx]
		mov	eax, [edx+4]
		cmp	[ecx+4], edx
		jnz	loc_52C269
		cmp	[eax], edx
		jnz	loc_52C269
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	ecx, large fs:20h
		mov	dword ptr [edx], 0
		push	edx
		mov	edx, ebx
		call	KiWakeQueueWaiter
		test	al, al
		jz	loc_5EE13F
		dec	dword ptr [ebx+4]
		jmp	loc_52C00B
; 

loc_52C16E:				; CODE XREF: KiCommitThreadWait+1AAj
		movzx	ecx, byte ptr [esi+14Ch]
		mov	eax, ecx
		or	eax, 100h
		mov	[esi+14Ch], eax
		lea	ecx, ds:110h[ecx*4]
		jmp	loc_52BFC5
; 

loc_52C18E:				; CODE XREF: KiCommitThreadWait+1DBj
		mov	ecx, ebx
		call	KiActivateWaiterPriQueue
		jmp	loc_52BF72
; 

loc_52C19A:				; CODE XREF: KiCommitThreadWait+126j
		lock bts dword ptr [edx], 14h
		jb	loc_52BF3C
		mov	[esp+48h+var_24], 1
		jmp	loc_52BF3C
; 

loc_52C1B2:				; CODE XREF: KiCommitThreadWait+1BEj
		xor	al, al
		jmp	loc_52BFD6
; 

loc_52C1B9:				; CODE XREF: KiCommitThreadWait+1CFj
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	KiActivateWaiterQueueWithNoLocks
		jmp	loc_52BF72
; 

loc_52C1C9:				; CODE XREF: KiCommitThreadWait+167j
		mov	ecx, [esi+80h]
		call	@KiDecrementProcessStackCount@4	; KiDecrementProcessStackCount(x)
		jmp	loc_52BF7D
; 

loc_52C1D9:				; CODE XREF: KiCommitThreadWait+97j
		test	al, 7
		jz	loc_52C2C5

loc_52C1E1:				; CODE XREF: KiCommitThreadWait+56Cj
		mov	cl, [esp+48h+var_35]

loc_52C1E5:				; CODE XREF: KiCommitThreadWait+4E0j
		mov	byte ptr [esi+90h], 2
		cmp	byte ptr [esi+18Bh], 0Fh
		jz	loc_52C381

loc_52C1F9:				; CODE XREF: KiCommitThreadWait+579j
					; KiCommitThreadWait+58Bj ...
		mov	dword ptr [esi+2Ch], 0
		test	edi, edi
		jnz	loc_52C348

loc_52C208:				; CODE XREF: KiCommitThreadWait+53Fj
		mov	edx, [ebp+arg_C]
		mov	edi, [esi+94h]
		test	edx, edx
		jz	short loc_52C21D
		mov	eax, [esi+248h]
		mov	[edx], eax

loc_52C21D:				; CODE XREF: KiCommitThreadWait+403j
		test	cl, cl
		jnz	loc_52C2F5

loc_52C225:				; CODE XREF: KiCommitThreadWait+533j
		movzx	eax, byte ptr [esi+16Bh]
		mov	edx, [esp+48h+var_28]
		lea	eax, [eax+eax*2]
		lea	eax, [edx+eax*8]
		mov	[esp+48h+var_18], eax
		lea	ebx, [ebx+0]

loc_52C240:				; CODE XREF: KiCommitThreadWait+490j
		mov	al, [edx+9]
		cmp	al, 5
		jnb	short loc_52C295
		mov	eax, [edx+10h]
		mov	ecx, eax
		mov	[esp+48h+var_14], eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [esp+48h+var_28]
		cmp	byte ptr [edx+9], 4
		jnz	short loc_52C289
		mov	eax, [edx]
		mov	ecx, [edx+4]
		cmp	[eax+4], edx
		jz	short loc_52C2BF

loc_52C269:				; CODE XREF: KiCommitThreadWait+E2j
					; KiCommitThreadWait+326j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_52C270:				; CODE XREF: KiCommitThreadWait+89j
					; KiCommitThreadWait+46Dj
		lea	ecx, [esp+48h+var_20]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_52C270
		jmp	loc_52BE94
; 

loc_52C284:				; CODE XREF: KiCommitThreadWait+4B3j
		mov	[ecx], eax
		mov	[eax+4], ecx

loc_52C289:				; CODE XREF: KiCommitThreadWait+44Dj
		mov	eax, [esp+48h+var_14]
		mov	ecx, 0FFFFFF7Fh
		lock and [eax],	ecx

loc_52C295:				; CODE XREF: KiCommitThreadWait+435j
		add	edx, 18h
		mov	[esp+48h+var_28], edx
		cmp	edx, [esp+48h+var_18]
		jnz	short loc_52C240
		cmp	dword ptr [ebx+3B1Ch], 0
		jnz	loc_5EE1DA

loc_52C2AF:				; CODE XREF: KiCommitThreadWait+C23DAj
		push	1
		mov	edx, esi
		mov	ecx, ebx
		call	KiExitThreadWait
		jmp	loc_52BF9E
; 

loc_52C2BF:				; CODE XREF: KiCommitThreadWait+457j
		cmp	[ecx], edx
		jnz	short loc_52C269
		jmp	short loc_52C284
; 

loc_52C2C5:				; CODE XREF: KiCommitThreadWait+3CBj
		test	al, 20h
		jnz	loc_52C368
		and	al, 40h
		mov	cl, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFBFh
		add	eax, 101h
		mov	[esi+94h], eax
		mov	dword ptr [esi+248h], 0
		jmp	loc_52C1E5
; 

loc_52C2F5:				; CODE XREF: KiCommitThreadWait+40Fj
		mov	cl, [esi+93h]
		lea	ebx, [esi+2Ch]
		mov	[esp+48h+var_35], cl
		mov	[esp+48h+var_14], 0
		lea	ebx, [ebx+0]

loc_52C310:				; CODE XREF: KiCommitThreadWait+C239Cj
		lock bts dword ptr [ebx], 0
		jb	loc_5EE19D
		cmp	edi, 101h
		jnz	loc_52C3B0
		test	byte ptr [esi+58h], 10h
		jnz	loc_5EE1B1
		lea	eax, [esi+5Ch]
		lock btr dword ptr [eax], 4

loc_52C339:				; CODE XREF: KiCommitThreadWait+5A5j
					; KiCommitThreadWait+5AEj ...
		mov	dword ptr [ebx], 0
		mov	ebx, [esp+48h+var_30]
		jmp	loc_52C225
; 

loc_52C348:				; CODE XREF: KiCommitThreadWait+3F2j
		and	dword ptr [esi+58h], 0FFFFFDFFh
		jmp	loc_52C208
; 

loc_52C354:				; CODE XREF: KiCommitThreadWait+C5j
					; KiCommitThreadWait+551j
		lea	ecx, [esp+48h+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_52C354
		jmp	loc_52BED0
; 

loc_52C368:				; CODE XREF: KiCommitThreadWait+4B7j
		mov	dword ptr [esi+94h], 100h
		mov	dword ptr [esi+248h], 0
		jmp	loc_52C1E1
; 

loc_52C381:				; CODE XREF: KiCommitThreadWait+3E3j
		mov	edx, [esi+0A4h]
		test	edx, edx
		jz	loc_52C1F9
		mov	al, [edx]
		and	al, 7Fh
		cmp	al, 15h
		jz	short loc_52C3C3
		lock inc dword ptr [edx+18h]
		jmp	loc_52C1F9
; 

loc_52C3A0:				; CODE XREF: KiCommitThreadWait+2E0j
					; KiCommitThreadWait+C2388j
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	KiTimerWaitTest
		jmp	loc_52BF90
; 

loc_52C3B0:				; CODE XREF: KiCommitThreadWait+511j
		lea	eax, [esi+78h]
		cmp	[eax], eax
		jz	short loc_52C339
		or	byte ptr [esi+86h], 2
		jmp	loc_52C339
; 

loc_52C3C3:				; CODE XREF: KiCommitThreadWait+585j
		movzx	eax, byte ptr [esi+14Ch]
		mov	[esi+14Ch], eax
		lock inc dword ptr [edx+eax*4+110h]
		jmp	loc_52C1F9
KiCommitThreadWait endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSwapThread	proc near		; CODE XREF: KeTerminateThread+136p
					; KiInSwapSingleProcess(x,x,x)+46p ...

var_A0		= dword	ptr -0A0h
var_92		= byte ptr -92h
var_91		= byte ptr -91h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_65		= byte ptr -65h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005EE1EF SIZE 000003D8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+94h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, edx
		mov	[esp+9Ch+var_24], eax
		mov	ebx, ecx
		mov	[esp+9Ch+var_80], esi
		push	edi
		mov	[esp+0A0h+var_7C], ebx
		cmp	dword ptr [esi+3B1Ch], 0
		jnz	loc_52CF9C

loc_52C41F:				; CODE XREF: KiSwapThread+BCCj
		xor	edx, edx
		mov	ecx, ebx
		call	KiAbProcessContextSwitch
		cli
		mov	byte ptr [esi+11h], 1
		nop
		mov	ecx, [ebx+30h]
		rdtsc
		mov	edi, eax
		sub	eax, [esi+3B40h]
		mov	[esp+0A0h+var_8C], eax
		mov	eax, edx
		sbb	eax, [esi+3B44h]
		add	ecx, [esp+0A0h+var_8C]
		mov	[esp+0A0h+var_90], eax
		mov	eax, [ebx+34h]
		adc	eax, [esp+0A0h+var_90]
		mov	[esp+0A0h+var_1C], eax
		mov	[esp+0A0h+var_20], ecx
		mov	[ebx+38h], eax
		mov	[ebx+30h], ecx
		mov	eax, [ebx+38h]
		mov	[ebx+34h], eax
		xor	eax, eax
		mov	ecx, [ebx+40h]
		add	ecx, [esp+0A0h+var_8C]
		adc	eax, [esp+0A0h+var_90]
		jnz	loc_52CFC9
		cmp	ecx, 0FFFFFFFFh
		ja	loc_52CFC9

loc_52C48C:				; CODE XREF: KiSwapThread+BF4j
		mov	[esi+3B40h], edi
		mov	[esi+3B44h], edx
		mov	al, [ebx+2]
		mov	[ebx+40h], ecx
		mov	[esp+0A0h+var_92], al
		test	al, 3Eh
		jz	loc_52C5D2
		test	al, 10h
		jnz	loc_5EE1EF

loc_52C4B2:				; CODE XREF: KiSwapThread+C1E59j
		test	al, 20h
		jz	loc_52C5C2
		mov	ecx, [ebx+388h]
		mov	[esp+0A0h+var_74], ecx
		test	ecx, ecx
		jz	loc_52C5C0
		mov	edi, [esi+3EA0h]
		mov	eax, [esi+3EA4h]
		test	edi, edi
		jz	loc_52CF49
		test	eax, eax
		jz	loc_52CF49
		cmp	byte ptr [eax+54h], 0
		jnz	loc_5EE23E
		mov	edx, [eax+38h]
		mov	eax, [edi+88h]
		cmp	edx, eax
		jb	short loc_52C501
		mov	edx, eax

loc_52C501:				; CODE XREF: KiSwapThread+11Dj
					; KiSwapThread+B6Ej ...
		cmp	edx, 4Bh
		jb	loc_52CFEE
		mov	edx, 3

loc_52C50F:				; CODE XREF: KiSwapThread+C18j
		movzx	eax, byte ptr [esi+3ED0h]
		mov	[esp+0A0h+var_84], eax
		mov	[esp+0A0h+var_78], edx
		lea	eax, [eax+edx*2]
		lea	esi, [ecx+eax*8]
		mov	ecx, [esi]
		add	ecx, [esp+0A0h+var_8C]
		mov	eax, [esi+4]
		adc	eax, [esp+0A0h+var_90]
		mov	[esp+0A0h+var_88], ecx
		mov	[esp+0A0h+var_60], eax
		lea	esp, [esp+0]

loc_52C540:				; CODE XREF: KiSwapThread+17Cj
					; KiSwapThread+182j
		mov	edi, [esi]
		mov	eax, edi
		mov	edx, [esi+4]
		mov	[esp+0A0h+var_64], edx
		nop
		mov	ebx, ecx
		mov	ecx, [esp+0A0h+var_60]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [esp+0A0h+var_88]
		cmp	eax, edi
		jnz	short loc_52C540
		cmp	edx, [esp+0A0h+var_64]
		jnz	short loc_52C540
		mov	edi, [esp+0A0h+var_74]
		mov	eax, _KiTimelineBitmapTime
		mov	edx, [edi+0C0h]
		cmp	eax, edx
		ja	loc_52CEA9
		sub	edx, eax
		cmp	edx, 20h
		jnb	short loc_52C591
		mov	eax, [edi+0C4h]
		bts	eax, edx
		mov	[edi+0C4h], eax

loc_52C591:				; CODE XREF: KiSwapThread+1A0j
					; KiSwapThread+AEDj
		cmp	ds:_KiEfficiencyClassSystem, 0
		mov	ebx, [esp+0A0h+var_7C]
		jnz	short loc_52C5AB
		cmp	byte ptr [ebx+244h], 2
		jz	loc_5EE246

loc_52C5AB:				; CODE XREF: KiSwapThread+1BCj
					; KiSwapThread+C1EBDj
		cmp	dword ptr [ebx+36Ch], 0
		jnz	loc_52CBC4

loc_52C5B8:				; CODE XREF: KiSwapThread+896j
		mov	esi, [esp+0A0h+var_80]
		mov	al, [esp+0A0h+var_92]

loc_52C5C0:				; CODE XREF: KiSwapThread+E6j
		and	al, 0DFh

loc_52C5C2:				; CODE XREF: KiSwapThread+D4j
		test	al, 40h
		jnz	loc_5EE2A2

loc_52C5CA:				; CODE XREF: KiSwapThread+C1EC4j
		test	al, 3Eh
		jnz	loc_52CC7B

loc_52C5D2:				; CODE XREF: KiSwapThread+C4j
					; KiSwapThread+8EEj ...
		sti
		mov	ecx, [ebx+44h]
		lea	edi, [esi+2224h]
		mov	eax, [ebx+40h]
		shr	ecx, 1
		shr	eax, 1
		add	ecx, eax
		mov	dword ptr [ebx+40h], 0
		mov	[ebx+44h], ecx
		mov	[esp+0A0h+var_50], 0
		jmp	short loc_52C600
; 
		align 10h

loc_52C600:				; CODE XREF: KiSwapThread+217j
					; KiSwapThread+B9Fj
		lock bts dword ptr [edi], 0
		jb	loc_52CF70
		mov	edi, [ebx+50h]
		mov	[esp+0A0h+var_70], edi
		test	edi, edi
		jnz	loc_52CCD9

loc_52C61A:				; CODE XREF: KiSwapThread+901j
					; KiSwapThread+944j
		mov	edi, [esi+8]
		mov	[esp+0A0h+var_38], 0
		test	edi, edi
		jnz	loc_52CB84
		lea	ecx, [ecx+0]

loc_52C630:				; CODE XREF: KiSwapThread+C70j
		mov	edx, esi
		mov	ecx, 1
		call	KiSelectReadyThread
		mov	edi, eax
		test	edi, edi
		jnz	loc_52CD4C
		cmp	ds:_KiPerfIsoEnabled, eax
		jnz	loc_5EE307

loc_52C652:				; CODE XREF: KiSwapThread+C1F78j
					; KiSwapThread+C1F8Dj ...
		mov	ecx, [esi+3CECh]
		lea	eax, [esi+3CE8h]
		xor	edi, edi
		test	cl, 1
		jnz	loc_52C9D2
		mov	eax, ecx

loc_52C66B:				; CODE XREF: KiSwapThread+600j
		test	eax, eax
		jnz	loc_52CD30

loc_52C673:				; CODE XREF: KiSwapThread+C1FE9j
		test	edi, edi
		jnz	loc_52CD4C

loc_52C67B:				; CODE XREF: KiSwapThread+5F5j
					; KiSwapThread+C1F64j ...
		mov	edx, esi
		xor	ecx, ecx
		call	KiSelectReadyThread
		mov	edi, eax
		test	edi, edi
		jnz	loc_52CD4C
		mov	al, [esi+2238h]
		cmp	al, 7
		jz	loc_5EE3E2
		mov	[esp+0A0h+var_84], edi

loc_52C6A0:				; CODE XREF: KiSwapThread+C200Aj
		mov	ecx, [esi+4DCh]
		mov	edx, [esi+338h]
		movzx	eax, al
		test	ecx, ecx
		jnz	loc_5EE3EF

loc_52C6B7:				; CODE XREF: KiSwapThread+C2013j
		mov	byte ptr [esi+223Bh], 0
		test	al, 1
		jz	short loc_52C70C
		sub	eax, 1
		mov	[esi+2238h], al
		jnz	short loc_52C6D8
		movzx	eax, byte ptr [esi+3C4h]
		lock bts [edx],	eax

loc_52C6D8:				; CODE XREF: KiSwapThread+2EBj
		movzx	eax, byte ptr [esi+3C4h]
		lea	edi, [edx+0Ch]
		lock bts [edi],	eax
		mov	ecx, [esi+402Ch]
		mov	eax, ecx
		and	eax, [edi]
		cmp	eax, ecx
		jnz	loc_52CA60
		lea	eax, [edx+4]

loc_52C6FB:				; CODE XREF: KiSwapThread+698j
		lock or	[eax], ecx

loc_52C6FE:				; CODE XREF: KiSwapThread+68Fj
		movzx	ecx, byte ptr [esi+3C4h]
		lea	eax, [edx+8]
		lock btr [eax],	ecx

loc_52C70C:				; CODE XREF: KiSwapThread+2E0j
		mov	edi, [esi+0Ch]
		test	byte ptr [edi+2], 4
		jnz	loc_5EE3F8

loc_52C719:				; CODE XREF: KiSwapThread+C202Bj
		mov	cl, [edi+87h]

loc_52C71F:				; CODE XREF: KiSwapThread+C2025j
		mov	eax, [esi+33Ch]
		mov	[eax], cl
		test	byte ptr [esi+2238h], 2
		jnz	loc_5EE410
		xor	eax, eax

loc_52C736:				; CODE XREF: KiSwapThread+C2035j
		xor	ecx, ecx
		lea	edi, [esi+2224h]
		lock and [edi],	ecx
		test	eax, eax
		jnz	loc_5EE41A

loc_52C749:				; CODE XREF: KiSwapThread+C2044j
		mov	edx, [esi+338h]
		movzx	eax, word ptr [edx+8Ah]
		mov	[esp+0A0h+var_64], eax
		mov	eax, [edx+80h]
		mov	[esp+0A0h+var_84], eax

loc_52C764:				; CODE XREF: KiSwapThread+C205Fj
		mov	edi, [edx+90h]
		mov	ecx, [edx+84h]
		movzx	eax, byte ptr [esi+3C4h]
		mov	[esp+0A0h+var_8C], edi
		mov	edi, ecx
		mov	[esp+0A0h+var_74], edx
		mov	[esp+0A0h+var_78], eax
		mov	[esp+0A0h+var_90], edi
		cmp	edx, [esi+338h]
		jnz	short loc_52C7B8
		mov	eax, [esp+0A0h+var_8C]
		xor	eax, [esi+4020h]
		xor	ecx, [esi+3C8h]
		test	ds:_KiCacheAwareScheduling, 2
		mov	[esp+0A0h+var_8C], eax
		jz	short loc_52C7B8
		and	edi, [esi+4034h]
		mov	[esp+0A0h+var_90], edi

loc_52C7B8:				; CODE XREF: KiSwapThread+3AFj
					; KiSwapThread+3CCj
		mov	eax, [edx+0Ch]
		not	eax
		and	ecx, eax

loc_52C7BF:				; CODE XREF: KiSwapThread+4CCj
		mov	[esp+0A0h+var_88], ecx
		test	ecx, ecx
		jz	loc_52C8B1

loc_52C7CB:				; CODE XREF: KiSwapThread+4D6j
		mov	eax, edi
		and	eax, [esp+0A0h+var_8C]
		jz	short loc_52C83D
		mov	ecx, [esp+0A0h+var_78]
		ror	eax, cl
		mov	[esp+0A0h+var_80], eax
		lea	ecx, [ecx+0]

loc_52C7E0:				; CODE XREF: KiSwapThread+453j
		bsf	eax, eax
		mov	[esp+0A0h+var_40], 0
		mov	[esp+0A0h+var_40], eax
		add	eax, ecx
		and	eax, 1Fh
		mov	edi, ds:_KiProcessorBlock[eax*4]
		mov	edx, [edi+4020h]
		not	edx
		and	[esp+0A0h+var_8C], edx
		mov	eax, edx
		ror	eax, cl
		xor	edx, edx
		and	[esp+0A0h+var_80], eax
		mov	ecx, esi
		mov	eax, [edi+4024h]
		push	eax
		call	KiSearchForNewThreadOnProcessor
		mov	edi, eax
		test	edi, edi
		jnz	loc_52C93A
		mov	eax, [esp+0A0h+var_80]
		mov	ecx, [esp+0A0h+var_78]
		test	eax, eax
		jnz	short loc_52C7E0
		mov	ecx, [esp+0A0h+var_88]
		mov	edi, [esp+0A0h+var_90]

loc_52C83D:				; CODE XREF: KiSwapThread+3F1j
		mov	edx, edi
		and	edx, ecx
		jz	short loc_52C89A
		mov	ecx, [esp+0A0h+var_78]
		ror	edx, cl
		lea	esp, [esp+0]

loc_52C850:				; CODE XREF: KiSwapThread+4B0j
		bsf	eax, edx
		mov	[esp+0A0h+var_3C], 0
		btc	edx, eax
		mov	[esp+0A0h+var_3C], eax
		mov	[esp+0A0h+var_70], edx
		push	0
		lea	edx, [eax+ecx]
		mov	ecx, esi
		and	edx, 1Fh
		mov	edx, ds:_KiProcessorBlock[edx*4]
		call	KiSearchForNewThreadOnProcessor
		mov	edi, eax
		test	edi, edi
		jnz	loc_52C93A
		mov	edx, [esp+0A0h+var_70]
		mov	ecx, [esp+0A0h+var_78]
		test	edx, edx
		jnz	short loc_52C850
		mov	ecx, [esp+0A0h+var_88]
		mov	edi, [esp+0A0h+var_90]

loc_52C89A:				; CODE XREF: KiSwapThread+461j
		mov	edx, [esp+0A0h+var_74]
		not	edi
		and	ecx, edi
		mov	edi, [edx+84h]
		mov	[esp+0A0h+var_90], edi
		jmp	loc_52C7BF
; 

loc_52C8B1:				; CODE XREF: KiSwapThread+3E5j
		cmp	[esp+0A0h+var_8C], 0
		jnz	loc_52C7CB
		mov	edi, [esp+0A0h+var_84]
		movzx	eax, word ptr [edx+8Ah]
		btr	edi, eax
		mov	[esp+0A0h+var_84], edi
		test	edi, edi
		jnz	loc_52D0E0

loc_52C8D6:				; CODE XREF: KiSwapThread+7CBj
					; KiSwapThread+D12j
		lea	edi, [esi+2224h]

loc_52C8DC:				; CODE XREF: KiSwapThread+C203Ej
		mov	[esp+0A0h+var_34], 0

loc_52C8E4:				; CODE XREF: KiSwapThread+A5Fj
		lock bts dword ptr [edi], 0
		jb	loc_52CE30
		mov	edi, [esi+8]
		test	edi, edi
		jnz	loc_52CE20
		cmp	ds:_KeHeteroSystem, 0
		mov	edi, [esi+0Ch]
		jnz	loc_5EE444

loc_52C90A:				; CODE XREF: KiSwapThread+A47j
					; KiSwapThread+C206Bj ...
		test	byte ptr [edi+2], 4
		jnz	loc_52CF84

loc_52C914:				; CODE XREF: KiSwapThread+BB7j
		mov	cl, [edi+87h]

loc_52C91A:				; CODE XREF: KiSwapThread+BB1j
		mov	eax, [esi+33Ch]
		mov	[eax], cl
		mov	[esi+4], edi
		mov	al, [edi+90h]
		cmp	al, 1
		jz	loc_5EE499

loc_52C933:				; CODE XREF: KiSwapThread+C20CAj
		mov	byte ptr [edi+90h], 2

loc_52C93A:				; CODE XREF: KiSwapThread+443j
					; KiSwapThread+4A0j ...
		cmp	edi, [esi+0Ch]
		jnz	loc_52C9E5

loc_52C943:				; CODE XREF: KiSwapThread+607j
					; KiSwapThread+612j ...
		xor	ecx, ecx
		lea	eax, [esi+2224h]
		lock and [eax],	ecx
		mov	al, [ebx+92h]
		mov	[esp+0A0h+var_65], al
		mov	byte ptr [esp+0A0h+var_70], al
		cmp	ebx, edi
		jz	loc_52CDDC
		test	dword ptr [ebx+5Ch], 400000h
		jnz	loc_5EE4E2

loc_52C971:				; CODE XREF: KiSwapThread+C210Aj
					; KiSwapThread+C2116j ...
		push	[esp+0A0h+var_70]
		mov	edx, edi
		mov	ecx, ebx
		call	@KiSwapContext@12 ; KiSwapContext(x,x,x)
		mov	dl, al
		mov	[esp+0A0h+var_92], dl

loc_52C984:				; CODE XREF: KiSwapThread+A3Bj
					; KiSwapThread+B42j
		mov	edi, [ebx+94h]
		btr	dword ptr [ebx+58h], 9
		jb	loc_52CA7D

loc_52C995:				; CODE XREF: KiSwapThread+79Fj
		mov	ecx, [esp+0A0h+var_24]
		test	ecx, ecx
		jz	short loc_52C9A5
		mov	eax, [ebx+248h]
		mov	[ecx], eax

loc_52C9A5:				; CODE XREF: KiSwapThread+5BBj
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		test	dl, dl
		jnz	loc_52CBB0

loc_52C9B3:				; CODE XREF: KiSwapThread+7DFj
		mov	cl, [esp+0A0h+var_65]
		call	esi
		mov	ecx, [esp+0A0h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_52C9D2:				; CODE XREF: KiSwapThread+283j
		cmp	ecx, 1
		jz	loc_52C67B
		or	eax, 1
		xor	eax, ecx
		jmp	loc_52C66B
; 

loc_52C9E5:				; CODE XREF: KiSwapThread+55Dj
		cmp	edi, ebx
		jz	loc_52C943
		mov	al, [edi+55h]
		test	al, al
		jz	loc_52C943
		test	byte ptr [edi+2], 4
		jnz	loc_52CFB1

loc_52CA02:				; CODE XREF: KiSwapThread+BE4j
		mov	cl, [edi+87h]

loc_52CA08:				; CODE XREF: KiSwapThread+BDEj
		mov	eax, [esi+33Ch]
		mov	[eax], cl
		mov	[esi+8], edi
		cmp	edi, [esi+0Ch]
		jz	loc_5EE4AF
		xor	cl, cl

loc_52CA1E:				; CODE XREF: KiSwapThread+C20D1j
		mov	eax, [esi+4DCh]
		test	eax, eax
		jz	short loc_52CA2B
		mov	[eax+10h], cl

loc_52CA2B:				; CODE XREF: KiSwapThread+646j
		mov	al, [edi+90h]
		cmp	al, 1
		jz	loc_5EE4B6

loc_52CA39:				; CODE XREF: KiSwapThread+C20E7j
		mov	byte ptr [edi+90h], 3
		mov	edi, [esi+0Ch]
		mov	[esi+4], edi
		mov	al, [edi+90h]
		cmp	al, 1
		jz	loc_5EE4CC

loc_52CA54:				; CODE XREF: KiSwapThread+C20FDj
		mov	byte ptr [edi+90h], 2
		jmp	loc_52C943
; 

loc_52CA60:				; CODE XREF: KiSwapThread+312j
		mov	ecx, [edi]
		not	ecx
		and	ecx, [esi+402Ch]
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	loc_52C6FE
		lea	eax, [edx+8]
		jmp	loc_52C6FB
; 

loc_52CA7D:				; CODE XREF: KiSwapThread+5AFj
		xor	al, al
		mov	[esp+0A0h+var_54], 0
		lea	esi, [ebx+0B8h]
		mov	[esp+0A0h+var_91], al

loc_52CA91:				; CODE XREF: KiSwapThread+CD7j
					; KiSwapThread+CEFj
		mov	[esp+0A0h+var_28], 0
		lock bts dword ptr [esi], 7
		jb	loc_5EE535

loc_52CAA4:				; CODE XREF: KiSwapThread+C216Bj
		mov	al, [esi+3]
		test	al, 0C0h
		jz	loc_52CE80
		movzx	edx, byte ptr [esi+2]
		movzx	eax, al
		shr	eax, 1
		and	eax, 1Fh
		mov	[esp+0A0h+var_70], edx
		lea	ebx, [edx+4]
		mov	[esp+0A0h+var_5C], 0
		lea	ebx, [edx+ebx*2]
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		add	ecx, 2260h
		mov	[esp+0A0h+var_80], ecx
		lea	ebx, [ecx+ebx*8]
		mov	[esp+0A0h+var_84], ebx

loc_52CAE5:				; CODE XREF: KiSwapThread+B80j
		lock bts dword ptr [ebx], 0
		jb	loc_52CF53
		cmp	byte ptr [esi+3], 0
		mov	ebx, [esp+0A0h+var_7C]
		jl	loc_52D07A
		mov	edx, [esp+0A0h+var_70]
		lea	ebx, [esi+18h]
		mov	ecx, [esp+0A0h+var_80]
		lea	eax, [edx+edx*2]
		lea	eax, [ecx+eax*8]
		mov	ecx, [esi+18h]
		mov	[esp+0A0h+var_5C], eax
		lea	eax, [esi+18h]
		mov	[esp+0A0h+var_58], eax
		mov	eax, [eax+4]
		cmp	[ecx+4], ebx
		mov	ebx, [esp+0A0h+var_7C]
		jnz	loc_5EE55F
		mov	esi, [esp+0A0h+var_58]
		cmp	[eax], esi
		lea	esi, [ebx+0B8h]
		jnz	loc_5EE55F
		mov	[eax], ecx
		mov	[ecx+4], eax
		cmp	eax, ecx
		jz	loc_52CD9C

loc_52CB4C:				; CODE XREF: KiSwapThread+9F7j
		mov	eax, [esp+0A0h+var_84]
		xor	ecx, ecx
		lock and [eax],	ecx
		mov	ecx, 0BFFFFF7Fh

loc_52CB5A:				; CODE XREF: KiSwapThread+CBEj
		mov	al, 1
		mov	[esp+0A0h+var_91], al

loc_52CB60:				; CODE XREF: KiSwapThread+AA9j
		lock and [esi],	ecx
		test	ds:dword_70EFC8, 20000h
		jnz	loc_5EE566

loc_52CB73:				; CODE XREF: KiSwapThread+C21E2j
		test	al, al
		jz	loc_52CE8E

loc_52CB7B:				; CODE XREF: KiSwapThread+AC4j
		mov	dl, [esp+0A0h+var_92]
		jmp	loc_52C995
; 

loc_52CB84:				; CODE XREF: KiSwapThread+247j
					; KiSwapThread+C76j
		mov	dword ptr [esi+8], 0
		mov	[esi+4], edi
		mov	al, [edi+90h]
		cmp	al, 1
		jz	loc_52CD86

loc_52CB9C:				; CODE XREF: KiSwapThread+9A0j
					; KiSwapThread+9B7j
		mov	byte ptr [edi+90h], 2
		test	edi, edi
		jnz	loc_52C93A
		jmp	loc_52C8D6
; 

loc_52CBB0:				; CODE XREF: KiSwapThread+5CDj
		mov	cl, 1
		call	esi
		push	0
		push	0
		push	0
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		jmp	loc_52C9B3
; 

loc_52CBC4:				; CODE XREF: KiSwapThread+1D2j
		mov	ecx, [esp+0A0h+var_84]
		mov	eax, [esp+0A0h+var_78]
		add	ecx, 10h
		lea	eax, [ecx+eax*2]
		mov	ecx, [edi+eax*8]
		add	ecx, [esp+0A0h+var_8C]
		lea	esi, [edi+eax*8]
		mov	eax, [esi+4]
		adc	eax, [esp+0A0h+var_90]
		mov	[esp+0A0h+var_74], ecx
		mov	[esp+0A0h+var_70], eax
		jmp	short loc_52CBF0
; 
		align 10h

loc_52CBF0:				; CODE XREF: KiSwapThread+80Bj
					; KiSwapThread+82Cj ...
		mov	edi, [esi]
		mov	eax, edi
		mov	edx, [esi+4]
		mov	[esp+0A0h+var_64], edx
		nop
		mov	ebx, ecx
		mov	ecx, [esp+0A0h+var_70]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [esp+0A0h+var_74]
		cmp	eax, edi
		jnz	short loc_52CBF0
		cmp	edx, [esp+0A0h+var_64]
		jnz	short loc_52CBF0
		mov	eax, [esp+0A0h+var_7C]
		mov	edx, [esp+0A0h+var_84]
		mov	eax, [eax+36Ch]
		mov	ecx, [eax+388h]
		mov	eax, [esp+0A0h+var_78]
		add	eax, 4
		lea	eax, [edx+eax*2]
		lea	eax, [ecx+eax*8]
		mov	[esp+0A0h+var_88], eax
		lea	esp, [esp+0]

loc_52CC40:				; CODE XREF: KiSwapThread+88Cj
					; KiSwapThread+890j
		mov	edi, [eax]
		mov	ebx, edi
		mov	esi, [eax+4]
		mov	ecx, esi
		add	ebx, [esp+0A0h+var_8C]
		mov	eax, edi
		mov	[esp+0A0h+var_70], esi
		mov	edx, esi
		adc	ecx, [esp+0A0h+var_90]
		nop
		mov	esi, [esp+0A0h+var_88]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [esp+0A0h+var_70]
		cmp	eax, edi
		mov	eax, [esp+0A0h+var_88]
		jnz	short loc_52CC40
		cmp	edx, esi
		jnz	short loc_52CC40
		mov	ebx, [esp+0A0h+var_7C]
		jmp	loc_52C5B8
; 

loc_52CC7B:				; CODE XREF: KiSwapThread+1ECj
		mov	eax, [ebx+50h]
		test	eax, eax
		jz	loc_52CE44
		add	eax, [esi+3B34h]
		test	eax, eax
		jz	loc_52CE44
		mov	edi, [esp+0A0h+var_8C]
		mov	ecx, [esp+0A0h+var_90]
		lea	esp, [esp+0]

loc_52CCA0:				; CODE XREF: KiSwapThread+8CDj
		add	[eax], edi
		adc	[eax+4], ecx
		mov	eax, [eax+0F4h]
		test	eax, eax
		jnz	short loc_52CCA0

loc_52CCAF:				; CODE XREF: KiSwapThread+A68j
		test	byte ptr [ebx+2], 8
		jnz	loc_52CE4D
		mov	eax, [esp+0A0h+var_90]

loc_52CCBD:				; CODE XREF: KiSwapThread+A89j
					; KiSwapThread+A9Bj
		cmp	byte ptr [ebx+61h], 0
		jnz	loc_5EE2A9

loc_52CCC7:				; CODE XREF: KiSwapThread+C1EDEj
					; KiSwapThread+C1EEFj
		cmp	dword ptr [ebx+0F4h], 0
		jz	loc_52C5D2
		jmp	loc_5EE2D4
; 

loc_52CCD9:				; CODE XREF: KiSwapThread+234j
		add	edi, [esi+3B34h]
		test	edi, edi
		jz	loc_52C61A
		mov	ebx, [esp+0A0h+var_70]
		mov	[esp+0A0h+var_84], 0

loc_52CCF3:				; CODE XREF: KiSwapThread+C1F22j
		test	byte ptr [edi+5Ch], 4
		jnz	loc_52CED2
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	KiComputeGroupSchedulingRank

loc_52CD07:				; CODE XREF: KiSwapThread+B09j
					; KiSwapThread+B16j ...
		mov	eax, [esp+0A0h+var_84]
		add	eax, [edi+60h]
		mov	edi, [edi+0F4h]
		mov	[esp+0A0h+var_84], eax
		test	edi, edi
		jnz	loc_5EE2FA
		mov	ebx, [esp+0A0h+var_7C]
		jmp	loc_52C61A
; 
		align 10h

loc_52CD30:				; CODE XREF: KiSwapThread+28Dj
					; KiSwapThread+C1FE3j
		add	eax, 0FFFFFFB0h
		mov	ecx, esi
		push	0
		mov	edx, eax
		mov	[esp+0A4h+var_70], eax
		call	_KiSelectThreadFromSchedulingGroup@12 ;	KiSelectThreadFromSchedulingGroup(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5EE39E

loc_52CD4C:				; CODE XREF: KiSwapThread+260j
					; KiSwapThread+295j ...
		mov	eax, ds:_KiCpuSetSequence
		cmp	[edi+160h], eax
		jnz	loc_52CFFD

loc_52CD5D:				; CODE XREF: KiSwapThread+C21j
		test	byte ptr [edi+2], 4
		jnz	loc_52CF27

loc_52CD67:				; CODE XREF: KiSwapThread+B5Aj
		mov	cl, [edi+87h]

loc_52CD6D:				; CODE XREF: KiSwapThread+B54j
		mov	eax, [esi+33Ch]
		mov	[eax], cl
		mov	[esi+4], edi
		mov	al, [edi+90h]
		cmp	al, 1
		jnz	loc_52CB9C

loc_52CD86:				; CODE XREF: KiSwapThread+7B6j
		mov	eax, ds:_KeTickCount
		sub	eax, [edi+138h]
		add	[edi+170h], eax
		jmp	loc_52CB9C
; 

loc_52CD9C:				; CODE XREF: KiSwapThread+766j
		mov	eax, [esp+0A0h+var_5C]
		mov	ecx, [esp+0A0h+var_80]
		mov	dword ptr [eax+54h], 0FFFFFFFFh
		cmp	ds:_KiSerializeTimerExpiration,	0
		movzx	eax, byte ptr [ecx-1E9Bh]
		mov	eax, ds:dword_70E644[eax*8]
		jz	loc_5EE550
		mov	ecx, edx
		shr	edx, 5
		and	ecx, 1Fh
		shl	edx, 2

loc_52CDD1:				; CODE XREF: KiSwapThread+C217Aj
		add	eax, edx
		lock btr [eax],	ecx
		jmp	loc_52CB4C
; 

loc_52CDDC:				; CODE XREF: KiSwapThread+57Ej
		cmp	[edi+85h], cl
		jnz	loc_52D05B

loc_52CDE8:				; CODE XREF: KiSwapThread+C82j
					; KiSwapThread+C8Aj
		xor	al, al
		mov	[esp+0A0h+var_92], al

loc_52CDEE:				; CODE XREF: KiSwapThread+C95j
		cli
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	KiStartThreadCycleAccumulation
		sti
		test	dword ptr [edi+5Ch], 800h
		lea	eax, [edi+5Ch]
		jnz	loc_52CFD9

loc_52CE0A:				; CODE XREF: KiSwapThread+C09j
		test	ds:byte_70EFC4,	4
		jnz	loc_52CF15
		mov	dl, [esp+0A0h+var_92]
		jmp	loc_52C984
; 

loc_52CE20:				; CODE XREF: KiSwapThread+514j
					; KiSwapThread+C20A3j
		mov	dword ptr [esi+8], 0
		jmp	loc_52C90A
; 
		align 10h

loc_52CE30:				; CODE XREF: KiSwapThread+509j
					; KiSwapThread+A5Dj
		lea	ecx, [esp+0A0h+var_34]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_52CE30
		jmp	loc_52C8E4
; 

loc_52CE44:				; CODE XREF: KiSwapThread+8A0j
					; KiSwapThread+8AEj
		mov	edi, [esp+0A0h+var_8C]
		jmp	loc_52CCAF
; 

loc_52CE4D:				; CODE XREF: KiSwapThread+8D3j
		mov	edx, [esi+338h]
		mov	ecx, [ebx+164h]
		mov	edx, [edx+84h]
		mov	eax, edx
		and	eax, ecx
		cmp	eax, edx
		mov	eax, [esp+0A0h+var_90]
		jz	loc_52CCBD
		add	[esi+3B70h], edi
		adc	[esi+3B74h], eax
		jmp	loc_52CCBD
; 

loc_52CE80:				; CODE XREF: KiSwapThread+6C9j
		mov	al, [esp+0A0h+var_91]
		mov	ecx, 0FFFFFF7Fh
		jmp	loc_52CB60
; 

loc_52CE8E:				; CODE XREF: KiSwapThread+795j
					; KiSwapThread+C2188j
		lea	eax, [ebx+128h]
		mov	byte ptr [eax+9], 4
		mov	[ebx+0C0h], eax
		mov	[ebx+0C4h], eax
		jmp	loc_52CB7B
; 

loc_52CEA9:				; CODE XREF: KiSwapThread+195j
		mov	ecx, eax
		sub	ecx, edx
		cmp	ecx, 20h
		jnb	loc_52CF3F
		mov	edx, [edi+0C4h]
		shl	edx, cl
		or	edx, 1

loc_52CEC1:				; CODE XREF: KiSwapThread+B64j
		mov	[edi+0C0h], eax
		mov	[edi+0C4h], edx
		jmp	loc_52C591
; 

loc_52CED2:				; CODE XREF: KiSwapThread+917j
		mov	edx, ebx
		mov	ecx, edi
		call	KiCheckMaxOverQuotaTransition
		test	al, al
		jnz	loc_5EE2E0
		mov	eax, [edi+4]
		cmp	eax, [edi+1Ch]
		jb	loc_52CD07
		ja	short loc_52CEFC
		mov	eax, [edi]
		cmp	eax, [edi+18h]
		jb	loc_52CD07

loc_52CEFC:				; CODE XREF: KiSwapThread+B0Fj
		test	byte ptr [edi+5Ch], 2
		jnz	loc_52CD07
		push	esi
		mov	edx, edi
		mov	ecx, ebx
		call	_KiRecomputeGroupSchedulingRank@12 ; KiRecomputeGroupSchedulingRank(x,x,x)
		jmp	loc_52CD07
; 

loc_52CF15:				; CODE XREF: KiSwapThread+A31j
		mov	edx, ebx
		mov	ecx, ebx
		call	EtwTraceContextSwap
		mov	dl, [esp+0A0h+var_92]
		jmp	loc_52C984
; 

loc_52CF27:				; CODE XREF: KiSwapThread+981j
		mov	edx, esi
		mov	ecx, edi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	loc_52CD6D
		jmp	loc_52CD67
; 

loc_52CF3F:				; CODE XREF: KiSwapThread+AD0j
		mov	edx, 1
		jmp	loc_52CEC1
; 

loc_52CF49:				; CODE XREF: KiSwapThread+FAj
					; KiSwapThread+102j
		mov	edx, 64h
		jmp	loc_52C501
; 

loc_52CF53:				; CODE XREF: KiSwapThread+70Aj
					; KiSwapThread+B86j
		lea	ecx, [esp+0A0h+var_5C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jz	loc_52CAE5
		jmp	short loc_52CF53
; 
		jmp	short loc_52CF70
; 
		align 10h

loc_52CF70:				; CODE XREF: KiSwapThread+225j
					; KiSwapThread+B88j ...
		lea	ecx, [esp+0A0h+var_50]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_52CF70
		jmp	loc_52C600
; 

loc_52CF84:				; CODE XREF: KiSwapThread+52Ej
		mov	edx, esi
		mov	ecx, edi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	loc_52C91A
		jmp	loc_52C914
; 

loc_52CF9C:				; CODE XREF: KiSwapThread+39j
		push	2
		push	0
		mov	edx, 1
		mov	ecx, esi
		call	KiProcessThreadWaitList
		jmp	loc_52C41F
; 

loc_52CFB1:				; CODE XREF: KiSwapThread+61Cj
		mov	edx, esi
		mov	ecx, edi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	loc_52CA08
		jmp	loc_52CA02
; 

loc_52CFC9:				; CODE XREF: KiSwapThread+9Dj
					; KiSwapThread+A6j
		or	ecx, 0FFFFFFFFh
		mov	[esp+0A0h+var_6C], 0
		jmp	loc_52C48C
; 

loc_52CFD9:				; CODE XREF: KiSwapThread+A24j
		lock btr dword ptr [eax], 0Bh
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	_KiInsertDeferredPreemptionApc@12 ; KiInsertDeferredPreemptionApc(x,x,x)
		jmp	loc_52CE0A
; 

loc_52CFEE:				; CODE XREF: KiSwapThread+124j
		mov	eax, 51EB851Fh
		mul	edx
		shr	edx, 3
		jmp	loc_52C50F
; 

loc_52CFFD:				; CODE XREF: KiSwapThread+977j
		test	byte ptr [edi+58h], 8
		jnz	loc_52CD5D
		mov	ecx, edi
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		xor	ecx, ecx
		lea	eax, [esi+2224h]
		lock and [eax],	ecx
		lea	eax, [edi+9Ch]
		mov	[eax], ecx
		lea	edx, [esp+0A0h+var_48]
		mov	ecx, esi
		mov	[esp+0A0h+var_48], eax
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	[esp+0A0h+var_44], 0
		lea	edi, [esi+2224h]
		mov	edi, edi

loc_52D040:				; CODE XREF: KiSwapThread+C1FFDj
		lock bts dword ptr [edi], 0
		jb	loc_5EE3CE
		mov	edi, [esi+8]
		test	edi, edi
		jz	loc_52C630
		jmp	loc_52CB84
; 

loc_52D05B:				; CODE XREF: KiSwapThread+A02j
		cmp	[edi+13Eh], cx
		jnz	loc_52CDE8
		test	al, al
		jnz	loc_52CDE8
		mov	[esp+0A0h+var_92], 1
		jmp	loc_52CDEE
; 

loc_52D07A:				; CODE XREF: KiSwapThread+718j
		mov	eax, [esp+0A0h+var_84]
		xor	ecx, ecx
		lock and [eax],	ecx
		movzx	eax, byte ptr [esi+3]
		mov	ecx, [esp+0A0h+var_80]
		and	eax, 1
		lea	eax, [ecx+eax*4]
		xor	ecx, ecx
		xchg	ecx, [eax]
		test	ecx, ecx
		jz	short loc_52D0A3
		mov	ecx, 0FFFF7Fh
		jmp	loc_52CB5A
; 

loc_52D0A3:				; CODE XREF: KiSwapThread+CB7j
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		cmp	byte ptr [esi+3], 0
		mov	[esp+0A0h+var_58], 0
		jge	loc_52CA91
		lea	ecx, [ecx+0]

loc_52D0C0:				; CODE XREF: KiSwapThread+CEDj
		lea	ecx, [esp+0A0h+var_58]
		call	KeYieldProcessorEx
		cmp	byte ptr [esi+3], 0
		jl	short loc_52D0C0
		jmp	loc_52CA91
; 
		jmp	short loc_52D0E0
; 
		align 10h

loc_52D0E0:				; CODE XREF: KiSwapThread+4F0j
					; KiSwapThread+CF4j ...
		mov	ecx, [esp+0A0h+var_64]
		lea	edx, [esp+0A0h+var_38]
		call	MmGetNextNode
		mov	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	loc_52C8D6
		jmp	loc_5EE429
KiSwapThread	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSearchForNewThreadOnProcessor	proc near ; CODE XREF: KiSearchForNewThreadOnNode(x,x)+ACp
					; KiSearchForNewThreadOnNode(x,x)+EFp ...

var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005EE5C7 SIZE 000000D4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx

loc_52D112:				; CODE XREF: KiSearchForNewThreadOnProcessor+3E8j
					; KiSearchForNewThreadOnProcessor+C1566j
		test	esi, esi
		jz	short loc_52D140
		cmp	dword ptr [esi+3B20h], 0
		jnz	short loc_52D190
		mov	edx, edi
		mov	ecx, esi
		call	_KiMayStealStandbyThread@8 ; KiMayStealStandbyThread(x,x)
		test	al, al
		jnz	short loc_52D190
		cmp	dword ptr [esi+3CE8h], 0
		jnz	short loc_52D190

loc_52D135:				; CODE XREF: KiSearchForNewThreadOnProcessor+47j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_52D140:				; CODE XREF: KiSearchForNewThreadOnProcessor+14j
		test	dword ptr [ebx+4], 0FFFFFFFEh
		jz	short loc_52D135
		lea	ebx, [edi+2224h]
		mov	[ebp+var_18], 0
		jmp	short loc_52D160
; 
		align 10h

loc_52D160:				; CODE XREF: KiSearchForNewThreadOnProcessor+56j
					; KiSearchForNewThreadOnProcessor+39Ej
		lock bts dword ptr [ebx], 0
		jb	loc_52D490
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_1C], 0

loc_52D175:				; CODE XREF: KiSearchForNewThreadOnProcessor+8Ej
		lock bts dword ptr [ebx], 0
		jnb	short loc_52D1EB
		lea	esp, [esp+0]

loc_52D180:				; CODE XREF: KiSearchForNewThreadOnProcessor+8Cj
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_52D180
		jmp	short loc_52D175
; 

loc_52D190:				; CODE XREF: KiSearchForNewThreadOnProcessor+1Dj
					; KiSearchForNewThreadOnProcessor+2Aj ...
		mov	[ebp+var_8], esi
		mov	eax, edi
		mov	[ebp+var_C], eax
		cmp	edi, esi
		ja	loc_52D35A

loc_52D1A0:				; CODE XREF: KiSearchForNewThreadOnProcessor+262j
		lea	ebx, [eax+2224h]
		mov	[ebp+var_10], 0
		lea	ecx, [ecx+0]

loc_52D1B0:				; CODE XREF: KiSearchForNewThreadOnProcessor+380j
		lock bts dword ptr [ebx], 0
		jb	loc_52D472
		mov	ecx, [ebp+var_8]
		mov	ebx, [ebp+arg_0]
		cmp	[ebp+var_C], ecx
		jz	short loc_52D1EB
		lea	eax, [ecx+2224h]
		mov	[ebp+var_14], 0
		mov	[ebp+var_C], eax
		jmp	short loc_52D1E0
; 
		align 10h

loc_52D1E0:				; CODE XREF: KiSearchForNewThreadOnProcessor+D6j
					; KiSearchForNewThreadOnProcessor+354j
		lock bts dword ptr [eax], 0
		jb	loc_52D439

loc_52D1EB:				; CODE XREF: KiSearchForNewThreadOnProcessor+7Aj
					; KiSearchForNewThreadOnProcessor+C4j
		mov	ecx, [edi+8]
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jnz	loc_52D411
		test	ebx, ebx
		jnz	loc_52D3F2
		mov	edx, edi
		mov	ecx, esi
		call	_KiMayStealStandbyThread@8 ; KiMayStealStandbyThread(x,x)
		test	al, al
		jnz	loc_52D367

loc_52D212:				; CODE XREF: KiSearchForNewThreadOnProcessor+2C7j
					; KiSearchForNewThreadOnProcessor+38Aj	...
		mov	eax, [esi+3B20h]
		test	eax, eax
		jz	short loc_52D231
		push	eax
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	KiFindReadyThread
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jnz	short loc_52D253

loc_52D231:				; CODE XREF: KiSearchForNewThreadOnProcessor+11Aj
		cmp	ds:_KiPerfIsoEnabled, 0
		jnz	loc_5EE5C7

loc_52D23E:				; CODE XREF: KiSearchForNewThreadOnProcessor+C1514j
					; KiSearchForNewThreadOnProcessor+C1529j ...
		lea	eax, [esi+3CE8h]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	KiGroupSchedulingMoveThread
		mov	ecx, eax
		mov	[ebp+var_8], ecx

loc_52D253:				; CODE XREF: KiSearchForNewThreadOnProcessor+12Fj
					; KiSearchForNewThreadOnProcessor+2C1j	...
		lea	eax, [esi+2224h]

loc_52D259:				; CODE XREF: KiSearchForNewThreadOnProcessor+30Cj
		xor	edx, edx
		lock and [eax],	edx
		test	ecx, ecx
		jz	loc_52D336
		mov	eax, ds:_KiCpuSetSequence
		cmp	[ecx+160h], eax
		jnz	loc_52D4B9

loc_52D277:				; CODE XREF: KiSearchForNewThreadOnProcessor+3BDj
		mov	eax, 2
		mov	bl, dl

loc_52D27E:				; CODE XREF: KiSearchForNewThreadOnProcessor+334j
		test	eax, eax
		jz	short loc_52D29A
		test	byte ptr [ecx+2], 4
		jnz	loc_52D459

loc_52D28C:				; CODE XREF: KiSearchForNewThreadOnProcessor+36Dj
		mov	dl, [ecx+87h]

loc_52D292:				; CODE XREF: KiSearchForNewThreadOnProcessor+367j
		mov	eax, [edi+33Ch]
		mov	[eax], dl

loc_52D29A:				; CODE XREF: KiSearchForNewThreadOnProcessor+180j
		mov	[edi+4], ecx
		mov	al, [ecx+90h]
		cmp	al, 1
		jz	loc_52D3CC

loc_52D2AB:				; CODE XREF: KiSearchForNewThreadOnProcessor+2DDj
		mov	byte ptr [ecx+90h], 2
		test	bl, bl
		jnz	short loc_52D32B
		movzx	eax, byte ptr [edi+2238h]
		mov	esi, [edi+338h]
		mov	[edi+223Bh], bl
		test	al, 1
		jnz	loc_5EE674
		inc	eax
		mov	[edi+2238h], al
		cmp	eax, 1
		jnz	short loc_52D2E8
		movzx	eax, byte ptr [edi+3C4h]
		lock btr [esi],	eax

loc_52D2E8:				; CODE XREF: KiSearchForNewThreadOnProcessor+1DBj
		movzx	eax, byte ptr [edi+3C4h]
		lea	edx, [esi+0Ch]
		lock btr [edx],	eax
		mov	ecx, [edi+402Ch]
		lea	eax, [esi+4]
		not	ecx
		lock and [eax],	ecx
		mov	eax, [edi+402Ch]
		add	esi, 8
		not	eax
		lock and [esi],	eax
		mov	eax, [edx]
		not	eax
		and	eax, [edi+402Ch]
		cmp	eax, [edi+3C8h]
		jz	loc_52D3E2

loc_52D328:				; CODE XREF: KiSearchForNewThreadOnProcessor+2EDj
		mov	ecx, [ebp+var_8]

loc_52D32B:				; CODE XREF: KiSearchForNewThreadOnProcessor+1B4j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_52D336:				; CODE XREF: KiSearchForNewThreadOnProcessor+160j
		mov	eax, [edi+4DCh]
		test	eax, eax
		jnz	loc_5EE66B

loc_52D344:				; CODE XREF: KiSearchForNewThreadOnProcessor+C156Fj
		xor	edx, edx
		lea	eax, [edi+2224h]
		lock and [eax],	edx
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_52D35A:				; CODE XREF: KiSearchForNewThreadOnProcessor+9Aj
		mov	eax, esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], edi
		jmp	loc_52D1A0
; 

loc_52D367:				; CODE XREF: KiSearchForNewThreadOnProcessor+10Cj
		mov	ecx, [esi+8]
		mov	eax, ds:_KiCpuSetSequence
		cmp	[ecx+160h], eax
		jnz	loc_52D4AA

loc_52D37B:				; CODE XREF: KiSearchForNewThreadOnProcessor+3AEj
		mov	ecx, [esi+8]
		movzx	eax, byte ptr [edi+3C5h]
		mov	[ebp+var_8], ecx
		cmp	ax, [ecx+168h]
		jnz	loc_52D485
		mov	eax, [edi+3C8h]
		test	[ecx+164h], eax
		jz	loc_52D485
		xor	edx, edx
		mov	ecx, esi
		call	KiSelectNextThread
		mov	ecx, [ebp+var_8]
		mov	eax, [edi+3CCh]
		mov	[ecx+148h], eax
		test	ecx, ecx
		jnz	loc_52D253
		jmp	loc_52D212
; 

loc_52D3CC:				; CODE XREF: KiSearchForNewThreadOnProcessor+1A5j
		mov	eax, ds:_KeTickCount
		sub	eax, [ecx+138h]
		add	[ecx+170h], eax
		jmp	loc_52D2AB
; 

loc_52D3E2:				; CODE XREF: KiSearchForNewThreadOnProcessor+222j
		movzx	eax, byte ptr [edi+3C4h]
		lock bts [esi],	eax
		jmp	loc_52D328
; 

loc_52D3F2:				; CODE XREF: KiSearchForNewThreadOnProcessor+FBj
		mov	eax, [ebx+4]
		and	eax, 0FFFFFFFEh
		jz	short loc_52D40A
		push	eax
		push	ebx
		xor	edx, edx
		mov	ecx, edi
		call	KiFindReadyThread
		mov	ecx, eax
		mov	[ebp+var_8], eax

loc_52D40A:				; CODE XREF: KiSearchForNewThreadOnProcessor+2F8j
		mov	eax, ebx
		jmp	loc_52D259
; 

loc_52D411:				; CODE XREF: KiSearchForNewThreadOnProcessor+F3j
		test	ebx, ebx
		jnz	loc_52D4A3
		lea	eax, [esi+2224h]

loc_52D41F:				; CODE XREF: KiSearchForNewThreadOnProcessor+3A5j
		xor	edx, edx
		lock and [eax],	edx
		mov	[edi+8], edx
		cmp	ecx, [edi+0Ch]
		jz	loc_5EE65B
		mov	bl, 1
		xor	eax, eax
		jmp	loc_52D27E
; 

loc_52D439:				; CODE XREF: KiSearchForNewThreadOnProcessor+E5j
		mov	ebx, [ebp+var_C]
		lea	esp, [esp+0]

loc_52D440:				; CODE XREF: KiSearchForNewThreadOnProcessor+34Cj
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_52D440
		mov	ebx, [ebp+arg_0]
		mov	eax, [ebp+var_C]
		jmp	loc_52D1E0
; 

loc_52D459:				; CODE XREF: KiSearchForNewThreadOnProcessor+186j
		mov	edx, edi
		call	KiIsThreadRankNonZero
		mov	ecx, [ebp+var_8]
		mov	dl, 1
		test	al, al
		jnz	loc_52D292
		jmp	loc_52D28C
; 

loc_52D472:				; CODE XREF: KiSearchForNewThreadOnProcessor+B5j
					; KiSearchForNewThreadOnProcessor+37Ej
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_52D472
		jmp	loc_52D1B0
; 

loc_52D485:				; CODE XREF: KiSearchForNewThreadOnProcessor+28Fj
					; KiSearchForNewThreadOnProcessor+2A1j
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		jmp	loc_52D212
; 
		align 10h

loc_52D490:				; CODE XREF: KiSearchForNewThreadOnProcessor+65j
					; KiSearchForNewThreadOnProcessor+39Cj
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_52D490
		jmp	loc_52D160
; 

loc_52D4A3:				; CODE XREF: KiSearchForNewThreadOnProcessor+313j
		mov	eax, ebx
		jmp	loc_52D41F
; 

loc_52D4AA:				; CODE XREF: KiSearchForNewThreadOnProcessor+275j
		test	byte ptr [ecx+58h], 8
		jnz	loc_52D37B
		jmp	loc_52D212
; 

loc_52D4B9:				; CODE XREF: KiSearchForNewThreadOnProcessor+171j
		test	byte ptr [ecx+58h], 8
		jnz	loc_52D277
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		xor	edx, edx
		lea	eax, [edi+2224h]
		lock and [eax],	edx
		lea	eax, [ecx+9Ch]
		mov	ecx, edi
		mov	[eax], edx
		lea	edx, [ebp+var_24]
		mov	[ebp+var_24], eax
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		jmp	loc_52D112
KiSearchForNewThreadOnProcessor	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiMayStealStandbyThread(x, x)
_KiMayStealStandbyThread@8 proc	near	; CODE XREF: KiSearchForNewThreadOnProcessor+23p
					; KiSearchForNewThreadOnProcessor+105p
		mov	al, [ecx+3ED1h]
		cmp	al, [edx+3ED1h]
		jnz	short loc_52D505
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	short loc_52D508

loc_52D505:				; CODE XREF: KiMayStealStandbyThread(x,x)+Cj
					; KiMayStealStandbyThread(x,x)+1Bj
		xor	al, al
		retn
; 

loc_52D508:				; CODE XREF: KiMayStealStandbyThread(x,x)+13j
		cmp	eax, [ecx+0Ch]
		jz	short loc_52D505
		mov	eax, [ecx+33Ch]
		cmp	byte ptr [eax],	10h
		setnl	al
		retn
_KiMayStealStandbyThread@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSelectReadyThread proc near		; CODE XREF: KiSearchForNewThread+28p
					; KiSearchForNewThread+4Cp ...

var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005EE69B SIZE 000000B2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	ebx, edx
		mov	eax, ecx
		mov	[ebp+var_34], eax
		mov	edx, 1
		push	esi
		shl	edx, cl
		mov	eax, [ebx+338h]
		mov	ecx, [ebx+4024h]
		push	edi
		mov	[ebp+var_8], ebx
		mov	esi, [eax+48h]
		mov	al, [ebx+2238h]
		mov	[ebp+var_20], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_28], esi
		mov	[ebp+var_1], al
		test	al, 2
		jnz	loc_5EE67B

loc_52D565:				; CODE XREF: KiSelectReadyThread+1EBj
					; KiSearchForNewThreadOnProcessor+C1581j ...
		xor	esi, esi
		cmp	ds:_KiForceIdleDisabled, esi
		jnz	short loc_52D579
		mov	eax, _KiForceIdleState
		cmp	eax, 4
		jz	short loc_52D5CD

loc_52D579:				; CODE XREF: KiSelectReadyThread+4Dj
		mov	eax, [ebp+var_8]
		or	edi, 0FFFFFFFFh
		mov	ebx, 0FFFFFFFEh
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], ebx
		mov	ecx, [eax+3B20h]
		cmp	ecx, edx
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+var_C]
		jnb	loc_52D71B

loc_52D59E:				; CODE XREF: KiSelectReadyThread+213j
		test	ecx, ecx
		jz	short loc_52D5B9
		mov	edi, [ecx+4]
		cmp	edi, edx
		jnb	loc_52D710
		mov	ebx, [ebp+var_14]

loc_52D5B0:				; CODE XREF: KiSelectReadyThread+1F6j
		mov	edi, [ebp+var_18]
		cmp	ebx, edi
		jg	short loc_52D5DF
		jz	short loc_52D5D6

loc_52D5B9:				; CODE XREF: KiSelectReadyThread+80j
					; KiSelectReadyThread+BDj ...
		cmp	edi, [ebp+var_34]
		jge	loc_52D738
		mov	ebx, [ebp+var_8]

loc_52D5C5:				; CODE XREF: KiSelectReadyThread+232j
					; KiSelectReadyThread+23Fj
		test	esi, esi
		jnz	loc_52D6CF

loc_52D5CD:				; CODE XREF: KiSelectReadyThread+57j
					; KiSelectReadyThread+1B4j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_52D5D6:				; CODE XREF: KiSelectReadyThread+97j
		bt	[eax+3B24h], edi
		jb	short loc_52D5B9

loc_52D5DF:				; CODE XREF: KiSelectReadyThread+95j
		mov	[ebp+var_24], esi

loc_52D5E2:				; CODE XREF: KiSelectReadyThread+255j
		lock bts dword ptr [ecx], 0
		jb	loc_52D764
		mov	eax, [ecx+4]
		mov	ebx, [ebp+var_14]
		mov	edi, [ebp+var_20]
		mov	edx, [ebp+var_8]
		lea	esp, [esp+0]

loc_52D600:				; CODE XREF: KiSelectReadyThread+C11C8j
		xor	esi, esi
		cmp	eax, [ebp+var_10]
		jb	loc_52D6B4
		cmp	eax, edi
		jb	loc_52D6B4
		bsr	ebx, eax
		mov	[ebp+var_14], ebx
		lea	ecx, [ecx+ebx*8]
		add	ecx, 8
		btc	eax, ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_30], eax
		mov	ecx, [ecx]
		mov	[ebp+var_1C], ecx
		lea	ecx, [ecx+0]

loc_52D630:				; CODE XREF: KiSelectReadyThread+C11BCj
		movzx	eax, byte ptr [ecx-3Bh]
		lea	esi, [ecx-9Ch]
		cmp	eax, 5
		jnb	loc_5EE69B

loc_52D643:				; CODE XREF: KiSelectReadyThread+C1186j
		or	ecx, 0FFFFFFFFh
		test	eax, eax
		jnz	loc_5EE6AB

loc_52D64E:				; CODE XREF: KiSelectReadyThread+C119Bj
		test	[edx+3C8h], ecx
		jz	loc_5EE6C0

loc_52D65A:				; CODE XREF: KiSelectReadyThread+C11ABj
		mov	ecx, [esi+9Ch]
		lea	edi, [esi+9Ch]
		mov	eax, [edi+4]
		cmp	[ecx+4], edi
		jnz	loc_5EE6ED
		cmp	[eax], edi
		jnz	loc_5EE6ED
		mov	[eax], ecx
		cmp	eax, ecx
		mov	[ecx+4], eax
		mov	ecx, [ebp+var_C]
		jnz	short loc_52D68F
		mov	eax, [ecx+4]
		btc	eax, ebx
		mov	[ecx+4], eax

loc_52D68F:				; CODE XREF: KiSelectReadyThread+164j
		dec	dword ptr [ecx+134h]
		mov	eax, [esi+39Ch]
		sub	[ecx+138h], eax
		sbb	dword ptr [ecx+13Ch], 0
		mov	eax, [edx+3CCh]
		mov	[esi+148h], eax

loc_52D6B4:				; CODE XREF: KiSelectReadyThread+E5j
					; KiSelectReadyThread+EDj
		xor	eax, eax
		lock and [ecx],	eax
		test	esi, esi
		jz	loc_52D77A
		mov	eax, [ebp+var_18]
		cmp	ebx, eax
		mov	ebx, [ebp+var_8]
		jz	loc_52D785

loc_52D6CF:				; CODE XREF: KiSelectReadyThread+A7j
					; KiSelectReadyThread+26Cj
		mov	edi, [esi+50h]
		test	edi, edi
		jz	loc_52D5CD
		add	edi, [ebx+3B34h]
		jz	loc_52D5CD
		push	0
		push	1
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	_KiGetThreadEffectiveRankNonZero@20 ; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)
		test	eax, eax
		jz	loc_52D5CD
		push	0
		push	esi
		mov	edx, edi
		mov	ecx, ebx
		call	KiAddThreadToScbQueue
		mov	edx, [ebp+var_20]
		jmp	loc_52D565
; 

loc_52D710:				; CODE XREF: KiSelectReadyThread+87j
		bsr	ebx, edi
		mov	[ebp+var_14], ebx
		jmp	loc_52D5B0
; 

loc_52D71B:				; CODE XREF: KiSelectReadyThread+78j
		mov	ecx, [ebp+var_10]
		bsr	edi, ecx
		mov	[ebp+var_10], 1
		mov	ecx, edi
		mov	[ebp+var_18], edi
		shl	[ebp+var_10], cl
		mov	ecx, [ebp+var_C]
		jmp	loc_52D59E
; 

loc_52D738:				; CODE XREF: KiSelectReadyThread+9Cj
		mov	edx, [eax+edi*8+3BE0h]
		mov	ecx, eax
		push	edi
		lea	esi, [edx-9Ch]
		call	_KiRemoveThreadFromReadyQueue@12 ; KiRemoveThreadFromReadyQueue(x,x,x)
		cmp	edi, ebx
		mov	ebx, [ebp+var_8]
		jnz	loc_52D5C5
		btr	[ebx+3B24h], edi
		jmp	loc_52D5C5
; 

loc_52D764:				; CODE XREF: KiSelectReadyThread+C7j
					; KiSelectReadyThread+253j
		lea	ecx, [ebp+var_24]
		call	KeYieldProcessorEx
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_52D764
		jmp	loc_52D5E2
; 

loc_52D77A:				; CODE XREF: KiSelectReadyThread+19Bj
		mov	edi, [ebp+var_18]
		mov	eax, [ebp+var_8]
		jmp	loc_52D5B9
; 

loc_52D785:				; CODE XREF: KiSelectReadyThread+1A9j
		bts	[ebx+3B24h], eax
		jmp	loc_52D6CF
KiSelectReadyThread endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAbProcessContextSwitch proc near	; CODE XREF: KiSchedulerApc+134p
					; KiQuantumEnd+502p ...

var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_28], edi
		mov	al, [esi+1E4h]
		movsx	ecx, al
		mov	al, [esi+222h]
		movsx	eax, al
		or	eax, ecx
		cmp	eax, 3Fh
		jnz	short loc_52D7D2

loc_52D7CB:				; CODE XREF: KiAbProcessContextSwitch+154j
					; KiAbProcessContextSwitch+163j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_52D7D2:				; CODE XREF: KiAbProcessContextSwitch+29j
		mov	ebx, large fs:20h
		mov	ecx, esi
		mov	[ebp+var_C], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_2C], ebx
		lea	eax, [ebx+45E0h]
		mov	[ebp+var_24], 0
		mov	[ebp+var_18], eax
		call	_KeAbThreadAreAllEntriesFree@4 ; KeAbThreadAreAllEntriesFree(x)
		test	eax, eax
		jnz	loc_52D8E7
		mov	al, [esi+1E4h]
		mov	edx, [esi+1E8h]
		movsx	ecx, al
		mov	al, [esi+222h]
		movsx	eax, al
		or	eax, ecx
		mov	[ebp+var_8], edx
		xor	eax, 3Fh
		bsf	ecx, eax
		mov	[ebp+var_24], ecx
		jz	loc_52D8E7
		mov	ebx, 1
		mov	edi, eax
		lea	esp, [esp+0]

loc_52D840:				; CODE XREF: KiAbProcessContextSwitch+130j
		lea	esi, [ecx+ecx*2]
		shl	esi, 4
		lea	eax, [edi-1]
		add	esi, edx
		and	edi, eax
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_52D8CA
		test	al, 2
		jnz	short loc_52D8CA
		test	al, 1
		jnz	short loc_52D8CA
		test	eax, eax
		js	loc_52D93B

loc_52D864:				; CODE XREF: KiAbProcessContextSwitch+1BBj
					; KiAbProcessContextSwitch+30Dj
		xor	eax, eax
		mov	edx, ebx
		mov	[ebp+var_3C], eax
		mov	ecx, esi
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	KiAbEntryGetLockedHeadEntry
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_52D8C2
		test	byte ptr [esi+0Dh], 1
		jnz	loc_52D960
		cmp	esi, ebx
		jnz	loc_52DA2A

loc_52D89A:				; CODE XREF: KiAbProcessContextSwitch+293j
		lea	edx, [ebp+var_14]
		mov	ecx, ebx
		call	_KiAbDetermineMaxWaiterPriority@8 ; KiAbDetermineMaxWaiterPriority(x,x)
		cmp	[ebp+var_14], 0
		jnz	loc_52DA45

loc_52D8AE:				; CODE XREF: KiAbProcessContextSwitch+1F6j
		test	ds:byte_70EFC6,	1
		jz	short loc_52D908
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_3C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_52D8C2:				; CODE XREF: KiAbProcessContextSwitch+E6j
					; KiAbProcessContextSwitch+180j ...
		mov	ebx, 1

loc_52D8C7:				; CODE XREF: KiAbProcessContextSwitch+199j
					; KiAbProcessContextSwitch+1B5j
		mov	edx, [ebp+var_8]

loc_52D8CA:				; CODE XREF: KiAbProcessContextSwitch+B2j
					; KiAbProcessContextSwitch+B6j	...
		bsf	ecx, edi
		mov	[ebp+var_24], ecx
		jnz	loc_52D840
		mov	eax, [ebp+var_10]
		mov	edi, [ebp+var_28]
		test	eax, eax
		jnz	loc_52DAB2

loc_52D8E4:				; CODE XREF: KiAbProcessContextSwitch+360j
		mov	ebx, [ebp+var_2C]

loc_52D8E7:				; CODE XREF: KiAbProcessContextSwitch+63j
					; KiAbProcessContextSwitch+8Fj
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jnz	loc_52DA7C

loc_52D8F2:				; CODE XREF: KiAbProcessContextSwitch+2F7j
		test	edi, edi
		jz	loc_52D7CB
		mov	dl, 2
		mov	ecx, ebx
		call	KiCheckForThreadDispatch
		jmp	loc_52D7CB
; 

loc_52D908:				; CODE XREF: KiAbProcessContextSwitch+115j
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jnz	short loc_52D927
		mov	edx, [ebp+var_38]
		lea	eax, [ebp+var_3C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_3C]
		cmp	eax, ecx
		jz	short loc_52D8C2
		call	KxWaitForLockChainValid

loc_52D927:				; CODE XREF: KiAbProcessContextSwitch+16Dj
		mov	[ebp+var_3C], 0
		add	eax, 4
		mov	ebx, 1
		lock xor [eax],	ebx
		jmp	short loc_52D8C7
; 

loc_52D93B:				; CODE XREF: KiAbProcessContextSwitch+BEj
		test	byte ptr [esi+0Fh], 1
		jnz	short loc_52D8CA
		test	byte ptr [esi+0Dh], 1
		mov	ecx, esi
		jnz	loc_52DA9F
		call	_KiAbOwnerComputeCpuPriorityKey@4 ; KiAbOwnerComputeCpuPriorityKey(x)
		cmp	al, [esi+18h]
		jz	loc_52D8C7
		jmp	loc_52D864
; 

loc_52D960:				; CODE XREF: KiAbProcessContextSwitch+ECj
		cmp	esi, ebx
		jnz	loc_52DA1C

loc_52D968:				; CODE XREF: KiAbProcessContextSwitch+285j
		lea	edx, [ebp+var_14]
		mov	ecx, ebx
		call	_KiAbDetermineMinOwnerCpuPriority@8 ; KiAbDetermineMinOwnerCpuPriority(x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	_KiAbTryIncrementIoWaiterCounts@8 ; KiAbTryIncrementIoWaiterCounts(x,x)
		mov	ecx, esi
		mov	[ebp+var_20], eax
		call	_KiAbEntryGetCpuPriorityKey@4 ;	KiAbEntryGetCpuPriorityKey(x)
		mov	edx, [ebp+var_20]
		mov	[ebp+var_1], al
		cmp	byte ptr [ebp+var_14], al
		jl	loc_52DA38
		test	edx, edx
		jz	loc_52D8AE

loc_52D99C:				; CODE XREF: KiAbProcessContextSwitch+29Aj
		push	[ebp+var_18]
		lea	eax, [ebp+var_10]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_KiAbIoBoostOwners@20 ;	KiAbIoBoostOwners(x,x,x,x,x)
		mov	al, [ebp+var_1]

loc_52D9B1:				; CODE XREF: KiAbProcessContextSwitch+2A0j
		push	[ebp+var_18]
		lea	ecx, [ebp+var_10]
		mov	dl, al
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		mov	ecx, ebx
		call	_KiAbCpuBoostOwners@20 ; KiAbCpuBoostOwners(x,x,x,x,x)

loc_52D9C5:				; CODE XREF: KiAbProcessContextSwitch+2C0j
					; KiAbProcessContextSwitch+2C8j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_52D9E9
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_3C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_52D9D9:				; CODE XREF: KiAbProcessContextSwitch+261j
					; KiAbProcessContextSwitch+27Aj
		mov	ebx, [ebp+var_1C]
		test	ebx, ebx
		jz	loc_52D8C2
		jmp	loc_5EE6F4
; 

loc_52D9E9:				; CODE XREF: KiAbProcessContextSwitch+22Cj
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jnz	short loc_52DA08
		mov	edx, [ebp+var_38]
		lea	eax, [ebp+var_3C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_3C]
		cmp	eax, ecx
		jz	short loc_52D9D9
		call	KxWaitForLockChainValid

loc_52DA08:				; CODE XREF: KiAbProcessContextSwitch+24Ej
		mov	[ebp+var_3C], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	short loc_52D9D9
; 

loc_52DA1C:				; CODE XREF: KiAbProcessContextSwitch+1C2j
		mov	edx, ebx
		mov	ecx, esi
		call	_KiAbEntryUpdateWaiterTreePosition@8 ; KiAbEntryUpdateWaiterTreePosition(x,x)
		jmp	loc_52D968
; 

loc_52DA2A:				; CODE XREF: KiAbProcessContextSwitch+F4j
		mov	edx, ebx
		mov	ecx, esi
		call	_KiAbEntryUpdateOwnerTreePosition@8 ; KiAbEntryUpdateOwnerTreePosition(x,x)
		jmp	loc_52D89A
; 

loc_52DA38:				; CODE XREF: KiAbProcessContextSwitch+1EEj
		test	edx, edx
		jnz	loc_52D99C
		jmp	loc_52D9B1
; 

loc_52DA45:				; CODE XREF: KiAbProcessContextSwitch+108j
		lea	eax, [ebp+var_1C]
		mov	ecx, esi
		push	eax
		push	[ebp+var_18]
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	edx, [ebp+var_14]
		call	KiAbSetMinimumThreadPriority
		test	eax, eax
		jz	loc_52D9C5
		cmp	esi, ebx
		jz	loc_52D9C5
		mov	edx, ebx
		mov	ecx, esi
		call	_KiAbEntryUpdateOwnerTreePosition@8 ; KiAbEntryUpdateOwnerTreePosition(x,x)
		jmp	loc_52D9C5
; 

loc_52DA7C:				; CODE XREF: KiAbProcessContextSwitch+14Cj
					; KiAbProcessContextSwitch+2FDj
		mov	eax, [ecx]
		lea	edx, [ecx-9Ch]
		mov	[ebp+var_C], eax
		mov	ecx, ebx
		lea	eax, [ebp+var_C]
		push	eax
		call	KiDeferredReadySingleThread
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	loc_52D8F2
		jmp	short loc_52DA7C
; 

loc_52DA9F:				; CODE XREF: KiAbProcessContextSwitch+1A7j
		call	_KiAbWaiterComputeCpuPriorityKey@4 ; KiAbWaiterComputeCpuPriorityKey(x)
		cmp	al, [esi+18h]
		jz	loc_52D8CA
		jmp	loc_52D864
; 

loc_52DAB2:				; CODE XREF: KiAbProcessContextSwitch+13Ej
		mov	edi, [ebp+var_18]

loc_52DAB5:				; CODE XREF: KiAbProcessContextSwitch+35Bj
		mov	esi, eax
		test	esi, esi
		jz	short loc_52DAC0
		mov	eax, [eax]
		mov	[ebp+var_10], eax

loc_52DAC0:				; CODE XREF: KiAbProcessContextSwitch+319j
		mov	dword ptr [esi], 1
		lea	ecx, [ebp+var_30]
		mov	[ebp+var_30], 0
		xor	edx, edx
		lock or	[ecx], edx
		cmp	[esi-7], dl
		jbe	short loc_52DAF4
		push	edi
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	edx
		push	1
		lea	ecx, [esi-1ECh]
		call	KiAbProcessThreadLocks
		mov	eax, [ebp+var_10]

loc_52DAF4:				; CODE XREF: KiAbProcessContextSwitch+338j
		lock dec word ptr [esi+34h]
		test	eax, eax
		jnz	short loc_52DAB5
		mov	edi, [ebp+var_28]
		jmp	loc_52D8E4
KiAbProcessContextSwitch endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInsertTimerTable proc	near		; CODE XREF: KiResumeThread+247p
					; KiTimerWaitTest+1F7p	...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005EE74D SIZE 000000B3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_28], 0
		xor	eax, eax
		mov	[ebp+var_2C], esi
		push	edi
		mov	[ebp+var_24], 0
		mov	[ebp+var_1], 0
		mov	[ebp+var_C], eax
		cmp	[esi+24h], eax
		jnz	short loc_52DB3F
		mov	[esi+4], eax

loc_52DB3F:				; CODE XREF: KiInsertTimerTable+2Aj
		xor	eax, eax
		xor	ebx, ebx
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		cmp	ds:_KiSerializeTimerExpiration,	eax
		jz	loc_5EE74D

loc_52DB5B:				; CODE XREF: KiInsertTimerTable+C0C50j
					; KiInsertTimerTable+C0C62j ...
		mov	eax, [esi]
		mov	ecx, eax
		mov	[ebp+var_3C], eax
		mov	edx, ecx
		mov	al, bl
		sar	edx, 18h
		add	al, al
		sar	ecx, 18h
		xor	dl, al
		mov	[ebp+var_1C], 0
		and	dl, 3Eh
		xor	dl, cl
		mov	byte ptr [ebp+var_3C+3], dl
		mov	eax, [ebp+var_3C]
		mov	[esi], eax
		mov	eax, [esi+10h]
		mov	ecx, ds:_KiProcessorBlock[ebx*4]
		mov	[ebp+var_8], eax
		add	ecx, 2260h
		mov	eax, [esi+14h]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_14], ecx
		lea	eax, [eax+eax*2]
		lea	eax, [ecx+eax*8]
		mov	[ebp+var_18], eax
		lea	ebx, [eax+44h]
		lea	edi, [eax+40h]

loc_52DBB2:				; CODE XREF: KiInsertTimerTable+26Cj
		lock bts dword ptr [edi], 0
		jb	loc_52DD70
		mov	ecx, [ebx]
		cmp	ecx, ebx
		jz	loc_52DCDB
		mov	edx, [ecx-4]
		mov	eax, [ecx-8]
		cmp	[ebp+arg_0], edx
		jb	loc_52DD9E
		ja	loc_52DCEC
		mov	edi, [ebp+var_8]
		cmp	edi, eax
		ja	loc_52DCEC

loc_52DBE7:				; CODE XREF: KiInsertTimerTable+291j
		cmp	[ebp+arg_0], edx
		ja	loc_52DD33
		jb	short loc_52DBFA
		cmp	edi, eax
		jnb	loc_52DD33

loc_52DBFA:				; CODE XREF: KiInsertTimerTable+E0j
		mov	eax, 2

loc_52DBFF:				; CODE XREF: KiInsertTimerTable+225j
		mov	[ebp+var_C], eax
		mov	ecx, ebx

loc_52DC04:				; CODE XREF: KiInsertTimerTable+21Ej
					; KiInsertTimerTable+256j
		mov	edi, [ecx]

loc_52DC06:				; CODE XREF: KiInsertTimerTable+1D7j
		lea	edx, [esi+18h]
		cmp	[edi+4], ecx
		jnz	loc_5EE7AE
		mov	[edx], edi
		mov	[edx+4], ecx
		mov	[edi+4], edx
		mov	edi, [ebp+arg_8]
		mov	[ecx], edx
		test	al, 2
		jz	loc_52DCB8
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+arg_0]
		mov	ebx, [ebp+var_8]
		mov	[ebp+var_20], 0
		mov	[edx+54h], ecx
		lea	ecx, [ebp+var_20]
		mov	[edx+50h], ebx
		xor	edx, edx
		lock or	[ecx], edx
		cmp	eax, 4
		jb	short loc_52DC86
		cmp	ds:_KiSerializeTimerExpiration,	0
		mov	edx, [ebp+var_14]
		movzx	ecx, byte ptr [edx-1E9Bh]
		mov	ecx, ds:dword_70E644[ecx*8]
		mov	[ebp+var_20], ecx
		jz	loc_5EE7B5
		mov	ecx, [ebp+arg_4]
		mov	edx, ecx
		shr	ecx, 5
		and	edx, 1Fh
		shl	ecx, 2
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+var_20]

loc_52DC7F:				; CODE XREF: KiInsertTimerTable+C0CB8j
		add	ecx, [ebp+var_10]
		lock bts [ecx],	edx

loc_52DC86:				; CODE XREF: KiInsertTimerTable+138j
		mov	ecx, ds:0FFDF000Ch
		mov	edx, ds:0FFDF0008h
		mov	[ebp+var_24], 0
		cmp	ecx, ds:0FFDF0010h
		jnz	loc_5EE7CD

loc_52DCA5:				; CODE XREF: KiInsertTimerTable+C0CE4j
		cmp	[ebp+arg_0], ecx
		ja	short loc_52DCB8
		jb	loc_52DD84
		cmp	ebx, edx
		jbe	loc_52DD84

loc_52DCB8:				; CODE XREF: KiInsertTimerTable+111j
					; KiInsertTimerTable+198j ...
		mov	bl, [ebp+var_1]

loc_52DCBB:				; CODE XREF: KiInsertTimerTable+298j
		mov	ecx, [ebp+var_18]
		xor	esi, esi
		add	ecx, 40h
		lock and [ecx],	esi
		test	edi, edi
		jnz	loc_5EE7F9

loc_52DCCE:				; CODE XREF: KiInsertTimerTable+C0CEBj
		pop	edi
		not	al
		pop	esi
		and	al, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_52DCDB:				; CODE XREF: KiInsertTimerTable+B1j
		mov	eax, 6
		mov	edi, ecx
		mov	[ebp+var_C], eax
		mov	ecx, ebx
		jmp	loc_52DC06
; 

loc_52DCEC:				; CODE XREF: KiInsertTimerTable+C6j
					; KiInsertTimerTable+D1j
		mov	edi, ds:_KeMaximumIncrement
		shr	edi, 2
		mov	[ebp+var_1C], edi
		mov	edi, [ebp+var_8]
		mov	[ebp+var_10], edi
		sub	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		sbb	eax, edx
		test	eax, eax
		ja	short loc_52DD14
		jb	short loc_52DD43
		mov	eax, [ebp+var_10]
		cmp	eax, [ebp+var_1C]
		jbe	short loc_52DD43

loc_52DD14:				; CODE XREF: KiInsertTimerTable+1F8j
		mov	ecx, [ebx+4]
		mov	eax, [ebp+arg_0]
		lea	ebx, [ebx+0]

loc_52DD20:				; CODE XREF: KiInsertTimerTable+22Fj
		cmp	eax, [ecx-4]
		ja	short loc_52DD2C
		jb	short loc_52DD3A
		cmp	edi, [ecx-8]
		jb	short loc_52DD3A

loc_52DD2C:				; CODE XREF: KiInsertTimerTable+213j
					; KiInsertTimerTable+231j ...
		xor	eax, eax
		jmp	loc_52DC04
; 

loc_52DD33:				; CODE XREF: KiInsertTimerTable+DAj
					; KiInsertTimerTable+E4j
		xor	eax, eax
		jmp	loc_52DBFF
; 

loc_52DD3A:				; CODE XREF: KiInsertTimerTable+215j
					; KiInsertTimerTable+21Aj
		mov	ecx, [ecx+4]
		cmp	ecx, ebx
		jnz	short loc_52DD20
		jmp	short loc_52DD2C
; 

loc_52DD43:				; CODE XREF: KiInsertTimerTable+1FAj
					; KiInsertTimerTable+202j
		mov	ebx, [ebx+4]
		cmp	ecx, ebx
		jz	short loc_52DD2C
		mov	eax, [ebp+arg_0]
		lea	ecx, [ecx+0]

loc_52DD50:				; CODE XREF: KiInsertTimerTable+252j
		mov	edx, [ecx]
		cmp	eax, [edx-4]
		jb	short loc_52DD2C
		ja	short loc_52DD5E
		cmp	edi, [edx-8]
		jbe	short loc_52DD2C

loc_52DD5E:				; CODE XREF: KiInsertTimerTable+247j
		mov	ecx, edx
		cmp	ecx, ebx
		jnz	short loc_52DD50
		xor	eax, eax
		jmp	loc_52DC04
; 
		jmp	short loc_52DD70
; 
		align 10h

loc_52DD70:				; CODE XREF: KiInsertTimerTable+A7j
					; KiInsertTimerTable+25Bj ...
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jz	loc_52DBB2
		jmp	short loc_52DD70
; 

loc_52DD84:				; CODE XREF: KiInsertTimerTable+19Aj
					; KiInsertTimerTable+1A2j
		test	edi, edi
		jnz	short loc_52DDA6
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_14]
		mov	edx, esi
		call	KiRemoveEntryTimer
		lea	eax, [edi+1]
		jmp	loc_52DCB8
; 

loc_52DD9E:				; CODE XREF: KiInsertTimerTable+C0j
		mov	edi, [ebp+var_8]
		jmp	loc_52DBE7
; 

loc_52DDA6:				; CODE XREF: KiInsertTimerTable+276j
		mov	bl, 1
		jmp	loc_52DCBB
KiInsertTimerTable endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWorkerFactoryStartDeferredWork(x, x)
_ExpWorkerFactoryStartDeferredWork@8 proc near ; CODE XREF: .text:0052AA3Dp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		test	byte ptr [esi+14h], 1
		jz	loc_52DEC9
		mov	eax, [esi+8]
		mov	ecx, [esi+0Ch]
		mov	[ebp+var_C], eax
		mov	eax, large fs:124h
		push	edi
		mov	edi, [esi+10h]
		mov	[ebp+var_2C], 0
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_28], 0
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 0
		nop
		xor	eax, eax
		and	edi, 0FFFF0000h
		mov	[esi], eax
		mov	[esi+4], eax
		test	edi, 20000h
		jnz	loc_52DE9F
		mov	eax, ds:_AlpcPortObjectType
		push	ebx
		push	0
		lea	ebx, [ebp+var_4]
		mov	[ebp+var_4], 0
		push	ebx
		push	edx
		push	eax
		push	1
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_52DE9E
		mov	ebx, [ebp+var_4]
		test	edi, 40000h
		jz	short loc_52DE4B
		mov	ecx, ebx
		call	AlpcpTrackPortReferences

loc_52DE4B:				; CODE XREF: ExpWorkerFactoryStartDeferredWork(x,x)+92j
		push	[ebp+var_8]
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_30]
		or	edi, 4
		mov	[ebp+var_30], ebx
		push	0
		mov	[ebp+var_18], edi
		mov	[ebp+var_20], 0
		mov	[ebp+var_24], 0
		mov	[ebp+var_1C], 0
		call	@AlpcpSendMessage@16 ; AlpcpSendMessage(x,x,x,x)
		test	eax, eax
		jns	short loc_52DE87
		mov	ecx, [ebp+var_30]
		call	ObfDereferenceObject
		jmp	short loc_52DE9E
; 

loc_52DE87:				; CODE XREF: ExpWorkerFactoryStartDeferredWork(x,x)+CBj
		mov	eax, [ebp+var_20]
		lea	ecx, [ebp+var_30]
		mov	[esi], eax
		mov	dl, 1
		mov	eax, [ebp+var_30]
		push	0
		mov	[esi+4], eax
		call	AlpcpSignal

loc_52DE9E:				; CODE XREF: ExpWorkerFactoryStartDeferredWork(x,x)+87j
					; ExpWorkerFactoryStartDeferredWork(x,x)+D5j
		pop	ebx

loc_52DE9F:				; CODE XREF: ExpWorkerFactoryStartDeferredWork(x,x)+62j
		mov	ecx, large fs:124h
		nop
		add	word ptr [ecx+13Ch], 1
		pop	edi
		jnz	short loc_52DEC9
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_52DEC9
		cmp	word ptr [ecx+13Eh], 0
		jnz	short loc_52DEC9
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_52DEC9:				; CODE XREF: ExpWorkerFactoryStartDeferredWork(x,x)+12j
					; ExpWorkerFactoryStartDeferredWork(x,x)+100j ...
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_ExpWorkerFactoryStartDeferredWork@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ExpAddCurrentThreadToThreadHistory(x)
_ExpAddCurrentThreadToThreadHistory@4 proc near	; CODE XREF: .text:0052AAA4p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		mov	eax, [ebx+68h]
		and	al, 7
		cmp	al, 4
		jz	short loc_52DF44
		push	esi
		lea	esi, [ebx+20h]
		xor	ecx, ecx
		push	edi
		mov	edi, large fs:124h
		mov	eax, esi
		mov	edi, edi

loc_52DEF0:				; CODE XREF: ExpAddCurrentThreadToThreadHistory(x)+2Bj
		cmp	[eax], edi
		jz	short loc_52DF42
		inc	ecx
		add	eax, 4
		cmp	ecx, 4
		jb	short loc_52DEF0
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		xor	eax, eax
		jmp	short loc_52DF10
; 
		align 10h

loc_52DF10:				; CODE XREF: ExpAddCurrentThreadToThreadHistory(x)+3Bj
					; ExpAddCurrentThreadToThreadHistory(x)+4Cj
		cmp	dword ptr [esi], 0
		jz	short loc_52DF46
		inc	eax
		add	esi, 4
		cmp	eax, 4
		jb	short loc_52DF10
		mov	esi, [ebx+68h]
		and	esi, 7
		mov	ecx, [ebx+esi*4+20h]
		call	ObfDereferenceObject
		mov	[ebx+esi*4+20h], edi
		lea	ecx, [esi+1]
		mov	eax, [ebx+68h]
		and	ecx, 3
		and	eax, 0FFFFFFF8h
		or	ecx, eax
		mov	[ebx+68h], ecx

loc_52DF42:				; CODE XREF: ExpAddCurrentThreadToThreadHistory(x)+22j
					; ExpAddCurrentThreadToThreadHistory(x)+7Aj
		pop	edi
		pop	esi

loc_52DF44:				; CODE XREF: ExpAddCurrentThreadToThreadHistory(x)+Cj
		pop	ebx
		retn
; 

loc_52DF46:				; CODE XREF: ExpAddCurrentThreadToThreadHistory(x)+43j
		mov	[ebx+eax*4+20h], edi
		jmp	short loc_52DF42
_ExpAddCurrentThreadToThreadHistory@4 endp

; 
		dd 5 dup(0CCCCCCCCh)
; 
; Exported entry 1329. KiDeliverApc

; __stdcall KiDeliverApc(x, x, x)
		public _KiDeliverApc@12
_KiDeliverApc@12:			; CODE XREF: KiCheckForKernelApcDelivery()+1Fp
					; KiExitThreadWait+4Dp	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		mov	esi, [ebp+10h]
		mov	dword ptr [esp+18h], 0
		mov	dword ptr [esp+0Ch], 0
		mov	dword ptr [esp+14h], 0
		mov	dword ptr [esp+10h], 0
		push	edi
		test	esi, esi
		jz	short loc_52DF9C
		mov	ecx, esi
		call	@KiCheckForSListAddress@4 ; KiCheckForSListAddress(x)

loc_52DF9C:				; CODE XREF: .text:0052DF93j
		mov	ebx, large fs:124h
		cmp	word ptr [ebx+13Eh], 0
		mov	eax, [ebx+6Ch]
		mov	edx, [ebx+80h]
		mov	[esp+20h], eax
		mov	[ebx+6Ch], esi
		mov	[esp+3Ch], edx
		mov	byte ptr [ebx+85h], 0
		jnz	loc_52E339
		mov	dword ptr [esp+30h], 0
		lea	eax, [esp+30h]
		xor	ecx, ecx
		lock or	[eax], ecx

loc_52DFDD:				; CODE XREF: .text:0052E0A9j
					; .text:0052E13Ej
		mov	ecx, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [ebx+70h]
		cmp	[edi], edi
		jz	loc_52E16C
		call	ecx
		lea	esi, [ebx+2Ch]
		mov	dword ptr [esp+34h], 0
		jmp	short loc_52E000
; 
		align 10h

loc_52E000:				; CODE XREF: .text:0052DFFBj
					; .text:0052E016j
		lock bts dword ptr [esi], 0
		jnb	short loc_52E018

loc_52E007:				; CODE XREF: .text:0052E014j
		lea	ecx, [esp+34h]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_52E007
		jmp	short loc_52E000
; 

loc_52E018:				; CODE XREF: .text:0052E005j
		mov	edx, [edi]
		cmp	edx, edi
		jz	loc_52E157
		mov	byte ptr [ebx+85h], 0
		lea	edi, [edx-0Ch]
		mov	eax, [edi+14h]
		mov	ecx, [edi+1Ch]
		mov	[esp+24h], eax
		mov	[esp+10h], ecx
		mov	eax, [edi+20h]
		mov	[esp+1Ch], eax
		mov	eax, [edi+24h]
		mov	[esp+18h], eax
		mov	eax, [edi+28h]
		mov	[esp+14h], eax
		test	ecx, ecx
		jnz	short loc_52E0AE
		mov	ecx, [edx]
		mov	eax, [edx+4]
		cmp	[ecx+4], edx
		jnz	loc_52E308
		cmp	[eax], edx
		jnz	loc_52E308
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	cl, 1
		mov	byte ptr [edi+2Eh], 0
		mov	dword ptr [esi], 0
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		or	byte ptr [ebx+84h], 2
		lea	eax, [esp+14h]
		push	eax
		lea	eax, [esp+1Ch]
		push	eax
		lea	eax, [esp+24h]
		push	eax
		lea	eax, [esp+1Ch]
		push	eax
		push	edi
		call	dword ptr [esp+38h]
		and	byte ptr [ebx+84h], 0FDh
		jmp	loc_52DFDD
; 

loc_52E0AE:				; CODE XREF: .text:0052E051j
		cmp	byte ptr [ebx+84h], 0
		jnz	loc_52E143
		cmp	word ptr [ebx+13Ch], 0
		jnz	short loc_52E143
		mov	ecx, [edx]
		mov	eax, [edx+4]
		cmp	[ecx+4], edx
		jnz	loc_52E308
		cmp	[eax], edx
		jnz	loc_52E308
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	cl, 1
		mov	byte ptr [edi+2Eh], 0
		mov	dword ptr [esi], 0
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		lea	eax, [esp+14h]
		mov	byte ptr [ebx+84h], 1
		push	eax
		lea	eax, [esp+1Ch]
		push	eax
		lea	eax, [esp+24h]
		push	eax
		lea	eax, [esp+1Ch]
		push	eax
		push	edi
		call	dword ptr [esp+38h]
		cmp	dword ptr [esp+10h], 0
		jz	short loc_52E137
		xor	cl, cl
		call	esi
		push	dword ptr [esp+14h]
		push	dword ptr [esp+1Ch]
		push	dword ptr [esp+24h]
		call	dword ptr [esp+1Ch]
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_52E137:				; CODE XREF: .text:0052E119j
		mov	byte ptr [ebx+84h], 0
		jmp	loc_52DFDD
; 

loc_52E143:				; CODE XREF: .text:0052E0B5j
					; .text:0052E0C3j
		mov	eax, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	cl, 1
		mov	dword ptr [esi], 0
		call	eax
		jmp	loc_52E335
; 

loc_52E157:				; CODE XREF: .text:0052E01Cj
		mov	eax, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	cl, 1
		mov	dword ptr [esi], 0
		call	eax
		mov	ecx, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()

loc_52E16C:				; CODE XREF: .text:0052DFE8j
		cmp	byte ptr [ebp+8], 1
		jnz	loc_52E335
		lea	eax, [ebx+78h]
		cmp	[eax], eax
		jz	loc_52E335
		xor	edi, edi
		mov	dword ptr [esp+2Ch], 0
		mov	dword ptr [esp+10h], 0
		mov	dword ptr [esp+1Ch], 0
		mov	dword ptr [esp+18h], 0
		mov	dword ptr [esp+14h], 0
		mov	[esp+24h], edi
		call	ecx
		lea	esi, [ebx+2Ch]
		mov	[esp+38h], edi

loc_52E1B8:				; CODE XREF: .text:0052E1CFj
		lock bts dword ptr [esi], 0
		jnb	short loc_52E1D1
		nop

loc_52E1C0:				; CODE XREF: .text:0052E1CDj
		lea	ecx, [esp+38h]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_52E1C0
		jmp	short loc_52E1B8
; 

loc_52E1D1:				; CODE XREF: .text:0052E1BDj
		mov	al, [ebx+86h]
		lea	edx, [ebx+78h]
		mov	[esp+0Fh], al
		and	al, 0FDh
		mov	[ebx+86h], al
		mov	ecx, [edx]
		cmp	ecx, edx
		jz	short loc_52E20C
		lea	esp, [esp+0]

loc_52E1F0:				; CODE XREF: .text:0052E20Aj
		mov	eax, [ecx+8]
		lea	edi, [ecx-0Ch]
		cmp	eax, offset _KeSpecialUserApcKernelRoutine@20 ;	KeSpecialUserApcKernelRoutine(x,x,x,x,x)
		jz	short loc_52E25E
		test	byte ptr [esp+0Fh], 2
		jnz	short loc_52E25E
		mov	ecx, [ecx]
		xor	edi, edi
		cmp	ecx, edx
		jnz	short loc_52E1F0

loc_52E20C:				; CODE XREF: .text:0052E1EAj
					; .text:0052E2CDj ...
		mov	cl, 1
		mov	dword ptr [esi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	loc_52E335
		lea	eax, [esp+14h]
		push	eax
		lea	eax, [esp+1Ch]
		push	eax
		lea	eax, [esp+24h]
		push	eax
		lea	eax, [esp+1Ch]
		push	eax
		push	edi
		call	dword ptr [esp+40h]
		test	byte ptr [esp+0Fh], 2
		mov	ecx, [esp+10h]
		jz	loc_52E318
		test	ecx, ecx
		jnz	loc_52E30F
		push	1
		call	KeTestAlertThread
		jmp	loc_52E335
; 

loc_52E25E:				; CODE XREF: .text:0052E1FBj
					; .text:0052E202j
		xor	edx, edx
		cmp	eax, offset _KeSpecialUserApcKernelRoutine@20 ;	KeSpecialUserApcKernelRoutine(x,x,x,x,x)
		setnz	dl
		dec	edx
		and	edx, 2
		test	byte ptr [edi+1], 1
		mov	[esp+24h], edx
		lea	edx, [ebx+78h]
		jz	short loc_52E27E
		or	dword ptr [esp+24h], 4

loc_52E27E:				; CODE XREF: .text:0052E277j
		mov	[esp+2Ch], eax
		mov	eax, [edi+1Ch]
		mov	[esp+10h], eax
		mov	eax, [edi+20h]
		mov	[esp+1Ch], eax
		mov	eax, [edi+24h]
		mov	[esp+18h], eax
		mov	eax, [edi+28h]
		mov	[esp+14h], eax
		mov	eax, [ecx]
		mov	[esp+28h], eax
		mov	esi, [esp+28h]
		mov	eax, [ecx+4]
		cmp	[esi+4], ecx
		lea	esi, [ebx+2Ch]
		jnz	short loc_52E308
		cmp	[eax], ecx
		jnz	short loc_52E308
		mov	ecx, [esp+28h]
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	byte ptr [edi+2Eh], 0
		mov	cl, [ebx+86h]
		test	cl, 1
		jz	loc_52E20C
		and	cl, 0FEh
		mov	[ebx+86h], cl
		mov	eax, [edx]
		cmp	eax, edx
		jz	loc_52E20C

loc_52E2E6:				; CODE XREF: .text:0052E2F3j
		cmp	dword ptr [eax+8], offset _KeSpecialUserApcKernelRoutine@20 ; KeSpecialUserApcKernelRoutine(x,x,x,x,x)
		jz	short loc_52E2FA
		mov	eax, [eax]
		cmp	eax, edx
		jnz	short loc_52E2E6
		jmp	loc_52E20C
; 

loc_52E2FA:				; CODE XREF: .text:0052E2EDj
		or	cl, 1
		mov	[ebx+86h], cl
		jmp	loc_52E20C
; 

loc_52E308:				; CODE XREF: .text:0052E05Bj
					; .text:0052E063j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_52E30F:				; CODE XREF: .text:0052E24Cj
		mov	eax, [esp+24h]
		or	eax, 1
		jmp	short loc_52E31C
; 

loc_52E318:				; CODE XREF: .text:0052E244j
		mov	eax, [esp+24h]

loc_52E31C:				; CODE XREF: .text:0052E316j
		mov	edx, [ebp+10h]
		push	eax
		push	dword ptr [esp+18h]
		push	dword ptr [esp+20h]
		push	dword ptr [esp+28h]
		push	ecx
		mov	ecx, [ebp+0Ch]
		call	_KiInitializeUserApc@28	; KiInitializeUserApc(x,x,x,x,x,x,x)

loc_52E335:				; CODE XREF: .text:0052E152j
					; .text:0052E170j ...
		mov	eax, [esp+20h]

loc_52E339:				; CODE XREF: .text:0052DFC6j
		mov	esi, [ebx+80h]
		mov	edi, [esp+3Ch]
		cmp	esi, edi
		jnz	short loc_52E353
		pop	edi
		pop	esi
		mov	[ebx+6Ch], eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_52E353:				; CODE XREF: .text:0052E345j
		call	_KeIsExecutingDpc@0 ; KeIsExecutingDpc()
		push	eax
		movzx	eax, byte ptr [ebx+16Ah]
		push	eax
		push	esi
		push	edi
		push	5
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 


; __stdcall KeAbThreadAreAllEntriesFree(x)
_KeAbThreadAreAllEntriesFree@4 proc near ; CODE	XREF: KiAbFindWakeupLockEntry+1Ap
					; PspNotifyProcessBackgroundTransition(x,x)+6Ap ...
		mov	al, [ecx+1E4h]
		mov	cl, [ecx+222h]
		or	cl, al
		xor	eax, eax
		cmp	cl, 3Fh
		setz	al
		retn
_KeAbThreadAreAllEntriesFree@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAbEntryGetLockedHeadEntry proc near	; CODE XREF: KiAbProcessThreadLocks+C2p
					; KiAbProcessContextSwitch+DDp	...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005EE800 SIZE 00000085 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 48h
		push	esi
		mov	esi, ecx
		mov	[esp+4Ch+var_14], 0
		xor	eax, eax
		mov	[esp+4Ch+var_38], esi
		push	edi
		mov	edi, edx
		mov	[esp+50h+var_10], 0
		test	byte ptr [esi+0Fh], 1
		mov	[esp+50h+var_20], edi
		mov	[esp+50h+var_C], eax
		mov	[esp+50h+var_8], eax
		mov	[esp+50h+var_4], eax
		jnz	loc_52E79E

loc_52E3D1:				; CODE XREF: KiAbEntryGetLockedHeadEntry+5F0j
					; KiAbEntryGetLockedHeadEntry+60Bj ...
		mov	eax, [esi+10h]
		mov	ecx, [esi+14h]
		mov	[esp+50h+var_1C], ecx
		mov	[esp+50h+var_2C], ecx
		mov	[esp+50h+var_30], eax
		test	eax, eax
		js	short loc_52E3EF
		test	edi, edi
		jz	loc_52E965

loc_52E3EF:				; CODE XREF: KiAbEntryGetLockedHeadEntry+55j
		and	eax, 7FFFFFFCh
		mov	[esp+50h+var_10], ecx
		mov	[esp+50h+var_14], eax
		shr	eax, 3
		and	eax, 0Fh
		shl	eax, 6
		xor	ecx, ecx
		mov	[esp+50h+var_34], ecx
		lea	esi, _KiAbTreeArray[eax]
		lea	eax, dword_6FAC08[eax]
		mov	[esp+50h+var_30], esi
		mov	[esp+50h+var_3C], eax
		nop

loc_52E420:				; CODE XREF: KiAbEntryGetLockedHeadEntry+653j
		push	eax
		test	ecx, ecx
		jnz	loc_52E8A6
		call	ExAcquireSpinLockSharedAtDpcLevel

loc_52E42E:				; CODE XREF: KiAbEntryGetLockedHeadEntry+51Bj
		mov	eax, [esi+4]
		mov	esi, [esi]
		test	al, 1
		jz	short loc_52E43F
		test	esi, esi
		jz	short loc_52E43F
		xor	esi, [esp+50h+var_30]

loc_52E43F:				; CODE XREF: KiAbEntryGetLockedHeadEntry+A5j
					; KiAbEntryGetLockedHeadEntry+A9j
		movzx	edx, al
		and	edx, 1
		test	esi, esi
		jz	short loc_52E483
		mov	edi, [esp+50h+var_1C]
		lea	ecx, [ecx+0]

loc_52E450:				; CODE XREF: KiAbEntryGetLockedHeadEntry+EDj
		mov	eax, [esi+10h]
		and	eax, 7FFFFFFCh
		cmp	eax, [esp+50h+var_14]
		jb	loc_52E52B
		ja	short loc_52E46F
		cmp	[esi+14h], edi
		jz	short loc_52E47F
		jb	loc_52E52B

loc_52E46F:				; CODE XREF: KiAbEntryGetLockedHeadEntry+D2j
		mov	eax, [esi]
		test	edx, edx
		jnz	loc_52E540

loc_52E479:				; CODE XREF: KiAbEntryGetLockedHeadEntry+1A0j
					; KiAbEntryGetLockedHeadEntry+1A8j ...
		mov	esi, eax

loc_52E47B:				; CODE XREF: KiAbEntryGetLockedHeadEntry+1BAj
		test	esi, esi
		jnz	short loc_52E450

loc_52E47F:				; CODE XREF: KiAbEntryGetLockedHeadEntry+D7j
		mov	edi, [esp+50h+var_20]

loc_52E483:				; CODE XREF: KiAbEntryGetLockedHeadEntry+B7j
		test	edi, edi
		jz	loc_52E7FF
		test	esi, esi
		jnz	loc_52E632
		cmp	[esp+50h+var_34], esi
		jnz	short loc_52E4D5
		test	ds:byte_70EFC6,	21h
		mov	[esp+50h+var_18], esi
		mov	esi, [esp+50h+var_3C]
		mov	[esp+50h+var_34], 1
		jnz	loc_52E9BF
		lock bts dword ptr [esi], 1Fh
		jb	loc_52E9D1
		mov	edx, [esi]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000001h
		jnz	loc_52E8B0

loc_52E4D5:				; CODE XREF: KiAbEntryGetLockedHeadEntry+107j
					; KiAbEntryGetLockedHeadEntry+541j ...
		mov	esi, [esp+50h+var_30]
		mov	eax, [esi+4]
		mov	ecx, [esi]
		test	al, 1
		jz	short loc_52E4EC
		test	ecx, ecx
		jz	loc_52E61B
		xor	ecx, esi

loc_52E4EC:				; CODE XREF: KiAbEntryGetLockedHeadEntry+150j
					; KiAbEntryGetLockedHeadEntry+28Dj
		movzx	esi, al
		and	esi, 1
		mov	byte ptr [esp+50h+var_20], 0
		test	ecx, ecx
		jz	short loc_52E56C
		mov	edi, [esp+50h+var_1C]
		nop

loc_52E500:				; CODE XREF: KiAbEntryGetLockedHeadEntry+199j
		mov	eax, [ecx+10h]
		and	eax, 7FFFFFFCh
		cmp	eax, [esp+50h+var_14]
		jb	short loc_52E54F
		ja	short loc_52E517
		cmp	[ecx+14h], edi
		jz	short loc_52E54F
		jb	short loc_52E54F

loc_52E517:				; CODE XREF: KiAbEntryGetLockedHeadEntry+17Ej
		mov	eax, [ecx]
		test	esi, esi
		jz	short loc_52E523
		test	eax, eax
		jz	short loc_52E567
		xor	eax, ecx

loc_52E523:				; CODE XREF: KiAbEntryGetLockedHeadEntry+18Bj
		test	eax, eax
		jz	short loc_52E567

loc_52E527:				; CODE XREF: KiAbEntryGetLockedHeadEntry+1CEj
		mov	ecx, eax
		jmp	short loc_52E500
; 

loc_52E52B:				; CODE XREF: KiAbEntryGetLockedHeadEntry+CCj
					; KiAbEntryGetLockedHeadEntry+D9j
		mov	eax, [esi+4]
		test	edx, edx
		jz	loc_52E479
		test	eax, eax
		jz	loc_52E479
		jmp	short loc_52E548
; 

loc_52E540:				; CODE XREF: KiAbEntryGetLockedHeadEntry+E3j
		test	eax, eax
		jz	loc_52E479

loc_52E548:				; CODE XREF: KiAbEntryGetLockedHeadEntry+1AEj
		xor	esi, eax
		jmp	loc_52E47B
; 

loc_52E54F:				; CODE XREF: KiAbEntryGetLockedHeadEntry+17Cj
					; KiAbEntryGetLockedHeadEntry+183j ...
		mov	eax, [ecx+4]
		test	esi, esi
		jz	short loc_52E55C
		test	eax, eax
		jz	short loc_52E560
		xor	eax, ecx

loc_52E55C:				; CODE XREF: KiAbEntryGetLockedHeadEntry+1C4j
		test	eax, eax
		jnz	short loc_52E527

loc_52E560:				; CODE XREF: KiAbEntryGetLockedHeadEntry+1C8j
		mov	byte ptr [esp+50h+var_20], 1
		jmp	short loc_52E56C
; 

loc_52E567:				; CODE XREF: KiAbEntryGetLockedHeadEntry+18Fj
					; KiAbEntryGetLockedHeadEntry+195j
		mov	byte ptr [esp+50h+var_20], 0

loc_52E56C:				; CODE XREF: KiAbEntryGetLockedHeadEntry+169j
					; KiAbEntryGetLockedHeadEntry+1D5j
		mov	esi, [esp+50h+var_38]
		push	esi
		push	[esp+54h+var_20]
		push	ecx
		push	[esp+5Ch+var_30]
		call	RtlRbInsertNodeEx
		mov	ecx, [ebp+arg_0]
		lea	eax, [esi+28h]
		mov	edi, esi
		mov	[ecx+4], eax
		mov	dword ptr [ecx], 0
		test	ds:byte_70EFC6,	21h
		jz	short loc_52E60C
		mov	edx, eax
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)

loc_52E5A0:				; CODE XREF: KiAbEntryGetLockedHeadEntry+282j
					; KiAbEntryGetLockedHeadEntry+289j
		cmp	[esp+50h+var_34], 0
		push	[esp+50h+var_3C]
		jz	loc_5EE800
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_52E5B4:				; CODE XREF: KiAbEntryGetLockedHeadEntry+C0475j
		mov	al, [esi+13h]
		or	al, 80h
		mov	[esi+13h], al
		mov	al, [esi+0Fh]
		or	al, 1
		mov	[esi+0Fh], al
		mov	dword ptr [esi+18h], 0
		mov	dword ptr [esi+1Ch], 0
		mov	dword ptr [esi+20h], 0
		mov	dword ptr [esi+24h], 0
		and	word ptr [esi+2Eh], 1

loc_52E5E5:				; CODE XREF: KiAbEntryGetLockedHeadEntry+375j
		movzx	eax, byte ptr [esi+0Ch]
		mov	edx, esi
		shl	eax, 3
		sub	edx, eax
		test	byte ptr [esi+0Dh], 1
		jnz	short loc_52E622
		mov	cl, 1
		lea	eax, [edx+223h]
		lock xadd [eax], cl

loc_52E602:				; CODE XREF: KiAbEntryGetLockedHeadEntry+2E3j
					; KiAbEntryGetLockedHeadEntry+4B6j ...
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_52E60C:				; CODE XREF: KiAbEntryGetLockedHeadEntry+207j
		mov	edx, ecx
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_52E5A0
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_52E5A0
; 

loc_52E61B:				; CODE XREF: KiAbEntryGetLockedHeadEntry+154j
		xor	ecx, ecx
		jmp	loc_52E4EC
; 

loc_52E622:				; CODE XREF: KiAbEntryGetLockedHeadEntry+264j
		inc	byte ptr [edx+1E5h]
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_52E632:				; CODE XREF: KiAbEntryGetLockedHeadEntry+FDj
		mov	ecx, [ebp+arg_0]
		lea	eax, [esi+28h]
		mov	edi, esi
		mov	[ecx+4], eax
		mov	dword ptr [ecx], 0
		test	ds:byte_70EFC6,	21h
		jz	loc_52E70A
		mov	edx, eax
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)

loc_52E657:				; CODE XREF: KiAbEntryGetLockedHeadEntry+380j
					; KiAbEntryGetLockedHeadEntry+38Bj
		cmp	[esp+50h+var_34], 0
		push	[esp+50h+var_3C]
		jnz	loc_52E8EA
		call	ExReleaseSpinLockSharedFromDpcLevel

loc_52E66B:				; CODE XREF: KiAbEntryGetLockedHeadEntry+55Fj
		mov	eax, [esp+50h+var_38]
		cmp	dword ptr [eax+10h], 0
		jl	short loc_52E602
		test	byte ptr [eax+0Dh], 1
		mov	ecx, eax
		jz	loc_52E72D
		call	_KiAbWaiterComputeCpuPriorityKey@4 ; KiAbWaiterComputeCpuPriorityKey(x)
		mov	dl, al
		mov	eax, [esp+50h+var_38]
		mov	[eax+18h], dl
		lea	eax, [esi+20h]
		mov	ecx, [eax+4]
		mov	[esp+50h+var_20], eax
		test	cl, 1
		jnz	loc_52E720
		mov	eax, [eax]

loc_52E6A4:				; CODE XREF: KiAbEntryGetLockedHeadEntry+398j
					; KiAbEntryGetLockedHeadEntry+409j
		movzx	esi, cl
		xor	cl, cl
		and	esi, 1
		test	eax, eax
		jz	short loc_52E6E2

loc_52E6B0:				; CODE XREF: KiAbEntryGetLockedHeadEntry+346j
		cmp	[eax+18h], dl
		jl	short loc_52E6D8
		mov	ecx, [eax+4]
		test	esi, esi
		jz	short loc_52E6C2
		test	ecx, ecx
		jz	short loc_52E6C6
		xor	ecx, eax

loc_52E6C2:				; CODE XREF: KiAbEntryGetLockedHeadEntry+32Aj
		test	ecx, ecx
		jnz	short loc_52E6D4

loc_52E6C6:				; CODE XREF: KiAbEntryGetLockedHeadEntry+32Ej
		mov	cl, 1
		jmp	short loc_52E6E2
; 

loc_52E6CA:				; CODE XREF: KiAbEntryGetLockedHeadEntry+34Ej
		test	ecx, ecx
		jz	short loc_52E6E0
		xor	ecx, eax

loc_52E6D0:				; CODE XREF: KiAbEntryGetLockedHeadEntry+34Cj
		test	ecx, ecx
		jz	short loc_52E6E0

loc_52E6D4:				; CODE XREF: KiAbEntryGetLockedHeadEntry+334j
		mov	eax, ecx
		jmp	short loc_52E6B0
; 

loc_52E6D8:				; CODE XREF: KiAbEntryGetLockedHeadEntry+323j
		mov	ecx, [eax]
		test	esi, esi
		jz	short loc_52E6D0
		jmp	short loc_52E6CA
; 

loc_52E6E0:				; CODE XREF: KiAbEntryGetLockedHeadEntry+33Cj
					; KiAbEntryGetLockedHeadEntry+342j
		xor	cl, cl

loc_52E6E2:				; CODE XREF: KiAbEntryGetLockedHeadEntry+31Ej
					; KiAbEntryGetLockedHeadEntry+338j
		mov	esi, [esp+50h+var_20]

loc_52E6E6:				; CODE XREF: KiAbEntryGetLockedHeadEntry+3CBj
					; KiAbEntryGetLockedHeadEntry+3ECj ...
		push	[esp+50h+var_38]
		mov	byte ptr [esp+54h+var_1C], cl
		push	[esp+54h+var_1C]
		push	eax
		push	esi
		call	RtlRbInsertNodeEx
		mov	esi, [esp+50h+var_38]
		mov	al, [esi+13h]
		or	al, 80h
		mov	[esi+13h], al
		jmp	loc_52E5E5
; 

loc_52E70A:				; CODE XREF: KiAbEntryGetLockedHeadEntry+2BAj
		mov	edx, ecx
		xchg	edx, [eax]
		test	edx, edx
		jz	loc_52E657
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_52E657
; 

loc_52E720:				; CODE XREF: KiAbEntryGetLockedHeadEntry+30Cj
		mov	esi, [eax]
		test	esi, esi
		jz	short loc_52E797
		xor	eax, esi
		jmp	loc_52E6A4
; 

loc_52E72D:				; CODE XREF: KiAbEntryGetLockedHeadEntry+2EBj
		call	_KiAbOwnerComputeCpuPriorityKey@4 ; KiAbOwnerComputeCpuPriorityKey(x)
		mov	ecx, [esp+50h+var_38]
		add	esi, 18h
		mov	[ecx+18h], al
		mov	edx, [esi+4]
		movsx	eax, al
		mov	[esp+50h+var_1C], eax
		test	dl, 1
		jnz	loc_52E7D3
		mov	eax, [esi]

loc_52E751:				; CODE XREF: KiAbEntryGetLockedHeadEntry+44Dj
					; KiAbEntryGetLockedHeadEntry+463j
		movzx	edx, dl
		xor	cl, cl
		and	edx, 1
		test	eax, eax
		jz	short loc_52E6E6
		lea	ecx, [ecx+0]

loc_52E760:				; CODE XREF: KiAbEntryGetLockedHeadEntry+3FDj
		mov	cl, [eax+18h]
		cmp	cl, byte ptr [esp+50h+var_1C]
		jg	short loc_52E78F
		mov	ecx, [eax+4]
		test	edx, edx
		jz	short loc_52E776
		test	ecx, ecx
		jz	short loc_52E77A
		xor	ecx, eax

loc_52E776:				; CODE XREF: KiAbEntryGetLockedHeadEntry+3DEj
		test	ecx, ecx
		jnz	short loc_52E78B

loc_52E77A:				; CODE XREF: KiAbEntryGetLockedHeadEntry+3E2j
		mov	cl, 1
		jmp	loc_52E6E6
; 

loc_52E781:				; CODE XREF: KiAbEntryGetLockedHeadEntry+405j
		test	ecx, ecx
		jz	short loc_52E7F8
		xor	ecx, eax

loc_52E787:				; CODE XREF: KiAbEntryGetLockedHeadEntry+403j
		test	ecx, ecx
		jz	short loc_52E7F8

loc_52E78B:				; CODE XREF: KiAbEntryGetLockedHeadEntry+3E8j
		mov	eax, ecx
		jmp	short loc_52E760
; 

loc_52E78F:				; CODE XREF: KiAbEntryGetLockedHeadEntry+3D7j
		mov	ecx, [eax]
		test	edx, edx
		jz	short loc_52E787
		jmp	short loc_52E781
; 

loc_52E797:				; CODE XREF: KiAbEntryGetLockedHeadEntry+394j
		xor	eax, eax
		jmp	loc_52E6A4
; 

loc_52E79E:				; CODE XREF: KiAbEntryGetLockedHeadEntry+3Bj
		mov	ecx, [ebp+arg_0]
		lea	eax, [esi+28h]
		mov	[ecx+4], eax
		mov	dword ptr [ecx], 0
		test	ds:byte_70EFC6,	21h
		jz	short loc_52E7E2
		mov	edx, eax
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)

loc_52E7BD:				; CODE XREF: KiAbEntryGetLockedHeadEntry+458j
					; KiAbEntryGetLockedHeadEntry+45Fj
		test	byte ptr [esi+0Fh], 1
		jz	loc_52E96C
		mov	edi, esi
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_52E7D3:				; CODE XREF: KiAbEntryGetLockedHeadEntry+3B9j
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_52E7F1
		mov	eax, esi
		xor	eax, ecx
		jmp	loc_52E751
; 

loc_52E7E2:				; CODE XREF: KiAbEntryGetLockedHeadEntry+424j
		mov	edx, ecx
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_52E7BD
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_52E7BD
; 

loc_52E7F1:				; CODE XREF: KiAbEntryGetLockedHeadEntry+447j
		xor	eax, eax
		jmp	loc_52E751
; 

loc_52E7F8:				; CODE XREF: KiAbEntryGetLockedHeadEntry+3F3j
					; KiAbEntryGetLockedHeadEntry+3F9j
		xor	cl, cl
		jmp	loc_52E6E6
; 

loc_52E7FF:				; CODE XREF: KiAbEntryGetLockedHeadEntry+F5j
		test	esi, esi
		jz	loc_5EE80A
		mov	ecx, [ebp+arg_0]
		lea	eax, [esi+28h]
		mov	edi, esi
		mov	[ecx+4], eax
		mov	dword ptr [ecx], 0
		test	ds:byte_70EFC6,	21h
		jz	loc_52E8F4
		mov	edx, eax
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)

loc_52E82C:				; CODE XREF: KiAbEntryGetLockedHeadEntry+56Aj
					; KiAbEntryGetLockedHeadEntry+575j
		cmp	[esp+50h+var_34], 0
		push	[esp+50h+var_3C]
		jnz	loc_5EE829
		call	ExReleaseSpinLockSharedFromDpcLevel

loc_52E840:				; CODE XREF: KiAbEntryGetLockedHeadEntry+C049Ej
		mov	eax, [esp+50h+var_38]
		cmp	eax, esi
		jz	loc_52E602
		add	eax, 28h
		mov	[esp+50h+var_C], 0
		test	ds:byte_70EFC6,	21h
		mov	[esp+50h+var_8], eax
		jz	loc_52E90A
		mov	edx, eax
		lea	ecx, [esp+50h+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)

loc_52E873:				; CODE XREF: KiAbEntryGetLockedHeadEntry+582j
					; KiAbEntryGetLockedHeadEntry+591j
		test	ds:byte_70EFC6,	1
		jz	loc_52E926
		mov	edx, [ebp+4]
		lea	ecx, [esp+50h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_52E88C:				; CODE XREF: KiAbEntryGetLockedHeadEntry+5B2j
					; KiAbEntryGetLockedHeadEntry+5D0j
		mov	ecx, [esp+50h+var_38]
		lea	edx, [esp+50h+var_14]
		call	_KiAbCompareSnappedEntryState@8	; KiAbCompareSnappedEntryState(x,x)
		test	eax, eax
		jnz	loc_52E602
		jmp	loc_5EE833
; 

loc_52E8A6:				; CODE XREF: KiAbEntryGetLockedHeadEntry+93j
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		jmp	loc_52E42E
; 

loc_52E8B0:				; CODE XREF: KiAbEntryGetLockedHeadEntry+13Fj
					; KiAbEntryGetLockedHeadEntry+53Fj
		test	edx, 40000000h
		jz	short loc_52E8D6

loc_52E8B8:				; CODE XREF: KiAbEntryGetLockedHeadEntry+556j
		lea	ecx, [esp+50h+var_18]
		call	KeYieldProcessorEx
		mov	eax, [esi]

loc_52E8C3:				; CODE XREF: KiAbEntryGetLockedHeadEntry+558j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000001h
		jnz	short loc_52E8B0
		jmp	loc_52E4D5
; 

loc_52E8D6:				; CODE XREF: KiAbEntryGetLockedHeadEntry+526j
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_52E8B8
		jmp	short loc_52E8C3
; 

loc_52E8EA:				; CODE XREF: KiAbEntryGetLockedHeadEntry+2D0j
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	loc_52E66B
; 

loc_52E8F4:				; CODE XREF: KiAbEntryGetLockedHeadEntry+48Fj
		mov	edx, ecx
		xchg	edx, [eax]
		test	edx, edx
		jz	loc_52E82C
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_52E82C
; 

loc_52E90A:				; CODE XREF: KiAbEntryGetLockedHeadEntry+4D2j
		lea	edx, [esp+50h+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jz	loc_52E873
		lea	ecx, [esp+50h+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_52E873
; 

loc_52E926:				; CODE XREF: KiAbEntryGetLockedHeadEntry+4EAj
		mov	eax, [esp+50h+var_C]
		test	eax, eax
		jnz	short loc_52E94D
		mov	edx, [esp+50h+var_8]
		lea	eax, [esp+50h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+50h+var_C]
		cmp	eax, ecx
		jz	loc_52E88C
		call	KxWaitForLockChainValid

loc_52E94D:				; CODE XREF: KiAbEntryGetLockedHeadEntry+59Cj
		mov	[esp+50h+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_52E88C
; 

loc_52E965:				; CODE XREF: KiAbEntryGetLockedHeadEntry+59j
					; KiAbEntryGetLockedHeadEntry+C048Aj ...
		xor	edi, edi
		jmp	loc_52E602
; 

loc_52E96C:				; CODE XREF: KiAbEntryGetLockedHeadEntry+431j
		test	ds:byte_70EFC6,	1
		mov	ecx, [ebp+arg_0]
		jz	short loc_52E985
		mov	edx, [ebp+4]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_52E3D1
; 

loc_52E985:				; CODE XREF: KiAbEntryGetLockedHeadEntry+5E6j
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_52E9A9
		mov	eax, ecx
		xor	edx, edx
		mov	ecx, [eax+4]
		lock cmpxchg [ecx], edx
		mov	ecx, [ebp+arg_0]
		cmp	eax, ecx
		jz	loc_52E3D1
		call	KxWaitForLockChainValid
		mov	ecx, [ebp+arg_0]

loc_52E9A9:				; CODE XREF: KiAbEntryGetLockedHeadEntry+5F9j
		mov	dword ptr [ecx], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_52E3D1
; 

loc_52E9BF:				; CODE XREF: KiAbEntryGetLockedHeadEntry+120j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	_ExpTryConvertSharedSpinLockExclusiveInstrumented@8 ; ExpTryConvertSharedSpinLockExclusiveInstrumented(x,x)
		test	eax, eax
		jnz	loc_52E4D5

loc_52E9D1:				; CODE XREF: KiAbEntryGetLockedHeadEntry+12Bj
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	esi, [esp+50h+var_30]
		mov	eax, [esp+50h+var_3C]
		mov	ecx, [esp+50h+var_34]
		jmp	loc_52E420
KiAbEntryGetLockedHeadEntry endp

; 
		align 10h
; Exported entry 2307. RtlRbInsertNodeEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlRbInsertNodeEx
RtlRbInsertNodeEx proc near		; CODE XREF: KiSetClockInterval+84p
					; KiInsertSchedulingGroupQueue+D4p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005EE885 SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	dword ptr [edx], 0
		mov	dword ptr [edx+4], 0
		mov	bl, [esi+4]
		mov	cl, bl
		and	cl, 1
		test	eax, eax
		jz	loc_52EC41
		push	edi
		mov	edi, edx
		xor	edi, eax
		mov	[ebp+arg_4], edi
		test	cl, cl
		jnz	loc_52EDF6
		mov	[ebp+arg_C], edx

loc_52EA33:				; CODE XREF: RtlRbInsertNodeEx+409j
		mov	bl, byte ptr [ebp+arg_8]
		mov	edi, [ebp+arg_C]
		movzx	ecx, bl
		mov	[eax+ecx*4], edi
		test	byte ptr [esi+4], 1
		mov	edi, [ebp+arg_4]
		jnz	short loc_52EA4A
		mov	edi, eax

loc_52EA4A:				; CODE XREF: RtlRbInsertNodeEx+56j
		or	edi, 1
		mov	[edx+8], edi
		test	bl, bl
		jz	loc_52EC1A

loc_52EA58:				; CODE XREF: RtlRbInsertNodeEx+23Aj
					; RtlRbInsertNodeEx+24Cj ...
		test	byte ptr [eax+8], 1
		jnz	short loc_52EA67

loc_52EA5E:				; CODE XREF: RtlRbInsertNodeEx+E0j
					; RtlRbInsertNodeEx+4E9j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_52EA67:				; CODE XREF: RtlRbInsertNodeEx+6Cj
		mov	bh, [esi+4]
		mov	byte ptr [ebp+arg_8+3],	bh
		lea	ecx, [ecx+0]

loc_52EA70:				; CODE XREF: RtlRbInsertNodeEx+102j
		mov	edi, [eax+8]
		and	edi, 0FFFFFFFCh
		and	bh, 1
		jnz	loc_52EE0F

loc_52EA7F:				; CODE XREF: RtlRbInsertNodeEx+421j
					; RtlRbInsertNodeEx+429j
		mov	ecx, [edi]
		test	bh, bh
		jnz	loc_52EE1E

loc_52EA89:				; CODE XREF: RtlRbInsertNodeEx+430j
					; RtlRbInsertNodeEx+438j
		cmp	ecx, eax
		mov	[ebp+arg_C], 0
		mov	ecx, [ebp+arg_C]
		setnz	cl
		mov	[ebp+arg_C], ecx
		xor	ecx, 1
		mov	[ebp+arg_4], ecx
		mov	ecx, [edi+ecx*4]
		test	bh, bh
		jnz	short loc_52EB01

loc_52EAA8:				; CODE XREF: RtlRbInsertNodeEx+4B5j
		test	ecx, ecx
		jz	short loc_52EB09
		test	byte ptr [ecx+8], 1
		jz	short loc_52EB09
		and	byte ptr [eax+8], 0FEh
		mov	edx, edi
		and	byte ptr [ecx+8], 0FEh
		mov	eax, [edi+8]
		mov	cl, al
		and	eax, 0FFFFFFFCh
		test	byte ptr [esi+4], 1
		jnz	loc_52EED7

loc_52EACE:				; CODE XREF: RtlRbInsertNodeEx+4F1j
		test	eax, eax
		jz	short loc_52EA5E
		or	cl, 1
		mov	[edi+8], cl
		mov	bh, [esi+4]
		mov	ecx, [eax]
		mov	byte ptr [ebp+arg_8+3],	bh
		test	bh, 1
		jnz	loc_52EEE6

loc_52EAE9:				; CODE XREF: RtlRbInsertNodeEx+4F8j
					; RtlRbInsertNodeEx+500j
		cmp	edi, ecx
		setnz	bl
		test	byte ptr [eax+8], 1
		jnz	loc_52EA70
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_52EB01:				; CODE XREF: RtlRbInsertNodeEx+B6j
		test	ecx, ecx
		jnz	loc_52EEA3

loc_52EB09:				; CODE XREF: RtlRbInsertNodeEx+BAj
					; RtlRbInsertNodeEx+C0j
		movzx	ecx, bl
		cmp	ecx, [ebp+arg_C]
		jnz	loc_52EC6A

loc_52EB15:				; CODE XREF: RtlRbInsertNodeEx+364j
		mov	ecx, [esi+4]
		mov	edx, [esi]
		test	cl, 1
		jnz	loc_52EE2D

loc_52EB23:				; CODE XREF: RtlRbInsertNodeEx+447j
		mov	[ebp+arg_8], edx

loc_52EB26:				; CODE XREF: RtlRbInsertNodeEx+BFEA3j
		mov	edx, [ebp+arg_C]
		movzx	ebx, cl
		xor	edx, 1
		mov	ecx, [eax+8]
		and	ecx, 0FFFFFFFCh
		mov	[ebp+arg_C], edx
		and	ebx, 1
		jnz	loc_52EE4B

loc_52EB41:				; CODE XREF: RtlRbInsertNodeEx+45Dj
					; RtlRbInsertNodeEx+465j
		cmp	ecx, edi
		jnz	loc_5EE89F
		mov	ecx, edx
		xor	ecx, 1
		lea	ecx, [edi+ecx*4]
		mov	[ebp+var_C], ecx
		mov	ecx, [ecx]
		test	ebx, ebx
		jnz	loc_52EE5A

loc_52EB5E:				; CODE XREF: RtlRbInsertNodeEx+46Cj
					; RtlRbInsertNodeEx+474j
		cmp	ecx, eax
		jnz	loc_5EE89F
		lea	edx, [edi+8]
		mov	[ebp+var_8], edx
		mov	edx, [edx]
		and	edx, 0FFFFFFFCh
		test	ebx, ebx
		jnz	loc_52EEAA

loc_52EB79:				; CODE XREF: RtlRbInsertNodeEx+4C4j
		test	edx, edx
		jz	loc_52EDFE
		mov	ecx, [edx+4]
		test	ebx, ebx
		jnz	loc_52EEC8

loc_52EB8C:				; CODE XREF: RtlRbInsertNodeEx+4DAj
					; RtlRbInsertNodeEx+4E2j
		cmp	ecx, edi
		jnz	loc_52ED8D
		test	ebx, ebx
		jnz	loc_52EF38
		mov	ecx, eax

loc_52EB9E:				; CODE XREF: RtlRbInsertNodeEx+54Cj
		mov	[edx+4], ecx

loc_52EBA1:				; CODE XREF: RtlRbInsertNodeEx+3BBj
					; RtlRbInsertNodeEx+41Aj ...
		test	ebx, ebx
		jnz	loc_52EEB9

loc_52EBA9:				; CODE XREF: RtlRbInsertNodeEx+4CBj
					; RtlRbInsertNodeEx+4D3j
		mov	ecx, [eax+8]
		and	ecx, 3
		or	ecx, edx
		mov	[eax+8], ecx
		mov	ecx, [ebp+arg_C]
		mov	ecx, [eax+ecx*4]
		test	ebx, ebx
		jnz	loc_52EE69

loc_52EBC2:				; CODE XREF: RtlRbInsertNodeEx+483j
		test	ecx, ecx
		jnz	loc_52ED59

loc_52EBCA:				; CODE XREF: RtlRbInsertNodeEx+398j
					; RtlRbInsertNodeEx+47Bj ...
		test	ebx, ebx
		jnz	loc_52EE78

loc_52EBD2:				; CODE XREF: RtlRbInsertNodeEx+48Aj
					; RtlRbInsertNodeEx+492j
		mov	edx, [ebp+var_C]
		mov	[edx], ecx
		mov	edx, eax
		xor	edx, edi
		test	ebx, ebx
		jnz	loc_52EE87

loc_52EBE3:				; CODE XREF: RtlRbInsertNodeEx+499j
		mov	ecx, [ebp+arg_C]
		mov	[eax+ecx*4], edi
		test	ebx, ebx
		jnz	short loc_52EBEF
		mov	edx, eax

loc_52EBEF:				; CODE XREF: RtlRbInsertNodeEx+1FBj
		mov	ebx, [ebp+var_8]
		mov	ecx, [ebx]
		and	ecx, 3
		or	ecx, edx
		mov	[ebx], ecx
		test	byte ptr [esi+4], 1
		mov	ecx, [ebp+arg_8]
		jnz	loc_52EE3C

loc_52EC08:				; CODE XREF: RtlRbInsertNodeEx+456j
					; RtlRbInsertNodeEx+BFEAAj
		mov	[esi], ecx
		or	byte ptr [ebx],	1
		and	byte ptr [eax+8], 0FEh
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_52EC1A:				; CODE XREF: RtlRbInsertNodeEx+62j
		mov	ecx, [esi+4]
		test	cl, 1
		jnz	loc_52EE8E
		mov	edi, ecx

loc_52EC28:				; CODE XREF: RtlRbInsertNodeEx+4AEj
					; RtlRbInsertNodeEx+BFE97j
		cmp	eax, edi
		jnz	loc_52EA58
		test	cl, 1
		jnz	loc_52EFA0
		mov	[esi+4], edx
		jmp	loc_52EA58
; 

loc_52EC41:				; CODE XREF: RtlRbInsertNodeEx+2Aj
		mov	eax, edx
		xor	eax, esi
		test	cl, cl
		jnz	loc_52EFB2
		mov	[esi], edx

loc_52EC4F:				; CODE XREF: RtlRbInsertNodeEx+5C7j
		test	bl, 1
		jnz	loc_52EFBC
		mov	[esi+4], edx
		pop	esi
		mov	dword ptr [edx+8], 0
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_52EC6A:				; CODE XREF: RtlRbInsertNodeEx+11Fj
		movzx	ebx, byte ptr [ebp+arg_8+3]
		mov	ecx, [edx+8]
		and	ebx, 1
		and	ecx, 0FFFFFFFCh
		mov	[ebp+arg_8], ebx
		test	ebx, ebx
		jnz	loc_52EEF5

loc_52EC82:				; CODE XREF: RtlRbInsertNodeEx+507j
					; RtlRbInsertNodeEx+50Fj
		cmp	ecx, eax
		jnz	loc_5EE89F
		mov	ecx, [ebp+arg_4]
		lea	ecx, [eax+ecx*4]
		mov	[ebp+var_8], ecx
		mov	ecx, [ecx]
		test	ebx, ebx
		jnz	loc_52EF04

loc_52EC9D:				; CODE XREF: RtlRbInsertNodeEx+516j
					; RtlRbInsertNodeEx+51Ej
		cmp	ecx, edx
		jnz	loc_5EE89F
		mov	ecx, [ebp+arg_C]
		shl	ecx, 2
		mov	[ebp+var_4], ecx
		add	ecx, edi
		mov	[ebp+arg_0], ecx
		mov	ecx, [ecx]
		test	ebx, ebx
		jnz	loc_52EF82

loc_52ECBD:				; CODE XREF: RtlRbInsertNodeEx+594j
					; RtlRbInsertNodeEx+59Cj
		cmp	ecx, eax
		jnz	loc_5EE89F
		lea	ecx, [eax+8]
		mov	[ebp+var_C], ecx
		mov	ecx, [ecx]
		and	ecx, 0FFFFFFFCh
		test	ebx, ebx
		jnz	loc_52EF91

loc_52ECD8:				; CODE XREF: RtlRbInsertNodeEx+5A3j
					; RtlRbInsertNodeEx+5ABj
		cmp	ecx, edi
		jnz	loc_5EE89F
		mov	ecx, edx
		xor	ecx, edi
		mov	[ebp+arg_4], ecx
		test	ebx, ebx
		jnz	short loc_52ECED
		mov	ecx, edx

loc_52ECED:				; CODE XREF: RtlRbInsertNodeEx+2F9j
		mov	ebx, [ebp+arg_0]
		mov	[ebx], ecx
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jnz	short loc_52ECFC
		mov	[ebp+arg_4], edi

loc_52ECFC:				; CODE XREF: RtlRbInsertNodeEx+307j
		mov	ecx, [edx+8]
		and	ecx, 3
		or	ecx, [ebp+arg_4]
		mov	[edx+8], ecx
		mov	ecx, [ebp+var_4]
		add	ecx, edx
		mov	[ebp+var_4], ecx
		mov	ecx, [ecx]
		test	ebx, ebx
		jnz	loc_52EF13

loc_52ED1A:				; CODE XREF: RtlRbInsertNodeEx+52Dj
		test	ecx, ecx
		jnz	loc_52EDB0

loc_52ED22:				; CODE XREF: RtlRbInsertNodeEx+401j
					; RtlRbInsertNodeEx+525j ...
		test	ebx, ebx
		jnz	loc_52EF22

loc_52ED2A:				; CODE XREF: RtlRbInsertNodeEx+534j
					; RtlRbInsertNodeEx+53Cj
		mov	ebx, [ebp+var_8]
		mov	[ebx], ecx
		mov	ecx, edx
		xor	ecx, eax
		cmp	[ebp+arg_8], 0
		jnz	loc_52EF31

loc_52ED3D:				; CODE XREF: RtlRbInsertNodeEx+543j
		mov	ebx, [ebp+var_4]
		mov	[ebx], eax
		jnz	short loc_52ED46
		mov	ecx, edx

loc_52ED46:				; CODE XREF: RtlRbInsertNodeEx+352j
		mov	ebx, [ebp+var_C]
		mov	eax, [ebx]
		and	eax, 3
		or	eax, ecx
		mov	[ebx], eax
		mov	eax, edx
		jmp	loc_52EB15
; 

loc_52ED59:				; CODE XREF: RtlRbInsertNodeEx+1D4j
		mov	edx, [ecx+8]
		mov	[ebp+arg_0], edx
		and	edx, 0FFFFFFFCh
		test	ebx, ebx
		jnz	loc_52EF41

loc_52ED6A:				; CODE XREF: RtlRbInsertNodeEx+553j
					; RtlRbInsertNodeEx+55Bj
		cmp	edx, eax
		jnz	loc_5EE89F
		test	ebx, ebx
		jnz	loc_52EF50
		mov	edx, [ebp+arg_0]
		and	edx, 3
		mov	[ebp+arg_4], edi
		or	edx, edi
		mov	[ecx+8], edx
		jmp	loc_52EBCA
; 

loc_52ED8D:				; CODE XREF: RtlRbInsertNodeEx+19Ej
		mov	ecx, [edx]
		test	ebx, ebx
		jnz	loc_52EF68

loc_52ED97:				; CODE XREF: RtlRbInsertNodeEx+57Aj
					; RtlRbInsertNodeEx+582j
		cmp	ecx, edi
		jnz	loc_5EE89F
		test	ebx, ebx
		jnz	loc_52EF77
		mov	ecx, eax
		mov	[edx], ecx
		jmp	loc_52EBA1
; 

loc_52EDB0:				; CODE XREF: RtlRbInsertNodeEx+32Cj
		mov	ebx, [ecx+8]
		mov	[ebp+arg_0], ebx
		and	ebx, 0FFFFFFFCh
		cmp	[ebp+arg_8], 0
		mov	[ebp+arg_4], ebx
		jnz	loc_52EFD3

loc_52EDC6:				; CODE XREF: RtlRbInsertNodeEx+5E7j
		mov	ebx, [ebp+arg_4]
		mov	[ebp+arg_4], ebx

loc_52EDCC:				; CODE XREF: RtlRbInsertNodeEx+5F0j
		mov	ebx, [ebp+arg_8]
		cmp	[ebp+arg_4], edx
		jnz	loc_5EE89F
		test	ebx, ebx
		jnz	loc_52EFE5
		mov	ebx, [ebp+arg_0]
		and	ebx, 3
		mov	[ebp+arg_4], eax
		or	ebx, eax
		mov	[ecx+8], ebx
		mov	ebx, [ebp+arg_8]
		jmp	loc_52ED22
; 

loc_52EDF6:				; CODE XREF: RtlRbInsertNodeEx+3Aj
		mov	[ebp+arg_C], edi
		jmp	loc_52EA33
; 

loc_52EDFE:				; CODE XREF: RtlRbInsertNodeEx+18Bj
					; RtlRbInsertNodeEx+4BCj
		cmp	[ebp+arg_8], edi
		jnz	loc_5EE89F
		mov	[ebp+arg_8], eax
		jmp	loc_52EBA1
; 

loc_52EE0F:				; CODE XREF: RtlRbInsertNodeEx+89j
		test	edi, edi
		jz	loc_52EA7F
		xor	edi, eax
		jmp	loc_52EA7F
; 

loc_52EE1E:				; CODE XREF: RtlRbInsertNodeEx+93j
		test	ecx, ecx
		jz	loc_52EA89
		xor	ecx, edi
		jmp	loc_52EA89
; 

loc_52EE2D:				; CODE XREF: RtlRbInsertNodeEx+12Dj
		test	edx, edx
		jz	loc_5EE88C
		xor	edx, esi
		jmp	loc_52EB23
; 

loc_52EE3C:				; CODE XREF: RtlRbInsertNodeEx+212j
		test	ecx, ecx
		jz	loc_5EE898
		xor	ecx, esi
		jmp	loc_52EC08
; 

loc_52EE4B:				; CODE XREF: RtlRbInsertNodeEx+14Bj
		test	ecx, ecx
		jz	loc_52EB41
		xor	ecx, eax
		jmp	loc_52EB41
; 

loc_52EE5A:				; CODE XREF: RtlRbInsertNodeEx+168j
		test	ecx, ecx
		jz	loc_52EB5E
		xor	ecx, edi
		jmp	loc_52EB5E
; 

loc_52EE69:				; CODE XREF: RtlRbInsertNodeEx+1CCj
		test	ecx, ecx
		jz	loc_52EBCA
		xor	ecx, eax
		jmp	loc_52EBC2
; 

loc_52EE78:				; CODE XREF: RtlRbInsertNodeEx+1DCj
		test	ecx, ecx
		jz	loc_52EBD2
		xor	ecx, edi
		jmp	loc_52EBD2
; 

loc_52EE87:				; CODE XREF: RtlRbInsertNodeEx+1EDj
		mov	edi, edx
		jmp	loc_52EBE3
; 

loc_52EE8E:				; CODE XREF: RtlRbInsertNodeEx+230j
		cmp	ecx, 1
		jz	loc_5EE885
		mov	edi, esi
		or	edi, 1
		xor	edi, ecx
		jmp	loc_52EC28
; 

loc_52EEA3:				; CODE XREF: RtlRbInsertNodeEx+113j
		xor	ecx, edi
		jmp	loc_52EAA8
; 

loc_52EEAA:				; CODE XREF: RtlRbInsertNodeEx+183j
		test	edx, edx
		jz	loc_52EDFE
		xor	edx, edi
		jmp	loc_52EB79
; 

loc_52EEB9:				; CODE XREF: RtlRbInsertNodeEx+1B3j
		test	edx, edx
		jz	loc_52EBA9
		xor	edx, eax
		jmp	loc_52EBA9
; 

loc_52EEC8:				; CODE XREF: RtlRbInsertNodeEx+196j
		test	ecx, ecx
		jz	loc_52EB8C
		xor	ecx, edx
		jmp	loc_52EB8C
; 

loc_52EED7:				; CODE XREF: RtlRbInsertNodeEx+D8j
		test	eax, eax
		jz	loc_52EA5E
		xor	eax, edi
		jmp	loc_52EACE
; 

loc_52EEE6:				; CODE XREF: RtlRbInsertNodeEx+F3j
		test	ecx, ecx
		jz	loc_52EAE9
		xor	ecx, eax
		jmp	loc_52EAE9
; 

loc_52EEF5:				; CODE XREF: RtlRbInsertNodeEx+28Cj
		test	ecx, ecx
		jz	loc_52EC82
		xor	ecx, edx
		jmp	loc_52EC82
; 

loc_52EF04:				; CODE XREF: RtlRbInsertNodeEx+2A7j
		test	ecx, ecx
		jz	loc_52EC9D
		xor	ecx, eax
		jmp	loc_52EC9D
; 

loc_52EF13:				; CODE XREF: RtlRbInsertNodeEx+324j
		test	ecx, ecx
		jz	loc_52ED22
		xor	ecx, edx
		jmp	loc_52ED1A
; 

loc_52EF22:				; CODE XREF: RtlRbInsertNodeEx+334j
		test	ecx, ecx
		jz	loc_52ED2A
		xor	ecx, eax
		jmp	loc_52ED2A
; 

loc_52EF31:				; CODE XREF: RtlRbInsertNodeEx+347j
		mov	eax, ecx
		jmp	loc_52ED3D
; 

loc_52EF38:				; CODE XREF: RtlRbInsertNodeEx+1A6j
		mov	ecx, edx
		xor	ecx, eax
		jmp	loc_52EB9E
; 

loc_52EF41:				; CODE XREF: RtlRbInsertNodeEx+374j
		test	edx, edx
		jz	loc_52ED6A
		xor	edx, ecx
		jmp	loc_52ED6A
; 

loc_52EF50:				; CODE XREF: RtlRbInsertNodeEx+384j
		mov	edx, ecx
		xor	edx, edi
		mov	[ebp+arg_4], edx
		mov	edx, [ebp+arg_0]
		and	edx, 3
		or	edx, [ebp+arg_4]
		mov	[ecx+8], edx
		jmp	loc_52EBCA
; 

loc_52EF68:				; CODE XREF: RtlRbInsertNodeEx+3A1j
		test	ecx, ecx
		jz	loc_52ED97
		xor	ecx, edx
		jmp	loc_52ED97
; 

loc_52EF77:				; CODE XREF: RtlRbInsertNodeEx+3B1j
		mov	ecx, edx
		xor	ecx, eax
		mov	[edx], ecx
		jmp	loc_52EBA1
; 

loc_52EF82:				; CODE XREF: RtlRbInsertNodeEx+2C7j
		test	ecx, ecx
		jz	loc_52ECBD
		xor	ecx, edi
		jmp	loc_52ECBD
; 

loc_52EF91:				; CODE XREF: RtlRbInsertNodeEx+2E2j
		test	ecx, ecx
		jz	loc_52ECD8
		xor	ecx, eax
		jmp	loc_52ECD8
; 

loc_52EFA0:				; CODE XREF: RtlRbInsertNodeEx+243j
		mov	ecx, esi
		xor	ecx, edx
		mov	[esi+4], ecx
		or	cl, 1
		mov	[esi+4], cl
		jmp	loc_52EA58
; 

loc_52EFB2:				; CODE XREF: RtlRbInsertNodeEx+257j
		mov	[esi], eax
		mov	bl, [esi+4]
		jmp	loc_52EC4F
; 

loc_52EFBC:				; CODE XREF: RtlRbInsertNodeEx+262j
		mov	[esi+4], eax
		or	al, 1
		mov	[esi+4], al
		pop	esi
		mov	dword ptr [edx+8], 0
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_52EFD3:				; CODE XREF: RtlRbInsertNodeEx+3D0j
		cmp	[ebp+arg_4], 0
		jz	loc_52EDC6
		xor	[ebp+arg_4], ecx
		jmp	loc_52EDCC
; 

loc_52EFE5:				; CODE XREF: RtlRbInsertNodeEx+3EAj
		mov	ebx, ecx
		xor	ebx, eax
		mov	[ebp+arg_4], ebx
		mov	ebx, [ebp+arg_0]
		and	ebx, 3
		or	ebx, [ebp+arg_4]
		mov	[ecx+8], ebx
		mov	ebx, [ebp+arg_8]
		jmp	loc_52ED22
RtlRbInsertNodeEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAbEntryRemoveFromTree	proc near	; CODE XREF: PspStorageEmptyArrayNonReadonly+274p
					; PspStorageEmptyArrayNonReadonly+3C9p	...

var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A87A4 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		xor	eax, eax
		mov	[esp+34h+var_1C], 0
		push	ebx
		mov	ebx, ecx
		mov	[esp+38h+var_18], eax
		mov	[esp+38h+var_14], eax
		mov	[esp+38h+var_10], eax
		mov	[esp+38h+var_C], eax
		mov	[esp+38h+var_8], eax
		mov	[esp+38h+var_4], eax
		mov	eax, [ebx+14h]
		mov	[esp+38h+var_1C], eax
		mov	eax, [ebx+10h]
		and	eax, 7FFFFFFCh
		mov	[esp+38h+var_20], 0
		mov	[esp+38h+var_20], eax
		shr	eax, 3
		and	eax, 0Fh
		mov	[esp+38h+var_2C], ebx
		shl	eax, 6
		push	esi
		push	edi
		lea	esi, dword_6FAC08[eax]
		lea	edi, _KiAbTreeArray[eax]
		mov	[esp+40h+var_30], esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esp+40h+var_31], al
		movzx	eax, byte ptr [ebx+0Fh]
		and	eax, 1

loc_52F07B:				; CODE XREF: KiAbEntryRemoveFromTree+435j
		mov	[esp+40h+var_28], eax
		nop
		push	esi
		test	eax, eax
		jz	loc_52F327
		call	ExAcquireSpinLockExclusiveAtDpcLevel

loc_52F08E:				; CODE XREF: KiAbEntryRemoveFromTree+32Cj
		mov	eax, [edi+4]
		mov	esi, [edi]
		test	al, 1
		jz	short loc_52F09D
		test	esi, esi
		jz	short loc_52F09D
		xor	esi, edi

loc_52F09D:				; CODE XREF: KiAbEntryRemoveFromTree+95j
					; KiAbEntryRemoveFromTree+99j
		movzx	edx, al
		and	edx, 1
		test	esi, esi
		jz	short loc_52F0D7
		jmp	short loc_52F0B0
; 
		align 10h

loc_52F0B0:				; CODE XREF: KiAbEntryRemoveFromTree+A7j
					; KiAbEntryRemoveFromTree+D5j
		mov	eax, [esi+10h]
		and	eax, 7FFFFFFCh
		cmp	eax, [esp+40h+var_20]
		jb	short loc_52F104
		ja	short loc_52F0CB
		mov	eax, [esi+14h]
		cmp	eax, [esp+40h+var_1C]
		jz	short loc_52F0D7
		jb	short loc_52F104

loc_52F0CB:				; CODE XREF: KiAbEntryRemoveFromTree+BEj
		mov	eax, [esi]
		test	edx, edx
		jnz	short loc_52F111

loc_52F0D1:				; CODE XREF: KiAbEntryRemoveFromTree+109j
					; KiAbEntryRemoveFromTree+10Dj	...
		mov	esi, eax

loc_52F0D3:				; CODE XREF: KiAbEntryRemoveFromTree+117j
		test	esi, esi
		jnz	short loc_52F0B0

loc_52F0D7:				; CODE XREF: KiAbEntryRemoveFromTree+A5j
					; KiAbEntryRemoveFromTree+C7j
		test	ds:byte_70EFC6,	21h
		lea	eax, [esi+28h]
		mov	[esp+40h+var_14], eax
		mov	[esp+40h+var_18], 0
		jnz	short loc_52F119
		lea	edx, [esp+40h+var_18]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_52F124
		lea	ecx, [esp+40h+var_18]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_52F124
; 

loc_52F104:				; CODE XREF: KiAbEntryRemoveFromTree+BCj
					; KiAbEntryRemoveFromTree+C9j
		mov	eax, [esi+4]
		test	edx, edx
		jz	short loc_52F0D1
		test	eax, eax
		jz	short loc_52F0D1
		jmp	short loc_52F115
; 

loc_52F111:				; CODE XREF: KiAbEntryRemoveFromTree+CFj
		test	eax, eax
		jz	short loc_52F0D1

loc_52F115:				; CODE XREF: KiAbEntryRemoveFromTree+10Fj
		xor	esi, eax
		jmp	short loc_52F0D3
; 

loc_52F119:				; CODE XREF: KiAbEntryRemoveFromTree+EDj
		mov	edx, eax
		lea	ecx, [esp+40h+var_18]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)

loc_52F124:				; CODE XREF: KiAbEntryRemoveFromTree+F7j
					; KiAbEntryRemoveFromTree+102j
		cmp	esi, ebx
		jnz	loc_52F38C
		cmp	[esp+40h+var_28], 0
		jz	loc_52F411
		cmp	dword ptr [esi+20h], 0
		jnz	loc_52F265
		cmp	dword ptr [esi+18h], 0
		lea	eax, [esi+18h]
		jnz	loc_52F268

loc_52F14E:				; CODE XREF: KiAbEntryRemoveFromTree+26Aj
		push	esi
		push	edi
		call	RtlRbRemoveNode
		push	[esp+40h+var_30]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	al, [esi+0Fh]
		test	al, 2
		jnz	loc_52F234

loc_52F169:				; CODE XREF: KiAbEntryRemoveFromTree+260j
		test	al, 4
		jnz	loc_52F209

loc_52F171:				; CODE XREF: KiAbEntryRemoveFromTree+22Fj
					; KiAbEntryRemoveFromTree+322j	...
		mov	al, [esi+13h]
		and	al, 7Fh
		mov	[esi+13h], al
		mov	al, [esi+0Fh]
		and	al, 0FEh
		mov	[esi+0Fh], al
		test	ds:byte_70EFC6,	1
		jz	short loc_52F1C5
		mov	edx, [ebp+4]
		lea	ecx, [esp+40h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_52F196:				; CODE XREF: KiAbEntryRemoveFromTree+1E1j
					; KiAbEntryRemoveFromTree+1FFj	...
		movzx	eax, byte ptr [ebx+0Ch]
		mov	edx, ebx
		shl	eax, 3
		sub	edx, eax
		test	byte ptr [ebx+0Dh], 1
		jnz	short loc_52F201
		or	cl, 0FFh
		lea	eax, [edx+223h]
		lock xadd [eax], cl

loc_52F1B4:				; CODE XREF: KiAbEntryRemoveFromTree+207j
		mov	cl, [esp+40h+var_31]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_52F1C5:				; CODE XREF: KiAbEntryRemoveFromTree+188j
		mov	eax, [esp+40h+var_18]
		test	eax, eax
		jnz	short loc_52F1EC
		mov	edx, [esp+40h+var_14]
		lea	eax, [esp+40h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+40h+var_18]
		cmp	eax, ecx
		jz	short loc_52F196

loc_52F1E3:				; CODE XREF: KiAbEntryRemoveFromTree+405j
		lea	ecx, [esp+40h+var_18]
		call	KxWaitForLockChainValid

loc_52F1EC:				; CODE XREF: KiAbEntryRemoveFromTree+1CBj
					; KiAbEntryRemoveFromTree+3E5j
		add	eax, 4
		mov	[esp+40h+var_18], 0
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	short loc_52F196
; 

loc_52F201:				; CODE XREF: KiAbEntryRemoveFromTree+1A5j
		dec	byte ptr [edx+1E5h]
		jmp	short loc_52F1B4
; 

loc_52F209:				; CODE XREF: KiAbEntryRemoveFromTree+16Bj
		movzx	ecx, word ptr [esi+2Eh]
		mov	ax, cx
		and	ecx, 1FFh
		shr	ax, 9
		dec	ax
		shl	ax, 9
		or	ax, cx
		mov	[esi+2Eh], ax
		mov	al, [esi+0Fh]
		and	al, 0FBh
		mov	[esi+0Fh], al
		jmp	loc_52F171
; 

loc_52F234:				; CODE XREF: KiAbEntryRemoveFromTree+163j
		movzx	eax, word ptr [esi+2Eh]
		mov	edx, 1FEh
		mov	cx, ax
		shr	cx, 1
		dec	cx
		add	cx, cx
		xor	cx, ax
		and	cx, dx
		xor	cx, ax
		mov	[esi+2Eh], cx
		mov	al, [esi+0Fh]
		and	al, 0FDh
		mov	[esi+0Fh], al
		mov	al, [esi+0Fh]
		jmp	loc_52F169
; 

loc_52F265:				; CODE XREF: KiAbEntryRemoveFromTree+13Bj
		lea	eax, [esi+20h]

loc_52F268:				; CODE XREF: KiAbEntryRemoveFromTree+148j
		test	eax, eax
		jz	loc_52F14E
		mov	ebx, [eax]
		push	ebx
		push	eax
		call	RtlRbRemoveNode
		push	ebx
		push	esi
		push	edi
		call	RtlRbReplaceNode
		test	ds:byte_70EFC6,	21h
		lea	eax, [ebx+28h]
		mov	[esp+40h+var_8], eax
		mov	[esp+40h+var_C], 0
		jz	loc_52F331
		mov	edx, eax
		lea	ecx, [esp+40h+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)

loc_52F2A8:				; CODE XREF: KiAbEntryRemoveFromTree+339j
					; KiAbEntryRemoveFromTree+348j
		push	[esp+40h+var_30]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, [esi+18h]
		mov	ecx, 1FEh
		mov	[ebx+18h], eax
		mov	edx, ebx
		mov	eax, [esi+1Ch]
		mov	[ebx+1Ch], eax
		mov	eax, [esi+20h]
		mov	[ebx+20h], eax
		mov	eax, [esi+24h]
		mov	[ebx+24h], eax
		mov	ax, [ebx+2Eh]
		xor	ax, [esi+2Eh]
		and	ax, cx
		xor	[ebx+2Eh], ax
		movzx	eax, word ptr [ebx+2Eh]
		mov	cx, [esi+2Eh]
		xor	cx, ax
		mov	eax, 1FFh
		and	cx, ax
		xor	cx, [esi+2Eh]
		mov	[ebx+2Eh], cx
		mov	ecx, esi
		call	_KiAbTryDecrementIoWaiterCounts@8 ; KiAbTryDecrementIoWaiterCounts(x,x)
		mov	al, [ebx+0Fh]
		or	al, 1
		mov	[ebx+0Fh], al
		test	ds:byte_70EFC6,	1
		jz	short loc_52F34D
		mov	edx, [ebp+4]
		lea	ecx, [esp+40h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_52F31E:				; CODE XREF: KiAbEntryRemoveFromTree+369j
		mov	ebx, [esp+40h+var_2C]
		jmp	loc_52F171
; 

loc_52F327:				; CODE XREF: KiAbEntryRemoveFromTree+83j
		call	ExAcquireSpinLockSharedAtDpcLevel
		jmp	loc_52F08E
; 

loc_52F331:				; CODE XREF: KiAbEntryRemoveFromTree+297j
		lea	edx, [esp+40h+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jz	loc_52F2A8
		lea	ecx, [esp+40h+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_52F2A8
; 

loc_52F34D:				; CODE XREF: KiAbEntryRemoveFromTree+310j
		mov	eax, [esp+40h+var_C]
		test	eax, eax
		jnz	short loc_52F370
		mov	edx, [esp+40h+var_8]
		lea	eax, [esp+40h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+40h+var_C]
		cmp	eax, ecx
		jz	short loc_52F31E
		call	KxWaitForLockChainValid

loc_52F370:				; CODE XREF: KiAbEntryRemoveFromTree+353j
		mov	[esp+40h+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		mov	ebx, [esp+40h+var_2C]
		jmp	loc_52F171
; 

loc_52F38C:				; CODE XREF: KiAbEntryRemoveFromTree+126j
		cmp	[esp+40h+var_28], 0
		push	[esp+40h+var_30]
		jnz	loc_5A87A4
		call	ExReleaseSpinLockSharedFromDpcLevel

loc_52F3A0:				; CODE XREF: KiAbEntryRemoveFromTree+797A9j
		mov	al, [ebx+13h]
		and	al, 7Fh
		mov	[ebx+13h], al
		test	byte ptr [ebx+0Dh], 1
		jz	short loc_52F40A
		mov	edx, esi
		mov	ecx, ebx
		call	_KiAbTryDecrementIoWaiterCounts@8 ; KiAbTryDecrementIoWaiterCounts(x,x)
		mov	eax, 20h

loc_52F3BC:				; CODE XREF: KiAbEntryRemoveFromTree+40Fj
		push	ebx
		add	eax, esi
		push	eax
		call	RtlRbRemoveNode
		test	ds:byte_70EFC6,	1
		jz	short loc_52F3DF
		mov	edx, [ebp+4]
		lea	ecx, [esp+40h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_52F196
; 

loc_52F3DF:				; CODE XREF: KiAbEntryRemoveFromTree+3CCj
		mov	eax, [esp+40h+var_18]
		test	eax, eax
		jnz	loc_52F1EC
		mov	edx, [esp+40h+var_14]
		lea	eax, [esp+40h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+40h+var_18]
		cmp	eax, ecx
		jz	loc_52F196
		jmp	loc_52F1E3
; 

loc_52F40A:				; CODE XREF: KiAbEntryRemoveFromTree+3ACj
		mov	eax, 18h
		jmp	short loc_52F3BC
; 

loc_52F411:				; CODE XREF: KiAbEntryRemoveFromTree+131j
		mov	esi, [esp+40h+var_30]
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		test	ds:byte_70EFC6,	1
		jz	short loc_52F43A
		mov	edx, [ebp+4]
		lea	ecx, [esp+40h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_52F430:				; CODE XREF: KiAbEntryRemoveFromTree+456j
					; KiAbEntryRemoveFromTree+470j
		mov	eax, 1
		jmp	loc_52F07B
; 

loc_52F43A:				; CODE XREF: KiAbEntryRemoveFromTree+422j
		mov	eax, [esp+40h+var_18]
		test	eax, eax
		jnz	short loc_52F45D
		mov	edx, [esp+40h+var_14]
		lea	eax, [esp+40h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+40h+var_18]
		cmp	eax, ecx
		jz	short loc_52F430
		call	KxWaitForLockChainValid

loc_52F45D:				; CODE XREF: KiAbEntryRemoveFromTree+440j
		mov	[esp+40h+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_52F430
KiAbEntryRemoveFromTree	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVsFreeChunkInsert(x, x, x)
_RtlpHpVsFreeChunkInsert@12 proc near	; CODE XREF: RtlpHpVsContextAddSubsegment(x,x)+5Bp
					; RtlpHpVsContextAddSubsegment(x,x)+68p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	[ebp+var_C], ecx
		mov	ecx, ebx
		and	ecx, 0FFFh
		mov	[ebp+var_4], edx
		mov	esi, [ebx]
		add	ecx, 0FFFh
		xor	esi, _RtlpHpHeapGlobals
		xor	esi, ebx
		shr	esi, 1
		and	esi, 7FFFh
		shl	esi, 3
		push	edi
		add	ecx, esi
		mov	edi, ebx
		sub	edi, edx
		shr	ecx, 0Ch
		lea	eax, [esi+0FFFh]
		add	edi, 100Fh
		sub	esi, edx
		shr	eax, 0Ch
		add	esi, ebx
		sub	ecx, eax
		and	edi, 0FFFFF000h
		mov	[ebp+var_10], ecx
		and	esi, 0FFFFF000h
		cmp	edi, esi
		jnb	loc_52F652
		lea	eax, [esi-1]
		mov	ecx, 3Fh
		shr	eax, 0Ch
		or	edx, 0FFFFFFFFh
		sub	ecx, eax
		or	eax, 0FFFFFFFFh
		call	__aullshr
		mov	[ebp+var_8], eax
		mov	ebx, edx
		shr	edi, 0Ch
		or	eax, 0FFFFFFFFh
		or	edx, 0FFFFFFFFh
		mov	ecx, edi
		call	__allshl
		mov	ecx, [ebp+var_8]
		and	ebx, edx
		and	ecx, eax
		mov	eax, [ebp+var_4]
		and	ecx, [eax+8]
		and	ebx, [eax+0Ch]
		mov	[ebp+var_4], ebx

loc_52F52C:				; CODE XREF: RtlpHpVsFreeChunkInsert(x,x,x)+1D9j
		not	ecx
		movzx	eax, cl
		shr	ecx, 8
		mov	bl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_4]
		add	bl, ds:_RtlpBitsClearTotal[eax]
		not	ecx
		movzx	eax, cl
		shr	ecx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		mov	[ebp+var_4], ecx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_4]
		movzx	eax, al
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_8]
		add	cl, dl
		movzx	edx, cl
		mov	ecx, eax
		movzx	eax, al
		shr	ecx, 8
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, bl
		movzx	eax, cl
		mov	ecx, [ebp+var_C]
		add	edx, eax
		add	[ecx+1Ch], edx
		mov	edx, [ebp+arg_0]
		movzx	esi, dx
		mov	eax, [edx]
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, [ebp+var_10]
		xor	eax, edx
		and	eax, 1
		xor	[edx], eax
		movzx	eax, word ptr [edx]
		movzx	edi, word ptr _RtlpHpHeapGlobals
		xor	esi, eax
		mov	edx, [ecx+8]
		lea	eax, [ecx+8]
		mov	ecx, [eax+4]
		xor	esi, edi
		test	cl, 1
		jz	short loc_52F5E3
		test	edx, edx
		jz	short loc_52F5E3
		xor	edx, eax

loc_52F5E3:				; CODE XREF: RtlpHpVsFreeChunkInsert(x,x,x)+15Bj
					; RtlpHpVsFreeChunkInsert(x,x,x)+15Fj
		movzx	ebx, cl
		and	ebx, 1
		mov	byte ptr [ebp+var_8], 0
		test	edx, edx
		jz	short loc_52F632

loc_52F5F1:				; CODE XREF: RtlpHpVsFreeChunkInsert(x,x,x)+196j
		movzx	ecx, word ptr [edx-4]
		lea	eax, [edx-4]
		movzx	eax, ax
		xor	ecx, eax
		xor	ecx, edi
		cmp	esi, ecx
		jb	short loc_52F618
		mov	eax, [edx+4]
		test	ebx, ebx
		jz	short loc_52F610
		test	eax, eax
		jz	short loc_52F62E
		xor	eax, edx

loc_52F610:				; CODE XREF: RtlpHpVsFreeChunkInsert(x,x,x)+188j
		test	eax, eax
		jz	short loc_52F62E

loc_52F614:				; CODE XREF: RtlpHpVsFreeChunkInsert(x,x,x)+1A6j
		mov	edx, eax
		jmp	short loc_52F5F1
; 

loc_52F618:				; CODE XREF: RtlpHpVsFreeChunkInsert(x,x,x)+181j
		mov	eax, [edx]
		test	ebx, ebx
		jz	short loc_52F624
		test	eax, eax
		jz	short loc_52F628
		xor	eax, edx

loc_52F624:				; CODE XREF: RtlpHpVsFreeChunkInsert(x,x,x)+19Cj
		test	eax, eax
		jnz	short loc_52F614

loc_52F628:				; CODE XREF: RtlpHpVsFreeChunkInsert(x,x,x)+1A0j
		mov	byte ptr [ebp+var_8], 0
		jmp	short loc_52F632
; 

loc_52F62E:				; CODE XREF: RtlpHpVsFreeChunkInsert(x,x,x)+18Cj
					; RtlpHpVsFreeChunkInsert(x,x,x)+192j
		mov	byte ptr [ebp+var_8], 1

loc_52F632:				; CODE XREF: RtlpHpVsFreeChunkInsert(x,x,x)+16Fj
					; RtlpHpVsFreeChunkInsert(x,x,x)+1ACj
		mov	eax, [ebp+arg_0]
		add	eax, 4
		push	eax
		push	[ebp+var_8]
		mov	eax, [ebp+var_C]
		push	edx
		add	eax, 8
		push	eax
		call	RtlRbInsertNodeEx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_52F652:				; CODE XREF: RtlpHpVsFreeChunkInsert(x,x,x)+66j
		xor	ecx, ecx
		xor	eax, eax
		mov	[ebp+var_4], eax
		jmp	loc_52F52C
_RtlpHpVsFreeChunkInsert@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVsChunkSplit proc	near		; CODE XREF: RtlpHpVsContextAllocateInternal+170p

var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005EE8C2 SIZE 00000096 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, ecx
		push	edi
		mov	[ebp+var_4], eax
		mov	ebx, edx
		add	eax, 8
		mov	[ebp+var_10], ebx
		mov	edi, [esi]
		lea	ecx, [esi+4]
		xor	edi, _RtlpHpHeapGlobals
		xor	edi, esi
		mov	[ebp+var_1C], ecx
		push	ecx
		shr	edi, 1
		push	eax
		and	edi, 7FFFh
		mov	[ebp+var_20], eax
		call	RtlRbRemoveNode
		mov	eax, esi
		sub	eax, ebx
		mov	[ebp+var_14], eax
		lea	ecx, [eax+100Fh]
		mov	eax, [esi]
		xor	eax, _RtlpHpHeapGlobals
		and	ecx, 0FFFFF000h
		xor	eax, esi
		mov	[ebp+var_18], ecx
		shr	eax, 1
		and	eax, 7FFFh
		shl	eax, 3
		sub	eax, ebx
		add	eax, esi
		and	eax, 0FFFFF000h
		cmp	ecx, eax
		jb	loc_52FB9F
		xor	ecx, ecx
		xor	ebx, ebx

loc_52F6DC:				; CODE XREF: RtlpHpVsChunkSplit+57Bj
		not	ecx
		not	ebx
		movzx	eax, cl
		shr	ecx, 8
		mov	[ebp+var_8], ebx
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		mov	[ebp+var_C], ecx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		mov	bl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_8]
		shr	eax, 8
		mov	[ebp+var_8], eax
		shr	[ebp+var_8], 8
		movzx	eax, al
		add	bl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_C]
		movzx	eax, al
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_8]
		add	cl, dl
		movzx	edx, cl
		mov	ecx, eax
		shr	ecx, 8
		movzx	eax, al
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, bl
		movzx	eax, cl
		add	edx, eax
		mov	eax, [ebp+var_4]
		sub	[eax+1Ch], edx
		mov	edx, [ebp+arg_4]
		mov	[ebp+arg_4], edx
		sub	edi, edx
		jz	short loc_52F79F
		test	byte ptr [eax+98h], 1
		jz	short loc_52F79F
		lea	eax, [esi+edx*8]
		lea	ecx, [eax+0FFFh]
		and	ecx, 0FFFFF000h
		sub	ecx, eax
		shr	ecx, 3
		lea	eax, ds:0[ecx*8]
		cmp	eax, 10h
		jb	loc_530052
		jz	short loc_52F79F
		cmp	eax, 20h
		jb	loc_530048

loc_52F79F:				; CODE XREF: RtlpHpVsChunkSplit+105j
					; RtlpHpVsChunkSplit+10Ej ...
		lea	eax, ds:0[edi*8]
		cmp	eax, 10h
		jb	loc_52FC27

loc_52F7AF:				; CODE XREF: RtlpHpVsChunkSplit+5CFj
		mov	eax, _RtlpHpHeapGlobals
		sbb	ebx, ebx
		mov	ecx, [ebp+var_14]
		not	ebx
		and	ebx, edi
		shl	edx, 3
		mov	edi, eax
		mov	[ebp+var_18], ebx
		not	edi
		not	eax
		xor	edi, [esi]
		xor	edi, esi
		and	edi, 7FFFFFFFh
		xor	edi, eax
		mov	eax, ecx
		shr	eax, 0Ch
		xor	edi, esi
		mov	[ebp+var_14], eax
		mov	[esi], edi
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, esi
		movzx	eax, al
		mov	[ebp+var_24], eax
		mov	[esi+4], eax
		test	ebx, ebx
		jz	short loc_52F7F9
		add	edx, 10h

loc_52F7F9:				; CODE XREF: RtlpHpVsChunkSplit+194j
		lea	eax, [ecx-1]
		mov	ecx, 3Fh
		add	eax, edx
		or	edx, 0FFFFFFFFh
		shr	eax, 0Ch
		sub	ecx, eax
		or	eax, 0FFFFFFFFh
		call	__aullshr
		mov	ecx, [ebp+var_14]
		mov	ebx, eax
		mov	[ebp+var_8], edx
		or	eax, 0FFFFFFFFh
		or	edx, 0FFFFFFFFh
		call	__allshl
		and	[ebp+var_8], edx
		and	ebx, eax
		mov	[ebp+var_C], ebx
		mov	ebx, [ebp+var_10]
		mov	edx, [ebp+var_C]
		mov	ecx, [ebx+8]
		mov	eax, [ebx+0Ch]
		xor	ecx, edx
		xor	eax, [ebp+var_8]
		and	edx, ecx
		mov	ecx, [ebp+var_8]
		and	ecx, eax
		mov	[ebp+var_C], edx
		mov	eax, [ebp+var_C]
		or	eax, ecx
		mov	edx, [ebp+var_18]
		mov	[ebp+var_8], ecx
		jnz	loc_52FE54

loc_52F85A:				; CODE XREF: RtlpHpVsChunkSplit+97Fj
		mov	ecx, [ebp+arg_4]
		lea	eax, [ecx+ecx]
		xor	eax, edi
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, esi
		and	eax, 0FFFEh
		xor	eax, edi
		mov	[esi], eax
		test	edx, edx
		jz	loc_52FC34
		lea	edi, [esi+ecx*8]
		mov	[ebp+var_14], edi
		test	ecx, ecx
		jz	loc_5EE8EF
		mov	eax, ecx
		shl	eax, 10h

loc_52F88E:				; CODE XREF: RtlpHpVsChunkSplit+BF29Ej
		mov	ecx, edx
		and	ecx, 7FFFh
		or	ecx, 0C0000000h
		add	ecx, ecx
		or	ecx, eax
		mov	eax, edi
		xor	ecx, _RtlpHpHeapGlobals
		sub	eax, ebx
		shr	eax, 0Ch
		xor	ecx, edi
		mov	[edi], ecx
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, edi
		movzx	eax, al
		mov	[edi+4], eax
		mov	eax, [ebp+arg_4]
		add	eax, edx
		lea	ecx, [esi+eax*8]
		movzx	eax, word ptr [ebx+14h]
		add	eax, 3
		lea	eax, [ebx+eax*8]
		cmp	ecx, eax
		jnb	short loc_52F8EA
		shl	edx, 10h
		xor	edx, [ecx]
		xor	edx, _RtlpHpHeapGlobals
		xor	edx, ecx
		and	edx, 7FFF0000h
		xor	[ecx], edx

loc_52F8EA:				; CODE XREF: RtlpHpVsChunkSplit+273j
		mov	[ebp+var_1C], 0

loc_52F8F1:				; CODE XREF: RtlpHpVsChunkSplit+7EFj
		mov	edx, _RtlpHpHeapGlobals
		mov	esi, edi
		mov	ecx, [edi]
		xor	esi, edx
		xor	esi, ecx
		mov	eax, esi
		shr	esi, 10h
		shr	eax, 1
		and	eax, 7FFFh
		mov	[ebp+var_24], eax
		mov	[ebp+arg_0], eax
		mov	eax, edi
		xor	eax, edx
		xor	eax, ecx
		and	eax, 7FFFFFFFh
		xor	eax, edi
		xor	eax, edx
		mov	[edi], eax
		and	esi, 7FFFh
		jz	short loc_52F948
		lea	eax, ds:0[esi*8]
		mov	ecx, edi
		sub	ecx, eax
		mov	[ebp+var_28], ecx
		mov	esi, [ecx]
		xor	esi, ecx
		xor	esi, _RtlpHpHeapGlobals
		jge	loc_5EE903

loc_52F948:				; CODE XREF: RtlpHpVsChunkSplit+2C8j
		mov	edx, [ebp+arg_0]

loc_52F94B:				; CODE XREF: RtlpHpVsChunkSplit+BF2C4j
		movzx	eax, word ptr [ebx+14h]
		lea	ecx, [edi+edx*8]
		add	eax, 3
		lea	eax, [ebx+eax*8]
		cmp	ecx, eax
		jnb	short loc_52F96F
		lfence	eax
		mov	esi, [ecx]
		xor	esi, ecx
		xor	esi, _RtlpHpHeapGlobals
		jge	loc_52FFE4

loc_52F96F:				; CODE XREF: RtlpHpVsChunkSplit+2FAj
					; RtlpHpVsChunkSplit:loc_52FFFFj
		mov	ecx, [ebp+var_4]
		test	byte ptr [ecx+98h], 1
		jz	short loc_52F9A2
		movzx	eax, word ptr [ebx+14h]
		lea	esi, [edi+edx*8]
		add	eax, 3
		lea	eax, [ebx+eax*8]
		cmp	esi, eax
		jnb	short loc_52F9A2
		lfence	eax
		mov	esi, [esi]
		lea	eax, [edi+edx*8]
		xor	esi, eax
		xor	esi, _RtlpHpHeapGlobals
		jge	loc_5EE929

loc_52F9A2:				; CODE XREF: RtlpHpVsChunkSplit+319j
					; RtlpHpVsChunkSplit+32Aj ...
		cmp	[ebp+var_24], edx
		jnz	loc_530004

loc_52F9AB:				; CODE XREF: RtlpHpVsChunkSplit+9C7j
					; RtlpHpVsChunkSplit+9E3j
		movzx	eax, word ptr [ebx+14h]
		cmp	edx, eax
		jz	loc_5300AF
		cmp	edx, [ebp+var_1C]
		jbe	short loc_52FA01
		mov	edx, [edi]
		mov	eax, edi
		sub	eax, ebx
		mov	[ebp+var_24], edx
		mov	[ebp+var_18], eax
		lea	ecx, [eax+100Fh]
		mov	eax, edi
		xor	eax, edx
		and	ecx, 0FFFFF000h
		mov	edx, _RtlpHpHeapGlobals
		xor	eax, edx
		shr	eax, 1
		and	eax, 7FFFh
		mov	[ebp+var_28], ecx
		shl	eax, 3
		sub	eax, ebx
		mov	[ebp+var_1C], edx
		add	eax, edi
		and	eax, 0FFFFF000h
		cmp	ecx, eax
		jb	loc_52FCC8

loc_52FA01:				; CODE XREF: RtlpHpVsChunkSplit+35Aj
					; RtlpHpVsChunkSplit+6B5j ...
		mov	eax, [ebp+var_4]
		test	byte ptr [eax+98h], 1
		jz	short loc_52FA51
		lea	eax, [edi+10h]
		test	eax, 0FFFh
		jz	short loc_52FA51
		mov	eax, [edi]
		lea	esi, [edi+1007h]
		mov	edx, edi
		mov	[ebp+arg_C], eax
		xor	edx, eax
		and	esi, 0FFFFF000h
		mov	eax, _RtlpHpHeapGlobals
		mov	ecx, esi
		xor	edx, eax
		mov	[ebp+arg_8], eax
		shr	edx, 1
		sub	ecx, edi
		and	edx, 7FFFh
		lea	eax, ds:0[edx*8]
		cmp	ecx, eax
		jb	loc_52FC3F

loc_52FA51:				; CODE XREF: RtlpHpVsChunkSplit+3ABj
					; RtlpHpVsChunkSplit+3B5j ...
		mov	ecx, [edi]
		mov	esi, edi
		xor	ecx, edi
		and	esi, 0FFFh
		xor	ecx, _RtlpHpHeapGlobals
		add	esi, 0FFFh
		shr	ecx, 1
		and	ecx, 7FFFh
		shl	ecx, 3
		add	esi, ecx
		shr	esi, 0Ch
		lea	eax, [ecx+0FFFh]
		shr	eax, 0Ch
		sub	esi, eax
		mov	eax, edi
		sub	eax, ebx
		lea	edx, [eax+100Fh]
		add	eax, ecx
		and	edx, 0FFFFF000h
		and	eax, 0FFFFF000h
		mov	[ebp+arg_0], edx
		cmp	edx, eax
		jb	loc_530068
		xor	ecx, ecx
		mov	[ebp+arg_C], ecx

loc_52FAAB:				; CODE XREF: RtlpHpVsChunkSplit+A4Aj
		not	ecx
		movzx	eax, cl
		shr	ecx, 8
		mov	bl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		mov	[ebp+arg_8], ecx
		mov	ecx, [ebp+arg_C]
		add	bl, ds:_RtlpBitsClearTotal[eax]
		not	ecx
		movzx	eax, cl
		shr	ecx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		mov	[ebp+arg_C], ecx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+arg_C]
		movzx	eax, al
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+arg_8]
		add	cl, dl
		movzx	edx, cl
		mov	ecx, eax
		movzx	eax, al
		shr	ecx, 8
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, bl
		movzx	eax, cl
		add	edx, eax
		mov	eax, [ebp+var_4]
		add	[eax+1Ch], edx
		mov	eax, [edi]
		xor	eax, esi
		movzx	esi, di
		xor	eax, edi
		xor	eax, _RtlpHpHeapGlobals
		and	eax, 1
		xor	[edi], eax
		movzx	eax, word ptr [edi]
		movzx	ebx, word ptr _RtlpHpHeapGlobals
		xor	esi, eax
		mov	eax, [ebp+var_20]
		xor	esi, ebx
		mov	edx, [eax+4]
		mov	[ebp+arg_C], edx
		test	dl, 1
		jnz	loc_52FC18
		mov	edx, [eax]

loc_52FB5E:				; CODE XREF: RtlpHpVsChunkSplit+5C2j
					; RtlpHpVsChunkSplit+5DAj
		mov	eax, [ebp+arg_C]
		movzx	eax, al
		and	eax, 1
		mov	byte ptr [ebp+arg_C], 0
		mov	[ebp+arg_8], eax
		test	edx, edx
		jz	loc_52FBFC

loc_52FB76:				; CODE XREF: RtlpHpVsChunkSplit+53Dj
		movzx	ecx, word ptr [edx-4]
		lea	eax, [edx-4]
		movzx	eax, ax
		xor	ecx, eax
		xor	ecx, ebx
		cmp	esi, ecx
		jb	short loc_52FBE0
		cmp	[ebp+arg_8], 0
		mov	eax, [edx+4]
		jz	short loc_52FB97
		test	eax, eax
		jz	short loc_52FBF8
		xor	eax, edx

loc_52FB97:				; CODE XREF: RtlpHpVsChunkSplit+52Fj
		test	eax, eax
		jz	short loc_52FBF8

loc_52FB9B:				; CODE XREF: RtlpHpVsChunkSplit+590j
		mov	edx, eax
		jmp	short loc_52FB76
; 

loc_52FB9F:				; CODE XREF: RtlpHpVsChunkSplit+72j
		dec	eax
		mov	ecx, 3Fh
		shr	eax, 0Ch
		or	edx, 0FFFFFFFFh
		sub	ecx, eax
		or	eax, 0FFFFFFFFh
		call	__aullshr
		mov	ecx, [ebp+var_18]
		mov	ebx, edx
		mov	[ebp+var_C], eax
		or	edx, 0FFFFFFFFh
		shr	ecx, 0Ch
		or	eax, 0FFFFFFFFh
		call	__allshl
		mov	ecx, [ebp+var_C]
		and	ebx, edx
		and	ecx, eax
		mov	eax, [ebp+var_10]
		and	ecx, [eax+8]
		and	ebx, [eax+0Ch]
		jmp	loc_52F6DC
; 

loc_52FBE0:				; CODE XREF: RtlpHpVsChunkSplit+526j
		cmp	[ebp+arg_8], 0
		mov	eax, [edx]
		jz	short loc_52FBEE
		test	eax, eax
		jz	short loc_52FBF2
		xor	eax, edx

loc_52FBEE:				; CODE XREF: RtlpHpVsChunkSplit+586j
		test	eax, eax
		jnz	short loc_52FB9B

loc_52FBF2:				; CODE XREF: RtlpHpVsChunkSplit+58Aj
		mov	byte ptr [ebp+arg_C], 0
		jmp	short loc_52FBFC
; 

loc_52FBF8:				; CODE XREF: RtlpHpVsChunkSplit+533j
					; RtlpHpVsChunkSplit+539j
		mov	byte ptr [ebp+arg_C], 1

loc_52FBFC:				; CODE XREF: RtlpHpVsChunkSplit+510j
					; RtlpHpVsChunkSplit+596j
		lea	ecx, [edi+4]
		push	ecx
		push	[ebp+arg_C]
		push	edx
		push	[ebp+var_20]
		call	RtlRbInsertNodeEx
		mov	eax, [ebp+arg_4]

loc_52FC0F:				; CODE XREF: RtlpHpVsChunkSplit+5D6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_52FC18:				; CODE XREF: RtlpHpVsChunkSplit+4F6j
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_52FC38
		mov	edx, eax
		xor	edx, ecx
		jmp	loc_52FB5E
; 

loc_52FC27:				; CODE XREF: RtlpHpVsChunkSplit+149j
		add	edx, edi
		cmp	eax, 10h
		mov	[ebp+arg_4], edx
		jmp	loc_52F7AF
; 

loc_52FC34:				; CODE XREF: RtlpHpVsChunkSplit+215j
		mov	eax, ecx
		jmp	short loc_52FC0F
; 

loc_52FC38:				; CODE XREF: RtlpHpVsChunkSplit+5BCj
		xor	edx, edx
		jmp	loc_52FB5E
; 

loc_52FC3F:				; CODE XREF: RtlpHpVsChunkSplit+3EBj
		lea	ecx, [esi-10h]
		mov	[ebp+arg_0], ecx
		sub	ecx, edi
		mov	esi, [ebp+arg_0]
		sar	ecx, 3
		sub	edx, ecx
		lea	eax, [ecx+ecx]
		and	ecx, 7FFFh
		xor	eax, edi
		shl	ecx, 0Fh
		xor	eax, [ebp+arg_C]
		xor	eax, [ebp+arg_8]
		and	eax, 0FFFEh
		xor	eax, [ebp+arg_C]
		mov	[edi], eax
		xor	eax, eax
		mov	edi, esi
		stosd
		stosd
		stosd
		stosd
		mov	eax, edx
		and	eax, 7FFFh
		or	ecx, eax
		lea	eax, [ecx+ecx]
		mov	ecx, esi
		xor	ecx, eax
		mov	[esi], eax
		xor	ecx, _RtlpHpHeapGlobals
		mov	[esi], ecx
		lea	ecx, [esi+edx*8]
		movzx	eax, word ptr [ebx+14h]
		add	eax, 3
		lea	eax, [ebx+eax*8]
		cmp	ecx, eax
		jnb	short loc_52FCB5
		shl	edx, 10h
		xor	edx, ecx
		xor	edx, [ecx]
		xor	edx, _RtlpHpHeapGlobals
		and	edx, 7FFF0000h
		xor	[ecx], edx

loc_52FCB5:				; CODE XREF: RtlpHpVsChunkSplit+63Ej
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		push	esi
		call	_RtlpHpVsFreeChunkInsert@12 ; RtlpHpVsFreeChunkInsert(x,x,x)
		mov	edi, [ebp+var_14]
		jmp	loc_52FA51
; 

loc_52FCC8:				; CODE XREF: RtlpHpVsChunkSplit+39Bj
		mov	esi, eax
		or	edx, 0FFFFFFFFh
		dec	eax
		sub	esi, ecx
		shr	eax, 0Ch
		mov	ecx, 3Fh
		sub	ecx, eax
		or	eax, 0FFFFFFFFh
		call	__aullshr
		mov	ecx, [ebp+var_28]
		mov	[ebp+var_8], eax
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		or	edx, 0FFFFFFFFh
		shr	ecx, 0Ch
		call	__allshl
		mov	ecx, [ebp+var_8]
		and	ecx, eax
		mov	eax, [ebp+var_C]
		and	ecx, [ebx+8]
		and	eax, edx
		and	eax, [ebx+0Ch]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], eax
		cmp	esi, 1000h
		jb	loc_52FA01
		mov	esi, [ebp+var_C]
		mov	eax, ecx
		or	eax, esi
		jz	loc_52FA01
		not	ecx
		mov	ebx, esi
		movzx	eax, cl
		not	ebx
		shr	ecx, 8
		mov	dh, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		mov	[ebp+var_28], ecx
		add	dh, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	ebx, [ebp+var_10]
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_28]
		add	cl, dl
		movzx	esi, cl
		mov	ecx, eax
		shr	ecx, 8
		movzx	eax, al
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dh
		movzx	eax, cl
		add	esi, eax
		cmp	word ptr [ebx+16h], 0
		mov	[ebp+var_28], esi
		jl	loc_52FA01
		mov	eax, [ebp+var_4]
		test	byte ptr [eax+98h], 2
		jnz	short loc_52FDD3
		mov	ecx, [eax+18h]
		shr	ecx, 7
		cmp	ecx, 8
		jbe	loc_53005E

loc_52FDC6:				; CODE XREF: RtlpHpVsChunkSplit+A03j
		mov	eax, [eax+1Ch]
		add	eax, esi
		cmp	eax, ecx
		jbe	loc_52FA01

loc_52FDD3:				; CODE XREF: RtlpHpVsChunkSplit+755j
		mov	esi, [ebp+var_4]
		mov	ecx, edi
		not	ecx
		mov	eax, edi
		xor	ecx, [ebp+var_24]
		not	eax
		xor	ecx, [ebp+var_1C]
		and	ecx, 7FFFFFFFh
		xor	ecx, eax
		mov	eax, [ebp+var_18]
		xor	ecx, [ebp+var_1C]
		shr	eax, 0Ch
		xor	eax, edi
		mov	[edi], ecx
		xor	eax, _RtlpHpHeapGlobals
		movzx	eax, al
		or	eax, 200h
		mov	[edi+4], eax
		mov	eax, [ebp+arg_8]
		and	eax, 1
		mov	[ebp+var_24], eax
		jnz	short loc_52FE20
		mov	edx, [ebp+arg_C]
		mov	ecx, [esi+4]
		call	RtlpHpReleaseQueuedLockExclusive

loc_52FE20:				; CODE XREF: RtlpHpVsChunkSplit+7B3j
		mov	eax, [ebp+var_8]
		mov	edx, ebx
		push	0
		push	[ebp+var_28]
		mov	ecx, esi
		push	[ebp+var_C]
		push	eax
		call	RtlpHpVsSubsegmentCommitPages
		cmp	[ebp+var_24], 0
		jz	loc_5EE946

loc_52FE3F:				; CODE XREF: RtlpHpVsChunkSplit+BF2F3j
		mov	eax, [ebp+arg_0]
		and	dword ptr [edi+4], 0FFFFFDFFh
		mov	[ebp+var_14], edi
		mov	[ebp+var_1C], eax
		jmp	loc_52F8F1
; 

loc_52FE54:				; CODE XREF: RtlpHpVsChunkSplit+1F4j
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_24]
		or	ecx, 200h
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		and	eax, 1
		mov	[ebp+var_28], eax
		jnz	short loc_52FE7B
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+arg_C]
		mov	ecx, [ecx+4]
		call	RtlpHpReleaseQueuedLockExclusive

loc_52FE7B:				; CODE XREF: RtlpHpVsChunkSplit+80Bj
		mov	esi, [ebp+var_C]
		mov	ecx, esi
		mov	ebx, [ebp+var_8]
		not	ecx
		movzx	eax, cl
		not	ebx
		shr	ecx, 8
		mov	dh, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		mov	[ebp+var_24], ecx
		shr	ecx, 8
		add	dh, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_24]
		movzx	eax, al
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dh
		movzx	eax, bl
		movzx	edi, cl
		mov	ecx, ebx
		shr	ecx, 8
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		xor	edx, edx
		movzx	eax, cl
		xor	ecx, ecx
		add	edi, eax
		mov	[ebp+var_C], edx
		mov	[ebp+var_24], edi
		xor	eax, eax
		mov	[ebp+var_14], ecx
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		test	esi, esi
		jz	loc_5EE8A6
		bsf	edx, esi

loc_52FF11:				; CODE XREF: RtlRbInsertNodeEx+BFECDj
		mov	[ebp+var_C], edx

loc_52FF14:				; CODE XREF: RtlRbInsertNodeEx+BFEC4j
		mov	eax, [ebp+var_8]
		mov	[ebp+var_14], ecx
		test	eax, eax
		jnz	loc_5EE8C2
		bsr	ecx, esi

loc_52FF25:				; CODE XREF: RtlpHpVsChunkSplit+BF26Dj
					; RtlpHpVsChunkSplit+BF276j
		mov	ebx, [ebp+var_10]
		sub	ecx, edx
		mov	edi, [ebp+var_4]
		lea	eax, [ecx+1]
		mov	edx, [edi+4]
		lea	ecx, [ebx+10h]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		call	RtlpHpAcquireQueuedLockExclusive
		mov	eax, [ebp+var_14]
		mov	esi, [edi+80h]
		mov	edx, [edi+8Ch]
		xor	esi, edi
		xor	edx, _RtlpHpHeapGlobals
		shl	eax, 0Ch
		xor	edx, edi
		push	eax
		mov	eax, [ebp+var_C]
		shl	eax, 0Ch
		add	eax, ebx
		push	eax
		push	esi
		call	edx
		mov	esi, eax
		test	esi, esi
		js	short loc_52FFA0
		mov	ecx, [ebp+var_14]
		mov	eax, 1
		xor	edx, edx
		call	__allshl
		mov	ecx, [ebp+var_C]
		add	eax, 0FFFFFFFFh
		adc	edx, 0FFFFFFFFh
		call	__allshl
		or	[ebx+8], eax
		lea	eax, [edi+18h]
		or	[ebx+0Ch], edx
		mov	ecx, [ebp+var_24]
		lock xadd [eax], ecx
		xor	esi, esi

loc_52FFA0:				; CODE XREF: RtlpHpVsChunkSplit+90Fj
		mov	ecx, [edi+4]
		lea	edx, [ebp+var_34]
		call	RtlpHpReleaseQueuedLockExclusive
		mov	ecx, [ebp+var_18]
		mov	edx, ecx
		mov	[ebp+var_18], edx
		test	esi, esi
		js	loc_5EE8DB

loc_52FFBB:				; CODE XREF: RtlpHpVsChunkSplit+BF28Aj
		cmp	[ebp+var_28], 0
		jnz	short loc_52FFD1
		push	[ebp+arg_C]
		mov	edx, [edi+4]
		mov	ecx, edi
		call	RtlpHpAcquireQueuedLockExclusive
		mov	edx, [ebp+var_18]

loc_52FFD1:				; CODE XREF: RtlpHpVsChunkSplit+95Fj
		mov	eax, [ebp+var_1C]
		mov	esi, [ebp+arg_0]
		and	dword ptr [eax], 0FFFFFDFFh
		mov	edi, [esi]
		jmp	loc_52F85A
; 

loc_52FFE4:				; CODE XREF: RtlpHpVsChunkSplit+309j
		push	ecx
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	_RtlpHpVsFreeChunkRemove@12 ; RtlpHpVsFreeChunkRemove(x,x,x)
		mov	edx, [ebp+arg_0]
		shr	esi, 1
		and	esi, 7FFFh
		add	edx, esi
		mov	[ebp+arg_0], edx

loc_52FFFF:				; DATA XREF: .text:0041A894o
					; .text:off_41B39Co ...
		jmp	loc_52F96F
; 

loc_530004:				; CODE XREF: RtlpHpVsChunkSplit+345j
		lea	eax, [edx+edx]
		xor	eax, [edi]
		lea	ecx, [edi+edx*8]
		xor	eax, edi
		xor	eax, _RtlpHpHeapGlobals
		and	eax, 0FFFEh
		xor	[edi], eax
		movzx	eax, word ptr [ebx+14h]
		add	eax, 3
		lea	eax, [ebx+eax*8]
		cmp	ecx, eax
		jnb	loc_52F9AB
		mov	eax, edx
		shl	eax, 10h
		xor	eax, [ecx]
		xor	eax, ecx
		xor	eax, _RtlpHpHeapGlobals
		and	eax, 7FFF0000h
		xor	[ecx], eax
		jmp	loc_52F9AB
; 

loc_530048:				; CODE XREF: RtlpHpVsChunkSplit+139j
		inc	edx

loc_530049:				; DATA XREF: .text:005A4558o
					; .text:005A5660o
		dec	edi
		mov	[ebp+arg_4], edx
		jmp	loc_52F79F
; 

loc_530052:				; CODE XREF: RtlpHpVsChunkSplit+12Ej
					; DATA XREF: .text:??_C@_1BM@BJJGGDHH@?$AAR?$AAS?$AAA?$AAP?$AAU?$AAB?$AAL?$AAI?$AAC?$AAB?$AAL?$AAO?$AAB@FNODOBFM@o
		add	edx, ecx

loc_530054:				; DATA XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x):loc_9E42C4o
		sub	edi, ecx
		mov	[ebp+arg_4], edx

loc_530059:				; DATA XREF: .text:off_40A808o
					; .text:??_C@_1FE@LIAPLLLG@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@FNODOBFM@o ...
		jmp	loc_52F79F
; 

loc_53005E:				; CODE XREF: RtlpHpVsChunkSplit+760j
		mov	ecx, 8
		jmp	loc_52FDC6
; 

loc_530068:				; CODE XREF: RtlpHpVsChunkSplit+440j
		dec	eax
		mov	ecx, 3Fh
		shr	eax, 0Ch
		or	edx, 0FFFFFFFFh
		sub	ecx, eax
		or	eax, 0FFFFFFFFh
		call	__aullshr
		mov	ecx, [ebp+arg_0]
		mov	[ebp+arg_8], eax
		mov	eax, edx
		mov	[ebp+arg_C], eax
		or	edx, 0FFFFFFFFh
		shr	ecx, 0Ch
		or	eax, 0FFFFFFFFh
		call	__allshl
		mov	ecx, [ebp+arg_8]
		and	ecx, eax
		mov	eax, [ebp+arg_C]
		and	ecx, [ebx+8]
		and	eax, edx
		and	eax, [ebx+0Ch]
		mov	[ebp+arg_C], eax
		jmp	loc_52FAAB
; 

loc_5300AF:				; CODE XREF: RtlpHpVsChunkSplit+351j
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	_RtlpHpVsSubsegmentCleanup@8 ; RtlpHpVsSubsegmentCleanup(x,x)
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
RtlpHpVsChunkSplit endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVsContextAllocateInternal	proc near
					; CODE XREF: RtlpHpVsContextMultiAlloc(x,x,x,x,x,x)+33p
					; RtlpHpVsContextAllocate+35p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005EE958 SIZE 00000039 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_14], edx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], esi
		push	edi
		cmp	edx, eax
		jnz	loc_5EE958

loc_5300EE:				; CODE XREF: RtlpHpVsContextAllocateInternal+BE88Ej
		add	eax, 7
		shr	eax, 3
		test	byte ptr [esi+98h], 1
		lea	ecx, [eax+1]
		mov	[ebp+var_8], ecx
		jz	short loc_530109
		lea	ecx, [eax+2]
		mov	[ebp+var_8], ecx

loc_530109:				; CODE XREF: RtlpHpVsContextAllocateInternal+31j
		lea	eax, [ecx+ecx]
		movzx	ebx, ax
		mov	eax, [ebp+arg_C]
		cmp	dword ptr [eax], 0
		jnz	short loc_530130
		test	byte ptr [ebp+arg_4], 1
		mov	dword ptr [eax], 1
		jnz	short loc_530130
		push	[ebp+arg_8]
		mov	edx, [esi+4]
		mov	ecx, esi
		call	RtlpHpAcquireQueuedLockExclusive

loc_530130:				; CODE XREF: RtlpHpVsContextAllocateInternal+45j
					; RtlpHpVsContextAllocateInternal+51j
		lea	ecx, [esi+8]
		mov	[ebp+var_10], ecx

loc_530136:				; CODE XREF: RtlpHpVsContextAllocateInternal+294j
		mov	eax, [ecx+4]
		mov	esi, [ecx]
		test	al, 1
		jz	short loc_530145
		test	esi, esi
		jz	short loc_530145
		xor	esi, ecx

loc_530145:				; CODE XREF: RtlpHpVsContextAllocateInternal+6Dj
					; RtlpHpVsContextAllocateInternal+71j
		movzx	edi, al
		xor	eax, eax
		and	edi, 1
		mov	[ebp+var_C], eax
		test	esi, esi
		jz	short loc_530198
		movzx	edx, word ptr _RtlpHpHeapGlobals
		jmp	short loc_530160
; 
		align 10h

loc_530160:				; CODE XREF: RtlpHpVsContextAllocateInternal+8Bj
					; RtlpHpVsContextAllocateInternal+C3j
		lea	ecx, [esi-4]
		movzx	eax, cx
		movzx	ecx, word ptr [ecx]
		xor	eax, ecx
		xor	eax, edx
		cmp	ebx, eax
		jb	short loc_530182
		jbe	short loc_53019A
		mov	eax, [esi+4]
		test	edi, edi
		jz	short loc_53018F
		test	eax, eax
		jz	short loc_53018F
		xor	esi, eax
		jmp	short loc_530191
; 

loc_530182:				; CODE XREF: RtlpHpVsContextAllocateInternal+9Fj
		mov	eax, [esi]
		mov	[ebp+var_C], esi
		test	edi, edi
		jnz	loc_5302A6

loc_53018F:				; CODE XREF: RtlpHpVsContextAllocateInternal+A8j
					; RtlpHpVsContextAllocateInternal+ACj ...
		mov	esi, eax

loc_530191:				; CODE XREF: RtlpHpVsContextAllocateInternal+B0j
					; RtlpHpVsContextAllocateInternal+1E0j
		test	esi, esi
		jnz	short loc_530160
		mov	eax, [ebp+var_C]

loc_530198:				; CODE XREF: RtlpHpVsContextAllocateInternal+82j
		mov	esi, eax

loc_53019A:				; CODE XREF: RtlpHpVsContextAllocateInternal+A1j
		test	esi, esi
		jz	loc_530306
		mov	eax, [esi-4]
		lea	edi, [esi-4]
		mov	ecx, _RtlpHpHeapGlobals
		mov	edx, edi
		xor	eax, ecx
		xor	eax, edi
		jl	loc_5EE963
		shr	eax, 10h
		and	eax, 7FFFh
		jz	loc_5302FF
		shl	eax, 3
		sub	edx, eax
		mov	eax, [edx]
		xor	eax, ecx
		xor	eax, edx
		jl	short loc_5301E8
		shr	eax, 10h
		and	eax, 7FFFh
		jz	loc_5302FF
		neg	eax
		lea	edx, [edx+eax*8]

loc_5301E8:				; CODE XREF: RtlpHpVsContextAllocateInternal+103j
		mov	eax, [edx+4]
		xor	eax, ecx
		xor	eax, edx
		movzx	eax, al

loc_5301F2:				; CODE XREF: RtlpHpVsContextAllocateInternal+231j
					; RtlpHpVsContextAllocateInternal+BE89Cj
		shl	eax, 0Ch
		mov	ecx, 2BEDh
		sub	edx, eax
		and	edx, 0FFFFF000h
		mov	ax, [edx+16h]
		xor	ax, [edx+14h]
		xor	ax, cx
		mov	ecx, 7FFFh
		test	ax, cx
		jnz	loc_5EE971
		mov	ecx, [ebp+var_4]
		test	byte ptr [ecx+98h], 1
		jz	loc_5302F7
		lea	eax, [edi+10h]
		test	eax, 0FFFh
		mov	eax, [ebp+var_8]
		jnz	short loc_5302B5

loc_530238:				; CODE XREF: RtlpHpVsContextAllocateInternal+1E6j
					; RtlpHpVsContextAllocateInternal+22Aj
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	eax
		push	edi
		call	RtlpHpVsChunkSplit
		test	eax, eax
		jz	loc_530369
		mov	eax, [edi]
		lea	ebx, [edi+8]
		xor	eax, _RtlpHpHeapGlobals
		mov	ecx, [ebp+var_4]
		xor	eax, edi
		shr	eax, 1
		and	eax, 7FFFh
		test	byte ptr [ecx+98h], 1
		lea	edx, ds:0FFFFFFF8h[eax*8]
		jz	short loc_530284
		add	edi, 10h
		test	edi, 0FFFh
		jnz	short loc_530284
		mov	ebx, edi
		sub	edx, 8

loc_530284:				; CODE XREF: RtlpHpVsContextAllocateInternal+1A2j
					; RtlpHpVsContextAllocateInternal+1ADj
		mov	edi, [ebp+var_14]
		mov	eax, [esi]
		cmp	edi, edx
		jb	short loc_5302B8
		and	eax, 0FFFFFEFFh
		mov	[esi], eax

loc_530294:				; CODE XREF: RtlpHpVsContextAllocateInternal+1FFj
		mov	eax, [ebp+arg_4]
		test	al, 2
		jnz	short loc_5302D1

loc_53029B:				; CODE XREF: RtlpHpVsContextAllocateInternal+225j
		mov	eax, ebx

loc_53029D:				; CODE XREF: RtlpHpVsContextAllocateInternal+29Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_5302A6:				; CODE XREF: RtlpHpVsContextAllocateInternal+B9j
		test	eax, eax
		jz	loc_53018F
		xor	esi, eax
		jmp	loc_530191
; 

loc_5302B5:				; CODE XREF: RtlpHpVsContextAllocateInternal+166j
		dec	eax
		jmp	short loc_530238
; 

loc_5302B8:				; CODE XREF: RtlpHpVsContextAllocateInternal+1BBj
		or	eax, 100h
		mov	[esi], eax
		mov	eax, edx
		push	ecx
		sub	eax, edi
		mov	ecx, ebx
		push	eax
		call	_RtlpHpVsChunkSetUnusedBytes@16	; RtlpHpVsChunkSetUnusedBytes(x,x,x,x)
		mov	ecx, [ebp+var_4]
		jmp	short loc_530294
; 

loc_5302D1:				; CODE XREF: RtlpHpVsContextAllocateInternal+1C9j
		test	al, 1
		jnz	short loc_5302E0
		mov	edx, [ebp+arg_8]
		mov	ecx, [ecx+4]
		call	RtlpHpReleaseQueuedLockExclusive

loc_5302E0:				; CODE XREF: RtlpHpVsContextAllocateInternal+203j
		mov	eax, [ebp+arg_C]
		push	edi		; size_t
		push	0		; int
		push	ebx		; void *
		mov	dword ptr [eax], 0
		call	_memset
		add	esp, 0Ch
		jmp	short loc_53029B
; 

loc_5302F7:				; CODE XREF: RtlpHpVsContextAllocateInternal+155j
		mov	eax, [ebp+var_8]
		jmp	loc_530238
; 

loc_5302FF:				; CODE XREF: RtlpHpVsContextAllocateInternal+F2j
					; RtlpHpVsContextAllocateInternal+10Dj
		xor	eax, eax
		jmp	loc_5301F2
; 

loc_530306:				; CODE XREF: RtlpHpVsContextAllocateInternal+CCj
		mov	eax, [ebp+arg_4]
		mov	esi, eax
		mov	edi, [ebp+var_4]
		and	esi, 1
		jnz	short loc_530321
		mov	edx, [ebp+arg_8]
		mov	ecx, [edi+4]
		call	RtlpHpReleaseQueuedLockExclusive
		mov	eax, [ebp+arg_4]

loc_530321:				; CODE XREF: RtlpHpVsContextAllocateInternal+241j
		mov	ecx, [ebp+arg_C]
		mov	edx, [ebp+arg_0]
		push	eax
		mov	dword ptr [ecx], 0
		mov	ecx, edi
		call	RtlpHpVsSubsegmentCreate
		mov	edi, eax
		test	edi, edi
		jz	short loc_530369
		mov	eax, [ebp+arg_C]
		test	esi, esi
		mov	esi, [ebp+var_4]
		mov	dword ptr [eax], 1
		jnz	short loc_530358
		push	[ebp+arg_8]
		mov	edx, [esi+4]
		mov	ecx, esi
		call	RtlpHpAcquireQueuedLockExclusive

loc_530358:				; CODE XREF: RtlpHpVsContextAllocateInternal+279j
		mov	edx, edi
		mov	ecx, esi
		call	_RtlpHpVsContextAddSubsegment@8	; RtlpHpVsContextAddSubsegment(x,x)
		mov	ecx, [ebp+var_10]
		jmp	loc_530136
; 

loc_530369:				; CODE XREF: RtlpHpVsContextAllocateInternal+177j
					; RtlpHpVsContextAllocateInternal+269j	...
		xor	eax, eax
		jmp	loc_53029D
RtlpHpVsContextAllocateInternal	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVsContextFreeList	proc near	; CODE XREF: RtlpHpVsContextFree+ACp
					; RtlpHpHeapCompact(x,x)+46p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005EE991 SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, edx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_18], eax
		xor	ecx, ecx
		mov	[ebp+var_8], ebx
		and	eax, 1
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_1C], eax
		jnz	short loc_5303A4
		mov	edx, [ebx+4]
		lea	eax, [ebp+var_30]
		push	eax
		mov	ecx, ebx
		call	RtlpHpAcquireQueuedLockExclusive

loc_5303A4:				; CODE XREF: RtlpHpVsContextFreeList+24j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_5305CA
		push	esi
		push	edi

loc_5303B1:				; CODE XREF: RtlpHpVsContextFreeList+252j
		mov	ecx, [eax-8]
		lea	edi, [eax-8]
		mov	edx, _RtlpHpHeapGlobals
		mov	esi, edi
		mov	eax, [eax]
		xor	ecx, edx
		xor	ecx, edi
		mov	[ebp+arg_0], eax
		jge	loc_5EE991
		mov	eax, [edi+4]
		xor	eax, edx
		xor	eax, edi
		movzx	eax, al

loc_5303D8:				; CODE XREF: RtlpHpVsContextFreeList+BE655j
					; RtlpHpVsContextFreeList+BE65Cj
		shl	eax, 0Ch
		mov	edx, 2BEDh
		sub	esi, eax
		and	esi, 0FFFFF000h
		mov	ax, [esi+16h]
		xor	ax, [esi+14h]
		xor	ax, dx
		mov	edx, 7FFFh
		test	ax, dx
		jnz	loc_5EE9D1
		test	ecx, ecx
		jns	loc_5EE9EF
		mov	[ebp+var_10], 0
		mov	[ebp+var_14], 0

loc_530417:				; CODE XREF: RtlpHpVsContextFreeList+28Bj
		lea	eax, [ebp+var_10]
		mov	edx, esi
		push	eax
		push	edi
		mov	ecx, ebx
		call	_RtlpHpVsChunkCoalesce@16 ; RtlpHpVsChunkCoalesce(x,x,x,x)
		movzx	ecx, word ptr [esi+14h]
		mov	edi, eax
		mov	ebx, [ebp+var_10]
		cmp	ebx, ecx
		jz	loc_530600
		cmp	ebx, [ebp+var_14]
		jbe	short loc_530455
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_18]
		mov	edx, esi
		push	edi
		call	_RtlpHpVsChunkDecommit@20 ; RtlpHpVsChunkDecommit(x,x,x,x,x)
		test	eax, eax
		jnz	loc_5305F5

loc_530455:				; CODE XREF: RtlpHpVsContextFreeList+C9j
		mov	ebx, [ebp+var_8]
		test	byte ptr [ebx+98h], 1
		jz	short loc_530481
		lea	eax, [edi+10h]
		test	eax, 0FFFh
		jz	short loc_530481
		push	edi
		mov	edx, esi
		call	_RtlpHpVsChunkAlignSplit@12 ; RtlpHpVsChunkAlignSplit(x,x,x)
		test	eax, eax
		jz	short loc_530481
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpHpVsFreeChunkInsert@12 ; RtlpHpVsFreeChunkInsert(x,x,x)

loc_530481:				; CODE XREF: RtlpHpVsContextFreeList+EFj
					; RtlpHpVsContextFreeList+F9j ...
		lea	eax, [ebp+var_24]
		mov	[ebp+var_24], 0
		push	eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_20], 0
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_RtlpHpVsChunkComputeCost@16 ; RtlpHpVsChunkComputeCost(x,x,x,x)
		mov	edx, [ebp+var_24]
		mov	esi, eax
		mov	ebx, [ebp+var_20]
		not	edx
		movzx	ecx, dl
		not	ebx
		shr	edx, 8
		xor	esi, edi
		mov	al, ds:_RtlpBitsClearTotal[ecx]
		movzx	ecx, dl
		shr	edx, 8
		mov	[ebp+var_14], edx
		add	al, ds:_RtlpBitsClearTotal[ecx]
		mov	[ebp+var_1], al
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_14]
		add	cl, dl
		movzx	edx, cl
		mov	ecx, eax
		shr	ecx, 8
		movzx	eax, al
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, [ebp+var_1]
		movzx	eax, cl
		mov	ecx, [ebp+var_8]
		add	edx, eax
		add	[ecx+1Ch], edx
		lea	edx, [ecx+8]
		xor	esi, _RtlpHpHeapGlobals
		xor	esi, [edi]
		and	esi, 1
		mov	[ebp+var_10], edx
		xor	[edi], esi
		movzx	eax, word ptr [edi]
		movzx	ebx, word ptr _RtlpHpHeapGlobals
		movzx	esi, di
		xor	esi, eax
		mov	eax, [edx+4]
		mov	edx, [edx]
		xor	esi, ebx
		test	al, 1
		jnz	loc_5305E2

loc_530555:				; CODE XREF: RtlpHpVsContextFreeList+279j
					; RtlpHpVsContextFreeList+280j
		movzx	eax, al
		and	eax, 1
		mov	byte ptr [ebp+var_C], 0
		mov	[ebp+var_14], eax
		test	edx, edx
		jz	short loc_5305AA

loc_530566:				; CODE XREF: RtlpHpVsContextFreeList+21Cj
		lea	eax, [edx-4]
		movzx	ecx, ax
		movzx	eax, word ptr [eax]
		xor	ecx, eax
		xor	ecx, ebx
		cmp	esi, ecx
		jb	short loc_53058E
		cmp	[ebp+var_14], 0
		mov	eax, [edx+4]
		jz	short loc_530586
		test	eax, eax
		jz	short loc_5305A6
		xor	eax, edx

loc_530586:				; CODE XREF: RtlpHpVsContextFreeList+20Ej
		test	eax, eax
		jz	short loc_5305A6

loc_53058A:				; CODE XREF: RtlpHpVsContextFreeList+22Ej
		mov	edx, eax
		jmp	short loc_530566
; 

loc_53058E:				; CODE XREF: RtlpHpVsContextFreeList+205j
		cmp	[ebp+var_14], 0
		mov	eax, [edx]
		jz	short loc_53059C
		test	eax, eax
		jz	short loc_5305A0
		xor	eax, edx

loc_53059C:				; CODE XREF: RtlpHpVsContextFreeList+224j
		test	eax, eax
		jnz	short loc_53058A

loc_5305A0:				; CODE XREF: RtlpHpVsContextFreeList+228j
		mov	byte ptr [ebp+var_C], 0
		jmp	short loc_5305AA
; 

loc_5305A6:				; CODE XREF: RtlpHpVsContextFreeList+212j
					; RtlpHpVsContextFreeList+218j
		mov	byte ptr [ebp+var_C], 1

loc_5305AA:				; CODE XREF: RtlpHpVsContextFreeList+1F4j
					; RtlpHpVsContextFreeList+234j
		lea	eax, [edi+4]
		push	eax
		push	[ebp+var_C]
		push	edx
		push	[ebp+var_10]
		call	RtlRbInsertNodeEx
		mov	ebx, [ebp+var_8]

loc_5305BD:				; CODE XREF: RtlpHpVsContextFreeList+2BCj
					; RtlpHpVsContextFreeList+2CCj	...
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_5303B1
		pop	edi
		pop	esi

loc_5305CA:				; CODE XREF: RtlpHpVsContextFreeList+39j
		cmp	[ebp+var_1C], 0
		jnz	short loc_5305DB
		mov	ecx, [ebx+4]
		lea	edx, [ebp+var_30]
		call	RtlpHpReleaseQueuedLockExclusive

loc_5305DB:				; CODE XREF: RtlpHpVsContextFreeList+25Ej
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_5305E2:				; CODE XREF: RtlpHpVsContextFreeList+1DFj
		test	edx, edx
		jz	short loc_5305EE
		xor	edx, [ebp+var_10]
		jmp	loc_530555
; 

loc_5305EE:				; CODE XREF: RtlpHpVsContextFreeList+274j
		xor	edx, edx
		jmp	loc_530555
; 

loc_5305F5:				; CODE XREF: RtlpHpVsContextFreeList+DFj
		mov	[ebp+var_14], ebx
		mov	ebx, [ebp+var_8]
		jmp	loc_530417
; 

loc_530600:				; CODE XREF: RtlpHpVsContextFreeList+C0j
		mov	ebx, [ebp+var_8]
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpHpVsSubsegmentCleanup@8 ; RtlpHpVsSubsegmentCleanup(x,x)
		mov	edi, [ebp+var_1C]
		test	edi, edi
		jnz	short loc_53061E
		mov	ecx, [ebx+4]
		lea	edx, [ebp+var_30]
		call	RtlpHpReleaseQueuedLockExclusive

loc_53061E:				; CODE XREF: RtlpHpVsContextFreeList+2A1j
		push	[ebp+var_18]
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpHpVsSubsegmentFree@12 ; RtlpHpVsSubsegmentFree(x,x,x)
		test	edi, edi
		jnz	short loc_5305BD
		mov	edx, [ebx+4]
		lea	eax, [ebp+var_30]
		push	eax
		mov	ecx, ebx
		call	RtlpHpAcquireQueuedLockExclusive
		jmp	loc_5305BD
RtlpHpVsContextFreeList	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVsChunkCoalesce(x, x,	x, x)
_RtlpHpVsChunkCoalesce@16 proc near	; CODE XREF: RtlpHpVsContextFreeList+B0p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, _RtlpHpHeapGlobals
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], edx
		mov	esi, [edi]
		mov	ecx, esi
		xor	ecx, eax
		xor	esi, eax
		xor	ecx, edi
		xor	esi, edi
		mov	edx, ecx
		and	esi, 7FFFFFFFh
		shr	edx, 1
		xor	esi, eax
		and	edx, 7FFFh
		shr	ecx, 10h
		xor	esi, edi
		mov	[ebp+var_18], edx
		mov	[edi], esi
		mov	ebx, edx
		mov	[ebp+var_10], ebx
		and	ecx, 7FFFh
		jz	loc_5307A3
		lea	eax, ds:0[ecx*8]
		mov	ecx, edi
		sub	ecx, eax
		mov	[ebp+arg_0], ecx
		mov	esi, [ecx]
		xor	esi, _RtlpHpHeapGlobals
		xor	esi, ecx
		jl	loc_5307A3
		lea	eax, [ecx+4]
		push	eax
		mov	eax, [ebp+var_4]
		add	eax, 8
		push	eax
		call	RtlRbRemoveNode
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		mov	ebx, [ebp+var_8]
		sub	ecx, ebx
		add	ecx, 100Fh
		and	ecx, 0FFFFF000h
		mov	eax, [edi]
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, edi
		mov	[ebp+var_14], ecx
		shr	eax, 1
		and	eax, 7FFFh
		shl	eax, 3
		sub	eax, ebx
		add	eax, edi
		and	eax, 0FFFFF000h
		cmp	ecx, eax
		jb	loc_530954
		xor	ecx, ecx
		xor	ebx, ebx

loc_530712:				; CODE XREF: RtlpHpVsChunkCoalesce(x,x,x,x)+346j
		not	ecx
		shr	esi, 1
		movzx	eax, cl
		not	ebx
		shr	ecx, 8
		and	esi, 7FFFh
		mov	[ebp+arg_0], ebx
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		mov	[ebp+var_C], ecx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		mov	bl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+arg_0]
		shr	eax, 8
		mov	[ebp+arg_0], eax
		shr	[ebp+arg_0], 8
		movzx	eax, al
		add	bl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_C]
		movzx	eax, al
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+arg_0]
		add	cl, dl
		movzx	edx, cl
		mov	ecx, eax
		shr	ecx, 8
		movzx	eax, al
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, bl
		mov	ebx, [ebp+var_10]
		movzx	eax, cl
		add	edx, eax
		mov	eax, [ebp+var_4]
		sub	[eax+1Ch], edx
		add	ebx, esi
		mov	[ebp+var_10], ebx

loc_5307A3:				; CODE XREF: RtlpHpVsChunkCoalesce(x,x,x,x)+4Cj
					; RtlpHpVsChunkCoalesce(x,x,x,x)+6Aj
		mov	eax, [ebp+var_8]
		lea	ecx, [edi+ebx*8]
		mov	[ebp+arg_0], ecx
		lea	edx, [eax+18h]
		movzx	eax, word ptr [eax+14h]
		mov	[ebp+var_1C], edx
		lea	eax, [edx+eax*8]
		cmp	ecx, eax
		jnb	loc_5308B3
		lfence	eax
		mov	esi, [ecx]
		xor	esi, _RtlpHpHeapGlobals
		xor	esi, ecx
		jl	loc_5308B3
		lea	eax, [ecx+4]
		push	eax
		mov	eax, [ebp+var_4]
		add	eax, 8
		push	eax
		call	RtlRbRemoveNode
		mov	eax, [ebp+arg_0]
		mov	edx, eax
		mov	ebx, [ebp+var_8]
		sub	edx, ebx
		add	edx, 100Fh
		and	edx, 0FFFFF000h
		mov	ecx, [eax]
		xor	ecx, _RtlpHpHeapGlobals
		xor	ecx, eax
		mov	[ebp+var_14], edx
		shr	ecx, 1
		and	ecx, 7FFFh
		shl	ecx, 3
		sub	ecx, ebx
		add	ecx, eax
		and	ecx, 0FFFFF000h
		cmp	edx, ecx
		jb	loc_53099B
		xor	ecx, ecx
		mov	[ebp+arg_0], ecx

loc_530829:				; CODE XREF: RtlpHpVsChunkCoalesce(x,x,x,x)+38Fj
		not	ecx
		shr	esi, 1
		movzx	eax, cl
		and	esi, 7FFFh
		shr	ecx, 8
		mov	bl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_0]
		add	bl, ds:_RtlpBitsClearTotal[eax]
		not	ecx
		movzx	eax, cl
		shr	ecx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		mov	[ebp+arg_0], ecx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+arg_0]
		movzx	eax, al
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_C]
		add	cl, dl
		movzx	edx, cl
		mov	ecx, eax
		shr	ecx, 8
		movzx	eax, al
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, bl
		mov	ebx, [ebp+var_4]
		movzx	eax, cl
		add	edx, eax
		sub	[ebx+1Ch], edx
		mov	ebx, [ebp+var_10]
		add	ebx, esi

loc_5308B3:				; CODE XREF: RtlpHpVsChunkCoalesce(x,x,x,x)+16Bj
					; RtlpHpVsChunkCoalesce(x,x,x,x)+17Ej
		mov	eax, [ebp+var_4]
		test	byte ptr [eax+98h], 1
		jz	short loc_5308E2
		mov	ecx, [ebp+var_8]
		lea	edx, [edi+ebx*8]
		movzx	eax, word ptr [ecx+14h]
		add	eax, 3
		lea	eax, [ecx+eax*8]
		cmp	edx, eax
		jnb	short loc_5308E2
		lfence	eax
		mov	esi, [edx]
		xor	esi, _RtlpHpHeapGlobals
		xor	esi, edx
		jge	short loc_53093D

loc_5308E2:				; CODE XREF: RtlpHpVsChunkCoalesce(x,x,x,x)+26Dj
					; RtlpHpVsChunkCoalesce(x,x,x,x)+281j ...
		cmp	[ebp+var_18], ebx
		jz	short loc_530936
		mov	ecx, [ebp+var_1C]
		lea	eax, [ebx+ebx]
		xor	eax, [edi]
		lea	edx, [edi+ebx*8]
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, edi
		and	eax, 0FFFEh
		xor	[edi], eax
		mov	eax, [ebp+var_8]
		movzx	eax, word ptr [eax+14h]
		lea	eax, [ecx+eax*8]
		cmp	edx, eax
		jnb	short loc_530936
		mov	ecx, ebx
		shl	ecx, 10h
		xor	ecx, [edx]
		xor	ecx, _RtlpHpHeapGlobals
		xor	ecx, edx
		and	ecx, 7FFF0000h
		xor	[edx], ecx
		mov	ecx, [ebp+arg_4]
		mov	[ecx], ebx

loc_53092B:				; CODE XREF: RtlpHpVsChunkCoalesce(x,x,x,x)+2EBj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_530936:				; CODE XREF: RtlpHpVsChunkCoalesce(x,x,x,x)+295j
					; RtlpHpVsChunkCoalesce(x,x,x,x)+2BDj
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		jmp	short loc_53092B
; 

loc_53093D:				; CODE XREF: RtlpHpVsChunkCoalesce(x,x,x,x)+290j
		push	edx
		mov	edx, ecx
		mov	ecx, [ebp+var_4]
		call	_RtlpHpVsFreeChunkRemove@12 ; RtlpHpVsFreeChunkRemove(x,x,x)
		shr	esi, 1
		and	esi, 7FFFh
		add	ebx, esi
		jmp	short loc_5308E2
; 

loc_530954:				; CODE XREF: RtlpHpVsChunkCoalesce(x,x,x,x)+B8j
		dec	eax
		mov	ecx, 3Fh
		shr	eax, 0Ch
		or	edx, 0FFFFFFFFh
		sub	ecx, eax
		or	eax, 0FFFFFFFFh
		call	__aullshr
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_C], eax
		or	eax, 0FFFFFFFFh
		mov	[ebp+arg_0], edx
		or	edx, 0FFFFFFFFh
		shr	ecx, 0Ch
		call	__allshl
		mov	ecx, [ebp+var_C]
		and	ecx, eax
		mov	eax, [ebp+arg_0]
		and	ecx, [ebx+8]
		and	eax, edx
		and	eax, [ebx+0Ch]
		mov	[ebp+arg_0], eax
		mov	ebx, eax
		jmp	loc_530712
; 

loc_53099B:				; CODE XREF: RtlpHpVsChunkCoalesce(x,x,x,x)+1CEj
		lea	eax, [ecx-1]
		or	edx, 0FFFFFFFFh
		shr	eax, 0Ch
		mov	ecx, 3Fh
		sub	ecx, eax
		or	eax, 0FFFFFFFFh
		call	__aullshr
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_C], eax
		mov	eax, edx
		mov	[ebp+arg_0], eax
		or	edx, 0FFFFFFFFh
		shr	ecx, 0Ch
		or	eax, 0FFFFFFFFh
		call	__allshl
		mov	ecx, [ebp+var_C]
		and	ecx, eax
		mov	eax, [ebp+arg_0]
		and	ecx, [ebx+8]
		and	eax, edx
		and	eax, [ebx+0Ch]
		mov	[ebp+arg_0], eax
		jmp	loc_530829
_RtlpHpVsChunkCoalesce@16 endp

; 
		align 10h
; Exported entry 2308. RtlRbRemoveNode

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlRbRemoveNode
RtlRbRemoveNode	proc near		; CODE XREF: KiSetClockInterval+1Ep
					; KiRemoveSchedulingGroupQueue+46p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005EEA0D SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	esp, 28h
		push	ebx
		mov	bl, [eax+4]
		mov	eax, [ebp+arg_4]
		movzx	ecx, bl
		push	esi
		push	edi
		mov	edx, [eax]
		and	ecx, 1
		jnz	loc_530AEA

loc_530A12:				; CODE XREF: RtlRbRemoveNode+FCj
					; RtlRbRemoveNode+104j
		mov	esi, [eax+4]
		test	ecx, ecx
		jnz	loc_530AF9

loc_530A1D:				; CODE XREF: RtlRbRemoveNode+10Bj
					; RtlRbRemoveNode+113j
		test	edx, edx
		jnz	loc_530B08
		mov	[ebp+var_C], esi

loc_530A28:				; CODE XREF: RtlRbRemoveNode+11Bj
		and	bl, 1
		mov	ecx, edx
		neg	ecx
		sbb	ecx, ecx
		test	ecx, esi
		jnz	loc_530B56
		mov	edi, [eax+8]
		and	edi, 0FFFFFFFCh
		test	bl, bl
		jnz	loc_5312DC

loc_530A47:				; CODE XREF: RtlRbRemoveNode+8EEj
					; RtlRbRemoveNode+8F6j
		mov	esi, eax
		test	edi, edi
		jz	loc_530B10
		mov	ecx, [edi+4]
		test	bl, bl
		jnz	loc_5312EB

loc_530A5C:				; CODE XREF: RtlRbRemoveNode+8FDj
					; RtlRbRemoveNode+905j
		cmp	ecx, eax
		jz	short loc_530AA9
		mov	ecx, [edi]
		test	bl, bl
		jnz	loc_53146B

loc_530A6A:				; CODE XREF: RtlRbRemoveNode+A7Dj
					; RtlRbRemoveNode+A85j
		cmp	ecx, eax
		jnz	loc_5EEA17
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_8], 0
		mov	edx, [ebx+4]
		test	dl, 1
		jnz	loc_53147A
		mov	ecx, edx

loc_530A8A:				; CODE XREF: RtlRbRemoveNode+A9Aj
					; RtlRbRemoveNode+BE03Ej
		cmp	ecx, eax
		jnz	short loc_530AB3
		mov	ecx, [ebp+var_C]
		and	dl, 1
		test	ecx, ecx
		jnz	loc_53108C
		test	dl, dl
		jnz	loc_531633
		mov	[ebx+4], edi
		jmp	short loc_530AB3
; 

loc_530AA9:				; CODE XREF: RtlRbRemoveNode+6Ej
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_8], 1

loc_530AB3:				; CODE XREF: RtlRbRemoveNode+9Cj
					; RtlRbRemoveNode+B7j ...
		mov	cl, [eax+8]

loc_530AB6:				; CODE XREF: RtlRbRemoveNode+309j
					; RtlRbRemoveNode+A17j	...
		mov	eax, [ebp+var_C]
		and	cl, 1
		test	byte ptr [ebx+4], 1
		jnz	loc_5312CB

loc_530AC6:				; CODE XREF: RtlRbRemoveNode+8DDj
		mov	edx, eax

loc_530AC8:				; CODE XREF: RtlRbRemoveNode+8E7j
		mov	ebx, [ebp+var_8]
		mov	[edi+ebx*4], edx
		mov	ebx, [ebp+arg_0]
		test	eax, eax
		jnz	loc_530D53
		test	cl, cl
		jz	loc_530CFE

loc_530AE1:				; CODE XREF: RtlRbRemoveNode+547j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_530AEA:				; CODE XREF: RtlRbRemoveNode+1Cj
		test	edx, edx
		jz	loc_530A12
		xor	edx, eax
		jmp	loc_530A12
; 

loc_530AF9:				; CODE XREF: RtlRbRemoveNode+27j
		test	esi, esi
		jz	loc_530A1D
		xor	esi, eax
		jmp	loc_530A1D
; 

loc_530B08:				; CODE XREF: RtlRbRemoveNode+2Fj
		mov	[ebp+var_C], edx
		jmp	loc_530A28
; 

loc_530B10:				; CODE XREF: RtlRbRemoveNode+5Bj
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jnz	loc_53145F

loc_530B1B:				; CODE XREF: RtlRbRemoveNode+A76j
		mov	ebx, [ebp+arg_0]
		mov	edx, [ebx+4]
		mov	esi, [ebx]
		test	dl, 1
		jnz	loc_5315FB

loc_530B2C:				; CODE XREF: RtlRbRemoveNode+C15j
					; RtlRbRemoveNode+BE037j
		cmp	esi, eax
		jnz	loc_5EEA17
		test	dl, 1
		jnz	loc_53160A
		mov	[ebx+4], ecx
		mov	dl, cl

loc_530B42:				; CODE XREF: RtlRbRemoveNode+C2Fj
		test	dl, 1
		jnz	loc_531624

loc_530B4B:				; CODE XREF: RtlRbRemoveNode+C3Ej
		pop	edi
		pop	esi
		mov	[ebx], ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_530B56:				; CODE XREF: RtlRbRemoveNode+43j
		mov	eax, [esi]
		mov	ecx, esi
		mov	[ebp+var_14], esi
		mov	edi, esi
		mov	[ebp+var_8], 1
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	loc_530D91

loc_530B71:				; CODE XREF: RtlRbRemoveNode+3C5j
		test	bl, bl
		jnz	loc_531349

loc_530B79:				; CODE XREF: RtlRbRemoveNode+95Bj
		mov	eax, edx

loc_530B7B:				; CODE XREF: RtlRbRemoveNode+965j
		mov	[ecx], eax
		mov	ebx, [edx+8]
		mov	[ebp+var_20], ebx
		and	ebx, 0FFFFFFFCh
		mov	[ebp+var_C], ebx
		mov	ebx, [ebp+arg_0]
		mov	al, [ebx+4]
		and	al, 1
		mov	[ebp+var_1], al
		mov	eax, [ebp+arg_4]
		jnz	loc_53135A

loc_530B9D:				; CODE XREF: RtlRbRemoveNode+96Ej
		mov	ebx, [ebp+var_C]
		mov	[ebp+var_C], ebx
		mov	ebx, [ebp+arg_0]

loc_530BA6:				; CODE XREF: RtlRbRemoveNode+977j
		cmp	[ebp+var_C], eax
		jnz	loc_5EEA17
		cmp	[ebp+var_1], 0
		jnz	loc_53136C
		mov	[ebp+var_10], ecx

loc_530BBC:				; CODE XREF: RtlRbRemoveNode+983j
		mov	eax, [ebp+var_20]
		and	eax, 3
		or	eax, [ebp+var_10]
		mov	[edx+8], eax
		mov	edx, [esi+8]
		mov	al, [ebx+4]
		mov	[ebp+var_20], edx
		and	edx, 0FFFFFFFCh
		and	al, 1
		mov	[ebp+var_1], al
		mov	eax, [ebp+arg_4]
		jnz	loc_531378

loc_530BE2:				; CODE XREF: RtlRbRemoveNode+98Aj
					; RtlRbRemoveNode+992j
		cmp	edx, eax
		jnz	loc_5EEA17
		mov	edx, ecx
		xor	edx, esi
		cmp	[ebp+var_1], 0
		jnz	loc_531387
		mov	[ebp+var_10], ecx

loc_530BFB:				; CODE XREF: RtlRbRemoveNode+99Aj
		mov	eax, [ebp+var_20]
		and	eax, 3
		or	eax, [ebp+var_10]
		mov	[esi+8], eax
		mov	al, [ebx+4]
		mov	ecx, [ecx+4]
		and	al, 1
		mov	[ebp+var_1], al
		mov	eax, [ebp+arg_4]
		jnz	loc_53138F

loc_530C1B:				; CODE XREF: RtlRbRemoveNode+9A1j
					; RtlRbRemoveNode+9AAj
		cmp	[ebp+var_1], 0
		mov	[ebp+var_C], ecx
		jnz	short loc_530C26
		mov	edx, esi

loc_530C26:				; CODE XREF: RtlRbRemoveNode+232j
		mov	esi, [ebp+var_14]
		mov	[esi+4], edx
		mov	edx, [esi+8]
		mov	ecx, edx
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_1C], edx
		mov	[ebp+var_10], ecx
		mov	cl, [ebx+4]
		and	cl, 1
		mov	byte ptr [ebp+arg_4+3],	cl
		jnz	loc_53139F

loc_530C49:				; CODE XREF: RtlRbRemoveNode+9B3j
		mov	ebx, [ebp+var_10]

loc_530C4C:				; CODE XREF: RtlRbRemoveNode+9BEj
		mov	[ebp+var_18], ebx
		mov	ebx, [ebp+arg_0]
		cmp	[ebp+var_18], edi
		jnz	loc_53148F

loc_530C5B:				; CODE XREF: RtlRbRemoveNode+AB4j
		mov	ecx, [eax+8]
		and	ecx, 0FFFFFFFCh
		cmp	byte ptr [ebp+arg_4+3],	0
		jnz	loc_5313B3

loc_530C6B:				; CODE XREF: RtlRbRemoveNode+9CDj
					; RtlRbRemoveNode+9D5j	...
		and	edx, 3
		or	edx, ecx
		mov	[esi+8], edx
		mov	cl, [eax+8]
		xor	cl, dl
		and	cl, 1
		xor	cl, dl
		mov	[esi+8], cl
		mov	edx, [eax+8]
		test	edx, 0FFFFFFFCh
		jz	loc_5313E1
		mov	cl, [ebx+4]
		and	edx, 0FFFFFFFCh
		and	cl, 1
		mov	byte ptr [ebp+arg_4+3],	cl
		jnz	loc_53140C

loc_530CA1:				; CODE XREF: RtlRbRemoveNode+A1Ej
					; RtlRbRemoveNode+A26j
		mov	ebx, [edx+4]
		test	cl, cl
		mov	[ebp+var_10], ebx
		mov	ecx, ebx
		jnz	loc_53141B

loc_530CB1:				; CODE XREF: RtlRbRemoveNode+A2Dj
					; RtlRbRemoveNode+A35j
		mov	[ebp+var_10], ecx
		xor	ecx, ecx
		cmp	[ebp+var_10], eax
		setnz	cl
		dec	ecx
		and	ecx, 4
		add	ecx, edx
		mov	[ebp+var_20], ecx
		mov	ecx, [ecx]
		mov	[ebp+var_10], ecx
		mov	cl, byte ptr [ebp+arg_4+3]
		test	cl, cl
		jnz	loc_53142A

loc_530CD5:				; CODE XREF: RtlRbRemoveNode+A41j
		mov	ebx, [ebp+var_10]
		mov	[ebp+var_10], ebx

loc_530CDB:				; CODE XREF: RtlRbRemoveNode+A4Aj
		mov	ebx, [ebp+arg_0]
		cmp	[ebp+var_10], eax
		jnz	loc_5EEA17
		test	cl, cl
		jnz	loc_53143F
		mov	eax, [ebp+var_20]
		mov	edx, esi
		mov	ecx, [ebp+var_1C]
		mov	[eax], edx
		jmp	loc_530AB6
; 

loc_530CFE:				; CODE XREF: RtlRbRemoveNode+EBj
		mov	al, [ebx+4]
		mov	ecx, [ebp+var_8]

loc_530D04:				; CODE XREF: RtlRbRemoveNode+563j
		mov	edx, ecx
		mov	[ebp+var_C], edi
		xor	edx, 1
		mov	esi, [edi+edx*4]
		test	al, 1
		jnz	loc_53144E

loc_530D17:				; CODE XREF: RtlRbRemoveNode+A60j
		mov	ecx, esi

loc_530D19:				; CODE XREF: RtlRbRemoveNode+A6Aj
		test	byte ptr [ecx+8], 1
		jnz	loc_530F58

loc_530D23:				; CODE XREF: RtlRbRemoveNode+687j
					; RtlRbRemoveNode+68Fj	...
		mov	esi, [ecx]
		and	al, 1
		test	esi, esi
		jnz	short loc_530D81

loc_530D2B:				; CODE XREF: RtlRbRemoveNode+39Dj
		mov	esi, [ecx+4]
		test	esi, esi
		jnz	loc_530DBA

loc_530D36:				; CODE XREF: RtlRbRemoveNode+3D6j
		mov	al, [edi+8]
		test	al, 1
		jz	loc_530F1B
		and	al, 0FEh
		mov	[edi+8], al
		or	byte ptr [ecx+8], 1
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_530D53:				; CODE XREF: RtlRbRemoveNode+E3j
		mov	ecx, [eax+8]
		mov	dl, [ebx+4]
		and	ecx, 0FFFFFFFCh
		and	dl, 1
		jnz	loc_5314AF

loc_530D65:				; CODE XREF: RtlRbRemoveNode+AC1j
					; RtlRbRemoveNode+AC9j
		cmp	ecx, esi
		jnz	loc_5EEA17
		test	dl, dl
		jnz	loc_5314BE

loc_530D75:				; CODE XREF: RtlRbRemoveNode+AD0j
					; RtlRbRemoveNode+AD8j
		mov	[eax+8], edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_530D81:				; CODE XREF: RtlRbRemoveNode+339j
		test	al, al
		jnz	loc_5314EF

loc_530D89:				; CODE XREF: RtlRbRemoveNode+B01j
		test	byte ptr [esi+8], 1
		jz	short loc_530D2B
		jmp	short loc_530DCC
; 

loc_530D91:				; CODE XREF: RtlRbRemoveNode+17Bj
		mov	eax, [ebp+var_20]
		mov	[ebp+var_8], 0
		jmp	short loc_530DA0
; 
		align 10h

loc_530DA0:				; CODE XREF: RtlRbRemoveNode+3ABj
					; RtlRbRemoveNode+3C0j
		mov	edi, ecx
		test	bl, bl
		jnz	loc_5313D2

loc_530DAA:				; CODE XREF: RtlRbRemoveNode+9E4j
		mov	ecx, eax

loc_530DAC:				; CODE XREF: RtlRbRemoveNode+9ECj
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_530DA0
		mov	[ebp+var_14], ecx
		jmp	loc_530B71
; 

loc_530DBA:				; CODE XREF: RtlRbRemoveNode+340j
		test	al, al
		jnz	loc_531523

loc_530DC2:				; CODE XREF: RtlRbRemoveNode+B35j
		test	byte ptr [esi+8], 1
		jz	loc_530D36

loc_530DCC:				; CODE XREF: RtlRbRemoveNode+39Fj
		shl	edx, 2
		mov	[ebp+var_28], edx
		mov	esi, [edx+ecx]
		test	al, al
		jnz	loc_5314F6

loc_530DDD:				; CODE XREF: RtlRbRemoveNode+B10j
		test	esi, esi
		jz	loc_53110E
		test	byte ptr [esi+8], 1
		jz	loc_53110E

loc_530DEF:				; CODE XREF: RtlRbRemoveNode+873j
		lea	eax, [edi+8]
		mov	[ebp+var_14], eax
		mov	edx, eax
		mov	al, [ecx+8]
		xor	al, [edx]
		and	al, 1
		xor	[ecx+8], al
		mov	eax, edx
		and	byte ptr [eax],	0FEh
		and	byte ptr [esi+8], 0FEh
		mov	edx, [ebx+4]
		mov	eax, [ebx]
		test	dl, 1
		jnz	loc_531505

loc_530E18:				; CODE XREF: RtlRbRemoveNode+B1Fj
		mov	[ebp+var_10], eax

loc_530E1B:				; CODE XREF: RtlRbRemoveNode+BE051j
		mov	eax, [ecx+8]
		movzx	esi, dl
		and	eax, 0FFFFFFFCh
		mov	edx, [ebp+var_8]
		and	esi, 1
		jnz	loc_531548

loc_530E30:				; CODE XREF: RtlRbRemoveNode+B5Aj
					; RtlRbRemoveNode+B62j
		cmp	eax, edi
		jnz	loc_5EEA17
		mov	eax, [ebp+var_28]
		add	eax, edi
		mov	[ebp+var_28], eax
		mov	eax, [eax]
		test	esi, esi
		jnz	loc_531557

loc_530E4A:				; CODE XREF: RtlRbRemoveNode+B69j
					; RtlRbRemoveNode+B71j
		cmp	eax, ecx
		jnz	loc_5EEA17
		mov	eax, [ebp+var_14]
		mov	eax, [eax]
		and	eax, 0FFFFFFFCh
		test	esi, esi
		jnz	loc_531654

loc_530E62:				; CODE XREF: RtlRbRemoveNode+C6Ej
		test	eax, eax
		jz	loc_5314CD
		mov	ebx, [eax+4]
		mov	[ebp+arg_4], ebx
		mov	ebx, [ebp+arg_0]
		test	esi, esi
		jnz	loc_53169F

loc_530E7B:				; CODE XREF: RtlRbRemoveNode+CB6j
		mov	ebx, [ebp+arg_4]
		mov	[ebp+arg_4], ebx
		mov	ebx, [ebp+arg_0]

loc_530E84:				; CODE XREF: RtlRbRemoveNode+CBFj
		cmp	[ebp+arg_4], edi
		jnz	loc_531268
		test	esi, esi
		jnz	loc_5316C6
		mov	ebx, [ebp+arg_0]
		mov	[ebp+arg_4], ecx

loc_530E9B:				; CODE XREF: RtlRbRemoveNode+CDDj
		mov	edx, [ebp+arg_4]
		mov	[eax+4], edx
		mov	edx, [ebp+var_8]

loc_530EA4:				; CODE XREF: RtlRbRemoveNode+8A6j
					; RtlRbRemoveNode+AE9j	...
		test	esi, esi
		jnz	loc_531663

loc_530EAC:				; CODE XREF: RtlRbRemoveNode+C75j
					; RtlRbRemoveNode+C7Dj
		mov	[ebp+arg_0], eax
		mov	eax, [ecx+8]
		and	eax, 3
		or	eax, [ebp+arg_0]
		mov	[ecx+8], eax
		lea	eax, [ecx+edx*4]
		mov	[ebp+var_24], eax
		mov	eax, [eax]
		test	esi, esi
		jnz	loc_531566

loc_530ECB:				; CODE XREF: RtlRbRemoveNode+B80j
		test	eax, eax
		jnz	loc_53109C

loc_530ED3:				; CODE XREF: RtlRbRemoveNode+6DBj
					; RtlRbRemoveNode+B78j	...
		test	esi, esi
		jnz	loc_531575

loc_530EDB:				; CODE XREF: RtlRbRemoveNode+B87j
					; RtlRbRemoveNode+B8Fj
		mov	edx, [ebp+var_28]
		mov	[edx], eax
		mov	edx, edi
		xor	edx, ecx
		test	esi, esi
		jnz	loc_531584

loc_530EEC:				; CODE XREF: RtlRbRemoveNode+B96j
		mov	eax, [ebp+var_24]
		mov	[eax], edi
		test	esi, esi
		jnz	short loc_530EF7
		mov	edx, ecx

loc_530EF7:				; CODE XREF: RtlRbRemoveNode+503j
		mov	ecx, [ebp+var_14]
		mov	eax, [ecx]
		and	eax, 3
		or	eax, edx
		mov	[ecx], eax
		test	byte ptr [ebx+4], 1
		mov	eax, [ebp+var_10]
		jnz	loc_531514

loc_530F10:				; CODE XREF: RtlRbRemoveNode+B2Ej
					; RtlRbRemoveNode+BE058j
		pop	edi
		pop	esi
		mov	[ebx], eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_530F1B:				; CODE XREF: RtlRbRemoveNode+34Bj
		or	byte ptr [ecx+8], 1
		mov	al, [ebx+4]
		mov	ecx, [edi+8]
		mov	ah, al
		and	ecx, 0FFFFFFFCh
		and	ah, 1
		jnz	loc_53152A

loc_530F33:				; CODE XREF: RtlRbRemoveNode+B3Cj
		mov	edi, ecx

loc_530F35:				; CODE XREF: RtlRbRemoveNode+B44j
		test	edi, edi
		jz	loc_530AE1
		mov	edx, [edi+4]
		test	ah, ah
		jnz	loc_531539

loc_530F48:				; CODE XREF: RtlRbRemoveNode+B4Bj
					; RtlRbRemoveNode+B53j
		xor	ecx, ecx
		cmp	edx, [ebp+var_C]
		setz	cl
		mov	[ebp+var_8], ecx
		jmp	loc_530D04
; 

loc_530F58:				; CODE XREF: RtlRbRemoveNode+32Dj
		mov	eax, [ebx+4]
		test	al, 1
		mov	[ebp+var_14], eax
		mov	eax, [ebx]
		mov	[ebp+arg_4], eax
		jnz	loc_5315E8
		mov	eax, [ebp+var_14]

loc_530F6E:				; CODE XREF: RtlRbRemoveNode+C06j
					; RtlRbRemoveNode+E47j
		mov	ebx, [ecx+8]
		movzx	eax, al
		and	ebx, 0FFFFFFFCh
		and	eax, 1
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], eax
		test	eax, eax
		jnz	loc_5315A9

loc_530F88:				; CODE XREF: RtlRbRemoveNode+BBDj
		mov	ebx, [ebp+var_10]
		mov	[ebp+var_10], ebx

loc_530F8E:				; CODE XREF: RtlRbRemoveNode+BC6j
		cmp	[ebp+var_10], edi
		jnz	loc_5EEA17
		test	eax, eax
		jnz	loc_5315BB

loc_530F9F:				; CODE XREF: RtlRbRemoveNode+BCDj
					; RtlRbRemoveNode+BD5j
		cmp	esi, ecx
		jnz	loc_5EEA17
		mov	esi, [edi+8]
		and	esi, 0FFFFFFFCh
		test	eax, eax
		jnz	loc_531681

loc_530FB5:				; CODE XREF: RtlRbRemoveNode+C9Bj
		test	esi, esi
		jz	loc_5314DE
		mov	ebx, [esi+4]
		mov	[ebp+var_10], ebx
		test	eax, eax
		jnz	loc_5316B4

loc_530FCB:				; CODE XREF: RtlRbRemoveNode+CC8j
		mov	ebx, [ebp+var_10]
		mov	[ebp+var_10], ebx

loc_530FD1:				; CODE XREF: RtlRbRemoveNode+CD1j
		cmp	[ebp+var_10], edi
		jnz	loc_53129B
		test	eax, eax
		jnz	loc_5316D2
		mov	eax, [ebp+var_14]
		mov	[ebp+var_18], ecx

loc_530FE8:				; CODE XREF: RtlRbRemoveNode+CE9j
		mov	ebx, [ebp+var_18]
		mov	[esi+4], ebx

loc_530FEE:				; CODE XREF: RtlRbRemoveNode+8D6j
					; RtlRbRemoveNode+AFAj	...
		test	eax, eax
		jnz	loc_531690

loc_530FF6:				; CODE XREF: RtlRbRemoveNode+CA2j
					; RtlRbRemoveNode+CAAj
		mov	eax, [ecx+8]
		and	eax, 3
		or	eax, esi
		mov	[ecx+8], eax
		mov	eax, [ebp+var_8]
		mov	esi, [ecx+eax*4]
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_53158B

loc_531018:				; CODE XREF: RtlRbRemoveNode+BA5j
		test	esi, esi
		jnz	loc_5310D0

loc_531020:				; CODE XREF: RtlRbRemoveNode+719j
					; RtlRbRemoveNode+B9Dj	...
		test	eax, eax
		jnz	loc_53159A

loc_531028:				; CODE XREF: RtlRbRemoveNode+BACj
					; RtlRbRemoveNode+BB4j
		mov	[edi+edx*4], esi
		mov	esi, edi
		xor	esi, ecx
		test	eax, eax
		jnz	loc_5315CA
		mov	[ebp+var_18], edi

loc_53103A:				; CODE XREF: RtlRbRemoveNode+BDDj
		cmp	[ebp+var_14], 0
		mov	eax, [ebp+var_1C]
		mov	ebx, [ebp+var_18]
		mov	[eax], ebx
		mov	ebx, [ebp+arg_0]
		jnz	short loc_53104D
		mov	esi, ecx

loc_53104D:				; CODE XREF: RtlRbRemoveNode+659j
		mov	eax, [edi+8]
		and	eax, 3
		or	eax, esi
		mov	[edi+8], eax
		test	byte ptr [ebx+4], 1
		mov	eax, [ebp+arg_4]
		jnz	loc_531645

loc_531065:				; CODE XREF: RtlRbRemoveNode+C5Fj
					; RtlRbRemoveNode+BE045j
		mov	[ebx], eax
		and	byte ptr [ecx+8], 0FEh
		or	byte ptr [edi+8], 1
		mov	al, [ebx+4]
		mov	ecx, [edi+edx*4]
		test	al, 1
		jz	loc_530D23
		test	ecx, ecx
		jz	loc_530D23
		xor	ecx, edi
		jmp	loc_530D23
; 

loc_53108C:				; CODE XREF: RtlRbRemoveNode+A6j
		test	dl, dl
		jnz	loc_531820
		mov	[ebx+4], ecx
		jmp	loc_530AB3
; 

loc_53109C:				; CODE XREF: RtlRbRemoveNode+4DDj
		mov	edx, [eax+8]
		mov	[ebp+arg_4], edx
		and	edx, 0FFFFFFFCh
		test	esi, esi
		jnz	loc_53172B

loc_5310AD:				; CODE XREF: RtlRbRemoveNode+D3Dj
					; RtlRbRemoveNode+D45j
		cmp	edx, ecx
		jnz	loc_5EEA17
		test	esi, esi
		jnz	loc_53173A
		mov	edx, [ebp+arg_4]
		and	edx, 3
		mov	[ebp+arg_0], edi
		or	edx, edi
		mov	[eax+8], edx
		jmp	loc_530ED3
; 

loc_5310D0:				; CODE XREF: RtlRbRemoveNode+62Aj
		mov	ebx, [esi+8]
		mov	[ebp+var_20], ebx
		and	ebx, 0FFFFFFFCh
		mov	[ebp+var_10], ebx
		test	eax, eax
		jnz	loc_531752

loc_5310E4:				; CODE XREF: RtlRbRemoveNode+D66j
		mov	ebx, [ebp+var_10]
		mov	[ebp+var_10], ebx

loc_5310EA:				; CODE XREF: RtlRbRemoveNode+D6Fj
		cmp	[ebp+var_10], ecx
		jnz	loc_5EEA17
		test	eax, eax
		jnz	loc_531764
		mov	ebx, [ebp+var_20]
		and	ebx, 3
		mov	[ebp+var_18], edi
		or	ebx, edi
		mov	[esi+8], ebx
		jmp	loc_531020
; 

loc_53110E:				; CODE XREF: RtlRbRemoveNode+3EFj
					; RtlRbRemoveNode+3F9j	...
		mov	edx, [ebp+var_8]
		mov	esi, [ecx+edx*4]
		test	al, al
		jnz	loc_531672

loc_53111C:				; CODE XREF: RtlRbRemoveNode+C84j
					; RtlRbRemoveNode+C8Cj
		and	byte ptr [esi+8], 0FEh
		movzx	eax, byte ptr [ebx+4]
		mov	ebx, edx
		xor	ebx, 1
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], ebx
		and	eax, 1
		mov	ebx, [esi+8]
		and	ebx, 0FFFFFFFCh
		mov	[ebp+var_C], eax
		test	eax, eax
		mov	[ebp+arg_4], ebx
		mov	eax, ebx
		jnz	loc_5316DE

loc_531148:				; CODE XREF: RtlRbRemoveNode+CF0j
					; RtlRbRemoveNode+CF8j
		cmp	eax, ecx
		jnz	loc_5EEA17
		mov	eax, [ebp+var_18]
		xor	eax, 1
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_24], eax
		mov	eax, [eax]
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5316ED

loc_53116C:				; CODE XREF: RtlRbRemoveNode+D01j
		mov	edx, [ebp+arg_4]
		mov	[ebp+arg_4], edx

loc_531172:				; CODE XREF: RtlRbRemoveNode+D0Aj
		cmp	[ebp+arg_4], esi
		jnz	loc_5EEA17
		mov	ebx, [ebp+var_18]
		shl	ebx, 2
		mov	[ebp+var_1C], ebx
		add	ebx, edi
		mov	[ebp+var_14], ebx
		mov	ebx, [ebx]
		mov	[ebp+arg_4], ebx
		test	eax, eax
		jnz	loc_5317C2

loc_531196:				; CODE XREF: RtlRbRemoveNode+DD6j
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_C]

loc_53119F:				; CODE XREF: RtlRbRemoveNode+DDFj
		cmp	[ebp+arg_4], ecx
		jnz	loc_5EEA17
		mov	edx, [ecx+8]
		and	edx, 0FFFFFFFCh
		mov	[ebp+arg_4], edx
		test	eax, eax
		jnz	loc_5317D4

loc_5311B9:				; CODE XREF: RtlRbRemoveNode+DE8j
		mov	ebx, [ebp+arg_4]
		mov	[ebp+arg_4], ebx

loc_5311BF:				; CODE XREF: RtlRbRemoveNode+DF1j
		cmp	[ebp+arg_4], edi
		jnz	loc_5EEA17
		mov	[ebp+arg_4], esi
		xor	[ebp+arg_4], edi
		test	eax, eax
		jnz	loc_5317E6
		mov	[ebp+var_18], esi

loc_5311D9:				; CODE XREF: RtlRbRemoveNode+DFCj
		mov	ebx, [ebp+var_14]
		mov	edx, [ebp+var_18]
		mov	[ebx], edx
		test	eax, eax
		jnz	loc_5317F1

loc_5311E9:				; CODE XREF: RtlRbRemoveNode+E09j
		mov	[ebp+arg_4], edi

loc_5311EC:				; CODE XREF: RtlRbRemoveNode+E03j
		mov	eax, [esi+8]
		and	eax, 3
		or	eax, [ebp+arg_4]
		mov	[esi+8], eax
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+esi]
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5316FF

loc_53120C:				; CODE XREF: RtlRbRemoveNode+D13j
		mov	ebx, [ebp+arg_4]
		mov	[ebp+arg_4], ebx

loc_531212:				; CODE XREF: RtlRbRemoveNode+D1Cj
		cmp	[ebp+arg_4], 0
		jnz	loc_5312FA

loc_53121C:				; CODE XREF: RtlRbRemoveNode+954j
		test	eax, eax
		jnz	loc_531711

loc_531224:				; CODE XREF: RtlRbRemoveNode+D25j
		mov	ebx, [ebp+arg_4]
		mov	[ebp+arg_4], ebx

loc_53122A:				; CODE XREF: RtlRbRemoveNode+D2Ej
		mov	eax, [ebp+var_24]
		mov	edx, [ebp+arg_4]
		mov	[eax], edx
		mov	edx, esi
		xor	edx, ecx
		cmp	[ebp+var_C], 0
		jnz	loc_531723
		mov	[ebp+arg_4], ecx

loc_531243:				; CODE XREF: RtlRbRemoveNode+D36j
		mov	eax, [ebp+var_1C]
		mov	ebx, [ebp+arg_4]
		mov	[eax+esi], ebx
		jnz	short loc_531250
		mov	edx, esi

loc_531250:				; CODE XREF: RtlRbRemoveNode+85Cj
		mov	eax, [ecx+8]
		mov	esi, ecx
		mov	ebx, [ebp+arg_0]
		and	eax, 3
		or	eax, edx
		mov	[ecx+8], eax
		mov	ecx, [ebp+var_20]
		jmp	loc_530DEF
; 

loc_531268:				; CODE XREF: RtlRbRemoveNode+497j
		mov	ebx, [eax]
		mov	[ebp+arg_4], ebx
		test	esi, esi
		jnz	loc_53177C

loc_531275:				; CODE XREF: RtlRbRemoveNode+D90j
		mov	ebx, [ebp+arg_4]
		mov	[ebp+arg_4], ebx

loc_53127B:				; CODE XREF: RtlRbRemoveNode+D9Cj
		cmp	[ebp+arg_4], edi
		jnz	loc_5EEA17
		test	esi, esi
		jnz	loc_531791
		mov	ebx, ecx
		mov	[ebp+arg_4], ecx
		mov	[eax], ebx
		mov	ebx, [ebp+arg_0]
		jmp	loc_530EA4
; 

loc_53129B:				; CODE XREF: RtlRbRemoveNode+5E4j
		mov	ebx, [esi]
		mov	[ebp+var_10], ebx
		test	eax, eax
		jnz	loc_5317A2

loc_5312A8:				; CODE XREF: RtlRbRemoveNode+DB6j
		mov	ebx, [ebp+var_10]
		mov	[ebp+var_10], ebx

loc_5312AE:				; CODE XREF: RtlRbRemoveNode+DBFj
		cmp	[ebp+var_10], edi
		jnz	loc_5EEA17
		test	eax, eax
		jnz	loc_5317B4
		mov	ebx, ecx
		mov	[ebp+var_18], ecx
		mov	[esi], ebx
		jmp	loc_530FEE
; 

loc_5312CB:				; CODE XREF: RtlRbRemoveNode+D0j
		test	eax, eax
		jz	loc_530AC6
		mov	edx, edi
		xor	edx, eax
		jmp	loc_530AC8
; 

loc_5312DC:				; CODE XREF: RtlRbRemoveNode+51j
		test	edi, edi
		jz	loc_530A47
		xor	edi, eax
		jmp	loc_530A47
; 

loc_5312EB:				; CODE XREF: RtlRbRemoveNode+66j
		test	ecx, ecx
		jz	loc_530A5C
		xor	ecx, edi
		jmp	loc_530A5C
; 

loc_5312FA:				; CODE XREF: RtlRbRemoveNode+826j
		mov	ebx, [ebp+arg_4]
		mov	ebx, [ebx+8]
		mov	[ebp+var_14], ebx
		and	ebx, 0FFFFFFFCh
		mov	[ebp+var_10], ebx
		test	eax, eax
		jnz	loc_5317FE

loc_531311:				; CODE XREF: RtlRbRemoveNode+E12j
		mov	eax, [ebp+var_10]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_C]

loc_53131A:				; CODE XREF: RtlRbRemoveNode+E21j
		cmp	[ebp+var_10], esi
		jnz	loc_5EEA17
		test	eax, eax
		jnz	loc_531816
		mov	eax, ecx

loc_53132D:				; CODE XREF: RtlRbRemoveNode+E2Bj
		mov	edx, [ebp+var_14]
		and	edx, 3
		or	edx, eax
		mov	[ebp+var_14], edx
		mov	edx, [ebp+arg_4]
		mov	eax, [ebp+var_14]
		mov	[edx+8], eax
		mov	eax, [ebp+var_C]
		jmp	loc_53121C
; 

loc_531349:				; CODE XREF: RtlRbRemoveNode+183j
		test	edx, edx
		jz	loc_530B79
		mov	eax, ecx
		xor	eax, edx
		jmp	loc_530B7B
; 

loc_53135A:				; CODE XREF: RtlRbRemoveNode+1A7j
		cmp	[ebp+var_C], 0
		jz	loc_530B9D
		xor	[ebp+var_C], edx
		jmp	loc_530BA6
; 

loc_53136C:				; CODE XREF: RtlRbRemoveNode+1C3j
		mov	eax, ecx
		xor	eax, edx
		mov	[ebp+var_10], eax
		jmp	loc_530BBC
; 

loc_531378:				; CODE XREF: RtlRbRemoveNode+1ECj
		test	edx, edx
		jz	loc_530BE2
		xor	edx, esi
		jmp	loc_530BE2
; 

loc_531387:				; CODE XREF: RtlRbRemoveNode+202j
		mov	[ebp+var_10], edx
		jmp	loc_530BFB
; 

loc_53138F:				; CODE XREF: RtlRbRemoveNode+225j
		test	ecx, ecx
		jz	loc_530C1B
		xor	ecx, [ebp+var_14]
		jmp	loc_530C1B
; 

loc_53139F:				; CODE XREF: RtlRbRemoveNode+253j
		cmp	[ebp+var_10], 0
		jz	loc_530C49
		mov	ebx, [ebp+var_10]
		xor	ebx, esi
		jmp	loc_530C4C
; 

loc_5313B3:				; CODE XREF: RtlRbRemoveNode+275j
		test	ecx, ecx
		jz	short loc_5313B9
		xor	ecx, eax

loc_5313B9:				; CODE XREF: RtlRbRemoveNode+9C5j
		cmp	byte ptr [ebp+arg_4+3],	0
		jz	loc_530C6B
		test	ecx, ecx
		jz	loc_530C6B
		xor	ecx, esi
		jmp	loc_530C6B
; 

loc_5313D2:				; CODE XREF: RtlRbRemoveNode+3B4j
		test	eax, eax
		jz	loc_530DAA
		xor	ecx, eax
		jmp	loc_530DAC
; 

loc_5313E1:				; CODE XREF: RtlRbRemoveNode+299j
		mov	ecx, [ebx+4]
		mov	edx, [ebx]
		test	cl, 1
		jnz	loc_5315D2

loc_5313EF:				; CODE XREF: RtlRbRemoveNode+BECj
					; RtlRbRemoveNode+BE030j
		cmp	edx, eax
		jnz	loc_5EEA17
		mov	eax, esi
		test	cl, 1
		jnz	loc_5315E1

loc_531402:				; CODE XREF: RtlRbRemoveNode+BF3j
		mov	ecx, [ebp+var_1C]
		mov	[ebx], eax
		jmp	loc_530AB6
; 

loc_53140C:				; CODE XREF: RtlRbRemoveNode+2ABj
		test	edx, edx
		jz	loc_530CA1
		xor	edx, eax
		jmp	loc_530CA1
; 

loc_53141B:				; CODE XREF: RtlRbRemoveNode+2BBj
		test	ecx, ecx
		jz	loc_530CB1
		xor	ecx, edx
		jmp	loc_530CB1
; 

loc_53142A:				; CODE XREF: RtlRbRemoveNode+2DFj
		cmp	[ebp+var_10], 0
		mov	esi, [ebp+var_14]
		jz	loc_530CD5
		xor	[ebp+var_10], edx
		jmp	loc_530CDB
; 

loc_53143F:				; CODE XREF: RtlRbRemoveNode+2F9j
		mov	eax, [ebp+var_20]
		xor	edx, esi
		mov	ecx, [ebp+var_1C]
		mov	[eax], edx
		jmp	loc_530AB6
; 

loc_53144E:				; CODE XREF: RtlRbRemoveNode+321j
		test	esi, esi
		jz	loc_530D17
		mov	ecx, esi
		xor	ecx, edi
		jmp	loc_530D19
; 

loc_53145F:				; CODE XREF: RtlRbRemoveNode+125j
		mov	dword ptr [ecx+8], 0
		jmp	loc_530B1B
; 

loc_53146B:				; CODE XREF: RtlRbRemoveNode+74j
		test	ecx, ecx
		jz	loc_530A6A
		xor	ecx, edi
		jmp	loc_530A6A
; 

loc_53147A:				; CODE XREF: RtlRbRemoveNode+92j
		cmp	edx, 1
		jz	loc_5EEA2C
		mov	ecx, ebx
		or	ecx, 1
		xor	ecx, edx
		jmp	loc_530A8A
; 

loc_53148F:				; CODE XREF: RtlRbRemoveNode+265j
		test	cl, cl
		mov	ecx, [ebp+var_10]
		jz	loc_5EEA0F
		test	ecx, ecx
		jnz	loc_5EEA0D

loc_5314A2:				; CODE XREF: RtlRbRemoveNode+BE021j
		cmp	esi, edi
		jz	loc_530C5B
		jmp	loc_5EEA17
; 

loc_5314AF:				; CODE XREF: RtlRbRemoveNode+36Fj
		test	ecx, ecx
		jz	loc_530D65
		xor	ecx, eax
		jmp	loc_530D65
; 

loc_5314BE:				; CODE XREF: RtlRbRemoveNode+37Fj
		test	edi, edi
		jz	loc_530D75
		xor	edi, eax
		jmp	loc_530D75
; 

loc_5314CD:				; CODE XREF: RtlRbRemoveNode+474j
					; RtlRbRemoveNode+C66j
		cmp	[ebp+var_10], edi
		jnz	loc_5EEA17
		mov	[ebp+var_10], ecx
		jmp	loc_530EA4
; 

loc_5314DE:				; CODE XREF: RtlRbRemoveNode+5C7j
					; RtlRbRemoveNode+C93j
		cmp	[ebp+arg_4], edi
		jnz	loc_5EEA17
		mov	[ebp+arg_4], ecx
		jmp	loc_530FEE
; 

loc_5314EF:				; CODE XREF: RtlRbRemoveNode+393j
		xor	esi, ecx
		jmp	loc_530D89
; 

loc_5314F6:				; CODE XREF: RtlRbRemoveNode+3E7j
		test	esi, esi
		jz	loc_53110E
		xor	esi, ecx
		jmp	loc_530DDD
; 

loc_531505:				; CODE XREF: RtlRbRemoveNode+422j
		test	eax, eax
		jz	loc_5EEA3A
		xor	eax, ebx
		jmp	loc_530E18
; 

loc_531514:				; CODE XREF: RtlRbRemoveNode+51Aj
		test	eax, eax
		jz	loc_5EEA46
		xor	eax, ebx
		jmp	loc_530F10
; 

loc_531523:				; CODE XREF: RtlRbRemoveNode+3CCj
		xor	esi, ecx
		jmp	loc_530DC2
; 

loc_53152A:				; CODE XREF: RtlRbRemoveNode+53Dj
		test	ecx, ecx
		jz	loc_530F33
		xor	edi, ecx
		jmp	loc_530F35
; 

loc_531539:				; CODE XREF: RtlRbRemoveNode+552j
		test	edx, edx
		jz	loc_530F48
		xor	edx, edi
		jmp	loc_530F48
; 

loc_531548:				; CODE XREF: RtlRbRemoveNode+43Aj
		test	eax, eax
		jz	loc_530E30
		xor	eax, ecx
		jmp	loc_530E30
; 

loc_531557:				; CODE XREF: RtlRbRemoveNode+454j
		test	eax, eax
		jz	loc_530E4A
		xor	eax, edi
		jmp	loc_530E4A
; 

loc_531566:				; CODE XREF: RtlRbRemoveNode+4D5j
		test	eax, eax
		jz	loc_530ED3
		xor	eax, ecx
		jmp	loc_530ECB
; 

loc_531575:				; CODE XREF: RtlRbRemoveNode+4E5j
		test	eax, eax
		jz	loc_530EDB
		xor	eax, edi
		jmp	loc_530EDB
; 

loc_531584:				; CODE XREF: RtlRbRemoveNode+4F6j
		mov	edi, edx
		jmp	loc_530EEC
; 

loc_53158B:				; CODE XREF: RtlRbRemoveNode+622j
		test	esi, esi
		jz	loc_531020
		xor	esi, ecx
		jmp	loc_531018
; 

loc_53159A:				; CODE XREF: RtlRbRemoveNode+632j
		test	esi, esi
		jz	loc_531028
		xor	esi, edi
		jmp	loc_531028
; 

loc_5315A9:				; CODE XREF: RtlRbRemoveNode+592j
		cmp	[ebp+var_10], 0
		jz	loc_530F88
		xor	[ebp+var_10], ecx
		jmp	loc_530F8E
; 

loc_5315BB:				; CODE XREF: RtlRbRemoveNode+5A9j
		test	esi, esi
		jz	loc_530F9F
		xor	esi, edi
		jmp	loc_530F9F
; 

loc_5315CA:				; CODE XREF: RtlRbRemoveNode+641j
		mov	[ebp+var_18], esi
		jmp	loc_53103A
; 

loc_5315D2:				; CODE XREF: RtlRbRemoveNode+9F9j
		test	edx, edx
		jz	loc_5EEA1E
		xor	edx, ebx
		jmp	loc_5313EF
; 

loc_5315E1:				; CODE XREF: RtlRbRemoveNode+A0Cj
		xor	eax, ebx
		jmp	loc_531402
; 

loc_5315E8:				; CODE XREF: RtlRbRemoveNode+575j
		test	eax, eax
		mov	eax, [ebp+var_14]
		jz	loc_531830
		xor	[ebp+arg_4], ebx
		jmp	loc_530F6E
; 

loc_5315FB:				; CODE XREF: RtlRbRemoveNode+136j
		test	esi, esi
		jz	loc_5EEA25
		xor	esi, ebx
		jmp	loc_530B2C
; 

loc_53160A:				; CODE XREF: RtlRbRemoveNode+147j
		mov	eax, ecx
		mov	edx, ecx
		xor	eax, ebx
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	[ebx+4], edx
		or	dl, 1
		mov	[ebx+4], dl
		jmp	loc_530B42
; 

loc_531624:				; CODE XREF: RtlRbRemoveNode+155j
		mov	eax, ecx
		xor	eax, ebx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		jmp	loc_530B4B
; 

loc_531633:				; CODE XREF: RtlRbRemoveNode+AEj
		mov	ecx, edi
		xor	ecx, ebx
		mov	[ebx+4], ecx
		or	cl, 1
		mov	[ebx+4], cl
		jmp	loc_530AB3
; 

loc_531645:				; CODE XREF: RtlRbRemoveNode+66Fj
		test	eax, eax
		jz	loc_5EEA33
		xor	eax, ebx
		jmp	loc_531065
; 

loc_531654:				; CODE XREF: RtlRbRemoveNode+46Cj
		test	eax, eax
		jz	loc_5314CD
		xor	eax, edi
		jmp	loc_530E62
; 

loc_531663:				; CODE XREF: RtlRbRemoveNode+4B6j
		test	eax, eax
		jz	loc_530EAC
		xor	eax, ecx
		jmp	loc_530EAC
; 

loc_531672:				; CODE XREF: RtlRbRemoveNode+726j
		test	esi, esi
		jz	loc_53111C
		xor	esi, ecx
		jmp	loc_53111C
; 

loc_531681:				; CODE XREF: RtlRbRemoveNode+5BFj
		test	esi, esi
		jz	loc_5314DE
		xor	esi, edi
		jmp	loc_530FB5
; 

loc_531690:				; CODE XREF: RtlRbRemoveNode+600j
		test	esi, esi
		jz	loc_530FF6
		xor	esi, ecx
		jmp	loc_530FF6
; 

loc_53169F:				; CODE XREF: RtlRbRemoveNode+485j
		cmp	[ebp+arg_4], 0
		mov	edx, [ebp+var_8]
		jz	loc_530E7B
		xor	[ebp+arg_4], eax
		jmp	loc_530E84
; 

loc_5316B4:				; CODE XREF: RtlRbRemoveNode+5D5j
		cmp	[ebp+var_10], 0
		jz	loc_530FCB
		xor	[ebp+var_10], esi
		jmp	loc_530FD1
; 

loc_5316C6:				; CODE XREF: RtlRbRemoveNode+49Fj
		mov	edx, eax
		xor	edx, ecx
		mov	[ebp+arg_4], edx
		jmp	loc_530E9B
; 

loc_5316D2:				; CODE XREF: RtlRbRemoveNode+5ECj
		mov	ebx, esi
		xor	ebx, ecx
		mov	[ebp+var_18], ebx
		jmp	loc_530FE8
; 

loc_5316DE:				; CODE XREF: RtlRbRemoveNode+752j
		test	eax, eax
		jz	loc_531148
		xor	eax, esi
		jmp	loc_531148
; 

loc_5316ED:				; CODE XREF: RtlRbRemoveNode+776j
		cmp	[ebp+arg_4], 0
		jz	loc_53116C
		xor	[ebp+arg_4], ecx
		jmp	loc_531172
; 

loc_5316FF:				; CODE XREF: RtlRbRemoveNode+816j
		cmp	[ebp+arg_4], 0
		jz	loc_53120C
		xor	[ebp+arg_4], esi
		jmp	loc_531212
; 

loc_531711:				; CODE XREF: RtlRbRemoveNode+82Ej
		cmp	[ebp+arg_4], 0
		jz	loc_531224
		xor	[ebp+arg_4], ecx
		jmp	loc_53122A
; 

loc_531723:				; CODE XREF: RtlRbRemoveNode+84Aj
		mov	[ebp+arg_4], edx
		jmp	loc_531243
; 

loc_53172B:				; CODE XREF: RtlRbRemoveNode+6B7j
		test	edx, edx
		jz	loc_5310AD
		xor	edx, eax
		jmp	loc_5310AD
; 

loc_53173A:				; CODE XREF: RtlRbRemoveNode+6C7j
		mov	edx, eax
		xor	edx, edi
		mov	[ebp+arg_0], edx
		mov	edx, [ebp+arg_4]
		and	edx, 3
		or	edx, [ebp+arg_0]
		mov	[eax+8], edx
		jmp	loc_530ED3
; 

loc_531752:				; CODE XREF: RtlRbRemoveNode+6EEj
		cmp	[ebp+var_10], 0
		jz	loc_5310E4
		xor	[ebp+var_10], esi
		jmp	loc_5310EA
; 

loc_531764:				; CODE XREF: RtlRbRemoveNode+705j
		mov	ebx, esi
		xor	ebx, edi
		mov	[ebp+var_18], ebx
		mov	ebx, [ebp+var_20]
		and	ebx, 3
		or	ebx, [ebp+var_18]
		mov	[esi+8], ebx
		jmp	loc_531020
; 

loc_53177C:				; CODE XREF: RtlRbRemoveNode+87Fj
		cmp	[ebp+arg_4], 0
		jz	loc_531275
		xor	[ebp+arg_4], eax
		mov	edx, [ebp+var_8]
		jmp	loc_53127B
; 

loc_531791:				; CODE XREF: RtlRbRemoveNode+896j
		mov	ebx, eax
		xor	ebx, ecx
		mov	[ebp+arg_4], ebx
		mov	[eax], ebx
		mov	ebx, [ebp+arg_0]
		jmp	loc_530EA4
; 

loc_5317A2:				; CODE XREF: RtlRbRemoveNode+8B2j
		cmp	[ebp+var_10], 0
		jz	loc_5312A8
		xor	[ebp+var_10], esi
		jmp	loc_5312AE
; 

loc_5317B4:				; CODE XREF: RtlRbRemoveNode+8C9j
		mov	ebx, esi
		xor	ebx, ecx
		mov	[ebp+var_18], ebx
		mov	[esi], ebx
		jmp	loc_530FEE
; 

loc_5317C2:				; CODE XREF: RtlRbRemoveNode+7A0j
		cmp	[ebp+arg_4], 0
		jz	loc_531196
		xor	[ebp+arg_4], edi
		jmp	loc_53119F
; 

loc_5317D4:				; CODE XREF: RtlRbRemoveNode+7C3j
		cmp	[ebp+arg_4], 0
		jz	loc_5311B9
		xor	[ebp+arg_4], ecx
		jmp	loc_5311BF
; 

loc_5317E6:				; CODE XREF: RtlRbRemoveNode+7E0j
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_18], edx
		jmp	loc_5311D9
; 

loc_5317F1:				; CODE XREF: RtlRbRemoveNode+7F3j
		test	edi, edi
		jnz	loc_5311EC
		jmp	loc_5311E9
; 

loc_5317FE:				; CODE XREF: RtlRbRemoveNode+91Bj
		cmp	[ebp+var_10], 0
		jz	loc_531311
		mov	edx, [ebp+var_10]
		xor	edx, [ebp+arg_4]
		mov	[ebp+var_10], edx
		jmp	loc_53131A
; 

loc_531816:				; CODE XREF: RtlRbRemoveNode+935j
		mov	eax, [ebp+arg_4]
		xor	eax, ecx
		jmp	loc_53132D
; 

loc_531820:				; CODE XREF: RtlRbRemoveNode+69Ej
		xor	ecx, ebx
		mov	[ebx+4], ecx
		or	cl, 1
		mov	[ebx+4], cl
		jmp	loc_530AB3
; 

loc_531830:				; CODE XREF: RtlRbRemoveNode+BFDj
		mov	[ebp+arg_4], 0
		jmp	loc_530F6E
RtlRbRemoveNode	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVsChunkDecommit(x, x,	x, x, x)
_RtlpHpVsChunkDecommit@20 proc near	; CODE XREF: RtlpHpVsContextFreeList+D8p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		sub	eax, edx
		mov	[ebp+var_10], ecx
		mov	ecx, _RtlpHpHeapGlobals
		mov	[ebp+var_1C], eax
		mov	[ebp+var_8], edx
		lea	ebx, [eax+100Fh]
		mov	[ebp+var_18], ecx
		mov	eax, [edi]
		and	ebx, 0FFFFF000h
		mov	[ebp+var_14], eax
		xor	eax, ecx
		xor	eax, edi
		shr	eax, 1
		and	eax, 7FFFh
		shl	eax, 3
		sub	eax, edx
		add	eax, edi
		and	eax, 0FFFFF000h
		cmp	ebx, eax
		jb	short loc_531899
		xor	eax, eax

loc_531891:				; CODE XREF: RtlpHpVsChunkDecommit(x,x,x,x,x)+15Ej
					; RtlpHpVsChunkDecommit(x,x,x,x,x)+1DEj
		pop	edi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_531899:				; CODE XREF: RtlpHpVsChunkDecommit(x,x,x,x,x)+4Dj
		push	esi
		mov	esi, eax
		mov	ecx, 3Fh
		dec	eax
		or	edx, 0FFFFFFFFh
		shr	eax, 0Ch
		sub	esi, ebx
		sub	ecx, eax
		or	eax, 0FFFFFFFFh
		call	__aullshr
		mov	[ebp+var_4], eax
		or	eax, 0FFFFFFFFh
		mov	[ebp+arg_0], edx
		or	edx, 0FFFFFFFFh
		shr	ebx, 0Ch
		mov	ecx, ebx
		call	__allshl
		mov	ecx, [ebp+var_4]
		mov	ebx, [ebp+arg_0]
		and	ecx, eax
		mov	eax, [ebp+var_8]
		and	ebx, edx
		and	ecx, [eax+8]
		and	ebx, [eax+0Ch]
		mov	[ebp+var_4], ecx
		mov	[ebp+arg_0], ebx
		cmp	esi, 1000h
		jb	loc_53199B
		mov	eax, ecx
		or	eax, ebx
		jz	loc_53199B
		not	ecx
		mov	esi, [ebp+var_8]
		movzx	eax, cl
		not	ebx
		shr	ecx, 8
		mov	dh, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		mov	[ebp+var_C], ecx
		add	dh, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_C]
		add	cl, dl
		movzx	ebx, cl
		mov	ecx, eax
		shr	ecx, 8
		movzx	eax, al
		movzx	ecx, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dh
		movzx	eax, cl
		add	ebx, eax
		cmp	word ptr [esi+16h], 0
		mov	[ebp+var_C], ebx
		jl	short loc_53199B
		mov	ebx, [ebp+var_10]
		test	byte ptr [ebx+98h], 2
		jnz	short loc_5319A3
		mov	eax, [ebx+18h]
		shr	eax, 7
		cmp	eax, 8
		jbe	loc_531A23

loc_531991:				; CODE XREF: RtlpHpVsChunkDecommit(x,x,x,x,x)+1E8j
		mov	ecx, [ebx+1Ch]
		add	ecx, [ebp+var_C]
		cmp	ecx, eax
		ja	short loc_5319A3

loc_53199B:				; CODE XREF: RtlpHpVsChunkDecommit(x,x,x,x,x)+A9j
					; RtlpHpVsChunkDecommit(x,x,x,x,x)+B3j	...
		xor	eax, eax
		pop	esi
		jmp	loc_531891
; 

loc_5319A3:				; CODE XREF: RtlpHpVsChunkDecommit(x,x,x,x,x)+140j
					; RtlpHpVsChunkDecommit(x,x,x,x,x)+159j
		mov	ecx, edi
		mov	eax, edi
		not	ecx
		not	eax
		xor	ecx, [ebp+var_14]
		xor	ecx, [ebp+var_18]
		and	ecx, 7FFFFFFFh
		xor	ecx, eax
		mov	eax, [ebp+var_1C]
		xor	ecx, [ebp+var_18]
		shr	eax, 0Ch
		mov	[edi], ecx
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, edi
		movzx	eax, al
		or	eax, 200h
		and	[ebp+arg_4], 1
		mov	[edi+4], eax
		jnz	short loc_5319E8
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebx+4]
		call	RtlpHpReleaseQueuedLockExclusive

loc_5319E8:				; CODE XREF: RtlpHpVsChunkDecommit(x,x,x,x,x)+19Bj
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		mov	eax, [ebp+var_4]
		push	0
		push	[ebp+var_C]
		push	edx
		push	eax
		mov	edx, esi
		call	RtlpHpVsSubsegmentCommitPages
		cmp	[ebp+arg_4], 0
		jnz	short loc_531A11
		push	[ebp+arg_8]
		mov	edx, [ebx+4]
		mov	ecx, ebx
		call	RtlpHpAcquireQueuedLockExclusive

loc_531A11:				; CODE XREF: RtlpHpVsChunkDecommit(x,x,x,x,x)+1C2j
		and	dword ptr [edi+4], 0FFFFFDFFh
		mov	eax, 1
		pop	esi
		jmp	loc_531891
; 

loc_531A23:				; CODE XREF: RtlpHpVsChunkDecommit(x,x,x,x,x)+14Bj
		mov	eax, 8
		jmp	loc_531991
_RtlpHpVsChunkDecommit@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVsChunkComputeCost(x,	x, x, x)
_RtlpHpVsChunkComputeCost@16 proc near	; CODE XREF: RtlpHpVsFreeChunkRemove(x,x,x)+3Ap
					; RtlpHpVsContextFreeList+12Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		mov	ebx, esi
		and	ebx, 0FFFh
		push	edi
		mov	eax, [esi]
		add	ebx, 0FFFh
		xor	eax, _RtlpHpHeapGlobals
		mov	edi, esi
		xor	eax, esi
		sub	edi, edx
		shr	eax, 1
		add	edi, 100Fh
		and	eax, 7FFFh
		and	edi, 0FFFFF000h
		shl	eax, 3
		add	ebx, eax
		shr	ebx, 0Ch
		lea	ecx, [eax+0FFFh]
		sub	eax, edx
		add	eax, esi
		shr	ecx, 0Ch
		and	eax, 0FFFFF000h
		sub	ebx, ecx
		cmp	edi, eax
		jb	short loc_531AB0
		xor	esi, esi
		xor	edi, edi
		xor	eax, eax

loc_531A95:				; CODE XREF: RtlpHpVsChunkComputeCost(x,x,x,x)+C3j
		mov	ecx, [ebp+arg_0]
		shr	esi, 0Ch
		mov	[ecx], esi
		mov	ecx, [ebp+arg_4]
		mov	[ecx], edi
		pop	edi
		mov	[ecx+4], eax
		mov	eax, ebx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_531AB0:				; CODE XREF: RtlpHpVsChunkComputeCost(x,x,x,x)+5Dj
		mov	esi, eax
		mov	ecx, 3Fh
		dec	eax
		or	edx, 0FFFFFFFFh
		shr	eax, 0Ch
		sub	esi, edi
		sub	ecx, eax
		or	eax, 0FFFFFFFFh
		call	__aullshr
		mov	[ebp+var_4], eax
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_8], edx
		or	edx, 0FFFFFFFFh
		shr	edi, 0Ch
		mov	ecx, edi
		call	__allshl
		mov	edi, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		and	edi, eax
		mov	eax, [ebp+var_8]
		and	eax, edx
		and	edi, [ecx+8]
		and	eax, [ecx+0Ch]
		jmp	short loc_531A95
_RtlpHpVsChunkComputeCost@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVsChunkAlignSplit(x, x, x)
_RtlpHpVsChunkAlignSplit@12 proc near	; CODE XREF: RtlpHpVsContextAddSubsegment(x,x)+4Dp
					; RtlpHpVsContextFreeList+FEp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, _RtlpHpHeapGlobals
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ebp+var_4], edx
		mov	[ebp+arg_0], ecx
		mov	ebx, [esi]
		lea	edi, [esi+1007h]
		mov	eax, ebx
		and	edi, 0FFFFF000h
		xor	eax, ecx
		mov	edx, edi
		xor	eax, esi
		sub	edx, esi
		shr	eax, 1
		and	eax, 7FFFh
		lea	ecx, ds:0[eax*8]
		cmp	edx, ecx
		jnb	loc_531BC6
		add	edi, 0FFFFFFF0h
		mov	edx, edi
		sub	edx, esi
		sar	edx, 3
		sub	eax, edx
		lea	ecx, [edx+edx]
		and	edx, 7FFFh
		xor	ecx, ebx
		shl	edx, 0Fh
		xor	ecx, [ebp+arg_0]
		xor	ecx, esi
		and	ecx, 0FFFEh
		xor	ecx, ebx
		mov	[esi], ecx
		xor	ecx, ecx
		mov	esi, [ebp+var_4]
		mov	[edi+4], ecx
		mov	[edi+8], ecx
		mov	[edi+0Ch], ecx
		mov	ecx, eax
		and	ecx, 7FFFh
		or	edx, ecx
		lea	ecx, [edx+edx]
		mov	[edi], ecx
		lea	edx, [edi+eax*8]
		xor	ecx, _RtlpHpHeapGlobals
		xor	ecx, edi
		mov	[edi], ecx
		movzx	ecx, word ptr [esi+14h]
		add	ecx, 3
		lea	ecx, [esi+ecx*8]
		cmp	edx, ecx
		jnb	short loc_531BBB
		shl	eax, 10h
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, edx
		xor	eax, [edx]
		and	eax, 7FFF0000h
		xor	[edx], eax

loc_531BBB:				; CODE XREF: RtlpHpVsChunkAlignSplit(x,x,x)+A5j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_531BC6:				; CODE XREF: RtlpHpVsChunkAlignSplit(x,x,x)+40j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_RtlpHpVsChunkAlignSplit@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegAlloc	proc near		; CODE XREF: RtlpHpSegSubAllocate+1Ep
					; RtlpHpMetadataAlloc(x,x,x,x,x)+94p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005EEA4D SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_8]
		add	eax, 0FFFh
		push	esi
		push	edi
		mov	edi, ecx
		shr	eax, 0Ch
		mov	ecx, [ebp+arg_0]
		mov	[esp+28h+var_8], eax
		mov	eax, ebx
		mov	[esp+28h+var_18], edx
		lea	ecx, [ecx+0FFFh]
		shr	ecx, 0Ch
		and	eax, 4
		mov	[esp+28h+var_14], ecx
		mov	[esp+28h+var_4], eax
		jnz	loc_531CF3

loc_531C25:				; CODE XREF: RtlpHpSegAlloc+118j
		test	ebx, (offset loc_7FFFFF+1)
		jnz	loc_5EEA4D

loc_531C31:				; CODE XREF: RtlpHpSegAlloc+BCE7Dj
		mov	edx, ecx
		mov	ecx, edi
		push	ebx
		call	RtlpHpSegPageRangeAllocate
		mov	esi, eax
		test	esi, esi
		jz	loc_531D26
		mov	eax, [esi+0Ch]
		movzx	edx, byte ptr [esi+0Fh]
		mov	ecx, [esp+28h+var_8]
		shr	eax, 8
		mov	[esp+28h+var_10], edx
		not	eax
		movzx	eax, ax
		mov	[esp+28h+var_C], eax
		test	ecx, ecx
		jz	short loc_531C8B
		cmp	[esp+28h+var_C], 0
		mov	eax, ebx
		jz	short loc_531C70
		and	eax, 0FFFFFFFDh

loc_531C70:				; CODE XREF: RtlpHpSegAlloc+8Bj
		push	0
		push	eax
		push	ecx
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	RtlpHpSegPageRangeCommit
		test	eax, eax
		js	loc_5EEA62
		mov	edx, [esp+28h+var_10]

loc_531C8B:				; CODE XREF: RtlpHpSegAlloc+82j
		cmp	[esp+28h+var_4], 0
		jnz	short loc_531CFD

loc_531C92:				; CODE XREF: RtlpHpSegAlloc+141j
		movzx	ecx, byte ptr [edi+4]
		shl	edx, cl
		sub	edx, [esp+28h+var_18]
		mov	[esi+4], edx
		mov	eax, [edi]
		movzx	ecx, byte ptr [edi+4]
		and	eax, esi
		sub	esi, eax
		sar	esi, 4
		shl	esi, cl
		add	esi, eax
		test	bl, 2
		jz	short loc_531CCB
		cmp	[esp+28h+var_C], 0
		jz	short loc_531CD6

loc_531CBC:				; CODE XREF: RtlpHpSegAlloc+103j
					; RtlpHpSegAlloc+BCEA7j
		push	[esp+28h+var_18] ; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_531CCB:				; CODE XREF: RtlpHpSegAlloc+D3j
					; RtlpHpSegAlloc+10Cj ...
		mov	eax, esi

loc_531CCD:				; CODE XREF: RtlpHpSegAlloc+148j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_531CD6:				; CODE XREF: RtlpHpSegAlloc+DAj
		mov	ecx, [edi+1Ch]
		mov	eax, [edi+20h]
		shrd	ecx, eax, 8
		cmp	cl, 2
		jnb	short loc_531CBC
		mov	al, [edi+9]
		and	al, 7
		cmp	al, 1
		jb	short loc_531CCB
		jmp	loc_5EEA71
; 

loc_531CF3:				; CODE XREF: RtlpHpSegAlloc+3Fj
		inc	ecx
		mov	[esp+28h+var_14], ecx
		jmp	loc_531C25
; 

loc_531CFD:				; CODE XREF: RtlpHpSegAlloc+B0j
		mov	cl, [edi+5]
		shl	edx, cl
		mov	ecx, [esp+28h+var_14]
		mov	eax, ecx
		push	0
		sub	eax, edx
		mov	edx, esi
		push	0
		dec	eax
		push	eax
		lea	eax, [ecx-1]
		mov	ecx, edi
		push	eax
		call	RtlpHpSegPageRangeCommit
		mov	edx, [esp+28h+var_10]
		jmp	loc_531C92
; 

loc_531D26:				; CODE XREF: RtlpHpSegAlloc+5Fj
					; RtlpHpSegAlloc+BCE77j ...
		xor	eax, eax
		jmp	short loc_531CCD
RtlpHpSegAlloc	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegPageRangeAllocate proc	near	; CODE XREF: RtlpHpSegAlloc+56p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005EEA8C SIZE 00000126 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, 1
		dec	edx
		mov	[ebp+var_10], edi
		or	bl, 0FFh
		mov	[ebp+var_1], bl
		movzx	ecx, byte ptr [edi+5]
		shl	eax, cl
		add	eax, edx
		shr	eax, cl
		mov	esi, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_0]
		shl	esi, 18h
		and	eax, 1
		mov	[ebp+var_18], eax
		jnz	short loc_531DBC
		mov	eax, [ebp+var_10]
		add	edi, 40h
		test	byte ptr [eax+1Ch], 1
		jz	loc_531F00
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		mov	[ebp+var_1], bl
		jnz	loc_5EEA8C
		mov	[ebp+var_1C], 0
		lock bts dword ptr [edi], 1Fh
		jb	loc_532178

loc_531DA5:				; CODE XREF: RtlpHpSegPageRangeAllocate+454j
		mov	edx, [edi]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5EEA9A

loc_531DB9:				; CODE XREF: RtlpHpSegPageRangeAllocate+1EBj
					; RtlpHpSegPageRangeAllocate+BCD65j ...
		mov	edi, [ebp+var_10]

loc_531DBC:				; CODE XREF: RtlpHpSegPageRangeAllocate+37j
		mov	eax, [edi+54h]
		lea	ecx, [edi+50h]
		mov	ebx, [ecx]
		test	al, 1
		jz	short loc_531DCE
		test	ebx, ebx
		jz	short loc_531DCE
		xor	ebx, ecx

loc_531DCE:				; CODE XREF: RtlpHpSegPageRangeAllocate+96j
					; RtlpHpSegPageRangeAllocate+9Aj
		movzx	ecx, al
		xor	edx, edx
		and	ecx, 1
		test	ebx, ebx
		jz	short loc_531DFC
		lea	ebx, [ebx+0]

loc_531DE0:				; CODE XREF: RtlpHpSegPageRangeAllocate+CAj
		cmp	esi, [ebx+0Ch]
		jb	loc_531EDB
		jbe	short loc_531DFE
		mov	eax, [ebx+4]
		test	ecx, ecx
		jnz	loc_531EF1

loc_531DF6:				; CODE XREF: RtlpHpSegPageRangeAllocate+1B1j
					; RtlpHpSegPageRangeAllocate+1B9j ...
		mov	ebx, eax

loc_531DF8:				; CODE XREF: RtlpHpSegPageRangeAllocate+1CBj
		test	ebx, ebx
		jnz	short loc_531DE0

loc_531DFC:				; CODE XREF: RtlpHpSegPageRangeAllocate+A8j
		mov	ebx, edx

loc_531DFE:				; CODE XREF: RtlpHpSegPageRangeAllocate+B9j
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[ebp+var_24], esi
		test	ebx, ebx
		jz	loc_5321B6
		test	[ebp+arg_0], (offset loc_7FFFFF+1)
		jnz	loc_5EEAD1
		push	ebx
		lea	eax, [edi+50h]
		push	eax
		call	RtlRbRemoveNode
		mov	dword ptr [ebx+4], 0
		mov	dword ptr [ebx+8], 0
		mov	eax, [ebx+0Ch]
		shr	eax, 8
		not	eax
		mov	dword ptr [ebx], 0CCDDCCDDh
		movzx	ecx, ax
		movsx	eax, word ptr [edi+12h]
		neg	ecx
		add	eax, 8
		add	eax, edi
		lock xadd [eax], ecx

loc_531E54:				; CODE XREF: RtlpHpSegPageRangeAllocate+BCDB1j
		test	ebx, ebx
		jz	loc_5321B6

loc_531E5C:				; CODE XREF: RtlpHpSegPageRangeAllocate+636j
					; RtlpHpSegPageRangeAllocate+BCE1Ej
		movzx	ecx, byte ptr [ebx+0Fh]
		mov	eax, [ebp+var_C]
		cmp	ecx, eax
		jnz	loc_532058

loc_531E6B:				; CODE XREF: RtlpHpSegPageRangeAllocate+40Dj
		mov	eax, [ebp+arg_0]
		shr	eax, 1Ah
		and	eax, 3
		lea	ecx, ds:0[eax*4]
		mov	al, [ebx+0Ch]
		or	ecx, 1
		or	al, cl
		mov	ecx, [ebp+var_C]
		add	ecx, ecx
		mov	[ebx+0Ch], al
		mov	al, [ebx+ecx*8-4]
		or	al, 1
		cmp	[ebp+var_18], 0
		mov	[ebx+ecx*8-4], al
		jnz	short loc_531EBF
		test	byte ptr [edi+1Ch], 1
		lea	ecx, [edi+40h]
		mov	[ebp+var_14], ecx
		jz	short loc_531F20
		test	ds:byte_70EFC6,	1
		jnz	loc_5EEBA5
		mov	dword ptr [ecx], 0

loc_531EBA:				; CODE XREF: RtlpHpSegPageRangeAllocate+BCE7Dj
		mov	cl, [ebp+var_1]
		call	esi

loc_531EBF:				; CODE XREF: RtlpHpSegPageRangeAllocate+169j
					; RtlpHpSegPageRangeAllocate+323j
		mov	esi, [ebp+var_C]
		mov	edx, 1
		dec	esi
		cmp	esi, edx
		ja	loc_532142

loc_531ED0:				; CODE XREF: RtlpHpSegPageRangeAllocate+428j
					; RtlpHpSegPageRangeAllocate+BCE09j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_531EDB:				; CODE XREF: RtlpHpSegPageRangeAllocate+B3j
		mov	eax, [ebx]
		mov	edx, ebx
		test	ecx, ecx
		jz	loc_531DF6
		test	eax, eax
		jz	loc_531DF6
		jmp	short loc_531EF9
; 

loc_531EF1:				; CODE XREF: RtlpHpSegPageRangeAllocate+C0j
		test	eax, eax
		jz	loc_531DF6

loc_531EF9:				; CODE XREF: RtlpHpSegPageRangeAllocate+1BFj
		xor	ebx, eax
		jmp	loc_531DF8
; 

loc_531F00:				; CODE XREF: RtlpHpSegPageRangeAllocate+43j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	[ebp+var_1], 0FFh
		jmp	loc_531DB9
; 

loc_531F20:				; CODE XREF: RtlpHpSegPageRangeAllocate+175j
		mov	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_53219C

loc_531F33:				; CODE XREF: RtlpHpSegPageRangeAllocate+474j
		xor	edi, edi
		mov	[ebp+var_20], edi
		test	ecx, 7FFFFFFCh
		jz	loc_532047
		mov	esi, large fs:124h
		mov	[ebp+var_18], esi
		cmp	ecx, dword_6D07D0
		jb	short loc_531F71
		mov	eax, ecx
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	loc_532165
		cmp	al, 0Bh
		jz	loc_532165

loc_531F71:				; CODE XREF: RtlpHpSegPageRangeAllocate+224j
		or	eax, 0FFFFFFFFh

loc_531F74:				; CODE XREF: RtlpHpSegPageRangeAllocate+443j
		dec	word ptr [esi+13Eh]
		mov	[ebp+var_24], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	byte ptr [ebp+arg_0+3],	dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	loc_532189
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_5321A9

loc_531FB8:				; CODE XREF: RtlpHpSegPageRangeAllocate+481j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_20], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp+arg_0+3],	1
		jnz	loc_5EEB6D
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_53200B:				; CODE XREF: RtlpHpSegPageRangeAllocate+461j
					; RtlpHpSegPageRangeAllocate+BCE4Dj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+arg_0], eax
		jnz	loc_53239E

loc_532022:				; CODE XREF: RtlpHpSegPageRangeAllocate+6A5j
					; RtlpHpSegPageRangeAllocate+BCE70j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_532047
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_532394

loc_532047:				; CODE XREF: RtlpHpSegPageRangeAllocate+20Ej
					; RtlpHpSegPageRangeAllocate+309j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_531EBF
; 

loc_532058:				; CODE XREF: RtlpHpSegPageRangeAllocate+135j
		sub	ecx, eax
		xor	edx, edx
		shl	eax, 4
		xor	esi, esi
		add	eax, ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_14], eax
		dec	cl
		mov	edi, [ebp+var_14]
		mov	al, [eax+0Ch]
		or	al, 2
		mov	[edi+0Ch], al
		mov	eax, [ebp+var_20]
		add	eax, eax
		mov	[edi+eax*8-1], cl
		mov	ecx, edi
		mov	eax, [ebp+var_20]
		mov	[ebp+var_20], edx
		mov	[ecx+0Fh], al
		movzx	eax, al
		mov	[ebp+var_8], eax
		shl	[ebp+var_8], 4
		add	[ebp+var_8], edi
		cmp	edi, [ebp+var_8]
		mov	edi, [ebp+var_10]
		jnb	loc_5EEB53
		cmp	eax, 2
		jb	short loc_5320CC
		mov	edi, [ebp+var_8]
		add	edi, 0FFFFFFF0h
		mov	edi, edi

loc_5320B0:				; CODE XREF: RtlpHpSegPageRangeAllocate+397j
		movzx	eax, byte ptr [ecx+0Ch]
		shr	eax, 5
		add	edx, eax
		movzx	eax, byte ptr [ecx+1Ch]
		shr	eax, 5
		add	ecx, 20h
		add	esi, eax
		cmp	ecx, edi
		jb	short loc_5320B0
		mov	edi, [ebp+var_10]

loc_5320CC:				; CODE XREF: RtlpHpSegPageRangeAllocate+376j
		cmp	ecx, [ebp+var_8]
		jnb	loc_53215D
		movzx	ecx, byte ptr [ecx+0Ch]
		shr	ecx, 5

loc_5320DC:				; CODE XREF: RtlpHpSegPageRangeAllocate+430j
		lea	eax, [edx+esi]
		add	ecx, eax

loc_5320E1:				; CODE XREF: RtlpHpSegPageRangeAllocate+BCE25j
		mov	edx, [ebp+var_14]
		not	ecx
		shl	ecx, 8
		xor	ecx, [edx+0Ch]
		and	ecx, 0FFFF00h
		mov	dword ptr [edx], 0CCDDCCDDh
		xor	[edx+0Ch], ecx
		mov	ecx, [ebp+var_C]
		mov	al, cl
		dec	al
		mov	[edx-1], al
		mov	[ebx+0Fh], cl
		mov	ecx, [ebx+0Ch]
		mov	esi, ecx
		mov	eax, [edx+0Ch]
		shr	esi, 8
		shr	eax, 8
		not	esi
		not	eax
		movzx	eax, ax
		sub	esi, eax
		not	esi
		shl	esi, 8
		xor	esi, ecx
		and	esi, 0FFFF00h
		xor	esi, ecx
		mov	[ebx+0Ch], esi
		push	0
		mov	ecx, edi
		call	RtlpHpSegFreeRangeInsert
		mov	esi, [ebp+var_24]
		jmp	loc_531E6B
; 

loc_532142:				; CODE XREF: RtlpHpSegPageRangeAllocate+19Aj
		lea	ecx, [ebx+1Ch]

loc_532145:				; CODE XREF: RtlpHpSegPageRangeAllocate+426j
		mov	[ecx+3], dl
		lea	ecx, [ecx+10h]
		mov	al, [ecx-10h]
		inc	edx
		or	al, 1
		mov	[ecx-10h], al
		cmp	edx, esi
		jb	short loc_532145
		jmp	loc_531ED0
; 

loc_53215D:				; CODE XREF: RtlpHpSegPageRangeAllocate+39Fj
		mov	ecx, [ebp+var_20]
		jmp	loc_5320DC
; 

loc_532165:				; CODE XREF: RtlpHpSegPageRangeAllocate+233j
					; RtlpHpSegPageRangeAllocate+23Bj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_14]
		jmp	loc_531F74
; 

loc_532178:				; CODE XREF: RtlpHpSegPageRangeAllocate+6Fj
		mov	dl, bl
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+var_1C], eax
		jmp	loc_531DA5
; 

loc_532189:				; CODE XREF: RtlpHpSegPageRangeAllocate+270j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_53200B
		jmp	loc_5EEB5A
; 

loc_53219C:				; CODE XREF: RtlpHpSegPageRangeAllocate+1FDj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_14]
		jmp	loc_531F33
; 

loc_5321A9:				; CODE XREF: RtlpHpSegPageRangeAllocate+282j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_28]
		jmp	loc_531FB8
; 

loc_5321B6:				; CODE XREF: RtlpHpSegPageRangeAllocate+D9j
					; RtlpHpSegPageRangeAllocate+126j
		cmp	[ebp+var_18], 0
		jnz	loc_5322FB
		test	byte ptr [edi+1Ch], 1
		lea	ecx, [edi+40h]
		mov	[ebp+var_8], ecx
		jnz	loc_532371
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_5323E0

loc_5321E1:				; CODE XREF: RtlpHpSegPageRangeAllocate+6B8j
		xor	edi, edi
		mov	[ebp+var_20], edi
		test	ecx, 7FFFFFFCh
		jz	loc_5322EC
		mov	ebx, large fs:124h
		cmp	ecx, dword_6D07D0
		jb	short loc_53221C
		mov	eax, ecx
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	loc_532381
		cmp	al, 0Bh
		jz	loc_532381

loc_53221C:				; CODE XREF: RtlpHpSegPageRangeAllocate+4CFj
		or	eax, 0FFFFFFFFh

loc_53221F:				; CODE XREF: RtlpHpSegPageRangeAllocate+65Fj
		dec	word ptr [ebx+13Eh]
		mov	[ebp+var_14], eax
		nop
		inc	byte ptr [ebx+1E6h]
		nop
		mov	dl, [ebx+1E6h]
		mov	[ebp+var_1], dl
		mov	edx, ecx
		push	eax
		mov	ecx, ebx
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	loc_5323ED
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_532447

loc_532263:				; CODE XREF: RtlpHpSegPageRangeAllocate+71Fj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_20], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [ebx+1E8h]
		imul	ecx
		mov	al, 1
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		shl	al, cl
		cmp	[ebp+var_1], 1
		jnz	loc_5EEAF9
		or	[ebx+1E4h], al

loc_5322B0:				; CODE XREF: RtlpHpSegPageRangeAllocate+6C5j
					; RtlpHpSegPageRangeAllocate+BCDD5j
		nop
		dec	byte ptr [ebx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_28], eax
		jnz	loc_532400

loc_5322C7:				; CODE XREF: RtlpHpSegPageRangeAllocate+70Cj
					; RtlpHpSegPageRangeAllocate+BCDF8j
		nop
		mov	ax, [ebx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ebx+13Eh], ax
		test	ax, ax
		jnz	short loc_5322EC
		nop
		lea	eax, [ebx+70h]
		cmp	[eax], eax
		jnz	loc_532454

loc_5322EC:				; CODE XREF: RtlpHpSegPageRangeAllocate+4BCj
					; RtlpHpSegPageRangeAllocate+5AEj ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp+var_10]

loc_5322FB:				; CODE XREF: RtlpHpSegPageRangeAllocate+48Aj
					; RtlpHpSegPageRangeAllocate+64Cj
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		and	eax, (offset loc_7FFFFF+1)
		mov	[ebp+var_28], eax
		jnz	loc_5EEB2D

loc_53230E:				; CODE XREF: RtlpHpSegPageRangeAllocate+BCE02j
		push	ecx
		xor	edx, edx
		mov	ecx, edi
		call	RtlpHpSegSegmentAllocate
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	loc_5EEB37
		push	0
		mov	edx, eax
		mov	ecx, edi
		call	RtlpHpSegSegmentInitialize
		movzx	ebx, byte ptr [edi+6]
		mov	eax, [ebp+var_20]
		shl	ebx, 4
		add	ebx, eax
		mov	[ebp+var_1], 0FFh
		cmp	[ebp+var_18], 0
		jnz	short loc_532359
		movzx	edx, byte ptr [edi+1Ch]
		lea	ecx, [edi+40h]
		and	edx, 1
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	[ebp+var_1], al
		mov	eax, [ebp+var_20]

loc_532359:				; CODE XREF: RtlpHpSegPageRangeAllocate+612j
		mov	edx, eax
		mov	ecx, edi
		call	_RtlpHpSegHeapAddSegment@8 ; RtlpHpSegHeapAddSegment(x,x)
		cmp	[ebp+var_28], 0
		jz	loc_531E5C
		jmp	loc_5EEB3E
; 

loc_532371:				; CODE XREF: RtlpHpSegPageRangeAllocate+49Aj
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	esi
		jmp	loc_5322FB
; 

loc_532381:				; CODE XREF: RtlpHpSegPageRangeAllocate+4DEj
					; RtlpHpSegPageRangeAllocate+4E6j
		mov	ecx, [ebx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_53221F
; 

loc_532394:				; CODE XREF: RtlpHpSegPageRangeAllocate+311j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_532047
; 

loc_53239E:				; CODE XREF: RtlpHpSegPageRangeAllocate+2ECj
		test	edi, 8000h
		jnz	loc_53245E

loc_5323AA:				; CODE XREF: RtlpHpSegPageRangeAllocate+737j
		test	byte ptr [ebp+var_20+2], 1
		jnz	loc_5EEB82

loc_5323B4:				; CODE XREF: RtlpHpSegPageRangeAllocate+BCE5Ej
		test	edi, 7FFFh
		jz	short loc_5323CB
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5323CB:				; CODE XREF: RtlpHpSegPageRangeAllocate+68Aj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_532022
		jmp	loc_5EEB93
; 

loc_5323E0:				; CODE XREF: RtlpHpSegPageRangeAllocate+4ABj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_5321E1
; 

loc_5323ED:				; CODE XREF: RtlpHpSegPageRangeAllocate+51Bj
		mov	eax, [ebx+5Ch]
		test	eax, 10000h
		jnz	loc_5322B0
		jmp	loc_5EEAE6
; 

loc_532400:				; CODE XREF: RtlpHpSegPageRangeAllocate+591j
		test	edi, 8000h
		jz	short loc_532411
		xor	edx, edx
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_532411:				; CODE XREF: RtlpHpSegPageRangeAllocate+6D6j
		test	byte ptr [ebp+var_20+2], 1
		jnz	loc_5EEB0A

loc_53241B:				; CODE XREF: RtlpHpSegPageRangeAllocate+BCDE6j
		test	edi, 7FFFh
		jz	short loc_532432
		and	edi, 7FFFh
		mov	ecx, ebx
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_532432:				; CODE XREF: RtlpHpSegPageRangeAllocate+6F1j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_5322C7
		jmp	loc_5EEB1B
; 

loc_532447:				; CODE XREF: RtlpHpSegPageRangeAllocate+52Dj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_28]
		jmp	loc_532263
; 

loc_532454:				; CODE XREF: RtlpHpSegPageRangeAllocate+5B6j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_5322EC
; 

loc_53245E:				; CODE XREF: RtlpHpSegPageRangeAllocate+674j
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_5323AA
RtlpHpSegPageRangeAllocate endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegPageRangeShrink proc near	; CODE XREF: RtlpHpSegFree+78p
					; ExFreeHeapPool+6E2p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005EEBB2 SIZE 0000010D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edi
		mov	bh, [esi+0Fh]
		movzx	ecx, bh
		mov	[ebp+var_10], ecx
		lea	edx, [ecx-1]
		cmp	edx, 1
		ja	loc_532772

loc_532497:				; CODE XREF: RtlpHpSegPageRangeShrink+318j
		mov	eax, [ebp+arg_4]
		or	bl, 0FFh
		and	eax, 1
		mov	[ebp+var_14], eax
		jnz	short loc_5324F8
		mov	eax, [ebp+var_8]
		add	edi, 40h
		test	byte ptr [eax+1Ch], 1
		jz	loc_53261B
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		jnz	loc_5EEBB2
		mov	[ebp+var_C], 0
		lock bts dword ptr [edi], 1Fh
		jb	loc_53279D

loc_5324DE:				; CODE XREF: RtlpHpSegPageRangeShrink+339j
		mov	edx, [edi]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5EEBC0

loc_5324F2:				; CODE XREF: RtlpHpSegPageRangeShrink+1C5j
					; RtlpHpSegPageRangeShrink+BC74Bj ...
		mov	ecx, [ebp+var_10]
		mov	edi, [ebp+var_8]

loc_5324F8:				; CODE XREF: RtlpHpSegPageRangeShrink+33j
		mov	edx, [esi+0Ch]
		mov	eax, edx
		shr	eax, 18h
		mov	byte ptr [ebp+var_1], bl
		cmp	eax, ecx
		jnz	loc_5EEBF7

loc_53250B:				; CODE XREF: RtlpHpSegPageRangeShrink+BC792j
		mov	al, [esi+0Ch]
		add	ecx, ecx
		or	al, 2
		mov	[esi+0Ch], al
		mov	al, bh
		dec	al
		mov	[esi+ecx*8-1], al
		mov	ecx, edi
		mov	[esi+0Fh], bh
		mov	eax, [esi+0Ch]
		xor	eax, edx
		mov	dword ptr [esi], 0CCDDCCDDh
		and	eax, 0FFFF00h
		mov	edx, esi
		xor	[esi+0Ch], eax
		mov	al, [esi+0Ch]
		and	al, 0F3h
		mov	[esi+0Ch], al
		lea	eax, [ebp+var_1]
		push	eax
		push	0
		push	[ebp+arg_4]
		call	RtlpHpSegPageRangeCoalesce
		test	byte ptr [edi+9], 10h
		mov	[ebp+var_18], eax
		jnz	loc_5EEC07

loc_53255A:				; CODE XREF: RtlpHpSegPageRangeShrink+BC7A8j
		mov	edx, [eax+0Ch]
		lea	ebx, [edi+50h]
		mov	eax, [ebx+4]
		mov	ecx, [ebx]
		test	al, 1
		jz	short loc_53256F
		test	ecx, ecx
		jz	short loc_53256F
		xor	ecx, ebx

loc_53256F:				; CODE XREF: RtlpHpSegPageRangeShrink+F7j
					; RtlpHpSegPageRangeShrink+FBj
		movzx	esi, al
		and	esi, 1
		mov	byte ptr [ebp+arg_4], 0
		test	ecx, ecx
		jz	short loc_5325B4
		lea	ecx, [ecx+0]

loc_532580:				; CODE XREF: RtlpHpSegPageRangeShrink+128j
		cmp	edx, [ecx+0Ch]
		jb	short loc_53259A
		mov	eax, [ecx+4]
		test	esi, esi
		jz	short loc_532592
		test	eax, eax
		jz	short loc_5325B0
		xor	eax, ecx

loc_532592:				; CODE XREF: RtlpHpSegPageRangeShrink+11Aj
		test	eax, eax
		jz	short loc_5325B0

loc_532596:				; CODE XREF: RtlpHpSegPageRangeShrink+138j
		mov	ecx, eax
		jmp	short loc_532580
; 

loc_53259A:				; CODE XREF: RtlpHpSegPageRangeShrink+113j
		mov	eax, [ecx]
		test	esi, esi
		jz	short loc_5325A6
		test	eax, eax
		jz	short loc_5325AA
		xor	eax, ecx

loc_5325A6:				; CODE XREF: RtlpHpSegPageRangeShrink+12Ej
		test	eax, eax
		jnz	short loc_532596

loc_5325AA:				; CODE XREF: RtlpHpSegPageRangeShrink+132j
		mov	byte ptr [ebp+arg_4], 0
		jmp	short loc_5325B4
; 

loc_5325B0:				; CODE XREF: RtlpHpSegPageRangeShrink+11Ej
					; RtlpHpSegPageRangeShrink+124j
		mov	byte ptr [ebp+arg_4], 1

loc_5325B4:				; CODE XREF: RtlpHpSegPageRangeShrink+10Bj
					; RtlpHpSegPageRangeShrink+13Ej
		mov	esi, [ebp+var_18]
		push	esi
		push	[ebp+arg_4]
		push	ecx
		push	ebx
		call	RtlRbInsertNodeEx
		mov	eax, [esi+0Ch]
		shr	eax, 8
		not	eax
		movzx	ecx, ax
		movsx	eax, word ptr [edi+12h]
		add	eax, 8
		add	eax, edi
		lock xadd [eax], ecx
		xor	esi, esi
		mov	[ebp+var_18], esi

loc_5325DF:				; CODE XREF: RtlpHpSegPageRangeShrink+BC7BBj
					; RtlpHpSegPageRangeShrink+BC7D7j
		cmp	[ebp+var_14], 0
		jnz	short loc_53260A
		test	byte ptr [edi+1Ch], 1
		lea	ebx, [edi+40h]
		jz	short loc_53263A
		test	ds:byte_70EFC6,	1
		jnz	loc_5EEC9B
		mov	dword ptr [ebx], 0

loc_532601:				; CODE XREF: RtlpHpSegPageRangeShrink+BC835j
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_53260A:				; CODE XREF: RtlpHpSegPageRangeShrink+173j
					; RtlpHpSegPageRangeShrink+2FDj
		test	esi, esi
		jnz	loc_5EECAA

loc_532612:				; CODE XREF: RtlpHpSegPageRangeShrink+BC84Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_53261B:				; CODE XREF: RtlpHpSegPageRangeShrink+3Fj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		or	bl, 0FFh
		jmp	loc_5324F2
; 

loc_53263A:				; CODE XREF: RtlpHpSegPageRangeShrink+17Cj
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_5327C1

loc_53264B:				; CODE XREF: RtlpHpSegPageRangeShrink+358j
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	ebx, 7FFFFFFCh
		jz	loc_53275B
		mov	esi, large fs:124h
		mov	[ebp+var_20], esi
		cmp	ebx, dword_6D07D0
		jb	short loc_532689
		mov	eax, ebx
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	loc_53278D
		cmp	al, 0Bh
		jz	loc_53278D

loc_532689:				; CODE XREF: RtlpHpSegPageRangeShrink+1FCj
		or	eax, 0FFFFFFFFh

loc_53268C:				; CODE XREF: RtlpHpSegPageRangeShrink+328j
		dec	word ptr [esi+13Eh]
		mov	[ebp+var_10], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	edx, ebx
		mov	byte ptr [ebp+arg_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jz	loc_5327AE
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_5327CD

loc_5326D0:				; CODE XREF: RtlpHpSegPageRangeShrink+365j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp+arg_4+3],	1
		jnz	loc_5EEC64
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_532723:				; CODE XREF: RtlpHpSegPageRangeShrink+346j
					; RtlpHpSegPageRangeShrink+BC804j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+arg_4], eax
		jnz	loc_5327E4

loc_53273A:				; CODE XREF: RtlpHpSegPageRangeShrink+3A7j
					; RtlpHpSegPageRangeShrink+BC826j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_53275B
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	short loc_5327DA

loc_53275B:				; CODE XREF: RtlpHpSegPageRangeShrink+1E6j
					; RtlpHpSegPageRangeShrink+2E1j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp+var_8]
		mov	esi, [ebp+var_18]
		jmp	loc_53260A
; 

loc_532772:				; CODE XREF: RtlpHpSegPageRangeShrink+21j
		lea	ecx, [esi+1Ch]
		dec	edx

loc_532776:				; CODE XREF: RtlpHpSegPageRangeShrink+313j
		mov	al, [ecx]
		lea	ecx, [ecx+10h]
		and	al, 0FEh
		mov	[ecx-10h], al
		sub	edx, 1
		jnz	short loc_532776
		mov	ecx, [ebp+var_10]
		jmp	loc_532497
; 

loc_53278D:				; CODE XREF: RtlpHpSegPageRangeShrink+20Bj
					; RtlpHpSegPageRangeShrink+213j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_53268C
; 

loc_53279D:				; CODE XREF: RtlpHpSegPageRangeShrink+68j
		mov	dl, bl
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+var_C], eax
		jmp	loc_5324DE
; 

loc_5327AE:				; CODE XREF: RtlpHpSegPageRangeShrink+248j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_532723
		jmp	loc_5EEC53
; 

loc_5327C1:				; CODE XREF: RtlpHpSegPageRangeShrink+1D5j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_53264B
; 

loc_5327CD:				; CODE XREF: RtlpHpSegPageRangeShrink+25Aj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_1C]
		jmp	loc_5326D0
; 

loc_5327DA:				; CODE XREF: RtlpHpSegPageRangeShrink+2E9j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_53275B
; 

loc_5327E4:				; CODE XREF: RtlpHpSegPageRangeShrink+2C4j
		test	edi, 8000h
		jnz	short loc_532822

loc_5327EC:				; CODE XREF: RtlpHpSegPageRangeShrink+3BBj
		test	byte ptr [ebp+var_14+2], 1
		jnz	loc_5EEC79

loc_5327F6:				; CODE XREF: RtlpHpSegPageRangeShrink+BC815j
		test	edi, 7FFFh
		jz	short loc_53280D
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_53280D:				; CODE XREF: RtlpHpSegPageRangeShrink+38Cj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_53273A
		jmp	loc_5EEC8A
; 

loc_532822:				; CODE XREF: RtlpHpSegPageRangeShrink+37Aj
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_5327EC
RtlpHpSegPageRangeShrink endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegPageRangeCommit proc near	; CODE XREF: RtlpHpSegLfhVsDecommit(x,x,x)+A8p
					; RtlpHpSegLfhVsCommit(x,x,x)+42p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005EECBF SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		test	[ebp+arg_8], (offset loc_7FFFFF+1)
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_14], 0
		push	esi
		mov	edx, ecx
		mov	[ebp+var_8], ebx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_4], edx
		jnz	loc_5EECBF

loc_53285C:				; CODE XREF: RtlpHpSegPageRangeCommit+BC496j
		mov	al, [edx+9]
		and	al, 7
		cmp	al, 1
		jnb	loc_5EECCB
		mov	[ebp+var_10], 3FFh

loc_532870:				; CODE XREF: RtlpHpSegPageRangeCommit+BC4A2j
		mov	eax, [edx]
		mov	cl, [edx+5]
		and	eax, ebx
		mov	esi, [ebp+arg_0]
		sub	ebx, eax
		sar	ebx, 4
		shl	ebx, cl
		test	edi, edi
		jle	loc_5329A7
		lea	edx, [esi+edi]

loc_53288C:				; CODE XREF: RtlpHpSegPageRangeCommit+17Bj
		xor	ecx, ecx
		mov	[ebp+var_1C], edx
		test	edi, edi
		setnle	cl
		xor	edi, edi
		dec	ecx
		mov	[ebp+var_18], edi
		and	ecx, 2
		mov	[ebp+var_28], ecx
		cmp	esi, edx
		jnb	short loc_5328F3

loc_5328A6:				; CODE XREF: RtlpHpSegPageRangeCommit+BC4AAj
		mov	edi, [ebp+var_10]
		lea	eax, [esi+ebx]
		and	eax, edi
		sub	edi, eax
		mov	eax, edx
		inc	edi
		sub	eax, esi
		cmp	edi, eax
		jb	short loc_5328BB
		mov	edi, eax

loc_5328BB:				; CODE XREF: RtlpHpSegPageRangeCommit+87j
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		push	ecx
		mov	ecx, [ebp+var_4]
		push	eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+arg_0], esi
		push	eax
		mov	[ebp+var_C], edi
		call	RtlpHpSegPageRangeHandleCommit
		mov	edx, eax
		mov	[ebp+arg_4], edx
		test	edx, edx
		jnz	short loc_532909

loc_5328DE:				; CODE XREF: RtlpHpSegPageRangeCommit+172j
		add	esi, edi
		mov	edi, [ebp+var_18]
		add	edi, edx
		mov	edx, [ebp+var_1C]
		mov	[ebp+var_18], edi
		cmp	esi, edx
		jb	loc_5EECD7

loc_5328F3:				; CODE XREF: RtlpHpSegPageRangeCommit+74j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	loc_5329BA

loc_5328FE:				; CODE XREF: RtlpHpSegPageRangeCommit+18Cj
		xor	eax, eax

loc_532900:				; CODE XREF: RtlpHpSegPageRangeCommit+11Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_532909:				; CODE XREF: RtlpHpSegPageRangeCommit+ACj
		mov	eax, [ebp+var_4]
		mov	ecx, [eax]
		and	ecx, [ebp+var_8]
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+arg_0]
		add	ecx, ebx
		mov	[ebp+var_20], ecx
		test	edx, edx
		jle	loc_5329B0
		test	byte ptr [ebp+arg_8], 2
		mov	ecx, 1000h
		jnz	loc_5329C1

loc_532933:				; CODE XREF: RtlpHpSegPageRangeCommit+185j
					; RtlpHpSegPageRangeCommit+196j
		push	[ebp+var_14]	; int
		push	ecx		; int
		push	edx		; int
		push	[ebp+var_C]	; size_t
		mov	edx, [ebp+var_24]
		mov	ecx, eax
		push	[ebp+var_20]	; int
		call	RtlpHpSegMgrCommit
		test	eax, eax
		js	short loc_532900
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jle	short loc_53296B
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		mov	ecx, [ebp+var_4]
		push	1
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		call	RtlpHpSegPageRangeHandleCommit
		mov	eax, [ebp+arg_4]

loc_53296B:				; CODE XREF: RtlpHpSegPageRangeCommit+121j
		mov	edx, [ebp+var_4]
		mov	ecx, eax
		movsx	eax, word ptr [edx+12h]
		add	edx, 4
		add	eax, edx
		lock xadd [eax], ecx
		mov	edx, [ebp+var_8]
		mov	eax, [edx+0Ch]
		mov	ecx, eax
		shr	ecx, 8
		not	ecx
		add	ecx, [ebp+arg_4]
		not	ecx
		shl	ecx, 8
		xor	ecx, eax
		and	ecx, 0FFFF00h
		xor	ecx, eax
		mov	[edx+0Ch], ecx
		mov	edx, [ebp+arg_4]
		jmp	loc_5328DE
; 

loc_5329A7:				; CODE XREF: RtlpHpSegPageRangeCommit+53j
		mov	edx, esi
		sub	edx, edi
		jmp	loc_53288C
; 

loc_5329B0:				; CODE XREF: RtlpHpSegPageRangeCommit+EEj
		mov	ecx, 4000h
		jmp	loc_532933
; 

loc_5329BA:				; CODE XREF: RtlpHpSegPageRangeCommit+C8j
		mov	[eax], edi
		jmp	loc_5328FE
; 

loc_5329C1:				; CODE XREF: RtlpHpSegPageRangeCommit+FDj
		mov	ecx, 40001000h
		jmp	loc_532933
RtlpHpSegPageRangeCommit endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegPageRangeHandleCommit proc near ; CODE	XREF: RtlpHpSegPageRangeCommit+A0p
					; RtlpHpSegPageRangeCommit+133p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005EECDF SIZE 000000A5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		movzx	ecx, byte ptr [ecx+5]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, 1
		push	edi
		shl	ebx, cl
		mov	[ebp+var_8], ebx
		mov	esi, [esi]
		mov	edi, esi
		shr	edi, cl
		mov	eax, edi
		mov	[ebp+var_4], 0FFFFFFFFh
		shl	eax, 4
		add	eax, edx
		shl	edi, cl
		lea	edx, [ebx-1]
		mov	[ebp+var_C], 0FFFFFFFFh
		mov	[ebp+var_14], edx
		mov	ebx, edx
		mov	edx, [ebp+arg_4]
		and	ebx, esi
		mov	[ebp+var_18], ebx
		mov	edx, [edx]
		dec	edx
		add	edx, ebx
		xor	ebx, ebx
		and	[ebp+var_14], edx
		mov	esi, edx
		mov	edx, [ebp+var_18]
		shr	esi, cl
		mov	ecx, [ebp+arg_8]
		shl	esi, 4
		add	esi, eax
		mov	[ebp+var_1C], esi
		test	edx, edx
		jnz	loc_5EECDF
		mov	esi, [ebp+var_8]

loc_532A40:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+BC3AFj
		mov	edx, [ebp+var_1C]
		cmp	eax, edx
		jb	short loc_532AA0

loc_532A47:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+F6j
		jnz	short loc_532A77
		movzx	edx, byte ptr [eax+0Ch]
		shr	edx, 5
		mov	[ebp+var_8], 0
		cmp	ecx, 1
		jg	short loc_532A6B
		mov	esi, [ebp+var_14]
		mov	ecx, [ebp+arg_8]
		inc	esi
		cmp	edx, esi
		jb	loc_532B37

loc_532A6B:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+8Aj
		cmp	ecx, 2
		jz	loc_532B7F

loc_532A74:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+189j
					; RtlpHpSegPageRangeHandleCommit+193j ...
		add	ebx, [ebp+var_8]

loc_532A77:				; CODE XREF: RtlpHpSegPageRangeHandleCommit:loc_532A47j
		test	ebx, ebx
		jnz	short loc_532A86

loc_532A7B:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+C8j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_532A86:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+A9j
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx
		mov	eax, [ebp+var_C]
		sub	eax, ecx
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		jmp	short loc_532A7B
; 
		align 10h

loc_532AA0:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+75j
					; RtlpHpSegPageRangeHandleCommit+F4j
		movzx	edx, byte ptr [eax+0Ch]
		shr	edx, 5
		mov	[ebp+var_18], 0
		cmp	edx, esi
		jb	short loc_532ACB

loc_532AB2:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+FEj
		cmp	ecx, 2
		jz	short loc_532B21

loc_532AB7:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+131j
					; RtlpHpSegPageRangeHandleCommit+14Fj ...
		add	ebx, [ebp+var_18]
		add	eax, 10h
		mov	edx, [ebp+var_1C]
		add	edi, esi
		cmp	eax, edx
		jb	short loc_532AA0
		jmp	loc_532A47
; 

loc_532ACB:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+E0j
		cmp	ecx, 1
		jg	short loc_532AB2
		cmp	[ebp+var_4], 0FFFFFFFFh
		jz	loc_532B9E

loc_532ADA:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+1D4j
		mov	ecx, esi
		mov	[ebp+var_10], esi
		sub	ecx, edx
		mov	[ebp+var_18], ecx

loc_532AE4:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+165j
		mov	esi, [ebp+var_10]
		add	esi, edi
		mov	[ebp+var_C], esi
		mov	esi, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_532B1C
		mov	ecx, [ebp+var_10]
		add	ecx, edi
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_8]
		cmp	ecx, 1
		jl	short loc_532AB7
		mov	cl, [eax+0Ch]
		add	dl, byte ptr [ebp+var_18]
		and	cl, 1Fh
		shl	dl, 5
		or	dl, cl
		mov	ecx, [ebp+var_10]
		add	ecx, edi
		mov	[eax+0Ch], dl
		mov	[ebp+var_C], ecx

loc_532B1C:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+121j
		mov	ecx, [ebp+arg_8]
		jmp	short loc_532AB7
; 

loc_532B21:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+E5j
		test	edx, edx
		jz	short loc_532AB7
		cmp	[ebp+var_4], 0FFFFFFFFh
		jz	short loc_532BA9

loc_532B2B:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+1DCj
		mov	ecx, edx
		mov	[ebp+var_10], edx
		neg	ecx
		mov	[ebp+var_18], ecx
		jmp	short loc_532AE4
; 

loc_532B37:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+95j
		cmp	[ebp+var_4], 0FFFFFFFFh
		jnz	short loc_532B43
		lea	esi, [edx+edi]
		mov	[ebp+var_4], esi

loc_532B43:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+16Bj
		mov	esi, [ebp+var_14]
		inc	esi
		add	esi, edi
		mov	[ebp+var_C], esi
		mov	esi, [ebp+var_14]
		inc	esi
		mov	[ebp+var_8], esi
		sub	[ebp+var_8], edx

loc_532B56:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+1CCj
		cmp	ecx, 1
		jl	loc_532A74
		cmp	[ebp+var_8], 0
		jz	loc_532A74
		mov	cl, [eax+0Ch]
		add	dl, byte ptr [ebp+var_8]
		and	cl, 1Fh
		shl	dl, 5
		or	dl, cl
		mov	[eax+0Ch], dl
		jmp	loc_532A74
; 

loc_532B7F:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+9Ej
		test	edx, edx
		jz	loc_532A74
		cmp	[ebp+var_4], 0FFFFFFFFh
		jnz	short loc_532B90
		mov	[ebp+var_4], edi

loc_532B90:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+1BBj
		lea	esi, [edx+edi]
		mov	[ebp+var_8], edx
		neg	[ebp+var_8]
		mov	[ebp+var_C], esi
		jmp	short loc_532B56
; 

loc_532B9E:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+104j
		lea	ecx, [edx+edi]
		mov	[ebp+var_4], ecx
		jmp	loc_532ADA
; 

loc_532BA9:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+159j
		mov	[ebp+var_4], edi
		jmp	loc_532B2B
RtlpHpSegPageRangeHandleCommit endp

; 
		align 10h

;  S U B	R O U T	I N E 


RtlpHpSegPageRangeCoalesce proc	near	; CODE XREF: RtlpHpSegContextCompact+25Bp
					; RtlpHpSegPageRangeShrink+D8p

var_58		= dword	ptr -58h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005EED84 SIZE 0000005E BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 48h
		push	esi
		mov	esi, edx
		mov	[ebp-0Ch], ecx
		push	edi
		mov	[ebp-14h], esi
		mov	dword ptr [ebp-3Ch], 0
		lea	esp, [esp+0]

loc_532BF0:				; CODE XREF: RtlpHpSegPageRangeCoalesce+258j
		mov	eax, [ecx]
		mov	edx, esi
		and	eax, esi
		xor	edi, edi
		sub	edx, eax
		mov	eax, [esi+0Ch]
		sar	edx, 4
		mov	[ebp-10h], edx
		mov	edx, eax
		shr	eax, 8
		not	eax
		shr	edx, 18h
		movzx	eax, ax
		mov	[ebp-8], eax
		mov	eax, [ebp-10h]
		add	eax, edx
		cmp	eax, 100h
		jnb	short loc_532C34
		shl	edx, 4
		add	edx, esi
		mov	al, [edx+0Ch]
		and	al, 1
		movzx	edi, al
		neg	edi
		sbb	edi, edi
		not	edi
		and	edi, edx

loc_532C34:				; CODE XREF: RtlpHpSegPageRangeCoalesce+5Dj
		movzx	eax, byte ptr [ecx+6]
		cmp	[ebp-10h], eax
		jbe	short loc_532C57
		test	byte ptr [esi-4], 2
		lea	edx, [esi-10h]
		mov	[ebp-10h], edx
		jz	loc_532CF6

loc_532C4D:				; CODE XREF: RtlpHpSegPageRangeCoalesce+144j
		test	byte ptr [edx+0Ch], 1
		jz	loc_532E1D

loc_532C57:				; CODE XREF: RtlpHpSegPageRangeCoalesce+7Bj
					; RtlpHpSegPageRangeCoalesce+2B7j
		mov	al, [esi+0Ch]
		or	al, 11h
		mov	[esi+0Ch], al
		test	edi, edi
		jnz	loc_532D21

loc_532C67:				; CODE XREF: RtlpHpSegPageRangeCoalesce+1CEj
		cmp	dword ptr [ebp-8], 0
		jbe	short loc_532CD1
		cmp	dword ptr [ebx+0Ch], 0
		mov	edi, [ebp-0Ch]
		jnz	loc_532D9F
		test	byte ptr [edi+9], 8
		jnz	loc_532D9F
		movsx	eax, word ptr [edi+12h]
		mov	cl, [edi+7]
		mov	[ebp-34h], eax
		mov	edx, [eax+edi+4]
		mov	eax, edx
		shr	eax, cl
		mov	[ebp-10h], eax
		cmp	eax, 8
		jbe	loc_532D93

loc_532CA2:				; CODE XREF: RtlpHpSegPageRangeCoalesce+1DAj
		mov	cl, [edi+8]
		shr	edx, cl
		mov	[ebp-30h], edx
		cmp	edx, 8
		jbe	loc_532FE7

loc_532CB3:				; CODE XREF: RtlpHpSegPageRangeCoalesce+42Fj
		mov	ecx, [ebp-34h]
		mov	eax, [edi+ecx+8]
		add	eax, [ecx+edi+0Ch]
		add	eax, [ebp-8]
		mov	[ebp-34h], eax
		cmp	eax, [ebp-10h]
		ja	short loc_532D09

loc_532CC9:				; CODE XREF: RtlpHpSegPageRangeCoalesce+15Fj
		cmp	eax, edx
		ja	loc_532D9F

loc_532CD1:				; CODE XREF: RtlpHpSegPageRangeCoalesce+ABj
		movzx	ecx, byte ptr [esi+0Fh]
		add	ecx, ecx
		pop	edi
		mov	al, [esi+ecx*8-4]
		and	al, 0FEh
		mov	[esi+ecx*8-4], al
		mov	al, [esi+0Ch]
		and	al, 0EEh
		mov	[esi+0Ch], al
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
; 

loc_532CF6:				; CODE XREF: RtlpHpSegPageRangeCoalesce+87j
		movzx	eax, byte ptr [edx+0Fh]
		neg	eax
		shl	eax, 4
		add	edx, eax
		mov	[ebp-10h], edx
		jmp	loc_532C4D
; 

loc_532D09:				; CODE XREF: RtlpHpSegPageRangeCoalesce+107j
		mov	ecx, [edi+24h]
		call	_RtlpHpScheduleCompaction@4 ; RtlpHpScheduleCompaction(x)
		test	eax, eax
		js	loc_532D9F
		mov	edx, [ebp-30h]
		mov	eax, [ebp-34h]
		jmp	short loc_532CC9
; 

loc_532D21:				; CODE XREF: RtlpHpSegPageRangeCoalesce+A1j
		mov	edx, edi
		call	_RtlpHpSegFreeRangeRemove@8 ; RtlpHpSegFreeRangeRemove(x,x)
		mov	dl, [esi+0Fh]
		movzx	ecx, dl
		sub	ecx, 1
		jz	short loc_532D42
		add	ecx, ecx
		mov	al, [esi+ecx*8+0Ch]
		and	al, 0FEh
		mov	[esi+ecx*8+0Ch], al
		mov	dl, [esi+0Fh]

loc_532D42:				; CODE XREF: RtlpHpSegPageRangeCoalesce+171j
		mov	al, [edi+0Fh]
		mov	ecx, [ebp-8]
		add	al, dl
		mov	[esi+0Fh], al
		mov	eax, [edi+0Ch]
		shr	eax, 8
		not	eax
		movzx	eax, ax
		add	ecx, eax
		mov	eax, ecx
		mov	[ebp-8], ecx
		not	eax
		shl	eax, 8
		xor	eax, [esi+0Ch]
		and	eax, 0FFFF00h
		xor	[esi+0Ch], eax
		mov	al, [edi+0Ch]
		and	al, 0FDh
		mov	[edi+0Ch], al
		movzx	edx, byte ptr [esi+0Fh]
		dec	edx
		mov	ecx, edx
		add	ecx, ecx
		mov	al, [esi+ecx*8+0Ch]
		or	al, 1
		mov	[esi+ecx*8+0Ch], al
		mov	[esi+ecx*8+0Fh], dl
		jmp	loc_532C67
; 

loc_532D93:				; CODE XREF: RtlpHpSegPageRangeCoalesce+DCj
		mov	dword ptr [ebp-10h], 8
		jmp	loc_532CA2
; 

loc_532D9F:				; CODE XREF: RtlpHpSegPageRangeCoalesce+B4j
					; RtlpHpSegPageRangeCoalesce+BEj ...
		mov	eax, [ebx+10h]
		mov	al, [eax]
		mov	[ebp-1], al
		mov	eax, [ebx+8]
		and	eax, 1
		mov	[ebp-40h], eax
		jnz	short loc_532DD1
		test	byte ptr [edi+1Ch], 1
		lea	ecx, [edi+40h]
		mov	[ebp-10h], ecx
		jz	loc_532E7C
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_532DD1:				; CODE XREF: RtlpHpSegPageRangeCoalesce+1F0j
					; RtlpHpSegPageRangeCoalesce+3F8j
		mov	cl, [edi+5]
		lea	eax, [ebp-3Ch]
		push	eax
		movzx	eax, byte ptr [esi+0Fh]
		mov	edx, esi
		shl	eax, cl
		mov	ecx, edi
		push	0
		neg	eax
		push	eax
		push	0
		call	RtlpHpSegPageRangeCommit
		or	cl, 0FFh
		cmp	dword ptr [ebp-40h], 0
		jnz	short loc_532E08
		movzx	edx, byte ptr [edi+1Ch]
		lea	ecx, [edi+40h]
		and	edx, 1
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	cl, al

loc_532E08:				; CODE XREF: RtlpHpSegPageRangeCoalesce+235j
		mov	eax, [ebx+10h]
		mov	[eax], cl
		mov	al, [esi+0Ch]
		mov	ecx, [ebp-0Ch]
		and	al, 0EFh
		mov	[esi+0Ch], al
		jmp	loc_532BF0
; 

loc_532E1D:				; CODE XREF: RtlpHpSegPageRangeCoalesce+91j
		call	_RtlpHpSegFreeRangeRemove@8 ; RtlpHpSegFreeRangeRemove(x,x)
		mov	edx, [ebp-10h]
		mov	al, [esi+0Fh]
		add	[edx+0Fh], al
		mov	ecx, [edx+0Ch]
		mov	eax, ecx
		shr	eax, 8
		not	eax
		movzx	eax, ax
		add	[ebp-8], eax
		mov	eax, [ebp-8]
		not	eax
		shl	eax, 8
		xor	eax, ecx
		and	eax, 0FFFF00h
		xor	eax, ecx
		mov	[edx+0Ch], eax
		mov	ah, 1
		mov	al, [esi+0Fh]
		mov	cl, [esi+0Ch]
		cmp	ah, al
		sbb	al, al
		add	al, 0FDh
		and	al, cl
		mov	[esi+0Ch], al
		mov	esi, edx
		movzx	ecx, byte ptr [edx+0Fh]
		dec	ecx
		mov	[ebp-14h], esi
		mov	eax, ecx
		add	eax, eax
		mov	[edx+eax*8+0Fh], cl
		mov	ecx, [ebp-0Ch]
		jmp	loc_532C57
; 

loc_532E7C:				; CODE XREF: RtlpHpSegPageRangeCoalesce+1FCj
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_532FF4

loc_532E8D:				; CODE XREF: RtlpHpSegPageRangeCoalesce+43Cj
		xor	edi, edi
		mov	[ebp-34h], edi
		test	ecx, 7FFFFFFCh
		jz	loc_532FA9
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	esi, dword_6D07D0
		shr	edx, 15h
		cmp	ecx, esi
		mov	[ebp-30h], esi
		mov	esi, [ebp-14h]
		mov	[ebp-8], eax
		jb	short loc_532EC9
		cmp	byte ptr dword_6D3994[edx], 1
		jz	loc_532FBD

loc_532EC9:				; CODE XREF: RtlpHpSegPageRangeCoalesce+2FAj
		cmp	ecx, [ebp-30h]
		jb	short loc_532EDB
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jz	loc_532FBD

loc_532EDB:				; CODE XREF: RtlpHpSegPageRangeCoalesce+30Cj
		or	edx, 0FFFFFFFFh
		mov	[ebp-30h], edx

loc_532EE1:				; CODE XREF: RtlpHpSegPageRangeCoalesce+410j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	[ebp-1], cl
		mov	ecx, eax
		push	edx
		mov	edx, [ebp-10h]
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[ebp-38h], edx
		test	edx, edx
		jz	loc_532FD5
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jl	loc_533001

loc_532F23:				; CODE XREF: RtlpHpSegPageRangeCoalesce+44Bj
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-34h], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [ebp-8]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	byte ptr [ebp-1], 1
		mov	[ebp-30h], eax
		jnz	loc_5EED84
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [ebp-30h]
		bts	eax, edx
		mov	[ecx+1E4h], al

loc_532F7F:				; CODE XREF: RtlpHpSegPageRangeCoalesce+420j
					; RtlpHpSegPageRangeCoalesce+BC1DAj
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-38h], eax
		jnz	loc_533017

loc_532F96:				; CODE XREF: RtlpHpSegPageRangeCoalesce+495j
					; RtlpHpSegPageRangeCoalesce+BC1FFj
		nop
		add	word ptr [ecx+13Eh], 1
		jnz	short loc_532FA9
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	short loc_533010

loc_532FA9:				; CODE XREF: RtlpHpSegPageRangeCoalesce+2D8j
					; RtlpHpSegPageRangeCoalesce+3DFj ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp-0Ch]
		jmp	loc_532DD1
; 

loc_532FBD:				; CODE XREF: RtlpHpSegPageRangeCoalesce+303j
					; RtlpHpSegPageRangeCoalesce+315j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp-30h], eax
		mov	eax, [ebp-8]
		jmp	loc_532EE1
; 

loc_532FD5:				; CODE XREF: RtlpHpSegPageRangeCoalesce+34Bj
		mov	ecx, [ebp-8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	short loc_532F7F
		jmp	loc_5EEDC4
; 

loc_532FE7:				; CODE XREF: RtlpHpSegPageRangeCoalesce+EDj
		mov	edx, 8
		mov	[ebp-30h], edx
		jmp	loc_532CB3
; 

loc_532FF4:				; CODE XREF: RtlpHpSegPageRangeCoalesce+2C7j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-10h]
		jmp	loc_532E8D
; 

loc_533001:				; CODE XREF: RtlpHpSegPageRangeCoalesce+35Dj
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp-38h]
		jmp	loc_532F23
; 

loc_533010:				; CODE XREF: RtlpHpSegPageRangeCoalesce+3E7j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_532FA9
; 

loc_533017:				; CODE XREF: RtlpHpSegPageRangeCoalesce+3D0j
		test	edi, 8000h
		jz	short loc_533029
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp-8]

loc_533029:				; CODE XREF: RtlpHpSegPageRangeCoalesce+45Dj
		test	byte ptr [ebp-32h], 1
		jnz	loc_5EED9F

loc_533033:				; CODE XREF: RtlpHpSegPageRangeCoalesce+BC1ECj
		test	edi, 7FFFh
		jz	short loc_533048
		and	edi, 7FFFh
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_533048:				; CODE XREF: RtlpHpSegPageRangeCoalesce+479j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	ecx, [ebp-8]
		jz	loc_532F96
		jmp	loc_5EEDB1
RtlpHpSegPageRangeCoalesce endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExAllocatePoolMm proc near		; CODE XREF: MiZeroPageCalibrate+6Ep
					; MiZeroPageCalibrate+A2p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005EEDE2 SIZE 0000007A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, eax
		mov	[ebp+var_4], edx
		and	esi, 0FFFFF800h
		mov	[ebp+var_8], ecx
		xor	bl, bl
		xor	bh, bh
		or	esi, 0
		jnz	loc_533139
		mov	ecx, eax
		and	ecx, 1C0h
		cmp	ecx, 40h
		jnz	short loc_5330F9
		mov	esi, 200h

loc_53309A:				; CODE XREF: ExAllocatePoolMm+A3j
					; ExAllocatePoolMm+BAj	...
		mov	ecx, eax
		and	ecx, 4
		or	ecx, 0
		jnz	loc_5EEDE2

loc_5330A8:				; CODE XREF: ExAllocatePoolMm+BBD85j
		mov	ecx, eax
		and	ecx, 2
		or	ecx, 0
		jnz	short loc_5330B8
		or	esi, 400h

loc_5330B8:				; CODE XREF: ExAllocatePoolMm+50j
		push	edi
		mov	edi, [ebp+arg_4]
		mov	edx, eax
		mov	ecx, edi
		and	edx, 629h
		and	ecx, 1
		or	edx, ecx
		jnz	loc_5EEDEA

loc_5330D1:				; CODE XREF: ExAllocatePoolMm+CCj
					; ExAllocatePoolMm+D0j
		xor	eax, eax
		pop	edi
		test	bh, bh
		jnz	short loc_533132

loc_5330D8:				; CODE XREF: ExAllocatePoolMm+D7j
		test	bl, bl
		jnz	loc_5EEE4B
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	eax
		push	[ebp+arg_8]
		push	[ebp+var_4]
		call	ExpAllocatePoolWithTagFromNode

loc_5330F1:				; CODE XREF: ExAllocatePoolMm+DBj
					; ExAllocatePoolMm+BBDF7j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_5330F9:				; CODE XREF: ExAllocatePoolMm+33j
		cmp	ecx, 80h
		jnz	short loc_533105
		xor	esi, esi
		jmp	short loc_53309A
; 

loc_533105:				; CODE XREF: ExAllocatePoolMm+9Fj
		cmp	ecx, 100h
		jnz	short loc_533139
		mov	ecx, eax
		mov	esi, 1
		and	ecx, 10h
		or	ecx, 0
		jz	loc_53309A
		jmp	loc_5EEDD8
; 

loc_533125:				; CODE XREF: ExAllocatePoolMm+BBDCCj
					; ExAllocatePoolMm+BBDD5j ...
		and	edi, 1
		xor	eax, eax
		or	eax, edi
		jz	short loc_5330D1
		mov	bh, 1
		jmp	short loc_5330D1
; 

loc_533132:				; CODE XREF: ExAllocatePoolMm+76j
		mov	eax, 1
		jmp	short loc_5330D8
; 

loc_533139:				; CODE XREF: ExAllocatePoolMm+22j
					; ExAllocatePoolMm+ABj
		xor	eax, eax
		jmp	short loc_5330F1
ExAllocatePoolMm endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpAllocatePoolWithTagFromNode proc near ; CODE	XREF: ExAllocateTimer+71p
					; ExGetSessionPoolTagInfo+1E7p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005EEE5C SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		mov	[esp+1Ch+var_8], 0
		mov	[esp+1Ch+var_C], 0
		push	edi
		mov	edi, edx
		test	esi, esi
		jns	short loc_5331A5
		movzx	ecx, ds:_KeNumberNodes
		and	esi, 7FFFFFFFh
		mov	[esp+20h+var_10], ecx

loc_53317A:				; CODE XREF: ExpAllocatePoolWithTagFromNode+6Dj
		mov	[esp+20h+var_4], 0
		mov	eax, esi

loc_533184:				; CODE XREF: ExpAllocatePoolWithTagFromNode+BBD31j
		push	[ebp+arg_8]
		mov	edx, edi
		mov	ecx, ebx
		push	eax
		push	[ebp+arg_0]
		call	ExAllocateHeapPool
		test	eax, eax
		jz	loc_5EEE5C

loc_53319C:				; CODE XREF: ExpAllocatePoolWithTagFromNode+BBD76j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_5331A5:				; CODE XREF: ExpAllocatePoolWithTagFromNode+27j
		mov	[esp+20h+var_10], 1
		jmp	short loc_53317A
ExpAllocatePoolWithTagFromNode endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExAllocateHeapPool proc	near		; CODE XREF: ExpAllocatePoolWithTagFromNode+4Fp

var_80		= dword	ptr -80h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005EEEBB SIZE 00000363 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[esp+7Ch+var_50], 0
		mov	esi, ebx
		mov	[esp+7Ch+var_6C], ebx
		shr	esi, 9
		mov	eax, ebx
		and	eax, 44h
		and	esi, 2
		push	edi
		mov	edi, edx
		cmp	al, 44h
		jz	loc_5EEEBB

loc_5331E3:				; CODE XREF: ExAllocateHeapPool+BBD12j
		mov	edx, ds:_ExpPoolFlags
		test	ebx, 201h
		setz	cl
		bt	edx, 0Ah
		setb	al
		test	cl, al
		jnz	loc_5335D9

loc_533201:				; CODE XREF: ExAllocateHeapPool+42Fj
		mov	[esp+80h+var_6C], ebx
		test	dl, 8
		jnz	loc_533D81

loc_53320E:				; CODE XREF: ExAllocateHeapPool+BBD36j
					; ExAllocateHeapPool+BBD43j
		mov	eax, [ebp+arg_8]
		mov	[esp+80h+var_48], eax

loc_533215:				; CODE XREF: ExAllocateHeapPool+BBD51j
		mov	eax, [ebp+arg_0]
		and	eax, 7FFFFFFFh
		mov	[esp+80h+var_60], eax
		jz	loc_5EEF06

loc_533227:				; CODE XREF: ExAllocateHeapPool+BBD5Fj
		cmp	edi, 0FF0h
		ja	short loc_533248
		mov	edx, ds:_MmSpecialPoolTag
		test	edx, edx
		jnz	loc_5EEF14

loc_53323D:				; CODE XREF: ExAllocateHeapPool+BBD66j
					; ExAllocateHeapPool+BBD89j ...
		test	byte ptr [esp+80h+var_48], 1
		jnz	loc_5EEF4B

loc_533248:				; CODE XREF: ExAllocateHeapPool+7Dj
					; ExAllocateHeapPool+BBDABj
		test	edi, edi
		jz	loc_5EEF84

loc_533250:				; CODE XREF: ExAllocateHeapPool+BBDD9j
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 80000000h
		jz	loc_5EEFA7
		movzx	eax, ds:_KeNumberNodes
		cmp	ecx, eax
		jnb	loc_5EEF8E
		cmp	ecx, 80000000h
		jz	loc_5EEFA7

loc_53327A:				; CODE XREF: ExAllocateHeapPool+BBE0Aj
		cmp	ecx, dword_6D8E70
		jnb	loc_5EEFBF

loc_533286:				; CODE XREF: ExAllocateHeapPool+BBE11j
		imul	ecx, 20C0h
		add	ecx, offset dword_6D8E80
		test	ebx, ebx
		js	loc_533B21
		mov	eax, ebx
		and	eax, 21h
		cmp	al, 21h
		jz	loc_5337D3
		test	bl, 1
		jz	loc_5335E4
		mov	eax, 2

loc_5332B5:				; CODE XREF: ExAllocateHeapPool+43Cj
					; ExAllocateHeapPool+447j
		mov	ecx, [ecx+eax*4]

loc_5332B8:				; CODE XREF: ExAllocateHeapPool+641j
					; ExAllocateHeapPool+974j
		mov	[esp+80h+var_64], ecx
		cmp	edi, 0FF0h
		ja	loc_533813
		add	edi, 8
		test	bl, 4
		jnz	loc_53370A

loc_5332D4:				; CODE XREF: ExAllocateHeapPool+567j
					; ExAllocateHeapPool+576j
		lea	ebx, [edi+7]
		and	ebx, 0FFFFFFF8h
		mov	[esp+80h+var_44], ebx
		cmp	ebx, 201h
		jnb	loc_53368B

loc_5332EA:				; CODE XREF: ExAllocateHeapPool+4E1j
					; ExAllocateHeapPool+505j ...
		mov	edi, [ecx+0Ch]
		mov	edx, [ecx+20h]
		or	edi, esi
		mov	eax, edx
		and	edi, 93000F0Bh
		test	eax, eax
		jnz	loc_5EF02B
		mov	eax, dword_6BEC74
		test	eax, eax
		jnz	loc_5EF02B

loc_53330F:				; CODE XREF: ExAllocateHeapPool+BBE7Dj
		xor	eax, eax
		mov	[esp+80h+var_48], eax
		mov	[esp+80h+var_40], eax
		test	edi, 1000000h
		jnz	short loc_533330
		mov	edx, [ecx+10h]
		mov	[esp+80h+var_40], edx
		test	edx, edx
		jnz	loc_5EF054

loc_533330:				; CODE XREF: ExAllocateHeapPool+16Fj
					; ExAllocateHeapPool+BBED8j
		lea	esi, [eax+ebx]
		mov	[esp+80h+var_58], esi
		test	edi, 10000000h
		jnz	loc_5EF08D

loc_533343:				; CODE XREF: ExAllocateHeapPool+BBEE4j
		test	edi, 20000F08h
		jnz	loc_5EF099

loc_53334F:				; CODE XREF: ExAllocateHeapPool+BBEF6j
		test	esi, esi
		jz	loc_5EF0AB

loc_533357:				; CODE XREF: ExAllocateHeapPool+BBF04j
		cmp	esi, ebx
		jb	loc_533CA1
		cmp	ebx, 7FFFFFFFh
		ja	loc_533CA1
		movzx	eax, word ptr [ecx+2E0h]
		mov	edx, edi
		and	edx, 13000003h
		sub	eax, 8
		mov	[esp+80h+var_54], edx
		cmp	esi, eax
		ja	loc_533A20
		add	ecx, 2C0h
		mov	edx, esi
		mov	[esp+80h+var_3C], ecx
		cmp	ebx, esi
		jnz	loc_5EF0B9

loc_53339D:				; CODE XREF: ExAllocateHeapPool+BBF0Cj
		lea	eax, [edx+7]
		shr	eax, 3
		movzx	eax, ds:_RtlpLfhBucketIndexMap[eax]
		add	eax, 20h
		lea	eax, [ecx+eax*4]
		mov	[esp+80h+var_30], eax
		mov	eax, [eax]
		test	al, 1
		jnz	loc_533B69

loc_5333BE:				; CODE XREF: ExAllocateHeapPool+B2Dj
		mov	esi, _RtlpHpLfhPerfFlags
		movzx	edx, byte ptr [ecx+1Ch]
		mov	eax, [esp+80h+var_30]
		shr	esi, 0Ah
		and	esi, 1
		inc	esi
		lea	ecx, [edx-1]
		mov	eax, [eax]
		and	ecx, 3
		mov	[esp+80h+var_30], eax
		add	edx, 3
		shl	esi, 6
		mov	eax, esi
		sub	eax, ecx
		add	eax, edx
		mov	edx, [esp+80h+var_30]
		mov	[esp+80h+var_70], eax
		cmp	byte ptr [edx+2], 1
		jnz	loc_533673
		xor	al, al

loc_5333FF:				; CODE XREF: ExAllocateHeapPool+4D6j
		mov	esi, [esp+80h+var_70]
		push	[esp+80h+var_54]
		mov	ecx, [esp+84h+var_3C]
		add	esi, edx
		movzx	eax, al
		push	ebx
		mov	eax, [esi+eax*4]
		push	eax
		call	RtlpHpLfhSlotAllocate
		mov	esi, eax
		mov	[esp+80h+var_70], esi
		test	esi, esi
		jz	loc_533802
		mov	edx, [esp+80h+var_54]
		test	dl, 2
		jnz	loc_5337F6
		mov	esi, [esp+80h+var_58]

loc_533439:				; CODE XREF: ExAllocateHeapPool+65Ej
					; ExAllocateHeapPool+9D3j
		cmp	eax, 0FFFFFFFFh
		jz	loc_533A1C
		mov	esi, [esp+80h+var_70]

loc_533446:				; CODE XREF: ExAllocateHeapPool+8B8j
					; ExAllocateHeapPool+8C3j ...
		test	esi, esi
		jz	short loc_533456
		test	edi, 30000F08h
		jnz	loc_5EF108

loc_533456:				; CODE XREF: ExAllocateHeapPool+298j
					; ExAllocateHeapPool+BBF78j ...
		mov	edi, [esp+80h+var_70]

loc_53345A:				; CODE XREF: ExAllocateHeapPool+AF7j
		test	edi, edi
		jz	loc_533DBB
		mov	eax, [esp+80h+var_6C]

loc_533466:				; CODE XREF: ExAllocateHeapPool+54Fj
		mov	esi, [esp+80h+var_60]
		mov	ecx, 0FE00h
		and	[edi], cx
		mov	[esp+80h+var_28], ecx
		mov	ecx, eax
		and	ecx, 0FFEFh
		mov	[edi+4], esi
		or	ecx, 2
		mov	[esp+80h+var_5C], esi
		mov	eax, ebx
		shl	ecx, 9
		shr	eax, 3
		and	eax, 1FFh
		or	ecx, eax
		xor	eax, eax
		movzx	edx, cx
		mov	[edi+2], cx
		shr	edx, 9
		mov	[esp+80h+var_18], eax
		mov	[esp+80h+var_14], eax
		mov	[esp+80h+var_10], eax
		mov	eax, ds:_PoolHitTag
		mov	[esp+80h+var_64], edx
		cmp	esi, eax
		jz	loc_5EF178

loc_5334C0:				; CODE XREF: ExAllocateHeapPool+BBFC9j
		test	ds:byte_70EFC4,	41h
		jnz	loc_5EF17E

loc_5334CD:				; CODE XREF: ExAllocateHeapPool+BBFE5j
		mov	eax, edx
		and	eax, 20h
		mov	[esp+80h+var_30], eax
		jnz	loc_533A00
		movzx	eax, large byte	ptr fs:51h
		mov	eax, _ExPoolTagTables[eax*4]
		mov	[esp+80h+var_58], eax
		mov	eax, _PoolTrackTableMask
		mov	[esp+80h+var_54], eax
		mov	eax, _PoolTrackTableSize

loc_5334FD:				; CODE XREF: ExAllocateHeapPool+867j
		mov	[esp+80h+var_3C], eax
		mov	eax, [esp+80h+var_5C]
		movzx	ecx, al
		shl	ecx, 2
		movzx	eax, ah
		xor	ecx, eax
		movzx	eax, byte ptr [esp+80h+var_5C+2]
		shl	ecx, 2
		xor	ecx, eax
		movzx	eax, byte ptr [esp+80h+var_5C+3]
		shl	ecx, 2
		xor	ecx, eax
		mov	eax, [esp+80h+var_58]
		imul	esi, ecx, 9E5Fh
		sar	esi, 2
		and	esi, [esp+80h+var_54]
		mov	[esp+80h+var_2C], esi
		lea	ecx, [esi+esi*2]
		shl	ecx, 4
		add	eax, ecx
		mov	[esp+80h+var_40], ecx
		mov	[esp+80h+var_60], eax
		mov	eax, [eax]
		mov	edi, [esp+80h+var_5C]
		cmp	eax, edi
		mov	[esp+80h+var_50], edi
		mov	edi, [esp+80h+var_70]
		jnz	loc_533631

loc_53355F:				; CODE XREF: ExAllocateHeapPool+4BEj
		test	dl, 1
		jz	loc_5335FC
		mov	eax, [esp+80h+var_60]
		add	eax, 20h
		mov	[esp+80h+var_50], eax

loc_533573:				; CODE XREF: ExAllocateHeapPool+3EDj
					; ExAllocateHeapPool+3F1j
		mov	edi, [eax]
		mov	ebx, edi
		mov	esi, [eax+4]
		add	ebx, 1
		mov	ecx, esi
		mov	[esp+80h+var_2C], esi
		adc	ecx, 0
		mov	eax, edi
		mov	edx, esi
		nop
		mov	esi, [esp+80h+var_50]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [esp+80h+var_2C]
		cmp	eax, edi
		mov	eax, [esp+80h+var_50]
		jnz	short loc_533573
		cmp	edx, esi
		jnz	short loc_533573
		mov	eax, 18h

loc_5335A8:				; CODE XREF: ExAllocateHeapPool+47Cj
		mov	edi, [esp+80h+var_70]
		add	eax, [esp+80h+var_60]
		mov	ecx, [esp+80h+var_44]
		lock xadd [eax], ecx

loc_5335B8:				; CODE XREF: ExAllocateHeapPool+ADFj
		mov	ebx, [esp+80h+var_6C]
		test	bl, 4
		jnz	loc_53372B

loc_5335C5:				; CODE XREF: ExAllocateHeapPool+594j
					; ExAllocateHeapPool+61Ej
		lea	eax, [edi+8]

loc_5335C8:				; CODE XREF: ExAllocateHeapPool+84Bj
					; ExAllocateHeapPool+C06j ...
		test	eax, eax
		jz	loc_5EF1DF

loc_5335D0:				; CODE XREF: ExAllocateHeapPool+BBD27j
					; ExAllocateHeapPool+BC032j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_5335D9:				; CODE XREF: ExAllocateHeapPool+4Bj
		or	ebx, 200h
		jmp	loc_533201
; 

loc_5335E4:				; CODE XREF: ExAllocateHeapPool+FAj
		xor	eax, eax
		test	ebx, 200h
		jz	loc_5332B5
		mov	eax, 1
		jmp	loc_5332B5
; 

loc_5335FC:				; CODE XREF: ExAllocateHeapPool+3B2j
		mov	edi, [esp+80h+var_60]
		add	edi, 8

loc_533603:				; CODE XREF: ExAllocateHeapPool+46Fj
					; ExAllocateHeapPool+475j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[esp+80h+var_2C], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_533603
		cmp	edx, [esp+80h+var_2C]
		jnz	short loc_533603
		mov	eax, 4
		jmp	loc_5335A8
; 

loc_533631:				; CODE XREF: ExAllocateHeapPool+3A9j
					; ExAllocateHeapPool+4B8j
		test	eax, eax
		jz	loc_533B88

loc_533639:				; CODE XREF: ExAllocateHeapPool+A57j
		inc	esi
		and	esi, [esp+80h+var_54]
		cmp	esi, [esp+80h+var_2C]
		jz	loc_533C80

loc_533648:				; CODE XREF: ExAllocateHeapPool+9F6j
					; ExAllocateHeapPool+ACBj ...
		mov	eax, [esp+80h+var_58]
		lea	ecx, [esi+esi*2]
		shl	ecx, 4
		add	eax, ecx
		mov	[esp+80h+var_40], ecx
		mov	[esp+80h+var_60], eax
		mov	eax, [eax]
		mov	edx, [esp+80h+var_5C]
		mov	[esp+80h+var_50], edx
		cmp	eax, edx
		jnz	short loc_533631
		mov	edx, [esp+80h+var_64]
		jmp	loc_53355F
; 

loc_533673:				; CODE XREF: ExAllocateHeapPool+247j
		mov	eax, large fs:124h
		movzx	ecx, byte ptr [eax+3A1h]
		lea	eax, [esi+edx]
		mov	al, [eax+ecx]
		jmp	loc_5333FF
; 

loc_53368B:				; CODE XREF: ExAllocateHeapPool+134j
		cmp	ebx, 0F80h
		ja	loc_5332EA
		mov	edx, [ecx+1Ch]
		shr	ebx, 3
		movzx	eax, ds:_RtlpLfhBucketIndexMap[ebx]
		movzx	ebx, ds:_RtlpBucketBlockSizes[eax*2]
		add	eax, 0FFFFFFCFh
		mov	[esp+80h+var_44], ebx
		test	edx, edx
		jz	loc_5332EA
		shl	eax, 6
		add	eax, edx
		inc	dword ptr [eax+4Ch]
		lea	ecx, [eax+40h]
		mov	[esp+80h+var_30], eax
		movzx	eax, word ptr [ecx+4]
		mov	[esp+80h+var_3C], ecx
		test	ax, ax
		jz	loc_533AAF
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		mov	[esp+80h+var_70], eax
		test	edi, edi
		jz	loc_533AAB

loc_5336EE:				; CODE XREF: ExAllocateHeapPool+90Aj
					; ExAllocateHeapPool+93Bj ...
		mov	eax, [esp+80h+var_6C]
		test	eax, 400h
		jnz	loc_533A9A

loc_5336FD:				; CODE XREF: ExAllocateHeapPool+9B4j
		test	edi, edi
		jnz	loc_533466
		jmp	loc_533AA2
; 

loc_53370A:				; CODE XREF: ExAllocateHeapPool+11Ej
		mov	eax, ds:_ExpCacheLineSize
		add	edi, eax
		cmp	edi, 0FF0h
		jbe	loc_5332D4
		sub	edi, eax
		and	ebx, 0FFFFFFFBh
		mov	[esp+80h+var_6C], ebx
		jmp	loc_5332D4
; 

loc_53372B:				; CODE XREF: ExAllocateHeapPool+40Fj
		mov	edx, ds:_ExpCacheLineSize
		mov	eax, 0F7FFh
		and	[edi+2], ax
		dec	edx
		mov	eax, 0FFFFFFF8h
		sub	eax, edi
		and	edx, eax
		jz	loc_5335C5
		lea	ecx, [edx+edi]
		mov	esi, 1FFh
		sar	edx, 3
		xor	dx, [ecx]
		and	dx, si
		mov	[esp+80h+var_2C], ecx
		xor	[ecx], dx
		movzx	edx, word ptr [ecx]
		movzx	eax, word ptr [edi+2]
		and	edx, esi
		sub	ax, dx
		xor	ax, [ecx+2]
		and	ax, si
		mov	esi, 0FE00h
		xor	[ecx+2], ax
		movzx	eax, word ptr [edi]
		movzx	ecx, word ptr [ecx+2]
		and	si, ax
		or	si, dx
		and	ecx, 1FFh
		mov	edx, [esp+80h+var_2C]
		mov	[edx], si
		and	esi, 1FFh
		movzx	eax, word ptr [edi+2]
		and	ax, word ptr [esp+80h+var_28]
		or	ax, cx
		mov	ecx, 800h
		or	ax, cx
		mov	[edx+2], ax
		mov	eax, [edi+4]
		mov	[edx+4], eax
		cmp	esi, 1
		jbe	short loc_5337CC
		mov	eax, edx
		xor	eax, ds:_ExpPoolQuotaCookie
		mov	[edi+8], eax

loc_5337CC:				; CODE XREF: ExAllocateHeapPool+60Fj
		mov	edi, edx
		jmp	loc_5335C5
; 

loc_5337D3:				; CODE XREF: ExAllocateHeapPool+F1j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	eax, [eax+1D8h]
		mov	ecx, [eax+1C78h]
		jmp	loc_5332B8
; 

loc_5337F6:				; CODE XREF: ExAllocateHeapPool+27Fj
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_533802:				; CODE XREF: ExAllocateHeapPool+272j
		mov	eax, [esp+80h+var_70]
		mov	esi, [esp+80h+var_58]
		mov	edx, [esp+80h+var_54]
		jmp	loc_533439
; 

loc_533813:				; CODE XREF: ExAllocateHeapPool+112j
		lea	edx, [edi+7]
		and	edx, 0FFFFFFF8h
		mov	eax, edx
		mov	[esp+80h+var_58], edx
		and	eax, 0FFFh
		cmp	edx, 10000h
		jnb	loc_533B3F
		cmp	eax, 0FE0h
		ja	loc_533B3F

loc_53383B:				; CODE XREF: ExAllocateHeapPool+99Fj
		cmp	edx, edi
		jb	loc_533D6E
		test	edx, 0FFFh
		jnz	loc_533A8E
		cmp	edx, [ecx+18Ch]
		ja	loc_533A8E
		mov	eax, ebx
		add	ecx, 100h
		shr	eax, 9
		and	eax, 2
		cmp	edx, [ecx+0Ch]
		ja	loc_5EEFC6

loc_533872:				; CODE XREF: ExAllocateHeapPool+BBE19j
		push	eax
		push	edx
		push	edx
		call	RtlpHpSegAlloc

loc_53387A:				; CODE XREF: ExAllocateHeapPool+8E5j
		mov	[esp+80h+var_50], eax
		test	eax, eax
		jz	loc_5EF1DD
		mov	edi, [esp+80h+var_58]
		mov	ecx, eax
		mov	esi, [esp+80h+var_60]
		mov	edx, esi
		push	0
		push	0
		push	ebx
		push	edi
		call	ExpAddTagForBigPages
		test	eax, eax
		jz	loc_533D6E
		xor	eax, eax
		mov	[esp+80h+var_68], esi
		mov	[esp+80h+var_24], eax
		mov	[esp+80h+var_20], eax
		mov	[esp+80h+var_1C], eax
		mov	eax, ds:_PoolHitTag
		cmp	esi, eax
		jz	loc_5EEFCE

loc_5338C4:				; CODE XREF: ExAllocateHeapPool+BBE1Fj
		test	ds:byte_70EFC4,	41h
		jnz	loc_5EEFD4

loc_5338D1:				; CODE XREF: ExAllocateHeapPool+BBE39j
		mov	eax, ebx
		and	eax, 20h
		mov	[esp+80h+var_70], eax
		jnz	loc_533B29
		movzx	eax, large byte	ptr fs:51h
		mov	edx, _PoolTrackTableMask
		mov	edi, _ExPoolTagTables[eax*4]
		mov	eax, _PoolTrackTableSize

loc_5338FA:				; CODE XREF: ExAllocateHeapPool+98Aj
		mov	[esp+80h+var_64], eax
		mov	eax, [esp+80h+var_68]
		movzx	ecx, al
		shl	ecx, 2
		movzx	eax, ah
		xor	ecx, eax
		mov	[esp+80h+var_44], edx
		movzx	eax, byte ptr [esp+80h+var_68+2]
		shl	ecx, 2
		xor	ecx, eax
		mov	[esp+80h+var_3C], edi
		movzx	eax, byte ptr [esp+80h+var_68+3]
		shl	ecx, 2
		xor	ecx, eax
		imul	esi, ecx, 9E5Fh
		sar	esi, 2
		and	esi, edx
		mov	[esp+80h+var_30], esi
		lea	ecx, [esi+esi*2]
		shl	ecx, 4
		mov	eax, [ecx+edi]
		lea	edx, [ecx+edi]
		mov	edi, [esp+80h+var_68]
		cmp	eax, edi
		mov	[esp+80h+var_54], edi
		mov	edi, [esp+80h+var_58]
		mov	[esp+80h+var_40], ecx
		mov	[esp+80h+var_60], edx
		jz	short loc_53399D
		lea	esp, [esp+0]

loc_533960:				; CODE XREF: ExAllocateHeapPool+7EBj
		test	eax, eax
		jz	loc_533CAC

loc_533968:				; CODE XREF: ExAllocateHeapPool+B41j
		inc	esi
		and	esi, [esp+80h+var_44]
		cmp	esi, [esp+80h+var_30]
		jz	loc_533DA6

loc_533977:				; CODE XREF: ExAllocateHeapPool+B15j
					; ExAllocateHeapPool+BB9j ...
		mov	edx, [esp+80h+var_3C]
		lea	ecx, [esi+esi*2]
		shl	ecx, 4
		add	edx, ecx
		mov	[esp+80h+var_40], ecx
		mov	[esp+80h+var_60], edx
		mov	eax, [edx]
		mov	ebx, [esp+80h+var_68]
		cmp	eax, ebx
		mov	[esp+80h+var_54], ebx
		mov	ebx, [esp+80h+var_6C]
		jnz	short loc_533960

loc_53399D:				; CODE XREF: ExAllocateHeapPool+7AAj
		test	bl, 1
		jnz	loc_533AF0
		lea	eax, [edx+8]
		mov	[esp+80h+var_54], eax
		lea	ecx, [ecx+0]

loc_5339B0:				; CODE XREF: ExAllocateHeapPool+82Aj
					; ExAllocateHeapPool+82Ej
		mov	esi, [eax]
		mov	ebx, esi
		mov	edi, [eax+4]
		add	ebx, 1
		mov	ecx, edi
		mov	[esp+80h+var_30], edi
		adc	ecx, 0
		mov	eax, esi
		mov	edx, edi
		nop
		mov	edi, [esp+80h+var_54]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [esp+80h+var_30]
		cmp	eax, esi
		mov	eax, [esp+80h+var_54]
		jnz	short loc_5339B0
		cmp	edx, edi
		jnz	short loc_5339B0
		mov	ecx, 4

loc_5339E5:				; CODE XREF: ExAllocateHeapPool+96Cj
		mov	eax, [esp+80h+var_60]
		mov	edi, [esp+80h+var_58]
		add	eax, ecx
		lock xadd [eax], edi
		mov	ebx, [esp+80h+var_6C]
		mov	eax, [esp+80h+var_50]
		jmp	loc_5335C8
; 

loc_533A00:				; CODE XREF: ExAllocateHeapPool+326j
		mov	eax, _ExpSessionPoolTrackTable
		mov	[esp+80h+var_58], eax
		mov	eax, _ExpSessionPoolTrackTableMask
		mov	[esp+80h+var_54], eax
		mov	eax, _ExpSessionPoolTrackTableSize
		jmp	loc_5334FD
; 

loc_533A1C:				; CODE XREF: ExAllocateHeapPool+28Cj
		mov	ecx, [esp+80h+var_64]

loc_533A20:				; CODE XREF: ExAllocateHeapPool+1D3j
		cmp	esi, 20000h
		ja	loc_5EF0C1
		lea	eax, [ecx+200h]
		xor	ecx, ecx
		mov	[esp+80h+var_C], ecx
		mov	[esp+80h+var_8], ecx
		mov	[esp+80h+var_4], ecx
		mov	[esp+80h+var_34], ecx
		lea	ecx, [esp+80h+var_34]
		push	ecx
		lea	ecx, [esp+84h+var_C]
		mov	[esp+84h+var_30], eax
		push	ecx
		push	edx
		push	esi
		mov	edx, ebx
		mov	ecx, eax
		call	RtlpHpVsContextAllocateInternal
		cmp	[esp+80h+var_34], 0
		mov	esi, eax
		mov	[esp+80h+var_70], esi
		jz	loc_533446
		test	byte ptr [esp+80h+var_54], 1
		jnz	loc_533446
		mov	ecx, [esp+80h+var_30]
		lea	edx, [esp+80h+var_C]
		mov	ecx, [ecx+4]
		call	RtlpHpReleaseQueuedLockExclusive
		jmp	loc_533446
; 

loc_533A8E:				; CODE XREF: ExAllocateHeapPool+699j
					; ExAllocateHeapPool+6A5j
		push	ecx
		push	esi
		call	RtlpHpAllocateHeap
		jmp	loc_53387A
; 

loc_533A9A:				; CODE XREF: ExAllocateHeapPool+547j
		test	edi, edi
		jnz	loc_533B54

loc_533AA2:				; CODE XREF: ExAllocateHeapPool+555j
		mov	ecx, [esp+80h+var_64]
		jmp	loc_5332EA
; 

loc_533AAB:				; CODE XREF: ExAllocateHeapPool+538j
		mov	ecx, [esp+80h+var_3C]

loc_533AAF:				; CODE XREF: ExAllocateHeapPool+525j
		inc	dword ptr [ecx+10h]
		xor	edi, edi
		mov	[esp+80h+var_70], edi
		test	edi, edi
		jnz	loc_5336EE
		mov	eax, [esp+80h+var_30]
		mov	[esp+80h+var_4C], edi
		mov	[esp+80h+var_38], edi
		movzx	edx, word ptr [eax+48h]
		movzx	ecx, word ptr [eax+44h]
		nop
		mov	eax, edx
		sub	eax, ecx
		cmp	ecx, edx
		sbb	ecx, ecx
		and	ecx, eax
		shr	ecx, 1
		jnz	loc_533BAB
		mov	[esp+80h+var_70], edi
		jmp	loc_5336EE
; 

loc_533AF0:				; CODE XREF: ExAllocateHeapPool+7F0j
		lea	edi, [edx+20h]

loc_533AF3:				; CODE XREF: ExAllocateHeapPool+95Fj
					; ExAllocateHeapPool+965j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[esp+80h+var_30], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_533AF3
		cmp	edx, [esp+80h+var_30]
		jnz	short loc_533AF3
		mov	ecx, 18h
		jmp	loc_5339E5
; 

loc_533B21:				; CODE XREF: ExAllocateHeapPool+E4j
		mov	ecx, [ecx+0Ch]
		jmp	loc_5332B8
; 

loc_533B29:				; CODE XREF: ExAllocateHeapPool+72Aj
		mov	edi, _ExpSessionPoolTrackTable
		mov	edx, _ExpSessionPoolTrackTableMask
		mov	eax, _ExpSessionPoolTrackTableSize
		jmp	loc_5338FA
; 

loc_533B3F:				; CODE XREF: ExAllocateHeapPool+67Aj
					; ExAllocateHeapPool+685j
		add	edx, 0FFFh
		and	edx, 0FFFFF000h
		mov	[esp+80h+var_58], edx
		jmp	loc_53383B
; 

loc_533B54:				; CODE XREF: ExAllocateHeapPool+8ECj
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [esp+8Ch+var_6C]
		add	esp, 0Ch
		jmp	loc_5336FD
; 

loc_533B69:				; CODE XREF: ExAllocateHeapPool+208j
		push	1
		call	_RtlpHpLfhBucketUpdateStats@12 ; RtlpHpLfhBucketUpdateStats(x,x,x)
		test	eax, eax
		jnz	loc_533CD9
		mov	edx, [esp+80h+var_54]
		or	eax, 0FFFFFFFFh
		mov	[esp+80h+var_70], eax
		jmp	loc_533439
; 

loc_533B88:				; CODE XREF: ExAllocateHeapPool+483j
		mov	edx, [esp+80h+var_30]
		test	edx, edx
		jnz	short loc_533BFC
		mov	eax, _PoolTrackTable
		mov	eax, [ecx+eax]
		test	eax, eax
		jz	loc_533C94
		mov	edx, [esp+80h+var_60]
		mov	[edx], eax
		jmp	loc_533648
; 

loc_533BAB:				; CODE XREF: ExAllocateHeapPool+931j
		lea	eax, [esp+80h+var_38]
		inc	ecx
		push	eax
		lea	eax, [esp+84h+var_4C]
		mov	edx, ebx
		push	eax
		push	0
		push	ecx
		mov	ecx, [esp+90h+var_64]
		add	ecx, 200h
		call	_RtlpHpVsContextMultiAlloc@24 ;	RtlpHpVsContextMultiAlloc(x,x,x,x,x,x)
		test	eax, eax
		jz	loc_5EF020
		mov	edi, [esp+80h+var_4C]
		mov	[esp+80h+var_70], edi
		mov	edx, [edi]
		mov	[esp+80h+var_4C], edx
		sub	eax, 1
		jz	loc_5336EE
		mov	ecx, [esp+80h+var_3C]
		push	eax
		push	[esp+84h+var_38]
		call	@InterlockedPushListSList@16 ; InterlockedPushListSList(x,x,x,x)
		jmp	loc_5336EE
; 

loc_533BFC:				; CODE XREF: ExAllocateHeapPool+9DEj
		mov	ecx, [esp+80h+var_50]

loc_533C00:				; CODE XREF: ExAllocateHeapPool+AECj
		mov	eax, [esp+80h+var_3C]
		dec	eax
		cmp	esi, eax
		jz	loc_533639
		test	edx, edx
		jnz	loc_533CCA
		lea	edx, [esp+80h+var_18]
		mov	ecx, offset _ExpTaggedPoolLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [esp+80h+var_40]
		add	ecx, _PoolTrackTable
		cmp	dword ptr [ecx], 0
		jnz	short loc_533C3E
		mov	edx, [esp+80h+var_60]
		mov	eax, [esp+80h+var_50]
		mov	[ecx], eax
		mov	[edx], eax

loc_533C3E:				; CODE XREF: ExAllocateHeapPool+A80j
		test	ds:byte_70EFC6,	1
		jnz	loc_5EF19A
		mov	eax, [esp+80h+var_18]
		test	eax, eax
		jnz	loc_5EF1B4
		mov	edx, [esp+80h+var_14]
		lea	eax, [esp+80h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+80h+var_18]
		cmp	eax, ecx
		jnz	loc_5EF1AB

loc_533C71:				; CODE XREF: ExAllocateHeapPool+BBFF6j
					; ExAllocateHeapPool+BC017j
		mov	cl, byte ptr [esp+80h+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_533648
; 

loc_533C80:				; CODE XREF: ExAllocateHeapPool+492j
		push	[esp+80h+var_64]
		mov	ecx, [esp+84h+var_50]
		mov	edx, ebx
		call	ExpInsertPoolTrackerExpansion
		jmp	loc_5335B8
; 

loc_533C94:				; CODE XREF: ExAllocateHeapPool+9EAj
		mov	ecx, [esp+80h+var_5C]
		mov	[esp+80h+var_50], ecx
		jmp	loc_533C00
; 

loc_533CA1:				; CODE XREF: ExAllocateHeapPool+1A9j
					; ExAllocateHeapPool+1B5j
		xor	edi, edi
		mov	[esp+80h+var_70], edi
		jmp	loc_53345A
; 

loc_533CAC:				; CODE XREF: ExAllocateHeapPool+7B2j
		cmp	[esp+80h+var_70], 0
		jnz	loc_533D92
		mov	eax, _PoolTrackTable
		mov	eax, [ecx+eax]
		test	eax, eax
		jz	short loc_533CE2
		mov	[edx], eax
		jmp	loc_533977
; 

loc_533CCA:				; CODE XREF: ExAllocateHeapPool+A5Fj
		mov	edx, [esp+80h+var_60]
		xor	eax, eax
		lock cmpxchg [edx], ecx
		jmp	loc_533648
; 

loc_533CD9:				; CODE XREF: ExAllocateHeapPool+9C2j
		mov	ecx, [esp+80h+var_3C]
		jmp	loc_5333BE
; 

loc_533CE2:				; CODE XREF: ExAllocateHeapPool+B11j
		mov	ecx, [esp+80h+var_68]
		mov	[esp+80h+var_54], ecx

loc_533CEA:				; CODE XREF: ExAllocateHeapPool+BE6j
		mov	eax, [esp+80h+var_64]
		dec	eax
		cmp	esi, eax
		jz	loc_533968
		cmp	[esp+80h+var_70], 0
		jnz	loc_533D9B
		lea	edx, [esp+80h+var_24]
		mov	ecx, offset _ExpTaggedPoolLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, _PoolTrackTable
		mov	edx, [esp+80h+var_40]
		cmp	dword ptr [edx+eax], 0
		jnz	short loc_533D2C
		mov	ecx, [esp+80h+var_54]
		mov	[edx+eax], ecx
		mov	eax, [esp+80h+var_60]
		mov	[eax], ecx

loc_533D2C:				; CODE XREF: ExAllocateHeapPool+B6Dj
		test	ds:byte_70EFC6,	1
		jnz	loc_5EEFEE
		mov	eax, [esp+80h+var_24]
		test	eax, eax
		jnz	loc_5EF008
		mov	edx, [esp+80h+var_20]
		lea	eax, [esp+80h+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+80h+var_24]
		cmp	eax, ecx
		jnz	loc_5EEFFF

loc_533D5F:				; CODE XREF: ExAllocateHeapPool+BBE4Aj
					; ExAllocateHeapPool+BBE6Bj
		mov	cl, byte ptr [esp+80h+var_1C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_533977
; 

loc_533D6E:				; CODE XREF: ExAllocateHeapPool+68Dj
					; ExAllocateHeapPool+6EFj ...
		mov	ecx, [esp+80h+var_50]
		xor	eax, eax
		test	ecx, ecx
		jnz	loc_5EF1CC
		jmp	loc_5EF1DF
; 

loc_533D81:				; CODE XREF: ExAllocateHeapPool+58j
		test	ebx, 80000080h
		jz	loc_5EEEC7
		jmp	loc_5EEEDC
; 

loc_533D92:				; CODE XREF: ExAllocateHeapPool+B01j
		mov	ecx, [esp+80h+var_54]
		jmp	loc_533CEA
; 

loc_533D9B:				; CODE XREF: ExAllocateHeapPool+B4Cj
		xor	eax, eax
		lock cmpxchg [edx], ecx
		jmp	loc_533977
; 

loc_533DA6:				; CODE XREF: ExAllocateHeapPool+7C1j
		mov	ecx, [esp+80h+var_54]
		mov	edx, edi
		push	ebx
		call	ExpInsertPoolTrackerExpansion
		mov	eax, [esp+80h+var_50]
		jmp	loc_5335C8
; 

loc_533DBB:				; CODE XREF: ExAllocateHeapPool+2ACj
					; ExAllocateHeapPool+BBE88j ...
		mov	ebx, [esp+80h+var_6C]
		jmp	short loc_533D6E
ExAllocateHeapPool endp

; 
		align 10h

;  S U B	R O U T	I N E 


RtlpHpLfhSlotAllocate proc near		; CODE XREF: RtlpHpLfhContextAllocate+96p
					; ExAllocateHeapPool+265p

var_98		= dword	ptr -98h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005EF21E SIZE 00000859 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, _RtlpHpLfhPerfFlags
		mov	[ebp-30h], edx
		xor	edx, edx
		shr	eax, 2
		push	esi
		and	eax, 1
		mov	[ebp-8], ecx
		push	edi
		mov	byte ptr [ebp-1], 0FFh
		mov	[ebp-14h], edx
		mov	[ebp-2Ch], edx
		mov	[ebp-0Ch], edx
		mov	[ebp-1Ch], eax

loc_533E13:				; CODE XREF: RtlpHpLfhSlotAllocate+F2Fj
					; RtlpHpLfhSlotAllocate+BB560j
		test	eax, eax
		jz	loc_5EF1F3
		mov	eax, [ebx+8]
		lea	esi, [eax+1Ch]

loc_533E21:				; CODE XREF: RtlpHpLfhSlotAllocate+72Bj
		mov	edi, [esi]
		test	edi, 0FFFh
		jz	loc_5340D7
		nop

loc_533E30:				; CODE XREF: RtlpHpLfhSlotAllocate+E1Cj
		lea	ecx, [edi-1]
		mov	eax, edi
		lock cmpxchg [esi], ecx
		cmp	eax, edi
		jnz	loc_534BDE
		and	edi, 0FFFFF000h
		mov	[ebp-3Ch], edi
		jz	loc_5340D1
		test	edx, edx
		jnz	loc_534C09

loc_533E58:				; CODE XREF: RtlpHpLfhSlotAllocate+E6Dj
					; RtlpHpLfhSlotAllocate+1035j
		movzx	eax, word ptr [edi+12h]
		movzx	ecx, byte ptr [edi+17h]
		add	ecx, eax
		mov	eax, [ebx+8]
		add	ecx, ecx
		mov	[ebp-38h], ecx
		movzx	eax, byte ptr [eax+1]
		movzx	eax, ds:_RtlpSearchWidth[eax]
		mov	[ebp-24h], eax
		mov	eax, edi
		shr	eax, 0Ch
		mov	[ebp-48h], eax
		xor	eax, dword_6BEC64
		xor	eax, [edi+18h]
		mov	[ebp-34h], eax
		mov	[ebp-70h], eax
		movzx	eax, ax
		cmp	[ebx+0Ch], eax
		sbb	eax, eax
		and	eax, 2
		inc	eax
		mov	[ebp-44h], eax
		mov	eax, [ebp-8]
		test	byte ptr [eax+22h], 2
		jnz	loc_5EF3B0
		call	_RtlpLfhIncrementDataSlot@0 ; RtlpLfhIncrementDataSlot()
		movzx	eax, ax
		movzx	edx, byte ptr _RtlpLowFragHeapRandomData[eax]

loc_533EBA:				; CODE XREF: RtlpHpLfhSlotAllocate+BB5E2j
		movzx	eax, word ptr [edi+14h]
		mov	esi, [ebp-38h]
		add	eax, eax
		shr	eax, 5
		add	eax, 8
		mov	[ebp-20h], edx
		mov	dword ptr [ebp-54h], 0
		lea	ecx, [edi+eax*4]
		lea	eax, [esi-1]
		shr	eax, 5
		add	eax, 8
		lea	eax, [edi+eax*4]
		mov	[ebp-28h], eax

loc_533EE5:				; CODE XREF: RtlpHpLfhSlotAllocate+E09j
		mov	[ebp-18h], ecx
		jmp	short loc_533EF0
; 
		align 10h

loc_533EF0:				; CODE XREF: RtlpHpLfhSlotAllocate+118j
					; RtlpHpLfhSlotAllocate+E00j
		cmp	esi, 20h
		jb	loc_534759
		mov	eax, [ecx]
		mov	[ebp-10h], eax
		and	eax, 55555555h
		cmp	eax, 55555555h
		jz	loc_5344A6

loc_533F0E:				; CODE XREF: RtlpHpLfhSlotAllocate+705j
		cmp	ecx, [ebp-28h]
		jz	loc_53456B

loc_533F17:				; CODE XREF: RtlpHpLfhSlotAllocate+7A0j
					; RtlpHpLfhSlotAllocate+7A9j ...
		mov	eax, [ebp-10h]

loc_533F1A:				; CODE XREF: RtlpHpLfhSlotAllocate+996j
		mov	ecx, [ebp-24h]
		imul	edx, ecx
		shr	edx, 7
		and	edx, 1FFFFFEh
		mov	[ebp-20h], edx
		lea	esp, [esp+0]

loc_533F30:				; CODE XREF: RtlpHpLfhSlotAllocate+C25j
		not	eax
		mov	[ebp-50h], eax
		cmp	ecx, 20h
		jb	loc_534587
		mov	ecx, 55555555h

loc_533F43:				; CODE XREF: RtlpHpLfhSlotAllocate+7E2j
		and	eax, ecx
		mov	ecx, edx
		ror	eax, cl
		bsf	eax, eax
		add	eax, edx
		mov	edx, [ebp-44h]
		and	eax, 1Fh
		mov	ecx, eax
		mov	[ebp-50h], eax
		shl	edx, cl
		mov	ecx, [ebp-18h]
		mov	[ebp-54h], eax
		mov	eax, [ebp-10h]
		or	edx, eax
		lock cmpxchg [ecx], edx
		mov	edx, eax
		cmp	edx, [ebp-10h]
		jnz	loc_5349D6
		mov	esi, [ebp-34h]
		lea	eax, [edi+20h]
		sub	ecx, eax
		movzx	eax, si
		sar	ecx, 2
		shl	ecx, 5
		add	ecx, [ebp-50h]
		shr	ecx, 1
		mov	esi, ecx
		mov	[ebp-80h], eax
		imul	esi, eax
		movzx	eax, word ptr [ebp-6Eh]
		mov	[ebp-18h], ecx
		mov	[edi+14h], cx
		add	esi, eax
		cmp	byte ptr [edi+1Dh], 1
		mov	[ebp-28h], esi
		jbe	loc_53407F
		movzx	ecx, byte ptr [edi+1Ch]
		mov	edx, esi
		movzx	eax, word ptr [edi+1Eh]
		add	eax, edi
		shr	edx, cl
		mov	dword ptr [ebp-40h], 0
		mov	byte ptr [ebp-3], 0FFh
		mov	dword ptr [ebp-38h], 0
		lea	eax, [eax+edx*2]
		mov	dword ptr [ebp-24h], 0FFFFFFFFh
		mov	[ebp-10h], eax
		lea	esi, [edx+edx]
		mov	eax, [ebp-48h]
		mov	[ebp-70h], esi
		movzx	esi, ax
		movzx	eax, word ptr dword_6BEC64
		xor	esi, eax
		mov	dword ptr [ebp-34h], 0
		movzx	eax, word ptr [edi+18h]
		xor	esi, eax
		mov	[ebp-44h], esi
		mov	eax, esi
		mov	esi, [ebp-28h]
		dec	eax
		add	eax, esi
		shr	eax, cl
		xor	ecx, ecx
		sub	eax, edx
		mov	[ebp-20h], ecx
		mov	edx, [ebp-10h]
		inc	eax
		lea	eax, [edx+eax*2]
		mov	[ebp-50h], eax
		cmp	edx, eax
		jnb	short loc_53407F
		mov	esi, [ebp-70h]
		mov	byte ptr [ebp-2], 0FFh

loc_534025:				; CODE XREF: RtlpHpLfhSlotAllocate+28Cj
		mov	ax, [edx]
		movzx	eax, ax

loc_53402B:				; CODE XREF: RtlpHpLfhSlotAllocate+27Bj
					; RtlpHpLfhSlotAllocate+813j
		mov	[ebp-1Ch], eax
		test	ax, ax
		jle	loc_5345B7
		inc	eax
		movzx	ecx, ax
		mov	ax, [ebp-1Ch]
		lock cmpxchg [edx], cx
		movzx	eax, ax
		cmp	ax, [ebp-1Ch]
		jnz	short loc_53402B
		mov	ecx, [ebp-20h]

loc_534050:				; CODE XREF: RtlpHpLfhSlotAllocate+8B1j
		add	edx, 2
		add	esi, 2
		mov	[ebp-10h], edx
		cmp	edx, [ebp-50h]
		jb	short loc_534025
		mov	esi, [ebp-28h]
		test	ecx, ecx
		jnz	loc_534637

loc_534069:				; CODE XREF: RtlpHpLfhSlotAllocate+86Ej
					; RtlpHpLfhSlotAllocate+898j
		mov	edx, [ebp-24h]
		cmp	edx, 0FFFFFFFFh
		jnz	loc_53492F
		cmp	dword ptr [ebp-38h], 0
		jnz	loc_534686

loc_53407F:				; CODE XREF: RtlpHpLfhSlotAllocate+1D7j
					; RtlpHpLfhSlotAllocate+24Cj ...
		mov	eax, [ebx+0Ch]
		lea	edx, [esi+edi]
		mov	esi, [ebp-80h]
		mov	[ebp-10h], edx
		cmp	eax, esi
		jb	loc_534500

loc_534093:				; CODE XREF: RtlpHpLfhSlotAllocate+75Bj
					; RtlpHpLfhSlotAllocate+BB7F3j
		mov	esi, [ebp-8]
		test	edx, edx
		jz	loc_5EF5D2

loc_53409E:				; CODE XREF: RtlpHpLfhSlotAllocate+BB810j
		mov	eax, [ebp-14h]
		test	eax, eax
		jnz	loc_5EF5E5

loc_5340A9:				; CODE XREF: RtlpHpLfhSlotAllocate+6CBj
					; RtlpHpLfhSlotAllocate+BB9F0j	...
		mov	edi, [ebp-8]

loc_5340AC:				; CODE XREF: RtlpHpLfhSlotAllocate+BBC98j
		mov	esi, [ebp-10h]
		mov	eax, [ebp-0Ch]

loc_5340B2:				; CODE XREF: RtlpHpLfhSlotAllocate+BBCA2j
		cmp	dword ptr [ebp-2Ch], 0
		jnz	loc_534BF7

loc_5340BC:				; CODE XREF: RtlpHpLfhSlotAllocate+E34j
		test	eax, eax
		jnz	loc_5351F6

loc_5340C4:				; CODE XREF: RtlpHpLfhSlotAllocate+1434j
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
; 

loc_5340D1:				; CODE XREF: RtlpHpLfhSlotAllocate+7Aj
					; RtlpHpLfhSlotAllocate+E22j
		mov	ecx, [ebp-8]
		mov	eax, [ebx+8]

loc_5340D7:				; CODE XREF: RtlpHpLfhSlotAllocate+59j
		cmp	edx, 2
		jnz	loc_5344DA
		mov	edi, [ebx+8]

loc_5340E3:				; CODE XREF: ExAllocateHeapPool+BC069j
		mov	eax, [ebp-1Ch]

loc_5340E6:				; CODE XREF: ExAllocateHeapPool+BC048j
		cmp	dword ptr [edi+4], 0
		lea	ecx, [edi+4]
		mov	[ebp-24h], ecx
		jbe	loc_534A2B
		test	eax, eax
		jz	loc_5EF21E
		mov	dword ptr [ebp-3Ch], 1000h

loc_534105:				; CODE XREF: RtlpHpLfhSlotAllocate+BB455j
		lea	ecx, [edi+0Ch]
		mov	edi, [ecx]
		mov	[ebp-20h], ecx
		mov	[ebp-10h], edi
		cmp	edi, ecx
		jz	loc_5EF252
		jmp	short loc_534120
; 
		align 10h

loc_534120:				; CODE XREF: RtlpHpLfhSlotAllocate+348j
					; RtlpHpLfhSlotAllocate+BB47Cj
		mov	ax, [edi+10h]
		mov	dword ptr [ebp-2Ch], 0
		movzx	esi, ax
		mov	edi, edi

loc_534130:				; CODE XREF: RtlpHpLfhSlotAllocate+1635j
					; RtlpHpLfhSlotAllocate+BB46Fj
		mov	eax, [ebp-3Ch]
		cmp	ax, si
		jb	loc_5EF22A
		movzx	eax, si
		mov	[ebp-28h], eax
		cmp	edx, 1
		jz	loc_5EF244

loc_53414B:				; CODE XREF: RtlpHpLfhSlotAllocate+BB460j
		mov	ecx, esi
		sub	ecx, eax
		mov	ax, si
		movzx	edx, cx
		lea	esi, [edi+10h]
		mov	cx, dx
		lock cmpxchg [esi], cx
		movzx	esi, ax
		mov	eax, [ebp-28h]
		movzx	ecx, ax
		mov	[ebp-48h], ecx
		lea	eax, [ecx+edx]
		cmp	esi, eax
		jnz	loc_535402
		cmp	word ptr [edi+10h], 0
		jnz	loc_5353A1
		movzx	eax, byte ptr [edi+16h]
		mov	esi, edi
		mov	[ebp-3Ch], esi
		test	eax, eax
		jnz	loc_5EF25F
		mov	edx, [ebp-24h]
		mov	ecx, edx

loc_534198:				; CODE XREF: RtlpHpLfhSlotAllocate+BB4A5j
					; RtlpHpLfhSlotAllocate+BB4B8j
		mov	eax, [ebx+8]
		add	eax, 14h
		mov	dword ptr [ebp-50h], 0
		cmp	dword ptr [ebp-20h], 0
		jz	short loc_5341D2
		mov	esi, [edi]
		cmp	[esi+4], edi
		jnz	loc_5EF810
		mov	edx, [edi+4]
		cmp	[edx], edi
		jnz	loc_5EF810
		mov	[edx], esi
		mov	[esi+4], edx
		mov	edx, [ebp-24h]
		mov	esi, [ebp-3Ch]
		test	ecx, ecx
		jz	short loc_5341D2
		dec	dword ptr [ecx]

loc_5341D2:				; CODE XREF: RtlpHpLfhSlotAllocate+3D9j
					; RtlpHpLfhSlotAllocate+3FEj
		mov	byte ptr [edi+16h], 1
		test	eax, eax
		jz	short loc_5341F1
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_5EF810
		mov	[edi], eax
		xor	esi, esi
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi

loc_5341F1:				; CODE XREF: RtlpHpLfhSlotAllocate+408j
		mov	ecx, [ebx+8]
		test	byte ptr [ecx],	1
		jnz	short loc_534202
		cmp	dword ptr [edx], 8
		ja	loc_5EF28D

loc_534202:				; CODE XREF: RtlpHpLfhSlotAllocate+427j
					; RtlpHpLfhSlotAllocate+BB4E4j
		test	esi, esi
		jnz	loc_5EF2B9

loc_53420A:				; CODE XREF: RtlpHpLfhSlotAllocate+15D4j
					; RtlpHpLfhSlotAllocate+BB4EDj	...
		cmp	word ptr [ebp-28h], 1
		mov	edx, [ebp-14h]
		jbe	short loc_534224
		mov	eax, [ebp-48h]
		dec	eax
		xor	eax, edi
		and	eax, 0FFFh
		xor	eax, edi
		mov	[ecx+1Ch], eax

loc_534224:				; CODE XREF: RtlpHpLfhSlotAllocate+442j
					; RtlpHpLfhSlotAllocate+BB48Aj
		mov	eax, [ebp-8]
		lea	esi, [ecx+8]
		mov	[ebp-44h], esi
		mov	al, [eax+1Dh]
		cmp	edx, 2
		jnz	loc_5EF2CF
		test	al, al
		jz	loc_534530
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_534247:				; CODE XREF: RtlpHpLfhSlotAllocate+BB538j
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_534250:				; CODE XREF: RtlpHpLfhSlotAllocate+796j
					; RtlpHpLfhSlotAllocate+BB52Dj
		test	edi, edi
		jz	loc_5EF30D
		movzx	eax, word ptr [edi+12h]
		lea	edx, [edi+20h]
		movzx	ecx, byte ptr [edi+17h]
		mov	esi, [edi+18h]
		add	ecx, eax
		mov	eax, [ebx+8]
		add	ecx, ecx
		mov	[ebp-48h], ecx
		mov	[ebp-38h], edx
		movzx	eax, byte ptr [eax+1]
		movzx	eax, ds:_RtlpSearchWidth[eax]
		mov	[ebp-28h], eax
		mov	eax, edi
		shr	eax, 0Ch
		xor	esi, eax
		mov	[ebp-50h], eax
		xor	esi, dword_6BEC64
		movzx	eax, si
		cmp	[ebx+0Ch], eax
		mov	[ebp-44h], esi
		sbb	eax, eax
		mov	[ebp-34h], esi
		and	eax, 2
		inc	eax
		mov	[ebp-80h], eax
		mov	eax, [ebp-8]
		test	byte ptr [eax+22h], 2
		jnz	loc_5EF817
		call	_RtlpLfhIncrementDataSlot@0 ; RtlpLfhIncrementDataSlot()
		movzx	eax, ax
		movzx	edx, byte ptr _RtlpLowFragHeapRandomData[eax]
		mov	[ebp-20h], edx
		lea	edx, [edi+20h]

loc_5342C8:				; CODE XREF: RtlpHpLfhSlotAllocate+BBA4Ej
		movzx	eax, word ptr [edi+14h]
		mov	edi, [ebp-48h]
		add	eax, eax
		mov	esi, [ebp-28h]
		shr	eax, 5
		mov	dword ptr [ebp-84h], 0
		lea	ecx, [edx+eax*4]
		lea	eax, [edi-1]
		shr	eax, 5
		lea	eax, [edx+eax*4]
		mov	[ebp-3Ch], eax

loc_5342F0:				; CODE XREF: RtlpHpLfhSlotAllocate+16B7j
		mov	[ebp-18h], ecx

loc_5342F3:				; CODE XREF: RtlpHpLfhSlotAllocate+16AEj
		cmp	edi, 20h
		jb	loc_53498E
		mov	edx, [ecx]
		mov	eax, edx
		and	eax, 55555555h
		mov	[ebp-24h], edx
		cmp	eax, 55555555h
		jz	loc_5349A1

loc_534313:				; CODE XREF: RtlpHpLfhSlotAllocate+C01j
		cmp	ecx, [ebp-3Ch]
		jz	loc_5345E8

loc_53431C:				; CODE XREF: RtlpHpLfhSlotAllocate+81Dj
					; RtlpHpLfhSlotAllocate+825j ...
		mov	ecx, esi
		imul	ecx, [ebp-20h]
		shr	ecx, 7
		and	ecx, 1FFFFFEh
		mov	[ebp-20h], ecx
		mov	edi, edi

loc_534330:				; CODE XREF: RtlpHpLfhSlotAllocate+BBA5Bj
		not	edx
		cmp	esi, 20h
		jb	loc_534605
		mov	eax, 55555555h

loc_534340:				; CODE XREF: RtlpHpLfhSlotAllocate+862j
		and	edx, eax
		ror	edx, cl
		bsf	eax, edx
		mov	edx, [ebp-80h]
		add	eax, ecx
		and	eax, 1Fh
		mov	ecx, eax
		mov	[ebp-70h], eax
		shl	edx, cl
		mov	ecx, [ebp-18h]
		mov	[ebp-84h], eax
		mov	eax, [ebp-24h]
		or	edx, eax
		lock cmpxchg [ecx], edx
		cmp	eax, [ebp-24h]
		jnz	loc_53545E
		sub	ecx, [ebp-38h]
		mov	esi, [ebp-44h]
		mov	edi, [ebp-10h]
		sar	ecx, 2
		shl	ecx, 5
		add	ecx, [ebp-70h]
		shr	ecx, 1
		movzx	eax, si
		mov	esi, ecx
		imul	esi, eax
		mov	[ebp-88h], eax
		movzx	eax, word ptr [ebp-32h]
		mov	[ebp-18h], ecx
		mov	[edi+14h], cx
		add	esi, eax
		cmp	byte ptr [edi+1Dh], 1
		mov	[ebp-1Ch], esi
		jbe	loc_534482
		movzx	ecx, byte ptr [edi+1Ch]
		mov	edx, esi
		movzx	eax, word ptr [edi+1Eh]
		add	eax, edi
		shr	edx, cl
		mov	dword ptr [ebp-4Ch], 0
		mov	byte ptr [ebp-4], 0FFh
		mov	dword ptr [ebp-34h], 0
		lea	eax, [eax+edx*2]
		mov	dword ptr [ebp-20h], 0FFFFFFFFh
		mov	[ebp-3Ch], eax
		lea	esi, [edx+edx]
		mov	eax, [ebp-50h]
		mov	[ebp-80h], esi
		movzx	esi, ax
		movzx	eax, word ptr [edi+18h]
		xor	esi, eax
		mov	dword ptr [ebp-38h], 0
		movzx	eax, word ptr dword_6BEC64
		xor	esi, eax
		mov	[ebp-44h], esi
		mov	eax, esi
		mov	esi, [ebp-1Ch]
		dec	eax
		add	eax, esi
		shr	eax, cl
		xor	ecx, ecx
		sub	eax, edx
		mov	[ebp-24h], ecx
		mov	edx, [ebp-3Ch]
		inc	eax
		lea	eax, [edx+eax*2]
		mov	[ebp-70h], eax
		cmp	edx, eax
		jnb	short loc_534482
		mov	esi, [ebp-80h]
		mov	byte ptr [ebp-2], 0FFh

loc_534425:				; CODE XREF: RtlpHpLfhSlotAllocate+68Cj
		mov	ax, [edx]
		movzx	eax, ax

loc_53442B:				; CODE XREF: RtlpHpLfhSlotAllocate+67Bj
					; RtlpHpLfhSlotAllocate+C56j
		mov	[ebp-28h], eax
		test	ax, ax
		jle	loc_5349FA
		inc	eax
		movzx	ecx, ax
		mov	ax, [ebp-28h]
		lock cmpxchg [edx], cx
		movzx	eax, ax
		cmp	ax, [ebp-28h]
		jnz	short loc_53442B
		mov	ecx, [ebp-24h]

loc_534450:				; CODE XREF: RtlpHpLfhSlotAllocate+E86j
		add	edx, 2
		add	esi, 2
		mov	[ebp-3Ch], edx
		cmp	edx, [ebp-70h]
		jb	short loc_534425
		mov	esi, [ebp-1Ch]
		test	ecx, ecx
		jnz	loc_534C5B

loc_534469:				; CODE XREF: RtlpHpLfhSlotAllocate+E92j
		mov	edx, [ebp-8]

loc_53446C:				; CODE XREF: RtlpHpLfhSlotAllocate+EBCj
		mov	eax, [ebp-20h]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_534E6A
		cmp	dword ptr [ebp-34h], 0
		jnz	loc_534D56

loc_534482:				; CODE XREF: RtlpHpLfhSlotAllocate+5D7j
					; RtlpHpLfhSlotAllocate+64Cj ...
		mov	eax, [ebx+0Ch]
		lea	edx, [esi+edi]
		mov	esi, [ebp-88h]
		mov	[ebp-10h], edx
		cmp	eax, esi
		jb	loc_5346D0

loc_534499:				; CODE XREF: RtlpHpLfhSlotAllocate+92Bj
					; RtlpHpLfhSlotAllocate+BBC78j
		test	edx, edx
		jnz	loc_5340A9
		jmp	loc_5EFA57
; 

loc_5344A6:				; CODE XREF: RtlpHpLfhSlotAllocate+138j
		mov	edx, [ebp-28h]
		lea	esp, [esp+0]

loc_5344B0:				; CODE XREF: RtlpHpLfhSlotAllocate+6FAj
		cmp	ecx, edx
		jz	loc_534F82
		add	ecx, 4

loc_5344BB:				; CODE XREF: RtlpHpLfhSlotAllocate+11B5j
		mov	eax, [ecx]
		mov	[ebp-10h], eax
		and	eax, 55555555h
		cmp	eax, 55555555h
		jz	short loc_5344B0
		mov	edx, [ebp-20h]
		mov	esi, [ebp-38h]
		mov	[ebp-18h], ecx
		jmp	loc_533F0E
; 

loc_5344DA:				; CODE XREF: RtlpHpLfhSlotAllocate+30Aj
		movzx	edx, byte ptr [ecx+1Dh]
		lea	ecx, [eax+8]
		mov	dword ptr [ebp-14h], 2
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	ecx, [ebp-8]
		mov	edx, 2
		mov	[ebp-1], al
		mov	eax, [ebx+8]
		jmp	loc_533E21
; 

loc_534500:				; CODE XREF: RtlpHpLfhSlotAllocate+2BDj
		sub	esi, eax
		mov	eax, [ebp-48h]
		movzx	ecx, ax
		movzx	eax, word ptr dword_6BEC64
		xor	ecx, eax
		movzx	eax, word ptr [edi+18h]
		xor	ecx, eax
		cmp	esi, 1
		jz	loc_5EF5C8
		and	esi, 3FFFh

loc_534526:				; CODE XREF: RtlpHpLfhSlotAllocate+BB7FDj
		mov	[ecx+edx-2], si
		jmp	loc_534093
; 

loc_534530:				; CODE XREF: RtlpHpLfhSlotAllocate+46Bj
		mov	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_534546
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_534546:				; CODE XREF: RtlpHpLfhSlotAllocate+76Dj
		xor	edi, edi
		mov	[ebp-38h], edi
		test	esi, 7FFFFFFCh
		jnz	loc_5346A9

loc_534557:				; CODE XREF: RtlpHpLfhSlotAllocate+AC5j
					; RtlpHpLfhSlotAllocate+AD1j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp-10h]
		jmp	loc_534250
; 

loc_53456B:				; CODE XREF: RtlpHpLfhSlotAllocate+141j
		mov	eax, esi
		and	eax, 1Fh
		jz	loc_533F17
		cmp	eax, [ebp-24h]
		jnb	loc_533F17
		mov	[ebp-24h], eax
		jmp	loc_533F17
; 

loc_534587:				; CODE XREF: RtlpHpLfhSlotAllocate+168j
		and	eax, 55555555h
		mov	dword ptr [ebp-1Ch], 1
		shl	dword ptr [ebp-1Ch], cl
		dec	dword ptr [ebp-1Ch]
		bsf	eax, eax
		mov	ecx, eax
		add	edx, eax
		shl	dword ptr [ebp-1Ch], cl
		mov	ecx, [ebp-1Ch]
		mov	eax, [ebp-50h]
		and	ecx, 55555555h
		mov	[ebp-20h], edx
		jmp	loc_533F43
; 

loc_5345B7:				; CODE XREF: RtlpHpLfhSlotAllocate+261j
		cmp	dword ptr [ebp-38h], 0
		jnz	loc_53466D
		mov	eax, [ebp-8]
		lea	ecx, [edi+0Ch]
		mov	dword ptr [ebp-38h], 1
		movzx	edx, byte ptr [eax+1Dh]
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	edx, [ebp-10h]
		mov	[ebp-2], al
		mov	cx, [edx]
		movzx	eax, cx
		jmp	loc_53402B
; 

loc_5345E8:				; CODE XREF: RtlpHpLfhSlotAllocate+546j
		mov	eax, edi
		and	eax, 1Fh
		jz	loc_53431C
		cmp	eax, esi
		jnb	loc_53431C
		mov	esi, eax
		mov	[ebp-28h], esi
		jmp	loc_53431C
; 

loc_534605:				; CODE XREF: RtlpHpLfhSlotAllocate+565j
		mov	eax, edx
		mov	dword ptr [ebp-1Ch], 1
		and	eax, 55555555h
		bsf	eax, eax
		add	ecx, eax
		mov	[ebp-20h], ecx
		mov	ecx, esi
		shl	dword ptr [ebp-1Ch], cl
		mov	ecx, eax
		dec	dword ptr [ebp-1Ch]
		mov	eax, [ebp-1Ch]
		shl	eax, cl
		mov	ecx, [ebp-20h]
		and	eax, 55555555h
		jmp	loc_534340
; 

loc_534637:				; CODE XREF: RtlpHpLfhSlotAllocate+293j
		test	byte ptr _RtlpHpLfhPerfFlags, 20h
		jz	loc_534069
		mov	cl, [edi+1Ch]
		mov	eax, [ebp-20h]
		shl	eax, cl
		cdq
		and	edx, 0FFFh
		add	eax, edx
		mov	edx, [ebp-8]
		sar	eax, 0Ch
		movsx	ecx, word ptr [edx+1Eh]
		add	ecx, 0Ch
		add	ecx, edx
		lock xadd [ecx], eax
		jmp	loc_534069
; 

loc_53466D:				; CODE XREF: RtlpHpLfhSlotAllocate+7EBj
		mov	ecx, [ebp-20h]
		test	ax, ax
		jnz	loc_534909
		dec	ecx
		mov	[ebp-20h], ecx

loc_53467D:				; CODE XREF: RtlpHpLfhSlotAllocate+B4Bj
					; RtlpHpLfhSlotAllocate+B5Aj
		inc	eax
		mov	[edx], ax
		jmp	loc_534050
; 

loc_534686:				; CODE XREF: RtlpHpLfhSlotAllocate+2A9j
		mov	eax, [ebp-8]
		lea	ecx, [edi+0Ch]
		mov	[ebp-24h], ecx
		cmp	byte ptr [eax+1Dh], 0
		jz	short loc_534700
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_53407F
; 

loc_5346A9:				; CODE XREF: RtlpHpLfhSlotAllocate+781j
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp-14h], eax
		cmp	esi, edx
		jnb	loc_53476B

loc_5346C5:				; CODE XREF: RtlpHpLfhSlotAllocate+1642j
					; RtlpHpLfhSlotAllocate+1655j
		or	ecx, 0FFFFFFFFh
		mov	[ebp-48h], ecx
		jmp	loc_53478B
; 

loc_5346D0:				; CODE XREF: RtlpHpLfhSlotAllocate+6C3j
		sub	esi, eax
		mov	eax, [ebp-50h]
		movzx	ecx, ax
		movzx	eax, word ptr [edi+18h]
		xor	ecx, eax
		movzx	eax, word ptr dword_6BEC64
		xor	ecx, eax
		cmp	esi, 1
		jz	loc_5EFA4D
		and	esi, 3FFFh

loc_5346F6:				; CODE XREF: RtlpHpLfhSlotAllocate+BBC82j
		mov	[ecx+edx-2], si
		jmp	loc_534499
; 

loc_534700:				; CODE XREF: RtlpHpLfhSlotAllocate+8C3j
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_534715
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-24h]

loc_534715:				; CODE XREF: RtlpHpLfhSlotAllocate+93Bj
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	esi, dword_6D07D0
		xor	edi, edi
		shr	edx, 15h
		cmp	ecx, esi
		mov	[ebp-70h], esi
		mov	esi, [ebp-28h]
		mov	[ebp-38h], edi
		mov	[ebp-10h], eax
		jnb	loc_534A5C

loc_53473C:				; CODE XREF: RtlpHpLfhSlotAllocate+C93j
		cmp	ecx, [ebp-70h]
		jb	short loc_53474E
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jz	loc_534A69

loc_53474E:				; CODE XREF: RtlpHpLfhSlotAllocate+96Fj
		or	edx, 0FFFFFFFFh
		mov	[ebp-44h], edx
		jmp	loc_534A7C
; 

loc_534759:				; CODE XREF: RtlpHpLfhSlotAllocate+123j
		cmp	esi, [ebp-24h]
		jnb	short loc_534761
		mov	[ebp-24h], esi

loc_534761:				; CODE XREF: RtlpHpLfhSlotAllocate+98Cj
		mov	eax, [ecx]
		mov	[ebp-10h], eax
		jmp	loc_533F1A
; 

loc_53476B:				; CODE XREF: RtlpHpLfhSlotAllocate+8EFj
		cmp	byte ptr dword_6D3994[ecx], 1
		jnz	loc_535410

loc_534778:				; CODE XREF: RtlpHpLfhSlotAllocate+164Fj
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp-48h], eax
		mov	eax, [ebp-14h]

loc_53478B:				; CODE XREF: RtlpHpLfhSlotAllocate+8FBj
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	dl, [eax+1E6h]
		mov	[ebp-2], dl
		mov	edx, esi
		push	ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[ebp-50h], edx
		test	edx, edx
		jnz	short loc_534814
		mov	ecx, [ebp-14h]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_5348CC

loc_5347C7:				; CODE XREF: RtlpHpLfhSlotAllocate+AB4j
					; RtlpHpLfhSlotAllocate+AF7j
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-50h], eax
		jz	loc_53488C
		test	edi, 8000h
		jz	short loc_5347F0
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp-14h]

loc_5347F0:				; CODE XREF: RtlpHpLfhSlotAllocate+A14j
		test	byte ptr [ebp-36h], 1
		jz	short loc_534800
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_534800:				; CODE XREF: RtlpHpLfhSlotAllocate+A24j
		test	edi, 7FFFh
		jnz	loc_5348DD
		mov	edi, [ebp-14h]
		jmp	loc_5348EF
; 

loc_534814:				; CODE XREF: RtlpHpLfhSlotAllocate+9E4j
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jge	short loc_53482C
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp-50h]

loc_53482C:				; CODE XREF: RtlpHpLfhSlotAllocate+A50j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-38h], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [ebp-14h]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	byte ptr [ebp-2], 1
		mov	[ebp-3Ch], eax
		jnz	short loc_5348B1
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [ebp-3Ch]
		bts	eax, edx
		mov	[ecx+1E4h], al
		jmp	loc_5347C7
; 

loc_534889:				; CODE XREF: RtlpHpLfhSlotAllocate+B29j
					; RtlpHpLfhSlotAllocate+B37j
		mov	ecx, [ebp-14h]

loc_53488C:				; CODE XREF: RtlpHpLfhSlotAllocate+A08j
		nop
		add	word ptr [ecx+13Eh], 1
		jnz	loc_534557
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	loc_534557
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_534557
; 

loc_5348B1:				; CODE XREF: RtlpHpLfhSlotAllocate+A9Fj
		mov	ecx, [ebp-3Ch]
		mov	al, 1
		shl	al, cl
		mov	ecx, [ebp-14h]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp-44h]
		jmp	loc_5347C7
; 

loc_5348CC:				; CODE XREF: RtlpHpLfhSlotAllocate+9F1j
		push	0
		push	dword ptr [ebp-48h]
		push	esi
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5348DD:				; CODE XREF: RtlpHpLfhSlotAllocate+A36j
		and	edi, 7FFFh
		mov	edx, edi
		mov	edi, [ebp-14h]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5348EF:				; CODE XREF: RtlpHpLfhSlotAllocate+A3Fj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_534889
		push	dword ptr [ebp-50h]
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_534889
; 

loc_534909:				; CODE XREF: RtlpHpLfhSlotAllocate+8A3j
		mov	edx, esi
		inc	ecx
		sar	edx, 1
		cmp	dword ptr [ebp-24h], 0FFFFFFFFh
		mov	[ebp-34h], edx
		mov	edx, [ebp-10h]
		mov	[ebp-20h], ecx
		jnz	loc_53467D
		mov	ecx, [ebp-34h]
		mov	[ebp-24h], ecx
		mov	ecx, [ebp-20h]
		jmp	loc_53467D
; 

loc_53492F:				; CODE XREF: RtlpHpLfhSlotAllocate+29Fj
		mov	cl, [ebp-2]
		mov	eax, [ebp-34h]
		sub	eax, edx
		mov	[ebp-3], cl
		movzx	ecx, byte ptr [edi+1Ch]
		inc	eax
		shl	edx, cl
		mov	[ebp-24h], edx
		mov	edx, [ebp-8]
		mov	[ebp-40h], eax
		shl	eax, cl
		push	eax
		mov	ecx, [edx]
		mov	edx, [edx+0Ch]
		xor	edx, _RtlpHpHeapGlobals
		xor	edx, [ebp-8]
		mov	[ebp-70h], eax
		mov	eax, [ebp-24h]
		add	eax, edi
		push	eax
		push	ecx
		call	edx
		mov	edx, edi
		test	eax, eax
		js	loc_5EF3B7
		mov	ecx, [ebp-8]
		lea	eax, [ebp-3]
		push	eax
		push	1
		lea	eax, [ebp-40h]
		push	eax
		push	dword ptr [ebp-70h]
		push	dword ptr [ebp-24h]
		call	RtlpHpLfhSubsegmentIncBlockCounts
		jmp	loc_53407F
; 

loc_53498E:				; CODE XREF: RtlpHpLfhSlotAllocate+526j
		cmp	edi, esi
		jnb	short loc_534997
		mov	esi, edi
		mov	[ebp-28h], esi

loc_534997:				; CODE XREF: RtlpHpLfhSlotAllocate+BC0j
		mov	edx, [ecx]
		mov	[ebp-24h], edx
		jmp	loc_53431C
; 

loc_5349A1:				; CODE XREF: RtlpHpLfhSlotAllocate+53Dj
		mov	esi, [ebp-38h]
		mov	edx, [ebp-3Ch]

loc_5349A7:				; CODE XREF: RtlpHpLfhSlotAllocate+BF3j
		cmp	ecx, edx
		jz	loc_5353FB
		add	ecx, 4

loc_5349B2:				; CODE XREF: RtlpHpLfhSlotAllocate+162Dj
		mov	edi, [ecx]
		mov	eax, edi
		and	eax, 55555555h
		mov	[ebp-24h], edi
		cmp	eax, 55555555h
		jz	short loc_5349A7
		mov	edi, [ebp-48h]
		mov	edx, [ebp-24h]
		mov	esi, [ebp-28h]
		mov	[ebp-18h], ecx
		jmp	loc_534313
; 

loc_5349D6:				; CODE XREF: RtlpHpLfhSlotAllocate+19Fj
		mov	ecx, edx
		and	ecx, 55555555h
		cmp	ecx, 55555555h
		jz	loc_534BC1
		mov	ecx, [ebp-24h]
		mov	eax, edx
		mov	edx, [ebp-20h]
		mov	[ebp-10h], eax
		jmp	loc_533F30
; 

loc_5349FA:				; CODE XREF: RtlpHpLfhSlotAllocate+661j
		cmp	dword ptr [ebp-34h], 0
		jnz	loc_534C42
		mov	eax, [ebp-8]
		lea	ecx, [edi+0Ch]
		mov	dword ptr [ebp-34h], 1
		movzx	edx, byte ptr [eax+1Dh]
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	edx, [ebp-3Ch]
		mov	[ebp-2], al
		mov	cx, [edx]
		movzx	eax, cx
		jmp	loc_53442B
; 

loc_534A2B:				; CODE XREF: RtlpHpLfhSlotAllocate+320j
		mov	eax, [ebp-8]
		lea	esi, [edi+8]
		mov	[ebp-20h], esi
		mov	al, [eax+1Dh]
		cmp	edx, 2
		jnz	loc_5EF335
		test	al, al
		jz	loc_534D04
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_534A4E:				; CODE XREF: RtlpHpLfhSlotAllocate+BB59Ej
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_534CA0
; 

loc_534A5C:				; CODE XREF: RtlpHpLfhSlotAllocate+966j
		cmp	byte ptr dword_6D3994[edx], 1
		jnz	loc_53473C

loc_534A69:				; CODE XREF: RtlpHpLfhSlotAllocate+978j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp-44h], eax
		mov	eax, [ebp-10h]

loc_534A7C:				; CODE XREF: RtlpHpLfhSlotAllocate+984j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	[ebp-2], cl
		mov	ecx, eax
		push	edx
		mov	edx, [ebp-24h]
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[ebp-70h], edx
		test	edx, edx
		jnz	short loc_534ACB
		mov	ecx, [ebp-10h]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_534B3F
		push	edx
		push	dword ptr [ebp-44h]
		push	dword ptr [ebp-24h]
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_534ACB:				; CODE XREF: RtlpHpLfhSlotAllocate+CD6j
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jge	short loc_534AE3
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp-70h]

loc_534AE3:				; CODE XREF: RtlpHpLfhSlotAllocate+D07j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-38h], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [ebp-10h]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	byte ptr [ebp-2], 1
		mov	[ebp-44h], eax
		jnz	loc_534D7A
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [ebp-44h]
		bts	eax, edx
		mov	[ecx+1E4h], al

loc_534B3F:				; CODE XREF: RtlpHpLfhSlotAllocate+CE3j
					; RtlpHpLfhSlotAllocate+FC0j
		nop
		mov	eax, [ebp-10h]
		mov	ecx, edi
		dec	byte ptr [eax+1E6h]
		and	ecx, 1FFFFh
		mov	[ebp-70h], ecx
		jz	short loc_534B93
		test	edi, 8000h
		jz	short loc_534B6A
		xor	edx, edx
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp-10h]

loc_534B6A:				; CODE XREF: RtlpHpLfhSlotAllocate+D8Cj
		test	byte ptr [ebp-36h], 1
		jz	short loc_534B7C
		mov	edx, 1
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_534B7C:				; CODE XREF: RtlpHpLfhSlotAllocate+D9Ej
		test	edi, 7FFFh
		jnz	loc_534D95
		mov	edi, [ebp-10h]
		jmp	loc_534DA7
; 

loc_534B90:				; CODE XREF: RtlpHpLfhSlotAllocate+FE1j
					; RtlpHpLfhSlotAllocate+FF4j
		mov	eax, [ebp-10h]

loc_534B93:				; CODE XREF: RtlpHpLfhSlotAllocate+D84j
		nop
		add	word ptr [eax+13Eh], 1
		jz	short loc_534BB2

loc_534B9E:				; CODE XREF: RtlpHpLfhSlotAllocate+DE8j
					; RtlpHpLfhSlotAllocate+DEFj
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp-3Ch]
		jmp	loc_53407F
; 

loc_534BB2:				; CODE XREF: RtlpHpLfhSlotAllocate+DCCj
		nop
		add	eax, 70h
		cmp	[eax], eax
		jz	short loc_534B9E
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_534B9E
; 

loc_534BC1:				; CODE XREF: RtlpHpLfhSlotAllocate+C14j
		mov	ecx, [ebp-18h]
		mov	edx, [ebp-20h]
		add	ecx, 4
		mov	[ebp-18h], ecx
		cmp	ecx, [ebp-28h]
		jbe	loc_533EF0
		lea	ecx, [edi+20h]
		jmp	loc_533EE5
; 

loc_534BDE:				; CODE XREF: RtlpHpLfhSlotAllocate+6Bj
		mov	dword ptr [ebp-2Ch], 1
		mov	edi, eax
		test	eax, 0FFFh
		jnz	loc_533E30
		jmp	loc_5340D1
; 

loc_534BF7:				; CODE XREF: RtlpHpLfhSlotAllocate+2E6j
		mov	edx, [ebp-30h]
		mov	ecx, edi
		call	RtlpHpLfhBucketUpdateAffinityMapping
		mov	eax, [ebp-0Ch]
		jmp	loc_5340BC
; 

loc_534C09:				; CODE XREF: RtlpHpLfhSlotAllocate+82j
		mov	eax, [ebp-8]
		mov	ecx, [ebx+8]
		add	ecx, 8
		mov	[ebp-24h], ecx
		mov	al, [eax+1Dh]
		cmp	edx, 2
		jnz	loc_5EF373
		test	al, al
		jz	loc_534DC9
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_534C2F:				; CODE XREF: RtlpHpLfhSlotAllocate+BB5DBj
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_534C38:				; CODE XREF: RtlpHpLfhSlotAllocate+BB5D0j
		xor	eax, eax
		mov	[ebp-14h], eax
		jmp	loc_533E58
; 

loc_534C42:				; CODE XREF: RtlpHpLfhSlotAllocate+C2Ej
		mov	ecx, [ebp-24h]
		test	ax, ax
		jnz	loc_534E44
		dec	ecx
		mov	[ebp-24h], ecx

loc_534C52:				; CODE XREF: RtlpHpLfhSlotAllocate+1086j
					; RtlpHpLfhSlotAllocate+1095j
		inc	eax
		mov	[edx], ax
		jmp	loc_534450
; 

loc_534C5B:				; CODE XREF: RtlpHpLfhSlotAllocate+693j
		test	byte ptr _RtlpHpLfhPerfFlags, 20h
		jz	loc_534469
		mov	cl, [edi+1Ch]
		mov	eax, [ebp-24h]
		shl	eax, cl
		cdq
		and	edx, 0FFFh
		add	eax, edx
		mov	edx, [ebp-8]
		sar	eax, 0Ch
		movsx	ecx, word ptr [edx+1Eh]
		add	ecx, 0Ch
		add	ecx, edx
		lock xadd [ecx], eax
		jmp	loc_53446C
; 

loc_534C91:				; CODE XREF: RtlpHpLfhSlotAllocate+F55j
					; RtlpHpLfhSlotAllocate+123Cj
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebx+8]

loc_534CA0:				; CODE XREF: RtlpHpLfhSlotAllocate+C87j
					; RtlpHpLfhSlotAllocate+BB593j
		mov	eax, [ebp-8]
		mov	ecx, [ebp-30h]
		movzx	edx, byte ptr [eax+1Dh]
		call	_RtlpHpLfhBucketGetSubsegment@8	; RtlpHpLfhBucketGetSubsegment(x,x)
		mov	[ebp-0Ch], eax
		test	eax, eax
		jnz	short loc_534CCF
		push	dword ptr [ebx+10h]
		mov	edx, [ebp-30h]
		mov	ecx, [ebp-8]
		call	RtlpHpLfhSubsegmentCreate
		mov	[ebp-0Ch], eax
		test	eax, eax
		jz	loc_5EFA6D

loc_534CCF:				; CODE XREF: RtlpHpLfhSlotAllocate+EE4j
		mov	eax, [ebp-8]
		mov	ecx, esi
		mov	dword ptr [ebp-14h], 2
		movzx	edx, byte ptr [eax+1Dh]
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	edx, [ebp-0Ch]
		mov	ecx, edi
		mov	[ebp-1], al
		call	_RtlpHpLfhSlotAddSubsegment@8 ;	RtlpHpLfhSlotAddSubsegment(x,x)
		mov	ecx, [ebp-8]
		mov	edx, 2
		mov	[ebp-0Ch], eax
		mov	eax, [ebp-1Ch]
		jmp	loc_533E13
; 

loc_534D04:				; CODE XREF: RtlpHpLfhSlotAllocate+C72j
		mov	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_534D1A
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_534D1A:				; CODE XREF: RtlpHpLfhSlotAllocate+F41j
		xor	edi, edi
		mov	[ebp-3Ch], edi
		test	esi, 7FFFFFFCh
		jz	loc_534C91
		mov	eax, [ebp-20h]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp-44h], esi
		cmp	eax, edx
		jnb	loc_534F8A

loc_534D4B:				; CODE XREF: RtlpHpLfhSlotAllocate+165Cj
					; RtlpHpLfhSlotAllocate+166Fj
		or	ecx, 0FFFFFFFFh
		mov	[ebp-50h], ecx
		jmp	loc_534FAA
; 

loc_534D56:				; CODE XREF: RtlpHpLfhSlotAllocate+6ACj
		cmp	byte ptr [edx+1Dh], 0
		lea	ecx, [edi+0Ch]
		mov	[ebp-28h], ecx
		jz	loc_534E0A
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_534482
; 

loc_534D7A:				; CODE XREF: RtlpHpLfhSlotAllocate+D56j
		mov	esi, [ebp-10h]
		mov	al, 1
		mov	ecx, [ebp-44h]
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp-28h]
		jmp	loc_534B3F
; 

loc_534D95:				; CODE XREF: RtlpHpLfhSlotAllocate+DB2j
		and	edi, 7FFFh
		mov	edx, edi
		mov	edi, [ebp-10h]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_534DA7:				; CODE XREF: RtlpHpLfhSlotAllocate+DBBj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_534B90
		push	dword ptr [ebp-70h]
		mov	edx, [ebp-24h]
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_534B90
; 

loc_534DC9:				; CODE XREF: RtlpHpLfhSlotAllocate+E53j
		mov	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_534DE0
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-24h]

loc_534DE0:				; CODE XREF: RtlpHpLfhSlotAllocate+1006j
		xor	edi, edi
		mov	[ebp-34h], edi
		test	ecx, 7FFFFFFCh
		jnz	loc_534EC8

loc_534DF1:				; CODE XREF: RtlpHpLfhSlotAllocate+154Bj
					; RtlpHpLfhSlotAllocate+1557j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp-3Ch]
		xor	eax, eax
		mov	[ebp-14h], eax
		jmp	loc_533E58
; 

loc_534E0A:				; CODE XREF: RtlpHpLfhSlotAllocate+F90j
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_534E1F
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-28h]

loc_534E1F:				; CODE XREF: RtlpHpLfhSlotAllocate+1045j
		xor	edi, edi
		mov	[ebp-44h], edi
		test	ecx, 7FFFFFFCh
		jnz	loc_534EED

loc_534E30:				; CODE XREF: RtlpHpLfhSlotAllocate+1445j
					; RtlpHpLfhSlotAllocate+1451j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp-10h]
		jmp	loc_534482
; 

loc_534E44:				; CODE XREF: RtlpHpLfhSlotAllocate+E78j
		mov	edi, esi
		inc	ecx
		sar	edi, 1
		cmp	dword ptr [ebp-20h], 0FFFFFFFFh
		mov	[ebp-38h], edi
		mov	edi, [ebp-10h]
		mov	[ebp-24h], ecx
		jnz	loc_534C52
		mov	edi, [ebp-38h]
		mov	[ebp-20h], edi
		mov	edi, [ebp-10h]
		jmp	loc_534C52
; 

loc_534E6A:				; CODE XREF: RtlpHpLfhSlotAllocate+6A2j
		mov	edx, [ebp-38h]
		mov	cl, [ebp-2]
		sub	edx, eax
		inc	edx
		mov	[ebp-4], cl
		movzx	ecx, byte ptr [edi+1Ch]
		mov	[ebp-4Ch], edx
		shl	edx, cl
		mov	[ebp-48h], edx
		mov	edx, [ebp-8]
		push	dword ptr [ebp-48h]
		shl	eax, cl
		mov	[ebp-20h], eax
		add	eax, edi
		mov	ecx, [edx]
		mov	edx, [edx+0Ch]
		xor	edx, _RtlpHpHeapGlobals
		xor	edx, [ebp-8]
		push	eax
		push	ecx
		call	edx
		mov	edx, edi
		test	eax, eax
		js	loc_5EF830
		mov	ecx, [ebp-8]
		lea	eax, [ebp-4]
		push	eax
		push	1
		lea	eax, [ebp-4Ch]
		push	eax
		push	dword ptr [ebp-48h]
		push	dword ptr [ebp-20h]
		call	RtlpHpLfhSubsegmentIncBlockCounts
		jmp	loc_534482
; 

loc_534EC8:				; CODE XREF: RtlpHpLfhSlotAllocate+101Bj
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp-48h], esi
		cmp	ecx, edx
		jnb	loc_535231

loc_534EE5:				; CODE XREF: RtlpHpLfhSlotAllocate+1676j
					; RtlpHpLfhSlotAllocate+1689j
		or	eax, 0FFFFFFFFh
		jmp	loc_53524C
; 

loc_534EED:				; CODE XREF: RtlpHpLfhSlotAllocate+105Aj
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	esi, dword_6D07D0
		shr	edx, 15h
		cmp	ecx, esi
		mov	[ebp-80h], esi
		mov	esi, [ebp-1Ch]
		mov	[ebp-14h], eax
		jb	loc_535119
		cmp	byte ptr dword_6D3994[edx], 1
		jnz	loc_535119

loc_534F1C:				; CODE XREF: RtlpHpLfhSlotAllocate+1355j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp-48h], eax
		mov	eax, [ebp-14h]

loc_534F2F:				; CODE XREF: RtlpHpLfhSlotAllocate+1361j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	[ebp-2], cl
		mov	ecx, eax
		push	edx
		mov	edx, [ebp-28h]
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[ebp-80h], edx
		test	edx, edx
		jnz	loc_535136
		mov	ecx, [ebp-14h]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_5351AA
		push	edx
		push	dword ptr [ebp-48h]
		push	dword ptr [ebp-28h]
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_534F82:				; CODE XREF: RtlpHpLfhSlotAllocate+6E2j
		lea	ecx, [edi+20h]
		jmp	loc_5344BB
; 

loc_534F8A:				; CODE XREF: RtlpHpLfhSlotAllocate+F75j
		cmp	byte ptr dword_6D3994[ecx], 1
		jnz	loc_53542A

loc_534F97:				; CODE XREF: RtlpHpLfhSlotAllocate+1669j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp-50h], eax
		mov	eax, [ebp-20h]

loc_534FAA:				; CODE XREF: RtlpHpLfhSlotAllocate+F81j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp-2], dl
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp-48h], ecx
		test	ecx, ecx
		jnz	short loc_535011
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jz	loc_535106

loc_534FE3:				; CODE XREF: RtlpHpLfhSlotAllocate+12AAj
					; RtlpHpLfhSlotAllocate+1331j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-50h], eax
		jnz	loc_53507F

loc_534FFA:				; CODE XREF: RtlpHpLfhSlotAllocate+12F3j
					; RtlpHpLfhSlotAllocate+1306j
		nop
		add	word ptr [esi+13Eh], 1
		jz	loc_5350DB

loc_535009:				; CODE XREF: RtlpHpLfhSlotAllocate+1311j
					; RtlpHpLfhSlotAllocate+131Cj
		mov	esi, [ebp-20h]
		jmp	loc_534C91
; 

loc_535011:				; CODE XREF: RtlpHpLfhSlotAllocate+1203j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_535027
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp-48h]

loc_535027:				; CODE XREF: RtlpHpLfhSlotAllocate+124Dj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-3Ch], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp-2], 1
		jnz	loc_5350F1
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al
		jmp	loc_534FE3
; 

loc_53507F:				; CODE XREF: RtlpHpLfhSlotAllocate+1224j
		test	edi, 8000h
		jz	short loc_535090
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_535090:				; CODE XREF: RtlpHpLfhSlotAllocate+12B5j
		test	byte ptr [ebp-3Ah], 1
		jz	short loc_5350A2
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5350A2:				; CODE XREF: RtlpHpLfhSlotAllocate+12C4j
		test	edi, 7FFFh
		jz	short loc_5350B9
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5350B9:				; CODE XREF: RtlpHpLfhSlotAllocate+12D8j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_534FFA
		push	dword ptr [ebp-50h]
		mov	edx, [ebp-20h]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_534FFA
; 

loc_5350DB:				; CODE XREF: RtlpHpLfhSlotAllocate+1233j
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	loc_535009
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_535009
; 

loc_5350F1:				; CODE XREF: RtlpHpLfhSlotAllocate+1294j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp-44h]
		jmp	loc_534FE3
; 

loc_535106:				; CODE XREF: RtlpHpLfhSlotAllocate+120Dj
		push	0
		push	dword ptr [ebp-50h]
		push	dword ptr [ebp-20h]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_535119:				; CODE XREF: RtlpHpLfhSlotAllocate+1139j
					; RtlpHpLfhSlotAllocate+1146j
		cmp	ecx, [ebp-80h]
		jb	short loc_53512B
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jz	loc_534F1C

loc_53512B:				; CODE XREF: RtlpHpLfhSlotAllocate+134Cj
		or	edx, 0FFFFFFFFh
		mov	[ebp-48h], edx
		jmp	loc_534F2F
; 

loc_535136:				; CODE XREF: RtlpHpLfhSlotAllocate+1189j
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jge	short loc_53514E
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp-80h]

loc_53514E:				; CODE XREF: RtlpHpLfhSlotAllocate+1372j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-44h], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [ebp-14h]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	byte ptr [ebp-2], 1
		mov	[ebp-4Ch], eax
		jnz	loc_5353A9
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [ebp-4Ch]
		bts	eax, edx
		mov	[ecx+1E4h], al

loc_5351AA:				; CODE XREF: RtlpHpLfhSlotAllocate+119Aj
					; RtlpHpLfhSlotAllocate+15EFj
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-84h], eax
		jz	short loc_53520C
		test	edi, 8000h
		jz	short loc_5351D2
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp-14h]

loc_5351D2:				; CODE XREF: RtlpHpLfhSlotAllocate+13F6j
		test	byte ptr [ebp-42h], 1
		jz	short loc_5351E2
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5351E2:				; CODE XREF: RtlpHpLfhSlotAllocate+1406j
		test	edi, 7FFFh
		jnz	loc_5353C4
		mov	edi, [ebp-14h]
		jmp	loc_5353D6
; 

loc_5351F6:				; CODE XREF: RtlpHpLfhSlotAllocate+2EEj
		push	dword ptr [ebx+10h]
		mov	edx, [ebp-30h]
		mov	ecx, edi
		push	eax
		call	RtlpHpLfhBucketAddSubsegment
		jmp	loc_5340C4
; 

loc_535209:				; CODE XREF: RtlpHpLfhSlotAllocate+1610j
					; RtlpHpLfhSlotAllocate+1626j
		mov	ecx, [ebp-14h]

loc_53520C:				; CODE XREF: RtlpHpLfhSlotAllocate+13EEj
		nop
		add	word ptr [ecx+13Eh], 1
		jnz	loc_534E30
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	loc_534E30
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_534E30
; 

loc_535231:				; CODE XREF: RtlpHpLfhSlotAllocate+110Fj
		cmp	byte ptr dword_6D3994[eax], 1
		jnz	loc_535444

loc_53523E:				; CODE XREF: RtlpHpLfhSlotAllocate+1683j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp-24h]

loc_53524C:				; CODE XREF: RtlpHpLfhSlotAllocate+1118j
		dec	word ptr [esi+13Eh]
		mov	[ebp-38h], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp-2], dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp-50h], ecx
		test	ecx, ecx
		jnz	short loc_535296
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_5352FF
		push	ecx
		push	dword ptr [ebp-38h]
		push	dword ptr [ebp-24h]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_535296:				; CODE XREF: RtlpHpLfhSlotAllocate+14A8j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5352AC
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp-50h]

loc_5352AC:				; CODE XREF: RtlpHpLfhSlotAllocate+14D2j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-34h], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp-2], 1
		jnz	loc_53538C
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_5352FF:				; CODE XREF: RtlpHpLfhSlotAllocate+14B2j
					; RtlpHpLfhSlotAllocate+15CCj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-50h], eax
		jnz	short loc_535337

loc_535312:				; CODE XREF: RtlpHpLfhSlotAllocate+15ABj
					; RtlpHpLfhSlotAllocate+15BAj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	loc_534DF1
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	loc_534DF1
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_534DF1
; 

loc_535337:				; CODE XREF: RtlpHpLfhSlotAllocate+1540j
		test	edi, 8000h
		jz	short loc_535348
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_535348:				; CODE XREF: RtlpHpLfhSlotAllocate+156Dj
		test	byte ptr [ebp-32h], 1
		jz	short loc_53535A
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_53535A:				; CODE XREF: RtlpHpLfhSlotAllocate+157Cj
		test	edi, 7FFFh
		jz	short loc_535371
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_535371:				; CODE XREF: RtlpHpLfhSlotAllocate+1590j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_535312
		push	dword ptr [ebp-50h]
		mov	edx, [ebp-24h]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_535312
; 

loc_53538C:				; CODE XREF: RtlpHpLfhSlotAllocate+1519j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp-48h]
		jmp	loc_5352FF
; 

loc_5353A1:				; CODE XREF: RtlpHpLfhSlotAllocate+3ACj
					; RtlpHpLfhSlotAllocate+BB497j
		mov	ecx, [ebx+8]
		jmp	loc_53420A
; 

loc_5353A9:				; CODE XREF: RtlpHpLfhSlotAllocate+13C1j
		mov	ecx, [ebp-4Ch]
		mov	al, 1
		shl	al, cl
		mov	ecx, [ebp-14h]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp-1Ch]
		jmp	loc_5351AA
; 

loc_5353C4:				; CODE XREF: RtlpHpLfhSlotAllocate+1418j
		and	edi, 7FFFh
		mov	edx, edi
		mov	edi, [ebp-14h]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5353D6:				; CODE XREF: RtlpHpLfhSlotAllocate+1421j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_535209
		push	dword ptr [ebp-84h]
		mov	edx, [ebp-28h]
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_535209
; 

loc_5353FB:				; CODE XREF: RtlpHpLfhSlotAllocate+BD9j
		mov	ecx, esi
		jmp	loc_5349B2
; 

loc_535402:				; CODE XREF: RtlpHpLfhSlotAllocate+3A1j
		mov	edx, [ebp-14h]
		jnb	loc_534130
		jmp	loc_5EF235
; 

loc_535410:				; CODE XREF: RtlpHpLfhSlotAllocate+9A2j
		cmp	esi, edx
		jb	loc_5346C5
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_534778
		jmp	loc_5346C5
; 

loc_53542A:				; CODE XREF: RtlpHpLfhSlotAllocate+11C1j
		cmp	eax, edx
		jb	loc_534D4B
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_534F97
		jmp	loc_534D4B
; 

loc_535444:				; CODE XREF: RtlpHpLfhSlotAllocate+1468j
		cmp	ecx, edx
		jb	loc_534EE5
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_53523E
		jmp	loc_534EE5
; 

loc_53545E:				; CODE XREF: RtlpHpLfhSlotAllocate+59Bj
		mov	ecx, eax
		and	ecx, 55555555h
		cmp	ecx, 55555555h
		jnz	loc_5EF823
		mov	ecx, [ebp-18h]
		add	ecx, 4
		mov	[ebp-18h], ecx
		cmp	ecx, [ebp-3Ch]
		jbe	loc_5342F3
		mov	ecx, [ebp-38h]
		jmp	loc_5342F0
RtlpHpLfhSlotAllocate endp

; 
		align 10h

;  S U B	R O U T	I N E 


ExpAddTagForBigPages proc near		; CODE XREF: ExInsertPoolTag+50p
					; ExAllocateHeapPool+6E8p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005EFA77 SIZE 00000081 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ecx
		mov	[ebp-34h], edx
		shr	ecx, 0Ch
		mov	[ebp-2Ch], eax
		movzx	eax, cl
		shl	eax, 2
		push	esi
		mov	[ebp-28h], eax
		xor	esi, esi
		push	edi
		mov	edi, [ebx+0Ch]
		mov	eax, ecx
		shr	eax, 8
		shr	ecx, 10h
		and	edi, 20h
		mov	dword ptr [ebp-8], 0
		mov	[ebp-14h], esi
		mov	[ebp-10h], eax
		mov	[ebp-0Ch], ecx
		mov	[ebp-1Ch], edi

loc_5354E4:				; CODE XREF: ExpAddTagForBigPages+147j
					; ExpAddTagForBigPages+BA61Cj ...
		movzx	eax, al
		xor	eax, [ebp-28h]
		shl	eax, 2
		xor	eax, ecx
		mov	cl, 2
		imul	esi, eax, 2797Ch
		sar	esi, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[ebp-1], al
		jnz	loc_5EFA77
		mov	edx, _ExpLargePoolTableLock
		mov	edi, offset _ExpLargePoolTableLock
		and	edx, 7FFFFFFFh
		mov	eax, edx
		lea	ecx, [edx+1]
		lock cmpxchg [edi], ecx
		mov	edi, [ebp-1Ch]
		cmp	eax, edx
		jnz	loc_5356E6

loc_535535:				; CODE XREF: ExpAddTagForBigPages+263j
					; ExpAddTagForBigPages+BA5F3j
		test	edi, edi
		jnz	loc_535666
		mov	ecx, _PoolBigPageTable
		mov	eax, offset _ExpPoolBigEntriesInUse
		mov	edx, _PoolBigPageTableSize

loc_53554E:				; CODE XREF: ExpAddTagForBigPages+1ECj
		mov	[ebp-20h], eax
		mov	[ebp-24h], edx
		mov	[ebp-18h], ecx
		test	ecx, ecx
		jz	short loc_535591
		cmp	[eax], edx
		jz	short loc_535591
		lea	eax, [edx-1]
		mov	edi, edx
		and	esi, eax
		shl	edi, 4
		shl	esi, 4
		add	esi, ecx
		add	edi, ecx
		mov	eax, esi
		mov	[ebp-30h], eax

loc_535575:				; CODE XREF: ExpAddTagForBigPages+FCj
		mov	edx, [esi]
		test	dl, 1
		jnz	short loc_5355E2

loc_53557C:				; CODE XREF: ExpAddTagForBigPages+BA5FEj
		inc	dword ptr [ebp-14h]
		add	esi, 10h
		cmp	esi, edi
		jnb	loc_535681

loc_53558A:				; CODE XREF: ExpAddTagForBigPages+1F3j
		cmp	esi, eax
		jnz	short loc_535575
		mov	edi, [ebp-1Ch]

loc_535591:				; CODE XREF: ExpAddTagForBigPages+C9j
					; ExpAddTagForBigPages+CDj
		push	offset _ExpLargePoolTableLock
		call	ExTryConvertSharedSpinLockExclusive
		test	eax, eax
		jz	loc_5EFA93
		mov	ecx, [ebx+0Ch]
		lea	eax, [ebp-8]
		push	eax
		call	ExpResizeBigPageTable
		push	offset _ExpLargePoolTableLock
		mov	esi, eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	loc_5EFAEB
		mov	esi, [ebp-8]
		mov	ecx, [ebp-0Ch]
		mov	eax, [ebp-10h]
		test	esi, esi
		jz	loc_5354E4
		jmp	loc_5EFAB1
; 

loc_5355E2:				; CODE XREF: ExpAddTagForBigPages+EAj
		mov	ecx, [ebp-2Ch]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	loc_5EFA88
		mov	eax, [ebp-34h]
		mov	edi, [ebx+0Ch]
		movzx	ecx, word ptr [ebx+10h]
		mov	[esi+4], eax
		mov	al, [ebx+14h]
		mov	[esi+8], al
		mov	eax, edi
		and	eax, 0FFFh
		shl	ecx, 0Ch
		or	ecx, eax
		movzx	eax, byte ptr [esi+8]
		shl	ecx, 8
		or	ecx, eax
		mov	eax, [ebx+8]
		mov	[esi+0Ch], eax
		mov	eax, [ebp-20h]
		mov	[esi+8], ecx
		lock inc dword ptr [eax]
		cmp	dword ptr [ebp-14h], 10h
		jnb	short loc_535688

loc_535630:				; CODE XREF: ExpAddTagForBigPages+200j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _ExpLargePoolTableLock
		jnz	loc_5EFADE
		mov	eax, 0BFFFFFFFh
		lock and [ecx],	eax
		lock dec dword ptr [ecx]

loc_53564D:				; CODE XREF: ExpAddTagForBigPages+BA649j
					; ExpAddTagForBigPages+BA656j
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_535656:				; CODE XREF: ExpAddTagForBigPages+238j
					; ExpAddTagForBigPages+24Ej
		mov	eax, 1

loc_53565B:				; CODE XREF: ExpAddTagForBigPages+BA663j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	10h
; 

loc_535666:				; CODE XREF: ExpAddTagForBigPages+A7j
		mov	eax, dword_6D05D4
		mov	ecx, [eax+242Ch]
		mov	edx, [eax+2430h]
		add	eax, 23E4h
		jmp	loc_53554E
; 

loc_535681:				; CODE XREF: ExpAddTagForBigPages+F4j
		mov	esi, ecx
		jmp	loc_53558A
; 

loc_535688:				; CODE XREF: ExpAddTagForBigPages+19Ej
		mov	ecx, [ebp-24h]
		shr	ecx, 2
		cmp	[eax], ecx
		jbe	short loc_535630
		push	offset _ExpLargePoolTableLock
		call	ExTryConvertSharedSpinLockExclusive
		cmp	eax, 1
		jnz	loc_5EFACF
		lea	eax, [ebp-8]
		mov	ecx, edi
		push	eax
		call	ExpResizeBigPageTable
		push	offset _ExpLargePoolTableLock
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp-8]
		test	esi, esi
		jz	short loc_535656
		lea	ebx, [ebx+0]

loc_5356D0:				; CODE XREF: ExpAddTagForBigPages+254j
		mov	eax, esi
		mov	esi, [esi]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	loc_535656
		jmp	short loc_5356D0
; 

loc_5356E6:				; CODE XREF: ExpAddTagForBigPages+9Fj
		mov	dl, [ebp-1]
		mov	ecx, offset _ExpLargePoolTableLock
		call	ExpWaitForSpinLockSharedAndAcquire
		jmp	loc_535535
ExpAddTagForBigPages endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegFreeRangeInsert proc near	; CODE XREF: RtlpHpSegContextCompact+269p
					; RtlpHpSegPageRangeAllocate+405p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005EFAF8 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		mov	[ebp+var_4], esi
		jnz	short loc_53571F
		test	byte ptr [ebx+9], 10h
		jnz	loc_5EFAF8

loc_53571F:				; CODE XREF: RtlpHpSegFreeRangeInsert+13j
					; RtlpHpSegFreeRangeInsert+BA409j
		mov	eax, [ebx+54h]
		mov	edx, [esi+0Ch]
		mov	ecx, [ebx+50h]
		push	edi
		lea	edi, [ebx+50h]
		test	al, 1
		jz	short loc_535736
		test	ecx, ecx
		jz	short loc_535736
		xor	ecx, edi

loc_535736:				; CODE XREF: RtlpHpSegFreeRangeInsert+2Ej
					; RtlpHpSegFreeRangeInsert+32j
		movzx	esi, al
		and	esi, 1
		mov	byte ptr [ebp+arg_0], 0
		test	ecx, ecx
		jz	short loc_535778

loc_535744:				; CODE XREF: RtlpHpSegFreeRangeInsert+5Cj
		cmp	edx, [ecx+0Ch]
		jb	short loc_53575E
		mov	eax, [ecx+4]
		test	esi, esi
		jz	short loc_535756
		test	eax, eax
		jz	short loc_535774
		xor	eax, ecx

loc_535756:				; CODE XREF: RtlpHpSegFreeRangeInsert+4Ej
		test	eax, eax
		jz	short loc_535774

loc_53575A:				; CODE XREF: RtlpHpSegFreeRangeInsert+6Cj
		mov	ecx, eax
		jmp	short loc_535744
; 

loc_53575E:				; CODE XREF: RtlpHpSegFreeRangeInsert+47j
		mov	eax, [ecx]
		test	esi, esi
		jz	short loc_53576A
		test	eax, eax
		jz	short loc_53576E
		xor	eax, ecx

loc_53576A:				; CODE XREF: RtlpHpSegFreeRangeInsert+62j
		test	eax, eax
		jnz	short loc_53575A

loc_53576E:				; CODE XREF: RtlpHpSegFreeRangeInsert+66j
		mov	byte ptr [ebp+arg_0], 0
		jmp	short loc_535778
; 

loc_535774:				; CODE XREF: RtlpHpSegFreeRangeInsert+52j
					; RtlpHpSegFreeRangeInsert+58j
		mov	byte ptr [ebp+arg_0], 1

loc_535778:				; CODE XREF: RtlpHpSegFreeRangeInsert+42j
					; RtlpHpSegFreeRangeInsert+72j
		mov	esi, [ebp+var_4]
		push	esi
		push	[ebp+arg_0]
		push	ecx
		push	edi
		call	RtlRbInsertNodeEx
		mov	eax, [esi+0Ch]
		shr	eax, 8
		not	eax
		movzx	ecx, ax
		movsx	eax, word ptr [ebx+12h]
		add	eax, 8
		add	eax, ebx
		lock xadd [eax], ecx
		xor	eax, eax
		pop	edi

loc_5357A1:				; CODE XREF: RtlpHpSegFreeRangeInsert+BA419j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
RtlpHpSegFreeRangeInsert endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocatePool(x, x, x, x)
_MiAllocatePool@16 proc	near		; CODE XREF: NtGetWriteWatch+99Ap
					; MiStoreWriteModifiedPages+591p ...

var_8		= dword	ptr -8
var_2		= dword	ptr -2
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, large fs:20h
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+338h]
		mov	edi, edx
		mov	ebx, ecx
		mov	[ebp+var_8], 0
		lea	edx, [ebp+var_8]
		mov	byte ptr [ebp+var_2], 0
		mov	ecx, 1
		mov	byte ptr [ebp+var_2+1],	0
		movzx	esi, word ptr [eax+8Ah]
		lea	eax, [ebp+var_2+1]
		push	eax
		lea	eax, [ebp+var_2]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ExpPoolFlagsToPoolType
		test	eax, eax
		js	short loc_53583C
		xor	eax, eax
		cmp	byte ptr [ebp+var_2+1],	al
		jnz	short loc_535840

loc_535807:				; CODE XREF: MiAllocatePool(x,x,x,x)+95j
		cmp	byte ptr [ebp+var_2], 0
		jnz	short loc_535829
		mov	ecx, [ebp+var_8]
		or	esi, 80000000h
		push	eax
		push	esi
		push	edi
		mov	edx, ebx
		call	ExpAllocatePoolWithTagFromNode

loc_535820:				; CODE XREF: MiAllocatePool(x,x,x,x)+8Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_535829:				; CODE XREF: MiAllocatePool(x,x,x,x)+5Bj
		push	edi
		push	ebx
		push	[ebp+var_8]
		call	ExAllocatePoolWithQuotaTag
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_53583C:				; CODE XREF: MiAllocatePool(x,x,x,x)+4Ej
		xor	eax, eax
		jmp	short loc_535820
; 

loc_535840:				; CODE XREF: MiAllocatePool(x,x,x,x)+55j
		mov	eax, 1
		jmp	short loc_535807
_MiAllocatePool@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpAllocateHeap proc	near		; CODE XREF: RtlpHpMetadataAlloc(x,x,x,x,x)+5Dp
					; ExAllocateHeapPool+8E0p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005EFB1E SIZE 00000121 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ecx+0Ch]
		or	esi, eax
		mov	[esp+34h+var_24], edx
		push	edi
		mov	edi, [ecx+20h]
		and	esi, 93000F0Bh
		mov	eax, edi
		mov	[esp+38h+var_20], ecx
		test	eax, eax
		jnz	loc_5EFB1E
		mov	eax, dword_6BEC74
		test	eax, eax
		jnz	loc_5EFB1E

loc_535899:				; CODE XREF: RtlpHpAllocateHeap+BA2D0j
		xor	eax, eax
		mov	[esp+38h+var_28], eax
		mov	[esp+38h+var_18], eax
		test	esi, 1000000h
		jnz	short loc_5358BA
		mov	ebx, [ecx+10h]
		mov	[esp+38h+var_18], ebx
		test	ebx, ebx
		jnz	loc_5EFB47

loc_5358BA:				; CODE XREF: RtlpHpAllocateHeap+59j
					; RtlpHpAllocateHeap+BA32Fj
		lea	edi, [edx+eax]
		test	esi, 10000000h
		jnz	loc_5EFB84

loc_5358C9:				; CODE XREF: RtlpHpAllocateHeap+BA337j
		test	esi, 20000F08h
		jnz	loc_5EFB8C

loc_5358D5:				; CODE XREF: RtlpHpAllocateHeap+BA345j
		test	edi, edi
		jz	loc_5EFB9A

loc_5358DD:				; CODE XREF: RtlpHpAllocateHeap+BA34Fj
		cmp	edi, edx
		jb	loc_5359CA
		cmp	edx, 7FFFFFFFh
		ja	loc_5359CA
		movzx	eax, word ptr [ecx+2E0h]
		mov	ebx, esi
		sub	eax, 8
		and	ebx, 13000003h
		cmp	edi, eax
		jbe	loc_53598E

loc_53590B:				; CODE XREF: RtlpHpAllocateHeap+15Cj
		cmp	edi, 20000h
		ja	loc_5359B1
		lea	eax, [ecx+200h]
		xor	ecx, ecx
		mov	[esp+38h+var_10], ecx
		mov	[esp+38h+var_C], ecx
		mov	[esp+38h+var_8], ecx
		mov	[esp+38h+var_1C], ecx
		lea	ecx, [esp+38h+var_1C]
		push	ecx
		lea	ecx, [esp+3Ch+var_10]
		mov	[esp+3Ch+var_14], eax
		push	ecx
		push	ebx
		push	edi
		mov	ecx, eax
		call	RtlpHpVsContextAllocateInternal
		cmp	[esp+38h+var_1C], 0
		mov	[esp+38h+var_2C], eax
		jz	short loc_53596A
		test	bl, 1
		jnz	short loc_53596A
		mov	ecx, [esp+38h+var_14]
		lea	edx, [esp+38h+var_10]
		mov	ecx, [ecx+4]
		call	RtlpHpReleaseQueuedLockExclusive
		mov	eax, [esp+38h+var_2C]

loc_53596A:				; CODE XREF: RtlpHpAllocateHeap+FFj
					; RtlpHpAllocateHeap+104j ...
		test	eax, eax
		jz	short loc_53597A
		test	esi, 30000F08h
		jnz	loc_5EFBC7

loc_53597A:				; CODE XREF: RtlpHpAllocateHeap+11Cj
					; RtlpHpAllocateHeap+17Cj ...
		mov	ecx, [esp+38h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_53598E:				; CODE XREF: RtlpHpAllocateHeap+B5j
		push	ebx
		push	edi
		add	ecx, 2C0h
		call	RtlpHpLfhContextAllocate
		mov	[esp+38h+var_2C], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_53596A
		mov	edx, [esp+38h+var_24]
		mov	ecx, [esp+38h+var_20]
		jmp	loc_53590B
; 

loc_5359B1:				; CODE XREF: RtlpHpAllocateHeap+C1j
		cmp	edi, [ecx+18Ch]
		jbe	loc_5EFBA4
		push	ebx
		push	edi
		call	_RtlpHpLargeAlloc@16 ; RtlpHpLargeAlloc(x,x,x,x)

loc_5359C4:				; CODE XREF: RtlpHpAllocateHeap+BA372j
		mov	[esp+38h+var_2C], eax
		jmp	short loc_53596A
; 

loc_5359CA:				; CODE XREF: RtlpHpAllocateHeap+8Fj
					; RtlpHpAllocateHeap+9Bj ...
		xor	eax, eax
		jmp	short loc_53597A
RtlpHpAllocateHeap endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateAccessLog proc near		; CODE XREF: MiLogPageAccess(x,x):loc_45A1BBp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= dword	ptr -2

; FUNCTION CHUNK AT 005EFC3F SIZE 00000086 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	edx, 420h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, offset _MiSystemPartition
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	loc_5EFC70
		cmp	dword_6D5E40, edx
		jl	loc_5EFC70
		mov	ecx, dword_6D4254
		mov	edx, dword_6D41E8
		mov	eax, dword_6D3D68
		shr	ecx, 0Ch
		test	edx, edx
		jnz	loc_5EFC3F

loc_535A1C:				; CODE XREF: MiAllocateAccessLog+BA27Ej
					; MiAllocateAccessLog+BA286j
		mov	edx, dword_6CF344
		mov	esi, dword_6D5E00
		shl	eax, 9
		cmp	esi, ecx
		jb	loc_5EFC5B

loc_535A33:				; CODE XREF: MiAllocateAccessLog+BA28Dj
		mov	esi, dword_6D5E40
		cmp	esi, ecx
		jb	loc_5EFC62

loc_535A41:				; CODE XREF: MiAllocateAccessLog+BA294j
		cmp	eax, edx
		jbe	loc_5EFC69
		sub	eax, edx

loc_535A4B:				; CODE XREF: MiAllocateAccessLog+BA29Bj
		add	eax, ecx
		cmp	eax, 800h
		jb	loc_5EFC70
		mov	ecx, 1000h

loc_535A5D:				; CODE XREF: MiAllocateAccessLog+BA2A5j
		mov	al, [edi+60h]
		and	al, 7
		mov	[ebp+var_8], ecx
		cmp	al, 2
		jz	loc_535BA8
		lea	esi, [edi+98h]

loc_535A73:				; CODE XREF: MiAllocateAccessLog+1DDj
		mov	ebx, [esi]
		mov	[ebp+var_10], esi
		test	ebx, ebx
		jnz	loc_535B74

loc_535A80:				; CODE XREF: MiAllocateAccessLog+1B0j
					; MiAllocateAccessLog+1B9j ...
		mov	eax, large fs:20h
		lea	edx, [ebp+var_C]
		mov	ecx, 1
		mov	[ebp+var_C], 0
		mov	byte ptr [ebp+var_2], 0
		mov	byte ptr [ebp+var_2+1],	0
		mov	eax, [eax+338h]
		movzx	esi, word ptr [eax+8Ah]
		lea	eax, [ebp+var_2+1]
		push	eax
		lea	eax, [ebp+var_2]
		push	eax
		push	0
		push	40h
		call	ExpPoolFlagsToPoolType
		test	eax, eax
		js	loc_5EFC99
		xor	eax, eax
		cmp	byte ptr [ebp+var_2+1],	al
		jnz	loc_5EFC7A

loc_535ACE:				; CODE XREF: MiAllocateAccessLog+BA2AFj
		cmp	byte ptr [ebp+var_2], 0
		jnz	loc_5EFC84
		mov	edx, [ebp+var_8]
		or	esi, 80000000h
		mov	ecx, [ebp+var_C]
		push	eax
		push	esi
		push	63416D4Dh
		call	ExpAllocatePoolWithTagFromNode

loc_535AF0:				; CODE XREF: MiAllocateAccessLog+BA2C4j
		mov	esi, eax
		test	esi, esi
		jz	loc_5EFC99
		mov	eax, [ebp+var_10]
		mov	[eax], esi
		lea	eax, [esi+38h]
		mov	[esi+20h], eax
		mov	eax, [ebp+var_8]
		add	eax, 0FFFFFFFCh
		mov	dword ptr [esi+4], 0
		add	eax, esi
		mov	dword ptr [eax], 0
		mov	[esi+28h], eax
		add	eax, 0FFFFFFFCh
		mov	[esi+24h], eax
		mov	dword ptr [esi], 0
		mov	dword ptr [esi+30h], 0
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		jnb	short loc_535B9F
		test	al, al
		jnz	short loc_535BB2
		lea	eax, [edi-240h]
		mov	[esi+2Ch], eax

loc_535B46:				; CODE XREF: MiAllocateAccessLog+1D6j
					; MiAllocateAccessLog+1F2j
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], 0
		push	eax
		mov	[ebp+var_14], 0
		call	KeQueryTickCount
		mov	eax, [ebp+var_18]
		mov	[esi+10h], eax
		mov	eax, [ebp+var_14]
		mov	[esi+14h], eax
		mov	eax, esi
		mov	[esi], ebx

loc_535B6D:				; CODE XREF: MiAllocateAccessLog+BA2F0j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_535B74:				; CODE XREF: MiAllocateAccessLog+AAj
		mov	eax, [ebx]
		cmp	ecx, 200h
		jz	short loc_535B8F
		test	eax, eax
		jz	loc_535A80
		cmp	dword ptr [eax], 0
		jz	loc_535A80

loc_535B8F:				; CODE XREF: MiAllocateAccessLog+1ACj
		mov	ecx, ebx
		call	MiEmptyPageAccessLog
		xor	ebx, ebx
		mov	[esi], ebx
		jmp	loc_535A80
; 

loc_535B9F:				; CODE XREF: MiAllocateAccessLog+167j
		mov	dword ptr [esi+2Ch], 0
		jmp	short loc_535B46
; 

loc_535BA8:				; CODE XREF: MiAllocateAccessLog+97j
		mov	esi, offset unk_6D3C58
		jmp	loc_535A73
; 

loc_535BB2:				; CODE XREF: MiAllocateAccessLog+16Bj
		mov	dword ptr [esi+2Ch], 1
		mov	eax, [edi-0B8h]
		mov	[esi+30h], eax
		jmp	short loc_535B46
MiAllocateAccessLog endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSufficientAvailablePages proc	near	; CODE XREF: MmAccessFault+47Bp
					; MmAccessFault+6A4p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005EFCC5 SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+0FC0h]
		sub	esp, 8
		push	ebx
		push	esi
		push	edi
		cmp	eax, edx
		jb	loc_5EFCC5

loc_535BE9:				; CODE XREF: MiSufficientAvailablePages+BA123j
		mov	eax, 1

loc_535BEE:				; CODE XREF: MiSufficientAvailablePages+BA146j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
MiSufficientAvailablePages endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPrefetchVirtualMemory	proc near	; CODE XREF: MiInPageSingleKernelStack+3A1p
					; MiPrefetchRestOfCluster(x,x,x)+80p ...

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005EFD1B SIZE 000000D2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 60h
		mov	eax, edx
		mov	[esp+60h+var_30], 1
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[esp+64h+var_2C], eax
		mov	[esp+64h+var_50], eax
		lea	eax, [esp+64h+var_1C]
		push	edi
		mov	edi, large fs:124h
		mov	[esp+68h+var_18], eax
		mov	[esp+68h+var_1C], eax
		lea	eax, [esp+68h+var_14]
		mov	[esp+68h+var_28], ecx
		mov	[esp+68h+var_24], 0
		mov	[esp+68h+var_20], 0
		mov	[esp+68h+var_10], eax
		mov	[esp+68h+var_14], eax
		mov	[esp+68h+var_C], 0
		mov	[esp+68h+var_4], 0
		mov	[esp+68h+var_8], esi
		mov	dl, [edi+30Ah]
		mov	[esp+68h+var_60], 0
		mov	[esp+68h+var_54], 0
		mov	[esp+68h+var_5C], edi
		cmp	dl, 2
		jnb	loc_5360B0
		mov	eax, [ebp+arg_0]
		cmp	eax, 1
		jz	short loc_535CA9
		mov	al, [eax+60h]
		and	al, 7
		cmp	al, 1
		jz	loc_535FCB
		test	al, al
		jnz	loc_5EFD1B

loc_535CA9:				; CODE XREF: MiPrefetchVirtualMemory+92j
					; MiPrefetchVirtualMemory+3D8j
		mov	ecx, 6
		lea	edi, [esp+68h+var_48]
		xor	eax, eax
		inc	dl
		rep stosd
		mov	ecx, [esp+68h+var_5C]
		mov	[ecx+30Ah], dl
		dec	word ptr [ecx+13Ch]
		nop
		mov	eax, [esp+68h+var_24]
		cmp	eax, [esp+68h+var_28]
		jnb	loc_5EFDB1
		jmp	short loc_535CE0
; 
		align 10h

loc_535CE0:				; CODE XREF: MiPrefetchVirtualMemory+D8j
					; MiPrefetchVirtualMemory+2A1j
		test	[esp+68h+var_8], 40000h
		jnz	loc_535ECF

loc_535CEE:				; CODE XREF: MiPrefetchVirtualMemory+2D7j
		mov	ecx, [esp+68h+var_50]
		mov	eax, [esp+68h+var_24]
		mov	edx, [ecx+eax*8]
		lea	eax, [ecx+eax*8]
		mov	ecx, [eax+4]
		mov	[esp+68h+var_4C], eax
		mov	eax, edx
		and	eax, 0FFFh
		add	eax, 0FFFh
		add	eax, ecx
		shr	eax, 0Ch
		cmp	[esp+68h+var_20], eax
		jnb	loc_5EFD2E
		test	ecx, ecx
		jz	loc_5EFD9C
		mov	edi, [esp+68h+var_20]
		shl	edi, 0Ch
		add	edi, edx
		cmp	edi, dword_6D2E88
		jnb	loc_53602D

loc_535D3B:				; CODE XREF: MiPrefetchVirtualMemory+433j
		xor	eax, eax
		lea	ecx, [ecx+0]

loc_535D40:				; CODE XREF: MiPrefetchVirtualMemory+157j
		mov	ecx, dword_6D2E68[eax*4]
		test	ecx, ecx
		jz	short loc_535D53
		cmp	edi, ecx
		jnb	loc_535F09

loc_535D53:				; CODE XREF: MiPrefetchVirtualMemory+149j
					; MiPrefetchVirtualMemory+311j
		inc	eax
		cmp	eax, 2
		jle	short loc_535D40

loc_535D59:				; CODE XREF: MiPrefetchVirtualMemory+BA128j
		mov	ecx, edi
		call	_MiIsSessionMetadata@4 ; MiIsSessionMetadata(x)
		test	eax, eax
		jnz	loc_5EFD2E
		cmp	edi, 0C0000000h
		jnb	loc_535FE3

loc_535D74:				; CODE XREF: MiPrefetchVirtualMemory+3E9j
		mov	edx, ecx

loc_535D76:				; CODE XREF: MiPrefetchVirtualMemory+416j
					; MiPrefetchVirtualMemory+425j
		mov	eax, dword_6D07D0
		mov	ecx, edx
		shr	ecx, 15h
		cmp	edx, eax
		jnb	loc_535EE2

loc_535D88:				; CODE XREF: MiPrefetchVirtualMemory+34Cj
					; MiPrefetchVirtualMemory+35Dj
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 1
		jz	loc_5EFD2E
		test	byte ptr [ecx+60h], 7
		jnz	loc_5EFD2E

loc_535D9E:				; CODE XREF: MiPrefetchVirtualMemory:loc_535EFEj
		test	byte ptr [esp+68h+var_8], 80h
		jnz	short loc_535DEB
		mov	edx, 120h
		mov	ecx, offset _MiSystemPartition
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	loc_535F76
		mov	eax, dword_6D5F54
		mov	ecx, dword_6D5EFC
		cmp	ecx, eax
		ja	loc_535F76
		sub	eax, ecx
		cmp	eax, 1080h
		jb	loc_535F76
		cmp	dword_6D5E40, edx
		jl	loc_535F76
		mov	ecx, [ebp+arg_0]

loc_535DEB:				; CODE XREF: MiPrefetchVirtualMemory+1A3j
		test	esi, 20000h
		jnz	loc_5EFD3C

loc_535DF7:				; CODE XREF: MiPrefetchVirtualMemory+BA154j
		mov	eax, [esp+68h+var_24]
		mov	[esp+68h+var_4C], eax
		mov	eax, [esp+68h+var_20]
		mov	[esp+68h+var_58], eax
		lea	eax, [esp+68h+var_30]
		or	eax, 1
		push	eax
		push	0
		push	edi
		push	0
		call	MmAccessFault
		mov	edi, eax
		mov	al, byte ptr [esp+68h+var_30+1]
		cmp	al, 2
		jz	loc_535F6B
		cmp	al, 1
		jz	loc_5360A6
		mov	eax, [esp+68h+var_24]
		cmp	eax, [esp+68h+var_4C]
		jnz	short loc_535E6B
		mov	edx, [esp+68h+var_20]
		cmp	edx, [esp+68h+var_58]
		jnz	short loc_535E6B
		mov	edx, [esp+68h+var_2C]
		mov	ecx, [edx+eax*8]
		mov	eax, [edx+eax*8+4]
		and	ecx, 0FFFh
		mov	edx, [esp+68h+var_20]
		add	eax, 0FFFh
		add	eax, ecx
		inc	edx
		shr	eax, 0Ch
		mov	[esp+68h+var_20], edx
		cmp	edx, eax
		jz	short loc_535EA6

loc_535E6B:				; CODE XREF: MiPrefetchVirtualMemory+237j
					; MiPrefetchVirtualMemory+241j	...
		test	edi, edi
		js	loc_53603E

loc_535E73:				; CODE XREF: MiPrefetchVirtualMemory+469j
		cmp	[esp+68h+var_C], 200000h
		jnb	loc_5360BD

loc_535E81:				; CODE XREF: MiPrefetchVirtualMemory+4CFj
		test	[esp+68h+var_8], 400h
		jnz	loc_535F1C

loc_535E8F:				; CODE XREF: MiPrefetchVirtualMemory+345j
					; MiPrefetchVirtualMemory+BA137j ...
		mov	eax, [esp+68h+var_24]
		cmp	eax, [esp+68h+var_28]
		jnb	loc_535F76
		mov	ecx, [esp+68h+var_5C]
		jmp	loc_535CE0
; 

loc_535EA6:				; CODE XREF: MiPrefetchVirtualMemory+269j
		mov	eax, [esp+68h+var_24]
		mov	edx, [esp+68h+var_28]
		inc	eax
		mov	[esp+68h+var_24], eax
		mov	[esp+68h+var_20], 0
		cmp	eax, edx
		jnb	short loc_535E6B
		mov	ecx, [esp+68h+var_2C]
		cmp	dword ptr [ecx+eax*8+4], 0
		jnz	short loc_535E6B
		jmp	loc_5EFD59
; 

loc_535ECF:				; CODE XREF: MiPrefetchVirtualMemory+E8j
		mov	eax, [ecx+2FCh]
		test	al, 1
		jz	loc_535CEE
		jmp	loc_5EFD8E
; 

loc_535EE2:				; CODE XREF: MiPrefetchVirtualMemory+182j
		cmp	byte ptr dword_6D3994[ecx], 1
		jnz	short loc_535F4A

loc_535EEB:				; CODE XREF: MiPrefetchVirtualMemory+359j
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 1
		jz	loc_5EFD2E
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 1

loc_535EFE:				; CODE XREF: MiPrefetchVirtualMemory+369j
		jz	loc_535D9E
		jmp	loc_5EFD2E
; 

loc_535F09:				; CODE XREF: MiPrefetchVirtualMemory+14Dj
		add	ecx, 100000h
		cmp	edi, ecx
		jnb	loc_535D53
		jmp	loc_5EFD25
; 

loc_535F1C:				; CODE XREF: MiPrefetchVirtualMemory+289j
		xor	edi, edi
		xor	eax, eax

loc_535F20:				; CODE XREF: MiPrefetchVirtualMemory+343j
		lea	ecx, [esp+68h+var_14]
		test	eax, eax
		jz	short loc_535F2C
		lea	ecx, [esp+68h+var_1C]

loc_535F2C:				; CODE XREF: MiPrefetchVirtualMemory+326j
		mov	edx, [ecx]
		cmp	edx, ecx
		jnz	loc_536090

loc_535F36:				; CODE XREF: MiPrefetchVirtualMemory+49Ej
		cmp	edi, 4
		jz	loc_5EFD62
		inc	eax
		cmp	eax, 2
		jb	short loc_535F20
		jmp	loc_535E8F
; 

loc_535F4A:				; CODE XREF: MiPrefetchVirtualMemory+2E9j
		cmp	edx, eax
		jb	loc_535D88
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	short loc_535EEB
		cmp	edx, eax
		jb	loc_535D88
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 1
		jmp	short loc_535EFE
; 

loc_535F6B:				; CODE XREF: MiPrefetchVirtualMemory+221j
		test	byte ptr [esp+68h+var_8], 80h
		jnz	loc_5360A6

loc_535F76:				; CODE XREF: MiPrefetchVirtualMemory+1B6j
					; MiPrefetchVirtualMemory+1C9j	...
		mov	edi, [esp+68h+var_60]

loc_535F7A:				; CODE XREF: MiPrefetchVirtualMemory+BA197j
					; MiPrefetchVirtualMemory+BA1B3j
		test	esi, 20000h
		jnz	loc_5EFDB8

loc_535F86:				; CODE XREF: MiPrefetchVirtualMemory+BA1CCj
		push	[ebp+arg_0]
		lea	edx, [esp+6Ch+var_14]
		lea	ecx, [esp+6Ch+var_1C]
		call	_MiPfCompletePrefetchIos@12 ; MiPfCompletePrefetchIos(x,x,x)
		test	eax, eax
		js	loc_5EFDD1

loc_535F9E:				; CODE XREF: MiPrefetchVirtualMemory+BA1DFj
		test	edi, edi
		js	short loc_535FAE
		mov	eax, [esp+68h+var_54]
		test	eax, eax
		js	loc_536074

loc_535FAE:				; CODE XREF: MiPrefetchVirtualMemory+3A0j
					; MiPrefetchVirtualMemory+47Cj	...
		mov	edi, [esp+68h+var_5C]
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		dec	byte ptr [edi+30Ah]
		mov	eax, [esp+68h+var_60]

loc_535FC3:				; CODE XREF: MiPrefetchVirtualMemory+BA120j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_535FCB:				; CODE XREF: MiPrefetchVirtualMemory+9Bj
		mov	eax, [edi+80h]
		cmp	dword ptr [eax+180h], 0
		jnz	loc_535CA9
		jmp	loc_5EFD1B
; 

loc_535FE3:				; CODE XREF: MiPrefetchVirtualMemory+16Ej
		cmp	edi, 0C07FFFFFh
		ja	loc_535D74
		mov	eax, dword_6D07D0
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	edi, eax
		jnb	loc_5EFD2E
		mov	edx, edi
		jmp	short loc_536010
; 
		align 10h

loc_536010:				; CODE XREF: MiPrefetchVirtualMemory+40Bj
					; MiPrefetchVirtualMemory+42Bj
		cmp	edx, 0C07FFFFFh
		ja	loc_535D76
		shl	edx, 9
		cmp	edx, 0C0000000h
		jb	loc_535D76
		jmp	short loc_536010
; 

loc_53602D:				; CODE XREF: MiPrefetchVirtualMemory+135j
		cmp	edi, dword_6D2E8C
		ja	loc_535D3B
		jmp	loc_5EFD2E
; 

loc_53603E:				; CODE XREF: MiPrefetchVirtualMemory+26Dj
		mov	[esp+68h+var_54], edi
		cmp	edi, 0C0000005h
		jnz	loc_535F76
		mov	eax, [esp+68h+var_24]
		cmp	eax, [esp+68h+var_28]
		jz	loc_535F76
		xor	edx, edx
		lea	ecx, [esp+68h+var_30]
		call	MiLeapPrefetch
		test	eax, eax
		jnz	loc_535E73
		jmp	loc_535F76
; 

loc_536074:				; CODE XREF: MiPrefetchVirtualMemory+3A8j
		test	[esp+68h+var_8], 8000h
		jz	loc_535FAE
		jmp	loc_5EFDE4
; 
		jmp	short loc_536090
; 
		align 10h

loc_536090:				; CODE XREF: MiPrefetchVirtualMemory+330j
					; MiPrefetchVirtualMemory+487j	...
		inc	edi
		cmp	edi, 4
		jz	loc_5EFD62
		mov	edx, [edx]
		cmp	edx, ecx
		jz	loc_535F36
		jmp	short loc_536090
; 

loc_5360A6:				; CODE XREF: MiPrefetchVirtualMemory+229j
					; MiPrefetchVirtualMemory+370j
		mov	byte ptr [esp+68h+var_30+1], 0
		jmp	loc_535E6B
; 

loc_5360B0:				; CODE XREF: MiPrefetchVirtualMemory+86j
		pop	edi
		mov	eax, 0C000009Ah
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_5360BD:				; CODE XREF: MiPrefetchVirtualMemory+27Bj
		lea	eax, [esp+68h+var_C]
		push	eax
		lea	edx, [esp+6Ch+var_1C]
		lea	ecx, [esp+6Ch+var_14]
		call	MiPfCoalesceAndIssueIOs
		jmp	loc_535E81
MiPrefetchVirtualMemory	endp


;  S U B	R O U T	I N E 


; __stdcall MiIsSessionMetadata(x)
_MiIsSessionMetadata@4 proc near	; CODE XREF: MiPrefetchVirtualMemory+15Bp
					; MiCombineCandidate(x,x,x):loc_640199p
		mov	edx, dword_6D07D0
		mov	eax, ecx
		shr	eax, 15h
		cmp	ecx, edx
		jnb	short loc_5360E6

loc_5360E3:				; CODE XREF: MiIsSessionMetadata(x)+22j
					; MiIsSessionMetadata(x)+2Bj ...
		xor	eax, eax
		retn
; 

loc_5360E6:				; CODE XREF: MiIsSessionMetadata(x)+Dj
		cmp	byte ptr dword_6D3994[eax], 1
		jnz	short loc_536105

loc_5360EF:				; CODE XREF: MiIsSessionMetadata(x)+3Ej
		mov	eax, dword_6D05D4
		cmp	ecx, eax
		jb	short loc_5360E3
		add	eax, 8000h
		cmp	ecx, eax
		jnb	short loc_5360E3
		xor	eax, eax
		inc	eax
		retn
; 

loc_536105:				; CODE XREF: MiIsSessionMetadata(x)+19j
		cmp	ecx, edx
		jb	short loc_5360E3
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jnz	short loc_5360E3
		jmp	short loc_5360EF
_MiIsSessionMetadata@4 endp


;  S U B	R O U T	I N E 


; __stdcall LOCK_ADDRESS_SPACE(x, x)
_LOCK_ADDRESS_SPACE@8 proc near		; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+60p
					; MiInitializeVadBitMap(x)+5Fp	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		dec	word ptr [esi+13Eh]
		nop
		lea	ecx, [edx+134h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi+304h], 1
		nop
		pop	esi
		retn
_LOCK_ADDRESS_SPACE@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAddViewsForSection proc near		; CODE XREF: MiReferenceDataSubsections(x,x,x,x,x)+54p
					; MmMapViewInSystemCache+D3p ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005EFDED SIZE 00000319 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		push	ebx
		push	esi
		mov	esi, [ecx]
		mov	eax, edx
		push	edi
		mov	[ebp+var_1C], eax
		mov	ebx, ecx
		mov	[ebp+var_50], ecx
		cmp	dword ptr [esi+20h], 0
		mov	[ebp+var_10], eax
		mov	[ebp+var_54], esi
		mov	[ebp+var_18], 0
		jnz	loc_5363D3
		mov	eax, large fs:124h
		mov	ecx, [esi]
		mov	[ebp+var_8], 0
		mov	[ebp+var_14], eax
		dec	word ptr [eax+13Eh]
		mov	[ebp+var_C], ecx
		nop
		add	ecx, 1Ch
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_1C]

loc_536198:				; CODE XREF: MiAddViewsForSection+2A8j
		and	eax, 180h
		lea	edi, [esi+24h]
		mov	cl, 2
		mov	[ebp+var_4C], eax
		mov	[ebp+var_3C], edi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_20], al
		jnz	loc_5EFDED
		mov	[ebp+var_2C], 0
		lock bts dword ptr [edi], 1Fh
		jb	loc_536682

loc_5361D0:				; CODE XREF: MiAddViewsForSection+54Ej
		mov	edx, [edi]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5366A7

loc_5361E4:				; CODE XREF: MiAddViewsForSection+597j
					; MiAddViewsForSection+B9CB6j
		mov	eax, [ebp+var_1C]
		test	al, 1
		jnz	loc_536438
		mov	edx, [ebp+var_10]

loc_5361F2:				; CODE XREF: MiAddViewsForSection+309j
		mov	ecx, [ebp+arg_4]
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_34], ecx
		mov	[ebp+var_28], esi
		mov	edi, edi

loc_536200:				; CODE XREF: MiAddViewsForSection+38Bj
		cmp	dword ptr [ebx+4], 0
		mov	eax, [ebx+1Ch]
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], eax
		jz	loc_53645E
		push	[ebp+var_20]
		mov	ecx, ebx
		call	MiReferenceActiveSubsection
		mov	[ebp+var_4], eax
		test	eax, eax
		js	loc_5367C8
		cmp	[ebp+var_8], 1
		mov	[ebp+var_18], ebx
		jz	loc_5363ED

loc_536235:				; CODE XREF: MiAddViewsForSection+2B5j
					; MiAddViewsForSection+367j ...
		mov	ecx, [ebp+var_34]
		mov	eax, esi
		or	eax, ecx
		jz	loc_5364B7
		mov	eax, [ebx+1Ch]
		test	ecx, ecx
		jb	short loc_536257
		ja	loc_5364AC
		cmp	esi, eax
		ja	loc_5364AC

loc_536257:				; CODE XREF: MiAddViewsForSection+107j
					; MiAddViewsForSection+391j
		test	ds:byte_70EFC6,	1
		jnz	loc_5F00AA
		mov	dword ptr [edi], 0

loc_53626A:				; CODE XREF: MiAddViewsForSection+B9F74j
		mov	cl, byte ptr [ebp+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_8], 0
		jnz	loc_5363C8
		mov	esi, [ebp+var_C]
		or	eax, 0FFFFFFFFh
		add	esi, 1Ch
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_5364F7

loc_536294:				; CODE XREF: MiAddViewsForSection+3BEj
		xor	edi, edi
		mov	[ebp+var_38], edi
		test	esi, 7FFFFFFCh
		jz	loc_5363A0
		mov	ebx, large fs:124h
		cmp	esi, dword_6D07D0
		jb	short loc_5362CF
		mov	eax, esi
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	loc_53644E
		cmp	al, 0Bh
		jz	loc_53644E

loc_5362CF:				; CODE XREF: MiAddViewsForSection+172j
		or	eax, 0FFFFFFFFh

loc_5362D2:				; CODE XREF: MiAddViewsForSection+319j
		dec	word ptr [ebx+13Eh]
		mov	[ebp+var_3C], eax
		nop
		inc	byte ptr [ebx+1E6h]
		nop
		mov	cl, [ebx+1E6h]
		mov	edx, esi
		mov	byte ptr [ebp+arg_4+3],	cl
		mov	ecx, ebx
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5364D6
		mov	al, [esi+10h]
		or	al, 2
		mov	[esi+10h], al
		nop
		cmp	[esi+10h], edi
		jl	loc_536663

loc_536313:				; CODE XREF: MiAddViewsForSection+52Aj
		mov	eax, [esi+2Ch]
		mov	edi, eax
		and	byte ptr [esi+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_38], edi
		mov	[esi+2Ch], eax
		nop
		mov	dword ptr [esi+10h], 0
		mov	eax, 2AAAAAABh
		sub	esi, [ebx+1E8h]
		imul	esi
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp+arg_4+3],	1
		jnz	loc_5F00D0
		movzx	eax, byte ptr [ebx+1E4h]
		bts	eax, ecx
		mov	[ebx+1E4h], al

loc_536366:				; CODE XREF: MiAddViewsForSection+39Ej
					; MiAddViewsForSection+B9F9Dj
		nop
		dec	byte ptr [ebx+1E6h]
		mov	esi, edi
		and	esi, 1FFFFh
		jnz	loc_5366DF

loc_53637B:				; CODE XREF: MiAddViewsForSection+5D6j
					; MiAddViewsForSection+B9FC1j
		nop
		mov	ax, [ebx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ebx+13Eh], ax
		test	ax, ax
		jnz	short loc_5363A0
		nop
		lea	eax, [ebx+70h]
		cmp	[eax], eax
		jnz	loc_536693

loc_5363A0:				; CODE XREF: MiAddViewsForSection+15Fj
					; MiAddViewsForSection+252j ...
		nop
		mov	ecx, [ebp+var_14]
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		test	ax, ax
		jnz	short loc_5363C8
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	loc_53669D

loc_5363C8:				; CODE XREF: MiAddViewsForSection+137j
					; MiAddViewsForSection+27Aj ...
		xor	eax, eax

loc_5363CA:				; CODE XREF: MiAddViewsForSection+B9D26j
					; MiAddViewsForSection+B9F3Ej ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_5363D3:				; CODE XREF: MiAddViewsForSection+28j
		mov	[ebp+var_8], 1
		mov	[ebp+var_14], 0
		mov	[ebp+var_C], 0
		jmp	loc_536198
; 

loc_5363ED:				; CODE XREF: MiAddViewsForSection+EFj
		mov	eax, [ebx+24h]
		test	eax, 40000000h
		jz	loc_536235
		mov	esi, [ebx+1Ch]
		and	eax, 3FFFFFFFh
		push	edi
		mov	[ebp+arg_4], eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		sub	esi, [ebp+arg_4]
		xor	edx, edx
		mov	eax, [ebx+4]
		mov	ecx, ebx
		push	0
		push	esi
		push	eax
		call	_MiAllocateFileExtents@20 ; MiAllocateFileExtents(x,x,x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		js	loc_5F00A2
		mov	esi, [ebp+var_28]
		jmp	short loc_5364A1
; 

loc_536438:				; CODE XREF: MiAddViewsForSection+A9j
		inc	dword ptr [esi+14h]
		inc	dword ptr [esi+30h]
		or	eax, 4
		mov	edx, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_10], edx
		jmp	loc_5361F2
; 

loc_53644E:				; CODE XREF: MiAddViewsForSection+181j
					; MiAddViewsForSection+189j
		mov	ecx, [ebx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_5362D2
; 

loc_53645E:				; CODE XREF: MiAddViewsForSection+CDj
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_8], 0
		jz	loc_536503

loc_536477:				; CODE XREF: MiAddViewsForSection+4FBj
		test	byte ptr [ebp+var_1C], 2
		jnz	loc_5EFE61
		push	[ebp+var_44]
		push	ecx
		mov	ecx, ebx
		call	MiCreatePrototypePtes
		mov	[ebp+var_4], eax
		test	eax, eax
		js	loc_536721
		cmp	[ebp+var_8], 0
		jz	loc_536640

loc_5364A1:				; CODE XREF: MiAddViewsForSection+2F6j
		push	edi
		call	ExAcquireSpinLockExclusive
		jmp	loc_536235
; 

loc_5364AC:				; CODE XREF: MiAddViewsForSection+109j
					; MiAddViewsForSection+111j
		sub	esi, eax
		mov	[ebp+var_28], esi
		sbb	ecx, 0
		mov	[ebp+var_34], ecx

loc_5364B7:				; CODE XREF: MiAddViewsForSection+FCj
		cmp	[ebp+var_8], 0
		mov	eax, [ebp+var_48]
		mov	ebx, [ebx+8]
		mov	[ebp+var_18], eax
		jz	short loc_5364E9

loc_5364C6:				; CODE XREF: MiAddViewsForSection+5FCj
					; MiAddViewsForSection+68Dj
		mov	edx, [ebp+var_10]

loc_5364C9:				; CODE XREF: MiAddViewsForSection+3B5j
		test	ebx, ebx
		jnz	loc_536200
		jmp	loc_536257
; 

loc_5364D6:				; CODE XREF: MiAddViewsForSection+1BBj
		mov	eax, [ebx+5Ch]
		test	eax, 10000h
		jnz	loc_536366
		jmp	loc_5F00B9
; 

loc_5364E9:				; CODE XREF: MiAddViewsForSection+384j
		mov	edx, [ebp+var_4C]
		or	edx, 4
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], edx
		jmp	short loc_5364C9
; 

loc_5364F7:				; CODE XREF: MiAddViewsForSection+14Ej
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_536294
; 

loc_536503:				; CODE XREF: MiAddViewsForSection+331j
		mov	edx, [ebp+var_C]
		or	eax, 0FFFFFFFFh
		add	edx, 1Ch
		mov	[ebp+var_24], edx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_536757

loc_53651D:				; CODE XREF: MiAddViewsForSection+621j
		xor	edi, edi
		mov	[ebp+var_30], edi
		test	edx, 7FFFFFFCh
		jz	loc_536630
		mov	ecx, large fs:124h
		mov	[ebp+var_4], ecx
		cmp	edx, dword_6D07D0
		jb	short loc_53655B
		mov	eax, edx
		shr	eax, 15h
		mov	al, byte ptr dword_6D3994[eax]
		cmp	al, 1
		jz	loc_53666F
		cmp	al, 0Bh
		jz	loc_53666F

loc_53655B:				; CODE XREF: MiAddViewsForSection+3FEj
		or	eax, 0FFFFFFFFh

loc_53655E:				; CODE XREF: MiAddViewsForSection+53Dj
		dec	word ptr [ecx+13Eh]
		mov	[ebp+var_38], eax
		nop
		inc	byte ptr [ecx+1E6h]
		nop
		mov	dl, [ecx+1E6h]
		mov	byte ptr [ebp+arg_4+3],	dl
		mov	edx, [ebp+var_24]
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[ebp+var_40], edx
		test	edx, edx
		jz	loc_536741
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jl	loc_5367AF

loc_5365A1:				; CODE XREF: MiAddViewsForSection+679j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_30], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [ebp+var_4]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		mov	al, 1
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		shl	al, cl
		cmp	byte ptr [ebp+arg_4+3],	1
		mov	ecx, [ebp+var_4]
		jnz	loc_5EFDFB
		or	[ecx+1E4h], al

loc_5365F4:				; CODE XREF: MiAddViewsForSection+60Cj
					; MiAddViewsForSection+B9CC7j
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+arg_4], eax
		jnz	loc_536766

loc_53660B:				; CODE XREF: MiAddViewsForSection+664j
					; MiAddViewsForSection+B9CECj
		nop
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		test	ax, ax
		jnz	short loc_536630
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	loc_5367BE

loc_536630:				; CODE XREF: MiAddViewsForSection+3E8j
					; MiAddViewsForSection+4E2j ...
		mov	ecx, [ebp+var_14]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp+var_3C]
		jmp	loc_536477
; 

loc_536640:				; CODE XREF: MiAddViewsForSection+35Bj
		mov	eax, [ebp+var_14]
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		lea	ecx, [ecx+1Ch]
		call	ExAcquirePushLockExclusiveEx
		push	edi
		call	ExAcquireSpinLockExclusive
		jmp	loc_536235
; 

loc_536663:				; CODE XREF: MiAddViewsForSection+1CDj
		mov	ecx, esi
		call	KiAbEntryRemoveFromTree
		jmp	loc_536313
; 

loc_53666F:				; CODE XREF: MiAddViewsForSection+40Dj
					; MiAddViewsForSection+415j
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_4]
		jmp	loc_53655E
; 

loc_536682:				; CODE XREF: MiAddViewsForSection+8Aj
		mov	dl, al
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+var_2C], eax
		jmp	loc_5361D0
; 

loc_536693:				; CODE XREF: MiAddViewsForSection+25Aj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_5363A0
; 

loc_53669D:				; CODE XREF: MiAddViewsForSection+282j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_5363C8
; 

loc_5366A7:				; CODE XREF: MiAddViewsForSection+9Ej
					; MiAddViewsForSection+59Dj
		test	edx, 40000000h
		jnz	short loc_5366C1
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5366CB

loc_5366C1:				; CODE XREF: MiAddViewsForSection+56Dj
		lea	ecx, [ebp+var_2C]
		call	KeYieldProcessorEx
		mov	eax, [edi]

loc_5366CB:				; CODE XREF: MiAddViewsForSection+57Fj
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jz	loc_5361E4
		jmp	short loc_5366A7
; 

loc_5366DF:				; CODE XREF: MiAddViewsForSection+235j
		test	edi, 8000h
		jnz	loc_5367D8

loc_5366EB:				; CODE XREF: MiAddViewsForSection+6A1j
		test	byte ptr [ebp+var_38+2], 1
		jnz	loc_5F00E2

loc_5366F5:				; CODE XREF: MiAddViewsForSection+B9FAEj
		test	edi, 7FFFh
		jz	short loc_53670C
		and	edi, 7FFFh
		mov	ecx, ebx
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_53670C:				; CODE XREF: MiAddViewsForSection+5BBj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_53637B
		jmp	loc_5F00F3
; 

loc_536721:				; CODE XREF: MiAddViewsForSection+351j
		cmp	eax, 0C000020Ah
		jnz	loc_5F00A2
		cmp	[ebp+var_8], 0
		jz	loc_5EFE31

loc_536736:				; CODE XREF: MiAddViewsForSection+B9D09j
		push	edi
		call	ExAcquireSpinLockExclusive
		jmp	loc_5364C6
; 

loc_536741:				; CODE XREF: MiAddViewsForSection+449j
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_5365F4
		jmp	loc_5EFE4E
; 

loc_536757:				; CODE XREF: MiAddViewsForSection+3D7j
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_24]
		jmp	loc_53651D
; 

loc_536766:				; CODE XREF: MiAddViewsForSection+4C5j
		test	edi, 8000h
		jz	short loc_536778
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp+var_4]

loc_536778:				; CODE XREF: MiAddViewsForSection+62Cj
		test	byte ptr [ebp+var_30+2], 1
		jnz	loc_5EFE0C

loc_536782:				; CODE XREF: MiAddViewsForSection+B9CD9j
		test	edi, 7FFFh
		jz	short loc_536797
		and	edi, 7FFFh
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_536797:				; CODE XREF: MiAddViewsForSection+648j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	ecx, [ebp+var_4]
		jz	loc_53660B
		jmp	loc_5EFE1E
; 

loc_5367AF:				; CODE XREF: MiAddViewsForSection+45Bj
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp+var_40]
		jmp	loc_5365A1
; 

loc_5367BE:				; CODE XREF: MiAddViewsForSection+4EAj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_536630
; 

loc_5367C8:				; CODE XREF: MiAddViewsForSection+E2j
		cmp	eax, 0C000020Ah
		jz	loc_5364C6
		jmp	loc_5EFE6B
; 

loc_5367D8:				; CODE XREF: MiAddViewsForSection+5A5j
		xor	edx, edx
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_5366EB
MiAddViewsForSection endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReferenceActiveSubsection proc near	; CODE XREF: MiAddViewsForSection+D8p
					; MiUpControlAreaRefs+DCp ...

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005F0106 SIZE 0000015A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		xor	edi, edi
		cmp	[ebp+arg_0], 21h
		mov	[ebp+var_4], edi
		mov	edx, [esi]
		mov	[ebp+var_8], edx
		mov	eax, [edx+20h]
		mov	[ebp+var_10], eax
		jz	loc_5F0106
		lea	esp, [esp+0]

loc_536820:				; CODE XREF: MiReferenceActiveSubsection+B992Aj
					; MiReferenceActiveSubsection+B9969j ...
		cmp	dword ptr [esi+4], 0
		mov	ecx, [esi]
		jz	loc_5F011F
		test	byte ptr [ecx+1Ch], 20h
		mov	eax, [ecx+20h]
		jnz	short loc_536865
		test	eax, eax
		jnz	short loc_536855

loc_536839:				; CODE XREF: MiReferenceActiveSubsection+77j
					; MiReferenceActiveSubsection+7Dj ...
		test	bl, 20h
		jnz	loc_5F021A

loc_536842:				; CODE XREF: MiReferenceActiveSubsection+B9A2Ej
		test	edi, edi
		jnz	loc_5F0249

loc_53684A:				; CODE XREF: MiReferenceActiveSubsection+B9A48j
					; MiReferenceActiveSubsection+B9A54j ...
		xor	eax, eax

loc_53684C:				; CODE XREF: MiReferenceActiveSubsection+B99EEj
					; MiReferenceActiveSubsection+B9A14j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_536855:				; CODE XREF: MiReferenceActiveSubsection+47j
		test	byte ptr [esi+12h], 1
		jnz	short loc_536865
		add	dword ptr [esi+3Ch], 1
		jz	loc_5F0209

loc_536865:				; CODE XREF: MiReferenceActiveSubsection+43j
					; MiReferenceActiveSubsection+69j
		test	eax, eax
		jz	short loc_536839
		test	byte ptr [ecx+1Ch], 20h
		jnz	short loc_536839
		test	byte ptr [esi+12h], 8
		jnz	short loc_53687C

loc_536875:				; CODE XREF: MiReferenceActiveSubsection+96j
		or	word ptr [esi+10h], 1
		jmp	short loc_536839
; 

loc_53687C:				; CODE XREF: MiReferenceActiveSubsection+83j
		mov	ecx, esi
		call	_MiRemoveUnusedSubsection@4 ; MiRemoveUnusedSubsection(x)
		mov	edx, [ebp+var_8]
		jmp	short loc_536875
MiReferenceActiveSubsection endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetControlAreaPtes(x)
_MiGetControlAreaPtes@4	proc near	; CODE XREF: MiPfPrepareSequentialReadList+49p
					; MiMapViewOfDataSection+106p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	esi
		mov	esi, ecx
		mov	eax, [esi+1Ch]
		test	al, 20h
		jnz	short loc_5368A8
		cmp	dword ptr [esi+20h], 0
		jnz	short loc_5368C8

loc_5368A8:				; CODE XREF: MiGetControlAreaPtes(x)+10j
					; MiGetControlAreaPtes(x)+3Dj
		mov	esi, [esi]
		mov	ecx, 3FFh
		mov	ax, [esi+8]
		and	ax, cx
		xor	ecx, ecx
		or	ecx, [esi+4]
		movzx	eax, ax
		cdq
		mov	edx, eax
		mov	eax, ecx
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5368C8:				; CODE XREF: MiGetControlAreaPtes(x)+16j
		test	eax, 400h
		jnz	short loc_5368A8
		push	ebx
		lea	eax, [esi+24h]
		push	edi
		push	eax
		mov	[ebp+var_8], eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	edx, 1
		mov	[ebp+var_1], al
		mov	ecx, esi
		call	_MiFindLastSubsection@8	; MiFindLastSubsection(x,x)
		push	[ebp+var_8]
		mov	esi, eax
		xor	edi, edi
		mov	cx, [esi+10h]
		or	edi, [esi+14h]
		shr	cx, 6
		movzx	eax, cx
		cdq
		mov	ebx, eax
		mov	eax, [esi+24h]
		and	eax, 3FFFFFFFh
		sub	edi, eax
		sbb	ebx, 0
		add	edi, [esi+1Ch]
		adc	ebx, 0
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		mov	edx, ebx
		pop	edi
		pop	ebx
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_MiGetControlAreaPtes@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckPurgeAndUpMapCount proc near	; CODE XREF: MiMapViewOfImageSection+12Fp
					; MiMapViewInSystemSpace+2Cp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F0260 SIZE 0000007E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		xor	eax, eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_24], eax
		push	edi
		mov	cl, 2
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		lea	edi, [esi+24h]
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1], al
		jnz	loc_5F0260
		mov	[ebp+var_8], 0
		lock bts dword ptr [edi], 1Fh
		jb	short loc_5369C0

loc_53697C:				; CODE XREF: MiCheckPurgeAndUpMapCount+9Cj
		mov	edx, [edi]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5369D0

loc_53698C:				; CODE XREF: MiCheckPurgeAndUpMapCount+D0j
					; MiCheckPurgeAndUpMapCount+B9939j
		test	byte ptr [esi+1Ch], 4
		jnz	loc_5F026E
		mov	al, [ebp+var_1]

loc_536999:				; CODE XREF: MiCheckPurgeAndUpMapCount+B9997j
		inc	dword ptr [esi+14h]
		inc	dword ptr [esi+18h]
		test	ds:byte_70EFC6,	1
		jnz	loc_5F02CC
		mov	dword ptr [edi], 0

loc_5369B2:				; CODE XREF: MiCheckPurgeAndUpMapCount+B99A9j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5369C0:				; CODE XREF: MiCheckPurgeAndUpMapCount+4Aj
		mov	dl, al
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+var_8], eax
		jmp	short loc_53697C
; 
		align 10h

loc_5369D0:				; CODE XREF: MiCheckPurgeAndUpMapCount+5Aj
					; MiCheckPurgeAndUpMapCount+D2j
		test	edx, 40000000h
		jnz	short loc_5369EA
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5369F4

loc_5369EA:				; CODE XREF: MiCheckPurgeAndUpMapCount+A6j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [edi]

loc_5369F4:				; CODE XREF: MiCheckPurgeAndUpMapCount+B8j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jz	short loc_53698C
		jmp	short loc_5369D0
MiCheckPurgeAndUpMapCount endp


;  S U B	R O U T	I N E 


; __stdcall MiAweControlArea(x)
_MiAweControlArea@4 proc near		; CODE XREF: MiReferenceAweHandle(x,x,x,x,x)+4Fp
					; MiDeletePageFileSectionNodes(x)+2Fp ...
		cmp	dword ptr [ecx+20h], 0
		jnz	short loc_536A1C
		test	dword ptr [ecx+1Ch], 400h
		jnz	short loc_536A1C
		test	dword ptr [ecx+34h], 20000h
		jnz	short loc_536A1F

loc_536A1C:				; CODE XREF: MiAweControlArea(x)+4j
					; MiAweControlArea(x)+Dj
		xor	eax, eax
		retn
; 

loc_536A1F:				; CODE XREF: MiAweControlArea(x)+16j
		xor	eax, eax
		inc	eax
		retn
_MiAweControlArea@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiGetWsAndInsertVad proc near		; CODE XREF: MiInsertProcessVads(x,x)+2Fp
					; MiMapViewOfImageSection+411p	...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F02DE SIZE 0000005C BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		sub	esp, 20h
		push	esi
		mov	esi, [eax+80h]
		mov	edx, esi
		push	edi
		push	1
		mov	edi, ecx
		call	MiInsertVad
		test	dword ptr [edi+1Ch], 100000h
		jnz	loc_536BF0
		mov	eax, [edi+2Ch]
		or	esi, 1
		mov	[edi+40h], esi
		lea	esi, [edi+38h]
		mov	ecx, [eax]
		mov	eax, large fs:124h
		mov	[ebp-14h], ecx
		dec	word ptr [eax+13Eh]
		nop
		lea	edi, [ecx+3Ch]
		xor	edx, edx
		mov	ecx, edi
		mov	[ebp-8], edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp-14h]
		test	dword ptr [eax+1Ch], 400h
		jnz	short loc_536AC4
		mov	ecx, [eax+4]
		add	eax, 4
		cmp	[ecx+4], eax
		jnz	loc_5F02DE
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[ecx+4], esi
		mov	[eax], esi

loc_536AC4:				; CODE XREF: MiGetWsAndInsertVad+79j
		mov	ecx, large fs:124h
		or	eax, 0FFFFFFFFh
		mov	[ebp-14h], ecx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_536C33

loc_536ADF:				; CODE XREF: MiGetWsAndInsertVad+20Dj
		mov	eax, [ebp-8]
		xor	edi, edi
		mov	[ebp-10h], edi
		test	eax, 7FFFFFFCh
		jz	loc_536BE1
		mov	esi, large fs:124h
		mov	ecx, eax
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp-1Ch], esi
		cmp	eax, edx
		jb	short loc_536B29
		cmp	byte ptr dword_6D3994[ecx], 1
		jz	loc_536C0C
		cmp	eax, edx
		jb	short loc_536B29
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_536C0C

loc_536B29:				; CODE XREF: MiGetWsAndInsertVad+D9j
					; MiGetWsAndInsertVad+EAj
		or	edx, 0FFFFFFFFh
		mov	[ebp-0Ch], edx

loc_536B2F:				; CODE XREF: MiGetWsAndInsertVad+1EFj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	[ebp-1], cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp-18h], ecx
		test	ecx, ecx
		jz	loc_536C24
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_536C42

loc_536B70:				; CODE XREF: MiGetWsAndInsertVad+21Aj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-10h], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		jnz	short loc_536BF9

loc_536B9A:				; CODE XREF: MiGetWsAndInsertVad+1DAj
		cmp	byte ptr [ebp-1], 1
		jnz	loc_5F02F8
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_536BB4:				; CODE XREF: MiGetWsAndInsertVad+1FCj
					; MiGetWsAndInsertVad+B98D8j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-1Ch], eax
		jnz	loc_536C56

loc_536BCB:				; CODE XREF: MiGetWsAndInsertVad+259j
					; MiGetWsAndInsertVad+B98FBj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_536BDE
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	short loc_536C4F

loc_536BDE:				; CODE XREF: MiGetWsAndInsertVad+1A4j
					; MiGetWsAndInsertVad+224j
		mov	ecx, [ebp-14h]

loc_536BE1:				; CODE XREF: MiGetWsAndInsertVad+BCj
		nop
		add	word ptr [ecx+13Eh], 1
		jz	loc_536C9F

loc_536BF0:				; CODE XREF: MiGetWsAndInsertVad+3Bj
					; MiGetWsAndInsertVad+275j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_536BF9:				; CODE XREF: MiGetWsAndInsertVad+168j
		mov	eax, 2AAAAAABh
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		jmp	short loc_536B9A
; 

loc_536C0C:				; CODE XREF: MiGetWsAndInsertVad+E2j
					; MiGetWsAndInsertVad+F3j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp-0Ch], eax
		mov	eax, [ebp-8]
		jmp	loc_536B2F
; 

loc_536C24:				; CODE XREF: MiGetWsAndInsertVad+128j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_536BB4
		jmp	loc_5F02E5
; 

loc_536C33:				; CODE XREF: MiGetWsAndInsertVad+A9j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-14h]
		jmp	loc_536ADF
; 

loc_536C42:				; CODE XREF: MiGetWsAndInsertVad+13Aj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp-18h]
		jmp	loc_536B70
; 

loc_536C4F:				; CODE XREF: MiGetWsAndInsertVad+1ACj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_536BDE
; 

loc_536C56:				; CODE XREF: MiGetWsAndInsertVad+195j
		test	edi, 8000h
		jnz	short loc_536C94

loc_536C5E:				; CODE XREF: MiGetWsAndInsertVad+26Dj
		test	byte ptr [ebp-0Eh], 1
		jnz	loc_5F030D

loc_536C68:				; CODE XREF: MiGetWsAndInsertVad+B98E9j
		test	edi, 7FFFh
		jz	short loc_536C7F
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_536C7F:				; CODE XREF: MiGetWsAndInsertVad+23Ej
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_536BCB
		jmp	loc_5F031E
; 

loc_536C94:				; CODE XREF: MiGetWsAndInsertVad+22Cj
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_536C5E
; 

loc_536C9F:				; CODE XREF: MiGetWsAndInsertVad+1BAj
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	loc_536BF0
		jmp	loc_5F0330
MiGetWsAndInsertVad endp


;  S U B	R O U T	I N E 


; __stdcall MiLockVad(x, x)
_MiLockVad@8	proc near		; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+99p
					; MiCfgInitializeProcess(x)+D1p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		dec	word ptr [esi+13Eh]
		nop
		lea	ecx, [edx+18h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi+304h], 80h
		nop
		pop	esi
		retn
_MiLockVad@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiComputeContiguousSubsectionPte(x,	x, x)
_MiComputeContiguousSubsectionPte@12 proc near ; CODE XREF: MiAdvanceVadView+DD0D0p
					; MiMapViewOfDataSection+424p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+24h]
		mov	edx, [ebp+arg_0]
		and	eax, 3FFFFFFFh
		push	esi
		mov	esi, [ecx+1Ch]
		sub	esi, eax
		cmp	[ebp+arg_4], 0
		jb	short loc_536CF4
		ja	short loc_536CFF
		cmp	edx, esi
		jnb	short loc_536CFF

loc_536CF4:				; CODE XREF: MiComputeContiguousSubsectionPte(x,x,x)+1Aj
					; MiComputeContiguousSubsectionPte(x,x,x)+30j
		mov	eax, [ecx+4]
		pop	esi
		lea	eax, [eax+edx*8]
		pop	ebp
		retn	8
; 

loc_536CFF:				; CODE XREF: MiComputeContiguousSubsectionPte(x,x,x)+1Cj
					; MiComputeContiguousSubsectionPte(x,x,x)+20j
		lea	edx, [esi-1]
		jmp	short loc_536CF4
_MiComputeContiguousSubsectionPte@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

UNLOCK_ADDRESS_SPACE proc near		; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+25Dp
					; MiInitializeVadBitMap(x)+7Cp	...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F033A SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	byte ptr [ecx+304h], 0FEh
		add	edx, 134h
		mov	[ebp+var_14], ecx
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_8], edx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_536E8F

loc_536D3C:				; CODE XREF: UNLOCK_ADDRESS_SPACE+18Cj
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	edx, 7FFFFFFCh
		jz	loc_536E3D
		push	esi
		mov	esi, large fs:124h
		mov	eax, edx
		mov	ecx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_1C], esi

loc_536D64:				; DATA XREF: EtwpTraceIo+FAo
					; EtwpTraceOpticalIo(x,x,x,x,x)+251o
		cmp	edx, ecx
		jb	short loc_536D86
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_536E68
		cmp	edx, ecx
		jb	short loc_536D86
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_536E68

loc_536D86:				; CODE XREF: UNLOCK_ADDRESS_SPACE+56j
					; UNLOCK_ADDRESS_SPACE+67j
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_C], ecx

loc_536D8C:				; CODE XREF: UNLOCK_ADDRESS_SPACE+16Bj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jz	loc_536E80
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_536EA1

loc_536DCB:				; CODE XREF: UNLOCK_ADDRESS_SPACE+199j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		jnz	short loc_536E55

loc_536DF5:				; CODE XREF: UNLOCK_ADDRESS_SPACE+156j
		cmp	[ebp+var_1], 1
		jnz	loc_5F034D
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_536E0F:				; CODE XREF: UNLOCK_ADDRESS_SPACE+178j
					; UNLOCK_ADDRESS_SPACE+B964Dj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_1C], eax
		jnz	loc_536EBC

loc_536E26:				; CODE XREF: UNLOCK_ADDRESS_SPACE+1DFj
					; UNLOCK_ADDRESS_SPACE+B9670j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_536E39
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	short loc_536EAE

loc_536E39:				; CODE XREF: UNLOCK_ADDRESS_SPACE+11Fj
					; UNLOCK_ADDRESS_SPACE+1A3j
		mov	ecx, [ebp+var_14]
		pop	esi

loc_536E3D:				; CODE XREF: UNLOCK_ADDRESS_SPACE+38j
		nop
		add	word ptr [ecx+13Eh], 1
		pop	edi
		jnz	short loc_536E51
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	short loc_536EB5

loc_536E51:				; CODE XREF: UNLOCK_ADDRESS_SPACE+137j
					; UNLOCK_ADDRESS_SPACE+1AAj
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_536E55:				; CODE XREF: UNLOCK_ADDRESS_SPACE+E3j
		mov	eax, 2AAAAAABh
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		jmp	short loc_536DF5
; 

loc_536E68:				; CODE XREF: UNLOCK_ADDRESS_SPACE+5Fj
					; UNLOCK_ADDRESS_SPACE+70j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, [ebp+var_8]
		mov	ecx, eax
		mov	[ebp+var_C], eax
		jmp	loc_536D8C
; 

loc_536E80:				; CODE XREF: UNLOCK_ADDRESS_SPACE+A3j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_536E0F
		jmp	loc_5F033A
; 

loc_536E8F:				; CODE XREF: UNLOCK_ADDRESS_SPACE+26j
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_8]
		jmp	loc_536D3C
; 

loc_536EA1:				; CODE XREF: UNLOCK_ADDRESS_SPACE+B5j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_18]
		jmp	loc_536DCB
; 

loc_536EAE:				; CODE XREF: UNLOCK_ADDRESS_SPACE+127j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_536E39
; 

loc_536EB5:				; CODE XREF: UNLOCK_ADDRESS_SPACE+13Fj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_536E51
; 

loc_536EBC:				; CODE XREF: UNLOCK_ADDRESS_SPACE+110j
		test	edi, 8000h
		jnz	short loc_536EFA

loc_536EC4:				; CODE XREF: UNLOCK_ADDRESS_SPACE+1F3j
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5F0362

loc_536ECE:				; CODE XREF: UNLOCK_ADDRESS_SPACE+B965Ej
		test	edi, 7FFFh
		jz	short loc_536EE5
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_536EE5:				; CODE XREF: UNLOCK_ADDRESS_SPACE+1C4j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_536E26
		jmp	loc_5F0373
; 

loc_536EFA:				; CODE XREF: UNLOCK_ADDRESS_SPACE+1B2j
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_536EC4
UNLOCK_ADDRESS_SPACE endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockVad	proc near		; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+243p
					; MiDeleteEmptyPageTables(x,x,x)+254p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F0385 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		lea	ecx, [edx+18h]
		mov	[ebp+var_1C], esi
		mov	[ebp+var_8], ecx
		and	byte ptr [esi+304h], 7Fh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_53709B

loc_536F3C:				; CODE XREF: MiUnlockVad+193j
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_53703D
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_18], esi
		cmp	ecx, edx
		jb	short loc_536F85
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_537061
		cmp	ecx, edx
		jb	short loc_536F85
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_537061

loc_536F85:				; CODE XREF: MiUnlockVad+55j
					; MiUnlockVad+66j
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx

loc_536F8B:				; CODE XREF: MiUnlockVad+164j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	[ebp+var_1], al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jz	loc_537088
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_5370A8

loc_536FCC:				; CODE XREF: MiUnlockVad+1A0j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		jnz	short loc_53704E

loc_536FF6:				; CODE XREF: MiUnlockVad+14Fj
		cmp	[ebp+var_1], 1
		jnz	loc_5F0398
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_537010:				; CODE XREF: MiUnlockVad+180j
					; MiUnlockVad+B9498j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_18], eax
		jnz	loc_5370BF

loc_537027:				; CODE XREF: MiUnlockVad+1E2j
					; MiUnlockVad+B94BBj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_53703A
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	short loc_5370B5

loc_53703A:				; CODE XREF: MiUnlockVad+120j
					; MiUnlockVad+1AAj
		mov	esi, [ebp+var_1C]

loc_53703D:				; CODE XREF: MiUnlockVad+38j
		nop
		add	word ptr [esi+13Eh], 1
		pop	edi
		jz	short loc_537079

loc_537049:				; CODE XREF: MiUnlockVad+16Fj
					; MiUnlockVad+176j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_53704E:				; CODE XREF: MiUnlockVad+E4j
		mov	eax, 2AAAAAABh
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		jmp	short loc_536FF6
; 

loc_537061:				; CODE XREF: MiUnlockVad+5Ej
					; MiUnlockVad+6Fj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax
		jmp	loc_536F8B
; 

loc_537079:				; CODE XREF: MiUnlockVad+137j
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_537049
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_537049
; 

loc_537088:				; CODE XREF: MiUnlockVad+A4j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_537010
		jmp	loc_5F0385
; 

loc_53709B:				; CODE XREF: MiUnlockVad+26j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		jmp	loc_536F3C
; 

loc_5370A8:				; CODE XREF: MiUnlockVad+B6j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_14]
		jmp	loc_536FCC
; 

loc_5370B5:				; CODE XREF: MiUnlockVad+128j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_53703A
; 

loc_5370BF:				; CODE XREF: MiUnlockVad+111j
		test	edi, 8000h
		jnz	short loc_5370FD

loc_5370C7:				; CODE XREF: MiUnlockVad+1F6j
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5F03AD

loc_5370D1:				; CODE XREF: MiUnlockVad+B94A9j
		test	edi, 7FFFh
		jz	short loc_5370E8
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5370E8:				; CODE XREF: MiUnlockVad+1C7j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_537027
		jmp	loc_5F03BE
; 

loc_5370FD:				; CODE XREF: MiUnlockVad+1B5j
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_5370C7
MiUnlockVad	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLocatePagefileSubsection(x, x)
_MiLocatePagefileSubsection@8 proc near	; CODE XREF: MiOffsetToProtos+292p
					; MiZeroCfgSystemWideBitmapWorker+46p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	eax, [edi]
		mov	ecx, [esi]
		mov	edx, [esi+4]
		test	dword ptr [eax+1Ch], 1000h
		mov	ebx, [eax+38h]
		mov	[ebp+var_8], ebx
		jnz	short loc_537154
		cmp	dword ptr [edi+20h], 40000000h
		jnb	short loc_537154
		mov	eax, [edi+1Ch]
		test	edx, edx
		jb	short loc_53714B
		ja	short loc_5371BA
		cmp	ecx, eax
		jnb	short loc_5371BA

loc_53714B:				; CODE XREF: MiLocatePagefileSubsection(x,x)+33j
		mov	eax, edi

loc_53714D:				; CODE XREF: MiLocatePagefileSubsection(x,x)+ACj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_537154:				; CODE XREF: MiLocatePagefileSubsection(x,x)+23j
					; MiLocatePagefileSubsection(x,x)+2Cj
		cmp	dword ptr [edi+20h], 40000000h
		mov	eax, 4000h
		jnb	short loc_5371B3

loc_537162:				; CODE XREF: MiLocatePagefileSubsection(x,x)+A8j
		push	ebx
		push	0
		shr	eax, 3
		push	eax
		push	edx
		push	ecx
		call	__aulldvrm
		mov	[ebp+var_4], ebx
		pop	ebx
		nop
		mov	ebx, [ebp+var_4]
		mov	[ebp+var_10], edx
		mov	edx, ecx
		or	edx, ebx
		mov	[ebp+var_C], eax
		jz	short loc_537185
		inc	eax

loc_537185:				; CODE XREF: MiLocatePagefileSubsection(x,x)+72j
		cmp	eax, [ebp+var_8]
		ja	short loc_5371BA
		mov	edx, [ebp+var_C]
		lea	eax, ds:0[edx*8]
		sub	eax, edx
		mov	edx, [edi+eax*8+1Ch]
		lea	eax, [edi+eax*8]
		test	ebx, ebx
		jb	short loc_5371A7
		ja	short loc_5371BA
		cmp	ecx, edx
		jnb	short loc_5371BA

loc_5371A7:				; CODE XREF: MiLocatePagefileSubsection(x,x)+8Fj
		pop	edi
		mov	[esi+4], ebx
		mov	[esi], ecx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5371B3:				; CODE XREF: MiLocatePagefileSubsection(x,x)+50j
		mov	eax, 200000h
		jmp	short loc_537162
; 

loc_5371BA:				; CODE XREF: MiLocatePagefileSubsection(x,x)+35j
					; MiLocatePagefileSubsection(x,x)+39j ...
		xor	eax, eax
		jmp	short loc_53714D
_MiLocatePagefileSubsection@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiIncludeSharedCommit(x)
_MiIncludeSharedCommit@4 proc near	; CODE XREF: MiUpdateProcessSharedCommit(x,x)p
					; MiInsertSharedCommitNode+12p	...
		mov	eax, [ecx+1Ch]
		test	al, 20h
		jnz	short loc_5371DC
		test	eax, 400h
		jnz	short loc_5371E2
		cmp	ecx, dword_6CF4FC
		jz	short loc_5371E2
		cmp	dword ptr [ecx+20h], 0
		jnz	short loc_5371E2

loc_5371DC:				; CODE XREF: MiIncludeSharedCommit(x)+5j
		mov	eax, 1
		retn
; 

loc_5371E2:				; CODE XREF: MiIncludeSharedCommit(x)+Cj
					; MiIncludeSharedCommit(x)+14j	...
		xor	eax, eax
		retn
_MiIncludeSharedCommit@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiSectionControlArea(x)
_MiSectionControlArea@4	proc near	; CODE XREF: MmUnmapViewInSystemCache+5Ep
					; MiInsertInSystemSpace+77p ...
		mov	eax, [ecx+14h]
		mov	ecx, eax
		and	ecx, 0FFFFFFFCh
		test	al, 1
		jnz	short loc_537209
		test	al, 2
		jnz	short loc_537203
		mov	eax, ecx
		retn
; 

loc_537203:				; CODE XREF: MiSectionControlArea(x)+Ej
		mov	eax, [ecx+14h]
		mov	eax, [eax]
		retn
; 

loc_537209:				; CODE XREF: MiSectionControlArea(x)+Aj
		mov	eax, [ecx+14h]
		mov	eax, [eax+8]
		retn
_MiSectionControlArea@4	endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1965. RtlAvlInsertNodeEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAvlInsertNodeEx(x, x, x,	x)
		public _RtlAvlInsertNodeEx@16
_RtlAvlInsertNodeEx@16 proc near	; CODE XREF: MiInsertVad+11Cp
					; MiBeginPageAccessor+BAp ...

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_C]
		mov	dword ptr [esi], 0
		mov	dword ptr [esi+4], 0
		mov	[esi+8], edx
		test	edx, edx
		jz	loc_537360
		mov	ch, byte ptr [ebp+arg_8]
		push	ebx
		movzx	eax, ch
		or	bl, 0FFh
		push	edi
		lea	edi, [edx+8]
		mov	[edx+eax*4], esi
		mov	al, ch
		mov	cl, [edi]
		add	al, al
		mov	bh, cl
		sub	bl, al
		and	bh, 3
		and	bl, 3
		test	bh, bh
		jnz	short loc_53729F
		lea	esp, [esp+0]

loc_537270:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+7Dj
		and	cl, 0FCh
		mov	esi, edx
		or	cl, bl
		mov	[edi], cl
		mov	edx, [edi]
		and	edx, 0FFFFFFFCh
		jz	short loc_5372A7
		cmp	[edx], esi
		lea	edi, [edx+8]
		mov	cl, [edi]
		setnz	ch
		mov	bh, cl
		mov	al, ch
		or	bl, 0FFh
		add	al, al
		and	bh, 3
		sub	bl, al
		and	bl, 3
		test	bh, bh
		jz	short loc_537270

loc_53729F:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+47j
		cmp	bh, bl
		jz	short loc_5372AE

loc_5372A3:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+100j
		and	byte ptr [edx+8], 0FCh

loc_5372A7:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+5Ej
					; RtlAvlInsertNodeEx(x,x,x,x)+13Bj ...
		pop	edi
		pop	ebx
		pop	esi
		pop	ebp
		retn	10h
; 

loc_5372AE:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+81j
		movzx	eax, byte ptr [esi+8]
		movzx	edi, bh
		and	eax, 3
		movzx	ecx, ch
		cmp	eax, edi
		jnz	short loc_537322
		mov	eax, [esi+8]
		xor	ecx, 1
		and	eax, 0FFFFFFFCh
		cmp	eax, edx
		jnz	loc_5373BC
		mov	eax, ecx
		xor	eax, 1
		cmp	[edx+eax*4], esi
		lea	ebx, [edx+eax*4]
		jnz	loc_5373BC
		mov	edi, [edx+8]
		and	edi, 0FFFFFFFCh
		jz	loc_5373AE
		cmp	[edi+4], edx
		jnz	loc_537384
		mov	[edi+4], esi

loc_5372F9:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+16Aj
					; RtlAvlInsertNodeEx(x,x,x,x)+197j
		mov	eax, [esi+8]
		and	eax, 3
		or	eax, edi
		lea	edi, [esi+ecx*4]
		mov	[esi+8], eax
		mov	ecx, [edi]
		test	ecx, ecx
		jnz	short loc_53736A

loc_53730D:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+162j
		mov	[ebx], ecx
		mov	[edi], edx
		mov	eax, [edx+8]
		and	eax, 3
		or	eax, esi
		mov	[edx+8], eax
		and	byte ptr [esi+8], 0FCh
		jmp	short loc_5372A3
; 

loc_537322:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+9Dj
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	esi
		call	_RtlpTreeDoubleRotateNodes@20 ;	RtlpTreeDoubleRotateNodes(x,x,x,x,x)
		and	byte ptr [edx+8], 0FCh
		mov	bl, [esi+8]
		and	bl, 0FCh
		mov	[ebp+arg_8], eax
		mov	[esi+8], bl
		movzx	eax, byte ptr [eax+8]
		mov	ecx, eax
		and	ecx, 3
		cmp	edi, ecx
		jz	short loc_537396
		xor	eax, 0FFFFFFFEh
		and	eax, 3
		cmp	edi, eax
		jz	short loc_53738F

loc_537354:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+174j
		mov	eax, [ebp+arg_8]
		and	byte ptr [eax+8], 0FCh
		jmp	loc_5372A7
; 

loc_537360:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+1Ej
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_53736A:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+EBj
		mov	eax, [ecx+8]
		mov	[ebp+arg_8], eax
		and	eax, 0FFFFFFFCh
		cmp	eax, esi
		jnz	short loc_5373BC
		mov	eax, [ebp+arg_8]
		and	eax, 3
		or	eax, edx
		mov	[ecx+8], eax
		jmp	short loc_53730D
; 

loc_537384:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+D0j
		cmp	[edi], edx
		jnz	short loc_5373BC
		mov	[edi], esi
		jmp	loc_5372F9
; 

loc_53738F:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+132j
		or	bl, bh
		mov	[esi+8], bl
		jmp	short loc_537354
; 

loc_537396:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+128j
		mov	al, [edx+8]
		xor	al, bh
		xor	al, 0FEh
		and	al, 3
		xor	[edx+8], al
		mov	eax, [ebp+arg_8]
		and	byte ptr [eax+8], 0FCh
		jmp	loc_5372A7
; 

loc_5373AE:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+C7j
		mov	eax, [ebp+arg_0]
		cmp	[eax], edx
		jnz	short loc_5373BC
		mov	[eax], esi
		jmp	loc_5372F9
; 

loc_5373BC:				; CODE XREF: RtlAvlInsertNodeEx(x,x,x,x)+AAj
					; RtlAvlInsertNodeEx(x,x,x,x)+BBj ...
		mov	ecx, 1Dh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_RtlAvlInsertNodeEx@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetCommittedPages(x)
_MiGetCommittedPages@4 proc near	; CODE XREF: MiDeleteSegmentPages+73p
					; MiReferenceActiveSubsection+B9948p ...
		cmp	dword ptr [ecx+20h], 0
		jnz	short loc_5373D3
		mov	eax, [ecx+48h]
		and	eax, 0FFFFFh
		retn
; 

loc_5373D3:				; CODE XREF: MiGetCommittedPages(x)+4j
		mov	eax, [ecx]
		mov	eax, [eax+0Ch]
		retn
_MiGetCommittedPages@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiDereferenceControlAreaBySection(x, x)
_MiDereferenceControlAreaBySection@8 proc near
					; CODE XREF: MmGetImageFileSignatureInformation+67p
					; MiDereferenceFailedControlArea+17j ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		lea	eax, [edi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		dec	dword ptr [edi+0Ch]
		mov	dl, al
		sub	[edi+18h], esi
		mov	ecx, edi
		pop	edi
		pop	esi
		jmp	MiCheckControlArea
_MiDereferenceControlAreaBySection@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckControlArea proc	near		; CODE XREF: MmUnmapViewInSystemCache+3E2p
					; MiDeleteVad(x,x,x)+125Fp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F03D0 SIZE 000000A6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+24h+var_18], 0
		xor	ecx, ecx
		mov	[esp+24h+var_10], 0FFFFFFFFh
		xor	eax, eax
		mov	[esp+24h+var_C], ecx
		push	edi
		mov	bl, dl
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[esp+28h+var_1C], eax
		mov	[esp+28h+var_8], ecx
		mov	[esp+28h+var_4], ecx
		cmp	[esi+14h], eax
		jz	short loc_5374AC

loc_537441:				; CODE XREF: MiCheckControlArea+AFj
		cmp	[esi+2Ch], eax
		jnz	loc_53763B

loc_53744A:				; CODE XREF: MiCheckControlArea+100j
					; MiCheckControlArea+175j ...
		cmp	eax, 4
		jnb	loc_5375FF

loc_537453:				; CODE XREF: MiCheckControlArea+216j
		test	eax, eax
		jnz	loc_53757A
		test	ds:byte_70EFC6,	1
		jnz	loc_5F041C
		mov	[esi+24h], eax

loc_53746B:				; CODE XREF: MiCheckControlArea+B9027j
		mov	cl, bl
		call	edi
		mov	eax, [esp+28h+var_18]
		test	eax, eax
		jnz	loc_537620

loc_53747B:				; CODE XREF: MiCheckControlArea+233j
		mov	esi, dword_6D5EFC
		mov	eax, 0CCCCCCCDh
		mov	ecx, dword_6D5F54
		mul	ecx
		shr	edx, 3
		lea	eax, [edx+edx*8]
		cmp	esi, eax
		jnb	loc_5F042C

loc_53749C:				; CODE XREF: MiCheckControlArea+B9017j
					; MiCheckControlArea+B9033j ...
		lea	ecx, [esp+28h+var_10]
		call	_MiReturnImageBase@4 ; MiReturnImageBase(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5374AC:				; CODE XREF: MiCheckControlArea+3Fj
		cmp	[esi+0Ch], eax
		jnz	short loc_537441
		mov	eax, [esi+20h]
		and	eax, 0FFFFFFF8h
		jz	loc_5375A6
		mov	edx, [esi+1Ch]
		cmp	[esi+10h], ecx
		jz	loc_5375E0
		test	edx, 40000h
		jnz	loc_5F03D0
		mov	eax, edx
		and	eax, 20020h
		cmp	eax, 20020h
		jnz	loc_5375B8

loc_5374E7:				; CODE XREF: MiCheckControlArea+1C2j
		test	dl, 20h
		jnz	loc_5375C7

loc_5374F0:				; CODE XREF: MiCheckControlArea+1DBj
		xor	eax, eax

loc_5374F2:				; CODE XREF: MiCheckControlArea+B8FD9j
		mov	ecx, edx
		and	ecx, 20020h
		cmp	ecx, 20020h
		jnz	loc_53744A
		or	edx, 4
		mov	dword ptr [esi+14h], 1
		lea	edi, [esi+24h]
		mov	[esi+1Ch], edx
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	MiPurgeImageSection
		push	edi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+1Ch], 0FFFFFFFBh
		mov	bl, al
		add	dword ptr [esi+14h], 0FFFFFFFFh
		jnz	loc_5F03FB
		cmp	dword ptr [esi+0Ch], 0
		jnz	loc_5F03FB
		cmp	dword ptr [esi+10h], 0
		jz	loc_5F03DE
		mov	eax, [esp+24h+var_18]
		test	eax, eax
		jnz	short loc_53756F
		mov	ecx, esi
		call	MiInsertUnusedSegment
		mov	eax, [esp+24h+var_18]
		or	eax, 4

loc_53756B:				; CODE XREF: MiCheckControlArea+B9000j
		mov	[esp+24h+var_18], eax

loc_53756F:				; CODE XREF: MiCheckControlArea+15Bj
					; MiCheckControlArea+B8FF6j
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		jmp	loc_53744A
; 

loc_53757A:				; CODE XREF: MiCheckControlArea+55j
		test	al, 1
		jnz	loc_5F0405
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	edi
		mov	ecx, esi
		call	MiSegmentDelete
		lea	ecx, [esp+28h+var_10]
		call	_MiReturnImageBase@4 ; MiReturnImageBase(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5375A6:				; CODE XREF: MiCheckControlArea+B7j
		or	dword ptr [esi+1Ch], 1
		mov	eax, 2
		mov	[esp+28h+var_1C], eax
		jmp	loc_53744A
; 

loc_5375B8:				; CODE XREF: MiCheckControlArea+E1j
		mov	ecx, esi
		call	MiInsertUnusedSegment
		mov	edx, [esi+1Ch]
		jmp	loc_5374E7
; 

loc_5375C7:				; CODE XREF: MiCheckControlArea+EAj
		lea	eax, [esp+28h+var_10]
		mov	edx, 1
		push	eax
		mov	ecx, esi
		call	MiImageUnused
		mov	edx, [esi+1Ch]
		jmp	loc_5374F0
; 

loc_5375E0:				; CODE XREF: MiCheckControlArea+C3j
		or	edx, 1
		mov	[esp+28h+var_1C], 2
		mov	ecx, esi
		mov	[esi+1Ch], edx
		call	_MiClearFilePointer@4 ;	MiClearFilePointer(x)
		mov	eax, 2
		jmp	loc_53744A
; 

loc_5375FF:				; CODE XREF: MiCheckControlArea+4Dj
		mov	edx, 3
		mov	ecx, esi
		call	_MiBuildWakeList@8 ; MiBuildWakeList(x,x)
		mov	[esp+28h+var_18], eax
		mov	eax, [esp+28h+var_1C]
		and	eax, 0FFFFFFFBh
		jmp	loc_537453
; 
		jmp	short loc_537620
; 
		align 10h

loc_537620:				; CODE XREF: MiCheckControlArea+75j
					; MiCheckControlArea+21Bj ...
		mov	esi, [eax]
		lea	ecx, [eax+0Ch]
		mov	edx, 1
		call	KeSignalGate
		mov	eax, esi
		test	esi, esi
		jz	loc_53747B
		jmp	short loc_537620
; 

loc_53763B:				; CODE XREF: MiCheckControlArea+44j
		mov	eax, 4
		mov	[esp+28h+var_1C], eax
		jmp	loc_53744A
MiCheckControlArea endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ObpLockDirectoryShared(x, x)
_ObpLockDirectoryShared@8 proc near	; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+C7Ep
					; ObpLookupDirectoryUsingHash+B0p ...
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	dword ptr [edi+14h], 0BBBB1234h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+94h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	edx, 746C6644h
		mov	dword ptr [edi+14h], 0DDDD1234h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	[edi], esi
		mov	word ptr [edi+12h], 1
		pop	edi
		pop	esi
		retn
_ObpLockDirectoryShared@8 endp


;  S U B	R O U T	I N E 


; __stdcall SepTokenFromAccessInformation(x, x)
_SepTokenFromAccessInformation@8 proc near
					; CODE XREF: SeTokenFromAccessInformation(x,x,x,x)+15p
					; SeAccessCheckFromState+79p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	2A8h		; size_t
		xor	ebx, ebx
		mov	esi, edx
		push	ebx		; int
		push	esi		; void *
		mov	edi, ecx
		call	_memset
		mov	eax, [edi+0Ch]
		add	esp, 0Ch
		mov	[esi+18h], eax
		mov	eax, [edi+10h]
		mov	[esi+1Ch], eax
		mov	eax, [edi+14h]
		mov	[esi+0A8h], eax
		cmp	eax, 2
		jz	loc_5377CC

loc_5376C8:				; CODE XREF: SepTokenFromAccessInformation(x,x)+145j
		mov	edx, [edi+8]
		lea	eax, [esi+50h]
		push	eax
		lea	eax, [esi+48h]
		push	eax
		lea	eax, [esi+40h]
		lea	ecx, [edx+4]
		mov	edx, [edx]
		push	eax
		call	_SepPrivilegesToBitmask@20 ; SepPrivilegesToBitmask(x,x,x,x,x)
		mov	eax, [edi]
		mov	eax, [eax]
		mov	[esi+7Ch], eax
		mov	eax, [edi]
		mov	eax, [eax+4]
		mov	[esi+94h], eax
		lea	eax, [esi+0CCh]
		mov	ecx, [edi]
		push	eax		; void *
		push	dword ptr [ecx]	; int
		push	dword ptr [ecx+4] ; int
		call	RtlSidHashInitialize
		mov	eax, [edi+4]
		mov	eax, [eax]
		mov	[esi+80h], eax
		mov	eax, [edi+4]
		mov	eax, [eax+4]
		mov	[esi+98h], eax
		lea	eax, [esi+154h]
		mov	ecx, [edi+4]
		push	eax		; void *
		push	dword ptr [ecx]	; int
		push	dword ptr [ecx+4] ; int
		call	RtlSidHashInitialize
		mov	eax, [edi+2Ch]
		mov	eax, [eax]
		mov	[esi+1E8h], eax
		mov	eax, [edi+2Ch]
		mov	eax, [eax+4]
		mov	[esi+1E4h], eax
		lea	eax, [esi+1ECh]
		mov	ecx, [edi+2Ch]
		push	eax		; void *
		push	dword ptr [ecx]	; int
		push	dword ptr [ecx+4] ; int
		call	RtlSidHashInitialize
		mov	eax, [edi+28h]
		test	eax, eax
		jnz	short loc_5377C4

loc_537763:				; CODE XREF: SepTokenFromAccessInformation(x,x)+13Aj
		mov	eax, [edi+30h]
		test	eax, eax
		jz	short loc_537770
		mov	[esi+280h], eax

loc_537770:				; CODE XREF: SepTokenFromAccessInformation(x,x)+D8j
		mov	eax, [edi+20h]
		or	dword ptr [esi+0B8h], 0FFFFFFFFh
		mov	ecx, [esi+7Ch]
		mov	[esi+0B0h], eax
		mov	eax, [edi+1Ch]
		mov	[esi+0BCh], eax
		test	ecx, ecx
		jz	short loc_5377A6
		mov	eax, [esi+94h]
		add	eax, 4

loc_537799:				; CODE XREF: SepTokenFromAccessInformation(x,x)+114j
		test	byte ptr [eax],	40h
		jnz	short loc_5377B3

loc_53779E:				; CODE XREF: SepTokenFromAccessInformation(x,x)+12Aj
					; SepTokenFromAccessInformation(x,x)+132j
		inc	ebx
		add	eax, 8
		cmp	ebx, ecx
		jb	short loc_537799

loc_5377A6:				; CODE XREF: SepTokenFromAccessInformation(x,x)+FEj
		mov	eax, [edi+34h]
		pop	edi
		mov	[esi+1DCh], eax
		pop	esi
		pop	ebx
		retn
; 

loc_5377B3:				; CODE XREF: SepTokenFromAccessInformation(x,x)+10Cj
		cmp	dword ptr [esi+0B8h], 0FFFFFFFFh
		jnz	short loc_53779E
		mov	[esi+0B8h], ebx
		jmp	short loc_53779E
; 

loc_5377C4:				; CODE XREF: SepTokenFromAccessInformation(x,x)+D1j
		mov	[esi+1E0h], eax
		jmp	short loc_537763
; 

loc_5377CC:				; CODE XREF: SepTokenFromAccessInformation(x,x)+32j
		mov	eax, [edi+18h]
		mov	[esi+0ACh], eax
		jmp	loc_5376C8
_SepTokenFromAccessInformation@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmGetSessionObjectById proc near	; CODE XREF: SepSetTokenSessionById(x,x,x,x,x)+34p
					; SeSetSessionIdToken+23p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005F0476 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5378B5
		push	esi
		mov	esi, [ebx+180h]
		mov	edi, [esi+2Ch]
		mov	[ebp+var_8], offset dword_6D3540
		mov	[ebp+var_C], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_4], al
		jnz	loc_5F0476
		lea	edx, [ebp+var_C]
		mov	eax, offset dword_6D3540
		xchg	edx, [eax]
		test	edx, edx
		jnz	short loc_53788F

loc_53783D:				; CODE XREF: MmGetSessionObjectById+B7j
					; MmGetSessionObjectById+B8CA3j
		test	byte ptr [esi+4], 2
		pop	esi
		jnz	short loc_5378B9
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag

loc_537850:				; CODE XREF: MmGetSessionObjectById+DBj
		test	ds:byte_70EFC6,	1
		jnz	loc_5F0488
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5378A1
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_537899

loc_537877:				; CODE XREF: MmGetSessionObjectById+D3j
					; MmGetSessionObjectById+B8CB3j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, edi

loc_537889:				; CODE XREF: MmGetSessionObjectById+D7j
		pop	edi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_53788F:				; CODE XREF: MmGetSessionObjectById+5Bj
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_53783D
; 

loc_537899:				; CODE XREF: MmGetSessionObjectById+95j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5378A1:				; CODE XREF: MmGetSessionObjectById+82j
		mov	[ebp+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_537877
; 

loc_5378B5:				; CODE XREF: MmGetSessionObjectById+1Bj
		xor	eax, eax
		jmp	short loc_537889
; 

loc_5378B9:				; CODE XREF: MmGetSessionObjectById+62j
		xor	edi, edi
		jmp	short loc_537850
MmGetSessionObjectById endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetSessionById(x)
_MmGetSessionById@4 proc near		; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+263p
					; MmGetSessionObjectById+12p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	edi
		mov	[ebp+var_C], eax
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		call	_KeIsExecutingInArbitraryThreadContext@0 ; KeIsExecutingInArbitraryThreadContext()
		test	eax, eax
		jz	short loc_5378E7
		xor	edi, edi
		jmp	short loc_5378F5
; 

loc_5378E7:				; CODE XREF: MmGetSessionById(x)+21j
		mov	eax, large fs:124h
		push	eax
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		mov	edi, eax

loc_5378F5:				; CODE XREF: MmGetSessionById(x)+25j
		mov	[ebp+var_8], offset dword_6D3540
		mov	[ebp+var_C], ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_4], al
		jz	short loc_537920
		mov	edx, offset dword_6D3540
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_537936
; 

loc_537920:				; CODE XREF: MmGetSessionById(x)+4Fj
		lea	edx, [ebp+var_C]
		mov	eax, offset dword_6D3540
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_537936
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_537936:				; CODE XREF: MmGetSessionById(x)+5Ej
					; MmGetSessionById(x)+6Cj
		mov	eax, dword_6D05D8
		test	eax, eax
		jz	short loc_537974
		nop

loc_537940:				; CODE XREF: MmGetSessionById(x)+92j
		mov	ecx, [eax-50h]
		cmp	esi, ecx
		ja	short loc_53794D
		jnb	short loc_537956
		mov	eax, [eax]
		jmp	short loc_537950
; 

loc_53794D:				; CODE XREF: MmGetSessionById(x)+85j
		mov	eax, [eax+4]

loc_537950:				; CODE XREF: MmGetSessionById(x)+8Bj
		test	eax, eax
		jnz	short loc_537940
		jmp	short loc_537974
; 

loc_537956:				; CODE XREF: MmGetSessionById(x)+87j
		test	eax, eax
		jz	short loc_537974
		test	edi, edi
		jz	short loc_537966
		cmp	[eax+23F8h], edi
		jnz	short loc_537974

loc_537966:				; CODE XREF: MmGetSessionById(x)+9Cj
		cmp	ecx, esi
		jnz	short loc_537974
		lea	ecx, [eax-58h]
		call	MiSelectSessionAttachProcess
		mov	ebx, eax

loc_537974:				; CODE XREF: MmGetSessionById(x)+7Dj
					; MmGetSessionById(x)+94j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_53799A
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		mov	cl, byte ptr [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_53799A:				; CODE XREF: MmGetSessionById(x)+BBj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5379B9
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5379CB
		call	KxWaitForLockChainValid

loc_5379B9:				; CODE XREF: MmGetSessionById(x)+DFj
		mov	[ebp+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5379CB:				; CODE XREF: MmGetSessionById(x)+F2j
		mov	cl, byte ptr [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MmGetSessionById@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1832. PsGetThreadServerSilo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetThreadServerSilo(x)
		public _PsGetThreadServerSilo@4
_PsGetThreadServerSilo@4 proc near	; CODE XREF: MiGetNextSession(x,x)+2Ep
					; RtlGetActiveConsoleId()+21p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+390h]
		cmp	ecx, 0FFFFFFFDh
		jnz	short loc_537A05
		mov	eax, [eax+150h]
		mov	eax, [eax+3A0h]

loc_537A01:				; CODE XREF: PsGetThreadServerSilo(x)+29j
		pop	ebp
		retn	4
; 

loc_537A05:				; CODE XREF: PsGetThreadServerSilo(x)+11j
		push	ecx
		call	_PsGetEffectiveServerSilo@4 ; PsGetEffectiveServerSilo(x)
		jmp	short loc_537A01
_PsGetThreadServerSilo@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSelectSessionAttachProcess proc near	; CODE XREF: MiGetNextSession(x,x)+C3p
					; MmGetSessionById(x)+ADp ...

var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F0498 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	dword ptr [ecx+1DCh], 0
		push	ebx
		push	esi
		push	edi
		jz	short loc_537AA0
		test	byte ptr [ecx+4], 2
		jnz	short loc_537AA0
		mov	ebx, [ecx+10h]
		lea	edx, [ecx+10h]
		cmp	ebx, edx
		jz	short loc_537AA0

loc_537A32:				; CODE XREF: MiSelectSessionAttachProcess+98j
		test	byte ptr [ebx+181h], 1
		jnz	short loc_537AA4
		mov	eax, [ebx-24h]
		and	eax, 0C00h
		cmp	eax, 0C00h
		jb	short loc_537AA4
		mov	al, [ebx+183h]
		and	al, 60h
		cmp	al, 40h
		jz	short loc_537AA4
		mov	eax, [ebx-138h]
		lea	edi, [ebx-138h]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_537AA4
		lea	esp, [esp+0]

loc_537A70:				; CODE XREF: MiSelectSessionAttachProcess+B8A8Fj
		lea	ecx, [eax+1]
		lock cmpxchg [edi], ecx
		mov	ecx, eax
		cmp	ecx, [ebp+var_4]
		jnz	loc_5F0498
		push	746C6644h
		mov	edx, 1
		mov	ecx, edi
		call	ObpTraceObjectReferenceIfActive
		lea	eax, [ebx-120h]

loc_537A99:				; CODE XREF: MiSelectSessionAttachProcess+92j
					; MiSelectSessionAttachProcess+9Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_537AA0:				; CODE XREF: MiSelectSessionAttachProcess+10j
					; MiSelectSessionAttachProcess+16j ...
		xor	eax, eax
		jmp	short loc_537A99
; 

loc_537AA4:				; CODE XREF: MiSelectSessionAttachProcess+29j
					; MiSelectSessionAttachProcess+38j ...
		mov	ebx, [ebx]
		cmp	ebx, edx
		jnz	short loc_537A32
		xor	eax, eax
		jmp	short loc_537A99
MiSelectSessionAttachProcess endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopQueueIrpToFileObject	proc near	; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+51p
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+ABp

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F04AA SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	ebx, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [esi+70h]
		mov	[ebp+var_1], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	dword ptr [esi+2Ch], 400h
		jnz	loc_5F04AA
		mov	eax, [esi+74h]
		lea	ecx, [ebx+10h]
		add	esi, 74h
		cmp	[eax+4], esi
		jnz	loc_5F04D4
		mov	[ecx], eax
		mov	edx, 70436F49h
		mov	[ecx+4], esi
		mov	[eax+4], ecx
		mov	eax, large fs:124h
		mov	[esi], ecx
		mov	esi, [eax+80h]
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	ecx, large fs:124h
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		or	dword ptr [ebx+8], 2000h
		lea	eax, [ebx+30h]
		mov	[ebp+var_8], eax
		mov	ebx, [ebp+var_8]
		mov	[eax], esi
		mov	eax, [eax]

loc_537B38:				; CODE XREF: IopQueueIrpToFileObject+9Dj
		mov	ecx, eax
		mov	edx, eax
		and	ecx, 3
		and	edx, 0FFFFFFFCh
		inc	ecx
		mov	esi, eax
		or	edx, ecx
		lock cmpxchg [ebx], edx
		cmp	esi, eax
		jnz	short loc_537B38
		test	ds:byte_70EFC6,	1
		jnz	loc_5F04DB
		xor	eax, eax
		lock and [edi],	eax

loc_537B61:				; CODE XREF: IopQueueIrpToFileObject+B8A35j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, 1

loc_537B6C:				; CODE XREF: IopQueueIrpToFileObject+B8A1Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
IopQueueIrpToFileObject	endp

; 
		align 10h
; Exported entry 843. IoGetAttachedDeviceReference

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoGetAttachedDeviceReference
IoGetAttachedDeviceReference proc near	; CODE XREF: IopPrepareDeviceNotify(x)+1Ep
					; IoShutdownSystem(x)+4Cp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F04EA SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, large fs:20h
		mov	bl, al
		mov	esi, [ecx+46Ch]
		add	ecx, 468h
		test	ds:byte_70EFC6,	21h
		jnz	loc_5F04EA
		mov	edx, ecx
		xchg	edx, [esi]
		test	edx, edx
		jnz	short loc_537C35

loc_537BB8:				; CODE XREF: IoGetAttachedDeviceReference+BAj
					; IoGetAttachedDeviceReference+B8971j
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+10h]
		test	eax, eax
		jnz	short loc_537C10

loc_537BC2:				; CODE XREF: IoGetAttachedDeviceReference+99j
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	edi, [eax+468h]
		jnz	loc_5F04F6
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_537C22
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jnz	short loc_537C1B

loc_537BFC:				; CODE XREF: IoGetAttachedDeviceReference+B3j
					; IoGetAttachedDeviceReference+B8980j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 
		align 10h

loc_537C10:				; CODE XREF: IoGetAttachedDeviceReference+40j
					; IoGetAttachedDeviceReference+97j
		mov	esi, eax
		mov	eax, [esi+10h]
		test	eax, eax
		jnz	short loc_537C10
		jmp	short loc_537BC2
; 

loc_537C1B:				; CODE XREF: IoGetAttachedDeviceReference+7Aj
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_537C22:				; CODE XREF: IoGetAttachedDeviceReference+6Bj
		mov	dword ptr [edi], 0
		lea	ecx, [eax+4]
		mov	edx, 1
		lock xor [ecx],	edx
		jmp	short loc_537BFC
; 

loc_537C35:				; CODE XREF: IoGetAttachedDeviceReference+36j
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_537BB8
IoGetAttachedDeviceReference endp

; 
		align 10h

;  S U B	R O U T	I N E 


ObpIncrPointerCount proc near		; CODE XREF: ObInheritObjectHandle+20p
					; ObpReferenceProcessObjectByHandle+194p ...

; FUNCTION CHUNK AT 005A87AE SIZE 00000021 BYTES

		xor	eax, eax
		inc	eax
		lock xadd [ecx], eax
		inc	eax
		cmp	eax, 1
		jle	loc_5A87AE
		retn
ObpIncrPointerCount endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpTraceObjectReferenceIfActive	proc near ; CODE XREF: MiEmptyPageAccessLog+105p
					; ObReferenceObjectSafe(x)+29p	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		cmp	ds:_ObpTraceFlags, 0
		jnz	loc_5A87BF

loc_537C67:				; CODE XREF: ObpIncrPointerCount+70B8Aj
		mov	esp, ebp
		pop	ebp
		retn	4
ObpTraceObjectReferenceIfActive	endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2344. RtlSidHashInitialize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlSidHashInitialize(int,int,void *)
		public RtlSidHashInitialize
RtlSidHashInitialize proc near		; CODE XREF: SepCreateTokenEx+789p
					; SepTokenFromAccessInformation(x,x)+71p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F0505 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	loc_5F0505
		push	88h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		test	ecx, ecx
		jz	short loc_537CEC
		push	ebx
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_537CEB
		mov	[edi+4], ecx
		mov	[edi], ebx
		cmp	ebx, 20h
		ja	short loc_537CF3

loc_537CBA:				; CODE XREF: RtlSidHashInitialize+78j
		push	esi
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_537CEA
		lea	eax, [esi+1]

loc_537CC4:				; CODE XREF: RtlSidHashInitialize+68j
		mov	edx, [ecx+esi*8]
		inc	esi
		movzx	ecx, byte ptr [edx+1]
		movzx	edx, byte ptr [edx+ecx*4+4]
		mov	ecx, edx
		shr	edx, 4
		and	ecx, 0Fh
		or	[edi+ecx*4+8], eax
		or	[edi+edx*4+48h], eax
		mov	ecx, [ebp+arg_0]
		rol	eax, 1
		cmp	esi, ebx
		jb	short loc_537CC4

loc_537CEA:				; CODE XREF: RtlSidHashInitialize+3Fj
		pop	esi

loc_537CEB:				; CODE XREF: RtlSidHashInitialize+2Ej
		pop	ebx

loc_537CEC:				; CODE XREF: RtlSidHashInitialize+26j
		xor	eax, eax

loc_537CEE:				; CODE XREF: RtlSidHashInitialize+B888Aj
		pop	edi
		pop	ebp
		retn	0Ch
; 

loc_537CF3:				; CODE XREF: RtlSidHashInitialize+38j
		mov	ebx, 20h
		jmp	short loc_537CBA
RtlSidHashInitialize endp

; 
		align 10h
; Exported entry 380. ExInitializeResourceLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExInitializeResourceLite
ExInitializeResourceLite proc near	; CODE XREF: CcAllocateInitializeBcb(x,x,x,x)+7Bp
					; SepCreateTokenEx+4F9p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F050F SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		mov	dword ptr [esi+8], 0
		mov	dword ptr [esi+0Ch], 0
		mov	dword ptr [esi+18h], 0
		mov	dword ptr [esi+1Ch], 0
		mov	dword ptr [esi+20h], 0
		mov	dword ptr [esi+24h], 0
		mov	dword ptr [esi+28h], 0
		mov	dword ptr [esi+2Ch], 0
		mov	dword ptr [esi+30h], 0
		mov	[esi+4], esi
		mov	[esi], esi
		mov	[esi+10h], eax
		mov	[esi+14h], eax
		mov	[esi+34h], eax
		test	_NtGlobalFlag, 2000h
		jnz	loc_5F050F

loc_537D6A:				; CODE XREF: ExInitializeResourceLite+B8817j
		mov	cl, 2
		mov	[esi+30h], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		mov	edi, offset _ExpResourceSpinLock
		jnz	loc_5F051C
		mov	[ebp+arg_0], 0
		lock bts dword ptr [edi], 1Fh
		jb	short loc_537E0C

loc_537D97:				; CODE XREF: ExInitializeResourceLite+118j
		mov	edx, ds:_ExpResourceSpinLock
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5F052A

loc_537DAF:				; CODE XREF: ExInitializeResourceLite+B8825j
					; ExInitializeResourceLite+B885Fj
		mov	eax, dword_6BBC84
		cmp	dword ptr [eax], offset	_ExpSystemResourcesList
		jnz	short loc_537E1D
		mov	dword ptr [esi], offset	_ExpSystemResourcesList
		mov	[esi+4], eax
		mov	[eax], esi
		test	ds:byte_70EFC6,	1
		mov	dword_6BBC84, esi
		jnz	loc_5F0564
		mov	ds:_ExpResourceSpinLock, 0

loc_537DE4:				; CODE XREF: ExInitializeResourceLite+B886Ej
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:41D8h
		test	dword ptr ds:byte_70EFC4, 20000h
		jnz	loc_5F0573

loc_537E03:				; CODE XREF: ExInitializeResourceLite+B8883j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	4
; 

loc_537E0C:				; CODE XREF: ExInitializeResourceLite+95j
		mov	dl, bl
		mov	ecx, edi
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+arg_0], eax
		jmp	loc_537D97
; 

loc_537E1D:				; CODE XREF: ExInitializeResourceLite+BAj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall SepReferenceLuidToIndexEntry(x)
_SepReferenceLuidToIndexEntry@4:	; CODE XREF: SepRefDerefLuidToIndexEntryIfNecessary(x,x)+12j
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+506p
		xor	eax, eax
		inc	eax
		lock xadd [ecx+0Ch], eax
		inc	eax
		cmp	eax, 1
		jle	short loc_537E33
		retn
; 

loc_537E33:				; CODE XREF: ExInitializeResourceLite+130j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		retn
ExInitializeResourceLite endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAssignSecurityEx2(x, x, x, x, x, x, x, x,	x, x)
_SeAssignSecurityEx2@40	proc near	; CODE XREF: ObpAssignSecurity+98p
					; ObpAssignSecurity+114p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_10]
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	eax, eax
		jz	short loc_537E57
		cmp	dword ptr [eax], 8
		jnz	short loc_537E8C

loc_537E57:				; CODE XREF: SeAssignSecurityEx2(x,x,x,x,x,x,x,x,x,x)+10j
		cmp	[ebp+arg_4], 0
		jnz	short loc_537E82
		xor	ecx, ecx
		xor	edx, edx

loc_537E61:				; CODE XREF: SeAssignSecurityEx2(x,x,x,x,x,x,x,x,x,x)+4Aj
		push	eax
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ecx
		push	edx
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, edi
		call	RtlpNewSecurityObject

loc_537E7C:				; CODE XREF: SeAssignSecurityEx2(x,x,x,x,x,x,x,x,x,x)+51j
		pop	edi
		pop	esi
		pop	ebp
		retn	20h
; 

loc_537E82:				; CODE XREF: SeAssignSecurityEx2(x,x,x,x,x,x,x,x,x,x)+1Bj
		mov	ecx, 1
		lea	edx, [ebp+arg_4]
		jmp	short loc_537E61
; 

loc_537E8C:				; CODE XREF: SeAssignSecurityEx2(x,x,x,x,x,x,x,x,x,x)+15j
		mov	eax, 0C000000Dh
		jmp	short loc_537E7C
_SeAssignSecurityEx2@40	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeComputeAutoInheritByObjectTypeEx proc	near
					; CODE XREF: SeComputeAutoInheritByObjectType(x,x,x)+19p
					; ObpAssignSecurity+43p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F0588 SIZE 00000088 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_10], edx
		push	edi
		mov	edi, [ebp+arg_8]
		mov	esi, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_1], bl
		test	edi, edi
		jz	short loc_537ED2
		cmp	dword ptr [edi], 8
		jnz	loc_538014
		mov	dword ptr [edi+4], 0FFFFFFFFh

loc_537ED2:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+20j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _SepMandatoryObjectTypePolicyLock
		call	ExAcquirePushLockSharedEx
		mov	edx, _SepMandatoryObjectTypePolicyCount
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_537F37
		mov	eax, offset _SepMandatoryObjectTypePolicy
		lea	ecx, [ecx+0]

loc_537F00:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+6Aj
		cmp	esi, [eax]
		jz	short loc_537F0E
		inc	ecx
		add	eax, 14h
		cmp	ecx, edx
		jb	short loc_537F00
		jmp	short loc_537F37
; 

loc_537F0E:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+62j
		lea	eax, [ecx+ecx*4]
		mov	ecx, dword_6BE784[eax*4]
		test	cl, 1
		jz	short loc_537F2E
		mov	edx, dword_6BE788[eax*4]
		mov	ebx, dword_6BE78C[eax*4]
		mov	[ebp+var_C], edx

loc_537F2E:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+7Bj
		test	cl, 2
		jnz	loc_5F0588

loc_537F37:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+56j
					; SeComputeAutoInheritByObjectTypeEx+6Cj ...
		xor	edx, edx
		mov	eax, 11h
		mov	esi, offset _SepMandatoryObjectTypePolicyLock
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	loc_538008

loc_537F50:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+16Fj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_C]
		mov	esi, [ebp+var_10]
		test	ecx, ecx
		jz	short loc_537F6A
		test	esi, esi
		jnz	short loc_537F8B

loc_537F6A:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+C4j
					; SeComputeAutoInheritByObjectTypeEx+F3j ...
		cmp	[ebp+var_1], 0
		jnz	loc_5F05A5

loc_537F74:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+B874Bj
					; SeComputeAutoInheritByObjectTypeEx+B8759j ...
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_537FD4

loc_537F7B:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+146j
					; SeComputeAutoInheritByObjectTypeEx+151j ...
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	esi
		mov	[eax], ebx
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_537F8B:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+C8j
		movzx	eax, word ptr [esi+2]
		mov	edx, eax
		test	al, 10h
		jz	short loc_537F6A
		mov	eax, [esi+0Ch]
		test	dx, dx
		jns	short loc_537FA3
		test	eax, eax
		jz	short loc_537F6A
		add	eax, esi

loc_537FA3:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+FBj
		test	eax, eax
		jz	short loc_537F6A
		lea	edx, [eax+8]
		movzx	eax, word ptr [eax+4]
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_537F6A
		xor	eax, eax

loc_537FB7:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+132j
		cmp	byte ptr [edx],	11h
		jz	loc_5F059B
		inc	eax
		mov	[ebp+arg_8], eax
		movzx	eax, word ptr [edx+2]
		add	edx, eax
		mov	eax, [ebp+arg_8]
		cmp	eax, [ebp+var_10]
		jnb	short loc_537F6A
		jmp	short loc_537FB7
; 

loc_537FD4:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+D9j
		test	esi, esi
		jz	short loc_537FF8
		test	byte ptr [esi+2], 4
		jz	short loc_537FF8

loc_537FDE:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+161j
					; SeComputeAutoInheritByObjectTypeEx+166j
		test	esi, esi
		jz	short loc_537FE8
		test	byte ptr [esi+2], 10h
		jnz	short loc_537F7B

loc_537FE8:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+140j
		mov	ecx, 800h
		test	[eax+2], cx
		jz	short loc_537F7B
		or	ebx, 2
		jmp	short loc_537F7B
; 

loc_537FF8:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+136j
					; SeComputeAutoInheritByObjectTypeEx+13Cj
		mov	ecx, 400h
		test	[eax+2], cx
		jz	short loc_537FDE
		or	ebx, 1
		jmp	short loc_537FDE
; 

loc_538008:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+AAj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_537F50
; 

loc_538014:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+25j
		pop	edi
		pop	esi
		mov	eax, 0C000000Dh
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
SeComputeAutoInheritByObjectTypeEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAccessCheck(x, x,	x, x, x, x, x, x)
_NtAccessCheck@32 proc near		; DATA XREF: .text:_KiServiceTableo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	eax
		push	[ebp+arg_1C]
		xor	edx, edx
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	eax
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_SeAccessCheckByType@48	; SeAccessCheckByType(x,x,x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	20h
_NtAccessCheck@32 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAccessCheckByType(x, x, x, x, x, x, x, x,	x, x, x, x)
_SeAccessCheckByType@48	proc near	; CODE XREF: NtAccessCheckByType(x,x,x,x,x,x,x,x,x,x,x)+28p
					; NtAccessCheck(x,x,x,x,x,x,x,x)+24p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A62C8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	edi, edx
		mov	[ebp+var_24], edi
		mov	ebx, ecx
		mov	[ebp+var_28], ebx
		xor	esi, esi
		mov	[ebp+var_1C], esi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_4], esi
		test	al, al
		mov	eax, [ebp+arg_18]
		jnz	short loc_5380B8
		mov	ecx, [eax]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_5380FE
; 

loc_5380B8:				; CODE XREF: SeAccessCheckByType(x,x,x,x,x,x,x,x,x,x,x,x)+58j
		mov	edx, eax
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_5380C6
		mov	edx, ecx

loc_5380C6:				; CODE XREF: SeAccessCheckByType(x,x,x,x,x,x,x,x,x,x,x,x)+72j
		nop
		mov	ecx, [edx]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_5380FE
; 

loc_5380D5:				; DATA XREF: .text:006A62DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		mov	eax, 1
		retn
; 

loc_5380E5:				; DATA XREF: .text:006A62E0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp+20h]
		mov	edi, [ebp-24h]
		mov	ebx, [ebp-28h]
		mov	ecx, [ebp-1Ch]

loc_5380FE:				; CODE XREF: SeAccessCheckByType(x,x,x,x,x,x,x,x,x,x,x,x)+66j
					; SeAccessCheckByType(x,x,x,x,x,x,x,x,x,x,x,x)+83j
		test	esi, esi
		jns	short loc_538118
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_538118:				; CODE XREF: SeAccessCheckByType(x,x,x,x,x,x,x,x,x,x,x,x)+B0j
		push	0
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	eax
		push	ecx
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, ebx
		call	SeAccessCheckByTypeWithAdminlessChecks
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
_SeAccessCheckByType@48	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeAccessCheckByTypeWithAdminlessChecks proc near
					; CODE XREF: SeAccessCheckByType(x,x,x,x,x,x,x,x,x,x,x,x)+EBp

var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= byte ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_71		= dword	ptr -71h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= byte ptr -54h
var_53		= byte ptr -53h
var_52		= byte ptr -52h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

; FUNCTION CHUNK AT 005F0610 SIZE 0000008B BYTES
; FUNCTION CHUNK AT 005F070E SIZE 00000073 BYTES
; FUNCTION CHUNK AT 005F07A5 SIZE 00000047 BYTES
; FUNCTION CHUNK AT 005F081E SIZE 0000004B BYTES
; FUNCTION CHUNK AT 005F08D9 SIZE 0000009A BYTES
; FUNCTION CHUNK AT 005F09B2 SIZE 0000014B BYTES
; FUNCTION CHUNK AT 005F0B10 SIZE 00000451 BYTES
; FUNCTION CHUNK AT 005F0F74 SIZE 0000021A BYTES
; FUNCTION CHUNK AT 005F11D3 SIZE 00000072 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A62E8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 164h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	eax, edx
		mov	[ebp+var_B8], eax
		mov	edi, ecx
		mov	[ebp+var_78], edi
		mov	[ebp+var_104], edi
		mov	[ebp+var_108], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_84], eax
		mov	[ebp+var_10C], eax
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_98], edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_64], eax
		mov	[ebp+var_D4], eax
		mov	[ebp+var_B0], eax
		mov	ebx, [ebp+arg_10]
		mov	esi, [ebp+arg_14]
		mov	[ebp+var_A8], esi
		mov	edi, [ebp+arg_1C]
		mov	[ebp+var_90], edi
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_140], eax
		mov	ecx, [ebp+arg_24]
		mov	[ebp+var_88], ecx
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_12C], 0
		xor	edx, edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_130], edx
		mov	[ebp+var_138], edx
		xor	eax, eax
		mov	[ebp+var_71+1],	eax
		mov	[ebp+var_13C], eax
		mov	[ebp+var_BC], eax
		mov	[ebp+var_134], eax
		mov	[ebp+var_6C], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_C8], eax
		mov	[ebp+var_80], eax
		mov	[ebp+var_94], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_D8], eax
		mov	[ebp+var_9C], eax
		mov	[ebp+var_F4], eax
		mov	[ebp+var_F0], eax
		mov	[ebp+var_EC], eax
		mov	[ebp+var_E8], eax
		mov	[ebp+var_15C], eax
		mov	[ebp+var_158], eax
		mov	[ebp+var_154], eax
		mov	[ebp+var_150], eax
		xor	dl, dl
		mov	[ebp+var_49], dl
		mov	[ebp+var_B4], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_C4], eax
		mov	[ebp+var_100], eax
		mov	[ebp+var_174], eax
		mov	[ebp+var_170], eax
		mov	[ebp+var_16C], eax
		mov	[ebp+var_168], eax
		mov	[ebp+var_164], eax
		mov	[ebp+var_CC], eax
		mov	[ebp+var_5D], al
		xor	al, al
		mov	[ebp+var_52], al
		mov	[ebp+var_DC], 0
		mov	[ebp+var_51], al
		mov	[ebp+var_E0], 0
		mov	byte ptr [ebp+var_71], al
		mov	[ebp+var_53], al
		mov	[ebp+var_54], al
		mov	[ebp+var_E4], 0
		mov	[ebp+var_FC], 0
		mov	[ebp+var_F8], 0
		mov	[ebp+var_8C], 0C0000022h
		mov	[ebp+var_A0], 0FFFFFFFFh
		mov	[ebp+var_FC], 0FFFFFFFFh
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_AC], al
		test	al, al
		jz	loc_5F0610
		mov	[ebp+var_4], 0
		mov	ecx, [ebp+arg_28]
		mov	[ebp+var_58], ecx
		test	cl, cl
		jnz	loc_5F0625
		mov	ecx, [ebp+var_88]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_5F067F

loc_538396:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8521j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+var_7C]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_5F0686

loc_5383AA:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8528j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_5383AE:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B851Aj
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_5F068D

loc_5383BD:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B852Fj
		mov	eax, [ecx]
		mov	[ecx], eax
		push	4
		mov	edi, [ebp+arg_18]
		push	edi
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		test	esi, esi
		jz	short loc_5383DC
		cmp	edi, 14h
		jb	short loc_5383DC
		mov	dword ptr [esi], 0

loc_5383DC:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+26Fj
					; SeAccessCheckByTypeWithAdminlessChecks+274j
		mov	ecx, ebx
		test	bl, 3
		jnz	loc_538C6B
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_5F0694

loc_5383F4:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8536j
		nop
		mov	al, [ecx]
		mov	eax, [ebx]
		mov	[ebp+var_2C], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_28], eax
		mov	eax, [ebx+8]
		mov	[ebp+var_24], eax
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_6C]

loc_538411:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B84D4j
					; SeAccessCheckByTypeWithAdminlessChecks+B84EFj
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ebx, [ebp+var_84]

loc_53841E:				; CODE XREF: sub_5F06AE+5Bj
		test	eax, eax
		js	loc_5388B4
		mov	esi, [ebp+arg_4]
		test	esi, 0F0000000h
		jnz	loc_5F070E
		lea	eax, [ebp+var_E4]
		push	eax
		lea	eax, [ebp+var_71]
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	dword ptr [ebp+var_AC]
		mov	edx, 8
		mov	ecx, ebx
		call	SepReferenceTokenByHandle
		mov	edi, eax
		test	edi, edi
		js	loc_538C1E
		cmp	ebx, 0FFFFFFFBh
		jz	loc_538A90
		cmp	ebx, 0FFFFFFFCh
		jz	loc_538A90
		cmp	ebx, 0FFFFFFFAh
		jz	loc_538A90
		mov	ebx, [ebp+var_5C]
		cmp	dword ptr [ebx+0A8h], 2
		jnz	loc_538C14
		cmp	dword ptr [ebx+0ACh], 1
		jl	loc_5F071B

loc_538498:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+933j
		lea	eax, [ebp+var_D8]
		push	eax
		push	dword ptr [ebp+var_AC]
		mov	edx, [ebp+var_64]
		mov	ecx, [ebp+var_98]
		call	SeCaptureObjectTypeList
		mov	edi, eax
		test	edi, edi
		js	loc_538803
		lea	eax, [ebp+var_68]
		push	eax		; int
		push	0		; int
		push	1		; int
		push	dword ptr [ebp+var_AC] ; char
		push	[ebp+var_78]	; size_t
		call	SeCaptureSecurityDescriptor
		mov	edi, eax
		test	edi, edi
		js	loc_538803
		cmp	[ebp+var_68], 0
		jz	loc_538C25
		mov	eax, [ebp+var_68]
		movzx	edx, word ptr [eax+2]
		test	dx, dx
		jns	loc_5F0725
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	loc_538C25
		add	eax, ecx

loc_538504:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B85CBj
		test	eax, eax
		jz	loc_538C25
		mov	eax, [ebp+var_68]
		test	dx, dx
		jns	loc_5F0730
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	loc_538C25
		add	eax, ecx

loc_538525:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B85D3j
		test	eax, eax
		jz	loc_538C25
		cmp	byte ptr [ebp+var_71], 0
		jnz	loc_538C09
		mov	eax, [ebx+280h]

loc_53853D:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+AAFj
		lea	ecx, [ebp+var_A0]
		push	ecx
		push	1
		push	eax
		push	ebx
		push	0
		mov	edx, [ebp+var_68]
		call	SepTrustLevelCheck
		mov	edi, eax
		test	edi, edi
		js	loc_538803
		mov	edx, esi
		lea	ecx, [ebp+var_A0]
		call	_SepFilterToDiscretionary@8 ; SepFilterToDiscretionary(x,x)
		test	eax, eax
		js	loc_5F0738
		lea	eax, [ebp+var_FC]
		push	eax
		push	1
		push	ebx
		lea	edx, [ebp+var_B4]
		mov	ecx, [ebp+var_68]
		call	SepFilterCheck
		mov	edi, eax
		test	edi, edi
		js	loc_538803
		mov	edx, esi
		lea	ecx, [ebp+var_FC]
		call	_SepFilterToDiscretionary@8 ; SepFilterToDiscretionary(x,x)
		test	eax, eax
		js	loc_5F073E

loc_5385A8:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B85E4j
		lea	eax, [ebp+var_15C]
		push	eax
		push	[ebp+arg_2C]
		push	1
		push	ebx
		push	0
		mov	edx, [ebp+var_68]
		lea	ecx, [ebp+var_2C]
		call	SepMandatoryIntegrityCheck
		mov	edi, eax
		test	edi, edi
		js	loc_538803
		mov	[ebp+var_49], 0
		mov	edx, esi
		lea	ecx, [ebp+var_15C]
		call	_SepMandatoryToDiscretionary@8 ; SepMandatoryToDiscretionary(x,x)
		test	eax, eax
		js	loc_538901
		test	esi, 2000000h
		jnz	loc_538901

loc_5385F1:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+7ABj
					; SeAccessCheckByTypeWithAdminlessChecks+7BBj
		mov	cl, [ebp+var_49]

loc_5385F4:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+7C6j
		test	eax, eax
		js	loc_538AEB

loc_5385FC:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+98Dj
		push	dword ptr [ebp+var_AC]
		lea	eax, [ebp+var_9C]
		push	eax
		push	ebx
		push	0
		lea	edx, [ebp+var_80]
		lea	ecx, [ebp+arg_4]
		call	SePrivilegePolicyCheck
		mov	esi, [ebp+arg_4]
		mov	cl, [ebp+var_49]
		test	esi, esi
		jz	loc_5F0752

loc_538625:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+993j
					; SeAccessCheckByTypeWithAdminlessChecks+B85EDj ...
		test	eax, eax
		js	loc_538C2F

loc_53862D:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+AD1j
		mov	edi, [ebp+var_9C]
		test	edi, edi
		jnz	loc_5F07A5
		cmp	[ebp+arg_18], 14h
		jb	loc_538BE2
		mov	[ebp+var_4], 5
		mov	eax, [ebp+var_A8]
		mov	[eax], edi
		mov	[eax+4], edi
		mov	[ebp+var_4], 0FFFFFFFEh

loc_53865E:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8704j
		mov	eax, [ebp+var_B8]
		test	eax, eax
		jnz	loc_538A98

loc_53866C:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+955j
		lea	eax, [ebp+var_F4]
		push	eax
		call	SeCaptureSubjectContext
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	edi, [ebx+30h]
		mov	[ebp+var_A8], edi
		push	1
		mov	eax, [edi]
		push	eax
		call	ExAcquireResourceSharedLite
		push	[ebp+arg_2C]
		push	ecx
		mov	edx, [ebp+var_68]
		mov	ecx, ebx
		call	SepTokenIsOwner
		mov	byte ptr [ebp+var_90], al
		cmp	_SepAllowAccessUponLogoff, 0
		jz	loc_5F08E8

loc_5386B1:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B878Fj
					; SeAccessCheckByTypeWithAdminlessChecks+B879Dj ...
		cmp	_SepRmEnforceCap, 0
		jnz	loc_5F09B2

loc_5386BE:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B88E7j
		mov	ecx, [ebp+var_68]

loc_5386C1:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8859j
					; SeAccessCheckByTypeWithAdminlessChecks+B8882j ...
		mov	esi, [ebp+arg_4]
		test	esi, 2060000h
		jnz	loc_53892B

loc_5386D0:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+7CDj
					; SeAccessCheckByTypeWithAdminlessChecks+7FFj ...
		test	esi, esi
		jz	loc_538B62

loc_5386D8:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8906j
		mov	ebx, [ebp+var_5C]

loc_5386DB:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8918j
		mov	eax, [ebp+var_B0]
		shl	eax, 3
		cmp	byte ptr [ebp+var_58], 0
		jnz	loc_5F0B10
		lea	ecx, [ebp+var_12C]
		mov	[ebp+var_50], ecx
		lea	edi, [ebp+var_130]
		mov	eax, [ebp+var_D4]
		shl	eax, 2

loc_538706:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B89F1j
		mov	[ebp+var_B8], eax
		mov	[ebp+var_78], edi
		mov	eax, [ebp+var_94]
		mov	[ebp+var_48], eax
		push	[ebp+arg_2C]
		push	0
		push	0
		lea	eax, [ebp+var_B4]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_90]
		push	[ebp+var_58]
		push	edi
		push	0
		push	ecx
		push	dword ptr [ebp+var_AC]
		push	[ebp+var_80]
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+var_64]
		push	[ebp+var_D8]
		push	esi
		push	ebx
		push	[ebp+var_EC]
		mov	edx, [ebp+var_C8]
		mov	ecx, [ebp+var_68]
		call	SepAccessCheck
		cmp	_SepRmEnforceCap, 0
		jnz	loc_5F0B56

loc_538770:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8A00j
					; SeAccessCheckByTypeWithAdminlessChecks+B8A0Aj
		mov	esi, [ebp+arg_4]
		mov	ebx, [ebp+var_5C]

loc_538776:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8DC7j
		mov	ecx, [ebp+var_A8]
		mov	ecx, [ecx]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		lea	eax, [ebp+var_F4]
		push	eax
		call	SeReleaseSubjectContext
		mov	edi, esi
		and	edi, 2000000h
		jnz	loc_538994
		cmp	[ebp+var_49], 0
		jnz	loc_538AF8

loc_5387AC:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+976j
					; SeAccessCheckByTypeWithAdminlessChecks+980j ...
		mov	ebx, [ebp+var_78]

loc_5387AF:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+861j
		test	edi, edi
		jnz	loc_5389C6

loc_5387B7:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+8A4j
					; SeAccessCheckByTypeWithAdminlessChecks+B8F9Ej
		mov	edx, [ebp+var_50]

loc_5387BA:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8EEAj
					; SeAccessCheckByTypeWithAdminlessChecks+B8F10j ...
		mov	[ebp+var_4], 9
		mov	eax, [ebx]
		mov	esi, [ebp+var_88]
		mov	[esi], eax
		mov	eax, [edx]
		mov	edi, [ebp+var_7C]
		mov	[edi], eax
		mov	eax, [ebx]
		mov	[ebp+var_8C], eax
		cmp	_SepRmEnforceCap, 0
		jnz	loc_5F1103

loc_5387E7:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8FA7j
					; SeAccessCheckByTypeWithAdminlessChecks+B8FB0j ...
		cmp	byte ptr [ebp+var_58], 0
		jnz	loc_5F1134

loc_5387F1:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8FE2j
		xor	edi, edi
		mov	[ebp+var_6C], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [ebp+arg_4]
		mov	ebx, [ebp+var_5C]

loc_538803:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+357j
					; SeAccessCheckByTypeWithAdminlessChecks+377j ...
		cmp	[ebp+var_68], 0
		jz	short loc_538849
		test	ebx, ebx
		jz	short loc_538849
		cmp	[ebp+var_53], 0
		jnz	loc_538A2A
		cmp	[ebp+var_54], 0
		jnz	loc_538A2A
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jnz	short loc_538838
		test	dword ptr [ebx+0B0h], 4000h
		jnz	loc_538A0F

loc_538838:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+6C6j
					; SeAccessCheckByTypeWithAdminlessChecks+8C4j ...
		test	edi, edi
		js	short loc_538849
		cmp	[ebp+var_8C], 0
		jl	loc_5388D2

loc_538849:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+6A7j
					; SeAccessCheckByTypeWithAdminlessChecks+6ABj ...
		cmp	byte ptr [ebp+var_58], 0
		jnz	loc_5F11F4

loc_538853:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B90A8j
					; SeAccessCheckByTypeWithAdminlessChecks+B90B6j
		test	ebx, ebx
		jz	short loc_53885E
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_53885E:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+6F5j
		mov	eax, [ebp+var_D8]
		test	eax, eax
		jnz	loc_5F121B

loc_53886C:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B90C3j
		mov	ecx, [ebp+var_C8]
		test	ecx, ecx
		jnz	loc_538AC0

loc_53887A:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+96Dj
		mov	eax, [ebp+var_68]
		test	eax, eax
		jz	short loc_53888F
		push	0
		push	dword ptr [ebp+var_AC]
		push	eax
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)

loc_53888F:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+71Fj
		cmp	[ebp+var_5D], 0
		jnz	loc_5F1228

loc_538899:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B90D3j
		mov	eax, [ebp+var_E0]
		test	eax, eax
		jnz	loc_5F1238

loc_5388A7:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B90E0j
		mov	ecx, [ebp+var_B4]
		call	_SepFreeResourceInfo@4 ; SepFreeResourceInfo(x)
		mov	eax, edi

loc_5388B4:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+2C0j
					; SeAccessCheckByTypeWithAdminlessChecks+B84C0j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	30h
; 

loc_5388D2:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+6E3j
		test	eax, eax
		jnz	loc_538849
		test	dword ptr [ebx+0B0h], 4000h
		jz	loc_538849
		mov	edx, esi
		lea	ecx, [ebp+var_48]
		call	SepLpacCausedAccessFailure
		test	al, al
		jz	loc_538849
		jmp	loc_5F11EA
; 

loc_538901:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+47Fj
					; SeAccessCheckByTypeWithAdminlessChecks+48Bj
		test	dword ptr [ebx+0B0h], 4000h
		jz	loc_5385F1
		cmp	[ebp+var_150], 2000h
		ja	loc_5385F1
		mov	cl, 1
		mov	[ebp+var_49], cl
		jmp	loc_5385F4
; 

loc_53892B:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+56Aj
		test	al, al
		jz	loc_5386D0
		movzx	eax, word ptr [ecx+2]
		test	al, 4
		jz	loc_5F0A4C
		test	ax, ax
		jns	loc_5F0A5A
		mov	eax, [ecx+10h]
		test	eax, eax
		jz	loc_5F0A53
		lea	edx, [eax+ecx]

loc_538956:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B88EEj
					; SeAccessCheckByTypeWithAdminlessChecks+B88F5j ...
		xor	cl, cl
		call	RtlpOwnerAcesPresent
		test	al, al
		jnz	loc_5386D0
		test	esi, 2000000h
		jz	loc_538B4D
		mov	[ebp+var_94], 60000h
		mov	eax, [ebp+var_80]
		or	eax, 60000h

loc_538983:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+9FDj
		mov	[ebp+var_80], eax
		and	esi, 0FFF9FFFFh
		mov	[ebp+arg_4], esi
		jmp	loc_5386D0
; 

loc_538994:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+63Cj
		cmp	[ebp+var_49], 0
		jnz	loc_538AD2

loc_53899E:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+986j
		cmp	byte ptr [ebp+var_58], 0
		jnz	loc_5F0F2C
		xor	eax, eax

loc_5389AA:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8DCFj
		push	eax
		push	0
		mov	ebx, [ebp+var_78]
		push	ebx
		push	[ebp+var_50]
		mov	edx, esi
		lea	ecx, [ebp+var_15C]
		call	SepConstrainByMandatory
		jmp	loc_5387AF
; 

loc_5389C6:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+651j
		mov	eax, [ebp+var_64]
		cmp	byte ptr [ebp+var_58], 0
		jnz	loc_5F0F74
		xor	edx, edx

loc_5389D5:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8E16j
		mov	ecx, [ebp+var_A0]
		mov	[ebp+var_53], 0
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_5F0F7B

loc_5389E8:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8ED1j
		mov	edi, [ebp+var_50]

loc_5389EB:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8E2Dj
					; SeAccessCheckByTypeWithAdminlessChecks+B8E4Bj
		cmp	byte ptr [ebp+var_58], 0
		jnz	loc_5F1036
		xor	edx, edx

loc_5389F7:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8ED8j
		mov	ecx, [ebp+var_FC]
		mov	[ebp+var_54], 0
		cmp	ecx, 0FFFFFFFFh
		jz	loc_5387B7
		jmp	loc_5F103D
; 

loc_538A0F:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+6D2j
		test	edi, edi
		js	loc_538849
		cmp	[ebp+var_8C], 0
		jl	short loc_538A2A
		cmp	byte ptr [ebp+var_34+3], 0
		jz	loc_538838

loc_538A2A:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+6B1j
					; SeAccessCheckByTypeWithAdminlessChecks+6BBj ...
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	eax, [ebx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		cmp	[ebp+var_8C], 0
		jge	loc_5F11D3
		mov	byte ptr [ebp+var_84], 0

loc_538A4E:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B907Aj
		cmp	byte ptr [ebp+var_71], 0
		jnz	loc_5F11DF
		mov	ecx, [ebx+280h]

loc_538A5E:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B9085j
		push	0
		push	[ebp+var_84]
		mov	eax, [ebp+var_80]
		or	eax, esi
		push	eax
		push	[ebp+var_68]
		push	ecx
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	SeLogAccessFailure
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_3C]
		jmp	loc_538838
; 

loc_538A90:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+303j
					; SeAccessCheckByTypeWithAdminlessChecks+30Cj ...
		mov	ebx, [ebp+var_5C]
		jmp	loc_538498
; 

loc_538A98:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+506j
		lea	ecx, [ebp+var_C8]
		push	ecx
		push	1
		sub	esp, 0Ch
		mov	dl, [ebp+var_AC]
		mov	ecx, eax
		call	SeCaptureSid
		mov	edi, eax
		test	edi, edi
		jns	loc_53866C
		jmp	loc_5F08D9
; 

loc_538AC0:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+714j
		push	1
		mov	dl, [ebp+var_AC]
		call	_SeReleaseSid@12 ; SeReleaseSid(x,x,x)
		jmp	loc_53887A
; 

loc_538AD2:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+838j
		cmp	byte ptr [ebp+var_34+1], 0
		jnz	loc_5387AC
		cmp	byte ptr [ebp+var_34+2], 0
		jnz	loc_5387AC
		jmp	loc_53899E
; 

loc_538AEB:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+496j
		test	cl, cl
		jnz	loc_5385FC
		jmp	loc_538625
; 

loc_538AF8:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+646j
		cmp	byte ptr [ebp+var_34+2], 0
		jnz	loc_5387AC
		cmp	byte ptr [ebp+var_34+1], 0
		jnz	loc_5387AC
		mov	[ebp+var_4], 8
		cmp	byte ptr [ebp+var_58], 0
		jnz	loc_5F0F34
		mov	eax, [ebp+var_88]
		mov	dword ptr [eax], 0C0000022h
		mov	eax, [ebp+var_7C]
		mov	dword ptr [eax], 0

loc_538B32:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8DEAj
		mov	[ebp+var_8C], 0C0000022h
		xor	edi, edi
		mov	[ebp+var_6C], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_538803
; 

loc_538B4D:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+80Bj
		mov	eax, esi
		and	eax, 60000h
		mov	[ebp+var_94], eax
		or	eax, [ebp+var_80]
		jmp	loc_538983
; 

loc_538B62:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+572j
		cmp	[ebp+var_5D], 0
		jnz	loc_5F0A62

loc_538B6C:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B890Cj
		mov	ebx, [ebp+var_5C]
		test	dword ptr [ebx+0B0h], 2000h
		jz	loc_5F0A71

loc_538B7F:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B891Ej
		mov	[ebp+var_4], 7
		cmp	byte ptr [ebp+var_58], 0
		jnz	loc_5F0A83
		mov	eax, [ebp+var_88]
		cmp	[ebp+var_80], 0
		jz	loc_5F0ADF
		mov	dword ptr [eax], 0
		mov	[ebp+var_8C], 0
		mov	eax, [ebp+var_80]
		mov	edi, [ebp+var_7C]
		mov	[edi], eax

loc_538BB8:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B893Cj
					; SeAccessCheckByTypeWithAdminlessChecks+B8998j
		xor	edi, edi
		mov	[ebp+var_6C], edi
		mov	[ebp+var_4], 0FFFFFFFEh

loc_538BC4:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B880Ej
					; sub_5F0986+27j
		mov	ecx, [ebx+30h]

loc_538BC7:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8DB8j
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		lea	eax, [ebp+var_F4]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_538803
; 

loc_538BE2:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+4DFj
		mov	[ebp+var_4], 4
		mov	ecx, [ebp+var_90]
		mov	dword ptr [ecx], 14h
		mov	edi, 0C0000023h
		mov	[ebp+var_6C], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_538803
; 

loc_538C09:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+3D1j
		mov	eax, [ebp+var_E4]
		jmp	loc_53853D
; 

loc_538C14:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+325j
		mov	edi, 0C000005Ch
		jmp	loc_538803
; 

loc_538C1E:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+2FAj
		xor	ebx, ebx
		jmp	loc_538803
; 

loc_538C25:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+381j
					; SeAccessCheckByTypeWithAdminlessChecks+39Cj ...
		mov	edi, 0C0000079h
		jmp	loc_538803
; 

loc_538C2F:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+4C7j
		test	cl, cl
		jnz	loc_53862D
		mov	[ebp+var_4], 1
		mov	edx, [ebp+var_88]
		mov	edi, [ebp+var_7C]
		cmp	byte ptr [ebp+var_58], cl
		jnz	short loc_538C70
		mov	[edx], eax
		mov	dword ptr [edi], 0

loc_538C54:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B860Ej
		mov	[ebp+var_8C], eax
		xor	edi, edi
		mov	[ebp+var_6C], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_538803
; 

loc_538C6B:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+281j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_538C70:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+AEAj
		xor	ecx, ecx
		jmp	loc_5F0765
SeAccessCheckByTypeWithAdminlessChecks endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SepFreeResourceInfo(x)
_SepFreeResourceInfo@4 proc near	; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+74Dp
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+8F6p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jnz	short loc_538C83
		pop	esi
		retn
; 

loc_538C83:				; CODE XREF: SepFreeResourceInfo(x)+7j
		call	AuthzBasepFreeSecurityAttributesList
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
_SepFreeResourceInfo@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeCaptureObjectTypeList	proc near	; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+34Ep
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+4A0p

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F1245 SIZE 000001B5 BYTES
; FUNCTION CHUNK AT 005F1425 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A63F8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	eax, edx
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], ecx
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_60], esi
		xor	edi, edi
		mov	[ebp+var_34], edi
		xor	ebx, ebx
		mov	[ebp+var_38], ebx
		mov	[esi], ebx
		cmp	[ebp+arg_0], 1
		jnz	short loc_538D34
		mov	[ebp+var_4], ebx
		test	eax, eax
		jnz	loc_5F1245

loc_538D03:				; CODE XREF: SeCaptureObjectTypeList+B8629j
					; SeCaptureObjectTypeList+B86D2j ...
		mov	[ebp+var_4], 0FFFFFFFEh

loc_538D0A:				; CODE XREF: sub_5F140A+16j
		test	edi, edi
		js	loc_5F1425
		mov	[esi], ebx

loc_538D14:				; CODE XREF: SeCaptureObjectTypeList+B8787j
					; SeCaptureObjectTypeList+B8795j
		mov	eax, edi

loc_538D16:				; CODE XREF: SeCaptureObjectTypeList+99j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_538D34:				; CODE XREF: SeCaptureObjectTypeList+56j
		mov	eax, 0C0000002h
		jmp	short loc_538D16
SeCaptureObjectTypeList	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SepMandatoryToDiscretionary(x, x)
_SepMandatoryToDiscretionary@8 proc near
					; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+478p
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+552p ...
		and	edx, 0FDFFFFFFh
		cmp	dword ptr [ecx+8], 0
		jz	short loc_538D50
		mov	eax, [ecx]
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_538D53

loc_538D50:				; CODE XREF: SepMandatoryToDiscretionary(x,x)+Aj
		xor	eax, eax
		retn
; 

loc_538D53:				; CODE XREF: SepMandatoryToDiscretionary(x,x)+12j
		mov	eax, 0C0000022h
		retn
_SepMandatoryToDiscretionary@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall SepFilterToDiscretionary(x,	x)
_SepFilterToDiscretionary@8 proc near	; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+404p
					; SeAccessCheckByTypeWithAdminlessChecks+43Bp ...
		mov	eax, [ecx]
		and	edx, 0FDFFFFFFh
		and	eax, edx
		sub	eax, edx
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000022h
		retn
_SepFilterToDiscretionary@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepTrustLevelCheck proc	near		; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+3EDp
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+2B4p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= dword	ptr -2
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005F143A SIZE 00000108 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	byte ptr [ebp+var_2], 0
		xor	esi, esi
		mov	byte ptr [ebp+var_2+1],	0
		mov	[ebp+var_3], 0
		movzx	ebx, word ptr [edi+2]
		mov	eax, ebx
		and	eax, 10h

loc_538D94:				; CODE XREF: SepTrustLevelCheck+2Ej
		test	ax, ax
		jnz	short loc_538DB4

loc_538D99:				; CODE XREF: SepTrustLevelCheck+5Aj
					; SepTrustLevelCheck+72j ...
		xor	edx, edx

loc_538D9B:				; CODE XREF: SepTrustLevelCheck+B86D0j
		inc	esi
		test	edx, edx
		jnz	short loc_538D94

loc_538DA0:				; CODE XREF: SepTrustLevelCheck+B86D8j
					; SepTrustLevelCheck+B86ECj
		mov	ecx, [ebp+arg_10]
		xor	eax, eax
		mov	dword ptr [ecx], 0FFFFFFFFh

loc_538DAB:				; CODE XREF: SepTrustLevelCheck+B87BEj
					; SepTrustLevelCheck+B87CDj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_538DB4:				; CODE XREF: SepTrustLevelCheck+27j
		mov	edx, [edi+0Ch]
		test	bx, bx
		jns	short loc_538DC5
		lea	ecx, [edx+edi]
		neg	edx
		sbb	edx, edx
		and	edx, ecx

loc_538DC5:				; CODE XREF: SepTrustLevelCheck+4Aj
		mov	[ebp+var_C], edx
		test	edx, edx
		jz	short loc_538D99
		mov	ecx, [ebp+var_C]
		add	edx, 8
		mov	[ebp+var_8], 0
		movzx	ecx, word ptr [ecx+4]
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	short loc_538D99
		mov	ecx, [ebp+var_8]

loc_538DE7:				; CODE XREF: SepTrustLevelCheck+96j
		cmp	ecx, esi
		jb	short loc_538DF4
		cmp	byte ptr [edx],	14h
		jz	loc_5F143A

loc_538DF4:				; CODE XREF: SepTrustLevelCheck+79j
		inc	ecx
		mov	[ebp+var_8], ecx
		movzx	ecx, word ptr [edx+2]
		add	edx, ecx
		mov	ecx, [ebp+var_8]
		cmp	ecx, [ebp+var_C]
		jnb	short loc_538D99
		jmp	short loc_538DE7
SepTrustLevelCheck endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SePrivilegePolicyCheck proc near	; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+4B2p
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+5ABp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_13		= byte ptr -13h
var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005F1542 SIZE 000000CA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_18], edx
		mov	ecx, [ebp+arg_8]
		xor	esi, esi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_12], 0
		mov	[ebp+var_11], 0
		mov	[ebp+var_13], 0
		test	eax, eax
		jnz	short loc_538E7E

loc_538E48:				; CODE XREF: SePrivilegePolicyCheck+72j
					; SePrivilegePolicyCheck+B8735j
		mov	eax, [edi]
		test	eax, 1000000h
		jnz	loc_5F154A

loc_538E55:				; CODE XREF: SePrivilegePolicyCheck+B8786j
		test	eax, 80000h
		jnz	short loc_538E89

loc_538E5C:				; CODE XREF: SePrivilegePolicyCheck+CFj
		mov	bl, [ebp+var_11]
		mov	bh, bl

loc_538E61:				; CODE XREF: SePrivilegePolicyCheck+EFj
					; SePrivilegePolicyCheck+B87A0j
		test	esi, esi
		jnz	loc_538F04

loc_538E69:				; CODE XREF: SePrivilegePolicyCheck+153j
					; SePrivilegePolicyCheck+B87F7j
		xor	eax, eax

loc_538E6B:				; CODE XREF: SePrivilegePolicyCheck+B8767j
					; SePrivilegePolicyCheck+B87AAj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_538E7E:				; CODE XREF: SePrivilegePolicyCheck+36j
		mov	ebx, [eax]
		test	ebx, ebx
		jnz	short loc_538E48
		jmp	loc_5F1542
; 

loc_538E89:				; CODE XREF: SePrivilegePolicyCheck+4Aj
		push	[ebp+arg_C]
		mov	eax, ds:_SeTakeOwnershipPrivilege
		lea	edx, [ebp+var_10]
		push	1
		mov	[ebp+var_10], eax
		mov	ecx, ebx
		mov	eax, ds:dword_A94CBC
		push	1
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], 0
		call	_SepPrivilegeCheck@20 ;	SepPrivilegeCheck(x,x,x,x,x)
		test	al, al
		jnz	short loc_538EEA
		push	[ebp+arg_C]
		mov	eax, ds:_SeRelabelPrivilege
		lea	edx, [ebp+var_10]
		push	1
		mov	[ebp+var_10], eax
		mov	ecx, ebx
		mov	eax, ds:dword_A94A4C
		push	1
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], 0
		call	_SepPrivilegeCheck@20 ;	SepPrivilegeCheck(x,x,x,x,x)
		test	al, al
		jz	loc_538E5C
		jmp	loc_5F159B
; 

loc_538EEA:				; CODE XREF: SePrivilegePolicyCheck+A3j
		mov	eax, [ebp+var_18]
		inc	esi
		and	dword ptr [edi], 0FFF7FFFFh
		mov	bh, 1
		mov	bl, [ebp+var_11]
		or	dword ptr [eax], 80000h
		jmp	loc_538E61
; 

loc_538F04:				; CODE XREF: SePrivilegePolicyCheck+53j
		push	72506553h
		lea	eax, [esi+esi*2]
		lea	eax, ds:8[eax*4]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, [ebp+var_1C]
		mov	[edi], eax
		test	eax, eax
		jz	loc_5F15B5
		mov	[eax], esi
		mov	eax, [edi]
		mov	dword ptr [eax+4], 0
		test	bh, bh
		jz	short loc_538F6E
		mov	ecx, [edi]
		mov	esi, 1
		mov	eax, ds:_SeTakeOwnershipPrivilege
		mov	[ecx+8], eax
		mov	eax, ds:dword_A94CBC
		mov	[ecx+0Ch], eax
		mov	eax, [edi]
		mov	dword ptr [eax+10h], 80000000h

loc_538F57:				; CODE XREF: SePrivilegePolicyCheck+160j
		cmp	[ebp+var_13], 0
		jnz	loc_5F15BF

loc_538F61:				; CODE XREF: SePrivilegePolicyCheck+B87D1j
		test	bl, bl
		jz	loc_538E69
		jmp	loc_5F15E6
; 

loc_538F6E:				; CODE XREF: SePrivilegePolicyCheck+125j
		xor	esi, esi
		jmp	short loc_538F57
SePrivilegePolicyCheck endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepTokenIsOwner	proc near		; CODE XREF: SeComputeCreatorDeniedRights(x,x,x,x)+F4p
					; SeAccessCheckByTypeWithAdminlessChecks+539p ...

arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005F160C SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	word ptr [edx+2], 0
		push	ebx
		push	esi
		mov	esi, [edx+4]
		mov	ebx, ecx
		push	edi
		jge	short loc_538F9E
		lea	eax, [esi+edx]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_538F9E:				; CODE XREF: SepTokenIsOwner+13j
		cmp	[ebp+arg_4], 0
		lea	edi, [ebx+0CCh]
		jnz	loc_5F160C

loc_538FAE:				; CODE XREF: SepTokenIsOwner+B868Ej
					; SepTokenIsOwner+B86A8j
		push	esi		; void *
		push	edi		; int
		call	_RtlSidHashLookup@8 ; RtlSidHashLookup(x,x)
		test	eax, eax
		jz	short loc_538FC4
		cmp	eax, [edi+4]
		jz	short loc_538FCE

loc_538FBE:				; CODE XREF: SepTokenIsOwner+52j
		test	byte ptr [eax+4], 4
		jnz	short loc_538FD4

loc_538FC4:				; CODE XREF: SepTokenIsOwner+37j
					; SepTokenIsOwner+B86A2j
		xor	al, al
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_538FCE:				; CODE XREF: SepTokenIsOwner+3Cj
		test	byte ptr [eax+4], 10h
		jnz	short loc_538FBE

loc_538FD4:				; CODE XREF: SepTokenIsOwner+42j
		cmp	dword ptr [ebx+80h], 0
		jnz	short loc_538FE7
		mov	al, 1
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_538FE7:				; CODE XREF: SepTokenIsOwner+5Bj
		push	dword ptr [ebp+arg_4] ;	char
		lea	ecx, [ebx+154h]
		xor	edx, edx
		push	0		; char
		push	1		; char
		push	0		; char
		push	esi		; void *
		call	SepSidInTokenSidHash
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
SepTokenIsOwner	endp

; 
		align 10h
; Exported entry 2345. RtlSidHashLookup

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlSidHashLookup(int,void *)
		public _RtlSidHashLookup@8
_RtlSidHashLookup@8 proc near		; CODE XREF: SepSidInTokenSidHash+31p
					; SepTokenIsOwner+30p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		test	ebx, ebx
		jz	short loc_53906E
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_53906E
		movzx	eax, byte ptr [edx+1]
		mov	[ebp+var_1], 0
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_10], eax
		movzx	eax, word ptr [edx]
		mov	esi, eax
		shr	eax, 8
		mov	[ebp+var_8], esi
		movzx	ecx, byte ptr [edx+eax*4+4]
		mov	eax, ecx
		and	ecx, 0Fh
		shr	eax, 4
		mov	eax, [ebx+eax*4+48h]
		and	eax, [ebx+ecx*4+8]
		mov	[ebp+var_C], eax
		jnz	short loc_539080

loc_539060:				; CODE XREF: RtlSidHashLookup(x,x)+198j
		mov	eax, [ebx]
		mov	[ebp+arg_0], eax
		cmp	eax, 20h
		ja	loc_539134

loc_53906E:				; CODE XREF: RtlSidHashLookup(x,x)+10j
					; RtlSidHashLookup(x,x)+17j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 
		align 10h

loc_539080:				; CODE XREF: RtlSidHashLookup(x,x)+4Ej
					; RtlSidHashLookup(x,x)+192j
		mov	cl, al
		test	cl, cl
		jz	loc_539196
		movzx	eax, [ebp+var_1]
		mov	edi, [ebx+4]
		mov	[ebp+var_1C], edi
		mov	[ebp+var_20], eax
		jmp	short loc_5390A0
; 
		align 10h

loc_5390A0:				; CODE XREF: RtlSidHashLookup(x,x)+87j
					; RtlSidHashLookup(x,x)+17Dj
		movzx	ecx, cl
		mov	[ebp+var_14], ecx
		movzx	ebx, ds:_SidHashByteToIndexLookupTable[ecx]
		add	eax, ebx
		mov	[ebp+var_18], ebx
		mov	ebx, [ebp+arg_0]
		lea	edi, [edi+eax*8]
		mov	eax, [edi]
		cmp	[eax], si
		jnz	loc_53917F
		mov	esi, [ebp+var_10]
		sub	esi, 4
		jb	short loc_5390E1
		jmp	short loc_5390D0
; 
		align 10h

loc_5390D0:				; CODE XREF: RtlSidHashLookup(x,x)+BBj
					; RtlSidHashLookup(x,x)+CFj
		mov	ecx, [edx]
		cmp	ecx, [eax]
		jnz	short loc_5390E6
		add	edx, 4
		add	eax, 4
		sub	esi, 4
		jnb	short loc_5390D0

loc_5390E1:				; CODE XREF: RtlSidHashLookup(x,x)+B9j
		cmp	esi, 0FFFFFFFCh
		jz	short loc_539123

loc_5390E6:				; CODE XREF: RtlSidHashLookup(x,x)+C4j
		mov	cl, [edx]
		cmp	cl, [eax]
		jnz	loc_5391B8
		cmp	esi, 0FFFFFFFDh
		jz	short loc_539123
		mov	cl, [edx+1]
		cmp	cl, [eax+1]
		jnz	loc_5391B8
		cmp	esi, 0FFFFFFFEh
		jz	short loc_539123
		mov	cl, [edx+2]
		cmp	cl, [eax+2]
		jnz	loc_5391B8
		cmp	esi, 0FFFFFFFFh
		jz	short loc_539123
		mov	cl, [edx+3]
		cmp	cl, [eax+3]
		jnz	loc_5391B8

loc_539123:				; CODE XREF: RtlSidHashLookup(x,x)+D4j
					; RtlSidHashLookup(x,x)+E3j ...
		xor	eax, eax

loc_539125:				; CODE XREF: RtlSidHashLookup(x,x)+1ADj
		test	eax, eax
		jnz	short loc_539176
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_539134:				; CODE XREF: RtlSidHashLookup(x,x)+58j
		mov	esi, [ebx+4]
		mov	edi, 20h
		mov	ebx, [ebp+arg_0]
		add	esi, 100h
		mov	ecx, [ebp+var_8]

loc_539148:				; CODE XREF: RtlSidHashLookup(x,x)+14Ej
		mov	eax, [esi]
		cmp	[eax], cx
		jz	short loc_539160

loc_53914F:				; CODE XREF: RtlSidHashLookup(x,x)+164j
		inc	edi
		add	esi, 8
		cmp	edi, ebx
		jnb	loc_53906E
		mov	edx, [ebp+arg_4]
		jmp	short loc_539148
; 

loc_539160:				; CODE XREF: RtlSidHashLookup(x,x)+13Dj
		push	[ebp+var_10]	; size_t
		push	eax		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_5391AD
		mov	ecx, [ebp+var_8]
		jmp	short loc_53914F
; 

loc_539176:				; CODE XREF: RtlSidHashLookup(x,x)+117j
		mov	edx, [ebp+arg_4]
		mov	esi, [ebp+var_8]
		mov	ecx, [ebp+var_14]

loc_53917F:				; CODE XREF: RtlSidHashLookup(x,x)+ADj
		mov	eax, [ebp+var_18]
		btc	ecx, eax
		mov	edi, [ebp+var_1C]
		mov	eax, [ebp+var_20]
		test	cl, cl
		jnz	loc_5390A0
		mov	eax, [ebp+var_C]

loc_539196:				; CODE XREF: RtlSidHashLookup(x,x)+74j
		add	[ebp+var_1], 8
		shr	eax, 8
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	loc_539080
		jmp	loc_539060
; 

loc_5391AD:				; CODE XREF: RtlSidHashLookup(x,x)+15Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_5391B8:				; CODE XREF: RtlSidHashLookup(x,x)+DAj
					; RtlSidHashLookup(x,x)+EBj ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_539125
_RtlSidHashLookup@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepConstrainByConstraintMask proc near	; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+A21p
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+A4Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005F162D SIZE 000000ED BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, ecx
		mov	[ebp+var_4], ebx
		mov	byte ptr [eax],	0
		push	edi
		mov	edi, edx
		cmp	ebx, 0FFFFFFFFh
		jnz	loc_5F162D

loc_5391E4:				; CODE XREF: SepConstrainByConstraintMask+B847Dj
					; SepConstrainByConstraintMask+B84A2j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
SepConstrainByConstraintMask endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpSignal	proc near		; CODE XREF: ExpWorkerFactoryStartDeferredWork(x,x)+E9p
					; NtAlpcSendWaitReceivePort+E3p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= word ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005F171A SIZE 000001CA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		mov	esi, ecx
		mov	eax, [esi+10h]
		test	eax, eax
		jnz	loc_53931C
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	loc_539336
		test	dl, dl
		jz	loc_539300
		mov	[ebp+var_10], 1
		cmp	[ebp+arg_0], al
		jnz	short loc_53922C
		mov	[ebp+var_10], 5

loc_53922C:				; CODE XREF: AlpcpSignal+33j
		push	ebx
		lea	esi, [ecx+2B4h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ebx, large fs:20h
		mov	dl, al
		mov	byte ptr [ebp+var_14], dl
		mov	[ebp+var_4], ebx
		mov	[ebp+var_18], 0
		lock bts dword ptr [esi], 7
		jb	loc_5F171A

loc_53925A:				; CODE XREF: AlpcpSignal+B8542j
		mov	eax, [esi+4]
		lea	ecx, [eax+1]
		cmp	ecx, [esi+10h]
		jg	loc_5F1854
		cmp	ecx, eax
		jl	loc_5F1854
		mov	[esi+4], ecx
		test	eax, eax
		jnz	short loc_5392D3
		mov	ebx, [esi+8]
		lea	eax, [esi+8]
		cmp	ebx, eax
		jz	short loc_5392D0
		push	edi

loc_539283:				; CODE XREF: AlpcpSignal+B864Fj
		mov	eax, [ebx]
		mov	edi, ebx
		mov	ebx, eax
		mov	ecx, [edi+4]
		cmp	[eax+4], edi
		jz	short loc_539298

loc_539291:				; CODE XREF: AlpcpSignal+AAj
					; AlpcpSignal+B85F8j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_539298:				; CODE XREF: AlpcpSignal+9Fj
		cmp	[ecx], edi
		jnz	short loc_539291
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	al, [edi+8]
		cmp	al, 1
		jnz	loc_5F1737
		movzx	eax, word ptr [edi+0Ah]
		mov	edx, edi
		mov	ecx, [ebp+var_4]
		push	0
		push	eax
		call	KiTryUnwaitThread
		test	al, al
		jz	loc_5F183A
		add	dword ptr [esi+4], 0FFFFFFFFh
		jnz	loc_5F183A

loc_5392CF:				; CODE XREF: AlpcpSignal+B8631j
					; AlpcpSignal+B8655j
		pop	edi

loc_5392D0:				; CODE XREF: AlpcpSignal+90j
		mov	ebx, [ebp+var_4]

loc_5392D3:				; CODE XREF: AlpcpSignal+86j
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		test	byte ptr [ebp+var_10], 4
		mov	edx, 1
		jz	loc_5F184A

loc_5392EA:				; CODE XREF: AlpcpSignal+B865Fj
		push	[ebp+var_14]
		mov	ecx, ebx
		push	1
		push	1
		call	KiExitDispatcher
		pop	ebx

loc_5392F9:				; CODE XREF: AlpcpSignal+14Bj
					; AlpcpSignal+175j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_539300:				; CODE XREF: AlpcpSignal+23j
		push	2
		push	ecx
		push	1
		add	ecx, 2B4h
		mov	edx, 1
		call	KeReleaseSemaphoreEx
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_53931C:				; CODE XREF: AlpcpSignal+10j
		cmp	byte ptr [esi+22h], 0
		push	edx
		push	1
		jz	short loc_539367
		mov	dl, [esi+23h]
		mov	ecx, eax
		call	_AlpcpQueueIoCompletionPort@16 ; AlpcpQueueIoCompletionPort(x,x,x,x)
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_539336:				; CODE XREF: AlpcpSignal+1Bj
		mov	eax, [esi+14h]
		test	al, 1
		jz	short loc_5392F9
		cmp	eax, 4
		jb	short loc_53935E
		push	edx
		push	0
		and	eax, 0FFFFFFFCh
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [esi+14h]
		test	cl, 2
		jz	short loc_53935E
		and	ecx, 0FFFFFFFCh
		call	ObfDereferenceObject

loc_53935E:				; CODE XREF: AlpcpSignal+150j
					; AlpcpSignal+164j
		mov	dword ptr [esi+14h], 0
		jmp	short loc_5392F9
; 

loc_539367:				; CODE XREF: AlpcpSignal+133j
		mov	eax, [eax+94h]
		push	1
		push	eax
		call	KeReleaseSemaphore
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
AlpcpSignal	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIntSteerLogProc proc near		; CODE XREF: PpmParkSteerInterrupts+3B1p
					; KiIntSteerLogStatus(x)+13p

var_2A		= word ptr -2Ah
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		xor	edi, edi
		mov	[ebp+var_2A], ax
		mov	esi, offset _PPM_ETW_INTERRUPT_STEERING_PROC_CHANGE
		mov	[ebp+var_28], edi
		test	cl, cl
		jnz	short loc_5393C1

loc_5393A4:				; CODE XREF: KiIntSteerLogProc+4Aj
		mov	ecx, esi
		call	_KiIntSteerEtwEventEnabled@4 ; KiIntSteerEtwEventEnabled(x)
		test	al, al
		jnz	loc_5F186F

loc_5393B3:				; CODE XREF: AlpcpSignal+B86EFj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_5393C1:				; CODE XREF: KiIntSteerLogProc+26j
		mov	esi, offset _PPM_ETW_INTERRUPT_STEERING_PROC_RUNDOWN
		jmp	short loc_5393A4
KiIntSteerLogProc endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIntSteerLogMask proc near		; CODE XREF: KiIntSteerLogStatus(x)+Cp

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F18E4 SIZE 00000081 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, offset _PPM_ETW_INTERRUPT_STEERING_MASK_CHANGE
		test	cl, cl
		jnz	short loc_539400

loc_5393E4:				; CODE XREF: KiIntSteerLogMask+3Dj
		mov	ecx, esi
		call	_KiIntSteerEtwEventEnabled@4 ; KiIntSteerEtwEventEnabled(x)
		test	al, al
		jnz	loc_5F18E4

loc_5393F3:				; CODE XREF: KiIntSteerLogMask+B8598j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_539400:				; CODE XREF: KiIntSteerLogMask+1Aj
		mov	esi, offset _PPM_ETW_INTERRUPT_STEERING_MASK_RUNDOWN
		jmp	short loc_5393E4
KiIntSteerLogMask endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SeQueryTokenTrustLink(x)
_SeQueryTokenTrustLink@4 proc near	; CODE XREF: PsRestoreImpersonation+3Dp
					; PsRestoreImpersonation:loc_82D847p
		mov	eax, [ecx+284h]
		retn
_SeQueryTokenTrustLink@4 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1239. KeQueryTotalCycleTimeThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeQueryTotalCycleTimeThread
KeQueryTotalCycleTimeThread proc near	; CODE XREF: NtQueryInformationThread+15Cp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F1965 SIZE 0000014D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	eax, large fs:124h
		push	edi
		cmp	esi, eax
		jnz	loc_5F1965
		cli
		mov	eax, large fs:20h
		mov	edx, esi
		push	[ebp+arg_4]
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		call	KiEndThreadCycleAccumulation
		mov	ebx, edx
		mov	edi, eax
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	KiStartThreadCycleAccumulation
		sti
		mov	eax, edi
		mov	edx, ebx

loc_539477:				; CODE XREF: KeQueryTotalCycleTimeThread+B868Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
KeQueryTotalCycleTimeThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiEndThreadCycleAccumulation proc near	; CODE XREF: KiSchedulerApc+228p
					; KiIdleSchedule+2Fp ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A87CF SIZE 0000008D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_14], edi
		mov	byte ptr [ebx+11h], 1
		nop
		rdtsc
		mov	ecx, edx
		mov	[ebp+var_18], eax
		mov	edx, eax
		mov	[ebp+var_1C], ecx
		sub	edx, [ebx+3B40h]
		mov	esi, ecx
		mov	eax, [edi+30h]
		sbb	esi, [ebx+3B44h]
		add	eax, edx
		mov	ecx, [edi+34h]
		adc	ecx, esi
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], ecx
		mov	[edi+38h], ecx
		mov	[edi+30h], eax
		mov	[ebp+var_2C], eax
		mov	eax, [edi+38h]
		mov	[edi+34h], eax
		xor	eax, eax
		mov	[ebp+var_30], ecx
		mov	ecx, [edi+40h]
		add	ecx, edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], esi
		adc	eax, esi
		mov	[ebp+var_38], eax
		jnz	loc_53975E
		cmp	ecx, 0FFFFFFFFh
		ja	loc_53975E

loc_5394F7:				; CODE XREF: KiEndThreadCycleAccumulation+2E8j
		mov	edx, [ebp+var_18]
		mov	esi, [ebp+var_1C]
		mov	[ebx+3B40h], edx
		mov	[ebx+3B44h], esi
		mov	al, [edi+2]
		mov	[edi+40h], ecx
		mov	[ebp+var_1], al
		test	al, 3Eh
		jz	loc_53962E
		test	al, 10h
		jnz	loc_5397B2

loc_539522:				; CODE XREF: KiEndThreadCycleAccumulation+377j
		test	al, 20h
		jz	loc_53961C
		mov	ecx, [edi+388h]
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	loc_53961A
		mov	esi, [ebx+3EA0h]
		mov	eax, [ebx+3EA4h]
		test	esi, esi
		jz	loc_539799
		test	eax, eax
		jz	loc_539799
		cmp	byte ptr [eax+54h], 0
		jnz	loc_5A87CF
		mov	edx, [eax+38h]
		mov	eax, [esi+88h]
		cmp	edx, eax
		jb	short loc_539570
		mov	edx, eax

loc_539570:				; CODE XREF: KiEndThreadCycleAccumulation+ECj
					; KiEndThreadCycleAccumulation+31Ej ...
		cmp	edx, 4Bh
		jb	loc_5397A3
		mov	edx, 3

loc_53957E:				; CODE XREF: KiEndThreadCycleAccumulation+32Dj
		movzx	eax, byte ptr [ebx+3ED0h]
		mov	[ebp+var_28], eax
		mov	[ebp+var_10], edx
		lea	eax, [eax+edx*2]
		lea	edi, [ecx+eax*8]
		mov	ecx, [edi]
		add	ecx, [ebp+var_C]
		mov	eax, [edi+4]
		adc	eax, [ebp+var_8]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_34], eax

loc_5395A2:				; CODE XREF: KiEndThreadCycleAccumulation+13Bj
					; KiEndThreadCycleAccumulation+140j
		mov	esi, [edi]
		mov	eax, esi
		mov	edx, [edi+4]
		mov	[ebp+var_38], edx
		nop
		mov	ebx, ecx
		mov	ecx, [ebp+var_34]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+var_20]
		cmp	eax, esi
		jnz	short loc_5395A2
		cmp	edx, [ebp+var_38]
		jnz	short loc_5395A2
		mov	ebx, [ebp+var_24]
		mov	eax, _KiTimelineBitmapTime
		mov	edx, [ebx+0C0h]
		cmp	eax, edx
		ja	loc_53976D
		sub	edx, eax
		cmp	edx, 20h
		jnb	short loc_5395EE
		mov	eax, [ebx+0C4h]
		bts	eax, edx
		mov	[ebx+0C4h], eax

loc_5395EE:				; CODE XREF: KiEndThreadCycleAccumulation+15Dj
					; KiEndThreadCycleAccumulation+30Dj
		cmp	ds:_KiEfficiencyClassSystem, 0
		mov	edi, [ebp+var_14]
		jnz	short loc_539607
		cmp	byte ptr [edi+244h], 2
		jz	loc_5A87D7

loc_539607:				; CODE XREF: KiEndThreadCycleAccumulation+178j
					; KiEndThreadCycleAccumulation+6F399j
		cmp	dword ptr [edi+36Ch], 0
		jnz	loc_5396A4

loc_539614:				; CODE XREF: KiEndThreadCycleAccumulation+2A8j
		mov	al, [ebp+var_1]
		mov	ebx, [ebp+var_40]

loc_53961A:				; CODE XREF: KiEndThreadCycleAccumulation+B5j
		and	al, 0DFh

loc_53961C:				; CODE XREF: KiEndThreadCycleAccumulation+A4j
		test	al, 40h
		jnz	loc_5A881E

loc_539624:				; CODE XREF: KiEndThreadCycleAccumulation+6F3A0j
		test	al, 3Eh
		jnz	short loc_539644

loc_539628:				; CODE XREF: KiEndThreadCycleAccumulation+216j
					; KiEndThreadCycleAccumulation+6F3D7j
		mov	edx, [ebp+var_18]
		mov	esi, [ebp+var_1C]

loc_53962E:				; CODE XREF: KiEndThreadCycleAccumulation+94j
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_2C]
		test	ecx, ecx
		jnz	short loc_53969D

loc_539638:				; CODE XREF: KiEndThreadCycleAccumulation+222j
		mov	edx, [ebp+var_30]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_539644:				; CODE XREF: KiEndThreadCycleAccumulation+1A6j
		mov	eax, [edi+50h]
		test	eax, eax
		jnz	loc_53972D

loc_53964F:				; CODE XREF: KiEndThreadCycleAccumulation+2B5j
		mov	esi, [ebp+var_C]

loc_539652:				; CODE XREF: KiEndThreadCycleAccumulation+2CEj
		test	byte ptr [edi+2], 8
		jz	loc_539756
		mov	edx, [ebx+338h]
		mov	ecx, [edi+164h]
		mov	edx, [edx+84h]
		mov	eax, edx
		and	eax, ecx
		cmp	eax, edx
		mov	eax, [ebp+var_8]
		jz	short loc_539685
		add	[ebx+3B70h], esi
		adc	[ebx+3B74h], eax

loc_539685:				; CODE XREF: KiEndThreadCycleAccumulation+1F7j
					; KiEndThreadCycleAccumulation+2D9j
		cmp	byte ptr [edi+61h], 0
		jnz	loc_5A8825

loc_53968F:				; CODE XREF: KiEndThreadCycleAccumulation+6F3BAj
					; KiEndThreadCycleAccumulation+6F3CBj
		cmp	dword ptr [edi+0F4h], 0
		jz	short loc_539628
		jmp	loc_5A8850
; 

loc_53969D:				; CODE XREF: KiEndThreadCycleAccumulation+1B6j
		mov	[ecx], edx
		mov	[ecx+4], esi
		jmp	short loc_539638
; 

loc_5396A4:				; CODE XREF: KiEndThreadCycleAccumulation+18Ej
		mov	ecx, [ebp+var_28]
		mov	eax, [ebp+var_10]
		add	ecx, 10h
		lea	eax, [ecx+eax*2]
		mov	ecx, [ebx+eax*8]
		add	ecx, [ebp+var_C]
		lea	edi, [ebx+eax*8]
		mov	eax, [edi+4]
		adc	eax, [ebp+var_8]
		mov	[ebp+var_24], ecx
		mov	[ebp+var_38], eax

loc_5396C5:				; CODE XREF: KiEndThreadCycleAccumulation+25Ej
					; KiEndThreadCycleAccumulation+263j
		mov	esi, [edi]
		mov	eax, esi
		mov	edx, [edi+4]
		mov	[ebp+var_34], edx
		nop
		mov	ebx, ecx
		mov	ecx, [ebp+var_38]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+var_24]
		cmp	eax, esi
		jnz	short loc_5396C5
		cmp	edx, [ebp+var_34]
		jnz	short loc_5396C5
		mov	edi, [ebp+var_14]
		mov	edx, [ebp+var_28]
		mov	eax, [edi+36Ch]
		mov	ecx, [eax+388h]
		mov	eax, [ebp+var_10]
		add	eax, 4
		lea	eax, [edx+eax*2]
		lea	edi, [ecx+eax*8]

loc_539703:				; CODE XREF: KiEndThreadCycleAccumulation+29Ej
					; KiEndThreadCycleAccumulation+2A3j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		mov	eax, esi
		add	ebx, [ebp+var_C]
		mov	ecx, edx
		mov	[ebp+var_38], edx
		adc	ecx, [ebp+var_8]
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_539703
		cmp	edx, [ebp+var_38]
		jnz	short loc_539703
		mov	edi, [ebp+var_14]
		jmp	loc_539614
; 

loc_53972D:				; CODE XREF: KiEndThreadCycleAccumulation+1C9j
		add	eax, [ebx+3B34h]
		test	eax, eax
		jz	loc_53964F
		mov	esi, [ebp+var_C]
		mov	ecx, [ebp+var_8]

loc_539741:				; CODE XREF: KiEndThreadCycleAccumulation+2D4j
		add	[eax], esi
		adc	[eax+4], ecx
		mov	eax, [eax+0F4h]
		test	eax, eax
		jz	loc_539652
		jmp	short loc_539741
; 

loc_539756:				; CODE XREF: KiEndThreadCycleAccumulation+1D6j
		mov	eax, [ebp+var_8]
		jmp	loc_539685
; 

loc_53975E:				; CODE XREF: KiEndThreadCycleAccumulation+68j
					; KiEndThreadCycleAccumulation+71j
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_38], 0
		jmp	loc_5394F7
; 

loc_53976D:				; CODE XREF: KiEndThreadCycleAccumulation+152j
		mov	ecx, eax
		sub	ecx, edx
		cmp	ecx, 20h
		jnb	short loc_539792
		mov	edx, [ebx+0C4h]
		shl	edx, cl
		or	edx, 1

loc_539781:				; CODE XREF: KiEndThreadCycleAccumulation+317j
		mov	[ebx+0C0h], eax
		mov	[ebx+0C4h], edx
		jmp	loc_5395EE
; 

loc_539792:				; CODE XREF: KiEndThreadCycleAccumulation+2F4j
		mov	edx, 1
		jmp	short loc_539781
; 

loc_539799:				; CODE XREF: KiEndThreadCycleAccumulation+C9j
					; KiEndThreadCycleAccumulation+D1j
		mov	edx, 64h
		jmp	loc_539570
; 

loc_5397A3:				; CODE XREF: KiEndThreadCycleAccumulation+F3j
		mov	eax, 51EB851Fh
		mul	edx
		shr	edx, 3
		jmp	loc_53957E
; 

loc_5397B2:				; CODE XREF: KiEndThreadCycleAccumulation+9Cj
		mov	cl, [edi+60h]
		mov	esi, [ebx+3B40h]
		sub	esi, [ebx+3B48h]
		mov	edx, [ebx+3B44h]
		sbb	edx, [ebx+3B4Ch]
		movzx	ecx, cl
		add	[ebx+ecx*8+3B50h], esi
		adc	[ebx+ecx*8+3B54h], edx
		and	al, 0EFh
		mov	dword ptr [ebx+3B48h], 0
		mov	dword ptr [ebx+3B4Ch], 0
		mov	[ebp+var_1], al
		jmp	loc_539522
KiEndThreadCycleAccumulation endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiStartThreadCycleAccumulation proc near ; CODE	XREF: KiIdleSchedule+57p
					; KiGroupSchedulingGenerationEnd+86p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A885C SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	[ebp+var_4], edx
		rdtsc
		mov	ebx, eax
		mov	eax, edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], eax
		push	edi
		mov	edx, ebx
		mov	[ebp+var_18], esi
		mov	edi, eax
		mov	[ebp+var_1C], ebx
		sub	edx, [esi+3B40h]
		mov	eax, [esi+3B68h]
		sbb	edi, [esi+3B44h]
		add	eax, edx
		mov	ecx, [esi+3B6Ch]
		adc	ecx, edi
		mov	edi, [ebp+var_4]
		mov	[esi+3B90h], ecx
		mov	[esi+3B68h], eax
		mov	[esi+3B6Ch], ecx
		test	byte ptr [edi+2], 20h
		jz	loc_5398FA
		mov	eax, [esi+3EA0h]
		mov	edi, ebx
		sub	edi, [esi+3B40h]
		mov	ebx, [ebp+var_8]
		sbb	ebx, [esi+3B44h]
		mov	ecx, [esi+3EA4h]
		test	eax, eax
		jz	short loc_5398A5
		test	ecx, ecx
		jz	short loc_5398A5
		cmp	byte ptr [ecx+54h], 0
		jnz	loc_5A885C
		mov	ecx, [ecx+38h]
		mov	eax, [eax+88h]
		cmp	ecx, eax
		jb	short loc_53989C
		mov	ecx, eax

loc_53989C:				; CODE XREF: KiStartThreadCycleAccumulation+98j
					; KiStartThreadCycleAccumulation+6F05Fj
		cmp	ecx, 4Bh
		jb	loc_539926

loc_5398A5:				; CODE XREF: KiStartThreadCycleAccumulation+7Dj
					; KiStartThreadCycleAccumulation+81j
		mov	edx, 3

loc_5398AA:				; CODE XREF: KiStartThreadCycleAccumulation+130j
		movzx	eax, byte ptr [esi+3ED0h]
		lea	eax, [eax+edx*2]
		lea	eax, [eax+773h]
		lea	eax, [esi+eax*8]
		mov	esi, eax
		mov	[ebp+var_C], eax
		mov	eax, [esi]
		mov	ecx, [esi+4]
		add	eax, edi
		mov	[ebp+var_C], eax
		adc	ecx, ebx
		mov	[ebp+var_10], ecx

loc_5398D1:				; CODE XREF: KiStartThreadCycleAccumulation+EAj
					; KiStartThreadCycleAccumulation+EFj
		mov	edi, [esi]
		mov	eax, edi
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_14], ecx
		nop
		mov	ebx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		jnz	short loc_5398D1
		cmp	edx, [ebp+var_14]
		jnz	short loc_5398D1
		mov	esi, [ebp+var_18]
		mov	ebx, [ebp+var_1C]
		mov	edi, [ebp+var_4]

loc_5398FA:				; CODE XREF: KiStartThreadCycleAccumulation+58j
		mov	ecx, [ebp+var_8]
		mov	[esi+3B40h], ebx
		mov	[esi+3B44h], ecx
		mov	al, [edi+2]
		test	al, 10h
		jnz	short loc_539935

loc_539910:				; CODE XREF: KiStartThreadCycleAccumulation+147j
		test	al, 2
		jnz	loc_5A8864

loc_539918:				; CODE XREF: KiStartThreadCycleAccumulation+6F06Dj
		nop
		pop	edi
		mov	byte ptr [esi+11h], 0
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_539926:				; CODE XREF: KiStartThreadCycleAccumulation+9Fj
		mov	eax, 51EB851Fh
		mul	ecx
		shr	edx, 3
		jmp	loc_5398AA
; 

loc_539935:				; CODE XREF: KiStartThreadCycleAccumulation+10Ej
		mov	al, [edi+60h]
		mov	[esi+3B48h], ebx
		mov	[esi+3B4Ch], ecx
		mov	al, [edi+2]
		jmp	short loc_539910
KiStartThreadCycleAccumulation endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiComputeSharedReadyQueueAffinityThread(x, x)
_KiComputeSharedReadyQueueAffinityThread@8 proc	near
					; CODE XREF: KiUpdateSharedReadyQueueAffinityThread(x,x)+6p
		test	ecx, ecx
		jnz	short loc_539961
		mov	eax, [edx+16Ch]
		mov	ecx, ds:_KiProcessorBlock[eax*4]

loc_539961:				; CODE XREF: KiComputeSharedReadyQueueAffinityThread(x,x)+2j
		mov	eax, [ecx+4020h]
		push	ebx
		xor	bl, bl
		test	eax, eax
		jz	short loc_539982
		mov	ecx, [edx+164h]
		and	ecx, eax
		cmp	ecx, eax
		jnz	short loc_53997E
		mov	al, 1
		pop	ebx
		retn
; 

loc_53997E:				; CODE XREF: KiComputeSharedReadyQueueAffinityThread(x,x)+28j
		xor	al, al
		pop	ebx
		retn
; 

loc_539982:				; CODE XREF: KiComputeSharedReadyQueueAffinityThread(x,x)+1Cj
		mov	al, bl
		pop	ebx
		retn
_KiComputeSharedReadyQueueAffinityThread@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSetPriorityThread proc near		; CODE XREF: KiAbApplyWakeupBoost+12Ep
					; KiAbThreadUnboostCpuPriority+B6p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_3		= byte ptr  0Bh

; FUNCTION CHUNK AT 005F1AB2 SIZE 00000082 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	bl, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], edx
		push	edi
		mov	[ebp+var_4], 0
		mov	[ebp+var_C], 0
		mov	eax, [esi+214h]
		mov	[ebp+var_18], 0
		test	eax, eax
		jnz	loc_539ADA

loc_5399C6:				; CODE XREF: KiSetPriorityThread+155j
					; KiSetPriorityThread+15Dj
		movsx	eax, byte ptr [esi+87h]
		movsx	edi, bl
		mov	[ebp+var_8], edi
		cmp	eax, edi
		jz	loc_539B71
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_4]
		call	KiAcquireThreadStateLock
		movsx	ecx, byte ptr [esi+87h]
		xor	bh, bh
		movzx	eax, al
		mov	[ebp+var_14], ecx
		mov	[ebp+arg_3], bh
		cmp	eax, 2
		jnz	loc_539A9C
		mov	edi, [ebp+var_4]
		mov	edx, esi
		mov	ebx, [ebp+var_8]
		mov	ecx, edi
		lea	eax, [edi+8]
		mov	[ebp+var_1C], eax
		mov	eax, [eax]
		test	eax, eax
		mov	[ebp+var_10], eax
		setz	al
		movzx	eax, al
		push	eax
		push	ebx
		call	_KiUpdateThreadPriority@16 ; KiUpdateThreadPriority(x,x,x,x)
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_10]
		cmp	ebx, ecx
		jge	loc_539AC6
		test	eax, eax
		jnz	loc_539AC4
		mov	al, [esi+90h]
		mov	edi, [ebp+var_4]
		cmp	al, 2
		jnz	loc_539BFE
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	KiSelectReadyThreadEx
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_539B14

loc_539A64:				; CODE XREF: KiSetPriorityThread:loc_539AC6j
					; KiSetPriorityThread+216j ...
		mov	bh, [ebp+arg_3]

loc_539A67:				; CODE XREF: KiSetPriorityThread+132j
					; KiSetPriorityThread+13Dj ...
		mov	edx, esi
		xor	ecx, ecx
		call	_KiUpdateSharedReadyQueueAffinityThread@8 ; KiUpdateSharedReadyQueueAffinityThread(x,x)
		test	edi, edi
		jz	short loc_539A7F
		xor	ecx, ecx
		lea	eax, [edi+2224h]
		lock and [eax],	ecx

loc_539A7F:				; CODE XREF: KiSetPriorityThread+E2j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_539A95

loc_539A86:				; CODE XREF: KiSetPriorityThread+10Aj
		test	bh, bh
		jnz	short loc_539AF2

loc_539A8A:				; CODE XREF: KiSetPriorityThread+176j
					; KiSetPriorityThread+17Fj
		mov	al, 1

loc_539A8C:				; CODE XREF: KiSetPriorityThread+1E3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_539A95:				; CODE XREF: KiSetPriorityThread+F4j
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	short loc_539A86
; 

loc_539A9C:				; CODE XREF: KiSetPriorityThread+6Ej
		sub	eax, 1
		jz	loc_539B78
		push	1
		sub	eax, 2
		jz	loc_539BC3
		mov	dl, bl
		mov	ecx, esi
		call	KiAbProcessThreadPriorityModification
		mov	edi, [ebp+var_4]
		mov	[esi+87h], bl
		jmp	short loc_539A67
; 

loc_539AC4:				; CODE XREF: KiSetPriorityThread+A8j
		cmp	ebx, ecx

loc_539AC6:				; CODE XREF: KiSetPriorityThread+A0j
		jle	short loc_539A64
		mov	bh, [ebp+arg_3]
		test	eax, eax
		jnz	short loc_539A67
		mov	al, [esi+90h]
		mov	edi, [ebp+var_4]
		jmp	short loc_539A67
; 

loc_539ADA:				; CODE XREF: KiSetPriorityThread+30j
		bsr	ecx, eax
		movsx	eax, bl
		mov	[ebp+var_18], ecx
		cmp	eax, ecx
		jge	loc_5399C6
		mov	bl, cl
		jmp	loc_5399C6
; 

loc_539AF2:				; CODE XREF: KiSetPriorityThread+F8j
		mov	al, large fs:51h
		movzx	edx, al
		mov	eax, [ebp+var_4]
		mov	ecx, [eax+3CCh]
		cmp	edx, ecx
		jz	short loc_539A8A
		mov	dl, 2
		call	_KiSendSoftwareInterrupt@8 ; KiSendSoftwareInterrupt(x,x)
		jmp	loc_539A8A
; 

loc_539B14:				; CODE XREF: KiSetPriorityThread+CEj
		test	byte ptr [ebx+2], 4
		jnz	loc_539BAB

loc_539B1E:				; CODE XREF: KiSetPriorityThread+22Ej
		mov	cl, [ebx+87h]

loc_539B24:				; CODE XREF: KiSetPriorityThread+228j
		mov	eax, [edi+33Ch]
		mov	[eax], cl
		mov	eax, [ebp+var_1C]
		cmp	ebx, [edi+0Ch]
		setz	cl
		mov	[eax], ebx
		mov	eax, [edi+4DCh]
		test	eax, eax
		jnz	loc_539BF6

loc_539B45:				; CODE XREF: KiSetPriorityThread+269j
		mov	al, [ebx+90h]
		cmp	al, 1
		jnz	short loc_539B60
		mov	eax, ds:_KeTickCount
		sub	eax, [ebx+138h]
		add	[ebx+170h], eax

loc_539B60:				; CODE XREF: KiSetPriorityThread+1BDj
		mov	edi, [ebp+var_4]
		mov	byte ptr [ebx+90h], 3
		mov	bh, 1
		jmp	loc_539A67
; 

loc_539B71:				; CODE XREF: KiSetPriorityThread+45j
		xor	al, al
		jmp	loc_539A8C
; 

loc_539B78:				; CODE XREF: KiSetPriorityThread+10Fj
		mov	edi, [ebp+var_4]
		mov	edx, [ebp+var_C]
		push	ecx
		push	esi
		mov	ecx, edi
		call	_KiRemoveThreadFromAnyReadyQueue@16 ; KiRemoveThreadFromAnyReadyQueue(x,x,x,x)
		push	1
		mov	dl, bl
		mov	ecx, esi
		call	KiAbProcessThreadPriorityModification
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		push	edx
		mov	edx, [ebp+var_8]
		mov	[esi+87h], bl
		call	_KiPrepareReadyThreadForRescheduling@12	; KiPrepareReadyThreadForRescheduling(x,x,x)
		jmp	loc_539A64
; 

loc_539BAB:				; CODE XREF: KiSetPriorityThread+188j
		mov	edx, edi
		mov	ecx, ebx
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	loc_539B24
		jmp	loc_539B1E
; 

loc_539BC3:				; CODE XREF: KiSetPriorityThread+11Aj
		push	edi
		mov	edi, [ebp+var_4]
		mov	edx, esi
		mov	ecx, edi
		call	_KiUpdateThreadPriority@16 ; KiUpdateThreadPriority(x,x,x,x)
		mov	ebx, [ebp+var_8]
		cmp	ebx, [ebp+var_14]
		jge	loc_539A64
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	KiSelectReadyThreadEx
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_539A64
		jmp	loc_5F1AB2
; 

loc_539BF6:				; CODE XREF: KiSetPriorityThread+1AFj
		mov	[eax+10h], cl
		jmp	loc_539B45
; 

loc_539BFE:				; CODE XREF: KiSetPriorityThread+B9j
		mov	eax, [edi+3B20h]
		lea	ecx, [ebx+1]
		mov	bh, [ebp+arg_3]
		shr	eax, cl
		test	eax, eax
		jz	loc_539A67
		jmp	loc_5F1B2B
KiSetPriorityThread endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAcquireThreadStateLock proc near	; CODE XREF: KiSetThreadSchedulingGroup+41p
					; KiRemoveThreadFromSchedulingGroup+87p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F1B34 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_24], edx
		mov	[ebp+var_4], edi

loc_539C33:				; CODE XREF: KiAcquireThreadStateLock+2Ej
					; KiAcquireThreadStateLock+AEj	...
		mov	bl, [edi+90h]
		xor	esi, esi
		movzx	eax, bl
		mov	[ebp+var_8], esi
		cmp	eax, 2
		jnz	short loc_539C9F

loc_539C46:				; CODE XREF: KiAcquireThreadStateLock+A1j
		mov	esi, [edi+148h]
		test	esi, esi
		js	short loc_539C33
		mov	esi, ds:_KiProcessorBlock[esi*4]
		mov	[ebp+var_20], 0
		lea	edi, [esi+2224h]
		mov	[ebp+var_14], edi
		jmp	short loc_539C70
; 
		align 10h

loc_539C70:				; CODE XREF: KiAcquireThreadStateLock+47j
					; KiAcquireThreadStateLock+172j
		lock bts dword ptr [edi], 0
		jb	loc_539D84
		mov	edi, [ebp+var_4]
		cmp	edi, [esi+4]
		jnz	loc_539E1B

loc_539C87:				; CODE XREF: KiAcquireThreadStateLock+8Cj
					; KiAcquireThreadStateLock+95j	...
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+arg_0]
		pop	edi
		mov	[eax], esi
		mov	eax, [ebp+var_8]
		mov	[ecx], eax
		mov	al, bl
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_539C9F:				; CODE XREF: KiAcquireThreadStateLock+24j
		sub	eax, 1
		jz	short loc_539D1E
		sub	eax, 2
		jz	short loc_539CC3
		sub	eax, 2
		jnz	short loc_539C87
		mov	al, [edi+54h]
		and	al, 7
		cmp	al, 1
		jz	short loc_539C87
		cmp	al, 3
		jnb	loc_539D77

loc_539CBF:				; CODE XREF: KiAcquireThreadStateLock+15Fj
		mov	bl, 2
		jmp	short loc_539C46
; 

loc_539CC3:				; CODE XREF: KiAcquireThreadStateLock+87j
		mov	ecx, [edi+148h]
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		js	loc_539C33
		mov	esi, ds:_KiProcessorBlock[ecx*4]
		mov	[ebp+var_10], 0
		lea	edi, [esi+2224h]
		mov	[ebp+var_14], edi
		jmp	short loc_539CF0
; 
		align 10h

loc_539CF0:				; CODE XREF: KiAcquireThreadStateLock+CBj
					; KiAcquireThreadStateLock+185j
		lock bts dword ptr [edi], 0
		jb	loc_539D97
		mov	edi, [ebp+var_4]
		cmp	edi, [esi+8]
		jz	short loc_539C87
		mov	al, [edi+90h]
		cmp	al, 3
		jz	loc_5F1B34

loc_539D11:				; CODE XREF: KiAcquireThreadStateLock+B7F1Dj
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	loc_539C33
; 

loc_539D1E:				; CODE XREF: KiAcquireThreadStateLock+82j
		mov	ecx, [edi+148h]
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jns	short loc_539DAA
		mov	eax, ecx
		mov	[ebp+var_18], esi
		and	eax, 7FFFFFFFh
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	edi, [eax+4024h]
		mov	[ebp+var_8], edi

loc_539D45:				; CODE XREF: KiAcquireThreadStateLock+1E0j
		lock bts dword ptr [edi], 0
		jb	loc_539DF2
		mov	edi, [ebp+var_4]
		mov	al, [edi+90h]
		cmp	al, 1
		jnz	loc_539E16
		mov	eax, [edi+148h]
		cmp	eax, [ebp+var_C]
		jnz	loc_539E16
		xor	esi, esi
		jmp	loc_539C87
; 

loc_539D77:				; CODE XREF: KiAcquireThreadStateLock+99j
		cmp	al, 6
		jbe	loc_539C87
		jmp	loc_539CBF
; 

loc_539D84:				; CODE XREF: KiAcquireThreadStateLock+55j
					; KiAcquireThreadStateLock+170j
		lea	ecx, [ebp+var_20]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_539D84
		jmp	loc_539C70
; 

loc_539D97:				; CODE XREF: KiAcquireThreadStateLock+D5j
					; KiAcquireThreadStateLock+183j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_539D97
		jmp	loc_539CF0
; 

loc_539DAA:				; CODE XREF: KiAcquireThreadStateLock+109j
		mov	esi, ds:_KiProcessorBlock[ecx*4]
		mov	[ebp+var_1C], 0
		lea	edi, [esi+2224h]
		mov	[ebp+var_14], edi

loc_539DC1:				; CODE XREF: KiAcquireThreadStateLock+1D0j
		lock bts dword ptr [edi], 0
		jb	short loc_539DE2
		mov	edi, [ebp+var_4]
		mov	al, [edi+90h]
		cmp	al, 1
		jz	short loc_539E05

loc_539DD5:				; CODE XREF: KiAcquireThreadStateLock+1F4j
		mov	eax, [ebp+var_14]

loc_539DD8:				; CODE XREF: KiAcquireThreadStateLock+1F9j
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	loc_539C33
; 

loc_539DE2:				; CODE XREF: KiAcquireThreadStateLock+1A6j
					; KiAcquireThreadStateLock+1CEj
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_539DE2
		jmp	short loc_539DC1
; 

loc_539DF2:				; CODE XREF: KiAcquireThreadStateLock+12Aj
					; KiAcquireThreadStateLock+1DEj
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_539DF2
		jmp	loc_539D45
; 

loc_539E05:				; CODE XREF: KiAcquireThreadStateLock+1B3j
		mov	eax, [edi+148h]
		cmp	eax, [ebp+var_C]
		jz	loc_539C87
		jmp	short loc_539DD5
; 

loc_539E16:				; CODE XREF: KiAcquireThreadStateLock+13Bj
					; KiAcquireThreadStateLock+14Aj
		mov	eax, [ebp+var_8]
		jmp	short loc_539DD8
; 

loc_539E1B:				; CODE XREF: KiAcquireThreadStateLock+61j
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	loc_539C33
KiAcquireThreadStateLock endp

; 
		align 10h
; Exported entry 1284. KeSetActualBasePriorityThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeSetActualBasePriorityThread
KeSetActualBasePriorityThread proc near	; CODE XREF: .text:0046EF6Bp
					; .text:0046F223p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F1B54 SIZE 000000E0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	dword ptr [esi+150h], offset _KiInitialProcess
		jz	loc_5F1B4A
		push	ebx
		push	edi
		mov	[ebp+var_10], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, large fs:20h
		lea	ebx, [esi+2Ch]
		mov	byte ptr [ebp+var_30], al
		mov	[ebp+var_20], 0
		mov	eax, [edi+4]
		mov	[ebp+arg_0], eax

loc_539E75:				; CODE XREF: KeSetActualBasePriorityThread+33Ej
		lock bts dword ptr [ebx], 0
		jb	loc_53A160
		movsx	eax, byte ptr [esi+15Bh]
		mov	ecx, esi
		mov	ebx, [ebp+arg_4]
		mov	dl, bl
		push	0
		mov	[ebp+var_1C], eax
		mov	byte ptr [esi+18Dh], 0
		mov	[ebp+var_8], ebx
		call	KiAbProcessThreadPriorityModification
		mov	al, [esi+15Ch]
		mov	[esi+15Bh], bl
		test	al, al
		jnz	loc_53A1AA

loc_539EB6:				; CODE XREF: KeSetActualBasePriorityThread+385j
		movsx	eax, byte ptr [esi+87h]
		cmp	ebx, eax
		jz	loc_539FEA
		cmp	esi, [ebp+arg_0]
		jnz	loc_53A051
		cmp	byte ptr [edi+11h], 0
		jnz	loc_5F1B54
		cli
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	_KiUpdateTotalCyclesCurrentThread@12 ; KiUpdateTotalCyclesCurrentThread(x,x,x)
		sti

loc_539EE5:				; CODE XREF: KeSetActualBasePriorityThread+B7D30j
		mov	byte ptr [ebp+arg_0], 0

loc_539EE9:				; CODE XREF: KeSetActualBasePriorityThread+257j
		push	[ebp+arg_0]
		mov	ecx, esi
		push	edx
		movzx	edx, byte ptr [esi+193h]
		push	eax
		call	_KiComputeQuantumTargetThread@20 ; KiComputeQuantumTargetThread(x,x,x,x,x)
		mov	eax, [esi+214h]
		mov	[ebp+var_4], 0
		mov	[ebp+var_14], 0
		mov	[ebp+var_24], 0
		test	eax, eax
		jnz	loc_53A0B7

loc_539F1F:				; CODE XREF: KeSetActualBasePriorityThread+292j
					; KeSetActualBasePriorityThread+29Dj
		movsx	eax, byte ptr [esi+87h]
		movsx	ecx, bl
		mov	[ebp+var_C], ecx
		cmp	eax, ecx
		jz	loc_539FEA
		lea	eax, [ebp+var_14]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_4]
		call	KiAcquireThreadStateLock
		movsx	ecx, byte ptr [esi+87h]
		movzx	eax, al
		mov	[ebp+var_18], ecx
		mov	byte ptr [ebp+arg_0+3],	0
		cmp	eax, 2
		jnz	loc_53A08C
		mov	ebx, [ebp+var_4]
		mov	edx, esi
		mov	ecx, ebx
		lea	eax, [ebx+8]
		mov	[ebp+var_28], eax
		mov	eax, [eax]
		test	eax, eax
		mov	[ebp+var_8], eax
		setz	al
		movzx	eax, al
		push	eax
		push	[ebp+var_C]
		call	_KiUpdateThreadPriority@16 ; KiUpdateThreadPriority(x,x,x,x)
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_18]
		mov	eax, [ebp+var_8]
		cmp	ecx, edx
		jge	loc_53A02F
		test	eax, eax
		jnz	loc_53A02D
		mov	al, [esi+90h]
		mov	ebx, [ebp+var_4]
		cmp	al, 2
		jnz	loc_5F1BF3
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	KiSelectReadyThreadEx
		mov	ecx, eax
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jnz	loc_53A0F1

loc_539FC1:				; CODE XREF: KeSetActualBasePriorityThread:loc_53A02Fj
					; KeSetActualBasePriorityThread+203j ...
		mov	edx, esi
		xor	ecx, ecx
		call	_KiUpdateSharedReadyQueueAffinityThread@8 ; KiUpdateSharedReadyQueueAffinityThread(x,x)
		test	ebx, ebx
		jz	short loc_539FD9
		xor	ecx, ecx
		lea	eax, [ebx+2224h]
		lock and [eax],	ecx

loc_539FD9:				; CODE XREF: KeSetActualBasePriorityThread+19Cj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_53A026

loc_539FE0:				; CODE XREF: KeSetActualBasePriorityThread+1FBj
		cmp	byte ptr [ebp+arg_0+3],	0
		jnz	loc_53A0D2

loc_539FEA:				; CODE XREF: KeSetActualBasePriorityThread+8Fj
					; KeSetActualBasePriorityThread+FEj ...
		mov	ecx, [esi+0A4h]
		test	ecx, ecx
		jnz	short loc_53A040

loc_539FF4:				; CODE XREF: KeSetActualBasePriorityThread+216j
		mov	dword ptr [esi+2Ch], 0

loc_539FFB:				; CODE XREF: KeSetActualBasePriorityThread+21Fj
		push	[ebp+var_30]
		lea	edx, [ebp+var_10]
		mov	ecx, edi
		call	@KiProcessDeferredReadyList@12 ; KiProcessDeferredReadyList(x,x,x)
		test	dword ptr ds:byte_70EFC4, 2000h
		mov	edi, [ebp+var_1C]
		jnz	loc_5F1C1B

loc_53A01B:				; CODE XREF: KeSetActualBasePriorityThread+B7DFFj
		mov	eax, edi
		pop	edi
		pop	ebx

loc_53A01F:				; CODE XREF: KiAcquireThreadStateLock+B7F2Fj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_53A026:				; CODE XREF: KeSetActualBasePriorityThread+1AEj
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	short loc_539FE0
; 

loc_53A02D:				; CODE XREF: KeSetActualBasePriorityThread+162j
		cmp	ecx, edx

loc_53A02F:				; CODE XREF: KeSetActualBasePriorityThread+15Aj
		jle	short loc_539FC1
		test	eax, eax
		jnz	short loc_539FC1
		mov	al, [esi+90h]

loc_53A03B:				; CODE XREF: KeSetActualBasePriorityThread+B7DBEj
		mov	ebx, [ebp+var_4]
		jmp	short loc_539FC1
; 

loc_53A040:				; CODE XREF: KeSetActualBasePriorityThread+1C2j
		mov	al, [ecx]
		and	al, 7Fh
		cmp	al, 15h
		jnz	short loc_539FF4
		mov	edx, esi
		call	KiPriQueueThreadPriorityChanged
		jmp	short loc_539FFB
; 

loc_53A051:				; CODE XREF: KeSetActualBasePriorityThread+98j
		mov	edx, [esi+34h]
		mov	eax, [esi+30h]
		mov	[ebp+var_2C], 0
		mov	[ebp+var_28], 0
		cmp	edx, [esi+38h]
		jz	short loc_53A07D
		lea	ebx, [ebx+0]

loc_53A070:				; CODE XREF: KeSetActualBasePriorityThread+24Bj
		pause
		mov	edx, [esi+34h]
		mov	eax, [esi+30h]
		cmp	edx, [esi+38h]
		jnz	short loc_53A070

loc_53A07D:				; CODE XREF: KeSetActualBasePriorityThread+238j
		mov	ebx, [ebp+arg_4]
		mov	byte ptr [ebp+arg_0], 1
		mov	[ebp+var_8], ebx
		jmp	loc_539EE9
; 

loc_53A08C:				; CODE XREF: KeSetActualBasePriorityThread+126j
		sub	eax, 1
		jz	loc_53A173
		push	1
		sub	eax, 2
		jz	loc_53A1BA
		mov	dl, bl
		mov	ecx, esi
		call	KiAbProcessThreadPriorityModification
		mov	[esi+87h], bl
		mov	ebx, [ebp+var_4]
		jmp	loc_539FC1
; 

loc_53A0B7:				; CODE XREF: KeSetActualBasePriorityThread+E9j
		bsr	ecx, eax
		movsx	eax, bl
		mov	[ebp+var_24], ecx
		cmp	eax, ecx
		jge	loc_539F1F
		mov	bl, cl
		mov	[ebp+var_8], ebx
		jmp	loc_539F1F
; 

loc_53A0D2:				; CODE XREF: KeSetActualBasePriorityThread+1B4j
		mov	al, large fs:51h
		movzx	ecx, al
		mov	eax, [ebp+var_4]
		mov	eax, [eax+3CCh]
		cmp	ecx, eax
		jz	loc_539FEA
		jmp	loc_5F1C0D
; 

loc_53A0F1:				; CODE XREF: KeSetActualBasePriorityThread+18Bj
		test	byte ptr [ecx+2], 4
		jnz	short loc_53A148

loc_53A0F7:				; CODE XREF: KeSetActualBasePriorityThread+328j
		mov	dl, [ecx+87h]

loc_53A0FD:				; CODE XREF: KeSetActualBasePriorityThread+326j
		mov	eax, [ebx+33Ch]
		mov	[eax], dl
		mov	eax, [ebp+var_28]
		cmp	ecx, [ebx+0Ch]
		setz	dl
		mov	[eax], ecx
		mov	eax, [ebx+4DCh]
		test	eax, eax
		jnz	short loc_53A15A

loc_53A11A:				; CODE XREF: KeSetActualBasePriorityThread+32Dj
		mov	al, [ecx+90h]
		cmp	al, 1
		jnz	short loc_53A135
		mov	eax, ds:_KeTickCount
		sub	eax, [ecx+138h]
		add	[ecx+170h], eax

loc_53A135:				; CODE XREF: KeSetActualBasePriorityThread+2F2j
		mov	ebx, [ebp+var_4]
		mov	byte ptr [ecx+90h], 3
		mov	byte ptr [ebp+arg_0+3],	1
		jmp	loc_539FC1
; 

loc_53A148:				; CODE XREF: KeSetActualBasePriorityThread+2C5j
		mov	edx, ebx
		call	KiIsThreadRankNonZero
		mov	ecx, [ebp+var_18]
		mov	dl, 1
		test	al, al
		jnz	short loc_53A0FD
		jmp	short loc_53A0F7
; 

loc_53A15A:				; CODE XREF: KeSetActualBasePriorityThread+2E8j
		mov	[eax+10h], dl
		jmp	short loc_53A11A
; 
		align 10h

loc_53A160:				; CODE XREF: KeSetActualBasePriorityThread+4Aj
					; KeSetActualBasePriorityThread+33Cj
		lea	ecx, [ebp+var_20]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_53A160
		jmp	loc_539E75
; 

loc_53A173:				; CODE XREF: KeSetActualBasePriorityThread+25Fj
		mov	ebx, [ebp+var_4]
		mov	edx, [ebp+var_14]
		push	ecx
		push	esi
		mov	ecx, ebx
		call	_KiRemoveThreadFromAnyReadyQueue@16 ; KiRemoveThreadFromAnyReadyQueue(x,x,x,x)
		mov	dl, byte ptr [ebp+var_8]
		mov	ecx, esi
		push	1
		call	KiAbProcessThreadPriorityModification
		mov	eax, [ebp+var_8]
		mov	ecx, esi
		mov	edx, [ebp+var_C]
		mov	[esi+87h], al
		lea	eax, [ebp+var_10]
		push	eax
		call	_KiPrepareReadyThreadForRescheduling@12	; KiPrepareReadyThreadForRescheduling(x,x,x)
		jmp	loc_539FC1
; 

loc_53A1AA:				; CODE XREF: KeSetActualBasePriorityThread+80j
		test	al, 0Fh
		jnz	short loc_53A1DA

loc_53A1AE:				; CODE XREF: KeSetActualBasePriorityThread+3BBj
		mov	byte ptr [esi+15Ch], 0
		jmp	loc_539EB6
; 

loc_53A1BA:				; CODE XREF: KeSetActualBasePriorityThread+26Aj
		push	[ebp+var_C]
		mov	ebx, [ebp+var_4]
		mov	edx, esi
		mov	ecx, ebx
		call	_KiUpdateThreadPriority@16 ; KiUpdateThreadPriority(x,x,x,x)
		mov	edx, [ebp+var_18]
		cmp	[ebp+var_C], edx
		jge	loc_539FC1
		jmp	loc_5F1B65
; 

loc_53A1DA:				; CODE XREF: KeSetActualBasePriorityThread+37Cj
		mov	eax, ds:_KeTickCount
		mov	ebx, [ebp+arg_4]
		mov	[esi+224h], eax
		mov	[ebp+var_8], ebx
		jmp	short loc_53A1AE
KeSetActualBasePriorityThread endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspUnlockThreadSecurityExclusive proc near ; CODE XREF:	PsSwapImpersonationToken+94p
					; sub_81BE47+Cp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F1C34 SIZE 00000066 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		lea	eax, [ecx+2F0h]
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], eax
		or	ecx, 0FFFFFFFFh
		lock xadd [eax], ecx
		test	cl, 2
		jnz	loc_5F1C34

loc_53A214:				; CODE XREF: PspUnlockThreadSecurityExclusive+B7A47j
					; PspUnlockThreadSecurityExclusive+B7A5Aj
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	eax, 7FFFFFFCh
		jz	loc_53A316
		push	esi
		mov	esi, large fs:124h
		mov	ecx, eax
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_1C], esi
		cmp	eax, edx
		jb	short loc_53A25D
		cmp	byte ptr dword_6D3994[ecx], 1
		jz	loc_53A345
		cmp	eax, edx
		jb	short loc_53A25D
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_53A345

loc_53A25D:				; CODE XREF: PspUnlockThreadSecurityExclusive+4Dj
					; PspUnlockThreadSecurityExclusive+5Ej
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx

loc_53A263:				; CODE XREF: PspUnlockThreadSecurityExclusive+168j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	[ebp+var_1], cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jz	loc_53A35D
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_53A36C

loc_53A2A4:				; CODE XREF: PspUnlockThreadSecurityExclusive+184j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		jnz	short loc_53A332

loc_53A2CE:				; CODE XREF: PspUnlockThreadSecurityExclusive+153j
		cmp	[ebp+var_1], 1
		jnz	loc_5F1C62
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al

loc_53A2E8:				; CODE XREF: PspUnlockThreadSecurityExclusive+175j
					; PspUnlockThreadSecurityExclusive+B7A82j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_1C], eax
		jnz	loc_53A380

loc_53A2FF:				; CODE XREF: PspUnlockThreadSecurityExclusive+1C3j
					; PspUnlockThreadSecurityExclusive+B7AA5j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_53A312
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	short loc_53A379

loc_53A312:				; CODE XREF: PspUnlockThreadSecurityExclusive+118j
					; PspUnlockThreadSecurityExclusive+18Ej
		mov	edx, [ebp+var_14]
		pop	esi

loc_53A316:				; CODE XREF: PspUnlockThreadSecurityExclusive+2Fj
		nop
		add	word ptr [edx+13Ch], 1
		pop	edi
		jnz	short loc_53A32E
		nop
		lea	eax, [edx+70h]
		cmp	[eax], eax
		jnz	loc_53A3C9

loc_53A32E:				; CODE XREF: PspUnlockThreadSecurityExclusive+130j
					; PspUnlockThreadSecurityExclusive+1E1j ...
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_53A332:				; CODE XREF: PspUnlockThreadSecurityExclusive+DCj
		mov	eax, 2AAAAAABh
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		jmp	short loc_53A2CE
; 

loc_53A345:				; CODE XREF: PspUnlockThreadSecurityExclusive+56j
					; PspUnlockThreadSecurityExclusive+67j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]
		jmp	loc_53A263
; 

loc_53A35D:				; CODE XREF: PspUnlockThreadSecurityExclusive+9Cj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_53A2E8
		jmp	loc_5F1C4F
; 

loc_53A36C:				; CODE XREF: PspUnlockThreadSecurityExclusive+AEj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_18]
		jmp	loc_53A2A4
; 

loc_53A379:				; CODE XREF: PspUnlockThreadSecurityExclusive+120j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_53A312
; 

loc_53A380:				; CODE XREF: PspUnlockThreadSecurityExclusive+109j
		test	edi, 8000h
		jnz	short loc_53A3BE

loc_53A388:				; CODE XREF: PspUnlockThreadSecurityExclusive+1D7j
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5F1C77

loc_53A392:				; CODE XREF: PspUnlockThreadSecurityExclusive+B7A93j
		test	edi, 7FFFh
		jz	short loc_53A3A9
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_53A3A9:				; CODE XREF: PspUnlockThreadSecurityExclusive+1A8j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_53A2FF
		jmp	loc_5F1C88
; 

loc_53A3BE:				; CODE XREF: PspUnlockThreadSecurityExclusive+196j
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	short loc_53A388
; 

loc_53A3C9:				; CODE XREF: PspUnlockThreadSecurityExclusive+138j
		cmp	word ptr [edx+13Eh], 0
		jnz	loc_53A32E
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_53A32E
PspUnlockThreadSecurityExclusive endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PspLockThreadSecurityExclusive(x, x)
_PspLockThreadSecurityExclusive@8 proc near ; CODE XREF: PsSwapImpersonationToken+40p
					; NtSetInformationThread+746p ...
		dec	word ptr [edx+13Ch]
		nop
		add	ecx, 2F0h
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_PspLockThreadSecurityExclusive@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSidDominatesForTrust(x, x, x)
_RtlSidDominatesForTrust@12 proc near	; CODE XREF: SepLocateTokenTrustLevel(x)+2Fp
					; RtlpValidTrustSubjectContext(x,x,x,x)+17p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	byte ptr [esi],	0
		test	ebx, ebx
		jnz	short loc_53A437

loc_53A426:				; CODE XREF: RtlSidDominatesForTrust(x,x,x)+2Ej
		test	edi, edi
		jnz	short loc_53A447

loc_53A42A:				; CODE XREF: RtlSidDominatesForTrust(x,x,x)+49j
					; RtlSidDominatesForTrust(x,x,x)+66j
		mov	al, 1
		mov	[esi], al
		xor	eax, eax

loc_53A430:				; CODE XREF: RtlSidDominatesForTrust(x,x,x)+35j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_53A437:				; CODE XREF: RtlSidDominatesForTrust(x,x,x)+14j
		call	_RtlIsValidProcessTrustLabelSid@4 ; RtlIsValidProcessTrustLabelSid(x)
		test	al, al
		jnz	short loc_53A426

loc_53A440:				; CODE XREF: RtlSidDominatesForTrust(x,x,x)+40j
		mov	eax, 0C000000Dh
		jmp	short loc_53A430
; 

loc_53A447:				; CODE XREF: RtlSidDominatesForTrust(x,x,x)+18j
		mov	ecx, edi
		call	_RtlIsValidProcessTrustLabelSid@4 ; RtlIsValidProcessTrustLabelSid(x)
		test	al, al
		jz	short loc_53A440
		test	ebx, ebx
		jnz	short loc_53A468
		cmp	[edi+8], ebx
		jbe	short loc_53A42A

loc_53A45B:				; CODE XREF: RtlSidDominatesForTrust(x,x,x)+5Ej
					; RtlSidDominatesForTrust(x,x,x)+68j
		xor	al, al
		pop	edi
		mov	[esi], al
		xor	eax, eax
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_53A468:				; CODE XREF: RtlSidDominatesForTrust(x,x,x)+44j
		mov	eax, [ebx+8]
		cmp	eax, [edi+8]
		jb	short loc_53A45B
		mov	eax, [ebx+0Ch]
		cmp	eax, [edi+0Ch]
		jnb	short loc_53A42A
		jmp	short loc_53A45B
_RtlSidDominatesForTrust@12 endp


;  S U B	R O U T	I N E 


; __stdcall KiIntSteerEtwEventEnabled(x)
_KiIntSteerEtwEventEnabled@4 proc near	; CODE XREF: PpmParkSteerInterrupts+3A2p
					; PpmParkSteerInterrupts+3BBp ...
		mov	edx, _KiIntSteerEtwHandle
		mov	eax, edx
		push	esi
		mov	esi, dword_6FBC0C
		or	eax, esi
		jz	short loc_53A497
		push	ecx
		push	esi
		push	edx
		call	EtwEventEnabled
		pop	esi
		retn
; 

loc_53A497:				; CODE XREF: KiIntSteerEtwEventEnabled(x)+11j
		xor	al, al
		pop	esi
		retn
_KiIntSteerEtwEventEnabled@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpSignalAndWait proc	near		; CODE XREF: AlpcpCompleteDeferSignalRequestAndWait(x,x,x,x,x)+3Fp
					; PAGE:0082FDFBp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_F		= byte ptr  17h

; FUNCTION CHUNK AT 005F1C9A SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		mov	cl, [ebp+arg_C]
		push	edi
		mov	eax, [esi+18h]
		mov	ebx, [esi+10h]
		shr	eax, 15h
		and	al, 1
		mov	byte ptr [ebp+var_8], al
		test	ebx, ebx
		jz	loc_53A604
		cmp	byte ptr [esi+22h], 0
		jz	loc_53A632
		mov	al, [esi+23h]
		lea	edx, [ebp+var_18]
		mov	edi, [ebx+18h]
		mov	ecx, edi
		mov	[ebp+arg_F], al
		xor	eax, eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [edi+8]
		cmp	eax, [edi+4]
		jnb	loc_53A665
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jz	short loc_53A50C
		mov	eax, [ecx]
		mov	[edi+18h], eax
		mov	eax, [edi+8]

loc_53A50C:				; CODE XREF: AlpcpSignalAndWait+62j
		mov	ecx, [ecx+4]
		inc	eax
		mov	[ebp+var_4], ecx
		mov	[edi+8], eax

loc_53A516:				; CODE XREF: AlpcpSignalAndWait+1D5j
					; AlpcpSignalAndWait+1DDj
		test	ds:byte_70EFC6,	1
		jz	loc_53A5CA
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_53A52E:				; CODE XREF: AlpcpSignalAndWait+142j
					; AlpcpSignalAndWait+15Fj
		mov	cl, byte ptr [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	edi, [ebx+0D0h]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	loc_53A649

loc_53A551:				; CODE XREF: AlpcpSignalAndWait+1B0j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_53A57C
		mov	edx, [ebx+14h]
		mov	ecx, [ebx+10h]
		push	1
		push	eax
		movzx	eax, [ebp+arg_F]
		push	0
		push	0
		neg	eax
		push	0
		sbb	eax, eax
		push	eax
		call	IoSetIoCompletionEx2

loc_53A57C:				; CODE XREF: AlpcpSignalAndWait+BDj
					; AlpcpSignalAndWait+18Dj ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	[ebp+arg_8]
		push	[ebp+var_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	[ebp+var_C]
		call	KeWaitForSingleObject
		mov	ecx, large fs:124h
		mov	edi, eax
		dec	word ptr [ecx+13Ch]
		nop
		cmp	_AlpcpLogEnabled, 0
		jnz	loc_5F1CC8

loc_53A5B3:				; CODE XREF: AlpcpSignalAndWait+B782Fj
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	short loc_53A5BF
		call	ObfDereferenceObject

loc_53A5BF:				; CODE XREF: AlpcpSignalAndWait+118j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_53A5CA:				; CODE XREF: AlpcpSignalAndWait+7Dj
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_53A5ED
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	loc_53A52E
		call	KxWaitForLockChainValid

loc_53A5ED:				; CODE XREF: AlpcpSignalAndWait+12Fj
		mov	[ebp+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_53A52E
; 

loc_53A604:				; CODE XREF: AlpcpSignalAndWait+23j
		mov	edx, [esi+0Ch]
		test	edx, edx
		jz	short loc_53A655
		xor	eax, eax
		test	cl, cl
		setz	al
		lea	eax, ds:1[eax*4]
		push	eax
		push	ecx
		lea	ecx, [edx+2B4h]
		mov	edx, 1
		push	1
		call	KeReleaseSemaphoreEx
		jmp	loc_53A57C
; 

loc_53A632:				; CODE XREF: AlpcpSignalAndWait+2Dj
		mov	eax, [ebx+94h]
		push	1
		push	1
		push	1
		push	eax
		call	KeReleaseSemaphore
		jmp	loc_53A57C
; 

loc_53A649:				; CODE XREF: AlpcpSignalAndWait+ABj
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_53A551
; 

loc_53A655:				; CODE XREF: AlpcpSignalAndWait+169j
		mov	eax, [esi+14h]
		test	al, 1
		jz	loc_53A57C
		jmp	loc_5F1C9A
; 

loc_53A665:				; CODE XREF: AlpcpSignalAndWait+57j
		cmp	[ebp+arg_F], 0
		mov	[ebp+var_4], 0
		jnz	short loc_53A67A
		inc	dword ptr [edi+0Ch]
		jmp	loc_53A516
; 

loc_53A67A:				; CODE XREF: AlpcpSignalAndWait+1D0j
		inc	dword ptr [edi+10h]
		jmp	loc_53A516
AlpcpSignalAndWait endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTraceThreadWorkOnBehalfUpdate proc near ; CODE XREF:	PspRevertContainerImpersonation+14Fp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F1CD4 SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, _EtwpPsProvRegHandle
		mov	ebx, ecx
		push	edi
		mov	edi, dword_6BC18C
		push	offset _ThreadWorkOnBehalfUpdate
		push	edi
		push	esi
		mov	[ebp+var_2C], edx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5F1CD4

loc_53A6CA:				; CODE XREF: EtwTraceThreadWorkOnBehalfUpdate+B76BBj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
EtwTraceThreadWorkOnBehalfUpdate endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsImpersonateContainerOfThread proc near ; CODE	XREF: IopProcessWorkItem:loc_4DCED1p
					; NtSetInformationThread+1D8p ...

var_50		= dword	ptr -50h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F1D50 SIZE 0000014E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	edx, 746E6F43h
		mov	[ebp+var_3C], edi
		call	ObfReferenceObjectWithTag
		mov	esi, large fs:124h
		mov	ecx, esi
		call	PspRevertContainerImpersonation
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_2A], al
		jnz	loc_5F1D50
		mov	[ebp+var_34], 0
		mov	ebx, offset _PspThreadWorkOnBehalfLock
		lock bts dword ptr [ebx], 1Fh
		jb	loc_53A893

loc_53A741:				; CODE XREF: PsImpersonateContainerOfThread+1BFj
		mov	edx, _PspThreadWorkOnBehalfLock
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5F1D61

loc_53A759:				; CODE XREF: PsImpersonateContainerOfThread+B767Cj
					; PsImpersonateContainerOfThread+B76B6j
		mov	[esi+36Ch], edi
		movsx	ebx, byte ptr [edi+87h]
		cmp	ebx, 0Fh
		jg	loc_53A8A4

loc_53A76F:				; CODE XREF: PsImpersonateContainerOfThread+1C9j
		mov	[ebp+var_30], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_29], al
		lea	edi, [esi+2Ch]
		mov	[ebp+var_38], 0
		lea	esp, [esp+0]

loc_53A790:				; CODE XREF: PsImpersonateContainerOfThread+1DEj
		lock bts dword ptr [edi], 0
		jb	loc_53A8B0
		mov	edi, [ebp+var_3C]
		movsx	ecx, bl
		mov	[esi+1E7h], bl
		mov	al, [ecx+esi+1F4h]
		cmp	al, 0FFh
		jz	loc_5F1D9B
		inc	al
		mov	[ecx+esi+1F4h],	al
		mov	eax, [esi+214h]
		bts	eax, ecx
		mov	[esi+214h], eax
		cmp	[esi+87h], bl
		jl	loc_53A883

loc_53A7DA:				; CODE XREF: PsImpersonateContainerOfThread+1AEj
		mov	dword ptr [esi+2Ch], 0
		mov	ebx, large fs:20h
		mov	ecx, [ebp+var_30]
		test	ecx, ecx
		jnz	loc_5F1DAB

loc_53A7F3:				; CODE XREF: PsImpersonateContainerOfThread+B76E8j
		mov	dl, [ebp+var_29]
		mov	ecx, ebx
		call	KiCheckForThreadDispatch
		mov	ebx, large fs:20h
		cmp	ds:_KeHeteroSystemQos, 0
		jnz	loc_5F1DCD

loc_53A811:				; CODE XREF: PsImpersonateContainerOfThread+B7739j
					; PsImpersonateContainerOfThread+B7740j
		test	ds:byte_70EFC6,	1
		jnz	loc_5F1E25
		mov	_PspThreadWorkOnBehalfLock, 0

loc_53A828:				; CODE XREF: PsImpersonateContainerOfThread+B7752j
		mov	cl, [ebp+var_2A]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [edi+150h]
		mov	eax, [eax+158h]
		test	eax, eax
		jz	short loc_53A852
		mov	edx, [eax+220h]
		test	edx, edx
		jz	short loc_53A852
		mov	ecx, esi
		call	KeSetThreadChargeOnlySchedulingGroup

loc_53A852:				; CODE XREF: PsImpersonateContainerOfThread+15Fj
					; PsImpersonateContainerOfThread+169j
		mov	esi, dword_6BC18C
		mov	ebx, _EtwpPsProvRegHandle
		push	offset _ThreadWorkOnBehalfUpdate
		push	esi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5F1E37

loc_53A872:				; CODE XREF: PsImpersonateContainerOfThread+B77B9j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_53A883:				; CODE XREF: PsImpersonateContainerOfThread+F4j
		push	ecx
		lea	edx, [ebp+var_30]
		mov	ecx, esi
		call	KiSetPriorityThread
		jmp	loc_53A7DA
; 

loc_53A893:				; CODE XREF: PsImpersonateContainerOfThread+5Bj
		mov	dl, al
		mov	ecx, ebx
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+var_34], eax
		jmp	loc_53A741
; 

loc_53A8A4:				; CODE XREF: PsImpersonateContainerOfThread+89j
		mov	ebx, 0Fh
		jmp	loc_53A76F
; 
		align 10h

loc_53A8B0:				; CODE XREF: PsImpersonateContainerOfThread+B5j
					; PsImpersonateContainerOfThread+1DCj
		lea	ecx, [ebp+var_38]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_53A8B0
		jmp	loc_53A790
PsImpersonateContainerOfThread endp

; 
		align 10h
; Exported entry 288. EtwEventEnabled

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public EtwEventEnabled
EtwEventEnabled	proc near		; CODE XREF: PoTraceSystemTimerResolutionUpdate+3Ap
					; PopDiagTraceClearDeepSleepConstraint+35p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F1E9E SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	loc_53A979
		mov	eax, [esi+10h]
		push	ebx
		push	edi
		mov	edi, [ebp+arg_8]
		add	eax, 40h
		cmp	dword ptr [eax], 0
		mov	edx, [edi+0Ch]
		mov	ebx, [edi+8]
		mov	[ebp+arg_4], edx
		jz	short loc_53A925
		mov	cl, [eax+4]
		cmp	[edi+4], cl
		ja	loc_5F1E9E

loc_53A907:				; CODE XREF: EtwEventEnabled+B75D6j
		test	byte ptr [eax+8], 40h
		jz	short loc_53A913
		mov	ecx, ebx
		or	ecx, edx
		jz	short loc_53A958

loc_53A913:				; CODE XREF: EtwEventEnabled+3Bj
		mov	edx, [eax+10h]
		mov	ecx, [eax+14h]
		and	edx, ebx
		and	ecx, [ebp+arg_4]
		or	edx, ecx
		jnz	short loc_53A936
		mov	edx, [ebp+arg_4]

loc_53A925:				; CODE XREF: EtwEventEnabled+29j
					; EtwEventEnabled+7Ej ...
		cmp	byte ptr [esi+35h], 0
		jnz	short loc_53A963

loc_53A92B:				; CODE XREF: EtwEventEnabled+A5j
		pop	edi
		xor	al, al
		pop	ebx

loc_53A92F:				; CODE XREF: EtwEventEnabled+ABj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_53A936:				; CODE XREF: EtwEventEnabled+50j
		mov	edx, [eax+1Ch]
		mov	ecx, [eax+18h]
		mov	eax, ecx
		mov	[ebp+arg_8], edx
		and	eax, ebx
		mov	[ebp+var_4], edx
		mov	edx, [ebp+arg_4]
		and	[ebp+arg_8], edx
		cmp	eax, ecx
		jnz	short loc_53A925
		mov	eax, [ebp+var_4]
		cmp	[ebp+arg_8], eax
		jnz	short loc_53A925

loc_53A958:				; CODE XREF: EtwEventEnabled+41j
					; EtwEventEnabled+A7j
		pop	edi
		pop	ebx
		mov	al, 1
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_53A963:				; CODE XREF: EtwEventEnabled+59j
		mov	ecx, [esi+14h]
		push	edx
		mov	dl, [edi+4]
		add	ecx, 40h
		push	ebx
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	short loc_53A92B
		jmp	short loc_53A958
; 

loc_53A979:				; CODE XREF: EtwEventEnabled+Cj
		xor	al, al
		jmp	short loc_53A92F
EtwEventEnabled	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspRevertContainerImpersonation	proc near ; CODE XREF: NtRevertContainerImpersonation()+7j
					; PsImpersonateContainerOfThread+2Dp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F1EAB SIZE 00000078 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, [esi+36Ch]
		test	ebx, ebx
		jnz	short loc_53A9A1
		mov	eax, 0C0000001h

loc_53A99B:				; CODE XREF: PspRevertContainerImpersonation+161j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_53A9A1:				; CODE XREF: PspRevertContainerImpersonation+14j
		test	dword ptr [esi+5Ch], 200h
		lea	eax, [esi+5Ch]
		push	edi
		mov	edi, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		jnz	loc_53AAF6

loc_53A9B8:				; CODE XREF: PspRevertContainerImpersonation+1D1j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	cl, al
		mov	[ebp+var_1], cl
		jnz	loc_5F1EAB
		mov	[ebp+var_8], 0
		mov	eax, offset _PspThreadWorkOnBehalfLock
		lock bts dword ptr [eax], 1Fh
		jb	loc_53AB56

loc_53A9E9:				; CODE XREF: PspRevertContainerImpersonation+1E2j
		mov	edx, _PspThreadWorkOnBehalfLock
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	loc_5F1EBC

loc_53AA01:				; CODE XREF: PspRevertContainerImpersonation+B7537j
					; PspRevertContainerImpersonation+B757Cj
		mov	dword ptr [esi+36Ch], 0
		mov	[ebp+var_C], 0
		call	edi
		mov	byte ptr [ebp+var_18], al
		lea	edi, [esi+2Ch]
		mov	[ebp+var_14], 0

loc_53AA21:				; CODE XREF: PspRevertContainerImpersonation+205j
		lock bts dword ptr [edi], 0
		jb	loc_53AB77
		movsx	ecx, byte ptr [esi+1E7h]
		mov	al, [ecx+esi+1F4h]
		test	al, al
		jz	loc_5F1F01
		sub	al, 1
		mov	[ecx+esi+1F4h],	al
		jnz	short loc_53AA8B
		mov	edx, [esi+214h]
		mov	eax, 1
		btc	edx, ecx
		shl	eax, cl
		mov	[esi+214h], edx
		cmp	edx, eax
		jnb	short loc_53AA8B
		mov	dl, [esi+87h]
		cmp	dl, 10h
		jge	short loc_53AA8B
		mov	al, [esi+15Ch]
		mov	cl, al
		and	al, 0Fh
		shr	cl, 4
		add	cl, al
		add	cl, [esi+15Bh]
		cmp	cl, dl
		jl	short loc_53AAE6

loc_53AA8B:				; CODE XREF: PspRevertContainerImpersonation+CBj
					; PspRevertContainerImpersonation+E5j ...
		push	[ebp+var_18]
		mov	byte ptr [esi+1E7h], 0
		lea	edx, [ebp+var_C]
		mov	dword ptr [edi], 0
		mov	ecx, large fs:20h
		call	@KiProcessDeferredReadyList@12 ; KiProcessDeferredReadyList(x,x,x)
		test	ds:byte_70EFC6,	1
		pop	edi
		jnz	loc_5F1F11
		mov	_PspThreadWorkOnBehalfLock, 0

loc_53AAC2:				; CODE XREF: PspRevertContainerImpersonation+B759Ej
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	edx, edx
		mov	ecx, ebx
		call	EtwTraceThreadWorkOnBehalfUpdate
		push	746E6F43h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag
		xor	eax, eax
		jmp	loc_53A99B
; 

loc_53AAE6:				; CODE XREF: PspRevertContainerImpersonation+109j
		movsx	eax, cl
		lea	edx, [ebp+var_C]
		push	eax
		mov	ecx, esi
		call	KiSetPriorityThread
		jmp	short loc_53AA8B
; 

loc_53AAF6:				; CODE XREF: PspRevertContainerImpersonation+32j
		call	edi
		mov	edi, large fs:20h
		cli
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	KiEndThreadCycleAccumulation
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	KiStartThreadCycleAccumulation
		sti
		add	edi, 2224h
		mov	[ebp+var_10], 0

loc_53AB23:				; CODE XREF: PspRevertContainerImpersonation+1F5j
		lock bts dword ptr [edi], 0
		jb	short loc_53AB67
		lock btr dword ptr [esi], 12h
		mov	dword ptr [esi+50h], 0
		lea	eax, [esi+5Ch]
		lock btr dword ptr [eax], 9
		xor	eax, eax
		lock and [edi],	eax
		xor	cl, cl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		jmp	loc_53A9B8
; 

loc_53AB56:				; CODE XREF: PspRevertContainerImpersonation+63j
		mov	dl, cl
		mov	ecx, eax
		call	ExpWaitForSpinLockExclusiveAndAcquire
		mov	[ebp+var_8], eax
		jmp	loc_53A9E9
; 

loc_53AB67:				; CODE XREF: PspRevertContainerImpersonation+1A8j
					; PspRevertContainerImpersonation+1F3j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_53AB67
		jmp	short loc_53AB23
; 

loc_53AB77:				; CODE XREF: PspRevertContainerImpersonation+A6j
					; PspRevertContainerImpersonation+203j
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_53AB77
		jmp	loc_53AA21
PspRevertContainerImpersonation	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiProcessDeferredReadyList(x, x, x)
@KiProcessDeferredReadyList@12 proc near ; CODE	XREF: KiAbApplyWakeupBoost+11Dp
					; KeRevertToUserGroupAffinityThread+C7p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, [ebp+arg_0]
		mov	ecx, esi
		call	KiCheckForThreadDispatch
		pop	esi
		pop	ebp
		retn	4
@KiProcessDeferredReadyList@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiReadyDeferredReadyList(x,	x)
_KiReadyDeferredReadyList@8 proc near	; CODE XREF: KiAbApplyWakeupBoost:loc_43C10Dp
					; KiAbThreadUnboostCpuPriority+DFp ...
		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_53ABC1

loc_53ABBE:				; CODE XREF: KiReadyDeferredReadyList(x,x)+19j
					; KiReadyDeferredReadyList(x,x)+32j
		pop	edi
		pop	ebx
		retn
; 

loc_53ABC1:				; CODE XREF: KiReadyDeferredReadyList(x,x)+Cj
		push	esi
		mov	esi, [eax]
		mov	[edi], esi
		pop	esi
		test	eax, eax
		jz	short loc_53ABBE
		jmp	short loc_53ABD0
; 
		align 10h

loc_53ABD0:				; CODE XREF: KiReadyDeferredReadyList(x,x)+1Bj
					; KiReadyDeferredReadyList(x,x)+38j
		push	edi
		lea	edx, [eax-9Ch]
		mov	ecx, ebx
		call	KiDeferredReadySingleThread
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_53ABBE
		mov	ecx, [eax]
		mov	[edi], ecx
		jmp	short loc_53ABD0
_KiReadyDeferredReadyList@8 endp

; 
		align 10h
; Exported entry 1803. PsGetProcessInheritedFromUniqueProcessId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessInheritedFromUniqueProcessId(x)
		public _PsGetProcessInheritedFromUniqueProcessId@4
_PsGetProcessInheritedFromUniqueProcessId@4 proc near
					; CODE XREF: PsChargeProcessWakeCounter(x,x,x,x)+8p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+170h]
		pop	ebp
		retn	4
_PsGetProcessInheritedFromUniqueProcessId@4 endp

; 
		align 10h
; Exported entry 164. ObfReferenceObjectWithTag

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObfReferenceObjectWithTag
ObfReferenceObjectWithTag proc near	; CODE XREF: PspStorageGetObject(x,x,x)+43p
					; PspHardDereferenceSiloWorker(x)+2Ep ...

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A8872 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		cmp	ds:_ObpTraceFlags, 0
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi-18h]
		jnz	loc_5A8872

loc_53AC2C:				; CODE XREF: ObfReferenceObjectWithTag+6DC6Ej
		mov	eax, 1
		lock xadd [esi], eax
		inc	eax
		cmp	eax, 1
		jle	loc_5A8883
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
ObfReferenceObjectWithTag endp

; 
		align 10h
; Exported entry 1618. ObDereferenceObjectDeferDeleteWithTag

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObDereferenceObjectDeferDeleteWithTag
ObDereferenceObjectDeferDeleteWithTag proc near
					; CODE XREF: ObDereferenceObjectDeferDelete(x)+Dp
					; CcPerfLogFlushCache+10Cp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A88B4 SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ObpTraceFlags, 0
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [esi-18h]
		jnz	loc_5A8891
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		dec	eax
		test	eax, eax
		jle	short loc_53AC7C

loc_53AC76:				; CODE XREF: ObDereferenceObjectDeferDeleteWithTag+46j
					; ObfReferenceObjectWithTag+6DC99j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_53AC7C:				; CODE XREF: ObDereferenceObjectDeferDeleteWithTag+24j
					; ObfReferenceObjectWithTag+6DC9Fj
		mov	ecx, [edi+4]
		test	ecx, ecx
		jnz	loc_5A88B4
		test	eax, eax
		js	loc_5A88DE
		mov	ecx, edi
		call	ObpDeferObjectDeletion
		jmp	short loc_53AC76
ObDereferenceObjectDeferDeleteWithTag endp


;  S U B	R O U T	I N E 


; __stdcall PsEncodeThreadWorkOnBehalfTicket(x,	x)
_PsEncodeThreadWorkOnBehalfTicket@8 proc near ;	CODE XREF: NtQueryInformationThread+574p
					; NtQueryInformationThread:loc_82E099p	...
		mov	eax, [ecx+2B0h]
		mov	[edx], eax
		mov	eax, [ecx+280h]
		mov	[edx+4], eax
		mov	eax, ds:_PspWorkOnBehalfEncodingKey
		xor	[edx], eax
		mov	eax, ds:dword_A9451C
		xor	[edx+4], eax
		retn
_PsEncodeThreadWorkOnBehalfTicket@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PsGetWorkOnBehalfThread(x, x)
_PsGetWorkOnBehalfThread@8 proc	near	; CODE XREF: IoReferenceIoAttributionFromThread(x,x)+14p
					; IopQueueWorkItemProlog+66p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	eax, [esi+36Ch]
		mov	dword ptr [edi], 0
		test	eax, eax
		jnz	short loc_53ACDB

loc_53ACD8:				; CODE XREF: PsGetWorkOnBehalfThread(x,x)+22j
					; PsGetWorkOnBehalfThread(x,x)+62j
		pop	edi
		pop	esi
		retn
; 

loc_53ACDB:				; CODE XREF: PsGetWorkOnBehalfThread(x,x)+16j
		cmp	esi, large fs:124h
		jz	short loc_53ACD8
		push	ebx
		push	offset _PspThreadWorkOnBehalfLock
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	esi, [esi+36Ch]
		mov	bl, al
		test	esi, esi
		jz	short loc_53AD0D
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	dword ptr [edi], 1

loc_53AD0D:				; CODE XREF: PsGetWorkOnBehalfThread(x,x)+39j
		push	offset _PspThreadWorkOnBehalfLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		pop	ebx
		jmp	short loc_53ACD8
_PsGetWorkOnBehalfThread@8 endp

; 
		align 10h
; Exported entry  77. ExTryAcquirePushLockExclusiveEx

;  S U B	R O U T	I N E 


		public ExTryAcquirePushLockExclusiveEx
ExTryAcquirePushLockExclusiveEx	proc near

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005A890A SIZE 00000013 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	[ebp-4], ecx
		push	esi
		push	edi
		test	edx, 0FFFFFFFCh
		jnz	loc_5A88EC
		test	dl, 2
		jnz	loc_53AE6B
		mov	edx, ecx
		mov	dword ptr [ebp-24h], 0
		and	edx, 7FFFFFFCh
		mov	[ebp-8], edx
		jz	loc_53AE6B
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_53ADF2
		xor	edi, edi
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h

loc_53ADA6:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+136j
					; ExTryAcquirePushLockExclusiveEx+14Aj
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp-24h]
		mov	edx, ecx
		mov	ecx, esi
		push	eax
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_53ADD1
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	loc_53AEC8

loc_53ADD1:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+93j
					; ExTryAcquirePushLockExclusiveEx+19Dj
		mov	ecx, [ebp-4]

loc_53ADD4:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+13Dj
		lock bts dword ptr [ecx], 0
		jb	loc_53AEB6
		test	edi, edi
		jz	short loc_53ADE7
		or	byte ptr [edi+0Eh], 1

loc_53ADE7:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+B1j
		mov	al, 1

loc_53ADE9:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+193j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_53ADF2:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+6Aj
		mov	ah, [esi+1E4h]
		mov	dword ptr [ebp-0Ch], 0
		test	ah, ah
		jz	short loc_53AE7F

loc_53AE03:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+16Aj
		movzx	eax, ah
		bsf	ecx, eax
		btr	eax, ecx
		mov	[ebp-0Ch], ecx
		mov	[esi+1E4h], al
		lea	edi, [ecx+ecx*2]
		shl	edi, 4
		add	edi, [esi+1E8h]

loc_53AE21:				; CODE XREF: ObDereferenceObjectDeferDeleteWithTag+6DCB5j
		mov	ecx, [ebp-4]

loc_53AE24:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+17Bj
		test	edi, edi
		jz	short loc_53AE72
		mov	edx, dword_6D07D0
		mov	eax, ecx
		shr	eax, 15h
		cmp	ecx, edx
		mov	[ebp-20h], edx
		mov	edx, [ebp-8]
		jb	short loc_53AE4A
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_5A890A

loc_53AE4A:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+10Bj
		cmp	ecx, [ebp-20h]
		jb	short loc_53AE5C
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_5A890A

loc_53AE5C:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+11Dj
		or	eax, 0FFFFFFFFh

loc_53AE5F:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+6DBE8j
		mov	[edi+14h], eax
		nop
		mov	[edi+10h], edx
		jmp	loc_53ADA6
; 

loc_53AE6B:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+2Fj
					; ExTryAcquirePushLockExclusiveEx+47j
		xor	edi, edi
		jmp	loc_53ADD4
; 

loc_53AE72:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+F6j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_53ADA6
; 

loc_53AE7F:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+D1j
		cmp	byte ptr [esi+222h], 0
		lea	edi, [esi+222h]
		jz	short loc_53AE9F
		xor	al, al
		xchg	al, [edi]
		mov	ah, [esi+1E4h]
		or	ah, al
		jmp	loc_53AE03
; 

loc_53AE9F:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+15Cj
		xor	edi, edi
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_53AE24
		jmp	loc_5A88FC
; 

loc_53AEB6:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+A9j
		test	edi, edi
		jz	short loc_53AEC1
		mov	edx, edi
		call	KeAbPostReleaseEx

loc_53AEC1:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+188j
		xor	al, al
		jmp	loc_53ADE9
; 

loc_53AEC8:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+9Bj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_53ADD1
ExTryAcquirePushLockExclusiveEx	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpApplyPriorityBoost proc near		; CODE XREF: ExpConvertExclusiveToSharedLite+9Ep
					; ExpApplyPrewaitBoost(x)+4Cp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F1F23 SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	edi
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		test	byte ptr [esi+0Eh], 8
		mov	[ebp+var_20], eax
		jnz	loc_53B180
		mov	edi, [ebp+arg_0]
		mov	ebx, [edi+2FCh]
		mov	eax, [edi+150h]
		shr	ebx, 9
		and	ebx, 7
		mov	[ebp+var_C], ebx
		test	dword ptr [eax+0FCh], 100000h
		jnz	loc_53B44B

loc_53AF2A:				; CODE XREF: ExpApplyPriorityBoost+570j
		cmp	ebx, 2
		jb	loc_53B3F5

loc_53AF33:				; CODE XREF: ExpApplyPriorityBoost+52Fj
		ja	short loc_53AF3C
		mov	[ebp+var_C], 2

loc_53AF3C:				; CODE XREF: ExpApplyPriorityBoost:loc_53AF33j
		mov	eax, edx
		mov	[ebp+var_4], 0
		and	eax, 4
		mov	[ebp+var_28], 0
		mov	ebx, edx
		mov	[ebp+var_10], eax
		and	edx, 2
		lea	eax, [esi+34h]
		and	ebx, 0FF00h
		mov	[ebp+var_14], edx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_24], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_20], al
		jnz	loc_5F1F23
		lea	edx, [ebp+var_28]
		lea	eax, [esi+34h]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_53B359

loc_53AF8F:				; CODE XREF: ExpApplyPriorityBoost+481j
					; ExpApplyPriorityBoost+B704Ej
		mov	ecx, [ebp+var_10]
		movzx	eax, word ptr [esi+0Eh]
		test	ecx, ecx
		jz	short loc_53AFA4
		or	eax, 4
		mov	[esi+0Eh], ax
		movzx	eax, ax

loc_53AFA4:				; CODE XREF: ExpApplyPriorityBoost+B8j
		movzx	eax, ax
		mov	edx, eax
		shr	edx, 8
		cmp	[ebp+var_14], 0
		jz	short loc_53AFBE
		or	eax, 2
		mov	[esi+0Eh], ax
		shr	eax, 8
		mov	dl, al

loc_53AFBE:				; CODE XREF: ExpApplyPriorityBoost+D0j
		test	ebx, ebx
		jz	short loc_53AFE1
		mov	bl, [edi+87h]
		movsx	ecx, bl
		movzx	eax, dl
		cmp	ecx, eax
		jle	short loc_53AFDE
		cmp	bl, 0Fh
		jnb	loc_53B1AE

loc_53AFDB:				; CODE XREF: ExpApplyPriorityBoost+2D0j
		mov	[esi+0Fh], bl

loc_53AFDE:				; CODE XREF: ExpApplyPriorityBoost+F0j
		mov	ecx, [ebp+var_10]

loc_53AFE1:				; CODE XREF: ExpApplyPriorityBoost+E0j
		test	byte ptr [esi+1Ch], 2
		mov	eax, 1
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	ebx, [esi+18h]
		jnz	loc_53B4E4
		test	bl, 3
		jnz	loc_53B345

loc_53B002:				; CODE XREF: ExpApplyPriorityBoost+607j
		test	ebx, ebx
		jz	loc_53B345
		test	ecx, ecx
		jz	short loc_53B046
		test	[esi+1Ch], al
		jnz	short loc_53B046
		mov	eax, [ebx+150h]
		mov	ecx, [ebx+2FCh]
		test	dword ptr [eax+0FCh], 100000h
		jnz	loc_53B414
		and	ecx, 0E00h
		cmp	ecx, 400h
		jb	loc_53B414

loc_53B041:				; CODE XREF: ExpApplyPriorityBoost+54Cj
		mov	eax, 1

loc_53B046:				; CODE XREF: ExpApplyPriorityBoost+12Cj
					; ExpApplyPriorityBoost+131j
		cmp	[ebp+var_14], 0
		jz	short loc_53B075
		test	byte ptr [esi+1Ch], 4
		jnz	short loc_53B075
		or	[ebp+var_4], 2
		lock xadd [ebx+330h], eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_53B071
		cmp	byte ptr [ebx+1E5h], 0
		jnz	loc_53B4A5

loc_53B071:				; CODE XREF: ExpApplyPriorityBoost+182j
					; ExpApplyPriorityBoost+5FFj
		or	dword ptr [esi+1Ch], 4

loc_53B075:				; CODE XREF: ExpApplyPriorityBoost+16Aj
					; ExpApplyPriorityBoost+170j
		cmp	[ebp+var_18], 0
		mov	edx, [ebp+var_4]
		jz	short loc_53B091
		movsx	ecx, byte ptr [ebx+87h]
		movzx	eax, byte ptr [esi+0Fh]
		cmp	eax, ecx
		jg	loc_53B189

loc_53B091:				; CODE XREF: ExpApplyPriorityBoost+19Cj
					; ExpApplyPriorityBoost+2B2j
		test	edx, edx
		jz	loc_53B142
		mov	edx, 746C6644h
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag
		test	ds:byte_70EFC6,	1
		jnz	loc_5F1F33
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_53B36E
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jnz	loc_53B366

loc_53B0D4:				; CODE XREF: ExpApplyPriorityBoost+4A0j
					; ExpApplyPriorityBoost+B705Ej
		mov	cl, byte ptr [ebp+var_20]
		call	edi
		mov	eax, [ebp+var_4]
		test	al, 4
		jnz	loc_53B431

loc_53B0E4:				; CODE XREF: ExpApplyPriorityBoost+566j
		test	al, 2
		jz	short loc_53B0F2
		mov	ecx, ebx
		call	_PsBoostThreadOutstandingIoQoS@4 ; PsBoostThreadOutstandingIoQoS(x)
		mov	eax, [ebp+var_4]

loc_53B0F2:				; CODE XREF: ExpApplyPriorityBoost+206j
		test	eax, 0FF00h
		jnz	loc_53B197

loc_53B0FD:				; CODE XREF: ExpApplyPriorityBoost+2C9j
		push	746C6644h
		push	ebx
		mov	[ebp+var_4], 0
		call	ObDereferenceObjectDeferDeleteWithTag
		lea	ebx, [esi+34h]
		mov	[ebp+var_28], 0
		mov	[ebp+var_24], ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_20], al
		jnz	loc_5F1F43
		lea	edx, [ebp+var_28]
		xchg	edx, [ebx]
		test	edx, edx
		jnz	loc_53B34C

loc_53B13F:				; CODE XREF: ExpApplyPriorityBoost+474j
					; ExpApplyPriorityBoost+B706Dj
		mov	edx, [ebp+var_4]

loc_53B142:				; CODE XREF: ExpApplyPriorityBoost+1B3j
					; ExpApplyPriorityBoost+467j
		test	byte ptr [esi+0Eh], 80h
		jz	short loc_53B1B5

loc_53B148:				; CODE XREF: ExpApplyPriorityBoost+2DAj
					; ExpApplyPriorityBoost+2E9j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5F1F72
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_53B3B2
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jnz	loc_53B3AA

loc_53B177:				; CODE XREF: ExpApplyPriorityBoost+4E4j
					; ExpApplyPriorityBoost+B709Dj
		mov	cl, byte ptr [ebp+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_53B180:				; CODE XREF: ExpApplyPriorityBoost+1Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_53B189:				; CODE XREF: ExpApplyPriorityBoost+1ABj
		or	edx, 0FF00h
		mov	[ebp+var_4], edx
		jmp	loc_53B091
; 

loc_53B197:				; CODE XREF: ExpApplyPriorityBoost+217j
		inc	large dword ptr	fs:4268h
		mov	ecx, ebx
		movzx	edx, byte ptr [esi+0Fh]
		call	KeSetPriorityBoost
		jmp	loc_53B0FD
; 

loc_53B1AE:				; CODE XREF: ExpApplyPriorityBoost+F5j
		mov	bl, 0Fh
		jmp	loc_53AFDB
; 

loc_53B1B5:				; CODE XREF: ExpApplyPriorityBoost+266j
		mov	edi, [esi+8]
		test	edi, edi
		jz	short loc_53B148
		mov	eax, [edi+4]
		mov	ebx, 1
		mov	[ebp+var_1C], eax
		cmp	eax, ebx
		jbe	loc_53B148
		nop

loc_53B1D0:				; CODE XREF: ExpApplyPriorityBoost+313j
		mov	eax, [edi+0Ch]
		lea	edi, [edi+8]
		mov	ecx, [edi]
		test	al, 2
		jnz	loc_53B4EC
		mov	[ebp+arg_0], ecx
		test	cl, 3
		jnz	short loc_53B1EC

loc_53B1E8:				; CODE XREF: ExpApplyPriorityBoost+612j
		test	ecx, ecx
		jnz	short loc_53B1FA

loc_53B1EC:				; CODE XREF: ExpApplyPriorityBoost+306j
					; ExpApplyPriorityBoost+392j ...
		mov	edx, [ebp+var_4]
		inc	ebx
		cmp	ebx, [ebp+var_1C]
		jb	short loc_53B1D0
		jmp	loc_53B148
; 

loc_53B1FA:				; CODE XREF: ExpApplyPriorityBoost+30Aj
		cmp	[ebp+var_10], 0
		mov	[ebp+var_8], eax
		jz	short loc_53B21E
		mov	[ebp+var_8], eax
		test	al, 1
		jnz	short loc_53B21E
		mov	[ebp+var_8], eax
		call	_PsGetBaseIoPriorityThread@4 ; PsGetBaseIoPriorityThread(x)
		mov	ecx, [ebp+arg_0]
		cmp	eax, 2
		jb	loc_53B455

loc_53B21E:				; CODE XREF: ExpApplyPriorityBoost+321j
					; ExpApplyPriorityBoost+328j
		mov	eax, [ebp+var_8]

loc_53B221:				; CODE XREF: ExpApplyPriorityBoost+590j
		cmp	[ebp+var_14], 0
		jz	short loc_53B250
		test	al, 4
		jnz	short loc_53B250
		or	[ebp+var_4], 2
		mov	eax, 1
		lock xadd [ecx+330h], eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_53B24C
		xor	edx, edx
		call	_KeAbProcessEffectiveIoPriorityChange@8	; KeAbProcessEffectiveIoPriorityChange(x,x)
		mov	ecx, [ebp+arg_0]

loc_53B24C:				; CODE XREF: ExpApplyPriorityBoost+360j
		or	dword ptr [edi+4], 4

loc_53B250:				; CODE XREF: ExpApplyPriorityBoost+345j
					; ExpApplyPriorityBoost+349j
		cmp	[ebp+var_18], 0
		jz	loc_53B49D
		movzx	eax, byte ptr [esi+0Fh]
		movsx	ecx, byte ptr [ecx+87h]
		cmp	eax, ecx
		mov	eax, [ebp+var_4]
		jg	loc_53B385

loc_53B270:				; CODE XREF: ExpApplyPriorityBoost+4ADj
					; ExpApplyPriorityBoost+5C0j
		test	eax, eax
		jz	loc_53B1EC
		mov	ecx, [ebp+arg_0]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		test	ds:byte_70EFC6,	1
		jnz	loc_5F1F52
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_53B3D1
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jnz	loc_53B3C9

loc_53B2B4:				; CODE XREF: ExpApplyPriorityBoost+503j
					; ExpApplyPriorityBoost+B707Dj
		mov	cl, byte ptr [ebp+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_4]
		test	al, 4
		jnz	loc_53B475

loc_53B2C8:				; CODE XREF: ExpApplyPriorityBoost+5ABj
		test	al, 2
		jz	short loc_53B2D7
		mov	ecx, [ebp+arg_0]
		call	_PsBoostThreadOutstandingIoQoS@4 ; PsBoostThreadOutstandingIoQoS(x)
		mov	eax, [ebp+var_4]

loc_53B2D7:				; CODE XREF: ExpApplyPriorityBoost+3EAj
		test	eax, 0FF00h
		jnz	loc_53B392

loc_53B2E2:				; CODE XREF: ExpApplyPriorityBoost+4C5j
		push	746C6644h
		push	[ebp+arg_0]
		call	ObDereferenceObjectDeferDeleteWithTag
		lea	eax, [esi+34h]
		mov	[ebp+var_4], 0
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_20], al
		jnz	loc_5F1F62
		lea	edx, [ebp+var_28]
		lea	eax, [esi+34h]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_53B3E8

loc_53B329:				; CODE XREF: ExpApplyPriorityBoost+510j
					; ExpApplyPriorityBoost+B708Dj
		mov	eax, [esi+8]
		test	eax, eax
		jz	loc_53B148
		mov	ecx, [ebp+var_1C]
		cmp	[eax+4], ecx
		jz	loc_53B1EC
		jmp	loc_53B148
; 

loc_53B345:				; CODE XREF: ExpApplyPriorityBoost+11Cj
					; ExpApplyPriorityBoost+124j
		xor	edx, edx
		jmp	loc_53B142
; 

loc_53B34C:				; CODE XREF: ExpApplyPriorityBoost+259j
		lea	ecx, [ebp+var_28]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_53B13F
; 

loc_53B359:				; CODE XREF: ExpApplyPriorityBoost+A9j
		lea	ecx, [ebp+var_28]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_53AF8F
; 

loc_53B366:				; CODE XREF: ExpApplyPriorityBoost+1EEj
		lea	ecx, [ebp+var_28]
		call	KxWaitForLockChainValid

loc_53B36E:				; CODE XREF: ExpApplyPriorityBoost+1D7j
		mov	[ebp+var_28], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_53B0D4
; 

loc_53B385:				; CODE XREF: ExpApplyPriorityBoost+38Aj
		or	eax, 0FF00h
		mov	[ebp+var_4], eax
		jmp	loc_53B270
; 

loc_53B392:				; CODE XREF: ExpApplyPriorityBoost+3FCj
		inc	large dword ptr	fs:426Ch
		movzx	edx, byte ptr [esi+0Fh]
		mov	ecx, [ebp+arg_0]
		call	KeSetPriorityBoost
		jmp	loc_53B2E2
; 

loc_53B3AA:				; CODE XREF: ExpApplyPriorityBoost+291j
		lea	ecx, [ebp+var_28]
		call	KxWaitForLockChainValid

loc_53B3B2:				; CODE XREF: ExpApplyPriorityBoost+27Aj
		mov	[ebp+var_28], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_53B177
; 

loc_53B3C9:				; CODE XREF: ExpApplyPriorityBoost+3CEj
		lea	ecx, [ebp+var_28]
		call	KxWaitForLockChainValid

loc_53B3D1:				; CODE XREF: ExpApplyPriorityBoost+3B7j
		mov	[ebp+var_28], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_53B2B4
; 

loc_53B3E8:				; CODE XREF: ExpApplyPriorityBoost+443j
		lea	ecx, [ebp+var_28]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_53B329
; 

loc_53B3F5:				; CODE XREF: ExpApplyPriorityBoost+4Dj
		mov	eax, large fs:124h
		cmp	edi, eax
		jnz	short loc_53B40C
		cmp	dword ptr [edi+32Ch], 0
		jnz	loc_53B490

loc_53B40C:				; CODE XREF: ExpApplyPriorityBoost+51Dj
					; ExpApplyPriorityBoost+5B8j
		cmp	ebx, 2
		jmp	loc_53AF33
; 

loc_53B414:				; CODE XREF: ExpApplyPriorityBoost+149j
					; ExpApplyPriorityBoost+15Bj
		push	0
		push	0
		xor	dl, dl
		mov	[ebp+var_4], 4
		mov	ecx, ebx
		call	PsBoostThreadIoEx
		or	dword ptr [esi+1Ch], 1
		jmp	loc_53B041
; 

loc_53B431:				; CODE XREF: ExpApplyPriorityBoost+1FEj
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		inc	_ExpResourceIoBoosted
		push	0
		call	IoBoostThreadIoPriority
		mov	eax, [ebp+var_4]
		jmp	loc_53B0E4
; 

loc_53B44B:				; CODE XREF: ExpApplyPriorityBoost+44j
		xor	ebx, ebx
		mov	[ebp+var_C], ebx
		jmp	loc_53AF2A
; 

loc_53B455:				; CODE XREF: ExpApplyPriorityBoost+338j
		or	edx, 4
		push	0
		mov	[ebp+var_4], edx
		xor	dl, dl
		push	0
		call	PsBoostThreadIoEx
		or	dword ptr [edi+4], 1
		mov	eax, [edi+4]
		mov	ecx, [ebp+arg_0]
		jmp	loc_53B221
; 

loc_53B475:				; CODE XREF: ExpApplyPriorityBoost+3E2j
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+arg_0]
		inc	_ExpResourceIoBoostedShared
		push	0
		call	IoBoostThreadIoPriority
		mov	eax, [ebp+var_4]
		jmp	loc_53B2C8
; 

loc_53B490:				; CODE XREF: ExpApplyPriorityBoost+526j
		mov	ebx, 2
		mov	[ebp+var_C], ebx
		jmp	loc_53B40C
; 

loc_53B49D:				; CODE XREF: ExpApplyPriorityBoost+374j
		mov	eax, [ebp+var_4]
		jmp	loc_53B270
; 

loc_53B4A5:				; CODE XREF: ExpApplyPriorityBoost+18Bj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, large fs:20h
		lea	edx, [ebx+1ECh]
		push	edx
		mov	ecx, ebx
		mov	byte ptr [ebp+arg_0+3],	al
		lea	edx, [edi+45E4h]
		call	_KiAbThreadInsertList@12 ; KiAbThreadInsertList(x,x,x)
		test	eax, eax
		jz	short loc_53B4D4
		mov	ecx, edi
		call	_KiAbQueueAutoBoostDpc@4 ; KiAbQueueAutoBoostDpc(x)

loc_53B4D4:				; CODE XREF: ExpApplyPriorityBoost+5EBj
		mov	cl, byte ptr [ebp+arg_0+3]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		jmp	loc_53B071
; 

loc_53B4E4:				; CODE XREF: ExpApplyPriorityBoost+113j
		and	ebx, 0FFFFFFFCh
		jmp	loc_53B002
; 

loc_53B4EC:				; CODE XREF: ExpApplyPriorityBoost+2FAj
		and	ecx, 0FFFFFFFCh
		mov	[ebp+arg_0], ecx
		jmp	loc_53B1E8
ExpApplyPriorityBoost endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PsBoostThreadOutstandingIoQoS(x)
_PsBoostThreadOutstandingIoQoS@4 proc near ; CODE XREF:	ExpApplyPriorityBoost+20Ap
					; ExpApplyPriorityBoost+3EFp ...
		cmp	dword ptr [ecx+334h], 0
		jnz	_IoBoostThreadOutstandingIo@4 ;	IoBoostThreadOutstandingIo(x)
		retn
_PsBoostThreadOutstandingIoQoS@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1674. PoEnergyEstimationEnabled

;  S U B	R O U T	I N E 


; __stdcall PoEnergyEstimationEnabled()
		public _PoEnergyEstimationEnabled@0
_PoEnergyEstimationEnabled@0 proc near	; CODE XREF: KiInitializePcr(x,x,x,x,x,x,x,x):loc_724D00p
					; PspFoldProcessAccountingIntoJob(x,x,x)+1C2p ...
		mov	al, _PopEnergyEstimationEnabled
		retn
_PoEnergyEstimationEnabled@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSetThreadChargeOnlySchedulingGroup proc near
					; CODE XREF: PsImpersonateContainerOfThread+16Dp
					; PspExitThread+16850Ep ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F1F82 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		test	dword ptr [esi+5Ch], 200h
		lea	eax, [esi+5Ch]
		jnz	loc_5F1F82
		test	ebx, ebx
		jz	short loc_53B547
		mov	eax, [esi+50h]
		test	eax, eax
		jz	short loc_53B54F

loc_53B547:				; CODE XREF: KeSetThreadChargeOnlySchedulingGroup+1Ej
					; KeSetThreadChargeOnlySchedulingGroup+B6A6Aj
		pop	esi
		xor	al, al
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_53B54F:				; CODE XREF: KeSetThreadChargeOnlySchedulingGroup+25j
					; KeSetThreadChargeOnlySchedulingGroup+B6A64j
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, large fs:20h
		cli
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	KiEndThreadCycleAccumulation
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	KiStartThreadCycleAccumulation
		sti
		add	edi, 2224h
		mov	[ebp+var_4], 0

loc_53B581:				; CODE XREF: KeSetThreadChargeOnlySchedulingGroup+A4j
		lock bts dword ptr [edi], 0
		jb	short loc_53B5B6
		test	ebx, ebx
		jz	loc_5F1F8F
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 9
		mov	[esi+50h], ebx
		lock bts dword ptr [esi], 12h

loc_53B5A0:				; CODE XREF: KeSetThreadChargeOnlySchedulingGroup+B6A83j
		xor	eax, eax
		lock and [edi],	eax
		xor	cl, cl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	al, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_53B5B6:				; CODE XREF: KeSetThreadChargeOnlySchedulingGroup+66j
					; KeSetThreadChargeOnlySchedulingGroup+A2j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_53B5B6
		jmp	short loc_53B581
KeSetThreadChargeOnlySchedulingGroup endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpBoostIoAfterAcquire proc near	; CODE XREF: ExpAcquireSharedStarveExclusive+21Bp
					; ExpAcquireResourceExclusiveLite+2A4p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F1FA8 SIZE 00000060 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		movzx	ecx, word ptr [esi+0Eh]
		mov	[ebp+var_8], eax
		test	cl, 8
		jnz	loc_53B702
		xor	ebx, ebx
		test	cl, 4
		jz	short loc_53B62C
		mov	eax, [edi+150h]
		mov	edx, [edi+2FCh]
		test	dword ptr [eax+0FCh], 100000h
		jnz	loc_53B739
		and	edx, 0E00h
		cmp	edx, 400h
		jb	loc_53B739

loc_53B62C:				; CODE XREF: ExpBoostIoAfterAcquire+2Cj
					; ExpBoostIoAfterAcquire+16Ej
		test	cl, 2
		jz	short loc_53B634
		or	ebx, 2

loc_53B634:				; CODE XREF: ExpBoostIoAfterAcquire+5Fj
		test	ebx, ebx
		jz	loc_53B702
		lea	eax, [esi+34h]
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+var_8], al
		jnz	loc_5F1FA8
		lea	edx, [ebp+var_10]
		lea	eax, [esi+34h]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_53B710

loc_53B66F:				; CODE XREF: ExpBoostIoAfterAcquire+148j
					; ExpBoostIoAfterAcquire+B69E3j
		push	[ebp+arg_0]
		lea	eax, [ebp+var_10]
		mov	edx, edi
		push	1
		push	0
		push	eax
		mov	ecx, esi
		call	@ExpFindCurrentThread@24 ; ExpFindCurrentThread(x,x,x,x,x,x)
		mov	esi, eax
		test	bl, 4
		jnz	loc_53B743

loc_53B68E:				; CODE XREF: ExpBoostIoAfterAcquire+18Aj
					; ExpBoostIoAfterAcquire+1A2j
		test	bl, 2
		jz	short loc_53B6BD
		test	byte ptr [esi+4], 4
		jnz	short loc_53B70B
		mov	eax, 1
		lock xadd [edi+330h], eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_53B6B9
		cmp	byte ptr [edi+1E5h], 0
		jnz	loc_5F1FB8

loc_53B6B9:				; CODE XREF: ExpBoostIoAfterAcquire+DAj
					; ExpBoostIoAfterAcquire+B6A23j
		or	dword ptr [esi+4], 4

loc_53B6BD:				; CODE XREF: ExpBoostIoAfterAcquire+C1j
					; ExpBoostIoAfterAcquire+13Ej
		test	ds:byte_70EFC6,	1
		jnz	loc_5F1FF8
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_53B725
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	short loc_53B71D

loc_53B6E4:				; CODE XREF: ExpBoostIoAfterAcquire+167j
					; ExpBoostIoAfterAcquire+B6A33j
		mov	cl, byte ptr [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jz	short loc_53B702
		test	bl, 4
		jnz	short loc_53B75F

loc_53B6F6:				; CODE XREF: ExpBoostIoAfterAcquire+19Dj
		test	bl, 2
		jz	short loc_53B702
		mov	ecx, edi
		call	_PsBoostThreadOutstandingIoQoS@4 ; PsBoostThreadOutstandingIoQoS(x)

loc_53B702:				; CODE XREF: ExpBoostIoAfterAcquire+21j
					; ExpBoostIoAfterAcquire+66j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_53B70B:				; CODE XREF: ExpBoostIoAfterAcquire+C7j
		and	ebx, 0FFFFFFFDh
		jmp	short loc_53B6BD
; 

loc_53B710:				; CODE XREF: ExpBoostIoAfterAcquire+99j
		lea	ecx, [ebp+var_10]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_53B66F
; 

loc_53B71D:				; CODE XREF: ExpBoostIoAfterAcquire+112j
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid

loc_53B725:				; CODE XREF: ExpBoostIoAfterAcquire+FFj
		mov	[ebp+var_10], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_53B6E4
; 

loc_53B739:				; CODE XREF: ExpBoostIoAfterAcquire+44j
					; ExpBoostIoAfterAcquire+56j
		mov	ebx, 4
		jmp	loc_53B62C
; 

loc_53B743:				; CODE XREF: ExpBoostIoAfterAcquire+B8j
		test	byte ptr [esi+4], 1
		jnz	short loc_53B76F
		push	0
		push	0
		xor	dl, dl
		mov	ecx, edi
		call	PsBoostThreadIoEx
		or	dword ptr [esi+4], 1
		jmp	loc_53B68E
; 

loc_53B75F:				; CODE XREF: ExpBoostIoAfterAcquire+124j
		push	0
		mov	edx, 2
		mov	ecx, edi
		call	IoBoostThreadIoPriority
		jmp	short loc_53B6F6
; 

loc_53B76F:				; CODE XREF: ExpBoostIoAfterAcquire+177j
		and	ebx, 0FFFFFFFBh
		jmp	loc_53B68E
ExpBoostIoAfterAcquire endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExpFindCurrentThread(x, x,	x, x, x, x)
@ExpFindCurrentThread@24 proc near	; CODE XREF: ExpAcquireSharedStarveExclusive+133p
					; ExpSetResourceOwnerPointerEx+55p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		lea	eax, [ebx+18h]
		mov	esi, [eax]
		cmp	esi, edx
		jnz	short loc_53B794

loc_53B78E:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+53j
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_53B794:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+14j
		push	edi
		xor	edi, edi
		test	esi, esi
		jnz	short loc_53B7A6
		mov	edi, [ebp+arg_8]
		neg	edi
		sbb	edi, edi
		not	edi
		and	edi, eax

loc_53B7A6:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+21j
		mov	edx, [ebp+arg_C]
		xor	ecx, ecx
		test	esi, esi
		setnz	cl
		test	edx, edx
		jz	short loc_53B7CD
		mov	eax, [ebx+8]
		test	eax, eax
		jz	short loc_53B7CD
		cmp	edx, [eax+4]
		jnb	short loc_53B7CD
		lea	eax, [eax+edx*8]
		mov	edx, [ebp+var_4]
		cmp	[eax], edx
		jnz	short loc_53B7CD

loc_53B7CA:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+82j
					; ExpFindCurrentThread(x,x,x,x,x,x)+ACj
		pop	edi
		jmp	short loc_53B78E
; 

loc_53B7CD:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+3Aj
					; ExpFindCurrentThread(x,x,x,x,x,x)+41j ...
		mov	eax, [ebx+8]
		mov	esi, eax
		mov	[ebp+arg_8], eax
		test	esi, esi
		jz	short loc_53B7FC
		mov	eax, [esi+4]
		lea	edx, [esi+eax*8]
		mov	eax, [ebx+28h]
		add	eax, [ebx+20h]
		add	esi, 8
		mov	[ebp+arg_C], eax
		cmp	ecx, eax
		jb	short loc_53B826

loc_53B7EF:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+C6j
					; ExpFindCurrentThread(x,x,x,x,x,x)+CBj
		mov	eax, [ebp+arg_8]

loc_53B7F2:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+86j
		cmp	[ebp+arg_4], 0
		jnz	short loc_53B800

loc_53B7F8:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+D7j
		xor	eax, eax
		jmp	short loc_53B7CA
; 

loc_53B7FC:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+5Fj
		xor	edx, edx
		jmp	short loc_53B7F2
; 

loc_53B800:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+7Ej
		test	edi, edi
		jnz	short loc_53B80E
		cmp	esi, edx
		jnb	short loc_53B845
		mov	edi, esi
		test	esi, esi
		jz	short loc_53B845

loc_53B80E:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+8Aj
		mov	edx, edi
		sub	edx, eax
		mov	eax, edi

loc_53B814:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+E0j
		mov	ecx, large fs:124h
		sar	edx, 3
		mov	[ecx+26Ch], dl
		jmp	short loc_53B7CA
; 

loc_53B826:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+75j
					; ExpFindCurrentThread(x,x,x,x,x,x)+C4j
		mov	eax, [esi]
		cmp	eax, [ebp+var_4]
		jz	short loc_53B851
		test	eax, eax
		jz	short loc_53B85A
		inc	ecx
		cmp	ecx, [ebp+arg_C]
		jz	short loc_53B840

loc_53B837:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+E4j
					; ExpFindCurrentThread(x,x,x,x,x,x)+E8j
		add	esi, 8
		cmp	esi, edx
		jnz	short loc_53B826
		jmp	short loc_53B7EF
; 

loc_53B840:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+BDj
		add	esi, 8
		jmp	short loc_53B7EF
; 

loc_53B845:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+8Ej
					; ExpFindCurrentThread(x,x,x,x,x,x)+94j
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	ExpExpandResourceOwnerTable
		jmp	short loc_53B7F8
; 

loc_53B851:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+B3j
		mov	edx, esi
		mov	eax, esi
		sub	edx, [ebp+arg_8]
		jmp	short loc_53B814
; 

loc_53B85A:				; CODE XREF: ExpFindCurrentThread(x,x,x,x,x,x)+B7j
		test	edi, edi
		jnz	short loc_53B837
		mov	edi, esi
		jmp	short loc_53B837
@ExpFindCurrentThread@24 endp


;  S U B	R O U T	I N E 


; __stdcall KeQueryTimelineBitmapTime()
_KeQueryTimelineBitmapTime@0 proc near	; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x):loc_75199Bp
					; PoEnergyContextUpdateComponentPower(x,x,x,x)+1D9p ...
		mov	eax, _KiTimelineBitmapTime
		retn
_KeQueryTimelineBitmapTime@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSetPriorityBoost proc	near		; CODE XREF: KeGenericProcessorCallback(x,x,x,x)+132p
					; FsRtlpWaitForIoAtEof+191p ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F2008 SIZE 00000182 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	[ebp+var_1C], ebx
		cmp	dword ptr [esi+150h], offset _KiInitialProcess
		jz	loc_53BA2C
		mov	[ebp+var_C], 0
		mov	[ebp+var_2], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	dl, al
		mov	eax, large fs:20h
		mov	cl, [esi+87h]
		mov	byte ptr [ebp+var_28], dl
		mov	[ebp+var_40], eax
		test	cl, cl
		jle	loc_53BAE2
		movsx	ecx, cl
		cmp	ecx, ebx
		jge	loc_53BAE2
		mov	eax, [esi+34h]
		mov	ecx, [esi+30h]
		mov	[ebp+var_3C], 0
		mov	[ebp+var_38], 0
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], ecx
		cmp	eax, [esi+38h]
		jnz	loc_5F2008

loc_53B8EC:				; CODE XREF: KeSetPriorityBoost+B67AEj
		push	edi
		lea	edi, [esi+2Ch]
		mov	[ebp+var_2C], 0
		mov	[ebp+var_38], edi
		lea	ebx, [ebx+0]

loc_53B900:				; CODE XREF: KeSetPriorityBoost+220j
		lock bts dword ptr [edi], 0
		jb	loc_53BA82
		mov	al, [esi+87h]
		test	al, al
		jle	loc_53BA0D
		movsx	edx, al
		cmp	edx, ebx
		jge	loc_53BA0D
		mov	cl, bl
		mov	[ebp+var_2], 1
		sub	cl, al
		mov	[ebp+var_8], 0
		mov	eax, [esi+214h]
		shl	cl, 4
		add	[esi+15Ch], cl
		mov	[ebp+var_14], 0
		mov	[ebp+var_30], 0
		test	eax, eax
		jnz	loc_53BA6A

loc_53B958:				; CODE XREF: KeSetPriorityBoost+205j
					; KeSetPriorityBoost+20Dj
		movsx	edi, bl
		mov	[ebp+var_10], edi
		cmp	edx, edi
		jz	loc_53B9FD
		lea	eax, [ebp+var_14]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_8]
		call	KiAcquireThreadStateLock
		movsx	ecx, byte ptr [esi+87h]
		movzx	eax, al
		mov	[ebp+var_18], ecx
		mov	[ebp+var_1], 0
		cmp	eax, 2
		jnz	loc_53BA39
		mov	edi, [ebp+var_8]
		mov	edx, esi
		mov	ebx, [ebp+var_10]
		mov	ecx, edi
		lea	eax, [edi+8]
		mov	[ebp+var_34], eax
		mov	eax, [eax]
		test	eax, eax
		mov	[ebp+var_1C], eax
		setz	al
		movzx	eax, al
		push	eax
		push	ebx
		call	_KiUpdateThreadPriority@16 ; KiUpdateThreadPriority(x,x,x,x)
		mov	ecx, [ebp+var_18]
		mov	eax, [ebp+var_1C]
		cmp	ebx, ecx
		jl	loc_5F20AD

loc_53B9C0:				; CODE XREF: KeSetPriorityBoost+B68EFj
		jle	loc_53BA62
		mov	bl, [ebp+var_1]
		test	eax, eax
		jnz	short loc_53B9D6
		mov	al, [esi+90h]
		mov	edi, [ebp+var_8]

loc_53B9D6:				; CODE XREF: KeSetPriorityBoost+15Bj
					; KeSetPriorityBoost+1F5j ...
		mov	edx, esi
		xor	ecx, ecx
		call	_KiUpdateSharedReadyQueueAffinityThread@8 ; KiUpdateSharedReadyQueueAffinityThread(x,x)
		test	edi, edi
		jz	short loc_53B9EE
		xor	ecx, ecx
		lea	eax, [edi+2224h]
		lock and [eax],	ecx

loc_53B9EE:				; CODE XREF: KeSetPriorityBoost+171j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_53BA32

loc_53B9F5:				; CODE XREF: KeSetPriorityBoost+1C7j
		test	bl, bl
		jnz	loc_5F2164

loc_53B9FD:				; CODE XREF: KeSetPriorityBoost+F0j
					; KeSetPriorityBoost+B6908j ...
		push	[ebp+var_20]
		mov	ecx, esi
		push	[ebp+var_24]
		call	_KiSetLockOwnershipQuantum@12 ;	KiSetLockOwnershipQuantum(x,x,x)
		mov	edi, [ebp+var_38]

loc_53BA0D:				; CODE XREF: KeSetPriorityBoost+A3j
					; KeSetPriorityBoost+AEj
		cmp	[ebp+var_2], 0
		mov	dword ptr [edi], 0
		pop	edi
		jz	loc_53BADF
		push	[ebp+var_28]
		mov	ecx, [ebp+var_40]
		lea	edx, [ebp+var_C]
		call	@KiProcessDeferredReadyList@12 ; KiProcessDeferredReadyList(x,x,x)

loc_53BA2C:				; CODE XREF: KeSetPriorityBoost+1Bj
					; KeSetPriorityBoost+27Aj
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_53BA32:				; CODE XREF: KeSetPriorityBoost+183j
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	short loc_53B9F5
; 

loc_53BA39:				; CODE XREF: KeSetPriorityBoost+118j
		sub	eax, 1
		jz	short loc_53BA95
		push	1
		sub	eax, 2
		jnz	loc_53BACB
		push	edi
		mov	edi, [ebp+var_8]
		mov	edx, esi
		mov	ecx, edi
		call	_KiUpdateThreadPriority@16 ; KiUpdateThreadPriority(x,x,x,x)
		mov	ebx, [ebp+var_10]
		cmp	ebx, [ebp+var_18]
		jl	loc_5F2023

loc_53BA62:				; CODE XREF: KeSetPriorityBoost:loc_53B9C0j
					; KeSetPriorityBoost+26Dj ...
		mov	bl, [ebp+var_1]
		jmp	loc_53B9D6
; 

loc_53BA6A:				; CODE XREF: KeSetPriorityBoost+E2j
		bsr	ecx, eax
		movsx	eax, bl
		mov	[ebp+var_30], ecx
		cmp	eax, ecx
		jge	loc_53B958
		mov	bl, cl
		jmp	loc_53B958
; 

loc_53BA82:				; CODE XREF: KeSetPriorityBoost+95j
					; KeSetPriorityBoost+21Ej
		lea	ecx, [ebp+var_2C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_53BA82
		jmp	loc_53B900
; 

loc_53BA95:				; CODE XREF: KeSetPriorityBoost+1CCj
		mov	edi, [ebp+var_8]
		mov	edx, [ebp+var_14]
		push	ecx
		push	esi
		mov	ecx, edi
		call	_KiRemoveThreadFromAnyReadyQueue@16 ; KiRemoveThreadFromAnyReadyQueue(x,x,x,x)
		push	1
		mov	dl, bl
		mov	ecx, esi
		call	KiAbProcessThreadPriorityModification
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_C]
		push	eax
		mov	ecx, esi
		mov	[esi+87h], bl
		call	_KiPrepareReadyThreadForRescheduling@12	; KiPrepareReadyThreadForRescheduling(x,x,x)
		mov	bl, [ebp+var_1]
		jmp	loc_53B9D6
; 

loc_53BACB:				; CODE XREF: KeSetPriorityBoost+1D3j
		mov	dl, bl
		mov	ecx, esi
		call	KiAbProcessThreadPriorityModification
		mov	[esi+87h], bl

loc_53BADA:				; CODE XREF: KeSetPriorityBoost+B6838j
		mov	edi, [ebp+var_8]
		jmp	short loc_53BA62
; 

loc_53BADF:				; CODE XREF: KeSetPriorityBoost+1A8j
		mov	dl, byte ptr [ebp+var_28]

loc_53BAE2:				; CODE XREF: KeSetPriorityBoost+48j
					; KeSetPriorityBoost+53j
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_53BA2C
KeSetPriorityBoost endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetLockOwnershipQuantum(x, x, x)
_KiSetLockOwnershipQuantum@12 proc near	; CODE XREF: KiDeferredReadySingleThread+6A2p
					; KiDeferredReadySingleThread+769p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+1Ch]
		mov	eax, [edi+18h]
		cmp	ebx, esi
		ja	short loc_53BB2B
		jb	short loc_53BB10
		cmp	edx, eax
		ja	short loc_53BB2B

loc_53BB10:				; CODE XREF: KiSetLockOwnershipQuantum(x,x,x)+1Aj
		mov	ecx, ds:_KiLockQuantumTarget
		sub	eax, edx
		sbb	esi, ebx
		test	esi, esi
		ja	short loc_53BB24
		jb	short loc_53BB2B
		cmp	eax, ecx
		jb	short loc_53BB2B

loc_53BB24:				; CODE XREF: KiSetLockOwnershipQuantum(x,x,x)+2Cj
					; KiSetLockOwnershipQuantum(x,x,x)+4Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_53BB2B:				; CODE XREF: KiSetLockOwnershipQuantum(x,x,x)+18j
					; KiSetLockOwnershipQuantum(x,x,x)+1Ej	...
		mov	eax, ds:_KiLockQuantumTarget
		xor	ecx, ecx
		add	eax, edx
		mov	[edi+18h], eax
		adc	ecx, ebx
		mov	[edi+1Ch], ecx
		jmp	short loc_53BB24
_KiSetLockOwnershipQuantum@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpRequestShareableOplock(x, x, x, x, x,	x, x, x)
_FsRtlpRequestShareableOplock@32 proc near
					; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+42Bp
					; FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+130p ...

var_100		= dword	ptr -100h
var_F0		= dword	ptr -0F0h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_99		= byte ptr -99h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8B		= byte ptr -8Bh
var_8A		= byte ptr -8Ah
var_89		= byte ptr -89h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A67A0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0E0h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_88], edx
		mov	eax, ecx
		mov	[ebp+var_98], eax
		mov	edi, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_94], ecx
		mov	[ebp+var_84], 0
		xor	esi, esi
		mov	[ebp+var_90], esi
		mov	[ebp+var_A0], esi
		mov	[ebp+var_8B], 0
		xor	cl, cl
		mov	[ebp+var_8A], cl
		mov	[ebp+var_99], cl
		mov	ebx, [eax]
		test	ebx, ebx
		jnz	short loc_53BBD4
		call	FsRtlpAllocateOplock
		mov	ebx, eax
		mov	eax, [ebp+var_98]
		mov	[eax], ebx

loc_53BBD4:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+83j
		mov	eax, [ebp+arg_4]
		cmp	[ebp+arg_10], 0
		jnz	short loc_53BBFE
		cmp	eax, 10000h
		jz	short loc_53BBFE
		mov	esi, [ebx+4Ch]
		mov	[ebp+var_A0], esi
		mov	ecx, esi
		call	ExAcquireFastMutexUnsafe
		mov	[ebp+var_8B], 1
		mov	eax, [ebp+arg_4]

loc_53BBFE:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+9Bj
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+A2j
		mov	[ebp+var_4], 0
		mov	ecx, [ebx+48h]
		mov	[ebp+var_98], ecx
		test	ecx, 10000h
		jz	loc_53BD82
		mov	ecx, [ebp+var_88]
		cmp	byte ptr [ecx],	0Dh
		jnz	loc_53BD82
		mov	esi, [ecx+18h]
		lea	edx, [ebx+3Ch]
		mov	ecx, [edx]

loc_53BC31:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+10Cj
		cmp	ecx, edx
		jz	short loc_53BC4E
		lea	edx, [ecx-1Ch]
		cmp	esi, [edx+0Ch]
		jnz	short loc_53BC47
		mov	cl, 1
		mov	[ebp+var_90], edx
		jmp	short loc_53BC52
; 

loc_53BC47:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+FBj
		mov	ecx, [ecx]
		lea	edx, [ebx+3Ch]
		jmp	short loc_53BC31
; 

loc_53BC4E:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+F3j
		xor	edx, edx
		mov	cl, dl

loc_53BC52:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+105j
		test	cl, cl
		jz	loc_53BD82
		test	[ebp+var_98], 20000h
		jz	short loc_53BCCC
		mov	ecx, edx
		call	_FsRtlpOplockDequeueRH@4 ; FsRtlpOplockDequeueRH(x)
		mov	esi, [ebp+var_90]
		lea	eax, [esi+1Ch]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_53C0DB
		cmp	[ecx], eax
		jnz	loc_53C0DB
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	eax, [ebx+3Ch]
		cmp	[eax], eax
		jnz	short loc_53BC9F
		and	dword ptr [ebx+48h], 0FFFCFFFFh

loc_53BC9F:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+156j
		cmp	dword ptr [esi+14h], 0
		jz	short loc_53BCAE
		mov	edx, esi
		mov	ecx, ebx
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)

loc_53BCAE:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+163j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_90], 0
		mov	ecx, ebx
		call	FsRtlpComputeShareableOplockState
		jmp	loc_53BF1E
; 

loc_53BCCC:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+124j
		lea	ecx, [ebx+2Ch]
		mov	esi, [ecx]

loc_53BCD1:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+1B4j
		cmp	esi, ecx
		jz	short loc_53BCF6
		mov	ecx, esi
		cmp	byte ptr [esi+1Dh], 0
		jz	short loc_53BCE4
		cmp	eax, 3000h
		jz	short loc_53BCEF

loc_53BCE4:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+19Bj
		mov	esi, [esi+4]
		call	_FsRtlpRemoveAndCompleteWaitingIrp@4 ; FsRtlpRemoveAndCompleteWaitingIrp(x)
		mov	eax, [ebp+arg_4]

loc_53BCEF:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+1A2j
		mov	esi, [esi]
		lea	ecx, [ebx+2Ch]
		jmp	short loc_53BCD1
; 

loc_53BCF6:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+193j
		mov	edx, [ebp+var_90]
		mov	ecx, [edx+0Ch]
		call	_IoGetOplockFullFoExt@4	; IoGetOplockFullFoExt(x)
		test	eax, eax
		jz	short loc_53BD0F
		mov	dword ptr [eax+28h], 0

loc_53BD0F:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+1C6j
		mov	ecx, [edx]
		mov	eax, [edx+4]
		cmp	[ecx+4], edx
		jnz	loc_53C0DB
		cmp	[eax], edx
		jnz	loc_53C0DB
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	ecx, [edx+1Ch]
		mov	esi, [ecx]
		mov	eax, [ecx+4]
		cmp	[esi+4], ecx
		jnz	loc_53C0DB
		cmp	[eax], ecx
		jnz	loc_53C0DB
		mov	[eax], esi
		mov	[esi+4], eax
		lea	eax, [ebx+3Ch]
		cmp	[eax], eax
		jnz	short loc_53BD56
		and	dword ptr [ebx+48h], 0FFFCFFFFh

loc_53BD56:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+20Dj
		cmp	dword ptr [edx+14h], 0
		jz	short loc_53BD69
		mov	ecx, ebx
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	edx, [ebp+var_90]

loc_53BD69:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+21Aj
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_90], 0
		mov	ecx, ebx
		call	FsRtlpComputeShareableOplockState

loc_53BD82:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+D4j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+E3j ...
		mov	edx, [ebp+arg_14]
		mov	esi, [ebp+arg_4]
		mov	ecx, esi
		call	FsRtlpOplockUpperLowerCompatible
		test	al, al
		jz	loc_53BF1E
		test	esi, 1000h
		jnz	short loc_53BDAB
		cmp	esi, 10000h
		jnz	loc_53BED4

loc_53BDAB:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+25Dj
		mov	eax, [ebp+var_88]
		mov	eax, [eax+18h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_53BED4
		push	eax
		call	MmDoesFileHaveUserWritableReferences
		test	eax, eax
		jz	loc_53BED4
		cmp	esi, 10000h
		jz	loc_53BF2E
		mov	eax, [edi+0Ch]
		mov	dword ptr [eax+8], 0
		or	dword ptr [eax+0Ch], 4
		cmp	dword_6B2398, 5
		jbe	loc_53BF1E
		push	4000h
		push	0
		mov	ecx, offset dword_6B2398
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_53BF1E
		mov	[ebp+var_B0], 1
		mov	[ebp+var_AC], 0
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], 0
		mov	[ebp+var_58], 8
		mov	[ebp+var_54], 0
		mov	[ebp+var_98], esi
		lea	eax, [ebp+var_98]
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], 0
		mov	[ebp+var_48], 4
		mov	[ebp+var_44], 0
		mov	eax, [ebx+48h]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], 0
		mov	[ebp+var_38], 4
		mov	[ebp+var_34], 0
		mov	[ebp+var_B8], 1000000h
		mov	[ebp+var_B4], 0
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], 0
		mov	[ebp+var_28], 8
		mov	[ebp+var_24], 0
		lea	eax, [ebp+var_80]
		push	eax
		push	6
		push	ecx
		mov	edx, offset loc_41B516
		mov	ecx, offset dword_6B2398
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)
		jmp	short loc_53BF1E
; 

loc_53BED4:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+265j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+279j ...
		mov	dl, [ebp+arg_10]
		test	dl, dl
		jnz	short loc_53BEF5
		test	byte ptr [ebx+48h], 40h
		jz	short loc_53BEF5

loc_53BEE1:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+6B6j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+6C9j
		cmp	esi, 10000h
		jnz	short loc_53BF1E
		mov	[ebp+var_84], 0C0000909h
		jmp	short loc_53BF38
; 

loc_53BEF5:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+399j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+39Fj
		cmp	esi, 3000h
		ja	loc_53C1AE
		jz	loc_53C1BA
		cmp	esi, 10h
		jz	short loc_53BF68
		cmp	esi, 1000h
		jz	short loc_53BF87

loc_53BF14:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+674j
		mov	al, [ebp+var_8A]

loc_53BF1A:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+669j
		test	al, al
		jnz	short loc_53BF38

loc_53BF1E:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+187j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+251j ...
		mov	dword ptr [edi+18h], 0C00000E2h
		mov	dl, 1
		mov	ecx, edi
		call	IofCompleteRequest

loc_53BF2E:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+293j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+7D2j
		mov	[ebp+var_84], 0C00000E2h

loc_53BF38:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+3B3j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+3DCj ...
		mov	[ebp+var_4], 0FFFFFFFEh
		call	sub_53C56E
		mov	eax, [ebp+var_84]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_53BF68:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+3CAj
		mov	eax, [ebx+48h]
		test	al, 1
		jnz	short loc_53BF87
		and	eax, 1F0FFDFh
		cmp	eax, 10h
		jz	short loc_53BF87
		cmp	eax, 1000h
		jz	short loc_53BF87
		cmp	eax, 1010h
		jnz	short loc_53BF1E

loc_53BF87:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+3D2j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+42Dj ...
		test	dl, dl
		jnz	loc_53C0BA
		mov	ecx, [ebx+48h]
		test	cl, 1
		jnz	short loc_53BFD9
		mov	eax, ecx
		and	eax, 1F0FFDFh
		cmp	eax, 10h
		jz	short loc_53BFD9
		cmp	eax, 1000h
		jz	short loc_53BFD9
		cmp	eax, 1010h
		jz	short loc_53BFD9
		cmp	eax, 3000h
		jz	short loc_53BFD9
		cmp	eax, 0B000h
		jz	short loc_53BFD9
		cmp	eax, 103000h
		jz	short loc_53BFD9
		cmp	eax, offset loc_803000
		jz	short loc_53BFD9
		test	ecx, 10000h
		jz	loc_53BF1E

loc_53BFD9:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+455j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+461j ...
		test	dl, dl
		jnz	loc_53C0BA
		lea	eax, [ebx+1Ch]
		mov	esi, [eax]
		cmp	esi, eax
		jnz	short loc_53BFF8
		lea	eax, [ebx+24h]
		cmp	[eax], eax
		jz	short loc_53C046

loc_53BFF1:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+4D5j
		lea	eax, [ebx+1Ch]
		cmp	esi, eax
		jz	short loc_53C017

loc_53BFF8:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+4A8j
		mov	edx, [esi+0Ch]
		mov	eax, [ebp+var_88]
		mov	ecx, [eax+18h]

loc_53C004:				; DATA XREF: PopFlushVolumeWorker+7232o
		push	0
		call	FsRtlpOplockKeysEqual
		test	al, al
		jnz	loc_53BF1E
		mov	esi, [esi]
		jmp	short loc_53BFF1
; 

loc_53C017:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+4B6j
		lea	eax, [ebx+24h]
		mov	esi, [eax]
		lea	esp, [esp+0]

loc_53C020:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+504j
		cmp	esi, eax
		jz	short loc_53C046
		mov	edx, [esi+0Ch]
		mov	eax, [ebp+var_88]
		mov	ecx, [eax+18h]
		push	0
		call	FsRtlpOplockKeysEqual
		test	al, al
		jnz	loc_53BF1E
		mov	esi, [esi]
		lea	eax, [ebx+24h]
		jmp	short loc_53C020
; 

loc_53C046:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+4AFj
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+4E2j
		mov	eax, [ebx+48h]
		and	eax, 1F0FFDFh
		cmp	eax, 10h
		jz	short loc_53C068
		cmp	eax, 1000h
		jz	short loc_53C068
		cmp	eax, 1010h
		jz	short loc_53C068
		cmp	eax, 0B000h
		jnz	short loc_53C0BA

loc_53C068:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+511j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+518j ...
		lea	eax, [ebx+14h]
		mov	esi, [eax]
		mov	ecx, [ebp+var_88]

loc_53C073:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+5ADj
		cmp	esi, eax
		jz	short loc_53C0BA
		mov	edx, [esi+8]
		cmp	dword ptr [edx+0Ch], 90240h
		jz	short loc_53C08B
		mov	eax, [edx+18h]
		cmp	eax, [ecx+18h]
		jz	short loc_53C0E8

loc_53C08B:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+541j
		mov	edx, [edx+18h]
		mov	eax, [ebp+var_88]
		mov	ecx, [eax+18h]
		push	0
		call	FsRtlpOplockKeysEqual
		test	al, al
		jz	short loc_53C0E2
		mov	ecx, [esi+4]
		mov	eax, [ebp+arg_4]
		and	eax, 7000h
		push	eax
		mov	edx, 215h
		mov	ecx, [ecx]
		call	_FsRtlpRemoveAndCompleteReadOnlyIrp@12 ; FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)

loc_53C0BA:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+449j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+49Bj ...
		mov	eax, [edi+60h]
		mov	[ebp+var_BC], eax
		or	byte ptr [eax+3], 1
		mov	dword ptr [edi+18h], 0
		lea	eax, [edi+58h]
		lea	ecx, [ebx+14h]
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jz	short loc_53C0EF

loc_53C0DB:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+13Ej
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+146j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_53C0E2:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+560j
		mov	ecx, [ebp+var_88]

loc_53C0E8:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+549j
		mov	esi, [esi]
		lea	eax, [ebx+14h]
		jmp	short loc_53C073
; 

loc_53C0EF:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+599j
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		mov	[ecx], eax
		mov	[edi+1Ch], ebx
		mov	ecx, ebx
		call	FsRtlpComputeShareableOplockState
		cmp	[ebp+arg_C], 0
		jz	short loc_53C11C
		mov	eax, [ebp+var_88]
		mov	ecx, [eax+18h]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag

loc_53C11C:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+5C7j
		mov	ecx, 7
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[edi+25h], al
		cmp	byte ptr [edi+24h], 0
		jz	short loc_53C13A
		mov	dl, 1
		mov	ecx, edi
		call	_FsRtlpCancelReadOnlyOplockIrp@8 ; FsRtlpCancelReadOnlyOplockIrp(x,x)
		jmp	short loc_53C19D
; 

loc_53C13A:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+5EDj
		mov	ecx, offset _FsRtlpReadOnlyOplockIrpCancelRoutine@8 ; FsRtlpReadOnlyOplockIrpCancelRoutine(x,x)
		lea	eax, [edi+38h]
		xchg	ecx, [eax]
		mov	bl, [edi+25h]
		mov	eax, large fs:20h
		lea	esi, [eax+450h]
		test	ds:byte_70EFC6,	1
		jz	short loc_53C168
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_53C195
; 

loc_53C168:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+61Aj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_53C184
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_53C195
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_53C184:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+62Cj
		mov	dword ptr [esi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_53C195:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+626j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+63Bj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_53C19D:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+5F8j
		mov	al, 1
		mov	[ebp+var_84], 103h
		jmp	loc_53BF1A
; 

loc_53C1AE:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+3BBj
		cmp	esi, 10000h
		jnz	loc_53BF14

loc_53C1BA:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+3C1j
		test	dl, dl
		jnz	short loc_53C1FC
		mov	ecx, [ebx+48h]
		test	cl, 1
		jnz	short loc_53C1FC
		mov	eax, ecx
		and	eax, 1F0FFDFh
		cmp	eax, 1000h
		jz	short loc_53C1FC
		cmp	eax, 3000h
		jz	short loc_53C1FC
		cmp	eax, 0B000h
		jz	short loc_53C1FC
		cmp	eax, 103000h
		jz	short loc_53C1FC
		cmp	eax, offset loc_803000
		jz	short loc_53C1FC
		test	ecx, 10000h
		jz	loc_53BEE1

loc_53C1FC:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+67Cj
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+684j ...
		mov	ecx, [ebp+var_88]
		mov	eax, [ecx+18h]
		cmp	byte ptr [eax+25h], 0
		jnz	loc_53BEE1
		test	dl, dl
		jnz	loc_53C344
		mov	eax, [ebx+48h]
		and	eax, 1F0FFDFh
		cmp	eax, 1000h
		jz	short loc_53C22D
		cmp	eax, 0B000h
		jnz	short loc_53C280

loc_53C22D:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+6E4j
		lea	eax, [ebx+14h]
		mov	esi, [eax]

loc_53C232:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+7E8j
		cmp	esi, eax
		jz	short loc_53C280
		mov	eax, [esi+8]
		mov	edx, [eax+18h]
		mov	ecx, [ecx+18h]
		push	0
		call	FsRtlpOplockKeysEqual
		test	al, al
		jz	loc_53C31D
		cmp	[ebp+arg_4], 10000h
		jnz	short loc_53C266

loc_53C257:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+782j
		mov	[ebp+var_84], 0C00000E3h
		jmp	loc_53BF38
; 

loc_53C266:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+715j
		mov	ecx, [esi+4]
		push	3000h
		mov	edx, 215h
		mov	ecx, [ecx]
		call	_FsRtlpRemoveAndCompleteReadOnlyIrp@12 ; FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)
		mov	ecx, [ebp+var_88]

loc_53C280:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+6EBj
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+6F4j
		mov	eax, [ebx+48h]
		and	eax, 1F0FFDFh
		cmp	eax, 3000h
		jz	short loc_53C296
		cmp	eax, 0B000h
		jnz	short loc_53C2E0

loc_53C296:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+74Dj
		lea	eax, [ebx+1Ch]
		mov	esi, [eax]
		jmp	short loc_53C2A0
; 
		align 10h

loc_53C2A0:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+75Bj
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+7F8j
		cmp	esi, eax
		jz	short loc_53C2E0
		mov	edx, [esi+0Ch]
		mov	ecx, [ecx+18h]
		push	0
		call	FsRtlpOplockKeysEqual
		test	al, al
		jz	short loc_53C32D
		cmp	dword ptr [esi+1Ch], 0
		jnz	short loc_53C32D
		cmp	[ebp+arg_4], 10000h
		jz	short loc_53C257
		mov	ecx, [esi+4]
		push	0
		push	0
		push	0
		push	3000h
		push	215h
		mov	edx, ebx
		mov	ecx, [ecx]
		call	_FsRtlpRemoveAndCompleteRHIrp@28 ; FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)

loc_53C2E0:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+754j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+762j
		lea	eax, [ebx+24h]
		mov	esi, [eax]
		cmp	esi, eax
		jz	short loc_53C344
		lea	esp, [esp+0]

loc_53C2F0:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+802j
		cmp	esi, eax
		jz	short loc_53C344
		mov	edx, [esi+0Ch]
		mov	eax, [ebp+var_88]
		mov	ecx, [eax+18h]
		push	0
		call	FsRtlpOplockKeysEqual
		test	al, al
		jz	short loc_53C33D
		cmp	[ebp+arg_4], 10000h
		jz	loc_53BF2E
		jmp	loc_53BF1E
; 

loc_53C31D:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+708j
		mov	esi, [esi]
		lea	eax, [ebx+14h]
		mov	ecx, [ebp+var_88]
		jmp	loc_53C232
; 

loc_53C32D:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+773j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+779j
		mov	esi, [esi]
		lea	eax, [ebx+1Ch]
		mov	ecx, [ebp+var_88]
		jmp	loc_53C2A0
; 

loc_53C33D:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+7C9j
		mov	esi, [esi]
		lea	eax, [ebx+24h]
		jmp	short loc_53C2F0
; 

loc_53C344:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+6D1j
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+7A7j ...
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	edx, [ebp+var_94]
		mov	eax, [edx]
		mov	[eax+10h], ecx
		mov	eax, [ebp+var_88]
		mov	ecx, [eax+18h]
		mov	eax, [edx]
		mov	[eax+0Ch], ecx
		mov	eax, [edx]
		mov	[ebp+var_88], eax
		lea	ecx, [ebx+1Ch]
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jz	short loc_53C382
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_53C382:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+839j
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		mov	[ecx], eax
		mov	esi, [eax+0Ch]
		push	2Ch		; size_t
		push	0		; int
		lea	eax, [ebp+var_F0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp+var_88]
		mov	[ebp+var_C8], eax
		lea	edx, [ebp+var_F0]
		mov	ecx, esi
		call	IoSetOplockPrivateFoExt
		mov	esi, eax
		test	esi, esi
		jns	short loc_53C3CC
		mov	ecx, [ebp+var_88]
		call	_FsRtlpOplockDequeueRH@4 ; FsRtlpOplockDequeueRH(x)

loc_53C3CC:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+87Fj
		mov	[ebp+var_84], esi
		test	esi, esi
		jns	short loc_53C3F4
		cmp	[ebp+arg_4], 10000h
		jz	loc_53BF38
		mov	[edi+18h], esi
		mov	dl, 1
		mov	ecx, edi
		call	IofCompleteRequest
		jmp	loc_53BF38
; 

loc_53C3F4:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+894j
		mov	esi, [ebp+arg_4]
		cmp	esi, 10000h
		jnz	short loc_53C434
		mov	edi, [ebp+var_94]
		mov	eax, [edi]
		add	eax, 1Ch
		lea	ecx, [ebx+3Ch]
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jz	short loc_53C41B
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_53C41B:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+8D2j
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		mov	[ecx], eax
		mov	[ebp+var_84], 0
		jmp	loc_53C54D
; 

loc_53C434:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+8BDj
		mov	ecx, large fs:124h
		mov	[ebp+var_C0], ecx
		mov	edx, [ebp+var_94]
		mov	eax, [edx]
		mov	[eax+14h], ecx
		mov	eax, [edx]
		mov	ecx, [eax+14h]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		mov	ecx, [ebp+var_94]
		mov	eax, [ecx]
		mov	[eax+8], edi
		mov	eax, [edi+60h]
		mov	[ebp+var_C4], eax
		or	byte ptr [eax+3], 1
		mov	[ebp+var_84], 103h
		mov	dword ptr [edi+18h], 0
		mov	[edi+1Ch], ebx
		cmp	[ebp+arg_C], 0
		jz	short loc_53C49C
		mov	eax, [ecx]
		mov	ecx, [eax+0Ch]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag

loc_53C49C:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+94Bj
		mov	ecx, 7
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[edi+25h], al
		cmp	byte ptr [edi+24h], 0
		jz	short loc_53C4DA
		cmp	[ebp+arg_C], 0
		jz	short loc_53C4C2
		cmp	[ebp+arg_10], 0
		mov	byte ptr [ebp+var_88], 0
		jnz	short loc_53C4C9

loc_53C4C2:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+973j
		mov	byte ptr [ebp+var_88], 1

loc_53C4C9:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+980j
		push	[ebp+var_88]
		mov	dl, 1
		mov	ecx, edi
		call	FsRtlpCancelOplockRHIrp
		jmp	short loc_53C547
; 

loc_53C4DA:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+96Dj
		mov	ecx, offset _FsRtlpOplockRHIrpCancelRoutine@8 ;	FsRtlpOplockRHIrpCancelRoutine(x,x)
		lea	eax, [edi+38h]
		xchg	ecx, [eax]
		mov	al, [edi+25h]
		mov	[ebp+var_89], al
		mov	eax, large fs:20h
		lea	edi, [eax+450h]
		test	ds:byte_70EFC6,	1
		jz	short loc_53C50E
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_53C53B
; 

loc_53C50E:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+9C0j
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_53C52A
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_53C53B
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_53C52A:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+9D2j
		mov	dword ptr [edi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_53C53B:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+9CCj
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+9E1j
		mov	cl, [ebp+var_89]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_53C547:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+998j
		mov	edi, [ebp+var_94]

loc_53C54D:				; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+8EFj
		mov	dword ptr [edi], 0
		mov	ecx, ebx
		call	FsRtlpComputeShareableOplockState
		cmp	esi, 10000h
		jnz	loc_53BF38
		or	[ebx+48h], esi
		jmp	loc_53BF38
_FsRtlpRequestShareableOplock@32 endp


;  S U B	R O U T	I N E 


sub_53C56E	proc near		; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+3FFp
					; DATA XREF: .text:006A67B8o
		cmp	byte ptr [ebp-8Bh], 0
		jz	short locret_53C58B
		cmp	dword ptr [ebp+0Ch], 10000h
		jz	short locret_53C58B
		mov	ecx, [ebp-0A0h]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

locret_53C58B:				; CODE XREF: sub_53C56E+7j
					; sub_53C56E+10j
		retn
sub_53C56E	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpComputeShareableOplockState proc near
					; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1ABp
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+896p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F218A SIZE 0000009C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	edx, ecx
		mov	ebx, [edx+14h]
		push	esi
		push	edi
		mov	eax, [edx+48h]
		lea	edi, [edx+14h]
		mov	esi, eax
		and	esi, 1010000h
		cmp	ebx, edi
		jnz	loc_5F218A
		lea	ecx, [edx+1Ch]
		cmp	[ecx], ecx
		jz	short loc_53C5DE

loc_53C5BB:				; CODE XREF: FsRtlpComputeShareableOplockState+53j
		cmp	ebx, edi
		jnz	loc_5F218A

loc_53C5C3:				; CODE XREF: FsRtlpComputeShareableOplockState+B5C0Aj
		lea	ecx, [edx+1Ch]
		cmp	[ecx], ecx
		jz	short loc_53C5F7

loc_53C5CA:				; CODE XREF: FsRtlpComputeShareableOplockState+B5C88j
		and	eax, 20h
		or	eax, 3000h

loc_53C5D2:				; CODE XREF: FsRtlpComputeShareableOplockState+84j
					; FsRtlpComputeShareableOplockState+A3j ...
		pop	edi
		or	eax, esi
		pop	esi
		mov	[edx+48h], eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_53C5DE:				; CODE XREF: FsRtlpComputeShareableOplockState+29j
		lea	ecx, [edx+24h]
		cmp	[ecx], ecx
		jnz	short loc_53C5BB
		and	eax, 20h
		or	eax, 1
		pop	edi
		or	eax, esi
		pop	esi
		mov	[edx+48h], eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_53C5F7:				; CODE XREF: FsRtlpComputeShareableOplockState+38j
		cmp	ebx, edi
		jnz	loc_5F21A0
		mov	ebx, [edx+24h]
		lea	ecx, [edx+24h]
		and	eax, 20h
		xor	edi, edi
		or	eax, 3000h
		mov	[edx+48h], eax
		cmp	ebx, ecx
		jz	short loc_53C5D2

loc_53C616:				; CODE XREF: FsRtlpComputeShareableOplockState+A5j
		test	edi, edi
		jnz	loc_5F220D

loc_53C61E:				; CODE XREF: FsRtlpComputeShareableOplockState+B5C91j
		mov	edi, [ebx+18h]
		mov	eax, [edx+48h]
		and	edi, 0F00000h
		or	eax, edi
		mov	[edx+48h], eax
		mov	ebx, [ebx]
		cmp	ebx, ecx
		jz	short loc_53C5D2
		jmp	short loc_53C616
FsRtlpComputeShareableOplockState endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoSetOplockPrivateFoExt	proc near	; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+876p
					; FsRtlpOplockEnqueueRH(x,x)+36p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F2226 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, [ecx+7Ch]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edx
		xor	esi, esi
		mov	[ebp+var_4], edi
		xor	bl, bl
		test	eax, eax
		jnz	loc_53C6FD
		lea	edx, [ebp+var_4]
		call	IopAllocateFileObjectExtension
		mov	esi, eax
		test	esi, esi
		js	loc_53C6F6
		mov	edi, [ebp+var_4]

loc_53C677:				; CODE XREF: IoSetOplockPrivateFoExt+C3j
					; IoSetOplockPrivateFoExt+D2j
		mov	ecx, offset _IopOplockFoExtLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	edx, eax
		test	edx, edx
		jz	loc_5F2226
		mov	dword ptr [edx], 0
		mov	bl, 1
		mov	dword ptr [edx+4], 0
		mov	dword ptr [edx+8], 0
		mov	dword ptr [edx+0Ch], 0
		mov	dword ptr [edx+10h], 0
		mov	dword ptr [edx+14h], 0
		mov	dword ptr [edx+18h], 0
		mov	dword ptr [edx+1Ch], 0
		mov	dword ptr [edx+20h], 0
		mov	dword ptr [edx+24h], 0

loc_53C6D2:				; CODE XREF: IoSetOplockPrivateFoExt+D0j
		mov	eax, [ebp+var_8]
		mov	eax, [eax+28h]
		mov	[edx+28h], eax
		test	bl, bl
		jz	short loc_53C6F4
		mov	esi, edx
		lea	ecx, [edi+1Ch]
		xor	eax, eax
		lock cmpxchg [ecx], esi
		test	eax, eax
		jnz	loc_5F2230
		xor	esi, esi

loc_53C6F4:				; CODE XREF: IoSetOplockPrivateFoExt+9Dj
					; IoSetOplockPrivateFoExt+B5BFFj
		mov	eax, esi

loc_53C6F6:				; CODE XREF: IoSetOplockPrivateFoExt+2Ej
					; IoSetOplockPrivateFoExt+B5BEBj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_53C6FD:				; CODE XREF: IoSetOplockPrivateFoExt+1Cj
		cmp	eax, _IopRevocationExtension
		jz	loc_53C677
		mov	edx, [eax+1Ch]
		mov	edi, eax
		test	edx, edx
		jnz	short loc_53C6D2
		jmp	loc_53C677
IoSetOplockPrivateFoExt	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ExAllocateFromNPagedLookasideList(x)
_ExAllocateFromNPagedLookasideList@4 proc near ; CODE XREF: .text:004A83F4p
					; FsRtlInitializeBaseMcbEx+4Ap	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		inc	dword ptr [esi+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	short loc_53C72B
		pop	esi
		retn
; 

loc_53C72B:				; CODE XREF: ExAllocateFromNPagedLookasideList(x)+Fj
		push	dword ptr [esi+20h]
		inc	dword ptr [esi+10h]
		push	dword ptr [esi+24h]
		push	dword ptr [esi+1Ch]
		call	dword ptr [esi+28h]
		pop	esi
		retn
_ExAllocateFromNPagedLookasideList@4 endp

; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 902. IoIsOperationSynchronous

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoIsOperationSynchronous(x)
		public _IoIsOperationSynchronous@4
_IoIsOperationSynchronous@4 proc near	; CODE XREF: FsRtlpOplockFsctrlInternal+E1p
					; FsRtlpOplockFsctrlInternal+2BAp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	ebx, [ecx+8]
		mov	eax, ebx
		mov	ecx, [ecx+60h]
		and	eax, 42h
		mov	ecx, [ecx+18h]
		test	byte ptr [ecx+2Ch], 2
		setz	dl
		test	bl, 4
		pop	ebx
		setz	cl
		test	dl, cl
		jnz	short loc_53C784
		cmp	eax, 2
		jz	short loc_53C789

loc_53C77E:				; CODE XREF: IoIsOperationSynchronous(x)+42j
		mov	al, 1
		pop	ebp
		retn	4
; 

loc_53C784:				; CODE XREF: IoIsOperationSynchronous(x)+27j
		cmp	eax, 42h
		jz	short loc_53C78F

loc_53C789:				; CODE XREF: IoIsOperationSynchronous(x)+2Cj
					; IoIsOperationSynchronous(x)+44j
		xor	al, al
		pop	ebp
		retn	4
; 

loc_53C78F:				; CODE XREF: IoIsOperationSynchronous(x)+37j
		cmp	eax, 2
		jnz	short loc_53C77E
		jmp	short loc_53C789
_IoIsOperationSynchronous@4 endp

; 
		align 10h
; Exported entry  58. ExReleaseFastMutexUnsafe

;  S U B	R O U T	I N E 


; __fastcall ExReleaseFastMutexUnsafe(x)
		public @ExReleaseFastMutexUnsafe@4
@ExReleaseFastMutexUnsafe@4 proc near	; CODE XREF: sub_4EC1C4+Bp
					; sub_4FB9CB+3p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	eax, eax
		mov	ecx, 1
		mov	dword ptr [esi+4], 0
		lock cmpxchg [esi], ecx
		test	eax, eax
		jnz	short loc_53C7C3

loc_53C7BB:				; CODE XREF: ExReleaseFastMutexUnsafe(x)+2Cj
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
; 

loc_53C7C3:				; CODE XREF: ExReleaseFastMutexUnsafe(x)+19j
		mov	edx, eax
		mov	ecx, esi
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	short loc_53C7BB
@ExReleaseFastMutexUnsafe@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry  38. ExEnterCriticalRegionAndAcquireFastMutexUnsafe

;  S U B	R O U T	I N E 


; __fastcall ExEnterCriticalRegionAndAcquireFastMutexUnsafe(x)
		public @ExEnterCriticalRegionAndAcquireFastMutexUnsafe@4
@ExEnterCriticalRegionAndAcquireFastMutexUnsafe@4 proc near
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		jmp	ExAcquireFastMutexUnsafe
@ExEnterCriticalRegionAndAcquireFastMutexUnsafe@4 endp

; 
		align 10h
; Exported entry  29. ExAcquireFastMutexUnsafe

;  S U B	R O U T	I N E 


		public ExAcquireFastMutexUnsafe
ExAcquireFastMutexUnsafe proc near	; CODE XREF: FsRtlCancelNotify+9Bp
					; FsRtlUninitializeOplock+31p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F2244 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp-14h], eax
		mov	eax, edi
		mov	dword ptr [ebp-10h], 0
		and	eax, 7FFFFFFCh
		mov	[ebp-0Ch], eax
		jz	loc_53C97E
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jnz	loc_53C910
		mov	cl, [esi+1E4h]
		mov	dword ptr [ebp-8], 0
		test	cl, cl
		jz	loc_53C93A

loc_53C867:				; CODE XREF: ExAcquireFastMutexUnsafe+189j
		movzx	eax, cl
		bsf	ecx, eax
		btr	eax, ecx
		mov	[ebp-8], ecx
		mov	[esi+1E4h], al
		lea	edx, [ecx+ecx*2]
		shl	edx, 4
		add	edx, [esi+1E8h]
		mov	[ebp-4], edx
		jz	loc_53C960
		mov	ecx, dword_6D07D0
		mov	eax, edi
		shr	eax, 15h
		cmp	edi, ecx
		jb	short loc_53C8BB
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_5F2252
		cmp	edi, ecx
		jb	short loc_53C8BB
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_5F2252

loc_53C8BB:				; CODE XREF: ExAcquireFastMutexUnsafe+ABj
					; ExAcquireFastMutexUnsafe+BCj
		or	eax, 0FFFFFFFFh

loc_53C8BE:				; CODE XREF: ExAcquireFastMutexUnsafe+B5A6Dj
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp-0Ch]
		mov	[edx+10h], eax

loc_53C8C8:				; CODE XREF: ExAcquireFastMutexUnsafe+178j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp-10h]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_53C8EF
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	short loc_53C928

loc_53C8EF:				; CODE XREF: ExAcquireFastMutexUnsafe+F5j
					; ExAcquireFastMutexUnsafe+13Dj
		mov	esi, [ebp-4]

loc_53C8F2:				; CODE XREF: ExAcquireFastMutexUnsafe+190j
		lock btr dword ptr [edi], 0
		jnb	short loc_53C92F

loc_53C8F9:				; CODE XREF: ExAcquireFastMutexUnsafe+148j
		test	esi, esi
		jz	short loc_53C901
		or	byte ptr [esi+0Eh], 1

loc_53C901:				; CODE XREF: ExAcquireFastMutexUnsafe+10Bj
		mov	eax, [ebp-14h]
		mov	[edi+4], eax
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_53C910:				; CODE XREF: ExAcquireFastMutexUnsafe+5Cj
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	edi
		push	esi
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_53C928:				; CODE XREF: ExAcquireFastMutexUnsafe+FDj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_53C8EF
; 

loc_53C92F:				; CODE XREF: ExAcquireFastMutexUnsafe+107j
		mov	edx, esi
		mov	ecx, edi
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		jmp	short loc_53C8F9
; 

loc_53C93A:				; CODE XREF: ExAcquireFastMutexUnsafe+71j
		cmp	byte ptr [esi+222h], 0
		lea	ecx, [esi+222h]
		jnz	short loc_53C96D
		test	dword ptr ds:byte_70EFC4, 200h
		mov	dword ptr [ebp-4], 0
		jnz	loc_5F2244

loc_53C960:				; CODE XREF: ExAcquireFastMutexUnsafe+98j
					; ExAcquireFastMutexUnsafe+B5A5Dj
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_53C8C8
; 

loc_53C96D:				; CODE XREF: ExAcquireFastMutexUnsafe+157j
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al
		jmp	loc_53C867
; 

loc_53C97E:				; CODE XREF: ExAcquireFastMutexUnsafe+39j
		xor	esi, esi
		jmp	loc_53C8F2
ExAcquireFastMutexUnsafe endp

; 
		align 10h
; Exported entry 128. KeAcquireQueuedSpinLock

;  S U B	R O U T	I N E 


; __fastcall KeAcquireQueuedSpinLock(x)
		public @KeAcquireQueuedSpinLock@4
@KeAcquireQueuedSpinLock@4 proc	near	; CODE XREF: IoGetAttachedDeviceReferenceWithTag+Fp
					; .text:0043DF10p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edx, large fs:20h
		mov	bl, al
		lea	ecx, [edx+418h]
		mov	eax, [ecx+esi*8+4]
		lea	ecx, [ecx+esi*8]
		test	ds:byte_70EFC6,	21h
		jnz	short loc_53C9CF
		mov	edx, ecx
		xchg	edx, [eax]
		test	edx, edx
		jnz	short loc_53C9C8

loc_53C9C3:				; CODE XREF: KeAcquireQueuedSpinLock(x)+3Dj
					; KeAcquireQueuedSpinLock(x)+46j
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_53C9C8:				; CODE XREF: KeAcquireQueuedSpinLock(x)+31j
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	short loc_53C9C3
; 

loc_53C9CF:				; CODE XREF: KeAcquireQueuedSpinLock(x)+29j
		mov	edx, eax
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_53C9C3
@KeAcquireQueuedSpinLock@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 494. FsRtlCheckOplockEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlCheckOplockEx(x, x, x,	x, x, x)
		public _FsRtlCheckOplockEx@24
_FsRtlCheckOplockEx@24 proc near	; CODE XREF: FsRtlpOplockFsctrlInternal+229p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	FsRtlCheckOplockEx2
		pop	ebp
		retn	18h
_FsRtlCheckOplockEx@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpAttachOplockKey proc near		; CODE XREF: FsRtlOplockBreakH+44p
					; FsRtlpOplockFsctrlInternal+1F0p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F2262 SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		mov	eax, [esi+60h]
		mov	[ebp+var_20], eax
		cmp	[eax], bl
		jnz	short loc_53CA98
		push	dword ptr [eax+18h]
		call	_IoGetOplockKeyContextEx@4 ; IoGetOplockKeyContextEx(x)
		test	eax, eax
		jnz	short loc_53CA98
		and	[ebp+var_18], ebx
		lea	eax, [ebp+var_1C]
		and	[ebp+var_1C], ebx
		push	eax
		push	esi
		call	_FsRtlGetEcpListFromIrp@8 ; FsRtlGetEcpListFromIrp(x,x)
		cmp	[ebp+var_1C], ebx
		jz	short loc_53CA98
		push	edi
		mov	esi, offset _GUID_ECP_DUAL_OPLOCK_KEY
		lea	edi, [ebp+var_14]
		push	ebx
		lea	eax, [ebp+var_18]
		push	eax
		movsd
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_1C]
		movsd
		movsd
		movsd
		call	_FsRtlFindExtraCreateParameter@16 ; FsRtlFindExtraCreateParameter(x,x,x,x)
		push	2
		pop	ecx
		test	eax, eax
		jz	loc_5F2262
		mov	esi, offset _GUID_ECP_OPLOCK_KEY
		lea	edi, [ebp+var_14]
		push	ebx
		lea	eax, [ebp+var_18]
		push	eax
		movsd
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_1C]
		movsd
		movsd
		movsd
		call	_FsRtlRemoveExtraCreateParameter@16 ; FsRtlRemoveExtraCreateParameter(x,x,x,x)
		test	eax, eax
		jz	loc_5F2269

loc_53CA97:				; CODE XREF: FsRtlpAttachOplockKey+B58A4j
		pop	edi

loc_53CA98:				; CODE XREF: FsRtlpAttachOplockKey+20j
					; FsRtlpAttachOplockKey+2Cj ...
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
FsRtlpAttachOplockKey endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 877. IoGetOplockKeyContextEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetOplockKeyContextEx(x)
		public _IoGetOplockKeyContextEx@4
_IoGetOplockKeyContextEx@4 proc	near	; CODE XREF: FsRtlpOplockKeysEqual+33p
					; FsRtlpOplockKeysEqual+3Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	0
		push	6
		pop	edx
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		test	eax, eax
		jnz	short loc_53CACA

loc_53CAC4:				; CODE XREF: IoGetOplockKeyContextEx(x)+22j
		xor	eax, eax

loc_53CAC6:				; CODE XREF: IoGetOplockKeyContextEx(x)+20j
		pop	ebp
		retn	4
; 

loc_53CACA:				; CODE XREF: IoGetOplockKeyContextEx(x)+14j
		test	byte ptr [eax+2], 3
		jnz	short loc_53CAC6
		jmp	short loc_53CAC4
_IoGetOplockKeyContextEx@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGetFileObjectExtension(x, x, x)
_IopGetFileObjectExtension@12 proc near	; CODE XREF: CcInitializeCacheMapEx+16Ap
					; IoGetOplockKeyContextEx(x)+Dp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ecx+7Ch]
		test	ecx, ecx
		jz	short loc_53CAF5
		cmp	ecx, _IopRevocationExtension
		jz	short loc_53CAFC
		mov	eax, [ecx+edx*4+4]
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_53CB00

loc_53CAF1:				; CODE XREF: IopGetFileObjectExtension(x,x,x)+2Cj
					; IopGetFileObjectExtension(x,x,x)+30j
		pop	ebp
		retn	4
; 

loc_53CAF5:				; CODE XREF: IopGetFileObjectExtension(x,x,x)+Aj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_53CB04

loc_53CAFC:				; CODE XREF: IopGetFileObjectExtension(x,x,x)+12j
					; IopGetFileObjectExtension(x,x,x)+35j
		xor	eax, eax
		jmp	short loc_53CAF1
; 

loc_53CB00:				; CODE XREF: IopGetFileObjectExtension(x,x,x)+1Dj
		mov	[edx], ecx
		jmp	short loc_53CAF1
; 

loc_53CB04:				; CODE XREF: IopGetFileObjectExtension(x,x,x)+28j
		and	dword ptr [eax], 0
		jmp	short loc_53CAFC
_IopGetFileObjectExtension@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall FsRtlpOplockDequeueRH(x)
_FsRtlpOplockDequeueRH@4 proc near	; CODE XREF: FsRtlUninitializeOplock+A6p
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+128p ...
		mov	edx, ecx
		mov	ecx, [edx+0Ch]
		call	_IoGetOplockFullFoExt@4	; IoGetOplockFullFoExt(x)
		test	eax, eax
		jz	short loc_53CB1C
		and	dword ptr [eax+28h], 0

loc_53CB1C:				; CODE XREF: FsRtlpOplockDequeueRH(x)+Cj
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_53CB30
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	short loc_53CB30
		mov	[ecx], eax
		mov	[eax+4], ecx
		retn
; 

loc_53CB30:				; CODE XREF: FsRtlpOplockDequeueRH(x)+17j
					; FsRtlpOplockDequeueRH(x)+1Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_FsRtlpOplockDequeueRH@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpOplockCleanup proc near		; CODE XREF: FsRtlCheckOplockEx2+41Bp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 005F22AF SIZE 000001A2 BYTES

		push	18h
		push	offset dword_6A6850
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	ebx, ecx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_1B], 0
		and	[ebp+ms_exc.disabled], 0
		xor	eax, eax
		inc	eax
		cmp	[ebx+48h], eax
		jz	short loc_53CBD7
		mov	ecx, [edx+18h]
		call	_IoGetOplockFullFoExt@4	; IoGetOplockFullFoExt(x)
		mov	[ebp+var_24], eax
		test	dword ptr [ebx+48h], 1000000h
		jnz	loc_5F22AF

loc_53CB72:				; CODE XREF: FsRtlpOplockCleanup+B57DAj
					; FsRtlpOplockCleanup+B57E6j
		lea	edi, [ebx+14h]
		mov	esi, [edi]
		cmp	esi, edi
		jnz	short loc_53CBF3

loc_53CB7B:				; CODE XREF: FsRtlpOplockCleanup+B5832j
		mov	eax, 216h
		mov	esi, [ebp+var_24]
		test	esi, esi
		jz	short loc_53CBC8
		mov	esi, [esi+28h]
		test	esi, esi
		jz	short loc_53CBC8
		xor	ecx, ecx
		mov	[ebp+var_19], cl
		test	dword ptr [esi+18h], 0F00000h
		jnz	loc_53CC59
		test	dword ptr [ebx+48h], 10000h
		jnz	short loc_53CC01

loc_53CBA9:				; CODE XREF: FsRtlpOplockCleanup+D0j
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	eax
		mov	edx, ebx
		mov	ecx, esi
		call	_FsRtlpRemoveAndCompleteRHIrp@28 ; FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)

loc_53CBB7:				; CODE XREF: FsRtlpOplockCleanup+112j
		mov	ecx, ebx
		call	FsRtlpComputeShareableOplockState
		cmp	[ebp+var_19], 0
		jnz	loc_53CC4D

loc_53CBC8:				; CODE XREF: FsRtlpOplockCleanup+4Fj
					; FsRtlpOplockCleanup+56j ...
		mov	eax, [ebp+var_20]
		mov	eax, [eax+18h]
		cmp	eax, [ebx+4]
		jz	loc_5F237B

loc_53CBD7:				; CODE XREF: FsRtlpOplockCleanup+22j
					; FsRtlpOplockCleanup+B590Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_53CC89
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_53CBF3:				; CODE XREF: FsRtlpOplockCleanup+43j
		mov	[ebp+var_1A], 0
		mov	edx, 216h
		jmp	loc_5F2321
; 

loc_53CC01:				; CODE XREF: FsRtlpOplockCleanup+71j
		lea	edi, [esi+1Ch]
		cmp	[edi], ecx
		jz	short loc_53CBA9
		mov	ecx, esi
		call	_FsRtlpOplockDequeueRH@4 ; FsRtlpOplockDequeueRH(x)
		mov	ecx, [edi]
		mov	eax, [edi+4]
		cmp	[ecx+4], edi
		jnz	short loc_53CC90
		cmp	[eax], edi
		jnz	short loc_53CC90
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	eax, [ebx+3Ch]
		cmp	[eax], eax
		jnz	short loc_53CC30
		and	dword ptr [ebx+48h], 0FFFCFFFFh

loc_53CC30:				; CODE XREF: FsRtlpOplockCleanup+F1j
		cmp	dword ptr [esi+14h], 0
		jnz	loc_5F236D

loc_53CC3A:				; CODE XREF: FsRtlpOplockCleanup+151j
					; FsRtlpOplockCleanup+B5840j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		inc	eax
		mov	[ebp+var_19], al
		jmp	loc_53CBB7
; 

loc_53CC4D:				; CODE XREF: FsRtlpOplockCleanup+8Cj
		mov	ecx, ebx
		call	FsRtlpReleaseIrpsWaitingForRH
		jmp	loc_53CBC8
; 

loc_53CC59:				; CODE XREF: FsRtlpOplockCleanup+64j
		mov	ecx, esi
		call	_FsRtlpOplockDequeueRH@4 ; FsRtlpOplockDequeueRH(x)
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	FsRtlpModifyThreadPriorities
		mov	edx, esi
		mov	ecx, ebx
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		lea	eax, [ebx+24h]
		cmp	[eax], eax
		jnz	short loc_53CC7F
		mov	byte ptr [ebx+10h], 0

loc_53CC7F:				; CODE XREF: FsRtlpOplockCleanup+143j
		mov	ecx, [esi+0Ch]
		call	ObfDereferenceObject
		jmp	short loc_53CC3A
FsRtlpOplockCleanup endp


;  S U B	R O U T	I N E 


sub_53CC89	proc near		; CODE XREF: FsRtlpOplockCleanup+A8p
					; sub_5F2451+3j
		cmp	byte ptr [ebp-1Bh], 0
		jnz	short loc_53CC95
		retn
; 

loc_53CC90:				; CODE XREF: FsRtlpOplockCleanup+E1j
					; FsRtlpOplockCleanup+E5j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_53CC95:				; CODE XREF: sub_53CC89+4j
		or	dword ptr [ebx+48h], 1000000h
		retn
sub_53CC89	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IoGetOplockFullFoExt(x)
_IoGetOplockFullFoExt@4	proc near	; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+1BFp
					; FsRtlpOplockDequeueRH(x)+5p ...
		test	ecx, ecx
		jz	short loc_53CCB5
		mov	eax, [ecx+7Ch]
		test	eax, eax
		jz	short loc_53CCB5
		cmp	eax, _IopRevocationExtension
		jz	short loc_53CCB5
		mov	eax, [eax+1Ch]
		retn
; 

loc_53CCB5:				; CODE XREF: IoGetOplockFullFoExt(x)+2j
					; IoGetOplockFullFoExt(x)+9j ...
		xor	eax, eax
		retn
_IoGetOplockFullFoExt@4	endp


;  S U B	R O U T	I N E 


; __stdcall ObpReleaseLookupContext(x)
_ObpReleaseLookupContext@4 proc	near	; CODE XREF: ObpDeleteNameCheck+18Cp
					; ObReferenceObjectByNameEx+129p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		cmp	[esi+12h], bl
		jz	short loc_53CCED
		mov	ecx, [esi]
		xor	edx, edx
		add	ecx, 94h
		call	ExReleasePushLockEx
		mov	ecx, [esi]
		mov	dword ptr [esi+14h], 0EEEE1234h
		call	ObfDereferenceObject
		mov	[esi], ebx
		mov	[esi+12h], bx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_53CCED:				; CODE XREF: ObpReleaseLookupContext(x)+Bj
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_53CCFC
		call	ObfDereferenceObject
		mov	[esi+4], ebx

loc_53CCFC:				; CODE XREF: ObpReleaseLookupContext(x)+3Aj
		pop	esi
		pop	ebx
		retn
_ObpReleaseLookupContext@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2405. RtlValidateUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlValidateUnicodeString(x,	x)
		public _RtlValidateUnicodeString@8
_RtlValidateUnicodeString@8 proc near	; CODE XREF: RtlDuplicateUnicodeString+7Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_53CD1C
		push	ecx
		mov	ecx, [ebp+arg_4]
		call	sub_53CD24

loc_53CD18:				; CODE XREF: RtlValidateUnicodeString(x,x)+1Dj
		pop	ebp
		retn	8
; 

loc_53CD1C:				; CODE XREF: RtlValidateUnicodeString(x,x)+9j
		mov	eax, 0C000000Dh
		jmp	short loc_53CD18
_RtlValidateUnicodeString@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


sub_53CD24	proc near		; CODE XREF: RtlValidateUnicodeString(x,x)+Fp
					; NtSetCachedSigningLevel2+A9DECp
		xor	eax, eax
		test	ecx, ecx
		jz	short locret_53CD53
		push	ebx
		movzx	ebx, word ptr [ecx]
		test	bl, 1
		jnz	short loc_53CD60
		movzx	edx, word ptr [ecx+2]
		test	dl, 1
		jnz	short loc_53CD60
		cmp	bx, dx
		ja	short loc_53CD60
		push	esi
		mov	esi, 0FFFEh
		cmp	dx, si
		pop	esi
		ja	short loc_53CD60
		cmp	[ecx+4], eax
		jz	short loc_53CD56

loc_53CD52:				; CODE XREF: sub_53CD24+3Aj
					; sub_53CD24+41j
		pop	ebx

locret_53CD53:				; CODE XREF: sub_53CD24+4j
		retn	4
; 

loc_53CD56:				; CODE XREF: sub_53CD24+2Cj
		test	bx, bx
		jnz	short loc_53CD60
		test	dx, dx
		jz	short loc_53CD52

loc_53CD60:				; CODE XREF: sub_53CD24+Dj
					; sub_53CD24+16j ...
		mov	eax, 0C000000Dh
		jmp	short loc_53CD52
sub_53CD24	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlFindAceBySid	proc near		; CODE XREF: SepAppendAceToTokenDefaultDacl+3Ep
					; RtlInitEnumerationHashTable(x,x)+75p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F2459 SIZE 00000083 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jz	short loc_53CDCE
		movzx	eax, word ptr [ecx+4]
		lea	esi, [ecx+8]
		xor	edx, edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], edx
		test	eax, eax
		jz	short loc_53CDCE
		mov	ebx, [ebp+arg_0]
		jmp	short loc_53CDA0
; 
		align 10h

loc_53CDA0:				; CODE XREF: RtlFindAceBySid+27j
					; RtlFindAceBySid+5Cj
		mov	al, [esi]
		cmp	al, 3
		ja	loc_5F2459

loc_53CDAA:				; CODE XREF: RtlFindAceBySid+B56EFj
					; RtlFindAceBySid+B56FBj ...
		mov	ecx, 8

loc_53CDAF:				; CODE XREF: RtlFindAceBySid+B5732j
					; RtlFindAceBySid+B5767j
		add	ecx, esi
		jz	short loc_53CDBF
		test	ebx, ebx
		jnz	short loc_53CDF6
		movzx	eax, word ptr [ecx]
		cmp	ax, [edi]
		jz	short loc_53CDD2

loc_53CDBF:				; CODE XREF: RtlFindAceBySid+41j
					; RtlFindAceBySid+88j ...
		movzx	eax, word ptr [esi+2]
		inc	edx
		add	esi, eax
		mov	[ebp+var_4], edx
		cmp	edx, [ebp+var_8]
		jb	short loc_53CDA0

loc_53CDCE:				; CODE XREF: RtlFindAceBySid+Fj
					; RtlFindAceBySid+22j
		xor	eax, eax
		jmp	short loc_53CDED
; 

loc_53CDD2:				; CODE XREF: RtlFindAceBySid+4Dj
		shr	eax, 8
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	edi		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_53CE05

loc_53CDEB:				; CODE XREF: RtlFindAceBySid+9Fj
		mov	eax, esi

loc_53CDED:				; CODE XREF: RtlFindAceBySid+60j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_53CDF6:				; CODE XREF: RtlFindAceBySid+45j
		cmp	edx, [ebx]
		jb	short loc_53CDBF
		push	edi
		push	ecx
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_53CE0A

loc_53CE05:				; CODE XREF: RtlFindAceBySid+79j
		mov	edx, [ebp+var_4]
		jmp	short loc_53CDBF
; 

loc_53CE0A:				; CODE XREF: RtlFindAceBySid+93j
		mov	eax, [ebp+var_4]
		mov	[ebx], eax
		jmp	short loc_53CDEB
RtlFindAceBySid	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall OBJECT_HEADER_TO_QUOTA_INFO(x)
_OBJECT_HEADER_TO_QUOTA_INFO@4 proc near ; CODE	XREF: ObAdjustSecurityQuota(x,x)+13p
					; NtQueryObject+1ACp ...
		mov	al, [ecx+0Eh]
		test	al, 8
		jz	short loc_53CE2B
		movzx	eax, al
		and	eax, 0Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax

loc_53CE28:				; CODE XREF: OBJECT_HEADER_TO_QUOTA_INFO(x)+1Bj
		mov	eax, ecx
		retn
; 

loc_53CE2B:				; CODE XREF: OBJECT_HEADER_TO_QUOTA_INFO(x)+5j
		xor	ecx, ecx
		jmp	short loc_53CE28
_OBJECT_HEADER_TO_QUOTA_INFO@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO(x)
_OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO@4 proc near
					; CODE XREF: ObpCreateSymbolicLinkName+A9p
					; ObQueryNameStringMode+A2p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, ds:_PsObjectDirectorySiloContextSlot
		test	ecx, ecx
		jnz	short loc_53CE5E
		mov	ecx, ds:dword_717F7C

loc_53CE46:				; CODE XREF: OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO(x)+34j
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		call	PspStorageGetUnreferencedObject
		test	eax, eax
		mov	eax, _ObpRootDirectoryObject
		jns	short loc_53CE66
		leave
		retn
; 

loc_53CE5E:				; CODE XREF: OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO(x)+Ej
		mov	ecx, [ecx+308h]
		jmp	short loc_53CE46
; 

loc_53CE66:				; CODE XREF: OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO(x)+2Aj
		mov	eax, [ebp+var_4]
		leave
		retn
_OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspStorageGetUnreferencedObject	proc near
					; CODE XREF: OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO(x)+1Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005A891D SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	PspGetStorageArrayIfPossible
		test	eax, eax
		js	short locret_53CEA7
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		mov	ecx, [eax+ecx*8+4]
		test	ecx, 0FFFFFFFEh
		jnz	loc_5A891D
		mov	eax, 0C0000225h

locret_53CEA7:				; CODE XREF: PspStorageGetUnreferencedObject+1Ej
					; PspStorageGetUnreferencedObject+6BABBj ...
		leave
		retn	4
PspStorageGetUnreferencedObject	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspGetStorageArrayIfPossible proc near	; CODE XREF: PspStorageGetObject(x,x,x)+17p
					; PspStorageGetUnreferencedObject+17p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A893B SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	edx, 20h
		jnb	loc_5A893B

loc_53CEBA:				; CODE XREF: PspGetStorageArrayIfPossible+6BAA2j
		mov	eax, [ebp+arg_0]
		mov	[eax], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		xor	eax, eax

loc_53CEC6:				; CODE XREF: PspGetStorageArrayIfPossible+6BAADj
					; PspGetStorageArrayIfPossible+6BAB7j
		pop	ebp
		retn	8
PspGetStorageArrayIfPossible endp

; 
		align 10h
; Exported entry 2108. RtlGetAce

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetAce(x, x, x)
		public _RtlGetAce@12
_RtlGetAce@12	proc near		; CODE XREF: SepAppendAceToTokenDefaultDacl+C3p
					; SepSetProcessTrustLabelAceForToken(x)+12Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	edi
		mov	al, [ecx]
		sub	al, 2
		cmp	al, 2
		ja	short loc_53CF26
		movzx	eax, word ptr [ecx+4]
		cmp	[ebp+arg_4], eax
		jnb	short loc_53CF26
		mov	edi, [ebp+arg_8]
		lea	edx, [ecx+8]
		xor	ebx, ebx
		mov	[edi], edx
		cmp	[ebp+arg_4], ebx
		ja	short loc_53CF0C

loc_53CEFA:				; CODE XREF: RtlGetAce(x,x,x)+54j
		movzx	eax, word ptr [ecx+2]
		add	eax, ecx
		cmp	edx, eax
		jnb	short loc_53CF26
		xor	eax, eax

loc_53CF06:				; CODE XREF: RtlGetAce(x,x,x)+5Bj
		pop	edi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_53CF0C:				; CODE XREF: RtlGetAce(x,x,x)+28j
					; RtlGetAce(x,x,x)+52j
		movzx	eax, word ptr [ecx+2]
		add	eax, ecx
		cmp	edx, eax
		jnb	short loc_53CF26
		movzx	eax, word ptr [edx+2]
		add	edx, eax
		inc	ebx
		mov	[edi], edx
		cmp	ebx, [ebp+arg_4]
		jb	short loc_53CF0C
		jmp	short loc_53CEFA
; 

loc_53CF26:				; CODE XREF: RtlGetAce(x,x,x)+10j
					; RtlGetAce(x,x,x)+19j	...
		mov	eax, 0C000000Dh
		jmp	short loc_53CF06
_RtlGetAce@12	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2239. RtlLengthSid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLengthSid(x)
		public _RtlLengthSid@4
_RtlLengthSid@4	proc near		; CODE XREF: sub_785212+1133p
					; sub_785212+1140p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:8[eax*4]
		pop	ebp
		retn	4
_RtlLengthSid@4	endp

; 
		align 10h
; Exported entry 1958. RtlAppendUnicodeStringToString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAppendUnicodeStringToString(x, x)
		public _RtlAppendUnicodeStringToString@8
_RtlAppendUnicodeStringToString@8 proc near ; CODE XREF: KsepEvntLogShimsApplied(x,x,x)+121p
					; OpenGlobalizationUserSettingsKey_ForMua+172p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		movzx	edi, word ptr [edx]
		test	di, di
		jz	short loc_53CFAF
		mov	esi, [ebp+arg_0]
		mov	ebx, edi
		movzx	eax, word ptr [esi]
		mov	[ebp+arg_4], eax
		lea	ecx, [ebx+eax]
		movzx	eax, word ptr [esi+2]
		cmp	ecx, eax
		ja	short loc_53CFB8
		mov	ecx, [ebp+arg_4]
		mov	eax, [esi+4]
		shr	ecx, 1
		push	ebx		; size_t
		lea	ecx, [eax+ecx*2]
		mov	eax, [edx+4]
		push	eax		; void *
		push	ecx		; void *
		mov	[ebp+arg_4], ecx
		call	_memmove
		add	[esi], di
		add	esp, 0Ch
		movzx	ecx, word ptr [esi]
		movzx	eax, word ptr [esi+2]
		inc	ecx
		cmp	ecx, eax
		jnb	short loc_53CFAF
		mov	eax, [ebp+arg_4]
		shr	ebx, 1
		xor	ecx, ecx
		mov	[eax+ebx*2], cx

loc_53CFAF:				; CODE XREF: RtlAppendUnicodeStringToString(x,x)+11j
					; RtlAppendUnicodeStringToString(x,x)+52j
		xor	eax, eax

loc_53CFB1:				; CODE XREF: RtlAppendUnicodeStringToString(x,x)+6Dj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_53CFB8:				; CODE XREF: RtlAppendUnicodeStringToString(x,x)+27j
		mov	eax, 0C0000023h
		jmp	short loc_53CFB1
_RtlAppendUnicodeStringToString@8 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1959. RtlAppendUnicodeToString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlAppendUnicodeToString(int,void *)
		public _RtlAppendUnicodeToString@8
_RtlAppendUnicodeToString@8 proc near	; CODE XREF: LdrpGetResourceFileName+102p
					; LdrpGetResourceFileName+111p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		test	edx, edx
		jz	short loc_53D043
		mov	eax, edx
		lea	esi, [eax+2]

loc_53CFE4:				; CODE XREF: RtlAppendUnicodeToString(x,x)+1Dj
		mov	cx, [eax]
		add	eax, 2
		test	cx, cx
		jnz	short loc_53CFE4
		sub	eax, esi
		sar	eax, 1
		cmp	eax, 7FFEh
		ja	short loc_53D04C
		mov	edi, [ebp+arg_0]
		add	eax, eax
		movzx	ecx, ax
		movzx	esi, cx
		mov	[ebp+arg_4], ecx
		movzx	ebx, word ptr [edi]
		movzx	eax, word ptr [edi+2]
		lea	ecx, [esi+ebx]
		cmp	ecx, eax
		ja	short loc_53D04C
		mov	eax, [edi+4]
		shr	ebx, 1
		push	esi		; size_t
		push	edx		; void *
		lea	ebx, [eax+ebx*2]
		push	ebx		; void *
		call	_memmove
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		add	[edi], ax
		movzx	ecx, word ptr [edi]
		movzx	eax, word ptr [edi+2]
		inc	ecx
		cmp	ecx, eax
		jnb	short loc_53D043
		shr	esi, 1
		xor	eax, eax
		mov	[ebx+esi*2], ax

loc_53D043:				; CODE XREF: RtlAppendUnicodeToString(x,x)+Dj
					; RtlAppendUnicodeToString(x,x)+69j
		xor	eax, eax

loc_53D045:				; CODE XREF: RtlAppendUnicodeToString(x,x)+81j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_53D04C:				; CODE XREF: RtlAppendUnicodeToString(x,x)+28j
					; RtlAppendUnicodeToString(x,x)+44j
		mov	eax, 0C0000023h
		jmp	short loc_53D045
_RtlAppendUnicodeToString@8 endp

; 
		align 8
; Exported entry 1305. KeSetTimer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetTimer(x, x, x,	x)
		public _KeSetTimer@16
_KeSetTimer@16	proc near		; CODE XREF: ExpRefreshTimeZoneInformation(x)+5DBp
					; ExpRefreshTimeZoneInformation(x)+627p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	[ebp+arg_4]
		push	[ebp+arg_C]
		push	0
		call	KiSetTimerEx
		pop	ebp
		retn	10h
_KeSetTimer@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCloseWaitCompletionPacket proc near	; DATA XREF: IoCreateObjectTypes+1E4o

var_C		= dword	ptr -0Ch
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005F24DC SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		cmp	[ebp+arg_C], 1
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		jnz	short loc_53D0FD
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		lea	edi, [ebx+30h]
		mov	ecx, edi
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	esi, [ebx+2Ch]
		mov	byte ptr [ebp+arg_C+3],	al
		test	esi, esi
		jz	short loc_53D0B0
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	al, byte ptr [ebp+arg_C+3]

loc_53D0B0:				; CODE XREF: IopCloseWaitCompletionPacket+2Ej
		mov	dl, al
		mov	ecx, edi
		call	KfReleaseSpinLock
		test	esi, esi
		jz	short loc_53D0FB
		lea	ecx, [esi+28h]
		lea	edx, [ebp+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, edi
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		cmp	byte ptr [ebx+34h], 0
		mov	byte ptr [ebp+arg_C], al
		jz	loc_5F24DC
		push	[ebp+arg_C]
		mov	dl, 1
		mov	ecx, ebx
		call	_IopCancelWaitCompletionPacket@12 ; IopCancelWaitCompletionPacket(x,x,x)
		test	al, al
		jz	short loc_53D102

loc_53D0EC:				; CODE XREF: IopCloseWaitCompletionPacket+B546Fj
		lea	ecx, [ebp+var_C]
		call	KeReleaseInStackQueuedSpinLock
		mov	ecx, esi
		call	ObfDereferenceObject

loc_53D0FB:				; CODE XREF: IopCloseWaitCompletionPacket+45j
		pop	esi
		pop	ebx

loc_53D0FD:				; CODE XREF: IopCloseWaitCompletionPacket+15j
		pop	edi
		leave
		retn	10h
; 

loc_53D102:				; CODE XREF: IopCloseWaitCompletionPacket+74j
		mov	al, byte ptr [ebp+arg_C]
		jmp	loc_5F24DC
IopCloseWaitCompletionPacket endp

; 

NtCancelTimer:				; DATA XREF: .text:005811CCo
		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A69E0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		push	ecx
		push	ecx
		push	ebx
		sub	esp, 68h
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-23h], al
		mov	[ebp-64h], al
		mov	edi, [ebx+0Ch]
		test	edi, edi
		jnz	loc_5F24EA

loc_53D170:				; CODE XREF: .text:005F24ECj
					; .text:005F250Ej
		and	dword ptr [ebp-48h], 0
		push	0
		lea	eax, [ebp-48h]
		push	eax
		push	dword ptr [ebp-64h]
		push	0
		push	2
		push	dword ptr [ebx+8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp-7Ch], eax
		test	eax, eax
		js	loc_53D24F
		mov	esi, [ebp-48h]
		mov	[ebp-28h], esi
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, ds:_ExpIRTimerObjectType
		jz	loc_5F2539
		cmp	eax, ds:_ExTimerObjectType
		jnz	loc_5F255F
		and	dword ptr [ebp-64h], 0
		mov	byte ptr [ebp-22h], 0
		lea	edi, [esi+28h]
		mov	[ebp-60h], edi
		mov	ecx, edi
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	[ebp-21h], al
		mov	ecx, [esi+90h]
		mov	[ebp-44h], ecx
		test	ecx, ecx
		jnz	loc_53D3C6
		mov	edi, offset _ExpWakeTimerLock
		or	ecx, 0FFFFFFFFh
		mov	[ebp-40h], ecx
		xor	esi, esi
		mov	eax, [ebp-28h]

loc_53D20A:				; CODE XREF: .text:0053D51Cj
		mov	ecx, eax
		call	ExpCancelTimer
		inc	eax
		mov	[ebp-78h], eax
		mov	dl, [ebp-21h]
		mov	ecx, [ebp-60h]
		call	KfReleaseSpinLock
		cmp	byte ptr [ebp-22h], 0
		jnz	short loc_53D268

loc_53D226:				; CODE XREF: .text:0053D3C1j
		mov	eax, [ebp-28h]
		mov	ecx, [eax+4]
		mov	[ebp-64h], ecx
		mov	edx, [ebp-78h]
		mov	ecx, eax
		call	@ObDereferenceObjectEx@8 ; ObDereferenceObjectEx(x,x)
		mov	eax, [ebx+0Ch]
		test	eax, eax
		jnz	loc_5F2609

loc_53D244:				; CODE XREF: .text:005F262Aj
					; .text:005F263Bj
		mov	ecx, [ebp-44h]
		test	ecx, ecx
		jnz	loc_53D521

loc_53D24F:				; CODE XREF: .text:0053D18Ej
					; .text:0053D526j
		mov	eax, [ebp-7Ch]

loc_53D252:				; CODE XREF: .text:005F2534j
					; .text:005F2549j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_53D268:				; CODE XREF: .text:0053D224j
		cmp	dword ptr [ebp-44h], 0
		jz	short loc_53D293
		mov	eax, [ebp-28h]
		add	eax, 94h
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_53D61C
		cmp	[ecx], eax
		jnz	loc_53D61C
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	[eax], esi

loc_53D293:				; CODE XREF: .text:0053D26Cj
		or	ecx, 0FFFFFFFFh
		mov	eax, ecx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_53D558

loc_53D2A6:				; CODE XREF: .text:0053D55Fj
		mov	[ebp-4Ch], esi
		test	edi, 7FFFFFFCh
		jz	loc_53D3B9
		mov	edi, large fs:124h
		mov	edx, offset _ExpWakeTimerLock
		mov	eax, edx
		shr	eax, 15h
		mov	ecx, dword_6D07D0
		mov	[ebp-60h], ecx
		cmp	ecx, edx
		push	0FFFFFFFFh
		pop	ecx
		ja	short loc_53D2E3
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_53D564

loc_53D2E3:				; CODE XREF: .text:0053D2D4j
		cmp	[ebp-60h], edx
		ja	short loc_53D2F5
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_53D564

loc_53D2F5:				; CODE XREF: .text:0053D2E6j
					; .text:0053D574j
		dec	word ptr [edi+13Eh]
		nop
		inc	byte ptr [edi+1E6h]
		nop
		mov	al, [edi+1E6h]
		mov	[ebp-22h], al
		push	ecx
		mov	ecx, edi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[ebp-70h], edx
		test	edx, edx
		jz	loc_53D5EA
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], esi
		jl	loc_53D5FD

loc_53D334:				; CODE XREF: .text:0053D607j
		mov	ecx, [edx+2Ch]
		mov	eax, ecx
		and	eax, 1FFFFh
		mov	[ebp-4Ch], eax
		and	ecx, 0FFFE0000h
		mov	[edx+2Ch], ecx
		and	byte ptr [edx+0Dh], 0FEh
		nop
		mov	[edx+10h], esi
		sub	edx, [edi+1E8h]
		mov	eax, edx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp-22h], 1
		jnz	loc_5F25D4
		or	[edi+1E4h], dl

loc_53D376:				; CODE XREF: .text:0053D5F2j
					; .text:005F25DDj
		nop
		dec	byte ptr [edi+1E6h]
		mov	edx, [ebp-4Ch]
		mov	esi, edx
		and	esi, 1FFFFh
		jnz	loc_53D579

loc_53D38E:				; CODE XREF: .text:0053D5B3j
					; .text:005F2604j
		nop
		mov	ax, [edi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[edi+13Eh], ax
		test	ax, ax
		jnz	short loc_53D3B3
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jnz	loc_53D60C

loc_53D3B3:				; CODE XREF: .text:0053D3A5j
		mov	eax, [ebp-48h]
		mov	[ebp-28h], eax

loc_53D3B9:				; CODE XREF: .text:0053D2AFj
					; .text:0053D617j
		mov	ecx, [ebp-64h]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	loc_53D226
; 

loc_53D3C6:				; CODE XREF: .text:0053D1F4j
		mov	dl, al
		mov	ecx, edi
		call	KfReleaseSpinLock
		mov	eax, large fs:124h
		mov	[ebp-64h], eax
		dec	word ptr [eax+13Ch]
		nop
		xor	eax, eax
		mov	[ebp-74h], eax
		mov	edi, offset _ExpWakeTimerLock
		mov	ecx, edi
		and	ecx, 7FFFFFFCh
		mov	[ebp-70h], ecx
		jz	loc_5F2570
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jnz	loc_53D52B
		mov	[ebp-6Ch], eax
		mov	dl, [esi+1E4h]
		test	dl, dl
		jz	loc_5F257E

loc_53D42F:				; CODE XREF: .text:005F2594j
		movzx	eax, dl
		bsf	ecx, eax
		mov	[ebp-6Ch], ecx
		mov	al, 1
		shl	al, cl
		not	al
		and	al, dl
		mov	[esi+1E4h], al
		imul	edx, ecx, 30h
		add	edx, [esi+1E8h]
		mov	[ebp-44h], edx

loc_53D452:				; CODE XREF: .text:005F25A8j
					; .text:005F25BAj
		test	edx, edx
		jz	loc_53D5BE
		mov	ecx, edi
		shr	ecx, 15h
		mov	eax, dword_6D07D0
		mov	[ebp-40h], eax
		cmp	eax, edi
		ja	short loc_53D48E
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_53D542
		mov	eax, [ebp-40h]
		cmp	eax, edi
		ja	short loc_53D48E
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_53D542

loc_53D48E:				; CODE XREF: .text:0053D469j
					; .text:0053D47Fj
		or	eax, 0FFFFFFFFh
		mov	[ebp-40h], eax

loc_53D494:				; CODE XREF: .text:0053D553j
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp-70h]
		mov	[edx+10h], eax

loc_53D49E:				; CODE XREF: .text:0053D5CCj
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp-74h]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_53D4D7
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_53D5D1

loc_53D4D7:				; CODE XREF: .text:0053D4C9j
					; .text:0053D5D6j
		mov	esi, [ebp-28h]
		mov	eax, [ebp-44h]

loc_53D4DD:				; CODE XREF: .text:005F2579j
		lock bts dword ptr [edi], 0
		jb	loc_53D5DB

loc_53D4E8:				; CODE XREF: .text:0053D5E5j
		mov	eax, [ebp-44h]
		test	eax, eax
		jz	short loc_53D4F3
		or	byte ptr [eax+0Eh], 1

loc_53D4F3:				; CODE XREF: .text:0053D4EDj
		mov	byte ptr [ebp-22h], 1
		mov	ecx, [ebp-60h]
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	[ebp-21h], al
		mov	eax, [esi+90h]
		mov	[ebp-44h], eax
		xor	esi, esi
		mov	eax, [ebp-28h]
		mov	[eax+90h], esi
		mov	eax, [ebp-48h]
		mov	[ebp-28h], eax
		jmp	loc_53D20A
; 

loc_53D521:				; CODE XREF: .text:0053D249j
		call	_PoDestroyReasonContext@4 ; PoDestroyReasonContext(x)
		jmp	loc_53D24F
; 

loc_53D52B:				; CODE XREF: .text:0053D418j
		push	eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	edi
		push	esi
		push	192h

loc_53D53D:				; CODE XREF: .text:005F25CFj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_53D542:				; CODE XREF: .text:0053D474j
					; .text:0053D488j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		or	ecx, 0FFFFFFFFh
		mov	[ebp-40h], ecx
		jmp	loc_53D494
; 

loc_53D558:				; CODE XREF: .text:0053D2A0j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_53D2A6
; 

loc_53D564:				; CODE XREF: .text:0053D2DDj
					; .text:0053D2EFj
		mov	ecx, [edi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp-40h], ecx
		jmp	loc_53D2F5
; 

loc_53D579:				; CODE XREF: .text:0053D388j
		test	edx, 8000h
		jz	short loc_53D58A
		xor	edx, edx
		mov	ecx, edi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_53D58A:				; CODE XREF: .text:0053D57Fj
		test	byte ptr [ebp-4Ah], 1
		jnz	loc_5F25E2

loc_53D594:				; CODE XREF: .text:005F25F2j
		mov	eax, 7FFFh
		mov	edx, [ebp-4Ch]
		test	edx, eax
		jz	short loc_53D5A9
		and	edx, eax
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_53D5A9:				; CODE XREF: .text:0053D59Ej
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_53D38E
		jmp	loc_5F25F7
; 

loc_53D5BE:				; CODE XREF: .text:0053D454j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		or	ecx, 0FFFFFFFFh
		mov	[ebp-40h], ecx
		jmp	loc_53D49E
; 

loc_53D5D1:				; CODE XREF: .text:0053D4D1j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_53D4D7
; 

loc_53D5DB:				; CODE XREF: .text:0053D4E2j
		push	edi
		mov	edx, eax
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		jmp	loc_53D4E8
; 

loc_53D5EA:				; CODE XREF: .text:0053D31Cj
		mov	eax, [edi+5Ch]
		test	eax, 10000h
		jnz	loc_53D376
		jmp	loc_5F25BF
; 

loc_53D5FD:				; CODE XREF: .text:0053D32Ej
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp-70h]
		jmp	loc_53D334
; 

loc_53D60C:				; CODE XREF: .text:0053D3ADj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		mov	esi, [ebp-48h]
		mov	[ebp-28h], esi
		jmp	loc_53D3B9
; 

loc_53D61C:				; CODE XREF: .text:0053D27Ej
					; .text:0053D286j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAssociateWaitCompletionPacket	proc near ; DATA XREF: .text:005811E4o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 005F2640 SIZE 00000030 BYTES
; FUNCTION CHUNK AT 005F268B SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6A08
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_2C], al
		mov	eax, ds:_IopWaitCompletionPacketObjectType
		mov	[ebp+var_20], 0
		push	0
		lea	ecx, [ebp+var_20]
		push	ecx
		mov	esi, [ebp+var_2C]
		push	esi
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_53D784
		mov	eax, ds:_IoCompletionObjectType
		mov	[ebp+var_28], 0
		push	0
		lea	ecx, [ebp+var_28]
		push	ecx
		push	esi
		push	eax
		push	2
		push	[ebp+arg_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_5F2640
		mov	[ebp+var_24], 0
		push	0
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		push	0
		push	100000h
		push	[ebp+arg_8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+arg_8], esi
		test	esi, esi
		js	loc_5F264F
		mov	ebx, [ebp+var_24]
		mov	ecx, ebx
		call	_ObGetAssociatedWaitObject@4 ; ObGetAssociatedWaitObject(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5F268B
		mov	cl, [edi]
		and	cl, 7Fh
		cmp	cl, 2
		jz	loc_5F268B
		cmp	cl, 4
		jz	loc_5F268B
		mov	ebx, [ebp+var_20]
		lea	eax, [ebx+30h]
		mov	[ebp+arg_4], eax
		mov	ecx, eax
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	byte ptr [ebp+arg_0+3],	al
		cmp	byte ptr [ebx+34h], 0
		jnz	loc_5F265C
		mov	byte ptr [ebx+34h], 1
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+arg_C]
		mov	[ecx+18h], eax
		mov	eax, [ebp+arg_10]
		mov	[ecx+1Ch], eax
		mov	eax, [ebp+arg_14]
		mov	[ecx+24h], eax
		mov	eax, [ebp+arg_18]
		mov	[ecx+20h], eax
		mov	eax, [ebp+var_24]
		mov	[ecx+28h], eax
		mov	edx, [ebp+var_28]
		mov	[ecx+2Ch], edx
		push	ecx
		mov	ecx, edi
		call	KeRegisterObjectNotification
		mov	byte ptr [ebp+arg_4+3],	al
		mov	dl, byte ptr [ebp+arg_0+3]
		lea	ecx, [ebx+30h]
		call	KfReleaseSpinLock
		mov	ecx, [ebp+arg_1C]
		test	ecx, ecx
		jnz	short loc_53D798

loc_53D782:				; CODE XREF: NtAssociateWaitCompletionPacket+190j
					; sub_5F2679+Dj ...
		mov	eax, esi

loc_53D784:				; CODE XREF: NtAssociateWaitCompletionPacket+6Aj
					; NtAssociateWaitCompletionPacket+B501Aj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_53D798:				; CODE XREF: NtAssociateWaitCompletionPacket+150j
		mov	[ebp+var_4], 0
		cmp	[ebp+var_19], 0
		jz	short loc_53D7B4
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_53D7C2

loc_53D7B0:				; CODE XREF: NtAssociateWaitCompletionPacket+194j
		mov	al, [edx]
		mov	[edx], al

loc_53D7B4:				; CODE XREF: NtAssociateWaitCompletionPacket+173j
		mov	al, byte ptr [ebp+arg_4+3]
		mov	[ecx], al
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_53D782
; 

loc_53D7C2:				; CODE XREF: NtAssociateWaitCompletionPacket+17Ej
		mov	edx, eax
		jmp	short loc_53D7B0
NtAssociateWaitCompletionPacket	endp

; 
		align 10h
; Exported entry 151. KfReleaseSpinLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KfReleaseSpinLock
KfReleaseSpinLock proc near		; CODE XREF: IopCancelWaitCompletionPacket(x,x,x)+38p
					; IopFreeWaitCompletionPacket(x,x)+2Cp	...

; FUNCTION CHUNK AT 005A8968 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	ds:byte_70EFC6,	1
		push	ebx
		mov	bl, dl
		jnz	loc_5A8968
		xor	eax, eax
		lock and [ecx],	eax

loc_53D7EB:				; CODE XREF: KfReleaseSpinLock+6B1A0j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx
		pop	ecx
		pop	ebp
		retn
KfReleaseSpinLock endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeRegisterObjectNotification proc near	; CODE XREF: ExpTryEnterWorkerFactoryAwayMode(x)+64p
					; NtAssociateWaitCompletionPacket+138p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F26AC SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		mov	word ptr [esi+8], 402h
		mov	[esi+0Ch], eax
		mov	[esi+10h], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	[ebp+var_8], 0
		mov	byte ptr [ebp+var_C], bl
		lock bts dword ptr [edi], 7
		jb	loc_53D954

loc_53D83E:				; CODE XREF: KeRegisterObjectNotification+167j
		cmp	dword ptr [edi+4], 0
		jg	short loc_53D877
		mov	ecx, [edi+0Ch]
		lea	eax, [edi+8]
		cmp	[ecx], eax
		jnz	loc_53D941
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	al, al
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_53D877:				; CODE XREF: KeRegisterObjectNotification+42j
		mov	ecx, edi
		call	_KiWaitSatisfyOther@4 ;	KiWaitSatisfyOther(x)
		mov	ebx, [ebp+var_4]
		mov	byte ptr [esi+9], 5
		mov	dword ptr [esi], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_4], eax
		mov	eax, [eax+4]
		mov	[ebp+arg_0], eax
		jnz	loc_5F26AC

loc_53D8B0:				; CODE XREF: KeRegisterObjectNotification+B4EC1j
		mov	ecx, ebx
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	ecx, [ebx+8]
		cmp	[ecx], ecx
		jz	short loc_53D8EE
		mov	eax, [ebx+18h]
		cmp	eax, [ebx+1Ch]
		jnb	short loc_53D8EE
		mov	edx, [ebp+arg_0]
		mov	eax, [edx+0A4h]
		cmp	eax, ebx
		jnz	short loc_53D8DC
		cmp	byte ptr [edx+18Bh], 0Fh
		jz	short loc_53D8EE

loc_53D8DC:				; CODE XREF: KeRegisterObjectNotification+D1j
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		push	esi
		call	KiWakeQueueWaiter
		test	al, al
		jnz	short loc_53D916
		lea	ecx, [ebx+8]

loc_53D8EE:				; CODE XREF: KeRegisterObjectNotification+BCj
					; KeRegisterObjectNotification+C4j ...
		mov	eax, [ebx+4]
		mov	[ebp+arg_0], eax
		inc	eax
		mov	[ebx+4], eax
		lea	eax, [ebx+10h]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_53D941
		cmp	[ebp+arg_0], 0
		mov	[esi], eax
		mov	[esi+4], edx
		mov	[edx], esi
		mov	[eax+4], esi
		jnz	short loc_53D916
		cmp	[ecx], ecx
		jnz	short loc_53D948

loc_53D916:				; CODE XREF: KeRegisterObjectNotification+E9j
					; KeRegisterObjectNotification+110j ...
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		lock and [edi],	eax
		push	[ebp+var_C]
		mov	ecx, large fs:20h
		xor	edx, edx
		push	0
		push	1
		call	KiExitDispatcher
		pop	edi
		pop	esi
		mov	al, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_53D941:				; CODE XREF: KeRegisterObjectNotification+4Cj
					; KeRegisterObjectNotification+100j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_53D948:				; CODE XREF: KeRegisterObjectNotification+114j
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		jmp	short loc_53D916
; 

loc_53D954:				; CODE XREF: KeRegisterObjectNotification+38j
					; KeRegisterObjectNotification+160j ...
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	al, al
		js	short loc_53D954
		lock bts dword ptr [edi], 7
		jnb	loc_53D83E
		jmp	short loc_53D954
KeRegisterObjectNotification endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 150. KfAcquireSpinLock

;  S U B	R O U T	I N E 


; __fastcall KfAcquireSpinLock(x)
		public @KfAcquireSpinLock@4
@KfAcquireSpinLock@4 proc near		; CODE XREF: IopFreeWaitCompletionPacket(x,x)+18p
					; .text:0052249Dp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		jnz	short loc_53D9AC
		lock bts dword ptr [esi], 0
		jb	short loc_53D9A3

loc_53D99E:				; CODE XREF: KfAcquireSpinLock(x)+2Aj
					; KfAcquireSpinLock(x)+33j
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_53D9A3:				; CODE XREF: KfAcquireSpinLock(x)+1Cj
		mov	ecx, esi
		call	KxWaitForSpinLockAndAcquire
		jmp	short loc_53D99E
; 

loc_53D9AC:				; CODE XREF: KfAcquireSpinLock(x)+15j
		mov	ecx, esi
		call	@KiAcquireSpinLockInstrumented@4 ; KiAcquireSpinLockInstrumented(x)
		jmp	short loc_53D99E
@KfAcquireSpinLock@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ObGetAssociatedWaitObject(x)
_ObGetAssociatedWaitObject@4 proc near	; CODE XREF: IopCancelWaitCompletionPacket(x,x,x)+15p
					; NtAssociateWaitCompletionPacket+C7p
		add	ecx, 0FFFFFFE8h
		call	ObpGetWaitObject
		mov	ecx, eax
		sub	ecx, offset _ObpDefaultObject
		neg	ecx
		sbb	ecx, ecx
		and	eax, ecx
		retn
_ObGetAssociatedWaitObject@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


ObpGetWaitObject proc near		; CODE XREF: ObGetAssociatedWaitObject(x)+3p
					; NtSignalAndWaitForSingleObject(x,x,x,x)+D9p

; FUNCTION CHUNK AT 005F26C6 SIZE 0000000D BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, esi
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi+0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		push	edi
		mov	edi, ds:_ObTypeIndexTable[edx*4]
		mov	edx, [edi+10h]
		test	dl, 1
		jnz	short loc_53DA06
		test	edx, edx
		js	short loc_53DA2B
		lea	eax, [esi+18h]

loc_53DA01:				; CODE XREF: ObpGetWaitObject+5Bj
		add	eax, edx

loc_53DA03:				; CODE XREF: ObpGetWaitObject+41j
					; ObpGetWaitObject+5Fj	...
		pop	edi
		pop	esi
		retn
; 

loc_53DA06:				; CODE XREF: ObpGetWaitObject+2Aj
		test	dl, 2
		jnz	short loc_53DA11
		mov	eax, [edx+esi+17h]
		jmp	short loc_53DA03
; 

loc_53DA11:				; CODE XREF: ObpGetWaitObject+3Bj
		movzx	eax, word ptr [edi+7Ch]
		mov	ecx, [edi+78h]
		mov	eax, [eax+esi+18h]
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_5F26C6
		lea	eax, [esi+15h]
		jmp	short loc_53DA01
; 

loc_53DA2B:				; CODE XREF: ObpGetWaitObject+2Ej
		mov	eax, edx
		jmp	short loc_53DA03
ObpGetWaitObject endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 756. IoBuildDeviceIoControlRequest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoBuildDeviceIoControlRequest(x, x,	x, x, x, x, x, x, x)
		public _IoBuildDeviceIoControlRequest@36
_IoBuildDeviceIoControlRequest@36 proc near ; CODE XREF: IoVolumeDeviceToGuidPath+87p
					; IoVolumeDeviceNameToGuidPath+134p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	dword ptr [ebp+4] ; int
		push	[ebp+arg_20]	; int
		push	[ebp+arg_1C]	; int
		push	[ebp+arg_18]	; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; size_t
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		call	IopBuildDeviceIoControlRequest
		mov	esp, ebp
		pop	ebp
		retn	24h
_IoBuildDeviceIoControlRequest@36 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopBuildDeviceIoControlRequest(int,int,void *,size_t,int,int,int,int,int,int)
IopBuildDeviceIoControlRequest proc near
					; CODE XREF: IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)+26p
					; FsRtlGetVirtualDiskNestingLevel+A0p ...

var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 005F26D3 SIZE 00000023 BYTES
; FUNCTION CHUNK AT 005F2734 SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6A60
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 8
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		push	[ebp+arg_24]
		push	0
		mov	ebx, [ebp+arg_4]
		mov	dl, [ebx+30h]
		mov	ecx, ebx
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp+arg_24], esi
		test	esi, esi
		jz	loc_53DD52
		mov	edi, [esi+60h]
		cmp	byte ptr [ebp+arg_18], 0
		setnz	al
		add	al, 0Eh
		mov	[edi-24h], al
		mov	eax, [ebp+arg_14]
		mov	[edi-20h], eax
		mov	ecx, [ebp+arg_C]
		mov	[edi-1Ch], ecx
		mov	edx, [ebp+arg_0]
		mov	[edi-18h], edx
		and	edx, 3
		mov	[ebp+arg_18], edx
		jnz	loc_53DC35
		test	ecx, ecx
		jnz	short loc_53DAFD
		test	eax, eax
		jz	loc_53DD3F

loc_53DAFD:				; CODE XREF: IopBuildDeviceIoControlRequest+83j
		cmp	ecx, eax
		ja	loc_53DC2E

loc_53DB05:				; CODE XREF: IopBuildDeviceIoControlRequest+1C0j
		cmp	_ViVerifierEnabled, 0
		jnz	loc_53DD0B

loc_53DB12:				; CODE XREF: IopBuildDeviceIoControlRequest+B4CCBj
		push	20206F49h
		push	eax
		push	204h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_53DB22:				; CODE XREF: IopBuildDeviceIoControlRequest+2CAj
		mov	[esi+0Ch], eax
		test	eax, eax
		jz	loc_5F26EB
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	loc_53DC1C

loc_53DB38:				; CODE XREF: IopBuildDeviceIoControlRequest+1B9j
		mov	dword ptr [esi+8], 30h
		mov	eax, [ebp+arg_10]
		mov	[esi+3Ch], eax
		test	eax, eax
		jz	short loc_53DB50
		mov	dword ptr [esi+8], 70h

loc_53DB50:				; CODE XREF: IopBuildDeviceIoControlRequest+D7j
					; IopBuildDeviceIoControlRequest+1C7j ...
		mov	eax, [ebp+arg_20]
		mov	[esi+28h], eax
		mov	eax, [ebp+arg_1C]
		mov	[esi+2Ch], eax
		mov	eax, large fs:124h
		mov	[esi+50h], eax
		lea	edi, [eax+2CCh]
		lea	ebx, [esi+10h]
		add	eax, 350h
		mov	[ebp+arg_8], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_18+3], al
		mov	ecx, [ebp+arg_8]
		test	ds:byte_70EFC6,	21h
		jnz	loc_5F2746
		lock bts dword ptr [ecx], 0
		jb	loc_5F274D

loc_53DB9A:				; CODE XREF: IopBuildDeviceIoControlRequest+B4CE5j
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	loc_5F275A
		mov	[ebx], eax
		mov	[ebx+4], edi
		mov	[eax+4], ebx
		mov	[edi], ebx
		test	ds:byte_70EFC6,	1
		jnz	loc_5F2761
		xor	eax, eax
		lock and [ecx],	eax

loc_53DBC1:				; CODE XREF: IopBuildDeviceIoControlRequest+B4CF9j
		mov	cl, byte ptr [ebp+arg_18+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esi+50h]
		mov	edx, [ecx+2FCh]
		shr	edx, 9
		and	edx, 7
		mov	eax, [ecx+150h]
		test	dword ptr [eax+0FCh], 100000h
		jnz	loc_53DC78

loc_53DBEF:				; CODE XREF: IopBuildDeviceIoControlRequest+20Aj
		cmp	edx, 2
		jb	short loc_53DC5C

loc_53DBF4:				; CODE XREF: IopBuildDeviceIoControlRequest+1F3j
					; IopBuildDeviceIoControlRequest+1FCj ...
		inc	edx
		shl	edx, 11h
		mov	ecx, [esi+8]
		and	ecx, 0FFF1FFFFh
		or	edx, ecx
		mov	[esi+8], edx
		mov	eax, esi

loc_53DC08:				; CODE XREF: sub_5F26FC+33j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_53DC1C:				; CODE XREF: IopBuildDeviceIoControlRequest+C2j
		push	[ebp+arg_C]	; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_53DB38
; 

loc_53DC2E:				; CODE XREF: IopBuildDeviceIoControlRequest+8Fj
		mov	eax, ecx
		jmp	loc_53DB05
; 

loc_53DC35:				; CODE XREF: IopBuildDeviceIoControlRequest+7Bj
		test	edx, edx
		jz	loc_53DB50
		cmp	edx, 2
		jbe	short loc_53DC7F
		cmp	edx, 3
		jnz	loc_53DB50
		mov	eax, [ebp+arg_10]
		mov	[esi+3Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[edi-14h], eax
		jmp	loc_53DB50
; 

loc_53DC5C:				; CODE XREF: IopBuildDeviceIoControlRequest+182j
		cmp	ecx, large fs:124h
		jnz	short loc_53DBF4
		cmp	dword ptr [ecx+32Ch], 0
		jz	short loc_53DBF4
		mov	edx, 2
		jmp	loc_53DBF4
; 

loc_53DC78:				; CODE XREF: IopBuildDeviceIoControlRequest+179j
		xor	edx, edx
		jmp	loc_53DBEF
; 

loc_53DC7F:				; CODE XREF: IopBuildDeviceIoControlRequest+1D0j
		cmp	[ebp+arg_8], 0
		jz	loc_5F26D3
		mov	edx, ecx
		mov	ecx, 204h
		call	IopVerifierExAllocatePool
		mov	[esi+0Ch], eax
		test	eax, eax
		jz	loc_5F26EB
		push	[ebp+arg_C]	; size_t
		push	[ebp+arg_8]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, 30h
		mov	eax, [ebp+arg_14]

loc_53DCB7:				; CODE XREF: IopBuildDeviceIoControlRequest+B4C65j
		mov	edx, esi
		mov	[edx+8], ecx
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	loc_53DB50
		push	0
		push	0
		push	0
		push	eax
		push	ecx
		call	IoAllocateMdl
		mov	ecx, eax
		mov	[esi+4], ecx
		test	ecx, ecx
		jz	loc_5F26DA
		mov	[ebp+var_4], 0
		cmp	[ebp+arg_18], 1
		jz	short loc_53DD68
		mov	edx, 1

loc_53DCF3:				; CODE XREF: IopBuildDeviceIoControlRequest+2FAj
		movzx	eax, byte ptr [edi-24h]
		push	eax
		push	ebx
		push	edx
		call	IopProbeAndLockPages
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_53DB50
; 

loc_53DD0B:				; CODE XREF: IopBuildDeviceIoControlRequest+9Cj
		test	_VfRuleClasses,	0FFAFFFFFh
		jz	loc_5F2734

loc_53DD1B:				; CODE XREF: IopBuildDeviceIoControlRequest+B4CD1j
		test	byte ptr _MmVerifierData, 10h
		jnz	short loc_53DD6C
		mov	ecx, 20h

loc_53DD29:				; CODE XREF: IopBuildDeviceIoControlRequest+301j
		push	ecx
		push	20206F49h
		push	eax
		push	204h
		call	ExAllocatePoolWithTagPriority
		jmp	loc_53DB22
; 

loc_53DD3F:				; CODE XREF: IopBuildDeviceIoControlRequest+87j
		mov	dword ptr [esi+8], 0
		mov	dword ptr [esi+3Ch], 0
		jmp	loc_53DB50
; 

loc_53DD52:				; CODE XREF: IopBuildDeviceIoControlRequest+4Ej
					; IopBuildDeviceIoControlRequest+B4C81j
		xor	eax, eax
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_53DD68:				; CODE XREF: IopBuildDeviceIoControlRequest+27Cj
		xor	edx, edx
		jmp	short loc_53DCF3
; 

loc_53DD6C:				; CODE XREF: IopBuildDeviceIoControlRequest+2B2j
		mov	ecx, 28h
		jmp	short loc_53DD29
IopBuildDeviceIoControlRequest endp

; 
		align 8
; Exported entry 1108. KeCancelTimer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeCancelTimer(x)
		public _KeCancelTimer@4
_KeCancelTimer@4 proc near		; CODE XREF: CmpArmLazyWriter+146p
					; PopSetWatchdog+76p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	bh, al
		call	KiCancelTimer
		mov	cl, bh
		mov	bl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
_KeCancelTimer@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSetLockOperationProcess proc	near	; CODE XREF: IopCloseFile(x,x,x,x)+83p
					; PAGE:0083AA41p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_3		= byte ptr  0Bh

; FUNCTION CHUNK AT 005F276E SIZE 0000004C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_C], 0
		mov	eax, ecx
		xor	edi, edi
		xor	bh, bh
		mov	[ebp+var_10], eax
		test	esi, esi
		jz	loc_5F276E
		mov	bl, [ebp+arg_0]
		lea	edx, [edi+1]
		push	edi		; int
		test	bl, bl
		jnz	loc_53DE8F
		lea	ecx, [ebp+var_C]
		push	ecx		; int
		push	edx		; char
		push	10h		; size_t
		mov	ecx, eax
		call	IopGetSetSpecificExtension
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_53DE86
		lea	edx, [edi+8]
		call	sub_4FC146
		mov	edi, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_C], eax

loc_53DE0D:				; CODE XREF: IopSetLockOperationProcess+ECj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+arg_3], al
		mov	eax, [ebp+var_10]
		add	eax, 70h
		mov	ecx, eax
		mov	[ebp+var_14], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_10]
		mov	al, [eax+24h]
		mov	[ebp+var_1], al
		mov	eax, [ebp+var_C]
		mov	edx, [eax+8]
		test	edx, edx
		jz	short loc_53DEA9
		mov	ecx, edx
		jmp	short loc_53DE40
; 
		align 10h

loc_53DE40:				; CODE XREF: IopSetLockOperationProcess+8Bj
					; IopSetLockOperationProcess+B49CCj
		cmp	[ecx+4], esi
		jnz	loc_5F2778
		mov	bh, 1

loc_53DE4B:				; CODE XREF: IopSetLockOperationProcess+FBj
					; IopSetLockOperationProcess+10Dj
		mov	esi, [ebp+var_8]

loc_53DE4E:				; CODE XREF: IopSetLockOperationProcess+B49DCj
		test	ds:byte_70EFC6,	1
		jnz	loc_5F2791
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_53DE63:				; CODE XREF: IopSetLockOperationProcess+B49ECj
		mov	cl, [ebp+arg_3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bh, bh
		jz	short loc_53DE7C
		test	edi, edi
		jz	short loc_53DE7C
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_53DE7C:				; CODE XREF: IopSetLockOperationProcess+BEj
					; IopSetLockOperationProcess+C2j
		test	bl, bl
		jnz	loc_5F27A1
		mov	eax, esi

loc_53DE86:				; CODE XREF: IopSetLockOperationProcess+47j
					; IopSetLockOperationProcess+F7j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_53DE8F:				; CODE XREF: IopSetLockOperationProcess+2Ej
		mov	[ebp+var_8], edi
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	loc_53DE0D

loc_53DEA2:				; CODE XREF: IopSetLockOperationProcess+B49F5j
					; IopSetLockOperationProcess+B49FDj
		mov	eax, 0C0000001h
		jmp	short loc_53DE86
; 

loc_53DEA9:				; CODE XREF: IopSetLockOperationProcess+87j
					; IopSetLockOperationProcess+B49D2j
		test	bl, bl
		jnz	short loc_53DE4B
		test	edi, edi
		jz	loc_5F2787
		mov	[edi], edx
		mov	[eax+8], edi
		mov	[edi+4], esi
		jmp	short loc_53DE4B
IopSetLockOperationProcess endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopGetSetSpecificExtension(size_t,char,int,int)
IopGetSetSpecificExtension proc	near	; CODE XREF: IopCheckInitiatorHint(x,x)+AFp
					; IopSetLockOperationProcess+3Dp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005F27BA SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		mov	cl, [ebp+arg_4]
		push	edi
		xor	edi, edi
		test	cl, cl
		jz	short loc_53DEE9
		xor	edx, edx
		mov	ecx, ebx
		call	IopAllocateFileObjectExtension
		test	eax, eax
		js	short loc_53DF1A
		mov	cl, [ebp+arg_4]
		mov	edx, [ebp+var_4]

loc_53DEE9:				; CODE XREF: IopGetSetSpecificExtension+14j
		mov	eax, [ebx+7Ch]
		push	esi
		test	eax, eax
		jz	loc_5F27BA
		cmp	eax, _IopRevocationExtension
		jz	short loc_53DF54
		mov	esi, [eax+edx*4+4]
		mov	edi, eax

loc_53DF03:				; CODE XREF: IopGetSetSpecificExtension+B48FEj
		test	esi, esi
		jz	short loc_53DF20

loc_53DF07:				; CODE XREF: IopGetSetSpecificExtension+62j
					; IopGetSetSpecificExtension+8Dj ...
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_53DF10
		mov	[eax], esi

loc_53DF10:				; CODE XREF: IopGetSetSpecificExtension+4Cj
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	short loc_53DF5F

loc_53DF17:				; CODE XREF: IopGetSetSpecificExtension+A1j
		xor	eax, eax

loc_53DF19:				; CODE XREF: IopGetSetSpecificExtension+9Dj
		pop	esi

loc_53DF1A:				; CODE XREF: IopGetSetSpecificExtension+21j
		pop	edi
		pop	ebx
		leave
		retn	10h
; 

loc_53DF20:				; CODE XREF: IopGetSetSpecificExtension+45j
					; IopGetSetSpecificExtension+96j
		test	cl, cl
		jz	short loc_53DF07
		mov	edx, [ebp+arg_0]
		call	sub_4FC146
		mov	esi, eax
		test	esi, esi
		jz	short loc_53DF58
		push	[ebp+arg_0]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edx, [ebp+var_4]
		add	esp, 0Ch
		mov	ecx, edi
		push	esi
		call	_IopSetTypeSpecificFoExtension@12 ; IopSetTypeSpecificFoExtension(x,x,x)
		test	eax, eax
		jns	short loc_53DF07
		jmp	loc_5F27C3
; 

loc_53DF54:				; CODE XREF: IopGetSetSpecificExtension+3Bj
		xor	esi, esi
		jmp	short loc_53DF20
; 

loc_53DF58:				; CODE XREF: IopGetSetSpecificExtension+70j
		mov	eax, 0C000009Ah
		jmp	short loc_53DF19
; 

loc_53DF5F:				; CODE XREF: IopGetSetSpecificExtension+55j
		mov	[eax], edi
		jmp	short loc_53DF17
IopGetSetSpecificExtension endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSetTimerEx	proc near		; DATA XREF: .text:00580C5Co

var_4C		= dword	ptr -4Ch
var_24		= dword	ptr -24h
var_1D		= dword	ptr -1Dh
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005F27DE SIZE 00000008 BYTES
; FUNCTION CHUNK AT 005F2808 SIZE 0000001F BYTES
; FUNCTION CHUNK AT 005F2849 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6AB8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	ecx, 8
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		rep stosd
		mov	byte ptr [ebp+var_1D], al
		mov	[ebp+var_24], eax
		mov	eax, large fs:124h
		mov	dl, [eax+15Ah]
		mov	[ebp+var_19], dl
		test	dl, dl
		jz	loc_5F2808
		mov	[ebp+var_4], 0
		mov	eax, [ebp+arg_C]
		mov	ebx, [ebp+arg_8]
		test	eax, eax
		jz	short loc_53E001
		test	bl, 3
		jnz	loc_53E0B6
		lea	ecx, [ebx+eax]
		mov	esi, ds:_MmUserProbeAddress
		cmp	ecx, esi
		ja	loc_5F27DE
		cmp	ecx, ebx
		jb	loc_5F27DE

loc_53E001:				; CODE XREF: NtSetTimerEx+6Dj
					; NtSetTimerEx+B4871j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_53E008:				; CODE XREF: NtSetTimerEx+B489Ej
		cmp	[ebp+arg_4], 0
		jnz	loc_5F2813
		cmp	eax, 20h
		jnz	loc_5F281D
		test	dl, dl
		jz	short loc_53E03C
		mov	[ebp+var_4], 1
		mov	ecx, 8
		mov	esi, ebx
		lea	edi, [ebp+var_4C]
		rep movsd
		mov	[ebp+var_4], 0FFFFFFFEh
		lea	ebx, [ebp+var_4C]

loc_53E03C:				; CODE XREF: NtSetTimerEx+ADj
		mov	ecx, [ebx+14h]
		cmp	ecx, 7FFFFFFFh
		ja	loc_5F2849
		mov	eax, [ebx+10h]
		test	eax, eax
		jnz	short loc_53E097

loc_53E052:				; CODE XREF: NtSetTimerEx+144j
		mov	eax, [ebx+1Ch]
		push	eax
		mov	eax, [ebx+18h]
		push	eax
		push	ecx
		push	[ebp+var_1D]
		mov	edi, [ebp+var_24]
		push	edi
		mov	eax, [ebx+0Ch]
		push	eax
		mov	eax, [ebx+8]
		push	eax
		push	ebx
		mov	ecx, [ebp+arg_0]
		call	ExpSetTimer
		mov	esi, eax
		test	esi, esi
		js	short loc_53E0BB
		cmp	esi, 40000025h
		jz	short loc_53E0BB

loc_53E081:				; CODE XREF: NtSetTimerEx+14Dj
					; NtSetTimerEx+156j
		mov	eax, esi

loc_53E083:				; CODE XREF: NtSetTimerEx+13Cj
					; sub_5F27F6+Dj ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_53E097:				; CODE XREF: NtSetTimerEx+E0j
		lea	ecx, [ebp+var_24]
		push	ecx
		lea	ecx, [ebp+var_1D]
		push	ecx
		push	0
		push	0
		mov	ecx, eax
		call	_PoCaptureReasonContext@24 ; PoCaptureReasonContext(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_53E083
		mov	ecx, [ebx+14h]
		mov	dl, [ebp+var_19]
		jmp	short loc_53E052
; 

loc_53E0B6:				; CODE XREF: NtSetTimerEx+72j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_53E0BB:				; CODE XREF: NtSetTimerEx+107j
					; NtSetTimerEx+10Fj
		test	edi, edi
		jz	short loc_53E081
		mov	ecx, edi
		call	_PoDestroyReasonContext@4 ; PoDestroyReasonContext(x)
		jmp	short loc_53E081
NtSetTimerEx	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpSetTimer	proc near		; CODE XREF: NtSetTimerEx+FEp
					; NtSetTimer+70p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 005F2853 SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_4]
		push	edi
		push	eax
		mov	ebx, edx
		mov	[ebp+var_4], edi
		push	ebx
		push	edi
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_53E147
		push	esi
		mov	esi, [ebp+var_4]
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, ds:_ExpIRTimerObjectType
		jz	loc_5F2853
		mov	ecx, esi
		cmp	eax, ds:_ExTimerObjectType
		jnz	loc_5F2899
		push	[ebp+arg_1C]
		mov	dl, bl
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ExpSetTimerObject

loc_53E146:				; CODE XREF: ExpSetTimer+B47BBj
					; ExpSetTimer+B47CCj ...
		pop	esi

loc_53E147:				; CODE XREF: ExpSetTimer+20j
		pop	edi
		pop	ebx
		leave
		retn	20h
ExpSetTimer	endp

; 
		align 10h

ExpSetTimerObject:			; CODE XREF: ExpSetTimer+79p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6AE0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 54h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	[ebp-3Ch], edx
		mov	esi, ecx
		mov	[ebp-60h], esi
		xor	ecx, ecx
		mov	[ebp-20h], ecx
		mov	[ebp-19h], cl
		mov	[ebp-38h], ecx
		mov	edi, [ebp+14h]
		mov	[ebp-2Ch], edi
		test	edi, edi
		jnz	loc_53E4D0

loc_53E1A6:				; CODE XREF: .text:0053E621j
					; .text:0053E62Bj ...
		mov	dword ptr [ebp-40h], 0
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp-28h], eax
		mov	byte ptr [ebp+17h], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp-1Ah], al
		cmp	byte ptr [ebp-3Ch], 0
		jz	short loc_53E1DC
		mov	eax, [ebp-28h]
		test	byte ptr [eax+64h], 10h
		jnz	loc_53E300

loc_53E1DC:				; CODE XREF: .text:0053E1CDj
					; .text:0053E30Fj
		lea	ecx, [esi+28h]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte ptr [ebp-19h], 0
		jnz	short loc_53E1F7
		cmp	dword ptr [esi+90h], 0
		jnz	loc_5F2951

loc_53E1F7:				; CODE XREF: .text:0053E1E8j
		mov	eax, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[ebp-44h], eax

loc_53E1FF:				; CODE XREF: .text:005F2B46j
		mov	ecx, esi
		call	ExpCancelTimer
		inc	eax
		mov	[ebp-24h], eax
		mov	eax, [esi+4]
		mov	[ebp-48h], eax
		mov	ecx, [ebp+1Ch]
		mov	[esi+84h], ecx
		mov	dword ptr [esi+88h], 0
		mov	edx, [ebp+20h]
		mov	[esi+0B8h], edx
		mov	eax, [ebp+0Ch]
		test	eax, eax
		jnz	loc_53E73A

loc_53E237:				; CODE XREF: .text:0053E7A5j
		mov	byte ptr [ebp+0Ch], 0
		mov	eax, [ebp+8]
		mov	edi, [eax]
		mov	[ebp+10h], edi
		mov	eax, [eax+4]
		mov	[ebp-30h], eax
		mov	eax, [ebp-28h]
		mov	edi, [eax+158h]
		mov	[ebp-58h], edi
		cmp	byte ptr [ebp+17h], 0
		mov	edi, [ebp-2Ch]
		jnz	loc_53E314

loc_53E262:				; CODE XREF: .text:0053E32Cj
					; .text:0053E33Dj ...
		test	byte ptr [esi+0A8h], 2
		jnz	loc_5F2BFA
		push	dword ptr [ebp-40h]
		push	edx
		push	ecx
		push	dword ptr [ebp-30h]
		push	dword ptr [ebp+10h]
		push	esi
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		test	edi, edi
		jnz	loc_53E630

loc_53E288:				; CODE XREF: .text:0053E635j
					; .text:005F2C1Dj ...
		mov	eax, [esi+90h]
		mov	[ebp+8], eax
		mov	[esi+90h], edi
		mov	al, [ebp+18h]
		shl	al, 2
		xor	al, [esi+0A8h]
		and	al, 4
		xor	[esi+0A8h], al
		lea	ecx, [esi+28h]
		call	@KefReleaseSpinLockFromDpcLevel@4 ; KefReleaseSpinLockFromDpcLevel(x)
		cmp	byte ptr [ebp+17h], 0
		jnz	loc_53E348

loc_53E2BD:				; CODE XREF: .text:0053E356j
		mov	cl, [ebp-1Ah]
		call	dword ptr [ebp-44h]
		cmp	byte ptr [ebp-19h], 0
		jnz	loc_53E35B

loc_53E2CD:				; CODE XREF: .text:0053E4BEj
					; .text:0053E4CBj
		mov	eax, [ebp-24h]
		test	eax, eax
		jz	short loc_53E2DE
		push	ecx
		mov	edx, eax
		mov	ecx, esi
		call	ObDereferenceObjectExWithTag

loc_53E2DE:				; CODE XREF: .text:0053E2D2j
		mov	ecx, [ebp+24h]
		test	ecx, ecx
		jnz	loc_5F2CAA

loc_53E2E9:				; CODE XREF: .text:005F28D8j
					; .text:005F2CD4j ...
		mov	eax, [ebp-20h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_53E300:				; CODE XREF: .text:0053E1D6j
		lea	ecx, [eax+454h]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	byte ptr [ebp+17h], 1
		jmp	loc_53E1DC
; 

loc_53E314:				; CODE XREF: .text:0053E25Cj
		cmp	dword ptr [esi+9Ch], 0
		jz	loc_5F2B4B

loc_53E321:				; CODE XREF: .text:005F2B91j
		lock inc dword ptr [eax+448h]
		test	byte ptr [eax+64h], 10h
		jz	loc_53E262
		mov	eax, [eax+0ACh]
		mov	[ebp+0Ch], eax
		test	eax, eax
		jz	loc_53E262
		jmp	loc_5F2B96
; 

loc_53E348:				; CODE XREF: .text:0053E2B7j
		mov	ecx, [ebp-28h]
		add	ecx, 454h
		call	@KefReleaseSpinLockFromDpcLevel@4 ; KefReleaseSpinLockFromDpcLevel(x)
		jmp	loc_53E2BD
; 

loc_53E35B:				; CODE XREF: .text:0053E2C7j
		cmp	dword ptr [ebp+8], 0
		jz	loc_53E658
		test	edi, edi
		jz	loc_5F2C2E

loc_53E36D:				; CODE XREF: .text:0053E65Aj
					; .text:0053E688j ...
		or	eax, 0FFFFFFFFh
		mov	ecx, offset _ExpWakeTimerLock
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_53E6B2

loc_53E383:				; CODE XREF: .text:0053E6BCj
		mov	dword ptr [ebp-34h], 0
		mov	eax, offset _ExpWakeTimerLock
		test	eax, 7FFFFFFCh
		jz	loc_53E4B1
		mov	edi, large fs:124h
		mov	[ebp+20h], edi
		mov	ecx, eax
		shr	ecx, 15h
		mov	edx, dword_6D07D0
		cmp	edx, eax
		ja	short loc_53E3D7
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_53E68D
		cmp	edx, offset _ExpWakeTimerLock
		ja	short loc_53E3D7
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_53E68D

loc_53E3D7:				; CODE XREF: .text:0053E3B1j
					; .text:0053E3C8j
		or	eax, 0FFFFFFFFh

loc_53E3DA:				; CODE XREF: .text:0053E698j
		mov	[ebp+1Ch], eax
		dec	word ptr [edi+13Eh]
		nop
		inc	byte ptr [edi+1E6h]
		nop
		mov	cl, [edi+1E6h]
		mov	[ebp+1Bh], cl
		push	eax
		mov	edx, offset _ExpWakeTimerLock
		mov	ecx, edi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[ebp+14h], edx
		test	edx, edx
		jz	loc_53E7AA
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	dword ptr [edx+10h], 0
		jl	loc_53E7C3

loc_53E422:				; CODE XREF: .text:0053E7CDj
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	edi, 1FFFFh
		mov	[ebp-34h], edi
		and	eax, 0FFFE0000h
		mov	[edx+2Ch], eax
		and	byte ptr [edx+0Dh], 0FEh
		nop
		mov	dword ptr [edx+10h], 0
		mov	ecx, [ebp+20h]
		sub	edx, [ecx+1E8h]
		mov	eax, 2AAAAAABh
		imul	edx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	al, 1
		shl	al, cl
		mov	ecx, [ebp+20h]
		cmp	byte ptr [ebp+1Bh], 1
		jnz	loc_5F2C6F
		or	[ecx+1E4h], al

loc_53E475:				; CODE XREF: .text:0053E7BEj
					; .text:005F2C7Bj
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+18h], eax
		jnz	loc_53E6C1

loc_53E48C:				; CODE XREF: .text:0053E6FFj
					; .text:005F2CA5j
		nop
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		test	ax, ax
		jnz	short loc_53E4B1
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	loc_53E7D2

loc_53E4B1:				; CODE XREF: .text:0053E394j
					; .text:0053E4A3j ...
		mov	ecx, [ebp-38h]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, [ebp+8]
		test	eax, eax
		jz	loc_53E2CD
		mov	ecx, eax
		call	_PoDestroyReasonContext@4 ; PoDestroyReasonContext(x)
		jmp	loc_53E2CD
; 

loc_53E4D0:				; CODE XREF: .text:0053E1A0j
		cmp	[ebp+18h], cl
		jnz	loc_5F28A8

loc_53E4D9:				; CODE XREF: .text:005F28AFj
					; .text:005F28CBj
		cmp	dword_6C2E60, 2
		jl	loc_5F28DD

loc_53E4E6:				; CODE XREF: .text:005F28E4j
		mov	byte ptr [ebp-19h], 1
		mov	eax, large fs:124h
		mov	[ebp-38h], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	dword ptr [ebp-50h], 0
		mov	eax, offset _ExpWakeTimerLock
		and	eax, 7FFFFFFCh
		mov	[ebp-48h], eax
		jz	loc_5F28FC
		mov	edx, large fs:124h
		mov	[ebp-28h], edx
		dec	word ptr [edx+13Eh]
		nop
		inc	byte ptr [edx+1E6h]
		nop
		cmp	byte ptr [edx+1E6h], 1
		jnz	loc_53E63A
		mov	dword ptr [ebp-4Ch], 0
		mov	cl, [edx+1E4h]
		mov	[ebp+17h], cl
		test	cl, cl
		jz	loc_5F2906

loc_53E553:				; CODE XREF: .text:005F2920j
		movzx	eax, cl
		bsf	ecx, eax
		mov	[ebp-4Ch], ecx
		mov	al, 1
		shl	al, cl
		not	al
		and	al, [ebp+17h]
		mov	[edx+1E4h], al
		lea	eax, [ecx+ecx*2]
		shl	eax, 4
		add	eax, [edx+1E8h]
		mov	[ebp+14h], eax

loc_53E57A:				; CODE XREF: .text:005F2934j
					; .text:005F294Cj
		test	eax, eax
		jz	loc_53E70A
		mov	ecx, offset _ExpWakeTimerLock
		shr	ecx, 15h
		mov	edi, dword_6D07D0
		cmp	edi, offset _ExpWakeTimerLock
		ja	short loc_53E5BF
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_53E69D
		mov	eax, [ebp+14h]
		cmp	edi, offset _ExpWakeTimerLock
		ja	short loc_53E5BF
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_53E69D

loc_53E5BF:				; CODE XREF: .text:0053E596j
					; .text:0053E5B0j
		or	ecx, 0FFFFFFFFh

loc_53E5C2:				; CODE XREF: .text:0053E6ADj
		mov	[eax+14h], ecx
		nop
		mov	ecx, [ebp-48h]
		mov	[eax+10h], ecx

loc_53E5CC:				; CODE XREF: .text:0053E712j
		nop
		dec	byte ptr [edx+1E6h]
		lea	eax, [ebp-50h]
		push	eax
		mov	edx, offset _ExpWakeTimerLock
		mov	ecx, [ebp-28h]
		call	KiAbThreadRemoveBoosts
		nop
		mov	ecx, [ebp-28h]
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		test	ax, ax
		jnz	short loc_53E60C
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	loc_53E717

loc_53E60C:				; CODE XREF: .text:0053E5FEj
					; .text:0053E71Cj
		mov	eax, [ebp+14h]

loc_53E60F:				; CODE XREF: .text:005F2901j
		mov	ecx, offset _ExpWakeTimerLock
		lock bts dword ptr [ecx], 0
		jb	loc_53E721

loc_53E61F:				; CODE XREF: .text:0053E735j
		test	eax, eax
		jz	loc_53E1A6
		or	byte ptr [eax+0Eh], 1
		jmp	loc_53E1A6
; 

loc_53E630:				; CODE XREF: .text:0053E282j
		lock bts dword ptr [esi], 9
		jmp	loc_53E288
; 

loc_53E63A:				; CODE XREF: .text:0053E535j
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	offset _ExpWakeTimerLock
		push	dword ptr [ebp-28h]
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_53E658:				; CODE XREF: .text:0053E35Fj
		test	edi, edi
		jz	loc_53E36D
		lea	eax, [esi+94h]
		mov	ecx, dword_6BBC74
		cmp	dword ptr [ecx], offset	_ExpWakeTimerList
		jnz	loc_53E7DC
		mov	dword ptr [eax], offset	_ExpWakeTimerList
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6BBC74, eax
		jmp	loc_53E36D
; 

loc_53E68D:				; CODE XREF: .text:0053E3BCj
					; .text:0053E3D1j
		mov	ecx, [edi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_53E3DA
; 

loc_53E69D:				; CODE XREF: .text:0053E5A1j
					; .text:0053E5B9j
		mov	ecx, [edx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	eax, [ebp+14h]
		jmp	loc_53E5C2
; 

loc_53E6B2:				; CODE XREF: .text:0053E37Dj
		mov	ecx, offset _ExpWakeTimerLock
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_53E383
; 

loc_53E6C1:				; CODE XREF: .text:0053E486j
		test	edi, 8000h
		jz	short loc_53E6D3
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp+20h]

loc_53E6D3:				; CODE XREF: .text:0053E6C7j
		test	byte ptr [ebp-32h], 1
		jnz	loc_5F2C80

loc_53E6DD:				; CODE XREF: .text:005F2C90j
		test	edi, 7FFFh
		jz	short loc_53E6F2
		and	edi, 7FFFh
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_53E6F2:				; CODE XREF: .text:0053E6E3j
		mov	ecx, [ebp+20h]
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_53E48C
		jmp	loc_5F2C95
; 

loc_53E70A:				; CODE XREF: .text:0053E57Cj
		lea	eax, [edx+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_53E5CC
; 

loc_53E717:				; CODE XREF: .text:0053E606j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_53E60C
; 

loc_53E721:				; CODE XREF: .text:0053E619j
		push	offset _ExpWakeTimerLock
		mov	edx, eax
		mov	ecx, offset _ExpWakeTimerLock
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+14h]
		jmp	loc_53E61F
; 

loc_53E73A:				; CODE XREF: .text:0053E231j
		mov	edi, large fs:124h
		push	dword ptr [ebp+10h]
		push	dword ptr [ebp-3Ch]
		push	eax
		push	0
		push	offset _ExpTimerApcRoutine@20 ;	ExpTimerApcRoutine(x,x,x,x,x)
		push	2
		push	edi
		lea	eax, [esi+2Ch]
		push	eax
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		lea	eax, [edi+2A0h]
		mov	[ebp+1Ch], eax
		mov	ecx, eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	eax, [esi+7Ch]
		add	edi, 2A4h
		mov	edx, [edi+4]
		cmp	[edx], edi
		jnz	short loc_53E7DC
		mov	[eax], edi
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[edi+4], eax
		or	byte ptr [esi+0A8h], 1
		mov	ecx, [ebp+1Ch]
		call	@KefReleaseSpinLockFromDpcLevel@4 ; KefReleaseSpinLockFromDpcLevel(x)
		lea	eax, [esi+5Ch]
		mov	[ebp-40h], eax
		dec	dword ptr [ebp-24h]
		xor	ecx, ecx
		mov	[ebp+1Ch], ecx
		mov	edx, [ebp+20h]
		jmp	loc_53E237
; 

loc_53E7AA:				; CODE XREF: .text:0053E409j
		mov	eax, [edi+5Ch]
		test	eax, 10000h
		jz	loc_5F2C5A
		mov	edi, [ebp-34h]
		mov	ecx, [ebp+20h]
		jmp	loc_53E475
; 

loc_53E7C3:				; CODE XREF: .text:0053E41Cj
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp+14h]
		jmp	loc_53E422
; 

loc_53E7D2:				; CODE XREF: .text:0053E4ABj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_53E4B1
; 

loc_53E7DC:				; CODE XREF: .text:0053E672j
					; .text:0053E779j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 8
; Exported entry 149. KefReleaseSpinLockFromDpcLevel
; Exported entry 158. KiReleaseSpinLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KefReleaseSpinLockFromDpcLevel(x)
		public @KefReleaseSpinLockFromDpcLevel@4
@KefReleaseSpinLockFromDpcLevel@4 proc near
					; CODE XREF: PsRemoveVirtualizedTimer(x,x,x,x)+1Dp
					; PsRemoveVirtualizedTimer(x,x,x,x)+5Cp ...
		mov	edi, edi	; KefReleaseSpinLockFromDpcLevel
		push	ebp
		mov	ebp, esp
		test	ds:byte_70EFC6,	1
		jnz	short loc_53E7FD
		xor	eax, eax
		lock and [ecx],	eax
		pop	ebp
		retn
; 

loc_53E7FD:				; CODE XREF: KefReleaseSpinLockFromDpcLevel(x)+Cj
		mov	edx, [ebp+4]
		pop	ebp
		jmp	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
@KefReleaseSpinLockFromDpcLevel@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1287. KeSetCoalescableTimer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetCoalescableTimer(x, x,	x, x, x, x)
		public _KeSetCoalescableTimer@24
_KeSetCoalescableTimer@24 proc near	; CODE XREF: CmpArmLazyWriter+185p
					; PopFxEnableWorkOrderWatchdog+4Fp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_10]
		mov	byte ptr [ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		test	eax, eax
		jnz	short loc_53E842
		mov	esi, [ebp+arg_C]
		mov	ebx, [ebp+arg_8]
		mov	edi, [ebp+arg_4]

loc_53E829:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+8Bj
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		push	ebx
		push	edi
		push	[ebp+arg_14]
		push	[ebp+var_4]
		call	KiSetTimerEx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_53E842:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+12j
		mov	ecx, 2710h
		mul	ecx
		mov	ecx, 0FC0000h
		test	edx, edx
		jnz	short loc_53E856
		cmp	eax, ecx
		jbe	short loc_53E899

loc_53E856:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+44j
		mov	esi, [ebp+arg_8]
		sub	eax, ecx
		mov	ecx, [ebp+arg_4]
		sbb	edx, 0
		test	esi, esi
		jg	short loc_53E8A4
		jl	short loc_53E86B
		test	ecx, ecx
		jnb	short loc_53E8A4

loc_53E86B:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+59j
		mov	edi, ecx
		mov	ebx, esi
		sub	edi, eax
		sbb	ebx, edx
		cmp	ebx, esi
		jl	short loc_53E87D
		jg	short loc_53E8D8
		cmp	edi, ecx
		ja	short loc_53E8D8

loc_53E87D:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+69j
					; KeSetCoalescableTimer(x,x,x,x,x,x)+A2j ...
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jnz	short loc_53E8C0

loc_53E884:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+CAj
					; KeSetCoalescableTimer(x,x,x,x,x,x)+D8j
		mov	eax, 0FC0000h

loc_53E889:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+96j
		shr	eax, 12h
		cmp	eax, 3Fh
		ja	short loc_53E8E6

loc_53E891:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+DDj
		shl	al, 2
		mov	byte ptr [ebp+var_4], al
		jmp	short loc_53E829
; 

loc_53E899:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+48j
		mov	esi, [ebp+arg_C]
		mov	ebx, [ebp+arg_8]
		mov	edi, [ebp+arg_4]
		jmp	short loc_53E889
; 

loc_53E8A4:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+57j
					; KeSetCoalescableTimer(x,x,x,x,x,x)+5Dj
		mov	edi, eax
		mov	ebx, edx
		add	edi, ecx
		adc	ebx, esi
		cmp	ebx, esi
		jg	short loc_53E87D
		jl	short loc_53E8B6
		cmp	edi, ecx
		jnb	short loc_53E87D

loc_53E8B6:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+A4j
		or	edi, 0FFFFFFFFh
		mov	ebx, 7FFFFFFFh
		jmp	short loc_53E87D
; 

loc_53E8C0:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+76j
		push	0
		push	2710h
		push	edx
		push	eax
		call	__alldiv
		add	eax, esi
		cmp	eax, esi
		jb	short loc_53E8E1
		mov	esi, eax
		jmp	short loc_53E884
; 

loc_53E8D8:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+6Bj
					; KeSetCoalescableTimer(x,x,x,x,x,x)+6Fj
		xor	edi, edi
		mov	ebx, 80000000h
		jmp	short loc_53E87D
; 

loc_53E8E1:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+C6j
		or	esi, 0FFFFFFFFh
		jmp	short loc_53E884
; 

loc_53E8E6:				; CODE XREF: KeSetCoalescableTimer(x,x,x,x,x,x)+83j
		push	3Fh
		pop	eax
		jmp	short loc_53E891
_KeSetCoalescableTimer@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpCancelTimer	proc near		; CODE XREF: .text:0053D20Cp
					; .text:0053E201p ...

; FUNCTION CHUNK AT 005F2CF8 SIZE 000000A0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		test	byte ptr [esi+0A8h], 1
		jnz	loc_5F2CF8
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	dl, 1
		mov	ecx, esi
		mov	bl, al
		call	KiCancelTimer
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_53E91E:				; CODE XREF: ExpCancelTimer+B448Bj
					; ExpCancelTimer+B4492j
		mov	eax, edi
		mov	byte ptr [esi+8Ch], 0
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
ExpCancelTimer	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSetTimerEx	proc near		; CODE XREF: PopSetWatchdog+13Ap
					; CcScheduleLazyWriteScan(x,x,x)+67p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], 0
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ebx, large fs:20h
		xor	dl, dl
		mov	ecx, esi
		mov	byte ptr [ebp+var_C], al
		call	KiCancelTimer
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_4]
		push	[ebp+arg_8]
		mov	dl, [ebp+arg_0]
		mov	[ebp+var_1], al
		lea	eax, [ebp+var_8]
		mov	[esi+20h], ecx
		mov	ecx, esi
		push	eax
		mov	[esi+24h], edi
		call	KiComputeDueTime
		test	eax, eax
		jz	short loc_53E9D4
		mov	edi, [ebp+arg_4]
		mov	edx, esi
		push	0
		push	[ebp+var_8]
		mov	ecx, ebx
		mov	dword ptr [esi+4], 0
		push	edi
		call	KiInsertTimerTable
		test	al, al
		jz	short loc_53E9D4
		test	ds:dword_70EFC8, 20000h
		jnz	loc_5F2D88
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax

loc_53E9B8:				; CODE XREF: KiSetTimerEx+AFj
					; ExpCancelTimer+B44A7j
		push	[ebp+var_C]
		xor	edx, edx
		mov	ecx, ebx
		push	0
		push	1
		call	KiExitDispatcher
		mov	al, [ebp+var_1]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_53E9D4:				; CODE XREF: KiSetTimerEx+51j
					; KiSetTimerEx+6Ej
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	KiTimerWaitTest
		jmp	short loc_53E9B8
KiSetTimerEx	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiComputeDueTime proc near		; CODE XREF: KiResumeThread+232p
					; KiSetTimerEx+4Ap ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F2D98 SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		mov	ebx, [ebp+arg_8]
		xor	eax, eax
		mov	[ebp+var_18], 0
		mov	[ebp+var_14], 0
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], esi
		push	edi
		mov	eax, [esi]
		mov	[ebp+var_28], eax
		mov	byte ptr [ebp+var_28+1], dl
		test	ebx, ebx
		jns	short loc_53EAA3
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_C], ecx

loc_53EA37:				; CODE XREF: KiComputeDueTime+10Dj
		xor	edi, edi
		mov	[ebp+arg_8], edi
		test	dl, 0FCh
		jnz	short loc_53EA95

loc_53EA41:				; CODE XREF: KiComputeDueTime+B1j
		mov	eax, ds:0FFDF000Ch
		mov	ecx, ds:0FFDF0008h
		mov	[ebp+var_14], 0
		cmp	eax, ds:0FFDF0010h
		jnz	loc_5F2DC0

loc_53EA5F:				; CODE XREF: KiComputeDueTime+B43F4j
		sub	ecx, [ebp+var_C]
		mov	[esi+10h], ecx
		sbb	eax, ebx
		add	ecx, edi
		mov	[esi+14h], eax
		adc	eax, 0
		shrd	ecx, eax, 12h
		mov	eax, [ebp+arg_0]
		or	byte ptr [ebp+var_28+3], 40h
		movzx	ecx, cl
		mov	byte ptr [ebp+var_28+2], cl
		mov	[eax], ecx
		mov	eax, [ebp+var_28]
		pop	edi
		mov	[esi], eax
		mov	eax, 1
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_53EA95:				; CODE XREF: KiComputeDueTime+4Fj
		movzx	edi, dl
		and	edi, 0FFFFFFFCh
		shl	edi, 10h
		mov	[ebp+arg_8], edi
		jmp	short loc_53EA41
; 

loc_53EAA3:				; CODE XREF: KiComputeDueTime+3Fj
		or	dl, 1
		mov	[ebp+var_10], 0
		mov	byte ptr [ebp+var_28+1], dl
		mov	ecx, 0FFDF0014h
		mov	edx, 0FFDF0018h
		mov	eax, 0FFDF001Ch
		mov	edx, [edx]
		mov	ecx, [ecx]
		mov	eax, [eax]
		cmp	edx, eax
		jnz	loc_5F2D98

loc_53EACD:				; CODE XREF: KiComputeDueTime+B43CBj
		sub	ecx, [ebp+arg_4]
		mov	[ebp+var_C], ecx
		sbb	edx, ebx
		mov	ebx, edx
		mov	[ebp+var_8], ebx
		js	short loc_53EAFA
		mov	eax, [ebp+var_28]
		mov	[esi], eax
		xor	eax, eax
		pop	edi
		mov	dword ptr [esi+10h], 0
		mov	dword ptr [esi+14h], 0
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_53EAFA:				; CODE XREF: KiComputeDueTime+EAj
		mov	dl, byte ptr [ebp+var_28+1]
		jmp	loc_53EA37
KiComputeDueTime endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiCancelTimer	proc near		; CODE XREF: KiSuspendThread+1EDp
					; KeCancelTimerInternal(x,x,x,x)+Ep ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F2DE9 SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	bh, dl
		mov	[ebp+var_24], 0
		mov	esi, ecx
		xor	bl, bl
		push	edi

loc_53EB32:				; CODE XREF: KiCancelTimer+18Ej
					; KiCancelTimer+1A0j
		mov	[ebp+var_28], 0
		lock bts dword ptr [esi], 7
		jb	loc_53ECB8

loc_53EB44:				; CODE XREF: KiCancelTimer+1BBj
		mov	al, [esi+3]
		test	al, 0C0h
		jnz	short loc_53EB76
		test	bh, bh
		jnz	loc_53EC17

loc_53EB53:				; CODE XREF: KiCancelTimer+102j
					; KiCancelTimer+10Fj
		test	ds:dword_70EFC8, 20000h
		pop	edi
		jnz	loc_5F2DFF

loc_53EB64:				; CODE XREF: KiCancelTimer+B42F1j
					; KiCancelTimer+B4331j
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_53EB76:				; CODE XREF: KiCancelTimer+39j
		movzx	edi, byte ptr [esi+2]
		movzx	eax, al
		shr	eax, 1
		and	eax, 1Fh
		mov	[ebp+var_30], edi
		lea	edi, [edi+edi*2]
		mov	[ebp+var_2C], 0
		lea	edi, [edi+8]
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		add	ecx, 2260h
		mov	[ebp+var_18], ecx
		lea	edi, [ecx+edi*8]
		mov	[ebp+var_20], edi
		jmp	short loc_53EBB0
; 
		align 10h

loc_53EBB0:				; CODE XREF: KiCancelTimer+98j
					; KiCancelTimer+15Ej
		lock bts dword ptr [edi], 0
		jb	loc_53EC60
		cmp	byte ptr [esi+3], 0
		mov	edi, [ebp+var_30]
		jl	loc_53EC73
		mov	ecx, [ebp+var_18]
		lea	edx, [esi+18h]
		lea	eax, [edi+edi*2]
		lea	eax, [ecx+eax*8]
		mov	ecx, [edx]
		mov	[ebp+var_1C], eax
		mov	eax, [edx+4]
		cmp	[ecx+4], edx
		jnz	loc_5F2DF8
		cmp	[eax], edx
		jnz	loc_5F2DF8
		mov	[eax], ecx
		mov	[ecx+4], eax
		cmp	eax, ecx
		jz	short loc_53EC24

loc_53EBF6:				; CODE XREF: KiCancelTimer+14Dj
		mov	eax, [ebp+var_20]
		xor	ecx, ecx
		lock and [eax],	ecx
		movzx	eax, bh
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFF80h
		add	eax, 0BFFFFFFFh

loc_53EC0D:				; CODE XREF: KiCancelTimer+1D3j
		lock and [esi],	eax
		mov	bl, 1
		jmp	loc_53EB53
; 

loc_53EC17:				; CODE XREF: KiCancelTimer+3Dj
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		jmp	loc_53EB53
; 

loc_53EC24:				; CODE XREF: KiCancelTimer+E4j
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_18]
		mov	dword ptr [eax+54h], 0FFFFFFFFh
		cmp	ds:_KiSerializeTimerExpiration,	0
		movzx	eax, byte ptr [ecx-1E9Bh]
		mov	eax, ds:dword_70E644[eax*8]
		jz	loc_5F2DE9
		mov	ecx, edi
		shr	edi, 5
		and	ecx, 1Fh
		shl	edi, 2

loc_53EC57:				; CODE XREF: KiCancelTimer+B42E3j
		add	eax, edi
		lock btr [eax],	ecx
		jmp	short loc_53EBF6
; 
		align 10h

loc_53EC60:				; CODE XREF: KiCancelTimer+A5j
					; KiCancelTimer+15Cj
		lea	ecx, [ebp+var_2C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_53EC60
		jmp	loc_53EBB0
; 

loc_53EC73:				; CODE XREF: KiCancelTimer+B2j
		mov	eax, [ebp+var_20]
		xor	ecx, ecx
		lock and [eax],	ecx
		movzx	eax, byte ptr [esi+3]
		mov	ecx, [ebp+var_18]
		and	eax, 1
		lea	eax, [ecx+eax*4]
		xor	ecx, ecx
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_53ECD3
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		mov	[ebp+var_1C], ecx
		cmp	[esi+3], cl
		jge	loc_53EB32

loc_53ECA4:				; CODE XREF: KiCancelTimer+1A6j
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		cmp	byte ptr [esi+3], 0
		jge	loc_53EB32
		jmp	short loc_53ECA4
; 

loc_53ECB8:				; CODE XREF: KiCancelTimer+2Ej
					; KiCancelTimer+1B4j ...
		lea	ecx, [ebp+var_28]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	al, al
		js	short loc_53ECB8
		lock bts dword ptr [esi], 7
		jnb	loc_53EB44
		jmp	short loc_53ECB8
; 

loc_53ECD3:				; CODE XREF: KiCancelTimer+17Ej
		mov	eax, 0FF000000h
		test	bh, bh
		jz	short loc_53ECE1
		mov	eax, 0FF000080h

loc_53ECE1:				; CODE XREF: KiCancelTimer+1CAj
		not	eax
		jmp	loc_53EC0D
KiCancelTimer	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1248. KeReadStateTimer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeReadStateTimer(x)
		public _KeReadStateTimer@4
_KeReadStateTimer@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	al, [eax+4]
		pop	ebp
		retn	4
_KeReadStateTimer@4 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 850. IoGetCurrentProcess
; Exported entry 1766. PsGetCurrentProcess

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentProcess()
		public _PsGetCurrentProcess@0
_PsGetCurrentProcess@0 proc near	; CODE XREF: MiInitializeMdlBatchPages(x):loc_4B178Cp
					; SepDesktopAppxSubProcessToken(x,x,x,x,x)+2E7p ...
		mov	eax, large fs:124h ; IoGetCurrentProcess
		mov	eax, [eax+80h]
		retn
_PsGetCurrentProcess@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __fastcall ObDereferenceObjectEx(x, x)
@ObDereferenceObjectEx@8 proc near	; CODE XREF: .text:0053D234p
					; PspClearProcessThreadCidRefs(x,x,x)+60p ...
		mov	edi, edi
		push	ecx
		call	ObDereferenceObjectExWithTag
		retn
@ObDereferenceObjectEx@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


ObDereferenceObjectExWithTag proc near	; CODE XREF: MiReferenceControlAreaFile+C3p
					; MiLogPageAccess(x,x)+28Ap ...

; FUNCTION CHUNK AT 005F2E46 SIZE 00000065 BYTES

		cmp	ds:_ObpTraceFlags, 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		lea	eax, [ebx-18h]
		jnz	loc_5F2E46

loc_53ED47:				; CODE XREF: ObDereferenceObjectExWithTag+B4128j
		mov	esi, edi
		neg	esi
		lock xadd [eax], esi
		sub	esi, edi
		test	esi, esi
		jle	short loc_53ED5D

loc_53ED55:				; CODE XREF: ObDereferenceObjectExWithTag+47j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn	4
; 

loc_53ED5D:				; CODE XREF: ObDereferenceObjectExWithTag+23j
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	loc_5F2E5D
		test	esi, esi
		js	loc_5F2E85
		mov	ecx, eax
		call	ObpDeferObjectDeletion
		jmp	short loc_53ED55
ObDereferenceObjectExWithTag endp

; 
		align 10h

;  S U B	R O U T	I N E 


KxWaitForSpinLockAndAcquire proc near	; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+1DAp
					; KxAcquireSpinLock(x)+12j ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		jmp	short loc_53ED90
; 
		align 10h

loc_53ED90:				; CODE XREF: KxWaitForSpinLockAndAcquire+8j
					; KxWaitForSpinLockAndAcquire+23j ...
		inc	esi
		test	ds:_HvlLongSpinCountMask, esi
		jz	loc_5F2E93

loc_53ED9D:				; CODE XREF: ObDereferenceObjectExWithTag+B416Aj
		pause

loc_53ED9F:				; CODE XREF: ObDereferenceObjectExWithTag+B4176j
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_53ED90
		lock bts dword ptr [edi], 0
		jb	short loc_53ED90
		pop	edi
		mov	eax, esi
		pop	esi
		retn
KxWaitForSpinLockAndAcquire endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1811. PsGetProcessServerSilo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessServerSilo(x)
		public _PsGetProcessServerSilo@4
_PsGetProcessServerSilo@4 proc near	; CODE XREF: ObpDecrementHandleCount(x,x)+F8p
					; ObDereferenceDeviceMap(x)+8p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+3A0h]
		pop	ebp
		retn	4
_PsGetProcessServerSilo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryAffinityProcess(x, x, x, x)
_KeQueryAffinityProcess@16 proc	near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+DAEp
					; PAGE:0083B981p ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		lea	eax, [ebx+34h]
		push	eax
		call	ExAcquireSpinLockSharedAtDpcLevel
		mov	eax, [ebp+arg_0]
		lea	esi, [ebx+40h]
		movsd
		movsd
		movsd
		test	eax, eax
		jz	short loc_53EDFA
		mov	dword ptr [eax], 1

loc_53EDFA:				; CODE XREF: KeQueryAffinityProcess(x,x,x,x)+2Aj
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_53EE1A

loc_53EE01:				; CODE XREF: KeQueryAffinityProcess(x,x,x,x)+59j
		lea	eax, [ebx+34h]
		push	eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_53EE1A:				; CODE XREF: KeQueryAffinityProcess(x,x,x,x)+37j
		mov	ax, [ebx+70h]
		mov	[ecx], ax
		jmp	short loc_53EE01
_KeQueryAffinityProcess@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopAcquireRwLockShared(x)
_PopAcquireRwLockShared@4 proc near	; CODE XREF: PopThermalTraceRundownEvents()+Cp
					; PoThermalCounterSetCallback(x,x,x)+3Ap
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		jmp	ExAcquirePushLockSharedEx
_PopAcquireRwLockShared@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KeGetDynamicTickDisableReason()
_KeGetDynamicTickDisableReason@0 proc near
					; CODE XREF: PopDiagTraceDynamicTickStatusRundown()+3Bp
					; EtwpClockSourceRunDown(x,x)+3Ap
		mov	al, byte ptr ds:_KiDynamicTickDisableReason
		retn
_KeGetDynamicTickDisableReason@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopThermalTraceRundownEvents()
_PopThermalTraceRundownEvents@0	proc near ; CODE XREF: PopDiagTraceControlCallback+F5p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, offset _PopPolicyDeviceLock
		mov	ecx, edi
		call	_PopAcquireRwLockShared@4 ; PopAcquireRwLockShared(x)
		mov	esi, _PopThermal
		mov	ebx, offset _PopThermal

loc_53EE5C:				; CODE XREF: PopThermalTraceRundownEvents()+5Cj
		cmp	esi, ebx
		jz	short loc_53EE9E
		mov	cl, [esi+21h]
		test	cl, 2
		jz	short loc_53EE9A
		movzx	eax, byte ptr [esi+29h]
		lea	edx, [esi+398h]
		push	eax
		movzx	eax, byte ptr [esi+28h]
		push	eax
		push	dword ptr [esi+30h]
		mov	al, cl
		shr	cl, 2
		and	al, 1
		and	cl, 1
		movzx	eax, al
		push	eax
		movzx	eax, byte ptr [esi+25h]
		push	eax
		movzx	eax, cl
		mov	ecx, [esi+18h]
		push	eax
		call	PopDiagTraceThermalZoneRundown

loc_53EE9A:				; CODE XREF: PopThermalTraceRundownEvents()+26j
		mov	esi, [esi]
		jmp	short loc_53EE5C
; 

loc_53EE9E:				; CODE XREF: PopThermalTraceRundownEvents()+1Ej
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)
_PopThermalTraceRundownEvents@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceThermalZoneRundown proc near ; CODE	XREF: PopThermalTraceRundownEvents()+55p

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005F2EAB SIZE 00000171 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_AC], ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_B0], ebx
		cmp	_PopDiagHandleRegistered, bl
		jz	short loc_53EF04
		push	offset _POP_ETW_EVENT_THERMAL_ZONE_RUNDOWN
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5F2EAB

loc_53EF04:				; CODE XREF: PopDiagTraceThermalZoneRundown+3Cj
					; PopDiagTraceThermalZoneRundown+B415Dj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
PopDiagTraceThermalZoneRundown endp

; 
		align 2

;  S U B	R O U T	I N E 


PopDiagTraceFxRundown proc near		; CODE XREF: PopDiagTraceControlCallback:loc_8418ACp

; FUNCTION CHUNK AT 005F301C SIZE 00000016 BYTES

		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopFxPluginLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopFxPluginList
		mov	ebx, offset _PopFxPluginList

loc_53EF40:				; CODE XREF: PopDiagTraceFxRundown+B4117j
		cmp	esi, ebx
		jnz	loc_5F301C
		push	11h
		pop	ebx
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [edi], edx
		cmp	eax, ebx
		jz	short loc_53EF5E
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_53EF5E:				; CODE XREF: PopDiagTraceFxRundown+3Fj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	edi, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopFxDeviceList

loc_53EF79:				; CODE XREF: PopDiagTraceFxRundown+83j
		cmp	esi, offset _PopFxDeviceList
		jz	short loc_53EF9B
		cmp	dword ptr [esi+1Ch], 0
		jz	short loc_53EF97
		mov	dl, 1
		mov	ecx, esi
		call	PopFxTraceDeviceRegistration
		mov	ecx, esi
		call	PopDiagTraceDeviceVerboseRundown

loc_53EF97:				; CODE XREF: PopDiagTraceFxRundown+6Fj
		mov	esi, [esi]
		jmp	short loc_53EF79
; 

loc_53EF9B:				; CODE XREF: PopDiagTraceFxRundown+69j
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [edi], edx
		cmp	eax, ebx
		jz	short loc_53EFAE
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_53EFAE:				; CODE XREF: PopDiagTraceFxRundown+8Fj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
PopDiagTraceFxRundown endp

; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepGetDevicePlatformStateDependents proc near
					; CODE XREF: PopDiagTraceDeviceVerboseRundown+9Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F3032 SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], esi
		lea	eax, [esi+2Ch]
		push	eax
		and	dword ptr [edi], 0
		mov	[ebp+var_C], eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		cmp	dword ptr [esi+7Ch], 2
		mov	[ebp+var_1], al
		jz	loc_5F3032

loc_53EFF3:				; CODE XREF: PopPepGetDevicePlatformStateDependents+B4084j
					; PopPepGetDevicePlatformStateDependents+B40BDj
		push	[ebp+var_C]
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		xor	al, al
		pop	esi
		leave
		retn
PopPepGetDevicePlatformStateDependents endp


;  S U B	R O U T	I N E 


; __stdcall PopReleaseRwLock(x)
_PopReleaseRwLock@4 proc near		; CODE XREF: PopThermalTraceRundownEvents()+63j
					; PopCoolingSxTransition+21p ...
		cmp	dword ptr [ecx+4], 0
		jz	short loc_53F014
		and	dword ptr [ecx+4], 0

loc_53F014:				; CODE XREF: PopReleaseRwLock(x)+4j
		xor	edx, edx
		call	ExReleasePushLockEx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopReleaseRwLock@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopAcquireRwLockExclusive(x)
_PopAcquireRwLockExclusive@4 proc near	; CODE XREF: PopCoolingSxTransition+11p
					; PopCoolingSxTransition+39p ...
		mov	eax, large fs:124h
		push	esi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+4], eax
		pop	esi
		retn
_PopAcquireRwLockExclusive@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceDeepSleepConstraintRundown proc near
					; CODE XREF: PopDiagTraceControlCallback+1E4p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		xor	edi, edi
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_53F083
		push	offset _POP_ETW_DEEP_SLEEP_CONSTRAINT_RUNDOWN
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jnz	sub_5F3088

loc_53F083:				; CODE XREF: PopDiagTraceDeepSleepConstraintRundown+1Fj
					; sub_5F3088+10Ej
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTraceDeepSleepConstraintRundown endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExSetHandleAttributes proc near		; CODE XREF: ObSetHandleAttributes+C3p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F319B SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		and	esi, 6
		jz	short loc_53F0AA
		mov	eax, esi
		and	esi, edx
		not	eax
		and	eax, [ecx]
		or	eax, esi
		mov	[ecx], eax

loc_53F0AA:				; CODE XREF: ExSetHandleAttributes+Cj
		test	byte ptr [ebp+arg_0], 8
		pop	esi
		jnz	loc_5F319B

loc_53F0B5:				; CODE XREF: ExSetHandleAttributes+B4122j
		test	byte ptr [ebp+arg_0], 1
		jz	short loc_53F0CB
		mov	eax, [ecx+4]
		test	dl, 1
		jz	short loc_53F0CF
		or	eax, 2000000h

loc_53F0C8:				; CODE XREF: ExSetHandleAttributes+44j
		mov	[ecx+4], eax

loc_53F0CB:				; CODE XREF: ExSetHandleAttributes+29j
		pop	ebp
		retn	4
; 

loc_53F0CF:				; CODE XREF: ExSetHandleAttributes+31j
		and	eax, 0FDFFFFFFh
		jmp	short loc_53F0C8
ExSetHandleAttributes endp


;  S U B	R O U T	I N E 


; __stdcall ObpUnlockDirectory(x, x)
_ObpUnlockDirectory@8 proc near		; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+C75p
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+E1Ep ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		add	ecx, 94h
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, [esi]
		mov	dword ptr [esi+14h], 0EEEE1234h
		call	ObfDereferenceObject
		xor	eax, eax
		mov	[esi], eax
		mov	[esi+12h], ax
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_ObpUnlockDirectory@8 endp


;  S U B	R O U T	I N E 


; __stdcall ObpLockDirectoryExclusive(x, x)
_ObpLockDirectoryExclusive@8 proc near	; CODE XREF: ObpDeleteNameCheck+D8p
					; NtSetInformationObject+12Dp ...
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	dword ptr [edi+14h], 0AAAA1234h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+94h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, 746C6644h
		mov	dword ptr [edi+14h], 0CCCC1234h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	[edi], esi
		mov	word ptr [edi+12h], 101h
		pop	edi
		pop	esi
		retn
_ObpLockDirectoryExclusive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PopPrintEx	proc near		; CODE XREF: PopCoalescingSetTimer()+11p
					; PopSessionInputChange(x,x,x)+3Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1		; char
		lea	eax, [ebp+arg_8]
		mov	edx, 92h
		push	eax		; va_list
		push	[ebp+arg_4]	; char *
		mov	ecx, offset ??_C@_00CNPNBAHC@@FNODOBFM@
		push	[ebp+arg_0]	; int
		call	vDbgPrintExWithPrefixInternal
		pop	ebp
		retn
_PopPrintEx	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 267. DbgPrint

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _DbgPrint
_DbgPrint	proc near		; CODE XREF: CcInitializeCacheMapEx+1169B3p
					; CcGetPartition+11653Fp ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	1		; char
		lea	eax, [ebp+arg_4]
		mov	ecx, offset ??_C@_00CNPNBAHC@@FNODOBFM@
		push	eax		; va_list
		push	[ebp+arg_0]	; char *
		push	3		; int
		push	65h
		pop	edx
		call	vDbgPrintExWithPrefixInternal
		pop	ecx
		pop	ebp
		retn
_DbgPrint	endp

; 
		align 8
; Exported entry 3020. vDbgPrintEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall vDbgPrintEx(x, x, x, x)
		public _vDbgPrintEx@16
_vDbgPrintEx@16	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, offset ??_C@_00CNPNBAHC@@FNODOBFM@
		push	1		; char
		push	[ebp+arg_C]	; va_list
		push	[ebp+arg_8]	; char *
		push	[ebp+arg_4]	; int
		call	vDbgPrintExWithPrefixInternal
		pop	ebp
		retn	10h
_vDbgPrintEx@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	vDbgPrintExWithPrefixInternal(int,char *,va_list,char)
vDbgPrintExWithPrefixInternal proc near	; CODE XREF: _PopPrintEx+1Bp
					; _DbgPrint+19p ...

var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005F31B7 SIZE 00000037 BYTES
; FUNCTION CHUNK AT 005F320E SIZE 000000BE BYTES

		push	28h
		push	offset dword_6A6F50
		call	__SEH_prolog4_GS
		mov	eax, edx
		mov	[ebp+var_28], eax
		mov	edi, ecx
		mov	[ebp+var_24], edi
		and	[ebp+var_30], 0
		and	[ebp+var_2C], 0
		push	[ebp+arg_0]
		push	eax
		call	_NtQueryDebugFilterState@8 ; NtQueryDebugFilterState(x,x)
		test	eax, eax
		jnz	short loc_53F1FC

loc_53F1E5:				; CODE XREF: vDbgPrintExWithPrefixInternal+B410Dj
		xor	eax, eax

loc_53F1E7:				; CODE XREF: vDbgPrintExWithPrefixInternal+F0j
					; sub_5F31FC+Dj ...
		lea	esp, [ebp-48h]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_53F1FC:				; CODE XREF: vDbgPrintExWithPrefixInternal+29j
		xor	ebx, ebx
		xor	eax, eax
		xor	esi, esi

loc_53F202:				; CODE XREF: vDbgPrintExWithPrefixInternal+B400Cj
		cmp	esi, 200h
		jnb	loc_5F31CC
		mov	eax, 80h
		call	__alloca_probe_16
		mov	[ebp+ms_exc.old_esp], esp
		mov	ebx, esp
		sub	esi, 0FFFFFF80h
		and	[ebp+ms_exc.disabled], 0
		lea	ecx, [edi+1]

loc_53F227:				; CODE XREF: vDbgPrintExWithPrefixInternal+72j
		mov	al, [edi]
		inc	edi
		test	al, al
		jnz	short loc_53F227
		sub	edi, ecx
		lea	eax, [esi-1]
		cmp	edi, eax
		ja	loc_5F31B7

loc_53F23B:				; CODE XREF: vDbgPrintExWithPrefixInternal+B3FFFj
		push	edi		; size_t
		push	[ebp+var_24]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	[ebp+arg_8]	; va_list
		push	[ebp+arg_4]	; char *
		mov	edx, esi
		sub	edx, edi	; int
		lea	ecx, [edi+ebx]	; int
		call	_RtlStringCbVPrintfA@16	; RtlStringCbVPrintfA(x,x,x,x)
		mov	[ebp+var_38], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	eax, eax
		js	loc_5F31BE

loc_53F26C:				; CODE XREF: vDbgPrintExWithPrefixInternal+B4014j
					; vDbgPrintExWithPrefixInternal+B401Fj
		mov	ecx, ebx
		lea	edx, [ecx+1]

loc_53F271:				; CODE XREF: vDbgPrintExWithPrefixInternal+BCj
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_53F271
		sub	ecx, edx

loc_53F27A:				; CODE XREF: vDbgPrintExWithPrefixInternal+B402Fj
		mov	[ebp+var_2C], ebx
		mov	word ptr [ebp+var_30], cx
		mov	eax, _KiBugCheckActive
		test	al, 3
		jnz	short loc_53F297
		cmp	_RtlpDebugPrintCallbacksActive,	1
		jz	loc_5F320E

loc_53F297:				; CODE XREF: vDbgPrintExWithPrefixInternal+CEj
					; vDbgPrintExWithPrefixInternal+B40E9j	...
		push	[ebp+arg_0]
		mov	edx, [ebp+var_28]
		lea	ecx, [ebp+var_30]
		call	_DebugPrint@12	; DebugPrint(x,x,x)
		cmp	eax, 80000003h
		jnz	loc_53F1E7
		jmp	loc_5F32B6
vDbgPrintExWithPrefixInternal endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryDebugFilterState(x, x)
_NtQueryDebugFilterState@8 proc	near	; CODE XREF: vDbgPrintExWithPrefixInternal+22p
					; DbgQueryDebugFilterState(x,x)+6j
					; DATA XREF: ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		cmp	edx, 9Ch
		jnb	short loc_53F2F3
		mov	ecx, [ebp+arg_4]

loc_53F2C9:				; CODE XREF: NtQueryDebugFilterState(x,x)+43j
		cmp	ecx, 1Fh
		ja	short loc_53F2D5
		xor	eax, eax
		inc	eax
		shl	eax, cl
		mov	ecx, eax

loc_53F2D5:				; CODE XREF: NtQueryDebugFilterState(x,x)+16j
		test	_Kd_WIN2000_Mask, ecx
		jnz	short loc_53F2EE
		mov	eax, ds:_KdComponentTable[edx*4]
		test	[eax], ecx
		jnz	short loc_53F2EE
		xor	eax, eax

loc_53F2EA:				; CODE XREF: NtQueryDebugFilterState(x,x)+3Bj
		pop	ebp
		retn	8
; 

loc_53F2EE:				; CODE XREF: NtQueryDebugFilterState(x,x)+25j
					; NtQueryDebugFilterState(x,x)+30j
		xor	eax, eax
		inc	eax
		jmp	short loc_53F2EA
; 

loc_53F2F3:				; CODE XREF: NtQueryDebugFilterState(x,x)+Ej
		push	65h
		pop	edx
		push	3
		pop	ecx
		jmp	short loc_53F2C9
_NtQueryDebugFilterState@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DebugPrint(x, x, x)
_DebugPrint@12	proc near		; CODE XREF: vDbgPrintExWithPrefixInternal+E6p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		movzx	eax, word ptr [ecx]
		push	edx
		mov	edx, [ecx+4]
		xor	ecx, ecx
		push	eax
		inc	ecx
		call	_DebugService@20 ; DebugService(x,x,x,x,x)
		pop	ebp
		retn	4
_DebugPrint@12	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1664. PoClearPowerRequest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoClearPowerRequest
PoClearPowerRequest proc near		; CODE XREF: PopApplyLegacyPowerRequestFlags:loc_53F3C4p
					; PopApplyLegacyPowerRequestFlags:loc_53F3DAp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F32CC SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		sub	eax, edx
		jz	short loc_53F336
		sub	eax, 1
		jnz	loc_5F32CC
		inc	edx

loc_53F336:				; CODE XREF: PoClearPowerRequest+Cj
					; PoClearPowerRequest+B3FC9j
		mov	ecx, [ebp+arg_0]
		call	PoClearPowerRequestInternal

loc_53F33E:				; CODE XREF: PoClearPowerRequest+B3FBDj
		pop	ebp
		retn	8
PoClearPowerRequest endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopGetLegacyPowerRequestFlags(x, x,	x)
_PopGetLegacyPowerRequestFlags@12 proc near ; CODE XREF: PoRegisterSystemState(x,x)+72p
					; NtSetThreadExecutionState+C9p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, 80000000h
		test	ecx, ecx
		jz	short loc_53F374
		xor	eax, eax
		cmp	eax, [ecx+18h]
		sbb	eax, eax
		and	eax, 2
		add	esi, eax
		cmp	[ecx+1Ch], edi
		ja	short loc_53F385

loc_53F365:				; CODE XREF: PopGetLegacyPowerRequestFlags(x,x,x)+46j
		cmp	[ecx+20h], edi
		ja	short loc_53F38A

loc_53F36A:				; CODE XREF: PopGetLegacyPowerRequestFlags(x,x,x)+4Bj
		mov	edi, esi
		xor	edi, edx
		and	edi, 7FFFFFFFh

loc_53F374:				; CODE XREF: PopGetLegacyPowerRequestFlags(x,x,x)+10j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_53F37D
		mov	[eax], esi

loc_53F37D:				; CODE XREF: PopGetLegacyPowerRequestFlags(x,x,x)+37j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_53F385:				; CODE XREF: PopGetLegacyPowerRequestFlags(x,x,x)+21j
		or	esi, 1
		jmp	short loc_53F365
; 

loc_53F38A:				; CODE XREF: PopGetLegacyPowerRequestFlags(x,x,x)+26j
		or	esi, 40h
		jmp	short loc_53F36A
_PopGetLegacyPowerRequestFlags@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopApplyLegacyPowerRequestFlags	proc near ; CODE XREF: PoRegisterSystemState(x,x)+78p
					; NtSetThreadExecutionState+EAp

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005F32EC SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_0], 1
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		jz	short loc_53F3AE
		push	1
		push	esi
		test	bl, 1
		jz	short loc_53F3C4
		call	PoSetPowerRequest

loc_53F3AE:				; CODE XREF: PopApplyLegacyPowerRequestFlags+Fj
					; PopApplyLegacyPowerRequestFlags+39j
		test	[ebp+arg_0], 2
		jnz	short loc_53F3CB

loc_53F3B4:				; CODE XREF: PopApplyLegacyPowerRequestFlags+48j
					; PopApplyLegacyPowerRequestFlags+4Fj
		test	[ebp+arg_0], 40h
		jnz	loc_5F32EC

loc_53F3BE:				; CODE XREF: PopApplyLegacyPowerRequestFlags+B3F69j
					; PopApplyLegacyPowerRequestFlags+B3F73j
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_53F3C4:				; CODE XREF: PopApplyLegacyPowerRequestFlags+17j
		call	PoClearPowerRequest
		jmp	short loc_53F3AE
; 

loc_53F3CB:				; CODE XREF: PopApplyLegacyPowerRequestFlags+22j
		push	0
		push	esi
		test	bl, 2
		jz	short loc_53F3DA
		call	PoSetPowerRequest
		jmp	short loc_53F3B4
; 

loc_53F3DA:				; CODE XREF: PopApplyLegacyPowerRequestFlags+41j
		call	PoClearPowerRequest
		jmp	short loc_53F3B4
PopApplyLegacyPowerRequestFlags	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1724. PoSetPowerRequest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoSetPowerRequest
PoSetPowerRequest proc near		; CODE XREF: PopApplyLegacyPowerRequestFlags+19p
					; PopApplyLegacyPowerRequestFlags+43p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F3308 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		sub	eax, edx
		jz	short loc_53F3FE
		sub	eax, 1
		jnz	loc_5F3308
		inc	edx

loc_53F3FE:				; CODE XREF: PoSetPowerRequest+Cj
					; PoSetPowerRequest+B3F3Dj
		mov	ecx, [ebp+arg_0]
		call	PoSetPowerRequestInternal

loc_53F406:				; CODE XREF: PoSetPowerRequest+B3F31j
		pop	ebp
		retn	8
PoSetPowerRequest endp


;  S U B	R O U T	I N E 


; __stdcall PoArmStopWatchCollection(x)
_PoArmStopWatchCollection@4 proc near	; CODE XREF: PopStatsNotifyPowerRequestBlocking(x)+94p
					; PopStatsNotifyPowerRequestCsState(x,x,x)+BCp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, [esi+8]
		or	eax, [esi+0Ch]
		jnz	short loc_53F445
		push	edi
		mov	bl, 1
		call	KeQueryInterruptTime
		mov	edi, [esi]
		mov	[esi+8], eax
		mov	[esi+0Ch], edx
		jmp	short loc_53F434
; 

loc_53F42A:				; CODE XREF: PoArmStopWatchCollection(x)+2Cj
		lea	ecx, [edi-4]
		call	_PopInternalUpdateStopWatchState@4 ; PopInternalUpdateStopWatchState(x)
		mov	edi, [edi]

loc_53F434:				; CODE XREF: PoArmStopWatchCollection(x)+1Ej
		cmp	edi, esi
		jnz	short loc_53F42A
		mov	ecx, esi
		call	_PopInternalUpdateActiveStopWatchesCollectionState@4 ; PopInternalUpdateActiveStopWatchesCollectionState(x)
		pop	edi

loc_53F440:				; CODE XREF: PoArmStopWatchCollection(x)+3Dj
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_53F445:				; CODE XREF: PoArmStopWatchCollection(x)+Cj
		xor	bl, bl
		jmp	short loc_53F440
_PoArmStopWatchCollection@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoUnarmStopWatchCollection(x)
_PoUnarmStopWatchCollection@4 proc near	; CODE XREF: PopStatsNotifyPowerRequestBlocking(x)+55p
					; PopStatsNotifyPowerRequestCsState(x,x,x)+6Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	edi, ecx
		mov	eax, [edi+8]
		or	eax, [edi+0Ch]
		jz	short loc_53F4B0
		mov	eax, [edi+10h]
		mov	bl, 1
		push	esi
		mov	esi, [edi+14h]
		mov	[ebp+var_4], eax
		call	KeQueryInterruptTime
		sub	eax, [edi+8]
		sbb	edx, [edi+0Ch]
		add	[edi+10h], eax
		mov	ecx, [edi+10h]
		adc	[edi+14h], edx
		cmp	[edi+14h], esi
		ja	short loc_53F488
		jb	short loc_53F4B4
		cmp	ecx, [ebp+var_4]
		jb	short loc_53F4B4

loc_53F488:				; CODE XREF: PoUnarmStopWatchCollection(x)+35j
					; PoUnarmStopWatchCollection(x)+72j
		and	dword ptr [edi+8], 0
		and	dword ptr [edi+0Ch], 0
		mov	esi, [edi]
		jmp	short loc_53F49E
; 

loc_53F494:				; CODE XREF: PoUnarmStopWatchCollection(x)+56j
		lea	ecx, [esi-4]
		call	_PopInternalUpdateStopWatchState@4 ; PopInternalUpdateStopWatchState(x)
		mov	esi, [esi]

loc_53F49E:				; CODE XREF: PoUnarmStopWatchCollection(x)+48j
		cmp	esi, edi
		jnz	short loc_53F494
		mov	ecx, edi
		call	_PopInternalUpdateActiveStopWatchesCollectionState@4 ; PopInternalUpdateActiveStopWatchesCollectionState(x)
		pop	esi

loc_53F4AA:				; CODE XREF: PoUnarmStopWatchCollection(x)+68j
		pop	edi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_53F4B0:				; CODE XREF: PoUnarmStopWatchCollection(x)+10j
		xor	bl, bl
		jmp	short loc_53F4AA
; 

loc_53F4B4:				; CODE XREF: PoUnarmStopWatchCollection(x)+37j
					; PoUnarmStopWatchCollection(x)+3Cj
		or	dword ptr [edi+10h], 0FFFFFFFFh
		or	dword ptr [edi+14h], 0FFFFFFFFh
		jmp	short loc_53F488
_PoUnarmStopWatchCollection@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoClearPowerRequestInternal proc near	; CODE XREF: PoClearPowerRequest+1Bp
					; PpmEndHighPerfRequest+ECp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F3328 SIZE 0000008F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_10], ecx
		lea	edi, [ebp+var_20]
		xor	ebx, ebx
		stosd
		mov	esi, edx
		mov	[ebp+var_1], bl
		mov	[ebp+var_2], bl
		stosd
		stosd
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		mov	[ebp+var_4], al
		mov	[ebp+var_8], ebx
		setb	[ebp+var_3]
		mov	[ebp+var_C], ebx
		cmp	esi, 5
		ja	loc_5F33AD
		mov	edi, [ebp+var_10]
		xor	edx, edx
		inc	edx
		mov	ecx, esi
		mov	eax, edx
		shl	eax, cl
		mov	[ebp+var_14], eax
		test	[edi+0Ch], eax
		jz	loc_5F33AD
		cmp	[edi+esi*4+18h], ebx
		jz	loc_5F33AD
		cmp	[edi+44h], ebx
		jz	loc_53F662
		test	esi, esi
		jz	short loc_53F534
		cmp	esi, 3
		jnz	loc_53F655

loc_53F534:				; CODE XREF: PoClearPowerRequestInternal+6Bj
					; PoClearPowerRequestInternal+199j ...
		mov	cl, dl
		mov	[ebp+var_1], cl

loc_53F539:				; CODE XREF: PoClearPowerRequestInternal+1A6j
		cmp	esi, 3
		jnz	short loc_53F553
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	[edi+54h], eax
		jnz	loc_5F33AD

loc_53F553:				; CODE XREF: PoClearPowerRequestInternal+7Ej
		test	cl, cl
		jz	loc_53F669

loc_53F55B:				; CODE XREF: PoClearPowerRequestInternal+1B4j
		mov	cl, dl
		mov	[ebp+var_2], dl
		call	_PopAcquirePowerRequestPushLock@4 ; PopAcquirePowerRequestPushLock(x)
		cmp	_PopPowerRequestNotificationsEnabled, bl
		setz	al
		dec	al
		and	[ebp+var_1], al

loc_53F573:				; CODE XREF: PoClearPowerRequestInternal+1AEj
		lea	edx, [ebp+var_20]
		mov	ecx, offset _PopPowerRequestSpinLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [edi+esi*4+18h]
		mov	eax, [ebp+var_14]
		dec	ecx
		mov	[edi+esi*4+18h], ecx
		test	[edi+10h], eax
		jnz	loc_53F68D
		test	ecx, ecx
		jnz	loc_53F684
		mov	eax, _PopPowerRequestAttributes[esi*8]
		inc	ecx
		dec	eax
		mov	_PopPowerRequestAttributes[esi*8], eax
		test	esi, esi
		jz	short loc_53F5BE
		cmp	esi, 3
		jz	short loc_53F5BE
		cmp	esi, ecx
		jnz	loc_53F677

loc_53F5BE:				; CODE XREF: PoClearPowerRequestInternal+F1j
					; PoClearPowerRequestInternal+F6j ...
		cmp	off_6B146C[esi*8], ebx
		jz	short loc_53F5D7
		mov	dl, [ebp+var_3]
		dec	byte ptr [edi+esi+38h]
		xor	dl, cl
		mov	ecx, edi
		call	_PopQueuePowerRequestCallbacks@8 ; PopQueuePowerRequestCallbacks(x,x)

loc_53F5D7:				; CODE XREF: PoClearPowerRequestInternal+107j
					; PoClearPowerRequestInternal+1C1j
		test	esi, esi
		jz	loc_5F3336

loc_53F5DF:				; CODE XREF: PoClearPowerRequestInternal+1C9j
					; PoClearPowerRequestInternal+1D2j ...
		mov	ecx, edi
		call	_PopDiagTracePowerRequestChange@4 ; PopDiagTracePowerRequestChange(x)
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5F3366
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	loc_53F695
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_20]
		cmp	eax, ecx
		jnz	loc_5F3376

loc_53F617:				; CODE XREF: PoClearPowerRequestInternal+1E3j
					; PoClearPowerRequestInternal+B3EB3j
		mov	cl, [ebp+var_18]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_1], bl
		jnz	loc_5F3383

loc_53F629:				; CODE XREF: PoClearPowerRequestInternal+B3ECFj
		cmp	[ebp+var_2], bl
		jz	short loc_53F633
		call	_PopReleasePowerRequestPushLock@0 ; PopReleasePowerRequestPushLock()

loc_53F633:				; CODE XREF: PoClearPowerRequestInternal+16Ej
		cmp	[ebp+var_3], bl
		jz	short loc_53F643
		cmp	[edi+3Eh], bl
		jz	short loc_53F643
		push	ebx
		call	_PopPowerRequestCallbackWorker@4 ; PopPowerRequestCallbackWorker(x)

loc_53F643:				; CODE XREF: PoClearPowerRequestInternal+178j
					; PoClearPowerRequestInternal+17Dj
		mov	esi, [ebp+var_8]
		test	esi, esi
		jnz	loc_5F3392

loc_53F64E:				; CODE XREF: PoClearPowerRequestInternal+B3EEAj
					; PoClearPowerRequestInternal+B3EF4j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_53F655:				; CODE XREF: PoClearPowerRequestInternal+70j
		cmp	esi, edx
		jz	loc_53F534
		jmp	loc_5F3328
; 

loc_53F662:				; CODE XREF: PoClearPowerRequestInternal+63j
					; PoClearPowerRequestInternal+B3E6Dj
		mov	cl, bl
		jmp	loc_53F539
; 

loc_53F669:				; CODE XREF: PoClearPowerRequestInternal+97j
		cmp	esi, 3
		jnz	loc_53F573
		jmp	loc_53F55B
; 

loc_53F677:				; CODE XREF: PoClearPowerRequestInternal+FAj
		test	eax, eax
		jz	loc_53F5BE
		jmp	loc_53F5D7
; 

loc_53F684:				; CODE XREF: PoClearPowerRequestInternal+D9j
		cmp	[ebp+var_1], bl
		jz	loc_53F5DF

loc_53F68D:				; CODE XREF: PoClearPowerRequestInternal+D1j
		mov	[ebp+var_1], bl
		jmp	loc_53F5DF
; 

loc_53F695:				; CODE XREF: PoClearPowerRequestInternal+13Cj
					; PoClearPowerRequestInternal+B3EC0j
		xor	ecx, ecx
		mov	[ebp+var_20], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_53F617
PoClearPowerRequestInternal endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerRequestCleanUp(x)
_PopPowerRequestCleanUp@4 proc near	; CODE XREF: PspExitThread+5A5p
					; PoDeletePowerRequest(x)+9p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	esi, ecx
		xor	edx, edx
		mov	[ebp+var_8], edx
		mov	bl, [esi+5Ch]
		stosd
		stosd
		xor	edi, edi
		mov	[ebp+var_4], edi
		cmp	[esi], edx
		jz	short loc_53F6E1
		xor	eax, eax
		lea	ecx, [eax+1]
		call	_PopAcquirePowerRequestPushLock@4 ; PopAcquirePowerRequestPushLock(x)
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_53F6E6
		call	_PopReleasePowerRequestPushLock@0 ; PopReleasePowerRequestPushLock()

loc_53F6E1:				; CODE XREF: PopPowerRequestCleanUp(x)+24j
					; PopPowerRequestCleanUp(x)+204j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_53F6E6:				; CODE XREF: PopPowerRequestCleanUp(x)+34j
		mov	ecx, [esi+4]
		cmp	[eax+4], esi
		jnz	loc_53F8C9
		cmp	[ecx], esi
		jnz	loc_53F8C9
		mov	[ecx], eax
		mov	[eax+4], ecx
		xor	eax, eax
		mov	[esi], eax
		cmp	[esi+24h], eax
		jz	short loc_53F727
		cmp	byte_6C2E34, al
		jnz	short loc_53F714
		test	bl, bl
		jz	short loc_53F727

loc_53F714:				; CODE XREF: PopPowerRequestCleanUp(x)+68j
		mov	[esi+24h], eax
		test	bl, bl
		jnz	short loc_53F727
		test	byte ptr [esi+10h], 8
		jnz	short loc_53F727
		dec	dword_6B1480

loc_53F727:				; CODE XREF: PopPowerRequestCleanUp(x)+60j
					; PopPowerRequestCleanUp(x)+6Cj ...
		mov	ecx, esi
		call	_PopPowerRequestIsExecutionRequiredCapable@4 ; PopPowerRequestIsExecutionRequiredCapable(x)
		test	al, al
		jz	short loc_53F739
		xor	dl, dl
		call	_PopUpdatePowerRequestProcessWakeCounter@8 ; PopUpdatePowerRequestProcessWakeCounter(x,x)

loc_53F739:				; CODE XREF: PopPowerRequestCleanUp(x)+8Aj
		mov	eax, [esi+54h]
		test	eax, eax
		jz	short loc_53F755
		mov	edi, eax
		mov	edx, 72506F50h
		mov	ecx, edi
		mov	[ebp+var_4], edi
		call	ObfReferenceObjectWithTag
		and	dword ptr [esi+54h], 0

loc_53F755:				; CODE XREF: PopPowerRequestCleanUp(x)+98j
		test	bl, bl
		jz	short loc_53F761
		dec	_PopSpecialPowerRequestObjectCount
		jmp	short loc_53F767
; 

loc_53F761:				; CODE XREF: PopPowerRequestCleanUp(x)+B1j
		dec	_PopPowerRequestObjectCount

loc_53F767:				; CODE XREF: PopPowerRequestCleanUp(x)+B9j
		mov	ecx, [esi+14h]
		call	_PopPowerRequestDeleteEntryById@4 ; PopPowerRequestDeleteEntryById(x)
		call	_PopReleasePowerRequestPushLock@0 ; PopReleasePowerRequestPushLock()
		mov	ecx, esi
		call	_PopStatsDeletePowerRequest@4 ;	PopStatsDeletePowerRequest(x)
		mov	ecx, esi
		call	_PopDiagTracePowerRequestClose@4 ; PopDiagTracePowerRequestClose(x)
		lea	edx, [ebp+var_14]
		mov	ecx, offset _PopPowerRequestSpinLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	bh, [esi+3Eh]
		test	bh, bh
		jz	short loc_53F7B8
		lea	eax, [esi+30h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_53F8C9
		cmp	[ecx], eax
		jnz	loc_53F8C9
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	byte ptr [esi+3Eh], 0

loc_53F7B8:				; CODE XREF: PopPowerRequestCleanUp(x)+EEj
		xor	edi, edi
		xor	ecx, ecx
		inc	edi

loc_53F7BD:				; CODE XREF: PopPowerRequestCleanUp(x)+156j
		mov	eax, edi
		shl	eax, cl
		test	[esi+10h], eax
		jnz	short loc_53F7F8
		cmp	dword ptr [esi+ecx*4+18h], 0
		jbe	short loc_53F7F8
		mov	eax, _PopPowerRequestAttributes[ecx*8]
		dec	eax
		mov	_PopPowerRequestAttributes[ecx*8], eax
		test	ecx, ecx
		jz	short loc_53F7E9
		cmp	ecx, 3
		jz	short loc_53F7E9
		test	eax, eax
		jnz	short loc_53F7ED

loc_53F7E9:				; CODE XREF: PopPowerRequestCleanUp(x)+138j
					; PopPowerRequestCleanUp(x)+13Dj
		dec	byte ptr [ecx+esi+38h]

loc_53F7ED:				; CODE XREF: PopPowerRequestCleanUp(x)+141j
		test	ecx, ecx
		jnz	short loc_53F7F8
		mov	[ebp+var_8], 2

loc_53F7F8:				; CODE XREF: PopPowerRequestCleanUp(x)+11Ej
					; PopPowerRequestCleanUp(x)+125j ...
		inc	ecx
		cmp	ecx, 6
		jb	short loc_53F7BD
		test	ds:byte_70EFC6,	1
		jz	short loc_53F814
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_53F840
; 

loc_53F814:				; CODE XREF: PopPowerRequestCleanUp(x)+15Fj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_53F833
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_53F840
		call	KxWaitForLockChainValid

loc_53F833:				; CODE XREF: PopPowerRequestCleanUp(x)+173j
		mov	[ebp+var_14], 0
		add	eax, 4
		lock xor [eax],	edi

loc_53F840:				; CODE XREF: PopPowerRequestCleanUp(x)+16Cj
					; PopPowerRequestCleanUp(x)+186j
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	dword ptr [esi+8]
		mov	edx, [esi+14h]
		lea	ecx, [esi+38h]
		call	_PopPowerRequestExecuteCallbacks@12 ; PopPowerRequestExecuteCallbacks(x,x,x)
		mov	edi, [ebp+var_4]
		test	bh, bh
		jz	short loc_53F86A
		mov	edx, 72506F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_53F86A:				; CODE XREF: PopPowerRequestCleanUp(x)+1B6j
		mov	ecx, [esi+40h]
		call	_PoDestroyReasonContext@4 ; PoDestroyReasonContext(x)
		cmp	dword ptr [esi+44h], 0
		jz	short loc_53F883
		mov	edx, [esi+14h]
		mov	ecx, [esi+8]
		call	PopNotifySessionUserPowerRequestDeleted

loc_53F883:				; CODE XREF: PopPowerRequestCleanUp(x)+1D0j
		test	bl, bl
		jnz	short loc_53F88E
		mov	ecx, esi
		call	_PopUmpoSendPowerRequestOverrideCleanup@4 ; PopUmpoSendPowerRequestOverrideCleanup(x)

loc_53F88E:				; CODE XREF: PopPowerRequestCleanUp(x)+1DFj
		test	edi, edi
		jz	short loc_53F8A8
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	_PopProcessDisplayRequiredChange@8 ; PopProcessDisplayRequiredChange(x,x)
		mov	edx, 72506F50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_53F8A8:				; CODE XREF: PopPowerRequestCleanUp(x)+1EAj
		test	bl, bl
		jz	loc_53F6E1
		test	edi, edi
		jz	loc_53F6E1
		mov	edx, 72506F50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		jmp	loc_53F6E1
; 

loc_53F8C9:				; CODE XREF: PopPowerRequestCleanUp(x)+46j
					; PopPowerRequestCleanUp(x)+4Ej ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PopPowerRequestCleanUp@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUmpoSendPowerRequestOverrideQuery(x)
_PopUmpoSendPowerRequestOverrideQuery@4	proc near
					; CODE XREF: PopCreateUserPowerRequest(x,x,x)+102p
					; PopCreateKernelPowerRequest(x,x)+60p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	edx, edx
		push	1
		push	eax
		mov	ecx, [ebx+40h]
		call	_PoStoreRequester@16 ; PoStoreRequester(x,x,x,x)
		mov	edi, [ebp+var_4]
		push	6F706D55h
		add	edi, 8
		push	edi
		push	1
		mov	[ebp+var_8], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_53F959
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebx+40h]
		lea	eax, [ebp+var_4]
		add	esp, 0Ch
		lea	edx, [esi+8]
		push	1
		push	eax
		call	_PoStoreRequester@16 ; PoStoreRequester(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_53F947
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		mov	dword ptr [esi], 8
		mov	eax, [ebx+14h]
		push	0
		mov	[esi+4], eax
		call	PopUmpoSendPowerMessage
		mov	edi, eax

loc_53F947:				; CODE XREF: PopUmpoSendPowerRequestOverrideQuery(x)+5Dj
		push	6F706D55h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_53F952:				; CODE XREF: PopUmpoSendPowerRequestOverrideQuery(x)+90j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_53F959:				; CODE XREF: PopUmpoSendPowerRequestOverrideQuery(x)+3Aj
		mov	edi, 0C000009Ah
		jmp	short loc_53F952
_PopUmpoSendPowerRequestOverrideQuery@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoStoreRequester(x,	x, x, x)
_PoStoreRequester@16 proc near		; CODE XREF: PopUmpoSendPowerRequestOverrideQuery(x)+1Bp
					; PopUmpoSendPowerRequestOverrideQuery(x)+54p ...

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax]
		mov	edi, ecx
		xor	ecx, ecx
		mov	[esp+28h+var_4], eax
		mov	esi, edx
		mov	[esp+28h+var_19], cl
		mov	[esp+28h+var_14], ecx
		mov	edx, ecx
		mov	[esp+28h+var_C], edx
		mov	[esp+28h+var_18], ecx
		test	esi, esi
		jz	short loc_53F9A8
		cmp	eax, 18h
		jb	short loc_53F9A8
		lea	eax, [esi+18h]
		mov	bl, 1
		mov	[esp+28h+var_14], eax
		mov	eax, [edi]
		mov	[esi+4], eax
		jmp	short loc_53F9AA
; 

loc_53F9A8:				; CODE XREF: PoStoreRequester(x,x,x,x)+31j
					; PoStoreRequester(x,x,x,x)+36j
		mov	bl, cl

loc_53F9AA:				; CODE XREF: PoStoreRequester(x,x,x,x)+46j
		cmp	[edi], ecx
		jz	loc_53FA74
		test	bl, bl
		jz	short loc_53F9D6
		call	_Feature_3401902395__private_IsEnabledDeviceUsage@0 ; Feature_3401902395__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	short loc_53F9C4
		mov	eax, [edi+10h]
		jmp	short loc_53F9CD
; 

loc_53F9C4:				; CODE XREF: PoStoreRequester(x,x,x,x)+5Dj
		mov	eax, [edi+4]
		mov	eax, [eax+0E4h]

loc_53F9CD:				; CODE XREF: PoStoreRequester(x,x,x,x)+62j
		mov	[esi+0Ch], eax
		mov	eax, [edi+18h]
		mov	[esi+10h], eax

loc_53F9D6:				; CODE XREF: PoStoreRequester(x,x,x,x)+54j
		call	_Feature_3401902395__private_IsEnabledDeviceUsage@0 ; Feature_3401902395__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	short loc_53F9E4
		add	edi, 8
		jmp	short loc_53F9ED
; 

loc_53F9E4:				; CODE XREF: PoStoreRequester(x,x,x,x)+7Dj
		mov	eax, [edi+4]
		mov	edi, [eax+1C0h]

loc_53F9ED:				; CODE XREF: PoStoreRequester(x,x,x,x)+82j
		cmp	[ebp+arg_4], 0
		mov	ecx, [edi+4]
		movzx	edi, word ptr [edi]
		mov	[esp+28h+var_18], edi
		jz	short loc_53FA26
		mov	eax, edi
		shr	eax, 1
		add	eax, eax
		lea	eax, [eax+ecx]
		jz	short loc_53FA15

loc_53FA08:				; CODE XREF: PoStoreRequester(x,x,x,x)+B3j
		cmp	word ptr [eax],	5Ch
		jz	short loc_53FA15
		sub	eax, 2
		cmp	eax, ecx
		jnz	short loc_53FA08

loc_53FA15:				; CODE XREF: PoStoreRequester(x,x,x,x)+A6j
					; PoStoreRequester(x,x,x,x)+ACj
		cmp	eax, ecx
		jz	short loc_53FA26
		add	eax, 2
		sub	ecx, eax
		add	edi, ecx
		mov	ecx, eax
		mov	[esp+28h+var_18], edi

loc_53FA26:				; CODE XREF: PoStoreRequester(x,x,x,x)+9Bj
					; PoStoreRequester(x,x,x,x)+B7j
		lea	eax, [edi+1Ah]
		mov	[esp+28h+var_10], eax
		test	bl, bl
		jz	short loc_53FA69
		mov	ebx, [esp+28h+var_4]
		cmp	ebx, eax
		jb	short loc_53FA65
		push	edi		; size_t
		push	ecx		; void *
		push	[esp+30h+var_14] ; void	*
		mov	bl, 1
		call	_memcpy
		mov	eax, [esp+34h+var_14]
		xor	ecx, ecx
		shr	edi, 1
		add	esp, 0Ch
		mov	edx, ecx
		mov	[eax+edi*2], cx
		sub	eax, esi
		mov	[esi+8], eax
		mov	eax, [esp+28h+var_10]
		jmp	loc_53FBB6
; 

loc_53FA65:				; CODE XREF: PoStoreRequester(x,x,x,x)+D7j
		mov	eax, [esp+28h+var_10]

loc_53FA69:				; CODE XREF: PoStoreRequester(x,x,x,x)+CFj
		xor	bl, bl

loc_53FA6B:				; CODE XREF: PoStoreRequester(x,x,x,x)+24Aj
		mov	edx, [esp+28h+var_C]
		jmp	loc_53FBB6
; 

loc_53FA74:				; CODE XREF: PoStoreRequester(x,x,x,x)+4Cj
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	loc_53FBB3
		mov	edx, 67446F50h
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	ecx, eax
		mov	[esp+28h+var_8], ecx
		test	ecx, ecx
		jz	loc_53FBAF
		mov	eax, [ecx+0B0h]
		xor	edx, edx
		cmp	[eax+14h], edx
		jz	loc_53FB81
		lea	eax, [esp+28h+var_18]
		push	eax
		test	bl, bl
		jz	loc_53FB62
		mov	eax, [esp+2Ch+var_4]
		mov	edi, [esp+2Ch+var_14]
		add	eax, 0FFFFFFE8h
		push	edi
		push	eax
		push	edx
		push	ecx
		call	IoGetDeviceProperty

loc_53FAC9:				; CODE XREF: PoStoreRequester(x,x,x,x)+214j
					; PoStoreRequester(x,x,x,x)+21Cj
		mov	ecx, [esp+28h+var_8]

loc_53FACD:				; CODE XREF: PoStoreRequester(x,x,x,x)+22Aj
		test	eax, eax
		jns	short loc_53FB02
		mov	ecx, [ecx+8]
		add	ecx, 1Ch
		movzx	edx, word ptr [ecx]
		add	edx, 2
		mov	[esp+28h+var_18], edx
		test	bl, bl
		jz	loc_53FB8F
		mov	ebx, [esp+28h+var_4]
		lea	eax, [edx+18h]
		cmp	ebx, eax
		jb	loc_53FB8F
		push	ecx
		mov	ecx, edi
		mov	bl, 1
		call	RtlStringCbCopyUnicodeString

loc_53FB02:				; CODE XREF: PoStoreRequester(x,x,x,x)+16Fj
		mov	edx, [esp+28h+var_18]

loc_53FB06:				; CODE XREF: PoStoreRequester(x,x,x,x)+231j
		lea	ecx, [edx+18h]
		mov	[esp+28h+var_10], ecx
		test	bl, bl
		jz	short loc_53FB1F
		mov	eax, edi
		mov	[esp+28h+var_19], 1
		sub	eax, esi
		add	edi, edx
		mov	[esi+8], eax

loc_53FB1F:				; CODE XREF: PoStoreRequester(x,x,x,x)+1AFj
		mov	eax, [esp+28h+var_8]
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_53FB98
		add	eax, 14h
		mov	[esp+28h+var_C], eax
		movzx	edx, word ptr [eax]
		add	edx, 2
		add	ecx, edx
		mov	[esp+28h+var_18], edx
		mov	[esp+28h+var_10], ecx
		test	bl, bl
		jz	short loc_53FB96
		cmp	[esp+28h+var_4], ecx
		jb	short loc_53FB96
		push	eax
		mov	ecx, edi
		mov	bl, 1
		call	RtlStringCbCopyUnicodeString
		sub	edi, esi
		mov	[esi+0Ch], edi
		jmp	short loc_53FB98
; 

loc_53FB62:				; CODE XREF: PoStoreRequester(x,x,x,x)+14Fj
		push	edx
		push	edx
		push	edx
		push	ecx
		call	IoGetDeviceProperty
		mov	edi, [esp+28h+var_14]
		cmp	eax, 0C0000023h
		jnz	loc_53FAC9
		xor	eax, eax
		jmp	loc_53FAC9
; 

loc_53FB81:				; CODE XREF: PoStoreRequester(x,x,x,x)+142j
		mov	edi, [esp+28h+var_14]
		mov	eax, 0C0000010h
		jmp	loc_53FACD
; 

loc_53FB8F:				; CODE XREF: PoStoreRequester(x,x,x,x)+183j
					; PoStoreRequester(x,x,x,x)+192j
		xor	bl, bl
		jmp	loc_53FB06
; 

loc_53FB96:				; CODE XREF: PoStoreRequester(x,x,x,x)+1E9j
					; PoStoreRequester(x,x,x,x)+1EFj
		xor	bl, bl

loc_53FB98:				; CODE XREF: PoStoreRequester(x,x,x,x)+1CEj
					; PoStoreRequester(x,x,x,x)+200j
		mov	ecx, [esp+28h+var_8]
		mov	edx, 67446F50h
		call	ObfDereferenceObjectWithTag
		mov	eax, [esp+28h+var_10]
		jmp	loc_53FA6B
; 

loc_53FBAF:				; CODE XREF: PoStoreRequester(x,x,x,x)+131j
		mov	edx, [esp+28h+var_C]

loc_53FBB3:				; CODE XREF: PoStoreRequester(x,x,x,x)+119j
		push	18h
		pop	eax

loc_53FBB6:				; CODE XREF: PoStoreRequester(x,x,x,x)+100j
					; PoStoreRequester(x,x,x,x)+10Fj
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		test	bl, bl
		jnz	short loc_53FBC6
		mov	eax, 0C0000023h
		jmp	short loc_53FBDF
; 

loc_53FBC6:				; CODE XREF: PoStoreRequester(x,x,x,x)+25Dj
		xor	eax, eax
		cmp	[esi+4], eax
		jnz	short loc_53FBDD
		cmp	[esp+28h+var_19], al
		jnz	short loc_53FBD6
		mov	[esi+8], eax

loc_53FBD6:				; CODE XREF: PoStoreRequester(x,x,x,x)+271j
		test	edx, edx
		jnz	short loc_53FBDD
		mov	[esi+0Ch], eax

loc_53FBDD:				; CODE XREF: PoStoreRequester(x,x,x,x)+26Bj
					; PoStoreRequester(x,x,x,x)+278j
		xor	eax, eax

loc_53FBDF:				; CODE XREF: PoStoreRequester(x,x,x,x)+264j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_PoStoreRequester@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopUmpoSendPowerMessage	proc near	; CODE XREF: PopUmpoSendPowerRequestOverrideQuery(x)+72p
					; PopUmpoSendFlushSleepStudyLoggerNotification()+3Fp ...

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005F33B7 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_74], 0
		push	ebx
		push	esi
		push	edi
		push	6F706D55h
		push	1000h
		push	1
		mov	esi, edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5F33B7
		xor	cl, cl
		call	_PopAcquireUmpoPushLock@4 ; PopAcquireUmpoPushLock(x)
		cmp	_PopAlpcClientPort, 0
		jz	short loc_53FCA7
		cmp	esi, 0FE8h
		ja	loc_5F33C1
		push	0FFCh		; size_t
		lea	eax, [edi+4]
		push	0		; int
		push	eax		; void *
		call	_memset
		movzx	eax, si
		mov	[edi], ax
		add	eax, 18h
		push	esi		; size_t
		mov	[edi+2], ax
		lea	eax, [edi+18h]
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 18h
		cmp	[ebp+arg_0], 0
		jnz	short loc_53FCAE
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	edi
		push	10000h
		push	_PopAlpcClientPort
		call	_ZwAlpcSendWaitReceivePort@32 ;	ZwAlpcSendWaitReceivePort(x,x,x,x,x,x,x,x)

loc_53FC85:				; CODE XREF: PopUmpoSendPowerMessage+117j
		mov	esi, eax

loc_53FC87:				; CODE XREF: PopUmpoSendPowerMessage+C4j
					; PopUmpoSendPowerMessage+FEj ...
		call	_PopReleaseUmpoPushLock@0 ; PopReleaseUmpoPushLock()
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_53FC94:				; CODE XREF: PopUmpoSendPowerMessage+B37D4j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_53FCA7:				; CODE XREF: PopUmpoSendPowerMessage+46j
		mov	esi, 0C0000042h
		jmp	short loc_53FC87
; 

loc_53FCAE:				; CODE XREF: PopUmpoSendPowerMessage+83j
		push	6Ch		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_70]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_74], 1000h
		lea	eax, [ebp+var_70]
		push	esi
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		push	edi
		push	esi
		push	edi
		push	20000h
		push	_PopAlpcClientPort
		call	_ZwAlpcSendWaitReceivePort@32 ;	ZwAlpcSendWaitReceivePort(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_53FC87
		push	20000000h
		lea	eax, [ebp+var_70]
		push	eax
		call	_AlpcGetMessageAttribute@8 ; AlpcGetMessageAttribute(x,x)
		mov	edx, eax
		mov	ecx, edi
		call	PopUmpoProcessMessage
		jmp	short loc_53FC85
PopUmpoSendPowerMessage	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PoDestroyReasonContext(x)
_PoDestroyReasonContext@4 proc near	; CODE XREF: .text:loc_53D521p
					; NtSetTimerEx+151p ...
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	dword ptr [esi], 0
		jnz	short loc_53FD1F
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_53FD1F
		mov	edx, 67446F50h
		call	ObfDereferenceObjectWithTag

loc_53FD1F:				; CODE XREF: PoDestroyReasonContext(x)+Aj
					; PoDestroyReasonContext(x)+11j
		call	_Feature_3401902395__private_IsEnabledDeviceUsage@0 ; Feature_3401902395__private_IsEnabledDeviceUsage()
		mov	edi, 78435250h
		test	eax, eax
		jz	short loc_53FD40
		cmp	dword ptr [esi], 0
		jz	short loc_53FD40
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_53FD40
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_53FD40:				; CODE XREF: PoDestroyReasonContext(x)+29j
					; PoDestroyReasonContext(x)+2Ej ...
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ecx
		retn
_PoDestroyReasonContext@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopProcessPowerRequestOverrideQueryResponse proc near
					; CODE XREF: PopUmpoProcessPowerMessage+27p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= word ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F33CB SIZE 00000123 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		mov	esi, ecx
		xor	cl, cl
		stosd
		stosd
		mov	eax, [esi+4]
		mov	[ebp+var_30], eax
		xor	eax, eax
		mov	ebx, eax
		mov	[ebp+var_15], al
		mov	edi, eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], ax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], ax
		call	_PopAcquirePowerRequestPushLock@4 ; PopAcquirePowerRequestPushLock(x)
		mov	ecx, [esi]
		call	_PopPowerRequestFindEntryById@4	; PopPowerRequestFindEntryById(x)
		test	eax, eax
		jz	loc_53FE38
		mov	edi, [eax]
		lea	edx, [ebp+var_2C]
		mov	ecx, offset _PopPowerRequestSpinLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, [edi+10h]
		mov	ecx, [ebp+var_30]
		xor	edx, ecx
		push	1
		mov	[edi+10h], ecx
		pop	eax

loc_53FDC1:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+B3747j
		mov	[ebp+var_34], edx
		jnz	loc_5F33CB
		mov	dl, al
		mov	ecx, edi
		call	_PopQueuePowerRequestCallbacks@8 ; PopQueuePowerRequestCallbacks(x,x)
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5F3498
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	short loc_53FE54
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_2C]
		cmp	eax, ecx
		jnz	loc_5F34A8

loc_53FE00:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+118j
					; PopProcessPowerRequestOverrideQueryResponse+B3757j
		mov	cl, [ebp+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	ebx, ebx
		xor	esi, esi
		inc	ebx

loc_53FE0E:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+D1j
		cmp	byte ptr [ebp+esi+var_C], 0
		jnz	loc_5F34B5

loc_53FE19:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+B3773j
		inc	esi
		cmp	esi, 6
		jb	short loc_53FE0E
		mov	ebx, [ebp+var_1C]
		xor	esi, esi

loc_53FE24:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+E7j
		cmp	byte ptr [ebp+esi+var_14], 0
		jnz	loc_5F34C4

loc_53FE2F:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+B3783j
		inc	esi
		cmp	esi, 6
		jb	short loc_53FE24
		mov	edi, [ebp+var_20]

loc_53FE38:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+52j
		call	_PopReleasePowerRequestPushLock@0 ; PopReleasePowerRequestPushLock()
		test	ebx, ebx
		jnz	loc_5F34D4

loc_53FE45:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+B379Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_53FE54:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+9Bj
					; PopProcessPowerRequestOverrideQueryResponse+B3764j
		xor	ecx, ecx
		mov	[ebp+var_2C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	short loc_53FE00
PopProcessPowerRequestOverrideQueryResponse endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoSetPowerRequestInternal proc near	; CODE XREF: PoSetPowerRequest+1Bp
					; PpmBeginHighPerfRequest()+10p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F34EE SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1], 0
		lea	edi, [ebp+var_18]
		mov	[ebp+var_2], 0
		stosd
		mov	esi, edx
		mov	ebx, ecx
		stosd
		stosd
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		xor	edx, edx
		mov	[ebp+var_4], al
		cmp	al, 2
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], edx
		setb	[ebp+var_3]
		cmp	esi, 5
		ja	loc_5F355D
		xor	eax, eax
		mov	ecx, esi
		inc	eax
		mov	edi, eax
		shl	edi, cl
		test	[ebx+0Ch], edi
		jz	loc_5F355D
		cmp	[ebx+44h], edx
		jz	loc_54007D
		test	esi, esi
		jz	short loc_53FECC
		cmp	esi, eax
		jnz	loc_540052

loc_53FECC:				; CODE XREF: PoSetPowerRequestInternal+5Cj
					; PoSetPowerRequestInternal+1EFj ...
		mov	cl, al
		mov	[ebp+var_1], cl

loc_53FED1:				; CODE XREF: PoSetPowerRequestInternal+219j
		cmp	esi, 3
		jz	loc_540060

loc_53FEDA:				; CODE XREF: PoSetPowerRequestInternal+212j
		test	cl, cl
		jz	loc_540084

loc_53FEE2:				; CODE XREF: PoSetPowerRequestInternal+227j
		mov	cl, al
		mov	[ebp+var_2], al
		call	_PopAcquirePowerRequestPushLock@4 ; PopAcquirePowerRequestPushLock(x)
		cmp	_PopPowerRequestNotificationsEnabled, 0
		setz	al
		dec	al
		and	[ebp+var_1], al

loc_53FEFB:				; CODE XREF: PoSetPowerRequestInternal+221j
		lea	edx, [ebp+var_18]
		mov	ecx, offset _PopPowerRequestSpinLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebx+esi*4+18h]
		cmp	eax, 0FFFFFFFFh
		jz	loc_5F34FC
		inc	eax
		mov	[ebx+esi*4+18h], eax
		test	[ebx+10h], edi
		jnz	loc_5F3515
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jnz	loc_540092
		mov	eax, _PopPowerRequestAttributes[esi*8]
		cmp	eax, 0FFFFFFFFh
		jz	loc_5F3506
		inc	eax
		mov	_PopPowerRequestAttributes[esi*8], eax
		test	esi, esi
		jz	short loc_53FF52
		cmp	esi, ecx
		jnz	loc_54003C

loc_53FF52:				; CODE XREF: PoSetPowerRequestInternal+E2j
					; PoSetPowerRequestInternal+1D9j ...
		cmp	off_6B146C[esi*8], 0
		jz	short loc_53FF6C
		mov	dl, [ebp+var_3]
		inc	byte ptr [ebx+esi+38h]
		xor	dl, cl
		mov	ecx, ebx
		call	_PopQueuePowerRequestCallbacks@8 ; PopQueuePowerRequestCallbacks(x,x)

loc_53FF6C:				; CODE XREF: PoSetPowerRequestInternal+F4j
					; PoSetPowerRequestInternal:loc_54004Dj
		test	esi, esi
		jz	loc_53FFF5

loc_53FF74:				; CODE XREF: PoSetPowerRequestInternal+194j
					; PoSetPowerRequestInternal:loc_540004j ...
		mov	ecx, ebx
		call	_PopDiagTracePowerRequestChange@4 ; PopDiagTracePowerRequestChange(x)
		xor	edi, edi

loc_53FF7D:				; CODE XREF: PoSetPowerRequestInternal+B369Bj
		xor	ecx, ecx
		inc	ecx

loc_53FF80:				; CODE XREF: PoSetPowerRequestInternal+B36AAj
		test	ds:byte_70EFC6,	cl
		jnz	loc_5F351E
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_5F3539
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_5F352E

loc_53FFAE:				; CODE XREF: PoSetPowerRequestInternal+B36C3j
					; PoSetPowerRequestInternal+B36E0j
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		js	short loc_53FFC5
		cmp	[ebp+var_1], 0
		jnz	loc_5F354B

loc_53FFC5:				; CODE XREF: PoSetPowerRequestInternal+153j
					; PoSetPowerRequestInternal+B36F2j
		cmp	[ebp+var_2], 0
		jz	short loc_53FFD0
		call	_PopReleasePowerRequestPushLock@0 ; PopReleasePowerRequestPushLock()

loc_53FFD0:				; CODE XREF: PoSetPowerRequestInternal+163j
		test	edi, edi
		js	short loc_53FFE7
		cmp	[ebp+var_3], 0
		jz	short loc_53FFE7
		cmp	byte ptr [ebx+3Eh], 0
		jz	short loc_53FFE7
		push	0
		call	_PopPowerRequestCallbackWorker@4 ; PopPowerRequestCallbackWorker(x)

loc_53FFE7:				; CODE XREF: PoSetPowerRequestInternal+16Cj
					; PoSetPowerRequestInternal+172j ...
		mov	ebx, [ebp+var_8]
		test	ebx, ebx
		jnz	short loc_540024

loc_53FFEE:				; CODE XREF: PoSetPowerRequestInternal+1D4j
					; PoSetPowerRequestInternal+B36FCj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_53FFF5:				; CODE XREF: PoSetPowerRequestInternal+108j
		mov	eax, [ebx+54h]
		test	eax, eax
		jz	loc_53FF74

loc_540000:				; DATA XREF: .text:00421BCCo
					; .text:00421E58o ...
		cmp	[ebp+var_4], 2

loc_540004:				; DATA XREF: .text:0042557Co
		jnb	loc_53FF74
		mov	edx, 72506F50h
		mov	[ebp+var_8], eax
		mov	ecx, eax
		call	ObfReferenceObjectWithTag
		xor	eax, eax
		inc	eax
		mov	[ebp+var_C], eax
		jmp	loc_53FF74
; 

loc_540024:				; CODE XREF: PoSetPowerRequestInternal+186j
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		call	_PopProcessDisplayRequiredChange@8 ; PopProcessDisplayRequiredChange(x,x)

loc_54002E:				; DATA XREF: .text:_PnpWstrTranslatedo
		mov	edx, 72506F50h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		jmp	short loc_53FFEE
; 

loc_54003C:				; CODE XREF: PoSetPowerRequestInternal+E6j
		cmp	esi, 3
		jz	loc_53FF52
		cmp	eax, ecx
		jz	loc_53FF52

loc_54004D:				; DATA XREF: .text:005A55AEo
		jmp	loc_53FF6C
; 

loc_540052:				; CODE XREF: PoSetPowerRequestInternal+60j
					; DATA XREF: .text:005A4578o ...
		cmp	esi, 3
		jz	loc_53FECC
		jmp	loc_5F34EE
; 

loc_540060:				; CODE XREF: PoSetPowerRequestInternal+6Ej
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	[ebx+54h], eax
		jnz	loc_5F355D
		xor	eax, eax
		inc	eax
		jmp	loc_53FEDA
; 

loc_54007D:				; CODE XREF: PoSetPowerRequestInternal+54j
					; PoSetPowerRequestInternal+B368Bj
		mov	cl, dl
		jmp	loc_53FED1
; 

loc_540084:				; CODE XREF: PoSetPowerRequestInternal+76j
		cmp	esi, 3
		jnz	loc_53FEFB
		jmp	loc_53FEE2
; 

loc_540092:				; CODE XREF: PoSetPowerRequestInternal+C2j
		cmp	[ebp+var_1], 0
		jz	loc_53FF74
		jmp	loc_5F3515
PoSetPowerRequestInternal endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTracePowerRequestChange(x)
_PopDiagTracePowerRequestChange@4 proc near ; CODE XREF: PoClearPowerRequestInternal+123p
					; PoSetPowerRequestInternal+110p ...

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	esi
		mov	esi, ecx
		mov	[ebp+var_78], esi
		jz	loc_54016C
		push	ebx
		mov	ebx, _PopDiagHandle
		push	edi
		mov	edi, dword_6C1D74
		push	offset _POP_ETW_EVENT_CHANGE_POWER_REQUEST
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	loc_54016A
		lea	eax, [ebp+var_78]
		xor	edx, edx
		mov	[ebp+var_74], eax
		lea	eax, [esi+1Ch]
		mov	[ebp+var_64], eax
		lea	eax, [esi+18h]
		mov	[ebp+var_54], eax
		lea	eax, [esi+20h]
		mov	[ebp+var_44], eax
		lea	eax, [esi+24h]
		mov	[ebp+var_34], eax
		lea	eax, [esi+28h]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [esi+2Ch]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	edx
		push	offset _POP_ETW_EVENT_CHANGE_POWER_REQUEST
		push	edi
		push	ebx
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_54016A:				; CODE XREF: PopDiagTracePowerRequestChange(x)+41j
		pop	edi
		pop	ebx

loc_54016C:				; CODE XREF: PopDiagTracePowerRequestChange(x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTracePowerRequestChange@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopQueuePowerRequestCallbacks(x, x)
_PopQueuePowerRequestCallbacks@8 proc near ; CODE XREF:	PoClearPowerRequestInternal+114p
					; PopProcessPowerRequestOverrideQueryResponse+82p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		cmp	byte ptr [esi+3Eh], 0
		jnz	short loc_5401CB
		xor	eax, eax

loc_54018A:				; CODE XREF: PopQueuePowerRequestCallbacks(x,x)+1Bj
		cmp	byte ptr [esi+eax+38h],	0
		jnz	short loc_540199
		inc	eax
		cmp	eax, 6
		jl	short loc_54018A
		jmp	short loc_5401CB
; 

loc_540199:				; CODE XREF: PopQueuePowerRequestCallbacks(x,x)+15j
		mov	edx, 72506F50h
		call	ObfReferenceObjectWithTag
		mov	ecx, _PopPowerRequestCallbacks
		lea	eax, [esi+30h]
		mov	edx, offset _PopPowerRequestCallbacks
		cmp	[ecx+4], edx
		jnz	short loc_5401EC
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[ecx+4], eax
		mov	_PopPowerRequestCallbacks, eax
		mov	byte ptr [esi+3Eh], 1
		test	bl, bl
		jnz	short loc_5401CE

loc_5401CB:				; CODE XREF: PopQueuePowerRequestCallbacks(x,x)+Cj
					; PopQueuePowerRequestCallbacks(x,x)+1Dj ...
		pop	esi
		pop	ebx
		retn
; 

loc_5401CE:				; CODE XREF: PopQueuePowerRequestCallbacks(x,x)+4Fj
		cmp	_PopCallbackWorkItemScheduled, 0
		jnz	short loc_5401CB
		push	0
		push	offset _PopCallbackWorkItem
		mov	_PopCallbackWorkItemScheduled, 1
		call	ExQueueWorkItem
		jmp	short loc_5401CB
; 

loc_5401EC:				; CODE XREF: PopQueuePowerRequestCallbacks(x,x)+3Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PopQueuePowerRequestCallbacks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerRequestCallbackWorker(x)
_PopPowerRequestCallbackWorker@4 proc near ; CODE XREF:	PoClearPowerRequestInternal+180p
					; PoSetPowerRequestInternal+17Cp
					; DATA XREF: ...

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd

loc_54020E:				; CODE XREF: PopPowerRequestCallbackWorker(x)+95j
		lea	edx, [ebp+var_18]
		mov	ecx, offset _PopPowerRequestSpinLock
		mov	edi, offset _PopPowerRequestCallbacks
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	_PopPowerRequestCallbacks, edi
		jz	short loc_540291
		mov	esi, dword_6C391C
		cmp	[esi], edi
		jnz	short loc_5402AE
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_5402AE
		mov	dword_6C391C, eax
		add	esi, 0FFFFFFD0h
		mov	[eax], edi
		xor	edi, edi
		xor	ecx, ecx

loc_540247:				; CODE XREF: PopPowerRequestCallbackWorker(x)+65j
		mov	al, [esi+ecx+38h]
		mov	byte ptr [ebp+ecx+var_C], al
		test	al, al
		jnz	short loc_540289

loc_540253:				; CODE XREF: PopPowerRequestCallbackWorker(x)+9Dj
		inc	ecx
		cmp	ecx, 6
		jl	short loc_540247
		mov	byte ptr [esi+3Eh], 0

loc_54025D:				; CODE XREF: PopPowerRequestCallbackWorker(x)+AAj
		lea	ecx, [ebp+var_18]
		call	_PopReleasePowerRequestSpinLock@4 ; PopReleasePowerRequestSpinLock(x)
		test	esi, esi
		jz	short loc_54029E
		test	edi, edi
		jz	short loc_54027B
		push	dword ptr [esi+8]
		mov	edx, [esi+14h]
		lea	ecx, [ebp+var_C]
		call	_PopPowerRequestExecuteCallbacks@12 ; PopPowerRequestExecuteCallbacks(x,x,x)

loc_54027B:				; CODE XREF: PopPowerRequestCallbackWorker(x)+79j
		mov	edx, 72506F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	short loc_54020E
; 

loc_540289:				; CODE XREF: PopPowerRequestCallbackWorker(x)+5Fj
		mov	byte ptr [esi+ecx+38h],	0
		inc	edi
		jmp	short loc_540253
; 

loc_540291:				; CODE XREF: PopPowerRequestCallbackWorker(x)+34j
		xor	esi, esi
		mov	_PopCallbackWorkItemScheduled, 0
		xor	edi, edi
		jmp	short loc_54025D
; 

loc_54029E:				; CODE XREF: PopPowerRequestCallbackWorker(x)+75j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_5402AE:				; CODE XREF: PopPowerRequestCallbackWorker(x)+3Ej
					; PopPowerRequestCallbackWorker(x)+45j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PopPowerRequestCallbackWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerRequestExecuteCallbacks(x, x, x)
_PopPowerRequestExecuteCallbacks@12 proc near ;	CODE XREF: PopPowerRequestCleanUp(x)+1ACp
					; PopPowerRequestCallbackWorker(x)+84p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		xor	esi, esi

loc_5402C2:				; CODE XREF: PopPowerRequestExecuteCallbacks(x,x,x)+19j
		mov	al, [esi+edi]
		test	al, al
		jnz	short loc_5402D6

loc_5402C9:				; CODE XREF: PopPowerRequestExecuteCallbacks(x,x,x)+34j
		inc	esi
		cmp	esi, 6
		jl	short loc_5402C2
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_5402D6:				; CODE XREF: PopPowerRequestExecuteCallbacks(x,x,x)+13j
		setnle	al
		movzx	eax, al
		push	eax
		push	ebx
		push	[ebp+arg_0]
		call	off_6B146C[esi*8]
		jmp	short loc_5402C9
_PopPowerRequestExecuteCallbacks@12 endp


;  S U B	R O U T	I N E 


_tlgCreate1Sz_char proc	near		; CODE XREF: EtwTelemetryCoverageReport(x)+3FEp
					; MiLogWsEmptyControl+FED4Ep ...

; FUNCTION CHUNK AT 005F3567 SIZE 0000000D BYTES

		mov	edi, edi
		push	esi
		test	edx, edx
		jz	loc_5F3567
		mov	esi, edx
		push	edi
		lea	edi, [esi+1]

loc_5402FB:				; CODE XREF: _tlgCreate1Sz_char+16j
		mov	al, [esi]
		inc	esi
		test	al, al
		jnz	short loc_5402FB
		sub	esi, edi
		inc	esi
		pop	edi

loc_540306:				; CODE XREF: _tlgCreate1Sz_char+B3285j
		and	dword ptr [ecx+4], 0
		and	dword ptr [ecx+0Ch], 0
		mov	[ecx+8], esi
		mov	[ecx], edx
		pop	esi
		retn
_tlgCreate1Sz_char endp

; 
		align 10h
; Exported entry 1768. PsGetCurrentProcessSessionId

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentProcessSessionId()
		public _PsGetCurrentProcessSessionId@0
_PsGetCurrentProcessSessionId@0	proc near
					; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D64p
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x):loc_811683p ...
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [eax+180h]
		test	ecx, ecx
		jz	short loc_54034F
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_54034F
		mov	eax, [ecx+8]

loc_540345:				; CODE XREF: PsGetCurrentProcessSessionId()+32j
		lea	ecx, [eax+1]
		neg	ecx
		sbb	ecx, ecx
		and	eax, ecx
		retn
; 

loc_54034F:				; CODE XREF: PsGetCurrentProcessSessionId()+14j
					; PsGetCurrentProcessSessionId()+20j
		or	eax, 0FFFFFFFFh
		jmp	short loc_540345
_PsGetCurrentProcessSessionId@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SessionIsInteractive proc near		; CODE XREF: NtSetThreadExecutionState+15Cp
					; PopCreateUserPowerRequest(x,x,x)+9Cp	...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F3574 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		cmp	esi, 0FFFFFFFFh
		jz	short loc_5403AF
		lea	edx, [ebp+var_4]
		call	_PsGetSiloBySessionId@8	; PsGetSiloBySessionId(x,x)
		test	eax, eax
		js	short loc_5403AF
		mov	ecx, [ebp+var_4]
		mov	eax, offset _PspHostSiloGlobals
		test	ecx, ecx
		jnz	short loc_5403A7

loc_540380:				; CODE XREF: SessionIsInteractive+59j
		mov	eax, [eax+28Ch]
		cmp	esi, [eax]
		jz	short loc_540392

loc_54038A:				; CODE XREF: SessionIsInteractive+51j
		mov	bl, 1

loc_54038C:				; CODE XREF: SessionIsInteractive+4Fj
		mov	al, bl

loc_54038E:				; CODE XREF: SessionIsInteractive+5Dj
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_540392:				; CODE XREF: SessionIsInteractive+34j
		test	ecx, ecx
		jnz	loc_5F3574
		mov	eax, 0FFDF02D8h
		mov	eax, [eax]

loc_5403A1:				; CODE XREF: SessionIsInteractive+B322Fj
		cmp	esi, eax
		jnz	short loc_54038C
		jmp	short loc_54038A
; 

loc_5403A7:				; CODE XREF: SessionIsInteractive+2Aj
		mov	eax, [ecx+2F8h]
		jmp	short loc_540380
; 

loc_5403AF:				; CODE XREF: SessionIsInteractive+12j
					; SessionIsInteractive+1Ej
		xor	al, al
		jmp	short loc_54038E
SessionIsInteractive endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoPauseStopWatch(x)
_PoPauseStopWatch@4 proc near		; CODE XREF: PopStatsMarkPowerRequestInactive(x,x)+4Fp
					; PopPausePowerRequestStats(x)+2Bp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		or	esi, 0FFFFFFFFh
		push	edi
		mov	edi, ecx
		mov	eax, esi
		lock xadd [edi+20h], eax
		dec	eax
		jnz	short loc_5403DF
		call	_PopInternalUpdateStopWatchState@4 ; PopInternalUpdateStopWatchState(x)
		mov	ecx, [edi]
		lock xadd [ecx+28h], esi
		dec	esi
		jnz	short loc_5403DF
		call	_PopInternalUpdateActiveStopWatchesCollectionState@4 ; PopInternalUpdateActiveStopWatchesCollectionState(x)

loc_5403DF:				; CODE XREF: PoPauseStopWatch(x)+15j
					; PoPauseStopWatch(x)+24j
		pop	edi
		pop	esi
		leave
		retn
_PoPauseStopWatch@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PoStartStopWatch(x)
_PoStartStopWatch@4 proc near		; CODE XREF: PopStatsMarkPowerRequestActive(x,x)+4Fp
					; PopStatsScenarioStateChange(x,x)+3Ej
		xor	eax, eax
		push	esi
		mov	esi, ecx
		inc	eax
		lock xadd [esi+20h], eax
		inc	eax
		lock inc dword ptr [esi+24h]
		cmp	eax, 1
		jnz	short loc_540414
		call	_PopInternalUpdateStopWatchState@4 ; PopInternalUpdateStopWatchState(x)
		mov	ecx, [esi]
		xor	eax, eax
		inc	eax
		lock xadd [ecx+28h], eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_540414
		pop	esi
		jmp	_PopInternalUpdateActiveStopWatchesCollectionState@4 ; PopInternalUpdateActiveStopWatchesCollectionState(x)
; 

loc_540414:				; CODE XREF: PoStartStopWatch(x)+13j
					; PoStartStopWatch(x)+28j
		pop	esi
		retn
_PoStartStopWatch@4 endp

; 

; __stdcall PoCaptureReasonContext(x, x, x, x, x, x)
_PoCaptureReasonContext@24:		; CODE XREF: NtSetTimerEx+135p
					; NtSetTimer+88438p ...
		push	30h
		push	offset dword_6A6F98
		call	__SEH_prolog4
		mov	[ebp-19h], dl
		mov	ebx, ecx
		push	7
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp-40h]
		rep stosd
		xor	ecx, ecx
		mov	edi, [ebp+14h]
		mov	[edi], ecx
		test	ebx, ebx
		jz	loc_5404C8
		test	dl, dl
		jz	loc_5404C8
		mov	[ebp-4], ecx
		cmp	[ebp+0Ch], cl
		jnz	short loc_54047B
		test	bl, 3
		jnz	loc_540529
		lea	esi, [ebx+1Ch]
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		ja	short loc_540469
		cmp	esi, ebx
		jnb	short loc_54046B

loc_540469:				; CODE XREF: .text:00540463j
		mov	[eax], cl

loc_54046B:				; CODE XREF: .text:00540467j
		push	7
		pop	ecx
		mov	esi, ebx
		lea	edi, [ebp-40h]
		rep movsd
		lea	ebx, [ebp-40h]
		mov	edi, [ebp+14h]

loc_54047B:				; CODE XREF: .text:0054044Ej
		push	edi
		push	dword ptr [ebp+10h]
		mov	ecx, ebx
		call	_PopCaptureReasonContext@16 ; PopCaptureReasonContext(x,x,x,x)
		mov	esi, eax
		mov	[ebp-24h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_5404D5
; 

loc_540494:				; DATA XREF: .text:006A6FACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_5404A2:				; DATA XREF: .text:006A6FB0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp+14h]
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_5404BC
		push	78435250h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0

loc_5404BC:				; CODE XREF: .text:005404ACj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	short loc_540517
; 

loc_5404C8:				; CODE XREF: .text:0054043Aj
					; .text:00540442j
		push	edi
		push	dword ptr [ebp+10h]
		mov	ecx, ebx
		call	_PopCaptureReasonContext@16 ; PopCaptureReasonContext(x,x,x,x)
		mov	esi, eax

loc_5404D5:				; CODE XREF: .text:00540492j
		test	esi, esi
		js	short loc_540515
		call	_Feature_3401902395__private_IsEnabledDeviceUsage@0 ; Feature_3401902395__private_IsEnabledDeviceUsage()
		neg	eax
		sbb	eax, eax
		neg	eax
		mov	eax, [edi]
		push	eax
		mov	edx, [ebp+8]
		mov	cl, [ebp-19h]
		jz	short loc_540510
		call	_PoGetRequester@12 ; PoGetRequester(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_540515
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_540515
		push	78435250h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0
		jmp	short loc_540515
; 

loc_540510:				; CODE XREF: .text:005404EDj
		call	_PoGetRequesterOld@12 ;	PoGetRequesterOld(x,x,x)

loc_540515:				; CODE XREF: .text:005404D7j
					; .text:005404F8j ...
		mov	eax, esi

loc_540517:				; CODE XREF: .text:005404C6j
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_540529:				; CODE XREF: .text:00540453j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoGetRequester(x, x, x)
_PoGetRequester@12 proc	near		; CODE XREF: .text:005404EFp

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0Ch
		push	offset dword_6A6FB8
		call	__SEH_prolog4
		mov	esi, edx
		test	cl, cl
		jnz	short loc_540564
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		mov	[eax+4], esi
		test	esi, esi
		jz	loc_5405FC
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		jmp	loc_5405FC
; 

loc_540564:				; CODE XREF: PoGetRequester(x,x,x)+10j
		and	[ebp+var_1C], 0
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jnz	short loc_540588
		cmp	byte ptr [eax+16Ah], 1
		jz	short loc_540588
		mov	eax, [eax+0A8h]
		jmp	short loc_54058A
; 

loc_540588:				; CODE XREF: PoGetRequester(x,x,x)+45j
					; PoGetRequester(x,x,x)+4Ej
		xor	eax, eax

loc_54058A:				; CODE XREF: PoGetRequester(x,x,x)+56j
		test	eax, eax
		jz	short loc_5405AF
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [eax+0F60h]
		mov	[ebp+var_1C], eax
		jmp	short loc_5405A8
; 

loc_54059D:				; DATA XREF: .text:006A6FCCo
		xor	eax, eax
		inc	eax
		retn
; 

loc_5405A1:				; DATA XREF: .text:006A6FD0o
		mov	esp, [ebp+ms_exc.old_esp]
		and	[ebp+var_1C], 0

loc_5405A8:				; CODE XREF: PoGetRequester(x,x,x)+6Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_5405AF:				; CODE XREF: PoGetRequester(x,x,x)+5Cj
		xor	eax, eax
		cmp	[ebp+var_1C], eax
		setnz	al
		inc	eax
		mov	esi, [ebp+arg_0]
		mov	[esi], eax
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	eax, [ecx+0E4h]
		mov	[esi+10h], eax
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esi+14h], eax
		mov	edx, [ecx+1C0h]
		push	78435250h
		push	100h
		lea	ecx, [esi+8]
		call	PopUnicodeStringDeepCopy
		test	eax, eax
		js	short loc_5405FE
		mov	eax, [ebp+var_1C]
		mov	[esi+18h], eax

loc_5405FC:				; CODE XREF: PoGetRequester(x,x,x)+1Dj
					; PoGetRequester(x,x,x)+2Fj
		xor	eax, eax

loc_5405FE:				; CODE XREF: PoGetRequester(x,x,x)+C4j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PoGetRequester@12 endp

; 

; __stdcall PopCaptureReasonContext(x, x, x, x)
_PopCaptureReasonContext@16:		; CODE XREF: .text:00540481p
					; .text:005404CEp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, [ebp+0Ch]
		push	ebx
		xor	ebx, ebx
		mov	[esp+8], edx
		push	esi
		push	edi
		mov	[eax], ebx
		mov	edi, ecx
		mov	eax, [ebp+8]
		mov	[esp+14h], ebx
		mov	[esp+30h], ebx
		mov	[esp+34h], ebx
		push	20h
		pop	esi
		test	eax, eax
		jz	short loc_540643
		mov	[eax], bl

loc_540643:				; CODE XREF: .text:0054063Fj
		mov	[esp+1Ch], ebx
		mov	eax, ebx
		mov	[esp+24h], ebx
		mov	[esp+18h], eax
		push	8
		pop	ecx
		test	edi, edi
		jnz	short loc_540665
		mov	dword ptr [esp+28h], 80000000h
		jmp	loc_540732
; 

loc_540665:				; CODE XREF: .text:00540656j
		cmp	[edi], ebx
		ja	loc_540895
		mov	eax, [edi+4]
		mov	[esp+28h], eax
		test	al, 1
		jz	short loc_54068F
		movzx	eax, word ptr [edi+8]
		add	eax, 2
		test	al, 1
		jnz	loc_540895
		lea	esi, [eax+34h]
		jmp	loc_540732
; 

loc_54068F:				; CODE XREF: .text:00540676j
		test	al, 2
		jz	loc_54072A
		movzx	eax, word ptr [edi+8]
		add	eax, 2
		test	al, 1
		jnz	loc_540895
		lea	esi, [eax+34h]
		mov	eax, [edi+14h]
		mov	[esp+1Ch], eax
		mul	ecx
		lea	ecx, [esp+24h]
		mov	[esp+20h], esi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	loc_540895
		mov	eax, [edi+18h]
		mov	[esp+18h], eax
		cmp	[esp+10h], bl
		jz	short loc_5406F8
		mov	ecx, [esp+24h]
		test	ecx, ecx
		jz	short loc_5406F8
		test	al, 3
		jnz	loc_5408A3
		mov	edx, ds:_MmUserProbeAddress
		add	ecx, eax
		cmp	ecx, edx
		ja	short loc_5406F6
		cmp	ecx, eax
		jnb	short loc_5406F8

loc_5406F6:				; CODE XREF: .text:005406F0j
		mov	[edx], bl

loc_5406F8:				; CODE XREF: .text:005406D4j
					; .text:005406DCj ...
		cmp	[esp+1Ch], ebx
		jbe	short loc_540732

loc_5406FE:				; CODE XREF: .text:00540728j
		movzx	edx, word ptr [eax+ebx*8]
		lea	ecx, [esp+20h]
		push	ecx
		add	edx, 2
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_540895
		mov	esi, [esp+20h]
		inc	ebx
		cmp	ebx, [esp+1Ch]
		jnb	short loc_540732
		mov	eax, [esp+18h]
		jmp	short loc_5406FE
; 

loc_54072A:				; CODE XREF: .text:00540691j
		test	eax, eax
		jns	loc_540895

loc_540732:				; CODE XREF: .text:00540660j
					; .text:0054068Aj ...
		cmp	byte ptr [esp+10h], 0
		push	78435250h
		push	esi
		jz	short loc_540748
		push	9
		call	ExAllocatePoolWithQuotaTag
		jmp	short loc_54074F
; 

loc_540748:				; CODE XREF: .text:0054073Dj
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_54074F:				; CODE XREF: .text:00540746j
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_54075F
		mov	eax, 0C000009Ah
		jmp	loc_54089A
; 

loc_54075F:				; CODE XREF: .text:00540753j
		call	_Feature_3401902395__private_IsEnabledDeviceUsage@0 ; Feature_3401902395__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	short loc_540774
		push	esi
		push	0
		push	ebx
		call	_memset
		add	esp, 0Ch

loc_540774:				; CODE XREF: .text:00540766j
		mov	eax, [ebp+0Ch]
		mov	ecx, [esp+28h]
		mov	[eax], ebx
		test	ecx, ecx
		jns	short loc_54078A
		and	dword ptr [ebx+1Ch], 0
		jmp	loc_54088E
; 

loc_54078A:				; CODE XREF: .text:0054077Fj
		push	dword ptr [esp+10h]
		lea	edx, [ebx+23h]
		mov	eax, ebx
		and	edx, 0FFFFFFFCh
		sub	eax, edx
		mov	[esp+2Ch], edx
		add	eax, esi
		add	esi, ebx
		mov	[ebx+1Ch], eax
		mov	[edx], ecx
		lea	eax, [edx+14h]
		mov	[esp+18h], eax
		and	ecx, 1
		mov	dword ptr [edx+4], 14h
		lea	ecx, [edi+8]
		mov	[esp+30h], esi
		lea	edx, [esp+18h]
		push	esi
		jz	short loc_5407EB
		call	_PopSafeCopyUnicodeString@16 ; PopSafeCopyUnicodeString(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_54087D

loc_5407D3:				; CODE XREF: .text:005407F4j
					; .text:0054085Dj
		push	78435250h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+0Ch]
		and	dword ptr [eax], 0

loc_5407E4:				; CODE XREF: .text:00540890j
		mov	eax, esi
		jmp	loc_54089A
; 

loc_5407EB:				; CODE XREF: .text:005407C2j
		call	_PopSafeCopyUnicodeString@16 ; PopSafeCopyUnicodeString(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_5407D3
		mov	ecx, [esp+28h]
		mov	ax, [edi+10h]
		mov	edx, [esp+1Ch]
		and	dword ptr [esp+28h], 0
		mov	[ecx+8], ax
		mov	eax, [esp+14h]
		sub	eax, ecx
		mov	[ecx+0Ch], edx
		mov	[ecx+10h], eax
		test	edx, edx
		jz	short loc_54087D
		mov	eax, [esp+18h]

loc_54081F:				; CODE XREF: .text:0054087Bj
		cmp	byte ptr [esp+10h], 0
		jz	short loc_540846
		mov	ecx, ds:_MmUserProbeAddress
		mov	edx, eax
		cmp	eax, ecx
		jb	short loc_540834
		mov	edx, ecx

loc_540834:				; CODE XREF: .text:00540830j
		nop
		mov	ecx, [edx]
		mov	eax, [edx+4]
		mov	[esp+34h], eax
		lea	eax, [esp+30h]
		mov	[esp+30h], ecx

loc_540846:				; CODE XREF: .text:00540824j
		push	dword ptr [esp+10h]
		lea	edx, [esp+18h]
		mov	ecx, eax
		push	dword ptr [esp+30h]
		call	_PopSafeCopyUnicodeString@16 ; PopSafeCopyUnicodeString(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_5407D3
		mov	ecx, [esp+28h]
		mov	eax, [esp+18h]
		inc	ecx
		add	eax, 8
		mov	[esp+28h], ecx
		mov	[esp+18h], eax
		cmp	ecx, [esp+1Ch]
		jb	short loc_54081F

loc_54087D:				; CODE XREF: .text:005407CDj
					; .text:00540819j
		mov	ecx, [ebp+8]
		test	ecx, ecx
		jz	short loc_54088E
		mov	eax, [edi+4]
		shr	eax, 2
		and	al, 1
		mov	[ecx], al

loc_54088E:				; CODE XREF: .text:00540785j
					; .text:00540882j
		xor	esi, esi
		jmp	loc_5407E4
; 

loc_540895:				; CODE XREF: .text:00540667j
					; .text:00540681j ...
		mov	eax, 0C000000Dh

loc_54089A:				; CODE XREF: .text:0054075Aj
					; .text:005407E6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_5408A3:				; CODE XREF: .text:005406E0j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSafeCopyUnicodeString(x,	x, x, x)
_PopSafeCopyUnicodeString@16 proc near	; CODE XREF: .text:005407C4p
					; .text:loc_5407EBp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		movzx	ecx, word ptr [edi]
		mov	esi, [ebx]
		mov	edx, ecx
		lea	eax, [edx+2]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		sub	eax, esi
		cmp	[ebp+var_4], eax
		ja	short loc_540935
		cmp	[ebp+arg_4], 0
		jnz	short loc_54090E

loc_5408D4:				; CODE XREF: PopSafeCopyUnicodeString(x,x,x,x)+67j
					; PopSafeCopyUnicodeString(x,x,x,x)+7Ej ...
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	edi
		call	RtlStringCbCopyUnicodeString
		test	eax, eax
		js	short loc_540935
		lea	ecx, [esi+2]
		xor	edx, edx

loc_5408E8:				; CODE XREF: PopSafeCopyUnicodeString(x,x,x,x)+47j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_5408E8
		movzx	eax, word ptr [edi]
		sub	esi, ecx
		sar	esi, 1
		add	esi, esi
		cmp	eax, esi
		jnz	short loc_540935
		lea	eax, [esi+2]
		add	[ebx], eax
		xor	eax, eax

loc_540907:				; CODE XREF: PopSafeCopyUnicodeString(x,x,x,x)+90j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_54090E:				; CODE XREF: PopSafeCopyUnicodeString(x,x,x,x)+28j
		test	cx, cx
		jz	short loc_5408D4
		mov	eax, [edi+4]
		test	al, 1
		jnz	short loc_540930
		mov	ecx, ds:_MmUserProbeAddress
		add	edx, eax
		cmp	edx, ecx
		ja	short loc_54092A
		cmp	edx, eax
		jnb	short loc_5408D4

loc_54092A:				; CODE XREF: PopSafeCopyUnicodeString(x,x,x,x)+7Aj
		xor	eax, eax
		mov	[ecx], al
		jmp	short loc_5408D4
; 

loc_540930:				; CODE XREF: PopSafeCopyUnicodeString(x,x,x,x)+6Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_540935:				; CODE XREF: PopSafeCopyUnicodeString(x,x,x,x)+22j
					; PopSafeCopyUnicodeString(x,x,x,x)+37j ...
		mov	eax, 0C000000Dh
		jmp	short loc_540907
_PopSafeCopyUnicodeString@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringCbCopyUnicodeString proc near	; CODE XREF: PoStoreRequester(x,x,x,x)+19Dp
					; PoStoreRequester(x,x,x,x)+1F6p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F3588 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	0
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		shr	ebx, 1
		pop	ecx
		mov	eax, ecx
		jz	short loc_540998
		cmp	ebx, 7FFFh
		ja	short loc_540998

loc_540959:				; CODE XREF: RtlStringCbCopyUnicodeString+61j
		test	eax, eax
		js	short loc_540993
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		push	ecx
		mov	ecx, esi
		call	sub_4344FE
		test	eax, eax
		js	short loc_54099F
		test	esi, esi
		jz	short loc_54099F
		movzx	edi, word ptr [esi]
		mov	ecx, [esi+4]
		shr	edi, 1

loc_54097C:				; CODE XREF: RtlStringCbCopyUnicodeString+65j
		test	eax, eax
		js	loc_5F3588
		push	edi
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	RtlStringCopyWideCharArrayWorker

loc_540991:				; CODE XREF: RtlStringCbCopyUnicodeString+B2C54j
		pop	edi
		pop	esi

loc_540993:				; CODE XREF: RtlStringCbCopyUnicodeString+1Fj
		pop	ebx
		leave
		retn	4
; 

loc_540998:				; CODE XREF: RtlStringCbCopyUnicodeString+13j
					; RtlStringCbCopyUnicodeString+1Bj
		mov	eax, 0C000000Dh
		jmp	short loc_540959
; 

loc_54099F:				; CODE XREF: RtlStringCbCopyUnicodeString+32j
					; RtlStringCbCopyUnicodeString+36j
		xor	ecx, ecx
		jmp	short loc_54097C
RtlStringCbCopyUnicodeString endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringCopyWideCharArrayWorker proc near ; CODE XREF:	RtlStringCbCopyUnicodeString+50p

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	edx, edx
		jz	short loc_5409EA
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_8]
		sub	esi, ecx

loc_5409B7:				; CODE XREF: RtlStringCopyWideCharArrayWorker+25j
		test	edi, edi
		jz	short loc_5409CB
		mov	ax, [esi+ecx]
		mov	[ecx], ax
		add	ecx, 2
		dec	edi
		sub	edx, 1
		jnz	short loc_5409B7

loc_5409CB:				; CODE XREF: RtlStringCopyWideCharArrayWorker+15j
		pop	edi
		pop	esi
		test	edx, edx
		jz	short loc_5409EA

loc_5409D1:				; CODE XREF: RtlStringCopyWideCharArrayWorker+49j
		neg	edx
		sbb	edx, edx
		and	edx, 7FFFFFFBh
		xor	eax, eax
		mov	[ecx], ax
		lea	eax, [edx-7FFFFFFBh]
		pop	ebp
		retn	0Ch
; 

loc_5409EA:				; CODE XREF: RtlStringCopyWideCharArrayWorker+7j
					; RtlStringCopyWideCharArrayWorker+2Bj
		sub	ecx, 2
		jmp	short loc_5409D1
RtlStringCopyWideCharArrayWorker endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PopInternalUpdateStopWatchState(x)
_PopInternalUpdateStopWatchState@4 proc	near ; CODE XREF: PoArmStopWatchCollection(x)+23p
					; PoUnarmStopWatchCollection(x)+4Dp ...
		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, ecx
		xor	edx, edx
		lea	eax, [edi+20h]
		lock xadd [eax], edx
		xor	ebx, ebx
		inc	ebx
		test	edx, edx
		jg	short loc_540A4E

loc_540A06:				; CODE XREF: PopInternalUpdateStopWatchState(x)+66j
		xor	cl, cl

loc_540A08:				; CODE XREF: PopInternalUpdateStopWatchState(x)+6Aj
		mov	eax, [edi+10h]
		or	eax, [edi+14h]
		jnz	short loc_540A12
		xor	bl, bl

loc_540A12:				; CODE XREF: PopInternalUpdateStopWatchState(x)+1Ej
		cmp	cl, bl
		jnz	short loc_540A19

loc_540A16:				; CODE XREF: PopInternalUpdateStopWatchState(x)+5Cj
					; PopInternalUpdateStopWatchState(x)+77j
		pop	edi
		pop	ebx
		retn
; 

loc_540A19:				; CODE XREF: PopInternalUpdateStopWatchState(x)+24j
		test	cl, cl
		jnz	short loc_540A5C
		mov	ebx, [edi+18h]
		push	esi
		mov	esi, [edi+1Ch]
		call	KeQueryInterruptTime
		sub	eax, [edi+10h]
		sbb	edx, [edi+14h]
		add	[edi+18h], eax
		mov	ecx, [edi+18h]
		adc	[edi+1Ch], edx
		cmp	[edi+1Ch], esi
		pop	esi
		ja	short loc_540A44
		jb	short loc_540A69
		cmp	ecx, ebx
		jb	short loc_540A69

loc_540A44:				; CODE XREF: PopInternalUpdateStopWatchState(x)+4Cj
					; PopInternalUpdateStopWatchState(x)+81j
		and	dword ptr [edi+10h], 0
		and	dword ptr [edi+14h], 0
		jmp	short loc_540A16
; 

loc_540A4E:				; CODE XREF: PopInternalUpdateStopWatchState(x)+14j
		mov	ecx, [edi]
		mov	eax, [ecx+8]
		or	eax, [ecx+0Ch]
		jz	short loc_540A06
		mov	cl, bl
		jmp	short loc_540A08
; 

loc_540A5C:				; CODE XREF: PopInternalUpdateStopWatchState(x)+2Bj
		call	KeQueryInterruptTime
		mov	[edi+10h], eax
		mov	[edi+14h], edx
		jmp	short loc_540A16
; 

loc_540A69:				; CODE XREF: PopInternalUpdateStopWatchState(x)+4Ej
					; PopInternalUpdateStopWatchState(x)+52j
		or	dword ptr [edi+18h], 0FFFFFFFFh
		or	dword ptr [edi+1Ch], 0FFFFFFFFh
		jmp	short loc_540A44
_PopInternalUpdateStopWatchState@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoQueryStopWatch proc near		; CODE XREF: PopIsDataAccruedByPowerRequestStats(x)+33p
					; PopPublishAndPurgePowerRequestStats(x,x,x)+12Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F3595 SIZE 00000061 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	esi, edx
		mov	[ebp+var_C], esi
		cmp	[edi], ebx
		jz	short loc_540ABB
		test	esi, esi
		jz	short loc_540AA7
		mov	eax, [edi+18h]
		mov	[esi], eax
		mov	eax, [edi+1Ch]
		mov	[esi+4], eax
		mov	eax, [edi+10h]
		or	eax, [edi+14h]
		jnz	loc_5F3595

loc_540AA7:				; CODE XREF: PoQueryStopWatch+1Aj
					; PoQueryStopWatch+B2B5Ej ...
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	loc_5F35E3

loc_540AB2:				; CODE XREF: PoQueryStopWatch+4Cj
					; PoQueryStopWatch+B2B7Dj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_540ABB:				; CODE XREF: PoQueryStopWatch+16j
		mov	ebx, 0C00000B7h
		jmp	short loc_540AB2
PoQueryStopWatch endp


;  S U B	R O U T	I N E 


; __stdcall PoIsRunningStopWatch(x)
_PoIsRunningStopWatch@4	proc near	; CODE XREF: PopPausePowerRequestStats(x):loc_842E94p
		mov	eax, [ecx+10h]
		or	eax, [ecx+14h]
		jnz	short loc_540ACD
		xor	al, al
		retn
; 

loc_540ACD:				; CODE XREF: PoIsRunningStopWatch(x)+6j
		mov	al, 1
		retn
_PoIsRunningStopWatch@4	endp


;  S U B	R O U T	I N E 


; __stdcall PopInternalUpdateActiveStopWatchesCollectionState(x)
_PopInternalUpdateActiveStopWatchesCollectionState@4 proc near
					; CODE XREF: PoArmStopWatchCollection(x)+30p
					; PoUnarmStopWatchCollection(x)+5Ap ...
		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, ecx
		xor	edx, edx
		lea	eax, [edi+28h]
		lock xadd [eax], edx
		xor	ebx, ebx
		inc	ebx
		test	edx, edx
		jg	short loc_540B2C

loc_540AE6:				; CODE XREF: PopInternalUpdateActiveStopWatchesCollectionState(x)+62j
		xor	cl, cl

loc_540AE8:				; CODE XREF: PopInternalUpdateActiveStopWatchesCollectionState(x)+66j
		mov	eax, [edi+18h]
		or	eax, [edi+1Ch]
		jnz	short loc_540AF2
		xor	bl, bl

loc_540AF2:				; CODE XREF: PopInternalUpdateActiveStopWatchesCollectionState(x)+1Ej
		cmp	cl, bl
		jz	short loc_540B29
		test	cl, cl
		jnz	short loc_540B38
		mov	ebx, [edi+20h]
		push	esi
		mov	esi, [edi+24h]
		call	KeQueryInterruptTime
		sub	eax, [edi+18h]
		sbb	edx, [edi+1Ch]
		add	[edi+20h], eax
		mov	ecx, [edi+20h]
		adc	[edi+24h], edx
		cmp	[edi+24h], esi
		pop	esi
		ja	short loc_540B21
		jb	short loc_540B45
		cmp	ecx, ebx
		jb	short loc_540B45

loc_540B21:				; CODE XREF: PopInternalUpdateActiveStopWatchesCollectionState(x)+49j
					; PopInternalUpdateActiveStopWatchesCollectionState(x)+7Dj
		and	dword ptr [edi+18h], 0
		and	dword ptr [edi+1Ch], 0

loc_540B29:				; CODE XREF: PopInternalUpdateActiveStopWatchesCollectionState(x)+24j
					; PopInternalUpdateActiveStopWatchesCollectionState(x)+73j
		pop	edi
		pop	ebx
		retn
; 

loc_540B2C:				; CODE XREF: PopInternalUpdateActiveStopWatchesCollectionState(x)+14j
		mov	eax, [edi+8]
		or	eax, [edi+0Ch]
		jz	short loc_540AE6
		mov	cl, bl
		jmp	short loc_540AE8
; 

loc_540B38:				; CODE XREF: PopInternalUpdateActiveStopWatchesCollectionState(x)+28j
		call	KeQueryInterruptTime
		mov	[edi+18h], eax
		mov	[edi+1Ch], edx
		jmp	short loc_540B29
; 

loc_540B45:				; CODE XREF: PopInternalUpdateActiveStopWatchesCollectionState(x)+4Bj
					; PopInternalUpdateActiveStopWatchesCollectionState(x)+4Fj
		or	dword ptr [edi+20h], 0FFFFFFFFh
		or	dword ptr [edi+24h], 0FFFFFFFFh
		jmp	short loc_540B21
_PopInternalUpdateActiveStopWatchesCollectionState@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PoIsArmedStopWatchCollection(x)
_PoIsArmedStopWatchCollection@4	proc near
					; CODE XREF: PopStatsNotifyPowerRequestBlocking(x)+3Cp
					; PopStatsNotifyPowerRequestCsState(x,x,x)+64p
		mov	eax, [ecx+8]
		or	eax, [ecx+0Ch]
		jz	short loc_540B5B
		mov	al, 1
		retn
; 

loc_540B5B:				; CODE XREF: PoIsArmedStopWatchCollection(x)+6j
		xor	al, al
		retn
_PoIsArmedStopWatchCollection@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpResSearchResourceMappedFile	proc near
					; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+2D5p
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+34Bp ...

var_344		= dword	ptr -344h
var_33C		= dword	ptr -33Ch
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_320		= dword	ptr -320h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2F9		= byte ptr -2F9h
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2EC		= dword	ptr -2ECh
var_2E8		= dword	ptr -2E8h
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2D9		= byte ptr -2D9h
var_2D8		= dword	ptr -2D8h
var_2D4		= word ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_D0		= dword	ptr -0D0h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005F35F6 SIZE 0000000A BYTES
; FUNCTION CHUNK AT 005F361C SIZE 000001F8 BYTES
; FUNCTION CHUNK AT 005F381D SIZE 0000000B BYTES

		push	334h
		push	offset dword_6A7038
		call	__SEH_prolog4_GS
		mov	[ebp+var_300], edx
		mov	[ebp+var_2F8], ecx
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_2E4], esi
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_308], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_328], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_32C], eax
		mov	ecx, [ebp+arg_18]
		mov	[ebp+var_30C], ecx
		xor	ebx, ebx
		mov	[ebp+var_31C], ebx
		mov	[ebp+var_318], ebx
		mov	[ebp+var_314], ebx
		mov	[ebp+var_310], ebx
		push	208h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_2D8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	al, bl
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		and	edx, 40h
		mov	[ebp+var_33C], edx
		mov	[ebp+var_304], ebx
		mov	[ebp+var_2D9], bl
		mov	[ebp+var_2F4], ebx
		mov	edi, ecx
		and	edi, 80h
		mov	[ebp+var_2E0], edi
		cmp	[ebp+arg_8], 3
		jnz	loc_5F3653
		movzx	eax, word ptr [esi+8]
		mov	[ebp+var_2F4], eax
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [esi]
		test	eax, 0FFFF0000h
		jnz	loc_54105E

loc_540C29:				; CODE XREF: LdrpResSearchResourceMappedFile+50Fj
		mov	al, bl
		xor	edx, edx
		inc	edx

loc_540C2E:				; CODE XREF: LdrpResSearchResourceMappedFile+B2A9Dj
		mov	[ebp+var_2F9], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+arg_0]

loc_540C3E:				; CODE XREF: LdrpResSearchResourceMappedFile+B2AF8j
		mov	esi, edi
		test	cl, 10h
		jz	loc_540F63

loc_540C49:				; CODE XREF: LdrpResSearchResourceMappedFile+40Aj
					; LdrpResSearchResourceMappedFile+414j	...
		mov	eax, esi
		mov	edx, 60000h
		and	eax, edx
		cmp	eax, edx
		jz	loc_5F36A0
		mov	edx, esi
		not	edx
		xor	eax, eax
		inc	eax
		mov	word ptr [ebp+var_2D8],	ax
		xor	eax, eax
		mov	[ebp+var_2D4], ax
		mov	eax, ecx
		not	eax
		test	al, 10h
		setnz	cl
		bt	edx, 13h
		setb	al
		and	cl, al
		bt	edx, 11h
		setb	al
		test	cl, al
		jnz	short loc_540C94
		cmp	[ebp+arg_8], 3
		jnz	short loc_540CA7

loc_540C94:				; CODE XREF: LdrpResSearchResourceMappedFile+12Ej
		mov	eax, [ebp+arg_0]
		test	al, 10h
		jz	loc_540F3B
		test	al, 20h
		jz	loc_540F3B

loc_540CA7:				; CODE XREF: LdrpResSearchResourceMappedFile+134j
					; LdrpResSearchResourceMappedFile+3FAj
		mov	edx, [ebp+arg_0]

loc_540CAA:				; CODE XREF: LdrpResSearchResourceMappedFile+B2B5Dj
		mov	eax, esi
		not	eax
		bt	eax, 12h
		setnb	cl
		bt	esi, 13h
		setnb	al
		and	cl, al
		test	dl, 10h
		setz	al
		test	cl, al
		jz	loc_540FC7

loc_540CCC:				; CODE XREF: LdrpResSearchResourceMappedFile+494j
		mov	edi, ebx
		mov	ecx, ebx
		mov	[ebp+var_334], ebx

loc_540CD6:				; CODE XREF: LdrpResSearchResourceMappedFile+464j
		movzx	eax, word ptr [ebp+var_2D8]
		cmp	ecx, eax
		jnb	loc_540E35
		mov	[ebp+var_2EC], ebx
		mov	[ebp+var_2E8], ebx
		movzx	eax, [ebp+ecx*8+var_2D4]
		mov	[ebp+var_2F0], eax
		mov	ecx, [ebp+ecx*8+var_2D0]
		mov	[ebp+var_2E0], ecx
		mov	eax, ebx
		mov	[ebp+var_330], ebx

loc_540D14:				; CODE XREF: LdrpResSearchResourceMappedFile+3D0j
		cmp	eax, 2
		jnb	loc_540FB5
		sub	eax, ebx
		jz	loc_540E49
		sub	eax, 1
		jnz	loc_5F36D1
		mov	dl, bl
		mov	[ebp+var_2D9], dl

loc_540D36:				; CODE XREF: LdrpResSearchResourceMappedFile+335j
					; LdrpResSearchResourceMappedFile+3B5j
		mov	ecx, [ebp+arg_0]
		mov	eax, ecx
		not	eax
		test	al, 2
		jz	short loc_540D57
		cmp	[ebp+arg_8], 2
		jle	short loc_540D57
		movzx	eax, word ptr [ebp+var_2F0]
		mov	edi, [ebp+var_2E4]
		mov	[edi+8], eax

loc_540D57:				; CODE XREF: LdrpResSearchResourceMappedFile+1E1j
					; LdrpResSearchResourceMappedFile+1E7j
		mov	[ebp+var_304], ebx
		test	dl, dl
		jnz	loc_541040
		lea	eax, [ebp+var_2F0]
		mov	[ebp+var_2F4], eax

loc_540D71:				; CODE XREF: LdrpResSearchResourceMappedFile+4E8j
		test	dl, dl
		jnz	loc_54104B
		test	cl, 20h
		jz	loc_540F33

loc_540D82:				; CODE XREF: LdrpResSearchResourceMappedFile+3D8j
					; LdrpResSearchResourceMappedFile+4F0j
		mov	eax, [ebp+var_328]
		test	eax, eax
		jz	loc_5F371E

loc_540D90:				; CODE XREF: LdrpResSearchResourceMappedFile+B2BC6j
		mov	[ebp+var_320], eax
		test	dl, dl
		mov	eax, [ebp+var_310]
		jnz	short loc_540DA6
		mov	eax, [ebp+var_314]

loc_540DA6:				; CODE XREF: LdrpResSearchResourceMappedFile+240j
		mov	[ebp+var_324], eax
		test	dl, dl
		mov	edi, [ebp+var_318]
		jnz	loc_541053
		mov	edi, [ebp+var_31C]
		mov	edx, [ebp+var_300]

loc_540DC6:				; CODE XREF: LdrpResSearchResourceMappedFile+4FBj
		cmp	[ebp+var_2D9], 0
		mov	eax, [ebp+var_2EC]
		jnz	short loc_540DDB
		mov	eax, [ebp+var_2F8]

loc_540DDB:				; CODE XREF: LdrpResSearchResourceMappedFile+275j
		push	[ebp+var_2F4]
		push	ecx
		push	[ebp+var_320]
		push	[ebp+var_308]
		lea	ecx, [ebp+var_2D8]
		push	ecx
		push	[ebp+arg_8]
		push	[ebp+var_2E4]
		push	ebx
		push	[ebp+var_324]
		push	edi
		push	edx
		xor	edx, edx
		mov	ecx, eax
		call	LdrpResSearchResourceInsideDirectory
		mov	edi, eax
		cmp	[ebp+var_33C], 0
		jnz	loc_5F3729

loc_540E1F:				; CODE XREF: LdrpResSearchResourceMappedFile+B2BDBj
					; LdrpResSearchResourceMappedFile+B2BE8j ...
		test	edi, edi
		js	loc_540F18

loc_540E27:				; CODE XREF: LdrpResSearchResourceMappedFile+B2C1Fj
		mov	edx, [ebp+var_30C]
		test	edx, edx
		jnz	loc_5F379C

loc_540E35:				; CODE XREF: LdrpResSearchResourceMappedFile+181j
					; LdrpResSearchResourceMappedFile+B2AF0j ...
		mov	eax, edi

loc_540E37:				; CODE XREF: LdrpResSearchResourceMappedFile+48Bj
					; LdrpResSearchResourceMappedFile+B2B63j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_540E49:				; CODE XREF: LdrpResSearchResourceMappedFile+1C1j
		cmp	ecx, 9
		jz	loc_5F36C6
		mov	ecx, esi
		and	ecx, 0A0000h
		neg	ecx
		sbb	cl, cl
		inc	cl
		test	dl, 10h
		setz	al
		test	cl, al
		jz	loc_540F1B
		cmp	word ptr [ebp+var_2F0],	0
		jz	loc_540F1B
		cmp	_PnPBootDriversInitialized, 0
		jz	loc_540F1B
		mov	dl, 1
		mov	[ebp+var_2D9], dl

loc_540E91:				; CODE XREF: LdrpResSearchResourceMappedFile+B2B79j
		test	dl, dl
		jz	loc_540D36
		mov	eax, esi
		or	eax, 1000h
		push	eax
		lea	eax, [ebp+var_2E8]
		push	eax
		lea	eax, [ebp+var_2EC]
		push	eax
		mov	edx, [ebp+var_2F0]
		mov	ecx, [ebp+var_2F8]
		call	LdrLoadAlternateResourceModuleEx
		mov	edi, eax
		test	edi, edi
		js	loc_5F36DC
		mov	eax, [ebp+var_2E8]
		test	eax, eax
		jz	loc_5F36FA

loc_540ED8:				; CODE XREF: LdrpResSearchResourceMappedFile+B2BBBj
		mov	edx, [ebp+arg_0]
		test	edx, 1000h
		jz	short loc_540EEB
		test	edi, edi
		js	loc_540FB5

loc_540EEB:				; CODE XREF: LdrpResSearchResourceMappedFile+383j
		lea	ecx, [ebp+var_310]
		push	ecx
		lea	ecx, [ebp+var_318]
		push	ecx
		push	edx
		mov	edx, eax
		mov	ecx, [ebp+var_2EC]
		call	LdrpResGetResourceDirectory
		mov	edi, eax
		test	edi, edi
		js	short loc_540F18
		mov	dl, [ebp+var_2D9]
		jmp	loc_540D36
; 

loc_540F18:				; CODE XREF: LdrpResSearchResourceMappedFile+2C3j
					; LdrpResSearchResourceMappedFile+3ADj	...
		mov	edx, [ebp+arg_0]

loc_540F1B:				; CODE XREF: LdrpResSearchResourceMappedFile+30Aj
					; LdrpResSearchResourceMappedFile+318j	...
		mov	ecx, [ebp+var_2E0]

loc_540F21:				; CODE XREF: LdrpResSearchResourceMappedFile+B2B6Ej
		mov	eax, [ebp+var_330]
		inc	eax
		mov	[ebp+var_330], eax
		jmp	loc_540D14
; 

loc_540F33:				; CODE XREF: LdrpResSearchResourceMappedFile+21Ej
		or	ecx, 4
		jmp	loc_540D82
; 

loc_540F3B:				; CODE XREF: LdrpResSearchResourceMappedFile+13Bj
					; LdrpResSearchResourceMappedFile+143j
		test	al, 4
		jnz	loc_5F36AA

loc_540F43:				; CODE XREF: LdrpResSearchResourceMappedFile+B2B4Fj
		lea	eax, [ebp+var_2D8]
		push	eax
		push	esi
		push	[ebp+var_2F4]
		call	LdrResFallbackLangList
		test	eax, eax
		jns	loc_540CA7
		jmp	loc_5F36B2
; 

loc_540F63:				; CODE XREF: LdrpResSearchResourceMappedFile+E5j
		mov	esi, edi
		cmp	[ebp+arg_8], edx
		jl	loc_540C49
		cmp	[ebp+arg_8], 3
		jg	loc_540C49
		mov	esi, [ebp+var_2E4]
		jnz	loc_5F365B
		movzx	edx, word ptr [esi+8]

loc_540F88:				; CODE XREF: LdrpResSearchResourceMappedFile+B2AFFj
		test	ecx, 1000000h
		jnz	short loc_540FA8
		mov	esi, [esi]
		cmp	esi, 10h
		jnz	short loc_540FF7

loc_540F97:				; CODE XREF: LdrpResSearchResourceMappedFile+49Cj
					; LdrpResSearchResourceMappedFile+4A0j
		mov	eax, ecx
		not	eax
		test	al, 8
		jz	short loc_541000
		test	dx, dx
		jnz	loc_5F3662

loc_540FA8:				; CODE XREF: LdrpResSearchResourceMappedFile+430j
					; LdrpResSearchResourceMappedFile+B2B0Cj ...
		or	ecx, 10h
		mov	[ebp+arg_0], ecx
		mov	esi, edi
		jmp	loc_540C49
; 

loc_540FB5:				; CODE XREF: LdrpResSearchResourceMappedFile+1B9j
					; LdrpResSearchResourceMappedFile+387j
		mov	ecx, [ebp+var_334]
		inc	ecx
		mov	[ebp+var_334], ecx
		jmp	loc_540CD6
; 

loc_540FC7:				; CODE XREF: LdrpResSearchResourceMappedFile+168j
		lea	eax, [ebp+var_314]
		push	eax
		lea	eax, [ebp+var_31C]
		push	eax
		push	edx
		mov	edx, [ebp+var_300]
		mov	ecx, [ebp+var_2F8]
		call	LdrpResGetResourceDirectory
		test	eax, eax
		js	loc_540E37
		mov	edx, [ebp+arg_0]
		jmp	loc_540CCC
; 

loc_540FF7:				; CODE XREF: LdrpResSearchResourceMappedFile+437j
		cmp	esi, 18h
		jz	short loc_540F97
		test	al, al
		jnz	short loc_540F97

loc_541000:				; CODE XREF: LdrpResSearchResourceMappedFile+43Fj
					; LdrpResSearchResourceMappedFile+B2B1Aj
		push	1
		push	ecx
		push	ebx
		mov	edx, [ebp+var_300]
		mov	esi, [ebp+var_2F8]
		mov	ecx, esi
		call	LdrResGetRCConfig
		mov	edi, eax
		test	edi, edi
		js	loc_5F3683
		push	ecx
		push	ecx
		mov	edx, [ebp+var_2E4]
		mov	ecx, esi
		call	_LdrIsResItemExist@16 ;	LdrIsResItemExist(x,x,x,x)
		mov	esi, eax
		or	esi, [ebp+var_2E0]

loc_541038:				; CODE XREF: LdrpResSearchResourceMappedFile+B2B3Dj
		mov	ecx, [ebp+arg_0]
		jmp	loc_540C49
; 

loc_541040:				; CODE XREF: LdrpResSearchResourceMappedFile+201j
		mov	[ebp+var_2F4], ebx
		jmp	loc_540D71
; 

loc_54104B:				; CODE XREF: LdrpResSearchResourceMappedFile+215j
		or	ecx, 20h
		jmp	loc_540D82
; 

loc_541053:				; CODE XREF: LdrpResSearchResourceMappedFile+256j
		mov	edx, [ebp+var_2E8]
		jmp	loc_540DC6
; 

loc_54105E:				; CODE XREF: LdrpResSearchResourceMappedFile+C5j
		push	(offset	off_5A5428+2) ;	wchar_t	*
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_540C29
		jmp	loc_5F35F6
LdrpResSearchResourceMappedFile	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpFindMessageInAlternateModule proc near
					; CODE XREF: LdrpLoadResourceFromAlternativeModule+89p
					; LdrpResSearchResourceMappedFile+B2C16p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005F3839 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		test	ecx, ecx
		jz	short loc_5410D8
		test	edx, edx
		jz	short loc_5410D8
		mov	bl, [ebp+arg_8]
		test	bl, bl
		jnz	short loc_5410A5
		push	0
		lea	eax, [ebp+var_4]
		push	eax
		call	LdrpAccessResourceDataNoMultipleLanguage
		test	eax, eax
		js	short loc_5410D3
		mov	edx, [ebp+var_4]

loc_5410A5:				; CODE XREF: LdrpFindMessageInAlternateModule+19j
		mov	ecx, [edx]
		add	edx, 4
		test	bl, bl
		jnz	loc_5F3839

loc_5410B2:				; CODE XREF: LdrpFindMessageInAlternateModule+B27CAj
		test	ecx, ecx
		jz	short loc_5410CA
		mov	eax, [ebp+arg_4]

loc_5410B9:				; CODE XREF: LdrpFindMessageInAlternateModule+50j
		dec	ecx
		cmp	eax, [edx]
		jb	short loc_5410C3
		cmp	eax, [edx+4]
		jbe	short loc_5410D1

loc_5410C3:				; CODE XREF: LdrpFindMessageInAlternateModule+44j
		add	edx, 0Ch
		test	ecx, ecx
		jnz	short loc_5410B9

loc_5410CA:				; CODE XREF: LdrpFindMessageInAlternateModule+3Cj
		mov	eax, 0C0000109h
		jmp	short loc_5410D3
; 

loc_5410D1:				; CODE XREF: LdrpFindMessageInAlternateModule+49j
		xor	eax, eax

loc_5410D3:				; CODE XREF: LdrpFindMessageInAlternateModule+28j
					; LdrpFindMessageInAlternateModule+57j	...
		pop	ebx
		leave
		retn	0Ch
; 

loc_5410D8:				; CODE XREF: LdrpFindMessageInAlternateModule+Ej
					; LdrpFindMessageInAlternateModule+12j
		mov	eax, 0C000000Dh
		jmp	short loc_5410D3
LdrpFindMessageInAlternateModule endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpGetAlternateResourceModuleHandleEx proc near ; CODE	XREF: LdrpAccessResourceData+52p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005411E2 SIZE 0000000B BYTES
; FUNCTION CHUNK AT 005F3852 SIZE 0000004D BYTES

		push	20h
		push	offset dword_6A70A8
		call	__SEH_prolog4
		mov	[ebp+var_2C], ecx
		xor	esi, esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		call	LdrpInitMuiCrits
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset _MuiMutex
		call	KeWaitForSingleObject
		mov	[ebp+ms_exc.disabled], esi
		mov	ebx, [ebp+arg_4]
		mov	[ebx], esi
		mov	edi, _AlternateResourceModuleCount
		mov	[ebp+var_24], edi
		lea	ecx, [edi-1]

loc_54111E:				; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+73j
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		js	short loc_541198
		mov	edx, ecx
		shl	edx, 5
		mov	ebx, _AlternateResourceModules
		mov	eax, [ebp+var_2C]
		cmp	[edx+ebx+4], eax
		jnz	short loc_541152
		cmp	[ebp+var_20], 0
		jnz	short loc_541155
		mov	eax, [edx+ebx+10h]
		mov	[ebp+var_20], eax
		mov	eax, [edx+ebx+18h]
		mov	[ebp+var_1C], eax
		mov	edi, ecx
		mov	[ebp+var_24], edi

loc_541152:				; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+57j
		dec	ecx
		jmp	short loc_54111E
; 

loc_541155:				; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+5Dj
		mov	ebx, edi

loc_541157:				; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+103j
		mov	[ebp+var_28], ebx
		test	ebx, ebx
		js	loc_5F3852
		mov	ecx, ebx
		shl	ecx, 5
		mov	eax, _AlternateResourceModules
		mov	edx, [ebp+var_2C]
		cmp	[ecx+eax+4], edx
		jnz	short loc_5411E2
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	LdrpGetMappingFromCacheEntry
		test	al, al
		jz	short loc_5411E2
		mov	edi, ebx
		mov	[ebp+var_24], edi
		test	ebx, ebx
		js	loc_5F3852

loc_541198:				; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+43j
					; LdrpGetAlternateResourceModuleHandleEx+B277Bj
		cmp	edi, _AlternateResourceModuleCount
		jz	short loc_5411E8
		cmp	[ebp+var_1C], 0
		jz	loc_5F3860

loc_5411AA:				; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+B278Ej
					; LdrpGetAlternateResourceModuleHandleEx+B27AFj ...
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax

loc_5411B2:				; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+10Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_5411D3
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
LdrpGetAlternateResourceModuleHandleEx endp


;  S U B	R O U T	I N E 


sub_5411D3	proc near		; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+D9p
					; sub_5F389F+2j
		push	esi
		push	esi
		push	1
		push	offset _MuiMutex
		call	KeReleaseMutant
		retn
sub_5411D3	endp

; 
; START	OF FUNCTION CHUNK FOR LdrpGetAlternateResourceModuleHandleEx

loc_5411E2:				; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+93j
					; LdrpGetAlternateResourceModuleHandleEx+A9j
		dec	ebx
		jmp	loc_541157
; 

loc_5411E8:				; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+BEj
		mov	[ebp+var_20], esi
		jmp	short loc_5411B2
; END OF FUNCTION CHUNK	FOR LdrpGetAlternateResourceModuleHandleEx
; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpGetMappingFromCacheEntry proc near	; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+A2p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F38A6 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		test	edi, edi
		jz	short loc_541250
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	short loc_541250
		cmp	esi, _AlternateResourceModuleCount
		jnb	short loc_541250
		lfence	eax
		mov	eax, _AlternateResourceModules
		shl	esi, 5
		mov	ecx, [esi+eax+18h]
		mov	esi, [esi+eax+10h]
		test	esi, esi
		jz	short loc_541250
		cmp	esi, 0FFFFFFFFh
		jz	short loc_541250
		test	ecx, ecx
		jz	loc_5F38A6

loc_541231:				; CODE XREF: LdrpGetMappingFromCacheEntry+B26F2j
		mov	eax, esi
		and	eax, 0FFFFFFFCh
		cmp	edi, eax
		jb	short loc_541250
		add	eax, ecx
		cmp	edi, eax
		jnb	short loc_541250
		mov	eax, [ebp+arg_4]
		mov	[ebx], esi
		mov	[eax], ecx
		mov	al, 1

loc_541249:				; CODE XREF: LdrpGetMappingFromCacheEntry+64j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_541250:				; CODE XREF: LdrpGetMappingFromCacheEntry+Ej
					; LdrpGetMappingFromCacheEntry+15j ...
		xor	al, al
		jmp	short loc_541249
LdrpGetMappingFromCacheEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFindMessageInTable(x, x, x, x)
_RtlpFindMessageInTable@16 proc	near	; CODE XREF: RtlFindMessage(x,x,x,x,x)+73p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	ebx, [edx-1]
		add	ebx, edi
		mov	eax, [edi]
		lea	ecx, [edi+4]
		test	eax, eax
		jz	short loc_541282
		mov	edx, [ebp+arg_0]

loc_54126F:				; CODE XREF: RtlpFindMessageInTable(x,x,x,x)+2Cj
		mov	esi, [ecx]
		dec	eax
		cmp	edx, esi
		jb	short loc_54127B
		cmp	edx, [ecx+4]
		jbe	short loc_541289

loc_54127B:				; CODE XREF: RtlpFindMessageInTable(x,x,x,x)+20j
		add	ecx, 0Ch
		test	eax, eax
		jnz	short loc_54126F

loc_541282:				; CODE XREF: RtlpFindMessageInTable(x,x,x,x)+16j
					; RtlpFindMessageInTable(x,x,x,x)+46j
		mov	eax, 0C0000109h
		jmp	short loc_5412A7
; 

loc_541289:				; CODE XREF: RtlpFindMessageInTable(x,x,x,x)+25j
		mov	ecx, [ecx+8]
		add	ecx, edi
		sub	edx, esi
		jz	short loc_5412A0

loc_541292:				; CODE XREF: RtlpFindMessageInTable(x,x,x,x)+4Aj
		movzx	eax, word ptr [ecx]
		dec	edx
		add	ecx, eax
		cmp	ecx, ebx
		ja	short loc_541282
		test	edx, edx
		jnz	short loc_541292

loc_5412A0:				; CODE XREF: RtlpFindMessageInTable(x,x,x,x)+3Cj
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		xor	eax, eax

loc_5412A7:				; CODE XREF: RtlpFindMessageInTable(x,x,x,x)+33j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_RtlpFindMessageInTable@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpGetImageSize proc near		; CODE XREF: LdrpAccessResourceData+7Dp
					; LdrpAccessResourceDataNoMultipleLanguage+37p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F38E5 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	eax, ebx
		xor	edi, edi
		and	eax, 0FFFFFFFCh
		mov	esi, edi
		push	eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	short loc_541307
		test	bl, 1
		jz	short loc_5412EB
		mov	ecx, ebx
		call	_LdrpKrnGetDataTableEntry@4 ; LdrpKrnGetDataTableEntry(x)
		test	eax, eax
		jnz	short loc_541302

loc_5412DF:				; CODE XREF: LdrpGetImageSize+52j
					; LdrpGetImageSize+57j	...
		mov	eax, [ebp+var_4]
		mov	[eax], esi
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5412EB:				; CODE XREF: LdrpGetImageSize+24j
		movzx	ecx, word ptr [eax+18h]
		mov	edx, 10Bh
		cmp	cx, dx
		jnz	loc_5F38E5

loc_5412FD:				; CODE XREF: LdrpGetImageSize+B2645j
		mov	esi, [eax+50h]
		jmp	short loc_5412DF
; 

loc_541302:				; CODE XREF: LdrpGetImageSize+2Fj
		mov	esi, [eax+20h]
		jmp	short loc_5412DF
; 

loc_541307:				; CODE XREF: LdrpGetImageSize+1Fj
					; LdrpGetImageSize+B263Fj
		mov	edi, 0C000007Bh
		jmp	short loc_5412DF
LdrpGetImageSize endp


;  S U B	R O U T	I N E 


; __stdcall LdrpKrnGetDataTableEntry(x)
_LdrpKrnGetDataTableEntry@4 proc near	; CODE XREF: LdrpGetImageSize+28p
					; LdrLoadAlternateResourceModuleEx+F0p	...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, large fs:124h
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		test	esi, esi
		jz	short loc_541375
		dec	word ptr [esi+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceSharedLite
		mov	ecx, _PsLoadedModuleList
		test	ecx, ecx
		jz	short loc_541375

loc_541340:				; CODE XREF: LdrpKrnGetDataTableEntry(x)+41j
		mov	edx, [ecx+18h]
		cmp	ebx, edx
		jnb	short loc_541368

loc_541347:				; CODE XREF: LdrpKrnGetDataTableEntry(x)+61j
		mov	ecx, [ecx]
		cmp	ecx, offset _PsLoadedModuleList
		jnz	short loc_541340

loc_541351:				; CODE XREF: LdrpKrnGetDataTableEntry(x)+65j
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, esi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi

loc_541364:				; CODE XREF: LdrpKrnGetDataTableEntry(x)+69j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_541368:				; CODE XREF: LdrpKrnGetDataTableEntry(x)+37j
		mov	eax, [ecx+20h]
		add	eax, edx
		cmp	ebx, eax
		jnb	short loc_541347
		mov	edi, ecx
		jmp	short loc_541351
; 

loc_541375:				; CODE XREF: LdrpKrnGetDataTableEntry(x)+12j
					; LdrpKrnGetDataTableEntry(x)+30j
		xor	eax, eax
		jmp	short loc_541364
_LdrpKrnGetDataTableEntry@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAddressInSectionTable(x,	x, x)
_RtlAddressInSectionTable@12 proc near	; CODE XREF: RtlpImageDirectoryEntryToData32(x,x,x,x,x,x)+62p
					; RtlpImageDirectoryEntryToData64(x,x,x,x,x,x)+5Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_0]
		mov	esi, edx
		call	RtlSectionTableFromVirtualAddress
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_5413AF
		mov	eax, [ecx+14h]
		sub	eax, [ecx+0Ch]
		add	eax, esi
		add	eax, [ebp+arg_0]
		nop
		mov	ecx, ds:_MmHighestUserAddress
		cmp	esi, ecx
		jb	short loc_5413AB

loc_5413A6:				; CODE XREF: RtlAddressInSectionTable(x,x,x)+33j
					; RtlAddressInSectionTable(x,x,x)+37j
		pop	esi
		pop	ebp
		retn	4
; 

loc_5413AB:				; CODE XREF: RtlAddressInSectionTable(x,x,x)+2Aj
		cmp	eax, ecx
		jb	short loc_5413A6

loc_5413AF:				; CODE XREF: RtlAddressInSectionTable(x,x,x)+14j
		xor	eax, eax
		jmp	short loc_5413A6
_RtlAddressInSectionTable@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlSectionTableFromVirtualAddress proc near ; CODE XREF: RtlAddressInSectionTable(x,x,x)+Bp
					; KiShadowProcessorAllocation+8Ap ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F38F8 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ax, [ecx+14h]
		lea	edx, [ecx+18h]
		push	esi
		movzx	esi, word ptr [ecx+6]
		movzx	eax, ax
		push	edi
		mov	edi, ds:_MmHighestUserAddress
		add	edx, eax
		cmp	ecx, edi
		jbe	loc_5F38F8

loc_5413D9:				; CODE XREF: RtlSectionTableFromVirtualAddress+B2561j
		xor	ecx, ecx
		test	esi, esi
		jz	short loc_5413F9

loc_5413DF:				; CODE XREF: RtlSectionTableFromVirtualAddress+43j
		mov	edi, [edx+0Ch]
		cmp	[ebp+arg_0], edi
		jb	short loc_5413F1
		mov	eax, [edx+10h]
		add	eax, edi
		cmp	[ebp+arg_0], eax
		jb	short loc_5413FD

loc_5413F1:				; CODE XREF: RtlSectionTableFromVirtualAddress+31j
		add	edx, 28h
		inc	ecx
		cmp	ecx, esi
		jb	short loc_5413DF

loc_5413F9:				; CODE XREF: RtlSectionTableFromVirtualAddress+29j
					; RtlSectionTableFromVirtualAddress+B2546j ...
		xor	eax, eax
		jmp	short loc_5413FF
; 

loc_5413FD:				; CODE XREF: RtlSectionTableFromVirtualAddress+3Bj
		mov	eax, edx

loc_5413FF:				; CODE XREF: RtlSectionTableFromVirtualAddress+47j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
RtlSectionTableFromVirtualAddress endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrIsResItemExist(x, x, x, x)
_LdrIsResItemExist@16 proc near		; CODE XREF: LdrpResSearchResourceMappedFile+4CDp
					; LdrpSearchResourceSection_U(x,x,x,x,x)+1A9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	1
		push	1
		mov	edi, edx
		call	LdrpGetRcConfig
		mov	esi, eax
		test	esi, esi
		jz	short loc_541461
		mov	edx, [edi]
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		mov	ecx, esi
		call	LdrRscIsTypeExist
		test	eax, eax
		js	short loc_541453
		test	dword ptr [esi+14h], 100h
		mov	eax, [ebp+var_4]
		jnz	short loc_54145A

loc_541442:				; CODE XREF: LdrIsResItemExist(x,x,x,x)+59j
		test	byte ptr [esi+10h], 10h
		jz	short loc_54144D
		or	eax, 200000h

loc_54144D:				; CODE XREF: LdrIsResItemExist(x,x,x,x)+40j
					; LdrIsResItemExist(x,x,x,x)+52j ...
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_541453:				; CODE XREF: LdrIsResItemExist(x,x,x,x)+2Ej
		mov	eax, 60000h
		jmp	short loc_54144D
; 

loc_54145A:				; CODE XREF: LdrIsResItemExist(x,x,x,x)+3Aj
		or	eax, 100000h
		jmp	short loc_541442
; 

loc_541461:				; CODE XREF: LdrIsResItemExist(x,x,x,x)+1Cj
		mov	eax, 80000h
		jmp	short loc_54144D
_LdrIsResItemExist@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrRscIsTypeExist proc near		; CODE XREF: LdrIsResItemExist(x,x,x,x)+27p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F391A SIZE 000000F8 BYTES
; FUNCTION CHUNK AT 005F3A2B SIZE 0000000A BYTES

		push	30h
		push	offset dword_6A70E8
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_1C], eax
		mov	esi, ecx
		xor	ebx, ebx
		test	esi, esi
		jz	loc_5F3A2B
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_5F3A2B
		mov	[ebp+ms_exc.disabled], ebx
		cmp	eax, 10000h
		jnb	loc_5F391A
		mov	ecx, [esi+60h]
		shr	ecx, 2
		mov	[ebp+var_30], ecx
		mov	edx, [esi+5Ch]
		add	edx, esi
		mov	[ebp+var_34], edx

loc_5414AF:				; CODE XREF: LdrRscIsTypeExist+5Cj
		sub	ecx, 1
		mov	[ebp+var_30], ecx
		js	short loc_5414C6
		sub	eax, [edx]
		add	edx, 4
		mov	[ebp+var_34], edx
		test	eax, eax
		mov	eax, [ebp+var_1C]
		jnz	short loc_5414AF

loc_5414C6:				; CODE XREF: LdrRscIsTypeExist+4Dj
		test	ecx, ecx
		js	short loc_541513

loc_5414CA:				; CODE XREF: LdrRscIsTypeExist+B1j
		mov	ecx, [esi+70h]
		shr	ecx, 2
		mov	[ebp+var_38], ecx
		mov	edx, [esi+6Ch]
		add	edx, esi
		mov	[ebp+var_3C], edx

loc_5414DB:				; CODE XREF: LdrRscIsTypeExist+A9j
		sub	ecx, 1
		mov	[ebp+var_38], ecx
		js	short loc_5414EF
		sub	eax, [edx]
		add	edx, 4
		mov	[ebp+var_3C], edx
		test	eax, eax
		jnz	short loc_54150E

loc_5414EF:				; CODE XREF: LdrRscIsTypeExist+79j
		test	ecx, ecx
		js	short loc_54151B

loc_5414F3:				; CODE XREF: LdrRscIsTypeExist+B9j
					; LdrRscIsTypeExist+B259Fj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ebx

loc_5414FC:				; CODE XREF: LdrRscIsTypeExist+B25C8j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_54150E:				; CODE XREF: LdrRscIsTypeExist+85j
		mov	eax, [ebp+var_1C]
		jmp	short loc_5414DB
; 

loc_541513:				; CODE XREF: LdrRscIsTypeExist+60j
		or	dword ptr [edi], 40000h
		jmp	short loc_5414CA
; 

loc_54151B:				; CODE XREF: LdrRscIsTypeExist+89j
					; LdrRscIsTypeExist+B25A5j
		or	dword ptr [edi], 20000h
		jmp	short loc_5414F3
LdrRscIsTypeExist endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpGetRcConfig	proc near		; CODE XREF: LdrIsResItemExist(x,x,x,x)+13p
					; LdrpVerifyAlternateResourceModuleEx+24p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005F3A35 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		or	ebx, 0FFFFFFFFh
		cmp	[ebp+arg_4], 0
		push	edi
		mov	edi, ecx
		jz	short loc_54157B
		push	8
		push	0
		xor	edx, edx
		call	LdrpGetFromMUIMemCache
		mov	esi, eax
		mov	[ebp+var_14], esi
		cmp	esi, ebx
		jz	loc_5F3A35
		test	esi, esi
		jz	short loc_54157B

loc_541568:				; CODE XREF: LdrpGetRcConfig+ABj
					; LdrpGetRcConfig+C6j
		mov	eax, esi

loc_54156A:				; CODE XREF: LdrpGetRcConfig+B2513j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_54157B:				; CODE XREF: LdrpGetRcConfig+26j
					; LdrpGetRcConfig+42j
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_18]
		push	eax
		push	2000030h
		push	3
		lea	edx, [ebp+var_10]
		mov	[ebp+var_10], (offset off_5A5428+2)
		mov	ecx, edi
		mov	[ebp+var_C], 1
		call	_LdrpSearchResourceSection_U@20	; LdrpSearchResourceSection_U(x,x,x,x,x)
		test	eax, eax
		js	short loc_5415EF
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_14]
		mov	ecx, edi
		push	eax
		call	LdrpAccessResourceDataNoMultipleLanguage
		test	eax, eax
		js	short loc_5415EF
		mov	esi, [ebp+var_14]
		cmp	dword ptr [esi], 0FECDFECDh
		jnz	loc_5F3A3C

loc_5415CB:				; CODE XREF: LdrpGetRcConfig+CDj
		cmp	[ebp+arg_0], 0
		jz	short loc_541568
		test	esi, esi
		jz	short loc_5415D7
		mov	ebx, esi

loc_5415D7:				; CODE XREF: LdrpGetRcConfig+AFj
		push	0
		push	eax
		push	2
		push	0
		push	ebx
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	LdrpSetAlternateResourceModuleHandle
		jmp	loc_541568
; 

loc_5415EF:				; CODE XREF: LdrpGetRcConfig+80j
					; LdrpGetRcConfig+96j ...
		xor	esi, esi
		jmp	short loc_5415CB
LdrpGetRcConfig	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpLoadResourceFromAlternativeModule proc near
					; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+259p
					; LdrpSearchResourceSection_U(x,x,x,x,x)+418p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F3A46 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		cmp	[ebp+arg_0], 4
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ebx
		jnz	loc_5F3A46

loc_54160D:				; CODE XREF: LdrpLoadResourceFromAlternativeModule+B2456j
		test	[ebp+arg_4], 1000000h
		push	edi
		mov	edi, 0F2EEh
		jnz	short loc_541620
		movzx	edi, word ptr [esi+8]

loc_541620:				; CODE XREF: LdrpLoadResourceFromAlternativeModule+26j
		push	[ebp+arg_4]
		lea	eax, [ebp+arg_0]
		mov	[ebp+arg_0], ebx
		push	eax
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		call	LdrLoadAlternateResourceModuleEx
		test	eax, eax
		jns	short loc_54164E
		cmp	eax, 0C000003Ah
		jz	short loc_54168A
		cmp	eax, 0C0000034h
		jz	short loc_54168A

loc_541647:				; CODE XREF: LdrpLoadResourceFromAlternativeModule+79j
					; LdrpLoadResourceFromAlternativeModule+7Dj ...
		pop	edi

loc_541648:				; CODE XREF: LdrpLoadResourceFromAlternativeModule+B2461j
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_54164E:				; CODE XREF: LdrpLoadResourceFromAlternativeModule+43j
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		movzx	eax, di
		mov	edi, [ebp+arg_8]
		push	edi
		push	2000030h
		push	3
		mov	[esi+8], eax
		call	_LdrpSearchResourceSection_U@20	; LdrpSearchResourceSection_U(x,x,x,x,x)
		test	byte ptr [ebp+arg_4], 40h
		jz	short loc_541647
		test	eax, eax
		js	short loc_541647
		mov	edx, [edi]
		mov	ecx, [ebp+var_4]
		push	ebx
		push	dword ptr [esi+0Ch]
		push	ebx
		call	LdrpFindMessageInAlternateModule
		test	eax, eax
		jns	short loc_541647
		mov	[edi], ebx
		jmp	short loc_541647
; 

loc_54168A:				; CODE XREF: LdrpLoadResourceFromAlternativeModule+4Aj
					; LdrpLoadResourceFromAlternativeModule+51j
		mov	eax, 0C00B0001h
		jmp	short loc_541647
LdrpLoadResourceFromAlternativeModule endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrLoadAlternateResourceModuleEx proc near ; CODE XREF:	LdrpResSearchResourceMappedFile+35Dp
					; LdrpLoadResourceFromAlternativeModule+3Cp ...

var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2EC		= dword	ptr -2ECh
var_2E8		= dword	ptr -2E8h
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_C8		= word ptr -0C8h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F3A79 SIZE 0000002E BYTES
; FUNCTION CHUNK AT 005F3AC9 SIZE 0000000A BYTES

		push	2FCh
		push	offset dword_6A7128
		call	__SEH_prolog4_GS
		mov	edi, ecx
		mov	[ebp+var_2E0], edi
		movzx	eax, dx
		mov	[ebp+var_2E8], eax
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_2F4], ebx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_2F8], eax
		xor	esi, esi
		mov	[ebp+var_2E4], esi
		mov	[ebp+var_2DC], esi
		mov	[ebp+var_2F0], esi
		mov	[ebp+var_2EC], esi
		push	0AAh		; size_t
		push	esi		; int
		lea	eax, [ebp+var_C8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_2D8], esi
		test	edi, edi
		jz	loc_5F3AC9
		mov	eax, [ebp+var_2E8]
		test	ax, ax
		jz	loc_5F3AC9
		test	ebx, ebx
		jz	loc_5F3AC9
		push	4
		lea	ecx, [ebp+var_2D8]
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	LdrpGetFromMUIMemCache
		mov	edi, eax
		mov	[ebp+var_2D4], edi
		cmp	edi, 0FFFFFFFFh
		jz	short loc_541773
		test	edi, edi
		jz	short loc_54177C
		mov	[ebp+ms_exc.disabled], esi
		mov	[ebx], edi
		mov	ecx, [ebp+var_2F8]
		test	ecx, ecx
		jz	short loc_541752
		mov	eax, [ebp+var_2D8]
		mov	[ecx], eax

loc_541752:				; CODE XREF: LdrLoadAlternateResourceModuleEx+B6j
					; sub_5F3A6B+9j
		mov	[ebp+var_300], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi

loc_541761:				; CODE XREF: LdrLoadAlternateResourceModuleEx+E8j
					; LdrLoadAlternateResourceModuleEx+22Aj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_541773:				; CODE XREF: LdrLoadAlternateResourceModuleEx+A3j
		mov	[ebx], esi
		mov	eax, 0C00B0006h
		jmp	short loc_541761
; 

loc_54177C:				; CODE XREF: LdrLoadAlternateResourceModuleEx+A7j
		mov	ecx, [ebp+var_2E0]
		call	_LdrpKrnGetDataTableEntry@4 ; LdrpKrnGetDataTableEntry(x)
		mov	ebx, eax
		mov	[ebp+var_308], ebx
		test	ebx, ebx
		jz	loc_5418FC
		lea	eax, [ebp+var_2D0]
		mov	[ebp+var_2EC], eax
		mov	[ebp+var_2F0], 2080000h
		mov	eax, [ebp+arg_8]
		and	eax, 1000000h
		mov	[ebp+var_304], eax
		jnz	short loc_5417E8
		push	2
		push	55h
		lea	edx, [ebp+var_C8]
		mov	ebx, [ebp+var_2E8]
		mov	ecx, ebx
		call	DownLevelLangIDToLanguageName
		test	eax, eax
		jz	loc_5418E7
		mov	eax, [ebp+var_304]
		mov	ebx, [ebp+var_308]

loc_5417E8:				; CODE XREF: LdrLoadAlternateResourceModuleEx+129j
		test	eax, eax
		mov	ecx, offset ??_C@_19IGBJANMC@?$AA?4?$AAm?$AAu?$AAn@FNODOBFM@ ; ".mun"
		jnz	short loc_5417F6
		mov	ecx, offset ??_C@_19BLMODFHL@?$AA?4?$AAm?$AAu?$AAi@FNODOBFM@ ; "."

loc_5417F6:				; CODE XREF: LdrLoadAlternateResourceModuleEx+15Dj
		lea	edx, [ebp+var_2F0]
		push	edx
		lea	edx, [ebp+var_C8]
		push	edx
		push	ecx
		test	eax, eax
		setnz	dl
		mov	ecx, ebx
		call	LdrpGetResourceFileName
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_541873
		lea	eax, [ebp+var_2D8]
		push	eax
		lea	eax, [ebp+var_2E4]
		push	eax
		lea	eax, [ebp+var_2DC]
		push	eax
		lea	edx, [ebp+var_2F0]
		mov	ecx, [ebp+var_2E0]
		call	LdrpMapResourceFile
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_541873
		mov	edi, [ebp+var_2E4]
		or	edi, 1
		mov	[ebp+var_2D4], edi
		push	ecx		; int
		push	[ebp+arg_8]	; int
		lea	eax, [ebp+var_C8]
		push	eax		; wchar_t *
		push	ecx		; int
		mov	edx, edi
		mov	ecx, [ebp+var_2E0]
		call	LdrpVerifyAlternateResourceModuleEx
		test	al, al
		jz	loc_5F3A79

loc_541873:				; CODE XREF: LdrLoadAlternateResourceModuleEx+183j
					; LdrLoadAlternateResourceModuleEx+1AFj ...
		test	edi, edi
		jnz	short loc_54187E
		or	[ebp+var_2D4], 0FFFFFFFFh

loc_54187E:				; CODE XREF: LdrLoadAlternateResourceModuleEx+1E3j
		mov	edi, [ebp+var_2D8]
		push	edi
		push	ebx
		push	1
		push	[ebp+var_2E8]
		push	esi
		lea	eax, [ebp+var_2DC]
		push	eax
		lea	edx, [ebp+var_2D4]
		mov	ecx, [ebp+var_2E0]
		call	LdrpSetAlternateResourceModuleHandle
		mov	ecx, [ebp+var_2D4]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_5418C1
		mov	eax, [ebp+var_2F4]
		mov	[eax], esi

loc_5418BA:				; CODE XREF: LdrLoadAlternateResourceModuleEx+253j
		mov	eax, ebx
		jmp	loc_541761
; 

loc_5418C1:				; CODE XREF: LdrLoadAlternateResourceModuleEx+21Ej
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_2F4]
		mov	[eax], ecx
		mov	eax, [ebp+var_2F8]
		test	eax, eax
		jz	short loc_5418DC
		mov	[eax], edi

loc_5418DC:				; CODE XREF: LdrLoadAlternateResourceModuleEx+246j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_5418E3:				; CODE XREF: sub_5F3AB8+Cj
		mov	ebx, esi
		jmp	short loc_5418BA
; 

loc_5418E7:				; CODE XREF: LdrLoadAlternateResourceModuleEx+144j
		movzx	eax, bx
		push	eax		; char
		push	offset ??_C@_0CE@CLNABMMP@LDR?3?5No?5Locale?5name?5for?5LangId?5@FNODOBFM@ ; "LDR: No Locale name for LangId %d	\n"
		push	1		; int
		push	55h		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_5418FC:				; CODE XREF: LdrLoadAlternateResourceModuleEx+FFj
		mov	ebx, 0C00B0001h
		jmp	loc_541873
LdrLoadAlternateResourceModuleEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpGetFromMUIMemCache proc near	; CODE XREF: LdrpGetRcConfig+2Ep
					; LdrLoadAlternateResourceModuleEx+93p	...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 00541A4B SIZE 0000000D BYTES
; FUNCTION CHUNK AT 005F3AD3 SIZE 0000001F BYTES

		push	20h
		push	offset dword_6A7150
		call	__SEH_prolog4
		mov	[ebp+var_1C], dx
		mov	[ebp+var_24], ecx
		xor	ebx, ebx
		mov	esi, ebx
		mov	[ebp+var_20], esi
		mov	al, bl
		mov	[ebp+var_19], al
		mov	[ebp+var_1A], al
		test	[ebp+arg_4], 0Ch
		jz	loc_541A54
		test	dword ptr [ebp+arg_4], 0FFFFFFF3h
		jnz	loc_541A54
		test	[ebp+arg_4], 4
		jz	short loc_54194E
		test	dx, dx
		jz	loc_541A54

loc_54194E:				; CODE XREF: LdrpGetFromMUIMemCache+3Dj
		and	ecx, 0FFFFFFFCh
		push	ecx
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	loc_541A54
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_54196B
		mov	[eax], ebx

loc_54196B:				; CODE XREF: LdrpGetFromMUIMemCache+61j
		call	LdrpInitMuiCrits
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _MuiMutex
		call	KeWaitForSingleObject
		mov	[ebp+ms_exc.disabled], ebx
		mov	edi, _AlternateResourceModuleCount
		dec	edi

loc_541988:				; CODE XREF: LdrpGetFromMUIMemCache+111j
		mov	eax, edi
		mov	[ebp+var_2C], edi
		test	eax, eax
		js	short loc_5419E7
		mov	ecx, edi
		shl	ecx, 5
		mov	edx, _AlternateResourceModules
		mov	eax, [ebp+var_24]
		cmp	[ecx+edx+4], eax
		jnz	short loc_541A16
		mov	eax, [ecx+edx+0Ch]
		mov	esi, [ebp+var_28]
		cmp	eax, [esi+58h]
		mov	esi, [ebp+var_20]
		jnz	loc_5F3AD3
		test	[ebp+arg_4], 8
		jnz	short loc_541A10
		test	[ebp+arg_4], 4
		jz	short loc_541A16
		mov	ax, [ebp+var_1C]
		test	ax, ax
		jz	short loc_541A16
		cmp	[ecx+edx], ax
		jnz	short loc_541A16
		mov	esi, [ecx+edx+10h]
		mov	[ebp+var_20], esi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_5419E7
		mov	eax, [ecx+edx+18h]
		mov	[edi], eax

loc_5419E7:				; CODE XREF: LdrpGetFromMUIMemCache+89j
					; LdrpGetFromMUIMemCache+D9j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_24]
		call	sub_541A3C
		cmp	[ebp+var_19], 0
		jnz	short loc_541A4B

loc_5419FC:				; CODE XREF: LdrpGetFromMUIMemCache+14Cj
		mov	eax, esi

loc_5419FE:				; CODE XREF: LdrpGetFromMUIMemCache+150j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_541A10:				; CODE XREF: LdrpGetFromMUIMemCache+B6j
		cmp	[ecx+edx+8], ebx
		jnz	short loc_541A1C

loc_541A16:				; CODE XREF: LdrpGetFromMUIMemCache+9Dj
					; LdrpGetFromMUIMemCache+BCj ...
		dec	edi
		jmp	loc_541988
; 

loc_541A1C:				; CODE XREF: LdrpGetFromMUIMemCache+10Ej
		lfence	eax
		mov	esi, [ecx+edx+8]
		mov	[ebp+var_20], esi
		cmp	esi, 0FFFFFFFFh
		jz	short loc_5419E7
		test	esi, esi
		jz	short loc_5419E7
		cmp	dword ptr [esi], 0FECDFECDh
		jz	short loc_5419E7
		jmp	loc_5F3AE0
LdrpGetFromMUIMemCache endp


;  S U B	R O U T	I N E 


sub_541A3C	proc near		; CODE XREF: LdrpGetFromMUIMemCache+EBp
					; sub_5F3AF2+Ej
		push	ebx
		push	ebx
		push	1
		push	offset _MuiMutex
		call	KeReleaseMutant
		retn
sub_541A3C	endp

; 
; START	OF FUNCTION CHUNK FOR LdrpGetFromMUIMemCache

loc_541A4B:				; CODE XREF: LdrpGetFromMUIMemCache+F4j
		mov	ecx, edi
		call	LdrUnloadAlternateResourceModuleEx
		jmp	short loc_5419FC
; 

loc_541A54:				; CODE XREF: LdrpGetFromMUIMemCache+26j
					; LdrpGetFromMUIMemCache+33j ...
		xor	eax, eax
		jmp	short loc_5419FE
; END OF FUNCTION CHUNK	FOR LdrpGetFromMUIMemCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpInitMuiCrits proc near		; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+17p
					; LdrpGetFromMUIMemCache:loc_54196Bp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F3B05 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		or	[esp+8+var_4], 0FFFFFFFFh
		mov	[esp+8+var_8], 0FFF0BDC0h

loc_541A6E:				; CODE XREF: LdrpInitMuiCrits+3Cj
		xor	ecx, ecx
		mov	edx, offset _MuiLockInitCount
		inc	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_541A9A
		cmp	_MuiLockInitCount, 1
		jz	loc_5F3B05

loc_541A8D:				; CODE XREF: LdrpInitMuiCrits+B20B8j
		cmp	_MuiLockInitCount, 2
		jnz	short loc_541A6E

loc_541A96:				; CODE XREF: LdrpInitMuiCrits+5Cj
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_541A9A:				; CODE XREF: LdrpInitMuiCrits+26j
		push	0
		push	1
		xor	dl, dl
		mov	ecx, offset _MuiMutex
		call	KiInitializeMutant
		mov	_MuiLockInitCount, 2
		jmp	short loc_541A96
LdrpInitMuiCrits endp

; 

; __stdcall PoInitializeStopWatch(x, x)
_PoInitializeStopWatch@8:		; CODE XREF: PopGetStopWatchByRequestType(x,x,x):loc_842F30p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		xor	eax, eax
		push	0Ah
		mov	edi, esi
		pop	ecx
		rep stosd
		mov	[esi], edx
		add	esi, 4
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_541ADE
		mov	[esi], eax
		mov	[esi+4], edx
		mov	[eax+4], esi
		pop	edi
		mov	[edx], esi
		pop	esi
		retn
; 

loc_541ADE:				; CODE XREF: .text:00541ACFj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 8
; Exported entry 1174. KeInitializeMutex

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeMutex(x, x)
		public _KeInitializeMutex@8
_KeInitializeMutex@8 proc near		; CODE XREF: EtwpInitLoggerContext+192p
					; KeAllocateCalloutStackEx+CBp	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	dl, dl
		push	0
		push	1
		call	KiInitializeMutant
		pop	ebp
		retn	8
_KeInitializeMutex@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeMutantEx(x, x, x)
_KeInitializeMutantEx@12 proc near	; CODE XREF: NtCreateMutant(x,x,x,x)+E7p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		push	0
		call	KiInitializeMutant
		pop	ebp
		retn	4
_KeInitializeMutantEx@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInitializeMutant proc	near		; CODE XREF: LdrpInitMuiCrits+4Dp
					; KeInitializeMutex(x,x)+Ep ...

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005F3B15 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_2], dl
		push	8
		xor	eax, eax
		mov	edi, esi
		pop	ecx
		rep stosd
		mov	byte ptr [esi],	2
		test	dl, dl
		jnz	short loc_541B5E
		mov	dword ptr [esi+4], 1

loc_541B3B:				; CODE XREF: KiInitializeMutant+9Bj
		lea	eax, [esi+8]
		mov	[eax+4], eax
		mov	[eax], eax
		and	byte ptr [esi+1Ch], 0FEh
		test	[ebp+arg_4], 1
		mov	al, [ebp+arg_0]
		mov	[esi+1Dh], al
		jnz	loc_5F3B28

loc_541B57:				; CODE XREF: KiInitializeMutant+B201Aj
					; KiInitializeMutant+B202Dj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_541B5E:				; CODE XREF: KiInitializeMutant+1Ej
		mov	ebx, large fs:124h
		mov	[esi+18h], ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_8], 0
		lea	edi, [ebx+2Ch]
		mov	[ebp+var_1], al

loc_541B78:				; CODE XREF: KiInitializeMutant+B200Fj
		lock bts dword ptr [edi], 0
		jb	loc_5F3B15
		lea	ecx, [ebx+1DCh]
		mov	edx, [ecx+4]
		lea	eax, [esi+10h]
		cmp	[edx], ecx
		jnz	short loc_541BB1
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		mov	cl, [ebp+var_1]
		mov	dword ptr [edi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	dl, [ebp+var_2]
		jmp	short loc_541B3B
; 

loc_541BB1:				; CODE XREF: KiInitializeMutant+7Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PiUEventEstimateRequiredClientBufferSize(x)
_PiUEventEstimateRequiredClientBufferSize@4:
					; CODE XREF: PiUEventNotifyClientPendingEvent(x)+13p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+48h]
		mov	ecx, 1040h
		and	dword ptr [ebp-4], 0
		mul	ecx
		lea	ecx, [ebp-4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_541BDD
		mov	eax, [ebp-4]
		leave
		retn
; 

loc_541BDD:				; CODE XREF: KiInitializeMutant+C2j
		or	eax, 0FFFFFFFFh
		leave
		retn
KiInitializeMutant endp


;  S U B	R O U T	I N E 


; __stdcall PnpIsSafeToExamineUserModeTeb()
_PnpIsSafeToExamineUserModeTeb@0 proc near ; CODE XREF:	PnpRequestDeviceAction+E4p
					; IopInitActivityIdIrp(x):loc_60A516p ...
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		test	al, al
		jnz	short loc_541C16
		push	esi
		mov	esi, large fs:124h
		cmp	byte ptr [esi+15Ah], 1
		jz	short loc_541C00

loc_541BFC:				; CODE XREF: PnpIsSafeToExamineUserModeTeb()+25j
					; PnpIsSafeToExamineUserModeTeb()+2Ej
		xor	al, al
		pop	esi
		retn
; 

loc_541C00:				; CODE XREF: PnpIsSafeToExamineUserModeTeb()+18j
		call	_KeAreAllApcsDisabled@0	; KeAreAllApcsDisabled()
		test	al, al
		jnz	short loc_541BFC
		cmp	byte ptr [esi+30Ah], 1
		ja	short loc_541BFC
		inc	al
		pop	esi
		retn
; 

loc_541C16:				; CODE XREF: PnpIsSafeToExamineUserModeTeb()+7j
		xor	al, al
		retn
_PnpIsSafeToExamineUserModeTeb@0 endp

; 
		align 10h
; Exported entry 839. IoGetActivityIdThread

;  S U B	R O U T	I N E 


; __stdcall IoGetActivityIdThread()
		public _IoGetActivityIdThread@0
_IoGetActivityIdThread@0 proc near	; CODE XREF: PnpInsertEventInQueue+24p
					; IopMountVolume:loc_8EAF8Bp ...
		mov	eax, large fs:124h
		mov	eax, [eax+35Ch]
		retn
_IoGetActivityIdThread@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiUEventHashStringIntoBucket(x)
_PiUEventHashStringIntoBucket@4	proc near ; CODE XREF: PiUEventHandleRegistration+206p
					; PiUEventNotifyTargetDeviceChange+C3p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		xor	esi, esi
		lea	eax, [ebp+var_C]
		push	ecx
		push	eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	1
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlHashUnicodeString
		mov	eax, [ebp+var_4]
		xor	edx, edx
		push	0Dh
		pop	ecx
		div	ecx
		pop	esi
		mov	eax, edx
		leave
		retn
_PiUEventHashStringIntoBucket@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDiagnosticTraceObject(x,	x)
_PnpDiagnosticTraceObject@8 proc near	; CODE XREF: PnpDeviceCompletionRoutine(x,x,x)+4Bp
					; PiDrvDbLoadNodeWorkerCallback+35p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, _PnpEtwHandle
		mov	ebx, ecx
		push	edi
		mov	edi, dword_6D4DF4
		mov	eax, esi
		or	eax, edi
		mov	[ebp+var_28], edx
		jz	short loc_541CFC
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_541CFC
		mov	edx, [ebp+var_28]
		and	[ebp+var_20], 0
		and	[ebp+var_18], 0
		mov	[ebp+var_1C], 2
		movzx	ecx, word ptr [edx]
		mov	ax, cx
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], eax
		mov	eax, [edx+4]
		xor	edx, edx
		mov	[ebp+var_14], eax
		mov	eax, ecx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_541CED:				; CODE XREF: PnpDiagnosticTraceObject(x,x)+92j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_541CFC:				; CODE XREF: PnpDiagnosticTraceObject(x,x)+2Aj
					; PnpDiagnosticTraceObject(x,x)+36j
		xor	eax, eax
		jmp	short loc_541CED
_PnpDiagnosticTraceObject@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDrvDbUnloadNodeReset proc near	; CODE XREF: PiDrvDbUnloadNodeWorkerCallback(x)+Cp

; FUNCTION CHUNK AT 005F4D48 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [esi+0E8h]
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	byte ptr [esi+0ECh], 0
		test	ds:byte_70EFC6,	1
		jnz	loc_5F4D48
		xor	eax, eax
		lock and [edi],	eax

loc_541D38:				; CODE XREF: PiDrvDbUnloadNodeReset+B3052j
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
PiDrvDbUnloadNodeReset endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbUnloadNodeWaitWorkerCallback(x)
_PiDrvDbUnloadNodeWaitWorkerCallback@4 proc near
					; DATA XREF: PiDrvDbUnloadNodeWorkerCallback(x)+74o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	0
		push	0
		push	dword ptr [esi+100h]
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		mov	ecx, large fs:124h
		mov	ebx, eax
		dec	word ptr [ecx+13Ch]
		nop
		push	1
		lea	edi, [esi+2Ch]
		push	edi
		call	ExAcquireResourceExclusiveLite
		cmp	byte ptr [esi+111h], 0
		jnz	short loc_541DA6
		push	ebx
		lea	edx, [esi+8]
		mov	byte ptr [esi+111h], 1
		mov	ecx, offset _KMPnPEvt_DriverDatabaseUnload_Stop
		call	_PnpDiagnosticTraceObjectWithStatus@12 ; PnpDiagnosticTraceObjectWithStatus(x,x,x)
		push	ebx
		lea	edx, [esi+8]
		mov	ecx, offset _KMPnPEvt_DriverDatabaseLoaded_Stop
		call	_PnpDiagnosticTraceObjectWithStatus@12 ; PnpDiagnosticTraceObjectWithStatus(x,x,x)

loc_541DA6:				; CODE XREF: PiDrvDbUnloadNodeWaitWorkerCallback(x)+3Dj
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PiDrvDbUnloadNodeWaitWorkerCallback@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDiagnosticTraceObjectWithStatus(x, x, x)
_PnpDiagnosticTraceObjectWithStatus@12 proc near
					; CODE XREF: PiDrvDbUnloadNodeWaitWorkerCallback(x)+4Fp
					; PiDrvDbUnloadNodeWaitWorkerCallback(x)+5Dp ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, _PnpEtwHandle
		mov	ebx, ecx
		push	edi
		mov	edi, dword_6D4DF4
		mov	eax, esi
		or	eax, edi
		mov	[ebp+var_38], edx
		jz	short loc_541E65
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_541E65
		mov	edx, [ebp+var_38]
		and	[ebp+var_30], 0
		and	[ebp+var_28], 0
		mov	[ebp+var_2C], 2
		movzx	ecx, word ptr [edx]
		mov	ax, cx
		mov	[ebp+var_C], 4
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_34], eax
		mov	eax, [edx+4]
		xor	edx, edx
		mov	[ebp+var_24], eax
		mov	eax, ecx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_541E54:				; CODE XREF: PnpDiagnosticTraceObjectWithStatus(x,x,x)+A7j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_541E65:				; CODE XREF: PnpDiagnosticTraceObjectWithStatus(x,x,x)+2Aj
					; PnpDiagnosticTraceObjectWithStatus(x,x,x)+36j
		xor	eax, eax
		jmp	short loc_541E54
_PnpDiagnosticTraceObjectWithStatus@12 endp

; 
		align 2
; Exported entry 1206. KeNotifyProcessorFreezeSupported

;  S U B	R O U T	I N E 


; __fastcall SymCryptFatalIntercept(x)
		public @SymCryptFatalIntercept@4
@SymCryptFatalIntercept@4 proc near	; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+107Dp
					; KeResumeClockTimerFromIdle:loc_48CDAFp ...
		retn	0
@SymCryptFatalIntercept@4 endp

; 
		align 2
; Exported entry 1458. MmProtectDriverSection

;  S U B	R O U T	I N E 


; __stdcall MmProtectDriverSection(x, x, x)
		public _MmProtectDriverSection@12
_MmProtectDriverSection@12 proc	near	; CODE XREF: KiIntSteerSetDestination(x,x)+52p
					; EtwpTraceLastBranchRecord(x,x,x,x)+F6p
					; DATA XREF: ...
		mov	eax, 0C00000BBh
		retn	0Ch
_MmProtectDriverSection@12 endp


;  S U B	R O U T	I N E 


; __stdcall xHalConvertPerformanceCounterToAuxiliaryCounter(x, x, x, x)
_xHalConvertPerformanceCounterToAuxiliaryCounter@16 proc near
					; CODE XREF: KeConvertAuxiliaryCounterToPerformanceCounter(x,x,x,x)+11p
					; KeConvertPerformanceCounterToAuxiliaryCounter(x,x,x,x)+11p ...
		mov	eax, 0C0000002h
		retn	10h
_xHalConvertPerformanceCounterToAuxiliaryCounter@16 endp


;  S U B	R O U T	I N E 


; __stdcall ext_ms_win_fs_clfs_l1_1_0_ClfsReadNextLogRecord(x, x, x, x,	x, x, x, x)
_ext_ms_win_fs_clfs_l1_1_0_ClfsReadNextLogRecord@32 proc near ;	DATA XREF: .data:006B127Co
		mov	eax, 0C00000BBh
		retn	20h
_ext_ms_win_fs_clfs_l1_1_0_ClfsReadNextLogRecord@32 endp

; Exported entry 331. ExCleanupRundownProtectionCacheAware
; Exported entry 1288. KeSetDmaIoCoherency
; Exported entry 1734. PoStartNextPowerIrp

;  S U B	R O U T	I N E 


; __stdcall KeSetDmaIoCoherency(x)
		public _KeSetDmaIoCoherency@4
_KeSetDmaIoCoherency@4 proc near	; CODE XREF: KiResumeClockTimer+69p
					; KeBugCheck2(x,x,x,x,x,x)+46Cp ...
		retn	4		; ExCleanupRundownProtectionCacheAware
_KeSetDmaIoCoherency@4 endp		; KeSetDmaIoCoherency

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x, x, x, x)
_ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete@16 proc near
					; CODE XREF: KiSetClockTickRate+49p
					; KiSetClockTickRate+12Ap ...
		mov	eax, 0C00000BBh
		retn	10h
_ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete@16 endp


;  S U B	R O U T	I N E 


; __stdcall ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x, x)
_ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment@8 proc near
					; CODE XREF: KiMaskInterruptInternal+52p
					; KeUnmaskInterrupt+66p ...
		mov	eax, 0C00000BBh
		retn	8
_ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment@8 endp

; Exported entry 716. HvlUpdatePerformanceStateCountersForLp
; Exported entry 1375. MmAllocateMemoryRanges
; Exported entry 1401. MmFreeMemoryRanges
; Exported entry 1460. MmQueryMemoryRanges
; Exported entry 1663. PoCancelDeviceNotify

;  S U B	R O U T	I N E 


; __stdcall ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		public _ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig@4
_ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig@4 proc near
					; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+778p
					; EtwGetKernelTraceTimestampSilo+16670Ep ...
		mov	eax, 0C00000BBh	; HvlUpdatePerformanceStateCountersForLp
					; MmAllocateMemoryRanges
					; MmFreeMemoryRanges
					; MmQueryMemoryRanges
		retn	4
_ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig@4 endp

; Exported entry 382. ExInitializeRundownProtectionCacheAwareEx
; Exported entry 2048. RtlEndStrongEnumerationHashTable

;  S U B	R O U T	I N E 


; __stdcall RtlEndStrongEnumerationHashTable(x,	x)
		public _RtlEndStrongEnumerationHashTable@8
_RtlEndStrongEnumerationHashTable@8 proc near ;	CODE XREF: PpmInstallNewIdleStates+3BFp
					; KiFreezeTargetExecution(x,x)+C0p ...
		retn	8		; ExInitializeRundownProtectionCacheAwareEx
_RtlEndStrongEnumerationHashTable@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall xHalFlushIoRectangleExternalCache(x, x, x, x, x, x)
_xHalFlushIoRectangleExternalCache@24 proc near	; DATA XREF: .data:006B1360o
		retn	18h
_xHalFlushIoRectangleExternalCache@24 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall xKdUnmapVirtualAddress(x, x, x)
_xKdUnmapVirtualAddress@12 proc	near	; CODE XREF: PopPepTriggerActivity(x,x,x,x)+36p
					; DATA XREF: .text:off_401278o	...
		retn	0Ch
_xKdUnmapVirtualAddress@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall xHalGetInterruptVector(x, x, x, x, x, x)
_xHalGetInterruptVector@24 proc	near	; DATA XREF: .data:006B1268o
		xor	eax, eax
		retn	18h
_xHalGetInterruptVector@24 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall xHalIommuUnblockDevice(x, x)
_xHalIommuUnblockDevice@8 proc near	; CODE XREF: HvlDebuggerSupportInitialize+7DBDBp
					; HvlDebuggerSupportInitialize+7DDBFp ...
		mov	eax, 0C0000002h
		retn	8
_xHalIommuUnblockDevice@8 endp


;  S U B	R O U T	I N E 


; __stdcall xHalpIsInterruptTypeSecondary(x, x)
_xHalpIsInterruptTypeSecondary@8 proc near ; CODE XREF:	KiIntSteerGetLineInformation+3Fp
					; KiIsInterruptTypeSecondary+84564p ...
		xor	al, al
		retn	8
_xHalpIsInterruptTypeSecondary@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ext_ms_win_ntos_tm_l1_1_0_NtQueryInformationTransactionManager(x, x, x, x, x)
_ext_ms_win_ntos_tm_l1_1_0_NtQueryInformationTransactionManager@20 proc	near
					; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+E6p
					; DATA XREF: .data:006B126Co
		mov	eax, 0C00000BBh
		retn	14h
_ext_ms_win_ntos_tm_l1_1_0_NtQueryInformationTransactionManager@20 endp


;  S U B	R O U T	I N E 


; __stdcall xHalHaltSystem()
_xHalHaltSystem@0 proc near		; CODE XREF: KeBugCheck2(x,x,x,x,x,x):loc_61C5AFp
					; KiBugCheckDebugBreak(x)+8Dp ...
		mov	edi, edi

loc_541ECC:				; CODE XREF: xHalHaltSystem():loc_541ECCj
		jmp	short loc_541ECC
_xHalHaltSystem@0 endp


;  S U B	R O U T	I N E 


; __stdcall xHalProcessorFreeze()
_xHalProcessorFreeze@0 proc near	; CODE XREF: MmProtectVirtualMemory:loc_8DB5A3p
					; MiAllocateVirtualMemoryPrepare:loc_8DB979p ...
		mov	eax, 0C00000BBh
		retn
_xHalProcessorFreeze@0 endp


;  S U B	R O U T	I N E 


; __stdcall xKdReleasePciDeviceForDebugging(x)
_xKdReleasePciDeviceForDebugging@4 proc	near
					; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+500p
					; KeQueryAuxiliaryCounterFrequency(x)+6j ...
		mov	eax, 0C0000002h
		retn	4
_xKdReleasePciDeviceForDebugging@4 endp

; Exported entry 241. CcTestControl

;  S U B	R O U T	I N E 


; __stdcall xHalIommuGetLibraryContext(x, x, x)
		public _xHalIommuGetLibraryContext@12
_xHalIommuGetLibraryContext@12 proc near ; DATA	XREF: .data:006B135Co
					; .data:006B3198o ...
		mov	eax, 0C0000002h
		retn	0Ch
_xHalIommuGetLibraryContext@12 endp


;  S U B	R O U T	I N E 


; __stdcall xHalTimerQueryAndResetRtcErrors(x)
_xHalTimerQueryAndResetRtcErrors@4 proc	near ; CODE XREF: PAGELK:0071F184p
					; DATA XREF: .data:off_6B13ECo	...
		xor	al, al
		retn	4
_xHalTimerQueryAndResetRtcErrors@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiRevokeExecuteTail(x)
_MiRevokeExecuteTail@4 proc near	; CODE XREF: MiExtendSection+130CA8p
					; DATA XREF: MmRemoveExecuteGrants()+77o ...
		xor	eax, eax
		retn	4
_MiRevokeExecuteTail@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall xHalProcessorHalt(x, x, x)
_xHalProcessorHalt@12 proc near		; DATA XREF: .data:006B133Co
		mov	edi, edi
		int	3		; Trap to Debugger
		mov	eax, 0C00000BBh
		retn	0Ch
_xHalProcessorHalt@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall xHalQueryIoPortAccessSupported()
_xHalQueryIoPortAccessSupported@0 proc near ; DATA XREF: .data:006B12C4o
		mov	al, 1
		retn
_xHalQueryIoPortAccessSupported@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall xHalQueryProcessorRestartEntryPoint(x)
_xHalQueryProcessorRestartEntryPoint@4 proc near ; DATA	XREF: .data:006B134Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		and	dword ptr [eax+4], 0
		mov	eax, 0C00000BBh
		pop	ebp
		retn	4
_xHalQueryProcessorRestartEntryPoint@4 endp


;  S U B	R O U T	I N E 


; __stdcall xHalTopologyQueryProcessorRelationships(x, x, x, x,	x, x, x)
_xHalTopologyQueryProcessorRelationships@28 proc near ;	DATA XREF: .data:006B143Co
		mov	eax, 0C00000BBh
		retn	1Ch
_xHalTopologyQueryProcessorRelationships@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall xHalVectorToIDTEntry(x)
_xHalVectorToIDTEntry@4	proc near	; DATA XREF: .data:006B1254o

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [ebp+arg_0]
		pop	ebp
		retn	4
_xHalVectorToIDTEntry@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall xHalVectorToIDTEntryEx(x)
_xHalVectorToIDTEntryEx@4 proc near	; DATA XREF: .data:006B12F8o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		pop	ebp
		retn	4
_xHalVectorToIDTEntryEx@4 endp

; Exported entry 1930. PsWrapApcWow64Thread

;  S U B	R O U T	I N E 


; __stdcall xKdGetAcpiTablePhase0(x, x)
		public _xKdGetAcpiTablePhase0@8
_xKdGetAcpiTablePhase0@8 proc near	; CODE XREF: MiGetSystemAddressForImage+B1E7Dp
					; MiGetSystemAddressForImage+B2094p ...
		xor	eax, eax
		retn	8
_xKdGetAcpiTablePhase0@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ext_ms_win_ntos_ksr_l1_1_3_KsrFreePersistedMemoryBlock(x, x, x, x)
_ext_ms_win_ntos_ksr_l1_1_3_KsrFreePersistedMemoryBlock@16 proc	near
					; DATA XREF: RtlpGetHeapInterceptorIndex(x)+5o
					; .data:006B1258o
		xor	eax, eax
		retn	10h
_ext_ms_win_ntos_ksr_l1_1_3_KsrFreePersistedMemoryBlock@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall xKdWatchdogDelayExpiration(x)
_xKdWatchdogDelayExpiration@4 proc near	; DATA XREF: .data:006B13F4o
		mov	eax, 0C0000001h
		retn	4
_xKdWatchdogDelayExpiration@4 endp


;  S U B	R O U T	I N E 


; __stdcall HvlGetQpcBias()
_HvlGetQpcBias@0 proc near		; DATA XREF: HvlGetEnlightenmentInfo(x)+159o
		mov	eax, ds:_HvlpReferenceTscPage
		mov	eax, [eax+18h]
		mov	edx, ds:_HvlpReferenceTscPage
		mov	edx, [edx+1Ch]
		retn
_HvlGetQpcBias@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlWriteApicCommandRegister(x, x)
_HvlWriteApicCommandRegister@8 proc near ; DATA	XREF: HvlGetEnlightenmentInfo(x)+BDo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		or	eax, [ebp+arg_4]
		mov	ecx, 40000071h
		wrmsr
		pop	ebp
		retn	8
_HvlWriteApicCommandRegister@8 endp


;  S U B	R O U T	I N E 


; __stdcall BvgaGetDisplayState()
_BvgaGetDisplayState@0 proc near	; DATA XREF: .data:006B2CC8o
		mov	eax, _BvgaDisplayState
		retn
_BvgaGetDisplayState@0 endp


;  S U B	R O U T	I N E 


; __stdcall BvgaIsBootDriverInstalled()
_BvgaIsBootDriverInstalled@0 proc near	; DATA XREF: .data:006B2C9Co
		mov	al, _BvgaBootDriverInstalled
		retn
_BvgaIsBootDriverInstalled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BvgaSetProgressBarSubset(x,	x)
_BvgaSetProgressBarSubset@8 proc near	; DATA XREF: .data:006B2CB8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		imul	eax, [ebp+arg_0], 64h
		mov	ecx, [ebp+arg_4]
		mov	_BvgaProgressState, eax
		imul	eax, ecx, 64h
		sub	ecx, [ebp+arg_0]
		mov	dword_6CD918, ecx
		mov	dword_6CD914, eax
		pop	ebp
		retn	8
_BvgaSetProgressBarSubset@8 endp


;  S U B	R O U T	I N E 


; __stdcall KiDummyDoubleFaultHandler()
_KiDummyDoubleFaultHandler@0 proc near	; DATA XREF: KiSetHaltedNmiandDoubleFaultHandler()+5Do
		mov	eax, large fs:1Ch
		mov	eax, [eax+3Ch]
		mov	byte ptr [eax+55h], 89h

loc_541FB5:				; CODE XREF: .text:00541FB6j
		hlt
_KiDummyDoubleFaultHandler@0 endp

		jmp	short loc_541FB5

;  S U B	R O U T	I N E 


; __stdcall KiDummyNmiHandler()
_KiDummyNmiHandler@0 proc near		; DATA XREF: KiSetHaltedNmiandDoubleFaultHandler()+2Fo
		mov	eax, large fs:1Ch
		mov	eax, [eax+3Ch]
		mov	byte ptr [eax+5Dh], 89h

loc_541FC5:				; CODE XREF: KiDummyNmiHandler()+Ej
		hlt
		jmp	short loc_541FC5
_KiDummyNmiHandler@0 endp


;  S U B	R O U T	I N E 


; __stdcall KiInvalidateRangeAllCachesTarget(x,	x, x, x)
_KiInvalidateRangeAllCachesTarget@16 proc near
					; DATA XREF: KeInvalidateRangeAllCaches(x,x)+49o
					; KiCompleteKernelInit+121o
		retn	10h
_KiInvalidateRangeAllCachesTarget@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiSchedulerApcNop(x, x, x, x, x)
_KiSchedulerApcNop@20 proc near		; DATA XREF: MiQueueSyncModifiedWriterApc(x,x,x,x,x)+13o
					; PAGELK:0071A610o ...
		retn	14h
_KiSchedulerApcNop@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeIdleSpecCtrl(x, x, x, x)
_KeIdleSpecCtrl@16 proc	near		; CODE XREF: PoIdle(x)+BAp
					; PoIdle(x)+2AEp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	edx, edx
		jz	short loc_542018
		mov	dl, [ecx+21B9h]
		xor	eax, eax
		test	dl, 1
		jz	short loc_541FF7
		cmp	[ecx+21BAh], ax
		jz	short loc_541FF7
		or	byte ptr [ecx+21B8h], 1

loc_541FF7:				; CODE XREF: KeIdleSpecCtrl(x,x,x,x)+15j
					; KeIdleSpecCtrl(x,x,x,x)+1Ej
		mov	[ebp+var_4], eax
		test	dl, 20h
		jz	short loc_54200D
		mov	ax, [ecx+4F08h]
		mov	word ptr [ebp+var_4+2],	ax
		mov	eax, [ebp+var_4]

loc_54200D:				; CODE XREF: KeIdleSpecCtrl(x,x,x,x)+2Dj
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	ax, [ebp+arg_4]
		jmp	short locret_542021
; 

loc_542018:				; CODE XREF: KeIdleSpecCtrl(x,x,x,x)+8j
		and	byte ptr [ecx+21B8h], 0FEh
		xor	eax, eax

locret_542021:				; CODE XREF: KeIdleSpecCtrl(x,x,x,x)+46j
		leave
		retn	8
_KeIdleSpecCtrl@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseGetIoCallbacks(x)
_KseGetIoCallbacks@4 proc near		; DATA XREF: KsepEngineInitialize+5Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+18h]
		mov	eax, [eax+1Ch]
		pop	ebp
		retn	4
_KseGetIoCallbacks@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPageMightBeZero(x, x, x)
_MiPageMightBeZero@12 proc near		; CODE XREF: MiSharePages(x,x,x,x,x)+7D5p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		mov	edx, ecx
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_542085
		mov	al, [edx+60h]
		and	al, 7
		cmp	al, 2
		jnb	short loc_5420BD
		push	0
		xor	edx, edx
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		test	eax, 0FFFFFFFDh
		jnz	short loc_5420BD
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_5420A4
		mov	eax, [ebp+arg_0]
		shl	eax, 9
		add	eax, 40000000h
		cmp	eax, offset loc_7FFFFF
		ja	short loc_5420A4
		jmp	short loc_5420BD
; 

loc_542085:				; CODE XREF: MiPageMightBeZero(x,x,x)+13j
		test	dword ptr [esi+18h], (offset loc_7FFFFF+1)
		jnz	short loc_542097
		mov	eax, [esi+4]
		test	eax, eax
		js	short loc_542097
		jnz	short loc_5420BD

loc_542097:				; CODE XREF: MiPageMightBeZero(x,x,x)+54j
					; MiPageMightBeZero(x,x,x)+5Bj
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_5420BD

loc_5420A4:				; CODE XREF: MiPageMightBeZero(x,x,x)+37j
					; MiPageMightBeZero(x,x,x)+49j
		xor	eax, eax
		inc	eax
		cmp	[esi+14h], ax
		jnz	short loc_5420BD
		mov	cl, [esi+16h]
		and	cl, 0C0h
		cmp	cl, 40h
		jnz	short loc_5420BD
		test	[esi+17h], cl
		jz	short loc_5420BF

loc_5420BD:				; CODE XREF: MiPageMightBeZero(x,x,x)+1Cj
					; MiPageMightBeZero(x,x,x)+2Cj	...
		xor	eax, eax

loc_5420BF:				; CODE XREF: MiPageMightBeZero(x,x,x)+83j
		pop	esi
		pop	ebp
		retn	4
_MiPageMightBeZero@12 endp

; 

; __stdcall MiGetSinglePageToZero(x, x)
_MiGetSinglePageToZero@8:		; CODE XREF: MiGetPagesToZero(x,x,x)+48p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		mov	esi, edx
		mov	byte ptr [ebp-1], 21h
		mov	edx, [ecx+544h]
		push	edi
		xor	edi, edi
		mov	[ebp-8], esi
		mov	eax, [esi+48h]
		mov	ecx, edi
		mov	[ebp-0Ch], edi
		mov	[ebp-1Ch], eax
		mov	[ebp-14h], edx
		mov	[ebp-10h], ecx
		jmp	short loc_5420F4
; 

loc_5420F2:				; CODE XREF: .text:005421B5j
					; .text:005421D2j
		xor	edi, edi

loc_5420F4:				; CODE XREF: .text:005420F0j
		imul	eax, [esi+48h],	14h
		mov	esi, [eax+edx+8]
		mov	[ebp-18h], esi
		cmp	esi, offset loc_7FFFFF
		jz	short loc_542124
		imul	edi, esi, 1Ch
		add	edi, ds:_MmPfnDatabase
		test	ecx, ecx
		jnz	short loc_542124
		mov	eax, [edi+10h]
		test	eax, eax
		jns	short loc_542124
		mov	dword ptr [ebp-0Ch], 1
		xor	edi, edi

loc_542124:				; CODE XREF: .text:00542105j
					; .text:00542112j ...
		test	edi, edi
		jz	short loc_54218E
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp-1], al
		cmp	esi, dword_6D07B0
		ja	loc_5421ED
		mov	edx, dword_6D35B8
		mov	ecx, [ebp-18h]
		shr	esi, 5
		and	ecx, 1Fh
		mov	edx, [edx+esi*4]
		shr	edx, cl
		and	edx, 1
		jz	loc_5421ED
		mov	cl, [edi+16h]
		mov	al, cl
		and	al, 7
		cmp	al, 1
		jnz	loc_5421ED
		test	dword ptr [edi+18h], 800000h
		jnz	short loc_5421ED
		test	cl, 8
		jz	short loc_5421E4
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	edi, edi

loc_54218E:				; CODE XREF: .text:00542126j
		mov	esi, [ebp-8]
		mov	edx, dword_6D0680
		not	edx
		mov	eax, [esi+48h]
		and	edx, eax
		inc	eax
		and	eax, dword_6D0680
		or	edx, eax
		xor	eax, eax
		mov	[esi+48h], edx

loc_5421AC:				; CODE XREF: .text:0054220Bj
		cmp	edx, [ebp-1Ch]
		mov	ecx, [ebp-10h]
		mov	edx, [ebp-14h]
		jnz	loc_5420F2
		mov	edx, [ebp-0Ch]

loc_5421BE:				; CODE XREF: .text:005421EBj
		test	edx, edx
		jz	short loc_5421D8
		mov	ecx, [ebp-10h]
		mov	esi, [ebp-8]
		inc	ecx
		mov	edx, [ebp-14h]
		mov	[ebp-10h], ecx
		cmp	ecx, 2
		jb	loc_5420F2

loc_5421D8:				; CODE XREF: .text:005421C0j
		test	edi, edi
		jz	short loc_542235
		cmp	[edi+14h], ax
		jnz	short loc_54223B
		jmp	short loc_54220D
; 

loc_5421E4:				; CODE XREF: .text:00542176j
		xor	eax, eax
		mov	edx, eax
		mov	[ebp-0Ch], edx
		jmp	short loc_5421BE
; 

loc_5421ED:				; CODE XREF: .text:00542138j
					; .text:00542155j ...
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp-8]
		xor	eax, eax
		mov	edi, eax
		mov	edx, [esi+48h]
		jmp	short loc_5421AC
; 

loc_54220D:				; CODE XREF: .text:005421E2j
		mov	ecx, [ebp-8]
		mov	edx, edi
		call	MiBeginPageAccessor
		mov	esi, eax
		lea	ecx, [edi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_542235
		mov	eax, edi
		jmp	short loc_542237
; 

loc_542235:				; CODE XREF: .text:005421DAj
					; .text:0054222Fj
		xor	eax, eax

loc_542237:				; CODE XREF: .text:00542233j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_54223B:				; CODE XREF: .text:005421E0j
		push	dword ptr [edi+4]
		push	dword ptr [edi+14h]
		push	dword ptr [ebp-18h]
		push	8Dh
		push	4Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMapPagesToZero(x,	x, x)
_MiMapPagesToZero@12 proc near		; CODE XREF: MiGetPagesToZero(x,x,x)+A8p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_1C], ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_18], edi
		cmp	ecx, 2
		jnb	short loc_542278
		mov	eax, ds:_MiLargePageSizes[ecx*4]
		jmp	short loc_54227B
; 

loc_542278:				; CODE XREF: MiMapPagesToZero(x,x,x)+1Bj
		xor	eax, eax
		inc	eax

loc_54227B:				; CODE XREF: MiMapPagesToZero(x,x,x)+24j
		mov	[ebp+var_C], eax
		test	ecx, ecx
		jnz	short loc_542287
		mov	esi, [ebx+30h]
		jmp	short loc_542292
; 

loc_542287:				; CODE XREF: MiMapPagesToZero(x,x,x)+2Ej
		mov	edx, eax
		mov	ecx, ebx
		call	_MiGetSmallZeroPtes@8 ;	MiGetSmallZeroPtes(x,x)
		mov	esi, eax

loc_542292:				; CODE XREF: MiMapPagesToZero(x,x,x)+33j
		mov	eax, esi
		shl	eax, 9
		mov	[ebp+var_20], eax
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, edi
		mov	[ebp+var_14], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		cmp	byte ptr [ebx+25h], 1
		mov	[ebp+var_1], al
		jnz	short loc_5422E3
		mov	ecx, ebx
		call	MiRemoveFaultNode
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	dword_6C6910
		xor	eax, eax
		jmp	loc_542445
; 

loc_5422E3:				; CODE XREF: MiMapPagesToZero(x,x,x)+67j
		mov	cl, [edi+16h]
		xor	edx, edx
		movzx	eax, cl
		inc	edx
		shr	eax, 6
		cmp	[ebp+var_C], edx
		jnz	short loc_542322
		test	eax, eax
		jz	short loc_54230F
		cmp	eax, 2
		jz	short loc_54230F
		and	cl, 0C0h
		cmp	cl, 0C0h
		jnz	short loc_542322
		push	edx
		mov	ecx, edi
		call	_MiFinalizePageAttribute@12 ; MiFinalizePageAttribute(x,x,x)
		jmp	short loc_542322
; 

loc_54230F:				; CODE XREF: MiMapPagesToZero(x,x,x)+A4j
					; MiMapPagesToZero(x,x,x)+A9j
		shl	eax, 4
		cmp	dword_6D0750[eax], edx
		jnz	short loc_542322
		push	edx
		mov	ecx, edi
		call	MiChangePageAttribute

loc_542322:				; CODE XREF: MiMapPagesToZero(x,x,x)+A0j
					; MiMapPagesToZero(x,x,x)+B1j ...
		push	4
		mov	edx, edi
		pop	ecx
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		mov	edx, [ebp+var_14]
		or	eax, 0A0000000h
		push	eax
		mov	ecx, esi
		call	MiMakeValidPte
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_C]
		mov	ecx, eax
		shl	ecx, 3
		add	ecx, esi
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], ecx
		cmp	esi, ecx
		jnb	loc_54240C
		mov	edx, [ebp+var_10]
		mov	edi, ecx
		mov	ebx, [ebp+var_14]

loc_54235F:				; CODE XREF: MiMapPagesToZero(x,x,x)+1ABj
		and	[ebp+var_14], 0
		mov	ecx, esi
		mov	[ebp+var_8], ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_5423BA
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_54239B
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		mov	[ebp+var_14], ecx
		jnz	short loc_5423BA
		mov	eax, edx
		and	eax, ecx

loc_54238D:				; CODE XREF: MiMapPagesToZero(x,x,x)+166j
		or	eax, 0
		jz	short loc_5423BA
		mov	eax, ebx
		or	eax, 80000000h
		jmp	short loc_5423BD
; 

loc_54239B:				; CODE XREF: MiMapPagesToZero(x,x,x)+126j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_5423BA
		mov	eax, edx
		and	eax, 1
		jmp	short loc_54238D
; 

loc_5423BA:				; CODE XREF: MiMapPagesToZero(x,x,x)+11Dj
					; MiMapPagesToZero(x,x,x)+135j	...
		mov	eax, [ebp+var_8]

loc_5423BD:				; CODE XREF: MiMapPagesToZero(x,x,x)+147j
		mov	[esi+4], eax
		nop
		cmp	[ebp+var_14], 0
		mov	ecx, edx
		mov	[esi], ecx
		jz	short loc_5423D7
		push	eax
		push	ecx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	edx, [ebp+var_10]

loc_5423D7:				; CODE XREF: MiMapPagesToZero(x,x,x)+177j
		mov	ecx, edx
		mov	eax, ebx
		add	ecx, 1000h
		adc	eax, 0
		xor	ecx, edx
		xor	eax, ebx
		and	ecx, 0FFFFF000h
		and	eax, 1Fh
		xor	edx, ecx
		add	esi, 8
		mov	[ebp+var_10], edx
		xor	ebx, eax
		cmp	esi, edi
		jb	loc_54235F
		mov	edi, [ebp+var_18]
		mov	ebx, [ebp+var_1C]
		mov	eax, [ebp+var_C]

loc_54240C:				; CODE XREF: MiMapPagesToZero(x,x,x)+FFj
		mov	ecx, eax
		mov	[ebx+28h], edi
		shl	ecx, 3
		mov	edx, 7FFFFFFFh
		sub	esi, ecx
		shl	eax, 0Ch
		mov	ecx, [ebp+var_20]
		mov	[ebx+14h], ecx
		dec	ecx
		add	eax, ecx
		mov	[ebx+10h], esi
		mov	ecx, [ebp+arg_0]
		mov	[ebx+20h], ecx
		lea	ecx, [edi+10h]
		mov	[ebx+18h], eax
		lock and [ecx],	edx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		inc	eax

loc_542445:				; CODE XREF: MiMapPagesToZero(x,x,x)+8Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiMapPagesToZero@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeZeroPageSlistSufficient(x, x,	x)
_MiFreeZeroPageSlistSufficient@12 proc near ; CODE XREF: MiZeroPage(x,x)+352p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+4], 20h
		jnz	short loc_5424A1
		mov	ecx, [ebp+arg_0]
		mov	eax, [esi+ecx*4+954h]
		movzx	eax, word ptr [eax+edx*8+4]
		cmp	eax, [esi+0DB8h]
		jge	short loc_5424A1
		xor	eax, eax
		test	ecx, ecx
		mov	cl, byte_6D068C
		setz	al
		shr	edx, cl
		imul	ecx, edx, 280h
		xor	edx, edx
		lea	eax, ds:1000h[eax*2]
		push	eax
		add	ecx, [esi+10h]
		call	_MiNodeFreeZeroPages@12	; MiNodeFreeZeroPages(x,x,x)
		cmp	eax, 40h
		jbe	short loc_5424A1
		xor	eax, eax
		jmp	short loc_5424A4
; 

loc_5424A1:				; CODE XREF: MiFreeZeroPageSlistSufficient(x,x,x)+Cj
					; MiFreeZeroPageSlistSufficient(x,x,x)+23j ...
		xor	eax, eax
		inc	eax

loc_5424A4:				; CODE XREF: MiFreeZeroPageSlistSufficient(x,x,x)+53j
		pop	esi
		pop	ebp
		retn	4
_MiFreeZeroPageSlistSufficient@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiGetLeafPfnBuddy(x, x)
_MiGetLeafPfnBuddy@8 proc near		; CODE XREF: MiDeleteSubsectionLargePages(x,x,x)+34p
					; MiFreeLargePages(x,x)+2Ap ...
		mov	eax, [ecx]
		test	eax, 1FFFFFFEh
		jnz	short loc_5424B6
		xor	eax, eax
		retn
; 

loc_5424B6:				; CODE XREF: MiGetLeafPfnBuddy(x,x)+7j
		and	eax, 0FFFFFFFEh
		or	eax, 0E0000000h
		shl	eax, 2
		retn
_MiGetLeafPfnBuddy@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIsPageTableDeletable(x, x)
_MiIsPageTableDeletable@8 proc near	; CODE XREF: MiDeleteClusterPage(x,x)+398p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	edx, ecx
		push	edi
		mov	edi, esi
		mov	ecx, 0C0000000h
		shl	edi, 9
		mov	ebx, [edx+10h]
		mov	eax, edi
		mov	[ebp+var_4], ebx
		cmp	edi, ecx
		jb	short loc_5424F3

loc_5424E5:				; CODE XREF: MiIsPageTableDeletable(x,x)+2Fj
		cmp	eax, 0C07FFFFFh
		ja	short loc_5424F3
		shl	eax, 9
		cmp	eax, ecx
		jnb	short loc_5424E5

loc_5424F3:				; CODE XREF: MiIsPageTableDeletable(x,x)+21j
					; MiIsPageTableDeletable(x,x)+28j
		cmp	eax, ds:_MmHighestUserAddress
		ja	short loc_54252C
		mov	eax, large fs:124h
		shr	esi, 3
		and	esi, 7FFh
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		cmp	word ptr [eax+esi*2+190h], 0
		jz	loc_5425AB

loc_542525:				; CODE XREF: MiIsPageTableDeletable(x,x)+8Fj
					; MiIsPageTableDeletable(x,x)+E3j
		xor	eax, eax

loc_542527:				; CODE XREF: MiIsPageTableDeletable(x,x)+ECj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_54252C:				; CODE XREF: MiIsPageTableDeletable(x,x)+37j
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		nop
		shrd	ecx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		mov	eax, [ecx+eax+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	short loc_542525
		mov	al, [ebx+60h]
		and	al, 7
		cmp	al, 1
		jnz	short loc_5425AB
		test	byte ptr [edx],	4
		jz	short loc_54256E
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	MiLockPageTableInternal
		jmp	short loc_542570
; 

loc_54256E:				; CODE XREF: MiIsPageTableDeletable(x,x)+9Dj
		xor	esi, esi

loc_542570:				; CODE XREF: MiIsPageTableDeletable(x,x)+AAj
		xor	ebx, ebx
		inc	ebx

loc_542573:				; CODE XREF: MiIsPageTableDeletable(x,x)+CDj
		mov	edx, [edi]
		nop
		mov	ecx, edx
		or	ecx, [edi+4]
		jz	short loc_542586
		and	edx, 1
		or	edx, 0
		jz	short loc_542593
		nop

loc_542586:				; CODE XREF: MiIsPageTableDeletable(x,x)+B9j
		add	edi, 8
		test	edi, 0FFFh
		jnz	short loc_542573
		jmp	short loc_542595
; 

loc_542593:				; CODE XREF: MiIsPageTableDeletable(x,x)+C1j
		xor	ebx, ebx

loc_542595:				; CODE XREF: MiIsPageTableDeletable(x,x)+CFj
		test	esi, esi
		jz	short loc_5425A3
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_5425A3:				; CODE XREF: MiIsPageTableDeletable(x,x)+D5j
		test	ebx, ebx
		jz	loc_542525

loc_5425AB:				; CODE XREF: MiIsPageTableDeletable(x,x)+5Dj
					; MiIsPageTableDeletable(x,x)+98j
		xor	eax, eax
		inc	eax
		jmp	loc_542527
_MiIsPageTableDeletable@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopRegisterEnergyEstimation(x, x)
_PopRegisterEnergyEstimation@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	_PopComputeEnergy, eax
		mov	eax, [ebp+arg_4]
		mov	_PopSnapEnergyCounters,	eax
		pop	ebp
		retn	8
_PopRegisterEnergyEstimation@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PpmIdleRemoveVetoBias()
_PpmIdleRemoveVetoBias@0 proc near
		mov	_PpmIdleVetoBias, 0
		xor	eax, eax
		retn
_PpmIdleRemoveVetoBias@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopAwayModeUserPresenceDpc(x, x, x,	x)
_PopAwayModeUserPresenceDpc@16 proc near ; DATA	XREF: PipCslStateChangeCallback+9B887o
					; PopSetSystemAwayMode(x)+6Bo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		xchg	ecx, [eax]
		pop	ebp
		retn	10h
_PopAwayModeUserPresenceDpc@16 endp


;  S U B	R O U T	I N E 


; __stdcall PopPepStartVoidActivity(x, x, x)
_PopPepStartVoidActivity@12 proc near	; DATA XREF: .text:004013F0o
		xor	al, al
		retn	0Ch
_PopPepStartVoidActivity@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsEventHandler(x, x)
_PopDirectedDripsEventHandler@8	proc near ; DATA XREF: PAGEDATA:00A93A44o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 4
		xor	eax, eax
		pop	ebp
		retn	8
_PopDirectedDripsEventHandler@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSxTransitionEventHandler(x, x)
_PopSxTransitionEventHandler@8 proc near ; DATA	XREF: PAGEDATA:00A93784o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		xor	eax, eax
		pop	ebp
		retn	8
_PopSxTransitionEventHandler@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PpmHeteroGetHgsEnablementStatus()
_PpmHeteroGetHgsEnablementStatus@0 proc	near ; DATA XREF: PAGE:00A40238o
		mov	al, ds:_PpmHeteroHgsEnabled
		retn
_PpmHeteroGetHgsEnablementStatus@0 endp


;  S U B	R O U T	I N E 


; __stdcall HvcallpNoHypervisorPresent()
_HvcallpNoHypervisorPresent@0 proc near	; CODE XREF: HvcallInitiateHypercall(x,x,x,x,x,x)+1Bp
					; DATA XREF: ALMOSTRO:_HvcallCodeVao
		mov	eax, 1000h
		xor	edx, edx
		retn
_HvcallpNoHypervisorPresent@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockDownWorkingSet proc near		; CODE XREF: MiCloneProcessAddressSpace+5Ep
					; MiCloneProcessAddressSpace+209p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DAF9C SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_2C], edx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		rep stosd
		lea	eax, [ebp+var_1C]
		xor	edx, edx
		lea	ebx, [esi+240h]
		mov	ecx, esi
		push	eax
		mov	[ebp+var_30], ebx
		call	KiStackAttachProcess
		mov	al, [ebx+60h]
		mov	esi, offset unk_6D3C40
		and	al, 7
		cmp	al, 2
		jz	short loc_54267E
		lea	esi, [ebx+80h]

loc_54267E:				; CODE XREF: MiLockDownWorkingSet+46j
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		mov	ebx, 0C0603018h
		mov	[ebp+var_1D], al
		mov	[ebp+var_24], 4

loc_542697:				; CODE XREF: MiLockDownWorkingSet+B1j
		mov	ecx, [ebx]
		nop
		mov	eax, [ebx+4]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	esi, ecx, 1Ch
		add	esi, ds:_MmPfnDatabase
		and	[ebp+var_28], 0
		lea	edi, [esi+10h]

loc_5426B7:				; CODE XREF: MiLockDownWorkingSet+9897Aj
		lock bts dword ptr [edi], 1Fh
		jb	loc_5DAF9C
		cmp	[ebp+var_2C], 1
		mov	ecx, esi
		jnz	short loc_542707
		xor	edx, edx
		inc	edx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)

loc_5426D2:				; CODE XREF: MiLockDownWorkingSet+DCj
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		sub	ebx, 8
		sub	[ebp+var_24], 1
		jnz	short loc_542697
		mov	dl, [ebp+var_1D]
		mov	ecx, [ebp+var_30]
		call	MiUnlockWorkingSetExclusive
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_542707:				; CODE XREF: MiLockDownWorkingSet+98j
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		jmp	short loc_5426D2
MiLockDownWorkingSet endp


;  S U B	R O U T	I N E 


; __stdcall MiFreeForkMaps(x)
_MiFreeForkMaps@4 proc near		; CODE XREF: MiCloneVads+484p
					; MiCloneVads+98867p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi+14h]
		test	edx, edx
		jz	short loc_542735
		shr	edx, 9
		mov	ecx, offset dword_6D35E0
		and	edx, offset loc_7FFFF8
		push	1
		sub	edx, 40000000h
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_542735:				; CODE XREF: MiFreeForkMaps(x)+Aj
		mov	edx, [esi+4]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_542743
		pop	esi
		jmp	MiFinishLastForkPageTable
; 

loc_542743:				; CODE XREF: MiFreeForkMaps(x)+2Dj
		pop	esi
		retn
_MiFreeForkMaps@4 endp ; sp = -4

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiVadShouldBeForked(x)
_MiVadShouldBeForked@4 proc near	; CODE XREF: MiAllocateChildVads+87p
		mov	edx, [ecx+1Ch]
		mov	eax, edx
		push	esi
		mov	esi, offset loc_500000
		and	eax, esi
		cmp	eax, esi
		jz	short loc_5427AF
		mov	esi, edx
		and	esi, 100000h
		jz	short loc_542777
		test	edx, 400000h
		jnz	short loc_5427AA
		mov	eax, edx
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnb	short loc_5427AA

loc_542777:				; CODE XREF: MiVadShouldBeForked(x)+19j
		mov	eax, edx
		and	eax, 70h
		jz	short loc_542788
		cmp	eax, 20h
		jz	short loc_542788
		cmp	eax, 50h
		jnz	short loc_5427AF

loc_542788:				; CODE XREF: MiVadShouldBeForked(x)+36j
					; MiVadShouldBeForked(x)+3Bj
		test	esi, esi
		jz	short loc_5427A0
		test	edx, 1000000h
		jnz	short loc_54279C
		test	edx, 2000000h
		jnz	short loc_5427AF

loc_54279C:				; CODE XREF: MiVadShouldBeForked(x)+4Cj
		test	esi, esi
		jnz	short loc_5427AA

loc_5427A0:				; CODE XREF: MiVadShouldBeForked(x)+44j
		mov	eax, [ecx+28h]
		test	eax, 4000000h
		jz	short loc_5427AF

loc_5427AA:				; CODE XREF: MiVadShouldBeForked(x)+21j
					; MiVadShouldBeForked(x)+2Fj ...
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_5427AF:				; CODE XREF: MiVadShouldBeForked(x)+Fj
					; MiVadShouldBeForked(x)+40j ...
		xor	eax, eax
		pop	esi
		retn
_MiVadShouldBeForked@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCloneVads	proc near		; CODE XREF: MiCloneProcessAddressSpace+15Dp

var_15C		= dword	ptr -15Ch
var_128		= dword	ptr -128h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_B4		= dword	ptr -0B4h
var_A8		= dword	ptr -0A8h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005DAFAF SIZE 000000F3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 11Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_F4], eax
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		mov	[ebp+var_110], eax
		lea	edi, [ebp+var_C0]
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_CC], ecx
		mov	ecx, 8
		mov	[ebp+var_11C], eax
		xor	eax, eax
		push	98h		; size_t
		push	eax		; int
		rep stosd
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_C4], edx
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		mov	edi, [ebp+var_CC]
		xor	ebx, ebx
		mov	[ebp+var_10C], 0
		mov	[ebp+var_108], 0
		mov	[ebp+var_104], 0
		mov	[ebp+var_F0], 0
		mov	[ebp+var_E8], 0
		mov	[ebp+var_EC], 0
		mov	[ebp+var_D8], ebx
		mov	[ebp+var_E4], eax
		lea	esp, [esp+0]

loc_542880:				; CODE XREF: MiCloneVads+98852j
		mov	esi, [edi+14Ch]
		test	esi, esi
		jz	loc_5DAFAF

loc_54288E:				; CODE XREF: MiCloneVads+987F4j
		mov	ecx, [edi+24Ch]
		mov	edx, esi
		mov	eax, [ecx+8Ch]
		push	eax
		mov	eax, [ecx+88h]
		mov	ecx, edi
		push	eax
		call	MiBuildNewCloneDescriptor
		mov	[ebp+var_D0], eax
		test	eax, eax
		jz	loc_5DB080
		inc	esi
		shl	esi, 4
		push	esi
		push	[ebp+var_C4]
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_5DB08A
		push	0
		push	40h
		mov	edx, 64436D4Dh
		mov	ecx, 30h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_D4], eax
		test	eax, eax
		jz	loc_5DB051
		mov	edi, [ebp+var_CC]
		mov	[eax+20h], esi
		add	edi, 240h
		mov	eax, [ebp+var_E4]
		mov	[ebp+var_E0], edi
		mov	ecx, [eax+80h]
		mov	ecx, [ecx+24Ch]
		dec	word ptr [eax+13Eh]
		nop
		add	ecx, 0A4h
		xor	edx, edx
		call	ExAcquireAutoExpandPushLockExclusive
		mov	al, [edi+60h]
		lea	ecx, [edi+80h]
		and	al, 7
		mov	[ebp+var_100], ecx
		cmp	al, 2
		jz	loc_5DAFB9
		mov	edi, ecx

loc_54294B:				; CODE XREF: MiCloneVads+987FEj
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	[edi+4], ebx
		mov	dl, al
		mov	edi, [ebp+var_CC]
		mov	eax, [ebp+var_D0]
		mov	byte ptr [ebp+var_DC], dl
		mov	ecx, [edi+14Ch]
		cmp	ecx, [eax+14h]
		ja	loc_5DAFC3
		mov	edx, [ebp+var_D4]
		mov	eax, [ebp+var_F4]
		mov	esi, [ebp+var_E0]
		mov	ecx, esi
		mov	[edx], eax
		mov	eax, [ebp+var_E4]
		mov	dl, byte ptr [ebp+var_DC]
		mov	[edi+140h], eax
		call	MiUnlockWorkingSetExclusive
		mov	ecx, [ebp+var_E4]
		call	_MiUnlockAweVadsExclusive@4 ; MiUnlockAweVadsExclusive(x)
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		jz	loc_5DB017
		mov	esi, [ebp+var_100]

loc_5429C2:				; CODE XREF: MiCloneVads+9885Cj
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	eax, [ebp+var_D0]
		lea	edx, [ebp+var_C0]
		mov	[esi+4], ebx
		mov	esi, [ebp+var_C4]
		mov	ecx, esi
		mov	eax, [eax+0Ch]
		mov	[ebp+var_F4], eax
		call	_MiInitializeForkMaps@8	; MiInitializeForkMaps(x,x)
		test	eax, eax
		jz	loc_5DB021
		mov	eax, [ebp+var_D0]
		mov	ecx, edi
		mov	ebx, [ebp+var_F4]
		mov	edx, eax
		push	1
		mov	dword ptr [eax+18h], 1
		call	MiInsertClone
		mov	eax, [esi+350h]
		xor	edx, edx
		mov	[ebp+var_A0], 1
		mov	[ebp+var_9C], 0
		mov	[ebp+var_90], 0
		mov	[ebp+var_98], 21h
		mov	[ebp+var_8C], 0
		test	eax, eax
		jz	short loc_542A58

loc_542A50:				; CODE XREF: MiCloneVads+296j
		mov	edx, eax
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_542A50

loc_542A58:				; CODE XREF: MiCloneVads+28Ej
		test	edx, edx
		jz	loc_542C33

loc_542A60:				; CODE XREF: MiCloneVads+461j
		mov	eax, [edx+4]
		mov	edi, edx
		mov	[ebp+var_118], edx
		mov	ecx, edx
		mov	[ebp+var_D8], edi
		test	eax, eax
		jz	loc_542D5E
		mov	ecx, [eax]
		mov	[ebp+var_C8], eax
		test	ecx, ecx
		jz	short loc_542A9E
		jmp	short loc_542A90
; 
		align 10h

loc_542A90:				; CODE XREF: MiCloneVads+2C7j
					; MiCloneVads+2DCj
		mov	eax, [ecx]
		mov	[ebp+var_C8], ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_542A90

loc_542A9E:				; CODE XREF: MiCloneVads+2C5j
					; MiCloneVads+5AAj ...
		mov	esi, [edi+0Ch]
		shl	esi, 0Ch
		mov	ecx, esi
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	ecx, [edi+20h]
		and	ecx, 7FFFFFFFh
		mov	[ebp+var_FC], eax
		cmp	ecx, 0FFFFDh
		jnb	loc_542C19
		mov	ecx, edi
		call	_MiIsVadLargePrivate@4 ; MiIsVadLargePrivate(x)
		test	eax, eax
		jnz	loc_542C19
		mov	eax, [edi+10h]
		shr	esi, 9
		sub	esi, 40000000h
		and	eax, 0FFFFFh
		lea	edi, ds:0C0000000h[eax*8]
		mov	[ebp+var_F8], edi

loc_542AF3:				; CODE XREF: MiCloneVads+441j
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		mov	ecx, [ebp+var_E0]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	loc_542D99
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	loc_542D99

loc_542B1E:				; CODE XREF: MiCloneVads+5EAj
		push	[ebp+var_DC]
		lea	eax, [ebp+var_EC]
		mov	edx, esi
		push	[ebp+var_CC]
		lea	ecx, [ebp+var_C0]
		push	eax
		push	edi
		call	MiUpdateForkMaps
		mov	edx, [ebp+var_D8]
		mov	esi, eax
		mov	ecx, [edx+1Ch]
		mov	eax, ecx
		and	eax, 70h
		cmp	al, 50h
		jz	loc_542BFF
		cmp	esi, edi
		ja	loc_542C07
		mov	eax, [ebp+var_F8]
		mov	edi, esi
		and	edi, 0FFFFF000h
		add	edi, 0FF8h
		cmp	edi, eax
		jbe	short loc_542B79
		mov	edi, eax

loc_542B79:				; CODE XREF: MiCloneVads+3B5j
		mov	eax, [ebp+var_B4]
		sub	eax, esi
		mov	[ebp+var_114], eax

loc_542B87:				; CODE XREF: MiCloneVads+42Ej
		lea	ecx, [ebp+var_104]
		add	eax, esi
		push	ecx
		lea	ecx, [ebp+var_10C]
		push	ecx
		push	[ebp+var_DC]
		lea	ecx, [ebp+var_A0]
		push	[ebp+arg_8]
		push	edx
		push	[ebp+var_FC]
		mov	edx, [ebp+var_C4]
		push	ecx
		push	[ebp+var_A8]
		lea	ecx, [ebp+var_EC]
		push	ecx
		mov	ecx, [ebp+var_CC]
		push	ebx
		push	[ebp+var_110]
		push	eax
		push	esi
		call	_MiBuildForkPte@60 ; MiBuildForkPte(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	loc_542D56

loc_542BDD:				; CODE XREF: MiCloneVads+599j
		mov	eax, [ebp+var_114]
		add	esi, 8
		mov	edx, [ebp+var_D8]
		cmp	esi, edi
		jbe	short loc_542B87
		mov	eax, [ebp+var_118]
		mov	edi, [ebp+var_F8]
		mov	ecx, [eax+1Ch]

loc_542BFF:				; CODE XREF: MiCloneVads+391j
		cmp	esi, edi
		jbe	loc_542AF3

loc_542C07:				; CODE XREF: MiCloneVads+399j
		and	ecx, 300000h
		cmp	ecx, 300000h
		jz	loc_542D89

loc_542C19:				; CODE XREF: MiCloneVads+300j
					; MiCloneVads+30Fj ...
		mov	edx, [ebp+var_C8]
		test	edx, edx
		jnz	loc_542A60
		mov	edi, [ebp+var_CC]
		mov	esi, [ebp+var_C4]

loc_542C33:				; CODE XREF: MiCloneVads+29Aj
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		lea	ecx, [ebp+var_C0]
		call	_MiFreeForkMaps@4 ; MiFreeForkMaps(x)
		mov	edx, [ebp+var_D0]
		sub	ebx, [ebp+var_F4]
		mov	eax, [ebp+var_EC]
		sar	ebx, 4
		mov	ecx, [edx+1Ch]
		add	[esi+14Ch], eax
		mov	eax, [esi+14Ch]
		mov	[ebp+var_EC], eax
		mov	[ebp+var_D8], ebx
		test	ebx, ebx
		jz	loc_542EE4
		mov	[ecx], ebx
		mov	[edx+18h], ebx
		mov	[edx+14h], ebx

loc_542C89:				; CODE XREF: MiCloneVads+731j
		mov	eax, [edi+148h]
		xor	edx, edx
		mov	esi, [ebp+var_D4]
		mov	[ebp+var_D4], esi
		mov	[ebp+var_C8], edx
		test	eax, eax
		jz	short loc_542CBE
		jmp	short loc_542CB0
; 
		align 10h

loc_542CB0:				; CODE XREF: MiCloneVads+4E7j
					; MiCloneVads+4FCj
		mov	edx, eax
		mov	[ebp+var_C8], eax
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_542CB0

loc_542CBE:				; CODE XREF: MiCloneVads+4E5j
		test	edx, edx
		jz	loc_542DDE

loc_542CC6:				; CODE XREF: MiCloneVads+612j
		cmp	dword ptr [edx+18h], 0
		jz	short loc_542D21
		mov	eax, [edx+1Ch]
		add	eax, 4
		lock inc dword ptr [eax]
		mov	eax, [ebp+var_E8]
		mov	ecx, 0Ch
		add	eax, [esi+20h]
		mov	ebx, [esi]
		mov	esi, edx
		mov	[ebp+var_E8], eax
		mov	eax, [ebp+var_F0]
		add	eax, [edx+20h]
		mov	edx, [ebp+var_D4]
		mov	edi, edx
		rep movsd
		mov	ecx, [ebp+var_C4]
		push	0
		mov	[ebp+var_F0], eax
		call	MiInsertClone
		mov	edx, [ebp+var_C8]
		mov	esi, ebx
		mov	[ebp+var_D4], esi

loc_542D21:				; CODE XREF: MiCloneVads+50Aj
		mov	eax, [edx+4]
		mov	ecx, edx
		test	eax, eax
		jnz	loc_542DAF
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		mov	[ebp+var_C8], edx
		jz	loc_542DD0

loc_542D40:				; CODE XREF: MiCloneVads+58Cj
		cmp	[edx], ecx
		jz	short loc_542D4E
		mov	ecx, edx
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		jnz	short loc_542D40

loc_542D4E:				; CODE XREF: MiCloneVads+582j
		mov	[ebp+var_C8], edx
		jmp	short loc_542DD0
; 

loc_542D56:				; CODE XREF: MiCloneVads+417j
		add	ebx, 10h
		jmp	loc_542BDD
; 

loc_542D5E:				; CODE XREF: MiCloneVads+2B5j
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		mov	[ebp+var_C8], edx
		jz	loc_542A9E

loc_542D70:				; CODE XREF: MiCloneVads+5BCj
		cmp	[edx], ecx
		jz	short loc_542D7E
		mov	ecx, edx
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		jnz	short loc_542D70

loc_542D7E:				; CODE XREF: MiCloneVads+5B2j
		mov	[ebp+var_C8], edx
		jmp	loc_542A9E
; 

loc_542D89:				; CODE XREF: MiCloneVads+453j
		mov	ecx, [ebp+var_FC]
		call	_MiCloneWriteWatch@8 ; MiCloneWriteWatch(x,x)
		jmp	loc_542C19
; 

loc_542D99:				; CODE XREF: MiCloneVads+34Bj
					; MiCloneVads+358j
		mov	dl, byte ptr [ebp+var_DC]
		mov	ecx, [ebp+var_E0]
		call	_MiRelockWorkingSetExclusive@8 ; MiRelockWorkingSetExclusive(x,x)
		jmp	loc_542B1E
; 

loc_542DAF:				; CODE XREF: MiCloneVads+568j
		mov	edx, eax
		mov	[ebp+var_C8], edx
		mov	ecx, [edx]
		test	ecx, ecx
		jz	short loc_542DD0
		lea	ecx, [ecx+0]

loc_542DC0:				; CODE XREF: MiCloneVads+60Ej
		mov	eax, [ecx]
		mov	edx, ecx
		mov	[ebp+var_C8], edx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_542DC0

loc_542DD0:				; CODE XREF: MiCloneVads+57Aj
					; MiCloneVads+594j ...
		test	edx, edx
		jnz	loc_542CC6
		mov	ebx, [ebp+var_D8]

loc_542DDE:				; CODE XREF: MiCloneVads+500j
		xor	edi, edi

loc_542DE0:				; CODE XREF: MiCloneVads+98871j
		mov	esi, [ebp+var_E0]
		mov	ecx, esi
		mov	dl, byte ptr [ebp+var_DC]
		call	MiUnlockWorkingSetExclusive
		mov	edx, [ebp+var_E4]
		mov	eax, [edx+80h]
		mov	ecx, [eax+24Ch]
		dec	word ptr [edx+13Eh]
		nop
		add	ecx, 0A4h
		xor	edx, edx
		call	ExAcquireAutoExpandPushLockExclusive
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		jz	loc_5DB036
		mov	esi, [ebp+var_100]

loc_542E2D:				; CODE XREF: MiCloneVads+9887Bj
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	dl, byte ptr [ebp+var_DC]
		mov	ecx, [ebp+var_E0]
		mov	dword ptr [esi+4], 0
		mov	esi, [ebp+var_CC]
		mov	dword ptr [esi+140h], 0
		call	MiUnlockWorkingSetExclusive
		mov	ecx, [ebp+var_E4]
		call	_MiUnlockAweVadsExclusive@4 ; MiUnlockAweVadsExclusive(x)
		mov	eax, [ebp+var_D4]
		test	eax, eax
		jnz	loc_542EF6

loc_542E74:				; CODE XREF: MiCloneVads+765j
		mov	edx, [ebp+var_E8]
		mov	eax, [ebp+var_C4]
		cmp	edx, [ebp+var_F0]
		ja	loc_542F2A

loc_542E8C:				; CODE XREF: MiCloneVads+770j
					; MiCloneVads+792j
		mov	edx, [ebp+var_10C]
		test	edx, edx
		jz	short loc_542E9D
		mov	ecx, eax
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)

loc_542E9D:				; CODE XREF: MiCloneVads+6D4j
		mov	edx, [ebp+var_108]
		test	edx, edx
		jz	short loc_542EB2
		mov	ecx, [ebp+var_C4]
		call	_MiReturnFullProcessCharges@8 ;	MiReturnFullProcessCharges(x,x)

loc_542EB2:				; CODE XREF: MiCloneVads+6E5j
		test	ebx, ebx
		jz	loc_542F57
		test	edi, edi
		js	loc_542F57

loc_542EC2:				; CODE XREF: MiCloneVads+7A4j
		cmp	[ebp+var_104], 1
		jz	loc_5DB040

loc_542ECF:				; CODE XREF: MiCloneVads+9888Cj
		mov	eax, edi

loc_542ED1:				; CODE XREF: MiCloneVads+988C5j
					; MiCloneVads+988DDj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_542EE4:				; CODE XREF: MiCloneVads+4BBj
		push	edx
		lea	eax, [edi+148h]
		push	eax
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		jmp	loc_542C89
; 

loc_542EF6:				; CODE XREF: MiCloneVads+6AEj
		mov	ebx, [ebp+var_E8]
		lea	esp, [esp+0]

loc_542F00:				; CODE XREF: MiCloneVads+751j
		add	ebx, [eax+20h]
		mov	esi, [eax]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_542F00
		mov	esi, [ebp+var_CC]
		mov	[ebp+var_E8], ebx
		mov	ebx, [ebp+var_D8]
		jmp	loc_542E74
; 

loc_542F2A:				; CODE XREF: MiCloneVads+6C6j
		cmp	eax, ds:_PsInitialSystemProcess
		jz	loc_542E8C
		sub	edx, [ebp+var_F0]
		mov	ecx, [eax+188h]
		push	edx
		push	0
		mov	edx, eax
		call	PspReturnQuota
		mov	eax, [ebp+var_C4]
		jmp	loc_542E8C
; 

loc_542F57:				; CODE XREF: MiCloneVads+6F4j
					; MiCloneVads+6FCj
		mov	edx, [ebp+var_D0]
		mov	ecx, esi
		call	_MiFreeCloneDescriptor@8 ; MiFreeCloneDescriptor(x,x)
		jmp	loc_542EC2
MiCloneVads	endp

; 
		align 10h

; __stdcall MiBuildForkPte(x, x, x, x, x, x, x,	x, x, x, x, x, x, x, x)
_MiBuildForkPte@60:			; CODE XREF: MiCloneVads+410p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B0h
		xor	eax, eax
		mov	[ebp-10h], ecx
		mov	[ebp-54h], eax
		mov	[ebp-50h], eax
		mov	[ebp-4Ch], eax
		mov	eax, [ebp+8]
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax]
		mov	[ebp-58h], edx
		mov	dword ptr [ebp-30h], 0
		nop
		mov	eax, [eax+4]
		mov	[ebp-0Ch], ecx
		or	ecx, eax
		mov	[ebp-8], eax
		jnz	short loc_542FF4
		mov	ecx, [ebp+10h]
		test	ecx, ecx
		jz	short loc_542FE9
		mov	eax, [ebp+28h]
		cmp	dword ptr [eax+20h], 0
		jge	short loc_542FE9
		mov	eax, [ebp+24h]
		mov	edx, [eax+1Ch]
		shr	edx, 7
		and	edx, 1Fh
		call	_MiFindZeroCloneBlock@8	; MiFindZeroCloneBlock(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_542FE9
		mov	ecx, [ebp+1Ch]
		mov	edx, 1
		call	_MiIncreaseUsedPtesCount@8 ; MiIncreaseUsedPtesCount(x,x)
		push	dword ptr [ebp+34h]
		push	dword ptr [ebp+0Ch]
		push	esi
		call	_MiWriteSharedDemandZeroPte@20 ; MiWriteSharedDemandZeroPte(x,x,x,x,x)

loc_542FE9:				; CODE XREF: .text:00542FAEj
					; .text:00542FB7j ...
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	34h
; 

loc_542FF4:				; CODE XREF: .text:00542FA7j
		mov	eax, large fs:124h
		mov	ecx, [ebp+1Ch]
		mov	eax, [eax+80h]
		mov	edx, [eax+24Ch]
		inc	word ptr [ecx]
		add	edx, 18h
		lea	eax, [edx+178h]
		cmp	ecx, eax
		jb	short loc_54303B
		lea	eax, [edx+0D78h]
		cmp	ecx, eax
		jnb	short loc_54303B
		sub	ecx, edx
		sub	ecx, 178h
		sar	ecx, 1
		sub	ecx, 40000h
		shl	ecx, 0Ch
		call	MmIsAddressValidEx

loc_54303B:				; CODE XREF: .text:00543017j
					; .text:00543021j
		mov	al, [ebp+30h]
		xor	ecx, ecx
		mov	edi, [ebp-8]
		mov	esi, [ebp-0Ch]
		mov	ebx, [ebp+30h]
		mov	dword ptr [ebp+28h], 0
		mov	dword ptr [ebp-24h], 0FFFFFFFFh
		mov	[ebp+1Fh], al

loc_54305A:				; CODE XREF: .text:005431ADj
					; .text:00543254j
		mov	edx, [ebp-10h]
		lea	ecx, [ecx+0]
		cmp	ecx, 1
		mov	ecx, [ebp+8]
		jnz	short loc_543086
		push	1
		push	ebx
		push	0
		xor	edx, edx
		call	MiMakeSystemAddressValid
		mov	ecx, [ebp+8]
		mov	esi, [ecx]
		nop
		mov	edi, [ecx+4]
		mov	edx, [ebp-10h]
		mov	[ebp-0Ch], esi
		mov	[ebp-8], edi

loc_543086:				; CODE XREF: .text:00543066j
		mov	eax, esi
		mov	dword ptr [ebp-28h], 1
		and	eax, 1
		or	eax, 0
		jz	loc_543259
		nop
		mov	edx, esi
		mov	eax, edi
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		cmp	dword ptr [ebp+28h], 0
		lea	ebx, [eax+ecx*4]
		mov	[ebp-14h], ebx
		jnz	loc_5431B2
		cmp	word ptr [ebx+14h], 1
		jbe	short loc_5430DE
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_5431B2

loc_5430DE:				; CODE XREF: .text:005430CDj
		mov	ecx, [ebp-10h]
		mov	edx, [ebp+8]
		shl	edx, 9
		mov	[ebp-18h], edx
		movzx	eax, byte ptr [ecx+2A0h]
		and	eax, 7
		mov	ecx, dword_6D2E68[eax*4]
		mov	eax, edx
		shr	eax, 0Ch
		add	ecx, eax
		mov	dl, [ecx]
		mov	al, dl
		and	al, 0Fh
		mov	[ebp+2Bh], al
		cmp	al, 0Ah
		jz	loc_543DF3
		mov	ecx, ebx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_5437F5
		mov	eax, [ebp+14h]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	dword ptr [ebp-3Ch], 0
		mov	dword ptr [ebp-38h], 0
		mov	ecx, [eax-40000000h]
		mov	[ebp-6Ch], ecx
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[ebp-38h], eax
		mov	[ebp-7Ch], ecx
		mov	[ebp-78h], eax
		nop
		mov	edx, ecx
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		cmp	byte ptr [ebp+2Bh], 8
		lea	ebx, [eax+ecx*4]
		mov	eax, ds:_ZeroPte
		mov	[ebp-1Ch], eax
		mov	eax, ds:dword_40F9FC
		mov	[ebp-20h], eax
		jnz	loc_543334
		mov	edx, 3
		mov	ecx, ebx
		call	_MiLockPageTablePage@8 ; MiLockPageTablePage(x,x)
		test	eax, eax
		jnz	loc_543334
		mov	ebx, [ebp+30h]
		mov	ecx, [ebp-28h]
		mov	dword ptr [ebp+28h], 1
		jmp	loc_54305A
; 

loc_5431B2:				; CODE XREF: .text:005430C2j
					; .text:005430D8j
		mov	ecx, [ebp-10h]
		lea	edx, [ebp-54h]
		push	0
		lea	ecx, [ecx+240h]
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	eax, [ebp-54h]
		mov	ecx, 1
		lock xadd [eax], ecx
		inc	ecx
		dec	ecx
		cmp	dword ptr [ebp-24h], 0FFFFFFFFh
		jnz	loc_543B47
		mov	edx, [ebp-50h]
		and	edx, ecx
		mov	ecx, offset _MiSystemPartition
		or	edx, [ebp-4Ch]
		push	0
		call	MiGetPage
		mov	ebx, eax
		mov	[ebp-24h], ebx
		cmp	ebx, 0FFFFFFFFh
		jnz	loc_543B44
		mov	ecx, [ebp+20h]
		call	MiFlushTbList
		mov	ebx, [ebp-10h]
		mov	dl, [ebp+1Fh]
		lea	ecx, [ebx+240h]
		call	MiUnlockWorkingSetExclusive
		mov	ecx, offset _MiSystemPartition
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		mov	al, [ebx+2A0h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_543235
		mov	ebx, offset unk_6D3C40
		jmp	short loc_54323B
; 

loc_543235:				; CODE XREF: .text:0054322Cj
		sub	ebx, 0FFFFFD40h

loc_54323B:				; CODE XREF: .text:00543233j
					; .text:00543327j ...
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	dword ptr [ebx+4], 0
		mov	[ebp+30h], al
		mov	ebx, [ebp+30h]
		mov	[ebp+1Fh], al

loc_543251:				; CODE XREF: .text:00543299j
		mov	ecx, [ebp-28h]
		jmp	loc_54305A
; 

loc_543259:				; CODE XREF: .text:00543095j
		mov	eax, esi
		and	eax, 400h
		or	eax, 0
		jnz	loc_543CCB
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jz	short loc_5432AD
		push	ecx
		push	dword ptr [ebp+34h]
		lea	eax, [ebp-24h]
		push	ebx
		push	dword ptr [ebp+2Ch]
		push	eax
		push	dword ptr [ebp+20h]
		push	dword ptr [ebp+18h]
		push	dword ptr [ebp+14h]
		push	dword ptr [ebp+0Ch]
		push	ecx
		mov	ecx, edx
		call	_MiHandleForkTransitionPte@48 ;	MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_543251
		xor	eax, eax
		cmp	ecx, 1
		setnz	al
		mov	[ebp+8], eax
		mov	esi, eax
		jmp	loc_543DBA
; 

loc_5432AD:				; CODE XREF: .text:00543273j
		mov	ebx, esi
		mov	eax, edi
		shrd	ebx, eax, 5
		push	edi
		push	esi
		and	ebx, 1Fh
		call	_IS_PTE_NOT_DEMAND_ZERO@8 ; IS_PTE_NOT_DEMAND_ZERO(x,x)
		test	eax, eax
		jz	loc_543C87
		cmp	ebx, 10h
		jz	loc_543C6E
		mov	eax, ebx
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jnz	loc_543B8A
		mov	ecx, [ebp+20h]
		call	MiFlushTbList
		mov	ebx, [ebp-10h]
		mov	dl, [ebp+1Fh]
		add	ebx, 240h
		mov	ecx, ebx
		call	MiUnlockWorkingSetExclusive
		mov	eax, [ebp+8]
		lea	edx, [ebp-74h]
		push	2Dh
		shl	eax, 9
		mov	ecx, 1
		push	ebx
		mov	[ebp-74h], eax
		mov	dword ptr [ebp-70h], 1000h
		call	MiPrefetchVirtualMemory
		mov	al, [ebx+60h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_54332C
		mov	ebx, offset unk_6D3C40
		jmp	loc_54323B
; 

loc_54332C:				; CODE XREF: .text:00543320j
		sub	ebx, 0FFFFFF80h
		jmp	loc_54323B
; 

loc_543334:				; CODE XREF: .text:00543186j
					; .text:0054319Aj
		mov	dword ptr [ebp-60h], 0
		add	ebx, 10h
		lock bts dword ptr [ebx], 1Fh
		jnb	short loc_54335F

loc_543345:				; CODE XREF: .text:00543350j
					; .text:00543357j
		lea	ecx, [ebp-60h]
		call	KeYieldProcessorEx
		cmp	dword ptr [ebx], 0
		jl	short loc_543345
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_543345
		mov	edi, [ebp-8]
		mov	esi, [ebp-0Ch]

loc_54335F:				; CODE XREF: .text:00543343j
		mov	eax, [ebx]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 3FFFFFFFh
		xor	ecx, eax
		mov	eax, 7FFFFFFFh
		mov	[ebx], ecx
		lock and [ebx],	eax
		mov	edx, [ebp-14h]
		mov	eax, esi
		and	eax, 42h
		or	eax, 0
		jz	loc_54343B
		mov	ebx, [ebp+24h]
		mov	eax, [ebx+1Ch]
		and	eax, 300000h
		cmp	eax, 300000h
		jnz	short loc_5433B5
		mov	ecx, edx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_5433B5
		mov	edx, [ebp-18h]
		mov	ecx, [ebp-10h]
		push	ebx
		call	_MiCaptureWriteWatchDirtyBit@12	; MiCaptureWriteWatchDirtyBit(x,x,x)
		mov	edx, [ebp-14h]

loc_5433B5:				; CODE XREF: .text:00543399j
					; .text:005433A4j
		mov	dword ptr [ebp-64h], 0
		lea	ebx, [edx+10h]
		lock bts dword ptr [ebx], 1Fh
		jnb	short loc_5433E3

loc_5433C6:				; CODE XREF: .text:005433D1j
					; .text:005433D8j
		lea	ecx, [ebp-64h]
		call	KeYieldProcessorEx
		cmp	dword ptr [ebx], 0
		jl	short loc_5433C6
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_5433C6
		mov	edi, [ebp-8]
		mov	esi, [ebp-0Ch]
		mov	edx, [ebp-14h]

loc_5433E3:				; CODE XREF: .text:005433C4j
		mov	ch, [edx+16h]
		mov	dword ptr [ebp-1Ch], 0
		mov	dword ptr [ebp-20h], 0
		test	ch, 10h
		jnz	short loc_543430
		lea	eax, [edx+8]
		mov	cl, ch
		mov	[ebp+30h], eax
		mov	eax, [eax]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_54342A
		test	ch, 8
		jnz	short loc_54342A
		mov	ecx, [ebp+30h]
		lea	edx, [eax+1]
		push	eax
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	[ebp-20h], edx
		mov	edx, [ebp-14h]
		mov	[ebp-1Ch], eax
		mov	cl, [edx+16h]

loc_54342A:				; CODE XREF: .text:0054340Bj
					; .text:00543410j
		or	cl, 10h
		mov	[edx+16h], cl

loc_543430:				; CODE XREF: .text:005433F7j
		and	esi, 0FFFFFFBDh
		mov	[ebp-8], edi
		mov	[ebp-0Ch], esi
		jmp	short loc_54346D
; 

loc_54343B:				; CODE XREF: .text:00543383j
		mov	dword ptr [ebp-68h], 0
		lea	ebx, [edx+10h]
		lock bts dword ptr [ebx], 1Fh
		jnb	short loc_54346D
		lea	esp, [esp+0]

loc_543450:				; CODE XREF: .text:0054345Bj
					; .text:00543462j
		lea	ecx, [ebp-68h]
		call	KeYieldProcessorEx
		cmp	dword ptr [ebx], 0
		jl	short loc_543450
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_543450
		mov	edi, [ebp-8]
		mov	esi, [ebp-0Ch]
		mov	edx, [ebp-14h]

loc_54346D:				; CODE XREF: .text:00543439j
					; .text:0054344Aj
		mov	eax, [edx+8]
		mov	ecx, [edx+0Ch]
		mov	[ebp+24h], ecx
		mov	ecx, eax
		mov	[ebp+30h], eax
		mov	eax, [ebp+24h]
		shrd	ecx, eax, 1
		test	cl, 1
		jz	loc_54350B
		mov	ecx, [ebp+30h]
		shrd	ecx, eax, 0Ch
		mov	dword ptr [ebp+10h], 2
		and	ecx, 0Fh
		mov	eax, dword_6D5D94[ecx*4]
		mov	[ebp+28h], eax
		mov	eax, [ebp-1Ch]
		or	eax, [ebp-20h]
		jz	short loc_5434B5
		mov	dword ptr [ebp+10h], 3

loc_5434B5:				; CODE XREF: .text:005434ACj
		mov	edx, dword_6D0704
		mov	eax, dword_6D0700
		mov	ecx, [ebp+24h]
		or	eax, edx
		mov	[ebp+18h], edx
		mov	edx, [ebp-14h]
		jz	short loc_5434DE
		mov	eax, [ebp+30h]
		and	eax, 10h
		or	eax, 0
		jnz	short loc_5434DE
		not	dword ptr [ebp+18h]
		and	ecx, [ebp+18h]

loc_5434DE:				; CODE XREF: .text:005434CBj
					; .text:005434D6j
		mov	eax, [edx+0Ch]
		push	eax
		mov	eax, [edx+8]
		mov	edx, ecx
		mov	ecx, [ebp+28h]
		push	eax
		push	dword ptr [ebp+10h]
		call	_MiTransferSoftwarePte@20 ; MiTransferSoftwarePte(x,x,x,x,x)
		mov	[ebp-1Ch], eax
		mov	eax, [ebp+30h]
		mov	[ebp-20h], edx
		and	eax, 0FFFFFFFDh
		mov	edx, [ebp-14h]
		mov	[edx+8], eax
		mov	eax, [ebp+24h]
		mov	[edx+0Ch], eax

loc_54350B:				; CODE XREF: .text:00543485j
		mov	eax, [ebp+14h]
		or	dword ptr [edx+18h], 80000000h
		mov	[edx+4], eax
		nop
		mov	eax, [ebp-6Ch]
		mov	ecx, [ebp-38h]
		shrd	eax, ecx, 0Ch
		xor	eax, [edx+18h]
		and	eax, offset loc_7FFFFF
		xor	[edx+18h], eax
		mov	ecx, [edx+8]
		nop
		mov	eax, [edx+0Ch]
		mov	[ebp+30h], eax
		mov	eax, ecx
		and	eax, 80h
		or	eax, 0
		jz	short loc_543551
		or	ecx, 20h
		mov	[edx+8], ecx
		nop
		mov	eax, [ebp+30h]
		mov	[edx+0Ch], eax

loc_543551:				; CODE XREF: .text:00543542j
		mov	ecx, [edx+8]
		mov	eax, [edx+0Ch]
		shrd	ecx, eax, 5
		mov	eax, 7FFFFFFFh
		mov	[ebp+24h], ecx
		lock and [ebx],	eax
		mov	edx, [ebp-1Ch]
		mov	eax, edx
		mov	ecx, [ebp-20h]
		or	eax, ecx
		jz	short loc_543583
		push	ecx
		push	edx
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_543583:				; CODE XREF: .text:00543570j
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jz	short loc_5435A1
		and	esi, 0FFFFF7FFh
		mov	[ebp-8], edi
		or	esi, 200h
		mov	[ebp-0Ch], esi

loc_5435A1:				; CODE XREF: .text:0054358Dj
		nop
		mov	eax, [ebp+8]
		mov	edx, [ebp-18h]
		mov	ecx, [ebp+20h]
		push	0
		mov	[eax], esi
		push	1
		mov	[eax+4], edi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	ebx, [ebp+14h]
		xor	edx, edx
		mov	dword ptr [ebx], 0
		mov	dword ptr [ebx+4], 0
		cmp	dword_6D07D0, 0C0000000h
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	eax, 0C0603018h
		cmp	ebx, 0C0603000h
		jb	short loc_54363D
		cmp	ebx, eax
		jnb	short loc_54363D
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_54360D
		cmp	byte ptr word_6D07B8+1,	0
		mov	edx, 1
		jnz	short loc_54363D
		mov	eax, esi
		and	eax, edx
		or	eax, 0
		jz	short loc_54363D
		jmp	short loc_543637
; 

loc_54360D:				; CODE XREF: .text:005435F2j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_54363D
		mov	ecx, [ebp-0Ch]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_54363D
		mov	edi, [ebp-8]
		mov	esi, ecx

loc_543637:				; CODE XREF: .text:0054360Bj
		or	edi, 80000000h

loc_54363D:				; CODE XREF: .text:005435E5j
					; .text:005435E9j ...
		mov	[ebx+4], edi
		nop
		mov	[ebx], esi
		test	edx, edx
		jz	short loc_543650
		push	edi
		push	esi
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_543650:				; CODE XREF: .text:00543645j
		mov	edi, [ebp-18h]
		mov	edx, edi
		mov	dword ptr [ebx+0Ch], 2
		mov	ebx, [ebp-10h]
		add	ebx, 240h
		shr	edx, 0Ch
		movzx	eax, byte ptr [ebx+60h]
		and	eax, 7
		mov	eax, dword_6D2E68[eax*4]
		mov	[ebp+8], eax
		lea	esi, [eax+edx]
		mov	al, [esi]
		mov	cl, al
		and	cl, 0Fh
		cmp	cl, 0Ah
		jz	loc_543DE4
		mov	ecx, [ebp+8]
		and	al, 8Fh
		mov	[ecx+edx], al
		xor	edx, edx
		mov	eax, [ebp-14h]
		or	edx, 400h
		mov	ecx, dword_6D0700
		mov	[ebp+30h], ecx
		mov	esi, [eax+4]
		mov	eax, dword_6D0704
		or	esi, 80000000h
		mov	[ebp+8], eax
		mov	eax, ecx
		or	eax, [ebp+8]
		jz	short loc_5436D6
		mov	eax, [ebp+8]
		and	ecx, edx
		and	eax, esi
		or	ecx, eax
		jnz	short loc_5436D3
		or	edx, [ebp+30h]
		or	esi, [ebp+8]
		jmp	short loc_5436D6
; 

loc_5436D3:				; CODE XREF: .text:005436C9j
		or	edx, 10h

loc_5436D6:				; CODE XREF: .text:005436BEj
					; .text:005436D1j
		test	byte ptr [ebp+2Ch], 1
		mov	[ebp-0Ch], edx
		mov	[ebp-8], esi
		jz	short loc_543711
		mov	eax, [ebp+34h]
		or	edx, 8
		mov	ecx, [ebp+14h]
		mov	edi, offset dword_6D5F64
		mov	[ebp-0Ch], edx
		mov	[ebp-8], esi
		inc	dword ptr [eax+4]
		mov	eax, 1
		mov	dword ptr [ecx+8], 1
		lock xadd [edi], eax
		mov	eax, [ecx+8]
		mov	edi, [ebp-18h]
		jmp	short loc_543713
; 

loc_543711:				; CODE XREF: .text:005436E0j
		xor	eax, eax

loc_543713:				; CODE XREF: .text:0054370Fj
		mov	ecx, [ebp+24h]
		and	eax, 7FFFFFFh
		shl	ecx, 1Bh
		or	eax, ecx
		mov	ecx, [ebp+14h]
		mov	[ecx+8], eax
		mov	eax, [ebp+0Ch]
		mov	[eax], edx
		nop
		mov	[eax+4], esi
		or	ecx, 0FFFFFFFFh
		mov	eax, [ebp-10h]
		add	eax, 14Ch
		lock xadd [eax], ecx
		mov	al, [ebx+60h]
		and	al, 7
		mov	dword ptr [ebp-40h], 0
		cmp	al, 2
		mov	eax, offset unk_6D3C80
		jz	short loc_543759
		lea	eax, [ebx+0C0h]

loc_543759:				; CODE XREF: .text:00543751j
		test	ds:byte_70EFC6,	21h
		mov	[ebp-44h], eax
		mov	dword ptr [ebp-48h], 0
		jz	short loc_543778
		mov	edx, eax
		lea	ecx, [ebp-48h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_543789
; 

loc_543778:				; CODE XREF: .text:0054376Aj
		lea	edx, [ebp-48h]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_543789
		lea	ecx, [ebp-48h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_543789:				; CODE XREF: .text:00543776j
					; .text:0054377Fj
		dec	dword ptr [ebx+4Ch]
		lea	eax, [edi+40000000h]
		cmp	eax, offset loc_7FFFFF
		jbe	short loc_54379C
		dec	dword ptr [ebx+44h]

loc_54379C:				; CODE XREF: .text:00543797j
		test	ds:byte_70EFC6,	1
		jz	short loc_5437BA
		mov	edx, [ebp+4]
		lea	ecx, [ebp-48h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		mov	esi, 1
		jmp	loc_543DBA
; 

loc_5437BA:				; CODE XREF: .text:005437A3j
		mov	eax, [ebp-48h]
		test	eax, eax
		jnz	short loc_5437D9
		mov	edx, [ebp-44h]
		lea	eax, [ebp-48h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-48h]
		cmp	eax, ecx
		jz	short loc_5437EB
		call	KxWaitForLockChainValid

loc_5437D9:				; CODE XREF: .text:005437BFj
		mov	dword ptr [ebp-48h], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_5437EB:				; CODE XREF: .text:005437D2j
		mov	esi, 1
		jmp	loc_543DBA
; 

loc_5437F5:				; CODE XREF: .text:0054311Cj
		mov	eax, [ebp-18h]
		mov	edi, [ebx+4]
		shr	eax, 9
		or	edi, 80000000h
		and	eax, offset loc_7FFFF8
		nop
		movzx	ecx, dl
		shr	ecx, 4
		and	ecx, 7
		jz	short loc_54386A
		mov	edx, [eax-40000000h]
		mov	eax, [eax-3FFFFFFCh]
		mov	[ebp-38h], eax
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_54383D
		mov	eax, edx
		and	eax, 8
		or	eax, 0
		jz	short loc_54383D
		or	ecx, 18h
		jmp	short loc_543848
; 

loc_54383D:				; CODE XREF: .text:0054382Cj
					; .text:00543836j
		and	edx, 10h
		or	edx, 0
		jz	short loc_543848
		or	ecx, 8

loc_543848:				; CODE XREF: .text:0054383Bj
					; .text:00543843j
		test	ecx, ecx
		jz	short loc_54386A
		or	ecx, 0F8000020h
		or	eax, 0FFFFFFFFh
		shld	eax, ecx, 5
		shl	ecx, 5
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebx+18h]
		mov	esi, eax
		jmp	short loc_5438CA
; 

loc_54386A:				; CODE XREF: .text:00543813j
					; .text:0054384Aj
		mov	eax, dword_6D0704
		xor	esi, esi
		mov	ecx, dword_6D0700
		or	esi, 400h
		mov	[ebp+30h], eax
		mov	edx, edi
		mov	eax, ecx
		mov	[ebp+14h], ecx
		or	eax, [ebp+30h]
		jz	short loc_5438A2
		mov	eax, [ebp+30h]
		and	ecx, esi
		and	eax, edx
		or	ecx, eax
		jnz	short loc_54389F
		or	esi, [ebp+14h]
		or	edx, [ebp+30h]
		jmp	short loc_5438A2
; 

loc_54389F:				; CODE XREF: .text:00543895j
		or	esi, 10h

loc_5438A2:				; CODE XREF: .text:0054388Aj
					; .text:0054389Dj
		mov	eax, [ebx+18h]
		mov	ecx, eax
		mov	[ebp-0Ch], esi
		mov	[ebp-8], edx
		test	eax, (offset loc_7FFFFF+1)
		jnz	short loc_5438D0
		mov	ecx, [ebx+4]
		mov	[ebp+30h], ecx
		mov	ecx, eax
		cmp	dword ptr [ebp+30h], 0
		jl	short loc_5438D0
		jz	short loc_5438D0
		or	esi, 800h

loc_5438CA:				; CODE XREF: .text:00543868j
		mov	[ebp-8], edx
		mov	[ebp-0Ch], esi

loc_5438D0:				; CODE XREF: .text:005438B2j
					; .text:005438C0j ...
		test	ecx, (offset loc_7FFFFF+1)
		jnz	short loc_5438F8
		mov	eax, [ebx+4]
		test	eax, eax
		js	short loc_5438F8
		jz	short loc_5438F8
		lock inc dword ptr [edi-8]
		mov	ecx, offset dword_6D5D38
		mov	eax, 1
		lock xadd [ecx], eax
		jmp	loc_543B36
; 

loc_5438F8:				; CODE XREF: .text:005438D6j
					; .text:005438DDj ...
		mov	eax, large fs:124h
		push	30h
		push	0
		mov	esi, [eax+80h]
		lea	eax, [ebp-0ACh]
		push	eax
		call	_memset
		mov	eax, [esi+148h]
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_543949
		mov	[ebp-0A0h], edi
		mov	[ebp-9Ch], edi
		lea	ecx, [ecx+0]

loc_543930:				; CODE XREF: .text:00543947j
		cmp	edi, [eax+10h]
		ja	short loc_543942
		cmp	edi, [eax+0Ch]
		jnb	loc_5439EF
		mov	eax, [eax]
		jmp	short loc_543945
; 

loc_543942:				; CODE XREF: .text:00543933j
		mov	eax, [eax+4]

loc_543945:				; CODE XREF: .text:00543940j
		test	eax, eax
		jnz	short loc_543930

loc_543949:				; CODE XREF: .text:0054391Fj
					; .text:005439F1j ...
		mov	edi, [ebx+8]
		mov	eax, edi
		mov	esi, [ebx+0Ch]
		and	eax, 400h
		or	eax, 0
		jz	short loc_543984
		mov	ecx, dword_6D0700
		mov	eax, ecx
		mov	edx, dword_6D0704
		or	eax, edx
		jz	short loc_54397B
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_54397B
		not	edx
		and	esi, edx

loc_54397B:				; CODE XREF: .text:0054396Bj
					; .text:00543975j
		cmp	esi, 0FFFFFFFFh
		jz	loc_543B30

loc_543984:				; CODE XREF: .text:00543959j
		mov	esi, [ebp+24h]
		mov	ecx, [esi+1Ch]
		mov	eax, ecx
		and	al, 70h
		cmp	al, 20h
		jnz	loc_543B30
		test	ecx, 100000h
		jz	short loc_5439BC
		test	ecx, 400000h
		jnz	loc_543B30
		and	ecx, 0C0000h
		cmp	ecx, 80000h
		jnb	loc_543B30

loc_5439BC:				; CODE XREF: .text:0054399Cj
		mov	eax, [esi+28h]
		test	eax, 1000000h
		jnz	loc_543B30
		mov	ecx, [ebp-10h]
		mov	dword ptr [ebp-2Ch], 0
		mov	eax, [ecx+180h]
		test	eax, eax
		jz	short loc_543A4C
		test	dword ptr [ecx+3A8h], 1000h
		jnz	short loc_543A4C
		mov	eax, [eax+8]
		jmp	short loc_543A4F
; 

loc_5439EF:				; CODE XREF: .text:00543938j
		test	eax, eax
		jz	loc_543949
		mov	eax, [eax+1Ch]
		mov	ecx, [eax+0Ch]
		lock inc dword ptr [edi+0Ch]
		test	byte ptr [ebp+2Ch], 1
		jz	loc_543949
		mov	edx, 1
		mov	eax, edx
		lock xadd [edi+8], eax
		inc	eax
		and	eax, 7FFFFFFh
		cmp	eax, edx
		mov	eax, [ebp+34h]
		jnz	short loc_543A33
		inc	dword ptr [eax+4]
		lea	eax, [ecx+1124h]
		lock xadd [eax], edx
		jmp	short loc_543A35
; 

loc_543A33:				; CODE XREF: .text:00543A22j
		inc	dword ptr [eax]

loc_543A35:				; CODE XREF: .text:00543A31j
		mov	esi, [ebp-0Ch]
		mov	edx, [ebp-8]
		or	esi, 8
		mov	[ebp-30h], edi
		mov	[ebp-0Ch], esi
		mov	[ebp-8], edx
		jmp	loc_543B36
; 

loc_543A4C:				; CODE XREF: .text:005439DCj
					; .text:005439E8j
		or	eax, 0FFFFFFFFh

loc_543A4F:				; CODE XREF: .text:005439EDj
		mov	edx, [ebp-58h]
		mov	[ebp+30h], eax
		mov	ebx, [edx+180h]
		test	ebx, ebx
		jz	short loc_543A70
		test	dword ptr [edx+3A8h], 1000h
		jnz	short loc_543A70
		mov	ebx, [ebx+8]
		jmp	short loc_543A73
; 

loc_543A70:				; CODE XREF: .text:00543A5Dj
					; .text:00543A69j
		or	ebx, 0FFFFFFFFh

loc_543A73:				; CODE XREF: .text:00543A6Ej
		cmp	eax, ebx
		jnz	short loc_543A88
		mov	esi, ds:_ZeroPte
		mov	edx, ds:dword_40F9FC
		jmp	loc_543B22
; 

loc_543A88:				; CODE XREF: .text:00543A75j
		mov	eax, [esi+2Ch]
		mov	[ebp-2Ch], eax
		mov	eax, [eax]
		mov	[ebp+14h], eax
		test	dword ptr [eax+1Ch], 4000000h
		jnz	short loc_543AAA
		mov	esi, ds:_ZeroPte
		mov	edx, ds:dword_40F9FC
		jmp	short loc_543B22
; 

loc_543AAA:				; CODE XREF: .text:00543A9Aj
		mov	edx, [ebp+8]
		lea	eax, [ebp-2Ch]
		push	eax
		shr	edx, 3
		mov	ecx, esi
		push	0
		and	edx, 0FFFFFh
		call	MiGetProtoPteAddress
		mov	edi, eax
		test	edi, edi
		jnz	short loc_543AD7
		mov	esi, ds:_ZeroPte
		mov	edx, ds:dword_40F9FC
		jmp	short loc_543B22
; 

loc_543AD7:				; CODE XREF: .text:00543AC7j
		mov	eax, [ebp-2Ch]
		test	byte ptr [eax+12h], 2
		jnz	short loc_543AEE
		mov	esi, ds:_ZeroPte
		mov	edx, ds:dword_40F9FC
		jmp	short loc_543B22
; 

loc_543AEE:				; CODE XREF: .text:00543ADEj
		mov	edx, [ebp+30h]
		mov	ecx, [ebp+14h]
		push	eax
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		push	dword ptr [ebp-2Ch]
		mov	ecx, [ebp+14h]
		mov	edx, ebx
		mov	esi, [eax+24h]
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		sub	edi, esi
		and	edi, 0FFFFFFF8h
		add	edi, [eax+24h]
		xor	eax, eax
		or	eax, 400h
		push	edi
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	esi, eax

loc_543B22:				; CODE XREF: .text:00543A83j
					; .text:00543AA8j ...
		mov	eax, esi
		or	eax, edx
		jz	short loc_543B30
		mov	[ebp-0Ch], esi
		mov	[ebp-8], edx
		jmp	short loc_543B36
; 

loc_543B30:				; CODE XREF: .text:0054397Ej
					; .text:00543990j ...
		mov	edx, [ebp-8]
		mov	esi, [ebp-0Ch]

loc_543B36:				; CODE XREF: .text:005438F3j
					; .text:00543A47j ...
		mov	eax, [ebp+0Ch]
		mov	[eax], esi
		nop
		mov	[eax+4], edx
		jmp	loc_543DB8
; 

loc_543B44:				; CODE XREF: .text:005431F9j
		mov	ebx, [ebp-14h]

loc_543B47:				; CODE XREF: .text:005431D7j
		movzx	edx, byte ptr [ebx+16h]
		mov	ebx, [ebp-24h]
		mov	eax, ds:_MmPfnDatabase
		push	0
		shr	edx, 6
		lea	esi, ds:0[ebx*8]
		sub	esi, ebx
		lea	ecx, [eax+esi*4]
		call	_MiFinalizePageAttribute@12 ; MiFinalizePageAttribute(x,x,x)
		mov	edx, [ebp+0Ch]
		mov	ecx, [ebp+8]
		push	21h
		push	dword ptr [ebp+30h]
		push	ebx
		call	_MiDuplicateCloneLeaf@20 ; MiDuplicateCloneLeaf(x,x,x,x,x)
		mov	eax, [ebp+18h]
		inc	dword ptr [eax]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	34h
; 

loc_543B8A:				; CODE XREF: .text:005432D8j
		lea	ecx, [ebp-0Ch]
		call	_MI_MAKE_PROTECT_WRITE_COPY@4 ;	MI_MAKE_PROTECT_WRITE_COPY(x)
		mov	esi, [ebp-0Ch]
		mov	ecx, esi
		mov	edi, [ebp-8]
		mov	eax, edi
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_543BC4
		mov	eax, esi
		mov	edx, 1
		and	eax, 0FFFFFFFBh
		mov	ecx, offset _MiSystemPartition
		push	edi
		push	eax
		call	MiReleasePageFileInfo
		and	esi, 0FFFFFFFDh
		mov	[ebp-8], edi
		mov	[ebp-0Ch], esi

loc_543BC4:				; CODE XREF: .text:00543BA3j
		mov	eax, [ebp+14h]
		mov	dword ptr [eax], 0
		mov	dword ptr [eax+4], 0
		mov	[eax], esi
		nop
		mov	esi, eax
		xor	eax, eax
		or	eax, 400h
		push	esi
		push	eax
		mov	[esi+4], edi
		mov	dword ptr [esi+0Ch], 2
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, eax
		mov	[ebp-8], edx
		mov	eax, [ebp+8]
		mov	[ebp-0Ch], ecx
		mov	[eax], ecx
		nop
		test	byte ptr [ebp+2Ch], 1
		mov	[eax+4], edx
		jz	short loc_543C36
		cmp	ebx, 18h
		jz	short loc_543C16
		or	ecx, 8
		mov	[ebp-8], edx
		mov	[ebp-0Ch], ecx

loc_543C16:				; CODE XREF: .text:00543C0Bj
		mov	eax, [ebp+34h]
		mov	edi, offset dword_6D5F64
		mov	dword ptr [esi+8], 1
		inc	dword ptr [eax+4]
		mov	eax, 1
		lock xadd [edi], eax
		mov	eax, [esi+8]
		jmp	short loc_543C3F
; 

loc_543C36:				; CODE XREF: .text:00543C06j
		mov	dword ptr [esi+8], 0
		xor	eax, eax

loc_543C3F:				; CODE XREF: .text:00543C34j
		and	eax, 7FFFFFFh
		shl	ebx, 1Bh
		or	eax, ebx
		mov	[esi+8], eax
		mov	eax, [ebp+0Ch]
		mov	[eax], ecx
		nop
		mov	[eax+4], edx
		or	ecx, 0FFFFFFFFh
		mov	eax, [ebp-10h]
		add	eax, 14Ch
		lock xadd [eax], ecx
		mov	esi, 1
		jmp	loc_543DBA
; 

loc_543C6E:				; CODE XREF: .text:005432CAj
		mov	ecx, esi
		mov	eax, edi
		shrd	ecx, eax, 1
		test	cl, 1
		jz	loc_543DAF
		and	esi, 0FFFFFFFDh
		jmp	loc_543DA9
; 

loc_543C87:				; CODE XREF: .text:005432C1j
		mov	ecx, esi
		mov	eax, edi
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_543C9D
		and	esi, 0FFFFFFFDh
		mov	[ebp-8], edi
		mov	[ebp-0Ch], esi

loc_543C9D:				; CODE XREF: .text:00543C92j
		mov	ecx, [ebp+10h]
		test	ecx, ecx
		jz	loc_543DAF
		mov	edx, ebx
		call	_MiFindZeroCloneBlock@8	; MiFindZeroCloneBlock(x,x)
		mov	[ebp-30h], eax
		test	eax, eax
		jz	loc_543DAF
		push	dword ptr [ebp+34h]
		push	dword ptr [ebp+0Ch]
		push	eax
		call	_MiWriteSharedDemandZeroPte@20 ; MiWriteSharedDemandZeroPte(x,x,x,x,x)
		jmp	loc_543DB8
; 

loc_543CCB:				; CODE XREF: .text:00543263j
		mov	eax, dword_6D0704
		mov	ebx, edi
		mov	ecx, dword_6D0700
		mov	edx, ebx
		mov	[ebp+30h], eax
		mov	eax, ecx
		or	eax, [ebp+30h]
		mov	[ebp+14h], edx
		jz	short loc_543CFC
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_543CFA
		mov	ebx, [ebp+30h]
		not	ebx
		and	ebx, edx
		jmp	short loc_543CFC
; 

loc_543CFA:				; CODE XREF: .text:00543CEFj
		mov	ebx, edx

loc_543CFC:				; CODE XREF: .text:00543CE5j
					; .text:00543CF8j
		push	edi
		push	esi
		call	_MI_PROTO_FORMAT_COMBINED@8 ; MI_PROTO_FORMAT_COMBINED(x,x)
		test	al, al
		jz	short loc_543D1E
		lock inc dword ptr [ebx-8]
		mov	ecx, offset dword_6D5D38
		mov	eax, 1
		lock xadd [ecx], eax
		jmp	loc_543DAF
; 

loc_543D1E:				; CODE XREF: .text:00543D05j
		lea	eax, [ebp-30h]
		mov	edx, ebx
		push	eax
		push	dword ptr [ebp+34h]
		push	dword ptr [ebp+2Ch]
		call	MiReferenceCloneProto
		test	eax, eax
		jnz	short loc_543D52
		push	eax
		push	80h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebp+0Ch]
		mov	[ecx], eax
		nop
		mov	eax, [ebp+38h]
		mov	[ecx+4], edx
		mov	dword ptr [eax], 1
		jmp	short loc_543DB8
; 

loc_543D52:				; CODE XREF: .text:00543D31j
		mov	eax, [ebp-30h]
		test	eax, eax
		jz	short loc_543D70
		mov	eax, [eax+8]
		and	eax, 0F8000000h
		cmp	eax, 0C0000000h
		jz	short loc_543DAF
		mov	edi, [ebp+14h]
		or	esi, 8
		jmp	short loc_543DA9
; 

loc_543D70:				; CODE XREF: .text:00543D57j
		push	edi
		push	esi
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jnz	short loc_543DAF
		mov	ecx, [ebp+24h]
		mov	eax, [ecx+1Ch]
		and	al, 70h
		cmp	al, 20h
		jnz	short loc_543DAF
		call	_MiIsVadLargePrivate@4 ; MiIsVadLargePrivate(x)
		test	eax, eax
		jnz	short loc_543DAF
		mov	edx, [ebp-58h]
		push	ecx
		push	dword ptr [ebp+8]
		mov	ecx, [ebp-10h]
		call	_MiMakePerSessionProtoPte@16 ; MiMakePerSessionProtoPte(x,x,x,x)
		mov	ecx, eax
		or	ecx, edx
		jz	short loc_543DAF
		mov	esi, eax
		mov	edi, edx

loc_543DA9:				; CODE XREF: .text:00543C82j
					; .text:00543D6Ej
		mov	[ebp-8], edi
		mov	[ebp-0Ch], esi

loc_543DAF:				; CODE XREF: .text:00543C79j
					; .text:00543CA2j ...
		mov	eax, [ebp+0Ch]
		mov	[eax], esi
		nop
		mov	[eax+4], edi

loc_543DB8:				; CODE XREF: .text:00543B3Fj
					; .text:00543CC6j ...
		xor	esi, esi

loc_543DBA:				; CODE XREF: .text:005432A8j
					; .text:005437B5j ...
		mov	ebx, [ebp-24h]
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_543DD9
		mov	ecx, ds:_MmPfnDatabase
		lea	edx, ds:0[ebx*8]
		sub	edx, ebx
		lea	ecx, [ecx+edx*4]
		call	_MiLockAndInsertPageInFreeList@4 ; MiLockAndInsertPageInFreeList(x)

loc_543DD9:				; CODE XREF: .text:00543DC0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	34h
; 

loc_543DE4:				; CODE XREF: .text:00543686j
		push	esi
		push	ebx
		push	edi
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_543DF3:				; CODE XREF: .text:0054310Dj
		mov	eax, [ebp-10h]
		push	ecx
		add	eax, 240h
		push	eax
		push	dword ptr [ebp-18h]
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReferenceCloneProto proc near		; CODE XREF: .text:00543D2Ap

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DB0A2 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, large fs:124h
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	ecx, [ecx+80h]
		and	dword ptr [esi], 0
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		test	eax, eax
		jnz	short loc_543E3C

loc_543E32:				; CODE XREF: MiReferenceCloneProto+3Cj
					; MiReferenceCloneProto+5Cj
		xor	eax, eax
		pop	edi
		inc	eax
		pop	esi
		pop	ecx
		pop	ebp
		retn	0Ch
; 

loc_543E3C:				; CODE XREF: MiReferenceCloneProto+22j
		mov	eax, [eax+1Ch]
		mov	edi, [eax+0Ch]
		lock inc dword ptr [edx+0Ch]
		test	[ebp+arg_0], 1
		jz	short loc_543E32
		xor	eax, eax
		inc	eax
		lock xadd [edx+8], eax
		inc	eax
		and	eax, 7FFFFFFh
		cmp	eax, 1
		jz	loc_5DB0A2
		mov	ecx, [ebp+arg_4]
		inc	dword ptr [ecx]

loc_543E68:				; CODE XREF: MiReferenceCloneProto+972A7j
		mov	[esi], edx
		jmp	short loc_543E32
MiReferenceCloneProto endp


;  S U B	R O U T	I N E 


; __stdcall MiFindZeroCloneBlock(x, x)
_MiFindZeroCloneBlock@8	proc near	; CODE XREF: .text:00542FC5p
					; .text:00543CAAp
		mov	edi, edi
		push	esi
		mov	esi, [ecx+0Ch]
		mov	ecx, [ecx+10h]

loc_543E75:				; CODE XREF: MiFindZeroCloneBlock(x,x)+24j
		cmp	esi, ecx
		ja	short loc_543E92
		mov	eax, [esi+8]
		shr	eax, 1Bh
		cmp	eax, edx
		jnz	short loc_543E8D
		cmp	dword ptr [esi+0Ch], 0FFFFFFFFh
		jz	short loc_543E8D
		mov	eax, esi
		pop	esi
		retn
; 

loc_543E8D:				; CODE XREF: MiFindZeroCloneBlock(x,x)+15j
					; MiFindZeroCloneBlock(x,x)+1Bj
		add	esi, 10h
		jmp	short loc_543E75
; 

loc_543E92:				; CODE XREF: MiFindZeroCloneBlock(x,x)+Bj
		xor	eax, eax
		pop	esi
		retn
_MiFindZeroCloneBlock@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWriteSharedDemandZeroPte(x, x, x,	x, x)
_MiWriteSharedDemandZeroPte@20 proc near ; CODE	XREF: .text:00542FE4p
					; .text:00543CC1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_543ED1
		inc	dword ptr [esi+8]
		inc	eax
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_8]
		inc	dword ptr [eax]

loc_543EB2:				; CODE XREF: MiWriteSharedDemandZeroPte(x,x,x,x,x)+79j
		xor	eax, eax
		or	eax, 400h
		push	esi
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebp+arg_4]
		or	eax, 8
		mov	[ecx], eax
		nop
		mov	[ecx+4], edx
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_543ED1:				; CODE XREF: MiWriteSharedDemandZeroPte(x,x,x,x,x)+Ej
		mov	ecx, [esi+8]
		xor	eax, eax
		shr	ecx, 1Bh
		shld	eax, ecx, 5
		shl	ecx, 5
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[esi], eax
		nop
		mov	eax, [esi+8]
		xor	ecx, ecx
		and	eax, 0F8000001h
		mov	[esi+4], edx
		inc	ecx
		or	eax, ecx
		mov	[esi+0Ch], ecx
		mov	[esi+8], eax
		mov	eax, [ebp+arg_8]
		inc	dword ptr [eax+4]
		mov	eax, offset dword_6D5F64
		lock xadd [eax], ecx
		jmp	short loc_543EB2
_MiWriteSharedDemandZeroPte@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUpdateForkMaps proc near		; CODE XREF: MiCloneVads+37Ap

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005DB0BA SIZE 0000008B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, edx
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_8]
		push	ecx
		push	4
		push	[ebp+arg_C]
		xor	esi, esi
		mov	[ebp+var_4], edi
		push	esi
		mov	ecx, eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], esi
		call	MiGetNextPageTable
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_544052
		shl	eax, 9
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	loc_5DB0BA
		mov	eax, [edi+10h]
		xor	eax, ebx
		test	eax, 0FFFFF000h
		jnz	short loc_543F93
		mov	edx, [edi+8]

loc_543F6E:				; CODE XREF: MiUpdateForkMaps+13Bj
		mov	ecx, ebx
		and	ecx, 0FFFh
		push	1
		push	[ebp+arg_C]
		or	ecx, edx
		xor	edx, edx
		mov	[edi+0Ch], ecx
		mov	ecx, ebx
		push	esi
		call	MiMakeSystemAddressValid

loc_543F8A:				; CODE XREF: MiUpdateForkMaps+971C3j
					; MiUpdateForkMaps+971D1j
		mov	eax, ebx

loc_543F8C:				; CODE XREF: MiUpdateForkMaps+146j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_543F93:				; CODE XREF: MiUpdateForkMaps+57j
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_14]
		call	_MiFillPteHierarchy@8 ;	MiFillPteHierarchy(x,x)
		mov	eax, [edi]
		mov	ecx, [ebp+arg_0]
		mov	[edi+10h], ebx
		shr	ecx, 1Eh
		mov	eax, [eax+194h]
		mov	edx, [eax+ecx*8]
		nop
		mov	eax, [eax+ecx*8+4]
		mov	ecx, [edi+14h]
		shrd	edx, eax, 0Ch
		push	esi
		and	edx, 1FFFFFFh
		push	40000020h
		mov	[ebp+var_8], edx
		call	MiMapSinglePage
		mov	ecx, [ebp+var_10]
		shr	ecx, 3
		and	ecx, 1FFh
		lea	eax, [eax+ecx*8]
		mov	edi, [eax]
		mov	[ebp+var_C], eax
		nop
		mov	ecx, [eax+4]
		mov	eax, edi
		or	eax, ecx
		jnz	loc_5DB0E8
		mov	edi, [ebp+var_4]
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_8]
		push	ecx
		lea	ecx, [edi+4]
		call	MiDoneWithThisPageGetAnother
		mov	edi, [edi+4]
		mov	edx, edi
		push	1
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	[ebp+var_10]
		call	MiBuildForkPageTable
		mov	eax, [ebp+arg_4]
		inc	dword ptr [eax]

loc_544020:				; CODE XREF: MiUpdateForkMaps+971EAj
					; MiUpdateForkMaps+9722Ej
		mov	edx, edi
		mov	edi, [ebp+var_4]
		push	esi
		push	40000020h
		mov	ecx, [edi+14h]
		call	MiMapSinglePage
		mov	ecx, [edi+1Ch]
		mov	edx, eax
		mov	eax, [ebp+arg_0]
		shr	eax, 15h
		mov	[edi+8], edx
		lea	ecx, [ecx+eax*2]
		add	ecx, 178h
		mov	[edi+18h], ecx
		jmp	loc_543F6E
; 

loc_544052:				; CODE XREF: MiUpdateForkMaps+32j
		mov	eax, [ebp+arg_0]
		add	eax, 8
		jmp	loc_543F8C
MiUpdateForkMaps endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiIsVadLargePrivate(x)
_MiIsVadLargePrivate@4 proc near	; CODE XREF: MiCloneVads+308p
					; .text:00543D87p ...
		mov	eax, [ecx+1Ch]
		test	eax, 100000h
		jnz	short loc_544072

loc_544068:				; CODE XREF: MiIsVadLargePrivate(x)+25j
		call	_MiVadMapsLargeImage@4 ; MiVadMapsLargeImage(x)
		test	eax, eax
		jnz	short loc_544085
		retn
; 

loc_544072:				; CODE XREF: MiIsVadLargePrivate(x)+8j
		test	eax, 400000h
		jnz	short loc_544085
		and	eax, 0C0000h
		cmp	eax, 80000h
		jb	short loc_544068

loc_544085:				; CODE XREF: MiIsVadLargePrivate(x)+11j
					; MiIsVadLargePrivate(x)+19j
		xor	eax, eax
		inc	eax
		retn
_MiIsVadLargePrivate@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiBuildForkPageTable proc near		; CODE XREF: MiUpdateForkMaps+104p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005DB145 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		imul	edi, [ebp+arg_8], 1Ch
		mov	eax, edx
		imul	ebx, eax, 1Ch
		push	0
		push	80h
		mov	[ebp+var_8], eax
		add	edi, ds:_MmPfnDatabase
		add	ebx, ds:_MmPfnDatabase
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebx+8], eax
		mov	ecx, edi
		mov	eax, [ebx+18h]
		xor	eax, [ebp+arg_8]
		and	eax, offset loc_7FFFFF
		mov	[ebx+0Ch], edx
		xor	[ebx+18h], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		xor	edx, edx
		mov	byte ptr [ebp+arg_8+3],	al
		inc	edx
		mov	ecx, edi
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, 7FFFFFFFh
		lea	ecx, [edi+10h]
		lock and [ecx],	eax
		and	[ebp+var_4], 0
		lea	esi, [ebx+10h]

loc_5440F3:				; CODE XREF: MiBuildForkPageTable+970C9j
		lock bts dword ptr [esi], 1Fh
		jb	loc_5DB145
		or	byte ptr [ebx+16h], 10h
		xor	edi, edi
		mov	cl, [ebx+16h]
		inc	edi
		mov	al, cl
		and	al, 0C0h
		cmp	al, 40h
		jnz	loc_5DB158

loc_544114:				; CODE XREF: MiBuildForkPageTable+970DBj
		mov	eax, [esi]
		and	cl, 0FEh
		and	eax, 0C0000001h
		mov	[ebx+14h], di
		or	eax, edi
		or	cl, 6
		mov	[esi], eax
		mov	edx, edi
		mov	eax, [ebp+arg_0]
		mov	[ebx+4], eax
		mov	[ebx+16h], cl
		mov	ecx, ebx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, byte ptr [ebp+arg_8+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+arg_C], edi
		jnz	short loc_544165
		mov	ecx, [ebp+var_8]
		push	4
		pop	edx
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		nop
		mov	[ecx+4], edx

loc_544165:				; CODE XREF: MiBuildForkPageTable+C5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
MiBuildForkPageTable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDoneWithThisPageGetAnother proc near	; CODE XREF: MiUpdateForkMaps+EFp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005DB16A SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	ebx, ecx
		mov	[ebp+var_8], ebx
		stosd
		stosd
		lea	edi, [edx+240h]
		mov	edx, [ebx]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_544196
		call	MiFinishLastForkPageTable

loc_544196:				; CODE XREF: MiDoneWithThisPageGetAnother+23j
		push	0
		lea	edx, [ebp+var_14]
		mov	ecx, edi
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		inc	ecx
		lock xadd [eax], ecx
		inc	ecx
		mov	eax, [ebp+var_10]
		dec	ecx
		and	eax, ecx
		mov	esi, offset _MiSystemPartition
		or	eax, [ebp+var_C]
		mov	ecx, esi
		push	302h
		mov	edx, eax
		mov	[ebp+var_4], eax
		call	MiGetPage
		mov	[ebx], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5441DA

loc_5441D3:				; CODE XREF: MiDoneWithThisPageGetAnother+9704Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_5441DA:				; CODE XREF: MiDoneWithThisPageGetAnother+65j
		mov	bl, [ebp+arg_4]
		jmp	loc_5DB16A
MiDoneWithThisPageGetAnother endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFinishLastForkPageTable proc near	; CODE XREF: MiFreeForkMaps(x)+30j
					; MiDoneWithThisPageGetAnother+25p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DB1BD SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	eax, edx
		imul	esi, eax, 1Ch
		push	edi
		mov	edi, 80000000h
		mov	[ebp+var_8], eax
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		mov	ebx, [esi+4]
		or	ebx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		lea	eax, [esi+10h]
		mov	ecx, [eax]
		and	ecx, 3FFFFFFFh
		mov	[ebp+var_C], eax
		cmp	ecx, 1
		ja	short loc_544249
		mov	ecx, esi
		call	MiDecrementShareCount

loc_544230:				; CODE XREF: MiFinishLastForkPageTable+CBj
		mov	eax, [ebp+var_C]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_544249:				; CODE XREF: MiFinishLastForkPageTable+45j
		mov	ecx, [esi+18h]
		xor	edx, edx
		push	edi
		and	ecx, offset loc_7FFFFF
		call	MiMapPageInHyperSpaceWorker
		mov	ecx, ebx
		shr	ecx, 3
		and	ecx, 1FFh
		lea	edi, [eax+ecx*8]
		mov	ecx, [edi]
		nop
		and	ecx, 1
		or	ecx, 0
		jnz	short loc_54429F
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		push	80000004h
		call	MiMakeValidPte
		mov	ecx, edi
		mov	esi, eax
		xor	ebx, ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5DB1BD

loc_544295:				; CODE XREF: MiFinishLastForkPageTable+96FEEj
					; MiFinishLastForkPageTable+9700Cj ...
		mov	[edi+4], edx
		nop
		mov	[edi], esi
		test	ebx, ebx
		jnz	short loc_5442AF

loc_54429F:				; CODE XREF: MiFinishLastForkPageTable+8Fj
					; MiFinishLastForkPageTable+D4j
		push	80000000h
		mov	dl, 21h
		mov	ecx, edi
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		jmp	short loc_544230
; 

loc_5442AF:				; CODE XREF: MiFinishLastForkPageTable+BBj
		push	edx
		push	esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	short loc_54429F
MiFinishLastForkPageTable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCloneImageVad	proc near		; CODE XREF: MiAllocateChildVads+211p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DB20D SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	[ebp+var_4], edx
		mov	edx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	eax, [edx+2Ch]
		mov	edi, ecx
		mov	esi, [edx+1Ch]
		mov	ebx, [eax]
		test	esi, 100000h
		jnz	short loc_5442EA
		mov	eax, esi
		and	al, 70h
		cmp	al, 20h
		jnz	short loc_5442EA
		test	esi, 200000h
		jnz	short loc_544302

loc_5442EA:				; CODE XREF: MiCloneImageVad+20j
					; MiCloneImageVad+28j
		xor	esi, esi

loc_5442EC:				; CODE XREF: MiCloneImageVad+61j
		test	dword ptr [ebx+1Ch], 4000000h
		jnz	loc_5DB20D

loc_5442F9:				; CODE XREF: MiCloneImageVad+96F67j
		xor	eax, eax

loc_5442FB:				; CODE XREF: MiCloneImageVad+96F70j
					; MiCloneImageVad+96F82j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_544302:				; CODE XREF: MiCloneImageVad+30j
		mov	ecx, [ebp+var_4]
		xor	esi, esi
		inc	esi
		call	_MiCopyForkedFixupVad@8	; MiCopyForkedFixupVad(x,x)
		mov	eax, [edi+24Ch]
		inc	dword ptr [eax+98h]
		jmp	short loc_5442EC
MiCloneImageVad	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCloneCaptureVadCommit	proc near	; CODE XREF: MiAllocateChildVads+236p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DB23F SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	ebx, ecx
		push	esi
		push	40h
		push	48h
		mov	edx, 6356694Dh
		mov	[ebp+var_1C], ebx
		pop	ecx
		mov	[ebp+var_20], esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5DB23F
		lea	eax, [edi+4]
		mov	[edi], esi
		mov	[eax], esi
		mov	edx, 0FFFFFh
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	eax, [ebx+0Ch]
		add	ecx, 240h
		and	eax, edx
		mov	[ebp+var_C], ecx
		lea	ebx, ds:0C0000000h[eax*8]
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+10h]
		and	eax, edx
		lea	eax, ds:0C0000000h[eax*8]
		mov	[ebp+var_18], eax
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_5443A1
		lea	eax, [ecx+80h]

loc_5443A1:				; CODE XREF: MiCloneCaptureVadCommit+7Dj
		push	eax
		mov	[ebp+var_10], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_10]
		mov	byte ptr [ebp+var_8], al
		mov	[ecx+4], esi

loc_5443B3:				; CODE XREF: MiCloneCaptureVadCommit+E6j
		mov	eax, [ebp+var_18]
		cmp	ebx, eax
		ja	short loc_544404
		lea	ecx, [ebp+var_20]
		mov	edx, eax
		push	ecx
		push	4
		push	[ebp+var_8]
		mov	ecx, ebx
		push	esi
		call	MiGetNextPageTable
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_544404
		and	ebx, 0FFFFF000h
		mov	eax, ebx
		shl	eax, 9
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_4]
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_544420

loc_5443EA:				; CODE XREF: MiCloneCaptureVadCommit+151j
		cmp	ecx, 10h
		jz	loc_5DB249

loc_5443F3:				; CODE XREF: MiCloneCaptureVadCommit+96F83j
		mov	edx, [ebp+var_14]
		mov	[edi+ecx*4+8], edx
		inc	dword ptr [eax]

loc_5443FC:				; CODE XREF: MiCloneCaptureVadCommit+14Cj
		add	ebx, 1000h
		jmp	short loc_5443B3
; 

loc_544404:				; CODE XREF: MiCloneCaptureVadCommit+9Cj
					; MiCloneCaptureVadCommit+B5j
		mov	dl, byte ptr [ebp+var_8]
		mov	ecx, [ebp+var_C]
		call	MiUnlockWorkingSetExclusive

loc_54440F:				; CODE XREF: MiCloneCaptureVadCommit+96F8Dj
		mov	eax, [ebp+var_1C]
		mov	[eax+4], edi
		test	esi, esi
		js	short loc_544472

loc_544419:				; CODE XREF: MiCloneCaptureVadCommit+15Dj
		mov	eax, esi

loc_54441B:				; CODE XREF: MiCloneCaptureVadCommit+96F28j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_544420:				; CODE XREF: MiCloneCaptureVadCommit+CCj
		mov	eax, [edi+ecx*4+4]
		mov	edx, eax
		and	edx, 1FFFFFh
		mov	[ebp+var_10], eax
		lea	eax, [edx+1]
		cmp	eax, edx
		jbe	short loc_54446A
		cmp	edx, 1FFFFFh
		jz	short loc_54446A
		mov	eax, [ebp+var_10]
		and	eax, 0FFE00000h
		mov	[ebp+var_24], eax
		lea	eax, [edx+1]
		mov	edx, [ebp+var_24]
		shl	eax, 15h
		add	eax, edx
		cmp	eax, [ebp+var_14]
		jnz	short loc_54446A
		mov	eax, [ebp+var_10]
		inc	eax
		and	eax, 1FFFFFh
		or	eax, edx
		mov	[edi+ecx*4+4], eax
		jmp	short loc_5443FC
; 

loc_54446A:				; CODE XREF: MiCloneCaptureVadCommit+118j
					; MiCloneCaptureVadCommit+120j	...
		mov	eax, [ebp+var_4]
		jmp	loc_5443EA
; 

loc_544472:				; CODE XREF: MiCloneCaptureVadCommit+FBj
		mov	ecx, eax
		call	_MiCloneDiscardVadCommit@4 ; MiCloneDiscardVadCommit(x)
		jmp	short loc_544419
MiCloneCaptureVadCommit	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDuplicateCloneLeaf(x, x, x, x, x)
_MiDuplicateCloneLeaf@20 proc near	; CODE XREF: .text:00543B75p
					; MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+3DFp

var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	34h
		push	offset dword_6A4580
		call	__SEH_prolog4
		mov	[ebp+var_34], edx
		mov	eax, ecx
		mov	[ebp+var_24], eax
		xor	ebx, ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	ecx, [eax]
		mov	[ebp+var_2C], ecx
		nop
		mov	edx, [eax+4]
		mov	[ebp+var_28], edx
		mov	eax, ecx
		and	eax, 1
		or	eax, ebx
		jz	short loc_5444DA
		nop
		mov	esi, ecx
		mov	eax, edx
		shrd	esi, eax, 0Ch
		and	esi, 1FFFFFFh
		imul	edx, esi, 1Ch
		mov	eax, ds:_MmPfnDatabase
		mov	[ebp+var_20], eax
		add	edx, eax
		mov	[ebp+var_1C], edx
		xor	ecx, ecx
		inc	ecx
		mov	edi, [edx+8]
		mov	eax, [edx+0Ch]
		jmp	loc_5445CC
; 

loc_5444DA:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+2Fj
		mov	esi, ecx
		mov	ecx, edx
		mov	edi, esi
		mov	[ebp+var_1C], ecx
		mov	edx, dword_6D0700
		mov	eax, dword_6D0704
		mov	[ebp+var_20], eax
		mov	eax, edx
		or	eax, [ebp+var_20]
		jz	short loc_544516
		mov	eax, edi
		and	eax, 10h
		or	eax, ebx
		jnz	short loc_544513
		mov	esi, edx
		not	esi
		mov	ecx, [ebp+var_20]
		not	ecx
		and	esi, edi
		mov	eax, [ebp+var_1C]
		and	ecx, eax
		jmp	short loc_544518
; 

loc_544513:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+83j
		and	esi, 0FFFFFFEFh

loc_544516:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+7Aj
		mov	eax, ecx

loc_544518:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+95j
		shrd	esi, ecx, 0Ch
		and	esi, 3FFFFFFh
		imul	edx, esi, 1Ch
		mov	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_20], ecx
		add	edx, ecx
		mov	[ebp+var_1C], edx
		test	byte ptr [edx+16h], 20h
		jz	loc_5445CA
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		add	ecx, 240h
		mov	[ebp+arg_8], ecx
		mov	esi, 7FFFFFFFh
		lea	eax, [edx+10h]
		lock and [eax],	esi
		mov	dl, byte ptr [ebp+arg_4]
		call	MiUnlockWorkingSetExclusive
		mov	eax, large fs:124h
		mov	[ebp+arg_4], eax
		inc	byte ptr [eax+30Ah]
		mov	edx, [ebp+var_24]
		shl	edx, 9
		mov	[ebp+ms_exc.disabled], ebx
		mov	al, [edx]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_544598
; 

loc_544588:				; DATA XREF: .text:006A4594o
		xor	eax, eax
		inc	eax
		retn
; 

loc_54458C:				; DATA XREF: .text:006A4598o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx

loc_544598:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+10Aj
		mov	eax, [ebp+arg_4]
		dec	byte ptr [eax+30Ah]
		mov	eax, [ebp+arg_8]
		mov	al, [eax+60h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_5445B4
		mov	esi, offset unk_6D3C40
		jmp	short loc_5445BA
; 

loc_5445B4:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+12Fj
		mov	esi, [ebp+arg_8]
		sub	esi, 0FFFFFF80h

loc_5445BA:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+136j
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	[esi+4], ebx
		xor	eax, eax
		jmp	loc_5446F4
; 

loc_5445CA:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+BBj
		mov	ecx, ebx

loc_5445CC:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+59j
		shrd	edi, eax, 5
		shr	eax, 5
		mov	[ebp+var_3C], eax
		mov	[ebp+arg_4], ecx
		and	edi, 1Fh
		imul	ebx, [ebp+arg_0], 1Ch
		add	ebx, [ebp+var_20]
		cmp	ecx, 1
		jz	short loc_5445F2
		mov	ecx, ebx
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	ecx, [ebp+arg_4]

loc_5445F2:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+16Aj
		lea	eax, [ecx-1]
		neg	eax
		sbb	eax, eax
		and	eax, 3
		add	eax, 81h
		push	eax
		push	0
		mov	edx, esi
		mov	ecx, [ebp+arg_0]
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)
		mov	edx, [ebp+arg_4]
		mov	esi, 7FFFFFFFh
		test	edx, edx
		jnz	short loc_544620
		lea	eax, [ebx+10h]
		lock and [eax],	esi

loc_544620:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+19Cj
		mov	ecx, [ebp+var_1C]
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		mov	[ebp+var_1C], eax
		movzx	eax, byte ptr [ecx+16h]
		shr	eax, 6
		mov	[ebp+var_20], eax
		cmp	edx, 1
		jnz	short loc_544646
		mov	edx, edi
		mov	ecx, [ebp+arg_0]
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		jmp	short loc_544663
; 

loc_544646:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+1BCj
		lea	eax, [ecx+10h]
		lock and [eax],	esi
		mov	cl, byte ptr [ebp+arg_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	[ebp+var_28]
		push	[ebp+var_2C]
		mov	ecx, [ebp+arg_0]
		call	_MiUpdateTransitionPteFrame@12 ; MiUpdateTransitionPteFrame(x,x,x)

loc_544663:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+1C8j
		mov	[ebp+var_2C], edx
		mov	[ebp+var_30], eax
		mov	ecx, [ebp+var_34]
		mov	[ecx], eax
		nop
		mov	[ecx+4], edx
		call	_MiVaToPfn@4	; MiVaToPfn(x)
		push	10h
		push	eax
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+arg_0]
		call	MiInitializePfnForOtherProcess
		and	edi, 1Fh
		xor	ecx, ecx
		shld	ecx, edi, 5
		shl	edi, 5
		mov	eax, [ebx+8]
		and	eax, 0FFFFFC1Fh
		or	edi, eax
		or	[ebx+0Ch], ecx
		mov	[ebx+8], edi
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	byte ptr [ebp+arg_4+3],	al
		mov	cl, [ebx+16h]
		movzx	eax, cl
		shr	eax, 6
		mov	edx, [ebp+var_20]
		cmp	eax, edx
		jz	short loc_5446C7
		push	3
		mov	ecx, ebx
		call	MiChangePageAttribute
		mov	cl, [ebx+16h]

loc_5446C7:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+23Dj
		mov	al, [ebx+17h]
		xor	al, byte ptr [ebp+var_1C]
		and	al, 7
		xor	[ebx+17h], al
		and	cl, 0FEh
		or	cl, 6
		mov	[ebx+16h], cl
		mov	ecx, ebx
		call	MiDecrementShareCount
		lea	ecx, [ebx+10h]
		lock and [ecx],	esi
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		inc	eax

loc_5446F4:				; CODE XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+149j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiDuplicateCloneLeaf@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRelockWorkingSetExclusive(x, x)
_MiRelockWorkingSetExclusive@8 proc near ; CODE	XREF: MiCloneVads+5E5p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	al, [ecx+60h]
		push	ebx
		push	esi
		and	al, 7
		mov	esi, offset unk_6D3C40
		push	edi
		cmp	al, 2
		jz	short loc_544723
		lea	esi, [ecx+80h]

loc_544723:				; CODE XREF: MiRelockWorkingSetExclusive(x,x)+15j
		mov	eax, [esi]
		xor	edi, edi
		inc	edi
		test	eax, 40000000h
		jnz	short loc_54476B
		xor	ebx, ebx

loc_544731:				; CODE XREF: MiRelockWorkingSetExclusive(x,x)+6Aj
		call	MiUnlockWorkingSetExclusive
		xor	edi, edi
		test	ebx, ebx
		jnz	short loc_54474E

loc_54473C:				; CODE XREF: MiRelockWorkingSetExclusive(x,x)+50j
					; MiRelockWorkingSetExclusive(x,x)+63j
		push	esi
		call	ExAcquireSpinLockExclusive
		test	edi, edi
		jnz	short loc_544749
		and	[esi+4], edi

loc_544749:				; CODE XREF: MiRelockWorkingSetExclusive(x,x)+3Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_54474E:				; CODE XREF: MiRelockWorkingSetExclusive(x,x)+34j
		and	[ebp+var_4], edi

loc_544751:				; CODE XREF: MiRelockWorkingSetExclusive(x,x)+5Ej
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_54473C
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		test	byte ptr [ebp+var_4], 3Fh
		jnz	short loc_544751
		xor	edi, edi
		inc	edi
		jmp	short loc_54473C
; 

loc_54476B:				; CODE XREF: MiRelockWorkingSetExclusive(x,x)+27j
		mov	ebx, edi
		mov	[esi+4], edi
		jmp	short loc_544731
_MiRelockWorkingSetExclusive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInsertClone	proc near		; CODE XREF: MiCloneVads+24Ep
					; MiCloneVads+54Ep ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DB2AE SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		cmp	[ebp+arg_0], ecx
		jnz	short loc_5447D2

loc_544785:				; CODE XREF: MiInsertClone+6Dj
					; MiInsertClone+96B45j	...
		add	edi, 148h
		mov	byte ptr [ebp+arg_0], 0
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_5447C0
		mov	edx, [ebx+0Ch]

loc_544798:				; CODE XREF: MiInsertClone+48j
		cmp	edx, [ecx+10h]
		ja	short loc_5447A5
		mov	eax, [ebx+10h]
		cmp	eax, [ecx+0Ch]
		jb	short loc_5447B2

loc_5447A5:				; CODE XREF: MiInsertClone+29j
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_5447B8
		mov	byte ptr [ebp+arg_0], 1
		jmp	short loc_5447C0
; 

loc_5447B2:				; CODE XREF: MiInsertClone+31j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_5447BC

loc_5447B8:				; CODE XREF: MiInsertClone+38j
		mov	ecx, eax
		jmp	short loc_544798
; 

loc_5447BC:				; CODE XREF: MiInsertClone+44j
		mov	byte ptr [ebp+arg_0], 0

loc_5447C0:				; CODE XREF: MiInsertClone+21j
					; MiInsertClone+3Ej
		push	ebx
		push	[ebp+arg_0]
		push	ecx
		push	edi
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_5447D2:				; CODE XREF: MiInsertClone+11j
		mov	eax, [edi+24Ch]
		cmp	[eax+94h], cx
		jz	short loc_544785
		jmp	loc_5DB2AE
MiInsertClone	endp


;  S U B	R O U T	I N E 


; __stdcall MiUnlockAweVadsExclusive(x)
_MiUnlockAweVadsExclusive@4 proc near	; CODE XREF: MiCloneVads+1EAp
					; MiCloneVads+6A1p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	edx, edx
		mov	eax, [esi+80h]
		mov	ecx, [eax+24Ch]
		add	ecx, 0A4h
		call	ExReleaseAutoExpandPushLockExclusive
		mov	ecx, esi
		pop	esi
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
_MiUnlockAweVadsExclusive@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiInitializeForkMaps(x, x)
_MiInitializeForkMaps@8	proc near	; CODE XREF: MiCloneVads+228p
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, edx
		xor	eax, eax
		push	edi
		mov	edi, ecx
		xor	edx, edx
		push	2
		mov	[esi+8], eax
		xor	ecx, ecx
		mov	[esi+0Ch], eax
		mov	[esi+10h], eax
		mov	[esi+14h], eax
		mov	[esi+18h], eax
		mov	[esi+1Ch], eax
		or	dword ptr [esi+4], 0FFFFFFFFh
		push	40000020h
		mov	[esi], edi
		call	MiMapSinglePage
		mov	[esi+14h], eax
		test	eax, eax
		jz	short loc_544859
		mov	eax, [edi+24Ch]
		add	eax, 18h
		mov	[esi+1Ch], eax
		xor	eax, eax
		inc	eax

loc_544855:				; CODE XREF: MiInitializeForkMaps(x,x)+4Fj
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_544859:				; CODE XREF: MiInitializeForkMaps(x,x)+38j
		xor	eax, eax
		jmp	short loc_544855
_MiInitializeForkMaps@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockPagedAddress proc	near		; CODE XREF: MiLockPagedRange+12p

var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DB2D2 SIZE 000000AB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_10], 0
		mov	eax, ecx
		push	ebx
		push	esi
		mov	esi, eax
		mov	[ebp+var_C], eax
		shr	esi, 9
		mov	ecx, offset loc_7FFFF8
		and	esi, ecx
		mov	eax, 40000000h
		sub	esi, eax
		mov	ebx, esi
		shr	ebx, 9
		and	ebx, ecx
		mov	ecx, offset unk_6D3840
		sub	ebx, eax
		push	edi
		mov	[ebp+var_1C], ebx
		call	MiLockWorkingSetShared
		mov	byte ptr [ebp+var_4], al

loc_54489E:				; CODE XREF: MiLockPagedAddress+170j
					; MiLockPagedAddress+96A93j
		push	4
		push	[ebp+var_4]
		xor	edx, edx
		mov	ecx, esi
		push	0
		call	MiMakeSystemAddressValid
		mov	edx, [esi]
		nop
		mov	edi, [esi+4]
		mov	ecx, edx
		and	ecx, 1
		xor	eax, eax
		or	ecx, eax
		jz	loc_544994
		mov	ecx, edx
		and	ecx, 200h
		or	ecx, eax
		jnz	loc_5DB2D2
		nop
		shrd	edx, edi, 0Ch
		mov	[ebp+var_14], eax
		and	edx, 1FFFFFFh
		imul	ecx, edx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_8], ecx
		lea	edi, [ecx+10h]
		lock bts dword ptr [edi], 1Fh
		jb	loc_5DB330

loc_5448FB:				; CODE XREF: MiLockPagedAddress+96AEAj
		xor	edx, edx
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		xor	edi, edi
		test	eax, eax
		jz	loc_5DB34D
		mov	ecx, [ebp+var_8]
		inc	edi
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	[ebp+var_10], eax

loc_544918:				; CODE XREF: MiLockPagedAddress+96AF1j
		mov	ecx, [ebp+var_8]
		mov	ebx, 7FFFFFFFh
		add	ecx, 10h
		lock and [ecx],	ebx
		mov	ebx, [ebp+var_1C]
		test	edi, edi
		jz	short loc_544975
		mov	ecx, [ebp+var_10]
		mov	eax, ecx
		or	eax, edx
		jnz	loc_5DB354

loc_54493A:				; CODE XREF: MiLockPagedAddress+96B05j
		mov	edx, [esi]
		nop
		mov	eax, [esi+4]
		mov	ecx, edx
		mov	[ebp+var_1C], eax
		and	ecx, 20h
		xor	eax, eax
		or	ecx, eax
		jz	loc_5DB368
		and	edx, 42h
		or	edx, eax
		jz	loc_5DB368

loc_54495D:				; CODE XREF: MiLockPagedAddress+96B1Aj
		test	ds:_MiFlags, 100h
		jnz	short loc_544975
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		push	1
		call	KeFlushSingleTb

loc_544975:				; CODE XREF: MiLockPagedAddress+CDj
					; MiLockPagedAddress+109j
		mov	edx, ebx
		mov	ebx, offset unk_6D3840
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+var_4]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_544994:				; CODE XREF: MiLockPagedAddress+5Fj
		mov	edi, offset unk_6D3840
		mov	edx, ebx
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+var_4]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		push	0
		push	0
		push	[ebp+var_C]
		push	0
		call	MmAccessFault
		mov	edi, eax
		test	edi, edi
		js	loc_5DB319
		mov	ecx, offset unk_6D3840

loc_5449C9:				; CODE XREF: MiLockPagedAddress+96AB6j
		call	MiLockWorkingSetShared
		jmp	loc_54489E
MiLockPagedAddress endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCommitPageTableRangesForVad proc near	; CODE XREF: MiInsertChildVads+60p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DB37D SIZE 0000004B BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		and	[ebp+var_C], 0
		push	esi
		push	edi
		mov	edi, [ecx+4]
		mov	[ebp+var_18], ecx
		test	edi, edi
		jnz	short loc_544A09
		xor	eax, eax

loc_544A00:				; CODE XREF: MiCommitPageTableRangesForVad+1FEj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_544A09:				; CODE XREF: MiCommitPageTableRangesForVad+28j
		mov	edx, large fs:124h
		mov	[ebp+var_38], edx
		mov	esi, [edx+80h]
		mov	dword ptr [ecx+8], 1
		dec	word ptr [edx+13Eh]
		nop
		add	esi, 138h
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_8], esi
		call	ExAcquirePushLockExclusiveEx

loc_544A3A:				; CODE XREF: MiCommitPageTableRangesForVad+C5j
		cmp	[ebp+var_C], 0
		mov	eax, [edi]
		mov	[ebp+var_14], eax
		jl	short loc_544A8A
		xor	esi, esi
		cmp	[edi+4], esi
		jbe	short loc_544A8A
		lea	eax, [edi+8]
		mov	[ebp+var_10], eax

loc_544A52:				; CODE XREF: MiCommitPageTableRangesForVad+B4j
		mov	eax, [eax]
		mov	edx, eax
		mov	ecx, [ebp+var_18]
		and	eax, 1FFFFFh
		shl	eax, 15h
		and	edx, 0FFE00000h
		add	eax, 1FFFFFh
		add	eax, edx
		push	eax
		call	_MiCommitPageTablesForVad@12 ; MiCommitPageTablesForVad(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		js	short loc_544A8A
		mov	eax, [ebp+var_10]
		inc	esi
		add	eax, 4
		mov	[ebp+var_10], eax
		cmp	esi, [edi+4]
		jb	short loc_544A52

loc_544A8A:				; CODE XREF: MiCommitPageTableRangesForVad+6Fj
					; MiCommitPageTableRangesForVad+76j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_14]
		mov	edi, eax
		test	eax, eax
		jnz	short loc_544A3A
		mov	esi, [ebp+var_8]
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_10], edx
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_544BFE

loc_544AB4:				; CODE XREF: MiCommitPageTableRangesForVad+231j
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	esi, 7FFFFFFCh
		jz	loc_544BBD
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], esi
		pop	edx
		jb	short loc_544AF4
		cmp	byte ptr dword_6D3994[ecx], 1
		jz	loc_544BD7

loc_544AF4:				; CODE XREF: MiCommitPageTableRangesForVad+111j
		cmp	eax, [ebp+var_30]
		jb	short loc_544B06
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_544BD7

loc_544B06:				; CODE XREF: MiCommitPageTableRangesForVad+123j
					; MiCommitPageTableRangesForVad+216j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_544BEF
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_544C0A

loc_544B47:				; CODE XREF: MiCommitPageTableRangesForVad+23Ej
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5DB390
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_544B93:				; CODE XREF: MiCommitPageTableRangesForVad+223j
					; MiCommitPageTableRangesForVad+969CEj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jnz	short loc_544C17

loc_544BA6:				; CODE XREF: MiCommitPageTableRangesForVad+27Cj
					; MiCommitPageTableRangesForVad+969EFj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_544BBD
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_544C5B

loc_544BBD:				; CODE XREF: MiCommitPageTableRangesForVad+EBj
					; MiCommitPageTableRangesForVad+1DBj ...
		mov	ecx, [ebp+var_38]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_18]
		mov	dword ptr [eax+8], 0FFFFFFFEh
		mov	eax, [ebp+var_C]
		jmp	loc_544A00
; 

loc_544BD7:				; CODE XREF: MiCommitPageTableRangesForVad+11Aj
					; MiCommitPageTableRangesForVad+12Cj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_8]
		jmp	loc_544B06
; 

loc_544BEF:				; CODE XREF: MiCommitPageTableRangesForVad+15Bj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_544B93
		jmp	loc_5DB37D
; 

loc_544BFE:				; CODE XREF: MiCommitPageTableRangesForVad+DAj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_544AB4
; 

loc_544C0A:				; CODE XREF: MiCommitPageTableRangesForVad+16Dj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]
		jmp	loc_544B47
; 

loc_544C17:				; CODE XREF: MiCommitPageTableRangesForVad+1D0j
		test	edi, 8000h
		jz	short loc_544C28
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_544C28:				; CODE XREF: MiCommitPageTableRangesForVad+249j
		test	byte ptr [ebp+var_14+2], 1
		jnz	loc_5DB3A7

loc_544C32:				; CODE XREF: MiCommitPageTableRangesForVad+969DDj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_544C46
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_544C46:				; CODE XREF: MiCommitPageTableRangesForVad+265j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_544BA6
		jmp	loc_5DB3B6
; 

loc_544C5B:				; CODE XREF: MiCommitPageTableRangesForVad+1E3j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_544BBD
MiCommitPageTableRangesForVad endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUpControlAreaRefs proc near		; CODE XREF: MiDeletePartialVad+DD492p
					; MiInsertChildVads+4Fp ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DB3C8 SIZE 000000A2 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, [ecx+2Ch]
		and	[ebp+var_44], 0
		push	esi
		push	edi
		mov	esi, [eax]
		mov	edi, [ecx+1Ch]
		mov	eax, edi
		and	eax, 0F80h
		mov	[ebp+var_34], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_14], esi
		cmp	eax, 200h
		jz	loc_544DEA
		and	edi, 0F80h
		cmp	edi, 300h
		jz	loc_544DEA

loc_544CBB:				; CODE XREF: MiUpControlAreaRefs+188j
					; MiUpControlAreaRefs+192j ...
		xor	eax, eax
		xor	edi, edi
		and	[ebp+var_40], eax
		and	[ebp+var_1C], eax
		test	dword ptr [esi+1Ch], 400h
		mov	[ebp+var_18], eax
		mov	[ebp+var_8], edi
		jnz	short loc_544D01
		mov	edi, [ecx+0Ch]
		call	_MiLockNestedVad@4 ; MiLockNestedVad(x)
		cmp	dword ptr [esi+20h], 0
		jz	short loc_544CEC
		test	byte ptr [esi+1Ch], 20h
		jz	loc_544F7F

loc_544CEC:				; CODE XREF: MiUpControlAreaRefs+7Aj
		lea	edi, [esi+50h]
		mov	[ebp+var_8], edi

loc_544CF2:				; CODE XREF: MiUpControlAreaRefs+32Cj
		test	edi, edi
		jz	loc_5DB3C8
		mov	[ebp+var_40], 1

loc_544D01:				; CODE XREF: MiUpControlAreaRefs+6Cj
					; MiUpControlAreaRefs+9676Aj
		cmp	dword ptr [esi+20h], 0
		jz	loc_544F56
		and	[ebp+var_3C], 0
		and	[ebp+var_38], 0

loc_544D13:				; CODE XREF: MiUpControlAreaRefs+314j
		lea	eax, [esi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		inc	dword ptr [esi+14h]
		inc	dword ptr [esi+18h]
		mov	byte ptr [ebp+var_10], al
		test	edi, edi
		jz	short loc_544D4A
		mov	eax, [esi+1Ch]
		test	al, 20h
		jz	short loc_544D88

loc_544D30:				; CODE XREF: MiUpControlAreaRefs+126j
		cmp	[ebp+var_34], 0
		jz	loc_5DB3F3
		push	[ebp+var_10]
		mov	ecx, edi
		push	8
		pop	edx
		call	MiReferenceActiveSubsection
		mov	[ebp+var_18], eax

loc_544D4A:				; CODE XREF: MiUpControlAreaRefs+C1j
					; MiUpControlAreaRefs+16Fj ...
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	dword ptr [esi+20h], 0
		jz	loc_544E18

loc_544D66:				; CODE XREF: MiUpControlAreaRefs+2EBj
		cmp	[ebp+var_40], 1
		jnz	short loc_544D74
		mov	ecx, [ebp+var_C]
		call	_MiUnlockNestedVad@4 ; MiUnlockNestedVad(x)

loc_544D74:				; CODE XREF: MiUpControlAreaRefs+104j
		mov	eax, [ebp+var_18]
		test	eax, eax
		js	loc_5DB457

loc_544D7F:				; CODE XREF: MiUpControlAreaRefs+967F5j
					; MiUpControlAreaRefs+967FFj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_544D88:				; CODE XREF: MiUpControlAreaRefs+C8j
		cmp	dword ptr [esi+20h], 0
		jz	short loc_544D30
		mov	eax, [ebp+var_C]
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	1
		mov	ecx, eax
		mov	edx, [eax+10h]
		call	MiGetProtoPteAddress
		and	[ebp+var_30], 0
		mov	eax, edi
		mov	[ebp+var_20], eax

loc_544DAA:				; CODE XREF: MiUpControlAreaRefs+17Dj
		cmp	[ebp+var_34], 0
		jz	loc_5DB3D5
		push	[ebp+var_10]
		mov	ecx, eax
		push	8
		pop	edx
		call	MiReferenceActiveSubsection
		mov	[ebp+var_18], eax
		test	eax, eax
		js	loc_5DB3E4

loc_544DCC:				; CODE XREF: MiUpControlAreaRefs+96779j
		mov	eax, [ebp+var_20]
		mov	[ebp+var_30], eax
		cmp	eax, [ebp+var_1C]
		jz	loc_544D4A
		mov	eax, [eax+8]
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	short loc_544DAA
		jmp	loc_544D4A
; 

loc_544DEA:				; CODE XREF: MiUpControlAreaRefs+3Dj
					; MiUpControlAreaRefs+4Fj
		cmp	dword ptr [esi+20h], 0
		jz	loc_544CBB
		test	byte ptr [esi+1Ch], 20h
		jnz	loc_544CBB
		lea	eax, [esi+34h]
		test	edx, edx
		jz	loc_545014
		lock inc dword ptr [eax]

loc_544E0C:				; CODE XREF: MiUpControlAreaRefs+3B1j
		mov	[ebp+var_44], 1
		jmp	loc_544CBB
; 

loc_544E18:				; CODE XREF: MiUpControlAreaRefs+FAj
		mov	edx, [ebp+var_38]
		or	eax, 0FFFFFFFFh
		add	edx, 1Ch
		mov	[ebp+var_38], eax
		mov	[ebp+var_10], edx
		lock xadd [edx], eax
		test	al, 2
		jnz	loc_5DB40A

loc_544E33:				; CODE XREF: MiUpControlAreaRefs+967A6j
					; MiUpControlAreaRefs+967B6j
		xor	edi, edi
		mov	[ebp+var_34], edi
		test	edx, 7FFFFFFCh
		jz	loc_544F49
		mov	esi, large fs:124h
		mov	ecx, edx
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_20], esi
		mov	[ebp+var_30], eax
		cmp	edx, eax
		jb	short loc_544E82
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_544F97
		mov	eax, [ebp+var_30]
		cmp	edx, eax
		jb	short loc_544E82
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_544F97

loc_544E82:				; CODE XREF: MiUpControlAreaRefs+1F7j
					; MiUpControlAreaRefs+20Dj
		or	eax, 0FFFFFFFFh

loc_544E85:				; CODE XREF: MiUpControlAreaRefs+33Fj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_544FAA
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_544FBD

loc_544EC4:				; CODE XREF: MiUpControlAreaRefs+35Fj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_34], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	loc_5DB434
		or	[esi+1E4h], dl

loc_544F0A:				; CODE XREF: MiUpControlAreaRefs+34Cj
					; MiUpControlAreaRefs+967DAj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_38], eax
		jnz	loc_544FCA

loc_544F21:				; CODE XREF: MiUpControlAreaRefs+399j
					; MiUpControlAreaRefs+967ECj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_544F46
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_54500A

loc_544F46:				; CODE XREF: MiUpControlAreaRefs+2D2j
					; MiUpControlAreaRefs+3A9j
		mov	esi, [ebp+var_14]

loc_544F49:				; CODE XREF: MiUpControlAreaRefs+1D8j
		mov	ecx, [ebp+var_3C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_544D66
; 

loc_544F56:				; CODE XREF: MiUpControlAreaRefs+9Fj
		mov	ecx, large fs:124h
		mov	eax, [esi]
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], eax
		dec	word ptr [ecx+13Eh]
		nop
		lea	ecx, [eax+1Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	edi, [ebp+var_8]
		jmp	loc_544D13
; 

loc_544F7F:				; CODE XREF: MiUpControlAreaRefs+80j
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		mov	edx, edi
		call	MiGetProtoPteAddress
		mov	edi, [ebp+var_8]
		jmp	loc_544CF2
; 

loc_544F97:				; CODE XREF: MiUpControlAreaRefs+202j
					; MiUpControlAreaRefs+216j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_38], eax
		jmp	loc_544E85
; 

loc_544FAA:				; CODE XREF: MiUpControlAreaRefs+246j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_544F0A
		jmp	loc_5DB421
; 

loc_544FBD:				; CODE XREF: MiUpControlAreaRefs+258j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]
		jmp	loc_544EC4
; 

loc_544FCA:				; CODE XREF: MiUpControlAreaRefs+2B5j
		test	edi, 8000h
		jz	short loc_544FDB
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_544FDB:				; CODE XREF: MiUpControlAreaRefs+36Aj
		test	byte ptr [ebp+var_34+2], 1
		jnz	short loc_54501C

loc_544FE1:				; CODE XREF: MiUpControlAreaRefs+3C6j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_544FF5
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_544FF5:				; CODE XREF: MiUpControlAreaRefs+382j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_544F21
		jmp	loc_5DB445
; 

loc_54500A:				; CODE XREF: MiUpControlAreaRefs+2DAj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_544F46
; 

loc_545014:				; CODE XREF: MiUpControlAreaRefs+19Dj
		lock dec dword ptr [eax]
		jmp	loc_544E0C
; 

loc_54501C:				; CODE XREF: MiUpControlAreaRefs+379j
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	short loc_544FE1
MiUpControlAreaRefs endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateForkWsles()
_MiCreateForkWsles@0 proc near		; CODE XREF: MiCloneProcessAddressSpace:loc_8461C9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, dword_6D07D0
		push	edi
		mov	edi, [eax+80h]

loc_545049:				; DATA XREF: IopLiveDumpGenerateIptSecondaryData()+155o
		mov	eax, 40000000h
		lea	esi, [esi-1]
		shr	esi, 9
		sub	esi, eax
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, eax
		mov	al, [edi+2A0h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_545078
		lea	eax, [edi+2C0h]

loc_545078:				; CODE XREF: MiCreateForkWsles()+42j
		push	eax
		mov	[ebp+var_4], eax
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		lea	ecx, [edi+240h]
		mov	eax, [ebp+var_4]
		mov	dl, bl
		push	1
		push	esi
		push	0C0600000h
		and	dword ptr [eax+4], 0
		call	MiCreateForkWsle
		mov	dl, bl
		lea	ecx, [edi+240h]
		call	MiUnlockWorkingSetExclusive
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiCreateForkWsles@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateForkWsle proc near		; CODE XREF: MiCreateForkWsles()+6Cp
					; MiCreateForkWsle+963CFp

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DB46A SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ebp+var_1], dl
		mov	[ebp+var_8], ecx
		cmp	esi, [ebp+arg_4]
		ja	short loc_5450EB
		mov	ebx, [ebp+arg_8]

loc_5450CD:				; CODE XREF: MiCreateForkWsle+37j
		mov	edi, [esi]
		nop
		mov	edx, [esi+4]
		mov	eax, edi
		and	eax, 1
		mov	[ebp+arg_0], edx
		or	eax, 0
		jnz	short loc_5450F2

loc_5450E0:				; CODE XREF: MiCreateForkWsle+4Aj
					; MiCreateForkWsle+6Cj	...
		mov	ecx, [ebp+var_8]
		add	esi, 8
		cmp	esi, [ebp+arg_4]
		jbe	short loc_5450CD

loc_5450EB:				; CODE XREF: MiCreateForkWsle+16j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_5450F2:				; CODE XREF: MiCreateForkWsle+2Cj
		mov	eax, edi
		and	eax, 80h
		or	eax, 0
		jnz	short loc_5450E0
		cmp	ebx, 1
		jg	loc_5DB46A

loc_545107:				; CODE XREF: MiCreateForkWsle+963DAj
		nop
		shrd	edi, edx, 0Ch
		and	edi, 1FFFFFFh
		imul	eax, edi, 1Ch
		add	eax, ds:_MmPfnDatabase
		test	byte ptr [eax],	1
		jnz	short loc_5450E0
		push	ds:dword_40F9FC
		xor	edx, edx
		push	ds:_ZeroPte
		push	edx
		push	edx
		push	edx
		push	eax
		mov	edx, esi
		call	_MiAllocateWsle@32 ; MiAllocateWsle(x,x,x,x,x,x,x,x)
		jmp	short loc_5450E0
MiCreateForkWsle endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateCloneChain proc	near		; CODE XREF: MiCloneProcessAddressSpace+C0p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00545221 SIZE 00000026 BYTES
; FUNCTION CHUNK AT 005DB491 SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_18], eax
		push	ebx
		push	esi
		and	dword ptr [eax], 0
		xor	ebx, ebx
		mov	eax, large fs:124h
		mov	esi, offset unk_6D3C40
		and	[ebp+var_8], ebx
		push	edi
		xor	edi, edi
		mov	eax, [eax+80h]
		mov	[ebp+var_C], eax
		lea	ecx, [eax+240h]
		mov	al, [ecx+60h]
		and	al, 7
		mov	[ebp+var_10], ecx
		cmp	al, 2
		jz	short loc_545185
		lea	esi, [ecx+80h]

loc_545185:				; CODE XREF: MiCreateCloneChain+41j
		push	esi
		call	ExAcquireSpinLockExclusive
		and	[esi+4], ebx
		xor	esi, esi
		mov	[ebp+var_1], al
		mov	eax, [ebp+var_C]
		mov	eax, [eax+148h]

loc_54519C:				; CODE XREF: MiCreateCloneChain+9Aj
		test	eax, eax
		jnz	short loc_5451D2

loc_5451A0:				; CODE XREF: MiCreateCloneChain+EFj
					; MiCreateCloneChain+F6j ...
		test	esi, esi
		jnz	short loc_5451D8

loc_5451A4:				; CODE XREF: MiCreateCloneChain+96378j
		mov	dl, [ebp+var_1]
		mov	ecx, [ebp+var_10]
		call	MiUnlockWorkingSetExclusive
		test	ebx, ebx
		js	loc_5DB4B9
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_545214

loc_5451BE:				; CODE XREF: MiCreateCloneChain+E3j
		test	ebx, ebx
		js	loc_5DB4B9

loc_5451C6:				; CODE XREF: MiCreateCloneChain+96393j
		mov	eax, [ebp+var_18]
		mov	[eax], edi
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5451D2:				; CODE XREF: MiCreateCloneChain+62j
		mov	esi, eax
		mov	eax, [eax]
		jmp	short loc_54519C
; 

loc_5451D8:				; CODE XREF: MiCreateCloneChain+66j
		cmp	[esi+18h], ebx
		jz	loc_5DB491
		push	0
		push	40h
		push	30h
		mov	edx, 64436D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_5DB4AF
		mov	[ecx], edi
		mov	edi, ecx
		mov	eax, [esi+20h]
		mov	[ecx+20h], eax
		mov	eax, [ebp+var_8]
		add	eax, [esi+20h]
		mov	[ebp+var_8], eax
		jmp	loc_5DB491
; 

loc_545214:				; CODE XREF: MiCreateCloneChain+80j
		push	eax
		push	[ebp+var_14]
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		mov	ebx, eax
		jmp	short loc_5451BE
MiCreateCloneChain endp

; 
; START	OF FUNCTION CHUNK FOR MiCreateCloneChain

loc_545221:				; CODE XREF: MiCreateCloneChain+EDj
					; MiCreateCloneChain+9636Ej
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_545221
		jmp	loc_5451A0
; 

loc_545230:				; CODE XREF: MiCreateCloneChain+104j
		cmp	[esi], ecx
		jz	loc_5451A0
		mov	ecx, esi

loc_54523A:				; CODE XREF: MiCreateCloneChain+9635Cj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_545230
		jmp	loc_5451A0
; END OF FUNCTION CHUNK	FOR MiCreateCloneChain
; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiHandleForkTransitionPte(x, x, x, x, x, x,	x, x, x, x, x, x)
_MiHandleForkTransitionPte@48 proc near	; CODE XREF: .text:00543290p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], ecx
		lea	edi, [ebp+var_40]
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, [ebp+arg_8]
		or	eax, 400h
		push	edi
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, ds:_ZeroPte
		mov	[ebp+var_10], ecx
		mov	ecx, ds:dword_40F9FC
		mov	[ebp+var_34], edx
		xor	edx, edx
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_18], eax
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5453D8
		mov	al, byte ptr [ebp+arg_1C]
		xor	esi, esi
		mov	[ebp+var_1], al

loc_5452A3:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+18Aj
		or	edx, 0FFFFFFFFh
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_2C], esi
		mov	ecx, [eax]
		mov	[ebp+var_24], ecx
		nop
		mov	eax, [eax+4]
		mov	[ebp+var_2C], eax
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		mov	[ebp+var_C], ecx
		cmp	[ebx+14h], si
		jnz	short loc_5452D6
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jnz	loc_5453E1

loc_5452D6:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+7Ej
		movzx	eax, byte ptr [ebx+16h]
		mov	ecx, [ebp+var_8]
		shr	eax, 6
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_14]
		mov	eax, [eax]
		cmp	eax, edx
		jnz	loc_545592
		lea	eax, [ebx+10h]
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		lea	ebx, [ecx+240h]
		push	esi
		lea	edx, [ebp+var_40]
		mov	ecx, ebx
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	eax, [ebp+var_40]
		xor	ecx, ecx
		inc	ecx
		lock xadd [eax], ecx
		inc	ecx
		mov	eax, [ebp+var_3C]
		dec	ecx
		and	eax, ecx
		mov	ecx, offset _MiSystemPartition
		or	eax, [ebp+var_38]
		push	esi
		mov	edx, eax
		mov	[ebp+var_24], eax
		call	MiGetPage
		mov	ecx, [ebp+arg_14]
		mov	[ecx], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_5453AF
		mov	edi, [ebp+arg_0]

loc_54533D:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+162j
		mov	ecx, [ebp+arg_10]
		call	MiFlushTbList
		mov	dl, [ebp+var_1]
		mov	ecx, ebx
		call	MiUnlockWorkingSetExclusive
		mov	ecx, offset _MiSystemPartition
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		mov	al, [ebx+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_54536D
		lea	eax, [ebx+80h]

loc_54536D:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+11Dj
		push	eax
		mov	[ebp+var_C], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		push	1
		mov	byte ptr [ebp+var_1C], al
		push	[ebp+var_1C]
		mov	[ecx+4], esi
		mov	ecx, edi
		push	esi
		mov	[ebp+var_1], al
		mov	byte ptr [ebp+arg_1C], al
		call	MiMakeSystemAddressValid
		mov	edx, [ebp+var_24]
		mov	ecx, offset _MiSystemPartition
		push	esi
		call	MiGetPage
		mov	ecx, [ebp+arg_14]
		mov	[ecx], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_54533D
		mov	edi, [ebp+arg_8]

loc_5453AF:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+F0j
		mov	ebx, [ebp+arg_0]
		mov	ecx, [ebx]
		nop
		mov	eax, [ebx+4]
		and	ecx, 401h
		or	ecx, esi
		mov	[ebp+var_2C], eax
		jnz	short loc_5453D8
		xor	edx, edx
		mov	ecx, ebx
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_5452A3

loc_5453D8:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+4Dj
					; MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+17Bj ...
		xor	eax, eax

loc_5453DA:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+345j
					; MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+3F7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	28h
; 

loc_5453E1:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+88j
		mov	eax, [ebp+var_24]
		mov	[edi], esi
		mov	[edi+4], esi
		mov	[edi], eax
		nop
		mov	eax, [ebp+var_2C]
		mov	ecx, edi
		mov	[edi+4], eax
		call	_MI_MAKE_PROTECT_WRITE_COPY@4 ;	MI_MAKE_PROTECT_WRITE_COPY(x)
		xor	ecx, ecx
		mov	dword ptr [edi+0Ch], 2
		inc	ecx
		and	[ebp+arg_18], ecx
		jz	short loc_545421
		mov	eax, [ebp+arg_20]
		mov	[edi+8], ecx
		inc	dword ptr [eax+4]
		mov	eax, ecx
		mov	ecx, offset dword_6D5F64
		lock xadd [ecx], eax
		mov	ecx, [edi+8]
		jmp	short loc_545423
; 

loc_545421:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+1BEj
		mov	ecx, esi

loc_545423:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+1D7j
		mov	eax, [ebp+var_C]
		lea	edx, [ebx+8]
		and	ecx, 7FFFFFFh
		shl	eax, 1Bh
		or	ecx, eax
		mov	[edi+8], ecx
		mov	eax, [edx]
		mov	ecx, [edx+4]
		mov	[ebp+arg_14], ecx
		mov	ecx, eax
		mov	[ebp+arg_1C], eax
		mov	eax, [ebp+arg_14]
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_545491
		mov	ecx, [ebp+arg_1C]
		mov	[ebp+var_10], ecx
		mov	ecx, eax
		mov	al, [ebx+16h]
		and	al, 7
		mov	[ebp+var_14], ecx
		cmp	al, 3
		jnz	short loc_545475
		xor	edx, edx
		mov	ecx, ebx
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		xor	ecx, ecx
		lea	edx, [ebx+8]
		inc	ecx
		jmp	short loc_545477
; 

loc_545475:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+21Aj
		mov	ecx, esi

loc_545477:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+22Bj
		and	dword ptr [edx], 0FFFFFFFDh
		mov	eax, [edx+4]
		mov	[edx+4], eax
		test	ecx, ecx
		jz	short loc_545491
		push	8
		pop	edx
		mov	ecx, ebx
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		lea	edx, [ebx+8]

loc_545491:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+206j
					; MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+23Aj
		or	dword ptr [ebx+18h], 80000000h
		mov	ecx, edx
		mov	[ebx+4], edi
		call	_MI_MAKE_PROTECT_WRITE_COPY@4 ;	MI_MAKE_PROTECT_WRITE_COPY(x)
		mov	eax, [ebx+18h]
		shr	edi, 9
		and	eax, offset loc_7FFFFF
		and	edi, offset loc_7FFFF8
		mov	[ebp+arg_14], eax
		mov	esi, [edi-40000000h]
		nop
		mov	edx, [edi-3FFFFFFCh]
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], edx
		nop
		mov	ecx, esi
		mov	eax, edx
		shrd	ecx, eax, 0Ch
		xor	ecx, [ebx+18h]
		and	ecx, offset loc_7FFFFF
		xor	[ebx+18h], ecx
		nop
		shrd	esi, edx, 0Ch
		and	esi, 1FFFFFFh
		imul	esi, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		lea	eax, [esi+10h]
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_18]
		mov	[eax], ecx
		nop
		mov	esi, [ebp+var_34]
		mov	[eax+4], esi
		lea	eax, [ebx+10h]
		lock and [eax],	edx
		mov	edx, [ebp+var_10]
		mov	eax, edx
		mov	ebx, [ebp+var_14]
		or	eax, ebx
		jz	short loc_545551
		mov	ecx, edx
		mov	eax, ebx
		shrd	ecx, eax, 2
		test	cl, 1
		jz	short loc_54553F
		and	edx, 0FFFFFFFBh

loc_54553F:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+2F2j
		push	ebx
		push	edx
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		inc	edx
		call	MiReleasePageFileInfo
		mov	ecx, [ebp+var_18]

loc_545551:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+2E5j
		cmp	[ebp+arg_18], 0
		jz	short loc_545560
		cmp	[ebp+var_C], 18h
		jz	short loc_545560
		or	ecx, 8

loc_545560:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+30Dj
					; MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+313j
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		nop
		imul	ecx, [ebp+arg_14], arg_14
		xor	edx, edx
		mov	[eax+4], esi
		add	ecx, ds:_MmPfnDatabase
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		mov	ecx, [ebp+var_8]
		or	eax, 0FFFFFFFFh
		add	ecx, 14Ch
		lock xadd [ecx], eax
		push	2
		pop	eax
		jmp	loc_5453DA
; 

loc_545592:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+A2j
		imul	edi, eax, 1Ch
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	edx, [ebp+var_2C]
		mov	ecx, edi
		push	1
		call	_MiFinalizePageAttribute@12 ; MiFinalizePageAttribute(x,x,x)
		lea	eax, [edi+10h]
		mov	edi, 7FFFFFFFh
		lock and [eax],	edi
		test	byte ptr [ebx+16h], 20h
		jz	short loc_545617
		mov	ecx, [ebp+arg_10]
		call	MiFlushTbList
		test	byte ptr [ebx+16h], 8
		jz	short loc_545617
		lea	eax, [ebx+10h]
		lock and [eax],	edi
		mov	ebx, [ebp+var_8]
		mov	dl, [ebp+var_1]
		lea	ecx, [ebx+240h]
		call	MiUnlockWorkingSetExclusive
		push	offset _MiShortTime
		push	esi
		push	esi
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	al, [ebx+2A0h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_545603
		mov	ebx, offset unk_6D3C40
		jmp	short loc_545609
; 

loc_545603:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+3B2j
		sub	ebx, 0FFFFFD40h

loc_545609:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+3B9j
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	[ebx+4], esi
		jmp	loc_5453D8
; 

loc_545617:				; CODE XREF: MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+375j
					; MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+383j
		mov	ebx, [ebp+arg_14]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	2
		push	[ebp+arg_1C]
		push	dword ptr [ebx]
		call	_MiDuplicateCloneLeaf@20 ; MiDuplicateCloneLeaf(x,x,x,x,x)
		test	eax, eax
		jz	loc_5453D8
		mov	eax, [ebp+arg_C]
		or	dword ptr [ebx], 0FFFFFFFFh
		inc	dword ptr [eax]
		xor	eax, eax
		inc	eax
		jmp	loc_5453DA
_MiHandleForkTransitionPte@48 endp


;  S U B	R O U T	I N E 


; __stdcall MI_MAKE_PROTECT_WRITE_COPY(x)
_MI_MAKE_PROTECT_WRITE_COPY@4 proc near	; CODE XREF: .text:00543B8Dp
					; MiHandleForkTransitionPte(x,x,x,x,x,x,x,x,x,x,x,x)+1ACp ...
		mov	edx, [ecx]
		push	esi
		nop
		mov	esi, [ecx+4]
		mov	eax, edx
		and	eax, 80h
		or	eax, 0
		jz	short loc_545660
		or	edx, 20h
		mov	[ecx], edx
		nop
		mov	[ecx+4], esi

loc_545660:				; CODE XREF: MI_MAKE_PROTECT_WRITE_COPY(x)+11j
		pop	esi
		retn
_MI_MAKE_PROTECT_WRITE_COPY@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeClonePool(x)
_MiFreeClonePool@4 proc	near		; CODE XREF: MiDereferenceSegmentThread+D8p
					; MiProcessDereferenceList+8FC0Cp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		lea	eax, [ecx+478h]
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		mov	ecx, eax
		jmp	short loc_545695
; 

loc_545678:				; CODE XREF: MiFreeClonePool(x)+26j
					; MiFreeClonePool(x)+47j
		mov	ecx, ebx
		call	_MiUnlockPagedAddress@4	; MiUnlockPagedAddress(x)
		add	ebx, 1000h
		sub	edi, 1
		jnz	short loc_545678

loc_54568A:				; CODE XREF: MiFreeClonePool(x)+43j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_4]

loc_545695:				; CODE XREF: MiFreeClonePool(x)+14j
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_5456AB
		mov	edi, [esi+0Ch]
		test	edi, edi
		jz	short loc_54568A
		mov	ebx, esi
		jmp	short loc_545678
; 

loc_5456AB:				; CODE XREF: MiFreeClonePool(x)+3Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiFreeClonePool@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiUnlockPagedAddress(x)
_MiUnlockPagedAddress@4	proc near	; CODE XREF: MiFreeClonePool(x)+18p
					; MiFreeCombinePool(x)+79p ...
		mov	edi, edi
		push	ecx
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		push	ebx
		push	esi
		mov	edx, [ecx-40000000h]
		nop
		mov	eax, [ecx-3FFFFFFCh]
		nop
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		imul	esi, edx, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, esi
		mov	bl, al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, 7FFFFFFFh
		lea	ecx, [esi+10h]
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebx
		pop	ecx
		retn
_MiUnlockPagedAddress@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteCloneDescriptor(x, x)
_MiDeleteCloneDescriptor@8 proc	near	; CODE XREF: .text:004595CAp
					; .text:00472325p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, edx
		or	eax, 0FFFFFFFFh
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], esi
		mov	ecx, [ebx+1Ch]
		mov	[ebp+var_4], ecx
		lock xadd [ecx+4], eax
		dec	eax
		jnz	short loc_54577C
		mov	esi, [ebx+10h]
		sub	esi, [ebx+0Ch]
		mov	edx, [ecx+8]
		add	esi, 10h
		mov	eax, esi
		and	eax, 0FFFh
		neg	eax
		push	edi
		mov	edi, [ecx+0Ch]
		sbb	eax, eax
		neg	eax
		shr	esi, 0Ch
		add	eax, esi
		mov	[edx+0Ch], eax
		lea	ecx, [edi+478h]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		xor	esi, esi
		lea	eax, [edi+468h]
		push	esi
		push	esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, edi
		call	MiDecrementCloneHeaderCount
		push	esi
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_8]
		pop	edi

loc_54577C:				; CODE XREF: MiDeleteCloneDescriptor(x,x)+20j
		push	dword ptr [ebx+20h]
		push	esi
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		mov	ecx, [esi+24Ch]
		lea	edx, [ebx+24h]
		add	ecx, 90h
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		pop	esi
		pop	ebx
		leave
		retn
_MiDeleteCloneDescriptor@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDecrementCloneHeaderCount proc near	; CODE XREF: MiDeleteCloneDescriptor(x,x)+64p
					; MiDrainCrossPartitionUsage(x)+157p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DB4D4 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ecx
		push	ebx
		mov	[ebp+var_10], eax
		add	eax, 358h
		push	esi
		mov	[ebp+var_4], eax
		push	edi

loc_5457B6:				; CODE XREF: MiDecrementCloneHeaderCount+41j
					; MiDecrementCloneHeaderCount+46j
		mov	esi, [eax]
		mov	edi, esi
		mov	edx, [eax+4]
		sub	edi, 1
		mov	ecx, edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edi
		sbb	ecx, 0
		mov	eax, esi
		nop
		mov	ebx, edi
		mov	edi, [ebp+var_4]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_8]
		cmp	eax, esi
		mov	eax, [ebp+var_4]
		jnz	short loc_5457B6
		cmp	edx, [ebp+var_C]
		jnz	short loc_5457B6
		or	edi, ecx
		pop	edi
		pop	esi
		pop	ebx
		jz	loc_5DB4D4
		leave
		retn
MiDecrementCloneHeaderCount endp

; 
		align 10h

; __stdcall MiUpdateOldPte(x, x, x)
_MiUpdateOldPte@12:			; DATA XREF: MmUpdateOldWorkingSetPages+119o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		cmp	dword ptr [ebp+10h], 1
		push	ebx
		push	esi
		push	edi
		jge	loc_5459A0
		mov	edi, [ebp+8]
		mov	esi, [ebp+0Ch]
		mov	dword ptr [esp+18h], 0
		mov	dword ptr [esp+1Ch], 0
		mov	edi, [edi+10h]
		mov	ebx, [esi]
		mov	[esp+14h], edi
		nop
		mov	eax, [esi+4]
		mov	[esp+10h], eax
		nop
		mov	edx, ebx
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		test	dword ptr [eax+ecx*4+18h], (offset loc_7FFFFF+1)
		lea	eax, [eax+ecx*4]
		mov	[esp+18h], eax
		jnz	short loc_545892
		mov	eax, [eax+4]
		test	eax, eax
		js	short loc_545892
		jz	short loc_545892
		or	eax, 80000000h
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	_MiDemoteCombinedPte@12	; MiDemoteCombinedPte(x,x,x)
		cmp	eax, 1
		jnz	short loc_545892
		mov	ebx, [esi]
		nop
		mov	eax, [esi+4]
		mov	[esp+10h], eax

loc_545892:				; CODE XREF: .text:00545869j
					; .text:00545870j ...
		mov	edi, esi
		shl	edi, 9
		lea	eax, [edi+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	loc_545950
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	eax, [eax+ecx*4]
		shr	eax, 1
		and	al, 7

loc_5458DE:				; CODE XREF: .text:0054596Fj
		cmp	al, 6
		jnz	loc_5459A0
		mov	eax, [ebp+8]
		mov	ecx, [esp+18h]
		mov	esi, [eax+48h]
		mov	eax, [ecx+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	loc_545987
		test	[esi], al
		jz	short loc_54590E
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_545987

loc_54590E:				; CODE XREF: .text:00545903j
		mov	eax, [esp+10h]
		shrd	ebx, eax, 5
		and	ebx, 1
		mov	eax, ebx
		or	eax, 0
		jz	short loc_545974
		mov	eax, [esi+0A8h]
		test	eax, eax
		jz	short loc_545974
		cmp	edi, ds:_MmHighestUserAddress
		ja	short loc_545974
		mov	edx, edi
		mov	ecx, eax
		call	_MiInsertVmAccessedEntry@8 ; MiInsertVmAccessedEntry(x,x)
		test	eax, eax
		jz	short loc_545987
		push	dword ptr [ebp+8]
		call	MiUpdateOldWorkingSetPagesTail
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_545950:				; CODE XREF: .text:005458A2j
		mov	edx, [esp+14h]
		mov	ecx, edi
		shr	ecx, 0Ch
		movzx	eax, byte ptr [edx+60h]
		and	eax, 7
		add	ecx, dword_6D2E68[eax*4]
		mov	al, [ecx]
		and	al, 0Fh
		cmp	al, 0Ah
		jz	short loc_5459AB
		jmp	loc_5458DE
; 

loc_545974:				; CODE XREF: .text:0054591Ej
					; .text:00545928j ...
		or	ebx, 0
		jnz	short loc_545987
		mov	edx, [ebp+0Ch]
		push	esi
		push	ecx
		mov	ecx, [esp+1Ch]
		call	MiUpdateOldPteWorker

loc_545987:				; CODE XREF: .text:005458FBj
					; .text:0054590Cj ...
		inc	dword ptr [esi+0Ch]
		mov	eax, [esi+0Ch]
		cmp	eax, [esi+8]
		jb	short loc_5459A0
		mov	eax, 3
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_5459A0:				; CODE XREF: .text:00545812j
					; .text:005458E0j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_5459AB:				; CODE XREF: .text:0054596Dj
		push	ecx
		push	edx
		push	edi
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUpdateOldPteWorker proc near		; CODE XREF: .text:00545982p
					; MiUpdateOldPagesEPTCallback(x,x,x,x,x)+5Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DB4E8 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	edi, edx
		mov	ecx, [ebp+arg_0]
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		mov	esi, [ebp+arg_4]
		test	byte ptr [esi],	2
		mov	edx, [esi+4]
		jz	loc_5DB4E8
		cmp	edx, 8
		jnz	short loc_5459FC

loc_5459E5:				; CODE XREF: MiUpdateOldPteWorker+44j
		push	0
		lea	eax, [esi+10h]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_MiEmptyWorkingSetHelper@16 ; MiEmptyWorkingSetHelper(x,x,x,x)

loc_5459F4:				; CODE XREF: MiUpdateOldPteWorker+42j
					; MiUpdateOldPteWorker+95B2Ej ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_5459FC:				; CODE XREF: MiUpdateOldPteWorker+27j
		cmp	eax, edx
		jnz	short loc_5459F4
		jmp	short loc_5459E5
MiUpdateOldPteWorker endp


;  S U B	R O U T	I N E 


; __stdcall KeQueryOwnerMutant(x, x)
_KeQueryOwnerMutant@8 proc near		; CODE XREF: NtQueryMutant+ABp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bl, al
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [edi+18h]
		test	edx, edx
		jnz	short loc_545A3B

loc_545A28:				; CODE XREF: KeQueryOwnerMutant(x,x)+4Aj
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_545A3B:				; CODE XREF: KeQueryOwnerMutant(x,x)+24j
		mov	ecx, [edx+2ACh]
		mov	[esi], ecx
		mov	ecx, [edx+2B0h]
		mov	[esi+4], ecx
		jmp	short loc_545A28
_KeQueryOwnerMutant@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspHandleTableWalker proc near		; DATA XREF: PAGE:0083E764o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005DB4FA SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	esi
		inc	ecx
		lock xadd [eax], ecx
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+arg_4]
		xor	esi, esi
		add	ecx, 20h
		mov	[ebp+arg_4], esi
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], esi
		jnz	loc_5DB4FA

loc_545A79:				; CODE XREF: PspHandleTableWalker+95AB4j
		mov	edx, [ebp+arg_C]
		mov	esi, [edx+8]
		cmp	esi, [edx+4]
		jnb	short loc_545A96
		mov	ecx, [edx]
		mov	eax, [ebp+arg_8]
		mov	[ecx+esi*4], eax
		inc	dword ptr [edx+8]
		xor	al, al

loc_545A91:				; CODE XREF: PspHandleTableWalker+4Aj
		pop	esi
		pop	ebp
		retn	10h
; 

loc_545A96:				; CODE XREF: PspHandleTableWalker+34j
		mov	al, 1
		jmp	short loc_545A91
PspHandleTableWalker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDecrementCloneBlockReference proc near ; CODE	XREF: MiCopyOnWrite(x,x,x,x)+AD2p
					; .text:0047333Cp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DB507 SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+140h]
		mov	esi, ecx
		mov	[ebp+var_4], edx
		test	eax, eax
		jnz	loc_5DB507

loc_545ABB:				; CODE XREF: MiDecrementCloneBlockReference+95A74j
		mov	eax, [esi+1Ch]
		or	edi, 0FFFFFFFFh
		mov	ecx, [eax+0Ch]
		mov	eax, edi
		mov	[ebp+var_8], ecx
		lock xadd [edx+0Ch], eax
		dec	eax
		jz	short loc_545B0D
		push	4
		pop	ebx

loc_545AD4:				; CODE XREF: MiDecrementCloneBlockReference+7Dj
		mov	eax, [ebp+arg_0]
		mov	ecx, esi
		mov	eax, [eax+24Ch]
		push	dword ptr [eax+8Ch]
		push	dword ptr [eax+88h]
		call	_MI_IS_CLONE_COMMIT_CHARGED@12 ; MI_IS_CLONE_COMMIT_CHARGED(x,x,x)
		test	eax, eax
		jz	loc_5DB524

loc_545AF8:				; CODE XREF: MiDecrementCloneBlockReference+95AB3j
		lock xadd [esi+18h], edi
		dec	edi
		jz	loc_5DB552

loc_545B04:				; CODE XREF: MiDecrementCloneBlockReference+95AC2j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_545B0D:				; CODE XREF: MiDecrementCloneBlockReference+35j
		call	MiDeleteMergedPte
		mov	edx, [ebp+var_4]
		mov	ebx, eax
		jmp	short loc_545AD4
MiDecrementCloneBlockReference endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MI_IS_CLONE_COMMIT_CHARGED(x, x, x)
_MI_IS_CLONE_COMMIT_CHARGED@12 proc near ; CODE	XREF: MiDecrementCloneBlockReference+51p
					; MiSplitReducedCommitClonePage(x)+135p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		cmp	eax, [ecx+2Ch]
		jb	short loc_545B31
		ja	short loc_545B38
		mov	eax, [ebp+arg_0]
		cmp	eax, [ecx+28h]
		ja	short loc_545B38

loc_545B31:				; CODE XREF: MI_IS_CLONE_COMMIT_CHARGED(x,x,x)+Bj
		xor	eax, eax
		inc	eax

loc_545B34:				; CODE XREF: MI_IS_CLONE_COMMIT_CHARGED(x,x,x)+20j
		pop	ebp
		retn	8
; 

loc_545B38:				; CODE XREF: MI_IS_CLONE_COMMIT_CHARGED(x,x,x)+Dj
					; MI_IS_CLONE_COMMIT_CHARGED(x,x,x)+15j
		xor	eax, eax
		jmp	short loc_545B34
_MI_IS_CLONE_COMMIT_CHARGED@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeleteMergedPte proc near		; CODE XREF: .text:004722A7p
					; MiDecrementCloneBlockReference:loc_545B0Dp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 005DB561 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		mov	byte ptr [ebp+var_1], 0
		mov	esi, [edi]
		nop
		or	esi, [edi+4]
		jz	short loc_545B8B
		lea	edx, [ebp+var_1]
		mov	ecx, edi
		call	MiLockProtoPoolPage
		mov	ecx, edi
		mov	[ebp+var_C], eax
		call	_MiTryDeleteTransitionPte@8 ; MiTryDeleteTransitionPte(x,x)
		xor	edx, edx
		mov	ebx, eax
		inc	edx
		cmp	ebx, edx
		jz	loc_5DB561

loc_545B79:				; CODE XREF: MiDeleteMergedPte+95A35j
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, [ebp+var_C]
		call	MiUnlockProtoPoolPage
		mov	eax, ebx

loc_545B86:				; CODE XREF: MiDeleteMergedPte+51j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_545B8B:				; CODE XREF: MiDeleteMergedPte+1Aj
		xor	eax, eax
		jmp	short loc_545B86
MiDeleteMergedPte endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUpdateOldWorkingSetPagesTail proc near ; CODE	XREF: .text:00545942p
					; DATA XREF: MmUpdateOldWorkingSetPages+121o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DB576 SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, [edi+48h]

loc_545BA2:				; CODE XREF: MiUpdateOldWorkingSetPagesTail+95A12j
		cmp	dword ptr [esi+1Ch], 0
		jnz	short loc_545BC1

loc_545BA8:				; CODE XREF: MiUpdateOldWorkingSetPagesTail+3Ej
		mov	edx, [esi+0A8h]
		test	edx, edx
		jnz	loc_5DB576

loc_545BB6:				; CODE XREF: MiUpdateOldWorkingSetPagesTail+959E9j
					; MiUpdateOldWorkingSetPagesTail+959F9j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_545BC1:				; CODE XREF: MiUpdateOldWorkingSetPagesTail+16j
		mov	ecx, [edi+10h]
		lea	edx, [esi+10h]
		push	0
		call	MiFreeWsleList
		jmp	short loc_545BA8
MiUpdateOldWorkingSetPagesTail endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStTrimWsStore proc near ; CODE	XREF: SmStoreCompressionStop+BBp
					; SmProcessSystemStoreTrimRequest(x,x,x)+B0p

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_44		= dword	ptr -44h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DB5A7 SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+84h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[esp+90h+var_78], edx
		push	6
		pop	ecx
		xor	eax, eax
		mov	[esp+90h+var_74], ebx
		lea	edi, [esp+90h+var_5C]
		xor	edx, edx
		rep stosd
		push	8
		pop	ecx
		lea	edi, [esp+90h+var_44]
		rep stosd
		mov	ecx, [ebx+125Ch]
		lea	eax, [esp+90h+var_5C]
		push	eax
		call	KiStackAttachProcess
		test	byte ptr [ebx+10F5h], 8
		jnz	loc_545F70
		lea	eax, [ebx+1254h]
		or	ebx, 0FFFFFFFFh
		mov	[esp+90h+var_60], eax
		xchg	ebx, [eax]
		mov	[esp+90h+var_68], ebx
		cmp	ebx, 0FFFFFFFFh
		jz	loc_5DB5A7
		xor	esi, esi
		test	ebx, ebx
		jz	loc_545F67
		cmp	[ebx], esi
		jz	loc_545F67
		cmp	[esp+90h+var_78], esi
		jnz	loc_545F67
		lea	ecx, [ebx+4]
		mov	[esp+90h+var_84], ecx

loc_545C6B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+39Bj
		mov	eax, large fs:124h
		mov	[esp+90h+var_80], esi
		dec	word ptr [eax+13Eh]
		nop
		mov	eax, [esp+90h+var_74]
		xor	edx, edx
		add	eax, 10F8h
		mov	ecx, eax
		mov	[esp+90h+var_64], eax
		call	ExAcquirePushLockSharedEx
		mov	ecx, [esp+90h+var_84]
		test	ecx, ecx
		jz	loc_545DDA
		mov	edi, esi

loc_545CA1:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+197j
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStore+1E7j
		mov	eax, [ecx]
		mov	[esp+90h+var_70], eax
		cmp	eax, edi
		jbe	loc_545DD6
		mov	ecx, [ecx+4]
		dec	eax
		shr	eax, 5
		mov	ebx, edi
		lea	eax, [ecx+eax*4]
		mov	[esp+90h+var_6C], eax
		mov	eax, edi
		shr	eax, 5
		lea	edx, [ecx+eax*4]
		cmp	edx, [esp+90h+var_6C]
		jz	short loc_545CE8
		mov	ecx, edi
		and	ecx, 1Fh
		mov	[esp+90h+var_7C], ecx
		mov	ecx, ds:dword_40BA68[ecx*4]
		or	ecx, [edx]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_545F1A

loc_545CE8:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+FBj
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStore+35Cj ...
		mov	eax, [esp+90h+var_70]
		cmp	ebx, eax
		jnb	short loc_545D01
		mov	ecx, [esp+90h+var_84]
		mov	ecx, [ecx+4]

loc_545CF7:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+12Fj
		bt	[ecx], ebx
		jnb	short loc_545D01
		inc	ebx
		cmp	ebx, eax
		jb	short loc_545CF7

loc_545D01:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+11Ej
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStore+12Aj
		mov	edi, esi
		cmp	edx, [esp+90h+var_6C]
		jz	short loc_545D25
		mov	ecx, [edx]
		mov	eax, ebx
		and	eax, 1Fh
		mov	[esp+90h+var_70], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		jz	loc_545F43

loc_545D25:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+137j
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStore+392j ...
		mov	ecx, [esp+90h+var_84]
		lea	eax, [edi+ebx]
		mov	edx, [ecx]
		cmp	eax, edx
		jnb	short loc_545D49
		mov	ecx, [ecx+4]

loc_545D35:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+173j
		bt	[ecx], eax
		jb	short loc_545D45
		cmp	edi, 0FFFFFFFFh
		jnb	short loc_545D45
		inc	eax
		inc	edi
		cmp	eax, edx
		jb	short loc_545D35

loc_545D45:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+168j
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStore+16Dj ...
		mov	ecx, [esp+90h+var_84]

loc_545D49:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+160j
		mov	[esp+90h+var_7C], ebx
		cmp	edi, 0FFFFFFFFh
		ja	loc_5DB5CD

loc_545D56:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+95A00j
		test	edi, edi
		jz	short loc_545DD6
		lea	eax, [edi+ebx]
		mov	edi, [esp+90h+var_7C]
		mov	[esp+90h+var_70], eax
		cmp	ebx, eax
		jnb	loc_545CA1
		mov	ebx, [esp+90h+var_74]

loc_545D71:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+1E1j
		mov	eax, [ebx+1184h]
		mov	eax, [eax+edi*4]
		test	eax, 7FFF0000h
		jz	short loc_545DAC
		test	eax, eax
		js	short loc_545DAC
		mov	edx, [esp+90h+var_80]
		push	4
		push	ecx
		push	esi
		mov	[esp+edx*4+9Ch+var_24],	edi
		mov	ecx, ebx
		mov	edx, edi
		call	?SmStMapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)
		mov	ecx, [esp+90h+var_80]
		mov	[esp+ecx*4+90h+var_44],	eax
		inc	ecx
		mov	[esp+90h+var_80], ecx
		cmp	ecx, 8
		jz	short loc_545DBC

loc_545DAC:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+1AFj
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStore+1B3j ...
		inc	edi
		cmp	edi, [esp+90h+var_70]
		jb	short loc_545D71
		mov	ecx, [esp+90h+var_84]
		jmp	loc_545CA1
; 

loc_545DBC:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+1DAj
		push	esi
		push	ecx
		push	8
		lea	eax, [esp+9Ch+var_44]
		mov	ecx, ebx
		push	eax
		lea	edx, [esp+0A0h+var_24]
		call	SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch
		mov	[esp+90h+var_80], esi
		jmp	short loc_545DAC
; 

loc_545DD6:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+D9j
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStore+188j
		mov	ebx, [esp+90h+var_68]

loc_545DDA:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+C9j
		mov	eax, [esp+90h+var_74]
		mov	edi, esi
		mov	ecx, [esp+90h+var_78]
		mov	[esp+90h+var_7C], ecx
		cmp	[eax+1180h], esi
		jbe	short loc_545E11

loc_545DF0:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+23Fj
		mov	eax, [eax+1184h]
		mov	eax, [eax+edi*4]
		test	eax, 7FFF0000h
		jnz	loc_545E8A

loc_545E04:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+2BCj
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStore+2E4j ...
		mov	eax, [esp+90h+var_74]
		inc	edi
		cmp	edi, [eax+1180h]
		jb	short loc_545DF0

loc_545E11:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+21Ej
		mov	edx, [esp+90h+var_80]
		test	edx, edx
		jz	short loc_545E36
		neg	ecx
		lea	edi, [esp+90h+var_7C]
		sbb	ecx, ecx
		and	ecx, edi
		push	ecx
		push	ecx
		push	edx
		lea	ecx, [esp+9Ch+var_44]
		push	ecx
		lea	edx, [esp+0A0h+var_24]
		mov	ecx, eax
		call	SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch

loc_545E36:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+247j
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStore+95A09j
		mov	edi, [esp+90h+var_64]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_545E4F
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_545E4F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+276j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [esp+90h+var_60]
		xchg	ebx, [eax]

loc_545E68:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+3A2j
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStore+959DCj
		xor	edx, edx
		lea	ecx, [esp+90h+var_5C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [esp+90h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_545E8A:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+22Ej
		test	eax, eax
		js	loc_545E04
		mov	eax, [esp+90h+var_84]
		test	eax, eax
		jz	short loc_545EB9
		mov	eax, [eax+4]
		mov	edx, edi
		shr	edx, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jnz	short loc_545EB9

loc_545EB0:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+310j
		mov	ecx, [esp+90h+var_78]
		jmp	loc_545E04
; 

loc_545EB9:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+2C8j
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStore+2DEj
		mov	edx, [esp+90h+var_80]
		push	4
		push	ecx
		mov	ecx, [esp+98h+var_74]
		mov	[esp+edx*4+98h+var_24],	edi
		mov	edx, edi
		push	esi
		call	?SmStMapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)
		mov	edx, [esp+90h+var_80]
		mov	[esp+edx*4+90h+var_44],	eax
		inc	edx
		mov	[esp+90h+var_80], edx
		cmp	edx, 8
		jnz	short loc_545EB0
		mov	eax, [esp+90h+var_78]
		lea	ecx, [esp+90h+var_7C]
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		push	eax
		push	ecx
		mov	ecx, [esp+98h+var_74]
		lea	eax, [esp+98h+var_44]
		push	edx
		push	eax
		lea	edx, [esp+0A0h+var_24]
		call	SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch
		mov	ecx, [esp+90h+var_78]
		mov	[esp+90h+var_80], esi
		test	ecx, ecx
		jz	loc_545E04
		jmp	loc_5DB5D5
; 

loc_545F1A:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+112j
		mov	eax, [esp+90h+var_6C]
		mov	ebx, edi
		sub	ebx, [esp+90h+var_7C]
		add	ebx, 20h
		add	edx, 4

loc_545F2A:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+371j
		cmp	edx, eax
		jnb	loc_545CE8
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	loc_545CE8
		add	edx, 4
		add	ebx, 20h
		jmp	short loc_545F2A
; 

loc_545F43:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+14Fj
		push	20h
		pop	edi
		sub	edi, [esp+90h+var_70]
		cmp	edi, 0FFFFFFFFh
		jnb	loc_545D45
		mov	ecx, [esp+90h+var_6C]
		add	edx, 4

loc_545F5A:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+959F8j
		cmp	edx, ecx
		jb	loc_5DB5B1
		jmp	loc_545D25
; 

loc_545F67:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+7Cj
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStore+84j ...
		mov	[esp+90h+var_84], esi
		jmp	loc_545C6B
; 

loc_545F70:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+56j
		xor	esi, esi
		jmp	loc_545E68
SMKM_STORE_SM_TRAITS___SmStTrimWsStore endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+1FBp
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStore+261p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005DB5E4 SIZE 00000118 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	[ebp+var_24], edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_20], eax
		push	11h
		lea	ebx, [eax+10F8h]
		mov	[ebp+var_4], edi
		xor	esi, esi
		pop	eax
		lock cmpxchg [ebx], esi
		cmp	eax, 11h
		jz	short loc_545FAB
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_545FAB:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+2Aj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ebx, [ebp+var_20]
		mov	esi, [ebp+arg_4]
		mov	ebx, [ebx+117Ch]
		mov	[ebp+var_14], ebx
		cmp	[ebp+arg_C], edi
		jnz	loc_5DB5E4
		mov	ebx, edi
		test	esi, esi
		jz	short loc_545FFD
		mov	edi, [ebp+arg_0]

loc_545FDF:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+81j
		mov	eax, [edi+ebx*4]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_14]
		push	1
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	0FFFFFFFFh
		call	_ZwUnlockVirtualMemory@16 ; ZwUnlockVirtualMemory(x,x,x,x)
		inc	ebx
		cmp	ebx, esi
		jb	short loc_545FDF
		xor	edi, edi

loc_545FFD:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+62j
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+95699j ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	ebx, [ebp+var_20]
		xor	edx, edx
		lea	ecx, [ebx+10F8h]
		call	ExAcquirePushLockSharedEx
		test	esi, esi
		jz	short loc_546036

loc_54601F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+BCj
		mov	eax, [ebp+var_24]
		mov	ecx, ebx
		push	2
		sub	esp, 0Ch
		mov	edx, [eax+edi*4]
		call	?SmStUnmapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ; SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)
		inc	edi
		cmp	edi, esi
		jb	short loc_54601F

loc_546036:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+A5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiForcedTrim	proc near		; CODE XREF: MiPreUnlockWorkingSetShared+B7p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DB6FC SIZE 000000CF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, dword_6D5D40
		push	ebx
		push	esi
		push	edi
		push	6
		mov	[ebp+var_24], edx
		mov	edi, ecx
		pop	edx
		mov	ecx, offset _MiSystemPartition
		mov	[ebp+var_1C], eax
		xor	ebx, ebx
		call	_MiGetAvailablePagesBelowPriority@8 ; MiGetAvailablePagesBelowPriority(x,x)
		mov	esi, [ebp+var_1C]
		mov	ecx, [edi+48h]
		mov	[ebp+var_18], eax
		mov	eax, [edi+0Ch]
		mov	esi, [esi+4DCh]
		mov	eax, [eax+14h]
		cmp	ecx, eax
		jbe	short loc_5460EF
		sub	ecx, eax
		mov	[ebp+var_10], 64h
		mov	eax, dword_6D5D88
		xor	edx, edx
		mov	[ebp+var_8], eax
		imul	eax, ecx, 0Fh
		div	[ebp+var_10]
		xor	edx, edx
		mov	[ebp+var_20], eax
		inc	edx
		lea	eax, [edi+1Ch]

loc_5460A0:				; CODE XREF: MiForcedTrim+70j
		add	ebx, [eax]
		cmp	ebx, [ebp+var_20]
		jnb	short loc_5460B0
		inc	edx
		add	eax, 4
		cmp	edx, 8
		jb	short loc_5460A0

loc_5460B0:				; CODE XREF: MiForcedTrim+67j
		mov	al, [edi+60h]
		and	al, 7
		mov	[ebp+var_C], ebx
		push	0
		mov	[ebp+var_1], al
		pop	ebx
		jnz	loc_5DB6FC

loc_5460C4:				; CODE XREF: MiForcedTrim+956FCj
					; MiForcedTrim+95704j
		mov	eax, [ebp+var_18]
		cmp	eax, esi
		jb	loc_5DB747

loc_5460CF:				; CODE XREF: MiForcedTrim+95730j
					; MiForcedTrim+9574Cj ...
		mov	eax, [ebp+var_20]
		cmp	[ebp+var_C], eax
		jb	loc_5DB7AD
		test	dword ptr [edi+4], 3FFFh
		jz	loc_5DB7AD

loc_5460E8:				; CODE XREF: MiForcedTrim+95788j
		mov	eax, ebx

loc_5460EA:				; CODE XREF: MiForcedTrim+B3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5460EF:				; CODE XREF: MiForcedTrim+3Ej
		xor	eax, eax
		jmp	short loc_5460EA
MiForcedTrim	endp

; 
		align 8
; Exported entry 1665. PoCpuIdledSinceLastCallImprecise

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoCpuIdledSinceLastCallImprecise(x,	x)
		public _PoCpuIdledSinceLastCallImprecise@8
_PoCpuIdledSinceLastCallImprecise@8 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		xor	eax, eax
		inc	eax
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		jz	short locret_546154
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		lea	esi, [ecx+3D80h]
		xor	edx, edx
		mov	eax, [edi]
		mov	[ebp+var_4], eax
		mov	eax, [edi+4]
		mov	[ebp+arg_4], eax
		xor	eax, eax
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [esi]
		mov	[edi], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+4], edx
		mov	ecx, [eax+3D88h]
		mov	eax, [eax+3D8Ch]
		or	ecx, eax
		jz	short loc_546158

loc_54614E:				; CODE XREF: PoCpuIdledSinceLastCallImprecise(x,x)+66j
					; PoCpuIdledSinceLastCallImprecise(x,x)+6Fj
		xor	eax, eax
		inc	eax

loc_546151:				; CODE XREF: PoCpuIdledSinceLastCallImprecise(x,x)+73j
		pop	edi
		pop	esi
		pop	ebx

locret_546154:				; CODE XREF: PoCpuIdledSinceLastCallImprecise(x,x)+18j
		leave
		retn	8
; 

loc_546158:				; CODE XREF: PoCpuIdledSinceLastCallImprecise(x,x)+54j
		mov	eax, [edi+4]
		cmp	eax, [ebp+arg_4]
		ja	short loc_54614E
		jb	short loc_546169
		mov	eax, [edi]
		cmp	eax, [ebp+var_4]
		ja	short loc_54614E

loc_546169:				; CODE XREF: PoCpuIdledSinceLastCallImprecise(x,x)+68j
		xor	al, al
		jmp	short loc_546151
_PoCpuIdledSinceLastCallImprecise@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspUnlockThreadSecurityShared(x, x)
_PspUnlockThreadSecurityShared@8 proc near ; CODE XREF:	sub_82E197+8p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	11h
		mov	ebx, edx
		lea	edi, [ecx+2F0h]
		xor	esi, esi
		pop	eax
		lock cmpxchg [edi], esi
		cmp	eax, 11h
		jnz	short loc_54619A

loc_546189:				; CODE XREF: PspUnlockThreadSecurityShared(x,x)+33j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		mov	ecx, ebx
		pop	ebx
		jmp	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
; 

loc_54619A:				; CODE XREF: PspUnlockThreadSecurityShared(x,x)+19j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_546189
_PspUnlockThreadSecurityShared@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmpProcessQueryStoreStats(x, x)
_SmpProcessQueryStoreStats@8 proc near	; CODE XREF: SmQueryStoreCommitUsage(x,x)+39p
					; SmProcessQueryStoreStats+45p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], eax
		cmp	ecx, ds:dword_718460
		jz	short loc_546208
		push	eax
		mov	[ebp+var_4], ecx
		lea	edx, [ebp+var_4]
		push	eax
		mov	ecx, offset unk_718478
		call	_SmpKeyedStoreEntryGet@16 ; SmpKeyedStoreEntryGet(x,x,x,x)
		test	eax, eax
		jnz	short loc_5461DA

loc_5461D2:				; CODE XREF: SmpProcessQueryStoreStats(x,x)+3Dj
		mov	eax, 0C0000225h

loc_5461D7:				; CODE XREF: SmpProcessQueryStoreStats(x,x)+62j
		pop	esi
		leave
		retn
; 

loc_5461DA:				; CODE XREF: SmpProcessQueryStoreStats(x,x)+2Cj
		movzx	edx, word ptr [eax+8]

loc_5461DE:				; CODE XREF: SmpProcessQueryStoreStats(x,x)+6Aj
		cmp	edx, 0FFFFFFFFh
		jz	short loc_5461D2
		and	edx, 3FFh
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		mov	[ebp+var_8], 600h
		mov	ecx, [eax]
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	?SmStGetStoreStats@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU1@W4_ST_STATS_LEVEL@@PAU_ST_STATS@@PAK@Z ; SMKM_STORE<SM_TRAITS>::SmStGetStoreStats(SMKM_STORE<SM_TRAITS> *,_ST_STATS_LEVEL,_ST_STATS *,ulong *)
		jmp	short loc_5461D7
; 

loc_546208:				; CODE XREF: SmpProcessQueryStoreStats(x,x)+16j
		mov	edx, ds:dword_718490
		jmp	short loc_5461DE
_SmpProcessQueryStoreStats@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmUpdateOldWorkingSetPages proc	near	; CODE XREF: PfpDeprioritizeOldPagesInWs+E2p

var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= byte ptr -224h
var_222		= byte ptr -222h
var_218		= dword	ptr -218h
var_210		= dword	ptr -210h
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1C8		= dword	ptr -1C8h
var_1C4		= word ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_130		= dword	ptr -130h
var_128		= dword	ptr -128h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005DB7CB SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 234h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+234h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		pop	eax
		mov	esi, ecx
		mov	[esp+240h+var_230], edx
		mov	ecx, eax
		mov	[esp+240h+var_22C], esi
		xor	eax, eax
		lea	edi, [esp+240h+var_128]
		push	0ACh		; size_t
		rep stosd
		xor	ebx, ebx
		lea	eax, [esp+244h+var_1D8]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		push	4Ch		; size_t
		lea	eax, [esp+250h+var_228]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		push	108h		; size_t
		lea	eax, [esp+25Ch+var_110]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		add	esp, 24h
		cmp	[eax+80h], esi
		jz	loc_5463AB
		lea	eax, [esp+240h+var_128]
		xor	edi, edi
		push	eax
		xor	edx, edx
		mov	ecx, esi
		inc	edi
		call	KiStackAttachProcess

loc_5462A4:				; CODE XREF: MmUpdateOldWorkingSetPages+19Dj
		mov	eax, [esp+240h+var_1D8]
		add	esi, 240h
		test	[ebp+arg_0], 2
		jz	short loc_5462BB
		or	eax, 1
		mov	[esp+240h+var_1D8], eax

loc_5462BB:				; CODE XREF: MmUpdateOldWorkingSetPages+A2j
		test	[ebp+arg_0], 1
		jz	short loc_5462C8
		or	eax, 2
		mov	[esp+240h+var_1D8], eax

loc_5462C8:				; CODE XREF: MmUpdateOldWorkingSetPages+AFj
		mov	eax, [esp+240h+var_230]
		mov	ecx, esi
		mov	[esp+240h+var_1D4], eax
		mov	[esp+240h+var_1BC], ebx
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		test	byte ptr [esi+60h], 7
		mov	[esp+240h+var_1C8], eax
		mov	[esp+240h+var_1C4], 4
		mov	[esp+240h+var_1B8], ebx
		mov	[esp+240h+var_1C0], 21h
		mov	[esp+240h+var_1B4], ebx
		jnz	short loc_546314
		cmp	[esi+1A4h], ebx
		jnz	loc_5DB7CB

loc_546314:				; CODE XREF: MmUpdateOldWorkingSetPages+F6j
					; MmUpdateOldWorkingSetPages+955D4j
		or	[esp+240h+var_210], 0FFFFFFFFh
		lea	eax, [esp+240h+var_1D8]
		push	6
		mov	[esp+244h+var_1E0], eax
		pop	eax
		mov	word ptr [esp+240h+var_228], ax
		mov	[esp+240h+var_1E8], offset _MiUpdateOldPte@12 ;	MiUpdateOldPte(x,x,x)
		mov	[esp+240h+var_1E4], offset MiUpdateOldWorkingSetPagesTail
		mov	[esp+240h+var_218], esi
		mov	[esp+240h+var_224], al
		call	MiLockWorkingSetShared
		mov	dl, al
		mov	eax, [esp+240h+var_22C]
		mov	[esp+240h+var_222], dl
		test	byte ptr [eax+0FCh], 20h
		jnz	short loc_5463A4
		mov	eax, [esi+30h]
		mov	[esp+240h+var_1D0], eax
		test	eax, eax
		jz	short loc_546371
		lea	ecx, [esp+240h+var_228]
		call	MiWalkPageTables
		mov	dl, [esp+240h+var_222]

loc_546371:				; CODE XREF: MmUpdateOldWorkingSetPages+152j
					; MmUpdateOldWorkingSetPages+199j
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		cmp	edi, 1
		jnz	short loc_54638B
		xor	edx, edx
		lea	ecx, [esp+240h+var_128]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_54638B:				; CODE XREF: MmUpdateOldWorkingSetPages+16Bj
		mov	ecx, [esp+240h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_5463A4:				; CODE XREF: MmUpdateOldWorkingSetPages+147j
		mov	ebx, 0C000010Ah
		jmp	short loc_546371
; 

loc_5463AB:				; CODE XREF: MmUpdateOldWorkingSetPages+7Aj
		mov	edi, ebx
		jmp	loc_5462A4
MmUpdateOldWorkingSetPages endp


;  S U B	R O U T	I N E 


; __stdcall PspLockThreadSecurityShared(x, x)
_PspLockThreadSecurityShared@8 proc near ; CODE	XREF: NtQueryInformationThread+763p
		dec	word ptr [edx+13Ch]
		nop
		add	ecx, 2F0h
		xor	edx, edx
		jmp	ExAcquirePushLockSharedEx
_PspLockThreadSecurityShared@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpFailLogging	proc near		; CODE XREF: .text:005296D6p
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+14FAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h

; FUNCTION CHUNK AT 005DB7E9 SIZE 0000014E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_8]
		mov	ch, cl
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_8], edx
		push	edi
		mov	edi, [edx+164h]
		mov	[ebp+var_1], ch
		mov	[ebp+var_C], edi
		cmp	[eax+0C0h], ebx
		ja	short loc_546407

loc_5463F1:				; CODE XREF: EtwpFailLogging+9556Aj
		mov	cl, [ebp+arg_C]
		movzx	eax, cl
		bsf	esi, eax
		jnz	loc_5DB878
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_546407:				; CODE XREF: EtwpFailLogging+27j
		lea	esi, [eax+8]
		jmp	loc_5DB7E9
EtwpFailLogging	endp

; 
		align 10h

;  S U B	R O U T	I N E 


EtwpUpdateEventsLostCount proc near	; CODE XREF: EtwpReserveTraceBuffer+273p
					; EtwpLogKernelEvent+12E1D1p ...

; FUNCTION CHUNK AT 005DB937 SIZE 0000000B BYTES

		mov	edi, edi
		lock inc dword ptr [ecx+0A8h]
		test	byte ptr [ecx+258h], 8
		jnz	loc_5DB937
		retn
EtwpUpdateEventsLostCount endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteDeferredCloneDescriptors(x)
_MiDeleteDeferredCloneDescriptors@4 proc near ;	CODE XREF: MiGetVadWakeList+202p
					; MiDeleteVad(x,x,x)+25Ap ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	ecx, [esi+24Ch]
		add	ecx, 90h
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_54646C
		lea	eax, [esi+148h]
		mov	[ebp+var_4], eax

loc_546455:				; CODE XREF: MiDeleteDeferredCloneDescriptors(x)+42j
		lea	esi, [edi-24h]
		mov	edi, [edi]
		push	esi
		push	eax
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	eax, [ebp+var_4]
		mov	[esi], ebx
		mov	ebx, esi
		test	edi, edi
		jnz	short loc_546455

loc_54646C:				; CODE XREF: MiDeleteDeferredCloneDescriptors(x)+22j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_MiDeleteDeferredCloneDescriptors@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpMemoryListQuery proc	near		; CODE XREF: PAGE:0077D3BAp

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DB942 SIZE 0000000F BYTES

		push	74h
		push	offset dword_6A4648
		call	__SEH_prolog4
		mov	[ebp+var_1D], dl
		mov	ebx, ecx
		push	58h		; size_t
		xor	esi, esi
		push	esi		; int
		lea	eax, [ebp+var_84]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_24], esi
		push	40h
		pop	ecx
		cmp	[ebx+10h], ecx
		jb	loc_5DB942
		lea	eax, [ebp+var_24]
		push	eax
		push	ecx
		push	58h
		lea	edx, [ebp+var_84]
		or	ecx, 0FFFFFFFFh
		call	MmQueryMemoryListInformation
		mov	edi, [ebx+0Ch]
		mov	[ebp+ms_exc.disabled], esi
		cmp	[ebp+var_1D], 0
		jz	short loc_5464D4
		push	8
		push	dword ptr [ebx+10h]
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_5464D4:				; CODE XREF: PfpMemoryListQuery+53j
		xor	eax, eax
		inc	eax
		mov	[edi], eax
		push	40h
		pop	edx
		mov	[edi+4], edx
		mov	[edi+8], eax
		and	dword ptr [edi+10h], 0FFFFFF00h
		mov	eax, [ebp+var_60]
		add	eax, [ebp+var_70]
		add	eax, [ebp+var_6C]
		add	eax, [ebp+var_68]
		add	eax, [ebp+var_64]
		mov	[edi+18h], eax
		mov	[edi+1Ch], esi
		mov	eax, [ebp+var_5C]
		mov	[edi+20h], eax
		mov	[edi+24h], esi
		mov	eax, [ebp+var_54]
		add	eax, [ebp+var_58]
		mov	[edi+28h], eax
		mov	[edi+2Ch], esi
		mov	eax, [ebp+var_84]
		add	eax, [ebp+var_80]
		mov	[edi+30h], eax
		mov	[edi+34h], esi
		mov	eax, [ebp+var_78]
		add	eax, [ebp+var_7C]
		mov	[edi+38h], eax
		mov	[edi+3Ch], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+arg_0]
		mov	[eax], edx

loc_54653A:				; CODE XREF: PfpMemoryListQuery+954D8j
					; sub_5DB95F+Dj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PfpMemoryListQuery endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiStoreLogWriteDisabled	proc near	; CODE XREF: MiStoreWriteModifiedPages+8F1p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DB971 SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, dword_6D35BC
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_546589
		cmp	dword ptr [esi], 5
		jbe	short loc_546589
		push	0
		push	2
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_5DB971

loc_546589:				; CODE XREF: MiStoreLogWriteDisabled+21j
					; MiStoreLogWriteDisabled+26j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
MiStoreLogWriteDisabled	endp


;  S U B	R O U T	I N E 


; __stdcall MI_CLEAR_RESET_PTE(x)
_MI_CLEAR_RESET_PTE@4 proc near		; CODE XREF: MiActOnPte(x,x,x,x,x,x,x,x)+31Bp
					; MiActOnPte(x,x,x,x,x,x,x,x)+44Fp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi]
		nop
		mov	eax, [esi+4]
		push	eax
		push	edx
		push	0
		push	0
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	[esi], eax
		mov	[esi+4], edx
		pop	esi
		retn
_MI_CLEAR_RESET_PTE@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCopyOnWriteCheckConditions proc near	; CODE XREF: MiSplitPrivatePage(x,x,x)+3BFp
					; MiCopyToUserVa(x,x,x,x)+25Bp	...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DB9B6 SIZE 0000008A BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		cmp	edx, 0C0000434h
		jnz	loc_5DBA01
		test	byte ptr [ecx+60h], 7
		jnz	loc_54675E
		mov	edi, large fs:124h
		mov	[ebp+var_28], edi
		mov	esi, [edi+80h]
		mov	eax, [esi+140h]
		test	eax, eax
		jz	loc_54675E
		cmp	eax, edi
		jz	loc_54675E
		dec	word ptr [edi+13Eh]
		nop
		add	esi, 134h
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_8], esi
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [edi+304h], 1
		nop
		and	byte ptr [edi+304h], 0FEh
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_54677F

loc_54664D:				; CODE XREF: MiCopyOnWriteCheckConditions+1D0j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	esi, 7FFFFFFCh
		jz	loc_546756
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_54668D
		cmp	byte ptr dword_6D3994[ecx], 1
		jz	loc_546767

loc_54668D:				; CODE XREF: MiCopyOnWriteCheckConditions+C8j
		cmp	eax, [ebp+var_20]
		jb	short loc_54669F
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_546767

loc_54669F:				; CODE XREF: MiCopyOnWriteCheckConditions+DAj
					; MiCopyOnWriteCheckConditions+1C4j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_5467CF
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_5467E2

loc_5466E0:				; CODE XREF: MiCopyOnWriteCheckConditions+234j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5DB9C9
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_54672C:				; CODE XREF: MiCopyOnWriteCheckConditions+221j
					; MiCopyOnWriteCheckConditions+95425j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	short loc_54678B

loc_54673F:				; CODE XREF: MiCopyOnWriteCheckConditions+20Ej
					; MiCopyOnWriteCheckConditions+95446j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_546756
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_5467EF

loc_546756:				; CODE XREF: MiCopyOnWriteCheckConditions+A2j
					; MiCopyOnWriteCheckConditions+192j ...
		mov	ecx, [ebp+var_28]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_54675E:				; CODE XREF: MiCopyOnWriteCheckConditions+2Cj
					; MiCopyOnWriteCheckConditions+4Aj ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_546767:				; CODE XREF: MiCopyOnWriteCheckConditions+D1j
					; MiCopyOnWriteCheckConditions+E3j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]
		jmp	loc_54669F
; 

loc_54677F:				; CODE XREF: MiCopyOnWriteCheckConditions+91j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_54664D
; 

loc_54678B:				; CODE XREF: MiCopyOnWriteCheckConditions+187j
		test	edi, 8000h
		jz	short loc_54679C
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_54679C:				; CODE XREF: MiCopyOnWriteCheckConditions+1DBj
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5DB9E0

loc_5467A6:				; CODE XREF: MiCopyOnWriteCheckConditions+95434j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5467BA
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5467BA:				; CODE XREF: MiCopyOnWriteCheckConditions+1F7j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_54673F
		jmp	loc_5DB9EF
; 

loc_5467CF:				; CODE XREF: MiCopyOnWriteCheckConditions+112j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_54672C
		jmp	loc_5DB9B6
; 

loc_5467E2:				; CODE XREF: MiCopyOnWriteCheckConditions+124j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_5466E0
; 

loc_5467EF:				; CODE XREF: MiCopyOnWriteCheckConditions+19Aj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_546756
MiCopyOnWriteCheckConditions endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRaisedIrqlFault proc near		; CODE XREF: MmAccessFault+7AAp

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DBA40 SIZE 00000123 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		inc	eax
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [esi+8]
		mov	edi, ecx
		and	edi, eax
		jnz	short loc_546822
		mov	edx, eax
		call	@KeInvalidAccessAllowed@8 ; KeInvalidAccessAllowed(x,x)
		cmp	al, dl
		jz	loc_5DBB04

loc_546822:				; CODE XREF: MiRaisedIrqlFault+17j
		test	byte ptr [esi+24h], 20h
		jnz	loc_5DBA40
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		test	edi, edi
		jnz	loc_5DBA69

loc_546839:				; CODE XREF: MiRaisedIrqlFault+9527Aj
		xor	edx, edx
		call	@KeInvalidAccessAllowed@8 ; KeInvalidAccessAllowed(x,x)
		cmp	al, 1

loc_546842:				; CODE XREF: MiRaisedIrqlFault+9528Cj
		jz	loc_5DBB04
		mov	eax, large fs:124h
		cmp	dword_6D2F84, 0
		mov	ebx, [esi]
		mov	[ebp+var_8], eax
		jnz	loc_5DBA8B

loc_546860:				; CODE XREF: MiRaisedIrqlFault+952F6j
		cmp	ebx, dword_6D07D0
		jb	loc_54693B
		xor	edx, edx
		lea	edi, [esi+10h]
		inc	edx

loc_546872:				; CODE XREF: MiRaisedIrqlFault+A6j
		mov	eax, [edi]
		mov	ecx, [eax]
		nop
		mov	ebx, [eax+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_5DBAF5
		mov	eax, ecx
		and	eax, 80h
		or	eax, 0
		jnz	loc_5DBB22
		test	edx, edx
		jz	short loc_5468A2
		dec	edx
		sub	edi, 4
		jmp	short loc_546872
; 

loc_5468A2:				; CODE XREF: MiRaisedIrqlFault+A0j
		mov	ebx, [esi]
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		mov	edi, [ebx-40000000h]
		nop
		mov	ecx, [ebx-3FFFFFFCh]
		mov	eax, edi
		and	eax, 1
		mov	[ebp+var_8], ecx
		xor	edx, edx
		or	eax, edx
		jz	loc_5DBAF5
		test	byte ptr [esi+4], 2
		jz	short loc_5468EC
		mov	eax, edi
		and	eax, 200h
		or	eax, edx
		jnz	short loc_54693B
		mov	eax, edi
		and	eax, 800h
		or	eax, edx
		jz	loc_5DBA57

loc_5468EC:				; CODE XREF: MiRaisedIrqlFault+D6j
		push	ecx
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	MiCheckSystemNxFault
		nop
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		mov	eax, edx
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	eax, ecx, 1Ch
		xor	ecx, ecx
		inc	ecx
		add	eax, ds:_MmPfnDatabase
		cmp	[eax+14h], cx
		jbe	loc_5DBB0E

loc_54691F:				; CODE XREF: MiRaisedIrqlFault+95317j
					; MiRaisedIrqlFault+95323j
		push	edx
		push	edi
		push	ecx
		push	dword ptr [esi+8]
		lea	edx, [ebx-40000000h]
		mov	ecx, esi
		push	dword ptr [esi]
		call	MiNoFaultFound

loc_546934:				; CODE XREF: MiRaisedIrqlFault+9535Ej
		xor	eax, eax

loc_546936:				; CODE XREF: MiRaisedIrqlFault+146j
					; MiRaisedIrqlFault+9530Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_54693B:				; CODE XREF: MiRaisedIrqlFault+6Cj
					; MiRaisedIrqlFault+E1j ...
		mov	eax, 0D0000006h
		jmp	short loc_546936
MiRaisedIrqlFault endp


;  S U B	R O U T	I N E 


PfpReturnAccessBuffer proc near		; CODE XREF: PfpFlushBuffers+243p
					; PfpFlushBuffers+304p

; FUNCTION CHUNK AT 005DBB63 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, offset unk_6FB608
		mov	ecx, ebx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_5469A8
		push	esi
		movzx	esi, word_6FB624
		cmp	esi, dword_6FB61C
		jnb	loc_5DBB63
		mov	edx, edi
		mov	ecx, offset unk_6FB620
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		cmp	dword_6FB610, 0
		jz	short loc_546993

loc_546981:				; CODE XREF: PfpReturnAccessBuffer+54j
					; PfpReturnAccessBuffer+64j
		xor	esi, esi
		inc	esi

loc_546984:				; CODE XREF: PfpReturnAccessBuffer+9522Fj
		mov	ecx, ebx
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		test	esi, esi
		pop	esi
		jz	short loc_5469A8
		pop	edi
		pop	ebx
		retn
; 

loc_546993:				; CODE XREF: PfpReturnAccessBuffer+3Dj
		cmp	esi, 8
		jb	short loc_546981
		push	0
		push	0
		push	offset unk_6FB60C
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_546981
; 

loc_5469A8:				; CODE XREF: PfpReturnAccessBuffer+14j
					; PfpReturnAccessBuffer+4Cj
		mov	ecx, edi
		xor	dl, dl
		pop	edi
		pop	ebx
		jmp	_MmFreeAccessPfnBuffer@8 ; MmFreeAccessPfnBuffer(x,x)
PfpReturnAccessBuffer endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapLockedPagesInUserSpaceHelper proc near ; CODE XREF: MiMapLockedPagesInUserSpace+1D4p
					; MmRotatePhysicalView(x,x,x,x,x,x)+353p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005DBB76 SIZE 00000099 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_10]
		shr	ecx, 9
		sar	edi, 1Fh
		and	ecx, offset loc_7FFFF8
		and	edi, 0FFFFFFFDh
		mov	[ebp+var_8], edx
		mov	edx, [eax+80h]
		sub	ecx, 40000000h
		add	edi, 4
		mov	[ebp+var_4], ecx
		cmp	[ebp+arg_4], 0
		jnz	loc_546AAC
		or	edi, 8

loc_5469F8:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+FCj
					; MiMapLockedPagesInUserSpaceHelper+105j
		mov	esi, [ebp+arg_C]
		lea	eax, [edx+240h]
		mov	[ebp+arg_4], eax
		test	esi, esi
		jz	loc_5DBB76
		push	1
		mov	ecx, esi
		call	MiInsertVad
		mov	esi, [esi+1Ch]
		mov	eax, [ebp+arg_4]
		shr	esi, 0Ch
		and	esi, 3Fh

loc_546A21:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+951C4j
		mov	ecx, eax
		xor	ebx, ebx
		call	MiLockWorkingSetShared
		mov	byte ptr [ebp+arg_C], al

loc_546A2D:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+D6j
		mov	eax, [ebp+arg_0]
		mov	[ebp+arg_10], edi
		test	eax, eax
		jnz	loc_5DBB7D

loc_546A3B:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+951FFj
		test	ebx, ebx
		jnz	short loc_546ABE

loc_546A3F:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+9520Ej
		mov	ebx, [ebp+var_4]
		xor	edx, edx
		mov	ecx, [ebp+var_4]
		push	0
		push	[ebp+arg_C]
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		push	esi
		sub	ebx, 40000000h
		call	MiMakeSystemAddressValid
		mov	ecx, [ebp+var_4]

loc_546A64:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+113j
		mov	edx, [ebp+var_8]
		push	[ebp+arg_10]
		mov	edx, [edx]
		call	MiInsertPhysicalPteMapping
		mov	eax, [ebp+var_4]
		add	[ebp+var_8], 4
		add	eax, 8
		mov	[ebp+var_4], eax
		test	al, 78h
		jz	loc_5DBBC7

loc_546A86:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+95231j
					; MiMapLockedPagesInUserSpaceHelper+95256j
		sub	[ebp+arg_8], 1
		jnz	short loc_546A2D
		test	ebx, ebx
		jz	short loc_546A9A
		mov	ecx, [ebp+arg_4]
		mov	edx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_546A9A:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+DAj
		mov	dl, byte ptr [ebp+arg_C]
		mov	ecx, [ebp+arg_4]
		call	MiUnlockWorkingSetShared
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_546AAC:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+3Bj
		cmp	[ebp+arg_4], 2
		jnz	loc_5469F8
		or	edi, 18h
		jmp	loc_5469F8
; 

loc_546ABE:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+89j
		mov	ecx, [ebp+var_4]
		test	ecx, 0FFFh
		jnz	short loc_546A64
		jmp	loc_5DBBB8
MiMapLockedPagesInUserSpaceHelper endp


;  S U B	R O U T	I N E 


; __stdcall MiDoubleLockMdlPage(x)
_MiDoubleLockMdlPage@4 proc near	; CODE XREF: MiMapLockedPagesInUserSpace+169p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		xor	edx, edx
		mov	ecx, edi
		mov	bl, al
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	esi, eax
		lea	ecx, [edi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_MiDoubleLockMdlPage@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1814. PsGetProcessSignatureLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessSignatureLevel(x, x)
		public _PsGetProcessSignatureLevel@8
_PsGetProcessSignatureLevel@8 proc near	; CODE XREF: PAGE:007A31C0p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		test	edx, edx
		jz	short loc_546B1D
		mov	cl, [eax+3A5h]
		mov	[edx], cl

loc_546B1D:				; CODE XREF: PsGetProcessSignatureLevel(x,x)+Dj
		mov	al, [eax+3A4h]
		pop	ebp
		retn	8
_PsGetProcessSignatureLevel@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmMediaBufferingWorker	proc near	; DATA XREF: PpmPerfInitialize+99o

var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DBC0F SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	ebx
		mov	esi, offset _PpmMediaBufferingWork
		push	edi

loc_546B42:				; CODE XREF: PpmMediaBufferingWorker+B5j
					; PpmMediaBufferingWorker+9513Aj
		mov	bh, 1
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[ebp+var_15], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	bl, byte_6C3C25
		cmp	bl, byte_6C2D4C
		jz	loc_546BE8
		mov	byte_6C2D4C, bl
		test	ds:byte_70EFC6,	bh
		jnz	loc_5DBC0F
		xor	eax, eax
		lock and [esi],	eax

loc_546B7D:				; CODE XREF: PpmMediaBufferingWorker+950F1j
		mov	cl, [ebp+var_15]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	[ebp+var_1C], 0
		cmp	_PpmEtwRegistered, 0
		jz	short loc_546BB8
		mov	esi, dword_6BFD04
		mov	edi, _PpmEtwHandle
		push	offset _PPM_ETW_MEDIA_BUFFERING_NOTIFY
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5DBC1E

loc_546BB3:				; CODE XREF: PpmMediaBufferingWorker+95128j
		mov	esi, offset _PpmMediaBufferingWork

loc_546BB8:				; CODE XREF: PpmMediaBufferingWorker+69j
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		cmp	_PpmLowPowerProfile, 0
		jnz	short loc_546BD1
		test	bl, bl
		jz	short loc_546C1B
		xor	bh, bh

loc_546BD1:				; CODE XREF: PpmMediaBufferingWorker+A1j
					; PpmMediaBufferingWorker+101j
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		test	bh, bh
		jz	loc_546B42
		jmp	loc_5DBC55
; 

loc_546BE8:				; CODE XREF: PpmMediaBufferingWorker+38j
		test	ds:byte_70EFC6,	1
		pop	edi
		mov	byte_6C3C24, 0
		pop	ebx
		jnz	loc_5DBC67
		xor	eax, eax
		lock and [esi],	eax

loc_546C03:				; CODE XREF: PpmMediaBufferingWorker+95149j
		mov	cl, [ebp+var_15]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_546C1B:				; CODE XREF: PpmMediaBufferingWorker+A5j
		cmp	_PpmPdcMediaEngaged, 0
		setz	al
		dec	al
		and	bh, al
		jmp	short loc_546BD1
PpmMediaBufferingWorker	endp

; 
		align 10h
; Exported entry 1321. KeUpdateThreadTag

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeUpdateThreadTag
KeUpdateThreadTag proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DBC76 SIZE 000000BC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_C], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_1], al
		mov	[ebp+arg_0], edi
		lea	ebx, [esi+2Ch]

loc_546C5D:				; CODE XREF: KeUpdateThreadTag+95054j
		lock bts dword ptr [ebx], 0
		jb	loc_5DBC76
		mov	al, [esi+60h]
		movzx	eax, al
		cmp	eax, [ebp+arg_4]
		jz	short loc_546CB3
		mov	eax, large fs:124h
		cmp	esi, eax
		jnz	loc_5DBC89
		mov	edi, large fs:20h
		mov	[ebp+var_8], edi
		cli
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	KiEndThreadCycleAccumulation
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_546CC5
		lock btr dword ptr [esi], 14h

loc_546CA3:				; CODE XREF: KeUpdateThreadTag+9Aj
		mov	[esi+60h], cl
		mov	edx, esi
		push	ecx
		mov	ecx, edi
		call	KiStartThreadCycleAccumulation
		sti
		xor	edi, edi

loc_546CB3:				; CODE XREF: KeUpdateThreadTag+41j
					; KeUpdateThreadTag+950F2j ...
		mov	cl, [ebp+var_1]
		mov	[ebx], edi
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_546CC5:				; CODE XREF: KeUpdateThreadTag+6Cj
		lock bts dword ptr [esi], 14h
		jmp	short loc_546CA3
KeUpdateThreadTag endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExHandleLogBadReference	proc near	; CODE XREF: AlpcpLookupMessage+223p
					; ObpCloseHandle+16B038p ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005DBD32 SIZE 000000CD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	byte ptr [esi+1Ch], 2
		jnz	loc_5DBD32

loc_546CE2:				; CODE XREF: ExHandleLogBadReference+95088j
					; ExHandleLogBadReference+950A0j ...
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
ExHandleLogBadReference	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiStoreLogWriteCompleteFailure proc near ; CODE	XREF: MiStoreModifiedWriteComplete(x)+1Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, dword_6D35BC
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_546D24
		cmp	dword ptr [esi], 5
		jbe	short loc_546D24
		xor	ebx, ebx
		mov	ecx, esi
		push	ebx
		push	2
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_5DBDCC

loc_546D24:				; CODE XREF: MiStoreLogWriteCompleteFailure+1Fj
					; MiStoreLogWriteCompleteFailure+24j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
MiStoreLogWriteCompleteFailure endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiKernelStackVaToStackNode(x)
_MiKernelStackVaToStackNode@4 proc near	; CODE XREF: MiResolvePageFileFault+102Bp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	offset unk_6D341C
		mov	edi, ecx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	esi, dword_6D3418
		mov	bl, al
		jmp	short loc_546D52
; 

loc_546D4F:				; CODE XREF: MiKernelStackVaToStackNode(x)+25j
		mov	esi, [esi+4]

loc_546D52:				; CODE XREF: MiKernelStackVaToStackNode(x)+19j
					; MiKernelStackVaToStackNode(x)+46j
		test	esi, esi
		jz	short loc_546D60
		cmp	edi, [esi+0Ch]
		ja	short loc_546D4F
		cmp	edi, [esi+10h]
		jb	short loc_546D78

loc_546D60:				; CODE XREF: MiKernelStackVaToStackNode(x)+20j
		push	offset unk_6D341C
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_546D78:				; CODE XREF: MiKernelStackVaToStackNode(x)+2Aj
		mov	esi, [esi]
		jmp	short loc_546D52
_MiKernelStackVaToStackNode@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 165. PoNotifyMediaBuffering

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoNotifyMediaBuffering
PoNotifyMediaBuffering proc near

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DBDFF SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	[ebp+var_1], cl
		mov	esi, offset _PpmMediaBufferingWork
		mov	ecx, esi
		mov	[ebp+var_2], 0
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	ebx, ebx
		inc	ebx
		cmp	byte_6C3C24, 0
		jnz	short loc_546DB2
		mov	[ebp+var_2], bl
		mov	byte_6C3C24, bl

loc_546DB2:				; CODE XREF: PoNotifyMediaBuffering+25j
		test	ds:byte_70EFC6,	1
		mov	cl, [ebp+var_1]
		mov	byte_6C3C25, cl
		jnz	loc_5DBDFF
		xor	eax, eax
		lock and [esi],	eax

loc_546DCD:				; CODE XREF: PoNotifyMediaBuffering+9508Aj
		cmp	[ebp+var_2], 0
		jz	short loc_546E09
		mov	eax, large fs:124h
		cmp	dword ptr [eax+150h], offset _KiInitialProcess
		jz	short loc_546DEC
		movsx	ebx, byte ptr [eax+87h]

loc_546DEC:				; CODE XREF: PoNotifyMediaBuffering+61j
		cmp	ebx, 1Fh
		jge	short loc_546DF2
		inc	ebx

loc_546DF2:				; CODE XREF: PoNotifyMediaBuffering+6Dj
		test	cl, cl
		jnz	short loc_546DFB
		cmp	ebx, 10h
		jle	short loc_546E0D

loc_546DFB:				; CODE XREF: PoNotifyMediaBuffering+72j
					; PoNotifyMediaBuffering+8Ej
		lea	eax, [ebx+20h]
		push	eax
		push	offset dword_6C3C28
		call	ExQueueWorkItem

loc_546E09:				; CODE XREF: PoNotifyMediaBuffering+4Fj
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_546E0D:				; CODE XREF: PoNotifyMediaBuffering+77j
		push	10h
		pop	ebx
		jmp	short loc_546DFB
PoNotifyMediaBuffering endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLocateOldestSecure(x)
_MiLocateOldestSecure@4	proc near	; CODE XREF: MiUnmapLockedPagesInUserSpace+5Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		mov	esi, [eax+80h]
		push	edi
		mov	edi, offset unk_6D3C40
		mov	al, [esi+2A0h]
		and	al, 7
		cmp	al, 2
		jz	short loc_546E43
		lea	edi, [esi+2C0h]

loc_546E43:				; CODE XREF: MiLocateOldestSecure(x)+29j
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	edx, [ebp+var_4]
		mov	[edi+4], ebx
		mov	edx, [edx+24h]

loc_546E52:				; CODE XREF: MiLocateOldestSecure(x)+5Cj
		test	edx, edx
		jnz	short loc_546E6A
		mov	dl, al
		lea	ecx, [esi+240h]
		call	MiUnlockWorkingSetExclusive
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_546E6A:				; CODE XREF: MiLocateOldestSecure(x)+42j
		mov	ebx, edx
		mov	edx, [edx]
		jmp	short loc_546E52
_MiLocateOldestSecure@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFaultInPagedPool proc	near		; CODE XREF: .text:0045119Fp
					; MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+CF4p

var_C		= dword	ptr -0Ch
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DBE11 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	ecx, offset loc_7FFFF8
		mov	esi, ebx
		shr	esi, 9
		and	esi, ecx
		push	edi
		add	esi, 0C0000000h
		mov	edi, esi
		mov	[ebp+var_C], esi
		shr	edi, 9
		and	edi, ecx
		mov	ecx, offset unk_6D3840
		call	MiLockWorkingSetShared
		push	0
		lea	edx, [edi-40000000h]
		mov	[ebp+var_1], al
		mov	ecx, offset unk_6D3840
		call	MiLockPageTableInternal
		mov	esi, [esi]
		nop
		mov	edx, [ebp+var_C]
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_546ED7
		and	esi, 200h
		or	esi, 0
		jnz	loc_5DBE11

loc_546ED7:				; CODE XREF: MiFaultInPagedPool+56j
					; MiFaultInPagedPool+94FACj
		mov	esi, offset unk_6D3840
		lea	edx, [edi-40000000h]
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	al, [ebx]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiFaultInPagedPool endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetAffinityThread(x, x)
_KeSetAffinityThread@8 proc near	; CODE XREF: ExpWorkerThread+160E5Dp
					; NtSetInformationThread+AA1p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		mov	eax, ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_10], eax
		push	edi
		mov	edi, [eax+150h]
		movzx	ebx, word ptr [esi+4]
		mov	[ebp+var_C], ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		mov	eax, large fs:20h
		mov	[ebp+var_14], eax
		lea	eax, [edi+34h]
		push	eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		movzx	ebx, bx
		mov	edx, [edi+ebx*4+48h]
		test	edx, edx
		jz	short loc_546F82
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, edx
		cmp	eax, ecx
		jnz	short loc_546F82

loc_546F4D:				; CODE XREF: KeSetAffinityThread(x,x)+92j
		cmp	dword ptr [esi], 0
		jz	short loc_546F8E

loc_546F52:				; CODE XREF: KeSetAffinityThread(x,x)+9Aj
		mov	ecx, [ebp+var_10]
		lea	edx, [ebp+var_8]
		push	esi
		call	KiSetAffinityThread
		lea	eax, [edi+34h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	ecx, [ebp+var_14]
		lea	edx, [ebp+var_8]
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, [ebp+var_14]
		call	KiCheckForThreadDispatch
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_546F82:				; CODE XREF: KeSetAffinityThread(x,x)+47j
					; KeSetAffinityThread(x,x)+51j
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	_KiExtendProcessAffinity@8 ; KiExtendProcessAffinity(x,x)
		jmp	short loc_546F4D
; 

loc_546F8E:				; CODE XREF: KeSetAffinityThread(x,x)+56j
		mov	eax, [edi+ebx*4+48h]
		mov	[esi], eax
		jmp	short loc_546F52
_KeSetAffinityThread@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeQueryAffinityThread proc near		; CODE XREF: NtQueryInformationThread+8DDp
					; MiCombineAllPhysicalMemory(x)+92p

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DBE21 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	eax, eax
		mov	ebx, ecx
		mov	[edi+6], eax
		mov	[edi+0Ah], ax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_8], 0
		lea	esi, [ebx+2Ch]
		mov	[ebp+var_1], al

loc_546FBD:				; CODE XREF: KeQueryAffinityThread+94E99j
		lock bts dword ptr [esi], 0
		jb	loc_5DBE21
		mov	ax, [ebx+158h]
		mov	cl, [ebp+var_1]
		mov	[edi+4], ax
		mov	eax, [ebx+154h]
		mov	[edi], eax
		mov	dword ptr [esi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
KeQueryAffinityThread endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiDoubleUnlockMdlPage(x)
_MiDoubleUnlockMdlPage@4 proc near	; CODE XREF: .text:0047174Dp
					; MiMapLockedPagesInUserSpace+B3193p
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, esi
		mov	bl, al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, 7FFFFFFFh
		lea	ecx, [esi+10h]
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebx
		pop	ecx
		retn
_MiDoubleUnlockMdlPage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopGetDozeTimerSource proc near		; CODE XREF: PopWnfAudioCallback+83p

; FUNCTION CHUNK AT 005DBE34 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PopIdleAoAcDozeS4Lock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte_6C22E4, 0
		jnz	short loc_547064

loc_547043:				; CODE XREF: PopGetDozeTimerSource+4Ej
		test	ds:byte_70EFC6,	1
		jnz	loc_5DBE34
		xor	eax, eax
		lock and [edi],	eax

loc_547055:				; CODE XREF: PopGetDozeTimerSource+94E22j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_547064:				; CODE XREF: PopGetDozeTimerSource+25j
		mov	esi, dword_6C22E8
		jmp	short loc_547043
PopGetDozeTimerSource endp


;  S U B	R O U T	I N E 


MiIsPfnLocked	proc near		; CODE XREF: .text:0047172Fp
					; MmAreMdlPagesLocked(x)+58p

; FUNCTION CHUNK AT 005DBE43 SIZE 0000004B BYTES

		mov	edx, [ecx+10h]
		push	esi
		movzx	esi, word ptr [ecx+14h]
		and	edx, 3FFFFFFFh
		push	edi
		xor	edi, edi
		mov	eax, esi
		inc	edi
		cmp	eax, edx
		jbe	loc_5DBE43

loc_547088:				; CODE XREF: MiIsPfnLocked+94DE6j
					; MiIsPfnLocked+94DF8j	...
		mov	eax, edi

loc_54708A:				; CODE XREF: MiIsPfnLocked+94E1Dj
		pop	edi
		pop	esi
		retn
MiIsPfnLocked	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcIncrementWriteBehindPriority proc near ; CODE	XREF: CcLazyWriteScan+62Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005DBE8E SIZE 000001D3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		and	[ebp+var_4], esi
		mov	eax, [ebx+160h]
		push	edi
		mov	edi, [ebx+174h]
		test	eax, eax
		jnz	loc_5DBE8E

loc_5470B4:				; CODE XREF: CcIncrementWriteBehindPriority+94E02j
					; CcIncrementWriteBehindPriority+94E58j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CcIncrementWriteBehindPriority endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1404. MmFreePagesFromMdlEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmFreePagesFromMdlEx
MmFreePagesFromMdlEx proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_4], 0FFFFFFFEh
		mov	eax, [ebp+arg_0]
		jnz	loc_5DC01A
		test	dword ptr [eax+14h], 0FFFh
		jnz	loc_5DC01A
		mov	edx, [ebp+arg_4]
		mov	ecx, eax
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		pop	ebp
		retn	8
MmFreePagesFromMdlEx endp


;  S U B	R O U T	I N E 


; __stdcall MiLockPageTable(x, x)
_MiLockPageTable@8 proc	near		; CODE XREF: NtLockVirtualMemory(x,x,x,x)+58Cp
					; MiMapUserLargePages(x,x,x)+1DCp
		push	0
		call	MiLockPageTableInternal
		retn
_MiLockPageTable@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCompressBufferXpressHuff proc near	; DATA XREF: .text:00403FD4o

arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_1C]
		mov	cx, [ebp+arg_0]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		test	cx, cx
		jnz	loc_5DC02E
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		push	edx
		push	0
		push	0
		push	eax
		push	[ebp+arg_18]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	RtlCompressBufferXpressHuffStandard

loc_547135:				; CODE XREF: CcIncrementWriteBehindPriority+94FC4j
					; CcIncrementWriteBehindPriority+94FCEj
		pop	ebp
		retn	20h
RtlCompressBufferXpressHuff endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCompressBufferXpressHuffStandard proc near ;	CODE XREF: RtlCompressBufferXpressHuff+30p
					; RtlCompressBufferProgress+8C9E9p

var_60		= dword	ptr -60h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005DC061 SIZE 00000063 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		push	ebx
		mov	ebx, ecx
		mov	ecx, [ebp+arg_0]
		add	ecx, [ebp+arg_4]
		cmp	[ebp+arg_4], 12Ch
		push	esi
		lea	esi, [ebx+edx]
		mov	[ebp+var_14], ebx
		push	edi
		mov	[ebp+var_24], esi
		mov	[ebp+var_48], ecx
		jb	loc_547821
		mov	eax, ebx
		mov	ecx, 0AF6h
		mov	ebx, [ebp+arg_C]
		mov	esi, eax
		mov	edi, ebx
		rep stosd
		lea	edi, [ebx+2BD8h]
		mov	ecx, 12EEh
		rep stosd
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jnz	loc_5DC061

loc_54719A:				; CODE XREF: RtlCompressBufferXpressHuffStandard+94F2Cj
		mov	ecx, edx
		mov	[ebp+arg_18], ecx

loc_54719F:				; CODE XREF: RtlCompressBufferXpressHuffStandard+94F26j
		mov	[ebp+var_54], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_4C], ecx
		lea	ecx, [ebx+0B9A0h]
		mov	[ebp+var_50], eax

loc_5471B1:				; CODE XREF: RtlCompressBufferXpressHuffStandard+3D0j
		push	800h		; size_t
		push	0		; int
		push	ecx		; void *
		lea	edi, [ebx+0C2A0h]
		mov	[ebp+var_28], 0
		mov	[ebp+var_2C], 0
		call	_memset
		mov	eax, [ebp+var_24]
		lea	ecx, [esi+10000h]
		add	esp, 0Ch
		mov	[ebp+var_20], ecx
		cmp	ecx, eax
		jbe	short loc_5471EA
		mov	ecx, eax
		mov	[ebp+var_20], eax

loc_5471EA:				; CODE XREF: RtlCompressBufferXpressHuffStandard+A3j
		mov	edx, [ebp+arg_18]
		lea	eax, [ecx-28h]
		add	edx, esi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_8], edx
		cmp	eax, edx
		jnb	short loc_5471FF
		mov	[ebp+var_8], eax

loc_5471FF:				; CODE XREF: RtlCompressBufferXpressHuffStandard+BAj
		mov	edx, edi
		mov	ecx, 1
		add	edi, 4
		mov	[ebp+arg_10], ecx
		mov	[ebp+var_C], edx
		mov	[ebp+arg_14], edi
		cmp	esi, [ebp+var_14]
		jnz	short loc_547235
		movzx	eax, byte ptr [esi]
		mov	ecx, 2
		mov	[ebp+arg_10], ecx
		inc	dword ptr [ebx+eax*4+0B9A0h]
		mov	al, [esi]
		inc	esi
		mov	[edi], al
		inc	edi
		mov	eax, [ebp+var_1C]
		mov	[ebp+arg_14], edi

loc_547235:				; CODE XREF: RtlCompressBufferXpressHuffStandard+D5j
		cmp	esi, eax
		jnb	loc_547485
		lea	ecx, [ecx+0]

loc_547240:				; CODE XREF: RtlCompressBufferXpressHuffStandard+156j
					; RtlCompressBufferXpressHuffStandard+32Ej ...
		movzx	eax, byte ptr [esi]
		movzx	ecx, byte ptr [esi+1]
		mov	[ebp+var_44], esi
		lea	edx, [ebx+eax*4]
		movzx	eax, byte ptr [esi+2]
		lea	ebx, [esi+1]
		mov	[ebp+var_30], ebx
		lea	ecx, [eax+ecx*4]
		mov	edi, [edx+ecx*8]
		mov	[edx+ecx*8], esi
		mov	dl, [esi]
		cmp	[edi], dl
		jz	short loc_547298

loc_547266:				; CODE XREF: RtlCompressBufferXpressHuffStandard+15Dj
					; RtlCompressBufferXpressHuffStandard+165j ...
		mov	ecx, [ebp+var_44]
		mov	esi, ebx
		mov	edx, [ebp+arg_C]
		mov	edi, [ebp+arg_14]
		movzx	eax, byte ptr [ecx]
		inc	dword ptr [edx+eax*4+0B9A0h]
		mov	al, [ecx]
		mov	[edi], al
		inc	edi
		mov	eax, [ebp+arg_10]
		mov	[ebp+arg_14], edi
		lea	ecx, [eax+eax]
		test	eax, eax
		jle	loc_5475E7
		mov	[ebp+arg_10], ecx
		mov	ebx, edx
		jmp	short loc_547240
; 

loc_547298:				; CODE XREF: RtlCompressBufferXpressHuffStandard+124j
		mov	al, [edi+1]
		cmp	al, [ebx]
		jnz	short loc_547266
		mov	al, [edi+2]
		cmp	al, [esi+2]
		jnz	short loc_547266
		mov	eax, esi
		sub	eax, edi
		cmp	eax, 10000h
		jge	short loc_547266
		mov	dh, [edi+3]
		lea	eax, [edi+3]
		mov	[ebp+var_4], eax
		lea	eax, [esi+3]
		mov	[ebp+var_18], eax
		mov	al, [eax]
		mov	[ebp+var_40], esi
		mov	byte ptr [ebp+arg_4+3],	al
		cmp	al, dh
		jnz	loc_5473AE

loc_5472D1:				; CODE XREF: RtlCompressBufferXpressHuffStandard+581j
		mov	dh, [edi+4]
		lea	eax, [edi+4]
		lea	ecx, [esi+4]
		mov	[ebp+var_38], eax
		mov	al, [ecx]
		mov	[ebp+var_4], ecx
		mov	byte ptr [ebp+arg_4+3],	al
		cmp	al, dh
		jnz	loc_547572

loc_5472ED:				; CODE XREF: RtlCompressBufferXpressHuffStandard+60Bj
		mov	bh, [edi+5]
		lea	eax, [edi+5]
		mov	[ebp+var_3C], eax
		lea	eax, [esi+5]
		mov	[ebp+var_10], eax
		mov	al, [eax]
		mov	byte ptr [ebp+arg_4+3],	al
		cmp	al, bh
		jnz	loc_547631

loc_547309:				; CODE XREF: RtlCompressBufferXpressHuffStandard+65Fj
		mov	ebx, [ebp+var_24]
		add	esi, 6
		add	edi, 6
		lea	edx, [ebx-28h]
		cmp	esi, edx
		jnb	short loc_547398
		lea	esp, [esp+0]

loc_547320:				; CODE XREF: RtlCompressBufferXpressHuffStandard+256j
		mov	eax, [edi]
		mov	ecx, [esi]
		cmp	ecx, eax
		jnz	loc_547557
		mov	eax, [edi+4]
		mov	ecx, [esi+4]
		cmp	ecx, eax
		jnz	loc_547551
		mov	eax, [edi+8]
		mov	ecx, [esi+8]
		cmp	ecx, eax
		jnz	loc_547715
		mov	eax, [edi+0Ch]
		mov	ecx, [esi+0Ch]
		cmp	ecx, eax
		jnz	loc_547750
		mov	eax, [edi+10h]
		mov	ecx, [esi+10h]
		cmp	ecx, eax
		jnz	loc_54775B
		mov	eax, [edi+14h]
		mov	ecx, [esi+14h]
		cmp	ecx, eax
		jnz	loc_5477A4
		mov	eax, [edi+18h]
		mov	ecx, [esi+18h]
		cmp	ecx, eax
		jnz	loc_5477AF
		mov	eax, [edi+1Ch]
		mov	ecx, [esi+1Ch]
		cmp	ecx, eax
		jnz	loc_5477E0
		add	esi, 20h
		add	edi, 20h
		cmp	esi, edx
		jb	short loc_547320

loc_547398:				; CODE XREF: RtlCompressBufferXpressHuffStandard+1D7j
		cmp	esi, ebx
		jnb	short loc_5473F5
		lea	esp, [esp+0]

loc_5473A0:				; CODE XREF: RtlCompressBufferXpressHuffStandard+26Aj
		mov	al, [esi]
		cmp	al, [edi]
		jnz	short loc_5473F5
		inc	esi
		inc	edi
		cmp	esi, ebx
		jb	short loc_5473A0
		jmp	short loc_5473F5
; 

loc_5473AE:				; CODE XREF: RtlCompressBufferXpressHuffStandard+18Bj
		movzx	eax, dl
		lea	ecx, [eax+ecx*2]
		movzx	eax, byte ptr [ebp+arg_4+3]
		add	eax, ecx
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+arg_C]
		mov	eax, [ecx+eax*4+2BD8h]
		mov	[ebp+arg_4], eax
		movzx	eax, dh
		add	eax, [ebp+var_10]
		mov	edx, [ebp+arg_4]
		mov	[ecx+eax*4+2BD8h], edi
		mov	eax, esi
		sub	eax, edx
		cmp	eax, 10000h
		jge	short loc_5473EF
		mov	eax, [esi]
		cmp	eax, [edx]
		jz	loc_5476B2

loc_5473EF:				; CODE XREF: RtlCompressBufferXpressHuffStandard+2A3j
		mov	esi, [ebp+var_18]
		mov	edi, [ebp+var_4]

loc_5473F5:				; CODE XREF: RtlCompressBufferXpressHuffStandard+25Aj
					; RtlCompressBufferXpressHuffStandard+264j ...
		mov	ebx, esi
		mov	edx, esi
		sub	ebx, [ebp+var_40]
		sub	edx, edi
		cmp	ebx, 3
		jz	loc_547529

loc_547407:				; CODE XREF: RtlCompressBufferXpressHuffStandard+3EFj
		cmp	edx, 100h
		jnb	loc_54753D
		movzx	ecx, ds:_XpressHighBitIndexTable[edx]

loc_54741A:				; CODE XREF: RtlCompressBufferXpressHuffStandard+40Cj
		add	[ebp+var_28], ecx
		or	eax, 0FFFFFFFFh
		shl	eax, cl
		sub	ebx, 3
		add	edx, eax
		shl	cl, 4
		mov	eax, [ebp+arg_14]
		lea	edi, [eax+1]
		mov	[ebp+arg_4], edi
		cmp	ebx, 0Fh
		jnb	loc_5476C6
		add	cl, bl
		mov	[eax], cl

loc_547440:				; CODE XREF: RtlCompressBufferXpressHuffStandard+5ABj
					; RtlCompressBufferXpressHuffStandard+69Bj
		mov	ebx, [ebp+arg_C]
		movzx	eax, cl
		inc	dword ptr [ebx+eax*4+0BDA0h]
		mov	eax, [ebp+arg_10]
		mov	[edi], dx
		add	edi, 2
		mov	[ebp+arg_14], edi
		lea	ecx, ds:1[eax*2]
		test	eax, eax
		jle	loc_5476FB
		mov	[ebp+arg_10], ecx

loc_54746B:				; CODE XREF: RtlCompressBufferXpressHuffStandard+5D0j
		cmp	esi, [ebp+var_8]
		jb	loc_547240
		mov	eax, [ebp+var_1C]
		cmp	esi, eax
		jb	loc_5DC0A5
		mov	edx, [ebp+var_C]

loc_547482:				; CODE XREF: RtlCompressBufferXpressHuffStandard+4CFj
		mov	ecx, [ebp+arg_10]

loc_547485:				; CODE XREF: RtlCompressBufferXpressHuffStandard+F7j
		cmp	esi, [ebp+var_20]
		jb	loc_5477F0

loc_54748E:				; CODE XREF: RtlCompressBufferXpressHuffStandard+6CEj
		test	ecx, ecx
		jle	short loc_54749D

loc_547492:				; CODE XREF: RtlCompressBufferXpressHuffStandard+35Bj
		lea	ecx, ds:1[ecx*2]
		test	ecx, ecx
		jg	short loc_547492

loc_54749D:				; CODE XREF: RtlCompressBufferXpressHuffStandard+350j
		lea	eax, ds:1[ecx*2]
		mov	[edx], eax
		cmp	esi, [ebp+var_24]
		jb	loc_5DC0B8
		inc	dword ptr [ebx+0BDA0h]
		mov	[ebp+arg_4], 1

loc_5474BC:				; CODE XREF: RtlCompressBufferXpressHuffStandard+94F7Fj
		lea	ecx, [ebx+7790h]
		call	XpressBuildHuffmanEncodings
		mov	ecx, [ebp+var_28]
		add	ecx, 1Fh
		add	eax, ecx
		mov	ecx, [ebp+var_2C]
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	ecx, [ebp+var_34]
		add	eax, 102h
		add	eax, ecx
		cmp	eax, [ebp+var_48]
		jnb	loc_547821
		push	[ebp+arg_4]
		lea	edx, [ebx+0C2A0h]
		push	ecx
		push	edi
		lea	ecx, [ebx+7790h]
		call	XpressDoHuffmanPass
		cmp	[ebp+arg_4], 0
		lea	ecx, [ebx+0B9A0h]
		mov	edi, eax
		mov	[ebp+var_34], edi
		jz	loc_5471B1
		mov	ecx, [ebp+arg_8]
		sub	edi, [ebp+arg_0]
		xor	eax, eax
		mov	[ecx], edi

loc_547520:				; CODE XREF: RtlCompressBufferXpressHuffStandard+6E6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_547529:				; CODE XREF: RtlCompressBufferXpressHuffStandard+2C1j
		cmp	edx, 1000h
		jbe	loc_547407
		mov	ebx, [ebp+var_30]
		jmp	loc_547266
; 

loc_54753D:				; CODE XREF: RtlCompressBufferXpressHuffStandard+2CDj
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, ds:_XpressHighBitIndexTable[eax]
		add	ecx, 8
		jmp	loc_54741A
; 

loc_547551:				; CODE XREF: RtlCompressBufferXpressHuffStandard+1F4j
		add	esi, 4
		add	edi, 4

loc_547557:				; CODE XREF: RtlCompressBufferXpressHuffStandard+1E6j
					; RtlCompressBufferXpressHuffStandard+5DBj ...
		cmp	cl, al
		jnz	loc_5473F5
		mov	al, [esi+1]
		cmp	al, [edi+1]
		jz	loc_54761A
		inc	esi
		inc	edi
		jmp	loc_5473F5
; 

loc_547572:				; CODE XREF: RtlCompressBufferXpressHuffStandard+1A7j
		movzx	eax, byte ptr [esi+2]
		mov	bl, [ebx]
		add	al, 61h
		mov	dl, [esi]
		add	al, bl
		ror	al, 1
		xor	al, dl
		rol	al, 3
		movzx	ecx, al
		mov	eax, [ebp+var_18]
		movzx	eax, byte ptr [eax]
		add	al, dl
		rol	al, 3
		xor	al, bl
		ror	al, 1
		movzx	eax, al
		lea	ecx, [eax+ecx*4]
		movzx	eax, byte ptr [ebp+arg_4+3]
		add	ecx, ecx
		add	eax, ecx
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+arg_C]
		mov	ebx, [ecx+eax*4+2BD8h]
		movzx	eax, dh
		mov	edx, [ebp+var_10]
		add	eax, edx
		mov	[ecx+eax*4+2BD8h], edi
		mov	eax, esi
		sub	eax, ebx
		cmp	eax, 10000h
		jge	loc_5DC071
		mov	eax, [esi]
		cmp	eax, [ebx]
		mov	eax, [ebp+var_4]
		jz	loc_547720

loc_5475DD:				; CODE XREF: RtlCompressBufferXpressHuffStandard+5EBj
					; RtlCompressBufferXpressHuffStandard+5F3j ...
		mov	edi, [ebp+var_38]
		mov	esi, eax
		jmp	loc_5473F5
; 

loc_5475E7:				; CODE XREF: RtlCompressBufferXpressHuffStandard+14Bj
		mov	eax, [ebp+var_C]
		mov	edx, edi
		mov	ebx, [ebp+arg_C]
		add	edi, 4
		mov	[ebp+arg_10], 1
		mov	[ebp+var_C], edx
		mov	[eax], ecx
		mov	[ebp+arg_14], edi
		cmp	esi, [ebp+var_8]
		jb	loc_547240
		mov	eax, [ebp+var_1C]
		cmp	esi, eax
		jnb	loc_547482
		jmp	loc_5DC079
; 

loc_54761A:				; CODE XREF: RtlCompressBufferXpressHuffStandard+425j
		mov	al, [esi+2]
		cmp	al, [edi+2]
		jz	loc_5476F0
		add	esi, 2
		add	edi, 2
		jmp	loc_5473F5
; 

loc_547631:				; CODE XREF: RtlCompressBufferXpressHuffStandard+1C3j
		mov	bl, [esi]
		mov	cl, [ecx]
		mov	al, bl
		ror	al, 1
		add	al, 45h
		rol	bl, cl
		xor	al, cl
		movzx	ecx, bl
		rol	al, 3
		movzx	edx, al
		mov	eax, [ebp+var_18]
		mov	[ebp+var_38], edx
		mov	edx, [ebp+var_30]
		movzx	eax, byte ptr [eax]
		rol	al, 3
		xor	al, [edx]
		mov	edx, [ebp+var_38]
		ror	al, 1
		movzx	eax, al
		add	edx, eax
		movzx	eax, byte ptr [esi+2]
		xor	ecx, eax
		movzx	eax, byte ptr [ebp+arg_4+3]
		lea	ecx, [ecx+edx*4]
		add	ecx, ecx
		add	eax, ecx
		mov	[ebp+var_38], ecx
		mov	ecx, [ebp+arg_C]
		mov	edx, [ecx+eax*4+2BD8h]
		movzx	eax, bh
		mov	ebx, [ebp+var_38]
		add	eax, ebx
		mov	[ecx+eax*4+2BD8h], edi
		mov	eax, esi
		sub	eax, edx
		cmp	eax, 10000h
		jge	short loc_5476A5
		mov	eax, [esi]
		cmp	eax, [edx]
		jz	loc_547766

loc_5476A5:				; CODE XREF: RtlCompressBufferXpressHuffStandard+559j
		mov	eax, [ebp+var_10]

loc_5476A8:				; CODE XREF: RtlCompressBufferXpressHuffStandard+631j
					; RtlCompressBufferXpressHuffStandard+642j ...
		mov	edi, [ebp+var_3C]
		mov	esi, eax
		jmp	loc_5473F5
; 

loc_5476B2:				; CODE XREF: RtlCompressBufferXpressHuffStandard+2A9j
		shr	eax, 18h
		mov	edi, edx
		add	eax, [ebp+var_10]
		mov	[ecx+eax*4+2BD8h], esi
		jmp	loc_5472D1
; 

loc_5476C6:				; CODE XREF: RtlCompressBufferXpressHuffStandard+2F6j
		add	cl, 0Fh
		mov	[ebp+arg_14], ebx
		sub	ebx, 0Fh
		mov	[eax], cl
		mov	eax, [ebp+arg_4]
		inc	edi
		cmp	ebx, 0FFh
		jnb	loc_5477BA
		mov	[eax], bl
		mov	eax, 1

loc_5476E8:				; CODE XREF: RtlCompressBufferXpressHuffStandard+94F60j
		add	[ebp+var_2C], eax
		jmp	loc_547440
; 

loc_5476F0:				; CODE XREF: RtlCompressBufferXpressHuffStandard+4E0j
		add	esi, 3
		add	edi, 3
		jmp	loc_5473F5
; 

loc_5476FB:				; CODE XREF: RtlCompressBufferXpressHuffStandard+322j
		mov	eax, [ebp+var_C]
		mov	[ebp+var_C], edi
		add	edi, 4
		mov	[ebp+arg_10], 1
		mov	[ebp+arg_14], edi
		mov	[eax], ecx
		jmp	loc_54746B
; 

loc_547715:				; CODE XREF: RtlCompressBufferXpressHuffStandard+202j
		add	esi, 8
		add	edi, 8
		jmp	loc_547557
; 

loc_547720:				; CODE XREF: RtlCompressBufferXpressHuffStandard+497j
		mov	cl, [eax]
		cmp	cl, [ebx+4]
		mov	byte ptr [ebp+arg_4+3],	cl
		mov	ecx, [ebp+arg_C]
		jnz	loc_5475DD
		cmp	esi, ebx
		jz	loc_5475DD
		movzx	eax, byte ptr [ebp+arg_4+3]
		mov	edi, ebx
		add	eax, edx
		mov	[ecx+eax*4+2BD8h], esi
		mov	ecx, [ebp+var_4]
		jmp	loc_5472ED
; 

loc_547750:				; CODE XREF: RtlCompressBufferXpressHuffStandard+210j
		add	esi, 0Ch
		add	edi, 0Ch
		jmp	loc_547557
; 

loc_54775B:				; CODE XREF: RtlCompressBufferXpressHuffStandard+21Ej
		add	esi, 10h
		add	edi, 10h
		jmp	loc_547557
; 

loc_547766:				; CODE XREF: RtlCompressBufferXpressHuffStandard+55Fj
		mov	eax, [ebp+var_4]
		mov	al, [eax]
		cmp	al, [edx+4]
		mov	eax, [ebp+var_10]
		jnz	loc_5476A8
		mov	cl, [eax]
		cmp	cl, [edx+5]
		mov	byte ptr [ebp+arg_4+3],	cl
		mov	ecx, [ebp+arg_C]
		jnz	loc_5476A8
		cmp	esi, edx
		jz	loc_5476A8
		movzx	eax, byte ptr [ebp+arg_4+3]
		mov	edi, edx
		add	eax, ebx
		mov	[ecx+eax*4+2BD8h], esi
		jmp	loc_547309
; 

loc_5477A4:				; CODE XREF: RtlCompressBufferXpressHuffStandard+22Cj
		add	esi, 14h
		add	edi, 14h
		jmp	loc_547557
; 

loc_5477AF:				; CODE XREF: RtlCompressBufferXpressHuffStandard+23Aj
		add	esi, 18h
		add	edi, 18h
		jmp	loc_547557
; 

loc_5477BA:				; CODE XREF: RtlCompressBufferXpressHuffStandard+59Bj
		mov	byte ptr [eax],	0FFh
		lea	ebx, [eax+3]
		mov	eax, [ebp+arg_14]
		cmp	eax, 10000h
		jnb	loc_5DC08C
		mov	[edi], ax
		mov	eax, 3
		add	[ebp+var_2C], eax
		mov	edi, ebx
		jmp	loc_547440
; 

loc_5477E0:				; CODE XREF: RtlCompressBufferXpressHuffStandard+248j
		add	esi, 1Ch
		add	edi, 1Ch
		jmp	loc_547557
; 
		jmp	short loc_5477F0
; 
		align 10h

loc_5477F0:				; CODE XREF: RtlCompressBufferXpressHuffStandard+348j
					; RtlCompressBufferXpressHuffStandard+6ABj ...
		movzx	eax, byte ptr [esi]
		inc	dword ptr [ebx+eax*4+0B9A0h]
		mov	al, [esi]
		inc	esi
		mov	[edi], al
		inc	edi
		lea	eax, [ecx+ecx]
		test	ecx, ecx
		jle	short loc_547813
		mov	ecx, eax

loc_547809:				; CODE XREF: RtlCompressBufferXpressHuffStandard+6DFj
		cmp	esi, [ebp+var_20]
		jb	short loc_5477F0
		jmp	loc_54748E
; 

loc_547813:				; CODE XREF: RtlCompressBufferXpressHuffStandard+6C5j
		mov	[edx], eax
		mov	ecx, 1
		mov	edx, edi
		add	edi, 4
		jmp	short loc_547809
; 

loc_547821:				; CODE XREF: RtlCompressBufferXpressHuffStandard+26j
					; RtlCompressBufferXpressHuffStandard+3A5j
		mov	eax, 0C0000023h
		jmp	loc_547520
RtlCompressBufferXpressHuffStandard endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

XpressBuildHuffmanEncodings proc near	; CODE XREF: RtlCompressBufferXpressHuffStandard+382p
					; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+574p

var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DC0C4 SIZE 0000006B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		push	202h		; size_t
		push	0		; int
		lea	eax, [ebx+380Ch]
		mov	[ebp+var_4], ebx
		push	eax		; void *
		mov	[ebp+var_24], eax
		call	_memset
		push	202h		; size_t
		lea	eax, [ebx+3A0Eh]
		push	0		; int
		push	eax		; void *
		call	_memset
		push	200h		; size_t
		lea	eax, [ebx+800h]
		lea	edi, [ebx+4010h]
		mov	[ebp+var_18], eax
		push	0		; int
		push	edi		; void *
		mov	esi, eax
		mov	[ebp+var_10], edi
		call	_memset
		lea	eax, [ebx+4210h]
		add	esp, 24h
		xor	ecx, ecx
		mov	[ebp+var_2C], eax
		mov	edx, eax
		lea	ebx, [ebx+0]

loc_5478A0:				; CODE XREF: XpressBuildHuffmanEncodings+84j
		mov	ebx, [edx]
		test	ebx, ebx
		jnz	loc_547A10

loc_5478AA:				; CODE XREF: XpressBuildHuffmanEncodings+20Aj
		inc	ecx
		add	edx, 4
		cmp	ecx, 200h
		jb	short loc_5478A0
		mov	ebx, [ebp+var_4]
		push	100h		; size_t
		push	0		; int
		mov	[ebp+var_8], esi
		lea	eax, [ebx+4A10h]
		push	eax		; void *
		mov	[ebp+var_28], eax
		call	_memset
		lea	eax, [ebx+80Ch]
		add	esp, 0Ch
		mov	[ebp+var_20], eax
		cmp	esi, eax
		jbe	loc_5DC0C4
		lea	ecx, [ebx+380Eh]
		mov	edx, 0FFh

loc_5478F1:				; CODE XREF: XpressBuildHuffmanEncodings+DDj
		movzx	eax, word ptr [ecx-2]
		lea	ecx, [ecx+2]
		add	[ecx-2], ax
		movzx	eax, word ptr [ecx+1FEh]
		add	[ecx+200h], ax
		sub	edx, 1
		jnz	short loc_5478F1
		lea	edx, [ebx+800h]
		cmp	edx, esi
		jnb	short loc_547949
		lea	esp, [esp+0]

loc_547920:				; CODE XREF: XpressBuildHuffmanEncodings+117j
		movzx	eax, byte ptr [edx]
		movzx	ecx, word ptr [ebx+eax*2+380Ch]
		mov	ax, [edx+8]
		mov	[ebx+ecx*2+3C10h], ax
		movzx	eax, byte ptr [edx]
		add	edx, 0Ch
		inc	word ptr [ebx+eax*2+380Ch]
		cmp	edx, esi
		jb	short loc_547920

loc_547949:				; CODE XREF: XpressBuildHuffmanEncodings+E7j
		mov	ecx, esi
		mov	eax, 2AAAAAABh
		sub	ecx, ebx
		sub	ecx, 800h
		imul	ecx
		sar	edx, 1
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	[ebp+var_C], eax
		jz	short loc_5479B6
		mov	ecx, [ebp+var_4]
		add	ebx, 3C10h

loc_547971:				; CODE XREF: XpressBuildHuffmanEncodings+17Fj
		movzx	edi, word ptr [ebx]
		lea	ebx, [ebx+2]
		mov	esi, [ecx+edi*4+4210h]
		mov	eax, esi
		shr	eax, 8
		lea	ecx, [ecx+eax*2]
		movzx	eax, word ptr [ecx+3A0Eh]
		mov	edx, eax
		inc	eax
		sub	[ebp+var_C], 1
		mov	[ecx+3A0Eh], ax
		mov	ecx, [ebp+var_4]
		lea	eax, [edx+edx*2]
		mov	[ecx+eax*4+808h], edi
		mov	[ecx+eax*4+800h], esi
		jnz	short loc_547971
		mov	esi, [ebp+var_8]
		mov	ebx, ecx

loc_5479B6:				; CODE XREF: XpressBuildHuffmanEncodings+136j
		mov	edi, [ebp+var_18]
		lea	eax, [ebx+818h]
		mov	[ebp+var_1C], eax

loc_5479C2:				; CODE XREF: XpressBuildHuffmanEncodings+948DCj
					; XpressBuildHuffmanEncodings+948FAj
		mov	edx, eax
		mov	[esi+4], edi
		mov	eax, [ebp+var_20]
		mov	ecx, esi
		mov	[esi+8], eax
		mov	ebx, esi
		mov	eax, [eax]
		add	eax, [edi]
		mov	[esi], eax

loc_5479D7:				; CODE XREF: XpressBuildHuffmanEncodings+1DEj
					; XpressBuildHuffmanEncodings+219j
		cmp	edx, esi
		jz	short loc_547A55

loc_5479DB:				; CODE XREF: XpressBuildHuffmanEncodings+227j
		add	ecx, 0Ch
		cmp	edx, esi
		jz	short loc_547A4B
		cmp	ebx, ecx
		jnb	short loc_5479EC
		mov	eax, [ebx]
		cmp	eax, [edx]
		jb	short loc_547A4B

loc_5479EC:				; CODE XREF: XpressBuildHuffmanEncodings+1B4j
		mov	[ecx+4], edx
		mov	eax, [edx]
		add	edx, 0Ch

loc_5479F4:				; CODE XREF: XpressBuildHuffmanEncodings+223j
		mov	[ecx], eax
		cmp	edx, esi
		jz	short loc_547A3F
		cmp	ebx, ecx
		jnb	short loc_547A04
		mov	eax, [ebx]
		cmp	eax, [edx]
		jb	short loc_547A3F

loc_547A04:				; CODE XREF: XpressBuildHuffmanEncodings+1CCj
		mov	[ecx+8], edx
		mov	eax, [edx]
		add	[ecx], eax
		add	edx, 0Ch
		jmp	short loc_5479D7
; 

loc_547A10:				; CODE XREF: XpressBuildHuffmanEncodings+74j
		mov	edi, [ebp+var_4]
		movzx	eax, bl
		mov	[esi], ebx
		shr	ebx, 8
		inc	word ptr [edi+eax*2+380Eh]
		mov	eax, edi
		inc	word ptr [eax+ebx*2+3A10h]
		mov	dword ptr [esi+4], 0
		mov	[esi+8], ecx
		add	esi, 0Ch
		jmp	loc_5478AA
; 

loc_547A3F:				; CODE XREF: XpressBuildHuffmanEncodings+1C8j
					; XpressBuildHuffmanEncodings+1D2j
		mov	[ecx+8], ebx
		mov	eax, [ebx]
		add	[ecx], eax
		add	ebx, 0Ch
		jmp	short loc_5479D7
; 

loc_547A4B:				; CODE XREF: XpressBuildHuffmanEncodings+1B0j
					; XpressBuildHuffmanEncodings+1BAj
		mov	[ecx+4], ebx
		mov	eax, [ebx]
		add	ebx, 0Ch
		jmp	short loc_5479F4
; 

loc_547A55:				; CODE XREF: XpressBuildHuffmanEncodings+1A9j
		cmp	ebx, ecx
		jnz	short loc_5479DB
		mov	ebx, [ebp+var_4]
		xor	eax, eax
		mov	edx, [ebp+var_24]
		xor	edi, edi
		add	ebx, 3810h

loc_547A69:				; CODE XREF: XpressBuildHuffmanEncodings+270j
		mov	[ebp+var_C], eax
		lea	esp, [esp+0]

loc_547A70:				; CODE XREF: XpressBuildHuffmanEncodings+28Cj
		cmp	dword ptr [ecx+4], 0
		lea	esi, [ecx+8]
		mov	[ebp+var_14], esi
		jnz	short loc_547AA2
		mov	[ecx+4], eax
		mov	eax, esi
		mov	esi, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		mov	eax, [eax]
		mov	[eax+esi+4010h], cl
		test	edi, edi
		jz	short loc_547ABE
		mov	ecx, [edx-8]
		sub	ebx, 8
		dec	edi
		sub	edx, 8
		mov	eax, [ebx]
		jmp	short loc_547A69
; 

loc_547AA2:				; CODE XREF: XpressBuildHuffmanEncodings+24Aj
		inc	eax
		inc	edi
		mov	[ebx], eax
		add	ebx, 8
		mov	[ebp+var_C], eax
		mov	eax, [ecx+4]
		mov	[edx], eax
		add	edx, 8
		mov	eax, [ebp+var_14]
		mov	ecx, [eax]
		mov	eax, [ebp+var_C]
		jmp	short loc_547A70
; 

loc_547ABE:				; CODE XREF: XpressBuildHuffmanEncodings+262j
		mov	edx, [esi+804h]
		mov	esi, [ebp+var_8]
		mov	[ebp+var_14], edx
		cmp	edx, 0Fh
		ja	loc_5DC102
		mov	ebx, [esi-8]
		xor	eax, eax
		mov	edi, [ebp+var_10]
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_1C], ecx
		cmp	ebx, edx
		ja	short loc_547B2D

loc_547AE7:				; CODE XREF: XpressBuildHuffmanEncodings+2FBj
		mov	esi, [ebp+var_28]
		xor	eax, eax
		mov	edx, [ebp+var_2C]
		mov	[ebp+var_C], eax

loc_547AF2:				; CODE XREF: XpressBuildHuffmanEncodings+2DFj
		movzx	ecx, byte ptr [edi+eax]
		cmp	ecx, ebx
		jz	short loc_547B36

loc_547AFA:				; CODE XREF: XpressBuildHuffmanEncodings+32Bj
		movzx	ecx, byte ptr [edi+eax+1]
		cmp	ecx, ebx
		jz	short loc_547B5D

loc_547B03:				; CODE XREF: XpressBuildHuffmanEncodings+359j
		add	eax, 2
		inc	esi
		add	edx, 8
		cmp	eax, 200h
		jb	short loc_547AF2
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_1C]
		add	eax, eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_C]
		imul	eax, ebx
		inc	ebx
		add	ecx, eax
		mov	[ebp+var_1C], ecx
		cmp	ebx, [ebp+var_14]
		jbe	short loc_547AE7

loc_547B2D:				; CODE XREF: XpressBuildHuffmanEncodings+2B5j
		mov	eax, ecx

loc_547B2F:				; CODE XREF: XpressBuildHuffmanEncodings+948A0j
					; XpressBuildHuffmanEncodings+948CDj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_547B36:				; CODE XREF: XpressBuildHuffmanEncodings+2C8j
		mov	ecx, [ebp+var_C]
		add	ecx, [edx]
		mov	edi, [ebp+var_4]
		or	[esi], bl
		mov	[ebp+var_C], ecx
		movzx	ecx, bx
		mov	[edi+eax*4], cx
		mov	ecx, edi
		mov	edi, [ebp+var_8]
		mov	[ecx+eax*4+2], di
		inc	edi
		mov	[ebp+var_8], edi
		mov	edi, [ebp+var_10]
		jmp	short loc_547AFA
; 

loc_547B5D:				; CODE XREF: XpressBuildHuffmanEncodings+2D1j
		mov	ecx, [ebp+var_C]
		add	ecx, [edx+4]
		mov	edi, [ebp+var_4]
		mov	[ebp+var_C], ecx
		mov	cl, bl
		shl	cl, 4
		or	[esi], cl
		movzx	ecx, bx
		mov	[edi+eax*4+4], cx
		mov	ecx, edi
		mov	edi, [ebp+var_8]
		mov	[ecx+eax*4+6], di
		inc	edi
		mov	[ebp+var_8], edi
		mov	edi, [ebp+var_10]
		jmp	loc_547B03
XpressBuildHuffmanEncodings endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

XpressDoHuffmanPass proc near		; CODE XREF: RtlCompressBufferXpressHuffStandard+3BCp
					; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+5AEp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DC12F SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	ebx, edx
		mov	edx, ecx
		push	edi
		mov	edi, eax
		mov	[ebp+var_14], edx
		add	eax, 100h
		mov	ecx, 40h
		lea	esi, [edx+4A10h]
		mov	[ebp+var_8], eax
		rep movsd
		add	eax, 2
		xor	esi, esi
		mov	[ebp+var_C], eax
		mov	edi, 10h
		add	eax, 2
		mov	[ebp+var_4], eax
		nop

loc_547BD0:				; CODE XREF: XpressDoHuffmanPass+DAj
		mov	ecx, [ebx]
		add	ebx, 4
		lea	eax, ds:1[ecx*2]
		test	ecx, ecx
		js	loc_547C70
		jmp	short loc_547C2E
; 

loc_547BE6:				; CODE XREF: XpressDoHuffmanPass+C4j
		mov	cl, byte ptr [ebp+arg_4]
		movzx	edx, di
		mov	edi, [ebp+var_10]
		sub	cl, dl
		shr	di, cl
		mov	cx, dx
		shl	si, cl
		mov	ecx, [ebp+var_8]
		or	di, si
		mov	[ecx], di
		mov	ecx, [ebp+var_C]
		mov	edi, [ebp+var_1C]
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_C], ecx
		add	ecx, 2
		mov	[ebp+var_4], ecx
		add	edi, 10h
		mov	ecx, [ebp+var_18]
		movzx	esi, word ptr [ecx+2]

loc_547C22:				; CODE XREF: XpressDoHuffmanPass+D6j
					; XpressDoHuffmanPass+178j
		mov	edx, [ebp+var_14]
		lea	ecx, [eax+eax]
		test	eax, eax
		mov	eax, ecx
		js	short loc_547C68

loc_547C2E:				; CODE XREF: XpressDoHuffmanPass+54j
		movzx	ecx, byte ptr [ebx]
		inc	ebx
		lea	ecx, [edx+ecx*4]
		mov	[ebp+var_18], ecx
		movzx	ecx, word ptr [ecx]
		movzx	edx, cx
		mov	[ebp+arg_4], ecx
		mov	ecx, [ebp+var_18]
		movzx	ecx, word ptr [ecx+2]
		mov	[ebp+var_10], ecx
		mov	ecx, edi
		sub	ecx, edx
		mov	[ebp+var_1C], ecx
		cmp	edi, edx
		jb	short loc_547BE6
		mov	edi, ecx
		mov	cx, word ptr [ebp+arg_4]
		shl	si, cl
		or	si, word ptr [ebp+var_10]
		movzx	esi, si
		jmp	short loc_547C22
; 

loc_547C68:				; CODE XREF: XpressDoHuffmanPass+9Cj
		test	eax, eax
		jz	loc_547BD0

loc_547C70:				; CODE XREF: XpressDoHuffmanPass+4Ej
		cmp	ebx, [ebp+arg_0]
		jnb	loc_547DCB
		lfence	eax
		mov	cl, [ebx]
		add	edx, 400h
		mov	byte ptr [ebp+arg_4+3],	cl
		inc	ebx
		movzx	ecx, cl
		mov	[ebp+var_24], ecx
		lea	ecx, [edx+ecx*4]
		movzx	edx, word ptr [ecx]
		mov	[ebp+var_20], ecx
		movzx	ecx, word ptr [ecx+2]
		mov	[ebp+var_10], ecx
		mov	ecx, edi
		mov	[ebp+var_18], edx
		movzx	edx, dx
		sub	ecx, edx
		mov	[ebp+var_1C], ecx
		cmp	edi, edx
		jb	short loc_547D0D
		mov	cx, word ptr [ebp+var_18]
		mov	edi, [ebp+var_10]
		shl	si, cl
		or	si, di
		movzx	ecx, si
		mov	esi, [ebp+var_1C]

loc_547CC2:				; CODE XREF: XpressDoHuffmanPass+1B9j
		mov	[ebp+var_10], ecx
		mov	edi, esi
		mov	ecx, [ebp+var_24]
		and	ecx, 0Fh
		cmp	cl, 0Fh
		jz	loc_547D8B

loc_547CD6:				; CODE XREF: XpressDoHuffmanPass+20Aj
					; XpressDoHuffmanPass+230j ...
		mov	cl, byte ptr [ebp+arg_4+3]
		shr	cl, 4
		movzx	edx, cl
		movzx	ecx, cl
		sub	edi, edx
		mov	word ptr [ebp+arg_4+2],	cx
		movzx	ecx, word ptr [ebx]
		mov	[ebp+var_1C], ecx
		cmp	esi, edx
		jb	short loc_547D4E
		mov	cx, word ptr [ebp+arg_4+2]
		mov	edx, [ebp+var_10]
		mov	esi, [ebp+var_1C]
		shl	dx, cl
		or	dx, si
		movzx	esi, dx

loc_547D05:				; CODE XREF: XpressDoHuffmanPass+1F6j
		add	ebx, 2
		jmp	loc_547C22
; 

loc_547D0D:				; CODE XREF: XpressDoHuffmanPass+11Dj
		mov	cl, byte ptr [ebp+var_18]
		movzx	edx, di
		mov	edi, [ebp+var_10]
		sub	cl, dl
		shr	di, cl
		mov	cx, dx
		shl	si, cl
		mov	ecx, [ebp+var_8]
		or	di, si
		mov	esi, [ebp+var_1C]
		mov	[ecx], di
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_C], ecx
		add	ecx, 2
		mov	[ebp+var_4], ecx
		add	esi, 10h
		mov	ecx, [ebp+var_20]
		movzx	ecx, word ptr [ecx+2]
		jmp	loc_547CC2
; 

loc_547D4E:				; CODE XREF: XpressDoHuffmanPass+160j
		mov	cl, byte ptr [ebp+arg_4+2]
		movzx	edx, si
		mov	esi, [ebp+var_1C]
		sub	cl, dl
		shr	si, cl
		mov	cx, dx
		mov	edx, [ebp+var_10]
		shl	dx, cl
		mov	ecx, [ebp+var_8]
		or	si, dx
		mov	[ecx], si
		mov	ecx, [ebp+var_C]
		movzx	esi, word ptr [ebx]
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_C], ecx
		add	ecx, 2
		mov	[ebp+var_4], ecx
		add	edi, 10h
		jmp	loc_547D05
; 

loc_547D8B:				; CODE XREF: XpressDoHuffmanPass+140j
		mov	edx, [ebp+var_4]
		mov	cl, [ebx]
		inc	ebx
		mov	[edx], cl
		inc	edx
		mov	[ebp+var_4], edx
		cmp	cl, 0FFh
		jnz	loc_547CD6
		mov	ecx, [ebp+var_4]
		movzx	edx, word ptr [ebx]
		mov	[ebp+var_24], edx
		mov	[ecx], dl
		mov	edx, [ebp+var_4]
		mov	cl, [ebx+1]
		add	ebx, 2
		add	[ebp+var_4], 2
		cmp	word ptr [ebp+var_24], 0
		mov	[edx+1], cl
		jnz	loc_547CD6
		jmp	loc_5DC12F
; 

loc_547DCB:				; CODE XREF: XpressDoHuffmanPass+E3j
		cmp	[ebp+arg_8], 0
		jz	short loc_547DF8
		movzx	ebx, word ptr [edx+402h]
		movzx	ecx, word ptr [edx+400h]
		mov	[ebp+arg_0], ebx
		mov	eax, ecx
		mov	ebx, edi
		sub	ebx, eax
		cmp	edi, eax
		jb	short loc_547E18
		shl	si, cl
		mov	edi, ebx
		or	si, word ptr [ebp+arg_0]
		movzx	esi, si

loc_547DF8:				; CODE XREF: XpressDoHuffmanPass+23Fj
					; XpressDoHuffmanPass+2BEj
		mov	cx, di
		shl	si, cl
		xor	eax, eax
		mov	ecx, [ebp+var_8]
		pop	edi
		mov	[ecx], si
		mov	ecx, [ebp+var_C]
		pop	esi
		pop	ebx
		mov	[ecx], ax
		mov	eax, [ebp+var_4]
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_547E18:				; CODE XREF: XpressDoHuffmanPass+25Aj
		movzx	eax, di
		mov	edi, [ebp+arg_0]
		sub	cl, al
		shr	di, cl
		mov	cx, ax
		shl	si, cl
		mov	ecx, [ebp+var_8]
		or	di, si
		mov	[ecx], di
		lea	edi, [ebx+10h]
		mov	ecx, [ebp+var_C]
		movzx	esi, word ptr [edx+402h]
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_C], ecx
		add	ecx, 2
		mov	[ebp+var_4], ecx
		jmp	short loc_547DF8
XpressDoHuffmanPass endp

; 

; __stdcall MiResetAccessBitPte(x, x, x)
_MiResetAccessBitPte@12:		; DATA XREF: MiCaptureAndResetWorkingSetAccessBits+69o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	ecx, [ebp+8]
		push	ebx
		mov	ebx, [ebp+0Ch]
		push	esi
		mov	eax, [ecx+48h]
		push	edi
		mov	edi, [ecx+10h]
		mov	edx, [ebx]
		mov	[esp+10h], eax
		mov	dword ptr [esp+18h], 0
		mov	dword ptr [esp+1Ch], 0
		nop
		mov	ecx, [ebx+4]
		mov	eax, edx
		and	eax, 20h
		or	eax, 0
		jz	loc_548060
		nop
		mov	eax, ds:_MmPfnDatabase
		shrd	edx, ecx, 0Ch
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		cmp	dword ptr [ebp+10h], 0
		lea	esi, [eax+ecx*4]
		mov	[esp+14h], esi
		jz	short loc_547EDA
		mov	eax, [esi+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	loc_548060
		mov	edx, ebx
		mov	ecx, edi
		call	_MiIsPageTableLocked@8 ; MiIsPageTableLocked(x,x)
		test	eax, eax
		jnz	loc_548060

loc_547EDA:				; CODE XREF: .text:00547EB6j
		test	dword ptr [esi+18h], 800000h
		jnz	short loc_547F01
		mov	eax, [esi+4]
		test	eax, eax
		js	short loc_547F01
		jz	short loc_547F01
		or	eax, 80000000h
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	_MiDemoteCombinedPte@12	; MiDemoteCombinedPte(x,x,x)
		cmp	eax, 1
		jnz	short loc_547F01
		nop

loc_547F01:				; CODE XREF: .text:00547EE1j
					; .text:00547EE8j ...
		mov	eax, [esp+10h]
		mov	esi, ebx
		shl	esi, 9
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	short loc_547F39
		cmp	esi, ds:_MmHighestUserAddress
		ja	short loc_547F39
		mov	edx, esi
		call	_MiInsertVmAccessedEntry@8 ; MiInsertVmAccessedEntry(x,x)
		test	eax, eax
		jz	loc_548060
		push	dword ptr [ebp+8]
		call	MiResetAccessBitsTail
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_547F39:				; CODE XREF: .text:00547F0Fj
					; .text:00547F17j
		lea	eax, [esi+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_547F93
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	eax, [eax+ecx*4]
		shr	eax, 1
		and	al, 7

loc_547F7C:				; CODE XREF: .text:00547FB2j
		cmp	al, 7
		jnz	short loc_547FCC
		mov	ecx, [esp+14h]
		mov	cl, [ecx+17h]
		test	cl, 8
		jz	short loc_547FB4
		mov	ecx, 5
		jmp	short loc_547FBA
; 

loc_547F93:				; CODE XREF: .text:00547F44j
		movzx	eax, byte ptr [edi+60h]
		mov	ecx, esi
		and	eax, 7
		shr	ecx, 0Ch
		add	ecx, dword_6D2E68[eax*4]
		mov	al, [ecx]
		and	al, 0Fh
		cmp	al, 0Ah
		jz	loc_54806B
		jmp	short loc_547F7C
; 

loc_547FB4:				; CODE XREF: .text:00547F8Aj
		movzx	ecx, cl
		and	ecx, 7

loc_547FBA:				; CODE XREF: .text:00547F91j
		cmp	ecx, dword_6D3158
		jnb	short loc_547FCC
		mov	dword ptr [esp+18h], 0
		jmp	short loc_547FE9
; 

loc_547FCC:				; CODE XREF: .text:00547F7Ej
					; .text:00547FC0j
		mov	dword ptr [esp+18h], 1
		test	al, al
		jz	short loc_547FE9
		cmp	al, 7
		jnb	short loc_547FE9
		push	0
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	MiSetVaAgeList

loc_547FE9:				; CODE XREF: .text:00547FCAj
					; .text:00547FD6j ...
		mov	eax, [esp+10h]
		mov	ecx, edi
		mov	edx, [esp+14h]
		push	0
		mov	esi, [eax+4]
		mov	eax, [eax]
		push	eax
		push	esi
		push	ebx
		call	_MiClearPteAccessed@24 ; MiClearPteAccessed(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_548060
		cmp	dword ptr [esp+18h], 1
		jnz	short loc_54802E
		mov	eax, [esp+10h]
		cmp	dword ptr [eax], 0
		jz	short loc_54802E
		test	esi, esi
		jnz	short loc_548032
		mov	edx, ebx
		mov	ecx, edi
		call	_MiLogPageAccess@8 ; MiLogPageAccess(x,x)
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_54802E:				; CODE XREF: .text:0054800Bj
					; .text:00548014j
		test	esi, esi
		jz	short loc_548060

loc_548032:				; CODE XREF: .text:00548018j
		mov	eax, [esi+0Ch]
		mov	ecx, dword_6D0748
		cmp	eax, [esi+8]
		jnb	short loc_54804B
		cmp	byte ptr [esi+5], 0
		jnz	short loc_54804B
		cmp	[esi+10h], ecx
		jbe	short loc_548060

loc_54804B:				; CODE XREF: .text:0054803Ej
					; .text:00548044j
		cmp	ecx, 400h
		jb	short loc_548060
		cmp	byte ptr [esi+5], 0
		jnz	short loc_548060
		mov	ecx, esi
		call	MiFlushTbList

loc_548060:				; CODE XREF: .text:00547E8Cj
					; .text:00547EC3j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_54806B:				; CODE XREF: .text:00547FACj
		push	ecx
		push	edi
		push	esi
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlDecompressBufferXpressLz proc near	; DATA XREF: .text:00403FA8o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005DC15A SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		cmp	eax, 5
		jb	loc_54841D
		mov	ebx, [ebp+arg_8]
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebx+eax]
		mov	eax, [ebp+arg_4]
		add	eax, edx
		mov	[ebp+arg_C], ecx
		mov	[ebp+var_4], eax
		lea	edi, [ecx-56h]
		add	eax, 0FFFFFEA0h
		mov	[ebp+var_C], edi
		xor	esi, esi
		mov	[ebp+var_8], eax
		mov	[ebp+arg_4], esi
		mov	edi, edi

loc_5480C0:				; CODE XREF: RtlDecompressBufferXpressLz+146j
		mov	ecx, [ebx]
		add	ebx, 4
		cmp	edx, eax
		jnb	loc_548267
		cmp	ebx, edi
		jnb	loc_548267
		lea	eax, ds:1[ecx*2]
		test	ecx, ecx
		js	short loc_5480F0
		jmp	short loc_54813E
; 

loc_5480E2:				; CODE XREF: RtlDecompressBufferXpressLz+C0j
		mov	cl, [ebx]
		mov	[edx], cl
		inc	edx
		inc	ebx

loc_5480E8:				; CODE XREF: RtlDecompressBufferXpressLz+BAj
					; RtlDecompressBufferXpressLz+E0j ...
		add	eax, eax
		jz	loc_5481C0

loc_5480F0:				; CODE XREF: RtlDecompressBufferXpressLz+5Ej
		movzx	edi, word ptr [ebx]
		add	ebx, 2
		mov	esi, edi
		shr	edi, 3
		and	esi, 7
		inc	edi
		cmp	esi, 7
		jz	loc_5481A0

loc_548108:				; CODE XREF: RtlDecompressBufferXpressLz+13Bj
		mov	ecx, edx
		add	esi, 3
		sub	ecx, edi
		mov	[ebp+arg_8], ecx
		cmp	ecx, [ebp+arg_0]
		jb	loc_54841D
		cmp	edi, 4
		jb	loc_548217

loc_548124:				; CODE XREF: RtlDecompressBufferXpressLz+1E2j
		mov	edi, [ebp+arg_8]
		mov	ecx, [ecx]
		mov	[edx], ecx
		mov	ecx, [edi+4]
		mov	[edx+4], ecx
		cmp	esi, 9
		jge	short loc_548162

loc_548136:				; CODE XREF: RtlDecompressBufferXpressLz+113j
		add	edx, esi

loc_548138:				; CODE XREF: RtlDecompressBufferXpressLz+1D9j
		test	eax, eax
		js	short loc_5480E8

loc_54813C:				; CODE XREF: RtlDecompressBufferXpressLz+DEj
		add	eax, eax

loc_54813E:				; CODE XREF: RtlDecompressBufferXpressLz+60j
		test	eax, eax
		js	short loc_5480E2
		add	eax, eax
		js	loc_5481CB
		add	eax, eax
		mov	ecx, [ebx]
		mov	[edx], ecx
		js	loc_5481DC
		add	edx, 4
		add	ebx, 4
		add	eax, eax
		jns	short loc_54813C
		jmp	short loc_5480E8
; 

loc_548162:				; CODE XREF: RtlDecompressBufferXpressLz+B4j
		add	edx, 8
		add	edi, 8
		sub	esi, 8

loc_54816B:				; CODE XREF: RtlDecompressBufferXpressLz+11Ej
		mov	[ebp+var_10], esi
		mov	[ebp+arg_8], edi
		cmp	edx, [ebp+var_8]
		jnb	loc_5483DB
		mov	ecx, [edi]
		mov	[edx], ecx
		mov	ecx, [edi+4]
		mov	[edx+4], ecx
		mov	ecx, [edi+8]
		mov	[edx+8], ecx
		mov	ecx, [edi+0Ch]
		mov	[edx+0Ch], ecx
		cmp	esi, 11h
		jl	short loc_548136
		add	edx, 10h
		add	edi, 10h
		sub	esi, 10h
		jmp	short loc_54816B
; 

loc_5481A0:				; CODE XREF: RtlDecompressBufferXpressLz+82j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_5481E7
		mov	ecx, ebx
		inc	ebx
		mov	[ebp+arg_4], ecx
		movzx	esi, byte ptr [ecx]
		and	esi, 0Fh

loc_5481B3:				; CODE XREF: RtlDecompressBufferXpressLz+174j
		cmp	esi, 0Fh
		jz	short loc_5481F6

loc_5481B8:				; CODE XREF: RtlDecompressBufferXpressLz+195j
		add	esi, 7
		jmp	loc_548108
; 

loc_5481C0:				; CODE XREF: RtlDecompressBufferXpressLz+6Aj
		mov	eax, [ebp+var_8]
		mov	edi, [ebp+var_C]
		jmp	loc_5480C0
; 

loc_5481CB:				; CODE XREF: RtlDecompressBufferXpressLz+C4j
		mov	cx, [ebx]
		mov	[edx], cx
		add	edx, 2
		add	ebx, 2
		jmp	loc_5480E8
; 

loc_5481DC:				; CODE XREF: RtlDecompressBufferXpressLz+D0j
		add	edx, 3
		add	ebx, 3
		jmp	loc_5480E8
; 

loc_5481E7:				; CODE XREF: RtlDecompressBufferXpressLz+125j
		movzx	esi, byte ptr [ecx]
		shr	esi, 4
		mov	[ebp+arg_4], 0
		jmp	short loc_5481B3
; 

loc_5481F6:				; CODE XREF: RtlDecompressBufferXpressLz+136j
		lea	ecx, [ebx+7]
		cmp	ecx, [ebp+var_C]
		jnb	loc_54836B
		movzx	esi, byte ptr [ebx]
		inc	ebx
		cmp	esi, 0FFh
		jz	loc_5483F6

loc_548212:				; CODE XREF: RtlDecompressBufferXpressLz+391j
		add	esi, 0Fh
		jmp	short loc_5481B8
; 

loc_548217:				; CODE XREF: RtlDecompressBufferXpressLz+9Ej
		movzx	ecx, byte ptr [ecx]
		mov	[edx], cl
		sub	edi, 1
		jz	short loc_54823C
		sub	edi, 1
		jnz	loc_54839A
		mov	ecx, [ebp+arg_8]
		movzx	ecx, byte ptr [ecx+1]
		mov	[edx+1], cl
		lea	ecx, [edi+2]
		lea	edi, [ecx-4]
		jmp	short loc_548255
; 

loc_54823C:				; CODE XREF: RtlDecompressBufferXpressLz+19Fj
		mov	edi, [ebp+arg_8]
		movzx	ecx, byte ptr [edi]
		mov	[edx+1], cl
		movzx	ecx, byte ptr [edi]

loc_548248:				; CODE XREF: RtlDecompressBufferXpressLz+328j
		mov	[edx+2], cl
		mov	edi, 0FFFFFFFDh
		mov	ecx, 3

loc_548255:				; CODE XREF: RtlDecompressBufferXpressLz+1BAj
		add	edx, ecx
		add	esi, edi
		jz	loc_548138
		mov	ecx, [ebp+arg_8]
		jmp	loc_548124
; 

loc_548267:				; CODE XREF: RtlDecompressBufferXpressLz+47j
					; RtlDecompressBufferXpressLz+4Fj
		mov	edi, [ebp+arg_C]
		jmp	short loc_54827C
; 

loc_54826C:				; CODE XREF: RtlDecompressBufferXpressLz+258j
		lea	eax, [ebx+3]
		cmp	eax, edi
		jnb	loc_54841D
		mov	ecx, [ebx]
		add	ebx, 4

loc_54827C:				; CODE XREF: RtlDecompressBufferXpressLz+1EAj
		lea	eax, ds:1[ecx*2]
		test	ecx, ecx
		js	short loc_5482DA

loc_548287:				; CODE XREF: RtlDecompressBufferXpressLz+2B0j
		test	eax, eax
		js	short loc_5482BF
		jmp	short loc_548290
; 
		align 10h

loc_548290:				; CODE XREF: RtlDecompressBufferXpressLz+20Bj
					; RtlDecompressBufferXpressLz+23Aj
		lea	edi, [ebx+2]
		add	eax, eax
		cmp	edi, [ebp+arg_C]
		ja	loc_54841D
		lea	esi, [edx+2]
		cmp	esi, [ebp+var_4]
		ja	loc_54841D
		mov	cx, [ebx]
		mov	ebx, edi
		mov	[edx], cx
		mov	edx, esi
		test	eax, eax
		js	short loc_548335
		add	eax, eax
		jns	short loc_548290
		mov	edi, [ebp+arg_C]

loc_5482BF:				; CODE XREF: RtlDecompressBufferXpressLz+209j
		cmp	ebx, edi
		jnb	loc_54841D
		cmp	edx, [ebp+var_4]
		jnb	loc_54841D
		mov	cl, [ebx]
		mov	[edx], cl
		inc	edx
		inc	ebx

loc_5482D6:				; CODE XREF: RtlDecompressBufferXpressLz+2ACj
					; RtlDecompressBufferXpressLz+2B8j
		add	eax, eax
		jz	short loc_54826C

loc_5482DA:				; CODE XREF: RtlDecompressBufferXpressLz+205j
		cmp	ebx, edi
		jz	loc_548387
		lea	ecx, [ebx+1]
		cmp	ecx, edi
		jnb	loc_5DC172
		movzx	edi, word ptr [ebx]
		add	ebx, 2
		mov	ecx, edi
		shr	edi, 3
		and	ecx, 7
		inc	edi
		cmp	ecx, 7
		jz	short loc_54833A

loc_548301:				; CODE XREF: RtlDecompressBufferXpressLz+2DCj
		mov	esi, edx
		add	ecx, 3
		sub	esi, edi
		cmp	esi, [ebp+arg_0]
		jb	loc_54841D
		lea	edi, [ecx+edx]
		mov	[ebp+arg_8], edi
		cmp	edi, [ebp+var_4]
		ja	loc_54841D
		mov	edi, edx
		mov	edx, [ebp+arg_8]

loc_548325:				; CODE XREF: RtlDecompressBufferXpressLz+371j
		rep movsb
		mov	edi, [ebp+arg_C]
		test	eax, eax
		js	short loc_5482D6
		add	eax, eax
		jmp	loc_548287
; 

loc_548335:				; CODE XREF: RtlDecompressBufferXpressLz+236j
		mov	edi, [ebp+arg_C]
		jmp	short loc_5482D6
; 

loc_54833A:				; CODE XREF: RtlDecompressBufferXpressLz+27Fj
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_54835E
		cmp	ebx, [ebp+arg_C]
		jnb	loc_54841D
		movzx	ecx, byte ptr [ebx]
		mov	[ebp+arg_4], ebx
		inc	ebx
		and	ecx, 0Fh

loc_548354:				; CODE XREF: RtlDecompressBufferXpressLz+2E9j
		cmp	ecx, 0Fh
		jz	short loc_54836B

loc_548359:				; CODE XREF: RtlDecompressBufferXpressLz+305j
		add	ecx, 7
		jmp	short loc_548301
; 

loc_54835E:				; CODE XREF: RtlDecompressBufferXpressLz+2BFj
		movzx	ecx, byte ptr [ecx]
		shr	ecx, 4
		xor	esi, esi
		mov	[ebp+arg_4], esi
		jmp	short loc_548354
; 

loc_54836B:				; CODE XREF: RtlDecompressBufferXpressLz+17Cj
					; RtlDecompressBufferXpressLz+2D7j
		mov	esi, [ebp+arg_C]
		cmp	ebx, esi
		jnb	loc_54841D
		movzx	ecx, byte ptr [ebx]
		inc	ebx
		cmp	ecx, 0FFh
		jz	short loc_5483AD

loc_548382:				; CODE XREF: RtlDecompressBufferXpressLz+359j
		add	ecx, 0Fh
		jmp	short loc_548359
; 

loc_548387:				; CODE XREF: RtlDecompressBufferXpressLz+25Cj
					; RtlDecompressBufferXpressLz+940FBj
		mov	eax, [ebp+arg_14]
		sub	edx, [ebp+arg_0]
		mov	[eax], edx
		xor	eax, eax

loc_548391:				; CODE XREF: RtlDecompressBufferXpressLz+3A2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_54839A:				; CODE XREF: RtlDecompressBufferXpressLz+1A4j
		mov	edi, [ebp+arg_8]
		movzx	ecx, byte ptr [edi+1]
		mov	[edx+1], cl
		movzx	ecx, byte ptr [edi+2]
		jmp	loc_548248
; 

loc_5483AD:				; CODE XREF: RtlDecompressBufferXpressLz+300j
		lea	ecx, [ebx+1]
		cmp	ecx, esi
		jnb	short loc_54841D
		movzx	ecx, word ptr [ebx]
		add	ebx, 2
		mov	[ebp+arg_8], ecx
		test	ecx, ecx
		jz	loc_5DC15A

loc_5483C5:				; CODE XREF: RtlDecompressBufferXpressLz+940EDj
		cmp	ecx, 16h
		jl	short loc_54841D
		add	ecx, 3
		add	ecx, edx
		cmp	ecx, edx
		jb	short loc_54841D
		mov	ecx, [ebp+arg_8]
		sub	ecx, 16h
		jmp	short loc_548382
; 

loc_5483DB:				; CODE XREF: RtlDecompressBufferXpressLz+F4j
		lea	ecx, [esi+edx]
		mov	[ebp+var_C], ecx
		cmp	ecx, [ebp+var_4]
		ja	short loc_54841D
		mov	esi, [ebp+arg_8]
		mov	edi, edx
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+var_C]
		jmp	loc_548325
; 

loc_5483F6:				; CODE XREF: RtlDecompressBufferXpressLz+18Cj
		movzx	esi, word ptr [ebx]
		add	ebx, 2
		test	esi, esi
		jz	short loc_548416

loc_548400:				; CODE XREF: RtlDecompressBufferXpressLz+39Bj
		cmp	esi, 16h
		jl	short loc_54841D
		lea	ecx, [edx+3]
		add	ecx, esi
		cmp	ecx, edx
		jb	short loc_54841D
		sub	esi, 16h
		jmp	loc_548212
; 

loc_548416:				; CODE XREF: RtlDecompressBufferXpressLz+37Ej
		mov	esi, [ebx]
		add	ebx, 4
		jmp	short loc_548400
; 

loc_54841D:				; CODE XREF: RtlDecompressBufferXpressLz+11j
					; RtlDecompressBufferXpressLz+95j ...
		mov	eax, 0C0000242h
		jmp	loc_548391
RtlDecompressBufferXpressLz endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiRemoveLowestPriorityStandbyPage(x, x, x)
_MiRemoveLowestPriorityStandbyPage@12 proc near	; CODE XREF: MiGetPage+618p
					; MiPurgePartitionStandby+8Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 40h
		xor	eax, eax
		mov	[ebp-0Ch], ecx
		mov	[ebp-3Ch], eax
		mov	[ebp-38h], eax
		mov	[ebp-34h], eax
		lea	eax, [edx+50h]
		push	esi
		lea	eax, [eax+eax*4]
		push	edi
		lea	eax, [ecx+eax*4]
		lea	edi, [ecx+640h]
		mov	[ebp-14h], eax
		cmp	edi, eax
		jnb	loc_5488A9
		mov	eax, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		lea	esi, [edi+10h]
		mov	[ebp-10h], eax
		mov	eax, [ebp-14h]
		mov	[ebp-18h], esi
		jmp	short loc_548490
; 
		align 10h

loc_548490:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+56j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+473j
		cmp	dword ptr [edi+8], offset loc_7FFFFF
		jz	loc_548898
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[ebp-1], al
		mov	[ebp-38h], esi
		mov	dword ptr [ebp-3Ch], 0
		jz	short loc_5484C7
		mov	edx, esi
		lea	ecx, [ebp-3Ch]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5484D8
; 

loc_5484C7:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+89j
		lea	edx, [ebp-3Ch]
		xchg	edx, [esi]
		test	edx, edx
		jz	short loc_5484D8
		lea	ecx, [ebp-3Ch]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5484D8:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+95j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+9Ej
		mov	ecx, [edi+8]
		mov	[ebp-1Ch], ecx
		cmp	ecx, offset loc_7FFFFF
		jnz	short loc_548541
		test	ds:byte_70EFC6,	1
		jz	short loc_548505
		mov	edx, [ebx+4]
		lea	ecx, [ebp-3Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		mov	cl, [ebp-1]
		call	dword ptr [ebp-10h]
		jmp	loc_548895
; 

loc_548505:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+BDj
		mov	eax, [ebp-3Ch]
		test	eax, eax
		jnz	short loc_548524
		mov	edx, [ebp-38h]
		lea	eax, [ebp-3Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-3Ch]
		cmp	eax, ecx
		jz	short loc_548536
		call	KxWaitForLockChainValid

loc_548524:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+DAj
		mov	dword ptr [ebp-3Ch], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_548536:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+EDj
		mov	cl, [ebp-1]
		call	dword ptr [ebp-10h]
		jmp	loc_548895
; 

loc_548541:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+B4j
		mov	edx, ds:_MmPfnDatabase
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		mov	[ebp-2Ch], edx
		lea	edx, [edx+eax*4]
		mov	eax, dword_6D3250
		mov	[ebp-8], edx
		cmp	ecx, eax
		jb	loc_548651
		add	eax, 800h
		cmp	ecx, eax
		jnb	loc_548651
		mov	eax, dword_6D0700
		mov	[ebp-20h], edx
		mov	[ebp-24h], ecx
		mov	ecx, [edx+8]
		mov	edx, [edx+0Ch]
		mov	[ebp-8], edx
		mov	edx, dword_6D0704
		mov	[ebp-28h], eax
		or	eax, edx
		mov	[ebp-1Ch], edx
		mov	edx, [ebp-8]
		jz	short loc_5485B1
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_5485B1
		mov	eax, [ebp-28h]
		not	dword ptr [ebp-1Ch]
		not	eax
		and	ecx, eax
		and	edx, [ebp-1Ch]

loc_5485B1:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+168j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+172j
		shrd	ecx, edx, 0Ch
		mov	edx, [ebp-2Ch]
		and	ecx, 3FFFFFFh
		mov	[ebp-1Ch], ecx
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		lea	edx, [edx+eax*4]
		mov	[ebp-8], edx
		cmp	ecx, [ebp-24h]
		jnz	loc_54865F
		mov	ecx, [ebp-20h]
		mov	edx, 1
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		mov	ecx, [ebp-20h]
		mov	al, [ecx+17h]
		and	al, 0F7h
		mov	[ecx+17h], al
		call	_MiRemoveDecayClusterTimer@4 ; MiRemoveDecayClusterTimer(x)
		test	ds:byte_70EFC6,	1
		jz	short loc_548615
		mov	edx, [ebx+4]
		lea	ecx, [ebp-3Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		mov	cl, [ebp-1]
		call	dword ptr [ebp-10h]
		jmp	loc_54888F
; 

loc_548615:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+1CDj
		mov	eax, [ebp-3Ch]
		test	eax, eax
		jnz	short loc_548634
		mov	edx, [ebp-38h]
		lea	eax, [ebp-3Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-3Ch]
		cmp	eax, ecx
		jz	short loc_548646
		call	KxWaitForLockChainValid

loc_548634:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+1EAj
		mov	dword ptr [ebp-3Ch], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_548646:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+1FDj
		mov	cl, [ebp-1]
		call	dword ptr [ebp-10h]
		jmp	loc_54888F
; 

loc_548651:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+130j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+13Dj
		mov	dword ptr [ebp-20h], 0
		mov	dword ptr [ebp-24h], offset loc_7FFFFF

loc_54865F:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+1A3j
		lea	esi, [edx+10h]
		mov	[ebp-2Ch], esi
		lock bts dword ptr [esi], 1Fh
		jnb	loc_5487DB
		test	ds:byte_70EFC6,	1
		jz	short loc_548686
		mov	edx, [ebx+4]
		lea	ecx, [ebp-3Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5486B7
; 

loc_548686:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+247j
		mov	eax, [ebp-3Ch]
		test	eax, eax
		jnz	short loc_5486A5
		mov	edx, [ebp-38h]
		lea	eax, [ebp-3Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-3Ch]
		cmp	eax, ecx
		jz	short loc_5486B7
		call	KxWaitForLockChainValid

loc_5486A5:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+25Bj
		mov	dword ptr [ebp-3Ch], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_5486B7:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+254j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+26Ej
		mov	dword ptr [ebp-30h], 0
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_5486D9

loc_5486C5:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+2A0j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+2A7j
		lea	ecx, [ebp-30h]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_5486C5
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5486C5

loc_5486D9:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+293j
		mov	ecx, [ebp-8]
		mov	al, [ecx+16h]
		and	al, 7
		cmp	al, 2
		jnz	loc_54887E
		cmp	dword ptr [ebp-0Ch], offset _MiSystemPartition
		jnz	loc_54887E
		test	ds:byte_70EFC6,	21h
		mov	eax, [ebp-18h]
		mov	[ebp-38h], eax
		mov	dword ptr [ebp-3Ch], 0
		jz	short loc_548718
		mov	edx, eax
		lea	ecx, [ebp-3Ch]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_548729
; 

loc_548718:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+2DAj
		lea	edx, [ebp-3Ch]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_548729
		lea	ecx, [ebp-3Ch]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_548729:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+2E6j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+2EFj
		mov	edx, [ebp-20h]
		mov	eax, [edi+8]
		test	edx, edx
		jz	loc_5487D3
		cmp	[ebp-24h], eax
		jnz	short loc_548780
		mov	eax, dword_6D0700
		mov	esi, dword_6D0704
		mov	ecx, [edx+8]
		mov	edx, [edx+0Ch]
		mov	[ebp-28h], eax
		or	eax, esi
		mov	[ebp-24h], esi
		mov	esi, [ebp-2Ch]
		jz	short loc_548771
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_548771
		mov	eax, [ebp-28h]
		not	dword ptr [ebp-24h]
		not	eax
		and	ecx, eax
		and	edx, [ebp-24h]

loc_548771:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+328j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+332j
		shrd	ecx, edx, 0Ch
		and	ecx, 3FFFFFFh
		cmp	[ebp-1Ch], ecx

loc_54877E:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+3A6j
		jz	short loc_5487D8

loc_548780:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+30Aj
		test	ds:byte_70EFC6,	1
		jz	short loc_548799
		mov	edx, [ebx+4]
		lea	ecx, [ebp-3Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_54887E
; 

loc_548799:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+357j
		mov	eax, [ebp-3Ch]
		test	eax, eax
		jnz	short loc_5487BC
		mov	edx, [ebp-38h]
		lea	eax, [ebp-3Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-3Ch]
		cmp	eax, ecx
		jz	loc_54887E
		call	KxWaitForLockChainValid

loc_5487BC:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+36Ej
		mov	dword ptr [ebp-3Ch], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_54887E
; 

loc_5487D3:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+301j
		cmp	[ebp-1Ch], eax
		jmp	short loc_54877E
; 

loc_5487D8:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x):loc_54877Ej
		mov	edx, [ebp-8]

loc_5487DB:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+23Aj
		cmp	byte_6D5872, 0
		jz	loc_5488B7
		mov	ecx, edx
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		mov	eax, dword_6D5BBC
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		shr	ecx, 9
		mov	edx, ecx
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jz	loc_5488B7
		mov	ecx, [ebp-8]
		mov	edx, 1
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_548843
		mov	edx, [ebx+4]
		lea	ecx, [ebp-3Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_548874
; 

loc_548843:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+404j
		mov	eax, [ebp-3Ch]
		test	eax, eax
		jnz	short loc_548862
		mov	edx, [ebp-38h]
		lea	eax, [ebp-3Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-3Ch]
		cmp	eax, ecx
		jz	short loc_548874
		call	KxWaitForLockChainValid

loc_548862:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+418j
		mov	dword ptr [ebp-3Ch], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_548874:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+411j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+42Bj
		mov	ecx, [ebp-8]
		xor	edx, edx
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)

loc_54887E:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+2B3j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+2C0j ...
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, [ebp-1]
		call	dword ptr [ebp-10h]
		mov	esi, [ebp-18h]

loc_54888F:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+1E0j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+21Cj
		sub	edi, 14h
		sub	esi, 14h

loc_548895:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+D0j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+10Cj
		mov	eax, [ebp-14h]

loc_548898:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+67j
		add	edi, 14h
		add	esi, 14h
		mov	[ebp-18h], esi
		cmp	edi, eax
		jb	loc_548490

loc_5488A9:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+3Fj
		or	eax, 0FFFFFFFFh
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_5488B7:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+3B2j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+3EAj
		mov	eax, [edi]
		test	eax, eax
		jz	loc_548C80
		dec	eax
		mov	[edi], eax
		cmp	dword_6D3034, 1
		jnz	loc_54895A
		mov	ecx, [ebp-1Ch]
		mov	eax, dword_6D3068
		shr	ecx, 5
		mov	dword ptr [ebp-24h], 1
		lea	esi, [eax+ecx*4]
		mov	ecx, [ebp-1Ch]
		and	ecx, 1Fh
		mov	[ebp-2Ch], ecx
		lea	eax, [ecx+1]
		cmp	eax, 20h
		ja	short loc_548900
		mov	eax, 1
		shl	eax, cl
		jmp	short loc_548957
; 

loc_548900:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+4C5j
		test	ecx, ecx
		jz	short loc_54894C
		mov	edx, 20h
		mov	eax, 1
		sub	edx, ecx
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [ebp-2Ch]
		dec	eax
		shl	eax, cl
		lock or	[esi], eax
		mov	eax, 1
		add	esi, 4
		sub	eax, edx
		mov	[ebp-24h], eax
		cmp	eax, 20h
		jb	short loc_548948
		mov	ecx, eax
		shr	ecx, 5

loc_548934:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+513j
		mov	dword ptr [esi], 0FFFFFFFFh
		sub	eax, 20h
		add	esi, 4
		sub	ecx, 1
		jnz	short loc_548934
		mov	[ebp-24h], eax

loc_548948:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+4FDj
		test	eax, eax
		jz	short loc_54895A

loc_54894C:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+4D2j
		mov	ecx, [ebp-24h]
		mov	eax, 1
		shl	eax, cl
		dec	eax

loc_548957:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+4CEj
		lock or	[esi], eax

loc_54895A:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+49Bj
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+51Aj
		mov	ecx, [ebp-8]
		mov	edx, [ecx+10h]
		lea	eax, [ecx+10h]
		mov	esi, [ecx]
		and	edx, offset loc_7FFFFF
		test	byte ptr [ecx+17h], 8
		mov	[ebp-2Ch], esi
		mov	[ebp-20h], eax
		mov	[ebp-28h], edx
		jz	short loc_5489F3
		mov	ecx, edx
		call	_MiIsDecayPfn@4	; MiIsDecayPfn(x)
		cmp	eax, 1
		jnz	short loc_5489A2
		cmp	esi, edx
		jnz	short loc_5489A2
		mov	ecx, [ebp-8]
		call	_MiDeleteParentDecayNode@4 ; MiDeleteParentDecayNode(x)
		mov	ecx, [ebp-8]
		mov	al, [ecx+17h]
		and	al, 0F7h
		mov	[ecx+17h], al
		jmp	loc_548A41
; 

loc_5489A2:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+554j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+558j
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edx*8]
		mov	edi, [ebp-2Ch]
		sub	ecx, edx
		lea	esi, [eax+ecx*4]
		mov	ecx, edi
		mov	eax, [esi+0Ch]
		push	eax
		mov	eax, [esi+8]
		push	eax
		call	_MiUpdateTransitionPteFrame@12 ; MiUpdateTransitionPteFrame(x,x,x)
		mov	[esi+0Ch], edx
		lea	ecx, ds:0[edi*8]
		mov	edx, [ebp-28h]
		sub	ecx, edi
		mov	[esi+8], eax
		mov	eax, ds:_MmPfnDatabase
		push	0
		lea	ecx, [eax+ecx*4]
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		mov	ecx, [ebp-8]
		mov	al, [ecx+17h]
		and	al, 0F7h
		mov	[ecx+17h], al
		jmp	short loc_548A41
; 

loc_5489F3:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+548j
		mov	[edi+8], esi
		cmp	esi, offset loc_7FFFFF
		jz	short loc_548A3A
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		add	eax, 10h
		lea	esi, [eax+ecx*4]
		mov	ecx, [esi]
		mov	edx, ecx
		or	edx, offset loc_7FFFFF
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	ecx, eax
		jz	short loc_548A41

loc_548A26:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+606j
		mov	edx, eax
		mov	ecx, eax
		or	edx, offset loc_7FFFFF
		lock cmpxchg [esi], edx
		cmp	ecx, eax
		jnz	short loc_548A26
		jmp	short loc_548A41
; 

loc_548A3A:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+5CCj
		mov	dword ptr [edi+0Ch], offset loc_7FFFFF

loc_548A41:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+56Dj
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+5C1j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_548A57
		mov	edx, [ebx+4]
		lea	ecx, [ebp-3Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_548A88
; 

loc_548A57:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+618j
		mov	eax, [ebp-3Ch]
		test	eax, eax
		jnz	short loc_548A76
		mov	edx, [ebp-38h]
		lea	eax, [ebp-3Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-3Ch]
		cmp	eax, ecx
		jz	short loc_548A88
		call	KxWaitForLockChainValid

loc_548A76:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+62Cj
		mov	dword ptr [ebp-3Ch], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_548A88:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+625j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+63Fj
		mov	ecx, [ebp-0Ch]
		or	esi, 0FFFFFFFFh
		lock xadd [ecx+0FC0h], esi
		dec	esi
		cmp	esi, [ecx+0B2Ch]
		jz	short loc_548AA7
		cmp	esi, [ecx+0B30h]
		jnz	short loc_548AAF

loc_548AA7:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+66Dj
		call	MiUpdateAvailableEvents
		mov	ecx, [ebp-0Ch]

loc_548AAF:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+675j
		lea	edi, [esi+1]
		cmp	esi, 420h
		ja	short loc_548AFD
		mov	eax, [ecx+0F00h]
		test	eax, eax
		jz	short loc_548ACB
		mov	al, [eax+2Ch]
		test	al, al
		jnz	short loc_548AD3

loc_548ACB:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+692j
		call	_MiObtainFreePages@4 ; MiObtainFreePages(x)
		mov	ecx, [ebp-0Ch]

loc_548AD3:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+699j
		cmp	esi, 0A0h
		jnb	short loc_548AFD
		cmp	edi, 0A0h
		jb	short loc_548AFD
		mov	eax, [ecx+2C0h]
		test	eax, eax
		jz	short loc_548AFD
		push	0
		push	0
		lea	eax, [ecx+260h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_548AFD:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+688j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+6A9j ...
		cmp	esi, 9Fh
		jb	short loc_548B0C
		mov	esi, 1
		jmp	short loc_548B73
; 

loc_548B0C:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+6D3j
		mov	ecx, [ebx+8]
		test	ecx, 2000h
		jz	short loc_548B1E
		mov	esi, 1
		jmp	short loc_548B73
; 

loc_548B1E:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+6E5j
		mov	eax, large fs:124h
		mov	edx, [eax+300h]
		mov	eax, edx
		and	al, 0Ch
		cmp	al, 8
		jnz	short loc_548B39
		mov	esi, 1
		jmp	short loc_548B73
; 

loc_548B39:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+700j
		mov	eax, [ebp-0Ch]
		cmp	esi, 20h
		jnb	short loc_548B4C
		cmp	eax, offset _MiSystemPartition
		jnz	short loc_548B4C
		xor	esi, esi
		jmp	short loc_548B73
; 

loc_548B4C:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+70Fj
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+716j
		test	cl, 4
		jz	short loc_548B58
		mov	esi, 1
		jmp	short loc_548B73
; 

loc_548B58:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+71Fj
		test	dl, 2
		jz	short loc_548B69
		cmp	esi, 21h
		jb	short loc_548B69
		mov	esi, 1
		jmp	short loc_548B73
; 

loc_548B69:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+72Bj
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+730j
		movzx	esi, byte ptr [eax+4]
		shr	esi, 5
		and	esi, 1

loc_548B73:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+6DAj
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+6ECj ...
		mov	edi, [ebp-20h]
		xor	edx, edx
		mov	ecx, [ebp-8]
		and	dword ptr [edi], 0FF800000h
		call	_MiRestoreTransitionPte@8 ; MiRestoreTransitionPte(x,x)
		mov	edx, [ebp-8]
		mov	ecx, edx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFEC0h
		add	eax, 0B00h
		add	eax, [ebp-0Ch]
		lock dec dword ptr [eax]
		mov	al, [edx+16h]
		and	dword ptr [edx+18h], 7FFFFFFFh
		and	al, 0C7h
		mov	[edx+16h], al
		mov	al, [edx+17h]
		and	al, 0DFh
		mov	dword ptr [edx], 0
		mov	[edx+17h], al
		mov	al, [edx+16h]
		and	al, 0FDh
		or	al, 5
		mov	[edx+16h], al
		mov	eax, ds:_ZeroPte
		mov	[edx+8], eax
		mov	eax, ds:dword_40F9FC
		mov	[edx+0Ch], eax
		mov	ecx, [edx+8]
		mov	edx, eax
		mov	eax, ecx
		or	eax, edx
		jnz	short loc_548C26
		mov	eax, dword_6D0704
		xor	edx, edx
		mov	edi, dword_6D0700
		mov	ecx, 80h
		mov	[ebp-24h], eax
		mov	eax, edi
		or	eax, [ebp-24h]
		jz	short loc_548C21
		mov	eax, edi
		and	eax, ecx
		or	eax, edx
		jnz	short loc_548C1A
		mov	edx, [ebp-24h]
		mov	ecx, edi
		mov	edi, [ebp-20h]
		or	ecx, 80h
		jmp	short loc_548C32
; 

loc_548C1A:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+7D8j
		mov	ecx, 90h
		xor	edx, edx

loc_548C21:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+7D0j
		mov	edi, [ebp-20h]
		jmp	short loc_548C32
; 

loc_548C26:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+7B4j
		and	ecx, 0FFFFFC9Fh
		or	ecx, 80h

loc_548C32:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+7E8j
					; MiRemoveLowestPriorityStandbyPage(x,x,x)+7F4j
		mov	eax, [ebp-8]
		mov	[eax+8], ecx
		mov	[eax+0Ch], edx
		test	esi, esi
		jnz	short loc_548C64
		xor	edx, edx
		mov	ecx, eax
		call	_MiReturnFreeZeroPage@8	; MiReturnFreeZeroPage(x,x)
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, [ebp-1]
		call	dword ptr [ebp-10h]
		or	eax, 0FFFFFFFFh
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_548C64:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+80Dj
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, [ebp-1]
		call	dword ptr [ebp-10h]
		mov	eax, [ebp-1Ch]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_548C80:				; CODE XREF: MiRemoveLowestPriorityStandbyPage(x,x,x)+48Bj
		mov	ecx, [ebp-0Ch]
		push	0
		call	_MiGetAvailablePagesExcludeSlists@4 ; MiGetAvailablePagesExcludeSlists(x)
		push	eax
		push	edi
		push	1
		push	4Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MiRemoveLowestPriorityStandbyPage@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmLazyRegionsWorker proc	near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+242p
					; ST_STORE_SM_TRAITS___StDmCleanup+F9892p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00548EE0 SIZE 0000000E BYTES
; FUNCTION CHUNK AT 005DC180 SIZE 000000D3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	ecx, [ebp+arg_0]
		mov	ebx, edx
		mov	[ebp+var_4], esi
		mov	edx, edi
		mov	[ebp+var_8], edx
		mov	[ebp+var_10], edi
		test	ecx, ecx
		jz	short loc_548CCF
		push	0FFFFFFFEh
		lea	eax, [ecx+8]
		pop	esi
		lock and [eax],	si
		mov	esi, [ebp+var_4]
		mov	eax, 0FFFEh
		and	[ecx+0Ah], ax

loc_548CCF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+21j
		and	ebx, 1
		mov	[ebp+var_1C], ebx
		mov	ebx, edi

loc_548CD7:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+11Fj
					; ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+1C0j
		mov	eax, [esi+1DCh]
		mov	[ebp+var_18], eax
		cmp	eax, ebx
		jbe	loc_548E97
		mov	ecx, [esi+1E0h]
		dec	eax
		shr	eax, 5
		mov	edi, ebx
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_C], eax
		mov	eax, ebx
		shr	eax, 5
		lea	edx, [ecx+eax*4]
		cmp	edx, [ebp+var_C]
		jz	short loc_548D3A
		mov	ecx, ebx
		and	ecx, 1Fh
		mov	[ebp+var_14], ecx
		mov	ecx, ds:dword_40BA68[ecx*4]
		or	ecx, [edx]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_548D3A
		sub	edi, [ebp+var_14]
		mov	ebx, [ebp+var_C]
		add	edi, 20h
		add	edx, 4

loc_548D29:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+A2j
		cmp	edx, ebx
		jnb	short loc_548D3D
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	short loc_548D3D
		add	edx, 4
		add	edi, 20h
		jmp	short loc_548D29
; 

loc_548D3A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+6Fj
					; ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+85j
		mov	ebx, [ebp+var_C]

loc_548D3D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+95j
					; ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+9Aj
		mov	eax, [ebp+var_18]
		cmp	edi, eax
		jnb	short loc_548D54
		mov	ecx, [esi+1E0h]

loc_548D4A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+BCj
		bt	[ecx], edi
		jnb	short loc_548D54
		inc	edi
		cmp	edi, eax
		jb	short loc_548D4A

loc_548D54:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+ACj
					; ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+B7j
		xor	esi, esi
		cmp	edx, ebx
		jz	short loc_548D72
		mov	ecx, [edx]
		mov	ebx, edi
		and	ebx, 1Fh
		mov	eax, ds:dword_40BA68[ebx*4]
		not	eax
		and	eax, ecx
		jz	loc_548EBF

loc_548D72:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+C2j
					; ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+245j ...
		mov	eax, [ebp+var_4]
		lea	ecx, [esi+edi]
		mov	edx, [eax+1DCh]
		cmp	ecx, edx
		jnb	short loc_548D91
		mov	eax, [eax+1E0h]

loc_548D88:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+1D8j
		bt	[eax], ecx
		jnb	loc_548E61

loc_548D91:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+EAj
					; ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+1CEj ...
		mov	ebx, edi
		cmp	esi, 0FFFFFFFFh
		ja	loc_5DC19D

loc_548D9C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+9350Aj
		mov	edx, [ebp+var_8]
		test	esi, esi
		jz	loc_548E92
		lea	eax, [esi+edi]
		mov	esi, [ebp+var_4]
		push	0
		cmp	edi, eax
		mov	[ebp+var_18], eax
		pop	edi
		jnb	loc_548CD7

loc_548DBB:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+1C6j
		mov	eax, [ebp+var_10]
		mov	esi, [ebp+var_4]
		inc	eax
		mov	[ebp+var_10], eax
		test	al, 0Fh
		jz	loc_5DC1A5

loc_548DCD:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+93513j
					; ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+93531j
		cmp	byte ptr [esi+1ACh], 0
		jnz	loc_548E79
		mov	eax, [esi+240h]
		movzx	ecx, word ptr [eax+ebx*2]
		shr	ecx, 0Dh
		xor	edi, edi

loc_548DE9:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+1E7j
		imul	eax, ecx, 0Ch
		cmp	ebx, [eax+esi+2B4h]
		jz	short loc_548DF8
		push	8
		pop	ecx

loc_548DF8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+15Dj
		cmp	ecx, 8
		jnz	short loc_548E37
		mov	eax, [esi+240h]
		mov	edx, 1FFFh
		mov	ecx, [esi+1C0h]
		test	[eax+ebx*2], dx
		jnz	short loc_548E82
		test	byte ptr [ecx+10F5h], 4
		jz	loc_5DC1D9
		mov	eax, [ebp+var_1C]
		mov	edx, ebx
		or	eax, 2
		push	eax
		call	SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion

loc_548E2F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+9356Bj
		test	eax, eax
		js	loc_5DC206

loc_548E37:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+165j
					; ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+1F5j ...
		mov	edx, ebx
		mov	eax, ebx
		shr	edx, 3
		and	eax, 7
		add	edx, [esi+1E0h]
		movsx	ecx, byte ptr [edx]
		bts	ecx, eax
		mov	[edx], cl
		mov	edx, [ebp+var_8]

loc_548E52:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+93576j
		inc	ebx
		cmp	ebx, [ebp+var_18]
		jnb	loc_548CD7
		jmp	loc_548DBB
; 

loc_548E61:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+F5j
		cmp	esi, 0FFFFFFFFh
		jnb	loc_548D91
		inc	ecx
		inc	esi
		cmp	ecx, edx
		jb	loc_548D88
		jmp	loc_548D91
; 

loc_548E79:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+13Ej
		xor	edi, edi
		mov	ecx, edi
		jmp	loc_548DE9
; 

loc_548E82:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+17Cj
		mov	edx, ebx
		call	?SmStIsRegionBusy@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@K@Z ; SMKM_STORE<SM_TRAITS>::SmStIsRegionBusy(SMKM_STORE<SM_TRAITS> *,ulong)
		test	eax, eax
		jz	short loc_548E37
		jmp	loc_5DC211
; 

loc_548E92:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+10Bj
		mov	esi, [ebp+var_4]
		xor	edi, edi

loc_548E97:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+4Cj
		xor	ebx, ebx
		inc	ebx

loc_548E9A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+9353Ej
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_548EB6
		mov	ax, [ecx+8]
		and	ax, bx
		jnz	loc_5DC234
		test	edx, edx
		jnz	loc_5DC234

loc_548EB6:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+209j
					; ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+935A9j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	4
; 

loc_548EBF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+D6j
		push	20h
		pop	esi
		sub	esi, ebx
		cmp	esi, 0FFFFFFFFh
		jnb	loc_548D91
		mov	ecx, [ebp+var_C]
		add	edx, 4

loc_548ED3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+93502j
		cmp	edx, ecx
		jb	loc_5DC180
		jmp	loc_548D72
ST_STORE_SM_TRAITS___StDmLazyRegionsWorker endp

; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmLazyRegionsWorker

loc_548EE0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+9358Fj
					; ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+93599j
		cmp	eax, 3
		jnz	loc_548E37
		jmp	loc_5DC206
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmLazyRegionsWorker

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+170p
					; ST_STORE_SM_TRAITS___StReleaseRegion+FA091p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DC253 SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_0], 0
		mov	eax, ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], eax
		mov	edx, [eax+1E0h]
		jz	short loc_548F4A
		mov	eax, esi
		and	esi, 1Fh
		shr	eax, 5
		mov	ecx, esi
		lea	ebx, [edx+eax*4]
		mov	eax, [ebx]
		sar	eax, cl
		test	al, 1
		jz	short loc_548F44
		push	edi
		xor	edi, edi
		lea	eax, [esi+1]
		inc	edi
		cmp	eax, 20h
		ja	loc_5DC253
		shl	edi, cl
		not	edi
		lock and [ebx],	edi

loc_548F35:				; CODE XREF: ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup+933A0j
					; ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup+933B0j
		mov	ecx, [ebp+var_4]
		lea	edx, [ecx+1E8h]
		call	?StDmLazyWorkItemQueue@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StDmLazyWorkItemQueue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)
		pop	edi

loc_548F44:				; CODE XREF: ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup+2Ej
					; ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup+6Ej
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_548F4A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup+19j
		mov	ecx, esi
		and	esi, 7
		shr	ecx, 3
		movsx	eax, byte ptr [ecx+edx]
		bts	eax, esi
		mov	[ecx+edx], al
		jmp	short loc_548F44
ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE<struct SM_TRAITS>::SmStDirectReadCallout(void *)
?SmStDirectReadCallout@?$SMKM_STORE@USM_TRAITS@@@@SGXPAX@Z proc	near
					; DATA XREF: SMKM_STORE_SM_TRAITS___SmStDirectRead+94o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	dword ptr [esi+8]
		mov	edx, [esi+4]
		mov	ecx, [esi]
		and	dword ptr [esi+0Ch], 0
		call	SMKM_STORE_SM_TRAITS___SmStDirectReadIssue
		mov	edx, [esi+8]
		mov	edi, eax
		mov	ecx, [esi]
		call	?StReleaseReadContext@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@PAX@Z ; ST_STORE<SM_TRAITS>::StReleaseReadContext(ST_STORE<SM_TRAITS> *,void *)
		cmp	edi, 0C0000112h
		jz	short loc_548F9F
		mov	edx, [esi+4]
		mov	ecx, [esi]
		push	edi
		call	SMKM_STORE_SM_TRAITS___SmStDirectReadComplete
		mov	dword ptr [esi+0Ch], 1

loc_548F9F:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStDirectReadCallout(void *)+2Dj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
?SmStDirectReadCallout@?$SMKM_STORE@USM_TRAITS@@@@SGXPAX@Z endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStDirectReadComplete proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+124p
					; SMKM_STORE<SM_TRAITS>::SmStDirectReadCallout(void *)+35p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0Ch
		push	offset dword_6A4718
		call	__SEH_prolog4
		mov	[ebp+var_1C], ecx
		and	[ebp+ms_exc.disabled], 0
		lea	eax, [ebp+arg_0]
		push	eax
		push	edx
		mov	edx, ecx
		call	SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree

loc_548FC5:				; CODE XREF: sub_5DC2B1+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
SMKM_STORE_SM_TRAITS___SmStDirectReadComplete endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStDirectReadIssue proc	near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+116p
					; SMKM_STORE<SM_TRAITS>::SmStDirectReadCallout(void *)+16p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	1Ch
		push	offset dword_6A4738
		call	__SEH_prolog4
		mov	esi, edx
		mov	ebx, ecx
		mov	[ebp+var_1C], ebx
		and	[ebp+var_20], 0
		lea	eax, [ebx+1260h]
		mov	[ebp+var_28], eax
		lock inc dword ptr [eax]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		lea	ecx, [ebx+10F8h]
		mov	[ebp+var_24], ecx
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		and	[ebp+ms_exc.disabled], 0
		mov	edi, [ebp+arg_0]
		mov	dword ptr [edi+1Ch], 2
		push	esi
		mov	edx, edi
		lea	ecx, [ebx+38h]
		call	ST_STORE_SM_TRAITS___StDmPageRetrieve
		mov	esi, eax
		mov	edx, [edi+1Ch]
		mov	[ebp+var_2C], edx
		mov	edx, ebx
		add	edx, 10B0h
		lea	ecx, [ebx+38h]
		call	?StDmLazyWorkItemQueue@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StDmLazyWorkItemQueue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)
		mov	[ebp+var_20], esi

loc_549053:				; CODE XREF: sub_5DC2C7+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_24]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_549072
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_549072:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStDirectReadIssue+8Bj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_28]
		lock dec dword ptr [eax]
		mov	eax, [ebp+var_20]
		cmp	eax, 8000000Eh
		jz	short loc_5490A7

loc_549095:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStDirectReadIssue+CEj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_5490A7:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStDirectReadIssue+B5j
		mov	eax, 0C000009Ah
		jmp	short loc_549095
SMKM_STORE_SM_TRAITS___SmStDirectReadIssue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static unsigned long __stdcall ST_STORE<struct SM_TRAITS>::StDmLazyWorkItemQueue(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, struct ST_STORE<struct SM_TRAITS>::_ST_WORK_ITEM *)
?StDmLazyWorkItemQueue@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z proc	near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup+50p
					; SMKM_STORE_SM_TRAITS___SmStDirectReadIssue+6Dp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	edi, [edx+8]
		mov	[esp+10h+var_4], ecx
		xor	esi, esi
		test	byte ptr [edi],	1
		jnz	short loc_5490F8
		xor	ebx, ebx
		inc	ebx
		mov	ax, [edi]

loc_5490CE:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmLazyWorkItemQueue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+2Bj
		mov	cx, ax
		or	cx, bx
		lock cmpxchg [edi], cx
		jnz	short loc_5490CE
		movzx	eax, ax
		test	al, bl
		mov	ebx, [esp+10h+var_4]
		jnz	short loc_5490F8
		mov	ecx, [ebx+1C0h]
		push	2
		call	SMKM_STORE_SM_TRAITS___SmStWorkItemQueue
		xor	eax, eax
		lea	esi, [eax+1]

loc_5490F8:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmLazyWorkItemQueue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+18j
					; ST_STORE<SM_TRAITS>::StDmLazyWorkItemQueue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+36j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
?StDmLazyWorkItemQueue@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmPageRetrieve proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStDirectReadIssue+55p
					; ST_STORE_SM_TRAITS___StWorkItemProcess+131F52p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DC2CF SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_28], ecx
		mov	ecx, [ebp+arg_0]
		lea	edi, [ebp+var_18]
		stosd
		mov	[ebp+var_2C], edx
		xor	edx, edx
		mov	[ebp+var_24], ecx
		lea	ebx, [ecx+4]
		mov	[ebp+var_20], edx
		stosd
		mov	esi, ebx
		stosd
		stosd
		lea	eax, [ebp+var_20]
		mov	[ebp+var_1C], eax
		lea	edi, [ebp+var_38]
		movzx	eax, byte ptr [ebx]
		mov	[ebx], dl
		movsd
		mov	[ebp+var_3C], eax
		movsd
		movsd
		mov	esi, [ebp+var_2C]
		cmp	[esi+14h], edx
		jz	short loc_549161
		push	dword ptr [ecx+8]
		call	_MmAreMdlPagesCached@4 ; MmAreMdlPagesCached(x)
		mov	ecx, [ebp+var_24]
		test	eax, eax
		jz	short loc_5491DA

loc_549161:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+4Ej
					; ST_STORE_SM_TRAITS___StDmPageRetrieve+DEj
		lea	edi, [ebp+var_18]
		mov	edx, esi
		mov	eax, edi
		push	eax
		push	ecx
		jmp	short loc_549196
; 

loc_54916C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+A4j
		cmp	esi, 103h
		jz	short loc_5491E5

loc_549174:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+E6j
		mov	ecx, [ebp+var_38]
		lea	eax, [ecx+1]
		xor	eax, ecx
		movzx	eax, al
		xor	ecx, eax
		movzx	eax, cl
		mov	[ebp+var_38], ecx
		cmp	eax, [ebp+var_3C]
		jnb	short loc_5491AD
		inc	[ebp+var_30]
		mov	edx, [ebp+var_2C]
		push	edi
		push	[ebp+var_24]

loc_549196:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+68j
		mov	ecx, [ebp+var_28]
		lea	eax, [ebp+var_38]
		push	eax
		call	ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve
		mov	esi, eax
		test	esi, esi
		jns	short loc_54916C
		mov	ecx, [ebp+var_38]
		jmp	short loc_5491AF
; 

loc_5491AD:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+88j
		xor	esi, esi

loc_5491AF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+A9j
		mov	eax, [ebx]
		xor	eax, ecx
		test	al, al
		jz	short loc_5491B9
		mov	[ebx], cl

loc_5491B9:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+B3j
		mov	edi, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		cmp	edi, eax
		jnz	loc_5DC2CF

loc_5491C7:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+9322Fj
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_5491DA:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+5Dj
		or	dword ptr [ebx], 8000000h
		jmp	loc_549161
; 

loc_5491E5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+70j
		add	edi, 10h
		jmp	short loc_549174
ST_STORE_SM_TRAITS___StDmPageRetrieve endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+9Bp
					; ST_STORE<SM_TRAITS>::StDmSinglePageRetrieveSync(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,void *,void *,ulong)+4Fp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DC336 SIZE 00000080 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		mov	[ebp+var_18], edx
		push	ebx
		push	esi
		mov	[ebp+var_8], eax
		mov	esi, eax
		mov	[ebp+var_10], eax
		mov	ebx, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		and	eax, 2
		push	edi
		mov	[ebp+var_1C], eax
		jnz	loc_5DC336
		lea	eax, [ebp+var_8]
		push	eax
		mov	eax, [ebp+arg_0]
		push	eax
		call	ST_STORE_SM_TRAITS___StDmpSinglePageLookup
		mov	edi, eax
		test	edi, edi
		js	loc_549356
		mov	edi, [ebp+var_8]

loc_549233:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+93152j
		mov	edx, [edi]
		mov	eax, [ebx+1C4h]
		mov	ecx, [ebx+1C8h]
		and	eax, edx
		shr	edx, cl
		test	dword ptr [ebx+1ACh], 40000h
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], edx
		jz	short loc_54926C
		push	0
		xor	edx, edx
		lea	ecx, [ebp+var_10]
		call	_SmSetThreadSystemPagePriority@12 ; SmSetThreadSystemPagePriority(x,x,x)
		mov	edx, [ebp+var_8]
		xor	esi, esi
		mov	[ebp+var_C], eax
		inc	esi

loc_54926C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+6Bj
		mov	eax, [ebp+arg_8]
		mov	ecx, [edi]
		mov	[eax], ecx
		mov	ecx, [edi+4]
		and	ecx, 0FFFh
		jbe	loc_54936D

loc_549282:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+188j
		mov	[eax+4], cx
		mov	ecx, 0FFh
		mov	eax, [ebp+arg_0]
		mov	ax, [eax]
		and	ax, cx
		mov	ecx, [ebp+arg_8]
		mov	[ecx+6], ax
		cmp	byte ptr [ebx+1ACh], 0
		jnz	loc_5DC341
		mov	eax, [edi+8]
		mov	[ecx+8], eax

loc_5492AE:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+93161j
					; ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+93174j
		mov	eax, [ebx+1ACh]
		test	eax, 40000h
		jz	loc_5DC363

loc_5492BF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+9319Ej
		push	8
		pop	ecx

loc_5492C2:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+93198j
		mov	edi, [ebp+var_14]
		shl	edi, 4
		cmp	ecx, 8
		jnz	loc_5DC3A5
		mov	ecx, [ebx+1C0h]
		push	1
		push	ecx
		push	edi
		test	byte ptr [ecx+10F5h], 4
		jz	short loc_54935F
		call	?SmStMapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)

loc_5492E9:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+17Aj
		mov	[ebp+var_4], eax
		cmp	eax, 3
		jbe	loc_5DC38D

loc_5492F5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+931C7j
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+arg_0]
		push	edx
		push	[ebp+arg_8]
		mov	[edx+18h], ecx
		push	dword ptr [ecx+4]
		mov	ecx, [ebp+var_1C]
		push	[ebp+arg_4]
		mov	edx, [edx+4]
		or	ecx, eax
		or	ecx, 1
		push	ecx
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StDmSinglePageTransfer
		mov	edi, eax
		test	edi, edi
		js	short loc_549323
		xor	edi, edi

loc_549323:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+135j
		cmp	[ebp+var_4], 0
		jz	short loc_549345
		mov	ecx, [ebx+1C0h]
		mov	edx, [ebp+var_8]
		push	0
		sub	esp, 0Ch
		test	byte ptr [ecx+10F5h], 4
		jz	short loc_549366
		call	?SmStUnmapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ; SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)

loc_549345:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+13Dj
					; ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+181j ...
		test	esi, esi
		jz	short loc_549356
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_10]
		push	1
		call	_SmSetThreadSystemPagePriority@12 ; SmSetThreadSystemPagePriority(x,x,x)

loc_549356:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+40j
					; ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+15Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_54935F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+F8j
		call	?SmStMapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapPhysicalRegion(SMKM_STORE<SM_TRAITS>	*,ulong,ulong,ulong,ulong)
		jmp	short loc_5492E9
; 

loc_549366:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+154j
		call	?SmStUnmapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ;	SMKM_STORE<SM_TRAITS>::SmStUnmapPhysicalRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)
		jmp	short loc_549345
; 

loc_54936D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+92j
		mov	ecx, 1000h
		jmp	loc_549282
ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmSetThreadSystemPagePriority(x, x,	x)
_SmSetThreadSystemPagePriority@12 proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+74p
					; ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+167p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ecx
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_54938E
		mov	ecx, large fs:124h
		mov	[eax], ecx

loc_54938E:				; CODE XREF: SmSetThreadSystemPagePriority(x,x,x)+Bj
		cmp	[ebp+arg_0], 0
		jnz	short loc_54939D
		call	_PsSetSystemPagePriorityThread@8 ; PsSetSystemPagePriorityThread(x,x)

loc_549399:				; CODE XREF: SmSetThreadSystemPagePriority(x,x,x)+2Cj
		pop	ebp
		retn	4
; 

loc_54939D:				; CODE XREF: SmSetThreadSystemPagePriority(x,x,x)+1Aj
		call	_PsRevertToUserPagePriorityThread@8 ; PsRevertToUserPagePriorityThread(x,x)
		xor	eax, eax
		jmp	short loc_549399
_SmSetThreadSystemPagePriority@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmSinglePageTransfer proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+12Cp
					; ST_STORE<SM_TRAITS>::StDmDeviceIoTransfer(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *,ST_STORE<SM_TRAITS>::_ST_DEVICE_IO	*)+86p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005DC3B6 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, edx
		push	edi
		mov	edi, esi
		mov	[ebp+var_4], ecx
		neg	edi
		sbb	edi, edi
		and	edi, esi
		neg	esi
		sbb	esi, esi
		and	esi, 4
		cmp	esi, 4
		jb	short loc_54941D
		mov	eax, [ebp+arg_8]
		test	byte ptr [eax+6], 5
		jz	loc_5DC3B6
		mov	ecx, [eax+0Ch]

loc_5493DC:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageTransfer+93024j
		test	dword ptr [edi+4], 8000000h
		jnz	short loc_549413

loc_5493E5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageTransfer+70j
					; ST_STORE_SM_TRAITS___StDmSinglePageTransfer+7Aj
		test	ecx, ecx
		jz	short loc_549422
		mov	edx, [ebp+arg_C]
		movzx	eax, word ptr [edx+6]
		shl	eax, 0Ch
		add	eax, ecx
		cmp	esi, 10h
		jnb	short loc_549418

loc_5493FA:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageTransfer+75j
		push	[ebp+arg_10]
		mov	ecx, [ebp+var_4]
		push	edx
		push	eax
		push	[ebp+arg_0]
		mov	edx, ebx
		call	ST_STORE_SM_TRAITS___StDmSinglePageCopy

loc_54940C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageTransfer+81j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_549413:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageTransfer+3Dj
		or	esi, 10h
		jmp	short loc_5493E5
; 

loc_549418:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageTransfer+52j
		or	eax, 1
		jmp	short loc_5493FA
; 

loc_54941D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageTransfer+24j
		mov	ecx, [ebp+arg_8]
		jmp	short loc_5493E5
; 

loc_549422:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageTransfer+41j
		mov	eax, 0C000009Ah
		jmp	short loc_54940C
ST_STORE_SM_TRAITS___StDmSinglePageTransfer endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmSinglePageCopy	proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageTransfer+61p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005DC3CF SIZE 000000F8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_24], eax
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	[ebp+var_48], edx
		stosd
		mov	edx, ecx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_1C], edx
		stosd
		stosd
		mov	eax, [edx+1D4h]
		xor	edi, edi
		add	ebx, eax
		mov	[ebp+var_44], eax
		mov	eax, [edx+234h]
		mov	esi, edi
		mov	[ebp+var_34], eax
		mov	[ebp+var_3C], edi
		mov	[ebp+var_18], ebx
		mov	ecx, [eax+4]
		mov	eax, [ebp+var_28]
		movzx	eax, word ptr [eax+4]
		dec	eax
		add	eax, ecx
		neg	ecx
		and	eax, ecx
		mov	ecx, [ebp+var_20]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_38], ecx
		test	cl, 1
		jnz	loc_5495EF

loc_5494A8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+1D4j
		mov	eax, ebx
		and	eax, 3
		mov	[ebp+var_40], eax
		mov	eax, [ebp+var_34]
		mov	[ebp+var_30], eax
		jz	short loc_5494DA
		and	[ebp+var_14], 0FFFFFFFCh
		and	ebx, 0FFFFFFFCh
		test	byte ptr [ebp+var_40], 2
		mov	[ebp+var_18], ebx
		jnz	loc_5DC3CF
		mov	ecx, eax
		mov	[ebp+var_30], eax
		cmp	[ecx+0Ch], edi
		jnz	loc_5DC3EC

loc_5494DA:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+8Cj
					; ST_STORE_SM_TRAITS___StDmSinglePageCopy+92FEAj
		cmp	[eax+0Ch], edi
		jnz	loc_5DC419

loc_5494E3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+9301Ej
		mov	eax, [ebp+var_1C]
		test	dword ptr [eax+1ACh], 40000h
		jz	short loc_549538
		mov	esi, [eax+1C0h]
		mov	eax, [ebp+var_24]
		add	esi, 10F8h
		add	eax, 1Ch
		jz	loc_5DC472
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_54951F
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_54951F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+ECj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_549532:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+9305Fj
		mov	eax, [ebp+var_1C]
		push	2
		pop	esi

loc_549538:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+C6j
		mov	ecx, [ebp+var_28]
		movzx	ecx, word ptr [ecx+4]
		cmp	ecx, 1000h
		jnb	loc_5495E0
		push	[ebp+var_48]
		movzx	eax, word ptr [eax+224h]
		lea	edx, [ebp+var_3C]
		push	edx
		push	ecx
		push	ebx
		mov	ebx, [ebp+var_38]
		push	1000h
		push	ebx
		push	eax
		call	_RtlDecompressBufferEx@28 ; RtlDecompressBufferEx(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_5DC48E
		mov	ecx, 1000h
		cmp	[ebp+var_3C], ecx
		jnz	loc_5DC48E
		mov	eax, [ebp+var_20]
		cmp	ebx, eax
		jnz	short loc_549603

loc_549587:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+1C3j
		mov	ebx, edi
		mov	[ebp+var_14], edi
		mov	edi, esi

loc_54958E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+92FBDj
					; ST_STORE_SM_TRAITS___StDmSinglePageCopy+93075j
		mov	esi, [ebp+var_18]

loc_549591:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+93043j
		test	edi, edi
		mov	edi, [ebp+var_1C]
		jz	short loc_549608
		mov	eax, large fs:124h
		mov	ecx, [edi+1C0h]
		dec	word ptr [eax+13Eh]
		nop
		add	ecx, 10F8h
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_24]
		mov	dword ptr [eax+1Ch], 2

loc_5495C3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+1E1j
		cmp	[ebp+var_14], 0
		jnz	loc_5DC4A4

loc_5495CD:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+93098j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_5495E0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+11Bj
		push	ecx		; size_t
		push	ebx		; void *
		push	[ebp+var_20]	; void *

loc_5495E5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+1DCj
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_549587
; 

loc_5495EF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+78j
		mov	eax, [ebp+var_24]
		and	ecx, 0FFFFFFFEh
		mov	[ebp+var_20], ecx
		mov	eax, [eax+14h]
		mov	[ebp+var_38], eax
		jmp	loc_5494A8
; 

loc_549603:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+15Bj
		push	ecx
		push	ebx
		push	eax
		jmp	short loc_5495E5
; 

loc_549608:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+16Cj
		mov	eax, [ebp+var_24]
		jmp	short loc_5495C3
ST_STORE_SM_TRAITS___StDmSinglePageCopy	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ST_STORE_SM_TRAITS___StDmpSinglePageLookup proc	near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+37p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DC4C7 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, edx
		push	edi
		mov	[ebp+var_4], eax
		mov	ebx, ecx
		cmp	byte ptr [esi],	0
		mov	edi, [eax+8]
		jz	short loc_54967A
		mov	esi, [ebx+1C0h]
		mov	eax, [eax+10h]
		cmp	eax, [esi+1100h]
		jnz	short loc_549677
		mov	edx, edi
		call	?BTreeFindNextEntry@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAU_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@PAU1@PAUSEARCH_RESULT@1@@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindNextEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)
		mov	edx, eax
		cmp	edx, 0FFFFFFFFh
		jz	loc_5DC4C7
		test	edx, edx
		jz	loc_5DC4D1
		mov	ecx, [ebp+arg_0]
		mov	eax, [edx]
		cmp	eax, [ecx+8]
		jnz	loc_5DC4D1

loc_549662:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageLookup+A8j
		mov	ecx, ebx
		call	?ST_PAGE_RECORD_GET@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_PAGE_RECORD@1@PAU_ST_DATA_MGR@1@PAU_ST_PAGE_ENTRY@1@@Z ; ST_STORE<SM_TRAITS>::ST_PAGE_RECORD_GET(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY *)
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		xor	eax, eax

loc_549670:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageLookup+87j
					; ST_STORE_SM_TRAITS___StDmpSinglePageLookup+92EBEj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_549677:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageLookup+2Aj
		mov	esi, [ebp+arg_0]

loc_54967A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageLookup+19j
		mov	eax, [edi+14h]
		test	al, 1
		jz	short loc_5496C7

loc_549681:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageLookup+C3j
		or	eax, 1
		mov	edx, edi
		mov	[edi+14h], eax
		mov	ecx, ebx
		push	dword ptr [esi+8]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		test	eax, eax
		js	short loc_549670
		mov	eax, [ebx+1C0h]
		mov	ecx, [ebp+var_4]
		mov	eax, [eax+1100h]
		mov	[ecx+10h], eax
		mov	ecx, [edi+0Ch]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_5496B8

loc_5496B1:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageLookup+ACj
		lea	edx, [edi+8]

loc_5496B4:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageLookup+B7j
		mov	edx, [edx]
		jmp	short loc_549662
; 

loc_5496B8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageLookup+A1j
		test	ecx, ecx
		jz	short loc_5496B1
		lea	edx, ds:0FFFFFFFCh[ecx*8]
		add	edx, [edi]
		jmp	short loc_5496B4
; 

loc_5496C7:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageLookup+71j
		mov	edx, edi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref
		mov	eax, [edi+14h]
		jmp	short loc_549681
ST_STORE_SM_TRAITS___StDmpSinglePageLookup endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static struct	ST_STORE<struct	SM_TRAITS>::_ST_PAGE_RECORD * __stdcall	ST_STORE<struct	SM_TRAITS>::ST_PAGE_RECORD_GET(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY *)
?ST_PAGE_RECORD_GET@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_PAGE_RECORD@1@PAU_ST_DATA_MGR@1@PAU_ST_PAGE_ENTRY@1@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageLookup+56p
					; ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+B3p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		and	[ebp+var_C], 0
		push	esi
		mov	esi, [edx+4]
		mov	edx, esi
		push	edi
		mov	edi, ecx
		mov	ebx, [edi+0F4h]
		mov	ecx, ebx
		shr	edx, cl
		mov	ecx, [edi+0F8h]
		bsr	eax, edx
		mov	[ebp+var_4], ecx
		mov	ecx, [edi+0FCh]
		btc	edx, eax
		mov	[ebp+var_8], ecx
		mov	ecx, [edi+104h]
		mov	eax, [edi+eax*4+6Ch]
		mov	[ebp+var_C], ecx

loc_549719:				; CODE XREF: ST_STORE<SM_TRAITS>::ST_PAGE_RECORD_GET(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY *)+7Aj
		mov	ecx, [ebp+var_4]
		imul	edx, 0Ch
		and	ecx, esi
		imul	ecx, [ebp+var_8]
		mov	eax, [edx+eax]
		add	eax, ecx
		add	eax, [ebp+var_C]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_549737
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_549737:				; CODE XREF: ST_STORE<SM_TRAITS>::ST_PAGE_RECORD_GET(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY *)+5Cj
		mov	esi, [eax+4]
		mov	ecx, ebx
		and	[ebp+var_10], 0
		mov	edx, esi
		shr	edx, cl
		bsr	eax, edx
		btc	edx, eax
		mov	eax, [edi+eax*4+6Ch]
		jmp	short loc_549719
?ST_PAGE_RECORD_GET@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_PAGE_RECORD@1@PAU_ST_DATA_MGR@1@PAU_ST_PAGE_ENTRY@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static struct	ST_STORE<struct	SM_TRAITS>::_ST_PAGE_ENTRY * __stdcall B_TREE<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::BTreeFindNextEntry(struct B_TREE<union	_SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>> *, struct B_TREE<union _SM_PAGE_KEY, struct	ST_STORE<struct	SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union	_SM_PAGE_KEY>>::SEARCH_RESULT *)
?BTreeFindNextEntry@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAU_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@PAU1@PAUSEARCH_RESULT@1@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageLookup+2Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, [edx+0Ch]
		mov	[ebp+var_C], ecx
		test	esi, esi
		jz	short loc_5497BB
		push	ebx
		push	edi
		mov	edi, [edx]
		mov	eax, [edi+esi*8-8]
		add	dword ptr [edi+esi*8-4], 8
		mov	ecx, [edi+esi*8-4]
		mov	[ebp+var_4], eax
		mov	ebx, [eax]
		and	ebx, 0FFFFh
		lea	eax, [eax+ebx*8]
		mov	[ebp+var_8], eax
		add	eax, 8
		cmp	ecx, eax
		jnb	short loc_549793

loc_54978C:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindNextEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)+60j
					; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindNextEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>	*,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)+69j ...
		pop	edi
		pop	ebx

loc_54978E:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindNextEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)+6Dj
		mov	eax, ecx
		pop	esi
		leave
		retn
; 

loc_549793:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindNextEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)+3Aj
		test	ebx, ebx
		jz	short loc_5497BF
		mov	eax, [ebp+var_8]

loc_54979A:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindNextEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)+75j
		push	ecx
		mov	ecx, [ebp+var_C]
		mov	[edi+esi*8-4], eax
		call	?BTreeFindLeafSiblingEx@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSiblingEx(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		test	eax, eax
		jz	short loc_5497C7
		or	ecx, 0FFFFFFFFh
		cmp	eax, ecx
		jz	short loc_54978C
		lea	ecx, [eax+8]
		mov	[edi+esi*8-4], ecx
		jmp	short loc_54978C
; 

loc_5497BB:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindNextEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)+11j
		xor	ecx, ecx
		jmp	short loc_54978E
; 

loc_5497BF:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindNextEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)+45j
		mov	eax, [ebp+var_4]
		add	eax, 8
		jmp	short loc_54979A
; 

loc_5497C7:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindNextEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)+59j
		xor	ecx, ecx
		jmp	short loc_54978C
?BTreeFindNextEntry@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAU_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@PAU1@PAUSEARCH_RESULT@1@@Z endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static struct	B_TREE_HEADER<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY>::NODE * __stdcall B_TREE<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::BTreeFindLeafSiblingEx(struct B_TREE<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>	*, struct B_TREE<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY,	4096, struct NP_CONTEXT, struct	B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::SEARCH_RESULT *, unsigned long)
?BTreeFindLeafSiblingEx@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAUSEARCH_RESULT@1@K@Z proc near
					; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindNextEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)+52p
					; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSibling(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY>::NODE *,ulong)+8Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	ebx, edx
		lea	eax, [ebp+var_10]
		push	edi
		xor	edx, edx
		mov	esi, ecx
		xor	edi, edi
		inc	edx
		push	eax
		mov	ecx, ebx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		call	?BTreeFindSeperatorIndexEntry@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGKPAUSEARCH_RESULT@1@KPAUPATH_ENTRY@1@@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindSeperatorIndexEntry(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::PATH_ENTRY *)
		test	eax, eax
		jz	short loc_54986B
		push	edi
		lea	ecx, [ebp+var_10]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDescendToSibling
		mov	edx, [ebx+14h]
		lea	ecx, [esi+8]
		and	edx, 1
		mov	[ebp+var_8], eax
		add	edx, edx
		mov	edi, esi
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_549874
		mov	edx, [ebp+var_8]
		mov	edi, [edx]

loc_549820:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSiblingEx(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+B5j
		test	edi, edi
		jz	short loc_549888
		mov	eax, [ebx]
		mov	ecx, [ebx+0Ch]
		mov	edx, [eax+ecx*8-0Ch]
		mov	ecx, [eax+ecx*8-10h]
		lea	eax, [ecx+8]
		cmp	edx, eax
		jbe	short loc_549883
		add	edx, 0FFFFFFFCh

loc_54983B:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSiblingEx(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+BAj
		lea	eax, [esi+8]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	eax, [esi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_549852
		mov	ecx, esi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)

loc_549852:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSiblingEx(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+7Dj
		push	ebx
		lea	ecx, [ebp+var_10]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDescendToSibling
		mov	esi, [ebx+0Ch]
		lea	ecx, [edi+8]
		mov	edx, [ebx]
		mov	[edx+esi*8-8], edi
		mov	[edx+esi*8-4], ecx

loc_54986B:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSiblingEx(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+27j
					; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSiblingEx(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+BFj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_549874:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSiblingEx(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+4Dj
		push	edx
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		mov	edi, eax
		jmp	short loc_549820
; 

loc_549883:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSiblingEx(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+6Aj
		lea	edx, [ecx+4]
		jmp	short loc_54983B
; 

loc_549888:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSiblingEx(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+56j
		or	edi, 0FFFFFFFFh
		jmp	short loc_54986B
?BTreeFindLeafSiblingEx@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAUSEARCH_RESULT@1@K@Z endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDescendToSibling proc near
					; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSiblingEx(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+2Dp
					; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSiblingEx(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)+8Ap

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DC4DB SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ecx]
		push	esi
		mov	esi, [ecx+4]
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_5498D3
		movzx	eax, byte ptr [edx+2]
		mov	ecx, [edi+0Ch]
		sub	ecx, eax
		mov	eax, [edi]
		lea	eax, [eax+ecx*8]

loc_5498AF:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDescendToSibling+47j
		lea	ecx, [esi+4]
		add	esi, 8

loc_5498B5:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDescendToSibling+92C55j
		test	eax, eax
		jz	short loc_5498C1
		mov	[eax], edx
		mov	[eax+4], esi
		add	eax, 8

loc_5498C1:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDescendToSibling+29j
		cmp	byte ptr [edx+2], 2
		jnz	loc_5DC4DB
		pop	edi
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	4
; 

loc_5498D3:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDescendToSibling+11j
		xor	eax, eax
		jmp	short loc_5498AF
B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDescendToSibling endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPaeAllocatePage proc near		; CODE XREF: MiPaeAllocate+AAp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DC4E8 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	80000000h
		push	4
		xor	ebx, ebx
		lea	edi, [ebp+var_10]
		push	ebx
		push	ebx
		push	ebx
		stosd
		push	0FFFFFFFFh
		push	ebx
		push	ebx
		stosd
		push	1000h
		stosd
		call	MmAllocateContiguousNodeMemory
		mov	edi, eax
		test	edi, edi
		jz	loc_5499C7
		mov	ecx, edi
		call	_MiVaToPfn@4	; MiVaToPfn(x)
		mov	[edi+8], eax
		lea	edx, [ebp+var_10]
		mov	[edi+0Ch], ebx
		mov	ecx, offset dword_6D0654
		mov	esi, dword_6D0620
		mov	eax, esi
		shl	eax, 5
		mov	[ebp+var_4], eax
		add	edi, eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	ecx, ecx
		xor	edx, edx
		inc	ecx
		mov	ebx, ecx
		lea	eax, [ecx+7Fh]
		div	esi
		mov	edx, eax
		cmp	edx, ecx
		jbe	short loc_549971
		mov	eax, [ebp+var_4]
		mov	esi, offset dword_6D0630

loc_549953:				; CODE XREF: MiPaeAllocatePage+97j
		mov	ecx, dword_6D0634
		cmp	[ecx], esi
		jnz	short loc_5499CB
		mov	[edi], esi
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	dword_6D0634, edi
		add	edi, eax
		inc	ebx
		cmp	ebx, edx
		jb	short loc_549953

loc_549971:				; CODE XREF: MiPaeAllocatePage+71j
		mov	eax, dword_6D062C
		dec	eax
		add	eax, edx
		test	ds:byte_70EFC6,	1
		mov	dword_6D062C, eax
		jnz	loc_5DC4E8
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_5DC500
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	loc_5DC4F8

loc_5499AD:				; CODE XREF: MiPaeAllocatePage+92C1Bj
		xor	esi, esi
		inc	esi

loc_5499B0:				; CODE XREF: MiPaeAllocatePage+92C38j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lock inc dword_6D0650
		mov	eax, esi

loc_5499C2:				; CODE XREF: MiPaeAllocatePage+F1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5499C7:				; CODE XREF: MiPaeAllocatePage+31j
		xor	eax, eax
		jmp	short loc_5499C2
; 

loc_5499CB:				; CODE XREF: MiPaeAllocatePage+83j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
MiPaeAllocatePage endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiVaToPfn(x)
_MiVaToPfn@4	proc near		; CODE XREF: MiGetPhysicalAddress+FAp
					; MiDuplicateCloneLeaf(x,x,x,x,x)+1F6p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	edx, [ebp+var_8]
		push	edi
		mov	esi, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_MiFillPteHierarchy@8 ;	MiFillPteHierarchy(x,x)
		push	2
		pop	edx

loc_5499F0:				; CODE XREF: MiVaToPfn(x)+38j
		mov	eax, [ebp+edx*4+var_C]
		sub	edx, 1
		mov	ecx, [eax]
		nop
		mov	edi, [eax+4]
		jz	short loc_549A0A
		mov	eax, ecx
		and	eax, 80h
		or	eax, ebx
		jz	short loc_5499F0

loc_549A0A:				; CODE XREF: MiVaToPfn(x)+2Dj
		nop
		shrd	ecx, edi, 0Ch
		and	ecx, 1FFFFFFh
		test	edx, edx
		jnz	short loc_549A20

loc_549A19:				; CODE XREF: MiVaToPfn(x)+6Bj
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn
; 

loc_549A20:				; CODE XREF: MiVaToPfn(x)+47j
		xor	edi, edi
		inc	edi
		shr	esi, 0Ch

loc_549A26:				; CODE XREF: MiVaToPfn(x)+6Dj
		mov	eax, esi
		shr	esi, 9
		and	eax, 1FFh
		imul	eax, edi
		shl	edi, 9
		add	ecx, eax
		sub	edx, 1
		jz	short loc_549A19
		jmp	short loc_549A26
_MiVaToPfn@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopLoadDriverImage proc	near		; CODE XREF: NtLoadDriver(x)+8p

var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 005DC515 SIZE 00000029 BYTES

		push	48h
		push	offset dword_6A4758
		call	__SEH_prolog4
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_1C], ebx
		push	2Ch		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_58]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	loc_5DC51C
		mov	edi, large fs:124h
		mov	al, [edi+15Ah]
		mov	byte ptr [ebp+var_20], al
		test	al, al
		jz	loc_549B89
		push	[ebp+var_20]
		push	ds:dword_A94E04
		push	ds:_SeLoadDriverPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_5DC526
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_549BA1
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_5DC530

loc_549AC1:				; CODE XREF: IopLoadDriverImage+92AF2j
		nop
		mov	eax, [esi]
		mov	[ebp+var_2C], eax
		mov	ecx, [esi+4]
		mov	[ebp+var_28], ecx
		movzx	eax, ax
		test	ax, ax
		jz	loc_5DC515
		test	cl, 1
		jnz	loc_549BA5
		lea	edx, [ecx+eax]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	loc_5DC537
		cmp	edx, ecx
		jb	loc_5DC537

loc_549AFA:				; CODE XREF: IopLoadDriverImage+92AF9j
		movzx	edx, word ptr [ebp+var_2C]
		call	sub_549BAA
		mov	esi, eax
		mov	[ebp+var_1C], esi
		movzx	ecx, word ptr [ebp+var_2C]
		push	ecx		; size_t
		push	[ebp+var_28]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_28], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_549B23:				; CODE XREF: IopLoadDriverImage+157j
		push	ebx
		push	ebx
		lea	eax, [ebp+var_48]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[ebp+var_38], ebx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_34], eax
		mov	eax, [edi+80h]
		cmp	eax, ds:_PsInitialSystemProcess
		lea	eax, [ebp+var_58]
		jz	short loc_549B99
		mov	[ebp+var_50], offset _IopLoadUnloadDriver@4 ; IopLoadUnloadDriver(x)
		mov	[ebp+var_4C], eax
		mov	[ebp+var_58], ebx
		push	1
		push	eax
		call	ExQueueWorkItem
		push	ebx
		push	ebx
		push	ebx
		push	6
		lea	eax, [ebp+var_48]
		push	eax
		call	KeWaitForSingleObject

loc_549B6B:				; CODE XREF: IopLoadDriverImage+15Fj
		test	esi, esi
		jz	short loc_549B76
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_549B76:				; CODE XREF: IopLoadDriverImage+12Dj
		mov	eax, [ebp+var_30]

loc_549B79:				; CODE XREF: IopLoadDriverImage+163j
					; IopLoadDriverImage+92AE1j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_549B89:				; CODE XREF: IopLoadDriverImage+42j
		mov	eax, [esi]
		mov	[ebp+var_2C], eax
		mov	eax, [esi+4]
		mov	[ebp+var_28], eax
		mov	esi, [ebp+var_1C]
		jmp	short loc_549B23
; 

loc_549B99:				; CODE XREF: IopLoadDriverImage+106j
		push	eax
		call	_IopLoadUnloadDriver@4 ; IopLoadUnloadDriver(x)
		jmp	short loc_549B6B
; 

loc_549BA1:				; CODE XREF: IopLoadDriverImage+6Bj
		xor	eax, eax
		jmp	short loc_549B79
; 

loc_549BA5:				; CODE XREF: IopLoadDriverImage+9Cj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
IopLoadDriverImage endp


;  S U B	R O U T	I N E 


sub_549BAA	proc near		; CODE XREF: IopLoadDriverImage+BEp
					; IopUnloadDriver+2BCp

; FUNCTION CHUNK AT 005DC56E SIZE 00000073 BYTES

		cmp	_ViVerifierEnabled, 0
		jnz	loc_5DC56E

loc_549BB7:				; CODE XREF: sub_549BAA+929D7j
		push	20206F49h
		push	edx
		push	1
		call	ExAllocatePoolWithQuotaTag

locret_549BC4:				; CODE XREF: sub_549BAA+929FAj
		retn
sub_549BAA	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockDriverMappings proc near	; CODE XREF: MiReleaseDriverPtes+DEp
					; MiReleaseDriverPtes+11Bp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DC5E1 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	[ebp+var_18], ecx
		mov	edx, offset dword_6CF57C
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_8], ecx
		mov	eax, ecx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_549D19

loc_549BEC:				; CODE XREF: MiUnlockDriverMappings+162j
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	edx, 7FFFFFFCh
		jz	loc_549CF9
		mov	eax, edx
		push	esi
		mov	esi, large fs:124h
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_14], esi
		cmp	edx, offset dword_6CF57C
		ja	short loc_549C3E
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_549D04
		cmp	edx, offset dword_6CF57C
		ja	short loc_549C3E
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_549D04

loc_549C3E:				; CODE XREF: MiUnlockDriverMappings+54j
					; MiUnlockDriverMappings+69j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	edx, offset dword_6CF57C
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	loc_549D71
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_549D84

loc_549C82:				; CODE XREF: MiUnlockDriverMappings+1C6j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	loc_5DC5CA
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_549CCE:				; CODE XREF: MiUnlockDriverMappings+1B3j
					; sub_549BAA+92A32j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_14], eax
		jnz	short loc_549D2D

loc_549CE1:				; CODE XREF: MiUnlockDriverMappings+1A0j
					; MiUnlockDriverMappings+92A39j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_549CF8
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_549D91

loc_549CF8:				; CODE XREF: MiUnlockDriverMappings+124j
					; MiUnlockDriverMappings+1D0j
		pop	esi

loc_549CF9:				; CODE XREF: MiUnlockDriverMappings+32j
		mov	ecx, [ebp+var_18]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		leave
		retn
; 

loc_549D04:				; CODE XREF: MiUnlockDriverMappings+5Dj
					; MiUnlockDriverMappings+72j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_8], eax
		jmp	loc_549C3E
; 

loc_549D19:				; CODE XREF: MiUnlockDriverMappings+20j
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh
		mov	edx, offset dword_6CF57C
		jmp	loc_549BEC
; 

loc_549D2D:				; CODE XREF: MiUnlockDriverMappings+119j
		test	edi, 8000h
		jz	short loc_549D3E
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_549D3E:				; CODE XREF: MiUnlockDriverMappings+16Dj
		test	byte ptr [ebp+var_C+2],	1
		jnz	loc_5DC5E1

loc_549D48:				; CODE XREF: MiUnlockDriverMappings+92A25j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_549D5C
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_549D5C:				; CODE XREF: MiUnlockDriverMappings+189j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_549CE1
		jmp	loc_5DC5F0
; 

loc_549D71:				; CODE XREF: MiUnlockDriverMappings+A4j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_549CCE
		jmp	loc_5DC5B5
; 

loc_549D84:				; CODE XREF: MiUnlockDriverMappings+B6j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_10]
		jmp	loc_549C82
; 

loc_549D91:				; CODE XREF: MiUnlockDriverMappings+12Cj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_549CF8
MiUnlockDriverMappings endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiLockDriverMappings(x)
_MiLockDriverMappings@4	proc near	; CODE XREF: MiReleaseDriverPtes+2Ap
					; MiReserveDriverPtes+1Cp
		dec	word ptr [ecx+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6CF57C
		jmp	ExAcquirePushLockExclusiveEx
_MiLockDriverMappings@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgUnLoadImageSymbolsUnicode(x, x, x)
_DbgUnLoadImageSymbolsUnicode@12 proc near ; CODE XREF:	MiUnloadSystemImage+25Cp
					; MiSegmentDelete+15391Ap ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		push	edi
		mov	esi, edx
		xor	edi, edi
		mov	edx, ecx
		mov	[ebp+var_10], edi
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_C], edi
		call	DbgUnicodeStringToAnsiString
		test	eax, eax
		jz	short loc_549E0D
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+arg_0], eax
		mov	eax, 4
		mov	ecx, [ebp+arg_0]

loc_549DF5:				; DATA XREF: .text:00429DA1o
		mov	edx, [ebp+var_8]
		int	2Dh		; Internal routine for MSDOS (IRET)
		int	3		; Trap to Debugger
		push	edi
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		inc	eax

loc_549E07:				; CODE XREF: DbgUnLoadImageSymbolsUnicode(x,x,x)+5Fj
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_549E0D:				; CODE XREF: DbgUnLoadImageSymbolsUnicode(x,x,x)+20j
		xor	eax, eax
		jmp	short loc_549E07
_DbgUnLoadImageSymbolsUnicode@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInterlockedRemoveHeadList proc near	; CODE XREF: IoShutdownSystem(x)+ABp
					; IoShutdownSystem(x)+180p ...

; FUNCTION CHUNK AT 005DC604 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	esi, ecx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	edi, [esi]
		mov	bl, al
		cmp	edi, esi
		jnz	short loc_549E73
		xor	edi, edi

loc_549E2E:				; CODE XREF: IopInterlockedRemoveHeadList+74j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jnz	loc_5DC604
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5DC61A
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5DC613

loc_549E64:				; CODE XREF: IopInterlockedRemoveHeadList+927FCj
					; IopInterlockedRemoveHeadList+92817j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_549E73:				; CODE XREF: IopInterlockedRemoveHeadList+18j
		mov	edx, [edi]
		mov	ecx, [edi+4]
		cmp	[edx+4], edi
		jnz	short loc_549E88
		cmp	[ecx], edi
		jnz	short loc_549E88
		mov	[ecx], edx
		mov	[edx+4], ecx
		jmp	short loc_549E2E
; 

loc_549E88:				; CODE XREF: IopInterlockedRemoveHeadList+69j
					; IopInterlockedRemoveHeadList+6Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
IopInterlockedRemoveHeadList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiProcessLoaderEntry(x, x)
_MiProcessLoaderEntry@8	proc near	; CODE XREF: MiUnloadSystemImage+387p
					; MiConstructLoaderEntry+338p

var_5		= dword	ptr -5
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		mov	esi, edx
		mov	byte ptr [ebp+var_1], 0
		dec	word ptr [ebx+13Ch]
		mov	edi, ecx
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceExclusiveLite
		lea	ecx, [ebp+var_1]
		call	_MmLockLoadedModuleListExclusive@4 ; MmLockLoadedModuleListExclusive(x)
		cmp	esi, 1
		jnz	loc_549F76
		mov	eax, dword_6C6E3C
		mov	ecx, offset _PsLoadedModuleList
		cmp	[eax], ecx
		jnz	loc_549F9C
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	ecx, dword_6CF5A0
		mov	dword_6C6E3C, edi
		mov	edx, [edi+18h]
		mov	byte ptr [ebp+var_5], 0
		test	ecx, ecx
		jz	short loc_549F22

loc_549EFD:				; CODE XREF: MiProcessLoaderEntry(x,x)+85j
		mov	eax, [ecx-64h]
		mov	esi, [ecx-6Ch]
		dec	eax
		add	eax, esi
		cmp	edx, eax
		jbe	short loc_549F15
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_549F70

loc_549F11:				; CODE XREF: MiProcessLoaderEntry(x,x)+8Fj
		mov	ecx, eax
		jmp	short loc_549EFD
; 

loc_549F15:				; CODE XREF: MiProcessLoaderEntry(x,x)+7Aj
		cmp	edx, esi
		jnb	short loc_549F60
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_549F11
		mov	byte ptr [ebp+var_5], al

loc_549F22:				; CODE XREF: MiProcessLoaderEntry(x,x)+6Dj
					; MiProcessLoaderEntry(x,x)+E6j
		lea	eax, [edi+84h]
		push	eax
		push	[ebp+var_5]
		push	ecx
		push	offset dword_6CF5A0
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)

loc_549F37:				; CODE XREF: MiProcessLoaderEntry(x,x)+10Cj
		push	offset _PsLoadedModuleSpinLock
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_549F60:				; CODE XREF: MiProcessLoaderEntry(x,x)+89j
		push	0
		push	ecx
		push	edx
		push	2101h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_549F70:				; CODE XREF: MiProcessLoaderEntry(x,x)+81j
		mov	byte ptr [ebp+var_5], 1
		jmp	short loc_549F22
; 

loc_549F76:				; CODE XREF: MiProcessLoaderEntry(x,x)+39j
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	short loc_549F9C
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_549F9C
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	eax, [edi+84h]
		push	eax
		push	offset dword_6CF5A0
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		jmp	short loc_549F37
; 

loc_549F9C:				; CODE XREF: MiProcessLoaderEntry(x,x)+4Bj
					; MiProcessLoaderEntry(x,x)+EDj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_MiProcessLoaderEntry@8	endp


;  S U B	R O U T	I N E 


; __stdcall MmLockLoadedModuleListExclusive(x)
_MmLockLoadedModuleListExclusive@4 proc	near ; CODE XREF: MiProcessLoaderEntry(x,x)+31p
					; MiSessionRemoveImage+65p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[esi], al
		pop	esi
		cmp	al, 1Bh
		jnb	short loc_549FBC
		mov	cl, 1Bh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_549FBC:				; CODE XREF: MmLockLoadedModuleListExclusive(x)+10j
		push	offset _PsLoadedModuleSpinLock
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		retn
_MmLockLoadedModuleListExclusive@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgLoadImageSymbolsUnicode(x, x, x)
_DbgLoadImageSymbolsUnicode@12 proc near ; CODE	XREF: MiDriverLoadSucceeded+13Fp
					; MiHandleBootImage+29EFEp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		mov	edx, ecx
		lea	ecx, [ebp+var_8]
		call	DbgUnicodeStringToAnsiString
		test	eax, eax
		jz	short loc_54A006
		push	0FFFFFFFFh
		push	esi
		lea	eax, [ebp+var_8]
		push	eax
		call	DbgLoadImageSymbols
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		inc	eax

loc_54A001:				; CODE XREF: DbgLoadImageSymbolsUnicode(x,x,x)+40j
		pop	esi
		leave
		retn	4
; 

loc_54A006:				; CODE XREF: DbgLoadImageSymbolsUnicode(x,x,x)+1Ej
		xor	eax, eax
		jmp	short loc_54A001
_DbgLoadImageSymbolsUnicode@12 endp

; 
		align 10h
; Exported entry 266. DbgLoadImageSymbols

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public DbgLoadImageSymbols
DbgLoadImageSymbols proc near		; CODE XREF: DbgLoadImageSymbolsUnicode(x,x,x)+27p
					; KdRegisterDebuggerDataBlock+6A2p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DC62E SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_8]
		push	ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	loc_5DC62E
		mov	ecx, [eax+58h]
		mov	[ebp+var_C], ecx
		mov	eax, [eax+50h]
		mov	[ebp+var_8], eax

loc_54A03E:				; CODE XREF: DbgLoadImageSymbols+92626j
		lea	eax, [ebp+var_14]
		mov	[ebp+arg_4], eax
		mov	eax, 3
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		int	2Dh		; Internal routine for MSDOS (IRET)
		int	3		; Trap to Debugger
		leave
		retn	0Ch
DbgLoadImageSymbols endp


;  S U B	R O U T	I N E 


DbgUnicodeStringToAnsiString proc near	; CODE XREF: DbgUnLoadImageSymbolsUnicode(x,x,x)+19p
					; DbgLoadImageSymbolsUnicode(x,x,x)+17p ...

; FUNCTION CHUNK AT 005DC63B SIZE 0000000F BYTES

		mov	edi, edi
		push	ebx
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		push	ebx
		call	_RtlxUnicodeStringToAnsiSize@4 ; RtlxUnicodeStringToAnsiSize(x)
		cmp	eax, 0FFFFh
		ja	short loc_54A0A8
		push	esi
		movzx	esi, ax
		push	644C6D4Dh
		push	eax
		push	200h
		lea	edx, [esi-1]
		mov	[edi+2], si
		mov	[edi], dx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+4], eax
		pop	esi
		test	eax, eax
		jz	short loc_54A0A8
		push	0
		push	ebx
		push	edi
		call	RtlUnicodeStringToAnsiString
		test	eax, eax
		js	loc_5DC63B
		xor	eax, eax
		inc	eax

loc_54A0A5:				; CODE XREF: DbgUnicodeStringToAnsiString+54j
		pop	edi
		pop	ebx
		retn
; 

loc_54A0A8:				; CODE XREF: DbgUnicodeStringToAnsiString+13j
					; DbgUnicodeStringToAnsiString+39j ...
		xor	eax, eax
		jmp	short loc_54A0A5
DbgUnicodeStringToAnsiString endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ApiSetResolveToHost proc near		; CODE XREF: MiResolveImageReferences+FFp
					; ExIsMultiSessionSku+839CFp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DC64A SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[esi], ebx
		mov	[esi+4], ebx
		movzx	eax, word ptr [edx]
		mov	[ebp+arg_8], eax
		cmp	eax, 8
		jb	short loc_54A0FA
		mov	edx, [edx+4]
		mov	ecx, [edx]
		mov	eax, [edx+4]
		and	ecx, 0FFDFFFDFh
		and	eax, 0FFFFFFDFh
		cmp	ecx, (offset loc_50003C+5)
		jnz	short loc_54A0EB
		cmp	eax, 2D0049h
		jz	short loc_54A108

loc_54A0EB:				; CODE XREF: ApiSetResolveToHost+36j
		cmp	ecx, offset nullsub_4
		jnz	short loc_54A0FA
		cmp	eax, 2D0054h
		jz	short loc_54A108

loc_54A0FA:				; CODE XREF: ApiSetResolveToHost+1Dj
					; ApiSetResolveToHost+45j ...
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	esi
		mov	[eax], bl
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_54A108:				; CODE XREF: ApiSetResolveToHost+3Dj
					; ApiSetResolveToHost+4Cj
		mov	eax, [ebp+arg_8]
		movzx	eax, ax
		lea	ecx, [edx+eax]
		jmp	short loc_54A11F
; 

loc_54A113:				; CODE XREF: ApiSetResolveToHost+76j
		lea	ecx, [ecx-2]
		sub	eax, 2
		cmp	word ptr [ecx],	2Dh
		jz	short loc_54A124

loc_54A11F:				; CODE XREF: ApiSetResolveToHost+65j
		cmp	eax, 1
		ja	short loc_54A113

loc_54A124:				; CODE XREF: ApiSetResolveToHost+71j
		shr	ax, 1
		movzx	eax, ax
		test	ax, ax
		jz	short loc_54A0FA
		push	eax
		mov	ecx, edi
		call	ApiSetpSearchForApiSet
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_54A0FA
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_54A14E
		cmp	dword ptr [ecx+14h], 1
		ja	loc_5DC64A

loc_54A14E:				; CODE XREF: ApiSetResolveToHost+96j
		cmp	[ecx+14h], ebx
		jbe	short loc_54A0FA
		mov	ecx, [ecx+10h]
		add	ecx, edi

loc_54A158:				; CODE XREF: ApiSetResolveToHost+925B3j
		mov	eax, [ecx+0Ch]
		mov	bl, 1
		add	eax, edi
		mov	[esi+4], eax
		mov	ax, [ecx+10h]
		mov	[esi+2], ax
		mov	ax, [ecx+10h]
		mov	[esi], ax
		jmp	short loc_54A0FA
ApiSetResolveToHost endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RtlWow64GetEquivalentMachineCHPE(x)
_RtlWow64GetEquivalentMachineCHPE@4 proc near
					; CODE XREF: LdrImageDirectoryEntryToLoadConfig+5Cp
		mov	eax, 3A64h
		cmp	cx, ax
		jz	short loc_54A182

loc_54A17E:				; CODE XREF: RtlWow64GetEquivalentMachineCHPE(x)+13j
		mov	ax, cx
		retn
; 

loc_54A182:				; CODE XREF: RtlWow64GetEquivalentMachineCHPE(x)+8j
		mov	ecx, 14Ch
		jmp	short loc_54A17E
_RtlWow64GetEquivalentMachineCHPE@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


HeadlessKernelAddLogEntry proc near	; CODE XREF: .text:005683DEp
					; IopLoadDriver+15Dp ...

; FUNCTION CHUNK AT 005DC664 SIZE 00000011 BYTES

		mov	edi, edi
		push	ecx
		mov	eax, _HeadlessGlobals
		test	eax, eax
		jnz	loc_5DC664

loc_54A19A:				; CODE XREF: HeadlessKernelAddLogEntry+924DEj
		pop	ecx
		retn
HeadlessKernelAddLogEntry endp


;  S U B	R O U T	I N E 


RtlFileMapFree	proc near		; CODE XREF: AslFileMappingDelete+Ep
					; AslpFileGetChecksumAttributes(x,x)+151p ...

; FUNCTION CHUNK AT 005DC675 SIZE 0000002E BYTES

		mov	edi, edi
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	short loc_54A1CD
		mov	eax, [edi+18h]
		test	eax, eax
		jnz	short loc_54A1DD

loc_54A1AC:				; CODE XREF: RtlFileMapFree+47j
		cmp	byte ptr [edi+1Ch], 0
		jnz	short loc_54A1CF

loc_54A1B2:				; CODE XREF: RtlFileMapFree+37j
					; RtlFileMapFree+3Fj
		cmp	byte ptr [edi+1Dh], 0
		jnz	loc_5DC675

loc_54A1BC:				; CODE XREF: RtlFileMapFree+924DEj
					; RtlFileMapFree+924EAj
		cmp	byte ptr [edi+1Eh], 0
		jnz	loc_5DC68B

loc_54A1C6:				; CODE XREF: RtlFileMapFree+924F4j
					; RtlFileMapFree+92502j
		push	8
		pop	ecx
		xor	eax, eax
		rep stosd

loc_54A1CD:				; CODE XREF: RtlFileMapFree+7j
		pop	edi
		retn
; 

loc_54A1CF:				; CODE XREF: RtlFileMapFree+14j
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_54A1B2
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_54A1B2
; 

loc_54A1DD:				; CODE XREF: RtlFileMapFree+Ej
		push	eax
		call	_MmUnsecureVirtualMemory@4 ; MmUnsecureVirtualMemory(x)
		jmp	short loc_54A1AC
RtlFileMapFree	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFileMapInitializeByNtPath(x, x)
_RtlFileMapInitializeByNtPath@8	proc near ; CODE XREF: AslFileMappingCreate+9Ap

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_24], 18h
		push	esi
		push	esi
		push	60h
		push	1
		push	5
		push	80h
		push	esi
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], esi
		push	eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_8], esi
		push	eax
		push	80100080h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], esi
		push	eax
		mov	ebx, ecx
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], 240h
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_54A25B
		mov	eax, [ebp+var_4]
		mov	edi, esi
		mov	byte ptr [ebx+1Ch], 1
		mov	[ebx], eax
		mov	[ebp+var_4], esi

loc_54A250:				; CODE XREF: RtlFileMapInitializeByNtPath(x,x)+78j
		test	esi, esi
		jnz	short loc_54A260

loc_54A254:				; CODE XREF: RtlFileMapInitializeByNtPath(x,x)+80j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_54A25B:				; CODE XREF: RtlFileMapInitializeByNtPath(x,x)+5Aj
		mov	esi, [ebp+var_4]
		jmp	short loc_54A250
; 

loc_54A260:				; CODE XREF: RtlFileMapInitializeByNtPath(x,x)+6Cj
		push	esi
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_54A254
_RtlFileMapInitializeByNtPath@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringCchCopyW proc near		; CODE XREF: PopLogNotifyDevice(x,x,x)+C2p
					; SdbpGetPathAppPatchPreRS3(x,x,x,x)+C6p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DC6A3 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		test	edx, edx
		jz	short loc_54A291
		cmp	edx, 7FFFFFFFh
		ja	short loc_54A291

loc_54A27B:				; CODE XREF: RtlStringCchCopyW+2Ej
		test	eax, eax
		js	loc_5DC6A3
		push	ecx
		push	[ebp+arg_0]
		push	ecx
		call	RtlStringCopyWorkerW

loc_54A28D:				; CODE XREF: RtlStringCchCopyW+9243Dj
					; RtlStringCchCopyW+92448j
		pop	ebp
		retn	4
; 

loc_54A291:				; CODE XREF: RtlStringCchCopyW+9j
					; RtlStringCchCopyW+11j
		mov	eax, 0C000000Dh
		jmp	short loc_54A27B
RtlStringCchCopyW endp


;  S U B	R O U T	I N E 


; __stdcall KsepPoolFreePaged(x)
_KsepPoolFreePaged@4 proc near		; CODE XREF: KsepEngineGetShimsFromRegistry+51p
					; KsepEngineGetShimsFromRegistry+5Cp ...
		test	ecx, ecx
		jz	short locret_54A2AE
		push	6145534Bh
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lock inc dword_6C6FA4

locret_54A2AE:				; CODE XREF: KsepPoolFreePaged(x)+2j
		retn
_KsepPoolFreePaged@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KsepPoolAllocatePaged(x)
_KsepPoolAllocatePaged@4 proc near	; CODE XREF: KsepEvntLogShimsApplied(x,x,x)+76p
					; KsepEvntLogShimsApplied(x,x,x)+FBp ...
		mov	edi, edi
		push	esi
		push	edi
		push	6145534Bh
		mov	edi, ecx
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_54A2E1
		lock inc dword_6C6FA0
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_54A2DC:				; CODE XREF: KsepPoolAllocatePaged(x)+38j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_54A2E1:				; CODE XREF: KsepPoolAllocatePaged(x)+17j
		lock inc dword_6C6FB0
		jmp	short loc_54A2DC
_KsepPoolAllocatePaged@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_KsepLogInfo	proc near		; CODE XREF: KseShimDriverIoCallbacks+E6p
					; KseDriverLoadImage(x)+131p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+arg_8]
		push	eax		; va_list
		push	[ebp+arg_4]	; char *
		push	2
		pop	edx
		call	_KsepLogEtwMessage@16 ;	KsepLogEtwMessage(x,x,x,x)
		pop	ebp
		retn
_KsepLogInfo	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KsepLogEtwMessage(char *,va_list)
_KsepLogEtwMessage@16 proc near		; CODE XREF: _KsepLogInfo+12p
					; _KsepLogError+11p

var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 128h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, _KseEtwHandle
		or	eax, dword_6FD4D4
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	[ebp+var_128], ecx
		mov	edi, edx
		mov	ecx, [ebp+arg_0]
		jz	loc_54A3D5
		push	esi		; va_list
		push	ecx		; char *
		mov	edx, 100h	; int
		lea	ecx, [ebp+var_104] ; int
		call	_RtlStringCbVPrintfA@16	; RtlStringCbVPrintfA(x,x,x,x)
		test	eax, eax
		js	loc_54A3D5
		xor	esi, esi
		mov	[ebp+var_11C], 4
		lea	eax, [ebp+var_128]
		mov	[ebp+var_120], esi
		lea	ecx, [ebp+var_104]
		mov	[ebp+var_124], eax
		mov	[ebp+var_118], esi
		lea	edx, [ecx+1]

loc_54A381:				; CODE XREF: KsepLogEtwMessage(x,x,x,x)+82j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_54A381
		sub	ecx, edx
		mov	[ebp+var_110], esi
		mov	[ebp+var_108], esi
		lea	eax, [ebp+var_104]
		mov	[ebp+var_114], eax
		lea	eax, [ecx+1]
		mov	[ebp+var_10C], eax
		mov	eax, offset _KShimErrorMessage
		test	edi, edi
		jz	short loc_54A3B9
		mov	eax, offset _KShimInfoMessage

loc_54A3B9:				; CODE XREF: KsepLogEtwMessage(x,x,x,x)+AEj
		lea	ecx, [ebp+var_124]
		push	ecx
		push	2
		push	esi
		push	eax
		push	dword_6FD4D4
		push	_KseEtwHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_54A3D5:				; CODE XREF: KsepLogEtwMessage(x,x,x,x)+30j
					; KsepLogEtwMessage(x,x,x,x)+4Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_KsepLogEtwMessage@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlStringCbVPrintfA(int,int,char *,va_list)
_RtlStringCbVPrintfA@16	proc near	; CODE XREF: vDbgPrintExWithPrefixInternal+9Bp
					; KsepLogEtwMessage(x,x,x,x)+43p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		test	edx, edx
		jz	short loc_54A40D
		cmp	edx, 7FFFFFFFh
		ja	short loc_54A40D

loc_54A3F9:				; CODE XREF: RtlStringCbVPrintfA(x,x,x,x)+2Cj
		test	eax, eax
		js	short loc_54A414
		push	[ebp+arg_4]	; va_list
		push	[ebp+arg_0]	; char *
		push	ecx		; int
		call	sub_54A41E

loc_54A409:				; CODE XREF: RtlStringCbVPrintfA(x,x,x,x)+30j
					; RtlStringCbVPrintfA(x,x,x,x)+35j
		pop	ebp
		retn	8
; 

loc_54A40D:				; CODE XREF: RtlStringCbVPrintfA(x,x,x,x)+9j
					; RtlStringCbVPrintfA(x,x,x,x)+11j
		mov	eax, 0C000000Dh
		jmp	short loc_54A3F9
; 

loc_54A414:				; CODE XREF: RtlStringCbVPrintfA(x,x,x,x)+15j
		test	edx, edx
		jz	short loc_54A409
		mov	byte ptr [ecx],	0
		jmp	short loc_54A409
_RtlStringCbVPrintfA@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall sub_54A41E(char *,int,int,char	*,va_list)
sub_54A41E	proc near		; CODE XREF: RtlStringCbVPrintfA(x,x,x,x)+1Ep
					; RtlStringCchPrintfA+2Ap

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_8]	; va_list
		lea	esi, [edx-1]
		mov	edi, ecx
		push	[ebp+arg_4]	; char *
		xor	ebx, ebx
		push	esi		; size_t
		push	edi		; char *
		call	__vsnprintf
		add	esp, 10h
		test	eax, eax
		js	short loc_54A455
		cmp	eax, esi
		ja	short loc_54A455
		jz	short loc_54A450

loc_54A447:				; CODE XREF: sub_54A41E+35j
					; sub_54A41E+3Fj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_54A450:				; CODE XREF: sub_54A41E+27j
		mov	[esi+edi], bl
		jmp	short loc_54A447
; 

loc_54A455:				; CODE XREF: sub_54A41E+21j
					; sub_54A41E+25j
		mov	[esi+edi], bl
		mov	ebx, 80000005h
		jmp	short loc_54A447
sub_54A41E	endp

; 
		align 10h

;  S U B	R O U T	I N E 


KsepPoolFreeNonPaged proc near		; CODE XREF: KseShimDriverIoCallbacks+8Dp

; FUNCTION CHUNK AT 005DC6B5 SIZE 00000013 BYTES

		test	ecx, ecx
		jnz	loc_5DC6B5
		retn
KsepPoolFreeNonPaged endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VfTargetDriversAdd proc	near		; CODE XREF: VfDriverLoadImage+3Ep
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+20Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DC6C8 SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[esp+14h+var_C], ecx
		xor	esi, esi
		inc	ebx
		push	edi
		mov	edi, edx
		cmp	_VfSafeMode, esi
		jnz	loc_54A515
		cmp	_ViTargetInitialized, esi
		jz	short loc_54A515
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	loc_5DC6C8

loc_54A4A2:				; CODE XREF: VfTargetDriversAdd+92284j
		mov	edx, [esp+18h+var_C]
		mov	ecx, offset _ViTargetDriversAvl
		push	edi
		call	VfAvlReserveNode
		mov	ecx, eax
		mov	[esp+18h+var_C], ecx
		test	ecx, ecx
		jz	loc_5DC6F3
		test	esi, esi
		jnz	loc_5DC714

loc_54A4C7:				; CODE XREF: VfTargetDriversAdd+922B7j
		mov	[ecx+1Ch], esi
		lea	edi, [ecx+0Ch]
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		call	VfThunkAddTargetNotify
		and	[esp+18h+var_4], 0
		lea	edx, [esp+18h+var_8]
		push	[esp+18h+var_C]
		and	[esp+1Ch+var_8], 0
		mov	ecx, offset _ViTargetDriversAvl
		mov	byte ptr [esp+1Ch+var_4+1], 4
		call	_VfAvlInsertReservedTreeNode@12	; VfAvlInsertReservedTreeNode(x,x,x)
		test	esi, esi
		jnz	loc_5DC726

loc_54A501:				; CODE XREF: VfTargetDriversAdd+922C8j
		lea	ecx, [esp+18h+var_8]
		call	VfAvlCleanupLockContext

loc_54A50A:				; CODE XREF: VfTargetDriversAdd+ADj
					; VfTargetDriversAdd+92294j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_54A515:				; CODE XREF: VfTargetDriversAdd+1Fj
					; VfTargetDriversAdd+2Bj ...
		xor	ebx, ebx
		jmp	short loc_54A50A
VfTargetDriversAdd endp

; 
		align 2

;  S U B	R O U T	I N E 


VfAvlCleanupLockContext	proc near	; CODE XREF: VfTargetDriversAdd+9Bp
					; VfTargetDriversRemove+89p ...

; FUNCTION CHUNK AT 005DC737 SIZE 00000011 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	al, [esi+5]
		test	al, 2
		jnz	loc_5DC737

loc_54A52A:				; CODE XREF: VfAvlCleanupLockContext+92229j
		test	al, 1
		jz	short loc_54A53F
		mov	cl, [esi+4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	byte ptr [esi+5], 0FEh
		mov	byte ptr [esi+4], 0

loc_54A53F:				; CODE XREF: VfAvlCleanupLockContext+12j
		pop	esi
		retn
VfAvlCleanupLockContext	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfAvlInsertReservedTreeNode(x, x, x)
_VfAvlInsertReservedTreeNode@12	proc near ; CODE XREF: VfTargetDriversAdd+8Ap
					; ViDevObjAdd(x)+5Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		mov	edx, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		mov	edx, [edx]
		call	ViAvlTableIndex
		test	byte ptr [esi+5], 1
		mov	ebx, eax
		jnz	short loc_54A56F
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		or	byte ptr [esi+5], 1
		mov	[esi+4], al

loc_54A56F:				; CODE XREF: VfAvlInsertReservedTreeNode(x,x,x)+1Cj
		mov	ecx, [edi+8]
		mov	edx, esi
		shl	ebx, 7
		add	ecx, ebx
		call	ViAvlAcquireTableLockAtDpcLevelSafe
		mov	eax, [edi+8]
		mov	ecx, [ebp+arg_0]
		mov	[eax+ebx+38h], ecx
		lea	eax, [ebp+arg_0+3]
		push	eax		; int
		mov	eax, [edi+8]
		push	4		; size_t
		push	ecx		; void *
		add	eax, ebx
		push	eax		; int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		lock inc dword ptr [edi+4]
		mov	ecx, [edi+8]
		mov	edx, esi
		add	ecx, ebx
		call	_ViAvlReleaseTableLockFromDpcLevel@8 ; ViAvlReleaseTableLockFromDpcLevel(x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_VfAvlInsertReservedTreeNode@12	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ViAvlReleaseTableLockFromDpcLevel(x, x)
_ViAvlReleaseTableLockFromDpcLevel@8 proc near
					; CODE XREF: VfAvlInsertReservedTreeNode(x,x,x)+63p
					; VfAvlDeleteTreeNode+7Cp ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		add	ecx, 40h
		push	ecx
		test	byte ptr [esi+5], 4
		jz	short loc_54A5CF
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_54A5C6:				; CODE XREF: ViAvlReleaseTableLockFromDpcLevel(x,x)+22j
		and	byte ptr [esi+5], 0FDh
		and	dword ptr [esi], 0
		pop	esi
		retn
; 

loc_54A5CF:				; CODE XREF: ViAvlReleaseTableLockFromDpcLevel(x,x)+Dj
		call	ExReleaseSpinLockSharedFromDpcLevel
		jmp	short loc_54A5C6
_ViAvlReleaseTableLockFromDpcLevel@8 endp


;  S U B	R O U T	I N E 


ViAvlAcquireTableLockAtDpcLevelSafe proc near
					; CODE XREF: VfAvlInsertReservedTreeNode(x,x,x)+37p
					; VfAvlDeleteTreeNode+4Ep ...

; FUNCTION CHUNK AT 005DC748 SIZE 0000000D BYTES

		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	al, [esi+5]
		test	al, 2
		jnz	short loc_54A5F3

loc_54A5E6:				; CODE XREF: ViAvlAcquireTableLockAtDpcLevelSafe+2Bj
		mov	edx, esi
		mov	ecx, edi
		call	_ViAvlAcquireTableLockAtDpcLevel@8 ; ViAvlAcquireTableLockAtDpcLevel(x,x)

loc_54A5EF:				; CODE XREF: ViAvlAcquireTableLockAtDpcLevelSafe+29j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_54A5F3:				; CODE XREF: ViAvlAcquireTableLockAtDpcLevelSafe+Ej
		mov	ecx, [esi]
		cmp	ecx, edi
		jnz	loc_5DC748

loc_54A5FD:				; CODE XREF: ViAvlAcquireTableLockAtDpcLevelSafe+9217Aj
		test	al, 2
		jnz	short loc_54A5EF
		jmp	short loc_54A5E6
ViAvlAcquireTableLockAtDpcLevelSafe endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ViAvlAcquireTableLockAtDpcLevel(x, x)
_ViAvlAcquireTableLockAtDpcLevel@8 proc	near
					; CODE XREF: ViAvlAcquireTableLockAtDpcLevelSafe+14p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		test	byte ptr [esi+5], 4
		lea	eax, [edi+40h]
		push	eax
		jz	short loc_54A624
		call	ExAcquireSpinLockExclusiveAtDpcLevel

loc_54A61B:				; CODE XREF: ViAvlAcquireTableLockAtDpcLevel(x,x)+25j
		or	byte ptr [esi+5], 2
		mov	[esi], edi
		pop	edi
		pop	esi
		retn
; 

loc_54A624:				; CODE XREF: ViAvlAcquireTableLockAtDpcLevel(x,x)+10j
		call	ExAcquireSpinLockSharedAtDpcLevel
		jmp	short loc_54A61B
_ViAvlAcquireTableLockAtDpcLevel@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


ViAvlTableIndex	proc near		; CODE XREF: VfAvlInsertReservedTreeNode(x,x,x)+11p
					; VfAvlDeleteTreeNode+30p ...

; FUNCTION CHUNK AT 005DC755 SIZE 0000000C BYTES

		mov	ecx, [ecx+0Ch]
		cmp	ecx, 1
		jnz	loc_5DC755
		xor	eax, eax
		retn
ViAvlTableIndex	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VfAvlReserveNode proc near		; CODE XREF: VfTargetDriversAdd+42p
					; ViDevObjAdd(x)+33p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DC761 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	eax, [edi+14h]
		cmp	eax, 1
		jz	loc_5DC761
		push	54416656h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_54A664:				; CODE XREF: VfAvlReserveNode+9212Fj
		test	eax, eax
		jz	short loc_54A68F
		lea	esi, [eax+10h]
		mov	eax, [ebp+arg_0]
		mov	[esi], ebx
		test	eax, eax
		jz	short loc_54A693

loc_54A674:				; CODE XREF: VfAvlReserveNode+59j
		mov	[esi+4], eax
		cmp	byte ptr [edi+10h], 0
		jz	short loc_54A686
		mov	edx, esi
		mov	ecx, edi
		call	_ViAvlNodeInitializeSessionId@8	; ViAvlNodeInitializeSessionId(x,x)

loc_54A686:				; CODE XREF: VfAvlReserveNode+3Fj
					; VfAvlReserveNode+55j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_54A68F:				; CODE XREF: VfAvlReserveNode+2Aj
		xor	esi, esi
		jmp	short loc_54A686
; 

loc_54A693:				; CODE XREF: VfAvlReserveNode+36j
		mov	eax, [edi]
		jmp	short loc_54A674
VfAvlReserveNode endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ViAvlNodeInitializeSessionId(x, x)
_ViAvlNodeInitializeSessionId@8	proc near ; CODE XREF: VfAvlReserveNode+45p
					; VfAvlDeleteTreeNode+26p ...
		cmp	byte ptr [ecx+10h], 0
		push	esi
		mov	esi, edx
		jz	short loc_54A6AC
		mov	ecx, [esi]
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jnz	short loc_54A6B4

loc_54A6AC:				; CODE XREF: ViAvlNodeInitializeSessionId(x,x)+7j
		or	eax, 0FFFFFFFFh

loc_54A6AF:				; CODE XREF: ViAvlNodeInitializeSessionId(x,x)+2Ej
		mov	[esi+8], eax
		pop	esi
		retn
; 

loc_54A6B4:				; CODE XREF: ViAvlNodeInitializeSessionId(x,x)+12j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_54A6AF
_ViAvlNodeInitializeSessionId@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateSystemSection proc near		; CODE XREF: MiCreateSectionForDriver+C2p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 005DC770 SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[esp+10h+var_4], ebx

loc_54A6DC:				; CODE XREF: MiCreateSystemSection+920C0j
		push	ebx
		push	[ebp+arg_24]
		mov	edx, [ebp+arg_0]
		lea	ecx, [esp+18h+var_4]
		push	ebx
		push	ebx
		push	[ebp+arg_18]
		push	ebx
		push	ebx
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	10h
		push	ebx
		push	ebx
		call	MiCreateSection
		mov	esi, eax
		test	esi, esi
		js	loc_5DC770
		mov	ecx, [esp+10h+var_4]
		mov	[edi], ecx
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		test	eax, eax
		jz	short loc_54A74E
		lea	ebx, [eax+20h]
		cmp	dword ptr [ebx], 0
		jz	short loc_54A74E
		mov	ecx, eax
		call	MiReferenceControlAreaFile
		mov	edi, eax
		mov	ecx, edi
		call	_CcZeroEndOfLastPage@4 ; CcZeroEndOfLastPage(x)
		mov	ecx, [ebx]
		mov	edx, ecx
		xor	edx, edi
		cmp	edx, 7
		jnb	loc_5DC79A

loc_54A73D:				; CODE XREF: MiCreateSystemSection+920CCj
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jnz	loc_5DC78D

loc_54A74E:				; CODE XREF: MiCreateSystemSection+4Cj
					; MiCreateSystemSection+54j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	30h
MiCreateSystemSection endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl KsepLogError(int,char *,char)
_KsepLogError	proc near		; CODE XREF: KsepSdbMapToMemory+B4p
					; KsepShimDatabaseTime+C1p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+arg_8]
		push	eax		; va_list
		push	[ebp+arg_4]	; char *
		xor	edx, edx
		call	_KsepLogEtwMessage@16 ;	KsepLogEtwMessage(x,x,x,x)
		pop	ebp
		retn
_KsepLogError	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDiagnosticTraceDriverFullInfo(x,	x, x, x, x)
_PnpDiagnosticTraceDriverFullInfo@20 proc near ; CODE XREF: IopLoadDriver+55Bp
					; IopUnloadDriver+22Fp

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_3C], 4
		movzx	ecx, word ptr [edx]
		mov	ax, cx
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_64], eax
		mov	eax, [edx+4]
		push	edi
		xor	edi, edi
		mov	[ebp+var_54], eax
		mov	eax, ecx
		mov	[ebp+var_60], edi
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_58], edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], edi
		push	2
		pop	ebx
		mov	[ebp+var_5C], ebx
		test	ecx, ecx
		jz	short loc_54A844
		cmp	[ecx+4], edi
		jz	short loc_54A844
		mov	ax, [ecx]
		shr	ax, 1
		movzx	edx, ax

loc_54A7E5:				; CODE XREF: PnpDiagnosticTraceDriverFullInfo(x,x,x,x,x)+D4j
		movzx	eax, dx
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], edi
		test	ecx, ecx
		jz	short loc_54A848
		mov	eax, [ecx+4]

loc_54A801:				; CODE XREF: PnpDiagnosticTraceDriverFullInfo(x,x,x,x,x)+D8j
		mov	[ebp+var_24], eax
		mov	ecx, esi
		movzx	eax, dx
		add	eax, eax
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		pop	edx
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], edi
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_54A844:				; CODE XREF: PnpDiagnosticTraceDriverFullInfo(x,x,x,x,x)+63j
					; PnpDiagnosticTraceDriverFullInfo(x,x,x,x,x)+68j
		mov	edx, edi
		jmp	short loc_54A7E5
; 

loc_54A848:				; CODE XREF: PnpDiagnosticTraceDriverFullInfo(x,x,x,x,x)+8Aj
		mov	eax, edi
		jmp	short loc_54A801
_PnpDiagnosticTraceDriverFullInfo@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDiagnosticTrace(x, x, x)
_PnpDiagnosticTrace@12 proc near	; CODE XREF: PnpDiagnosticTraceDriverFullInfo(x,x,x,x,x)+BCp
					; PnpCompleteSystemStartProcess()+Dp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, _PnpEtwHandle
		mov	ebx, ecx
		push	edi
		mov	edi, dword_6D4DF4
		mov	eax, esi
		or	eax, edi
		mov	[ebp+var_4], edx
		jz	short loc_54A88F
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_54A88F
		push	[ebp+arg_0]
		push	[ebp+var_4]
		push	0
		push	ebx
		push	edi
		push	esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_54A888:				; CODE XREF: PnpDiagnosticTrace(x,x,x)+45j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_54A88F:				; CODE XREF: PnpDiagnosticTrace(x,x,x)+1Ej
					; PnpDiagnosticTrace(x,x,x)+2Aj
		xor	eax, eax
		jmp	short loc_54A888
_PnpDiagnosticTrace@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall VfDifCaptureIoCallbacks(x)
_VfDifCaptureIoCallbacks@4 proc	near	; CODE XREF: IopLoadDriver+488p
					; IopInitializeBuiltinDriver(x,x,x,x,x,x)+2E2p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	ViDifCheckCallbackInterception
		test	al, al
		jnz	short loc_54A8A4
		pop	esi
		retn
; 

loc_54A8A4:				; CODE XREF: VfDifCaptureIoCallbacks(x)+Cj
		mov	ecx, esi
		pop	esi
		jmp	_ViDifCaptureIoCallbacks@4 ; ViDifCaptureIoCallbacks(x)
_VfDifCaptureIoCallbacks@4 endp


;  S U B	R O U T	I N E 


VfDifCaptureDriverEntry	proc near	; CODE XREF: IopLoadDriver+472p
					; IopInitializeBuiltinDriver(x,x,x,x,x,x)+2B5p

; FUNCTION CHUNK AT 005DC7AA SIZE 0000001E BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+18h]
		call	ViDifCheckCallbackInterception
		test	al, al
		jnz	loc_5DC7AA

loc_54A8C2:				; CODE XREF: VfDifCaptureDriverEntry+91F05j
		xor	al, al

loc_54A8C4:				; CODE XREF: VfDifCaptureDriverEntry+91F17j
		pop	edi
		pop	esi
		retn
VfDifCaptureDriverEntry	endp

; 
		align 4

;  S U B	R O U T	I N E 


ViDifCheckCallbackInterception proc near ; CODE	XREF: VfDifCaptureIoCallbacks(x)+5p
					; VfDifCaptureDriverEntry+9p ...

; FUNCTION CHUNK AT 005DC7C8 SIZE 00000081 BYTES

		cmp	_KernelVerifier, 0
		push	esi
		mov	esi, ecx
		jnz	short loc_54A8E2
		push	esi
		call	_MmIsDriverVerifying@4 ; MmIsDriverVerifying(x)
		test	eax, eax
		jnz	loc_5DC7C8

loc_54A8E2:				; CODE XREF: ViDifCheckCallbackInterception+Aj
					; ViDifCheckCallbackInterception+91F07j ...
		xor	al, al
		pop	esi
		retn
ViDifCheckCallbackInterception endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1420. MmIsDriverVerifying

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmIsDriverVerifying(x)
		public _MmIsDriverVerifying@4
_MmIsDriverVerifying@4 proc near	; CODE XREF: ViDifCheckCallbackInterception+Dp
					; VfIsVerificationEnabled+81874p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_54A904
		test	dword ptr [eax+34h], 2000000h
		jnz	short loc_54A90A

loc_54A904:				; CODE XREF: MmIsDriverVerifying(x)+Dj
		xor	eax, eax

loc_54A906:				; CODE XREF: MmIsDriverVerifying(x)+21j
		pop	ebp
		retn	4
; 

loc_54A90A:				; CODE XREF: MmIsDriverVerifying(x)+16j
		xor	eax, eax
		inc	eax
		jmp	short loc_54A906
_MmIsDriverVerifying@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VfAvlDeleteTreeNode proc near		; CODE XREF: VfTargetDriversRemove+7Fp
					; ViDevObjRemove(x)+64p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DC8DE SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	[ebp+var_C], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_4]
		push	edi
		mov	edi, edx
		test	eax, eax
		jz	short loc_54A99A

loc_54A930:				; CODE XREF: VfAvlDeleteTreeNode+8Cj
		lea	edx, [ebp+var_C]
		mov	[ebp+var_8], eax
		call	_ViAvlNodeInitializeSessionId@8	; ViAvlNodeInitializeSessionId(x,x)
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		call	ViAvlTableIndex
		test	byte ptr [edi+5], 1
		mov	esi, eax
		jz	loc_5DC8DE

loc_54A951:				; CODE XREF: VfAvlDeleteTreeNode+91FDDj
		mov	ecx, [ebx+8]
		mov	edx, edi
		shl	esi, 7
		add	ecx, esi
		mov	[ebp+arg_0], esi
		call	ViAvlAcquireTableLockAtDpcLevelSafe
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, [ebx+8]
		add	eax, esi
		push	eax
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		lock dec dword ptr [ebx+4]
		mov	ecx, [ebx+8]
		mov	edx, edi
		mov	eax, [ebp+arg_0]
		mov	esi, [ecx+esi+3Ch]
		and	dword ptr [ecx+eax+3Ch], 0
		mov	ecx, [ebx+8]
		add	ecx, eax
		call	_ViAvlReleaseTableLockFromDpcLevel@8 ; ViAvlReleaseTableLockFromDpcLevel(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_54A99A:				; CODE XREF: VfAvlDeleteTreeNode+1Ej
		mov	eax, [ebx]
		jmp	short loc_54A930
VfAvlDeleteTreeNode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VfAvlLookupTreeNode proc near		; CODE XREF: VfTargetDriversRemove+4Cp
					; VfTargetDriversGetNode(x)+32p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DC8F2 SIZE 000000C4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], eax
		push	esi
		mov	esi, edx
		push	edi
		test	ecx, ecx
		jz	loc_5DC8F2

loc_54A9C3:				; CODE XREF: VfAvlLookupTreeNode+91F59j
		mov	edx, [ebp+arg_0]
		mov	eax, edx
		and	eax, 0FFFh
		mov	edi, edx
		add	eax, 0FFFh
		and	edi, 0FFFFF000h
		add	eax, ecx
		shr	eax, 0Ch
		mov	[ebp+var_C], eax
		cmp	edi, edx
		jnz	loc_5DC8FC

loc_54A9EA:				; CODE XREF: VfAvlLookupTreeNode+91FECj
		add	ecx, edx
		mov	[ebp+arg_0], ecx
		test	eax, eax
		jz	short loc_54AA6E

loc_54A9F3:				; CODE XREF: VfAvlLookupTreeNode+9200Dj
		lea	eax, [edi+1000h]
		mov	[ebp+var_1C], edi
		mov	[ebp+arg_4], eax
		cmp	eax, ecx
		jbe	short loc_54AA65
		mov	eax, ecx
		sub	eax, edi
		mov	[ebp+var_18], eax

loc_54AA0A:				; CODE XREF: VfAvlLookupTreeNode+CEj
		lea	edx, [ebp+var_1C]
		mov	ecx, ebx
		call	_ViAvlNodeInitializeSessionId@8	; ViAvlNodeInitializeSessionId(x,x)
		mov	edx, [ebp+var_1C]
		mov	ecx, ebx
		call	ViAvlTableIndex
		test	byte ptr [esi+5], 1
		mov	edi, eax
		jnz	short loc_54AA35
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		or	byte ptr [esi+5], 1
		mov	[esi+4], al

loc_54AA35:				; CODE XREF: VfAvlLookupTreeNode+86j
		mov	ecx, [ebx+8]
		mov	edx, esi
		shl	edi, 7
		add	ecx, edi
		call	ViAvlAcquireTableLockAtDpcLevelSafe
		lea	eax, [ebp+var_1C]
		push	eax
		mov	eax, [ebx+8]
		add	eax, edi
		push	eax
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_5DC98F

loc_54AA5E:				; CODE XREF: VfAvlLookupTreeNode+D3j
					; VfAvlLookupTreeNode+91FC6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_54AA65:				; CODE XREF: VfAvlLookupTreeNode+63j
		mov	[ebp+var_18], 1000h
		jmp	short loc_54AA0A
; 

loc_54AA6E:				; CODE XREF: VfAvlLookupTreeNode+53j
					; VfAvlLookupTreeNode+92013j
		mov	eax, [ebp+var_8]
		jmp	short loc_54AA5E
VfAvlLookupTreeNode endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VfTargetDriversRemove proc near		; CODE XREF: VfDriverUnloadImage+27p
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+28Cp

var_2C		= dword	ptr -2Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DC9B6 SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		xor	eax, eax
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_2C]
		push	8
		pop	ecx
		rep stosd
		cmp	_VfSafeMode, eax
		jnz	loc_54AB2B
		xor	esi, esi
		cmp	_ViTargetInitialized, esi
		jz	loc_54AB2B
		mov	eax, [ebx+18h]
		lea	edx, [ebp+var_C]
		push	1
		mov	[ebp+var_8], esi
		mov	ecx, offset _ViTargetDriversAvl
		push	eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], esi
		mov	byte ptr [ebp+var_8+1],	4
		call	VfAvlLookupTreeNode
		mov	edi, eax
		test	edi, edi
		jz	short loc_54AAFA
		mov	esi, [edi+1Ch]
		test	esi, esi
		jnz	loc_5DC9B6

loc_54AAD6:				; CODE XREF: VfTargetDriversRemove+91F5Ej
		push	8
		mov	esi, edi
		lea	edi, [ebp+var_2C]
		pop	ecx
		rep movsd
		cmp	[ebp+var_10], 0
		jnz	short loc_54AB30

loc_54AAE6:				; CODE XREF: VfTargetDriversRemove+C2j
		push	1
		push	[ebp+var_4]
		lea	edx, [ebp+var_C]
		mov	ecx, offset _ViTargetDriversAvl
		call	VfAvlDeleteTreeNode
		mov	esi, eax

loc_54AAFA:				; CODE XREF: VfTargetDriversRemove+55j
		lea	ecx, [ebp+var_C]
		call	VfAvlCleanupLockContext
		test	esi, esi
		jz	short loc_54AB2B
		lea	ecx, [ebp+var_2C]
		call	_VfThunkRemoveTargetNotify@4 ; VfThunkRemoveTargetNotify(x)
		cmp	[ebp+var_10], 0
		jnz	loc_5DC9D7

loc_54AB18:				; CODE XREF: VfTargetDriversRemove+91F70j
		cmp	dword_6BE394, 1
		jz	loc_5DC9E9
		push	esi
		call	_VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)

loc_54AB2B:				; CODE XREF: VfTargetDriversRemove+1Dj
					; VfTargetDriversRemove+2Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_54AB30:				; CODE XREF: VfTargetDriversRemove+70j
		dec	dword_6BE398
		jmp	short loc_54AAE6
VfTargetDriversRemove endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilFreePoolCheckIRQL(x)
_VfUtilFreePoolCheckIRQL@4 proc	near	; CODE XREF: VfTargetDriversRemove+B2p
					; VerifierIoSetCompletionRoutineEx(x,x,x,x,x,x,x)+68p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		cmp	al, 2
		setnz	dl
		call	VfPoolDelayFreeIfPossible
		pop	ebp
		retn	4
_VfUtilFreePoolCheckIRQL@4 endp


;  S U B	R O U T	I N E 


VfPoolDelayFreeIfPossible proc near	; CODE XREF: VfUtilFreePoolCheckIRQL(x)+15p
					; VfUtilFreePoolDispatchLevel(x)+Ap

; FUNCTION CHUNK AT 005DC9FA SIZE 0000003F BYTES

		mov	edi, edi
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		cmp	edx, 1
		ja	short loc_54AB77
		imul	esi, edx, 30h
		add	esi, offset _VfPoolDelayFreeData
		inc	dword ptr [esi+20h]
		cmp	[esi+1Ch], ebx
		jnz	loc_5DC9FA

loc_54AB77:				; CODE XREF: VfPoolDelayFreeIfPossible+Aj
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_54AB7E:				; CODE XREF: VfPoolDelayFreeIfPossible+91ECAj
					; VfPoolDelayFreeIfPossible+91EDBj
		pop	edi
		pop	esi
		pop	ebx
		retn
VfPoolDelayFreeIfPossible endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCleanupNotifications	proc near	; CODE XREF: IopDeleteFileObjectExtension+EE37Fp
					; IopUnloadDriver+205p	...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DCA39 SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		mov	ecx, offset _IopSessionNotificationLock
		call	ExAcquirePushLockExclusiveEx
		mov	edi, _IopSessionNotificationQueueHead
		mov	eax, offset _IopSessionNotificationQueueHead
		cmp	edi, eax
		jnz	short loc_54ABC6

loc_54ABB0:				; CODE XREF: IopCleanupNotifications+91EFEj
		xor	edx, edx
		mov	ecx, offset _IopSessionNotificationLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_54ABC6:				; CODE XREF: IopCleanupNotifications+2Cj
		mov	eax, [ebp+var_4]
		jmp	loc_5DCA39
IopCleanupNotifications	endp


;  S U B	R O U T	I N E 


IopCheckUnloadDriver proc near		; CODE XREF: IopUnloadDriver+165p
					; IovpUnloadDriver(x)+2Ap

; FUNCTION CHUNK AT 005DCAA7 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	esi, ecx
		mov	edi, edx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, [esi+4]
		mov	bl, al
		test	ecx, ecx
		jnz	short loc_54ABEE
		test	byte ptr [esi+8], 1
		jnz	short loc_54AC3E

loc_54ABEE:				; CODE XREF: IopCheckUnloadDriver+18j
		mov	edx, [esi+8]
		test	dl, dl
		js	short loc_54ABF9
		test	ecx, ecx
		jnz	short loc_54AC32

loc_54ABF9:				; CODE XREF: IopCheckUnloadDriver+25j
					; IopCheckUnloadDriver+6Ej
		test	dl, 10h
		jz	loc_5DCA8A
		mov	byte ptr [edi],	1
		mov	al, 1
		xor	edx, edx

loc_54AC09:				; CODE XREF: IopCheckUnloadDriver+90j
		test	ecx, ecx
		jnz	short loc_54AC45
		test	byte ptr [esi+8], 80h
		jnz	loc_5DCAA7

loc_54AC17:				; CODE XREF: IopCheckUnloadDriver+91EDCj
					; IopCheckUnloadDriver+91EE6j
		test	al, al
		jz	short loc_54AC1F
		or	dword ptr [esi+8], 1

loc_54AC1F:				; CODE XREF: IopCheckUnloadDriver+4Bj
		push	0Ah
		mov	dl, bl
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	eax, 0C0000001h

loc_54AC2E:				; CODE XREF: IopCleanupNotifications+91F20j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_54AC32:				; CODE XREF: IopCheckUnloadDriver+29j
		mov	eax, [ecx+0B0h]
		test	byte ptr [eax+10h], 1
		jz	short loc_54ABF9

loc_54AC3E:				; CODE XREF: IopCheckUnloadDriver+1Ej
		xor	edi, edi
		jmp	loc_5DCA8F
; 

loc_54AC45:				; CODE XREF: IopCheckUnloadDriver+3Dj
		mov	eax, [ecx+0B0h]
		or	dword ptr [eax+10h], 1
		cmp	[ecx+4], edx
		jnz	short loc_54AC60
		cmp	[ecx+10h], edx
		jnz	short loc_54AC60
		mov	al, [edi]

loc_54AC5B:				; CODE XREF: IopCheckUnloadDriver+96j
		mov	ecx, [ecx+0Ch]
		jmp	short loc_54AC09
; 

loc_54AC60:				; CODE XREF: IopCheckUnloadDriver+84j
					; IopCheckUnloadDriver+89j
		mov	[edi], dl
		mov	al, dl
		jmp	short loc_54AC5B
IopCheckUnloadDriver endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiResolvePageFileFault proc near	; CODE XREF: MiIssueFlowThroughFault(x,x,x,x,x,x,x)+112p
					; MiDispatchFault+549p	...

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DCAB9 SIZE 0000034B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		push	ebx
		mov	ebx, [edx]
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_74], 0
		mov	[ebp+var_58], 0
		mov	[ebp+var_54], 0
		mov	ecx, [edi]
		mov	[ebp+var_4C], ecx
		mov	ecx, [edi+8]
		mov	[ebp+var_64], ecx
		mov	ecx, [edi+14h]
		mov	[ebp+var_C], eax
		mov	[ebp+var_48], ecx
		mov	[ebp+var_20], ebx
		nop
		mov	ecx, large fs:124h
		mov	esi, [edx+4]
		mov	[ebp+var_34], esi
		mov	[ebp+var_80], ebx
		test	byte ptr [ecx+304h], 4
		mov	[ebp+var_7C], esi
		mov	[ebp+var_84], ecx
		jnz	loc_5DCAB9
		mov	edx, ebx
		and	edx, 800h
		mov	ecx, edx
		or	ecx, eax
		jnz	loc_54BB9E
		mov	[ebp+var_38], eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_30], esi

loc_54ACF5:				; CODE XREF: MiResolvePageFileFault+F9Aj
		mov	ecx, [ebp+var_64]
		mov	esi, ecx
		and	ecx, 0FFFFFFFEh
		mov	[ebp+var_24], 0
		mov	[ebp+var_40], 2
		mov	[ebp+var_64], ecx
		and	esi, 1
		jnz	loc_54B7DB

loc_54AD17:				; CODE XREF: MiResolvePageFileFault+B6Ej
		test	esi, esi
		jnz	loc_54B7E9

loc_54AD1F:				; CODE XREF: MiResolvePageFileFault+B8Ej
					; MiResolvePageFileFault+DA9j ...
		mov	edx, 2

loc_54AD24:				; CODE XREF: MiResolvePageFileFault+BBEj
		mov	ecx, [ebp+var_4C]
		mov	[ebp+var_50], 0
		cmp	ecx, dword_6D07D0
		jnb	loc_54B633
		mov	[ebp+var_14], 0

loc_54AD41:				; CODE XREF: MiResolvePageFileFault+9D0j
		test	esi, esi
		jnz	loc_54B833

loc_54AD49:				; CODE XREF: MiResolvePageFileFault+BC9j
		mov	esi, [ebp+var_34]
		mov	edx, ebx
		mov	ecx, esi
		shrd	edx, ecx, 5
		and	edx, 1Fh
		cmp	dl, 1Fh
		jz	loc_54BC91
		cmp	[ebp+var_14], 0Ch
		jz	loc_54B9C3

loc_54AD6A:				; CODE XREF: MiResolvePageFileFault+D5Aj
					; MiResolvePageFileFault+1037j
		mov	ecx, [ebp+var_24]

loc_54AD6D:				; CODE XREF: MiResolvePageFileFault+BE2j
		cmp	eax, 20h
		jnb	loc_54B938

loc_54AD76:				; CODE XREF: MiResolvePageFileFault+CCFj
					; MiResolvePageFileFault+CE3j
		mov	eax, [ebp+var_84]
		mov	ecx, [ebp+var_10]
		mov	ebx, ecx
		mov	[ebp+var_18], 1
		mov	[ebp+var_3C], ebx
		mov	eax, [eax+80h]
		mov	[ebp+var_2C], eax
		mov	eax, 10h
		mov	[ebp+var_8], eax
		lea	eax, [ecx+40000000h]
		mov	[ebp+var_64], 0
		mov	[ebp+var_70], 2
		cmp	eax, offset loc_7FFFFF
		ja	loc_54B69A
		mov	ecx, [ebp+var_20]
		mov	eax, esi
		shrd	ecx, eax, 5
		shr	eax, 5
		mov	[ebp+var_5C], eax
		mov	al, byte ptr [ebp+var_64]
		mov	[ebp+var_1], al

loc_54ADD0:				; CODE XREF: MiResolvePageFileFault+A80j
		mov	eax, [edi+28h]
		and	ecx, 1Fh
		mov	[ebp+var_14], eax
		xor	edx, edx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_44], ecx
		push	eax
		mov	ecx, edi
		call	MiComputeFaultNode
		mov	esi, eax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_6C], esi
		mov	[ebp+var_68], eax
		test	eax, eax
		jnz	loc_54B7B6
		mov	eax, ds:_MmHighestUserAddress
		mov	ecx, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	ecx, eax
		ja	loc_54B645
		cmp	ecx, 0C0000000h
		mov	ecx, [ebp+var_2C]
		jb	short loc_54AE30
		call	_MiIsStoreProcess@4 ; MiIsStoreProcess(x)
		test	eax, eax
		jnz	loc_54B7A3

loc_54AE30:				; CODE XREF: MiResolvePageFileFault+1B1j
					; MiResolvePageFileFault+9D8j
		mov	eax, [ebp+var_48]
		test	byte ptr [eax+60h], 7
		jnz	short loc_54AE64
		mov	eax, [ebp+var_4C]
		cmp	eax, dword_6D07D0
		jnb	short loc_54AE64
		mov	eax, [ecx+24Ch]
		cmp	dword ptr [eax+0B0h], 0
		jnz	loc_54B7A3
		cmp	dword ptr [eax+0B4h], 0
		jnz	loc_54B7A3

loc_54AE64:				; CODE XREF: MiResolvePageFileFault+1C7j
					; MiResolvePageFileFault+1D2j ...
		mov	edi, [ebp+var_20]
		mov	eax, [ebp+var_34]
		shrd	edi, eax, 0Bh
		and	edi, 1
		mov	eax, edi
		or	eax, 0
		jnz	loc_54BC0F

loc_54AE7C:				; CODE XREF: MiResolvePageFileFault+FAAj
		push	[ebp+var_30]
		mov	ecx, offset _MiSystemPartition
		push	[ebp+var_1C]
		call	_MiIsPteInStore@16 ; MiIsPteInStore(x,x,x,x)
		mov	edx, dword_6D348C
		mov	ecx, eax
		mov	eax, [ebp+var_C]
		and	ecx, 1
		or	eax, ecx
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_C], eax
		cmp	ecx, 1
		jz	short loc_54AEC9
		test	edx, edx
		jnz	loc_5DCB37
		mov	edx, [ebp+var_24]
		test	edx, edx
		jnz	loc_54B857
		mov	edx, [ebp+var_4C]
		cmp	edx, ds:_MmHighestUserAddress
		ja	loc_54B64D

loc_54AEC9:				; CODE XREF: MiResolvePageFileFault+235j
					; MiResolvePageFileFault+9E9j ...
		and	eax, 1
		mov	[ebp+var_5C], eax
		jz	short loc_54AEDE
		mov	eax, dword_6D5104
		cmp	ecx, eax
		ja	loc_5DCB63

loc_54AEDE:				; CODE XREF: MiResolvePageFileFault+25Fj
					; MiResolvePageFileFault+91EF6j
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+arg_0]
		mov	edx, [ebp+var_40]
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	MiAllocateInPageSupport
		mov	ecx, eax
		mov	[ebp+var_40], ecx
		test	ecx, ecx
		jz	loc_5DCB6B
		mov	edx, ebx
		mov	eax, [edx]
		nop
		mov	edx, [edx+4]
		cmp	eax, [ebp+var_20]
		jnz	loc_5DCDCA
		cmp	edx, [ebp+var_34]
		jnz	loc_5DCDCA
		or	edi, 0
		jnz	loc_54BB5A

loc_54AF29:				; CODE XREF: MiResolvePageFileFault+F23j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_54B88F

loc_54AF34:				; CODE XREF: MiResolvePageFileFault+C22j
					; MiResolvePageFileFault+C31j
		cmp	[ebp+var_8], 1
		jbe	loc_54B190
		mov	edx, 140h
		mov	ecx, offset _MiSystemPartition
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	loc_54B190
		mov	edx, ebx
		mov	ecx, 1FFh
		mov	eax, edx
		shr	eax, 3
		and	eax, 1FFh
		sub	ecx, eax
		mov	[ebp+var_2C], eax
		test	[ebp+var_1], 10h
		mov	edi, ecx
		mov	[ebp+var_28], ecx
		jnz	loc_54B71D

loc_54AF7A:				; CODE XREF: MiResolvePageFileFault+B25j
					; MiResolvePageFileFault+B2Ej
		mov	ecx, [ebp+var_8]

loc_54AF7D:				; CODE XREF: MiResolvePageFileFault+91F0Fj
		cmp	[ebp+var_24], 0
		jnz	loc_54B621
		test	byte ptr [ebp+var_C], 4
		jnz	loc_54B621

loc_54AF91:				; CODE XREF: MiResolvePageFileFault+9B8j
		cmp	ecx, 1
		jbe	loc_54B190
		lea	eax, [ecx-1]
		mov	[ebp+var_8], eax
		cmp	edi, eax
		jbe	short loc_54AFA6
		mov	edi, eax

loc_54AFA6:				; CODE XREF: MiResolvePageFileFault+332j
		mov	eax, [ebp+var_20]
		lea	ecx, [ebp+var_58]
		mov	[ebp+var_58], eax
		lea	ebx, [edx+8]
		mov	eax, [ebp+var_34]
		mov	[ebp+var_54], eax
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		mov	edx, edi
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		mov	[ebp+var_38], 0
		add	edx, eax
		adc	ecx, ecx
		mov	[ebp+var_74], ecx
		jnz	loc_5DCB84
		cmp	edx, 0FFFFFFFEh
		jnb	loc_5DCB84

loc_54AFE1:				; CODE XREF: MiResolvePageFileFault+91F1Bj
		cmp	[ebp+var_5C], 0
		jz	loc_54B9A7

loc_54AFEB:				; CODE XREF: MiResolvePageFileFault+D3Bj
		or	[ebp+var_C], 8

loc_54AFEF:				; CODE XREF: MiResolvePageFileFault+D41j
		mov	ecx, [ebp+var_20]
		mov	eax, ecx
		mov	edx, [ebp+var_34]
		and	eax, 0FFFFFF1Dh
		mov	[ebp+var_28], eax
		mov	[ebp+var_5C], edx
		test	edi, edi
		jz	short loc_54B070
		mov	esi, edx
		jmp	short loc_54B010
; 
		align 10h

loc_54B010:				; CODE XREF: MiResolvePageFileFault+398j
					; MiResolvePageFileFault+3F0j
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_38]
		add	ecx, 1
		push	esi
		adc	edx, 0
		mov	[ebp+var_14], ecx
		push	eax
		push	edx
		push	ecx
		mov	[ebp+var_38], edx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	ecx, [ebx]
		mov	esi, edx
		mov	[ebp+var_74], eax
		nop
		mov	edx, [ebx+4]
		mov	eax, ecx
		and	eax, 3E0h
		or	eax, 0
		jz	loc_54B95E
		mov	eax, [ebp+var_74]
		and	ecx, 0FFFFFF1Dh
		cmp	ecx, eax
		jnz	short loc_54B064
		cmp	edx, esi
		jnz	short loc_54B064
		mov	[ebp+var_3C], ebx

loc_54B05A:				; CODE XREF: MiResolvePageFileFault+3F8j
					; MiResolvePageFileFault+CFBj
		add	ebx, 8
		sub	edi, 1
		jnz	short loc_54B010
		jmp	short loc_54B06A
; 

loc_54B064:				; CODE XREF: MiResolvePageFileFault+3E1j
					; MiResolvePageFileFault+3E5j
		test	byte ptr [ebp+var_C], 8
		jz	short loc_54B05A

loc_54B06A:				; CODE XREF: MiResolvePageFileFault+3F2j
					; MiResolvePageFileFault+CF2j
		mov	ecx, [ebp+var_20]
		mov	edx, [ebp+var_34]

loc_54B070:				; CODE XREF: MiResolvePageFileFault+394j
		mov	eax, [ebp+var_3C]
		sub	eax, [ebp+var_10]
		mov	edi, [ebp+var_8]
		sar	eax, 3
		sub	edi, eax
		lea	ebx, [eax+1]
		mov	[ebp+var_18], ebx
		mov	ebx, [ebp+var_2C]
		cmp	ebx, edi
		jbe	short loc_54B08D
		mov	ebx, edi

loc_54B08D:				; CODE XREF: MiResolvePageFileFault+419j
		mov	eax, [ebp+var_10]
		mov	[ebp+var_58], ecx
		lea	ecx, [ebp+var_58]
		mov	[ebp+var_54], edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], eax
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		mov	edi, eax
		mov	ecx, 0
		mov	edx, edi
		add	edx, 0FFFFFFFFh
		adc	ecx, 0FFFFFFFFh
		xor	eax, eax
		cmp	eax, ecx
		jb	short loc_54B0C7
		ja	loc_5DCB90
		cmp	ebx, edx
		ja	loc_5DCB90

loc_54B0C7:				; CODE XREF: MiResolvePageFileFault+447j
					; MiResolvePageFileFault+91F23j
		mov	edx, [ebp+var_34]
		test	ebx, ebx
		jz	short loc_54B130
		mov	eax, [ebp+var_8]
		xor	esi, esi

loc_54B0D3:				; CODE XREF: MiResolvePageFileFault+4B2j
		sub	eax, 8
		add	edi, 0FFFFFFFFh
		push	edx
		push	[ebp+var_28]
		adc	esi, 0FFFFFFFFh
		mov	[ebp+var_8], eax
		push	esi
		push	edi
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_8]
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		mov	[ebp+var_5C], eax
		mov	eax, ecx
		and	eax, 3E0h
		or	eax, 0
		jz	loc_54B9CF
		and	ecx, 0FFFFFF1Dh
		cmp	ecx, [ebp+var_28]
		jnz	short loc_54B126
		cmp	[ebp+var_5C], edx
		jnz	short loc_54B126
		mov	eax, [ebp+var_8]
		mov	[ebp+var_14], eax

loc_54B11F:				; CODE XREF: MiResolvePageFileFault+D6Cj
		sub	ebx, 1
		jnz	short loc_54B0D3
		jmp	short loc_54B130
; 

loc_54B126:				; CODE XREF: MiResolvePageFileFault+4A2j
					; MiResolvePageFileFault+4A7j
		test	byte ptr [ebp+var_C], 8
		jz	loc_54B9D9

loc_54B130:				; CODE XREF: MiResolvePageFileFault+45Cj
					; MiResolvePageFileFault+4B4j ...
		mov	edi, [ebp+var_10]
		sub	edi, [ebp+var_14]
		mov	edx, dword_6D0704
		mov	ebx, [ebp+var_34]
		mov	ecx, ebx
		mov	eax, dword_6D0700
		mov	esi, ecx
		sar	edi, 3
		or	eax, edx
		mov	[ebp+var_14], edx
		mov	edx, [ebp+var_20]
		jz	short loc_54B166
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_54B166
		mov	ecx, [ebp+var_14]
		not	ecx
		and	ecx, esi

loc_54B166:				; CODE XREF: MiResolvePageFileFault+4E3j
					; MiResolvePageFileFault+4EDj
		xor	eax, eax
		sub	ecx, edi
		push	ebx
		push	edx
		sbb	eax, eax
		push	eax
		push	ecx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	ebx, [ebp+var_10]
		lea	ecx, ds:0[edi*8]
		add	[ebp+var_18], edi
		sub	ebx, ecx
		mov	esi, [ebp+var_6C]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_30], edx
		mov	[ebp+var_3C], ebx

loc_54B190:				; CODE XREF: MiResolvePageFileFault+2C8j
					; MiResolvePageFileFault+2DFj ...
		push	[ebp+var_70]
		mov	edi, [ebp+var_18]
		mov	ecx, offset _MiSystemPartition
		mov	edx, edi
		call	MiObtainFaultCharges
		mov	[ebp+var_8], eax
		cmp	edi, eax
		ja	loc_5DCB98

loc_54B1AD:				; CODE XREF: MiResolvePageFileFault+91FA1j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_54B8A6

loc_54B1B8:				; CODE XREF: MiResolvePageFileFault+C39j
					; MiResolvePageFileFault+C5Dj
		mov	ecx, edi
		mov	[ebp+var_28], edi

loc_54B1BD:				; CODE XREF: MiResolvePageFileFault+C63j
		test	ecx, ecx
		jz	loc_54BAF3
		test	eax, eax
		jnz	loc_54B8D8

loc_54B1CD:				; CODE XREF: MiResolvePageFileFault+C6Bj
					; MiResolvePageFileFault+C76j ...
		mov	ecx, [ebp+var_44]
		lea	eax, [ebp+var_28]
		push	eax
		push	0FFFFFFFFh
		push	[ebp+var_50]
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		mov	edx, [ebp+var_48]
		mov	ecx, offset _MiSystemPartition
		push	eax
		push	esi
		call	_MiGetPageChain@28 ; MiGetPageChain(x,x,x,x,x,x,x)
		mov	esi, [ebp+var_28]
		mov	edi, eax
		mov	[ebp+var_20], eax

loc_54B1F5:				; CODE XREF: MiResolvePageFileFault+92071j
		test	edi, edi
		jz	loc_54BAF3
		cmp	esi, [ebp+var_18]
		jnz	loc_54BA43

loc_54B206:				; CODE XREF: MiResolvePageFileFault+DDEj
		mov	esi, [ebp+var_40]
		mov	[ebp+var_34], 0
		mov	[ebp+var_2C], 0
		mov	eax, [esi+78h]
		shr	eax, 9
		mov	[ebp+var_5C], eax
		lea	eax, [esi+0A8h]
		mov	[ebp+var_50], eax
		lea	eax, [esi+0C4h]
		mov	[ebp+var_14], eax
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_C]

loc_54B238:				; CODE XREF: MiResolvePageFileFault+778j
		mov	edx, [ebx]
		nop
		mov	ecx, [ebx+4]
		mov	[ebp+var_44], ecx
		test	al, 10h
		jnz	loc_54B30B
		mov	ecx, edx
		and	ecx, 0C01h
		or	ecx, 0
		jnz	loc_54BA1E
		mov	ecx, [ebp+var_44]
		mov	edi, ecx
		mov	ebx, dword_6D0700
		mov	esi, dword_6D0704
		mov	[ebp+var_38], ecx
		mov	ecx, ebx
		or	ecx, esi
		mov	[ebp+var_48], esi
		jz	short loc_54B28C
		mov	ecx, edx
		and	ecx, 10h
		or	ecx, 0
		jnz	loc_54B3F2
		not	esi
		and	esi, edi
		mov	[ebp+var_38], esi

loc_54B28C:				; CODE XREF: MiResolvePageFileFault+605j
					; MiResolvePageFileFault+785j
		mov	esi, [ebp+var_30]
		mov	ecx, ebx
		or	ecx, [ebp+var_48]
		mov	ebx, [ebp+var_1C]
		jz	loc_5DCCE6
		mov	ecx, ebx
		and	ecx, 10h
		or	ecx, 0
		mov	ecx, esi
		jnz	loc_54B3FA
		mov	esi, [ebp+var_48]
		not	esi
		and	esi, ecx

loc_54B2B4:				; CODE XREF: MiResolvePageFileFault+78Cj
					; MiResolvePageFileFault+92079j
		xor	esi, [ebp+var_38]
		mov	[ebp+var_54], ecx
		xor	ecx, ecx
		or	ecx, esi
		jnz	loc_5DCCF6
		mov	ecx, edx
		shrd	ecx, edi, 2
		test	cl, 1
		jz	loc_5DCCF6
		mov	ecx, ebx
		xor	ecx, edx
		and	ecx, 0F000h
		or	ecx, 0
		jnz	loc_5DCCF6
		push	[ebp+var_44]
		mov	ecx, offset _MiSystemPartition
		push	edx
		call	_MiIsPteInStore@16 ; MiIsPteInStore(x,x,x,x)
		mov	ecx, [ebp+var_C]
		mov	ebx, [ebp+var_3C]
		and	ecx, 1
		mov	edi, [ebp+var_20]
		cmp	eax, ecx
		jnz	loc_5DCCEE
		mov	esi, [ebp+var_40]

loc_54B30B:				; CODE XREF: MiResolvePageFileFault+5D3j
		inc	[ebp+var_2C]
		mov	ecx, edi
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	edx, [ebp+var_28]
		mov	[edx], eax
		cmp	ebx, [ebp+var_10]
		jz	loc_54B401
		mov	edx, [esi+78h]
		shr	edx, 0Ch

loc_54B33D:				; CODE XREF: MiResolvePageFileFault+794j
		and	edx, 7
		mov	ecx, edi
		call	MiLockSetPfnPriority
		mov	esi, [edi+10h]
		xor	edx, edx
		push	0
		mov	ecx, edi
		and	esi, offset loc_7FFFFF
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		cmp	esi, offset loc_7FFFFF
		jz	loc_54B5FB
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		lea	edi, [eax+ecx*4]

loc_54B378:				; CODE XREF: MiResolvePageFileFault+98Dj
		mov	[ebp+var_20], edi

loc_54B37B:				; CODE XREF: MiResolvePageFileFault+DC7j
		add	[ebp+var_28], 4
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_54B602

loc_54B38A:				; CODE XREF: MiResolvePageFileFault+999j
		mov	edx, dword_6D0700
		add	ebx, 8
		mov	esi, dword_6D0704
		mov	eax, edx
		or	eax, esi
		mov	ecx, [ebp+var_30]
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_48], ecx
		jz	short loc_54B3BC
		mov	ecx, [ebp+var_1C]
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_54B3ED
		mov	ecx, esi
		not	ecx
		and	ecx, [ebp+var_48]

loc_54B3BC:				; CODE XREF: MiResolvePageFileFault+736j
					; MiResolvePageFileFault+780j
		push	[ebp+var_30]
		mov	esi, [ebp+var_1C]
		xor	eax, eax
		add	ecx, 1
		push	esi
		adc	eax, eax
		push	eax
		push	ecx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		inc	[ebp+var_34]
		mov	esi, [ebp+var_18]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_30], edx

loc_54B3E0:				; CODE XREF: MiResolvePageFileFault+92104j
		cmp	[ebp+var_34], esi
		jnb	short loc_54B409
		mov	esi, [ebp+var_40]
		jmp	loc_54B238
; 

loc_54B3ED:				; CODE XREF: MiResolvePageFileFault+743j
		mov	ecx, [ebp+var_48]
		jmp	short loc_54B3BC
; 

loc_54B3F2:				; CODE XREF: MiResolvePageFileFault+60Fj
		mov	[ebp+var_38], edi
		jmp	loc_54B28C
; 

loc_54B3FA:				; CODE XREF: MiResolvePageFileFault+637j
		mov	esi, ecx
		jmp	loc_54B2B4
; 

loc_54B401:				; CODE XREF: MiResolvePageFileFault+6C1j
		mov	edx, [ebp+var_5C]
		jmp	loc_54B33D
; 

loc_54B409:				; CODE XREF: MiResolvePageFileFault+773j
		mov	edx, [ebp+var_10]

loc_54B40C:				; CODE XREF: MiResolvePageFileFault+9210Fj
		mov	eax, [ebp+var_14]
		mov	ecx, esi
		neg	ecx
		lea	ebx, [ebx+ecx*8]
		mov	ecx, edx
		mov	dl, [ebp+var_1]
		sub	ecx, ebx
		sar	ecx, 3
		shr	dl, 4
		and	dl, 1
		mov	[ebp+var_38], ebx
		movzx	edi, dl
		mov	ecx, [eax+ecx*4]
		mov	eax, [ebp+var_50]
		mov	[ebp+var_44], ecx
		mov	ecx, ebx
		shl	ecx, 9
		neg	edi
		mov	[ebp+var_2], dl
		sbb	edi, edi
		shl	esi, 0Ch
		not	edi
		and	edi, ecx
		mov	ecx, [ebp+var_50]
		mov	edx, edi
		and	edi, 0FFFFF000h
		and	edx, 0FFFh
		mov	dword ptr [ecx], 0
		lea	ecx, [edx+0FFFh]
		add	ecx, esi
		shr	ecx, 0Ch
		lea	ecx, ds:1Ch[ecx*4]
		mov	[eax+4], cx
		mov	ecx, eax
		mov	eax, 42h
		mov	[ecx+6], ax
		mov	eax, [ebp+var_C]
		mov	[ecx+10h], edi
		mov	[ecx+18h], edx
		mov	[ecx+14h], esi
		test	al, 2
		jnz	loc_54BA53
		mov	eax, 4042h
		mov	[ecx+6], ax
		mov	ecx, [ebp+var_18]

loc_54B4A0:				; CODE XREF: MiResolvePageFileFault+DF9j
		mov	edi, [ebx]
		nop
		mov	eax, [ebx+4]
		mov	ebx, [ebp+var_40]
		mov	[ebp+var_14], eax
		mov	[ebp+var_80], edi
		mov	[ebp+var_7C], eax
		cmp	ecx, 1
		jnz	loc_54B60E
		mov	eax, [ebx+78h]
		mov	dl, [ebp+var_1]
		shr	eax, 9
		and	dl, 0F8h
		and	al, 7
		or	dl, al
		or	dl, 8
		mov	[ebp+var_1], dl
		mov	byte ptr [ebp+var_64], dl
		mov	[ebp+var_2], dl

loc_54B4D7:				; CODE XREF: MiResolvePageFileFault+9ACj
		push	[ebp+var_64]
		mov	esi, [ebp+var_38]
		lea	edx, [ebx+0C4h]
		push	ebx
		push	esi
		push	ecx
		mov	ecx, [ebp+var_4C]
		call	_MiInitializeReadInProgressPfn@24 ; MiInitializeReadInProgressPfn(x,x,x,x,x,x)
		test	byte ptr [ebp+var_C], 10h
		jnz	loc_54BC1F

loc_54B4F8:				; CODE XREF: MiResolvePageFileFault+101Cj
		test	[ebp+var_2], 10h
		jnz	loc_54B6F5

loc_54B502:				; CODE XREF: MiResolvePageFileFault+A8Fj
		mov	edx, [ebp+var_10]
		mov	eax, [edx]
		nop
		mov	ecx, [edx+4]
		mov	[ebx+64h], ecx
		mov	ecx, [ebp+var_24]
		mov	[ebx+60h], eax
		mov	[ebx+8Ch], edx
		test	ecx, ecx
		jnz	loc_54B8F1

loc_54B522:				; CODE XREF: MiResolvePageFileFault+C84j
					; MiResolvePageFileFault+C9Aj ...
		mov	ecx, [ebp+var_84]
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 2
		jl	loc_54B91B

loc_54B536:				; CODE XREF: MiResolvePageFileFault+CB2j
		mov	eax, [ebp+var_68]
		test	eax, eax
		jnz	loc_54B67E

loc_54B541:				; CODE XREF: MiResolvePageFileFault+A1Fj
					; MiResolvePageFileFault+92139j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_54B704

loc_54B54C:				; CODE XREF: MiResolvePageFileFault+A9Dj
		mov	ecx, [ebp+var_20]
		call	_MiFreePageChain@4 ; MiFreePageChain(x)
		mov	eax, [ebp+var_2C]
		mov	ecx, [ebp+var_8]
		cmp	eax, ecx
		jnz	loc_54B9E1

loc_54B562:				; CODE XREF: MiResolvePageFileFault+D8Ej
					; MiResolvePageFileFault+DA1j
		mov	eax, [ebp+arg_4]
		lea	ecx, [ebp+var_80]
		mov	[eax], ebx
		mov	eax, [ebp+var_14]
		shrd	edi, eax, 0Ch
		and	edi, 0Fh
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	[ebp+var_1], 10h
		mov	ecx, eax
		mov	edx, dword_6D5D94[edi*4]
		jnz	loc_54B712

loc_54B58C:				; CODE XREF: MiResolvePageFileFault+AA8j
		test	byte ptr [ebp+var_C], 1
		jz	loc_54B970
		and	ecx, 0FFFFFFFh
		shl	edi, 1Ch
		or	ecx, edi
		mov	dword ptr [ebx+3Ch], 0
		or	dword ptr [ebx+78h], 100h

loc_54B5AF:				; CODE XREF: MiResolvePageFileFault+D0Cj
		mov	eax, [ebx+78h]
		or	eax, 200000h
		mov	[ebx+38h], ecx
		mov	[ebx+7Ch], edx
		mov	[ebx+78h], eax
		cmp	dword ptr [edx+80h], 0
		jnz	loc_54B981

loc_54B5CD:				; CODE XREF: MiResolvePageFileFault+D32j
					; MiResolvePageFileFault+EDFj
		mov	eax, [ebp+var_44]
		mov	[ebx+90h], esi
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		mov	[ebx+94h], eax
		mov	eax, 0C0033333h

loc_54B5F2:				; CODE XREF: MiResolvePageFileFault+91E5Cj
					; MiResolvePageFileFault+91EB8j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_54B5FB:				; CODE XREF: MiResolvePageFileFault+6F1j
		xor	edi, edi
		jmp	loc_54B378
; 

loc_54B602:				; CODE XREF: MiResolvePageFileFault+714j
		mov	ecx, eax
		call	_MiAdvanceFaultList@4 ;	MiAdvanceFaultList(x)
		jmp	loc_54B38A
; 

loc_54B60E:				; CODE XREF: MiResolvePageFileFault+845j
		mov	al, [ebp+var_1]
		and	al, 0DFh
		mov	[ebp+var_1], al
		mov	byte ptr [ebp+var_64], al
		mov	[ebp+var_2], al
		jmp	loc_54B4D7
; 

loc_54B621:				; CODE XREF: MiResolvePageFileFault+311j
					; MiResolvePageFileFault+31Bj
		xor	eax, eax
		mov	[ebp+var_2C], eax
		test	edi, edi
		jnz	loc_54AF91
		jmp	loc_54B190
; 

loc_54B633:				; CODE XREF: MiResolvePageFileFault+C4j
		shr	ecx, 15h
		movzx	ecx, byte ptr dword_6D3994[ecx]
		mov	[ebp+var_14], ecx
		jmp	loc_54AD41
; 

loc_54B645:				; CODE XREF: MiResolvePageFileFault+1A2j
		mov	ecx, [ebp+var_2C]
		jmp	loc_54AE30
; 

loc_54B64D:				; CODE XREF: MiResolvePageFileFault+253j
		test	[ebp+var_1], 10h
		mov	ecx, 1
		mov	[ebp+var_8], ecx
		jnz	loc_54AEC9
		cmp	edx, 0C0000000h
		jnb	loc_54B927

loc_54B66B:				; CODE XREF: MiResolvePageFileFault+CBDj
		or	eax, 4
		mov	ecx, 10h
		mov	[ebp+var_C], eax

loc_54B676:				; CODE XREF: MiResolvePageFileFault+91ED5j
		mov	[ebp+var_8], ecx
		jmp	loc_54AEC9
; 

loc_54B67E:				; CODE XREF: MiResolvePageFileFault+8CBj
		mov	eax, [eax+1Ch]
		shr	eax, 12h
		and	eax, 3
		cmp	ds:_MiVadPageSizes[eax*4], 10h
		jnz	loc_54B541
		jmp	loc_5DCDA2
; 

loc_54B69A:				; CODE XREF: MiResolvePageFileFault+145j
		mov	eax, [ebp+var_4C]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_1], 10h
		mov	ecx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		push	eax
		push	ecx
		call	_MI_PROTO_FORMAT_COMBINED@8 ; MI_PROTO_FORMAT_COMBINED(x,x)
		test	al, al
		jnz	loc_5DCB2D
		mov	al, [ebp+var_1]

loc_54B6C8:				; CODE XREF: MiResolvePageFileFault+91EC2j
		test	al, 20h
		jnz	loc_54B9B6
		mov	eax, [ebp+var_2C]
		cmp	dword ptr [eax+148h], 0
		jnz	loc_54B9B6

loc_54B6E0:				; CODE XREF: MiResolvePageFileFault+D4Ej
		mov	ecx, [ebp+var_20]
		nop
		mov	eax, esi
		shrd	ecx, eax, 5
		shr	eax, 5
		mov	[ebp+var_5C], eax
		jmp	loc_54ADD0
; 

loc_54B6F5:				; CODE XREF: MiResolvePageFileFault+88Cj
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	_MiObtainProtoReference@8 ; MiObtainProtoReference(x,x)
		jmp	loc_54B502
; 

loc_54B704:				; CODE XREF: MiResolvePageFileFault+8D6j
		mov	dl, 21h
		mov	ecx, eax
		call	MiUnlockProtoPoolPage
		jmp	loc_54B54C
; 

loc_54B712:				; CODE XREF: MiResolvePageFileFault+916j
		mov	eax, [ebp+arg_0]
		mov	[ebx+5Ch], eax
		jmp	loc_54B58C
; 

loc_54B71D:				; CODE XREF: MiResolvePageFileFault+304j
		mov	eax, [ebp+var_68]
		mov	edi, [ebp+var_4C]
		test	eax, eax
		jnz	short loc_54B739
		mov	ecx, edi
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	[ebp+var_68], eax
		test	eax, eax
		jz	loc_5DCB75

loc_54B739:				; CODE XREF: MiResolvePageFileFault+AB5j
		test	dword ptr [eax+1Ch], 100000h
		jnz	loc_5DCB75
		lea	ecx, [ebp+var_74]
		mov	edx, edi
		push	ecx
		push	4
		shr	edx, 0Ch
		mov	ecx, eax
		call	MiGetProtoPteAddress
		mov	eax, [ebp+var_74]
		test	eax, eax
		jz	loc_5DCB75
		test	byte ptr [eax+12h], 2
		jnz	loc_5DCB75
		mov	ecx, [eax+1Ch]
		mov	edx, [eax+4]
		mov	edi, [ebp+var_28]
		shl	ecx, 3
		sub	ecx, ebx
		add	ecx, edx
		sar	ecx, 3
		dec	ecx
		cmp	ecx, edi
		jb	loc_54BA3C

loc_54B789:				; CODE XREF: MiResolvePageFileFault+DCEj
		mov	ecx, ebx
		sub	ecx, edx
		mov	edx, ebx
		sar	ecx, 3
		cmp	ecx, [ebp+var_2C]
		jnb	loc_54AF7A
		mov	[ebp+var_2C], ecx
		jmp	loc_54AF7A
; 

loc_54B7A3:				; CODE XREF: MiResolvePageFileFault+1BAj
					; MiResolvePageFileFault+1E1j ...
		mov	ecx, [ebp+var_4C]
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	[ebp+var_68], eax
		test	eax, eax
		jz	loc_54AE64

loc_54B7B6:				; CODE XREF: MiResolvePageFileFault+186j
		mov	ecx, [eax+20h]
		and	ecx, 7FFFFFFFh
		cmp	ecx, 0FFFFEh
		jnz	loc_54AE64
		or	[ebp+var_1], 80h
		mov	[ebp+var_70], 7
		jmp	loc_54AE64
; 

loc_54B7DB:				; CODE XREF: MiResolvePageFileFault+A1j
		cmp	byte ptr [ecx],	5
		jnz	loc_54AD17
		jmp	loc_5DCAD1
; 

loc_54B7E9:				; CODE XREF: MiResolvePageFileFault+A9j
		mov	bl, [ecx]
		mov	[ebp+var_2], bl
		cmp	bl, 2
		mov	ebx, [ebp+var_20]
		jz	loc_54BA16
		cmp	[ebp+var_2], 1
		jnz	loc_54AD1F
		or	edx, 0
		mov	[ebp+var_24], ecx
		jnz	loc_5DCB26
		lea	ecx, [ebp+var_80]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jz	loc_5DCB26
		mov	eax, [ebp+var_C]
		xor	edx, edx
		or	eax, 20h
		mov	[ebp+var_40], edx
		mov	[ebp+var_C], eax
		jmp	loc_54AD24
; 

loc_54B833:				; CODE XREF: MiResolvePageFileFault+D3j
		mov	ecx, [ebp+var_64]
		cmp	byte ptr [ecx],	4
		jnz	loc_54AD49
		mov	esi, [ebp+var_34]
		or	edx, 8
		mov	[ebp+var_50], 8
		mov	[ebp+var_24], ecx
		mov	[ebp+var_40], edx
		jmp	loc_54AD6D
; 

loc_54B857:				; CODE XREF: MiResolvePageFileFault+244j
		mov	cl, [ebp+var_1]
		shr	cl, 4
		and	cl, 1
		mov	[ebp+var_2], cl
		jnz	loc_54BADC

loc_54B869:				; CODE XREF: MiResolvePageFileFault+E70j
					; MiResolvePageFileFault+91EEEj
		test	cl, cl
		jnz	loc_54BAEB
		xor	ecx, ecx

loc_54B873:				; CODE XREF: MiResolvePageFileFault+E7Ej
		and	eax, 1
		push	eax
		push	ecx
		mov	ecx, offset _MiSystemPartition
		call	_MiComputeFaultCluster@16 ; MiComputeFaultCluster(x,x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_8], ecx
		jmp	loc_54AEC9
; 

loc_54B88F:				; CODE XREF: MiResolvePageFileFault+2BEj
		cmp	byte ptr [eax],	1
		jnz	loc_54AF34
		mov	edx, ecx
		mov	ecx, eax
		call	_MiSetInPagePrefetchPriority@8 ; MiSetInPagePrefetchPriority(x,x)
		jmp	loc_54AF34
; 

loc_54B8A6:				; CODE XREF: MiResolvePageFileFault+542j
		cmp	byte ptr [eax],	1
		jnz	loc_54B1B8
		mov	edx, [eax+28h]
		mov	ecx, offset _MiSystemPartition
		shr	edx, 3
		and	edx, 7
		inc	edx
		call	_MiGetAvailablePagesBelowPriority@8 ; MiGetAvailablePagesBelowPriority(x,x)
		mov	[ebp+var_28], eax
		mov	ecx, eax
		cmp	eax, edi
		mov	eax, [ebp+var_24]
		ja	loc_54B1B8
		jmp	loc_54B1BD
; 

loc_54B8D8:				; CODE XREF: MiResolvePageFileFault+557j
		cmp	byte ptr [eax],	1
		jnz	loc_54B1CD
		mov	ecx, [eax+2Ch]
		test	ecx, ecx
		jz	loc_54B1CD
		jmp	loc_5DCC16
; 

loc_54B8F1:				; CODE XREF: MiResolvePageFileFault+8ACj
		cmp	byte ptr [ecx],	1
		jnz	loc_54B522
		mov	eax, [ebx+78h]
		or	eax, 8
		mov	[ebx+78h], eax
		test	dword ptr [ecx+28h], 2000h
		jz	loc_54B522
		or	eax, 20h
		mov	[ebx+78h], eax
		jmp	loc_54B522
; 

loc_54B91B:				; CODE XREF: MiResolvePageFileFault+8C0j
		or	dword ptr [ebx+78h], 80h
		jmp	loc_54B536
; 

loc_54B927:				; CODE XREF: MiResolvePageFileFault+9F5j
		cmp	edx, 0C07FFFFFh
		ja	loc_54B66B
		jmp	loc_54AEC9
; 

loc_54B938:				; CODE XREF: MiResolvePageFileFault+100j
		test	dword ptr [ecx+28h], 200h
		jz	loc_54AD76
		push	esi
		push	ebx
		mov	ecx, offset _MiSystemPartition
		call	_MiIsPteInStore@16 ; MiIsPteInStore(x,x,x,x)
		test	eax, eax
		jz	loc_54AD76
		jmp	loc_5DCB18
; 

loc_54B95E:				; CODE XREF: MiResolvePageFileFault+3D0j
		test	byte ptr [ebp+var_C], 8
		jnz	loc_54B06A
		mov	eax, [ebp+var_74]
		jmp	loc_54B05A
; 

loc_54B970:				; CODE XREF: MiResolvePageFileFault+920j
		xor	eax, eax
		shld	eax, ecx, 0Ch
		shl	ecx, 0Ch
		mov	[ebx+3Ch], eax
		jmp	loc_54B5AF
; 

loc_54B981:				; CODE XREF: MiResolvePageFileFault+957j
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jz	short loc_54B99A
		cmp	byte ptr [ecx],	1
		jnz	short loc_54B99A
		test	dword ptr [ecx+28h], 1000h
		jnz	loc_54BB48

loc_54B99A:				; CODE XREF: MiResolvePageFileFault+D16j
					; MiResolvePageFileFault+D1Bj ...
		or	eax, 400000h
		mov	[ebx+78h], eax
		jmp	loc_54B5CD
; 

loc_54B9A7:				; CODE XREF: MiResolvePageFileFault+375j
		cmp	[ebp+var_24], 0
		jnz	loc_54AFEB
		jmp	loc_54AFEF
; 

loc_54B9B6:				; CODE XREF: MiResolvePageFileFault+A5Aj
					; MiResolvePageFileFault+A6Aj
		mov	eax, 1
		mov	[ebp+var_8], eax
		jmp	loc_54B6E0
; 

loc_54B9C3:				; CODE XREF: MiResolvePageFileFault+F4j
		mov	[ebp+var_50], 8
		jmp	loc_54AD6A
; 

loc_54B9CF:				; CODE XREF: MiResolvePageFileFault+493j
		test	byte ptr [ebp+var_C], 8
		jnz	loc_54B130

loc_54B9D9:				; CODE XREF: MiResolvePageFileFault+4BAj
		mov	eax, [ebp+var_8]
		jmp	loc_54B11F
; 

loc_54B9E1:				; CODE XREF: MiResolvePageFileFault+8ECj
		sub	ecx, eax
		mov	[ebp+var_8], ecx
		mov	edx, ecx
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	loc_5DCDAE

loc_54B9FA:				; CODE XREF: MiResolvePageFileFault+92147j
		test	byte ptr [ebp+var_70], 1
		jz	loc_54B562
		mov	edx, [ebp+var_8]
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		jmp	loc_54B562
; 

loc_54BA16:				; CODE XREF: MiResolvePageFileFault+B84j
		mov	[ebp+var_24], ecx
		jmp	loc_54AD1F
; 

loc_54BA1E:				; CODE XREF: MiResolvePageFileFault+5E4j
					; MiResolvePageFileFault+92081j ...
		test	al, 8
		jnz	loc_5DCD01
		mov	edx, [ebp+var_28]
		or	eax, 2
		mov	ecx, dword_6D34EC
		mov	[ebp+var_C], eax
		mov	[edx], ecx
		jmp	loc_54B37B
; 

loc_54BA3C:				; CODE XREF: MiResolvePageFileFault+B13j
		mov	edi, ecx
		jmp	loc_54B789
; 

loc_54BA43:				; CODE XREF: MiResolvePageFileFault+590j
		lea	eax, [ebx+esi*8]
		cmp	eax, [ebp+var_10]
		jbe	short loc_54BA6E

loc_54BA4B:				; CODE XREF: MiResolvePageFileFault+E67j
		mov	[ebp+var_18], esi
		jmp	loc_54B206
; 

loc_54BA53:				; CODE XREF: MiResolvePageFileFault+81Ej
		call	_MiReduceMdl@4	; MiReduceMdl(x)
		test	eax, eax
		jnz	loc_5DCD84

loc_54BA60:				; CODE XREF: MiResolvePageFileFault+9211Ej
					; MiResolvePageFileFault+9212Dj
		mov	eax, [ebp+var_50]
		mov	ecx, [eax+14h]
		shr	ecx, 0Ch
		jmp	loc_54B4A0
; 

loc_54BA6E:				; CODE XREF: MiResolvePageFileFault+DD9j
		mov	ecx, dword_6D0704
		mov	eax, dword_6D0700
		mov	edx, [ebp+var_30]
		or	eax, ecx
		mov	[ebp+var_44], ecx
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_48], edx
		jz	short loc_54BA9B
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_54BA9B
		mov	edx, [ebp+var_44]
		not	edx
		and	edx, [ebp+var_48]

loc_54BA9B:				; CODE XREF: MiResolvePageFileFault+E17j
					; MiResolvePageFileFault+E21j
		mov	eax, [ebp+var_18]
		sub	eax, esi
		mov	[ebp+var_18], eax
		lea	eax, [ebx+eax*8]
		cmp	eax, [ebp+var_10]
		jbe	short loc_54BAB8
		mov	eax, [ebp+var_10]
		mov	[ebp+var_18], eax
		sub	[ebp+var_18], ebx
		sar	[ebp+var_18], 3

loc_54BAB8:				; CODE XREF: MiResolvePageFileFault+E39j
		push	[ebp+var_30]
		mov	ebx, eax
		xor	eax, eax
		push	ecx
		mov	ecx, [ebp+var_18]
		add	ecx, edx
		mov	[ebp+var_3C], ebx
		adc	eax, eax
		push	eax
		push	ecx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	[ebp+var_1C], eax
		mov	[ebp+var_30], edx
		jmp	loc_54BA4B
; 

loc_54BADC:				; CODE XREF: MiResolvePageFileFault+BF3j
		cmp	[ebp+var_68], 0
		jnz	loc_54B869
		jmp	loc_5DCB4A
; 

loc_54BAEB:				; CODE XREF: MiResolvePageFileFault+BFBj
		mov	ecx, [ebp+var_68]
		jmp	loc_54B873
; 

loc_54BAF3:				; CODE XREF: MiResolvePageFileFault+54Fj
					; MiResolvePageFileFault+587j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_54BCAC

loc_54BAFE:				; CODE XREF: MiResolvePageFileFault+1045j
		mov	ecx, [ebp+var_40]
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_54BB11
		mov	byte ptr [eax+1], 2

loc_54BB11:				; CODE XREF: MiResolvePageFileFault+E9Bj
		mov	ebx, [ebp+var_8]
		mov	ecx, offset _MiSystemPartition
		mov	edx, ebx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	loc_5DCDBC

loc_54BB28:				; CODE XREF: MiResolvePageFileFault+92155j
		test	byte ptr [ebp+var_70], 1
		jz	short loc_54BB3A
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit

loc_54BB3A:				; CODE XREF: MiResolvePageFileFault+EBCj
					; MiResolvePageFileFault+91E96j ...
		pop	edi
		pop	esi
		mov	eax, 0C0000017h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_54BB48:				; CODE XREF: MiResolvePageFileFault+D24j
		test	byte ptr ds:dword_7051B8, 1
		jz	loc_54B5CD
		jmp	loc_54B99A
; 

loc_54BB5A:				; CODE XREF: MiResolvePageFileFault+2B3j
		mov	edi, [ebp+var_38]
		mov	dl, [edi+16h]
		mov	al, dl
		and	al, 28h
		cmp	al, 28h
		jz	loc_5DCDCA
		test	dl, 20h
		jz	loc_5DCDCA
		mov	eax, [ebp+var_1C]
		cmp	eax, [edi+8]
		jnz	loc_5DCDCA
		mov	eax, [ebp+var_30]
		cmp	eax, [edi+0Ch]
		jnz	loc_5DCDCA
		mov	eax, [edi]
		test	byte ptr [eax+68h], 20h
		jz	loc_54AF29
		jmp	loc_5DCDCA
; 

loc_54BB9E:				; CODE XREF: MiResolvePageFileFault+76j
		mov	eax, dword_6D0700
		mov	ecx, ebx
		mov	ebx, dword_6D0704
		mov	[ebp+var_44], eax
		or	eax, ebx
		mov	[ebp+var_6C], ebx
		mov	ebx, [ebp+var_20]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_38], esi
		jz	short loc_54BBD8
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_54BBD8
		mov	ecx, [ebp+var_44]
		mov	esi, [ebp+var_6C]
		not	ecx
		and	ecx, [ebp+var_14]
		not	esi
		and	esi, [ebp+var_38]

loc_54BBD8:				; CODE XREF: MiResolvePageFileFault+F4Cj
					; MiResolvePageFileFault+F56j
		mov	eax, ds:_MmPfnDatabase
		shrd	ecx, esi, 0Ch
		and	ecx, 3FFFFFFh
		mov	[ebp+var_44], ecx
		shl	ecx, 3
		sub	ecx, [ebp+var_44]
		lea	ecx, [eax+ecx*4]
		mov	eax, [ecx+8]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_30], eax
		mov	eax, 10h
		mov	[ebp+var_38], ecx
		mov	[ebp+var_C], eax
		jmp	loc_54ACF5
; 

loc_54BC0F:				; CODE XREF: MiResolvePageFileFault+206j
		mov	eax, 1
		or	[ebp+var_70], eax
		mov	[ebp+var_8], eax
		jmp	loc_54AE7C
; 

loc_54BC1F:				; CODE XREF: MiResolvePageFileFault+882j
		mov	eax, dword_6D0700
		mov	edx, edi
		mov	ebx, dword_6D0704
		mov	ecx, [ebp+var_14]
		mov	esi, ecx
		mov	[ebp+var_5C], eax
		or	eax, ebx
		mov	[ebp+var_48], ebx
		mov	ebx, [ebp+var_40]
		jz	short loc_54BC56
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_54BCBA
		mov	edi, [ebp+var_5C]
		mov	ecx, [ebp+var_48]
		not	edi
		not	ecx
		and	edi, edx
		and	ecx, esi

loc_54BC56:				; CODE XREF: MiResolvePageFileFault+FCCj
					; MiResolvePageFileFault+104Cj
		mov	eax, ds:_MmPfnDatabase
		shrd	edi, ecx, 0Ch
		and	edi, 3FFFFFFh
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		lea	esi, [eax+ecx*4]
		mov	ecx, ebx
		mov	edx, esi
		call	_MiFlowThroughInsertNode@8 ; MiFlowThroughInsertNode(x,x)
		mov	ecx, [esi+0Ch]
		mov	edi, [esi+8]
		mov	esi, [ebp+var_38]
		mov	[ebp+var_80], edi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_7C], ecx
		jmp	loc_54B4F8
; 

loc_54BC91:				; CODE XREF: MiResolvePageFileFault+EAj
		mov	ecx, [ebp+var_4C]
		mov	[ebp+var_50], 8
		call	_MiKernelStackVaToStackNode@4 ;	MiKernelStackVaToStackNode(x)
		or	[ebp+var_40], 8
		mov	eax, [ebp+var_C]
		jmp	loc_54AD6A
; 

loc_54BCAC:				; CODE XREF: MiResolvePageFileFault+E88j
		mov	dl, 21h
		mov	ecx, eax
		call	MiUnlockProtoPoolPage
		jmp	loc_54BAFE
; 

loc_54BCBA:				; CODE XREF: MiResolvePageFileFault+FD6j
		mov	edi, edx
		jmp	short loc_54BC56
MiResolvePageFileFault endp


;  S U B	R O U T	I N E 


; __stdcall MiFreePageChain(x)
_MiFreePageChain@4 proc	near		; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+B15p
					; MiResolvePageFileFault+8DFp ...
		test	ecx, ecx
		jnz	short loc_54BCC3
		retn
; 

loc_54BCC3:				; CODE XREF: MiFreePageChain(x)+2j
		push	edi
		mov	edi, offset loc_7FFFFF
		push	esi

loc_54BCCA:				; CODE XREF: MiFreePageChain(x)+23j
		mov	esi, [ecx+10h]
		and	esi, edi
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		cmp	esi, edi
		jz	short loc_54BCE3
		imul	ecx, esi, 1Ch
		add	ecx, ds:_MmPfnDatabase
		jnz	short loc_54BCCA

loc_54BCE3:				; CODE XREF: MiFreePageChain(x)+18j
		pop	esi
		pop	edi
		retn
_MiFreePageChain@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiResetAccessBitsTail proc near		; CODE XREF: .text:00547F2Bp
					; DATA XREF: MiCaptureAndResetWorkingSetAccessBits+77o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DCE04 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, [edi+48h]

loc_54BCF4:				; CODE XREF: MiResetAccessBitsTail+91147j
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_54BD00
		call	MiFlushTbList

loc_54BD00:				; CODE XREF: MiResetAccessBitsTail+13j
		mov	edx, [esi+8]
		test	edx, edx
		jnz	loc_5DCE04

loc_54BD0B:				; CODE XREF: MiResetAccessBitsTail+91121j
					; MiResetAccessBitsTail+91131j
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
MiResetAccessBitsTail endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmPageRead proc near	; CODE XREF: MiIssueHardFaultIo+DBp
					; MiMakeOutswappedPageResident(x,x,x,x,x)+5B9p	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DCE32 SIZE 000000A7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	ecx, edx
		xor	edx, edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		test	bl, 3
		jnz	loc_54BE8D

loc_54BD3B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+189j
		mov	esi, [ebp+arg_8]
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_0], esi
		mov	[esi+4], edx
		mov	edx, ecx
		mov	[esi], eax
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		mov	eax, [ebx+14h]
		shr	eax, 0Ch
		mov	[ebp+var_10], eax
		mov	[ebp+arg_4], eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+arg_4]
		push	eax
		call	SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore
		mov	edi, eax
		test	edi, edi
		js	loc_5DCE4B
		mov	eax, [ebp+arg_4]
		mov	edi, [ebp+var_8]
		mov	[esi+4], eax
		mov	eax, [ebp+var_4]
		cmp	eax, 2
		jnb	loc_5DCE32

loc_54BD8C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+91125j
		test	byte ptr ds:dword_718424, 10h
		jz	short loc_54BDC0
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		push	0
		call	SmAcquireReleaseResAvailForRead
		mov	ecx, eax
		mov	eax, [ebp+var_4]
		and	ecx, 1
		shl	ecx, 3
		or	eax, ecx
		mov	[ebp+var_4], eax
		cmp	eax, 8
		jb	loc_5DCE46
		or	eax, 4
		mov	[ebp+var_4], eax

loc_54BDC0:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+7Fj
		test	al, 1
		jnz	loc_54BEA2

loc_54BDC8:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+91146j
		mov	eax, ds:dword_718424
		xor	edx, edx
		and	eax, 1
		inc	edx
		push	eax
		push	0
		push	esi
		mov	ecx, offset unk_71836C
		call	SmFpAllocate
		mov	esi, eax
		test	esi, esi
		jz	loc_5DCE5F

loc_54BDEB:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+19Cj
					; SMKM_STORE_MGR_SM_TRAITS___SmPageRead+1B7j
		xor	eax, eax
		mov	edi, esi
		test	byte ptr [ebp+var_C], 1
		push	8
		pop	ecx
		rep stosd
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+arg_8]
		mov	dword ptr [esi], 2
		mov	[esi+8], ebx
		mov	eax, [eax]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+4], al
		mov	[esi+18h], ecx
		jnz	loc_5DCE6C

loc_54BE1B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+9115Fj
		test	byte ptr [ebp+var_4], 1
		jnz	loc_54BED6

loc_54BE25:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+1C9j
		mov	ebx, [ebp+var_8]
		mov	edx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		push	esi
		mov	eax, [ebx+10F0h]
		and	eax, 3FFh
		push	eax
		call	SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork
		test	eax, eax
		js	loc_5DCE78
		xor	eax, eax
		mov	[ebp+var_4], 0FFFFFFFBh
		xor	esi, esi
		mov	[ebp+arg_0], eax
		xor	ebx, ebx
		mov	edi, 103h

loc_54BE5C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+9116Cj
		test	esi, esi
		jnz	loc_5DCE85

loc_54BE64:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+91153j
					; SMKM_STORE_MGR_SM_TRAITS___SmPageRead+9117Ej
		mov	esi, [ebp+arg_8]

loc_54BE67:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+9113Aj
		test	ebx, ebx
		jnz	loc_5DCE97

loc_54BE6F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+911A1j
		test	byte ptr [ebp+var_4], 4
		mov	ebx, [ebp+arg_0]
		jnz	loc_5DCEBA

loc_54BE7C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+911B2j
		test	ebx, ebx
		jnz	loc_5DCECB

loc_54BE84:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+911C0j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_54BE8D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+21j
		mov	eax, ebx
		and	eax, 1
		mov	[ebp+var_4], eax
		test	bl, 2
		jnz	short loc_54BEE2

loc_54BE9A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+1D4j
		and	ebx, 0FFFFFFFCh
		jmp	loc_54BD3B
; 

loc_54BEA2:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+AEj
		mov	ecx, offset unk_7182C0
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_54BDEB
		push	61576D73h
		push	38h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_54BDEB
		jmp	loc_5DCE53
; 

loc_54BED6:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+10Bj
		or	dword ptr [esi+4], 4000000h
		jmp	loc_54BE25
; 

loc_54BEE2:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+184j
		or	eax, 2
		mov	[ebp+var_4], eax
		jmp	short loc_54BE9A
SMKM_STORE_MGR_SM_TRAITS___SmPageRead endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmAcquireReleaseResAvailForRead	proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+138p
					; SMKM_STORE_MGR_SM_TRAITS___SmPageRead+88p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DCED9 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jz	short loc_54BF1F
		cmp	ds:dword_718470, esi
		jz	short loc_54BF3C
		lea	edx, [edi+18h]
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	short loc_54BF31

loc_54BF14:				; CODE XREF: SmAcquireReleaseResAvailForRead+50j
					; SmAcquireReleaseResAvailForRead+5Bj
		xor	ecx, ecx
		inc	ecx

loc_54BF17:				; CODE XREF: SmAcquireReleaseResAvailForRead+40j
					; SmAcquireReleaseResAvailForRead+9100Cj ...
		pop	edi
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	4
; 

loc_54BF1F:				; CODE XREF: SmAcquireReleaseResAvailForRead+Fj
		mov	ecx, edi
		call	_MmStoreChargeResidentAvailableForRead@4 ; MmStoreChargeResidentAvailableForRead(x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_54BF17
		jmp	loc_5DCED9
; 

loc_54BF31:				; CODE XREF: SmAcquireReleaseResAvailForRead+28j
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax
		jmp	short loc_54BF14
; 

loc_54BF3C:				; CODE XREF: SmAcquireReleaseResAvailForRead+17j
		xor	eax, eax
		mov	ecx, offset dword_718470
		xchg	eax, [ecx]
		jmp	short loc_54BF14
SmAcquireReleaseResAvailForRead	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MmStoreChargeResidentAvailableForRead(x)
_MmStoreChargeResidentAvailableForRead@4 proc near ; CODE XREF:	SmFirstTimeInit+3D3p
					; SmAcquireReleaseResAvailForRead+37p
		lea	edx, [ecx+18h]
		mov	ecx, offset _MiSystemPartition
		push	0
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		neg	eax
		sbb	eax, eax
		neg	eax
		retn
_MmStoreChargeResidentAvailableForRead@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore proc	near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+54p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DCF03 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, ecx
		mov	eax, [ebx]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], esi
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_14], esi
		push	eax
		mov	[ebp+var_8], esi
		call	SMKM_STORE_MGR_SM_TRAITS___SmFeReadInitiate
		mov	[ebp+var_4], eax
		cmp	eax, 400h
		jz	short loc_54BFDE
		inc	dword ptr [edi+474h]
		cmp	[ebp+var_14], esi
		ja	loc_5DCF03
		cmp	[ebp+var_18], esi
		ja	loc_5DCF03

loc_54BFB1:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore+90FD4j
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	_SmKmStoreReferenceEx@12 ; SmKmStoreReferenceEx(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_54BFDE
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		cmp	[ebp+var_8], esi
		jnz	short loc_54BFE5

loc_54BFCB:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore+8Dj
		mov	ecx, [ebp+var_C]
		mov	[ebx], ecx
		mov	ecx, [ebp+arg_4]
		mov	[ecx], edx

loc_54BFD5:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore+85j
					; SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore+90FC9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_54BFDE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore+39j
					; SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore+61j
		mov	esi, 0C0000225h
		jmp	short loc_54BFD5
; 

loc_54BFE5:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore+6Bj
		mov	dword ptr [eax], 1
		jmp	short loc_54BFCB
SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmFeReadInitiate proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore+2Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DCF37 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax]
		mov	esi, edx
		mov	[ebp+var_8], eax
		mov	ebx, ecx
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		lea	edi, [ebx+0F0h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		push	[ebp+arg_8]
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	?SmFeCheckPresent@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGKPAU1@PAT_SM_PAGE_KEY@@PAK2@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY	*,ulong	*,ulong	*)
		mov	esi, eax
		cmp	esi, 400h
		jz	short loc_54C06A
		mov	eax, [ebx+464h]
		xor	edx, edx
		test	al, 4
		jnz	short loc_54C051
		mov	ecx, [ebp+arg_8]
		cmp	[ecx], edx
		jnz	short loc_54C09B

loc_54C051:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeReadInitiate+5Aj
		mov	ecx, [ebp+var_4]
		cmp	ecx, [ebp+var_8]
		jnz	loc_5DCF37

loc_54C05D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeReadInitiate+90F51j
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		mov	[eax+4], edx
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_54C06A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeReadInitiate+4Ej
					; SMKM_STORE_MGR_SM_TRAITS___SmFeReadInitiate+B2j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_54C07F
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_54C07F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeReadInitiate+88j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_54C09B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeReadInitiate+61j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeReadInitiate+90F4Bj
		mov	esi, 400h
		jmp	short loc_54C06A
SMKM_STORE_MGR_SM_TRAITS___SmFeReadInitiate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static unsigned long __stdcall SMKM_STORE_MGR<struct SM_TRAITS>::SmFeCheckPresent(struct SMKM_STORE_MGR<struct SM_TRAITS> *, union _SM_PAGE_KEY *, unsigned long *, unsigned long *)
?SmFeCheckPresent@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGKPAU1@PAT_SM_PAGE_KEY@@PAK2@Z proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeReadInitiate+41p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [edx]
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_68], eax
		mov	edi, ecx
		mov	eax, [ebp+arg_4]
		push	58h		; size_t
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_60]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		lea	eax, [ebp+var_48]
		mov	[ebp+var_74], ebx
		mov	[ebp+var_60], eax
		lea	ecx, [edi+0F4h]
		mov	eax, [ebp+var_68]
		lea	edx, [ebp+var_60]
		add	esp, 0Ch
		mov	[ebp+var_70], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		mov	eax, [eax]
		push	esi
		mov	[ebp+var_4C], 1
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], 8
		mov	[ebp+var_78], eax
		mov	[ebp+var_64], 400h
		mov	[ebp+var_6C], ebx
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		lea	eax, [ebp+var_60]
		push	eax
		lea	edx, [ebp+var_74]
		call	?BTreeIteratorFromSearchResult@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUITERATOR@1@PAUSEARCH_RESULT@1@@Z ; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeIteratorFromSearchResult(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::ITERATOR *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)
		mov	edi, [ebp+var_70]
		mov	edx, [ebp+var_74]

loc_54C12E:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong *,ulong *)+D8j
		test	edx, edx
		jz	short loc_54C181
		movzx	eax, word ptr [edx]
		add	edi, 8
		inc	eax
		lea	eax, [edx+eax*8]
		cmp	edi, eax
		jnb	short loc_54C1A6
		mov	ecx, edi
		jmp	short loc_54C14D
; 

loc_54C144:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong *,ulong *)+109j
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS>	*,_SM_PAGE_KEY *,ulong *,ulong *)+110j
		lea	eax, [ecx+8]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_54C14D:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong *,ulong *)+A0j
		test	ecx, ecx
		jz	short loc_54C181
		cmp	esi, [ecx]
		jb	short loc_54C181
		test	byte ptr [ecx+7], 1
		jnz	short loc_54C181
		mov	al, [ecx+6]
		cmp	al, 3
		jnz	short loc_54C1B4

loc_54C162:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong *,ulong *)+116j
		cmp	al, 1
		jz	short loc_54C1BA

loc_54C166:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong *,ulong *)+11Fj
		movzx	eax, word ptr [ecx+4]
		test	ebx, ebx
		jz	short loc_54C17C
		cmp	[ebp+var_64], eax
		jnz	short loc_54C181

loc_54C173:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong *,ulong *)+DDj
		inc	ebx
		cmp	ebx, [ebp+var_78]
		jnb	short loc_54C181
		inc	esi
		jmp	short loc_54C12E
; 

loc_54C17C:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong *,ulong *)+CAj
		mov	[ebp+var_64], eax
		jmp	short loc_54C173
; 

loc_54C181:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong *,ulong *)+8Ej
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS>	*,_SM_PAGE_KEY *,ulong *,ulong *)+ADj ...
		test	ebx, ebx
		jz	short loc_54C1C3
		mov	ecx, [ebp+var_68]
		mov	edx, [ebp+var_7C]
		mov	eax, [ebp+var_64]
		mov	[ecx], ebx
		mov	ecx, [ebp+var_6C]
		mov	[edx], ecx

loc_54C195:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong *,ulong *)+126j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_54C1A6:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong *,ulong *)+9Cj
		mov	ecx, [edx+4]
		test	ecx, ecx
		jz	short loc_54C144
		mov	edx, ecx
		lea	edi, [ecx+8]
		jmp	short loc_54C144
; 

loc_54C1B4:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong *,ulong *)+BEj
		cmp	al, 1
		jnz	short loc_54C181
		jmp	short loc_54C162
; 

loc_54C1BA:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong *,ulong *)+C2j
		mov	[ebp+var_6C], 1
		jmp	short loc_54C166
; 

loc_54C1C3:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeCheckPresent(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong *,ulong *)+E1j
		mov	eax, 400h
		jmp	short loc_54C195
?SmFeCheckPresent@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGKPAU1@PAT_SM_PAGE_KEY@@PAK2@Z endp


;  S U B	R O U T	I N E 


; __stdcall MiPageAvailable(x, x)
_MiPageAvailable@8 proc	near		; CODE XREF: MiGetPage+5B9p
					; MiGetPage+144928p
		mov	eax, edx
		mov	edx, [ecx+0FC0h]
		test	edx, edx
		jz	short loc_54C1D7
		dec	edx

loc_54C1D7:				; CODE XREF: MiPageAvailable(x,x)+Aj
		push	eax
		call	MiPageAvailableEx
		retn
_MiPageAvailable@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker proc near
					; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert+DCo

var_38		= dword	ptr -38h
var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_B		= byte ptr  13h

; FUNCTION CHUNK AT 005DCF44 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		and	[esp+2Ch+var_8], 0
		and	[esp+2Ch+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	[esp+38h+var_20], 64h
		mov	esi, [ebx+14h]
		mov	eax, esi
		mov	edi, [ebx+10h]
		and	eax, 3
		and	edi, 7
		shl	eax, 3
		or	edi, eax
		and	esi, 0FFFFFFFCh
		shl	edi, 4
		add	edi, esi
		mov	[esp+38h+var_10], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	esi, 200h
		mov	[esp+38h+var_29], al
		mov	ecx, esi
		mov	[esp+38h+var_C], esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		dec	dword ptr [edi+8]
		inc	dword ptr [edi+0Ch]
		test	ds:byte_70EFC6,	1
		jnz	loc_5DCF44
		xor	eax, eax
		lock and [esi],	eax

loc_54C253:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+90D70j
		mov	cl, [esp+38h+var_29]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_54C25D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+214j
		lea	eax, [esp+38h+var_8]
		push	eax
		lea	esi, [ebx-20h]
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, [ebp+arg_0]
		mov	ebx, edx
		push	0
		mov	edx, esi
		mov	edi, eax
		mov	ecx, [ecx+10h]
		and	ecx, 0FFFFFFF8h
		call	SMKM_STORE_SM_TRAITS___SmStWorkItemQueue
		xor	esi, esi
		push	esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		sub	eax, edi
		push	esi
		push	0F4240h
		sbb	edx, ebx
		push	edx
		push	eax
		call	__allmul
		push	[esp+40h+var_C]
		push	[esp+44h+var_10]
		push	edx
		push	eax
		call	__alldiv
		cmp	edx, esi
		ja	short loc_54C2BE
		jb	loc_54C40B
		cmp	eax, [esp+40h+var_28]
		jb	loc_54C40B

loc_54C2BE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+CEj
					; SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+231j
		mov	ebx, [esp+40h+var_18]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[esp+40h+var_30], esi
		mov	[esp+14h], esi
		mov	[esp+40h+var_24], esi
		mov	esi, [esp+40h+var_14]

loc_54C2D8:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+163j
					; SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+181j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[esp+40h+var_31], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebx+4]
		cmp	dword ptr [eax], 0
		jnz	loc_54C3A3
		cmp	[esp+40h+var_24], 0
		jnz	loc_54C3AE
		test	ds:byte_70EFC6,	1
		jnz	loc_5DCF53
		xor	eax, eax
		lock and [esi],	eax

loc_54C312:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+90D7Fj
		mov	cl, [esp+40h+var_31]
		call	edi
		mov	eax, [esp+40h+var_30]
		or	eax, [esp+14h]
		jnz	short loc_54C331
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[esp+10h], eax
		mov	[esp+44h+var_30], edx

loc_54C331:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+142j
		mov	ecx, [ebx+8]
		xor	edx, edx
		cmp	ecx, [ebx+0Ch]
		ja	short loc_54C357

loc_54C33B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+177j
		mov	eax, [ebx+4]
		cmp	dword ptr [eax], 0
		jnz	short loc_54C2D8
		inc	edx
		mov	[esp+44h+var_24], edx
		test	dl, 7Fh
		jz	short loc_54C364

loc_54C34D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+1C3j
		pause
		mov	eax, [ebx+8]
		cmp	eax, [ebx+0Ch]
		jbe	short loc_54C33B

loc_54C357:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+15Bj
					; SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+1B5j ...
		mov	[esp+44h+var_28], 1
		jmp	loc_54C2D8
; 

loc_54C364:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+16Dj
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		sub	eax, [esp+48h+var_38]
		push	0
		sbb	edx, [esp+18h]
		push	0F4240h
		push	edx
		push	eax
		call	__allmul
		push	[esp+48h+var_14]
		push	[esp+4Ch+var_18]
		push	edx
		push	eax
		call	__alldiv
		test	edx, edx
		ja	short loc_54C357
		jb	short loc_54C39D
		cmp	eax, [esp+48h+var_30]
		jnb	short loc_54C357

loc_54C39D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+1B7j
		mov	edx, [esp+48h+var_28]
		jmp	short loc_54C34D
; 

loc_54C3A3:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+111j
		cmp	eax, ebx
		jnz	short loc_54C3F7
		xor	ebx, ebx
		mov	[ebp+arg_0], ebx
		jmp	short loc_54C3DA
; 

loc_54C3AE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+11Cj
		dec	dword ptr [ebx+0Ch]
		test	ds:byte_70EFC6,	1
		jnz	loc_5DCF71
		xor	eax, eax
		lock and [esi],	eax

loc_54C3C3:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+90D9Dj
		mov	cl, [esp+40h+var_31]
		call	edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_54C3D2:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+227j
		and	dword ptr [ebx], 0
		mov	[ebx+4], ebx

loc_54C3D8:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+22Bj
		mov	ebx, ecx

loc_54C3DA:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+1CEj
		test	ds:byte_70EFC6,	1
		jnz	loc_5DCF62
		xor	eax, eax
		lock and [esi],	eax

loc_54C3EC:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+90D8Ej
		mov	cl, [esp-4+arg_B]
		call	edi
		jmp	loc_54C25D
; 

loc_54C3F7:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+1C7j
		mov	ecx, [ebx]
		mov	[ebp+arg_0], ecx
		mov	eax, [ecx]
		mov	[ebx], eax
		mov	eax, [ebx+4]
		cmp	ecx, eax
		jz	short loc_54C3D2
		dec	dword ptr [eax]
		jmp	short loc_54C3D8
; 

loc_54C40B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+D0j
					; SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+DAj
		mov	[esp+40h+var_28], eax
		jmp	loc_54C2BE
SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpResizeBigPageTable proc near		; CODE XREF: ExpAddTagForBigPages+11Ap
					; ExpAddTagForBigPages+21Bp ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= byte ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DCF80 SIZE 00000083 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 3Ch
		and	[ebp+var_18], 0
		mov	eax, ecx
		mov	ecx, [ebx+8]
		push	esi
		push	edi
		and	dword ptr [ecx], 0
		and	eax, 20h
		mov	[ebp+var_2C], eax
		jnz	loc_54C711
		mov	ecx, _PoolBigPageTable
		mov	edi, _PoolBigPageTableSize
		mov	[ebp+var_14], ecx
		mov	[ebp+var_20], offset _ExpPoolBigEntriesInUse

loc_54C45E:				; CODE XREF: ExpResizeBigPageTable+320j
		test	edi, edi
		jz	loc_54C6FA
		mov	eax, edi
		lea	ecx, [edi+edi]
		shl	eax, 4
		mov	[ebp+var_8], ecx
		cmp	ecx, edi
		jbe	loc_5DCFB0
		cmp	ecx, 0FFFFFFFh
		ja	loc_5DCFB0
		lea	ecx, [eax+eax]

loc_54C488:				; CODE XREF: ExpResizeBigPageTable+2F3j
		lea	eax, [ecx+0FFFh]
		cmp	ecx, eax
		jnb	loc_5DCFB0
		and	eax, 0FFFFF000h
		mov	edx, eax
		mov	[ebp+var_C], eax
		call	_ExAllocateHeapPages@8 ; ExAllocateHeapPages(x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		jz	loc_5DCFB0
		push	[ebp+var_C]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	ecx, eax
		mov	edx, esi
		shl	ecx, 4
		add	ecx, esi

loc_54C4CC:				; CODE XREF: ExpResizeBigPageTable+C3j
		mov	dword ptr [edx], 1
		add	edx, 10h
		cmp	edx, ecx
		jnz	short loc_54C4CC
		mov	ecx, [ebp+var_14]
		mov	edx, ecx
		shl	edi, 4
		add	edi, ecx
		dec	eax
		mov	[ebp+var_28], edi
		mov	[ebp+var_10], eax
		cmp	ecx, edi
		jz	short loc_54C4FB

loc_54C4EE:				; CODE XREF: ExpResizeBigPageTable+E5j
		mov	eax, [edx]
		test	al, 1
		jz	short loc_54C537

loc_54C4F4:				; CODE XREF: ExpResizeBigPageTable+17Bj
		add	edx, 10h
		cmp	edx, edi
		jnz	short loc_54C4EE

loc_54C4FB:				; CODE XREF: ExpResizeBigPageTable+D8j
		cmp	[ebp+var_20], offset _ExpPoolBigEntriesInUse
		jnz	loc_54C73F
		mov	edi, esi

loc_54C50A:				; CODE XREF: ExpResizeBigPageTable+34Bj
		mov	edx, esi
		shr	edx, 0Ch
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, dl
		shl	eax, 2
		xor	ecx, eax
		shr	edx, 10h
		shl	ecx, 2
		xor	ecx, edx
		mov	edx, [ebp+var_10]
		imul	ecx, 2797Ch
		sar	ecx, 2
		and	ecx, edx
		jmp	short loc_54C59F
; 

loc_54C537:				; CODE XREF: ExpResizeBigPageTable+DEj
		shr	eax, 0Ch
		mov	[ebp+var_1C], eax
		shr	eax, 8
		movzx	ecx, al
		mov	eax, [ebp+var_1C]
		movzx	eax, al
		shl	eax, 2
		xor	ecx, eax
		mov	eax, [ebp+var_1C]
		shl	ecx, 2
		shr	eax, 10h
		xor	ecx, eax
		imul	edi, ecx, 2797Ch
		mov	ecx, [ebp+var_10]
		sar	edi, 2
		and	edi, ecx
		jmp	short loc_54C574
; 

loc_54C569:				; CODE XREF: ExpResizeBigPageTable+168j
		lea	eax, [edi+1]
		cmp	ecx, eax
		sbb	edi, edi
		not	edi
		and	edi, eax

loc_54C574:				; CODE XREF: ExpResizeBigPageTable+153j
		mov	eax, edi
		add	eax, eax
		test	byte ptr [esi+eax*8], 1
		jz	short loc_54C569
		shl	edi, 4
		add	edi, esi
		mov	esi, edx
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_24]
		mov	edi, [ebp+var_28]
		jmp	loc_54C4F4
; 

loc_54C594:				; CODE XREF: ExpResizeBigPageTable+194j
		lea	eax, [ecx+1]
		cmp	edx, eax
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax

loc_54C59F:				; CODE XREF: ExpResizeBigPageTable+121j
		mov	eax, ecx
		add	eax, eax
		mov	eax, [edi+eax*8]
		test	al, 1
		jz	short loc_54C594
		mov	edx, [ebp+var_C]
		add	ecx, ecx
		mov	dword ptr [edi+ecx*8+4], 6C6F6F50h
		mov	[edi+ecx*8], esi
		mov	byte ptr [edi+ecx*8+8],	0
		movzx	eax, byte ptr [edi+ecx*8+8]
		or	eax, 20000h
		mov	[edi+ecx*8+0Ch], edx
		mov	[edi+ecx*8+8], eax
		lock inc ds:_ExpPoolBigEntriesInUse
		cmp	[ebp+var_2C], 0
		mov	ecx, [ebp+var_8]
		jnz	loc_54C764
		mov	_PoolBigPageTable, esi
		mov	_PoolBigPageTableSize, ecx

loc_54C5F1:				; CODE XREF: ExpResizeBigPageTable+366j
		xor	eax, eax
		lea	edi, [ebp+var_38]
		stosd
		mov	ecx, 6C6F6F50h
		mov	[ebp+var_4], ecx
		stosd
		stosd
		mov	eax, ds:_PoolHitTag
		cmp	eax, ecx
		jz	loc_5DCFB7

loc_54C60E:				; CODE XREF: ExpResizeBigPageTable+90BA4j
		test	ds:byte_70EFC4,	41h
		jnz	loc_5DCFBD

loc_54C61B:				; CODE XREF: ExpResizeBigPageTable+90BBDj
		movzx	eax, large byte	ptr fs:51h
		mov	esi, _PoolTrackTableMask
		mov	[ebp+var_28], esi
		mov	edx, _ExPoolTagTables[eax*4]
		mov	eax, _PoolTrackTableSize
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_4]
		movzx	ecx, al
		shl	ecx, 2
		movzx	eax, ah
		xor	ecx, eax
		mov	[ebp+var_8], edx
		movzx	eax, byte ptr [ebp+var_4+2]
		shl	ecx, 2
		xor	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		shl	ecx, 2
		xor	ecx, eax
		imul	edi, ecx, 9E5Fh
		sar	edi, 2
		and	edi, esi
		mov	[ebp+var_24], edi
		jmp	short loc_54C683
; 

loc_54C66E:				; CODE XREF: ExpResizeBigPageTable+27Dj
		test	eax, eax
		jz	loc_54C77F

loc_54C676:				; CODE XREF: ExpResizeBigPageTable+3F1j
		inc	edi
		and	edi, [ebp+var_28]
		cmp	edi, [ebp+var_24]
		jz	loc_54C80A

loc_54C683:				; CODE XREF: ExpResizeBigPageTable+258j
					; ExpResizeBigPageTable+3E1j ...
		imul	esi, edi, 30h
		mov	[ebp+var_20], esi
		mov	eax, [esi+edx]
		mov	ecx, [ebp+var_4]
		cmp	eax, ecx
		jnz	short loc_54C66E
		lea	eax, [edx+8]
		add	eax, esi
		mov	[ebp+var_10], eax

loc_54C69B:				; CODE XREF: ExpResizeBigPageTable+2AEj
					; ExpResizeBigPageTable+2B3j
		mov	edi, [eax]
		mov	esi, edi
		mov	edx, [eax+4]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_2C], edx
		add	esi, eax
		mov	ecx, edx
		mov	eax, edi
		adc	ecx, 0
		nop
		push	ebx
		mov	ebx, esi
		mov	esi, [ebp+var_10]
		lock cmpxchg8b qword ptr [esi]
		pop	ebx
		nop
		cmp	eax, edi
		mov	eax, esi
		jnz	short loc_54C69B
		cmp	edx, [ebp+var_2C]
		jnz	short loc_54C69B
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_20]
		add	ecx, 4
		add	eax, ecx
		mov	ecx, [ebp+var_C]
		lock xadd [eax], ecx

loc_54C6DB:				; CODE XREF: ExpResizeBigPageTable+403j
		mov	ecx, [ebp+var_14]
		test	ecx, ecx
		jz	short loc_54C70C
		mov	eax, [ebp+var_18]
		mov	[ecx], eax

loc_54C6E7:				; CODE XREF: ExpResizeBigPageTable+2FBj
		mov	eax, [ebx+8]
		mov	[eax], ecx
		xor	eax, eax
		inc	eax

loc_54C6EF:				; CODE XREF: ExpResizeBigPageTable+90B9Ej
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_54C6FA:				; CODE XREF: ExpResizeBigPageTable+4Cj
		mov	ecx, 200h
		mov	[ebp+var_8], ecx
		mov	ecx, 2000h
		jmp	loc_54C488
; 

loc_54C70C:				; CODE XREF: ExpResizeBigPageTable+2CCj
		mov	ecx, [ebp+var_18]
		jmp	short loc_54C6E7
; 

loc_54C711:				; CODE XREF: ExpResizeBigPageTable+2Ej
		mov	eax, dword_6D05D4
		mov	ecx, [eax+242Ch]
		mov	edi, [eax+2430h]
		add	eax, 23E4h
		cmp	_PoolBigPageTableSize, 0
		mov	[ebp+var_14], ecx
		mov	[ebp+var_20], eax
		jnz	loc_54C45E
		jmp	loc_5DCFB0
; 

loc_54C73F:				; CODE XREF: ExpResizeBigPageTable+EEj
		mov	eax, ds:_ExpPoolBigEntriesInUse
		cmp	eax, _PoolBigPageTableSize
		jz	loc_5DCF80

loc_54C750:				; CODE XREF: ExpResizeBigPageTable+90B81j
		mov	eax, _PoolBigPageTableSize
		mov	edi, _PoolBigPageTable
		dec	eax
		mov	[ebp+var_10], eax
		jmp	loc_54C50A
; 

loc_54C764:				; CODE XREF: ExpResizeBigPageTable+1CBj
		mov	eax, dword_6D05D4
		mov	[eax+242Ch], esi
		mov	eax, dword_6D05D4
		mov	[eax+2430h], ecx
		jmp	loc_54C5F1
; 

loc_54C77F:				; CODE XREF: ExpResizeBigPageTable+25Cj
		mov	eax, _PoolTrackTable
		mov	eax, [esi+eax]
		test	eax, eax
		jnz	short loc_54C7FA
		mov	eax, [ebp+var_2C]
		dec	eax
		cmp	edi, eax
		jz	short loc_54C802
		lea	edx, [ebp+var_38]
		mov	ecx, offset _ExpTaggedPoolLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, _PoolTrackTable
		cmp	dword ptr [esi+ecx], 0
		jnz	short loc_54C7B8
		mov	eax, [ebp+var_4]
		mov	[esi+ecx], eax
		mov	ecx, [ebp+var_8]
		mov	[esi+ecx], eax

loc_54C7B8:				; CODE XREF: ExpResizeBigPageTable+396j
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5DCFD6
		mov	eax, [ebp+var_38]
		test	eax, eax
		jnz	loc_5DCFEE
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_38]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_38]
		cmp	eax, ecx
		jnz	loc_5DCFE6

loc_54C7E9:				; CODE XREF: ExpResizeBigPageTable+90BCDj
					; ExpResizeBigPageTable+90BEAj
		mov	cl, [ebp+var_30]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_8]
		jmp	loc_54C683
; 

loc_54C7FA:				; CODE XREF: ExpResizeBigPageTable+375j
		mov	[esi+edx], eax
		jmp	loc_54C683
; 

loc_54C802:				; CODE XREF: ExpResizeBigPageTable+37Dj
		mov	ecx, [ebp+var_4]
		jmp	loc_54C676
; 

loc_54C80A:				; CODE XREF: ExpResizeBigPageTable+269j
		mov	edx, [ebp+var_C]
		push	200h
		call	ExpInsertPoolTrackerExpansion
		jmp	loc_54C6DB
ExpResizeBigPageTable endp


;  S U B	R O U T	I N E 


; __stdcall ExAllocateHeapPages(x, x)
_ExAllocateHeapPages@8 proc near	; CODE XREF: ExpInsertPoolTrackerExpansion+156p
					; ExpResizeBigPageTable+8Cp ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		mov	ecx, 200h
		push	0
		mov	edx, 80000000h
		call	ExGetHeapFromType
		cmp	esi, [eax+18Ch]
		jnb	short loc_54C855
		lea	ecx, [eax+100h]
		cmp	esi, [eax+10Ch]
		ja	short loc_54C863

loc_54C848:				; CODE XREF: ExAllocateHeapPages(x,x)+4Dj
		push	0
		push	esi
		push	esi
		mov	edx, esi
		call	RtlpHpSegAlloc
		pop	esi
		retn
; 

loc_54C855:				; CODE XREF: ExAllocateHeapPages(x,x)+1Cj
		push	ecx
		push	0
		mov	edx, esi
		mov	ecx, eax
		call	RtlpHpAllocateHeap
		pop	esi
		retn
; 

loc_54C863:				; CODE XREF: ExAllocateHeapPages(x,x)+2Aj
		lea	ecx, [eax+180h]
		jmp	short loc_54C848
_ExAllocateHeapPages@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapSinglePage	proc near		; CODE XREF: MiUpdateForkMaps+BBp
					; MiUpdateForkMaps+11Cp ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005DD003 SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		test	edi, edi
		jz	loc_54C91B
		mov	esi, edi
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		mov	ecx, [esi]
		nop
		or	ecx, [esi+4]
		jz	short loc_54C8B5
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		xor	edx, edx
		push	1
		mov	ecx, edi
		mov	[esi+4], eax
		call	KeFlushSingleTb

loc_54C8B5:				; CODE XREF: MiMapSinglePage+2Cj
					; MiMapSinglePage+CBj
		mov	ecx, [ebp+arg_0]
		sar	ecx, 1Fh
		and	ecx, 0FFFFFFFDh
		add	ecx, 4
		test	[ebp+arg_0], 40000000h
		jz	loc_5DD003

loc_54C8CE:				; CODE XREF: MiMapSinglePage+9079Aj
		imul	edx, ebx, 1Ch
		add	edx, ds:_MmPfnDatabase
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		or	eax, 0A0000000h
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	MiMakeValidPte
		and	[ebp+arg_0], 0
		mov	ecx, esi
		mov	ebx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5DD00B
		mov	ecx, [ebp+arg_0]

loc_54C903:				; CODE XREF: MiMapSinglePage+907B2j
					; MiMapSinglePage+907C0j ...
		mov	[esi+4], edx
		nop
		mov	[esi], ebx
		test	ecx, ecx
		jnz	loc_5DD05D

loc_54C911:				; CODE XREF: MiMapSinglePage+E1j
					; MiMapSinglePage+907FAj
		mov	eax, edi

loc_54C913:				; CODE XREF: MiMapSinglePage+E5j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_54C91B:				; CODE XREF: MiMapSinglePage+Fj
		xor	edx, edx
		mov	ecx, offset dword_6D35E0
		inc	edx
		call	MiReservePtes
		mov	esi, eax
		test	esi, esi
		jz	short loc_54C94F
		mov	edi, esi
		shl	edi, 9
		test	[ebp+arg_4], 2
		jz	loc_54C8B5
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+4], eax
		jmp	short loc_54C911
; 

loc_54C94F:				; CODE XREF: MiMapSinglePage+C0j
		xor	eax, eax
		jmp	short loc_54C913
MiMapSinglePage	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeprioritizeVad proc near		; CODE XREF: MmAccessFault+764p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DD06B SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, large fs:124h
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		mov	eax, [esi+80h]
		dec	word ptr [esi+13Eh]
		mov	[ebp+var_C], eax
		nop
		mov	edx, edi
		mov	ecx, esi
		call	MiTryLockVad
		test	eax, eax
		jz	loc_5DD06B
		test	byte ptr [edi+1Ch], 4
		jnz	loc_54CA44
		mov	eax, [edi+0Ch]
		shr	ebx, 0Ch
		sub	ebx, eax
		mov	[ebp+var_14], eax
		mov	eax, [edi+28h]
		test	eax, 2000000h
		jz	loc_54CA44
		mov	eax, [edi+2Ch]
		mov	esi, [eax]
		mov	ecx, esi
		call	MiReferenceControlAreaFile
		mov	[ebp+var_4], eax
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_10], ecx
		lea	ecx, [esi+20h]
		mov	[ebp+var_8], ecx
		mov	ecx, [ecx]
		mov	edx, ecx
		xor	edx, eax
		cmp	edx, 7
		jnb	loc_5DD09A

loc_54C9D9:				; CODE XREF: MiDeprioritizeVad+9073Ej
		mov	esi, [ebp+var_8]
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	esi, [ebp+var_4]
		cmp	eax, ecx
		jnz	loc_5DD08B

loc_54C9F0:				; CODE XREF: MiDeprioritizeVad+90751j
		mov	esi, [ebp+var_C]
		test	dword ptr [esi+0FCh], 4000h
		jz	short loc_54CA50
		mov	edx, [ebp+var_10]
		and	ebx, 0FFFFFF00h
		mov	ecx, [esi+1DCh]
		push	ebx
		call	PfCheckDeprioritizeFile
		cmp	eax, 1
		jnz	short loc_54CA50
		mov	eax, [edi+28h]
		test	eax, 2000000h
		jz	short loc_54CA44
		mov	ecx, [ebp+var_14]
		lea	eax, [esi+240h]
		add	ecx, 0FFFFFF00h
		mov	edx, 100h
		push	12h
		add	ecx, ebx
		push	eax
		shl	ecx, 0Ch
		call	_MiDeprioritizeVirtualAddresses@16 ; MiDeprioritizeVirtualAddresses(x,x,x,x)

loc_54CA44:				; CODE XREF: MiDeprioritizeVad+3Cj
					; MiDeprioritizeVad+55j ...
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad

loc_54CA4B:				; CODE XREF: MiDeprioritizeVad+90732j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_54CA50:				; CODE XREF: MiDeprioritizeVad+A9j
					; MiDeprioritizeVad+C3j
		and	dword ptr [edi+28h], 0FDFFFFFFh
		jmp	short loc_54CA44
MiDeprioritizeVad endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiTryLockVad	proc near		; CODE XREF: MiDeprioritizeVad+2Bp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DD0AA SIZE 0000002B BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		xor	eax, eax
		mov	[ebp+var_14], ecx
		test	byte ptr [ecx+304h], 80h
		push	edi
		jnz	loc_54CB18
		add	edx, 18h
		mov	[ebp+var_10], eax
		mov	esi, edx
		mov	[ebp+var_4], edx
		and	esi, 7FFFFFFCh
		mov	[ebp+var_C], esi
		jz	loc_5DD0AA
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_54CB21
		mov	edi, eax

loc_54CAC3:				; CODE XREF: MiTryLockVad+F1j
					; MiTryLockVad+152j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h

loc_54CACB:				; CODE XREF: MiTryLockVad+129j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_10]
		push	eax
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_54CAF4
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_54CBB7

loc_54CAF4:				; CODE XREF: MiTryLockVad+8Cj
					; MiTryLockVad+162j
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_14]

loc_54CAFA:				; CODE XREF: MiTryLockVad+90652j
		lock bts dword ptr [edx], 0
		jb	loc_5DD0C0
		test	edi, edi
		jz	short loc_54CB0D
		or	byte ptr [edi+0Eh], 1

loc_54CB0D:				; CODE XREF: MiTryLockVad+ADj
		xor	eax, eax
		inc	eax
		or	byte ptr [ecx+304h], 80h
		nop

loc_54CB18:				; CODE XREF: MiTryLockVad+28j
					; MiTryLockVad+90676j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_54CB21:				; CODE XREF: MiTryLockVad+65j
		mov	cl, [esi+1E4h]
		mov	[ebp+var_8], eax
		test	cl, cl
		jz	short loc_54CB88

loc_54CB2E:				; CODE XREF: MiTryLockVad+144j
		movzx	ecx, cl
		bsf	eax, ecx
		imul	edi, eax, 30h
		btr	ecx, eax
		mov	[ebp+var_8], eax
		mov	[esi+1E4h], cl
		add	edi, [esi+1E8h]

loc_54CB49:				; CODE XREF: MiTryLockVad+90661j
		test	edi, edi
		jz	loc_54CAC3
		mov	ecx, dword_6D07D0
		mov	eax, edx
		shr	eax, 15h
		cmp	edx, ecx
		jb	short loc_54CB76
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_54CBC1
		cmp	edx, ecx
		jb	short loc_54CB76
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	short loc_54CBC1

loc_54CB76:				; CODE XREF: MiTryLockVad+104j
					; MiTryLockVad+111j
		or	eax, 0FFFFFFFFh

loc_54CB79:				; CODE XREF: MiTryLockVad+172j
		mov	[edi+14h], eax
		nop
		mov	eax, [ebp+var_C]
		mov	[edi+10h], eax
		jmp	loc_54CACB
; 

loc_54CB88:				; CODE XREF: MiTryLockVad+D2j
		lea	ecx, [esi+222h]
		cmp	[ecx], al
		jz	short loc_54CBA0
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al
		jmp	short loc_54CB2E
; 

loc_54CBA0:				; CODE XREF: MiTryLockVad+136j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	edi, eax
		jz	loc_54CAC3
		jmp	loc_5DD0B1
; 

loc_54CBB7:				; CODE XREF: MiTryLockVad+94j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_54CAF4
; 

loc_54CBC1:				; CODE XREF: MiTryLockVad+10Dj
					; MiTryLockVad+11Aj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_54CB79
MiTryLockVad	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeprioritizeVirtualAddresses(x, x, x, x)
_MiDeprioritizeVirtualAddresses@16 proc	near ; CODE XREF: MiDeprioritizeVad+EBp
					; HvTrimHive+11C912p

var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_A9		= byte ptr -0A9h
var_A8		= dword	ptr -0A8h
var_A1		= byte ptr -0A1h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [ebp+var_A0]
		push	esi
		push	edi
		push	98h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, edx
		mov	[ebp+var_B8], ebx
		mov	edi, ecx
		call	_memset
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		and	eax, 7
		mov	ecx, ebx
		mov	[ebp+var_B0], eax
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		shr	edi, 9
		xor	ecx, ecx
		and	edi, offset loc_7FFFF8
		mov	[ebp+var_A0], eax
		mov	eax, dword_6D3154
		sub	edi, 40000000h
		mov	[ebp+var_90], ecx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_A8], ecx
		mov	ecx, ebx
		lea	esi, [edi+esi*8]
		mov	[ebp+var_9C], 4
		mov	[ebp+var_98], 21h
		mov	[ebp+var_BC], eax
		mov	[ebp+var_C4], esi
		call	MiLockWorkingSetShared
		mov	[ebp+var_A1], al
		cmp	edi, esi
		jnb	loc_54CE85
		mov	ecx, [ebp+var_A8]

loc_54CC87:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+280j
		mov	esi, edi
		shr	esi, 9
		test	ecx, ecx
		jz	short loc_54CCD3
		mov	eax, esi
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	ecx, eax
		jz	short loc_54CCCF
		cmp	[ebp+var_94], 0
		jz	short loc_54CCBE
		push	0
		lea	edx, [ebp+var_A0]
		mov	ecx, ebx
		call	MiFreeWsleList
		mov	ecx, [ebp+var_A8]

loc_54CCBE:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+D9j
		mov	edx, ecx
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	ecx, ecx
		mov	[ebp+var_A8], ecx

loc_54CCCF:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+D0j
		test	ecx, ecx
		jnz	short loc_54CD1D

loc_54CCD3:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+C0j
		lea	eax, [ebp+var_C8]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	MiLockLowestValidPageTable
		and	esi, offset loc_7FFFF8
		mov	ecx, eax
		sub	esi, 40000000h
		mov	[ebp+var_A8], ecx
		cmp	ecx, esi
		jz	short loc_54CD1D
		mov	edx, ecx
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	ecx, ecx
		and	edi, 0FFFFF000h
		mov	[ebp+var_A8], ecx
		add	edi, 0FF8h
		jmp	loc_54CE45
; 

loc_54CD1D:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+103j
					; MiDeprioritizeVirtualAddresses(x,x,x,x)+12Bj
		mov	eax, [edi]
		and	eax, 1
		or	eax, 0
		jz	loc_54CE45
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		shrd	ecx, eax, 0Ch
		mov	eax, edi
		and	ecx, 1FFFFFFh
		shl	eax, 9
		imul	esi, ecx, 1Ch
		mov	edx, eax
		mov	ecx, ebx
		mov	[ebp+var_C0], eax
		add	esi, ds:_MmPfnDatabase
		call	MiLocateWsle
		mov	al, [eax]
		and	al, 0Fh
		mov	[ebp+var_A9], al
		cmp	al, 9
		jz	loc_54CE3F
		test	dword ptr [esi+18h], (offset loc_7FFFFF+1)
		jnz	short loc_54CD8B
		mov	eax, [esi+4]
		test	eax, eax
		js	short loc_54CD8B
		jz	short loc_54CD8B
		or	eax, 80000000h
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_MiDemoteCombinedPte@12	; MiDemoteCombinedPte(x,x,x)

loc_54CD8B:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+1A3j
					; MiDeprioritizeVirtualAddresses(x,x,x,x)+1AAj	...
		test	byte ptr [ebp+arg_4], 8
		jnz	short loc_54CDEC
		mov	ecx, esi
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		cmp	[ebp+var_B0], eax
		jz	short loc_54CDEC
		and	[ebp+var_B4], 0
		lea	eax, [esi+10h]
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_54CDD2
		lea	ebx, [esi+10h]

loc_54CDB4:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+1F5j
					; MiDeprioritizeVirtualAddresses(x,x,x,x)+1FCj
		lea	ecx, [ebp+var_B4]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_54CDB4
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_54CDB4
		mov	ebx, [ebp+var_B8]

loc_54CDD2:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+1E1j
		mov	edx, [ebp+var_B0]
		mov	ecx, esi
		push	1
		call	_MiUpdatePfnPriority@12	; MiUpdatePfnPriority(x,x,x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx

loc_54CDEC:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+1C1j
					; MiDeprioritizeVirtualAddresses(x,x,x,x)+1D0j
		test	byte ptr [ebp+arg_4], 10h
		jz	short loc_54CE3F
		cmp	[ebp+var_A9], 8
		jz	short loc_54CE3F
		cmp	[ebp+var_BC], 0
		jz	short loc_54CE0D
		mov	edx, edi
		mov	ecx, ebx
		call	MI_WSLE_LOG_ACCESS

loc_54CE0D:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+234j
		mov	edx, [ebp+var_C0]
		lea	ecx, [ebp+var_A0]
		push	0
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	eax, [ebp+var_94]
		cmp	eax, [ebp+var_98]
		jnz	short loc_54CE3F
		push	0
		lea	edx, [ebp+var_A0]
		mov	ecx, ebx
		call	MiFreeWsleList

loc_54CE3F:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+196j
					; MiDeprioritizeVirtualAddresses(x,x,x,x)+222j	...
		mov	ecx, [ebp+var_A8]

loc_54CE45:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+14Aj
					; MiDeprioritizeVirtualAddresses(x,x,x,x)+157j
		add	edi, 8
		cmp	edi, [ebp+var_C4]
		jb	loc_54CC87
		test	ecx, ecx
		jz	short loc_54CE7F
		cmp	[ebp+var_94], 0
		jz	short loc_54CE76
		push	0
		lea	edx, [ebp+var_A0]
		mov	ecx, ebx
		call	MiFreeWsleList
		mov	ecx, [ebp+var_A8]

loc_54CE76:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+291j
		mov	edx, ecx
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_54CE7F:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+288j
		mov	al, [ebp+var_A1]

loc_54CE85:				; CODE XREF: MiDeprioritizeVirtualAddresses(x,x,x,x)+ADj
		mov	dl, al
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_MiDeprioritizeVirtualAddresses@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1381. MmAreMdlPagesCached

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAreMdlPagesCached(x)
		public _MmAreMdlPagesCached@4
_MmAreMdlPagesCached@4 proc near	; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+53p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax+18h]
		lea	esi, [eax+1Ch]
		add	ecx, [eax+10h]
		mov	eax, [eax+14h]
		and	ecx, 0FFFh
		add	eax, 0FFFh
		add	eax, ecx
		shr	eax, 0Ch
		lea	ebx, [esi+eax*4]

loc_54CECE:				; CODE XREF: MmAreMdlPagesCached(x)+67j
		mov	edi, [esi]
		cmp	edi, dword_6D07B0
		ja	short loc_54CF17
		mov	eax, dword_6D35B8
		mov	edx, edi
		shr	edx, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_54CF17
		mov	ecx, ds:_MmPfnDatabase
		imul	edx, edi, 1Ch
		mov	cl, [edx+ecx+16h]
		and	cl, 0C0h
		cmp	cl, 40h
		jnz	short loc_54CF17
		add	esi, 4
		cmp	esi, ebx
		jb	short loc_54CECE
		xor	eax, eax
		inc	eax

loc_54CF10:				; CODE XREF: MmAreMdlPagesCached(x)+75j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_54CF17:				; CODE XREF: MmAreMdlPagesCached(x)+32j
					; MmAreMdlPagesCached(x)+4Bj ...
		xor	eax, eax
		jmp	short loc_54CF10
_MmAreMdlPagesCached@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_SM_TRAITS___SmStDirectRead proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+191p

var_50		= dword	ptr -50h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DD0D5 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		mov	ebx, ecx
		mov	esi, edx
		push	6
		pop	ecx
		rep stosd
		mov	ecx, large fs:124h
		lea	edi, [ebp+var_38]
		stosd
		xor	edx, edx
		mov	[ebp+var_28], esi
		stosd
		stosd
		stosd
		xor	eax, eax
		cmp	byte ptr [ecx+16Ah], 1
		mov	[ebp+var_20], eax
		jz	loc_54D004

loc_54CF64:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStDirectRead+FDj
		mov	ecx, [ebx+125Ch]
		lea	eax, [ebp+var_1C]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		push	2
		pop	eax
		mov	ecx, ebx
		mov	[ebp+var_20], eax
		call	ST_STORE_SM_TRAITS___StAcquireReadContext
		mov	edx, eax
		mov	[ebp+var_24], edx
		test	edx, edx
		jz	loc_54D02B
		push	3
		pop	eax
		push	6
		pop	ecx
		push	0
		push	0
		mov	[ebp+var_20], eax
		lea	edi, [ebp+var_50]
		push	2000h
		lea	eax, [ebp+var_38]
		mov	[ebp+var_38], ebx
		rep movsd
		mov	edi, [ebp+var_28]
		push	eax
		push	offset ?SmStDirectReadCallout@?$SMKM_STORE@USM_TRAITS@@@@SGXPAX@Z ; SMKM_STORE<SM_TRAITS>::SmStDirectReadCallout(void *)
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edx
		call	KeExpandKernelStackAndCalloutInternal
		mov	edx, [ebp+var_24]
		test	eax, eax
		js	short loc_54D026
		cmp	[ebp+var_2C], 0
		push	2
		pop	eax
		mov	[ebp+var_20], eax
		push	6
		jz	short loc_54D01E
		pop	eax
		mov	[ebp+var_20], eax

loc_54CFD9:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStDirectRead+FBj
					; SMKM_STORE_SM_TRAITS___SmStDirectRead+108j ...
		test	al, 1
		jnz	loc_5DD0D5

loc_54CFE1:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStDirectRead+901C3j
		test	al, 2
		jz	short loc_54CFF2
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, [ebp+var_20]

loc_54CFF2:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStDirectRead+C7j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		shr	eax, 2
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_54D004:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStDirectRead+42j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		cmp	ecx, [ebx+125Ch]
		jnz	short loc_54CFD9
		jmp	loc_54CF64
; 

loc_54D01E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStDirectRead+B7j
		pop	ecx
		lea	esi, [ebp+var_50]
		rep movsd
		jmp	short loc_54CFD9
; 

loc_54D026:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStDirectRead+A9j
		push	3
		pop	eax
		jmp	short loc_54CFD9
; 

loc_54D02B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStDirectRead+6Dj
		mov	eax, [ebp+var_20]
		jmp	short loc_54CFD9
SMKM_STORE_SM_TRAITS___SmStDirectRead endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReplacePageOfProtoPool proc near	; CODE XREF: MiStealPage+C44p

var_AC		= dword	ptr -0ACh
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DD0E4 SIZE 00000098 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		push	7
		mov	esi, ecx
		mov	[ebp+var_70], eax
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_64], edx
		lea	edi, [ebp+var_AC]
		mov	[ebp+var_6C], esi
		push	40h		; size_t
		rep stosd
		lea	eax, [ebp+var_48]
		mov	[ebp+var_5C], ebx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_74], eax
		mov	[ebp+var_78], 200h
		call	_memset
		add	esp, 0Ch
		lea	edx, [ebp+var_78]
		mov	ecx, esi
		call	MiGetPrototypePteRanges
		test	eax, eax
		jz	loc_5DD0E4
		and	[ebp+var_4C], 0
		push	1000h		; size_t
		push	esi		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[ebp+var_50], ecx

loc_54D0AD:				; CODE XREF: MiReplacePageOfProtoPool+211j
		mov	edx, [ebp+var_78]
		cmp	ecx, edx
		mov	[ebp+var_58], edx
		sbb	ebx, ebx
		and	ebx, ecx
		lea	edi, [edx-1]

loc_54D0BC:				; CODE XREF: MiReplacePageOfProtoPool+900D2j
		and	[ebp+var_7C], 0
		mov	eax, edi
		sub	eax, ebx
		inc	eax
		cmp	eax, 1
		jb	loc_5DD0EB
		mov	eax, edi
		lea	ecx, [ebp+var_48]
		shr	eax, 5
		lea	esi, [ebp+var_48]
		xor	edx, edx
		inc	edx
		lea	eax, [ecx+eax*4]
		mov	ecx, ebx
		mov	[ebp+var_54], eax
		and	ecx, 1Fh
		mov	eax, ebx
		shl	edx, cl
		shr	eax, 5
		dec	edx
		lea	esi, [esi+eax*4]
		mov	eax, [esi]
		not	eax
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_54D4D4

loc_54D101:				; CODE XREF: MiReplacePageOfProtoPool+4B7j
		not	eax
		lea	ecx, [ebp+var_48]
		bsf	eax, eax
		sub	esi, ecx
		sar	esi, 2
		shl	esi, 5
		add	esi, eax
		mov	[ebp+var_7C], eax
		cmp	esi, edi
		ja	loc_54D4EC
		cmp	esi, 0FFFFFFFFh
		jz	loc_54D4EF

loc_54D127:				; CODE XREF: MiReplacePageOfProtoPool+900C0j
		cmp	esi, [ebp+var_50]
		jb	loc_54D247
		cmp	esi, 0FFFFFFFFh
		jz	loc_54D247
		cmp	esi, 200h
		jnb	loc_54D4FA
		mov	eax, esi
		lea	edx, [ebp+var_48]
		shr	eax, 5
		mov	edi, esi
		lea	edx, [edx+eax*4]
		lea	eax, [ebp+var_C]
		cmp	edx, eax
		jz	short loc_54D188
		mov	ebx, esi
		and	ebx, 1Fh
		mov	ecx, ds:dword_40BA68[ebx*4]
		or	ecx, [edx]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_54D188
		sub	edi, ebx
		add	edi, 20h
		add	edx, 4

loc_54D174:				; CODE XREF: MiReplacePageOfProtoPool+156j
		lea	eax, [ebp+var_C]
		cmp	edx, eax
		jnb	short loc_54D188
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	short loc_54D188
		add	edx, 4
		add	edi, 20h
		jmp	short loc_54D174
; 

loc_54D188:				; CODE XREF: MiReplacePageOfProtoPool+127j
					; MiReplacePageOfProtoPool+13Aj ...
		mov	ebx, 200h

loc_54D18D:				; CODE XREF: MiReplacePageOfProtoPool+16Aj
		cmp	edi, ebx
		jnb	short loc_54D19C
		lea	eax, [ebp+var_48]
		bt	[eax], edi
		jnb	short loc_54D19C
		inc	edi
		jmp	short loc_54D18D
; 

loc_54D19C:				; CODE XREF: MiReplacePageOfProtoPool+15Fj
					; MiReplacePageOfProtoPool+167j
		lea	eax, [ebp+var_C]
		xor	ebx, ebx
		cmp	edx, eax
		jnz	loc_54D480

loc_54D1A9:				; CODE XREF: MiReplacePageOfProtoPool+465j
					; MiReplacePageOfProtoPool+493j ...
		lea	eax, [ebx+edi]

loc_54D1AC:				; CODE XREF: MiReplacePageOfProtoPool+192j
		cmp	eax, 200h
		jnb	short loc_54D1C4
		lea	ecx, [ebp+var_48]
		bt	[ecx], eax
		jb	short loc_54D1C4
		cmp	ebx, 0FFFFFFFFh
		jnb	short loc_54D1C7
		inc	eax
		inc	ebx
		jmp	short loc_54D1AC
; 

loc_54D1C4:				; CODE XREF: MiReplacePageOfProtoPool+181j
					; MiReplacePageOfProtoPool+189j
		cmp	ebx, 0FFFFFFFFh

loc_54D1C7:				; CODE XREF: MiReplacePageOfProtoPool+18Ej
					; MiReplacePageOfProtoPool+474j ...
		ja	loc_5DD107

loc_54D1CD:				; CODE XREF: MiReplacePageOfProtoPool+900DAj
		test	ebx, ebx
		jz	loc_54D4FC

loc_54D1D5:				; CODE XREF: MiReplacePageOfProtoPool+4D1j
		lea	ecx, [ebx+esi]
		mov	eax, esi
		mov	ebx, [ebp+var_6C]
		sub	edi, esi
		shl	eax, 3
		add	ecx, edi
		add	ebx, eax
		mov	[ebp+var_50], ecx
		test	edi, edi
		jz	short loc_54D23A
		sub	eax, ebx
		add	eax, [ebp+var_5C]
		mov	[ebp+var_54], eax

loc_54D1F5:				; CODE XREF: MiReplacePageOfProtoPool+205j
		mov	edx, [ebp+var_4C]
		mov	ecx, ebx
		call	MiLockLeafPage
		mov	edx, eax
		test	edx, edx
		jnz	loc_54D402
		mov	edx, esi
		mov	eax, esi
		shr	edx, 3
		and	eax, 7
		movsx	ecx, byte ptr [ebp+edx+var_48]
		btr	ecx, eax
		mov	byte ptr [ebp+edx+var_48], cl

loc_54D21F:				; CODE XREF: MiReplacePageOfProtoPool+3F5j
					; MiReplacePageOfProtoPool+3FFj
		mov	ecx, [ebp+var_54]
		mov	eax, [ebx]
		mov	[ecx+ebx], eax
		mov	eax, [ebx+4]
		mov	[ecx+ebx+4], eax
		add	ebx, 8
		inc	esi
		sub	edi, 1
		jnz	short loc_54D1F5
		mov	ecx, [ebp+var_50]

loc_54D23A:				; CODE XREF: MiReplacePageOfProtoPool+1BBj
		mov	ebx, 200h
		cmp	ecx, ebx
		jb	loc_54D0AD

loc_54D247:				; CODE XREF: MiReplacePageOfProtoPool+FAj
					; MiReplacePageOfProtoPool+103j
		imul	esi, [ebp+var_64], 1Ch
		imul	ebx, [ebp+var_70], 1Ch
		mov	ecx, [ebp+var_4C]
		add	esi, ds:_MmPfnDatabase
		add	ebx, ds:_MmPfnDatabase
		test	ecx, ecx
		jz	loc_5DD10F
		mov	ecx, esi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)

loc_54D26D:				; CODE XREF: MiReplacePageOfProtoPool+90106j
		mov	ecx, [ebp+var_4C]

loc_54D270:				; CODE XREF: MiReplacePageOfProtoPool+900EBj
		cmp	word ptr [esi+14h], 2
		lea	edx, [esi+10h]
		jnz	loc_5DD13B
		mov	eax, [ebp+var_4C]
		mov	esi, [edx]
		inc	eax
		movzx	ecx, si
		cmp	ecx, eax
		jnz	loc_5DD145
		and	esi, 3FFFFFFFh
		cmp	esi, 10000h
		jnb	loc_5DD145
		mov	ecx, ebx
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		lea	ecx, [ebx+10h]
		mov	eax, [ecx]
		and	eax, 0C0000000h
		or	eax, esi
		mov	[ecx], eax
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	ecx, [ebp+var_4C]
		xor	ebx, ebx
		inc	ebx

loc_54D2C4:				; CODE XREF: MiReplacePageOfProtoPool+90122j
		mov	[ebp+var_50], ebx
		xor	eax, eax

loc_54D2C9:				; CODE XREF: MiReplacePageOfProtoPool+3CDj
		mov	[ebp+var_54], eax
		test	ecx, ecx
		jz	loc_54D46D
		mov	edx, [ebp+var_78]
		mov	ebx, eax
		cmp	eax, edx
		mov	[ebp+var_58], edx
		sbb	edi, edi
		and	edi, eax
		lea	esi, [edx-1]

loc_54D2E5:				; CODE XREF: MiReplacePageOfProtoPool+9013Ej
		and	[ebp+var_84], 0
		mov	eax, esi
		sub	eax, edi
		inc	eax
		cmp	eax, 1
		jb	loc_5DD157
		mov	eax, esi
		lea	ecx, [ebp+var_48]
		shr	eax, 5
		xor	edx, edx
		inc	edx
		lea	eax, [ecx+eax*4]
		mov	ecx, edi
		mov	[ebp+var_64], eax
		and	ecx, 1Fh
		mov	eax, edi
		shl	edx, cl
		shr	eax, 5
		lea	ecx, [ebp+var_48]
		dec	edx
		lea	ecx, [ecx+eax*4]
		mov	eax, [ecx]
		not	eax
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_54D44A

loc_54D32D:				; CODE XREF: MiReplacePageOfProtoPool+42Dj
		not	eax
		lea	edx, [ebp+var_48]
		bsf	eax, eax
		sub	ecx, edx
		sar	ecx, 2
		shl	ecx, 5
		add	ecx, eax
		mov	[ebp+var_84], eax
		cmp	ecx, esi
		ja	loc_54D462
		cmp	ecx, 0FFFFFFFFh
		jz	loc_54D465

loc_54D356:				; CODE XREF: MiReplacePageOfProtoPool+9012Cj
		mov	eax, [ebp+var_6C]
		xor	ebx, ebx
		mov	[ebp+var_64], ebx
		mov	edx, [eax+ecx*8]
		nop
		mov	esi, [eax+ecx*8+4]
		mov	eax, edx
		and	eax, 1
		mov	[ebp+var_90], edx
		or	eax, ebx
		mov	[ebp+var_8C], esi
		jnz	loc_54D43A
		mov	eax, dword_6D0700
		mov	edi, edx
		mov	ebx, dword_6D0704
		mov	[ebp+var_5C], eax
		or	eax, ebx
		mov	[ebp+var_54], ebx
		mov	ebx, esi
		mov	[ebp+var_64], esi
		jz	short loc_54D3B7
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	loc_5DD173
		mov	edx, [ebp+var_5C]
		mov	esi, [ebp+var_54]
		not	edx
		not	esi
		and	edx, edi
		and	esi, ebx

loc_54D3B7:				; CODE XREF: MiReplacePageOfProtoPool+369j
					; MiReplacePageOfProtoPool+90147j
		shrd	edx, esi, 0Ch
		and	edx, 3FFFFFFh

loc_54D3C1:				; CODE XREF: MiReplacePageOfProtoPool+415j
		mov	ebx, [ebp+var_50]
		imul	edx, 1Ch
		add	edx, ds:_MmPfnDatabase
		cmp	ebx, 1
		jnz	short loc_54D3E9
		mov	eax, [edx+18h]
		xor	eax, [ebp+var_70]
		and	eax, offset loc_7FFFFF
		xor	eax, [edx+18h]
		mov	[ebp+var_94], eax
		mov	[edx+18h], eax

loc_54D3E9:				; CODE XREF: MiReplacePageOfProtoPool+3A0j
		dec	[ebp+var_4C]
		lea	eax, [edx+10h]
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		lea	eax, [ecx+1]
		mov	ecx, [ebp+var_4C]
		jmp	loc_54D2C9
; 

loc_54D402:				; CODE XREF: MiReplacePageOfProtoPool+1D3j
		mov	ecx, [ebp+var_4C]
		inc	ecx
		test	byte ptr [edx+16h], 8
		mov	[ebp+var_4C], ecx
		jnz	loc_5DD150
		mov	ecx, [ebx]
		nop
		mov	eax, [ebx+4]
		and	ecx, 1
		or	ecx, 0
		mov	[ebp+var_84], eax
		jnz	loc_54D21F
		test	byte ptr [edx+16h], 20h
		jz	loc_54D21F
		jmp	loc_5DD14D
; 

loc_54D43A:				; CODE XREF: MiReplacePageOfProtoPool+349j
		nop
		shrd	edx, esi, 0Ch
		and	edx, 1FFFFFFh
		jmp	loc_54D3C1
; 

loc_54D44A:				; CODE XREF: MiReplacePageOfProtoPool+2F7j
		mov	edx, [ebp+var_64]

loc_54D44D:				; CODE XREF: MiReplacePageOfProtoPool+42Bj
		add	ecx, 4
		cmp	ecx, edx
		ja	short loc_54D462
		mov	eax, [ecx]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_54D44D
		jmp	loc_54D32D
; 

loc_54D462:				; CODE XREF: MiReplacePageOfProtoPool+317j
					; MiReplacePageOfProtoPool+422j
		or	ecx, 0FFFFFFFFh

loc_54D465:				; CODE XREF: MiReplacePageOfProtoPool+320j
		mov	edx, [ebp+var_58]
		jmp	loc_5DD15A
; 

loc_54D46D:				; CODE XREF: MiReplacePageOfProtoPool+29Ej
		mov	eax, ebx

loc_54D46F:				; CODE XREF: MiReplacePageOfProtoPool+900B6j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_54D480:				; CODE XREF: MiReplacePageOfProtoPool+173j
		mov	ecx, [edx]
		mov	eax, edi
		and	eax, 1Fh
		mov	[ebp+var_54], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		jnz	loc_54D1A9
		push	20h
		pop	ebx
		sub	ebx, [ebp+var_54]
		cmp	ebx, 0FFFFFFFFh
		jnb	loc_54D1C7
		add	edx, 4
		jmp	short loc_54D4BE
; 

loc_54D4AF:				; CODE XREF: MiReplacePageOfProtoPool+4A2j
		add	ebx, 20h
		add	edx, 4
		cmp	ebx, 0FFFFFFFFh
		jnb	loc_54D1C7

loc_54D4BE:				; CODE XREF: MiReplacePageOfProtoPool+47Dj
		lea	eax, [ebp+var_C]
		cmp	edx, eax
		jnb	loc_54D1A9
		cmp	dword ptr [edx], 0
		jnz	loc_54D1A9
		jmp	short loc_54D4AF
; 

loc_54D4D4:				; CODE XREF: MiReplacePageOfProtoPool+CBj
		mov	ecx, [ebp+var_54]

loc_54D4D7:				; CODE XREF: MiReplacePageOfProtoPool+4B5j
		add	esi, 4
		cmp	esi, ecx
		ja	short loc_54D4EC
		mov	eax, [esi]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_54D4D7
		jmp	loc_54D101
; 

loc_54D4EC:				; CODE XREF: MiReplacePageOfProtoPool+E8j
					; MiReplacePageOfProtoPool+4ACj
		or	esi, 0FFFFFFFFh

loc_54D4EF:				; CODE XREF: MiReplacePageOfProtoPool+F1j
		mov	ecx, [ebp+var_50]
		mov	edx, [ebp+var_58]
		jmp	loc_5DD0EE
; 

loc_54D4FA:				; CODE XREF: MiReplacePageOfProtoPool+10Fj
		xor	ebx, ebx

loc_54D4FC:				; CODE XREF: MiReplacePageOfProtoPool+19Fj
		mov	edi, 200h
		jmp	loc_54D1D5
MiReplacePageOfProtoPool endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetPrototypePteRanges	proc near	; CODE XREF: MiReplacePageOfProtoPool+58p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DD17C SIZE 00000009 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_18], edx
		push	esi
		push	edi
		push	offset unk_6CF4C4
		lea	eax, [ebx+1000h]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], 1
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	edi, dword_6CF4C0
		mov	[ebp+var_1], al
		test	edi, edi
		jz	short loc_54D570
		lea	esi, [ebx+0FFFh]

loc_54D54A:				; CODE XREF: MiGetPrototypePteRanges+5Cj
		and	[ebp+var_10], 0
		lea	edx, [ebp+var_10]
		mov	ecx, edi
		call	MiObtainProtoBaseFromNode
		mov	ecx, eax
		cmp	esi, ecx
		jnb	short loc_54D566
		mov	edi, [edi]

loc_54D560:				; CODE XREF: MiGetPrototypePteRanges+E1j
		test	edi, edi
		jnz	short loc_54D54A
		jmp	short loc_54D570
; 

loc_54D566:				; CODE XREF: MiGetPrototypePteRanges+56j
		mov	eax, [ebp+var_10]
		lea	eax, [ecx+eax*8]
		cmp	ebx, eax
		jnb	short loc_54D5E4

loc_54D570:				; CODE XREF: MiGetPrototypePteRanges+3Cj
					; MiGetPrototypePteRanges+5Ej
		mov	esi, edi
		test	edi, edi
		jz	loc_54D658

loc_54D57A:				; CODE XREF: MiGetPrototypePteRanges+125j
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	MiObtainProtoBaseFromNode
		mov	edx, [ebp+var_14]
		mov	ebx, eax
		mov	ecx, [ebp+var_8]
		cmp	ebx, edx
		jb	short loc_54D5EC

loc_54D590:				; CODE XREF: MiGetPrototypePteRanges+F5j
		lea	eax, [edx+1000h]
		cmp	ebx, eax
		jnb	short loc_54D5CA
		mov	eax, [esi+0Ch]
		and	al, 7
		cmp	al, 4
		jz	loc_5DD17C
		sub	ebx, edx
		mov	edx, 200h
		sar	ebx, 3
		lea	eax, [ecx+ebx]
		cmp	eax, edx
		ja	loc_54D673

loc_54D5BC:				; CODE XREF: MiGetPrototypePteRanges+174j
		push	ecx
		push	ebx
		push	[ebp+var_18]
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		test	ebx, ebx
		jnz	short loc_54D5FD

loc_54D5CA:				; CODE XREF: MiGetPrototypePteRanges+92j
					; MiGetPrototypePteRanges+F3j ...
		mov	esi, [edi+4]
		test	esi, esi
		jnz	short loc_54D633
		mov	esi, [edi+8]

loc_54D5D4:				; CODE XREF: MiGetPrototypePteRanges+DCj
		and	esi, 0FFFFFFFCh
		jz	short loc_54D643
		cmp	[esi], edi
		jz	short loc_54D643
		mov	edi, esi
		mov	esi, [esi+8]
		jmp	short loc_54D5D4
; 

loc_54D5E4:				; CODE XREF: MiGetPrototypePteRanges+68j
		mov	edi, [edi+4]
		jmp	loc_54D560
; 

loc_54D5EC:				; CODE XREF: MiGetPrototypePteRanges+88j
		lea	eax, [ebx+ecx*8]
		cmp	eax, edx
		ja	loc_54D67F

loc_54D5F7:				; CODE XREF: MiGetPrototypePteRanges+187j
		cmp	ebx, edx
		jb	short loc_54D5CA
		jmp	short loc_54D590
; 

loc_54D5FD:				; CODE XREF: MiGetPrototypePteRanges+C2j
		mov	eax, [esi]
		mov	ecx, esi
		test	eax, eax
		jnz	short loc_54D616

loc_54D605:				; CODE XREF: MiGetPrototypePteRanges+10Ej
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	short loc_54D629
		cmp	[esi+4], ecx
		jz	short loc_54D629
		mov	ecx, esi
		jmp	short loc_54D605
; 

loc_54D616:				; CODE XREF: MiGetPrototypePteRanges+FDj
		mov	esi, eax
		cmp	dword ptr [esi+4], 0
		jz	short loc_54D629

loc_54D61E:				; CODE XREF: MiGetPrototypePteRanges+121j
		mov	eax, [esi+4]
		mov	esi, eax
		cmp	dword ptr [eax+4], 0
		jnz	short loc_54D61E

loc_54D629:				; CODE XREF: MiGetPrototypePteRanges+105j
					; MiGetPrototypePteRanges+10Aj	...
		test	esi, esi
		jnz	loc_54D57A
		jmp	short loc_54D5CA
; 

loc_54D633:				; CODE XREF: MiGetPrototypePteRanges+C9j
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_54D643

loc_54D639:				; CODE XREF: MiGetPrototypePteRanges+13Bj
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_54D639

loc_54D643:				; CODE XREF: MiGetPrototypePteRanges+D1j
					; MiGetPrototypePteRanges+D5j ...
		test	esi, esi
		jz	short loc_54D658
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	MiObtainProtoBaseFromNode
		mov	edi, eax
		cmp	edi, [ebp+var_1C]
		jb	short loc_54D692

loc_54D658:				; CODE XREF: MiGetPrototypePteRanges+6Ej
					; MiGetPrototypePteRanges+13Fj	...
		push	offset unk_6CF4C4
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_C]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_54D673:				; CODE XREF: MiGetPrototypePteRanges+B0j
		mov	ecx, edx
		sub	ecx, ebx
		mov	[ebp+var_8], ecx
		jmp	loc_54D5BC
; 

loc_54D67F:				; CODE XREF: MiGetPrototypePteRanges+EBj
		mov	eax, edx
		sub	eax, ebx
		mov	ebx, edx
		sar	eax, 3
		sub	ecx, eax
		mov	[ebp+var_8], ecx
		jmp	loc_54D5F7
; 

loc_54D692:				; CODE XREF: MiGetPrototypePteRanges+150j
		mov	ecx, [ebp+var_14]
		cmp	edi, ecx
		jb	short loc_54D658
		mov	eax, [esi+0Ch]
		and	al, 7
		cmp	al, 4
		jz	short loc_54D70F
		mov	ebx, [ebp+var_8]
		sub	edi, ecx
		sar	edi, 3
		mov	ecx, 200h
		lea	eax, [ebx+edi]
		cmp	eax, ecx
		ja	short loc_54D706

loc_54D6B6:				; CODE XREF: MiGetPrototypePteRanges+207j
		push	ebx
		push	edi
		push	[ebp+var_18]
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		lea	eax, [ebx+edi]
		cmp	eax, 200h
		jz	short loc_54D658
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jnz	short loc_54D6EB

loc_54D6D3:				; CODE XREF: MiGetPrototypePteRanges+1E3j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	loc_54D643
		cmp	[esi], ecx
		jz	loc_54D643
		mov	ecx, esi
		jmp	short loc_54D6D3
; 

loc_54D6EB:				; CODE XREF: MiGetPrototypePteRanges+1CBj
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	loc_54D643

loc_54D6F7:				; CODE XREF: MiGetPrototypePteRanges+1F9j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_54D6F7
		jmp	loc_54D643
; 

loc_54D706:				; CODE XREF: MiGetPrototypePteRanges+1AEj
		mov	ebx, ecx
		sub	ebx, edi
		mov	[ebp+var_8], ebx
		jmp	short loc_54D6B6
; 

loc_54D70F:				; CODE XREF: MiGetPrototypePteRanges+19Aj
		and	[ebp+var_C], 0
		jmp	loc_54D658
MiGetPrototypePteRanges	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiProcessDereferenceList proc near	; CODE XREF: MiDereferenceSegmentThread+C3p
					; MiRemoveUnusedSegments(x,x)+100p

var_42		= byte ptr -42h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DD185 SIZE 000001A9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		push	34h		; size_t
		lea	eax, [esp+54h+var_34]
		mov	[esp+54h+var_3C], edx
		push	0		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		and	[esp+5Ch+var_40], 0
		lea	eax, [ebx+340h]
		add	esp, 0Ch
		push	eax
		call	ExAcquireSpinLockExclusive
		lea	edi, [ebx+3CCh]

loc_54D754:				; CODE XREF: MiProcessDereferenceList+B3j
		mov	[esp+50h+var_41], al

loc_54D758:				; CODE XREF: MiProcessDereferenceList+F5j
					; MiProcessDereferenceList+107j ...
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_54D7CD
		cmp	[esi+4], edi
		jnz	loc_54D883
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_54D883
		mov	[edi], eax
		mov	[eax+4], edi
		lea	eax, [esi+20h]
		push	eax
		mov	[esp+54h+var_38], eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jz	loc_54D857
		and	dword ptr [esi+18h], 0F7FFFFFFh
		lea	eax, [ebx+340h]
		push	eax
		mov	[esi+4], esi
		mov	[esi], esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		push	[esp+50h+var_38]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+50h+var_41]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	ecx, [esi-4]
		call	MiSegmentDelete

loc_54D7BF:				; CODE XREF: MiProcessDereferenceList+166j
		lea	eax, [ebx+340h]
		push	eax
		call	ExAcquireSpinLockExclusive
		jmp	short loc_54D754
; 

loc_54D7CD:				; CODE XREF: MiProcessDereferenceList+44j
		lea	edi, [ebx+340h]

loc_54D7D3:				; CODE XREF: MiProcessDereferenceList+8FB6Ej
		lea	ecx, [ebx+3DCh]

loc_54D7D9:				; CODE XREF: MiProcessDereferenceList+8FAD4j
					; MiProcessDereferenceList+8FB5Aj
		mov	eax, [ecx]
		cmp	eax, ecx
		jnz	loc_5DD185
		mov	esi, [esp+50h+var_3C]
		test	esi, esi
		jz	short loc_54D805

loc_54D7EB:				; CODE XREF: MiProcessDereferenceList+8FBF9j
		lea	ecx, [ebx+3D4h]
		mov	eax, [ecx]
		cmp	eax, ecx
		jnz	loc_5DD28B
		mov	esi, [esp+50h+var_3C]
		lea	ecx, [ebx+3DCh]

loc_54D805:				; CODE XREF: MiProcessDereferenceList+D1j
		lea	edi, [ebx+3CCh]
		cmp	[edi], edi
		jnz	loc_54D758
		test	esi, esi
		jz	short loc_54D825
		lea	eax, [ebx+3D4h]
		cmp	[eax], eax
		jnz	loc_54D758

loc_54D825:				; CODE XREF: MiProcessDereferenceList+FDj
		cmp	[ecx], ecx
		jnz	loc_54D758
		lea	eax, [ebx+340h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+50h+var_41]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	dword ptr [ebx+46Ch], 0
		jnz	loc_5DD316

loc_54D850:				; CODE XREF: MiProcessDereferenceList+8FC11j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_54D857:				; CODE XREF: MiProcessDereferenceList+6Ej
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_54D883
		mov	[esi], eax
		mov	[esi+4], edi
		mov	[eax+4], esi
		lea	eax, [ebx+340h]
		push	eax
		mov	[edi], esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+50h+var_41]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_54D7BF
; 

loc_54D883:				; CODE XREF: MiProcessDereferenceList+49j
					; MiProcessDereferenceList+54j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
MiProcessDereferenceList endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiValidatePagefilePageHash proc	near	; CODE XREF: .text:00449204p
					; MiMakeOutswappedPageResident(x,x,x,x,x)+68Ep

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DD32E SIZE 00000085 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax+98h]
		lea	edx, [eax+0A8h]
		test	ecx, ecx
		jnz	loc_5DD32E

loc_54D8B3:				; CODE XREF: MiValidatePagefilePageHash+8FAA8j
		mov	eax, [eax+34h]
		lea	edi, [edx+1Ch]
		mov	ecx, [edx+18h]
		add	eax, 0FFFh
		add	ecx, [edx+10h]
		and	ecx, 0FFFh
		add	eax, ecx
		shr	eax, 0Ch
		add	eax, 7
		lea	esi, [edx+eax*4]
		xor	eax, eax
		test	byte ptr [edx+6], 5
		mov	ebx, eax
		mov	[ebp+var_6C], esi
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_64], eax
		mov	[ebp+var_58], eax
		jz	loc_54DA40
		mov	eax, [edx+0Ch]

loc_54D8F2:				; CODE XREF: MiValidatePagefilePageHash+1C8j
		mov	[ebp+var_5C], eax
		cmp	edi, esi
		jnb	loc_54D9ED
		mov	ecx, esi
		sub	ecx, edi
		mov	[ebp+var_60], ecx

loc_54D904:				; CODE XREF: MiValidatePagefilePageHash+15Fj
		mov	edx, [edi]
		imul	esi, edx, 1Ch
		mov	[ebp+var_70], edx
		add	esi, ds:_MmPfnDatabase
		cmp	esi, dword_6D34E8
		jz	loc_54D9CB
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp+var_4D], al
		lea	eax, [esi+10h]
		test	dword ptr [eax], 40000000h
		mov	[ebp+var_54], eax
		jnz	short loc_54D9AF
		lea	ebx, [esi+8]
		mov	edx, [ebx]
		mov	ecx, [ebx+4]
		shrd	edx, ecx, 5
		and	edx, 1Fh
		test	byte ptr ds:dword_7051B8, 1
		jnz	short loc_54D96A
		cmp	edx, 1Fh
		jz	short loc_54D96A
		mov	eax, edx
		shr	eax, 3
		cmp	eax, 3
		jz	loc_5DD335

loc_54D961:				; CODE XREF: MiValidatePagefilePageHash+8FAB0j
		cmp	eax, 1
		jz	loc_5DD33E

loc_54D96A:				; CODE XREF: MiValidatePagefilePageHash+C4j
					; MiValidatePagefilePageHash+C9j
		mov	edx, [ebp+var_5C]
		mov	ecx, esi
		call	MiComputePageHash
		cmp	[ebp+var_58], 0
		mov	[ebp+var_68], eax
		jz	loc_54DA25

loc_54D981:				; CODE XREF: MiValidatePagefilePageHash+1B3j
		mov	ecx, ebx
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5DD346
		mov	esi, [ebp+var_4C]
		cmp	esi, [ebp+var_64]
		jnb	short loc_54D9FE

loc_54D99A:				; CODE XREF: MiValidatePagefilePageHash+198j
		mov	esi, [ebp+esi*4+var_48]
		mov	ecx, [ebp+var_68]
		mov	eax, [ebp+var_54]
		cmp	ecx, esi
		jnz	loc_5DD34C

loc_54D9AC:				; CODE XREF: MiValidatePagefilePageHash+8FAB9j
					; MiValidatePagefilePageHash+8FACAj ...
		mov	ebx, [ebp+var_4C]

loc_54D9AF:				; CODE XREF: MiValidatePagefilePageHash+ACj
		mov	cl, [ebp+var_4D]
		cmp	cl, 21h
		jz	short loc_54D9C5
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_54D9C5:				; CODE XREF: MiValidatePagefilePageHash+12Dj
		mov	ecx, [ebp+var_60]
		mov	eax, [ebp+var_5C]

loc_54D9CB:				; CODE XREF: MiValidatePagefilePageHash+90j
		inc	ebx
		mov	[ebp+var_4C], ebx
		test	eax, eax
		jz	short loc_54D9DB
		add	eax, 1000h
		mov	[ebp+var_5C], eax

loc_54D9DB:				; CODE XREF: MiValidatePagefilePageHash+149j
		add	edi, 4
		sub	ecx, 4
		mov	[ebp+var_60], ecx
		cmp	edi, [ebp+var_6C]
		jb	loc_54D904

loc_54D9ED:				; CODE XREF: MiValidatePagefilePageHash+6Fj
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_54D9FE:				; CODE XREF: MiValidatePagefilePageHash+110j
		mov	eax, [ebp+var_60]
		sar	eax, 2
		mov	[ebp+var_64], eax
		cmp	eax, 10h
		ja	short loc_54DA55

loc_54DA0C:				; CODE XREF: MiValidatePagefilePageHash+1D3j
		lea	ecx, [ebp+var_48]
		mov	edx, ebx
		push	ecx
		mov	ecx, [ebp+var_58]
		push	eax
		call	_MiObtainPagefileHashes@16 ; MiObtainPagefileHashes(x,x,x,x)
		xor	esi, esi
		mov	[ebp+var_4C], esi
		jmp	loc_54D99A
; 

loc_54DA25:				; CODE XREF: MiValidatePagefilePageHash+F3j
		mov	esi, [ebx]
		mov	edx, [ebx+4]
		shrd	esi, edx, 0Ch
		and	esi, 0Fh
		mov	eax, dword_6D5D94[esi*4]
		mov	[ebp+var_58], eax
		jmp	loc_54D981
; 

loc_54DA40:				; CODE XREF: MiValidatePagefilePageHash+61j
		push	0C0000010h
		push	eax
		push	eax
		push	1
		push	eax
		push	edx
		call	MmMapLockedPagesSpecifyCache
		jmp	loc_54D8F2
; 

loc_54DA55:				; CODE XREF: MiValidatePagefilePageHash+182j
		push	10h
		pop	eax
		mov	[ebp+var_64], eax
		jmp	short loc_54DA0C
MiValidatePagefilePageHash endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiObtainPagefileHashes(x, x, x, x)
_MiObtainPagefileHashes@16 proc	near	; CODE XREF: MiValidatePagefilePageHash+18Ep

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		lea	ebx, [esi+88h]
		push	ebx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	ecx, [esi+80h]
		mov	[ebp+var_1], al
		lea	edx, [ecx+edi*4]
		mov	edi, [ebp+arg_0]
		xor	ecx, ecx
		test	edi, edi
		jz	short loc_54DAB4
		mov	esi, [ebp+arg_4]

loc_54DA8F:				; CODE XREF: MiObtainPagefileHashes(x,x,x,x)+54j
		mov	eax, edx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	eax, [eax-40000000h]
		and	eax, 1
		or	eax, 0
		jz	short loc_54DACA
		mov	eax, [edx]

loc_54DAA9:				; CODE XREF: MiObtainPagefileHashes(x,x,x,x)+6Ej
		add	edx, 4
		mov	[esi+ecx*4], eax
		inc	ecx
		cmp	ecx, edi
		jb	short loc_54DA8F

loc_54DAB4:				; CODE XREF: MiObtainPagefileHashes(x,x,x,x)+2Cj
		push	ebx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_54DACA:				; CODE XREF: MiObtainPagefileHashes(x,x,x,x)+47j
		xor	eax, eax
		jmp	short loc_54DAA9
_MiObtainPagefileHashes@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 294. EtwTelemetryCoverageReport

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTelemetryCoverageReport(x)
		public _EtwTelemetryCoverageReport@4
_EtwTelemetryCoverageReport@4 proc near	; CODE XREF: EtwpCoverageRecordAtHighIrql(x)+58p
					; PsSetProcessFaultInformation+99p ...

var_D2		= byte ptr -0D2h
var_D1		= byte ptr -0D1h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0D4h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[esp+0DCh+var_CC], ebx
		push	edi
		mov	[esp+0E0h+var_B8], esi
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jnz	short loc_54DB0D
		add	al, 1Fh
		jmp	short loc_54DB13
; 

loc_54DB0D:				; CODE XREF: EtwTelemetryCoverageReport(x)+33j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()

loc_54DB13:				; CODE XREF: EtwTelemetryCoverageReport(x)+37j
		mov	[esp+0E0h+var_BC], esi
		mov	edi, esi
		mov	[esp+0E0h+var_C4], esi
		cmp	al, 2
		jnb	short loc_54DB2C
		test	byte ptr [ebx+0Ch], 1
		jnz	short loc_54DB2C
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_54DB2E
; 

loc_54DB2C:				; CODE XREF: EtwTelemetryCoverageReport(x)+4Bj
					; EtwTelemetryCoverageReport(x)+51j
		mov	ebx, esi

loc_54DB2E:				; CODE XREF: EtwTelemetryCoverageReport(x)+56j
		cmp	_EtwpCoverageNonPagedContext, esi
		jnz	short loc_54DB53
		test	ebx, ebx
		jnz	short loc_54DB44
		mov	esi, 0C00000B7h
		jmp	loc_54DEEF
; 

loc_54DB44:				; CODE XREF: EtwTelemetryCoverageReport(x)+64j
		call	_EtwpCoverageEnsureContext@0 ; EtwpCoverageEnsureContext()
		mov	esi, eax
		test	esi, esi
		js	loc_54DEEF

loc_54DB53:				; CODE XREF: EtwTelemetryCoverageReport(x)+60j
		mov	eax, _EtwpCoverageNonPagedContext
		mov	edx, [esp+0E0h+var_CC]
		mov	[esp+0E0h+var_C8], eax
		lea	esi, [eax+18h]
		cmp	dword ptr [edx+8], 0FFFFFF00h
		jb	short loc_54DB76
		mov	esi, 0C00000BBh
		jmp	loc_54DEEF
; 

loc_54DB76:				; CODE XREF: EtwTelemetryCoverageReport(x)+96j
		test	ebx, ebx
		jz	short loc_54DB8C
		mov	ecx, _EtwpCoverageContext
		call	_EtwpCoverageRecord@8 ;	EtwpCoverageRecord(x,x)
		xor	esi, esi
		jmp	loc_54DEEF
; 

loc_54DB8C:				; CODE XREF: EtwTelemetryCoverageReport(x)+A4j
		mov	ebx, [esp+0E0h+var_CC]
		lea	edx, [esp+0E0h+var_BC]
		mov	ecx, ebx
		mov	[esp+0E0h+var_C0], 1
		call	_EtwpCoverageValidateCP@8 ; EtwpCoverageValidateCP(x,x)
		test	eax, eax
		jnz	short loc_54DBB5
		mov	esi, 0C000000Dh

loc_54DBAC:				; CODE XREF: EtwTelemetryCoverageReport(x)+FFj
		mov	[esp+0E0h+var_D0], esi
		jmp	loc_54DD67
; 

loc_54DBB5:				; CODE XREF: EtwTelemetryCoverageReport(x)+D1j
		mov	eax, [esp+0E0h+var_C8]
		mov	ecx, [ebx+8]
		mov	[esp+0E0h+var_B4], ecx
		mov	eax, [eax]
		cmp	ecx, eax
		jb	short loc_54DBD5
		xor	eax, eax
		inc	eax
		xor	esi, esi
		mov	[esp+0E0h+var_C4], eax
		mov	[esp+0E0h+var_B8], eax
		jmp	short loc_54DBAC
; 

loc_54DBD5:				; CODE XREF: EtwTelemetryCoverageReport(x)+F0j
		mov	[ebx+8], eax

loc_54DBD8:				; CODE XREF: EtwTelemetryCoverageReport(x)+219j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[esp+0E0h+var_D1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi+4]
		mov	eax, [esi+20h]
		mov	[esp+0E0h+var_D0], eax
		test	ecx, ecx
		jz	short loc_54DC0F
		push	[esp+0E0h+var_BC]
		mov	edx, [ebx]
		call	_EtwpCoverageAddToStringBuffer@12 ; EtwpCoverageAddToStringBuffer(x,x,x)
		mov	[esp+0E0h+var_C4], eax
		cmp	eax, 1
		jz	loc_54DCF2

loc_54DC0F:				; CODE XREF: EtwTelemetryCoverageReport(x)+121j
		test	ds:byte_70EFC6,	1
		jz	short loc_54DC24
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_54DC29
; 

loc_54DC24:				; CODE XREF: EtwTelemetryCoverageReport(x)+142j
		xor	eax, eax
		lock and [esi],	eax

loc_54DC29:				; CODE XREF: EtwTelemetryCoverageReport(x)+14Ej
		mov	cl, [esp+0E0h+var_D1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jnz	short loc_54DC77
		push	56777445h
		push	400h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_54DD34
		push	400h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		lea	eax, [edi+14h]
		add	esp, 0Ch
		lea	ecx, [edi+400h]
		mov	[edi+0Ch], eax
		mov	[edi+8], ecx
		mov	[edi+10h], eax

loc_54DC77:				; CODE XREF: EtwTelemetryCoverageReport(x)+161j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[esp+0E0h+var_D1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [esi+20h]
		cmp	[esp+0E0h+var_D0], eax
		jnz	short loc_54DCC9
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_54DCC0
		lea	edx, [esi+8]
		mov	ebx, [edx+4]
		mov	[esp+0E0h+var_D0], ebx
		cmp	[ebx], edx
		mov	ebx, [esp+0E0h+var_CC]
		jz	short loc_54DCAF
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_54DCAF:				; CODE XREF: EtwTelemetryCoverageReport(x)+1D4j
		mov	eax, [esp+0E0h+var_D0]
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[edx+4], ecx
		mov	eax, [esi+20h]

loc_54DCC0:				; CODE XREF: EtwTelemetryCoverageReport(x)+1C2j
		inc	eax
		mov	[esi+4], edi
		mov	[esi+20h], eax
		xor	edi, edi

loc_54DCC9:				; CODE XREF: EtwTelemetryCoverageReport(x)+1BBj
		test	ds:byte_70EFC6,	1
		jz	short loc_54DCDE
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_54DCE3
; 

loc_54DCDE:				; CODE XREF: EtwTelemetryCoverageReport(x)+1FCj
		xor	eax, eax
		lock and [esi],	eax

loc_54DCE3:				; CODE XREF: EtwTelemetryCoverageReport(x)+208j
		mov	cl, [esp+0E0h+var_D1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_54DBD8
; 

loc_54DCF2:				; CODE XREF: EtwTelemetryCoverageReport(x)+135j
		cmp	dword ptr [esi+24h], 0
		jnz	short loc_54DD0A
		push	1
		lea	eax, [esi+10h]
		push	eax
		call	ExQueueWorkItem
		mov	dword ptr [esi+24h], 1

loc_54DD0A:				; CODE XREF: EtwTelemetryCoverageReport(x)+222j
		test	ds:byte_70EFC6,	1
		jz	short loc_54DD1F
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_54DD24
; 

loc_54DD1F:				; CODE XREF: EtwTelemetryCoverageReport(x)+23Dj
		xor	eax, eax
		lock and [esi],	eax

loc_54DD24:				; CODE XREF: EtwTelemetryCoverageReport(x)+249j
		mov	cl, [esp+0E0h+var_D1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	ebx, ebx
		xor	esi, esi
		jmp	short loc_54DD4C
; 

loc_54DD34:				; CODE XREF: EtwTelemetryCoverageReport(x)+17Bj
		mov	eax, [esp+0E0h+var_B4]
		mov	[ebx+8], eax
		mov	eax, [esp+0E0h+var_C8]
		lock inc dword ptr [eax+4]
		mov	ebx, [esp+0E0h+var_C0]
		mov	esi, 0C000009Ah

loc_54DD4C:				; CODE XREF: EtwTelemetryCoverageReport(x)+25Ej
		mov	[esp+0E0h+var_D0], esi
		test	edi, edi
		jz	short loc_54DD5F
		push	56777445h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_54DD5F:				; CODE XREF: EtwTelemetryCoverageReport(x)+27Ej
		test	ebx, ebx
		jz	loc_54DEEF

loc_54DD67:				; CODE XREF: EtwTelemetryCoverageReport(x)+DCj
		cmp	_EtwpCoverageCoreTracingEnabled, 0
		jz	loc_54DEEF
		mov	ecx, ds:0FFDF0004h
		mov	ebx, 0FFDF0324h
		mov	[esp+0E0h+var_C0], ecx
		mov	edi, [ebx]
		lea	eax, [ebx-4]
		mov	edx, [eax]
		add	eax, 8
		mov	eax, [eax]
		cmp	edi, eax
		jz	short loc_54DDAD
		lea	eax, [ebx-4]
		lea	esi, [ebx+4]

loc_54DD99:				; CODE XREF: EtwTelemetryCoverageReport(x)+2CFj
		pause
		mov	edi, [ebx]
		mov	edx, [eax]
		mov	ecx, [esi]
		cmp	edi, ecx
		jnz	short loc_54DD99
		mov	esi, [esp+0E0h+var_D0]
		mov	ecx, [esp+0E0h+var_C0]

loc_54DDAD:				; CODE XREF: EtwTelemetryCoverageReport(x)+2BDj
		mov	eax, edx
		shl	edi, 8
		mul	ecx
		imul	edi, ecx
		mov	ebx, eax
		shrd	ebx, edx, 18h
		add	ebx, edi
		cmp	dword_6B2A68, 5
		jbe	loc_54DEEF
		xor	edi, edi
		mov	ecx, offset dword_6B2A68
		push	edi
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_54DEEF
		mov	ecx, [esp+0E0h+var_C8]
		push	4
		pop	edx
		mov	[esp+0E0h+var_70], edx
		mov	eax, [ecx]
		mov	[esp+0E0h+var_B0], eax
		lea	eax, [esp+0E0h+var_B0]
		mov	[esp+0E0h+var_78], eax
		mov	eax, [ecx+4]
		mov	[esp+0E0h+var_AC], eax
		lea	eax, [esp+0E0h+var_AC]
		mov	[esp+0E0h+var_68], eax
		mov	eax, ebx
		sub	eax, [ecx+10h]
		sub	ebx, [ecx+14h]
		lea	ecx, [esp+0E0h+var_18]
		mov	[esp+0E0h+var_A8], eax
		lea	eax, [esp+0E0h+var_A8]
		mov	[esp+0E0h+var_58], eax
		lea	eax, [esp+0E0h+var_A4]
		mov	[esp+0E0h+var_48], eax
		mov	eax, [esp+0E0h+var_C4]
		mov	[esp+0E0h+var_A0], eax
		lea	eax, [esp+0E0h+var_A0]
		mov	[esp+0E0h+var_60], edx
		mov	[esp+0E0h+var_50], edx
		mov	[esp+0E0h+var_40], edx
		mov	[esp+0E0h+var_30], edx
		mov	[esp+0E0h+var_20], edx
		mov	edx, [esp+0E0h+var_CC]
		mov	[esp+0E0h+var_38], eax
		mov	eax, [esp+0E0h+var_B8]
		mov	[esp+0E0h+var_9C], eax
		lea	eax, [esp+0E0h+var_9C]
		mov	edx, [edx]
		mov	[esp+0E0h+var_74], edi
		mov	[esp+0E0h+var_6C], edi
		mov	[esp+0E0h+var_64], edi
		mov	[esp+0E0h+var_5C], edi
		mov	[esp+0E0h+var_54], edi
		mov	[esp+0E0h+var_4C], edi
		mov	[esp+0E0h+var_A4], ebx
		mov	[esp+0E0h+var_44], edi
		mov	[esp+0E0h+var_3C], edi
		mov	[esp+0E0h+var_34], edi
		mov	[esp+0E0h+var_2C], edi
		mov	[esp+0E0h+var_28], eax
		mov	[esp+0E0h+var_24], edi
		mov	[esp+0E0h+var_1C], edi
		call	_tlgCreate1Sz_char
		lea	eax, [esp+0E0h+var_98]
		push	eax
		push	9
		push	edi
		push	edi
		push	(offset	loc_422D75+2)
		push	offset dword_6B2A68
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_54DEEF:				; CODE XREF: EtwTelemetryCoverageReport(x)+6Bj
					; EtwTelemetryCoverageReport(x)+79j ...
		mov	ecx, [esp+0E0h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_EtwTelemetryCoverageReport@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

TelemetryCoverageTableLocateInternal proc near ; CODE XREF: EtwpCoverageRecord(x,x)+117p
					; EtwpCoverageCheckCP(x,x)+5Ap	...

; FUNCTION CHUNK AT 005DD3B3 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	eax, [edi+4]
		lea	edx, [edi+34h]
		mov	esi, [edi+8]
		and	esi, ebx
		lea	edx, [edx+eax*4]
		cmp	esi, eax
		jnb	loc_5DD3A6

loc_54DF2B:				; CODE XREF: MiValidatePagefilePageHash+8FB26j
		lea	ecx, [edi+34h]
		lea	ecx, [ecx+esi*4]
		mov	eax, ecx
		cmp	ecx, edx
		jnb	short loc_54DF4C
		mov	esi, edx

loc_54DF39:				; CODE XREF: TelemetryCoverageTableLocateInternal+8F4B0j
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_54DF47
		cmp	edx, ebx
		jnz	loc_5DD3B3

loc_54DF47:				; CODE XREF: TelemetryCoverageTableLocateInternal+35j
					; TelemetryCoverageTableLocateInternal+8F4BFj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_54DF4C:				; CODE XREF: TelemetryCoverageTableLocateInternal+2Dj
					; TelemetryCoverageTableLocateInternal+8F4B6j
		lea	eax, [edi+34h]
		jmp	loc_5DD3D8
TelemetryCoverageTableLocateInternal endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageValidateCP(x, x)
_EtwpCoverageValidateCP@8 proc near	; CODE XREF: EtwTelemetryCoverageReport(x)+CAp
					; EtwpCoverageRecordAtHighIrql(x)+21p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		lea	edx, [ebp+var_4]
		mov	edi, [esi]
		mov	ecx, edi
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		cmp	eax, [esi+4]
		jnz	short loc_54DF8E
		mov	ecx, edi
		call	_TelemetryCoverageValidateName@4 ; TelemetryCoverageValidateName(x)
		test	eax, eax
		jz	short loc_54DF8E
		mov	eax, [ebp+var_4]
		mov	[ebx], eax
		xor	eax, eax
		inc	eax

loc_54DF89:				; CODE XREF: EtwpCoverageValidateCP(x,x)+40j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_54DF8E:				; CODE XREF: EtwpCoverageValidateCP(x,x)+20j
					; EtwpCoverageValidateCP(x,x)+2Bj
		or	dword ptr [esi+8], 0FFFFFFFFh
		xor	eax, eax
		jmp	short loc_54DF89
_EtwpCoverageValidateCP@8 endp


;  S U B	R O U T	I N E 


; __stdcall TelemetryCoverageValidateName(x)
_TelemetryCoverageValidateName@4 proc near ; CODE XREF:	EtwpCoverageValidateCP(x,x)+24p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, ecx
		inc	edi
		xor	esi, esi

loc_54DFA2:				; CODE XREF: TelemetryCoverageValidateName(x)+1Aj
		mov	dl, [ecx]
		cmp	dl, 61h
		jl	short loc_54DFB2
		cmp	dl, 7Ah
		jg	short loc_54DFB2

loc_54DFAE:				; CODE XREF: TelemetryCoverageValidateName(x)+24j
					; TelemetryCoverageValidateName(x)+2Bj
		inc	esi

loc_54DFAF:				; CODE XREF: TelemetryCoverageValidateName(x)+39j
		inc	ecx
		jmp	short loc_54DFA2
; 

loc_54DFB2:				; CODE XREF: TelemetryCoverageValidateName(x)+11j
					; TelemetryCoverageValidateName(x)+16j
		cmp	dl, 5Ah
		jg	short loc_54DFBC
		cmp	dl, 41h
		jge	short loc_54DFAE

loc_54DFBC:				; CODE XREF: TelemetryCoverageValidateName(x)+1Fj
		lea	eax, [edx-30h]
		cmp	al, 9
		jbe	short loc_54DFAE
		cmp	dl, 5Fh
		jnz	short loc_54DFD1
		test	esi, esi
		jz	short loc_54DFEC
		inc	edi
		xor	esi, esi
		jmp	short loc_54DFAF
; 

loc_54DFD1:				; CODE XREF: TelemetryCoverageValidateName(x)+30j
		test	dl, dl
		jnz	short loc_54DFEC
		test	esi, esi
		jz	short loc_54DFEC
		cmp	edi, 3
		jb	short loc_54DFEC
		sub	ecx, ebx
		cmp	ecx, 40h
		jge	short loc_54DFEC
		xor	eax, eax
		inc	eax

loc_54DFE8:				; CODE XREF: TelemetryCoverageValidateName(x)+58j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_54DFEC:				; CODE XREF: TelemetryCoverageValidateName(x)+34j
					; TelemetryCoverageValidateName(x)+3Dj	...
		xor	eax, eax
		jmp	short loc_54DFE8
_TelemetryCoverageValidateName@4 endp


;  S U B	R O U T	I N E 


; __stdcall TelemetryCoverageStringHashInternal(x, x)
_TelemetryCoverageStringHashInternal@8 proc near
					; CODE XREF: EtwpCoverageValidateCP(x,x)+18p
					; EtwpCoverageHighIrqlCPWorkItemCallback(x)+D4p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, 811C9DC5h
		mov	edi, ecx
		jmp	short loc_54E009
; 

loc_54DFFD:				; CODE XREF: TelemetryCoverageStringHashInternal(x,x)+1Dj
		imul	esi, 1000193h
		movsx	eax, al
		add	esi, eax
		inc	ecx

loc_54E009:				; CODE XREF: TelemetryCoverageStringHashInternal(x,x)+Bj
		mov	al, [ecx]
		test	al, al
		jnz	short loc_54DFFD
		sub	ecx, edi
		mov	[edx], ecx
		test	esi, esi
		jz	short loc_54E01C

loc_54E017:				; CODE XREF: TelemetryCoverageStringHashInternal(x,x)+2Fj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_54E01C:				; CODE XREF: TelemetryCoverageStringHashInternal(x,x)+25j
		xor	esi, esi
		inc	esi
		jmp	short loc_54E017
_TelemetryCoverageStringHashInternal@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageAddToStringBuffer(x, x,	x)
_EtwpCoverageAddToStringBuffer@12 proc near ; CODE XREF: EtwTelemetryCoverageReport(x)+129p
					; EtwpCoverageRecord(x,x)+14Cp	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	edx, [esi+8]
		mov	ecx, [esi+0Ch]
		sub	edx, ecx
		lea	eax, [edi+1]
		cmp	edx, eax
		jb	short loc_54E056
		push	ebx
		call	_RtlStringCchCopyA@12 ;	RtlStringCchCopyA(x,x,x)
		lea	eax, [edi+1]
		add	[esi+0Ch], eax
		xor	eax, eax
		inc	eax

loc_54E04F:				; CODE XREF: EtwpCoverageAddToStringBuffer(x,x,x)+36j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_54E056:				; CODE XREF: EtwpCoverageAddToStringBuffer(x,x,x)+1Cj
		xor	eax, eax
		jmp	short loc_54E04F
_EtwpCoverageAddToStringBuffer@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringCchCopyA(x, x, x)
_RtlStringCchCopyA@12 proc near		; CODE XREF: EtwpCoverageAddToStringBuffer(x,x,x)+1Fp
					; EtwpCoverageRecordAtHighIrql(x)+3Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		test	edx, edx
		jz	short loc_54E083
		cmp	edx, 7FFFFFFFh
		ja	short loc_54E083

loc_54E06D:				; CODE XREF: RtlStringCchCopyA(x,x,x)+2Ej
		test	eax, eax
		js	short loc_54E08A
		push	7FFFFFFEh
		push	[ebp+arg_0]
		push	ecx
		call	sub_54E094

loc_54E07F:				; CODE XREF: RtlStringCchCopyA(x,x,x)+32j
					; RtlStringCchCopyA(x,x,x)+37j
		pop	ebp
		retn	4
; 

loc_54E083:				; CODE XREF: RtlStringCchCopyA(x,x,x)+9j
					; RtlStringCchCopyA(x,x,x)+11j
		mov	eax, 0C000000Dh
		jmp	short loc_54E06D
; 

loc_54E08A:				; CODE XREF: RtlStringCchCopyA(x,x,x)+15j
		test	edx, edx
		jz	short loc_54E07F
		mov	byte ptr [ecx],	0
		jmp	short loc_54E07F
_RtlStringCchCopyA@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_54E094	proc near		; CODE XREF: RtlStringCchCopyA(x,x,x)+20p
					; RtlStringCbCopyNA+2Bp

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	edx, edx
		jz	short loc_54E0D8
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		sub	eax, ecx

loc_54E0A7:				; CODE XREF: sub_54E094+25j
		test	esi, esi
		jz	short loc_54E0BB
		mov	bl, [eax+ecx]
		test	bl, bl
		jz	short loc_54E0BB
		mov	[ecx], bl
		inc	ecx
		dec	esi
		sub	edx, 1
		jnz	short loc_54E0A7

loc_54E0BB:				; CODE XREF: sub_54E094+15j
					; sub_54E094+1Cj
		pop	esi
		pop	ebx
		test	edx, edx
		jz	short loc_54E0D8

loc_54E0C1:				; CODE XREF: sub_54E094+45j
		neg	edx
		mov	byte ptr [ecx],	0
		sbb	edx, edx
		and	edx, 7FFFFFFBh
		lea	eax, [edx-7FFFFFFBh]
		pop	ebp
		retn	0Ch
; 

loc_54E0D8:				; CODE XREF: sub_54E094+7j
					; sub_54E094+2Bj
		dec	ecx
		jmp	short loc_54E0C1
sub_54E094	endp

; 
		align 10h
; Exported entry 2450. SeConvertStringSecurityDescriptorToSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeConvertStringSecurityDescriptorToSecurityDescriptor
SeConvertStringSecurityDescriptorToSecurityDescriptor proc near
					; CODE XREF: IoCreateDeviceSecure:loc_850C98p
					; PipCreateDependencyNode+188p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005DD3E3 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jz	short loc_54E116
		cmp	[ebp+arg_8], 0
		jz	short loc_54E116
		sub	[ebp+arg_4], 1
		jnz	loc_5DD3E3
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		push	ecx
		call	LocalConvertStringSDToSD_Rev1

loc_54E10A:				; CODE XREF: SeConvertStringSecurityDescriptorToSecurityDescriptor+39j
		test	eax, eax
		jg	loc_5DD3E8

loc_54E112:				; CODE XREF: SeConvertStringSecurityDescriptorToSecurityDescriptor+8F310j
		pop	ebp
		retn	10h
; 

loc_54E116:				; CODE XREF: SeConvertStringSecurityDescriptorToSecurityDescriptor+9j
					; SeConvertStringSecurityDescriptorToSecurityDescriptor+Fj
		push	57h
		pop	eax
		jmp	short loc_54E10A
SeConvertStringSecurityDescriptorToSecurityDescriptor endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCaptureAndResetWorkingSetAccessBits proc near	; CODE XREF: MiTrimOrAgeWorkingSet+3C1p

var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F6		= byte ptr -1F6h
var_1EC		= dword	ptr -1ECh
var_1E4		= dword	ptr -1E4h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_A4		= dword	ptr -0A4h
var_A0		= word ptr -0A0h
var_9C		= dword	ptr -9Ch
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005DD3F5 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 208h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		xor	edi, edi
		lea	eax, [ebp+var_A4]
		push	edi		; int
		push	eax		; void *
		mov	bl, dl
		mov	esi, ecx
		call	_memset
		push	4Ch		; size_t
		lea	eax, [ebp+var_1FC]
		mov	[ebp+var_204], edi
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_200], edi
		call	_memset
		push	108h		; size_t
		lea	eax, [ebp+var_1AC]
		push	edi		; int
		push	eax		; void *
		call	_memset
		or	[ebp+var_1E4], 0FFFFFFFFh
		add	esp, 24h
		xor	edx, edx
		mov	[ebp+var_1BC], offset _MiResetAccessBitPte@12 ;	MiResetAccessBitPte(x,x,x)
		test	byte ptr [esi+60h], 7
		mov	[ebp+var_1B8], offset MiResetAccessBitsTail
		push	6
		pop	eax
		mov	word ptr [ebp+var_1FC],	ax
		mov	[ebp+var_1EC], esi
		mov	[ebp+var_1F6], bl
		jnz	short loc_54E1C1
		cmp	[esi+1A4h], edx
		jnz	loc_5DD3F5

loc_54E1C1:				; CODE XREF: MiCaptureAndResetWorkingSetAccessBits+97j
					; MiCaptureAndResetWorkingSetAccessBits+8F2EFj
		test	[ebp+arg_0], 10h
		jz	short loc_54E1FD
		lea	eax, [ebp+var_A4]
		mov	ecx, esi
		mov	[ebp+var_204], eax
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		mov	[ebp+var_A4], eax
		mov	[ebp+var_A0], di
		mov	[ebp+var_94], edx
		mov	[ebp+var_9C], 21h
		mov	[ebp+var_90], edx

loc_54E1FD:				; CODE XREF: MiCaptureAndResetWorkingSetAccessBits+A9j
		mov	eax, dword_6D3154
		lea	ecx, [ebp+var_1FC]
		mov	[ebp+var_208], eax
		lea	eax, [ebp+var_208]
		mov	[ebp+var_1B4], eax
		call	MiWalkPageTables
		mov	ecx, esi
		call	MiDrainSystemAccessLog
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
MiCaptureAndResetWorkingSetAccessBits endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUseSlabAllocatorForDriverPage	proc near
					; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+2AAp
					; MiAllocateDriverPage+22p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DD410 SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr ds:_MiFlags+2,	1
		jnz	loc_5DD410

loc_54E24A:				; CODE XREF: MiUseSlabAllocatorForDriverPage+8F1E9j
		test	byte ptr [ecx+4], 10h
		jnz	loc_5DD435

loc_54E254:				; CODE XREF: MiUseSlabAllocatorForDriverPage+8F1FFj
		xor	eax, eax

loc_54E256:				; CODE XREF: MiUseSlabAllocatorForDriverPage+8F1F8j
					; MiUseSlabAllocatorForDriverPage+8F20Dj
		pop	ebp
		retn	4
MiUseSlabAllocatorForDriverPage	endp


;  S U B	R O U T	I N E 


; __stdcall MiPreInitializeSystemImagePage(x)
_MiPreInitializeSystemImagePage@4 proc near ; CODE XREF: MiAllocateDriverPage+9Ap
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	dl, [esi+16h]
		lea	ecx, [esi+10h]
		and	dword ptr [ecx], 0C0000000h
		and	dl, 0FDh
		or	dl, 5
		mov	[esi+16h], dl
		xor	edx, edx
		mov	[esi+14h], dx
		mov	edx, 7FFFFFFFh
		and	[esi+18h], edx
		and	byte ptr [esi+16h], 0C7h
		and	byte ptr [esi+17h], 0DFh
		lock and [ecx],	edx
		mov	cl, al
		pop	esi
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiPreInitializeSystemImagePage@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTradeActivePage(x, x, x, x, x, x)
_MiTradeActivePage@24 proc near		; CODE XREF: MiLockCode(x,x,x,x)+466p
					; MiReplaceLockedPage(x,x,x,x,x)+B1p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], ebx
		lea	eax, [ebx+10h]
		inc	edi
		mov	[ebp+var_10], eax
		mov	eax, [eax]
		and	eax, 3FFFFFFFh
		cmp	eax, edi
		jnz	short loc_54E336
		cmp	[ebx+14h], di
		jnz	short loc_54E336
		mov	eax, edx
		sub	eax, ds:_MmPfnDatabase
		cdq
		push	1Ch
		pop	esi
		idiv	esi
		mov	[ebp+var_8], eax
		mov	eax, ebx
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	esi
		test	ds:_MiFlags, 8000h
		mov	[ebp+var_20], eax
		jz	short loc_54E305
		push	0
		xor	edx, edx
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		test	eax, eax
		jz	short loc_54E305
		mov	ecx, edi
		jmp	short loc_54E307
; 

loc_54E305:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+56j
					; MiTradeActivePage(x,x,x,x,x,x)+63j
		xor	ecx, ecx

loc_54E307:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+67j
		mov	edi, [ebp+arg_0]
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		mov	[ebp+var_18], edi
		mov	esi, [edi]
		nop
		cmp	[ebp+arg_8], 2
		mov	eax, esi
		mov	ebx, [edi+4]
		jnz	short loc_54E33F
		and	eax, 42h
		or	eax, 0
		jnz	short loc_54E336
		test	ecx, ecx
		jz	short loc_54E35B

loc_54E336:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+25j
					; MiTradeActivePage(x,x,x,x,x,x)+2Bj ...
		xor	eax, eax

loc_54E338:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+263j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_54E33F:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+8Cj
		and	eax, 0FFFFFFFEh
		or	eax, 400h
		mov	[edi], eax
		nop
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	[edi+4], ebx
		call	KeFlushSingleTb

loc_54E35B:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+98j
		mov	eax, [ebp+var_C]
		and	[ebp+var_14], 0
		movzx	eax, byte ptr [eax+16h]
		shr	eax, 6
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_10]
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_54E390
		mov	edi, eax

loc_54E378:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+E8j
					; MiTradeActivePage(x,x,x,x,x,x)+EFj
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_54E378
		lock bts dword ptr [edi], 1Fh
		jb	short loc_54E378
		mov	edi, [ebp+var_18]

loc_54E390:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+D8j
		mov	ecx, [ebp+var_4]
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_4]
		push	1
		call	_MiFinalizePageAttribute@12 ; MiFinalizePageAttribute(x,x,x)
		mov	edx, [ebp+var_C]
		push	ecx
		mov	ecx, [ebp+var_4]
		call	_MiCopyPfnEntryEx@12 ; MiCopyPfnEntryEx(x,x,x)
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_8]
		push	6
		push	0
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)
		mov	eax, [ebp+var_4]
		mov	edx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	edx
		mov	ecx, [ebp+var_C]
		mov	al, [ecx+16h]
		and	byte ptr [ecx+17h], 0F7h
		and	al, 0FDh
		and	[ecx+18h], edx
		or	al, 5
		mov	[ecx+16h], al
		lea	eax, [ecx+10h]
		and	byte ptr [ecx+16h], 0C7h
		and	byte ptr [ecx+17h], 0DFh
		lock and [eax],	edx
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		and	eax, 1FFFFFFh
		and	esi, 0FFFh
		shld	ecx, eax, 0Ch
		and	ebx, 0FFFFFFE0h
		shl	eax, 0Ch
		or	ebx, ecx
		or	esi, eax
		mov	[ebp+var_18], ecx
		cmp	[ebp+arg_8], 2
		mov	[ebp+var_8], eax
		mov	[ebp+var_1C], esi
		mov	[ebp+var_20], ebx
		jnz	short loc_54E440
		nop
		mov	ecx, ebx

loc_54E423:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+19Bj
					; MiTradeActivePage(x,x,x,x,x,x)+1A0j
		mov	esi, [edi]
		mov	eax, esi
		mov	edx, [edi+4]
		mov	[ebp+var_20], edx
		nop
		mov	ebx, [ebp+var_1C]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_54E423
		cmp	edx, [ebp+var_20]
		jnz	short loc_54E423
		jmp	short loc_54E49D
; 

loc_54E440:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+182j
		mov	ecx, edi
		xor	edx, edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_54E48A
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_54E462
		inc	edx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	short loc_54E48A
		jmp	short loc_54E47A
; 

loc_54E462:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+1B8j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_54E48A

loc_54E47A:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+1C4j
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_54E48A
		or	ebx, 80000000h

loc_54E48A:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+1AFj
					; MiTradeActivePage(x,x,x,x,x,x)+1C2j ...
		mov	[edi+4], ebx
		nop
		mov	[edi], esi
		test	edx, edx
		jz	short loc_54E49D
		push	ebx
		push	esi
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_54E49D:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+1A2j
					; MiTradeActivePage(x,x,x,x,x,x)+1F6j
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	KeFlushSingleTb
		mov	ecx, [ebp+var_4]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_54E4FC
		mov	edi, [ecx+4]
		or	edi, 80000000h
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		nop
		and	ecx, 0FFFh
		and	eax, 0FFFFFFE0h
		or	ecx, [ebp+var_8]
		or	eax, [ebp+var_18]
		mov	[ebp+arg_8], ecx
		mov	[ebp+arg_0], eax

loc_54E4DC:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+259j
					; MiTradeActivePage(x,x,x,x,x,x)+25Ej
		mov	esi, [edi]
		mov	eax, esi
		mov	edx, [edi+4]
		mov	[ebp+arg_4], edx
		nop
		mov	ebx, ecx
		mov	ecx, [ebp+arg_0]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+arg_8]
		cmp	eax, esi
		jnz	short loc_54E4DC
		cmp	edx, [ebp+arg_4]
		jnz	short loc_54E4DC

loc_54E4FC:				; CODE XREF: MiTradeActivePage(x,x,x,x,x,x)+219j
		xor	eax, eax
		inc	eax
		jmp	loc_54E338
_MiTradeActivePage@24 endp


;  S U B	R O U T	I N E 


MiStoreFaultComplete proc near		; CODE XREF: .text:00449172p
					; MiMakeOutswappedPageResident(x,x,x,x,x)+611p

; FUNCTION CHUNK AT 005DD44A SIZE 00000053 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	ecx, [edi+30h]
		mov	esi, [edi+34h]
		test	ecx, ecx
		js	loc_5DD44A
		mov	eax, esi
		movzx	ecx, si
		shl	eax, 10h
		or	eax, 1
		shl	ecx, 0Ch
		mov	[edi+34h], ecx

loc_54E52C:				; CODE XREF: MiStoreFaultComplete+8EF88j
					; MiStoreFaultComplete+8EF94j
		pop	edi
		pop	esi
		mov	[ebx], eax
		pop	ebx
		retn
MiStoreFaultComplete endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocatePfnRepurposeLogDispatch proc near ; DATA XREF: MiInitializeBootDefaults+B4o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DD49D SIZE 00000082 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_10]
		push	eax
		mov	[ebp+var_1C], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		call	KeQueryTickCount
		mov	ebx, [ebp+var_10]
		mov	edx, 70526D4Dh
		mov	esi, [ebp+var_C]
		mov	ecx, 1000h
		push	edi
		push	40h
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_54E594
		and	dword ptr [edi], 0
		lea	ecx, [edi+38h]
		mov	[edi+20h], ecx
		lea	ecx, [edi+0FFCh]
		mov	dword ptr [edi+4], 2
		mov	[edi+24h], ecx
		mov	[edi+10h], ebx
		mov	[edi+14h], esi

loc_54E594:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+41j
		and	[ebp+var_24], 0
		mov	eax, offset dword_6D3180
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_20], eax
		jnz	loc_5DD49D
		lea	edx, [ebp+var_24]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_54E6CD

loc_54E5BA:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+1A3j
					; MiAllocatePfnRepurposeLogDispatch+8EF75j
		cmp	dword_6D3154, 0
		mov	esi, dword_6D3260
		jz	loc_5DD4C4
		test	edi, edi
		jz	loc_5DD4AC
		mov	dword_6D3260, edi
		xor	edi, edi

loc_54E5DD:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+8EF7Cj
					; MiAllocatePfnRepurposeLogDispatch+8EF8Dj ...
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jnz	loc_5DD4D0
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_54E6E2
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jnz	loc_54E6DA

loc_54E60E:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+1BDj
					; MiAllocatePfnRepurposeLogDispatch+8EFA9j
		test	edi, edi
		jnz	loc_5DD4E0

loc_54E616:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+8EFB6j
		test	esi, esi
		jz	loc_54E6A3
		mov	ecx, [esi+20h]
		lea	edi, [esi+38h]
		cmp	ecx, edi
		jz	loc_54E6C3
		test	ecx, 0FFFh
		jz	short loc_54E660
		mov	eax, [ebp+var_C]
		cmp	eax, [esi+14h]
		ja	short loc_54E64E
		jb	loc_5DD4ED
		mov	eax, [ebp+var_10]
		cmp	eax, [esi+10h]
		jb	loc_5DD4ED

loc_54E64E:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+108j
		mov	edx, [ebp+var_8]
		mov	eax, [ebp+var_4]

loc_54E654:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+8EFD5j
		mov	[esi+18h], eax
		lea	eax, [ecx-4]
		mov	[esi+1Ch], edx
		mov	[esi+24h], eax

loc_54E660:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+100j
		mov	ecx, offset unk_6FB608
		mov	[esi+20h], edi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_54E6C3
		movzx	edi, word_6FB624
		cmp	edi, dword_6FB61C
		jnb	loc_5DD50C
		mov	edx, esi
		mov	ecx, offset unk_6FB620
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		cmp	edi, 8
		jnb	short loc_54E6AA

loc_54E695:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+17Fj
					; MiAllocatePfnRepurposeLogDispatch+18Fj ...
		mov	ecx, offset unk_6FB608
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		test	ebx, ebx
		jz	short loc_54E6C3

loc_54E6A3:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+E6j
					; MiAllocatePfnRepurposeLogDispatch+199j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_54E6AA:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+161j
		cmp	dword_6FB610, 0
		jnz	short loc_54E695
		push	0
		push	0
		push	offset unk_6FB60C
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_54E695
; 

loc_54E6C3:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+F4j
					; MiAllocatePfnRepurposeLogDispatch+13Dj ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_54E6A3
; 

loc_54E6CD:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+82j
		lea	ecx, [ebp+var_24]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_54E5BA
; 

loc_54E6DA:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+D6j
		lea	ecx, [ebp+var_24]
		call	KxWaitForLockChainValid

loc_54E6E2:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+BFj
		mov	[ebp+var_24], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_54E60E
MiAllocatePfnRepurposeLogDispatch endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSwapDirectoryTableBaseTarget(x, x, x, x)
_KiSwapDirectoryTableBaseTarget@16 proc	near
					; DATA XREF: KeSwapDirectoryTableBase(x,x,x)+2Fo

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	ebx, [eax+8]
		or	eax, 0FFFFFFFFh
		mov	esi, [ebp+arg_C]
		push	edi
		lock xadd [esi], eax
_KiSwapDirectoryTableBaseTarget@16 endp

		dec	eax
		mov	edi, eax
		mov	ecx, 80000000h
		not	edi
		and	edi, ecx
		test	eax, 7FFFFFFFh
		jnz	loc_54E7AC
		mov	eax, [esi+4]
		or	eax, edi
		mov	[esi], eax
		jmp	short loc_54E744
; 

loc_54E731:				; CODE XREF: .text:0054E742j
		lea	ecx, [ebp-4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		and	eax, 80000000h

loc_54E740:				; CODE XREF: .text:0054E7B0j
		cmp	eax, edi
		jnz	short loc_54E731

loc_54E744:				; CODE XREF: .text:0054E72Fj
		mov	edi, [ebp+0Ch]
		mov	ecx, [edi+0Ch]
		call	MmStealTopLevelPage
		test	eax, eax
		jnz	short loc_54E7C8

loc_54E753:				; CODE XREF: .text:0054E7CBj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		dec	eax
		mov	edi, eax
		mov	ecx, 80000000h
		not	edi
		and	edi, ecx
		test	eax, 7FFFFFFFh
		jnz	short loc_54E7B2
		mov	eax, [esi+4]
		or	eax, edi
		mov	[esi], eax
		jmp	short loc_54E789
; 

loc_54E776:				; CODE XREF: .text:0054E787j
		lea	ecx, [ebp+14h]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		and	eax, 80000000h

loc_54E785:				; CODE XREF: .text:0054E7BAj
		cmp	eax, edi
		jnz	short loc_54E776

loc_54E789:				; CODE XREF: .text:0054E774j
		mov	eax, [ebp+0Ch]
		cmp	byte ptr [eax],	0
		jz	short loc_54E79F
		mov	eax, large fs:124h
		cmp	[eax+80h], ebx
		jz	short loc_54E7BC

loc_54E79F:				; CODE XREF: .text:0054E78Fj
					; .text:0054E7C6j
		mov	eax, [ebp+10h]
		lock dec dword ptr [eax]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_54E7AC:				; CODE XREF: .text:0054E722j
		mov	eax, [esi]
		and	eax, ecx
		jmp	short loc_54E740
; 

loc_54E7B2:				; CODE XREF: .text:0054E76Bj
		mov	eax, [esi]
		and	dword ptr [ebp+14h], 0
		and	eax, ecx
		jmp	short loc_54E785
; 

loc_54E7BC:				; CODE XREF: .text:0054E79Dj
		mov	edx, [ebx+18h]
		mov	ecx, ebx
		call	_KiLoadDirectoryTableBase@8 ; KiLoadDirectoryTableBase(x,x)
		jmp	short loc_54E79F
; 

loc_54E7C8:				; CODE XREF: .text:0054E751j
		mov	byte ptr [edi],	1
		jmp	short loc_54E753
; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmStealTopLevelPage proc near		; CODE XREF: .text:0054E74Ap

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DD51F SIZE 000000BD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, large fs:124h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	[esp+28h+var_4], ebx
		cmp	[ebx+14h], eax
		jz	short loc_54E7F6
		xor	eax, eax

loc_54E7EF:				; CODE XREF: MmStealTopLevelPage+10Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_54E7F6:				; CODE XREF: MmStealTopLevelPage+1Dj
		mov	eax, [eax+80h]
		mov	edi, offset unk_6D3C40
		mov	[esp+28h+var_C], eax
		lea	ecx, [eax+240h]
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		jz	short loc_54E81A
		lea	edi, [ecx+80h]

loc_54E81A:				; CODE XREF: MmStealTopLevelPage+44j
		push	edi
		call	ExAcquireSpinLockExclusive
		xor	esi, esi
		mov	[esp+28h+var_19], al
		mov	ecx, ebx
		mov	[edi+4], esi
		call	_MiReplacePageTablePage@4 ; MiReplacePageTablePage(x)
		cmp	[ebx+1Ch], esi
		jl	loc_54E8C4
		mov	ecx, [ebx+4]
		mov	eax, [ebx+10h]
		shr	ecx, 0Ch
		mov	[esp+28h+var_10], eax
		and	ecx, 1FFh
		mov	eax, [ebx+8]
		lea	ecx, [eax+ecx*8]
		mov	edi, [ecx]
		nop
		mov	edx, [ecx+4]
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		nop
		mov	eax, ds:dword_40F9FC
		and	edi, 0FFFh
		and	[esp+28h+var_18], esi
		and	edx, 0FFFFFFE0h
		mov	[ecx+4], eax
		mov	eax, [esp+28h+var_10]
		and	eax, 1FFFFFFh
		shld	[esp+28h+var_18], eax, 0Ch
		or	edx, [esp+28h+var_18]
		shl	eax, 0Ch
		mov	[esp+28h+var_8], eax
		or	edi, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5DD51F

loc_54E89E:				; CODE XREF: MmStealTopLevelPage+8EDABj
		mov	eax, esi

loc_54E8A0:				; CODE XREF: MmStealTopLevelPage+8ED68j
					; MmStealTopLevelPage:loc_5DD552j ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], edi
		test	eax, eax
		jnz	loc_5DD581

loc_54E8AE:				; CODE XREF: MmStealTopLevelPage+8EDBAj
		cmp	[ebx+20h], esi
		jnz	short loc_54E8DE
		mov	eax, esi

loc_54E8B5:				; CODE XREF: MmStealTopLevelPage+187j
		mov	ecx, [esp+28h+var_10]
		mov	edx, esi
		push	eax
		call	MiPaeUpdateSelfMap
		xor	esi, esi
		inc	esi

loc_54E8C4:				; CODE XREF: MmStealTopLevelPage+65j
		mov	ecx, [esp+28h+var_C]
		mov	dl, [esp+28h+var_19]
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetExclusive
		mov	eax, esi
		jmp	loc_54E7EF
; 

loc_54E8DE:				; CODE XREF: MmStealTopLevelPage+E3j
		mov	ecx, [esp+28h+var_C]
		mov	ecx, [ecx+304h]
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	[esp+28h+var_14], ecx
		mov	ebx, [ecx]
		nop
		mov	edi, [ecx+4]
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		nop
		mov	eax, ds:dword_40F9FC
		xor	edx, edx
		mov	[ecx+4], eax
		push	2
		shl	ecx, 9
		call	KeFlushSingleTb
		mov	ecx, [esp+28h+var_14]
		and	ebx, 0FFFh
		or	ebx, [esp+28h+var_8]
		and	edi, 0FFFFFFE0h
		or	edi, [esp+28h+var_18]
		mov	edx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5DD58D

loc_54E941:				; CODE XREF: MmStealTopLevelPage+8EDD2j
					; MmStealTopLevelPage+8EDF0j ...
		mov	[ecx+4], edi
		nop
		mov	[ecx], ebx
		test	edx, edx
		jnz	short loc_54E95A

loc_54E94B:				; CODE XREF: MmStealTopLevelPage+193j
		mov	esi, [esp+28h+var_4]
		xor	eax, eax
		inc	eax
		mov	esi, [esi+20h]
		jmp	loc_54E8B5
; 

loc_54E95A:				; CODE XREF: MmStealTopLevelPage+17Bj
		push	edi
		push	ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	short loc_54E94B
MmStealTopLevelPage endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmProcessReadCompletion(struct SMKM_STORE_MGR<struct SM_TRAITS> *, struct SMKM_STORE_MGR<struct SM_TRAITS>::_SM_WORK_ITEM *, unsigned	long, struct SMKM_STORE<struct SM_TRAITS> *, long)
?SmProcessReadCompletion@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAU_SM_WORK_ITEM@1@KPAU?$SMKM_STORE@USM_TRAITS@@@@J@Z proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+11Fp

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, byte ptr [edx+4]
		push	esi
		mov	esi, [edx+18h]
		test	eax, eax
		jz	short loc_54E994
		mov	[esi+4], ax
		mov	al, [ecx+464h]
		and	al, 8
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, [ebp+arg_8]

loc_54E98D:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmProcessReadCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)+33j
		mov	[esi], eax
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_54E994:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmProcessReadCompletion(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,ulong,SMKM_STORE<SM_TRAITS> *,long)+Fj
		mov	eax, [ebp+arg_8]
		jmp	short loc_54E98D
?SmProcessReadCompletion@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAU_SM_WORK_ITEM@1@KPAU?$SMKM_STORE@USM_TRAITS@@@@J@Z endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringCchCatExW proc	near		; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+1AEp
					; _CmGetDeviceInterfaceRegKeyPath+1C6p	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DD5DC SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, edx
		mov	[ebp+var_4], eax
		mov	edi, ecx
		push	ecx
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlStringValidateDestAndLengthW
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_54E9ED
		mov	eax, [ebp+var_4]
		mov	edx, esi
		push	ebx
		sub	edx, eax
		lea	ebx, [edi+eax*2]
		xor	eax, eax
		mov	ecx, eax
		cmp	edx, 1
		jbe	loc_5DD5DC
		push	ecx
		push	[ebp+arg_0]
		lea	eax, [ebp+arg_0]
		mov	ecx, ebx
		push	eax
		call	sub_54E9F6
		mov	ecx, eax
		test	ecx, ecx
		js	loc_5DD5FC

loc_54E9EC:				; CODE XREF: RtlStringCchCatExW+8EC4Aj
					; RtlStringCchCatExW+8EC64j ...
		pop	ebx

loc_54E9ED:				; CODE XREF: RtlStringCchCatExW+1Fj
		pop	edi
		mov	eax, ecx
		pop	esi
		leave
		retn	10h
RtlStringCchCatExW endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_54E9F6	proc near		; CODE XREF: RtlStringCbCopyExW+68p
					; RtlStringCchCatExW+43p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	esi
		test	edx, edx
		jz	short loc_54EA51
		mov	esi, [ebp+arg_4]
		push	ebx
		push	edi
		mov	edi, 7FFFFFFEh
		sub	esi, ecx

loc_54EA0E:				; CODE XREF: sub_54E9F6+30j
		test	edi, edi
		jz	short loc_54EA28
		movzx	ebx, word ptr [esi+ecx]
		test	bx, bx
		jz	short loc_54EA28
		mov	[ecx], bx
		add	ecx, 2
		dec	edi
		inc	eax
		sub	edx, 1
		jnz	short loc_54EA0E

loc_54EA28:				; CODE XREF: sub_54E9F6+1Aj
					; sub_54E9F6+23j
		pop	edi
		pop	ebx
		test	edx, edx
		jz	short loc_54EA51

loc_54EA2E:				; CODE XREF: sub_54E9F6+5Fj
		neg	edx
		sbb	edx, edx
		xor	esi, esi
		mov	[ecx], si
		and	edx, 7FFFFFFBh
		mov	ecx, [ebp+arg_0]
		pop	esi
		test	ecx, ecx
		jz	short loc_54EA47
		mov	[ecx], eax

loc_54EA47:				; CODE XREF: sub_54E9F6+4Dj
		lea	eax, [edx-7FFFFFFBh]
		pop	ebp
		retn	0Ch
; 

loc_54EA51:				; CODE XREF: sub_54E9F6+Aj
					; sub_54E9F6+36j
		sub	ecx, 2
		dec	eax
		jmp	short loc_54EA2E
sub_54E9F6	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringValidateDestAndLengthW	proc near ; CODE XREF: RtlStringCchCatExW+16p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		test	edx, edx
		jz	short loc_54EA81
		cmp	edx, 7FFFFFFFh
		ja	short loc_54EA81

loc_54EA6C:				; CODE XREF: RtlStringValidateDestAndLengthW+2Ej
		test	esi, esi
		js	short loc_54EA88
		push	[ebp+arg_0]
		call	sub_4EBA32
		mov	esi, eax

loc_54EA7A:				; CODE XREF: RtlStringValidateDestAndLengthW+36j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
; 

loc_54EA81:				; CODE XREF: RtlStringValidateDestAndLengthW+Aj
					; RtlStringValidateDestAndLengthW+12j
		mov	esi, 0C000000Dh
		jmp	short loc_54EA6C
; 

loc_54EA88:				; CODE XREF: RtlStringValidateDestAndLengthW+16j
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		jmp	short loc_54EA7A
RtlStringValidateDestAndLengthW	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWakeLargePageRebuild(x, x, x)
_MiWakeLargePageRebuild@12 proc	near	; CODE XREF: MiUnlinkNodeLargePageHelper(x,x,x,x,x)+326p
					; MiSignalLargePageRebuild+13Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		test	byte ptr [ebx+4], 20h
		jnz	short loc_54EAB9
		mov	esi, [ebp+arg_0]
		imul	edi, esi, 280h
		add	edi, 130h
		add	edi, [ebx+10h]
		cmp	byte ptr [edi+11h], 0
		jz	short loc_54EAC3

loc_54EAB9:				; CODE XREF: MiWakeLargePageRebuild(x,x,x)+Fj
					; MiWakeLargePageRebuild(x,x,x)+88j
		xor	eax, eax
		inc	eax

loc_54EABC:				; CODE XREF: MiWakeLargePageRebuild(x,x,x)+4Fj
					; MiWakeLargePageRebuild(x,x,x)+83j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_54EAC3:				; CODE XREF: MiWakeLargePageRebuild(x,x,x)+27j
		cmp	byte ptr [edi+12h], 8
		jnz	short loc_54EB15

loc_54EAC9:				; CODE XREF: MiWakeLargePageRebuild(x,x,x)+8Aj
		lea	eax, [ebx+64h]
		mov	ecx, [eax]
		mov	[ebp+arg_0], eax
		call	PsReferencePartitionSafe
		movzx	eax, al
		mov	[ebp+var_4], eax
		cmp	eax, 1
		jnz	short loc_54EABC
		and	dword ptr [edi], 0
		mov	ecx, edi
		shr	ebx, 3
		mov	[edi+11h], al
		and	ebx, 0FFFFFFFh
		mov	eax, [ebp+arg_0]
		shl	esi, 1Ch
		or	ebx, esi
		mov	dword ptr [edi+8], offset MiRebuildLargePages
		mov	[edi+0Ch], ebx
		push	dword ptr [eax]
		push	0FFFFFFFFh
		push	4
		pop	edx
		call	ExQueueWorkItemToPartition
		mov	eax, [ebp+var_4]
		jmp	short loc_54EABC
; 

loc_54EB15:				; CODE XREF: MiWakeLargePageRebuild(x,x,x)+37j
		test	dl, 1
		jz	short loc_54EAB9
		jmp	short loc_54EAC9
_MiWakeLargePageRebuild@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiImageProtoChargedCommit proc near	; CODE XREF: MiDeleteSystemPagableVm(x,x,x,x,x,x)+680p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DD61A SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		mov	ecx, large fs:124h
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		lea	esi, [edx+50h]
		mov	[ebp+var_8], eax
		test	esi, esi
		jz	short loc_54EB95

loc_54EB4A:				; CODE XREF: MiImageProtoChargedCommit+72j
		movzx	edi, word ptr [esi+10h]
		mov	ecx, [esi+4]
		shr	edi, 1
		and	edi, 1Fh
		cmp	ebx, ecx
		jb	short loc_54EB67
		mov	eax, [esi+1Ch]
		lea	eax, [ecx+eax*8]
		cmp	ebx, eax
		jb	short loc_54EB90
		mov	eax, [ebp+var_8]

loc_54EB67:				; CODE XREF: MiImageProtoChargedCommit+3Cj
		test	byte ptr [esi+12h], 2
		jnz	loc_5DD61A

loc_54EB71:				; CODE XREF: MiImageProtoChargedCommit+8EB05j
		mov	eax, [esi]
		test	byte ptr [eax+1Ch], 20h
		jz	short loc_54EB84
		mov	eax, [esi+0Ch]
		test	eax, eax
		jnz	loc_5DD653

loc_54EB84:				; CODE XREF: MiImageProtoChargedCommit+5Bj
					; MiImageProtoChargedCommit+8EB32j ...
		mov	esi, [esi+8]
		test	esi, esi
		jz	short loc_54EB95
		mov	eax, [ebp+var_8]
		jmp	short loc_54EB4A
; 

loc_54EB90:				; CODE XREF: MiImageProtoChargedCommit+46j
					; MiImageProtoChargedCommit+8EB29j ...
		cmp	edi, 4
		jnb	short loc_54EB9C

loc_54EB95:				; CODE XREF: MiImageProtoChargedCommit+2Cj
					; MiImageProtoChargedCommit+6Dj
		xor	eax, eax

loc_54EB97:				; CODE XREF: MiImageProtoChargedCommit+83j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_54EB9C:				; CODE XREF: MiImageProtoChargedCommit+77j
		xor	eax, eax
		inc	eax
		jmp	short loc_54EB97
MiImageProtoChargedCommit endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpRequestDeviceAction proc near	; CODE XREF: IoInvalidateDeviceState+4Cp
					; IoInvalidateDeviceRelations+4Dp ...

var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8
arg_3		= byte ptr  0Bh
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005DD674 SIZE 00000024 BYTES
; FUNCTION CHUNK AT 005DD6AE SIZE 0000004D BYTES

		push	28h
		push	offset dword_6A4860
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], ecx
		mov	esi, offset _GUID_NULL
		lea	edi, [ebp+var_38]
		movsd
		movsd
		movsd
		movsd
		and	[ebp+var_24], 0
		cmp	dword_6CC5E4, 0
		jnz	loc_5DD674
		push	32706E50h
		push	40h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_28], ebx
		test	ebx, ebx
		jz	loc_5DD680
		mov	esi, [ebp+var_20]
		test	esi, esi
		jz	loc_54EDF7

loc_54EBFA:				; CODE XREF: PnpRequestDeviceAction+260j
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	[ebx+8], esi
		mov	ecx, [ebp+var_1C]
		mov	[ebx+0Ch], ecx
		mov	al, [ebp+arg_0]
		mov	[ebx+10h], al
		mov	eax, [ebp+arg_4]
		mov	[ebx+14h], eax
		mov	eax, [ebp+arg_8]
		mov	[ebx+18h], eax
		mov	eax, [ebp+arg_C]
		mov	[ebx+1Ch], eax
		mov	dword ptr [ebx+30h], 1
		mov	byte ptr [ebx+34h], 0
		mov	byte ptr [ebx+3Ch], 0
		and	dword ptr [ebx+38h], 0
		test	ecx, ecx
		jz	loc_54EE7F
		cmp	ecx, 6
		jz	short loc_54EC96
		cmp	ecx, 8
		jle	short loc_54EC5F
		cmp	ecx, 0Ah
		jle	short loc_54EC96
		cmp	ecx, 0Eh
		jz	short loc_54EC96
		cmp	ecx, 10h
		jg	loc_54EE76

loc_54EC5F:				; CODE XREF: PnpRequestDeviceAction+A8j
					; PnpRequestDeviceAction+2D7j
		mov	al, 1

loc_54EC61:				; CODE XREF: PnpRequestDeviceAction+2DFj
		test	al, al
		jz	short loc_54EC96
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jnz	short loc_54EC96
		mov	eax, large fs:124h
		mov	esi, [eax+35Ch]
		test	esi, esi
		jnz	loc_5DD68C
		call	_PnpIsSafeToExamineUserModeTeb@0 ; PnpIsSafeToExamineUserModeTeb()
		test	al, al
		jnz	loc_54EE3B

loc_54EC93:				; CODE XREF: PnpRequestDeviceAction+2C2j
					; sub_5DD69C+Dj
		mov	ecx, [ebp+var_1C]

loc_54EC96:				; CODE XREF: PnpRequestDeviceAction+A3j
					; PnpRequestDeviceAction+ADj ...
		lea	edi, [ebx+20h]
		lea	esi, [ebp+var_38]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	loc_5DD6AE
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]

loc_54ECB4:				; CODE XREF: PnpRequestDeviceAction+8EB0Ej
		push	0
		push	0
		mov	edx, ecx
		mov	ecx, eax
		call	PnpLogActionQueueEvent
		mov	eax, [ebx+0Ch]
		mov	[ebp+arg_4], eax
		mov	edi, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		call	edi
		mov	[ebp+arg_3], al
		mov	esi, offset dword_6C3838
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, dword_6C383C
		inc	ecx
		mov	dword_6C383C, ecx
		cmp	ecx, 1
		jz	loc_54EE69

loc_54ECF4:				; CODE XREF: PnpRequestDeviceAction+2CFj
		test	ds:byte_70EFC6,	1
		jnz	loc_5DD6B5
		xor	eax, eax
		lock and [esi],	eax

loc_54ED06:				; CODE XREF: PnpRequestDeviceAction+8EB1Dj
		mov	cl, [ebp+arg_3]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		mov	edx, [ebp+arg_4]
		xor	ecx, ecx
		call	PopDirectedDripsDiagNotifyPnpActionQueueEvent
		call	edi
		mov	[ebp+arg_3], al
		mov	edi, offset _PnpSpinLock
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, dword_6CB7FC
		mov	ecx, offset _PnpEnumerationRequestList
		cmp	[eax], ecx
		jnz	loc_54EE86
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	dword_6CB7FC, ebx
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jnz	loc_5DD6C4

loc_54ED56:				; CODE XREF: PnpRequestDeviceAction+8EB27j
		mov	edx, [ebp+var_1C]
		cmp	edx, 7
		jz	loc_54EE07
		cmp	edx, 0Ah
		jz	loc_54EE07
		cmp	_PnpEnumerationInProgress, 0
		jz	short loc_54EDA0

loc_54ED74:				; CODE XREF: PnpRequestDeviceAction+205j
		test	ds:byte_70EFC6,	1
		jnz	loc_5DD6DD
		xor	eax, eax
		lock and [edi],	eax

loc_54ED86:				; CODE XREF: PnpRequestDeviceAction+8EB45j
		mov	cl, [ebp+arg_3]
		call	esi

loc_54ED8B:				; CODE XREF: PnpRequestDeviceAction+253j
					; PnpRequestDeviceAction+294j ...
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_54EDA0:				; CODE XREF: PnpRequestDeviceAction+1D0j
		cmp	_PnPBootDriversLoaded, 0
		jz	short loc_54ED74
		mov	_PnpEnumerationInProgress, 1
		push	offset _PnpEnumerationLock
		call	_KeResetEvent@4	; KeResetEvent(x)
		test	ds:byte_70EFC6,	1
		jnz	loc_5DD6CE
		xor	eax, eax
		lock and [edi],	eax

loc_54EDCC:				; CODE XREF: PnpRequestDeviceAction+8EB36j
		mov	cl, [ebp+arg_3]
		call	esi
		mov	dword_6CB7D8, offset PnpDeviceActionWorker
		and	dword_6CB7DC, 0
		and	_PnpDeviceEnumerationWorkItem, 0
		push	1
		push	offset _PnpDeviceEnumerationWorkItem
		call	ExQueueWorkItem
		jmp	short loc_54ED8B
; 

loc_54EDF7:				; CODE XREF: PnpRequestDeviceAction+52j
		mov	eax, _IopRootDeviceNode
		mov	esi, [eax+10h]
		mov	[ebp+var_20], esi
		jmp	loc_54EBFA
; 

loc_54EE07:				; CODE XREF: PnpRequestDeviceAction+1BAj
					; PnpRequestDeviceAction+1C3j
		mov	_PnpEnumerationInProgress, 1
		push	offset _PnpEnumerationLock
		call	_KeResetEvent@4	; KeResetEvent(x)
		test	ds:byte_70EFC6,	1
		jnz	loc_5DD6EC
		xor	eax, eax
		lock and [edi],	eax

loc_54EE2A:				; CODE XREF: PnpRequestDeviceAction+8EB54j
		mov	cl, [ebp+arg_3]
		call	esi
		push	0
		call	PnpDeviceActionWorker
		jmp	loc_54ED8B
; 

loc_54EE3B:				; CODE XREF: PnpRequestDeviceAction+EBj
		and	[ebp+ms_exc.disabled], 0
		cmp	large dword ptr	fs:18h,	0
		jz	short loc_54EE5D
		mov	esi, large fs:18h
		add	esi, 0F50h
		lea	edi, [ebp+var_38]
		movsd
		movsd
		movsd
		movsd

loc_54EE5D:				; CODE XREF: PnpRequestDeviceAction+2A5j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_54EC93
; 

loc_54EE69:				; CODE XREF: PnpRequestDeviceAction+14Cj
		push	4
		pop	ecx
		call	_PopDirectedDripsSetDisengageReason@4 ;	PopDirectedDripsSetDisengageReason(x)
		jmp	loc_54ECF4
; 

loc_54EE76:				; CODE XREF: PnpRequestDeviceAction+B7j
		cmp	ecx, 12h
		jg	loc_54EC5F

loc_54EE7F:				; CODE XREF: PnpRequestDeviceAction+9Aj
		xor	al, al
		jmp	loc_54EC61
; 

loc_54EE86:				; CODE XREF: PnpRequestDeviceAction+196j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PnpRequestDeviceAction endp


PnpDeviceActionWorker:			; CODE XREF: PnpRequestDeviceAction+28Fp
					; DATA XREF: PnpUnlockDeviceActionQueue+67o ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+50h], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+4Ch]
		stosd
		xor	ebx, ebx
		push	8
		pop	ecx
		mov	[esp+24h], ebx
		mov	esi, offset _PnpDeviceActionThread
		stosd
		mov	[esp+28h], ebx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+2Ch]
		rep stosd
		mov	eax, large fs:124h
		xchg	eax, [esi]
		xor	eax, eax
		mov	[esp+1Ch], bl
		mov	[esp+13h], bl
		mov	[esp+15h], bl
		lea	ecx, [eax+1]
		call	PpDevNodeLockTree

loc_54EEE7:				; CODE XREF: .text:0054F117j
					; .text:0054F1DFj ...
		mov	ecx, offset _PnpSpinLock
		mov	[esp+17h], bl
		mov	[esp+18h], ebx
		mov	byte ptr [esp+16h], 1
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	ebx, _PnpEnumerationRequestList
		mov	cl, al
		mov	[esp+14h], cl
		cmp	ebx, offset _PnpEnumerationRequestList
		jz	loc_54F122
		cmp	dword ptr [ebx+4], offset _PnpEnumerationRequestList
		mov	eax, [ebx]
		jnz	loc_54F27B
		cmp	[eax+4], ebx
		jnz	loc_54F27B
		mov	_PnpEnumerationRequestList, eax
		mov	dword ptr [eax+4], offset _PnpEnumerationRequestList
		mov	byte ptr [ebx+34h], 1

loc_54EF3E:				; CODE XREF: .text:0054F181j
		mov	dl, cl
		mov	ecx, offset _PnpSpinLock
		call	KfReleaseSpinLock
		test	ebx, ebx
		jz	loc_54F186
		push	10h
		lea	esi, [ebx+20h]
		push	esi
		push	offset _GUID_NULL
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_5DD6FB

loc_54EF6D:				; CODE XREF: .text:005DD712j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		lea	ecx, [ebx+38h]
		call	ExAcquirePushLockExclusiveEx
		mov	al, [ebx+3Ch]
		lea	ecx, [ebx+38h]
		xor	edx, edx
		mov	[esp+14h], al
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edx, [ebx+0Ch]
		push	2
		pop	ecx
		call	PopDirectedDripsNotifyPnpActionQueueEvent
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		cmp	dword_6CC5E4, 0
		jnz	loc_5DD717
		cmp	byte ptr [esp+14h], 0
		jnz	loc_5DD721
		mov	ecx, [ebx+8]
		test	ecx, ecx
		jz	loc_5DD72B
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]

loc_54EFCE:				; CODE XREF: .text:005DD72Dj
		cmp	dword ptr [eax+0ACh], 314h
		jz	loc_5DD732
		test	ecx, ecx
		jz	loc_5DD73C
		mov	eax, [ecx+0B0h]
		mov	edi, [eax+14h]

loc_54EFEF:				; CODE XREF: .text:005DD73Ej
		mov	[esp+20h], edi
		test	edi, edi
		jz	short loc_54F00F
		mov	edx, 65706E50h
		call	ObfReferenceObjectWithTag
		mov	edx, [ebx+0Ch]
		mov	ecx, edi
		push	0
		push	1
		call	PnpLogActionQueueEvent

loc_54F00F:				; CODE XREF: .text:0054EFF5j
		mov	eax, [ebx+0Ch]
		cmp	eax, 19h	; switch 26 cases
		ja	loc_5DD80B	; default
		jmp	ds:off_54F280[eax*4] ; switch jump

loc_54F022:				; DATA XREF: .text:off_54F280o
		mov	ecx, ebx	; case 0xB
		call	PiProcessRequeryDeviceState

loc_54F029:				; CODE XREF: .text:0054F219j
					; .text:0054F25Fj ...
		mov	esi, eax

loc_54F02B:				; CODE XREF: .text:0054F1EDj
					; .text:0054F200j ...
		test	edi, edi
		jz	short loc_54F049
		mov	edx, [ebx+0Ch]
		mov	ecx, edi
		push	esi
		push	2
		call	PnpLogActionQueueEvent
		mov	ecx, [ebx+8]
		mov	edx, 65706E50h
		call	ObfDereferenceObjectWithTag

loc_54F049:				; CODE XREF: .text:0054F02Dj
					; .text:005DD71Cj ...
		mov	edx, [ebx+0Ch]
		push	3
		pop	ecx
		call	PopDirectedDripsNotifyPnpActionQueueEvent
		xor	eax, eax
		inc	eax
		mov	[esp+20h], eax

loc_54F05B:				; CODE XREF: .text:0054F109j
		mov	edi, [ebx]
		mov	eax, [edi]
		cmp	[edi+4], ebx
		jnz	loc_54F27B
		cmp	[eax+4], edi
		jnz	loc_54F27B
		mov	[ebx], eax
		mov	[eax+4], ebx
		mov	eax, [edi+0Ch]
		mov	[esp+18h], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_6C3838
		mov	[esp+14h], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		sub	dword_6C383C, 1
		jz	loc_54F205

loc_54F09E:				; CODE XREF: .text:0054F20Dj
		xor	eax, eax
		mov	ecx, offset dword_6C3838
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5DD815
		xor	eax, eax
		lock and [ecx],	eax

loc_54F0B7:				; CODE XREF: .text:005DD81Dj
		mov	cl, [esp+14h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+18h]
		xor	eax, eax
		lea	ecx, [eax+1]
		call	PopDirectedDripsDiagNotifyPnpActionQueueEvent
		mov	eax, [edi+1Ch]
		test	eax, eax
		jnz	loc_5DD822

loc_54F0DA:				; CODE XREF: .text:005DD824j
		mov	eax, [edi+18h]
		test	eax, eax
		jnz	loc_5DD829

loc_54F0E5:				; CODE XREF: .text:005DD833j
		cmp	edi, ebx
		jnz	short loc_54F0FD
		and	dword ptr [esp+20h], 0
		cmp	byte ptr [esp+16h], 0
		jz	short loc_54F0FD
		mov	ecx, [edi+8]
		call	ObfDereferenceObject

loc_54F0FD:				; CODE XREF: .text:0054F0E7j
					; .text:0054F0F3j
		mov	ecx, edi
		call	_PnpDeleteDeviceActionRequest@4	; PnpDeleteDeviceActionRequest(x)
		cmp	dword ptr [esp+20h], 0
		jnz	loc_54F05B
		cmp	byte ptr [esp+17h], 0
		push	0
		pop	ebx
		jz	loc_54EEE7
		jmp	loc_5DD838
; 

loc_54F122:				; CODE XREF: .text:0054EF10j
		cmp	byte ptr [esp+13h], 0
		jnz	short loc_54F17F
		cmp	byte ptr [esp+1Ch], 0
		jnz	short loc_54F17F
		cmp	byte ptr [esp+15h], 0
		jnz	short loc_54F17F
		xor	eax, eax
		push	eax
		push	eax
		push	offset _PnpEnumerationLock
		mov	_PnpEnumerationInProgress, al
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	dl, [esp+14h]
		mov	ecx, offset _PnpSpinLock
		call	KfReleaseSpinLock
		xor	eax, eax
		mov	ecx, offset _PnpDeviceActionThread
		xchg	eax, [ecx]
		xor	eax, eax
		lea	ecx, [eax+1]
		call	PpDevNodeUnlockTree
		mov	ecx, [esp+5Ch]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_54F17F:				; CODE XREF: .text:0054F127j
					; .text:0054F12Ej ...
		xor	ebx, ebx
		jmp	loc_54EF3E
; 

loc_54F186:				; CODE XREF: .text:0054EF4Cj
		cmp	byte ptr [esp+13h], 0
		jz	loc_54F21E

loc_54F191:				; CODE XREF: .text:0054F223j
		mov	ecx, _IopRootDeviceNode
		mov	al, _PnPBootDriversInitialized
		mov	dword ptr [esp+24h], 3
		mov	[esp+28h], al
		mov	ecx, [ecx+10h]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	ebx, ebx
		cmp	[esp+13h], bl
		jz	loc_54F240
		mov	eax, ebx

loc_54F1BE:				; CODE XREF: .text:0054F243j
		mov	ecx, _IopRootDeviceNode
		xor	edx, edx
		push	ebx
		push	ebx
		push	dword ptr [esp+24h]
		push	eax
		lea	eax, [esp+34h]
		push	eax
		call	PipProcessDevNodeTree
		mov	[esp+1Ch], bl
		mov	[esp+13h], bl
		jmp	loc_54EEE7
; 

loc_54F1E4:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	byte ptr [esp+13h], 1 ;	case 0x7

loc_54F1E9:				; CODE XREF: .text:0054F23Ej
					; .text:0054F272j ...
		mov	esi, [esp+18h]
		jmp	loc_54F02B
; 

loc_54F1F2:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	ecx, ebx	; case 0x8
		call	PiProcessReenumeration

loc_54F1F9:				; CODE XREF: .text:0054F26Bj
		mov	esi, eax
		mov	byte ptr [esp+16h], 0
		jmp	loc_54F02B
; 

loc_54F205:				; CODE XREF: .text:0054F098j
		push	4
		pop	ecx
		call	_PopDirectedDripsClearDisengageReason@4	; PopDirectedDripsClearDisengageReason(x)
		jmp	loc_54F09E
; 

loc_54F212:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	ecx, ebx	; case 0x2
		call	_PpProcessClearProblem@4 ; PpProcessClearProblem(x)
		jmp	loc_54F029
; 

loc_54F21E:				; CODE XREF: .text:0054F18Bj
		cmp	byte ptr [esp+1Ch], 0
		jnz	loc_54F191
		call	_PnpCompleteSystemStartProcess@0 ; PnpCompleteSystemStartProcess()
		xor	ebx, ebx
		mov	[esp+15h], bl
		jmp	loc_54EEE7
; 

loc_54F239:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	byte ptr [esp+1Ch], 1 ;	case 0x0
		jmp	short loc_54F1E9
; 

loc_54F240:				; CODE XREF: .text:0054F1B6j
		push	3
		pop	eax
		jmp	loc_54F1BE
; 

loc_54F248:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	eax, [ebx+8]	; case 0x5
		test	eax, eax
		jz	short loc_54F277
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]

loc_54F258:				; CODE XREF: .text:0054F279j
		xor	dl, dl
		call	_PiQueryPowerRelations@8 ; PiQueryPowerRelations(x,x)
		jmp	loc_54F029
; 

loc_54F264:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	ecx, ebx	; case 0x11
		call	_PiProcessStartSystemDevices@4 ; PiProcessStartSystemDevices(x)
		jmp	short loc_54F1F9
; 

loc_54F26D:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	byte ptr [esp+15h], 1 ;	case 0x12
		jmp	loc_54F1E9
; 

loc_54F277:				; CODE XREF: .text:0054F24Dj
		xor	ecx, ecx
		jmp	short loc_54F258
; 

loc_54F27B:				; CODE XREF: .text:0054EF1Fj
					; .text:0054EF28j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
off_54F280	dd offset loc_54F239	; DATA XREF: .text:0054F01Br
		dd offset loc_5DD743	; jump table for switch	statement
		dd offset loc_54F212
		dd offset loc_5DD743
		dd offset loc_5DD74F
		dd offset loc_54F248
		dd offset loc_5DD75B
		dd offset loc_54F1E4
		dd offset loc_54F1F2
		dd offset loc_54F1F2
		dd offset loc_54F1F2
		dd offset loc_54F022
		dd offset loc_5DD767
		dd offset loc_5DD773
		dd offset loc_54F1F2
		dd offset loc_5DD790
		dd offset loc_5DD767
		dd offset loc_54F264
		dd offset loc_54F26D
		dd offset loc_5DD79C
		dd offset loc_5DD7EF
		dd offset loc_5DD7FF
		dd offset loc_5DD7FF
		dd offset loc_5DD7FF
		dd offset loc_5DD7FF
		dd offset loc_5DD743

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpLogActionQueueEvent proc near	; CODE XREF: PnpRequestDeviceAction+11Ap
					; .text:0054F00Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DD845 SIZE 00000195 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		cmp	edx, 0Eh
		jg	loc_54F385
		push	8
		pop	ebx
		jz	short loc_54F315
		cmp	edx, ebx
		jz	short loc_54F333
		jle	short loc_54F310
		cmp	edx, 0Ah
		jle	short loc_54F315
		cmp	edx, 0Ch
		jz	loc_5DD94E

loc_54F310:				; CODE XREF: PnpLogActionQueueEvent+18j
					; PnpLogActionQueueEvent+3Cj ...
		pop	ebx
		pop	ebp
		retn	8
; 

loc_54F315:				; CODE XREF: PnpLogActionQueueEvent+12j
					; PnpLogActionQueueEvent+1Dj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_54F351
		cmp	eax, 1
		jz	short loc_54F35E
		cmp	eax, 2
		jnz	short loc_54F310
		test	byte_6CD8BB, bl
		jz	short loc_54F310
		jmp	loc_5DD8B1
; 

loc_54F333:				; CODE XREF: PnpLogActionQueueEvent+16j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_54F36B
		cmp	eax, 1
		jz	short loc_54F378
		cmp	eax, 2
		jnz	short loc_54F310
		test	byte_6CD8BB, bl
		jz	short loc_54F310
		jmp	loc_5DD869
; 

loc_54F351:				; CODE XREF: PnpLogActionQueueEvent+32j
		test	byte_6CD8BB, bl
		jz	short loc_54F310
		jmp	loc_5DD885
; 

loc_54F35E:				; CODE XREF: PnpLogActionQueueEvent+37j
		test	byte_6CD8BB, bl
		jz	short loc_54F310
		jmp	loc_5DD89B
; 

loc_54F36B:				; CODE XREF: PnpLogActionQueueEvent+50j
		test	byte_6CD8BB, bl
		jz	short loc_54F310
		jmp	loc_5DD845
; 

loc_54F378:				; CODE XREF: PnpLogActionQueueEvent+55j
		test	byte_6CD8BB, bl
		jz	short loc_54F310
		jmp	loc_5DD857
; 

loc_54F385:				; CODE XREF: PnpLogActionQueueEvent+9j
		cmp	edx, 10h
		jz	loc_5DD94E
		cmp	edx, 14h
		jle	loc_54F310
		jmp	loc_5DD8C7
PnpLogActionQueueEvent endp


;  S U B	R O U T	I N E 


; __stdcall PnpDeleteDeviceActionRequest(x)
_PnpDeleteDeviceActionRequest@4	proc near ; CODE XREF: .text:0054F0FFp
					; PiControlGetSetDeviceStatus+13Cp ...
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+30h], eax
		jnz	short locret_54F3B1
		push	32706E50h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_54F3B1:				; CODE XREF: PnpDeleteDeviceActionRequest(x)+8j
		retn
_PnpDeleteDeviceActionRequest@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpProcessClearProblem(x)
_PpProcessClearProblem@4 proc near	; CODE XREF: .text:0054F214p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx+14h]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_C], 1
		mov	[ebp+var_8], 5
		test	eax, eax
		jz	short loc_54F418
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]

loc_54F3E8:				; CODE XREF: PpProcessClearProblem(x)+68j
		mov	eax, [ecx+0ACh]
		cmp	eax, 313h
		jz	short loc_54F41C
		cmp	eax, 314h
		jz	short loc_54F41C
		lea	eax, [ebp+var_10]
		mov	edx, offset PiResetProblemDevicesWorker
		push	eax
		call	_PipForDeviceNodeSubtree@12 ; PipForDeviceNodeSubtree(x,x,x)
		xor	eax, eax

loc_54F40C:				; CODE XREF: PpProcessClearProblem(x)+6Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_54F418:				; CODE XREF: PpProcessClearProblem(x)+2Bj
		xor	ecx, ecx
		jmp	short loc_54F3E8
; 

loc_54F41C:				; CODE XREF: PpProcessClearProblem(x)+41j
					; PpProcessClearProblem(x)+48j
		mov	eax, 0C0000056h
		jmp	short loc_54F40C
_PpProcessClearProblem@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDirectedDripsNotifyPnpActionQueueEvent proc near ; CODE XREF: .text:0054EF98p
					; .text:0054F04Fp

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DD9DA SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_6C3838
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, edi
		sub	esi, 0
		jz	short loc_54F491
		sub	esi, 1
		jz	short loc_54F47E

loc_54F450:				; CODE XREF: PopDirectedDripsNotifyPnpActionQueueEvent+61j
					; PopDirectedDripsNotifyPnpActionQueueEvent+6Bj ...
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_6C3838
		jnz	loc_5DD9DA
		xor	eax, eax
		lock and [ecx],	eax

loc_54F467:				; CODE XREF: PopDirectedDripsNotifyPnpActionQueueEvent+8E5BEj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, ebx
		mov	ecx, edi
		call	PopDirectedDripsDiagNotifyPnpActionQueueEvent
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_54F47E:				; CODE XREF: PopDirectedDripsNotifyPnpActionQueueEvent+2Aj
		sub	dword_6C383C, 1
		jnz	short loc_54F450
		push	4
		pop	ecx
		call	_PopDirectedDripsClearDisengageReason@4	; PopDirectedDripsClearDisengageReason(x)
		jmp	short loc_54F450
; 

loc_54F491:				; CODE XREF: PopDirectedDripsNotifyPnpActionQueueEvent+25j
		mov	eax, dword_6C383C
		inc	eax
		mov	dword_6C383C, eax
		cmp	eax, 1
		jnz	short loc_54F450
		push	4
		pop	ecx
		call	_PopDirectedDripsSetDisengageReason@4 ;	PopDirectedDripsSetDisengageReason(x)
		jmp	short loc_54F450
PopDirectedDripsNotifyPnpActionQueueEvent endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDirectedDripsDiagNotifyPnpActionQueueEvent proc near
					; CODE XREF: PnpRequestDeviceAction+174p
					; .text:0054F0CAp ...

; FUNCTION CHUNK AT 005DD9E7 SIZE 00000095 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_6BF65C
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		call	KeQueryInterruptTime
		xor	ecx, ecx
		sub	edi, ecx
		jz	short loc_54F4F2
		sub	edi, 1
		jz	short loc_54F52E
		sub	edi, 1
		jnz	short loc_54F540
		mov	dword_6BF664, esi
		cmp	byte_6BF6D0, cl
		jz	short loc_54F50B
		jmp	loc_5DDA12
; 

loc_54F4F2:				; CODE XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+27j
		inc	dword_6BF660
		inc	dword_6BF668[esi*4]
		cmp	byte_6BF6D0, cl
		jnz	loc_5DDA4B

loc_54F50B:				; CODE XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+3Fj
					; PopDirectedDripsDiagNotifyPnpActionQueueEvent+92j ...
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_6BF65C
		jnz	loc_5DDA6F
		xor	eax, eax
		lock and [ecx],	eax

loc_54F522:				; CODE XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+8E5CBj
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_54F52E:				; CODE XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+2Cj
		sub	dword_6BF660, 1
		jz	short loc_54F55D

loc_54F537:				; CODE XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+B7j
					; PopDirectedDripsDiagNotifyPnpActionQueueEvent+8E59Aj
		dec	dword_6BF668[esi*4]
		jmp	short loc_54F50B
; 

loc_54F540:				; CODE XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+31j
		sub	edi, 1
		jnz	short loc_54F50B
		cmp	byte_6BF6D0, cl
		jnz	loc_5DD9E7

loc_54F551:				; CODE XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+8E561j
		mov	dword_6BF664, 1Ah
		jmp	short loc_54F50B
; 

loc_54F55D:				; CODE XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+89j
		cmp	byte_6BF6D0, cl
		jz	short loc_54F537
		jmp	loc_5DDA22
PopDirectedDripsDiagNotifyPnpActionQueueEvent endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsClearDisengageReason(x)
_PopDirectedDripsClearDisengageReason@4	proc near ; CODE XREF: .text:0054F208p
					; PopDirectedDripsNotifyPnpActionQueueEvent+66p ...
		mov	edi, edi
		push	ebx
		push	esi
		xor	esi, esi
		inc	esi
		shl	esi, cl
		mov	edx, esi
		push	edi
		not	edx
		mov	edi, offset unk_6C3718
		mov	eax, [edi]

loc_54F57F:				; CODE XREF: PopDirectedDripsClearDisengageReason(x)+1Dj
		mov	ecx, eax
		and	ecx, edx
		lock cmpxchg [edi], ecx
		jnz	short loc_54F57F
		mov	edx, eax
		xor	ebx, ebx
		mov	edi, offset _PopDirectedDripsState
		mov	eax, [edi]

loc_54F594:				; CODE XREF: PopDirectedDripsClearDisengageReason(x)+32j
		mov	ecx, eax
		or	ecx, ebx
		lock cmpxchg [edi], ecx
		jnz	short loc_54F594
		test	al, 1
		jnz	short loc_54F5A6

loc_54F5A2:				; CODE XREF: PopDirectedDripsClearDisengageReason(x)+3Ej
					; PopDirectedDripsClearDisengageReason(x)+49j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_54F5A6:				; CODE XREF: PopDirectedDripsClearDisengageReason(x)+36j
		test	edx, esi
		jz	short loc_54F5A2
		push	0
		push	2
		call	_PopQueueDirectedDripsWork@12 ;	PopQueueDirectedDripsWork(x,x,x)
		jmp	short loc_54F5A2
_PopDirectedDripsClearDisengageReason@4	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsSetDisengageReason(x)
_PopDirectedDripsSetDisengageReason@4 proc near	; CODE XREF: PnpRequestDeviceAction+2CAp
					; PopDirectedDripsNotifyPnpActionQueueEvent+80p ...
		mov	edi, edi
		push	ebx
		xor	edx, edx
		push	esi
		inc	edx
		mov	esi, offset unk_6C3718
		push	edi
		shl	edx, cl
		mov	eax, [esi]

loc_54F5C7:				; CODE XREF: PopDirectedDripsSetDisengageReason(x)+19j
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [esi], ecx
		jnz	short loc_54F5C7
		mov	esi, eax
		xor	ebx, ebx
		mov	edi, offset _PopDirectedDripsState
		mov	eax, [edi]

loc_54F5DC:				; CODE XREF: PopDirectedDripsSetDisengageReason(x)+2Ej
		mov	ecx, eax
		or	ecx, ebx
		lock cmpxchg [edi], ecx
		jnz	short loc_54F5DC
		test	al, 1
		jnz	short loc_54F5EE

loc_54F5EA:				; CODE XREF: PopDirectedDripsSetDisengageReason(x)+3Aj
					; PopDirectedDripsSetDisengageReason(x)+45j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_54F5EE:				; CODE XREF: PopDirectedDripsSetDisengageReason(x)+32j
		test	esi, edx
		jnz	short loc_54F5EA
		push	0
		push	2
		call	_PopQueueDirectedDripsWork@12 ;	PopQueueDirectedDripsWork(x,x,x)
		jmp	short loc_54F5EA
_PopDirectedDripsSetDisengageReason@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopQueueDirectedDripsWork(x, x, x)
_PopQueueDirectedDripsWork@12 proc near	; CODE XREF: PopDirectedDripsClearDisengageReason(x)+44p
					; PopDirectedDripsSetDisengageReason(x)+40p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi

loc_54F607:				; CODE XREF: PopQueueDirectedDripsWork(x,x,x)+35j
					; PopQueueDirectedDripsWork(x,x,x)+39j
		mov	esi, dword_6C36A8
		mov	ebx, esi
		mov	edi, dword_6C36AC
		mov	eax, esi
		or	ebx, [ebp+arg_0]
		mov	ecx, edi
		or	ecx, [ebp+arg_4]
		mov	edx, edi
		mov	[ebp+var_4], edi
		mov	edi, offset dword_6C36A8
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_54F607
		cmp	edx, edi
		jnz	short loc_54F607
		or	esi, edi
		pop	edi
		pop	esi
		pop	ebx
		jnz	short locret_54F64E
		push	0
		push	0
		push	offset unk_6C36B4
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

locret_54F64E:				; CODE XREF: PopQueueDirectedDripsWork(x,x,x)+40j
		leave
		retn	8
_PopQueueDirectedDripsWork@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+1C9p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DDA7C SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_14], 0
		lea	eax, [ebp+var_14]
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_10], eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, ecx
		mov	eax, [ebx+10h]
		xor	eax, [ebp+arg_0]
		and	eax, 7
		shl	edi, 4
		xor	[ebx+10h], eax
		add	edi, esi
		mov	eax, [ebp+arg_0]
		shr	eax, 3
		xor	eax, [ebx+14h]
		and	eax, 3
		xor	[ebx+14h], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	esi, 200h
		mov	[ebp+var_5], al
		mov	ecx, esi
		mov	[ebp+var_C], esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	dword ptr [edi+8], 0
		jnz	short loc_54F6B7
		cmp	dword ptr [edi+0Ch], 0
		jz	loc_54F746

loc_54F6B7:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert+59j
		mov	eax, [edi+4]
		push	0FFFFh
		mov	eax, [eax]
		inc	eax
		mov	[ebx], eax
		mov	eax, [edi+4]
		mov	[eax], ebx
		mov	[edi+4], ebx
		mov	esi, [ebx]
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		cmp	esi, eax
		mov	esi, [ebp+var_C]
		jnb	short loc_54F755

loc_54F6DA:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert+101j
					; SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert+106j ...
		mov	eax, [ebp+var_10]
		mov	eax, [eax]
		add	[edi+8], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5DDA7C
		xor	eax, eax
		lock and [esi],	eax

loc_54F6F4:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert+8E434j
		mov	cl, [ebp+var_5]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_54F6FD:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert+F2j
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		cmp	edx, eax
		jz	short loc_54F717
		mov	ecx, [ebp+var_14]
		mov	eax, [ecx]
		mov	[ebp+var_14], eax
		cmp	ecx, edx
		jz	short loc_54F71E
		dec	dword ptr [edx]
		jmp	short loc_54F728
; 

loc_54F717:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert+B3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_54F71E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert+BFj
		and	[ebp+var_14], 0
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], eax

loc_54F728:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert+C3j
		and	dword ptr [ecx], 0
		mov	edx, [ebp+arg_0]
		mov	dword ptr [ecx+8], offset SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker
		mov	[ecx+0Ch], ecx
		push	ds:dword_71846C
		push	ecx
		call	ExQueueWorkItemToPrivatePool
		jmp	short loc_54F6FD
; 

loc_54F746:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert+5Fj
		mov	ecx, [ebp+var_10]
		mov	eax, [ecx]
		inc	eax
		mov	[ebx], eax
		mov	[ecx], ebx
		mov	[ebp+var_10], ebx
		jmp	short loc_54F6DA
; 

loc_54F755:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert+86j
		cmp	[edi+4], edi
		jz	short loc_54F6DA
		mov	eax, [edi]
		mov	[ebp+var_14], eax
		mov	eax, [edi+4]
		mov	[ebp+var_10], eax
		mov	[edi+4], edi
		and	dword ptr [edi], 0
		jmp	loc_54F6DA
SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExQueueWorkItemToPrivatePool proc near	; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert+EDp

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DDA8B SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 8
		push	ebx
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		jnb	loc_5DDA8B
		cmp	[ebp+arg_4], 0
		jz	loc_5DDA8B
		lea	edx, [edi+20h]
		call	ExpValidateWorkItem
		push	[ebp+arg_4]
		mov	eax, ds:_PspSystemPartition
		mov	edx, ebx
		push	0FFFFFFFFh
		push	edi
		mov	ecx, [eax+8]
		call	ExpQueueWorkItem
		test	al, al
		jz	loc_5DDA8B
		pop	edi
		pop	ebx
		pop	ebp
		retn	8
ExQueueWorkItemToPrivatePool endp ; sp = -0Ch


;  S U B	R O U T	I N E 


CcCalculateVacbLevelLockCount proc near	; CODE XREF: CcExtendVacbArray+32Fp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	esi, esi
		mov	edi, edx
		mov	ecx, 80h

loc_54F7CA:				; CODE XREF: CcCalculateVacbLevelLockCount+1Cj
		mov	eax, [edi]
		lea	edi, [edi+4]
		test	eax, eax
		jnz	short loc_54F7F6

loc_54F7D3:				; CODE XREF: CcCalculateVacbLevelLockCount+3Dj
		sub	ecx, 1
		jnz	short loc_54F7CA
		test	dword ptr [ebx+60h], 200h
		jnz	loc_5DDA9F

loc_54F7E5:				; CODE XREF: ExQueueWorkItemToPrivatePool+8E350j
		push	0
		mov	ecx, ebx
		call	_VacbLevelReference@12 ; VacbLevelReference(x,x,x)
		pop	edi
		mov	[eax], esi
		pop	esi
		pop	ebx
		retn	4
; 

loc_54F7F6:				; CODE XREF: CcCalculateVacbLevelLockCount+17j
		inc	esi
		jmp	short loc_54F7D3
CcCalculateVacbLevelLockCount endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeLargePageMemory(x, x,	x)
_MiFreeLargePageMemory@12 proc near	; CODE XREF: MiFreeMdlPageRun(x,x,x)+6Ep
					; MiFreeContiguousPages(x,x)+53p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		test	[ebp+arg_0], 2
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jz	short loc_54F817
		call	_MiConvertSmallPageRangeToLarge@8 ; MiConvertSmallPageRangeToLarge(x,x)

loc_54F817:				; CODE XREF: MiFreeLargePageMemory(x,x,x)+16j
		mov	ebx, dword ptr [ebp+arg_0]
		mov	ecx, ds:_MiLargePageSizes[esi*4]
		not	ebx
		imul	eax, edi, 1Ch
		and	ebx, 1
		mov	[esp+18h+var_4], ebx
		mov	[esp+18h+var_8], ecx
		add	eax, ds:_MmPfnDatabase
		mov	[esp+18h+var_C], eax
		test	ebx, ebx
		jnz	short loc_54F89B
		mov	ecx, esi
		call	_MiColdPageSizeSupported@4 ; MiColdPageSizeSupported(x)
		test	eax, eax
		jz	short loc_54F897
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_MiChangePageHeatImmediate@12 ;	MiChangePageHeatImmediate(x,x,x)
		mov	ecx, [esp+18h+var_C]
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	bh, al
		xor	edx, edx
		mov	eax, [esp+18h+var_C]
		inc	edx
		mov	bl, [eax+16h]
		mov	cl, bl
		and	cl, 0FDh
		or	cl, 5
		mov	[eax+16h], cl
		mov	ecx, eax
		call	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)
		mov	ecx, [esp+18h+var_C]
		mov	dl, bh
		mov	al, [ecx+16h]
		xor	al, bl
		and	al, 7
		xor	al, [ecx+16h]
		mov	[ecx+16h], al
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	ebx, [esp+18h+var_4]

loc_54F897:				; CODE XREF: MiFreeLargePageMemory(x,x,x)+4Ej
		mov	ecx, [esp+18h+var_8]

loc_54F89B:				; CODE XREF: MiFreeLargePageMemory(x,x,x)+43j
		mov	edx, edi
		test	esi, esi
		jz	short loc_54F8AC
		and	edx, 0FFFFFE00h
		mov	ecx, 200h

loc_54F8AC:				; CODE XREF: MiFreeLargePageMemory(x,x,x)+A5j
		push	0
		push	0
		push	ecx
		mov	ecx, offset _MiSystemPartition
		call	MiUpdateLargePageBitMap
		push	dword ptr [ebp+arg_0]
		mov	edx, esi
		mov	ecx, edi
		call	_MiReadyLargePageToFree@12 ; MiReadyLargePageToFree(x,x,x)
		test	eax, eax
		jz	short loc_54F8D6
		mov	ecx, [esp+18h+var_C]
		mov	edx, ebx
		call	_MiFinishLargePageFree@8 ; MiFinishLargePageFree(x,x)

loc_54F8D6:				; CODE XREF: MiFreeLargePageMemory(x,x,x)+CFj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiFreeLargePageMemory@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLargeFreePageToMdl(x, x, x, x, x)
_MiLargeFreePageToMdl@20 proc near	; CODE XREF: MiTradePage(x,x)+2CDp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		xor	esi, esi
		mov	[ebp+var_C], ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_54F90A
		test	[ebp+arg_8], 8
		jnz	short loc_54F90A
		push	10h
		pop	esi

loc_54F90A:				; CODE XREF: MiLargeFreePageToMdl(x,x,x,x,x)+1Fj
					; MiLargeFreePageToMdl(x,x,x,x,x)+25j
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, [ebp+var_C]
		push	esi
		mov	ebx, ds:_MiLargePageSizes[eax*4]
		mov	edi, ebx
		neg	edi
		mov	dword ptr [ebp+arg_8], ebx
		and	edi, [ebp+var_4]
		push	eax
		mov	edx, edi
		call	_MiTryUnlinkNodeLargePage@20 ; MiTryUnlinkNodeLargePage(x,x,x,x,x)
		test	eax, eax
		jz	short loc_54F9AE
		imul	esi, edi, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiIsFreeZeroPfnCold@4 ; MiIsFreeZeroPfnCold(x)
		test	eax, eax
		jz	short loc_54F970
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	1
		call	_MiChangePageHeatImmediate@12 ;	MiChangePageHeatImmediate(x,x,x)
		mov	ecx, esi
		call	_MiLockPage@4	; MiLockPage(x)
		xor	edx, edx
		mov	ecx, esi
		mov	bl, al
		call	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)
		mov	dl, bl
		mov	ecx, esi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	ebx, dword ptr [ebp+arg_8]

loc_54F970:				; CODE XREF: MiLargeFreePageToMdl(x,x,x,x,x)+64j
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	eax
		push	eax
		push	1
		push	eax
		mov	ecx, esi
		call	_MiConvertEntireLargePageToSmall@24 ; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_54F9AB
		mov	ecx, [esi+14h]
		mov	eax, ecx
		shr	eax, 0Ch
		add	eax, 7
		lea	edx, [esi+eax*4]
		mov	eax, ebx
		shl	eax, 0Ch
		add	eax, ecx
		mov	[esi+14h], eax

loc_54F9A0:				; CODE XREF: MiLargeFreePageToMdl(x,x,x,x,x)+C9j
		mov	[edx], edi
		inc	edi
		lea	edx, [edx+4]
		sub	ebx, 1
		jnz	short loc_54F9A0

loc_54F9AB:				; CODE XREF: MiLargeFreePageToMdl(x,x,x,x,x)+A6j
		xor	eax, eax
		inc	eax

loc_54F9AE:				; CODE XREF: MiLargeFreePageToMdl(x,x,x,x,x)+50j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiLargeFreePageToMdl@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTryUnlinkNodeLargePage(x,	x, x, x, x)
_MiTryUnlinkNodeLargePage@20 proc near	; CODE XREF: MiLargeFreePageToMdl(x,x,x,x,x)+49p
					; MiDemoteLargeFreePage(x,x,x,x,x)+6Dp	...

var_34		= dword	ptr -34h
var_30		= byte ptr -30h
var_2E		= word ptr -2Eh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, [ebp+arg_4]
		and	[ebp+var_18], 0
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], ecx
		mov	ecx, edi
		mov	[ebp+var_4], eax
		call	MiSearchNumaNodeTable
		imul	edi, 1Ch
		mov	esi, [eax+4]
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		cmp	[ebp+var_10], offset _MiSystemPartition
		mov	cl, al
		mov	byte ptr [ebp+arg_4+3],	cl
		jnz	loc_54FC46
		mov	eax, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		imul	ecx, esi, 280h
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], ecx

loc_54FA10:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+1E8j
		xor	ebx, ebx
		inc	ebx
		and	[ebp+var_20], 0
		mov	esi, ebx
		mov	ebx, dword_6D4E50
		add	ebx, ecx
		test	ds:byte_70EFC6,	21h
		lea	eax, [ebx+204h]
		mov	[ebp+var_1C], eax
		jz	short loc_54FA3F
		mov	edx, eax
		lea	ecx, [ebp+var_20]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_54FA50
; 

loc_54FA3F:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+7Bj
		lea	edx, [ebp+var_20]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_54FA50
		lea	ecx, [ebp+var_20]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_54FA50:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+87j
					; MiTryUnlinkNodeLargePage(x,x,x,x,x)+90j
		mov	ecx, edi
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		inc	edx
		cmp	eax, ecx
		jz	short loc_54FA65
		mov	ecx, edx
		jmp	short loc_54FA79
; 

loc_54FA65:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+A9j
		mov	al, [edi+16h]
		and	al, 7
		cmp	al, dl
		jbe	loc_54FBAD
		xor	ecx, ecx
		cmp	al, 5
		setnz	cl

loc_54FA79:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+ADj
		mov	eax, [ebp+arg_8]
		xor	esi, esi
		mov	[eax], ecx
		cmp	[ebx+1F4h], esi
		jz	loc_54FBDF
		test	byte ptr [ebp+var_4], 10h
		jz	loc_54FB20
		and	[ebp+var_2C], esi
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], eax
		mov	eax, [ebx+1F8h]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_34]
		mov	[ebx+1F8h], eax
		mov	[ebp+var_2E], 4
		mov	[ebp+var_30], 7
		mov	[ebp-2Fh], dl
		test	ds:byte_70EFC6,	dl
		jz	short loc_54FAD6
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_20]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_54FB01
; 

loc_54FAD6:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+111j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_54FAF8
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_20]
		cmp	eax, ecx
		jz	short loc_54FB01
		call	KxWaitForLockChainValid
		xor	edx, edx
		inc	edx

loc_54FAF8:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+125j
		mov	[ebp+var_20], esi
		add	eax, 4
		lock xor [eax],	edx

loc_54FB01:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+11Ej
					; MiTryUnlinkNodeLargePage(x,x,x,x,x)+138j
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+arg_4+3]
		call	[ebp+var_8]
		push	ecx
		push	12h
		pop	edx
		lea	ecx, [ebp+var_30]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		jmp	short loc_54FB91
; 

loc_54FB20:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+DAj
		and	[ebp+var_C], esi
		test	ds:byte_70EFC6,	dl
		jz	short loc_54FB38
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_20]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_54FB63
; 

loc_54FB38:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+173j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_54FB5A
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_20]
		cmp	eax, ecx
		jz	short loc_54FB63
		call	KxWaitForLockChainValid
		xor	edx, edx
		inc	edx

loc_54FB5A:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+187j
		mov	[ebp+var_20], esi
		add	eax, 4
		lock xor [eax],	edx

loc_54FB63:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+180j
					; MiTryUnlinkNodeLargePage(x,x,x,x,x)+19Aj
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+arg_4+3]
		call	[ebp+var_8]
		cmp	byte ptr [ebp+arg_4+3],	2
		jnz	short loc_54FBA3
		and	[ebp+var_C], esi
		jmp	short loc_54FB87
; 

loc_54FB7F:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+1D9j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx

loc_54FB87:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+1C7j
		mov	eax, [ebx+1F4h]
		test	eax, eax
		jnz	short loc_54FB7F

loc_54FB91:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+168j
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+var_14]
		mov	byte ptr [ebp+arg_4+3],	al
		jmp	loc_54FA10
; 

loc_54FBA3:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+1C2j
		mov	eax, [ebp+arg_8]
		and	[eax], esi
		jmp	loc_54FC5D
; 

loc_54FBAD:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+B6j
		push	[ebp+var_4]
		mov	edx, edi
		push	0
		push	ecx
		mov	ecx, ebx
		call	_MiUnlinkNodeLargePageHelper@20	; MiUnlinkNodeLargePageHelper(x,x,x,x,x)
		test	eax, eax
		jz	short loc_54FBD7
		test	byte ptr [ebp+var_4], 20h
		jz	short loc_54FBDF
		mov	eax, [ebp+var_10]
		mov	eax, [eax+10h]
		add	eax, [ebp+var_14]
		inc	dword ptr [eax+1F4h]
		jmp	short loc_54FBDF
; 

loc_54FBD7:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+208j
		mov	eax, [ebp+arg_8]
		and	dword ptr [eax], 0
		xor	esi, esi

loc_54FBDF:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+D0j
					; MiTryUnlinkNodeLargePage(x,x,x,x,x)+20Ej ...
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jz	short loc_54FBF7
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_20]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_54FC23
; 

loc_54FBF7:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+232j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_54FC16
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_20]
		cmp	eax, ecx
		jz	short loc_54FC23
		call	KxWaitForLockChainValid

loc_54FC16:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+246j
		mov	[ebp+var_20], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_54FC23:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+23Fj
					; MiTryUnlinkNodeLargePage(x,x,x,x,x)+259j
		test	esi, esi
		jz	short loc_54FC31
		test	byte ptr [ebp+var_4], 20h
		jz	short loc_54FC31
		mov	byte ptr [ebp+arg_4+3],	2

loc_54FC31:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+26Fj
					; MiTryUnlinkNodeLargePage(x,x,x,x,x)+275j
		lea	ecx, [edi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, byte ptr [ebp+arg_4+3]
		call	[ebp+var_8]
		mov	eax, esi
		jmp	short loc_54FC5F
; 

loc_54FC46:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+43j
		mov	edx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	dword ptr [ebx], 1

loc_54FC5D:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+1F2j
		xor	eax, eax

loc_54FC5F:				; CODE XREF: MiTryUnlinkNodeLargePage(x,x,x,x,x)+28Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiTryUnlinkNodeLargePage@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViAvlCompareNodeUseSessionId(x, x, x)
_ViAvlCompareNodeUseSessionId@12 proc near ; DATA XREF:	VfAvlInitializeTreeEx+7Fo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_4]
		push	esi
		push	edi
		push	[ebp+arg_0]
		call	_ViAvlCompareNode@12 ; ViAvlCompareNode(x,x,x)
		cmp	eax, 2
		jz	short loc_54FC88

loc_54FC82:				; CODE XREF: ViAvlCompareNodeUseSessionId(x,x,x)+2Aj
					; ViAvlCompareNodeUseSessionId(x,x,x)+2Fj ...
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_54FC88:				; CODE XREF: ViAvlCompareNodeUseSessionId(x,x,x)+1Aj
		mov	ecx, [edi+8]
		cmp	ecx, [esi+8]
		jb	short loc_54FC97
		jbe	short loc_54FC82
		xor	eax, eax
		inc	eax
		jmp	short loc_54FC82
; 

loc_54FC97:				; CODE XREF: ViAvlCompareNodeUseSessionId(x,x,x)+28j
		xor	eax, eax
		jmp	short loc_54FC82
_ViAvlCompareNodeUseSessionId@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViAvlCompareNode(x,	x, x)
_ViAvlCompareNode@12 proc near		; CODE XREF: ViAvlCompareNodeUseSessionId(x,x,x)+12p
					; DATA XREF: VfAvlInitializeTreeEx:loc_A56B19o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		push	esi
		mov	edx, [eax]
		mov	esi, [ecx]
		cmp	edx, esi
		jb	short loc_54FCC4
		jz	short loc_54FCD2
		mov	ecx, [ecx+4]
		xor	eax, eax
		add	ecx, esi
		cmp	ecx, edx
		setnbe	al
		inc	eax

loc_54FCBF:				; CODE XREF: ViAvlCompareNode(x,x,x)+34j
					; ViAvlCompareNode(x,x,x)+39j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_54FCC4:				; CODE XREF: ViAvlCompareNode(x,x,x)+12j
		mov	eax, [eax+4]
		add	eax, edx
		cmp	esi, eax
		sbb	eax, eax
		and	eax, 2
		jmp	short loc_54FCBF
; 

loc_54FCD2:				; CODE XREF: ViAvlCompareNode(x,x,x)+14j
		push	2
		pop	eax
		jmp	short loc_54FCBF
_ViAvlCompareNode@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiIsPfnSystemCharged(x)
_MiIsPfnSystemCharged@4	proc near	; CODE XREF: .text:0044A7BCp
					; .text:0047878Ep ...
		mov	eax, ds:_MmHighestUserAddress
		mov	edx, [ecx+4]
		shr	eax, 9
		or	edx, 80000000h
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	edx, eax
		jbe	short loc_54FD02

loc_54FCF7:				; CODE XREF: MiIsPfnSystemCharged(x)+30j
		movzx	eax, byte ptr [ecx+17h]
		shr	eax, 5
		and	eax, 1
		retn
; 

loc_54FD02:				; CODE XREF: MiIsPfnSystemCharged(x)+1Dj
		cmp	edx, 0C0000000h
		jb	short loc_54FCF7
		xor	eax, eax
		retn
_MiIsPfnSystemCharged@4	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 377. ExInitializeNPagedLookasideList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInitializeNPagedLookasideList(x, x, x, x,	x, x, x)
		public _ExInitializeNPagedLookasideList@28
_ExInitializeNPagedLookasideList@28 proc near
					; CODE XREF: FsRtlInitExtraCreateParameterLookasideList(x,x,x,x)+36p
					; AlpcpInitSystem+194p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ExInitializeNPagedLookasideListInternal
		pop	ebp
		retn	1Ch
_ExInitializeNPagedLookasideList@28 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExInitializeNPagedLookasideListInternal	proc near
					; CODE XREF: ExInitializeNPagedLookasideList(x,x,x,x,x,x,x)+1Cp
					; RtlInitializeCompression()+17p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= word ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 005DDAC5 SIZE 00000086 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ax, _ExMinimumLookasideDepth
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	[esi], edi
		mov	[esi+4], edi
		mov	[esi+8], ax
		mov	eax, 100h
		mov	[esi+0Ah], ax
		mov	eax, [ebp+arg_C]
		mov	[esi+1Ch], eax
		mov	eax, [ebp+arg_14]
		mov	[esi+20h], eax
		mov	eax, [ebp+arg_10]
		mov	[esi+0Ch], edi
		mov	[esi+10h], edi
		mov	[esi+14h], edi
		mov	[esi+18h], edi
		mov	[esi+24h], eax
		test	edx, edx
		jnz	short loc_54FD8A
		mov	edx, offset _ExAllocatePoolWithTag@12 ;	ExAllocatePoolWithTag(x,x,x)

loc_54FD8A:				; CODE XREF: ExInitializeNPagedLookasideListInternal+4Bj
		mov	[esi+28h], edx
		test	ecx, ecx
		jnz	short loc_54FD96
		mov	ecx, offset _ExFreePool@4 ; ExFreePool(x)

loc_54FD96:				; CODE XREF: ExInitializeNPagedLookasideListInternal+57j
		mov	[esi+2Ch], ecx
		mov	[esi+38h], edi
		mov	[esi+3Ch], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _ExNPagedLookasideLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	[ebp+arg_1C], edi
		jnz	loc_5DDAC5
		cmp	_ExMinimumLookasideDepth, di
		jz	short loc_54FE07

loc_54FDC3:				; CODE XREF: ExInitializeNPagedLookasideListInternal+D6j
					; ExInitializeNPagedLookasideListInternal+8DD9Ej
		mov	eax, dword_6BBC64
		mov	ecx, offset _ExNPagedLookasideListHead
		add	esi, 30h
		cmp	[eax], ecx
		jnz	short loc_54FE10
		mov	[esi], ecx
		mov	ecx, offset _ExNPagedLookasideLock
		mov	[esi+4], eax
		mov	[eax], esi
		test	ds:byte_70EFC6,	1
		mov	dword_6BBC64, esi
		jnz	loc_5DDADB
		xor	eax, eax
		lock and [ecx],	eax

loc_54FDF8:				; CODE XREF: ExInitializeNPagedLookasideListInternal+8DDABj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	20h
; 

loc_54FE07:				; CODE XREF: ExInitializeNPagedLookasideListInternal+89j
		mov	dword ptr [esi+8], 0FFFF0000h
		jmp	short loc_54FDC3
; 

loc_54FE10:				; CODE XREF: ExInitializeNPagedLookasideListInternal+9Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

PfTSetTraceWorkerPriority:		; CODE XREF: PfPowerActionNotify+E1p
					; PfPowerActionNotify+FBp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		mov	esi, ecx
		cmp	esi, 1Fh
		ja	loc_5DDB43
		mov	eax, large fs:124h
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PfTGlobals
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6D42C0
		test	eax, eax
		jz	loc_5DDAE8
		push	esi
		push	eax
		call	KeSetPriorityThread
		mov	[ebp+var_10], eax

loc_54FE5E:				; CODE XREF: ExInitializeNPagedLookasideListInternal+8DDB7j
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_8], ecx
		mov	eax, ecx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_54FFA1

loc_54FE74:				; CODE XREF: ExInitializeNPagedLookasideListInternal+273j
		xor	edi, edi
		mov	eax, offset _PfTGlobals
		mov	[ebp+var_C], edi
		test	eax, 7FFFFFFCh
		jz	loc_54FF80
		mov	esi, large fs:124h
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_18], esi
		cmp	edx, offset _PfTGlobals
		ja	short loc_54FEC6
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_54FF8C
		cmp	edx, offset _PfTGlobals
		ja	short loc_54FEC6
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_54FF8C

loc_54FEC6:				; CODE XREF: ExInitializeNPagedLookasideListInternal+16Aj
					; ExInitializeNPagedLookasideListInternal+17Fj	...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	edx, offset _PfTGlobals
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jz	loc_54FFF4
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_550007

loc_54FF0A:				; CODE XREF: ExInitializeNPagedLookasideListInternal+2D7j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	loc_5DDB09
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_54FF56:				; CODE XREF: ExInitializeNPagedLookasideListInternal:loc_54FFFCj
					; ExInitializeNPagedLookasideListInternal+8DDE3j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_18], eax
		jnz	short loc_54FFB0

loc_54FF69:				; CODE XREF: ExInitializeNPagedLookasideListInternal+2B1j
					; ExInitializeNPagedLookasideListInternal+8DE06j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_54FF80
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_550014

loc_54FF80:				; CODE XREF: ExInitializeNPagedLookasideListInternal+14Bj
					; ExInitializeNPagedLookasideListInternal+23Aj	...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_10]
		pop	edi

loc_54FF89:				; CODE XREF: ExInitializeNPagedLookasideListInternal+8DE0Ej
		pop	esi
		leave
		retn
; 

loc_54FF8C:				; CODE XREF: ExInitializeNPagedLookasideListInternal+173j
					; ExInitializeNPagedLookasideListInternal+188j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_8], eax
		jmp	loc_54FEC6
; 

loc_54FFA1:				; CODE XREF: ExInitializeNPagedLookasideListInternal+136j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh
		jmp	loc_54FE74
; 

loc_54FFB0:				; CODE XREF: ExInitializeNPagedLookasideListInternal+22Fj
		test	edi, 8000h
		jz	short loc_54FFC1
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_54FFC1:				; CODE XREF: ExInitializeNPagedLookasideListInternal+27Ej
		test	byte ptr [ebp+var_C+2],	1
		jnz	loc_5DDB20

loc_54FFCB:				; CODE XREF: ExInitializeNPagedLookasideListInternal+8DDF2j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_54FFDF
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_54FFDF:				; CODE XREF: ExInitializeNPagedLookasideListInternal+29Aj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_54FF69
		jmp	loc_5DDB2F
; 

loc_54FFF4:				; CODE XREF: ExInitializeNPagedLookasideListInternal+1BAj
		mov	eax, [esi+5Ch]
		test	eax, 10000h

loc_54FFFC:				; DATA XREF: .text:off_422DF4o
		jnz	loc_54FF56

loc_550002:				; DATA XREF: .text:00425E1Co
		jmp	loc_5DDAF4
; 

loc_550007:				; CODE XREF: ExInitializeNPagedLookasideListInternal+1CCj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_14]
		jmp	loc_54FF0A
; 

loc_550014:				; CODE XREF: ExInitializeNPagedLookasideListInternal+242j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_54FF80
ExInitializeNPagedLookasideListInternal	endp


;  S U B	R O U T	I N E 


; __stdcall MiCaptureAllWorkingSetAccessBits(x,	x)
_MiCaptureAllWorkingSetAccessBits@8 proc near ;	CODE XREF: MmPerformMemoryListCommand+1Bp
		xor	eax, eax
		cmp	edx, 1
		setz	al
		lea	edx, ds:8[eax*8]
		jmp	$+5
_MiCaptureAllWorkingSetAccessBits@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiQueueWorkingSetRequest proc near	; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+6A7p
					; MiFlushAllFilesystemPages(x)+81p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005DDB4B SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		test	byte ptr [ecx+4], 20h
		push	ebx
		push	edi
		lea	edi, [ebp+var_C]
		mov	ebx, edx
		stosd
		stosd
		stosd
		jnz	short loc_5500CA
		push	esi
		mov	esi, [ecx+0F00h]
		test	esi, esi
		jz	short loc_5500C9
		lea	edx, [ebp+var_C]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esi+20h]
		test	eax, eax
		jnz	short loc_550074
		push	esi
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	eax, [esi+20h]

loc_550074:				; CODE XREF: MiQueueWorkingSetRequest+37j
		or	eax, ebx
		xor	edi, edi
		mov	[esi+20h], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5DDB4B
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5DDB63
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5DDB5B

loc_5500AA:				; CODE XREF: MiQueueWorkingSetRequest+8DB24j
					; MiQueueWorkingSetRequest+8DB3Dj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	edi
		push	edi
		lea	eax, [esi+48h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	edi
		push	edi
		push	edi
		push	12h
		push	esi
		call	KeWaitForSingleObject

loc_5500C9:				; CODE XREF: MiQueueWorkingSetRequest+23j
		pop	esi

loc_5500CA:				; CODE XREF: MiQueueWorkingSetRequest+18j
		pop	edi
		pop	ebx
		leave
		retn
MiQueueWorkingSetRequest endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPfIssueCoalesceCandidates proc near	; CODE XREF: sub_5041E1+4p
					; sub_504204+4p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DDB74 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi]
		mov	eax, [esi]
		cmp	eax, edi
		jnz	short loc_550118
		cmp	[esi+4], edi
		jnz	short loc_550140
		cmp	[eax+4], esi
		jnz	short loc_550140
		mov	[edi], eax
		xor	edx, edx
		push	0
		mov	ecx, esi
		mov	[eax+4], edi
		call	MiIssueHardFaultIo
		mov	edx, [ebp+arg_0]
		lea	ecx, [edx+4]
		mov	eax, [ecx]
		cmp	[eax], edx
		jnz	short loc_550140
		mov	[esi], edx
		mov	[esi+4], eax
		mov	[eax], esi

loc_55010D:				; CODE XREF: MiPfIssueCoalesceCandidates+68j
		mov	[ecx], esi
		xor	eax, eax

loc_550111:				; CODE XREF: MiPfIssueCoalesceCandidates+8DAECj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_550118:				; CODE XREF: MiPfIssueCoalesceCandidates+10j
		call	MiPfIssueCoalescedSupport
		mov	esi, eax
		test	esi, esi
		jz	short loc_550138
		mov	eax, [ebp+arg_0]
		lea	ecx, [eax+4]
		mov	edx, [ecx]
		cmp	[edx], eax
		jnz	short loc_550140
		mov	[esi], eax
		mov	[esi+4], edx
		mov	[edx], esi
		jmp	short loc_55010D
; 

loc_550138:				; CODE XREF: MiPfIssueCoalesceCandidates+53j
		mov	ebx, [ebp+arg_0]
		jmp	loc_5DDB74
; 

loc_550140:				; CODE XREF: MiPfIssueCoalesceCandidates+15j
					; MiPfIssueCoalesceCandidates+1Aj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
MiPfIssueCoalesceCandidates endp


MiPfIssueCoalescedSupport:		; CODE XREF: MiPfIssueCoalesceCandidates:loc_550118p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		mov	ebx, edx
		xor	edx, edx
		push	esi
		push	edi
		mov	eax, ebx
		mov	[ebp-28h], edx
		shr	eax, 0Ch
		mov	edi, ecx
		push	edx
		mov	[ebp-24h], edx
		mov	edx, 7343694Dh
		push	40h
		lea	ecx, ds:0C4h[eax*4]
		mov	[ebp-14h], edi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		mov	[ebp-20h], esi
		test	esi, esi
		jz	loc_55031A
		xor	edx, edx
		mov	ecx, esi
		call	_MiInitializeInPageSupport@8 ; MiInitializeInPageSupport(x,x)
		or	dword ptr [esi+78h], (offset loc_7FFFFF+1)
		lea	eax, [ebx+0FFFh]
		shr	eax, 0Ch
		lea	ecx, [esi+0A8h]
		xor	edx, edx
		mov	[ecx+14h], ebx
		mov	[ecx], edx
		mov	[ecx+10h], edx
		lea	eax, ds:1Ch[eax*4]
		mov	[ecx+18h], edx
		mov	[ecx+4], ax
		xor	eax, eax
		mov	[ecx+6], ax
		mov	eax, 4042h
		or	[esi+0AEh], ax
		mov	ecx, edx
		lea	eax, [esi+0C4h]
		mov	[ebp-10h], edx
		mov	[ebp-4], eax
		mov	eax, ds:_MmBadPointer
		mov	[ebp-18h], eax
		mov	[ebp-8], ecx

loc_5501E8:				; CODE XREF: .text:005502CEj
		mov	ebx, [edi]
		mov	[ebp-0Ch], edx
		cmp	ebx, edi
		jz	loc_5502ED
		cmp	[ebx+4], edi
		jnz	loc_55031E
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	loc_55031E
		mov	[edi], eax
		mov	[eax+4], edi
		lea	eax, [esi+8]
		mov	edi, [eax+4]
		mov	[ebp-1Ch], edi
		cmp	[edi], eax
		mov	edi, [ebp-14h]
		jnz	loc_55031E
		mov	ecx, [ebp-1Ch]
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		mov	ecx, [ebp-8]
		mov	[eax+4], ebx
		mov	eax, 4000h
		test	[ebx+0AEh], ax
		mov	eax, 0FFFFBFFFh
		jz	loc_5DDBBF

loc_550249:				; CODE XREF: .text:005DDBC6j
		cmp	dword ptr [ebp-10h], 0
		jz	loc_5502D3
		cmp	ecx, [ebx+38h]
		jnz	short loc_55025D
		cmp	edx, [ebx+3Ch]
		jz	short loc_550295

loc_55025D:				; CODE XREF: .text:00550256j
		and	[esi+0AEh], ax
		mov	edi, [ebx+38h]
		push	dword_6D34EC
		sub	edi, ecx
		mov	esi, edi
		shr	esi, 0Ch
		shl	esi, 2
		push	esi
		push	dword ptr [ebp-4]
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		add	[ebp-4], esi
		add	[ebp-8], edi
		mov	eax, [ebp-0Ch]
		adc	eax, 0
		add	[ebp-10h], edi
		mov	edi, [ebp-14h]
		mov	[ebp-0Ch], eax

loc_550295:				; CODE XREF: .text:0055025Bj
					; .text:005502EBj
		mov	esi, [ebx+70h]
		shr	esi, 0Ch
		mov	eax, esi
		shl	eax, 2
		push	eax
		lea	eax, [ebx+0C4h]
		push	eax
		push	dword ptr [ebp-4]
		call	_memcpy
		mov	eax, [ebp-4]
		add	esp, 0Ch
		mov	edx, [ebp-0Ch]
		lea	eax, [eax+esi*4]
		mov	esi, [ebp-20h]
		mov	[ebp-4], eax
		mov	eax, [ebx+70h]
		add	[ebp-8], eax
		adc	edx, 0
		add	[ebp-10h], eax
		jmp	loc_5501E8
; 

loc_5502D3:				; CODE XREF: .text:0055024Dj
		mov	eax, [ebx+38h]
		mov	[ebp-8], eax
		mov	[ebp-28h], eax
		mov	eax, [ebx+3Ch]
		mov	[ebp-0Ch], eax
		mov	[ebp-24h], eax
		mov	eax, [ebx+7Ch]
		mov	[ebp-18h], eax
		jmp	short loc_550295
; 

loc_5502ED:				; CODE XREF: .text:005501EFj
		mov	ecx, [ebp-18h]
		lea	edi, [esi+30h]
		push	0
		push	6
		push	edi
		lea	ebx, [esi+10h]
		push	ebx
		lea	eax, [ebp-28h]
		push	eax
		lea	edx, [esi+0A8h]
		call	IoPageReadEx
		test	eax, eax
		js	loc_5DDBCB

loc_550313:				; CODE XREF: .text:005DDBDAj
		mov	eax, esi

loc_550315:				; CODE XREF: .text:0055031Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55031A:				; CODE XREF: .text:00550180j
		xor	eax, eax
		jmp	short loc_550315
; 

loc_55031E:				; CODE XREF: .text:005501F8j
					; .text:00550203j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 8
; Exported entry 2406. RtlVerifyVersionInfo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlVerifyVersionInfo
RtlVerifyVersionInfo proc near		; CODE XREF: WdipSemLoadScenarioTable+3C7p
					; AslpFileGetVersionBlock(x,x,x)+165p

var_132		= byte ptr -132h
var_131		= dword	ptr -131h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= word ptr -10h
var_E		= byte ptr -0Eh
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005DDBDF SIZE 00000164 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 134h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+134h+var_4], eax
		cmp	[ebp+arg_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_C]
		mov	byte ptr [esp+140h+var_131], 0
		jz	loc_5DDD39
		push	118h		; size_t
		lea	eax, [esp+144h+var_124]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+140h+var_128], 11Ch
		lea	eax, [esp+140h+var_128]
		push	eax
		call	RtlGetVersion
		test	eax, eax
		jnz	loc_55042E
		test	byte ptr [ebp+arg_4], 40h
		jnz	loc_5504B4

loc_550394:				; CODE XREF: RtlVerifyVersionInfo+199j
					; RtlVerifyVersionInfo+1CDj ...
		xor	ebx, ebx
		mov	al, 1
		inc	ebx
		mov	byte ptr [esp+140h+var_131], al
		test	byte ptr [ebp+arg_4], 2
		jz	short loc_5503E9
		test	edi, edi
		jl	short loc_5503B5
		jg	loc_5DDBF1
		test	esi, esi
		jnb	loc_5DDBF1

loc_5503B5:				; CODE XREF: RtlVerifyVersionInfo+7Dj
		push	edi
		push	esi
		push	2
		pop	ecx
		call	_RtlpVerGetConditionMask@12 ; RtlpVerGetConditionMask(x,x,x)
		mov	ebx, eax

loc_5503C1:				; CODE XREF: RtlVerifyVersionInfo+8D8D4j
		push	0
		lea	eax, [esp+144h+var_131]
		mov	ecx, ebx
		push	eax
		mov	eax, [ebp+arg_0]
		push	[esp+148h+var_124]
		mov	edx, [eax+4]
		call	RtlpVerCompare
		test	al, al
		mov	al, byte ptr [esp+140h+var_131]
		jz	loc_5DDC01
		test	al, al
		jz	short loc_55040B

loc_5503E9:				; CODE XREF: RtlVerifyVersionInfo+79j
					; RtlVerifyVersionInfo+8D8DBj
		test	byte ptr [ebp+arg_4], 1
		jnz	short loc_550445

loc_5503EF:				; CODE XREF: RtlVerifyVersionInfo+144j
		test	al, al
		jz	short loc_55040B

loc_5503F3:				; CODE XREF: RtlVerifyVersionInfo+8D913j
		test	byte ptr [ebp+arg_4], 20h
		jnz	loc_5DDC46

loc_5503FD:				; CODE XREF: RtlVerifyVersionInfo+8D975j
		test	al, al
		jz	short loc_55040B

loc_550401:				; CODE XREF: RtlVerifyVersionInfo+8D966j
		test	byte ptr [ebp+arg_4], 10h
		jnz	loc_5DDCA2

loc_55040B:				; CODE XREF: RtlVerifyVersionInfo+BFj
					; RtlVerifyVersionInfo+C9j ...
		test	byte ptr [ebp+arg_4], 4
		jnz	short loc_550473
		mov	ebx, [ebp+arg_0]

loc_550414:				; CODE XREF: RtlVerifyVersionInfo+181j
		test	byte ptr [ebp+arg_4], 8
		jnz	loc_5DDCFF

loc_55041E:				; CODE XREF: RtlVerifyVersionInfo+8DA0Cj
		mov	ecx, 80h
		test	byte ptr [ebp+arg_4], cl
		jnz	loc_55053B

loc_55042C:				; CODE XREF: RtlVerifyVersionInfo+244j
		xor	eax, eax

loc_55042E:				; CODE XREF: RtlVerifyVersionInfo+5Cj
					; RtlVerifyVersionInfo+24Fj ...
		mov	ecx, [esp+140h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_550445:				; CODE XREF: RtlVerifyVersionInfo+C5j
		cmp	ebx, 1
		jz	loc_5DDC0E

loc_55044E:				; CODE XREF: RtlVerifyVersionInfo+8D8FBj
					; RtlVerifyVersionInfo+8D90Cj
		push	1
		lea	eax, [esp+144h+var_131]
		mov	ecx, ebx
		push	eax
		mov	eax, [ebp+arg_0]
		push	[esp+148h+var_120]
		mov	edx, [eax+8]
		call	RtlpVerCompare
		test	al, al
		mov	al, byte ptr [esp+140h+var_131]
		jnz	short loc_5503EF
		jmp	loc_5DDC39
; 

loc_550473:				; CODE XREF: RtlVerifyVersionInfo+E7j
		test	edi, edi
		jl	short loc_550485
		jg	loc_5DDCEF
		test	esi, esi
		jnb	loc_5DDCEF

loc_550485:				; CODE XREF: RtlVerifyVersionInfo+14Dj
		push	edi
		push	esi
		push	4
		pop	ecx
		call	_RtlpVerGetConditionMask@12 ; RtlpVerGetConditionMask(x,x,x)

loc_55048F:				; CODE XREF: RtlVerifyVersionInfo+8D9D2j
		mov	ebx, [ebp+arg_0]
		lea	ecx, [esp+140h+var_131]
		push	0
		push	ecx
		push	[esp+148h+var_11C]
		mov	edx, [ebx+0Ch]
		mov	ecx, eax
		call	RtlpVerCompare
		test	al, al
		jnz	loc_550414
		jmp	loc_550572
; 

loc_5504B4:				; CODE XREF: RtlVerifyVersionInfo+66j
		mov	eax, [ebp+arg_0]
		movzx	eax, word ptr [eax+118h]
		test	ax, ax
		jz	loc_550394
		xor	ecx, ecx
		mov	[esp+140h+var_131+1], eax
		mov	[esp+140h+var_12C], ecx

loc_5504D1:				; CODE XREF: RtlVerifyVersionInfo+1BEj
		xor	ebx, ebx
		inc	ebx
		shl	ebx, cl
		test	eax, ebx
		jnz	short loc_550504

loc_5504DA:				; CODE XREF: RtlVerifyVersionInfo+211j
					; RtlVerifyVersionInfo+26Bj
		mov	bl, byte ptr [esp+140h+var_131]

loc_5504DE:				; CODE XREF: RtlVerifyVersionInfo+8D8C4j
		inc	ecx
		mov	[esp+140h+var_12C], ecx
		cmp	ecx, 10h
		jb	short loc_5504D1
		push	edi
		push	esi
		push	40h
		pop	ecx
		call	_RtlpVerGetConditionMask@12 ; RtlpVerGetConditionMask(x,x,x)
		cmp	eax, 7
		jnz	loc_550394
		test	bl, bl
		jz	short loc_550572
		jmp	loc_550394
; 

loc_550504:				; CODE XREF: RtlVerifyVersionInfo+1B0j
		test	edi, edi
		jl	short loc_550516
		jg	loc_5DDBDF
		test	esi, esi
		jnb	loc_5DDBDF

loc_550516:				; CODE XREF: RtlVerifyVersionInfo+1DEj
		push	edi
		push	esi
		push	40h
		pop	ecx
		call	_RtlpVerGetConditionMask@12 ; RtlpVerGetConditionMask(x,x,x)
		mov	ecx, [esp+140h+var_12C]

loc_550524:				; CODE XREF: RtlVerifyVersionInfo+8D8B9j
		sub	eax, 6
		jnz	short loc_55057C
		movzx	eax, [esp+140h+var_10]
		test	eax, ebx
		jz	short loc_550572
		mov	eax, [esp+140h+var_131+1]
		jmp	short loc_5504DA
; 

loc_55053B:				; CODE XREF: RtlVerifyVersionInfo+FEj
		test	edi, edi
		jl	short loc_550545
		jg	short loc_55059E
		test	esi, esi
		jnb	short loc_55059E

loc_550545:				; CODE XREF: RtlVerifyVersionInfo+215j
		push	edi
		push	esi
		call	_RtlpVerGetConditionMask@12 ; RtlpVerGetConditionMask(x,x,x)

loc_55054C:				; CODE XREF: RtlVerifyVersionInfo+278j
		movzx	edx, byte ptr [ebx+11Ah]
		lea	ecx, [esp+140h+var_131]
		push	0
		push	ecx
		movzx	ecx, [esp+148h+var_E]
		push	ecx
		mov	ecx, eax
		call	RtlpVerCompare
		test	al, al
		jnz	loc_55042C

loc_550572:				; CODE XREF: RtlVerifyVersionInfo+187j
					; RtlVerifyVersionInfo+1D5j ...
		mov	eax, 0C0000059h
		jmp	loc_55042E
; 

loc_55057C:				; CODE XREF: RtlVerifyVersionInfo+1FFj
		sub	eax, 1
		jnz	loc_5DDD39
		movzx	eax, [esp+140h+var_10]
		test	eax, ebx
		mov	eax, [esp+140h+var_131+1]
		jz	loc_5504DA
		jmp	loc_5DDBE6
; 

loc_55059E:				; CODE XREF: RtlVerifyVersionInfo+217j
					; RtlVerifyVersionInfo+21Bj
		xor	eax, eax
		jmp	short loc_55054C
RtlVerifyVersionInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpVerGetConditionMask(x, x, x)
_RtlpVerGetConditionMask@12 proc near	; CODE XREF: RtlVerifyVersionInfo+92p
					; RtlVerifyVersionInfo+162p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax

loc_5505A9:				; CODE XREF: RtlpVerGetConditionMask(x,x,x)+Cj
		mov	edx, eax
		inc	eax
		shr	ecx, 1
		jnz	short loc_5505A9
		mov	eax, [ebp+arg_0]
		imul	ecx, edx, 3
		mov	edx, [ebp+arg_4]
		call	__aullshr
		and	eax, 7
		pop	ebp
		retn	8
_RtlpVerGetConditionMask@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpVerCompare	proc near		; CODE XREF: RtlVerifyVersionInfo+ACp
					; RtlVerifyVersionInfo+139p ...

var_2C		= byte ptr -2Ch
var_18		= byte ptr -18h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005DDD43 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		test	[ebp+arg_8], 1
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, ecx
		jnz	short loc_55061B
		mov	ecx, dword ptr [ebp+arg_0]

loc_5505E8:				; CODE XREF: RtlpVerCompare+A1j
		cmp	edx, ecx
		setz	al
		mov	[edi], al
		sub	esi, 1
		jz	short loc_55066C
		sub	esi, 1
		jz	loc_5DDD68
		sub	esi, 1
		jnz	loc_5DDD43
		cmp	ecx, edx
		setnl	al

loc_55060B:				; CODE XREF: RtlpVerCompare+ABj
					; RtlpVerCompare+8D789j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_55061B:				; CODE XREF: RtlpVerCompare+1Dj
		push	ebx
		push	edx		; char
		mov	ebx, (offset off_5A59CF+1)
		lea	eax, [ebp+var_18]
		push	ebx		; char *
		push	14h		; int
		push	eax		; char *
		call	RtlStringCbPrintfA
		push	dword ptr [ebp+arg_0] ;	char
		lea	eax, [ebp+var_2C]
		push	ebx		; char *
		push	14h		; int
		push	eax		; char *
		call	RtlStringCbPrintfA
		add	esp, 20h
		lea	ecx, [ebp+var_18]
		lea	eax, [ebp+var_2C]

loc_550646:				; CODE XREF: RtlpVerCompare+9Cj
		mov	bl, [eax]
		xor	edx, edx
		cmp	bl, [ecx]
		jnz	short loc_550673
		test	bl, bl
		jz	short loc_550664
		mov	bl, [eax+1]
		cmp	bl, [ecx+1]
		jnz	short loc_550673
		add	eax, 2
		add	ecx, 2
		test	bl, bl
		jnz	short loc_550646

loc_550664:				; CODE XREF: RtlpVerCompare+8Aj
		mov	ecx, edx

loc_550666:				; CODE XREF: RtlpVerCompare+B2j
		pop	ebx
		jmp	loc_5505E8
; 

loc_55066C:				; CODE XREF: RtlpVerCompare+2Cj
		cmp	ecx, edx
		setz	al
		jmp	short loc_55060B
; 

loc_550673:				; CODE XREF: RtlpVerCompare+86j
					; RtlpVerCompare+92j
		sbb	ecx, ecx
		or	ecx, 1
		jmp	short loc_550666
RtlpVerCompare	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl RtlStringCbPrintfA(char *,int,char *,char)
RtlStringCbPrintfA proc	near		; CODE XREF: RtlpVerCompare+63p
					; RtlpVerCompare+72p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005DDD72 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		test	eax, eax
		jz	short loc_5506B0
		cmp	eax, 7FFFFFFFh
		ja	short loc_5506B0

loc_55068F:				; CODE XREF: RtlStringCbPrintfA+3Bj
		test	ecx, ecx
		js	loc_5DDD72
		lea	ecx, [ebp+arg_C]
		mov	edx, eax	; int
		push	ecx		; va_list
		push	[ebp+arg_8]	; char *
		mov	ecx, [ebp+arg_0] ; char	*
		push	0		; int
		call	RtlStringVPrintfWorkerA
		mov	ecx, eax

loc_5506AC:				; CODE XREF: RtlStringCbPrintfA+8D6FAj
					; RtlStringCbPrintfA+8D706j
		mov	eax, ecx
		pop	ebp
		retn
; 

loc_5506B0:				; CODE XREF: RtlStringCbPrintfA+Cj
					; RtlStringCbPrintfA+13j
		mov	ecx, 0C000000Dh
		jmp	short loc_55068F
RtlStringCbPrintfA endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlStringVPrintfWorkerA(char *,int,int,char *,va_list)
RtlStringVPrintfWorkerA	proc near	; CODE XREF: RtlStringCbPrintfA+2Bp
					; _RtlStringCbPrintfExA+87p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_8]	; va_list
		lea	esi, [edx-1]
		mov	edi, ecx
		push	[ebp+arg_4]	; char *
		xor	ebx, ebx
		push	esi		; size_t
		push	edi		; char *
		call	__vsnprintf
		add	esp, 10h
		test	eax, eax
		js	short loc_5506F8
		cmp	eax, esi
		ja	short loc_5506F8
		jz	short loc_5506F3
		mov	esi, eax

loc_5506E3:				; CODE XREF: RtlStringVPrintfWorkerA+3Ej
					; RtlStringVPrintfWorkerA+48j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_550702

loc_5506EA:				; CODE XREF: RtlStringVPrintfWorkerA+4Cj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_5506F3:				; CODE XREF: RtlStringVPrintfWorkerA+27j
		mov	[esi+edi], bl
		jmp	short loc_5506E3
; 

loc_5506F8:				; CODE XREF: RtlStringVPrintfWorkerA+21j
					; RtlStringVPrintfWorkerA+25j
		mov	[esi+edi], bl
		mov	ebx, 80000005h
		jmp	short loc_5506E3
; 

loc_550702:				; CODE XREF: RtlStringVPrintfWorkerA+30j
		mov	[eax], esi
		jmp	short loc_5506EA
RtlStringVPrintfWorkerA	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiZeroSectionObjectPointer(x, x, x)
_MiZeroSectionObjectPointer@12 proc near ; CODE	XREF: MiCreateImageOrDataSection+2E9p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		test	[ebp+arg_0], 1000000h
		mov	eax, [ecx+14h]
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], eax
		push	edi
		mov	[ebp+var_8], esi
		jz	short loc_55072A
		add	eax, 8
		mov	[ebp+var_4], eax

loc_55072A:				; CODE XREF: MiZeroSectionObjectPointer(x,x,x)+1Cj
		mov	ecx, eax
		call	KeAbPostRelease
		lea	edi, [esi+24h]
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	esi, [esi+2Ch]
		mov	bl, al
		mov	eax, [ebp+var_8]
		push	offset dword_6CF3C0
		and	dword ptr [eax+2Ch], 0
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	eax, [ebp+var_4]
		push	offset dword_6CF3C0
		and	dword ptr [eax], 0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, [ebp+var_8]
		push	edi
		or	dword ptr [eax+1Ch], 0C0000h
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiZeroSectionObjectPointer@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCsqCancelRoutine proc near		; DATA XREF: IoCsqInsertIrpEx+4Do

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DDD85 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		xor	edi, edi
		mov	byte ptr [ebp+var_4], 0
		mov	al, [ebx+25h]
		inc	edi
		mov	byte ptr [ebp+arg_4+3],	al
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+450h]
		jnz	loc_5DDD85
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_55081A
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_550828

loc_5507C9:				; CODE XREF: IopCsqCancelRoutine+A4j
					; IopCsqCancelRoutine+8D60Dj
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, [ebx+4Ch]
		mov	eax, [edi]
		cmp	eax, 1
		jz	short loc_55080B
		cmp	eax, 2
		jnz	short loc_550831

loc_5507E1:				; CODE XREF: IopCsqCancelRoutine+B4j
		mov	esi, edi

loc_5507E3:				; CODE XREF: IopCsqCancelRoutine+8Cj
		and	dword ptr [esi+1Ch], 0
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		call	dword ptr [esi+10h]
		push	ebx
		push	esi
		call	dword ptr [esi+8]
		cmp	edi, esi
		jnz	short loc_550810

loc_5507F8:				; CODE XREF: IopCsqCancelRoutine+96j
		push	[ebp+var_4]
		push	esi
		call	dword ptr [esi+14h]
		push	ebx
		push	esi
		call	dword ptr [esi+18h]

loc_550804:				; CODE XREF: IopCsqCancelRoutine+B2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_55080B:				; CODE XREF: IopCsqCancelRoutine+58j
		mov	esi, [edi+8]
		jmp	short loc_5507E3
; 

loc_550810:				; CODE XREF: IopCsqCancelRoutine+74j
		and	dword ptr [edi+4], 0
		and	dword ptr [ebx+4Ch], 0
		jmp	short loc_5507F8
; 

loc_55081A:				; CODE XREF: IopCsqCancelRoutine+36j
					; IopCsqCancelRoutine+ADj
		mov	dword ptr [esi], 0
		add	eax, 4
		lock xor [eax],	edi
		jmp	short loc_5507C9
; 

loc_550828:				; CODE XREF: IopCsqCancelRoutine+45j
		mov	ecx, esi
		call	KxWaitForLockChainValid
		jmp	short loc_55081A
; 

loc_550831:				; CODE XREF: IopCsqCancelRoutine+5Dj
		cmp	eax, 3
		jnz	short loc_550804
		jmp	short loc_5507E1
IopCsqCancelRoutine endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSwapValueInList(x, x, x,	x)
_CmpSwapValueInList@16 proc near	; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+792p
					; CmSetValueKey(x,x,x,x,x,x,x)+83Dp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_4]
		or	[ebp+var_8], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	eax, [eax+4]
		xor	esi, esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], esi
		lea	ecx, [ebp+var_8]
		mov	ebx, edx
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	short loc_550879
		mov	ecx, [ebp+arg_0]
		mov	[eax+ecx*4], ebx
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_550870:				; CODE XREF: CmpSwapValueInList(x,x,x,x)+46j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_550879:				; CODE XREF: CmpSwapValueInList(x,x,x,x)+28j
		mov	esi, 0C000009Ah
		jmp	short loc_550870
_CmpSwapValueInList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiOkToSetPteDirtyForNotValidFault(x, x, x)
_MiOkToSetPteDirtyForNotValidFault@12 proc near	; CODE XREF: MiIssueHardFault(x,x)+41Bp
					; MiProbeLeafPteAccess(x,x)+384p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ecx, ds:_MmHighestUserAddress
		jbe	short loc_550894

loc_55088D:				; CODE XREF: MiOkToSetPteDirtyForNotValidFault(x,x,x)+34j
		xor	eax, eax
		inc	eax

loc_550890:				; CODE XREF: MiOkToSetPteDirtyForNotValidFault(x,x,x)+41j
		pop	ebp
		retn	8
; 

loc_550894:				; CODE XREF: MiOkToSetPteDirtyForNotValidFault(x,x,x)+Bj
		cmp	[ebp+arg_4], 0
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		jl	short loc_5508AE
		jg	short loc_5508B6
		cmp	[ebp+arg_0], 0
		jnb	short loc_5508B6

loc_5508AE:				; CODE XREF: MiOkToSetPteDirtyForNotValidFault(x,x,x)+24j
					; MiOkToSetPteDirtyForNotValidFault(x,x,x)+3Dj
		mov	eax, [eax+4B4h]
		jmp	short loc_55088D
; 

loc_5508B6:				; CODE XREF: MiOkToSetPteDirtyForNotValidFault(x,x,x)+26j
					; MiOkToSetPteDirtyForNotValidFault(x,x,x)+2Cj
		test	byte ptr [eax+0FCh], 10h
		jz	short loc_5508AE
		xor	eax, eax
		jmp	short loc_550890
_MiOkToSetPteDirtyForNotValidFault@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPfCompleteCoalescedIo	proc near	; CODE XREF: MiPfCompletePrefetchIos(x,x,x):loc_4BC5AEp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DDD94 SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_8], edx
		push	ebx
		push	ebx
		mov	esi, ecx
		mov	[ebp+var_4], ebx
		push	ebx
		push	9
		lea	eax, [esi+10h]
		push	eax
		call	KeWaitForSingleObject
		movzx	eax, word ptr [esi+0AEh]
		lea	edi, [esi+0A8h]
		mov	ecx, eax
		test	eax, 200h
		jnz	loc_5DDD94

loc_550901:				; CODE XREF: MiPfCompleteCoalescedIo+8D4E8j
		test	cl, 1
		jz	short loc_550912
		push	edi
		push	dword ptr [esi+0B4h]
		call	MmUnmapLockedPages

loc_550912:				; CODE XREF: MiPfCompleteCoalescedIo+40j
		mov	eax, [esi+30h]
		test	eax, eax
		js	short loc_55098C
		mov	eax, [esi+34h]
		mov	ecx, [esi+0BCh]
		cmp	eax, ecx
		jnz	loc_5DDDB1

loc_55092A:				; CODE XREF: MiPfCompleteCoalescedIo+CBj
		lea	ebx, [esi+8]

loc_55092D:				; CODE XREF: MiPfCompleteCoalescedIo+AAj
					; MiPfCompleteCoalescedIo+B1j ...
		mov	edi, [ebx]
		cmp	edi, ebx
		jz	short loc_55097C
		cmp	[edi+4], ebx
		jnz	short loc_550995
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_550995
		mov	[ebx], eax
		xor	ecx, ecx
		mov	[eax+4], ebx
		mov	eax, [esi+30h]
		mov	[edi+30h], eax
		cmp	[esi+30h], ecx
		jl	short loc_550991
		mov	eax, [edi+70h]

loc_550954:				; CODE XREF: MiPfCompleteCoalescedIo+CFj
		push	ecx
		mov	[edi+34h], eax
		lea	eax, [edi+10h]
		push	ecx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	MiPfCompleteInPageSupport
		test	eax, eax
		jns	short loc_55092D
		cmp	eax, 0C0000434h
		jz	short loc_55092D
		mov	[ebp+var_4], eax
		jmp	short loc_55092D
; 

loc_55097C:				; CODE XREF: MiPfCompleteCoalescedIo+6Dj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55098C:				; CODE XREF: MiPfCompleteCoalescedIo+53j
		mov	[ebp+var_4], eax
		jmp	short loc_55092A
; 

loc_550991:				; CODE XREF: MiPfCompleteCoalescedIo+8Bj
		mov	eax, ecx
		jmp	short loc_550954
; 

loc_550995:				; CODE XREF: MiPfCompleteCoalescedIo+72j
					; MiPfCompleteCoalescedIo+79j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
MiPfCompleteCoalescedIo	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExCompareExchangeCallBack proc near	; CODE XREF: IoRegisterPriorityCallback+52p
					; IoUnregisterPriorityCallback(x)+4Bp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DDDFB SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		test	edi, edi
		jz	short loc_5509BA
		push	8
		pop	edx
		mov	ecx, edi
		call	ExAcquireRundownProtectionEx
		test	al, al
		jz	short loc_5509F5

loc_5509BA:				; CODE XREF: ExCompareExchangeCallBack+10j
		mov	esi, [ebx]

loc_5509BC:				; CODE XREF: ExCompareExchangeCallBack+7Dj
		mov	eax, esi
		xor	eax, [ebp+arg_0]
		cmp	eax, 7
		jbe	short loc_5509FE

loc_5509C6:				; CODE XREF: ExCompareExchangeCallBack+79j
		push	0FFFFFFF8h
		mov	eax, esi
		pop	ebx
		and	eax, ebx
		mov	[ebp+var_4], eax
		cmp	eax, [ebp+arg_0]
		jz	short loc_550A19
		test	edi, edi
		jz	short loc_5509F5
		mov	edx, [edi]
		test	dl, 1
		jnz	loc_5DDE05

loc_5509E4:				; CODE XREF: ExCompareExchangeCallBack+8D465j
		lea	ecx, [edx-10h]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	loc_5DDDFB

loc_5509F5:				; CODE XREF: ExCompareExchangeCallBack+1Ej
					; ExCompareExchangeCallBack+3Dj ...
		xor	al, al

loc_5509F7:				; CODE XREF: ExCompareExchangeCallBack+85j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_5509FE:				; CODE XREF: ExCompareExchangeCallBack+2Aj
		mov	eax, edi
		mov	ecx, edi
		or	eax, 7
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, esi
		lock cmpxchg [ebx], ecx
		cmp	eax, esi
		jz	short loc_5509C6
		mov	esi, eax
		jmp	short loc_5509BC
; 

loc_550A19:				; CODE XREF: ExCompareExchangeCallBack+39j
		test	eax, eax
		jnz	short loc_550A21

loc_550A1D:				; CODE XREF: ExCompareExchangeCallBack+C3j
					; MiPfCompleteCoalescedIo+8D511j ...
		mov	al, 1
		jmp	short loc_5509F7
; 

loc_550A21:				; CODE XREF: ExCompareExchangeCallBack+81j
		mov	edi, offset _ExpCallBackFlush
		push	edi
		call	ExAcquireSpinLockExclusive
		push	edi
		mov	bl, al
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, [ebp+var_4]
		and	esi, 7
		inc	esi
		mov	edx, [edi]
		test	dl, 1
		jnz	loc_5DDDC8
		lea	ebx, [esi+esi]

loc_550A51:				; CODE XREF: MiPfCompleteCoalescedIo+8D4FEj
		mov	ecx, edx
		mov	eax, edx
		sub	ecx, ebx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_550A1D
		jmp	loc_5DDDBE
ExCompareExchangeCallBack endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReferenceOwningSession proc near	; CODE XREF: MiLockStealSystemVm(x,x,x,x)+148p
					; MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+135p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 005DDE35 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		call	MiGetTopLevelPfn
		lea	ecx, [eax+10h]
		test	dword ptr [ecx], 40000000h
		jnz	loc_5DDE35
		mov	esi, [eax]
		shr	esi, 1
		and	esi, 0FFFFFFF8h
		or	esi, 80000000h
		cmp	eax, ebx
		jz	short loc_550AA6
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax

loc_550AA6:				; CODE XREF: MiReferenceOwningSession+38j
		lea	ecx, [ebp+var_C]
		call	_MiTryToAcquireExpansionLockAtDpc@4 ; MiTryToAcquireExpansionLockAtDpc(x)
		test	eax, eax
		jz	short loc_550AF1
		mov	ecx, esi
		call	MiSelectSessionAttachProcess
		test	ds:byte_70EFC6,	1
		mov	esi, eax
		jnz	loc_5DDE4A
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5DDE62
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5DDE5A

loc_550AEA:				; CODE XREF: MiReferenceOwningSession+8D3F1j
					; MiReferenceOwningSession+8D40Ej
		mov	eax, esi

loc_550AEC:				; CODE XREF: MiReferenceOwningSession+8Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_550AF1:				; CODE XREF: MiReferenceOwningSession+4Cj
					; MiReferenceOwningSession+8D3D3j ...
		xor	eax, eax
		jmp	short loc_550AEC
MiReferenceOwningSession endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiDeleteImageSecurity(x)
_MiDeleteImageSecurity@4 proc near	; CODE XREF: MiDeleteControlArea+6Bp
		mov	ecx, [ecx+38h]
		mov	ecx, [ecx+14h]
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	eax, 8
		ja	short loc_550B07
		retn
; 

loc_550B07:				; CODE XREF: MiDeleteImageSecurity(x)+Ej
		and	ecx, 0FFFFFFF8h
		jmp	_SeReleaseImageValidationContext@4 ; SeReleaseImageValidationContext(x)
_MiDeleteImageSecurity@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1166. KeInitializeDeviceQueue

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeDeviceQueue(x)
		public _KeInitializeDeviceQueue@4
_KeInitializeDeviceQueue@4 proc	near	; CODE XREF: IoCreateDevice+332p
					; IoCreateController(x)+C9p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	14h
		pop	eax
		mov	[ecx], ax
		mov	[ecx+2], ax
		lea	eax, [ecx+4]
		mov	[eax+4], eax
		mov	[eax], eax
		and	dword ptr [ecx+0Ch], 0
		mov	byte ptr [ecx+10h], 0
		pop	ebp
		retn	4
_KeInitializeDeviceQueue@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInsertPhysicalPteMapping proc	near	; CODE XREF: MiMapLockedPagesInUserSpaceHelper+B8p
					; MiInsertViewOfPhysicalSection+CCp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DDE77 SIZE 000000C3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	ecx, esi
		mov	edi, edx
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		mov	[esp+18h+var_4], eax
		cmp	edi, dword_6D07B0
		ja	short loc_550B7F
		mov	eax, dword_6D35B8
		mov	edx, edi
		shr	edx, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jnz	loc_550C78

loc_550B7F:				; CODE XREF: MiInsertPhysicalPteMapping+26j
		mov	ecx, edi
		call	_MiLookupIoPageNode@4 ;	MiLookupIoPageNode(x)
		test	eax, eax
		jz	loc_5DDEAF
		mov	ecx, edi
		xor	edx, edx
		and	ecx, 1FFFFFFh
		and	esi, 7
		sub	ecx, [eax+14h]
		mov	eax, [eax+18h]
		mov	ax, [eax+ecx*2]
		mov	word ptr [esp+18h+var_8], ax
		movzx	eax, ax
		shr	eax, 0Eh
		sub	eax, edx
		jz	loc_550CB5
		dec	eax
		sub	eax, 1
		jz	loc_5DDEC0

loc_550BC2:				; CODE XREF: MiInsertPhysicalPteMapping+170j
					; MiInsertPhysicalPteMapping+17Ej ...
		or	esi, 80000000h
		mov	edx, edi
		push	esi
		mov	ecx, ebx
		call	MiMakeValidPte
		mov	ecx, ebx
		mov	esi, eax
		xor	edi, edi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5DDEC8
		mov	ecx, edi

loc_550BE7:				; CODE XREF: MiInsertPhysicalPteMapping+8D3A1j
					; MiInsertPhysicalPteMapping+8D3AEj ...
		mov	[ebx+4], edx
		nop
		mov	[ebx], esi
		test	ecx, ecx
		jnz	loc_5DDF18

loc_550BF5:				; CODE XREF: MiInsertPhysicalPteMapping+8D3E7j
		mov	eax, large fs:124h
		mov	ecx, ebx
		shr	ecx, 0Ch
		xor	edx, edx
		and	ecx, 7FFh
		inc	edx
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		add	eax, 190h
		lea	ecx, [eax+ecx*2]
		call	_MiIncreaseUsedPtesCount@8 ; MiIncreaseUsedPtesCount(x,x)
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		mov	ecx, [ebx-40000000h]
		nop
		mov	eax, [ebx-3FFFFFFCh]
		shrd	ecx, eax, 0Ch
		mov	[esp+18h+var_4], edi
		and	ecx, 1FFFFFFh
		imul	ebx, ecx, 1Ch
		add	ebx, ds:_MmPfnDatabase
		lea	esi, [ebx+10h]

loc_550C52:				; CODE XREF: MiInsertPhysicalPteMapping+8D3FBj
		lock bts dword ptr [esi], 1Fh
		jb	loc_5DDF26
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_550C78:				; CODE XREF: MiInsertPhysicalPteMapping+3Fj
		imul	ecx, edi, 1Ch
		xor	edx, edx
		add	ecx, ds:_MmPfnDatabase
		mov	[esp+18h+var_8], ecx
		cmp	[ecx+14h], dx
		jz	loc_5DDE77

loc_550C91:				; CODE XREF: MiInsertPhysicalPteMapping+8D34Bj
		mov	dl, [ecx+16h]
		mov	al, dl
		and	al, 0C0h
		cmp	al, 0C0h
		jz	loc_5DDE8A

loc_550CA0:				; CODE XREF: MiInsertPhysicalPteMapping+8D360j
		movzx	eax, dl
		shr	eax, 6
		cmp	eax, [esp+18h+var_4]
		jz	loc_550BC2
		jmp	loc_5DDE9F
; 

loc_550CB5:				; CODE XREF: MiInsertPhysicalPteMapping+78j
		or	esi, 8
		jmp	loc_550BC2
MiInsertPhysicalPteMapping endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiLookupIoPageNode(x)
_MiLookupIoPageNode@4 proc near		; CODE XREF: MiInsertPhysicalPteMapping+47p
					; .text:00629E07p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	offset unk_6D3440
		mov	edi, ecx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	esi, dword_6D3448
		mov	bl, al
		jmp	short loc_550CDB
; 

loc_550CD9:				; CODE XREF: MiLookupIoPageNode(x)+26j
		mov	esi, [esi]

loc_550CDB:				; CODE XREF: MiLookupIoPageNode(x)+19j
					; MiLookupIoPageNode(x)+4Cj
		test	esi, esi
		jz	short loc_550CEF
		mov	eax, [esi+14h]
		cmp	edi, eax
		jb	short loc_550CD9
		add	eax, 200h
		cmp	edi, eax
		jnb	short loc_550D07

loc_550CEF:				; CODE XREF: MiLookupIoPageNode(x)+1Fj
		push	offset unk_6D3440
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_550D07:				; CODE XREF: MiLookupIoPageNode(x)+2Fj
		mov	esi, [esi+4]
		jmp	short loc_550CDB
_MiLookupIoPageNode@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1101. KeAndGroupAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeAndGroupAffinityEx
KeAndGroupAffinityEx proc near		; CODE XREF: KeQueryLogicalProcessorRelationship+3E7p
					; PpmEventDomainPerfStateChange+817E4p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DDF3A SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_8]
		mov	ecx, [eax+8]
		mov	eax, [ebp+arg_4]
		and	ecx, [eax]
		test	edx, edx
		jnz	loc_5DDF3A

loc_550D2D:				; CODE XREF: KeAndGroupAffinityEx+8D232j
		xor	eax, eax
		test	ecx, ecx
		setnz	al
		pop	ebp
		retn	0Ch
KeAndGroupAffinityEx endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2278. RtlPcToFileHeader

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlPcToFileHeader
RtlPcToFileHeader proc near		; CODE XREF: EtwpLocateDbgIdForRegEntry+C7p

var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DDF49 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		lea	ecx, [ebp-1]
		mov	[ebp+var_1], 0
		call	_MmLockLoadedModuleListShared@4	; MmLockLoadedModuleListShared(x)
		mov	ecx, _PsLoadedModuleList
		test	ecx, ecx
		jz	loc_5DDF49
		mov	edx, offset _PsLoadedModuleList
		jmp	short loc_550D7C
; 

loc_550D66:				; CODE XREF: RtlPcToFileHeader+40j
		lea	eax, [ecx]
		mov	ecx, [ecx]
		mov	esi, [eax+18h]
		cmp	[ebp+arg_0], esi
		jb	short loc_550D7C
		mov	eax, [eax+20h]
		add	eax, esi
		cmp	[ebp+arg_0], eax
		jb	short loc_550D85

loc_550D7C:				; CODE XREF: RtlPcToFileHeader+26j
					; RtlPcToFileHeader+32j
		cmp	ecx, edx
		jnz	short loc_550D66
		jmp	loc_5DDF49
; 

loc_550D85:				; CODE XREF: RtlPcToFileHeader+3Cj
		push	offset _PsLoadedModuleSpinLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		cmp	cl, 1Bh
		jnb	short loc_550D9D
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_550D9D:				; CODE XREF: RtlPcToFileHeader+57j
		mov	ecx, [ebp+arg_4]
		mov	eax, esi
		mov	[ecx], esi

loc_550DA4:				; CODE XREF: RtlPcToFileHeader+8D22Bj
		pop	esi
		leave
		retn	8
RtlPcToFileHeader endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2577. VerSetConditionMask

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerSetConditionMask(x, x, x, x)
		public _VerSetConditionMask@16
_VerSetConditionMask@16	proc near	; CODE XREF: WdipSemLoadScenarioTable+3A9p
					; AslpFileGetVersionBlock(x,x,x)+14Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	dl, [ebp+arg_C]
		mov	eax, [ebp+arg_8]
		and	dl, 7
		test	eax, eax
		jz	short loc_550DE6
		xor	ecx, ecx

loc_550DC2:				; CODE XREF: VerSetConditionMask(x,x,x,x)+17j
		inc	ecx
		shr	eax, 1
		jnz	short loc_550DC2
		imul	ecx, 3
		movzx	eax, dl
		cdq
		sub	ecx, 3
		call	__allshl
		or	edx, [ebp+arg_4]
		or	eax, [ebp+arg_0]
		or	edx, 80000000h

loc_550DE2:				; CODE XREF: VerSetConditionMask(x,x,x,x)+3Cj
		pop	ebp
		retn	10h
; 

loc_550DE6:				; CODE XREF: VerSetConditionMask(x,x,x,x)+10j
		xor	eax, eax
		xor	edx, edx
		jmp	short loc_550DE2
_VerSetConditionMask@16	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 413. ExRegisterCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExRegisterCallback
ExRegisterCallback proc	near		; CODE XREF: SeRegisterImageVerificationCallback(x,x,x,x,x,x)+23p
					; KeRegisterProcessorChangeCallback+A3p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DDF6E SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		push	65524243h
		push	1Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5DDF6E
		mov	eax, [ebp+arg_4]
		lea	ecx, [edi+4]
		and	dword ptr [esi+14h], 0
		xor	bl, bl
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+8], edi
		mov	[esi+10h], eax
		mov	byte ptr [esi+18h], 0
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	dl, al
		cmp	[edi+10h], bl
		jz	short loc_550E76

loc_550E47:				; CODE XREF: ExRegisterCallback+89j
		lea	eax, [edi+8]
		mov	bl, 1
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_550E7F
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi

loc_550E5D:				; CODE XREF: ExRegisterCallback+8Bj
		lea	ecx, [edi+4]
		call	KfReleaseSpinLock
		test	bl, bl
		jz	loc_5DDF7C

loc_550E6D:				; CODE XREF: ExRegisterCallback+8D19Bj
		mov	eax, esi

loc_550E6F:				; CODE XREF: ExRegisterCallback+8D185j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_550E76:				; CODE XREF: ExRegisterCallback+53j
		lea	ecx, [edi+8]
		cmp	[ecx], ecx
		jz	short loc_550E47
		jmp	short loc_550E5D
; 

loc_550E7F:				; CODE XREF: ExRegisterCallback+5Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
ExRegisterCallback endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetControlAreaSystemVa(x,	x)
_MiSetControlAreaSystemVa@8 proc near	; CODE XREF: MiSelectImageBase+19Cp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		lea	ebx, [edi+24h]
		push	ebx
		call	ExAcquireSpinLockExclusive
		or	dword ptr [edi+1Ch], 10000000h
		mov	edx, [edi+34h]
		mov	[ebp+var_1], al
		cmp	esi, 1
		jnz	short loc_550EC9
		or	edx, 10000h

loc_550EB2:				; CODE XREF: MiSetControlAreaSystemVa(x,x)+4Bj
		push	ebx
		mov	[edi+34h], edx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_550EC9:				; CODE XREF: MiSetControlAreaSystemVa(x,x)+26j
		and	edx, 0FFFEFFFFh
		jmp	short loc_550EB2
_MiSetControlAreaSystemVa@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1836. PsGetVersion

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsGetVersion
PsGetVersion	proc near		; CODE XREF: Win7PsGetVersion(x,x,x,x)+16p
					; Win81PsGetVersion(x,x,x,x)+16p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005DDF92 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_550EE8
		mov	dword ptr [eax], 0Ah

loc_550EE8:				; CODE XREF: PsGetVersion+Aj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_550F1B

loc_550EEF:				; CODE XREF: PsGetVersion+48j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	loc_5DDF92

loc_550EFA:				; CODE XREF: PsGetVersion+8D0C5j
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jnz	loc_5DDFA0

loc_550F05:				; CODE XREF: PsGetVersion+8D0D9j
		mov	eax, _NtBuildNumber
		and	eax, 0F0000000h
		cmp	eax, 0C0000000h
		setz	al
		pop	ebp
		retn	10h
; 

loc_550F1B:				; CODE XREF: PsGetVersion+17j
		and	dword ptr [eax], 0
		jmp	short loc_550EEF
PsGetVersion	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCleanSection	proc near		; CODE XREF: MiAttemptSectionDelete+73p
					; MiCheckControlArea+B9012p

var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_F		= byte ptr -0Fh
var_E		= byte ptr -0Eh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005DDFB4 SIZE 000000E0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[esp+38h+var_29], dl
		push	7
		xor	eax, eax
		lea	edi, [esp+3Ch+var_1C]
		xor	edx, edx
		xor	ebx, ebx
		pop	ecx
		rep stosd
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		inc	ebx
		mov	[esp+38h+var_24], edx
		mov	[esp+38h+var_20], edx

loc_550F52:				; CODE XREF: MiCleanSection+8D125j
		test	byte ptr [esi+1Ch], 20h
		jz	loc_5DDFB4

loc_550F5C:				; CODE XREF: MiCleanSection+8D16Fj
		mov	[esi+14h], edx
		mov	ecx, esi
		push	edx
		mov	dl, [esp+3Ch+var_29]
		call	MiDestroySection
		mov	eax, ebx

loc_550F6D:				; CODE XREF: MiCleanSection+8D168j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
MiCleanSection	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDestroySection proc near		; CODE XREF: MiCleanSection+46p
					; MiDeleteCachedSegment(x)+C3p	...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DE094 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		or	dword ptr [esi+1Ch], 9
		call	_MiDrainControlAreaWrites@8 ; MiDrainControlAreaWrites(x,x)
		mov	ecx, esi
		call	_MiClearFilePointer@4 ;	MiClearFilePointer(x)
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+arg_0], 0
		jnz	loc_5DE094

loc_550FAD:				; CODE XREF: MiDestroySection+8D12Ej
		mov	ecx, esi
		call	MiSegmentDelete
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	4
MiDestroySection endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiFreePageFileHashPfn(x)
_MiFreePageFileHashPfn@4 proc near	; CODE XREF: MiFreePageFileHashPfns(x)+78p
					; MiMapPageFileHash+F5927p
		imul	eax, ecx, 1Ch
		push	2
		add	eax, ds:_MmPfnDatabase
		and	dword ptr [eax+10h], 0C0000000h
		xor	edx, edx
		mov	[eax+14h], dx
		pop	edx
		jmp	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
_MiFreePageFileHashPfn@4 endp


;  S U B	R O U T	I N E 


; __stdcall LdrUnloadAlternateResourceModule(x)
_LdrUnloadAlternateResourceModule@4 proc near ;	CODE XREF: MiUnloadSystemImage+247p
		mov	edi, edi
		push	ecx
		call	LdrUnloadAlternateResourceModuleEx
		pop	ecx
		retn
_LdrUnloadAlternateResourceModule@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrUnloadAlternateResourceModuleEx proc	near ; CODE XREF: LdrpGetFromMUIMemCache+147p
					; LdrUnloadAlternateResourceModule(x)+3p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 00551073 SIZE 00000004 BYTES
; FUNCTION CHUNK AT 005DE0A9 SIZE 000000DE BYTES

		push	18h
		push	offset dword_6A48F0
		call	__SEH_prolog4
		mov	esi, ecx
		mov	[ebp+var_24], esi
		xor	ebx, ebx
		mov	al, bl
		mov	[ebp+var_19], al
		test	esi, esi
		jz	short loc_551073
		call	LdrpInitMuiCrits
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _MuiMutex
		call	KeWaitForSingleObject
		mov	[ebp+ms_exc.disabled], ebx
		mov	edi, _AlternateResourceModuleCount
		test	edi, edi
		jz	short loc_551041

loc_551020:				; CODE XREF: LdrUnloadAlternateResourceModuleEx+5Bj
		mov	[ebp+var_28], edi
		test	edi, edi
		jle	short loc_551045
		mov	ecx, edi
		shl	ecx, 5
		add	ecx, _AlternateResourceModules
		mov	[ebp+var_20], ecx
		cmp	[ecx-1Ch], esi
		jz	loc_5DE0A9

loc_55103E:				; CODE XREF: LdrUnloadAlternateResourceModuleEx+8D19Ej
		dec	edi
		jmp	short loc_551020
; 

loc_551041:				; CODE XREF: LdrUnloadAlternateResourceModuleEx+3Aj
		mov	[ebp+var_19], 1

loc_551045:				; CODE XREF: LdrUnloadAlternateResourceModuleEx+41j
					; LdrUnloadAlternateResourceModuleEx+8D15Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_551064
		mov	al, [ebp+var_19]

loc_551054:				; CODE XREF: LdrUnloadAlternateResourceModuleEx+91j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
LdrUnloadAlternateResourceModuleEx endp


;  S U B	R O U T	I N E 


sub_551064	proc near		; CODE XREF: LdrUnloadAlternateResourceModuleEx+68p
					; sub_5DE187+2j
		push	ebx
		push	ebx
		push	1
		push	offset _MuiMutex
		call	KeReleaseMutant
		retn
sub_551064	endp

; 
; START	OF FUNCTION CHUNK FOR LdrUnloadAlternateResourceModuleEx

loc_551073:				; CODE XREF: LdrUnloadAlternateResourceModuleEx+1Aj
		xor	al, al
		jmp	short loc_551054
; END OF FUNCTION CHUNK	FOR LdrUnloadAlternateResourceModuleEx
; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFindFreePageFileSpaceForward proc near ; CODE	XREF: MiFindFreePageFileSpace+367p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005DE18E SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, edx
		xor	edx, edx
		mov	[ebp+var_18], eax
		push	ebx
		push	esi
		mov	eax, [eax]
		mov	esi, edx
		mov	[ebp+var_8], eax
		mov	ebx, edx
		mov	eax, [ecx]
		mov	[ebp+var_28], eax
		mov	eax, [ecx+38h]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_10], eax
		push	edi
		mov	eax, [eax+10h]
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_4], edx
		mov	[ebp+var_24], eax

loc_5510B3:				; CODE XREF: MiFindFreePageFileSpaceForward+61j
					; MiFindFreePageFileSpaceForward+6Bj ...
		lea	eax, [ebp+var_4]
		mov	edx, ecx
		push	eax
		push	0FFFFFFFFh
		push	ecx
		lea	ecx, [ebp+var_28]
		call	_RtlFindNextClearRunUlong@20 ; RtlFindNextClearRunUlong(x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_551158
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+edx]
		mov	[ebp+var_8], ecx
		cmp	edx, esi
		jb	short loc_5510B3
		cmp	edx, edi
		jnb	short loc_5510E5
		test	[ebp+arg_4], 80h
		jnz	short loc_5510B3

loc_5510E5:				; CODE XREF: MiFindFreePageFileSpaceForward+65j
		mov	ecx, eax
		mov	[ebp+var_C], edi
		and	ecx, 1Fh
		sub	eax, ecx
		mov	[ebp+arg_0], ecx
		mov	ecx, eax
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_10]
		shr	ecx, 5
		push	20h
		mov	eax, [eax+8]
		lea	eax, [eax+ecx*4]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_1C], eax
		lea	eax, [ecx+edx]
		mov	[ebp+var_20], eax
		pop	eax
		cmp	edi, eax
		jbe	short loc_551170

loc_551116:				; CODE XREF: MiFindFreePageFileSpaceForward+BFj
					; MiFindFreePageFileSpaceForward+D3j ...
		lea	eax, [ebp+var_4]
		mov	edx, ecx
		push	eax
		push	[ebp+var_C]
		push	ecx
		lea	ecx, [ebp+var_20]
		call	_RtlFindNextClearRunUlong@20 ; RtlFindNextClearRunUlong(x,x,x,x,x)
		test	eax, eax
		jz	short loc_55114D
		mov	edx, [ebp+var_4]
		lea	ecx, [edx+eax]
		mov	[ebp+arg_0], ecx
		cmp	eax, esi
		jbe	short loc_551116
		cmp	eax, edi
		ja	short loc_551175

loc_55113D:				; CODE XREF: MiFindFreePageFileSpaceForward+FFj
		mov	ebx, [ebp+var_14]
		mov	esi, eax
		add	ebx, edx
		cmp	eax, edi
		jz	short loc_551158
		mov	ecx, [ebp+arg_0]
		jmp	short loc_551116
; 

loc_55114D:				; CODE XREF: MiFindFreePageFileSpaceForward+B2j
		mov	ecx, [ebp+var_8]
		cmp	esi, edi
		jnz	loc_5510B3

loc_551158:				; CODE XREF: MiFindFreePageFileSpaceForward+50j
					; MiFindFreePageFileSpaceForward+CEj
		test	[ebp+arg_4], 80h
		jnz	loc_5DE18E

loc_551162:				; CODE XREF: MiFindFreePageFileSpaceForward+8D118j
					; MiFindFreePageFileSpaceForward+8D122j
		mov	eax, [ebp+var_18]
		pop	edi
		mov	[eax], ebx
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_551170:				; CODE XREF: MiFindFreePageFileSpaceForward+9Cj
		mov	[ebp+var_C], eax
		jmp	short loc_551116
; 

loc_551175:				; CODE XREF: MiFindFreePageFileSpaceForward+C3j
		mov	eax, edi
		jmp	short loc_55113D
MiFindFreePageFileSpaceForward endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiClearPfnImageVerified	proc near	; CODE XREF: MiProbeLeafPteAccess(x,x)+351p
					; MiInsertPageInList(x,x)+680p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DE19F SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, edx
		mov	ecx, eax
		mov	[ebp+var_4], eax
		and	ecx, 4
		mov	eax, [esi+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jnz	short loc_5511C2
		test	ecx, ecx
		jz	loc_5DE19F
		mov	bl, 21h

loc_5511A8:				; CODE XREF: MiClearPfnImageVerified+8D02Ej
		test	byte ptr [ebp+var_4], 8
		jnz	loc_5DE1AD

loc_5511B2:				; CODE XREF: MiClearPfnImageVerified+8D043j
		and	dword ptr [esi+18h], 8FFFFFFFh
		cmp	bl, 21h
		jnz	loc_5DE1E2

loc_5511C2:				; CODE XREF: MiClearPfnImageVerified+22j
					; MiClearPfnImageVerified+8D07Bj
		pop	esi
		pop	ebx
		leave
		retn
MiClearPfnImageVerified	endp


;  S U B	R O U T	I N E 


CcAdjustWriteBehindThreadPool proc near	; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+FEp
					; CcAdjustWriteBehindThreadPoolIfNeeded+1167EDp

; FUNCTION CHUNK AT 005DE1FA SIZE 0000003A BYTES

		test	dl, dl
		jnz	loc_5DE1FA
		or	dword ptr [ecx+284h], 0FFFFFFFFh
		lea	eax, [ecx+0A4h]
		cmp	[eax], eax
		jnz	loc_5DE219

locret_5511E3:				; CODE XREF: CcAdjustWriteBehindThreadPool+8D045j
					; CcAdjustWriteBehindThreadPool+8D05Aj
		retn
CcAdjustWriteBehindThreadPool endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmVerifyCallbackFunctionCheckFlags(x, x)
_MmVerifyCallbackFunctionCheckFlags@8 proc near
					; CODE XREF: PsSetCreateThreadNotifyRoutineEx+18p
					; PspSetCreateProcessNotifyRoutine+24p	...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		mov	ecx, dword_6D07D0
		mov	eax, esi
		shr	eax, 15h
		push	edi
		cmp	esi, ecx
		jb	short loc_551226
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_551276
		cmp	esi, ecx
		jb	short loc_551226
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	short loc_551276

loc_551226:				; CODE XREF: MmVerifyCallbackFunctionCheckFlags(x,x)+2Aj
					; MmVerifyCallbackFunctionCheckFlags(x,x)+37j
		mov	eax, large fs:124h
		xor	edi, edi
		mov	[ebp+var_4], eax
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceSharedLite
		xor	edx, edx
		mov	ecx, esi
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		test	eax, eax
		jz	short loc_551259
		test	byte ptr [eax+34h], 20h
		jz	short loc_551259
		inc	edi

loc_551259:				; CODE XREF: MmVerifyCallbackFunctionCheckFlags(x,x)+6Cj
					; MmVerifyCallbackFunctionCheckFlags(x,x)+72j
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, [ebp+var_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, edi

loc_55126D:				; CODE XREF: MmVerifyCallbackFunctionCheckFlags(x,x)+94j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_551276:				; CODE XREF: MmVerifyCallbackFunctionCheckFlags(x,x)+33j
					; MmVerifyCallbackFunctionCheckFlags(x,x)+40j
		xor	eax, eax
		jmp	short loc_55126D
_MmVerifyCallbackFunctionCheckFlags@8 endp


;  S U B	R O U T	I N E 


; __stdcall KeVerifyGroupAffinity(x, x)
_KeVerifyGroupAffinity@8 proc near	; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+EACp
					; PAGE:007A7CB1p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		movzx	eax, word ptr [esi+4]
		cmp	ax, ds:_KiActiveGroups
		jnb	short loc_5512B9
		mov	edx, ds:dword_70E328[eax*4]
		test	bl, bl
		jnz	short loc_55129F
		cmp	dword ptr [esi], 0
		jz	short loc_5512B9

loc_55129F:				; CODE XREF: KeVerifyGroupAffinity(x,x)+1Ej
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, edx
		cmp	eax, ecx
		jnz	short loc_5512B9
		mov	ecx, esi
		call	_KiVerifyReservedFieldGroupAffinity@4 ;	KiVerifyReservedFieldGroupAffinity(x)
		test	eax, eax
		jz	short loc_5512B9
		mov	al, 1

loc_5512B6:				; CODE XREF: KeVerifyGroupAffinity(x,x)+41j
		pop	esi
		pop	ebx
		retn
; 

loc_5512B9:				; CODE XREF: KeVerifyGroupAffinity(x,x)+13j
					; KeVerifyGroupAffinity(x,x)+23j ...
		xor	al, al
		jmp	short loc_5512B6
_KeVerifyGroupAffinity@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


CmpTransEnlistUowInCmTrans proc	near	; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+611p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+662p ...

; FUNCTION CHUNK AT 005DE234 SIZE 0000000F BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_LOCK_TRANSACTION_LIST@0 ; LOCK_TRANSACTION_LIST()
		test	byte ptr [edi+18h], 7
		jnz	loc_5DE234
		lea	eax, [edi+8]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_5512F8
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		mov	[esi+1Ch], edi
		xor	eax, eax

loc_5512F4:				; CODE XREF: CmpTransEnlistUowInCmTrans+8CF80j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_5512F8:				; CODE XREF: CmpTransEnlistUowInCmTrans+20j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall MiDeletePhysmemPte(x, x)
_MiDeletePhysmemPte@8:			; CODE XREF: .text:0045885Ep
		mov	edi, edi
		push	esi
		mov	esi, [edx]
		nop
		mov	eax, [edx+4]
		and	esi, 0FFFFFFFEh
		or	esi, 400h
		mov	[edx], esi
		nop
		mov	[edx+4], eax
		mov	ecx, [ecx+0Ch]
		push	0
		push	1
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		pop	esi
		retn
CmpTransEnlistUowInCmTrans endp	; sp = -0Ch

; 
		align 4

; __stdcall CmpTransEnlistUowInKcb(x, x)
_CmpTransEnlistUowInKcb@8:		; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+607p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+658p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		lea	esi, [edi+70h]
		mov	edx, [esi+4]
		lea	eax, [ebx+10h]
		cmp	[edx], esi
		jnz	short loc_551356
		mov	[eax], esi
		mov	ecx, edi
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[esi+4], eax
		call	CmpReferenceKeyControlBlock
		mov	[ebx+18h], edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_551356:				; CODE XREF: .text:0055133Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 10h
; Exported entry 340. ExDeleteNPagedLookasideList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExDeleteNPagedLookasideList(x)
		public _ExDeleteNPagedLookasideList@4
_ExDeleteNPagedLookasideList@4 proc near
					; CODE XREF: FsRtlDeleteExtraCreateParameterLookasideList(x,x):loc_849595p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, offset _ExNPagedLookasideLock
		call	ExpRemoveGeneralLookaside
		mov	ecx, [ebp+arg_0]
		call	_ExpFlushGeneralLookaside@8 ; ExpFlushGeneralLookaside(x,x)
		pop	ebp
		retn	4
_ExDeleteNPagedLookasideList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWaitForPageWriteCompletion(x, x, x, x)
_MiWaitForPageWriteCompletion@16 proc near ; CODE XREF:	MiFlushSectionInternal+BAEp
					; MmPurgeSection+3DAp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], 40107h
		xor	eax, eax
		mov	[ebp+var_18], 8
		mov	[ebp+var_1C], eax
		mov	ebx, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], eax
		lea	esi, [edi+24h]
		lea	eax, [ebp+var_8]
		push	esi
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	eax, [edi+2Ch]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_1C]
		push	esi
		mov	[edi+2Ch], eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	ecx, 7FFFFFFFh
		lea	eax, [ebx+10h]
		lock and [eax],	ecx
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	MiUnlockProtoPoolPage
		push	ecx
		push	12h
		pop	edx
		lea	ecx, [ebp+var_10]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiWaitForPageWriteCompletion@16 endp

; 
		align 8
; Exported entry 451. ExUnregisterCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExUnregisterCallback
ExUnregisterCallback proc near		; CODE XREF: IopCleanupNotifications+91ED3p
					; SeUnregisterImageVerificationCallback(x)+Dj ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DE243 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [esi+8]
		mov	[ebp+var_4], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	edi, 4

loc_551412:				; CODE XREF: ExUnregisterCallback+8CE92j
		mov	ecx, edi
		mov	byte ptr [ebp+arg_0+3],	al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	dword ptr [esi+14h], 0
		jnz	loc_5DE243
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_55146A
		cmp	[eax], esi
		jnz	short loc_55146A
		mov	[eax], ecx
		mov	[ecx+4], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5DE28F
		xor	eax, eax
		lock and [edi],	eax

loc_55144B:				; CODE XREF: ExUnregisterCallback+8CEA1j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_55146A:				; CODE XREF: ExUnregisterCallback+36j
					; ExUnregisterCallback+3Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall KiLoadDirectoryTableBase(x,	x)
_KiLoadDirectoryTableBase@8:		; CODE XREF: .text:0054E7C1p
		cmp	ds:_KiKvaShadow, 0
		push	esi
		mov	esi, edx
		jz	short loc_55148C
		movzx	ecx, byte ptr [ecx+74h]
		mov	large fs:5000h,	esi
		call	_KiSetAddressPolicy@4 ;	KiSetAddressPolicy(x)

loc_55148C:				; CODE XREF: ExUnregisterCallback+82j
		test	byte ptr ds:_HvlEnlightenments,	1
		jnz	short loc_5514B0
		mov	cr3, esi

loc_551498:				; CODE XREF: ExUnregisterCallback+BEj
		cmp	ds:_KiKvaShadow, 0
		pop	esi
		jz	short locret_5514AF
		cmp	ds:_KiFlushPcid, 0
		jz	_KeFlushCurrentTb@0 ; KeFlushCurrentTb()

locret_5514AF:				; CODE XREF: ExUnregisterCallback+A8j
		retn
; 

loc_5514B0:				; CODE XREF: ExUnregisterCallback+9Bj
		push	esi
		call	_HvlSwitchVirtualAddressSpace@4	; HvlSwitchVirtualAddressSpace(x)
		jmp	short loc_551498
ExUnregisterCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmKmStoreHelperCommandCleanup proc near	; CODE XREF: SmKmStoreHelperWorker+DDp
					; SmKmStoreHelperWorker+12352Fp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DE29E SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	esi, esi
		dec	edx
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		push	edi
		mov	edi, ecx
		sub	edx, 1
		jz	loc_5DE2B7
		sub	edx, 1
		jz	short loc_55150E
		sub	edx, 1
		jnz	loc_5DE29E
		mov	ebx, [ebp+arg_0]
		cmp	[ebx+18h], esi
		jl	short loc_55150E
		mov	edx, [edi+48h]
		mov	ecx, [ebx+10h]
		push	edi
		call	SmKmUnlockMdl
		push	dword ptr [ebx+10h]
		mov	ecx, [edi+48h]
		push	edi
		push	2
		pop	edx
		call	SmFpFree

loc_55150E:				; CODE XREF: SmKmStoreHelperCommandCleanup+28j
					; SmKmStoreHelperCommandCleanup+39j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
SmKmStoreHelperCommandCleanup endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 447. ExTryConvertSharedSpinLockExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExTryConvertSharedSpinLockExclusive
ExTryConvertSharedSpinLockExclusive proc near ;	CODE XREF: ExpAddTagForBigPages+106p
					; ExpAddTagForBigPages+207p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DE2EF SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		test	ds:byte_70EFC6,	21h
		push	ebx
		push	esi
		push	edi
		jnz	loc_5DE2EF
		mov	esi, [ebp+arg_0]
		lock bts dword ptr [esi], 1Fh
		jb	short loc_551561
		mov	edx, [esi]
		mov	edi, 0BFFFFFFFh
		and	[ebp+var_4], 0
		mov	eax, edx
		mov	ebx, 80000001h

loc_55154D:				; CODE XREF: ExTryConvertSharedSpinLockExclusive+8CE0Bj
		and	eax, edi
		cmp	eax, ebx
		jnz	loc_5DE2FF
		xor	eax, eax
		inc	eax

loc_55155A:				; CODE XREF: ExTryConvertSharedSpinLockExclusive+49j
					; ExTryConvertSharedSpinLockExclusive+8CDE0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_551561:				; CODE XREF: ExTryConvertSharedSpinLockExclusive+1Fj
		xor	eax, eax
		jmp	short loc_55155A
ExTryConvertSharedSpinLockExclusive endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry  51. ExReInitializeRundownProtection

;  S U B	R O U T	I N E 


; __fastcall ExReInitializeRundownProtection(x)
		public @ExReInitializeRundownProtection@4
@ExReInitializeRundownProtection@4 proc	near
		xor	eax, eax
		xchg	eax, [ecx]
		retn
@ExReInitializeRundownProtection@4 endp

; 
		align 10h

PopUnregisterPowerSettingCallback:	; CODE XREF: PopDispatchPowerSettingCallbacks+BAp
					; PoUnregisterPowerSettingCallback+45p
		mov	al, [ecx+11h]
		mov	edx, [ecx]
		test	al, al
		jnz	loc_5DE32A
		cmp	[edx+4], ecx
		jnz	short loc_5515A3
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_5515A3
		mov	[eax], edx
		mov	[edx+4], eax
		and	dword ptr [ecx+8], 0
		push	74655350h
		push	ecx
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
; 

loc_5515A3:				; CODE XREF: .text:00551580j
					; .text:00551587j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2322. RtlSecondsSince1970ToTime

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSecondsSince1970ToTime(x, x)
		public _RtlSecondsSince1970ToTime@8
_RtlSecondsSince1970ToTime@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		add	ecx, dword ptr ds:_SecondsToStartOf1970
		push	989680h
		adc	eax, dword ptr ds:_SecondsToStartOf1970+4
		push	eax
		push	ecx
		call	_RtlExtendedIntegerMultiply@12 ; RtlExtendedIntegerMultiply(x,x,x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		mov	[ecx+4], edx
		pop	ebp
		retn	8
_RtlSecondsSince1970ToTime@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSwapDirectoryTableBase(x,	x, x)
_KeSwapDirectoryTableBase@12 proc near	; CODE XREF: MiStealPage+D84p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		xor	ebx, ebx
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], ecx
		mov	byte ptr [ebp+var_14], bl
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], eax
		test	edx, edx
		jnz	short loc_551622
		mov	ebx, [ecx+18h]

loc_551607:				; CODE XREF: KeSwapDirectoryTableBase(x,x,x)+49j
					; KeSwapDirectoryTableBase(x,x,x)+51j
		lea	eax, [ebp+var_14]
		push	eax
		push	offset _KiSwapDirectoryTableBaseTarget@16 ; KiSwapDirectoryTableBaseTarget(x,x,x,x)
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		mov	ecx, ebx
		call	KeFlushProcessTb
		pop	edi
		pop	ebx
		leave
		retn	4
; 

loc_551622:				; CODE XREF: KeSwapDirectoryTableBase(x,x,x)+26j
		cmp	edx, 1
		jnz	short loc_551607
		mov	ebx, [ecx+18h]
		add	ebx, 20h
		jmp	short loc_551607
_KeSwapDirectoryTableBase@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+1F1p
					; ST_STORE_SM_TRAITS___StDmCleanup+1FDp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DE357 SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	cl, [edi+3]
		test	cl, cl
		jz	loc_5DE357

loc_551648:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree+8CD87j
		lea	eax, [esi+8]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		movzx	eax, cl
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	NP_CONTEXT__NpNodeFree
		pop	edi
		pop	esi
		leave
		retn
B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLegitimatePageForDriversToMap(x)
_MiLegitimatePageForDriversToMap@4 proc	near
					; CODE XREF: MmMapLockedPagesWithReservedMapping+106p
					; MiMapLockedPagesInUserSpace+154p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_5516EE
		mov	edx, [ecx+18h]
		test	edx, (offset loc_7FFFFF+1)
		jz	short loc_5516A2
		and	[ebp+var_4], eax
		lea	edx, [ebp+var_4]
		and	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_MiGetPfnPageSizeIndexUnsynchronized@12	; MiGetPfnPageSizeIndexUnsynchronized(x,x,x)
		cmp	eax, 2
		jz	short loc_55169B
		cmp	[ebp+var_4], 6

loc_551699:				; CODE XREF: MiLegitimatePageForDriversToMap(x)+8Aj
		jz	short loc_5516EE

loc_55169B:				; CODE XREF: MiLegitimatePageForDriversToMap(x)+31j
		mov	eax, 0C0000018h
		jmp	short loc_5516F0
; 

loc_5516A2:				; CODE XREF: MiLegitimatePageForDriversToMap(x)+1Aj
		mov	eax, [ecx+4]
		mov	esi, offset loc_7FFFFF
		shl	eax, 9
		add	eax, 40000000h
		cmp	eax, esi
		ja	short loc_5516EE
		and	edx, esi
		cmp	edx, (offset loc_7FFFFA+3)
		jz	short loc_5516EE
		mov	al, [ecx+16h]
		test	al, 20h
		jz	short loc_5516D7
		test	dword ptr [ecx+10h], 3FFFFFFFh
		jnz	short loc_5516D7
		cmp	word ptr [ecx+14h], 0
		jnz	short loc_5516EE

loc_5516D7:				; CODE XREF: MiLegitimatePageForDriversToMap(x)+63j
					; MiLegitimatePageForDriversToMap(x)+6Cj
		test	al, 8
		jnz	short loc_5516EE
		mov	eax, [ecx]
		shr	eax, 1
		and	eax, 0FFFFFFF8h
		or	eax, 80000000h
		cmp	eax, 80000018h
		jmp	short loc_551699
; 

loc_5516EE:				; CODE XREF: MiLegitimatePageForDriversToMap(x)+Fj
					; MiLegitimatePageForDriversToMap(x):loc_551699j ...
		xor	eax, eax

loc_5516F0:				; CODE XREF: MiLegitimatePageForDriversToMap(x)+3Ej
		pop	esi
		leave
		retn
_MiLegitimatePageForDriversToMap@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepExpandSingletonArrays proc near	; CODE XREF: SepAddLuidToIndexEntry+14Dp

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DE3BC SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, 74446553h
		mov	ebx, 600h
		push	edi
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5DE3D7
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		push	_SepSingletonGlobal
		call	ExAcquireSpinLockExclusive
		mov	ecx, _SepSingletonGlobal
		push	edi
		mov	[ebp+var_1], al
		mov	ecx, [ecx+4]
		lea	ecx, ds:4[ecx*4]
		push	ecx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5DE3BC
		mov	edi, _SepSingletonGlobal
		mov	eax, [edi+4]
		shl	eax, 2
		push	eax		; size_t
		push	dword ptr [edi+8] ; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [edi+4]
		add	esp, 0Ch
		mov	[ebx+eax*4], esi
		mov	esi, [edi+8]
		inc	dword ptr [edi+4]
		push	edi
		mov	[edi+8], ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	74446553h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax

loc_5517A1:				; CODE XREF: SepExpandSingletonArrays+8CCE8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
SepExpandSingletonArrays endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 880. IoGetRequestorProcessId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetRequestorProcessId(x)
		public _IoGetRequestorProcessId@4
_IoGetRequestorProcessId@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	_IoGetRequestorProcess@4 ; IoGetRequestorProcess(x)
		test	eax, eax
		jz	short loc_5517C7
		mov	eax, [eax+0E4h]

loc_5517C3:				; CODE XREF: IoGetRequestorProcessId(x)+1Dj
		pop	ebp
		retn	4
; 

loc_5517C7:				; CODE XREF: IoGetRequestorProcessId(x)+Fj
		xor	eax, eax
		jmp	short loc_5517C3
_IoGetRequestorProcessId@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall _PnpCtxGetPreferredBaseKeyNodeType(x)
__PnpCtxGetPreferredBaseKeyNodeType@4 proc near
					; CODE XREF: _PnpCtxGetCachedContextBaseKeyNode(x,x,x)+20p
		add	ecx, 0FFFFFFFCh
		cmp	ecx, 0Bh
		ja	short loc_5517E6
		movzx	eax, ds:byte_5517F4[ecx]
		jmp	ds:off_5517EC[eax*4]

loc_5517E2:				; DATA XREF: .text:005517F0o
		push	2
		pop	eax
		retn
; 

loc_5517E6:				; CODE XREF: _PnpCtxGetPreferredBaseKeyNodeType(x)+6j
					; _PnpCtxGetPreferredBaseKeyNodeType(x)+Fj
					; DATA XREF: ...
		xor	eax, eax
		inc	eax
		retn
__PnpCtxGetPreferredBaseKeyNodeType@4 endp

; 
		align 4
off_5517EC	dd offset loc_5517E6	; DATA XREF: _PnpCtxGetPreferredBaseKeyNodeType(x)+Fr
		dd offset loc_5517E2
byte_5517F4	db 0			; DATA XREF: _PnpCtxGetPreferredBaseKeyNodeType(x)+8r
		db 1, 2	dup(0)
		dd 1010100h, 1010000h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRebuildLargePages proc near		; DATA XREF: MiWakeLargePageRebuild(x,x,x)+6Ao

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DE3E1 SIZE 000001BA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		xor	edx, edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, 0C8h
		push	edi
		lea	edi, [ebp+var_1C]
		stosd
		stosd
		stosd
		mov	eax, esi
		or	eax, 0F0000000h
		shr	esi, 1Ch
		shl	eax, 3
		imul	edi, esi, 280h
		mov	[ebp+var_C], eax
		add	edi, [eax+10h]
		mov	al, [edi+143h]
		mov	[ebp+var_1], al
		mov	eax, [edi+1DCh]
		div	ecx
		xor	ecx, ecx
		cmp	[ebp+var_1], cl
		mov	ebx, eax
		setnz	cl
		dec	ecx
		and	ecx, 1F00h
		add	ecx, 100h
		cmp	ebx, ecx
		jnb	loc_5DE3E1

loc_551866:				; CODE XREF: MiRebuildLargePages+8CBF1j
					; MiRebuildLargePages+8CD96j
		mov	eax, [ebp+var_C]
		mov	ecx, [eax+64h]
		call	PsDereferencePartition
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
MiRebuildLargePages endp


;  S U B	R O U T	I N E 


; __stdcall MiPaeGetProcessShadowPage(x)
_MiPaeGetProcessShadowPage@4 proc near	; CODE XREF: MiSmallVaStillMapsFrame(x,x)+9Bp
		test	ds:_MiFlags, 0C00000h
		jz	short loc_5518AE
		cmp	dword ptr [ecx+24Ch], 0
		jz	short loc_5518AE
		cmp	dword ptr [ecx+304h], 0
		jz	short loc_5518AE
		mov	ecx, [ecx+194h]
		mov	eax, [ecx+38h]
		mov	ecx, [ecx+3Ch]
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		jz	short loc_5518AE
		retn
; 

loc_5518AE:				; CODE XREF: MiPaeGetProcessShadowPage(x)+Aj
					; MiPaeGetProcessShadowPage(x)+13j ...
		or	eax, 0FFFFFFFFh
		retn
_MiPaeGetProcessShadowPage@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiSanitizePage(x)
_MiSanitizePage@4 proc near		; CODE XREF: MiMapLockedPagesInUserSpace+234p
					; MiMapViewOfPhysicalSection+B6p ...
		cmp	ecx, 2000000h
		jnb	short loc_5518BD

loc_5518BA:				; CODE XREF: MiSanitizePage(x)+11j
		mov	eax, ecx
		retn
; 

loc_5518BD:				; CODE XREF: MiSanitizePage(x)+6j
		and	ecx, 1FFFFFFh
		jmp	short loc_5518BA
_MiSanitizePage@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopSystemRequiredSet(x)
_PopSystemRequiredSet@4	proc near	; CODE XREF: NtSetThreadExecutionState+17Cp
		push	3
		pop	ecx
		jmp	_PopResetIdleTime@4 ; PopResetIdleTime(x)
_PopSystemRequiredSet@4	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1399. MmFreeContiguousMemorySpecifyCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmFreeContiguousMemorySpecifyCache(x, x, x)
		public _MmFreeContiguousMemorySpecifyCache@12
_MmFreeContiguousMemorySpecifyCache@12 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	MmFreeContiguousMemory
		pop	ebp
		retn	0Ch
_MmFreeContiguousMemorySpecifyCache@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall _MapCmClassPropertyToRegValue(x, x)
__MapCmClassPropertyToRegValue@8 proc near
					; CODE XREF: _CmGetInstallerClassRegPropWorker+BDp
					; _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+15Bp
		cmp	edx, 18h
		jg	short loc_551913
		jz	short loc_551923
		sub	edx, 8
		jz	short loc_55190D
		sub	edx, 5
		jz	short loc_55193A
		sub	edx, 5
		jz	short loc_551907
		sub	edx, 1
		jnz	short loc_551940
		mov	eax, offset ??_C@_1BK@LMFDGODN@?$AAL?$AAo?$AAw?$AAe?$AAr?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@FNODOBFM@ ;	"LowerFilters"
		retn
; 

loc_551907:				; CODE XREF: _MapCmClassPropertyToRegValue(x,x)+14j
		mov	eax, offset ??_C@_1BK@FNJCPENK@?$AAU?$AAp?$AAp?$AAe?$AAr?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@FNODOBFM@
		retn
; 

loc_55190D:				; CODE XREF: _MapCmClassPropertyToRegValue(x,x)+Aj
		mov	eax, offset ??_C@_1M@OAHBGIFG@?$AAC?$AAl?$AAa?$AAs?$AAs@FNODOBFM@
		retn
; 

loc_551913:				; CODE XREF: _MapCmClassPropertyToRegValue(x,x)+3j
		sub	edx, 1Ah
		jz	short loc_551929
		sub	edx, 1
		jnz	short loc_55192F
		mov	eax, offset ??_C@_1BE@DJHAJDEM@?$AAE?$AAx?$AAc?$AAl?$AAu?$AAs?$AAi?$AAv?$AAe@FNODOBFM@ ; "Exclusive"
		retn
; 

loc_551923:				; CODE XREF: _MapCmClassPropertyToRegValue(x,x)+5j
		mov	eax, offset ??_C@_1BC@FCJNIDNL@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy@FNODOBFM@
		retn
; 

loc_551929:				; CODE XREF: _MapCmClassPropertyToRegValue(x,x)+30j
		mov	eax, offset ??_C@_1BG@KCOOGCNN@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAT?$AAy?$AAp?$AAe@FNODOBFM@
		retn
; 

loc_55192F:				; CODE XREF: _MapCmClassPropertyToRegValue(x,x)+35j
		sub	edx, 1
		jnz	short loc_551940
		mov	eax, offset ??_C@_1CM@DIJFBEC@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAh?$AAa?$AAr?$AAa?$AAc?$AAt?$AAe?$AAr@FNODOBFM@
		retn
; 

loc_55193A:				; CODE XREF: _MapCmClassPropertyToRegValue(x,x)+Fj
		mov	eax, offset ??_C@_1BE@GIMFMPPP@?$AAC?$AAl?$AAa?$AAs?$AAs?$AAD?$AAe?$AAs?$AAc@FNODOBFM@
		retn
; 

loc_551940:				; CODE XREF: _MapCmClassPropertyToRegValue(x,x)+19j
					; _MapCmClassPropertyToRegValue(x,x)+4Cj
		xor	eax, eax
		retn
__MapCmClassPropertyToRegValue@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFlushAllPagesWorker proc near		; CODE XREF: MiFlushAllPages+55p
					; MiFlushAllPages+8ABE3p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C875D SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	ebx, edx
		mov	esi, ecx
		dec	word ptr [edi+13Ch]
		nop
		lea	eax, [esi+1C4h]
		mov	[ebp+var_4], eax
		lock inc dword ptr [eax]
		lea	eax, [esi+1C8h]
		mov	[ebp+var_8], eax
		lock inc dword ptr [eax]

loc_551985:				; CODE XREF: MiFlushAllPagesWorker+B4j
		xor	edx, edx
		mov	ecx, esi
		call	MiCanFlushMakeProgress
		test	eax, eax
		jz	short loc_551A0A
		test	ebx, ebx
		jnz	loc_5C875D

loc_55199A:				; CODE XREF: MiFlushAllPagesWorker+76E17j
		push	0
		push	0
		lea	eax, [esi+1CCh]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		or	edx, 0FFFFFFFFh
		mov	ecx, esi
		call	MiWakeModifiedPageWriter
		mov	eax, [esi+64h]
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_5519C6
		push	2
		pop	edx
		call	CcNotifyWriteBehindInternal

loc_5519C6:				; CODE XREF: MiFlushAllPagesWorker+6Cj
		cmp	dword ptr [esi+2C0h], 0
		jz	short loc_5519D6
		mov	ecx, esi
		call	MiStoreUpdateMemoryConditions

loc_5519D6:				; CODE XREF: MiFlushAllPagesWorker+7Dj
		push	offset _Mi30Milliseconds
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		sub	eax, [ebp+arg_0]
		sbb	edx, [ebp+arg_4]
		cmp	edx, [ebp+arg_C]
		jb	short loc_5519FD
		ja	short loc_551A0A
		cmp	eax, [ebp+arg_8]
		ja	short loc_551A0A

loc_5519FD:				; CODE XREF: MiFlushAllPagesWorker+A4j
		cmp	dword ptr [esi+10C0h], 32h
		ja	loc_551985

loc_551A0A:				; CODE XREF: MiFlushAllPagesWorker+40j
					; MiFlushAllPagesWorker+A6j ...
		mov	eax, [ebp+var_4]
		lock dec dword ptr [eax]
		mov	eax, [ebp+var_8]
		lock dec dword ptr [eax]
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
MiFlushAllPagesWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeFlushSingleCurrentTb proc near	; CODE XREF: MiStackTheftIsr(x)+70p
					; MiStackTheftIsr(x)+117p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

; FUNCTION CHUNK AT 005DE59B SIZE 0000008F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		and	[esp+24h+var_18], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+30h+var_C]
		mov	byte ptr [esp+30h+var_1C], 0
		stosd
		mov	ebx, edx
		mov	[esp+30h+var_10], ebx
		mov	esi, ecx
		stosd
		stosd
		mov	eax, ds:_HvlEnlightenments
		xor	edi, edi
		inc	edi
		test	eax, (offset loc_7FFFFF+1)
		jnz	loc_5DE59B

loc_551A60:				; CODE XREF: KeFlushSingleCurrentTb+8CB79j
					; KeFlushSingleCurrentTb+8CBC2j
		invlpg	byte ptr [esi]

loc_551A63:				; CODE XREF: KeFlushSingleCurrentTb+8CBBCj
		and	esi, 0FFFFF000h
		cmp	ds:_VmTbFlushEnabled, 0
		jnz	loc_5DE5EB

loc_551A76:				; CODE XREF: KeFlushSingleCurrentTb+8CBD7j
		cmp	_ExTbFlushActive, 0
		jnz	loc_5DE600

loc_551A83:				; CODE XREF: KeFlushSingleCurrentTb+8CC01j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
KeFlushSingleCurrentTb endp


;  S U B	R O U T	I N E 


; __stdcall KeRebaselineSystemTime()
_KeRebaselineSystemTime@0 proc near	; CODE XREF: PopInvokeSystemStateHandler+41Fp
					; INIT:00ACD4A1p
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ds:0FFDF0348h, eax
		mov	ds:0FFDF034Ch, edx
		and	_KiSystemTimeErrorAccumulator, 0
		and	dword_6D4B0C, 0
		retn
_KeRebaselineSystemTime@0 endp


;  S U B	R O U T	I N E 


; __stdcall IoDumpStackResumeCapable(x)
_IoDumpStackResumeCapable@4 proc near	; CODE XREF: PopSaveHiberContext+149p
		xor	al, al
		cmp	_CrashdmpImageEntry, 0
		jz	short locret_551AC4
		mov	edx, dword_6D4AE4
		test	edx, edx
		jz	short locret_551AC4
		push	ecx
		call	edx

locret_551AC4:				; CODE XREF: IoDumpStackResumeCapable(x)+9j
					; IoDumpStackResumeCapable(x)+13j
		retn
_IoDumpStackResumeCapable@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IoInitializeDumpStack(x, x)
_IoInitializeDumpStack@8 proc near	; CODE XREF: PopRestoreHiberContext+137p
					; PopSaveHiberContext+221p
		cmp	_CrashdmpImageEntry, 0
		mov	eax, 0C0000001h
		jz	short locret_551AE3
		mov	edx, dword_6D4ACC
		test	edx, edx
		jz	short locret_551AE3
		push	0
		push	ecx
		call	edx

locret_551AE3:				; CODE XREF: IoInitializeDumpStack(x,x)+Cj
					; IoInitializeDumpStack(x,x)+16j
		retn
_IoInitializeDumpStack@8 endp


;  S U B	R O U T	I N E 


; __stdcall KeRebaselineInterruptTime()
_KeRebaselineInterruptTime@0 proc near	; CODE XREF: KiCalibrateTimeAdjustment+99p
					; PopInvokeSystemStateHandler+2AFp ...
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ds:0FFDF0350h, eax
		mov	ds:0FFDF0354h, edx
		and	_KiInterruptTimeErrorAccumulator, 0
		and	dword_6D4B04, 0
		retn
_KeRebaselineInterruptTime@0 endp


;  S U B	R O U T	I N E 


; __stdcall IoNotifyDump(x)
_IoNotifyDump@4	proc near		; CODE XREF: PopRestoreHiberContext+F8p
					; PopRestoreHiberContext+22Ep ...
		mov	eax, dword_6D4AD8
		test	eax, eax
		jz	short locret_551B24
		sub	ecx, 1
		jz	short loc_551B2D
		sub	ecx, 1
		jz	short loc_551B25
		sub	ecx, 1
		jnz	short locret_551B24
		push	ecx
		push	ecx
		push	5

loc_551B22:				; CODE XREF: IoNotifyDump(x)+25j
					; IoNotifyDump(x)+2Dj
		call	eax

locret_551B24:				; CODE XREF: IoNotifyDump(x)+7j
					; IoNotifyDump(x)+16j
		retn
; 

loc_551B25:				; CODE XREF: IoNotifyDump(x)+11j
		push	0
		push	0
		push	4
		jmp	short loc_551B22
; 

loc_551B2D:				; CODE XREF: IoNotifyDump(x)+Cj
		push	0
		push	0
		push	3
		jmp	short loc_551B22
_IoNotifyDump@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxNotifySystemStateTransition proc near ; CODE XREF:	PopHandleNextState(x,x)+68p
					; PopHandleNextState(x,x)+225p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DE62A SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+3EF0h]
		test	eax, eax
		jnz	loc_5DE62A

locret_551B4A:				; CODE XREF: PopFxNotifySystemStateTransition+8CB25j
		leave
		retn	4
PopFxNotifySystemStateTransition endp


;  S U B	R O U T	I N E 


KeRestoreIptStateAfterProcessorComesOnline proc	near
					; CODE XREF: PopHandleNextState(x,x):loc_71C1AAp
					; PnprQuiesceProcessorDpc(x,x,x,x):loc_72E071p

; FUNCTION CHUNK AT 005DE660 SIZE 0000001F BYTES

		cmp	ds:_KiIptMsrMask, 0
		jnz	loc_5DE660

locret_551B5B:				; CODE XREF: KeRestoreIptStateAfterProcessorComesOnline+8CB20j
		retn
KeRestoreIptStateAfterProcessorComesOnline endp


;  S U B	R O U T	I N E 


; __stdcall KeResumeClockTimer()
_KeResumeClockTimer@0 proc near		; CODE XREF: PopHandleNextState(x,x):loc_71C16Cp
		mov	edi, edi
		push	ecx
		call	KiResumeClockTimer
		pop	ecx
		retn
_KeResumeClockTimer@0 endp


;  S U B	R O U T	I N E 


; __stdcall KeRestoreProcessorSpecificFeatures()
_KeRestoreProcessorSpecificFeatures@0 proc near
					; CODE XREF: PopHandleNextState(x,x):loc_71C165p
					; PnprQuiesceProcessorDpc(x,x,x,x):loc_72E05Cp
		mov	edi, edi
		push	ecx
		call	_KiSetPageAttributesTable@0 ; KiSetPageAttributesTable()
		cmp	ds:_KiTLBCOverride, 0
		jnz	short loc_551B9C

loc_551B77:				; CODE XREF: KeRestoreProcessorSpecificFeatures()+3Bj
		mov	eax, offset _KiSystemCallExit2
		sub	eax, offset _KiSystemCallExit
		mov	_KiSystemCallExitAdjust, eax
		call	KiLoadFastSyscallMachineSpecificRegisters
		call	KiEnableFastSyscallReturn
		call	_KiRestoreXSaveSupport@0 ; KiRestoreXSaveSupport()
		call	_KiRestoreFeatureBits@0	; KiRestoreFeatureBits()
		pop	ecx
		retn
; 

loc_551B9C:				; CODE XREF: KeRestoreProcessorSpecificFeatures()+Fj
		call	_KiDisableCacheErrataSource@0 ;	KiDisableCacheErrataSource()
		jmp	short loc_551B77
_KeRestoreProcessorSpecificFeatures@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiRestoreFeatureBits()
_KiRestoreFeatureBits@0	proc near	; CODE XREF: KeRestoreProcessorSpecificFeatures()+2Fp

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	10h
		push	offset dword_6A4998
		call	__SEH_prolog4
		mov	ebx, large fs:20h
		mov	[ebp+var_1C], ebx
		cmp	byte ptr [ebx+3BEh], 1
		jnz	short loc_551BD5
		mov	ecx, 1A0h
		mov	eax, ds:_KiIa32MiscEnable
		mov	edx, ds:dword_70E4BC
		wrmsr

loc_551BD5:				; CODE XREF: KiRestoreFeatureBits()+1Dj
		mov	ecx, [ebx+3D54h]
		and	ecx, 1
		xor	eax, eax
		or	eax, ecx
		jz	short loc_551C0A
		movzx	eax, byte ptr [ebx+3C5h]
		cdq
		mov	esi, eax
		mov	edi, edx
		shld	edi, esi, 8
		shl	esi, 8
		movzx	eax, byte ptr [ebx+3C4h]
		cdq
		or	eax, esi
		or	edx, edi
		mov	ecx, 0C0000103h
		wrmsr

loc_551C0A:				; CODE XREF: KiRestoreFeatureBits()+3Ej
		movzx	eax, word ptr [ebx+21BAh]
		mov	ecx, eax
		test	ax, ax
		jnz	short loc_551C27
		mov	eax, ds:_KeFeatureBits2
		and	eax, 600h
		or	eax, 0
		jz	short loc_551C2F

loc_551C27:				; CODE XREF: KiRestoreFeatureBits()+72j
		mov	eax, ecx
		cdq
		push	48h
		pop	ecx
		wrmsr

loc_551C2F:				; CODE XREF: KiRestoreFeatureBits()+81j
		mov	ecx, ebx
		call	_KiSetVirtualMitigationControl@4 ; KiSetVirtualMitigationControl(x)
		mov	eax, ds:_KeFeatureBits2
		and	eax, 8000h
		or	eax, 0
		jz	short loc_551C58
		mov	ecx, 122h
		mov	eax, [ebx+3F38h]
		mov	edx, [ebx+3F3Ch]
		wrmsr

loc_551C58:				; CODE XREF: KiRestoreFeatureBits()+9Fj
		cmp	byte ptr [ebx+3BEh], 2
		jnz	short loc_551C9F
		mov	al, [ebx+14h]
		cmp	al, 0Fh
		jle	short loc_551C9F
		cmp	al, 11h
		jz	short loc_551C9F
		call	HviIsAnyHypervisorPresent
		test	al, al
		jnz	short loc_551C9F
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, 0C0011029h
		rdmsr
		or	eax, 2
		wrmsr
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_551C9F
; 

loc_551C8E:				; DATA XREF: .text:006A49ACo
		xor	eax, eax
		inc	eax
		retn
; 

loc_551C92:				; DATA XREF: .text:006A49B0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_1C]

loc_551C9F:				; CODE XREF: KiRestoreFeatureBits()+BBj
					; KiRestoreFeatureBits()+C2j ...
		mov	ecx, ebx
		call	KiCheckMicrocode
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiRestoreFeatureBits@0	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1439. MmMapMemoryDumpMdlEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMapMemoryDumpMdlEx(x, x, x, x)
		public _MmMapMemoryDumpMdlEx@16
_MmMapMemoryDumpMdlEx@16 proc near	; CODE XREF: PopCreateDumpMdl+87p
					; IopLiveDumpBufferDumpData(x,x)+F3p

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_C], 0FFFFFFFDh
		jnz	short loc_551CDE
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_8]
		call	MiMapMemoryDumpMdl
		xor	eax, eax

loc_551CDA:				; CODE XREF: MmMapMemoryDumpMdlEx(x,x,x,x)+27j
		pop	ebp
		retn	10h
; 

loc_551CDE:				; CODE XREF: MmMapMemoryDumpMdlEx(x,x,x,x)+Cj
		mov	eax, 0C00000F2h
		jmp	short loc_551CDA
_MmMapMemoryDumpMdlEx@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCompressBufferProgress proc near	; CODE XREF: PopAddPagesToCompressedPageSet+73p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005DE67F SIZE 0000009E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_10]
		push	esi
		add	eax, 3
		mov	esi, edx
		movzx	edx, cl
		and	eax, 0FFFFFFFCh
		and	ecx, 0FF00h
		cmp	edx, 3
		jnz	loc_5DE6B3
		test	cx, cx
		jnz	loc_5DE67F
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	1000h
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	eax
		push	[ebp+arg_C]
		push	10000h
		push	[ebp+arg_4]
		call	RtlCompressBufferXpressLzStandard

loc_551D3D:				; CODE XREF: RtlCompressBufferProgress+8C9BEj
					; RtlCompressBufferProgress+8C9EEj ...
		pop	esi
		pop	ebp
		retn	20h
RtlCompressBufferProgress endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopGetNextTable	proc near		; CODE XREF: PopSaveHiberContext+D9p
					; PopSaveHiberContext+4AAp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005DE71D SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ebp+arg_4]
		and	[ebp+var_4], 0
		add	eax, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], eax
		and	[edx], edi
		xor	eax, eax
		cmp	byte ptr [ebp+arg_8], al
		mov	ebx, ecx
		mov	[ebp+var_1C], edx
		setz	al
		mov	[ebp+var_18], ebx
		mov	[ebp+var_8], edi
		mov	[ebp+var_20], eax
		lea	edx, [ebx+8]

loc_551D77:				; CODE XREF: PopGetNextTable+227j
		xor	ecx, ecx
		xor	eax, eax
		inc	ecx
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	loc_551F61
		lea	edx, [ebx+30h]
		cmp	[ebx+4Ch], edx
		jnz	loc_551F6E

loc_551D94:				; CODE XREF: PopGetNextTable+234j
					; PopGetNextTable+23Fj	...
		mov	eax, [ebx+0B4h]
		cmp	edi, eax
		jnb	loc_551F04

loc_551DA2:				; CODE XREF: PopGetNextTable+165j
		mov	ecx, [ebx+48h]
		sub	eax, edi
		mov	esi, [ebx+50h]
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], ecx
		mov	eax, [ecx]
		mov	[ebp+var_18], eax
		cmp	eax, esi
		jbe	loc_551EFC
		mov	ecx, [ecx+4]
		dec	eax
		shr	eax, 5
		lea	edx, [ecx+eax*4]
		mov	eax, esi
		shr	eax, 5
		mov	[ebp+arg_8], edx
		lea	edi, [ecx+eax*4]
		cmp	edi, edx
		jz	short loc_551DED
		mov	edx, esi
		and	edx, 1Fh
		mov	ecx, ds:dword_40BA68[edx*4]
		or	ecx, [edi]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_551F3C

loc_551DED:				; CODE XREF: PopGetNextTable+92j
					; PopGetNextTable+20Aj	...
		mov	ecx, [ebp+var_18]
		cmp	esi, ecx
		jnb	short loc_551E04
		mov	eax, [ebp+var_14]
		mov	eax, [eax+4]

loc_551DFA:				; CODE XREF: PopGetNextTable+C0j
		bt	[eax], esi
		jnb	short loc_551E04
		inc	esi
		cmp	esi, ecx
		jb	short loc_551DFA

loc_551E04:				; CODE XREF: PopGetNextTable+B0j
					; PopGetNextTable+BBj
		xor	edx, edx
		cmp	edi, [ebp+arg_8]
		jz	loc_5DE729
		mov	ecx, [edi]
		mov	eax, esi
		and	eax, 1Fh
		mov	[ebp+var_18], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		mov	ecx, [ebp+var_10]
		jz	loc_551F09

loc_551E2D:				; CODE XREF: PopGetNextTable+1DBj
					; PopGetNextTable+1E4j	...
		mov	edi, [ebp+var_14]
		lea	eax, [edx+esi]
		mov	edi, [edi]
		mov	[ebp+arg_8], edi
		cmp	eax, edi
		jnb	short loc_551E52
		mov	edi, [ebp+var_14]
		mov	edi, [edi+4]

loc_551E42:				; CODE XREF: PopGetNextTable+10Ej
		bt	[edi], eax
		jb	short loc_551E52
		cmp	edx, ecx
		jnb	short loc_551E54
		inc	eax
		inc	edx
		cmp	eax, [ebp+arg_8]
		jb	short loc_551E42

loc_551E52:				; CODE XREF: PopGetNextTable+F8j
					; PopGetNextTable+103j
		cmp	edx, ecx

loc_551E54:				; CODE XREF: PopGetNextTable+107j
					; PopGetNextTable+1CFj	...
		jbe	short loc_551E58
		mov	edx, ecx

loc_551E58:				; CODE XREF: PopGetNextTable:loc_551E54j
		test	edx, edx
		jz	loc_551EF9
		mov	edi, [ebp+arg_0]
		lea	eax, [edx+esi]
		mov	[ebx+50h], eax
		lea	ecx, [edx-1]
		and	ecx, 0Fh
		mov	eax, esi
		shl	eax, 4
		or	ecx, eax
		mov	eax, [ebp+var_4]
		movzx	eax, ax
		mov	[edi+eax*4], ecx
		mov	edi, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		add	edi, edx
		mov	eax, [ebp+var_C]
		inc	ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], ecx

loc_551E91:				; CODE XREF: PopGetNextTable+158j
		mov	[eax], esi
		add	eax, 4
		inc	esi
		sub	edx, 1
		jnz	short loc_551E91
		mov	[ebp+var_C], eax
		mov	eax, [ebx+0B4h]
		cmp	edi, eax
		jb	loc_551DA2

loc_551EAD:				; CODE XREF: PopGetNextTable+1C5j
		xor	esi, esi
		mov	[ebx+8], esi
		test	edi, edi
		jz	short loc_551EF0
		mov	eax, [ebp+var_1C]
		mov	edx, [ebp+arg_4]
		push	[ebp+var_20]
		mov	[eax], cl
		mov	ecx, edi
		shl	ecx, 0Ch
		mov	eax, ecx
		mov	[edx+14h], ecx
		mov	ecx, [ebp+arg_C]
		shr	eax, 0Ch
		push	edx
		mov	[edx], esi
		mov	[edx+10h], esi
		lea	eax, ds:1Ch[eax*4]
		mov	[edx+18h], esi
		mov	[edx+4], ax
		xor	eax, eax
		mov	[edx+6], ax
		call	_MmMapMemoryDumpMdlEx2@16 ; MmMapMemoryDumpMdlEx2(x,x,x,x)

loc_551EF0:				; CODE XREF: PopGetNextTable+172j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_551EF9:				; CODE XREF: PopGetNextTable+118j
		mov	edi, [ebp+var_8]

loc_551EFC:				; CODE XREF: PopGetNextTable+75j
		mov	eax, [ebx+48h]
		mov	eax, [eax]
		mov	[ebx+50h], eax

loc_551F04:				; CODE XREF: PopGetNextTable+5Aj
		mov	ecx, [ebp+var_4]
		jmp	short loc_551EAD
; 

loc_551F09:				; CODE XREF: PopGetNextTable+E5j
		push	20h
		pop	edx
		sub	edx, [ebp+var_18]
		cmp	edx, ecx
		jnb	loc_551E54
		add	edi, 4

loc_551F1A:				; CODE XREF: PopGetNextTable+1F8j
		cmp	edi, [ebp+arg_8]
		jnb	loc_551E2D
		cmp	dword ptr [edi], 0
		jnz	loc_551E2D
		add	edx, 20h
		add	edi, 4
		cmp	edx, ecx
		jnb	loc_551E54
		jmp	short loc_551F1A
; 

loc_551F3C:				; CODE XREF: PopGetNextTable+A5j
		sub	esi, edx
		mov	edx, [ebp+arg_8]
		add	esi, 20h
		add	edi, 4
		jmp	short loc_551F58
; 

loc_551F49:				; CODE XREF: PopGetNextTable+218j
		cmp	dword ptr [edi], 0FFFFFFFFh
		jnz	loc_551DED
		add	edi, 4
		add	esi, 20h

loc_551F58:				; CODE XREF: PopGetNextTable+205j
		cmp	edi, edx
		jb	short loc_551F49
		jmp	loc_551DED
; 

loc_551F61:				; CODE XREF: PopGetNextTable+40j
					; PopGetNextTable+225j
		pause
		mov	eax, [edx]
		test	eax, eax
		jnz	short loc_551F61
		jmp	loc_551D77
; 

loc_551F6E:				; CODE XREF: PopGetNextTable+4Cj
		mov	eax, [ebx+0B4h]
		test	eax, eax
		jz	loc_551D94

loc_551F7C:				; CODE XREF: PopGetNextTable+2D6j
		mov	ecx, [ebx+4Ch]
		cmp	ecx, edx
		jz	loc_551D94
		mov	esi, [ebx+50h]
		sub	eax, edi
		mov	edx, [ecx+0Ch]
		add	edx, esi
		mov	[ebp+arg_8], esi
		mov	esi, [ecx+10h]
		sub	esi, edx
		mov	[ebp+var_14], edx
		mov	edx, [ebp+arg_8]
		shl	edx, 0Ch
		add	edx, [ecx+14h]
		mov	[ebp+var_10], edx
		cmp	esi, eax
		ja	loc_5DE71D
		mov	eax, [ecx]
		mov	[ebx+4Ch], eax
		xor	eax, eax

loc_551FB7:				; CODE XREF: PopGetNextTable+8C9E2j
		mov	edx, [ebp+var_4]
		lea	ecx, [esi-1]
		mov	edi, [ebp+arg_0]
		and	ecx, 0Fh
		mov	[ebx+50h], eax
		mov	eax, [ebp+var_14]
		shl	eax, 4
		or	ecx, eax
		movzx	eax, dx
		inc	edx
		mov	[ebp+var_4], edx
		mov	[edi+eax*4], ecx
		mov	edi, [ebp+var_8]
		test	esi, esi
		jz	short loc_55200D
		mov	ebx, [ebp+var_C]
		add	edi, esi
		mov	[ebp+var_8], edi
		mov	edi, [ebp+var_10]

loc_551FEA:				; CODE XREF: PopGetNextTable+2C0j
		push	edi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		shrd	eax, edx, 0Ch
		add	edi, 1000h
		mov	[ebx], eax
		add	ebx, 4
		sub	esi, 1
		jnz	short loc_551FEA
		mov	edi, [ebp+var_8]
		mov	[ebp+var_C], ebx
		mov	ebx, [ebp+var_18]

loc_55200D:				; CODE XREF: PopGetNextTable+29Bj
		mov	eax, [ebx+0B4h]
		lea	edx, [ebx+30h]
		cmp	edi, eax
		jb	loc_551F7C
		jmp	loc_551D94
PopGetNextTable	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlDecompressBufferProgress proc near	; CODE XREF: PopDecompressHiberBlocks+308p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005DE731 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, cl
		push	esi
		mov	esi, edx
		cmp	eax, 3
		jnz	loc_5DE731
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	1000h
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	RtlDecompressBufferXpressLzProgress

loc_552062:				; CODE XREF: RtlDecompressBufferProgress+8C727j
					; RtlDecompressBufferProgress+8C731j
		pop	esi
		pop	ebp
		retn	20h
RtlDecompressBufferProgress endp

; 
		align 10h
; Exported entry 1209. KePollFreezeExecution

;  S U B	R O U T	I N E 


		public KePollFreezeExecution
KePollFreezeExecution proc near		; CODE XREF: ConsumerPeekAndConsumeBuffer:loc_71D500p
					; ConsumerPeekAndConsumeBuffer:loc_71D530p ...
		mov	eax, large fs:20h
		mov	ecx, [eax+21A0h]
		add	eax, 21A0h
		test	cl, 4
		jnz	loc_5A83F6
		pause
		retn
KePollFreezeExecution endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlDecompressBufferXpressLzProgress proc near ;	CODE XREF: RtlDecompressBufferProgress+2Dp

var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005DE766 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_10], ebx
		push	esi
		push	edi
		mov	edi, 1000h
		cmp	eax, 5
		jb	loc_55279A
		mov	ecx, [ebp+arg_0]
		lea	esi, [ebx+edx]
		add	eax, ecx
		mov	[ebp+var_4], esi
		mov	[ebp+arg_0], eax
		mov	esi, ebx
		lea	eax, [edx-160h]
		add	eax, ebx
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	loc_552723

loc_5520D7:				; CODE XREF: RtlDecompressBufferXpressLzProgress+69Bj
		mov	edi, edx

loc_5520D9:				; CODE XREF: RtlDecompressBufferXpressLzProgress+695j
		mov	edx, [ebp+var_8]
		add	ebx, edi
		mov	[ebp+arg_C], ebx
		cmp	edx, ebx
		jnb	short loc_5520E8
		mov	[ebp+arg_C], edx

loc_5520E8:				; CODE XREF: RtlDecompressBufferXpressLzProgress+53j
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_20], eax
		xor	eax, eax
		mov	[ebp+var_1C], edi
		mov	[ebp+arg_10], eax
		lea	esp, [esp+0]

loc_552100:				; CODE XREF: RtlDecompressBufferXpressLzProgress+A8j
		mov	eax, [ebp+arg_0]
		mov	edx, ecx
		mov	edi, [ecx]
		add	eax, 0FFFFFFAAh
		mov	ebx, [ebp+arg_C]
		add	ecx, 4
		mov	[ebp+arg_4], ecx
		cmp	ecx, eax
		jnb	loc_55232A
		cmp	esi, ebx
		jnb	loc_5522F9

loc_552123:				; CODE XREF: RtlDecompressBufferXpressLzProgress+285j
		lea	ebx, ds:1[edi*2]
		test	edi, edi
		js	short loc_55213A
		jmp	short loc_55218B
; 

loc_552130:				; CODE XREF: RtlDecompressBufferXpressLzProgress+FDj
		mov	al, [ecx]
		mov	[esi], al
		inc	esi
		inc	ecx

loc_552136:				; CODE XREF: RtlDecompressBufferXpressLzProgress+F7j
					; RtlDecompressBufferXpressLzProgress+117j ...
		add	ebx, ebx
		jz	short loc_552100

loc_55213A:				; CODE XREF: RtlDecompressBufferXpressLzProgress+9Cj
		movzx	edx, word ptr [ecx]
		add	ecx, 2
		mov	edi, edx
		mov	[ebp+arg_4], ecx
		shr	edx, 3
		and	edi, 7
		inc	edx
		mov	[ebp+var_18], edx
		cmp	edi, 7
		jz	loc_5521EB

loc_552158:				; CODE XREF: RtlDecompressBufferXpressLzProgress+179j
		mov	ecx, esi
		add	edi, 3
		sub	ecx, edx
		cmp	ecx, [ebp+var_10]
		jb	loc_55279A
		cmp	edx, 4
		jb	loc_552261

loc_552171:				; CODE XREF: RtlDecompressBufferXpressLzProgress+20Bj
		mov	eax, [ecx]
		mov	[esi], eax
		mov	eax, [ecx+4]
		mov	[esi+4], eax
		cmp	edi, 9
		jge	short loc_5521AD

loc_552180:				; CODE XREF: RtlDecompressBufferXpressLzProgress+14Ej
		add	esi, edi

loc_552182:				; CODE XREF: RtlDecompressBufferXpressLzProgress+211j
		mov	ecx, [ebp+arg_4]
		test	ebx, ebx
		js	short loc_552136
		add	ebx, ebx

loc_55218B:				; CODE XREF: RtlDecompressBufferXpressLzProgress+9Ej
					; RtlDecompressBufferXpressLzProgress+11Bj
		test	ebx, ebx
		js	short loc_552130
		add	ebx, ebx
		js	short loc_55220E
		add	ebx, ebx
		mov	eax, [ecx]
		mov	[esi], eax
		js	loc_55221F
		add	esi, 4
		add	ecx, 4
		add	ebx, ebx
		js	short loc_552136
		add	ebx, ebx
		jmp	short loc_55218B
; 

loc_5521AD:				; CODE XREF: RtlDecompressBufferXpressLzProgress+EEj
		add	esi, 8
		add	ecx, 8
		sub	edi, 8

loc_5521B6:				; CODE XREF: RtlDecompressBufferXpressLzProgress+159j
		mov	[ebp+var_14], edi
		mov	[ebp+var_18], ecx
		cmp	esi, [ebp+arg_C]
		jnb	loc_5522D8

loc_5521C5:				; CODE XREF: RtlDecompressBufferXpressLzProgress+264j
		mov	eax, [ecx]
		mov	[esi], eax
		mov	eax, [ecx+4]
		mov	[esi+4], eax
		mov	eax, [ecx+8]
		mov	[esi+8], eax
		mov	eax, [ecx+0Ch]
		mov	[esi+0Ch], eax
		cmp	edi, 11h
		jl	short loc_552180
		add	esi, 10h
		add	ecx, 10h
		sub	edi, 10h
		jmp	short loc_5521B6
; 

loc_5521EB:				; CODE XREF: RtlDecompressBufferXpressLzProgress+C2j
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jnz	short loc_55222A
		mov	eax, ecx
		inc	ecx
		mov	[ebp+arg_10], eax
		mov	[ebp+arg_4], ecx
		movzx	edi, byte ptr [eax]
		and	edi, 0Fh

loc_552201:				; CODE XREF: RtlDecompressBufferXpressLzProgress+1A7j
		cmp	edi, 0Fh
		jz	short loc_552239

loc_552206:				; CODE XREF: RtlDecompressBufferXpressLzProgress+1CFj
		add	edi, 7
		jmp	loc_552158
; 

loc_55220E:				; CODE XREF: RtlDecompressBufferXpressLzProgress+101j
		mov	ax, [ecx]
		mov	[esi], ax
		add	esi, 2
		add	ecx, 2
		jmp	loc_552136
; 

loc_55221F:				; CODE XREF: RtlDecompressBufferXpressLzProgress+109j
		add	esi, 3
		add	ecx, 3
		jmp	loc_552136
; 

loc_55222A:				; CODE XREF: RtlDecompressBufferXpressLzProgress+160j
		movzx	edi, byte ptr [eax]
		shr	edi, 4
		mov	[ebp+arg_10], 0
		jmp	short loc_552201
; 

loc_552239:				; CODE XREF: RtlDecompressBufferXpressLzProgress+174j
		mov	edi, [ebp+arg_0]
		lea	eax, [ecx+7]
		mov	edx, [ebp+var_18]
		add	edi, 0FFFFFFAAh
		cmp	eax, edi
		jnb	loc_5523C2
		movzx	edi, byte ptr [ecx]
		inc	ecx
		mov	[ebp+arg_4], ecx
		cmp	edi, 0FFh
		jz	short loc_5522A6

loc_55225C:				; CODE XREF: RtlDecompressBufferXpressLzProgress+240j
		add	edi, 0Fh
		jmp	short loc_552206
; 

loc_552261:				; CODE XREF: RtlDecompressBufferXpressLzProgress+DBj
		movzx	eax, byte ptr [ecx]
		mov	[esi], al
		sub	edx, 1
		jz	short loc_552281
		movzx	eax, byte ptr [ecx+1]
		mov	[esi+1], al
		sub	edx, 1
		jnz	short loc_5522D2
		mov	eax, 2
		lea	edx, [eax-4]
		jmp	short loc_552297
; 

loc_552281:				; CODE XREF: RtlDecompressBufferXpressLzProgress+1D9j
		movzx	eax, byte ptr [ecx]
		mov	[esi+1], al
		movzx	eax, byte ptr [ecx]

loc_55228A:				; CODE XREF: RtlDecompressBufferXpressLzProgress+246j
		mov	[esi+2], al
		mov	edx, 0FFFFFFFDh
		mov	eax, 3

loc_552297:				; CODE XREF: RtlDecompressBufferXpressLzProgress+1EFj
		add	esi, eax
		add	edi, edx
		jnz	loc_552171
		jmp	loc_552182
; 

loc_5522A6:				; CODE XREF: RtlDecompressBufferXpressLzProgress+1CAj
		movzx	edi, word ptr [ecx]
		add	ecx, 2
		mov	[ebp+arg_4], ecx
		test	edi, edi
		jz	loc_5DE766

loc_5522B7:				; CODE XREF: RtlDecompressBufferXpressLzProgress+8C6DEj
		cmp	edi, 16h
		jl	loc_55279A
		lea	eax, [esi+3]
		add	eax, edi
		cmp	eax, esi
		jb	loc_55279A
		sub	edi, 16h
		jmp	short loc_55225C
; 

loc_5522D2:				; CODE XREF: RtlDecompressBufferXpressLzProgress+1E5j
		movzx	eax, byte ptr [ecx+2]
		jmp	short loc_55228A
; 

loc_5522D8:				; CODE XREF: RtlDecompressBufferXpressLzProgress+12Fj
		mov	eax, [ebp+var_8]
		cmp	esi, eax
		jnb	loc_552701
		push	esi
		mov	edx, eax
		lea	ecx, [ebp+var_24]
		call	_RtlpMakeXpressCallback@12 ; RtlpMakeXpressCallback(x,x,x)
		mov	ecx, [ebp+var_18]
		mov	[ebp+arg_C], eax
		jmp	loc_5521C5
; 

loc_5522F9:				; CODE XREF: RtlDecompressBufferXpressLzProgress+8Dj
		mov	eax, [ebp+var_8]
		cmp	esi, eax
		jnb	loc_5526C1
		push	esi
		mov	edx, eax
		lea	ecx, [ebp+var_24]
		call	_RtlpMakeXpressCallback@12 ; RtlpMakeXpressCallback(x,x,x)
		mov	ecx, [ebp+arg_4]
		mov	[ebp+arg_C], eax
		jmp	loc_552123
; 

loc_55231A:				; CODE XREF: RtlDecompressBufferXpressLzProgress+393j
		lea	eax, [ecx+3]
		cmp	eax, edi
		jnb	loc_55279A
		mov	edi, [ecx]
		mov	ebx, [ebp+arg_C]

loc_55232A:				; CODE XREF: RtlDecompressBufferXpressLzProgress+85j
		lea	ecx, [edx+4]
		mov	[ebp+arg_4], ecx
		cmp	esi, ebx
		jnb	loc_5526B6

loc_552338:				; CODE XREF: RtlDecompressBufferXpressLzProgress+705j
		lea	ebx, ds:1[edi*2]
		test	edi, edi
		js	loc_552429
		jmp	short loc_55234B
; 

loc_552349:				; CODE XREF: RtlDecompressBufferXpressLzProgress+386j
		add	ebx, ebx

loc_55234B:				; CODE XREF: RtlDecompressBufferXpressLzProgress+2B7j
		mov	edi, [ebp+arg_0]
		mov	edi, edi

loc_552350:				; CODE XREF: RtlDecompressBufferXpressLzProgress+2F5j
		test	ebx, ebx
		js	short loc_552387
		add	ebx, ebx
		js	loc_552517
		add	ebx, ebx
		js	loc_552695
		lea	eax, [ecx+3]
		add	ebx, ebx
		cmp	eax, edi
		jnb	loc_55279A
		mov	eax, [ecx]
		add	ecx, 4
		mov	[esi], eax
		add	esi, 4
		test	ebx, ebx
		js	loc_55241F
		add	ebx, ebx
		jmp	short loc_552350
; 

loc_552387:				; CODE XREF: RtlDecompressBufferXpressLzProgress+2C2j
		cmp	ecx, edi
		jnb	loc_55279A
		mov	al, [ecx]
		mov	[esi], al
		inc	esi
		inc	ecx
		jmp	loc_55241F
; 

loc_55239A:				; CODE XREF: RtlDecompressBufferXpressLzProgress+3C6j
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jnz	loc_55249D
		cmp	ecx, [ebp+arg_0]
		jnb	loc_55279A
		mov	eax, ecx
		inc	ecx
		mov	[ebp+arg_10], eax
		mov	[ebp+arg_4], ecx
		movzx	edi, byte ptr [eax]
		and	edi, 0Fh

loc_5523BD:				; CODE XREF: RtlDecompressBufferXpressLzProgress+41Aj
		cmp	edi, 0Fh
		jnz	short loc_5523E1

loc_5523C2:				; CODE XREF: RtlDecompressBufferXpressLzProgress+1B7j
		cmp	ecx, [ebp+arg_0]
		jnb	loc_55279A
		movzx	edi, byte ptr [ecx]
		inc	ecx
		mov	[ebp+arg_4], ecx
		cmp	edi, 0FFh
		jz	loc_5524DC

loc_5523DE:				; CODE XREF: RtlDecompressBufferXpressLzProgress+482j
		add	edi, 0Fh

loc_5523E1:				; CODE XREF: RtlDecompressBufferXpressLzProgress+330j
		add	edi, 7

loc_5523E4:				; CODE XREF: RtlDecompressBufferXpressLzProgress+3C4j
		add	edi, 3
		mov	[ebp+var_C], edi
		mov	edi, esi
		sub	edi, edx
		cmp	edi, [ebp+var_10]
		jb	loc_55279A
		cmp	edx, 4
		jb	loc_5526C9
		mov	edx, [ebp+var_C]

loc_552403:				; CODE XREF: RtlDecompressBufferXpressLzProgress+666j
		mov	eax, [edi]
		mov	[esi], eax
		mov	eax, [edi+4]
		mov	[esi+4], eax
		cmp	edx, 9
		jge	short loc_55245B

loc_552412:				; CODE XREF: RtlDecompressBufferXpressLzProgress+408j
		add	esi, edx

loc_552414:				; CODE XREF: RtlDecompressBufferXpressLzProgress+66Cj
		test	ebx, ebx
		jns	loc_552349
		mov	edi, [ebp+arg_0]

loc_55241F:				; CODE XREF: RtlDecompressBufferXpressLzProgress+2EDj
					; RtlDecompressBufferXpressLzProgress+305j ...
		mov	edx, ecx
		add	ebx, ebx
		jz	loc_55231A

loc_552429:				; CODE XREF: RtlDecompressBufferXpressLzProgress+2B1j
		mov	edx, [ebp+arg_0]
		cmp	ecx, edx
		jz	loc_5525B0
		lea	eax, [ecx+1]
		cmp	eax, edx
		jnb	loc_5DE78C
		movzx	edx, word ptr [ecx]
		add	ecx, 2
		mov	edi, edx
		mov	[ebp+arg_4], ecx
		shr	edx, 3
		and	edi, 7
		inc	edx
		cmp	edi, 7
		jnz	short loc_5523E4
		jmp	loc_55239A
; 

loc_55245B:				; CODE XREF: RtlDecompressBufferXpressLzProgress+380j
		add	esi, 8
		add	edi, 8
		sub	edx, 8

loc_552464:				; CODE XREF: RtlDecompressBufferXpressLzProgress+403j
		mov	[ebp+var_C], edx
		mov	[ebp+var_18], edi
		cmp	esi, [ebp+arg_C]
		jnb	short loc_5524AF

loc_55246F:				; CODE XREF: RtlDecompressBufferXpressLzProgress+600j
		mov	eax, [edi]
		mov	[esi], eax
		mov	eax, [edi+4]
		mov	[esi+4], eax
		mov	eax, [edi+8]
		mov	[esi+8], eax
		mov	eax, [edi+0Ch]
		mov	[esi+0Ch], eax
		cmp	edx, 11h
		jl	short loc_552495
		add	esi, 10h
		add	edi, 10h
		sub	edx, 10h
		jmp	short loc_552464
; 

loc_552495:				; CODE XREF: RtlDecompressBufferXpressLzProgress+3F8j
		mov	ecx, [ebp+arg_4]
		jmp	loc_552412
; 

loc_55249D:				; CODE XREF: RtlDecompressBufferXpressLzProgress+30Fj
		movzx	edi, byte ptr [eax]
		shr	edi, 4
		mov	[ebp+arg_10], 0
		jmp	loc_5523BD
; 

loc_5524AF:				; CODE XREF: RtlDecompressBufferXpressLzProgress+3DDj
		mov	eax, [ebp+var_8]
		cmp	esi, eax
		jb	loc_55267F
		lea	eax, [edx+esi]
		cmp	eax, [ebp+var_4]
		ja	loc_55279A
		mov	edi, esi
		mov	ecx, edx
		mov	esi, [ebp+var_18]
		mov	edx, [ebp+arg_0]
		rep movsb
		mov	ecx, [ebp+arg_4]
		mov	esi, eax
		jmp	loc_5525B0
; 

loc_5524DC:				; CODE XREF: RtlDecompressBufferXpressLzProgress+348j
		lea	eax, [ecx+1]
		cmp	eax, [ebp+arg_0]
		jnb	loc_55279A
		movzx	edi, word ptr [ecx]
		add	ecx, 2
		mov	[ebp+arg_4], ecx
		test	edi, edi
		jz	loc_5DE773

loc_5524F9:				; CODE XREF: RtlDecompressBufferXpressLzProgress+8C6F7j
		cmp	edi, 16h
		jl	loc_55279A
		lea	eax, [esi+3]
		add	eax, edi
		cmp	eax, esi
		jb	loc_55279A
		sub	edi, 16h
		jmp	loc_5523DE
; 

loc_552517:				; CODE XREF: RtlDecompressBufferXpressLzProgress+2C6j
		lea	eax, [ecx+1]
		cmp	eax, edi
		jnb	loc_55279A
		mov	ax, [ecx]
		mov	[esi], ax
		add	esi, 2
		add	ecx, 2
		jmp	loc_55241F
; 

loc_552533:				; CODE XREF: RtlDecompressBufferXpressLzProgress+528j
		cmp	ecx, edx
		jnb	loc_55279A
		cmp	esi, [ebp+var_4]
		jnb	loc_55279A
		mov	al, [ecx]
		mov	[esi], al
		inc	esi
		inc	ecx

loc_55254A:				; CODE XREF: RtlDecompressBufferXpressLzProgress+522j
					; RtlDecompressBufferXpressLzProgress+556j
		add	ebx, ebx
		jz	loc_5525F0

loc_552552:				; CODE XREF: RtlDecompressBufferXpressLzProgress+57Bj
		cmp	ecx, edx
		jz	loc_55264B
		lea	eax, [ecx+1]
		cmp	eax, edx
		jnb	loc_5DE7B3
		movzx	edi, word ptr [ecx]
		add	ecx, 2
		mov	edx, edi
		mov	[ebp+arg_4], ecx
		shr	edi, 3
		and	edx, 7
		inc	edi
		cmp	edx, 7
		jz	loc_552610

loc_552580:				; CODE XREF: RtlDecompressBufferXpressLzProgress+59Cj
		mov	eax, esi
		add	edx, 3
		sub	eax, edi
		cmp	eax, [ebp+var_10]
		jb	loc_55279A
		lea	ecx, [edx+esi]
		mov	[ebp+arg_C], ecx
		cmp	ecx, [ebp+var_4]
		ja	loc_55279A
		mov	edi, esi
		mov	ecx, edx
		mov	edx, [ebp+arg_0]
		mov	esi, eax
		rep movsb
		mov	esi, [ebp+arg_C]
		mov	ecx, [ebp+arg_4]

loc_5525B0:				; CODE XREF: RtlDecompressBufferXpressLzProgress+39Ej
					; RtlDecompressBufferXpressLzProgress+447j ...
		test	ebx, ebx
		js	short loc_55254A
		add	ebx, ebx

loc_5525B6:				; CODE XREF: RtlDecompressBufferXpressLzProgress+55Ej
					; RtlDecompressBufferXpressLzProgress+579j
		test	ebx, ebx
		js	loc_552533
		lea	edi, [ecx+2]
		add	ebx, ebx
		cmp	edi, edx
		ja	loc_55279A
		lea	edx, [esi+2]
		cmp	edx, [ebp+var_4]
		ja	loc_55279A
		mov	ax, [ecx]
		mov	ecx, edi
		mov	[esi], ax
		mov	esi, edx
		mov	edx, [ebp+arg_0]
		test	ebx, ebx
		js	loc_55254A
		add	ebx, ebx
		jmp	short loc_5525B6
; 

loc_5525F0:				; CODE XREF: RtlDecompressBufferXpressLzProgress+4BCj
		lea	eax, [ecx+3]
		cmp	eax, edx
		jnb	loc_55279A
		mov	edi, [ecx]
		add	ecx, 4

loc_552600:				; CODE XREF: RtlDecompressBufferXpressLzProgress+634j
		lea	ebx, ds:1[edi*2]
		test	edi, edi
		jns	short loc_5525B6
		jmp	loc_552552
; 

loc_552610:				; CODE XREF: RtlDecompressBufferXpressLzProgress+4EAj
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_552631
		movzx	edx, byte ptr [eax]
		shr	edx, 4
		mov	[ebp+arg_10], 0

loc_552624:				; CODE XREF: RtlDecompressBufferXpressLzProgress+5B9j
		cmp	edx, 0Fh
		jz	short loc_55265E

loc_552629:				; CODE XREF: RtlDecompressBufferXpressLzProgress+5EDj
		add	edx, 7
		jmp	loc_552580
; 

loc_552631:				; CODE XREF: RtlDecompressBufferXpressLzProgress+585j
		cmp	ecx, [ebp+arg_0]
		jnb	loc_55279A
		mov	eax, ecx
		inc	ecx
		mov	[ebp+arg_10], eax
		mov	[ebp+arg_4], ecx
		movzx	edx, byte ptr [eax]
		and	edx, 0Fh
		jmp	short loc_552624
; 

loc_55264B:				; CODE XREF: RtlDecompressBufferXpressLzProgress+4C4j
					; RtlDecompressBufferXpressLzProgress+8C72Cj
		mov	eax, [ebp+arg_8]
		sub	esi, [ebp+var_10]
		mov	[eax], esi
		xor	eax, eax

loc_552655:				; CODE XREF: RtlDecompressBufferXpressLzProgress+70Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_55265E:				; CODE XREF: RtlDecompressBufferXpressLzProgress+597j
		cmp	ecx, [ebp+arg_0]
		jnb	loc_55279A
		movzx	edx, byte ptr [ecx]
		inc	ecx
		mov	[ebp+arg_4], ecx
		cmp	edx, 0FFh
		jz	loc_552742

loc_55267A:				; CODE XREF: RtlDecompressBufferXpressLzProgress+6DCj
		add	edx, 0Fh
		jmp	short loc_552629
; 

loc_55267F:				; CODE XREF: RtlDecompressBufferXpressLzProgress+424j
		push	esi
		mov	edx, eax
		lea	ecx, [ebp+var_24]
		call	_RtlpMakeXpressCallback@12 ; RtlpMakeXpressCallback(x,x,x)
		mov	edx, [ebp+var_C]
		mov	[ebp+arg_C], eax
		jmp	loc_55246F
; 

loc_552695:				; CODE XREF: RtlDecompressBufferXpressLzProgress+2CEj
		lea	edx, [ecx+2]
		cmp	edx, edi
		jnb	loc_55279A
		mov	ax, [ecx]
		mov	[esi], ax
		mov	al, [edx]
		mov	[esi+2], al
		add	esi, 3
		add	ecx, 3
		jmp	loc_55241F
; 

loc_5526B6:				; CODE XREF: RtlDecompressBufferXpressLzProgress+2A2j
		mov	eax, [ebp+var_8]
		cmp	esi, eax
		jb	loc_552784

loc_5526C1:				; CODE XREF: RtlDecompressBufferXpressLzProgress+26Ej
		mov	edx, [ebp+arg_0]
		jmp	loc_552600
; 

loc_5526C9:				; CODE XREF: RtlDecompressBufferXpressLzProgress+36Aj
		movzx	eax, byte ptr [edi]
		mov	[esi], al
		cmp	edx, 1
		jnz	short loc_552730
		movzx	eax, byte ptr [edi]
		mov	[esi+1], al
		movzx	eax, byte ptr [edi]

loc_5526DC:				; CODE XREF: RtlDecompressBufferXpressLzProgress+6B0j
		mov	[ebp+var_14], 0FFFFFFFDh
		mov	[ebp+var_18], 3
		mov	[esi+2], al

loc_5526ED:				; CODE XREF: RtlDecompressBufferXpressLzProgress+6EFj
		mov	edx, [ebp+var_C]
		add	esi, [ebp+var_18]
		add	edx, [ebp+var_14]
		jnz	loc_552403
		jmp	loc_552414
; 

loc_552701:				; CODE XREF: RtlDecompressBufferXpressLzProgress+24Dj
		lea	eax, [edi+esi]
		cmp	eax, [ebp+var_4]
		ja	loc_55279A
		mov	edx, [ebp+arg_0]
		mov	edi, esi
		mov	esi, ecx
		mov	ecx, [ebp+var_14]
		rep movsb
		mov	ecx, [ebp+arg_4]
		mov	esi, eax
		jmp	loc_5525B0
; 

loc_552723:				; CODE XREF: RtlDecompressBufferXpressLzProgress+41j
		cmp	edx, edi
		jnb	loc_5520D9
		jmp	loc_5520D7
; 

loc_552730:				; CODE XREF: RtlDecompressBufferXpressLzProgress+641j
		movzx	eax, byte ptr [edi+1]
		mov	[esi+1], al
		sub	edx, 2
		jz	short loc_552771
		movzx	eax, byte ptr [edi+2]
		jmp	short loc_5526DC
; 

loc_552742:				; CODE XREF: RtlDecompressBufferXpressLzProgress+5E4j
		lea	eax, [ecx+1]
		cmp	eax, [ebp+arg_0]
		jnb	short loc_55279A
		movzx	edx, word ptr [ecx]
		add	ecx, 2
		mov	[ebp+arg_4], ecx
		test	edx, edx
		jz	loc_5DE79A

loc_55275B:				; CODE XREF: RtlDecompressBufferXpressLzProgress+8C71Ej
		cmp	edx, 16h
		jl	short loc_55279A
		lea	eax, [esi+3]
		add	eax, edx
		cmp	eax, esi
		jb	short loc_55279A
		sub	edx, 16h
		jmp	loc_55267A
; 

loc_552771:				; CODE XREF: RtlDecompressBufferXpressLzProgress+6AAj
		mov	[ebp+var_18], 2
		mov	[ebp+var_14], 0FFFFFFFEh
		jmp	loc_5526ED
; 

loc_552784:				; CODE XREF: RtlDecompressBufferXpressLzProgress+62Bj
		push	esi
		mov	edx, eax
		lea	ecx, [ebp+var_24]
		call	_RtlpMakeXpressCallback@12 ; RtlpMakeXpressCallback(x,x,x)
		mov	ecx, [ebp+arg_4]
		mov	[ebp+arg_C], eax
		jmp	loc_552338
; 

loc_55279A:				; CODE XREF: RtlDecompressBufferXpressLzProgress+1Bj
					; RtlDecompressBufferXpressLzProgress+D2j ...
		mov	eax, 0C0000242h
		jmp	loc_552655
RtlDecompressBufferXpressLzProgress endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMakeXpressCallback(x, x, x)
_RtlpMakeXpressCallback@12 proc	near	; CODE XREF: RtlCompressBufferXpressLzStandard+616p
					; RtlCompressBufferXpressLzStandard+629p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	eax, [esi+4]
		push	eax
		mov	eax, [esi]
		call	eax
		mov	eax, [ebp+arg_0]
		add	eax, [esi+8]
		cmp	edi, eax
		jb	short loc_5527D3

loc_5527CD:				; CODE XREF: RtlpMakeXpressCallback(x,x,x)+25j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_5527D3:				; CODE XREF: RtlpMakeXpressCallback(x,x,x)+1Bj
		mov	eax, edi
		jmp	short loc_5527CD
_RtlpMakeXpressCallback@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMapMemoryDumpMdlEx2(x, x,	x, x)
_MmMapMemoryDumpMdlEx2@16 proc near	; CODE XREF: PopGetNextTable+1A9p
					; PopDecompressHiberBlocks+1FAp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_4], 0FFFFFFFCh
		jnz	short loc_552801
		mov	eax, [ebp+arg_4]
		and	eax, 3
		cmp	al, 3
		jz	short loc_552801
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	MiMapMemoryDumpMdl
		xor	eax, eax

loc_5527FD:				; CODE XREF: MmMapMemoryDumpMdlEx2(x,x,x,x)+2Ej
		pop	ebp
		retn	8
; 

loc_552801:				; CODE XREF: MmMapMemoryDumpMdlEx2(x,x,x,x)+Cj
					; MmMapMemoryDumpMdlEx2(x,x,x,x)+16j
		mov	eax, 0C00000F2h
		jmp	short loc_5527FD
_MmMapMemoryDumpMdlEx2@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapMemoryDumpMdl proc	near		; CODE XREF: MmMapMemoryDumpMdlEx(x,x,x,x)+17p
					; MmMapMemoryDumpMdlEx2(x,x,x,x)+1Ep ...

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= byte ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DE7C1 SIZE 0000009C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0BCh+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [esp+0C0h+var_A0]
		push	esi
		push	edi
		push	98h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[esp+0D4h+var_B4], ecx
		mov	[esp+0D4h+var_AC], ebx
		call	_memset
		mov	ecx, [ebx+14h]
		add	esp, 0Ch
		mov	eax, [ebx+18h]
		add	ecx, eax
		test	ecx, 0FFFh
		jnz	loc_5DE7C1
		xor	edx, edx

loc_552864:				; CODE XREF: MiMapMemoryDumpMdl+8BFB6j
		shr	ecx, 0Ch
		add	ecx, edx
		mov	[esp+0C8h+var_98], 21h
		mov	edx, [esp+0C8h+var_B4]
		mov	esi, edx
		shr	esi, 9
		add	eax, edx
		and	esi, offset loc_7FFFF8
		mov	[ebx+0Ch], eax
		add	esi, 0C0000000h
		mov	[esp+0C8h+var_B8], ecx
		mov	[esp+0C8h+var_A4], esi
		lea	eax, [ebx+1Ch]
		mov	edi, esi
		mov	[esp+0C8h+var_B0], eax
		mov	esi, edx
		mov	[esp+0C8h+var_8C], 0
		and	esi, 0FFFFF000h
		mov	[esp+0C8h+var_9C], 3

loc_5528B1:				; CODE XREF: MiMapMemoryDumpMdl+ECj
		mov	ebx, [edi]
		nop
		mov	eax, [edi+4]
		mov	[esp+0C8h+var_A8], eax
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	short loc_5528D8
		push	0
		push	1
		mov	edx, esi
		lea	ecx, [esp+0D0h+var_A0]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	ecx, [esp+0C8h+var_B8]

loc_5528D8:				; CODE XREF: MiMapMemoryDumpMdl+B3j
		or	ebx, [esp+0C8h+var_A8]
		jz	short loc_5528EC
		mov	dword ptr [edi], 0
		nop
		mov	dword ptr [edi+4], 0

loc_5528EC:				; CODE XREF: MiMapMemoryDumpMdl+CCj
		add	edi, 8
		add	esi, 1000h
		sub	ecx, 1
		mov	[esp+0C8h+var_B8], ecx
		jnz	short loc_5528B1
		cmp	[esp+0C8h+var_94], 0
		mov	esi, [esp+0C8h+var_A4]
		jz	short loc_552912
		lea	ecx, [esp+0C8h+var_A0]
		call	MiFlushTbList

loc_552912:				; CODE XREF: MiMapMemoryDumpMdl+F7j
		mov	edx, [esp+0C8h+var_AC]
		mov	edi, [edx+14h]
		mov	eax, [edx+18h]
		add	edi, eax
		test	edi, 0FFFh
		jnz	loc_5DE7CB
		xor	ecx, ecx

loc_55292C:				; CODE XREF: MiMapMemoryDumpMdl+8BFC0j
		add	eax, [esp+0C8h+var_B4]
		shr	edi, 0Ch
		add	edi, ecx
		mov	[edx+0Ch], eax
		mov	ecx, [ebp+arg_4]
		test	cl, 2
		jnz	loc_5DE853
		mov	ebx, [esp+0C8h+var_B0]
		and	ecx, 1
		mov	[ebp+arg_4], ecx
		mov	edi, edi

loc_552950:				; CODE XREF: MiMapMemoryDumpMdl+196j
		mov	eax, 4
		test	ecx, ecx
		jz	short loc_5529C8
		mov	ecx, [ebx]

loc_55295B:				; CODE XREF: MiMapMemoryDumpMdl+1DDj
		or	eax, 0A0000000h
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	MiMakeValidPte
		mov	ecx, esi
		mov	[esp+0C8h+var_B8], eax
		mov	[esp+0C8h+var_B4], 0
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5DE7D5
		mov	ecx, [esp+0C8h+var_B8]

loc_552989:				; CODE XREF: MiMapMemoryDumpMdl+8BFE1j
					; MiMapMemoryDumpMdl+8BFEFj ...
		mov	[esi+4], edx
		nop
		cmp	[esp+0C8h+var_B4], 0
		mov	[esi], ecx
		jnz	loc_5DE845

loc_55299A:				; CODE XREF: MiMapMemoryDumpMdl+8C03Ej
		mov	ecx, [ebp+arg_4]
		add	ebx, 4
		add	esi, 8
		sub	edi, 1
		jnz	short loc_552950
		mov	eax, [esp+0C8h+var_AC]
		or	word ptr [eax+6], 11h

loc_5529B1:				; CODE XREF: MiMapMemoryDumpMdl+8C048j
		mov	ecx, [esp+0C8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_5529C8:				; CODE XREF: MiMapMemoryDumpMdl+147j
		mov	eax, [ebx]
		mov	[esp+0C8h+var_B0], eax
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	edx, [eax+ecx*4]
		mov	ecx, 4
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		mov	ecx, [esp+0C8h+var_B0]
		jmp	loc_55295B
MiMapMemoryDumpMdl endp


;  S U B	R O U T	I N E 


KdCheckForDebugBreak proc near		; CODE XREF: KeAccumulateTicks:loc_5B7D0Cp
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+44p ...

; FUNCTION CHUNK AT 005DE85D SIZE 00000022 BYTES

		cmp	_KdPitchDebugger, 0
		jz	loc_5DE85D

loc_5529FF:				; CODE XREF: KdCheckForDebugBreak+8BE72j
		cmp	_KdEventLoggingEnabled,	0
		jnz	loc_5DE86A

locret_552A0C:				; CODE XREF: KdCheckForDebugBreak+8BE7Fj
		retn
KdCheckForDebugBreak endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KeSuspendClockTimer()
_KeSuspendClockTimer@0 proc near	; CODE XREF: PopHandleNextState(x,x)+C8p
		jmp	_KiSuspendClockTimer@0 ; KiSuspendClockTimer()
_KeSuspendClockTimer@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiSuspendClockTimer()
_KiSuspendClockTimer@0 proc near	; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+811p
					; KeSuspendClockTimer()j ...
		mov	edi, edi
		push	esi
		mov	esi, large fs:20h
		mov	eax, ds:_KiClockState
		push	edi
		mov	edi, _KiClockTimerOwner
		test	byte ptr [esi+3D1h], 1
		jnz	short loc_552A47

loc_552A33:				; CODE XREF: KiSuspendClockTimer()+40j
		cmp	[esi+3CCh], edi
		jz	short loc_552A56

loc_552A3B:				; CODE XREF: KiSuspendClockTimer()+48j
		cmp	byte ptr [esi+3D0h], 0
		jnz	short loc_552A5E

loc_552A44:				; CODE XREF: KiSuspendClockTimer()+51j
		pop	edi
		pop	esi
		retn
; 

loc_552A47:				; CODE XREF: KiSuspendClockTimer()+1Dj
		call	off_6B138C	; SymCryptFatalIntercept(x)
		and	byte ptr [esi+3D1h], 0FEh
		jmp	short loc_552A33
; 

loc_552A56:				; CODE XREF: KiSuspendClockTimer()+25j
		inc	dword_6CAB48
		jmp	short loc_552A3B
; 

loc_552A5E:				; CODE XREF: KiSuspendClockTimer()+2Ej
		mov	byte ptr [esi+3D0h], 0
		jmp	short loc_552A44
_KiSuspendClockTimer@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


KeSaveIptStateBeforeProcessorGoesOffline proc near
					; CODE XREF: PopHandleNextState(x,x):loc_71BFE2p
					; PnprQuiesceProcessorDpc(x,x,x,x)+F1p

; FUNCTION CHUNK AT 005DE87F SIZE 0000001F BYTES

		cmp	ds:_KiIptMsrMask, 0
		jnz	loc_5DE87F

locret_552A75:				; CODE XREF: KeSaveIptStateBeforeProcessorGoesOffline+8BE25j
		retn
KeSaveIptStateBeforeProcessorGoesOffline endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopWakeDeviceList proc near		; CODE XREF: PoBroadcastSystemState+32Ap

var_40		= dword	ptr -40h
var_2C		= dword	ptr -2Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DE89E SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		xor	eax, eax
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_2C]
		xor	esi, esi
		stosd
		mov	ebx, ecx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_40]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [edx+18h]
		mov	edi, [edx]
		sub	edi, [edx+4]
		mov	ecx, [eax]
		mov	edx, [ebp+var_8]
		mov	[ebp+var_4], edi
		mov	[ebp+var_C], eax

loc_552AB8:				; CODE XREF: PopWakeDeviceList+49j
		cmp	ecx, eax
		jz	short loc_552AC1
		mov	ecx, [ecx]
		inc	edx
		jmp	short loc_552AB8
; 

loc_552AC1:				; CODE XREF: PopWakeDeviceList+44j
		push	edi
		push	edx
		lea	eax, [ebp+var_40]
		push	eax
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		push	edi
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		lea	eax, [ebp+var_40]
		mov	[ebx+14h], eax
		lea	eax, [ebp+var_2C]
		mov	[ebx+18h], eax
		test	edi, edi
		jle	loc_552BBD
		xor	edi, edi

loc_552AEE:				; CODE XREF: PopWakeDeviceList+12Dj
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_40]
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, dword_6C231C
		lea	edx, [ebp+var_18]
		lea	ecx, [ecx+8]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp+var_C]
		mov	edi, [eax]
		mov	ecx, [edi]
		cmp	[edi+4], eax
		jnz	loc_552BEB
		cmp	[ecx+4], edi
		jnz	loc_552BEB
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	eax, [ebx+0F0h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_552BEB
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		test	ds:byte_70EFC6,	1
		jnz	loc_5DE89E
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_552BD2
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	short loc_552BCA

loc_552B6C:				; CODE XREF: PopWakeDeviceList+16Cj
					; PopWakeDeviceList+8BE33j
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		dec	[ebp+var_4]
		mov	ecx, edi
		inc	esi
		call	PopIsNotifyForDirectedPowerTransition
		mov	edx, edi
		mov	ecx, ebx
		test	al, al
		jnz	short loc_552BE4
		call	PopNotifyDevice

loc_552B8D:				; CODE XREF: PopWakeDeviceList+173j
		xor	edi, edi
		test	_PopSimulate, 80000h
		jnz	loc_5DE8AE

loc_552B9F:				; CODE XREF: PopWakeDeviceList+8BE3Aj
		cmp	[ebp+var_4], 0
		jg	loc_552AEE
		jmp	short loc_552BB9
; 

loc_552BAB:				; CODE XREF: PopWakeDeviceList+145j
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_2C]
		push	eax
		call	KeWaitForSingleObject
		dec	esi

loc_552BB9:				; CODE XREF: PopWakeDeviceList+133j
		test	esi, esi
		jg	short loc_552BAB

loc_552BBD:				; CODE XREF: PopWakeDeviceList+70j
		and	dword ptr [ebx+14h], 0
		and	dword ptr [ebx+18h], 0
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_552BCA:				; CODE XREF: PopWakeDeviceList+F4j
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_552BD2:				; CODE XREF: PopWakeDeviceList+E1j
		xor	ecx, ecx
		mov	[ebp+var_18], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_552B6C
; 

loc_552BE4:				; CODE XREF: PopWakeDeviceList+110j
		call	_PopIssueDirectedPowerTransition@8 ; PopIssueDirectedPowerTransition(x,x)
		jmp	short loc_552B8D
; 

loc_552BEB:				; CODE XREF: PopWakeDeviceList+A0j
					; PopWakeDeviceList+A9j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PopWakeDeviceList endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopSleepDeviceList proc	near		; CODE XREF: PoBroadcastSystemState+1ACp

var_54		= dword	ptr -54h
var_40		= dword	ptr -40h
var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DE8C6 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_2C]
		mov	ebx, ecx
		stosd
		lea	ecx, [edx+10h]
		xor	esi, esi
		mov	[ebp+var_10], ecx
		and	[ebp+var_4], esi
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_40]
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_54]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ecx]
		mov	edi, [edx+4]
		mov	[ebp+var_C], edi
		cmp	eax, ecx
		jz	short loc_552C46
		mov	edx, [ebp+var_4]

loc_552C3C:				; CODE XREF: PopSleepDeviceList+51j
		mov	eax, [eax]
		inc	edx
		cmp	eax, ecx
		jnz	short loc_552C3C
		mov	[ebp+var_4], edx

loc_552C46:				; CODE XREF: PopSleepDeviceList+47j
		xor	eax, eax
		push	0
		inc	eax
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	[ebp+var_4]
		lea	eax, [ebp+var_54]
		push	eax
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		push	edi
		push	0
		lea	eax, [ebp+var_40]
		push	eax
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		lea	eax, [ebp+var_2C]
		mov	[ebx+10h], eax
		lea	eax, [ebp+var_54]
		mov	[ebx+14h], eax
		lea	eax, [ebp+var_40]
		mov	[ebx+18h], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_4], eax
		test	edi, edi
		jle	loc_552D78
		xor	edi, edi

loc_552C96:				; CODE XREF: PopSleepDeviceList+16Ej
		push	edi
		push	edi
		push	edi
		push	edi
		xor	eax, eax
		push	edi
		inc	eax
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	2
		call	KeWaitForMultipleObjects
		cmp	[ebx+0F8h], edi
		jl	loc_552D64
		mov	ecx, dword_6C231C
		lea	edx, [ebp+var_1C]
		lea	ecx, [ecx+8]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp+var_10]
		mov	edi, [eax]
		mov	ecx, [edi]
		cmp	[edi+4], eax
		jnz	loc_552DA9
		cmp	[ecx+4], edi
		jnz	loc_552DA9
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	eax, [ebx+0F0h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_552DA9
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		test	ds:byte_70EFC6,	1
		jnz	loc_5DE8C6
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_552D90
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jnz	short loc_552D88

loc_552D27:				; CODE XREF: PopSleepDeviceList+1B0j
					; PopSleepDeviceList+8BCE1j
		mov	cl, [ebp+var_14]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		dec	[ebp+var_C]
		mov	ecx, edi
		inc	esi
		call	PopIsNotifyForDirectedPowerTransition
		mov	edx, edi
		mov	ecx, ebx
		test	al, al
		jnz	short loc_552DA2
		call	PopNotifyDevice

loc_552D48:				; CODE XREF: PopSleepDeviceList+1B7j
		xor	edi, edi
		test	_PopSimulate, 80000h
		jnz	loc_5DE8D6

loc_552D5A:				; CODE XREF: PopSleepDeviceList+8BCE8j
		cmp	[ebp+var_C], 0
		jg	loc_552C96

loc_552D64:				; CODE XREF: PopSleepDeviceList+C0j
					; PopSleepDeviceList+186j
		test	esi, esi
		jle	short loc_552D78
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_40]
		push	eax
		call	KeWaitForSingleObject
		dec	esi
		jmp	short loc_552D64
; 

loc_552D78:				; CODE XREF: PopSleepDeviceList+9Ej
					; PopSleepDeviceList+176j
		xor	eax, eax
		pop	edi
		pop	esi
		mov	[ebx+10h], eax
		mov	[ebx+14h], eax
		mov	[ebx+18h], eax
		pop	ebx
		leave
		retn
; 

loc_552D88:				; CODE XREF: PopSleepDeviceList+135j
		lea	ecx, [ebp+var_1C]
		call	KxWaitForLockChainValid

loc_552D90:				; CODE XREF: PopSleepDeviceList+122j
		xor	ecx, ecx
		mov	[ebp+var_1C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	short loc_552D27
; 

loc_552DA2:				; CODE XREF: PopSleepDeviceList+151j
		call	_PopIssueDirectedPowerTransition@8 ; PopIssueDirectedPowerTransition(x,x)
		jmp	short loc_552D48
; 

loc_552DA9:				; CODE XREF: PopSleepDeviceList+E1j
					; PopSleepDeviceList+EAj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PopSleepDeviceList endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopMapInternalActionToIrpAction	proc near ; CODE XREF: PopRequestPowerIrp+F9p
					; PopNotifyDevice+3Dp ...

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005DE8EE SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	7
		pop	eax
		cmp	ecx, eax
		jz	loc_5DE8EE
		cmp	edx, 5
		jnz	short loc_552DC6
		push	3
		pop	ecx

loc_552DC6:				; CODE XREF: PopMapInternalActionToIrpAction+13j
		mov	eax, ecx

loc_552DC8:				; CODE XREF: PopMapInternalActionToIrpAction+8BB44j
					; PopMapInternalActionToIrpAction+8BB55j
		pop	ebp
		retn	4
PopMapInternalActionToIrpAction	endp


;  S U B	R O U T	I N E 


; __stdcall PoFxActivateDeviceForSystemTransition(x, x)
_PoFxActivateDeviceForSystemTransition@8 proc near ; CODE XREF:	PopNotifyDevice+DCp
		mov	edi, edi
		push	ecx
		push	edx
		mov	dl, 1
		call	PopFxActivateDevice
		pop	ecx
		retn
_PoFxActivateDeviceForSystemTransition@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


PopIsNotifyForDirectedPowerTransition proc near	; CODE XREF: PopWakeDeviceList+105p
					; PopSleepDeviceList+146p

; FUNCTION CHUNK AT 005DE908 SIZE 00000032 BYTES

		xor	edx, edx
		test	dword_6C2314, (offset loc_7FFFFF+1)
		jnz	loc_5DE908

loc_552DEC:				; CODE XREF: PopIsNotifyForDirectedPowerTransition+8BB31j
					; PopIsNotifyForDirectedPowerTransition+8BB42j	...
		mov	al, dl
		retn
PopIsNotifyForDirectedPowerTransition endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PopDiagTraceEventNoPayload(x)
_PopDiagTraceEventNoPayload@4 proc near	; CODE XREF: PopScanIdleList(x,x,x)+73p
					; PopScanIdleList(x,x,x)+1E5p ...
		cmp	_PopDiagHandleRegistered, 0
		push	esi
		mov	esi, ecx
		jz	short loc_552E18
		push	ebx
		mov	ebx, _PopDiagHandle
		push	edi
		mov	edi, dword_6C1D74
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	short loc_552E1A

loc_552E16:				; CODE XREF: PopDiagTraceEventNoPayload(x)+37j
		pop	edi
		pop	ebx

loc_552E18:				; CODE XREF: PopDiagTraceEventNoPayload(x)+Aj
		pop	esi
		retn
; 

loc_552E1A:				; CODE XREF: PopDiagTraceEventNoPayload(x)+24j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	esi
		push	edi
		push	ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	short loc_552E16
_PopDiagTraceEventNoPayload@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopPrepareSleep(x, x)
_PopPrepareSleep@8 proc	near		; CODE XREF: PopIssueActionRequest+1A0p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_PopDiagTracePrepareSleep@0 ; PopDiagTracePrepareSleep()
		push	36h
		pop	ecx
		call	PopCheckpointSystemSleep
		xor	edx, edx
		mov	dword ptr [esi+10h], 0Dh
		mov	ecx, esi
		call	PopDispatchStateCallout
		call	_PopDiagTracePrepareSleepEnd@0 ; PopDiagTracePrepareSleepEnd()
		push	37h
		pop	ecx
		pop	esi
		jmp	PopCheckpointSystemSleep
_PopPrepareSleep@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorDiagTraceHandleIntent(x, x, x, x,	x, x)
_PopPowerAggregatorDiagTraceHandleIntent@24 proc near
					; CODE XREF: PopPowerAggregatorRecordIntent+1Ep

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_68], ecx
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_4]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_6C], edx
		xor	edx, edx
		push	eax
		push	6
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	ecx, offset _POP_ETW_EVENT_POWER_AGGREGATOR_HANDLE_INTENT
		mov	[ebp+var_8], edx
		pop	edx
		call	PopPowerAggregatorDiagTraceEvent
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PopPowerAggregatorDiagTraceHandleIntent@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopSetPowerActionWatchdogState proc near ; CODE	XREF: PAGELK:0071F8C5p
					; PopIssueActionRequest+89p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DE93A SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		cmp	edi, 2
		ja	loc_552FBE
		cmp	edi, 1
		jz	loc_552FC3

loc_552F0D:				; CODE XREF: PopSetPowerActionWatchdogState+D8j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	esi, offset dword_6C27CC
		mov	ecx, esi
		mov	[ebp+var_1], bl
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, dword_6C281C
		cmp	ecx, edi
		jz	short loc_552FA4
		xor	esi, esi
		test	ecx, ecx
		jz	short loc_552F58
		push	offset unk_6C27F0
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jz	loc_5DE93A
		mov	dword_6C2820, esi
		mov	dword_6C2824, esi
		mov	dword_6C281C, esi

loc_552F58:				; CODE XREF: PopSetPowerActionWatchdogState+42j
		test	edi, edi
		jz	short loc_552F9F
		mov	ecx, edi
		call	_PopGetPowerActionWatchdogTimeout@4 ; PopGetPowerActionWatchdogTimeout(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_552F9C
		call	KeQueryInterruptTime
		mov	dword_6C2824, edx
		mov	ecx, offset unk_6C27F0
		mov	dword_6C2820, eax
		mov	edx, 0FF676980h
		mov	eax, ebx
		mov	dword_6C281C, edi
		imul	edx
		push	edx
		push	eax
		push	offset unk_6C27D0
		push	esi
		xor	edx, edx
		call	KiSetTimerEx

loc_552F9C:				; CODE XREF: PopSetPowerActionWatchdogState+77j
		mov	bl, [ebp+var_1]

loc_552F9F:				; CODE XREF: PopSetPowerActionWatchdogState+6Aj
		mov	esi, offset dword_6C27CC

loc_552FA4:				; CODE XREF: PopSetPowerActionWatchdogState+3Cj
		test	ds:byte_70EFC6,	1
		jnz	loc_5DE945
		xor	eax, eax
		lock and [esi],	eax

loc_552FB6:				; CODE XREF: PopSetPowerActionWatchdogState+8BA5Fj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_552FBE:				; CODE XREF: PopSetPowerActionWatchdogState+Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_552FC3:				; CODE XREF: PopSetPowerActionWatchdogState+17j
		call	_PopUpdatePowerActionWatchdogTimeouts@0	; PopUpdatePowerActionWatchdogTimeouts()
		jmp	loc_552F0D
PopSetPowerActionWatchdogState endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopGetPowerActionWatchdogTimeout(x)
_PopGetPowerActionWatchdogTimeout@4 proc near
					; CODE XREF: PopSetPowerActionWatchdogState+6Ep
		cmp	ecx, 1
		jnz	short loc_552FDC
		mov	ecx, ds:_PopPowerActionTransitioningWatchdogTimeout

loc_552FD9:				; CODE XREF: PopGetPowerActionWatchdogTimeout(x)+1Dj
		mov	eax, ecx
		retn
; 

loc_552FDC:				; CODE XREF: PopGetPowerActionWatchdogTimeout(x)+3j
		sub	ecx, 2
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, ds:_PopPowerActionResumingWatchdogTimeout
		jmp	short loc_552FD9
_PopGetPowerActionWatchdogTimeout@4 endp

; 
		align 10h
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 


; __stdcall PopSetPowerActionState(x)
_PopSetPowerActionState@4 proc near	; CODE XREF: PAGELK:0071EC82p
					; PAGELK:0071FB01p ...
		mov	edi, edi
		push	ecx
		cmp	byte_6C26C1, cl
		jz	short loc_55300F
		push	5
		mov	byte_6C26C1, cl
		test	cl, cl
		pop	ecx
		jz	short loc_553011
		call	PopDeepSleepSetDisengageReason

loc_55300F:				; CODE XREF: PopSetPowerActionState(x)+9j
		pop	ecx
		retn
; 

loc_553011:				; CODE XREF: PopSetPowerActionState(x)+16j
		call	PopDeepSleepClearDisengageReason
		pop	ecx
		retn
_PopSetPowerActionState@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopGetMonitorReasonFromPowerEventId(x)
_PopGetMonitorReasonFromPowerEventId@4 proc near
					; CODE XREF: PopSleepstudyStartNextSession+FBp
					; PopPowerAggregatorActiveToScreenOffStateHandler(x)+6Ap
		xor	edx, edx
		cmp	ecx, 2Dh
		jz	short loc_55303C
		mov	eax, edx

loc_553021:				; CODE XREF: PopGetMonitorReasonFromPowerEventId(x)+16j
		cmp	ds:dword_705CA4[eax*8],	ecx
		jz	short loc_553032
		inc	eax
		cmp	eax, 33h
		jb	short loc_553021
		jmp	short loc_553039
; 

loc_553032:				; CODE XREF: PopGetMonitorReasonFromPowerEventId(x)+10j
		mov	edx, ds:_PopMonitorEventMapping[eax*8]

loc_553039:				; CODE XREF: PopGetMonitorReasonFromPowerEventId(x)+18j
					; PopGetMonitorReasonFromPowerEventId(x)+27j
		mov	eax, edx
		retn
; 

loc_55303C:				; CODE XREF: PopGetMonitorReasonFromPowerEventId(x)+5j
		push	14h
		pop	edx
		jmp	short loc_553039
_PopGetMonitorReasonFromPowerEventId@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpServiceMainThreadUnboost proc near	; CODE XREF: PfPowerActionNotify+140p
					; DATA XREF: PfpPowerActionDpcRoutine+885EBo

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DE954 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset unk_6D48B0
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	loc_5DE954

loc_553069:				; CODE XREF: PfpServiceMainThreadUnboost+8B921j
		mov	esi, dword_6D48A8
		test	esi, esi
		jz	short loc_553086
		push	dword_6D48AC
		and	dword_6D48A8, 0
		push	esi
		call	KeSetActualBasePriorityThread

loc_553086:				; CODE XREF: PfpServiceMainThreadUnboost+2Fj
					; PfpServiceMainThreadUnboost+8B91Bj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset unk_6D48B0
		jnz	loc_5DE968
		xor	eax, eax
		lock and [ecx],	eax

loc_55309D:				; CODE XREF: PfpServiceMainThreadUnboost+8B92Ej
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_5530B4
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag

loc_5530B4:				; CODE XREF: PfpServiceMainThreadUnboost+65j
		test	edi, edi
		jnz	loc_5DE975

loc_5530BC:				; CODE XREF: PfpServiceMainThreadUnboost+8B93Bj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
PfpServiceMainThreadUnboost endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUmpoSendFlushSleepStudyLoggerNotification()
_PopUmpoSendFlushSleepStudyLoggerNotification@0	proc near ; CODE XREF: PAGELK:0071F014p

var_44		= dword	ptr -44h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	dword_6C2858, eax
		mov	dword_6C285C, edx
		call	_PopDiagTraceFlushSleepStudyLogger@0 ; PopDiagTraceFlushSleepStudyLogger()
		push	44h		; size_t
		lea	eax, [ebp+var_44]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_44], 0Dh
		lea	ecx, [ebp+var_44]
		push	1
		push	44h
		pop	edx
		call	PopUmpoSendPowerMessage
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	dword_6C2860, eax
		mov	dword_6C2864, edx
		call	_PopDiagTraceFlushSleepStudyLoggerEnd@0	; PopDiagTraceFlushSleepStudyLoggerEnd()
		leave
		retn
_PopUmpoSendFlushSleepStudyLoggerNotification@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoPowerOffMonitor()
_PoPowerOffMonitor@0 proc near		; CODE XREF: NtPowerInformation+1332p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+20h+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+28h+var_1C]
		rep stosd
		lea	ecx, [esp+28h+var_1C]
		mov	[esp+28h+var_14], 1
		call	PoBlockConsoleSwitch
		lea	ecx, [esp+28h+var_1C]
		mov	[esp+28h+var_20], eax
		call	_PoStartPowerStateTasks@4 ; PoStartPowerStateTasks(x)
		lea	edx, [esp+28h+var_20]
		mov	[esp+28h+var_C], 0Ch
		lea	ecx, [esp+28h+var_1C]
		call	PopDispatchStateCallout
		lea	ecx, [esp+28h+var_1C]
		mov	esi, eax
		call	_PoEndPowerStateTasks@4	; PoEndPowerStateTasks(x)
		mov	edx, [esp+28h+var_20]
		lea	ecx, [esp+28h+var_1C]
		call	_PoUnblockConsoleSwitch@8 ; PoUnblockConsoleSwitch(x,x)
		mov	ecx, [esp+28h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PoPowerOffMonitor@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerTransitionTimesInMs(x, x, x, x, x, x)
_PopPowerTransitionTimesInMs@24	proc near ; CODE XREF: PopDiagTracePowerTransitionTime()+92p
					; PopCalculateWakeTimeAdjustment()+27p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	[ebp+var_8], edx
		mov	dl, 1
		mov	[ebp+var_4], ecx
		mov	ecx, large fs:20h
		push	edi
		call	_KeQueryCycleCounterFrequency@8	; KeQueryCycleCounterFrequency(x,x)
		mov	esi, eax
		mov	ecx, 3E8h
		mov	eax, edx
		mul	ecx
		mov	edi, eax
		mov	eax, esi
		mov	esi, [ebp+var_4]
		mul	ecx
		add	edi, edx
		mov	ebx, eax
		test	esi, esi
		jz	short loc_5531F0
		mov	edx, offset dword_6C2850
		mov	ecx, offset dword_6C2848
		call	PopQpcTimeInMs
		mov	[esi], eax

loc_5531F0:				; CODE XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+39j
		mov	esi, [ebp+var_8]
		test	esi, esi
		jz	short loc_553208
		mov	edx, offset dword_6C2870
		mov	ecx, offset dword_6C2868
		call	PopQpcTimeInMs
		mov	[esi], eax

loc_553208:				; CODE XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+51j
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_553237
		and	[ebp+var_10], 0
		lea	ecx, [ebp+var_10]
		and	[ebp+var_C], 0
		mov	edx, offset dword_6C2888
		call	PopQpcTimeInMs
		mov	[esi], eax
		cmp	dword_6C2A90, 0
		jz	short loc_553237
		add	eax, dword_6C2908
		mov	[esi], eax

loc_553237:				; CODE XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+69j
					; PopPowerTransitionTimesInMs(x,x,x,x,x,x)+89j
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_553253
		push	edi
		push	ebx
		push	dword_6C28D4
		push	dword_6C28D0
		call	__aulldiv
		mov	[esi], eax

loc_553253:				; CODE XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+98j
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_55327C
		mov	ecx, dword_6C2940
		add	ecx, dword_6C2A08
		mov	eax, dword_6C2944
		adc	eax, dword_6C2A0C
		push	edi
		push	ebx
		push	eax
		push	ecx
		call	__aulldiv
		mov	[esi], eax

loc_55327C:				; CODE XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+B4j
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	short loc_553298
		push	edi
		push	ebx
		push	dword_6C28B4
		push	dword_6C28B0
		call	__aulldiv
		mov	[esi], eax

loc_553298:				; CODE XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+DDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PopPowerTransitionTimesInMs@24	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PopGetTransitionsToOnCount()
_PopGetTransitionsToOnCount@0 proc near	; CODE XREF: PopSetSleepMarker(x)+7p
					; PopSetSleepMarker(x)+15p
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopTelemetryOsState
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	esi, dword_6C1F60
		mov	dword_6C1F24, eax
		test	eax, eax
		jz	short loc_5532DA
		and	dword_6C1F24, 0

loc_5532DA:				; CODE XREF: PopGetTransitionsToOnCount()+31j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_PopGetTransitionsToOnCount@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall HvlMarkHiberPhase()
_HvlMarkHiberPhase@0 proc near		; CODE XREF: PopMarkComponentsBootPhase+110p
		cmp	ds:_HvlHypervisorConnected, 0
		jnz	_HvlpMarkHvlPagesForHibernation@0 ; HvlpMarkHvlPagesForHibernation()
		retn
_HvlMarkHiberPhase@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopRunNormalIrpWorkers()
_PopRunNormalIrpWorkers@0 proc near	; CODE XREF: PopUnlockAfterSleepWorker(x)+28p
		mov	edi, edi
		push	esi
		mov	esi, offset _PopIrpWorkerMutex
		mov	ecx, esi
		call	ExAcquireFastMutex
		mov	ecx, esi
		mov	_PopCreateIrpWorkerAllowed, 1
		pop	esi
		jmp	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
_PopRunNormalIrpWorkers@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall RtlMarkHiberPhase()
_RtlMarkHiberPhase@0 proc near		; CODE XREF: PopMarkComponentsBootPhase+10Bp
		push	73727058h
		push	600h
		push	offset _XpressHashFunction
		push	10000h
		push	0
		call	PoSetHiberRange
		push	73727058h
		push	100h
		push	offset _XpressHighBitIndexTable
		push	10000h
		push	0
		call	PoSetHiberRange
		retn
_RtlMarkHiberPhase@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KeSetTargetProcessorIndexDpc(x, x)
_KeSetTargetProcessorIndexDpc@8	proc near ; CODE XREF: PAGELK:00720B76p
		mov	eax, [ecx+1Ch]
		test	eax, eax
		jnz	short locret_553366
		lea	eax, [edx+20h]
		mov	[ecx+2], ax

locret_553366:				; CODE XREF: KeSetTargetProcessorIndexDpc(x,x)+5j
		retn
_KeSetTargetProcessorIndexDpc@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoGetDumpHiberRanges proc near		; CODE XREF: PopSaveHiberContext+200p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DE982 SIZE 00000072 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		test	esi, esi
		jz	loc_553400
		mov	ecx, [esi+0C8h]
		test	ecx, ecx
		jz	short loc_553400
		cmp	byte ptr [esi+0CCh], 0
		mov	ebx, 10000h
		jnz	loc_5DE982
		mov	eax, [ecx]
		sub	eax, 2
		cmp	eax, 2
		ja	short loc_553405
		mov	eax, [ecx+4]
		sub	eax, 20h
		cmp	eax, 24h
		ja	short loc_553405
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jnz	loc_5DE9D4

loc_5533B8:				; CODE XREF: IoGetDumpHiberRanges+A2j
					; IoGetDumpHiberRanges+8B667j ...
		mov	eax, _CrashdmpImageBase
		test	eax, eax
		jz	short loc_5533DD
		push	eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		push	676D4944h
		push	dword ptr [eax+50h]
		push	_CrashdmpImageBase
		push	ebx
		push	0
		call	PoSetHiberRange

loc_5533DD:				; CODE XREF: IoGetDumpHiberRanges+57j
		lea	edi, [esi+0D8h]
		mov	esi, [edi]
		jmp	short loc_5533FC
; 

loc_5533E7:				; CODE XREF: IoGetDumpHiberRanges+96j
		push	676D4944h
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	ebx
		push	0
		call	PoSetHiberRange
		mov	esi, [esi]

loc_5533FC:				; CODE XREF: IoGetDumpHiberRanges+7Dj
		cmp	esi, edi
		jnz	short loc_5533E7

loc_553400:				; CODE XREF: IoGetDumpHiberRanges+Ej
					; IoGetDumpHiberRanges+1Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_553405:				; CODE XREF: IoGetDumpHiberRanges+38j
					; IoGetDumpHiberRanges+43j
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jz	short loc_5533B8
		jmp	loc_5DE9DE
IoGetDumpHiberRanges endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMarkKernelPageTablePte(x,	x, x)
_MiMarkKernelPageTablePte@12 proc near	; DATA XREF: MiMarkKernelPageTablePages()+24o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_4]
		push	esi
		xor	esi, esi
		mov	ecx, [eax]
		nop
		mov	edx, [eax+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, esi
		jz	short loc_553457
		mov	eax, ecx
		and	eax, 80h
		or	eax, esi
		jnz	short loc_553457
		nop
		push	706B6D4Dh
		shrd	ecx, edx, 0Ch
		push	1
		and	ecx, 1FFFFFFh
		push	ecx
		push	14000h
		push	esi
		call	PoSetHiberRange

loc_553457:				; CODE XREF: MiMarkKernelPageTablePte(x,x,x)+1Aj
					; MiMarkKernelPageTablePte(x,x,x)+25j
		xor	eax, eax
		pop	esi
		leave
		retn	0Ch
_MiMarkKernelPageTablePte@12 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1722. PoSetHiberRange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoSetHiberRange
PoSetHiberRange	proc near		; CODE XREF: RtlMarkHiberPhase()+16p
					; RtlMarkHiberPhase()+31p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005DE9F4 SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, _KiBugCheckActive
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+24h+var_14], esi
		push	edi
		mov	edi, [ebp+arg_0]
		test	al, 3
		jnz	loc_5535AA
		mov	ecx, [ebp+arg_C]
		test	edi, edi
		jnz	loc_5535C5
		mov	edi, dword_6C26F8
		mov	[ebp+arg_0], edi
		test	edi, edi
		jz	loc_5DE9F4
		mov	eax, [edi+7Ch]
		cmp	eax, 8
		jnz	loc_5535DE
		mov	ebx, [ebp+arg_4]
		mov	edx, 10000h
		mov	eax, ebx
		mov	[esp+28h+var_18], ebx
		and	eax, 0FFFFBFFFh
		cmp	eax, edx
		jnz	loc_5DEA16
		test	ecx, ecx
		jz	loc_5535E8

loc_5534D3:				; CODE XREF: PoSetHiberRange+18Aj
		mov	eax, ebx
		and	eax, edx

loc_5534D7:				; CODE XREF: PoSetHiberRange+16Fj
		test	ecx, ecx
		jz	loc_5535F9

loc_5534DF:				; CODE XREF: PoSetHiberRange+8B5D2j
		test	bl, 4
		jnz	loc_5DEA3B

loc_5534E8:				; CODE XREF: PoSetHiberRange+8B5E1j
		test	ebx, 4000h
		jnz	loc_553594
		mov	eax, [ebp+arg_8]
		mov	esi, eax
		add	eax, 0FFFh
		shr	esi, 0Ch
		add	eax, ecx
		shr	eax, 0Ch
		mov	[esp+28h+var_14], eax
		cmp	esi, eax

loc_55350C:				; CODE XREF: PoSetHiberRange+12Bj
		mov	[esp+28h+var_C], esi
		jnb	loc_5535AA
		mov	eax, esi
		shl	eax, 0Ch
		push	eax
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		shrd	eax, edx, 0Ch
		lea	ecx, [esi+1]
		mov	[esp+28h+var_10], eax
		xor	eax, eax
		inc	eax
		mov	[esp+28h+var_8], ecx
		mov	[esp+28h+var_1C], eax
		cmp	ecx, [esp+28h+var_14]
		jnb	short loc_553576
		mov	eax, [esp+28h+var_10]
		lea	ebx, [esi+1]
		mov	edi, [esp+28h+var_14]
		shl	ebx, 0Ch
		sub	eax, esi
		mov	[esp+28h+var_4], eax
		mov	esi, ecx

loc_553553:				; CODE XREF: PoSetHiberRange+15Dj
		push	ebx
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	ecx, [esp+28h+var_4]
		shrd	eax, edx, 0Ch
		add	ecx, esi
		cmp	ecx, eax
		mov	eax, [esp+28h+var_1C]
		jz	short loc_5535B3

loc_55356B:				; CODE XREF: PoSetHiberRange+15Fj
		mov	ebx, [esp+28h+var_18]
		mov	esi, [esp+28h+var_C]
		mov	edi, [ebp+arg_0]

loc_553576:				; CODE XREF: PoSetHiberRange+D7j
		push	[ebp+arg_10]
		mov	edx, ebx
		mov	ecx, edi
		push	eax
		push	[esp+30h+var_10]
		call	PopSetRange
		add	esi, [esp+28h+var_1C]
		cmp	esi, [esp+28h+var_14]
		jmp	loc_55350C
; 

loc_553594:				; CODE XREF: PoSetHiberRange+8Aj
		push	[ebp+arg_10]
		and	ebx, 0FFFFBFFFh
		push	ecx
		push	[ebp+arg_8]
		mov	edx, ebx
		mov	ecx, edi
		call	PopSetRange

loc_5535AA:				; CODE XREF: PoSetHiberRange+1Ej
					; PoSetHiberRange+ACj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_5535B3:				; CODE XREF: PoSetHiberRange+105j
		inc	eax
		add	ebx, 1000h
		inc	esi
		mov	[esp+28h+var_1C], eax
		cmp	esi, edi
		jb	short loc_553553
		jmp	short loc_55356B
; 

loc_5535C5:				; CODE XREF: PoSetHiberRange+29j
		mov	ebx, [ebp+arg_4]
		mov	eax, ebx
		mov	[esp+28h+var_18], ebx
		and	eax, 10000h
		jz	loc_5534D7
		jmp	loc_5DEA16
; 

loc_5535DE:				; CODE XREF: PoSetHiberRange+46j
		cmp	eax, 9
		jz	short loc_5535AA
		jmp	loc_5DE9F8
; 

loc_5535E8:				; CODE XREF: PoSetHiberRange+69j
		test	ebx, 4000h
		jz	loc_5534D3
		jmp	loc_5DEA16
; 

loc_5535F9:				; CODE XREF: PoSetHiberRange+75j
		mov	ecx, [ebp+arg_8]
		test	eax, eax
		jz	loc_5DEA21
		call	_MmMarkImageForHiberPhase@4 ; MmMarkImageForHiberPhase(x)
		jmp	short loc_5535AA
PoSetHiberRange	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopSetRange	proc near		; CODE XREF: PoSetHiberRange+11Ep
					; PoSetHiberRange+141p

var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005DEA4A SIZE 00000058 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+1Ch], 0
		jnz	loc_5DEA4A
		test	edx, 8000h
		jnz	short loc_553648
		test	dl, 2
		jnz	short loc_553656
		test	edx, 10000h
		jz	loc_5DEA62
		mov	edx, [ebp+arg_0]
		push	ecx
		push	[ebp+arg_4]
		call	_PopSetBootPhaseRange@16 ; PopSetBootPhaseRange(x,x,x,x)

loc_553643:				; CODE XREF: PopSetRange+48j
					; PopSetRange+58j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_553648:				; CODE XREF: PopSetRange+18j
		mov	edx, [ebp+arg_0]
		push	ecx
		push	[ebp+arg_4]
		call	_PopDiscardRange@16 ; PopDiscardRange(x,x,x,x)
		jmp	short loc_553643
; 

loc_553656:				; CODE XREF: PopSetRange+1Dj
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_4]
		call	PopCloneRange
		jmp	short loc_553643
PopSetRange	endp


;  S U B	R O U T	I N E 


; __stdcall MiIsPfnTradable(x)
_MiIsPfnTradable@4 proc	near		; CODE XREF: MiMarkNonPagedHiberPhasePte+85p
					; MiInSwapPageDirectories(x,x)+8Cp
		movzx	eax, byte ptr [ecx]
		and	eax, 1
		retn
_MiIsPfnTradable@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1418. MmIsAddressValid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmIsAddressValid(x)
		public _MmIsAddressValid@4
_MmIsAddressValid@4 proc near		; CODE XREF: PopMarkComponentsBootPhase+62p
					; PopMarkComponentsBootPhase+86p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	MmIsAddressValidEx
		pop	ebp
		retn	4
_MmIsAddressValid@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopGenerateMdl(x)
_PopGenerateMdl@4 proc near		; CODE XREF: PopAllocatePages+9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	0Dh
		rdtsc
		push	1
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	ebx, eax
		xor	ecx, ecx
		mov	eax, edi
		shl	eax, 0Ch
		push	eax
		push	ecx
		push	ecx
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	ecx
		push	ecx
		call	_MmAllocatePagesForMdlEx@36 ; MmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_5536D6
		mov	ecx, dword_6C26F8
		mov	ecx, [ecx+58h]
		mov	[esi], ecx
		mov	ecx, dword_6C26F8
		mov	[ecx+58h], esi
		mov	ecx, dword_6C26F8
		add	[ecx+60h], edi
		adc	dword ptr [ecx+64h], 0

loc_5536D6:				; CODE XREF: PopGenerateMdl(x)+2Fj
		rdtsc
		sub	eax, ebx
		pop	edi
		sbb	edx, [ebp+var_4]
		add	dword_6C28C8, eax
		mov	eax, esi
		pop	esi
		adc	dword_6C28CC, edx
		pop	ebx
		leave
		retn
_PopGenerateMdl@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiLockAllMemoryLists()
_MiLockAllMemoryLists@0	proc near	; CODE XREF: MmDuplicateMemory(x):loc_7208DBp
		xor	edx, edx
		mov	ecx, offset MiLockMemoryLists
		inc	edx
		call	MiIterateOverPartitions
		push	offset unk_6D2FA8
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		push	offset unk_6D2FA0
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		retn
_MiLockAllMemoryLists@0	endp


;  S U B	R O U T	I N E 


; __stdcall MiUnlockAllMemoryLists()
_MiUnlockAllMemoryLists@0 proc near	; CODE XREF: MmDuplicateMemory(x)+2D4p
		mov	edi, edi
		push	ecx
		push	offset unk_6D2FA0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		push	offset unk_6D2FA8
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		xor	edx, edx
		mov	ecx, offset MiLockMemoryLists
		call	MiIterateOverPartitions
		pop	ecx
		retn
_MiUnlockAllMemoryLists@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiResumeFromHibernate(x)
_MiResumeFromHibernate@4 proc near	; CODE XREF: MmDuplicateMemory(x)+284p
		mov	edx, ecx
		mov	ecx, offset _MiResumeMarkPageLists@8 ; MiResumeMarkPageLists(x,x)
		jmp	$+5
_MiResumeFromHibernate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiIterateOverPartitions	proc near	; CODE XREF: MiLockAllMemoryLists()+8p
					; MiUnlockAllMemoryLists()+1Ep	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		xor	ebx, ebx
		mov	[ebp+var_14], ecx

loc_553757:				; CODE XREF: MiIterateOverPartitions+9Bj
					; MiIterateOverPartitions+A8j
		mov	eax, dword_6D3008
		mov	edx, [eax]
		cmp	ebx, edx
		mov	ecx, [eax+4]
		sbb	edi, edi
		mov	[ebp+var_4], edx
		and	edi, ebx
		mov	[ebp+var_8], ecx
		lea	esi, [edx-1]

loc_553770:				; CODE XREF: PopSetRange+8B491j
		and	[ebp+var_C], 0
		mov	eax, esi
		sub	eax, edi
		inc	eax
		cmp	eax, 1
		jb	loc_5DEA83
		mov	eax, esi
		xor	edx, edx
		shr	eax, 5
		inc	edx
		lea	eax, [ecx+eax*4]
		mov	ecx, edi
		mov	[ebp+var_C], eax
		and	ecx, 1Fh
		shl	edx, cl
		mov	eax, edi
		mov	ecx, [ebp+var_8]
		dec	edx
		shr	eax, 5
		lea	ecx, [ecx+eax*4]
		mov	eax, [ecx]
		not	eax
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5537F6

loc_5537AE:				; CODE XREF: MiIterateOverPartitions+C5j
		sub	ecx, [ebp+var_8]
		not	eax
		bsf	eax, eax
		sar	ecx, 2
		shl	ecx, 5
		add	ecx, eax
		cmp	ecx, esi
		ja	short loc_55380B
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_55380E

loc_5537C7:				; CODE XREF: PopSetRange+8B47Cj
		cmp	ecx, ebx
		jb	short loc_5537F1
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_5537F1
		mov	eax, dword_6D3018
		lea	ebx, [ecx+1]
		mov	eax, [eax+ecx*4]
		test	byte ptr [eax+4], 2
		jz	loc_553757
		push	[ebp+var_10]
		push	eax
		call	[ebp+var_14]
		jmp	loc_553757
; 

loc_5537F1:				; CODE XREF: MiIterateOverPartitions+85j
					; MiIterateOverPartitions+8Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5537F6:				; CODE XREF: MiIterateOverPartitions+68j
		mov	edx, [ebp+var_C]

loc_5537F9:				; CODE XREF: MiIterateOverPartitions+C3j
		add	ecx, 4
		cmp	ecx, edx
		ja	short loc_55380B
		mov	eax, [ecx]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5537F9
		jmp	short loc_5537AE
; 

loc_55380B:				; CODE XREF: MiIterateOverPartitions+7Cj
					; MiIterateOverPartitions+BAj
		or	ecx, 0FFFFFFFFh

loc_55380E:				; CODE XREF: MiIterateOverPartitions+81j
		mov	edx, [ebp+var_4]
		jmp	loc_5DEA86
MiIterateOverPartitions	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockMemoryLists proc near		; DATA XREF: MiLockAllMemoryLists()+2o
					; MiUnlockAllMemoryLists()+19o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DEAA2 SIZE 000000D8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		cmp	[ebp+arg_4], 0
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [esi+0AC0h]
		mov	[ebp+var_4], edi
		jnz	short loc_5538B0
		mov	edx, dword_6D06D4
		xor	esi, esi
		movzx	ecx, ds:_KeNumberNodes
		mov	[ebp+arg_0], esi
		lea	eax, ds:0Fh[edx*2]
		add	eax, ecx
		jz	short loc_5538AA

loc_55384F:				; CODE XREF: MiLockMemoryLists+92j
		lea	eax, ds:0Eh[edx*2]
		sub	eax, esi
		add	eax, ecx
		imul	esi, eax, 0Ch
		add	esi, edi
		test	ds:byte_70EFC6,	1
		jnz	loc_5DEAA2
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5DEAB8
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5DEAB1

loc_553889:				; CODE XREF: MiLockMemoryLists+8B296j
					; MiLockMemoryLists+8B2B1j
		mov	edx, dword_6D06D4
		mov	esi, [ebp+arg_0]
		movzx	ecx, ds:_KeNumberNodes
		inc	esi
		mov	[ebp+arg_0], esi
		lea	eax, ds:0Fh[edx*2]
		add	eax, ecx
		cmp	esi, eax
		jb	short loc_55384F

loc_5538AA:				; CODE XREF: MiLockMemoryLists+37j
					; MiLockMemoryLists+297j ...
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_5538B0:				; CODE XREF: MiLockMemoryLists+1Aj
		and	dword ptr [edi], 0
		lea	eax, [esi+910h]
		mov	[edi+4], eax
		test	ds:byte_70EFC6,	21h
		jnz	loc_5DEACC
		mov	edx, edi
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_5DEADA

loc_5538D5:				; CODE XREF: MiLockMemoryLists+8B2BFj
					; MiLockMemoryLists+8B2CBj
		xor	ecx, ecx
		mov	[ebp+var_C], 4
		lea	eax, [esi+540h]
		inc	ecx
		push	2
		pop	esi
		mov	[ebp+arg_4], ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], esi

loc_5538F1:				; CODE XREF: MiLockMemoryLists+13Fj
		and	[ebp+var_8], 0
		cmp	dword_6D06D4, 0
		mov	edx, [eax]
		jz	short loc_553946
		imul	esi, ecx, 0Ch
		add	esi, edi
		lea	edi, [edx+10h]

loc_553908:				; CODE XREF: MiLockMemoryLists+128j
		and	dword ptr [esi], 0
		mov	[esi+4], edi
		test	ds:byte_70EFC6,	21h
		jnz	loc_5DEAE6
		mov	edx, esi
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_5DEAF1

loc_553927:				; CODE XREF: MiLockMemoryLists+8B2E5j
		mov	edx, [ebp+var_8]
		inc	ecx
		add	esi, 0Ch
		mov	[ebp+arg_4], ecx
		inc	edx
		add	edi, 14h
		mov	[ebp+var_8], edx
		cmp	edx, dword_6D06D4
		jb	short loc_553908
		mov	edi, [ebp+var_4]
		mov	esi, [ebp+var_14]

loc_553946:				; CODE XREF: MiLockMemoryLists+E8j
		mov	eax, [ebp+var_10]
		add	eax, 4
		sub	esi, 1
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], esi
		jnz	short loc_5538F1
		imul	esi, ecx, 0Ch
		push	8
		pop	edx
		push	edx
		mov	[ebp+var_8], edx
		add	esi, edi
		mov	edi, [ebp+arg_0]
		add	edi, 650h
		add	ecx, edx
		mov	[ebp+arg_4], ecx
		pop	eax

loc_553972:				; CODE XREF: MiLockMemoryLists+187j
		and	dword ptr [esi], 0
		mov	[esi+4], edi
		test	ds:byte_70EFC6,	21h
		jnz	loc_5DEB00
		mov	edx, esi
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_5DEB0B

loc_553991:				; CODE XREF: MiLockMemoryLists+8B2FFj
		add	edi, 14h
		add	esi, 0Ch
		sub	eax, 1
		mov	[ebp+var_8], eax
		jnz	short loc_553972
		imul	ecx, [ebp+arg_4], arg_4
		mov	edi, [ebp+var_4]
		mov	eax, [ebp+arg_0]
		add	eax, 10D0h
		add	ecx, edi
		and	dword ptr [ecx], 0
		mov	[ecx+4], eax
		test	ds:byte_70EFC6,	21h
		jnz	loc_5DEB1A
		mov	edx, ecx
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_5DEB26

loc_5539CF:				; CODE XREF: MiLockMemoryLists+8B30Bj
					; MiLockMemoryLists+8B315j
		mov	ecx, [ebp+arg_4]
		push	4
		lea	eax, [ecx+1]
		imul	esi, eax, 0Ch
		lea	eax, [ecx+5]
		mov	[ebp+arg_4], eax
		pop	eax
		add	esi, edi
		mov	edi, [ebp+arg_0]
		add	edi, 890h

loc_5539EC:				; CODE XREF: MiLockMemoryLists+201j
		and	dword ptr [esi], 0
		mov	[esi+4], edi
		test	ds:byte_70EFC6,	21h
		jnz	loc_5DEB30
		mov	edx, esi
		xchg	edx, [edi]
		test	edx, edx
		jnz	loc_5DEB3B

loc_553A0B:				; CODE XREF: MiLockMemoryLists+8B32Fj
		add	edi, 14h
		add	esi, 0Ch
		sub	eax, 1
		mov	[ebp+var_C], eax
		jnz	short loc_5539EC
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	edi, [ebp+var_4]
		xor	esi, esi
		cmp	dx, ds:_KeNumberNodes
		mov	edx, [ebp+arg_4]
		mov	ecx, [eax+10h]
		jnb	short loc_553A8A
		imul	edi, edx, 0Ch
		lea	eax, [ecx+204h]
		mov	[ebp+var_8], eax
		mov	[ebp+arg_4], edx
		add	edi, [ebp+var_4]

loc_553A44:				; CODE XREF: MiLockMemoryLists+26Cj
		and	dword ptr [edi], 0
		mov	[edi+4], eax
		test	ds:byte_70EFC6,	21h
		jnz	loc_5DEB4A
		mov	edx, edi
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_5DEB55

loc_553A63:				; CODE XREF: MiLockMemoryLists+8B349j
		mov	edx, [ebp+arg_4]
		add	eax, 280h
		inc	edx
		mov	[ebp+var_8], eax
		movzx	eax, ds:_KeNumberNodes
		add	edi, 0Ch
		inc	esi
		mov	[ebp+arg_4], edx
		cmp	esi, eax
		mov	eax, [ebp+var_8]
		jb	short loc_553A44
		mov	edi, [ebp+var_4]
		mov	eax, [ebp+arg_0]

loc_553A8A:				; CODE XREF: MiLockMemoryLists+21Aj
		imul	ecx, edx, 0Ch
		add	eax, 1110h
		add	ecx, edi
		and	dword ptr [ecx], 0
		mov	[ecx+4], eax
		test	ds:byte_70EFC6,	21h
		jnz	loc_5DEB64
		mov	edx, ecx
		xchg	edx, [eax]
		test	edx, edx
		jz	loc_5538AA
		jmp	loc_5DEB70
MiLockMemoryLists endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiResumeMarkPageLists(x, x)
_MiResumeMarkPageLists@8 proc near	; DATA XREF: MiResumeFromHibernate(x)+2o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_553ACD
		mov	[eax+0A30h], cl

loc_553ACD:				; CODE XREF: MiResumeMarkPageLists(x,x)+Dj
		mov	byte ptr [eax+0A31h], 1
		pop	ebp
		retn	8
_MiResumeMarkPageLists@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiMirrorReduceBlackWrites(x, x)
_MiMirrorReduceBlackWrites@8 proc near	; CODE XREF: MiMirrorBlackPhase(x)+50p
					; DATA XREF: MiMirrorBlackPhase(x)+59o

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		sub	esp, 8
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, [ebx+0Ch]
		mov	edx, 2
		push	esi
		push	edi
		mov	[ebp-4], edx
		mov	esi, [eax]
		mov	ecx, [eax+4]
		mov	eax, [eax+8]
		mov	[ebp-14h], esi
		mov	[ebp-24h], eax
		test	cl, 8
		jnz	short loc_553B23
		test	ecx, 400h
		jz	short loc_553B2B

loc_553B23:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+39j
		mov	edx, 1
		mov	[ebp-4], edx

loc_553B2B:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+41j
		mov	edi, [ebx+8]
		xor	esi, esi
		mov	dword ptr [ebp-18h], 0
		mov	[ebp-10h], esi
		lea	eax, [edi+640h]
		mov	[ebp-0Ch], eax

loc_553B43:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+213j
					; MiMirrorReduceBlackWrites(x,x)+23Dj ...
		cmp	edx, 1
		jg	short loc_553B57
		mov	eax, [edi+edx*4+540h]
		lea	ecx, [esi+esi*4]
		lea	edi, [eax+ecx*4]
		jmp	short loc_553B59
; 

loc_553B57:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+66j
		mov	edi, eax

loc_553B59:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+75j
		mov	edi, [edi+8]
		mov	[ebp-8], edi
		cmp	edi, offset loc_7FFFFF
		jz	loc_553CDE
		jmp	short loc_553B70
; 
		align 10h

loc_553B70:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+8Bj
					; MiMirrorReduceBlackWrites(x,x)+1F5j
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		lea	ecx, [eax+ecx*4]
		mov	[ebp-20h], ecx
		cmp	edx, 2
		jnz	loc_553C0A
		mov	eax, dword_6D3250
		cmp	edi, eax
		jb	short loc_553C0A
		add	eax, 800h
		cmp	edi, eax
		jnb	short loc_553C0A
		mov	eax, [ecx+8]
		mov	edx, [ecx+0Ch]
		mov	ecx, dword_6D0704
		mov	esi, dword_6D0700
		mov	[ebp-8], ecx
		mov	ecx, esi
		or	ecx, [ebp-8]
		jz	short loc_553BD0
		mov	ecx, eax
		and	ecx, 10h
		or	ecx, 0
		jnz	short loc_553BD0
		mov	ecx, [ebp-8]
		not	esi
		not	ecx
		and	eax, esi
		and	edx, ecx

loc_553BD0:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+D9j
					; MiMirrorReduceBlackWrites(x,x)+E3j
		shrd	eax, edx, 0Ch
		and	eax, 3FFFFFFh
		cmp	eax, edi
		jz	loc_553CC4

loc_553BE1:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+123j
		mov	ecx, ds:_MmPfnDatabase
		lea	edx, ds:0[eax*8]
		sub	edx, eax
		push	1
		lea	esi, [ecx+edx*4]
		mov	ecx, [ebp-14h]
		mov	edx, eax
		call	MiMirrorOmitPagesFromCopy
		mov	eax, [esi]
		cmp	eax, edi
		jnz	short loc_553BE1
		jmp	loc_553CC4
; 

loc_553C0A:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+A7j
					; MiMirrorReduceBlackWrites(x,x)+B4j ...
		mov	ecx, [ebp-8]
		mov	edi, 1
		mov	eax, dword_6D3068
		shr	ecx, 5
		lea	esi, [eax+ecx*4]
		mov	ecx, [ebp-8]
		and	ecx, 1Fh
		mov	[ebp-1Ch], ecx
		lea	eax, [ecx+1]
		cmp	eax, 20h
		ja	short loc_553C36
		mov	eax, edi
		shl	eax, cl
		not	eax
		jmp	short loc_553C7D
; 

loc_553C36:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+14Cj
		test	ecx, ecx
		jz	short loc_553C76
		mov	edx, 20h
		mov	eax, edi
		sub	edx, ecx
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [ebp-1Ch]
		dec	eax
		shl	eax, cl
		not	eax
		lock and [esi],	eax
		sub	edi, edx
		add	esi, 4
		cmp	edi, 20h
		jb	short loc_553C72
		mov	eax, edi
		shr	eax, 5

loc_553C61:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+190j
		mov	dword ptr [esi], 0
		sub	edi, 20h
		add	esi, 4
		sub	eax, 1
		jnz	short loc_553C61

loc_553C72:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+17Aj
		test	edi, edi
		jz	short loc_553C80

loc_553C76:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+158j
		or	eax, 0FFFFFFFFh
		mov	ecx, edi
		shl	eax, cl

loc_553C7D:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+154j
		lock and [esi],	eax

loc_553C80:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+194j
		mov	edi, [ebp-14h]
		mov	esi, [ebp-8]
		cmp	dword ptr [edi+0Ch], 0
		jz	short loc_553C99
		push	1
		push	esi
		push	offset dword_6D305C
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)

loc_553C99:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+1AAj
		test	byte ptr [edi+10h], 20h
		jz	short loc_553CC4
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	MiMapPageInHyperSpaceWorker
		push	0FFFFFFFEh
		mov	esi, eax
		push	1000h
		push	esi
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		push	0
		mov	dl, 21h
		mov	ecx, esi
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)

loc_553CC4:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+FBj
					; MiMirrorReduceBlackWrites(x,x)+125j ...
		mov	edi, [ebp-20h]
		mov	edx, [ebp-4]
		mov	edi, [edi]
		mov	[ebp-8], edi
		cmp	edi, offset loc_7FFFFF
		jnz	loc_553B70
		mov	esi, [ebp-10h]

loc_553CDE:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+85j
		cmp	edx, 1
		jg	short loc_553CFE
		mov	eax, [ebp-0Ch]
		inc	esi
		mov	edi, [ebx+8]
		mov	[ebp-10h], esi
		cmp	esi, dword_6D06D4
		jb	loc_553B43
		xor	esi, esi
		mov	[ebp-10h], esi

loc_553CFE:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+201j
		test	edx, edx
		jz	short loc_553D2F
		mov	eax, [ebp-0Ch]
		cmp	edx, 2
		jnz	short loc_553D23
		mov	ecx, [ebp-18h]
		add	eax, 14h
		mov	edi, [ebx+8]
		inc	ecx
		mov	[ebp-18h], ecx
		mov	[ebp-0Ch], eax
		cmp	ecx, [ebp-24h]
		jnz	loc_553B43

loc_553D23:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+228j
		mov	edi, [ebx+8]
		dec	edx
		mov	[ebp-4], edx
		jmp	loc_553B43
; 

loc_553D2F:				; CODE XREF: MiMirrorReduceBlackWrites(x,x)+220j
		mov	edx, [ebx+8]
		mov	ecx, [ebp-14h]
		push	1
		call	_MiMirrorNodeLargePages@12 ; MiMirrorNodeLargePages(x,x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_MiMirrorReduceBlackWrites@8 endp ; sp =  4

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMirrorNodeLargePages(x, x, x)
_MiMirrorNodeLargePages@12 proc	near	; CODE XREF: MiMirrorReduceBlackWrites(x,x)+257p
					; MiMirrorGatherBrownPages+8AD49p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_30], ecx
		push	esi
		mov	esi, [edx+10h]
		push	edi
		lea	edi, [ebp+var_40]
		mov	[ebp+var_1], 21h
		stosd
		mov	[ebp+var_28], esi
		stosd
		stosd
		movzx	eax, ds:_KeNumberNodes
		imul	eax, 280h
		add	eax, esi
		mov	[ebp+var_34], eax
		cmp	esi, eax
		jnb	loc_553F0F
		lea	ebx, [esi+204h]
		mov	[ebp+var_2C], ebx

loc_553D8B:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+1C1j
		cmp	[ebp+arg_0], 0
		jnz	short loc_553DC9
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	[ebp+var_40], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1], al
		mov	[ebp+var_3C], ebx
		jz	short loc_553DB8
		mov	edx, ebx
		lea	ecx, [ebp+var_40]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_553DC9
; 

loc_553DB8:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+62j
		lea	edx, [ebp+var_40]
		xchg	edx, [ebx]
		test	edx, edx
		jz	short loc_553DC9
		lea	ecx, [ebp+var_40]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_553DC9:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+47j
					; MiMirrorNodeLargePages(x,x,x)+6Ej ...
		mov	edx, esi
		xor	ebx, ebx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ebx

loc_553DD3:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+150j
		mov	eax, ds:_MiLargePageSizes[ebx]
		mov	[ebp+var_8], eax
		mov	eax, dword_6D0740[ebx]
		mov	ebx, eax
		push	58h
		mov	[ebp+var_1C], eax
		pop	edi

loc_553DEA:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+135j
		mov	[ebp+var_1C], 2

loc_553DF1:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+12Cj
		mov	eax, edi
		push	4
		mov	[ebp+var_18], eax
		pop	esi

loc_553DF9:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+123j
		mov	ecx, [edx+eax]
		mov	[ebp+var_10], ecx
		test	ebx, ebx
		jz	short loc_553E62
		mov	edx, ebx
		mov	[ebp+var_14], ebx

loc_553E08:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+112j
		mov	eax, [ecx]
		mov	[ebp+var_C], eax
		cmp	eax, ecx
		jz	short loc_553E4E

loc_553E11:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+101j
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+arg_0], 0
		jnz	short loc_553E2F
		mov	edx, [ebp+var_8]
		mov	ecx, eax
		call	MiMirrorAddPagesToBrownList
		jmp	short loc_553E3C
; 

loc_553E2F:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+D9j
		push	[ebp+var_8]
		mov	ecx, [ebp+var_30]
		mov	edx, eax
		call	MiMirrorOmitPagesFromCopy

loc_553E3C:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+E5j
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		mov	eax, [eax]
		mov	[ebp+var_C], eax
		cmp	eax, ecx
		jnz	short loc_553E11
		mov	edx, [ebp+var_14]

loc_553E4E:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+C7j
		add	ecx, 0Ch
		sub	edx, 1
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], edx
		jnz	short loc_553E08
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+var_24]

loc_553E62:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+B9j
		add	eax, 4
		mov	[ebp+var_18], eax
		sub	esi, 1
		jnz	short loc_553DF9
		add	edi, 10h
		sub	[ebp+var_1C], 1
		jnz	loc_553DF1
		cmp	edi, 78h
		jle	loc_553DEA
		mov	ebx, [ebp+var_20]
		add	edx, 98h
		add	ebx, 4
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ebx
		cmp	ebx, 8
		jb	loc_553DD3
		cmp	[ebp+arg_0], esi
		mov	esi, [ebp+var_28]
		jnz	short loc_553EF4
		test	ds:byte_70EFC6,	1
		jz	short loc_553EBC
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_40]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_553EEB
; 

loc_553EBC:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+165j
		mov	eax, [ebp+var_40]
		test	eax, eax
		jnz	short loc_553EDB
		mov	edx, [ebp+var_3C]
		lea	eax, [ebp+var_40]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_40]
		cmp	eax, ecx
		jz	short loc_553EEB
		call	KxWaitForLockChainValid

loc_553EDB:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+179j
		xor	ecx, ecx
		mov	[ebp+var_40], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_553EEB:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+172j
					; MiMirrorNodeLargePages(x,x,x)+18Cj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_553EF4:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+15Cj
		mov	ebx, [ebp+var_2C]
		mov	eax, 280h
		add	esi, eax
		add	ebx, eax
		mov	[ebp+var_28], esi
		mov	[ebp+var_2C], ebx
		cmp	esi, [ebp+var_34]
		jb	loc_553D8B

loc_553F0F:				; CODE XREF: MiMirrorNodeLargePages(x,x,x)+34j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiMirrorNodeLargePages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMirrorOmitPagesFromCopy proc near	; CODE XREF: MiMirrorReduceBlackWrites(x,x)+11Ap
					; MiMirrorNodeLargePages(x,x,x)+EFp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DEB7A SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, dword_6D3068
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		mov	esi, ebx
		and	edx, 1Fh
		shr	esi, 5
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		mov	[ebp+arg_0], edx
		lea	esi, [eax+esi*4]
		lea	eax, [edx+edi]
		cmp	eax, 20h
		ja	short loc_553F73
		cmp	edi, 20h
		jz	short loc_553FA1
		xor	eax, eax
		inc	eax
		shl	eax, cl
		mov	ecx, edx
		dec	eax
		shl	eax, cl
		not	eax

loc_553F56:				; CODE XREF: MiMirrorOmitPagesFromCopy+89j
		lock and [esi],	eax

loc_553F59:				; CODE XREF: MiMirrorOmitPagesFromCopy+82j
					; MiMirrorOmitPagesFromCopy+91j
		mov	esi, [ebp+var_4]
		cmp	dword ptr [esi+0Ch], 0
		jnz	loc_5DEB9E

loc_553F66:				; CODE XREF: MiMirrorOmitPagesFromCopy+8AC94j
		test	byte ptr [esi+10h], 20h
		jnz	short loc_553FA9

loc_553F6C:				; CODE XREF: MiMirrorOmitPagesFromCopy+95j
					; MiMirrorOmitPagesFromCopy+8ACC4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_553F73:				; CODE XREF: MiMirrorOmitPagesFromCopy+2Dj
		test	edx, edx
		jnz	loc_5DEB7A

loc_553F7B:				; CODE XREF: MiMirrorOmitPagesFromCopy+8AC83j
		cmp	ecx, 20h
		jb	short loc_553F96
		mov	eax, ecx
		shr	eax, 5

loc_553F85:				; CODE XREF: MiMirrorOmitPagesFromCopy+7Ej
		mov	dword ptr [esi], 0
		sub	ecx, 20h
		add	esi, 4
		sub	eax, 1
		jnz	short loc_553F85

loc_553F96:				; CODE XREF: MiMirrorOmitPagesFromCopy+68j
		test	ecx, ecx
		jz	short loc_553F59
		or	eax, 0FFFFFFFFh
		shl	eax, cl
		jmp	short loc_553F56
; 

loc_553FA1:				; CODE XREF: MiMirrorOmitPagesFromCopy+32j
		mov	dword ptr [esi], 0
		jmp	short loc_553F59
; 

loc_553FA9:				; CODE XREF: MiMirrorOmitPagesFromCopy+54j
		test	edi, edi
		jz	short loc_553F6C
		jmp	loc_5DEBAF
MiMirrorOmitPagesFromCopy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMirrorVerify	proc near		; CODE XREF: MmDuplicateMemory(x)+259p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DEBDF SIZE 00000234 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_10], 0
		mov	eax, ecx
		mov	[ebp+var_1C], eax
		cmp	dword ptr [eax+0Ch], 0
		jnz	short loc_553FCD
		xor	eax, eax
		leave
		retn
; 

loc_553FCD:				; CODE XREF: MiMirrorVerify+15j
		push	esi
		push	edi
		xor	esi, esi
		jmp	loc_5DEBDF
MiMirrorVerify	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMirrorPerformBrownWrites proc	near	; CODE XREF: MiMirrorBrownPhase(x)+A4p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DEE13 SIZE 000002EB BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	[ebp+var_38], ecx
		xor	ecx, ecx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_30], edx
		push	edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_10], esi
		mov	[ebp+var_18], ecx
		mov	[ebp+var_1C], ecx

loc_554008:				; CODE XREF: MiMirrorPerformBrownWrites+211j
		mov	eax, dword_6D305C
		cmp	esi, eax
		mov	edi, [ebp+var_10]
		sbb	edx, edx
		mov	[ebp+var_2C], eax
		and	edx, esi
		mov	esi, dword_6D3060
		lea	ecx, [eax-1]
		mov	[ebp+var_24], esi
		xor	eax, eax

loc_554027:				; CODE XREF: MiMirrorPerformBrownWrites+8AE5Fj
		mov	[ebp+var_28], eax
		mov	eax, ecx
		sub	eax, edx
		mov	[ebp+var_14], ecx
		inc	eax
		mov	[ebp+var_8], edx
		cmp	eax, 1
		jb	loc_5DEE13
		mov	eax, ecx
		mov	ecx, edx
		shr	eax, 5
		xor	edx, edx
		and	ecx, 1Fh
		inc	edx
		shl	edx, cl
		dec	edx
		lea	eax, [esi+eax*4]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_8]
		shr	eax, 5
		lea	esi, [esi+eax*4]
		mov	eax, [esi]
		not	eax
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_554232

loc_55406C:				; CODE XREF: MiMirrorPerformBrownWrites+26Fj
		sub	esi, [ebp+var_24]
		not	eax
		bsf	eax, eax
		sar	esi, 2
		shl	esi, 5
		add	esi, eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_C], esi
		cmp	esi, [ebp+var_14]
		ja	loc_55424A
		cmp	esi, 0FFFFFFFFh
		jz	loc_554250

loc_554094:				; CODE XREF: MiMirrorPerformBrownWrites+8AE45j
		cmp	esi, edi
		jb	loc_5541ED
		cmp	esi, 0FFFFFFFFh
		jz	loc_5541ED
		mov	eax, dword_6D305C
		cmp	eax, esi
		jbe	loc_5DEE3A
		mov	ecx, dword_6D3060
		dec	eax
		shr	eax, 5
		mov	edi, esi
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_10], eax
		mov	eax, esi
		shr	eax, 5
		lea	edx, [ecx+eax*4]
		cmp	edx, [ebp+var_10]
		jz	short loc_5540EB
		mov	ecx, esi
		and	ecx, 1Fh
		mov	[ebp+var_2C], ecx
		mov	ecx, ds:dword_40BA68[ecx*4]
		or	ecx, [edx]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_55420B

loc_5540EB:				; CODE XREF: MiMirrorPerformBrownWrites+F9j
					; MiMirrorPerformBrownWrites+245j ...
		mov	ecx, dword_6D305C
		jmp	short loc_5540FE
; 

loc_5540F3:				; CODE XREF: MiMirrorPerformBrownWrites+12Aj
		mov	eax, dword_6D3060
		bt	[eax], edi
		jnb	short loc_554102
		inc	edi

loc_5540FE:				; CODE XREF: MiMirrorPerformBrownWrites+11Bj
		cmp	edi, ecx
		jb	short loc_5540F3

loc_554102:				; CODE XREF: MiMirrorPerformBrownWrites+125j
		xor	eax, eax
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		cmp	edx, [ebp+var_10]
		jz	short loc_554154
		mov	ecx, [edx]
		mov	eax, edi
		and	eax, 1Fh
		mov	[ebp+var_2C], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		jnz	loc_554203
		push	20h
		pop	ecx
		sub	ecx, [ebp+var_2C]
		mov	[ebp+var_8], ecx
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_554180
		add	edx, 4
		jmp	short loc_55414A
; 

loc_55413C:				; CODE XREF: MiMirrorPerformBrownWrites+17Cj
		add	ecx, 20h
		add	edx, 4
		mov	[ebp+var_8], ecx
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_554180

loc_55414A:				; CODE XREF: MiMirrorPerformBrownWrites+164j
		cmp	edx, [ebp+var_10]
		jnb	short loc_554154
		cmp	dword ptr [edx], 0
		jz	short loc_55413C

loc_554154:				; CODE XREF: MiMirrorPerformBrownWrites+136j
					; MiMirrorPerformBrownWrites+177j ...
		mov	eax, dword_6D305C
		lea	edx, [ecx+edi]
		cmp	edx, eax
		jnb	short loc_55417D
		mov	esi, eax

loc_554162:				; CODE XREF: MiMirrorPerformBrownWrites+19Fj
		mov	eax, dword_6D3060
		bt	[eax], edx
		jb	short loc_554177
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_554177
		inc	edx
		inc	ecx
		cmp	edx, esi
		jb	short loc_554162

loc_554177:				; CODE XREF: MiMirrorPerformBrownWrites+194j
					; MiMirrorPerformBrownWrites+199j
		mov	esi, [ebp+var_C]
		mov	[ebp+var_8], ecx

loc_55417D:				; CODE XREF: MiMirrorPerformBrownWrites+188j
		cmp	ecx, 0FFFFFFFFh

loc_554180:				; CODE XREF: MiMirrorPerformBrownWrites+15Fj
					; MiMirrorPerformBrownWrites+172j
		ja	loc_5DEE4A

loc_554186:				; CODE XREF: MiMirrorPerformBrownWrites+8AE7Aj
		test	ecx, ecx
		jz	loc_5DEE3F

loc_55418E:				; CODE XREF: MiMirrorPerformBrownWrites+8AE6Fj
		mov	eax, [ebp+var_30]
		sub	edi, esi
		and	eax, 8
		mov	[ebp+var_14], edi
		mov	[ebp+var_3C], eax
		jnz	loc_5DEE55

loc_5541A2:				; CODE XREF: MiMirrorPerformBrownWrites+8B0D3j
		add	[ebp+var_1C], edi
		mov	eax, esi
		mov	ecx, 1000h
		mul	ecx
		mov	esi, eax
		mov	ecx, edx
		mov	eax, edi
		mov	edx, 1000h
		mul	edx
		push	edx
		push	eax
		mov	eax, [ebp+var_38]
		push	ecx
		push	esi
		call	dword ptr [eax+8]
		cmp	[ebp+var_3C], 0
		mov	[ebp+var_20], eax
		jnz	loc_5DF0AE

loc_5541D2:				; CODE XREF: MiMirrorPerformBrownWrites+8B123j
		mov	esi, [ebp+var_C]
		test	eax, eax
		js	short loc_5541ED
		add	esi, edi
		add	esi, [ebp+var_8]

loc_5541DE:				; CODE XREF: MiMirrorPerformBrownWrites+8AF20j
		mov	[ebp+var_10], esi

loc_5541E1:				; CODE XREF: MiMirrorPerformBrownWrites+8B0C0j
		cmp	esi, dword_6D305C
		jb	loc_554008

loc_5541ED:				; CODE XREF: MiMirrorPerformBrownWrites+C0j
					; MiMirrorPerformBrownWrites+C9j ...
		mov	eax, [ebx+8]
		mov	edi, [ebp+var_1C]
		mov	[eax], edi
		mov	eax, [ebp+var_20]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_554203:				; CODE XREF: MiMirrorPerformBrownWrites+14Dj
		mov	ecx, [ebp+var_8]
		jmp	loc_554154
; 

loc_55420B:				; CODE XREF: MiMirrorPerformBrownWrites+10Fj
		mov	eax, [ebp+var_10]
		mov	edi, esi
		sub	edi, [ebp+var_2C]
		add	edi, 20h
		add	edx, 4

loc_554219:				; CODE XREF: MiMirrorPerformBrownWrites+25Aj
		cmp	edx, eax
		jnb	loc_5540EB
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	loc_5540EB
		add	edx, 4
		add	edi, 20h
		jmp	short loc_554219
; 

loc_554232:				; CODE XREF: MiMirrorPerformBrownWrites+90j
		mov	ecx, [ebp+var_10]

loc_554235:				; CODE XREF: MiMirrorPerformBrownWrites+26Dj
		add	esi, 4
		cmp	esi, ecx
		ja	short loc_55424A
		mov	eax, [esi]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_554235
		jmp	loc_55406C
; 

loc_55424A:				; CODE XREF: MiMirrorPerformBrownWrites+AFj
					; MiMirrorPerformBrownWrites+264j
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_C], esi

loc_554250:				; CODE XREF: MiMirrorPerformBrownWrites+B8j
		mov	edx, [ebp+var_8]
		jmp	loc_5DEE19
MiMirrorPerformBrownWrites endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMirrorPerformBlackWrites proc	near	; CODE XREF: MiMirrorBlackPhase(x)+6Dj

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DF0FE SIZE 00000054 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		xor	eax, eax
		mov	[ebp+var_1C], ecx
		push	edi
		mov	[ebp+var_14], eax
		xor	edi, edi

loc_554274:				; CODE XREF: MiMirrorPerformBlackWrites+1BFj
		mov	ecx, dword_6D3064
		mov	[ebp+var_8], ecx
		cmp	edi, ecx
		jnb	loc_5DF0FE
		mov	esi, edi
		mov	[ebp+var_4], edi

loc_55428A:				; CODE XREF: MiMirrorPerformBlackWrites+8AEA3j
		mov	eax, dword_6D3068
		lea	edx, [ecx-1]
		mov	[ebp+var_C], eax

loc_554295:				; CODE XREF: MiMirrorPerformBlackWrites+8AEC7j
		mov	eax, edx
		mov	[ebp+var_18], edx
		sub	eax, esi
		mov	[ebp+var_20], 0
		inc	eax
		cmp	eax, 1
		jb	loc_5DF108
		mov	ecx, [ebp+var_C]
		mov	eax, edx
		shr	eax, 5
		mov	edx, 1
		lea	eax, [ecx+eax*4]
		mov	ecx, esi
		mov	[ebp+var_10], eax
		and	ecx, 1Fh
		shl	edx, cl
		mov	eax, esi
		mov	ecx, [ebp+var_C]
		dec	edx
		shr	eax, 5
		lea	esi, [ecx+eax*4]
		mov	eax, [esi]
		not	eax
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_55449D

loc_5542E2:				; CODE XREF: MiMirrorPerformBlackWrites+253j
		not	eax
		sub	esi, ecx
		bsf	eax, eax
		sar	esi, 2
		shl	esi, 5
		add	esi, eax
		mov	[ebp+var_10], esi
		cmp	esi, [ebp+var_18]
		ja	loc_5544B8
		cmp	esi, 0FFFFFFFFh
		jz	loc_5544BE

loc_554306:				; CODE XREF: MiMirrorPerformBlackWrites+8AEB2j
		cmp	esi, edi
		jb	loc_5DF14A
		cmp	esi, 0FFFFFFFFh
		jz	loc_5DF14A
		mov	eax, dword_6D3064
		cmp	eax, esi
		jbe	loc_5DF12C
		mov	ecx, dword_6D3068
		dec	eax
		shr	eax, 5
		mov	edx, esi
		lea	edi, [ecx+eax*4]
		mov	eax, esi
		shr	eax, 5
		mov	[ebp+var_4], edi
		lea	ecx, [ecx+eax*4]
		mov	[ebp+var_C], ecx
		cmp	ecx, edi
		jz	loc_5DF138
		mov	ecx, [ecx]
		mov	edi, esi
		and	edi, 1Fh
		mov	eax, ds:dword_40BA68[edi*4]
		or	eax, ecx
		mov	ecx, [ebp+var_C]
		cmp	eax, 0FFFFFFFFh
		mov	eax, [ebp+var_4]
		jz	loc_554475

loc_554368:				; CODE XREF: MiMirrorPerformBlackWrites+224j
					; MiMirrorPerformBlackWrites+238j ...
		mov	edi, dword_6D3064
		cmp	edx, edi
		jnb	short loc_554384

loc_554372:				; CODE XREF: MiMirrorPerformBlackWrites+11Fj
		mov	eax, dword_6D3068
		bt	[eax], edx
		jnb	short loc_554381
		inc	edx
		cmp	edx, edi
		jb	short loc_554372

loc_554381:				; CODE XREF: MiMirrorPerformBlackWrites+11Aj
		mov	eax, [ebp+var_4]

loc_554384:				; CODE XREF: MiMirrorPerformBlackWrites+110j
		xor	edi, edi
		mov	[ebp+var_8], edi
		cmp	ecx, eax
		jz	short loc_5543A8
		mov	ecx, [ecx]
		mov	eax, edx
		and	eax, 1Fh
		mov	[ebp+var_18], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		jz	loc_55442B

loc_5543A8:				; CODE XREF: MiMirrorPerformBlackWrites+12Bj
					; MiMirrorPerformBlackWrites+1E4j ...
		mov	eax, dword_6D3064
		lea	ecx, [edi+edx]
		cmp	ecx, eax
		jnb	short loc_5543D1
		mov	esi, eax

loc_5543B6:				; CODE XREF: MiMirrorPerformBlackWrites+169j
		mov	eax, dword_6D3068
		bt	[eax], ecx
		jb	short loc_5543CB
		cmp	edi, 0FFFFFFFFh
		jnb	short loc_5543CB
		inc	ecx
		inc	edi
		cmp	ecx, esi
		jb	short loc_5543B6

loc_5543CB:				; CODE XREF: MiMirrorPerformBlackWrites+15Ej
					; MiMirrorPerformBlackWrites+163j
		mov	esi, [ebp+var_10]
		mov	[ebp+var_8], edi

loc_5543D1:				; CODE XREF: MiMirrorPerformBlackWrites+152j
		cmp	edi, 0FFFFFFFFh

loc_5543D4:				; CODE XREF: MiMirrorPerformBlackWrites+1D9j
					; MiMirrorPerformBlackWrites+205j
		ja	loc_5DF13F

loc_5543DA:				; CODE XREF: MiMirrorPerformBlackWrites+8AEE5j
		test	edi, edi
		jz	loc_5544D2
		sub	edx, esi
		mov	[ebp+var_10], edx

loc_5543E7:				; CODE XREF: MiMirrorPerformBlackWrites+27Cj
		mov	ecx, 1000h
		mov	eax, esi
		mul	ecx
		mov	edi, eax
		mov	ecx, edx
		mov	eax, [ebp+var_10]
		mov	edx, 1000h
		mul	edx
		push	edx
		push	eax
		mov	eax, [ebp+var_1C]
		push	ecx
		push	edi
		mov	eax, [eax+8]
		call	eax
		mov	[ebp+var_14], eax
		test	eax, eax
		js	short loc_554425
		mov	edi, [ebp+var_8]
		add	edi, esi
		add	edi, [ebp+var_10]
		cmp	edi, dword_6D3064
		jb	loc_554274

loc_554425:				; CODE XREF: MiMirrorPerformBlackWrites+1AFj
					; MiMirrorPerformBlackWrites+8AEEDj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_55442B:				; CODE XREF: MiMirrorPerformBlackWrites+142j
		mov	edi, 20h
		sub	edi, [ebp+var_18]
		mov	[ebp+var_8], edi
		cmp	edi, 0FFFFFFFFh
		jnb	short loc_5543D4
		mov	ecx, [ebp+var_C]
		add	ecx, 4
		cmp	ecx, [ebp+var_4]
		jnb	loc_5543A8
		lea	ebx, [ebx+0]

loc_554450:				; CODE XREF: MiMirrorPerformBlackWrites+20Ej
		cmp	dword ptr [ecx], 0
		jnz	loc_5543A8
		add	edi, 20h
		add	ecx, 4
		mov	[ebp+var_8], edi
		cmp	edi, 0FFFFFFFFh
		jnb	loc_5543D4
		cmp	ecx, [ebp+var_4]
		jb	short loc_554450
		jmp	loc_5543A8
; 

loc_554475:				; CODE XREF: MiMirrorPerformBlackWrites+102j
		mov	edx, esi
		add	ecx, 4
		sub	edx, edi
		mov	[ebp+var_C], ecx
		add	edx, 20h
		cmp	ecx, eax
		jnb	loc_554368
		lea	ebx, [ebx+0]

loc_554490:				; CODE XREF: MiMirrorPerformBlackWrites+26Ej
		cmp	dword ptr [ecx], 0FFFFFFFFh
		jz	short loc_5544C6

loc_554495:				; CODE XREF: MiMirrorPerformBlackWrites+270j
		mov	[ebp+var_C], ecx
		jmp	loc_554368
; 

loc_55449D:				; CODE XREF: MiMirrorPerformBlackWrites+7Cj
		mov	ecx, [ebp+var_10]

loc_5544A0:				; CODE XREF: MiMirrorPerformBlackWrites+24Ej
		add	esi, 4
		cmp	esi, ecx
		ja	short loc_5544B8
		mov	eax, [esi]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5544A0
		mov	ecx, [ebp+var_C]
		jmp	loc_5542E2
; 

loc_5544B8:				; CODE XREF: MiMirrorPerformBlackWrites+97j
					; MiMirrorPerformBlackWrites+245j
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_10], esi

loc_5544BE:				; CODE XREF: MiMirrorPerformBlackWrites+A0j
		mov	ecx, [ebp+var_8]
		jmp	loc_5DF10E
; 

loc_5544C6:				; CODE XREF: MiMirrorPerformBlackWrites+233j
		add	ecx, 4
		add	edx, 20h
		cmp	ecx, eax
		jb	short loc_554490
		jmp	short loc_554495
; 

loc_5544D2:				; CODE XREF: MiMirrorPerformBlackWrites+17Cj
					; MiMirrorPerformBlackWrites+8AED3j
		mov	eax, dword_6D3064
		sub	eax, esi
		mov	[ebp+var_10], eax
		jmp	loc_5543E7
MiMirrorPerformBlackWrites endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMirrorGatherBrownPages proc near	; CODE XREF: MiMirrorBrownPhase(x)+96p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DF152 SIZE 0000014C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], edx
		lea	edi, [ebp+var_2C]
		stosd
		push	10h
		pop	esi
		mov	[ebp+var_14], esi
		stosd
		stosd
		mov	eax, [ecx]
		xor	ecx, ecx
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_8], ecx
		cmp	edi, 4
		jg	loc_554622
		mov	ebx, [ebp+arg_4]

loc_55451A:				; CODE XREF: MiMirrorGatherBrownPages+137j
		mov	esi, [edx+edi*4+95Ch]
		cmp	edi, eax
		jle	loc_5DF152

loc_554529:				; CODE XREF: MiMirrorGatherBrownPages+8AC7Aj
		cmp	edi, 2
		jz	loc_5546CA

loc_554532:				; CODE XREF: MiMirrorGatherBrownPages+1F0j
		cmp	edi, 3
		jz	loc_554601

loc_55453B:				; CODE XREF: MiMirrorGatherBrownPages+8AC8Aj
		lea	ecx, [esi+10h]
		lea	edx, [ebp+var_2C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	dword ptr [esi], 0
		jz	short loc_554595
		mov	esi, [esi+8]
		mov	[ebp+var_10], esi

loc_554551:				; CODE XREF: MiMirrorGatherBrownPages+AEj
		mov	ebx, ds:_MmPfnDatabase
		imul	edx, esi, 1Ch
		mov	[ebp+var_C], ebx
		mov	[ebp+var_1C], edx
		cmp	edi, 2
		jnz	short loc_554575
		mov	ecx, esi
		call	_MiIsDecayPfn@4	; MiIsDecayPfn(x)
		cmp	eax, 1
		jz	loc_5DF171

loc_554575:				; CODE XREF: MiMirrorGatherBrownPages+81j
		xor	eax, eax
		mov	ecx, esi
		lea	edx, [eax+1]
		call	MiMirrorAddPagesToBrownList

loc_554581:				; CODE XREF: MiMirrorGatherBrownPages+8ACEEj
		mov	esi, [ebp+var_1C]
		mov	esi, [esi+ebx]
		mov	[ebp+var_10], esi
		cmp	esi, offset loc_7FFFFF
		jnz	short loc_554551
		mov	ebx, [ebp+arg_4]

loc_554595:				; CODE XREF: MiMirrorGatherBrownPages+67j
		test	ds:byte_70EFC6,	1
		jnz	loc_5DF1D5
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	loc_5DF1ED
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_2C]
		cmp	eax, ecx
		jnz	loc_5DF1E5

loc_5545C4:				; CODE XREF: MiMirrorGatherBrownPages+8ACFEj
					; MiMirrorGatherBrownPages+8AD1Bj
		mov	cl, [ebp+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		inc	eax
		cmp	edi, eax
		jle	loc_5DF202
		cmp	edi, 2
		jnz	loc_5546D7
		lea	eax, [ebx+1]
		cmp	ebx, 7
		jnz	loc_5DF235

loc_5545ED:				; CODE XREF: MiMirrorGatherBrownPages+8AD58j
		sub	ebx, 7
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax
		mov	[ebp+arg_4], ebx

loc_5545F9:				; CODE XREF: MiMirrorGatherBrownPages+8AD4Ej
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		jmp	short loc_55460F
; 

loc_554601:				; CODE XREF: MiMirrorGatherBrownPages+53j
		mov	eax, [esi]
		cmp	eax, [edx+1118h]
		jnz	loc_5DF161

loc_55460F:				; CODE XREF: MiMirrorGatherBrownPages+11Dj
		xor	eax, eax
		inc	eax

loc_554612:				; CODE XREF: MiMirrorGatherBrownPages+1FEj
					; MiMirrorGatherBrownPages+8AD33j ...
		inc	edi
		mov	[ebp+arg_0], edi
		cmp	edi, 4
		jle	loc_55451A
		push	10h
		pop	esi

loc_554622:				; CODE XREF: MiMirrorGatherBrownPages+2Fj
		lea	ecx, [edx+10D0h]
		lea	edx, [ebp+var_2C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edi, [ebp+var_4]
		mov	ecx, offset loc_7FFFFF
		add	edi, 748h
		xor	ebx, ebx

loc_554640:				; CODE XREF: MiMirrorGatherBrownPages+16Dj
		mov	eax, [edi]
		cmp	eax, ecx
		jnz	short loc_5546A4

loc_554646:				; CODE XREF: MiMirrorGatherBrownPages+1E3j
		add	edi, 14h
		sub	esi, 1
		mov	[ebp+var_14], esi
		jnz	short loc_554640
		mov	ebx, [ebp+var_4]
		mov	eax, [ebx+708h]
		xor	ebx, ebx
		inc	ebx
		cmp	eax, ecx
		jnz	loc_5DF254

loc_554665:				; CODE XREF: MiMirrorGatherBrownPages+8AD8Dj
		test	ds:byte_70EFC6,	1
		jnz	loc_5DF274
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	loc_5DF28C
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_2C]
		cmp	eax, ecx
		jnz	loc_5DF284

loc_554694:				; CODE XREF: MiMirrorGatherBrownPages+8AD9Dj
					; MiMirrorGatherBrownPages+8ADB7j
		mov	cl, [ebp+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_5546A4:				; CODE XREF: MiMirrorGatherBrownPages+162j
					; MiMirrorGatherBrownPages+1DEj
		imul	esi, eax, 1Ch
		lea	edx, [ebx+1]
		mov	ecx, eax
		add	esi, ds:_MmPfnDatabase
		call	MiMirrorAddPagesToBrownList
		mov	eax, [esi]
		mov	ecx, offset loc_7FFFFF
		cmp	eax, ecx
		jnz	short loc_5546A4
		mov	esi, [ebp+var_14]
		jmp	loc_554646
; 

loc_5546CA:				; CODE XREF: MiMirrorGatherBrownPages+4Aj
		lea	eax, [ebx+50h]
		imul	esi, eax, 14h
		add	esi, edx
		jmp	loc_554532
; 

loc_5546D7:				; CODE XREF: MiMirrorGatherBrownPages+F9j
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		cmp	edi, 3
		jnz	loc_554612
		jmp	loc_5DF23F
MiMirrorGatherBrownPages endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMirrorAddPagesToBrownList proc near	; CODE XREF: MiMirrorNodeLargePages(x,x,x)+E0p
					; MiMirrorGatherBrownPages+9Ap	...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DF29E SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, dword_6D3068
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	edx, ecx
		mov	esi, edx
		mov	[ebp+var_4], edx
		shr	esi, 5
		mov	ebx, edx
		and	ebx, 1Fh
		mov	ecx, edi
		lea	esi, [eax+esi*4]
		lea	eax, [ebx+edi]
		cmp	eax, 20h
		ja	loc_5DF29E
		cmp	edi, 20h
		jz	short loc_554741
		xor	eax, eax
		inc	eax
		shl	eax, cl
		mov	ecx, ebx
		dec	eax
		shl	eax, cl
		not	eax

loc_55472D:				; CODE XREF: MiMirrorAddPagesToBrownList+8ABFEj
		lock and [esi],	eax

loc_554730:				; CODE XREF: MiMirrorAddPagesToBrownList+5Bj
					; MiMirrorAddPagesToBrownList+8ABF3j
		push	edi
		push	edx
		push	offset dword_6D305C
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_554741:				; CODE XREF: MiMirrorAddPagesToBrownList+33j
		mov	dword ptr [esi], 0
		jmp	short loc_554730
MiMirrorAddPagesToBrownList endp

; 
		align 2

;  S U B	R O U T	I N E 


MiMirrorDiscardPageContents proc near	; CODE XREF: MiMirrorBlackPhase(x):loc_592D61p

; FUNCTION CHUNK AT 005DF2EF SIZE 00000078 BYTES

		mov	eax, dword_6D2FAC
		xor	ecx, ecx
		mov	edx, ecx

loc_554753:				; CODE XREF: MiMirrorDiscardPageContents+27j
		test	eax, eax
		jnz	short loc_55476D
		test	edx, edx
		jnz	short loc_554773

loc_55475B:				; CODE XREF: MiMirrorDiscardPageContents+8ABD9j
		mov	eax, dword_6D2FA4

loc_554760:				; CODE XREF: MiMirrorDiscardPageContents+33j
		test	eax, eax
		jnz	short loc_554779

loc_554764:				; CODE XREF: MiMirrorDiscardPageContents+8ABF1j
					; MiMirrorDiscardPageContents+8AC01j ...
		test	ecx, ecx
		jnz	loc_5DF328
		retn
; 

loc_55476D:				; CODE XREF: MiMirrorDiscardPageContents+Bj
		mov	edx, eax
		mov	eax, [eax]
		jmp	short loc_554753
; 

loc_554773:				; CODE XREF: MiMirrorDiscardPageContents+Fj
		push	esi
		jmp	loc_5DF2EF
; 

loc_554779:				; CODE XREF: MiMirrorDiscardPageContents+18j
		mov	ecx, eax
		mov	eax, [eax]
		jmp	short loc_554760
MiMirrorDiscardPageContents endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CcNotifyWriteBehind(x)
_CcNotifyWriteBehind@4 proc near	; CODE XREF: MmDuplicateMemory(x)+90p
					; MiShutdownSystem()+1Cp
		mov	edi, edi
		push	ecx
		push	0
		push	2
		pop	edx
		mov	ecx, offset _CcNotifyWriteBehindHelper@8 ; CcNotifyWriteBehindHelper(x,x)
		call	CcForEachPartition
		pop	ecx
		retn
_CcNotifyWriteBehind@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmFlushAllPagesEx(x, x, x)
_MmFlushAllPagesEx@12 proc near		; CODE XREF: PopTransitionToSleep+D9p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	bl, cl
		mov	edi, edx
		xor	ecx, ecx

loc_5547A6:				; CODE XREF: MmFlushAllPagesEx(x,x,x)+33j
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_5547BA
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_5547BA:				; CODE XREF: MmFlushAllPagesEx(x,x,x)+1Bj
		push	ecx
		mov	ecx, [esi]
		mov	dl, bl
		push	edi
		call	MiFlushAllPages
		mov	ecx, esi
		jmp	short loc_5547A6
_MmFlushAllPagesEx@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


IoGetDumpStackTransferSizes proc near	; CODE XREF: PopHiberInitializeResources+8Bp

; FUNCTION CHUNK AT 005DF367 SIZE 00000019 BYTES

		cmp	_CrashdmpImageEntry, 0
		jz	loc_5DF367
		mov	eax, dword_6D4AE8
		test	eax, eax
		jz	loc_5DF367
		push	edx
		push	ecx
		call	eax

locret_5547E8:				; CODE XREF: IoGetDumpStackTransferSizes+8ABA9j
		retn
IoGetDumpStackTransferSizes endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFlushAllPages	proc near		; CODE XREF: MmFlushAllPagesEx(x,x,x)+2Cp
					; MmPerformMemoryListCommand+D405p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DF380 SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [esp+38h+var_1C]
		push	6
		pop	ecx
		xor	eax, eax
		mov	[esp+38h+var_20], esi
		rep stosd
		mov	cl, 1
		mov	bl, dl
		call	KiQueryUnbiasedInterruptTime
		mov	ecx, edx
		mov	edi, eax
		mov	eax, [ebp+arg_0]
		mov	edx, (offset loc_98967E+2)
		mul	edx
		mov	[esp+38h+var_24], ecx
		push	edx
		push	eax
		push	ecx
		mov	[esp+44h+var_2C], edx
		mov	ecx, esi
		push	edi
		xor	edx, edx
		mov	[esp+48h+var_28], eax
		call	MiFlushAllPagesWorker
		test	bl, bl
		jnz	loc_5DF380

loc_55484C:				; CODE XREF: MiFlushAllPages+8AB9Ej
					; MiFlushAllPages+8ABE8j
		mov	ecx, [esp+38h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
MiFlushAllPages	endp


;  S U B	R O U T	I N E 


; __stdcall PopGenerateScratchMdl(x, x)
_PopGenerateScratchMdl@8 proc near	; CODE XREF: PopGenerateUnHibernatedMdl(x,x)+1Bp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	5
		push	1
		mov	edi, edx
		xor	ebx, ebx
		mov	eax, edi
		mov	esi, ecx
		shl	eax, 0Ch
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	0FFFFFFFFh
		push	ebx
		push	1000000h
		call	_MmAllocatePagesForMdlEx@36 ; MmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_554897
		mov	ecx, [esi+58h]
		mov	[eax], ecx
		add	[esi+60h], edi
		mov	[esi+58h], eax
		adc	[esi+64h], ebx

loc_554897:				; CODE XREF: PopGenerateScratchMdl(x,x)+27j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PopGenerateScratchMdl@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MI_CHECK_HIBER_VERIFY_PTE(x)
_MI_CHECK_HIBER_VERIFY_PTE@4 proc near	; CODE XREF: MiConvertHiberPhasePte+E4p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+4]
		mov	edx, [ecx]
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		mov	eax, edx
		and	eax, 1
		or	eax, ecx
		jnz	short loc_5548CD
		mov	eax, edx
		and	eax, 400h
		or	eax, ecx
		jz	short loc_5548CD
		and	edx, 4
		or	edx, ecx
		jz	short loc_5548CD
		xor	eax, eax
		inc	eax
		leave
		retn
; 

loc_5548CD:				; CODE XREF: MI_CHECK_HIBER_VERIFY_PTE(x)+18j
					; MI_CHECK_HIBER_VERIFY_PTE(x)+23j ...
		xor	eax, eax
		leave
		retn
_MI_CHECK_HIBER_VERIFY_PTE@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFinishResume(x)
_MiFinishResume@4 proc near		; DATA XREF: MiInitializeMirroring+35o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiReferencePageRuns
		xor	ecx, ecx
		mov	ebx, eax
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_554923
		push	edi

loc_5548F5:				; CODE XREF: MiFinishResume(x)+4Ej
		cmp	[ebp+arg_0], 0
		mov	edi, [esi]
		jz	short loc_55490E
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	MiPurgePartitionStandby
		mov	byte ptr [edi+0A30h], 0

loc_55490E:				; CODE XREF: MiFinishResume(x)+29j
		mov	ecx, edi
		call	_MiPurgeZeroList@4 ; MiPurgeZeroList(x)
		mov	ecx, esi
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_5548F5
		pop	edi

loc_554923:				; CODE XREF: MiFinishResume(x)+20j
		test	ebx, ebx
		jz	short loc_554931
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	MiDereferencePageRunsEx

loc_554931:				; CODE XREF: MiFinishResume(x)+53j
		lock dec dword_6D35AC
		or	dword_6D3054, 0FFFFFFFFh
		push	0
		push	0
		push	offset unk_6D3038
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MiFinishResume@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPurgeZeroList(x)
_MiPurgeZeroList@4 proc	near		; CODE XREF: MiFinishResume(x)+3Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], esi
		cmp	byte ptr [esi+0A31h], 0
		jz	loc_554A4D
		call	_MiPurgeLargeZeroNodePages@4 ; MiPurgeLargeZeroNodePages(x)
		mov	edx, [esi+540h]
		xor	ecx, ecx
		mov	[ebp+var_10], ecx
		cmp	dword_6D06D4, ecx
		jz	loc_554A46
		lea	eax, [edx+8]
		mov	[ebp+var_C], eax
		push	edi

loc_554992:				; CODE XREF: MiPurgeZeroList(x)+E8j
		mov	edi, [eax]
		cmp	edi, offset loc_7FFFFF
		jz	loc_554A2C

loc_5549A0:				; CODE XREF: MiPurgeZeroList(x)+CFj
		imul	eax, edi, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp+var_1], al
		cmp	edi, dword_6D07B0
		ja	short loc_554A01
		mov	edx, dword_6D35B8
		mov	esi, edi
		shr	esi, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	edx, [edx+esi*4]
		mov	esi, [ebp+var_8]
		shr	edx, cl
		and	edx, 1
		jz	short loc_554A04
		test	dword ptr [esi+18h], 800000h
		jnz	short loc_554A04
		test	byte ptr [esi+16h], 7
		jnz	short loc_554A04
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	MiUnlinkFreeOrZeroedPage
		push	2
		pop	edx
		mov	ecx, edi
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		jmp	short loc_554A04
; 

loc_554A01:				; CODE XREF: MiPurgeZeroList(x)+68j
		mov	esi, [ebp+var_8]

loc_554A04:				; CODE XREF: MiPurgeZeroList(x)+85j
					; MiPurgeZeroList(x)+8Ej ...
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_C]
		mov	edi, [eax]
		cmp	edi, offset loc_7FFFFF
		jnz	loc_5549A0
		mov	ecx, [ebp+var_10]

loc_554A2C:				; CODE XREF: MiPurgeZeroList(x)+46j
		inc	ecx
		add	eax, 14h
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], eax
		cmp	ecx, dword_6D06D4
		jb	loc_554992
		mov	esi, [ebp+var_14]
		pop	edi

loc_554A46:				; CODE XREF: MiPurgeZeroList(x)+31j
		mov	byte ptr [esi+0A31h], 0

loc_554A4D:				; CODE XREF: MiPurgeZeroList(x)+15j
		pop	esi
		leave
		retn
_MiPurgeZeroList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPurgeLargeZeroNodePages(x)
_MiPurgeLargeZeroNodePages@4 proc near	; CODE XREF: MiPurgeZeroList(x)+1Bp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		xor	eax, eax
		mov	[ebp+var_28], ecx
		push	esi
		mov	esi, [ecx+10h]
		push	edi
		lea	edi, [ebp+var_38]
		stosd
		stosd
		stosd
		movzx	eax, ds:_KeNumberNodes
		imul	eax, 280h
		add	eax, esi
		mov	[ebp+var_2C], eax
		cmp	esi, eax
		jnb	loc_554C77
		lea	edi, [esi+204h]
		push	ebx

loc_554A89:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+220j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	[ebp+var_38], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1], al
		mov	[ebp+var_34], edi
		jz	short loc_554AB0
		mov	edx, edi
		lea	ecx, [ebp+var_38]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_554AC1
; 

loc_554AB0:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+52j
		lea	edx, [ebp+var_38]
		xchg	edx, [edi]
		test	edx, edx
		jz	short loc_554AC1
		lea	ecx, [ebp+var_38]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_554AC1:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+5Ej
					; MiPurgeLargeZeroNodePages(x)+67j
		xor	ecx, ecx
		mov	[ebp+var_24], esi
		mov	[ebp+var_10], ecx
		mov	edx, esi

loc_554ACB:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+1C0j
		cmp	dword ptr [edx], 0
		jz	loc_554C00
		mov	eax, dword_6D0740[ecx*4]
		and	[ebp+var_18], 0
		push	58h
		pop	ebx
		mov	[ebp+var_C], eax
		mov	[ebp+var_20], ebx

loc_554AE8:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+1AAj
		and	[ebp+var_14], 0
		mov	[ebp+var_1C], ebx

loc_554AEF:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+191j
		mov	ebx, [edx+ebx]
		xor	eax, eax
		mov	[ebp+var_8], eax
		cmp	[ebp+var_C], eax
		jbe	loc_554BCE
		mov	edx, [ebp+var_C]

loc_554B03:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+175j
		cmp	[ebx], ebx
		jz	loc_554BBC
		push	[ebp+var_14]
		mov	edx, esi
		push	0
		push	eax
		push	[ebp+var_18]
		push	ecx
		mov	ecx, [ebp+var_28]
		call	_MiMoveLargeZeroToFree@28 ; MiMoveLargeZeroToFree(x,x,x,x,x,x,x)
		test	eax, eax
		jnz	loc_554BB3
		test	ds:byte_70EFC6,	1
		jz	short loc_554B3D
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_38]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_554B6C
; 

loc_554B3D:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+DEj
		mov	eax, [ebp+var_38]
		test	eax, eax
		jnz	short loc_554B5C
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_38]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_38]
		cmp	eax, ecx
		jz	short loc_554B6C
		call	KxWaitForLockChainValid

loc_554B5C:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+F2j
		xor	ecx, ecx
		mov	[ebp+var_38], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_554B6C:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+EBj
					; MiPurgeLargeZeroNodePages(x)+105j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		dec	[ebp+var_8]
		mov	cl, 2
		sub	ebx, 0Ch
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	[ebp+var_38], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1], al
		mov	[ebp+var_34], edi
		jz	short loc_554BA2
		mov	edx, edi
		lea	ecx, [ebp+var_38]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_554BB3
; 

loc_554BA2:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+144j
		lea	edx, [ebp+var_38]
		xchg	edx, [edi]
		test	edx, edx
		jz	short loc_554BB3
		lea	ecx, [ebp+var_38]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_554BB3:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+D1j
					; MiPurgeLargeZeroNodePages(x)+150j ...
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_8]

loc_554BBC:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+B5j
		inc	eax
		add	ebx, 0Ch
		mov	[ebp+var_8], eax
		cmp	eax, edx
		jb	loc_554B03
		mov	edx, [ebp+var_24]

loc_554BCE:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+AAj
		mov	eax, [ebp+var_14]
		mov	ebx, [ebp+var_1C]
		inc	eax
		add	ebx, 4
		mov	[ebp+var_14], eax
		mov	[ebp+var_1C], ebx
		cmp	eax, 3
		jle	loc_554AEF
		mov	eax, [ebp+var_18]
		mov	ebx, [ebp+var_20]
		inc	eax
		add	ebx, 20h
		mov	[ebp+var_18], eax
		mov	[ebp+var_20], ebx
		cmp	eax, 1
		jle	loc_554AE8

loc_554C00:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+7Ej
		inc	ecx
		add	edx, 98h
		mov	[ebp+var_10], ecx
		mov	[ebp+var_24], edx
		cmp	ecx, 2
		jb	loc_554ACB
		test	ds:byte_70EFC6,	1
		jz	short loc_554C2C
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_38]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_554C5B
; 

loc_554C2C:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+1CDj
		mov	eax, [ebp+var_38]
		test	eax, eax
		jnz	short loc_554C4B
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_38]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_38]
		cmp	eax, ecx
		jz	short loc_554C5B
		call	KxWaitForLockChainValid

loc_554C4B:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+1E1j
		xor	ecx, ecx
		mov	[ebp+var_38], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_554C5B:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+1DAj
					; MiPurgeLargeZeroNodePages(x)+1F4j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, 280h
		add	esi, ebx
		add	edi, ebx
		cmp	esi, [ebp+var_2C]
		jb	loc_554A89
		pop	ebx

loc_554C77:				; CODE XREF: MiPurgeLargeZeroNodePages(x)+2Cj
		pop	edi
		pop	esi
		leave
		retn
_MiPurgeLargeZeroNodePages@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPurgePartitionStandby	proc near	; CODE XREF: MiFinishResume(x)+30p
					; MiTrimAllSystemPagableMemory(x,x)+125p ...

var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DF405 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	cl, 2
		mov	[esp+20h+var_8], ebx
		mov	[esp+20h+var_4], esi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, ebx
		mov	ecx, esi
		jmp	short loc_554D02
; 

loc_554CA4:				; CODE XREF: MiPurgePartitionStandby+99j
		imul	edi, ebx, 1Ch
		add	edi, ds:_MmPfnDatabase
		and	[esp+20h+var_C], 0
		lea	esi, [edi+10h]

loc_554CB5:				; CODE XREF: MiPurgePartitionStandby+8A798j
		lock bts dword ptr [esi], 1Fh
		jb	loc_5DF405
		or	dword ptr [esi], 40000000h
		mov	ecx, edi
		call	_MiIsFreeZeroPfnCold@4 ; MiIsFreeZeroPfnCold(x)
		neg	eax
		mov	ecx, ebx
		sbb	eax, eax
		and	eax, 400h
		lea	edx, [eax+2]
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, [esp+20h+var_D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, [esp+20h+var_8]
		mov	ecx, [esp+20h+var_4]

loc_554D02:				; CODE XREF: MiPurgePartitionStandby+26j
		push	2000h
		mov	[esp+24h+var_D], al
		call	_MiRemoveLowestPriorityStandbyPage@12 ;	MiRemoveLowestPriorityStandbyPage(x,x,x)
		mov	ebx, eax
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_554CA4
		mov	cl, [esp+20h+var_D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
MiPurgePartitionStandby	endp


;  S U B	R O U T	I N E 


MiComputeNextWalkPte proc near		; CODE XREF: .text:0045AD4Bp

; FUNCTION CHUNK AT 005DF419 SIZE 00000012 BYTES

		add	ecx, 8
		cmp	edx, 1
		jnz	short loc_554D33

loc_554D30:				; CODE XREF: MiComputeNextWalkPte+1Aj
					; MiComputeNextWalkPte+8A6F6j
		mov	eax, ecx
		retn
; 

loc_554D33:				; CODE XREF: MiComputeNextWalkPte+6j
		shl	ecx, 9
		mov	edx, 0C0000000h

loc_554D3B:				; CODE XREF: MiComputeNextWalkPte+8A6FEj
		mov	eax, ecx
		shl	eax, 9
		cmp	eax, edx
		jb	short loc_554D30
		jmp	loc_5DF419
MiComputeNextWalkPte endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepCancelActivityRange(x, x, x, x, x)
_PopPepCancelActivityRange@20 proc near	; CODE XREF: PopPepCancelActivities(x,x,x)+30p
					; PopPepCancelActivities(x,x,x)+4Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		cmp	esi, [ebp+arg_4]
		jg	short loc_554D78
		imul	eax, edx, 1Fh
		push	ebx
		add	eax, esi
		lea	ecx, dword_401230[eax*4]

loc_554D68:				; CODE XREF: PopPepCancelActivityRange(x,x,x,x,x)+2Bj
		mov	edx, [ecx]
		test	edx, edx
		jnz	short loc_554D7E

loc_554D6E:				; CODE XREF: PopPepCancelActivityRange(x,x,x,x,x)+3Bj
					; PopPepCancelActivityRange(x,x,x,x,x)+4Ej
		inc	esi
		add	ecx, 4
		cmp	esi, [ebp+arg_4]
		jle	short loc_554D68
		pop	ebx

loc_554D78:				; CODE XREF: PopPepCancelActivityRange(x,x,x,x,x)+Fj
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_554D7E:				; CODE XREF: PopPepCancelActivityRange(x,x,x,x,x)+22j
		mov	eax, [edi+esi*4]
		mov	ebx, [eax]
		test	edx, ebx
		jz	short loc_554D6E
		test	bl, 2
		jz	short loc_554D95
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		mov	eax, [edi+esi*4]

loc_554D95:				; CODE XREF: PopPepCancelActivityRange(x,x,x,x,x)+40j
		and	dword ptr [eax], 0FFFFFFFCh
		jmp	short loc_554D6E
_PopPepCancelActivityRange@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopCompleteNotifyTransitionCommon proc near
					; CODE XREF: PopCompleteDirectedPowerTransitionCallback(x,x,x)+25p
					; PopSystemIrpCompletion+BFp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= byte ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DF42B SIZE 00000085 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_1], 0
		push	esi
		push	edi
		lea	edi, [ebp+var_30]
		mov	esi, edx
		stosd
		lea	edx, [ebp+var_30]
		mov	ebx, ecx
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], ebx
		stosd
		stosd
		mov	eax, dword_6C2314
		mov	edi, [esi-58h]
		shr	eax, 17h
		and	al, 1
		mov	[ebp+var_14], edi
		mov	byte ptr [ebp+var_10], al
		mov	eax, [esi-54h]
		mov	ecx, eax
		sub	ecx, _IopRootDeviceNode
		neg	ecx
		sbb	ecx, ecx
		and	[ebp+var_8], 0
		and	ecx, eax
		mov	[ebp+var_24], ecx
		mov	ecx, dword_6C231C
		lea	ecx, [ecx+8]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		movzx	eax, byte ptr [esi+1Ch]
		lea	edx, [ebx+1Ch]
		mov	ecx, [esi]
		imul	eax, 28h
		mov	[ebp+var_1C], ecx
		mov	edi, [ebp+var_1C]
		mov	ecx, [esi+4]
		mov	[ebp+var_C], edx
		add	eax, edx
		cmp	[edi+4], esi
		jnz	loc_555047
		cmp	[ecx], esi
		jnz	loc_555047
		mov	edx, edi
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	edx, [ebx+1Ch]
		cmp	byte ptr [ebx+100h], 0
		jnz	loc_554EF9
		lea	ecx, [eax+20h]
		mov	edi, [ecx+4]
		cmp	[edi], ecx
		jnz	loc_555047
		mov	[esi], ecx
		mov	[esi+4], edi
		mov	[edi], esi
		mov	edi, [ebp+var_14]
		mov	[ecx+4], esi
		dec	dword ptr [eax+0Ch]
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jz	short loc_554E79
		push	[ebp+var_10]
		movzx	eax, byte ptr [esi+1Ch]
		add	ecx, 5Ch
		push	eax
		call	PopReadyParentSleep
		lea	edx, [ebx+1Ch]
		test	al, al
		jnz	loc_554F94

loc_554E79:				; CODE XREF: PopCompleteNotifyTransitionCommon+C2j
					; PopCompleteNotifyTransitionCommon+200j
		lea	ecx, [esi+10h]
		mov	eax, [ecx]
		cmp	eax, ecx
		jnz	loc_554FE8

loc_554E86:				; CODE XREF: PopCompleteNotifyTransitionCommon+27Cj
		test	edi, edi
		jnz	loc_554F72

loc_554E8E:				; CODE XREF: PopCompleteNotifyTransitionCommon+1F5j
		lea	eax, [esi+8]
		mov	edi, [eax]
		mov	[ebp+var_24], eax
		cmp	edi, eax
		jnz	loc_55501B

loc_554E9E:				; CODE XREF: PopCompleteNotifyTransitionCommon+29Fj
		mov	edi, [ebp+arg_0]
		test	edi, edi
		js	loc_5DF42B

loc_554EA9:				; CODE XREF: PopCompleteNotifyTransitionCommon+191j
					; PopCompleteNotifyTransitionCommon+1C4j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5DF48F
		mov	eax, [ebp+var_30]
		test	eax, eax
		jnz	loc_554FD3
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_30]
		cmp	eax, ecx
		jnz	loc_554FCB

loc_554ED8:				; CODE XREF: PopCompleteNotifyTransitionCommon+249j
					; PopCompleteNotifyTransitionCommon+8A700j
		mov	cl, [ebp+var_28]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_1], 0
		jnz	loc_5DF49F
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_554F63

loc_554EF2:				; CODE XREF: PopCompleteNotifyTransitionCommon+1D6j
					; PopCompleteNotifyTransitionCommon+8A711j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_554EF9:				; CODE XREF: PopCompleteNotifyTransitionCommon+99j
		lea	ecx, [eax+10h]
		mov	edi, [ecx+4]
		mov	[ebp+arg_0], edi
		cmp	[edi], ecx
		mov	edi, [ebp+var_14]
		jnz	loc_555047
		mov	edx, [ebp+arg_0]
		mov	[esi+4], edx
		mov	[esi], ecx
		mov	[edx], esi
		lea	edx, [ebx+1Ch]
		mov	[ecx+4], esi
		inc	dword ptr [eax+0Ch]
		test	edi, edi
		jnz	short loc_554F9F

loc_554F24:				; CODE XREF: PopCompleteNotifyTransitionCommon+22Cj
		lea	eax, [esi+8]
		mov	edi, [eax]
		cmp	edi, eax
		jz	loc_554EA9
		mov	ebx, [ebp+var_8]

loc_554F34:				; CODE XREF: PopCompleteNotifyTransitionCommon+1BCj
		push	[ebp+var_10]
		movzx	eax, byte ptr [esi+1Ch]
		mov	ecx, [edi-4]
		push	eax
		call	PopReadyChildWake
		test	al, al
		jnz	loc_55503E

loc_554F4C:				; CODE XREF: PopCompleteNotifyTransitionCommon+2A5j
		mov	edi, [edi]
		lea	eax, [esi+8]
		mov	edx, [ebp+var_C]
		cmp	edi, eax
		jnz	short loc_554F34
		mov	[ebp+var_8], ebx
		mov	ebx, [ebp+var_18]
		jmp	loc_554EA9
; 

loc_554F63:				; CODE XREF: PopCompleteNotifyTransitionCommon+156j
		push	0
		push	eax
		push	0
		push	dword ptr [ebx+14h]
		call	KeReleaseSemaphore
		jmp	short loc_554EF2
; 

loc_554F72:				; CODE XREF: PopCompleteNotifyTransitionCommon+EEj
		mov	ebx, [ebp+var_C]
		mov	esi, [ebp+var_10]

loc_554F78:				; CODE XREF: PopCompleteNotifyTransitionCommon+1EDj
		push	esi
		lea	ecx, [edi+5Ch]
		mov	edx, ebx
		call	PopPrepChildWake
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_554F78
		mov	esi, [ebp+var_20]
		mov	ebx, [ebp+var_18]
		jmp	loc_554E8E
; 

loc_554F94:				; CODE XREF: PopCompleteNotifyTransitionCommon+D9j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_8], eax
		jmp	loc_554E79
; 

loc_554F9F:				; CODE XREF: PopCompleteNotifyTransitionCommon+188j
		mov	ebx, [ebp+var_8]

loc_554FA2:				; CODE XREF: PopCompleteNotifyTransitionCommon+224j
		push	[ebp+var_10]
		movzx	eax, byte ptr [esi+1Ch]
		lea	ecx, [edi+5Ch]
		push	eax
		call	PopReadyChildWake
		test	al, al
		jz	short loc_554FB7
		inc	ebx

loc_554FB7:				; CODE XREF: PopCompleteNotifyTransitionCommon+21Aj
		mov	edi, [edi]
		mov	edx, [ebp+var_C]
		test	edi, edi
		jnz	short loc_554FA2
		mov	[ebp+var_8], ebx
		mov	ebx, [ebp+var_18]
		jmp	loc_554F24
; 

loc_554FCB:				; CODE XREF: PopCompleteNotifyTransitionCommon+138j
		lea	ecx, [ebp+var_30]
		call	KxWaitForLockChainValid

loc_554FD3:				; CODE XREF: PopCompleteNotifyTransitionCommon+121j
		xor	ecx, ecx
		mov	[ebp+var_30], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_554ED8
; 

loc_554FE8:				; CODE XREF: PopCompleteNotifyTransitionCommon+E6j
		mov	ebx, [ebp+var_8]
		mov	edi, eax

loc_554FED:				; CODE XREF: PopCompleteNotifyTransitionCommon+271j
		push	[ebp+var_10]
		movzx	eax, byte ptr [esi+1Ch]
		mov	ecx, [edi+14h]
		push	eax
		call	PopReadyParentSleep
		test	al, al
		jnz	short loc_555044

loc_555001:				; CODE XREF: PopCompleteNotifyTransitionCommon+2ABj
		mov	edi, [edi]
		lea	eax, [esi+10h]
		mov	edx, [ebp+var_C]
		cmp	edi, eax
		jnz	short loc_554FED
		mov	edi, [ebp+var_14]
		mov	[ebp+var_8], ebx
		mov	ebx, [ebp+var_18]
		jmp	loc_554E86
; 

loc_55501B:				; CODE XREF: PopCompleteNotifyTransitionCommon+FEj
		mov	ebx, [ebp+var_C]
		mov	esi, [ebp+var_10]

loc_555021:				; CODE XREF: PopCompleteNotifyTransitionCommon+297j
		mov	ecx, [edi-4]
		mov	edx, ebx
		push	esi
		call	PopPrepChildWake
		mov	edi, [edi]
		cmp	edi, [ebp+var_24]
		jnz	short loc_555021
		mov	esi, [ebp+var_20]
		mov	ebx, [ebp+var_18]
		jmp	loc_554E9E
; 

loc_55503E:				; CODE XREF: PopCompleteNotifyTransitionCommon+1ACj
		inc	ebx
		jmp	loc_554F4C
; 

loc_555044:				; CODE XREF: PopCompleteNotifyTransitionCommon+265j
		inc	ebx
		jmp	short loc_555001
; 

loc_555047:				; CODE XREF: PopCompleteNotifyTransitionCommon+7Aj
					; PopCompleteNotifyTransitionCommon+82j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PopCompleteNotifyTransitionCommon endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxIncrementDeviceSleepCount(x)
_PopFxIncrementDeviceSleepCount@4 proc near
					; CODE XREF: PoFxStartDevicePowerManagement+82AB6p
					; PopSystemIrpCompletion+A5p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_5550BB
		mov	eax, [ecx+0B0h]
		mov	esi, [eax+14h]

loc_555062:				; CODE XREF: PopFxIncrementDeviceSleepCount(x)+71j
		test	esi, esi
		jz	short loc_5550A7
		lea	edi, [esi+2Ch]
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		lea	edx, [esi+0A8h]
		mov	eax, [esi+44h]
		xor	edi, edi
		mov	[ebp+var_4], eax
		mov	eax, [edx]

loc_555081:				; CODE XREF: PopFxIncrementDeviceSleepCount(x)+3Dj
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_555081
		lea	edi, [esi+2Ch]
		test	al, 4
		jnz	short loc_5550AC

loc_555092:				; CODE XREF: PopFxIncrementDeviceSleepCount(x)+6Bj
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[esi+44h], eax

loc_555099:				; CODE XREF: PopFxIncrementDeviceSleepCount(x)+6Dj
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5550A7:				; CODE XREF: PopFxIncrementDeviceSleepCount(x)+18j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5550AC:				; CODE XREF: PopFxIncrementDeviceSleepCount(x)+44j
		mov	eax, [esi+28h]
		mov	eax, [eax+238h]
		test	al, 1
		jz	short loc_555092
		jmp	short loc_555099
; 

loc_5550BB:				; CODE XREF: PopFxIncrementDeviceSleepCount(x)+Bj
		xor	esi, esi
		jmp	short loc_555062
_PopFxIncrementDeviceSleepCount@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPrepChildWake proc near		; CODE XREF: PopCompleteNotifyTransitionCommon+1E4p
					; PopCompleteNotifyTransitionCommon+28Dp

var_10		= dword	ptr -10h
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005DF4B0 SIZE 0000007A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		mov	esi, edx
		jnz	loc_5DF4B0

loc_5550D2:				; CODE XREF: PopPrepChildWake+8A401j
		mov	eax, [ecx+38h]
		cmp	eax, [ecx+34h]
		jnz	short loc_55510B
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_555114
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_555114
		mov	[edx], eax
		mov	[eax+4], edx
		movzx	eax, byte ptr [ecx+1Ch]
		inc	eax
		imul	eax, 28h
		add	eax, esi
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_555114
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		mov	eax, [ecx+38h]

loc_55510B:				; CODE XREF: PopPrepChildWake+18j
		dec	eax
		mov	[ecx+38h], eax

loc_55510F:				; CODE XREF: PopPrepChildWake+8A3FBj
		pop	esi
		pop	ebp
		retn	4
; 

loc_555114:				; CODE XREF: PopPrepChildWake+1Fj
					; PopPrepChildWake+26j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

PopReadyParentSleep:			; CODE XREF: PopCompleteNotifyTransitionCommon+CFp
					; PopCompleteNotifyTransitionCommon+25Ep
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		xor	bl, bl
		push	esi
		mov	esi, edx
		cmp	[ebp+arg_4], bl
		jnz	loc_5DF4C6

loc_55512E:				; CODE XREF: PopPrepChildWake+8A417j
		sub	dword ptr [ecx+30h], 1
		jz	short loc_55513C

loc_555134:				; CODE XREF: PopPrepChildWake+B2j
					; PopPrepChildWake+B6j	...
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
; 

loc_55513C:				; CODE XREF: PopPrepChildWake+72j
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_555178
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_555178
		mov	[edx], eax
		mov	[eax+4], edx
		movzx	eax, byte ptr [ecx+1Ch]
		imul	eax, 28h
		add	eax, 18h
		add	eax, esi
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_555178
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		mov	al, [ecx+1Ch]
		cmp	al, [ebp+arg_0]
		jnz	short loc_555134
		mov	bl, 1
		jmp	short loc_555134
; 

loc_555178:				; CODE XREF: PopPrepChildWake+81j
					; PopPrepChildWake+88j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

PopReadyChildWake:			; CODE XREF: PopCompleteNotifyTransitionCommon+1A5p
					; PopCompleteNotifyTransitionCommon+213p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	edi
		mov	edi, edx
		jnz	loc_5DF4DC

loc_555190:				; CODE XREF: PopPrepChildWake+8A427j
		xor	dl, dl
		inc	dword ptr [ecx+38h]
		mov	eax, [ecx+38h]
		cmp	eax, [ecx+34h]
		jb	short loc_5551D9
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_5551E0
		push	esi
		mov	esi, [ecx+4]
		cmp	[esi], ecx
		jnz	short loc_5551E0
		mov	[esi], eax
		mov	[eax+4], esi
		movzx	eax, byte ptr [ecx+1Ch]
		imul	eax, 28h
		add	eax, 20h
		add	eax, edi
		mov	esi, [eax+4]
		cmp	[esi], eax
		jnz	short loc_5551E0
		mov	[ecx+4], esi
		mov	[ecx], eax
		mov	[esi], ecx
		mov	[eax+4], ecx
		mov	al, [ecx+1Ch]
		pop	esi
		cmp	al, [ebp+arg_0]
		jnz	short loc_5551D9
		inc	dl

loc_5551D9:				; CODE XREF: PopPrepChildWake+DBj
					; PopPrepChildWake+115j ...
		mov	al, dl
		pop	edi
		pop	ebp
		retn	8
; 

loc_5551E0:				; CODE XREF: PopPrepChildWake+E2j
					; PopPrepChildWake+EAj	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

PopHaltDeviceIdle:			; CODE XREF: PoInitializeBroadcast+A6p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	esi, edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopDopeGlobalLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	byte_6D4A50, 1
		cmp	dword_6D4A4C, esi
		ja	loc_5DF4F4

loc_555223:				; CODE XREF: PopPrepChildWake+8A449j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopDopeGlobalLock
		jnz	loc_5DF50E
		xor	eax, eax
		lock and [ecx],	eax

loc_55523A:				; CODE XREF: PopPrepChildWake+8A456j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	loc_5DF51B

loc_55524A:				; CODE XREF: PopPrepChildWake+8A465j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopPrepChildWake endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopResumeDeviceIdle proc near		; CODE XREF: PoClearBroadcast()+Fp

; FUNCTION CHUNK AT 005DF52A SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopDopeGlobalLock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		mov	byte_6D4A50, 0
		jnz	loc_5DF52A
		xor	eax, eax
		lock and [esi],	eax

loc_555284:				; CODE XREF: PopResumeDeviceIdle+8A2E4j
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
PopResumeDeviceIdle endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteSessionAddressSpace(x, x)
_MiDeleteSessionAddressSpace@8 proc near ; CODE	XREF: MiDereferenceSessionFinal+118p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		mov	[ebp+var_C], edx
		mov	edi, eax
		mov	[ebp+var_8], eax
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		push	3
		sub	edi, 40000000h
		pop	ebx

loc_5552B7:				; CODE XREF: MiDeleteSessionAddressSpace(x,x)+65j
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	esi, ecx, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		inc	word ptr [esi+14h]
		lea	ecx, [esi+10h]
		mov	edx, 7FFFFFFFh
		lock and [ecx],	edx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	edi, [edi+8]
		sub	ebx, 1
		jnz	short loc_5552B7
		mov	edi, [ebp+var_8]
		lea	esi, [edi+0C0h]
		mov	ecx, esi
		call	MiDrainSystemAccessLog
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_55531B
		lea	eax, [esi+80h]

loc_55531B:				; CODE XREF: MiDeleteSessionAddressSpace(x,x)+83j
		push	eax
		mov	[ebp+var_8], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_8]
		mov	ebx, [ebp+var_C]
		mov	[ebp+var_1], al
		and	dword ptr [ecx+4], 0
		test	byte ptr [edi+4], 10h
		jz	short loc_555341
		mov	ecx, esi
		call	_MiDeleteWorkingSetList@4 ; MiDeleteWorkingSetList(x)
		mov	al, [ebp+var_1]

loc_555341:				; CODE XREF: MiDeleteSessionAddressSpace(x,x)+A5j
		mov	dl, al
		mov	ecx, esi
		call	MiUnlockWorkingSetExclusive
		push	ebx
		push	0
		push	0
		push	0FFBFFFFFh
		push	dword_6D07D0
		mov	dl, 21h
		mov	ecx, esi
		call	_MiDeletePagablePteRange@28 ; MiDeletePagablePteRange(x,x,x,x,x,x,x)
		mov	ecx, edi
		call	_MiDeleteTopLevelSessionMapping@4 ; MiDeleteTopLevelSessionMapping(x)
		add	dword ptr [ebx+4], 0FFFFFFFDh
		add	dword ptr [ebx+0Ch], 0FFFFFFFEh
		add	dword ptr [ebx], 0FFFFFFFEh
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiDeleteSessionAddressSpace@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteTopLevelSessionMapping(x)
_MiDeleteTopLevelSessionMapping@4 proc near
					; CODE XREF: MiDeleteSessionAddressSpace(x,x)+D5p

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_A0]
		push	ebx		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		mov	edi, dword_6D05D4
		lea	ecx, [esi+0C0h]
		shr	edi, 12h
		add	esp, 0Ch
		and	edi, 3FF8h
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_A0], 2
		mov	esi, offset unk_6D3C40
		mov	[ebp+var_9C], bx
		mov	[ebp+var_90], ebx
		lea	eax, [edi-3FA00000h]
		mov	[ebp+var_98], 21h
		shl	eax, 9
		mov	[ebp+var_A4], eax
		mov	al, [ecx+60h]
		and	al, 7
		mov	[ebp+var_8C], ebx
		cmp	al, 2
		jz	short loc_555410
		lea	esi, [ecx+80h]

loc_555410:				; CODE XREF: MiDeleteTopLevelSessionMapping(x)+8Ej
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	edx, [ebp+var_A4]
		lea	ecx, [ebp+var_A0]
		and	dword ptr [esi+4], 0
		mov	bl, al
		push	0
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		nop
		push	ds:dword_40F9FC
		lea	ecx, [edi-3FA00000h]
		push	ds:_ZeroPte
		call	MiWriteTopLevelPxe
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		mov	ecx, [ebp+var_A8]
		mov	dl, bl
		call	MiUnlockWorkingSetExclusive
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiDeleteTopLevelSessionMapping@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSessionUnlinkProcess proc near	; CODE XREF: MiDereferenceSessionFinal+108p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0055551D SIZE 0000006E BYTES
; FUNCTION CHUNK AT 005DF539 SIZE 000000D5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		mov	ecx, offset dword_6D3540
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, edx
		stosd
		lea	edx, [ebp+var_C]
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esi+124h]
		add	esi, 120h
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_5554E9
		cmp	[eax], esi
		pop	edi
		pop	esi
		jnz	short loc_5554E9
		mov	[eax], ecx
		mov	[ecx+4], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5DF539
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5DF551
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5DF549

loc_5554DE:				; CODE XREF: MiSessionUnlinkProcess+8A0D4j
					; MiSessionUnlinkProcess+8A0F1j
		mov	cl, byte ptr [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn
; 

loc_5554E9:				; CODE XREF: MiSessionUnlinkProcess+32j
					; MiSessionUnlinkProcess+38j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

ExPoolCleanupExpansionTable:		; CODE XREF: MiCheckSessionPoolAllocations()+8Ap
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	eax, 6C6F6F50h
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], edi
		mov	[ebp+var_4], eax
		cmp	ds:_PoolHitTag,	eax
		jnz	loc_5DF566
		int	3		; Trap to Debugger
		jmp	loc_5DF566
MiSessionUnlinkProcess endp

; 
; START	OF FUNCTION CHUNK FOR MiSessionUnlinkProcess

loc_55551D:				; CODE XREF: MiSessionUnlinkProcess+8A15Cj
					; MiSessionUnlinkProcess+8A176j ...
		imul	edx, ecx, 30h
		mov	[ebp+var_C], edx
		mov	eax, [edx+ebx]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_4]
		cmp	[ebp+var_8], eax
		jnz	loc_5DF5D1
		lea	edi, [ebx+10h]
		add	edi, edx

loc_55553A:				; CODE XREF: MiSessionUnlinkProcess+E5j
					; MiSessionUnlinkProcess+EAj
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_14], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_55553A
		cmp	edx, [ebp+var_14]
		jnz	short loc_55553A
		mov	eax, [ebp+var_C]
		mov	edi, [ebp+var_18]
		add	eax, 4
		add	eax, [ebp+var_1C]
		neg	edi
		lock xadd [eax], edi
		mov	esi, [ebp+var_20]

loc_555571:				; CODE XREF: MiSessionUnlinkProcess+8A199j
		mov	ecx, esi
		call	ExGetHeapFromVA
		xor	ecx, ecx
		mov	edx, esi
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, eax
		call	RtlpHpFreeHeap
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; END OF FUNCTION CHUNK	FOR MiSessionUnlinkProcess
; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RtlHpHeapManagerCleanup(x)
_RtlHpHeapManagerCleanup@4 proc	near	; CODE XREF: ExCleanupSessionHeapManager()+39p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		push	3
		pop	edi
		lea	esi, [ebx+1C50h]

loc_55559C:				; CODE XREF: RtlHpHeapManagerCleanup(x)+1Cj
		mov	ecx, [esi]
		test	ecx, ecx
		jnz	short loc_5555BD

loc_5555A2:				; CODE XREF: RtlHpHeapManagerCleanup(x)+36j
		add	esi, 8
		sub	edi, 1
		jnz	short loc_55559C
		lea	ecx, [ebx+8]
		call	_RtlCSparseBitmapCleanup@4 ; RtlCSparseBitmapCleanup(x)
		pop	edi
		pop	esi
		lea	ecx, [ebx+40h]
		pop	ebx
		jmp	_RtlCSparseBitmapCleanup@4 ; RtlCSparseBitmapCleanup(x)
; 

loc_5555BD:				; CODE XREF: RtlHpHeapManagerCleanup(x)+14j
		call	RtlpHpHeapDestroy
		jmp	short loc_5555A2
_RtlHpHeapManagerCleanup@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExCleanupSessionHeapManager()
_ExCleanupSessionHeapManager@0 proc near
					; CODE XREF: ExInitializeSessionHeapManager:loc_55F478p
					; MiDereferenceSessionFinal+97p ...
		mov	eax, large fs:124h
		push	esi
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	esi, [eax+1D8h]
		mov	ecx, [esi+1C78h]
		test	ecx, ecx
		jz	short loc_5555EC
		call	RtlpHpHeapDestroy

loc_5555EC:				; CODE XREF: ExCleanupSessionHeapManager()+21j
		mov	ecx, [esi+1C7Ch]
		test	ecx, ecx
		jz	short loc_5555FB
		call	RtlpHpHeapDestroy

loc_5555FB:				; CODE XREF: ExCleanupSessionHeapManager()+30j
		mov	ecx, esi
		call	_RtlHpHeapManagerCleanup@4 ; RtlHpHeapManagerCleanup(x)
		push	65537048h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
_ExCleanupSessionHeapManager@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpHeapDestroy proc near		; CODE XREF: RtlHpHeapManagerCleanup(x):loc_5555BDp
					; ExCleanupSessionHeapManager()+23p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DF60E SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		lea	esi, [ecx+44h]
		mov	[ebp+var_4], ecx
		test	byte ptr [esi+4], 1
		mov	eax, [esi]
		push	edi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], esi
		jnz	loc_5DF60E

loc_555637:				; CODE XREF: RtlpHpHeapDestroy+8A004j
					; RtlpHpHeapDestroy+8A00Bj
		mov	cl, [esi+4]
		movzx	ebx, cl
		and	ebx, 1
		test	eax, eax
		jz	short loc_555699
		mov	esi, [ebp+var_C]

loc_555647:				; CODE XREF: RtlpHpHeapDestroy+64j
					; RtlpHpHeapDestroy+81j ...
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_555657
		mov	edx, eax
		test	ebx, ebx
		jnz	short loc_55566F
		mov	eax, ecx
		jmp	short loc_555671
; 

loc_555657:				; CODE XREF: RtlpHpHeapDestroy+3Bj
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_555676
		mov	edx, eax
		test	ebx, ebx
		jnz	loc_555750
		mov	eax, ecx
		jmp	loc_555752
; 

loc_55566F:				; CODE XREF: RtlpHpHeapDestroy+41j
		xor	eax, ecx

loc_555671:				; CODE XREF: RtlpHpHeapDestroy+45j
		and	dword ptr [edx], 0
		jmp	short loc_555647
; 

loc_555676:				; CODE XREF: RtlpHpHeapDestroy+4Cj
		mov	edi, [eax+8]
		and	edi, 0FFFFFFFCh
		test	ebx, ebx
		jnz	loc_5DF620

loc_555684:				; CODE XREF: RtlpHpHeapDestroy+8A012j
					; RtlpHpHeapDestroy+8A01Aj
		push	esi
		push	eax
		call	_RtlpHpLargeAllocationDestroy@8	; RtlpHpLargeAllocationDestroy(x,x)
		test	edi, edi
		jz	short loc_555693
		mov	eax, edi
		jmp	short loc_555647
; 

loc_555693:				; CODE XREF: RtlpHpHeapDestroy+7Dj
		mov	esi, [ebp+var_10]
		mov	cl, [esi+4]

loc_555699:				; CODE XREF: RtlpHpHeapDestroy+32j
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		test	cl, 1
		jnz	loc_55575B

loc_5556A9:				; CODE XREF: RtlpHpHeapDestroy+14Fj
		mov	edi, [ebp+var_4]
		lea	ebx, [edi+210h]

loc_5556B2:				; CODE XREF: RtlpHpHeapDestroy+C6j
		mov	esi, [ebx]
		test	esi, esi
		jz	short loc_5556D8
		xor	esi, ebx
		lea	ecx, [edi+200h]
		mov	edx, esi
		call	_RtlpHpVsSubsegmentCleanup@8 ; RtlpHpVsSubsegmentCleanup(x,x)
		push	1
		mov	edx, esi
		lea	ecx, [edi+200h]
		call	_RtlpHpVsSubsegmentFree@12 ; RtlpHpVsSubsegmentFree(x,x,x)
		jmp	short loc_5556B2
; 

loc_5556D8:				; CODE XREF: RtlpHpHeapDestroy+A6j
		mov	ecx, [ebp+var_4]
		lea	ecx, [ecx+2C0h]
		call	_RtlpHpLfhContextCleanup@4 ; RtlpHpLfhContextCleanup(x)
		mov	ecx, [ebp+var_4]
		lea	ecx, [ecx+100h]
		call	_RtlpHpSegContextCleanup@4 ; RtlpHpSegContextCleanup(x)
		mov	ecx, [ebp+var_4]
		lea	ecx, [ecx+180h]
		call	_RtlpHpSegContextCleanup@4 ; RtlpHpSegContextCleanup(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	eax, [ecx+4]
		mov	edx, [ecx]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+0C0h]
		sub	eax, ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], eax
		test	byte ptr [ecx+16h], 1
		push	dword ptr [ecx+4]
		push	dword ptr [ecx]
		jnz	short loc_555764
		cmp	dh, 2
		lea	ecx, [ebp+var_4]
		lea	edx, [ebp+var_8]
		sbb	eax, eax
		and	eax, 1000000h
		add	eax, 8000h
		push	eax
		call	_RtlpHpFreeVA@20 ; RtlpHpFreeVA(x,x,x,x,x)

loc_555744:				; CODE XREF: RtlpHpHeapDestroy+159j
		xor	edx, edx
		lea	ecx, [ebp+var_14]
		call	_RtlpHpRegisterEnvironment@8 ; RtlpHpRegisterEnvironment(x,x)
		leave
		retn
; 

loc_555750:				; CODE XREF: RtlpHpHeapDestroy+52j
		xor	eax, ecx

loc_555752:				; CODE XREF: RtlpHpHeapDestroy+5Aj
		and	dword ptr [edx+4], 0
		jmp	loc_555647
; 

loc_55575B:				; CODE XREF: RtlpHpHeapDestroy+93j
		mov	byte ptr [esi+4], 1
		jmp	loc_5556A9
; 

loc_555764:				; CODE XREF: RtlpHpHeapDestroy+117j
		call	_RtlpHpMetadataFree@12 ; RtlpHpMetadataFree(x,x,x)
		jmp	short loc_555744
RtlpHpHeapDestroy endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RtlpHpSegContextCleanup(x)
_RtlpHpSegContextCleanup@4 proc	near	; CODE XREF: RtlpHpHeapDestroy+DFp
					; RtlpHpHeapDestroy+EDp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+44h]

loc_555775:				; CODE XREF: RtlpHpSegContextCleanup(x)+2Ej
		cmp	[esi], esi
		jz	short loc_55579C
		mov	edx, [esi+4]
		cmp	[edx], esi
		jnz	short loc_55579F
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	short loc_55579F
		push	1
		mov	[esi+4], eax
		mov	ecx, edi
		push	7FFFFFFFh
		mov	[eax], esi
		call	RtlpHpSegSegmentFree
		jmp	short loc_555775
; 

loc_55579C:				; CODE XREF: RtlpHpSegContextCleanup(x)+Bj
		pop	edi
		pop	esi
		retn
; 

loc_55579F:				; CODE XREF: RtlpHpSegContextCleanup(x)+12j
					; RtlpHpSegContextCleanup(x)+19j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_RtlpHpSegContextCleanup@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegSegmentFree proc near		; CODE XREF: RtlpHpSegContextCleanup(x)+29p
					; RtlpHpSegContextCompact+FEA34p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DF62F SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	esi, [edi]
		not	esi
		inc	esi
		cmp	[ebp+arg_4], 0
		jz	short loc_5557E4
		mov	eax, [edi+20h]
		mov	edx, [edi+1Ch]
		push	eax
		push	edx
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		mov	edx, ebx
		shr	esi, 14h
		add	esi, esi
		push	esi
		sub	edx, [eax+4]
		lea	ecx, [eax+8]
		shr	edx, 14h
		add	edx, edx
		call	RtlCSparseBitmapBitsClear

loc_5557E4:				; CODE XREF: RtlpHpSegSegmentFree+19j
		mov	al, [edi+9]
		and	al, 7
		cmp	al, 1
		mov	eax, [ebp+arg_0]
		jnb	loc_5DF62F

loc_5557F4:				; CODE XREF: RtlpHpSegSegmentFree+89E90j
					; RtlpHpSegSegmentFree+89E9Fj
		push	eax
		mov	edx, ebx
		mov	ecx, edi
		call	RtlpHpSegMgrRelease
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
RtlpHpSegSegmentFree endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegMgrRelease proc near		; CODE XREF: RtlpHpSegSegmentFree+55p
					; RtlpHpSegMgrAllocate+DD185p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DF648 SIZE 000000B1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_C], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	[esp+20h+var_8], ebx
		mov	edi, [esi]
		mov	al, [esi+9]
		not	edi
		inc	edi
		and	al, 7
		mov	[esp+20h+var_10], edi
		cmp	al, 1
		jnb	loc_5DF648

loc_555839:				; CODE XREF: RtlpHpSegMgrRelease+89EECj
		test	ebx, ebx
		jz	short loc_555855
		push	dword ptr [esi+20h]
		lea	edx, [esp+24h+var_10]
		push	dword ptr [esi+1Ch]
		lea	ecx, [esp+28h+var_8]
		push	8000h
		call	_RtlpHpFreeVA@20 ; RtlpHpFreeVA(x,x,x,x,x)

loc_555855:				; CODE XREF: RtlpHpSegMgrRelease+33j
					; RtlpHpSegMgrRelease+89E7Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
RtlpHpSegMgrRelease endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhContextCleanup(x)
_RtlpHpLfhContextCleanup@4 proc	near	; CODE XREF: RtlpHpHeapDestroy+D1p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, 81h
		mov	[ebp+var_C], ebx
		lea	esi, [edi+80h]
		mov	[ebp+var_8], esi

loc_55587C:				; CODE XREF: RtlpHpLfhContextCleanup(x)+30j
		mov	eax, [esi]
		test	al, 1
		jz	short loc_555895

loc_555882:				; CODE XREF: RtlpHpLfhContextCleanup(x)+73j
		add	esi, 4
		sub	ebx, 1
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], ebx
		jnz	short loc_55587C
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_555895:				; CODE XREF: RtlpHpLfhContextCleanup(x)+22j
		mov	edx, [esi]
		and	[ebp+var_10], 0
		mov	[ebp+var_4], edx
		movzx	eax, byte ptr [edx+2]
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_5558CA
		mov	esi, [ebp+var_10]
		mov	ebx, edx

loc_5558AE:				; CODE XREF: RtlpHpLfhContextCleanup(x)+61j
		mov	edx, [ebx+34h]
		mov	ecx, edi
		mov	edx, [edx+esi*4]
		call	RtlpHpLfhOwnerCleanup
		inc	esi
		cmp	esi, [ebp+var_14]
		jb	short loc_5558AE
		mov	esi, [ebp+var_8]
		mov	ebx, [ebp+var_C]
		mov	edx, [ebp+var_4]

loc_5558CA:				; CODE XREF: RtlpHpLfhContextCleanup(x)+49j
		mov	ecx, edi
		call	RtlpHpLfhOwnerCleanup
		jmp	short loc_555882
_RtlpHpLfhContextCleanup@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpLfhOwnerCleanup proc near		; CODE XREF: RtlpHpLfhContextCleanup(x)+58p
					; RtlpHpLfhContextCleanup(x)+6Ep

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DF6F9 SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		movzx	eax, byte ptr [edi+1]
		lea	ecx, [edi+14h]
		mov	eax, [ebx+eax*4+80h]
		mov	[ebp+var_4], eax
		mov	eax, [ecx]
		cmp	eax, ecx
		jnz	loc_5DF6F9

loc_5558FC:				; CODE XREF: RtlpHpLfhOwnerCleanup+89E7Fj
		lea	esi, [edi+0Ch]

loc_5558FF:				; CODE XREF: RtlpHpLfhOwnerCleanup+75j
		mov	edx, [esi]
		xor	ecx, ecx
		cmp	edx, esi
		jnz	short loc_55590C
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55590C:				; CODE XREF: RtlpHpLfhOwnerCleanup+31j
		cmp	[edx+4], esi
		jnz	short loc_55594B
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_55594B
		mov	[esi], eax
		mov	[eax+4], esi
		cmp	[edx+10h], cx
		jbe	short loc_555926
		dec	dword ptr [edi+4]

loc_555926:				; CODE XREF: RtlpHpLfhOwnerCleanup+4Dj
		mov	ax, [edx+12h]
		xor	ecx, ecx
		mov	[edx+10h], ax
		inc	ecx
		movzx	eax, word ptr [edx+1Eh]
		push	0
		push	[ebp+var_4]
		mov	byte ptr [edx+16h], 2
		mov	[eax+edx], cx
		mov	ecx, ebx
		call	_RtlpHpLfhSubsegmentFree@16 ; RtlpHpLfhSubsegmentFree(x,x,x,x)
		jmp	short loc_5558FF
; 

loc_55594B:				; CODE XREF: RtlpHpLfhOwnerCleanup+3Bj
					; RtlpHpLfhOwnerCleanup+42j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
RtlpHpLfhOwnerCleanup endp		; AL = character to display


;  S U B	R O U T	I N E 


MiFreeSessionSpaceMap proc near		; CODE XREF: MiDereferenceSessionFinal+8Bp

; FUNCTION CHUNK AT 005DF758 SIZE 00000023 BYTES

		mov	eax, large fs:124h
		xor	ecx, ecx
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		cmp	[eax+78h], ecx
		jnz	loc_5DF758
		retn
MiFreeSessionSpaceMap endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlinkSessionWorkingSet proc near	; CODE XREF: MiDereferenceSessionFinal+61p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005DF77B SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	ecx, [esi+0C0h]
		lea	edx, [ebp+var_C]
		call	MiUnlinkWorkingSet
		test	ds:byte_70EFC6,	1
		jnz	loc_5DF76B
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5DF783
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5DF77B

loc_5559CC:				; CODE XREF: MiFreeSessionSpaceMap+89E26j
					; MiUnlinkSessionWorkingSet+89E25j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		leave
		retn
MiUnlinkSessionWorkingSet endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMarkSessionDeletePending proc	near	; CODE XREF: MiDereferenceSessionFinal+2Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005DF798 SIZE 000000CB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		or	dword ptr [esi+4], 2
		xor	edi, edi
		cmp	[esi+3Ch], edi
		jnz	loc_5DF798
		test	ds:byte_70EFC6,	1
		jnz	loc_5DF83A
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5DF852
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5DF84A

loc_555A3A:				; CODE XREF: MiMarkSessionDeletePending+89E6Bj
					; MiMarkSessionDeletePending+89E84j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_555A43:				; CODE XREF: MiMarkSessionDeletePending+89E4Dj
					; MiMarkSessionDeletePending+89E5Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiMarkSessionDeletePending endp


;  S U B	R O U T	I N E 


; __stdcall PopDiagGetDriverName(x, x, x)
_PopDiagGetDriverName@12 proc near	; CODE XREF: PopDiagTraceIrpFinish(x)+158p
					; PopDiagTraceDeviceAcquireIrp(x,x)+5Ap ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		test	ecx, ecx
		jz	short loc_555A76
		mov	eax, [ecx+8]
		mov	ecx, [eax+20h]
		test	ecx, ecx
		jz	short loc_555A76
		movzx	eax, word ptr [eax+1Ch]
		test	ax, ax
		jz	short loc_555A76
		push	eax
		push	ecx
		mov	edx, 80h
		mov	ecx, esi
		call	_RtlStringCbCopyNW@16 ;	RtlStringCbCopyNW(x,x,x,x)

loc_555A72:				; CODE XREF: PopDiagGetDriverName(x,x,x)+33j
		pop	esi
		retn	4
; 

loc_555A76:				; CODE XREF: PopDiagGetDriverName(x,x,x)+7j
					; PopDiagGetDriverName(x,x,x)+11j ...
		mov	eax, 0C0000001h
		jmp	short loc_555A72
_PopDiagGetDriverName@12 endp

; 
		align 2

MiOrderTrimList:			; CODE XREF: .text:00516C30p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp-98h], edx
		lea	edi, [ebp-24h]
		mov	edx, ecx
		xor	eax, eax
		push	8
		pop	ecx
		rep stosd
		lea	edi, [edx+0F04h]
		mov	[ebp-0A0h], edx
		mov	[ebp-0A4h], edi
		cmp	[edi], edi
		jz	loc_555CE5
		mov	eax, [edx+0F00h]
		and	dword ptr [ebp-90h], 0
		push	0Ch
		mov	[ebp-9Ch], eax
		lea	eax, [ebp-88h]
		pop	ecx

loc_555ADE:				; CODE XREF: .text:00555AE9j
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		sub	ecx, 1
		jnz	short loc_555ADE

loc_555AEB:				; CODE XREF: .text:00555BE7j
		mov	ebx, [edi]
		cmp	ebx, edi
		jz	loc_555BEC
		cmp	[ebx+4], edi
		jnz	loc_555CE9
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	loc_555CE9
		lea	esi, [ebx-10h]
		mov	[edi], eax
		lea	edx, [ebp-24h]
		mov	[eax+4], edi
		mov	ecx, esi
		call	MiUpdateClaimDistribution
		mov	ecx, [ebp-98h]
		test	ecx, ecx
		jz	loc_5DF863
		xor	eax, eax
		mov	[ebp-94h], eax
		cmp	ecx, 8
		jnb	short loc_555B55
		add	ecx, 6
		push	8
		lea	edx, [esi+ecx*4]
		pop	ecx
		sub	ecx, [ebp-98h]

loc_555B45:				; CODE XREF: .text:00555B4Dj
		add	eax, [edx]
		lea	edx, [edx+4]
		sub	ecx, 1
		jnz	short loc_555B45

loc_555B4F:				; CODE XREF: .text:005DF873j
		mov	[ebp-94h], eax

loc_555B55:				; CODE XREF: .text:00555B34j
		mov	al, [esi+60h]
		mov	[ebp-89h], al
		test	al, 7
		jnz	short loc_555B75
		lea	ecx, [esi-240h]
		call	_MiIsStoreProcess@4 ; MiIsStoreProcess(x)
		test	eax, eax
		jnz	loc_555CC9

loc_555B75:				; CODE XREF: .text:00555B60j
		cmp	byte ptr [esi+62h], 2
		jz	loc_5DF878

loc_555B7F:				; CODE XREF: .text:005DF881j
		mov	edx, [ebp-94h]
		test	edx, edx
		jz	loc_555CDD
		test	byte ptr [ebp-89h], 80h
		jnz	loc_555CD1

loc_555B9A:				; CODE XREF: .text:00555CD7j
		xor	ecx, ecx

loc_555B9C:				; CODE XREF: .text:00555BABj
		mov	eax, 80000h
		shr	eax, cl
		cmp	edx, eax
		jnb	short loc_555BAD
		inc	ecx
		cmp	ecx, 9
		jb	short loc_555B9C

loc_555BAD:				; CODE XREF: .text:00555BA5j
					; .text:00555CE0j
		cmp	ecx, 0Ah
		jnb	short loc_555BC9
		mov	esi, [ebp-90h]
		lea	eax, [esi+edx]
		cmp	eax, esi
		jb	loc_5DF88E
		mov	[ebp-90h], eax

loc_555BC9:				; CODE XREF: .text:00555BB0j
					; .text:00555CCCj ...
		lea	eax, [ebp-88h]
		lea	eax, [eax+ecx*8]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_555CE9
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[ecx+4], ebx
		mov	[eax], ebx
		jmp	loc_555AEB
; 

loc_555BEC:				; CODE XREF: .text:00555AEFj
		xor	ebx, ebx
		lea	ecx, [ebp-88h]
		mov	eax, ebx

loc_555BF6:				; CODE XREF: .text:00555C07j
		mov	esi, [ecx]
		lea	edx, [eax+1]
		cmp	esi, ecx
		jnz	short loc_555C0B
		mov	eax, edx
		add	ecx, 8
		cmp	eax, 0Ch
		jb	short loc_555BF6
		jmp	short loc_555C69
; 

loc_555C0B:				; CODE XREF: .text:00555BFDj
		mov	[edi], esi
		mov	[esi+4], edi
		cmp	edx, 0Ch
		jnb	short loc_555C54
		mov	edi, eax
		shl	edi, 3

loc_555C1A:				; CODE XREF: .text:00555C4Aj
		mov	esi, edx
		lea	ecx, [ebp-88h]
		shl	esi, 3
		add	ecx, esi
		mov	ebx, [ecx]
		cmp	ebx, ecx
		jz	short loc_555C46
		mov	eax, [ebp+edi-84h]
		mov	[eax], ebx
		mov	ecx, [ecx]
		mov	eax, [ebp+edi-84h]
		mov	edi, esi
		mov	[ecx+4], eax
		mov	eax, edx

loc_555C46:				; CODE XREF: .text:00555C2Bj
		inc	edx
		cmp	edx, 0Ch
		jb	short loc_555C1A
		mov	edi, [ebp-0A4h]
		xor	ebx, ebx

loc_555C54:				; CODE XREF: .text:00555C13j
		mov	eax, [ebp+eax*8-84h]
		mov	ecx, [ebp-0A0h]
		mov	[ecx+0F08h], eax
		mov	[eax], edi

loc_555C69:				; CODE XREF: .text:00555C09j
		mov	edi, [ebp-9Ch]
		lea	esi, [ebp-24h]
		push	8
		pop	ecx
		add	edi, 4E4h
		rep movsd
		mov	edi, [ebp-9Ch]
		push	2
		pop	esi
		lea	edx, [edi+4FCh]

loc_555C8C:				; CODE XREF: .text:00555C94j
		add	ebx, [edx]
		lea	edx, [edx+4]
		sub	esi, 1
		jnz	short loc_555C8C
		mov	ecx, [ebp-0A0h]
		xor	edx, edx
		mov	[edi+4E0h], ebx
		call	MiComputeAgeDistribution
		mov	[edi+4BEh], ax
		mov	eax, [ebp-90h]
		mov	byte ptr [edi+2Eh], 1

loc_555CBA:				; CODE XREF: .text:00555CE7j
		mov	ecx, [ebp-4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_555CC9:				; CODE XREF: .text:00555B6Fj
		push	0Bh

loc_555CCB:				; CODE XREF: .text:005DF889j
		pop	ecx
		jmp	loc_555BC9
; 

loc_555CD1:				; CODE XREF: .text:00555B94j
		mov	eax, [esi+48h]
		cmp	eax, [esi+3Ch]
		ja	loc_555B9A

loc_555CDD:				; CODE XREF: .text:00555B87j
		push	0Bh
		pop	ecx
		jmp	loc_555BAD
; 

loc_555CE5:				; CODE XREF: .text:00555ABCj
		xor	eax, eax
		jmp	short loc_555CBA
; 

loc_555CE9:				; CODE XREF: .text:00555AF8j
					; .text:00555B03j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		dd 0CCCCCCCCh
; Exported entry 1019. IoTestDependency

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoTestDependency(x,	x, x, x)
		public _IoTestDependency@16
_IoTestDependency@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		xor	esi, esi
		push	edi
		test	eax, eax
		jz	short loc_555D4A
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_555D4A
		cmp	eax, ecx
		jz	short loc_555D4A
		mov	eax, [eax+0B0h]
		mov	edi, [eax+2Ch]
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+2Ch]
		test	edi, edi
		jz	short loc_555D3E
		test	edx, edx
		jz	short loc_555D3E
		push	[ebp+arg_C]
		mov	ecx, edi
		push	[ebp+arg_8]
		call	PipFindDependencyNodePath

loc_555D36:				; CODE XREF: IoTestDependency(x,x,x,x)+54j
					; IoTestDependency(x,x,x,x)+5Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_555D3E:				; CODE XREF: IoTestDependency(x,x,x,x)+2Fj
					; IoTestDependency(x,x,x,x)+33j
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		mov	eax, [ebp+arg_C]
		mov	[eax], esi
		jmp	short loc_555D36
; 

loc_555D4A:				; CODE XREF: IoTestDependency(x,x,x,x)+Ej
					; IoTestDependency(x,x,x,x)+15j ...
		mov	esi, 0C000000Dh
		jmp	short loc_555D36
_IoTestDependency@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipFindDependencyNodePath proc near	; CODE XREF: IoTestDependency(x,x,x,x)+3Dp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DF89A SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PiDependencyEdgeWriteLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	[ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	PipDependencyGraphDepthFirstSearch
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PiDependencyEdgeWriteLock
		jnz	loc_5DF89A
		xor	eax, eax
		lock and [ecx],	eax

loc_555D9C:				; CODE XREF: PipFindDependencyNodePath+89B50j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_4], 0
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		jnz	loc_5DF8A7
		and	dword ptr [eax], 0

locret_555DB7:				; CODE XREF: PipFindDependencyNodePath+89B61j
		leave
		retn	8
PipFindDependencyNodePath endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipDependencyGraphDepthFirstSearch proc	near ; CODE XREF: PipFindDependencyNodePath+2Ep
					; PipDependencyGraphDepthFirstSearch+89B08p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DF8B8 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_4], edx
		and	dword ptr [eax], 0
		and	dword ptr [edi], 0
		cmp	ecx, edx
		jz	short loc_555DEE
		push	ebx
		lea	ebx, [ecx+8]
		push	esi
		mov	esi, [ebx]

loc_555DDD:				; CODE XREF: PipDependencyGraphDepthFirstSearch+89B17j
		cmp	esi, ebx
		jnz	loc_5DF8B8
		xor	al, al

loc_555DE7:				; CODE XREF: PipDependencyGraphDepthFirstSearch+89B2Bj
		pop	esi
		pop	ebx

loc_555DE9:				; CODE XREF: PipDependencyGraphDepthFirstSearch+34j
		pop	edi
		leave
		retn	8
; 

loc_555DEE:				; CODE XREF: PipDependencyGraphDepthFirstSearch+18j
		mov	al, 1
		jmp	short loc_555DE9
PipDependencyGraphDepthFirstSearch endp


;  S U B	R O U T	I N E 


; __stdcall PopThermalSxEntry()
_PopThermalSxEntry@0 proc near		; CODE XREF: PAGELK:0071F01Ep
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopSystemThermalInfo
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		push	4
		pop	ecx
		mov	dword_6C1F84, eax
		call	PopThermalStandbyEndTracking
		xor	ebx, ebx
		cmp	dword_6C1F84, ebx
		jz	short loc_555E34
		mov	dword_6C1F84, ebx

loc_555E34:				; CODE XREF: PopThermalSxEntry()+3Aj
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopThermal
		jmp	short loc_555E83
; 

loc_555E64:				; CODE XREF: PopThermalSxEntry()+DFj
					; PopThermalSxEntry()+F6j
		mov	byte ptr [esi+180h], 1
		cmp	[edi+4], ebx
		jz	short loc_555E73
		mov	[edi+4], ebx

loc_555E73:				; CODE XREF: PopThermalSxEntry()+7Cj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	esi, [esi]

loc_555E83:				; CODE XREF: PopThermalSxEntry()+70j
		cmp	esi, offset _PopThermal
		jz	short loc_555EED
		mov	eax, large fs:124h
		lea	edi, [esi+150h]
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+4], eax
		cmp	[esi+71h], bl
		jz	short loc_555ECB
		mov	dl, [esi+30h]
		lea	ecx, [esi+180h]
		call	_PopThermalUpdatePassiveTimeTracking@8 ; PopThermalUpdatePassiveTimeTracking(x,x)
		mov	ecx, esi
		call	PopTraceThermalZonePassiveHistogram

loc_555ECB:				; CODE XREF: PopThermalSxEntry()+C2j
		cmp	[esi+181h], bl
		jbe	short loc_555E64
		mov	dl, [esi+25h]
		lea	ecx, [esi+180h]
		call	_PopThermalUpdateActiveTimeTracking@8 ;	PopThermalUpdateActiveTimeTracking(x,x)
		mov	ecx, esi
		call	PopTraceThermalZoneActiveActivity
		jmp	loc_555E64
; 

loc_555EED:				; CODE XREF: PopThermalSxEntry()+97j
		cmp	dword_6C2044, ebx
		jnz	short loc_555F10

loc_555EF5:				; CODE XREF: PopThermalSxEntry()+124j
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	cl, 1
		pop	edi
		pop	esi
		pop	ebx
		jmp	PopCoolingSxTransition
; 

loc_555F10:				; CODE XREF: PopThermalSxEntry()+101j
		mov	dword_6C2044, ebx
		jmp	short loc_555EF5
_PopThermalSxEntry@0 endp


;  S U B	R O U T	I N E 


PopThermalSxExit proc near		; CODE XREF: PAGELK:0071F2E6p
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		cmp	_PoResumeFromHibernate,	bl
		jz	short loc_555F3D
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	_PopThermalHibernateInitiated, bl
		jnz	sub_5DF8EC

loc_555F38:				; CODE XREF: sub_5DF8EC+16j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_555F3D:				; CODE XREF: PopThermalSxExit+Dj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopThermal

loc_555F5D:				; CODE XREF: PopThermalSxExit+B0j
		cmp	esi, offset _PopThermal
		jz	short loc_555FCA
		mov	eax, large fs:124h
		lea	edi, [esi+150h]
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+4], eax
		call	KeQueryInterruptTime
		mov	[esi+188h], eax
		mov	[esi+190h], eax
		mov	eax, edx
		mov	[esi+18Ch], edx
		mov	[esi+194h], eax
		mov	[esi+180h], bl
		cmp	[edi+4], ebx
		jz	short loc_555FB8
		mov	[edi+4], ebx

loc_555FB8:				; CODE XREF: PopThermalSxExit+9Bj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	esi, [esi]
		jmp	short loc_555F5D
; 

loc_555FCA:				; CODE XREF: PopThermalSxExit+4Bj
		cmp	dword_6C2044, ebx
		jnz	short loc_555FED

loc_555FD2:				; CODE XREF: PopThermalSxExit+DBj
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	cl, cl
		pop	edi
		pop	esi
		pop	ebx
		jmp	PopCoolingSxTransition
; 

loc_555FED:				; CODE XREF: PopThermalSxExit+B8j
		mov	dword_6C2044, ebx
		jmp	short loc_555FD2
PopThermalSxExit endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopTraceThermalZonePassiveHistogram proc near ;	CODE XREF: PopThermalSxEntry()+D4p
					; PopThermalTelemetryWorker(x)+68p ...

var_D0		= dword	ptr -0D0h
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DF907 SIZE 00000081 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, ecx
		mov	edx, 67446F50h
		push	esi
		push	edi
		mov	ecx, [ebx+18h]
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	loc_5DF907
		mov	ecx, [esi+0B0h]
		mov	edi, [ecx+14h]

loc_556030:				; CODE XREF: PopTraceThermalZonePassiveHistogram+89913j
		test	edi, edi
		jz	short loc_556083
		lea	ecx, [ebx+180h]
		lea	edx, [ebp+var_D0]
		call	_PopDiagSnapPassiveHistogram@8 ; PopDiagSnapPassiveHistogram(x,x)
		test	al, al
		jnz	short loc_556052
		cmp	_PopThermalTelemetryVerbosity, 0
		jz	short loc_556083

loc_556052:				; CODE XREF: PopTraceThermalZonePassiveHistogram+51j
		mov	ebx, [ebx+39Ch]
		test	ebx, ebx
		jnz	short loc_556061
		mov	ebx, offset ??_C@_11LOCGONAA@@FNODOBFM@

loc_556061:				; CODE XREF: PopTraceThermalZonePassiveHistogram+64j
		cmp	dword_6B23F8, 5
		jbe	short loc_556083
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_5DF90E

loc_556083:				; CODE XREF: PopTraceThermalZonePassiveHistogram+3Cj
					; PopTraceThermalZonePassiveHistogram+5Aj ...
		test	esi, esi
		jz	short loc_556093
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_556093:				; CODE XREF: PopTraceThermalZonePassiveHistogram+8Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopTraceThermalZonePassiveHistogram endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopCoolingSxTransition proc near	; CODE XREF: PopThermalSxEntry()+119j
					; PopThermalSxExit+D0j

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DF988 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	[ebp+var_1], cl
		mov	ecx, offset _PopCoolingExtensionLock
		push	edi
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		mov	edi, _PopCoolingExtensionList
		jmp	short loc_5560CA
; 

loc_5560C0:				; CODE XREF: PopCoolingSxTransition+45j
		lea	ecx, [edi+10h]
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)

loc_5560C8:				; CODE XREF: PopCoolingSxTransition+34j
		mov	edi, [edi]

loc_5560CA:				; CODE XREF: PopCoolingSxTransition+1Cj
		cmp	edi, offset _PopCoolingExtensionList
		jz	short loc_556138
		cmp	byte ptr [edi+20h], 0
		jz	short loc_5560C8
		lea	ecx, [edi+10h]
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		lea	ebx, [edi+8]
		mov	esi, [ebx]

loc_5560E5:				; CODE XREF: PopCoolingSxTransition+7Bj
		cmp	esi, ebx
		jz	short loc_5560C0
		cmp	byte ptr [esi+0Ah], 0
		jz	short loc_55611B
		cmp	[ebp+var_1], 0
		jz	short loc_55611F
		cmp	dword ptr [edi+44h], 0
		jz	short loc_55610D
		mov	dl, [esi+8]
		lea	ecx, [esi+18h]
		call	_PopThermalUpdatePassiveTimeTracking@8 ; PopThermalUpdatePassiveTimeTracking(x,x)
		mov	ecx, esi
		call	PopTraceThermalRequestPassiveHistogram

loc_55610D:				; CODE XREF: PopCoolingSxTransition+57j
		cmp	dword ptr [edi+40h], 0
		jnz	loc_5DF988

loc_556117:				; CODE XREF: PopCoolingSxTransition+898FCj
		mov	byte ptr [esi+18h], 1

loc_55611B:				; CODE XREF: PopCoolingSxTransition+4Bj
					; PopCoolingSxTransition+94j
		mov	esi, [esi]
		jmp	short loc_5560E5
; 

loc_55611F:				; CODE XREF: PopCoolingSxTransition+51j
		call	KeQueryInterruptTime
		mov	[esi+20h], eax
		mov	[esi+28h], eax
		mov	eax, edx
		mov	[esi+24h], edx
		mov	[esi+2Ch], eax
		mov	byte ptr [esi+18h], 0
		jmp	short loc_55611B
; 

loc_556138:				; CODE XREF: PopCoolingSxTransition+2Ej
		mov	ecx, offset _PopCoolingExtensionLock
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopCoolingSxTransition endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopTraceThermalRequestPassiveHistogram proc near ; CODE	XREF: PopCoolingSxTransition+66p
					; PopCoolingTelemetryWorker()+7Ep ...

var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DF9A3 SIZE 00000087 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_D4], 0
		mov	edx, 67446F50h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	esi, esi
		mov	ecx, [ebx+10h]
		mov	ecx, [ecx+18h]
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	edi, eax
		test	edi, edi
		jz	loc_5DF9A3
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]

loc_55618E:				; CODE XREF: PopTraceThermalRequestPassiveHistogram+8985Dj
		mov	[ebp+var_D8], eax
		test	eax, eax
		jz	loc_556225
		push	ecx
		mov	ecx, [ebx+0Ch]
		lea	eax, [ebp+var_D4]
		push	eax
		xor	edx, edx
		call	PoStoreDiagnosticContext
		push	50455654h
		push	[ebp+var_D4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_556225
		push	ecx
		mov	ecx, [ebx+0Ch]
		lea	eax, [ebp+var_D4]
		push	eax
		mov	edx, esi
		call	PoStoreDiagnosticContext
		test	eax, eax
		js	short loc_556225
		mov	eax, [esi+8]
		lea	ecx, [ebx+18h]
		add	eax, esi
		lea	edx, [ebp+var_D0]
		mov	[ebp+var_D4], eax
		call	_PopDiagSnapPassiveHistogram@8 ; PopDiagSnapPassiveHistogram(x,x)
		test	al, al
		jnz	short loc_556202
		cmp	_PopThermalTelemetryVerbosity, 0
		jz	short loc_556225

loc_556202:				; CODE XREF: PopTraceThermalRequestPassiveHistogram+AFj
		cmp	dword_6B23F8, 5
		jbe	short loc_556225
		push	4000h
		xor	ebx, ebx
		mov	ecx, offset dword_6B23F8
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_5DF9AA

loc_556225:				; CODE XREF: PopTraceThermalRequestPassiveHistogram+4Ej
					; PopTraceThermalRequestPassiveHistogram+7Cj ...
		test	edi, edi
		jz	short loc_556235
		mov	edx, 67446F50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_556235:				; CODE XREF: PopTraceThermalRequestPassiveHistogram+DFj
		test	esi, esi
		jz	short loc_556244
		push	50455654h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_556244:				; CODE XREF: PopTraceThermalRequestPassiveHistogram+EFj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopTraceThermalRequestPassiveHistogram endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoStoreDiagnosticContext proc near	; CODE XREF: PopTraceThermalRequestPassiveHistogram+61p
					; PopTraceThermalRequestPassiveHistogram+8Bp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DFA2A SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax]
		mov	esi, edx
		mov	[ebp+var_C], eax
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	0
		push	eax
		call	_PoStoreRequester@16 ; PoStoreRequester(x,x,x,x)
		mov	ecx, [ebx+1Ch]
		mov	edi, eax
		test	edi, edi
		setns	al
		mov	[ebp+var_1], al
		test	ecx, ecx
		jz	loc_5DFA2A
		mov	edx, [ebp+var_8]
		add	edx, 3
		add	edx, esi
		and	edx, 0FFFFFFFCh
		mov	eax, edx
		sub	eax, esi
		mov	[ebp+var_8], eax
		add	eax, ecx
		cmp	[ebp+var_1], 0
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		jz	short loc_5562D6
		cmp	[ebp+var_C], eax
		jb	short loc_5562D6
		mov	ecx, [ebp+var_8]
		mov	[esi], eax
		lea	eax, [ebx+23h]
		mov	[esi+14h], ecx
		and	eax, 0FFFFFFFCh
		push	dword ptr [ebx+1Ch] ; size_t
		push	eax		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_5562CD:				; CODE XREF: PoStoreDiagnosticContext+897E8j
		mov	eax, edi

loc_5562CF:				; CODE XREF: PoStoreDiagnosticContext+87j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_5562D6:				; CODE XREF: PoStoreDiagnosticContext+57j
					; PoStoreDiagnosticContext+5Cj
		mov	eax, 0C0000023h
		jmp	short loc_5562CF
PoStoreDiagnosticContext endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagSnapPassiveHistogram(x, x)
_PopDiagSnapPassiveHistogram@8 proc near
					; CODE XREF: PopTraceThermalZonePassiveHistogram+4Ap
					; PopTraceThermalRequestPassiveHistogram+A8p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		lea	ebx, [ecx+18h]
		mov	[ebp+var_1], 0
		xor	edi, edi

loc_5562F4:				; CODE XREF: PopDiagSnapPassiveHistogram(x,x)+57j
		mov	ecx, [ebx+0A8h]
		mov	esi, [ebx]
		mov	edx, [ebx+0ACh]
		sub	esi, ecx
		mov	eax, [ebx+4]
		push	0
		push	989680h
		sbb	eax, edx
		mov	[ebx], ecx
		push	eax
		push	esi
		mov	[ebx+4], edx
		call	__aulldiv
		mov	ecx, [ebp+var_8]
		mov	[ecx+edi*4], eax
		cmp	edi, 14h
		jnb	short loc_55632B
		test	eax, eax
		jnz	short loc_55633C

loc_55632B:				; CODE XREF: PopDiagSnapPassiveHistogram(x,x)+47j
		mov	al, [ebp+var_1]

loc_55632E:				; CODE XREF: PopDiagSnapPassiveHistogram(x,x)+63j
		inc	edi
		add	ebx, 8
		cmp	edi, 15h
		jb	short loc_5562F4
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55633C:				; CODE XREF: PopDiagSnapPassiveHistogram(x,x)+4Bj
		mov	al, 1
		mov	[ebp+var_1], al
		jmp	short loc_55632E
_PopDiagSnapPassiveHistogram@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopTraceThermalZoneActiveActivity proc near ; CODE XREF: PopThermalSxEntry()+F1p
					; PopThermalTelemetryWorker(x)+86p ...

var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C1		= dword	ptr -0C1h
var_98		= dword	ptr -98h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DFA41 SIZE 000000F0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_C8], 0
		mov	edx, 67446F50h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	byte ptr [ebp+var_C1], 0
		mov	ecx, [edi+18h]
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	loc_5DFA41
		mov	ecx, [esi+0B0h]
		mov	ebx, [ecx+14h]

loc_55638C:				; CODE XREF: PopTraceThermalZoneActiveActivity+896FFj
		test	ebx, ebx
		jz	short loc_5563F1
		lea	eax, [ebp+var_C1+1]
		push	eax
		lea	eax, [ebp+var_C1]
		push	eax
		lea	ecx, [edi+180h]
		lea	edx, [ebp+var_C8]
		call	_PopDiagSnapActiveActivity@16 ;	PopDiagSnapActiveActivity(x,x,x,x)
		cmp	[ebp+var_C8], 0
		jz	short loc_5563F1
		test	al, al
		jz	loc_5DFA48

loc_5563C0:				; CODE XREF: PopTraceThermalZoneActiveActivity+89711j
		mov	edi, [edi+39Ch]
		test	edi, edi
		jnz	short loc_5563CF
		mov	edi, offset ??_C@_11LOCGONAA@@FNODOBFM@

loc_5563CF:				; CODE XREF: PopTraceThermalZoneActiveActivity+84j
		cmp	dword_6B23F8, 5
		jbe	short loc_5563F1
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_5DFA5A

loc_5563F1:				; CODE XREF: PopTraceThermalZoneActiveActivity+4Aj
					; PopTraceThermalZoneActiveActivity+72j ...
		test	esi, esi
		jz	short loc_556401
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_556401:				; CODE XREF: PopTraceThermalZoneActiveActivity+AFj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopTraceThermalZoneActiveActivity endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagSnapActiveActivity(x, x, x, x)
_PopDiagSnapActiveActivity@16 proc near	; CODE XREF: PopTraceThermalZoneActiveActivity+66p
					; PopTraceThermalRequestActiveActivity(x)+C5p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edx
		xor	bl, bl
		mov	[ebp+var_1], bl
		cmp	[edi+1], bl
		jbe	short loc_556479
		lea	ebx, [edi+168h]

loc_556434:				; CODE XREF: PopDiagSnapActiveActivity(x,x,x,x)+64j
		mov	ecx, [ebx+50h]
		mov	esi, [ebx]
		mov	edx, [ebx+54h]
		sub	esi, ecx
		mov	eax, [ebx+4]
		push	0
		push	989680h
		sbb	eax, edx
		mov	[ebx], ecx
		push	eax
		push	esi
		mov	[ebx+4], edx
		call	__aulldiv
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+arg_4]
		mov	[edx+ecx*4], eax
		test	eax, eax
		jz	short loc_556467
		mov	[ebp+var_1], 1

loc_556467:				; CODE XREF: PopDiagSnapActiveActivity(x,x,x,x)+51j
		movzx	eax, byte ptr [edi+1]
		inc	ecx
		add	ebx, 8
		mov	[ebp+var_8], ecx
		cmp	ecx, eax
		jb	short loc_556434
		mov	bl, [ebp+var_1]

loc_556479:				; CODE XREF: PopDiagSnapActiveActivity(x,x,x,x)+1Cj
		mov	eax, [edi+210h]
		mov	esi, [edi+208h]
		mov	edx, [edi+214h]
		sub	esi, eax
		mov	ecx, [edi+20Ch]
		push	0
		push	989680h
		sbb	ecx, edx
		mov	[edi+208h], eax
		push	ecx
		push	esi
		mov	[edi+20Ch], edx
		call	__aulldiv
		mov	ecx, [ebp+var_C]
		mov	dl, [edi+1]
		pop	edi
		pop	esi
		mov	[ecx], eax
		mov	al, bl
		mov	ecx, [ebp+arg_0]
		pop	ebx
		mov	[ecx], dl
		leave
		retn	8
_PopDiagSnapActiveActivity@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopThermalStandbyEndTracking proc near	; CODE XREF: PopThermalSxEntry()+2Dp
					; PopCheckAndHandleThermalConditions+829EEp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DFB31 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	byte_6C1F95, 0
		mov	al, byte_6C1F94
		push	esi
		mov	esi, ecx
		mov	byte ptr [ebp+var_4], al
		mov	byte_6C1F94, 0
		jnz	loc_5DFB31

loc_5564EB:				; CODE XREF: PopThermalStandbyEndTracking+8969Dj
		pop	esi
		leave
		retn
PopThermalStandbyEndTracking endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputeTrimAmount proc near		; CODE XREF: MiTrimOrAgeWorkingSet+3EDp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DFB68 SIZE 00000095 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		mov	eax, [edx+2Ch]
		mov	ecx, [edx+34h]
		mov	[ebp+var_1C], eax
		sub	eax, ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_20], eax
		jz	loc_55661C
		mov	eax, dword_6D5E00
		cmp	eax, [edx+28h]
		jnb	loc_5DFB68

loc_556525:				; CODE XREF: MiComputeTrimAmount+8968Dj
		mov	eax, [ebx+0Ch]
		mov	esi, [ebx+48h]
		mov	edi, esi
		mov	[ebp+var_10], esi
		mov	eax, [eax+14h]
		mov	[ebp+var_14], eax
		cmp	edi, eax
		jbe	loc_55661C
		mov	cl, [ebx+60h]
		mov	ch, cl
		push	0
		pop	eax
		and	ch, 7
		jnz	loc_556620
		test	cl, cl
		js	loc_5DFB80
		test	byte ptr [ebx-144h], 40h
		jnz	short loc_55656D

loc_556560:				; CODE XREF: MiComputeTrimAmount+135j
					; MiComputeTrimAmount+89695j ...
		mov	ecx, [ebx+3Ch]
		cmp	edi, ecx
		jbe	loc_55662E
		sub	edi, ecx

loc_55656D:				; CODE XREF: MiComputeTrimAmount+70j
					; MiComputeTrimAmount+142j
		mov	cl, [edx+1]
		test	cl, cl
		jz	loc_5DFB97
		movzx	ecx, cl
		mov	[ebp+var_8], ecx
		push	8
		pop	ecx
		cmp	[ebp+var_8], ecx
		jnb	loc_55661C
		mov	esi, [ebp+var_8]
		sub	ecx, esi
		lea	edx, [esi+6]
		lea	edx, [ebx+edx*4]
		mov	[ebp+var_8], edx
		mov	edx, [ebp+var_C]
		mov	esi, [ebp+var_8]

loc_55659E:				; CODE XREF: MiComputeTrimAmount+B8j
		add	eax, [esi]
		lea	esi, [esi+4]
		sub	ecx, 1
		jnz	short loc_55659E
		mov	esi, [ebp+var_10]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_55661C

loc_5565B2:				; CODE XREF: MiComputeTrimAmount+896B9j
		mov	cl, [edx]
		mov	[ebp+var_1], cl
		and	cl, 7Fh
		cmp	cl, 1
		ja	loc_5DFBAC
		xor	ecx, ecx
		mov	esi, eax
		cmp	byte ptr [ebx+62h], 2
		setz	cl
		lea	ecx, ds:1[ecx*2]
		shr	esi, cl
		mov	ecx, [edx+38h]
		cmp	ecx, eax
		jb	short loc_5565F4
		imul	eax, 64h
		xor	edx, edx
		push	64h
		div	ecx
		xor	edx, edx
		imul	eax, [ebp+var_8]
		pop	ecx
		div	ecx
		cmp	esi, eax
		jb	short loc_55663D

loc_5565F4:				; CODE XREF: MiComputeTrimAmount+EEj
					; MiComputeTrimAmount+151j ...
		cmp	esi, edi
		ja	short loc_556635

loc_5565F8:				; CODE XREF: MiComputeTrimAmount+149j
					; MiComputeTrimAmount+896D2j
		mov	eax, [ebp+var_20]
		cmp	esi, eax
		ja	short loc_556639

loc_5565FF:				; CODE XREF: MiComputeTrimAmount+14Dj
		movzx	eax, [ebp+var_1]
		mov	ecx, dword_6D5D40
		and	eax, 7Fh
		inc	dword ptr [ecx+eax*4+53Ch]
		mov	eax, esi

loc_556615:				; CODE XREF: MiComputeTrimAmount+130j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_55661C:				; CODE XREF: MiComputeTrimAmount+23j
					; MiComputeTrimAmount+4Aj ...
		xor	eax, eax
		jmp	short loc_556615
; 

loc_556620:				; CODE XREF: MiComputeTrimAmount+5Bj
		cmp	ch, 1
		jnz	loc_556560
		jmp	loc_5DFB8E
; 

loc_55662E:				; CODE XREF: MiComputeTrimAmount+77j
		mov	edi, eax
		jmp	loc_55656D
; 

loc_556635:				; CODE XREF: MiComputeTrimAmount+108j
		mov	esi, edi
		jmp	short loc_5565F8
; 

loc_556639:				; CODE XREF: MiComputeTrimAmount+10Fj
		mov	esi, eax
		jmp	short loc_5565FF
; 

loc_55663D:				; CODE XREF: MiComputeTrimAmount+104j
					; MiComputeTrimAmount+8970Aj
		mov	esi, eax
		jmp	short loc_5565F4
MiComputeTrimAmount endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiDisconnectInterruptCommon proc near	; CODE XREF: KeDisconnectInterrupt+54p
					; KiDisconnectSecondaryInterrupt(x,x)+84p

var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DFBFD SIZE 000000A2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+48h+var_20]
		mov	esi, edx
		stosd
		mov	ebx, ecx
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	[esp+48h+var_24], ecx
		mov	[esp+48h+var_34], ebx
		stosd
		mov	[esp+48h+var_36], dl
		mov	[esp+48h+var_35], dl
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+48h+var_10]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+48h+var_30]
		stosd
		stosd
		stosd
		mov	[esp+48h+var_2C], ecx
		mov	ecx, [esi+5Ch]
		mov	eax, large fs:124h
		cmp	ecx, eax
		jz	short loc_5566B8
		push	edx
		push	1
		lea	eax, [esp+50h+var_20]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+48h+var_20]
		xor	edx, edx
		mov	[esp+48h+var_30], eax

loc_5566B8:				; CODE XREF: KiDisconnectInterruptCommon+5Dj
		test	ebx, ebx
		jnz	loc_5DFBFD
		mov	ecx, [esi+34h]
		lea	eax, [esp+48h+var_10]
		mov	edi, edx
		lea	edx, [esp+48h+var_36]
		push	eax
		call	_KiAcquireInterruptConnectLock@12 ; KiAcquireInterruptConnectLock(x,x,x)
		mov	bl, [esp+48h+var_36]

loc_5566D7:				; CODE XREF: KiDisconnectInterruptCommon+895E1j
		cmp	byte ptr [esi+33h], 0
		jz	short loc_55673B
		lea	eax, [esi+3Ch]
		test	byte ptr [eax],	2
		jnz	short loc_55673B
		xor	ecx, ecx
		cmp	[esi+3Ah], cx
		ja	loc_5DFC28
		cmp	[esp+48h+var_34], ecx
		mov	ecx, esi
		jnz	loc_5DFC3F
		mov	edx, [esp+48h+var_24]
		call	KiDisconnectInterruptInternal
		mov	esi, eax

loc_556708:				; CODE XREF: KiDisconnectInterruptCommon+89609j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [esp+48h+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread

loc_55671A:				; CODE XREF: KiDisconnectInterruptCommon+89635j
		cmp	[esp+48h+var_35], 0
		jnz	loc_5DFC7C

loc_556725:				; CODE XREF: KiDisconnectInterruptCommon+8963Fj
					; KiDisconnectInterruptCommon+89658j
		mov	ecx, [esp+48h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_55673B:				; CODE XREF: KiDisconnectInterruptCommon+99j
					; KiDisconnectInterruptCommon+A1j ...
		mov	esi, 0C00000EFh
		jmp	loc_5DFC46
KiDisconnectInterruptCommon endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiDisconnectInterruptInternal proc near	; CODE XREF: KiDisconnectInterruptCommon+BFp
					; KiProcessPendingDisconnect(x,x,x)+23p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005DFC9F SIZE 000000AE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_C], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_1C]
		mov	[ebp+var_1], 0
		stosd
		mov	ebx, ecx
		mov	[ebp+var_8], ebx
		cmp	byte ptr [ebx+33h], 0
		stosd
		stosd
		stosd
		mov	eax, 0C00000EFh
		jz	short loc_5567AE
		mov	ecx, [ebx+2Ch]
		lea	edx, [ebp+var_1C]
		call	KiGetVectorInfo
		mov	esi, [ebp+var_18]
		cmp	byte ptr [esi+31h], 0
		jz	loc_5DFC9F

loc_556789:				; CODE XREF: KiDisconnectInterruptInternal+89564j
		mov	al, [ebp+var_1]

loc_55678C:				; CODE XREF: KiDisconnectInterruptInternal+8956Cj
		cmp	[ebp+var_1C], 2
		jz	loc_5DFCB7

loc_556796:				; CODE XREF: KiDisconnectInterruptInternal+89573j
		push	[ebp+var_C]
		call	ds:__imp__HalDisableInterrupt@4	; HalDisableInterrupt(x)
		xor	edx, edx
		mov	ecx, ebx
		call	KiConnectVectorAndInterruptObject
		xor	eax, eax

loc_5567AA:				; CODE XREF: KiDisconnectInterruptInternal+895DDj
		mov	byte ptr [ebx+33h], 0

loc_5567AE:				; CODE XREF: KiDisconnectInterruptInternal+29j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
KiDisconnectInterruptInternal endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiConnectVectorAndInterruptObject proc near ; CODE XREF: KiDisconnectInterruptInternal+5Dp
					; KiDisconnectInterruptInternal+8958Fp	...

var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], edx
		lea	edi, [ebp+var_14]
		mov	ebx, ecx
		stosd
		lea	edx, [ebp+var_14]
		mov	esi, [ebx+2Ch]
		mov	ecx, esi
		stosd
		stosd
		stosd
		call	KiGetVectorInfo
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	loc_5DFD2D
		mov	eax, large fs:20h
		and	dword ptr [eax+esi*4+41E0h], 0

loc_5567F3:				; CODE XREF: KiDisconnectInterruptInternal+89602j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
KiConnectVectorAndInterruptObject endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 960. IoReportInterruptInactive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoReportInterruptInactive
IoReportInterruptInactive proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DFD4D SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edx, [ecx]
		mov	eax, edx
		sub	eax, 1
		jnz	loc_5DFD4D

loc_556816:				; CODE XREF: IoReportInterruptInactive+8955Cj
		mov	ecx, [ecx+4]
		call	_IopMaskInterrupt@4 ; IopMaskInterrupt(x)

loc_55681E:				; CODE XREF: IoReportInterruptInactive+8957Bj
					; IoReportInterruptInactive+89594j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
IoReportInterruptInactive endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopMaskInterrupt(x)
_IopMaskInterrupt@4 proc near		; CODE XREF: IoReportInterruptInactive+1Bp
					; IoReportInterruptInactive+89586p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	edx, [esi-5Ch]
		not	edx
		movzx	eax, dl
		shr	edx, 8
		mov	bl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		mov	ecx, edx
		shr	ecx, 8
		add	bl, ds:_RtlpBitsClearTotal[eax]
		lea	eax, [esi+0E4h]
		push	eax
		lea	eax, [esi-58h]
		push	eax
		movzx	eax, dl
		mov	dl, ds:_RtlpBitsClearTotal[ecx]
		lea	ecx, [esi+104h]
		add	dl, ds:_RtlpBitsClearTotal[eax]
		add	dl, bl
		call	KeMaskInterrupt
		pop	esi
		pop	ebx
		retn
_IopMaskInterrupt@4 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall KeFreeInterrupt(x)
_KeFreeInterrupt@4 proc	near		; CODE XREF: IoDisconnectInterrupt+12Cp
					; IopConnectInterrupt+A1666p
		mov	edx, ecx
		mov	ecx, [edx+0D0h]
		add	ecx, 4058h
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
_KeFreeInterrupt@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeDisconnectInterrupt proc near		; CODE XREF: KeConnectInterrupt+849C3p
					; IoDisconnectInterrupt+8Fp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DFDC9 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		push	edi
		push	[ebp+arg_0]
		mov	bl, dl
		mov	[ebp+var_10], esi
		call	KeMaskInterrupt
		mov	ecx, [ebp+arg_0]
		call	KiIsInterruptTypeSecondary
		mov	[ebp+var_1], al
		mov	ecx, esi
		movzx	eax, bl
		mov	edx, eax
		mov	[ebp+var_C], eax
		call	KiIntSteerDisable
		test	bl, bl
		jz	short loc_556908
		mov	eax, [ebp+var_C]
		mov	[ebp+var_8], eax

loc_5568CD:				; CODE XREF: KeDisconnectInterrupt+77j
		cmp	[ebp+var_1], 0
		mov	ebx, [esi]
		jnz	loc_5DFDC9
		push	[ebp+arg_0]
		mov	edx, ebx
		xor	ecx, ecx
		call	KiDisconnectInterruptCommon

loc_5568E5:				; CODE XREF: KeDisconnectInterrupt+89547j
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		lea	eax, [ebx+3Ch]
		lock or	[eax], edx
		test	ecx, ecx
		js	short loc_55691B
		cmp	ecx, 128h
		jz	short loc_55691F

loc_5568FC:				; CODE XREF: KeDisconnectInterrupt+91j
					; KeDisconnectInterrupt+98j
		add	esi, 4
		sub	[ebp+var_8], 1
		jnz	short loc_5568CD
		mov	esi, [ebp+var_10]

loc_556908:				; CODE XREF: KeDisconnectInterrupt+39j
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_KiIntRedirectDisconnect@8 ; KiIntRedirectDisconnect(x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_55691B:				; CODE XREF: KeDisconnectInterrupt+66j
		mov	edi, ecx
		jmp	short loc_5568FC
; 

loc_55691F:				; CODE XREF: KeDisconnectInterrupt+6Ej
		mov	edi, 128h
		jmp	short loc_5568FC
KeDisconnectInterrupt endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIntSteerDisable proc near		; CODE XREF: KeDisconnectInterrupt+32p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_13		= byte ptr -13h
var_12		= byte ptr -12h
var_11		= dword	ptr -11h
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005DFDD8 SIZE 000000D2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	eax, [edi]
		mov	esi, [eax+64h]
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	loc_5569F9
		mov	edx, offset _PPM_ETW_INTERRUPT_STEERING_STATE_DISCONNECT
		mov	ecx, esi
		call	KiIntSteerLogState
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _KiIntTrackSpinlock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	edx, edx
		test	ebx, ebx
		jz	short loc_556981

loc_556969:				; CODE XREF: KiIntSteerDisable+56j
		mov	ecx, [edi+edx*4]
		push	0FFFFFFFBh
		pop	esi
		lea	eax, [ecx+3Ch]
		lock and [eax],	esi
		and	dword ptr [ecx+64h], 0
		inc	edx
		cmp	edx, ebx
		jb	short loc_556969
		mov	esi, [ebp+var_8]

loc_556981:				; CODE XREF: KiIntSteerDisable+41j
		mov	ecx, [esi]
		mov	edi, [esi+8]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_556A00
		cmp	[eax], esi
		jnz	short loc_556A00
		mov	ebx, 6B725449h
		mov	[eax], ecx
		push	ebx
		push	esi
		mov	[ecx+4], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [edi+8]
		cmp	[eax], eax
		jnz	short loc_5569D9
		dec	_KiIntTrackRootCount
		mov	ecx, [edi]
		mov	eax, [edi+4]
		cmp	[ecx+4], edi
		jnz	short loc_556A00
		cmp	[eax], edi
		jnz	short loc_556A00
		mov	[eax], ecx
		xor	edx, edx
		mov	[ecx+4], eax
		inc	edx
		push	ecx
		lea	ecx, [edi+80h]
		call	_KiIntSteerUpdateDeviceInterruptMask@12	; KiIntSteerUpdateDeviceInterruptMask(x,x,x)
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5569D9:				; CODE XREF: KiIntSteerDisable+82j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _KiIntTrackSpinlock
		jnz	loc_5DFDD8
		xor	eax, eax
		lock and [ecx],	eax

loc_5569F0:				; CODE XREF: KiIntSteerDisable+894BAj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5569F9:				; CODE XREF: KiIntSteerDisable+18j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
; 

loc_556A00:				; CODE XREF: KiIntSteerDisable+66j
					; KiIntSteerDisable+6Aj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

KeMaskInterrupt:			; CODE XREF: IopMaskInterrupt(x)+4Ap
					; KeDisconnectInterrupt+18p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		and	[ebp+var_24], 0
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		lea	edi, [ebp+var_11+1]
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+arg_0]
		stosd
		mov	[ebp+var_12], dl
		mov	[ebp+var_20], ecx
		stosd
		stosd
		call	KiIsInterruptTypeSecondary
		xor	ecx, ecx
		test	al, al
		setnz	cl
		xor	edx, edx
		xor	al, al
		mov	[ebp+var_18], ecx
		xor	esi, esi
		mov	byte ptr [ebp+var_11], al
		inc	edx
		cmp	[ebp+var_12], al
		jbe	short loc_556A8A
		xor	edi, edi
		inc	edi

loc_556A57:				; CODE XREF: KiIntSteerDisable+15Cj
		mov	ecx, [ebp+var_1C]
		movzx	eax, al
		mov	edx, [ecx+eax*4]
		add	edx, 3Ch
		mov	eax, [edx]

loc_556A65:				; CODE XREF: KiIntSteerDisable+147j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_556A65
		test	al, 1
		jnz	loc_5DFDE5
		mov	al, byte ptr [ebp+var_11]
		inc	al
		mov	byte ptr [ebp+var_11], al
		cmp	al, [ebp+var_12]
		jb	short loc_556A57
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		inc	edx

loc_556A8A:				; CODE XREF: KiIntSteerDisable+12Cj
		mov	edi, [ebp+var_20]
		cmp	[edi+8], esi
		jnz	loc_556B25
		mov	edi, [edi+38h]
		mov	[ebp+var_18], edi
		cmp	ecx, edx
		jz	loc_5DFDEF
		mov	cl, 1Fh
		mov	[ebp+var_13], 0
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ch, [ebp+var_12]
		xor	cl, cl
		mov	byte ptr [ebp+var_11], al
		movzx	eax, large byte	ptr fs:51h
		mov	[ebp+var_20], eax
		test	ch, ch
		jz	short loc_556AF5
		mov	edx, [ebp+var_1C]

loc_556ACA:				; CODE XREF: KiIntSteerDisable+1B9j
		mov	edi, [ebp+var_20]
		movzx	eax, cl
		mov	eax, [edx+eax*4]
		cmp	[eax+34h], edi
		mov	edi, [ebp+var_18]
		jz	short loc_556AE3
		inc	cl
		cmp	cl, ch
		jb	short loc_556ACA
		jmp	short loc_556AF5
; 

loc_556AE3:				; CODE XREF: KiIntSteerDisable+1B3j
		mov	ecx, [eax+2Ch]
		mov	edx, edi
		call	KiMaskInterruptInternal
		mov	esi, eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_13], al

loc_556AF5:				; CODE XREF: KiIntSteerDisable+19Fj
					; KiIntSteerDisable+1BBj
		mov	cl, byte ptr [ebp+var_11]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_13], 0
		jz	loc_5DFE05

loc_556B08:				; CODE XREF: KiIntSteerDisable+894C4j
					; KiIntSteerDisable+894DAj ...
		lea	eax, [esi-128h]
		neg	eax
		sbb	eax, eax
		and	eax, esi

loc_556B14:				; CODE XREF: KiIntSteerDisable+201j
		mov	ecx, [ebp-4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_556B25:				; CODE XREF: KiIntSteerDisable+16Aj
		xor	eax, eax
		jmp	short loc_556B14
KiIntSteerDisable endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiMaskInterruptInternal	proc near	; CODE XREF: KiIntSteerDisable+1C2p
					; KiIntSteerDisable+89503p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

; FUNCTION CHUNK AT 005DFEAA SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	esi, edx
		lea	edx, [ebp+var_10]
		stosd
		stosd
		stosd
		call	KiGetVectorInfo
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_556B86
		cmp	eax, 2
		jz	loc_5DFEAA
		cmp	eax, 1
		jnz	short loc_556B8D
		mov	eax, [ebp+var_C]
		mov	eax, [eax+3Ch]
		and	al, 1
		movsx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFED8h
		add	eax, 128h

loc_556B75:				; CODE XREF: KiMaskInterruptInternal+68j
		test	eax, eax
		jnz	short loc_556B82

loc_556B79:				; CODE XREF: KiMaskInterruptInternal+89394j
		push	0
		push	esi
		call	off_6B1300	; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)

loc_556B82:				; CODE XREF: KiMaskInterruptInternal+4Dj
					; KiMaskInterruptInternal+61j ...
		pop	edi
		pop	esi
		leave
		retn
; 

loc_556B86:				; CODE XREF: KiMaskInterruptInternal+22j
		mov	eax, 80000025h
		jmp	short loc_556B82
; 

loc_556B8D:				; CODE XREF: KiMaskInterruptInternal+30j
		mov	eax, 0C0000001h
		jmp	short loc_556B75
KiMaskInterruptInternal	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRotatedToFrameBuffer(x)
_MiRotatedToFrameBuffer@4 proc near	; CODE XREF: .text:00451309p
					; .text:00455713p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ecx, [edi]
		nop
		mov	edx, [edi+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, esi
		jz	loc_556C42
		nop
		shrd	ecx, edx, 0Ch
		and	ecx, 1FFFFFFh
		imul	esi, ecx, 1Ch
		add	esi, ds:_MmPfnDatabase
		cmp	ecx, dword_6D07B0
		ja	short loc_556C3D
		mov	eax, dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_556C3D
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	ecx, [eax-40000000h]
		nop
		mov	ebx, [eax-3FFFFFFCh]
		mov	edx, [esi+4]
		mov	eax, edx
		or	eax, 80000000h
		cmp	eax, edi
		jnz	short loc_556C23
		mov	eax, [esi+18h]
		shrd	ecx, ebx, 0Ch
		and	eax, offset loc_7FFFFF
		and	ecx, 1FFFFFFh
		cmp	eax, ecx
		jz	short loc_556C42

loc_556C23:				; CODE XREF: MiRotatedToFrameBuffer(x)+77j
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_556C3D
		test	dword ptr [esi+18h], 800000h
		jnz	short loc_556C3D
		test	edx, edx
		js	short loc_556C3D
		jnz	short loc_556C42

loc_556C3D:				; CODE XREF: MiRotatedToFrameBuffer(x)+3Bj
					; MiRotatedToFrameBuffer(x)+52j ...
		xor	eax, eax
		inc	eax
		jmp	short loc_556C44
; 

loc_556C42:				; CODE XREF: MiRotatedToFrameBuffer(x)+1Bj
					; MiRotatedToFrameBuffer(x)+8Dj ...
		xor	eax, eax

loc_556C44:				; CODE XREF: MiRotatedToFrameBuffer(x)+ACj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiRotatedToFrameBuffer@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1697. PoFxReportDevicePoweredOn

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxReportDevicePoweredOn
PoFxReportDevicePoweredOn proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005DFECD SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	0FFFFFFFDh
		pop	edi
		mov	ebx, [esi+1Ch]
		lea	edx, [esi+10h]
		mov	eax, [edx]

loc_556C6A:				; CODE XREF: PoFxReportDevicePoweredOn+24j
		mov	ecx, eax
		and	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_556C6A
		test	al, 2
		jz	short loc_556C97
		mov	ecx, esi
		call	_PopFxGetDeviceDStateReason@4 ;	PopFxGetDeviceDStateReason(x)
		mov	ecx, [esi+20h]
		xor	edx, edx
		push	eax
		push	1
		inc	edx
		call	PopPepDeviceDState
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	PopDiagTraceFxDevicePowerState

loc_556C97:				; CODE XREF: PoFxReportDevicePoweredOn+28j
		lea	eax, [ebx+2Ch]
		push	eax
		mov	[esp+24h+var_8], eax
		call	ExAcquireSpinLockExclusive
		mov	byte ptr [esp+20h+var_C], al
		xor	edi, edi
		lea	eax, [ebx+44h]
		xchg	edi, [eax]
		and	[esp+20h+var_10], 0
		mov	[esp+20h+var_4], edi
		test	edi, edi
		jle	loc_556D6D
		mov	eax, [esi+1Ch]
		mov	ecx, [eax+40h]
		cmp	edi, ecx
		jg	loc_5DFECD
		mov	edx, 0FFFFF7FEh
		lea	eax, [esi+10h]
		lock and [eax],	edx
		mov	eax, [esi+1Ch]
		sub	ecx, edi
		xor	ebx, ebx
		mov	[eax+40h], ecx
		mov	edx, [esi+1Ch]
		add	edx, 0A8h
		mov	eax, [edx]

loc_556CEE:				; CODE XREF: PoFxReportDevicePoweredOn+A8j
		mov	ecx, eax
		or	ecx, ebx
		lock cmpxchg [edx], ecx
		jnz	short loc_556CEE
		test	al, 4
		jz	short loc_556D2F
		mov	eax, [esi+23Ch]
		mov	ecx, edi
		mov	[esp+20h+var_10], edi

loc_556D08:				; CODE XREF: PoFxReportDevicePoweredOn+DFj
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_556D26

loc_556D0E:				; CODE XREF: PoFxReportDevicePoweredOn+D2j
		push	2
		push	ebx
		push	esi
		call	_PoFxIdleComponent@12 ;	PoFxIdleComponent(x,x,x)
		mov	eax, [esi+23Ch]
		inc	ebx
		cmp	ebx, eax
		jb	short loc_556D0E
		mov	ecx, [esp+20h+var_10]

loc_556D26:				; CODE XREF: PoFxReportDevicePoweredOn+BEj
		sub	ecx, 1
		mov	[esp+20h+var_10], ecx
		jnz	short loc_556D08

loc_556D2F:				; CODE XREF: PoFxReportDevicePoweredOn+ACj
		mov	eax, [esi+1Ch]
		mov	ebx, [eax+0A0h]

loc_556D38:				; CODE XREF: PoFxReportDevicePoweredOn+123j
		push	[esp+20h+var_C]
		push	[esp+24h+var_8]
		call	ExReleaseSpinLockExclusive
		cmp	_PopPoFxSystemIrpWaitForReportDevicePoweredReg,	0
		jnz	loc_5DFEDC
		mov	eax, [esi+238h]
		test	al, al
		js	loc_5DFEDC

loc_556D60:				; CODE XREF: PoFxReportDevicePoweredOn+892A8j
					; PoFxReportDevicePoweredOn+892CBj
		test	edi, edi
		jz	short loc_556D73

loc_556D64:				; CODE XREF: PoFxReportDevicePoweredOn+146j
					; PoFxReportDevicePoweredOn+14Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_556D6D:				; CODE XREF: PoFxReportDevicePoweredOn+6Cj
		mov	ebx, [esp+20h+var_10]
		jmp	short loc_556D38
; 

loc_556D73:				; CODE XREF: PoFxReportDevicePoweredOn+114j
		xor	edi, edi
		lea	ecx, [esi+10h]
		mov	eax, [ecx]

loc_556D7A:				; CODE XREF: PoFxReportDevicePoweredOn+134j
		mov	edx, eax
		or	edx, edi
		lock cmpxchg [ecx], edx
		jnz	short loc_556D7A
		mov	ecx, esi
		test	eax, 2000h
		jnz	short loc_556D96
		xor	edx, edx
		call	PopFxCompleteDevicePowerRequired
		jmp	short loc_556D64
; 

loc_556D96:				; CODE XREF: PoFxReportDevicePoweredOn+13Dj
		xor	dl, dl
		call	_PopFxDerefAndCompleteDirectedPowerTransition@8	; PopFxDerefAndCompleteDirectedPowerTransition(x,x)
		jmp	short loc_556D64
PoFxReportDevicePoweredOn endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSessionRemoveImage proc near		; CODE XREF: MiUnloadSystemImage+D3p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 005DFF1E SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		mov	edi, ebx
		mov	byte ptr [ebp+var_1], 0
		xor	eax, eax
		stosd
		stosd
		stosd
		mov	edi, [ecx+18h]
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		mov	ecx, large fs:124h
		mov	esi, offset unk_6D3C40
		mov	[ebp+var_10], eax
		mov	ecx, [ecx+80h]
		mov	ecx, [ecx+180h]
		add	ecx, 34h
		mov	[ebp+var_C], ecx
		mov	cl, [eax+60h]
		and	cl, 7
		cmp	cl, 2
		jz	short loc_556DF5
		lea	esi, [eax+80h]

loc_556DF5:				; CODE XREF: MiSessionRemoveImage+4Dj
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		lea	ecx, [ebp+var_1]
		mov	[ebp+var_2], al
		call	_MmLockLoadedModuleListExclusive@4 ; MmLockLoadedModuleListExclusive(x)
		mov	ecx, edi
		call	_MiSessionLookupImage@4	; MiSessionLookupImage(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5DFF1E
		sub	dword ptr [esi+20h], 1
		jz	short loc_556E4C
		xor	esi, esi

loc_556E23:				; CODE XREF: MiSessionRemoveImage+13Bj
		push	offset _PsLoadedModuleSpinLock
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	dl, [ebp+var_2]
		mov	ecx, [ebp+var_10]
		call	MiUnlockWorkingSetExclusive
		test	esi, esi
		jnz	short loc_556E6A

loc_556E45:				; CODE XREF: MiSessionRemoveImage+CEj
					; MiSessionRemoveImage+DCj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_556E4C:				; CODE XREF: MiSessionRemoveImage+7Fj
		mov	ecx, [esi]
		mov	edx, esi
		push	0FFFFFFFCh
		pop	edi
		test	ecx, ecx
		jnz	short loc_556E7E
		mov	ecx, [esi+8]

loc_556E5A:				; CODE XREF: MiSessionRemoveImage+C8j
		and	ecx, edi
		jz	short loc_556E8F
		cmp	[ecx+4], edx
		jz	short loc_556E8F
		mov	edx, ecx
		mov	ecx, [ecx+8]
		jmp	short loc_556E5A
; 

loc_556E6A:				; CODE XREF: MiSessionRemoveImage+A3j
		cmp	byte ptr [esi+24h], 1
		jnz	short loc_556E45
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		push	0
		call	MiHandleDriverNonPagedSections
		jmp	short loc_556E45
; 

loc_556E7E:				; CODE XREF: MiSessionRemoveImage+B5j
		cmp	dword ptr [ecx+4], 0
		jz	short loc_556E8F

loc_556E84:				; CODE XREF: MiSessionRemoveImage+EDj
		mov	eax, [ecx+4]
		mov	ecx, eax
		cmp	dword ptr [eax+4], 0
		jnz	short loc_556E84

loc_556E8F:				; CODE XREF: MiSessionRemoveImage+BCj
					; MiSessionRemoveImage+C1j ...
		test	ecx, ecx
		jz	short loc_556EE0
		mov	eax, [ecx+18h]

loc_556E96:				; CODE XREF: MiSessionRemoveImage+142j
		mov	ecx, [esi+4]
		mov	edx, esi
		mov	[ebx], eax
		test	ecx, ecx
		jnz	short loc_556EB3
		mov	ecx, [esi+8]

loc_556EA4:				; CODE XREF: MiSessionRemoveImage+111j
		and	ecx, edi
		jz	short loc_556EC3
		cmp	[ecx], edx
		jz	short loc_556EC3
		mov	edx, ecx
		mov	ecx, [ecx+8]
		jmp	short loc_556EA4
; 

loc_556EB3:				; CODE XREF: MiSessionRemoveImage+FFj
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_556EC3

loc_556EB9:				; CODE XREF: MiSessionRemoveImage+121j
		mov	eax, [edx]
		mov	ecx, edx
		mov	edx, eax
		test	eax, eax
		jnz	short loc_556EB9

loc_556EC3:				; CODE XREF: MiSessionRemoveImage+106j
					; MiSessionRemoveImage+10Aj ...
		test	ecx, ecx
		jnz	short loc_556EE4
		xor	eax, eax

loc_556EC9:				; CODE XREF: MiSessionRemoveImage+149j
		push	esi
		push	[ebp+var_C]
		mov	[ebx+4], eax
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	eax, [esi+28h]
		mov	[ebx+8], eax
		jmp	loc_556E23
; 

loc_556EE0:				; CODE XREF: MiSessionRemoveImage+F1j
		xor	eax, eax
		jmp	short loc_556E96
; 

loc_556EE4:				; CODE XREF: MiSessionRemoveImage+125j
		mov	eax, [ecx+14h]
		and	eax, edi
		jmp	short loc_556EC9
MiSessionRemoveImage endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopPowerDispatch proc near		; DATA XREF: PiSwPdoDriverEntry(x,x)+24o
					; PipPnPDriverEntry(x,x)+24o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	esi, esi
		mov	edx, 0C00000BBh
		mov	ecx, [edi+60h]
		movzx	eax, byte ptr [ecx+1]
		sub	eax, esi
		jz	short loc_556F3A
		sub	eax, 1
		jz	loc_5DFF31
		sub	eax, 1
		jnz	short loc_556F35
		mov	eax, [ecx+8]
		sub	eax, esi
		jnz	short loc_556F3E

loc_556F1D:				; CODE XREF: IopPowerDispatch+50j
		cmp	esi, edx
		jz	short loc_556F52

loc_556F21:				; CODE XREF: IopPowerDispatch+4Cj
					; IopPowerDispatch+64j	...
		mov	[edi+18h], esi

loc_556F24:				; CODE XREF: IopPowerDispatch+69j
		xor	dl, dl
		mov	ecx, edi
		call	IofCompleteRequest
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
; 

loc_556F35:				; CODE XREF: IopPowerDispatch+28j
		sub	eax, 1
		jz	short loc_556F21

loc_556F3A:				; CODE XREF: IopPowerDispatch+1Aj
					; IopPowerDispatch+55j
		mov	esi, edx
		jmp	short loc_556F1D
; 

loc_556F3E:				; CODE XREF: IopPowerDispatch+2Fj
		sub	eax, 1
		jnz	short loc_556F3A
		push	dword ptr [ecx+0Ch]
		push	1
		push	[ebp+arg_0]
		call	PoSetPowerState
		jmp	short loc_556F21
; 

loc_556F52:				; CODE XREF: IopPowerDispatch+33j
		mov	esi, [edi+18h]
		jmp	short loc_556F24
IopPowerDispatch endp

; 
		align 4
		dd 0CCCCCCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiEmptyAccessLogs proc near		; DATA XREF: MmSetAccessLogging+9Eo

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DFF46 SIZE 000000A4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		xor	eax, eax
		lea	edi, [esp+3Ch+var_1C]
		pop	ecx
		rep stosd
		lea	edi, [esp+38h+var_28]
		mov	ecx, offset dword_6D3180
		stosd
		lea	edx, [esp+38h+var_28]
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	esi, esi
		cmp	dword_6D3154, esi
		jnz	loc_5DFF46
		xor	edi, edi
		inc	edi

loc_556FA6:				; CODE XREF: MiEmptyAccessLogs+15Bj
		test	ds:byte_70EFC6,	1
		mov	dword_6D3150, 2
		jnz	loc_5DFFA2
		mov	eax, [esp+38h+var_28]
		test	eax, eax
		jnz	loc_5DFFBC
		mov	edx, [esp+38h+var_24]
		lea	eax, [esp+38h+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_28]
		cmp	eax, ecx
		jnz	loc_5DFFB3

loc_556FE3:				; CODE XREF: MiEmptyAccessLogs+89052j
					; MiEmptyAccessLogs+8906Aj
		mov	cl, [esp+38h+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	ecx, ecx

loc_556FEF:				; CODE XREF: MiEmptyAccessLogs+C0j
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_557040
		lea	ebx, [edi+240h]
		mov	eax, offset unk_6D3C58
		mov	cl, [ebx+60h]
		and	cl, 7
		cmp	cl, 2
		jz	short loc_557016
		lea	eax, [ebx+98h]

loc_557016:				; CODE XREF: MiEmptyAccessLogs+B2j
		cmp	[eax], esi
		jnz	short loc_55701E

loc_55701A:				; CODE XREF: MiEmptyAccessLogs+E2j
		mov	ecx, edi
		jmp	short loc_556FEF
; 

loc_55701E:				; CODE XREF: MiEmptyAccessLogs+BCj
		lea	eax, [esp+38h+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, edi
		call	KiStackAttachProcess
		mov	ecx, ebx
		call	MiDrainSystemAccessLog
		xor	edx, edx
		lea	ecx, [esp+38h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	short loc_55701A
; 

loc_557040:				; CODE XREF: MiEmptyAccessLogs+9Cj
		xor	ecx, ecx

loc_557042:				; CODE XREF: MiEmptyAccessLogs+119j
		call	_MiGetNextSession@8 ; MiGetNextSession(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_557077
		lea	edx, [esp+38h+var_1C]
		mov	ecx, edi
		call	MmAttachSession
		test	eax, eax
		js	short loc_557073
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		mov	ecx, eax
		call	MiDrainSystemAccessLog
		lea	edx, [esp+34h+var_18]
		mov	ecx, edi
		call	MmDetachSession

loc_557073:				; CODE XREF: MiEmptyAccessLogs+FEj
		mov	ecx, edi
		jmp	short loc_557042
; 

loc_557077:				; CODE XREF: MiEmptyAccessLogs+EFj
		push	3
		mov	edi, offset unk_6D3640
		pop	ebx

loc_55707F:				; CODE XREF: MiEmptyAccessLogs+138j
		cmp	[edi+3Ch], esi
		jz	short loc_55708B
		mov	ecx, edi
		call	MiDrainSystemAccessLog

loc_55708B:				; CODE XREF: MiEmptyAccessLogs+126j
		add	edi, 100h
		sub	ebx, 1
		jnz	short loc_55707F
		xor	edi, edi
		push	esi
		inc	edi
		push	esi
		mov	ecx, edi
		call	_MiCheckAndProcessCcAccessLog@12 ; MiCheckAndProcessCcAccessLog(x,x,x)
		lea	edx, [esp+38h+var_28]
		mov	ecx, offset dword_6D3180
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	dword_6D3150, 2
		jnz	loc_556FA6
		cmp	dword_6D3154, esi
		jnz	short loc_55712F
		mov	ebx, dword_6D3260
		mov	dword_6D3260, esi

loc_5570D1:				; CODE XREF: MiEmptyAccessLogs+1D5j
		test	ds:byte_70EFC6,	1
		mov	dword_6D3150, esi
		jnz	loc_5DFFCB
		mov	eax, [esp+38h+var_28]
		test	eax, eax
		jnz	short loc_557133
		mov	edx, [esp+38h+var_24]
		lea	eax, [esp+38h+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_28]
		cmp	eax, ecx
		jnz	loc_5DFFDC

loc_557106:				; CODE XREF: MiEmptyAccessLogs+1E1j
					; MiEmptyAccessLogs+8907Bj
		mov	cl, [esp+38h+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jz	short loc_55711B
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_55711B:				; CODE XREF: MiEmptyAccessLogs+1B6j
					; MiEmptyAccessLogs+89041j
		mov	ecx, [esp+38h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_55712F:				; CODE XREF: MiEmptyAccessLogs+167j
		mov	ebx, esi
		jmp	short loc_5570D1
; 

loc_557133:				; CODE XREF: MiEmptyAccessLogs+18Ej
					; MiEmptyAccessLogs+89089j
		mov	[esp+38h+var_28], esi
		add	eax, 4
		lock xor [eax],	edi
		jmp	short loc_557106
MiEmptyAccessLogs endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckAndProcessCcAccessLog(x, x, x)
_MiCheckAndProcessCcAccessLog@12 proc near ; CODE XREF:	MiEmptyAccessLogs+141p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword_6D3140, 0
		push	esi
		mov	esi, ecx
		jz	short loc_557181
		xor	ecx, ecx
		mov	eax, offset dword_6D3140
		xchg	ecx, [eax]
		test	ecx, ecx
		jz	short loc_557181
		mov	edx, [ebp+arg_0]
		sub	edx, [ecx+10h]
		mov	eax, [ebp+arg_4]
		sbb	eax, [ecx+14h]
		cmp	eax, dword_6FB604
		ja	short loc_55717C
		jb	short loc_557186
		cmp	edx, _PfKernelGlobals
		jbe	short loc_557186

loc_55717C:				; CODE XREF: MiCheckAndProcessCcAccessLog(x,x,x)+30j
					; MiCheckAndProcessCcAccessLog(x,x,x)+48j
		call	_MiQueuePageAccessLog@4	; MiQueuePageAccessLog(x)

loc_557181:				; CODE XREF: MiCheckAndProcessCcAccessLog(x,x,x)+Fj
					; MiCheckAndProcessCcAccessLog(x,x,x)+1Cj ...
		pop	esi
		pop	ebp
		retn	8
; 

loc_557186:				; CODE XREF: MiCheckAndProcessCcAccessLog(x,x,x)+32j
					; MiCheckAndProcessCcAccessLog(x,x,x)+3Aj
		test	esi, esi
		jnz	short loc_55717C
		xor	edx, edx
		call	_MiReturnCcAccessLog@8 ; MiReturnCcAccessLog(x,x)
		jmp	short loc_557181
_MiCheckAndProcessCcAccessLog@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipWriteWnodeToObject proc near	; CODE XREF: WmipProcessEvent+DCp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005DFFEA SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], edx
		lea	edi, [ebp+var_18]
		mov	ebx, ecx
		stosd
		lea	edx, [ebp+var_18]
		mov	ecx, offset _WmipCancelSpinLock
		mov	[ebp+var_C], ebx
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, [ebx+30h]
		test	esi, esi
		jz	short loc_5571D7
		mov	ecx, esi
		call	_WmipClearIrpObjectList@4 ; WmipClearIrpObjectList(x)
		xor	ecx, ecx
		lea	eax, [esi+38h]
		xchg	ecx, [eax]
		neg	ecx
		sbb	ecx, ecx
		and	esi, ecx

loc_5571D7:				; CODE XREF: WmipWriteWnodeToObject+2Dj
		xor	ebx, ebx
		mov	[ebp+var_4], 1
		test	ds:byte_70EFC6,	1
		jnz	loc_5DFFEA
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_5E0002
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_5DFFFA

loc_55720F:				; CODE XREF: WmipWriteWnodeToObject+88E61j
					; WmipWriteWnodeToObject+88E7Aj
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_55724E
		mov	edx, [ebp+var_8]
		mov	eax, [esi+60h]
		mov	ecx, [esi+0Ch]
		mov	edi, [edx]
		cmp	edi, [eax+4]
		ja	short loc_557275
		push	edi		; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	byte ptr [ebp+var_4], bl

loc_55723A:				; CODE XREF: WmipWriteWnodeToObject+F2j
		xor	dl, dl
		mov	[esi+1Ch], edi
		mov	ecx, esi
		mov	[esi+18h], ebx
		call	IofCompleteRequest
		cmp	byte ptr [ebp+var_4], bl
		jz	short loc_55726C

loc_55724E:				; CODE XREF: WmipWriteWnodeToObject+86j
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		cmp	[ebp+arg_0], dl
		push	[ebp+var_8]	; void *
		setnz	dl
		dec	edx
		and	edx, 14h
		add	edx, 3Ch
		add	edx, ecx
		call	WmipQueueNotification
		mov	ebx, eax

loc_55726C:				; CODE XREF: WmipWriteWnodeToObject+B8j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_557275:				; CODE XREF: WmipWriteWnodeToObject+96j
		push	38h
		pop	eax
		mov	[ecx+30h], edi
		mov	edi, eax
		mov	[ecx], eax
		mov	dword ptr [ecx+2Ch], 20h
		jmp	short loc_55723A
WmipWriteWnodeToObject endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopTimeoutWakeTracking proc near	; CODE XREF: PopWakeSourceTimeoutWorker(x)+8p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_10		= dword	ptr -10h

; FUNCTION CHUNK AT 005E0013 SIZE 000000CC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+28h+var_1C]
		mov	esi, ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+28h+var_10]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		xor	edi, edi
		inc	eax
		push	edi
		push	eax
		lea	eax, [esp+30h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	edx, [esp+28h+var_1C]
		mov	ecx, offset _PopWakeSourceLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		cmp	esi, _PopCurrentWakeInfo
		jnz	loc_5573C7
		and	_PopCurrentWakeInfo, edi
		cmp	_PopWakeSourceWorkInProgress, 0
		mov	_PopPendingWakeInfo, esi
		jnz	loc_5E0013

loc_5572F5:				; CODE XREF: PopTimeoutWakeTracking+88DA3j
					; PopTimeoutWakeTracking+88DB1j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E003E
		mov	eax, [esp+28h+var_1C]
		test	eax, eax
		jnz	loc_5E0058
		mov	edx, [esp+28h+var_18]
		lea	eax, [esp+28h+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+28h+var_1C]
		cmp	eax, ecx
		jnz	loc_5E004F

loc_557328:				; CODE XREF: PopTimeoutWakeTracking+88DC2j
					; PopTimeoutWakeTracking+88DE1j
		mov	cl, [esp+28h+var_14]
		call	ebx
		test	edi, edi
		jnz	loc_5E006E

loc_557336:				; CODE XREF: PopTimeoutWakeTracking+88DF2j
		mov	edi, offset _PopWakeSourceLock
		lea	edx, [esp+28h+var_1C]
		mov	ecx, edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	esi, _PopPendingWakeInfo
		jnz	short loc_5573C7
		mov	eax, _PopWakeInfoList
		mov	ecx, offset _PopWakeInfoList
		cmp	[eax+4], ecx
		jnz	loc_55740E
		inc	_PopWakeInfoCount
		and	_PopPendingWakeInfo, 0
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		test	ds:byte_70EFC6,	1
		mov	_PopWakeInfoList, esi
		jnz	loc_5E007F
		mov	eax, [esp+28h+var_1C]
		test	eax, eax
		jnz	loc_5E0099
		mov	edx, [esp+28h+var_18]
		lea	eax, [esp+28h+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+28h+var_1C]
		cmp	eax, ecx
		jnz	loc_5E0090

loc_5573AF:				; CODE XREF: PopTimeoutWakeTracking+88E03j
					; PopTimeoutWakeTracking+88E22j
		mov	cl, [esp+28h+var_14]
		call	ebx
		mov	ecx, esi
		call	PopFinalizeWakeInfo
		lea	edx, [esp+28h+var_1C]
		mov	ecx, edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)

loc_5573C7:				; CODE XREF: PopTimeoutWakeTracking+4Ej
					; PopTimeoutWakeTracking+C4j
		mov	ecx, esi
		call	PopWakeInfoDereference
		test	ds:byte_70EFC6,	1
		jnz	loc_5E00AF
		mov	eax, [esp+28h+var_1C]
		test	eax, eax
		jnz	loc_5E00C9
		mov	edx, [esp+28h+var_18]
		lea	eax, [esp+28h+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+28h+var_1C]
		cmp	eax, ecx
		jnz	loc_5E00C0

loc_557401:				; CODE XREF: PopTimeoutWakeTracking+88E33j
					; PopTimeoutWakeTracking+88E52j
		mov	cl, [esp+28h+var_14]
		call	ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_55740E:				; CODE XREF: PopTimeoutWakeTracking+D3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PopTimeoutWakeTracking endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDereferenceWakeInfos	proc near	; CODE XREF: PopGetWakeSource+A5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E00DF SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], ecx
		lea	edi, [ebp+var_10]
		mov	ebx, edx
		stosd
		lea	edx, [ebp+var_10]
		mov	ecx, offset _PopWakeSourceLock
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edi, [ebp+var_4]
		xor	esi, esi
		test	edi, edi
		jz	short loc_55744F

loc_557442:				; CODE XREF: PopDereferenceWakeInfos+39j
		mov	ecx, [ebx+esi*4]
		call	PopWakeInfoDereference
		inc	esi
		cmp	esi, edi
		jb	short loc_557442

loc_55744F:				; CODE XREF: PopDereferenceWakeInfos+2Cj
		test	ds:byte_70EFC6,	1
		jnz	loc_5E00DF
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_5E00F7
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	loc_5E00EF

loc_55747E:				; CODE XREF: PopDereferenceWakeInfos+88CD6j
					; PopDereferenceWakeInfos+88CF3j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	206D654Dh
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopDereferenceWakeInfos	endp

; 
		align 4

;  S U B	R O U T	I N E 


PopWakeInfoDereference proc near	; CODE XREF: PopTimeoutWakeTracking+141p
					; PopDereferenceWakeInfos+31p ...

; FUNCTION CHUNK AT 005E010C SIZE 00000019 BYTES

		or	eax, 0FFFFFFFFh
		lock xadd [ecx+8], eax
		jz	loc_5E010C
		retn
PopWakeInfoDereference endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopGetCurrentWakeInfos proc near	; CODE XREF: PopGetWakeSource+3Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005E0125 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	ebx, ecx
		stosd
		mov	ecx, offset _PopWakeSourceLock
		stosd
		stosd
		xor	edi, edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, _PopWakeInfoCount
		test	esi, esi
		jz	short loc_557511
		push	206D654Dh
		mov	eax, esi
		shl	eax, 2
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_557552
		mov	eax, _PopWakeInfoList
		xor	ecx, ecx
		mov	edx, offset _PopWakeInfoList

loc_5574FD:				; CODE XREF: PopGetCurrentWakeInfos+67j
		cmp	eax, edx
		jz	short loc_557511
		cmp	ecx, esi
		jnb	short loc_557511
		mov	[edi+ecx*4], eax
		lock inc dword ptr [eax+8]
		mov	eax, [eax]
		inc	ecx
		jmp	short loc_5574FD
; 

loc_557511:				; CODE XREF: PopGetCurrentWakeInfos+2Cj
					; PopGetCurrentWakeInfos+57j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5E0125
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5E013D
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5E0135

loc_557540:				; CODE XREF: PopGetCurrentWakeInfos+88C88j
					; PopGetCurrentWakeInfos+88CA5j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[ebx], edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_557552:				; CODE XREF: PopGetCurrentWakeInfos+47j
		xor	esi, esi
		jmp	short loc_557511
PopGetCurrentWakeInfos endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopRunMaximumIrpWorkers()
_PopRunMaximumIrpWorkers@0 proc	near	; CODE XREF: PAGELK:0071EBE1p

var_14		= dword	ptr -14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	esi, offset _PopIrpWorkerMutex
		stosd
		mov	ecx, esi
		stosd
		stosd
		stosd
		stosd
		call	ExAcquireFastMutex
		mov	eax, _PopIrpWorkerPendingCount
		xor	ebx, ebx
		push	0Fh
		pop	edi
		sub	edi, eax
		mov	_PopCreateIrpWorkerAllowed, bl
		sub	edi, _PopIrpWorkerCount
		mov	ecx, esi
		add	eax, edi
		mov	_PopIrpWorkerPendingCount, eax
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		push	edi
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		mov	esi, ebx
		test	edi, edi
		jz	short loc_5575D6

loc_5575AE:				; CODE XREF: PopRunMaximumIrpWorkers()+68j
		lea	ecx, [ebp+var_14]
		call	PopCreateDynamicIrpWorker
		test	eax, eax
		js	short loc_5575BB
		inc	esi

loc_5575BB:				; CODE XREF: PopRunMaximumIrpWorkers()+62j
		sub	edi, 1
		jnz	short loc_5575AE
		test	esi, esi
		jz	short loc_5575D6

loc_5575C4:				; CODE XREF: PopRunMaximumIrpWorkers()+7Ej
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		call	KeWaitForSingleObject
		sub	esi, 1
		jnz	short loc_5575C4

loc_5575D6:				; CODE XREF: PopRunMaximumIrpWorkers()+56j
					; PopRunMaximumIrpWorkers()+6Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopRunMaximumIrpWorkers@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


PopCreateDynamicIrpWorker proc near	; CODE XREF: PopRunMaximumIrpWorkers()+5Bp
					; PopIrpWorkerControl+7DB0Bp

; FUNCTION CHUNK AT 005E0152 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, offset _PopDynamicIrpWorkerLookaside
		push	edi
		mov	ecx, ebx
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5E0152
		mov	edx, edi
		mov	[edi], esi
		mov	ecx, offset PopIrpWorker
		call	_PopCreatePowerThread@8	; PopCreatePowerThread(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_5E0157
		xor	esi, esi
		test	esi, esi
		js	loc_5E0157

loc_55761B:				; CODE XREF: PopCreateDynamicIrpWorker+88BA1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
PopCreateDynamicIrpWorker endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfApplyLatencyHint	proc near	; CODE XREF: PpmPerfApplyLatencyHints()+2Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E0182 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, _PpmCurrentProfile
		push	ebx
		imul	ebx, dword_6C2D0C, 0F0h
		push	esi
		mov	esi, [ecx+4]
		push	edi
		mov	edi, [ecx]
		add	ebx, edx
		mov	eax, [esi+4]
		mov	[ebp+var_8], eax
		mov	edx, [ebx+58h]
		call	PpmGetPerfPolicyClass
		movzx	eax, al
		mov	[ebp+var_4], eax
		movzx	ecx, byte ptr [ebx+eax+6Dh]
		cmp	edx, 1
		jz	short loc_557693
		cmp	edx, 3
		jz	short loc_557693
		cmp	edx, 5
		jz	short loc_55768E
		cmp	edx, 6
		jz	short loc_55768E
		cmp	ds:_PpmPerfBoostAtGuaranteed, 0
		jnz	short loc_55768E
		push	64h
		pop	eax

loc_55767C:				; CODE XREF: PpmPerfApplyLatencyHint+6Fj
					; PpmPerfApplyLatencyHint+74j
		cmp	ecx, eax
		jnb	short loc_557698

loc_557680:				; CODE XREF: PpmPerfApplyLatencyHint+78j
		cmp	ecx, [esi+28h]
		ja	loc_5E0182

loc_557689:				; CODE XREF: PpmPerfApplyLatencyHint+88B7Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55768E:				; CODE XREF: PpmPerfApplyLatencyHint+47j
					; PpmPerfApplyLatencyHint+4Cj ...
		mov	eax, [esi+8]
		jmp	short loc_55767C
; 

loc_557693:				; CODE XREF: PpmPerfApplyLatencyHint+3Dj
					; PpmPerfApplyLatencyHint+42j
		mov	eax, [edi+58h]
		jmp	short loc_55767C
; 

loc_557698:				; CODE XREF: PpmPerfApplyLatencyHint+5Cj
		mov	ecx, eax
		jmp	short loc_557680
PpmPerfApplyLatencyHint	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 311. ExAcquireSharedWaitForExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExAcquireSharedWaitForExclusive
ExAcquireSharedWaitForExclusive	proc near
					; CODE XREF: FsRtlAcquireFileForModWriteEx:loc_5BDD6Dp
					; FsRtlAcquireFileForModWriteEx+119494p ...

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_7		= byte ptr  0Fh

; FUNCTION CHUNK AT 005E01A6 SIZE 0000034A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [ebp+var_14]
		stosd
		push	7
		pop	ecx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_30]
		rep stosd
		inc	eax
		test	[esi+0Eh], al
		jnz	loc_5E01A6
		mov	edi, large fs:124h
		lea	ecx, [esi+34h]
		mov	eax, dword ptr ds:byte_70EFC4
		lea	edx, [ebp+var_14]
		inc	large dword ptr	fs:423Ch
		and	eax, 20000h
		mov	[ebp+arg_0], edi
		mov	[ebp+var_4], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	ebx, ebx

loc_5576F7:				; CODE XREF: ExAcquireSharedWaitForExclusive+118j
					; ExAcquireSharedWaitForExclusive+88B43j
		cmp	[esi+20h], ebx
		jnz	short loc_557777
		mov	ecx, esi
		call	_ExpTryAcquireResourceShared@4 ; ExpTryAcquireResourceShared(x)
		mov	ecx, [esi+1Ch]
		mov	edi, [ebp+arg_0]
		and	ecx, 7
		mov	[ebp+arg_7], al
		or	ecx, 8
		xor	eax, eax
		mov	[esi+18h], edi
		inc	eax
		mov	[esi+1Ch], ecx
		test	ds:byte_70EFC6,	al
		jnz	loc_5E04B2
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_5E04CA
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jnz	loc_5E04C2

loc_557749:				; CODE XREF: ExAcquireSharedWaitForExclusive+88E1Bj
		xor	ebx, ebx
		inc	ebx

loc_55774C:				; CODE XREF: ExAcquireSharedWaitForExclusive+88E34j
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4244h
		inc	large dword ptr	fs:41E4h
		cmp	[ebp+var_4], 0
		jnz	loc_5E04DB

loc_55776D:				; CODE XREF: ExAcquireSharedWaitForExclusive+88E49j
		mov	al, [ebp+arg_7]

loc_557770:				; CODE XREF: ExAcquireSharedWaitForExclusive+1B9j
					; ExAcquireSharedWaitForExclusive+88C06j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_557777:				; CODE XREF: ExAcquireSharedWaitForExclusive+58j
		mov	ax, [esi+0Eh]
		mov	ecx, 80h
		and	ax, cx
		mov	ecx, [ebp+arg_0]
		movzx	eax, ax
		test	ax, ax
		jnz	loc_5E01B7

loc_557792:				; CODE XREF: ExAcquireSharedWaitForExclusive+88B1Dj
		cmp	[esi+2Ch], ebx
		jnz	loc_5E01C5
		call	_ExpGetThreadResourceHint@4 ; ExpGetThreadResourceHint(x)
		push	eax
		xor	eax, eax
		mov	edx, ecx
		inc	eax
		mov	ecx, esi
		push	eax
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	@ExpFindCurrentThread@24 ; ExpFindCurrentThread(x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	loc_5576F7
		mov	edi, [ecx+4]
		mov	eax, edi
		and	eax, 7
		cmp	[ecx], ebx
		jnz	loc_5E02AD
		mov	edi, [ebp+arg_0]
		or	eax, 8
		mov	[ecx], edi
		mov	[ecx+4], eax
		mov	ecx, esi
		call	_ExpTryAcquireResourceShared@4 ; ExpTryAcquireResourceShared(x)
		mov	edi, [ebp+var_8]
		mov	edi, [edi+4]

loc_5577E8:				; CODE XREF: ExAcquireSharedWaitForExclusive+88C16j
		xor	eax, eax
		shr	edi, 3
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5E02BD
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_5E02D5
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jnz	loc_5E02CD

loc_55781C:				; CODE XREF: ExAcquireSharedWaitForExclusive+88C26j
					; ExAcquireSharedWaitForExclusive+88C3Fj
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	ecx, [edi-1]
		neg	ecx
		sbb	ecx, ecx
		xor	edx, edx
		and	ecx, 10h
		xor	eax, eax
		inc	edx
		add	ecx, 10041h
		cmp	edi, edx
		setnz	al
		lea	eax, ds:4244h[eax*4]
		inc	dword ptr fs:[eax]
		inc	large dword ptr	fs:4248h
		cmp	[ebp+var_4], ebx
		jnz	loc_5E02E6

loc_557859:				; CODE XREF: ExAcquireSharedWaitForExclusive+88C52j
		mov	al, dl
		jmp	loc_557770
ExAcquireSharedWaitForExclusive	endp


;  S U B	R O U T	I N E 


; __stdcall ExpTryAcquireResourceShared(x)
_ExpTryAcquireResourceShared@4 proc near ; CODE	XREF: ExAcquireSharedWaitForExclusive+5Cp
					; ExAcquireSharedWaitForExclusive+13Bp	...
		mov	eax, ecx
		mov	ecx, [eax+20h]
		test	ecx, ecx
		jnz	short loc_557877

loc_557869:				; CODE XREF: ExpTryAcquireResourceShared(x)+21j
		xor	edx, edx
		inc	edx
		inc	ecx
		mov	[eax+0Ch], dx
		mov	[eax+20h], ecx
		mov	al, dl
		retn
; 

loc_557877:				; CODE XREF: ExpTryAcquireResourceShared(x)+7j
		test	byte ptr [eax+0Eh], 80h
		jnz	short loc_557883
		cmp	dword ptr [eax+2Ch], 0
		jz	short loc_557869

loc_557883:				; CODE XREF: ExpTryAcquireResourceShared(x)+1Bj
		xor	al, al
		retn
_ExpTryAcquireResourceShared@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1684. PoFxNotifySurprisePowerOn

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxNotifySurprisePowerOn
PoFxNotifySurprisePowerOn proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E04F0 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	short loc_5578D9
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]

loc_5578A3:				; CODE XREF: PoFxNotifySurprisePowerOn+4Fj
		mov	dl, 1
		call	PopFxLockDevice
		mov	edi, eax
		test	edi, edi
		jnz	short loc_5578B6

loc_5578B0:				; CODE XREF: PoFxNotifySurprisePowerOn+4Bj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_5578B6:				; CODE XREF: PoFxNotifySurprisePowerOn+22j
		mov	ecx, [edi+20h]
		call	PopPepSurprisePowerOn
		or	ecx, 0FFFFFFFFh
		lock xadd [edi+80h], ecx
		dec	ecx
		jz	loc_5E04F0

loc_5578D0:				; CODE XREF: PoFxNotifySurprisePowerOn+88C74j
		mov	ecx, esi
		call	_PopDirectedDripsNotifyFxSurprisePoweredOn@4 ; PopDirectedDripsNotifyFxSurprisePoweredOn(x)
		jmp	short loc_5578B0
; 

loc_5578D9:				; CODE XREF: PoFxNotifySurprisePowerOn+Cj
		xor	ecx, ecx
		jmp	short loc_5578A3
PoFxNotifySurprisePowerOn endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsNotifyFxSurprisePoweredOn(x)
_PopDirectedDripsNotifyFxSurprisePoweredOn@4 proc near
					; CODE XREF: PoFxNotifySurprisePowerOn+46p
		test	ecx, ecx
		jz	short loc_5578FD
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]

loc_5578EB:				; CODE XREF: PopDirectedDripsNotifyFxSurprisePoweredOn(x)+21j
		test	eax, eax
		jz	short locret_5578FC
		mov	eax, [eax+1E4h]
		test	eax, 30000h
		jnz	short loc_557901

locret_5578FC:				; CODE XREF: PopDirectedDripsNotifyFxSurprisePoweredOn(x)+Fj
		retn
; 

loc_5578FD:				; CODE XREF: PopDirectedDripsNotifyFxSurprisePoweredOn(x)+2j
		xor	eax, eax
		jmp	short loc_5578EB
; 

loc_557901:				; CODE XREF: PopDirectedDripsNotifyFxSurprisePoweredOn(x)+1Cj
		xor	ecx, ecx
		inc	ecx
		jmp	_PopDirectedDripsStartDisengageTimer@4 ; PopDirectedDripsStartDisengageTimer(x)
_PopDirectedDripsNotifyFxSurprisePoweredOn@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepSurprisePowerOn proc near		; CODE XREF: PoFxNotifySurprisePowerOn+2Dp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E0505 SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, ecx
		lea	eax, [edi+2Ch]
		push	eax
		call	ExAcquireSpinLockExclusive
		xor	ecx, ecx
		mov	byte ptr [ebp+var_4], al
		mov	byte ptr [edi+4Dh], 1
		cmp	[edi+5Ch], ecx
		jz	loc_5E0505

loc_55792E:				; CODE XREF: PopPepSurprisePowerOn+88BFEj
					; PopPepSurprisePowerOn+88C09j	...
		push	[ebp+var_4]
		xor	edx, edx
		mov	ecx, edi
		push	1
		call	PopPepReleaseActivityLink
		pop	edi
		leave
		retn
PopPepSurprisePowerOn endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiDiscardTransitionPteEx(x,	x)
_MiDiscardTransitionPteEx@8 proc near	; CODE XREF: .text:0045D23Fp
					; .text:0045EBD4p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		xor	edx, edx
		mov	ecx, edi
		mov	esi, eax
		call	_MiRestoreTransitionPte@8 ; MiRestoreTransitionPte(x,x)
		and	dword ptr [edi+10h], 0FF800000h
		mov	ecx, esi
		and	dword ptr [edi+18h], 7FFFFFFFh
		and	byte ptr [edi+16h], 0C7h
		and	byte ptr [edi+17h], 0DFh
		or	dword ptr [edi+10h], 40000000h
		or	ebx, 2
		mov	edx, ebx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
_MiDiscardTransitionPteEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopReleaseWakeSourceSpinLock proc near	; CODE XREF: PopUpdateWakeSourceWorker(x)+50p
					; PopUpdateWakeSourceWorker(x)+156p ...

; FUNCTION CHUNK AT 005E0543 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ds:byte_70EFC6,	1
		push	esi
		mov	esi, ecx
		jnz	loc_5E0543
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5E0557
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5E0550

loc_5579C0:				; CODE XREF: PopReleaseWakeSourceSpinLock+88BBDj
					; PopReleaseWakeSourceSpinLock+88BD8j
		mov	cl, [esi+8]
		pop	esi
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
PopReleaseWakeSourceSpinLock endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopAcquireWakeSourceSpinLock(x)
_PopAcquireWakeSourceSpinLock@4	proc near ; CODE XREF: PopHandleWakeSources+65p
					; PopNewWakeInfo+51p ...
		mov	edx, ecx
		mov	ecx, offset _PopWakeSourceLock
		jmp	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
_PopAcquireWakeSourceSpinLock@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceRtcWakeInfo	proc near	; CODE XREF: PopValidateRTCWake+B9p

var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1E9		= dword	ptr -1E9h
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005E056B SIZE 00000233 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, _PopFixedWakeSourceMask
		mov	eax, ecx
		shr	eax, 3
		push	ebx
		and	eax, 1
		mov	[ebp+var_1F4], ecx
		push	esi
		mov	[ebp+var_1F8], eax
		xor	esi, esi
		mov	eax, ecx
		mov	[ebp+var_1F0], edx
		push	edi
		push	dword_6C272C
		shr	ecx, 2
		push	dword_6C2728
		and	ecx, 1
		shr	eax, 4
		and	eax, 1
		mov	[ebp+var_200], ecx
		lea	ecx, [ebp+var_210]
		mov	[ebp+var_210], esi
		mov	[ebp+var_20C], esi
		mov	[ebp+var_228], esi
		mov	[ebp+var_224], esi
		mov	[ebp+var_218], esi
		mov	[ebp+var_214], esi
		mov	[ebp+var_220], esi
		mov	[ebp+var_21C], esi
		mov	[ebp+var_1FC], eax
		call	_PopDiagInterruptTimeToSystemTime@12 ; PopDiagInterruptTimeToSystemTime(x,x,x)
		push	dword_6C2744
		lea	ecx, [ebp+var_218]
		push	dword_6C2740
		call	_PopDiagInterruptTimeToSystemTime@12 ; PopDiagInterruptTimeToSystemTime(x,x,x)
		push	dword_6C2704
		lea	ecx, [ebp+var_220]
		push	dword_6C2700
		call	_PopDiagInterruptTimeToSystemTime@12 ; PopDiagInterruptTimeToSystemTime(x,x,x)
		push	[ebp+arg_14]
		lea	ecx, [ebp+var_228]
		push	[ebp+arg_10]
		call	_PopDiagInterruptTimeToSystemTime@12 ; PopDiagInterruptTimeToSystemTime(x,x,x)
		mov	eax, _PopPendingUserPresenceDuringSystemSleep
		xor	ebx, ebx
		test	eax, eax
		push	4
		setnz	bl
		cmp	dword_6B23F8, 5
		mov	[ebp+var_204], ebx
		pop	edi
		jbe	short loc_557AE8
		push	4000h
		push	esi
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_5E056B

loc_557AE8:				; CODE XREF: PopDiagTraceRtcWakeInfo+F6j
		push	4
		pop	ebx

loc_557AEB:				; CODE XREF: PopDiagTraceRtcWakeInfo+88DC1j
		cmp	_PopDiagHandleRegistered, 0
		jz	loc_557C71
		mov	esi, dword_6C1D74
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_RTC_WAKE_INFO
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_557C71
		lea	eax, [ebp+var_1F0]
		mov	[ebp+var_E0], ebx
		mov	[ebp+var_E8], eax
		xor	ecx, ecx
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_D8], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_1F4]
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_1F8]
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_1FC]
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_200]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_210]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_218]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_220]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_228]
		push	8
		pop	edx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_204]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_E8]
		push	eax
		push	0Eh
		push	ecx
		push	offset _POP_ETW_EVENT_RTC_WAKE_INFO
		push	esi
		push	edi
		mov	[ebp+var_DC], ecx
		mov	[ebp+var_D4], ecx
		mov	[ebp+var_D0], ebx
		mov	[ebp+var_CC], ecx
		mov	[ebp+var_C4], ecx
		mov	[ebp+var_C0], ebx
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_94], ecx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_84], ecx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_557C71:				; CODE XREF: PopDiagTraceRtcWakeInfo+11Aj
					; PopDiagTraceRtcWakeInfo+13Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
PopDiagTraceRtcWakeInfo	endp


;  S U B	R O U T	I N E 


; __stdcall PopFxIdleDevicesFromSx(x)
_PopFxIdleDevicesFromSx@4 proc near	; CODE XREF: PoBroadcastSystemState+354p
					; PoBroadcastSystemState:loc_729639p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopFxDeviceList

loc_557CA7:				; CODE XREF: PopFxIdleDevicesFromSx(x)+46j
		cmp	esi, offset _PopFxDeviceList
		jz	short loc_557CE2
		mov	edi, [esi+1Ch]
		test	edi, edi
		jz	short loc_557CC6
		mov	eax, [esi+238h]
		test	al, 1
		jnz	short loc_557CC6
		cmp	byte ptr [edi+78h], 1
		jb	short loc_557CCA

loc_557CC6:				; CODE XREF: PopFxIdleDevicesFromSx(x)+32j
					; PopFxIdleDevicesFromSx(x)+3Cj ...
		mov	esi, [esi]
		jmp	short loc_557CA7
; 

loc_557CCA:				; CODE XREF: PopFxIdleDevicesFromSx(x)+42j
		mov	ecx, [edi+10h]
		call	PoFxIdleDevice
		mov	ecx, 0FFFFEFFFh
		lea	eax, [edi+0A8h]
		lock and [eax],	ecx
		jmp	short loc_557CC6
; 

loc_557CE2:				; CODE XREF: PopFxIdleDevicesFromSx(x)+2Bj
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_557CF7
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_557CF7:				; CODE XREF: PopFxIdleDevicesFromSx(x)+6Cj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_PopFxIdleDevicesFromSx@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopFxActivateDevicesForSx(x)
_PopFxActivateDevicesForSx@4 proc near	; CODE XREF: PopFxPrepareDevicesForShutdown()+20Bp
					; PoBroadcastSystemState+3B0p ...
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	ebx, ecx
		nop
		mov	edi, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopFxDeviceList
		cmp	esi, offset _PopFxDeviceList
		jz	short loc_557D5B

loc_557D3D:				; CODE XREF: PopFxActivateDevicesForSx(x)+46j
		mov	edi, [esi+1Ch]
		test	edi, edi
		jz	short loc_557D4C
		movzx	eax, byte ptr [edi+78h]
		cmp	eax, ebx
		jb	short loc_557D86

loc_557D4C:				; CODE XREF: PopFxActivateDevicesForSx(x)+34j
					; PopFxActivateDevicesForSx(x)+80j ...
		mov	esi, [esi]
		cmp	esi, offset _PopFxDeviceList
		jnz	short loc_557D3D
		mov	edi, offset _PopFxDeviceListLock

loc_557D5B:				; CODE XREF: PopFxActivateDevicesForSx(x)+2Dj
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_557D70
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_557D70:				; CODE XREF: PopFxActivateDevicesForSx(x)+59j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
; 

loc_557D86:				; CODE XREF: PopFxActivateDevicesForSx(x)+3Cj
		mov	eax, [esi+238h]
		test	al, 1
		jnz	short loc_557D4C
		mov	ecx, [edi+10h]
		xor	dl, dl
		push	0
		call	PopFxActivateDevice
		mov	ecx, 1000h
		lea	eax, [edi+0A8h]
		lock or	[eax], ecx
		jmp	short loc_557D4C
_PopFxActivateDevicesForSx@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 959. IoReportInterruptActive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoReportInterruptActive
IoReportInterruptActive	proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E079E SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edx, [ecx]
		mov	eax, edx
		sub	eax, 1
		jnz	loc_5E079E

loc_557DCA:				; CODE XREF: IoReportInterruptActive+889F9j
		mov	ecx, [ecx+4]
		call	_IopUnmaskInterrupt@4 ;	IopUnmaskInterrupt(x)

loc_557DD2:				; CODE XREF: IoReportInterruptActive+88A18j
					; IoReportInterruptActive+88A31j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
IoReportInterruptActive	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopUnmaskInterrupt(x)
_IopUnmaskInterrupt@4 proc near		; CODE XREF: IoReportInterruptActive+1Bp
					; IoReportInterruptActive+88A23p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	edx, [esi-5Ch]
		not	edx
		movzx	eax, dl
		shr	edx, 8
		mov	bl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		mov	ecx, edx
		shr	ecx, 8
		add	bl, ds:_RtlpBitsClearTotal[eax]
		lea	eax, [esi-58h]
		push	eax
		movzx	eax, dl
		mov	dl, ds:_RtlpBitsClearTotal[ecx]
		lea	ecx, [esi+104h]
		add	dl, ds:_RtlpBitsClearTotal[eax]
		add	dl, bl
		call	KeUnmaskInterrupt
		pop	esi
		pop	ebx
		retn
_IopUnmaskInterrupt@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeUnmaskInterrupt proc near		; CODE XREF: IopUnmaskInterrupt(x)+43p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E081A SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	bh, dl
		push	edi
		mov	edi, ecx
		mov	ecx, esi
		call	KiIsInterruptTypeSecondary
		xor	ecx, ecx
		test	al, al
		setnz	cl
		xor	bl, bl
		mov	[ebp+var_4], ecx
		test	bh, bh
		jz	short loc_557E75

loc_557E4D:				; CODE XREF: KeUnmaskInterrupt+4Aj
		movzx	eax, bl
		push	0FFFFFFFEh
		pop	esi
		mov	edx, [edi+eax*4]
		add	edx, 3Ch
		mov	eax, [edx]

loc_557E5B:				; CODE XREF: KeUnmaskInterrupt+3Dj
		mov	ecx, eax
		and	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_557E5B
		mov	esi, [ebp+arg_0]
		test	al, 1
		jz	short loc_557EA7
		inc	bl
		cmp	bl, bh
		jb	short loc_557E4D
		mov	ecx, [ebp+var_4]

loc_557E75:				; CODE XREF: KeUnmaskInterrupt+25j
		cmp	dword ptr [esi+8], 0
		jnz	short loc_557EAE
		mov	edi, [edi]
		mov	eax, [esi+38h]

loc_557E80:				; DATA XREF: .text:SwapContext()o
		cmp	ecx, 1
		jz	loc_5E081A
		push	0
		push	eax
		call	off_6B1304	; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)

loc_557E92:				; CODE XREF: KeUnmaskInterrupt+889FEj
		mov	ecx, eax

loc_557E94:				; CODE XREF: KeUnmaskInterrupt+86j
		lea	eax, [ecx-128h]
		neg	eax
		sbb	eax, eax
		and	eax, ecx

loc_557EA0:				; CODE XREF: KeUnmaskInterrupt+8Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_557EA7:				; CODE XREF: KeUnmaskInterrupt+44j
		mov	ecx, 127h
		jmp	short loc_557E94
; 

loc_557EAE:				; CODE XREF: KeUnmaskInterrupt+53j
		xor	eax, eax
		jmp	short loc_557EA0
KeUnmaskInterrupt endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoFlushAll(x)
_CmpDoFlushAll@4 proc near		; CODE XREF: NtFlushKey(x)+18Ep
					; CmReconcileAndValidateAllHives()+4Dp	...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_CmpNoWrite,	0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], ecx
		jnz	short loc_557F1D
		call	CmpGetLastHive
		mov	edi, eax
		test	edi, edi
		jz	short loc_557F1D
		xor	ecx, ecx
		jmp	short loc_557F04
; 

loc_557ED6:				; CODE XREF: CmpDoFlushAll(x)+5Bj
		lea	ebx, [esi+430h]
		mov	ecx, ebx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_557EFE
		test	byte ptr [esi+64h], 2
		jnz	short loc_557EF7
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		call	CmpFlushHive

loc_557EF7:				; CODE XREF: CmpDoFlushAll(x)+39j
		mov	ecx, ebx
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_557EFE:				; CODE XREF: CmpDoFlushAll(x)+33j
		cmp	esi, edi
		jz	short loc_557F0F
		mov	ecx, esi

loc_557F04:				; CODE XREF: CmpDoFlushAll(x)+22j
		call	CmpGetNextHive
		mov	esi, eax
		test	esi, esi
		jnz	short loc_557ED6

loc_557F0F:				; CODE XREF: CmpDoFlushAll(x)+4Ej
		mov	ecx, esi
		call	_CmpQuitNextHive@4 ; CmpQuitNextHive(x)
		mov	ecx, edi
		call	_CmpDereferenceHive@4 ;	CmpDereferenceHive(x)

loc_557F1D:				; CODE XREF: CmpDoFlushAll(x)+13j
					; CmpDoFlushAll(x)+1Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpDoFlushAll@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxUpdateDeviceAccountingEnhanced proc near ;	CODE XREF: PopPepDeviceDState+E9p
					; PopPepDeviceDState+18Dp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E0829 SIZE 0000006B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		lea	esi, [ecx+160h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	loc_5E0829
		js	loc_5E0829

loc_557F52:				; CODE XREF: PopFxUpdateDeviceAccountingEnhanced+8890Dj
					; PopFxUpdateDeviceAccountingEnhanced+8891Cj ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5E0885
		xor	eax, eax
		lock and [esi],	eax

loc_557F64:				; CODE XREF: PopFxUpdateDeviceAccountingEnhanced+8896Dj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
PopFxUpdateDeviceAccountingEnhanced endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall wil_details_StagingConfig_Load(void *,int,int,int,int)
wil_details_StagingConfig_Load proc near
					; CODE XREF: wil_StagingConfig_QueryFeatureState+4Cp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E0894 SIZE 00000189 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		push	34h		; size_t
		xor	esi, esi
		mov	[ebp+var_30], edx
		mov	edi, ecx
		mov	[ebp+var_20], ebx
		push	esi		; int
		push	edi		; void *
		mov	[ebp+var_C], edi
		mov	[ebp+var_34], esi
		call	_memset
		mov	eax, [ebp+var_30]
		add	esp, 0Ch
		neg	ebx
		mov	[edi], eax
		mov	[ebp+var_24], esi
		sbb	ebx, ebx
		and	ebx, 0C8h
		test	eax, eax
		jnz	loc_5E0894
		mov	eax, ds:___WIL_WNF_WIL_MACHINE_FEATURE_STORE
		mov	ecx, ds:dword_411064

loc_557FCD:				; CODE XREF: wil_details_StagingConfig_Load+8892Bj
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_20]
		mov	[ebp+var_18], eax
		xor	ecx, ecx
		lea	eax, [edi+8]
		mov	[ebp+var_1C], ebx
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_18]
		push	eax
		call	_ZwQueryWnfStateData@24	; ZwQueryWnfStateData(x,x,x,x,x,x)
		mov	[ebp+var_28], eax
		push	10h
		pop	edx
		test	eax, eax
		jnz	short loc_558005
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	loc_5E08A4
		mov	esi, ecx

loc_558005:				; CODE XREF: wil_details_StagingConfig_Load+82j
					; wil_details_StagingConfig_Load+88993j
		cmp	eax, 0C0000023h
		jz	loc_5E08A4
		test	eax, eax
		jnz	loc_5E0A03
		test	esi, esi
		jz	loc_5E0A03
		mov	edx, [ebp+var_1C]
		cmp	edx, 4
		ja	short loc_558097

loc_558028:				; CODE XREF: wil_details_StagingConfig_Load+128j
		push	10h
		pop	ecx
		cmp	edx, ecx
		jnb	loc_5E0916

loc_558033:				; CODE XREF: wil_details_StagingConfig_Load+889A6j
					; wil_details_StagingConfig_Load+889B6j ...
		mov	[ebp+var_1C], ecx
		xor	eax, eax
		mov	edi, esi
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_C]
		mov	[esi+2], cx
		mov	word ptr [esi],	202h
		mov	edx, [ebp+var_1C]
		mov	[edi+14h], esi
		movzx	ecx, word ptr [esi+2]
		add	ecx, esi
		mov	[edi+18h], ecx
		movzx	eax, word ptr [esi+4]
		imul	eax, 0Ch
		add	eax, ecx
		mov	[edi+1Ch], eax

loc_558065:				; CODE XREF: wil_details_StagingConfig_Load+88A55j
					; wil_details_StagingConfig_Load+88A5Fj ...
		mov	ecx, [ebp+var_24]
		mov	[edi+24h], esi
		mov	[edi+28h], edx
		test	ecx, ecx
		jnz	short loc_558077
		mov	ebx, 0C8h

loc_558077:				; CODE XREF: wil_details_StagingConfig_Load+FCj
		xor	eax, eax
		mov	[edi+2Ch], ebx
		cmp	esi, ecx
		setz	al
		mov	[edi+30h], eax
		xor	eax, eax

loc_558086:				; CODE XREF: wil_details_StagingConfig_Load+8899Dj
					; wil_details_StagingConfig_Load+88AA4j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_558097:				; CODE XREF: wil_details_StagingConfig_Load+B2j
		mov	al, [esi]
		mov	[edi+0Ch], al
		jmp	short loc_558028
wil_details_StagingConfig_Load endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceEsState(x, x, x, x,	x, x, x, x)
_PopTraceEsState@32 proc near		; CODE XREF: PopEsSnapTelemetry+83p

var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	dword_6B23F8, 5
		mov	cl, _PopEsLastUserAwaySetting
		mov	eax, _PopEsReason
		push	ebx
		mov	bl, _PopEsAcOnline
		push	esi
		mov	esi, _PopEsLastBatteryThreshold
		push	edi
		mov	edi, _PopEsMode
		jbe	loc_5581F3
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_88], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_68], eax
		movzx	eax, bl
		xor	ebx, ebx
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_BC]
		and	[ebp+var_84], 0
		and	[ebp+var_7C], 0
		and	[ebp+var_74], 0
		and	[ebp+var_6C], 0
		and	[ebp+var_64], 0
		and	[ebp+var_5C], 0
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_38], eax
		movzx	eax, cl
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_AC]
		push	4
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_B4], edx
		pop	edx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	0Ah
		push	ebx
		push	ebx
		push	(offset	loc_41EFC6+2)
		push	offset dword_6B23F8
		mov	[ebp+var_80], 4
		mov	[ebp+var_70], 8
		mov	[ebp+var_60], edx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_BC], edi
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_C0], esi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_D0], 1000000h
		mov	[ebp+var_CC], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_5581F3:				; CODE XREF: PopTraceEsState(x,x,x,x,x,x,x,x)+3Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_PopTraceEsState@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceSessionDisplayStateChange(x, x,	x, x)
_PopDiagTraceSessionDisplayStateChange@16 proc near ; CODE XREF: NtPowerInformation+EFEp
					; PopPowerInformationInternal+171318p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	[ebp+var_38], edx
		push	esi
		mov	esi, offset _POP_ETW_EVENT_SESSION_DISPLAY_OFF
		test	cl, cl
		jnz	short loc_558228
		mov	esi, offset _POP_ETW_EVENT_SESSION_DISPLAY_ON

loc_558228:				; CODE XREF: PopDiagTraceSessionDisplayStateChange(x,x,x,x)+1Dj
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_55828E
		push	ebx
		mov	ebx, _PopDiagHandle
		push	edi
		mov	edi, dword_6C1D74
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_55828C
		lea	eax, [ebp+var_38]
		xor	edx, edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	esi
		push	edi
		push	ebx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_55828C:				; CODE XREF: PopDiagTraceSessionDisplayStateChange(x,x,x,x)+45j
		pop	edi
		pop	ebx

loc_55828E:				; CODE XREF: PopDiagTraceSessionDisplayStateChange(x,x,x,x)+2Bj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopDiagTraceSessionDisplayStateChange@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcDeleteBcbs	proc near		; CODE XREF: CcDeleteSharedCacheMap+2E2p
					; CcSetFileSizesEx+1178D7p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005E0A1D SIZE 00000145 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+20h+var_C]
		stosd
		mov	ebx, ecx
		stosd
		stosd
		call	CcGetPartition
		mov	[esp+20h+var_10], eax
		lea	eax, [ebx+10h]
		mov	edi, [eax]

loc_5582C5:				; CODE XREF: CcDeleteBcbs+3Bj
					; CcDeleteBcbs+8888Cj
		cmp	edi, eax
		jz	short loc_5582E0
		lea	esi, [edi-10h]
		mov	edx, 2FDh
		lea	ecx, [esi+10h]
		mov	edi, [ecx]
		cmp	[esi], dx
		jnz	short loc_5582C5
		jmp	loc_5E0A1D
; 

loc_5582E0:				; CODE XREF: CcDeleteBcbs+29j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
CcDeleteBcbs	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiIntRedirectDisconnect(x, x)
_KiIntRedirectDisconnect@8 proc	near	; CODE XREF: KeDisconnectInterrupt+81p
		mov	eax, [ecx]
		push	edi
		mov	edi, [eax+0C8h]
		test	edi, edi
		jz	short loc_558317
		push	esi
		xor	esi, esi
		test	edx, edx
		jz	short loc_55830B

loc_5582FC:				; CODE XREF: KiIntRedirectDisconnect(x,x)+21j
		mov	eax, [ecx+esi*4]
		and	dword ptr [eax+0C8h], 0
		inc	esi
		cmp	esi, edx
		jb	short loc_5582FC

loc_55830B:				; CODE XREF: KiIntRedirectDisconnect(x,x)+12j
		push	5249654Bh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi

loc_558317:				; CODE XREF: KiIntRedirectDisconnect(x,x)+Bj
		xor	eax, eax
		pop	edi
		retn
_KiIntRedirectDisconnect@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCSparseBitmapCleanup(x)
_RtlCSparseBitmapCleanup@4 proc	near	; CODE XREF: RtlHpHeapManagerCleanup(x)+21p
					; RtlHpHeapManagerCleanup(x)+2Cj

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	ecx, [ebx+4]
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	short loc_5583A9
		push	esi
		mov	esi, [ebx+8]
		mov	edx, 0FFFh
		add	esi, 7
		mov	eax, 0FFFFF000h
		shr	esi, 3
		push	edi
		add	esi, edx
		and	esi, eax
		mov	edi, esi
		shr	edi, 0Ch
		add	edi, 7
		shr	edi, 3
		add	edi, edx
		and	edi, eax
		cmp	dword ptr [ebx], 0
		jz	short loc_558376
		movzx	eax, byte ptr [ebx+1Ah]
		movzx	edx, byte ptr [ebx+19h]
		push	1
		push	eax
		push	edx
		mov	edx, esi
		call	_RtlpEnvRegisterFaultRange@20 ;	RtlpEnvRegisterFaultRange(x,x,x,x,x)
		mov	eax, [ebx+4]
		mov	[ebp+var_4], eax

loc_558376:				; CODE XREF: RtlCSparseBitmapCleanup(x)+3Fj
		movzx	ecx, byte ptr [ebx+1Bh]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		call	__allshl
		dec	esi
		lea	edx, [ebp+var_8]
		push	8000h
		lea	ecx, [eax+edi]
		neg	eax
		add	ecx, esi
		and	ecx, eax
		mov	eax, [ebp+var_4]
		mov	[ebp+var_8], ecx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], eax
		call	_RtlpHpEnvFreeVA@12 ; RtlpHpEnvFreeVA(x,x,x)
		pop	edi
		pop	esi

loc_5583A9:				; CODE XREF: RtlCSparseBitmapCleanup(x)+12j
		pop	ebx
		leave
		retn
_RtlCSparseBitmapCleanup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpVaMgrCtxAllocatorDereference proc	near
					; CODE XREF: RtlpHpRegisterEnvironment(x,x):loc_55FB8Fp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		imul	esi, [edx], 1Ch
		mov	ebx, ecx
		lea	eax, [ebx+34h]
		push	eax
		add	esi, ebx
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al
		mov	eax, 0FFFFh
		add	[esi+52h], ax
		jz	loc_5E0B48

loc_5583D6:				; CODE XREF: CcDeleteBcbs+888BFj
		lea	eax, [ebx+34h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebx
		leave
		retn
RtlpHpVaMgrCtxAllocatorDereference endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiTimerExpirationDpc proc near		; DATA XREF: KeInitializeTimerTable+33o

var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E0B62 SIZE 0000009A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0FCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0FCh+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [esp+108h+var_D8]
		push	0D0h		; size_t
		push	esi		; int
		push	eax		; void *
		mov	[esp+114h+var_F0], esi
		mov	[esp+114h+var_EC], esi
		call	_memset
		add	esp, 0Ch
		test	ds:dword_70EFC8, 20000h
		jnz	loc_5E0B62

loc_558438:				; CODE XREF: KiTimerExpirationDpc+887A1j
		mov	ebx, large fs:20h
		mov	edi, 0FFDF0018h
		mov	[esp+108h+var_F8], ebx
		mov	[esp+108h+var_F4], esi
		mov	eax, [edi]
		mov	[esp+108h+var_CC], eax
		lea	eax, [edi-4]
		mov	eax, [eax]
		mov	[esp+108h+var_D0], eax
		lea	eax, [edi+4]
		mov	eax, [eax]
		cmp	[esp+108h+var_CC], eax
		jnz	loc_5E0B92

loc_55846A:				; CODE XREF: KiTimerExpirationDpc+887D1j
		cli
		mov	[esp+108h+var_F0], esi
		mov	esi, ds:0FFDF000Ch
		mov	edi, ds:0FFDF0008h
		cmp	esi, ds:0FFDF0010h
		jnz	loc_5E0BC2

loc_558487:				; CODE XREF: KiTimerExpirationDpc+887F8j
		cmp	ds:_KiSerializeTimerExpiration,	0
		jz	loc_5E0BE9
		cmp	byte ptr [ebx+3D0h], 0
		jz	short loc_5584B1
		mov	edx, ds:_KiProcessorBlock
		mov	ecx, edi
		mov	eax, esi
		shrd	ecx, eax, 12h
		mov	[edx+3AA8h], ecx

loc_5584B1:				; CODE XREF: KiTimerExpirationDpc+AFj
					; KiTimerExpirationDpc+8880Bj
		sti
		mov	edx, [ebp+arg_8]
		lea	eax, [esp+108h+var_D8]
		push	eax
		push	ecx
		push	esi
		push	edi
		mov	ecx, ebx
		call	KiTimerExpiration
		mov	dword ptr [ebx+21F4h], 0
		cmp	byte ptr [ebx+3D0h], 0
		jz	short loc_5584E9
		lea	eax, [esp+108h+var_D8]
		mov	dl, 1
		push	eax
		push	1
		push	esi
		push	edi
		mov	ecx, ebx
		call	KiTimer2Expiration

loc_5584E9:				; CODE XREF: KiTimerExpirationDpc+E9j
		mov	ecx, [esp+108h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
KiTimerExpirationDpc endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteSessionPdes(x, x)
_MiDeleteSessionPdes@8 proc near	; CODE XREF: MiUnloadSystemImage+19Ep

var_18		= dword	ptr -18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [ebp+var_18]
		pop	ecx
		xor	eax, eax
		rep stosd
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		lea	ecx, [ebp+var_18]
		shl	edx, 12h
		push	ecx
		push	0
		push	1
		push	edx
		shl	esi, 12h
		mov	dl, 21h
		push	esi
		mov	ecx, eax
		call	_MiDeletePagablePteRange@28 ; MiDeletePagablePteRange(x,x,x,x,x,x,x)
		mov	esi, [ebp+var_18]
		mov	edi, offset _MiSystemPartition
		mov	edx, esi
		mov	ecx, edi
		call	MiReturnCommit
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	_MiReturnSystemCharges@12 ; MiReturnSystemCharges(x,x,x)
		pop	edi
		pop	esi
		leave
		retn
_MiDeleteSessionPdes@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1685. PoFxPowerControl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxPowerControl
PoFxPowerControl proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005E0BFC SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	ecx, [edi+80h]
		lock inc dword ptr [ecx]
		cmp	byte ptr [edi+7Ch], 0
		jnz	loc_5E0BFC
		mov	eax, [ebp+arg_18]
		xor	esi, esi
		mov	edx, [edi+20h]
		mov	ebx, 0C00000BBh
		mov	[ebp+arg_0], edx
		test	eax, eax
		jnz	short loc_5585AD

loc_55858C:				; CODE XREF: PoFxPowerControl+55j
		cmp	byte ptr [edx+4Ch], 0
		jnz	loc_5E0C1F

loc_558596:				; CODE XREF: PoFxPowerControl+886E8j
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		dec	eax
		jz	loc_5E0C47

loc_5585A4:				; CODE XREF: PoFxPowerControl+886C0j
					; PoFxPowerControl+886FBj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	1Ch
; 

loc_5585AD:				; CODE XREF: PoFxPowerControl+30j
		mov	[eax], esi
		jmp	short loc_55858C
PoFxPowerControl endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpServiceMainThreadBoost proc near	; CODE XREF: PfpScenCtxScenarioSet+E0p

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E0C5A SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	eax, [ebx+4]
		mov	[ebp+var_8], eax
		cmp	[ebx], edi
		jz	loc_5E0C5A
		mov	dword ptr [eax+58h], 1
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [esi+40h]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+var_8]
		inc	dword ptr [esi+44h]
		mov	eax, [esi+44h]
		mov	[ecx+5Ch], eax
		cmp	[esi+38h], edi
		jnz	short loc_55860B
		mov	eax, [ebx]
		push	0Ch
		push	eax
		mov	[esi+38h], eax
		mov	[ebx], edi
		call	KeSetActualBasePriorityThread
		mov	[esi+3Ch], eax

loc_55860B:				; CODE XREF: PfpServiceMainThreadBoost+45j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E0C64
		xor	ecx, ecx
		lea	eax, [esi+40h]
		lock and [eax],	ecx

loc_558620:				; CODE XREF: PfpServiceMainThreadBoost+886BDj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_8]
		push	edi
		add	esi, 20h
		push	esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		mov	eax, [ebp+var_8]
		push	eax
		push	offset PfpPowerActionDpcRoutine
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	0FFFFFFFFh
		push	0F4143E00h
		push	[ebp+var_8]
		xor	edx, edx
		mov	ecx, esi
		push	edi
		call	KiSetTimerEx
		mov	[ebx+4], edi

loc_55865C:				; CODE XREF: PfpServiceMainThreadBoost+886ADj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PfpServiceMainThreadBoost endp

; 
		align 8
; Exported entry 2033. RtlDeleteElementGenericTableAvlEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlDeleteElementGenericTableAvlEx
RtlDeleteElementGenericTableAvlEx proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E0C74 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	edi, [esi+20h]
		jz	loc_5E0C74

loc_55867E:				; CODE XREF: RtlDeleteElementGenericTableAvlEx+88616j
		inc	dword ptr [esi+24h]
		mov	edx, edi
		mov	ecx, esi
		call	_DeleteNodeFromTree@8 ;	DeleteNodeFromTree(x,x)
		dec	dword ptr [esi+18h]
		and	dword ptr [esi+14h], 0
		and	dword ptr [esi+10h], 0
		push	edi
		push	esi
		call	dword ptr [esi+30h]
		pop	edi
		pop	esi
		pop	ebp
		retn	8
RtlDeleteElementGenericTableAvlEx endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall BiZwDeleteKey(x)
_BiZwDeleteKey@4 proc near		; CODE XREF: BiDeleteKey+45p
		mov	edi, edi
		push	ecx
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)
		retn
_BiZwDeleteKey@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpPowerActionDpcRoutine proc near	; DATA XREF: PfpServiceMainThreadBoost+88o
					; PfpStartLoggingHardFaultEvents+7Eo

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E0C83 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, offset unk_6D48B0
		mov	ecx, ebx
		mov	esi, [edi+58h]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	esi, esi
		jz	short loc_5586FF
		cmp	dword_6D48A8, 0
		mov	eax, dword_6D48B4
		jnz	loc_5E0C83

loc_5586DA:				; CODE XREF: PfpPowerActionDpcRoutine+5Dj
					; PfpPowerActionDpcRoutine+6Aj	...
		test	ds:byte_70EFC6,	1
		jnz	loc_5E0CAB
		xor	eax, eax
		lock and [ebx],	eax

loc_5586EC:				; CODE XREF: PfpPowerActionDpcRoutine+8860Bj
		test	edi, edi
		jz	short loc_5586F8
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5586F8:				; CODE XREF: PfpPowerActionDpcRoutine+44j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_5586FF:				; CODE XREF: PfpPowerActionDpcRoutine+1Cj
		mov	eax, dword_6D48B8
		cmp	eax, [edi+5Ch]
		jnz	short loc_5586DA
		push	0FFFFFFFEh
		pop	ecx
		mov	eax, offset byte_6FB62C
		lock and [eax],	ecx
		jmp	short loc_5586DA
PfpPowerActionDpcRoutine endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExWakeTimersPause proc near		; CODE XREF: PAGELK:0071F0CEp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E0CBA SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_18], 0
		mov	ecx, offset _ExpWakeTimerLock
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		push	edi
		lock bts dword ptr [ecx], 0
		jb	loc_5E0CBA

loc_558739:				; CODE XREF: ExWakeTimersPause+885ACj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		call	KeQueryInterruptTime
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_18]
		push	eax
		mov	[ebp+var_8], edx
		call	KeQuerySystemTime
		mov	esi, _ExpWakeTimerList

loc_55875C:				; CODE XREF: ExWakeTimersPause+90j
					; ExWakeTimersPause+885BBj
		cmp	esi, offset _ExpWakeTimerList
		jz	short loc_5587A8
		lea	edi, [esi-94h]
		mov	esi, [esi]
		lea	ebx, [edi+28h]
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	dword ptr [edi+90h], 0
		jz	short loc_558794
		push	[ebp+var_8]
		mov	dl, 1
		mov	ecx, edi
		push	[ebp+var_C]
		push	[ebp+var_14]
		push	[ebp+var_18]
		call	ExpTimerPause

loc_558794:				; CODE XREF: ExWakeTimersPause+67j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E0CC7
		xor	eax, eax
		lock and [ebx],	eax
		jmp	short loc_55875C
; 

loc_5587A8:				; CODE XREF: ExWakeTimersPause+4Cj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
ExWakeTimersPause endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExWakeTimersResume proc	near		; CODE XREF: PAGELK:0071FACAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E0CD6 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		call	KeQueryInterruptTime
		mov	esi, _ExpWakeTimerList
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], edx

loc_5587DB:				; CODE XREF: ExWakeTimersResume+71j
					; ExWakeTimersResume+8852Aj
		cmp	esi, offset _ExpWakeTimerList
		jz	short loc_558829
		lea	edi, [esi-94h]
		mov	esi, [esi]
		lea	ebx, [edi+28h]
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	dword ptr [edi+90h], 0
		jz	short loc_558815
		mov	eax, [edi+9Ch]
		test	eax, eax
		jnz	short loc_55884B

loc_558808:				; CODE XREF: ExWakeTimersResume+9Bj
		push	[ebp+var_8]
		mov	ecx, edi
		push	[ebp+var_C]
		call	ExpTimerResume

loc_558815:				; CODE XREF: ExWakeTimersResume+46j
					; ExWakeTimersResume+99j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E0CD6
		xor	eax, eax
		lock and [ebx],	eax
		jmp	short loc_5587DB
; 

loc_558829:				; CODE XREF: ExWakeTimersResume+2Bj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	eax, 0FFFFFFFFh
		mov	ecx, offset _ExpWakeTimerLock
		lock xadd [ecx], eax
		test	al, 2
		jnz	loc_5E0CE5

loc_558846:				; CODE XREF: ExWakeTimersResume+88531j
					; ExWakeTimersResume+8853Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55884B:				; CODE XREF: ExWakeTimersResume+50j
		test	byte ptr [eax+64h], 8
		jnz	short loc_558815
		jmp	short loc_558808
ExWakeTimersResume endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopActionRetrieveInitialState proc near	; CODE XREF: PAGELK:0071EDBCp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E0CF7 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6C26C4
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		push	6
		pop	ebx
		cmp	eax, 4
		jz	loc_5E0D07
		push	5
		pop	ecx
		cmp	eax, ecx
		jz	loc_5E0D07
		cmp	eax, ebx
		jz	loc_5E0D07
		cmp	eax, 7
		jz	loc_5E0CF7
		mov	ecx, _PopPolicy
		mov	eax, [ecx+48h]
		mov	[edi], eax
		mov	eax, [ecx+44h]
		cmp	eax, [esi]
		jg	short loc_5588F6

loc_55889F:				; CODE XREF: PopActionRetrieveInitialState+A4j
					; PopActionRetrieveInitialState+884AEj	...
		mov	eax, [esi]
		cmp	eax, [edi]
		jle	short loc_5588A7
		mov	[edi], eax

loc_5588A7:				; CODE XREF: PopActionRetrieveInitialState+4Fj
		mov	eax, [ebp+arg_4]
		mov	byte ptr [eax],	1
		cmp	[esi], ebx
		jz	short loc_5588FA
		test	dword_6C26CC, 80000000h
		jz	short loc_5588CD
		mov	ecx, dword_6C26D4
		cmp	ecx, 2
		jz	short loc_5588FA
		cmp	ecx, 1
		jz	short loc_5588FA

loc_5588CD:				; CODE XREF: PopActionRetrieveInitialState+67j
					; PopActionRetrieveInitialState+A9j
		call	PopFastS4Check
		test	al, al
		jnz	loc_5E0D10

loc_5588DA:				; CODE XREF: PopActionRetrieveInitialState+884CAj
		test	dword_6C26CC, 10000000h
		jnz	short loc_5588E8
		mov	esi, edi

loc_5588E8:				; CODE XREF: PopActionRetrieveInitialState+90j
		mov	eax, [ebp+arg_0]
		mov	ecx, [esi]
		pop	edi
		pop	esi
		mov	[eax], ecx
		pop	ebx
		pop	ebp
		retn	8
; 

loc_5588F6:				; CODE XREF: PopActionRetrieveInitialState+49j
		mov	[esi], eax
		jmp	short loc_55889F
; 

loc_5588FA:				; CODE XREF: PopActionRetrieveInitialState+5Bj
					; PopActionRetrieveInitialState+72j ...
		mov	byte ptr [eax],	0
		jmp	short loc_5588CD
PopActionRetrieveInitialState endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmTryAcquireLock(x)
_PpmTryAcquireLock@4 proc near		; CODE XREF: PoLatencySensitivityHint+F5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		dec	word ptr [eax+13Eh]
		nop
		xor	ebx, ebx
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	offset unk_6C2B24
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	KeWaitForSingleObject
		mov	ecx, large fs:124h
		test	eax, eax
		jnz	short loc_558947
		mov	bl, 1
		mov	_PpmPerfPolicyLock, ecx

loc_558942:				; CODE XREF: PpmTryAcquireLock(x)+4Cj
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_558947:				; CODE XREF: PpmTryAcquireLock(x)+38j
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_558942
_PpmTryAcquireLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSetTimer	proc near		; DATA XREF: .text:00580C60o

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005E0D23 SIZE 00000034 BYTES
; FUNCTION CHUNK AT 005E0D77 SIZE 00000038 BYTES

		push	20h
		push	offset dword_6A4AE0
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		mov	byte ptr [ebp+var_20], cl
		mov	[ebp+var_1C], ecx
		mov	bl, cl
		mov	eax, large fs:124h
		mov	bh, [eax+15Ah]
		test	bh, bh
		jnz	loc_5E0D23
		mov	esi, [ebp+arg_4]
		mov	al, [ebp+arg_10]
		test	al, al
		jz	short loc_558992
		cmp	_PoPowerDownActionInProgress, cl
		jz	short loc_558992
		mov	bl, 1

loc_558992:				; CODE XREF: NtSetTimer+38j
					; NtSetTimer+40j ...
		cmp	[ebp+arg_14], 0
		jl	short loc_5589FA
		test	al, al
		jz	short loc_5589A4
		test	bl, bl
		jz	loc_5E0D77

loc_5589A4:				; CODE XREF: NtSetTimer+4Cj
					; NtSetTimer+88445j
		push	[ebp+arg_18]
		push	0
		push	[ebp+arg_14]
		push	[ebp+var_20]
		push	[ebp+var_1C]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	esi
		mov	dl, bh
		mov	ecx, [ebp+arg_0]
		call	ExpSetTimer
		mov	esi, eax
		test	esi, esi
		js	loc_5E0D98
		cmp	esi, 40000025h
		jz	loc_5E0D98

loc_5589D9:				; CODE XREF: NtSetTimer+8844Ej
					; NtSetTimer+8845Cj
		test	esi, esi
		js	short loc_5589E6
		test	bl, bl
		jz	short loc_5589E6
		mov	esi, 40000025h

loc_5589E6:				; CODE XREF: NtSetTimer+8Dj
					; NtSetTimer+91j
		mov	eax, esi

loc_5589E8:				; CODE XREF: NtSetTimer+B1j
					; sub_5E0D65+Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_5589FA:				; CODE XREF: NtSetTimer+48j
		mov	eax, 0C00000F4h
		jmp	short loc_5589E8
NtSetTimer	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPulseLowAvailableEvent proc near	; CODE XREF: MiComputeSystemTrimCriteria+323p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005E0DAF SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		stosd
		stosd
		mov	eax, [esi+0A0h]
		mov	eax, [eax+4]
		test	eax, eax
		jnz	short loc_558A7E
		lea	ecx, [esi+0A80h]
		lea	edx, [ebp+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [esi+0A0h]
		xor	esi, esi
		cmp	[ecx+4], esi
		jnz	short loc_558A46
		push	esi
		push	esi
		push	ecx
		call	KePulseEvent

loc_558A46:				; CODE XREF: MiPulseLowAvailableEvent+3Aj
		test	ds:byte_70EFC6,	1
		jnz	loc_5E0DAF
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5E0DC7
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5E0DBF

loc_558A75:				; CODE XREF: MiPulseLowAvailableEvent+883B8j
					; MiPulseLowAvailableEvent+883D1j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_558A7E:				; CODE XREF: MiPulseLowAvailableEvent+1Fj
		pop	edi
		pop	esi
		leave
		retn
MiPulseLowAvailableEvent endp


;  S U B	R O U T	I N E 


; __stdcall PopFxDeliverDevicePowerRequired(x, x)
_PopFxDeliverDevicePowerRequired@8 proc	near ; CODE XREF: PopFxProcessWork+390p
					; PopFxIdleTimeoutDpcRoutine+8190Cp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		lea	edi, [esi+14h]
		mov	eax, [edi]
		cmp	eax, 2
		jnz	short loc_558AB6
		mov	ecx, [esi+1Ch]
		xor	dl, dl
		push	1
		call	PopDiagTraceFxDevicePowerRequirement
		mov	eax, [esi+48h]
		test	eax, eax
		jz	short loc_558AC2
		push	dword ptr [esi+64h]
		call	eax

loc_558AAD:				; CODE XREF: PopFxDeliverDevicePowerRequired(x,x)+43j
		push	0FFFFFFBFh
		pop	ecx
		lea	eax, [esi+10h]
		lock and [eax],	ecx

loc_558AB6:				; CODE XREF: PopFxDeliverDevicePowerRequired(x,x)+11j
		mov	edx, ebx
		mov	ecx, esi
		pop	edi
		pop	esi
		pop	ebx
		jmp	PopFxCompleteDevicePowerRequired
; 

loc_558AC2:				; CODE XREF: PopFxDeliverDevicePowerRequired(x,x)+24j
		lock dec dword ptr [edi]
		jmp	short loc_558AAD
_PopFxDeliverDevicePowerRequired@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopReplaceCompletionPort(x,	x, x)
_IopReplaceCompletionPort@12 proc near	; CODE XREF: .text:00522562p

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	edi, 0C0000001h
		lea	eax, [esi+70h]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	ecx, [esi+6Ch]
		mov	[ebp+var_1], al
		test	ecx, ecx
		jz	short loc_558B3F
		lea	eax, [esi+74h]
		cmp	[eax], eax
		jnz	short loc_558B3F
		cmp	dword ptr [ecx+8], 0
		jnz	short loc_558B3F
		mov	ecx, [ecx]
		call	ObfDereferenceObject
		and	dword ptr [esi+2Ch], 0F1FFFFFFh
		test	ebx, ebx
		jz	short loc_558B28
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [esi+6Ch]
		mov	[eax], ebx
		mov	ecx, [esi+6Ch]
		mov	eax, [ebp+arg_0]
		mov	[ecx+4], eax
		jmp	short loc_558B3D
; 

loc_558B28:				; CODE XREF: IopReplaceCompletionPort(x,x,x)+47j
		push	0
		push	dword ptr [esi+6Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+6Ch], 0
		or	dword ptr [esi+2Ch], 400h

loc_558B3D:				; CODE XREF: IopReplaceCompletionPort(x,x,x)+5Ej
		xor	edi, edi

loc_558B3F:				; CODE XREF: IopReplaceCompletionPort(x,x,x)+28j
					; IopReplaceCompletionPort(x,x,x)+2Fj ...
		mov	dl, [ebp+var_1]
		mov	ecx, [ebp+var_8]
		call	KfReleaseSpinLock
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_IopReplaceCompletionPort@12 endp

; 
		align 8
; Exported entry 2054. RtlEnumerateGenericTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlEnumerateGenericTable
RtlEnumerateGenericTable proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005E0DD8 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, [edi]
		test	esi, esi
		jnz	loc_5E0DD8
		xor	eax, eax

loc_558B6E:				; CODE XREF: RtlEnumerateGenericTable+882AEj
		pop	edi
		pop	esi
		pop	ebp
		retn	8
RtlEnumerateGenericTable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAdjustInterruptTime(x, x,	x)
_KeAdjustInterruptTime@12 proc near	; CODE XREF: KiSetSystemTimeDpc+19Bp
					; xHalTscSynchronization(x,x)+6p ...

var_28		= byte ptr -28h
var_27		= word ptr -27h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	bl, cl
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_27], ax
		mov	[ebp+var_25], al
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		cmp	edi, eax
		jg	short loc_558BAA
		jl	short loc_558BF7
		cmp	esi, eax
		jb	short loc_558BF7

loc_558BAA:				; CODE XREF: KeAdjustInterruptTime(x,x,x)+2Ej
		mov	eax, large fs:20h
		push	0FFFFh
		mov	eax, [eax+3CCh]
		mov	[ebp+var_24], eax
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		lea	ecx, [ebp-28h]
		mov	[ebp+var_10], eax
		push	ecx
		push	offset KiCalibrateTimeAdjustment
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_28], bl
		mov	[ebp+var_C], 1
		call	KeIpiGenericCall
		mov	al, 1

loc_558BE6:				; CODE XREF: KeAdjustInterruptTime(x,x,x)+85j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_558BF7:				; CODE XREF: KeAdjustInterruptTime(x,x,x)+30j
					; KeAdjustInterruptTime(x,x,x)+34j
		xor	al, al
		jmp	short loc_558BE6
_KeAdjustInterruptTime@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsNotifyWaitWakeIrpCompletion(x)
_PopDirectedDripsNotifyWaitWakeIrpCompletion@4 proc near
					; CODE XREF: PopRequestCompletion+123p
		test	ecx, ecx
		jz	short loc_558C1B
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]

loc_558C09:				; CODE XREF: PopDirectedDripsNotifyWaitWakeIrpCompletion(x)+21j
		test	eax, eax
		jz	short locret_558C1A
		mov	eax, [eax+1E4h]
		test	eax, 30000h
		jnz	short loc_558C1F

locret_558C1A:				; CODE XREF: PopDirectedDripsNotifyWaitWakeIrpCompletion(x)+Fj
		retn
; 

loc_558C1B:				; CODE XREF: PopDirectedDripsNotifyWaitWakeIrpCompletion(x)+2j
		xor	eax, eax
		jmp	short loc_558C09
; 

loc_558C1F:				; CODE XREF: PopDirectedDripsNotifyWaitWakeIrpCompletion(x)+1Cj
		xor	ecx, ecx
		jmp	_PopDirectedDripsStartDisengageTimer@4 ; PopDirectedDripsStartDisengageTimer(x)
_PopDirectedDripsNotifyWaitWakeIrpCompletion@4 endp


;  S U B	R O U T	I N E 


; __stdcall CcCancelMmWaitForUninitializeCacheMap(x)
_CcCancelMmWaitForUninitializeCacheMap@4 proc near ; CODE XREF:	CcWriteBehindInternal+752p
					; CcWriteBehindInternal+127CADp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+0B0h]

loc_558C32:				; CODE XREF: CcCancelMmWaitForUninitializeCacheMap(x)+38j
					; CcCancelMmWaitForUninitializeCacheMap(x)+46j
		mov	edx, [edi]
		test	edx, edx
		jz	short loc_558C60
		test	dl, 1
		jz	short loc_558C6A
		and	edx, 0FFFFFFFEh
		push	0
		push	0
		mov	eax, [edx]
		mov	[edi], eax
		lea	eax, [edx+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		inc	_CcDbgNumberOfAbortedTeardowns
		or	dword ptr [esi+60h], 8000h
		jmp	short loc_558C32
; 

loc_558C60:				; CODE XREF: CcCancelMmWaitForUninitializeCacheMap(x)+10j
		and	dword ptr [esi+60h], 0FFFEFFFFh
		pop	edi
		pop	esi
		retn
; 

loc_558C6A:				; CODE XREF: CcCancelMmWaitForUninitializeCacheMap(x)+15j
		mov	edi, edx
		jmp	short loc_558C32
_CcCancelMmWaitForUninitializeCacheMap@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTimestampTargetProcessor(x, x, x, x)
_PopTimestampTargetProcessor@16	proc near ; DATA XREF: PopCaptureTimeOnProcZero()+32o

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		push	0
		push	0
		push	[ebp+arg_C]
		rdtsc
		mov	[ecx], eax
		mov	[ecx+4], edx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	ebp
		retn	10h
_PopTimestampTargetProcessor@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFlushCacheMdl(x, x, x)
_MiFlushCacheMdl@12 proc near		; CODE XREF: MiReferenceIoPages+376p
					; MiReferenceIoPages+DCC8Cp

var_A4		= dword	ptr -0A4h
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	98h		; size_t
		lea	eax, [ebp+var_A4]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		inc	dword_6D06DC
		call	KeInvalidateAllCaches
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		xor	ecx, ebp
		inc	eax
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiFlushCacheMdl@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


BgLibraryEnable	proc near		; CODE XREF: BgkNotifyDisplayOwnershipChange+130p
					; BgkAcquireDisplayOwnership()+32p ...

; FUNCTION CHUNK AT 005E0E0B SIZE 00000029 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	dl, dl
		jnz	loc_5E0E0B

loc_558CE3:				; CODE XREF: BgLibraryEnable+8813Fj
		test	esi, esi
		jz	loc_5E0E1A
		test	dl, dl
		jnz	short loc_558CF9
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jnz	short loc_558D19

loc_558CF9:				; CODE XREF: BgLibraryEnable+17j
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	byte ptr dword_6B6BB8, 1
		jz	short loc_558D20
		mov	ecx, esi
		call	BgpFwLibraryEnable
		mov	esi, eax

loc_558D10:				; CODE XREF: BgLibraryEnable+4Fj
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		retn
; 

loc_558D19:				; CODE XREF: BgLibraryEnable+21j
		mov	eax, 0C0000001h
		pop	esi
		retn
; 

loc_558D20:				; CODE XREF: BgLibraryEnable+2Fj
		mov	esi, 0C00000BBh
		jmp	short loc_558D10
BgLibraryEnable	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnmapLargePages proc near		; CODE XREF: MmUnmapIoSpace+87p
					; MiRemoveFromSystemSpace+11EB8Ep ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E0E34 SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		cmp	edi, 9
		jnz	short loc_558D40
		push	0Dh
		pop	edi
		mov	[ebp+arg_0], edi

loc_558D40:				; CODE XREF: MiUnmapLargePages+10j
		test	edx, 1FFFFFh
		jnz	loc_5E0E34

loc_558D4C:				; CODE XREF: MiUnmapLargePages+88174j
		push	0
		push	edi
		add	edx, ebx
		mov	ecx, ebx
		call	_MiReturnSystemVa@16 ; MiReturnSystemVa(x,x,x,x)
		pop	edi
		pop	ebx
		leave
		retn	4
MiUnmapLargePages endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1706. PoGetSystemWake

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoGetSystemWake(x)
		public _PoGetSystemWake@4
_PoGetSystemWake@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movsx	eax, byte ptr [ecx+22h]
		add	eax, 3
		imul	eax, 24h
		mov	eax, [eax+ecx]
		cmp	byte ptr [eax+68h], 0
		jnz	short loc_558D89
		mov	al, [eax+90h]

loc_558D85:				; CODE XREF: PoGetSystemWake(x)+27j
		pop	ebp
		retn	4
; 

loc_558D89:				; CODE XREF: PoGetSystemWake(x)+19j
		xor	al, al
		jmp	short loc_558D85
_PoGetSystemWake@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PsTransferProcessQuotaToSharedQuota(x, x, x)
_PsTransferProcessQuotaToSharedQuota@12	proc near
					; CODE XREF: AlpcpTransferQuotaMessage(x)+32p
		cmp	ecx, ds:_PsInitialSystemProcess
		jz	short loc_558DB6
		mov	eax, [ecx+188h]
		test	edx, edx
		jz	short loc_558DAC
		neg	edx
		add	ecx, 10Ch
		lock xadd [ecx], edx

loc_558DAC:				; CODE XREF: PsTransferProcessQuotaToSharedQuota(x,x,x)+10j
		lock inc dword ptr [eax+200h]

locret_558DB3:				; CODE XREF: PsTransferProcessQuotaToSharedQuota(x,x,x)+2Bj
		retn	4
; 

loc_558DB6:				; CODE XREF: PsTransferProcessQuotaToSharedQuota(x,x,x)+6j
		xor	eax, eax
		inc	eax
		jmp	short locret_558DB3
_PsTransferProcessQuotaToSharedQuota@12	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopCheckPowerSourceAfterRtcWakeCancel proc near	; CODE XREF: PAGELK:loc_71EC31p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E0EA1 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		push	esi
		push	esi
		mov	edi, offset _PopCheckPowerSourceAfterRtcWakeCompleted
		mov	[ebp+var_8], esi
		push	edi
		mov	[ebp+var_4], esi
		call	KeWaitForSingleObject
		test	eax, eax
		jnz	loc_5E0EA1

loc_558DE7:				; CODE XREF: PopCheckPowerSourceAfterRtcWakeCancel+880FEj
					; PopCheckPowerSourceAfterRtcWakeCancel+88109j
		pop	edi
		pop	esi
		leave
		retn
PopCheckPowerSourceAfterRtcWakeCancel endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckSystemTrimEndCriteria proc near	; CODE XREF: .text:00516C82p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E0ECA SIZE 00000188 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], ecx
		push	edi
		mov	edi, [ecx+0F00h]
		mov	al, [esi+2]
		cmp	al, 3
		jnz	loc_5E0ECA

loc_558E0D:				; CODE XREF: MiCheckSystemTrimEndCriteria+880E0j
		mov	eax, [edi+4C8h]
		cmp	[esi+34h], eax
		jb	short loc_558E2A
		xor	eax, eax

loc_558E1A:				; CODE XREF: MiCheckSystemTrimEndCriteria+41j
		mov	[edi+4C8h], eax

loc_558E20:				; CODE XREF: MiCheckSystemTrimEndCriteria+880ECj
					; MiCheckSystemTrimEndCriteria+880FBj ...
		xor	eax, eax
		inc	eax

loc_558E23:				; CODE XREF: MiCheckSystemTrimEndCriteria+88261j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_558E2A:				; CODE XREF: MiCheckSystemTrimEndCriteria+2Aj
		sub	eax, [esi+2Ch]
		jmp	short loc_558E1A
MiCheckSystemTrimEndCriteria endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWakeSourceTimeoutDpc(x, x, x, x)
_PopWakeSourceTimeoutDpc@16 proc near	; DATA XREF: PopHandleWakeSources+9Do

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	1
		push	ecx
		and	dword ptr [ecx], 0
		lea	eax, [ecx-18h]
		mov	dword ptr [ecx+8], offset _PopWakeSourceTimeoutWorker@4	; PopWakeSourceTimeoutWorker(x)
		mov	[ecx+0Ch], eax
		call	ExQueueWorkItem
		pop	ebp
		retn	10h
_PopWakeSourceTimeoutDpc@16 endp


;  S U B	R O U T	I N E 


MiDelayFaultingThread proc near		; CODE XREF: .text:loc_467CBBp

; FUNCTION CHUNK AT 005E1052 SIZE 00000018 BYTES

		mov	edi, edi
		push	ecx
		cmp	ecx, 1
		jz	loc_5E1052
		cmp	ecx, 2
		jz	loc_5E1059
		push	offset _Mi10Milliseconds
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		pop	ecx
		retn
MiDelayFaultingThread endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1316. KeSynchronizeTimeToQpc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSynchronizeTimeToQpc(x, x)
		public _KeSynchronizeTimeToQpc@8
_KeSynchronizeTimeToQpc@8 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		lea	ecx, [ebp+arg_0]
		push	eax
		mov	edx, eax
		call	KiUpdateTimeAssist
		leave
		retn	8
_KeSynchronizeTimeToQpc@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


PfpScenCtxWaiterTimedOut proc near	; CODE XREF: PfpScenCtxScenarioSet+A8p
					; PfpScenCtxPrefetchWait+BBp

; FUNCTION CHUNK AT 005E106A SIZE 0000000B BYTES

		mov	eax, [ecx+4]
		and	eax, 0FFFFFFFBh
		or	eax, 8
		mov	[ecx+4], eax
		mov	eax, [ecx+18h]
		test	eax, eax
		jnz	loc_5E106A
		retn
PfpScenCtxWaiterTimedOut endp


;  S U B	R O U T	I N E 


PopIgnoreBatteryStatusChange proc near	; CODE XREF: PAGELK:0071ECA4p

; FUNCTION CHUNK AT 005E1075 SIZE 00000027 BYTES

		xor	eax, eax
		mov	ecx, offset unk_6C2588
		xchg	eax, [ecx]
		test	eax, eax
		jnz	loc_5E1075

loc_558EC9:				; CODE XREF: PopIgnoreBatteryStatusChange+881C9j
					; PopIgnoreBatteryStatusChange+881DFj
		mov	byte_6C25E8, 1
		retn
PopIgnoreBatteryStatusChange endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmCheckResumePpmEngineFromSx()
_PpmCheckResumePpmEngineFromSx@0 proc near ; CODE XREF:	PAGELK:loc_71F203p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, offset _PpmPerfPolicyLock
		mov	ecx, esi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		cmp	ds:_PpmHeteroHgsEnabled, 0
		jz	short loc_558F12
		mov	eax, ds:_PpmHeteroHgsTableMdl
		xor	edx, edx
		mov	ecx, 17D0h
		mov	eax, [eax+1Ch]
		shld	edx, eax, 0Ch
		shl	eax, 0Ch
		or	eax, 1
		wrmsr
		xor	eax, eax
		inc	ecx
		inc	eax
		xor	edx, edx
		wrmsr

loc_558F12:				; CODE XREF: PpmCheckResumePpmEngineFromSx()+1Bj
		mov	_PpmCheckForceDisarm, 0
		call	_PpmCheckReInit@0 ; PpmCheckReInit()
		xor	ecx, ecx
		call	PpmPerfUpdateQosDisableReasons
		mov	ecx, esi
		mov	ds:byte_70EDF0,	0
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		pop	esi
		leave
		retn
_PpmCheckResumePpmEngineFromSx@0 endp


;  S U B	R O U T	I N E 


; __stdcall PpmCheckPausePpmEngineForSx()
_PpmCheckPausePpmEngineForSx@0 proc near ; CODE	XREF: PAGELK:0071F865p
		mov	edi, edi
		push	esi
		mov	esi, offset _PpmPerfPolicyLock
		mov	ecx, esi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		xor	ecx, ecx
		call	PpmPerfUpdateQosDisableReasons
		mov	ds:byte_70EDF0,	1
		mov	_PpmCheckForceDisarm, 1
		call	_PpmCheckReInit@0 ; PpmCheckReInit()
		mov	ecx, esi
		pop	esi
		jmp	_PpmReleaseLock@4 ; PpmReleaseLock(x)
_PpmCheckPausePpmEngineForSx@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcNotifyWriteBehindHelper(x, x)
_CcNotifyWriteBehindHelper@8 proc near	; DATA XREF: CcNotifyWriteBehind(x)+8o
					; MiFlushAllFilesystemPages(x)+B4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	CcNotifyWriteBehindInternal
		mov	al, 1
		pop	ebp
		retn	8
_CcNotifyWriteBehindHelper@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiSetFirmwareModified proc near		; CODE XREF: BiSetFirmwareModifiedFromObject(x,x)+1Ep
					; BiOpenSystemStore+14Bp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DF3D7 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		test	dl, dl
		mov	[ebp+var_4], 1
		mov	edx, (offset off_5A7432+2)
		jnz	loc_5DF3D7
		push	(offset	off_5A7454+2)
		call	_BiDeleteRegistryValue@12 ; BiDeleteRegistryValue(x,x,x)
		leave
		retn
BiSetFirmwareModified endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiWasFirmwareModified proc near		; CODE XREF: BiCloseStore+17p
					; BiOpenSystemStore+11Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DF3EB SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ebx
		push	eax
		push	4
		push	(offset	off_5A7454+2)
		mov	edx, (offset off_5A7432+2)
		mov	[ebp+var_8], ebx
		call	BiGetRegistryValue
		test	eax, eax
		jns	loc_5DF3EB

loc_558FDA:				; CODE XREF: BiWasFirmwareModified+86458j
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
BiWasFirmwareModified endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiZwEnumerateKey(x,	x, x, x, x, x)
_BiZwEnumerateKey@24 proc near		; CODE XREF: BiEnumerateSubKeys+17Ap

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	0
		push	edx
		push	ecx
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		pop	ebp
		retn	10h
_BiZwEnumerateKey@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiZwQueryValueKey(x, x, x, x, x, x)
_BiZwQueryValueKey@24 proc near		; CODE XREF: BiGetRegistryValue+7Fp
					; BiGetRegistryValue+BDp

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	2
		push	edx
		push	ecx
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		pop	ebp
		retn	10h
_BiZwQueryValueKey@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiZwOpenKey(x, x, x)
_BiZwOpenKey@12	proc near		; CODE XREF: BiCreateKey+104p
					; BiOpenKey+8Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		pop	ebp
		retn	4
_BiZwOpenKey@12	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiZwSetSecurityObject(x, x,	x)
_BiZwSetSecurityObject@12 proc near	; CODE XREF: BiCreateKey+E8p
					; BiOpenKey+F0p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		push	4
		push	ecx
		call	_ZwSetSecurityObject@12	; ZwSetSecurityObject(x,x,x)
		pop	ebp
		retn	4
_BiZwSetSecurityObject@12 endp


;  S U B	R O U T	I N E 


; __stdcall BiIsOfflineHandle(x)
_BiIsOfflineHandle@4 proc near		; CODE XREF: BcdForciblyUnloadStore+7p
					; BcdFlushStore+6p ...
		and	cl, 1
		mov	al, cl
		retn
_BiIsOfflineHandle@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiZwCreateKey(x, x,	x, x, x, x, x)
_BiZwCreateKey@28 proc near		; CODE XREF: BiCreateKey+CCp

arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	0
		push	0
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		pop	ebp
		retn	14h
_BiZwCreateKey@28 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiZwSetValueKey(x, x, x, x,	x, x)
_BiZwSetValueKey@24 proc near		; CODE XREF: BiSetRegistryValue+51p

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	0
		push	edx
		push	ecx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		pop	ebp
		retn	10h
_BiZwSetValueKey@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiZwQueryKey(x, x, x, x, x)
_BiZwQueryKey@20 proc near		; CODE XREF: BiEnumerateSubKeys+64p
					; BiGetKeyName+2Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		pop	ebp
		retn	0Ch
_BiZwQueryKey@20 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall BiZwDeleteValueKey(x, x)
_BiZwDeleteValueKey@8 proc near		; CODE XREF: BiDeleteRegistryValue(x,x,x)+50p
		mov	edi, edi
		push	edx
		push	ecx
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		retn
_BiZwDeleteValueKey@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 393. ExIsProcessorFeaturePresent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExIsProcessorFeaturePresent(x)
		public _ExIsProcessorFeaturePresent@4
_ExIsProcessorFeaturePresent@4 proc near ; CODE	XREF: PopBcdSetupResumeObject+A9p
					; PiIsDriverBlocked+AFEA5p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	eax, 40h
		jnb	short loc_5590C1
		mov	al, [eax-20FD8Ch]

loc_5590BD:				; CODE XREF: ExIsProcessorFeaturePresent(x)+19j
		pop	ebp
		retn	4
; 

loc_5590C1:				; CODE XREF: ExIsProcessorFeaturePresent(x)+Bj
		xor	al, al
		jmp	short loc_5590BD
_ExIsProcessorFeaturePresent@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall BiIsSynchFirmwareEntries(x)
_BiIsSynchFirmwareEntries@4 proc near	; CODE XREF: BcdForciblyUnloadStore+2Ep
					; BcdCloseStore+2Cp
		shr	cl, 1
		not	cl
		and	cl, 1
		mov	al, cl
		retn
_BiIsSynchFirmwareEntries@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 724. InbvNotifyDisplayOwnershipChange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InbvNotifyDisplayOwnershipChange(x,	x)
		public _InbvNotifyDisplayOwnershipChange@8
_InbvNotifyDisplayOwnershipChange@8 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6D4D4C
		test	eax, eax
		jz	short loc_5590EE
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_5590EE
		pop	ebp
		jmp	eax
; 

loc_5590EE:				; CODE XREF: InbvNotifyDisplayOwnershipChange(x,x)+Cj
					; InbvNotifyDisplayOwnershipChange(x,x)+13j
		mov	eax, 0C0000002h
		pop	ebp
		retn	8
_InbvNotifyDisplayOwnershipChange@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgkNotifyDisplayOwnershipChange	proc near ; CODE XREF: BgkSetDisplayOwnership(x)+Ap
					; BgkNotifyDisplayOwnershipLost(x)+18p	...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E109C SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		cmp	byte_6D4AB8, al
		push	ebx
		push	edi
		push	7
		pop	ecx
		lea	edi, [ebp+var_20]
		rep stosd
		mov	al, [ebp+arg_0]
		jnz	loc_5591D6

loc_559128:				; CODE XREF: BgkNotifyDisplayOwnershipChange+E0j
		cmp	al, byte_6D4C7B
		jz	loc_5591F1
		push	esi
		test	al, al
		jnz	loc_5591F5
		test	edx, edx
		jnz	loc_5E10CD
		cmp	dword_6D4D54, edx
		jz	loc_559265

loc_559151:				; CODE XREF: BgkNotifyDisplayOwnershipChange+87FDBj
		call	_BgDisplayFade@0 ; BgDisplayFade()
		xor	ebx, ebx
		mov	esi, offset unk_6B5B9C
		mov	ecx, esi
		mov	byte_6D4C7A, bl
		mov	byte_6D4C79, bl
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, esi
		call	@ExRundownCompleted@4 ;	ExRundownCompleted(x)
		call	_BgLibraryDisable@0 ; BgLibraryDisable()
		mov	esi, eax
		test	esi, esi
		js	loc_5E10D8
		mov	ecx, dword_6D4C74
		mov	byte_6D4C7B, bl
		mov	byte_6D4C78, bl
		test	ecx, ecx
		jz	short loc_5591A7
		call	_BgConsoleDestroyInterface@4 ; BgConsoleDestroyInterface(x)
		mov	dword_6D4C74, ebx

loc_5591A7:				; CODE XREF: BgkNotifyDisplayOwnershipChange+A2j
					; BgkNotifyDisplayOwnershipChange+87FEFj
		push	ebx
		xor	edx, edx
		xor	ecx, ecx
		call	_BgSetFrameBufferAccess@12 ; BgSetFrameBufferAccess(x,x,x)
		call	BgkpUnlockBgfxCodeSection
		mov	eax, dword_6D4AAC
		test	eax, eax
		jnz	loc_5E10EC

loc_5591C3:				; CODE XREF: BgkNotifyDisplayOwnershipChange+15Aj
					; BgkNotifyDisplayOwnershipChange+162j	...
		mov	eax, esi

loc_5591C5:				; CODE XREF: BgkNotifyDisplayOwnershipChange+11Cj
					; BgkNotifyDisplayOwnershipChange+172j	...
		pop	esi

loc_5591C6:				; CODE XREF: BgkNotifyDisplayOwnershipChange+FBj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_5591D6:				; CODE XREF: BgkNotifyDisplayOwnershipChange+2Aj
		test	al, al
		jnz	loc_559128
		call	_BgkResumeFinished@0 ; BgkResumeFinished()
		xor	ebx, ebx
		mov	byte_6D4C7B, bl
		mov	dword_6D4AAC, ebx

loc_5591F1:				; CODE XREF: BgkNotifyDisplayOwnershipChange+36j
		xor	eax, eax
		jmp	short loc_5591C6
; 

loc_5591F5:				; CODE XREF: BgkNotifyDisplayOwnershipChange+3Fj
		mov	eax, dword_6D4D54
		test	eax, eax
		jz	loc_5E109C
		lea	ecx, [ebp+var_24]
		xor	ebx, ebx
		push	ecx
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_24], ebx
		push	ecx
		push	ebx
		call	eax
		test	eax, eax
		js	short loc_5591C5
		mov	eax, [ebp+var_24]
		mov	dword_6D4AAC, eax
		call	BgkpLockBgfxCodeSection
		xor	dl, dl
		lea	ecx, [ebp+var_20]
		call	BgLibraryEnable
		mov	esi, eax
		test	esi, esi
		js	short loc_55923A
		mov	byte_6D4C7B, 1

loc_55923A:				; CODE XREF: BgkNotifyDisplayOwnershipChange+139j
		call	_BgConsoleGetInterface@4 ; BgConsoleGetInterface(x)
		mov	dword_6D4C74, eax
		test	eax, eax
		jnz	loc_5E10A6

loc_55924C:				; CODE XREF: BgkNotifyDisplayOwnershipChange+87FC2j
		cmp	byte_6D4C7B, bl
		jz	loc_5591C3
		test	eax, eax
		jz	loc_5591C3
		jmp	loc_5E10BF
; 

loc_559265:				; CODE XREF: BgkNotifyDisplayOwnershipChange+53j
		mov	eax, 0C00000F0h
		jmp	loc_5591C5
BgkNotifyDisplayOwnershipChange	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall BgpFwGetCurrentIrql()
_BgpFwGetCurrentIrql@0 proc near	; CODE XREF: BgFreeContext(x)+Dp
					; BgGetContext()+6p ...
		jmp	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
_BgpFwGetCurrentIrql@0 endp


;  S U B	R O U T	I N E 


; __stdcall BgpTxtRegionSize(x)
_BgpTxtRegionSize@4 proc near		; CODE XREF: ResFwConfigureDisplayStringResources+64p
					; AnFwConfigureProgressResources(x)+9Cp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_5592BA
		test	byte ptr [esi+30h], 1
		jz	short loc_5592BA
		mov	ecx, [esi+14h]
		push	edi
		push	50h
		pop	edi
		test	ecx, ecx
		jz	short loc_55929F
		push	dword ptr [ecx+8]
		mov	edx, [ecx+4]
		mov	ecx, [ecx]
		call	_BgpGxReservePoolRectangleSize@12 ; BgpGxReservePoolRectangleSize(x,x,x)
		add	edi, eax

loc_55929F:				; CODE XREF: BgpTxtRegionSize(x)+18j
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_5592B5
		push	dword ptr [ecx+8]
		mov	edx, [ecx+4]
		mov	ecx, [ecx]
		call	_BgpGxReservePoolRectangleSize@12 ; BgpGxReservePoolRectangleSize(x,x,x)
		add	edi, eax

loc_5592B5:				; CODE XREF: BgpTxtRegionSize(x)+2Ej
		mov	eax, edi
		pop	edi
		pop	esi
		retn
; 

loc_5592BA:				; CODE XREF: BgpTxtRegionSize(x)+7j
					; BgpTxtRegionSize(x)+Dj
		xor	eax, eax
		pop	esi
		retn
_BgpTxtRegionSize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpGxRectangleSize(x, x, x)
_BgpGxRectangleSize@12 proc near	; CODE XREF: AnFwConfigureProgressResources(x)+7Dp
					; BgpGxReservePoolRectangleSize(x,x,x)+8p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		imul	ecx, edx
		imul	ecx, [ebp+arg_0]
		lea	eax, [ecx+7]
		shr	eax, 3
		add	eax, 40h
		pop	ebp
		retn	4
_BgpGxRectangleSize@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgpFwLibraryEnable proc	near		; CODE XREF: BgLibraryEnable+33p
					; BgpFwLibraryInitialize+89p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E10F9 SIZE 00000120 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, dword_6B6BB8
		push	ebx
		push	esi
		push	edi
		mov	esi, eax
		mov	edi, 0C00h
		and	esi, edi
		mov	ebx, ecx
		test	al, 2
		jnz	loc_5E10F9

loc_5592FC:				; CODE XREF: BgpFwLibraryEnable+87E29j
		cmp	byte ptr [ebx],	0
		jz	short loc_55931F
		cmp	byte ptr [ebx+1], 0
		jnz	short loc_55931F
		cmp	esi, edi
		jnz	short loc_559353
		mov	eax, dword_6B6B7C
		test	al, al
		jnz	loc_5E1188

loc_559318:				; CODE XREF: BgpFwLibraryEnable+87EB5j
					; BgpFwLibraryEnable+87EC4j ...
		mov	eax, 0C00000BBh
		jmp	short loc_55934C
; 

loc_55931F:				; CODE XREF: BgpFwLibraryEnable+27j
					; BgpFwLibraryEnable+2Dj ...
		cmp	esi, edi
		jz	short loc_55932A

loc_559323:				; CODE XREF: BgpFwLibraryEnable+D9j
		xor	ecx, ecx
		call	ResFwBackgroundTransition

loc_55932A:				; CODE XREF: BgpFwLibraryEnable+49j
		push	7
		pop	ecx
		mov	esi, ebx
		mov	edi, offset _BgInternal
		rep movsd
		cmp	dword_6B6B70, 1
		jz	loc_5E1203

loc_559343:				; CODE XREF: BgpFwLibraryEnable+87F3Cj
		or	dword_6B6BB8, 2

loc_55934A:				; CODE XREF: BgpFwLibraryEnable+87E23j
		xor	eax, eax

loc_55934C:				; CODE XREF: BgpFwLibraryEnable+45j
					; BgpFwLibraryEnable+87E4Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_559353:				; CODE XREF: BgpFwLibraryEnable+31j
		mov	al, [ebx+2]
		xor	ecx, ecx
		cmp	dword ptr [ebx+10h], 4
		setnz	cl
		add	ecx, 3
		cmp	al, 1
		jz	short loc_5593B6
		cmp	al, 3
		jz	short loc_5593B6
		mov	eax, [ebx+0Ch]
		imul	eax, [ebx+4]

loc_559371:				; CODE XREF: BgpFwLibraryEnable+E5j
		mov	esi, [ebx+18h]
		imul	ecx, eax
		push	404h
		push	ecx
		push	0
		push	esi
		mov	[esp+20h+var_4], ecx
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		mov	[ebx+18h], eax
		test	eax, eax
		jz	loc_5E1106

loc_559394:				; CODE XREF: BgpFwLibraryEnable+87E44j
		mov	byte ptr [ebx+1], 1
		cmp	byte ptr dword_6B6B7C, 0
		jnz	loc_5E112C

loc_5593A5:				; CODE XREF: BgpFwLibraryEnable+87E5Bj
					; BgpFwLibraryEnable+87EABj
		push	7
		pop	ecx
		mov	esi, ebx
		mov	edi, offset dword_6B6B7C
		rep movsd
		jmp	loc_559323
; 

loc_5593B6:				; CODE XREF: BgpFwLibraryEnable+8Cj
					; BgpFwLibraryEnable+90j
		mov	eax, [ebx+0Ch]
		imul	eax, [ebx+8]
		jmp	short loc_559371
BgpFwLibraryEnable endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall BgQueryBootGraphicsInformation(x, x)
_BgQueryBootGraphicsInformation@8 proc near
					; CODE XREF: BgkQueryBootGraphicsInformation(x,x)+7j
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jnz	short loc_5593FE
		test	esi, esi
		jz	short loc_55940C
		cmp	edi, 4
		jge	short loc_55940C
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	byte ptr dword_6B6BB8, 1
		jz	short loc_559405
		mov	edx, esi
		mov	ecx, edi
		call	BgpFwQueryBootGraphicsInformation
		mov	esi, eax

loc_5593F4:				; CODE XREF: BgQueryBootGraphicsInformation(x,x)+4Aj
		call	BgpFwReleaseLock
		mov	eax, esi

loc_5593FB:				; CODE XREF: BgQueryBootGraphicsInformation(x,x)+43j
					; BgQueryBootGraphicsInformation(x,x)+51j
		pop	edi
		pop	esi
		retn
; 

loc_5593FE:				; CODE XREF: BgQueryBootGraphicsInformation(x,x)+10j
		mov	eax, 0C0000001h
		jmp	short loc_5593FB
; 

loc_559405:				; CODE XREF: BgQueryBootGraphicsInformation(x,x)+27j
		mov	esi, 0C0000001h
		jmp	short loc_5593F4
; 

loc_55940C:				; CODE XREF: BgQueryBootGraphicsInformation(x,x)+14j
					; BgQueryBootGraphicsInformation(x,x)+19j
		mov	eax, 0C000000Dh
		jmp	short loc_5593FB
_BgQueryBootGraphicsInformation@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RaspLoadEmptyGlyph(x, x)
_RaspLoadEmptyGlyph@8 proc near		; CODE XREF: RaspLoadGlyphData+61p
		mov	edi, edi
		push	esi
		push	edi
		push	3Eh
		mov	edi, ecx
		pop	ecx
		call	RaspAllocateMemory
		mov	esi, eax
		test	esi, esi
		jz	short loc_559448
		push	3Eh		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		lea	eax, [esi+2Eh]
		mov	[edi], esi
		mov	[esi+26h], eax
		add	esp, 0Ch
		add	eax, 8
		mov	[esi+2Ah], eax
		xor	eax, eax

loc_559445:				; CODE XREF: RaspLoadEmptyGlyph(x,x)+39j
		pop	edi
		pop	esi
		retn
; 

loc_559448:				; CODE XREF: RaspLoadEmptyGlyph(x,x)+12j
		mov	eax, 0C000009Ah
		jmp	short loc_559445
_RaspLoadEmptyGlyph@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall BgpFwQueryPerformanceCounter(x)
_BgpFwQueryPerformanceCounter@4	proc near ; CODE XREF: AnFwpProgressAnimationManual+16p
					; AnFwpProgressAnimationManual+13Fp ...
		mov	edi, edi
		push	ecx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		retn
_BgpFwQueryPerformanceCounter@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgpFwReleaseLock proc near		; CODE XREF: BgLibraryEnable:loc_558D10p
					; BgQueryBootGraphicsInformation(x,x):loc_5593F4p ...

; FUNCTION CHUNK AT 005E1219 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6B6BB8
		mov	ecx, 0C00h
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_559493
		test	ds:byte_70EFC6,	1
		push	ebx
		mov	bl, byte_6D4C18
		jnz	loc_5E1219
		xor	ecx, ecx
		mov	eax, offset dword_6FB700
		lock and [eax],	ecx

loc_55948D:				; CODE XREF: BgpFwReleaseLock+87DCCj
		cmp	bl, 2
		jbe	short loc_559495
		pop	ebx

loc_559493:				; CODE XREF: BgpFwReleaseLock+13j
		pop	ebp
		retn
; 

loc_559495:				; CODE XREF: BgpFwReleaseLock+36j
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
BgpFwReleaseLock endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall BgpFwAcquireLock()
_BgpFwAcquireLock@0 proc near		; CODE XREF: BgLibraryEnable:loc_558CF9p
					; BgQueryBootGraphicsInformation(x,x)+1Bp ...
		mov	eax, dword_6B6BB8
		mov	ecx, 0C00h
		and	eax, ecx
		cmp	eax, ecx
		jz	short locret_5594D3
		push	ebx
		push	esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		mov	esi, offset dword_6FB700
		cmp	bl, 2
		jbe	short loc_5594D4

loc_5594C4:				; CODE XREF: BgpFwAcquireLock()+49j
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		pop	esi
		mov	byte_6D4C18, bl
		pop	ebx

locret_5594D3:				; CODE XREF: BgpFwAcquireLock()+Ej
		retn
; 

loc_5594D4:				; CODE XREF: BgpFwAcquireLock()+22j
					; BgpFwAcquireLock()+3Dj
		mov	ecx, esi
		call	@KeTestSpinLock@4 ; KeTestSpinLock(x)
		test	al, al
		jz	short loc_5594D4
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		jmp	short loc_5594C4
_BgpFwAcquireLock@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgpTxtDisplayCharacter proc near	; CODE XREF: BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)+69p
					; AnFwpProgressAnimationManual+F1p ...

var_44		= byte ptr -44h
var_43		= byte ptr -43h
var_42		= byte ptr -42h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005E122B SIZE 00000109 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ecx
		mov	[esp+44h+var_3C], edx
		mov	[esp+44h+var_28], eax
		push	ebx
		xor	ebx, ebx
		mov	ecx, [eax+14h]
		mov	[esp+48h+var_14], ecx
		mov	ecx, [eax+18h]
		add	eax, 1Ch
		mov	[esp+48h+var_38], eax
		push	esi
		mov	esi, ebx
		mov	[esp+4Ch+var_4], ebx
		mov	al, [eax+10h]
		and	al, 1
		mov	[esp+4Ch+var_20], ebx
		cmp	word ptr [esp+4Ch+var_3C], 20h
		mov	dl, al
		push	edi
		mov	[esp+50h+var_24], ebx
		mov	edi, ebx
		mov	[esp+50h+var_10], ebx
		mov	[esp+50h+var_C], ebx
		mov	[esp+50h+var_1C], ebx
		mov	[esp+50h+var_18], ebx
		mov	[esp+50h+var_34], esi
		mov	[esp+50h+var_2C], ebx
		mov	[esp+50h+var_40], ecx
		mov	[esp+50h+var_41], bl
		mov	[esp+50h+var_30], ebx
		mov	[esp+50h+var_43], al
		jb	short loc_5595D3
		test	al, al
		jz	loc_55960E
		push	[esp+50h+var_38]
		mov	edx, [esp+54h+var_3C]
		mov	ecx, offset _TxtpTextCache
		call	_TxtpGetCacheEntry@12 ;	TxtpGetCacheEntry(x,x,x)
		mov	[esp+50h+var_20], eax
		test	eax, eax
		jz	loc_55960A
		mov	esi, [eax+20h]
		mov	[esp+50h+var_42], bl

loc_55958B:				; CODE XREF: BgpTxtDisplayCharacter+186j
					; BgpTxtDisplayCharacter+1CCj ...
		mov	ecx, [esp+50h+var_28]
		mov	eax, [ecx+4]
		mov	[esp+50h+var_C], eax
		mov	eax, [ecx]
		add	[esp+50h+var_10], eax
		test	[ebp+arg_0], 1
		jnz	short loc_5595C3
		test	dword_6B6BB8, 1000000h
		jnz	short loc_5595C3
		lea	edx, [esp+50h+var_10]
		mov	ecx, esi
		call	BgpGxDrawRectangle
		mov	edi, eax
		test	edi, edi
		js	loc_5596D2

loc_5595C3:				; CODE XREF: BgpTxtDisplayCharacter+B4j
					; BgpTxtDisplayCharacter+C0j
		mov	dl, [esp+50h+var_42]
		test	dl, dl
		jnz	loc_5596BD

loc_5595CF:				; CODE XREF: BgpTxtDisplayCharacter+1B2j
					; BgpTxtDisplayCharacter+1EAj ...
		mov	ecx, [esp+50h+var_40]

loc_5595D3:				; CODE XREF: BgpTxtDisplayCharacter+70j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	loc_5E12F4

loc_5595DE:				; CODE XREF: BgpTxtDisplayCharacter+87E0Ej
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	loc_5E12FF

loc_5595E9:				; CODE XREF: BgpTxtDisplayCharacter+87E19j
		cmp	[esp+50h+var_20], 0
		jz	loc_5596DB

loc_5595F4:				; CODE XREF: BgpTxtDisplayCharacter+1F1j
					; BgpTxtDisplayCharacter+201j ...
		cmp	[esp+50h+var_41], 0
		jnz	loc_5E1322

loc_5595FF:				; CODE XREF: BgpTxtDisplayCharacter+87D72j
					; BgpTxtDisplayCharacter+87E43j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_55960A:				; CODE XREF: BgpTxtDisplayCharacter+92j
		mov	ecx, [esp+50h+var_40]

loc_55960E:				; CODE XREF: BgpTxtDisplayCharacter+74j
		mov	edi, [esp+50h+var_38]
		push	dword ptr [edi]
		call	_BgpGxFillRectangle@8 ;	BgpGxFillRectangle(x,x)
		push	[ebp+arg_10]
		mov	eax, [ecx+4]
		mov	edx, edi
		mov	[esp+54h+var_18], eax
		mov	eax, [ecx]
		push	ecx
		mov	[esp+58h+var_1C], eax
		lea	eax, [esp+58h+var_30]
		push	eax
		push	1
		push	[esp+60h+var_C]
		push	[esp+64h+var_10]
		push	[esp+68h+var_3C]
		call	BgpRasPrintGlyph
		mov	edi, eax
		test	edi, edi
		js	loc_5E122B
		mov	al, [esp+50h+var_43]
		test	al, al
		jz	loc_5E124D
		mov	edx, [esp+50h+var_40]

loc_55965E:				; CODE XREF: BgpTxtDisplayCharacter+87D96j
		mov	esi, [esp+50h+var_14]
		test	esi, esi
		jnz	loc_5E1287
		mov	esi, edx

loc_55966C:				; CODE XREF: BgpTxtDisplayCharacter+87DDBj
		mov	[esp+50h+var_42], al
		test	al, al
		jz	loc_55958B
		call	_BgpGetBitsPerPixel@0 ;	BgpGetBitsPerPixel()
		cmp	esi, edx
		jnz	loc_5E12CC

loc_559685:				; CODE XREF: BgpTxtDisplayCharacter+87DE3j
		push	ebx
		lea	ecx, [esp+54h+var_2C]
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	BgpGxConvertRectangleEx
		mov	edi, eax
		mov	al, [esp+50h+var_43]
		mov	dl, al
		test	edi, edi
		js	loc_5595CF
		cmp	esi, [esp+50h+var_40]
		jnz	loc_5E12E4

loc_5596AE:				; CODE XREF: BgpTxtDisplayCharacter+87E03j
		mov	ebx, [esp+50h+var_2C]
		mov	esi, ebx
		mov	[esp+50h+var_42], al
		jmp	loc_55958B
; 

loc_5596BD:				; CODE XREF: BgpTxtDisplayCharacter+DDj
		mov	edx, [esp+50h+var_3C]
		mov	ecx, offset _TxtpTextCache
		push	ebx
		push	[esp+54h+var_38]
		call	TxtpAddCacheEntry
		mov	edi, eax

loc_5596D2:				; CODE XREF: BgpTxtDisplayCharacter+D1j
		mov	dl, [esp+50h+var_42]
		jmp	loc_5595CF
; 

loc_5596DB:				; CODE XREF: BgpTxtDisplayCharacter+102j
		cmp	esi, ecx
		jz	loc_5595F4
		test	dl, dl
		jz	loc_5E130A
		test	edi, edi
		jns	loc_5595F4
		jmp	loc_5E130A
BgpTxtDisplayCharacter endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TxtpGetCacheEntry(x, x, x)
_TxtpGetCacheEntry@12 proc near		; CODE XREF: BgpTxtDisplayCharacter+87p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ecx]
		xor	ebx, ebx
		cmp	esi, ecx
		jz	short loc_55975F
		push	edi
		mov	edi, [ebp+arg_0]

loc_55970B:				; CODE XREF: TxtpGetCacheEntry(x,x,x)+1Dj
		cmp	[esi+8], dx
		jz	short loc_559719

loc_559711:				; CODE XREF: TxtpGetCacheEntry(x,x,x)+26j
					; TxtpGetCacheEntry(x,x,x)+2Ej	...
		mov	esi, [esi]
		cmp	esi, ecx
		jnz	short loc_55970B
		jmp	short loc_55975E
; 

loc_559719:				; CODE XREF: TxtpGetCacheEntry(x,x,x)+17j
		mov	eax, [esi+0Ch]
		cmp	eax, [edi]
		jnz	short loc_559711
		mov	eax, [esi+10h]
		cmp	eax, [edi+4]
		jnz	short loc_559711
		mov	eax, [esi+14h]
		cmp	eax, [edi+8]
		jnz	short loc_559711
		mov	eax, [esi+18h]
		cmp	eax, [edi+0Ch]
		jnz	short loc_559711
		mov	eax, [esi]
		mov	ebx, esi
		cmp	[eax+4], esi
		jnz	short loc_559767
		mov	edx, [esi+4]
		cmp	[edx], esi
		jnz	short loc_559767
		mov	[edx], eax
		mov	[eax+4], edx
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_559767
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		mov	[ecx], esi

loc_55975E:				; CODE XREF: TxtpGetCacheEntry(x,x,x)+1Fj
		pop	edi

loc_55975F:				; CODE XREF: TxtpGetCacheEntry(x,x,x)+Dj
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	4
; 

loc_559767:				; CODE XREF: TxtpGetCacheEntry(x,x,x)+47j
					; TxtpGetCacheEntry(x,x,x)+4Ej	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_TxtpGetCacheEntry@12 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgpGxDrawRectangle proc	near		; CODE XREF: BgpTxtDisplayCharacter+C8p
					; BgpClearScreen(x)+10Dp ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E1334 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		xor	esi, esi
		mov	[ebp+var_50], edx
		lea	eax, [ebp+var_48]
		mov	edi, ecx
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_4C], esi
		call	_BgpGetBitsPerPixel@0 ;	BgpGetBitsPerPixel()
		mov	ebx, esi
		cmp	[edi+8], eax
		jnz	loc_5E1334

loc_5597AA:				; CODE XREF: BgpGxDrawRectangle+87BFAj
		mov	edx, [ebp+var_50]
		mov	ecx, edi
		call	GxpWriteFrameBufferPixels
		mov	edi, eax
		test	ebx, ebx
		jnz	loc_5E136B

loc_5597BE:				; CODE XREF: BgpGxDrawRectangle+87C04j
					; BgpGxDrawRectangle+87C11j
		mov	eax, edi

loc_5597C0:				; CODE XREF: BgpGxDrawRectangle+87BEDj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
BgpGxDrawRectangle endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

GxpWriteFrameBufferPixels proc near	; CODE XREF: BgpGxDrawRectangle+43p

var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E1382 SIZE 000001B6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_54], edx
		lea	edi, [ebp+var_C8]
		xor	esi, esi
		stosd
		mov	ebx, ecx
		push	40h		; size_t
		push	esi		; int
		mov	[ebp+var_90], ebx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_84]
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_48]
		push	eax		; void *
		call	_memset
		xor	eax, eax
		mov	[ebp+var_78], esi
		lea	edi, [ebp+var_BC]
		mov	[ebp+var_74], esi
		stosd
		add	esp, 0Ch
		mov	[ebp+var_88], esi
		mov	[ebp+var_70], esi
		stosd
		stosd
		call	_BgpGetBitsPerPixel@0 ;	BgpGetBitsPerPixel()
		mov	esi, eax
		mov	eax, dword_6B6B68
		mov	[ebp+var_9C], eax
		mov	eax, dword_6B6B64
		mov	[ebp+var_98], eax
		mov	eax, dword_6B6B6C
		mov	[ebp+var_94], eax
		test	ebx, ebx
		jz	loc_5E152E
		cmp	dword ptr [ebx+4], 0
		jz	loc_5E152E
		cmp	dword ptr [ebx], 0
		jz	loc_5E152E
		cmp	[ebx+8], esi
		jnz	loc_5E152E
		mov	edi, [ebp+var_54]
		test	edi, edi
		jz	loc_5E152E
		test	byte ptr dword_6B6BB8, 2
		jz	loc_5E1382
		push	1
		lea	eax, [ebp+var_78]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_BC]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_9C]
		push	eax
		call	GxpAdjustRectangleToFrameBuffer
		test	eax, eax
		js	loc_5599A3
		cmp	byte ptr _BgInternal, 0
		jz	loc_5E138C
		mov	edi, [edi+4]
		mov	eax, [ebx+14h]
		mov	edx, [ebp+var_94]
		mov	ecx, [ebp+var_54]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+var_BC]
		imul	edi, edx
		shr	esi, 3
		imul	eax, esi
		mov	[ebp+var_6C], esi
		add	edi, [ecx]
		imul	edi, esi
		mov	[ebp+var_64], eax
		mov	al, byte_6B6B62
		mov	[ebp+var_49], al
		movzx	eax, al
		add	edi, dword_6B6B78
		sub	eax, 0
		jnz	loc_5E1446

loc_559910:				; CODE XREF: GxpWriteFrameBufferPixels+87C7Ej
		mov	eax, [ebx+4]
		mov	[ebp+var_5C], eax
		imul	eax, esi
		mov	[ebp+var_58], eax
		mov	[ebp+var_84], eax
		mov	eax, [ebx]
		mov	[ebp+var_60], eax

loc_559927:				; CODE XREF: GxpWriteFrameBufferPixels+87CAAj
		imul	edx, esi
		cmp	[ebp+var_49], 0
		mov	[ebp+var_80], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_88], edx
		mov	[ebp+var_7C], edx
		jnz	loc_5E147F
		test	eax, eax
		jz	short loc_559977
		mov	esi, [ebp+var_58]
		mov	ebx, eax
		mov	eax, [ebp+var_50]

loc_55994F:				; CODE XREF: GxpWriteFrameBufferPixels+19Cj
		push	esi		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+var_50]
		add	esp, 0Ch
		add	eax, [ebp+var_64]
		add	edi, [ebp+var_88]
		mov	[ebp+var_50], eax
		sub	ebx, 1
		jnz	short loc_55994F
		mov	ebx, [ebp+var_90]
		mov	esi, [ebp+var_6C]

loc_559977:				; CODE XREF: GxpWriteFrameBufferPixels+175j
					; GxpWriteFrameBufferPixels+87CC8j ...
		cmp	dword_6B6CE4, 0
		jnz	short loc_5599B2

loc_559980:				; CODE XREF: GxpWriteFrameBufferPixels+1F1j
					; GxpWriteFrameBufferPixels+87C71j
		xor	edi, edi

loc_559982:				; CODE XREF: GxpWriteFrameBufferPixels+87C6Bj
					; GxpWriteFrameBufferPixels+87C8Ej ...
		mov	eax, [ebp+var_B8]
		mov	[ebx], eax
		mov	eax, [ebp+var_BC]
		mov	[ebx+4], eax
		mov	ebx, [ebp+var_54]
		mov	eax, [ebp+var_78]
		mov	[ebx], eax
		mov	eax, [ebp+var_74]
		mov	[ebx+4], eax
		mov	eax, edi

loc_5599A3:				; CODE XREF: GxpWriteFrameBufferPixels+E7j
					; GxpWriteFrameBufferPixels+87BB7j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_5599B2:				; CODE XREF: GxpWriteFrameBufferPixels+1AEj
		mov	edx, [ebp+var_54]
		lea	ecx, [ebp+var_84]
		push	esi
		call	BgfxGrowDirtyRect
		jmp	short loc_559980
GxpWriteFrameBufferPixels endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

GxpAdjustRectangleToFrameBuffer	proc near ; CODE XREF: GxpWriteFrameBufferPixels+E0p
					; GxpReadFrameBufferPixels+D3p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005E1538 SIZE 000000BB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	al, byte_6B6B62
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		lea	edi, [ebp+var_34]
		mov	[ebp+var_C], edx
		mov	[ebp+var_28], ebx
		mov	ecx, [ebx]
		movsd
		mov	[ebp+var_14], ecx
		mov	[ebp+var_18], ecx
		mov	ecx, [ebx+4]
		movsd
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], ecx
		mov	ecx, [edx]
		mov	ebx, ecx
		mov	edx, [edx+4]
		movsd
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_20], ecx
		mov	ecx, edx
		mov	[ebp+var_24], edx
		xor	edx, edx
		mov	[ebp+var_1], al
		mov	esi, [edi]
		mov	[ebp+var_1C], esi
		cmp	esi, ebx
		jb	loc_559ABD
		mov	edi, [edi+4]
		cmp	edi, ecx
		jb	loc_559ABD
		mov	esi, [ebp+var_34]
		mov	ah, [ebp+arg_C]
		sub	esi, ebx
		cmp	[ebp+var_8], esi
		ja	loc_5E1538

loc_559A36:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+87B7Fj
		mov	esi, [ebp+var_30]
		sub	esi, ecx
		cmp	[ebp+var_14], esi
		ja	loc_5E1548
		mov	esi, [ebp+var_18]

loc_559A47:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+87B8Fj
		cmp	al, 2
		jz	loc_5E1558
		cmp	al, 3
		jz	loc_5E1558

loc_559A57:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+87B9Bj
					; GxpAdjustRectangleToFrameBuffer+87BDCj
		cmp	al, 1
		jz	loc_5E15A5
		cmp	al, 3
		jz	loc_5E15A5

loc_559A67:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+87BCCj
					; GxpAdjustRectangleToFrameBuffer+87BE8j ...
		mov	esi, [ebp+var_8]

loc_559A6A:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+87C13j
		cmp	[ebp+var_34], ebx
		jb	short loc_559ABD
		cmp	[ebp+var_30], ecx
		jb	short loc_559ABD
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_559A83
		mov	edi, [ebp+var_14]
		mov	[eax+4], edi
		mov	[eax], esi

loc_559A83:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+B5j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_559A95
		mov	esi, [ebp+var_20]
		mov	[eax], esi
		mov	esi, [ebp+var_24]
		mov	[eax+4], esi

loc_559A95:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+C4j
		mov	edi, [ebp+arg_0]
		lea	esi, [ebp+var_34]
		mov	eax, [ebp+var_C]
		movsd
		mov	[eax+4], ecx
		mov	ecx, [ebp+var_28]
		mov	[eax], ebx
		mov	eax, [ebp+var_10]
		movsd
		mov	[ecx+4], eax
		movsd
		mov	esi, [ebp+var_18]
		mov	[ecx], esi

loc_559AB4:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+FEj
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	10h
; 

loc_559ABD:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+50j
					; GxpAdjustRectangleToFrameBuffer+5Bj ...
		mov	edx, 0C000000Dh
		jmp	short loc_559AB4
GxpAdjustRectangleToFrameBuffer	endp


;  S U B	R O U T	I N E 


; __stdcall BgpGetBitsPerPixel()
_BgpGetBitsPerPixel@0 proc near		; CODE XREF: BgpTxtDisplayCharacter+18Cp
					; BgpGxDrawRectangle+2Ep ...
		mov	ecx, dword_6B6B70
		cmp	ecx, 4
		jz	short loc_559ADD
		xor	eax, eax
		cmp	ecx, 5
		setnz	al
		dec	eax
		and	eax, 1Fh
		inc	eax
		retn
; 

loc_559ADD:				; CODE XREF: BgpGetBitsPerPixel()+9j
		push	18h
		pop	eax
		retn
_BgpGetBitsPerPixel@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgpRasPrintGlyph proc near		; CODE XREF: BgpTxtDisplayCharacter+153p
					; BgpTxtDisplayString(x,x,x,x,x)+16Cp

var_D8		= dword	ptr -0D8h
var_A4		= dword	ptr -0A4h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005E15F3 SIZE 00000115 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8C], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_18]
		push	40h		; size_t
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_4C]
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_88], ecx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_D8]
		push	32h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		and	[ebp+var_6C], 0
		lea	edi, [ebp+var_A4]
		and	[ebp+var_98], 0
		xor	eax, eax
		and	[ebp+arg_C], 1
		xor	esi, esi
		and	[ebp+var_58], esi
		add	esp, 0Ch
		and	[ebp+var_68], esi
		and	[ebp+var_7C], esi
		stosd
		mov	[ebp+var_80], esi
		mov	[ebp+var_4D], 0
		stosd
		stosd
		mov	eax, [ebp+var_8C]
		mov	edi, [ebp+var_74]
		and	[eax], esi
		xor	eax, eax
		and	[ebp+var_64], eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_78], eax
		test	edi, edi
		jnz	short loc_559B86
		lea	edi, [ebp+var_A4]
		mov	[ebp+var_74], edi

loc_559B86:				; CODE XREF: BgpRasPrintGlyph+99j
		mov	ecx, [ebp+arg_0]
		push	20h
		pop	edx
		cmp	cx, dx
		jb	loc_559D6F
		mov	eax, [ebx+8]
		lea	edx, [ebp+var_58]
		push	edx
		push	eax
		mov	edx, ecx
		mov	[ebp+var_60], eax
		push	dword ptr [eax+14h]
		mov	ecx, offset _RaspBitmapCache
		push	dword ptr [ebx+0Ch]
		call	_RaspGetCacheEntry@24 ;	RaspGetCacheEntry(x,x,x,x,x,x)
		mov	ebx, [ebp+var_58]
		test	ebx, ebx
		jnz	loc_559C5F
		mov	eax, dword_6B6BB8
		and	eax, 4
		push	ebx
		pop	ecx
		setnz	cl
		test	eax, eax
		mov	eax, [ebp+var_5C]
		mov	[ebp+var_64], ecx
		jnz	short loc_559BE2
		cmp	[edi], esi
		jnz	short loc_559BE2
		test	byte ptr [eax+10h], 1
		jz	loc_5E15F3

loc_559BE2:				; CODE XREF: BgpRasPrintGlyph+F0j
					; BgpRasPrintGlyph+F4j	...
		push	edi
		lea	edx, [ebp+var_6C]
		push	edx
		lea	edx, [ebp+var_68]
		push	edx
		lea	edx, [ebp+var_7C]
		push	edx
		mov	edx, [ebp+arg_0]
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, eax
		call	RaspRasterize
		mov	esi, eax
		mov	[ebp+var_80], esi
		test	esi, esi
		js	loc_5E1619
		cmp	[ebp+var_4D], 0
		jnz	loc_5E15FC
		lea	ebx, [ebp+var_D8]

loc_559C19:				; CODE XREF: BgpRasPrintGlyph+87B26j
		mov	edx, [edi+8]
		mov	ecx, [ebp+var_60]
		mov	eax, [ebp+var_5C]
		mov	esi, [ebp+arg_0]
		push	4
		mov	ecx, [ecx+14h]
		mov	eax, [eax+0Ch]
		mov	[ebx+18h], eax
		mov	eax, [ebp+var_60]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_68]
		mov	[ebx+1Ch], eax
		mov	eax, [ebp+var_6C]
		mov	[ebx+20h], eax
		pop	eax
		mov	[ebx+24h], eax
		mov	[ebx+28h], eax
		mov	eax, [ebp+var_7C]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_64]
		mov	[ebx+2Ch], si
		mov	[ebx+14h], ecx
		mov	[ebx+2Eh], edx
		mov	[ebp+var_64], eax

loc_559C5F:				; CODE XREF: BgpRasPrintGlyph+D5j
		mov	eax, [ebx+8]
		xor	edx, edx
		mov	[ebp+var_68], eax
		mov	ecx, [ebx+1Ch]
		mov	[ebp+var_58], ecx
		mov	eax, [eax]
		div	dword ptr [ebx+28h]
		mov	ecx, [ebp+var_5C]
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+var_60]
		movsx	edx, word ptr [eax+42h]
		call	_RaspScale@8	; RaspScale(x,x)
		mov	ecx, eax
		call	_BgpFmRoundUp@4	; BgpFmRoundUp(x)
		mov	esi, eax
		mov	eax, [ebx+20h]
		add	esi, [ebp+arg_8]
		test	eax, eax
		js	short loc_559C9F
		cmp	eax, esi
		ja	loc_5E1638

loc_559C9F:				; CODE XREF: BgpRasPrintGlyph+1B3j
		sub	esi, eax
		mov	[ebp+var_60], esi

loc_559CA4:				; CODE XREF: BgpRasPrintGlyph+87B70j
		mov	ecx, [ebp+var_6C]
		lea	eax, [ecx+esi]
		mov	esi, [ebp+var_88]
		cmp	[esi], eax
		jb	loc_5E16E1
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_58]
		add	eax, edx
		cmp	[esi+4], eax
		jb	loc_5E16E1
		cmp	byte ptr [ebp+arg_C], 0
		jz	loc_5E165F
		lea	eax, [ebp+var_4C]
		mov	edi, eax
		mov	[ebp+var_54], eax
		mov	eax, [ebp+var_5C]
		push	10h
		pop	ecx
		rep movsd
		test	byte ptr [eax+10h], 1
		jz	loc_5E1657
		mov	edx, [ebp+var_48]
		mov	[ebp+var_58], edx

loc_559CF3:				; CODE XREF: BgpRasPrintGlyph+87B78j
		mov	eax, [ebp+var_6C]
		mov	esi, [ebp+var_80]
		mov	edi, [ebp+var_74]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_44]
		shr	eax, 3
		imul	eax, edx
		imul	eax, [ebp+var_60]
		add	[ebp+var_38], eax
		mov	eax, [ebp+var_54]

loc_559D12:				; CODE XREF: BgpRasPrintGlyph+87BB4j
		push	[ebp+var_5C]
		mov	ecx, [ebp+var_68]
		mov	edx, eax
		push	dword ptr [ebx+28h]
		push	dword ptr [ebx+24h]
		call	_RaspAntiAlias@20 ; RaspAntiAlias(x,x,x,x,x)
		cmp	byte ptr [ebp+arg_C], 0
		jz	loc_5E169B

loc_559D2F:				; CODE XREF: BgpRasPrintGlyph+87BE9j
		cmp	[ebp+var_4D], 0
		mov	eax, [ebp+var_8C]
		mov	ecx, [ebp+var_58]
		mov	[eax], ecx
		jnz	loc_5E16D0

loc_559D44:				; CODE XREF: BgpRasPrintGlyph+87BFAj
					; BgpRasPrintGlyph+87C04j
		test	esi, esi
		js	loc_5E1619

loc_559D4C:				; CODE XREF: BgpRasPrintGlyph+87B51j
		mov	al, [ebp+var_4D]

loc_559D4F:				; CODE XREF: BgpRasPrintGlyph+87B44j
		test	al, al
		jnz	short loc_559D90

loc_559D53:				; CODE XREF: BgpRasPrintGlyph+87B3Cj
		cmp	[ebp+var_64], 0
		jnz	short loc_559D90

loc_559D59:				; CODE XREF: BgpRasPrintGlyph+2B6j
		mov	eax, [ebp+var_7C]
		test	eax, eax
		jz	short loc_559D6C
		cmp	dword ptr [edi], 0
		jnz	short loc_559D6C
		mov	ecx, eax
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_559D6C:				; CODE XREF: BgpRasPrintGlyph+27Cj
					; BgpRasPrintGlyph+281j ...
		mov	eax, [ebp+var_54]

loc_559D6F:				; CODE XREF: BgpRasPrintGlyph+ADj
		cmp	byte ptr [ebp+arg_C], 0
		jz	loc_5E16EB

loc_559D79:				; CODE XREF: BgpRasPrintGlyph+87C0Bj
					; BgpRasPrintGlyph+87C14j ...
		and	dword ptr [edi+8], 0
		mov	eax, esi
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
; 

loc_559D90:				; CODE XREF: BgpRasPrintGlyph+26Fj
					; BgpRasPrintGlyph+275j
		test	esi, esi
		jns	short loc_559D6C
		test	ebx, ebx
		jnz	short loc_559D6C
		jmp	short loc_559D59
BgpRasPrintGlyph endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgpGxConvertRectangleEx	proc near	; CODE XREF: BgpTxtDisplayCharacter+1A3p
					; BgpGxConvertRectangle(x,x)+1Bp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_7		= byte ptr  0Fh

; FUNCTION CHUNK AT 005E1708 SIZE 00000093 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		xor	ecx, ecx
		mov	[ebp+var_14], edi
		test	[ebp+arg_4], 1
		mov	byte ptr [ebp+var_1], cl
		mov	[ebp+var_1C], ecx
		jnz	loc_5E1708
		mov	eax, [edi]
		mov	[ebp+var_20], eax
		mov	eax, [edi+4]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_C]
		mov	[ebp+arg_7], cl
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_24]
		push	eax
		call	_BgpGxRectangleCreate@12 ; BgpGxRectangleCreate(x,x,x)
		test	eax, eax
		js	short loc_559E18
		mov	esi, [ebp+var_C]
		mov	edx, [ebp+var_8]

loc_559DE5:				; CODE XREF: BgpGxConvertRectangleEx+879A2j
		mov	eax, [edi+8]
		mov	ecx, [edi+14h]
		mov	[ebp+var_8], eax
		shr	[ebp+var_8], 3
		mov	[ebp+var_10], esi
		push	ebx
		mov	ebx, [esi+14h]
		cmp	eax, edx
		jnz	short loc_559E1E
		cmp	[ebp+arg_7], 0
		jnz	short loc_559E15
		push	dword ptr [edi+0Ch] ; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_559E10:				; CODE XREF: BgpGxConvertRectangleEx+D3j
					; BgpGxConvertRectangleEx+D9j
		mov	eax, [ebp+arg_0]
		mov	[eax], esi

loc_559E15:				; CODE XREF: BgpGxConvertRectangleEx+67j
		xor	eax, eax
		pop	ebx

loc_559E18:				; CODE XREF: BgpGxConvertRectangleEx+43j
					; BgpGxConvertRectangleEx+8797Cj
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_559E1E:				; CODE XREF: BgpGxConvertRectangleEx+61j
		cmp	edx, 4
		jz	loc_5E1741
		mov	eax, [esi+4]
		imul	eax, [esi]
		mov	[ebp+var_C], edx
		shr	[ebp+var_C], 3
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	short loc_559E69
		mov	esi, [ebp+var_C]
		mov	edi, eax

loc_559E40:				; CODE XREF: BgpGxConvertRectangleEx+C7j
		mov	al, [ecx+2]
		mov	[ebx+2], al
		mov	al, [ecx+1]
		mov	[ebx+1], al
		mov	al, [ecx]
		mov	[ebx], al
		cmp	edx, 20h
		jnz	short loc_559E59
		mov	byte ptr [ebx+3], 0

loc_559E59:				; CODE XREF: BgpGxConvertRectangleEx+B9j
		add	ecx, [ebp+var_8]
		add	ebx, esi
		sub	edi, 1
		jnz	short loc_559E40
		mov	esi, [ebp+var_10]

loc_559E66:				; CODE XREF: BgpGxConvertRectangleEx+879FCj
		mov	edi, [ebp+var_14]

loc_559E69:				; CODE XREF: BgpGxConvertRectangleEx+9Fj
					; BgpGxConvertRectangleEx+879AEj
		cmp	[ebp+arg_7], 0
		jz	short loc_559E10
		or	dword ptr [edi+10h], 10h
		jmp	short loc_559E10
BgpGxConvertRectangleEx	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall BgpFoGetTextMetrics(x, x)
_BgpFoGetTextMetrics@8 proc near	; CODE XREF: BgpConsoleSetPointSize(x,x,x,x,x,x)+35p
					; BgpConsoleSetPointSize(x,x,x,x,x,x)+7Cp ...
		test	ecx, ecx
		jz	short loc_559E8A
		test	edx, edx
		jz	short loc_559E8A
		push	edx
		add	edx, 4
		call	_BgpRasGetGlyphTextCellDimensions@12 ; BgpRasGetGlyphTextCellDimensions(x,x,x)
		xor	eax, eax
		retn
; 

loc_559E8A:				; CODE XREF: BgpFoGetTextMetrics(x,x)+2j
					; BgpFoGetTextMetrics(x,x)+6j
		mov	eax, 0C000000Dh
		retn
_BgpFoGetTextMetrics@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpRasGetGlyphTextCellDimensions(x,	x, x)
_BgpRasGetGlyphTextCellDimensions@12 proc near ; CODE XREF: BgpFoGetTextMetrics(x,x)+Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	edi, [ebx+8]
		movsx	edx, word ptr [edi+3Ch]
		call	_RaspScale@8	; RaspScale(x,x)
		movsx	esi, word ptr [edi+40h]
		mov	ecx, ebx
		movsx	edx, word ptr [edi+3Eh]
		sub	edx, esi
		mov	[ebp+var_8], eax
		call	_RaspScale@8	; RaspScale(x,x)
		mov	ecx, eax
		call	_BgpFmRoundUp@4	; BgpFmRoundUp(x)
		mov	ecx, [ebp+var_4]
		add	eax, 2
		mov	[ecx], eax
		mov	ecx, [ebp+var_8]
		call	_BgpFmRoundDefault@4 ; BgpFmRoundDefault(x)
		mov	ecx, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx], eax
		leave
		retn	4
_BgpRasGetGlyphTextCellDimensions@12 endp


;  S U B	R O U T	I N E 


; __stdcall RaspScale(x, x)
_RaspScale@8	proc near		; CODE XREF: BgpRasPrintGlyph+19Dp
					; BgpRasGetGlyphTextCellDimensions(x,x,x)+16p ...
		mov	edi, edi
		push	ebx
		mov	ebx, [ecx+8]
		push	esi
		push	edi
		mov	edi, edx
		mov	eax, [ebx+4Ch]
		mul	dword ptr [ecx+0Ch]
		mov	esi, eax
		mov	ecx, edx
		mov	eax, edi
		cdq
		push	edx
		push	eax
		push	ecx
		push	esi
		call	__allmul
		mov	edi, eax
		mov	esi, edx
		movzx	eax, word ptr [ebx+58h]
		push	0
		cdq
		push	48h
		push	edx
		shld	esi, edi, 6
		push	eax
		shl	edi, 6
		call	__allmul
		push	edx
		push	eax
		push	esi
		push	edi
		call	__alldiv
		pop	edi
		pop	esi
		pop	ebx
		retn
_RaspScale@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RaspRasterize	proc near		; CODE XREF: BgpRasPrintGlyph+115p
					; RaspGetXExtent+BAp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 005E179B SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	eax, ecx
		xor	ecx, ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_18]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_10]
		push	edi
		push	ecx
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_14], eax
		push	ecx
		mov	ecx, [eax+8]
		call	RaspGetUnscaledGlyphData
		mov	ebx, [ebp+var_C]
		mov	esi, eax
		test	esi, esi
		js	short loc_559FCD
		mov	ecx, [ebp+var_14]
		mov	edx, ebx
		call	RaspScaleCoordinates
		mov	esi, eax
		test	esi, esi
		js	short loc_559FCD
		push	edi
		lea	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_RaspCreatePointList@12	; RaspCreatePointList(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_559FBA
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	edi
		push	[ebp+arg_14]
		push	eax
		push	[ebp+arg_8]
		push	ecx
		push	ecx
		mov	ecx, ebx
		call	RaspScanConvert
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		test	esi, esi
		js	loc_5E179B
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	eax, [ebp+arg_10]
		mov	ecx, [ecx+4]
		shr	ecx, 2
		mov	[eax], ecx

loc_559FBA:				; CODE XREF: RaspRasterize+5Aj
					; RaspRasterize+87873j	...
		cmp	[ebp+var_4], 0
		jz	short loc_559FCD
		cmp	dword ptr [edi], 0
		jnz	short loc_559FCD
		mov	ecx, [ebp+var_4]
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_559FCD:				; CODE XREF: RaspRasterize+39j
					; RaspRasterize+49j ...
		test	ebx, ebx
		jz	short loc_559FDD
		cmp	dword ptr [edi], 0
		jnz	short loc_559FDD
		mov	ecx, ebx
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_559FDD:				; CODE XREF: RaspRasterize+A5j
					; RaspRasterize+AAj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
RaspRasterize	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RaspDestroySegmentList(x, x, x)
_RaspDestroySegmentList@12 proc	near	; CODE XREF: RaspScanConvert+242p
					; RaspCreateSegmentList+8673Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_4], edx
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		push	edi
		mov	edi, [ebp+arg_0]
		test	edx, edx
		jz	short loc_55A028
		push	esi
		lea	esi, [eax+0Ch]

loc_55A004:				; CODE XREF: RaspDestroySegmentList(x,x,x)+3Cj
		lea	eax, [esi-0Ch]
		test	eax, eax
		jz	short loc_55A024
		mov	al, [esi]
		cmp	al, 3
		jz	short loc_55A05E

loc_55A011:				; CODE XREF: RaspDestroySegmentList(x,x,x)+7Fj
					; RaspDestroySegmentList(x,x,x)+84j ...
		cmp	al, 4
		jz	short loc_55A078

loc_55A015:				; CODE XREF: RaspDestroySegmentList(x,x,x)+A5j
		cmp	al, 5
		jz	short loc_55A03A

loc_55A019:				; CODE XREF: RaspDestroySegmentList(x,x,x)+6Aj
					; RaspDestroySegmentList(x,x,x)+6Fj ...
		mov	edx, [ebp+var_4]

loc_55A01C:				; CODE XREF: RaspDestroySegmentList(x,x,x)+97j
					; RaspDestroySegmentList(x,x,x)+9Cj
		add	esi, 0Dh
		inc	ebx
		cmp	ebx, edx
		jb	short loc_55A004

loc_55A024:				; CODE XREF: RaspDestroySegmentList(x,x,x)+23j
		mov	eax, [ebp+var_8]
		pop	esi

loc_55A028:				; CODE XREF: RaspDestroySegmentList(x,x,x)+18j
		cmp	dword ptr [edi], 0
		pop	edi
		pop	ebx
		jnz	short locret_55A036
		mov	ecx, eax
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

locret_55A036:				; CODE XREF: RaspDestroySegmentList(x,x,x)+47j
		leave
		retn	4
; 

loc_55A03A:				; CODE XREF: RaspDestroySegmentList(x,x,x)+31j
		mov	ecx, [esi-0Ch]
		test	ecx, ecx
		jz	short loc_55A04B
		cmp	dword ptr [edi], 0
		jnz	short loc_55A04B
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_55A04B:				; CODE XREF: RaspDestroySegmentList(x,x,x)+59j
					; RaspDestroySegmentList(x,x,x)+5Ej
		mov	ecx, [esi-4]
		test	ecx, ecx
		jz	short loc_55A019
		cmp	dword ptr [edi], 0
		jnz	short loc_55A019
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	short loc_55A019
; 

loc_55A05E:				; CODE XREF: RaspDestroySegmentList(x,x,x)+29j
		mov	ecx, [esi-0Ch]
		mov	al, 3
		test	ecx, ecx
		jz	short loc_55A011
		cmp	dword ptr [edi], 0
		jnz	short loc_55A011
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	al, [esi]
		mov	edx, [ebp+var_4]
		jmp	short loc_55A011
; 

loc_55A078:				; CODE XREF: RaspDestroySegmentList(x,x,x)+2Dj
		mov	ecx, [esi-4]
		test	ecx, ecx
		jz	short loc_55A01C
		cmp	dword ptr [edi], 0
		jnz	short loc_55A01C
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	al, [esi]
		jmp	short loc_55A015
_RaspDestroySegmentList@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall BgpFwFreeMemory(x)
_BgpFwFreeMemory@4 proc	near		; CODE XREF: BgpRasPrintGlyph+285p
					; RaspRasterize+9Ep ...
		mov	edi, edi
		push	esi
		lea	esi, [ecx-0Ch]
		mov	eax, [esi]
		cmp	eax, 4B434742h
		jz	short loc_55A0DA
		cmp	eax, 4B424742h
		jnz	short loc_55A0D5
		lea	edx, [esi-8]
		push	ebx
		mov	ebx, [edx]
		push	edi
		cmp	[ebx+4], edx
		jnz	short loc_55A0FA
		mov	edi, [edx+4]
		cmp	[edi], edx
		jnz	short loc_55A0FA
		push	20h
		mov	[edi], ebx
		pop	edx
		mov	[ebx+4], edi
		pop	edi
		pop	ebx

loc_55A0C1:				; CODE XREF: BgpFwFreeMemory(x)+4Aj
		sub	ecx, edx
		cmp	dword ptr [esi+4], 1000h
		jnb	short loc_55A0E2
		push	eax
		push	ecx

loc_55A0CE:				; CODE XREF: BgpFwFreeMemory(x)+6Aj
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
; 

loc_55A0D5:				; CODE XREF: BgpFwFreeMemory(x)+14j
		push	10h
		pop	edx
		jmp	short loc_55A0C1
; 

loc_55A0DA:				; CODE XREF: BgpFwFreeMemory(x)+Dj
		mov	ecx, esi
		pop	esi
		jmp	_BgpFwReserveFree@4 ; BgpFwReserveFree(x)
; 

loc_55A0E2:				; CODE XREF: BgpFwFreeMemory(x)+3Cj
		mov	esi, [esi+8]
		push	esi
		push	ecx
		call	MmUnmapLockedPages
		xor	edx, edx
		mov	ecx, esi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		push	0
		push	esi
		jmp	short loc_55A0CE
; 

loc_55A0FA:				; CODE XREF: BgpFwFreeMemory(x)+20j
					; BgpFwFreeMemory(x)+27j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall BgpFwReserveFree(x)
_BgpFwReserveFree@4:			; CODE XREF: BgpFwFreeMemory(x)+4Fj
		mov	edi, edi
		push	esi
		push	dword ptr [ecx+4]
		mov	esi, ecx
		sub	esi, dword_6D4BF8
		sub	esi, 4
		push	esi
		push	offset dword_6D4C0C
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		cmp	esi, dword_6D4C04
		jb	short loc_55A126
		pop	esi
		retn
; 

loc_55A126:				; CODE XREF: BgpFwFreeMemory(x)+94j
		mov	dword_6D4C04, esi
		pop	esi
		retn
_BgpFwFreeMemory@4 endp	; sp = -0Ch


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RaspGetUnscaledGlyphData proc near	; CODE XREF: RaspRasterize+2Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E17B6 SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		push	eax
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], esi
		mov	ecx, [edi+0Ch]
		call	RaspMapCharacterCodeToGlyphIndex
		test	eax, eax
		js	loc_5E17B6
		mov	ebx, [ebp+var_C]

loc_55A162:				; CODE XREF: RaspGetUnscaledGlyphData+8768Aj
		lea	eax, [ebp+var_4]
		movzx	edx, bx
		push	eax
		mov	ecx, edi
		call	RaspMapGlyphIndexToLocation
		test	eax, eax
		js	loc_5E17BD

loc_55A178:				; CODE XREF: RaspGetUnscaledGlyphData+876A7j
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		movzx	eax, bx
		mov	ebx, [ebp+arg_8]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	RaspLoadGlyphData
		mov	esi, [ebp+var_8]
		mov	edi, eax
		test	edi, edi
		js	short loc_55A1BC
		mov	ecx, esi
		call	_RaspConvertDeltas@4 ; RaspConvertDeltas(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_55A1BC
		push	[ebp+arg_4]
		movzx	edx, word ptr [ebp+var_C]
		mov	ecx, [ebp+var_10]
		push	esi
		call	RaspLoadBearings
		mov	edi, eax

loc_55A1BC:				; CODE XREF: RaspGetUnscaledGlyphData+6Dj
					; RaspGetUnscaledGlyphData+7Aj	...
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_55A1C7
		mov	[eax], esi
		xor	esi, esi

loc_55A1C7:				; CODE XREF: RaspGetUnscaledGlyphData+93j
		test	esi, esi
		jnz	loc_5E17E2

loc_55A1CF:				; CODE XREF: RaspGetUnscaledGlyphData+876B7j
					; RaspGetUnscaledGlyphData+876C4j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
RaspGetUnscaledGlyphData endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RaspScanConvert	proc near		; CODE XREF: RaspRasterize+6Ep

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005E17F7 SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		test	byte ptr [ebp+arg_8], 1
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_14], edx
		mov	edi, ecx
		mov	[ebp+var_18], 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 0
		jnz	loc_5E17F7
		mov	byte ptr [ebp+arg_8+3],	0

loc_55A221:				; CODE XREF: RaspScanConvert+8761Bj
		push	[ebp+arg_14]
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		movzx	eax, word ptr [edi+18h]
		push	eax
		call	RaspCreateSegmentList
		mov	esi, eax
		test	esi, esi
		js	loc_55A412
		movzx	edx, word ptr [edi+18h]
		mov	ecx, [edi+0Eh]
		sub	edx, 2
		mov	[ebp+var_2C], edx
		call	_BgpFmRoundUp@4	; BgpFmRoundUp(x)
		mov	ecx, [edi+6]
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		call	_BgpFmRoundUp@4	; BgpFmRoundUp(x)
		mov	esi, [ebp+var_14]
		sub	ebx, eax
		inc	ebx
		cmp	ebx, 1
		jz	loc_55A49B

loc_55A26E:				; CODE XREF: RaspScanConvert+2D0j
		mov	edi, [ebp+var_2C]
		mov	ecx, edx
		shl	ecx, 4
		add	ecx, esi
		mov	eax, [edi+ecx+19h]
		add	eax, [edi+ecx+11h]
		mov	esi, [edx+ecx+8]
		mov	edx, [edx+ecx]
		sub	eax, edx
		sub	eax, esi
		mov	ecx, eax
		call	_BgpFmRoundDefault@4 ; BgpFmRoundDefault(x)
		lea	ecx, ds:0[ebx*4]
		mov	edi, eax
		mov	bl, byte ptr [ebp+arg_8+3]
		lea	eax, [edx+esi]
		shl	edi, 2
		mov	edx, 1
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_3C], ecx
		lea	ecx, [ebp+var_40]
		mov	[ebp+var_30], eax
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], edi
		test	bl, bl
		jnz	loc_5E1800
		push	[ebp+arg_14]
		lea	eax, [ebp+var_10]
		push	eax
		call	_RaspRectangleCreate@16	; RaspRectangleCreate(x,x,x,x)
		mov	ecx, [ebp+var_10]
		mov	esi, eax

loc_55A2D4:				; CODE XREF: RaspScanConvert+8763Ej
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	loc_5E183D
		mov	eax, [ecx+0Ch]
		push	eax		; size_t
		mov	eax, [ecx+14h]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+var_C], 0
		jz	loc_55A4B5
		test	bl, bl
		jnz	loc_5E1823
		mov	edx, [ebp+arg_14]
		lea	ecx, ds:0[edi*4]
		call	RaspAllocateMemory
		mov	ebx, eax
		mov	[ebp+arg_8], ebx
		test	ebx, ebx
		jz	loc_5E1835

loc_55A31F:				; CODE XREF: RaspScanConvert+87650j
		xor	esi, esi
		mov	[ebp+var_14], 0
		lea	eax, ds:0[edi*4]
		mov	[ebp+var_28], esi
		cmp	[ebp+var_2C], esi
		jle	loc_55A3EA
		jmp	short loc_55A340
; 
		align 10h

loc_55A340:				; CODE XREF: RaspScanConvert+15Bj
					; RaspScanConvert+204j
		push	eax		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		shr	eax, 2
		add	esp, 0Ch
		sub	ecx, eax
		mov	eax, esi
		shl	ecx, 2
		and	eax, 3
		sub	ecx, eax
		mov	eax, [ebp+var_18]
		shl	ecx, 4
		mov	[ebp+var_34], ecx
		test	eax, eax
		jz	short loc_55A3A2
		mov	esi, [ebp+var_C]
		mov	[ebp+var_24], eax

loc_55A373:				; CODE XREF: RaspScanConvert+1BDj
		lea	eax, [ebp+var_20]
		mov	edx, ecx
		push	eax
		lea	eax, [ebp+var_1C]
		mov	ecx, esi
		push	eax
		call	_RaspTestIntersection@16 ; RaspTestIntersection(x,x,x,x)
		mov	ebx, [ebp+var_1C]
		cmp	ebx, 7FFFFFFFh
		jnz	loc_55A43B

loc_55A393:				; CODE XREF: RaspScanConvert+269j
					; RaspScanConvert+2A6j
		mov	ecx, [ebp+var_34]
		add	esi, 0Dh
		sub	[ebp+var_24], 1
		jnz	short loc_55A373
		mov	ebx, [ebp+arg_8]

loc_55A3A2:				; CODE XREF: RaspScanConvert+18Bj
		mov	ecx, [ebp+var_4]
		mov	edx, 80h
		mov	esi, [ebp+var_14]
		xor	eax, eax
		shr	esi, 3
		add	esi, [ecx+14h]
		mov	ecx, [ebp+var_14]
		and	ecx, 7
		sar	edx, cl
		test	edi, edi
		jle	short loc_55A3D0

loc_55A3C1:				; CODE XREF: RaspScanConvert+1EEj
		cmp	dword ptr [ebx+eax*4], 0
		jnz	short loc_55A432

loc_55A3C7:				; CODE XREF: RaspScanConvert+254j
		shr	dl, 1
		jz	short loc_55A436

loc_55A3CB:				; CODE XREF: RaspScanConvert+259j
		inc	eax
		cmp	eax, edi
		jl	short loc_55A3C1

loc_55A3D0:				; CODE XREF: RaspScanConvert+1DFj
		mov	esi, [ebp+var_28]
		lea	eax, ds:0[edi*4]
		add	[ebp+var_14], edi
		inc	esi
		mov	[ebp+var_28], esi
		cmp	esi, [ebp+var_2C]
		jl	loc_55A340

loc_55A3EA:				; CODE XREF: RaspScanConvert+155j
		mov	eax, [ebp+arg_C]
		xor	esi, esi
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+var_8]
		mov	[eax], ecx
		mov	eax, [ebp+arg_14]
		cmp	ebx, offset unk_B16388
		jz	short loc_55A415
		cmp	[eax], esi
		jnz	short loc_55A415
		mov	ecx, ebx

loc_55A40D:				; CODE XREF: RaspScanConvert+87671j
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_55A412:				; CODE XREF: RaspScanConvert+5Aj
					; RaspScanConvert+87633j ...
		mov	eax, [ebp+arg_14]

loc_55A415:				; CODE XREF: RaspScanConvert+225j
					; RaspScanConvert+229j	...
		mov	edi, [ebp+var_C]
		test	edi, edi
		jz	short loc_55A427
		mov	edx, [ebp+var_18]
		mov	ecx, edi
		push	eax
		call	_RaspDestroySegmentList@12 ; RaspDestroySegmentList(x,x,x)

loc_55A427:				; CODE XREF: RaspScanConvert+23Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_55A432:				; CODE XREF: RaspScanConvert+1E5j
		or	[esi], dl
		jmp	short loc_55A3C7
; 

loc_55A436:				; CODE XREF: RaspScanConvert+1E9j
		mov	dl, 80h
		inc	esi
		jmp	short loc_55A3CB
; 

loc_55A43B:				; CODE XREF: RaspScanConvert+1ADj
		mov	ecx, esi
		call	RaspGetSegmentDirection
		xor	ecx, ecx
		mov	[ebp+var_10], eax
		test	edi, edi
		jle	loc_55A393
		nop

loc_55A450:				; CODE XREF: RaspScanConvert+2A4j
		mov	edx, ecx
		mov	eax, ecx
		and	eax, 3
		shr	edx, 2
		lea	eax, [eax+edx*4]
		shl	eax, 4
		add	eax, [ebp+var_30]
		cmp	byte ptr [esi+0Ch], 1
		jz	short loc_55A48B
		mov	edx, [ebp+var_20]
		cmp	edx, 7FFFFFFFh
		jnz	short loc_55A491
		cmp	eax, ebx
		jg	short loc_55A481

loc_55A478:				; CODE XREF: RaspScanConvert+2AFj
					; RaspScanConvert+2B9j
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+var_10]
		add	[eax+ecx*4], edx

loc_55A481:				; CODE XREF: RaspScanConvert+296j
					; RaspScanConvert+2ADj	...
		inc	ecx
		cmp	ecx, edi
		jl	short loc_55A450
		jmp	loc_55A393
; 

loc_55A48B:				; CODE XREF: RaspScanConvert+287j
		cmp	eax, ebx
		jg	short loc_55A481
		jmp	short loc_55A478
; 

loc_55A491:				; CODE XREF: RaspScanConvert+292j
		cmp	eax, ebx
		jl	short loc_55A481
		cmp	eax, edx
		jg	short loc_55A481
		jmp	short loc_55A478
; 

loc_55A49B:				; CODE XREF: RaspScanConvert+88j
		mov	ecx, edx
		shl	ecx, 4
		add	ecx, esi
		mov	ecx, [edx+ecx+15h]
		call	_BgpFmRoundDefault@4 ; BgpFmRoundDefault(x)
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		jmp	loc_55A26E
; 

loc_55A4B5:				; CODE XREF: RaspScanConvert+115j
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		mov	[eax], ecx
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+var_8]
		pop	ebx
		mov	[eax], ecx
		xor	eax, eax
		mov	esp, ebp
		pop	ebp
		retn	18h
RaspScanConvert	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RaspTestIntersection(x, x, x, x)
_RaspTestIntersection@16 proc near	; CODE XREF: RaspScanConvert+19Fp

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		push	ebx
		push	esi
		mov	esi, [ecx]
		push	edi
		mov	edi, edx
		mov	[ebp+var_34], ecx
		mov	eax, [esi+8]
		add	eax, [esi]
		cdq
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], edx
		shld	edx, eax, 10h
		shl	eax, 10h
		mov	[ebp+var_1C], eax
		mov	eax, [esi+0Ch]
		add	eax, [esi+4]
		mov	[ebp+var_20], edx
		cdq
		mov	[ebp+var_54], eax
		mov	ebx, eax
		mov	eax, edx
		mov	[ebp+var_58], edx
		mov	edx, [ecx+4]
		mov	ecx, [ecx+8]
		shld	eax, ebx, 10h
		mov	[ebp+var_50], edx
		mov	[ebp+var_30], eax
		mov	eax, [edx+0Ch]
		add	eax, [edx+4]
		cdq
		mov	[ebp+var_2C], eax
		mov	[ebp+var_24], edx
		shld	edx, eax, 10h
		shl	ebx, 10h
		shl	eax, 10h
		mov	[ebp+var_28], eax
		mov	eax, [ecx+8]
		add	eax, [ecx]
		mov	[ebp+var_C], edx
		cdq
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], edx
		shld	edx, eax, 10h
		shl	eax, 10h
		mov	[ebp+var_38], eax
		mov	eax, [ecx+0Ch]
		add	eax, [ecx+4]
		mov	[ebp+var_3C], edx
		cdq
		mov	ecx, edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], ecx
		shld	ecx, eax, 10h
		shl	eax, 10h
		mov	[ebp+var_18], eax
		mov	eax, edi
		mov	edi, [ebp+var_30]
		cdq
		mov	[ebp+var_8], ecx
		mov	esi, edx
		mov	ecx, eax
		mov	[ebp+var_60], edx
		mov	edx, [ebp+var_18]
		shld	esi, ecx, 10h
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+var_8]
		shl	ecx, 10h
		cmp	ebx, edx
		jnz	short loc_55A597
		cmp	edi, eax
		jz	loc_55A927

loc_55A597:				; CODE XREF: RaspTestIntersection(x,x,x,x)+BDj
		cmp	ebx, ecx
		jnz	short loc_55A5A3
		cmp	edi, esi
		jz	loc_55A879

loc_55A5A3:				; CODE XREF: RaspTestIntersection(x,x,x,x)+C9j
					; RaspTestIntersection(x,x,x,x)+459j ...
		cmp	edx, ecx
		jnz	short loc_55A5AF
		cmp	eax, esi
		jz	loc_55A879

loc_55A5AF:				; CODE XREF: RaspTestIntersection(x,x,x,x)+D5j
		mov	eax, [ebp+var_34]
		mov	al, [eax+0Ch]
		mov	[ebp+var_2], al
		mov	[ebp+var_1], al
		cmp	al, 1
		jz	loc_55A888
		mov	[ebp+var_1], al
		mov	eax, [ebp+var_28]
		cmp	eax, ecx
		jnz	short loc_55A5D6
		cmp	[ebp+var_C], esi
		jz	loc_55A994

loc_55A5D6:				; CODE XREF: RaspTestIntersection(x,x,x,x)+FBj
					; RaspTestIntersection(x,x,x,x)+3BBj ...
		cmp	[ebp+var_1], 1
		jz	loc_55A890
		cmp	edi, esi
		jl	short loc_55A625
		jg	short loc_55A5EA
		cmp	ebx, ecx
		jbe	short loc_55A61B

loc_55A5EA:				; CODE XREF: RaspTestIntersection(x,x,x,x)+114j
		cmp	[ebp+var_C], esi
		jl	short loc_55A61B
		jg	short loc_55A5F5
		cmp	eax, ecx
		jbe	short loc_55A61B

loc_55A5F5:				; CODE XREF: RaspTestIntersection(x,x,x,x)+11Fj
		cmp	[ebp+var_8], esi
		jg	short loc_55A600
		jl	short loc_55A61B
		cmp	edx, ecx
		jbe	short loc_55A61B

loc_55A600:				; CODE XREF: RaspTestIntersection(x,x,x,x)+128j
					; RaspTestIntersection(x,x,x,x)+163j ...
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 7FFFFFFFh
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 7FFFFFFFh

loc_55A612:				; CODE XREF: RaspTestIntersection(x,x,x,x):loc_55A976j
					; RaspTestIntersection(x,x,x,x)+4B2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_55A61B:				; CODE XREF: RaspTestIntersection(x,x,x,x)+118j
					; RaspTestIntersection(x,x,x,x)+11Dj ...
		cmp	edi, esi
		jg	short loc_55A63B
		jl	short loc_55A625
		cmp	ebx, ecx
		jnb	short loc_55A63B

loc_55A625:				; CODE XREF: RaspTestIntersection(x,x,x,x)+112j
					; RaspTestIntersection(x,x,x,x)+14Fj
		cmp	[ebp+var_C], esi
		jg	short loc_55A63B
		jl	short loc_55A630
		cmp	eax, ecx
		jnb	short loc_55A63B

loc_55A630:				; CODE XREF: RaspTestIntersection(x,x,x,x)+15Aj
		cmp	[ebp+var_8], esi
		jl	short loc_55A600
		jg	short loc_55A63B
		cmp	edx, ecx
		jb	short loc_55A600

loc_55A63B:				; CODE XREF: RaspTestIntersection(x,x,x,x)+14Dj
					; RaspTestIntersection(x,x,x,x)+153j ...
		shld	[ebp+var_C], eax, 1
		add	eax, eax
		sub	edx, eax
		mov	eax, [ebp+var_8]
		sbb	eax, [ebp+var_C]
		add	edx, ebx
		adc	eax, edi
		or	edx, eax
		jz	loc_55A9A8
		mov	ecx, [ebp+var_50]
		mov	ebx, [ebp+var_2C]
		mov	esi, [ebp+var_14]
		mov	edi, [ebp+var_58]
		mov	eax, [ecx+8]
		add	eax, [ecx]
		cdq
		mov	[ebp+var_34], eax
		mov	eax, ebx
		mov	[ebp+var_38], edx
		mov	edx, [ebp+var_24]
		mov	ecx, edx
		shld	ecx, eax, 1
		add	eax, eax
		sub	esi, eax
		mov	eax, [ebp+var_10]
		sbb	eax, ecx
		mov	ecx, [ebp+var_54]
		add	esi, ecx
		mov	[ebp+var_14], esi
		adc	eax, edi
		sub	ebx, ecx
		push	eax
		sbb	edx, edi
		mov	[ebp+var_10], eax
		shld	edx, ebx, 1
		push	esi
		add	ebx, ebx
		mov	[ebp+var_24], edx
		sub	ecx, [ebp+var_5C]
		mov	[ebp+var_2C], ebx
		sbb	edi, [ebp+var_60]
		push	edi
		push	ecx
		call	__allmul
		mov	esi, eax
		mov	edi, edx
		mov	eax, [ebp+var_24]
		push	eax
		push	ebx
		push	eax
		shld	edi, esi, 2
		push	ebx
		shl	esi, 2
		call	__allmul
		sub	eax, esi
		sbb	edx, edi
		test	edx, edx
		jg	short loc_55A6DB
		jl	loc_55A600
		test	eax, eax
		jb	loc_55A600

loc_55A6DB:				; CODE XREF: RaspTestIntersection(x,x,x,x)+1FBj
		push	edx
		push	eax
		call	_BgpFmSqrt@12	; BgpFmSqrt(x,x,x)
		push	0FFFFFFFFh
		push	0FFFF0000h
		push	[ebp+var_24]
		mov	ebx, eax
		mov	[ebp+var_3C], edx
		push	[ebp+var_2C]
		call	__allmul
		mov	esi, edx
		mov	edi, eax
		mov	edx, [ebp+var_14]
		mov	ecx, ebx
		shld	[ebp+var_10], edx, 1
		push	[ebp+var_10]
		mov	eax, [ebp+var_3C]
		add	edx, edx
		add	ecx, edi
		mov	[ebp+var_14], edx
		push	edx
		adc	eax, esi
		push	eax
		push	ecx
		call	__alldiv
		push	[ebp+var_10]
		sub	edi, ebx
		mov	[ebp+var_C], eax
		push	[ebp+var_14]
		sbb	esi, [ebp+var_3C]
		push	esi
		push	edi
		mov	[ebp+var_24], edx
		call	__alldiv
		push	[ebp+var_40]
		mov	[ebp+var_2C], eax
		mov	ebx, 0
		push	[ebp+var_44]
		mov	eax, 10000h
		mov	[ebp+var_20], edx
		sub	eax, [ebp+var_C]
		mov	[ebp+var_60], eax
		sbb	ebx, [ebp+var_24]
		push	ebx
		push	eax
		call	__allmul
		push	[ebp+var_38]
		mov	edi, eax
		mov	esi, edx
		push	[ebp+var_34]
		push	[ebp+var_24]
		push	[ebp+var_C]
		call	__allmul
		shld	edx, eax, 1
		push	ebx
		push	[ebp+var_60]
		add	eax, eax
		add	edi, eax
		adc	esi, edx
		push	esi
		push	edi
		call	__allmul
		mov	ecx, [ebp+var_24]
		mov	edi, eax
		mov	eax, [ebp+var_C]
		mov	esi, edx
		push	ecx
		push	eax
		push	ecx
		push	eax
		call	__allmul
		push	[ebp+var_48]
		push	[ebp+var_4C]
		push	edx
		push	eax
		call	__allmul
		add	edi, eax
		push	1
		adc	esi, edx
		push	0
		push	esi
		push	edi
		call	__alldiv
		mov	ecx, [ebp+arg_0]
		mov	ebx, 0
		push	[ebp+var_40]
		mov	[ebp+var_3C], eax
		push	[ebp+var_44]
		mov	[ecx], eax
		mov	eax, 10000h
		sub	eax, [ebp+var_2C]
		mov	[ebp+var_60], eax
		sbb	ebx, [ebp+var_20]
		push	ebx
		push	eax
		call	__allmul
		push	[ebp+var_38]
		mov	edi, eax
		mov	esi, edx
		push	[ebp+var_34]
		push	[ebp+var_20]
		push	[ebp+var_2C]
		call	__allmul
		mov	ecx, [ebp+var_60]
		shld	edx, eax, 1
		push	ebx
		add	eax, eax
		add	edi, eax
		push	ecx
		adc	esi, edx
		push	esi
		push	edi
		call	__allmul
		mov	ebx, [ebp+var_2C]
		mov	edi, eax
		mov	eax, [ebp+var_20]
		mov	esi, edx
		push	eax
		push	ebx
		push	eax
		push	ebx
		call	__allmul
		push	[ebp+var_48]
		push	[ebp+var_4C]
		push	edx
		push	eax
		call	__allmul
		add	edi, eax
		push	1
		push	0
		adc	esi, edx
		push	esi
		push	edi
		call	__alldiv
		mov	esi, [ebp+arg_4]
		mov	edx, [ebp+var_24]
		mov	[esi], eax
		test	edx, edx
		jl	loc_55A93C
		mov	ecx, [ebp+var_C]
		jg	loc_55A93C
		test	ecx, ecx
		jb	loc_55A93C
		test	edx, edx
		jl	short loc_55A86E
		jg	loc_55A93C
		cmp	ecx, 10000h
		ja	loc_55A93C

loc_55A86E:				; CODE XREF: RaspTestIntersection(x,x,x,x)+38Aj
		mov	edi, [ebp+arg_0]
		mov	ecx, [ebp+var_3C]
		jmp	loc_55A94A
; 

loc_55A879:				; CODE XREF: RaspTestIntersection(x,x,x,x)+CDj
					; RaspTestIntersection(x,x,x,x)+D9j
		mov	eax, [ebp+var_34]
		add	ecx, 1
		adc	esi, 0
		mov	al, [eax+0Ch]
		mov	[ebp+var_1], al

loc_55A888:				; CODE XREF: RaspTestIntersection(x,x,x,x)+EDj
		mov	eax, [ebp+var_28]
		jmp	loc_55A5D6
; 

loc_55A890:				; CODE XREF: RaspTestIntersection(x,x,x,x)+10Aj
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 7FFFFFFFh
		cmp	edi, esi
		jl	short loc_55A8C2
		jg	short loc_55A8A3
		cmp	ebx, ecx
		jbe	short loc_55A8C2

loc_55A8A3:				; CODE XREF: RaspTestIntersection(x,x,x,x)+3CDj
		mov	eax, [ebp+var_8]
		cmp	eax, esi
		jg	short loc_55A8B0
		jl	short loc_55A8C5
		cmp	edx, ecx
		jbe	short loc_55A8C5

loc_55A8B0:				; CODE XREF: RaspTestIntersection(x,x,x,x)+3D8j
					; RaspTestIntersection(x,x,x,x)+403j ...
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		mov	dword ptr [eax], 7FFFFFFFh
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_55A8C2:				; CODE XREF: RaspTestIntersection(x,x,x,x)+3CBj
					; RaspTestIntersection(x,x,x,x)+3D1j
		mov	eax, [ebp+var_8]

loc_55A8C5:				; CODE XREF: RaspTestIntersection(x,x,x,x)+3DAj
					; RaspTestIntersection(x,x,x,x)+3DEj
		cmp	edi, esi
		jg	short loc_55A8D9
		jl	short loc_55A8CF
		cmp	ebx, ecx
		jnb	short loc_55A8D9

loc_55A8CF:				; CODE XREF: RaspTestIntersection(x,x,x,x)+3F9j
		cmp	eax, esi
		jg	short loc_55A8D9
		jl	short loc_55A8B0
		cmp	edx, ecx
		jb	short loc_55A8B0

loc_55A8D9:				; CODE XREF: RaspTestIntersection(x,x,x,x)+3F7j
					; RaspTestIntersection(x,x,x,x)+3FDj ...
		mov	eax, [ebp+var_38]
		sub	ecx, ebx
		mov	edx, [ebp+var_3C]
		sbb	esi, edi
		sub	eax, [ebp+var_1C]
		sbb	edx, [ebp+var_20]
		push	edx
		push	eax
		push	esi
		push	ecx
		call	__allmul
		mov	ecx, [ebp+var_18]
		sub	ecx, ebx
		mov	ebx, [ebp+var_8]
		sbb	ebx, edi
		push	ebx
		push	ecx
		push	edx
		push	eax
		call	__alldiv
		add	eax, [ebp+var_1C]
		push	0
		adc	edx, [ebp+var_20]
		push	10000h
		push	edx
		push	eax
		call	__alldiv
		mov	ecx, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx], eax
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_55A927:				; CODE XREF: RaspTestIntersection(x,x,x,x)+C1j
		cmp	ebx, ecx
		jnz	loc_55A5A3
		cmp	edi, esi
		jnz	loc_55A5A3
		jmp	loc_55A600
; 

loc_55A93C:				; CODE XREF: RaspTestIntersection(x,x,x,x)+371j
					; RaspTestIntersection(x,x,x,x)+37Aj ...
		mov	edi, [ebp+arg_0]
		mov	ecx, 7FFFFFFFh
		mov	dword ptr [edi], 7FFFFFFFh

loc_55A94A:				; CODE XREF: RaspTestIntersection(x,x,x,x)+3A4j
		mov	edx, [ebp+var_20]
		test	edx, edx
		jl	short loc_55A987
		jg	short loc_55A987
		test	ebx, ebx
		jb	short loc_55A987
		test	edx, edx
		jl	short loc_55A965
		jg	short loc_55A987
		cmp	ebx, 10000h
		ja	short loc_55A987

loc_55A965:				; CODE XREF: RaspTestIntersection(x,x,x,x)+489j
					; RaspTestIntersection(x,x,x,x)+4C2j
		cmp	ecx, eax
		jle	short loc_55A976
		mov	[edi], eax
		pop	edi
		mov	[esi], ecx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_55A976:				; CODE XREF: RaspTestIntersection(x,x,x,x)+497j
		jnz	loc_55A612
		mov	dword ptr [esi], 7FFFFFFFh
		jmp	loc_55A612
; 

loc_55A987:				; CODE XREF: RaspTestIntersection(x,x,x,x)+47Fj
					; RaspTestIntersection(x,x,x,x)+481j ...
		mov	dword ptr [esi], 7FFFFFFFh
		mov	eax, 7FFFFFFFh
		jmp	short loc_55A965
; 

loc_55A994:				; CODE XREF: RaspTestIntersection(x,x,x,x)+100j
		mov	dl, [ebp+var_2]
		add	ecx, 1
		mov	[ebp+var_1], dl
		mov	edx, [ebp+var_18]
		adc	esi, 0
		jmp	loc_55A5D6
; 

loc_55A9A8:				; CODE XREF: RaspTestIntersection(x,x,x,x)+180j
		mov	eax, [ebp+var_38]
		sub	ecx, ebx
		mov	edx, [ebp+var_3C]
		sbb	esi, edi
		sub	eax, [ebp+var_1C]
		sbb	edx, [ebp+var_20]
		push	edx
		push	eax
		push	esi
		push	ecx
		call	__allmul
		mov	ecx, [ebp+var_18]
		sub	ecx, ebx
		mov	ebx, [ebp+var_8]
		sbb	ebx, edi
		push	ebx
		push	ecx
		push	edx
		push	eax
		call	__alldiv
		add	eax, [ebp+var_1C]
		push	0
		adc	edx, [ebp+var_20]
		push	10000h
		push	edx
		push	eax
		call	__alldiv
		mov	ecx, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx], eax
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 7FFFFFFFh
		mov	esp, ebp
		pop	ebp
		retn	8
_RaspTestIntersection@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 


RaspGetSegmentDirection	proc near	; CODE XREF: RaspScanConvert+25Dp

; FUNCTION CHUNK AT 005E1856 SIZE 0000001C BYTES

		mov	eax, [ecx+8]
		mov	edx, [ecx]
		push	ebx
		push	esi
		mov	ebx, [eax+4]
		mov	esi, ebx
		sub	esi, [edx+0Ch]
		sub	esi, [edx+4]
		push	edi
		mov	edi, [eax+0Ch]
		add	esi, edi
		jz	loc_5E1856

loc_55AA1E:				; CODE XREF: RaspGetSegmentDirection+86E6Dj
		test	esi, esi
		jle	short loc_55AA29
		xor	eax, eax
		inc	eax

loc_55AA25:				; CODE XREF: RaspGetSegmentDirection+2Ej
					; RaspGetSegmentDirection+32j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_55AA29:				; CODE XREF: RaspGetSegmentDirection+20j
		jns	short loc_55AA30
		or	eax, 0FFFFFFFFh
		jmp	short loc_55AA25
; 

loc_55AA30:				; CODE XREF: RaspGetSegmentDirection:loc_55AA29j
					; RaspGetSegmentDirection+86E5Aj
		xor	eax, eax
		jmp	short loc_55AA25
RaspGetSegmentDirection	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpFmSqrt(x, x, x)
_BgpFmSqrt@12	proc near		; CODE XREF: RaspTestIntersection(x,x,x,x)+20Dp

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jl	loc_55AB8F
		mov	ebx, [ebp+arg_0]
		jg	short loc_55AA60
		test	ebx, ebx
		jz	loc_55AB8F

loc_55AA60:				; CODE XREF: BgpFmSqrt(x,x,x)+16j
		xor	esi, esi
		xor	edi, edi
		mov	eax, ebx
		add	eax, 1
		adc	ecx, esi
		shrd	eax, ecx, 1
		sar	ecx, 1
		js	short loc_55AA94
		jg	short loc_55AA80
		test	eax, eax
		jz	short loc_55AA94
		lea	esp, [esp+0]

loc_55AA80:				; CODE XREF: BgpFmSqrt(x,x,x)+33j
					; BgpFmSqrt(x,x,x)+4Cj	...
		sub	eax, esi
		sbb	ecx, edi
		add	esi, 1
		adc	edi, 0
		cmp	ecx, edi
		jg	short loc_55AA80
		jl	short loc_55AA94
		cmp	eax, esi
		ja	short loc_55AA80

loc_55AA94:				; CODE XREF: BgpFmSqrt(x,x,x)+31j
					; BgpFmSqrt(x,x,x)+37j	...
		shld	edi, esi, 10h
		shl	esi, 10h
		mov	eax, esi
		or	eax, edi
		jz	loc_55AB8F
		push	edi
		push	esi
		push	edi
		push	esi
		call	__allmul
		add	eax, 0
		adc	edx, ebx
		shld	edi, esi, 1
		push	edi
		add	esi, esi
		push	esi
		push	edx
		push	eax
		call	__alldiv
		mov	esi, edx
		mov	edi, eax
		push	esi
		push	edi
		push	esi
		push	edi
		call	__allmul
		add	eax, 0
		adc	edx, ebx
		shld	esi, edi, 1
		push	esi
		add	edi, edi
		push	edi
		push	edx
		push	eax
		call	__alldiv
		mov	esi, edx
		mov	edi, eax
		push	esi
		push	edi
		push	esi
		push	edi
		call	__allmul
		add	eax, 0
		adc	edx, ebx
		shld	esi, edi, 1
		push	esi
		add	edi, edi
		push	edi
		push	edx
		push	eax
		call	__alldiv
		mov	esi, edx
		mov	edi, eax
		push	esi
		push	edi
		push	esi
		push	edi
		call	__allmul
		add	eax, 0
		adc	edx, ebx
		shld	esi, edi, 1
		push	esi
		add	edi, edi
		push	edi
		push	edx
		push	eax
		call	__alldiv
		mov	esi, edx
		mov	edi, eax
		push	esi
		push	edi
		push	esi
		push	edi
		call	__allmul
		add	eax, 0
		adc	edx, ebx
		shld	esi, edi, 1
		push	esi
		add	edi, edi
		push	edi
		push	edx
		push	eax
		call	__alldiv
		mov	esi, edx
		mov	edi, eax
		push	esi
		push	edi
		push	esi
		push	edi
		call	__allmul
		add	eax, 0
		adc	edx, ebx
		shld	esi, edi, 1
		push	esi
		add	edi, edi
		push	edi
		push	edx
		push	eax
		call	__alldiv
		mov	esi, edx
		mov	edi, eax
		push	esi
		push	edi
		push	esi
		push	edi
		call	__allmul
		add	eax, 0
		adc	edx, ebx
		shld	esi, edi, 1
		push	esi
		add	edi, edi
		push	edi
		push	edx
		push	eax
		call	__alldiv

loc_55AB88:				; CODE XREF: BgpFmSqrt(x,x,x)+153j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_55AB8F:				; CODE XREF: BgpFmSqrt(x,x,x)+Dj
					; BgpFmSqrt(x,x,x)+1Aj	...
		xor	eax, eax
		xor	edx, edx
		jmp	short loc_55AB88
_BgpFmSqrt@12	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall BgpFmRoundUp(x)
_BgpFmRoundUp@4	proc near		; CODE XREF: BgpRasPrintGlyph+1A4p
					; BgpRasGetGlyphTextCellDimensions(x,x,x)+31p ...
		mov	eax, ecx
		sar	eax, 6
		test	ecx, ecx
		js	short loc_55ABA6
		test	cl, 3Fh
		jz	short locret_55ABA5
		inc	eax

locret_55ABA5:				; CODE XREF: BgpFmRoundUp(x)+Cj
		retn
; 

loc_55ABA6:				; CODE XREF: BgpFmRoundUp(x)+7j
		or	eax, 0FC000000h
		retn
_BgpFmRoundUp@4	endp


;  S U B	R O U T	I N E 


; __stdcall BgpFmRoundDefault(x)
_BgpFmRoundDefault@4 proc near		; CODE XREF: BgpRasGetGlyphTextCellDimensions(x,x,x)+41p
					; RaspScanConvert+ADp ...
		mov	eax, ecx
		sar	eax, 6
		test	ecx, ecx
		js	short loc_55ABBC

loc_55ABB5:				; CODE XREF: BgpFmRoundDefault(x)+15j
		test	cl, 20h
		jz	short locret_55ABBB
		inc	eax

locret_55ABBB:				; CODE XREF: BgpFmRoundDefault(x)+Cj
		retn
; 

loc_55ABBC:				; CODE XREF: BgpFmRoundDefault(x)+7j
		or	eax, 0FC000000h
		jmp	short loc_55ABB5
_BgpFmRoundDefault@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RaspRectangleCreate(x, x, x, x)
_RaspRectangleCreate@16	proc near	; CODE XREF: RaspScanConvert+EAp
					; BgpRasPrintGlyph+87B9Dp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	eax, edx
		mov	edx, [ebp+arg_4]
		push	edi
		mov	[ebp+var_4], eax
		mov	esi, [ebx+4]
		imul	esi, [ebx]
		imul	esi, eax
		add	esi, 7
		shr	esi, 3
		add	esi, 40h
		mov	ecx, esi
		call	RaspAllocateMemory
		mov	edi, eax
		test	edi, edi
		jz	short loc_55AC0E
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	esi
		push	edi
		call	_BgpGxInitializeRectangle@16 ; BgpGxInitializeRectangle(x,x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx], edi

loc_55AC07:				; CODE XREF: RaspRectangleCreate(x,x,x,x)+4Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_55AC0E:				; CODE XREF: RaspRectangleCreate(x,x,x,x)+30j
		mov	eax, 0C0000017h
		jmp	short loc_55AC07
_RaspRectangleCreate@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpGxInitializeRectangle(x,	x, x, x)
_BgpGxInitializeRectangle@16 proc near	; CODE XREF: RaspRectangleCreate(x,x,x,x)+39p
					; RaspScanConvert+8762Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_55AC6C
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_55AC6C
		mov	edi, [ecx+4]
		mov	ebx, [ecx]
		mov	ecx, ebx
		imul	ecx, edi
		imul	ecx, edx
		add	ecx, 7
		shr	ecx, 3
		lea	eax, [ecx+40h]
		cmp	eax, [ebp+arg_4]
		ja	short loc_55AC65
		lea	eax, [esi+40h]
		mov	[esi], edi
		mov	[esi+14h], eax
		xor	eax, eax
		mov	[esi+4], ebx
		mov	[esi+8], edx
		mov	dword ptr [esi+10h], 8
		mov	[esi+0Ch], ecx

loc_55AC5E:				; CODE XREF: BgpGxInitializeRectangle(x,x,x,x)+54j
					; BgpGxInitializeRectangle(x,x,x,x)+5Bj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_55AC65:				; CODE XREF: BgpGxInitializeRectangle(x,x,x,x)+2Cj
		mov	eax, 0C000009Ah
		jmp	short loc_55AC5E
; 

loc_55AC6C:				; CODE XREF: BgpGxInitializeRectangle(x,x,x,x)+Aj
					; BgpGxInitializeRectangle(x,x,x,x)+11j
		mov	eax, 0C000000Dh
		jmp	short loc_55AC5E
_BgpGxInitializeRectangle@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RaspCreatePointList(x, x, x)
_RaspCreatePointList@12	proc near	; CODE XREF: RaspRasterize+51p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	edx, [ebp+arg_0]
		movzx	eax, word ptr [edi+18h]
		imul	ecx, eax, 11h
		call	RaspAllocateMemory
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_55ACF4
		movzx	eax, word ptr [edi+18h]
		imul	eax, 11h
		push	esi
		xor	esi, esi
		push	eax		; size_t
		push	esi		; int
		push	ebx		; void *
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		cmp	ax, [edi+18h]
		jnb	short loc_55ACE1
		lea	ecx, [ebx+10h]

loc_55ACB6:				; CODE XREF: RaspCreatePointList(x,x,x)+6Bj
		mov	eax, [edi+26h]
		mov	eax, [eax+esi*4]
		mov	[ecx-10h], eax
		mov	eax, [edi+2Ah]
		mov	eax, [eax+esi*4]
		mov	[ecx-0Ch], eax
		mov	eax, [edi+22h]
		test	eax, eax
		jz	short loc_55ACD5
		test	byte ptr [eax+esi], 1
		jnz	short loc_55ACEF

loc_55ACD5:				; CODE XREF: RaspCreatePointList(x,x,x)+59j
					; RaspCreatePointList(x,x,x)+7Ej
		movzx	eax, word ptr [edi+18h]
		inc	esi
		add	ecx, 11h
		cmp	esi, eax
		jb	short loc_55ACB6

loc_55ACE1:				; CODE XREF: RaspCreatePointList(x,x,x)+3Dj
		mov	eax, [ebp+var_4]
		pop	esi
		mov	[eax], ebx
		xor	eax, eax

loc_55ACE9:				; CODE XREF: RaspCreatePointList(x,x,x)+85j
		pop	edi
		pop	ebx
		leave
		retn	4
; 

loc_55ACEF:				; CODE XREF: RaspCreatePointList(x,x,x)+5Fj
		mov	byte ptr [ecx],	1
		jmp	short loc_55ACD5
; 

loc_55ACF4:				; CODE XREF: RaspCreatePointList(x,x,x)+20j
		mov	eax, 0C000009Ah
		jmp	short loc_55ACE9
_RaspCreatePointList@12	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RaspLoadBearings proc near		; CODE XREF: RaspGetUnscaledGlyphData+87p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E1872 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	eax, [edi+8]
		movzx	ecx, word ptr [edi+44h]
		mov	edx, [edi+30h]
		mov	[ebp+var_8], ecx
		mov	eax, [eax+8]
		cmp	esi, ecx
		jnb	loc_55ADE2
		lea	ecx, [ebp+var_4]
		push	ecx		; void *
		push	4		; size_t
		lea	edx, [edx+esi*4]
		mov	ecx, eax
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		test	eax, eax
		js	loc_55ADDB
		mov	ax, word ptr [ebp+var_4+2]
		mov	ch, al
		mov	cl, ah
		mov	ax, word ptr [ebp+var_4]
		movzx	esi, cx
		mov	ch, al
		mov	cl, ah
		movzx	ebx, cx
		test	ebx, ebx
		jz	loc_5E1872

loc_55AD61:				; CODE XREF: RaspLoadBearings+12Aj
					; RaspLoadBearings+86BA4j
		test	si, si
		js	loc_55AE32

loc_55AD6A:				; CODE XREF: RaspLoadBearings+138j
		mov	edx, [ebp+arg_0]
		mov	ecx, [edx+12h]
		movsx	edx, si
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		mov	eax, [esi+0Ah]
		sub	eax, ecx
		add	eax, edx
		cmp	ebx, eax
		jl	loc_55AE2B

loc_55AD8B:				; CODE XREF: RaspLoadBearings+131j
		movzx	edx, word ptr [esi+18h]
		mov	ecx, [esi+26h]
		mov	eax, [ebp+var_10]
		sub	eax, [ebp+var_C]
		mov	[ecx+edx*4], eax
		mov	eax, [esi+12h]
		sub	eax, [ebp+var_C]
		add	eax, ebx
		mov	[ecx+edx*4+4], eax
		mov	edx, [ebp+arg_0]
		movsx	eax, word ptr [edi+3Eh]
		movzx	esi, word ptr [esi+18h]
		movsx	ecx, word ptr [edi+40h]
		mov	edx, [edx+2Ah]
		add	ecx, eax
		mov	[edx+esi*4], ecx
		movsx	eax, word ptr [edi+3Eh]
		movsx	ecx, word ptr [edi+40h]
		add	ecx, eax
		mov	eax, [ebp+arg_0]
		mov	[edx+esi*4+4], ecx
		add	word ptr [eax+18h], 2
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		xor	eax, eax

loc_55ADDB:				; CODE XREF: RaspLoadBearings+41j
					; RaspLoadBearings+FEj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_55ADE2:				; CODE XREF: RaspLoadBearings+29j
		lea	ecx, [edx+ecx*4]
		lea	edx, [ebp+var_4]
		mov	[ebp+var_10], ecx
		push	edx		; void *
		lea	edx, [ecx-4]
		mov	ecx, eax
		push	4		; size_t
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		test	eax, eax
		js	short loc_55ADDB
		mov	ax, word ptr [ebp+var_4]
		sub	esi, [ebp+var_8]
		mov	ch, al
		mov	cl, ah
		lea	eax, [ebp+var_C]
		movzx	ebx, cx
		mov	ecx, [edi+8]
		push	eax		; void *
		mov	eax, [ebp+var_10]
		mov	ecx, [ecx+8]
		lea	edx, [eax+esi*2]
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		test	eax, eax
		js	short loc_55ADDB
		mov	esi, [ebp+var_C]
		jmp	loc_55AD61
; 

loc_55AE2B:				; CODE XREF: RaspLoadBearings+89j
		mov	ebx, eax
		jmp	loc_55AD8B
; 

loc_55AE32:				; CODE XREF: RaspLoadBearings+68j
		xor	esi, esi
		jmp	loc_55AD6A
RaspLoadBearings endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RaspMapGlyphIndexToLocation proc near	; CODE XREF: RaspGetUnscaledGlyphData+3Dp
					; RaspGetUnscaledGlyphData+87699p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E18A5 SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_55AEB3
		movzx	eax, word ptr [esi+38h]
		push	ebx
		push	edi
		test	ax, ax
		jnz	loc_5E18A5
		mov	eax, [esi+34h]
		mov	ecx, [esi+8]
		lea	ebx, [eax+edx*2]
		mov	ecx, [ecx+8]
		lea	eax, [ebp+var_4]
		push	eax		; void *
		mov	edx, ebx
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		test	eax, eax
		js	short loc_55AEA7
		movzx	eax, word ptr [ebp+var_4]
		lea	edx, [ebx+2]
		mov	edi, [ebp+arg_0]
		add	eax, eax
		mov	ecx, [esi+8]
		mov	[edi], eax
		lea	eax, [ebp+var_4]
		mov	ecx, [ecx+8]
		push	eax		; void *
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		test	eax, eax
		js	short loc_55AEA7
		movzx	eax, word ptr [ebp+var_4]
		add	eax, eax
		cmp	[edi], eax

loc_55AEA3:				; CODE XREF: RaspMapGlyphIndexToLocation+86AB6j
		jz	short loc_55AEAE

loc_55AEA5:				; CODE XREF: RaspMapGlyphIndexToLocation+77j
		xor	eax, eax

loc_55AEA7:				; CODE XREF: RaspMapGlyphIndexToLocation+3Ej
					; RaspMapGlyphIndexToLocation+5Fj ...
		pop	edi
		pop	ebx

loc_55AEA9:				; CODE XREF: RaspMapGlyphIndexToLocation+7Ej
		pop	esi
		leave
		retn	4
; 

loc_55AEAE:				; CODE XREF: RaspMapGlyphIndexToLocation:loc_55AEA3j
		or	dword ptr [edi], 0FFFFFFFFh
		jmp	short loc_55AEA5
; 

loc_55AEB3:				; CODE XREF: RaspMapGlyphIndexToLocation+14j
		mov	eax, 0C0000001h
		jmp	short loc_55AEA9
RaspMapGlyphIndexToLocation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	FioFwReadUshortAtOffset(void *)
_FioFwReadUshortAtOffset@12 proc near	; CODE XREF: RaspLoadBearings+11Ep
					; RaspMapGlyphIndexToLocation+37p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi		; void *
		push	2		; size_t
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		test	eax, eax
		js	short loc_55AEDB
		mov	ax, [esi]
		mov	ch, al
		mov	cl, ah
		xor	eax, eax
		mov	[esi], cx

loc_55AEDB:				; CODE XREF: FioFwReadUshortAtOffset(x,x,x)+13j
		pop	esi
		pop	ebp
		retn	4
_FioFwReadUshortAtOffset@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RaspInitializeGlyphData	proc near	; CODE XREF: RaspLoadGlyphData+4Ep

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E18FF SIZE 00000071 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		and	[ebp+var_C], 0
		xor	eax, eax
		and	[ebp+var_14], 0
		mov	[ebp+var_18], ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_10], esi
		push	edi
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosw
		test	ecx, ecx
		jz	loc_5E1966
		mov	edx, [ecx+28h]
		test	edx, edx
		jz	loc_5E1966
		mov	eax, [ecx+8]
		add	esi, edx
		mov	edx, esi
		mov	ebx, [eax+8]
		lea	eax, [ebp+var_34]
		push	eax		; void *
		mov	ecx, ebx
		mov	[ebp+var_8], ebx
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		lea	eax, [ebp+var_34+2]
		mov	ecx, ebx
		push	eax		; void *
		lea	edx, [esi+2]
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		lea	eax, [ebp+var_30]
		mov	ecx, ebx
		push	eax		; void *
		lea	edx, [esi+4]
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		lea	eax, [ebp+var_30+2]
		mov	ecx, ebx
		push	eax		; void *
		lea	edx, [esi+6]
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		lea	eax, [ebp+var_2C]
		add	esi, 8
		push	eax		; void *
		mov	edx, esi
		mov	ecx, ebx
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		mov	ax, word ptr [ebp+var_34]
		test	ax, ax
		js	loc_5E18FF
		jz	loc_5E1909
		movsx	edi, ax
		mov	ecx, ebx
		lea	eax, [ebp+var_14]
		push	eax		; void *
		lea	esi, [esi+edi*2]
		mov	edx, esi
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		inc	[ebp+var_14]
		lea	eax, [ebp+var_C]
		push	eax		; void *
		lea	edx, [esi+2]
		mov	ecx, ebx
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		mov	eax, [ebp+var_C]
		add	edi, 1Fh
		mov	edx, [ebp+arg_4]
		movzx	ecx, ax
		mov	eax, [ebp+var_14]
		movzx	eax, ax
		imul	eax, 9
		add	eax, ecx
		lea	edi, [eax+edi*2]
		mov	ecx, edi
		call	RaspAllocateMemory
		mov	esi, eax
		mov	[ebp+var_28], eax
		test	esi, esi
		jz	loc_5E195C
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		movsx	eax, word ptr [ebp+var_30]
		mov	ebx, esi
		mov	dx, word ptr [ebp+var_34]
		add	esp, 0Ch
		movsx	ecx, word ptr [ebp+var_34+2]
		mov	edi, [ebp+var_10]
		mov	[esi+6], eax
		add	edi, 0Ah
		movsx	eax, word ptr [ebp+var_30+2]
		mov	[esi+0Ah], eax
		movsx	eax, word ptr [ebp+var_2C]
		mov	[esi+0Eh], eax
		mov	eax, [ebp+var_C]
		mov	[esi+16h], ax
		mov	eax, [ebp+var_14]
		mov	[esi+18h], ax
		mov	eax, [ebp+var_18]
		mov	[esi], dx
		mov	[esi+2], ecx
		mov	[esi+12h], ecx
		mov	eax, [eax+28h]
		add	edi, eax
		mov	[ebp+var_1C], esi
		xor	eax, eax
		add	esi, 2Eh
		mov	[ebp+var_4], ebx
		mov	[ebx+1Ah], esi
		cmp	ax, dx
		jge	short loc_55B053
		mov	ebx, [ebp+var_8]
		movzx	eax, dx
		mov	[ebp+var_10], eax

loc_55B03A:				; CODE XREF: RaspInitializeGlyphData+16Ej
		push	esi		; void *
		mov	edx, edi
		mov	ecx, ebx
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		add	edi, 2
		add	esi, 2
		sub	[ebp+var_10], 1
		jnz	short loc_55B03A
		mov	ebx, [ebp+var_4]

loc_55B053:				; CODE XREF: RaspInitializeGlyphData+14Fj
		mov	ecx, [ebp+var_C]
		add	edi, 2
		movzx	eax, cx
		mov	edx, edi
		mov	ecx, [ebp+var_8]
		push	esi		; void *
		push	eax		; size_t
		mov	[ebx+1Eh], esi
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+arg_4]
		movzx	eax, cx
		add	esi, eax
		add	edi, eax
		mov	eax, [ebp+var_14]
		movzx	eax, ax
		mov	ecx, eax
		mov	[ebp+var_20], esi
		mov	[ebp+var_24], edi
		mov	[ebx+22h], esi
		mov	[ebp+var_10], eax
		call	RaspAllocateMemory
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_5E194D
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		push	eax		; void *
		push	[ebp+var_10]	; size_t
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		xor	ecx, ecx
		xor	ebx, ebx
		mov	[ebp+var_C], ecx
		cmp	[ebp+var_10], ecx
		jbe	short loc_55B0ED
		mov	edi, [ebp+var_4]
		mov	esi, [ebp+var_10]

loc_55B0BC:				; CODE XREF: RaspInitializeGlyphData+205j
		mov	eax, [ebp+var_14]
		movsx	edx, cx
		mov	ecx, [edi+22h]
		mov	al, [ebx+eax]
		mov	[edx+ecx], al
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_C]
		inc	ecx
		mov	[ebp+var_C], ecx
		test	byte ptr [ebx+eax], 8
		jnz	loc_55B202

loc_55B0DF:				; CODE XREF: RaspInitializeGlyphData+353j
		movsx	eax, cx
		inc	ebx
		cmp	eax, esi
		jl	short loc_55B0BC
		mov	esi, [ebp+var_20]
		mov	edi, [ebp+var_24]

loc_55B0ED:				; CODE XREF: RaspInitializeGlyphData+1D4j
		mov	ecx, [ebp+var_4]
		add	edi, ebx
		mov	ebx, [ebp+var_10]
		add	esi, ebx
		and	[ebp+var_18], 0
		mov	[ecx+26h], esi
		test	ebx, ebx
		jz	short loc_55B15C
		xor	edx, edx
		mov	[ebp+var_10], edx

loc_55B107:				; CODE XREF: RaspInitializeGlyphData+274j
		lea	eax, [esi+edx*4]
		and	dword ptr [eax], 0
		mov	[ebp+var_24], eax
		mov	eax, [ecx+22h]
		mov	al, [edx+eax]
		test	al, 2
		jz	loc_55B1E4
		mov	ecx, [ebp+var_8]
		lea	eax, [esi+edx*4]
		push	eax		; void *
		push	1		; size_t
		mov	edx, edi
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		mov	eax, [ebp+var_1C]
		inc	edi
		mov	ecx, [ebp+var_10]
		mov	eax, [eax+22h]
		test	byte ptr [ecx+eax], 10h
		jz	loc_55B1D1

loc_55B142:				; CODE XREF: RaspInitializeGlyphData+2F6j
					; RaspInitializeGlyphData+31Dj
		mov	ecx, [ebp+var_4]

loc_55B145:				; CODE XREF: RaspInitializeGlyphData+306j
		mov	eax, [ebp+var_18]
		inc	eax
		movsx	edx, ax
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], edx
		cmp	edx, ebx
		jl	short loc_55B107
		mov	esi, [ebp+var_28]
		mov	esi, [esi+26h]

loc_55B15C:				; CODE XREF: RaspInitializeGlyphData+220j
		and	[ebp+var_18], 0
		lea	edx, [ebx+2]
		lea	edx, [esi+edx*4]
		mov	[ebp+var_10], edx
		mov	[ecx+2Ah], edx
		test	ebx, ebx
		jz	short loc_55B1B3
		xor	esi, esi

loc_55B172:				; CODE XREF: RaspInitializeGlyphData+2D1j
		lea	edx, [edx+esi*4]
		and	dword ptr [edx], 0
		mov	eax, [ecx+22h]
		mov	al, [esi+eax]
		test	al, 4
		jz	short loc_55B1DB
		mov	ecx, [ebp+var_8]
		push	edx		; void *
		push	1		; size_t
		mov	edx, edi
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		mov	eax, [ebp+var_1C]
		inc	edi
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_4]
		mov	eax, [eax+22h]
		test	byte ptr [esi+eax], 20h
		jnz	short loc_55B1A5
		neg	dword ptr [edx+esi*4]

loc_55B1A5:				; CODE XREF: RaspInitializeGlyphData+2C0j
					; RaspInitializeGlyphData+302j
		mov	eax, [ebp+var_18]
		inc	eax
		movsx	esi, ax
		mov	[ebp+var_18], eax
		cmp	esi, ebx
		jl	short loc_55B172

loc_55B1B3:				; CODE XREF: RaspInitializeGlyphData+28Ej
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax], 0
		jnz	short loc_55B1C8
		mov	ecx, [ebp+var_14]
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_55B1C8:				; CODE XREF: RaspInitializeGlyphData+2DEj
					; RaspInitializeGlyphData+86A68j
		xor	eax, eax

loc_55B1CA:				; CODE XREF: RaspInitializeGlyphData+86A24j
					; RaspInitializeGlyphData+86A81j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_55B1D1:				; CODE XREF: RaspInitializeGlyphData+25Cj
		lea	eax, [esi+ecx*4]
		neg	dword ptr [eax]
		jmp	loc_55B142
; 

loc_55B1DB:				; CODE XREF: RaspInitializeGlyphData+2A0j
		test	al, 20h
		jz	short loc_55B238

loc_55B1DF:				; CODE XREF: RaspInitializeGlyphData+369j
		mov	edx, [ebp+var_10]
		jmp	short loc_55B1A5
; 

loc_55B1E4:				; CODE XREF: RaspInitializeGlyphData+238j
		test	al, 10h
		jnz	loc_55B145
		mov	eax, [ebp+var_24]
		mov	edx, edi
		mov	ecx, [ebp+var_8]
		push	eax		; void *
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		add	edi, 2
		jmp	loc_55B142
; 

loc_55B202:				; CODE XREF: RaspInitializeGlyphData+1F9j
		mov	dl, [ebx+eax+1]
		test	dl, dl
		jz	short loc_55B232
		mov	esi, [ebp+var_C]
		movzx	ecx, dl
		mov	[ebp+var_18], ecx

loc_55B213:				; CODE XREF: RaspInitializeGlyphData+347j
		mov	ecx, [edi+22h]
		mov	al, [ebx+eax]
		movsx	edx, si
		inc	esi
		sub	[ebp+var_18], 1
		mov	[edx+ecx], al
		mov	eax, [ebp+var_14]
		jnz	short loc_55B213
		mov	[ebp+var_C], esi
		mov	esi, [ebp+var_10]
		mov	ecx, [ebp+var_C]

loc_55B232:				; CODE XREF: RaspInitializeGlyphData+328j
		inc	ebx
		jmp	loc_55B0DF
; 

loc_55B238:				; CODE XREF: RaspInitializeGlyphData+2FDj
		mov	ecx, [ebp+var_8]
		push	edx		; void *
		mov	edx, edi
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		mov	ecx, [ebp+var_4]
		add	edi, 2
		jmp	short loc_55B1DF
RaspInitializeGlyphData	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	FioFwReadBytesAtOffset(size_t,void *)
_FioFwReadBytesAtOffset@16 proc	near	; CODE XREF: RaspLoadBearings+3Ap
					; RaspLoadBearings+F7p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [edx+esi]
		cmp	eax, [ecx+4]
		ja	short loc_55B275
		mov	eax, [ecx]
		push	esi		; size_t
		add	eax, edx
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax

loc_55B270:				; CODE XREF: FioFwReadBytesAtOffset(x,x,x,x)+2Ej
		pop	esi
		pop	ebp
		retn	8
; 

loc_55B275:				; CODE XREF: FioFwReadBytesAtOffset(x,x,x,x)+Fj
		mov	eax, 0C000000Dh
		jmp	short loc_55B270
_FioFwReadBytesAtOffset@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RaspCreateSegmentList proc near		; CODE XREF: RaspScanConvert+51p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005E1970 SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ebx
		cmp	eax, 2
		jb	loc_5E1970
		mov	ecx, [ecx+1Ah]
		push	esi
		xor	esi, esi
		mov	[ebp+arg_0], ecx
		add	eax, 0FFFFFFFEh
		mov	[ebp+var_1C], esi
		push	edi
		mov	edx, esi
		mov	[ebp+var_24], eax
		mov	edi, esi
		jz	loc_55B55F
		add	ebx, 10h

loc_55B2B6:				; CODE XREF: RaspCreateSegmentList+77j
		lea	eax, [edi+1]
		mov	[ebp+var_20], eax
		mov	ecx, eax
		mov	eax, [ebp+arg_0]
		movzx	eax, word ptr [eax+edx*2]
		cmp	edi, eax
		jz	loc_55B4F0

loc_55B2CD:				; CODE XREF: RaspCreateSegmentList+27Bj
		test	byte ptr [ebx],	1
		jnz	short loc_55B2E3
		imul	eax, ecx, 11h
		mov	ecx, [ebp+var_4]
		test	byte ptr [eax+ecx+10h],	1
		jnz	loc_55B4B3

loc_55B2E3:				; CODE XREF: RaspCreateSegmentList+54j
		mov	eax, [ebp+var_1C]
		inc	eax
		mov	[ebp+var_1C], eax

loc_55B2EA:				; CODE XREF: RaspCreateSegmentList+23Aj
		mov	edi, [ebp+var_20]
		add	ebx, 11h
		cmp	edi, [ebp+var_24]
		jb	short loc_55B2B6
		test	eax, eax
		jz	loc_55B55F
		mov	edx, [ebp+arg_C]
		imul	edi, eax, 0Dh
		mov	ecx, edi
		call	RaspAllocateMemory
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	loc_5E197A
		push	edi		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	edi, [ebp+var_20]
		mov	ecx, esi
		add	esp, 0Ch
		mov	[ebp+var_8], ecx
		mov	ebx, esi
		add	edi, 8

loc_55B32D:				; CODE XREF: RaspCreateSegmentList+185j
		lea	eax, [ebx-1]
		mov	[ebp+var_14], eax
		lea	eax, [ebx+1]
		mov	[ebp+var_28], eax
		lea	edx, [ebx+2]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], edx
		test	ebx, ebx
		jz	loc_55B52E
		test	ecx, ecx
		jnz	loc_55B420

loc_55B355:				; CODE XREF: RaspCreateSegmentList+1AFj
					; RaspCreateSegmentList+2B8j
		movzx	eax, word ptr [eax+ecx*2]
		mov	[ebp+var_18], eax
		dec	eax
		cmp	ebx, eax
		mov	eax, [ebp+arg_0]
		jz	loc_55B513

loc_55B368:				; CODE XREF: RaspCreateSegmentList+2A4j
					; RaspCreateSegmentList+2DEj
		cmp	ebx, [ebp+var_18]
		jz	loc_55B4FC

loc_55B371:				; CODE XREF: RaspCreateSegmentList+292j
		mov	edx, [ebp+var_4]
		imul	eax, ebx, 11h
		add	edx, eax
		mov	[ebp+var_18], edx
		test	byte ptr [edx+10h], 1
		jnz	loc_55B43A
		test	ebx, ebx
		jz	loc_5E1984

loc_55B38E:				; CODE XREF: RaspCreateSegmentList+8671Aj
		test	ecx, ecx
		jz	short loc_55B3A3
		mov	eax, [ebp+arg_0]
		movzx	eax, word ptr [eax+ecx*2-2]
		inc	eax
		cmp	ebx, eax
		jz	loc_5E199B

loc_55B3A3:				; CODE XREF: RaspCreateSegmentList+114j
					; RaspCreateSegmentList+86731j
		imul	eax, [ebp+var_10], arg_8+1
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_18]
		push	[ebp+arg_C]
		add	ecx, eax
		imul	eax, [ebp+var_14], arg_8+1
		mov	[ebp+var_10], ecx
		add	eax, [ebp+var_4]
		test	byte ptr [ecx+10h], 1
		mov	ecx, eax
		jnz	loc_55B4BB
		call	_RaspInterpolatePoint@12 ; RaspInterpolatePoint(x,x,x)
		mov	[edi-8], eax
		test	eax, eax
		jz	loc_5E19B2
		mov	ecx, [ebp+var_18]
		push	[ebp+arg_C]
		mov	edx, [ebp+var_10]
		mov	[edi-4], ecx
		call	_RaspInterpolatePoint@12 ; RaspInterpolatePoint(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jz	loc_5E19B2
		mov	byte ptr [edi+4], 5

loc_55B3F7:				; CODE XREF: RaspCreateSegmentList+216j
					; RaspCreateSegmentList+228j ...
		mov	ecx, [ebp+var_8]
		add	edi, 0Dh

loc_55B3FD:				; CODE XREF: RaspCreateSegmentList+86714j
					; RaspCreateSegmentList+8672Bj
		inc	ebx
		cmp	ebx, [ebp+var_24]
		jb	loc_55B32D
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+var_20]

loc_55B40D:				; CODE XREF: RaspCreateSegmentList+8674Dj
		mov	edx, [ebp+arg_8]
		mov	[edx], ecx
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		mov	eax, esi

loc_55B419:				; CODE XREF: RaspCreateSegmentList+2EFj
		pop	edi
		pop	esi

loc_55B41B:				; CODE XREF: RaspCreateSegmentList+866F9j
		pop	ebx
		leave
		retn	10h
; 

loc_55B420:				; CODE XREF: RaspCreateSegmentList+D3j
		movzx	eax, word ptr [eax+ecx*2-2]
		inc	eax
		cmp	ebx, eax
		mov	eax, [ebp+arg_0]
		jnz	loc_55B355
		movzx	edx, word ptr [eax+ecx*2]
		jmp	loc_55B531
; 

loc_55B43A:				; CODE XREF: RaspCreateSegmentList+104j
		imul	eax, [ebp+var_10], arg_8+1
		add	eax, [ebp+var_4]
		mov	[ebp+var_14], eax
		test	byte ptr [eax+10h], 1
		jnz	loc_55B4DF
		imul	eax, [ebp+var_C], arg_8+1
		mov	ecx, [ebp+var_8]
		add	eax, [ebp+var_4]
		mov	[ebp+var_18], eax
		mov	al, [eax+10h]
		mov	[edi-8], edx
		mov	edx, [ebp+var_14]
		mov	[edi-4], edx
		mov	edx, [ebp+var_18]
		and	al, 1
		jnz	loc_55B525
		push	[ebp+arg_C]
		mov	ecx, [ebp+var_14]
		call	_RaspInterpolatePoint@12 ; RaspInterpolatePoint(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jz	loc_5E19B2
		mov	ecx, [ebp+var_8]
		mov	al, 4

loc_55B48C:				; CODE XREF: RaspCreateSegmentList+2ADj
		mov	[edi+4], al
		cmp	[ebp+var_10], ebx
		jbe	loc_55B3F7
		mov	eax, [ebp+arg_0]
		mov	ebx, [ebp+var_28]
		movzx	eax, word ptr [eax+ecx*2]
		cmp	ebx, eax
		jnz	loc_55B3F7
		inc	ecx
		mov	[ebp+var_8], ecx
		jmp	loc_55B3F7
; 

loc_55B4B3:				; CODE XREF: RaspCreateSegmentList+61j
		mov	eax, [ebp+var_1C]
		jmp	loc_55B2EA
; 

loc_55B4BB:				; CODE XREF: RaspCreateSegmentList+146j
		call	_RaspInterpolatePoint@12 ; RaspInterpolatePoint(x,x,x)
		mov	[edi-8], eax
		test	eax, eax
		jz	loc_5E19B2
		mov	ecx, [ebp+var_18]
		mov	edx, [ebp+var_10]
		mov	[edi-4], ecx
		mov	[edi], edx
		mov	byte ptr [edi+4], 3
		jmp	loc_55B3F7
; 

loc_55B4DF:				; CODE XREF: RaspCreateSegmentList+1CCj
		mov	[edi-8], edx
		mov	[edi-4], eax
		mov	[edi], eax
		mov	byte ptr [edi+4], 1
		jmp	loc_55B3F7
; 

loc_55B4F0:				; CODE XREF: RaspCreateSegmentList+4Bj
		test	edx, edx
		jnz	short loc_55B539
		mov	ecx, esi

loc_55B4F6:				; CODE XREF: RaspCreateSegmentList+2C6j
		inc	edx
		jmp	loc_55B2CD
; 

loc_55B4FC:				; CODE XREF: RaspCreateSegmentList+EFj
		test	ecx, ecx
		jnz	short loc_55B544
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], 1

loc_55B50A:				; CODE XREF: RaspCreateSegmentList+2D9j
		inc	ecx
		mov	[ebp+var_8], ecx
		jmp	loc_55B371
; 

loc_55B513:				; CODE XREF: RaspCreateSegmentList+E6j
		test	ecx, ecx
		jz	short loc_55B557
		movzx	edx, word ptr [eax+ecx*2-2]
		inc	edx
		mov	[ebp+var_C], edx
		jmp	loc_55B368
; 

loc_55B525:				; CODE XREF: RaspCreateSegmentList+1F0j
		mov	[edi], edx
		mov	al, 2
		jmp	loc_55B48C
; 

loc_55B52E:				; CODE XREF: RaspCreateSegmentList+CBj
		movzx	edx, word ptr [eax]

loc_55B531:				; CODE XREF: RaspCreateSegmentList+1B9j
		mov	[ebp+var_14], edx
		jmp	loc_55B355
; 

loc_55B539:				; CODE XREF: RaspCreateSegmentList+276j
		mov	eax, [ebp+arg_0]
		movzx	ecx, word ptr [eax+edx*2-2]
		inc	ecx
		jmp	short loc_55B4F6
; 

loc_55B544:				; CODE XREF: RaspCreateSegmentList+282j
		movzx	eax, word ptr [eax+ecx*2-2]
		lea	edx, [eax+1]
		add	eax, 2
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], eax
		jmp	short loc_55B50A
; 

loc_55B557:				; CODE XREF: RaspCreateSegmentList+299j
		mov	[ebp+var_C], esi
		jmp	loc_55B368
; 

loc_55B55F:				; CODE XREF: RaspCreateSegmentList+31j
					; RaspCreateSegmentList+7Bj
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		mov	[ecx], esi

loc_55B566:				; CODE XREF: RaspCreateSegmentList+86703j
		mov	edx, [ebp+arg_8]
		mov	[edx], esi
		jmp	loc_55B419
RaspCreateSegmentList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RaspInterpolatePoint(x, x, x)
_RaspInterpolatePoint@12 proc near	; CODE XREF: RaspCreateSegmentList+14Cp
					; RaspCreateSegmentList+168p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	11h
		mov	edi, edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_0]
		pop	ecx
		call	RaspAllocateMemory
		mov	esi, eax
		test	esi, esi
		jz	short loc_55B5D6
		mov	eax, [ebx]
		add	eax, [edi]
		cdq
		sub	eax, edx
		sar	eax, 1
		mov	[esi], eax
		mov	eax, [ebx+4]
		add	eax, [edi+4]
		cdq
		sub	eax, edx
		sar	eax, 1
		mov	[esi+4], eax
		mov	eax, [ebx+8]
		add	eax, [edi+8]
		cdq
		sub	eax, edx
		sar	eax, 1
		mov	[esi+8], eax
		mov	eax, [ebx+0Ch]
		add	eax, [edi+0Ch]
		cdq
		sub	eax, edx
		sar	eax, 1
		mov	[esi+0Ch], eax
		mov	al, [ebx+10h]
		or	al, [edi+10h]
		or	al, 1
		mov	[esi+10h], al
		mov	eax, esi

loc_55B5CF:				; CODE XREF: RaspInterpolatePoint(x,x,x)+68j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_55B5D6:				; CODE XREF: RaspInterpolatePoint(x,x,x)+1Bj
		xor	eax, eax
		jmp	short loc_55B5CF
_RaspInterpolatePoint@12 endp


;  S U B	R O U T	I N E 


RaspAllocateMemory proc	near		; CODE XREF: RaspLoadEmptyGlyph(x,x)+9p
					; RaspScanConvert+12Dp	...

; FUNCTION CHUNK AT 005E19CE SIZE 0000001E BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	esi, [edi+8]
		mov	ecx, [edi]
		add	esi, 0Fh
		and	esi, 0FFFFFFF0h
		test	ecx, ecx
		jnz	loc_5E19CE
		mov	ecx, ebx
		call	BgpFwAllocateMemory
		mov	edx, eax
		test	edx, edx
		jz	short loc_55B609
		lea	ecx, [esi+ebx]
		mov	[edi+8], ecx

loc_55B609:				; CODE XREF: RaspAllocateMemory+27j
					; RaspAllocateMemory+86406j ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		retn
RaspAllocateMemory endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgpFwAllocateMemory proc near		; CODE XREF: RaspAllocateMemory+1Ep
					; BcpGetProgressMessages(x,x,x)+2Bp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E19EC SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	loc_5E19EC
		mov	eax, dword_6B6BB8
		test	eax, 800h
		jnz	short loc_55B670
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		xor	esi, esi
		test	eax, 8000h
		jz	short loc_55B661
		mov	[ebp+var_1], 1
		mov	[ebp+var_C], 4B424742h
		push	20h

loc_55B64A:				; CODE XREF: BgpFwAllocateMemory+5Ej
		pop	ebx
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_55B677

loc_55B65A:				; CODE XREF: BgpFwAllocateMemory+6Fj
					; BgpFwAllocateMemory+A1j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55B661:				; CODE XREF: BgpFwAllocateMemory+2Bj
		mov	[ebp+var_1], 0
		mov	[ebp+var_C], 4B494742h
		push	10h
		jmp	short loc_55B64A
; 

loc_55B670:				; CODE XREF: BgpFwAllocateMemory+1Dj
		call	BgpFwReserveAllocate
		leave
		retn
; 

loc_55B677:				; CODE XREF: BgpFwAllocateMemory+48j
		mov	eax, [ebp+var_8]
		cmp	eax, 0FFFFEFFFh
		jnb	short loc_55B65A
		cmp	eax, 1000h
		jb	loc_5E19F0
		push	5
		push	1
		add	eax, 0FFFh
		and	eax, 0FFFFF000h
		push	eax
		mov	[ebp+var_8], eax
		xor	eax, eax
		push	eax
		push	eax
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	eax
		push	eax
		call	_MmAllocatePagesForMdlEx@36 ; MmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_55B65A
		test	byte ptr [esi+6], 5
		jnz	short loc_55B718
		push	40000010h
		xor	eax, eax
		push	eax
		push	eax
		push	1
		push	eax
		push	esi
		call	MmMapLockedPagesSpecifyCache

loc_55B6CB:				; CODE XREF: BgpFwAllocateMemory+10Bj
					; BgpFwAllocateMemory+86410j
		test	eax, eax
		jz	loc_5E1A25
		cmp	[ebp+var_1], 0
		lea	edi, [eax+ebx]
		jz	short loc_55B6FC
		mov	ecx, dword_6B6C5C
		lea	eax, [edi-14h]
		mov	edx, offset dword_6B6C5C
		cmp	[ecx+4], edx
		jnz	short loc_55B71D
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[ecx+4], eax
		mov	dword_6B6C5C, eax

loc_55B6FC:				; CODE XREF: BgpFwAllocateMemory+CAj
		mov	eax, [ebp+var_C]
		mov	[edi-0Ch], eax
		mov	eax, [ebp+var_8]
		mov	[edi-8], eax
		mov	[edi-4], esi
		test	edi, edi
		jnz	loc_55B65A
		jmp	loc_5E1A25
; 

loc_55B718:				; CODE XREF: BgpFwAllocateMemory+A7j
		mov	eax, [esi+0Ch]
		jmp	short loc_55B6CB
; 

loc_55B71D:				; CODE XREF: BgpFwAllocateMemory+DDj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
BgpFwAllocateMemory endp		; AL = character to display


;  S U B	R O U T	I N E 


BgpFwReserveAllocate proc near		; CODE XREF: BgpFwAllocateMemory:loc_55B670p

; FUNCTION CHUNK AT 005E1A43 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	dword_6D4C04
		lea	esi, [ecx+0Fh]
		mov	ebx, offset dword_6D4C0C
		and	esi, 0FFFFFFF0h
		add	esi, 10h
		push	esi
		push	ebx
		call	RtlFindClearBitsAndSet
		mov	edx, eax
		mov	eax, dword_6D4C14
		lea	ecx, [eax-10h]
		cmp	edx, ecx
		ja	loc_5E1A43

loc_55B753:				; CODE XREF: BgpFwReserveAllocate+86338j
		add	eax, 0FFFFFFF0h
		cmp	edx, eax
		ja	short loc_55B77D
		lea	eax, [edx+esi]
		mov	dword_6D4C04, eax
		mov	eax, dword_6D4BF8
		add	eax, 10h
		add	eax, edx
		and	dword ptr [eax-4], 0
		mov	dword ptr [eax-0Ch], 4B434742h
		mov	[eax-8], esi

loc_55B77A:				; CODE XREF: BgpFwReserveAllocate+5Dj
		pop	esi
		pop	ebx
		retn
; 

loc_55B77D:				; CODE XREF: BgpFwReserveAllocate+36j
		xor	eax, eax
		jmp	short loc_55B77A
BgpFwReserveAllocate endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RaspConvertDeltas(x)
_RaspConvertDeltas@4 proc near		; CODE XREF: RaspGetUnscaledGlyphData+71p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		cmp	[ecx], ax
		jle	short loc_55B804
		movzx	edi, word ptr [ecx+0Ah]
		movzx	ebx, word ptr [ecx+18h]
		mov	edx, [ecx+26h]
		mov	esi, [ecx+2Ah]
		mov	[ebp+var_C], edi
		movzx	edi, word ptr [ecx+2]
		mov	[ebp+var_10], edi
		movzx	edi, word ptr [ecx+0Eh]
		movzx	ecx, word ptr [ecx+6]
		mov	[ebp+var_18], ecx
		xor	ecx, ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		cmp	cx, bx
		jnb	short loc_55B804
		mov	cx, ax
		mov	bx, ax

loc_55B7D0:				; CODE XREF: RaspConvertDeltas(x)+80j
		add	bx, [edx]
		add	cx, [esi]
		mov	[edx], bx
		mov	[esi], cx
		movzx	edi, word ptr [edx]
		cmp	di, word ptr [ebp+var_C]
		jg	short loc_55B80B
		cmp	di, word ptr [ebp+var_10]
		jl	short loc_55B80B
		cmp	cx, word ptr [ebp+var_14]
		jg	short loc_55B80B
		cmp	cx, word ptr [ebp+var_18]
		jl	short loc_55B80B
		add	edx, 4
		add	esi, 4
		inc	eax
		cmp	ax, word ptr [ebp+var_1C]
		jb	short loc_55B7D0

loc_55B804:				; CODE XREF: RaspConvertDeltas(x)+10j
					; RaspConvertDeltas(x)+46j
		xor	eax, eax

loc_55B806:				; CODE XREF: RaspConvertDeltas(x)+8Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55B80B:				; CODE XREF: RaspConvertDeltas(x)+61j
					; RaspConvertDeltas(x)+67j ...
		mov	eax, 0C0000001h
		jmp	short loc_55B806
_RaspConvertDeltas@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RaspLoadGlyphData proc near		; CODE XREF: RaspGetUnscaledGlyphData+61p
					; RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+227p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E1A5F SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_55B87A
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_55B87A
		cmp	edi, 0FFFFFFFFh
		jz	short loc_55B86D
		and	[esp+10h+var_4], 0
		lea	ecx, [esp+10h+var_4]
		push	ecx		; void *
		mov	ecx, [esi+8]
		lea	edx, [eax+edi]
		mov	ecx, [ecx+8]
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		cmp	word ptr [esp+10h+var_4], 0
		mov	edx, edi
		push	[ebp+arg_8]
		mov	ecx, esi
		push	[ebp+arg_4]
		jl	loc_5E1A5F
		call	RaspInitializeGlyphData

loc_55B865:				; CODE XREF: RaspLoadGlyphData+66j
					; RaspLoadGlyphData+6Dj ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_55B86D:				; CODE XREF: RaspLoadGlyphData+1Ej
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		call	_RaspLoadEmptyGlyph@8 ;	RaspLoadEmptyGlyph(x,x)
		jmp	short loc_55B865
; 

loc_55B87A:				; CODE XREF: RaspLoadGlyphData+12j
					; RaspLoadGlyphData+19j
		mov	eax, 0C0000001h
		jmp	short loc_55B865
RaspLoadGlyphData endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RaspMapCharacterCodeToGlyphIndex proc near ; CODE XREF:	RaspGetUnscaledGlyphData+24p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E1A6C SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	esi, ebx
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_55B8B4
		mov	eax, [edi+8]
		mov	[ebp+var_4], eax

loc_55B89D:				; CODE XREF: RaspMapCharacterCodeToGlyphIndex+30j
		cmp	[eax+esi*2], dx
		ja	short loc_55B8AF
		mov	eax, [edi+0Ch]
		cmp	dx, [eax+esi*2]
		jbe	short loc_55B8B4
		mov	eax, [ebp+var_4]

loc_55B8AF:				; CODE XREF: RaspMapCharacterCodeToGlyphIndex+1Fj
		inc	esi
		cmp	esi, ecx
		jb	short loc_55B89D

loc_55B8B4:				; CODE XREF: RaspMapCharacterCodeToGlyphIndex+13j
					; RaspMapCharacterCodeToGlyphIndex+28j
		cmp	esi, ecx
		jz	short loc_55B8E7
		mov	eax, [edi+14h]
		mov	[ebp+var_4], eax
		movzx	ecx, word ptr [eax+esi*2]
		test	cx, cx
		jnz	loc_5E1A6C
		mov	eax, [edi+10h]
		mov	ax, [eax+esi*2]
		add	ax, dx
		movzx	eax, ax

loc_55B8D8:				; CODE XREF: RaspMapCharacterCodeToGlyphIndex+8620Dj
		mov	ecx, [ebp+arg_0]
		mov	[ecx], ax

loc_55B8DE:				; CODE XREF: RaspMapCharacterCodeToGlyphIndex+6Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_55B8E7:				; CODE XREF: RaspMapCharacterCodeToGlyphIndex+34j
		mov	ebx, 0C0000001h
		jmp	short loc_55B8DE
RaspMapCharacterCodeToGlyphIndex endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RaspScaleCoordinates proc near		; CODE XREF: RaspRasterize+40p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E1A94 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, edx
		mov	edx, [ecx+8]
		push	esi
		movzx	eax, word ptr [edx+58h]
		mov	esi, eax
		test	ax, ax
		jz	loc_5E1A94
		mov	eax, [edx+4Ch]
		mul	dword ptr [ecx+0Ch]
		push	edi
		mov	edi, eax
		mov	eax, edx
		shld	eax, edi, 6
		mov	[ebp+var_4], eax
		mov	eax, esi
		xor	esi, esi
		cdq
		push	esi
		push	48h
		push	edx
		shl	edi, 6
		push	eax
		mov	[ebp+var_10], edi
		mov	[ebp+var_14], esi
		call	__allmul
		push	[ebp+var_4]
		mov	[ebp+var_C], eax
		movsx	eax, word ptr [ebx+2]
		mov	[ebp+var_8], edx
		cdq
		push	edi
		push	edx
		push	eax
		call	__allmul
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	edx
		push	eax
		call	__alldiv
		push	[ebp+var_4]
		mov	[ebx+2], eax
		movsx	eax, word ptr [ebx+6]
		cdq
		push	edi
		push	edx
		push	eax
		call	__allmul
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	edx
		push	eax
		call	__alldiv
		push	[ebp+var_4]
		mov	[ebx+6], eax
		movsx	eax, word ptr [ebx+0Ah]
		cdq
		push	edi
		push	edx
		push	eax
		call	__allmul
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	edx
		push	eax
		call	__alldiv
		push	[ebp+var_4]
		mov	[ebx+0Ah], eax
		movsx	eax, word ptr [ebx+0Eh]
		cdq
		push	edi
		push	edx
		push	eax
		call	__allmul
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	edx
		push	eax
		call	__alldiv
		push	[ebp+var_4]
		mov	[ebx+0Eh], eax
		movsx	eax, word ptr [ebx+12h]
		cdq
		push	edi
		push	edx
		push	eax
		call	__allmul
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	edx
		push	eax
		call	__alldiv
		mov	[ebx+12h], eax
		xor	eax, eax
		cmp	ax, [ebx+18h]
		jnb	short loc_55BA3E

loc_55B9E4:				; CODE XREF: RaspScaleCoordinates+14Ej
		push	[ebp+var_4]
		movzx	edi, si
		mov	esi, [ebx+26h]
		push	[ebp+var_10]
		movsx	eax, word ptr [esi+edi*4]
		cdq
		push	edx
		push	eax
		call	__allmul
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	edx
		push	eax
		call	__alldiv
		push	[ebp+var_4]
		mov	[esi+edi*4], eax
		mov	esi, [ebx+2Ah]
		push	[ebp+var_10]
		movsx	eax, word ptr [esi+edi*4]
		cdq
		push	edx
		push	eax
		call	__allmul
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	edx
		push	eax
		call	__alldiv
		mov	[esi+edi*4], eax
		mov	esi, [ebp+var_14]
		inc	esi
		mov	[ebp+var_14], esi
		cmp	si, [ebx+18h]
		jb	short loc_55B9E4

loc_55BA3E:				; CODE XREF: RaspScaleCoordinates+F4j
		xor	eax, eax
		pop	edi

loc_55BA41:				; CODE XREF: RaspScaleCoordinates+861ABj
		pop	esi
		pop	ebx
		leave
		retn
RaspScaleCoordinates endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall GxpBitsToBytes(x)
_GxpBitsToBytes@4 proc near		; CODE XREF: TxtpAddCacheEntry+7Ep
		lea	eax, [ecx+7]
		shr	eax, 3
		retn
_GxpBitsToBytes@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RaspAntiAlias(x, x,	x, x, x)
_RaspAntiAlias@20 proc near		; CODE XREF: BgpRasPrintGlyph+23Ep

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ecx
		mov	[ebp+var_10], edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, edx
		mov	ebx, [eax+14h]
		mov	[ebp+var_C], eax
		mov	eax, esi
		push	edi
		mov	edi, [ebp+arg_4]
		imul	eax, edi
		mov	[ebp+var_14], 0
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_8]
		mov	eax, [eax]
		push	eax
		call	_BgpGxFillRectangle@8 ;	BgpGxFillRectangle(x,x)
		mov	eax, ecx
		cmp	dword ptr [eax], 0
		jbe	loc_55BB8E
		mov	eax, [ebp+var_C]
		xor	edx, edx
		mov	eax, [eax+4]
		div	edi
		mov	edi, [ebp+var_10]
		xor	ecx, ecx

loc_55BAA2:				; CODE XREF: RaspAntiAlias(x,x,x,x,x)+138j
		mov	edx, [edi+4]
		imul	edx, ecx
		mov	ecx, [edi+14h]
		mov	[ebp+var_8], 0
		lea	ecx, [ecx+edx*4]
		mov	[ebp+var_1C], ecx
		test	eax, eax
		jz	loc_55BB7F
		mov	ecx, [ebp+arg_4]

loc_55BAC3:				; CODE XREF: RaspAntiAlias(x,x,x,x,x)+126j
		xor	eax, eax
		xor	edi, edi
		mov	[ebp+var_4], eax
		mov	[ebp+var_18], edi
		test	ecx, ecx
		jz	short loc_55BB28

loc_55BAD1:				; CODE XREF: RaspAntiAlias(x,x,x,x,x)+D3j
		test	esi, esi
		jz	short loc_55BB1D
		mov	eax, [ebp+var_14]
		imul	eax, ecx
		mov	ecx, [ebp+var_C]
		add	eax, edi
		mov	edi, [ebp+var_4]
		imul	eax, [ecx+4]
		mov	ecx, [ebp+var_8]
		imul	ecx, esi
		add	eax, ecx
		nop

loc_55BAF0:				; CODE XREF: RaspAntiAlias(x,x,x,x,x)+BFj
		movzx	ecx, al
		mov	edx, 80h
		and	ecx, 7
		sar	edx, cl
		mov	ecx, eax
		shr	ecx, 3
		test	[ecx+ebx], dl
		jnz	loc_55BB97

loc_55BB0B:				; CODE XREF: RaspAntiAlias(x,x,x,x,x)+148j
		inc	eax
		sub	esi, 1
		jnz	short loc_55BAF0
		mov	esi, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_4], edi
		mov	edi, [ebp+var_18]

loc_55BB1D:				; CODE XREF: RaspAntiAlias(x,x,x,x,x)+83j
		inc	edi
		mov	[ebp+var_18], edi
		cmp	edi, ecx
		jb	short loc_55BAD1
		mov	eax, [ebp+var_4]

loc_55BB28:				; CODE XREF: RaspAntiAlias(x,x,x,x,x)+7Fj
		imul	eax, 0FFh
		xor	edx, edx
		div	[ebp+var_20]
		push	eax
		mov	eax, [ebp+arg_8]
		mov	edx, [eax+4]
		mov	ecx, [eax]
		call	_BgpGxBlendColor@12 ; BgpGxBlendColor(x,x,x)
		mov	edx, [ebp+var_1C]
		mov	ecx, eax
		shr	ecx, 10h
		mov	edi, [ebp+var_8]
		inc	edi
		mov	[edx+2], cl
		mov	ecx, eax
		mov	[edx], al
		mov	eax, [ebp+var_C]
		shr	ecx, 8
		mov	[edx+1], cl
		mov	ecx, [ebp+arg_4]
		mov	byte ptr [edx+3], 0FFh
		add	edx, 4
		mov	eax, [eax+4]
		mov	[ebp+var_1C], edx
		xor	edx, edx
		div	ecx
		mov	[ebp+var_8], edi
		cmp	edi, eax
		jb	loc_55BAC3
		mov	edi, [ebp+var_10]

loc_55BB7F:				; CODE XREF: RaspAntiAlias(x,x,x,x,x)+6Aj
		mov	ecx, [ebp+var_14]
		inc	ecx
		mov	[ebp+var_14], ecx
		cmp	ecx, [edi]
		jb	loc_55BAA2

loc_55BB8E:				; CODE XREF: RaspAntiAlias(x,x,x,x,x)+3Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_55BB97:				; CODE XREF: RaspAntiAlias(x,x,x,x,x)+B5j
		inc	edi
		jmp	loc_55BB0B
_RaspAntiAlias@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpGxBlendColor(x, x, x)
_BgpGxBlendColor@12 proc near		; CODE XREF: RaspAntiAlias(x,x,x,x,x)+ECp
					; BgpGxBlendRectangle(x,x,x,x)+15Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], eax
		xor	edx, edx
		shr	eax, 10h
		movzx	eax, al
		push	ebx
		push	esi
		movzx	esi, [ebp+arg_0]
		mov	ebx, 0FFh
		imul	eax, esi
		shr	ecx, 10h
		push	edi
		mov	edi, ebx
		and	[ebp+var_4], 0
		sub	edi, esi
		div	ebx
		mov	ebx, eax
		movzx	eax, cl
		imul	eax, edi
		mov	ecx, 0FFh
		cdq
		idiv	ecx
		xor	edx, edx
		add	bl, al
		mov	eax, [ebp+var_8]
		shr	eax, 8
		movzx	eax, al
		imul	eax, esi
		mov	byte ptr [ebp+var_4+2],	bl
		div	ecx
		mov	ecx, [ebp+var_C]
		mov	ebx, eax
		shr	ecx, 8
		movzx	eax, cl
		mov	ecx, 0FFh
		imul	eax, edi
		cdq
		idiv	ecx
		xor	edx, edx
		add	bl, al
		mov	eax, [ebp+var_8]
		movzx	eax, al
		imul	eax, esi
		mov	esi, 0FFh
		mov	byte ptr [ebp+var_4+1],	bl
		div	ecx
		mov	ecx, eax
		mov	eax, [ebp+var_C]
		movzx	eax, al
		imul	eax, edi
		pop	edi
		cdq
		idiv	esi
		pop	esi
		add	cl, al
		mov	byte ptr [ebp+var_4], cl
		mov	eax, [ebp+var_4]
		pop	ebx
		leave
		retn	4
_BgpGxBlendColor@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpGxFillRectangle(x, x)
_BgpGxFillRectangle@8 proc near		; CODE XREF: BgpTxtDisplayCharacter+128p
					; RaspAntiAlias(x,x,x,x,x)+33p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ecx+4]
		imul	edx, [ecx]
		push	esi
		mov	esi, [ecx+14h]
		test	edx, edx
		jz	short loc_55BC82
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	bl, byte ptr [ebp+arg_0+3]
		mov	bh, byte ptr [ebp+arg_0+2]
		push	edi

loc_55BC60:				; CODE XREF: BgpGxFillRectangle(x,x)+3Cj
		mov	[esi+2], bh
		mov	[esi+1], ah
		mov	[esi], al
		mov	edi, [ecx+8]
		cmp	edi, 20h
		jnz	short loc_55BC76
		mov	[esi+3], bl
		mov	edi, [ecx+8]

loc_55BC76:				; CODE XREF: BgpGxFillRectangle(x,x)+2Cj
		shr	edi, 3
		add	esi, edi
		sub	edx, 1
		jnz	short loc_55BC60
		pop	edi
		pop	ebx

loc_55BC82:				; CODE XREF: BgpGxFillRectangle(x,x)+11j
		and	dword ptr [ecx+10h], 0FFFFFFEFh
		pop	esi
		pop	ebp
		retn	4
_BgpGxFillRectangle@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RaspGetCacheEntry(x, x, x, x, x, x)
_RaspGetCacheEntry@24 proc near		; CODE XREF: BgpRasPrintGlyph+CBp
					; RaspGetXExtent+69p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx]
		push	edi
		xor	edi, edi
		cmp	eax, ecx
		jz	short loc_55BCEA
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi

loc_55BC9F:				; CODE XREF: RaspGetCacheEntry(x,x,x,x,x,x)+1Dj
		cmp	[eax+2Ch], dx
		jz	short loc_55BCAD

loc_55BCA5:				; CODE XREF: RaspGetCacheEntry(x,x,x,x,x,x)+2Aj
					; RaspGetCacheEntry(x,x,x,x,x,x)+2Fj ...
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	short loc_55BC9F
		jmp	short loc_55BCE8
; 

loc_55BCAD:				; CODE XREF: RaspGetCacheEntry(x,x,x,x,x,x)+17j
		mov	esi, [ebp+arg_0]
		cmp	[eax+18h], esi
		mov	esi, [ebp+arg_8]
		jnz	short loc_55BCA5
		cmp	[eax+14h], ebx
		jnz	short loc_55BCA5
		cmp	[eax+0Ch], esi
		jnz	short loc_55BCA5
		mov	edx, [eax]
		mov	edi, eax
		cmp	[edx+4], eax
		jnz	short loc_55BCF4
		mov	esi, [eax+4]
		cmp	[esi], eax
		jnz	short loc_55BCF4
		mov	[esi], edx
		mov	[edx+4], esi
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_55BCF4
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		mov	[ecx], eax

loc_55BCE8:				; CODE XREF: RaspGetCacheEntry(x,x,x,x,x,x)+1Fj
		pop	esi
		pop	ebx

loc_55BCEA:				; CODE XREF: RaspGetCacheEntry(x,x,x,x,x,x)+Cj
		mov	eax, [ebp+arg_C]
		mov	[eax], edi
		pop	edi
		pop	ebp
		retn	10h
; 

loc_55BCF4:				; CODE XREF: RaspGetCacheEntry(x,x,x,x,x,x)+3Dj
					; RaspGetCacheEntry(x,x,x,x,x,x)+44j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_RaspGetCacheEntry@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgpFwQueryBootGraphicsInformation proc near
					; CODE XREF: BgQueryBootGraphicsInformation(x,x)+2Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E1A9E SIZE 00000128 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	eax, eax
		mov	ebx, edx
		mov	[ebp+var_8], eax
		mov	edx, eax
		push	esi
		mov	esi, eax
		push	edi
		test	ecx, ecx
		jnz	short loc_55BD59
		push	8
		pop	ecx
		mov	esi, offset dword_6B6B98
		mov	edi, ebx
		rep movsd
		mov	[ebx+14h], eax
		test	byte ptr dword_6B6BB8, 2
		jz	short loc_55BD33
		mov	dword ptr [ebx+14h], 1

loc_55BD33:				; CODE XREF: BgpFwQueryBootGraphicsInformation+30j
		mov	al, byte_6B6B62
		cmp	al, 1
		jz	loc_5E1A9E
		cmp	al, 3
		jz	loc_5E1A9E

loc_55BD48:				; CODE XREF: BgpFwQueryBootGraphicsInformation+85DB0j
		movzx	eax, byte_6B6B62
		mov	[ebx+1Ch], eax

loc_55BD52:				; CODE XREF: BgpFwQueryBootGraphicsInformation+7Dj
					; BgpFwQueryBootGraphicsInformation+85DC5j ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn
; 

loc_55BD59:				; CODE XREF: BgpFwQueryBootGraphicsInformation+18j
		cmp	ecx, 2
		jz	loc_5E1AAF
		cmp	ecx, 3
		jnz	loc_5E1AC4
		push	20h
		pop	ecx
		mov	esi, offset unk_6B6C64
		mov	edi, ebx
		rep movsd
		jmp	short loc_55BD52
BgpFwQueryBootGraphicsInformation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDeviceCompletionRoutine(x, x, x)
_PnpDeviceCompletionRoutine@12 proc near ; DATA	XREF: PipEnumerateDevice+A0o
					; PnpStartDeviceNode+C4o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, [esi+8]
		mov	[eax+24h], ebx
		cmp	[edi+21h], bl
		jnz	short loc_55BDFE

loc_55BD95:				; CODE XREF: PnpDeviceCompletionRoutine(x,x,x)+8Bj
		mov	eax, [edi+1Ch]
		mov	[esi+1Ch], eax
		mov	eax, [edi+18h]
		mov	[esi+18h], eax
		lock inc dword ptr [esi+20h]
		cmp	[esi+18h], ebx
		jl	short loc_55BDEE

loc_55BDAA:				; CODE XREF: PnpDeviceCompletionRoutine(x,x,x)+7Dj
					; PnpDeviceCompletionRoutine(x,x,x)+82j
		mov	edx, esi
		call	PnpDeviceCompletionQueueDispatchedEntryCompleted
		cmp	dword ptr [esi+10h], 30Dh
		mov	ecx, [esi+8]
		jnz	short loc_55BDE3
		lea	edx, [ecx+14h]
		mov	ecx, offset _KMPnPEvt_DeviceEnum_Stop
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)

loc_55BDCA:				; CODE XREF: PnpDeviceCompletionRoutine(x,x,x)+72j
		mov	ecx, esi
		call	_PnpDeviceCompletionRequestDestroy@4 ; PnpDeviceCompletionRequestDestroy(x)
		push	edi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		pop	edi
		pop	esi
		mov	eax, 0C0000016h
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_55BDE3:				; CODE XREF: PnpDeviceCompletionRoutine(x,x,x)+41j
		mov	edx, [esi+18h]
		push	ebx
		call	PnpTraceStartDevice
		jmp	short loc_55BDCA
; 

loc_55BDEE:				; CODE XREF: PnpDeviceCompletionRoutine(x,x,x)+2Ej
		mov	ecx, edi
		call	_IoFindDeviceThatFailedIrp@4 ; IoFindDeviceThatFailedIrp(x)
		test	eax, eax
		jz	short loc_55BDAA
		mov	ebx, [eax+8]
		jmp	short loc_55BDAA
; 

loc_55BDFE:				; CODE XREF: PnpDeviceCompletionRoutine(x,x,x)+19j
		mov	dword ptr [esi+14h], 1
		jmp	short loc_55BD95
_PnpDeviceCompletionRoutine@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PnpDeviceCompletionRequestDestroy(x)
_PnpDeviceCompletionRequestDestroy@4 proc near
					; CODE XREF: PnpDeviceCompletionRoutine(x,x,x)+52p
					; PnpDeviceCompletionProcessCompletedRequest+69p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [esi+20h], eax
		jnz	short loc_55BE3E
		mov	eax, [esi+8]
		push	dword ptr [eax+10h]
		call	_IoAllocateWorkItem@4 ;	IoAllocateWorkItem(x)
		test	eax, eax
		jz	short loc_55BE3E
		push	esi
		mov	edx, offset _PnpDeviceCompletionRequestDestroyWorkItem@12 ; PnpDeviceCompletionRequestDestroyWorkItem(x,x,x)
		mov	ecx, eax
		call	IopQueueWorkItemProlog
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		pop	esi
		jmp	ExQueueWorkItemFromIo
; 

loc_55BE3E:				; CODE XREF: PnpDeviceCompletionRequestDestroy(x)+Dj
					; PnpDeviceCompletionRequestDestroy(x)+1Cj
		pop	esi
		retn
_PnpDeviceCompletionRequestDestroy@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpDeviceCompletionQueueDispatchedEntryCompleted proc near
					; CODE XREF: PnpDeviceCompletionRoutine(x,x,x)+32p
					; PipEnumerateDevice+A1D1Fp

; FUNCTION CHUNK AT 005E1BC6 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_6CC468
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edi, [esi]
		mov	edx, [esi+4]
		cmp	[edi+4], esi
		jnz	short loc_55BE9F
		cmp	[edx], esi
		jnz	short loc_55BE9F
		mov	[edx], edi
		mov	[edi+4], edx
		mov	edx, esi
		dec	dword_6CC448
		call	_PnpDeviceCompletionQueueAddCompletedRequest@8 ; PnpDeviceCompletionQueueAddCompletedRequest(x,x)
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_6CC468
		jnz	loc_5E1BC6
		xor	eax, eax
		lock and [ecx],	eax

loc_55BE93:				; CODE XREF: PnpDeviceCompletionQueueDispatchedEntryCompleted+85D8Ej
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_55BE9F:				; CODE XREF: PnpDeviceCompletionQueueDispatchedEntryCompleted+24j
					; PnpDeviceCompletionQueueDispatchedEntryCompleted+28j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PnpDeviceCompletionQueueDispatchedEntryCompleted endp ;	AL = character to display


;  S U B	R O U T	I N E 


; __stdcall PnpDeviceCompletionQueueAddCompletedRequest(x, x)
_PnpDeviceCompletionQueueAddCompletedRequest@8 proc near
					; CODE XREF: PnpDeviceCompletionQueueDispatchedEntryCompleted+37p
		mov	eax, dword_6CC450
		mov	ecx, offset dword_6CC44C
		cmp	[eax], ecx
		jnz	short loc_55BED5
		push	0
		push	1
		mov	[edx], ecx
		mov	[edx+4], eax
		push	0
		mov	[eax], edx
		push	offset unk_6CC454
		mov	dword_6CC450, edx
		call	KeReleaseSemaphore
		neg	eax
		sbb	eax, eax
		inc	eax
		retn
; 

loc_55BED5:				; CODE XREF: PnpDeviceCompletionQueueAddCompletedRequest(x,x)+Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PnpDeviceCompletionQueueAddCompletedRequest@8 endp ; AL = character to	display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipSetDevNodeState proc	near		; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+75p
					; PnpRemoveLockedDeviceNode(x,x,x)+2FAp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E1BD3 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_C], edx
		push	edi
		mov	esi, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_1], bl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PnpSpinLock
		mov	[ebp+var_2], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [esi+0ACh]
		mov	edi, [ebp+var_C]
		mov	[ebp+var_10], eax
		cmp	eax, edi
		jz	short loc_55BF62
		mov	edx, [esi+0B0h]
		mov	ecx, eax
		call	PipAreDriversLoadedWorker
		mov	ecx, esi
		mov	ebx, eax
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		mov	ecx, [esi+104h]
		mov	edx, [ebp+var_10]
		mov	[esi+0B0h], edx
		mov	[ebp+var_8], eax
		mov	[esi+0ACh], edi
		mov	[esi+ecx*4+0B4h], edx
		xor	edx, edx
		mov	eax, [esi+104h]
		push	14h
		inc	eax
		mov	[ebp+var_1], 1
		pop	edi
		div	edi
		mov	[esi+104h], edx

loc_55BF62:				; CODE XREF: PipSetDevNodeState+39j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PnpSpinLock
		jnz	loc_5E1BD3
		xor	eax, eax
		lock and [ecx],	eax

loc_55BF79:				; CODE XREF: PipSetDevNodeState+85D01j
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_1], 0
		jz	short loc_55BFB2
		mov	edi, [esi+18h]
		test	edi, edi
		jz	short loc_55BFB2
		mov	edx, [esi+0B0h]
		mov	ecx, [esi+0ACh]
		call	PipAreDriversLoadedWorker
		cmp	eax, ebx
		jnz	short loc_55BFC6
		mov	ecx, esi
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		mov	ebx, [ebp+var_8]
		cmp	eax, ebx
		jnz	short loc_55BFC9

loc_55BFB2:				; CODE XREF: PipSetDevNodeState+ACj
					; PipSetDevNodeState+B3j ...
		cmp	[ebp+var_C], 314h
		jz	loc_5E1BE0

loc_55BFBF:				; CODE XREF: PipSetDevNodeState+85D0Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_55BFC6:				; CODE XREF: PipSetDevNodeState+C8j
		mov	ebx, [ebp+var_8]

loc_55BFC9:				; CODE XREF: PipSetDevNodeState+D6j
		push	0Bh
		mov	edx, edi
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	ecx, esi
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		cmp	eax, ebx
		jz	short loc_55BFB2
		mov	edx, [esi+18h]
		push	1Ah
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		jmp	short loc_55BFB2
PipSetDevNodeState endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpDeviceCompletionQueueIsEmpty	proc near
					; CODE XREF: PnpDeviceCompletionProcessCompletedRequests(x,x,x):loc_864BD2p

; FUNCTION CHUNK AT 005E1BED SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset dword_6CC468
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	_PnpDeviceCompletionQueue, offset _PnpDeviceCompletionQueue
		jnz	short loc_55C021
		cmp	dword_6CC44C, offset dword_6CC44C
		jnz	short loc_55C021
		inc	esi

loc_55C021:				; CODE XREF: PnpDeviceCompletionQueueIsEmpty+28j
					; PnpDeviceCompletionQueueIsEmpty+34j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E1BED
		xor	eax, eax
		lock and [edi],	eax

loc_55C033:				; CODE XREF: PnpDeviceCompletionQueueIsEmpty+85C0Dj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn
PnpDeviceCompletionQueueIsEmpty	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoFxIdleDevice	proc near		; CODE XREF: PopFxIdleDevicesFromSx(x)+4Bp
					; PopFxClearDeviceConstraints(x)+1C5p ...

var_6		= byte ptr -6
var_5		= byte ptr -5
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E1BFC SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		test	ecx, ecx
		jz	loc_5E1BFC
		mov	eax, [ecx+0B0h]
		mov	edi, [eax+14h]

loc_55C063:				; CODE XREF: PoFxIdleDevice+85BBCj
		test	edi, edi
		jz	short loc_55C0C0
		lea	ebx, [edi+2Ch]
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	[esp+18h+var_5], al
		lea	edx, [edi+0A8h]
		mov	eax, [edi+40h]
		xor	ebx, ebx
		mov	[esp+18h+var_4], eax
		mov	eax, [edx]

loc_55C085:				; CODE XREF: PoFxIdleDevice+4Bj
		mov	ecx, eax
		or	ecx, ebx
		lock cmpxchg [edx], ecx
		jnz	short loc_55C085
		lea	ebx, [edi+2Ch]
		test	al, 4
		jnz	short loc_55C0C7

loc_55C096:				; CODE XREF: PoFxIdleDevice+90j
		mov	eax, [esp+18h+var_4]
		xor	esi, esi
		dec	eax
		mov	[edi+40h], eax
		mov	eax, [edx]

loc_55C0A2:				; CODE XREF: PoFxIdleDevice+68j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_55C0A2
		test	al, 4
		jnz	short loc_55C0D6

loc_55C0B0:				; CODE XREF: PoFxIdleDevice+92j
					; PoFxIdleDevice+9Dj ...
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+18h+var_5]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_55C0C0:				; CODE XREF: PoFxIdleDevice+23j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_55C0C7:				; CODE XREF: PoFxIdleDevice+52j
		mov	eax, [edi+28h]
		mov	eax, [eax+238h]
		test	al, 1
		jz	short loc_55C096
		jmp	short loc_55C0B0
; 

loc_55C0D6:				; CODE XREF: PoFxIdleDevice+6Cj
		mov	edi, [edi+28h]
		cmp	[edi+23Ch], esi
		jbe	short loc_55C0B0

loc_55C0E1:				; CODE XREF: PoFxIdleDevice+B1j
		push	2
		push	esi
		push	edi
		call	_PoFxIdleComponent@12 ;	PoFxIdleComponent(x,x,x)
		inc	esi
		cmp	esi, [edi+23Ch]
		jnb	short loc_55C0B0
		jmp	short loc_55C0E1
PoFxIdleDevice	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpDeviceCompletionQueueRemoveCompletedRequest proc near ; CODE	XREF: PipEnumerateDevice+C3p
					; PnpStartDeviceNode+F2p

; FUNCTION CHUNK AT 005E1C03 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, edx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset unk_6CC454
		call	KeWaitForSingleObject
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_6CC468
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edi, [esi]
		mov	edx, [esi+4]
		cmp	[edi+4], esi
		jnz	short loc_55C15B
		cmp	[edx], esi
		jnz	short loc_55C15B
		mov	[edx], edi
		mov	ecx, offset dword_6CC468
		mov	[edi+4], edx
		test	ds:byte_70EFC6,	1
		jnz	loc_5E1C03
		xor	eax, eax
		lock and [ecx],	eax

loc_55C14C:				; CODE XREF: PnpDeviceCompletionQueueRemoveCompletedRequest+85B15j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_55C15B:				; CODE XREF: PnpDeviceCompletionQueueRemoveCompletedRequest+34j
					; PnpDeviceCompletionQueueRemoveCompletedRequest+38j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PnpDeviceCompletionQueueRemoveCompletedRequest endp ; AL = character to	display


;  S U B	R O U T	I N E 


; __stdcall PoFxActivateDevice(x)
_PoFxActivateDevice@4 proc near		; CODE XREF: PopPepInitializeVetoMasks(x,x)+123p
					; PiProcessQueryDeviceState+2Cp ...
		mov	edi, edi
		push	ecx
		push	0
		xor	dl, dl
		call	PopFxActivateDevice
		pop	ecx
		retn
_PoFxActivateDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxActivateDevice proc near		; CODE XREF: PoFxActivateDeviceForSystemTransition(x,x)+6p
					; PopFxActivateDevicesForSx(x)+89p ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005E1C10 SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	[ebp+var_2], dl
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	loc_5E1C10
		mov	eax, [ecx+0B0h]
		mov	edi, [eax+14h]

loc_55C18C:				; CODE XREF: PopFxActivateDevice+85AA4j
		lea	ebx, [edi+2Ch]
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	edx, [edi+40h]
		lea	esi, [edi+0A8h]
		mov	[ebp+var_1], al
		xor	ebx, ebx
		mov	eax, [esi]

loc_55C1A5:				; CODE XREF: PopFxActivateDevice+3Fj
		mov	ecx, eax
		or	ecx, ebx
		lock cmpxchg [esi], ecx
		jnz	short loc_55C1A5
		lea	ebx, [edi+2Ch]
		test	al, 4
		jnz	short loc_55C1F1

loc_55C1B6:				; CODE XREF: PopFxActivateDevice+8Ej
		inc	edx
		xor	esi, esi
		mov	[edi+40h], edx
		xor	ebx, ebx
		lea	edx, [edi+0A8h]
		mov	eax, [edx]

loc_55C1C6:				; CODE XREF: PopFxActivateDevice+60j
		mov	ecx, eax
		or	ecx, ebx
		lock cmpxchg [edx], ecx
		jnz	short loc_55C1C6
		lea	ebx, [edi+2Ch]
		test	al, 4
		jnz	short loc_55C203

loc_55C1D7:				; CODE XREF: PopFxActivateDevice+A7j
					; PopFxActivateDevice+B9j
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	short loc_55C22B

loc_55C1EA:				; CODE XREF: PopFxActivateDevice+13Cj
					; PopFxActivateDevice+85AB8j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_55C1F1:				; CODE XREF: PopFxActivateDevice+46j
		mov	eax, [edi+28h]
		mov	eax, [eax+238h]
		test	al, 1
		jz	short loc_55C1B6
		jmp	loc_5E1C17
; 

loc_55C203:				; CODE XREF: PopFxActivateDevice+67j
		mov	esi, [edi+28h]
		mov	ecx, esi
		call	PopFxAddRefDevice
		xor	edi, edi
		cmp	[esi+23Ch], edi
		jbe	short loc_55C1D7

loc_55C217:				; CODE XREF: PopFxActivateDevice+BBj
		push	2
		push	edi
		push	esi
		call	_PoFxActivateComponent@12 ; PoFxActivateComponent(x,x,x)
		inc	edi
		cmp	edi, [esi+23Ch]
		jnb	short loc_55C1D7
		jmp	short loc_55C217
; 

loc_55C22B:				; CODE XREF: PopFxActivateDevice+7Aj
		xor	edx, edx
		mov	ebx, edx
		cmp	[esi+23Ch], edx
		jbe	short loc_55C28E

loc_55C237:				; CODE XREF: PopFxActivateDevice+11Ej
		mov	eax, [esi+240h]
		mov	edi, [eax+ebx*4]
		mov	eax, [edi+34h]
		test	eax, 3FFFFFFFh
		jz	loc_5E1C44
		push	edx
		push	edx
		push	edx
		push	edx
		lea	eax, [edi+40h]
		push	eax
		call	KeWaitForSingleObject
		xor	edx, edx
		cmp	[edi+34h], edx
		jge	loc_5E1C44
		cmp	[ebp+var_2], dl
		jnz	short loc_55C2B5

loc_55C26B:				; CODE XREF: PopFxActivateDevice+150j
		cmp	_PopPoFxSystemIrpWaitForReportDevicePoweredReg,	edx
		jnz	loc_5E1C2B
		mov	eax, [esi+238h]
		test	al, al
		js	loc_5E1C2B

loc_55C285:				; CODE XREF: PopFxActivateDevice+85AC0j
					; PopFxActivateDevice+85AD1j
		inc	ebx
		cmp	ebx, [esi+23Ch]
		jb	short loc_55C237

loc_55C28E:				; CODE XREF: PopFxActivateDevice+C7j
		push	edx
		push	edx
		push	edx
		push	edx
		lea	eax, [esi+148h]
		push	eax
		call	KeWaitForSingleObject
		or	eax, 0FFFFFFFFh
		lock xadd [esi+80h], eax
		dec	eax
		jnz	loc_55C1EA
		jmp	loc_5E1C55
; 

loc_55C2B5:				; CODE XREF: PopFxActivateDevice+FBj
		xor	ecx, ecx
		lea	eax, [esi+10h]
		inc	ecx
		lock or	[eax], ecx
		jmp	short loc_55C26B
PopFxActivateDevice endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpDeviceCompletionQueueAddDispatchedRequest proc near ; CODE XREF: PipEnumerateDevice+6Ap
					; PnpStartDeviceNode+BCp

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E1C6A SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset dword_6CC468
		mov	[ebp+var_1], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, dword_6CC444
		xor	ebx, ebx
		mov	eax, offset _PnpDeviceCompletionQueue
		cmp	_PnpDeviceCompletionQueue, eax
		setz	bl
		cmp	[ecx], eax
		jnz	short loc_55C32F
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		inc	dword_6CC448
		test	ds:byte_70EFC6,	1
		mov	dword_6CC444, esi
		jnz	loc_5E1C6A
		xor	eax, eax
		lock and [edi],	eax

loc_55C31F:				; CODE XREF: PnpDeviceCompletionQueueAddDispatchedRequest+859B4j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_55C32F:				; CODE XREF: PnpDeviceCompletionQueueAddDispatchedRequest+38j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall IoFindDeviceThatFailedIrp(x)
_IoFindDeviceThatFailedIrp@4:		; CODE XREF: PnpDeviceCompletionRoutine(x,x,x)+76p
					; PopDiagTraceIrpFinish(x)+14Dp ...
		xor	edx, edx
		push	esi
		movsx	esi, byte ptr [ecx+22h]
		cmp	[ecx+18h], edx
		jge	short loc_55C35F
		imul	eax, esi, 24h
		add	eax, 4Ch
		add	eax, ecx
		test	esi, esi
		jz	short loc_55C35F

loc_55C34C:				; CODE XREF: PnpDeviceCompletionQueueAddDispatchedRequest+9Dj
		test	byte ptr [eax+3], 2
		jz	short loc_55C357
		mov	eax, [eax+14h]
		pop	esi
		retn
; 

loc_55C357:				; CODE XREF: PnpDeviceCompletionQueueAddDispatchedRequest+90j
		inc	edx
		sub	eax, 24h
		cmp	edx, esi
		jb	short loc_55C34C

loc_55C35F:				; CODE XREF: PnpDeviceCompletionQueueAddDispatchedRequest+7Ej
					; PnpDeviceCompletionQueueAddDispatchedRequest+8Aj
		xor	eax, eax
		pop	esi
		retn
PnpDeviceCompletionQueueAddDispatchedRequest endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCollapseEnumRequests(x)
_PiCollapseEnumRequests@4 proc near	; CODE XREF: PipProcessDevNodeTree+3C1p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, offset _PnpSpinLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	edx, _PnpEnumerationRequestList
		mov	esi, offset _PnpEnumerationRequestList
		mov	ebx, [edi+4]
		mov	cl, al
		mov	[ebp+var_1], cl
		cmp	edx, esi
		jnz	short loc_55C3D0

loc_55C390:				; CODE XREF: PiCollapseEnumRequests(x)+ACj
		mov	dl, cl
		mov	ecx, offset _PnpSpinLock
		call	KfReleaseSpinLock
		mov	esi, [ebx]

loc_55C39E:				; CODE XREF: PiCollapseEnumRequests(x)+6Aj
		cmp	esi, edi
		jnz	short loc_55C3AD
		cmp	ebx, [edi+4]
		pop	edi
		pop	esi
		setnz	al
		pop	ebx
		leave
		retn
; 

loc_55C3AD:				; CODE XREF: PiCollapseEnumRequests(x)+3Cj
		mov	eax, [esi+8]
		mov	dl, 1
		mov	ecx, [eax+0B0h]
		mov	ecx, [ecx+14h]
		call	_PiMarkDeviceTreeForReenumeration@8 ; PiMarkDeviceTreeForReenumeration(x,x)
		mov	ecx, [esi+8]
		call	ObfDereferenceObject
		and	dword ptr [esi+8], 0
		mov	esi, [esi]
		jmp	short loc_55C39E
; 

loc_55C3D0:				; CODE XREF: PiCollapseEnumRequests(x)+2Aj
					; PiCollapseEnumRequests(x)+A7j
		cmp	byte ptr [edx+10h], 0
		mov	eax, [edx]
		jnz	short loc_55C40D
		mov	ecx, [edx+0Ch]
		cmp	ecx, 9
		jl	short loc_55C407
		cmp	ecx, 0Ah
		jg	short loc_55C415

loc_55C3E5:				; CODE XREF: PiCollapseEnumRequests(x)+B6j
		cmp	[eax+4], edx
		jnz	short loc_55C41C
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	short loc_55C41C
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_55C41C
		mov	[edx], edi
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[edi+4], edx

loc_55C407:				; CODE XREF: PiCollapseEnumRequests(x)+7Aj
					; PiCollapseEnumRequests(x)+B4j
		mov	edx, eax
		cmp	eax, esi
		jnz	short loc_55C3D0

loc_55C40D:				; CODE XREF: PiCollapseEnumRequests(x)+72j
		mov	cl, [ebp+var_1]
		jmp	loc_55C390
; 

loc_55C415:				; CODE XREF: PiCollapseEnumRequests(x)+7Fj
		cmp	ecx, 0Eh
		jnz	short loc_55C407
		jmp	short loc_55C3E5
; 

loc_55C41C:				; CODE XREF: PiCollapseEnumRequests(x)+84j
					; PiCollapseEnumRequests(x)+8Bj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PiCollapseEnumRequests@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopRequestCompletion proc near		; DATA XREF: PopRequestPowerIrp+A2o

var_6		= byte ptr -6
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E1C79 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	al, [esi+7Dh]
		mov	edi, [esi+78h]
		mov	[ebp+var_1], al
		mov	al, [esi+68h]
		mov	byte ptr [ebp+arg_8+3],	al
		mov	[ebp-5], al
		test	edi, edi
		jnz	short loc_55C492

loc_55C448:				; CODE XREF: PopRequestCompletion+72j
					; PopRequestCompletion+7Ej
		mov	ecx, [esi+84h]
		test	ecx, ecx
		jz	short loc_55C46A
		lea	eax, [ebx+18h]
		push	eax
		push	dword ptr [esi+88h]
		push	dword ptr [esi+70h]
		push	dword ptr [ebp-5]
		push	dword ptr [esi+8Ch]
		call	ecx

loc_55C46A:				; CODE XREF: PopRequestCompletion+2Ej
		cmp	byte ptr [ebp+arg_8+3],	0
		mov	ecx, ebx
		jz	loc_55C4FC
		call	PopDequeueQuerySetIrp
		test	edi, edi
		jnz	short loc_55C4A2

loc_55C47F:				; CODE XREF: PopRequestCompletion+84j
					; PopRequestCompletion+8Aj ...
		mov	ecx, ebx
		call	_PopFreeIrp@4	; PopFreeIrp(x)
		pop	edi
		pop	esi
		mov	eax, 0C0000016h
		pop	ebx
		leave
		retn	0Ch
; 

loc_55C492:				; CODE XREF: PopRequestCompletion+24j
		cmp	al, 2
		jnz	short loc_55C448
		push	dword ptr [ebx+18h]
		mov	ecx, edi
		call	PopFxNotifyPreDIrpCompletion
		jmp	short loc_55C448
; 

loc_55C4A2:				; CODE XREF: PopRequestCompletion+5Bj
		cmp	byte ptr [esi+68h], 2
		jnz	short loc_55C47F
		cmp	dword ptr [esi+6Ch], 1
		jnz	short loc_55C47F
		mov	al, [ebp+var_1]
		test	al, al
		jz	short loc_55C47F
		cmp	dword ptr [esi+70h], 1
		jz	short loc_55C4DF

loc_55C4BB:				; CODE XREF: PopRequestCompletion+D8j
		test	al, al
		jz	short loc_55C47F

loc_55C4BF:				; CODE XREF: PopRequestCompletion+D4j
		push	dword ptr [esi+94h]
		mov	edx, [esi+70h]
		mov	ecx, [edi+20h]
		push	1
		call	PopPepDeviceDState
		mov	edx, [esi+70h]
		mov	ecx, [edi+1Ch]
		call	PopDiagTraceFxDevicePowerState
		jmp	short loc_55C47F
; 

loc_55C4DF:				; CODE XREF: PopRequestCompletion+97j
		push	0FFFFFFFDh
		lea	edx, [edi+10h]
		pop	ebx
		mov	eax, [edx]

loc_55C4E7:				; CODE XREF: PopRequestCompletion+CDj
		mov	ecx, eax
		and	ecx, ebx
		lock cmpxchg [edx], ecx
		jnz	short loc_55C4E7
		mov	ebx, [ebp+arg_4]
		test	al, 2
		jnz	short loc_55C4BF
		xor	al, al
		jmp	short loc_55C4BB
; 

loc_55C4FC:				; CODE XREF: PopRequestCompletion+4Ej
		call	_PopDiagTraceIrpFinish@4 ; PopDiagTraceIrpFinish(x)
		mov	eax, [ebx+18h]
		test	eax, eax
		jns	short loc_55C531

loc_55C508:				; CODE XREF: PopRequestCompletion+11Ej
					; PopRequestCompletion+128j
		test	edi, edi
		jz	loc_55C47F
		mov	ecx, [edi+20h]
		mov	dl, 1
		call	_PopPepDeviceWaitWake@8	; PopPepDeviceWaitWake(x,x)
		or	eax, 0FFFFFFFFh
		lock xadd [edi+80h], eax
		dec	eax
		jnz	loc_55C47F
		jmp	loc_5E1C89
; 

loc_55C531:				; CODE XREF: PopRequestCompletion+E4j
		cmp	byte ptr [esi+90h], 0
		jnz	loc_5E1C79

loc_55C53E:				; CODE XREF: PopRequestCompletion+85862j
		test	eax, eax
		js	short loc_55C508
		mov	ecx, [esi+0Ch]
		call	_PopDirectedDripsNotifyWaitWakeIrpCompletion@4 ; PopDirectedDripsNotifyWaitWakeIrpCompletion(x)
		jmp	short loc_55C508
PopRequestCompletion endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFreeIrp(x)
_PopFreeIrp@4	proc near		; CODE XREF: PopRequestCompletion+5Fp
					; PopSystemIrpCompletion+8Bp

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		lea	edx, [ebp+var_14]
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	ebx, ecx
		stosd
		mov	ecx, offset _PopIrpLock
		stosd
		stosd
		movsx	eax, byte ptr [ebx+22h]
		add	eax, 3
		imul	eax, 24h
		mov	esi, [eax+ebx]
		mov	eax, [esi+10h]
		mov	edi, [esi+78h]
		mov	[ebp+var_4], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_8], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_55C5EE
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_55C5EE
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	ecx, [ebp+var_14]
		call	KeReleaseInStackQueuedSpinLock
		test	edi, edi
		jnz	short loc_55C5D9

loc_55C5A9:				; CODE XREF: PopFreeIrp(x)+91j
					; PopFreeIrp(x)+97j
		mov	edx, esi
		mov	ecx, offset _PopIrpDataLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		push	ebx
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_55C5BB:				; CODE XREF: PopFreeIrp(x)+A0j
		mov	ecx, [ebp+var_4]
		mov	esi, 72496F50h
		mov	edx, esi
		call	ObfDereferenceObjectWithTag
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	ObfDereferenceObjectWithTag
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55C5D9:				; CODE XREF: PopFreeIrp(x)+5Bj
		cmp	byte ptr [esi+68h], 2
		jnz	short loc_55C5A9
		cmp	dword ptr [esi+6Ch], 1
		jnz	short loc_55C5A9
		mov	ecx, edi
		call	PopFxReleasePowerIrp
		jmp	short loc_55C5BB
; 

loc_55C5EE:				; CODE XREF: PopFreeIrp(x)+43j
					; PopFreeIrp(x)+4Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PopFreeIrp@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDequeueQuerySetIrp proc near		; CODE XREF: PopRequestCompletion+54p
					; PopSystemIrpCompletion+84p

var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005E1C9E SIZE 0000038A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+28h+var_C]
		stosd
		mov	esi, ecx
		stosd
		stosd
		call	_PopDiagTraceIrpFinish@4 ; PopDiagTraceIrpFinish(x)
		mov	ecx, esi
		call	PopDisableIrpWatchdog
		lea	eax, [esp+28h+var_14]
		xor	edi, edi
		mov	[esp+28h+var_10], eax
		mov	[esp+28h+var_14], eax
		movsx	eax, byte ptr [esi+22h]
		add	eax, 3
		imul	eax, 24h
		mov	ecx, [eax+esi]
		mov	[esp+28h+var_18], ecx
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jz	loc_5E1C9E
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]

loc_55C64C:				; CODE XREF: PopDequeueQuerySetIrp+856ACj
		xor	edx, edx
		xor	ebx, ebx
		inc	edx
		cmp	[ecx+6Ch], edx
		lea	edx, [esp+28h+var_C]
		mov	ecx, offset _PopIrpLock
		setnz	bl
		lea	ebx, ds:98h[ebx*8]
		add	ebx, eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	[ebx], edi
		cmp	esi, _PopInrushIrp
		jz	loc_5E1CA5

loc_55C67C:				; CODE XREF: PopDequeueQuerySetIrp+8574Dj
					; PopDequeueQuerySetIrp+85760j
		mov	eax, [ebx+4]
		test	eax, eax
		jnz	loc_5E1D59

loc_55C687:				; CODE XREF: PopDequeueQuerySetIrp+85747j
					; PopDequeueQuerySetIrp+8579Bj	...
		test	ds:byte_70EFC6,	1
		jnz	loc_5E1DBB
		mov	eax, [esp+28h+var_C]
		test	eax, eax
		jnz	short loc_55C705
		mov	edx, [esp+28h+var_8]
		lea	eax, [esp+28h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+28h+var_C]
		cmp	eax, ecx
		jnz	short loc_55C6FC

loc_55C6B2:				; CODE XREF: PopDequeueQuerySetIrp+857D3j
		xor	ebx, ebx
		inc	ebx

loc_55C6B5:				; CODE XREF: PopDequeueQuerySetIrp+11Ej
		mov	cl, [esp+28h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_55C6BF:				; CODE XREF: PopDequeueQuerySetIrp+8580Fj
		mov	edi, [esp+28h+var_14]
		lea	eax, [esp+28h+var_14]
		cmp	edi, eax
		jnz	loc_5E1DCC
		mov	eax, [esp+28h+var_18]
		cmp	byte ptr [eax+68h], 2
		jnz	short loc_55C6DE
		cmp	[eax+6Ch], ebx
		jz	short loc_55C6E5

loc_55C6DE:				; CODE XREF: PopDequeueQuerySetIrp+E3j
					; PopDequeueQuerySetIrp+FCj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_55C6E5:				; CODE XREF: PopDequeueQuerySetIrp+E8j
		or	eax, 0FFFFFFFFh
		lock xadd _PopPendingSetPowerDeviceIrps, eax
		jnz	short loc_55C6DE
		push	2
		pop	ecx
		call	PopDeepSleepClearDisengageReason
		jmp	short loc_55C6DE
; 

loc_55C6FC:				; CODE XREF: PopDequeueQuerySetIrp+BCj
		lea	ecx, [esp+28h+var_C]
		call	KxWaitForLockChainValid

loc_55C705:				; CODE XREF: PopDequeueQuerySetIrp+A6j
		xor	ebx, ebx
		mov	[esp+28h+var_C], edi
		add	eax, 4
		inc	ebx
		lock xor [eax],	ebx
		jmp	short loc_55C6B5
PopDequeueQuerySetIrp endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDisableIrpWatchdog proc near		; CODE XREF: PopDequeueQuerySetIrp+20p

var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		movsx	eax, byte ptr [ecx+22h]
		add	eax, 3
		imul	eax, 24h
		mov	esi, [eax+ecx]
		cmp	byte ptr [esi+74h], 0
		jz	short loc_55C74A
		lea	eax, [esi+20h]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jz	loc_5E1E0D

loc_55C74A:				; CODE XREF: PopDisableIrpWatchdog+23j
		pop	edi
		pop	esi
		leave
		retn
PopDisableIrpWatchdog endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceIrpFinish(x)
_PopDiagTraceIrpFinish@4 proc near	; CODE XREF: PopRequestCompletion:loc_55C4FCp
					; PopDequeueQuerySetIrp+19p

var_C2		= byte ptr -0C2h
var_C1		= byte ptr -0C1h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0C4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+0D0h+var_C0], ecx
		call	PopDiagTraceIrpFinishTelemetry
		cmp	_PopDiagHandleRegistered, 0
		jz	loc_55C84F
		push	offset _POP_ETW_EVENT_IRPFINISH
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_55C84F
		mov	ecx, [esp+0D0h+var_C0]
		mov	ebx, offset ??_C@_11LOCGONAA@@FNODOBFM@
		movsx	eax, byte ptr [ecx+22h]
		add	eax, 3
		imul	eax, 24h
		mov	esi, [eax+ecx]
		mov	eax, [ecx+18h]
		mov	[esp+0D0h+var_BC], eax
		mov	dl, [esi+68h]
		mov	edi, [esi+6Ch]
		mov	[esp+0D0h+var_C1], dl
		test	eax, eax
		js	loc_55C892

loc_55C7D0:				; CODE XREF: PopDiagTraceIrpFinish(x)+146j
					; PopDiagTraceIrpFinish(x)+163j ...
		cmp	edi, 1
		jz	loc_55C864

loc_55C7D9:				; CODE XREF: PopDiagTraceIrpFinish(x)+119j
					; PopDiagTraceIrpFinish(x)+13Fj
		push	4
		pop	ecx
		lea	eax, [esp+0D0h+var_C0]
		mov	[esp+0D0h+var_B0], ecx
		mov	[esp+0D0h+var_A0], ecx
		xor	esi, esi
		mov	ecx, ebx
		mov	[esp+0D0h+var_B8], eax
		lea	eax, [esp+0D0h+var_BC]
		mov	[esp+0D0h+var_B4], esi
		mov	[esp+0D0h+var_AC], esi
		mov	[esp+0D0h+var_A8], eax
		mov	[esp+0D0h+var_A4], esi
		lea	edx, [ecx+2]
		mov	[esp+0D0h+var_9C], esi

loc_55C80B:				; CODE XREF: PopDiagTraceIrpFinish(x)+C6j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_55C80B
		sub	ecx, edx
		mov	[esp+0D0h+var_98], ebx
		sar	ecx, 1
		mov	[esp+0D0h+var_94], esi
		mov	[esp+0D0h+var_8C], esi
		lea	eax, ds:2[ecx*2]
		mov	[esp+0D0h+var_90], eax
		lea	eax, [esp+0D0h+var_B8]
		push	eax
		push	3
		push	esi
		push	offset _POP_ETW_EVENT_IRPFINISH
		push	dword_6C1D74
		push	_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_55C84F:				; CODE XREF: PopDiagTraceIrpFinish(x)+2Fj
					; PopDiagTraceIrpFinish(x)+4Dj
		mov	ecx, [esp+0D0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_55C864:				; CODE XREF: PopDiagTraceIrpFinish(x)+85j
		cmp	dl, 2
		jnz	loc_55C7D9
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_55C8C0
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]

loc_55C87D:				; CODE XREF: PopDiagTraceIrpFinish(x)+174j
		mov	eax, [esp+0D0h+var_BC]
		cdq
		push	edx
		push	eax
		push	17h
		xor	edx, edx
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		jmp	loc_55C7D9
; 

loc_55C892:				; CODE XREF: PopDiagTraceIrpFinish(x)+7Cj
		test	edi, edi
		jnz	loc_55C7D0
		push	ecx
		call	_IoFindDeviceThatFailedIrp@4 ; IoFindDeviceThatFailedIrp(x)
		lea	edx, [esp+0D4h+var_88]
		mov	ecx, eax
		call	_PopDiagGetDriverName@12 ; PopDiagGetDriverName(x,x,x)
		mov	dl, [esp+0D0h+var_C1]
		test	eax, eax
		js	loc_55C7D0
		lea	ebx, [esp+0D0h+var_88]
		jmp	loc_55C7D0
; 

loc_55C8C0:				; CODE XREF: PopDiagTraceIrpFinish(x)+124j
		xor	ecx, ecx
		jmp	short loc_55C87D
_PopDiagTraceIrpFinish@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceIrpFinishTelemetry proc near ; CODE	XREF: PopDiagTraceIrpFinish(x)+23p

var_14C		= dword	ptr -14Ch
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 16Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	cl, 1
		movsx	eax, byte ptr [edi+22h]
		add	eax, 3
		imul	eax, 24h
		mov	esi, [eax+edi]
		mov	eax, [edi+18h]
		mov	[ebp+var_13C], eax
		call	KiQueryUnbiasedInterruptTime
		mov	ebx, [esi+1Ch]
		mov	[ebp+var_14C], edx
		mov	edx, [esi+18h]
		mov	ecx, edx
		or	ecx, ebx
		mov	[ebp+var_140], eax
		jz	short loc_55C941
		cmp	byte ptr [esi+74h], 0
		jz	short loc_55C941
		mov	ecx, eax
		mov	eax, [ebp+var_14C]
		sub	ecx, edx
		push	0
		push	2710h
		sbb	eax, ebx
		push	eax
		push	ecx
		call	__aulldiv
		mov	ebx, eax
		cmp	ebx, 1388h
		jnb	loc_5E1E22

loc_55C941:				; CODE XREF: PopDiagTraceIrpFinishTelemetry+4Dj
					; PopDiagTraceIrpFinishTelemetry+53j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTraceIrpFinishTelemetry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxNotifyPreDIrpCompletion proc near	; CODE XREF: PopRequestCompletion+79p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		xor	eax, eax
		lea	edx, [edi+238h]
		lock cmpxchg [edx], esi
		test	al, 20h
		jnz	short loc_55C971

loc_55C96B:				; CODE XREF: PopFxNotifyPreDIrpCompletion+37j
					; sub_5E2028+76j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_55C971:				; CODE XREF: PopFxNotifyPreDIrpCompletion+19j
		lea	edx, [edi+10h]
		xor	esi, esi
		mov	eax, [edx]

loc_55C978:				; CODE XREF: PopFxNotifyPreDIrpCompletion+30j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_55C978
		test	eax, 2000h
		jz	short loc_55C96B
		jmp	sub_5E2028
PopFxNotifyPreDIrpCompletion endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxReleasePowerIrp proc near		; CODE XREF: PopFreeIrp(x)+9Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E20A3 SIZE 00000073 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edi
		mov	eax, [edi+1Ch]
		add	eax, 2Ch
		push	eax
		call	ExAcquireSpinLockExclusive
		push	0FFFFFFEFh
		mov	bh, al
		lea	edx, [edi+10h]
		pop	eax
		lock and [edx],	eax
		mov	eax, [edi+128h]
		mov	esi, [edi+130h]
		mov	[ebp+var_10], eax
		mov	eax, [edi+138h]
		mov	[ebp+var_C], eax
		mov	eax, [edi+140h]
		xor	edi, edi
		mov	[ebp+var_8], eax
		mov	eax, [edx]

loc_55C9DA:				; CODE XREF: PopFxReleasePowerIrp+54j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_55C9DA
		mov	edi, [ebp+var_4]
		test	al, 20h
		jnz	loc_5E20A3
		push	0
		push	0
		lea	eax, [edi+148h]
		xor	bl, bl
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		or	eax, 0FFFFFFFFh
		lock xadd [edi+80h], eax
		dec	eax
		jz	loc_5E20E7

loc_55CA13:				; CODE XREF: PopFxReleasePowerIrp+8572Dj
					; PopFxReleasePowerIrp+85754j ...
		mov	eax, [edi+1Ch]
		add	eax, 2Ch
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jnz	loc_5E20FC

loc_55CA2F:				; CODE XREF: PopFxReleasePowerIrp+85783j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopFxReleasePowerIrp endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceFxDevicePowerState proc near ; CODE	XREF: PoFxReportDevicePoweredOn+44p
					; PopRequestCompletion+B6p

var_2C		= dword	ptr -2Ch
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E2116 SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_2C], ecx
		mov	eax, ebx
		cdq
		push	edx
		push	eax
		push	6
		xor	edx, edx
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_55CA87
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_DEVICE_POWER_STATE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5E2116

loc_55CA85:				; CODE XREF: PopDiagTraceFxDevicePowerState+85725j
		pop	edi
		pop	esi

loc_55CA87:				; CODE XREF: PopDiagTraceFxDevicePowerState+2Dj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTraceFxDevicePowerState endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1718. PoRequestPowerIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoRequestPowerIrp(x, x, x, x, x, x)
		public _PoRequestPowerIrp@24
_PoRequestPowerIrp@24 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	PopRequestPowerIrp
		pop	ebp
		retn	18h
_PoRequestPowerIrp@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopRequestPowerIrp proc	near		; CODE XREF: PoRequestPowerIrp(x,x,x,x,x,x)+19p
					; PopScanIdleList(x,x,x)+17Bp ...

var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005E215E SIZE 0000009E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_C], 0
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		mov	ecx, [ebp+arg_10]
		mov	[esp+18h+var_4], edx
		push	esi
		push	edi
		test	ecx, ecx
		jnz	loc_55CCB9

loc_55CAE2:				; CODE XREF: PopRequestPowerIrp+201j
		and	[esp+20h+var_8], 0
		test	bl, bl
		jz	loc_55CC3D
		cmp	bl, 2
		jnz	loc_55CC74

loc_55CAF8:				; CODE XREF: PopRequestPowerIrp+1BBj
		cmp	_PopCurrentBroadcast, 0
		mov	byte ptr [esp+20h+var_10], 1
		jz	loc_55CC3D

loc_55CB0A:				; CODE XREF: PopRequestPowerIrp+186j
		mov	esi, [ebp+arg_0]
		lea	eax, [esp+20h+var_C]
		push	eax
		lea	eax, [esp+24h+var_8]
		mov	ecx, edx
		push	eax
		push	[ebp+arg_8]
		xor	eax, eax
		test	bl, bl
		push	[ebp+arg_4]
		setnz	al
		push	[ebp+arg_C]
		push	[esp+34h+var_10]
		push	esi
		push	eax
		push	ebx
		call	PopAllocateIrp
		test	eax, eax
		js	loc_55CBF0
		cmp	eax, 103h
		jz	loc_55CBF0
		mov	edi, [esp+20h+var_8]
		test	edi, edi
		jz	loc_5E2168
		mov	eax, [edi+60h]
		mov	edx, [ebp+arg_10]
		mov	ecx, [esp+20h+var_C]
		mov	dword ptr [eax-8], offset PopRequestCompletion
		mov	[eax-4], ecx
		mov	byte ptr [eax-21h], 0E0h
		test	edx, edx
		jnz	loc_55CCC2

loc_55CB74:				; CODE XREF: PopRequestPowerIrp+20Aj
		mov	eax, [edi+60h]
		mov	[esp+20h+var_10], eax
		test	bl, bl
		jz	loc_55CC47
		mov	dword ptr [eax-1Ch], 1
		mov	[eax-18h], esi
		cmp	_PopCurrentBroadcast, 0
		jz	short loc_55CBC9
		mov	ecx, [ecx+78h]
		test	ecx, ecx
		jnz	loc_55CC2D

loc_55CBA1:				; CODE XREF: PopRequestPowerIrp+179j
		mov	edx, dword_6C2314
		mov	ecx, dword_6C2318
		shr	edx, 0Ch
		push	1
		and	edx, 0Fh
		call	PopMapInternalActionToIrpAction
		mov	ecx, [esp+20h+var_10]
		mov	[ecx-14h], eax
		mov	eax, dword_6C2314
		mov	[ecx-20h], eax

loc_55CBC9:				; CODE XREF: PopRequestPowerIrp+D8j
					; PopRequestPowerIrp+17Fj
		mov	eax, [esp+20h+var_C]
		mov	esi, [eax+78h]
		test	esi, esi
		jnz	short loc_55CBF9

loc_55CBD4:				; CODE XREF: PopRequestPowerIrp+140j
					; PopRequestPowerIrp+152j ...
		test	ds:dword_70EFD0, 8000h
		jnz	loc_5E21EB

loc_55CBE4:				; CODE XREF: PopRequestPowerIrp+8573Bj
		mov	ecx, edi
		call	PopQueueQuerySetIrp

loc_55CBEB:				; CODE XREF: PopRequestPowerIrp+1B3j
		mov	eax, 103h

loc_55CBF0:				; CODE XREF: PopRequestPowerIrp+7Bj
					; PopRequestPowerIrp+86j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_55CBF9:				; CODE XREF: PopRequestPowerIrp+116j
		cmp	bl, 2
		jnz	short loc_55CBD4
		xor	edx, edx
		lea	ecx, [esi+238h]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		test	al, 20h
		jz	short loc_55CBD4
		xor	ebx, ebx
		lea	edx, [esi+10h]
		mov	eax, [edx]

loc_55CC17:				; CODE XREF: PopRequestPowerIrp+163j
		mov	ecx, eax
		or	ecx, ebx
		lock cmpxchg [edx], ecx
		jnz	short loc_55CC17
		test	eax, 2000h
		jz	short loc_55CBD4
		jmp	loc_5E2199
; 

loc_55CC2D:				; CODE XREF: PopRequestPowerIrp+DFj
		call	_PopFxGetDeviceDStateReason@4 ;	PopFxGetDeviceDStateReason(x)
		cmp	eax, 1
		jz	loc_55CBA1
		jmp	short loc_55CBC9
; 

loc_55CC3D:				; CODE XREF: PopRequestPowerIrp+2Dj
					; PopRequestPowerIrp+48j
		mov	byte ptr [esp+20h+var_10], 0
		jmp	loc_55CB0A
; 

loc_55CC47:				; CODE XREF: PopRequestPowerIrp+C1j
		mov	ebx, [esp+20h+var_C]
		mov	edx, [ebx+78h]
		test	edx, edx
		jnz	short loc_55CC82

loc_55CC52:				; CODE XREF: PopRequestPowerIrp+1FBj
		mov	edx, edi
		mov	[eax-20h], esi
		call	PopDiagTraceIrpStart
		mov	ecx, [esp+20h+var_10]
		push	dword ptr [ebp+4]
		mov	edx, [esp+24h+var_8]
		mov	ecx, [ecx-10h]
		call	IofCallDriverSpecifyReturn
		jmp	loc_55CBEB
; 

loc_55CC74:				; CODE XREF: PopRequestPowerIrp+36j
		cmp	bl, 3
		jz	loc_55CAF8
		jmp	loc_5E215E
; 

loc_55CC82:				; CODE XREF: PopRequestPowerIrp+194j
		add	edx, 10h
		xor	esi, esi
		mov	eax, [edx]

loc_55CC89:				; CODE XREF: PopRequestPowerIrp+1D5j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_55CC89
		mov	esi, [ebp+arg_0]
		and	al, 1
		mov	[ebx+7Ch], al
		xor	al, 1
		mov	[ebx+7Dh], al
		mov	ecx, [ebx+78h]
		jz	loc_5E2172
		mov	ecx, [ecx+20h]
		xor	dl, dl
		call	_PopPepDeviceWaitWake@8	; PopPepDeviceWaitWake(x,x)

loc_55CCB3:				; CODE XREF: PopRequestPowerIrp+856D8j
		mov	eax, [esp+20h+var_10]
		jmp	short loc_55CC52
; 

loc_55CCB9:				; CODE XREF: PopRequestPowerIrp+20j
		xor	eax, eax
		xchg	eax, [ecx]
		jmp	loc_55CAE2
; 

loc_55CCC2:				; CODE XREF: PopRequestPowerIrp+B2j
		mov	eax, edi
		xchg	eax, [edx]
		jmp	loc_55CB74
PopRequestPowerIrp endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopAllocateIrp	proc near		; CODE XREF: PopRequestPowerIrp+74p
					; PopNotifyDevice+68p

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 005E21FC SIZE 00000122 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_14], ecx
		lea	edi, [ebp+var_28]
		xor	ebx, ebx
		stosd
		mov	edx, 72496F50h
		mov	[ebp+var_8], ebx
		stosd
		stosd
		mov	eax, [ebp+arg_1C]
		xor	edi, edi
		mov	[ebp+var_C], edi
		and	dword ptr [eax], 0
		mov	eax, [ebp+arg_20]
		and	dword ptr [eax], 0
		call	IoGetAttachedDeviceReferenceWithTag
		mov	ecx, [ebp+var_14]
		mov	esi, eax
		mov	edx, 72496F50h
		mov	[ebp+var_4], esi
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	edx, eax
		mov	[ebp+var_18], edx
		test	edx, edx
		jz	loc_5E21FC
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]

loc_55CD2A:				; CODE XREF: PopAllocateIrp+85532j
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jz	loc_5E2203
		mov	dl, [ebp+arg_0]
		mov	esi, [ebp+arg_8]
		cmp	dl, 2
		jnz	short loc_55CD4A
		cmp	[ebp+arg_4], 1
		jz	loc_55CEDB

loc_55CD4A:				; CODE XREF: PopAllocateIrp+72j
		mov	eax, 0C00002B6h
		mov	[ebp+arg_8], eax

loc_55CD52:				; CODE XREF: PopAllocateIrp+24Ej
		test	eax, eax
		jns	loc_55CF1F
		test	dl, dl
		jz	loc_55CF3C
		and	[ebp+arg_10], 0

loc_55CD66:				; CODE XREF: PopAllocateIrp+27Aj
		or	[ebp+var_C], 0FFFFFFFFh
		xor	edi, edi
		mov	[ebp+var_10], 0FFF85EE0h

loc_55CD73:				; CODE XREF: PopAllocateIrp+855A5j
		test	edi, edi
		jnz	loc_5E2276

loc_55CD7B:				; CODE XREF: PopAllocateIrp+855B2j
					; PopAllocateIrp+855C5j
		inc	edi
		mov	ecx, offset _PopIrpDataLookaside
		mov	[ebp+var_1C], edi
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5E2296
		xor	ebx, ebx

loc_55CD95:				; CODE XREF: PopAllocateIrp+8560Ej
		test	ebx, ebx
		jnz	loc_5E22AA

loc_55CD9D:				; CODE XREF: PopAllocateIrp+855E6j
					; PopAllocateIrp+855F9j
		mov	eax, [ebp+var_4]
		inc	ebx
		push	0
		mov	[ebp+var_1C], ebx
		mov	al, [eax+30h]
		inc	al
		movzx	eax, al
		push	eax
		call	IoAllocateIrp
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5E22CA

loc_55CDBE:				; CODE XREF: PopAllocateIrp+265j
					; PopAllocateIrp+8559Dj
		push	0C00000BBh
		push	ebx
		call	_IoReuseIrp@8	; IoReuseIrp(x,x)
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	_IovUtilWatermarkIrp@8 ; IovUtilWatermarkIrp(x,x)
		and	dword ptr [ebx+1Ch], 0
		lea	eax, [ebx+58h]
		push	98h		; size_t
		push	0		; int
		push	edi		; void *
		mov	[eax+4], eax
		mov	[eax], eax
		call	_memset
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	eax, [ebp+var_18]
		mov	dl, [ebp+arg_0]
		mov	[edi+10h], ecx
		mov	[edi+0Ch], eax
		mov	eax, [ebp+arg_4]
		mov	[edi+68h], dl
		mov	[edi+6Ch], eax
		mov	eax, [ebp+arg_10]
		mov	[edi+70h], esi
		mov	[edi+8], ebx
		mov	[edi+78h], eax
		xor	eax, eax
		inc	eax
		lock xadd _PopCurrentIrpSequenceID, eax
		inc	eax
		mov	[edi+80h], eax
		mov	eax, [ebp+arg_14]
		mov	[edi+84h], eax
		mov	eax, [ebp+arg_18]
		mov	[edi+88h], eax
		mov	eax, [ebp+var_14]
		mov	[edi+8Ch], eax
		mov	eax, [ebx+60h]
		and	dword ptr [eax-10h], 0
		mov	[eax-4], edi
		add	dword ptr [ebx+60h], 0FFFFFFDCh
		mov	eax, [ebx+60h]
		dec	byte ptr [ebx+23h]
		mov	[eax-23h], dl
		lea	edx, [ebp+var_28]
		mov	[eax-10h], ecx
		mov	ecx, offset _PopIrpLock
		mov	byte ptr [eax-24h], 16h
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, dword_6C2AC4
		mov	ecx, offset _PopIrpList
		cmp	[eax], ecx
		jnz	loc_55CF4B
		mov	[edi], ecx
		lea	ecx, [ebp+var_28]
		mov	[edi+4], eax
		mov	[eax], edi
		mov	dword_6C2AC4, edi
		call	KeReleaseInStackQueuedSpinLock
		mov	eax, [ebp+arg_1C]
		xor	esi, esi
		mov	[ebp+var_4], esi
		mov	[eax], ebx
		mov	eax, [ebp+arg_20]
		mov	[eax], edi
		xor	eax, eax
		mov	[ebp+var_18], eax
		xor	edi, edi
		mov	[ebp+arg_8], eax

loc_55CEAB:				; CODE XREF: PopAllocateIrp+287j
		test	ebx, ebx
		jz	loc_5E220B

loc_55CEB3:				; CODE XREF: PopAllocateIrp+85543j
					; PopAllocateIrp+8554Ej ...
		test	edi, edi
		jnz	loc_5E22EB

loc_55CEBB:				; CODE XREF: PopAllocateIrp+8562Bj
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	loc_5E22FC

loc_55CEC6:				; CODE XREF: PopAllocateIrp+8563Cj
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_5E230D

loc_55CED1:				; CODE XREF: PopAllocateIrp+8564Dj
		mov	eax, [ebp+arg_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_55CEDB:				; CODE XREF: PopAllocateIrp+78j
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	esi
		call	PopFxAllocatePowerIrp
		mov	[ebp+arg_8], eax
		test	eax, eax
		jns	short loc_55CF07
		cmp	eax, 0C00002B6h
		jnz	loc_5E2238

loc_55CF07:				; CODE XREF: PopAllocateIrp+22Ej
		mov	ebx, [ebp+var_8]
		mov	edi, [ebp+var_C]
		cmp	eax, 103h
		jz	short loc_55CF50
		mov	ecx, [ebp+var_1C]
		mov	dl, [ebp+arg_0]
		jmp	loc_55CD52
; 

loc_55CF1F:				; CODE XREF: PopAllocateIrp+88j
		mov	eax, [ecx+28h]
		mov	[ebp+arg_10], eax
		mov	ecx, [eax+8]
		mov	eax, [ebp+var_4]
		mov	al, [eax+30h]
		cmp	al, [ecx+22h]
		jle	loc_55CDBE
		jmp	loc_5E2243
; 

loc_55CF3C:				; CODE XREF: PopAllocateIrp+90j
		xor	dl, dl
		call	PopFxLockDevice
		mov	[ebp+arg_10], eax
		jmp	loc_55CD66
; 

loc_55CF4B:				; CODE XREF: PopAllocateIrp+1ABj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_55CF50:				; CODE XREF: PopAllocateIrp+246j
					; PopAllocateIrp+85572j ...
		mov	esi, [ebp+var_4]
		jmp	loc_55CEAB
PopAllocateIrp	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopQueueQuerySetIrp proc near		; CODE XREF: PopRequestPowerIrp+12Ap
					; PopNotifyDevice+EEp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E231E SIZE 0000009A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_1], 0
		push	esi
		push	edi
		lea	edi, [ebp+var_1C]
		mov	esi, ecx
		stosd
		mov	ecx, [esi+60h]
		stosd
		mov	[ebp+var_10], ecx
		stosd
		movsx	eax, byte ptr [esi+22h]
		add	eax, 3
		imul	eax, 24h
		mov	edi, [eax+esi]
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	loc_5E231E
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		mov	[ebp+var_8], eax

loc_55CF9B:				; CODE XREF: PopQueueQuerySetIrp+853CAj
		mov	eax, [edi+10h]
		xor	edx, edx
		inc	edx
		mov	[ebp+var_C], eax
		cmp	byte ptr [edi+68h], 2
		jnz	short loc_55CFB3
		cmp	[edi+6Ch], edx
		jz	loc_55D073

loc_55CFB3:				; CODE XREF: PopQueueQuerySetIrp+50j
					; PopQueueQuerySetIrp+128j ...
		mov	eax, [edi+6Ch]
		xor	ebx, ebx
		cmp	eax, edx
		setnz	bl
		lea	ebx, ds:98h[ebx*8]
		add	ebx, [ebp+var_8]
		cmp	eax, edx
		jnz	short loc_55CFDA
		cmp	byte ptr [edi+68h], 2
		jnz	short loc_55CFDA
		cmp	[ecx-18h], edx
		jz	loc_55D099

loc_55CFDA:				; CODE XREF: PopQueueQuerySetIrp+71j
					; PopQueueQuerySetIrp+77j ...
		xor	edi, edi
		lea	edx, [ebp+var_1C]
		mov	ecx, offset _PopIrpLock
		mov	[esi+40h], edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	dl, [ebp+var_1]
		test	dl, dl
		jnz	loc_5E2341

loc_55CFF7:				; CODE XREF: PopQueueQuerySetIrp+8540Aj
		mov	eax, [ebx+4]
		test	eax, eax
		jnz	loc_5E2369
		mov	[ebx+4], esi
		cmp	[ebx], edi
		jnz	loc_5E2373
		test	dl, dl
		jnz	loc_5E237A

loc_55D015:				; CODE XREF: PopQueueQuerySetIrp+85446j
		mov	[ebx], esi
		mov	[ebx+4], edi

loc_55D01A:				; CODE XREF: PopQueueQuerySetIrp+8541Dj
		test	ds:byte_70EFC6,	1
		jnz	loc_5E23A8
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	loc_55D10B
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jnz	loc_55D103

loc_55D049:				; CODE XREF: PopQueueQuerySetIrp+1BFj
					; PopQueueQuerySetIrp+8545Bj
		mov	cl, [ebp+var_14]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_55D06E
		mov	edx, esi
		call	PopDiagTraceIrpStart
		mov	ecx, esi
		call	_PopEnableIrpWatchdog@4	; PopEnableIrpWatchdog(x)
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		call	IofCallDriver

loc_55D06E:				; CODE XREF: PopQueueQuerySetIrp+FCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55D073:				; CODE XREF: PopQueueQuerySetIrp+55j
		mov	eax, edx
		lock xadd _PopPendingSetPowerDeviceIrps, eax
		inc	eax
		cmp	eax, edx
		jnz	loc_55CFB3
		push	2
		pop	ecx
		call	PopDeepSleepSetDisengageReason
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		inc	edx
		jmp	loc_55CFB3
; 

loc_55D099:				; CODE XREF: PopQueueQuerySetIrp+7Cj
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[ebp+var_2], al
		mov	eax, [ebp+var_C]
		mov	ecx, eax
		test	eax, eax
		jz	short loc_55D0C7

loc_55D0AD:				; CODE XREF: PopQueueQuerySetIrp+16Dj
		test	dword ptr [ecx+1Ch], 4000h
		jnz	loc_5E2327
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+18h]
		test	ecx, ecx
		jnz	short loc_55D0AD

loc_55D0C7:				; CODE XREF: PopQueueQuerySetIrp+153j
					; PopQueueQuerySetIrp+853D5j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	edi, [eax+468h]
		jnz	loc_5E2332
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_55D11C
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jnz	short loc_55D12D

loc_55D0F5:				; CODE XREF: PopQueueQuerySetIrp+1D3j
					; PopQueueQuerySetIrp+853E4j
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_55CFDA
; 

loc_55D103:				; CODE XREF: PopQueueQuerySetIrp+EBj
		lea	ecx, [ebp+var_1C]
		call	KxWaitForLockChainValid

loc_55D10B:				; CODE XREF: PopQueueQuerySetIrp+D4j
		xor	ecx, ecx
		mov	[ebp+var_1C], edi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_55D049
; 

loc_55D11C:				; CODE XREF: PopQueueQuerySetIrp+18Cj
					; PopQueueQuerySetIrp+1DCj
		xor	ecx, ecx
		mov	dword ptr [edi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	short loc_55D0F5
; 

loc_55D12D:				; CODE XREF: PopQueueQuerySetIrp+19Bj
		mov	ecx, edi
		call	KxWaitForLockChainValid
		jmp	short loc_55D11C
PopQueueQuerySetIrp endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEnableIrpWatchdog(x)
_PopEnableIrpWatchdog@4	proc near	; CODE XREF: PopQueueQuerySetIrp+107p
					; PopDequeueQuerySetIrp+85801p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movsx	eax, byte ptr [ecx+22h]
		add	eax, 3
		imul	eax, 24h
		push	ebx
		mov	ebx, [eax+ecx]
		mov	ecx, ebx
		call	_PopComputeWatchdogTimeout@4 ; PopComputeWatchdogTimeout(x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_55D1A6
		push	esi
		push	edi
		push	ebx
		push	offset _PopIrpWatchdog@16 ; PopIrpWatchdog(x,x,x,x)
		lea	edi, [ebx+48h]
		mov	byte ptr [ebx+74h], 1
		push	edi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	0
		lea	esi, [ebx+20h]
		push	esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	0FFFFFFFFh
		push	0FF676980h
		push	0
		push	[ebp+var_4]
		call	__allmul
		push	edx
		push	eax
		push	edi
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	KiSetTimerEx
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		pop	edi
		mov	[ebx+18h], eax
		mov	[ebx+1Ch], edx
		pop	esi

loc_55D1A6:				; CODE XREF: PopEnableIrpWatchdog(x)+20j
		pop	ebx
		leave
		retn
_PopEnableIrpWatchdog@4	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopComputeWatchdogTimeout(x)
_PopComputeWatchdogTimeout@4 proc near	; CODE XREF: PoQueryWatchdogTime+F8p
					; PoQueryWatchdogTime+137p ...
		mov	eax, [ecx+6Ch]
		test	eax, eax
		jnz	short loc_55D1B7
		cmp	dword ptr [ecx+70h], 1
		jz	short loc_55D1C8

loc_55D1B7:				; CODE XREF: PopComputeWatchdogTimeout(x)+5j
		cmp	eax, 1
		jz	short loc_55D1C2

loc_55D1BC:				; CODE XREF: PopComputeWatchdogTimeout(x)+1Cj
		mov	eax, ds:_PopWatchdogSleepTimeout
		retn
; 

loc_55D1C2:				; CODE XREF: PopComputeWatchdogTimeout(x)+10j
		cmp	dword ptr [ecx+70h], 1
		jnz	short loc_55D1BC

loc_55D1C8:				; CODE XREF: PopComputeWatchdogTimeout(x)+Bj
		mov	eax, ds:_PopWatchdogResumeTimeout
		retn
_PopComputeWatchdogTimeout@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceIrpStart proc near		; CODE XREF: PopRequestPowerIrp+19Bp
					; PopQueueQuerySetIrp+100p ...

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_76		= dword	ptr -76h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E23B8 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 90h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_90], 0
		and	[ebp+var_8C], 0
		mov	[ebp+var_88], edx
		movsx	eax, byte ptr [edx+22h]
		add	eax, 3
		imul	eax, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+edx]
		mov	dl, [edi+68h]
		mov	byte ptr [ebp+var_76+1], dl
		mov	esi, [edi+6Ch]
		mov	[ebp+var_7C], esi
		mov	al, [edi+70h]
		dec	al
		mov	byte ptr [ebp+var_76], al
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	loc_5E23B8
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]

loc_55D22F:				; CODE XREF: PopDiagTraceIrpStart+851ECj
		mov	[ebp+var_80], ecx
		lea	ebx, [ecx+14h]
		mov	ax, [ebx]
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_84], eax
		cmp	dword ptr [ecx+8], 0
		jz	loc_5E23BF

loc_55D24E:				; CODE XREF: PopDiagTraceIrpStart+8520Bj
		cmp	esi, 1
		jz	loc_55D346

loc_55D257:				; CODE XREF: PopDiagTraceIrpStart+17Bj
					; PopDiagTraceIrpStart+190j
		cmp	_PopDiagHandleRegistered, 0
		jz	loc_55D337
		mov	esi, dword_6C1D74
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_IRPSTART
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_55D337
		lea	eax, [ebp+var_88]
		mov	[ebp+var_4C], 1
		mov	[ebp+var_76+2],	eax
		xor	edx, edx
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_70], edx
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_76+1]
		push	4
		pop	ecx
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_84]
		push	5
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], 2
		mov	[ebp+var_28], edx
		pop	ecx
		cmp	word ptr [ebp+var_84], dx
		jbe	short loc_55D305
		movzx	ecx, word ptr [ebx]
		mov	eax, [ebx+4]
		mov	[ebp+var_24], eax
		mov	eax, ecx
		push	6
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], edx
		pop	ecx

loc_55D305:				; CODE XREF: PopDiagTraceIrpStart+11Ej
		mov	eax, ecx
		lea	edx, [ebp+var_76]
		add	eax, eax
		mov	[ebp+eax*8+var_76+2], edx
		xor	edx, edx
		mov	[ebp+eax*8+var_70], edx
		mov	[ebp+eax*8+var_6C], 1
		mov	[ebp+eax*8+var_68], edx
		lea	eax, [ebp+var_76+2]
		push	eax
		lea	eax, [ecx+1]
		push	eax
		push	edx
		push	offset _POP_ETW_EVENT_IRPSTART
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_55D337:				; CODE XREF: PopDiagTraceIrpStart+90j
					; PopDiagTraceIrpStart+B0j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_55D346:				; CODE XREF: PopDiagTraceIrpStart+83j
		cmp	dl, 2
		jnz	loc_55D257
		mov	eax, [edi+70h]
		cdq
		push	edx
		push	eax
		push	16h
		xor	edx, edx
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		jmp	loc_55D257
PopDiagTraceIrpStart endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxAllocatePowerIrp proc near		; CODE XREF: PopAllocateIrp+224p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005E23DE SIZE 00000161 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_10]
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	[eax], ebx
		mov	esi, ecx
		mov	eax, [ebp+arg_14]
		push	edi
		mov	edi, edx
		mov	[eax], ebx
		lea	eax, [esi+2Ch]
		push	eax
		mov	[ebp+var_C], eax
		call	ExAcquireSpinLockExclusive
		mov	esi, [esi+28h]
		mov	[ebp+var_1], al
		mov	[ebp+var_8], esi
		test	esi, esi
		jnz	short loc_55D3BF
		mov	edi, 0C00002B6h

loc_55D39D:				; CODE XREF: PopFxAllocatePowerIrp+A7j
					; PopFxAllocatePowerIrp+E1j ...
		push	[ebp+var_C]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	loc_55D44A

loc_55D3B6:				; CODE XREF: PopFxAllocatePowerIrp+F7j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_55D3BF:				; CODE XREF: PopFxAllocatePowerIrp+32j
		cmp	[ebp+arg_C], bl
		jnz	short loc_55D3D6
		lea	ecx, [esi+80h]
		lock inc dword ptr [ecx]
		cmp	[esi+7Ch], bl
		jnz	loc_5E23DE

loc_55D3D6:				; CODE XREF: PopFxAllocatePowerIrp+5Ej
		lea	ebx, [esi+10h]
		xor	edx, edx
		mov	eax, [ebx]

loc_55D3DD:				; CODE XREF: PopFxAllocatePowerIrp+81j
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [ebx], ecx
		jnz	short loc_55D3DD
		mov	edx, eax
		push	10h
		pop	eax
		and	edx, eax
		xor	esi, esi
		mov	eax, [ebx]

loc_55D3F2:				; CODE XREF: PopFxAllocatePowerIrp+96j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [ebx], ecx
		jnz	short loc_55D3F2
		mov	esi, [ebp+var_8]
		test	edx, edx
		jnz	loc_5E23FF
		xor	edi, edi
		test	al, 10h
		jnz	short loc_55D39D
		xor	edx, edx
		mov	eax, [ebx]

loc_55D411:				; CODE XREF: PopFxAllocatePowerIrp+B5j
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [ebx], ecx
		jnz	short loc_55D411
		test	al, 20h
		jnz	loc_5E24B3
		push	10h
		pop	eax
		lock or	[ebx], eax
		lea	eax, [esi+148h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	ecx, [ebp+arg_10]
		mov	eax, [esi+8]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_14]
		mov	eax, [esi+0Ch]
		mov	[ecx], eax
		jmp	loc_55D39D
; 

loc_55D44A:				; CODE XREF: PopFxAllocatePowerIrp+4Cj
		mov	ecx, [esi+1Ch]
		mov	eax, edi
		cdq
		push	edx
		push	eax
		push	15h
		xor	edx, edx
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		jmp	loc_55D3B6
PopFxAllocatePowerIrp endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopIrpWorker	proc near		; DATA XREF: PopCreateDynamicIrpWorker+21o
					; PopInitializeIrpWorkers()+B9o

var_4A		= byte ptr -4Ah
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_42		= byte ptr -42h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E253F SIZE 000000A3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		lea	edi, [esp+50h+var_24]
		xor	edx, edx
		stosd
		push	6
		pop	ecx
		mov	[esp+50h+var_30], edx
		stosd
		mov	[esp+50h+var_2C], edx
		mov	[esp+50h+var_41], dl
		stosd
		xor	eax, eax
		lea	edi, [esp+50h+var_18]
		rep stosd
		mov	eax, large fs:124h
		mov	[esp+50h+var_10], eax
		test	esi, esi
		jz	loc_55D762
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_55D4B5
		push	edx
		push	1
		push	edx
		push	eax
		call	KeReleaseSemaphore

loc_55D4B5:				; CODE XREF: PopIrpWorker+49j
		mov	edx, esi
		mov	ecx, offset _PopDynamicIrpWorkerLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		or	[esp+50h+var_2C], 0FFFFFFFFh
		lea	ebx, [esp+50h+var_30]
		mov	[esp+50h+var_30], 0FA0A1F00h
		mov	[esp+50h+var_40], ebx
		mov	[esp+50h+var_4], 0

loc_55D4DB:				; CODE XREF: PopIrpWorker+30Dj
		mov	edi, offset _PopIrpWorkerMutex
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	eax, dword_6C0064
		mov	ecx, offset _PopIrpThreadList
		dec	_PopIrpWorkerPendingCount
		inc	_PopIrpWorkerCount
		cmp	[eax], ecx
		jnz	loc_55D776
		mov	[esp+50h+var_18], ecx
		lea	ecx, [esp+50h+var_18]
		mov	[esp+50h+var_14], eax
		mov	[eax], ecx
		mov	eax, ecx
		mov	ecx, edi
		mov	dword_6C0064, eax
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_55D521:				; CODE XREF: PopIrpWorker+1E7j
		push	ebx
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _PopIrpWorkerSemaphore
		call	KeWaitForSingleObject
		cmp	eax, 102h
		jz	loc_55D6F3
		lea	edx, [esp+50h+var_24]
		mov	ecx, offset _PopIrpLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ebx, _PopIrpWorkerList
		cmp	dword ptr [ebx+4], offset _PopIrpWorkerList
		jnz	loc_55D776
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	loc_55D776
		mov	_PopIrpWorkerList, eax
		lea	ecx, [esp+50h+var_24]
		mov	dword ptr [eax+4], offset _PopIrpWorkerList
		call	KeReleaseInStackQueuedSpinLock
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	ecx, _PopIrpWorkerInFlightCount
		inc	ecx
		cmp	_PopCreateIrpWorkerAllowed, 0
		mov	_PopIrpWorkerInFlightCount, ecx
		jnz	loc_55D750

loc_55D59E:				; CODE XREF: PopIrpWorker+2F7j
					; PopIrpWorker+850F3j ...
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, [ebx+8]
		add	ebx, 0FFFFFFA8h
		mov	ecx, ebx
		mov	edi, [eax+14h]
		mov	dl, [eax+1]
		push	edi
		call	_PoDeviceAcquireIrp@12 ; PoDeviceAcquireIrp(x,x,x)
		movsx	eax, byte ptr [ebx+22h]
		add	eax, 3
		imul	eax, 24h
		mov	esi, [eax+ebx]
		cmp	byte ptr [esi+68h], 2
		jnz	short loc_55D5D6
		cmp	dword ptr [esi+6Ch], 1
		jz	loc_55D659

loc_55D5D6:				; CODE XREF: PopIrpWorker+16Aj
					; PopIrpWorker+1FCj ...
		mov	[esp+50h+var_C], ebx
		mov	[esp+50h+var_8], edi
		test	dword ptr [edi+1Ch], 2000h
		mov	[esp+50h+var_42], 0
		jz	short loc_55D64C

loc_55D5EC:				; CODE XREF: PopIrpWorker+1F2j
					; PopIrpWorker+85148j
		mov	ecx, [edi+8]
		push	ebx
		push	edi
		call	dword ptr [ecx+90h]
		cmp	[esp+58h+var_4A], 0
		jnz	loc_5E25AD

loc_55D602:				; CODE XREF: PopIrpWorker+85157j
		mov	eax, large fs:124h
		xor	ecx, ecx
		cmp	[eax+13Ch], ecx
		jnz	loc_5E25BC
		mov	[esp+58h+var_14], ecx
		mov	edx, 72496F50h
		mov	[esp+58h+var_10], ecx
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	edi, offset _PopIrpWorkerMutex
		mov	ecx, edi
		call	ExAcquireFastMutex
		dec	_PopIrpWorkerInFlightCount
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_55D643:				; CODE XREF: PopIrpWorker+2DEj
		mov	ebx, [esp+58h+var_48]
		jmp	loc_55D521
; 

loc_55D64C:				; CODE XREF: PopIrpWorker+18Aj
		cmp	ebx, _PopInrushIrp
		jnz	short loc_55D5EC
		jmp	loc_5E2594
; 

loc_55D659:				; CODE XREF: PopIrpWorker+170j
		cmp	[esi+10h], edi
		jnz	loc_55D5D6
		mov	eax, [esi+0Ch]
		mov	edx, [esi+78h]
		mov	[esp+50h+var_3C], edx
		test	eax, eax
		jz	loc_5E258D
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]

loc_55D67D:				; CODE XREF: PopIrpWorker+8512Fj
		mov	eax, [ecx+58h]
		mov	[esp+50h+var_38], eax
		mov	eax, [esi+70h]
		mov	[ecx+58h], eax
		test	edx, edx
		jz	loc_55D5D6
		mov	ecx, edx
		call	_PopFxGetDeviceDStateReason@4 ;	PopFxGetDeviceDStateReason(x)
		mov	[esp+50h+var_34], eax
		mov	[esi+94h], eax
		mov	byte ptr [esi+7Ch], 0
		cmp	eax, 1
		jnz	short loc_55D6AF
		mov	[esi+7Ch], al

loc_55D6AF:				; CODE XREF: PopIrpWorker+24Aj
		mov	edx, [esi+70h]
		cmp	edx, [esp+50h+var_38]
		setnz	al
		mov	[esi+7Dh], al
		jz	loc_55D5D6
		mov	ecx, [esp+50h+var_3C]
		cmp	edx, 1
		jz	short loc_55D6DF
		mov	eax, [esp+50h+var_34]

loc_55D6CF:				; CODE XREF: PopIrpWorker+291j
		mov	ecx, [ecx+20h]
		push	eax
		push	0
		call	PopPepDeviceDState
		jmp	loc_55D5D6
; 

loc_55D6DF:				; CODE XREF: PopIrpWorker+269j
		push	2
		lea	eax, [ecx+10h]
		pop	edx
		lock or	[eax], edx
		mov	eax, [esi+94h]
		mov	edx, [esi+70h]
		jmp	short loc_55D6CF
; 

loc_55D6F3:				; CODE XREF: PopIrpWorker+D6j
		mov	ecx, edi
		call	ExAcquireFastMutex
		cmp	_PopCreateIrpWorkerAllowed, bl
		jz	short loc_55D772
		mov	edx, _PopIrpWorkerCount
		dec	edx
		cmp	_PopIrpWorkerInFlightCount, edx
		jz	loc_5E253F

loc_55D715:				; CODE XREF: PopIrpWorker+850EBj
		mov	ecx, [esp+50h+var_18]
		lea	esi, [esp+50h+var_18]
		mov	eax, [esp+50h+var_14]
		cmp	[ecx+4], esi
		jnz	short loc_55D776
		cmp	[eax], esi
		jnz	short loc_55D776
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	_PopIrpWorkerCount, edx

loc_55D735:				; CODE XREF: PopIrpWorker+314j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	bl, bl
		jnz	loc_55D643
		push	0
		call	PsTerminateSystemThread
		jmp	loc_5E25D9
; 

loc_55D750:				; CODE XREF: PopIrpWorker+138j
		mov	eax, _PopIrpWorkerCount
		cmp	ecx, eax
		jnz	loc_55D59E
		jmp	loc_5E2550
; 

loc_55D762:				; CODE XREF: PopIrpWorker+3Fj
		mov	ebx, edx
		mov	[esp+50h+var_40], edx
		mov	[esp+50h+var_4], 1
		jmp	loc_55D4DB
; 

loc_55D772:				; CODE XREF: PopIrpWorker+2A0j
					; PopIrpWorker+850E5j
		mov	bl, 1
		jmp	short loc_55D735
; 

loc_55D776:				; CODE XREF: PopIrpWorker+9Fj
					; PopIrpWorker+F7j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PopIrpWorker	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall IopPoHandleIrp(x)
@IopPoHandleIrp@4 proc near		; CODE XREF: IofCallDriver+57p
					; IopfCallDriver+45p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	edx, [ebp+var_4]
		push	esi
		mov	esi, ecx
		call	PoHandleIrp
		test	al, al
		jnz	short loc_55D7AA
		mov	eax, [esi+60h]
		push	esi
		mov	ecx, [eax+14h]
		movzx	eax, byte ptr [eax]
		push	ecx
		mov	edx, [ecx+8]
		call	dword ptr [edx+eax*4+38h]

loc_55D7A7:				; CODE XREF: IopPoHandleIrp(x)+31j
		pop	esi
		leave
		retn
; 

loc_55D7AA:				; CODE XREF: IopPoHandleIrp(x)+17j
		mov	eax, [ebp+var_4]
		jmp	short loc_55D7A7
@IopPoHandleIrp@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoHandleIrp	proc near		; CODE XREF: IopPoHandleIrp(x)+10p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E25E2 SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_8], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	esi, ecx
		stosd
		mov	edx, [esi+60h]
		stosd
		mov	[ebp+var_C], edx
		stosd
		movsx	eax, byte ptr [esi+22h]
		add	eax, 3
		imul	eax, 24h
		mov	ecx, [eax+esi]
		mov	eax, [edx+14h]
		mov	[ebp+var_4], eax
		mov	edx, [ecx+14h]
		test	edx, edx
		jz	short loc_55D82C
		push	edx
		mov	dl, [ecx+68h]
		mov	ecx, esi
		call	_PoDeviceReleaseIrp@12 ; PoDeviceReleaseIrp(x,x,x)
		mov	eax, [ebp+var_4]
		lea	edi, [eax+1Ch]
		mov	ecx, [edi]
		mov	ebx, edi
		test	ecx, 8000h
		jnz	short loc_55D82F
		test	ecx, 2000h
		jnz	short loc_55D88A

loc_55D80D:				; CODE XREF: PoHandleIrp+E5j
		xor	bl, bl

loc_55D80F:				; CODE XREF: PoHandleIrp+89j
		push	eax
		mov	eax, [ebp+var_C]
		mov	ecx, esi
		mov	dl, [eax+1]
		call	_PoDeviceAcquireIrp@12 ; PoDeviceAcquireIrp(x,x,x)
		test	bl, bl
		jnz	loc_5E25E2

loc_55D825:				; CODE XREF: PoHandleIrp+D8j
					; PoHandleIrp+84E55j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_55D82C:				; CODE XREF: PoHandleIrp+36j
		lea	ebx, [eax+1Ch]

loc_55D82F:				; CODE XREF: PoHandleIrp+53j
					; PoHandleIrp+EBj
		mov	edi, ebx
		mov	bl, 1
		test	dword ptr [edi], 8000h
		jnz	short loc_55D80F

loc_55D83B:				; CODE XREF: PoHandleIrp+84E38j
		lea	edx, [ebp+var_18]
		mov	ecx, offset _PopIrpLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, esi
		call	PopDispatchQuerySetIrp
		test	ds:byte_70EFC6,	1
		jnz	loc_5E260A
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_55D8A5
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	short loc_55D89D

loc_55D876:				; CODE XREF: PoHandleIrp+105j
					; PoHandleIrp+84E65j
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_8]
		mov	dword ptr [eax], 103h
		jmp	short loc_55D825
; 

loc_55D88A:				; CODE XREF: PoHandleIrp+5Bj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		mov	eax, [ebp+var_4]
		jnz	loc_55D80D
		jmp	short loc_55D82F
; 

loc_55D89D:				; CODE XREF: PoHandleIrp+C4j
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_55D8A5:				; CODE XREF: PoHandleIrp+B1j
		lea	ecx, [eax+4]
		mov	[ebp+var_18], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax
		jmp	short loc_55D876
PoHandleIrp	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoDeviceReleaseIrp(x, x, x)
_PoDeviceReleaseIrp@12 proc near	; CODE XREF: .text:005245ACp
					; .text:005246C4p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dl, 2
		jnz	short loc_55D8E1

loc_55D8C2:				; CODE XREF: PoDeviceReleaseIrp(x,x,x)+2Cj
		movsx	eax, byte ptr [ecx+22h]
		mov	edx, [ebp+arg_0]
		add	eax, 3
		imul	eax, 24h
		push	esi
		mov	esi, [eax+ecx]
		call	_PopDiagTraceDeviceReleaseIrp@8	; PopDiagTraceDeviceReleaseIrp(x,x)
		and	dword ptr [esi+14h], 0
		pop	esi

loc_55D8DD:				; CODE XREF: PoDeviceReleaseIrp(x,x,x)+2Ej
		pop	ebp
		retn	4
; 

loc_55D8E1:				; CODE XREF: PoDeviceReleaseIrp(x,x,x)+8j
		cmp	dl, 3
		jz	short loc_55D8C2
		jmp	short loc_55D8DD
_PoDeviceReleaseIrp@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDeviceReleaseIrp(x, x)
_PopDiagTraceDeviceReleaseIrp@8	proc near ; CODE XREF: PoDeviceReleaseIrp(x,x,x)+1Bp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ecx
		jz	short loc_55D95E
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_IRP_DRIVERRELEASE
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_55D95B
		push	4
		pop	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		xor	edx, edx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_55D95B:				; CODE XREF: PopDiagTraceDeviceReleaseIrp(x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx

loc_55D95E:				; CODE XREF: PopDiagTraceDeviceReleaseIrp(x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceDeviceReleaseIrp@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoDeviceAcquireIrp(x, x, x)
_PoDeviceAcquireIrp@12 proc near	; CODE XREF: .text:00524695p
					; PopIrpWorker+154p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dl, 2
		jnz	short loc_55D994

loc_55D974:				; CODE XREF: PoDeviceAcquireIrp(x,x,x)+2Dj
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_55D990
		movsx	eax, byte ptr [ecx+22h]
		add	eax, 3
		imul	eax, 24h
		mov	eax, [eax+ecx]
		mov	[eax+14h], edx
		call	_PopDiagTraceDeviceAcquireIrp@8	; PopDiagTraceDeviceAcquireIrp(x,x)

loc_55D990:				; CODE XREF: PoDeviceAcquireIrp(x,x,x)+Fj
					; PoDeviceAcquireIrp(x,x,x)+2Fj
		pop	ebp
		retn	4
; 

loc_55D994:				; CODE XREF: PoDeviceAcquireIrp(x,x,x)+8j
		cmp	dl, 3
		jz	short loc_55D974
		jmp	short loc_55D990
_PoDeviceAcquireIrp@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDeviceAcquireIrp(x, x)
_PopDiagTraceDeviceAcquireIrp@8	proc near ; CODE XREF: PoDeviceAcquireIrp(x,x,x)+21p

var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	esi
		mov	esi, edx
		mov	[ebp+var_B8], ecx
		mov	[ebp+var_BC], esi
		jz	loc_55DA9C
		push	ebx
		mov	ebx, offset _POP_ETW_EVENT_IRP_DRIVERACQUIRE
		push	ebx
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_55DA9B
		push	ecx
		lea	edx, [ebp+var_84]
		mov	ecx, esi
		call	_PopDiagGetDriverName@12 ; PopDiagGetDriverName(x,x,x)
		lea	edx, [ebp+var_84]
		test	eax, eax
		js	loc_55DAA9

loc_55DA09:				; CODE XREF: PopDiagTraceDeviceAcquireIrp(x,x)+112j
		push	edi
		push	4
		pop	ecx
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_9C], ecx
		xor	edi, edi
		mov	ecx, edx
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_B0], edi
		mov	[ebp+var_A8], edi
		mov	[ebp+var_A4], eax
		mov	[ebp+var_A0], edi
		lea	esi, [ecx+2]
		mov	[ebp+var_98], edi

loc_55DA50:				; CODE XREF: PopDiagTraceDeviceAcquireIrp(x,x)+BDj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_55DA50
		sub	ecx, esi
		mov	[ebp+var_94], edx
		sar	ecx, 1
		mov	[ebp+var_90], edi
		mov	[ebp+var_88], edi
		lea	eax, ds:2[ecx*2]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_B4]
		push	eax
		push	3
		push	edi
		push	ebx
		push	dword_6C1D74
		push	_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	edi

loc_55DA9B:				; CODE XREF: PopDiagTraceDeviceAcquireIrp(x,x)+4Bj
		pop	ebx

loc_55DA9C:				; CODE XREF: PopDiagTraceDeviceAcquireIrp(x,x)+2Bj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_55DAA9:				; CODE XREF: PopDiagTraceDeviceAcquireIrp(x,x)+67j
		mov	edx, offset ??_C@_11LOCGONAA@@FNODOBFM@
		jmp	loc_55DA09
_PopDiagTraceDeviceAcquireIrp@8	endp

; 
		align 4

;  S U B	R O U T	I N E 


PopDispatchQuerySetIrp proc near	; CODE XREF: PoHandleIrp+9Ap

; FUNCTION CHUNK AT 005E261A SIZE 00000021 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, 72496F50h
		mov	ecx, [esi+60h]
		or	byte ptr [ecx+3], 1
		mov	ecx, [ecx+14h]
		call	ObfReferenceObjectWithTag
		cmp	esi, _PopInrushIrp
		lea	eax, [esi+58h]
		pop	esi
		mov	ecx, offset _PopIrpWorkerList
		jz	loc_5E261A
		mov	edx, dword_6C2334
		cmp	[edx], ecx
		jnz	short loc_55DB09
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	dword_6C2334, eax

loc_55DAF8:				; CODE XREF: PopDispatchQuerySetIrp+84B82j
		push	0
		push	1
		push	0
		push	offset _PopIrpWorkerSemaphore
		call	KeReleaseSemaphore
		retn
; 

loc_55DB09:				; CODE XREF: PopDispatchQuerySetIrp+36j
					; PopDispatchQuerySetIrp+84B6Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PopDispatchQuerySetIrp endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepDeviceDState proc	near		; CODE XREF: PoFxReportDevicePoweredOn+3Ap
					; PopRequestCompletion+ABp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= word ptr -2
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E263B SIZE 000000A2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		mov	ebx, edx
		mov	edx, [ebp+arg_0]
		mov	[esp+20h+var_10], ebx
		push	esi
		push	edi
		mov	edi, ecx
		test	dl, dl
		jnz	short loc_55DB97
		cmp	ebx, 1
		jle	short loc_55DB4F
		push	2
		lea	esi, [edi+54h]
		pop	eax
		xchg	eax, [esi]
		push	0
		push	4
		pop	edx
		call	_PopPepUpdateConstraints@12 ; PopPepUpdateConstraints(x,x,x)
		cmp	[ebp+arg_4], 1
		jnz	loc_55DCBF

loc_55DB4C:				; CODE XREF: PopPepDeviceDState+1BBj
		lock dec dword ptr [esi]

loc_55DB4F:				; CODE XREF: PopPepDeviceDState+20j
					; PopPepDeviceDState+1B5j
		mov	edx, [edi+78h]
		cmp	edx, ebx
		jz	short loc_55DB61
		mov	ecx, [edi+18h]
		push	0
		push	ebx
		call	PopPlNotifyDeviceDState

loc_55DB61:				; CODE XREF: PopPepDeviceDState+46j
					; PopPepDeviceDState+A1j
		mov	edx, [ebp+arg_0]

loc_55DB64:				; CODE XREF: PopPepDeviceDState+8Cj
					; PopPepDeviceDState+96j
		cmp	byte ptr [edi+4Ch], 0
		jnz	short loc_55DBB1
		cmp	byte ptr [edi+130h], 0
		jnz	short loc_55DBB1

loc_55DB73:				; CODE XREF: PopPepDeviceDState+10Aj
					; PopPepDeviceDState+192j
		mov	eax, [ebp+arg_0]
		test	al, al
		jz	short loc_55DB8E
		mov	edx, [edi+78h]
		cmp	edx, ebx
		jz	short loc_55DB8E
		mov	ecx, [edi+18h]
		push	eax
		push	ebx
		call	PopPlNotifyDeviceDState
		mov	[edi+78h], ebx

loc_55DB8E:				; CODE XREF: PopPepDeviceDState+6Aj
					; PopPepDeviceDState+71j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_55DB97:				; CODE XREF: PopPepDeviceDState+1Bj
		cmp	ebx, 1
		jnz	short loc_55DB64
		or	eax, 0FFFFFFFFh
		lock xadd [edi+54h], eax
		jnz	short loc_55DB64
		push	ebx
		push	4
		pop	edx
		call	_PopPepUpdateConstraints@12 ; PopPepUpdateConstraints(x,x,x)
		jmp	short loc_55DB61
; 

loc_55DBB1:				; CODE XREF: PopPepDeviceDState+5Aj
					; PopPepDeviceDState+63j
		cmp	ebx, 4
		jnz	loc_55DCA5
		and	[esp+28h+var_1C], 0

loc_55DBBF:				; CODE XREF: PopPepDeviceDState+19Fj
		mov	eax, [edi+78h]
		cmp	eax, 4
		jnz	loc_55DCB2
		and	[esp+28h+var_18], 0

loc_55DBD0:				; CODE XREF: PopPepDeviceDState+1ACj
		test	dl, dl
		jnz	short loc_55DBFF
		cmp	eax, ebx
		jz	short loc_55DBFF
		cmp	ebx, 1
		jz	loc_55DCCE

loc_55DBE1:				; CODE XREF: PopPepDeviceDState+1CCj
					; PopPepDeviceDState+219j
		mov	edx, [esp+28h+var_1C]
		mov	ecx, [esp+28h+var_18]
		push	1
		call	PopPepUpdateIdleStateRefCount
		mov	ecx, [edi+18h]
		mov	edx, ebx
		push	0
		call	PopFxUpdateDeviceAccountingEnhanced
		mov	edx, [ebp+arg_0]

loc_55DBFF:				; CODE XREF: PopPepDeviceDState+C4j
					; PopPepDeviceDState+C8j
		cmp	byte ptr [edi+4Ch], 0
		jnz	loc_5E263B

loc_55DC09:				; CODE XREF: PopPepDeviceDState+84B5Cj
		cmp	byte ptr [ebp+arg_0], 0
		jz	loc_55DB8E
		mov	eax, [edi+78h]
		cmp	eax, ebx
		jz	loc_55DB73
		xor	cl, cl
		cmp	_PopFxPerfQueryOnDevicePowerChanges, 0
		jnz	loc_5E266F

loc_55DC2D:				; CODE XREF: PopPepDeviceDState+84B7Cj
					; PopPepDeviceDState+84B8Ej ...
		cmp	eax, 1
		jnz	short loc_55DC85
		and	[esp+28h+var_14], 0
		cmp	dword ptr [edi+84h], 0
		jbe	short loc_55DC85
		mov	ebx, [esp+28h+var_14]
		lea	esi, [edi+128h]

loc_55DC4A:				; CODE XREF: PopPepDeviceDState+171j
		imul	eax, [esi-10h],	18h
		xor	edx, edx
		mov	ecx, [esi]
		push	0
		mov	ecx, [eax+ecx+10h]
		call	PopPepUpdateIdleStateRefCount
		mov	eax, [esi-4]
		mov	edx, [esi-98h]
		dec	eax
		mov	ecx, [edi+18h]
		push	1
		push	eax
		call	PopFxUpdateComponentAccountingEnhanced
		inc	ebx
		lea	esi, [esi+0A8h]
		cmp	ebx, [edi+84h]
		jb	short loc_55DC4A
		mov	ebx, [esp+28h+var_10]

loc_55DC85:				; CODE XREF: PopPepDeviceDState+122j
					; PopPepDeviceDState+130j
		mov	edx, [esp+28h+var_1C]
		mov	ecx, [esp+28h+var_18]
		push	0
		call	PopPepUpdateIdleStateRefCount
		mov	ecx, [edi+18h]
		mov	edx, ebx
		push	1
		call	PopFxUpdateDeviceAccountingEnhanced
		jmp	loc_55DB73
; 

loc_55DCA5:				; CODE XREF: PopPepDeviceDState+A6j
		mov	eax, [edi+ebx*4+5Ch]
		mov	[esp+28h+var_1C], eax
		jmp	loc_55DBBF
; 

loc_55DCB2:				; CODE XREF: PopPepDeviceDState+B7j
		mov	ecx, [edi+eax*4+5Ch]
		mov	[esp+28h+var_18], ecx
		jmp	loc_55DBD0
; 

loc_55DCBF:				; CODE XREF: PopPepDeviceDState+38j
		cmp	[ebp+arg_4], 2
		jnz	loc_55DB4F
		jmp	loc_55DB4C
; 

loc_55DCCE:				; CODE XREF: PopPepDeviceDState+CDj
		and	[esp+28h+var_14], 0
		cmp	dword ptr [edi+84h], 0
		jbe	loc_55DBE1
		lea	ebx, [edi+128h]

loc_55DCE6:				; CODE XREF: PopPepDeviceDState+213j
		mov	esi, [ebx-10h]
		xor	ecx, ecx
		mov	edx, [ebx]
		imul	eax, esi, 18h
		push	1
		mov	edx, [eax+edx+10h]
		call	PopPepUpdateIdleStateRefCount
		mov	edx, [ebx-98h]
		mov	ecx, [edi+18h]
		push	0
		push	esi
		call	PopFxUpdateComponentAccountingEnhanced
		mov	eax, [esp+28h+var_14]
		lea	ebx, [ebx+0A8h]
		inc	eax
		mov	[esp+28h+var_14], eax
		cmp	eax, [edi+84h]
		jb	short loc_55DCE6
		mov	ebx, [esp+28h+var_10]
		jmp	loc_55DBE1
PopPepDeviceDState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPlNotifyDeviceDState	proc near	; CODE XREF: PopPepDeviceDState+4Ep
					; PopPepDeviceDState+78p

var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005E26DD SIZE 0000021B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax+304h]
		mov	[ebp+var_BC], eax
		mov	[ebp+var_C4], esi
		test	esi, esi
		jnz	loc_5E26DD

loc_55DD60:				; CODE XREF: PopPlNotifyDeviceDState+849BDj
					; PopPlNotifyDeviceDState+849C9j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
PopPlNotifyDeviceDState	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopFxGetDeviceDStateReason(x)
_PopFxGetDeviceDStateReason@4 proc near	; CODE XREF: PoFxReportDevicePoweredOn+2Cp
					; PopRequestPowerIrp:loc_55CC2Dp ...
		mov	edi, edi
		push	esi
		push	edi
		lea	esi, [ecx+10h]
		xor	edx, edx
		mov	eax, [esi]

loc_55DD7D:				; CODE XREF: PopFxGetDeviceDStateReason(x)+13j
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [esi], ecx
		jnz	short loc_55DD7D
		mov	edx, eax
		xor	edi, edi
		mov	eax, [esi]

loc_55DD8D:				; CODE XREF: PopFxGetDeviceDStateReason(x)+23j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [esi], ecx
		jnz	short loc_55DD8D
		mov	ecx, eax
		and	ecx, 1
		pop	edi
		pop	esi
		and	edx, 2000h
		jnz	short loc_55DDAE
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
; 

loc_55DDAE:				; CODE XREF: PopFxGetDeviceDStateReason(x)+32j
		push	2
		pop	eax
		retn
_PopFxGetDeviceDStateReason@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepUpdateConstraints(x, x, x)
_PopPepUpdateConstraints@12 proc near	; CODE XREF: PopPepDevicePoweredOn(x,x,x)+41p
					; PopPepDeviceDState+2Fp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		lea	eax, [esi+2Ch]
		push	eax
		call	ExAcquireSpinLockExclusive
		push	3
		xor	edx, edx
		mov	byte ptr [ebp+var_10], al
		mov	ecx, esi
		mov	byte ptr [esi+4Dh], 1
		call	_PopPepCountReadyActivities@12 ; PopPepCountReadyActivities(x,x,x)
		and	[ebp+var_8], 0
		cmp	dword ptr [esi+84h], 0
		mov	[ebp+var_C], eax
		jbe	short loc_55DE13
		lea	edi, [esi+0D0h]

loc_55DDF3:				; CODE XREF: PopPepUpdateConstraints(x,x,x)+5Fj
		mov	eax, [edi-38h]
		and	eax, 1
		or	eax, 0
		jnz	short loc_55DE79

loc_55DDFE:				; CODE XREF: PopPepUpdateConstraints(x,x,x)+104j
					; PopPepUpdateConstraints(x,x,x)+11Cj ...
		mov	eax, [ebp+var_8]
		add	edi, 0A8h
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, [esi+84h]
		jb	short loc_55DDF3

loc_55DE13:				; CODE XREF: PopPepUpdateConstraints(x,x,x)+39j
		push	3
		xor	edx, edx
		mov	ecx, esi
		call	PopPepPromoteActivities
		push	3
		xor	edx, edx
		mov	ecx, esi
		call	_PopPepCountReadyActivities@12 ; PopPepCountReadyActivities(x,x,x)
		mov	ecx, [ebp+var_C]
		mov	edx, eax
		call	_PopPepRequestWork@8 ; PopPepRequestWork(x,x)
		push	[ebp+var_10]
		xor	edx, edx
		mov	ecx, esi
		push	1
		call	PopPepReleaseActivityLink
		cmp	[ebp+arg_0], 0
		jnz	short loc_55DE72
		xor	ecx, ecx
		mov	ebx, ecx
		cmp	[esi+84h], ecx
		jbe	short loc_55DE72
		lea	edi, [esi+0A8h]

loc_55DE59:				; CODE XREF: PopPepUpdateConstraints(x,x,x)+BEj
		mov	eax, [edi-10h]
		and	eax, 1
		or	eax, ecx
		jnz	short loc_55DEE0

loc_55DE63:				; CODE XREF: PopPepUpdateConstraints(x,x,x)+13Aj
		inc	ebx
		add	edi, 0A8h
		cmp	ebx, [esi+84h]
		jb	short loc_55DE59

loc_55DE72:				; CODE XREF: PopPepUpdateConstraints(x,x,x)+93j
					; PopPepUpdateConstraints(x,x,x)+9Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_55DE79:				; CODE XREF: PopPepUpdateConstraints(x,x,x)+4Aj
		cmp	[ebp+arg_0], 0
		lea	ecx, [edi-48h]
		lea	ebx, [edi-28h]
		jnz	short loc_55DED3
		push	edi
		push	1
		xor	edx, edx
		lea	ecx, [edi-18h]
		push	1
		inc	edx
		call	_PopPepCancelActivityRange@20 ;	PopPepCancelActivityRange(x,x,x,x,x)
		mov	eax, [ebp+var_4]
		push	ebx
		and	dword ptr [edi+eax*4+30h], 0
		call	_KeResetEvent@4	; KeResetEvent(x)
		lea	ecx, [edi-48h]

loc_55DEA6:				; CODE XREF: PopPepUpdateConstraints(x,x,x)+12Cj
		push	dword ptr [ebp+arg_0]
		mov	edx, ecx
		mov	ecx, esi
		call	_PopPepUpdateIdleState@12 ; PopPepUpdateIdleState(x,x,x)
		cmp	[ebp+arg_0], 0
		jnz	loc_55DDFE
		mov	eax, [edi-14h]
		cmp	dword ptr [eax], 0
		jnz	short loc_55DEF1
		push	0
		push	0
		push	ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_55DDFE
; 

loc_55DED3:				; CODE XREF: PopPepUpdateConstraints(x,x,x)+D1j
		mov	eax, [edi+54h]
		mov	edx, [ebp+var_4]
		dec	eax
		mov	[ecx+edx*4+78h], eax
		jmp	short loc_55DEA6
; 

loc_55DEE0:				; CODE XREF: PopPepUpdateConstraints(x,x,x)+AFj
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	edi
		call	KeWaitForSingleObject
		xor	ecx, ecx
		jmp	loc_55DE63
; 

loc_55DEF1:				; CODE XREF: PopPepUpdateConstraints(x,x,x)+110j
		mov	byte ptr [eax+10h], 1
		jmp	loc_55DDFE
_PopPepUpdateConstraints@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxLockDevice	proc near		; CODE XREF: PoFxNotifySurprisePowerOn+19p
					; PopAllocateIrp+272p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E28F8 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		xor	esi, esi
		test	edi, edi
		jz	short loc_55DF56
		push	ebx
		lea	ebx, [edi+2Ch]
		push	ebx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		cmp	[ebp+var_1], 0
		mov	esi, [edi+28h]
		mov	[ebp+var_2], al
		jz	short loc_55DF42
		lea	edx, [edi+0A8h]
		xor	edi, edi
		mov	eax, [edx]

loc_55DF2D:				; CODE XREF: PopFxLockDevice+3Bj
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_55DF2D
		and	al, 4
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	esi, eax

loc_55DF42:				; CODE XREF: PopFxLockDevice+27j
		test	esi, esi
		jnz	short loc_55DF5C

loc_55DF46:				; CODE XREF: PopFxLockDevice+6Fj
					; PopFxLockDevice+84A19j
		push	ebx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx

loc_55DF56:				; CODE XREF: PopFxLockDevice+11j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_55DF5C:				; CODE XREF: PopFxLockDevice+4Aj
		lea	ecx, [esi+80h]
		lock inc dword ptr [ecx]
		cmp	byte ptr [esi+7Ch], 0
		jz	short loc_55DF46
		jmp	loc_5E28F8
PopFxLockDevice	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IofCallDriverSpecifyReturn proc	near	; CODE XREF: PopRequestPowerIrp+1AEp
					; VerifierPoCallDriver(x,x)+2Dp
					; DATA XREF: ...

; FUNCTION CHUNK AT 005E2918 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_IopDispatchCallDriver
		test	eax, eax
		jnz	loc_5E2918
		call	IopfCallDriver

loc_55DF87:				; CODE XREF: IofCallDriverSpecifyReturn+849B2j
		pop	ebp
		retn	4
IofCallDriverSpecifyReturn endp

; 
		align 4

;  S U B	R O U T	I N E 


IopfCallDriver	proc near		; CODE XREF: IofCallDriverSpecifyReturn+12p
					; IopPerfCallDriver(x,x)+69p ...

; FUNCTION CHUNK AT 005E292D SIZE 0000006A BYTES

		mov	edi, edi
		push	ecx
		dec	byte ptr [edx+23h]
		mov	al, [edx+23h]
		push	ebx
		push	esi
		mov	esi, ecx
		test	al, al
		jle	loc_5E292D
		mov	eax, [edx+60h]
		sub	eax, 24h
		mov	[edx+60h], eax
		mov	bl, [eax]
		mov	[eax+14h], esi
		cmp	bl, 16h
		jnz	short loc_55DFBF
		mov	al, [eax+1]
		cmp	al, 2
		jz	short loc_55DFCF
		cmp	al, 3
		jz	short loc_55DFCF

loc_55DFBF:				; CODE XREF: IopfCallDriver+26j
		mov	ecx, [esi+8]
		movzx	eax, bl
		push	edx
		push	esi
		call	dword ptr [ecx+eax*4+38h]

loc_55DFCB:				; CODE XREF: IopfCallDriver+4Aj
		pop	esi
		pop	ebx
		pop	ecx
		retn
; 

loc_55DFCF:				; CODE XREF: IopfCallDriver+2Dj
					; IopfCallDriver+31j
		mov	ecx, edx
		call	@IopPoHandleIrp@4 ; IopPoHandleIrp(x)
		jmp	short loc_55DFCB
IopfCallDriver	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepCompleteComponentIdleStateChangeActivity proc near ; DATA	XREF: .text:004012FCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	edi
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_55E056
		mov	eax, [edi+34h]
		xor	edx, edx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	[eax+0Ch], edx
		mov	eax, [edi+34h]
		mov	[eax+10h], dl
		cmp	[edi+98h], dl
		jnz	loc_5E293B

loc_55E006:				; CODE XREF: IopfCallDriver+849B2j
					; IopfCallDriver+849D8j ...
		cmp	[edi+90h], edx
		jz	short loc_55E05B

loc_55E00E:				; CODE XREF: PopPepCompleteComponentIdleStateChangeActivity+90j
		push	edx
		mov	edx, edi
		mov	ecx, ebx
		call	_PopPepUpdateIdleState@12 ; PopPepUpdateIdleState(x,x,x)
		mov	edx, edi
		mov	ecx, ebx
		call	_PopPepTryPowerDownComponent@8 ; PopPepTryPowerDownComponent(x,x)
		mov	esi, [edi+90h]
		imul	ecx, [edi+94h],	18h
		mov	eax, [edi+0A0h]
		imul	edx, esi, 18h
		push	0
		mov	ecx, [ecx+eax+10h]
		mov	edx, [edx+eax+10h]
		call	PopPepUpdateIdleStateRefCount
		mov	edx, [edi+8]
		mov	ecx, [ebx+18h]
		push	1
		push	esi
		call	PopFxUpdateComponentAccountingEnhanced
		pop	esi
		pop	ebx

loc_55E056:				; CODE XREF: PopPepCompleteComponentIdleStateChangeActivity+Dj
		pop	edi
		leave
		retn	8
; 

loc_55E05B:				; CODE XREF: PopPepCompleteComponentIdleStateChangeActivity+34j
		push	edx
		push	edx
		lea	eax, [edi+20h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	edx, edx
		jmp	short loc_55E00E
PopPepCompleteComponentIdleStateChangeActivity endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxUpdateComponentAccountingEnhanced proc near ; CODE	XREF: PopPepDeviceDState+15Fp
					; PopPepDeviceDState+1F9p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E2997 SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+240h]
		push	ebx
		push	esi
		mov	esi, [eax+edx*4]
		add	esi, 90h
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	loc_5E2997
		js	loc_5E2997

loc_55E0A0:				; CODE XREF: PopFxUpdateComponentAccountingEnhanced+84933j
					; PopFxUpdateComponentAccountingEnhanced+84943j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5E29F5
		xor	eax, eax
		lock and [esi],	eax

loc_55E0B2:				; CODE XREF: PopFxUpdateComponentAccountingEnhanced+84995j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
PopFxUpdateComponentAccountingEnhanced endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepUpdateIdleStateRefCount proc near	; CODE XREF: PopPepDeviceDState+DDp
					; PopPepDeviceDState+14Ap ...

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_8E		= byte ptr -8Eh
var_8D		= byte ptr -8Dh
var_8C		= dword	ptr -8Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E2A04 SIZE 000001B3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, edx
		push	80h		; size_t
		push	eax		; int
		mov	[ebp+var_9C], eax
		mov	ebx, ecx
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_8C]
		push	eax		; void *
		mov	[ebp+var_94], esi
		call	_memset
		mov	edi, ebx
		mov	[ebp+var_8D], 0
		xor	edi, esi
		xor	cl, cl
		xor	esi, esi
		mov	[ebp+var_8E], cl
		add	esp, 0Ch
		cmp	[ebp+arg_0], esi
		jnz	short loc_55E141

loc_55E11F:				; CODE XREF: PopPepUpdateIdleStateRefCount+87j
		and	edi, ebx
		bsf	ecx, edi
		mov	[ebp+var_98], ecx
		jnz	loc_5E2A04

loc_55E130:				; CODE XREF: PopPepUpdateIdleStateRefCount+84AE0j
					; PopPepUpdateIdleStateRefCount+84AF2j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_55E141:				; CODE XREF: PopPepUpdateIdleStateRefCount+5Dj
		mov	ebx, [ebp+var_94]
		jmp	short loc_55E11F
PopPepUpdateIdleStateRefCount endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopPepDeviceWaitWake(x, x)
_PopPepDeviceWaitWake@8	proc near	; CODE XREF: PopRequestCompletion+F3p
					; PopRequestPowerIrp+1F2p
		mov	edi, edi
		push	esi
		lea	esi, [ecx+50h]
		test	dl, dl
		jnz	short loc_55E16C
		xor	eax, eax
		inc	eax
		lock xadd [esi], eax
		inc	eax
		cmp	eax, 1

loc_55E15F:				; CODE XREF: PopPepDeviceWaitWake(x,x)+29j
		jnz	short loc_55E16A
		push	edx
		push	5
		pop	edx
		call	_PopPepUpdateConstraints@12 ; PopPepUpdateConstraints(x,x,x)

loc_55E16A:				; CODE XREF: PopPepDeviceWaitWake(x,x):loc_55E15Fj
		pop	esi
		retn
; 

loc_55E16C:				; CODE XREF: PopPepDeviceWaitWake(x,x)+8j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		jmp	short loc_55E15F
_PopPepDeviceWaitWake@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


MiSetNonPagedPoolNoSteal proc near	; CODE XREF: MiGetPhysicalAddress+99p

; FUNCTION CHUNK AT 005E2CC7 SIZE 00000017 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi]
		nop
		mov	ecx, [edi+4]
		mov	eax, esi
		and	eax, 200h
		or	eax, 0
		jz	short loc_55E191

loc_55E18E:				; CODE XREF: MiSetNonPagedPoolNoSteal+3Ej
		pop	edi
		pop	esi
		retn
; 

loc_55E191:				; CODE XREF: MiSetNonPagedPoolNoSteal+16j
		push	ebx

loc_55E192:				; CODE XREF: MiSetNonPagedPoolNoSteal+84B5Dj
		mov	ebx, esi
		mov	eax, esi
		or	ebx, 220h
		mov	edx, ecx
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	loc_5E2CC7
		cmp	edx, ecx
		jnz	loc_5E2CC7

loc_55E1B3:				; CODE XREF: MiSetNonPagedPoolNoSteal+84B63j
		pop	ebx
		jmp	short loc_55E18E
MiSetNonPagedPoolNoSteal endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeFlushMultipleRangeCurrentTb proc near	; CODE XREF: .text:00453E9Ep
					; MiFlushTbList+22Cp ...

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E2CDE SIZE 00000073 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_C], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_1C]
		mov	byte ptr [ebp+var_8], 0
		stosd
		mov	ebx, edx
		mov	[ebp+var_10], ebx
		mov	esi, ecx
		stosd
		stosd
		mov	eax, ds:_HvlEnlightenments
		test	eax, (offset loc_7FFFFF+1)
		jnz	loc_5E2CDE

loc_55E1F2:				; CODE XREF: KeFlushMultipleRangeCurrentTb+84B2Aj
					; KeFlushMultipleRangeCurrentTb+84B61j
		test	esi, esi
		jz	short loc_55E20C
		mov	edi, ebx
		mov	ebx, esi

loc_55E1FA:				; CODE XREF: KeFlushMultipleRangeCurrentTb+51j
		push	dword ptr [edi]
		call	_KiFlushRangeTb@8 ; KiFlushRangeTb(x,x)
		lea	edi, [edi+4]
		sub	ebx, 1
		jnz	short loc_55E1FA
		mov	ebx, [ebp+var_10]

loc_55E20C:				; CODE XREF: KeFlushMultipleRangeCurrentTb+3Ej
					; KeFlushMultipleRangeCurrentTb+84B5Bj
		cmp	ds:_VmTbFlushEnabled, 0
		jnz	loc_5E2D1C

loc_55E219:				; CODE XREF: KeFlushMultipleRangeCurrentTb+84B72j
		cmp	_ExTbFlushActive, 0
		jnz	loc_5E2D2D

loc_55E226:				; CODE XREF: KeFlushMultipleRangeCurrentTb+84B96j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
KeFlushMultipleRangeCurrentTb endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiFlushRangeTb(x, x)
_KiFlushRangeTb@8 proc near		; CODE XREF: KeFlushMultipleRangeCurrentTb+46p
					; KeFlushMultipleRangeTb+15E0D4p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, edx
		shr	eax, 0Ah
		and	eax, 3
		imul	ecx, eax, 9
		mov	eax, edx
		push	esi
		mov	esi, 1000h
		shl	esi, cl
		and	eax, 3FFh
		jmp	short loc_55E261
; 

loc_55E25C:				; CODE XREF: KiFlushRangeTb(x,x)+2Cj
		add	edx, esi
		sub	eax, 1

loc_55E261:				; CODE XREF: KiFlushRangeTb(x,x)+22j
		invlpg	byte ptr [edx]
		jnz	short loc_55E25C
		pop	esi
		pop	ebp
		retn	4
_KiFlushRangeTb@8 endp

; 
		align 10h
; Exported entry 1172. KeInitializeInterrupt

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KeInitializeInterrupt(void *,int,int,int,int,int,int,char,char,int,char,int,int)
		public _KeInitializeInterrupt@52
_KeInitializeInterrupt@52 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= byte ptr  24h
arg_20		= byte ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= byte ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		mov	edx, [ebp+arg_4] ; int
		push	eax		; int
		push	eax		; char
		push	[ebp+arg_30]	; int
		mov	ecx, [ebp+arg_0] ; void	*
		push	[ebp+arg_2C]	; int
		push	dword ptr [ebp+arg_28] ; char
		push	[ebp+arg_24]	; int
		push	dword ptr [ebp+arg_20] ; char
		push	dword ptr [ebp+arg_1C] ; char
		push	[ebp+arg_18]	; int
		push	eax		; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		call	KeInitializeInterruptEx
		pop	ebp
		retn	34h
_KeInitializeInterrupt@52 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall KeInitializeInterruptEx(void *,int,int,int,int,int,int,int,char,char,int,char,int,int,char,int)
KeInitializeInterruptEx	proc near	; CODE XREF: KeInitializeInterrupt(x,x,x,x,x,x,x,x,x,x,x,x,x)+31p
					; IopConnectInterrupt+1DEp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h
arg_1C		= byte ptr  24h
arg_20		= dword	ptr  28h
arg_24		= byte ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= byte ptr  38h
arg_34		= dword	ptr  3Ch

; FUNCTION CHUNK AT 005E2D5B SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, 0D0h
		mov	edi, ecx
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		mov	esi, edx
		call	_memset
		add	esp, 0Ch
		mov	[edi+2], bx
		push	16h
		pop	eax
		mov	[edi], ax
		mov	eax, [ebp+arg_4]
		mov	[edi+18h], eax
		test	esi, esi
		jz	short loc_55E33D

loc_55E2DB:				; CODE XREF: KeInitializeInterruptEx+A4j
		mov	ebx, [ebp+arg_C]
		mov	[edi+0Ch], esi
		test	ebx, ebx
		jz	short loc_55E350
		mov	eax, ebx

loc_55E2E7:				; CODE XREF: KeInitializeInterruptEx+ACj
		mov	cl, [ebp+arg_1C]
		mov	[edi+24h], eax
		mov	eax, [ebp+arg_14]
		mov	[edi+2Ch], eax
		mov	eax, [ebp+arg_20]
		mov	[edi+40h], eax
		mov	al, [ebp+arg_24]
		mov	[edi+38h], al
		mov	al, [ebp+arg_18]
		mov	[edi+31h], cl
		mov	[edi+30h], al
		test	cl, cl
		jz	loc_5E2D5B

loc_55E310:				; CODE XREF: KeInitializeInterruptEx+84AC1j
		mov	eax, [ebp+arg_28]
		mov	edx, ebx
		push	[ebp+arg_2C]
		mov	[edi+34h], eax
		mov	ecx, edi
		mov	al, [ebp+arg_30]
		mov	[edi+39h], al
		mov	eax, [ebp+arg_34]
		mov	[edi+60h], eax
		and	dword ptr [edi+3Ch], 0
		call	_KiInitializeInterrupt@12 ; KiInitializeInterrupt(x,x,x)
		mov	byte ptr [edi+33h], 0
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	38h
; 

loc_55E33D:				; CODE XREF: KeInitializeInterruptEx+2Fj
		mov	eax, [ebp+arg_0]
		mov	esi, offset _KiInterruptMessageDispatch@8 ; KiInterruptMessageDispatch(x,x)
		mov	[edi+10h], eax
		mov	eax, [ebp+arg_8]
		mov	[edi+14h], eax
		jmp	short loc_55E2DB
; 

loc_55E350:				; CODE XREF: KeInitializeInterruptEx+39j
		lea	eax, [edi+1Ch]
		and	dword ptr [eax], 0
		jmp	short loc_55E2E7
KeInitializeInterruptEx	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInitializeInterrupt(x, x,	x)
_KiInitializeInterrupt@12 proc near	; CODE XREF: KeInitializeInterruptEx+83p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [ebp+arg_0]
		or	dword ptr [ecx+20h], 0FFFFFFFFh
		or	dword ptr [ecx+4Ch], 0FFFFFFFFh
		mov	[ecx+32h], al
		cmp	edx, 0FFFFFFFFh
		jz	short loc_55E38B
		cmp	edx, 0FFFFFFFDh
		jz	short loc_55E38B
		mov	eax, offset _KiSpuriousDispatchNoEOI@0 ; KiSpuriousDispatchNoEOI()
		cmp	edx, 0FFFFFFFEh
		jz	short loc_55E384
		mov	eax, offset _KiInterruptDispatch@0 ; KiInterruptDispatch()

loc_55E384:				; CODE XREF: KiInitializeInterrupt(x,x,x)+25j
					; KiInitializeInterrupt(x,x,x)+38j
		mov	[ecx+28h], eax
		pop	ebp
		retn	4
; 

loc_55E38B:				; CODE XREF: KiInitializeInterrupt(x,x,x)+16j
					; KiInitializeInterrupt(x,x,x)+1Bj
		mov	eax, offset _KiInterruptDispatchNoLockNoEtwNoStack@0 ; KiInterruptDispatchNoLockNoEtwNoStack()
		jmp	short loc_55E384
_KiInitializeInterrupt@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAllocateInterrupt(x)
_KeAllocateInterrupt@4 proc near	; CODE XREF: IopConnectInterrupt+190p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edi
		mov	eax, [edi+338h]
		lea	ebx, [edi+4058h]
		mov	ecx, ebx
		movzx	esi, word ptr [eax+8Ah]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	short loc_55E3CB

loc_55E3C0:				; CODE XREF: KeAllocateInterrupt(x)+76j
		mov	[eax+0D0h], edi

loc_55E3C6:				; CODE XREF: KeAllocateInterrupt(x)+7Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55E3CB:				; CODE XREF: KeAllocateInterrupt(x)+2Cj
		mov	ecx, esi
		mov	[ebp+var_8], ecx

loc_55E3D0:				; CODE XREF: KeAllocateInterrupt(x)+78j
		mov	edx, ecx
		mov	ecx, 1000h
		call	_MmAllocateIndependentPages@8 ;	MmAllocateIndependentPages(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_55E40C
		push	10h
		pop	edi

loc_55E3E5:				; CODE XREF: KeAllocateInterrupt(x)+65j
		mov	edx, esi
		mov	ecx, ebx
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		add	esi, 100h
		sub	edi, 1
		jnz	short loc_55E3E5
		mov	ecx, ebx
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		test	eax, eax
		jnz	short loc_55E3C0
		jmp	short loc_55E3D0
; 

loc_55E40C:				; CODE XREF: KeAllocateInterrupt(x)+4Ej
		xor	eax, eax
		jmp	short loc_55E3C6
_KeAllocateInterrupt@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeConnectInterrupt proc	near		; CODE XREF: IopConnectInterrupt+22Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E2D70 SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	bh, dl
		mov	ecx, [ebp+arg_0]
		call	KiIsInterruptTypeSecondary
		mov	dl, al
		mov	[ebp+var_1], 0
		xor	bl, bl
		mov	[ebp+var_2], dl
		test	bh, bh
		jz	short loc_55E470

loc_55E43A:				; CODE XREF: KeConnectInterrupt+5Ej
		movzx	eax, bl
		mov	ecx, [edi+eax*4]
		or	dword ptr [ecx+3Ch], 1
		test	dl, dl
		jnz	loc_5E2D70
		call	KiConnectInterruptInternal

loc_55E451:				; CODE XREF: KeConnectInterrupt+84965j
		mov	esi, eax
		test	esi, esi
		js	loc_5E2DC4
		cmp	esi, 127h
		jz	loc_5E2D7A

loc_55E467:				; CODE XREF: KeConnectInterrupt+8496Ej
		mov	dl, [ebp+var_2]
		inc	bl
		cmp	bl, bh
		jb	short loc_55E43A

loc_55E470:				; CODE XREF: KeConnectInterrupt+28j
		mov	ecx, [ebp+arg_0]
		add	ecx, 8
		movzx	eax, bh
		mov	[ebp+var_10], ecx
		mov	edx, eax
		push	ecx
		mov	ecx, edi
		mov	[ebp+var_C], eax
		call	KiIntSteerConnect
		mov	esi, eax
		test	esi, esi
		js	loc_5E2DC4
		xor	bl, bl
		test	bh, bh
		jz	short loc_55E4B3
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		mov	bl, bh

loc_55E4A0:				; CODE XREF: KeConnectInterrupt+A1j
		mov	eax, [ecx]
		push	0FFFFFFFEh
		pop	esi
		add	eax, 3Ch
		lock and [eax],	esi
		lea	ecx, [ecx+4]
		sub	edx, 1
		jnz	short loc_55E4A0

loc_55E4B3:				; CODE XREF: KeConnectInterrupt+87j
		cmp	[ebp+var_1], 0
		jnz	loc_5E2D83
		push	[ebp+arg_0]
		call	ds:__imp__HalEnableInterrupt@4 ; HalEnableInterrupt(x)
		mov	esi, eax
		test	esi, esi
		js	loc_5E2DC4
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	_KiIntSteerEnable@8 ; KiIntSteerEnable(x,x)

loc_55E4DA:				; CODE XREF: KeConnectInterrupt+849AFj
		test	esi, esi
		js	loc_5E2DC4

loc_55E4E2:				; CODE XREF: KeConnectInterrupt+849B6j
					; KeConnectInterrupt+849C8j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
KeConnectInterrupt endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIntSteerEnable(x,	x)
_KiIntSteerEnable@8 proc near		; CODE XREF: KeConnectInterrupt+C5p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, ecx
		mov	eax, [edi]
		mov	eax, [eax+64h]
		test	eax, eax
		jz	short loc_55E55C
		cmp	byte ptr [eax+28h], 0
		jz	short loc_55E563
		mov	eax, [eax+8]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], eax
		push	esi
		mov	eax, [eax+68h]
		xor	esi, esi
		inc	ebx
		cmp	eax, 2
		jnz	short loc_55E54D
		call	_KiIntRedirectEnable@8 ; KiIntRedirectEnable(x,x)
		mov	ecx, eax

loc_55E520:				; CODE XREF: KiIntSteerEnable(x,x)+6Ej
		test	ecx, ecx
		js	short loc_55E546

loc_55E524:				; CODE XREF: KiIntSteerEnable(x,x)+67j
		mov	eax, [ebp+var_4]
		mov	[eax+6Ch], bl
		mov	eax, offset _KiIntTrackRootEnabled
		xchg	ebx, [eax]
		test	edx, edx
		jz	short loc_55E546

loc_55E535:				; CODE XREF: KiIntSteerEnable(x,x)+58j
		mov	eax, [edi+esi*4]
		push	4
		pop	ebx
		add	eax, 3Ch
		lock or	[eax], ebx
		inc	esi
		cmp	esi, edx
		jb	short loc_55E535

loc_55E546:				; CODE XREF: KiIntSteerEnable(x,x)+36j
					; KiIntSteerEnable(x,x)+47j
		pop	esi
		pop	ebx

loc_55E548:				; CODE XREF: KiIntSteerEnable(x,x)+75j
					; KiIntSteerEnable(x,x)+79j
		mov	eax, ecx
		pop	edi
		leave
		retn
; 

loc_55E54D:				; CODE XREF: KiIntSteerEnable(x,x)+2Bj
		cmp	eax, ebx
		jnz	short loc_55E555
		mov	ecx, esi
		jmp	short loc_55E524
; 

loc_55E555:				; CODE XREF: KiIntSteerEnable(x,x)+63j
		mov	ecx, 0C00000BBh
		jmp	short loc_55E520
; 

loc_55E55C:				; CODE XREF: KiIntSteerEnable(x,x)+10j
		mov	ecx, 0C00000BBh
		jmp	short loc_55E548
; 

loc_55E563:				; CODE XREF: KiIntSteerEnable(x,x)+16j
		xor	ecx, ecx
		jmp	short loc_55E548
_KiIntSteerEnable@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIntSteerConnect proc near		; CODE XREF: KeConnectInterrupt+74p

var_28		= dword	ptr -28h
var_24		= word ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E2DDD SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], ecx
		lea	edi, [ebp+var_28]
		xor	ecx, ecx
		stosd
		mov	esi, edx
		mov	[ebp+var_1C], esi
		mov	byte ptr [ebp+var_C], cl
		mov	[ebp+var_10], ecx
		stosd
		mov	[ebp+var_14], ecx
		stosd
		mov	eax, _KiIntSteerEtwHandle
		or	eax, dword_6FBC0C
		jz	loc_55E7F0

loc_55E59F:				; CODE XREF: KiIntSteerConnect+29Dj
		mov	ebx, [ebp+arg_0]
		lea	eax, [ebp+var_C]
		push	eax
		lea	edx, [ebp+var_10]
		mov	ecx, ebx
		call	KiIntSteerGetLineInformation
		test	eax, eax
		js	loc_5E2DDD
		push	6B725449h
		push	80h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_18], edx
		test	edx, edx
		jz	loc_5E2DED
		mov	eax, [ebp+var_8]
		lea	edi, [edx+30h]
		mov	[edx+10h], eax
		xor	eax, eax
		mov	[edx+0Ch], esi
		mov	esi, ebx
		mov	[edx+18h], eax
		mov	[edx+1Ch], eax
		mov	[edx+20h], eax
		mov	[edx+24h], eax
		mov	al, byte ptr [ebp+var_C]
		push	14h
		pop	ecx
		mov	[edx+28h], al
		rep movsd
		mov	esi, [ebp+var_1C]
		xor	ecx, ecx
		mov	edi, [ebp+var_8]
		test	esi, esi
		jz	short loc_55E643

loc_55E60C:				; CODE XREF: KiIntSteerConnect+D9j
		mov	eax, [edi+ecx*4]
		and	dword ptr [eax+68h], 0
		and	dword ptr [eax+6Ch], 0
		and	dword ptr [eax+78h], 0
		and	dword ptr [eax+7Ch], 0
		and	dword ptr [eax+80h], 0
		and	dword ptr [eax+84h], 0
		and	dword ptr [eax+90h], 0
		and	dword ptr [eax+94h], 0
		inc	ecx
		mov	[eax+64h], edx
		cmp	ecx, esi
		jb	short loc_55E60C

loc_55E643:				; CODE XREF: KiIntSteerConnect+A2j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _KiIntTrackSpinlock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	edx, edx
		cmp	[ebx], edx
		jz	loc_55E7BB

loc_55E660:				; CODE XREF: KiIntSteerConnect+25Fj
					; KiIntSteerConnect+27Aj
		push	6B725449h
		push	0A8h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5E2E1F
		lea	eax, [ebp+var_14]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_C]
		mov	eax, [ebp+arg_0]
		push	ecx
		push	eax
		mov	ecx, edi
		call	_KiIntSteerChooseInitialTargetProcessors@28 ; KiIntSteerChooseInitialTargetProcessors(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_55E762
		push	0A8h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	esi, [ebp+arg_0]
		lea	eax, [ebx+8]
		mov	dx, [ebp+var_24]
		lea	edi, [ebx+18h]
		mov	[eax+4], eax
		xor	ecx, ecx
		mov	[eax], eax
		add	esp, 0Ch
		mov	eax, [ebp+var_10]
		mov	[ebx+10h], eax
		mov	[ebx+6Ch], cl
		mov	[ebx+7Ch], ecx
		mov	ax, [esi+18h]
		mov	[ebx+74h], ax
		mov	eax, [ebp+var_14]
		mov	[ebx+68h], eax
		mov	eax, [ebp+var_28]
		mov	[ebx+70h], ecx
		lea	ecx, [ebx+80h]
		mov	[ecx+4], dx
		mov	[ecx], eax
		push	14h
		mov	[ebx+90h], dx
		mov	[ebx+8Ch], eax
		cmp	dword ptr [ebx+68h], 2
		pop	ecx
		rep movsd
		jnz	short loc_55E71A
		mov	eax, [ebp+var_8]
		mov	eax, [eax]
		mov	eax, [eax+0C8h]
		mov	[ebx+0A0h], eax

loc_55E71A:				; CODE XREF: KiIntSteerConnect+19Fj
		mov	eax, dword_6C74EC
		mov	ecx, offset _KiIntTrackRootList
		cmp	[eax], ecx
		jnz	loc_55E80A
		mov	[ebx], ecx
		lea	esi, [ebx+80h]
		mov	[ebx+4], eax
		xor	edx, edx
		mov	[eax], ebx
		inc	_KiIntTrackRootCount
		push	ecx
		mov	ecx, esi
		mov	dword_6C74EC, ebx
		call	_KiIntSteerUpdateDeviceInterruptMask@12	; KiIntSteerUpdateDeviceInterruptMask(x,x,x)
		cmp	dword ptr [ebx+68h], 0
		jz	short loc_55E75E
		mov	edx, esi
		mov	ecx, ebx
		call	_KiIntSteerSetDestination@8 ; KiIntSteerSetDestination(x,x)

loc_55E75E:				; CODE XREF: KiIntSteerConnect+1EBj
		xor	esi, esi
		test	esi, esi

loc_55E762:				; CODE XREF: KiIntSteerConnect+133j
		jnz	loc_5E2E24

loc_55E768:				; CODE XREF: KiIntSteerConnect+848B2j
		mov	eax, [ebp+var_18]
		mov	[eax+8], ebx
		add	ebx, 8
		mov	ecx, [ebx+4]
		cmp	[ecx], ebx
		jnz	loc_55E80A
		mov	[eax+4], ecx
		mov	edx, (offset loc_406AF7+1)
		mov	[eax], ebx
		mov	[ecx], eax
		mov	ecx, eax
		mov	[ebx+4], eax
		call	KiIntSteerLogState

loc_55E792:				; CODE XREF: KiIntSteerConnect+848CAj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _KiIntTrackSpinlock
		jnz	loc_5E2E37
		xor	eax, eax
		lock and [ecx],	eax

loc_55E7A9:				; CODE XREF: KiIntSteerConnect+848D7j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi

loc_55E7B4:				; CODE XREF: KiIntSteerConnect+84880j
					; KiIntSteerConnect+8488Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_55E7BB:				; CODE XREF: KiIntSteerConnect+F2j
		mov	ebx, _KiIntTrackRootList
		cmp	ebx, offset _KiIntTrackRootList
		jz	loc_55E660
		mov	ecx, [ebp+var_10]

loc_55E7D0:				; CODE XREF: KiIntSteerConnect+278j
		mov	eax, [ebx+10h]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_55E7E7

loc_55E7D8:				; CODE XREF: KiIntSteerConnect+281j
		mov	ebx, [ebx]
		cmp	ebx, offset _KiIntTrackRootList
		jnz	short loc_55E7D0
		jmp	loc_55E660
; 

loc_55E7E7:				; CODE XREF: KiIntSteerConnect+26Ej
		cmp	eax, ecx
		jnz	short loc_55E7D8
		jmp	loc_5E2DF7
; 

loc_55E7F0:				; CODE XREF: KiIntSteerConnect+31j
		push	offset _KiIntSteerEtwHandle
		push	ecx
		push	offset _KiIntSteerEventTraceControlCallback@36 ; KiIntSteerEventTraceControlCallback(x,x,x,x,x,x,x,x,x)
		push	offset _INTSTEER_ETW_PROVIDER
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		jmp	loc_55E59F
; 

loc_55E80A:				; CODE XREF: KiIntSteerConnect+1BEj
					; KiIntSteerConnect+20Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
KiIntSteerConnect endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIntSteerLogState proc	near		; CODE XREF: KiIntSteerDisable+25p
					; KiIntSteerConnect+225p ...

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E2E44 SIZE 00000094 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		mov	ecx, esi
		call	_KiIntSteerEtwEventEnabled@4 ; KiIntSteerEtwEventEnabled(x)
		test	al, al
		jnz	loc_5E2E44

loc_55E837:				; CODE XREF: KiIntSteerLogState+846C3j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
KiIntSteerLogState endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIntSteerChooseInitialTargetProcessors(x, x, x, x,	x, x, x)
_KiIntSteerChooseInitialTargetProcessors@28 proc near ;	CODE XREF: KiIntSteerConnect+12Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		xor	eax, eax
		push	edi
		mov	edi, esi
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		lea	ebx, [eax+14h]
		push	ebx
		push	dword ptr [eax+10h]
		push	[ebp+arg_8]
		call	_KeIntSteerGetSteeringMode@20 ;	KeIntSteerGetSteeringMode(x,x,x,x,x)
		mov	edx, eax
		mov	[ebp+arg_C], edx
		cmp	edx, 2
		jnz	short loc_55E895
		push	[ebp+arg_0]
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		call	_KiIntRedirectConnnect@12 ; KiIntRedirectConnnect(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_55E8C7
		mov	edx, [ebp+arg_C]

loc_55E895:				; CODE XREF: KiIntSteerChooseInitialTargetProcessors(x,x,x,x,x,x,x)+36j
		movzx	ecx, word ptr [ebx+4]
		mov	[esi+4], cx
		test	edx, edx
		jz	short loc_55E8D0
		mov	eax, dword_6C7528[ecx*4]
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_55E8DC
		bsf	ecx, eax

loc_55E8B1:				; CODE XREF: KiIntSteerChooseInitialTargetProcessors(x,x,x,x,x,x,x)+99j
		xor	eax, eax
		mov	[esi+4], ebx
		inc	eax
		mov	[esi+8], ebx
		shl	eax, cl
		mov	[esi], eax

loc_55E8BE:				; CODE XREF: KiIntSteerChooseInitialTargetProcessors(x,x,x,x,x,x,x)+94j
		test	edi, edi
		js	short loc_55E8C7
		mov	eax, [ebp+arg_10]
		mov	[eax], edx

loc_55E8C7:				; CODE XREF: KiIntSteerChooseInitialTargetProcessors(x,x,x,x,x,x,x)+4Aj
					; KiIntSteerChooseInitialTargetProcessors(x,x,x,x,x,x,x)+7Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_55E8D0:				; CODE XREF: KiIntSteerChooseInitialTargetProcessors(x,x,x,x,x,x,x)+59j
		mov	eax, [ebx]
		mov	[esi], eax
		or	dword_6C7508, eax
		jmp	short loc_55E8BE
; 

loc_55E8DC:				; CODE XREF: KiIntSteerChooseInitialTargetProcessors(x,x,x,x,x,x,x)+66j
		or	ecx, 0FFFFFFFFh
		jmp	short loc_55E8B1
_KiIntSteerChooseInitialTargetProcessors@28 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeIntSteerGetSteeringMode(x, x, x, x, x)
_KeIntSteerGetSteeringMode@20 proc near	; CODE XREF: KiIntSteerChooseInitialTargetProcessors(x,x,x,x,x,x,x)+29p
					; ExpQueryInterruptSteeringInformation+84030p

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		cmp	_KiIntSteerEnabled, cl
		jz	short loc_55E930
		cmp	[ebp+arg_0], cl
		jz	short loc_55E930
		mov	eax, [ebp+arg_8]
		cmp	[eax+4], cx
		jnz	short loc_55E930
		mov	eax, [eax]
		cmp	eax, ds:dword_70E328
		jnz	short loc_55E930
		mov	eax, _KiInterruptControllerInfo
		mov	edx, eax
		and	edx, 1
		jz	short loc_55E91A
		cmp	[ebp+arg_4], ecx
		jz	short loc_55E936

loc_55E91A:				; CODE XREF: KeIntSteerGetSteeringMode(x,x,x,x,x)+31j
		shr	eax, 1
		and	eax, 1
		cmp	[ebp+arg_4], 1
		jnz	short loc_55E930
		test	eax, eax
		jnz	short loc_55E936
		test	edx, edx
		jz	short loc_55E930
		push	2
		pop	ecx

loc_55E930:				; CODE XREF: KeIntSteerGetSteeringMode(x,x,x,x,x)+Dj
					; KeIntSteerGetSteeringMode(x,x,x,x,x)+12j ...
		mov	eax, ecx
		pop	ebp
		retn	0Ch
; 

loc_55E936:				; CODE XREF: KeIntSteerGetSteeringMode(x,x,x,x,x)+36j
					; KeIntSteerGetSteeringMode(x,x,x,x,x)+45j
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_55E930
_KeIntSteerGetSteeringMode@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIntSteerGetLineInformation proc near	; CODE XREF: KiIntSteerConnect+43p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E2ED8 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_C], edx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		push	edi
		mov	edi, [eax]
		or	esi, 0FFFFFFFFh
		inc	ebx
		test	edi, edi
		jz	short loc_55E973
		cmp	edi, 3
		jnz	short loc_55E990
		xor	eax, eax

loc_55E962:				; CODE XREF: KiIntSteerGetLineInformation+52j
					; KiIntSteerGetLineInformation+59j
		mov	ecx, [ebp+var_C]
		pop	edi
		mov	[ecx], esi
		mov	ecx, [ebp+arg_0]
		pop	esi
		mov	[ecx], bl
		pop	ebx
		leave
		retn	4
; 

loc_55E973:				; CODE XREF: KiIntSteerGetLineInformation+1Dj
		mov	eax, [eax+30h]
		push	eax
		push	edi
		mov	[ebp+var_4], eax
		call	off_6B1308	; xHalpIsInterruptTypeSecondary(x,x)
		test	al, al
		jnz	loc_5E2ED8
		xor	eax, eax

loc_55E98B:				; CODE XREF: KiIntSteerGetLineInformation+845ABj
		mov	esi, [ebp+var_4]
		jmp	short loc_55E962
; 

loc_55E990:				; CODE XREF: KiIntSteerGetLineInformation+22j
		mov	eax, 0C00000BBh
		jmp	short loc_55E962
KiIntSteerGetLineInformation endp

; 
		align 4

;  S U B	R O U T	I N E 


KiIsInterruptTypeSecondary proc	near	; CODE XREF: KeDisconnectInterrupt+20p
					; KiIntSteerDisable+110p ...

; FUNCTION CHUNK AT 005E2EEC SIZE 00000017 BYTES

		cmp	_KiSecondaryInterruptServicesEnabled, 0
		jnz	loc_5E2EEC

loc_55E9A5:				; CODE XREF: KiIsInterruptTypeSecondary+84557j
		xor	al, al
		retn
KiIsInterruptTypeSecondary endp


;  S U B	R O U T	I N E 


; __stdcall KiIntRedirectEnable(x, x)
_KiIntRedirectEnable@8 proc near	; CODE XREF: KiIntSteerEnable(x,x)+2Dp
		test	edx, edx
		jz	short loc_55E9BF
		mov	eax, [ecx]
		mov	eax, [eax+0C8h]
		test	eax, eax
		jz	short loc_55E9BF
		mov	byte ptr [eax+0Ch], 1
		xor	eax, eax
		retn
; 

loc_55E9BF:				; CODE XREF: KiIntRedirectEnable(x,x)+2j
					; KiIntRedirectEnable(x,x)+Ej
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_KiIntRedirectEnable@8 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIntRedirectConnnect(x, x,	x)
_KiIntRedirectConnnect@12 proc near	; CODE XREF: KiIntSteerChooseInitialTargetProcessors(x,x,x,x,x,x,x)+41p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_4]
		xor	esi, esi
		mov	[ebp+var_4], esi
		call	_KiIntRedirectAllocateObject@8 ; KiIntRedirectAllocateObject(x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_55E9FC
		test	edi, edi
		jz	short loc_55E9FC
		mov	ecx, [ebp+var_4]

loc_55E9EE:				; CODE XREF: KiIntRedirectConnnect(x,x,x)+36j
		mov	eax, [ebx+esi*4]
		inc	esi
		mov	[eax+0C8h], ecx
		cmp	esi, edi
		jb	short loc_55E9EE

loc_55E9FC:				; CODE XREF: KiIntRedirectConnnect(x,x,x)+21j
					; KiIntRedirectConnnect(x,x,x)+25j
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	4
_KiIntRedirectConnnect@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIntRedirectAllocateObject(x, x)
_KiIntRedirectAllocateObject@8 proc near ; CODE	XREF: KiIntRedirectConnnect(x,x,x)+18p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	5249654Bh
		push	10h
		push	200h
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_55EA4E
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		push	edi
		mov	edi, esi
		stosd
		stosd
		stosd
		mov	ax, [ecx+18h]
		mov	[esi+4], ax
		mov	eax, [ecx+14h]
		mov	[esi], eax
		xor	eax, eax
		mov	[esi+0Ch], al
		pop	edi

loc_55EA48:				; CODE XREF: KiIntRedirectAllocateObject(x,x)+4Dj
		mov	[ebx], esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55EA4E:				; CODE XREF: KiIntRedirectAllocateObject(x,x)+22j
		mov	eax, 0C000009Ah
		jmp	short loc_55EA48
_KiIntRedirectAllocateObject@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSetSystemTimeDpc proc	near		; DATA XREF: KeSetSystemTime(x,x,x)+26o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005E2F03 SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		and	[esp+1Ch+var_14], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		or	ebx, 0FFFFFFFFh
		push	edi
		mov	eax, ebx
		lock xadd [esi], eax
		dec	eax
		mov	edi, eax
		mov	ecx, 80000000h
		not	edi
		and	edi, ecx
		test	eax, 7FFFFFFFh
		jnz	loc_55EB7B
		mov	eax, [esi+4]
		or	eax, edi
		mov	[esi], eax
		jmp	short loc_55EAA9
; 

loc_55EA95:				; CODE XREF: KiSetSystemTimeDpc+51j
		lea	ecx, [esp+28h+var_14]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		and	eax, 80000000h

loc_55EAA5:				; CODE XREF: KiSetSystemTimeDpc+129j
		cmp	eax, edi
		jnz	short loc_55EA95

loc_55EAA9:				; CODE XREF: KiSetSystemTimeDpc+3Dj
		mov	ecx, large fs:20h
		mov	dl, 1
		mov	[esp+28h+var_18], ecx
		call	_KiSelectActiveTimerTable@8 ; KiSelectActiveTimerTable(x,x)
		cmp	byte ptr [ecx+3D0h], 0
		mov	edi, [ebp+arg_4]
		mov	[esp+28h+var_8], eax
		jnz	loc_55EB95

loc_55EACF:				; CODE XREF: KiSetSystemTimeDpc+1A2j
					; KiSetSystemTimeDpc+1BEj ...
		and	[esp+28h+var_C], 0
		mov	eax, ebx
		lock xadd [esi], eax
		dec	eax
		mov	ebx, eax
		mov	ecx, 80000000h
		not	ebx
		and	ebx, ecx
		test	eax, 7FFFFFFFh
		jnz	loc_55EB84
		mov	eax, [esi+4]
		or	eax, ebx
		mov	[esi], eax
		jmp	short loc_55EB0E
; 

loc_55EAFA:				; CODE XREF: KiSetSystemTimeDpc+B6j
		lea	ecx, [esp+28h+var_C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		and	eax, 80000000h

loc_55EB0A:				; CODE XREF: KiSetSystemTimeDpc+132j
		cmp	eax, ebx
		jnz	short loc_55EAFA

loc_55EB0E:				; CODE XREF: KiSetSystemTimeDpc+A2j
		mov	eax, [edi+10h]
		or	eax, [edi+14h]
		mov	ebx, [esp+28h+var_18]
		jz	short loc_55EB5D
		mov	eax, [esp+28h+var_8]
		test	eax, eax
		jnz	loc_55EC19

loc_55EB26:				; CODE XREF: KiSetSystemTimeDpc+1CDj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		dec	eax
		mov	edi, eax
		mov	ecx, 80000000h
		not	edi
		and	edi, ecx
		test	eax, 7FFFFFFFh
		jnz	short loc_55EB8A
		mov	eax, [esi+4]
		or	eax, edi
		mov	[esi], eax
		jmp	short loc_55EB5D
; 

loc_55EB49:				; CODE XREF: KiSetSystemTimeDpc+105j
		lea	ecx, [esp+28h+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		and	eax, 80000000h

loc_55EB59:				; CODE XREF: KiSetSystemTimeDpc+13Dj
		cmp	eax, edi
		jnz	short loc_55EB49

loc_55EB5D:				; CODE XREF: KiSetSystemTimeDpc+C2j
					; KiSetSystemTimeDpc+F1j
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		push	2
		push	0
		push	1
		xor	edx, edx
		mov	ecx, ebx
		call	KiExitDispatcher
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_55EB7B:				; CODE XREF: KiSetSystemTimeDpc+30j
		mov	eax, [esi]
		and	eax, ecx
		jmp	loc_55EAA5
; 

loc_55EB84:				; CODE XREF: KiSetSystemTimeDpc+95j
		mov	eax, [esi]
		and	eax, ecx
		jmp	short loc_55EB0A
; 

loc_55EB8A:				; CODE XREF: KiSetSystemTimeDpc+E8j
		mov	eax, [esi]
		and	[esp+28h+var_4], 0
		and	eax, ecx
		jmp	short loc_55EB59
; 

loc_55EB95:				; CODE XREF: KiSetSystemTimeDpc+73j
		mov	eax, 0FFDF0018h
		and	[esp+28h+var_10], 0
		mov	ecx, [eax]
		mov	eax, [edi+0Ch]
		mov	[eax+4], ecx
		mov	eax, 0FFDF0014h
		mov	ecx, [eax]
		mov	eax, [edi+0Ch]
		mov	[eax], ecx
		mov	eax, 0FFDF001Ch
		mov	ecx, [eax]
		mov	eax, [edi+0Ch]
		cmp	[eax+4], ecx
		jnz	loc_5E2F03

loc_55EBC6:				; CODE XREF: KiSetSystemTimeDpc+844E2j
		mov	eax, [edi+8]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	eax, [edi+0Ch]
		mov	[edi+10h], ecx
		mov	[edi+14h], edx
		sub	ecx, [eax]
		sbb	edx, [eax+4]
		mov	eax, [edi+4]
		mov	[edi+10h], ecx
		mov	[edi+14h], edx
		push	edx
		push	ecx
		test	al, 1
		jz	short loc_55EC28
		shr	eax, 1
		and	al, 1
		mov	cl, al
		call	_KeAdjustInterruptTime@12 ; KeAdjustInterruptTime(x,x,x)
		test	al, al
		jz	loc_55EACF
		mov	ecx, [edi+10h]
		mov	eax, [edi+14h]
		neg	ecx
		mov	byte ptr [edi],	1
		adc	eax, 0
		mov	[edi+10h], ecx
		neg	eax
		mov	[edi+14h], eax
		jmp	loc_55EACF
; 

loc_55EC19:				; CODE XREF: KiSetSystemTimeDpc+CAj
		push	edi
		mov	edx, eax
		mov	ecx, ebx
		call	KiAdjustTimerDueTimes
		jmp	loc_55EB26
; 

loc_55EC28:				; CODE XREF: KiSetSystemTimeDpc+193j
		mov	edx, eax
		xor	ecx, ecx
		call	KiUpdateSystemTime
		jmp	loc_55EACF
KiSetSystemTimeDpc endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAdjustTimerDueTimes proc near		; CODE XREF: KiSetSystemTimeDpc+1C8p
					; KiAdjustTimersAfterDripsExit(x,x,x)+D3p

var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E2F3D SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		and	[ebp+var_10], 0
		mov	eax, edx
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_28]
		push	ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_28], ecx
		lea	ecx, [eax+40h]
		push	esi
		push	edi
		mov	[ebp+var_1C], eax
		mov	byte ptr [ebp+var_5], 0
		mov	[ebp+var_14], ecx

loc_55EC60:				; CODE XREF: KiAdjustTimerDueTimes+6Dj
		xor	ebx, ebx
		mov	esi, ecx

loc_55EC64:				; CODE XREF: KiAdjustTimerDueTimes+55j
		and	[ebp+var_18], 0

loc_55EC68:				; CODE XREF: KiAdjustTimerDueTimes+84315j
		lock bts dword ptr [esi], 0
		jb	loc_5E2F3D
		lea	eax, [esi+4]
		mov	edi, [eax]

loc_55EC78:				; CODE XREF: KiAdjustTimerDueTimes+BFj
		cmp	edi, eax
		jnz	short loc_55ECA7
		xor	eax, eax
		lock and [esi],	eax
		inc	ebx
		add	esi, 18h
		cmp	ebx, 100h
		jb	short loc_55EC64
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_14]
		inc	eax
		add	ecx, 1800h
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], ecx
		cmp	eax, 1
		jb	short loc_55EC60
		jmp	short loc_55ED02
; 

loc_55ECA7:				; CODE XREF: KiAdjustTimerDueTimes+44j
		mov	eax, [ebp+arg_0]
		lea	ecx, [edi-18h]
		mov	dh, [ecx+1]
		mov	edi, [edi]
		mov	[ebp+var_20], ecx
		mov	dl, [eax]
		mov	al, dh
		and	al, 1
		cmp	al, dl
		jz	short loc_55ECF2
		test	dl, dl
		jz	short loc_55ECC8
		test	dh, 2
		jnz	short loc_55ECF2

loc_55ECC8:				; CODE XREF: KiAdjustTimerDueTimes+8Bj
		push	ecx
		mov	edx, ecx
		mov	ecx, [ebp+var_1C]
		push	ebx
		call	KiRemoveEntryTimer
		mov	ecx, [ebp+var_24]
		lea	edx, [ebp+var_28]
		mov	eax, [ebp+var_20]
		add	eax, 18h
		cmp	[ecx], edx
		jnz	loc_55EE02
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ebp+var_24], eax

loc_55ECF2:				; CODE XREF: KiAdjustTimerDueTimes+87j
					; KiAdjustTimerDueTimes+90j
		lea	eax, [esi+4]
		jmp	short loc_55EC78
; 

loc_55ECF7:				; CODE XREF: KiAdjustTimerDueTimes+186j
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	KiTimerWaitTest

loc_55ED02:				; CODE XREF: KiAdjustTimerDueTimes+6Fj
					; KiAdjustTimerDueTimes+1A4j ...
		mov	eax, [ebp+var_28]
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jz	loc_55EDDF
		lea	esi, [eax-18h]
		lea	eax, [esi+18h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_55EE02
		cmp	[ecx], eax
		jnz	loc_55EE02
		mov	eax, [ebp+arg_0]
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ebx, [esi+10h]
		mov	edx, ebx
		mov	edi, [eax+10h]
		sub	edx, edi
		mov	ecx, [esi+14h]
		mov	eax, [eax+14h]
		mov	[ebp+var_20], edi
		mov	edi, ecx
		sbb	edi, eax
		test	eax, eax
		jl	short loc_55ED5F
		jg	loc_5E2F5B
		cmp	[ebp+var_20], 0
		jnb	loc_5E2F5B

loc_55ED5F:				; CODE XREF: KiAdjustTimerDueTimes+117j
		cmp	edi, ecx
		ja	short loc_55ED71
		jb	loc_5E2F50
		cmp	edx, ebx
		jb	loc_5E2F50

loc_55ED71:				; CODE XREF: KiAdjustTimerDueTimes+12Bj
					; KiAdjustTimerDueTimes+84320j	...
		or	dword ptr [esi], 80h
		mov	eax, edi
		mov	ebx, [esi+20h]
		mov	ecx, edx
		shrd	ecx, eax, 12h
		mov	[esi+14h], edi
		xor	eax, eax
		lea	edi, [ebp+var_38]
		movzx	ecx, cl
		stosd
		mov	[esi+10h], edx
		mov	edx, esi
		stosd
		stosd
		stosd
		mov	eax, [esi]
		mov	edi, [ebp+var_C]
		mov	[ebp+var_38], eax
		mov	byte ptr [ebp+var_38+2], cl
		mov	eax, [ebp+var_38]
		mov	[esi], eax
		mov	eax, [ebp+arg_0]
		cmp	byte ptr [eax+18h], 0
		jnz	short loc_55EDFC
		push	0

loc_55EDB1:				; CODE XREF: KiAdjustTimerDueTimes+1CAj
		push	ecx
		push	ebx
		mov	ecx, edi
		call	KiInsertTimerTable
		test	al, al
		jz	loc_55ECF7
		test	ds:dword_70EFC8, 20000h
		jnz	loc_5E2F76
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		jmp	loc_55ED02
; 

loc_55EDDF:				; CODE XREF: KiAdjustTimerDueTimes+D4j
		mov	eax, [ebp+var_C]
		cmp	byte ptr [eax+3D0h], 0
		mov	eax, [ebp+arg_0]
		jz	short loc_55EE07

loc_55EDEE:				; CODE XREF: KiAdjustTimerDueTimes+1D7j
		mov	ecx, eax
		call	KiAdjustTimer2DueTimes

loc_55EDF5:				; CODE XREF: KiAdjustTimerDueTimes+1D5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_55EDFC:				; CODE XREF: KiAdjustTimerDueTimes+177j
		lea	eax, [ebp+var_5]
		push	eax
		jmp	short loc_55EDB1
; 

loc_55EE02:				; CODE XREF: KiAdjustTimerDueTimes+ACj
					; KiAdjustTimerDueTimes+E8j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_55EE07:				; CODE XREF: KiAdjustTimerDueTimes+1B6j
		cmp	byte ptr [eax+18h], 0
		jz	short loc_55EDF5
		jmp	short loc_55EDEE
KiAdjustTimerDueTimes endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAdjustTimer2DueTimes proc near	; CODE XREF: KiAdjustTimerDueTimes+1BAp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 005E2F86 SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_8], ecx
		lea	eax, [ebp+var_30]
		mov	byte ptr [ebp+var_1], bl
		push	edi
		mov	edi, eax
		mov	[ebp+var_2C], eax
		mov	edx, ebx
		mov	[ebp+var_30], edi
		mov	ecx, offset _KiTimer2Collections
		mov	[ebp+var_14], edx
		mov	[ebp+var_18], ecx

loc_55EE3B:				; CODE XREF: KiAdjustTimer2DueTimes+48j
		mov	eax, [ecx+4]
		test	al, 1
		jnz	short loc_55EEB0
		mov	esi, eax

loc_55EE44:				; CODE XREF: KiAdjustTimer2DueTimes+ACj
		test	esi, esi
		jnz	short loc_55EEBE

loc_55EE48:				; CODE XREF: KiAdjustTimer2DueTimes+A3j
					; KiAdjustTimer2DueTimes+193j
		add	ecx, 10h
		inc	edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_18], ecx
		cmp	ecx, offset _KiNextTimer2DueTime
		jl	short loc_55EE3B
		lea	eax, [ebp+var_30]
		cmp	edi, eax
		jz	short loc_55EE8A

loc_55EE61:				; CODE XREF: KiAdjustTimer2DueTimes+70j
		lea	eax, [ebp+var_1]
		mov	dl, 1
		lea	ecx, [edi-10h]
		mov	edi, [edi]
		push	eax
		call	KiInsertTimer2
		cmp	byte ptr [ebp+var_1], 0
		jnz	loc_55EFC4

loc_55EE7B:				; CODE XREF: KiAdjustTimer2DueTimes+1B6j
		lea	eax, [ebp+var_30]
		cmp	edi, eax
		jnz	short loc_55EE61
		test	bl, bl
		jnz	loc_55EFCB

loc_55EE8A:				; CODE XREF: KiAdjustTimer2DueTimes+4Fj
					; KiAdjustTimer2DueTimes+1C0j
		mov	eax, dword_6CB15C
		mov	ecx, dword_6CB158
		push	eax
		push	ecx
		call	KeQueryInterruptTime
		push	edx
		push	eax
		call	_KiShouldActivateHRTimerClock@16 ; KiShouldActivateHRTimerClock(x,x,x,x)
		test	al, al
		jnz	loc_55EFD5

loc_55EEAB:				; CODE XREF: KiAdjustTimer2DueTimes+1CAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55EEB0:				; CODE XREF: KiAdjustTimer2DueTimes+30j
		cmp	eax, 1
		jz	short loc_55EE48
		mov	esi, ecx
		or	esi, 1
		xor	esi, eax
		jmp	short loc_55EE44
; 

loc_55EEBE:				; CODE XREF: KiAdjustTimer2DueTimes+36j
		xor	eax, eax
		cmp	edx, 2
		setnl	al
		imul	eax, 0Ch
		mov	[ebp+var_28], eax

loc_55EECC:				; CODE XREF: KiAdjustTimer2DueTimes+187j
		mov	edx, esi
		mov	ecx, esi
		sub	edx, eax
		mov	eax, [esi+4]
		mov	[ebp+var_24], edx
		test	eax, eax
		jnz	short loc_55EEEC

loc_55EEDC:				; CODE XREF: KiAdjustTimer2DueTimes+DAj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	short loc_55EEFE
		cmp	[esi], ecx
		jz	short loc_55EEFE
		mov	ecx, esi
		jmp	short loc_55EEDC
; 

loc_55EEEC:				; CODE XREF: KiAdjustTimer2DueTimes+CAj
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_55EEFE

loc_55EEF4:				; CODE XREF: KiAdjustTimer2DueTimes+ECj
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_55EEF4

loc_55EEFE:				; CODE XREF: KiAdjustTimer2DueTimes+D2j
					; KiAdjustTimer2DueTimes+D6j ...
		mov	ecx, [ebp+var_8]
		mov	al, [edx+40h]
		cmp	al, [ecx]
		jz	loc_55EF92
		test	al, al
		jnz	short loc_55EF16
		test	byte ptr [edx+41h], 2
		jnz	short loc_55EF92

loc_55EF16:				; CODE XREF: KiAdjustTimer2DueTimes+FEj
		lea	edi, [edx-10h]
		mov	ecx, edi
		call	KiRemoveTimer2
		mov	eax, [ebp+var_8]
		mov	ebx, [edi+28h]
		mov	[ebp+var_10], ebx
		mov	ebx, [edi+2Ch]
		mov	ecx, [eax+14h]
		mov	edx, [eax+10h]
		mov	[ebp+var_C], ebx
		xor	ebx, ebx
		cmp	ecx, ebx
		jl	short loc_55EF49
		jg	loc_5E2F86
		cmp	edx, ebx
		jnb	loc_5E2F86

loc_55EF49:				; CODE XREF: KiAdjustTimer2DueTimes+129j
		neg	edx
		mov	[ebp+var_20], edx
		adc	ecx, ebx
		neg	ecx
		push	ecx
		push	edx
		push	[ebp+var_C]
		mov	[ebp+var_1C], ecx
		xor	ecx, ecx
		push	[ebp+var_10]
		call	KiTimer2ComputeDueTime
		mov	ecx, [edi+30h]
		mov	[edi+28h], eax
		mov	eax, ecx
		mov	[edi+2Ch], edx
		mov	edx, [edi+34h]
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_55EFA8

loc_55EF79:				; CODE XREF: KiAdjustTimer2DueTimes+1ADj
					; KiAdjustTimer2DueTimes+8419Dj ...
		mov	eax, [ebp+var_30]
		lea	ecx, [ebp+var_30]
		mov	edi, [ebp+var_24]
		cmp	[eax+4], ecx
		jnz	short loc_55EFBF
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[eax+4], edi
		mov	[ebp+var_30], edi

loc_55EF92:				; CODE XREF: KiAdjustTimer2DueTimes+F6j
					; KiAdjustTimer2DueTimes+104j
		mov	eax, [ebp+var_28]
		test	esi, esi
		jnz	loc_55EECC
		mov	ecx, [ebp+var_18]
		mov	edx, [ebp+var_14]
		jmp	loc_55EE48
; 

loc_55EFA8:				; CODE XREF: KiAdjustTimer2DueTimes+167j
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	edx
		push	ecx
		xor	ecx, ecx
		call	KiTimer2ComputeDueTime
		mov	[edi+30h], eax
		mov	[edi+34h], edx
		jmp	short loc_55EF79
; 

loc_55EFBF:				; CODE XREF: KiAdjustTimer2DueTimes+175j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_55EFC4:				; CODE XREF: KiAdjustTimer2DueTimes+65j
		mov	bl, 1
		jmp	loc_55EE7B
; 

loc_55EFCB:				; CODE XREF: KiAdjustTimer2DueTimes+74j
		call	_KiRequestTimer2Expiration@0 ; KiRequestTimer2Expiration()
		jmp	loc_55EE8A
; 

loc_55EFD5:				; CODE XREF: KiAdjustTimer2DueTimes+95j
		call	_KiSendClockInterruptToClockOwner@0 ; KiSendClockInterruptToClockOwner()
		jmp	loc_55EEAB
KiAdjustTimer2DueTimes endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiUpdateSystemTime proc	near		; CODE XREF: KiSetSystemTimeDpc+1D6p
					; KeSetTimeAdjustment(x,x)+79p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E2FD9 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		mov	edi, ecx
		mov	ebx, 0FFDF0340h
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, ebx
		mov	[ebp+var_1], al
		call	RtlWriteAcquireTickLock
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, edx
		mov	[ebp+var_8], eax
		push	ecx
		push	eax
		mov	[ebp+var_C], ecx
		call	KiComputeNewSystemTime
		mov	ebx, [ebp+arg_0]
		mov	esi, eax
		mov	eax, [ebp+arg_4]
		mov	ecx, ebx
		or	ecx, eax
		jz	short loc_55F047
		mov	esi, ds:0FFDF0014h
		mov	edx, ds:0FFDF0018h
		add	esi, ebx
		adc	edx, eax
		and	_KiSystemTimeErrorAccumulator, 0
		and	dword_6D4B0C, 0

loc_55F047:				; CODE XREF: KiUpdateSystemTime+47j
		mov	eax, [ebp+var_8]
		mov	ds:0FFDF0348h, eax
		mov	eax, [ebp+var_C]
		mov	ds:0FFDF034Ch, eax
		mov	ds:0FFDF001Ch, edx
		mov	ds:0FFDF0014h, esi
		mov	ds:0FFDF0018h, edx
		test	edi, edi
		jnz	loc_5E2FD9

loc_55F071:				; CODE XREF: KiUpdateSystemTime+84010j
		mov	eax, 0FFDF0340h
		mov	ebx, 0FFDF0340h
		push	0
		pop	edi
		mov	ecx, [eax]
		mov	eax, [eax+4]
		add	ecx, 1
		mov	[ebx], ecx
		mov	ecx, ebx
		mov	ebx, [ebp+arg_0]
		adc	eax, edi
		mov	[ecx+4], eax
		mov	eax, [ebp+var_10]
		test	al, 1
		jnz	short loc_55F0B9
		test	al, 4
		jz	loc_5E2FF5
		mov	ds:_KeBootTime,	esi
		mov	ds:dword_70E2EC, edx
		mov	ds:_KeBootTimeBias, edi
		mov	ds:dword_70E73C, edi

loc_55F0B9:				; CODE XREF: KiUpdateSystemTime+B7j
					; KiUpdateSystemTime+84030j
		cmp	[ebp+var_1], 0
		pop	edi
		pop	esi
		pop	ebx
		jz	short locret_55F0C3
		sti

locret_55F0C3:				; CODE XREF: KiUpdateSystemTime+E0j
		leave
		retn	8
KiUpdateSystemTime endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1192. KeInvalidateAllCaches

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeInvalidateAllCaches
KeInvalidateAllCaches proc near		; CODE XREF: KeInvalidateRangeAllCachesNoIpi:loc_4BAE31p
					; MiChangePageAttributeContiguous(x,x,x)+D6p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E3015 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 1Fh
		jnb	short loc_55F0F8
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()

loc_55F0F8:				; CODE XREF: KeInvalidateAllCaches+24j
		mov	ecx, offset _KiCacheFlushTimeStamp
		call	_KxSetTimeStampBusy@4 ;	KxSetTimeStampBusy(x)
		test	al, al
		jz	loc_55F1AC
		mov	ecx, offset _KiReverseStallIpiLock
		cmp	bl, 1Fh
		jnb	short loc_55F182
		mov	eax, large fs:20h
		lea	edi, [ebp+var_10]
		mov	[ebp+var_14], eax
		mov	esi, offset _KeActiveProcessors
		mov	eax, ds:_KeNumberProcessors
		dec	eax
		mov	[ebp+var_18], eax
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_14]
		mov	ecx, [ebp+var_8]
		mov	eax, [esi+3CCh]
		btr	ecx, eax
		mov	[ebp+var_8], ecx
		mov	ecx, offset _KiReverseStallIpiLock
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edi, [ebp+var_18]
		test	edi, edi
		jz	short loc_55F17D
		push	ecx
		push	ecx
		lea	eax, [esi+2124h]
		push	eax
		push	ecx
		lea	edx, [ebp+var_10]
		mov	ecx, esi
		call	_KiIpiSendSynchronousPacket@24 ; KiIpiSendSynchronousPacket(x,x,x,x,x,x)
		mov	ecx, large fs:20h

loc_55F16F:				; CODE XREF: KeInvalidateAllCaches+AFj
		mov	eax, [ecx+2120h]
		test	eax, eax
		jz	short loc_55F17D
		pause
		jmp	short loc_55F16F
; 

loc_55F17D:				; CODE XREF: KeInvalidateAllCaches+86j
					; KeInvalidateAllCaches+ABj
		mov	ecx, offset _KiReverseStallIpiLock

loc_55F182:				; CODE XREF: KeInvalidateAllCaches+46j
		wbinvd
		cmp	bl, 1Fh
		jnb	short loc_55F1A5
		test	edi, edi
		jz	short loc_55F193
		inc	dword ptr [esi+2124h]

loc_55F193:				; CODE XREF: KeInvalidateAllCaches+BFj
		test	ds:byte_70EFC6,	1
		jnz	loc_5E3015
		xor	eax, eax
		lock and [ecx],	eax

loc_55F1A5:				; CODE XREF: KeInvalidateAllCaches+BBj
					; KeInvalidateAllCaches+83F51j
		lock inc ds:_KiCacheFlushTimeStamp

loc_55F1AC:				; CODE XREF: KeInvalidateAllCaches+38j
		cmp	bl, 1Fh
		jnb	short loc_55F1B9
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_55F1B9:				; CODE XREF: KeInvalidateAllCaches+E3j
		mov	ecx, [ebp+var_4]
		mov	al, 1
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
KeInvalidateAllCaches endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIpiSendSynchronousPacket(x, x, x,	x, x, x)
_KiIpiSendSynchronousPacket@24 proc near ; CODE	XREF: KeInvalidateAllCaches+97p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_6		= word ptr -6
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		mov	[ebp+var_6], ax
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], ebx
		push	edi
		mov	edi, edx
		xor	edx, edx
		inc	edx
		mov	[esi+2160h], eax
		mov	[esi+2164h], ebx
		mov	[esi+2168h], ebx
		mov	eax, [edi+8]
		mov	[esi+216Ch], eax
		mov	dword ptr [esi+2170h], offset _KiInvalidateAllCachesTarget@16 ;	KiInvalidateAllCachesTarget(x,x,x,x)
		mov	ecx, [esi+216Ch]
		mov	eax, [esi+216Ch]
		dec	ecx
		test	eax, ecx
		mov	eax, esi
		jz	short loc_55F279

loc_55F222:				; CODE XREF: KiIpiSendSynchronousPacket(x,x,x,x,x,x)+B1j
		mov	_KiSynchPacket,	eax
		xor	eax, eax
		mov	[esi+2120h], edx
		mov	[ebp+var_8], ax
		mov	eax, [edi+8]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edi

loc_55F23C:				; CODE XREF: KiIpiSendSynchronousPacket(x,x,x,x,x,x)+98j
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_55F264
		mov	eax, [ebp+var_4]
		push	10h
		pop	ecx
		mov	eax, ds:_KiProcessorBlock[eax*4]
		add	eax, 21A0h
		lock or	[eax], ecx
		jmp	short loc_55F23C
; 

loc_55F264:				; CODE XREF: KiIpiSendSynchronousPacket(x,x,x,x,x,x)+81j
		inc	dword ptr [esi+40B0h]
		push	edi
		push	ebx
		call	ds:__imp__HalRequestIpi@8 ; HalRequestIpi(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_55F279:				; CODE XREF: KiIpiSendSynchronousPacket(x,x,x,x,x,x)+56j
		or	eax, edx
		jmp	short loc_55F222
_KiIpiSendSynchronousPacket@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlHpHeapManagerStart proc near		; CODE XREF: ExInitializeSessionHeapManager+B7p
					; RtlHpKInitializeHeapManager()+67p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005E3022 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		xor	eax, eax
		mov	edx, [ebp+arg_4]
		cmp	ebx, 1
		push	esi
		mov	esi, [ebp+arg_0]
		setz	al
		push	edi
		push	eax
		mov	eax, [ebp+arg_8]
		mov	edi, ecx
		shrd	edx, eax, 14h
		push	ebx
		add	edx, edx
		lea	ecx, [edi+8]
		mov	[edi+4], esi
		call	RtlCSparseBitmapStart
		test	eax, eax
		js	short loc_55F2DA
		mov	eax, [ebp+arg_4]
		mov	edx, ebx
		push	ecx
		dec	eax
		lea	ecx, [edi+30h]
		push	eax
		push	esi
		call	_RtlpHpVaMgrCtxStart@20	; RtlpHpVaMgrCtxStart(x,x,x,x,x)
		test	eax, eax
		js	short loc_55F2DA
		test	[ebp+arg_C], 2
		jnz	short loc_55F2E2

loc_55F2CE:				; CODE XREF: RtlHpHeapManagerStart+95j
		test	[ebp+arg_C], 1
		jnz	loc_5E3022

loc_55F2D8:				; CODE XREF: RtlHpHeapManagerStart+83DD3j
		xor	eax, eax

loc_55F2DA:				; CODE XREF: RtlHpHeapManagerStart+33j
					; RtlHpHeapManagerStart+48j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	10h
; 

loc_55F2E2:				; CODE XREF: RtlHpHeapManagerStart+4Ej
		and	[ebp+arg_4], 0
		mov	al, bl
		and	[ebp+arg_8], 0
		and	al, 3
		add	al, al
		mov	word ptr [ebp+arg_4+1],	1
		or	al, 1
		mov	byte ptr [ebp+arg_4], al
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_4], eax
		lea	eax, [ebp+arg_4]
		push	0
		push	eax
		lea	eax, [edi+1C5Ch]
		push	eax
		call	_RtlpHpMetadataHeapCreate@12 ; RtlpHpMetadataHeapCreate(x,x,x)
		jmp	short loc_55F2CE
RtlHpHeapManagerStart endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpMetadataHeapCreate(x,	x, x)
_RtlpHpMetadataHeapCreate@12 proc near	; CODE XREF: RtlHpHeapManagerStart+90p
					; DATA XREF: RtlpHpMetadataHeapStart(x,x,x)+17o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		push	eax
		push	ecx
		push	ecx
		xor	ecx, ecx
		call	RtlpHpHeapCreate
		test	eax, eax
		jz	short loc_55F343
		mov	ecx, [ebp+arg_0]
		mov	[ecx-4], eax
		xor	eax, eax
		inc	eax

loc_55F33D:				; CODE XREF: RtlpHpMetadataHeapCreate(x,x,x)+2Fj
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_55F343:				; CODE XREF: RtlpHpMetadataHeapCreate(x,x,x)+1Cj
		xor	eax, eax
		jmp	short loc_55F33D
_RtlpHpMetadataHeapCreate@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExInitializeSessionHeapManager proc near ; CODE	XREF: MiSessionCreate+A4p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E3056 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:20h
		sub	esp, 0Ch
		mov	eax, [eax+338h]
		push	ebx
		push	esi
		push	edi
		movzx	eax, word ptr [eax+8Ah]
		mov	edi, edx
		push	0
		or	eax, 80000000h
		mov	ebx, ecx
		push	eax
		push	65537048h
		mov	edx, 1C80h
		mov	ecx, 200h
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jz	loc_5E3056
		push	1C80h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		and	[ebp+var_8], 0
		lea	edx, [ebp+var_8]
		or	word ptr [ebp+var_8+2],	1
		xor	eax, eax
		mov	ecx, 200h
		add	esp, 0Ch
		mov	word ptr [ebp+var_8], cx
		or	eax, 5
		mov	ecx, esi
		mov	[ebp+var_4], eax
		call	_RtlHpHeapManagerInitialize@8 ;	RtlHpHeapManagerInitialize(x,x)
		mov	eax, large fs:124h
		xor	ecx, ecx
		push	ecx
		push	ecx
		sub	edi, ebx
		mov	[ebp+var_8], ecx
		mov	eax, [eax+80h]
		push	edi
		push	ebx
		push	2
		mov	eax, [eax+180h]
		mov	byte ptr [ebp+var_8], 4
		pop	edx
		mov	[eax+1D8h], esi
		mov	eax, [ebp+var_8]
		mov	[esi+1C74h], ecx
		mov	ecx, esi
		mov	[esi+1C70h], eax
		call	RtlHpHeapManagerStart
		mov	edi, eax
		test	edi, edi
		js	short loc_55F46D
		push	dword ptr [esi+1C74h]
		lea	edx, [esi+1C78h]
		mov	ecx, 40000000h
		push	dword ptr [esi+1C70h]
		call	_ExCreateHeap@16 ; ExCreateHeap(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_55F46D
		push	dword ptr [esi+1C74h]
		lea	ebx, [esi+1C7Ch]
		xor	ecx, ecx
		push	dword ptr [esi+1C70h]
		mov	edx, ebx
		call	_ExCreateHeap@16 ; ExCreateHeap(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_55F46D
		mov	eax, [ebx]
		or	dword ptr [eax+298h], 2
		or	byte ptr [eax+109h], 8
		or	byte ptr [eax+189h], 8
		call	_ExInitializeSessionPoolTrackTable@0 ; ExInitializeSessionPoolTrackTable()
		xor	esi, esi
		xor	edi, edi

loc_55F46D:				; CODE XREF: ExInitializeSessionHeapManager+C0j
					; ExInitializeSessionHeapManager+E2j ...
		test	esi, esi
		jnz	short loc_55F478

loc_55F471:				; CODE XREF: ExInitializeSessionHeapManager+135j
					; ExInitializeSessionHeapManager+83D13j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55F478:				; CODE XREF: ExInitializeSessionHeapManager+127j
		call	_ExCleanupSessionHeapManager@0 ; ExCleanupSessionHeapManager()
		jmp	short loc_55F471
ExInitializeSessionHeapManager endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall RtlHpHeapManagerInitialize(x, x)
_RtlHpHeapManagerInitialize@8 proc near	; CODE XREF: ExInitializeSessionHeapManager+77p
					; RtlHpKInitializeHeapManager()+34p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	edi, edx
		push	1C40h		; size_t
		push	0		; int
		lea	eax, [ebx+30h]
		push	eax		; void *
		call	_memset
		push	2Ch		; size_t
		lea	esi, [ebx+4]
		mov	dword ptr [ebx], offset	_RtlpHpHeapGlobals
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 18h
		lea	ecx, [esi+4]	; void *
		push	28h
		pop	edx
		call	_RtlCSparseBitmapInitialize@8 ;	RtlCSparseBitmapInitialize(x,x)
		lea	ecx, [ebx+30h]	; void *
		call	_RtlpHpVaMgrCtxInitialize@4 ; RtlpHpVaMgrCtxInitialize(x)
		mov	eax, [edi]
		mov	[ebx+1C68h], eax
		mov	eax, [edi+4]
		push	3
		mov	[ebx+1C6Ch], eax
		add	ebx, 1C54h
		pop	esi

loc_55F4DC:				; CODE XREF: RtlHpHeapManagerInitialize(x,x)+68j
		push	ebx
		call	_RtlRunOnceInitialize@4	; RtlRunOnceInitialize(x)
		add	ebx, 8
		sub	esi, 1
		jnz	short loc_55F4DC
		pop	edi
		pop	esi
		pop	ebx
		retn
_RtlHpHeapManagerInitialize@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExCreateHeap(x, x, x, x)
_ExCreateHeap@16 proc near		; CODE XREF: ExInitializeSessionHeapManager+D9p
					; ExInitializeSessionHeapManager+FAp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	[ebp+arg_4]
		mov	esi, edx
		push	[ebp+arg_0]
		push	ecx
		call	RtlpHpHeapCreate
		test	eax, eax
		jz	short loc_55F511
		mov	[esi], eax
		xor	eax, eax

loc_55F50B:				; CODE XREF: ExCreateHeap(x,x,x,x)+28j
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
; 

loc_55F511:				; CODE XREF: ExCreateHeap(x,x,x,x)+17j
		mov	eax, 0C0000017h
		jmp	short loc_55F50B
_ExCreateHeap@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVaMgrCtxStart(x, x, x, x, x)
_RtlpHpVaMgrCtxStart@20	proc near	; CODE XREF: RtlHpHeapManagerStart+41p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		sub	esp, 14h
		shr	eax, 14h
		test	[ebp+arg_4], 0FFFFFh
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jz	short loc_55F536
		inc	eax

loc_55F536:				; CODE XREF: RtlpHpVaMgrCtxStart(x,x,x,x,x)+1Bj
		push	ecx
		push	esi
		push	eax
		lea	ecx, [edi+8]
		call	_RtlSparseArrayStart@20	; RtlSparseArrayStart(x,x,x,x,x)
		test	eax, eax
		js	short loc_55F579
		mov	eax, [ebp+arg_0]
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		or	[ebp+var_14], 0FFFFFFFFh
		mov	[edi], esi
		xor	esi, esi
		mov	[edi+4], eax

loc_55F55F:				; CODE XREF: RtlpHpVaMgrCtxStart(x,x,x,x,x)+5Dj
		push	ecx
		lea	edx, [ebp+var_14]
		mov	[ebp+var_10], esi
		mov	ecx, edi
		call	_RtlpHpVaMgrCtxAllocatorReference@12 ; RtlpHpVaMgrCtxAllocatorReference(x,x,x)
		test	eax, eax
		js	short loc_55F579
		inc	esi
		cmp	esi, 4
		jl	short loc_55F55F
		xor	eax, eax

loc_55F579:				; CODE XREF: RtlpHpVaMgrCtxStart(x,x,x,x,x)+2Bj
					; RtlpHpVaMgrCtxStart(x,x,x,x,x)+57j
		pop	edi
		pop	esi
		leave
		retn	0Ch
_RtlpHpVaMgrCtxStart@20	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpHeapCreate proc near		; CODE XREF: RtlpHpMetadataHeapCreate(x,x,x)+15p
					; ExCreateHeap(x,x,x,x)+10p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E3060 SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edx, edx
		mov	edi, ecx
		inc	edx
		lea	ecx, [ebp+arg_4]
		call	_RtlpHpRegisterEnvironment@8 ; RtlpHpRegisterEnvironment(x,x)
		test	eax, eax
		js	loc_55F72D
		call	ds:__imp__HalQueryMaximumProcessorCount@0 ; HalQueryMaximumProcessorCount()
		mov	[esp+28h+var_1C], eax
		test	eax, eax
		jz	loc_5E3060

loc_55F5C0:				; CODE XREF: RtlpHpHeapCreate+83AE7j
		mov	esi, [ebp+arg_8]
		mov	edx, eax	; int
		push	esi
		push	[ebp+arg_4]
		mov	ecx, edi
		call	RtlpHpHeapAllocate
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5E306C
		mov	eax, [ebp+arg_4]
		mov	[ebx+4], esi
		xor	esi, esi
		mov	[ebx], eax
		mov	dword ptr [ebx+8], 0DDEEDDEEh
		mov	[ebx+0Ch], edi
		cmp	ah, 2
		jnb	loc_5E307D

loc_55F5F7:				; CODE XREF: RtlpHpHeapCreate+83B00j
		test	edi, 4000000h
		jnz	loc_5E3085

loc_55F603:				; CODE XREF: RtlpHpHeapCreate+83B08j
		mov	edi, [ebp+arg_8]
		lea	ecx, [ebx+80h]
		push	edi		; int
		push	eax		; int
		push	esi		; char
		push	ecx		; int
		lea	eax, [ebx+200h]
		push	eax		; int
		lea	eax, [ebx+2C0h]
		push	eax		; int
		push	ebx		; int
		lea	ecx, [ebx+100h]	; void *
		call	_RtlpHpSegContextInitialize@36 ; RtlpHpSegContextInitialize(x,x,x,x,x,x,x,x,x)
		push	edi		; int
		push	[ebp+arg_4]	; int
		lea	eax, [ebx+80h]
		push	esi		; char
		push	eax		; int
		xor	esi, esi
		lea	ecx, [ebx+180h]	; void *
		push	esi		; int
		push	esi		; int
		push	ebx		; int
		call	_RtlpHpSegContextInitialize@36 ; RtlpHpSegContextInitialize(x,x,x,x,x,x,x,x,x)
		mov	edx, [ebp+arg_4]
		mov	al, dl
		mov	[ebx+40h], esi
		and	al, 1
		mov	[ebx+44h], esi
		mov	[ebx+48h], esi
		mov	[ebx+0B4h], esi
		test	dword ptr [ebx+0Ch], 20000000h
		jnz	loc_5E308D

loc_55F669:				; CODE XREF: RtlpHpHeapCreate+83B18j
		push	edi
		push	edx
		mov	[esp+30h+var_18], offset _RtlpHpSegVsAllocate@20 ; RtlpHpSegVsAllocate(x,x,x,x,x)
		mov	[esp+30h+var_14], offset _RtlpHpSegLfhVsFree@16	; RtlpHpSegLfhVsFree(x,x,x,x)
		mov	[esp+30h+var_10], offset _RtlpHpSegLfhVsCommit@12 ; RtlpHpSegLfhVsCommit(x,x,x)
		mov	[esp+30h+var_C], offset	_RtlpHpSegLfhVsDecommit@12 ; RtlpHpSegLfhVsDecommit(x,x,x)
		mov	[esp+30h+var_8], esi
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		mov	esi, eax
		movzx	edi, dl
		and	edi, 1
		lea	edx, [ebx+100h]	; int
		lea	ecx, [ebx+200h]	; void *
		lea	eax, [esi+1C6Ch]
		push	eax		; int
		push	0		; int
		push	edi		; int
		lea	eax, [esp+34h+var_18]
		push	eax		; int
		call	RtlpHpVsContextInitialize
		lea	eax, [esi+1C68h]
		mov	[esp+28h+var_18], offset _RtlpHpSegLfhAllocate@20 ; RtlpHpSegLfhAllocate(x,x,x,x,x)
		push	eax		; int
		lea	eax, [ebx+80h]
		mov	[esp+2Ch+var_8], offset	_RtlpHpSegLfhExtendContext@8 ; RtlpHpSegLfhExtendContext(x,x)
		push	eax		; int
		lea	eax, [esp+30h+var_18]
		push	eax		; int
		push	edi		; char
		push	[esp+38h+var_1C] ; int
		lea	esi, [ebx+100h]
		mov	edx, esi	; int
		lea	ecx, [ebx+2C0h]	; void *
		call	_RtlpHpLfhContextInitialize@28 ; RtlpHpLfhContextInitialize(x,x,x,x,x,x,x)
		lea	eax, [ebx+54h]
		push	eax
		call	_RtlRunOnceInitialize@4	; RtlRunOnceInitialize(x)
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	RtlpHpSegContextReserve
		test	eax, eax
		js	short loc_55F731
		mov	esi, ebx
		xor	ebx, ebx

loc_55F713:				; CODE XREF: RtlpHpHeapCreate+1B3j
		test	ebx, ebx
		jnz	short loc_55F735

loc_55F717:				; CODE XREF: RtlpHpHeapCreate+1AFj
					; RtlpHpHeapCreate+1BCj ...
		mov	ecx, [esp+28h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_55F72D:				; CODE XREF: RtlpHpHeapCreate+28j
		xor	esi, esi
		jmp	short loc_55F717
; 

loc_55F731:				; CODE XREF: RtlpHpHeapCreate+18Dj
		xor	esi, esi
		jmp	short loc_55F713
; 

loc_55F735:				; CODE XREF: RtlpHpHeapCreate+195j
		mov	ecx, ebx
		call	RtlpHpHeapDestroy
		jmp	short loc_55F717
RtlpHpHeapCreate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlpHpSegContextInitialize(void *,int,int,int,int,int,char,int,int)
_RtlpHpSegContextInitialize@36 proc near ; CODE	XREF: RtlpHpHeapCreate+A5p
					; RtlpHpHeapCreate+C1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		push	80h		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	eax, 1000h
		mov	edx, [ebp+arg_14]
		bsr	eax, eax
		xor	ecx, ecx
		mov	dword ptr [esi], 0FFF00000h
		mov	[esi+4], al
		inc	ecx
		bsf	eax, ecx
		mov	[esi+6], cl
		add	esp, 0Ch
		mov	ecx, [ebp+arg_C]
		mov	[esi+5], al
		sub	ecx, esi
		mov	al, [ebp+arg_10]
		mov	[esi+9], al
		lea	eax, [esi+44h]
		mov	dword ptr [esi+0Ch], 7F000h
		mov	word ptr [esi+7], 407h
		mov	[esi+40h], edi
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ecx+10h]
		mov	[esi+50h], edi
		mov	[esi+54h], edi
		mov	[esi+10h], ax
		mov	eax, [ebp+arg_4]
		mov	[esi+14h], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+18h], eax
		mov	eax, [ebp+arg_18]
		mov	[esi+20h], eax
		mov	eax, [ebp+arg_0]
		pop	edi
		mov	[esi+12h], cx
		mov	[esi+1Ch], edx
		mov	[esi+24h], eax
		pop	esi
		leave
		retn	1Ch
_RtlpHpSegContextInitialize@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpSegContextReserve	proc near	; CODE XREF: RtlpHpHeapCreate+186p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E309D SIZE 00000074 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, 100h
		mov	[ebp+var_4], ebx
		mov	esi, [ebx]
		not	esi
		movzx	ecx, byte ptr [ebx+6]
		sub	edi, ecx
		mov	cl, [ebx+5]
		shl	edi, cl
		xor	ebx, ebx
		lea	eax, [esi+edx]
		inc	esi
		xor	edx, edx
		div	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_C], eax
		lea	esi, [esi+0FFFh]
		shr	esi, 0Ch
		test	eax, eax
		jnz	loc_5E309D

loc_55F813:				; CODE XREF: RtlpHpSegContextReserve+83934j
					; RtlpHpSegContextReserve+8393Ej
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
RtlpHpSegContextReserve	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlpHpLfhContextInitialize(void *,int,int,char,int,int,int)
_RtlpHpLfhContextInitialize@28 proc near ; CODE	XREF: RtlpHpHeapCreate+172p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	2C0h		; size_t
		mov	ebx, ecx
		mov	esi, edx
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	al, [ebp+arg_4]
		lea	edi, [ebx+4]
		mov	[ebx+1Dh], al
		add	esp, 0Ch
		mov	eax, [ebp+arg_C]
		sub	eax, ebx
		mov	[ebx], esi
		mov	esi, [ebp+arg_8]
		mov	[ebx+1Eh], ax
		mov	eax, [ebp+arg_10]
		push	5
		pop	ecx
		rep movsd
		mov	eax, [eax]
		mov	[ebx+20h], eax
		mov	eax, _RtlpHpHeapGlobals
		xor	eax, ebx
		xor	[ebx+4], eax
		mov	eax, [ebx+8]
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, ebx
		mov	[ebx+8], eax
		mov	eax, _RtlpHpHeapGlobals
		xor	eax, ebx
		xor	[ebx+0Ch], eax
		mov	eax, [ebx+10h]
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, ebx
		mov	[ebx+10h], eax
		mov	eax, [ebx+14h]
		test	eax, eax
		jz	short loc_55F89E
		xor	eax, _RtlpHpHeapGlobals
		xor	eax, ebx
		mov	[ebx+14h], eax

loc_55F89E:				; CODE XREF: RtlpHpLfhContextInitialize(x,x,x,x,x,x,x)+75j
		mov	eax, [ebp+arg_0]
		cmp	eax, 8
		ja	short loc_55F913

loc_55F8A6:				; CODE XREF: RtlpHpLfhContextInitialize(x,x,x,x,x,x,x)+FAj
		mov	[ebx+1Ch], al
		cmp	al, 1
		jbe	short loc_55F8CB
		push	40h
		pop	ecx
		movzx	eax, al
		sub	ecx, eax
		push	3Eh
		pop	edx
		sub	edx, ecx
		lea	eax, [ecx+3Dh]
		imul	edx, eax
		shr	edx, 1
		add	edx, offset dword_406B18
		mov	[ebx+18h], edx

loc_55F8CB:				; CODE XREF: RtlpHpLfhContextInitialize(x,x,x,x,x,x,x)+8Fj
		xor	eax, eax
		lea	edi, [ebx+80h]
		xor	esi, esi
		mov	ecx, 81h
		inc	eax
		mov	[ebp+arg_8], esi
		mov	word ptr [ebp+arg_8], ax
		mov	eax, [ebp+arg_8]
		rep stosd
		mov	edi, 7F7F7F7Fh

loc_55F8EC:				; CODE XREF: RtlpHpLfhContextInitialize(x,x,x,x,x,x,x)+EEj
		call	_RtlpHeapGenerateRandomValue64@0 ; RtlpHeapGenerateRandomValue64()
		and	eax, edi
		and	edx, edi
		mov	_RtlpLowFragHeapRandomData[esi], eax
		mov	dword_6BEB44[esi], edx
		add	esi, 8
		cmp	esi, 100h
		jb	short loc_55F8EC
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
; 

loc_55F913:				; CODE XREF: RtlpHpLfhContextInitialize(x,x,x,x,x,x,x)+88j
		push	8
		pop	eax
		jmp	short loc_55F8A6
_RtlpHpLfhContextInitialize@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpHeapAllocate proc	near		; CODE XREF: RtlpHpHeapCreate+4Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E3111 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], 580h
		push	edi
		mov	ecx, edx
		call	_RtlpHpLfhContextMaximumExtension@4 ; RtlpHpLfhContextMaximumExtension(x)
		mov	edx, [ebp+var_4]
		xor	edi, edi
		push	[ebp+arg_4]
		mov	ebx, [ebp+arg_0]
		add	edx, eax
		push	ebx
		mov	[ebp+var_C], 1000h
		lea	eax, [edx-1]
		and	eax, 0FFFh
		sub	edx, eax
		add	edx, 0FFFh
		mov	[ebp+var_4], edx
		call	_RtlpHpMetadataHeapCtxGet@8 ; RtlpHpMetadataHeapCtxGet(x,x)
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	loc_55FA51

loc_55F96E:				; CODE XREF: RtlpHpHeapAllocate+13Fj
					; RtlpHpHeapAllocate+14Cj ...
		push	[ebp+arg_4]
		cmp	bh, 2
		lea	edx, [ebp+var_4]
		push	ebx
		sbb	edi, edi
		lea	ecx, [ebp+var_8]
		and	esi, 40000000h
		and	edi, 1000000h
		neg	esi
		mov	eax, edi
		sbb	esi, esi
		or	eax, 2000h
		and	esi, 3Ch
		add	esi, 4
		push	esi
		push	eax
		push	0
		call	RtlpHpAllocVA
		test	eax, eax
		js	loc_55FAB1
		push	[ebp+arg_4]
		mov	eax, edi
		lea	edx, [ebp+var_C]
		push	ebx
		push	esi
		or	eax, 1000h
		lea	ecx, [ebp+var_8]
		push	eax
		push	0
		call	RtlpHpAllocVA
		test	eax, eax
		js	loc_55FAB1
		mov	esi, [ebp+var_8]
		and	[ebp+var_8], 0
		and	[ebp+var_10], 0

loc_55F9D8:				; CODE XREF: RtlpHpHeapAllocate+194j
		push	580h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		lea	eax, [esi+580h]
		mov	ecx, 0FFFEh
		mov	[esi+0B8h], eax
		add	esp, 0Ch
		mov	eax, [ebp+var_C]
		add	eax, esi
		mov	[esi+0BCh], eax
		mov	eax, [ebp+var_4]
		add	eax, esi
		mov	[esi+0C0h], eax
		mov	ax, [esi+16h]
		and	ax, cx
		or	ax, word ptr [ebp+var_10]
		mov	[esi+16h], ax
		lea	eax, [esi+80h]
		mov	ecx, [ebp+var_4]
		shr	ecx, 0Ch
		lock xadd [eax], ecx
		mov	ecx, [ebp+var_C]
		lea	eax, [esi+84h]
		shr	ecx, 0Ch
		lock xadd [eax], ecx

loc_55FA3E:				; CODE XREF: RtlpHpHeapAllocate+17Aj
					; RtlpHpHeapAllocate+19Bj
		cmp	[ebp+var_8], 0
		jnz	loc_5E3111

loc_55FA48:				; CODE XREF: RtlpHpHeapAllocate+8380Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_55FA51:				; CODE XREF: RtlpHpHeapAllocate+50j
		test	esi, 40000000h
		jnz	loc_55F96E
		mov	eax, ebx
		shr	eax, 10h
		test	al, al
		jnz	loc_55F96E
		cmp	edx, [ecx+18Ch]
		jnb	loc_55F96E
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		inc	eax
		mov	edx, 1000h
		push	ebx
		push	eax
		mov	[ebp+var_10], eax
		call	_RtlpHpMetadataAlloc@20	; RtlpHpMetadataAlloc(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_55FA3E
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_C]
		sub	ecx, edx
		push	ebx
		push	0
		push	ecx
		add	edx, esi
		mov	ecx, esi
		call	RtlpHpMetadataCommit
		jmp	loc_55F9D8
; 

loc_55FAB1:				; CODE XREF: RtlpHpHeapAllocate+8Dj
					; RtlpHpHeapAllocate+AFj
		xor	esi, esi
		jmp	short loc_55FA3E
RtlpHpHeapAllocate endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RtlpHpLfhContextMaximumExtension(x)
_RtlpHpLfhContextMaximumExtension@4 proc near ;	CODE XREF: RtlpHpHeapAllocate+1Ap
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	esi, 8
		ja	short loc_55FB04

loc_55FAC2:				; CODE XREF: RtlpHpLfhContextMaximumExtension(x)+51j
		mov	edx, _RtlpHpLfhPerfFlags
		lea	ecx, [esi-1]
		shr	edx, 0Ah
		and	ecx, 3
		and	edx, 1
		imul	eax, esi, 5
		mov	ebx, edx
		shl	ebx, 6
		sub	eax, ecx
		lea	ecx, [ebx+43h]
		add	ecx, eax
		lea	eax, [ecx-1]
		and	eax, 3Fh
		sub	ecx, eax
		lea	edi, [ecx+3Fh]
		test	edx, edx
		jnz	short loc_55FB09

loc_55FAF2:				; CODE XREF: RtlpHpLfhContextMaximumExtension(x)+56j
		lea	eax, [ebx+40h]
		imul	eax, esi
		add	eax, edi
		pop	edi
		pop	esi
		imul	eax, 81h
		pop	ebx
		retn
; 

loc_55FB04:				; CODE XREF: RtlpHpLfhContextMaximumExtension(x)+Aj
		push	8
		pop	esi
		jmp	short loc_55FAC2
; 

loc_55FB09:				; CODE XREF: RtlpHpLfhContextMaximumExtension(x)+3Aj
		lea	edi, [ecx+7Fh]
		jmp	short loc_55FAF2
_RtlpHpLfhContextMaximumExtension@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpRegisterEnvironment(x, x)
_RtlpHpRegisterEnvironment@8 proc near	; CODE XREF: RtlpHpHeapDestroy+139p
					; RtlpHpHeapCreate+21p	...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		xor	edi, edi
		mov	ecx, edi
		mov	edx, [esi]
		mov	eax, edx
		mov	ebx, [esi+4]
		shr	eax, 18h
		mov	[ebp+var_C], edx
		mov	[ebp+var_14], ecx
		test	al, al
		jnz	short loc_55FB89
		or	[ebp+var_20], 0FFFFFFFFh

loc_55FB3A:				; CODE XREF: RtlpHpRegisterEnvironment(x,x)+7Fj
		mov	eax, edx
		shr	edx, 10h
		shr	eax, 8
		test	byte ptr [ebp+var_C], 8
		movzx	eax, al
		mov	[ebp+var_1C], eax
		movzx	eax, dl
		mov	[ebp+var_18], eax
		jnz	short loc_55FB96

loc_55FB54:				; CODE XREF: RtlpHpRegisterEnvironment(x,x)+8Ej
		push	ebx
		push	dword ptr [esi]
		mov	[ebp+var_10], ebx
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		lea	edx, [ebp+var_20]
		lea	ecx, [eax+30h]
		cmp	[ebp+var_4], edi
		jz	short loc_55FB8F
		push	ecx
		call	_RtlpHpVaMgrCtxAllocatorReference@12 ; RtlpHpVaMgrCtxAllocatorReference(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_55FB9E
		inc	al
		mov	[esi+4], ebx
		mov	byte ptr [ebp+var_C+3],	al
		mov	eax, [ebp+var_C]
		mov	[esi], eax

loc_55FB82:				; CODE XREF: RtlpHpRegisterEnvironment(x,x)+86j
					; RtlpHpRegisterEnvironment(x,x)+95j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_55FB89:				; CODE XREF: RtlpHpRegisterEnvironment(x,x)+26j
		dec	eax
		mov	[ebp+var_20], eax
		jmp	short loc_55FB3A
; 

loc_55FB8F:				; CODE XREF: RtlpHpRegisterEnvironment(x,x)+5Aj
		call	RtlpHpVaMgrCtxAllocatorDereference
		jmp	short loc_55FB82
; 

loc_55FB96:				; CODE XREF: RtlpHpRegisterEnvironment(x,x)+44j
		or	ecx, 1
		mov	[ebp+var_14], ecx
		jmp	short loc_55FB54
; 

loc_55FB9E:				; CODE XREF: RtlpHpRegisterEnvironment(x,x)+65j
		mov	edi, 0C000009Ah
		jmp	short loc_55FB82
_RtlpHpRegisterEnvironment@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVaMgrCtxAllocatorReference(x,	x, x)
_RtlpHpVaMgrCtxAllocatorReference@12 proc near
					; CODE XREF: RtlpHpVaMgrCtxStart(x,x,x,x,x)+50p
					; RtlpHpRegisterEnvironment(x,x)+5Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	[ebp+var_C], esi
		lea	ebx, [edi+34h]
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al
		mov	edx, esi
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		push	2
		call	_RtlpHpVaMgrCtxAllocatorFind@16	; RtlpHpVaMgrCtxAllocatorFind(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_55FC0E
		movzx	eax, word ptr [esi+16h]
		mov	ecx, 0FFFFh
		cmp	ax, cx
		jz	short loc_55FC3E
		inc	eax
		mov	[esi+16h], ax

loc_55FBF0:				; CODE XREF: RtlpHpVaMgrCtxAllocatorReference(x,x,x)+6Dj
					; RtlpHpVaMgrCtxAllocatorReference(x,x,x)+96j ...
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_55FC42
		movzx	eax, byte ptr [esi+18h]

loc_55FC07:				; CODE XREF: RtlpHpVaMgrCtxAllocatorReference(x,x,x)+9Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_55FC0E:				; CODE XREF: RtlpHpVaMgrCtxAllocatorReference(x,x,x)+35j
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_55FBF0
		mov	esi, ecx
		mov	[ebp+var_8], 1Ch
		mov	eax, esi
		sub	eax, edi
		sub	eax, 3Ch
		cdq
		idiv	[ebp+var_8]
		mov	edx, edi
		push	eax
		push	ecx
		push	[ebp+var_C]
		call	_RtlpHpVaMgrStart@20 ; RtlpHpVaMgrStart(x,x,x,x,x)
		test	eax, eax
		js	short loc_55FC3E
		inc	dword ptr [edi+38h]
		jmp	short loc_55FBF0
; 

loc_55FC3E:				; CODE XREF: RtlpHpVaMgrCtxAllocatorReference(x,x,x)+43j
					; RtlpHpVaMgrCtxAllocatorReference(x,x,x)+91j
		xor	esi, esi
		jmp	short loc_55FBF0
; 

loc_55FC42:				; CODE XREF: RtlpHpVaMgrCtxAllocatorReference(x,x,x)+5Bj
		or	eax, 0FFFFFFFFh
		jmp	short loc_55FC07
_RtlpHpVaMgrCtxAllocatorReference@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVaMgrCtxAllocatorFind(x, x, x, x)
_RtlpHpVaMgrCtxAllocatorFind@16	proc near
					; CODE XREF: RtlpHpVaMgrCtxAllocatorReference(x,x,x)+2Cp
					; RtlpHpAllocVA+113AA7p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		xor	eax, eax
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, [ebx+38h]
		lea	ecx, [ebx+3Ch]
		test	edi, edi
		jz	short loc_55FC85

loc_55FC61:				; CODE XREF: RtlpHpVaMgrCtxAllocatorFind(x,x,x,x)+37j
		cmp	dword ptr [ecx+0Ch], 0
		jz	short loc_55FCAB
		push	[ebp+arg_0]
		inc	eax
		mov	[ebp+var_4], eax
		call	_RtlpHpVaMgrCtxAllocatorCompare@12 ; RtlpHpVaMgrCtxAllocatorCompare(x,x,x)
		test	eax, eax
		jnz	short loc_55FCA7
		mov	eax, [ebp+var_4]

loc_55FC7A:				; CODE XREF: RtlpHpVaMgrCtxAllocatorFind(x,x,x,x)+65j
					; RtlpHpVaMgrCtxAllocatorFind(x,x,x,x)+69j
		add	ecx, 1Ch
		cmp	eax, edi
		jb	short loc_55FC61
		test	esi, esi
		jnz	short loc_55FC95

loc_55FC85:				; CODE XREF: RtlpHpVaMgrCtxAllocatorFind(x,x,x,x)+17j
		cmp	edi, 0FFh
		jnb	short loc_55FC95
		imul	eax, edi, 1Ch
		lea	esi, [ebx+3Ch]
		add	esi, eax

loc_55FC95:				; CODE XREF: RtlpHpVaMgrCtxAllocatorFind(x,x,x,x)+3Bj
					; RtlpHpVaMgrCtxAllocatorFind(x,x,x,x)+43j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_55FC9E
		mov	[eax], esi

loc_55FC9E:				; CODE XREF: RtlpHpVaMgrCtxAllocatorFind(x,x,x,x)+52j
		xor	eax, eax

loc_55FCA0:				; CODE XREF: RtlpHpVaMgrCtxAllocatorFind(x,x,x,x)+61j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_55FCA7:				; CODE XREF: RtlpHpVaMgrCtxAllocatorFind(x,x,x,x)+2Dj
		mov	eax, ecx
		jmp	short loc_55FCA0
; 

loc_55FCAB:				; CODE XREF: RtlpHpVaMgrCtxAllocatorFind(x,x,x,x)+1Dj
		test	esi, esi
		jnz	short loc_55FC7A
		mov	esi, ecx
		jmp	short loc_55FC7A
_RtlpHpVaMgrCtxAllocatorFind@16	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVaMgrCtxAllocatorCompare(x, x, x)
_RtlpHpVaMgrCtxAllocatorCompare@12 proc	near
					; CODE XREF: RtlpHpVaMgrCtxAllocatorFind(x,x,x,x)+26p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bl, [ecx+1Ah]
		movzx	eax, bl
		shr	eax, 1
		and	eax, 3
		cmp	eax, [edx+4]
		jz	short loc_55FCD1

loc_55FCCA:				; CODE XREF: RtlpHpVaMgrCtxAllocatorCompare(x,x,x)+24j
					; RtlpHpVaMgrCtxAllocatorCompare(x,x,x)+2Cj ...
		xor	eax, eax

loc_55FCCC:				; CODE XREF: RtlpHpVaMgrCtxAllocatorCompare(x,x,x)+4Bj
		pop	ebx
		pop	ebp
		retn	4
; 

loc_55FCD1:				; CODE XREF: RtlpHpVaMgrCtxAllocatorCompare(x,x,x)+14j
		movzx	eax, byte ptr [ecx+19h]
		cmp	eax, [edx+8]
		jnz	short loc_55FCCA
		mov	eax, [ecx+10h]
		cmp	eax, [edx+10h]
		jnz	short loc_55FCCA
		cmp	[ebp+arg_0], 0
		jz	short loc_55FCF1
		movzx	eax, word ptr [ecx+14h]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_55FCCA

loc_55FCF1:				; CODE XREF: RtlpHpVaMgrCtxAllocatorCompare(x,x,x)+32j
		shr	bl, 3
		xor	bl, [edx+0Ch]
		test	bl, 1
		jnz	short loc_55FCCA
		xor	eax, eax
		inc	eax
		jmp	short loc_55FCCC
_RtlpHpVaMgrCtxAllocatorCompare@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVaMgrStart(x,	x, x, x, x)
_RtlpHpVaMgrStart@20 proc near		; CODE XREF: RtlpHpVaMgrCtxAllocatorReference(x,x,x)+8Ap

arg_0		= dword	ptr  8
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, ecx
		xor	ecx, ecx
		mov	ebx, edx
		xor	edx, edx
		inc	ecx
		mov	[esi], edx
		cmp	[edi+4], edx
		jz	short loc_55FD1F
		mov	dl, cl

loc_55FD1F:				; CODE XREF: RtlpHpVaMgrStart(x,x,x,x,x)+19j
		mov	eax, [edi+10h]
		mov	[esi+10h], eax
		push	2
		pop	eax
		mov	[esi+14h], ax
		mov	al, [ebp+arg_8]
		mov	[esi+18h], al
		mov	al, [edi+8]
		mov	[esi+16h], cx
		mov	cl, [edi+0Ch]
		mov	[esi+19h], al
		and	cl, 1
		mov	al, [edi+4]
		and	al, 3
		shl	cl, 2
		or	cl, al
		mov	[esi+0Ch], ebx
		mov	al, [esi+1Ah]
		add	cl, cl
		and	al, 0FEh
		or	al, dl
		and	al, 0F1h
		or	cl, al
		xor	eax, eax
		pop	edi
		mov	[esi+1Ah], cl
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_RtlpHpVaMgrStart@20 endp


;  S U B	R O U T	I N E 


; int __fastcall RtlpHpVaMgrCtxInitialize(void *)
_RtlpHpVaMgrCtxInitialize@4 proc near	; CODE XREF: RtlHpHeapManagerInitialize(x,x)+3Dp
		mov	edi, edi
		push	esi
		push	edi
		push	1C20h		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esi+10h]	; void *
		push	24h
		pop	edx
		call	_RtlCSparseBitmapInitialize@8 ;	RtlCSparseBitmapInitialize(x,x)
		add	esi, 40h
		mov	eax, 0FFh

loc_55FD92:				; CODE XREF: RtlpHpVaMgrCtxInitialize(x)+44j
		mov	[esi-4], edi
		mov	[esi+8], edi
		mov	[esi+0Ch], edi
		mov	[esi+10h], edi
		mov	[esi+14h], edi
		mov	[esi], edi
		lea	esi, [esi+1Ch]
		mov	[esi-18h], edi
		sub	eax, 1
		jnz	short loc_55FD92
		pop	edi
		pop	esi
		retn
_RtlpHpVaMgrCtxInitialize@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; int __fastcall RtlCSparseBitmapInitialize(void *,size_t)
_RtlCSparseBitmapInitialize@8 proc near	; CODE XREF: RtlHpHeapManagerInitialize(x,x)+35p
					; RtlpHpVaMgrCtxInitialize(x)+1Dp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		push	edi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		or	dword ptr [ebx+10h], 0FFFFFFFFh
		lea	esi, [edi-20h]
		add	esp, 0Ch
		cmp	edi, esi
		sbb	eax, eax
		not	eax
		pop	edi
		and	eax, esi
		pop	esi
		mov	[ebx+1Ch], eax
		pop	ebx
		retn
_RtlCSparseBitmapInitialize@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSparseArrayStart(x, x, x, x, x)
_RtlSparseArrayStart@20	proc near	; CODE XREF: RtlpHpVaMgrCtxStart(x,x,x,x,x)+24p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		push	10h
		pop	edi
		and	[ebp+var_4], 0
		mov	esi, ecx
		bsf	eax, edi
		push	8
		pop	ecx
		mov	[esi+4], eax
		mov	eax, [ebp+arg_0]
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_55FE31
		mov	eax, [ebp+var_4]
		mul	edi
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_55FE31
		mov	edx, [ebp+var_4]
		lea	ecx, [esi+8]
		push	1
		push	[ebp+arg_4]
		call	RtlCSparseBitmapStart
		test	eax, eax
		js	short loc_55FE31
		xor	eax, eax

loc_55FE31:				; CODE XREF: RtlSparseArrayStart(x,x,x,x,x)+2Bj
					; RtlSparseArrayStart(x,x,x,x,x)+3Bj ...
		pop	edi
		pop	esi
		leave
		retn	0Ch
_RtlSparseArrayStart@20	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCSparseBitmapStart proc near		; CODE XREF: RtlHpHeapManagerStart+2Cp
					; RtlSparseArrayStart(x,x,x,x,x)+48p

var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E312C SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+arg_4], eax
		test	ecx, ecx
		push	edi
		mov	[esi+0Ch], eax
		mov	[esi+14h], eax
		setnz	al
		mov	[esi+18h], al
		mov	al, [ebp+arg_0]
		mov	[esi+19h], al
		mov	[esi+1Ah], cl
		mov	[esi+8], edx
		cmp	edx, 7FFFFFFFh
		ja	loc_5E312C
		lea	ebx, [edx+7]
		mov	eax, 0FFFFF000h
		shr	ebx, 3
		mov	edx, 0FFFh
		add	ebx, edx
		and	ebx, eax
		mov	edi, ebx
		shr	edi, 0Ch
		add	edi, 7
		shr	edi, 3
		add	edi, edx
		and	edi, eax
		mov	eax, edi
		mov	[ebp+var_4], edi
		shr	eax, 0Ch
		add	eax, 7
		shr	eax, 3
		cmp	eax, [esi+1Ch]
		ja	loc_5E312C
		push	0
		push	ecx
		lea	eax, [edi+ebx]
		mov	[ebp+arg_4], eax
		lea	edx, [ebp+arg_4]
		movzx	eax, cl
		lea	ecx, [esi+4]
		push	eax
		movzx	eax, [ebp+arg_0]
		push	eax
		push	4
		push	102000h
		push	0
		call	RtlpHpEnvAllocVA
		test	eax, eax
		js	short loc_55FF32
		bsf	eax, [ebp+arg_4]
		mov	ecx, [esi+4]
		mov	edx, ebx
		mov	[esi+1Bh], al
		movzx	eax, byte ptr [esi+1Ah]
		push	0
		push	eax
		movzx	eax, byte ptr [esi+19h]
		push	eax
		call	_RtlpEnvRegisterFaultRange@20 ;	RtlpEnvRegisterFaultRange(x,x,x,x,x)
		test	eax, eax
		js	short loc_55FF32
		mov	eax, [esi+4]
		add	eax, ebx
		mov	[esi], eax
		cmp	edi, 1000h
		ja	short loc_55FF30
		movzx	eax, byte ptr [esi+1Ah]
		lea	edx, [ebp+var_4]
		push	0
		push	ecx
		push	eax
		movzx	eax, byte ptr [esi+19h]
		mov	ecx, esi
		push	eax
		push	4
		push	40001000h
		push	0
		call	RtlpHpEnvAllocVA
		test	eax, eax
		js	short loc_55FF32
		mov	dword ptr [esi+20h], 1

loc_55FF30:				; CODE XREF: RtlCSparseBitmapStart+CBj
		xor	eax, eax

loc_55FF32:				; CODE XREF: RtlCSparseBitmapStart+9Bj
					; RtlCSparseBitmapStart+BCj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
RtlCSparseBitmapStart endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpEnvRegisterFaultRange(x, x, x, x, x)
_RtlpEnvRegisterFaultRange@20 proc near	; CODE XREF: RtlCSparseBitmapCleanup(x)+4Fp
					; RtlCSparseBitmapStart+B5p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 1
		push	esi
		jz	short loc_55FF6B
		push	21h
		pop	esi

loc_55FF49:				; CODE XREF: RtlpEnvRegisterFaultRange(x,x,x,x,x)+3Fj
		xor	eax, eax
		cmp	[ebp+arg_8], eax
		setz	al
		push	eax
		push	esi
		call	MmManageFaultRange
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFF66h
		add	eax, 0C000009Ah
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_55FF6B:				; CODE XREF: RtlpEnvRegisterFaultRange(x,x,x,x,x)+Aj
		mov	esi, [ebp+arg_4]
		neg	esi
		sbb	esi, esi
		and	esi, 1FFh
		inc	esi
		jmp	short loc_55FF49
_RtlpEnvRegisterFaultRange@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmManageFaultRange proc	near		; CODE XREF: RtlpEnvRegisterFaultRange(x,x,x,x,x)+19p

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_3		= byte ptr  0Bh
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E3136 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_1C]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [edx-1]
		add	eax, ebx
		and	[ebp+arg_4], 1
		jz	loc_5600F3
		xor	esi, esi
		mov	edx, offset unk_6CF370
		xor	eax, eax
		mov	[ebp+var_8], eax

loc_55FFB1:				; CODE XREF: MmManageFaultRange+4Ej
		cmp	dword ptr [edx], 0
		lea	edi, [edx-0Ch]
		jz	loc_5600D3

loc_55FFBD:				; CODE XREF: MmManageFaultRange+831BDj
		add	eax, 14h
		inc	esi
		add	edx, 14h
		mov	[ebp+var_8], eax
		cmp	eax, 28h
		jb	short loc_55FFB1
		mov	edx, [ebp+var_4]

loc_55FFCF:				; CODE XREF: MmManageFaultRange+172j
		cmp	esi, 2
		jnz	short loc_55FFFD
		push	0
		push	40h
		push	14h
		mov	edx, 7641694Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5E313E
		mov	edx, [ebp+var_4]
		mov	[edi+0Ch], ebx
		lea	eax, [edx-1]
		add	eax, ebx
		mov	[edi+10h], eax

loc_55FFFD:				; CODE XREF: MmManageFaultRange+56j
					; MmManageFaultRange+180j
					; DATA XREF: ...
		test	[ebp+arg_0], 20h

loc_560001:				; DATA XREF: .text:004088ACo
		jz	loc_560101
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		test	dword ptr [esi+0FCh], 10000h
		jz	loc_5E3145
		mov	esi, [esi+180h]	; DATA XREF: BiIsVolumePartitionInformationRetained+B0o
		add	esi, 2434h

loc_56002F:				; CODE XREF: MmManageFaultRange+18Aj
		push	offset unk_6CF35C
		mov	[ebp+var_8], esi
		call	ExAcquireSpinLockExclusive
		cmp	[ebp+arg_4], 0
		mov	esi, [esi]
		mov	[ebp+arg_3], al
		jz	loc_56010B
		mov	byte ptr [ebp+arg_4], 0
		test	esi, esi
		jz	short loc_56007E
		mov	ecx, [edi+0Ch]

loc_560056:				; CODE XREF: MmManageFaultRange+FCj
		cmp	ecx, [esi+10h]
		ja	short loc_560063
		mov	eax, [edi+10h]
		cmp	eax, [esi+0Ch]
		jb	short loc_560070

loc_560063:				; CODE XREF: MmManageFaultRange+DDj
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_560076
		mov	byte ptr [ebp+arg_4], 1
		jmp	short loc_56007E
; 

loc_560070:				; CODE XREF: MmManageFaultRange+E5j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_56007A

loc_560076:				; CODE XREF: MmManageFaultRange+ECj
		mov	esi, eax
		jmp	short loc_560056
; 

loc_56007A:				; CODE XREF: MmManageFaultRange+F8j
		mov	byte ptr [ebp+arg_4], 0

loc_56007E:				; CODE XREF: MmManageFaultRange+D5j
					; MmManageFaultRange+F2j
		push	edi
		push	[ebp+arg_4]
		push	esi
		push	[ebp+var_8]
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		xor	esi, esi

loc_56008D:				; CODE XREF: MmManageFaultRange+1C6j
		push	offset unk_6CF35C
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+arg_3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	short loc_5600AE

loc_5600A4:				; CODE XREF: MmManageFaultRange+14Bj
					; MmManageFaultRange+155j
		xor	eax, eax
		inc	eax

loc_5600A7:				; CODE XREF: MmManageFaultRange+831C4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_5600AE:				; CODE XREF: MmManageFaultRange+126j
		mov	eax, offset unk_6CF364

loc_5600B3:				; CODE XREF: MmManageFaultRange+147j
		cmp	esi, eax
		jz	loc_5E315E
		add	eax, 14h
		cmp	eax, offset dword_6CF38C
		jb	short loc_5600B3

loc_5600C5:				; CODE XREF: MmManageFaultRange+831E4j
		test	esi, esi
		jz	short loc_5600A4
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_5600A4
; 

loc_5600D3:				; CODE XREF: MmManageFaultRange+3Bj
		mov	ecx, ebx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	loc_5E3136
		mov	edx, [ebp+var_4]
		lea	eax, [edx-1]
		add	eax, ebx
		mov	[edi+10h], eax
		jmp	loc_55FFCF
; 

loc_5600F3:				; CODE XREF: MmManageFaultRange+23j
		mov	[ebp+var_10], ebx
		lea	edi, [ebp+var_1C]
		mov	[ebp+var_C], eax
		jmp	loc_55FFFD
; 

loc_560101:				; CODE XREF: MmManageFaultRange:loc_560001j
		mov	esi, offset unk_6CF360
		jmp	loc_56002F
; 

loc_56010B:				; CODE XREF: MmManageFaultRange+C9j
		test	esi, esi
		jz	short loc_56011F
		mov	ecx, [edi+0Ch]

loc_560112:				; CODE XREF: MmManageFaultRange+1D0j
		cmp	ecx, [esi+10h]
		ja	short loc_560147
		mov	eax, [edi+10h]
		cmp	eax, [esi+0Ch]
		jb	short loc_560150

loc_56011F:				; CODE XREF: MmManageFaultRange+191j
					; MmManageFaultRange+1D2j
		mov	ecx, [ebp+var_4]
		cmp	[esi+0Ch], ebx
		jnz	loc_5E314F
		lea	eax, [ecx-1]
		add	eax, ebx
		cmp	[esi+10h], eax
		jnz	loc_5E314F
		push	esi
		push	[ebp+var_8]
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		jmp	loc_56008D
; 

loc_560147:				; CODE XREF: MmManageFaultRange+199j
		mov	esi, [esi+4]

loc_56014A:				; CODE XREF: MmManageFaultRange+1D6j
		test	esi, esi
		jnz	short loc_560112
		jmp	short loc_56011F
; 

loc_560150:				; CODE XREF: MmManageFaultRange+1A1j
		mov	esi, [esi]
		jmp	short loc_56014A
MmManageFaultRange endp


;  S U B	R O U T	I N E 


; __stdcall ExInitializeSessionPoolTrackTable()
_ExInitializeSessionPoolTrackTable@0 proc near
					; CODE XREF: ExInitializeSessionHeapManager+11Cp
		cmp	_ExpSessionPoolTrackTable, 0
		jz	short loc_56015E
		retn
; 

loc_56015E:				; CODE XREF: ExInitializeSessionPoolTrackTable()+7j
		call	_MiSessionPoolTrackTable@0 ; MiSessionPoolTrackTable()
		mov	_ExpSessionPoolTrackTable, eax
		call	_MiSessionPoolTrackTableSize@0 ; MiSessionPoolTrackTableSize()
		mov	_ExpSessionPoolTrackTableSize, eax
		dec	eax
		mov	_ExpSessionPoolTrackTableMask, eax
		retn
_ExInitializeSessionPoolTrackTable@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeZeroedPageTables(x, x, x, x)
_MiMakeZeroedPageTables@16 proc	near	; CODE XREF: MiReserveDriverPtes+10Fp
					; MiMapSystemImage+D4p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	MiMakeZeroedPageTablesEx
		pop	ebp
		retn	8
_MiMakeZeroedPageTables@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMarkSessionMasterProcess proc	near	; CODE XREF: MiSessionCreateInternal(x)+313p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E3165 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	ebx, edx
		mov	esi, ecx
		stosd
		stosd
		call	_MiSessionAddProcess@8 ; MiSessionAddProcess(x,x)
		lea	edx, [ebp+var_10]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esi+2A0h]
		add	ebx, 10h
		mov	[ebp+var_4], eax
		shr	eax, 8
		or	al, 1
		mov	byte ptr [ebp+var_4+1],	al
		mov	ax, word ptr [ebp+var_4]
		mov	[esi+2A0h], ax
		add	esi, 120h
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	short loc_56022C
		mov	[esi], ebx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ebx+4], esi
		test	ds:byte_70EFC6,	1
		pop	edi
		pop	esi
		pop	ebx
		jnz	loc_5E3165
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_5E317D
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	loc_5E3175

loc_560221:				; CODE XREF: MiMarkSessionMasterProcess+82FE0j
					; MiMarkSessionMasterProcess+82FFDj
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn
; 

loc_56022C:				; CODE XREF: MiMarkSessionMasterProcess+53j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
MiMarkSessionMasterProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapContiguousMemoryLarge proc	near	; CODE XREF: MiMapContiguousMemory+17Ap

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E3192 SIZE 000000EC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	[eax], ebx
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		inc	edx
		shr	eax, 3
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_4], edx
		push	3
		pop	ecx
		mov	[ebp+var_18], ecx
		cmp	eax, edx
		jz	loc_5603C1
		cmp	eax, ecx
		jnz	short loc_56027C
		test	byte ptr [ebp+arg_0], 7
		jz	short loc_56027C
		mov	[ebp+var_4], 2

loc_56027C:				; CODE XREF: MiMapContiguousMemoryLarge+3Bj
					; MiMapContiguousMemoryLarge+41j ...
		cmp	esi, dword_6D07B0
		jbe	loc_5E3192
		mov	[ebp+var_20], ebx

loc_56028B:				; CODE XREF: MiMapContiguousMemoryLarge+82F7Aj
		mov	eax, ebx
		mov	[ebp+var_14], ebx

loc_560290:				; CODE XREF: MiMapContiguousMemoryLarge+82F8Cj
		mov	[ebp+var_24], ebx
		test	edi, edi
		jz	loc_5E3248
		lea	edx, [eax+16h]
		mov	[ebp+var_10], edx

loc_5602A1:				; CODE XREF: MiMapContiguousMemoryLarge+99j
		lea	ecx, [ebx+esi]
		mov	[ebp+var_28], ecx
		cmp	ecx, dword_6D07B0
		jbe	loc_5E31C3

loc_5602B3:				; CODE XREF: MiMapContiguousMemoryLarge+82FF4j
		test	eax, eax
		jnz	short loc_5602CD
		test	ebx, ebx
		jz	loc_56038A

loc_5602BF:				; CODE XREF: MiMapContiguousMemoryLarge+18Aj
		inc	ebx
		add	edx, 1Ch
		mov	[ebp+var_24], ebx
		mov	[ebp+var_10], edx
		cmp	ebx, edi
		jb	short loc_5602A1

loc_5602CD:				; CODE XREF: MiMapContiguousMemoryLarge+83j
					; MiMapContiguousMemoryLarge+82FB2j
		mov	ecx, [ebp+var_4]

loc_5602D0:				; CODE XREF: MiMapContiguousMemoryLarge+82FE0j
		mov	eax, [ebp+var_8]

loc_5602D3:				; CODE XREF: MiMapContiguousMemoryLarge+8301Bj
		cmp	ebx, edi
		jnz	loc_5603C9
		cmp	[ebp+var_20], 0
		jnz	loc_5E3252
		test	eax, eax
		jnz	loc_5E3252
		and	[ebp+arg_4], eax
		mov	edx, esi
		push	ecx
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+arg_4]
		push	eax
		push	ecx
		xor	ecx, ecx
		push	edi
		inc	ecx
		call	MiReferenceIoPages
		test	eax, eax
		js	loc_5603C9
		mov	edx, [ebp+arg_4]
		lea	eax, [edx-1]
		test	eax, edx
		jnz	loc_5E326E
		mov	eax, [ebp+var_1C]
		mov	ecx, esi
		and	ecx, 1FFFFFFh
		sub	ecx, [eax+14h]
		mov	eax, [eax+18h]
		mov	ax, [eax+ecx*2]
		movzx	ebx, ax
		mov	word ptr [ebp+arg_4], ax
		shr	ebx, 0Eh

loc_56033A:				; CODE XREF: MiMapContiguousMemoryLarge+83023j
		mov	ecx, esi
		call	MiSearchNumaNodeTable
		mov	eax, [eax+4]
		inc	eax
		push	eax
		push	ecx
		push	9
		pop	edx
		mov	ecx, edi
		call	MiGetPageTablesForLargeMap
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	loc_5E325A
		push	ebx
		push	[ebp+arg_0]
		mov	edx, ecx
		mov	ecx, offset unk_6D3940
		push	0
		push	edi
		push	esi
		call	MiMapWithLargePages
		cmp	[ebp+var_1C], 0
		mov	ecx, [ebp+var_C]
		jz	short loc_560381
		mov	eax, [ebp+arg_8]
		or	dword ptr [eax], 1

loc_560381:				; CODE XREF: MiMapContiguousMemoryLarge+147j
					; MiMapContiguousMemoryLarge+19Aj ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	0Ch
; 

loc_56038A:				; CODE XREF: MiMapContiguousMemoryLarge+87j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, edi
		mov	ecx, esi
		mov	bl, al
		call	MiIoSpaceIsConstant
		mov	cl, bl
		mov	[ebp+var_8], eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	loc_5E323E
		mov	ebx, [ebp+var_24]

loc_5603B6:				; CODE XREF: MiMapContiguousMemoryLarge+82FE9j
		mov	edx, [ebp+var_10]
		mov	eax, [ebp+var_14]
		jmp	loc_5602BF
; 

loc_5603C1:				; CODE XREF: MiMapContiguousMemoryLarge+33j
		mov	[ebp+var_4], ebx
		jmp	loc_56027C
; 

loc_5603C9:				; CODE XREF: MiMapContiguousMemoryLarge+A3j
					; MiMapContiguousMemoryLarge+D5j ...
		mov	ecx, [ebp+var_C]
		jmp	short loc_560381
MiMapContiguousMemoryLarge endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapWithLargePages proc near		; CODE XREF: MiMapContiguousMemoryLarge+13Bp
					; MiInsertInSystemSpace+11EA1Ap ...

var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005E327E SIZE 000000CA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[esp+30h+var_1C], ecx
		mov	ecx, ds:_MiLargePageSizes[eax*4]
		xor	edx, edx
		mov	eax, [ebp+arg_4]
		div	ecx
		mov	esi, [ebp+arg_C]
		mov	ebx, eax
		shr	edi, 9
		imul	ebx, ecx
		and	edi, offset loc_7FFFF8
		mov	[esp+30h+var_C], eax
		sub	edi, 40000000h
		mov	eax, [ebp+arg_0]
		and	esi, 7
		mov	[esp+30h+var_8], ecx
		mov	[esp+30h+var_10], edx
		mov	[esp+30h+var_18], ebx
		mov	[esp+30h+var_14], edi
		cmp	eax, dword_6D07B0
		jbe	loc_5E327E

loc_560430:				; CODE XREF: MiMapWithLargePages+82EC7j
		cmp	[ebp+arg_10], 0
		jz	loc_5605E0
		cmp	[ebp+arg_10], 2
		jnz	short loc_560443
		or	esi, 18h

loc_560443:				; CODE XREF: MiMapWithLargePages+70j
					; MiMapWithLargePages+215j
		mov	edx, [ebp+arg_0]

loc_560446:				; CODE XREF: MiMapWithLargePages+82EE7j
					; MiMapWithLargePages+82EEFj ...
		or	esi, 0A0000000h
		cmp	[esp+30h+var_10], 0
		mov	[ebp+arg_C], esi
		jnz	loc_56055C

loc_56045A:				; CODE XREF: MiMapWithLargePages+20Dj
		mov	edx, [ebp+arg_0]
		or	esi, 4000000h
		shr	edi, 9
		xor	ecx, ecx
		and	edi, offset loc_7FFFF8
		push	esi
		sub	edi, 40000000h
		call	MiMakeValidPte
		mov	ecx, [esp+30h+var_1C]
		mov	ebx, eax
		mov	eax, [esp+30h+var_C]
		xor	esi, esi
		mov	[esp+30h+var_18], edx
		lea	eax, [edi+eax*8]
		mov	[esp+30h+var_10], eax
		call	MiLockWorkingSetShared
		mov	[esp+30h+var_1D], al
		cmp	edi, [esp+30h+var_10]
		jnb	short loc_560511
		mov	eax, [esp+30h+var_8]
		mov	ecx, 1000h
		mul	ecx
		mov	[esp+30h+var_C], edx
		mov	edx, [esp+30h+var_18]
		mov	[esp+30h+var_8], eax

loc_5604B7:				; CODE XREF: MiMapWithLargePages+12Ej
		test	esi, esi
		jz	short loc_560535
		test	edi, 0FFFh
		jz	loc_5E3338

loc_5604C7:				; CODE XREF: MiMapWithLargePages+189j
		push	edx
		push	ebx
		mov	ecx, edi
		call	MiWriteTopLevelPxe
		mov	ecx, [esp+30h+var_8]
		mov	edx, [esp+30h+var_18]
		add	ecx, ebx
		mov	eax, [esp+30h+var_C]
		adc	eax, edx
		xor	ecx, ebx
		xor	eax, edx
		and	ecx, 0FFFFF000h
		and	eax, 1Fh
		add	edi, 8
		xor	edx, eax
		xor	ebx, ecx
		mov	[esp+30h+var_18], edx
		cmp	edi, [esp+30h+var_10]
		jb	short loc_5604B7
		test	esi, esi
		jz	short loc_56050D
		mov	ecx, [esp+30h+var_1C]
		mov	edx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_56050D:				; CODE XREF: MiMapWithLargePages+132j
		mov	al, [esp+30h+var_1D]

loc_560511:				; CODE XREF: MiMapWithLargePages+D0j
		mov	ecx, [esp+30h+var_1C]
		mov	dl, al
		call	MiUnlockWorkingSetShared
		mov	eax, [ebp+arg_4]
		mov	ecx, [esp+30h+var_14]
		dec	eax
		lea	edx, [ecx+eax*8]
		call	MiReplicatePteChange
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_560535:				; CODE XREF: MiMapWithLargePages+EBj
					; MiMapWithLargePages+82F75j
		mov	ecx, [esp+30h+var_1C]
		mov	esi, edi
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		push	0
		mov	edx, esi
		call	MiLockPageTableInternal
		mov	edx, [esp+30h+var_18]
		jmp	loc_5604C7
; 

loc_56055C:				; CODE XREF: MiMapWithLargePages+86j
		mov	eax, [ebp+arg_4]
		lea	ebx, [edi+ebx*8]
		add	edx, [esp+30h+var_18]
		xor	ecx, ecx
		push	esi
		lea	eax, [edi+eax*8]
		mov	[esp+34h+var_10], eax
		call	MiMakeValidPte
		mov	edi, eax
		mov	[esp+30h+var_18], edx
		cmp	ebx, [esp+30h+var_10]
		jnb	short loc_5605D7
		mov	esi, edx

loc_560583:				; CODE XREF: MiMapWithLargePages+204j
		and	[esp+30h+var_18], 0
		mov	ecx, ebx
		mov	edx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5E32CB
		mov	eax, edi

loc_56059B:				; CODE XREF: MiMapWithLargePages+82F16j
					; MiMapWithLargePages+82F28j ...
		mov	[ebx+4], edx
		nop
		cmp	[esp+30h+var_18], 0
		mov	[ebx], eax
		jnz	loc_5E332A

loc_5605AC:				; CODE XREF: MiMapWithLargePages+82F65j
		mov	ecx, edi
		mov	eax, 1000h
		add	ecx, eax
		mov	eax, esi
		adc	eax, 0
		xor	ecx, edi
		xor	eax, esi
		and	ecx, 0FFFFF000h
		and	eax, 1Fh
		add	ebx, 8
		xor	edi, ecx
		xor	esi, eax
		cmp	ebx, [esp+30h+var_10]
		jb	short loc_560583
		mov	esi, [ebp+arg_C]

loc_5605D7:				; CODE XREF: MiMapWithLargePages+1B1j
		mov	edi, [esp+30h+var_14]
		jmp	loc_56045A
; 

loc_5605E0:				; CODE XREF: MiMapWithLargePages+66j
		or	esi, 8
		jmp	loc_560443
MiMapWithLargePages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiWriteTopLevelPxe proc	near		; CODE XREF: .text:00458DAFp
					; .text:004723A4p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E3348 SIZE 0000006C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	ebx, ecx
		stosd
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, [ebp+arg_0]
		xor	edi, edi
		inc	edi
		mov	eax, esi
		and	eax, edi
		or	eax, 0
		jz	short loc_560679
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		xor	edi, edi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5E3348

loc_56062D:				; CODE XREF: MiWriteTopLevelPxe+82D73j
					; MiWriteTopLevelPxe+82D91j ...
		mov	[ebx+4], edx
		nop
		mov	[ebx], esi
		test	edi, edi
		jnz	short loc_560684

loc_560637:				; CODE XREF: MiWriteTopLevelPxe+A3j
		xor	edi, edi
		inc	edi

loc_56063A:				; CODE XREF: MiWriteTopLevelPxe+9Aj
		test	ds:byte_70EFC6,	1
		jnz	loc_5E338A
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5E33A2
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5E339A

loc_560669:				; CODE XREF: MiWriteTopLevelPxe+82DADj
					; MiWriteTopLevelPxe+82DC7j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_560679:				; CODE XREF: MiWriteTopLevelPxe+2Fj
		mov	[ebx], esi
		nop
		mov	eax, [ebp+arg_4]
		mov	[ebx+4], eax
		jmp	short loc_56063A
; 

loc_560684:				; CODE XREF: MiWriteTopLevelPxe+4Dj
		push	edx
		push	esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	short loc_560637
MiWriteTopLevelPxe endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetPageTablesForLargeMap proc	near	; CODE XREF: MiMapContiguousMemoryLarge+11Ap
					; MiInsertInSystemSpace+11E7F0p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E33B4 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		mov	[ebp+var_C], eax
		push	esi
		push	edi
		cmp	eax, 9
		jnz	loc_5E33B4
		push	0Dh
		pop	eax
		mov	[ebp+var_8], eax

loc_5606AF:				; CODE XREF: MiGetPageTablesForLargeMap+82D29j
		mov	esi, ebx
		and	ecx, 0FFFFFE00h
		shr	esi, 9
		mov	[ebp+var_4], ecx
		test	ebx, 1FFh
		jnz	short loc_5606F1

loc_5606C5:				; CODE XREF: MiGetPageTablesForLargeMap+64j
		mov	edx, eax
		mov	ecx, esi
		call	MiObtainSystemVa
		mov	edi, eax
		test	edi, edi
		jz	loc_5E33CE
		mov	ecx, edi
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		cmp	ebx, [ebp+var_4]
		jnz	short loc_5606F4

loc_5606E8:				; CODE XREF: MiGetPageTablesForLargeMap+92j
		mov	eax, edi

loc_5606EA:				; CODE XREF: MiGetPageTablesForLargeMap+82D42j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_5606F1:				; CODE XREF: MiGetPageTablesForLargeMap+35j
		inc	esi
		jmp	short loc_5606C5
; 

loc_5606F4:				; CODE XREF: MiGetPageTablesForLargeMap+58j
		mov	edx, [ebp+var_C]
		xor	eax, eax
		push	[ebp+arg_4]
		cmp	edx, 0Ch
		push	edx
		setz	al
		lea	edx, [ebx-8000001h]
		push	eax
		mov	eax, [ebp+var_4]
		lea	edx, [ecx+edx*8]
		lea	ecx, [ecx+eax*8]
		add	ecx, 0C0000000h
		call	MiMakeZeroedPageTablesEx
		test	eax, eax
		jnz	short loc_5606E8
		jmp	loc_5E33BC
MiGetPageTablesForLargeMap endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringCchCopyNW proc	near		; CODE XREF: PiDevCfgParsePropertyKeyName(x,x,x)+9Bp
					; AslPathSplit+64p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E33D5 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		test	edx, edx
		jz	short loc_56075C
		cmp	edx, 7FFFFFFFh
		ja	short loc_56075C

loc_56073B:				; CODE XREF: RtlStringCchCopyNW+39j
		test	eax, eax
		js	short loc_560763
		cmp	[ebp+arg_4], 7FFFFFFEh
		ja	loc_5E33D5
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ecx
		call	sub_56076C

loc_560758:				; CODE XREF: RtlStringCchCopyNW+3Dj
					; RtlStringCchCopyNW+82CB7j
		pop	ebp
		retn	8
; 

loc_56075C:				; CODE XREF: RtlStringCchCopyNW+9j
					; RtlStringCchCopyNW+11j
		mov	eax, 0C000000Dh
		jmp	short loc_56073B
; 

loc_560763:				; CODE XREF: RtlStringCchCopyNW+15j
		test	edx, edx
		jz	short loc_560758
		jmp	loc_5E33DA
RtlStringCchCopyNW endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_56076C	proc near		; CODE XREF: RtlStringCbCopyNW(x,x,x,x)+2Fp
					; RtlStringCchCopyNW+2Bp ...

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	edx, edx
		jz	short loc_5607B7
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		sub	eax, ecx
		push	edi

loc_56077F:				; CODE XREF: sub_56076C+2Aj
		test	esi, esi
		jz	short loc_560798
		movzx	edi, word ptr [eax+ecx]
		test	di, di
		jz	short loc_560798
		mov	[ecx], di
		add	ecx, 2
		dec	esi
		sub	edx, 1
		jnz	short loc_56077F

loc_560798:				; CODE XREF: sub_56076C+15j
					; sub_56076C+1Ej
		pop	edi
		pop	esi
		test	edx, edx
		jz	short loc_5607B7

loc_56079E:				; CODE XREF: sub_56076C+4Ej
		neg	edx
		sbb	edx, edx
		and	edx, 7FFFFFFBh
		xor	eax, eax
		mov	[ecx], ax
		lea	eax, [edx-7FFFFFFBh]
		pop	ebp
		retn	0Ch
; 

loc_5607B7:				; CODE XREF: sub_56076C+7j
					; sub_56076C+30j
		sub	ecx, 2
		jmp	short loc_56079E
sub_56076C	endp

; 

IopErrorLogGetEntry:			; CODE XREF: IopErrorLogThread:loc_868282p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _IopErrorLogLock
		mov	[ebp-1], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ebx, _IopErrorLogListHead
		mov	ecx, offset _IopErrorLogListHead
		cmp	ebx, ecx
		jnz	short loc_560811
		xor	ebx, ebx
		mov	_IopErrorLogSessionPending, bl

loc_5607F0:				; CODE XREF: .text:00560825j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E33E4
		xor	eax, eax
		lock and [esi],	eax

loc_560802:				; CODE XREF: .text:005E33EEj
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_560811:				; CODE XREF: .text:005607E6j
		mov	eax, [ebx]
		cmp	[ebx+4], ecx
		jnz	short loc_560827
		cmp	[eax+4], ebx
		jnz	short loc_560827
		mov	_IopErrorLogListHead, eax
		mov	[eax+4], ecx
		jmp	short loc_5607F0
; 

loc_560827:				; CODE XREF: .text:00560816j
					; .text:0056081Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1251. KeRegisterBugCheckReasonCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeRegisterBugCheckReasonCallback
KeRegisterBugCheckReasonCallback proc near ; CODE XREF:	HvlPhase1Initialize+86BD7p
					; SmPrepareForFatalHeapCorruption(x,x,x,x,x)+B6p ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005E33F3 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	cl, 1Fh
		push	edi
		inc	ebx
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	esi, offset _KeBugCheckCallbackLock
		mov	[ebp+var_1], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [ebp+arg_0]
		cmp	byte ptr [edx+18h], 0
		jnz	loc_5608FD
		mov	edi, [ebp+arg_8]
		mov	eax, edi
		sub	eax, 4
		jz	loc_5E33F3
		dec	eax
		mov	esi, offset _KeBugCheckReasonCallbackListHead
		sub	eax, ebx
		jz	loc_5E33F3

loc_56087E:				; CODE XREF: KeRegisterBugCheckReasonCallback+82BC6j
		mov	ecx, esi
		call	_KiCheckForDuplicateBugCheckCallback@8 ; KiCheckForDuplicateBugCheckCallback(x,x)
		test	al, al
		jnz	loc_5E33FD
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_C]
		mov	[edx+8], eax
		add	eax, edi
		add	eax, ecx
		mov	[edx+14h], edi
		mov	[edx+0Ch], ecx
		mov	[edx+10h], eax
		mov	[edx+18h], bl
		cmp	edi, 7
		jz	short loc_5608E5
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_5608F8
		mov	[edx], eax
		mov	[edx+4], esi
		mov	[eax+4], edx
		mov	[esi], edx

loc_5608BC:				; CODE XREF: KeRegisterBugCheckReasonCallback+C4j
		mov	esi, offset _KeBugCheckCallbackLock

loc_5608C1:				; CODE XREF: KeRegisterBugCheckReasonCallback+CDj
		test	ds:byte_70EFC6,	1
		jnz	loc_5E3407
		xor	eax, eax
		lock and [esi],	eax

loc_5608D3:				; CODE XREF: KeRegisterBugCheckReasonCallback+82BDFj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	10h
; 

loc_5608E5:				; CODE XREF: KeRegisterBugCheckReasonCallback+77j
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_5608F8
		mov	[edx], esi
		mov	[edx+4], eax
		mov	[eax], edx
		mov	[esi+4], edx
		jmp	short loc_5608BC
; 

loc_5608F8:				; CODE XREF: KeRegisterBugCheckReasonCallback+7Ej
					; KeRegisterBugCheckReasonCallback+B8j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5608FD:				; CODE XREF: KeRegisterBugCheckReasonCallback+2Aj
					; KeRegisterBugCheckReasonCallback+82BD0j
		xor	bl, bl
		jmp	short loc_5608C1
KeRegisterBugCheckReasonCallback endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiCheckForDuplicateBugCheckCallback(x, x)
_KiCheckForDuplicateBugCheckCallback@8 proc near
					; CODE XREF: KeRegisterBugCheckReasonCallback+4Ep
					; KeRegisterBugCheckCallback+31p
		mov	eax, [ecx]

loc_560904:				; CODE XREF: KiCheckForDuplicateBugCheckCallback(x,x)+Cj
		cmp	eax, ecx
		jz	short loc_560910
		cmp	eax, edx
		jz	short loc_560923
		mov	eax, [eax]
		jmp	short loc_560904
; 

loc_560910:				; CODE XREF: KiCheckForDuplicateBugCheckCallback(x,x)+4j
		mov	eax, [ecx+4]

loc_560913:				; CODE XREF: KiCheckForDuplicateBugCheckCallback(x,x)+1Cj
		cmp	eax, ecx
		jz	short loc_560920
		cmp	eax, edx
		jz	short loc_560923
		mov	eax, [eax+4]
		jmp	short loc_560913
; 

loc_560920:				; CODE XREF: KiCheckForDuplicateBugCheckCallback(x,x)+13j
		xor	al, al
		retn
; 

loc_560923:				; CODE XREF: KiCheckForDuplicateBugCheckCallback(x,x)+8j
					; KiCheckForDuplicateBugCheckCallback(x,x)+17j
		mov	al, 1
		retn
_KiCheckForDuplicateBugCheckCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInvalidateAllCachesTarget(x, x, x, x)
_KiInvalidateAllCachesTarget@16	proc near
					; DATA XREF: KiIpiSendSynchronousPacket(x,x,x,x,x,x)+3Bo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		wbinvd
		call	KiIpiSignalPacketDoneAndStall
		pop	ebp
		retn	10h
_KiInvalidateAllCachesTarget@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIpiSignalPacketDoneAndStall proc near	; CODE XREF: KiInvalidateAllCachesTarget(x,x,x,x)+Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E3416 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, edx
		xor	eax, eax
		push	esi
		mov	esi, large fs:20h
		push	edi
		mov	edi, [ebx]
		mov	[ebp+var_4], edi
		mov	edi, ecx
		and	edi, 0FFFFFFFEh
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], esi
		test	cl, 1
		jnz	short loc_5609D7
		mov	esi, [esi+3C8h]
		lea	edx, [edi+216Ch]
		mov	eax, [edx]

loc_560975:				; CODE XREF: KiIpiSignalPacketDoneAndStall+41j
		mov	ecx, eax
		xor	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_560975
		mov	esi, [ebp+var_8]
		cmp	[esi+3C8h], eax
		jz	short loc_5609B5

loc_56098A:				; CODE XREF: KiIpiSignalPacketDoneAndStall+99j
		mov	eax, [ebp+var_4]
		cmp	[ebx], eax
		jnz	short loc_5609B0
		lea	edi, [esi+21A0h]

loc_560997:				; CODE XREF: KiIpiSignalPacketDoneAndStall+72j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	al, 4
		jnz	loc_5E3416

loc_5609A9:				; CODE XREF: KiIpiSignalPacketDoneAndStall+82AEBj
					; KiIpiSignalPacketDoneAndStall+82AFEj
		mov	eax, [ebp+var_4]
		cmp	[ebx], eax
		jz	short loc_560997

loc_5609B0:				; CODE XREF: KiIpiSignalPacketDoneAndStall+53j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5609B5:				; CODE XREF: KiIpiSignalPacketDoneAndStall+4Cj
		xor	eax, eax

loc_5609B7:				; CODE XREF: KiIpiSignalPacketDoneAndStall+A1j
		mov	[edi+2160h], eax
		mov	[edi+2164h], eax
		mov	[edi+2168h], eax
		mov	[edi+2170h], eax
		mov	[edi+2120h], eax
		jmp	short loc_56098A
; 

loc_5609D7:				; CODE XREF: KiIpiSignalPacketDoneAndStall+29j
		mov	[edi+216Ch], eax
		jmp	short loc_5609B7
KiIpiSignalPacketDoneAndStall endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSessionUpdateImageCharges(x)
_MiSessionUpdateImageCharges@4 proc near ; CODE	XREF: MiDriverLoadSucceeded+193p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [esi+18h]
		call	_MiSessionLookupImage@4	; MiSessionLookupImage(x)
		mov	ecx, esi
		mov	ebx, eax
		call	_MiCountSystemImageCommitment@4	; MiCountSystemImageCommitment(x)
		mov	edi, [ebx+28h]
		mov	[ebp+var_4], eax
		sub	edi, eax
		jz	short loc_560A34
		mov	ecx, large fs:124h
		mov	edx, edi
		mov	ecx, [ecx+80h]
		mov	esi, [ecx+180h]
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		mov	eax, [ebp+var_4]
		neg	edi
		mov	[ebx+28h], eax
		lea	eax, [esi+20h]
		lock xadd [eax], edi

loc_560A34:				; CODE XREF: MiSessionUpdateImageCharges(x)+24j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
_MiSessionUpdateImageCharges@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCountSystemImageCommitment(x)
_MiCountSystemImageCommitment@4	proc near ; CODE XREF: MiSessionUpdateImageCharges(x)+17p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		mov	esi, ecx
		push	edi
		test	byte ptr [esi+70h], 12h
		mov	edi, [esi+18h]
		jnz	loc_560C63
		mov	ecx, edi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	loc_560C63
		mov	ecx, [esi+3Ch]
		test	ecx, ecx
		jz	loc_560C63
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	[ebp+var_10], eax
		cmp	dword ptr [eax+58h], 0
		jz	loc_560C63
		mov	ecx, dword_6D07D0
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_18], eax
		mov	[ebp+var_8], eax
		mov	eax, edi
		shr	eax, 15h
		cmp	edi, ecx
		jb	short loc_560AD4
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_560ACD
		cmp	edi, ecx
		jb	short loc_560AD4
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jnz	short loc_560AD4

loc_560ACD:				; CODE XREF: MiCountSystemImageCommitment(x)+82j
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		jmp	short loc_560ADC
; 

loc_560AD4:				; CODE XREF: MiCountSystemImageCommitment(x)+79j
					; MiCountSystemImageCommitment(x)+86j ...
		xor	ecx, ecx
		inc	ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)

loc_560ADC:				; CODE XREF: MiCountSystemImageCommitment(x)+96j
		mov	[ebp+var_C], eax
		xor	edx, edx
		mov	eax, [ebp+var_10]
		mov	ecx, edi
		xor	esi, esi
		mov	eax, [eax+1Ch]
		and	eax, 800h
		mov	[ebp+var_1C], eax
		call	MiFreePrivateFixupEntryForSystemImage
		mov	[ebp+var_14], eax
		mov	edi, offset unk_6D3C40
		mov	eax, [ebp+var_C]
		mov	cl, [eax+60h]
		and	cl, 7
		cmp	cl, 2
		jz	short loc_560B14
		lea	edi, [eax+80h]

loc_560B14:				; CODE XREF: MiCountSystemImageCommitment(x)+D0j
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_10]
		and	[edi+4], esi
		add	ecx, 50h
		mov	byte ptr [ebp+var_4+3],	al
		jmp	loc_560C4B
; 

loc_560B2B:				; CODE XREF: MiCountSystemImageCommitment(x)+212j
		mov	eax, [ecx+24h]
		mov	edi, [ecx+1Ch]
		and	eax, 3FFFFFFFh
		sub	edi, eax
		mov	al, [ecx+10h]
		and	al, 3Eh
		cmp	al, 8
		jb	short loc_560B51

loc_560B41:				; CODE XREF: MiCountSystemImageCommitment(x)+121j
		mov	eax, [ebp+var_8]
		add	esi, edi
		lea	eax, [eax+edi*8]
		mov	[ebp+var_8], eax
		jmp	loc_560C46
; 

loc_560B51:				; CODE XREF: MiCountSystemImageCommitment(x)+103j
		mov	eax, [ecx]
		test	byte ptr [eax+1Ch], 20h
		jz	short loc_560B5F
		cmp	dword ptr [ecx+0Ch], 0
		jnz	short loc_560B41

loc_560B5F:				; CODE XREF: MiCountSystemImageCommitment(x)+11Bj
		test	edi, edi
		jz	loc_560C46
		mov	eax, [ebp+var_8]

loc_560B6A:				; CODE XREF: MiCountSystemImageCommitment(x)+201j
		mov	edx, [ebp+var_14]
		test	edx, edx
		jz	short loc_560B97
		mov	ecx, eax
		mov	eax, [edx+14h]
		sub	ecx, [ebp+var_18]
		sar	ecx, 3
		mov	edx, ecx
		and	cl, 7
		mov	eax, [eax+4]
		shr	edx, 3
		mov	al, [edx+eax]
		sar	al, cl
		test	al, 1
		jnz	loc_560C30
		mov	eax, [ebp+var_8]

loc_560B97:				; CODE XREF: MiCountSystemImageCommitment(x)+133j
		and	[ebp+var_28], 0
		and	[ebp+var_24], 0
		mov	ecx, [eax]
		nop
		mov	edx, [eax+4]
		mov	eax, ecx
		or	eax, edx
		jz	loc_560C31
		cmp	[ebp+var_1C], 0
		jnz	short loc_560C30
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_560C19
		nop
		shrd	ecx, edx, 0Ch
		mov	edx, [ebp+var_8]
		and	ecx, 1FFFFFFh
		shl	edx, 9
		imul	eax, ecx, 1Ch
		mov	ecx, [ebp+var_C]
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_24], eax
		call	MiLocateWsle
		mov	al, [eax]
		and	al, 0Fh
		cmp	al, 9
		jz	short loc_560C30
		mov	ecx, [ebp+var_24]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_560C30
		test	dword ptr [ecx+18h], 800000h
		jnz	short loc_560C0A
		mov	eax, [ecx+4]
		test	eax, eax
		js	short loc_560C0A
		jnz	short loc_560C30

loc_560C0A:				; CODE XREF: MiCountSystemImageCommitment(x)+1C3j
					; MiCountSystemImageCommitment(x)+1CAj
		mov	eax, [ecx+8]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_560C31
		jmp	short loc_560C30
; 

loc_560C19:				; CODE XREF: MiCountSystemImageCommitment(x)+181j
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jz	short loc_560C30
		push	edx
		push	ecx
		call	_MI_PROTO_FORMAT_COMBINED@8 ; MI_PROTO_FORMAT_COMBINED(x,x)
		test	al, al
		jz	short loc_560C31

loc_560C30:				; CODE XREF: MiCountSystemImageCommitment(x)+152j
					; MiCountSystemImageCommitment(x)+177j	...
		inc	esi

loc_560C31:				; CODE XREF: MiCountSystemImageCommitment(x)+16Dj
					; MiCountSystemImageCommitment(x)+1D9j	...
		mov	eax, [ebp+var_8]
		add	eax, 8
		mov	[ebp+var_8], eax
		sub	edi, 1
		jnz	loc_560B6A
		mov	ecx, [ebp+var_10]

loc_560C46:				; CODE XREF: MiCountSystemImageCommitment(x)+110j
					; MiCountSystemImageCommitment(x)+125j
		mov	ecx, [ecx+8]
		test	ecx, ecx

loc_560C4B:				; CODE XREF: MiCountSystemImageCommitment(x)+EAj
		mov	[ebp+var_10], ecx
		jnz	loc_560B2B
		mov	dl, byte ptr [ebp+var_4+3]
		mov	ecx, [ebp+var_C]
		call	MiUnlockWorkingSetExclusive
		mov	eax, esi
		jmp	short loc_560C69
; 

loc_560C63:				; CODE XREF: MiCountSystemImageCommitment(x)+25j
					; MiCountSystemImageCommitment(x)+34j ...
		mov	eax, [esi+20h]
		shr	eax, 0Ch

loc_560C69:				; CODE XREF: MiCountSystemImageCommitment(x)+225j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_MiCountSystemImageCommitment@4	endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFreePrivateFixupEntryForSystemImage proc near
					; CODE XREF: MiCountSystemImageCommitment(x)+B7p
					; MiUnloadSystemImage+416p ...

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E343F SIZE 00000039 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	offset unk_6CF554
		mov	[ebp+var_8], edx
		mov	ebx, ecx
		xor	edi, edi
		call	ExAcquireSpinLockExclusive
		mov	esi, dword_6CF540
		mov	[ebp+var_1], al
		mov	eax, offset dword_6CF540

loc_560C9C:				; CODE XREF: MiFreePrivateFixupEntryForSystemImage+37j
		cmp	esi, eax
		jz	short loc_560CC8
		mov	edi, esi
		cmp	ebx, [esi+8]
		jz	short loc_560CAB
		mov	esi, [esi]
		jmp	short loc_560C9C
; 

loc_560CAB:				; CODE XREF: MiFreePrivateFixupEntryForSystemImage+33j
		cmp	[ebp+var_8], 0
		jz	loc_5E343F
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_560D08
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_560D08
		mov	[ecx], eax
		mov	[eax+4], ecx

loc_560CC8:				; CODE XREF: MiFreePrivateFixupEntryForSystemImage+2Cj
		push	offset unk_6CF554
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_8], 0
		jnz	short loc_560CE8

loc_560CE1:				; CODE XREF: MiFreePrivateFixupEntryForSystemImage+94j
		xor	eax, eax

loc_560CE3:				; CODE XREF: MiFreePrivateFixupEntryForSystemImage+827E2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_560CE8:				; CODE XREF: MiFreePrivateFixupEntryForSystemImage+6Dj
		push	0
		cmp	esi, offset dword_6CF540
		jz	loc_5E3459
		push	dword ptr [edi+14h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_560CE1
; 

loc_560D08:				; CODE XREF: MiFreePrivateFixupEntryForSystemImage+48j
					; MiFreePrivateFixupEntryForSystemImage+4Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall PopBatteryWakeDpc(x, x, x, x)
_PopBatteryWakeDpc@16:			; DATA XREF: PopBatteryInit()+C8o
		mov	edi, edi
		push	esi
		xor	esi, esi
		xor	eax, eax
		inc	esi
		mov	byte_6C25E8, al
		cmp	_PopBatteryInitiateIgnoreStatusDuringBoot, al
		jz	short loc_560D2B
		push	11h
		mov	_PopBatteryInitiateIgnoreStatusDuringBoot, al
		pop	esi

loc_560D2B:				; CODE XREF: MiFreePrivateFixupEntryForSystemImage+AFj
		push	eax
		push	eax
		push	offset unk_6C25D8
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	eax, eax
		mov	ecx, offset unk_6C2588
		xchg	eax, [ecx]
		mov	ecx, esi
		call	_PopBatteryQueueWork@4 ; PopBatteryQueueWork(x)
		pop	esi
		retn	10h
MiFreePrivateFixupEntryForSystemImage endp ; sp	= -1Ch

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopRefreshEstimateAfterSpoilingDpc(x, x, x,	x)
_PopRefreshEstimateAfterSpoilingDpc@16 proc near ; DATA	XREF: PopBatteryInit()+FFo
		xor	ecx, ecx
		inc	ecx
		call	_PopBatteryQueueWork@4 ; PopBatteryQueueWork(x)
		retn	10h
_PopRefreshEstimateAfterSpoilingDpc@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopBatteryCheckTriggerArmed()
_PopBatteryCheckTriggerArmed@0 proc near ; CODE	XREF: PopBatteryApplyCompositeState+104p
					; PopBatteryCheckTriggerp
		cmp	dword_6C2564, 0
		ja	short loc_560D6D
		cmp	dword_6C2568, 0
		ja	short loc_560D6D
		xor	al, al
		retn
; 

loc_560D6D:				; CODE XREF: PopBatteryCheckTriggerArmed()+7j
					; PopBatteryCheckTriggerArmed()+10j
		mov	al, 1
		retn
_PopBatteryCheckTriggerArmed@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopBatteryTraceSystemBatteryStatus proc	near ; CODE XREF: PopBatteryApplyCompositeState+FFp
					; PopBatteryEtwCallback(x,x,x,x,x,x,x,x,x)+56p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E352C SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, offset _BATTERY_EVT_SYSTEM_BATTERY_STATUS_CHANGE
		test	cl, cl
		jnz	short loc_560DC2

loc_560D8C:				; CODE XREF: PopBatteryTraceSystemBatteryStatus+57j
		cmp	_PopBatteryEtwRegistered, 0
		jz	short loc_560DB5
		push	ebx
		mov	ebx, _PopBatteryEtwHandle
		push	edi
		mov	edi, dword_6C1CD4
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5E352C

loc_560DB3:				; CODE XREF: PopBatteryTraceSystemBatteryStatus+82825j
		pop	edi
		pop	ebx

loc_560DB5:				; CODE XREF: PopBatteryTraceSystemBatteryStatus+23j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_560DC2:				; CODE XREF: PopBatteryTraceSystemBatteryStatus+1Aj
		mov	esi, offset _BATTERY_EVT_SYSTEM_BATTERY_STATUS_RUNDOWN
		jmp	short loc_560D8C
PopBatteryTraceSystemBatteryStatus endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 268. DbgPrintEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl DbgPrintEx(int,int,char *,char)
		public _DbgPrintEx
_DbgPrintEx	proc near		; CODE XREF: LdrLoadAlternateResourceModuleEx+262p
					; CcInitializePartition+491p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+arg_C]
		push	1		; char
		push	eax		; va_list
		push	[ebp+arg_8]	; char *
		mov	ecx, offset ??_C@_00CNPNBAHC@@FNODOBFM@
		push	[ebp+arg_4]	; int
		call	vDbgPrintExWithPrefixInternal
		pop	ecx
		pop	ebp
		retn
_DbgPrintEx	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopUpdateAcDcState proc	near		; CODE XREF: PopBatteryApplyCompositeState+5Ap

var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h

; FUNCTION CHUNK AT 005E359A SIZE 00000058 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_20]
		push	8
		pop	ecx
		rep stosd
		cmp	dword_6C2D0C, esi
		jnz	loc_5E359A
		xor	bl, bl

loc_560E15:				; CODE XREF: PopUpdateAcDcState+827FDj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
PopUpdateAcDcState endp


;  S U B	R O U T	I N E 


; __stdcall PopBatteryQueueWork(x)
_PopBatteryQueueWork@4 proc near	; CODE XREF: MiFreePrivateFixupEntryForSystemImage+D0p
					; PopRefreshEstimateAfterSpoilingDpc(x,x,x,x)+3p ...
		mov	edi, edi
		push	esi
		mov	esi, offset _PopBatteryWorkRequests
		mov	eax, [esi]

loc_560E26:				; CODE XREF: PopBatteryQueueWork(x)+12j
		mov	edx, eax
		or	edx, ecx
		lock cmpxchg [esi], edx
		jnz	short loc_560E26
		pop	esi
		test	eax, eax
		jnz	short locret_560E41
		push	1
		push	offset _PopBatteryWorkItem
		call	ExQueueWorkItem

locret_560E41:				; CODE XREF: PopBatteryQueueWork(x)+17j
		retn
_PopBatteryQueueWork@4 endp

; 
		align 8
; Exported entry 2184. RtlInterlockedClearBitRun

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlInterlockedClearBitRun
RtlInterlockedClearBitRun proc near	; CODE XREF: MiLogPinDriverAddressesWorker+B0p
					; EtwpFreeUserBufferSpace(x,x,x)+4Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E35F2 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	ecx, ebx
		push	esi
		mov	eax, [eax+4]
		and	ebx, 1Fh
		mov	esi, [ebp+arg_8]
		shr	ecx, 5
		push	edi
		lea	edi, [eax+ecx*4]
		lea	eax, [ebx+esi]
		cmp	eax, 20h
		ja	loc_5E35F2
		cmp	esi, 20h
		jz	short loc_560E90
		xor	eax, eax
		mov	ecx, esi
		inc	eax
		shl	eax, cl
		mov	ecx, ebx
		dec	eax
		shl	eax, cl
		not	eax

loc_560E86:				; CODE XREF: RtlInterlockedClearBitRun+827F3j
		lock and [edi],	eax

loc_560E89:				; CODE XREF: RtlInterlockedClearBitRun+4Ej
					; RtlInterlockedClearBitRun+827E6j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_560E90:				; CODE XREF: RtlInterlockedClearBitRun+2Ej
		mov	dword ptr [edi], 0
		jmp	short loc_560E89
RtlInterlockedClearBitRun endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiQueuePinDriverAddressLog proc	near	; CODE XREF: MiGetPhysicalAddress+EBp
					; MmBuildMdlForNonPagedPool+108A46p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E3640 SIZE 00000089 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		cmp	_PoAllProcIntrDisabled,	0
		push	esi
		mov	esi, edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], esi
		jz	short loc_560EB7

loc_560EB2:				; CODE XREF: MiQueuePinDriverAddressLog+26j
					; MiQueuePinDriverAddressLog+2Fj ...
		pop	esi
		leave
		retn	8
; 

loc_560EB7:				; CODE XREF: MiQueuePinDriverAddressLog+18j
		mov	eax, _KiBugCheckActive
		test	al, 3
		jnz	short loc_560EB2
		cmp	_KdEnteredDebugger, 0
		jnz	short loc_560EB2
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		push	2
		pop	ecx
		mov	[ebp+var_1], al
		cmp	al, cl
		jnb	short loc_560EDF
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()

loc_560EDF:				; CODE XREF: MiQueuePinDriverAddressLog+3Fj
		push	ebx
		push	edi
		or	edi, 0FFFFFFFFh
		test	byte ptr word_6C68BA, 1
		jz	loc_5E369A
		xor	ecx, ecx

loc_560EF3:				; CODE XREF: MiQueuePinDriverAddressLog+EEj
		mov	edx, dword_6C6760
		lea	eax, [edi+1]
		mov	edi, dword_6C6764
		cmp	eax, edx
		mov	[ebp+var_18], eax
		sbb	esi, esi
		mov	[ebp+var_8], edx
		and	esi, eax
		mov	[ebp+var_C], edi
		lea	ebx, [edx-1]

loc_560F14:				; CODE XREF: MiQueuePinDriverAddressLog+827BFj
		mov	eax, ebx
		mov	[ebp+var_14], ecx
		sub	eax, esi
		inc	eax
		cmp	eax, 1
		jb	loc_5E3640
		mov	eax, ebx
		xor	edx, edx
		shr	eax, 5
		mov	ecx, esi
		and	ecx, 1Fh
		inc	edx
		shl	edx, cl
		dec	edx
		lea	eax, [edi+eax*4]
		mov	[ebp+var_10], eax
		mov	eax, esi
		shr	eax, 5
		lea	edi, [edi+eax*4]
		mov	eax, [edi]
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_56108C

loc_560F50:				; CODE XREF: MiQueuePinDriverAddressLog+205j
		sub	edi, [ebp+var_C]
		not	eax
		bsf	eax, eax
		sar	edi, 2
		shl	edi, 5
		add	edi, eax
		mov	[ebp+var_14], eax
		cmp	edi, ebx
		ja	loc_5610A2
		cmp	edi, 0FFFFFFFFh
		jz	loc_5610A5

loc_560F74:				; CODE XREF: MiQueuePinDriverAddressLog+827CDj
		push	1
		push	edi
		push	offset dword_6C6760
		call	RtlInterlockedSetClearRun
		push	0
		pop	ecx
		test	eax, eax
		jz	loc_560EF3

loc_560F8C:				; CODE XREF: MiQueuePinDriverAddressLog+827C7j
		mov	esi, [ebp+var_1C]
		mov	ebx, 800h
		cmp	edi, ebx
		jnb	loc_5E369A
		mov	eax, [ebp+var_20]
		xor	edx, edx
		inc	edx
		and	eax, 0FFFFF001h
		and	esi, edx
		add	esi, esi
		or	esi, eax
		mov	eax, ds:_MiFlags
		shr	eax, 4
		or	esi, edx
		and	eax, 3
		jz	short loc_560FCA
		cmp	eax, edx
		jnz	loc_561081
		or	esi, 100h

loc_560FCA:				; CODE XREF: MiQueuePinDriverAddressLog+122j
					; MiQueuePinDriverAddressLog+1EFj
		mov	cl, [ebp+var_1]
		push	2
		pop	eax
		cmp	cl, al
		jnb	loc_5E366A

loc_560FD8:				; CODE XREF: MiQueuePinDriverAddressLog+827D7j
					; MiQueuePinDriverAddressLog+827E2j
		cmp	_KdDebuggerEnabled, 0
		jnz	loc_5E367F

loc_560FE5:				; CODE XREF: MiQueuePinDriverAddressLog+827F6j
					; MiQueuePinDriverAddressLog+827FDj
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		and	eax, edx
		xor	edx, edx
		or	eax, edx
		jz	loc_5610B4
		mov	eax, ebx
		and	eax, 800h
		or	eax, edx
		jz	short loc_561004
		or	esi, 8

loc_561004:				; CODE XREF: MiQueuePinDriverAddressLog+167j
		mov	eax, [ebp+arg_4]
		and	eax, 80000000h
		or	edx, eax
		jnz	short loc_561013
		or	esi, 10h

loc_561013:				; CODE XREF: MiQueuePinDriverAddressLog+176j
		nop
		mov	eax, [ebp+arg_4]
		shrd	ebx, eax, 0Ch
		and	ebx, 1FFFFFFh
		test	ds:_MiFlags, 8000000h
		jz	short loc_561062
		cmp	ebx, dword_6D07B0
		ja	short loc_561062
		mov	eax, dword_6D35B8
		mov	edx, ebx
		shr	edx, 5
		mov	ecx, ebx
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		xor	edx, edx
		shr	eax, cl
		inc	edx
		and	eax, edx
		jz	short loc_5610B9
		mov	eax, ds:_MmPfnDatabase
		imul	ecx, ebx, 1Ch
		cmp	[ecx+eax+14h], dx
		mov	cl, [ebp+var_1]
		ja	short loc_5610AF

loc_561062:				; CODE XREF: MiQueuePinDriverAddressLog+193j
					; MiQueuePinDriverAddressLog+19Bj ...
		push	2
		mov	_MiPinDriverAddressLog[edi*4], esi
		pop	ebx

loc_56106C:				; CODE XREF: MiQueuePinDriverAddressLog+8282Cj
		pop	edi
		cmp	cl, bl
		pop	ebx
		jnb	loc_560EB2
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_560EB2
; 

loc_561081:				; CODE XREF: MiQueuePinDriverAddressLog+126j
		or	esi, 200h
		jmp	loc_560FCA
; 

loc_56108C:				; CODE XREF: MiQueuePinDriverAddressLog+B2j
		mov	ecx, [ebp+var_10]

loc_56108F:				; CODE XREF: MiQueuePinDriverAddressLog+203j
		add	edi, 4
		cmp	edi, ecx
		ja	short loc_5610A2
		mov	eax, [edi]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_56108F
		jmp	loc_560F50
; 

loc_5610A2:				; CODE XREF: MiQueuePinDriverAddressLog+CDj
					; MiQueuePinDriverAddressLog+1FCj
		or	edi, 0FFFFFFFFh

loc_5610A5:				; CODE XREF: MiQueuePinDriverAddressLog+D6j
		mov	edx, [ebp+var_8]
		xor	ecx, ecx
		jmp	loc_5E3643
; 

loc_5610AF:				; CODE XREF: MiQueuePinDriverAddressLog+1C8j
		or	esi, 20h
		jmp	short loc_561062
; 

loc_5610B4:				; CODE XREF: MiQueuePinDriverAddressLog+158j
		or	esi, 4
		jmp	short loc_561062
; 

loc_5610B9:				; CODE XREF: MiQueuePinDriverAddressLog+1B6j
		mov	cl, [ebp+var_1]
		jmp	short loc_561062
MiQueuePinDriverAddressLog endp


;  S U B	R O U T	I N E 


KeIsBugCheckActive proc	near		; CODE XREF: RtlQueryFeatureConfiguration(x,x,x,x)+2Ap
					; KiSendThawExecution(x)+33p ...

; FUNCTION CHUNK AT 005E36C9 SIZE 0000000C BYTES

		mov	eax, _KiBugCheckActive
		test	al, 3
		jnz	loc_5E36C9
		xor	al, al
		retn
KeIsBugCheckActive endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2361. RtlTimeToTimeFields

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTimeToTimeFields(x, x)
		public _RtlTimeToTimeFields@8
_RtlTimeToTimeFields@8 proc near	; CODE XREF: ExpSetSystemTime+98ABp
					; ExpRefreshTimeZoneInformation(x)+21Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	RtlpTimeToTimeFields
		pop	ebp
		retn	8
_RtlTimeToTimeFields@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpTimeToTimeFields proc near		; CODE XREF: RtlTimeToTimeFields(x,x)+Cp
					; WheapGetTimestamp(x)+2Dp ...

var_30		= dword	ptr -30h
var_26		= word ptr -26h
var_24		= word ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 005E36D5 SIZE 000000F7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_20], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		stosd
		mov	eax, _ExLeapSecondData
		test	eax, eax
		jz	loc_5E37C2
		cmp	byte ptr [eax],	0
		jz	loc_5E37C2
		mov	ebx, [eax+4]
		lea	edx, [ebp+var_10]
		and	[ebp+var_10], 0
		xor	esi, esi
		mov	[ebp+var_18], ebx
		lock or	[edx], esi
		mov	esi, [ecx]
		xor	edx, edx
		mov	edi, [ecx+4]
		xor	ecx, ecx
		and	[ebp+var_8], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_10], ecx
		test	ebx, ebx
		jnz	loc_5E36D5

loc_561143:				; CODE XREF: RtlpTimeToTimeFields+82687j
		mov	eax, edx
		mov	ebx, ecx
		mov	edx, (offset loc_98967E+2)
		imul	edx
		sub	esi, eax
		mov	[ebp+var_1C], esi
		sbb	edi, edx
		mov	[ebp+var_18], edi
		and	ebx, 2
		jnz	loc_5E3776

loc_561161:				; CODE XREF: RtlpTimeToTimeFields+8269Cj
		lea	edx, [ebp+var_30]
		lea	ecx, [ebp+var_1C]
		call	_RtlpTimeToTimeFieldsNoLeapSeconds@8 ; RtlpTimeToTimeFieldsNoLeapSeconds(x,x)
		mov	eax, [ebp+var_10]
		test	al, 1
		jnz	loc_5E37B1
		test	al, 4
		jnz	loc_5E378B
		mov	ax, [ebp+var_24]

loc_561183:				; CODE XREF: RtlpTimeToTimeFields+826AEj
		test	ebx, ebx
		jnz	loc_5E379D

loc_56118B:				; CODE XREF: RtlpTimeToTimeFields+826C2j
					; RtlpTimeToTimeFields+826C9j ...
		mov	edi, [ebp+var_20]
		lea	esi, [ebp+var_30]
		movsd
		movsd
		movsd
		movsd

loc_561195:				; CODE XREF: RtlpTimeToTimeFields+826DDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
RtlpTimeToTimeFields endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpTimeToTimeFieldsNoLeapSeconds(x, x)
_RtlpTimeToTimeFieldsNoLeapSeconds@8 proc near ; CODE XREF: RtlpTimeToTimeFields+7Dp
					; RtlpTimeToTimeFields:loc_5E37C2p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		lea	edx, [ebp+var_4]
		push	eax
		mov	[ebp+var_10], ebx
		call	TimeToDaysAndFraction
		mov	edi, [ebp+var_4]
		xor	edx, edx
		push	7
		pop	ecx
		lea	eax, [edi+1]
		div	ecx
		mov	ecx, edi
		mov	[ebx+0Eh], dx
		call	_ElapsedDaysToYears@4 ;	ElapsedDaysToYears(x)
		mov	ebx, eax
		xor	edx, edx
		mov	ecx, 190h
		imul	esi, ebx, 0FFFFFE93h
		div	ecx
		mov	ecx, ebx
		mov	[ebp+var_4], ebx
		sub	esi, eax
		shr	ecx, 2
		sub	esi, ecx
		xor	edx, edx
		mov	eax, ebx
		push	64h
		pop	ecx
		div	ecx
		mov	ecx, [ebp+var_4]
		lea	ebx, [edi+esi]
		add	ebx, eax
		inc	ecx
		xor	edx, edx
		mov	eax, ecx
		mov	esi, 190h
		div	esi
		test	edx, edx
		jz	short loc_561295
		push	64h
		xor	edx, edx
		mov	eax, ecx
		pop	esi
		div	esi
		test	edx, edx
		jz	short loc_561228
		test	cl, 3
		jz	short loc_561295

loc_561228:				; CODE XREF: RtlpTimeToTimeFieldsNoLeapSeconds(x,x)+85j
		movzx	eax, ds:_NormalYearDayToMonth[ebx]
		mov	[ebp+var_C], eax
		movsx	eax, ds:_NormalYearDaysPrecedingMonth[eax*2]

loc_56123A:				; CODE XREF: RtlpTimeToTimeFieldsNoLeapSeconds(x,x)+10Bj
		sub	ebx, eax
		xor	edx, edx
		mov	eax, [ebp+var_8]
		mov	ecx, 3E8h
		div	ecx
		push	3Ch
		mov	edi, edx
		mov	esi, eax
		xor	edx, edx
		pop	ecx
		div	ecx
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_4]
		add	ecx, 641h
		push	3Ch
		mov	[edx], cx
		mov	ecx, [ebp+var_C]
		inc	ecx
		mov	[edx+2], cx
		lea	ecx, [ebx+1]
		mov	ebx, edx
		xor	edx, edx
		mov	[ebx+4], cx
		pop	ecx
		div	ecx
		mov	[ebx+0Ch], di
		mov	[ebx+6], ax
		mov	eax, esi
		mov	[ebx+8], dx
		xor	edx, edx
		div	ecx
		pop	edi
		pop	esi
		mov	[ebx+0Ah], dx
		pop	ebx
		leave
		retn
; 

loc_561295:				; CODE XREF: RtlpTimeToTimeFieldsNoLeapSeconds(x,x)+78j
					; RtlpTimeToTimeFieldsNoLeapSeconds(x,x)+8Aj
		movzx	eax, ds:_LeapYearDayToMonth[ebx]
		mov	[ebp+var_C], eax
		movsx	eax, ds:_LeapYearDaysPrecedingMonth[eax*2]
		jmp	short loc_56123A
_RtlpTimeToTimeFieldsNoLeapSeconds@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ElapsedDaysToYears(x)
_ElapsedDaysToYears@4 proc near		; CODE XREF: RtlpTimeToTimeFieldsNoLeapSeconds(x,x)+37p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		xor	edx, edx
		mov	eax, ebx
		mov	ecx, 23AB1h
		div	ecx
		mov	ecx, 37BB49h
		imul	edx, eax, 0FFFDC54Fh
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		add	ebx, edx
		xor	edx, edx
		imul	eax, ebx, 64h
		add	eax, 4Bh
		div	ecx
		xor	edx, edx
		mov	edi, eax
		imul	ecx, edi, 0FFFF7154h
		add	ebx, ecx
		mov	ecx, 5B5h
		mov	eax, ebx
		div	ecx
		xor	edx, edx
		mov	esi, eax
		imul	ecx, esi, 5B5h
		sub	ebx, ecx
		mov	ecx, 8EADh
		imul	eax, ebx, 64h
		add	eax, 4Bh
		div	ecx
		mov	ecx, [ebp+var_4]
		lea	ecx, [edi+ecx*4]
		imul	ecx, 19h
		pop	edi
		add	ecx, esi
		pop	esi
		pop	ebx
		lea	eax, [eax+ecx*4]
		leave
		retn
_ElapsedDaysToYears@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

TimeToDaysAndFraction proc near		; CODE XREF: RtlpTimeToTimeFieldsNoLeapSeconds(x,x)+1Fp
					; RtlTimeToElapsedTimeFields(x,x)+1Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	0Dh
		push	ds:dword_411084
		mov	edi, edx
		push	ds:_Magic10000
		push	dword ptr [ecx+4]
		push	dword ptr [ecx]
		call	_RtlExtendedMagicDivide@20 ; RtlExtendedMagicDivide(x,x,x,x,x)
		push	1Ah
		push	ds:dword_41107C
		mov	esi, eax
		push	ds:_Magic86400000
		push	edx
		push	esi
		call	_RtlExtendedMagicDivide@20 ; RtlExtendedMagicDivide(x,x,x,x,x)
		mov	[edi], eax
		imul	eax, 5265C00h
		pop	edi
		sub	esi, eax
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		pop	esi
		pop	ebp
		retn	4
TimeToDaysAndFraction endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1115. KeConnectInterruptForHal

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeConnectInterruptForHal(x)
		public _KeConnectInterruptForHal@4
_KeConnectInterruptForHal@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		call	KiConnectInterruptInternal
		pop	ebp
		retn	4
_KeConnectInterruptForHal@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiConnectInterruptInternal proc	near	; CODE XREF: KeConnectInterrupt+3Cp
					; KeConnectInterruptForHal(x)+Ap

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_13		= byte ptr -13h
var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E37CC SIZE 00000095 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_13], dl
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_28]
		mov	[ebp+var_12], 1Fh
		stosd
		mov	esi, ecx
		stosd
		mov	ecx, [esi+34h]
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, [esi+2Ch]
		mov	bl, al
		mov	[ebp+var_18], eax
		mov	ah, [esi+30h]
		mov	[ebp+var_11], bl
		cmp	ah, 1Fh
		ja	loc_561479
		cmp	ecx, ds:_KeNumberProcessors
		jnb	loc_561471

loc_5613D9:				; CODE XREF: KiConnectInterruptInternal+F1j
		mov	al, [esi+31h]
		cmp	al, ah
		jb	loc_5E37CC

loc_5613E4:				; CODE XREF: KiConnectInterruptInternal+82452j
		cmp	[esi+32h], bl
		jnz	loc_561479
		test	dl, dl
		jnz	short loc_5613FD
		lea	eax, [ebp+var_10]
		push	eax
		lea	edx, [ebp+var_12]
		call	_KiAcquireInterruptConnectLock@12 ; KiAcquireInterruptConnectLock(x,x,x)

loc_5613FD:				; CODE XREF: KiConnectInterruptInternal+6Dj
		cmp	[esi+33h], bl
		jnz	short loc_561437
		lea	edx, [ebp+var_28]
		mov	ecx, edi
		call	KiGetVectorInfo
		mov	ebx, [ebp+var_28]
		test	ebx, ebx
		jnz	short loc_561480
		mov	bl, 1
		lea	eax, [esi+4]
		mov	[esi+33h], bl
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	byte ptr [esi+31h], 0
		jz	loc_5E37D9
		mov	eax, large fs:20h
		mov	[eax+edi*4+41E0h], esi

loc_561437:				; CODE XREF: KiConnectInterruptInternal+7Ej
					; KiConnectInterruptInternal+10Aj ...
		cmp	[ebp+var_13], 0
		jnz	short loc_56144F
		mov	cl, [ebp+var_12]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread

loc_56144F:				; CODE XREF: KiConnectInterruptInternal+B9j
		test	bl, bl
		jz	short loc_561479
		mov	eax, [ebp+var_18]
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 127h

loc_561462:				; CODE XREF: KiConnectInterruptInternal+FCj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_561471:				; CODE XREF: KiConnectInterruptInternal+51j
		test	dl, dl
		jnz	loc_5613D9

loc_561479:				; CODE XREF: KiConnectInterruptInternal+45j
					; KiConnectInterruptInternal+65j ...
		mov	eax, 0C00000EFh
		jmp	short loc_561462
; 

loc_561480:				; CODE XREF: KiConnectInterruptInternal+8Fj
		cmp	ebx, 3
		jnz	loc_5E37E8

loc_561489:				; CODE XREF: KiConnectInterruptInternal+8246Aj
					; KiConnectInterruptInternal+82477j ...
		mov	bl, [ebp+var_11]
		jmp	short loc_561437
KiConnectInterruptInternal endp


;  S U B	R O U T	I N E 


KiGetVectorInfo	proc near		; CODE XREF: KiDisconnectInterruptInternal+31p
					; KiConnectVectorAndInterruptObject+21p ...

; FUNCTION CHUNK AT 005E3861 SIZE 0000000C BYTES

		cmp	ds:_KiKvaShadow, 0
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jz	loc_5E3861
		mov	ebx, _IDTShadow[edi*8]

loc_5614A9:				; CODE XREF: KiGetVectorInfo+823DAj
		mov	eax, large fs:1Ch
		mov	ecx, large fs:1Ch
		mov	dword ptr [esi+8], offset _KiInterruptDispatch@0 ; KiInterruptDispatch()
		mov	dword ptr [esi+0Ch], offset _KiChainedDispatch@0 ; KiChainedDispatch()
		mov	eax, [eax+38h]
		movzx	edx, word ptr [eax+edi*8+6]
		mov	eax, [ecx+38h]
		shl	edx, 10h
		movzx	eax, word ptr [eax+edi*8]
		or	edx, eax
		mov	eax, large fs:20h
		mov	eax, [eax+edi*4+41E0h]
		mov	[esi+4], eax
		cmp	edx, ebx
		jnz	short loc_56150F
		test	eax, eax
		jnz	short loc_5614F6
		and	[esi], eax

loc_5614F2:				; CODE XREF: KiGetVectorInfo+7Fj
					; KiGetVectorInfo+87j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_5614F6:				; CODE XREF: KiGetVectorInfo+60j
		mov	eax, [eax+28h]
		cmp	eax, offset _KiChainedDispatch@0 ; KiChainedDispatch()
		jz	short loc_561517
		cmp	eax, offset _KiInterruptDispatch@0 ; KiInterruptDispatch()
		jnz	short loc_56150F
		mov	dword ptr [esi], 1
		jmp	short loc_5614F2
; 

loc_56150F:				; CODE XREF: KiGetVectorInfo+5Cj
					; KiGetVectorInfo+77j
		mov	dword ptr [esi], 3
		jmp	short loc_5614F2
; 

loc_561517:				; CODE XREF: KiGetVectorInfo+70j
		mov	dword ptr [esi], 2
		jmp	short loc_5614F2
KiGetVectorInfo	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAcquireInterruptConnectLock(x, x,	x)
_KiAcquireInterruptConnectLock@12 proc near ; CODE XREF: KiDisconnectInterruptCommon+8Cp
					; KiConnectInterruptInternal+76p ...

var_C		= dword	ptr -0Ch
var_8		= word ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	ecx, ds:_KiProcessorBlock[ecx*4]
		xor	eax, eax
		push	esi
		push	edi
		push	[ebp+arg_0]
		lea	edi, [ebp+var_C]
		mov	esi, edx
		stosd
		stosd
		stosd
		movzx	eax, byte ptr [ecx+3C5h]
		mov	[ebp+var_8], ax
		mov	eax, [ecx+3C8h]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_C]
		push	eax
		call	KeSetSystemGroupAffinityThread
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		pop	edi
		mov	[esi], al
		pop	esi
		leave
		retn	4
_KiAcquireInterruptConnectLock@12 endp

; 
		align 10h
; Exported entry 1725. PoSetPowerState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoSetPowerState
PoSetPowerState	proc near		; CODE XREF: IopPowerDispatch+5Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E386D SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+0B0h]
		xor	esi, esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopIrpSerialLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+arg_4]
		sub	eax, esi
		jz	short loc_5615EC
		sub	eax, 1
		jnz	short loc_5615C4
		mov	ecx, [edi+8]
		mov	esi, ecx
		mov	eax, [ebp+arg_8]
		shr	esi, 4
		and	esi, 0Fh
		cmp	esi, eax
		jz	short loc_5615C4
		and	eax, 0Fh
		and	ecx, 0FFFFFF0Fh
		shl	eax, 4
		or	eax, ecx

loc_5615C1:				; CODE XREF: PoSetPowerState+93j
		mov	[edi+8], eax

loc_5615C4:				; CODE XREF: PoSetPowerState+2Fj
					; PoSetPowerState+41j ...
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopIrpSerialLock
		jnz	loc_5E386D
		xor	eax, eax
		lock and [ecx],	eax

loc_5615DB:				; CODE XREF: PoSetPowerState+82305j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_5615EC:				; CODE XREF: PoSetPowerState+2Aj
		mov	edx, [edi+8]
		mov	esi, edx
		mov	eax, [ebp+arg_8]
		and	esi, 0Fh
		cmp	esi, eax
		jz	short loc_5615C4
		and	edx, 0FFFFFFF0h
		and	eax, 0Fh
		or	eax, edx
		jmp	short loc_5615C1
PoSetPowerState	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KeFlushCurrentTbImmediately()
_KeFlushCurrentTbImmediately@0 proc near ; CODE	XREF: PopHandleNextState(x,x):loc_71C118p
					; KeLoadMTRR+13Ep ...
		jmp	_KeFlushCurrentTb@0 ; KeFlushCurrentTb()
_KeFlushCurrentTbImmediately@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfUpdateQosDisableReasons proc near ; CODE	XREF: PpmCheckResumePpmEngineFromSx()+4Ep
					; PpmCheckPausePpmEngineForSx()+11p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E387A SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		call	KeQueryInterruptTime
		mov	edi, edx
		mov	esi, eax
		xor	edx, edx
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], edi
		cmp	ds:byte_70EDF0,	dl
		jnz	short loc_561670
		sub	esi, ds:_PpmPerfQosDisableAccounting
		sbb	edi, ds:dword_70ED3C
		add	ds:dword_70ED40, esi
		adc	ds:dword_70ED44, edi
		cmp	ds:_PpmPerfQosEnabled, dl
		jnz	loc_5E387A

loc_561655:				; CODE XREF: PpmPerfUpdateQosDisableReasons+8227Aj
		mov	ecx, edx

loc_561657:				; CODE XREF: PpmPerfUpdateQosDisableReasons+5Cj
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	ds:_PpmPerfQosDisableReasons, eax
		jnz	short loc_5616A6

loc_561664:				; CODE XREF: PpmPerfUpdateQosDisableReasons+A8j
		inc	ecx
		cmp	ecx, 9
		jb	short loc_561657
		mov	esi, [ebp+var_4]
		mov	edi, [ebp+var_8]

loc_561670:				; CODE XREF: PpmPerfUpdateQosDisableReasons+23j
		test	ebx, ebx
		jz	short loc_561693
		mov	eax, ds:_PpmPerfQosDisableAccounting
		or	eax, ds:dword_70ED3C
		mov	ecx, [ebx]
		jz	short loc_56168B
		cmp	ds:_PpmPerfQosDisableReasons, ecx
		jz	short loc_56168D

loc_56168B:				; CODE XREF: PpmPerfUpdateQosDisableReasons+75j
		mov	dl, 1

loc_56168D:				; CODE XREF: PpmPerfUpdateQosDisableReasons+7Dj
		mov	ds:_PpmPerfQosDisableReasons, ecx

loc_561693:				; CODE XREF: PpmPerfUpdateQosDisableReasons+66j
		mov	ds:dword_70ED3C, edi
		mov	al, dl
		pop	edi
		mov	ds:_PpmPerfQosDisableAccounting, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5616A6:				; CODE XREF: PpmPerfUpdateQosDisableReasons+56j
		add	ds:dword_70ED60[ecx*8],	esi
		adc	ds:dword_70ED64[ecx*8],	edi
		jmp	short loc_561664
PpmPerfUpdateQosDisableReasons endp


;  S U B	R O U T	I N E 


; __stdcall PpmCheckCustomRun(x)
_PpmCheckCustomRun@4 proc near		; CODE XREF: PoLatencySensitivityHint+105p
					; PopIntSteerSetMode(x,x,x,x)+33p ...
		and	_PpmPerfPolicyLock, 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, esi
		mov	bl, al
		call	PpmCheckStart
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, large fs:124h
		pop	esi
		pop	ebx
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
_PpmCheckCustomRun@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpmPerfSetAllDomainsToUpdate()
_PpmPerfSetAllDomainsToUpdate@0	proc near ; CODE XREF: PpmPerfReApplyStates()+Dp
					; PpmPerfUpdateDomainPolicy:loc_86B028p
		mov	eax, ds:_PpmPerfDomainHead
		mov	ecx, offset _PpmPerfDomainHead

loc_5616F2:				; CODE XREF: PpmPerfSetAllDomainsToUpdate()+18j
		cmp	eax, ecx
		jnz	short loc_5616F7
		retn
; 

loc_5616F7:				; CODE XREF: PpmPerfSetAllDomainsToUpdate()+Cj
		mov	byte ptr [eax+215h], 1
		mov	eax, [eax]
		jmp	short loc_5616F2
_PpmPerfSetAllDomainsToUpdate@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfCalculateQosClassPolicies proc near ; CODE XREF:	PpmPerfUpdateDomainPolicy+38p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_23		= byte ptr -23h
var_22		= byte ptr -22h
var_21		= byte ptr -21h
Source2		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_B		= byte ptr -0Bh
var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= byte ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E388B SIZE 00000291 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, _PpmCurrentProfile
		mov	edx, ecx
		push	ebx
		push	esi
		push	edi
		mov	ecx, [edx+8]
		mov	[ebp+var_30], edx
		call	PpmGetPerfPolicyClass
		movzx	edi, al
		xor	esi, esi
		and	[ebp+var_38], esi
		xor	al, al
		mov	[ebp+var_21], al
		xor	ebx, ebx
		mov	[ebp+var_23], al
		mov	eax, dword_6C2D0C
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], esi
		mov	[ebp+var_48], eax
		mov	[ebp+var_28], ebx

loc_56174C:				; CODE XREF: PpmPerfCalculateQosClassPolicies+18Bj
		push	7
		xor	eax, eax
		lea	edi, [ebp+Source2]
		pop	ecx
		rep stosd
		mov	eax, ebx
		sub	eax, 0
		jz	loc_56193A
		sub	eax, 1
		jz	short loc_561789
		sub	eax, 1
		jz	loc_56192F
		sub	eax, 1
		jnz	loc_561919
		mov	ecx, _PpmMultimediaQosProfile
		lea	esi, [edx+90h]
		mov	[ebp+var_34], esi
		jmp	short loc_56178F
; 

loc_561789:				; CODE XREF: PpmPerfCalculateQosClassPolicies+62j
		mov	ecx, _PpmEntryLevelPerfProfile

loc_56178F:				; CODE XREF: PpmPerfCalculateQosClassPolicies+85j
					; PpmPerfCalculateQosClassPolicies+233j
		test	ecx, ecx
		jnz	loc_5E389D

loc_561797:				; CODE XREF: PpmPerfCalculateQosClassPolicies+222j
		xor	ebx, ebx

loc_561799:				; CODE XREF: PpmPerfCalculateQosClassPolicies+24Dj
					; PpmPerfCalculateQosClassPolicies+82196j
		test	ebx, ebx
		jnz	loc_561954
		and	[ebp+var_4C], ebx
		and	[ebp+var_50], ebx
		and	[ebp+var_44], ebx
		xor	edx, edx

loc_5617AC:				; CODE XREF: PpmPerfCalculateQosClassPolicies+26Aj
		xor	eax, eax
		mov	[ebp+var_40], edx
		mov	[ebp+var_2C], eax
		test	esi, esi
		jz	loc_561971
		lea	edi, [ebp+Source2]
		push	7
		pop	ecx
		rep movsd
		cmp	ds:_PopHeteroSystem, eax
		jnz	loc_5E38AC
		push	40h
		pop	esi
		mov	[ebp+var_2C], esi

loc_5617D6:				; CODE XREF: PpmPerfCalculateQosClassPolicies+821ACj
		cmp	ds:_PpmPerfQosGroupPolicyDisable, eax
		jnz	loc_5E38B3

loc_5617E2:				; CODE XREF: PpmPerfCalculateQosClassPolicies+821BAj
		cmp	ds:_PpmPerfSchedulerDirectedPerfStatesSupported, al
		jnz	short loc_5617F3
		or	esi, 80h
		mov	[ebp+var_2C], esi

loc_5617F3:				; CODE XREF: PpmPerfCalculateQosClassPolicies+E6j
		test	ebx, ebx
		jnz	loc_5E38C1
		or	esi, 2

loc_5617FE:				; CODE XREF: PpmPerfCalculateQosClassPolicies+821F3j
		mov	[ebp+var_2C], esi

loc_561801:				; CODE XREF: PpmPerfCalculateQosClassPolicies+821D2j
					; PpmPerfCalculateQosClassPolicies+821EAj
		mov	eax, _PpmCurrentProfile
		push	10h		; size_t
		add	eax, 8
		push	offset _GUID_POWER_POLICY_PROFILE_LOW_LATENCY ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_5E38FA

loc_561821:				; CODE XREF: PpmPerfCalculateQosClassPolicies+821FEj
		cmp	_PpmPerfMaxOverrideEnabled, 0
		jz	short loc_561830
		or	esi, 10h
		mov	[ebp+var_2C], esi

loc_561830:				; CODE XREF: PpmPerfCalculateQosClassPolicies+126j
		cmp	ds:_PpmPerfQosDisableRefcount, 0
		ja	loc_5E3905

loc_56183D:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82209j
		test	esi, esi
		jz	loc_5E3910
		mov	ebx, [ebp+var_28]
		mov	edi, [ebp+var_30]
		imul	eax, ebx, 1Ch
		add	edi, 90h
		push	1Ch		; Length
		add	edi, eax
		lea	eax, [ebp+Source2]
		push	eax		; Source2
		push	edi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 1Ch
		jnz	short loc_56186B
		mov	[ebp+var_21], 1

loc_56186B:				; CODE XREF: PpmPerfCalculateQosClassPolicies+163j
		mov	edx, [ebp+var_30]
		lea	esi, [ebp+Source2]
		mov	eax, [ebp+var_2C]
		push	7
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_34]
		mov	[edx+ebx*4+11Ch], eax

loc_561883:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82415j
		mov	eax, [ebp+var_38]

loc_561886:				; CODE XREF: PpmPerfCalculateQosClassPolicies+3E9j
		inc	ebx
		mov	[ebp+var_28], ebx
		cmp	ebx, 5
		jb	loc_56174C
		cmp	eax, 1
		lea	edi, [edx+130h]
		setnbe	al
		xor	ebx, ebx
		mov	[edx+13Ah], al
		mov	al, [ebp+var_23]
		mov	[edx+80h], al
		lea	eax, [edx+90h]
		mov	ecx, eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_38], ecx

loc_5618BE:				; CODE XREF: PpmPerfCalculateQosClassPolicies+203j
		xor	edx, edx
		mov	[ebp+var_40], eax
		mov	[edi], dx
		xor	esi, esi

loc_5618C8:				; CODE XREF: PpmPerfCalculateQosClassPolicies+1F1j
		cmp	ebx, esi
		jz	short loc_5618DA
		push	1Ch		; Length
		push	eax		; Source2
		push	ecx		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 1Ch
		jnz	short loc_5618E3

loc_5618DA:				; CODE XREF: PpmPerfCalculateQosClassPolicies+1C8j
		movzx	eax, word ptr [edi]
		bts	eax, esi
		mov	[edi], ax

loc_5618E3:				; CODE XREF: PpmPerfCalculateQosClassPolicies+1D6j
		mov	eax, [ebp+var_40]
		inc	esi
		mov	ecx, [ebp+var_38]
		add	eax, 1Ch
		mov	[ebp+var_40], eax
		cmp	esi, 5
		jb	short loc_5618C8
		mov	eax, [ebp+var_48]
		inc	ebx
		add	ecx, 1Ch
		add	edi, 2
		mov	[ebp+var_38], ecx
		cmp	ebx, 5
		jb	short loc_5618BE
		mov	ecx, [ebp+var_4]
		mov	al, [ebp+var_21]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_561919:				; CODE XREF: PpmPerfCalculateQosClassPolicies+70j
		sub	eax, 1
		jnz	short loc_56193A
		cmp	_PpmMultimediaQosProfile, eax
		jz	loc_561797
		jmp	loc_5E388B
; 

loc_56192F:				; CODE XREF: PpmPerfCalculateQosClassPolicies+67j
		mov	ecx, _PpmBackgroundProfile
		jmp	loc_56178F
; 

loc_56193A:				; CODE XREF: PpmPerfCalculateQosClassPolicies+59j
					; PpmPerfCalculateQosClassPolicies+21Aj
		mov	ebx, _PpmCurrentProfile
		imul	eax, dword_6C2D0C, 0F0h
		add	ebx, 20h

loc_56194D:				; CODE XREF: PpmPerfCalculateQosClassPolicies+821A5j
		add	ebx, eax
		jmp	loc_561799
; 

loc_561954:				; CODE XREF: PpmPerfCalculateQosClassPolicies+99j
		mov	eax, [ebx+4]
		mov	edi, [ebx]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_4C], edi
		mov	ecx, [ebx+eax*8]
		mov	edx, [ebx+eax*8+4]
		mov	[ebp+var_44], ecx
		jmp	loc_5617AC
; 

loc_561971:				; CODE XREF: PpmPerfCalculateQosClassPolicies+B4j
					; PpmPerfCalculateQosClassPolicies+82211j
		mov	eax, [ebp+var_28]
		cmp	eax, 3
		jz	loc_5E3918
		mov	ecx, [ebp+var_40]

loc_561980:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82233j
		sub	eax, 3
		neg	eax
		sbb	eax, eax
		and	eax, esi
		cmp	ds:_PpmPerfEppViaPerfControl, 0
		mov	esi, [ebp+var_3C]
		mov	edx, eax
		mov	[ebp+var_34], edx
		jnz	loc_5E393A

loc_56199E:				; CODE XREF: PpmPerfCalculateQosClassPolicies+8223Fj
					; PpmPerfCalculateQosClassPolicies+8224Cj ...
		mov	ecx, [ebp+var_44]
		test	edx, edx
		jnz	loc_5E3960

loc_5619A9:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82275j
		movzx	eax, byte ptr [ebx+esi+1Ah]
		mov	[ebp+var_18], eax

loc_5619B1:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82261j
					; PpmPerfCalculateQosClassPolicies+8226Fj
		test	edx, edx
		jnz	loc_5E397C

loc_5619B9:				; CODE XREF: PpmPerfCalculateQosClassPolicies+8228Fj
		movzx	eax, byte ptr [ebx+esi+1Ch]
		mov	[ebp+Source2], eax

loc_5619C1:				; CODE XREF: PpmPerfCalculateQosClassPolicies+8227Cj
					; PpmPerfCalculateQosClassPolicies+82289j
		mov	eax, [ebx+esi*4+2Ch]
		mov	esi, [ebp+var_30]
		mov	edi, [esi+58h]
		test	eax, eax
		jnz	loc_5E3996

loc_5619D3:				; CODE XREF: PpmPerfCalculateQosClassPolicies+822B1j
		mov	ecx, edi

loc_5619D5:				; CODE XREF: PpmPerfCalculateQosClassPolicies+822ABj
		test	edx, edx
		jnz	loc_5E39B8

loc_5619DD:				; CODE XREF: PpmPerfCalculateQosClassPolicies+822C2j
		mov	[ebp+var_1C], ecx

loc_5619E0:				; CODE XREF: PpmPerfCalculateQosClassPolicies+822CBj
		cmp	ds:_PpmPerfAutonomousActivityWindowViaPerfControl, 0
		jnz	loc_5E39D2

loc_5619ED:				; CODE XREF: PpmPerfCalculateQosClassPolicies+822D8j
					; PpmPerfCalculateQosClassPolicies+822E4j
		mov	esi, [ebp+var_4C]
		test	edx, edx
		jnz	loc_5E39EB

loc_5619F8:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82309j
		mov	al, [ebx+38h]
		mov	[ebp+var_A], al

loc_5619FE:				; CODE XREF: PpmPerfCalculateQosClassPolicies+822EFj
					; PpmPerfCalculateQosClassPolicies+822F9j ...
		test	edx, edx
		jnz	loc_5E3A10
		mov	edi, [ebp+var_3C]

loc_561A09:				; CODE XREF: PpmPerfCalculateQosClassPolicies+8232Bj
		mov	al, [ebx+edi+4Dh]
		mov	[ebp+var_9], al

loc_561A10:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82315j
					; PpmPerfCalculateQosClassPolicies+82325j
		mov	al, [ebx+10h]
		mov	edi, [ebp+var_30]
		cmp	al, 1
		jz	loc_5E3A32
		cmp	al, 2
		jnz	short loc_561A2C
		cmp	byte ptr [edi+7Ch], 0
		jnz	loc_5E3A32

loc_561A2C:				; CODE XREF: PpmPerfCalculateQosClassPolicies+31Ej
		xor	al, al

loc_561A2E:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82332j
		test	edx, edx
		jnz	loc_5E3A39

loc_561A36:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82343j
		mov	[ebp+var_B], al

loc_561A39:				; CODE XREF: PpmPerfCalculateQosClassPolicies+8233Dj
		cmp	byte ptr [ebx+4Ch], 0
		jz	short loc_561A49
		cmp	byte ptr [edi+7Fh], 0
		jnz	loc_5E3A4A

loc_561A49:				; CODE XREF: PpmPerfCalculateQosClassPolicies+33Bj
		mov	al, 1

loc_561A4B:				; CODE XREF: PpmPerfCalculateQosClassPolicies+8234Aj
		mov	[ebp+var_22], al
		test	edx, edx
		jnz	loc_5E3A51

loc_561A56:				; CODE XREF: PpmPerfCalculateQosClassPolicies+8235Cj
		mov	[ebp+var_C], al
		test	al, al
		jz	short loc_561A61
		mov	[ebp+var_23], 1

loc_561A61:				; CODE XREF: PpmPerfCalculateQosClassPolicies+359j
					; PpmPerfCalculateQosClassPolicies+82356j
		mov	ebx, [ebp+Source2]
		mov	esi, [ebp+var_18]
		cmp	ebx, esi
		jb	loc_5E3A63

loc_561A6F:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82366j
		cmp	ecx, esi
		jb	loc_5E3A6D

loc_561A77:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82370j
		mov	edx, [ebp+var_28]
		cmp	edx, 4
		jz	loc_5E3A77

loc_561A83:				; CODE XREF: PpmPerfCalculateQosClassPolicies+823B0j
					; PpmPerfCalculateQosClassPolicies+823B8j ...
		cmp	[ebp+var_22], 0
		jz	short loc_561AF6
		mov	eax, ds:_PpmHeteroQosBias[edx*4]
		cmp	eax, 1
		jnz	loc_5E3ACA

loc_561A99:				; CODE XREF: PpmPerfCalculateQosClassPolicies+823D1j
					; PpmPerfCalculateQosClassPolicies+823EAj
		mov	[ebp+var_8], 1

loc_561A9D:				; CODE XREF: PpmPerfCalculateQosClassPolicies+3F8j
		imul	ebx, edx, 1Ch
		lea	eax, [ebp+Source2]
		push	1Ch		; Length
		push	eax		; Source2
		add	ebx, 90h
		add	ebx, edi
		push	ebx		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 1Ch
		jnz	short loc_561AF0

loc_561AB9:				; CODE XREF: PpmPerfCalculateQosClassPolicies+3F2j
		mov	edx, [ebp+var_30]
		lea	esi, [ebp+Source2]
		mov	eax, [ebp+var_28]
		mov	edi, ebx
		push	7
		pop	ecx
		and	dword ptr [edx+eax*4+11Ch], 0
		rep movsd
		mov	esi, [ebp+var_34]
		test	esi, esi
		jnz	loc_5E3AF1

loc_561ADC:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82401j
		mov	eax, [ebp+var_38]
		mov	esi, ebx
		mov	ebx, [ebp+var_28]
		inc	eax
		mov	[ebp+var_34], esi
		mov	[ebp+var_38], eax
		jmp	loc_561886
; 

loc_561AF0:				; CODE XREF: PpmPerfCalculateQosClassPolicies+3B5j
		mov	[ebp+var_21], 1
		jmp	short loc_561AB9
; 

loc_561AF6:				; CODE XREF: PpmPerfCalculateQosClassPolicies+385j
					; PpmPerfCalculateQosClassPolicies+823DAj ...
		mov	[ebp+var_8], 0
		jmp	short loc_561A9D
PpmPerfCalculateQosClassPolicies endp


;  S U B	R O U T	I N E 


PpmPerfClearBootOverrides proc near	; CODE XREF: PopPerfBoostPowerRequest(x,x,x):loc_86AF1Ep

; FUNCTION CHUNK AT 005E3B1C SIZE 00000011 BYTES

		cmp	ds:_PpmPerfBootHeteroPolicyOverrideEnabled, 0
		jnz	short loc_561B06

locret_561B05:				; CODE XREF: PpmPerfClearBootOverrides+18j
		retn
; 

loc_561B06:				; CODE XREF: PpmPerfClearBootOverrides+7j
		and	ds:_PpmPerfBootHeteroPolicyOverrideEnabled, 0
		cmp	ds:_PopHeteroSystem, 0
		jz	short locret_561B05
		jmp	loc_5E3B1C
PpmPerfClearBootOverrides endp

; 
		align 10h
; Exported entry 1709. PoLatencySensitivityHint

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoLatencySensitivityHint
PoLatencySensitivityHint proc near	; CODE XREF: PopPerfBoostPowerRequest(x,x,x)+32p
					; PopPowerInformationInternal+171289p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E3B2D SIZE 000000A7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		cmp	esi, 4
		jz	loc_5E3B2D

loc_561B48:				; CODE XREF: PoLatencySensitivityHint+82019j
		mov	ecx, _PpmCurrentProfile
		mov	edx, ebx
		imul	eax, dword_6C2D0C, 0F0h
		add	eax, ecx

loc_561B5C:				; CODE XREF: PoLatencySensitivityHint+46j
		cmp	[eax+edx+6Dh], bl
		jnz	short loc_561B6D
		inc	edx
		cmp	edx, 2
		jb	short loc_561B5C
		jmp	loc_561C2A
; 

loc_561B6D:				; CODE XREF: PoLatencySensitivityHint+40j
		push	edi
		mov	[ebp+var_30], esi
		cmp	_PpmEtwRegistered, bl
		jz	short loc_561B9B
		mov	edi, dword_6BFD04
		mov	eax, _PpmEtwHandle
		push	offset _PPM_ETW_LATENCY_SENSITIVITY_HINT
		push	edi
		push	eax
		mov	[ebp+var_1C], eax
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5E3B3E

loc_561B9B:				; CODE XREF: PoLatencySensitivityHint+57j
					; PoLatencySensitivityHint+82046j
		call	KeQueryInterruptTime
		mov	edi, eax
		mov	[ebp+var_15], bl
		add	edi, _PpmCheckPeriod
		mov	eax, edx
		lea	edx, [ebp+var_24]
		mov	[ebp+var_2C], ebx
		adc	eax, dword_6C0494
		mov	ecx, offset _PpmPerfLatencyBoostExpiration
		push	eax
		push	edi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_28], ebx
		call	PpmInterlockedUpdateTimeNoFence
		test	al, al
		jz	short loc_561BD3
		mov	[ebp+var_15], 1

loc_561BD3:				; CODE XREF: PoLatencySensitivityHint+ADj
		cmp	esi, 4
		jz	loc_5E3B6B

loc_561BDC:				; CODE XREF: PoLatencySensitivityHint+82066j
		mov	al, [ebp+var_15]

loc_561BDF:				; CODE XREF: PoLatencySensitivityHint+82060j
		pop	edi
		test	al, al
		jz	short loc_561C2A
		mov	[ebp+var_1C], ebx
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, _PpmCheckLastExecutionTime
		mov	eax, dword_6C049C
		cmp	[ebp+var_20], eax
		jb	short loc_561C06
		ja	short loc_561C08
		cmp	[ebp+var_24], ecx
		ja	short loc_561C08

loc_561C06:				; CODE XREF: PoLatencySensitivityHint+DDj
		mov	bl, 1

loc_561C08:				; CODE XREF: PoLatencySensitivityHint+DFj
					; PoLatencySensitivityHint+E4j
		cmp	esi, 4
		jz	loc_5E3B8B

loc_561C11:				; CODE XREF: PoLatencySensitivityHint+82079j
					; PoLatencySensitivityHint+82084j ...
		test	bl, bl
		jz	short loc_561C2A
		call	_PpmTryAcquireLock@4 ; PpmTryAcquireLock(x)
		test	al, al
		jz	loc_5E3BB1
		push	3
		pop	ecx
		call	_PpmCheckCustomRun@4 ; PpmCheckCustomRun(x)

loc_561C2A:				; CODE XREF: PoLatencySensitivityHint+48j
					; PoLatencySensitivityHint+C2j	...
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
PoLatencySensitivityHint endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSessionInsertImage proc near		; CODE XREF: MiGetSystemAddressForImage+1E3p
					; MmLoadSystemImageEx(x,x,x,x,x,x)+217p

var_78		= dword	ptr -78h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_6		= dword	ptr -6
var_2		= byte ptr -2
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 00561D97 SIZE 0000006D BYTES
; FUNCTION CHUNK AT 005E3BD4 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		push	ebx
		push	esi
		push	edi
		push	54h		; size_t
		lea	eax, [ebp+var_78]
		mov	[ebp+var_C], ecx
		mov	ebx, edx
		mov	byte ptr [ebp+var_1], 0
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_1C], ebx
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	[ebp+var_18], eax
		add	eax, 34h
		mov	[ebp+var_10], eax
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		push	0
		push	40h
		push	34h
		mov	esi, eax
		mov	edx, 69486D4Dh
		pop	ecx
		mov	[ebp+var_14], esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5E3BD4
		mov	eax, [ebx]
		mov	ebx, [eax+4]
		test	ebx, ebx
		jz	short loc_561CC0
		push	0
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	MiChargeCommit
		test	eax, eax
		jz	loc_5E3BDE

loc_561CC0:				; CODE XREF: MiSessionInsertImage+6Ej
		mov	ecx, ebx
		shl	ecx, 0Ch
		call	_MiBytesToMapSystemImage@4 ; MiBytesToMapSystemImage(x)
		mov	cl, [esi+60h]
		and	cl, 7
		mov	[ebp+var_20], eax
		cmp	cl, 2
		jz	loc_5E3BF0
		sub	esi, 0FFFFFF80h

loc_561CDF:				; CODE XREF: MiSessionInsertImage+81FBBj
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		lea	ecx, [ebp+var_1]
		mov	[ebp+var_2], al
		call	_MmLockLoadedModuleListExclusive@4 ; MmLockLoadedModuleListExclusive(x)
		mov	esi, [ebp+var_10]
		xor	edx, edx
		mov	byte ptr [ebp+var_6], dl
		mov	esi, [esi]
		test	esi, esi
		jnz	loc_5E3BFA

loc_561D06:				; CODE XREF: MiSessionInsertImage+180j
					; MiSessionInsertImage+1C5j
		push	34h		; size_t
		push	edx		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+var_C]
		add	esp, 0Ch
		mov	eax, ecx
		mov	[edi+28h], ebx
		or	eax, 3
		mov	dword ptr [edi+20h], 1
		mov	[edi+14h], eax
		dec	ecx
		mov	eax, [ebp+var_20]
		add	eax, ecx
		mov	[edi+18h], eax
		mov	eax, [ebp+var_18]
		push	edi
		push	[ebp+var_6]
		mov	eax, [eax+8]
		push	esi
		push	[ebp+var_10]
		mov	[edi+1Ch], eax
		mov	eax, [ebp+var_1C]
		mov	[edi+2Ch], eax
		mov	dword ptr [edi+30h], 0FFFFFFFEh
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		push	offset _PsLoadedModuleSpinLock
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	dl, [ebp+var_2]
		mov	ecx, [ebp+var_14]
		call	MiUnlockWorkingSetExclusive
		mov	eax, [ebp+var_18]
		add	eax, 20h
		lock xadd [eax], ebx
		mov	eax, [ebp+var_1C]
		lea	edx, [edi+0Ch]
		push	3
		lea	ecx, [ebp+var_78]
		mov	[ebp+var_78], eax
		call	MiManageSubsectionView
		xor	esi, esi

loc_561D90:				; CODE XREF: MiSessionInsertImage+1BFj
		mov	eax, esi

loc_561D92:				; CODE XREF: MiSessionInsertImage+81F9Fj
					; MiSessionInsertImage+81FB1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiSessionInsertImage endp

; 
; START	OF FUNCTION CHUNK FOR MiSessionInsertImage

loc_561D97:				; CODE XREF: MiSessionInsertImage+16Bj
					; MiSessionInsertImage+81FC3j
		cmp	ecx, [esi+18h]
		jbe	short loc_561DA7
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_561DFB

loc_561DA3:				; CODE XREF: MiSessionInsertImage+17Bj
		mov	esi, eax
		jmp	short loc_561D97
; 

loc_561DA7:				; CODE XREF: MiSessionInsertImage+160j
		mov	eax, [esi+14h]
		and	eax, 0FFFFFFFCh
		cmp	ecx, eax
		jnb	short loc_561DBF
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_561DA3
		mov	byte ptr [ebp+var_6], dl
		jmp	loc_561D06
; 

loc_561DBF:				; CODE XREF: MiSessionInsertImage+175j
		inc	dword ptr [esi+20h]
		push	offset _PsLoadedModuleSpinLock
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	dl, [ebp+var_2]
		mov	ecx, [ebp+var_14]
		call	MiUnlockWorkingSetExclusive
		push	0
		push	edi
		mov	esi, 110h
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		jmp	short loc_561D90
; 

loc_561DFB:				; CODE XREF: MiSessionInsertImage+167j
		mov	byte ptr [ebp+var_6], 1
		jmp	loc_561D06
; END OF FUNCTION CHUNK	FOR MiSessionInsertImage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ApiSetpSearchForApiSet proc near	; CODE XREF: ApiSetResolveToHost+86p
					; ApiSetValidateSchemaFormat(x,x)+E8p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8

; FUNCTION CHUNK AT 005E3C02 SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	eax, edx
		push	esi
		mov	[ebp+var_14], eax
		mov	ebx, eax
		movzx	eax, [ebp+arg_0]
		xor	esi, esi
		mov	[ebp+var_4], esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edi
		test	eax, eax
		jz	short loc_561E59
		mov	ecx, [edi+18h]
		mov	edi, ecx
		mov	[ebp+var_8], eax

loc_561E30:				; CODE XREF: ApiSetpSearchForApiSet+4Bj
		movzx	edx, word ptr [ebx]
		lea	eax, [edx-41h]
		cmp	ax, 19h
		jbe	loc_5E3C02

loc_561E40:				; CODE XREF: ApiSetpSearchForApiSet+81E01j
		imul	esi, edi
		add	ebx, 2
		movzx	eax, dx
		add	esi, eax
		sub	[ebp+var_8], 1
		jnz	short loc_561E30
		mov	edi, [ebp+var_10]
		mov	[ebp+var_4], esi
		xor	esi, esi

loc_561E59:				; CODE XREF: ApiSetpSearchForApiSet+22j
		mov	eax, [edi+0Ch]
		mov	ebx, esi
		sub	eax, 1
		js	short loc_561EC3
		mov	edx, [edi+14h]
		mov	[ebp+var_C], edx

loc_561E69:				; CODE XREF: ApiSetpSearchForApiSet+8Bj
		lea	ecx, [ebx+eax]
		sar	ecx, 1
		push	0
		lea	edx, [edx+ecx*8]
		mov	esi, [edx+edi]
		cmp	[ebp+var_4], esi
		mov	[ebp+var_10], esi
		pop	esi
		jb	short loc_561E93
		mov	ebx, [ebp+var_10]
		cmp	[ebp+var_4], ebx
		jbe	short loc_561E98
		lea	ebx, [ecx+1]

loc_561E8A:				; CODE XREF: ApiSetpSearchForApiSet+92j
		mov	edx, [ebp+var_C]
		cmp	ebx, eax
		jle	short loc_561E69
		jmp	short loc_561EC3
; 

loc_561E93:				; CODE XREF: ApiSetpSearchForApiSet+79j
		lea	eax, [ecx-1]
		jmp	short loc_561E8A
; 

loc_561E98:				; CODE XREF: ApiSetpSearchForApiSet+81j
		imul	esi, [edx+edi+4], 18h
		add	esi, [edi+10h]
		add	esi, edi
		jz	short loc_561EC3
		mov	eax, [esi+0Ch]
		push	1
		shr	eax, 1
		push	eax
		mov	eax, [esi+4]
		add	eax, edi
		push	eax
		movzx	eax, [ebp+arg_0]
		push	eax
		push	[ebp+var_14]
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_561ECC

loc_561EC3:				; CODE XREF: ApiSetpSearchForApiSet+5Dj
					; ApiSetpSearchForApiSet+8Dj ...
		mov	eax, esi

loc_561EC5:				; CODE XREF: ApiSetpSearchForApiSet+CAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_561ECC:				; CODE XREF: ApiSetpSearchForApiSet+BDj
		xor	eax, eax
		jmp	short loc_561EC5
ApiSetpSearchForApiSet endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIpiGenericCallTarget proc near	; DATA XREF: KeIpiGenericCall+56o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005E3C0A SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		lock dec dword ptr [ebx]

loc_561EE9:				; CODE XREF: KiIpiGenericCallTarget+92j
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_561F64
		mov	eax, ds:_KiBarrierWait
		test	eax, eax
		jnz	short loc_561F5D
		test	byte ptr ds:_HvlEnlightenments,	20h
		jnz	short loc_561F5D
		lea	eax, [ebp+var_18]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		and	[ebp+var_4], 0
		mov	edi, edx
		mov	[ebp+arg_C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		lock or	[eax], ecx
		mov	esi, 0FFDF0350h
		mov	ecx, 12Ch
		mov	eax, [esi]
		mov	esi, [esi+4]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_14]
		mul	ecx
		mov	edx, 12Ch
		mov	ecx, eax
		mov	eax, [ebp+var_18]
		mul	edx
		add	ecx, edx
		mov	edx, [ebp+var_8]
		add	eax, edx
		adc	ecx, esi
		cmp	edi, ecx
		jb	short loc_561F5D
		mov	ecx, [ebp+arg_C]
		ja	loc_5E3C0A
		cmp	ecx, eax
		ja	loc_5E3C0A

loc_561F5D:				; CODE XREF: KiIpiGenericCallTarget+26j
					; KiIpiGenericCallTarget+2Fj ...
		call	KiPollFreezeExecution
		jmp	short loc_561EE9
; 

loc_561F64:				; CODE XREF: KiIpiGenericCallTarget+1Dj
		push	[ebp+arg_8]
		call	[ebp+arg_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
KiIpiGenericCallTarget endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2202. RtlIpv6AddressToStringExW

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIpv6AddressToStringExW
RtlIpv6AddressToStringExW proc near

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005E3C3F SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 90h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_8C], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_90], eax
		push	ebx
		movzx	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_562028
		test	edi, edi
		jz	short loc_562028
		test	eax, eax
		jz	loc_5E3C31

loc_561FBA:				; CODE XREF: KiIpiGenericCallTarget+81D6Aj
		lea	eax, [ebp+var_88]
		test	bx, bx
		jnz	loc_5E3C3F

loc_561FC9:				; CODE XREF: RtlIpv6AddressToStringExW+81CD9j
		push	eax
		push	ecx
		call	RtlIpv6AddressToStringW
		mov	esi, eax
		mov	eax, [ebp+var_8C]
		test	eax, eax
		jnz	loc_5E3C54

loc_561FE0:				; CODE XREF: RtlIpv6AddressToStringExW+81CF8j
		test	bx, bx
		jnz	loc_5E3C73

loc_561FE9:				; CODE XREF: RtlIpv6AddressToStringExW+81D1Ej
		lea	eax, [ebp+var_88]
		sub	esi, eax
		mov	eax, [edi]
		sar	esi, 1
		inc	esi
		mov	[edi], esi
		cmp	eax, esi
		jb	short loc_562028
		lea	eax, [esi+esi]
		push	eax		; size_t
		lea	eax, [ebp+var_88]
		push	eax		; void *
		push	[ebp+var_90]	; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax

loc_562017:				; CODE XREF: RtlIpv6AddressToStringExW+B7j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_562028:				; CODE XREF: RtlIpv6AddressToStringExW+36j
					; RtlIpv6AddressToStringExW+3Aj ...
		mov	eax, 0C000000Dh
		jmp	short loc_562017
RtlIpv6AddressToStringExW endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2203. RtlIpv6AddressToStringW

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIpv6AddressToStringW
RtlIpv6AddressToStringW	proc near	; CODE XREF: RtlIpv6AddressToStringExW+55p
					; AdtpBuildIPv6Strings(x,x,x,x,x)+61p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E3C99 SIZE 000000DF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], 8
		lea	eax, [ebx+5Ch]
		mov	[ebp+var_8], eax
		cmp	[esi], di
		jz	loc_56216B

loc_56205D:				; CODE XREF: RtlIpv6AddressToStringW+13Bj
					; RtlIpv6AddressToStringW+145j	...
		mov	edx, 0FFFDh
		mov	ecx, edi
		mov	eax, edi
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_C], eax
		test	[esi+8], dx
		jz	loc_562198

loc_562076:				; CODE XREF: RtlIpv6AddressToStringW+16Dj
					; RtlIpv6AddressToStringW+81D05j
		mov	edx, edi
		mov	ebx, eax

loc_56207A:				; CODE XREF: RtlIpv6AddressToStringW+5Aj
		cmp	[esi+edx*2], di
		jz	loc_56211B
		lea	eax, [edx+1]
		mov	[ebp+var_C], eax

loc_56208A:				; CODE XREF: RtlIpv6AddressToStringW+104j
					; RtlIpv6AddressToStringW+81D0Dj
		inc	edx
		cmp	edx, [ebp+var_10]
		jl	short loc_56207A
		mov	eax, ecx
		mov	[ebp+var_4], ebx
		sub	eax, ebx
		mov	ebx, [ebp+arg_4]
		cmp	eax, 1
		jg	loc_562163
		mov	ecx, edi
		mov	eax, edi
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_4], eax

loc_5620AD:				; CODE XREF: RtlIpv6AddressToStringW+D3j
					; RtlIpv6AddressToStringW+132j
		cmp	edi, ecx
		jl	loc_56213D

loc_5620B5:				; CODE XREF: RtlIpv6AddressToStringW+10Bj
		test	edi, edi
		jz	short loc_5620D6
		cmp	edi, ecx
		jz	short loc_5620D6
		mov	eax, [ebp+var_8]
		sub	eax, ebx
		push	offset ??_C@_13EBCNDICG@?$AA?3@FNODOBFM@
		sar	eax, 1
		push	eax
		push	ebx
		call	_swprintf_s
		add	esp, 0Ch
		lea	ebx, [ebx+eax*2]

loc_5620D6:				; CODE XREF: RtlIpv6AddressToStringW+83j
					; RtlIpv6AddressToStringW+87j
		mov	ax, [esi+edi*2]
		mov	ch, al
		mov	cl, ah
		movzx	eax, cx
		push	eax
		mov	eax, [ebp+var_8]
		sub	eax, ebx
		push	offset ??_C@_15LHNHECKK@?$AA?$CF?$AAx@FNODOBFM@	; "%x"
		sar	eax, 1
		push	eax
		push	ebx
		call	_swprintf_s
		mov	ecx, [ebp+arg_0]
		add	esp, 10h

loc_5620FB:				; CODE XREF: RtlIpv6AddressToStringW+12Dj
		mov	edx, [ebp+var_10]
		lea	ebx, [ebx+eax*2]
		mov	eax, [ebp+var_4]
		inc	edi
		cmp	edi, edx
		jl	short loc_5620AD
		cmp	edx, 8
		jb	loc_5E3D46

loc_562112:				; CODE XREF: RtlIpv6AddressToStringW+81D3Fj
		mov	eax, ebx

loc_562114:				; CODE XREF: RtlIpv6AddressToStringW+81CDFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_56211B:				; CODE XREF: RtlIpv6AddressToStringW+4Aj
		mov	ecx, edx
		sub	ecx, eax
		mov	eax, [ebp+arg_0]
		sub	eax, ebx
		inc	ecx
		cmp	ecx, eax
		mov	eax, [ebp+var_C]
		jle	loc_5E3D3E
		lea	ecx, [edx+1]
		mov	ebx, eax
		mov	[ebp+arg_0], ecx
		jmp	loc_56208A
; 

loc_56213D:				; CODE XREF: RtlIpv6AddressToStringW+7Bj
		cmp	eax, edi
		jg	loc_5620B5
		mov	eax, [ebp+var_8]
		sub	eax, ebx
		push	(offset	loc_5A5935+1)
		sar	eax, 1
		push	eax
		push	ebx
		call	_swprintf_s
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		lea	edi, [ecx-1]
		jmp	short loc_5620FB
; 

loc_562163:				; CODE XREF: RtlIpv6AddressToStringW+69j
		mov	eax, [ebp+var_4]
		jmp	loc_5620AD
; 

loc_56216B:				; CODE XREF: RtlIpv6AddressToStringW+23j
		cmp	[esi+2], di
		jnz	loc_56205D
		cmp	[esi+4], di
		jnz	loc_56205D
		cmp	[esi+6], di
		jnz	loc_56205D
		cmp	[esi+0Ch], di
		jz	loc_56205D
		jmp	loc_5E3C99
; 

loc_562198:				; CODE XREF: RtlIpv6AddressToStringW+3Cj
		mov	edx, 0FE5Eh
		cmp	[esi+0Ah], dx
		jnz	loc_562076
		jmp	loc_5E3D32
RtlIpv6AddressToStringW	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPerfApplyProcessorStates()
_PpmPerfApplyProcessorStates@0 proc near ; DATA	XREF: .text:004049B8o
					; .text:00404A18o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_16		= word ptr -16h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		push	esi
		mov	esi, ds:_PpmPerfDomainHead
		mov	[ebp+var_16], ax
		inc	eax
		push	edi
		mov	[ebp+var_14], ebx
		mov	edi, offset _PpmPerfDomainHead
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx

loc_5621E6:				; CODE XREF: PpmPerfApplyProcessorStates()+13Aj
		cmp	esi, edi
		jnz	loc_5622C8
		xor	eax, eax
		mov	[ebp+var_18], ax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], eax

loc_562200:				; CODE XREF: PpmPerfApplyProcessorStates()+85j
					; PpmPerfApplyProcessorStates()+95j ...
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_562251
		mov	ecx, [ebp+var_14]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	esi, eax
		mov	edi, [esi+3EA4h]
		cmp	[edi+6Ch], bl
		jz	short loc_562236
		mov	dl, 1
		mov	ecx, esi
		call	PpmPerfApplyProcessorState
		test	al, al
		jz	short loc_562200
		mov	[edi+6Ch], bl

loc_562236:				; CODE XREF: PpmPerfApplyProcessorStates()+78j
		xor	dl, dl
		mov	ecx, esi
		call	PpmPerfApplyProcessorState
		test	al, al
		jz	short loc_562200
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_14]
		btr	eax, ecx
		mov	[ebp+var_8], eax
		jmp	short loc_562200
; 

loc_562251:				; CODE XREF: PpmPerfApplyProcessorStates()+63j
		mov	edx, [ebp+var_8]
		not	edx
		movzx	eax, dl
		shr	edx, 8
		pop	edi
		pop	esi
		mov	bl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		mov	ecx, edx
		shr	ecx, 8
		add	bl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, bl
		movzx	eax, cl
		mov	_PpmCheckCount,	eax
		pop	ebx
		jz	short loc_5622F9
		xor	eax, eax
		mov	[ebp+var_18], ax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], eax

loc_5622A3:				; CODE XREF: PpmPerfApplyProcessorStates()+11Aj
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5622EB
		mov	ecx, [ebp+var_14]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		push	2
		pop	edx
		mov	ecx, eax
		call	_PpmPerfQueueAction@8 ;	PpmPerfQueueAction(x,x)
		jmp	short loc_5622A3
; 

loc_5622C8:				; CODE XREF: PpmPerfApplyProcessorStates()+3Cj
		cmp	[esi+216h], bl
		jz	short loc_5622E4
		lea	eax, [ebp+var_10]
		push	eax
		push	eax
		lea	eax, [esi+0Ch]
		push	eax
		call	_KeOrAffinityEx@12 ; KeOrAffinityEx(x,x,x)
		mov	[esi+216h], bl

loc_5622E4:				; CODE XREF: PpmPerfApplyProcessorStates()+122j
		mov	esi, [esi]
		jmp	loc_5621E6
; 

loc_5622EB:				; CODE XREF: PpmPerfApplyProcessorStates()+106j
		xor	eax, eax

loc_5622ED:				; CODE XREF: PpmPerfApplyProcessorStates()+14Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_5622F9:				; CODE XREF: PpmPerfApplyProcessorStates()+E3j
		mov	al, 1
		jmp	short loc_5622ED
_PpmPerfApplyProcessorStates@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfApplyProcessorState proc	near	; CODE XREF: PpmPerfAction(x,x,x,x)+6Ep
					; PpmPerfAction(x,x,x,x)+77p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E3D78 SIZE 000000BD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+24h+var_10], edx
		push	edi
		xor	ebx, ebx
		mov	[esp+28h+var_C], ebx
		mov	eax, [esi+3EA4h]
		lea	edx, [esi+3EA0h]
		mov	edi, [edx]
		mov	[esp+28h+var_4], eax
		mov	eax, [edi+8]
		mov	[esp+28h+var_18], eax
		cmp	edx, eax
		jz	short loc_56233C
		mov	cl, bl
		cmp	[edi+7Eh], bl
		jz	short loc_56233E

loc_56233C:				; CODE XREF: PpmPerfApplyProcessorState+35j
		mov	cl, 1

loc_56233E:				; CODE XREF: PpmPerfApplyProcessorState+3Cj
		mov	byte ptr [esp+28h+var_14], cl
		cmp	byte ptr [esp+28h+var_10], bl
		jz	short loc_562354
		cmp	byte ptr [edi+79h], 0FDh
		jz	short loc_562354
		mov	cl, 1
		mov	byte ptr [esp+28h+var_14], cl

loc_562354:				; CODE XREF: PpmPerfApplyProcessorState+48j
					; PpmPerfApplyProcessorState+4Ej
		mov	eax, large fs:20h
		cmp	esi, eax
		jnz	loc_5623F5

loc_562362:				; CODE XREF: PpmPerfApplyProcessorState+FFj
					; PpmPerfApplyProcessorState+10Aj
		push	ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, eax
		mov	eax, large fs:20h
		cmp	eax, esi
		jnz	loc_5E3D78
		push	edx
		push	ecx
		mov	ecx, esi
		call	_PpmContinueActiveTimeAccumulation@12 ;	PpmContinueActiveTimeAccumulation(x,x,x)

loc_562382:				; CODE XREF: PpmPerfApplyProcessorState+81AC9j
		mov	ecx, [esp+2Ch+var_8]
		cmp	byte ptr [ecx+6Dh], 0
		lea	eax, [ecx+70h]
		mov	[esp+2Ch+var_1C], eax
		jnz	loc_5E3DD5
		mov	bh, bl
		mov	[esp+2Ch+var_1C], eax

loc_56239D:				; CODE XREF: PpmPerfApplyProcessorState+81AECj
		push	[esp+2Ch+var_14]
		mov	dl, byte ptr [esp+30h+var_18]
		mov	ecx, esi
		call	PpmPerfArbitratorApplyProcessorState
		cmp	byte ptr [esp+2Ch+var_10], 0
		mov	bl, al
		jnz	loc_5E3DEF

loc_5623B9:				; CODE XREF: PpmPerfApplyProcessorState+81B13j
					; PpmPerfApplyProcessorState+81B1Aj
		test	bl, bl
		jz	short loc_5623EC
		lea	eax, [esi+3EA0h]
		cmp	eax, [edi+8]
		jz	short loc_56240D

loc_5623C8:				; CODE XREF: PpmPerfApplyProcessorState+114j
					; PpmPerfApplyProcessorState+81B32j
		cmp	byte ptr [esp+2Ch+var_14], 0
		jnz	short loc_5623EC
		mov	ecx, esi
		call	PpmEventLegacyProcessorPerfStateChange
		lea	ecx, [esi+3D70h]
		call	PpmScaleIdleStateValues
		lea	ecx, [esi+3EA0h]
		call	PpmEventTraceExpectedUtility

loc_5623EC:				; CODE XREF: PpmPerfApplyProcessorState+BDj
					; PpmPerfApplyProcessorState+CFj ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5623F5:				; CODE XREF: PpmPerfApplyProcessorState+5Ej
		cmp	edx, [esp+28h+var_18]
		jz	short loc_5623EC
		test	cl, cl
		jz	loc_562362
		cmp	[edi+7Bh], bl
		jnz	short loc_5623EC
		jmp	loc_562362
; 

loc_56240D:				; CODE XREF: PpmPerfApplyProcessorState+C8j
		mov	eax, [edi+4Ch]
		test	eax, eax
		jz	short loc_5623C8
		jmp	loc_5E3E1D
PpmPerfApplyProcessorState endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfArbitratorApplyProcessorState proc near
					; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+4ACp
					; PpmPerfApplyProcessorState+A9p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E3E35 SIZE 0000018F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_1], cl
		xor	ecx, ecx
		push	esi
		mov	esi, [ebx+3EA4h]
		inc	ecx
		cmp	ds:_PpmPerfQosEnabled, 0
		mov	eax, [ebx+3EA0h]
		push	edi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_8], esi
		mov	[ebp+var_18], eax
		mov	[ebp+var_2], 0
		jnz	loc_5E3E35
		xor	edi, edi

loc_56245B:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81A21j
		mov	edx, [eax+13Ch]
		mov	[ebp+var_C], edi
		mov	[ebp+var_14], edx
		cmp	edi, [ebx+3F0Ch]
		jnz	loc_5E3E40
		add	esi, 58h
		cmp	[esi], edx
		jz	loc_5E3E8B
		test	edi, edi
		jnz	loc_5E3E93

loc_562486:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81A8Cj
		mov	[esi], edx
		mov	al, cl

loc_56248A:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81A74j
		test	al, al
		jz	loc_56251F
		cmp	byte ptr [ebp+arg_0], 0
		jz	short loc_56249B
		and	dword ptr [esi], 0

loc_56249B:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+7Cj
		mov	ecx, [ebp+var_8]
		push	0Ah
		lea	edx, [ecx+30h]
		mov	eax, [edx+8]
		mov	[ecx+60h], eax
		mov	eax, [edx+0Ch]
		mov	[ecx+5Ch], eax
		lea	eax, [edi+8]
		imul	esi, eax, 28h
		mov	edi, edx
		mov	eax, [ebp+var_18]
		pop	ecx
		add	esi, eax
		rep movsd
		mov	ecx, [ebp+arg_0]
		push	ecx
		mov	ecx, [ebp+var_8]
		push	[ebp+var_10]
		mov	ecx, [ecx+4]
		call	dword ptr [eax+48h]
		cmp	ds:_PopHeteroSystem, 0
		mov	edi, [ebp+var_C]
		jnz	loc_5E3EAB

loc_5624DF:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81AAFj
					; PpmPerfArbitratorApplyProcessorState+81B1Ej
		call	_KiIsQosGroupingActive@0 ; KiIsQosGroupingActive()
		test	al, al
		jnz	loc_5E3F3D

loc_5624EC:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81B95j
		xor	eax, eax
		inc	eax
		cmp	byte ptr [ebp+arg_0], 0
		jnz	short loc_56251A
		mov	dl, al

loc_5624F7:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+103j
		test	dl, dl
		jz	short loc_562513
		push	dword ptr [ebx+3F0Ch]
		movzx	edx, byte ptr [ebp+var_10]
		lea	ecx, [ebx+3EA0h]
		call	PpmEventProcessorPerfStateChange
		xor	eax, eax
		inc	eax

loc_562513:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+DFj
					; PpmPerfArbitratorApplyProcessorState+81A38j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_56251A:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+D9j
					; PpmPerfArbitratorApplyProcessorState+108j
		mov	dl, [ebp+var_2]
		jmp	short loc_5624F7
; 

loc_56251F:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+72j
		xor	eax, eax
		inc	eax
		jmp	short loc_56251A
PpmPerfArbitratorApplyProcessorState endp


;  S U B	R O U T	I N E 


; __stdcall KiIsQosGroupingActive()
_KiIsQosGroupingActive@0 proc near	; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+78p
					; PpmPerfArbitratorApplyProcessorState:loc_5624DFp ...
		mov	eax, ds:_KiHeteroSchedulerOptions
		test	al, 1
		jnz	short loc_562545
		test	ds:_KiVelocityFlags, 800h
		jz	short loc_562542
		cmp	ds:_KeHeteroSystemQos, 0
		jnz	short loc_56254A

loc_562542:				; CODE XREF: KiIsQosGroupingActive()+13j
		xor	al, al
		retn
; 

loc_562545:				; CODE XREF: KiIsQosGroupingActive()+7j
		shr	eax, 1
		and	al, 1
		retn
; 

loc_56254A:				; CODE XREF: KiIsQosGroupingActive()+1Cj
		mov	al, 1
		retn
_KiIsQosGroupingActive@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEventProcessorPerfStateChange proc near
					; CODE XREF: PpmPerfArbitratorApplyProcessorState+F1p

var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E3FC4 SIZE 00000117 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_D8], edx
		xor	ecx, ecx
		mov	[ebp+var_9C], 3
		mov	[ebp+var_C8], ecx
		mov	[ebp+var_A0], ecx
		movzx	eax, byte ptr [esi-3ADBh]
		mov	word ptr [ebp+var_C8], ax
		mov	al, [esi-3ADCh]
		mov	byte ptr [ebp+var_C8+2], al
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_A4], eax
		mov	[ebp+var_98], ecx
		cmp	_PpmEtwRegistered, cl
		jz	short loc_5625DC
		push	ebx
		mov	ebx, _PpmEtwHandle
		push	edi
		mov	edi, dword_6BFD04
		push	offset _PPM_ETW_PROCESSOR_PERF_STATE_CHANGE
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5E3FC4

loc_5625DA:				; CODE XREF: PpmEventProcessorPerfStateChange+81B88j
		pop	edi
		pop	ebx

loc_5625DC:				; CODE XREF: PpmEventProcessorPerfStateChange+68j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
PpmEventProcessorPerfStateChange endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEventTraceExpectedUtility proc near	; CODE XREF: PpmPerfApplyProcessorState+E9p

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E40DB SIZE 000000D2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], 3
		push	edi
		xor	edi, edi
		cmp	_PpmEtwRegistered, 0
		mov	[ebp+var_68], edi
		movzx	eax, byte ptr [esi-3ADBh]
		mov	word ptr [ebp+var_68], ax
		mov	al, [esi-3ADCh]
		mov	byte ptr [ebp+var_68+2], al
		lea	eax, [ebp+var_68]
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], edi
		jz	short loc_56265E
		mov	eax, dword_6BFD04
		push	offset _PPM_ETW_EXPECTED_UTILITY
		push	eax
		mov	[ebp+var_7C], eax
		mov	eax, _PpmEtwHandle
		push	eax
		mov	[ebp+var_80], eax
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5E40DB

loc_56265E:				; CODE XREF: PpmEventTraceExpectedUtility+4Cj
					; PpmEventTraceExpectedUtility+81BBCj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PpmEventTraceExpectedUtility endp


;  S U B	R O U T	I N E 


PpmScaleIdleStateValues	proc near	; CODE XREF: PpmPerfApplyProcessorState+DEp
					; PpmResetIdlePolicy(x)+11p

; FUNCTION CHUNK AT 005E41AD SIZE 0000007A BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	byte ptr [esi+34h], 0
		jnz	loc_5E41AD

loc_56267D:				; CODE XREF: PpmScaleIdleStateValues+81B49j
					; PpmScaleIdleStateValues+81B57j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
PpmScaleIdleStateValues	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEventLegacyProcessorPerfStateChange proc near ; CODE	XREF: PpmPerfApplyProcessorState+D3p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E4227 SIZE 0000009A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		test	ds:dword_70EFD0, 8000h
		push	edi
		push	6
		mov	edx, [esi+3EA4h]
		lea	edi, [ebp+var_20]
		pop	ecx
		rep stosd
		mov	ecx, [edx+30h]
		mov	edi, [esi+3EA0h]
		mov	ebx, [edx+3Ch]
		mov	[ebp+var_34], ecx
		jnz	loc_5E4227
		xor	edi, edi

loc_5626CA:				; CODE XREF: PpmEventLegacyProcessorPerfStateChange+81C0Aj
		mov	eax, _WmiPerfStateEventEnabled
		test	eax, eax
		jnz	loc_5E4291

loc_5626D7:				; CODE XREF: PpmEventLegacyProcessorPerfStateChange+81C3Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PpmEventLegacyProcessorPerfStateChange endp


;  S U B	R O U T	I N E 


; __stdcall PpmPerfQueueAction(x, x)
_PpmPerfQueueAction@8 proc near		; CODE XREF: PpmPerfApplyProcessorStates()+115p
					; PpmParkReportUnparkedCores+129EA0p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ecx, edx
		inc	esi
		shl	esi, cl
		lea	edx, [edi+3E88h]
		mov	eax, [edx]

loc_5626FB:				; CODE XREF: PpmPerfQueueAction(x,x)+1Dj
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_5626FB
		test	eax, eax
		jnz	short loc_562719
		push	eax
		push	eax
		push	eax
		lea	ecx, [edi+3E68h]
		xor	edx, edx
		call	KiInsertQueueDpc

loc_562719:				; CODE XREF: PpmPerfQueueAction(x,x)+21j
		pop	edi
		pop	esi
		retn
_PpmPerfQueueAction@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1194. KeIpiGenericCall

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeIpiGenericCall
KeIpiGenericCall proc near		; CODE XREF: KeAdjustInterruptTime(x,x,x)+6Bp
					; MiZeroPageCalibrate+15Bp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E42C1 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	esi, ds:__imp_@KfRaiseIrql@4 ; KfRaiseIrql(x)
		mov	bl, al
		cmp	bl, 1Bh
		jnb	short loc_562744
		mov	cl, 1Bh
		call	esi

loc_562744:				; CODE XREF: KeIpiGenericCall+1Cj
		and	[ebp+var_8], 0
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	ecx, offset _KiReverseStallIpiLock
		mov	[ebp+var_4], eax
		lea	edi, [eax-1]
		mov	[ebp+var_C], edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	edi, edi
		jz	short loc_56278C
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	eax
		push	[ebp+arg_4]
		xor	edx, edx
		inc	ecx
		push	[ebp+arg_0]
		push	offset KiIpiGenericCallTarget
		call	_KiIpiSendPacket@24 ; KiIpiSendPacket(x,x,x,x,x,x)
		jmp	short loc_56278C
; 

loc_562784:				; CODE XREF: KeIpiGenericCall+70j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx

loc_56278C:				; CODE XREF: KeIpiGenericCall+45j
					; KeIpiGenericCall+60j
		mov	eax, [ebp+var_4]
		cmp	eax, 1
		jnz	short loc_562784
		mov	cl, 1Dh
		call	esi
		push	[ebp+arg_4]
		mov	[ebp+var_4], 0
		call	[ebp+arg_0]
		cmp	[ebp+var_C], 0
		mov	edi, eax
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		jz	short loc_5627D1
		cmp	bl, 1Bh
		ja	short loc_5627BC
		mov	cl, 1Bh
		call	esi

loc_5627BC:				; CODE XREF: KeIpiGenericCall+94j
		mov	edx, large fs:20h
		jmp	short loc_5627C7
; 

loc_5627C5:				; CODE XREF: KeIpiGenericCall+ADj
		pause

loc_5627C7:				; CODE XREF: KeIpiGenericCall+A1j
		mov	eax, [edx+2120h]
		test	eax, eax
		jnz	short loc_5627C5

loc_5627D1:				; CODE XREF: KeIpiGenericCall+8Fj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _KiReverseStallIpiLock
		jnz	loc_5E42C1
		xor	eax, eax
		lock and [ecx],	eax

loc_5627E8:				; CODE XREF: KeIpiGenericCall+81BA7j
		mov	cl, bl
		call	esi
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
KeIpiGenericCall endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepDeleteSessionLowboxEntries proc near	; CODE XREF: SepDeReferenceLogonSession+118p
					; SepDeleteLogonSessionTrack+A65E5p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E42CE SIZE 00000609 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		cmp	_g_SessionLowboxMap, 0
		jnz	loc_5E42CE
		leave
		retn
SepDeleteSessionLowboxEntries endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepQueueWorkItem proc near		; CODE XREF: SepAdtLogAuditRecord(x)+17Cp
					; SepInformLsaOfDeletedLogon+4Dp

var_14		= byte ptr -14h
var_13		= byte ptr -13h
var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E48D7 SIZE 000000BA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+20h+var_C]
		stosd
		mov	ebx, edx
		xor	edx, edx
		mov	esi, ecx
		mov	byte ptr [esp+20h+var_10+3], dl
		mov	byte ptr [esp+20h+var_10+2], dl
		mov	ecx, [ebx+2Ch]
		stosd
		stosd
		call	PsGetServerSiloState
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jnz	loc_5E48D7
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_56284F
		mov	[edi], dl

loc_56284F:				; CODE XREF: SepQueueWorkItem+3Dj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	byte ptr [esp+20h+var_10+1], al
		cmp	al, 2
		jz	loc_5E48E7
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	eax, eax
		inc	eax
		push	eax
		lea	eax, [esi+10h]
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	eax, [esi+68h]

loc_56287F:				; CODE XREF: SepQueueWorkItem+820E8j
		test	eax, eax
		jnz	loc_5E491B
		mov	eax, [esi+70h]
		test	eax, eax
		jz	loc_56291F
		push	ebx
		call	eax
		xor	ecx, ecx
		mov	[esp+24h+var_11], al
		inc	ecx

loc_56289C:				; CODE XREF: SepQueueWorkItem+11Aj
		test	al, al
		jz	loc_562932
		mov	eax, ecx
		lock xadd [esi+60h], eax
		inc	eax
		mov	dl, [esp+24h+var_13]
		mov	[ebx+28h], eax
		cmp	dl, 2
		jz	loc_5E48FB
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_56292D
		mov	[ebx], esi
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	[esi+4], ebx

loc_5628CD:				; CODE XREF: SepQueueWorkItem+82108j
		mov	eax, ecx
		lock xadd [esi+5Ch], eax
		inc	eax
		cmp	eax, ecx
		jnz	short loc_562936
		mov	bl, cl

loc_5628DB:				; CODE XREF: SepQueueWorkItem+12Cj
		xor	eax, eax
		inc	eax

loc_5628DE:				; CODE XREF: SepQueueWorkItem+8211Aj
					; SepQueueWorkItem+82122j
		cmp	dl, 2
		jz	loc_5E4935
		lea	ecx, [esi+10h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	edi, edi
		inc	edi

loc_5628F7:				; CODE XREF: SepQueueWorkItem+82148j
		test	bl, bl
		jz	short loc_562912
		lea	eax, [esi+4Ch]
		and	dword ptr [eax], 0
		push	edi
		push	eax
		mov	dword ptr [eax+8], offset SepRmCallLsa
		mov	[eax+0Ch], esi
		call	ExQueueWorkItem

loc_562912:				; CODE XREF: SepQueueWorkItem+EBj
		mov	al, [esp+24h+var_11]

loc_562916:				; CODE XREF: SepQueueWorkItem+820D4j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_56291F:				; CODE XREF: SepQueueWorkItem+7Ej
		xor	ecx, ecx
		inc	ecx
		mov	al, cl
		mov	byte ptr [esp+20h+var_10+3], cl
		jmp	loc_56289C
; 

loc_56292D:				; CODE XREF: SepQueueWorkItem+B3j
					; SepQueueWorkItem+820F5j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_562932:				; CODE XREF: SepQueueWorkItem+90j
		mov	dl, [esp+24h+var_13]

loc_562936:				; CODE XREF: SepQueueWorkItem+C9j
		mov	bl, [esp+24h+var_12]
		jmp	short loc_5628DB
SepQueueWorkItem endp


;  S U B	R O U T	I N E 


PsGetServerSiloState proc near		; CODE XREF: SepQueueWorkItem+28p
					; PspCompleteServerSiloShutdown(x)+5p ...

; FUNCTION CHUNK AT 005E4991 SIZE 0000000D BYTES

		test	ecx, ecx
		jnz	loc_5E4991
		xor	eax, eax
		inc	eax
		retn
PsGetServerSiloState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepRmCallLsa	proc near		; DATA XREF: SepQueueWorkItem+F5o

var_36		= byte ptr -36h
var_32		= byte ptr -32h
var_31		= dword	ptr -31h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E499E SIZE 00000115 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		and	[esp+34h+var_31+1], 0
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+40h+var_1C]
		xor	esi, esi
		rep stosd
		mov	al, byte ptr _SepRmAuditingEnabled
		lea	edi, [esp+40h+var_2C]
		mov	[esp+40h+var_32], al
		inc	esi
		xor	eax, eax
		mov	[esp+40h+var_20], esi
		cmp	ds:_AdtpRegisteredWithEtw, 0
		stosd
		stosd
		stosd
		jz	loc_562AF6

loc_56299A:				; CODE XREF: SepRmCallLsa+1D4j
		cmp	[esp+40h+var_32], 0
		jz	short loc_5629B3
		mov	ecx, ds:_SepRmLsaCallProcess
		lea	eax, [esp+40h+var_1C]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess

loc_5629B3:				; CODE XREF: SepRmCallLsa+57j
		xor	esi, esi
		inc	esi

loc_5629B6:				; CODE XREF: SepRmCallLsa+170j
		xor	edi, edi
		test	byte ptr [ebx+78h], 1
		jz	loc_5E49BB
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	eax, eax
		lea	esi, [ebx+10h]
		inc	eax
		push	eax
		push	esi
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [ebx]
		cmp	ecx, ebx
		jz	loc_5E499E
		mov	eax, [ebx+64h]
		inc	eax
		cmp	[ecx+28h], eax
		jnz	short loc_562A0B
		mov	edi, ecx
		mov	eax, [ecx]
		cmp	[ecx+4], ebx
		jnz	loc_562B26
		cmp	[eax+4], ecx
		jnz	loc_562B26
		mov	[ebx], eax
		mov	[eax+4], ebx

loc_562A0B:				; CODE XREF: SepRmCallLsa+A6j
					; SepRmCallLsa+8205Bj ...
		mov	ecx, esi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	edi, edi
		jz	loc_5E49B8

loc_562A26:				; CODE XREF: SepRmCallLsa+82123j
		xor	eax, eax
		inc	eax
		cmp	[edi+18h], eax
		jnz	loc_562AE6
		mov	eax, [edi+10h]
		test	byte ptr [eax+14h], 2
		jnz	loc_562AE6
		mov	eax, large fs:124h
		lea	edx, [esp+40h+var_31]
		mov	ecx, [edi+2Ch]
		mov	byte ptr [esp+40h+var_31], 0
		mov	esi, [eax+390h]
		mov	[eax+390h], ecx
		mov	ecx, [edi+10h]
		call	_AdtpWriteToEtw@8 ; AdtpWriteToEtw(x,x)
		mov	ecx, large fs:124h
		mov	[ecx+390h], esi
		test	eax, eax
		js	loc_5E4A70

loc_562A7A:				; CODE XREF: SepRmCallLsa+82139j
					; SepRmCallLsa+82145j
		mov	eax, [edi+8]
		cmp	eax, 4
		jnz	loc_5E4A92

loc_562A86:				; CODE XREF: SepRmCallLsa+82153j
		push	0
		push	dword ptr [edi+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_562A90:				; CODE XREF: SepRmCallLsa+1A3j
					; SepRmCallLsa+1ACj ...
		lock inc dword ptr [ebx+64h]
		or	eax, 0FFFFFFFFh
		lock xadd [ebx+5Ch], eax
		dec	eax
		mov	ecx, [edi+2Ch]
		mov	[esp+40h+var_20], eax
		test	ecx, ecx
		jnz	loc_5E4AA0

loc_562AAC:				; CODE XREF: SepRmCallLsa+82166j
		push	edi
		call	dword ptr [ebx+74h]
		xor	esi, esi
		inc	esi

loc_562AB3:				; CODE XREF: SepRmCallLsa+82077j
					; SepRmCallLsa+8211Dj
		cmp	[esp+44h+var_24], 0
		jnz	loc_5629B6
		cmp	[esp+44h+var_36], 0
		jz	short loc_562AD0
		xor	edx, edx
		lea	ecx, [esp+44h+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_562AD0:				; CODE XREF: SepRmCallLsa+17Bj
		xor	eax, eax

loc_562AD2:				; CODE XREF: SepRmCallLsa+1B9j
					; SepRmCallLsa+1DCj
		mov	ecx, [esp+44h+var_8]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_562AE6:				; CODE XREF: SepRmCallLsa+E4j
					; SepRmCallLsa+F1j
		cmp	[esp+40h+var_32], 0
		jz	short loc_562A90
		mov	ecx, edi
		call	SepRmDispatchDataToLsa
		jmp	short loc_562A90
; 

loc_562AF6:				; CODE XREF: SepRmCallLsa+4Cj
		lea	ecx, [esp+40h+var_31+1]
		call	_SepAdtOpenEtwReadyEvent@4 ; SepAdtOpenEtwReadyEvent(x)
		test	eax, eax
		js	short loc_562AD2
		push	0
		push	esi
		push	[esp+48h+var_31+1]
		call	NtWaitForSingleObject
		push	[esp+40h+var_31+1]
		mov	esi, eax
		call	NtClose
		test	esi, esi
		jns	loc_56299A
		mov	eax, esi
		jmp	short loc_562AD2
; 

loc_562B26:				; CODE XREF: SepRmCallLsa+AFj
					; SepRmCallLsa+B8j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
SepRmCallLsa	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepRmDispatchDataToLsa proc near	; CODE XREF: SepRmCallLsa+1A7p
					; SepAdtLogAuditRecord(x)+152p

var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_108		= dword	ptr -108h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E4AB3 SIZE 00000124 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 214h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, 100h
		lea	eax, [ebp+var_208]
		push	ebx		; size_t
		xor	esi, esi
		mov	edi, ecx
		push	esi		; int
		push	eax		; void *
		call	_memset
		push	ebx		; size_t
		lea	eax, [ebp+var_108]
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [edi+2Ch]
		add	esp, 18h
		xor	edx, edx
		mov	[ebp+var_210], edx
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		lea	ebx, [eax+1C0h]
		cmp	[ebx+4], edx
		jz	loc_562C5C
		mov	ax, [edi+1Ch]
		xor	ecx, ecx
		add	ax, 20h
		mov	[ebp+var_F0], edx
		mov	word ptr [ebp+var_208+2], ax
		inc	ecx
		add	eax, 0FFFFFFE8h
		mov	word ptr [ebp+var_208],	ax
		movzx	eax, word ptr [edi+24h]
		mov	word ptr [ebp+var_108],	ax
		add	eax, 18h
		mov	word ptr [ebp+var_108+2], ax
		mov	eax, [edi+18h]
		mov	[ebp+var_1F0], eax
		mov	eax, [edi+8]
		mov	[ebp+var_20C], eax
		cmp	eax, ecx
		jnz	loc_5E4AB3
		mov	eax, [edi+1Ch]
		mov	[ebp+var_1EC], ecx
		cmp	eax, 0E0h
		ja	short loc_562C60
		push	eax		; size_t
		lea	eax, [edi+10h]
		push	eax		; void *
		lea	eax, [ebp+var_1E8]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_562C00:				; CODE XREF: SepRmDispatchDataToLsa+82001j
					; SepRmDispatchDataToLsa+8203Bj ...
		test	esi, esi
		js	short loc_562C4B
		cmp	dword ptr [edi+18h], 3
		jnz	loc_5E4B7C
		cmp	dword ptr [edi+20h], 0
		jnz	loc_5E4B7C
		lea	eax, [ebp+var_208]
		push	eax
		push	dword ptr [ebx+4]
		call	_ZwRequestPort@8 ; ZwRequestPort(x,x)

loc_562C27:				; CODE XREF: SepRmDispatchDataToLsa+82066j
		mov	esi, eax
		test	esi, esi
		js	short loc_562C3E
		mov	eax, [edi+20h]
		test	eax, eax
		jnz	loc_5E4B97

loc_562C38:				; CODE XREF: SepRmDispatchDataToLsa+8207Ej
		mov	esi, [ebp+var_F0]

loc_562C3E:				; CODE XREF: SepRmDispatchDataToLsa+FFj
		cmp	[ebp+var_1EC], 3
		jz	loc_5E4BAF

loc_562C4B:				; CODE XREF: SepRmDispatchDataToLsa+D6j
					; SepRmDispatchDataToLsa+139j ...
		mov	eax, esi

loc_562C4D:				; CODE XREF: SepRmDispatchDataToLsa+132j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_562C5C:				; CODE XREF: SepRmDispatchDataToLsa+59j
		xor	eax, eax
		jmp	short loc_562C4D
; 

loc_562C60:				; CODE XREF: SepRmDispatchDataToLsa+BEj
					; SepRmDispatchDataToLsa+81F8Dj
		mov	esi, 0C000000Dh
		jmp	short loc_562C4B
SepRmDispatchDataToLsa endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 808. IoCsqRemoveIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCsqRemoveIrp(x, x)
		public _IoCsqRemoveIrp@8
_IoCsqRemoveIrp@8 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	edi
		push	eax
		xor	ebx, ebx
		push	esi
		mov	byte ptr [ebp+var_4], bl
		mov	[esi+1Ch], ebx
		call	dword ptr [esi+10h]
		mov	edi, [ebp+arg_4]
		mov	edi, [edi+4]
		test	edi, edi
		jz	short loc_562CAD
		xor	ecx, ecx
		lea	eax, [edi+38h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jz	short loc_562CAD
		push	edi
		push	esi
		call	dword ptr [esi+8]
		mov	eax, [ebp+arg_4]
		mov	[eax+4], ebx
		mov	[edi+4Ch], ebx
		mov	ebx, edi

loc_562CAD:				; CODE XREF: IoCsqRemoveIrp(x,x)+24j
					; IoCsqRemoveIrp(x,x)+2Fj
		push	[ebp+var_4]
		push	esi
		call	dword ptr [esi+14h]
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_IoCsqRemoveIrp@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


IoGetDeviceInstanceName	proc near	; CODE XREF: WmipGetGuidObjectInstanceInfo+1Fp
					; WmipTranslatePDOInstanceNames+CFp ...

; FUNCTION CHUNK AT 005E4BD7 SIZE 000000F3 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	loc_5E4CB0
		mov	eax, [esi+0B0h]
		mov	edx, [eax+14h]
		test	edx, edx
		jz	loc_5E4BD7
		test	dword ptr [edx+10Ch], 20000h
		jnz	loc_5E4BD7
		push	ecx
		add	edx, 14h
		mov	ecx, edi
		call	_PnpConcatenateUnicodeStrings@12 ; PnpConcatenateUnicodeStrings(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
IoGetDeviceInstanceName	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDeviceCompletionRequestDestroyWorkItem(x, x, x)
_PnpDeviceCompletionRequestDestroyWorkItem@12 proc near
					; DATA XREF: PnpDeviceCompletionRequestDestroy(x)+1Fo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ecx, [esi+24h]
		test	ecx, ecx
		jz	short loc_562D1B
		call	_PnpDisableWatchdog@4 ;	PnpDisableWatchdog(x)
		and	dword ptr [esi+24h], 0

loc_562D1B:				; CODE XREF: PnpDeviceCompletionRequestDestroyWorkItem(x,x,x)+Ej
		push	[ebp+arg_8]
		call	IoFreeWorkItem
		push	31706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebp
		retn	0Ch
_PnpDeviceCompletionRequestDestroyWorkItem@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDemoteLargeFreePage(x, x,	x, x, x)
_MiDemoteLargeFreePage@20 proc near	; CODE XREF: MiTradePage(x,x)+2EBp

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_8], ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_1], al
		push	1Ch
		pop	ecx
		mov	ebx, ds:_MiLargePageSizes[edi*4]
		neg	ebx
		and	ebx, esi
		imul	esi, ebx, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	ecx
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		mov	ecx, [ebp+var_8]
		push	28h
		imul	eax, [eax+4], 280h
		add	eax, [ecx+10h]
		cmp	[ebp+var_1], 2
		mov	[ebp+arg_0], eax
		pop	eax
		jnb	short loc_562D9A
		test	[ebp+arg_4], 8
		jnz	short loc_562D9A
		push	38h
		pop	eax

loc_562D9A:				; CODE XREF: MiDemoteLargeFreePage(x,x,x,x,x)+5Bj
					; MiDemoteLargeFreePage(x,x,x,x,x)+61j
		push	[ebp+arg_8]
		mov	edx, ebx
		push	eax
		push	edi
		call	_MiTryUnlinkNodeLargePage@20 ; MiTryUnlinkNodeLargePage(x,x,x,x,x)
		test	eax, eax
		jz	short loc_562DCE
		mov	ecx, [ebp+arg_0]
		lea	eax, [edi+1]
		push	0
		push	eax
		push	edi
		mov	edx, esi
		call	_MiInsertDemotedPages@20 ; MiInsertDemotedPages(x,x,x,x,x)
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		inc	eax

loc_562DC7:				; CODE XREF: MiDemoteLargeFreePage(x,x,x,x,x)+9Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_562DCE:				; CODE XREF: MiDemoteLargeFreePage(x,x,x,x,x)+74j
		xor	eax, eax
		jmp	short loc_562DC7
_MiDemoteLargeFreePage@20 endp

; 
		align 8
; Exported entry 1059. IoWMIWriteEvent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoWMIWriteEvent
IoWMIWriteEvent	proc near		; CODE XREF: PpmFireWmiEvent(x,x,x,x)+44p
					; PpmWmiFireIdleAccountingEvent(x,x,x)+62p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E4CCA SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	_WmipServiceDeviceObject, 0
		push	ebx
		push	esi
		push	edi
		jz	loc_5E4CC0
		mov	edi, [ebp+arg_0]
		mov	esi, [edi+2Ch]
		test	esi, 60000h
		jnz	loc_5E4CCA

loc_562E03:				; CODE XREF: IoWMIWriteEvent+81F36j
		push	77696D57h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5E4D2E
		mov	esi, [edi+4]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _WmipRegistrationSpinLock
		mov	[esp+10h+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, esi
		call	_WmipDoFindRegEntryByDevice@4 ;	WmipDoFindRegEntryByDevice(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_562E46
		lock inc dword ptr [esi+18h]

loc_562E46:				; CODE XREF: IoWMIWriteEvent+68j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _WmipRegistrationSpinLock
		jnz	loc_5E4D21
		xor	eax, eax
		lock and [ecx],	eax

loc_562E5D:				; CODE XREF: IoWMIWriteEvent+81F51j
		mov	cl, [esp+10h+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [edi+8]
		mov	edx, ebx
		mov	[edi+28h], eax
		mov	ecx, offset _WmipNPEvent
		push	offset _WmipNPNotificationSpinlock
		mov	[ebx+8], esi
		mov	[ebx+0Ch], edi
		call	@ExfInterlockedInsertTailList@12 ; ExfInterlockedInsertTailList(x,x,x)
		xor	eax, eax
		inc	eax
		lock xadd _WmipEventWorkItems, eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_562EA0
		push	eax
		push	offset _WmipEventWorkQueueItem
		call	ExQueueWorkItem

loc_562EA0:				; CODE XREF: IoWMIWriteEvent+BBj
		xor	eax, eax

loc_562EA2:				; CODE XREF: IoGetDeviceInstanceName+82007j
					; IoWMIWriteEvent+81F08j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
IoWMIWriteEvent	endp

; 
		align 10h
; Exported entry 694. HviIsAnyHypervisorPresent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public HviIsAnyHypervisorPresent
HviIsAnyHypervisorPresent proc near	; CODE XREF: KiRestoreFeatureBits()+C8p
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x):loc_56B2B8p ...

var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E4D38 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_19], 0
		lea	edi, [ebp+var_18]
		xor	ecx, ecx
		stosd
		push	ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		lea	edi, [ebp+var_18]
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	[ebp+var_10], 80000000h
		jnz	loc_5E4D38

loc_562EF9:				; CODE XREF: HviIsAnyHypervisorPresent+81EB3j
		mov	al, [ebp+var_19]

loc_562EFC:				; CODE XREF: HviIsAnyHypervisorPresent+81EADj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
HviIsAnyHypervisorPresent endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEsUpdateState proc near		; CODE XREF: PopEsWorker+C3p

var_2C		= dword	ptr -2Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E4D68 SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_2], cl
		lea	edi, [ebp+var_2C]
		push	8
		pop	ecx
		xor	eax, eax
		xor	ebx, ebx
		rep stosd
		lea	ecx, [ebp+var_2C]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_1], bl
		call	_PopCurrentPowerState@4	; PopCurrentPowerState(x)
		mov	edi, _PopEsReason
		lea	edx, [ebp+var_8]
		lea	ecx, [ebp+var_2C]
		call	PopEsEvaluateNextState
		mov	[ebp+var_C], eax
		cmp	eax, _PopEsState
		jnz	short loc_562F79

loc_562F50:				; CODE XREF: PopEsUpdateState+6Fj
		mov	esi, [ebp+var_8]
		cmp	esi, edi
		jnz	short loc_562F7D
		mov	al, [ebp+var_1]

loc_562F5A:				; CODE XREF: PopEsUpdateState+76j
		cmp	[ebp+var_2], 0
		jnz	loc_5E4D68
		test	bl, bl
		jnz	loc_5E4D68
		test	al, al
		jnz	loc_5E4D68

loc_562F74:				; CODE XREF: PopEsUpdateState+81ED0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_562F79:				; CODE XREF: PopEsUpdateState+42j
		mov	bl, 1
		jmp	short loc_562F50
; 

loc_562F7D:				; CODE XREF: PopEsUpdateState+49j
		mov	al, 1
		mov	[ebp+var_1], al
		jmp	short loc_562F5A
PopEsUpdateState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPluginComponentIdleState proc near	; CODE XREF: PopFxProcessWork+35Ap
					; PoFxCompleteIdleState+81DDEp

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		push	edi
		test	esi, esi
		jz	short loc_562F9F
		push	8
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd

loc_562F9F:				; CODE XREF: PopPluginComponentIdleState+10j
		push	esi
		push	ecx
		mov	ecx, [ebx+20h]
		call	PopPepNotifyIdleState
		test	al, al
		jz	short loc_562FB5
		test	esi, esi
		jz	loc_5CA422

loc_562FB5:				; CODE XREF: PopPluginComponentIdleState+27j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
PopPluginComponentIdleState endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepNotifyIdleState proc near		; CODE XREF: PopPluginComponentIdleState+20p

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E4DE1 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		mov	esi, ecx
		push	edi
		imul	edi, eax, 0A8h
		xor	bl, bl
		mov	[ebp+var_4], eax
		add	edi, esi
		cmp	[esi+4Ch], bl
		jnz	loc_5E4DE1

loc_562FE1:				; CODE XREF: PopPepNotifyIdleState+81E41j
		push	[ebp+arg_4]
		lea	edx, [edi+88h]
		push	ecx
		push	6
		push	1
		mov	ecx, esi
		call	_PopPepProcessEvent@24 ; PopPepProcessEvent(x,x,x,x,x,x)
		mov	edx, [ebp+var_4]
		mov	bl, al
		mov	ecx, [esi+18h]
		push	1
		push	dword ptr [edi+118h]
		push	dword ptr [edi+11Ch]
		call	PopPlNotifyDeviceFState

loc_563011:				; CODE XREF: PopPepNotifyIdleState+81E3Bj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
PopPepNotifyIdleState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepStartComponentIdleStateChangeActivity proc near ;	DATA XREF: .text:004012F8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E4E04 SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		test	edi, edi
		jz	short loc_5630A8
		mov	ebx, [edi+34h]
		mov	esi, [ebp+arg_0]
		mov	ecx, [ebx+0Ch]
		test	ecx, ecx
		jnz	short loc_563072
		mov	ecx, [edi+90h]
		mov	[edi+94h], ecx
		mov	edx, [ebx+8]
		mov	[edi+90h], edx
		cmp	[esi+4Ch], al
		jnz	loc_5E4E04
		push	eax
		push	edx
		mov	edx, [edi+8]
		push	ecx
		mov	ecx, [esi+18h]
		call	PopPlNotifyDeviceFState
		push	2
		pop	edx
		mov	[ebx+0Ch], edx
		mov	ecx, edx
		xor	eax, eax

loc_563072:				; CODE XREF: PopPepStartComponentIdleStateChangeActivity+20j
		cmp	ecx, 1
		jz	loc_5E4E0B

loc_56307B:				; CODE XREF: PopPepStartComponentIdleStateChangeActivity+81E54j
					; PopPepStartComponentIdleStateChangeActivity+81E61j
		cmp	dword ptr [ebx+0Ch], 2
		jnz	short loc_5630B1
		mov	ecx, [ebp+arg_8]
		mov	dword ptr [ecx], 1
		mov	eax, [esi+18h]
		mov	[ecx+4], eax
		mov	eax, [edi+8]
		mov	[ecx+8], eax
		mov	eax, [edi+90h]
		mov	[ecx+0Ch], eax
		mov	al, 1
		mov	dword ptr [ebx+0Ch], 3

loc_5630A8:				; CODE XREF: PopPepStartComponentIdleStateChangeActivity+13j
					; PopPepStartComponentIdleStateChangeActivity+99j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_5630B1:				; CODE XREF: PopPepStartComponentIdleStateChangeActivity+65j
		xor	eax, eax
		jmp	short loc_5630A8
PopPepStartComponentIdleStateChangeActivity endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPlNotifyDeviceFState	proc near	; CODE XREF: PopPepNotifyIdleState+4Ep
					; PopPepStartComponentIdleStateChangeActivity+49p ...

var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005E4E80 SIZE 000001FE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ecx+240h]
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+edx*4]
		mov	[ebp+var_E0], edx
		mov	[ebp+var_D8], ecx
		mov	[ebp+var_D4], eax
		cmp	dword ptr [eax+16Ch], 0
		jnz	loc_5E4E80

loc_5630F6:				; CODE XREF: PopPlNotifyDeviceFState+81DD7j
					; PopPlNotifyDeviceFState+81DE4j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
PopPlNotifyDeviceFState	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 897. IoInvalidateDeviceState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoInvalidateDeviceState
IoInvalidateDeviceState	proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E507E SIZE 00000100 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		test	edi, edi
		jz	loc_5E5159
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_5E507E
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_5E507E
		cmp	dword ptr [eax+0ACh], 308h
		jnz	short loc_56315D
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	0Bh
		pop	edx
		mov	ecx, edi
		call	PnpRequestDeviceAction

loc_56315D:				; CODE XREF: IoInvalidateDeviceState+40j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
IoInvalidateDeviceState	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl CompareLangIDs(const void	*,const	void *)
?CompareLangIDs@@YAHPBX0@Z proc	near	; DATA XREF: DownLevelLangIDToLanguageName+27o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		movzx	ecx, word ptr [eax]
		mov	eax, [ebp+arg_4]
		movzx	eax, word ptr [eax+4]
		cmp	ax, cx
		jz	short loc_563183
		sbb	eax, eax
		and	eax, 2
		dec	eax
		pop	ebp
		retn
; 

loc_563183:				; CODE XREF: CompareLangIDs(void const *,void const *)+15j
		xor	eax, eax
		pop	ebp
		retn
?CompareLangIDs@@YAHPBX0@Z endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 896. IoInvalidateDeviceRelations

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoInvalidateDeviceRelations
IoInvalidateDeviceRelations proc near	; CODE XREF: PiSwIrpStartCreateWorker+1C8p
					; IopPnPDispatch+69C3Cp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E517E SIZE 000000F9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		test	edi, edi
		jz	loc_5E5259
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_5E517E
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_5E517E
		mov	edx, [ebp+arg_4]
		mov	eax, edx
		sub	eax, esi
		jnz	short loc_5631E5

loc_5631CB:				; CODE XREF: IoInvalidateDeviceRelations+66j
		push	esi
		push	esi
		neg	edx
		push	esi
		push	esi
		sbb	edx, edx
		push	esi
		add	edx, 9

loc_5631D7:				; CODE XREF: IoInvalidateDeviceRelations+75j
		mov	ecx, edi
		call	PnpRequestDeviceAction

loc_5631DE:				; CODE XREF: IoInvalidateDeviceState+82060j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_5631E5:				; CODE XREF: IoInvalidateDeviceRelations+3Dj
		sub	eax, 1
		jz	short loc_563203
		sub	eax, 1
		jz	short loc_5631F9
		sub	eax, 3
		jz	short loc_5631CB
		jmp	loc_5E5169
; 

loc_5631F9:				; CODE XREF: IoInvalidateDeviceRelations+61j
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	5

loc_563200:				; CODE XREF: IoInvalidateDeviceRelations+7Ej
					; IoInvalidateDeviceState+8206Dj
		pop	edx
		jmp	short loc_5631D7
; 

loc_563203:				; CODE XREF: IoInvalidateDeviceRelations+5Cj
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	14h
		jmp	short loc_563200
IoInvalidateDeviceRelations endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlULongLongMult(x,	x, x, x, x)
_RtlULongLongMult@20 proc near		; CODE XREF: PpmConvertTime+49p
					; RtlLongLongMult(x,x,x,x,x)+3Fp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		cmp	[ebp+arg_4], 0
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, 0C0000095h
		mov	ecx, [ebp+arg_C]
		jnz	short loc_563248
		test	ecx, ecx
		jnz	short loc_56324C
		mov	eax, [ebp+arg_8]
		mul	[ebp+arg_0]
		mov	[esi], eax
		mov	[esi+4], edx

loc_56323D:				; CODE XREF: RtlULongLongMult(x,x,x,x,x)+90j
		xor	edi, edi

loc_56323F:				; CODE XREF: RtlULongLongMult(x,x,x,x,x)+99j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_563248:				; CODE XREF: RtlULongLongMult(x,x,x,x,x)+20j
		test	ecx, ecx
		jnz	short loc_56329E

loc_56324C:				; CODE XREF: RtlULongLongMult(x,x,x,x,x)+24j
		mov	eax, [ebp+arg_8]
		mul	[ebp+arg_4]
		mov	ebx, eax
		xor	eax, eax
		or	eax, edx
		jnz	short loc_56329E
		mov	eax, ecx
		mul	[ebp+arg_0]
		mov	ecx, eax
		xor	eax, eax
		or	eax, edx
		jnz	short loc_56329E
		push	ebx
		push	eax
		push	ecx
		push	eax
		lea	ecx, [ebp+var_8]
		call	_RtlULongLongAdd@20 ; RtlULongLongAdd(x,x,x,x,x)
		test	eax, eax
		js	short loc_56329E
		mov	eax, [ebp+arg_8]
		lea	ecx, [ebp+var_8]
		mul	[ebp+arg_0]
		push	edx
		push	eax
		push	[ebp+var_4]
		push	[ebp+var_8]
		call	_RtlULongLongAdd@20 ; RtlULongLongAdd(x,x,x,x,x)
		test	eax, eax
		js	short loc_56329E
		mov	eax, [ebp+var_8]
		mov	[esi], eax
		mov	eax, [ebp+var_4]
		mov	[esi+4], eax
		jmp	short loc_56323D
; 

loc_56329E:				; CODE XREF: RtlULongLongMult(x,x,x,x,x)+3Ej
					; RtlULongLongMult(x,x,x,x,x)+4Cj ...
		or	dword ptr [esi], 0FFFFFFFFh
		or	dword ptr [esi+4], 0FFFFFFFFh
		jmp	short loc_56323F
_RtlULongLongMult@20 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 759. IoCallDriver
; Exported entry 1662. PoCallDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoCallDriver(x, x)
		public _PoCallDriver@8
_PoCallDriver@8	proc near		; CODE XREF: IoCancelFileOpen(x,x)+A4p
					; ViFilterDispatchPower(x,x)+7Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi	; IoCallDriver
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	IofCallDriver
		pop	ebp
		retn	8
_PoCallDriver@8	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1010. IoStartNextPacket

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoStartNextPacket
IoStartNextPacket proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+0B0h]
		test	dword ptr [eax+24h], 100h
		jz	loc_5E5269
		xor	eax, eax
		cmp	[ebp+arg_4], al
		setnz	al
		xor	edx, edx
		dec	eax
		and	eax, 0FFFFFF80h
		add	eax, 0A0h
		push	eax
		call	IopStartNextPacketByKeyEx

loc_5632FA:				; CODE XREF: IoInvalidateDeviceRelations+820E6j
		pop	ebp
		retn	8
IoStartNextPacket endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopStartNextPacketByKeyEx proc near	; CODE XREF: IoStartNextPacket+2Fp
					; IoStartNextPacketByKey(x,x,x)+2Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E5277 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		mov	ecx, [ebp+arg_0]
		push	edi
		mov	edi, [esi+0B0h]

loc_563315:				; CODE XREF: IopStartNextPacketByKeyEx+8Aj
		xor	eax, eax
		inc	eax
		lock xadd [edi+1Ch], eax
		inc	eax
		mov	ebx, [esi+0B0h]
		mov	edx, [ebx+24h]
		cmp	eax, 1
		jg	short loc_563391
		and	edx, 0FFFFFF1Fh
		mov	edi, ecx
		mov	[ebx+24h], edx
		and	edi, 80h
		mov	eax, [esi+0B0h]
		and	dword ptr [eax+20h], 0
		test	cl, 40h
		jnz	loc_5E5277
		test	cl, 20h
		jz	short loc_56335E
		mov	edx, edi
		mov	ecx, esi
		call	IopStartNextPacket

loc_56335E:				; CODE XREF: IopStartNextPacketByKeyEx+55j
					; IopStartNextPacketByKeyEx+A4j ...
		mov	ecx, [esi+0B0h]
		or	eax, 0FFFFFFFFh
		add	ecx, 1Ch
		lock xadd [ecx], eax
		jnz	short loc_56338A
		mov	edi, [esi+0B0h]
		mov	ecx, [edi+24h]
		mov	eax, [edi+20h]
		and	ecx, 0E0h
		mov	[ebp+var_4], eax
		test	cl, 60h
		jnz	short loc_563315

loc_56338A:				; CODE XREF: IopStartNextPacketByKeyEx+70j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_563391:				; CODE XREF: IopStartNextPacketByKeyEx+2Cj
		or	edx, ecx
		mov	ecx, [ebp+var_4]
		mov	[ebx+24h], edx
		mov	eax, [esi+0B0h]
		mov	[eax+20h], ecx
		jmp	short loc_56335E
IopStartNextPacketByKeyEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopStartNextPacket proc	near		; CODE XREF: IopStartNextPacketByKeyEx+5Bp
					; IoInvalidateDeviceRelations+820E1p

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E5289 SIZE 000000D8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	bl, bl
		mov	[ebp+var_1], bl
		mov	esi, ecx
		test	edi, edi
		jnz	loc_5E5289

loc_5633BE:				; CODE XREF: IopStartNextPacket+81EF2j
		and	dword ptr [esi+14h], 0
		lea	ecx, [esi+60h]
		push	ecx
		call	KeRemoveDeviceQueue
		test	eax, eax
		jnz	short loc_5633DC
		test	edi, edi
		jnz	loc_5E5308

loc_5633D7:				; CODE XREF: IopStartNextPacket+4Ej
					; IopStartNextPacket+81FB8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5633DC:				; CODE XREF: IopStartNextPacket+29j
		lea	ebx, [eax-40h]
		mov	[esi+14h], ebx
		test	edi, edi
		jnz	loc_5E529B

loc_5633EA:				; CODE XREF: IopStartNextPacket+81F5Fj
		mov	eax, [esi+8]
		push	ebx
		push	esi
		call	dword ptr [eax+30h]
		jmp	short loc_5633D7
IopStartNextPacket endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCreatePowerThread(x, x)
_PopCreatePowerThread@8	proc near	; CODE XREF: PopCreateDynamicIrpWorker+26p
					; PopInitializeIrpWorkers()+A3p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	edx
		xor	edi, edi
		mov	[ebp+var_20], 18h
		push	ecx
		push	edi
		push	edi
		lea	eax, [ebp+var_20]
		mov	[ebp+var_8], edi
		push	eax
		mov	esi, 1FFFFFh
		mov	[ebp+var_4], edi
		push	esi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_1C], edi
		push	eax
		mov	[ebp+var_14], 200h
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_56347B
		push	edi
		lea	eax, [ebp+var_8]
		mov	ebx, 72496F50h
		push	eax
		push	ebx
		push	edi
		push	ds:_PsThreadType
		push	esi
		push	[ebp+var_4]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_563479
		push	0Dh
		push	[ebp+var_8]
		call	KeSetActualBasePriorityThread
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	ObfDereferenceObjectWithTag

loc_563479:				; CODE XREF: PopCreatePowerThread(x,x)+6Fj
		mov	eax, edi

loc_56347B:				; CODE XREF: PopCreatePowerThread(x,x)+46j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopCreatePowerThread@8	endp

; 

MiAddPrivateFixupEntryForSystemImage:	; CODE XREF: MiGetSystemAddressForImage+199p
		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+4], ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp-0Ch], edx
		push	0
		pop	ecx
		push	0
		mov	eax, [edi]
		mov	edx, 69536D4Dh
		push	40h
		mov	eax, [eax+4]
		test	al, 1Fh
		setnz	cl
		shr	eax, 5
		add	ecx, 2
		add	ecx, eax
		shl	ecx, 2
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp-8], eax
		test	eax, eax
		jz	loc_5E5373
		push	0
		push	40h
		push	1Ch
		mov	edx, 6946694Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5E5369
		mov	ecx, [ebp-8]
		mov	edx, edi
		call	_MiInitializePrivateFixupBitmap@8 ; MiInitializePrivateFixupBitmap(x,x)
		mov	ecx, [ebp-0Ch]
		mov	eax, [ebp-8]
		mov	[esi+14h], eax
		mov	[esi+18h], edi
		mov	[esi+8], ecx
		mov	eax, [edi]
		mov	eax, [eax+4]
		shl	eax, 0Ch
		dec	eax
		add	eax, ecx
		mov	[esi+0Ch], eax
		mov	eax, [edi]
		mov	eax, [eax+18h]
		mov	[esi+10h], eax
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		jb	short loc_563549
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_5E537A
		cmp	ecx, edx
		jb	short loc_563549
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_5E537A

loc_563549:				; CODE XREF: .text:00563529j
					; .text:0056353Aj ...
		mov	edi, offset unk_6CF554
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	ecx, dword_6CF544
		mov	[ebp-1], al
		mov	eax, offset dword_6CF540
		cmp	[ecx], eax
		jnz	short loc_56358E
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		push	edi
		mov	dword_6CF544, esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		inc	eax

loc_563585:				; CODE XREF: .text:005E5375j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_56358E:				; CODE XREF: .text:00563564j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 8
; Exported entry 2252. RtlMapSecurityErrorToNtStatus

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlMapSecurityErrorToNtStatus
RtlMapSecurityErrorToNtStatus proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E539B SIZE 00000086 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, 80090316h
		cmp	eax, ecx
		jle	loc_5E539B
		cmp	eax, 80090324h
		jz	short loc_5635D4
		cmp	eax, 80090331h
		jz	short loc_5635C6 ; case	-0x7FF6FCFE
		cmp	eax, 8009035Dh
		jz	short loc_5635CD ; case	-0x7FF6FCF8

loc_5635C2:				; CODE XREF: RtlMapSecurityErrorToNtStatus+33j
					; RtlMapSecurityErrorToNtStatus+3Aj ...
		pop	ebp		; default
		retn	4
; 

loc_5635C6:				; CODE XREF: RtlMapSecurityErrorToNtStatus+21j
					; RtlMapSecurityErrorToNtStatus+81E14j
					; DATA XREF: ...
		mov	eax, 0C00000BBh	; case -0x7FF6FCFE
		jmp	short loc_5635C2 ; default
; 

loc_5635CD:				; CODE XREF: RtlMapSecurityErrorToNtStatus+28j
					; RtlMapSecurityErrorToNtStatus+81E14j
					; DATA XREF: ...
		mov	eax, 0C000000Dh	; case -0x7FF6FCF8
		jmp	short loc_5635C2 ; default
; 

loc_5635D4:				; CODE XREF: RtlMapSecurityErrorToNtStatus+1Aj
		mov	eax, 0C0000133h
		jmp	short loc_5635C2 ; default
RtlMapSecurityErrorToNtStatus endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpUnregisterPlugPlayNotification proc near
					; CODE XREF: IoUnregisterPlugPlayNotification(x)+Bp
					; IoUnregisterPlugPlayNotificationEx(x)+Bp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E546B SIZE 000000B8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	bl, dl
		xor	bh, bh
		mov	[ebp+var_2], bl
		mov	ecx, offset _PnpNotificationInProgressLock
		mov	[ebp+var_1], bh
		mov	esi, [edi+24h]
		call	ExAcquireFastMutex
		cmp	ds:_PnpNotificationInProgress, bh
		jnz	loc_5E546B

loc_56360C:				; CODE XREF: PnpUnregisterPlugPlayNotification+81F14j
		mov	ecx, offset _PnpNotificationInProgressLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	bl, bl
		jz	short loc_56367C
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [edi+28h]
		call	ExAcquireResourceExclusiveLite

loc_563632:				; CODE XREF: PnpUnregisterPlugPlayNotification+A2j
					; PnpUnregisterPlugPlayNotification+ABj
		cmp	byte ptr [edi+22h], 0
		jnz	loc_5E54FA

loc_56363C:				; CODE XREF: PnpUnregisterPlugPlayNotification+81F20j
		mov	byte ptr [edi+22h], 1
		test	bl, bl
		jz	short loc_563663
		mov	ecx, [edi+28h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		jz	short loc_563663
		mov	ecx, esi
		call	ExAcquireFastMutex

loc_563663:				; CODE XREF: PnpUnregisterPlugPlayNotification+66j
					; PnpUnregisterPlugPlayNotification+7Ej
		mov	ecx, edi
		call	_PnpDereferenceNotify@4	; PnpDereferenceNotify(x)

loc_56366A:				; CODE XREF: PnpUnregisterPlugPlayNotification+81F28j
		test	esi, esi
		jz	short loc_563675
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_563675:				; CODE XREF: PnpUnregisterPlugPlayNotification+90j
					; PnpUnregisterPlugPlayNotification+81F42j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
; 

loc_56367C:				; CODE XREF: PnpUnregisterPlugPlayNotification+3Cj
		test	esi, esi
		jz	short loc_563632
		mov	ecx, esi
		call	ExAcquireFastMutex
		jmp	short loc_563632
PnpUnregisterPlugPlayNotification endp

; 
		align 4
		db 2 dup(0CCh)
; 
; Exported entry 1124. KeDeregisterBugCheckReasonCallback

		public KeDeregisterBugCheckReasonCallback
KeDeregisterBugCheckReasonCallback:
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	esi, offset _KeBugCheckCallbackLock
		mov	[ebp-1], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+8]
		xor	ebx, ebx
		cmp	byte ptr [ecx+18h], 1
		jnz	short loc_5636D0
		mov	[ecx+18h], bl
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jnz	short loc_5636F3
		cmp	[eax], ecx
		jnz	short loc_5636F3
		mov	[eax], edx
		mov	bl, 1
		mov	[edx+4], eax

loc_5636D0:				; CODE XREF: .text:005636B6j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E5523
		xor	eax, eax
		lock and [esi],	eax

loc_5636E2:				; CODE XREF: .text:005E552Dj
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
; 

loc_5636F3:				; CODE XREF: .text:005636C3j
					; .text:005636C7j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1369. MmAllocateContiguousMemorySpecifyCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAllocateContiguousMemorySpecifyCache(x, x, x, x, x, x, x,	x)
		public _MmAllocateContiguousMemorySpecifyCache@32
_MmAllocateContiguousMemorySpecifyCache@32 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	80000000h
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_MmAllocateContiguousMemorySpecifyCacheNode@36 ; MmAllocateContiguousMemorySpecifyCacheNode(x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	20h
_MmAllocateContiguousMemorySpecifyCache@32 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1370. MmAllocateContiguousMemorySpecifyCacheNode

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAllocateContiguousMemorySpecifyCacheNode(x, x, x,	x, x, x, x, x, x)
		public _MmAllocateContiguousMemorySpecifyCacheNode@36
_MmAllocateContiguousMemorySpecifyCacheNode@36 proc near
					; CODE XREF: MmAllocateContiguousMemorySpecifyCache(x,x,x,x,x,x,x,x)+22p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_1C], 1
		jz	short loc_56376F
		xor	eax, eax
		cmp	[ebp+arg_1C], 2
		setnz	al
		dec	eax
		and	eax, 200h
		add	eax, 204h

loc_56374D:				; CODE XREF: MmAllocateContiguousMemorySpecifyCacheNode(x,x,x,x,x,x,x,x,x)+44j
		push	[ebp+arg_20]
		push	eax
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	MmAllocateContiguousNodeMemory
		pop	ebp
		retn	24h
; 

loc_56376F:				; CODE XREF: MmAllocateContiguousMemorySpecifyCacheNode(x,x,x,x,x,x,x,x,x)+9j
		push	40h
		pop	eax
		jmp	short loc_56374D
_MmAllocateContiguousMemorySpecifyCacheNode@36 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1037. IoValidateDeviceIoControlAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoValidateDeviceIoControlAccess
IoValidateDeviceIoControlAccess	proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005E5532 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_4], 3
		jz	short loc_5637C4
		mov	eax, [ebp+arg_0]
		mov	edx, [eax+60h]
		mov	cl, [edx]
		cmp	cl, 0Eh
		jnz	loc_5E5532

loc_563796:				; CODE XREF: IoValidateDeviceIoControlAccess+81DC1j
		cmp	byte ptr [eax+20h], 0
		jz	short loc_5637B7
		mov	al, [edx+2]
		movzx	ecx, al
		shr	ecx, 1
		and	ecx, 2
		movzx	eax, al
		and	eax, 1
		or	ecx, eax
		and	ecx, dword ptr [ebp+arg_4]
		cmp	ecx, dword ptr [ebp+arg_4]
		jnz	short loc_5637BD

loc_5637B7:				; CODE XREF: IoValidateDeviceIoControlAccess+20j
		xor	eax, eax

loc_5637B9:				; CODE XREF: IoValidateDeviceIoControlAccess+48j
					; IoValidateDeviceIoControlAccess+4Fj
		pop	ebp
		retn	8
; 

loc_5637BD:				; CODE XREF: IoValidateDeviceIoControlAccess+3Bj
		mov	eax, 0C0000022h
		jmp	short loc_5637B9
; 

loc_5637C4:				; CODE XREF: IoValidateDeviceIoControlAccess+9j
					; IoValidateDeviceIoControlAccess+81DBBj
		mov	eax, 0C000000Dh
		jmp	short loc_5637B9
IoValidateDeviceIoControlAccess	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmUpdateProcessorPolicyCallback(x,	x, x)
_PpmUpdateProcessorPolicyCallback@12 proc near ; DATA XREF: PpmUpdateProcessorPolicy+D4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		mov	edx, [ecx+3EA4h]
		mov	ecx, [ecx+3EA0h]
		call	PpmUpdateTargetProcessorPolicy
		xor	eax, eax
		pop	ebp
		retn	0Ch
_PpmUpdateProcessorPolicyCallback@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmUpdateTargetProcessorPolicy proc near
					; CODE XREF: PpmUpdateProcessorPolicyCallback(x,x,x)+1Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E5540 SIZE 0000008A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], eax
		push	edi
		mov	ebx, [eax+4]
		mov	edi, [ebp+arg_0]
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_56381E
		test	byte ptr [edi],	20h
		jz	short loc_56381E
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		mov	edx, [edx+34h]
		call	eax

loc_56381E:				; CODE XREF: PpmUpdateTargetProcessorPolicy+1Bj
					; PpmUpdateTargetProcessorPolicy+20j
		mov	eax, [esi+34h]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	loc_5E5540

loc_56382C:				; CODE XREF: PpmUpdateTargetProcessorPolicy+81D51j
					; PpmUpdateTargetProcessorPolicy+81D62j
		mov	eax, [esi+38h]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	loc_5E5559

loc_56383A:				; CODE XREF: PpmUpdateTargetProcessorPolicy+81D71j
					; PpmUpdateTargetProcessorPolicy+81D82j
		mov	eax, [esi+3Ch]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	loc_5E5579

loc_563848:				; CODE XREF: PpmUpdateTargetProcessorPolicy+81D8Aj
					; PpmUpdateTargetProcessorPolicy+81DA9j ...
		mov	eax, [esi+2Ch]
		test	eax, eax
		jnz	loc_5E55AF

loc_563853:				; CODE XREF: PpmUpdateTargetProcessorPolicy+81DC3j
					; PpmUpdateTargetProcessorPolicy+81DD3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
PpmUpdateTargetProcessorPolicy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpOplockBreakToNone	proc near	; CODE XREF: FsRtlCheckOplockEx2+661p
					; FsRtlOplockBreakToNoneEx(x,x,x,x,x,x)+71p ...

var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

; FUNCTION CHUNK AT 005E55CA SIZE 0000028D BYTES

		push	28h
		push	offset dword_6A4CC8
		call	__SEH_prolog4
		mov	[ebp+var_28], edx
		mov	esi, ecx
		xor	eax, eax
		lea	edi, [ebp+var_38]
		stosd
		stosd
		stosd
		stosd
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		test	esi, esi
		jz	short loc_5638A4
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [esi+48h]
		xor	edx, edx
		inc	edx
		cmp	eax, edx
		jz	short loc_563895
		test	eax, 6000h
		jz	loc_5E55CA

loc_563895:				; CODE XREF: FsRtlpOplockBreakToNone+2Ej
					; FsRtlpOplockBreakToNone+81D85j ...
		mov	[ebp+var_20], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	nullsub_3

loc_5638A4:				; CODE XREF: FsRtlpOplockBreakToNone+21j
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	30h
FsRtlpOplockBreakToNone	endp

; [00000001 BYTES: COLLAPSED FUNCTION nullsub_3. PRESS KEYPAD "+" TO EXPAND]
		align 4
		db 2 dup(0CCh)
; Exported entry 1012. IoStartPacket

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoStartPacket
IoStartPacket	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005E585F SIZE 00000101 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	cl, 2
		push	edi
		mov	edi, [ebp+arg_0]
		mov	byte ptr [ebp+arg_0+3],	0
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ebx, [ebp+arg_C]
		mov	byte ptr [ebp+arg_4+3],	al
		test	ebx, ebx
		jnz	loc_5E585F

loc_5638E6:				; CODE XREF: IoStartPacket+81FAFj
		mov	eax, [ebp+arg_8]
		lea	ecx, [esi+40h]
		lea	edx, [edi+60h]
		test	eax, eax
		jnz	loc_5E5872
		push	ecx
		push	edx
		call	KeInsertDeviceQueue

loc_5638FE:				; CODE XREF: IoStartPacket+81FBDj
		test	al, al
		jnz	short loc_563925
		mov	[edi+14h], esi
		test	ebx, ebx
		jnz	loc_5E5880

loc_56390D:				; CODE XREF: IoStartPacket+8202Aj
		mov	eax, [edi+8]
		push	esi
		push	edi
		call	dword ptr [eax+30h]

loc_563915:				; CODE XREF: IoStartPacket+69j
					; IoStartPacket+82043j	...
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_563925:				; CODE XREF: IoStartPacket+42j
		test	ebx, ebx
		jz	short loc_563915
		jmp	loc_5E58ED
IoStartPacket	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepLinkLogonSessions proc near		; CODE XREF: PAGE:007E9C92p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E5960 SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		push	6
		mov	[esp+44h+var_24], ecx
		lea	edi, [esp+44h+var_18]
		pop	ecx
		push	[ebp+arg_0]
		xor	esi, esi
		mov	[esp+44h+var_1C], edx
		push	ds:dword_A94CB4
		xor	eax, eax
		mov	[esp+48h+var_2C], esi
		push	ds:_SeCreateTokenPrivilege
		rep stosd
		mov	ebx, esi
		mov	[esp+4Ch+var_30], esi
		mov	[esp+4Ch+var_20], esi
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_5E5960
		mov	eax, [esp+40h+var_24]
		mov	eax, [eax+0C0h]
		cmp	[eax+20h], esi
		jnz	loc_5E5993
		mov	eax, ds:_SeTokenObjectType
		lea	ecx, [esp+40h+var_28]
		push	esi
		push	ecx
		push	[ebp+arg_0]
		mov	[esp+4Ch+var_28], esi
		push	eax
		push	88h
		push	[esp+54h+var_1C]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, [esp+40h+var_28]
		mov	edi, eax
		test	edi, edi
		js	loc_5E5965
		mov	edx, [ebx+0C0h]
		cmp	[edx+20h], esi
		jnz	loc_5E5993
		mov	eax, [esp+40h+var_24]
		mov	ecx, [eax+0C0h]
		cmp	ecx, edx
		jz	loc_5E599A
		cmp	dword ptr [eax+0A8h], 1
		jnz	loc_5E5993
		cmp	dword ptr [ebx+0A8h], 1
		jnz	loc_5E5993
		lea	ecx, [esp+40h+var_30]
		mov	[esp+40h+var_18], 18h
		push	ecx		; int
		push	esi		; int
		push	esi		; int
		push	esi		; size_t
		push	1		; int
		push	esi		; char
		lea	edx, [esp+58h+var_18]
		mov	[esp+58h+var_14], esi
		mov	ecx, eax
		mov	[esp+58h+var_C], esi
		mov	[esp+58h+var_10], esi
		mov	[esp+58h+var_8], esi
		mov	[esp+58h+var_4], esi
		call	_SepDuplicateToken@32 ;	SepDuplicateToken(x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_5E5965
		lea	eax, [esp+40h+var_2C]
		mov	ecx, ebx
		push	eax		; int
		push	esi		; int
		push	esi		; int
		push	esi		; size_t
		push	1		; int
		push	esi		; char
		lea	edx, [esp+58h+var_18]
		call	_SepDuplicateToken@32 ;	SepDuplicateToken(x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_5E5965
		mov	ecx, [esp+40h+var_30]
		lea	edx, [esp+40h+var_20]
		lea	ecx, [ecx+18h]
		call	_SepReferenceLogonSession@8 ; SepReferenceLogonSession(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_563B24
		mov	ecx, [esp+40h+var_30]
		mov	eax, [ecx+0C0h]
		mov	[eax+20h], ecx
		mov	eax, [esp+40h+var_2C]
		mov	edx, [eax+0C0h]
		mov	eax, [esp+40h+var_30]
		mov	ecx, [eax+0C0h]
		mov	eax, [edx+4]
		mov	[ecx+0Ch], eax
		mov	eax, [edx+8]
		mov	[ecx+10h], eax
		mov	eax, [esp+40h+var_30]
		mov	eax, [eax+0C0h]
		or	dword ptr [eax+18h], 2
		mov	ecx, [esp+40h+var_2C]
		mov	eax, [ecx+0C0h]
		mov	[eax+20h], ecx
		mov	eax, [esp+40h+var_30]
		mov	edx, [eax+0C0h]
		mov	eax, [esp+40h+var_2C]
		mov	ecx, [eax+0C0h]
		mov	eax, [edx+4]
		mov	[ecx+0Ch], eax
		mov	eax, [edx+8]
		mov	[ecx+10h], eax
		mov	eax, [esp+40h+var_2C]
		mov	eax, [eax+0C0h]
		or	dword ptr [eax+18h], 4
		cmp	ds:_SeTokenLeakTracking, esi
		jnz	loc_5E59A5

loc_563AF0:				; CODE XREF: SepLinkLogonSessions+82089j
		mov	ecx, [esp+40h+var_2C]
		call	_SepStopReferencingLogonSession@4 ; SepStopReferencingLogonSession(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_563B24
		mov	ecx, [esp+40h+var_30]
		call	_SepStopReferencingLogonSession@4 ; SepStopReferencingLogonSession(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_563B24

loc_563B0E:				; CODE XREF: SepLinkLogonSessions+82053j
					; SepLinkLogonSessions+82060j ...
		test	ebx, ebx
		jz	short loc_563B19
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_563B19:				; CODE XREF: SepLinkLogonSessions+1E2j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_563B24:				; CODE XREF: SepLinkLogonSessions+13Aj
					; SepLinkLogonSessions+1CFj ...
		mov	esi, [esp+40h+var_20]
		jmp	loc_5E5965
SepLinkLogonSessions endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeIRTimer(x, x, x, x, x)
_KeInitializeIRTimer@20	proc near	; CODE XREF: ExAllocateTimer+C5p
					; PopInitializeIRTimer(x,x,x,x,x,x,x)+20p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		push	esi
		or	eax, 2
		mov	esi, ecx
		push	eax
		push	[ebp+arg_0]
		call	_KiInitializeTimer2@16 ; KiInitializeTimer2(x,x,x,x)
		mov	eax, [ebp+arg_4]
		mov	cl, [eax]
		mov	[esi+2], cl
		mov	al, [eax+2]
		movzx	edx, al
		movzx	ecx, cl
		mov	[esi+3], al
		call	_ExCheckValidIRTimerId@8 ; ExCheckValidIRTimerId(x,x)
		pop	esi
		test	al, al
		jz	short loc_563B67
		pop	ebp
		retn	0Ch
; 

loc_563B67:				; CODE XREF: KeInitializeIRTimer(x,x,x,x,x)+33j
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_KeInitializeIRTimer@20	endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall ExCheckValidIRTimerId(x, x)
_ExCheckValidIRTimerId@8 proc near	; CODE XREF: KeInitializeIRTimer(x,x,x,x,x)+2Bp
					; ExpCheckIRTimerAccess+74p ...
		cmp	cx, 10h
		jnb	short loc_563B87
		movzx	eax, cx
		imul	eax, 0Ch
		movzx	eax, ds:byte_403D40[eax]
		cmp	dx, ax
		jnb	short loc_563B87
		mov	al, 1
		retn
; 

loc_563B87:				; CODE XREF: ExCheckValidIRTimerId(x,x)+4j
					; ExCheckValidIRTimerId(x,x)+16j
		xor	al, al
		retn
_ExCheckValidIRTimerId@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxQueueWorkOrder proc near		; CODE XREF: PopFxIdleComponent+1D8p
					; PoFxCompleteDevicePowerNotRequired+8183Cp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E59BC SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	esi
		mov	esi, edx
		inc	eax
		lock xadd [esi+10h], eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_563BC7
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_563BAC
		call	PopFxAddRefDevice

loc_563BAC:				; CODE XREF: PopFxQueueWorkOrder+1Bj
		mov	eax, ds:_PspSystemPartition
		mov	edx, esi
		push	0
		push	30h
		mov	ecx, [eax+8]
		call	ExpTryQueueWorkItem
		test	al, al
		jz	loc_5E59BC

loc_563BC7:				; CODE XREF: PopFxQueueWorkOrder+14j
					; PopFxQueueWorkOrder+81E53j
		pop	esi
		pop	ebp
		retn	8
PopFxQueueWorkOrder endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxComponentWork proc	near		; DATA XREF: PAGE:0089B00Fo

var_20		= dword	ptr -20h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E59E2 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	8
		pop	ecx
		lea	edi, [esp+30h+var_20]
		or	esi, 0FFFFFFFFh
		rep stosd
		mov	edi, [ebp+arg_0]
		lea	ebx, [edi+24h]

loc_563BEE:				; CODE XREF: PopFxComponentWork+38j
		mov	edx, [edi+10h]
		lea	eax, [esp+30h+var_20]
		mov	ecx, [edi+30h]
		push	eax
		call	PopFxIdleWorker
		mov	eax, esi
		lock xadd [ebx], eax
		jnz	short loc_563BEE
		mov	eax, [edi+30h]
		lock xadd [eax+80h], esi
		dec	esi
		jz	loc_5E59E2

loc_563C18:				; CODE XREF: PopFxComponentWork+81E25j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
PopFxComponentWork endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1170. KeInitializeEnumerationContextFromGroup

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeEnumerationContextFromGroup(x, x)
		public _KeInitializeEnumerationContextFromGroup@8
_KeInitializeEnumerationContextFromGroup@8 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	edx, [eax]
		mov	ax, [eax+4]
		and	dword ptr [ecx], 0
		mov	[ecx+8], ax
		mov	[ecx+4], edx
		pop	ebp
		retn	8
_KeInitializeEnumerationContextFromGroup@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


KiLoadFastSyscallMachineSpecificRegisters proc near
					; CODE XREF: KeRestoreProcessorSpecificFeatures()+20p
					; KiConfigureDynamicProcessor()+30p ...

; FUNCTION CHUNK AT 005E59F6 SIZE 00000014 BYTES

		cmp	_KiFastSystemCallIsIA32, 0
		jz	short loc_563C92
		push	esi
		mov	esi, large fs:20h
		mov	ecx, 174h
		push	8
		xor	edx, edx
		pop	eax
		wrmsr
		add	ecx, 2
		cmp	ds:_KiKvaShadow, dl
		jz	loc_5E59F6
		mov	eax, large fs:1Ch
		mov	esi, [eax+38h]
		mov	eax, offset _KiFastCallEntryShadow
		wrmsr
		lea	eax, [esi+3000h]

loc_563C88:				; CODE XREF: KiLoadFastSyscallMachineSpecificRegisters+81DBFj
		xor	edx, edx
		mov	ecx, 175h
		wrmsr
		pop	esi

loc_563C92:				; CODE XREF: KiLoadFastSyscallMachineSpecificRegisters+7j
		xor	eax, eax
		retn
KiLoadFastSyscallMachineSpecificRegisters endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 739. IoAllocateController

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAllocateController(x, x, x, x)
		public _IoAllocateController@16
_IoAllocateController@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[esi+48h], eax
		lea	eax, [esi+34h]
		push	eax
		lea	eax, [edi+8]
		mov	[esi+44h], ebx
		push	eax
		call	KeInsertDeviceQueue
		test	al, al
		jnz	short loc_563CD5
		push	[ebp+arg_C]
		push	0
		push	dword ptr [esi+14h]
		push	esi
		call	ebx
		cmp	eax, 2
		jz	short loc_563CDC

loc_563CD5:				; CODE XREF: IoAllocateController(x,x,x,x)+29j
					; IoAllocateController(x,x,x,x)+48j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_563CDC:				; CODE XREF: IoAllocateController(x,x,x,x)+39j
		push	edi
		call	_IoFreeController@4 ; IoFreeController(x)
		jmp	short loc_563CD5
_IoAllocateController@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KvfCommitFeatureStates proc near	; CODE XREF: CmpAcceptBoot+5p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E5A0A SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_1C], 18h
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_4], edi
		push	eax
		push	0C0000000h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_18], edi
		push	eax
		mov	[ebp+var_10], 240h
		mov	[ebp+var_14], offset _KvfVelocityKeyName
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_563D45
		mov	esi, [ebp+var_4]
		mov	eax, _KvfFeatureStates
		test	al, 2
		jnz	loc_5E5A0A

loc_563D3B:				; CODE XREF: KvfCommitFeatureStates+81D43j
		test	esi, esi
		jz	short loc_563D45
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_563D45:				; CODE XREF: KvfCommitFeatureStates+45j
					; KvfCommitFeatureStates+59j
		pop	edi
		pop	esi
		leave
		retn
KvfCommitFeatureStates endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2194. RtlIpv4AddressToStringExW

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIpv4AddressToStringExW
RtlIpv4AddressToStringExW proc near

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005E5A2C SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_34], ecx
		push	ebx
		movzx	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		test	eax, eax
		jz	short loc_563DCE
		test	edi, edi
		jz	short loc_563DCE
		test	ecx, ecx
		jz	loc_5E5A2C

loc_563D83:				; CODE XREF: RtlIpv4AddressToStringExW+81CE7j
		lea	ecx, [ebp+var_30]
		push	ecx
		push	eax
		call	_RtlIpv4AddressToStringW@8 ; RtlIpv4AddressToStringW(x,x)
		mov	esi, eax
		test	bx, bx
		jnz	loc_5E5A3A

loc_563D98:				; CODE XREF: RtlIpv4AddressToStringExW+81D0Dj
		lea	eax, [ebp+var_30]
		sub	esi, eax
		sar	esi, 1
		inc	esi
		cmp	[edi], esi
		jb	short loc_563DCC
		lea	eax, [esi+esi]
		push	eax		; size_t
		lea	eax, [ebp+var_30]
		push	eax		; void *
		push	[ebp+var_34]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[edi], esi
		xor	eax, eax

loc_563DBB:				; CODE XREF: RtlIpv4AddressToStringExW+85j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_563DCC:				; CODE XREF: RtlIpv4AddressToStringExW+54j
		mov	[edi], esi

loc_563DCE:				; CODE XREF: RtlIpv4AddressToStringExW+27j
					; RtlIpv4AddressToStringExW+2Bj ...
		mov	eax, 0C000000Dh
		jmp	short loc_563DBB
RtlIpv4AddressToStringExW endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2195. RtlIpv4AddressToStringW

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIpv4AddressToStringW(x, x)
		public _RtlIpv4AddressToStringW@8
_RtlIpv4AddressToStringW@8 proc	near	; CODE XREF: RtlIpv4AddressToStringExW+3Ap
					; AdtpBuildIPv4Strings(x,x,x,x,x)+63p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		movzx	eax, byte ptr [ecx+3]
		push	eax
		movzx	eax, byte ptr [ecx+2]
		push	eax
		movzx	eax, byte ptr [ecx+1]
		push	eax
		movzx	eax, byte ptr [ecx]
		push	eax
		push	offset ??_C@_1BI@IEJCOLMP@?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu@FNODOBFM@
		push	10h
		push	esi
		call	_swprintf_s
		add	esp, 1Ch
		lea	eax, [esi+eax*2]
		pop	esi
		pop	ebp
		retn	8
_RtlIpv4AddressToStringW@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertLargeTbFlushEntry(x, x, x)
_MiInsertLargeTbFlushEntry@12 proc near	; CODE XREF: MiDeleteSystemPageTable+26Bp
					; MiFlushValidPteFromTb(x,x,x,x):loc_4EB55Bp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	eax, ecx
		mov	ebx, edx
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		mov	[ebp+var_4], eax

loc_563E27:				; CODE XREF: MiInsertLargeTbFlushEntry(x,x,x)+2Aj
		push	esi
		shl	edi, 9
		mov	ecx, eax
		push	1
		mov	edx, edi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	eax, [ebp+var_4]
		inc	esi
		cmp	esi, ebx
		jbe	short loc_563E27
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiInsertLargeTbFlushEntry@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1731. PoSetUserPresent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoSetUserPresent
PoSetUserPresent proc near		; CODE XREF: PAGELK:0071FB1Ap

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E5A60 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		xor	bl, bl
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_563E70
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		inc	bl

loc_563E70:				; CODE XREF: PoSetUserPresent+1Dj
		test	ds:dword_70EFD0, 8000h
		jnz	loc_5E5A60

loc_563E80:				; CODE XREF: PoSetUserPresent+81C3Ej
		mov	edx, [ebp+arg_0]
		push	4
		pop	ecx
		call	PopSetSystemState
		test	bl, bl
		jz	short loc_563E94
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_563E94:				; CODE XREF: PoSetUserPresent+43j
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
PoSetUserPresent endp

; 
		align 4

;  S U B	R O U T	I N E 


PopSetSystemState proc near		; CODE XREF: PoSetUserPresent+3Cp
					; PoSetSystemState(x)+1Fp ...

; FUNCTION CHUNK AT 005E5A8D SIZE 0000000D BYTES

		mov	edi, edi
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		test	ebx, 0FFFFFFF8h
		jnz	short loc_563ECF
		call	_PopDiagTraceSetSystemState@4 ;	PopDiagTraceSetSystemState(x)
		test	bl, 1
		jnz	loc_5E5A8D

loc_563EC3:				; CODE XREF: PopSetSystemState+81BF1j
		test	bl, 4
		jz	short loc_563ECF
		mov	ecx, esi
		call	PopUserPresentSet

loc_563ECF:				; CODE XREF: PopSetSystemState+Fj
					; PopSetSystemState+22j
		pop	esi
		pop	ebx
		pop	ecx
		retn
PopSetSystemState endp

; 
		align 4

;  S U B	R O U T	I N E 


PopUserPresentSet proc near		; CODE XREF: PopSetSystemState+26p

; FUNCTION CHUNK AT 005E5A9A SIZE 00000063 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		xor	esi, esi
		test	_PopSimulate, 40000h
		push	edi
		mov	edi, ecx
		jnz	loc_5E5A9A

loc_563EED:				; CODE XREF: PopUserPresentSet+81BEBj
		cmp	byte_6C26C1, 3
		jz	loc_5E5AC4
		xor	ebx, ebx
		mov	eax, offset _PopUserPresentSetStatus
		inc	ebx
		xchg	ebx, [eax]
		xor	ecx, ecx
		mov	edx, offset unk_6C2D14
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	loc_5E5ADB
		mov	eax, _PopFullWake
		push	2
		pop	ecx
		test	al, 3
		jz	short loc_563F54

loc_563F25:				; CODE XREF: PopUserPresentSet+93j
		call	_PopResetIdleTime@4 ; PopResetIdleTime(x)
		test	ebx, ebx
		jnz	short loc_563F50
		push	1
		push	offset _PopUserPresentWorkItem
		mov	dword_6C2138, offset PopUserPresentSetWorker
		mov	dword_6C213C, edi
		mov	_PopUserPresentWorkItem, esi
		call	ExQueueWorkItem

loc_563F50:				; CODE XREF: PopUserPresentSet+58j
					; PopUserPresentSet+81C02j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_563F54:				; CODE XREF: PopUserPresentSet+4Fj
		mov	eax, offset _PopFullWake
		lock or	[eax], ecx
		xor	ecx, ecx
		inc	ecx
		call	_PopSetNotificationWork@4 ; PopSetNotificationWork(x)
		push	2
		pop	ecx
		jmp	short loc_563F25
PopUserPresentSet endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceSetSystemState(x)
_PopDiagTraceSetSystemState@4 proc near	; CODE XREF: PopSetSystemState+11p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_18], ecx
		jz	short loc_563FCF
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_SETSYSTEMSTATE
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_563FCC
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_563FCC:				; CODE XREF: PopDiagTraceSetSystemState(x)+3Cj
		pop	edi
		pop	esi
		pop	ebx

loc_563FCF:				; CODE XREF: PopDiagTraceSetSystemState(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceSetSystemState@4 endp

; 
		align 10h
; Exported entry 488. FsRtlChangeBackingFileObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlChangeBackingFileObject(x, x, x, x)
		public _FsRtlChangeBackingFileObject@16
_FsRtlChangeBackingFileObject@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 0
		jnz	short loc_56401B
		mov	eax, [ebp+arg_8]
		sub	eax, 0
		jnz	short loc_564004
		push	1

loc_563FF5:				; CODE XREF: FsRtlChangeBackingFileObject(x,x,x,x)+4Bj
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	MmChangeSectionBackingFile

loc_564000:				; CODE XREF: FsRtlChangeBackingFileObject(x,x,x,x)+39j
					; FsRtlChangeBackingFileObject(x,x,x,x)+40j ...
		pop	ebp
		retn	10h
; 

loc_564004:				; CODE XREF: FsRtlChangeBackingFileObject(x,x,x,x)+11j
		sub	eax, 1
		jz	short loc_564029
		sub	eax, 1
		jnz	short loc_564022
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	CcChangeBackingFileObject
		jmp	short loc_564000
; 

loc_56401B:				; CODE XREF: FsRtlChangeBackingFileObject(x,x,x,x)+9j
		mov	eax, 0C00000F2h
		jmp	short loc_564000
; 

loc_564022:				; CODE XREF: FsRtlChangeBackingFileObject(x,x,x,x)+2Cj
		mov	eax, 0C00000F1h
		jmp	short loc_564000
; 

loc_564029:				; CODE XREF: FsRtlChangeBackingFileObject(x,x,x,x)+27j
		push	2
		jmp	short loc_563FF5
_FsRtlChangeBackingFileObject@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcChangeBackingFileObject proc near	; CODE XREF: FsRtlChangeBackingFileObject(x,x,x,x)+34p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= byte ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E5AFD SIZE 00000886 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 58h
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_10], edx
		lea	edi, [ebp+var_50]
		mov	esi, ecx
		stosd
		xor	edx, edx
		stosd
		stosd
		mov	edi, offset _CcChangeSharedCacheMapFileLock
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		lea	edx, [ebp+var_50]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [ebp+var_10]
		test	esi, esi
		jnz	loc_5E5AFD

loc_56407D:				; CODE XREF: CcChangeBackingFileObject+81AD5j
		mov	eax, [ecx+14h]
		mov	eax, [eax+4]
		test	eax, eax
		jz	loc_5E5D24
		test	dword ptr [eax+60h], 100000h
		jnz	loc_5E5EFF
		lea	edi, [eax+44h]
		mov	eax, [edi]
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_44], eax
		test	esi, esi
		jnz	loc_5E6109

loc_5640AB:				; CODE XREF: CcChangeBackingFileObject+820DDj
		mov	edx, ecx
		mov	ecx, edi
		call	@ObFastReplaceObject@8 ; ObFastReplaceObject(x,x)
		xor	esi, esi
		test	ds:byte_70EFC6,	1
		jnz	loc_5E6321
		mov	eax, [ebp+var_50]
		test	eax, eax
		jnz	loc_5E6339
		mov	edx, [ebp+var_4C]
		lea	eax, [ebp+var_50]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_50]
		cmp	eax, ecx
		jnz	loc_5E6331

loc_5640E5:				; CODE XREF: CcChangeBackingFileObject+822FEj
					; CcChangeBackingFileObject+82317j
		mov	cl, [ebp+var_48]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	ecx, 0FFFFFFFFh
		mov	edx, offset _CcChangeSharedCacheMapFileLock
		mov	[ebp+var_8], ecx
		mov	eax, ecx
		lock xadd [edx], eax
		test	al, 2
		jnz	loc_5E634A

loc_564107:				; CODE XREF: CcChangeBackingFileObject+8231Ej
					; CcChangeBackingFileObject+8232Bj
		mov	eax, offset _CcChangeSharedCacheMapFileLock
		mov	edi, esi
		mov	[ebp+var_20], edi
		test	eax, 7FFFFFFCh
		jz	loc_56422D
		mov	edx, large fs:124h
		mov	ecx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, offset _CcChangeSharedCacheMapFileLock
		push	0FFFFFFFFh
		mov	[ebp+var_40], ecx
		mov	[ebp+var_C], edx
		pop	ecx
		ja	short loc_564146
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_564158

loc_564146:				; CODE XREF: CcChangeBackingFileObject+10Dj
		cmp	[ebp+var_40], offset _CcChangeSharedCacheMapFileLock
		ja	short loc_564168
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jnz	short loc_564168

loc_564158:				; CODE XREF: CcChangeBackingFileObject+116j
		mov	ecx, [edx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_8], eax

loc_564168:				; CODE XREF: CcChangeBackingFileObject+11Fj
					; CcChangeBackingFileObject+128j
		dec	word ptr [edx+13Eh]
		nop
		inc	byte ptr [edx+1E6h]
		nop
		mov	al, [edx+1E6h]
		mov	edx, offset _CcChangeSharedCacheMapFileLock
		push	ecx
		mov	ecx, [ebp+var_C]
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_40], ecx
		test	ecx, ecx
		jz	loc_56428C
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], esi
		jl	loc_5642A4

loc_5641AD:				; CODE XREF: CcChangeBackingFileObject+27Ej
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_20], edi
		mov	[ecx+2Ch], eax
		nop
		mov	[ecx+10h], esi
		mov	esi, [ebp+var_C]
		push	30h
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		mov	al, dl
		shl	al, cl
		cmp	byte ptr [ebp+var_4+3],	dl
		jnz	loc_5E635E
		or	[esi+1E4h], al

loc_5641F4:				; CODE XREF: CcChangeBackingFileObject+271j
					; CcChangeBackingFileObject+8233Cj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_40], eax
		jnz	short loc_564250

loc_564207:				; CODE XREF: CcChangeBackingFileObject+257j
					; CcChangeBackingFileObject+82350j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_56422D
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_56422D
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_56422D:				; CODE XREF: CcChangeBackingFileObject+E8j
					; CcChangeBackingFileObject+1F0j ...
		mov	ecx, [ebp+var_10]
		mov	esi, 746C6644h
		mov	edx, esi
		call	ObfReferenceObjectWithTag
		push	esi
		push	[ebp+var_44]
		call	ObDereferenceObjectDeferDeleteWithTag

loc_564245:				; CODE XREF: CcChangeBackingFileObject+81D6Aj
					; CcChangeBackingFileObject+8215Aj ...
		xor	eax, eax

loc_564247:				; CODE XREF: CcChangeBackingFileObject+81CF1j
					; CcChangeBackingFileObject+820D6j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_564250:				; CODE XREF: CcChangeBackingFileObject+1D7j
		test	edi, 8000h
		jz	short loc_564261
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_564261:				; CODE XREF: CcChangeBackingFileObject+228j
		test	byte ptr [ebp+var_20+2], 1
		jnz	short loc_5642B1

loc_564267:				; CODE XREF: CcChangeBackingFileObject+293j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_56427B
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_56427B:				; CODE XREF: CcChangeBackingFileObject+240j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_564207
		jmp	loc_5E636F
; 

loc_56428C:				; CODE XREF: CcChangeBackingFileObject+167j
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_5E5C0F
		mov	esi, ecx
		jmp	loc_5641F4
; 

loc_5642A4:				; CODE XREF: CcChangeBackingFileObject+179j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_40]
		jmp	loc_5641AD
; 

loc_5642B1:				; CODE XREF: CcChangeBackingFileObject+237j
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	short loc_564267
CcChangeBackingFileObject endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceFxComponentIdleState proc near ; CODE XREF:	PopFxProcessWork+34Dp
					; PoFxCompleteIdleState+81DCFp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E6383 SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_3C], edx
		push	ebx
		push	[ebp+arg_0]
		mov	[ebp+var_38], ecx
		push	8
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		cmp	_PopDiagHandleRegistered, bl
		jz	short loc_564316
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_COMPONENT_IDLE_STATE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5E6383

loc_564314:				; CODE XREF: PopDiagTraceFxComponentIdleState+82107j
		pop	edi
		pop	esi

loc_564316:				; CODE XREF: PopDiagTraceFxComponentIdleState+2Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
PopDiagTraceFxComponentIdleState endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopResurrectDriver proc	near		; CODE XREF: IopLoadDriver+668p

; FUNCTION CHUNK AT 005E63D0 SIZE 00000096 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		push	0Ah
		pop	ecx
		mov	edi, [esi+4]
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		test	byte ptr [esi+8], 1
		mov	bl, al
		jnz	short loc_564358
		test	edi, edi
		jz	short loc_564358
		mov	ecx, [edi+0B0h]
		test	byte ptr [ecx+10h], 1
		jnz	loc_5E63D0

loc_564358:				; CODE XREF: IopResurrectDriver+1Cj
					; IopResurrectDriver+20j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jnz	loc_5E643C
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5E6452
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5E644B

loc_56438E:				; CODE XREF: IopResurrectDriver+82120j
					; IopResurrectDriver+8213Bj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, 0C000010Eh

loc_56439B:				; CODE XREF: IopResurrectDriver+82111j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
IopResurrectDriver endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PpmCheckUpdateDeliveredPerformanceIfTracingEnabled()
_PpmCheckUpdateDeliveredPerformanceIfTracingEnabled@0 proc near
		cmp	_PpmEtwRegistered, 0
		jz	short loc_5643C9
		push	offset _PPM_ETW_DELIVERED_PERF_CHANGE
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jnz	PpmCheckSnapAllDeliveredPerformance

loc_5643C9:				; CODE XREF: PpmCheckUpdateDeliveredPerformanceIfTracingEnabled()+7j
		mov	al, 1
		retn
_PpmCheckUpdateDeliveredPerformanceIfTracingEnabled@0 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1134. KeExpandKernelStackAndCallout

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeExpandKernelStackAndCallout(x, x,	x)
		public _KeExpandKernelStackAndCallout@12
_KeExpandKernelStackAndCallout@12 proc near ; CODE XREF: IovpLogStackTrace(x)+62p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	2
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	KeExpandKernelStackAndCalloutInternal
		pop	ebp
		retn	0Ch
_KeExpandKernelStackAndCallout@12 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2117. RtlGetCurrentServiceSessionId

;  S U B	R O U T	I N E 


; __stdcall RtlGetCurrentServiceSessionId()
		public _RtlGetCurrentServiceSessionId@0
_RtlGetCurrentServiceSessionId@0 proc near
					; CODE XREF: SepValidateReferencedCachedHandles+1282B2p
					; RtlpGetTokenNamedObjectPath(x,x,x,x)+278p
		call	_KeIsExecutingInArbitraryThreadContext@0 ; KeIsExecutingInArbitraryThreadContext()
		test	eax, eax
		jnz	short loc_564413
		mov	eax, large fs:124h
		push	eax
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		test	eax, eax
		jz	short loc_564413
		mov	eax, [eax+2F8h]
		jmp	short loc_564418
; 

loc_564413:				; CODE XREF: RtlGetCurrentServiceSessionId()+7j
					; RtlGetCurrentServiceSessionId()+17j
		mov	eax, offset _PspHostSiloGlobals

loc_564418:				; CODE XREF: RtlGetCurrentServiceSessionId()+1Fj
		mov	eax, [eax+28Ch]
		mov	eax, [eax]
		retn
_RtlGetCurrentServiceSessionId@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmSetAccessLogging proc	near		; CODE XREF: PfTAccessTracingCleanup(x,x,x)+3Ap
					; PfTAccessTracingStart(x,x,x)+41p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E6466 SIZE 00000072 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], ecx
		lea	edi, [ebp+var_10]
		mov	esi, edx
		stosd
		lea	edx, [ebp+var_10]
		mov	ecx, offset dword_6D3180
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp+var_4]
		mov	dword_6D3158, esi
		xor	esi, esi
		mov	dword_6D3154, eax
		test	eax, eax
		jz	short loc_5644AA
		test	ds:byte_70EFC6,	1
		jnz	loc_5E6466
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_5E647E
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	loc_5E6476

loc_564489:				; CODE XREF: MmSetAccessLogging+8204Fj
					; MmSetAccessLogging+82068j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	dword_6D3260, esi
		jnz	short loc_5644A6
		push	esi
		push	esi
		push	offset unk_6D3264
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)

loc_5644A6:				; CODE XREF: MmSetAccessLogging+76j
					; MmSetAccessLogging+E3j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_5644AA:				; CODE XREF: MmSetAccessLogging+36j
		mov	eax, dword_6D3150
		xor	edi, edi
		inc	edi
		test	eax, eax
		jnz	loc_5E648F
		push	edi
		push	offset dword_6D3144
		mov	dword_6D314C, offset MiEmptyAccessLogs
		mov	dword_6D3150, edi
		mov	dword_6D3144, esi
		call	ExQueueWorkItem

loc_5644DB:				; CODE XREF: MmSetAccessLogging+82070j
					; MmSetAccessLogging+82080j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E64A7
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	loc_5E64B7

loc_5644F3:				; CODE XREF: MmSetAccessLogging+820B1j
		mov	[ebp+var_10], esi
		add	eax, 4
		lock xor [eax],	edi

loc_5644FC:				; CODE XREF: MmSetAccessLogging+82090j
					; MmSetAccessLogging+820A6j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_5644A6
MmSetAccessLogging endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 741. IoAllocateErrorLogEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAllocateErrorLogEntry(x, x)
		public _IoAllocateErrorLogEntry@8
_IoAllocateErrorLogEntry@8 proc	near	; CODE XREF: IopDisassociateThreadIrp()+187p
					; FsRtlLogCcFlushError(x,x,x,x,x)+15Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_56453C
		movzx	eax, word ptr [ecx]
		cmp	ax, 3
		jz	short loc_564537
		cmp	ax, 4
		jnz	short loc_56453C
		mov	edx, ecx
		xor	ecx, ecx

loc_56452B:				; CODE XREF: IoAllocateErrorLogEntry(x,x)+2Ej
		push	[ebp+arg_4]
		call	IopAllocateErrorLogEntry

loc_564533:				; CODE XREF: IoAllocateErrorLogEntry(x,x)+32j
		pop	ebp
		retn	8
; 

loc_564537:				; CODE XREF: IoAllocateErrorLogEntry(x,x)+13j
		mov	edx, [ecx+8]
		jmp	short loc_56452B
; 

loc_56453C:				; CODE XREF: IoAllocateErrorLogEntry(x,x)+Aj
					; IoAllocateErrorLogEntry(x,x)+19j
		xor	eax, eax
		jmp	short loc_564533
_IoAllocateErrorLogEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAllocateErrorLogEntry proc near	; CODE XREF: IoAllocateErrorLogEntry(x,x)+22p
					; IoAllocateGenericErrorLogEntry(x)+7p

var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005E64D8 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	[ebp+var_4], ecx
		mov	cl, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		lea	eax, [ecx-30h]
		mov	edi, edx
		cmp	al, 68h
		ja	loc_5645DE
		lea	ebx, [ecx+3]
		mov	ecx, offset _IopErrorLogAllocation
		and	ebx, 0FCh
		add	ebx, 20h
		mov	eax, ebx
		lock xadd [ecx], eax
		cmp	eax, 64000h
		ja	short loc_5645D8
		push	72456F49h
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5E64E9
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	loc_5E64D8

loc_56459F:				; CODE XREF: IopAllocateErrorLogEntry+81FA4j
		test	edi, edi
		jz	short loc_5645AF
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag

loc_5645AF:				; CODE XREF: IopAllocateErrorLogEntry+61j
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	[esi+2], bx
		mov	[esi+0Ch], ecx
		mov	[esi+10h], edi
		push	0Bh
		pop	eax
		mov	[esi], ax
		lea	eax, [esi+20h]

loc_5645D1:				; CODE XREF: IopAllocateErrorLogEntry+A0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_5645D8:				; CODE XREF: IopAllocateErrorLogEntry+38j
					; IopAllocateErrorLogEntry+81FAEj
		neg	ebx
		lock xadd [ecx], ebx

loc_5645DE:				; CODE XREF: IopAllocateErrorLogEntry+16j
		xor	eax, eax
		jmp	short loc_5645D1
IopAllocateErrorLogEntry endp

; 
		align 8
; Exported entry 1220. KeQueryEffectivePriorityThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryEffectivePriorityThread(x)
		public _KeQueryEffectivePriorityThread@4
_KeQueryEffectivePriorityThread@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		mov	ecx, esi
		call	KiIsThreadRankNonZero
		test	al, al
		jnz	short loc_56460A
		movsx	eax, byte ptr [esi+87h]

loc_564605:				; CODE XREF: KeQueryEffectivePriorityThread(x)+25j
		pop	esi
		pop	ebp
		retn	4
; 

loc_56460A:				; CODE XREF: KeQueryEffectivePriorityThread(x)+14j
		xor	eax, eax
		inc	eax
		jmp	short loc_564605
_KeQueryEffectivePriorityThread@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEndHighPerfRequest proc near		; CODE XREF: PopIssueActionRequest+327p
					; PoClearBroadcast()+2Ap ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E64F3 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PpmHighPerfRequestLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	ds:_PpmHighPerfDuration[esi*4],	0
		jz	loc_5646F3
		cmp	_PpmHighPerfDeferredEndDisabled, 0
		jnz	loc_5646F3
		inc	_PpmHighPerfDeferredEndCount
		call	KeQueryInterruptTime
		imul	edi, ds:_PpmHighPerfDuration[esi*4], 2710h
		mov	[esp+18h+var_8], eax
		mov	[esp+18h+var_4], edx
		call	KeQueryInterruptTime
		mov	ecx, dword_6C206C
		mov	esi, eax
		add	esi, edi
		adc	edx, 0
		cmp	ecx, edx
		jb	short loc_56468D
		ja	short loc_5646A4
		cmp	_PpmHighPerfDeferredEndTime, esi
		ja	short loc_5646A4

loc_56468D:				; CODE XREF: PpmEndHighPerfRequest+71j
		call	KeQueryInterruptTime
		add	eax, edi
		mov	ecx, edx
		mov	_PpmHighPerfDeferredEndTime, eax
		adc	ecx, 0
		mov	dword_6C206C, ecx

loc_5646A4:				; CODE XREF: PpmEndHighPerfRequest+73j
					; PpmEndHighPerfRequest+7Bj
		mov	eax, _PpmHighPerfDeferredEndTime
		sub	eax, [esp+18h+var_8]
		sbb	ecx, [esp+18h+var_4]
		neg	eax
		adc	ecx, 0
		xor	edx, edx
		neg	ecx
		push	ecx
		push	eax
		push	offset _PpmHighPerfEndDpc
		push	0
		mov	ecx, offset _PpmHighPerfEndTimer
		call	KiSetTimerEx
		mov	edi, offset _PpmHighPerfRequestLock

loc_5646D2:				; CODE XREF: PpmEndHighPerfRequest+F1j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E64F3
		xor	eax, eax
		lock and [edi],	eax

loc_5646E4:				; CODE XREF: PpmEndHighPerfRequest+81EEDj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5646F3:				; CODE XREF: PpmEndHighPerfRequest+2Cj
					; PpmEndHighPerfRequest+39j
		mov	ecx, _PpmHighPerfPowerRequest
		push	4
		pop	edx
		call	PoClearPowerRequestInternal
		jmp	short loc_5646D2
PpmEndHighPerfRequest endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepTriggerComponentIdleStateChangeActivity(x, x,	x)
_PopPepTriggerComponentIdleStateChangeActivity@12 proc near ; DATA XREF: .text:004012F4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_56472F
		push	esi
		mov	esi, [ebp+arg_8]
		test	esi, esi
		js	short loc_564734

loc_564719:				; CODE XREF: PopPepTriggerComponentIdleStateChangeActivity(x,x,x)+3Aj
		cmp	dword ptr [edi+90h], 0
		mov	eax, [edi+34h]
		jnz	short loc_564740
		and	esi, 7FFFFFFFh
		mov	[eax+4], esi

loc_56472E:				; CODE XREF: PopPepTriggerComponentIdleStateChangeActivity(x,x,x)+40j
		pop	esi

loc_56472F:				; CODE XREF: PopPepTriggerComponentIdleStateChangeActivity(x,x,x)+Bj
		pop	edi
		pop	ebp
		retn	0Ch
; 

loc_564734:				; CODE XREF: PopPepTriggerComponentIdleStateChangeActivity(x,x,x)+13j
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		call	_PopPepTryPowerUpComponent@8 ; PopPepTryPowerUpComponent(x,x)
		jmp	short loc_564719
; 

loc_564740:				; CODE XREF: PopPepTriggerComponentIdleStateChangeActivity(x,x,x)+1Fj
		and	dword ptr [eax+4], 0
		jmp	short loc_56472E
_PopPepTriggerComponentIdleStateChangeActivity@12 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1679. PoFxCompleteIdleState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxCompleteIdleState
PoFxCompleteIdleState proc near

var_20		= dword	ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E6502 SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	8
		pop	ecx
		lea	edi, [esp+30h+var_20]
		rep stosd
		mov	eax, [esi+240h]
		mov	edi, [ebp+arg_4]
		mov	ebx, [eax+edi*4]
		or	eax, 0FFFFFFFFh
		lock xadd [ebx+58h], eax
		jz	loc_5E6502

loc_564782:				; CODE XREF: PoFxCompleteIdleState+81DE5j
					; PoFxCompleteIdleState+81DF6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
PoFxCompleteIdleState endp

; 
		align 10h
; Exported entry 1061. IoWriteErrorLogEntry

		public IoWriteErrorLogEntry
IoWriteErrorLogEntry:			; CODE XREF: IopDisassociateThreadIrp()+198p
					; FsRtlLogCcFlushError(x,x,x,x,x)+20Cp	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+8]
		add	esi, 0FFFFFFE0h
		cmp	_IopErrorLogDisabledThisBoot, 0
		jnz	loc_5E6547
		push	ebx
		push	edi
		lea	eax, [esi+18h]
		push	eax
		call	KeQuerySystemTime
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _IopErrorLogLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, dword_6CCE6C
		mov	eax, offset _IopErrorLogListHead
		add	esi, 4
		cmp	[ecx], eax
		jnz	short loc_56483C
		cmp	_IopErrorLogSessionPending, 0
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	dword_6CCE6C, esi
		jnz	short loc_56481B
		and	dword_6CCB6C, 0
		and	_IopErrorLogWorkItem, 0
		push	1
		push	offset _IopErrorLogWorkItem
		mov	_IopErrorLogSessionPending, 1
		mov	dword_6CCB68, offset IopErrorLogThread
		call	ExQueueWorkItem

loc_56481B:				; CODE XREF: .text:005647EEj
		test	ds:byte_70EFC6,	1
		jnz	loc_5E657B
		xor	eax, eax
		lock and [edi],	eax

loc_56482D:				; CODE XREF: .text:005E6585j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	ebx

loc_564837:				; CODE XREF: .text:005E6576j
		pop	esi
		pop	ebp
		retn	4
; 

loc_56483C:				; CODE XREF: .text:005647D8j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 635. FsRtlProcessFileLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlProcessFileLock
FsRtlProcessFileLock proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E658A SIZE 00000052 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, [ebx+60h]
		mov	[esp+20h+var_10], esi
		mov	[esp+20h+var_C], esi
		movzx	eax, byte ptr [edi+1]
		sub	eax, 1
		jz	short loc_5648CA
		sub	eax, 1
		jnz	loc_5E658A
		mov	eax, [edi+0Ch]
		push	esi
		push	[ebp+arg_8]
		mov	[esp+28h+var_8], eax
		push	dword ptr [edi+8]
		mov	eax, [edi+10h]
		push	ebx
		mov	[esp+30h+var_4], eax
		call	_IoGetRequestorProcess@4 ; IoGetRequestorProcess(x)
		mov	esi, [ebp+arg_0]
		push	eax
		push	dword ptr [edi+4]
		lea	eax, [esp+34h+var_8]
		push	eax
		push	dword ptr [edi+18h]
		push	esi
		call	FsRtlFastUnlockSingle

loc_5648A6:				; CODE XREF: FsRtlProcessFileLock+81D91j
		mov	edx, [ebp+arg_8]
		lea	ecx, [esp+20h+var_10]
		push	0
		push	ecx
		mov	ecx, [esi]
		push	eax
		push	ebx
		mov	[esp+30h+var_10], eax
		call	FsRtlCompleteLockIrpReal

loc_5648BD:				; CODE XREF: FsRtlProcessFileLock+CDj
					; FsRtlProcessFileLock+81D63j
		mov	eax, [esp+20h+var_10]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_5648CA:				; CODE XREF: FsRtlProcessFileLock+25j
		mov	eax, [edi+0Ch]
		mov	cl, [edi+2]
		push	esi
		push	[ebp+arg_8]
		mov	[esp+28h+var_8], eax
		mov	eax, [edi+10h]
		mov	[esp+28h+var_4], eax
		lea	eax, [esp+28h+var_10]
		push	ebx
		push	eax
		mov	al, cl
		and	cl, 1
		shr	al, 1
		and	al, 1
		movzx	eax, al
		push	eax
		movzx	eax, cl
		push	eax
		push	dword ptr [edi+8]
		push	ebx
		call	_IoGetRequestorProcess@4 ; IoGetRequestorProcess(x)
		push	eax
		push	dword ptr [edi+4]
		lea	eax, [esp+44h+var_8]
		push	eax
		push	dword ptr [edi+18h]
		push	[ebp+arg_0]
		call	FsRtlPrivateLock
		jmp	short loc_5648BD
FsRtlProcessFileLock endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlCompleteLockIrpReal proc near	; CODE XREF: sub_4E26DD+61p
					; FsRtlProcessFileLock+72p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005E65DC SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	loc_5E65DC
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_564931
		and	dword ptr [eax+48h], 0

loc_564931:				; CODE XREF: FsRtlCompleteLockIrpReal+15j
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		push	ecx
		push	edx
		mov	[ecx+18h], eax
		call	esi
		mov	esi, eax

loc_564940:				; CODE XREF: FsRtlCompleteLockIrpReal+81CD6j
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		pop	esi
		pop	ebp
		retn	10h
FsRtlCompleteLockIrpReal endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall KeQueryCycleCounterFrequency(x, x)
_KeQueryCycleCounterFrequency@8	proc near
					; CODE XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+1Ap
					; KeUpdateGroupSchedulingConstants+26p	...
		mov	edi, edi
		push	esi
		mov	esi, [ecx+3C0h]
		xor	ecx, ecx
		test	dl, dl
		jnz	short loc_56496E
		push	edi
		mov	edi, 0F4240h
		mov	eax, ecx
		mul	edi
		mov	ecx, eax
		mov	eax, esi
		mul	edi
		pop	edi
		add	ecx, edx
		mov	esi, eax

loc_56496E:				; CODE XREF: KeQueryCycleCounterFrequency(x,x)+Dj
		mov	eax, esi
		mov	edx, ecx
		pop	esi
		retn
_KeQueryCycleCounterFrequency@8	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1294. KeSetImportanceDpc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetImportanceDpc(x, x)
		public _KeSetImportanceDpc@8
_KeSetImportanceDpc@8 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	cl, [ebp+arg_4]
		mov	[eax+1], cl
		pop	ebp
		retn	8
_KeSetImportanceDpc@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpOplockSendModernAppTermination proc near
					; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9C0p
					; FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)+CDp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E65F1 SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	[ebp+var_1], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		test	edx, edx
		jz	loc_5E65F1

loc_5649A5:				; CODE XREF: FsRtlpOplockSendModernAppTermination+81C6Aj
		push	74725346h
		mov	edi, 1000h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5E6613
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		xor	ecx, ecx
		mov	[ebp+var_1], 1
		add	esp, 0Ch
		inc	ecx
		add	ebx, 24h
		mov	edx, [ebx]

loc_5649D9:				; CODE XREF: FsRtlpOplockSendModernAppTermination+6Cj
		cmp	edx, ebx
		jz	short loc_5649FA
		cmp	ecx, 400h
		jnb	loc_5E6620
		mov	eax, [edx+10h]
		mov	eax, [eax+0E4h]
		mov	[esi+ecx*4], eax
		inc	ecx
		mov	edx, [edx]
		jmp	short loc_5649D9
; 

loc_5649FA:				; CODE XREF: FsRtlpOplockSendModernAppTermination+4Fj
		lea	eax, [ecx-1]
		mov	[esi], eax

loc_5649FF:				; CODE XREF: FsRtlpOplockSendModernAppTermination+81CADj
		push	1
		push	edi
		push	esi
		call	FsRtlSendModernAppTermination
		cmp	[ebp+var_1], 0
		jz	short loc_564A16
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_564A16:				; CODE XREF: FsRtlpOplockSendModernAppTermination+80j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
FsRtlpOplockSendModernAppTermination endp

; 
		align 10h
; Exported entry 660. FsRtlSendModernAppTermination

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlSendModernAppTermination
FsRtlSendModernAppTermination proc near	; CODE XREF: FsRtlpOplockSendModernAppTermination+77p
					; Phase1InitializationDiscard(x)+B97p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E663E SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		test	edx, edx
		jz	loc_5E663E
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_5E663E

loc_564A4B:				; CODE XREF: FsRtlSendModernAppTermination+81C2Bj
		cmp	ecx, 1000h
		ja	short loc_564A91
		mov	eax, [ebp+arg_8]
		sub	eax, esi
		jz	loc_5E6650
		sub	eax, 1
		jnz	short loc_564A98
		mov	eax, ds:_WNF_FSRL_OPLOCK_BREAK
		mov	[ebp+var_C], eax
		mov	eax, ds:dword_41109C

loc_564A70:				; CODE XREF: FsRtlSendModernAppTermination+81C3Dj
		push	esi
		push	esi
		push	esi
		push	esi
		push	ecx
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_C]
		push	edx
		push	eax
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_564A82:				; CODE XREF: FsRtlSendModernAppTermination+76j
					; FsRtlSendModernAppTermination+7Dj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_564A91:				; CODE XREF: FsRtlSendModernAppTermination+31j
		mov	eax, 80000005h
		jmp	short loc_564A82
; 

loc_564A98:				; CODE XREF: FsRtlSendModernAppTermination+41j
		mov	eax, 0C000000Dh
		jmp	short loc_564A82
FsRtlSendModernAppTermination endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSessionChangeWorker(x)
_IopSessionChangeWorker@4 proc near	; DATA XREF: NtNotifyChangeSession+164o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	0
		push	esi
		push	_IopSessionCallbackObject
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)
		mov	ecx, [esi+20h]
		call	_MmSetSessionObjectIoEvent@4 ; MmSetSessionObjectIoEvent(x)
		mov	ecx, [esi+20h]
		call	ObfDereferenceObject
		mov	eax, [esi+1Ch]
		test	eax, eax
		jnz	short loc_564ADB

loc_564ACE:				; CODE XREF: IopSessionChangeWorker(x)+43j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebp
		retn	4
; 

loc_564ADB:				; CODE XREF: IopSessionChangeWorker(x)+2Cj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_564ACE
_IopSessionChangeWorker@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmIsSessionInCurrentServerSilo(x)
_MmIsSessionInCurrentServerSilo@4 proc near ; CODE XREF: PopGetSettingNotificationName+1AAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		mov	ecx, large fs:124h
		stosd
		stosd
		stosd
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		lea	ecx, [eax+1]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		cmp	ecx, esi
		jnz	short loc_564B20
		mov	al, 1
		jmp	loc_564BDB
; 

loc_564B20:				; CODE XREF: MmIsSessionInCurrentServerSilo(x)+31j
		push	ebx
		xor	bl, bl
		call	_KeIsExecutingInArbitraryThreadContext@0 ; KeIsExecutingInArbitraryThreadContext()
		test	eax, eax
		jz	short loc_564B30
		xor	edi, edi
		jmp	short loc_564B3E
; 

loc_564B30:				; CODE XREF: MmIsSessionInCurrentServerSilo(x)+44j
		mov	eax, large fs:124h
		push	eax
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		mov	edi, eax

loc_564B3E:				; CODE XREF: MmIsSessionInCurrentServerSilo(x)+48j
		lea	edx, [ebp+var_C]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, dword_6D05D8
		jmp	short loc_564B63
; 

loc_564B53:				; CODE XREF: MmIsSessionInCurrentServerSilo(x)+7Fj
		mov	eax, [ecx-50h]
		cmp	esi, eax
		ja	short loc_564B60
		jnb	short loc_564B69
		mov	ecx, [ecx]
		jmp	short loc_564B63
; 

loc_564B60:				; CODE XREF: MmIsSessionInCurrentServerSilo(x)+72j
		mov	ecx, [ecx+4]

loc_564B63:				; CODE XREF: MmIsSessionInCurrentServerSilo(x)+6Bj
					; MmIsSessionInCurrentServerSilo(x)+78j
		test	ecx, ecx
		jnz	short loc_564B53
		jmp	short loc_564B8A
; 

loc_564B69:				; CODE XREF: MmIsSessionInCurrentServerSilo(x)+74j
		test	ecx, ecx
		jz	short loc_564B8A
		cmp	[ecx+23F8h], edi
		jnz	short loc_564B8A
		cmp	eax, esi
		jnz	short loc_564B8A
		test	byte ptr [ecx-54h], 2
		lea	eax, [ecx-48h]
		mov	edx, [eax]
		jnz	short loc_564B8A
		cmp	edx, eax
		jz	short loc_564B8A
		mov	bl, 1

loc_564B8A:				; CODE XREF: MmIsSessionInCurrentServerSilo(x)+81j
					; MmIsSessionInCurrentServerSilo(x)+85j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_564BA0
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_564BCF
; 

loc_564BA0:				; CODE XREF: MmIsSessionInCurrentServerSilo(x)+ABj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_564BBF
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_564BCF
		call	KxWaitForLockChainValid

loc_564BBF:				; CODE XREF: MmIsSessionInCurrentServerSilo(x)+BFj
		lea	ecx, [eax+4]
		mov	[ebp+var_C], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax

loc_564BCF:				; CODE XREF: MmIsSessionInCurrentServerSilo(x)+B8j
					; MmIsSessionInCurrentServerSilo(x)+D2j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, bl
		pop	ebx

loc_564BDB:				; CODE XREF: MmIsSessionInCurrentServerSilo(x)+35j
		pop	edi
		pop	esi
		leave
		retn
_MmIsSessionInCurrentServerSilo@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 919. IoQueryFullDriverPath

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoQueryFullDriverPath(x, x)
		public _IoQueryFullDriverPath@8
_IoQueryFullDriverPath@8 proc near	; CODE XREF: PiGetDriverImageDirectory(x,x)+39p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [eax+14h]
		test	esi, esi
		jz	short loc_564C23
		movzx	edx, word ptr [esi+26h]
		xor	ecx, ecx
		inc	ecx
		call	IopVerifierExAllocatePool
		mov	ecx, [ebp+arg_4]
		mov	[ecx+4], eax
		test	eax, eax
		jz	short loc_564C2A
		mov	ax, [esi+26h]
		mov	[ecx+2], ax
		lea	eax, [esi+24h]
		push	eax
		push	ecx
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		xor	eax, eax

loc_564C1E:				; CODE XREF: IoQueryFullDriverPath(x,x)+44j
					; IoQueryFullDriverPath(x,x)+4Bj
		pop	esi
		pop	ebp
		retn	8
; 

loc_564C23:				; CODE XREF: IoQueryFullDriverPath(x,x)+Ej
		mov	eax, 0C0000225h
		jmp	short loc_564C1E
; 

loc_564C2A:				; CODE XREF: IoQueryFullDriverPath(x,x)+24j
		mov	eax, 0C000009Ah
		jmp	short loc_564C1E
_IoQueryFullDriverPath@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmSessionSetUnloadAddress proc near	; CODE XREF: ExpInitializeSessionDriver(x,x)+3Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005E6662 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		xor	ebx, ebx
		stosd
		inc	ebx
		stosd
		stosd
		mov	eax, large fs:124h
		mov	esi, [ecx+34h]
		mov	eax, [eax+80h]
		mov	edi, [eax+180h]
		test	esi, esi
		jz	short loc_564CBA

loc_564C61:				; CODE XREF: MmSessionSetUnloadAddress+8Aj
		lea	edx, [ebp+var_C]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	dword ptr [edi+1DCh], 0
		jnz	short loc_564C7D
		mov	[edi+1DCh], esi

loc_564C7D:				; CODE XREF: MmSessionSetUnloadAddress+43j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E6662
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5E667A
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5E6672

loc_564CAC:				; CODE XREF: MmSessionSetUnloadAddress+81A3Bj
					; MmSessionSetUnloadAddress+81A55j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_564CBA:				; CODE XREF: MmSessionSetUnloadAddress+2Dj
		mov	esi, ebx
		jmp	short loc_564C61
MmSessionSetUnloadAddress endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertSessionWorkingSet(x)
_MiInsertSessionWorkingSet@4 proc near	; CODE XREF: MiAllowWorkingSetExpansion+87p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, dword_6D35C4
		push	esi
		mov	esi, ecx
		mov	ecx, offset dword_6D35C0
		lea	eax, [esi+50h]
		cmp	[edx], ecx
		jnz	short loc_564D24
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	ecx, dword_6D05D8
		mov	dword_6D35C4, eax
		mov	edx, [esi+8]
		mov	byte ptr [ebp+var_4], 0
		test	ecx, ecx
		jz	short loc_564D0F

loc_564CF6:				; CODE XREF: MiInsertSessionWorkingSet(x)+46j
		cmp	edx, [ecx-50h]
		jb	short loc_564D06
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_564D29

loc_564D02:				; CODE XREF: MiInsertSessionWorkingSet(x)+4Cj
		mov	ecx, eax
		jmp	short loc_564CF6
; 

loc_564D06:				; CODE XREF: MiInsertSessionWorkingSet(x)+3Bj
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_564D02
		mov	byte ptr [ebp+var_4], al

loc_564D0F:				; CODE XREF: MiInsertSessionWorkingSet(x)+36j
					; MiInsertSessionWorkingSet(x)+6Fj
		lea	eax, [esi+58h]
		push	eax
		push	[ebp+var_4]
		push	ecx
		push	offset dword_6D05D8
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		pop	esi
		leave
		retn
; 

loc_564D24:				; CODE XREF: MiInsertSessionWorkingSet(x)+19j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_564D29:				; CODE XREF: MiInsertSessionWorkingSet(x)+42j
		mov	byte ptr [ebp+var_4], 1
		jmp	short loc_564D0F
_MiInsertSessionWorkingSet@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopThermalCoolingPowerSettingCallback(void *,int,int,int)
PopThermalCoolingPowerSettingCallback proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E668C SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopThermalLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		mov	dword_6C2194, eax
		push	offset _GUID_SYSTEM_COOLING_POLICY ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_564DB6

loc_564D73:				; CODE XREF: PopThermalCoolingPowerSettingCallback+8Aj
					; PopThermalCoolingPowerSettingCallback+96j
		cmp	_PopPlatformAoAc, 0
		jnz	loc_5E668C

loc_564D80:				; CODE XREF: PopThermalCoolingPowerSettingCallback+81963j
		mov	eax, dword_6C2D48

loc_564D85:				; CODE XREF: PopThermalCoolingPowerSettingCallback+8196Cj
		cmp	eax, _PopCoolingMode
		jnz	loc_5E66A1

loc_564D91:				; CODE XREF: PopThermalCoolingPowerSettingCallback+8197Bj
		cmp	dword_6C2194, 0
		jz	short loc_564DA1
		and	dword_6C2194, 0

loc_564DA1:				; CODE XREF: PopThermalCoolingPowerSettingCallback+68j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	10h
; 

loc_564DB6:				; CODE XREF: PopThermalCoolingPowerSettingCallback+41j
		cmp	[ebp+arg_8], 4
		jnz	short loc_564D73
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		mov	dword_6C2D48, eax
		jmp	short loc_564D73
PopThermalCoolingPowerSettingCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxIdleTimeoutDpcRoutine proc	near	; DATA XREF: PopFxCreateDeviceCommon(x,x,x,x,x)+93o

var_6		= byte ptr -6
var_2		= byte ptr -2
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E66B0 SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [edi+0C8h]
		mov	[esp+0Fh], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	edx, [edi+10h]
		xor	esi, esi
		mov	eax, [edx]

loc_564DF5:				; CODE XREF: PopFxIdleTimeoutDpcRoutine+35j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_564DF5
		test	al, 4
		jz	loc_5E66D0
		push	0FFFFFFFBh
		pop	eax
		lock and [edx],	eax
		mov	eax, [edi+18h]
		push	esi
		cmp	eax, 2
		jnz	loc_5E66B0
		mov	ecx, [edi+1Ch]
		xor	dl, dl
		call	PopDiagTraceFxDevicePowerRequirement
		push	dword ptr [edi+64h]
		call	dword ptr [edi+4Ch]
		push	40h
		pop	ecx
		lea	eax, [edi+10h]
		lock or	[eax], ecx
		or	eax, 0FFFFFFFFh
		lea	ecx, [edi+18h]
		lock xadd [ecx], eax
		jnz	loc_5E66BD

loc_564E43:				; CODE XREF: PopFxIdleTimeoutDpcRoutine+81903j
					; PopFxIdleTimeoutDpcRoutine+81911j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E66DE
		xor	eax, eax
		lock and [ebx],	eax

loc_564E55:				; CODE XREF: PopFxIdleTimeoutDpcRoutine+81920j
		mov	cl, [esp+0Fh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
PopFxIdleTimeoutDpcRoutine endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 924. IoQueueThreadIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoQueueThreadIrp(x)
		public _IoQueueThreadIrp@4
_IoQueueThreadIrp@4 proc near		; CODE XREF: PiPagePathSetState+5Ep
					; PipSendGuestAssignedNotification(x,x)+44p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	IopQueueThreadIrp
		pop	ebp
		retn	4
_IoQueueThreadIrp@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PpmPerfForceDomainStates()
_PpmPerfForceDomainStates@0 proc near
		mov	ecx, ds:_PpmPerfDomainHead
		push	edi
		mov	edi, offset _PpmPerfDomainHead
		cmp	ecx, edi
		jz	short loc_564EC2
		push	esi

loc_564E91:				; CODE XREF: PpmPerfForceDomainStates()+3Fj
		cmp	byte ptr [ecx+215h], 0
		jz	short loc_564EBB
		xor	edx, edx
		mov	byte ptr [ecx+214h], 1
		cmp	[ecx+1Ch], edx
		jbe	short loc_564EBB
		xor	esi, esi

loc_564EAA:				; CODE XREF: PpmPerfForceDomainStates()+39j
		mov	eax, [ecx+24h]
		lea	esi, [esi+78h]
		inc	edx
		mov	byte ptr [eax+esi-0Ch],	1
		cmp	edx, [ecx+1Ch]
		jb	short loc_564EAA

loc_564EBB:				; CODE XREF: PpmPerfForceDomainStates()+18j
					; PpmPerfForceDomainStates()+26j
		mov	ecx, [ecx]
		cmp	ecx, edi
		jnz	short loc_564E91
		pop	esi

loc_564EC2:				; CODE XREF: PpmPerfForceDomainStates()+Ej
		mov	al, 1
		pop	edi
		retn
_PpmPerfForceDomainStates@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpModifyThreadPriorities proc near	; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+23Fp
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4E9p ...

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005E66ED SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jz	short loc_564F11
		mov	edx, large fs:124h
		mov	ecx, [esi+0Ch]
		mov	dword ptr [ebp+arg_0], edx
		test	ecx, ecx
		jnz	short loc_564F24
		test	edi, edi
		jz	loc_5E66ED
		mov	ecx, [edi+14h]
		add	edi, 18h

loc_564EF7:				; CODE XREF: FsRtlpModifyThreadPriorities+61j
		test	ecx, ecx
		jz	loc_5E66ED
		push	esi
		push	edi
		lea	eax, [esi+10h]
		push	eax
		call	FsRtlpDoBoost

loc_564F0A:				; CODE XREF: FsRtlpModifyThreadPriorities+57j
					; FsRtlpModifyThreadPriorities+8182Ej ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_564F11:				; CODE XREF: FsRtlpModifyThreadPriorities+10j
		test	edi, edi
		jz	loc_5E671C
		test	byte ptr [edi+18h], 20h
		jz	short loc_564F0A
		jmp	loc_5E673C
; 

loc_564F24:				; CODE XREF: FsRtlpModifyThreadPriorities+21j
		lea	edi, [esi+48h]
		jmp	short loc_564EF7
FsRtlpModifyThreadPriorities endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpDoBoost	proc near		; CODE XREF: FsRtlpModifyThreadPriorities+3Fp
					; FsRtlpModifyThreadPriorities+81840p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E6752 SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		xor	bl, bl
		push	edi
		mov	eax, [esi+2FCh]
		and	eax, 0E00h
		cmp	eax, 400h
		jb	loc_5E6752

loc_564F51:				; CODE XREF: FsRtlpDoBoost+8182Ej
					; FsRtlpDoBoost+81836j
		mov	cl, [edx+87h]
		movzx	edi, cl
		cmp	cl, 0Fh
		jnb	short loc_564FA2
		mov	edx, edi

loc_564F61:				; CODE XREF: FsRtlpDoBoost+7Bj
		mov	eax, [ebp+arg_0]
		movzx	eax, byte ptr [eax]
		cmp	eax, edx
		ja	short loc_564F72
		cmp	cl, 0Fh
		jnb	short loc_564FA7
		mov	eax, edi

loc_564F72:				; CODE XREF: FsRtlpDoBoost+3Fj
					; FsRtlpDoBoost+80j
		mov	ecx, [ebp+arg_0]
		mov	[ecx], al
		mov	cl, [esi+87h]
		test	bl, bl
		jnz	short loc_564F85
		cmp	al, cl
		jbe	short loc_564F9B

loc_564F85:				; CODE XREF: FsRtlpDoBoost+55j
		cmp	al, cl
		jbe	short loc_564F93
		movzx	edx, al
		mov	ecx, esi
		call	KeSetPriorityBoost

loc_564F93:				; CODE XREF: FsRtlpDoBoost+5Dj
		test	bl, bl
		jnz	loc_5E6765

loc_564F9B:				; CODE XREF: FsRtlpDoBoost+59j
					; FsRtlpDoBoost+81867j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_564FA2:				; CODE XREF: FsRtlpDoBoost+33j
		push	0Fh
		pop	edx
		jmp	short loc_564F61
; 

loc_564FA7:				; CODE XREF: FsRtlpDoBoost+44j
		push	0Fh
		pop	eax
		jmp	short loc_564F72
FsRtlpDoBoost	endp


;  S U B	R O U T	I N E 


KiEnableFastSyscallReturn proc near	; CODE XREF: KeRestoreProcessorSpecificFeatures()+25p
					; KiInitMachineDependent+116p

; FUNCTION CHUNK AT 005E6796 SIZE 00000012 BYTES

		mov	edx, _KiSystemCallExitAdjust
		push	ebx
		mov	bl, _KiSystemCallExitAdjusted
		movzx	eax, bl
		cmp	eax, edx
		jz	loc_5E6796

loc_564FC4:				; CODE XREF: KiEnableFastSyscallReturn+817F7j
		mov	cl, ds:byte_599E11
		movzx	eax, cl
		add	eax, edx
		cmp	eax, 80h
		jb	short loc_564FD8

loc_564FD6:				; CODE XREF: KiEnableFastSyscallReturn+817F1j
		pop	ebx
		retn
; 

loc_564FD8:				; CODE XREF: KiEnableFastSyscallReturn+28j
		test	bl, bl
		jnz	short loc_564FF3

loc_564FDC:				; CODE XREF: KiEnableFastSyscallReturn+49j
		add	cl, dl
		mov	_KiSystemCallExitAdjusted, dl
		mov	ds:byte_599E11,	cl
		mov	_KiFastCallCopyDoneOnce, 1
		pop	ebx
		retn
; 

loc_564FF3:				; CODE XREF: KiEnableFastSyscallReturn+2Ej
		sub	cl, bl
		jmp	short loc_564FDC
KiEnableFastSyscallReturn endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 830. IoFreeController

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoFreeController(x)
		public _IoFreeController@4
_IoFreeController@4 proc near		; CODE XREF: IoAllocateController(x,x,x,x)+43p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		add	esi, 8

loc_565008:				; CODE XREF: IoFreeController(x)+2Fj
		push	esi
		call	KeRemoveDeviceQueue
		test	eax, eax
		jnz	short loc_565017

loc_565012:				; CODE XREF: IoFreeController(x)+2Dj
		pop	esi
		pop	ebp
		retn	4
; 

loc_565017:				; CODE XREF: IoFreeController(x)+14j
		push	dword ptr [eax+14h]
		add	eax, 0FFFFFFCCh
		push	0
		push	dword ptr [eax+14h]
		push	eax
		call	dword ptr [eax+44h]
		cmp	eax, 2
		jnz	short loc_565012
		jmp	short loc_565008
_IoFreeController@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 551. FsRtlInitializeFileLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlInitializeFileLock(x, x, x)
		public _FsRtlInitializeFileLock@12
_FsRtlInitializeFileLock@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	eax, [ebp+arg_4]
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+0Ch], edx
		mov	[ecx+4], eax
		mov	[ecx+8], dl
		mov	[ecx+3Ch], edx
		pop	ebp
		retn	0Ch
_FsRtlInitializeFileLock@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 397. ExLocalTimeToSystemTime

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExLocalTimeToSystemTime(x, x)
		public _ExLocalTimeToSystemTime@8
_ExLocalTimeToSystemTime@8 proc	near	; CODE XREF: ExUpdateSystemTimeFromCmos+8Fp
					; ExpRefreshTimeZoneInformation(x)+5C3p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+268h]
		mov	ecx, [eax+1B8h]
		mov	esi, [eax+1BCh]
		mov	eax, [ebp+arg_0]
		mov	edx, [eax]
		add	edx, ecx
		mov	ecx, [eax+4]
		mov	eax, [ebp+arg_4]
		adc	ecx, esi
		pop	esi
		mov	[eax], edx
		mov	[eax+4], ecx
		pop	ebp
		retn	8
_ExLocalTimeToSystemTime@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 530. FsRtlGetNextFileLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlGetNextFileLock
FsRtlGetNextFileLock proc near

var_3E		= byte ptr -3Eh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005E67A8 SIZE 000001FC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		xor	eax, eax
		mov	[esp+44h+var_34], eax
		mov	[esp+44h+var_38], eax
		mov	[esp+44h+var_3E], al
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+0Ch]
		test	ebx, ebx
		jz	short loc_56513A
		lea	edx, [eax+10h]
		push	0Ah
		pop	ecx
		mov	esi, edx
		mov	[esp+50h+var_2C], edx
		lea	edi, [esp+50h+var_28]
		rep movsd
		mov	esi, [eax+38h]
		mov	[esp+50h+var_3C], esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esp+13h], al
		lea	eax, [ebx+10h]
		mov	ecx, eax
		mov	[esp+50h+var_30], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	[ebp+arg_4], 0
		jz	loc_5E67A8
		mov	eax, [ebx+18h]
		test	eax, eax
		jnz	loc_5E694C
		mov	eax, [ebx+14h]
		test	eax, eax
		jnz	loc_5E696D

loc_56510D:				; CODE XREF: FsRtlGetNextFileLock+817CFj
					; FsRtlGetNextFileLock+817FDj ...
		mov	ebx, esi

loc_56510F:				; CODE XREF: FsRtlGetNextFileLock+8189Dj
					; FsRtlGetNextFileLock+818D0j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E6979
		mov	eax, [esp+50h+var_30]
		xor	edx, edx
		lock and [eax],	edx

loc_565125:				; CODE XREF: FsRtlGetNextFileLock+818EFj
		mov	cl, [esp+13h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	byte ptr [esp+50h+var_34], 0
		jnz	loc_5E698A

loc_56513A:				; CODE XREF: FsRtlGetNextFileLock+24j
		xor	eax, eax

loc_56513C:				; CODE XREF: FsRtlGetNextFileLock+81909j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
FsRtlGetNextFileLock endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpApplyRewaitBoost(x)
_ExpApplyRewaitBoost@4 proc near	; DATA XREF: ExpAcquireSharedStarveExclusive+377o
					; ExpAcquireResourceExclusiveLite:loc_51E01Ao ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		mov	edx, 0FF00h
		mov	ecx, [ebp+arg_0]
		push	eax
		call	ExpApplyPriorityBoost
		pop	ebp
		retn	4
_ExpApplyRewaitBoost@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlEnlightenProcessor proc near		; CODE XREF: HvlpInitializeBootProcessor(x)+D8p
					; PopHandleNextState(x,x)+1EEp	...

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E69A4 SIZE 00000223 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		mov	[esp+28h+var_18], edx
		mov	[esp+28h+var_14], edx
		mov	[esp+28h+var_8], edx
		mov	[esp+28h+var_4], edx
		cmp	ds:_HvlHypervisorConnected, dl
		jnz	loc_5E69A4

loc_565190:				; CODE XREF: HvlEnlightenProcessor+8184Bj
					; HvlEnlightenProcessor+81A3Bj	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
HvlEnlightenProcessor endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmHighPerfRequestExpiration proc near	; DATA XREF: PopInitializeHighPerfPowerRequest+Do

; FUNCTION CHUNK AT 005E6BC7 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PpmHighPerfRequestLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		call	KeQueryInterruptTime
		cmp	edx, dword_6C206C
		ja	short loc_5651CC
		jb	short loc_5651F4
		cmp	eax, _PpmHighPerfDeferredEndTime
		jb	short loc_5651F4

loc_5651CC:				; CODE XREF: PpmHighPerfRequestExpiration+28j
		xor	esi, esi
		cmp	_PpmHighPerfDeferredEndCount, esi
		jbe	short loc_5651ED

loc_5651D6:				; CODE XREF: PpmHighPerfRequestExpiration+53j
		mov	ecx, _PpmHighPerfPowerRequest
		push	4
		pop	edx
		call	PoClearPowerRequestInternal
		inc	esi
		cmp	esi, _PpmHighPerfDeferredEndCount
		jb	short loc_5651D6

loc_5651ED:				; CODE XREF: PpmHighPerfRequestExpiration+3Cj
		and	_PpmHighPerfDeferredEndCount, 0

loc_5651F4:				; CODE XREF: PpmHighPerfRequestExpiration+2Aj
					; PpmHighPerfRequestExpiration+32j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E6BC7
		xor	eax, eax
		lock and [edi],	eax

loc_565206:				; CODE XREF: PpmHighPerfRequestExpiration+81A39j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	10h
PpmHighPerfRequestExpiration endp


;  S U B	R O U T	I N E 


; __stdcall CmpEnableLazyFlushDpcRoutine(x, x, x, x)
_CmpEnableLazyFlushDpcRoutine@16 proc near ; DATA XREF:	CmpCmdInit+11o
		xor	ecx, ecx
		inc	ecx
		call	_CmpEnableLazyFlush@4 ;	CmpEnableLazyFlush(x)
		retn	10h
_CmpEnableLazyFlushDpcRoutine@16 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpEnableLazyFlush(x)
_CmpEnableLazyFlush@4 proc near		; CODE XREF: CmpEnableLazyFlushDpcRoutine(x,x,x,x)+3p
					; CmpCoalescingCallback(x,x,x)+3Bp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		not	esi
		mov	edi, offset _CmpHoldLazyFlush
		mov	eax, [edi]

loc_565231:				; CODE XREF: CmpEnableLazyFlush(x)+17j
		mov	edx, eax
		and	edx, esi
		lock cmpxchg [edi], edx
		jnz	short loc_565231
		cmp	eax, ecx
		jnz	short loc_565252
		xor	esi, esi

loc_565241:				; CODE XREF: CmpEnableLazyFlush(x)+2Ej
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	CmpArmLazyWriter
		inc	esi
		cmp	esi, 3
		jb	short loc_565241

loc_565252:				; CODE XREF: CmpEnableLazyFlush(x)+1Bj
		pop	edi
		pop	esi
		retn
_CmpEnableLazyFlush@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2086. RtlFindLongestRunClear

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlFindLongestRunClear
RtlFindLongestRunClear proc near	; CODE XREF: RtlpHpFixedVsAllocate+96p
					; MiGetSystemPteStatistics(x,x,x)+24p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E6BD6 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	1
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_0]
		call	RtlFindClearRuns
		cmp	eax, 1
		jnz	loc_5E6BD6
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_8]
		mov	[ecx], eax
		mov	eax, [ebp+var_4]

locret_565285:				; CODE XREF: RtlFindLongestRunClear+81984j
		leave
		retn	8
RtlFindLongestRunClear endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopLoadCrashdumpDriver proc near	; CODE XREF: IoGetDumpStack(x,x,x,x)+9p
					; IopInitializeCrashDump+50p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E6BE3 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_4], edi
		cmp	_CrashdmpImageEntry, edi
		jnz	loc_56535F
		push	offset ??_C@_1FE@LIAPLLLG@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@FNODOBFM@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	22h
		push	edi
		lea	ecx, [ebp+var_10]
		call	_MmLoadSystemImageEx@24	; MmLoadSystemImageEx(x,x,x,x,x,x)
		test	eax, eax
		js	loc_565361
		push	[ebp+var_4]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	loc_5E6BE3
		mov	esi, [eax+28h]
		add	esi, [ebp+var_4]
		mov	[ebp+var_30], offset _IoArcBootDeviceName
		mov	[ebp+var_14], offset _PoHiberFileRoot
		call	_IopGetPhysicalMemoryBlock@0 ; IopGetPhysicalMemoryBlock()
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	short loc_565365
		mov	eax, _IopReportBugCheckProgress
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_30]
		push	offset _CrashdmpCallTable
		push	eax
		mov	[ebp+var_28], offset _IopLoadCrashdmpImage@24 ;	IopLoadCrashdmpImage(x,x,x,x,x,x)
		mov	[ebp+var_24], offset MmUnloadSystemImage
		mov	[ebp+var_20], offset _HvlGetEncryptedData@20 ; HvlGetEncryptedData(x,x,x,x,x)
		mov	[ebp+var_18], edi
		mov	_CrashdmpCallTable, 1
		mov	dword_6D4AC0, 0Bh
		call	esi
		test	eax, eax
		js	short loc_565361
		mov	eax, [ebp+var_8]
		mov	_CrashdmpImageEntry, eax
		mov	eax, [ebp+var_4]
		mov	_CrashdmpImageBase, eax

loc_56535F:				; CODE XREF: IopLoadCrashdumpDriver+21j
		xor	eax, eax

loc_565361:				; CODE XREF: IopLoadCrashdumpDriver+4Cj
					; IopLoadCrashdumpDriver+C3j ...
		pop	edi
		pop	esi
		leave
		retn
; 

loc_565365:				; CODE XREF: IopLoadCrashdumpDriver+80j
		mov	eax, 0C000009Ah
		jmp	short loc_565361
IopLoadCrashdumpDriver endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpOplockEnqueueRH(x, x)
_FsRtlpOplockEnqueueRH@8 proc near	; CODE XREF: FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)+B7p

var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx]
		sub	esp, 2Ch
		push	esi
		push	edi
		mov	edi, edx
		cmp	[eax+4], ecx
		jnz	short loc_5653B3
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[eax+4], edi
		lea	eax, [ebp+var_2C]
		push	2Ch		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ecx], edi
		call	_memset
		mov	ecx, [edi+0Ch]
		lea	edx, [ebp+var_2C]
		add	esp, 0Ch
		mov	[ebp+var_4], edi
		call	IoSetOplockPrivateFoExt
		mov	esi, eax
		test	esi, esi
		js	short loc_5653B8

loc_5653AD:				; CODE XREF: FsRtlpOplockEnqueueRH(x,x)+53j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_5653B3:				; CODE XREF: FsRtlpOplockEnqueueRH(x,x)+11j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5653B8:				; CODE XREF: FsRtlpOplockEnqueueRH(x,x)+3Fj
		mov	ecx, edi
		call	_FsRtlpOplockDequeueRH@4 ; FsRtlpOplockDequeueRH(x)
		jmp	short loc_5653AD
_FsRtlpOplockEnqueueRH@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2581. VfFailDeviceNode

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public VfFailDeviceNode
VfFailDeviceNode proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005E6BED SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_ViDdiInitialized, 0
		jnz	loc_5E6BED

loc_5653D8:				; CODE XREF: VfFailDeviceNode+81831j
					; VfFailDeviceNode+81841j
		pop	ebp
		retn
VfFailDeviceNode endp

; 
		align 10h
; Exported entry 2586. VfIsVerificationEnabled

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public VfIsVerificationEnabled
VfIsVerificationEnabled	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E6C1F SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_ViDdiInitialized, 0
		jnz	loc_5E6C1F

loc_5653F2:				; CODE XREF: VfIsVerificationEnabled+8184Fj
					; VfIsVerificationEnabled+81888j
		xor	eax, eax

loc_5653F4:				; CODE XREF: VfIsVerificationEnabled+81860j
					; VfIsVerificationEnabled+81879j ...
		pop	ebp
		retn	8
VfIsVerificationEnabled	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopIdleCancelAoAcDozeS4Timer proc near	; CODE XREF: PopIdleGlobalUserPresenceCallback(x,x,x,x)+37p
					; PopUpdateSystemIdleContext(x)+D9p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005E6C96 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	ebx, ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PopIdleAoAcDozeS4Lock
		mov	[ebp+var_1], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte_6C22E4, bl
		jnz	sub_5E6C7E

loc_565426:				; CODE XREF: sub_5E6C7E+13j
		test	ds:byte_70EFC6,	1
		jnz	loc_5E6C96
		xor	eax, eax
		lock and [edi],	eax

loc_565438:				; CODE XREF: PopIdleCancelAoAcDozeS4Timer+818A8j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jnz	short loc_56544C

loc_565445:				; CODE XREF: PopIdleCancelAoAcDozeS4Timer+5Bj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_56544C:				; CODE XREF: PopIdleCancelAoAcDozeS4Timer+4Bj
		mov	ecx, esi
		call	_PopTraceSystemIdleS0LowPowerDozeTimerCancelled@4 ; PopTraceSystemIdleS0LowPowerDozeTimerCancelled(x)
		jmp	short loc_565445
PopIdleCancelAoAcDozeS4Timer endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 240. CcSetReadAheadGranularityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcSetReadAheadGranularityEx(x, x)
		public _CcSetReadAheadGranularityEx@8
_CcSetReadAheadGranularityEx@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	ecx, [eax+18h]
		test	edx, edx
		jz	short loc_56549C
		mov	eax, [edx+4]
		dec	eax
		mov	[ecx+4], eax
		mov	eax, [edx+8]
		test	eax, eax
		jz	short loc_5654A0
		or	dword ptr [ecx], 200000h
		mov	[ecx+54h], eax

loc_565483:				; CODE XREF: CcSetReadAheadGranularityEx(x,x)+49j
		push	esi
		mov	esi, (offset loc_7FFFFF+1)
		cmp	eax, esi
		ja	short loc_5654A5

loc_56548D:				; CODE XREF: CcSetReadAheadGranularityEx(x,x)+4Ej
		mov	eax, [edx+0Ch]
		pop	esi
		test	eax, eax
		jnz	short loc_5654AA
		mov	dword ptr [ecx+58h], 32h

loc_56549C:				; CODE XREF: CcSetReadAheadGranularityEx(x,x)+10j
					; CcSetReadAheadGranularityEx(x,x)+53j
		pop	ebp
		retn	8
; 

loc_5654A0:				; CODE XREF: CcSetReadAheadGranularityEx(x,x)+1Ej
		mov	eax, [ecx+54h]
		jmp	short loc_565483
; 

loc_5654A5:				; CODE XREF: CcSetReadAheadGranularityEx(x,x)+31j
		mov	[ecx+54h], esi
		jmp	short loc_56548D
; 

loc_5654AA:				; CODE XREF: CcSetReadAheadGranularityEx(x,x)+39j
		mov	[ecx+58h], eax
		jmp	short loc_56549C
_CcSetReadAheadGranularityEx@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 432. ExSetResourceOwnerPointer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExSetResourceOwnerPointer
ExSetResourceOwnerPointer proc near	; CODE XREF: CcSetBcbOwnerPointer(x,x)+1Fp
					; CcSetBcbOwnerPointer(x,x)+36p

var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00565502 SIZE 0000001F BYTES
; FUNCTION CHUNK AT 00565525 SIZE 00000005 BYTES
; FUNCTION CHUNK AT 005E6CA5 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	0
		test	byte ptr [ecx+0Eh], 1
		jnz	loc_5E6CA5
		mov	edx, [ebp+arg_4]
		call	ExpSetResourceOwnerPointerEx
		pop	ebp
		retn	8
ExSetResourceOwnerPointer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEventCalloutDispatch	proc near	; CODE XREF: PopDispatchFullWake(x)+34p
					; PopPolicyTimeChange()+32p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00565521 SIZE 00000004 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		cmp	_PsWin32CalloutsEstablished, 0
		mov	[esp+10h+var_8], ecx
		mov	[esp+10h+var_4], edx
		jz	short loc_56551D
		cmp	ecx, 1
		jz	loc_5E6CB5
		push	0
		cmp	ecx, 0Ah
		jz	short loc_565521
		push	2
PopEventCalloutDispatch	endp

; START	OF FUNCTION CHUNK FOR ExSetResourceOwnerPointer

loc_565502:				; CODE XREF: PopEventCalloutDispatch+4Fj
					; ExSetResourceOwnerPointer+8180Dj
		push	3
		lea	edx, [esp+14h]
		pop	ecx
		call	PopInvokeWin32Callout
		mov	eax, large fs:124h
		cmp	dword ptr [eax+13Ch], 0
		jnz	short loc_565525

loc_56551D:				; CODE XREF: PopEventCalloutDispatch+1Aj
		mov	esp, ebp
		pop	ebp
		retn
; END OF FUNCTION CHUNK	FOR ExSetResourceOwnerPointer
; 
; START	OF FUNCTION CHUNK FOR PopEventCalloutDispatch

loc_565521:				; CODE XREF: PopEventCalloutDispatch+2Aj
		push	0
		jmp	short loc_565502
; END OF FUNCTION CHUNK	FOR PopEventCalloutDispatch
; 
; START	OF FUNCTION CHUNK FOR ExSetResourceOwnerPointer

loc_565525:				; CODE XREF: ExSetResourceOwnerPointer+67j
		push	20h
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
; END OF FUNCTION CHUNK	FOR ExSetResourceOwnerPointer ;	AL = character to display
; 
		dw 0CCCCh
		align 10h
; Exported entry 2123. RtlGetEnabledExtendedFeatures

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetEnabledExtendedFeatures(x, x)
		public _RtlGetEnabledExtendedFeatures@8
_RtlGetEnabledExtendedFeatures@8 proc near
					; CODE XREF: SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)+85p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:0FFDF03D8h
		or	eax, ds:0FFDF0708h
		mov	edx, ds:0FFDF03DCh
		or	edx, ds:0FFDF070Ch
		and	eax, [ebp+arg_0]
		and	edx, [ebp+arg_4]
		pop	ebp
		retn	8
_RtlGetEnabledExtendedFeatures@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopQueueWorkItem(x,	x)
_PopQueueWorkItem@8 proc near		; CODE XREF: PopCheckForIdleness(x,x,x,x)+169p
					; PopBsdHandleRequest(x)+29j ...
		xor	eax, eax
		push	ebx
		xor	bl, bl
		inc	eax
		lock xadd [ecx+10h], eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_565570
		push	edx
		push	ecx
		call	ExQueueWorkItem
		inc	bl

loc_565570:				; CODE XREF: PopQueueWorkItem(x,x)+Fj
		mov	al, bl
		pop	ebx
		retn
_PopQueueWorkItem@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEventDomainPerfStateChange proc near	; CODE XREF: PpmPerfApplyDomainState+4D0p

var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_6C		= dword	ptr -6Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E6CC6 SIZE 0000026A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_C8], ebx
		mov	eax, [ebx+140h]
		mov	[ebp+var_C0], eax
		mov	eax, [ebx+14Ch]
		mov	[ebp+var_C4], eax
		mov	eax, _WmiPerfStateDomainEventEnabled
		test	eax, eax
		jnz	loc_5E6CC6

loc_5655BB:				; CODE XREF: PpmEventDomainPerfStateChange+8179Ej
		cmp	_PpmEtwRegistered, 0
		jz	short loc_5655E2
		push	offset _PPM_ETW_DOMAIN_PERF_STATE_CHANGE
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5E6D17

loc_5655E2:				; CODE XREF: PpmEventDomainPerfStateChange+4Ej
					; PpmEventDomainPerfStateChange+819B7j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PpmEventDomainPerfStateChange endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoNotifySystemTimeSet(x, x,	x)
_PoNotifySystemTimeSet@12 proc near	; CODE XREF: ExpSetSystemTime+74p
					; ExpRefreshSystemTime()+CEp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_PsWin32CalloutsEstablished, 0
		push	ebx
		jz	short loc_565657
		mov	eax, [ecx]
		push	[ebp+arg_0]
		mov	_PopTimeChangeInfo, eax
		mov	eax, [ecx+4]
		mov	dword_6C3D34, eax
		mov	eax, [edx]
		mov	dword_6C3D38, eax
		mov	eax, [edx+4]
		mov	dword_6C3D3C, eax
		call	EtwTraceSystemTimeChange
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, _ExCbSetSystemTime
		xor	edx, edx
		push	0
		push	0
		mov	bl, al
		call	ExNotifyWithProcessing
		push	10h
		pop	ecx
		call	PopGetPolicyWorker
		call	PopCheckForWork
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_565657:				; CODE XREF: PoNotifySystemTimeSet(x,x,x)+Dj
		pop	ebx
		pop	ebp
		retn	4
_PoNotifySystemTimeSet@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetSystemTime(x, x, x)
_KeSetSystemTime@12 proc near		; CODE XREF: ExpSetSystemTime+5Fp
					; ExpRefreshSystemTime()+106p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_C		= byte ptr -0Ch
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		push	edi
		push	8
		xor	eax, eax
		lea	edi, [ebp+var_24]
		mov	esi, ecx
		pop	ecx
		rep stosd
		mov	byte ptr [ebp+var_24], al
		mov	[ebp+var_C], al
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	offset KiSetSystemTimeDpc
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], edx
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		pop	edi
		pop	esi
		leave
		retn	4
_KeSetSystemTime@12 endp


;  S U B	R O U T	I N E 


sub_565698	proc near		; CODE XREF: PAGE:007BE348p
					; PAGE:0083AD58p

; FUNCTION CHUNK AT 005E6F30 SIZE 0000005B BYTES

		cmp	_ViVerifierEnabled, 0
		jnz	loc_5E6F30

loc_5656A5:				; CODE XREF: sub_565698+818ABj
		push	20206F49h
		push	8
		push	200h
		call	ExAllocatePoolWithQuotaTag

locret_5656B6:				; CODE XREF: sub_565698+818D2j
		retn
sub_565698	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiSessionReferenceImage(x)
_MiSessionReferenceImage@4 proc	near	; CODE XREF: MmChangeImageProtection(x,x,x,x)+F2p
					; MiResolveImageReferences+3A8p
		call	_MiSessionLookupImage@4	; MiSessionLookupImage(x)
		test	eax, eax
		jz	short loc_5656C8
		inc	dword ptr [eax+20h]
		xor	eax, eax
		inc	eax
		retn
; 

loc_5656C8:				; CODE XREF: MiSessionReferenceImage(x)+7j
		xor	eax, eax
		retn
_MiSessionReferenceImage@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PpmBeginHighPerfRequest()
_PpmBeginHighPerfRequest@0 proc	near	; CODE XREF: PopIssueActionRequest+EDp
					; PoUserShutdownInitiated+C7p ...
		mov	edi, edi
		push	ecx
		mov	ecx, _PpmHighPerfPowerRequest
		test	ecx, ecx
		jz	short loc_5656E3
		push	4
		pop	edx
		call	PoSetPowerRequestInternal
		pop	ecx
		retn
; 

loc_5656E3:				; CODE XREF: PpmBeginHighPerfRequest()+Bj
		mov	eax, 0C0000001h
		pop	ecx
		retn
_PpmBeginHighPerfRequest@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlBootStatusDisableFlushing(x)
_RtlBootStatusDisableFlushing@4	proc near ; CODE XREF: PAGELK:0071F22Ap
					; PopUnlockAfterSleepWorker(x)+3Ap ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		cmp	_BootStatDisableFlush, cl
		jz	short locret_565726
		mov	_BootStatDisableFlush, cl
		test	cl, cl
		jnz	short locret_565726
		cmp	_BootStatFileHandleAcquired, cl
		jz	short locret_565726
		mov	eax, _BootStatFileHandle
		test	eax, eax
		jz	short locret_565726
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		call	_ZwFlushBuffersFile@8 ;	ZwFlushBuffersFile(x,x)

locret_565726:				; CODE XREF: RtlBootStatusDisableFlushing(x)+15j
					; RtlBootStatusDisableFlushing(x)+1Fj ...
		leave
		retn
_RtlBootStatusDisableFlushing@4	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 881. IoGetRequestorSessionId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoGetRequestorSessionId
IoGetRequestorSessionId	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+50h]
		test	ecx, ecx
		jz	loc_5E6F7B
		mov	ecx, [ecx+150h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		lea	ecx, [eax+1]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		xor	eax, eax

loc_56575C:				; CODE XREF: sub_565698+818EEj
		pop	ebp
		retn	8
IoGetRequestorSessionId	endp


;  S U B	R O U T	I N E 


; __stdcall PpmPerfCommitPerformance()
_PpmPerfCommitPerformance@0 proc near	; DATA XREF: .text:004049BCo
					; .text:00404A1Co
		mov	ecx, _PpmPerfControlCommitPerformance
		jmp	PpmPerfControlExecuteAction
_PpmPerfCommitPerformance@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


PpmPerfControlExecuteAction proc near	; CODE XREF: PpmCheckAcquireProcessorPerformance()+3Cp
					; PpmPerfCommitPerformance()+6j

; FUNCTION CHUNK AT 005E6F8B SIZE 0000000E BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jnz	loc_5E6F8B

loc_565779:				; CODE XREF: PpmPerfControlExecuteAction+81828j
		setz	al
		pop	esi
		retn
PpmPerfControlExecuteAction endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 411. ExRealTimeIsUniversal

;  S U B	R O U T	I N E 


; __stdcall ExRealTimeIsUniversal()
		public _ExRealTimeIsUniversal@0
_ExRealTimeIsUniversal@0 proc near
		cmp	_ExpRealTimeIsUniversal, 0
		setnz	al
		retn
_ExRealTimeIsUniversal@0 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1676. PoFxCompleteDevicePowerNotRequired

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxCompleteDevicePowerNotRequired
PoFxCompleteDevicePowerNotRequired proc	near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E6F99 SIZE 00000095 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		or	edi, 0FFFFFFFFh
		lock xadd [esi+18h], edi
		dec	edi
		jz	loc_5E6F99

loc_5657AD:				; CODE XREF: PoFxCompleteDevicePowerNotRequired+81865j
		test	edi, edi
		js	loc_5E6FFE
		pop	edi
		pop	esi
		pop	ebp
		retn	4
PoFxCompleteDevicePowerNotRequired endp

; 
		align 10h
; Exported entry 1141. KeFindFirstSetRightGroupAffinity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeFindFirstSetRightGroupAffinity(x)
		public _KeFindFirstSetRightGroupAffinity@4
_KeFindFirstSetRightGroupAffinity@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_5657D6
		bsf	eax, eax

locret_5657D2:				; CODE XREF: KeFindFirstSetRightGroupAffinity(x)+19j
		leave
		retn	4
; 

loc_5657D6:				; CODE XREF: KeFindFirstSetRightGroupAffinity(x)+Dj
		or	eax, 0FFFFFFFFh
		jmp	short locret_5657D2
_KeFindFirstSetRightGroupAffinity@4 endp

; 
		align 10h
; Exported entry 1461. MmQuerySystemSize

;  S U B	R O U T	I N E 


; __stdcall MmQuerySystemSize()
		public _MmQuerySystemSize@0
_MmQuerySystemSize@0 proc near
		push	2
		pop	eax
		retn
_MmQuerySystemSize@0 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1314. KeSweepLocalCaches

;  S U B	R O U T	I N E 


; __stdcall KeSweepLocalCaches()
		public _KeSweepLocalCaches@0
_KeSweepLocalCaches@0 proc near
		wbinvd
		retn
_KeSweepLocalCaches@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpGetParentLangId proc near		; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+4E2p
					; LdrResFallbackLangList+E2B94p

var_15C		= dword	ptr -15Ch
var_B0		= dword	ptr -0B0h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F539A SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 15Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, edx
		test	esi, esi
		jz	short loc_565821
		push	2
		push	55h
		lea	edx, [ebp+var_B0]
		call	DownLevelLangIDToLanguageName
		test	eax, eax
		jnz	loc_5F539A

loc_565821:				; CODE XREF: LdrpGetParentLangId+1Aj
		mov	eax, 0C000000Dh

loc_565826:				; CODE XREF: LdrpGetParentLangId+8FBDEj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
LdrpGetParentLangId endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DownLevelLangIDToLanguageName proc near	; CODE XREF: LdrLoadAlternateResourceModuleEx+13Dp
					; LdrpGetParentLangId+26p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F53D1 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	word ptr [ebp+var_4], cx
		push	edi
		mov	edi, edx
		test	esi, esi
		js	short loc_5658C2
		test	edi, edi
		jz	loc_5F53D1

loc_565852:				; CODE XREF: DownLevelLangIDToLanguageName+8FBA5j
		test	[ebp+arg_4], 0FFFFFFFDh
		jnz	short loc_5658C2
		push	offset ?CompareLangIDs@@YAHPBX0@Z ; int	__cdecl	(*)(const void *,const void *)
		push	0Ch		; size_t
		push	1B4h		; size_t
		lea	eax, [ebp+var_4]
		push	offset off_4022C0 ; void *
		push	eax		; void *
		call	_bsearch
		mov	ecx, eax
		add	esp, 14h
		test	ecx, ecx
		jz	short loc_5658C2
		test	byte ptr [ebp+arg_4], 2
		jnz	short loc_56588D
		call	IsNeutralLanguageItem
		test	eax, eax
		jnz	short loc_5658C2

loc_56588D:				; CODE XREF: DownLevelLangIDToLanguageName+4Ej
		mov	edx, [ecx]
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_565894:				; CODE XREF: DownLevelLangIDToLanguageName+69j
		mov	ax, [ecx]
		add	ecx, 2
		test	ax, ax
		jnz	short loc_565894
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, [ecx+1]
		test	edi, edi
		jz	short loc_5658B9
		push	ebx
		push	edx
		mov	edx, esi
		mov	ecx, edi
		call	StringCchCopyNW
		test	eax, eax
		js	short loc_5658C2

loc_5658B9:				; CODE XREF: DownLevelLangIDToLanguageName+74j
		mov	eax, ebx

loc_5658BB:				; CODE XREF: DownLevelLangIDToLanguageName+90j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_5658C2:				; CODE XREF: DownLevelLangIDToLanguageName+14j
					; DownLevelLangIDToLanguageName+25j ...
		xor	eax, eax
		jmp	short loc_5658BB
DownLevelLangIDToLanguageName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

StringCchCopyNW	proc near		; CODE XREF: DownLevelLangIDToLanguageName+7Cp
					; DownLevelGetParentLanguageName(x,x,x,x)+68p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F5529 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		test	edx, edx
		jz	short loc_5658FA
		cmp	edx, 7FFFFFFFh
		ja	short loc_5658FA

loc_5658D9:				; CODE XREF: StringCchCopyNW+39j
		test	eax, eax
		js	short loc_565901
		cmp	[ebp+arg_4], 7FFFFFFEh
		ja	loc_5F5529
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ecx
		call	sub_56590A

loc_5658F6:				; CODE XREF: StringCchCopyNW+3Dj
					; StringCchCopyNW+8FC6Dj
		pop	ebp
		retn	8
; 

loc_5658FA:				; CODE XREF: StringCchCopyNW+9j
					; StringCchCopyNW+11j
		mov	eax, 80070057h
		jmp	short loc_5658D9
; 

loc_565901:				; CODE XREF: StringCchCopyNW+15j
		test	edx, edx
		jz	short loc_5658F6
		jmp	loc_5F552E
StringCchCopyNW	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_56590A	proc near		; CODE XREF: StringCchCopyNW+2Bp

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	edx, edx
		jz	short loc_565955
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		sub	eax, ecx
		push	edi

loc_56591D:				; CODE XREF: sub_56590A+2Aj
		test	esi, esi
		jz	short loc_565936
		movzx	edi, word ptr [eax+ecx]
		test	di, di
		jz	short loc_565936
		mov	[ecx], di
		add	ecx, 2
		dec	esi
		sub	edx, 1
		jnz	short loc_56591D

loc_565936:				; CODE XREF: sub_56590A+15j
					; sub_56590A+1Ej
		pop	edi
		pop	esi
		test	edx, edx
		jz	short loc_565955

loc_56593C:				; CODE XREF: sub_56590A+4Ej
		neg	edx
		sbb	edx, edx
		and	edx, 7FF8FF86h
		xor	eax, eax
		mov	[ecx], ax
		lea	eax, [edx-7FF8FF86h]
		pop	ebp
		retn	0Ch
; 

loc_565955:				; CODE XREF: sub_56590A+7j
					; sub_56590A+30j
		sub	ecx, 2
		jmp	short loc_56593C
sub_56590A	endp


;  S U B	R O U T	I N E 


IsNeutralLanguageItem proc near		; CODE XREF: DownLevelLangIDToLanguageName+50p
					; DownLevelLanguageNameToLangID(x,x):loc_56DCD3p

; FUNCTION CHUNK AT 005F5538 SIZE 0000000F BYTES

		cmp	dword ptr [ecx+8], 7Ch
		jz	loc_5F5538

loc_565964:				; CODE XREF: IsNeutralLanguageItem+8FBE3j
		xor	eax, eax
		retn
IsNeutralLanguageItem endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

OpenGlobalizationUserSettingsKey proc near ; CODE XREF:	NtSetDefaultLocale+4Cp
					; ExpSetPendingUILanguage+CAp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F5547 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_565990
		call	GetGlobalizationUserModelType
		sub	eax, 1
		jnz	loc_5F5547
		push	esi
		push	8
		call	RtlOpenCurrentUser

loc_56598B:				; CODE XREF: OpenGlobalizationUserSettingsKey+2Dj
					; OpenGlobalizationUserSettingsKey+8FBEEj ...
		pop	esi
		pop	ebp
		retn	4
; 

loc_565990:				; CODE XREF: OpenGlobalizationUserSettingsKey+Bj
		mov	eax, 0C000000Dh
		jmp	short loc_56598B
OpenGlobalizationUserSettingsKey endp

; 
		align 4

;  S U B	R O U T	I N E 


GetGlobalizationUserModelType proc near	; CODE XREF: OpenGlobalizationUserSettingsKey+Dp

; FUNCTION CHUNK AT 005F557A SIZE 00000014 BYTES

		mov	ecx, dword_6D4B2C
		test	ecx, ecx
		jz	short loc_5659A5

loc_5659A2:				; CODE XREF: GetGlobalizationUserModelType+23j
		mov	eax, ecx
		retn
; 

loc_5659A5:				; CODE XREF: GetGlobalizationUserModelType+8j
		call	RtlIsMultiSessionSku
		test	al, al
		jz	loc_5F557A
		xor	ecx, ecx
		inc	ecx

loc_5659B5:				; CODE XREF: GetGlobalizationUserModelType+8FBF1j
		mov	dword_6D4B2C, ecx
		jmp	short loc_5659A2
GetGlobalizationUserModelType endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BapdWriteEtwEvents proc	near		; CODE XREF: BapdpProcessEtwEvents+94p
					; PopBootLoaderTraceEtwEvents(x)+1Ap

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F6822 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_6C], offset _GUID_NULL
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_70], eax
		push	edi
		mov	edi, eax
		mov	[ebp+var_50], eax
		mov	ebx, eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_78], eax
		mov	ecx, offset _BOOTENV_ETW_PROVIDER
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], eax
		lea	eax, [esi+edx]
		mov	[ebp+var_74], eax
		mov	dl, 1
		lea	eax, [ebp+var_60]
		mov	[ebp+var_58], edi
		push	eax
		mov	[ebp+var_54], ebx
		call	_BapdRegisterEtwProvider@12 ; BapdRegisterEtwProvider(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_48], ecx
		test	ecx, ecx
		js	loc_565B80
		lea	eax, [ebp+var_68]
		mov	[ebp+var_39], bl
		push	eax
		xor	dl, dl
		mov	ecx, offset _BOOT_PROVIDER_GUID
		call	_BapdRegisterEtwProvider@12 ; BapdRegisterEtwProvider(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_48], ecx
		test	ecx, ecx
		js	loc_565B80

loc_565A43:				; CODE XREF: BapdWriteEtwEvents+13Ej
		cmp	esi, [ebp+var_74]
		jnb	loc_565B73
		cmp	dword ptr [esi+8], 6
		jnz	loc_565AF1
		lea	edx, [ebp+var_70]
		push	edx
		lea	edx, [ebp+var_38]
		push	edx
		push	dword ptr [esi+40h]
		lea	ecx, [esi+30h]
		lea	edx, [esi+44h]
		call	_BapdpParseEventParts@20 ; BapdpParseEventParts(x,x,x,x,x)
		lea	eax, [esi+20h]
		push	10h		; size_t
		push	eax		; void *
		push	offset _BOOTENV_ETW_PROVIDER ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_565B32
		mov	eax, [ebp+var_60]
		mov	edx, [ebp+var_5C]

loc_565A8D:				; CODE XREF: BapdWriteEtwEvents+1B0j
		mov	[ebp+var_40], eax
		mov	[ebp+var_44], edx

loc_565A93:				; CODE XREF: BapdWriteEtwEvents+235j
					; BapdWriteEtwEvents+23Fj ...
		lea	ecx, [esi+30h]
		push	ecx
		push	edx
		push	eax
		call	EtwEventEnabled
		test	al, al
		jnz	short loc_565B01

loc_565AA2:				; CODE XREF: BapdWriteEtwEvents+16Cj
		push	10h
		pop	eax
		push	eax		; size_t
		lea	eax, [esi+20h]
		push	eax		; void *
		push	offset _BOOTENV_ETW_PROVIDER ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_565AF1
		movzx	edx, word ptr [esi+30h]
		mov	eax, edx
		cmp	eax, 0Bh
		jz	loc_565C21
		push	10h
		pop	ecx
		cmp	ax, cx
		jz	loc_5F6837
		cmp	eax, 14h
		jz	loc_565C7B
		cmp	eax, 1Dh
		jz	loc_5F6837
		cmp	edx, 20h
		jz	loc_565BC2

loc_565AF1:				; CODE XREF: BapdWriteEtwEvents+92j
					; BapdWriteEtwEvents+FBj ...
		mov	eax, [esi+4]
		add	esi, 7
		add	esi, eax
		and	esi, 0FFFFFFF8h
		jmp	loc_565A43
; 

loc_565B01:				; CODE XREF: BapdWriteEtwEvents+E2j
		movzx	ecx, byte ptr [esi+0Fh]
		lea	eax, [ebp+var_38]
		push	eax
		push	[ebp+var_70]
		neg	ecx
		lea	eax, [esi+10h]
		sbb	ecx, ecx
		and	ecx, eax
		lea	eax, [esi+30h]
		push	ecx
		push	eax
		push	[ebp+var_44]
		push	[ebp+var_40]
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	[ebp+var_48], eax
		test	eax, eax
		jns	loc_565AA2
		jmp	short loc_565B80
; 

loc_565B32:				; CODE XREF: BapdWriteEtwEvents+C3j
		push	10h
		pop	eax
		push	eax		; size_t
		lea	eax, [esi+20h]
		push	eax		; void *
		push	offset _BOOT_PROVIDER_GUID ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_565BE1
		push	10h
		pop	eax
		push	eax		; size_t
		lea	eax, [esi+20h]
		push	eax		; void *
		push	[ebp+var_6C]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		mov	eax, edi
		jnz	loc_565C28
		mov	edx, ebx
		jmp	loc_565A8D
; 

loc_565B73:				; CODE XREF: BapdWriteEtwEvents+88j
		call	_ExIsSoftBoot@0	; ExIsSoftBoot()
		test	al, al
		jnz	loc_5F6844

loc_565B80:				; CODE XREF: BapdWriteEtwEvents+5Fj
					; BapdWriteEtwEvents+7Fj ...
		mov	eax, [ebp+var_60]
		or	eax, [ebp+var_5C]
		jz	short loc_565B93
		push	[ebp+var_5C]
		push	[ebp+var_60]
		call	EtwUnregister

loc_565B93:				; CODE XREF: BapdWriteEtwEvents+1C8j
		mov	ecx, [ebp+var_68]
		mov	eax, ecx
		mov	edx, [ebp+var_64]
		or	eax, edx
		jz	short loc_565BA6
		push	edx
		push	ecx
		call	EtwUnregister

loc_565BA6:				; CODE XREF: BapdWriteEtwEvents+1DFj
		mov	eax, edi
		or	eax, ebx
		jnz	loc_565C8B

loc_565BB0:				; CODE XREF: BapdWriteEtwEvents+2D4j
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_48]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_565BC2:				; CODE XREF: BapdWriteEtwEvents+12Dj
		push	offset ??_C@_1CK@CHAEGJLO@?$AAB?$AAo?$AAo?$AAt?$AAm?$AAg?$AAr?$AAU?$AAs?$AAe?$AAr?$AAI?$AAn?$AAp?$AAu@FNODOBFM@	; "BootmgrUserInputTime"

loc_565BC7:				; CODE XREF: BapdWriteEtwEvents+268j
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_50]
		push	eax
		lea	ecx, [esi+44h]
		call	_BapdpWriteEventDataToRegistry@12 ; BapdpWriteEventDataToRegistry(x,x,x)
		jmp	loc_565AF1
; 

loc_565BE1:				; CODE XREF: BapdWriteEtwEvents+18Bj
		cmp	[ebp+var_39], 0
		mov	ecx, [ebp+var_64]
		mov	edx, ecx
		mov	eax, [ebp+var_68]
		mov	[ebp+var_40], eax
		mov	[ebp+var_44], edx
		jnz	loc_565A93
		cmp	byte ptr [esi+33h], 0Bh
		jnz	loc_565A93
		push	[ebp+var_30]
		push	[ebp+var_38]
		push	2
		push	ecx
		push	eax
		call	EtwSetInformation
		mov	eax, [ebp+var_40]
		mov	edx, [ebp+var_44]
		mov	[ebp+var_39], 1
		jmp	loc_565A93
; 

loc_565C21:				; CODE XREF: BapdWriteEtwEvents+106j
		push	offset ??_C@_1BC@PIAIECI@?$AAP?$AAO?$AAS?$AAT?$AAT?$AAi?$AAm?$AAe@FNODOBFM@
		jmp	short loc_565BC7
; 

loc_565C28:				; CODE XREF: BapdWriteEtwEvents+1A8j
		or	eax, ebx
		jnz	sub_5F680E

loc_565C30:				; CODE XREF: sub_5F680E+Fj
		cmp	byte ptr [esi+33h], 0Bh
		lea	eax, [ebp+var_58]
		lea	ebx, [esi+20h]
		push	eax
		setnz	dl
		mov	ecx, ebx
		call	_BapdRegisterEtwProvider@12 ; BapdRegisterEtwProvider(x,x,x)
		mov	edi, [ebp+var_58]
		mov	ecx, eax
		mov	[ebp+var_48], ecx
		test	ecx, ecx
		js	short loc_565C97
		cmp	byte ptr [esi+33h], 0Bh
		mov	[ebp+var_6C], ebx
		mov	ebx, [ebp+var_54]
		mov	[ebp+var_40], edi
		mov	[ebp+var_44], ebx
		jnz	short loc_565C72
		push	[ebp+var_30]
		push	[ebp+var_38]
		push	2
		push	ebx
		push	edi
		call	EtwSetInformation

loc_565C72:				; CODE XREF: BapdWriteEtwEvents+2A3j
		mov	edx, ebx
		mov	eax, edi
		jmp	loc_565A93
; 

loc_565C7B:				; CODE XREF: BapdWriteEtwEvents+11Bj
		xor	eax, eax
		cmp	[esi+44h], eax
		jnz	loc_565AF1
		jmp	loc_5F6822
; 

loc_565C8B:				; CODE XREF: BapdWriteEtwEvents+1ECj
		push	ebx
		push	edi
		call	EtwUnregister
		jmp	loc_565BB0
; 

loc_565C97:				; CODE XREF: BapdWriteEtwEvents+291j
		mov	ebx, [ebp+var_54]
		jmp	loc_565B80
BapdWriteEtwEvents endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpParseEventParts(x, x, x, x, x)
_BapdpParseEventParts@20 proc near	; CODE XREF: BapdWriteEtwEvents+A9p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	byte ptr [ecx+3], 0Bh
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		jz	short loc_565CD3

loc_565CB4:				; CODE XREF: BapdpParseEventParts(x,x,x,x,x)+36j
					; BapdpParseEventParts(x,x,x,x,x)+40j ...
		mov	eax, [ebp+arg_4]
		xor	ebx, ebx
		mov	[eax], esi
		xor	esi, esi
		mov	[eax+4], esi
		inc	ebx
		mov	[eax+8], ecx
		mov	[eax+0Ch], esi

loc_565CC7:				; CODE XREF: BapdpParseEventParts(x,x,x,x,x)+9Aj
		mov	eax, [ebp+arg_8]
		pop	edi
		pop	esi
		mov	[eax], ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_565CD3:				; CODE XREF: BapdpParseEventParts(x,x,x,x,x)+12j
		cmp	ecx, 7
		jb	short loc_565CB4
		movzx	edx, word ptr [esi]
		push	3
		pop	ebx
		cmp	edx, ebx
		jb	short loc_565CB4
		lea	eax, [ecx-4]
		cmp	edx, eax
		ja	short loc_565CB4
		lea	eax, [edx+esi]
		mov	[ebp+arg_0], eax
		movzx	eax, word ptr [eax]
		mov	[ebp+var_4], eax
		cmp	eax, 4
		jb	short loc_565CB4
		mov	edi, ecx
		sub	edi, edx
		cmp	eax, edi
		ja	short loc_565CB4
		mov	ecx, [ebp+arg_4]
		mov	[ecx+8], edx
		mov	edx, [ebp+arg_0]
		mov	[ecx], esi
		xor	esi, esi
		mov	[ecx+18h], eax
		add	eax, edx
		sub	edi, [ebp+var_4]
		mov	[ecx+0Ch], esi
		mov	[ecx+1Ch], esi
		mov	[ecx+4], esi
		mov	byte ptr [ecx+0Ch], 2
		mov	[ecx+10h], edx
		mov	[ecx+14h], esi
		mov	byte ptr [ecx+1Ch], 1
		mov	[ecx+20h], eax
		mov	[ecx+24h], esi
		mov	[ecx+28h], edi
		mov	[ecx+2Ch], esi
		jmp	short loc_565CC7
_BapdpParseEventParts@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdRegisterEtwProvider(x, x, x)
_BapdRegisterEtwProvider@12 proc near	; CODE XREF: BapdWriteEtwEvents+53p
					; BapdWriteEtwEvents+73p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	bl, dl
		push	edi
		push	esi
		xor	edi, edi
		push	edi
		push	edi
		push	ecx
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		test	eax, eax
		js	short loc_565D7E
		test	bl, bl
		jz	short loc_565D75
		movzx	eax, word ptr ds:?Traits@?1??EnableManifestedProviderForMicrosoftTelemetry@@9@9	; `EnableManifestedProviderForMicrosoftTelemetry'::`2'::Traits
		push	eax
		push	offset ?Traits@?1??EnableManifestedProviderForMicrosoftTelemetry@@9@9 ;	`EnableManifestedProviderForMicrosoftTelemetry'::`2'::Traits
		push	2
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		call	EtwSetInformation

loc_565D75:				; CODE XREF: BapdRegisterEtwProvider(x,x,x)+1Ej
		xor	eax, eax

loc_565D77:				; CODE XREF: BapdRegisterEtwProvider(x,x,x)+47j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_565D7E:				; CODE XREF: BapdRegisterEtwProvider(x,x,x)+1Aj
		mov	[esi], edi
		mov	[esi+4], edi
		jmp	short loc_565D77
_BapdRegisterEtwProvider@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 396. ExIsSoftBoot

;  S U B	R O U T	I N E 


; __stdcall ExIsSoftBoot()
		public _ExIsSoftBoot@0
_ExIsSoftBoot@0	proc near		; CODE XREF: BapdWriteEtwEvents:loc_565B73p
					; BapdRecordFirmwareBootStats+87p ...
		mov	eax, dword_6BBFD8
		xor	ecx, ecx
		and	eax, 4
		or	eax, ecx
		jnz	short loc_565D9B

loc_565D98:				; CODE XREF: ExIsSoftBoot()+13j
		mov	al, cl
		retn
; 

loc_565D9B:				; CODE XREF: ExIsSoftBoot()+Cj
		mov	cl, 1
		jmp	short loc_565D98
_ExIsSoftBoot@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PopOpenPowerKey(x)
_PopOpenPowerKey@4 proc	near		; CODE XREF: PopDiagTraceHiberStats+3Ep
					; PopReadSystemAwayModePolicy+3Bp ...
		mov	edi, edi
		push	ecx
		push	2001Fh
		mov	edx, offset _PopRegKey ; "Control\\Session Manager\\Power"
		call	_PopOpenKey@12	; PopOpenKey(x,x,x)
		pop	ecx
		retn
_PopOpenPowerKey@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopOpenKey(x, x, x)
_PopOpenKey@12	proc near		; CODE XREF: PopOpenPowerKey(x)+Dp
					; PpmInitIllegalThrottleLogging+2Ep ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		xor	eax, eax
		mov	[ebp+var_2C], 18h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_14], eax
		mov	ebx, edx
		mov	[ebp+var_10], eax
		mov	edi, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], 240h
		push	eax
		mov	[ebp+var_24], offset _CmRegistryMachineSystemCurrentControlSet
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_565E5F
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_8]
		xor	ebx, ebx
		push	ebx
		push	ebx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_14]
		push	ebx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	ebx
		push	eax
		push	[ebp+arg_0]
		lea	eax, [ebp+var_C]
		mov	[ebp+var_2C], 18h
		push	eax
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_565E68
		mov	eax, [ebp+var_C]
		mov	[edi], eax

loc_565E52:				; CODE XREF: PopOpenKey(x,x,x)+B7j
		cmp	[ebp+var_8], ebx
		jz	short loc_565E5F
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_565E5F:				; CODE XREF: PopOpenKey(x,x,x)+51j
					; PopOpenKey(x,x,x)+A1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_565E68:				; CODE XREF: PopOpenKey(x,x,x)+97j
		mov	[ebp+var_C], ebx
		jmp	short loc_565E52
_PopOpenKey@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpMarkDeviceStackExtensionFlag proc near ; CODE	XREF: IopDoDeferredSetInterfaceState(x)+28p
					; PiProcessNewDeviceNode+2E6p ...

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 005C4E25 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	esi, ecx
		mov	edi, edx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al
		test	esi, esi
		jz	short loc_565EA5
		mov	dl, [ebp+arg_0]

loc_565E8D:				; CODE XREF: PpMarkDeviceStackExtensionFlag+33j
		mov	ecx, [esi+0B0h]
		test	dl, dl
		jnz	short loc_565EEA
		mov	eax, edi
		not	eax
		and	[ecx+10h], eax

loc_565E9E:				; CODE XREF: PpMarkDeviceStackExtensionFlag+7Dj
		mov	esi, [esi+10h]
		test	esi, esi
		jnz	short loc_565E8D

loc_565EA5:				; CODE XREF: PpMarkDeviceStackExtensionFlag+18j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jnz	loc_5C4E25
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5C4E3B
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5C4E34

loc_565EDB:				; CODE XREF: PpMarkDeviceStackExtensionFlag+5EFBFj
					; PpMarkDeviceStackExtensionFlag+5EFDAj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_565EEA:				; CODE XREF: PpMarkDeviceStackExtensionFlag+25j
		or	[ecx+10h], edi
		jmp	short loc_565E9E
PpMarkDeviceStackExtensionFlag endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PnpSetDeviceInstanceStartedEvent(x)
_PnpSetDeviceInstanceStartedEvent@4 proc near ;	CODE XREF: PipProcessStartPhase3+93p
		mov	edi, edi
		push	ecx
		add	ecx, 14h
		call	PnpSetDeviceInstanceStartedEventFromDeviceInstance
		pop	ecx
		retn
_PnpSetDeviceInstanceStartedEvent@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpSetDeviceInstanceStartedEventFromDeviceInstance proc	near
					; CODE XREF: PnpSetDeviceInstanceStartedEvent(x)+6p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C4E4F SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	dword_6CC5E4, 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		jnz	loc_5C4E4F
		movzx	eax, word ptr [eax]
		add	eax, 46h
		mov	[ebp+var_4], eax
		lea	ecx, [eax+48h]
		call	_PnpCreateDeviceEventEntry@4 ; PnpCreateDeviceEventEntry(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_565F94
		mov	eax, [ebp+var_4]
		lea	edi, [ebx+48h]
		xor	ecx, ecx
		mov	esi, offset _GUID_DEVICE_ARRIVAL
		mov	[ebx+10h], ecx
		mov	[ebx+8], ecx
		mov	[ebx+1Ch], ecx
		mov	[ebx+20h], ecx
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_8]
		mov	dword ptr [ebx+58h], 0Bh
		mov	[ebx+5Ch], ecx
		mov	[ebx+60h], ecx
		mov	[ebx+64h], eax
		mov	[ebx+68h], ecx
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_565F7C
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [ebx+6Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_565F7C:				; CODE XREF: PnpSetDeviceInstanceStartedEventFromDeviceInstance+6Bj
		movzx	eax, word ptr [esi]
		xor	ecx, ecx
		shr	eax, 1
		mov	[ebx+eax*2+6Ch], cx
		mov	ecx, ebx
		call	PnpInsertEventInQueue

loc_565F8F:				; CODE XREF: PnpSetDeviceInstanceStartedEventFromDeviceInstance+9Bj
					; PnpSetDeviceInstanceStartedEventFromDeviceInstance+5EF56j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_565F94:				; CODE XREF: PnpSetDeviceInstanceStartedEventFromDeviceInstance+31j
		mov	eax, 0C000009Ah
		jmp	short loc_565F8F
PnpSetDeviceInstanceStartedEventFromDeviceInstance endp

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall PpvUtilTestStartedPdoStack(x)
@PpvUtilTestStartedPdoStack@4 proc near	; CODE XREF: PipProcessStartPhase3+9Ep
		cmp	_PpvUtilVerifierEnabled, 0
		jnz	@VfMajorTestStartedPdoStack@4 ;	VfMajorTestStartedPdoStack(x)
		retn
@PpvUtilTestStartedPdoStack@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpIrpDeviceEnumerated(x)
_PnpIrpDeviceEnumerated@4 proc near	; CODE XREF: PiProcessNewDeviceNode+924p

var_24		= dword	ptr -24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		push	edi
		push	9
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		pop	ecx
		xor	eax, eax
		lea	edx, [ebp+var_24]
		push	eax
		rep stosd
		push	eax
		push	0C00000BBh
		mov	ecx, esi
		mov	word ptr [ebp+var_24], 191Bh
		call	IopSynchronousCall
		pop	edi
		pop	esi
		leave
		retn
_PnpIrpDeviceEnumerated@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepCacheHwIdHash(x)
_KsepCacheHwIdHash@4 proc near		; DATA XREF: KsepEngineInitialize+41o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, [ebp+arg_0]
		push	0
		push	1
		add	eax, 14h
		push	eax
		call	RtlHashUnicodeString
		mov	eax, [ebp+var_4]
		leave
		retn	4
_KsepCacheHwIdHash@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 971. IoResolveDependency

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoResolveDependency
IoResolveDependency proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005C4E59 SIZE 000000B7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	cl, 1
		mov	ebx, edi
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], 1
		mov	[ebp+var_4], eax
		call	PipQueryBindingResolution
		mov	esi, [ebp+arg_4]
		mov	ecx, eax
		test	ecx, ecx
		jnz	loc_5C4E59

loc_56603D:				; CODE XREF: IoResolveDependency+5EE70j
		test	esi, esi
		jz	loc_5C4EC3
		mov	eax, [esi+0B0h]
		mov	eax, [eax+2Ch]

loc_56604E:				; CODE XREF: IoResolveDependency+5EEBFj
		test	eax, eax
		jnz	short loc_5660BB
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], esi
		call	PipCreateDependencyNode
		mov	edi, eax
		test	edi, edi
		jz	loc_5C4ECA
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_PipAddBindingId@8 ; PipAddBindingId(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_5C4ED4
		mov	ecx, edi
		call	_PipDereferenceDependencyNode@4	; PipDereferenceDependencyNode(x)

loc_566085:				; CODE XREF: IoResolveDependency+D0j
					; IoResolveDependency+5EE79j ...
		test	esi, esi
		jz	short loc_56609A
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jnz	loc_5C4EE9

loc_56609A:				; CODE XREF: IoResolveDependency+81j
					; IoResolveDependency+5EEEDj ...
		mov	ecx, esi
		call	_PipAddtoRebuildPowerRelationsQueue@4 ;	PipAddtoRebuildPowerRelationsQueue(x)
		mov	ecx, esi
		call	PipAddDependentsToRebuildPowerRelationsQueue
		call	_PnpReleaseDependencyRelationsLock@0 ; PnpReleaseDependencyRelationsLock()
		call	_PipProcessRebuildPowerRelationsQueue@0	; PipProcessRebuildPowerRelationsQueue()

loc_5660B2:				; CODE XREF: IoResolveDependency+D7j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_5660BB:				; CODE XREF: IoResolveDependency+4Aj
		test	esi, esi
		jz	short loc_5660C8
		mov	eax, [esi+0B0h]
		mov	edi, [eax+2Ch]

loc_5660C8:				; CODE XREF: IoResolveDependency+B7j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_PipAddBindingId@8 ; PipAddBindingId(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_566085

loc_5660D8:				; CODE XREF: IoResolveDependency+5EE5Cj
					; IoResolveDependency+5EEC9j ...
		call	_PnpReleaseDependencyRelationsLock@0 ; PnpReleaseDependencyRelationsLock()
		jmp	short loc_5660B2
IoResolveDependency endp

; 
		align 10h

;  S U B	R O U T	I N E 


IopVerifierExAllocatePool proc near	; CODE XREF: IoAllocateWorkItem(x)+Dp
					; IopBuildAsynchronousFsdRequest+125p ...

; FUNCTION CHUNK AT 005C4F10 SIZE 00000034 BYTES

		cmp	_ViVerifierEnabled, 0
		jnz	loc_5C4F10

loc_5660ED:				; CODE XREF: IopVerifierExAllocatePool+5EE43j
		push	20206F49h
		push	edx
		push	ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
IopVerifierExAllocatePool endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDiagnosticTraceElamDecision(x, x, x, x)
_PnpDiagnosticTraceElamDecision@16 proc	near ; CODE XREF: PnpDoPolicyCheck+35p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, dword_6D4DF4
		push	esi
		push	edi
		mov	edi, _PnpEtwHandle
		xor	esi, esi
		mov	eax, edi
		mov	[ebp+var_38], edx
		or	eax, ebx
		jz	short loc_56617B
		push	offset _KMPnPEvt_EarlyLaunch_PolicyCheck
		push	ebx
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_56617B
		lea	eax, [ebp+var_38]
		mov	[ebp+var_30], esi
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	esi
		push	offset _KMPnPEvt_EarlyLaunch_PolicyCheck
		push	ebx
		push	edi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	esi, eax

loc_56617B:				; CODE XREF: PnpDiagnosticTraceElamDecision(x,x,x,x)+2Aj
					; PnpDiagnosticTraceElamDecision(x,x,x,x)+3Aj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PnpDiagnosticTraceElamDecision@16 endp


;  S U B	R O U T	I N E 


; __stdcall PnpWaitForBootDevicesDeleted()
_PnpWaitForBootDevicesDeleted@0	proc near ; CODE XREF: IopInitializeBootDrivers:loc_AB43EAp
					; PipInitializeCoreDriversByGroup+F2p
		mov	edi, edi
		push	ecx
		call	_PnpWaitForEmptyDeviceEventQueue@0 ; PnpWaitForEmptyDeviceEventQueue()
		xor	ecx, ecx
		test	eax, eax
		setns	cl
		mov	eax, ecx
		pop	ecx
		retn
_PnpWaitForBootDevicesDeleted@0	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopPnPCompleteRequest(x, x,	x)
_IopPnPCompleteRequest@12 proc near	; CODE XREF: IopPnPDispatch+F8p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	[ecx+18h], edx
		xor	dl, dl
		mov	[ecx+1Ch], eax
		call	IofCompleteRequest
		pop	ebp
		retn	4
_IopPnPCompleteRequest@12 endp

; 
		align 10h
; Exported entry 2190. RtlIoDecodeMemIoResource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIoDecodeMemIoResource
RtlIoDecodeMemIoResource proc near	; CODE XREF: PnpFilterResourceRequirementsList+4D3p
					; IopGenericScoreRequirement+2Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005C4F44 SIZE 00000062 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		mov	al, [edx+1]
		mov	esi, ecx
		mov	ebx, ecx
		mov	edi, ecx
		cmp	al, 1
		jz	short loc_5661E2
		cmp	al, 3
		jnz	loc_5C4F44

loc_5661E2:				; CODE XREF: RtlIoDecodeMemIoResource+18j
		mov	esi, [edx+8]
		mov	edi, [edx+0Ch]

loc_5661E8:				; CODE XREF: RtlIoDecodeMemIoResource+5EDA7j
					; RtlIoDecodeMemIoResource+5EDCBj ...
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_5661F4
		mov	[eax], edi
		mov	[eax+4], ecx

loc_5661F4:				; CODE XREF: RtlIoDecodeMemIoResource+2Dj
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_566206
		mov	eax, [edx+10h]
		mov	[ecx], eax
		mov	eax, [edx+14h]
		mov	[ecx+4], eax

loc_566206:				; CODE XREF: RtlIoDecodeMemIoResource+39j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_566218
		mov	ecx, [edx+18h]
		mov	[eax], ecx
		mov	ecx, [edx+1Ch]
		mov	[eax+4], ecx

loc_566218:				; CODE XREF: RtlIoDecodeMemIoResource+4Bj
		pop	edi
		mov	eax, esi
		mov	edx, ebx
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
RtlIoDecodeMemIoResource endp

; 
		align 8
; Exported entry 1982. RtlCmEncodeMemIoResource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlCmEncodeMemIoResource
RtlCmEncodeMemIoResource proc near	; CODE XREF: IopInitializeResourceMap+201p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005C4FA6 SIZE 000000B0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, byte ptr [ebp+arg_4]
		mov	edx, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_14]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_10]
		cmp	al, 3
		jnz	short loc_56628C

loc_566243:				; CODE XREF: RtlCmEncodeMemIoResource+7Aj
		cmp	al, 1
		jz	short loc_566290

loc_566247:				; CODE XREF: RtlCmEncodeMemIoResource+6Fj
		mov	ecx, [ebp+arg_0]
		mov	[ecx+4], edi
		mov	[ecx+8], ebx
		cmp	al, 1
		jz	short loc_56629B
		mov	ax, [ecx+2]
		mov	edi, 0F1FFh
		and	ax, di
		movzx	ebx, ax
		movzx	edi, ax
		mov	[ecx+2], ax
		test	edx, edx
		jb	short loc_56627D
		ja	loc_5C4FA6
		cmp	esi, 0FFFFFFFFh
		ja	loc_5C4FA6

loc_56627D:				; CODE XREF: RtlCmEncodeMemIoResource+44j
		mov	byte ptr [ecx],	3

loc_566280:				; CODE XREF: RtlCmEncodeMemIoResource+76j
		mov	[ecx+0Ch], esi

loc_566283:				; CODE XREF: RtlCmEncodeMemIoResource+5EDBFj
					; RtlCmEncodeMemIoResource+5EE10j
		xor	eax, eax

loc_566285:				; CODE XREF: RtlCmEncodeMemIoResource+81j
					; RtlCmEncodeMemIoResource+5EE29j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
; 

loc_56628C:				; CODE XREF: RtlCmEncodeMemIoResource+19j
		cmp	al, 1
		jnz	short loc_5662A0

loc_566290:				; CODE XREF: RtlCmEncodeMemIoResource+1Dj
		test	edx, edx
		jnz	short loc_5662A4
		cmp	esi, 0FFFFFFFFh
		jbe	short loc_566247
		jmp	short loc_5662A4
; 

loc_56629B:				; CODE XREF: RtlCmEncodeMemIoResource+2Aj
		mov	byte ptr [ecx],	1
		jmp	short loc_566280
; 

loc_5662A0:				; CODE XREF: RtlCmEncodeMemIoResource+66j
		cmp	al, 7
		jz	short loc_566243

loc_5662A4:				; CODE XREF: RtlCmEncodeMemIoResource+6Aj
					; RtlCmEncodeMemIoResource+71j
		mov	eax, 0C000000Dh
		jmp	short loc_566285
RtlCmEncodeMemIoResource endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeNonPagedPoolThresholds proc	near
					; CODE XREF: MiPerformMemoryChange(x,x,x,x,x):loc_627E36p
					; MiInitializeNonPagedPool():loc_AB55AFp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C5056 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		mov	ecx, offset unk_6D58C0
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, dword_6D35D8
		mov	ecx, dword_6D5D88
		cmp	eax, ecx
		ja	short loc_566335

loc_5662EB:				; CODE XREF: MiInitializeNonPagedPoolThresholds+8Bj
		test	ds:byte_70EFC6,	1
		mov	_MiState, eax
		jnz	loc_5C5056
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5C506E
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5C5066

loc_56631F:				; CODE XREF: MiInitializeNonPagedPoolThresholds+5EDB5j
					; MiInitializeNonPagedPoolThresholds+5EDD2j
		mov	cl, byte ptr [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		call	MiSignalNonPagedPoolWatchers
		pop	edi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_566335:				; CODE XREF: MiInitializeNonPagedPoolThresholds+3Dj
		mov	eax, ecx
		jmp	short loc_5662EB
MiInitializeNonPagedPoolThresholds endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSignalNonPagedPoolWatchers proc near	; CODE XREF: MiInitializeNonPagedPoolThresholds+7Cp
					; MiInitializeMemoryEvents(x)+A7p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005C5083 SIZE 00000088 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		mov	ecx, offset unk_6D58C0
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	dword_6D4EDC, 0
		jz	loc_5C5083
		mov	edi, dword_6CF344
		push	5
		pop	ecx
		call	MiFreePoolPagesLeft
		mov	esi, eax
		lea	ecx, [edi-1400h]
		add	ecx, esi
		xor	ebx, ebx
		cmp	edi, ecx
		mov	ecx, dword_6D4EDC
		jnb	loc_5C50C4
		cmp	[ecx+4], ebx
		jnz	short loc_56639C
		push	ebx
		push	ebx
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_56639C:				; CODE XREF: MiSignalNonPagedPoolWatchers+58j
					; MiSignalNonPagedPoolWatchers+5ED8Dj ...
		mov	ecx, dword_6D4ED8
		lea	eax, [edi-800h]
		add	eax, esi
		cmp	edi, eax
		jnb	loc_5C50D8
		cmp	[ecx+4], ebx
		jz	short loc_5663BD
		push	ecx
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_5663BD:				; CODE XREF: MiSignalNonPagedPoolWatchers+7Bj
					; MiSignalNonPagedPoolWatchers+5EDA1j ...
		test	ds:byte_70EFC6,	1
		jnz	loc_5C50EE
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5663F6
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5C50FE

loc_5663E8:				; CODE XREF: MiSignalNonPagedPoolWatchers+5ED6Aj
					; MiSignalNonPagedPoolWatchers+5ED85j ...
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5663F6:				; CODE XREF: MiSignalNonPagedPoolWatchers+95j
					; MiSignalNonPagedPoolWatchers+5EDCCj
		mov	[ebp+var_C], ebx
		jmp	loc_5C50B6
MiSignalNonPagedPoolWatchers endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFreeLargeInitializationCodePages proc	near ; CODE XREF: MiFreeInitializationCode+136p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C510B SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	loc_5C510B
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_MiAddExpansionNonPagedPool@8 ;	MiAddExpansionNonPagedPool(x,x)

loc_566421:				; CODE XREF: MiFreeLargeInitializationCodePages+5ED17j
					; MiFreeLargeInitializationCodePages+5ED65j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
MiFreeLargeInitializationCodePages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddExpansionNonPagedPool(x, x)
_MiAddExpansionNonPagedPool@8 proc near	; CODE XREF: MiFreeLargeInitializationCodePages+1Ep
					; MiInitializeNonPagedPool()+136p ...

var_4C		= dword	ptr -4Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	loc_56657D
		push	0
		push	80h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		imul	ebx, edi, 1Ch
		xor	edi, edi
		mov	[ebp+var_C], eax
		imul	eax, esi, 1Ch
		push	1Ch
		mov	[ebp+var_10], edx
		add	ebx, ds:_MmPfnDatabase
		mov	[ebp+var_8], edi
		add	eax, ebx
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_14], eax
		pop	ecx

loc_56646D:				; CODE XREF: MiAddExpansionNonPagedPool(x,x)+146j
		mov	eax, ebx
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	ecx
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		cmp	esi, [eax+4]
		jz	short loc_5664AD
		test	edi, edi
		jz	short loc_566495
		xor	edx, edx
		mov	ecx, edi
		call	MiReturnPhysicalPoolPages
		and	[ebp+var_8], 0

loc_566495:				; CODE XREF: MiAddExpansionNonPagedPool(x,x)+5Ej
		mov	eax, ebx
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		mov	esi, [eax+4]

loc_5664AD:				; CODE XREF: MiAddExpansionNonPagedPool(x,x)+5Aj
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		and	dword ptr [ebx+10h], 0C0000000h
		mov	[ebp+var_1], al
		mov	eax, 7FFFFFFFh
		and	[ebx+18h], eax
		xor	eax, eax
		and	byte ptr [ebx+16h], 0C7h
		and	dword ptr [ebx+18h], 8FFFFFFFh
		and	byte ptr [ebx+17h], 0DFh
		and	dword ptr [ebx+18h], 0FF800000h
		mov	edx, [ebx+18h]
		mov	[ebx+14h], ax
		mov	eax, [ebp+var_C]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_10]
		mov	[ebx+0Ch], eax
		mov	al, [ebx+16h]
		or	byte ptr [ebx+17h], 10h
		and	al, 0C0h
		cmp	al, 40h
		jz	short loc_56650D
		xor	edx, edx
		mov	ecx, ebx
		push	3
		inc	edx
		call	MiChangePageAttribute
		mov	edx, [ebx+18h]

loc_56650D:				; CODE XREF: MiAddExpansionNonPagedPool(x,x)+D4j
		xor	eax, eax
		mov	dword ptr [ebx+4], 0FFFFFFF8h
		push	7
		pop	ecx
		lea	edi, [ebp+var_30]
		and	edx, 0FF7FFFFFh
		rep stosd
		push	7
		mov	[ebp+var_18], edx
		lea	edi, [ebp+var_4C]
		pop	ecx
		rep stosd
		mov	al, [ebx+16h]
		mov	ecx, 7FFFFFFFh
		mov	[ebx+18h], edx
		and	al, 0FDh
		and	edx, 0FCFFFFFFh
		or	al, 5
		mov	[ebp+var_34], edx
		mov	[ebx+18h], edx
		mov	[ebx+16h], al
		lea	eax, [ebx+10h]
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_8]
		mov	edi, ebx
		push	1Ch
		pop	ecx
		mov	[ebx], eax
		add	ebx, ecx
		mov	[ebp+var_8], edi
		cmp	ebx, [ebp+var_14]
		jb	loc_56646D
		xor	edx, edx
		mov	ecx, edi
		call	MiReturnPhysicalPoolPages

loc_56657D:				; CODE XREF: MiAddExpansionNonPagedPool(x,x)+11j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiAddExpansionNonPagedPool@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializePageFaultResources()
_MiInitializePageFaultResources@0 proc near ; CODE XREF: MiInitNucleus(x)+455p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	esi, esi

loc_56658D:				; CODE XREF: MiInitializePageFaultResources()+9Aj
		and	dword_6D3490[esi*8], 0
		xor	ebx, ebx
		and	dword_6D3494[esi*8], 0
		mov	ecx, esi
		and	dword_6D34A0[esi*8], 0
		and	dword_6D34A4[esi*8], 0
		test	esi, esi
		setnz	bl
		lea	ebx, ds:8[ebx*8]
		mov	edx, ebx
		mov	[ebp+var_4], ebx
		mov	byte_6D34B0[esi], bl
		call	_MiAllocateInPageSupportBlock@8	; MiAllocateInPageSupportBlock(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_56664C
		mov	edi, esi
		mov	dword_6D34B4[esi*4], ecx
		neg	edi
		sbb	edi, edi
		and	edi, 0FFFFFC40h
		add	edi, 4C8h
		mov	eax, edi
		imul	eax, ebx
		lea	ebx, [ecx+78h]
		add	eax, ecx
		mov	dword_6D34BC[esi*4], eax

loc_5665FD:				; CODE XREF: MiInitializePageFaultResources()+94j
		mov	eax, [ebx]
		test	esi, esi
		jz	short loc_566647
		and	eax, 0FFFFFFBFh

loc_566606:				; CODE XREF: MiInitializePageFaultResources()+C8j
		lea	ecx, [ebx-78h]
		mov	[ebx], eax
		call	_MiInsertInPageBlock@4 ; MiInsertInPageBlock(x)
		add	ebx, edi
		sub	[ebp+var_4], 1
		jnz	short loc_5665FD
		inc	esi
		cmp	esi, 2
		jl	loc_56658D
		push	10h
		pop	edx
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		test	eax, eax
		jz	short loc_56664C
		and	dword_6D34C8, 0
		mov	dword_6D34C4, eax
		xor	eax, eax
		inc	eax

loc_566642:				; CODE XREF: MiInitializePageFaultResources()+CCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_566647:				; CODE XREF: MiInitializePageFaultResources()+7Fj
		or	eax, 40h
		jmp	short loc_566606
; 

loc_56664C:				; CODE XREF: MiInitializePageFaultResources()+4Fj
					; MiInitializePageFaultResources()+AFj
		xor	eax, eax
		jmp	short loc_566642
_MiInitializePageFaultResources@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFillGapAddresses(x, x, x)
_MiFillGapAddresses@12 proc near	; CODE XREF: MiFillPfnGaps()+28p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	esi
		push	edi
		mov	esi, offset loc_7FFFF8
		mov	edi, 40000000h

loc_566666:				; CODE XREF: MiFillGapAddresses(x,x,x)+30j
		shr	ecx, 9
		shr	edx, 9
		and	ecx, esi
		and	edx, esi
		sub	ecx, edi
		sub	edx, edi
		mov	[ebp+eax*8+var_10], ecx
		mov	[ebp+eax*8+var_C], edx
		inc	eax
		cmp	eax, 2
		jb	short loc_566666
		push	1
		push	[ebp+arg_0]
		lea	eax, [ebp+var_10]
		push	eax
		call	MiFillGapPtes
		pop	edi
		pop	esi
		leave
		retn	4
_MiFillGapAddresses@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFillGapPtes	proc near		; CODE XREF: MiFillGapAddresses(x,x,x)+3Bp
					; MiFillGapPtes+77p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005C5168 SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, edx
		mov	edx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], eax
		mov	ecx, [edx+ebx*8]
		cmp	esi, ecx
		jb	loc_5C5168

loc_5666B8:				; CODE XREF: MiFillGapPtes+5EAD4j
		mov	ecx, [edx+ebx*8+4]
		cmp	eax, ecx
		ja	loc_566768

loc_5666C4:				; CODE XREF: MiFillGapPtes+D7j
		cmp	esi, eax
		ja	short loc_5666E9
		push	edi

loc_5666C9:				; CODE XREF: MiFillGapPtes+50j
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		mov	[ebp+var_8], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_566714
		test	ebx, ebx
		jnz	short loc_5666EF

loc_5666E0:				; CODE XREF: MiFillGapPtes+62j
					; MiFillGapPtes+CDj
		add	esi, 8
		cmp	esi, [ebp+var_4]
		jbe	short loc_5666C9
		pop	edi

loc_5666E9:				; CODE XREF: MiFillGapPtes+30j
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_5666EF:				; CODE XREF: MiFillGapPtes+48j
		and	ecx, 80h
		or	ecx, 0
		jnz	short loc_5666E0
		lea	eax, [ebx-1]
		mov	ecx, esi
		push	eax
		push	[ebp+arg_4]
		shl	ecx, 9
		push	edx
		lea	edx, [ecx+0FF8h]
		call	MiFillGapPtes
		jmp	short loc_566760
; 

loc_566714:				; CODE XREF: MiFillGapPtes+44j
		mov	eax, ebx
		mov	ecx, ebx
		neg	eax
		sbb	eax, eax
		and	eax, 88000003h
		add	eax, 20000001h
		neg	ecx
		push	eax
		mov	eax, [ebp+arg_4]
		sbb	ecx, ecx
		not	ecx
		and	ecx, esi
		mov	edx, [eax+ebx*4]
		call	MiMakeValidPte
		and	[ebp+arg_8], 0
		mov	ecx, esi
		mov	edi, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5C516F
		mov	ecx, [ebp+arg_8]

loc_566752:				; CODE XREF: MiFillGapPtes+5EAECj
					; MiFillGapPtes+5EAFAj	...
		mov	[esi+4], edx
		nop
		mov	[esi], edi
		test	ecx, ecx
		jnz	loc_5C51C1

loc_566760:				; CODE XREF: MiFillGapPtes+7Cj
					; MiFillGapPtes+5EB34j
		mov	edx, [ebp+arg_0]
		jmp	loc_5666E0
; 

loc_566768:				; CODE XREF: MiFillGapPtes+28j
		mov	eax, ecx
		mov	[ebp+var_4], ecx
		jmp	loc_5666C4
MiFillGapPtes	endp


;  S U B	R O U T	I N E 


; __stdcall MiInitializePfnListHead(x, x)
_MiInitializePfnListHead@8 proc	near	; CODE XREF: MiInitializePartition+AAp
					; MiInitializePartition+B6p ...
		and	dword ptr [ecx], 0
		mov	eax, offset loc_7FFFFF
		and	dword ptr [ecx+10h], 0
		mov	[ecx+4], edx
		mov	[ecx+8], eax
		mov	[ecx+0Ch], eax
		retn
_MiInitializePfnListHead@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall MiInitializeSlabAllocator(void	*,int,int)
_MiInitializeSlabAllocator@12 proc near	; CODE XREF: MiInitializePartition+12Dp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	48h		; size_t
		mov	edi, ecx
		mov	esi, edx
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[edi+1Ch], eax
		mov	eax, offset loc_7FFFFF
		mov	[edi+18h], esi
		and	dword ptr [edi+34h], 0
		mov	dword ptr [edi+28h], 2
		mov	[edi+2Ch], eax
		mov	[edi+30h], eax
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_MiInitializeSlabAllocator@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiInitializeCombining(x, x)
_MiInitializeCombining@8 proc near	; CODE XREF: MiInitializePartition+3ABp
		mov	[edx], ecx
		add	ecx, 0E24h
		push	esi
		xor	esi, esi
		cmp	[ecx], esi
		jnz	short loc_5667DA
		mov	[ecx+4], ecx
		mov	[ecx], ecx

loc_5667DA:				; CODE XREF: MiInitializeCombining(x,x)+Dj
		lea	eax, [edx+24h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edx+34h]
		push	10h
		mov	[edx+2Ch], esi
		pop	ecx

loc_5667EB:				; CODE XREF: MiInitializeCombining(x,x)+30j
		mov	[eax-4], esi
		mov	[eax], esi
		lea	eax, [eax+8]
		sub	ecx, 1
		jnz	short loc_5667EB
		pop	esi
		retn
_MiInitializeCombining@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeNuma(x)
_MiInitializeNuma@4 proc near		; CODE XREF: MiInitializePartition+374p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		movzx	eax, ds:_KeNumberNodes
		mov	edx, ecx
		push	ebx
		mov	ebx, dword_6D069C
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], eax
		push	edi
		mov	edi, [edx+10h]
		test	eax, eax
		jz	loc_5668D1

loc_566826:				; CODE XREF: MiInitializeNuma(x)+D1j
		and	dword ptr [edi+1FCh], 0
		mov	eax, esi
		and	dword ptr [edi+204h], 0
		mov	[edi+1E4h], esi
		mov	byte ptr [edi+140h], 8
		mov	byte ptr [edi+142h], 8
		mov	cl, byte_6D068C
		shl	eax, cl
		mov	[edi+1E0h], eax
		cmp	edx, offset _MiSystemPartition
		jnz	short loc_566884
		xor	edx, edx
		mov	ecx, ebx

loc_566864:				; CODE XREF: MiInitializeNuma(x)+85j
		and	dword ptr [ecx], 0
		lea	eax, [edx-1]
		and	dword ptr [ecx+4], 0
		lea	ecx, [ecx+18h]
		neg	eax
		sbb	eax, eax
		and	eax, 5
		inc	edx
		mov	[ecx-10h], eax
		cmp	edx, 2
		jl	short loc_566864
		mov	edx, [ebp+var_4]

loc_566884:				; CODE XREF: MiInitializeNuma(x)+64j
		push	esi
		mov	ecx, edx
		call	MiInitializeChannelOrdering
		xor	ecx, ecx
		lea	edx, [edi+180h]

loc_566894:				; CODE XREF: MiInitializeNuma(x)+BFj
		mov	eax, dword_6D06D0
		inc	eax
		mov	[edx], eax
		mov	eax, ecx
		shr	eax, 5
		lea	edx, [edx+8]
		add	eax, 64h
		add	ecx, 100h
		lea	eax, [edi+eax*4]
		mov	[edx-4], eax
		cmp	ecx, 200h
		jb	short loc_566894
		mov	edx, [ebp+var_4]
		inc	esi
		add	edi, 280h
		add	ebx, 48h
		cmp	esi, [ebp+var_8]
		jb	loc_566826

loc_5668D1:				; CODE XREF: MiInitializeNuma(x)+26j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiInitializeNuma@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiZeroNodePages	proc near		; DATA XREF: MiZeroBootLargePages+17Ao

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= byte ptr -28h
var_24		= dword	ptr -24h
var_20		= word ptr -20h
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005C51CF SIZE 00000111 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [esp+80h+var_C]
		xor	ecx, ecx
		stosd
		mov	esi, [ebx+30h]
		push	ecx
		push	ecx
		stosd
		mov	[esp+88h+var_64], ecx
		mov	[esp+88h+var_68], esi
		mov	[ebx+10h], ecx
		stosd
		xor	eax, eax
		lea	edi, [esp+88h+var_30]
		stosd
		stosd
		stosd
		lea	eax, [ebx+38h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [ebx+34h]
		lea	edi, [esp+80h+var_24]
		mov	[esp+80h+var_44], eax
		xor	edx, edx
		imul	eax, 280h
		add	eax, [esi+10h]
		mov	[esp+80h+var_34], eax
		movzx	ecx, word ptr [eax+270h]
		lea	esi, [eax+264h]
		movsd
		movsd
		movsd
		mov	ax, [esp+80h+var_20]
		mov	[ebx+4Ch], ax
		mov	eax, ecx
		mov	esi, dword_6D06C4
		div	esi
		mov	[esp+80h+var_50], esi
		mov	esi, eax
		xor	eax, eax
		inc	eax
		mov	[esp+80h+var_70], esi
		test	esi, esi
		jz	loc_5C51CF

loc_566966:				; CODE XREF: MiZeroNodePages+5E8FFj
		xor	edi, edi
		mov	[ebx+1], al
		lea	eax, [ebx+8]
		imul	ecx, esi, 1Ch
		push	edi
		mov	byte ptr [ebx],	7
		mov	edx, 20206D4Dh
		mov	byte ptr [ebx+2], 4
		mov	[ebx+4], edi
		mov	[eax+4], eax
		mov	[eax], eax
		push	40h
		mov	[ebx+54h], esi
		mov	[ebx+68h], esi
		mov	[ebx+60h], edi
		mov	[ebx+6Ch], esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[esp+80h+var_58], eax
		test	eax, eax
		jz	loc_5C51DA

loc_5669A5:				; CODE XREF: MiZeroNodePages+5E915j
		mov	[ebx+64h], eax
		xor	ecx, ecx
		rdtsc
		mov	[esp+80h+var_3C], eax
		lea	eax, [esp+80h+var_54]
		mov	[ebx+74h], esi
		mov	[esp+80h+var_38], edx
		mov	[esp+80h+var_54], edi
		lock or	[eax], ecx
		mov	[esp+80h+var_6C], edi
		test	esi, esi
		jz	loc_5C52B3
		mov	eax, [esp+80h+var_58]
		add	eax, 0Ch
		xor	esi, esi
		mov	[esp+80h+var_5C], eax

loc_5669DB:				; CODE XREF: MiZeroNodePages+1E9j
		push	esi
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	esi, [esp+80h+var_24]
		xor	edx, edx
		lea	edi, [esp+80h+var_18]
		mov	[esp+80h+var_60], edx
		movsd
		mov	[esp+80h+var_C], edx
		movsd
		movsd
		mov	esi, [esp+80h+var_24]
		test	esi, esi
		jz	short loc_566A47
		mov	edi, [esp+80h+var_50]
		xor	ecx, ecx
		mov	[esp+80h+var_18], ecx
		test	edi, edi
		jz	short loc_566A47
		mov	bl, cl

loc_566A11:				; CODE XREF: MiZeroNodePages+164j
		test	esi, esi
		jz	short loc_566A3C
		bsf	eax, esi
		bts	ecx, eax
		mov	[esp+80h+var_4C], eax
		mov	[esp+80h+var_18], ecx
		test	bl, bl
		jnz	short loc_566A2D
		or	edx, ecx
		mov	[esp+80h+var_C], edx

loc_566A2D:				; CODE XREF: MiZeroNodePages+14Fj
		mov	eax, ecx
		not	eax
		and	esi, eax
		inc	bl
		movzx	eax, bl
		cmp	eax, edi
		jb	short loc_566A11

loc_566A3C:				; CODE XREF: MiZeroNodePages+13Dj
		mov	ebx, [ebp+arg_0]
		mov	[esp+80h+var_24], esi
		mov	[esp+80h+var_60], edx

loc_566A47:				; CODE XREF: MiZeroNodePages+129j
					; MiZeroNodePages+137j
		xor	eax, eax
		mov	ecx, ebx
		lea	edx, [eax+1]
		call	_MiCreateZeroThreadContext@8 ; MiCreateZeroThreadContext(x,x)
		mov	[esp+80h+var_48], eax
		test	eax, eax
		jz	loc_5C5205
		mov	ecx, [esp+80h+var_6C]
		lea	esi, [esp+80h+var_18]
		mov	[eax+4Ch], ecx
		lea	ecx, [eax+58h]
		mov	edi, ecx
		movsd
		movsd
		movsd
		xor	esi, esi
		push	esi
		push	ecx
		push	eax
		push	offset MiZeroLargePageThread
		push	esi
		push	esi
		push	esi
		push	1FFFFFh
		lea	eax, [esp+0A0h+var_64]
		push	eax
		call	PsCreateSystemThreadEx
		test	eax, eax
		js	loc_5C51F0
		push	esi
		push	[esp+84h+var_64]
		call	ObCloseHandle
		mov	eax, [esp+80h+var_60]
		or	[ebx+48h], eax
		mov	edi, [esp+80h+var_6C]
		mov	eax, [esp+80h+var_5C]
		inc	edi
		add	eax, 1Ch
		mov	[esp+80h+var_6C], edi
		mov	[esp+80h+var_5C], eax
		cmp	edi, [esp+80h+var_70]
		jb	loc_5669DB

loc_566AC5:				; CODE XREF: MiZeroNodePages+5E956j
		mov	esi, [esp+80h+var_68]

loc_566AC9:				; CODE XREF: MiZeroNodePages+5E9D8j
		test	edi, edi
		jz	loc_5C52B7
		mov	edx, ebx
		mov	ecx, esi
		call	MiZeroPageCalibrate
		push	[esp+80h+var_44]
		call	_MiGetOptimalProcessorWriteCount@8 ; MiGetOptimalProcessorWriteCount(x,x)
		mov	[ebx+70h], eax

loc_566AE6:				; CODE XREF: MiZeroNodePages+5E9EAj
		push	0
		push	0
		lea	eax, [ebx+38h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		test	edi, edi
		jz	short loc_566B01
		push	ecx
		xor	edx, edx
		mov	ecx, ebx
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)

loc_566B01:				; CODE XREF: MiZeroNodePages+21Fj
		xor	edi, edi
		lea	eax, [esp+80h+var_40]
		mov	[esp+80h+var_40], edi
		xor	ecx, ecx
		lock or	[eax], ecx
		rdtsc
		sub	eax, [esp+80h+var_3C]
		mov	[ebx+18h], eax
		sbb	edx, [esp+80h+var_38]
		or	eax, 0FFFFFFFFh
		mov	[ebx+1Ch], edx
		lock xadd [esi+0DCCh], eax
		dec	eax
		jnz	short loc_566B3E
		xor	eax, eax
		lea	ecx, [esi+0DD4h]
		lea	edx, [eax+1]
		call	KeSignalGate

loc_566B3E:				; CODE XREF: MiZeroNodePages+256j
		xor	eax, eax
		inc	eax
		cmp	[esi+0DFCh], al
		jz	loc_5C52C5
		mov	ecx, [esp+80h+var_34]
		mov	edx, ebx
		call	_MiPreserveBootDecisions@8 ; MiPreserveBootDecisions(x,x)
		xor	eax, eax
		inc	eax
		mov	[esi+0DB5h], al

loc_566B61:				; CODE XREF: MiZeroNodePages+5EA05j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
MiZeroNodePages	endp


;  S U B	R O U T	I N E 


; __stdcall MiCreateZeroThreadContext(x, x)
_MiCreateZeroThreadContext@8 proc near	; CODE XREF: MiZeroNodePages+178p
					; MiInitializePartitionThreads(x)+65p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	0
		push	40h
		push	6Ch
		mov	edi, edx
		mov	ebx, ecx
		mov	edx, 20206D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_566C00
		test	edi, edi
		jz	short loc_566B92
		mov	byte ptr [esi+2Ch], 1

loc_566B92:				; CODE XREF: MiCreateZeroThreadContext(x,x)+22j
		mov	edi, offset dword_6D35E0
		mov	edx, 200h
		mov	ecx, edi
		call	MiReservePtes
		test	eax, eax
		jz	short loc_566BF9
		mov	edx, 100h
		mov	[esi+30h], eax
		mov	ecx, edi
		call	MiReservePtes
		mov	edi, eax
		test	edi, edi
		jz	short loc_566BF9
		push	100h
		push	0
		mov	[esi+34h], edi
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[edi], eax
		nop
		mov	[edi+4], edx
		mov	edx, 0FFh

loc_566BD6:				; CODE XREF: MiCreateZeroThreadContext(x,x)+84j
		mov	eax, ds:_ZeroPte
		mov	ecx, edi
		add	edi, 8
		mov	[edi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ecx+0Ch], eax
		sub	edx, 1
		jnz	short loc_566BD6
		mov	[esi+38h], ebx
		mov	eax, esi

loc_566BF5:				; CODE XREF: MiCreateZeroThreadContext(x,x)+98j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_566BF9:				; CODE XREF: MiCreateZeroThreadContext(x,x)+3Bj
					; MiCreateZeroThreadContext(x,x)+50j
		mov	ecx, esi
		call	_MiDeleteZeroThreadContext@4 ; MiDeleteZeroThreadContext(x)

loc_566C00:				; CODE XREF: MiCreateZeroThreadContext(x,x)+1Ej
		xor	eax, eax
		jmp	short loc_566BF5
_MiCreateZeroThreadContext@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPreserveBootDecisions(x, x)
_MiPreserveBootDecisions@8 proc	near	; CODE XREF: MiZeroNodePages+27Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_C], ecx
		mov	esi, edx
		mov	ecx, 100h
		push	ebx
		push	40h
		mov	edx, 20206D4Dh
		mov	[ebp+var_4], esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_566CB0
		push	edi
		push	40h
		pop	ecx
		mov	edi, eax
		mov	edx, 20206D4Dh
		rep movsd
		mov	edi, [ebp+var_4]
		push	ebx
		push	40h
		imul	esi, [edi+6Ch],	1Ch
		mov	ecx, esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_566C66
		push	esi		; size_t
		push	dword ptr [edi+64h] ; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch

loc_566C66:				; CODE XREF: MiPreserveBootDecisions(x,x)+50j
		mov	esi, [ebp+var_8]
		mov	[esi+64h], eax
		mov	edi, [edi+0FCh]
		test	edi, edi
		jz	short loc_566CA0
		mov	eax, [edi]
		mov	edx, 20206D4Dh
		shl	eax, 4
		push	ebx
		push	40h
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_566CA0
		push	[ebp+var_8]	; size_t
		push	edi		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_566CA0:				; CODE XREF: MiPreserveBootDecisions(x,x)+70j
					; MiPreserveBootDecisions(x,x)+8Dj
		mov	eax, [ebp+var_C]
		mov	[esi+0FCh], ebx
		pop	edi
		mov	[eax+230h], esi

loc_566CB0:				; CODE XREF: MiPreserveBootDecisions(x,x)+2Bj
		pop	esi
		pop	ebx
		leave
		retn
_MiPreserveBootDecisions@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiZeroPageCalibrate proc near		; CODE XREF: MiZeroNodePages+1FFp
					; MiZeroNodePages+5E9E5p ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C52E0 SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		lea	eax, [ebp+var_48]
		mov	[ebp+var_50], edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		mov	ecx, [ebp+var_50]
		add	esp, 0Ch
		test	ecx, ecx
		jz	loc_5C52E0
		mov	esi, [ecx+34h]
		imul	ebx, esi, 280h
		add	ebx, [edi+10h]
		mov	[ebx+244h], ecx
		mov	eax, _MmPerProcessorZeroCalibrationBytes
		mov	[ebp+var_54], eax
		test	eax, eax
		jnz	short loc_566D0F
		mov	eax, (offset loc_7FFFFF+1)
		mov	[ebp+var_54], eax

loc_566D0F:				; CODE XREF: MiZeroPageCalibrate+51j
		mov	ecx, [ecx+54h]
		mov	edx, 655A694Dh
		imul	ecx, eax
		push	esi
		push	0
		push	40h
		mov	[ebp+var_58], ecx
		call	ExAllocatePoolMm
		mov	[ebx+238h], eax
		test	eax, eax
		jz	loc_5C52E9
		mov	eax, [ebp+var_58]
		mov	[ebx+23Ch], eax

loc_566D3E:				; CODE XREF: MiZeroPageCalibrate+5E63Cj
		mov	eax, [ebp+var_50]
		mov	edx, 655A694Dh
		push	esi
		push	0
		push	40h
		mov	eax, [eax+54h]
		shl	eax, 4
		mov	ecx, eax
		mov	[ebp+var_58], eax
		call	ExAllocatePoolMm
		mov	esi, eax
		test	esi, esi
		jz	loc_5C52F5
		push	[ebp+var_58]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebx+22Ch]
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_5C5304

loc_566D81:				; CODE XREF: MiZeroPageCalibrate+5E658j
		mov	eax, [ebp+var_50]
		mov	[ebx+22Ch], esi
		mov	esi, [ebp+var_54]
		mov	eax, [eax+54h]
		mov	[ebx+218h], eax
		mov	[ebx+220h], esi

loc_566D9C:				; CODE XREF: MiZeroPageCalibrate+5E64Bj
		mov	eax, [ebp+var_50]
		mov	ecx, [eax+54h]
		lea	eax, [edi+0E00h]
		lock xadd [eax], ecx
		mov	ecx, [ebp+var_50]

loc_566DAF:				; CODE XREF: MiZeroPageCalibrate+5E630j
		lea	edx, [edi+0E04h]
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		jnz	loc_5C5311
		cmp	byte ptr [edi+0DFCh], 1
		jz	short loc_566E3A
		mov	ecx, edi
		mov	[ebp+var_C], edi
		call	MiTimeSingleLargePageZero
		lea	ecx, [ebp+var_48]
		call	MiAllocateCalibrationResultsMemory
		mov	[ebp+var_49], al
		cmp	al, 21h
		jz	loc_566E6D
		mov	ecx, [edi+0E00h]
		cmp	byte ptr [edi+0DFCh], 0
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], esi
		jnz	short loc_566E6D
		mov	eax, [edi+0E00h]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	offset MiZeroPageCalibrateIsr
		call	KeIpiGenericCall
		mov	al, [ebp+var_49]

loc_566E17:				; CODE XREF: MiZeroPageCalibrate+1C0j
		cmp	al, 21h
		jz	short loc_566E23
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_566E23:				; CODE XREF: MiZeroPageCalibrate+165j
		cmp	[ebp+var_10], 0
		jnz	loc_5C5330

loc_566E2D:				; CODE XREF: MiZeroPageCalibrate+5E686j
		mov	ecx, edi
		call	MiComputeRunTimeZeroComparisons
		lea	edx, [edi+0E04h]

loc_566E3A:				; CODE XREF: MiZeroPageCalibrate+115j
		movzx	eax, ds:_KeNumberNodes
		push	0
		mov	[edx], eax
		lea	eax, [edi+0E08h]
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_566E53:				; CODE XREF: MiZeroPageCalibrate+5E65Fj
					; MiZeroPageCalibrate+5E677j
		test	ebx, ebx
		jz	short loc_566E5E
		mov	ecx, ebx
		call	_MiReleaseZeroCalibrationResources@4 ; MiReleaseZeroCalibrationResources(x)

loc_566E5E:				; CODE XREF: MiZeroPageCalibrate+1A1j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_566E6D:				; CODE XREF: MiZeroPageCalibrate+12Ej
					; MiZeroPageCalibrate+147j
		mov	byte ptr [edi+0DFCh], 0
		jmp	short loc_566E17
MiZeroPageCalibrate endp


;  S U B	R O U T	I N E 


; __stdcall MiReleaseZeroCalibrationResources(x)
_MiReleaseZeroCalibrationResources@4 proc near ; CODE XREF: MiZeroPageCalibrate+1A5p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+238h]
		test	eax, eax
		jz	short loc_566E94
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+238h], 0

loc_566E94:				; CODE XREF: MiReleaseZeroCalibrationResources(x)+Dj
		pop	esi
		retn
_MiReleaseZeroCalibrationResources@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputeRunTimeZeroComparisons	proc near ; CODE XREF: MiZeroPageCalibrate+17Bp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C533F SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		mov	edi, [ecx+10h]
		xor	esi, esi
		xor	ecx, ecx
		mov	[ebp+var_C], esi
		cmp	cx, ds:_KeNumberNodes
		jnb	loc_566FFA
		add	edi, 218h
		mov	[ebp+var_4], edi
		push	ebx

loc_566EC3:				; CODE XREF: MiComputeRunTimeZeroComparisons+15Bj
		mov	eax, [edi+40h]
		or	eax, [edi+44h]
		jz	loc_566FDD
		cmp	dword ptr [edi+10h], 0
		jz	loc_566FDD
		mov	ecx, [edi]
		mov	edx, 20206D4Dh
		push	0
		shl	ecx, 3
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_18], ebx
		test	ebx, ebx
		jz	loc_566FDD
		mov	eax, [edi+14h]
		and	[ebp+var_8], 0
		and	[ebp+var_10], 0
		mov	[ebp+var_14], eax
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_566F8A
		mov	esi, [ebp+var_4]
		mov	ecx, eax
		shl	ecx, 4

loc_566F15:				; CODE XREF: MiComputeRunTimeZeroComparisons+EAj
		mov	edi, [esi]
		mov	ebx, eax
		dec	eax
		xor	edx, edx
		mov	[ebp+var_1C], eax
		sub	ecx, 10h
		mov	eax, [esi+8]
		imul	eax, edi
		mov	esi, [ebp+var_14]
		mov	[ebp+var_20], ecx
		push	0
		div	ebx
		mov	edx, [ecx+esi+8]
		mov	ecx, [ecx+esi+0Ch]
		shld	ecx, edx, 15h
		push	eax
		shl	edx, 15h
		push	ecx
		push	edx
		call	__aulldiv
		mov	esi, [ebp+var_4]
		mov	ecx, eax
		cmp	ebx, edi
		jz	short loc_566F6A
		mov	edi, [ebp+var_10]
		cmp	edi, edx
		ja	short loc_566F6A
		mov	eax, [ebp+var_8]
		jb	loc_5C533F
		cmp	eax, ecx
		jb	loc_5C533F

loc_566F6A:				; CODE XREF: MiComputeRunTimeZeroComparisons+B8j
					; MiComputeRunTimeZeroComparisons+BFj ...
		mov	eax, [ebp+var_1C]
		mov	ebx, [ebp+var_18]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], edx
		mov	[ebx+eax*8], ecx
		mov	ecx, [ebp+var_20]
		mov	[ebx+eax*8+4], edx
		test	eax, eax
		jnz	short loc_566F15
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_4]

loc_566F8A:				; CODE XREF: MiComputeRunTimeZeroComparisons+73j
		mov	edx, [ebx+4]
		mov	ecx, [ebx]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_1C], edx
		cmp	[edi+44h], edx
		jb	short loc_566FFE
		ja	short loc_566FA1
		cmp	[edi+40h], ecx
		jbe	short loc_566FFE

loc_566FA1:				; CODE XREF: MiComputeRunTimeZeroComparisons+102j
		mov	eax, [edi]
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	short loc_566FDA
		mov	esi, eax

loc_566FAC:				; CODE XREF: MiComputeRunTimeZeroComparisons+13Dj
		push	dword ptr [edi+44h]
		dec	esi
		push	dword ptr [edi+40h]
		push	dword ptr [ebx+esi*8+4]
		push	dword ptr [ebx+esi*8]
		call	__allmul
		push	[ebp+var_1C]
		push	[ebp+var_18]
		push	edx
		push	eax
		call	__aulldiv
		mov	[ebx+esi*8], eax
		mov	[ebx+esi*8+4], edx
		test	esi, esi
		jnz	short loc_566FAC
		mov	esi, [ebp+var_C]

loc_566FDA:				; CODE XREF: MiComputeRunTimeZeroComparisons+110j
					; MiComputeRunTimeZeroComparisons+16Cj
		mov	[edi+48h], ebx

loc_566FDD:				; CODE XREF: MiComputeRunTimeZeroComparisons+31j
					; MiComputeRunTimeZeroComparisons+3Bj ...
		movzx	eax, ds:_KeNumberNodes
		inc	esi
		add	edi, 280h
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], edi
		cmp	esi, eax
		jb	loc_566EC3
		pop	ebx

loc_566FFA:				; CODE XREF: MiComputeRunTimeZeroComparisons+1Bj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_566FFE:				; CODE XREF: MiComputeRunTimeZeroComparisons+100j
					; MiComputeRunTimeZeroComparisons+107j
		inc	dword_6C68D4
		jmp	short loc_566FDA
MiComputeRunTimeZeroComparisons	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateCalibrationResultsMemory proc	near ; CODE XREF: MiZeroPageCalibrate+124p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C534E SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ds:_KeNumberProcessors
		mov	esi, ecx
		mov	ebx, edi
		shl	ebx, 4

loc_56701C:				; CODE XREF: MiAllocateCalibrationResultsMemory+5E359j
		push	0
		push	40h
		mov	edx, 20206D4Dh
		mov	ecx, ebx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_5C5364
		mov	cl, 1Bh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, al
		cmp	edi, ds:_KeNumberProcessors
		jnz	loc_5C534E
		mov	eax, [ebp+var_4]
		mov	[esi+1Ch], eax
		mov	al, cl
		mov	[esi+4], edi
		mov	[esi], edi

loc_56705A:				; CODE XREF: MiAllocateCalibrationResultsMemory+5E367j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiAllocateCalibrationResultsMemory endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiTimeSingleLargePageZero proc near	; CODE XREF: MiZeroPageCalibrate+11Cp

var_64		= dword	ptr -64h
var_60		= word ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005C5372 SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	edx, ecx
		mov	ecx, dword_6D06C4
		xor	esi, esi
		mov	[ebp+var_38], edx
		mov	[ebp+var_28], ecx
		stosd
		stosd
		xor	eax, eax
		cmp	si, ds:_KeNumberNodes

loc_567096:				; CODE XREF: MiTimeSingleLargePageZero+285j
		mov	[ebp+var_20], eax
		jnb	loc_5672EA
		imul	ebx, eax, 280h
		lea	edi, [ebp+var_4C]
		add	ebx, [edx+10h]
		xor	edx, edx
		mov	[ebp+var_40], ebx
		movzx	eax, word ptr [ebx+270h]
		lea	esi, [ebx+264h]
		div	ecx
		movsd
		mov	[ebp+var_34], eax
		movsd
		movsd
		test	eax, eax
		jz	loc_5C5372

loc_5670CD:				; CODE XREF: MiTimeSingleLargePageZero+5E318j
		mov	ecx, eax
		mov	edx, 20206D4Dh
		push	0
		shl	ecx, 3
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_2C], ecx
		test	ecx, ecx
		jz	loc_5672C5
		and	[ebp+var_24], 0
		lea	edi, [ebp+var_64]
		xor	eax, eax
		xor	ebx, ebx
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_40]
		xor	edi, edi
		mov	[ebp+var_30], edi
		mov	[eax+234h], ecx
		mov	ecx, [ebp+var_4C]
		test	ecx, ecx
		jz	loc_5671DB
		mov	esi, [ebp+var_20]

loc_567117:				; CODE XREF: MiTimeSingleLargePageZero+175j
		xor	eax, eax
		mov	[ebp+var_11], 0
		cmp	[ebp+var_28], 0
		lea	edi, [ebp+var_64]
		stosd
		stosd
		stosd
		jbe	short loc_567191
		mov	esi, [ebp+var_64]
		mov	edi, ebx
		and	edi, 1

loc_567131:				; CODE XREF: MiTimeSingleLargePageZero+129j
		and	[ebp+var_3C], 0
		test	edi, edi
		jnz	loc_5671E3
		test	ecx, ecx
		jz	loc_5C537D
		bsr	ecx, ecx

loc_567148:				; CODE XREF: MiTimeSingleLargePageZero+18Ej
					; MiTimeSingleLargePageZero+5E320j
		mov	ecx, ds:_KiProcessorBlock[ecx*4]
		xor	edx, edx
		movzx	eax, byte ptr [ecx+3C5h]
		movzx	ecx, byte ptr [ecx+3C4h]
		mov	[ebp+var_60], ax
		xor	eax, eax
		inc	eax
		call	__allshl
		mov	ecx, [ebp+var_4C]
		or	esi, eax
		mov	eax, esi
		not	eax
		and	ecx, eax
		mov	[ebp+var_4C], ecx
		jz	short loc_56718B
		mov	dl, [ebp+var_11]
		inc	dl
		movzx	eax, dl
		mov	[ebp+var_11], dl
		cmp	eax, [ebp+var_28]
		jb	short loc_567131

loc_56718B:				; CODE XREF: MiTimeSingleLargePageZero+119j
		mov	[ebp+var_64], esi
		mov	esi, [ebp+var_20]

loc_567191:				; CODE XREF: MiTimeSingleLargePageZero+C7j
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_64]
		push	eax
		call	KeSetSystemGroupAffinityThread
		mov	ecx, [ebp+var_38]
		push	esi
		call	_MiTimeSingleLargePageZeroWorker@8 ; MiTimeSingleLargePageZeroWorker(x,x)
		mov	ecx, [ebp+var_2C]
		add	[ebp+var_24], eax
		mov	edi, [ebp+var_30]
		adc	edi, edx
		mov	[ecx+ebx*8], eax
		lea	eax, [ebp+var_10]
		push	eax
		mov	[ecx+ebx*8+4], edx
		mov	[ebp+var_30], edi
		call	KeRevertToUserGroupAffinityThread
		inc	ebx
		cmp	ebx, 3
		jnb	short loc_5671F3

loc_5671CB:				; CODE XREF: MiTimeSingleLargePageZero+29Cj
		cmp	ebx, [ebp+var_34]
		jz	short loc_5671DB
		mov	ecx, [ebp+var_4C]
		test	ecx, ecx
		jnz	loc_567117

loc_5671DB:				; CODE XREF: MiTimeSingleLargePageZero+AEj
					; MiTimeSingleLargePageZero+16Ej
		mov	eax, [ebp+var_24]
		jmp	loc_5672AC
; 

loc_5671E3:				; CODE XREF: MiTimeSingleLargePageZero+D7j
		test	ecx, ecx
		jz	loc_5C537D
		bsf	ecx, ecx
		jmp	loc_567148
; 

loc_5671F3:				; CODE XREF: MiTimeSingleLargePageZero+169j
		xor	eax, eax
		lea	edi, [ebx-3]
		and	[ebp+var_1C], eax
		mov	ecx, edi
		mov	[ebp+var_18], eax
		cmp	edi, ebx
		jnb	short loc_56721C
		mov	edx, [ebp+var_2C]

loc_567207:				; CODE XREF: MiTimeSingleLargePageZero+1B7j
		mov	eax, [edx+ecx*8]
		add	[ebp+var_18], eax
		mov	eax, [edx+ecx*8+4]
		adc	[ebp+var_1C], eax
		inc	ecx
		cmp	ecx, ebx
		jb	short loc_567207
		mov	eax, [ebp+var_18]

loc_56721C:				; CODE XREF: MiTimeSingleLargePageZero+1A2j
		push	0
		push	3
		push	[ebp+var_1C]
		push	eax
		call	__aulldiv
		push	0
		mov	ecx, edx
		mov	[ebp+var_18], eax
		push	0Ah
		push	ecx
		push	eax
		mov	[ebp+var_1C], ecx
		call	__aulldiv
		mov	ecx, edx
		mov	edx, [ebp+var_18]
		sub	edx, eax
		mov	[ebp+var_58], edx
		mov	edx, [ebp+var_1C]
		sbb	edx, ecx
		add	eax, [ebp+var_18]
		mov	[ebp+var_54], edx
		adc	ecx, [ebp+var_1C]
		mov	[ebp+var_50], eax
		mov	[ebp+var_3C], ecx
		cmp	edi, ebx
		jnb	short loc_56728C
		mov	eax, [ebp+var_2C]
		mov	esi, [ebp+var_50]

loc_567264:				; CODE XREF: MiTimeSingleLargePageZero+225j
		mov	ecx, [eax+edi*8+4]
		mov	edx, [eax+edi*8]
		cmp	ecx, [ebp+var_54]
		ja	short loc_567277
		jb	short loc_567287
		cmp	edx, [ebp+var_58]
		jb	short loc_567287

loc_567277:				; CODE XREF: MiTimeSingleLargePageZero+20Ej
		cmp	ecx, [ebp+var_3C]
		jb	short loc_567282
		ja	short loc_567287
		cmp	edx, esi
		ja	short loc_567287

loc_567282:				; CODE XREF: MiTimeSingleLargePageZero+21Aj
		inc	edi
		cmp	edi, ebx
		jb	short loc_567264

loc_567287:				; CODE XREF: MiTimeSingleLargePageZero+210j
					; MiTimeSingleLargePageZero+215j ...
		mov	esi, [ebp+var_20]
		cmp	edi, ebx

loc_56728C:				; CODE XREF: MiTimeSingleLargePageZero+1FCj
		jnz	short loc_5672F9
		mov	eax, [ebp+var_34]
		xor	edx, edx
		div	[ebp+var_28]
		sub	eax, ebx
		add	dword_6C68DC, eax
		mov	eax, [ebp+var_1C]
		mul	ebx
		mov	edi, eax
		mov	eax, [ebp+var_18]
		mul	ebx
		add	edi, edx

loc_5672AC:				; CODE XREF: MiTimeSingleLargePageZero+17Ej
		push	0
		push	ebx
		push	edi
		push	eax
		call	__aulldiv
		mov	ebx, [ebp+var_40]
		mov	[ebx+258h], eax
		mov	[ebx+25Ch], edx

loc_5672C5:				; CODE XREF: MiTimeSingleLargePageZero+87j
		cmp	dword ptr [ebx+234h], 0
		jz	loc_5C5385

loc_5672D2:				; CODE XREF: MiTimeSingleLargePageZero+5E362j
		mov	eax, [ebp+var_20]
		movzx	ecx, ds:_KeNumberNodes
		inc	eax
		mov	edx, [ebp+var_38]
		cmp	eax, ecx
		mov	ecx, [ebp+var_28]
		jmp	loc_567096
; 

loc_5672EA:				; CODE XREF: MiTimeSingleLargePageZero+39j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_5672F9:				; CODE XREF: MiTimeSingleLargePageZero:loc_56728Cj
		mov	edi, [ebp+var_30]
		jmp	loc_5671CB
MiTimeSingleLargePageZero endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTimeSingleLargePageZeroWorker(x, x)
_MiTimeSingleLargePageZeroWorker@8 proc	near ; CODE XREF: MiTimeSingleLargePageZero+142p
					; MiTimeSingleLargePageZero+5E344p

var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= byte ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_99		= byte ptr -99h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, [ebp+arg_0]
		lea	edi, [ebp+var_98]
		mov	[ebp+var_C4], ecx
		stosd
		lea	ecx, [ebp+var_98]
		push	esi
		mov	[ebp+var_CC], esi
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_EC]
		stosd
		stosd
		stosd
		stosd
		call	_MiInitializeColorTable@8 ; MiInitializeColorTable(x,x)
		push	80h		; size_t
		lea	eax, [ebp+var_8C]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	ebx, ebx
		mov	[ebp+var_BC], ebx
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+var_A8], edi

loc_567373:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+447j
		xor	eax, eax
		mov	cl, 2
		mov	[ebp+var_A0], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	[ebp+var_D0], 0
		xor	ecx, ecx
		mov	[ebp+var_99], al
		rdtsc
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_B8], edx
		lock or	[eax], ecx
		push	ecx
		mov	ecx, [ebp+var_C4]
		lea	eax, [ebp+var_98]
		push	2
		push	eax
		push	1
		push	1
		push	esi
		push	1
		xor	edx, edx
		call	_MiUnlinkNodeLargePages@36 ; MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_AC], ecx
		test	ecx, ecx
		jnz	short loc_567415
		mov	cl, [ebp+var_99]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_C4]
		mov	eax, 200h
		push	1
		push	2
		push	0
		push	eax
		push	esi
		mov	edx, eax
		call	_MiGetLargePagesDemoteAsNeeded@28 ; MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)
		mov	[ebp+var_A0], eax
		test	eax, eax
		jz	loc_5675FA
		mov	ecx, eax
		call	_MiFreeLargePageChain@4	; MiFreeLargePageChain(x)
		dec	ebx
		dec	edi
		jmp	loc_567738
; 

loc_567415:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+CFj
		mov	eax, ecx
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	edi
		cdq
		idiv	edi
		push	4
		mov	edx, ecx
		mov	[ebp+var_C8], eax
		pop	ecx
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		mov	edx, 200h
		mov	[ebp+var_A4], eax
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	edi, eax
		test	edi, edi
		jnz	short loc_56745A
		inc	eax
		mov	[ebp+var_A0], eax
		jmp	loc_567582
; 

loc_56745A:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+14Aj
		mov	eax, [ebp+var_A4]
		mov	ecx, edi
		mov	edx, [ebp+var_C8]
		or	eax, 0A0000000h
		push	eax
		call	MiMakeValidPte
		mov	[ebp+var_A4], eax
		mov	eax, edi
		shl	eax, 9
		mov	[ebp+var_B0], eax
		lea	eax, [edi+1000h]
		mov	[ebp+var_D4], edx
		mov	[ebp+var_C0], eax
		cmp	edi, eax
		jnb	loc_56755C
		mov	esi, [ebp+var_A4]
		mov	ebx, edx

loc_5674A6:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+248j
		and	[ebp+var_A4], 0
		mov	ecx, edi
		mov	edx, ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_567509
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5674EA
		xor	ecx, ecx
		mov	eax, esi
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		mov	[ebp+var_A4], ecx
		jnz	short loc_56750B
		and	eax, ecx

loc_5674D9:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+205j
		or	eax, 0
		mov	eax, esi
		jz	short loc_56750B
		mov	edx, ebx
		or	edx, 80000000h
		jmp	short loc_56750B
; 

loc_5674EA:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+1BFj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, esi
		jz	short loc_56750B
		and	eax, 1
		jmp	short loc_5674D9
; 

loc_567509:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+1B6j
		mov	eax, esi

loc_56750B:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+1D3j
					; MiTimeSingleLargePageZeroWorker(x,x)+1DCj ...
		mov	[edi+4], edx
		nop
		cmp	[ebp+var_A4], 0
		mov	[edi], eax
		jz	short loc_567523
		push	edx
		push	eax
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_567523:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+216j
		mov	edx, esi
		mov	eax, ebx
		add	edx, 1000h
		adc	eax, 0
		xor	edx, esi
		xor	eax, ebx
		and	edx, 0FFFFF000h
		and	eax, 1Fh
		add	edi, 8
		xor	esi, edx
		xor	ebx, eax
		cmp	edi, [ebp+var_C0]
		jb	loc_5674A6
		mov	esi, [ebp+var_CC]
		mov	ebx, [ebp+var_BC]

loc_56755C:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+196j
		mov	ecx, [ebp+var_B0]
		mov	edx, 200000h
		call	_KeZeroPages	; KiZeroPages(x,x)
		push	200h
		lea	edx, [edi-1000h]
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_567582:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+153j
		mov	edi, [ebp+var_AC]
		and	[ebp+var_D8], 0
		add	edi, 10h
		jmp	short loc_5675A5
; 

loc_567594:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+2A1j
					; MiTimeSingleLargePageZeroWorker(x,x)+2A8j
		lea	ecx, [ebp+var_D8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_567594

loc_5675A5:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+290j
		lock bts dword ptr [edi], 1Fh
		jb	short loc_567594
		xor	eax, eax
		lea	edi, [ebp+var_EC]
		stosd
		lea	ecx, [ebp+var_EC]
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_C8]
		mov	edi, [ebp+var_A0]
		and	[ebp+var_E4], 0
		mov	[ebp+var_EC], eax
		mov	[ebp+var_E8], edi
		mov	[ebp+var_E0], 2
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)
		dec	edi
		neg	edi
		sbb	edi, edi
		and	edi, [ebp+var_AC]
		mov	[ebp+var_A0], edi

loc_5675FA:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+FFj
		and	[ebp+var_DC], 0
		lea	eax, [ebp+var_DC]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	cl, [ebp+var_99]
		rdtsc
		mov	edi, eax
		mov	[ebp+var_B0], edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_A0], 0
		jz	loc_56775B
		sub	edi, [ebp+var_B4]
		mov	eax, [ebp+var_B0]
		sbb	eax, [ebp+var_B8]
		mov	[ebp+ebx*8+var_8C], edi
		mov	[ebp+ebx*8+var_88], eax
		cmp	ebx, 2
		jb	loc_567732
		mov	ecx, [ebp+var_A8]
		xor	edx, edx
		xor	edi, edi
		cmp	ecx, ebx
		ja	short loc_567679

loc_567666:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+375j
		add	edx, [ebp+ecx*8+var_8C]
		adc	edi, [ebp+ecx*8+var_88]
		inc	ecx
		cmp	ecx, ebx
		jbe	short loc_567666

loc_567679:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+362j
		push	0
		push	3
		push	edi
		push	edx
		call	__aulldiv
		push	0
		push	0Ah
		mov	ebx, edx
		mov	edi, eax
		push	ebx
		push	edi
		mov	[ebp+var_A0], edi
		call	__aulldiv
		mov	ecx, edx
		mov	edx, edi
		sub	edx, eax
		mov	[ebp+var_B4], edx
		mov	edx, ebx
		sbb	edx, ecx
		add	eax, edi
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+var_BC]
		adc	ecx, ebx
		mov	[ebp+var_C0], ecx
		mov	ecx, [ebp+var_A8]
		mov	[ebp+var_B0], edx
		cmp	ecx, eax
		ja	loc_56777B
		mov	esi, [ebp+var_B8]
		mov	edi, [ebp+var_B4]

loc_5676DF:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+418j
		mov	edx, [ebp+ecx*8+var_8C]
		mov	[ebp+var_AC], edx
		mov	edx, [ebp+ecx*8+var_88]
		cmp	edx, [ebp+var_B0]
		jb	short loc_56771C
		ja	short loc_567705
		cmp	[ebp+var_AC], edi
		jb	short loc_56771C

loc_567705:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+3F9j
		cmp	edx, [ebp+var_C0]
		ja	short loc_56771C
		jb	short loc_567717
		cmp	[ebp+var_AC], esi
		ja	short loc_56771C

loc_567717:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+40Bj
		inc	ecx
		cmp	ecx, eax
		jbe	short loc_5676DF

loc_56771C:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+3F7j
					; MiTimeSingleLargePageZeroWorker(x,x)+401j ...
		mov	esi, [ebp+var_CC]
		mov	edi, [ebp+var_A0]
		cmp	ecx, eax
		ja	short loc_56777B
		mov	ebx, [ebp+var_BC]

loc_567732:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+350j
		mov	edi, [ebp+var_A8]

loc_567738:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+10Ej
		inc	ebx
		inc	edi
		mov	[ebp+var_BC], ebx
		mov	[ebp+var_A8], edi
		cmp	ebx, 10h
		jb	loc_567373
		xor	edi, edi
		xor	ebx, ebx
		mov	[ebp+var_A0], edi
		jmp	short loc_567781
; 

loc_56775B:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+327j
		push	80h		; size_t
		lea	eax, [ebp+var_8C]
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	edi, edi
		add	esp, 0Ch
		mov	[ebp+var_A0], edi
		xor	ebx, ebx

loc_56777B:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+3CBj
					; MiTimeSingleLargePageZeroWorker(x,x)+428j
		mov	eax, edi
		or	eax, ebx
		jnz	short loc_5677CB

loc_567781:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+457j
		xor	edx, edx
		xor	esi, esi
		xor	ecx, ecx

loc_567787:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+4AFj
		mov	eax, [ebp+ecx*8+var_8C]
		mov	edi, [ebp+ecx*8+var_88]
		mov	[ebp+var_B8], eax
		or	eax, edi
		mov	[ebp+var_B4], edi
		jz	short loc_5677B3
		add	edx, [ebp+var_B8]
		adc	esi, edi
		inc	ecx
		cmp	ecx, 10h
		jb	short loc_567787

loc_5677B3:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+4A1j
		mov	edi, [ebp+var_A0]
		test	ecx, ecx
		jz	short loc_5677CB
		push	0
		push	ecx
		push	esi
		push	edx
		call	__aulldiv
		mov	edi, eax
		mov	ebx, edx

loc_5677CB:				; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+47Dj
					; MiTimeSingleLargePageZeroWorker(x,x)+4B9j
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		mov	edx, ebx
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiTimeSingleLargePageZeroWorker@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeColorTable(x, x)
_MiInitializeColorTable@8 proc near	; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+45p
					; MiZeroPageThread+7F213p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		mov	cl, byte_6D068C
		and	eax, dword_6D06D0
		mov	edx, [ebp+arg_0]
		shl	edx, cl
		or	edx, eax
		xor	esi, esi
		mov	[edi+8], edx

loc_567809:				; CODE XREF: MiInitializeColorTable(x,x)+38j
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		mov	[edi+esi*4], eax
		inc	esi
		cmp	esi, 2
		jb	short loc_567809
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_MiInitializeColorTable@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDescribePageRun(x, x, x)
_MiDescribePageRun@12 proc near		; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+282p
					; MiRemovePhysicalMemory(x,x,x)+F7p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		lea	ecx, [esi+eax]
		mov	[ebp+var_4], ecx
		cmp	esi, ecx
		jz	short loc_567898

loc_56783A:				; CODE XREF: MiDescribePageRun(x,x,x)+76j
		mov	edx, eax
		mov	ecx, esi
		call	MiRestrictRangeToNode
		push	0
		push	40h
		push	18h
		mov	edx, 6F4E6D4Dh
		mov	[ebp+arg_0], eax
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_5678A7
		mov	eax, [ebp+arg_0]
		mov	ecx, esi
		and	dword ptr [edi+14h], 0
		mov	[edi+8], esi
		mov	[edi+0Ch], eax
		call	MiSearchNumaNodeTable
		mov	eax, [eax+4]
		mov	[edi+10h], eax
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	short loc_5678A2
		add	esi, [ebp+arg_0]
		mov	[edi+4], eax
		mov	[edi], ebx
		mov	[eax], edi
		mov	eax, [ebp+var_4]
		mov	[ebx+4], edi
		sub	eax, esi
		inc	dword ptr [ebx+8]
		cmp	esi, [ebp+var_4]
		jnz	short loc_56783A

loc_567898:				; CODE XREF: MiDescribePageRun(x,x,x)+18j
		xor	eax, eax
		inc	eax

loc_56789B:				; CODE XREF: MiDescribePageRun(x,x,x)+89j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_5678A2:				; CODE XREF: MiDescribePageRun(x,x,x)+5Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5678A7:				; CODE XREF: MiDescribePageRun(x,x,x)+3Bj
		xor	eax, eax
		jmp	short loc_56789B
_MiDescribePageRun@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeUnusablePfns(x,	x, x, x, x, x, x)
_MiInitializeUnusablePfns@28 proc near	; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+20Cp
					; MiDoGangAssignment(x,x)+DCp ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= word ptr -20h
var_1E		= byte ptr -1Eh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_34]
		xor	eax, eax
		mov	[ebp+var_4], ebx
		push	7
		pop	ecx
		rep stosd
		mov	eax, ebx
		mov	esi, edx
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		imul	ecx, esi, 1Ch
		mov	[ebp+var_18], esi
		mov	[ebp+var_8], eax
		add	ecx, ebx
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_C], ecx
		test	ebx, 1800h
		jz	short loc_567904
		push	0
		push	ecx
		push	1
		push	0
		mov	edx, esi
		mov	ecx, eax
		call	_MiCreateInitialLargeLeafPfns@24 ; MiCreateInitialLargeLeafPfns(x,x,x,x,x,x)
		jmp	loc_567B8A
; 

loc_567904:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+41j
		xor	edi, edi
		lea	edx, [ebp+var_34]
		inc	edi
		mov	ecx, edi
		call	_MiCreatePfnTemplate@8 ; MiCreatePfnTemplate(x,x)
		push	6
		pop	ecx
		mov	[ebp+arg_4], ecx
		push	2
		pop	eax
		test	bl, bl
		jns	short loc_56793B
		mov	eax, [ebp+var_1C]
		mov	edx, offset dword_6D07B4
		and	eax, 0BFFFFFFFh
		or	eax, 30000000h
		mov	[ebp+var_1C], eax
		mov	eax, esi
		lock xadd [edx], eax
		jmp	short loc_567971
; 

loc_56793B:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+70j
		test	bl, 40h
		jz	short loc_567949
		mov	[ebp+var_30], 0C0000000h
		jmp	short loc_567971
; 

loc_567949:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+92j
		test	bl, 2
		jz	short loc_56796B
		test	[ebp+arg_10], 2
		jz	short loc_567958
		mov	ecx, eax
		jmp	short loc_56796E
; 

loc_567958:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+A6j
		mov	eax, [ebp+var_24]
		and	eax, 0C0000001h
		mov	[ebp+var_20], di
		or	eax, edi
		mov	[ebp+var_24], eax
		jmp	short loc_567971
; 

loc_56796B:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+A0j
		push	5
		pop	ecx

loc_56796E:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+AAj
		mov	[ebp+arg_4], ecx

loc_567971:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+8Dj
					; MiInitializeUnusablePfns(x,x,x,x,x,x,x)+9Bj ...
		mov	al, [ebp+var_1E]
		xor	edi, edi
		and	al, 0F8h
		or	al, cl
		mov	[ebp+var_1E], al
		test	bl, 0C0h
		jz	short loc_5679DF
		mov	eax, [ebp+var_24]
		and	eax, 0C0000001h
		push	edi
		or	eax, 1
		push	80h
		mov	[ebp+var_24], eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebp+var_2C], eax
		lea	ecx, [ebp+var_34]
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_28], edx
		and	eax, 0FFFFFFFDh
		mov	edx, large fs:124h
		or	eax, 7FFFFDh
		mov	[ebp+var_1C], eax
		push	1
		mov	edx, [edx+80h]
		call	_MiSetPageTablePfnBuddy@12 ; MiSetPageTablePfnBuddy(x,x,x)
		or	[ebp+var_24], 40000000h
		mov	ecx, offset dword_6D3620
		push	2
		pop	eax
		mov	[ebp+var_20], ax
		mov	eax, esi
		lock xadd [ecx], eax

loc_5679DF:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+D4j
		test	bl, 2
		jz	loc_567B7C
		mov	esi, [ebp+arg_8]
		mov	ecx, esi
		call	_MiMakeSubsectionPte@4 ; MiMakeSubsectionPte(x)
		movzx	ebx, word ptr [esi+10h]
		mov	esi, [ebp+arg_C]
		mov	ecx, esi
		or	[ebp+var_1C], 80000000h
		shr	ebx, 1
		mov	[ebp+var_2C], eax
		and	ebx, 1Fh
		mov	[ebp+var_28], edx
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		mov	edx, [ebp+var_1C]
		imul	ecx, eax, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_10], ecx
		mov	ecx, edx
		xor	ecx, eax
		and	ecx, offset loc_7FFFFF
		xor	edx, ecx
		cmp	[ebp+arg_4], 6
		mov	[ebp+var_1C], edx
		jnz	short loc_567A43
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	ebx
		call	MiMakeValidPte
		jmp	short loc_567A4D
; 

loc_567A43:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+188j
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)

loc_567A4D:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+195j
		mov	ebx, eax
		mov	eax, [ebp+var_4]
		jmp	loc_567B2C
; 

loc_567A57:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+286j
		mov	[ebp+var_30], esi
		mov	edi, eax
		push	7
		pop	ecx
		lea	esi, [ebp+var_34]
		mov	eax, ebx
		rep movsd
		mov	esi, [ebp+arg_C]
		and	eax, 1
		xor	edi, edi
		or	eax, edi
		jz	loc_567AFA
		mov	ecx, esi
		mov	dword ptr [ebp+arg_10],	edx
		mov	[ebp+arg_8], edi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_567AC6
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_567AA9
		cmp	byte ptr word_6D07B8+1,	0
		mov	[ebp+arg_8], 1
		jnz	short loc_567AC1

loc_567AA0:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+213j
		mov	eax, edx
		or	eax, 80000000h
		jmp	short loc_567AC8
; 

loc_567AA9:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+1E2j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_567AA0

loc_567AC1:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+1F2j
		mov	eax, dword ptr [ebp+arg_10]
		jmp	short loc_567AC8
; 

loc_567AC6:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+1D9j
		mov	eax, edx

loc_567AC8:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+1FBj
					; MiInitializeUnusablePfns(x,x,x,x,x,x,x)+218j
		mov	[esi+4], eax
		nop
		mov	ecx, ebx
		mov	[esi], ecx
		cmp	[ebp+arg_8], edi
		jz	short loc_567AE1
		push	eax
		push	ecx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	edx, [ebp+arg_4]

loc_567AE1:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+227j
		mov	ecx, ebx
		mov	eax, edx
		and	ecx, 0FFFFF000h
		add	ecx, 1000h
		adc	eax, edi
		xor	eax, edx
		and	eax, 1Fh
		jmp	short loc_567B11
; 

loc_567AFA:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+1C4j
		mov	[esi], ebx
		nop
		mov	ecx, ebx
		mov	[esi+4], edx
		add	ecx, 1000h
		mov	eax, edx
		adc	eax, edi
		xor	eax, edx
		and	eax, 3Fh

loc_567B11:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+24Cj
		xor	ecx, ebx
		xor	edx, eax
		mov	eax, [ebp+var_4]
		and	ecx, 0FFFFF000h
		add	esi, 8
		xor	ebx, ecx
		add	eax, 1Ch
		mov	[ebp+arg_C], esi
		mov	[ebp+var_4], eax

loc_567B2C:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+1A6j
		mov	[ebp+arg_4], edx
		cmp	eax, [ebp+var_C]
		jnz	loc_567A57
		mov	ebx, [ebp+var_10]
		mov	[ebp+var_14], edi
		lea	esi, [ebx+10h]
		jmp	short loc_567B51
; 

loc_567B43:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+2A3j
					; MiInitializeUnusablePfns(x,x,x,x,x,x,x)+2AAj
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_567B43

loc_567B51:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+295j
		lock bts dword ptr [esi], 1Fh
		jb	short loc_567B43
		mov	edi, [ebp+var_18]
		mov	ecx, ebx
		mov	edx, edi
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		push	edi
		push	[ebp+var_8]
		push	offset dword_6D35B4
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		jmp	short loc_567B8A
; 

loc_567B7C:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+136j
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_34]
		push	eax
		mov	edx, esi
		call	_MiCreateInitialPfns@12	; MiCreateInitialPfns(x,x,x)

loc_567B8A:				; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+53j
					; MiInitializeUnusablePfns(x,x,x,x,x,x,x)+2CEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_MiInitializeUnusablePfns@28 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateInitialPfns(x, x, x)
_MiCreateInitialPfns@12	proc near	; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+2D9p
					; MxCreateFreePfns(x)+2A0p

var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, ecx
		push	edi
		push	7
		pop	ecx
		mov	ebx, edx
		lea	edi, [ebp+var_20]
		rep movsd
		imul	ecx, ebx, 1Ch
		push	1Ch
		mov	[ebp+var_4], ebx
		pop	esi
		mov	[ebp+arg_0], ecx
		lea	edx, [ecx+eax]
		cmp	eax, edx
		jz	short loc_567BDA
		push	esi
		pop	ebx

loc_567BC1:				; CODE XREF: MiCreateInitialPfns(x,x,x)+3Dj
		mov	edi, eax
		lea	esi, [ebp+var_20]
		push	7
		add	eax, ebx
		pop	ecx
		rep movsd
		cmp	eax, edx
		jnz	short loc_567BC1
		mov	ebx, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		push	1Ch
		pop	esi

loc_567BDA:				; CODE XREF: MiCreateInitialPfns(x,x,x)+2Bj
		sub	eax, ecx
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	esi
		push	ebx
		push	eax
		push	offset dword_6D35B4
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiCreateInitialPfns@12	endp


;  S U B	R O U T	I N E 


MiRestrictRangeToNode proc near		; CODE XREF: MiDescribePageRun(x,x,x)+1Ep
					; MiInitializeDynamicPfns(x,x,x,x,x,x)+188p ...

; FUNCTION CHUNK AT 005C53C7 SIZE 0000001E BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	MiSearchNumaNodeTable
		mov	ecx, [eax+8]
		lea	eax, [edi+esi]
		cmp	eax, ecx
		ja	short loc_567C21

loc_567C0F:				; CODE XREF: MiRestrictRangeToNode+2Dj
		cmp	dword_6D06B4, 0
		jnz	loc_5C53C7

loc_567C1C:				; CODE XREF: MiRestrictRangeToNode+5D7DEj
					; MiRestrictRangeToNode+5D7E8j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_567C21:				; CODE XREF: MiRestrictRangeToNode+15j
		mov	esi, ecx
		sub	esi, edi
		jmp	short loc_567C0F
MiRestrictRangeToNode endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RunningHash	proc near		; CODE XREF: ComputeEventEntryHash+1Bp
					; ComputeEventEntryHash+3Dp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		cmp	[ebp+arg_0], esi
		jbe	short loc_567C53

loc_567C38:				; CODE XREF: RunningHash+29j
		movzx	eax, byte ptr [esi+edx]
		add	eax, [edi]
		imul	ecx, eax, 401h
		mov	eax, ecx
		shr	eax, 6
		xor	eax, ecx
		inc	esi
		mov	[edi], eax
		cmp	esi, [ebp+arg_0]
		jb	short loc_567C38

loc_567C53:				; CODE XREF: RunningHash+Ej
		pop	edi
		pop	esi
		pop	ebp
		retn	4
RunningHash	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeSystemVaRange proc near	; CODE XREF: MiInitializeDynamicVa+7Cp
					; MiInitializeDynamicVa+94p ...

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00567D7C SIZE 00000018 BYTES
; FUNCTION CHUNK AT 005C53E5 SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	esi, 80000000h
		jb	loc_5C53E5
		sub	edi, esi
		shr	esi, 15h
		push	offset dword_6D2E64
		lea	eax, dword_6D3994[esi]
		mov	[ebp+var_8], eax
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al
		test	edi, edi
		jz	short loc_567CC6
		mov	edx, [ebp+var_8]
		lea	ecx, dword_6D0BD4[esi*4]
		dec	edi
		shr	edi, 15h
		inc	edi

loc_567CA1:				; CODE XREF: MiInitializeSystemVaRange+6Aj
		mov	al, [edx]
		test	al, al
		jz	short loc_567CEC
		movzx	eax, al
		dec	dword_6D3D54[eax*4]

loc_567CB1:				; CODE XREF: MiInitializeSystemVaRange+A8j
		mov	eax, [ebp+arg_0]
		add	ecx, 4
		mov	[edx], al
		inc	dword_6D3D54[eax*4]
		inc	edx
		sub	edi, 1
		jnz	short loc_567CA1

loc_567CC6:				; CODE XREF: MiInitializeSystemVaRange+36j
		mov	eax, dword_6D4254
		pop	edi
		pop	esi
		cmp	eax, dword_6D07C8
		jb	short loc_567D04

loc_567CD5:				; CODE XREF: MiInitializeSystemVaRange+AFj
		push	offset dword_6D2E64
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn	4
; 

loc_567CEC:				; CODE XREF: MiInitializeSystemVaRange+4Bj
		sub	dword_6D4254, 200000h
		mov	eax, [ecx]
		and	eax, 80000001h
		or	eax, 1
		mov	[ecx], eax
		jmp	short loc_567CB1
; 

loc_567D04:				; CODE XREF: MiInitializeSystemVaRange+79j
		mov	dword_6D07C8, eax
		jmp	short loc_567CD5
MiInitializeSystemVaRange endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiStoreChargeReservedPages(x)
_MiStoreChargeReservedPages@4 proc near	; CODE XREF: MiInitSystem+12Ep
		push	6
		push	0
		push	20h
		pop	edx
		mov	ecx, offset _MiSystemPartition
		call	MiAcquireNonPagedResources
		test	eax, eax
		js	short loc_567D2C
		or	dword_6D4E44, 4
		xor	eax, eax
		inc	eax
		retn
; 

loc_567D2C:				; CODE XREF: MiStoreChargeReservedPages(x)+13j
		xor	eax, eax
		retn
_MiStoreChargeReservedPages@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUpdatePageThresholdsDpc proc near	; DATA XREF: MiInitializeWorkingSetManagerParameters+1CCo

var_4		= dword	ptr -4
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		or	ebx, 0FFFFFFFFh
		push	edi
		mov	eax, ebx
		lock xadd [esi], eax
		dec	eax
		mov	edi, eax
		mov	ecx, 80000000h
		not	edi
		and	edi, ecx
		test	eax, 7FFFFFFFh
		jz	loc_5C53F7
		jmp	short loc_567D6F
; 

loc_567D62:				; CODE XREF: MiUpdatePageThresholdsDpc+45j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	ecx, 80000000h

loc_567D6F:				; CODE XREF: MiUpdatePageThresholdsDpc+30j
		mov	eax, [esi]
		and	eax, ecx
		cmp	eax, edi
		jnz	short loc_567D62
		jmp	loc_5C541F
MiUpdatePageThresholdsDpc endp

; 
; START	OF FUNCTION CHUNK FOR MiInitializeSystemVaRange

loc_567D7C:				; CODE XREF: MiInitializeSystemVaRange+133j
		lea	ecx, [ebp+arg_C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		and	eax, 80000000h

loc_567D8B:				; CODE XREF: MiInitializeSystemVaRange+5D7F4j
		cmp	eax, edi
		jnz	short loc_567D7C
		jmp	loc_5C5439
; END OF FUNCTION CHUNK	FOR MiInitializeSystemVaRange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUpdateAvailableEvents	proc near	; CODE XREF: .text:0045F520p
					; .text:00470A2Ep ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005C5460 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		lea	ecx, [esi+0A80h]
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edi, [esi+0FC0h]
		xor	ebx, ebx
		mov	eax, [esi+0A0h]
		cmp	edi, [esi+0B2Ch]
		jbe	sub_5C5453
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_567DD7:				; CODE XREF: sub_5C5453+8j
		mov	eax, [esi+0A4h]
		cmp	edi, [esi+0B30h]
		jbe	short loc_567E2A
		push	ebx
		push	ebx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_567DED:				; CODE XREF: MiUpdateAvailableEvents+9Cj
		test	ds:byte_70EFC6,	1
		jnz	loc_5C5460
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5C5478
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5C5470

loc_567E1C:				; CODE XREF: MiUpdateAvailableEvents+5D6D7j
					; MiUpdateAvailableEvents+5D6F0j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_567E2A:				; CODE XREF: MiUpdateAvailableEvents+4Fj
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		jmp	short loc_567DED
MiUpdateAvailableEvents	endp

; 
		align 8
; Exported entry 272. DbgSetDebugFilterState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgSetDebugFilterState(x, x, x)
		public _DbgSetDebugFilterState@12
_DbgSetDebugFilterState@12 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	NtSetDebugFilterState
		pop	ecx
		pop	ebp
		retn	0Ch
_DbgSetDebugFilterState@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepShimDbChanged proc near		; CODE XREF: KseQueryDeviceData:loc_878E9Bp
					; KseQueryDeviceDataList(x,x,x,x)+64p

var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005DC849 SIZE 00000095 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 38h
		mov	eax, large fs:124h
		and	[esp+38h+var_8], 0
		and	[esp+38h+var_4], 0
		push	esi
		dec	word ptr [eax+13Ch]
		push	edi
		nop
		xor	edx, edx
		mov	ecx, offset _KsepShimDbLock
		call	ExAcquirePushLockExclusiveEx
		and	[esp+40h+var_2C], 0
		lea	edx, [esp+40h+var_8]
		mov	ecx, offset aSystemrootAp_1 ; "\\SystemRoot\\AppPatch\\drvmain.sdb"
		call	KsepShimDatabaseTime
		xor	esi, esi
		inc	esi
		test	eax, eax
		js	short loc_567EEB
		mov	ecx, dword_6C7478
		mov	eax, ecx
		mov	edx, dword_6C747C
		or	eax, edx
		jz	loc_5680A5
		mov	edi, [esp+40h+var_8]
		mov	eax, [esp+40h+var_4]
		cmp	edi, ecx
		jnz	loc_5DC849
		cmp	eax, edx
		jnz	loc_5DC849

loc_567ECB:				; CODE XREF: KsepShimDbChanged+265j
		and	[esp+40h+var_8], 0
		lea	edx, [esp+40h+var_8]
		and	[esp+40h+var_4], 0
		mov	ecx, offset aSystemrootAppp ; "\\SystemRoot\\AppPatch\\drvpatch.sdb"
		call	KsepShimDatabaseTime
		test	eax, eax
		jns	loc_5DC858

loc_567EEB:				; CODE XREF: KsepShimDbChanged+49j
					; KsepShimDbChanged+74A35j ...
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _KsepShimDbLock
		mov	[esp+40h+var_28], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_568052

loc_567F07:				; CODE XREF: KsepShimDbChanged+20Dj
		xor	edi, edi
		mov	[esp+40h+var_24], edi
		test	ecx, 7FFFFFFCh
		jz	loc_568026
		mov	esi, large fs:124h
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		mov	[esp+40h+var_C], esi
		mov	[esp+40h+var_20], eax
		cmp	eax, offset _KsepShimDbLock
		ja	short loc_567F5E
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_56803C
		mov	eax, [esp+40h+var_20]
		cmp	eax, offset _KsepShimDbLock
		ja	short loc_567F5E
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_56803C

loc_567F5E:				; CODE XREF: KsepShimDbChanged+E3j
					; KsepShimDbChanged+FDj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _KsepShimDbLock
		mov	[esp+44h+var_2D], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+40h+var_20], ecx
		test	ecx, ecx
		jz	loc_5680BC
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_5680CF

loc_567FA4:				; CODE XREF: KsepShimDbChanged+286j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+40h+var_24], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		mov	ecx, eax
		xor	eax, eax
		inc	eax
		shl	al, cl
		cmp	[esp+40h+var_2D], 1
		jnz	loc_5DC8B7
		or	[esi+1E4h], al

loc_567FED:				; CODE XREF: KsepShimDbChanged+272j
					; KsepShimDbChanged+74A72j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+40h+var_C], eax
		jnz	short loc_568064

loc_568001:				; CODE XREF: KsepShimDbChanged+248j
					; KsepShimDbChanged+74A87j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_568026
		nop
		lea	ecx, [esi+70h]
		cmp	[ecx], ecx
		jnz	loc_5680DD

loc_568026:				; CODE XREF: KsepShimDbChanged+C1j
					; KsepShimDbChanged+1C6j ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [esp+40h+var_2C]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_56803C:				; CODE XREF: KsepShimDbChanged+EEj
					; KsepShimDbChanged+106j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[esp+40h+var_28], eax
		jmp	loc_567F5E
; 

loc_568052:				; CODE XREF: KsepShimDbChanged+AFj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _KsepShimDbLock
		jmp	loc_567F07
; 

loc_568064:				; CODE XREF: KsepShimDbChanged+1ADj
		test	edi, 8000h
		jz	short loc_568075
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_568075:				; CODE XREF: KsepShimDbChanged+218j
		test	byte ptr [esp+40h+var_24+2], 1
		jnz	short loc_5680E7

loc_56807C:				; CODE XREF: KsepShimDbChanged+2A5j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_568090
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_568090:				; CODE XREF: KsepShimDbChanged+231j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_568001
		jmp	loc_5DC8C9
; 

loc_5680A5:				; CODE XREF: KsepShimDbChanged+5Bj
		mov	eax, [esp+40h+var_8]
		mov	dword_6C7478, eax
		mov	eax, [esp+40h+var_4]

loc_5680B2:				; CODE XREF: KsepShimDbChanged+74A01j
		mov	dword_6C747C, eax
		jmp	loc_567ECB
; 

loc_5680BC:				; CODE XREF: KsepShimDbChanged+13Aj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_567FED
		jmp	loc_5DC8A1
; 

loc_5680CF:				; CODE XREF: KsepShimDbChanged+14Cj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+40h+var_20]
		jmp	loc_567FA4
; 

loc_5680DD:				; CODE XREF: KsepShimDbChanged+1CEj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_568026
; 

loc_5680E7:				; CODE XREF: KsepShimDbChanged+228j
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	short loc_56807C
KsepShimDbChanged endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlUnicodeStringCopyStringEx proc near	; CODE XREF: PiDevCfgBuildDriverConfigurationId(x,x)+11Fp
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+3C5p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E2BB7 SIZE 000000A6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_18], ecx
		xor	ebx, ebx
		mov	ecx, [ebp+arg_4]
		mov	edi, ebx
		push	ecx
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ebx
		call	sub_568240
		mov	esi, eax
		test	esi, esi
		js	loc_5681E0
		test	ecx, ecx
		jz	short loc_568138
		movzx	edi, word ptr [ecx+2]
		mov	eax, [ecx+4]
		mov	[ebp+var_8], eax
		shr	edi, 1

loc_568138:				; CODE XREF: RtlUnicodeStringCopyStringEx+30j
		test	esi, esi
		js	loc_5681E0
		mov	eax, [ebp+arg_4]
		mov	edx, edi
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ebx
		test	eax, 100h
		jnz	loc_5E2BB7

loc_56815C:				; CODE XREF: RtlUnicodeStringCopyStringEx+7AAC0j
					; RtlUnicodeStringCopyStringEx+7AACDj
		mov	esi, ebx
		test	eax, 0FFFFE000h
		jnz	loc_5E2BCC
		test	edi, edi
		jz	loc_5E2BD3
		push	ecx
		push	[ebp+var_4]
		lea	eax, [ebp+var_C]
		mov	edx, edi
		push	eax
		call	RtlWideCharArrayCopyStringWorker
		mov	ebx, [ebp+var_C]
		mov	esi, eax
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		sub	eax, ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		lea	edx, [ecx+ebx*2]
		mov	[ebp+var_14], edx
		test	esi, esi
		js	loc_5E2C13
		mov	ecx, [ebp+arg_4]
		test	ecx, 200h
		jnz	loc_5E2BF6

loc_5681AF:				; CODE XREF: RtlUnicodeStringCopyStringEx+7AAFEj
					; RtlUnicodeStringCopyStringEx+7AB14j
		mov	edx, [ebp+var_8]

loc_5681B2:				; CODE XREF: RtlUnicodeStringCopyStringEx+7AAE2j
					; RtlUnicodeStringCopyStringEx+7AB24j ...
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jz	short loc_5681BF
		lea	eax, [ebx+ebx]
		mov	[ecx], ax

loc_5681BF:				; CODE XREF: RtlUnicodeStringCopyStringEx+BDj
		test	esi, esi
		js	loc_5E2C4C

loc_5681C7:				; CODE XREF: RtlUnicodeStringCopyStringEx+7AB5Ej
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_5681E0
		xor	eax, eax
		mov	[ecx], ax
		lea	eax, [edx+edx]
		mov	[ecx+2], ax
		mov	eax, [ebp+var_14]
		mov	[ecx+4], eax

loc_5681E0:				; CODE XREF: RtlUnicodeStringCopyStringEx+28j
					; RtlUnicodeStringCopyStringEx+40j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
RtlUnicodeStringCopyStringEx endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlWideCharArrayCopyStringWorker proc near ; CODE XREF:	RtlUnicodeStringCopyStringEx+81p
					; RtlUnicodeStringCopyString(x,x)+3Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005E2C5D SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, esi
		push	edi
		mov	edi, 7FFFh
		test	edx, edx
		jz	loc_5E2C5D
		sub	ecx, eax

loc_568208:				; CODE XREF: RtlWideCharArrayCopyStringWorker+36j
		test	edi, edi
		jz	short loc_568222
		movzx	esi, word ptr [eax]
		test	si, si
		jz	short loc_568222
		mov	[ecx+eax], si
		add	eax, 2
		dec	edi
		inc	ebx
		sub	edx, 1
		jnz	short loc_568208

loc_568222:				; CODE XREF: RtlWideCharArrayCopyStringWorker+20j
					; RtlWideCharArrayCopyStringWorker+28j
		push	0
		pop	esi
		test	edx, edx
		jz	short loc_568237

loc_568229:				; CODE XREF: RtlWideCharArrayCopyStringWorker+4Fj
					; RtlWideCharArrayCopyStringWorker+7AA76j ...
		mov	ecx, [ebp+arg_0]
		mov	eax, esi
		pop	edi
		pop	esi
		mov	[ecx], ebx
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_568237:				; CODE XREF: RtlWideCharArrayCopyStringWorker+3Dj
		test	edi, edi
		jz	short loc_568229
		jmp	loc_5E2C5D
RtlWideCharArrayCopyStringWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_568240	proc near		; CODE XREF: RtlUnicodeStringCopyStringEx+1Fp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005E2C70 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		test	ecx, ecx
		jz	loc_5E2C70

loc_56824F:				; CODE XREF: sub_568240+7AA3Dj
		push	ebx
		movzx	ebx, word ptr [ecx]
		test	bl, 1
		jnz	short loc_568280
		movzx	edx, word ptr [ecx+2]
		test	dl, 1
		jnz	short loc_568280
		cmp	bx, dx
		ja	short loc_568280
		push	esi
		mov	esi, 0FFFEh
		cmp	dx, si
		pop	esi
		ja	short loc_568280
		cmp	[ecx+4], eax
		jz	loc_5E2C82

loc_56827B:				; CODE XREF: sub_568240+45j
					; sub_568240+7AA4Ej
		pop	ebx

loc_56827C:				; CODE XREF: sub_568240+7AA37j
		pop	ebp
		retn	4
; 

loc_568280:				; CODE XREF: sub_568240+16j
					; sub_568240+1Fj ...
		mov	eax, 0C000000Dh
		jmp	short loc_56827B
sub_568240	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall BCryptCloseAlgorithmProvider(x, x)
_BCryptCloseAlgorithmProvider@8	proc near ; CODE XREF: SecureDump_Init+7E380p
					; SecureDump_EncryptSymmetricKeyWithPublicKey()+186p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, 0C0000002h
		mov	ecx, _SepBCryptExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_5682B8
		push	0
		push	edi
		call	dword ptr [eax+10h]
		mov	ecx, _SepBCryptExtensionHost
		mov	esi, eax
		add	ecx, 24h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_5682B8:				; CODE XREF: BCryptCloseAlgorithmProvider(x,x)+18j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_BCryptCloseAlgorithmProvider@8	endp

; 
		align 2

; __stdcall PnpBootDeviceWait(x, x, x, x)
_PnpBootDeviceWait@16:			; CODE XREF: IopInitializeBootDrivers+480p
					; VhdInitialize+F603p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp-14h], edx
		push	edi
		lea	eax, [ebp-1Ch]
		mov	[ebp-1Ch], edi
		push	eax
		mov	ebx, ecx
		mov	[ebp-18h], edi
		mov	[ebp-0Ch], edi
		mov	[ebp-4], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	6Eh
		pop	eax
		push	6Ch
		mov	[ebp-22h], ax
		lea	ecx, [ebp-4]
		pop	eax
		mov	[ebp-24h], ax
		xor	edx, edx
		push	20019h
		lea	eax, [ebp-24h]
		mov	dword ptr [ebp-20h], offset ??_C@_1GO@MBBBLOKI@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@
		push	eax
		mov	esi, edi
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
		test	eax, eax
		js	short loc_56836B
		mov	ecx, [ebp-4]
		lea	eax, [ebp-0Ch]
		push	eax
		push	edi
		mov	edx, offset ??_C@_1DC@IJMJJODK@?$AAP?$AAo?$AAl?$AAl?$AAB?$AAo?$AAo?$AAt?$AAP?$AAa?$AAr?$AAt?$AAi?$AAt?$AAi@FNODOBFM@
		call	IopGetRegistryValue
		mov	edi, eax
		test	edi, edi
		js	short loc_56835D
		mov	edx, [ebp-0Ch]
		cmp	dword ptr [edx+0Ch], 4
		jnz	short loc_568350
		mov	ecx, [edx+8]
		mov	ecx, [edx+ecx]
		cmp	ecx, 0C8h
		jb	short loc_568355
		mov	esi, 2BF20h
		cmp	ecx, esi
		ja	short loc_568355
		mov	esi, ecx
		jmp	short loc_568355
; 

loc_568350:				; CODE XREF: .text:00568333j
		mov	edi, 0C0000001h

loc_568355:				; CODE XREF: .text:00568341j
					; .text:0056834Aj ...
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_56835D:				; CODE XREF: .text:0056832Aj
		push	dword ptr [ebp-4]
		call	_ZwClose@4	; ZwClose(x)
		test	edi, edi
		jns	short loc_56836D
		xor	edi, edi

loc_56836B:				; CODE XREF: .text:00568312j
		mov	esi, edi

loc_56836D:				; CODE XREF: .text:00568367j
		or	dword ptr [ebp-0Ch], 0FFFFFFFFh
		lea	eax, [ebp-1Ch]
		push	eax
		mov	dword ptr [ebp-10h], 0FFE17B80h
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp-1Ch]
		push	eax
		push	dword ptr [ebp+0Ch]
		push	ebx
		call	dword ptr [ebp+8]
		mov	edi, eax
		test	edi, edi
		jns	short loc_5683C7

loc_568392:				; CODE XREF: .text:005683C1j
		test	esi, esi
		jle	short loc_5683C3
		lea	eax, [ebp-10h]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		lea	eax, [ebp-1Ch]
		sub	esi, 0C8h
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp-1Ch]
		push	eax
		push	dword ptr [ebp+0Ch]
		push	ebx
		call	dword ptr [ebp+8]
		mov	edi, eax
		test	edi, edi
		js	short loc_568392

loc_5683C3:				; CODE XREF: .text:00568394j
		test	edi, edi
		js	short loc_5683D9

loc_5683C7:				; CODE XREF: .text:00568390j
		lea	eax, [ebp-1Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	8
; 

loc_5683D9:				; CODE XREF: .text:005683C5j
		push	15h
		xor	edx, edx
		pop	ecx
		call	HeadlessKernelAddLogEntry
		push	dword ptr [ebp-14h]
		lea	eax, [ebp-1Ch]
		push	0
		push	edi
		push	eax
		push	7Bh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCreateUnicodeFromAnsiBuffer(x, x)
_IopCreateUnicodeFromAnsiBuffer@8 proc near ; CODE XREF: IopCreateArcName+2C9p
					; IopCreateArcName+367p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		push	edx
		push	eax
		mov	esi, ecx
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	RtlAnsiStringToUnicodeString
		pop	esi
		leave
		retn
_IopCreateUnicodeFromAnsiBuffer@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl RtlStringCchPrintfA(char *,int,char *,char)
RtlStringCchPrintfA proc near		; CODE XREF: IopCreateArcName+2B6p
					; IopCreateArcName+354p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005E2C99 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		test	eax, eax
		jz	short loc_568457
		cmp	eax, 7FFFFFFFh
		ja	short loc_568457

loc_568437:				; CODE XREF: RtlStringCchPrintfA+3Aj
		test	ecx, ecx
		js	loc_5E2C99
		lea	ecx, [ebp+arg_C]
		mov	edx, eax	; int
		push	ecx		; va_list
		push	[ebp+arg_8]	; char *
		push	ecx		; int
		mov	ecx, [ebp+arg_0] ; char	*
		call	sub_54A41E
		mov	ecx, eax

loc_568453:				; CODE XREF: RtlStringCchPrintfA+7A879j
					; RtlStringCchPrintfA+7A885j
		mov	eax, ecx
		pop	ebp
		retn
; 

loc_568457:				; CODE XREF: RtlStringCchPrintfA+Cj
					; RtlStringCchPrintfA+13j
		mov	ecx, 0C000000Dh
		jmp	short loc_568437
RtlStringCchPrintfA endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry  25.

;  S U B	R O U T	I N E 


; __stdcall ClipInitHandles()
		public _ClipInitHandles@0
_ClipInitHandles@0 proc	near		; CODE XREF: ExInitLicenseData+43p
		mov	edi, edi
		push	ecx
		mov	eax, ds:_SeExports
		push	offset _g_kernelCallbacks
		push	0
		mov	ds:dword_A93EE0, offset	ExUpdateLicenseData
		mov	ds:dword_A93EE4, offset	ntoskrnl_27
		mov	ds:dword_A93EE8, offset	_ExUpdateOsPfnInRegistry@16 ; ExUpdateOsPfnInRegistry(x,x,x,x)
		mov	ds:dword_A93EEC, eax
		call	ds:__imp__ClipSpInitialize@8 ; ClipSpInitialize(x,x)
		call	sub_8820B8
		pop	ecx
		retn
_ClipInitHandles@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpQueryLicenseValueFromBlobHelper(int,void *,int,int)
ExpQueryLicenseValueFromBlobHelper proc	near ; CODE XREF: SLQueryLicenseValueInternal+1ABp
					; SLQueryLicenseValueInternal+1F7p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00568569 SIZE 00000012 BYTES
; FUNCTION CHUNK AT 005E2CAC SIZE 00000013 BYTES

		push	10h
		push	offset dword_6A4B48
		call	__SEH_prolog4
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_20], esi
		and	[ebp+var_1C], 0
		and	[ebp+ms_exc.disabled], 0
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+5B80h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		cmp	byte ptr [esi+5B78h], 1
		jnz	short loc_5684EC
		cmp	dword ptr [esi+5B74h], 0
		jz	short loc_568569

loc_5684EC:				; CODE XREF: ExpQueryLicenseValueFromBlobHelper+3Dj
		mov	eax, [esi]
		test	eax, eax
		jz	loc_5E2CAC

loc_5684F6:				; CODE XREF: ExpQueryLicenseValueFromBlobHelper+7A816j
		mov	eax, [eax]
		cmp	eax, 18h
		jz	short loc_568569
		jb	short loc_568572
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; void *
		push	[ebp+arg_0]	; int
		mov	edx, edi
		mov	ecx, esi
		call	ExpQueryLicenseValueFromBlob
		mov	[ebp+var_1C], eax

loc_568517:				; CODE XREF: ExpQueryLicenseValueFromBlobHelper+CCj
					; ExpQueryLicenseValueFromBlobHelper+D5j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_568538
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
ExpQueryLicenseValueFromBlobHelper endp


;  S U B	R O U T	I N E 


sub_568538	proc near		; CODE XREF: ExpQueryLicenseValueFromBlobHelper+7Ap
					; sub_5E2CBF+3j
		add	esi, 5B80h
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_568560

loc_56854C:				; CODE XREF: sub_568538+2Fj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		retn
; 

loc_568560:				; CODE XREF: sub_568538+12j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_56854C
sub_568538	endp

; 
; START	OF FUNCTION CHUNK FOR ExpQueryLicenseValueFromBlobHelper

loc_568569:				; CODE XREF: ExpQueryLicenseValueFromBlobHelper+46j
					; ExpQueryLicenseValueFromBlobHelper+57j
		mov	[ebp+var_1C], 0C0000034h
		jmp	short loc_568517
; 

loc_568572:				; CODE XREF: ExpQueryLicenseValueFromBlobHelper+59j
					; ExpQueryLicenseValueFromBlobHelper+7A810j
		mov	[ebp+var_1C], 0C000003Eh
		jmp	short loc_568517
; END OF FUNCTION CHUNK	FOR ExpQueryLicenseValueFromBlobHelper
; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PnpSetDeviceInstancePropertyChangeEvent(x)
_PnpSetDeviceInstancePropertyChangeEvent@4 proc	near
					; CODE XREF: PnpSetDevicePropertyData+10Ap
		add	ecx, 14h
		jmp	$+5
_PnpSetDeviceInstancePropertyChangeEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance proc near
					; CODE XREF: PiCMSetObjectProperty+197p
					; PiCMDeleteDevice(x,x,x,x,x,x)+276p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005E2D51 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	dword_6CC5E4, 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		jnz	loc_5E2D51
		movzx	eax, word ptr [eax]
		add	eax, 46h
		mov	[ebp+var_4], eax
		lea	ecx, [eax+48h]
		call	_PnpCreateDeviceEventEntry@4 ; PnpCreateDeviceEventEntry(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_56861A
		mov	eax, [ebp+var_4]
		lea	edi, [ebx+48h]
		mov	esi, offset _GUID_DEVICE_PROPERTY_CHANGED
		mov	dword ptr [ebx+58h], 9
		xor	ecx, ecx
		mov	[ebx+64h], eax
		mov	[ebx+10h], ecx
		mov	[ebx+8], ecx
		movsd
		mov	[ebx+1Ch], ecx
		mov	[ebx+20h], ecx
		mov	[ebx+5Ch], ecx
		movsd
		mov	[ebx+60h], ecx
		mov	[ebx+68h], ecx
		movsd
		movsd
		mov	esi, [ebp+var_8]
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_568602
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [ebx+6Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_568602:				; CODE XREF: PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance+6Bj
		movzx	eax, word ptr [esi]
		xor	ecx, ecx
		shr	eax, 1
		mov	[ebx+eax*2+6Ch], cx
		mov	ecx, ebx
		call	PnpInsertEventInQueue

loc_568615:				; CODE XREF: PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance+9Bj
					; PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance+7A7D2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_56861A:				; CODE XREF: PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance+31j
		mov	eax, 0C000009Ah
		jmp	short loc_568615
PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopThermalUpdateTelemetryClientCount proc near ; CODE XREF: PopThermalZoneAdd+F5p
					; PopAssociateThermalRequest+198p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F3B50 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, large fs:124h
		sub	esp, 14h
		dec	word ptr [eax+13Ch]
		push	ebx
		push	esi
		push	edi
		mov	bl, cl
		nop
		mov	edi, offset _PopThermalTelemetryLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	esi, esi
		mov	dword_6C2054, eax
		test	bl, bl
		jz	loc_5F3B50
		mov	eax, _PopThermalTelemetryClientCount
		inc	eax
		mov	_PopThermalTelemetryClientCount, eax
		cmp	eax, 1
		jz	short loc_568696

loc_568673:				; CODE XREF: PopThermalUpdateTelemetryClientCount+A1j
					; PopThermalUpdateTelemetryClientCount+8B535j ...
		cmp	dword_6C2054, esi
		jz	short loc_568681
		mov	dword_6C2054, esi

loc_568681:				; CODE XREF: PopThermalUpdateTelemetryClientCount+57j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_568696:				; CODE XREF: PopThermalUpdateTelemetryClientCount+4Fj
		or	[esp+20h+var_8], 0FFFFFFFFh
		lea	eax, [esp+20h+var_10]
		or	[esp+20h+var_4], 0FFFFFFFFh
		push	eax
		push	esi
		push	esi
		push	0FFFFFF36h
		push	0D5964000h
		push	offset _PopThermalTelemetryTimer
		mov	[esp+38h+var_10], esi
		mov	[esp+38h+var_C], esi
		call	KeSetTimer2
		jmp	short loc_568673
PopThermalUpdateTelemetryClientCount endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopGetDope	proc near		; CODE XREF: PoRegisterDeviceForIdleDetection:loc_5E8219p
					; PAGE:00885B5Fp ...

; FUNCTION CHUNK AT 005F3B6D SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	edi
		mov	edi, [ebx+0B0h]
		cmp	dword ptr [edi+0Ch], 0
		jnz	short loc_568750
		push	esi
		push	45504F44h
		push	44h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_56874F
		push	44h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+18h], ebx
		lea	eax, [esi+1Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopDopeGlobalLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	dword ptr [edi+0Ch], 0
		jnz	short loc_568728
		mov	[edi+0Ch], esi
		xor	esi, esi

loc_568728:				; CODE XREF: PopGetDope+5Bj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopDopeGlobalLock
		jnz	loc_5F3B6D
		xor	eax, eax
		lock and [ecx],	eax

loc_56873F:				; CODE XREF: PopGetDope+8B4AFj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	loc_5F3B7A

loc_56874F:				; CODE XREF: PopGetDope+2Bj
					; PopGetDope+8B4BFj
		pop	esi

loc_568750:				; CODE XREF: PopGetDope+13j
		mov	eax, [edi+0Ch]
		pop	edi
		pop	ebx
		pop	ebp
		retn
PopGetDope	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopVideoPowerSettingCallback(void *,int,int,int)
_PopVideoPowerSettingCallback@16 proc near

var_E8		= dword	ptr -0E8h
var_28		= dword	ptr -28h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0ECh
		push	ebx
		push	esi
		push	edi
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		mov	esi, 0C000000Dh
		push	offset _GUID_VIDEO_POWERDOWN_TIMEOUT ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_5687D6
		cmp	[ebp+arg_8], 4
		jnz	short loc_5687D6
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_5687D6
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	esi, _PopPolicy
		lea	edi, [esp+0F8h+var_E8]
		mov	eax, [ebx]
		xor	dl, dl
		push	3Ah
		pop	ecx
		rep movsd
		mov	[esp+0F8h+var_28], eax
		mov	cl, 1
		push	0E8h
		lea	eax, [esp+0FCh+var_E8]
		push	eax
		call	PopApplyPolicy
		mov	esi, eax
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		push	[ebp+arg_C]	; int
		push	4		; int
		push	ebx		; int
		push	[ebp+arg_0]	; void *
		call	PopAdaptivePowerSettingCallback

loc_5687D6:				; CODE XREF: PopVideoPowerSettingCallback(x,x,x,x)+2Aj
					; PopVideoPowerSettingCallback(x,x,x,x)+30j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_PopVideoPowerSettingCallback@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopGetPowerSettingValue(int,void *,int,int)
_PopGetPowerSettingValue@24 proc near	; CODE XREF: PopScanIdleList(x,x,x)+27Bp
					; PopScanIdleList(x,x,x)+2DAp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, offset _PopSettingLock
		push	edi
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_56880B
		cmp	edi, 1
		jz	short loc_56880B
		mov	edi, dword_6C2D0C

loc_56880B:				; CODE XREF: PopGetPowerSettingValue(x,x,x,x,x,x)+1Cj
					; PopGetPowerSettingValue(x,x,x,x,x,x)+21j
		or	edx, 0FFFFFFFFh
		mov	ecx, esi
		call	_PopFindPowerSettingConfiguration@8 ; PopFindPowerSettingConfiguration(x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_56885E
		mov	ecx, [edx+edi*4+30h]
		test	ecx, ecx
		jz	short loc_56885E
		mov	eax, [ebp+arg_C]
		mov	ecx, [ecx+4]
		mov	[eax], ecx
		cmp	ecx, 4
		ja	short loc_568857
		mov	eax, [edx+edi*4+30h]
		xor	esi, esi
		push	ecx		; size_t
		add	eax, 0Ch
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_568846:				; CODE XREF: PopGetPowerSettingValue(x,x,x,x,x,x)+7Aj
					; PopGetPowerSettingValue(x,x,x,x,x,x)+81j
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	10h
; 

loc_568857:				; CODE XREF: PopGetPowerSettingValue(x,x,x,x,x,x)+4Cj
		mov	esi, 0C0000206h
		jmp	short loc_568846
; 

loc_56885E:				; CODE XREF: PopGetPowerSettingValue(x,x,x,x,x,x)+37j
					; PopGetPowerSettingValue(x,x,x,x,x,x)+3Fj
		mov	esi, 0C000000Dh
		jmp	short loc_568846
_PopGetPowerSettingValue@24 endp

; 
		align 10h
; Exported entry 1110. KeCheckProcessorAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeCheckProcessorAffinityEx(x, x)
		public _KeCheckProcessorAffinityEx@8
_KeCheckProcessorAffinityEx@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	eax, [eax+8]
		shr	eax, cl
		and	eax, 1
		pop	ebp
		retn	8
_KeCheckProcessorAffinityEx@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSwapProcessOrStack(x)
_KeSwapProcessOrStack@4	proc near	; DATA XREF: .text:00449025o
					; MiIdealClusterPage(x,x,x,x,x,x,x,x)+5E6o ...

var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		push	17h
		push	eax
		call	KeSetPriorityThread
		mov	esi, offset _KiProcessOutSwapListHead
		mov	edi, offset _KiProcessInSwapListHead
		mov	ebx, offset _KiStackInSwapListHead
		lea	esp, [esp+0]

loc_5688C0:				; CODE XREF: KeSwapProcessOrStack(x)+72j
					; KeSwapProcessOrStack(x)+79j
		push	0
		push	0
		push	0
		push	0
		push	offset _KiSwapEvent
		call	KeWaitForSingleObject
		xor	ecx, ecx
		mov	eax, 1
		mov	edx, offset _KiStackOutSwapRequest
		lock cmpxchg [edx], ecx
		cmp	eax, 1
		jz	short loc_568912

loc_5688E7:				; CODE XREF: KeSwapProcessOrStack(x)+87j
		xor	ecx, ecx
		xchg	ecx, [esi]
		test	ecx, ecx
		jz	short loc_5688F4
		call	KiOutSwapProcesses

loc_5688F4:				; CODE XREF: KeSwapProcessOrStack(x)+5Dj
		xor	ecx, ecx
		xchg	ecx, [edi]
		test	ecx, ecx
		jnz	short loc_56890B

loc_5688FC:				; CODE XREF: KeSwapProcessOrStack(x)+80j
		xor	ecx, ecx
		xchg	ecx, [ebx]
		test	ecx, ecx
		jz	short loc_5688C0
		call	_KiInSwapKernelStacks@4	; KiInSwapKernelStacks(x)
		jmp	short loc_5688C0
; 

loc_56890B:				; CODE XREF: KeSwapProcessOrStack(x)+6Aj
		call	KiInSwapProcesses
		jmp	short loc_5688FC
; 

loc_568912:				; CODE XREF: KeSwapProcessOrStack(x)+55j
		call	KiOutSwapKernelStacks
		jmp	short loc_5688E7
_KeSwapProcessOrStack@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCheckDiskName(x,	x, x)
_IopCheckDiskName@12 proc near		; CODE XREF: IopGetBootDiskInformationLite+14Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, ecx
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		push	edi
		push	ecx
		mov	edi, edx
		mov	[ebp+var_C], ecx
		push	edi
		push	eax
		mov	[ebp+var_8], ecx
		mov	bl, cl
		mov	[esi], ecx
		call	_RtlPrefixString@12 ; RtlPrefixString(x,x,x)
		test	al, al
		jz	short loc_568986
		mov	eax, [ebp+var_4]
		mov	bl, 1
		movzx	eax, word ptr [eax]
		add	eax, [edi+4]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	0Ah
		pop	edi
		cmp	word ptr [ebp+var_C], di
		jbe	short loc_568986
		push	0
		lea	eax, [ebp+var_C]
		push	eax
		push	offset dword_401BB0
		call	_RtlPrefixString@12 ; RtlPrefixString(x,x,x)
		test	al, al
		jz	short loc_568986
		mov	ecx, [ebp+var_8]
		push	esi
		push	edi
		add	ecx, edi
		push	ecx
		call	RtlCharToInteger

loc_568986:				; CODE XREF: IopCheckDiskName(x,x,x)+2Bj
					; IopCheckDiskName(x,x,x)+49j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
_IopCheckDiskName@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpQueueRuleUpdateState	proc near	; CODE XREF: EmpProviderDeregisterEntry(x)+42p
					; EmpProviderRegister+1E8p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F3B8A SIZE 0000003A BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		mov	edi, ecx
		xor	edx, edx
		mov	ecx, offset _EmpEvaluationQueueLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, _EmpRuleUpdateQueue
		xor	esi, esi
		inc	esi

loc_5689C5:				; CODE XREF: EmpQueueRuleUpdateState+46j
		test	eax, eax
		jz	short loc_5689D8
		lea	ecx, [eax-4]
		cmp	[ecx], edi
		jz	loc_568B48
		mov	eax, [eax]
		jmp	short loc_5689C5
; 

loc_5689D8:				; CODE XREF: EmpQueueRuleUpdateState+37j
					; EmpQueueRuleUpdateState+1BAj
		push	75714D45h
		push	0Ch
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_568A0E
		mov	ecx, [ebp+var_C]
		mov	[eax+8], ecx
		lea	ecx, [eax+4]
		mov	[eax], edi
		mov	eax, _EmpRuleUpdateQueue
		mov	[ecx], eax
		cmp	_EmpWorkerBusy,	0
		mov	_EmpRuleUpdateQueue, ecx
		jz	loc_568B6E

loc_568A0E:				; CODE XREF: EmpQueueRuleUpdateState+57j
					; EmpQueueRuleUpdateState+1C4j	...
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _EmpEvaluationQueueLock
		mov	[ebp+var_8], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_568B87

loc_568A29:				; CODE XREF: EmpQueueRuleUpdateState+204j
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	ecx, 7FFFFFFCh
		jz	loc_568B3F
		mov	esi, large fs:124h
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	eax, offset _EmpEvaluationQueueLock
		ja	short loc_568A7C
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_568B59
		mov	eax, [ebp+var_20]
		cmp	eax, offset _EmpEvaluationQueueLock
		ja	short loc_568A7C
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_568B59

loc_568A7C:				; CODE XREF: EmpQueueRuleUpdateState+C4j
					; EmpQueueRuleUpdateState+DDj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _EmpEvaluationQueueLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_568BD9
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_568BEC

loc_568AC0:				; CODE XREF: EmpQueueRuleUpdateState+264j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		mov	ecx, eax
		xor	eax, eax
		inc	eax
		shl	al, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	loc_5F3B9F
		or	[esi+1E4h], al

loc_568B07:				; CODE XREF: EmpQueueRuleUpdateState+251j
					; EmpQueueRuleUpdateState+8B21Bj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	short loc_568B99

loc_568B1A:				; CODE XREF: EmpQueueRuleUpdateState+23Ej
					; EmpQueueRuleUpdateState+8B22Fj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_568B3F
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_568BF9

loc_568B3F:				; CODE XREF: EmpQueueRuleUpdateState+A4j
					; EmpQueueRuleUpdateState+1A1j	...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_568B48:				; CODE XREF: EmpQueueRuleUpdateState+3Ej
		test	ecx, ecx
		jz	loc_5689D8
		and	dword ptr [ecx+8], 0
		jmp	loc_568A0E
; 

loc_568B59:				; CODE XREF: EmpQueueRuleUpdateState+CFj
					; EmpQueueRuleUpdateState+E6j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_8], eax
		jmp	loc_568A7C
; 

loc_568B6E:				; CODE XREF: EmpQueueRuleUpdateState+78j
		mov	eax, esi
		mov	ecx, offset _EmpWorkerBusy
		xchg	eax, [ecx]
		push	esi
		push	offset _EmpRuleUpdateWorker
		call	ExQueueWorkItem
		jmp	loc_568A0E
; 

loc_568B87:				; CODE XREF: EmpQueueRuleUpdateState+93j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _EmpEvaluationQueueLock
		jmp	loc_568A29
; 

loc_568B99:				; CODE XREF: EmpQueueRuleUpdateState+188j
		test	edi, 8000h
		jz	short loc_568BAA
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_568BAA:				; CODE XREF: EmpQueueRuleUpdateState+20Fj
		test	byte ptr [ebp+var_C+2],	1
		jnz	short loc_568C03

loc_568BB0:				; CODE XREF: EmpQueueRuleUpdateState+283j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_568BC4
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_568BC4:				; CODE XREF: EmpQueueRuleUpdateState+227j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_568B1A
		jmp	loc_5F3BB0
; 

loc_568BD9:				; CODE XREF: EmpQueueRuleUpdateState+118j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_568B07
		jmp	loc_5F3B8A
; 

loc_568BEC:				; CODE XREF: EmpQueueRuleUpdateState+12Aj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_568AC0
; 

loc_568BF9:				; CODE XREF: EmpQueueRuleUpdateState+1A9j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_568B3F
; 

loc_568C03:				; CODE XREF: EmpQueueRuleUpdateState+21Ej
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	short loc_568BB0
EmpQueueRuleUpdateState	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringCbCopyNA proc near		; CODE XREF: EmpParseTargetRuleStringIndexList+F3p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F3BC4 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		test	edx, edx
		jz	short loc_568C4A
		cmp	edx, 7FFFFFFFh
		ja	short loc_568C4A

loc_568C29:				; CODE XREF: RtlStringCbCopyNA+39j
		test	eax, eax
		js	short loc_568C46
		cmp	[ebp+arg_4], 7FFFFFFEh
		ja	loc_5F3BC4
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ecx
		call	sub_54E094

loc_568C46:				; CODE XREF: RtlStringCbCopyNA+15j
					; RtlStringCbCopyNA+8AFB6j
		pop	ebp
		retn	8
; 

loc_568C4A:				; CODE XREF: RtlStringCbCopyNA+9j
					; RtlStringCbCopyNA+11j
		mov	eax, 0C000000Dh
		jmp	short loc_568C29
RtlStringCbCopyNA endp

; 
		align 2

;  S U B	R O U T	I N E 


; int __fastcall EmpSearchCallbackDatabase(void	*)
_EmpSearchCallbackDatabase@4 proc near	; CODE XREF: EmpProviderRegister+185p
					; EmpParseCallbacks+A8p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, _EmpCallbackListHead
		mov	ebx, ecx
		push	edi

loc_568C5F:				; CODE XREF: EmpSearchCallbackDatabase(x)+28j
		xor	edi, edi
		test	esi, esi
		jz	short loc_568C7C
		push	10h		; size_t
		lea	edi, [esi-1Ch]
		push	ebx		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_568C7C
		mov	esi, [esi]
		jmp	short loc_568C5F
; 

loc_568C7C:				; CODE XREF: EmpSearchCallbackDatabase(x)+11j
					; EmpSearchCallbackDatabase(x)+24j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_EmpSearchCallbackDatabase@4 endp


;  S U B	R O U T	I N E 


; int __fastcall EmpSearchEntryDatabase(void *)
_EmpSearchEntryDatabase@4 proc near	; CODE XREF: EmpProviderRegister+EAp
					; EmProviderRegisterEntry(x,x,x,x)+40p	...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, _EmpEntryListHead
		mov	ebx, ecx
		push	edi

loc_568C8F:				; CODE XREF: EmpSearchEntryDatabase(x)+28j
		xor	edi, edi
		test	esi, esi
		jz	short loc_568CAC
		push	10h		; size_t
		lea	edi, [esi-14h]
		push	ebx		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_568CAC
		mov	esi, [esi]
		jmp	short loc_568C8F
; 

loc_568CAC:				; CODE XREF: EmpSearchEntryDatabase(x)+11j
					; EmpSearchEntryDatabase(x)+24j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_EmpSearchEntryDatabase@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAddBootDiskInformation proc near	; CODE XREF: IopGetBootDiskInformationLite+198p
					; IopGetBootDiskInformationLite+26E2Bp

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F3BD1 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], esi
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_568CED
		push	ebx
		lea	ebx, [esi+4]
		mov	esi, eax

loc_568CD2:				; CODE XREF: IopAddBootDiskInformation+8AF28j
		push	18h		; size_t
		push	edx		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_5F3BD1

loc_568CE6:				; CODE XREF: IopAddBootDiskInformation+8AF2Ej
		mov	esi, [ebp+var_C]
		mov	edx, [ebp+var_4]
		pop	ebx

loc_568CED:				; CODE XREF: IopAddBootDiskInformation+18j
		mov	eax, [edx+18h]
		imul	ecx, edi, 1Ch
		or	[ecx+esi+1Ch], eax
		mov	eax, [esi]
		cmp	edi, eax
		jnz	short loc_568D0C
		lea	edi, [esi+4]
		inc	eax
		mov	[esi], eax
		add	edi, ecx
		push	7
		pop	ecx
		mov	esi, edx
		rep movsd

loc_568D0C:				; CODE XREF: IopAddBootDiskInformation+49j
		pop	edi
		pop	esi
		leave
		retn
IopAddBootDiskInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmIdleSelectStates proc near		; CODE XREF: PoIdle(x)+40Fp

var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_46		= byte ptr -46h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005F3BE5 SIZE 00000453 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_B0], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_B4], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_BC], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		mov	[ebp+var_84], eax
		mov	ebx, edx
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		mov	esi, [ecx+3D70h]
		push	edi
		lea	edi, [ebp+var_34]
		mov	[ebp+var_40], ecx
		stosd
		mov	[ebp+var_80], edx
		mov	[ebp+var_46], 1
		mov	[ebp+var_36], 0
		stosd
		mov	[ebp+var_35], 0
		mov	[ebp+var_88], 0
		mov	[ebp+var_7C], 0
		stosd
		mov	eax, [ecx+3D74h]
		mov	edi, ds:_PpmPlatformStates
		mov	[ebp+var_AC], eax
		mov	eax, _PopFxSystemLatencyHint
		mov	[ebp+var_3C], 0
		mov	[ebp+var_A8], 0FFFFFFFFh
		mov	[ebp+var_6C], edi
		mov	[ebp+var_54], 0
		mov	[ebp+var_58], 0
		mov	[ebp+var_70], 0
		mov	[ebp+var_90], 0
		mov	[ebp+var_8C], 0
		mov	[ebp+var_78], 0
		mov	[ebp+var_74], 0
		mov	[ebp+var_A0], 0
		mov	[ebp+var_9C], 0
		mov	[ebp+var_94], 0
		mov	[ebp+var_A4], eax
		call	PpmIdleEvaluateConstraints
		mov	ecx, [ebp+var_80]
		mov	[ebx+4], edx
		xor	dl, dl
		mov	[ebx], eax
		lea	ebx, [esi+54h]
		mov	dword ptr [ebx], 10001h
		mov	dword ptr [ebx+4], 0
		mov	dword ptr [ebx+8], 0
		mov	eax, [ecx+4]
		push	eax
		mov	eax, [ecx]
		mov	ecx, [ebp+var_40]
		push	eax
		call	PpmComputeIdleDurationHint
		mov	eax, [esi+6Ch]
		mov	[ebp+var_68], 0FFFFFFFFh
		test	eax, eax
		jnz	loc_5F3BE5

loc_568E58:				; CODE XREF: PpmIdleSelectStates+8AEE6j
		mov	eax, [ebp+var_40]
		cmp	byte ptr [eax+3DA5h], 0
		jnz	loc_5F3BFB

loc_568E68:				; CODE XREF: PpmIdleSelectStates+8AEF2j
		test	edi, edi
		jnz	loc_5F3C07
		mov	edi, [ebp+var_3C]

loc_568E73:				; CODE XREF: PpmIdleSelectStates+8B153j
		mov	eax, [esi+20h]
		xor	bl, bl
		mov	ecx, [esi+0E4h]
		mov	bh, 1
		mov	[ebp+var_70], ecx
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		mov	eax, [esi+28h]
		add	esp, 0Ch
		cmp	dword ptr [esi+0ECh], 0
		mov	[ebp+var_88], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_4C], 0
		jbe	loc_5F3EA8
		mov	edx, [ebp+var_70]
		xor	ecx, ecx
		add	edx, 8
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_60], edx
		jmp	short loc_568ED0
; 
		align 10h

loc_568ED0:				; CODE XREF: PpmIdleSelectStates+1B7j
					; PpmIdleSelectStates+8B255j
		cmp	[ebp+var_6C], 0
		mov	eax, [esi+0F0h]
		mov	edi, [eax+ecx+4]
		mov	ecx, [ebp+var_40]
		jnz	short loc_568EF8
		mov	eax, [esi+20h]
		dec	eax
		cmp	edi, eax
		jnz	short loc_568EF8
		cmp	byte ptr [esi+0BCh], 0
		jnz	loc_5F3EAF

loc_568EF8:				; CODE XREF: PpmIdleSelectStates+1D1j
					; PpmIdleSelectStates+1D9j ...
		cmp	bl, 1
		jz	loc_5F3EC9

loc_568F01:				; CODE XREF: PpmIdleSelectStates+8B1BBj
		xor	bl, bl

loc_568F03:				; CODE XREF: PpmIdleSelectStates+8B1B4j
		test	bh, bh
		jz	short loc_568F39
		mov	edx, [ebp+var_80]
		lea	eax, [ebp+var_8C]
		push	eax
		lea	eax, [ebp+var_94]
		xor	bh, bh
		push	eax
		lea	eax, [ebp+var_A0]
		push	eax
		lea	eax, [ebp+var_78]
		push	eax
		mov	eax, [edx+4]
		push	0
		push	0
		push	eax
		mov	eax, [edx]
		mov	dl, bl
		push	eax
		push	0
		call	_PpmEstimateIdleDuration@44 ; PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)

loc_568F39:				; CODE XREF: PpmIdleSelectStates+1F5j
		test	edi, edi
		jnz	loc_5F3ED0
		mov	[ebp+var_3C], edi
		xor	edx, edx
		mov	[ebp+var_44], edi

loc_568F49:				; CODE XREF: PpmIdleSelectStates+8B205j
					; PpmIdleSelectStates+8B20Dj
		mov	ecx, [ebp+var_AC]
		push	[ebp+var_44]
		imul	eax, edi, 3E8h
		add	ecx, 50h
		push	edx
		add	ecx, eax
		call	PpmIdleUpdateSelectionStatistics
		mov	ecx, [ebp+var_3C]
		mov	eax, ecx
		mov	edx, [ebp+var_44]
		or	eax, edx
		jnz	loc_5F3F22
		mov	ecx, [ebp+var_70]
		mov	eax, edi
		mov	edx, [ebp+var_4C]
		shl	eax, 4
		add	eax, edi
		mov	[ebp+var_90], edx
		mov	[ecx], edi
		cmp	byte ptr [esi+eax*4+14Ah], 0
		jz	loc_5F3F82
		cmp	[ebp+var_6C], 0
		jnz	loc_5F3F70

loc_568FA0:				; CODE XREF: PpmIdleSelectStates+8B26Cj
		xor	al, al

loc_568FA2:				; CODE XREF: PpmIdleSelectStates+8B274j
		mov	ecx, [ebp+var_84]
		mov	[ecx], al

loc_568FAA:				; CODE XREF: PpmIdleSelectStates+8B19Aj
		mov	eax, [ebp+var_84]
		cmp	byte ptr [eax],	0
		jnz	loc_5F3F89

loc_568FB9:				; CODE XREF: PpmIdleSelectStates+8B28Fj
		test	ds:dword_70EFC8, 200000h
		jnz	loc_5F3FA4

loc_568FC9:				; CODE XREF: PpmIdleSelectStates+8B2E3j
					; PpmIdleSelectStates+8B323j
		mov	ax, word ptr [ebp+var_8C]
		or	[esi+30h], ax
		mov	al, [ebp+var_36]
		mov	[esi+7], al
		mov	al, [ebp+var_35]
		mov	[esi+6], al
		mov	eax, [ebp+var_A0]
		mov	ecx, [ebp+var_B4]
		mov	[esi+0A8h], eax
		mov	eax, [ebp+var_9C]
		mov	[esi+0ACh], eax
		mov	eax, [ebp+var_78]
		mov	[esi+0A0h], eax
		mov	eax, [ebp+var_74]
		mov	[esi+0A4h], eax
		mov	al, byte ptr [ebp+var_94]
		mov	[esi+0BDh], al
		mov	eax, [ebp+var_B0]
		mov	[eax], edi
		mov	eax, [ebp+var_A8]
		mov	[ecx], eax
		mov	eax, [ebp+var_B8]
		mov	ecx, [ebp+var_88]
		pop	edi
		pop	esi
		mov	[eax], bl
		mov	eax, [ebp+var_BC]
		pop	ebx
		mov	[eax], ecx
		mov	ecx, [ebp+var_7C]
		mov	[eax+4], ecx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
PpmIdleSelectStates endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmIdleUpdateSelectionStatistics proc near ; CODE XREF:	PpmIdleSelectStates+24Ep
					; PpmIdleSelectStates+8B081p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F4038 SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_0]
		mov	eax, ecx
		or	eax, edx
		jnz	loc_5F4038
		xor	edx, edx

loc_569076:				; CODE XREF: PpmIdleUpdateSelectionStatistics+8AFF7j
					; PpmIdleUpdateSelectionStatistics+8B00Dj ...
		add	dword ptr [esi+edx*8], 1
		adc	dword ptr [esi+edx*8+4], 0

loc_56907F:				; CODE XREF: PpmIdleUpdateSelectionStatistics+8B020j
		pop	esi
		pop	ebp
		retn	8
PpmIdleUpdateSelectionStatistics endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmComputeIdleDurationHint proc	near	; CODE XREF: PpmIdleSelectStates+131p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F408D SIZE 00000060 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		mov	ebx, [ecx+3D70h]
		mov	al, dl
		xor	edx, edx
		mov	[ebp+var_1], al
		push	esi
		push	edi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_10], ebx
		cmp	[ecx+3D0h], dl
		jnz	loc_56914C
		cmp	ds:_KiSerializeTimerExpiration,	edx
		jz	loc_56914C
		mov	esi, edx
		mov	edi, edx
		mov	edx, _PpmPlatformIdleHint
		mov	eax, dword_6FD5DC
		mov	[ebp+var_8], eax
		movzx	eax, dx
		or	eax, esi
		mov	[ebp+var_C], edx
		jnz	loc_5F408D

loc_5690EC:				; CODE XREF: PpmComputeIdleDurationHint+8B064j
		mov	al, [ebp+var_1]

loc_5690EF:				; CODE XREF: PpmComputeIdleDurationHint+CCj
		lea	edx, [ebp+var_18]
		push	edx
		lea	edx, [ebp+var_1C]
		push	edx
		lea	edx, [ebp+var_30]
		push	edx
		lea	edx, [ebp+var_38]
		push	edx
		push	esi
		push	edi
		push	[ebp+arg_4]
		mov	dl, al
		push	[ebp+arg_0]
		push	0
		call	_PpmEstimateIdleDuration@44 ; PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)
		mov	ax, word ptr [ebp+var_18]
		or	[ebx+30h], ax
		mov	eax, [ebp+var_30]
		mov	[ebx+0A8h], eax
		mov	eax, [ebp+var_2C]
		mov	[ebx+0ACh], eax
		mov	al, byte ptr [ebp+var_1C]
		mov	[ebx+0BDh], al
		mov	eax, [ebp+var_38]
		pop	edi
		mov	[ebx+0A0h], eax
		mov	eax, [ebp+var_34]
		pop	esi
		mov	[ebx+0A4h], eax
		pop	ebx
		leave
		retn	8
; 

loc_56914C:				; CODE XREF: PpmComputeIdleDurationHint+36j
					; PpmComputeIdleDurationHint+42j
		mov	edi, edx
		mov	esi, edx
		jmp	short loc_5690EF
PpmComputeIdleDurationHint endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmIdleEvaluateConstraints proc	near	; CODE XREF: PpmIdleSelectStates+101p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F40ED SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		lea	ecx, [ebp+var_8]
		mov	ebx, [edi+3D70h]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	[esi], eax
		mov	eax, [ebp+var_8]
		mov	[ebx+90h], eax
		mov	eax, [ebp+var_4]
		mov	[ebx+94h], eax
		mov	ecx, [edi+3E28h]
		add	ecx, [edi+3D80h]
		mov	eax, [edi+3E2Ch]
		adc	eax, [edi+3D84h]
		mov	[ebx+98h], ecx
		mov	[ebx+9Ch], eax
		mov	al, [edi+3ED4h]
		mov	[ebx+0BAh], al
		mov	al, [edi+3DA0h]
		mov	[ebx+0B8h], al
		mov	al, [edi+3DA1h]
		mov	[ebx+0B9h], al
		mov	byte ptr [ebx+0BBh], 1
		cmp	byte ptr [edi+3D0h], 0
		mov	[esi+4], edx
		jnz	short loc_569238

loc_5691E5:				; CODE XREF: PpmIdleEvaluateConstraints+EDj
		mov	byte ptr [ebx+0BCh], 0

loc_5691EC:				; CODE XREF: PpmIdleEvaluateConstraints+8AFABj
		cmp	byte ptr [ebx+1], 0
		jnz	loc_5F4102
		or	eax, 0FFFFFFFFh

loc_5691F9:				; CODE XREF: PpmIdleEvaluateConstraints+8AFBCj
		mov	[ebx+0B0h], eax
		cmp	ds:_PpmIdleRespectIdleStateMax,	0
		jz	short loc_569246
		mov	ecx, _PpmCurrentProfile
		imul	eax, dword_6C2D0C, 0F0h
		mov	al, [eax+ecx+0BEh]
		mov	[ebx+0BEh], al
		test	al, al
		jnz	loc_5F4113

loc_56922D:				; CODE XREF: PpmIdleEvaluateConstraints+FBj
					; PpmIdleEvaluateConstraints+8AFCAj
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_569238:				; CODE XREF: PpmIdleEvaluateConstraints+91j
		call	PoAllProcessorsDeepIdle
		test	al, al
		jz	short loc_5691E5
		jmp	loc_5F40ED
; 

loc_569246:				; CODE XREF: PpmIdleEvaluateConstraints+B4j
		mov	byte ptr [ebx+0BEh], 0
		jmp	short loc_56922D
PpmIdleEvaluateConstraints endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoAllProcessorsDeepIdle	proc near	; CODE XREF: PpmIdleEvaluateConstraints:loc_569238p
					; KePrepareClockTimerForIdle(x,x,x,x,x)+AAp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F4121 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, large fs:20h
		push	edi
		mov	ecx, [esi+338h]
		mov	eax, [esi+3CCh]
		mov	edx, [ecx+84h]
		movzx	edi, word ptr [ecx+8Ah]
		btr	edx, eax
		movzx	eax, byte ptr [esi+3C4h]
		mov	ecx, [ecx+40h]
		btr	ecx, eax
		cmp	ecx, edx
		jz	loc_5F4121

loc_569294:				; CODE XREF: PoAllProcessorsDeepIdle+8AEF2j
		xor	al, al

loc_569296:				; CODE XREF: PoAllProcessorsDeepIdle+8AEF9j
		pop	edi
		pop	esi
		leave
		retn
PoAllProcessorsDeepIdle	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiZeroLargePageThread proc near		; DATA XREF: MiZeroNodePages+1A1o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F414E SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		mov	ebx, 1
		push	0
		push	0
		push	0
		stosd
		push	0
		stosd
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+38h]
		mov	eax, [eax+4Ch]
		mov	[ebp+var_4], ecx
		mov	edx, [ecx+30h]
		mov	esi, [ecx+64h]
		lea	edi, ds:0[eax*8]
		sub	edi, eax
		mov	[ebp+var_8], edx
		mov	eax, [ecx+34h]
		lea	eax, [eax+eax*4]
		shl	eax, 7
		add	eax, [edx+10h]
		mov	[ebp+var_C], eax
		lea	eax, [ecx+38h]
		push	eax
		call	KeWaitForSingleObject

loc_5692F6:				; CODE XREF: MiZeroLargePageThread+13Fj
		mov	ecx, [ebp+arg_0]
		call	_MiZeroLargePages@4 ; MiZeroLargePages(x)
		mov	eax, [ebp+var_8]
		cmp	byte ptr [eax+0DFCh], 1
		jz	loc_5F4171
		test	ebx, ebx
		jnz	loc_56940D

loc_569316:				; CODE XREF: MiZeroLargePageThread+175j
		mov	eax, [ebp+var_4]
		add	eax, 10h
		mov	[ebp+var_18], 0
		mov	[ebp+var_14], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_10], al
		jnz	loc_5F414E
		mov	eax, [ebp+var_4]
		lea	edx, [ebp+var_18]
		add	eax, 10h
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_569400

loc_56934F:				; CODE XREF: MiZeroLargePageThread+168j
					; MiZeroLargePageThread+8AEBCj
		test	ebx, ebx
		mov	ebx, [ebp+var_4]
		jnz	loc_56941A

loc_56935A:				; CODE XREF: MiZeroLargePageThread+17Ej
					; MiZeroLargePageThread+194j
		mov	al, [esi+edi*4+4]
		and	al, 0FDh
		mov	[esi+edi*4+4], al
		mov	al, [esi+edi*4+4]
		or	al, 4
		mov	[esi+edi*4+4], al
		mov	al, [esi+edi*4+4]
		test	al, 1
		jnz	short loc_569390
		mov	al, [esi+edi*4+4]
		or	al, 1
		mov	[esi+edi*4+4], al
		add	dword ptr [ebx+74h], 0FFFFFFFFh
		jnz	short loc_569390
		mov	eax, [ebp+var_C]
		mov	byte ptr [eax+272h], 0

loc_569390:				; CODE XREF: MiZeroLargePageThread+D4j
					; MiZeroLargePageThread+E4j
		mov	eax, [ebp+arg_0]
		mov	ebx, [eax+3Ch]
		mov	dword ptr [eax+3Ch], 0
		test	ds:byte_70EFC6,	1
		jnz	loc_5F4161
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_5693EC
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	short loc_5693E4

loc_5693C4:				; CODE XREF: MiZeroLargePageThread+15Ej
					; MiZeroLargePageThread+8AECCj
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jz	short loc_5693DD
		mov	edx, 1
		mov	ecx, ebx
		call	MiDereferencePageRunsEx

loc_5693DD:				; CODE XREF: MiZeroLargePageThread+12Fj
		xor	ebx, ebx
		jmp	loc_5692F6
; 

loc_5693E4:				; CODE XREF: MiZeroLargePageThread+122j
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_5693EC:				; CODE XREF: MiZeroLargePageThread+10Fj
		mov	[ebp+var_18], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	short loc_5693C4
; 

loc_569400:				; CODE XREF: MiZeroLargePageThread+A9j
		lea	ecx, [ebp+var_18]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_56934F
; 

loc_56940D:				; CODE XREF: MiZeroLargePageThread+70j
		mov	ecx, [ebp+arg_0]
		call	_MiSignalZeroingPassComplete@4 ; MiSignalZeroingPassComplete(x)
		jmp	loc_569316
; 

loc_56941A:				; CODE XREF: MiZeroLargePageThread+B4j
		cmp	byte ptr [ebx+58h], 0
		jnz	loc_56935A
		mov	edx, 5
		mov	byte ptr [ebx+58h], 1
		mov	ecx, ebx
		call	_MiWakeZeroingThreads@8	; MiWakeZeroingThreads(x,x)
		jmp	loc_56935A
MiZeroLargePageThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSignalZeroingPassComplete(x)
_MiSignalZeroingPassComplete@4 proc near ; CODE	XREF: MiZeroLargePageThread+170p
					; MiDeleteZeroThreadContext(x)+39p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ecx+38h]
		test	ecx, ecx
		jz	short locret_569459
		lea	edx, [ecx+54h]
		cmp	dword ptr [edx], 0
		jz	short locret_569459
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		dec	eax
		jz	short loc_56945B

locret_569459:				; CODE XREF: MiSignalZeroingPassComplete(x)+Bj
					; MiSignalZeroingPassComplete(x)+13j
		leave
		retn
; 

loc_56945B:				; CODE XREF: MiSignalZeroingPassComplete(x)+1Dj
		xor	edx, edx
		inc	edx
		call	KeSignalGate
		leave
		retn
_MiSignalZeroingPassComplete@4 endp

; 
		align 10h
; Exported entry 2007. RtlCrc64

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCrc64(x,	x, x, x)
		public _RtlCrc64@16
_RtlCrc64@16	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	offset _Crc64Ctrl
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	RtlpComputeCrcInternal
		pop	ebp
		retn	10h
_RtlCrc64@16	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpComputeCrcInternal proc near	; CODE XREF: RtlCrc64(x,x,x,x)+16p
					; PopEnsureErratumSubscribed(x)+36p ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F4182 SIZE 0000007D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		mov	eax, edx
		mov	edx, ecx
		mov	ecx, [ebp+arg_8]
		push	esi
		push	edi
		mov	[ebp+var_38], eax
		mov	esi, [ecx+18h]
		mov	ebx, esi
		mov	edi, [ecx+1Ch]
		mov	ecx, edx
		xor	ebx, [ebp+arg_0]
		neg	ecx
		mov	[ebp+var_48], edi
		xor	edi, [ebp+arg_4]
		mov	[ebp+var_34], edx
		mov	[ebp+var_40], esi
		mov	[ebp+var_4], ebx
		mov	[ebp+arg_4], edi
		and	ecx, 7
		jnz	loc_5F4182

loc_5694CF:				; CODE XREF: RtlpComputeCrcInternal+8AD3Fj
		mov	ecx, eax
		and	ecx, 1Fh
		sub	eax, ecx
		cmp	eax, 40h
		jb	loc_569C19
		add	eax, 0FFFFFFE0h
		mov	[ebp+var_38], ecx
		mov	ecx, [ebp+var_4]
		add	eax, edx
		xor	esi, esi
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_4]
		xor	ebx, ebx
		xor	edi, edi
		mov	[ebp+var_10], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_C], eax
		cmp	edx, [ebp+var_44]
		jnb	loc_569979
		mov	eax, [ebp+arg_8]
		mov	eax, [eax+8]

loc_569517:				; CODE XREF: RtlpComputeCrcInternal+4E0j
		mov	ebx, [edx]
		xor	ebx, ecx
		mov	esi, [edx+4]
		mov	ecx, [edx+8]
		xor	ecx, edi
		xor	esi, [ebp+var_C]
		mov	[ebp+arg_4], ecx
		mov	ecx, [edx+10h]
		xor	ecx, [ebp+var_14]
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+var_34]
		mov	edi, [edx+0Ch]
		prefetcht1 byte	ptr [edx+100h]
		mov	ecx, [ecx+18h]
		xor	ecx, [ebp+var_1C]
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_34]
		mov	edx, [edx+14h]
		xor	edx, [ebp+var_18]
		xor	edi, [ebp+var_10]
		mov	ecx, [ecx+1Ch]
		xor	ecx, [ebp+var_20]
		mov	[ebp+var_28], ecx
		movzx	ecx, bl
		mov	[ebp+var_3C], ebx
		mov	ebx, [eax+ecx*8+3800h]
		mov	ecx, [eax+ecx*8+3804h]
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_4]
		movzx	ecx, cl
		mov	[ebp+var_24], ebx
		mov	ebx, [ebp+var_3C]
		shrd	ebx, esi, 8
		shrd	[ebp+arg_4], edi, 8
		mov	[ebp+var_3C], ebx
		mov	ebx, [eax+ecx*8+3800h]
		mov	ecx, [eax+ecx*8+3804h]
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+var_4]
		shrd	[ebp+var_4], edx, 8
		movzx	ecx, cl
		shr	edx, 8
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_30], edx
		mov	ebx, [eax+ecx*8+3800h]
		mov	ecx, [eax+ecx*8+3804h]
		mov	edx, [ebp+var_8]
		mov	[ebp+var_18], ecx
		movzx	ecx, dl
		mov	[ebp+var_14], ebx
		shr	edi, 8
		shr	esi, 8
		mov	ebx, [eax+ecx*8+3800h]
		mov	ecx, [eax+ecx*8+3804h]
		mov	[ebp+var_20], ecx
		mov	ecx, [ebp+var_28]
		shrd	edx, ecx, 8
		mov	[ebp+var_1C], ebx
		mov	ebx, [ebp+var_3C]
		shr	ecx, 8
		mov	[ebp+var_8], edx
		movzx	edx, bl
		mov	[ebp+var_28], ecx
		shrd	ebx, esi, 8
		mov	ecx, [eax+edx*8+3000h]
		xor	[ebp+var_24], ecx
		mov	ecx, [eax+edx*8+3004h]
		xor	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_4]
		shrd	[ebp+arg_4], edi, 8
		movzx	edx, cl
		shr	esi, 8
		shr	edi, 8
		mov	ecx, [eax+edx*8+3000h]
		xor	[ebp+var_2C], ecx
		mov	ecx, [eax+edx*8+3004h]
		xor	[ebp+var_10], ecx
		mov	ecx, [ebp+var_4]
		movzx	edx, cl
		mov	ecx, [eax+edx*8+3000h]
		xor	[ebp+var_14], ecx
		mov	ecx, [eax+edx*8+3004h]
		xor	[ebp+var_18], ecx
		mov	edx, [ebp+var_30]
		shrd	[ebp+var_4], edx, 8
		mov	ecx, [ebp+var_8]
		shr	edx, 8
		mov	[ebp+var_30], edx
		movzx	edx, cl
		mov	ecx, [eax+edx*8+3000h]
		xor	[ebp+var_1C], ecx
		mov	ecx, [eax+edx*8+3004h]
		xor	[ebp+var_20], ecx
		mov	ecx, [ebp+var_28]
		shrd	[ebp+var_8], ecx, 8
		movzx	edx, bl
		shr	ecx, 8
		mov	[ebp+var_28], ecx
		shrd	ebx, esi, 8
		mov	ecx, [eax+edx*8+2800h]
		xor	[ebp+var_24], ecx
		mov	ecx, [eax+edx*8+2804h]
		xor	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_4]
		movzx	edx, cl
		shrd	[ebp+arg_4], edi, 8
		mov	ecx, [eax+edx*8+2800h]
		xor	[ebp+var_2C], ecx
		mov	ecx, [eax+edx*8+2804h]
		xor	[ebp+var_10], ecx
		mov	ecx, [ebp+var_4]
		movzx	edx, cl
		shr	edi, 8
		shr	esi, 8
		mov	ecx, [eax+edx*8+2800h]
		xor	[ebp+var_14], ecx
		mov	ecx, [eax+edx*8+2804h]
		xor	[ebp+var_18], ecx
		mov	ecx, [ebp+var_30]
		shrd	[ebp+var_4], ecx, 8
		shr	ecx, 8
		mov	[ebp+var_30], ecx
		mov	ecx, [ebp+var_8]
		movzx	edx, cl
		mov	ecx, [eax+edx*8+2800h]
		xor	[ebp+var_1C], ecx
		mov	ecx, [eax+edx*8+2804h]
		xor	[ebp+var_20], ecx
		mov	ecx, [ebp+var_28]
		shrd	[ebp+var_8], ecx, 8
		movzx	edx, bl
		shr	ecx, 8
		mov	[ebp+var_28], ecx
		shrd	ebx, esi, 8
		mov	ecx, [eax+edx*8+2000h]
		xor	[ebp+var_24], ecx
		mov	ecx, [eax+edx*8+2004h]
		xor	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_4]
		movzx	edx, cl
		shrd	[ebp+arg_4], edi, 8
		mov	ecx, [eax+edx*8+2000h]
		xor	[ebp+var_2C], ecx
		mov	ecx, [eax+edx*8+2004h]
		xor	[ebp+var_10], ecx
		mov	ecx, [ebp+var_4]
		movzx	edx, cl
		shr	esi, 8
		shr	edi, 8
		mov	ecx, [eax+edx*8+2000h]
		xor	[ebp+var_14], ecx
		mov	ecx, [eax+edx*8+2004h]
		xor	[ebp+var_18], ecx
		mov	ecx, [ebp+var_30]
		shrd	[ebp+var_4], ecx, 8
		shr	ecx, 8
		mov	[ebp+var_30], ecx
		mov	ecx, [ebp+var_8]
		movzx	edx, cl
		mov	ecx, [eax+edx*8+2000h]
		xor	[ebp+var_1C], ecx
		mov	ecx, [eax+edx*8+2004h]
		xor	[ebp+var_20], ecx
		mov	ecx, [ebp+var_28]
		shrd	[ebp+var_8], ecx, 8
		movzx	edx, bl
		shr	ecx, 8
		mov	[ebp+var_28], ecx
		shrd	ebx, esi, 8
		mov	ecx, [eax+edx*8+1800h]
		xor	[ebp+var_24], ecx
		mov	ecx, [eax+edx*8+1804h]
		xor	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_4]
		movzx	edx, cl
		shrd	[ebp+arg_4], edi, 8
		mov	ecx, [eax+edx*8+1800h]
		xor	[ebp+var_2C], ecx
		mov	ecx, [eax+edx*8+1804h]
		xor	[ebp+var_10], ecx
		mov	ecx, [ebp+var_4]
		movzx	edx, cl
		shr	esi, 8
		shr	edi, 8
		mov	ecx, [eax+edx*8+1800h]
		xor	[ebp+var_14], ecx
		mov	ecx, [eax+edx*8+1804h]
		xor	[ebp+var_18], ecx
		mov	ecx, [ebp+var_30]
		shrd	[ebp+var_4], ecx, 8
		shr	ecx, 8
		mov	[ebp+var_30], ecx
		mov	ecx, [ebp+var_8]
		movzx	edx, cl
		mov	ecx, [eax+edx*8+1800h]
		xor	[ebp+var_1C], ecx
		mov	ecx, [eax+edx*8+1804h]
		xor	[ebp+var_20], ecx
		mov	ecx, [ebp+var_28]
		shrd	[ebp+var_8], ecx, 8
		movzx	edx, bl
		shr	ecx, 8
		mov	[ebp+var_28], ecx
		shrd	ebx, esi, 8
		mov	ecx, [eax+edx*8+1000h]
		xor	[ebp+var_24], ecx
		mov	ecx, [eax+edx*8+1004h]
		xor	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_4]
		movzx	edx, cl
		shrd	[ebp+arg_4], edi, 8
		mov	ecx, [eax+edx*8+1000h]
		xor	[ebp+var_2C], ecx
		mov	ecx, [eax+edx*8+1004h]
		xor	[ebp+var_10], ecx
		mov	ecx, [ebp+var_4]
		movzx	edx, cl
		shr	esi, 8
		shr	edi, 8
		mov	ecx, [eax+edx*8+1000h]
		xor	[ebp+var_14], ecx
		mov	ecx, [eax+edx*8+1004h]
		xor	[ebp+var_18], ecx
		mov	ecx, [ebp+var_30]
		shrd	[ebp+var_4], ecx, 8
		shr	ecx, 8
		mov	[ebp+var_30], ecx
		mov	ecx, [ebp+var_8]
		movzx	edx, cl
		mov	ecx, [eax+edx*8+1000h]
		xor	[ebp+var_1C], ecx
		mov	ecx, [eax+edx*8+1004h]
		xor	[ebp+var_20], ecx
		mov	ecx, [ebp+var_28]
		shrd	[ebp+var_8], ecx, 8
		shr	ecx, 8
		mov	[ebp+var_28], ecx
		movzx	ecx, bl
		shrd	ebx, esi, 8
		mov	edx, [eax+ecx*8+800h]
		mov	ecx, [eax+ecx*8+804h]
		xor	edx, [eax+ebx*8]
		xor	ecx, [eax+ebx*8+4]
		xor	[ebp+var_C], ecx
		xor	[ebp+var_24], edx
		mov	ebx, [ebp+arg_4]
		movzx	ecx, bl
		shrd	ebx, edi, 8
		mov	edi, [ebp+var_2C]
		mov	edx, [eax+ecx*8+800h]
		mov	ecx, [eax+ecx*8+804h]
		xor	edx, [eax+ebx*8]
		xor	ecx, [eax+ebx*8+4]
		xor	edi, edx
		xor	[ebp+var_10], ecx
		mov	ebx, [ebp+var_4]
		mov	edx, [ebp+var_30]
		movzx	ecx, bl
		shrd	ebx, edx, 8
		mov	edx, [eax+ecx*8+800h]
		mov	ecx, [eax+ecx*8+804h]
		xor	edx, [eax+ebx*8]
		xor	ecx, [eax+ebx*8+4]
		xor	[ebp+var_14], edx
		xor	[ebp+var_18], ecx
		mov	ebx, [ebp+var_8]
		mov	edx, [ebp+var_28]
		movzx	ecx, bl
		shrd	ebx, edx, 8
		mov	edx, [eax+ecx*8+800h]
		mov	ecx, [eax+ecx*8+804h]
		xor	edx, [eax+ebx*8]
		xor	[ebp+var_1C], edx
		xor	ecx, [eax+ebx*8+4]
		mov	edx, [ebp+var_34]
		xor	[ebp+var_20], ecx
		add	edx, 20h
		mov	ecx, [ebp+var_24]
		mov	[ebp+var_34], edx
		cmp	edx, [ebp+var_44]
		jb	loc_569517
		mov	eax, [ebp+var_C]

loc_569979:				; CODE XREF: RtlpComputeCrcInternal+7Bj
		mov	ebx, [edx]
		xor	ebx, ecx
		mov	ecx, [edx+4]
		mov	[ebp+var_4], ebx
		xor	ecx, eax
		mov	eax, [ebp+arg_8]
		mov	esi, [ebp+var_4]
		mov	[ebp+arg_4], ecx
		mov	ecx, [eax+4]
		movzx	eax, bl
		mov	ebx, [ebp+arg_4]
		shrd	esi, ebx, 8
		xor	esi, [ecx+eax*8]
		shr	ebx, 8
		xor	ebx, [ecx+eax*8+4]
		mov	eax, esi
		movzx	eax, al
		mov	[ebp+var_4], esi
		shrd	esi, ebx, 8
		xor	esi, [ecx+eax*8]
		shr	ebx, 8
		xor	ebx, [ecx+eax*8+4]
		mov	eax, esi
		movzx	eax, al
		mov	[ebp+var_4], esi
		shrd	esi, ebx, 8
		xor	esi, [ecx+eax*8]
		shr	ebx, 8
		xor	ebx, [ecx+eax*8+4]
		mov	eax, esi
		movzx	eax, al
		mov	[ebp+var_4], esi
		shrd	esi, ebx, 8
		xor	esi, [ecx+eax*8]
		shr	ebx, 8
		xor	ebx, [ecx+eax*8+4]
		mov	eax, esi
		movzx	eax, al
		mov	[ebp+var_4], esi
		shrd	esi, ebx, 8
		xor	esi, [ecx+eax*8]
		shr	ebx, 8
		xor	ebx, [ecx+eax*8+4]
		mov	eax, esi
		movzx	eax, al
		mov	[ebp+var_4], esi
		shrd	esi, ebx, 8
		xor	esi, [ecx+eax*8]
		shr	ebx, 8
		xor	ebx, [ecx+eax*8+4]
		mov	eax, esi
		movzx	eax, al
		mov	[ebp+var_4], esi
		shrd	esi, ebx, 8
		xor	esi, [ecx+eax*8]
		shr	ebx, 8
		xor	ebx, [ecx+eax*8+4]
		mov	eax, esi
		movzx	eax, al
		mov	[ebp+var_4], esi
		shrd	esi, ebx, 8
		xor	esi, [ecx+eax*8]
		shr	ebx, 8
		xor	ebx, [ecx+eax*8+4]
		mov	[ebp+arg_4], ebx
		mov	ebx, esi
		xor	ebx, [edx+8]
		mov	eax, [ebp+arg_4]
		xor	ebx, edi
		xor	eax, [edx+0Ch]
		mov	edi, eax
		mov	[ebp+arg_4], eax
		xor	edi, [ebp+var_10]
		movzx	eax, bl
		shrd	ebx, edi, 8
		mov	[ebp+var_4], esi
		shr	edi, 8
		xor	ebx, [ecx+eax*8]
		xor	edi, [ecx+eax*8+4]
		movzx	eax, bl
		shrd	ebx, edi, 8
		xor	ebx, [ecx+eax*8]
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		xor	edi, [edx+14h]
		xor	edi, [ebp+var_18]
		xor	ebx, [edx+10h]
		xor	ebx, [ebp+var_14]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	ebx, [ecx+eax*8]
		xor	edi, [ecx+eax*8+4]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	ebx, [ecx+eax*8]
		xor	edi, [ecx+eax*8+4]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	ebx, [ecx+eax*8]
		xor	edi, [ecx+eax*8+4]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	ebx, [ecx+eax*8]
		xor	ebx, [edx+18h]
		xor	edi, [ecx+eax*8+4]
		xor	edi, [edx+1Ch]
		mov	[ebp+var_4], ebx
		mov	ebx, [ebp+var_1C]
		xor	edi, [ebp+var_20]
		xor	[ebp+var_4], ebx
		mov	ebx, [ebp+var_4]
		movzx	eax, bl
		shrd	ebx, edi, 8
		mov	esi, [ebp+var_40]
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	edi, [ecx+eax*8+4]
		xor	ebx, [ecx+eax*8]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	ebx, [ecx+eax*8]
		xor	edi, [ecx+eax*8+4]
		movzx	eax, bl
		shrd	ebx, edi, 8
		shr	edi, 8
		xor	ebx, [ecx+eax*8]
		xor	edi, [ecx+eax*8+4]
		add	edx, 20h

loc_569C19:				; CODE XREF: RtlpComputeCrcInternal+49j
		xor	ecx, ecx
		cmp	[ebp+var_38], ecx
		ja	loc_5F41D4

loc_569C24:				; CODE XREF: RtlpComputeCrcInternal+8AD6Aj
		mov	edx, [ebp+var_48]
		xor	esi, ebx
		xor	edx, edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
RtlpComputeCrcInternal endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlStartBootLogicalProcessors proc near	; CODE XREF: KeStartAllProcessors+183p

var_CF0		= dword	ptr -0CF0h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F41FF SIZE 0000027E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CF4h
		mov	eax, ds:_KiMaximumGroupSize
		push	ebx
		push	esi
		push	edi
		push	8
		mov	[ebp+var_10], eax
		lea	edi, [ebp+var_34]
		xor	eax, eax
		test	byte ptr ds:_HvlpFlags,	2
		pop	ecx
		rep stosd
		jnz	loc_5F41FF

loc_569C63:				; CODE XREF: HvlStartBootLogicalProcessors+8A842j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
HvlStartBootLogicalProcessors endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiConfigureCpuSetSchedulingInformation proc near
					; CODE XREF: KiConfigureSchedulingInformation(x,x)+2ACp
					; KeConfigureHeteroProcessors(x,x,x)+1E7p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F447D SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	edi
		mov	ebx, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _KiCpuSetLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, offset _KiCpuSetSequence
		call	RtlWriteAcquireTickLock
		movzx	ecx, byte ptr [ebx+3C4h]
		lea	edx, [ebx+4038h]
		mov	al, [ebx+3C5h]
		shl	ecx, 4
		add	ecx, ds:_KiCpuSetData
		push	5
		pop	edi
		push	esi
		mov	[ecx], al
		mov	al, [ebx+3C4h]
		mov	[ecx+1], al
		mov	eax, [ebx+402Ch]
		bsf	eax, eax
		mov	[ebp+var_8], eax
		mov	[ecx+2], al
		xor	eax, eax

loc_569CCD:				; CODE XREF: KiConfigureCpuSetSchedulingInformation+73j
		mov	esi, [edx]
		test	esi, esi
		jz	short loc_569CD5
		mov	eax, esi

loc_569CD5:				; CODE XREF: KiConfigureCpuSetSchedulingInformation+69j
		add	edx, 4
		sub	edi, 1
		jnz	short loc_569CCD
		pop	esi
		test	eax, eax
		jz	short loc_569CEB
		bsf	eax, eax
		mov	[ebp+var_C], eax
		mov	[ecx+3], al

loc_569CEB:				; CODE XREF: KiConfigureCpuSetSchedulingInformation+78j
		mov	eax, [ebx+338h]
		pop	edi
		mov	eax, [eax+84h]
		bsf	eax, eax
		mov	[ecx+4], al
		mov	[ebp+var_10], eax
		mov	al, [ebx+3ED0h]
		mov	[ecx+5], al
		mov	al, [ebx+3ED1h]
		mov	[ecx+6], al
		mov	ecx, offset _KiCpuSetLock
		mov	eax, ds:_KiCpuSetSequence
		mov	edx, ds:dword_70E6F4
		add	eax, 1
		mov	ds:_KiCpuSetSequence, eax
		adc	edx, 0
		test	ds:byte_70EFC6,	1
		mov	ds:dword_70E6F4, edx
		pop	ebx
		jnz	loc_5F447D
		xor	eax, eax
		lock and [ecx],	eax

loc_569D47:				; CODE XREF: KiConfigureCpuSetSchedulingInformation+8A81Dj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn
KiConfigureCpuSetSchedulingInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiConfigureNodeSchedulingInformation(x)
_KiConfigureNodeSchedulingInformation@4	proc near
					; CODE XREF: KiConfigureAllSchedulingInformation()+61p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	al, _KiSMTProcessorsPresent
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1], al
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_8], ebx
		mov	edx, [esi+84h]
		mov	ecx, edx
		test	ecx, ecx
		jz	short loc_569DC5

loc_569D78:				; CODE XREF: KiConfigureNodeSchedulingInformation(x)+6Ej
		and	[ebp+var_8], 0
		bsf	eax, ecx
		cmp	[ebp+var_1], 0
		mov	[ebp+var_8], eax
		mov	edi, ds:_KiProcessorBlock[eax*4]
		jz	short loc_569DA6
		mov	eax, [edi+402Ch]
		cmp	eax, [edi+3C8h]
		jz	short loc_569DB6
		or	byte ptr [esi+0A5h], 20h
		jmp	short loc_569DB6
; 

loc_569DA6:				; CODE XREF: KiConfigureNodeSchedulingInformation(x)+3Bj
		movzx	eax, byte ptr [edi+3C5h]
		mov	eax, [edi+eax*4+401Ch]
		and	eax, edx

loc_569DB6:				; CODE XREF: KiConfigureNodeSchedulingInformation(x)+49j
					; KiConfigureNodeSchedulingInformation(x)+52j
		mov	edi, [ebp+var_8]
		not	eax
		bts	ebx, edi
		and	ecx, eax
		jnz	short loc_569D78
		mov	[ebp+var_8], ebx

loc_569DC5:				; CODE XREF: KiConfigureNodeSchedulingInformation(x)+24j
		mov	ebx, edx
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_569DEA

loc_569DCD:				; CODE XREF: KiConfigureNodeSchedulingInformation(x)+96j
		and	[ebp+var_C], 0
		bsf	eax, ebx
		bts	edi, eax
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		mov	eax, [ecx+4034h]
		not	eax
		and	ebx, eax
		jnz	short loc_569DCD

loc_569DEA:				; CODE XREF: KiConfigureNodeSchedulingInformation(x)+79j
		xor	ebx, ebx
		test	edx, edx
		jz	short loc_569E0F

loc_569DF0:				; CODE XREF: KiConfigureNodeSchedulingInformation(x)+BBj
		and	[ebp+var_C], 0
		bsf	ecx, edx
		btr	edx, ecx
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		mov	eax, [eax+4020h]
		or	ebx, eax
		not	eax
		and	edx, eax
		jnz	short loc_569DF0

loc_569E0F:				; CODE XREF: KiConfigureNodeSchedulingInformation(x)+9Cj
		mov	eax, [ebp+var_8]
		mov	[esi+10Ch], edi
		pop	edi
		mov	[esi+90h], ebx
		mov	[esi+94h], eax
		pop	esi
		pop	ebx
		leave
		retn
_KiConfigureNodeSchedulingInformation@4	endp

; 
		align 2

; __stdcall KeShadowProcessorArea(x)
_KeShadowProcessorArea@4:		; CODE XREF: Phase1InitializationDiscard(x)+6B8p
		mov	edx, [ecx+38h]
		add	ecx, 120h
		sub	edx, 3000h
		call	KiShadowProcessorAllocation
		test	eax, eax
		jz	short loc_569E43
		retn
; 

loc_569E43:				; CODE XREF: .text:00569E40j
		push	7Dh
		call	_KeBugCheck@4	; KeBugCheck(x)
; 
		dw 0CCCCh
		align 10h
; Exported entry 1099. KeAllocateProcessorProfileStructures

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeAllocateProcessorProfileStructures
KeAllocateProcessorProfileStructures proc near

var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005F448A SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		cmp	[ebp+arg_C], 0
		push	ebx
		push	esi
		push	edi
		jnz	short loc_569E9A
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, large fs:20h
		mov	edx, [ebp+arg_8]
		mov	ecx, [edx]
		mov	[esi+4078h], ecx
		mov	ecx, [edx]
		add	ecx, 28h
		mov	[esi+407Ch], ecx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax

loc_569E91:				; CODE XREF: KeAllocateProcessorProfileStructures+14Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_569E9A:				; CODE XREF: KeAllocateProcessorProfileStructures+12j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[esp+20h+var_E], al
		xor	ebx, ebx
		mov	eax, [ebp+arg_8]
		mov	[esp+20h+var_D], bl
		mov	[eax], ebx
		mov	eax, [ebp+arg_0]
		imul	edi, eax, 0A0h
		imul	eax, [ebp+arg_4]
		add	edi, eax
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_C], edi
		cmp	ds:_KiKvaShadow, bl
		jz	short loc_569EDE
		add	edi, 0FFFh
		and	edi, 0FFFFF000h
		mov	[esp+20h+var_C], edi

loc_569EDE:				; CODE XREF: KeAllocateProcessorProfileStructures+7Cj
		xor	edx, edx
		mov	ecx, edi
		call	_MmAllocateIndependentPages@8 ;	MmAllocateIndependentPages(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5F448A
		push	edi		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		cmp	ds:_KiKvaShadow, bl
		jz	short loc_569F1A
		mov	edx, edi
		mov	ecx, esi
		call	MmCreateShadowMapping
		test	eax, eax
		jz	loc_5F4494
		mov	[esp+20h+var_D], 1

loc_569F1A:				; CODE XREF: KeAllocateProcessorProfileStructures+B2j
		add	[esp+20h+var_8], esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esp+20h+var_E], al
		mov	eax, large fs:20h
		mov	ecx, eax
		mov	[esp+20h+var_4], eax
		call	_KiIsIntelPebsSupported@4 ; KiIsIntelPebsSupported(x)
		test	al, al
		jz	short loc_569FA0
		mov	eax, [esp+20h+var_4]
		mov	eax, [eax+4078h]
		test	eax, eax
		jnz	loc_5F449E
		mov	ecx, ebx
		cmp	[ebp+arg_0], ecx
		jbe	short loc_569F7C
		mov	edx, [esp+20h+var_8]
		mov	edi, [ebp+arg_0]
		add	edx, 20h

loc_569F60:				; CODE XREF: KeAllocateProcessorProfileStructures+126j
		mov	eax, ecx
		mov	[edx+4], ebx
		imul	eax, [ebp+arg_4]
		add	eax, esi
		inc	ecx
		mov	[edx], eax
		lea	edx, [edx+0A0h]
		cmp	ecx, edi
		jb	short loc_569F60
		mov	edi, [esp+20h+var_C]

loc_569F7C:				; CODE XREF: KeAllocateProcessorProfileStructures+104j
		mov	eax, [ebp+arg_8]
		mov	esi, ebx
		mov	ecx, [esp+20h+var_8]
		mov	[eax], ecx

loc_569F87:				; CODE XREF: KeAllocateProcessorProfileStructures+155j
					; KeAllocateProcessorProfileStructures+8A63Fj ...
		mov	cl, [esp+20h+var_E]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	loc_5F44AD

loc_569F99:				; CODE XREF: KeAllocateProcessorProfileStructures+8A676j
		mov	eax, ebx
		jmp	loc_569E91
; 

loc_569FA0:				; CODE XREF: KeAllocateProcessorProfileStructures+EBj
		mov	ebx, 0C00000BBh
		jmp	short loc_569F87
KeAllocateProcessorProfileStructures endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIsIntelPebsSupported(x)
_KiIsIntelPebsSupported@4 proc near	; CODE XREF: KeAllocateProcessorProfileStructures+E4p
					; KeProcessorProfileControlArea(x,x,x)+93p

var_14		= dword	ptr -14h
var_C		= byte ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		cmp	byte ptr [ecx+3BEh], 1
		stosd
		stosd
		stosd
		stosd
		jnz	short loc_56A01C
		mov	ecx, 1A0h
		rdmsr
		mov	ecx, eax
		and	ecx, 80h
		or	ecx, 0
		jz	short loc_56A01C
		and	eax, 1000h
		or	eax, 0
		jnz	short loc_56A01C
		inc	eax
		lea	edi, [ebp+var_14]
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	[ebp+var_C], 4
		jz	short loc_56A01C
		mov	al, 1

loc_56A00D:				; CODE XREF: KiIsIntelPebsSupported(x)+76j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_56A01C:				; CODE XREF: KiIsIntelPebsSupported(x)+25j
					; KiIsIntelPebsSupported(x)+39j ...
		xor	al, al
		jmp	short loc_56A00D
_KiIsIntelPebsSupported@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiConfigureInitialNodes(x)
_KiConfigureInitialNodes@4 proc	near	; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+24Ep
		mov	al, byte ptr ds:_KiMaximumGroupSize
		or	ds:byte_711665,	2
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	ds:byte_711664,	al
		mov	edi, offset _ExNode0
		mov	esi, ecx
		inc	ebx
		mov	ds:_KeNodeBlock, edi
		or	ds:dword_711654, ebx
		mov	ecx, edi
		call	KiCommitNodeAssignment
		mov	[esi+338h], edi
		xor	edx, edx
		or	ds:dword_711608, ebx
		mov	ecx, esi
		mov	[esi+2238h], bl
		call	KiAddProcessorToGroupDatabase
		push	0Fh
		mov	eax, offset unk_AFE080
		pop	ecx

loc_56A074:				; CODE XREF: KiConfigureInitialNodes(x)+6Bj
		mov	ds:_KeNodeBlock[ebx*4],	eax
		mov	[eax+8Ah], bx
		inc	ebx
		add	eax, 140h
		sub	ecx, 1
		jnz	short loc_56A074
		pop	edi
		pop	esi
		pop	ebx
		retn
_KiConfigureInitialNodes@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAddProcessorToGroupDatabase proc near	; CODE XREF: KiConfigureInitialNodes(x)+47p
					; KiStartDynamicProcessor(x,x,x,x)+258p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F44CB SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	eax, [edi+338h]
		mov	[ebp+var_C], eax
		movzx	esi, word ptr [eax+88h]
		mov	ebx, ds:_KiGroupBlock[esi*8]
		inc	ebx
		bsr	ecx, ebx
		mov	[edi+3C8h], ebx
		mov	al, [eax+88h]
		mov	[edi+3C5h], al
		mov	[edi+3C4h], cl
		or	ds:_KiGroupBlock[esi*8], ebx
		cmp	ds:_KeForceGroupAwareness, 0
		mov	[ebp+var_4], ecx
		jnz	loc_5F44CB
		cmp	byte ptr [edi+3C5h], 0
		jnz	loc_5F44F0
		mov	[edi+10h], cl
		mov	esi, ecx

loc_56A102:				; CODE XREF: KiAddProcessorToGroupDatabase+8A44Fj
					; KiAddProcessorToGroupDatabase+8A459j	...
		movzx	ecx, byte ptr [edi+3C5h]
		mov	eax, [edi+3CCh]
		shl	ecx, 6
		add	ecx, esi
		push	5
		mov	ds:_KiProcessorIndexToNumberMappingTable[eax*4], ecx
		mov	ds:_KiProcessorNumberToIndexMappingTable[ecx*4], eax
		mov	eax, [ebp+var_C]
		add	eax, 0ACh
		pop	ecx

loc_56A12D:				; CODE XREF: KiAddProcessorToGroupDatabase+ADj
		test	edx, edx
		jnz	short loc_56A136
		or	[eax-4], ebx
		or	[eax], ebx

loc_56A136:				; CODE XREF: KiAddProcessorToGroupDatabase+9Dj
		or	[eax+4], ebx
		add	eax, 0Ch
		sub	ecx, 1
		jnz	short loc_56A12D
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
KiAddProcessorToGroupDatabase endp


;  S U B	R O U T	I N E 


; __stdcall KiIsKvaLeakSimulated()
_KiIsKvaLeakSimulated@0	proc near	; CODE XREF: KiEnableKvaShadowing(x,x):loc_724B17p
		mov	eax, _KiFeatureSimulations
		shr	eax, 4
		and	al, 1
		retn
_KiIsKvaLeakSimulated@0	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiIsKvaShadowDisabled()
_KiIsKvaShadowDisabled@0 proc near	; CODE XREF: KiEnableKvaShadowing(x,x)+5p
		mov	eax, _KiFeatureSettings
		shr	eax, 1
		and	al, 1
		retn
_KiIsKvaShadowDisabled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReadWriteAnyLevelShadowPte proc near	; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+46p
					; MiInitializeShadowPageTable+C0p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F450D SIZE 000000E5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, large fs:124h
		and	[ebp+var_30], 0
		and	[ebp+var_2C], 0
		mov	[ebp+var_1C], edx
		mov	eax, [eax+80h]
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, [eax+304h]
		mov	[ebp+var_14], ebx
		push	edi
		cmp	edx, 2
		jge	short loc_56A1A7

loc_56A18E:				; CODE XREF: MiReadWriteAnyLevelShadowPte+49j
		mov	[ebp+esi*4+var_30], ecx
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		inc	esi
		cmp	esi, 2
		jl	short loc_56A18E

loc_56A1A7:				; CODE XREF: MiReadWriteAnyLevelShadowPte+30j
		mov	ecx, [ebp+arg_8]
		mov	edi, ebx
		xor	ebx, ebx
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_4]
		mov	al, 21h
		xor	edx, edx
		mov	[ebp+var_1], al
		mov	[ebp+var_2], al
		mov	[ebp+var_28], ebx
		mov	[ebp+var_8], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_10], ecx

loc_56A1CA:				; CODE XREF: MiReadWriteAnyLevelShadowPte+E6j
		mov	ecx, [ebp+esi*4+var_34]
		dec	esi
		mov	[ebp+arg_8], ecx
		cmp	esi, 1
		jnz	loc_56A2BC
		add	ecx, 3FA00000h
		sar	ecx, 3
		sub	ecx, 400h
		cmp	ecx, 200h
		jnb	loc_5F450D
		mov	eax, dword_6D0628
		lea	edi, [eax+ecx*8]

loc_56A1FE:				; CODE XREF: MiReadWriteAnyLevelShadowPte+8A3BAj
		mov	ecx, [ebp+arg_8]

loc_56A201:				; CODE XREF: MiReadWriteAnyLevelShadowPte+1A2j
		cmp	[ebp+arg_0], 0
		jnz	short loc_56A263

loc_56A207:				; CODE XREF: MiReadWriteAnyLevelShadowPte+10Aj
		and	[ebp+arg_4], 0
		and	[ebp+arg_8], 0
		mov	ebx, [edi]
		nop
		mov	edx, [edi+4]
		mov	[ebp+var_8], edx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], edx
		test	esi, esi
		jz	short loc_56A23C
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	short loc_56A23C
		mov	eax, ebx
		and	eax, 80h
		or	eax, 0
		jnz	loc_5F45CF

loc_56A23C:				; CODE XREF: MiReadWriteAnyLevelShadowPte+C4j
					; MiReadWriteAnyLevelShadowPte+CEj ...
		mov	al, [ebp+var_1]
		cmp	esi, [ebp+var_1C]
		jnz	short loc_56A1CA
		cmp	al, 21h
		jz	short loc_56A257
		mov	ecx, [ebp+var_14]
		mov	dl, al
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)

loc_56A257:				; CODE XREF: MiReadWriteAnyLevelShadowPte+EAj
		mov	edx, [ebp+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_56A263:				; CODE XREF: MiReadWriteAnyLevelShadowPte+A9j
		cmp	esi, [ebp+var_1C]
		jnz	short loc_56A207
		mov	ecx, [ebp+var_10]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_5F45C1
		mov	eax, [ebp+var_C]
		test	esi, esi
		jnz	short loc_56A28C
		or	ecx, 100h
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ecx

loc_56A28C:				; CODE XREF: MiReadWriteAnyLevelShadowPte+122j
		and	[ebp+var_18], 0
		mov	edx, eax
		mov	[ebp+arg_8], ecx
		mov	ecx, edi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5F4532

loc_56A2A4:				; CODE XREF: MiReadWriteAnyLevelShadowPte+8A3EDj
					; MiReadWriteAnyLevelShadowPte+8A3FEj ...
		mov	ecx, [ebp+arg_8]

loc_56A2A7:				; CODE XREF: MiReadWriteAnyLevelShadowPte+8A40Dj
		mov	[edi+4], edx
		nop
		cmp	[ebp+var_18], 0
		mov	[edi], ecx
		jnz	loc_5F45B3

loc_56A2B7:				; CODE XREF: MiReadWriteAnyLevelShadowPte+8A460j
		mov	edx, [ebp+var_8]
		jmp	short loc_56A23C
; 

loc_56A2BC:				; CODE XREF: MiReadWriteAnyLevelShadowPte+79j
		cmp	al, 21h
		jnz	loc_5F451B

loc_56A2C4:				; CODE XREF: MiReadWriteAnyLevelShadowPte+8A3D1j
		nop
		mov	eax, edx
		mov	ecx, ebx
		shrd	ecx, eax, 0Ch
		push	80000000h
		and	ecx, 1FFFFFFh
		lea	edx, [ebp+var_2]
		call	MiMapPageInHyperSpaceWorker
		mov	ecx, [ebp+arg_8]
		mov	edx, eax
		mov	eax, ecx
		mov	[ebp+var_14], edx
		shr	eax, 3
		and	eax, 1FFh
		lea	edi, [edx+eax*8]
		mov	al, [ebp+var_2]
		mov	edx, [ebp+var_8]
		mov	[ebp+var_1], al
		jmp	loc_56A201
MiReadWriteAnyLevelShadowPte endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiGetLeafVa(x)
_MiGetLeafVa@4	proc near		; CODE XREF: MiDeleteEmptyPageTableCommit(x)+47p
					; MiDeleteEmptyPageTableCommit(x)+63p ...
		mov	eax, 0C0000000h

loc_56A309:				; CODE XREF: MiGetLeafVa(x)+14j
		cmp	ecx, eax
		jb	short loc_56A31A
		cmp	ecx, 0C07FFFFFh
		ja	short loc_56A31A
		shl	ecx, 9
		jmp	short loc_56A309
; 

loc_56A31A:				; CODE XREF: MiGetLeafVa(x)+7j
					; MiGetLeafVa(x)+Fj
		mov	eax, ecx
		retn
_MiGetLeafVa@4	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiPageTablesNeeded(x, x, x)
_MiPageTablesNeeded@12 proc near	; CODE XREF: MmCreateShadowMapping+84p
		mov	edi, edi
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	edi
		mov	edi, eax
		mov	ebx, offset loc_7FFFF8

loc_56A32E:				; CODE XREF: MiPageTablesNeeded(x,x,x)+39j
		shr	esi, 9
		shr	edx, 9
		and	esi, ebx
		and	edx, ebx
		sub	esi, 40000000h
		sub	edx, 40000000h
		cmp	edi, 1
		jl	short loc_56A353
		mov	ecx, edx
		inc	eax
		sub	ecx, esi
		sar	ecx, 3
		add	eax, ecx

loc_56A353:				; CODE XREF: MiPageTablesNeeded(x,x,x)+29j
		inc	edi
		cmp	edi, 1
		jle	short loc_56A32E
		pop	edi
		pop	esi
		pop	ebx
		retn	4
_MiPageTablesNeeded@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmSetPageProtection proc near		; CODE XREF: KiShadowProcessorAllocation+2Cp
					; MmAllocateIsrStack(x,x)+46p ...

var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_90		= dword	ptr -90h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F45F2 SIZE 00000009 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_A4]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		mov	edi, edx
		mov	[ebp+var_AC], esi
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	loc_56A57B
		mov	ecx, [ebp+arg_0]
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		mov	ebx, eax
		cmp	ebx, 0FFFFFFFFh
		jz	loc_56A57B
		cmp	ebx, 8
		jnb	loc_56A57B
		mov	ecx, ebx
		and	ecx, 5
		cmp	cl, 5
		jz	loc_56A57B
		test	bl, 2
		jnz	loc_5F45E0

loc_56A3DA:				; CODE XREF: MiReadWriteAnyLevelShadowPte+8A491j
		mov	ecx, esi
		mov	esi, edi
		shr	ecx, 9
		and	esi, 0FFFh
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		neg	esi
		mov	[ebp+var_B0], ecx
		sbb	esi, esi
		or	eax, 0A0000000h
		neg	esi
		shr	edi, 0Ch
		push	eax
		xor	edx, edx
		add	esi, edi
		call	MiMakeValidPte
		and	[ebp+var_90], 0
		lea	ecx, [ebp+var_A4]
		push	0
		mov	[ebp+var_A8], edx
		mov	edi, eax
		mov	edx, [ebp+var_AC]
		push	esi
		mov	[ebp+var_9C], 21h
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		test	esi, esi
		jz	loc_56A530
		mov	eax, [ebp+var_B0]
		and	ebx, 4
		mov	ecx, [ebp+var_A8]

loc_56A455:				; CODE XREF: MmSetPageProtection+1CAj
		and	[ebp+var_B8], 0
		mov	edx, [eax]
		and	[ebp+var_BC], 0
		mov	[ebp+var_B8], edx
		nop
		mov	eax, [eax+4]
		mov	[ebp+var_C4], edx
		mov	[ebp+var_C0], eax
		nop
		shrd	edx, eax, 0Ch
		and	edi, 0FFFh
		and	ecx, 0FFFFFFE0h
		and	edx, 1FFFFFFh
		mov	[ebp+var_B4], edx
		mov	eax, edx
		xor	edx, edx
		shld	edx, eax, 0Ch
		shl	eax, 0Ch
		or	edx, ecx
		mov	ecx, [ebp+var_B4]
		or	eax, edi
		imul	edi, ecx, 1Ch
		mov	[ebp+var_A8], eax
		mov	[ebp+var_AC], edx
		add	edi, ds:_MmPfnDatabase
		mov	[ebp+var_B4], edi
		test	ebx, ebx
		jnz	loc_56A54E
		cmp	ecx, dword_6D07B0
		ja	loc_5F45F2
		mov	eax, dword_6D35B8
		mov	edx, ecx
		mov	edi, [ebp+var_A8]
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		shr	eax, cl
		mov	ecx, [ebp+var_AC]
		and	eax, 1
		jz	short loc_56A50F
		mov	ecx, [ebp+var_B4]
		xor	edx, edx
		call	MiLockPageAndSetDirty
		mov	ecx, [ebp+var_AC]

loc_56A50F:				; CODE XREF: MmSetPageProtection+19Aj
					; MmSetPageProtection+219j ...
		or	edi, 20h
		nop
		mov	eax, [ebp+var_B0]
		mov	[eax], edi
		mov	[eax+4], ecx
		add	eax, 8
		mov	[ebp+var_B0], eax
		sub	esi, 1
		jnz	loc_56A455

loc_56A530:				; CODE XREF: MmSetPageProtection+E0j
		lea	ecx, [ebp+var_A4]
		call	MiFlushTbList
		mov	al, 1

loc_56A53D:				; CODE XREF: MmSetPageProtection+21Dj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_56A54E:				; CODE XREF: MmSetPageProtection+167j
		mov	ecx, [ebp+var_B8]
		mov	edi, eax
		and	ecx, 42h
		mov	[ebp+var_A8], edx
		or	ecx, 0
		jz	short loc_56A573
		mov	edx, [ebp+var_AC]
		or	edi, 42h
		mov	[ebp+var_A8], edx

loc_56A573:				; CODE XREF: MmSetPageProtection+202j
		mov	ecx, [ebp+var_A8]
		jmp	short loc_56A50F
; 

loc_56A57B:				; CODE XREF: MmSetPageProtection+41j
					; MmSetPageProtection+54j ...
		xor	al, al
		jmp	short loc_56A53D
MmSetPageProtection endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMarkPxeAsShadowed proc near		; CODE XREF: MiInitializeShadowPageTable+1B3p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005F45FB SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		lea	esi, [ecx+3FA00000h]
		sar	esi, 3
		mov	ecx, offset dword_6D3540
		sub	esi, 400h
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, esi
		and	esi, 7
		shr	ecx, 3
		add	ecx, offset dword_6D2BD4
		pop	edi
		movsx	eax, byte ptr [ecx]
		bts	eax, esi
		mov	[ecx], al
		test	ds:byte_70EFC6,	1
		pop	esi
		jnz	loc_5F45FB
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5F4613
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5F460B

loc_56A5F5:				; CODE XREF: MiMarkPxeAsShadowed+8A086j
					; MiMarkPxeAsShadowed+8A0A3j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn
MiMarkPxeAsShadowed endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiQueryProcessorNode proc near		; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+92p
					; KeStartAllProcessors+1D4p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F4628 SIZE 000000A1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		cmp	ebx, ds:_KeNumberProcessors
		jb	loc_5F4628
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		movzx	eax, word ptr [edi]
		mov	[ebp+arg_0], eax
		mov	eax, _KiNumaQueryProcessorNode
		test	eax, eax
		jz	loc_5F4685
		push	edi
		push	edx
		push	ebx
		call	eax
		mov	esi, eax
		test	esi, esi
		jnz	loc_5F464C
		mov	eax, 0FFFFh
		cmp	[edi], ax
		jnz	short loc_56A656
		mov	ecx, edi
		call	_KiFindFirstAvailableNode@4 ; KiFindFirstAvailableNode(x)
		mov	esi, eax

loc_56A652:				; CODE XREF: KiQueryProcessorNode+8A052j
					; KiQueryProcessorNode+8A094j
		test	esi, esi
		jnz	short loc_56A682

loc_56A656:				; CODE XREF: KiQueryProcessorNode+47j
		movzx	eax, word ptr [edi]
		mov	eax, ds:_KeNodeBlock[eax*4]
		test	byte ptr [eax+0A5h], 2
		jz	short loc_56A68B

loc_56A669:				; CODE XREF: KiQueryProcessorNode+90j
		mov	eax, [ebp+var_4]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_5F4699

loc_56A675:				; CODE XREF: KiQueryProcessorNode+8A0A5j
		test	byte ptr ds:_HvlpFlags,	2
		jnz	loc_5F46AA

loc_56A682:				; CODE XREF: KiQueryProcessorNode+54j
					; KiQueryProcessorNode+8A063j ...
		pop	edi
		mov	eax, esi
		pop	esi

loc_56A686:				; CODE XREF: KiQueryProcessorNode+8A047j
		pop	ebx
		leave
		retn	4
; 

loc_56A68B:				; CODE XREF: KiQueryProcessorNode+67j
		mov	esi, 0C0000225h
		jmp	short loc_56A669
KiQueryProcessorNode endp


;  S U B	R O U T	I N E 


; __stdcall KiFindFirstAvailableNode(x)
_KiFindFirstAvailableNode@4 proc near	; CODE XREF: KiQueryProcessorNode+4Bp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	di, ds:_KeNumberNodes
		xor	eax, eax
		xor	esi, esi
		mov	ebx, ecx
		cmp	ax, di
		jnb	short loc_56A6D4

loc_56A6A9:				; CODE XREF: KiFindFirstAvailableNode(x)+40j
		movzx	eax, si
		mov	ecx, ds:_KeNodeBlock[eax*4]
		test	byte ptr [ecx+0A5h], 2
		jz	short loc_56A6CE
		call	_KiIsNodeFull@4	; KiIsNodeFull(x)
		test	al, al
		jnz	short loc_56A6CE
		mov	[ebx], si
		xor	eax, eax

loc_56A6CA:				; CODE XREF: KiFindFirstAvailableNode(x)+47j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_56A6CE:				; CODE XREF: KiFindFirstAvailableNode(x)+28j
					; KiFindFirstAvailableNode(x)+31j
		inc	esi
		cmp	si, di
		jb	short loc_56A6A9

loc_56A6D4:				; CODE XREF: KiFindFirstAvailableNode(x)+15j
		mov	eax, 0C0000225h
		jmp	short loc_56A6CA
_KiFindFirstAvailableNode@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiIsNodeFull(x)
_KiIsNodeFull@4	proc near		; CODE XREF: KiFindFirstAvailableNode(x)+2Ap
					; KiQueryProcessorNode+8A073p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, [esi+84h]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		cmp	cl, [esi+0A4h]
		pop	esi
		setz	al
		pop	ebx
		retn
_KiIsNodeFull@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiCommitNodeAssignment proc near	; CODE XREF: KiConfigureInitialNodes(x)+2Cp
					; KePerformGroupConfiguration(x)+20j

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F46C9 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		movzx	eax, word ptr [ecx+88h]
		mov	cx, ds:_KeNumberNodes
		mov	[ebp+var_4], eax
		xor	eax, eax
		cmp	ax, cx
		mov	ax, word_6D4E28
		jnb	short loc_56A7B0
		push	ebx
		push	esi
		mov	edx, offset _KeNodeBlock
		push	edi
		movzx	edi, cx
		mov	esi, edx
		mov	[ebp+var_C], edx
		mov	edx, [ebp+var_4]
		mov	[ebp+var_10], edi

loc_56A760:				; CODE XREF: KiCommitNodeAssignment+68j
		mov	ecx, [esi]
		mov	bl, [ecx+0A5h]
		test	bl, 2
		jz	short loc_56A786
		cmp	[ecx+88h], dx
		jnz	short loc_56A786
		or	bl, 4
		mov	[ecx+88h], ax
		mov	[ecx+0A5h], bl

loc_56A786:				; CODE XREF: KiCommitNodeAssignment+47j
					; KiCommitNodeAssignment+50j
		add	esi, 4
		sub	edi, 1
		jnz	short loc_56A760
		mov	edx, [ebp+var_C]
		mov	edi, [ebp+var_10]

loc_56A794:				; CODE XREF: KiCommitNodeAssignment+87j
		mov	ecx, [edx]
		mov	bl, [ecx+0A5h]
		test	bl, 4
		jz	loc_5F46C9

loc_56A7A5:				; CODE XREF: KiCommitNodeAssignment+89FA8j
					; KiCommitNodeAssignment+89FB5j ...
		add	edx, 4
		sub	edi, 1
		jnz	short loc_56A794
		pop	edi
		pop	esi
		pop	ebx

loc_56A7B0:				; CODE XREF: KiCommitNodeAssignment+24j
		inc	ax
		mov	word_6D4E28, ax
		leave
		retn
KiCommitNodeAssignment endp


;  S U B	R O U T	I N E 


; __stdcall KiInitializeTimer2Data()
_KiInitializeTimer2Data@0 proc near	; CODE XREF: KeInitializeTimerTable:loc_888067p
		push	5
		mov	eax, offset unk_6CB148
		or	edx, 0FFFFFFFFh
		pop	ecx

loc_56A7C5:				; CODE XREF: KiInitializeTimer2Data()+1Ej
		and	dword ptr [eax-8], 0
		and	dword ptr [eax-4], 0
		mov	[eax], edx
		lea	eax, [eax+10h]
		mov	[eax-0Ch], edx
		sub	ecx, 1
		jnz	short loc_56A7C5
		mov	_KiNextTimer2DueTime, edx
		mov	dword_6CB194, edx
		retn
_KiInitializeTimer2Data@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiExtendedSupervisorStateSupported()
_KiExtendedSupervisorStateSupported@0 proc near	; CODE XREF: INIT:00AC0053p
		mov	eax, ds:_KeFeatureBits
		and	eax, 400000h
		or	eax, 0
		jz	short loc_56A804
		mov	eax, ds:0FFDF05F0h
		or	eax, ds:0FFDF05F4h
		jnz	short loc_56A810

loc_56A804:				; CODE XREF: KiExtendedSupervisorStateSupported()+Dj
		cmp	ds:_KiIptMsrMask, 0
		ja	short loc_56A810
		xor	al, al
		retn
; 

loc_56A810:				; CODE XREF: KiExtendedSupervisorStateSupported()+1Aj
					; KiExtendedSupervisorStateSupported()+23j
		mov	al, 1
		retn
_KiExtendedSupervisorStateSupported@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiExecuteDpc(x)
_KiExecuteDpc@4	proc near		; DATA XREF: MmCanThreadFault()+29o
					; MiZeroInParallelWorker(x)+57o ...

var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0DCh+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esp+0E4h+var_D4]
		push	edi
		push	0CCh		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edi, large fs:124h
		add	esp, 0Ch
		push	1Fh
		push	edi
		call	KeSetPriorityThread
		lea	eax, [edi+5Ch]
		lock bts dword ptr [eax], 8
		mov	ecx, [esi+3CCh]
		xor	edx, edx
		call	_KiSetSystemAffinityThreadToProcessor@8	; KiSetSystemAffinityThreadToProcessor(x,x)
		xor	eax, eax
		lea	ebx, [esi+223Eh]
		inc	eax
		mov	[esi+2255h], al

loc_56A87D:				; CODE XREF: KiExecuteDpc(x)+C4j
		and	[esp+0E8h+var_D8], 0
		lea	eax, [esi+2228h]
		push	ecx
		push	5
		pop	edx
		mov	ecx, eax
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop

loc_56A8A1:				; CODE XREF: KiExecuteDpc(x)+B6j
		xor	ecx, ecx
		inc	ecx
		mov	ax, cx
		xchg	ax, [ebx]
		cli
		push	ecx
		lea	eax, [esp+0ECh+var_D8]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	KiExecuteAllDpcs
		sti
		lea	edx, [esi+21F8h]
		mov	ecx, ebx
		call	_KiTryToEndDpcProcessing@8 ; KiTryToEndDpcProcessing(x,x)
		test	al, al
		jz	short loc_56A8A1
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_56A87D
_KiExecuteDpc@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetSystemAffinityThreadToProcessor(x, x)
_KiSetSystemAffinityThreadToProcessor@8	proc near ; CODE XREF: KiExecuteDpc(x)+55p
					; KiDeregisterNmiSxCallback(x,x,x)+9Dp	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		xor	eax, eax
		and	[ebp+var_4], 0
		inc	eax
		shl	eax, cl
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_C]
		push	edx
		push	eax
		call	KeSetSystemGroupAffinityThread
		leave
		retn
_KiSetSystemAffinityThreadToProcessor@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeleteBootRange proc near		; CODE XREF: MmFreeBootRegistry():loc_888FF9p
					; MmFreeLoaderBlock+3D7p ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5

; FUNCTION CHUNK AT 005F46EE SIZE 00000086 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_14], edx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_40]
		push	6
		pop	ecx
		rep stosd
		mov	eax, ebx
		mov	[ebp+var_20], ebx
		shr	eax, 9
		mov	ecx, offset loc_7FFFF8
		and	eax, ecx
		mov	esi, offset unk_6D3C40
		add	eax, 0C0000000h
		mov	[ebp+var_10], eax
		mov	edi, eax
		lea	eax, [edx-1]
		lea	eax, [ebx+eax*8]
		mov	ebx, offset unk_6D37C0
		shr	eax, 9
		and	eax, ecx
		sub	eax, 40000000h
		mov	[ebp+var_C], eax
		mov	al, byte_6D37A0
		and	al, 7
		cmp	al, 2
		jz	short loc_56A95B
		mov	esi, ebx

loc_56A95B:				; CODE XREF: MiDeleteBootRange+59j
		push	esi
		call	ExAcquireSpinLockExclusive
		xor	edx, edx
		mov	[ebp+var_5], al
		mov	[esi+4], edx
		cmp	edi, [ebp+var_C]
		ja	short loc_56A9C2
		mov	ebx, [ebp+var_C]

loc_56A971:				; CODE XREF: MiDeleteBootRange+BAj
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		shrd	ecx, eax, 0Ch
		mov	[ebp+var_18], edx
		and	ecx, 1FFFFFFh
		imul	eax, ecx, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_1C], eax
		lea	esi, [eax+10h]
		lock bts dword ptr [esi], 1Fh
		jb	loc_5F46EE

loc_56A99E:				; CODE XREF: MiDeleteBootRange+89E08j
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		add	edi, 8
		push	0
		pop	edx
		cmp	edi, ebx
		jbe	short loc_56A971
		mov	al, [ebp+var_5]
		mov	ebx, offset unk_6D37C0

loc_56A9C2:				; CODE XREF: MiDeleteBootRange+6Ej
		mov	esi, offset unk_6D3740
		mov	dl, al
		mov	ecx, esi
		call	MiUnlockWorkingSetExclusive
		mov	edi, [ebp+var_14]
		lea	eax, [ebp+var_40]
		push	eax
		push	1
		push	edi
		push	[ebp+var_20]
		xor	edx, edx
		mov	ecx, esi
		call	_MiDeleteSystemPagableVm@24 ; MiDeleteSystemPagableVm(x,x,x,x,x,x)
		mov	eax, large fs:124h
		mov	[ebp+var_1C], eax
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceSharedLite
		mov	al, byte_6D37A0
		and	al, 7
		cmp	al, 2
		jz	loc_5F470B

loc_56AA12:				; CODE XREF: MiDeleteBootRange+89E12j
		push	ebx
		call	ExAcquireSpinLockExclusive
		xor	edx, edx
		mov	[ebp+var_5], al
		mov	[ebx+4], edx
		mov	ebx, [ebp+var_C]
		cmp	[ebp+var_10], ebx
		ja	short loc_56AA8A
		mov	edi, [ebp+var_10]

loc_56AA2B:				; CODE XREF: MiDeleteBootRange+182j
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		shrd	ecx, eax, 0Ch
		mov	[ebp+var_28], edx
		and	ecx, 1FFFFFFh
		imul	eax, ecx, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_20], eax
		lea	esi, [eax+10h]
		lock bts dword ptr [esi], 1Fh
		jb	loc_5F4715

loc_56AA58:				; CODE XREF: MiDeleteBootRange+89E2Fj
		or	edx, 0FFFFFFFFh
		mov	ecx, eax
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	eax, [esi]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jz	short loc_56AAD4

loc_56AA76:				; CODE XREF: MiDeleteBootRange:loc_56AB15j
					; MiDeleteBootRange+24Ej
		mov	al, [ebp+var_5]
		xor	edx, edx

loc_56AA7B:				; CODE XREF: MiDeleteBootRange+295j
		add	edi, 8
		cmp	edi, ebx
		jbe	short loc_56AA2B
		mov	edi, [ebp+var_14]
		mov	esi, offset unk_6D3740

loc_56AA8A:				; CODE XREF: MiDeleteBootRange+128j
		mov	dl, al
		mov	ecx, esi
		call	MiUnlockWorkingSetExclusive
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, [ebp+var_1C]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	esi, offset _MiSystemPartition
		mov	edx, edi
		mov	ecx, esi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	loc_56AB98

loc_56AABB:				; CODE XREF: MiDeleteBootRange+2A3j
		sub	edi, [ebp+var_3C]
		mov	ecx, esi
		mov	edx, edi
		call	MiReturnCommit
		sub	dword_6D361C, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_56AAD4:				; CODE XREF: MiDeleteBootRange+176j
		mov	ecx, edi
		shl	ecx, 9
		lea	esi, [ecx+1000h]
		cmp	ecx, esi
		jnb	short loc_56AB15
		xor	ebx, ebx

loc_56AAE5:				; CODE XREF: MiDeleteBootRange+210j
		mov	edx, [ecx]
		nop
		mov	eax, [ecx+4]
		mov	[ebp+var_20], eax
		mov	eax, edx
		and	eax, 0C01h
		or	eax, ebx
		jnz	short loc_56AB10
		and	edx, 3E0h
		mov	eax, edx
		or	eax, ebx
		jnz	loc_5F4732

loc_56AB09:				; CODE XREF: MiDeleteBootRange+89E40j
		add	ecx, 8
		cmp	ecx, esi
		jb	short loc_56AAE5

loc_56AB10:				; CODE XREF: MiDeleteBootRange+1F9j
					; MiDeleteBootRange+89E3Aj
		mov	ebx, [ebp+var_C]
		cmp	ecx, esi

loc_56AB15:				; CODE XREF: MiDeleteBootRange+1E3j
		jnz	loc_56AA76
		mov	ecx, _PsLoadedModuleList
		mov	esi, edi
		shl	esi, 12h

loc_56AB26:				; CODE XREF: MiDeleteBootRange+24Aj
		mov	edx, [ecx+18h]
		mov	eax, edx
		shr	eax, 12h
		and	eax, 3FF8h
		sub	eax, 3FA00000h
		cmp	edi, eax
		jnb	loc_5F4743

loc_56AB40:				; CODE XREF: MiDeleteBootRange+89E69j
		mov	ecx, [ecx]
		cmp	ecx, offset _PsLoadedModuleList
		jnz	short loc_56AB26

loc_56AB4A:				; CODE XREF: MiDeleteBootRange+89E71j
		test	ecx, ecx
		jz	loc_56AA76
		mov	dl, [ebp+var_5]
		mov	ecx, offset unk_6D3740
		call	MiUnlockWorkingSetExclusive
		push	0
		push	0Ch
		lea	edx, [esi+200000h]
		mov	ecx, esi
		call	_MiReturnSystemVa@16 ; MiReturnSystemVa(x,x,x,x)
		mov	al, byte_6D37A0
		mov	esi, offset unk_6D3C40
		and	al, 7
		cmp	al, 2
		jz	short loc_56AB85
		mov	esi, offset unk_6D37C0

loc_56AB85:				; CODE XREF: MiDeleteBootRange+280j
		push	esi
		call	ExAcquireSpinLockExclusive
		xor	edx, edx
		mov	[ebp+var_5], al
		mov	[esi+4], edx
		jmp	loc_56AA7B
; 

loc_56AB98:				; CODE XREF: MiDeleteBootRange+1B7j
		mov	edx, offset dword_6D5E40
		lock xadd [edx], eax
		jmp	loc_56AABB
MiDeleteBootRange endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiRegisterForDisableFgBoostDecayRegistryNotification proc near
					; CODE XREF: KiDisableFgBoostDecayRegistryChangeHandler(x)+3Cp
					; INIT:00AC01A5p

; FUNCTION CHUNK AT 005F4774 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		call	_KiGetDisableFgBoostDecayRegKeyHandle@0	; KiGetDisableFgBoostDecayRegKeyHandle()
		test	eax, eax
		js	short loc_56ABF8
		push	1
		xor	esi, esi
		mov	dword_6CB428, offset _KiDisableFgBoostDecayRegistryChangeHandler@4 ; KiDisableFgBoostDecayRegistryChangeHandler(x)
		push	esi
		push	esi
		push	esi
		push	4
		push	offset _KiDisableFgBoostDecayRegistryChangeIoStatus
		push	1
		push	offset _KiDisableFgBoostDecayRegistryChangeWork
		push	esi
		push	_KiDisableFgBoostDecayRegistryHandle
		mov	dword_6CB42C, esi
		mov	_KiDisableFgBoostDecayRegistryChangeWork, esi
		call	_ZwNotifyChangeKey@40 ;	ZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_5F4774

loc_56ABF8:				; CODE XREF: KiRegisterForDisableFgBoostDecayRegistryNotification+11j
					; KiRegisterForDisableFgBoostDecayRegistryNotification+89BDFj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
KiRegisterForDisableFgBoostDecayRegistryNotification endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIsDisableFgBoostDecayFeatureStateSet()
_KiIsDisableFgBoostDecayFeatureStateSet@0 proc near ; CODE XREF: KiInitializeVelocity()+9Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], esi
		call	_KiGetDisableFgBoostDecayRegKeyHandle@0	; KiGetDisableFgBoostDecayRegKeyHandle()
		test	eax, eax
		js	short loc_56AC34
		push	esi
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		push	offset ??_C@_1CI@BPFKPPAM@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAF?$AAG?$AAB?$AAo?$AAo?$AAs?$AAt?$AAD@FNODOBFM@
		push	_KiDisableFgBoostDecayRegistryHandle
		call	RtlQueryImageFileKeyOption
		test	eax, eax
		jns	short loc_56AC39

loc_56AC30:				; CODE XREF: KiIsDisableFgBoostDecayFeatureStateSet()+3Ej
		test	esi, esi
		jnz	short loc_56AC3E

loc_56AC34:				; CODE XREF: KiIsDisableFgBoostDecayFeatureStateSet()+13j
		xor	al, al

loc_56AC36:				; CODE XREF: KiIsDisableFgBoostDecayFeatureStateSet()+42j
		pop	esi
		leave
		retn
; 

loc_56AC39:				; CODE XREF: KiIsDisableFgBoostDecayFeatureStateSet()+30j
		mov	esi, [ebp+var_4]
		jmp	short loc_56AC30
; 

loc_56AC3E:				; CODE XREF: KiIsDisableFgBoostDecayFeatureStateSet()+34j
		mov	al, 1
		jmp	short loc_56AC36
_KiIsDisableFgBoostDecayFeatureStateSet@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGetDisableFgBoostDecayRegKeyHandle()
_KiGetDisableFgBoostDecayRegKeyHandle@0	proc near
					; CODE XREF: KiRegisterForDisableFgBoostDecayRegistryNotification+Ap
					; KiIsDisableFgBoostDecayFeatureStateSet()+Cp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		sub	esp, 18h
		cmp	_KiDisableFgBoostDecayRegistryHandle, eax
		jnz	short locret_56AC82
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	11h
		push	offset _KiDisableFgBoostDecayRegistryHandle
		mov	[ebp+var_18], 18h
		mov	[ebp+var_C], 240h
		mov	[ebp+var_10], offset _KiDisableFgBoostDecayRegKeyName
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)

locret_56AC82:				; CODE XREF: KiGetDisableFgBoostDecayRegKeyHandle()+10j
		leave
		retn
_KiGetDisableFgBoostDecayRegKeyHandle@0	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1179. KeInitializeThreadedDpc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeThreadedDpc(x, x, x)
		public _KeInitializeThreadedDpc@12
_KeInitializeThreadedDpc@12 proc near	; CODE XREF: KiInitializeProcessor+5Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		and	dword ptr [ecx+1Ch], 0
		and	dword ptr [ecx+8], 0
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	dword ptr [ecx], 11Ah
		mov	[ecx+10h], eax
		pop	ebp
		retn	0Ch
_KeInitializeThreadedDpc@12 endp


;  S U B	R O U T	I N E 


; __stdcall InbvSetProgressBarSubset(x,	x)
_InbvSetProgressBarSubset@8 proc near	; CODE XREF: Phase1Initialization(x)+29p
					; INIT:00ABFC59p
		mov	eax, dword_6D4D4C
		test	eax, eax
		jz	short locret_56ACC0
		mov	eax, [eax+38h]
		test	eax, eax
		jnz	short loc_56ACC1

locret_56ACC0:				; CODE XREF: InbvSetProgressBarSubset(x,x)+7j
		retn
; 

loc_56ACC1:				; CODE XREF: InbvSetProgressBarSubset(x,x)+Ej
		push	edx
		push	ecx
		call	eax
		retn
_InbvSetProgressBarSubset@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopQueryPowerButtonBugcheckConfiguration proc near
					; CODE XREF: PopPowerButtonBugcheckConfigure+58p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F478A SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		mov	esi, edx
		mov	ebx, ecx
		xor	ecx, ecx
		push	offset _PopPowerButtonBugcheckRegName ;	"PowerButtonBugcheck"
		mov	[ebp+var_24], ecx
		stosd
		mov	[ebp+var_20], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ecx
		stosd
		mov	[ebp+var_1C], ecx
		mov	[esi], ecx
		stosd
		stosd
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _PopOneSettingPowerButtonBugcheckRegName	; "OneSettingPowerButtonBugcheck"
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_1C]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_24]
		push	eax
		push	ebx
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		push	4
		pop	edi
		test	eax, eax
		jns	loc_5F478A

loc_56AD39:				; CODE XREF: PopQueryPowerButtonBugcheckConfiguration+89AC7j
					; PopQueryPowerButtonBugcheckConfiguration+89AD0j
		lea	eax, [ebp+var_1C]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_56AD86
		cmp	[ebp+var_14], edi
		jnz	short loc_56AD86
		cmp	[ebp+var_10], edi
		jnz	short loc_56AD86
		cmp	[ebp+var_C], 0
		jz	loc_5F47C6
		mov	dword ptr [esi], 1
		mov	dword_6BFDB4, 2

loc_56AD77:				; CODE XREF: PopQueryPowerButtonBugcheckConfiguration+C5j
					; PopQueryPowerButtonBugcheckConfiguration+89AECj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_56AD86:				; CODE XREF: PopQueryPowerButtonBugcheckConfiguration+8Bj
					; PopQueryPowerButtonBugcheckConfiguration+90j	...
		mov	eax, 0C0000001h
		jmp	short loc_56AD77
PopQueryPowerButtonBugcheckConfiguration endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWin32kPowerSettingCallback(x, x,	x, x)
_PopWin32kPowerSettingCallback@16 proc near

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_8], 4
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		jnz	short loc_56ADDE
		test	eax, eax
		jz	short loc_56ADDE
		mov	eax, [eax]
		xor	ecx, ecx
		push	edi
		lea	edi, [ebp+var_18]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	14h
		pop	edx
		call	_PopBroadcastSessionInfo@12 ; PopBroadcastSessionInfo(x,x,x)
		xor	eax, eax
		pop	edi

loc_56ADCF:				; CODE XREF: PopWin32kPowerSettingCallback(x,x,x,x)+55j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_56ADDE:				; CODE XREF: PopWin32kPowerSettingCallback(x,x,x,x)+1Dj
					; PopWin32kPowerSettingCallback(x,x,x,x)+21j
		mov	eax, 0C000000Dh
		jmp	short loc_56ADCF
_PopWin32kPowerSettingCallback@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlpTryConfigureInterface proc near	; CODE XREF: HvlRestoreEnlightenment(x)+18p
					; HvlPhase0Initialize+40p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F47D5 SIZE 0000010C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_28], 0
		xor	eax, eax
		and	[ebp+var_24], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	ebx, ecx
		stosd
		mov	[ebp+var_2C], ebx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax
		call	HviGetHypervisorFeatures
		mov	ecx, [ebp+var_14]
		xor	eax, eax
		and	ecx, 1000h
		mov	[ebp+var_19], 1
		or	eax, ecx
		jnz	short loc_56AE31
		mov	[ebp+var_19], 0

loc_56AE31:				; CODE XREF: HvlpTryConfigureInterface+45j
		call	_HviIsHypervisorMicrosoftCompatible@0 ;	HviIsHypervisorMicrosoftCompatible()
		test	al, al
		jnz	loc_5F47D5

loc_56AE3E:				; CODE XREF: HvlpTryConfigureInterface+89A0Aj
		and	ds:_HvlpHypercallCodeVa, 0
		mov	eax, 0C0351000h

loc_56AE4A:				; CODE XREF: HvlpTryConfigureInterface+89ACBj
					; HvlpTryConfigureInterface+89AF6j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
HvlpTryConfigureInterface endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 719. InbvDisplayString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public InbvDisplayString
InbvDisplayString proc near		; CODE XREF: Phase1InitializationDiscard(x)+3E7p
					; Phase1InitializationDiscard(x)+7ADp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F48E1 SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte_6D4D48, 0
		jnz	loc_5F48E1

loc_56AE70:				; CODE XREF: InbvDisplayString+89A99j
					; InbvDisplayString+89AA4j
		xor	al, al

loc_56AE72:				; CODE XREF: InbvDisplayString+89AAFj
		pop	ebp
		retn	4
InbvDisplayString endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopComputeCounterShifts	proc near	; CODE XREF: PoInitSystem+7Fp
					; PoInitSystem+94p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F4912 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		bsr	ecx, [ebp+arg_4]
		mov	[esi], eax
		mov	[edx], eax
		jnz	loc_5F4912
		bsr	ecx, [ebp+arg_0]
		jz	short loc_56AEA9
		cmp	ecx, 0Eh
		jbe	short loc_56AE9F
		lea	eax, [ecx-0Eh]
		mov	[esi], eax

loc_56AE9F:				; CODE XREF: PopComputeCounterShifts+22j
		cmp	ecx, 13h
		jbe	short loc_56AEA9
		lea	eax, [ecx-13h]

loc_56AEA7:				; CODE XREF: PopComputeCounterShifts+89AA4j
		mov	[edx], eax

loc_56AEA9:				; CODE XREF: PopComputeCounterShifts+1Dj
					; PopComputeCounterShifts+2Cj
		pop	esi
		leave
		retn	8
PopComputeCounterShifts	endp


;  S U B	R O U T	I N E 


; __stdcall PopRwLockInitialize(x)
_PopRwLockInitialize@4 proc near	; CODE XREF: PopCreateIdlePhaseWatchdog()+43p
		and	dword ptr [ecx], 0
		and	dword ptr [ecx+4], 0
		retn
_PopRwLockInitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopInitializeIRTimer(x, x, x, x, x,	x, x)
_PopInitializeIRTimer@28 proc near	; CODE XREF: PopNetInitialize+109p
					; PopNetInitialize+122p

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= word ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	8
		pop	eax
		mov	word ptr [ebp+var_4], ax
		mov	esi, ecx
		mov	ax, [ebp+arg_C]
		mov	word ptr [ebp+var_4+2],	ax
		lea	eax, [ebp+var_4]
		push	2
		push	eax
		push	0
		call	_KeInitializeIRTimer@20	; KeInitializeIRTimer(x,x,x,x,x)
		mov	edx, [ebp+arg_4]
		lea	ecx, [esi+58h]
		push	0
		call	_PopInitializeWorkItem@12 ; PopInitializeWorkItem(x,x,x)
		pop	esi
		leave
		retn	14h
_PopInitializeIRTimer@28 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopPowerSourceChangeCallback(void *,int,int,int)
PopPowerSourceChangeCallback proc near

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F491F SIZE 000000D1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, [ebp+arg_0]
		lea	edi, [ebp+var_18]
		xor	eax, eax
		mov	ebx, [ebp+arg_4]
		stosd
		push	10h
		mov	[ebp+var_20], ebx
		stosd
		stosd
		stosd
		stosd
		pop	edi
		push	edi		; size_t
		push	esi		; void *
		push	(offset	loc_407FB3+5) ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_5F491F

loc_56AF30:				; CODE XREF: PopPowerSourceChangeCallback+89A42j
		cmp	[ebp+arg_8], 4
		jnz	loc_5F4936
		test	ebx, ebx
		jz	loc_5F4936
		xor	bl, bl
		mov	[ebp+var_19], bl
		cmp	_PopLidOpened, bl
		jz	loc_5F4940

loc_56AF53:				; CODE XREF: PopPowerSourceChangeCallback+89A58j
					; PopPowerSourceChangeCallback+89A63j
		push	edi		; size_t
		push	esi		; void *
		push	(offset	loc_407FB3+5) ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_56AF72
		cmp	_PopPlatformAoAc, al
		jnz	loc_5F4956

loc_56AF72:				; CODE XREF: PopPowerSourceChangeCallback+76j
					; PopPowerSourceChangeCallback+89A7Ej ...
		push	edi		; size_t
		push	esi		; void *
		mov	esi, offset _GUID_BATTERY_COUNT
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_5F497C
		lea	edi, [ebp+var_18]
		test	bl, bl
		jnz	loc_5F49B3
		mov	esi, (offset loc_407FB3+5)
		xor	edx, edx
		push	5
		pop	ebx
		inc	edx
		movsd
		movsd
		movsd
		movsd
		mov	esi, ebx

loc_56AFA6:				; CODE XREF: PopPowerSourceChangeCallback+89AC0j
		test	dl, dl
		jz	short loc_56AFC0

loc_56AFAA:				; CODE XREF: PopPowerSourceChangeCallback+89AD4j
		mov	eax, [ebp+var_20]
		xor	ecx, ecx
		mov	eax, [eax]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	14h
		pop	edx
		call	_PopBroadcastSessionInfo@12 ; PopBroadcastSessionInfo(x,x,x)

loc_56AFC0:				; CODE XREF: PopPowerSourceChangeCallback+BAj
		cmp	[ebp+var_19], 0
		jnz	loc_5F49DA
		call	_TtmIsEnabled@0	; TtmIsEnabled()
		test	al, al
		jnz	loc_5F49C7

loc_56AFD7:				; CODE XREF: PopPowerSourceChangeCallback+89AE7j
					; PopPowerSourceChangeCallback+89AFDj
		xor	eax, eax

loc_56AFD9:				; CODE XREF: PopPowerSourceChangeCallback+89A4Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
PopPowerSourceChangeCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopInitilizeAcDcSettings proc near	; CODE XREF: PopBatteryApplyCompositeState+A035Ap
					; PoInitSystem+409p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F49F0 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		push	eax		; void *
		push	4		; Length
		mov	esi, (offset loc_407FB3+5)
		mov	[ebp+var_4], ebx
		push	ebx		; int
		or	edx, 0FFFFFFFFh
		mov	ecx, esi
		call	PopSetPowerSettingValue
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	eax		; void *
		inc	ecx
		or	edx, 0FFFFFFFFh
		push	4		; Length
		mov	[ebp+var_4], ecx
		push	ecx		; int
		mov	ecx, esi
		call	PopSetPowerSettingValue
		mov	edi, offset _PopSettingLock
		mov	ecx, edi
		call	ExAcquireFastMutex
		or	edx, 0FFFFFFFFh
		mov	ecx, esi
		call	_PopFindPowerSettingConfiguration@8 ; PopFindPowerSettingConfiguration(x,x)
		cmp	[eax+28h], ebx
		jnz	short loc_56B06A
		cmp	[eax+2Ch], ebx
		jnz	short loc_56B06A

loc_56B045:				; CODE XREF: PopInitilizeAcDcSettings+86j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	_PopOsInitPhase, 3
		jb	short loc_56B065
		test	bl, bl
		jnz	loc_5F49F0

loc_56B05D:				; CODE XREF: PopInitilizeAcDcSettings+89A10j
		push	20h
		pop	ecx
		call	_PopSetNotificationWork@4 ; PopSetNotificationWork(x)

loc_56B065:				; CODE XREF: PopInitilizeAcDcSettings+69j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_56B06A:				; CODE XREF: PopInitilizeAcDcSettings+54j
					; PopInitilizeAcDcSettings+59j
		or	dword ptr [eax+24h], 1
		mov	bl, 1
		jmp	short loc_56B045
PopInitilizeAcDcSettings endp

; 
		align 8
; Exported entry 688. HviGetHypervisorFeatures

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public HviGetHypervisorFeatures
HviGetHypervisorFeatures proc near	; CODE XREF: HvlpTryConfigureInterface+2Fp
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+90p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F49FF SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	_HviIsHypervisorMicrosoftCompatible@0 ;	HviIsHypervisorMicrosoftCompatible()
		xor	ecx, ecx
		test	al, al
		jnz	loc_5F49FF
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		mov	[eax+0Ch], ecx

loc_56B09D:				; CODE XREF: HviGetHypervisorFeatures+899A1j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
HviGetHypervisorFeatures endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1191. KeInterlockedSetProcessorAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInterlockedSetProcessorAffinityEx(x, x)
		public _KeInterlockedSetProcessorAffinityEx@8
_KeInterlockedSetProcessorAffinityEx@8 proc near
					; CODE XREF: KiComputeGroupSchedulingRank+16B685p
					; KiForceIdleParkUnparkProcessor(x,x):loc_621825p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		add	edx, 8
		push	esi
		xor	esi, esi
		inc	esi
		shl	esi, cl
		mov	eax, [edx]

loc_56B0C0:				; CODE XREF: KeInterlockedSetProcessorAffinityEx(x,x)+1Ej
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_56B0C0
		mov	ecx, eax
		and	esi, ecx
		neg	esi
		sbb	esi, esi
		neg	esi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_KeInterlockedSetProcessorAffinityEx@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetHardwareSpeculationControlFeatures(x, x, x)
_KiSetHardwareSpeculationControlFeatures@12 proc near
					; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+1AAp

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, ecx
		mov	[esp+2Ch+var_19], 0
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+28h+var_18]
		rep stosd
		lea	eax, [esp+0Fh]
		mov	ecx, ebx
		push	eax
		push	[ebp+arg_4]
		lea	edx, [esp+30h+var_18]
		push	[ebp+arg_0]
		call	_KiDetectHardwareSpecControlFeatures@20	; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)
		mov	edi, [esp+28h+var_18]
		xor	edx, edx
		mov	eax, edi
		and	eax, 20h
		or	eax, edx
		jz	short loc_56B128
		or	byte ptr [ebx+21B9h], 4

loc_56B128:				; CODE XREF: KiSetHardwareSpeculationControlFeatures(x,x,x)+43j
		cmp	[ebx+3CCh], edx
		jnz	short loc_56B182
		or	ds:dword_70E764, edx
		xor	eax, eax
		mov	edx, [esp+28h+var_10]
		or	eax, edi
		mov	esi, [esp+28h+var_8]
		mov	ecx, [esp+28h+var_4]
		mov	ds:_KiSpeculationFeatures, eax
		mov	al, [esp+28h+var_C]
		mov	ds:dword_70E768, edx
		mov	_KiSsbdMsr, edx
		xor	edx, edx
		mov	ds:_KiCpu0HardwareFlags, edi
		mov	ds:dword_70E770, esi
		mov	ds:dword_70E774, ecx
		mov	byte ptr ds:dword_70E76C, al
		mov	_KiSsbdBit, esi
		mov	dword_6B3FCC, ecx
		jmp	short loc_56B18B
; 

loc_56B182:				; CODE XREF: KiSetHardwareSpeculationControlFeatures(x,x,x)+52j
		mov	eax, ds:_KiCpu0HardwareFlags
		cmp	eax, edi
		jnz	short loc_56B1B6

loc_56B18B:				; CODE XREF: KiSetHardwareSpeculationControlFeatures(x,x,x)+A4j
		cmp	[esp+28h+var_19], 0
		jz	short loc_56B19C
		mov	ds:_KiMicrocodeTrackerEnabled, 1

loc_56B19C:				; CODE XREF: KiSetHardwareSpeculationControlFeatures(x,x,x)+B4j
		and	edi, 400000h
		or	edi, edx
		jz	short loc_56B1AD
		or	byte ptr [ebx+21B8h], 20h

loc_56B1AD:				; CODE XREF: KiSetHardwareSpeculationControlFeatures(x,x,x)+C8j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_56B1B6:				; CODE XREF: KiSetHardwareSpeculationControlFeatures(x,x,x)+ADj
		push	edx
		push	edi
		push	eax
		push	53524249h
		push	5Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_KiSetHardwareSpeculationControlFeatures@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlGetImplementedPhysicalBits(x)
_HvlGetImplementedPhysicalBits@4 proc near ; CODE XREF:	PAGELK:007264FFp

var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	esi, ecx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		call	HviGetEnlightenmentInformation
		mov	eax, [ebp+var_C]
		and	eax, 7Fh
		jnz	short loc_56B206
		xor	al, al

loc_56B1F8:				; CODE XREF: HvlGetImplementedPhysicalBits(x)+44j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_56B206:				; CODE XREF: HvlGetImplementedPhysicalBits(x)+2Ej
		mov	[esi], eax
		mov	al, 1
		jmp	short loc_56B1F8
_HvlGetImplementedPhysicalBits@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiDetectHardwareSpecControlFeatures(x, x, x, x, x)
_KiDetectHardwareSpecControlFeatures@20	proc near
					; CODE XREF: KiSetHardwareSpeculationControlFeatures(x,x,x)+31p
					; KiIsKvaShadowNeededForBranchConfusion(x)+20p	...

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= byte ptr -40h
var_3F		= byte ptr -3Fh
var_3E		= byte ptr -3Eh
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_70], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_6C], edx
		stosd
		xor	ebx, ebx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_54], 48h
		stosd
		mov	[ebp+var_4C], 4
		mov	[ebp+var_48], ebx
		mov	[ebp+var_3D], bl
		stosd
		mov	[ebp+var_40], bl
		mov	[ebp+var_3E], 1
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		stosd
		stosd
		stosd
		stosd
		mov	eax, ebx
		mov	[ebp+var_60], eax
		mov	edi, ebx
		mov	[ebp+var_58], eax
		mov	al, [ecx+3BEh]
		mov	[ebp+var_68], edi
		mov	[ebp+var_5C], edi
		mov	[ebp+var_3F], al
		call	_HviIsHypervisorMicrosoftCompatible@0 ;	HviIsHypervisorMicrosoftCompatible()
		mov	esi, 1000h
		test	al, al
		jz	short loc_56B2B8
		lea	eax, [ebp+var_3C]
		push	eax
		call	HviGetEnlightenmentInformation
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_2C]
		push	eax
		call	HviGetHypervisorFeatures
		mov	ecx, [ebp+var_28]
		mov	eax, ebx
		and	ecx, esi
		mov	edi, ebx
		or	eax, ecx
		jz	short loc_56B2C4
		test	[ebp+var_3C], esi
		jnz	short loc_56B2C4
		mov	[ebp+var_3E], bl
		jmp	short loc_56B2C4
; 

loc_56B2B8:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+78j
		call	HviIsAnyHypervisorPresent
		neg	al
		sbb	al, al
		and	[ebp+var_3E], al

loc_56B2C4:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+A0j
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+A5j ...
		xor	eax, eax
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [ebp+var_18]
		mov	[ebx], eax
		mov	[ebx+4], esi
		push	7
		mov	[ebx+8], ecx
		pop	eax
		mov	[ebx+0Ch], edx
		cmp	[ebp+var_18], eax
		jb	loc_56B3F8
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [ebp+var_18]
		mov	[ebx], eax
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		mov	eax, [ebp+var_C]
		test	eax, 20000000h
		jz	short loc_56B358
		mov	ecx, 10Ah
		rdmsr
		mov	edx, eax
		mov	eax, [ebp+var_60]
		mov	ecx, edx
		and	ecx, 2
		jz	short loc_56B32C
		or	edi, 1
		mov	[ebp+var_60], eax
		mov	[ebp+var_68], edi
		mov	[ebp+var_5C], edi
		mov	[ebp+var_58], eax

loc_56B32C:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+10Fj
		test	ecx, ecx
		setnz	cl
		mov	[ebp+var_40], cl
		mov	[ebp+var_3D], cl
		test	dl, 10h
		jz	short loc_56B355
		or	edi, 100h
		mov	[ebp+var_60], eax
		mov	[ebp+var_68], edi
		mov	[ebp+var_5C], edi
		mov	[ebp+var_58], eax
		mov	[ebp+var_3D], 1
		mov	[ebp+var_40], cl

loc_56B355:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+12Ej
		mov	eax, [ebp+var_C]

loc_56B358:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+FCj
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+1EEj
		cmp	[ebp+var_3F], 2
		jnz	loc_56B3FF
		mov	eax, 80000000h
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [ebp+var_18]
		mov	[ebx], eax
		mov	eax, 80000008h
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		xor	ecx, ecx
		mov	[ebx+0Ch], edx
		cmp	[ebp+var_18], eax
		jb	short loc_56B3A2
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [ebp+var_18]
		mov	[ebx], eax
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		mov	ecx, [ebp+var_14]

loc_56B3A2:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+17Cj
		mov	eax, [ebp+var_60]
		test	ecx, 1000h
		jz	short loc_56B3BA
		or	edi, 4
		mov	[ebp+var_58], eax
		mov	[ebp+var_5C], edi
		mov	[ebp+var_3D], 1

loc_56B3BA:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+19Fj
		test	ecx, 4000h
		jz	short loc_56B3CF
		or	edi, 10h
		mov	[ebp+var_58], eax
		mov	[ebp+var_5C], edi
		mov	[ebp+var_3D], 1

loc_56B3CF:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+1B4j
		test	ecx, 8000h
		jz	short loc_56B3E4
		or	edi, 40h
		mov	[ebp+var_58], eax
		mov	[ebp+var_5C], edi
		mov	[ebp+var_3D], 1

loc_56B3E4:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+1C9j
		lea	edx, [ebp+var_5C]
		call	_KiDetectAmdSsbdSupport@8 ; KiDetectAmdSsbdSupport(x,x)
		mov	esi, [ebp+var_58]
		mov	ebx, [ebp+var_5C]
		test	al, al
		jnz	short loc_56B43D
		jmp	short loc_56B441
; 

loc_56B3F8:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+D7j
		xor	eax, eax
		jmp	loc_56B358
; 

loc_56B3FF:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+150j
		mov	ebx, [ebp+var_68]
		mov	esi, [ebp+var_60]
		test	eax, 4000000h
		jz	short loc_56B419
		or	ebx, 14h
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_3D], 1

loc_56B419:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+1FEj
		test	eax, 8000000h
		jz	short loc_56B42D
		or	ebx, 44h
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_3D], 1

loc_56B42D:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+212j
		test	eax, eax
		jns	short loc_56B441
		or	ebx, 80h
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx

loc_56B43D:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+1E8j
		mov	[ebp+var_3D], 1

loc_56B441:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+1EAj
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+223j
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		and	eax, 1000000h
		or	eax, ecx
		jnz	short loc_56B458
		cmp	ds:_KiKvaShadowMode, 1
		jnz	short loc_56B461

loc_56B458:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+241j
		or	ebx, 20h
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx

loc_56B461:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+24Aj
		mov	eax, ebx
		and	eax, 14h
		cmp	eax, 14h
		jnz	loc_56B50C
		cmp	[ebp+var_3E], cl
		jz	short loc_56B480
		test	_KiFeatureSettings, 8000h
		jz	short loc_56B4E0

loc_56B480:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+266j
		mov	edx, [ebp+var_64]
		mov	eax, [edx+21C8h]
		test	al, 2
		jz	short loc_56B499
		or	ebx, 400h
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx

loc_56B499:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+27Fj
		test	al, 4
		jz	short loc_56B4BE
		or	ebx, 800h
		mov	[ebp+var_58], esi
		test	_KiFeatureSettings, 4000h
		mov	[ebp+var_5C], ebx
		jz	short loc_56B4BE
		or	ebx, 1
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx

loc_56B4BE:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+28Fj
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+2A7j
		cmp	[ebp+var_3F], 1
		jnz	short loc_56B4E3
		cmp	[ebp+var_3E], cl
		jnz	short loc_56B4CE
		cmp	[ebp+var_40], cl
		jz	short loc_56B4D2

loc_56B4CE:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+2BBj
		test	al, 3
		jz	short loc_56B50F

loc_56B4D2:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+2C0j
		or	ebx, 1000h
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx
		jmp	short loc_56B4E3
; 

loc_56B4E0:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+272j
		mov	edx, [ebp+var_64]

loc_56B4E3:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+2B6j
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+2D2j
		cmp	[ebp+var_3F], 2
		jnz	short loc_56B50F
		or	ebx, 1000h
		mov	[ebp+var_58], esi
		mov	eax, ebx
		mov	[ebp+var_5C], ebx
		and	eax, 40h
		or	eax, ecx
		jz	short loc_56B50F
		or	ebx, 4000h
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx
		jmp	short loc_56B50F
; 

loc_56B50C:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+25Dj
		mov	edx, [ebp+var_64]

loc_56B50F:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+2C4j
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+2DBj ...
		mov	edi, ds:_KeFeatureBits2
		mov	eax, edi
		and	eax, 20000h
		or	eax, ecx
		jz	short loc_56B538
		test	_KiFeatureSettings, 400000h
		jnz	short loc_56B538
		or	ebx, 2000h
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx

loc_56B538:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+312j
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+31Ej
		mov	ecx, edx
		call	_KiIsBranchConfusionPresent@4 ;	KiIsBranchConfusionPresent(x)
		test	eax, eax
		jz	short loc_56B54F
		or	ebx, 8000h
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx

loc_56B54F:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+335j
		mov	ecx, [ebp+var_64]
		call	_KiIsTsaPresent@4 ; KiIsTsaPresent(x)
		mov	edx, 2000000h
		test	eax, eax
		jz	short loc_56B568
		or	ebx, edx
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx

loc_56B568:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+352j
		mov	cl, [ebp+var_3F]
		cmp	cl, 2
		jnz	short loc_56B57C
		mov	eax, edi
		and	eax, edx
		xor	edx, edx
		or	eax, edx
		jz	short loc_56B587
		jmp	short loc_56B57E
; 

loc_56B57C:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+362j
		xor	edx, edx

loc_56B57E:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+36Ej
		or	ebx, 8
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx

loc_56B587:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+36Cj
		mov	byte ptr [ebp+var_50], dl
		cmp	cl, 1
		jnz	loc_56B627
		mov	ch, [ebp+var_3E]
		mov	eax, edi
		and	eax, 4000000h
		or	eax, edx
		jnz	short loc_56B5B6
		test	ch, ch
		jnz	short loc_56B5AA
		cmp	[ebp+var_40], ch
		jz	short loc_56B5B6

loc_56B5AA:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+397j
		or	ebx, 10000h
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx

loc_56B5B6:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+393j
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+39Cj
		mov	eax, ebx
		and	eax, 10000h
		or	eax, edx
		jz	short loc_56B627
		and	edi, 8000000h
		mov	eax, edi
		or	eax, edx
		jz	short loc_56B5D9
		or	ebx, 20000h
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx

loc_56B5D9:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+3BFj
		cmp	ds:_KiTsxSupported, 0
		jz	short loc_56B5E8
		mov	byte ptr [ebp+var_50], 3
		jmp	short loc_56B627
; 

loc_56B5E8:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+3D4j
		or	edi, edx
		jnz	short loc_56B623
		mov	eax, [ebp+var_64]
		cmp	byte ptr [eax+14h], 6
		jnz	short loc_56B61B
		mov	cl, [eax+17h]
		cmp	cl, 97h
		jnz	short loc_56B60B
		mov	al, [eax+16h]
		cmp	al, 2
		jz	short loc_56B623
		cmp	al, 5
		jz	short loc_56B623
		mov	eax, [ebp+var_64]

loc_56B60B:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+3EFj
		cmp	cl, 9Ah
		jnz	short loc_56B61B
		mov	al, [eax+16h]
		cmp	al, 3
		jz	short loc_56B623
		cmp	al, 4
		jz	short loc_56B623

loc_56B61B:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+3E7j
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+402j
		mov	byte ptr [ebp+var_50], 1
		test	ch, ch
		jz	short loc_56B627

loc_56B623:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+3DEj
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+3F6j ...
		mov	byte ptr [ebp+var_50], 2

loc_56B627:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+381j
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+3B3j ...
		test	_KiFeatureSettings, 10000h
		jz	short loc_56B63F
		and	ebx, 0FFFFF7FEh
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx

loc_56B63F:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+425j
		mov	edi, [ebp+var_64]
		mov	ecx, edi
		call	_KiIsSrsoPresent@4 ; KiIsSrsoPresent(x)
		test	eax, eax
		jz	short loc_56B659
		or	ebx, 200000h
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx

loc_56B659:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+43Fj
		cmp	[ebp+var_3F], 2
		jnz	short loc_56B66B
		or	ebx, 400000h
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx

loc_56B66B:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+451j
		mov	ecx, edi
		call	_KiIsRfdsPresent@4 ; KiIsRfdsPresent(x)
		test	eax, eax
		jz	short loc_56B69A
		mov	eax, ds:dword_70E77C
		or	ebx, 800000h
		and	eax, 10h
		mov	[ebp+var_5C], ebx
		or	edx, eax
		mov	[ebp+var_58], esi
		jz	short loc_56B69A
		or	ebx, 1000000h
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx

loc_56B69A:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+468j
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+480j
		mov	edi, [ebp+var_6C]
		lea	esi, [ebp+var_5C]
		push	6
		pop	ecx
		rep movsd
		mov	ecx, [ebp+var_70]
		test	ecx, ecx
		jz	short loc_56B6B1
		mov	al, [ebp+var_3D]
		mov	[ecx], al

loc_56B6B1:				; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+49Ej
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_KiDetectHardwareSpecControlFeatures@20	endp

; 
		align 8
; Exported entry 686. HviGetEnlightenmentInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public HviGetEnlightenmentInformation
HviGetEnlightenmentInformation proc near ; CODE	XREF: HvlGetImplementedPhysicalBits(x)+23p
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+7Ep ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F4A1E SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	_HviIsHypervisorMicrosoftCompatible@0 ;	HviIsHypervisorMicrosoftCompatible()
		xor	ecx, ecx
		test	al, al
		jnz	loc_5F4A1E
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		mov	[eax+0Ch], ecx

loc_56B6ED:				; CODE XREF: HviGetEnlightenmentInformation+89370j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
HviGetEnlightenmentInformation endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 695. HviIsHypervisorMicrosoftCompatible

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HviIsHypervisorMicrosoftCompatible()
		public _HviIsHypervisorMicrosoftCompatible@0
_HviIsHypervisorMicrosoftCompatible@0 proc near
					; CODE XREF: HvlpTryConfigureInterface:loc_56AE31p
					; HviGetHypervisorFeatures+8p ...

var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		call	HviGetHypervisorInterface
		cmp	[ebp+var_14], 31237648h
		mov	ecx, [ebp+var_4]
		setz	al
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_HviIsHypervisorMicrosoftCompatible@0 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 689. HviGetHypervisorInterface

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public HviGetHypervisorInterface
HviGetHypervisorInterface proc near	; CODE XREF: HviIsHypervisorMicrosoftCompatible()+20p
					; HvlpHvIdentityInfoCallback(x,x,x,x)+3Ep ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F4A3D SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	HviIsAnyHypervisorPresent
		xor	ecx, ecx
		test	al, al
		jnz	loc_5F4A3D
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		mov	[eax+0Ch], ecx

loc_56B761:				; CODE XREF: HviGetHypervisorInterface+8931Bj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
HviGetHypervisorInterface endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiGetIptInfo	proc near		; CODE XREF: KiInitializeXSave+5Bp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F4A5C SIZE 000000CF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_28], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_24]
		stosd
		stosd
		stosd
		stosd
		mov	edi, ecx
		and	dword ptr [edi], 0
		and	dword ptr [edx], 0
		call	KiGetCpuVendor
		cmp	eax, 1
		jnz	short loc_56B7C7
		xor	eax, eax
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [ebp+var_14]
		mov	[ebx], eax
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		cmp	[ebp+var_14], 14h
		jnb	loc_5F4A5C

loc_56B7C7:				; CODE XREF: KiGetIptInfo+3Aj
					; KiGetIptInfo+89326j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
KiGetIptInfo	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiGetXSaveSupportedFeatures proc near	; CODE XREF: KiInitializeXSave+4Ep

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F4B2B SIZE 000000D5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_18], ecx
		lea	edi, [ebp+var_14]
		xor	ecx, ecx
		stosd
		push	ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		lea	edi, [ebp+var_14]
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		xor	ebx, ebx
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	[ebp+var_C], 4000000h
		mov	[ebp+var_20], ebx
		jz	loc_5F4BF0
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		xor	ecx, ecx
		push	0Dh
		stosd
		stosd
		stosd
		pop	eax
		push	ebx
		cpuid
		mov	esi, ebx
		lea	edi, [ebp+var_14]
		pop	ebx
		nop
		mov	[edi], eax
		xor	ebx, ebx
		mov	[edi+4], esi
		mov	[edi+8], ecx
		xor	ecx, ecx
		mov	[edi+0Ch], edx
		mov	edx, [ebp+var_18]
		or	ecx, [ebp+var_14]
		mov	eax, [ebp+var_8]
		or	eax, ebx
		mov	[edx], ecx
		and	ecx, 3
		mov	[edx+4], eax
		cmp	ecx, 3
		jnz	loc_5F4BF3
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		xor	ecx, ecx
		push	0Dh
		inc	ecx
		stosd
		stosd
		stosd
		pop	eax
		push	ebx
		cpuid
		mov	esi, ebx
		lea	edi, [ebp+var_14]
		pop	ebx
		nop
		mov	ebx, [ebp+var_18]
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		xor	edx, edx
		mov	ecx, [ebp+var_14]
		mov	eax, ecx
		and	eax, 0Ah
		cmp	al, 0Ah
		mov	eax, [ebx+14h]
		setz	dl
		and	ecx, 1
		add	edx, edx
		and	eax, 0FFFFFFFCh
		or	edx, ecx
		or	edx, eax
		xor	eax, eax
		mov	[ebx+14h], edx
		test	dl, 2
		jnz	loc_5F4B2B
		mov	ecx, eax
		mov	edx, eax

loc_56B8BD:				; CODE XREF: KiGetXSaveSupportedFeatures+8935Fj
		mov	[ebx+218h], ecx
		mov	edi, 240h
		mov	[ebx+21Ch], edx
		mov	ecx, 0A0h
		mov	[ebx+18h], eax
		lea	eax, [ebx+1Ch]
		mov	[eax], ecx
		push	2
		mov	[ebp+var_2C], eax
		lea	eax, [ebx+2Ch]
		mov	[ebx+20h], ecx
		pop	ecx
		mov	dword ptr [ebx+24h], 80h
		mov	[ebp+var_1C], edi
		mov	[ebp+var_24], ecx
		mov	[ebp+var_28], eax

loc_56B8F7:				; CODE XREF: KiGetXSaveSupportedFeatures+151j
		xor	eax, eax
		xor	edx, edx
		inc	eax
		call	__allshl
		mov	esi, [ebx]
		mov	ecx, [ebx+4]
		and	esi, eax
		and	ecx, edx
		mov	[ebp+var_30], eax
		or	esi, ecx
		mov	[ebp+var_34], edx
		jnz	short loc_56B945
		mov	edx, [ebp+var_28]

loc_56B917:				; CODE XREF: KiGetXSaveSupportedFeatures+1B6j
					; KiGetXSaveSupportedFeatures+89376j
		mov	ecx, [ebp+var_24]
		add	edx, 8
		inc	ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ecx
		cmp	ecx, 40h
		jb	short loc_56B8F7
		test	byte ptr [ebx+14h], 2
		mov	[ebx+10h], edi
		jnz	loc_5F4B51

loc_56B936:				; CODE XREF: KiGetXSaveSupportedFeatures+89415j
					; KiGetXSaveSupportedFeatures+89425j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_56B945:				; CODE XREF: KiGetXSaveSupportedFeatures+13Cj
		mov	ecx, [ebp+var_24]
		lea	edi, [ebp+var_14]
		xor	eax, eax
		stosd
		push	0Dh
		stosd
		stosd
		stosd
		pop	eax
		push	ebx
		cpuid
		mov	esi, ebx
		lea	edi, [ebp+var_14]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	edx, [ebp+var_28]
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_10]
		mov	edi, [ebp+var_1C]
		mov	[edx], eax
		add	eax, ecx
		mov	[edx-4], ecx
		cmp	edi, eax
		jnb	short loc_56B985
		mov	edi, eax
		mov	[ebp+var_1C], edi

loc_56B985:				; CODE XREF: KiGetXSaveSupportedFeatures+1A8j
		test	byte ptr [ebp+var_C], 2
		mov	ebx, [ebp+var_18]
		jz	short loc_56B917
		jmp	loc_5F4B3A
KiGetXSaveSupportedFeatures endp

; 
		align 4

;  S U B	R O U T	I N E 


PpmHvUseNativeAlgorithms proc near	; CODE XREF: PoInitializePrcb+6Cp
					; PpmIdleRegisterDefaultStates+13p ...

; FUNCTION CHUNK AT 005F4C00 SIZE 0000001D BYTES

		cmp	ds:_HvlHypervisorConnected, 0
		jnz	loc_5F4C00
		mov	al, 1
		retn
PpmHvUseNativeAlgorithms endp


;  S U B	R O U T	I N E 


; __stdcall OBJECT_HEADER_TO_CREATOR_INFO(x)
_OBJECT_HEADER_TO_CREATOR_INFO@4 proc near ; CODE XREF:	ObCreateObjectTypeEx+389p
		mov	al, [ecx+0Eh]
		add	ecx, 0FFFFFFF0h
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		retn
_OBJECT_HEADER_TO_CREATOR_INFO@4 endp


;  S U B	R O U T	I N E 


ExInitializeProcessor proc near		; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+29Dp
					; ExpInitSystemPhase1+73p

; FUNCTION CHUNK AT 005F4C1D SIZE 00000054 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	43497845h
		push	80h
		push	200h
		mov	bl, dl
		mov	edi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_56B9FC
		push	offset _ExSystemLookasideListHead
		push	20h
		push	43497845h
		push	2DCh
		mov	edx, 200h
		mov	ecx, esi
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		mov	[edi+5E0h], esi

loc_56B9FC:				; CODE XREF: ExInitializeProcessor+21j
		test	bl, bl
		jnz	loc_5F4C1D

loc_56BA04:				; CODE XREF: ExInitializeProcessor+892B6j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		retn
ExInitializeProcessor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeRegisterObjectTypeMandatoryPolicy proc near ;	CODE XREF: PspInitPhase0+2DAp
					; PspInitPhase0+38Dp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F4C71 SIZE 00000073 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		mov	byte ptr [ebp+var_4+3],	0
		nop
		mov	edi, offset _SepMandatoryObjectTypePolicyLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	edx, _SepMandatoryObjectTypePolicyCount
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_56BA7C
		mov	eax, offset _SepMandatoryObjectTypePolicy

loc_56BA5C:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+60j
		cmp	esi, [eax]
		jz	loc_5F4C71
		inc	ecx
		add	eax, 14h
		cmp	ecx, edx
		jb	short loc_56BA5C
		mov	al, byte ptr [ebp+var_4+3]

loc_56BA6F:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+89269j
		cmp	ecx, 20h
		jnb	loc_5F4C78
		test	al, al
		jnz	short loc_56BA9A

loc_56BA7C:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+4Bj
		imul	eax, ecx, 14h
		and	dword_6BE78C[eax], 0
		and	dword_6BE784[eax], 0
		inc	edx
		mov	_SepMandatoryObjectTypePolicy[eax], esi
		mov	_SepMandatoryObjectTypePolicyCount, edx

loc_56BA9A:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+70j
		imul	eax, ecx, 14h
		mov	ecx, [ebp+var_10]
		or	dword_6BE784[eax], 1
		mov	dword_6BE788[eax], ecx
		test	cl, 1
		jz	short loc_56BABC
		or	dword_6BE78C[eax], 100h

loc_56BABC:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+A6j
		test	cl, 2
		jz	short loc_56BACB
		or	dword_6BE78C[eax], 200h

loc_56BACB:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+B5j
		test	cl, 4
		jnz	loc_5F4C84

loc_56BAD4:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+89284j
		and	[ebp+var_10], 0

loc_56BAD8:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+89275j
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_8], edx
		mov	eax, edx
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_5F4C93

loc_56BAEC:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+8928Bj
					; SeRegisterObjectTypeMandatoryPolicy+8929Bj
		xor	edi, edi
		mov	eax, offset _SepMandatoryObjectTypePolicyLock
		mov	[ebp+var_C], edi
		test	eax, 7FFFFFFCh
		jz	loc_56BC07
		mov	esi, large fs:124h
		mov	ecx, eax
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	eax, offset _SepMandatoryObjectTypePolicyLock
		ja	short loc_56BB45
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_56BC1F
		mov	eax, [ebp+var_20]
		cmp	eax, offset _SepMandatoryObjectTypePolicyLock
		ja	short loc_56BB45
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_56BC1F

loc_56BB45:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+113j
					; SeRegisterObjectTypeMandatoryPolicy+12Cj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _SepMandatoryObjectTypePolicyLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_56BC74
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_56BC87

loc_56BB89:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+285j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	loc_5F4CBF
		or	[esi+1E4h], dl

loc_56BBCF:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+272j
					; SeRegisterObjectTypeMandatoryPolicy+892C1j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	short loc_56BC34

loc_56BBE2:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+25Fj
					; SeRegisterObjectTypeMandatoryPolicy+892D5j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_56BC07
		nop
		lea	ecx, [esi+70h]
		cmp	[ecx], ecx
		jnz	loc_56BC94

loc_56BC07:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+F1j
					; SeRegisterObjectTypeMandatoryPolicy+1EFj ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_10]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_56BC1F:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+11Ej
					; SeRegisterObjectTypeMandatoryPolicy+135j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_8], eax
		jmp	loc_56BB45
; 

loc_56BC34:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+1D6j
		test	edi, 8000h
		jz	short loc_56BC45
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_56BC45:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+230j
		test	byte ptr [ebp+var_C+2],	1
		jnz	short loc_56BC9E

loc_56BC4B:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+2A4j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_56BC5F
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_56BC5F:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+248j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_56BBE2
		jmp	loc_5F4CD0
; 

loc_56BC74:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+167j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_56BBCF
		jmp	loc_5F4CAA
; 

loc_56BC87:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+179j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_56BB89
; 

loc_56BC94:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+1F7j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_56BC07
; 

loc_56BC9E:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+23Fj
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	short loc_56BC4B
SeRegisterObjectTypeMandatoryPolicy endp


;  S U B	R O U T	I N E 


; __stdcall WheapCallErrorSourceInitialize(x, x)
_WheapCallErrorSourceInitialize@8 proc near
					; CODE XREF: WheapInitializeDeferredErrorSources(x)+3Ep
					; WheaInitializeProcessor(x,x)+70p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		xor	edx, edx
		inc	edx
		cmp	dword ptr [esi+20h], 10h
		jz	short loc_56BCE3
		push	0
		call	_WheapGetErrorSourceFunction@12	; WheapGetErrorSourceFunction(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_56BCF9
		push	dword ptr [esi+28h]
		lea	eax, [esi+50h]
		push	eax
		push	edi
		call	ecx

loc_56BCD8:				; CODE XREF: WheapCallErrorSourceInitialize(x,x)+47j
		mov	edi, eax

loc_56BCDA:				; CODE XREF: WheapCallErrorSourceInitialize(x,x)+3Dj
					; WheapCallErrorSourceInitialize(x,x)+4Ej
		lock dec dword ptr [esi+4Ch]
		mov	eax, edi
		pop	edi
		pop	esi
		retn
; 

loc_56BCE3:				; CODE XREF: WheapCallErrorSourceInitialize(x,x)+Fj
		xor	edi, edi
		push	edi
		call	_WheapGetErrorSourceFunction@12	; WheapGetErrorSourceFunction(x,x,x)
		test	eax, eax
		jz	short loc_56BCDA
		push	dword ptr [esi+6Ch]
		push	dword ptr [esi+28h]
		call	eax
		jmp	short loc_56BCD8
; 

loc_56BCF9:				; CODE XREF: WheapCallErrorSourceInitialize(x,x)+1Cj
		mov	edi, 0C0000002h
		jmp	short loc_56BCDA
_WheapCallErrorSourceInitialize@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapInitializeErrorRecordWrapper(x, x, x)
_WheapInitializeErrorRecordWrapper@12 proc near	; CODE XREF: WheapAllocErrorRecord(x,x)+66p
					; WheapInitializeErrorSource+96p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		or	dword ptr [ecx+22h], 0FFFFFFFFh
		mov	[ecx+18h], eax
		mov	eax, 210h
		mov	[ecx+8], edx
		push	ebx
		push	esi
		push	edi
		mov	esi, offset _WHEA_RECORD_CREATOR_GUID
		mov	[ecx+20h], ax
		lea	edi, [ecx+5Ch]
		mov	dword ptr [ecx+1Ch], 52455043h
		lea	ebx, [ecx+9Ch]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_0]
		mov	ax, [esi+2Ch]
		mov	[ecx+26h], ax
		lea	eax, [edx-1Ch]
		mov	dword ptr [ecx+28h], 3
		xor	edx, edx
		mov	[ecx+30h], eax
		mov	eax, [esi+2Ch]
		imul	ecx, eax, 48h
		sub	ecx, 0FFFFFF80h
		test	eax, eax
		jz	short loc_56BD7B

loc_56BD5E:				; CODE XREF: WheapInitializeErrorRecordWrapper(x,x,x)+79j
		mov	[ebx], ecx
		lea	ebx, [ebx+48h]
		mov	eax, [esi+30h]
		mov	[ebx-44h], eax
		mov	eax, 300h
		mov	[ebx-40h], ax
		add	ecx, [esi+30h]
		inc	edx
		cmp	edx, [esi+2Ch]
		jb	short loc_56BD5E

loc_56BD7B:				; CODE XREF: WheapInitializeErrorRecordWrapper(x,x,x)+5Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_WheapInitializeErrorRecordWrapper@12 endp


;  S U B	R O U T	I N E 


; __stdcall WheapCallErrorSourceCorrect(x)
_WheapCallErrorSourceCorrect@4 proc near ; CODE	XREF: WheapInitializeErrorSource+2Ap
		mov	edi, edi
		push	esi
		push	0
		xor	edx, edx
		mov	esi, ecx
		call	_WheapGetErrorSourceFunction@12	; WheapGetErrorSourceFunction(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_56BDA6
		lea	eax, [esi+30h]
		push	eax
		lea	eax, [esi+50h]
		push	eax
		call	ecx

loc_56BDA0:				; CODE XREF: WheapCallErrorSourceCorrect(x)+29j
		lock dec dword ptr [esi+4Ch]
		pop	esi
		retn
; 

loc_56BDA6:				; CODE XREF: WheapCallErrorSourceCorrect(x)+12j
		mov	eax, 0C0000002h
		jmp	short loc_56BDA0
_WheapCallErrorSourceCorrect@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapGetErrorSourceFunction(x, x, x)
_WheapGetErrorSourceFunction@12	proc near
					; CODE XREF: WheapCallErrorSourceInitialize(x,x)+13p
					; WheapCallErrorSourceInitialize(x,x)+36p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		test	esi, esi
		jz	loc_56BE7A
		cmp	dword ptr [esi+20h], 10h
		ja	loc_56BE7A
		cmp	[ebp+arg_0], 0
		push	ebx
		jnz	short loc_56BDFA
		cmp	dword ptr [esi+5Ch], 3
		jz	loc_56BE79
		jmp	short loc_56BDF1
; 

loc_56BDDE:				; CODE XREF: WheapGetErrorSourceFunction(x,x,x)+48j
		lea	ecx, [ebx+1]
		mov	eax, ebx
		lea	edi, [esi+4Ch]
		lock cmpxchg [edi], ecx
		push	0
		pop	edi
		cmp	eax, ebx
		jz	short loc_56BDFA

loc_56BDF1:				; CODE XREF: WheapGetErrorSourceFunction(x,x,x)+2Ej
		mov	ebx, [esi+4Ch]
		test	ebx, ebx
		jns	short loc_56BDDE
		jmp	short loc_56BE79
; 

loc_56BDFA:				; CODE XREF: WheapGetErrorSourceFunction(x,x,x)+22j
					; WheapGetErrorSourceFunction(x,x,x)+41j
		sub	edx, edi
		jz	short loc_56BE60
		sub	edx, 1
		jz	short loc_56BE45
		sub	edx, 1
		jz	short loc_56BE39
		sub	edx, 1
		jz	short loc_56BE2D
		sub	edx, 1
		jnz	short loc_56BE79
		mov	eax, [esi+20h]
		cmp	eax, 10h
		jnz	short loc_56BE22
		mov	edi, [esi+0A0h]
		jmp	short loc_56BE79
; 

loc_56BE22:				; CODE XREF: WheapGetErrorSourceFunction(x,x,x)+6Aj
		imul	eax, 24h
		mov	edi, dword_6FD67C[eax]
		jmp	short loc_56BE79
; 

loc_56BE2D:				; CODE XREF: WheapGetErrorSourceFunction(x,x,x)+5Dj
		imul	eax, [esi+20h],	24h
		mov	edi, dword_6FD678[eax]
		jmp	short loc_56BE79
; 

loc_56BE39:				; CODE XREF: WheapGetErrorSourceFunction(x,x,x)+58j
		imul	eax, [esi+20h],	24h
		mov	edi, dword_6FD674[eax]
		jmp	short loc_56BE79
; 

loc_56BE45:				; CODE XREF: WheapGetErrorSourceFunction(x,x,x)+53j
		mov	eax, [esi+20h]
		cmp	eax, 10h
		jnz	short loc_56BE55
		mov	edi, [esi+9Ch]
		jmp	short loc_56BE79
; 

loc_56BE55:				; CODE XREF: WheapGetErrorSourceFunction(x,x,x)+9Dj
		imul	eax, 24h
		mov	edi, dword_6FD670[eax]
		jmp	short loc_56BE79
; 

loc_56BE60:				; CODE XREF: WheapGetErrorSourceFunction(x,x,x)+4Ej
		mov	eax, [esi+20h]
		cmp	eax, 10h
		jnz	short loc_56BE70
		mov	edi, [esi+0A4h]
		jmp	short loc_56BE79
; 

loc_56BE70:				; CODE XREF: WheapGetErrorSourceFunction(x,x,x)+B8j
		imul	eax, 24h
		mov	edi, dword_6FD66C[eax]

loc_56BE79:				; CODE XREF: WheapGetErrorSourceFunction(x,x,x)+28j
					; WheapGetErrorSourceFunction(x,x,x)+4Aj ...
		pop	ebx

loc_56BE7A:				; CODE XREF: WheapGetErrorSourceFunction(x,x,x)+Dj
					; WheapGetErrorSourceFunction(x,x,x)+17j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_WheapGetErrorSourceFunction@12	endp

; 

; __stdcall WheapAddErrorSource(x, x)
_WheapAddErrorSource@8:			; CODE XREF: WheaAddErrorSource+89p
					; WheapInitializeErrorSourceTable(x,x)+D4p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, offset unk_6F9ADC
		push	edi
		push	edi
		push	edi
		push	edi
		push	ebx
		mov	esi, edx
		call	KeWaitForSingleObject
		mov	eax, dword_6F9AD0
		mov	ecx, offset dword_6F9AD4
		mov	[esi+6Ch], eax
		mov	eax, dword_6F9AD8
		cmp	[eax], ecx
		jnz	short loc_56BED7
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6F9AD8, esi
		lock inc dword_6F9ACC
		lock inc dword_6F9AD0
		push	edi
		push	edi
		push	ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_56BED7:				; CODE XREF: .text:0056BEAEj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 684. HeadlessDispatch

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	HeadlessDispatch(int,int,int,void *,int)
		public HeadlessDispatch
HeadlessDispatch proc near		; CODE XREF: BgkDisplayStringEx(x)+3Fp
					; BvgaDisplayString(x)+41p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005F4CE4 SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, _HeadlessGlobals
		test	eax, eax
		jnz	loc_5F4CE4

loc_56BEF5:				; CODE XREF: HeadlessDispatch+88E06j
		mov	eax, [ebp+arg_0]
		cmp	eax, 15h
		jnz	short loc_56BF07

loc_56BEFD:				; CODE XREF: HeadlessDispatch+88E28j
		mov	eax, 0C0000001h

loc_56BF02:				; CODE XREF: HeadlessDispatch+4Cj
					; HeadlessDispatch+53j	...
		pop	ecx
		pop	ebp
		retn	14h
; 

loc_56BF07:				; CODE XREF: HeadlessDispatch+19j
		cmp	eax, 10h
		jnz	loc_5F4D07

loc_56BF10:				; CODE XREF: HeadlessDispatch+88E31j
					; HeadlessDispatch+88E3Aj ...
		cmp	[ebp+arg_C], 0
		jz	short loc_56BF30
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_56BF30
		push	dword ptr [eax]	; size_t
		push	0		; int
		push	[ebp+arg_C]	; void *
		call	_memset
		add	esp, 0Ch

loc_56BF2C:				; CODE XREF: HeadlessDispatch+88E4Cj
		xor	eax, eax
		jmp	short loc_56BF02
; 

loc_56BF30:				; CODE XREF: HeadlessDispatch+32j
					; HeadlessDispatch+39j
		mov	eax, 0C000000Dh
		jmp	short loc_56BF02
HeadlessDispatch endp

; 
		align 4

;  S U B	R O U T	I N E 


PiDmaGuardInitialize proc near		; CODE XREF: PnpBootPhaseComplete+2Ap
					; IopInitializePlugPlayServices(x,x)+8AEp ...

; FUNCTION CHUNK AT 005F4D39 SIZE 0000000F BYTES
; FUNCTION CHUNK AT 005F4D57 SIZE 0000002A BYTES

		mov	edi, edi
		push	ecx
		test	ecx, ecx
		jz	short loc_56BF50
		cmp	ecx, 1
		jz	short loc_56BF57
		cmp	ecx, 2
		jnz	short loc_56BF68
		call	PipDmgInitPhaseTwo
		pop	ecx
		retn
; 

loc_56BF50:				; CODE XREF: PiDmaGuardInitialize+5j
		call	PipDmgInitPhaseZero
		pop	ecx
		retn
; 

loc_56BF57:				; CODE XREF: PiDmaGuardInitialize+Aj
		cmp	_PipDmaGuardPolicy, 0
		jnz	loc_5F4D39

loc_56BF64:				; CODE XREF: PiDmaGuardInitialize+88E0Bj
		xor	eax, eax
		pop	ecx
		retn
; 

loc_56BF68:				; CODE XREF: PiDmaGuardInitialize+Fj
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

IopInterlockedInsertHeadList:		; CODE XREF: IoRegisterLastChanceShutdownNotification(x)+32p
					; IoRegisterShutdownNotification(x)+32p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	edi, ecx
		mov	esi, edx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, [edi]
		mov	bl, al
		cmp	[ecx+4], edi
		jnz	short loc_56BFD7
		mov	eax, large fs:20h
		mov	[esi], ecx
		mov	[esi+4], edi
		mov	[ecx+4], esi
		mov	[edi], esi
		lea	esi, [eax+468h]
		test	ds:byte_70EFC6,	1
		jnz	loc_5F4D57
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5F4D6D
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5F4D66

loc_56BFCB:				; CODE XREF: PiDmaGuardInitialize+88E29j
					; PiDmaGuardInitialize+88E44j
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_56BFD7:				; CODE XREF: PiDmaGuardInitialize+51j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PiDmaGuardInitialize endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipAllocRegEntry proc near		; CODE XREF: WmipRegisterDevice+8Bp
					; WmipInitializeDataStructs+79p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F4D81 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	[ebp+var_4], ecx
		mov	ebx, edx
		push	edi
		mov	ecx, offset _WmipRegLookaside
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_56C087
		push	8
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		mov	eax, [ebp+var_4]
		xor	edi, edi
		push	edi
		push	edi
		push	edi
		and	ebx, 0FF000001h
		mov	[esi+8], eax
		push	edi
		or	ebx, 1
		push	offset _WmipSMMutex
		mov	[esi+18h], ebx
		call	KeWaitForSingleObject
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _WmipRegistrationSpinLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, off_6B29D4
		mov	eax, offset _WmipInUseRegEntryHead
		inc	_WmipInUseRegEntryCount
		cmp	[ecx], eax
		jnz	short loc_56C08E
		mov	[esi+4], ecx
		mov	[esi], eax
		mov	[ecx], esi
		mov	ecx, offset _WmipRegistrationSpinLock
		test	ds:byte_70EFC6,	1
		mov	off_6B29D4, esi
		jnz	loc_5F4D81
		xor	eax, eax
		lock and [ecx],	eax

loc_56C074:				; CODE XREF: WmipAllocRegEntry+88DADj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	edi
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_56C087:				; CODE XREF: WmipAllocRegEntry+1Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_56C08E:				; CODE XREF: WmipAllocRegEntry+72j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

IopSetFsRegistrationInProgress:		; CODE XREF: IoRegisterFileSystem+25p
					; IoRegisterFileSystem+D2p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	0Ah
		mov	bl, cl
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, large fs:20h
		mov	bh, al
		test	ds:byte_70EFC6,	1
		mov	_IopFsRegistrationInProgress, bl
		lea	esi, [ecx+468h]
		jnz	loc_5F4D8E
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5F4DA4
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5F4D9D

loc_56C0E4:				; CODE XREF: WmipAllocRegEntry+88DBCj
					; WmipAllocRegEntry+88DD7j
		pop	esi
		mov	cl, bh
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
WmipAllocRegEntry endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __fastcall SymCryptInit()
@SymCryptInit@0	proc near		; CODE XREF: HvInitializeHashLibrary()+7p
		mov	ecx, (offset loc_640004+1)
		jmp	@SymCryptInitEnvWindowsKernelmodeWin8_1nLater@4	; SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)
@SymCryptInit@0	endp

; 
		align 10h
; Exported entry 1366. MmAdjustWorkingSetSize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAdjustWorkingSetSize(x, x, x, x)
		public _MmAdjustWorkingSetSize@16
_MmAdjustWorkingSetSize@16 proc	near	; CODE XREF: CmpInitializeRegistryProcess()+D6p
					; PspApplyWorkingSetLimitsToProcess+17F3ABp ...

var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp-1]
		mov	ecx, [ebp+arg_0]
		push	eax
		push	0
		push	[ebp+arg_C]
		mov	[ebp+var_1], 0
		push	[ebp+arg_8]
		call	MmAdjustWorkingSetSizeEx
		leave
		retn	10h
_MmAdjustWorkingSetSize@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmSiProcessTupleStartFromHandle	proc near ; CODE XREF: CmpInitializeRegistryProcess()+B5p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F4DB8 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [esp+10h+var_4]
		push	ebx
		push	eax
		push	ebx
		push	ebx
		mov	edi, edx
		mov	[esp+20h+var_4], ebx
		push	1FFFFFh
		push	edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_5F4DB8
		mov	eax, [esp+10h+var_4]
		mov	esi, ebx
		mov	_CmpRegistryProcess, edi
		mov	dword_6CDE84, eax

loc_56C168:				; CODE XREF: CmSiProcessTupleStartFromHandle+88C98j
					; CmSiProcessTupleStartFromHandle+88CA8j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
CmSiProcessTupleStartFromHandle	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInitializeLoadOptions proc near	; CODE XREF: CmInitSystem1(x)+4B1p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_98		= dword	ptr  0A0h

; FUNCTION CHUNK AT 005F4DD3 SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		lea	eax, [ebp+var_8]
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edi
		push	dword ptr [esi+78h]
		mov	[ebp+var_4], edi
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		mov	ds:_CmpLoadOptions, ax
		push	30394D43h
		lea	eax, ds:2[ecx*2]
		mov	ds:word_AFD0C2,	ax
		movzx	eax, cx
		lea	eax, ds:2[eax*2]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:dword_AFD0C4, eax
		push	edi
		test	eax, eax
		jz	loc_5F4DD3
		lea	eax, [ebp+var_8]
		push	eax
		push	offset _CmpLoadOptions
		call	RtlAnsiStringToUnicodeString
		movzx	ecx, word ptr [ebp+var_8]
		xor	edx, edx
		mov	eax, ds:dword_AFD0C4
		pop	edi
		pop	esi
		mov	[eax+ecx*2], dx
		add	ds:_CmpLoadOptions, 2
		leave
		retn
CmpInitializeLoadOptions endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSetSystemRegistryString(x, x, x)
_CmpSetSystemRegistryString@12 proc near ; CODE	XREF: CmpSetSystemValues+C2p
					; CmpSetSystemValues+DFp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		cmp	[ebp+arg_0], 0
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jz	short loc_56C254
		push	[ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlCreateUnicodeStringFromAsciiz@8 ; RtlCreateUnicodeStringFromAsciiz(x,x)
		test	al, al
		jz	short loc_56C269
		movzx	eax, word ptr [ebp+var_8]
		add	eax, 2
		push	eax
		push	[ebp+var_4]
		push	1
		push	0
		push	esi
		push	edi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax

loc_56C23D:				; CODE XREF: CmpSetSystemRegistryString(x,x,x)+6Dj
					; CmpSetSystemRegistryString(x,x,x)+74j
		cmp	[ebp+var_4], 0
		jz	short loc_56C24C
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_56C24C:				; CODE XREF: CmpSetSystemRegistryString(x,x,x)+47j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
; 

loc_56C254:				; CODE XREF: CmpSetSystemRegistryString(x,x,x)+19j
		push	esi
		push	edi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		lea	esi, [eax+3FFFFFCCh]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jmp	short loc_56C23D
; 

loc_56C269:				; CODE XREF: CmpSetSystemRegistryString(x,x,x)+29j
		mov	esi, 0C0000001h
		jmp	short loc_56C23D
_CmpSetSystemRegistryString@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2155. RtlInitAnsiStringEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitAnsiStringEx(x, x)
		public _RtlInitAnsiStringEx@8
_RtlInitAnsiStringEx@8 proc near	; CODE XREF: RtlInitUTF8StringEx(x,x)+6j
					; RtlCreateUnicodeStringFromAsciiz(x,x)+16p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		and	dword ptr [edx], 0
		mov	[edx+4], ecx
		test	ecx, ecx
		jz	short loc_56C2AB
		push	esi
		lea	esi, [ecx+1]

loc_56C28F:				; CODE XREF: RtlInitAnsiStringEx(x,x)+1Ej
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_56C28F
		sub	ecx, esi
		pop	esi
		cmp	ecx, 0FFFEh
		ja	short loc_56C2B1
		lea	eax, [ecx+1]
		mov	[edx], cx
		mov	[edx+2], ax

loc_56C2AB:				; CODE XREF: RtlInitAnsiStringEx(x,x)+13j
		xor	eax, eax

loc_56C2AD:				; CODE XREF: RtlInitAnsiStringEx(x,x)+40j
		pop	ebp
		retn	8
; 

loc_56C2B1:				; CODE XREF: RtlInitAnsiStringEx(x,x)+29j
		mov	eax, 0C0000106h
		jmp	short loc_56C2AD
_RtlInitAnsiStringEx@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpNotifyMachineHiveLoaded(x)
_CmpNotifyMachineHiveLoaded@4 proc near	; CODE XREF: CmpFinishSystemHivesLoad(x)+34Dp
					; CmpFinishSystemHivesLoad(x)+3E1p ...
		xor	eax, eax
		imul	ecx, 78h
		inc	eax
		lock xadd dword_6B1694[ecx], eax
		inc	eax
		cmp	eax, 1
		jnz	short locret_56C2D8
		push	eax
		push	dword_6B1690[ecx]
		call	ExQueueWorkItem

locret_56C2D8:				; CODE XREF: CmpNotifyMachineHiveLoaded(x)+12j
		retn
_CmpNotifyMachineHiveLoaded@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUnicodeStringCopyString(x, x)
_RtlUnicodeStringCopyString@8 proc near	; CODE XREF: CmpFinishSystemHivesLoad(x)+86p
					; IopDeviceRemovalForResetComplete(x)+AEp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		push	esi
		push	edi
		sub	esp, 0Ch
		mov	edi, edx
		lea	edx, [ebp+var_8]
		mov	esi, ecx
		push	eax
		call	RtlUnicodeStringValidateDestWorker
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_56C324
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		and	[ebp+var_C], 0
		push	ecx
		mov	ecx, [ebp+var_8]
		push	edi
		push	eax
		call	RtlWideCharArrayCopyStringWorker
		mov	ecx, eax
		mov	eax, [ebp+var_C]
		add	eax, eax
		mov	[esi], ax

loc_56C324:				; CODE XREF: RtlUnicodeStringCopyString(x,x)+29j
		pop	edi
		mov	eax, ecx
		pop	esi
		leave
		retn
_RtlUnicodeStringCopyString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl RtlUnicodeStringPrintf(int,wchar_t *,char)
_RtlUnicodeStringPrintf	proc near	; CODE XREF: CmpOpenDevicesControlSet+79p
					; CmSetAcpiHwProfile+9B9D4p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		lea	edx, [ebp+var_8]
		push	esi
		mov	esi, [ebp+arg_0]
		sub	esp, 0Ch
		mov	ecx, esi
		push	eax
		call	RtlUnicodeStringValidateDestWorker
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_56C379
		mov	edx, [ebp+var_4] ; size_t
		lea	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_8] ; wchar_t *
		and	[ebp+var_C], 0
		push	eax		; va_list
		push	[ebp+arg_4]	; wchar_t *
		lea	eax, [ebp+var_C]
		push	eax		; int
		call	RtlWideCharArrayVPrintfWorker
		mov	ecx, eax
		mov	eax, [ebp+var_C]
		add	eax, eax
		mov	[esi], ax

loc_56C379:				; CODE XREF: _RtlUnicodeStringPrintf+29j
		mov	eax, ecx
		pop	esi
		leave
		retn
_RtlUnicodeStringPrintf	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlWideCharArrayVPrintfWorker(wchar_t *,size_t,int,wchar_t *,va_list)
RtlWideCharArrayVPrintfWorker proc near	; CODE XREF: _RtlUnicodeStringPrintf+40p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	[ebp+arg_8]	; va_list
		mov	esi, edx
		xor	edi, edi
		push	[ebp+arg_4]	; wchar_t *
		push	esi		; size_t
		push	ecx		; wchar_t *
		call	__vsnwprintf
		add	esp, 10h
		test	eax, eax
		js	short loc_56C3AE
		cmp	eax, esi
		ja	short loc_56C3AE

loc_56C3A1:				; CODE XREF: RtlWideCharArrayVPrintfWorker+37j
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_56C3AE:				; CODE XREF: RtlWideCharArrayVPrintfWorker+1Dj
					; RtlWideCharArrayVPrintfWorker+21j
		mov	edi, 80000005h
		mov	eax, esi
		jmp	short loc_56C3A1
RtlWideCharArrayVPrintfWorker endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlUnicodeStringValidateDestWorker proc	near
					; CODE XREF: RtlUnicodeStringCopyString(x,x)+20p
					; _RtlUnicodeStringPrintf+20p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		and	dword ptr [ebx], 0
		push	ecx
		and	dword ptr [edi], 0
		call	RtlUnicodeStringValidateWorker
		test	eax, eax
		js	short loc_56C3E8
		test	esi, esi
		jz	short loc_56C3E8
		mov	ecx, [esi+4]
		mov	[edi], ecx
		movzx	ecx, word ptr [esi+2]
		shr	ecx, 1
		mov	[ebx], ecx

loc_56C3E8:				; CODE XREF: RtlUnicodeStringValidateDestWorker+1Dj
					; RtlUnicodeStringValidateDestWorker+21j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
RtlUnicodeStringValidateDestWorker endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMappedPageWriter proc	near		; DATA XREF: MiFlushAllFilesystemPages(x)+45o
					; MiEnablePartitionMappedWrites+24o

var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_98		= dword	ptr -98h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F4E2F SIZE 000000A3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0BCh+var_4], eax
		push	ebx
		mov	ebx, large fs:124h
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	6
		pop	ecx
		push	12h
		lea	edi, [esp+0CCh+var_B0]
		mov	[esp+0CCh+var_B8], ebx
		rep stosd
		push	ebx
		call	KeSetPriorityThread
		or	dword ptr [ebx+300h], 2
		lea	edx, [esi+9DCh]
		mov	[esp+0C8h+var_B4], eax
		xor	ecx, ecx

loc_56C443:				; CODE XREF: MiMappedPageWriter+5Ej
		mov	[esp+ecx*4+0C8h+var_B0], edx
		inc	ecx
		add	edx, 10h
		cmp	ecx, 4
		jb	short loc_56C443
		lea	eax, [esi+3Ch]
		mov	[esp+ecx*4+0C8h+var_B0], eax
		lea	eax, [esi+1CCh]
		mov	[esp+ecx*4+0C8h+var_AC], eax
		mov	eax, large fs:124h
		mov	dword ptr [eax+2D4h], 3

loc_56C471:				; CODE XREF: MiMappedPageWriter+19Ej
					; MiMappedPageWriter+1C8j
		or	edx, 0FFFFFFFFh
		mov	[esp+0C8h+var_BC], edx

loc_56C478:				; CODE XREF: MiMappedPageWriter+143j
					; MiMappedPageWriter+164j
		cmp	edx, 0FFFFFFFFh
		jz	loc_56C566
		mov	eax, [esi+10C0h]
		mov	ecx, [esi+1118h]
		cmp	eax, ecx
		jbe	loc_56C566
		sub	eax, ecx
		cmp	eax, 10h
		jb	loc_56C559

loc_56C4A0:				; CODE XREF: MiMappedPageWriter+170j
					; MiMappedPageWriter+197j ...
		mov	ecx, [esi+40h]
		test	ecx, ecx
		jnz	short loc_56C4B0
		cmp	edx, 4
		jb	loc_56C5A4

loc_56C4B0:				; CODE XREF: MiMappedPageWriter+B5j
					; MiMappedPageWriter+1C2j
		mov	eax, [esi+10C0h]
		cmp	eax, [esi+1118h]
		jz	loc_56C58C
		lea	ebx, [esi+154h]
		mov	eax, [ebx]
		cmp	eax, [esi+150h]
		jnb	loc_5F4E47
		push	1
		push	10h
		pop	edx
		mov	ecx, esi
		call	_MiAllocateModWriterEntry@12 ; MiAllocateModWriterEntry(x,x,x)
		mov	edi, eax

loc_56C4E4:				; CODE XREF: MiMappedPageWriter+88A59j
		test	edi, edi
		jz	loc_5F4E4E
		push	0A0h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [edi], 61h
		mov	[edi+78h], esi

loc_56C505:				; CODE XREF: MiMappedPageWriter+88A99j
		test	edi, edi
		jz	loc_5F4E2F
		xor	eax, eax
		inc	eax
		lock xadd [ebx], eax
		inc	eax
		cmp	eax, [esi+158h]
		ja	short loc_56C599

loc_56C51D:				; CODE XREF: MiMappedPageWriter+1AFj
		mov	edx, [esp+0C8h+var_BC]
		mov	ecx, esi
		and	dword ptr [edi+7Ch], 0
		push	edi
		call	MiGatherMappedPages
		mov	edx, [esp+0C8h+var_BC]
		test	eax, eax
		jnz	loc_56C478
		lock dec dword ptr [ebx]
		test	byte ptr [edi+14h], 1
		jnz	loc_5F4E8E
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_MiFreeModWriterEntry@8	; MiFreeModWriterEntry(x,x)

loc_56C550:				; CODE XREF: MiMappedPageWriter+88AC8j
		mov	edx, [esp+0C8h+var_BC]
		jmp	loc_56C478
; 

loc_56C559:				; CODE XREF: MiMappedPageWriter+AAj
		cmp	dword ptr [esi+1C8h], 0
		jnz	loc_56C4A0

loc_56C566:				; CODE XREF: MiMappedPageWriter+8Bj
					; MiMappedPageWriter+9Fj
		lea	eax, [esp+0C8h+var_98]
		push	eax
		push	0
		push	0
		push	0
		push	8
		push	1
		lea	eax, [esp+0E0h+var_B0]
		push	eax
		push	6
		call	KeWaitForMultipleObjects
		mov	edx, eax
		mov	[esp+0C8h+var_BC], edx
		jmp	loc_56C4A0
; 

loc_56C58C:				; CODE XREF: MiMappedPageWriter+CCj
		test	ecx, ecx
		jz	loc_56C471
		jmp	loc_5F4DE0
; 

loc_56C599:				; CODE XREF: MiMappedPageWriter+12Bj
		mov	[esi+158h], eax
		jmp	loc_56C51D
; 

loc_56C5A4:				; CODE XREF: MiMappedPageWriter+BAj
		imul	eax, edx, 14h
		cmp	dword ptr [eax+esi+888h], offset loc_7FFFFF
		jnz	loc_56C4B0
		jmp	loc_56C471
MiMappedPageWriter endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWorkerFactoryManagerThread proc near	; DATA XREF: ExpWorkerFactoryInitialization+115o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005F4ED2 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd

loc_56C5D1:				; CODE XREF: ExpWorkerFactoryManagerThread+88942j
		xor	ebx, ebx

loc_56C5D3:				; CODE XREF: ExpWorkerFactoryManagerThread+B6j
					; ExpWorkerFactoryManagerThread+11Ej ...
		push	ebx
		push	ebx
		push	offset _ExpWorkerFactoryManagerQueue
		call	_KeRemoveQueue@12 ; KeRemoveQueue(x,x,x)
		cmp	eax, offset _ExpWorkerFactoryThreadCreationBlock
		jz	loc_56C733
		lea	edx, [ebp+var_C]
		cmp	[eax+18h], ebx
		jz	loc_56C67F
		lea	esi, [eax-0D0h]
		mov	edi, [esi+4]
		mov	ecx, edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	[esi+60h], ebx
		jnz	short loc_56C619
		mov	edx, [esi+50h]
		mov	eax, [esi+48h]
		cmp	edx, eax
		ja	loc_56C6E1

loc_56C619:				; CODE XREF: ExpWorkerFactoryManagerThread+4Bj
					; ExpWorkerFactoryManagerThread+13Bj
		cmp	byte ptr [edi+15h], 0
		jnz	loc_5F4EDF
		lea	eax, [esi+0D0h]
		mov	edx, offset _ExpWorkerFactoryManagerQueue
		push	eax
		lea	ecx, [esi+78h]
		call	KeRegisterObjectNotification

loc_56C637:				; CODE XREF: ExpWorkerFactoryManagerThread+88926j
		test	ds:byte_70EFC6,	1
		jnz	loc_5F4EE9
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_56C71E
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_56C716

loc_56C666:				; CODE XREF: ExpWorkerFactoryManagerThread+170j
					; ExpWorkerFactoryManagerThread+88936j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		test	bl, bl
		pop	ebx
		jz	loc_56C5D3
		jmp	loc_5F4EF9
; 

loc_56C67F:				; CODE XREF: ExpWorkerFactoryManagerThread+32j
		lea	esi, [eax-0ECh]
		mov	ecx, [esi+4]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		and	dword ptr [esi+68h], 0FFFFFBFFh
		test	dword ptr [esi+68h], 200h
		jnz	short loc_56C6FE

loc_56C69D:				; CODE XREF: ExpWorkerFactoryManagerThread+149j
		test	ds:byte_70EFC6,	1
		jnz	loc_5F4EC2
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_56C751
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5F4ED2

loc_56C6CC:				; CODE XREF: ExpWorkerFactoryManagerThread+19Fj
					; MiMappedPageWriter+88ADDj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_56C6D5:				; CODE XREF: ExpWorkerFactoryManagerThread+156j
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	loc_56C5D3
; 

loc_56C6E1:				; CODE XREF: ExpWorkerFactoryManagerThread+55j
		mov	ecx, [esi+38h]
		sub	edx, eax
		mov	eax, [esi+3Ch]
		neg	ecx
		adc	eax, ebx
		neg	eax
		push	eax
		push	ecx
		mov	ecx, [edi+4]
		call	_KeTimeOutQueueWaiters@16 ; KeTimeOutQueueWaiters(x,x,x,x)
		jmp	loc_56C619
; 

loc_56C6FE:				; CODE XREF: ExpWorkerFactoryManagerThread+DDj
		mov	ecx, esi
		call	_ExpTryEnterWorkerFactoryAwayMode@4 ; ExpTryEnterWorkerFactoryAwayMode(x)
		test	al, al
		jz	short loc_56C69D
		push	ebx
		lea	edx, [ebp+var_C]
		mov	ecx, esi
		call	ExpWorkerFactoryCheckCreate
		jmp	short loc_56C6D5
; 

loc_56C716:				; CODE XREF: ExpWorkerFactoryManagerThread+A2j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_56C71E:				; CODE XREF: ExpWorkerFactoryManagerThread+8Bj
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_56C666
; 

loc_56C733:				; CODE XREF: ExpWorkerFactoryManagerThread+26j
		call	_ExpWorkerFactoryDeferredThreadCreation@0 ; ExpWorkerFactoryDeferredThreadCreation()
		push	offset _ExpWorkerFactoryThreadCreationBlock
		mov	edx, offset _ExpWorkerFactoryManagerQueue
		mov	ecx, offset _ExpWorkerFactoryThreadCreationTimer
		call	KeRegisterObjectNotification
		jmp	loc_56C5D3
; 

loc_56C751:				; CODE XREF: ExpWorkerFactoryManagerThread+F1j
					; ExpWorkerFactoryManagerThread+8891Cj
		xor	ecx, ecx
		mov	[ebp+var_C], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_56C6CC
ExpWorkerFactoryManagerThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiModifiedPageWriter proc near		; DATA XREF: MiFlushAllFilesystemPages(x)+39o
					; MiInsertPageFileInList+1ABo

var_D8		= dword	ptr -0D8h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005F4F05 SIZE 00000169 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, large fs:124h
		push	12h
		mov	[esi+238h], edi
		push	edi
		or	dword ptr [edi+300h], 2
		mov	[ebp+var_98], edi
		call	KeSetActualBasePriorityThread
		mov	[ebp+var_A8], eax
		lea	ecx, [esi+3Ch]
		lea	eax, [esi+1A4h]
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_A0], eax
		lea	eax, [esi+210h]
		mov	[ebp+var_14], eax
		lea	eax, [esi+228h]
		mov	[ebp+var_10], eax
		lea	eax, [esi+18Ch]
		mov	[ebp+var_C], eax
		lea	eax, [esi+260h]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_8], eax

loc_56C7E1:				; CODE XREF: MiModifiedPageWriter+EAj
					; MiModifiedPageWriter+326j ...
		and	dword ptr [esi+1ECh], 0
		and	dword ptr [esi+1F0h], 0
		mov	byte ptr [esi+176h], 0
		nop
		cmp	dword ptr [esi+2C0h], 0
		jz	short loc_56C80D
		cmp	dword ptr [esi+2D4h], 0
		jz	loc_56CACE

loc_56C80D:				; CODE XREF: MiModifiedPageWriter+9Cj
					; MiModifiedPageWriter+378j
		lea	eax, [ebp+var_D8]
		push	eax
		push	0
		push	0
		push	0
		push	13h
		push	1
		lea	eax, [ebp+var_A4]
		push	eax
		push	2
		call	KeWaitForMultipleObjects
		mov	byte ptr [esi+176h], 1
		test	eax, eax
		jz	loc_5F4F60

loc_56C83B:				; CODE XREF: MiModifiedPageWriter+225j
					; MiModifiedPageWriter+258j ...
		cmp	dword ptr [esi+40h], 0
		jnz	loc_5F4F60
		cmp	dword ptr [esi+1118h], 0
		jz	short loc_56C7E1
		dec	word ptr [edi+13Eh]
		nop
		cmp	dword ptr [esi+2C0h], 0
		jz	short loc_56C86C
		cmp	dword ptr [esi+2D4h], 0
		jz	loc_56C9DB

loc_56C86C:				; CODE XREF: MiModifiedPageWriter+FBj
					; MiModifiedPageWriter+285j
		lea	ebx, [esi+220h]
		cmp	[ebx], ebx
		jnz	short loc_56C8B6
		mov	ecx, edi
		mov	byte ptr [esi+175h], 1
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		lea	eax, [ebp+var_90]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	13h
		push	1
		lea	eax, [ebp+var_18]
		push	eax
		push	5
		call	KeWaitForMultipleObjects
		test	eax, eax
		jz	loc_5F4F60
		dec	word ptr [edi+13Eh]
		nop
		mov	byte ptr [esi+175h], 0

loc_56C8B6:				; CODE XREF: MiModifiedPageWriter+112j
		cmp	dword ptr [esi+190h], 0
		jnz	loc_5F4F05

loc_56C8C3:				; CODE XREF: MiModifiedPageWriter+887B6j
					; MiModifiedPageWriter+887C8j
		cmp	dword ptr [esi+214h], 0
		jnz	loc_56C9EC

loc_56C8D0:				; CODE XREF: MiModifiedPageWriter+2B6j
					; MiModifiedPageWriter+2E5j
		cmp	dword ptr [esi+264h], 0
		jnz	loc_5F4F2F

loc_56C8DD:				; CODE XREF: MiModifiedPageWriter+887E0j
		mov	ecx, esi
		call	MiCheckFreeModifiedReservations
		cmp	[ebx], ebx
		jz	loc_56CAC2
		lea	edx, [esi+2B8h]
		mov	eax, [edx]
		test	al, 1
		jnz	loc_56CA8D

loc_56C8FC:				; CODE XREF: MiModifiedPageWriter+330j
					; MiModifiedPageWriter+342j
		mov	ecx, esi
		call	_MiUseLowIoPriorityForModifiedPages@4 ;	MiUseLowIoPriorityForModifiedPages(x)
		test	eax, eax
		jz	loc_56C9BF
		mov	eax, [esi+1118h]
		cmp	eax, [esi+1A0h]
		jb	loc_56CA81
		push	4
		pop	eax
		push	eax
		push	edi
		mov	[esi+19Ch], eax
		call	KeSetActualBasePriorityThread
		mov	[ebp+var_94], eax
		xor	ecx, ecx

loc_56C935:				; CODE XREF: MiModifiedPageWriter+274j
		mov	ebx, [ebx]
		lea	edx, [esi+220h]
		cmp	[ebx+4], edx
		jnz	loc_56CADF
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	loc_56CADF
		mov	[edx], eax
		mov	[eax+4], edx
		mov	eax, [ebx+14h]
		and	eax, 0FFFFFFE3h
		mov	dword ptr [ebx], 61h
		or	eax, ecx
		mov	ecx, edi
		mov	[ebx+14h], eax
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		lea	eax, [ebx+80h]
		mov	ecx, ebx
		mov	[ebx+7Ch], eax
		call	MiGatherPagefilePages
		mov	ecx, [ebp+var_94]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_56C83B
		cmp	dword ptr [edi+150h], offset _KiInitialProcess
		jz	loc_5F4F58
		movsx	eax, byte ptr [edi+87h]

loc_56C9A4:				; CODE XREF: MiModifiedPageWriter+887F9j
		cmp	eax, 12h
		jz	short loc_56C9B0
		push	ecx
		push	edi
		call	KeSetActualBasePriorityThread

loc_56C9B0:				; CODE XREF: MiModifiedPageWriter+245j
		mov	dword ptr [esi+19Ch], 12h
		jmp	loc_56C83B
; 

loc_56C9BF:				; CODE XREF: MiModifiedPageWriter+1A3j
		cmp	dword ptr [esi+188h], 0
		jnz	loc_5F4F47

loc_56C9CC:				; CODE XREF: MiModifiedPageWriter+887F1j
		or	[ebp+var_94], 0FFFFFFFFh
		push	8
		pop	ecx
		jmp	loc_56C935
; 

loc_56C9DB:				; CODE XREF: MiModifiedPageWriter+104j
		xor	edx, edx
		mov	ecx, offset unk_718320
		call	?SmDrainSList@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAT_SLIST_HEADER@@K@Z ;	SMKM_STORE_MGR<SM_TRAITS>::SmDrainSList(_SLIST_HEADER *,ulong)
		jmp	loc_56C86C
; 

loc_56C9EC:				; CODE XREF: MiModifiedPageWriter+168j
		lea	eax, [esi+210h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		and	[ebp+var_9C], 0
		lea	eax, [ebp+var_9C]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	edx, [esi+0F4Ch]
		mov	[ebp+var_94], edx
		test	edx, edx
		jz	loc_56C8D0
		lea	ebx, [esi+0F54h]

loc_56CA24:				; CODE XREF: MiModifiedPageWriter+2D7j
		mov	ecx, [ebx]
		mov	al, [ecx+76h]
		test	al, 1
		jnz	short loc_56CA4C

loc_56CA2D:				; CODE XREF: MiModifiedPageWriter+2F6j
					; MiModifiedPageWriter+31Dj
		add	ebx, 4
		sub	edx, 1
		mov	[ebp+var_94], edx
		jnz	short loc_56CA24
		mov	edi, [ebp+var_98]
		lea	ebx, [esi+220h]
		jmp	loc_56C8D0
; 

loc_56CA4C:				; CODE XREF: MiModifiedPageWriter+2C9j
		and	al, 0FEh
		xor	edi, edi
		mov	[ecx+76h], al
		mov	eax, [ebx]
		cmp	[eax+24h], edi
		jbe	short loc_56CA2D

loc_56CA5A:				; CODE XREF: MiModifiedPageWriter+315j
		mov	eax, [eax+20h]
		mov	ecx, [eax+edi*4]
		test	ecx, ecx
		jz	short loc_56CA71
		cmp	dword ptr [ecx], 99887711h
		jnz	short loc_56CA71
		call	MiMakePagefileWriterEntryAvailable

loc_56CA71:				; CODE XREF: MiModifiedPageWriter+300j
					; MiModifiedPageWriter+308j
		mov	eax, [ebx]
		inc	edi
		cmp	edi, [eax+24h]
		jb	short loc_56CA5A
		mov	edx, [ebp+var_94]
		jmp	short loc_56CA2D
; 

loc_56CA81:				; CODE XREF: MiModifiedPageWriter+1B5j
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_56C7E1
; 

loc_56CA8D:				; CODE XREF: MiModifiedPageWriter+194j
		test	eax, 0FFFFFFFEh
		jnz	loc_56C8FC
		xor	eax, eax
		xor	ecx, ecx
		inc	eax
		lock cmpxchg [edx], ecx
		cmp	eax, 1
		jnz	loc_56C8FC
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		lea	eax, [esi+1A4h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		jmp	loc_56C7E1
; 

loc_56CAC2:				; CODE XREF: MiModifiedPageWriter+184j
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_56C83B
; 

loc_56CACE:				; CODE XREF: MiModifiedPageWriter+A5j
		xor	edx, edx
		mov	ecx, offset unk_718320
		call	?SmDrainSList@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAT_SLIST_HEADER@@K@Z ;	SMKM_STORE_MGR<SM_TRAITS>::SmDrainSList(_SLIST_HEADER *,ulong)
		jmp	loc_56C80D
; 

loc_56CADF:				; CODE XREF: MiModifiedPageWriter+1DEj
					; MiModifiedPageWriter+1E9j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __fastcall PpmIdleDefaultExecute(x, x, x, x, x, x, x,	x)
@PpmIdleDefaultExecute@32:		; DATA XREF: PpmIdleRegisterDefaultStates+78o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		movzx	edi, si
		mov	ebx, edi
		test	di, di
		jz	short loc_56CB03
		push	48h
		xor	eax, eax
		xor	edx, edx
		pop	ecx
		wrmsr

loc_56CB03:				; CODE XREF: MiModifiedPageWriter+396j
		shr	esi, 10h
		test	si, si
		jz	short loc_56CB10
		call	_KeExecuteVerw@0 ; KeExecuteVerw()

loc_56CB10:				; CODE XREF: MiModifiedPageWriter+3A7j
		call	ds:__imp__HalProcessorIdle@0 ; HalProcessorIdle()
		test	di, di
		jz	short loc_56CB25
		mov	eax, ebx
		push	48h
		cdq
		pop	ecx
		wrmsr
		jmp	short loc_56CB28
; 

loc_56CB25:				; CODE XREF: MiModifiedPageWriter+3B7j
		lfence	eax

loc_56CB28:				; CODE XREF: MiModifiedPageWriter+3C1j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ecx
		pop	ebp
		retn	18h
MiModifiedPageWriter endp ; sp = -0E8h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiZeroPageCalibrateIsr proc near	; DATA XREF: MiZeroPageCalibrate+156o

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F506E SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	edx, large fs:20h
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		movzx	esi, ds:_KeNumberNodes
		mov	[ebp+var_14], edx
		mov	ecx, [ebx+3Ch]
		mov	[ebp+var_C], ecx
		push	edi
		test	esi, esi
		jz	short loc_56CB8E
		movzx	edi, byte ptr [edx+3C5h]
		mov	edx, [ecx+10h]
		mov	ebx, [ebp+var_14]
		add	edx, 264h

loc_56CB70:				; CODE XREF: MiZeroPageCalibrateIsr+88545j
		cmp	di, [edx+4]
		jnz	loc_5F506E
		mov	ecx, [edx]
		test	[ebx+3C8h], ecx
		jz	loc_5F506E

loc_56CB88:				; CODE XREF: MiZeroPageCalibrateIsr+8854Bj
		mov	ebx, [ebp+arg_0]
		mov	ecx, [ebp+var_C]

loc_56CB8E:				; CODE XREF: MiZeroPageCalibrateIsr+29j
		imul	edi, eax, 280h
		add	edi, [ecx+10h]
		mov	cl, 1Fh
		mov	[ebp+var_8], edi
		mov	eax, [edi+244h]
		mov	[ebp+var_28], eax
		mov	eax, [eax+54h]
		mov	[edi+248h], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		mov	ecx, 80000000h

loc_56CBBC:				; CODE XREF: MiZeroPageCalibrateIsr+228j
		mov	eax, [ebx+20h]
		and	[ebp+var_20], 0
		shl	eax, 4
		add	eax, [ebx+1Ch]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_14]
		mov	eax, [eax+4D4h]
		mov	[ebp+var_34], eax
		mov	dword ptr [eax+2828h], 0
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		dec	eax
		mov	esi, eax
		not	esi
		and	esi, ecx
		test	eax, 7FFFFFFFh
		jz	short loc_56CC37

loc_56CBF7:				; CODE XREF: MiZeroPageCalibrateIsr+DAj
		mov	eax, [ebx]
		and	eax, ecx
		cmp	eax, esi
		jz	short loc_56CC0E
		lea	ecx, [ebp+var_20]
		call	KeYieldProcessorEx
		mov	ecx, 80000000h
		jmp	short loc_56CBF7
; 

loc_56CC0E:				; CODE XREF: MiZeroPageCalibrateIsr+CBj
		and	[ebp+var_24], 0
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		dec	eax
		mov	esi, eax
		not	esi
		and	esi, ecx
		test	eax, 7FFFFFFFh
		jnz	loc_56CDA8
		mov	eax, [ebx+4]
		or	eax, esi
		mov	[ebx], eax
		jmp	loc_56CCEF
; 

loc_56CC37:				; CODE XREF: MiZeroPageCalibrateIsr+C3j
		mov	eax, [ebx+4]
		xor	edi, edi
		or	eax, esi
		mov	[ebx], eax
		mov	eax, [ebp+var_C]
		mov	esi, [eax+10h]
		xor	eax, eax
		cmp	ax, ds:_KeNumberNodes
		jnb	short loc_56CC8A
		add	esi, 248h

loc_56CC57:				; CODE XREF: MiZeroPageCalibrateIsr+156j
		cmp	dword ptr [esi], 0
		jz	loc_5F5082
		mov	ecx, [esi]
		xor	edx, edx
		mov	eax, [esi-0Ch]
		div	ecx
		and	eax, 0FFFFF000h

loc_56CC6E:				; CODE XREF: MiZeroPageCalibrateIsr+88552j
		mov	[esi-8], eax
		movzx	eax, ds:_KeNumberNodes
		mov	dword ptr [esi+4], 0
		add	esi, 280h
		inc	edi
		cmp	edi, eax
		jb	short loc_56CC57

loc_56CC8A:				; CODE XREF: MiZeroPageCalibrateIsr+11Dj
		and	[ebp+var_18], 0
		xor	ecx, ecx
		rdtsc
		mov	dword ptr [ebx+24h], 0
		mov	[ebx+30h], eax
		lea	eax, [ebp+var_18]
		mov	[ebx+34h], edx
		lock or	[eax], ecx
		and	[ebp+var_1C], ecx
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		dec	eax
		mov	esi, eax
		mov	edi, 80000000h
		not	esi
		and	esi, edi
		test	eax, 7FFFFFFFh
		jz	loc_56CEBB

loc_56CCC6:				; CODE XREF: MiZeroPageCalibrateIsr+1A8j
		mov	eax, [ebx]
		and	eax, edi
		cmp	eax, esi
		jz	loc_56CEC2
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		jmp	short loc_56CCC6
; 

loc_56CCDC:				; CODE XREF: MiZeroPageCalibrateIsr+1BBj
		lea	ecx, [ebp+var_24]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		and	eax, 80000000h

loc_56CCEB:				; CODE XREF: MiZeroPageCalibrateIsr+27Aj
		cmp	eax, esi
		jnz	short loc_56CCDC

loc_56CCEF:				; CODE XREF: MiZeroPageCalibrateIsr+100j
					; MiZeroPageCalibrateIsr+393j
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_28]
		movzx	eax, byte ptr [ecx+3C5h]
		cmp	ax, [edx+4Ch]
		jnz	short loc_56CD0D
		mov	eax, [ecx+3C8h]
		test	[edx+48h], eax
		jnz	short loc_56CD70

loc_56CD0D:				; CODE XREF: MiZeroPageCalibrateIsr+1CEj
					; MiZeroPageCalibrateIsr+250j ...
		mov	ecx, ds:_KeNumberProcessors
		lea	edx, [ebx+24h]
		xor	eax, eax
		inc	eax
		lock xadd [edx], eax
		inc	eax
		cmp	eax, ecx
		jz	loc_56CE1C
		mov	esi, [ebp+var_34]
		and	[ebp+var_38], 0
		mov	eax, [esi+2828h]
		test	eax, eax
		jnz	short loc_56CD52

loc_56CD37:				; CODE XREF: MiZeroPageCalibrateIsr+218j
		lea	ecx, [ebp+var_38]
		call	KeYieldProcessorEx
		mov	ebx, [esi+2828h]
		mov	[ebp+var_10], ebx
		test	ebx, ebx
		jz	short loc_56CD37
		mov	ebx, [ebp+arg_0]

loc_56CD4F:				; CODE XREF: MiZeroPageCalibrateIsr+362j
					; MiZeroPageCalibrateIsr+384j
		mov	eax, [ebp+var_10]

loc_56CD52:				; CODE XREF: MiZeroPageCalibrateIsr+203j
		mov	ecx, 80000000h
		cmp	eax, 1
		jz	loc_56CBBC
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_56CD70:				; CODE XREF: MiZeroPageCalibrateIsr+1D9j
		xor	eax, eax
		inc	eax
		lock xadd [edi+24Ch], eax
		inc	eax
		cmp	eax, [edi+248h]
		ja	short loc_56CD0D
		mov	ecx, [edi+240h]
		dec	eax
		imul	eax, ecx
		add	eax, [edi+238h]
		cmp	dword ptr [ebx+28h], 1
		jz	short loc_56CDB1
		push	ecx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_56CDBB
; 

loc_56CDA8:				; CODE XREF: MiZeroPageCalibrateIsr+F3j
		mov	eax, [ebx]
		and	eax, ecx
		jmp	loc_56CCEB
; 

loc_56CDB1:				; CODE XREF: MiZeroPageCalibrateIsr+266j
		mov	edx, ecx
		mov	ecx, eax
		call	_KeZeroPages	; KiZeroPages(x,x)

loc_56CDBB:				; CODE XREF: MiZeroPageCalibrateIsr+274j
		xor	eax, eax
		lea	ecx, [edi+250h]
		inc	eax
		lock xadd [ecx], eax
		inc	eax
		cmp	eax, [edi+248h]
		jnz	loc_56CD0D
		and	[ebp+var_2C], 0
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	esi, [ebp+var_8]
		rdtsc
		mov	edi, eax
		sub	edi, [ebx+30h]
		mov	ecx, [esi+22Ch]
		mov	esi, [esi+248h]
		sbb	edx, [ebx+34h]
		mov	eax, [ebx+28h]
		shl	esi, 4
		add	esi, ecx
		mov	[esi+eax*8-10h], edi
		mov	edi, [ebp+var_8]
		mov	[esi+eax*8-0Ch], edx
		mov	dword ptr [edi+250h], 0
		jmp	loc_56CD0D
; 

loc_56CE1C:				; CODE XREF: MiZeroPageCalibrateIsr+1EEj
		and	[ebp+var_30], 0
		lea	eax, [ebp+var_30]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	esi, [ebp+var_10]
		mov	ecx, [ebx+28h]
		rdtsc
		sub	eax, [ebx+30h]
		sbb	edx, [ebx+34h]
		mov	[esi+ecx*8-10h], eax
		mov	eax, [ebp+var_C]
		mov	[esi+ecx*8-0Ch], edx
		xor	esi, esi
		and	[ebp+var_10], esi
		mov	dx, ds:_KeNumberNodes
		mov	ecx, [eax+10h]
		cmp	word ptr [ebp+var_10], dx
		jnb	short loc_56CE7E
		add	ecx, 248h

loc_56CE5C:				; CODE XREF: MiZeroPageCalibrateIsr+347j
		cmp	dword ptr [ecx], 0
		jz	short loc_56CE66
		dec	dword ptr [ecx]
		dec	dword ptr [ebx+20h]

loc_56CE66:				; CODE XREF: MiZeroPageCalibrateIsr+32Dj
		mov	dx, ds:_KeNumberNodes
		add	ecx, 280h
		inc	esi
		movzx	eax, dx
		cmp	esi, eax
		jb	short loc_56CE5C
		mov	eax, [ebp+var_C]

loc_56CE7E:				; CODE XREF: MiZeroPageCalibrateIsr+322j
		xor	esi, esi
		inc	esi
		cmp	dword ptr [ebx+20h], 0
		mov	ecx, esi
		mov	[ebp+var_10], ecx
		jz	short loc_56CECA

loc_56CE8C:				; CODE XREF: MiZeroPageCalibrateIsr+3DCj
		xor	edx, edx
		cmp	ds:_KeNumberProcessors,	edx
		jbe	loc_56CD4F

loc_56CE9A:				; CODE XREF: MiZeroPageCalibrateIsr+382j
		mov	eax, ds:_KiProcessorBlock[edx*4]
		inc	edx
		mov	eax, [eax+4D4h]
		mov	[eax+2828h], ecx
		cmp	edx, ds:_KeNumberProcessors
		jb	short loc_56CE9A
		jmp	loc_56CD4F
; 

loc_56CEBB:				; CODE XREF: MiZeroPageCalibrateIsr+18Ej
		mov	eax, [ebx+4]
		or	eax, esi
		mov	[ebx], eax

loc_56CEC2:				; CODE XREF: MiZeroPageCalibrateIsr+19Aj
		mov	edi, [ebp+var_8]
		jmp	loc_56CCEF
; 

loc_56CECA:				; CODE XREF: MiZeroPageCalibrateIsr+358j
		cmp	dword ptr [ebx+28h], 0
		jnz	short loc_56CF13
		mov	[ebx+28h], esi
		xor	esi, esi
		mov	eax, [eax+0E00h]
		mov	di, ds:_KeNumberNodes
		mov	[ebx+20h], eax
		mov	eax, [ebp+var_C]
		mov	edx, [eax+10h]
		xor	eax, eax
		cmp	ax, di
		jnb	short loc_56CF0B
		add	edx, 248h

loc_56CEF8:				; CODE XREF: MiZeroPageCalibrateIsr+3D7j
		mov	eax, [edx-30h]
		inc	esi
		mov	[edx], eax
		lea	edx, [edx+280h]
		movzx	eax, di
		cmp	esi, eax
		jb	short loc_56CEF8

loc_56CF0B:				; CODE XREF: MiZeroPageCalibrateIsr+3BEj
					; MiZeroPageCalibrateIsr+438j
		mov	edi, [ebp+var_8]
		jmp	loc_56CE8C
; 

loc_56CF13:				; CODE XREF: MiZeroPageCalibrateIsr+39Cj
		mov	ecx, [ebp+var_C]
		lea	esi, [ebx+8]
		push	2
		pop	eax
		mov	[ebp+var_10], eax
		mov	eax, [ecx+0DF8h]
		mov	[ebx+38h], eax
		lea	eax, [ecx+0DE4h]
		push	6
		pop	ecx
		mov	edi, eax
		mov	[ebp+var_34], eax
		rep movsd
		mov	ecx, [ebp+var_C]
		movzx	edi, dx
		mov	esi, [ecx+10h]
		test	edi, edi
		jz	short loc_56CF60
		add	esi, 218h

loc_56CF4B:				; CODE XREF: MiZeroPageCalibrateIsr+429j
		mov	ecx, esi
		call	MiComputeOptimalWriteProcessors
		add	esi, 280h
		sub	edi, 1
		jnz	short loc_56CF4B
		mov	eax, [ebp+var_34]

loc_56CF60:				; CODE XREF: MiZeroPageCalibrateIsr+411j
		mov	ecx, eax
		call	MiComputeOptimalWriteProcessors
		mov	ecx, [ebp+var_10]
		jmp	short loc_56CF0B
MiZeroPageCalibrateIsr endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputeOptimalWriteProcessors	proc near ; CODE XREF: MiZeroPageCalibrateIsr+41Bp
					; MiZeroPageCalibrateIsr+430p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F5089 SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_8], esi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	ecx, [esi+14h]
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		test	ecx, ecx
		jz	loc_56D0DE
		mov	eax, [esi]
		mov	edx, ebx
		mov	[ebp+var_1C], eax
		lea	eax, [esi+0Ch]
		mov	esi, ebx
		mov	[ebp+var_C], edx
		push	edi
		mov	edi, [ebp+var_8]
		mov	[ebp+var_10], eax
		mov	[ebp+var_4], esi

loc_56CFBC:				; CODE XREF: MiComputeOptimalWriteProcessors+138j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_56D003
		mov	ebx, eax

loc_56CFC5:				; CODE XREF: MiComputeOptimalWriteProcessors+92j
		mov	eax, [edx+ecx]
		mov	edi, [edx+ecx+4]
		mov	[ebp+var_14], eax
		or	eax, edi
		mov	[ebp+var_18], edi
		jz	short loc_56CFF8
		mov	eax, edi
		cmp	eax, [ebp+edx+var_40]
		ja	short loc_56CFF8
		mov	eax, [ebp+var_14]
		jb	short loc_56CFE9
		cmp	eax, [ebp+edx+var_44]
		jnb	short loc_56CFF8

loc_56CFE9:				; CODE XREF: MiComputeOptimalWriteProcessors+75j
		mov	[ebp+edx+var_44], eax
		mov	eax, [ebp+var_18]
		mov	[ebp+edx+var_40], eax
		mov	[ebp+esi+var_34], ecx

loc_56CFF8:				; CODE XREF: MiComputeOptimalWriteProcessors+68j
					; MiComputeOptimalWriteProcessors+70j ...
		add	ecx, 10h
		sub	ebx, 1
		jnz	short loc_56CFC5
		mov	edi, [ebp+var_8]

loc_56D003:				; CODE XREF: MiComputeOptimalWriteProcessors+55j
		mov	eax, [ebp+esi+var_34]
		test	eax, eax
		jz	short loc_56D07E
		mov	edi, [ebp+edx+var_44]
		push	ebx
		push	0Ah
		mov	[ebp+esi+var_2C], eax
		mov	esi, [ebp+edx+var_40]
		push	esi
		push	edi
		mov	[ebp+var_18], eax
		call	__aulldiv
		add	eax, edi
		mov	ecx, edx
		mov	edi, [ebp+var_8]
		mov	edx, [ebp+var_C]
		adc	ecx, esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_20], ecx
		mov	eax, [edi+14h]
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_24], eax
		cmp	ecx, eax
		jbe	loc_5F5089
		mov	edi, [ebp+var_14]
		mov	ebx, [ebp+var_20]

loc_56D04D:				; CODE XREF: MiComputeOptimalWriteProcessors+10Bj
		mov	esi, [edx+ecx-0Ch]
		sub	ecx, 10h
		mov	eax, [edx+ecx]
		mov	[ebp+var_20], eax
		or	eax, esi
		jz	loc_56D0E2
		cmp	esi, ebx
		ja	short loc_56D0E2
		jb	short loc_56D06D
		cmp	[ebp+var_20], edi
		jnb	short loc_56D0E2

loc_56D06D:				; CODE XREF: MiComputeOptimalWriteProcessors+FAj
		mov	esi, [ebp+var_4]
		mov	[ebp+esi+var_2C], ecx

loc_56D074:				; CODE XREF: MiComputeOptimalWriteProcessors+179j
		cmp	ecx, [ebp+var_24]
		ja	short loc_56D04D
		mov	edi, [ebp+var_8]
		xor	ebx, ebx

loc_56D07E:				; CODE XREF: MiComputeOptimalWriteProcessors+9Dj
					; MiComputeOptimalWriteProcessors+88120j
		mov	eax, [ebp+esi+var_2C]
		add	edx, 8
		sub	eax, [edi+14h]
		add	esi, 4
		mov	edi, [ebp+var_10]
		add	[ebp+var_10], 4
		sar	eax, 4
		inc	eax
		mov	[ebp+var_C], edx
		mov	[edi], eax
		mov	edi, [ebp+var_8]
		mov	[ebp+var_4], esi
		cmp	edx, 8
		jle	loc_56CFBC
		push	2
		or	eax, 0FFFFFFFFh
		pop	edx
		mov	edi, eax

loc_56D0B2:				; CODE XREF: MiComputeOptimalWriteProcessors+169j
		mov	ecx, [ebp+ebx*4+var_2C]
		test	ecx, ecx
		jz	short loc_56D0D1
		mov	esi, [ecx+ebx*8]
		mov	ecx, [ecx+ebx*8+4]
		cmp	ecx, edi
		jb	short loc_56D0CB
		ja	short loc_56D0D1
		cmp	esi, eax
		jnb	short loc_56D0D1

loc_56D0CB:				; CODE XREF: MiComputeOptimalWriteProcessors+157j
		mov	edx, ebx
		mov	eax, esi
		mov	edi, ecx

loc_56D0D1:				; CODE XREF: MiComputeOptimalWriteProcessors+14Cj
					; MiComputeOptimalWriteProcessors+159j	...
		inc	ebx
		cmp	ebx, 1
		jle	short loc_56D0B2
		mov	edi, [ebp+var_8]
		mov	[edi+4], edx
		pop	edi

loc_56D0DE:				; CODE XREF: MiComputeOptimalWriteProcessors+31j
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_56D0E2:				; CODE XREF: MiComputeOptimalWriteProcessors+F0j
					; MiComputeOptimalWriteProcessors+F8j ...
		mov	esi, [ebp+var_4]
		jmp	short loc_56D074
MiComputeOptimalWriteProcessors	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_MuiRegAllocArray proc near		; CODE XREF: RtlpLoadInstallLanguageFallback+40p
					; _RtlpMuiRegValidateInstalled+9818Dp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	2
		pop	eax
		mul	edx
		xor	esi, esi
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		mov	[ebp+var_4], esi
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_56D14D
		cmp	[ebp+var_4], esi
		jz	short loc_56D14D
		mov	eax, large fs:20h
		xor	ecx, ecx
		mov	edx, [ebp+var_4]
		inc	ecx
		push	edi
		push	esi
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	72746C6Dh
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jz	short loc_56D14A
		push	[ebp+var_4]	; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_56D14A:				; CODE XREF: _MuiRegAllocArray+53j
		mov	esi, edi
		pop	edi

loc_56D14D:				; CODE XREF: _MuiRegAllocArray+1Dj
					; _MuiRegAllocArray+22j
		mov	eax, esi
		pop	esi
		leave
		retn
_MuiRegAllocArray endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_SafeAllocBlob	proc near		; CODE XREF: RtlpMuiRegCreateLanguages(x)+1Cp
					; RtlpMuiRegCreateLanguageConfigList(x)+1Fp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, edx
		mul	[ebp+arg_0]
		push	esi
		push	edi
		push	edx
		xor	edi, edi
		mov	esi, ecx
		push	eax
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_56D212
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_56D212
		mov	eax, [ebp+arg_4]
		lea	ecx, [ebp+var_8]
		mul	[ebp+arg_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_56D212
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_56D212
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_56D1C5
		mov	[ecx], eax

loc_56D1C5:				; CODE XREF: _SafeAllocBlob+6Fj
		test	eax, eax
		jz	short loc_56D20E
		mov	eax, large fs:20h
		xor	ecx, ecx
		mov	edx, [ebp+var_4]
		inc	ecx
		push	edi
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	72746C6Dh
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jz	short loc_56D206
		push	[ebp+var_4]	; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_56D206:				; CODE XREF: _SafeAllocBlob+A5j
					; _SafeAllocBlob+BEj
		mov	eax, esi

loc_56D208:				; CODE XREF: _SafeAllocBlob+C2j
		pop	edi
		pop	esi
		leave
		retn	10h
; 

loc_56D20E:				; CODE XREF: _SafeAllocBlob+75j
		mov	esi, edi
		jmp	short loc_56D206
; 

loc_56D212:				; CODE XREF: _SafeAllocBlob+24j
					; _SafeAllocBlob+3Aj ...
		xor	eax, eax
		jmp	short loc_56D208
_SafeAllocBlob	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpMuiRegAddAlternateCodePage proc near ; CODE	XREF: RtlpMuiRegAddLanguageByName+7Bp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F5091 SIZE 00000167 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+30h+var_10], ecx
		push	offset ??_C@_1CE@GCKIPCGP@?$AAA?$AAl?$AAt?$AAe?$AAr?$AAn?$AAa?$AAt?$AAe?$AAC?$AAo?$AAd?$AAe?$AAP?$AAa@FNODOBFM@	; "AlternateCodePage"
		lea	eax, [esp+34h+var_8]
		mov	[esp+34h+var_C], edi
		push	eax
		mov	ebx, edx
		mov	[esp+38h+var_14], edi
		mov	[esp+38h+var_1C], 7
		mov	[esp+38h+var_20], edi
		mov	[esp+38h+var_18], edi
		mov	[esp+38h+var_8], edi
		mov	[esp+38h+var_4], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ecx		; int
		lea	eax, [esp+34h+var_20]
		mov	ecx, ebx
		push	eax		; int
		push	edi		; void *
		lea	eax, [esp+3Ch+var_1C]
		push	eax		; int
		lea	edx, [esp+40h+var_8]
		call	LdrpQueryValueKey
		cmp	eax, 0C0000034h
		jnz	loc_5F5091

loc_56D27D:				; CODE XREF: RtlpMuiRegAddAlternateCodePage+87E81j
					; RtlpMuiRegAddAlternateCodePage+87E8Cj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
RtlpMuiRegAddAlternateCodePage endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_RtlpRemovePendingDeleteLanguages proc near ; CODE XREF: _RtlpMuiRegValidateInstalled+171p

var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22A		= word ptr -22Ah
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F51F8 SIZE 000000D3 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFE0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 258h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_22A], dx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_228], esi
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_234], esi
		mov	[ebp+var_230], eax
		mov	[ebp+var_23C], esi
		mov	[ebp+var_238], esi
		test	edi, edi
		jz	short loc_56D320
		push	offset ??_C@_1KC@FOBDNNHK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@
		lea	eax, [ebp+var_23C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_228]
		xor	edx, edx
		push	eax
		push	ecx
		lea	ecx, [ebp+var_23C]
		call	_LdrpOpenKey@16	; LdrpOpenKey(x,x,x,x)
		test	eax, eax
		jns	loc_5F51F8

loc_56D30B:				; CODE XREF: _RtlpRemovePendingDeleteLanguages+88031j
					; _RtlpRemovePendingDeleteLanguages+88042j
		xor	eax, eax

loc_56D30D:				; CODE XREF: _RtlpRemovePendingDeleteLanguages+A1j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_56D320:				; CODE XREF: _RtlpRemovePendingDeleteLanguages+57j
		mov	eax, 0C000000Dh
		jmp	short loc_56D30D
_RtlpRemovePendingDeleteLanguages endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_IsMachineLanguageListInMutableLocation	proc near ; CODE XREF: _RtlpMuiRegLoadInstalled+88p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F52CB SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	offset aRegistryMach_4 ; "\\Registry\\Machine\\OSDATA\\System\\Current"...
		lea	eax, [ebp+var_18]
		xor	ebx, ebx
		push	eax
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ebx
		push	eax
		push	ecx
		xor	edx, edx
		lea	ecx, [ebp+var_18]
		call	_LdrpOpenKey@16	; LdrpOpenKey(x,x,x,x)
		test	eax, eax
		jns	loc_5F52CB

loc_56D361:				; CODE XREF: _IsMachineLanguageListInMutableLocation+87FDDj
					; _IsMachineLanguageListInMutableLocation+87FE7j ...
		cmp	[ebp+var_4], 0
		jnz	loc_5F531C

loc_56D36B:				; CODE XREF: _IsMachineLanguageListInMutableLocation+87FFCj
		mov	al, bl
		pop	ebx
		leave
		retn
_IsMachineLanguageListInMutableLocation	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_RtlpMuiRegLoadInstalledFromKey	proc near ; CODE XREF: _RtlpMuiRegLoadInstalled:loc_893AC1p

var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F5329 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFE0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 258h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		or	[ebp+var_248], 0FFFFFFFFh
		lea	eax, [ebp+var_238]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_24C], ecx
		push	edx
		mov	esi, edi
		mov	[ebp+var_23C], edi
		push	eax
		mov	[ebp+var_224], esi
		mov	[ebp+var_238], edi
		mov	[ebp+var_234], edi
		mov	[ebp+var_228], edi
		mov	[ebp+var_230], edi
		mov	[ebp+var_22C], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_22C]
		xor	edx, edx
		push	eax
		push	ecx
		lea	ecx, [ebp+var_238]
		call	_LdrpOpenKey@16	; LdrpOpenKey(x,x,x,x)
		test	eax, eax
		js	loc_56D5B7

loc_56D3FE:				; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+F0j
		lea	eax, [ebp+var_23C]
		push	eax
		push	200h
		lea	eax, [ebp+var_220]
		push	eax
		push	edi
		push	esi
		push	[ebp+var_22C]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_56D462
		cmp	edi, 8000001Ah
		jnz	loc_56D58E

loc_56D430:				; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+101j
					; _RtlpMuiRegLoadInstalledFromKey+13Dj	...
		cmp	[ebp+var_228], 0
		jz	short loc_56D44B
		push	[ebp+var_228]
		call	NtClose
		and	[ebp+var_228], 0

loc_56D44B:				; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+C7j
		inc	esi
		mov	[ebp+var_224], esi
		cmp	edi, 8000001Ah
		jz	loc_56D58C
		xor	edi, edi
		jmp	short loc_56D3FE
; 

loc_56D462:				; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+B2j
		mov	eax, [ebp+var_214]
		lea	ecx, [eax+18h]
		cmp	ecx, 200h
		ja	short loc_56D430
		shr	eax, 1
		xor	ecx, ecx
		mov	word ptr [ebp+eax*2+var_210], cx
		lea	eax, [ebp+var_210]
		push	eax
		lea	eax, [ebp+var_238]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp+var_22C]
		lea	eax, [ebp+var_228]
		push	eax
		push	ecx
		lea	ecx, [ebp+var_238]
		call	_LdrpOpenKey@16	; LdrpOpenKey(x,x,x,x)
		test	eax, eax
		js	short loc_56D430
		push	offset ??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@FNODOBFM@ ; "Type"
		lea	eax, [ebp+var_238]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		pop	eax
		mov	[ebp+var_244], eax
		lea	edx, [ebp+var_238]
		mov	[ebp+var_240], eax
		lea	eax, [ebp+var_240]
		push	ecx		; int
		mov	ecx, [ebp+var_228]
		push	eax		; int
		lea	eax, [ebp+var_230]
		push	eax		; void *
		lea	eax, [ebp+var_244]
		push	eax		; int
		call	LdrpQueryValueKey
		test	eax, eax
		js	loc_56D430
		mov	esi, [ebp+var_230]
		mov	ecx, esi
		call	_ValidateRegistrLangType@4 ; ValidateRegistrLangType(x)
		test	eax, eax
		js	short loc_56D581
		and	esi, 419Fh
		mov	ecx, esi
		mov	[ebp+var_230], esi
		and	ecx, 7
		jz	short loc_56D581
		mov	eax, ecx
		neg	eax
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_56D581
		mov	ecx, esi
		and	ecx, 180h
		jz	loc_5F5329
		mov	eax, ecx
		mov	edx, esi
		neg	eax
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_5F5329

loc_56D54A:				; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+87FCDj
		mov	ecx, edx
		and	ecx, 18h
		jz	short loc_56D581
		mov	eax, ecx
		neg	eax
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_56D581
		test	dl, 8
		jnz	short loc_56D5BB

loc_56D560:				; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+250j
		mov	edx, [ebp+var_228]
		lea	eax, [ebp+var_248]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_24C]
		lea	eax, [ebp+var_210]
		push	esi
		push	eax
		call	RtlpMuiRegAddLanguageByName

loc_56D581:				; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+19Dj
					; _RtlpMuiRegLoadInstalledFromKey+1B0j	...
		mov	esi, [ebp+var_224]
		jmp	loc_56D430
; 

loc_56D58C:				; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+E8j
		xor	edi, edi

loc_56D58E:				; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+BAj
		cmp	[ebp+var_22C], 0
		jz	short loc_56D5A2
		push	[ebp+var_22C]
		call	NtClose

loc_56D5A2:				; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+225j
		mov	eax, edi

loc_56D5A4:				; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+249j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_56D5B7:				; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+88j
		xor	eax, eax
		jmp	short loc_56D5A4
; 

loc_56D5BB:				; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+1EEj
		test	dl, 4
		jz	short loc_56D581
		jmp	short loc_56D560
_RtlpMuiRegLoadInstalledFromKey	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpGetNameFromLangInfoNode proc near	; CODE XREF: _RtlpMuiRegValidateInstalled+137p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F5342 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		xor	esi, esi
		push	edi
		test	ecx, ecx
		jz	short loc_56D63E
		test	edx, edx
		jz	short loc_56D63E
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_56D63E
		movzx	eax, word ptr [edx+6]
		test	ax, ax
		jle	loc_5F5342
		mov	edx, [ecx+18h]
		movsx	ecx, ax
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	eax, [edx+0Ch]
		movsx	ecx, word ptr [eax+ecx*2]
		mov	eax, [edx+10h]
		lea	eax, [eax+ecx*2]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, word ptr [edi+2]
		cmp	word ptr [ebp+var_C], ax
		ja	short loc_56D637
		push	[ebp+var_8]
		mov	ecx, [edi+4]
		mov	edx, eax
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		test	eax, eax
		js	short loc_56D637
		mov	ax, word ptr [ebp+var_C]
		mov	[edi], ax

loc_56D62F:				; CODE XREF: RtlpGetNameFromLangInfoNode+7Aj
					; RtlpGetNameFromLangInfoNode+87DA9j
		mov	eax, esi

loc_56D631:				; CODE XREF: RtlpGetNameFromLangInfoNode+81j
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_56D637:				; CODE XREF: RtlpGetNameFromLangInfoNode+53j
					; RtlpGetNameFromLangInfoNode+64j ...
		mov	esi, 0C00000E5h
		jmp	short loc_56D62F
; 

loc_56D63E:				; CODE XREF: RtlpGetNameFromLangInfoNode+Ej
					; RtlpGetNameFromLangInfoNode+12j ...
		mov	eax, 0C000000Dh
		jmp	short loc_56D631
RtlpGetNameFromLangInfoNode endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpMuiRegCreateKernelRegistryInfo(size_t,int,int,int,int)
RtlpMuiRegCreateKernelRegistryInfo proc	near ; CODE XREF: MUIRegistrySystemRoutine(x)+26p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005F5376 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], eax
		xor	ebx, ebx
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	loc_5F5380
		test	eax, eax
		jz	loc_5F5380
		cmp	[ebp+arg_0], ebx
		jz	loc_5F5380
		cmp	[ebp+arg_8], ebx
		jz	loc_5F5380
		cmp	[ebp+arg_10], ebx
		jz	loc_5F5380
		call	_RtlpMuiRegCreateRegistryInfo@0	; RtlpMuiRegCreateRegistryInfo()
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		jz	loc_5F5376
		mov	ecx, ebx
		call	RtlpMuiRegLoadRegistryInfo
		mov	esi, eax
		test	esi, esi
		js	loc_56D7B0
		mov	ecx, [ebx+14h]
		movzx	edx, word ptr [ecx+6]
		test	edx, edx
		jz	short loc_56D6E5
		mov	ecx, [ecx+0Ch]
		mov	ebx, [ebp+var_4]

loc_56D6C0:				; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+97j
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_4], eax
		and	eax, 9020h
		cmp	eax, 20h
		jnz	short loc_56D6D7
		test	byte ptr [ebp+var_4], 3
		jz	short loc_56D6D7
		inc	ebx

loc_56D6D7:				; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+88j
					; RtlpMuiRegCreateKernelRegistryInfo+8Ej
		add	ecx, 1Ch
		sub	edx, 1
		jnz	short loc_56D6C0
		mov	[ebp+var_4], ebx
		mov	ebx, [ebp+var_8]

loc_56D6E5:				; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+72j
		mov	ecx, [ebp+arg_0]
		mov	esi, [ebp+arg_8]
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+arg_4]
		mov	[ecx], eax
		and	[esi], edi
		xor	edi, edi
		inc	edi
		test	edx, edx
		jz	short loc_56D70C
		push	0
		push	edi
		mov	ecx, ebx
		call	RtlpMuiRegGetInstalledLanguageIndexByLangId
		test	eax, eax
		js	short loc_56D70C
		mov	[esi], edi

loc_56D70C:				; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+B4j
					; RtlpMuiRegCreateKernelRegistryInfo+C2j
		mov	esi, [ebp+arg_10]
		mov	edx, [ebp+arg_C]
		and	dword ptr [esi], 0
		test	edx, edx
		jz	short loc_56D729
		push	0
		push	edi
		mov	ecx, ebx
		call	RtlpMuiRegGetInstalledLanguageIndexByLangId
		test	eax, eax
		js	short loc_56D729
		mov	[esi], edi

loc_56D729:				; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+D1j
					; RtlpMuiRegCreateKernelRegistryInfo+DFj
		and	[ebp+arg_0], 0
		lea	eax, [ebp+arg_0]
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	_RtlpMuiRegSerializeRegistryInfo
		mov	esi, eax
		test	esi, esi
		js	short loc_56D7B0
		cmp	[ebp+arg_0], 0
		jz	loc_56D7D1
		mov	eax, large fs:20h
		mov	ecx, edi
		mov	edx, [ebp+arg_0]
		push	0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	72746C6Dh
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jz	short loc_56D7D5
		push	[ebp+arg_0]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_56D788:				; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+18Dj
		test	edi, edi
		jz	short loc_56D7D5
		lea	eax, [ebp+arg_0]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_RtlpMuiRegSerializeRegistryInfo
		mov	esi, eax
		test	esi, esi
		js	loc_5F5385
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		mov	[eax], edi
		mov	eax, [ebp+arg_0]
		mov	[ecx], eax

loc_56D7B0:				; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+63j
					; RtlpMuiRegCreateKernelRegistryInfo+F8j ...
		test	ebx, ebx
		jz	short loc_56D7C8
		mov	edx, 0FFFh
		mov	ecx, ebx
		call	RtlpMuiRegFreeRegistryInfo
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_56D7C8:				; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+16Cj
					; RtlpMuiRegCreateKernelRegistryInfo+87D35j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_56D7D1:				; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+FEj
		xor	edi, edi
		jmp	short loc_56D788
; 

loc_56D7D5:				; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+132j
					; RtlpMuiRegCreateKernelRegistryInfo+144j
		mov	esi, 0C0000017h
		jmp	short loc_56D7B0
RtlpMuiRegCreateKernelRegistryInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpMuiRegLoadLicInformation proc near	; CODE XREF: RtlpMuiRegLoadRegistryInfo+14p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F53DE SIZE 0000014B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		or	[esp+4Ch+var_18], 0FFFFFFFFh
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+54h+var_28], ecx
		mov	[esp+54h+var_3C], esi
		mov	ebx, esi
		mov	[esp+54h+var_8], esi
		mov	[esp+54h+var_4], esi
		mov	[esp+54h+var_38], esi
		mov	[esp+54h+var_48], esi
		mov	[esp+54h+var_4C], esi
		mov	[esp+54h+var_44], esi
		mov	[esp+54h+var_24], esi
		mov	[esp+54h+var_40], ebx
		mov	[esp+54h+var_30], esi
		mov	[esp+54h+var_20], esi
		mov	[esp+54h+var_1C], esi
		push	edi
		mov	edi, esi
		mov	[esp+58h+var_34], edi
		test	ecx, ecx
		jz	loc_5F53DE
		lea	eax, [esp+58h+var_4C]
		mov	ecx, offset ??_C@_1CK@MPIDPHBP@?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AAE?$AAx?$AAc?$AAl?$AAu?$AAd?$AAe?$AAd@FNODOBFM@
		push	eax
		lea	eax, [esp+5Ch+var_48]
		push	eax
		lea	edx, [esp+60h+var_38]
		call	RtlpGetWindowsPolicy
		test	eax, eax
		jns	loc_5F53EA

loc_56D855:				; CODE XREF: RtlpMuiRegLoadLicInformation+87C27j
		lea	eax, [esp+58h+var_4C]
		mov	ecx, offset ??_C@_1DE@JIOMGOFI@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAU?$AAI?$AA?9?$AAN?$AAu?$AAm?$AAb@FNODOBFM@
		push	eax
		lea	eax, [esp+5Ch+var_48]
		push	eax
		lea	edx, [esp+60h+var_38]
		call	RtlpGetWindowsPolicy
		test	eax, eax
		js	short loc_56D884
		mov	ecx, [esp+58h+var_4C]
		mov	eax, [ecx]
		mov	[esp+58h+var_18], eax
		call	ExFreeHeapPool
		mov	[esp+58h+var_4C], esi

loc_56D884:				; CODE XREF: RtlpMuiRegLoadLicInformation+93j
		lea	eax, [esp+58h+var_4C]
		mov	ecx, (offset off_5A7CF0+2)
		push	eax
		lea	eax, [esp+5Ch+var_48]
		push	eax
		lea	edx, [esp+60h+var_38]
		call	RtlpGetWindowsPolicy
		test	eax, eax
		js	loc_56D9A6
		mov	ecx, [esp+58h+var_48]
		lea	esi, [ecx+4]
		mov	[esp+58h+var_14], esi
		test	esi, esi
		jz	loc_5F5408
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	0
		mov	edx, esi
		inc	ecx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	72746C6Dh
		call	ExpAllocatePoolWithTagFromNode
		mov	[esp+58h+var_44], eax
		test	eax, eax
		jz	short loc_56D8F9
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esp+64h+var_44]
		add	esp, 0Ch

loc_56D8F9:				; CODE XREF: RtlpMuiRegLoadLicInformation+10Bj
		mov	ecx, [esp+58h+var_48]
		xor	edx, edx

loc_56D8FF:				; CODE XREF: RtlpMuiRegLoadLicInformation+87C34j
		mov	[esp+58h+var_10], eax
		test	eax, eax
		jz	loc_5F5415
		push	ecx		; size_t
		push	[esp+5Ch+var_4C] ; void	*
		push	eax		; void *
		call	_memcpy
		mov	eax, [esp+64h+var_44]
		add	esp, 0Ch
		mov	[esp+58h+var_2C], eax
		xor	esi, esi
		push	offset ??_C@_13PJJBFPED@?$AA?$DL@FNODOBFM@ ; wchar_t *
		push	eax		; wchar_t *
		call	_wcspbrk
		mov	[esp+60h+var_24], eax
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_5F5429

loc_56D93C:				; CODE XREF: RtlpMuiRegLoadLicInformation+87C9Bj
		mov	eax, [esp+58h+var_2C]
		xor	ecx, ecx
		cmp	[eax], cx
		jz	short loc_56D969
		push	eax
		lea	eax, [esp+5Ch+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+58h+var_3C]
		push	eax
		lea	eax, [esp+5Ch+var_8]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jnz	loc_5F547C

loc_56D969:				; CODE XREF: RtlpMuiRegLoadLicInformation+169j
					; RtlpMuiRegLoadLicInformation+87CA1j
		test	esi, esi
		jnz	short loc_56D976
		mov	ecx, [esp+58h+var_44]
		call	ExFreeHeapPool

loc_56D976:				; CODE XREF: RtlpMuiRegLoadLicInformation+18Fj
		mov	eax, esi
		neg	eax
		sbb	eax, eax
		and	eax, [esp+58h+var_14]
		neg	esi
		mov	[esp+58h+var_24], eax
		sbb	esi, esi
		and	esi, [esp+58h+var_10]
		cmp	[esp+58h+var_4C], 0
		mov	[esp+58h+var_44], esi
		jz	short loc_56D9A0
		mov	ecx, [esp+58h+var_4C]
		call	ExFreeHeapPool

loc_56D9A0:				; CODE XREF: RtlpMuiRegLoadLicInformation+1B9j
		xor	esi, esi
		mov	[esp+58h+var_4C], esi

loc_56D9A6:				; CODE XREF: RtlpMuiRegLoadLicInformation+C2j
		lea	eax, [esp+58h+var_4C]
		mov	ecx, offset ??_C@_1DO@NJNPPJHL@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAU?$AAI?$AA?9?$AAL?$AAa?$AAn?$AAg@FNODOBFM@
		push	eax
		lea	eax, [esp+5Ch+var_48]
		push	eax
		lea	edx, [esp+60h+var_38]
		call	RtlpGetWindowsPolicy
		test	eax, eax
		js	loc_56DAC4
		mov	eax, [esp+58h+var_48]
		lea	esi, [eax+4]
		mov	[esp+58h+var_14], esi
		test	esi, esi
		jz	loc_5F5482
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	ecx
		mov	edx, esi
		inc	ecx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	72746C6Dh
		call	ExpAllocatePoolWithTagFromNode
		mov	ebx, eax
		mov	[esp+58h+var_40], ebx
		test	ebx, ebx
		jz	short loc_56DA19
		push	esi		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch

loc_56DA19:				; CODE XREF: RtlpMuiRegLoadLicInformation+22Ej
		mov	eax, [esp+58h+var_48]
		xor	edx, edx

loc_56DA1F:				; CODE XREF: RtlpMuiRegLoadLicInformation+87CAEj
		mov	[esp+58h+var_C], ebx
		test	ebx, ebx
		jz	loc_5F548F
		push	eax		; size_t
		push	[esp+5Ch+var_4C] ; void	*
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[esp+58h+var_2C], ebx
		xor	eax, eax
		mov	esi, eax
		push	offset ??_C@_13PJJBFPED@?$AA?$DL@FNODOBFM@ ; wchar_t *
		push	ebx		; wchar_t *
		call	_wcspbrk
		mov	[esp+60h+var_10], eax
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_5F5495

loc_56DA5A:				; CODE XREF: RtlpMuiRegLoadLicInformation+87D09j
		mov	eax, [esp+58h+var_2C]
		xor	ecx, ecx
		cmp	[eax], cx
		jz	short loc_56DA87
		push	eax
		lea	eax, [esp+5Ch+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+58h+var_3C]
		push	eax
		lea	eax, [esp+5Ch+var_8]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jnz	loc_5F54EA

loc_56DA87:				; CODE XREF: RtlpMuiRegLoadLicInformation+287j
					; RtlpMuiRegLoadLicInformation+87D0Fj
		test	esi, esi
		jnz	short loc_56DA92
		mov	ecx, ebx
		call	ExFreeHeapPool

loc_56DA92:				; CODE XREF: RtlpMuiRegLoadLicInformation+2ADj
		mov	eax, esi
		mov	ebx, esi
		neg	eax
		sbb	eax, eax
		and	eax, [esp+58h+var_14]
		neg	ebx
		mov	[esp+58h+var_30], eax
		sbb	ebx, ebx
		and	ebx, [esp+58h+var_C]
		cmp	[esp+58h+var_4C], 0
		mov	[esp+58h+var_40], ebx
		jz	short loc_56DABE
		mov	ecx, [esp+58h+var_4C]
		call	ExFreeHeapPool

loc_56DABE:				; CODE XREF: RtlpMuiRegLoadLicInformation+2D7j
		xor	esi, esi
		mov	[esp+58h+var_4C], esi

loc_56DAC4:				; CODE XREF: RtlpMuiRegLoadLicInformation+1E4j
		lea	eax, [esp+58h+var_4C]
		mov	ecx, offset ??_C@_1DA@HOOFFHMM@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAU?$AAI?$AA?9?$AAL?$AAa?$AAn?$AAg@FNODOBFM@
		push	eax
		lea	eax, [esp+5Ch+var_48]
		push	eax
		lea	edx, [esp+60h+var_38]
		call	RtlpGetWindowsPolicy
		test	eax, eax
		js	loc_56DC22
		mov	eax, [esp+58h+var_48]
		lea	esi, [eax+4]
		mov	[esp+58h+var_10], esi
		test	esi, esi
		jz	loc_5F54F0
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	ecx
		mov	edx, esi
		inc	ecx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	72746C6Dh
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		mov	[esp+58h+var_34], edi
		test	edi, edi
		jz	short loc_56DB37
		push	esi		; size_t
		xor	eax, eax
		push	eax		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_56DB37:				; CODE XREF: RtlpMuiRegLoadLicInformation+34Cj
		mov	eax, [esp+58h+var_48]
		xor	edx, edx

loc_56DB3D:				; CODE XREF: RtlpMuiRegLoadLicInformation+87D1Cj
		mov	[esp+58h+var_14], edi
		test	edi, edi
		jz	loc_5F541B
		push	eax		; size_t
		push	[esp+5Ch+var_4C] ; void	*
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[esp+58h+var_2C], edi
		xor	eax, eax
		mov	esi, eax
		push	offset ??_C@_13PJJBFPED@?$AA?$DL@FNODOBFM@ ; wchar_t *
		push	edi		; wchar_t *
		call	_wcspbrk
		mov	[esp+60h+var_C], eax
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_56DBC2
		mov	ebx, [esp+58h+var_2C]
		mov	edi, eax

loc_56DB7A:				; CODE XREF: RtlpMuiRegLoadLicInformation+3D8j
		xor	eax, eax
		mov	[edi], ax
		add	edi, 2
		push	ebx
		lea	eax, [esp+5Ch+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+58h+var_3C]
		push	eax
		lea	eax, [esp+5Ch+var_8]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jz	short loc_56DBA1
		inc	esi

loc_56DBA1:				; CODE XREF: RtlpMuiRegLoadLicInformation+3C2j
		push	offset ??_C@_13PJJBFPED@?$AA?$DL@FNODOBFM@ ; wchar_t *
		push	edi		; wchar_t *
		mov	ebx, edi
		call	_wcspbrk
		mov	edi, eax
		pop	ecx
		pop	ecx
		test	edi, edi
		jnz	short loc_56DB7A
		mov	edi, [esp+58h+var_34]
		mov	[esp+58h+var_2C], ebx
		mov	ebx, [esp+58h+var_40]

loc_56DBC2:				; CODE XREF: RtlpMuiRegLoadLicInformation+396j
		mov	eax, [esp+58h+var_2C]
		xor	ecx, ecx
		cmp	[eax], cx
		jz	short loc_56DBEC
		push	eax
		lea	eax, [esp+5Ch+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+58h+var_3C]
		push	eax
		lea	eax, [esp+5Ch+var_8]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jz	short loc_56DBEC
		inc	esi

loc_56DBEC:				; CODE XREF: RtlpMuiRegLoadLicInformation+3EFj
					; RtlpMuiRegLoadLicInformation+40Dj
		test	esi, esi
		jz	loc_5F54FD

loc_56DBF4:				; CODE XREF: RtlpMuiRegLoadLicInformation+87D28j
		mov	eax, esi
		mov	edi, esi
		neg	eax
		sbb	eax, eax
		and	eax, [esp+58h+var_10]
		neg	edi
		mov	[esp+58h+var_20], eax
		sbb	edi, edi
		and	edi, [esp+58h+var_14]
		cmp	[esp+58h+var_4C], 0
		jz	short loc_56DC1C
		mov	ecx, [esp+58h+var_4C]
		call	ExFreeHeapPool

loc_56DC1C:				; CODE XREF: RtlpMuiRegLoadLicInformation+435j
		xor	esi, esi
		mov	[esp+58h+var_4C], esi

loc_56DC22:				; CODE XREF: RtlpMuiRegLoadLicInformation+302j
					; RtlpMuiRegLoadLicInformation+87C48j
		mov	ecx, [esp+58h+var_4C]
		test	ecx, ecx
		jnz	short loc_56DC75

loc_56DC2A:				; CODE XREF: RtlpMuiRegLoadLicInformation+49Ej
		mov	eax, [esp+58h+var_44]
		test	eax, eax
		jnz	loc_5F5509

loc_56DC36:				; CODE XREF: RtlpMuiRegLoadLicInformation+87D2Fj
					; RtlpMuiRegLoadLicInformation+87D48j
		mov	ecx, [esp+58h+var_28]

loc_56DC3A:				; CODE XREF: RtlpMuiRegLoadLicInformation+87C09j
		mov	edx, [esp+58h+var_1C]
		or	dword ptr [ecx], 800h
		mov	[ecx+4Ch], eax
		mov	eax, [esp+58h+var_24]
		mov	[ecx+58h], eax
		mov	eax, [esp+58h+var_30]
		mov	[ecx+60h], eax
		mov	eax, [esp+58h+var_20]
		mov	[ecx+50h], edi
		pop	edi
		mov	[ecx+54h], eax
		mov	eax, esi
		mov	[ecx+44h], edx
		mov	edx, [esp+54h+var_18]
		pop	esi
		mov	[ecx+5Ch], ebx
		mov	[ecx+48h], edx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_56DC75:				; CODE XREF: RtlpMuiRegLoadLicInformation+44Cj
		call	ExFreeHeapPool
		jmp	short loc_56DC2A
RtlpMuiRegLoadLicInformation endp


;  S U B	R O U T	I N E 


; int __fastcall DownLevelLanguageNameToLangID(void *)
_DownLevelLanguageNameToLangID@8 proc near ; CODE XREF:	LdrpGetParentLangId+8FBD1p
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+21Cp ...
		mov	edi, edi
		push	ebx
		mov	ebx, edx
		push	esi
		test	ecx, ecx
		jz	short loc_56DCCF
		test	ebx, 0FFFFFFFDh
		jnz	short loc_56DCCF
		push	offset ?CompareLangName@@YAHPBX0@Z ; int __cdecl (*)(const void	*,const	void *)
		push	4		; size_t
		push	1B4h		; size_t
		mov	esi, (offset loc_401BEF+1)
		push	esi		; void *
		push	ecx		; void *
		call	_bsearch
		add	esp, 14h
		test	eax, eax
		jz	short loc_56DCCF
		sub	eax, esi
		sar	eax, 2
		movsx	eax, word ptr ds:(loc_418C0F+1)[eax*2]
		imul	ecx, eax, 0Ch
		add	ecx, offset off_4022C0
		test	bl, 2
		jz	short loc_56DCD3

loc_56DCC8:				; CODE XREF: DownLevelLanguageNameToLangID(x,x)+5Ej
		mov	ax, [ecx+4]

loc_56DCCC:				; CODE XREF: DownLevelLanguageNameToLangID(x,x)+55j
		pop	esi
		pop	ebx
		retn
; 

loc_56DCCF:				; CODE XREF: DownLevelLanguageNameToLangID(x,x)+8j
					; DownLevelLanguageNameToLangID(x,x)+10j ...
		xor	eax, eax
		jmp	short loc_56DCCC
; 

loc_56DCD3:				; CODE XREF: DownLevelLanguageNameToLangID(x,x)+4Aj
		call	IsNeutralLanguageItem
		test	eax, eax
		jz	short loc_56DCC8
		jmp	short loc_56DCCF
_DownLevelLanguageNameToLangID@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RaspGetXExtent	proc near		; CODE XREF: BcpGetCharacterMaxResourceProfile(x,x,x,x)+49p
					; BgpRasGetGlyphAdvanceWidth(x,x,x,x,x)+29p

var_60		= dword	ptr -60h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005F558E SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		push	ebx
		push	esi
		push	edi
		push	32h		; size_t
		xor	edi, edi
		mov	[ebp+var_14], edx
		lea	eax, [ebp+var_60]
		mov	[ebp+var_C], ecx
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_C]
		mov	esi, edi
		mov	ebx, edi
		mov	[ebp+var_1C], edi
		mov	ecx, edi
		mov	[ebp+var_10], edi
		xor	eax, eax
		mov	[ebp+var_20], esi
		lea	edi, [ebp+var_2C]
		mov	[ebp+var_4], ebx
		stosd
		add	esp, 0Ch
		mov	[ebp+var_8], ecx
		stosd
		stosd
		mov	edi, [ebp+arg_C]
		mov	eax, [edi]
		mov	[ebp+arg_C], eax
		cmp	dx, 20h
		jb	short loc_56DD5F
		mov	eax, [ebp+var_14]
		lea	esi, [ebp+var_10]
		push	esi
		mov	ecx, [eax+8]
		push	ecx
		mov	[ebp+var_18], ecx
		push	dword ptr [ecx+14h]
		mov	ecx, offset _RaspBitmapCache
		push	dword ptr [eax+0Ch]
		call	_RaspGetCacheEntry@24 ;	RaspGetCacheEntry(x,x,x,x,x,x)
		mov	esi, [ebp+var_10]
		test	esi, esi
		jz	short loc_56DD7F

loc_56DD53:				; CODE XREF: RaspGetXExtent+128j
					; RaspGetXExtent+13Aj
		mov	ecx, [esi+1Ch]
		mov	eax, [esi+2Eh]
		mov	esi, [ebp+var_20]
		mov	[edi+8], eax

loc_56DD5F:				; CODE XREF: RaspGetXExtent+4Ej
					; RaspGetXExtent+878BBj
		cmp	[ebp+arg_C], 0
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jnz	loc_5F559E
		test	esi, esi
		js	loc_5F559E

loc_56DD76:				; CODE XREF: RaspGetXExtent+878C2j
					; RaspGetXExtent+878CBj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_56DD7F:				; CODE XREF: RaspGetXExtent+73j
		mov	ebx, [ebp+var_14]
		lea	eax, [ebp+var_1C]
		mov	edx, [ebp+var_C]
		push	edi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	ecx
		push	ecx
		mov	ecx, ebx
		call	RaspRasterize
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		js	loc_5F5593
		cmp	[ebp+arg_C], 0
		jnz	short loc_56DE1D
		push	32h
		lea	edx, [ebp+var_2C]
		pop	ecx
		call	RaspAllocateMemory
		mov	esi, eax
		test	esi, esi
		jz	loc_5F558E

loc_56DDC5:				; CODE XREF: RaspGetXExtent+142j
		cmp	[ebp+arg_C], 0
		mov	eax, [ebx+0Ch]
		mov	edx, [edi+8]
		mov	ecx, [ebp+var_18]
		mov	ebx, [ebp+var_C]
		push	4
		mov	ecx, [ecx+14h]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_18]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_8]
		mov	[esi+1Ch], eax
		mov	eax, [ebp+var_1C]
		mov	[esi+20h], eax
		pop	eax
		mov	[esi+2Ch], bx
		mov	ebx, [ebp+var_4]
		mov	[esi+14h], ecx
		mov	[esi+24h], eax
		mov	[esi+28h], eax
		mov	[esi+8], ebx
		mov	[esi+2Eh], edx
		jnz	loc_56DD53
		mov	edx, esi
		mov	ecx, offset _RaspBitmapCache
		call	_RaspAddCacheEntry@8 ; RaspAddCacheEntry(x,x)
		jmp	loc_56DD53
; 

loc_56DE1D:				; CODE XREF: RaspGetXExtent+D0j
		lea	esi, [ebp+var_60]
		jmp	short loc_56DDC5
RaspGetXExtent	endp


;  S U B	R O U T	I N E 


; __stdcall RaspFreeMemory(x, x)
_RaspFreeMemory@8 proc near		; CODE XREF: TxtpAddCacheEntry+9D8p
					; TxtpAddCacheEntry+9E2p
		cmp	dword ptr [edx], 0
		jz	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		retn
_RaspFreeMemory@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _SysCtxInternalEnumSubkeyCallback(x, x, x)
__SysCtxInternalEnumSubkeyCallback@12 proc near	; CODE XREF: _RegRtlEnumKeyWithCallback+131p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		push	dword ptr [eax+8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	dword ptr [eax]
		call	dword ptr [eax+4]
		pop	ebp
		retn	0Ch
__SysCtxInternalEnumSubkeyCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxInternalEnumKeyCallback(x, x, x, x)
__PnpCtxInternalEnumKeyCallback@16 proc	near
					; DATA XREF: _PnpCtxRegEnumKeyWithCallback(x,x,x,x)+2Eo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	dword ptr [eax+8]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	dword ptr [eax]
		call	dword ptr [eax+4]
		pop	ebp
		retn	10h
__PnpCtxInternalEnumKeyCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpAeThresholdInitWorker(x,	x, x, x)
_ExpAeThresholdInitWorker@16 proc near	; DATA XREF: ExpAeThresholdInitialization+91o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		xor	ecx, ecx
		or	eax, 0FFFFFFFFh
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[esp+20h+var_10], ecx
		mov	[esp+20h+var_C], ecx
		lock xadd [edi], eax
		dec	eax
		mov	esi, eax
		mov	edx, 80000000h
		not	esi
		and	esi, edx
		test	eax, 7FFFFFFFh
		jnz	loc_56DF1C
		mov	eax, [edi+4]
		or	eax, esi
		mov	[edi], eax

loc_56DEA0:				; CODE XREF: ExpAeThresholdInitWorker(x,x,x,x)+DAj
		mov	esi, [ebp+arg_4]
		mov	edi, 400h

loc_56DEA8:				; CODE XREF: ExpAeThresholdInitWorker(x,x,x,x)+66j
		mov	ecx, esi
		call	_ExpAeMeasureContention@4 ; ExpAeMeasureContention(x)
		mov	ecx, [esp+20h+var_10]
		add	ecx, eax
		mov	eax, [esp+20h+var_C]
		mov	[esp+20h+var_10], ecx
		adc	eax, edx
		mov	[esp+20h+var_C], eax
		sub	edi, 1
		jnz	short loc_56DEA8
		lock inc dword ptr [esi+88h]
		lea	edx, [esi+80h]
		mov	[esp+20h+var_8], edx

loc_56DED9:				; CODE XREF: ExpAeThresholdInitWorker(x,x,x,x)+A5j
					; ExpAeThresholdInitWorker(x,x,x,x)+ABj
		mov	edi, [edx]
		mov	ebx, edi
		mov	edx, [edx+4]
		add	ebx, ecx
		mov	ecx, edx
		mov	[esp+20h+var_4], edx
		adc	ecx, eax
		mov	eax, edi
		nop
		mov	esi, [esp+20h+var_8]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [esp+20h+var_10]
		mov	esi, edx
		mov	edx, [esp+20h+var_8]
		cmp	eax, edi
		mov	eax, [esp+20h+var_C]
		jnz	short loc_56DED9
		cmp	esi, [esp+20h+var_4]
		jnz	short loc_56DED9
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_56DF1C:				; CODE XREF: ExpAeThresholdInitWorker(x,x,x,x)+33j
		mov	eax, [edi]
		mov	[esp+20h+var_4], ecx
		and	eax, edx
		jmp	short loc_56DF36
; 

loc_56DF26:				; CODE XREF: ExpAeThresholdInitWorker(x,x,x,x)+D8j
		lea	ecx, [esp+20h+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		and	eax, 80000000h

loc_56DF36:				; CODE XREF: ExpAeThresholdInitWorker(x,x,x,x)+C4j
		cmp	eax, esi
		jnz	short loc_56DF26
		jmp	loc_56DEA0
_ExpAeThresholdInitWorker@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpAeMeasureContention(x)
_ExpAeMeasureContention@4 proc near	; CODE XREF: ExpAeThresholdInitWorker(x,x,x,x)+4Ap
					; ExpAeThresholdInitialization+68p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		rdtsc
		mov	edi, [ebx]
		mov	[ebp+var_4], eax
		mov	eax, edi
		mov	[ebp+var_8], edx
		lea	esi, [edi+1]
		lock cmpxchg [ebx], esi
		mov	esi, eax
		cmp	esi, edi
		jnz	short loc_56DF72

loc_56DF65:				; CODE XREF: ExpAeMeasureContention(x)+41j
		rdtsc
		sub	eax, [ebp+var_4]
		pop	edi
		sbb	edx, [ebp+var_8]
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_56DF72:				; CODE XREF: ExpAeMeasureContention(x)+23j
					; ExpAeMeasureContention(x)+3Fj
		mov	ecx, esi
		inc	esi
		mov	eax, ecx
		lock cmpxchg [ebx], esi
		mov	esi, eax
		cmp	esi, ecx
		jnz	short loc_56DF72
		jmp	short loc_56DF65
_ExpAeMeasureContention@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeBalanceSetManager proc near		; DATA XREF: MiIsWorkingSetTrimThread()+Co
					; MiInitSystem+33o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F55E2 SIZE 0000008B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		push	11h
		push	eax
		call	KeSetPriorityThread
		xor	edi, edi
		push	edi
		push	ds:_KeMaximumIncrement
		push	edi
		push	8F0D180h
		call	__aulldiv
		mov	_KiStackProtectTime, eax
		mov	eax, dword_6D5D40
		push	8
		pop	ebx
		add	eax, 48h
		mov	[ebp+var_4], ebx
		mov	[ebp+var_14], offset _KiBalanceSetManagerPeriodicEvent
		mov	[ebp+var_10], eax

loc_56DFCE:				; CODE XREF: KeBalanceSetManager+9Cj
					; KeBalanceSetManager+EEj ...
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		push	2
		call	KeWaitForMultipleObjects
		sub	eax, edi
		jnz	loc_56E0B6
		mov	eax, _IopIrpCreditsEnabled
		cmp	eax, 1
		jg	loc_5F55E2

loc_56DFF6:				; CODE XREF: KeBalanceSetManager+8766Dj
					; KeBalanceSetManager+876D7j
		call	_ExAdjustLookasideDepth@0 ; ExAdjustLookasideDepth()
		call	_EtwAdjustTraceBuffers@0 ; EtwAdjustTraceBuffers()
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	_MiWorkingSetManager@8 ; MiWorkingSetManager(x,x)
		call	_PsEnforceExecutionLimits@0 ; PsEnforceExecutionLimits()
		sub	ebx, 1
		mov	[ebp+var_4], ebx
		jz	short loc_56E07F

loc_56E019:				; CODE XREF: KeBalanceSetManager+111j
					; KeBalanceSetManager+12Dj
		cmp	_PopEnergyEstimationEnabled, 0
		jz	short loc_56DFCE
		mov	[ebp+var_C], edi

loc_56E025:				; CODE XREF: KeBalanceSetManager+876E4j
		mov	edx, ds:dword_7186C4
		mov	eax, ds:_KeTickCount
		mov	[ebp+var_8], eax
		cmp	edx, ds:dword_7186C8
		jnz	loc_5F5660
		mov	ecx, ds:0FFDF0004h
		mov	eax, ecx
		mul	edx
		mov	edi, eax
		mov	esi, edx
		mov	eax, ecx
		mul	[ebp+var_8]
		shld	esi, edi, 8
		shrd	eax, edx, 18h
		shl	edi, 8
		shr	edx, 18h
		add	edi, eax
		adc	esi, edx
		shrd	edi, esi, 0Ch
		cmp	_KiTimelineBitmapTime, edi
		jnz	short loc_56E077

loc_56E070:				; CODE XREF: KeBalanceSetManager+F9j
		xor	edi, edi
		jmp	loc_56DFCE
; 

loc_56E077:				; CODE XREF: KeBalanceSetManager+EAj
		mov	_KiTimelineBitmapTime, edi
		jmp	short loc_56E070
; 

loc_56E07F:				; CODE XREF: KeBalanceSetManager+93j
		push	8
		pop	ebx
		xor	ecx, ecx
		mov	[ebp+var_4], ebx
		inc	ecx
		mov	edx, offset _KiStackOutSwapRequest
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_56E019
		push	edi
		push	1
		push	offset _KiSwapEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	edi
		push	1
		push	offset _KiStackProtectNotifyEvent
		call	KePulseEvent
		jmp	loc_56E019
; 

loc_56E0B6:				; CODE XREF: KeBalanceSetManager+5Ej
		sub	eax, 1
		jnz	loc_56DFCE
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		inc	edx
		call	_MiWorkingSetManager@8 ; MiWorkingSetManager(x,x)
		jmp	loc_56DFCE
KeBalanceSetManager endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcQueueLazyWriteScanThread proc	near	; DATA XREF: CcInitializePartition+246o

var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= byte ptr -0B4h
var_AE		= byte ptr -0AEh
var_AD		= byte ptr -0ADh
var_AC		= dword	ptr -0ACh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F566D SIZE 0000010B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		and	[ebp+var_C0], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		lea	edi, [ebp+var_BC]
		xor	esi, esi
		stosd
		xor	cl, cl
		stosd
		stosd
		lea	eax, [ebx+0F4h]
		mov	[ebp+var_1C], eax
		lea	eax, [ebx+104h]
		mov	[ebp+var_18], eax
		lea	eax, [ebx+114h]
		mov	[ebp+var_14], eax
		lea	eax, [ebx+124h]
		mov	[ebp+var_10], eax
		lea	eax, [ebx+134h]
		mov	[ebp+var_C], eax
		lea	eax, [ebx+2A0h]
		mov	[ebp+var_C4], eax
		mov	[ebp+var_8], eax

loc_56E13F:				; CODE XREF: CcQueueLazyWriteScanThread+1C2j
		mov	[ebp+var_AD], 0
		test	cl, cl
		jz	short loc_56E151
		mov	ecx, ebx
		call	CcDereferencePartition

loc_56E151:				; CODE XREF: CcQueueLazyWriteScanThread+76j
		lea	eax, [ebp+var_AC]
		push	eax
		push	0
		push	0
		push	0
		xor	eax, eax
		push	8
		inc	eax
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	6
		call	KeWaitForMultipleObjects
		sub	eax, 0
		jz	loc_5F568F
		sub	eax, 1
		jz	loc_56E299
		sub	eax, 1
		jnz	loc_5F566D
		push	4
		pop	esi

loc_56E18D:				; CODE XREF: CcQueueLazyWriteScanThread+1D3j
					; CcQueueLazyWriteScanThread+875D0j
		lea	edi, [ebx+28Ch]
		mov	edx, [edi]
		lea	ecx, [edx+1]

loc_56E198:				; CODE XREF: CcQueueLazyWriteScanThread+875D8j
		xor	eax, eax
		inc	eax
		cmp	ecx, eax
		jbe	loc_5F574D
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	ecx, eax
		cmp	ecx, edx
		jnz	loc_5F56A7
		xor	eax, eax
		inc	eax
		cmp	_CcNumberOfExternalCaches, 0
		mov	[ebp+var_AE], al
		ja	loc_5F56AF

loc_56E1C9:				; CODE XREF: CcQueueLazyWriteScanThread+875E7j
					; CcQueueLazyWriteScanThread+875F5j ...
		mov	dl, [ebp+var_AD]
		mov	ecx, ebx
		call	CcAdjustWriteBehindThreadPoolIfNeeded
		lea	edx, [ebp+var_BC]
		lea	ecx, [ebx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, esi
		mov	ecx, ebx
		call	CcIsLazyWriteScanQueued
		test	al, al
		jnz	loc_56E2CD
		xor	eax, eax
		inc	eax
		push	eax
		call	CcSetLazyWriteScanQueued
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5F570F
		mov	eax, [ebp+var_BC]
		test	eax, eax
		jnz	loc_56E2B5
		mov	edx, [ebp+var_B8]
		lea	eax, [ebp+var_BC]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_BC]
		cmp	eax, ecx
		jnz	short loc_56E2AA

loc_56E237:				; CODE XREF: CcQueueLazyWriteScanThread+1F6j
					; CcQueueLazyWriteScanThread+8764Bj
		mov	cl, [ebp+var_B4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	edx, [ebp+var_C0]
		mov	ecx, ebx
		call	_CcAllocateWorkQueueEntry@8 ; CcAllocateWorkQueueEntry(x,x)
		test	eax, eax
		js	loc_5F5722
		mov	ecx, [ebp+var_C0]
		xor	edx, edx
		cmp	esi, 8
		setz	dl
		dec	edx
		mov	byte ptr [ecx+48h], 3
		and	edx, 10h
		mov	[ecx+8], esi
		mov	eax, [ecx+4Ch]
		add	edx, 94h
		add	edx, ebx
		add	eax, 0B4h
		cmp	eax, edx
		jz	loc_56E31B
		call	CcPostWorkQueueRegular

loc_56E28E:				; CODE XREF: CcQueueLazyWriteScanThread+244j
					; CcQueueLazyWriteScanThread+24Ej
		mov	cl, [ebp+var_AE]
		jmp	loc_56E13F
; 

loc_56E299:				; CODE XREF: CcQueueLazyWriteScanThread+A9j
		push	2

loc_56E29B:				; CODE XREF: CcQueueLazyWriteScanThread+875B1j
					; CcQueueLazyWriteScanThread+875B8j
		xor	ecx, ecx
		inc	ecx
		pop	esi
		mov	[ebp+var_AD], cl
		jmp	loc_56E18D
; 

loc_56E2AA:				; CODE XREF: CcQueueLazyWriteScanThread+163j
		lea	ecx, [ebp+var_BC]
		call	KxWaitForLockChainValid

loc_56E2B5:				; CODE XREF: CcQueueLazyWriteScanThread+143j
		xor	ecx, ecx
		mov	[ebp+var_BC], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_56E237
; 

loc_56E2CD:				; CODE XREF: CcQueueLazyWriteScanThread+11Dj
					; CcQueueLazyWriteScanThread+87676j
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5F56D9
		mov	eax, [ebp+var_BC]
		test	eax, eax
		jnz	loc_5F56F7
		mov	edx, [ebp+var_B8]
		lea	eax, [ebp+var_BC]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_BC]
		cmp	eax, ecx
		jnz	loc_5F56EC

loc_56E30A:				; CODE XREF: CcQueueLazyWriteScanThread+87615j
					; CcQueueLazyWriteScanThread+87638j
		mov	cl, [ebp+var_B4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_56E28E
; 

loc_56E31B:				; CODE XREF: CcQueueLazyWriteScanThread+1B1j
		call	CcPostWorkQueueCachemapUninit
		jmp	loc_56E28E
CcQueueLazyWriteScanThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAvlCompareKeyNames(x, x, x)
_EtwpAvlCompareKeyNames@12 proc	near	; DATA XREF: EtwpEnableKeyProviders+5Bo
					; EtwpInitializeAutoLoggers+6Fo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		push	ebx
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_56E334:				; CODE XREF: EtwpAvlCompareKeyNames(x,x,x)+17j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_56E334
		sub	ecx, edx
		mov	edx, [ebp+arg_4]
		push	esi
		sar	ecx, 1
		lea	esi, [edx+2]

loc_56E34A:				; CODE XREF: EtwpAvlCompareKeyNames(x,x,x)+2Dj
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, bx
		jnz	short loc_56E34A
		push	1
		push	ecx
		push	[ebp+arg_8]
		sub	edx, esi
		sar	edx, 1
		push	edx
		push	[ebp+arg_4]
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		pop	esi
		test	eax, eax
		js	short loc_56E375
		xor	ebx, ebx
		test	eax, eax
		setle	bl
		inc	ebx

loc_56E375:				; CODE XREF: EtwpAvlCompareKeyNames(x,x,x)+45j
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
_EtwpAvlCompareKeyNames@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSetupTimeIncrement proc near		; CODE XREF: KeInitializeClock+118p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F5778 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, ecx
		xor	ebx, ebx
		mov	ecx, 1388h
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	byte ptr [ebp+var_1], bl
		push	esi
		push	edi
		cmp	eax, ecx
		ja	loc_5F5778

loc_56E3A1:				; CODE XREF: KiSetupTimeIncrement+873FEj
		mov	edi, [ebp+arg_4]
		mov	esi, 2625Ah
		mov	edx, [ebp+arg_0]
		mov	ds:_KeMinimumIncrement,	ecx
		cmp	edi, ebx
		ja	short loc_56E3C4
		jb	loc_5F577F
		cmp	edx, esi
		jb	loc_5F577F

loc_56E3C4:				; CODE XREF: KiSetupTimeIncrement+38j
					; KiSetupTimeIncrement+87405j
		mov	ecx, ds:_KiMinDynamicTickDuration
		mov	ds:_KeMaximumIncrement,	esi
		cmp	eax, ecx
		ja	loc_5F5786

loc_56E3D8:				; CODE XREF: KiSetupTimeIncrement+87412j
		mov	eax, ds:dword_70505C
		cmp	edi, eax
		ja	short loc_56E3F8
		jb	short loc_56E3EB
		cmp	edx, ds:_KiMaxDynamicTickDuration
		jnb	short loc_56E3F8

loc_56E3EB:				; CODE XREF: KiSetupTimeIncrement+65j
		mov	eax, edi
		mov	ds:_KiMaxDynamicTickDuration, edx
		mov	ds:dword_70505C, eax

loc_56E3F8:				; CODE XREF: KiSetupTimeIncrement+63j
					; KiSetupTimeIncrement+6Dj
		cmp	eax, ebx
		ja	short loc_56E40E
		jb	loc_5F5793
		cmp	ds:_KiMaxDynamicTickDuration, ecx
		jb	loc_5F5793

loc_56E40E:				; CODE XREF: KiSetupTimeIncrement+7Ej
					; KiSetupTimeIncrement+87423j
		lea	eax, [ebp+arg_4+3]
		mov	_KiTickOffset, esi
		xor	ecx, ecx
		mov	byte ptr [ebp+arg_4+3],	bl
		push	eax
		mov	edx, esi
		inc	ecx
		call	RtlpComputeFraction
		mov	cl, byte ptr [ebp+arg_4+3]
		mov	ds:_KiMaximumIncrementReciprocal, eax
		neg	cl
		lea	eax, [ebp+var_C]
		mov	ds:_KiMaximumIncrementShiftCount, cl
		push	eax
		mov	ds:dword_70E66C, edx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, [ebp+var_C]
		mov	ebx, edx
		mov	esi, [ebp+var_8]
		lea	edx, [ebp+var_1]
		mov	edi, eax
		mov	ds:_KeTimeAdjustmentFrequency, ecx
		mov	ds:dword_70E724, esi
		call	RtlGenerateQpcToIncrementConstants
		mov	ecx, [ebp+var_C]
		mov	ds:0FFDF0300h, ecx
		mov	ecx, [ebp+var_8]
		mov	ds:0FFDF0304h, ecx
		mov	ds:0FFDF0360h, eax
		mov	al, byte ptr [ebp+var_1]
		mov	ds:0FFDF0364h, edx
		xor	edx, edx
		mov	ds:0FFDF0369h, al
		mov	eax, ds:0FFDF0360h
		mov	ds:0FFDF0358h, eax
		mov	eax, ds:0FFDF0364h
		mov	ds:0FFDF035Ch, eax
		mov	al, ds:0FFDF0369h
		mov	ds:0FFDF0368h, al
		mov	eax, (offset loc_98967E+2)
		div	ds:_KeMaximumIncrement
		mov	ds:0FFDF0348h, edi
		mov	ds:0FFDF034Ch, ebx
		mov	ds:0FFDF0350h, edi
		pop	edi
		pop	esi
		mov	ds:0FFDF0354h, ebx
		mov	ds:_KiBalanceSetManagerPeriod, eax
		mov	_KiBalanceSetManagerCount, eax
		pop	ebx
		leave
		retn	8
KiSetupTimeIncrement endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlGenerateQpcToIncrementConstants proc	near ; CODE XREF: KiSetupTimeIncrement+E2p
					; KeSetTimeAdjustment(x,x)+53p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	[ebp+var_8], edx
		lea	eax, [ebp-1]
		mov	edx, ecx
		mov	[ebp+var_1], 0
		push	eax
		mov	ecx, (offset loc_98967E+2)
		call	RtlpComputeFraction
		mov	cl, [ebp+var_1]
		test	cl, cl
		js	sub_5F57A4

loc_56E506:				; CODE XREF: sub_5F57A4+30j
		mov	esi, [ebp+var_8]
		mov	[esi], cl
		pop	esi
		leave
		retn
RtlGenerateQpcToIncrementConstants endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpComputeFraction proc near		; CODE XREF: KiSetupTimeIncrement+A4p
					; RtlGenerateQpcToIncrementConstants+1Ap

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F57D9 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		and	[ebp+var_1C], 0
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		bsr	ecx, edx
		mov	[ebp+var_8], ebx
		mov	byte ptr [eax],	0
		jz	loc_5F57D9
		mov	al, 1Fh
		sub	al, cl

loc_56E535:				; CODE XREF: RtlpComputeFraction+872CDj
		add	al, 20h
		push	esi
		mov	[ebp+var_1], al
		movzx	ecx, al
		mov	eax, edx
		push	edi
		xor	edx, edx
		call	__allshl
		push	ebx
		push	0
		push	ebx
		push	edx
		push	eax
		call	__aulldvrm
		mov	edi, ebx
		pop	ebx
		nop
		mov	esi, ecx
		mov	[ebp+var_C], eax
		mov	ecx, edx
		push	ecx
		push	eax
		mov	[ebp+var_10], ecx
		call	RtlpCountLeadingZeroes64
		movzx	ecx, al
		mov	edx, edi
		mov	[ebp+var_2], al
		mov	eax, esi
		mov	[ebp+var_14], ecx
		call	__allshl
		push	ebx
		push	0
		push	[ebp+var_8]
		push	edx
		push	eax
		call	__aulldvrm
		mov	[ebp+var_18], ebx
		pop	ebx
		nop
		mov	[ebp+var_1C], ecx
		mov	esi, eax
		mov	eax, [ebp+var_C]
		mov	edi, edx
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_14]
		call	__allshl
		mov	ecx, [ebp+var_1C]
		mov	ebx, eax
		mov	eax, [ebp+var_18]
		add	ebx, esi
		adc	edx, edi
		shld	eax, ecx, 1
		pop	edi
		add	ecx, ecx
		pop	esi
		test	eax, eax
		jb	short loc_56E5C8
		ja	loc_5F57E0
		cmp	ecx, [ebp+var_8]
		ja	loc_5F57E0

loc_56E5C8:				; CODE XREF: RtlpComputeFraction+A9j
					; RtlpComputeFraction+872DEj ...
		mov	eax, [ebp+arg_0]
		mov	cl, 40h
		sub	cl, [ebp+var_1]
		sub	cl, [ebp+var_2]
		mov	[eax], cl
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
RtlpComputeFraction endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCountLeadingZeroes64 proc near	; CODE XREF: RtlpComputeFraction+55p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F5805 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		bsr	edx, [ebp+arg_4]
		push	1Fh
		pop	eax
		jz	short loc_56E5FE
		mov	cl, al
		sub	cl, dl

loc_56E5EF:				; CODE XREF: RtlpCountLeadingZeroes64+24j
		cmp	cl, 20h
		jnb	loc_5F5805
		mov	al, cl

locret_56E5FA:				; CODE XREF: RtlpCountLeadingZeroes64+87237j
		leave
		retn	8
; 

loc_56E5FE:				; CODE XREF: RtlpCountLeadingZeroes64+Dj
		mov	cl, 20h
		jmp	short loc_56E5EF
RtlpCountLeadingZeroes64 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspRegisterResource proc near		; CODE XREF: PsInitializeQuotaSystem(x)+9Ap
					; PsInitializeQuotaSystem(x)+A5p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F5818 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ds:_PspResourceFlags[ecx*8], dl
		mov	ds:dword_70EF4C[ecx*8],	eax
		test	dl, 2
		jnz	loc_5F5818
		or	eax, 0FFFFFFFFh

loc_56E624:				; CODE XREF: PspRegisterResource+87223j
		mov	ds:_PspDefaultResourceLimits[ecx*4], eax
		pop	ebp
		retn	4
PspRegisterResource endp

; 
		align 10h

;  S U B	R O U T	I N E 


KvfInitFeatureStates proc near		; CODE XREF: INIT:00ACD2F9p

; FUNCTION CHUNK AT 005F582A SIZE 0000002B BYTES

		mov	edx, _KvfFeatureStates
		cmp	edx, 8
		jnb	loc_5F582A

loc_56E63F:				; CODE XREF: KvfInitFeatureStates+87202j
		mov	eax, [ecx+84h]
		test	byte ptr [eax+54h], 1
		jz	loc_5F5837

locret_56E64F:				; CODE XREF: KvfInitFeatureStates+8720Aj
		retn
KvfInitFeatureStates endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExInitializePoolHeapManagement proc near ; CODE	XREF: MiInitNucleus(x)+2B1p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F5855 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_C], ebx
		call	_RtlHpKInitializeHeapManager@0 ; RtlHpKInitializeHeapManager()
		test	eax, eax
		js	loc_56E7A9
		xor	eax, eax
		mov	_RtlpHpLfhPerfFlags, 0FFh
		lea	edi, [ebp+var_20]
		xor	edx, edx	; int
		stosd
		stosd
		stosd
		mov	eax, edx
		mov	[ebp+var_8], eax
		cmp	dword_6D8E70, eax
		jbe	loc_56E72A
		mov	ebx, offset unk_6D9F00

loc_56E69B:				; CODE XREF: ExInitializePoolHeapManagement+D1j
		cmp	[ebp+var_1C], 0
		mov	ecx, edx
		mov	[ebp+var_14], edx
		mov	word ptr [ebp+var_14], 103h
		mov	byte ptr [ebp+var_14+2], al
		ja	loc_5F5855

loc_56E6B3:				; CODE XREF: ExInitializePoolHeapManagement+8720Aj
		push	edx
		push	[ebp+var_14]
		lea	edx, [ebp+var_4]
		call	_ExCreateHeap@16 ; ExCreateHeap(x,x,x,x)
		test	eax, eax
		js	loc_56E7A9
		cmp	[ebp+var_1C], 0
		mov	ecx, [ebp+var_4]
		mov	[ebx-107Ch], ecx
		ja	loc_5F585F

loc_56E6DA:				; CODE XREF: ExInitializePoolHeapManagement+8723Bj
		push	ecx		; int
		mov	ecx, ebx	; void *
		call	_RtlpDynamicLookasideInitialize@12 ; RtlpDynamicLookasideInitialize(x,x,x)
		mov	eax, [ebp+var_4]
		lea	edx, [ebp+var_4]
		push	0
		push	[ebp+var_14]
		mov	ecx, 40000000h
		mov	[eax+1Ch], ebx
		call	_ExCreateHeap@16 ; ExCreateHeap(x,x,x,x)
		test	eax, eax
		js	loc_56E7A9
		mov	eax, [ebp+var_4]
		mov	[ebx-1080h], eax
		add	ebx, 20C0h
		mov	eax, [ebp+var_8]
		inc	eax
		push	0
		mov	[ebp+var_8], eax
		pop	edx
		cmp	eax, dword_6D8E70
		jb	loc_56E69B
		mov	ebx, [ebp+var_C]

loc_56E72A:				; CODE XREF: ExInitializePoolHeapManagement+40j
		mov	[ebp+var_14], edx
		xor	ecx, ecx
		push	edx
		mov	byte ptr [ebp+var_14+2], dl
		lea	edx, [ebp+var_4]
		mov	word ptr [ebp+var_14], 103h
		push	[ebp+var_14]
		call	_ExCreateHeap@16 ; ExCreateHeap(x,x,x,x)
		test	eax, eax
		js	short loc_56E7A9
		mov	eax, [ebp+var_4]
		lea	edx, [ebp+var_4]
		push	0
		push	[ebp+var_14]
		mov	ecx, 40000000h
		or	dword ptr [eax+298h], 2
		or	byte ptr [eax+109h], 8
		or	byte ptr [eax+189h], 8
		mov	dword_6F9A84, eax
		call	_ExCreateHeap@16 ; ExCreateHeap(x,x,x,x)
		test	eax, eax
		js	short loc_56E7A9
		mov	eax, [ebp+var_4]
		or	dword ptr [eax+298h], 2
		or	byte ptr [eax+109h], 8
		or	byte ptr [eax+189h], 8
		mov	dword_6F9A80, eax
		call	ExInitializePoolTracker
		test	eax, eax
		js	short loc_56E7A9
		mov	ecx, offset _ExpPoolFlags
		lock or	[ecx], ebx

loc_56E7A9:				; CODE XREF: ExInitializePoolHeapManagement+1Bj
					; ExInitializePoolHeapManagement+71j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
ExInitializePoolHeapManagement endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInitializePagedHeaps()
_ExInitializePagedHeaps@0 proc near	; CODE XREF: MiInitSystem+21Bp

var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, esi
		mov	[ebp+var_4], esi
		push	edi
		cmp	dword_6D8E70, ebx
		jbe	loc_56E851
		mov	edi, offset unk_6D8EC0

loc_56E7D1:				; CODE XREF: ExInitializePagedHeaps()+A1j
		mov	[ebp+var_C], esi
		lea	edx, [ebp+var_4] ; int
		push	esi
		mov	byte ptr [ebp+var_C+2],	bl
		mov	ecx, 40000000h
		mov	byte ptr [ebp+var_C], 2
		push	[ebp+var_C]
		call	_ExCreateHeap@16 ; ExCreateHeap(x,x,x,x)
		test	eax, eax
		js	loc_56E8BE
		mov	esi, [ebp+var_4]
		push	ecx		; int
		mov	ecx, edi	; void *
		mov	[edi-38h], esi
		call	_RtlpDynamicLookasideInitialize@12 ; RtlpDynamicLookasideInitialize(x,x,x)
		mov	[esi+1Ch], edi
		lea	edx, [ebp+var_4]
		xor	esi, esi
		xor	ecx, ecx
		mov	[ebp+var_14], esi
		push	esi
		mov	byte ptr [ebp+var_14+2], bl
		mov	byte ptr [ebp+var_14], 0Ah
		push	[ebp+var_14]
		call	_ExCreateHeap@16 ; ExCreateHeap(x,x,x,x)
		test	eax, eax
		js	loc_56E8BE
		mov	eax, [ebp+var_4]
		mov	[edi-34h], eax
		add	edi, 20C0h
		or	dword ptr [eax+298h], 2
		or	byte ptr [eax+109h], 8
		or	byte ptr [eax+189h], 8
		inc	ebx
		cmp	ebx, dword_6D8E70
		jb	short loc_56E7D1

loc_56E851:				; CODE XREF: ExInitializePagedHeaps()+18j
		mov	[ebp+var_14], esi
		lea	edx, [ebp+var_4]
		push	esi
		mov	byte ptr [ebp+var_14], 2
		xor	ecx, ecx
		push	[ebp+var_14]
		call	_ExCreateHeap@16 ; ExCreateHeap(x,x,x,x)
		test	eax, eax
		js	short loc_56E8BE
		mov	eax, [ebp+var_4]
		lea	edx, [ebp+var_4]
		push	8
		pop	ebx
		mov	[ebp+var_14], esi
		xor	ecx, ecx
		or	dword ptr [eax+298h], 2
		or	[eax+109h], bl
		or	[eax+189h], bl
		push	esi
		mov	byte ptr [ebp+var_14], 0Ah
		push	[ebp+var_14]
		mov	dword_6F9A88, eax
		call	_ExCreateHeap@16 ; ExCreateHeap(x,x,x,x)
		test	eax, eax
		js	short loc_56E8BE
		mov	eax, [ebp+var_4]
		or	dword ptr [eax+298h], 2
		or	[eax+109h], bl
		or	[eax+189h], bl
		mov	dword_6F9A8C, eax
		mov	eax, esi

loc_56E8BE:				; CODE XREF: ExInitializePagedHeaps()+40j
					; ExInitializePagedHeaps()+73j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExInitializePagedHeaps@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; int __fastcall RtlpDynamicLookasideInitialize(void *,int,int)
_RtlpDynamicLookasideInitialize@12 proc	near ; CODE XREF: ExInitializePoolHeapManagement+8Dp
					; ExInitializePagedHeaps()+4Fp
		mov	edi, edi
		push	esi
		push	edi
		push	1040h		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [esi+8], 2Fh
		mov	dword ptr [esi+0Ch], 10h
		add	esi, 4Ah
		push	40h
		pop	eax

loc_56E8EF:				; CODE XREF: RtlpDynamicLookasideInitialize(x,x,x)+50j
		mov	[esi-0Ah], edi
		lea	esi, [esi+40h]
		mov	[esi-46h], edi
		mov	dword ptr [esi-42h], 1000000h
		mov	[esi-3Eh], edi
		mov	[esi-3Ah], edi
		mov	[esi-36h], edi
		mov	[esi-32h], edi
		mov	[esi-2Eh], edi
		mov	[esi-2Ah], edi
		sub	eax, 1
		jnz	short loc_56E8EF
		pop	edi
		pop	esi
		retn	4
_RtlpDynamicLookasideInitialize@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlHpKInitializeHeapManager()
_RtlHpKInitializeHeapManager@0 proc near ; CODE	XREF: ExInitializePoolHeapManagement+14p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		call	_RtlHpGlobalsInitialize@0 ; RtlHpGlobalsInitialize()
		and	[ebp+var_8], 0
		lea	edx, [ebp+var_8]
		xor	eax, eax
		mov	ecx, 200h
		xor	ebx, ebx
		mov	word ptr [ebp+var_8], cx
		or	eax, 5
		inc	ebx
		or	word ptr [ebp+var_8+2],	bx
		mov	ecx, offset _ExPoolState
		mov	[ebp+var_4], eax
		call	_RtlHpHeapManagerInitialize@8 ;	RtlHpHeapManagerInitialize(x,x)
		movzx	eax, ds:_KeNumberNodes
		push	10h
		pop	ecx
		mov	dword_6D8E70, eax
		cmp	eax, ecx
		ja	short loc_56E98D

loc_56E968:				; CODE XREF: RtlHpKInitializeHeapManager()+77j
		mov	esi, ds:_MmSystemRangeStart
		xor	edi, edi
		sub	edi, esi
		mov	eax, ebx
		push	2
		sbb	eax, 0
		mov	edx, ebx
		push	eax
		push	edi
		push	esi
		mov	ecx, offset _ExPoolState
		call	RtlHpHeapManagerStart
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_56E98D:				; CODE XREF: RtlHpKInitializeHeapManager()+4Aj
		mov	dword_6D8E70, ecx
		jmp	short loc_56E968
_RtlHpKInitializeHeapManager@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RtlHpGlobalsInitialize()
_RtlHpGlobalsInitialize@0 proc near	; CODE XREF: RtlHpKInitializeHeapManager()+Bp
					; ExpInitSystemPhase0()+DDp
		mov	edi, edi
		push	edi
		push	7
		pop	ecx
		xor	eax, eax
		mov	edi, offset _RtlpHpHeapGlobals
		rep stosd
		call	_RtlpHeapGenerateRandomValue64@0 ; RtlpHeapGenerateRandomValue64()
		mov	_RtlpHpHeapGlobals, eax
		call	_RtlpHeapGenerateRandomValue64@0 ; RtlpHeapGenerateRandomValue64()
		mov	dword_6BEC64, eax
		mov	dword_6BEC68, offset _RtlpHeapFailureInfo
		pop	edi
		retn
_RtlHpGlobalsInitialize@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall InbvSetFunction(x)
_InbvSetFunction@4 proc	near		; CODE XREF: BgkNotifyDisplayOwnershipChange+87FE8p
					; InbvDriverInitialize(x,x,x)+34p
		mov	eax, dword_6D4D44
		push	esi
		mov	esi, ecx
		cmp	eax, 3
		jnz	short loc_56EA09

loc_56E9D3:				; CODE XREF: InbvSetFunction(x)+46j
		mov	eax, dword_6D4D4C
		test	eax, eax
		jz	short loc_56E9E7
		mov	eax, [eax+44h]
		test	eax, eax
		jz	short loc_56E9E7
		push	0
		call	eax

loc_56E9E7:				; CODE XREF: InbvSetFunction(x)+14j
					; InbvSetFunction(x)+1Bj
		mov	ecx, offset off_6B2C20
		cmp	esi, 4
		jnz	short loc_56EA10

loc_56E9F1:				; CODE XREF: InbvSetFunction(x)+4Fj
		xor	eax, eax
		mov	dword_6D4D4C, ecx
		cmp	esi, 4
		pop	esi
		setz	al
		add	eax, 3
		mov	dword_6D4D44, eax
		retn
; 

loc_56EA09:				; CODE XREF: InbvSetFunction(x)+Bj
		cmp	eax, 4
		jz	short loc_56E9D3
		pop	esi
		retn
; 

loc_56EA10:				; CODE XREF: InbvSetFunction(x)+29j
		mov	ecx, offset off_6B2C80
		jmp	short loc_56E9F1
_InbvSetFunction@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


InbvDetermineFunction proc near		; CODE XREF: InbvDriverInitialize(x,x,x)+Fp

var_C		= dword	ptr -0Ch

; FUNCTION CHUNK AT 005F5890 SIZE 0000001A BYTES

		mov	edx, dword_6D4D44
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	short loc_56EA29

loc_56EA25:				; CODE XREF: InbvDetermineFunction+70j
		mov	eax, edx
		pop	esi
		retn
; 

loc_56EA29:				; CODE XREF: InbvDetermineFunction+Bj
		mov	eax, [esi+78h]
		push	ebx
		mov	bl, 1
		test	eax, eax
		jz	short loc_56EA56
		push	eax		; char *
		call	__strupr
		mov	[esp+0Ch+var_C], offset	??_C@_05NDBNEPKH@NOVGA@FNODOBFM@ ; "NOVGA"
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		neg	eax
		sbb	al, al
		not	al
		and	bl, al
		mov	edx, dword_6D4D44

loc_56EA56:				; CODE XREF: InbvDetermineFunction+19j
		mov	eax, [esi+84h]
		cmp	dword ptr [eax+0DCh], 0
		jz	loc_5F5890
		mov	eax, offset off_6B2C80
		test	bl, bl
		jz	short loc_56EA8A

loc_56EA72:				; CODE XREF: InbvDetermineFunction+77j
		mov	dword_6D4D4C, eax
		movzx	eax, bl
		lea	edx, ds:1[eax*2]

loc_56EA81:				; CODE XREF: InbvDetermineFunction+86E8Dj
		mov	dword_6D4D44, edx

loc_56EA87:				; CODE XREF: InbvDetermineFunction+86E7Aj
		pop	ebx
		jmp	short loc_56EA25
; 

loc_56EA8A:				; CODE XREF: InbvDetermineFunction+58j
		mov	eax, offset off_6B2C20
		jmp	short loc_56EA72
InbvDetermineFunction endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BvgaSetDisplayOwnership(x)
_BvgaSetDisplayOwnership@4 proc	near	; DATA XREF: .data:006B2CC4o

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_56EAA9
		push	2
		pop	eax

loc_56EAA0:				; CODE XREF: BvgaSetDisplayOwnership(x)+19j
		mov	_BvgaDisplayState, eax
		pop	ebp
		retn	4
; 

loc_56EAA9:				; CODE XREF: BvgaSetDisplayOwnership(x)+9j
		xor	eax, eax
		jmp	short loc_56EAA0
_BvgaSetDisplayOwnership@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgkSetDisplayOwnership(x)
_BgkSetDisplayOwnership@4 proc near	; DATA XREF: .data:006B2C64o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_0]
		call	BgkNotifyDisplayOwnershipChange
		pop	ebp
		retn	4
_BgkSetDisplayOwnership@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcpGetProgressMessages(x, x, x)
_BcpGetProgressMessages@12 proc	near	; CODE XREF: BgpBcInitializeCriticalMode+18Dp
					; BgpBcInitializeCriticalMode+1C0p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		call	BcpFindMessage
		mov	ebx, eax
		push	offset ??_C@_15FBMLFFBN@?$AA?$CF?$AA1@FNODOBFM@	; wchar_t *
		push	ebx		; wchar_t *
		call	_wcsstr
		mov	esi, eax
		mov	[ebp+var_8], eax
		pop	ecx
		sub	esi, ebx
		pop	ecx
		lea	ecx, [esi+2]
		call	BgpFwAllocateMemory
		mov	edi, eax
		test	edi, edi
		jz	short loc_56EB24
		push	esi		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		shr	esi, 1
		add	ecx, 4
		add	esp, 0Ch
		mov	[edi+esi*2], ax
		mov	eax, [ebp+var_4]
		mov	[eax], edi
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		xor	eax, eax

loc_56EB1D:				; CODE XREF: BcpGetProgressMessages(x,x,x)+67j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_56EB24:				; CODE XREF: BcpGetProgressMessages(x,x,x)+34j
		mov	eax, 0C0000017h
		jmp	short loc_56EB1D
_BcpGetProgressMessages@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpConsoleSetPointSize(x, x, x, x, x, x)
_BgpConsoleSetPointSize@24 proc	near	; CODE XREF: TxtpAddCacheEntry+B20p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		xor	ebx, ebx
		push	5
		pop	esi
		push	20h
		pop	eax
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_4], eax

loc_56EB51:				; CODE XREF: BgpConsoleSetPointSize(x,x,x,x,x,x)+6Ej
		inc	eax
		lea	edx, [ebp+var_14]
		add	eax, esi
		mov	ecx, edi
		shr	eax, 1
		mov	[ebp+arg_8], eax
		mov	[edi+0Ch], eax
		call	_BgpFoGetTextMetrics@8 ; BgpFoGetTextMetrics(x,x)
		test	eax, eax
		js	short loc_56EBAD
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		div	[ebp+var_10]
		cmp	[ebp+var_8], eax
		ja	short loc_56EBB4
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		div	[ebp+var_14]
		cmp	[ebp+var_C], eax
		ja	short loc_56EBB4
		cmp	[ebp+var_10], 3Bh
		ja	short loc_56EBB4
		cmp	[ebp+var_14], 1Ah
		ja	short loc_56EBB4
		mov	esi, [ebp+arg_8]
		mov	bl, 1
		mov	eax, [ebp+var_4]

loc_56EB98:				; CODE XREF: BgpConsoleSetPointSize(x,x,x,x,x,x)+8Fj
		cmp	esi, eax
		jnz	short loc_56EB51
		test	bl, bl
		jz	short loc_56EBBD
		mov	edx, [ebp+arg_C]
		mov	ecx, edi
		mov	[edi+0Ch], esi
		call	_BgpFoGetTextMetrics@8 ; BgpFoGetTextMetrics(x,x)

loc_56EBAD:				; CODE XREF: BgpConsoleSetPointSize(x,x,x,x,x,x)+3Cj
					; BgpConsoleSetPointSize(x,x,x,x,x,x)+96j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_56EBB4:				; CODE XREF: BgpConsoleSetPointSize(x,x,x,x,x,x)+49j
					; BgpConsoleSetPointSize(x,x,x,x,x,x)+56j ...
		mov	eax, [ebp+arg_8]
		dec	eax
		mov	[ebp+var_4], eax
		jmp	short loc_56EB98
; 

loc_56EBBD:				; CODE XREF: BgpConsoleSetPointSize(x,x,x,x,x,x)+72j
		mov	eax, 0C0000001h
		jmp	short loc_56EBAD
_BgpConsoleSetPointSize@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcpGetMaxResourceProfile(x,	x)
_BcpGetMaxResourceProfile@8 proc near	; CODE XREF: BgpBcInitializeCriticalMode+269p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_C], ecx
		xor	eax, eax
		push	esi
		push	edi
		and	[ebx], eax
		and	[ebx+4], eax
		xor	esi, esi
		mov	[ebp+var_4], esi

loc_56EBE0:				; CODE XREF: BcpGetMaxResourceProfile(x,x)+78j
		mov	ecx, ds:_BcpStringsAndSizes[esi]
		cmp	ecx, (offset loc_40372B+5)
		jz	short loc_56EC43

loc_56EBEE:				; CODE XREF: BcpGetMaxResourceProfile(x,x)+89j
		mov	edi, [ecx+4]
		xor	eax, eax
		movzx	ecx, word ptr [ecx]
		mov	edx, ds:dword_404B5C[esi]
		shr	ecx, 1
		push	eax
		mov	[ebp+var_10], edi
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], ecx
		pop	edi
		jz	short loc_56EC2C
		mov	esi, ecx

loc_56EC0D:				; CODE XREF: BcpGetMaxResourceProfile(x,x)+63j
		mov	eax, [ebp+var_10]
		push	ebx
		push	[ebp+var_C]
		mov	cx, [eax+edi*2]
		call	_BcpGetCharacterMaxResourceProfile@16 ;	BcpGetCharacterMaxResourceProfile(x,x,x,x)
		test	eax, eax
		js	short loc_56EC29
		mov	edx, [ebp+var_14]
		inc	edi
		cmp	edi, esi
		jb	short loc_56EC0D

loc_56EC29:				; CODE XREF: BcpGetMaxResourceProfile(x,x)+5Bj
		mov	esi, [ebp+var_4]

loc_56EC2C:				; CODE XREF: BcpGetMaxResourceProfile(x,x)+45j
		test	eax, eax
		js	short loc_56EC3E

loc_56EC30:				; CODE XREF: BcpGetMaxResourceProfile(x,x)+8Bj
		add	esi, 8
		mov	[ebp+var_4], esi
		cmp	esi, 0D0h
		jb	short loc_56EBE0

loc_56EC3E:				; CODE XREF: BcpGetMaxResourceProfile(x,x)+6Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_56EC43:				; CODE XREF: BcpGetMaxResourceProfile(x,x)+28j
		test	dword_6B6BB8, 20000h
		jz	short loc_56EBEE
		jmp	short loc_56EC30
_BcpGetMaxResourceProfile@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcpGetCharacterMaxResourceProfile(x, x, x, x)
_BcpGetCharacterMaxResourceProfile@16 proc near
					; CODE XREF: BcpGetMaxResourceProfile(x,x)+54p

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, unk_6B58D8[edx*4]
		push	edi
		mov	[ebp+var_8], ecx
		lea	edi, [ebp+var_28]
		push	5
		pop	ecx
		rep movsd
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		mov	[ebp+var_4], eax

loc_56EC7A:				; CODE XREF: BcpGetCharacterMaxResourceProfile(x,x,x,x)+75j
		mov	eax, [eax]
		lea	edi, [ebp+var_14]
		and	[ebp+arg_0], 0
		lea	edx, [ebp+var_28]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+arg_0]
		push	eax
		call	RaspGetXExtent
		mov	edx, eax
		test	edx, edx
		js	short loc_56ECC9
		mov	ecx, [esi+4]
		cmp	ecx, [ebp+arg_0]
		jb	short loc_56ECD7

loc_56ECAE:				; CODE XREF: BcpGetCharacterMaxResourceProfile(x,x,x,x)+88j
		mov	eax, [esi]
		mov	[esi+4], ecx
		cmp	eax, [ebp+var_C]
		jb	short loc_56ECD2

loc_56ECB8:				; CODE XREF: BcpGetCharacterMaxResourceProfile(x,x,x,x)+83j
		mov	[esi], eax
		inc	ebx
		mov	eax, [ebp+var_4]
		add	eax, 48h
		mov	[ebp+var_4], eax
		cmp	ebx, 5
		jl	short loc_56EC7A

loc_56ECC9:				; CODE XREF: BcpGetCharacterMaxResourceProfile(x,x,x,x)+52j
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	8
; 

loc_56ECD2:				; CODE XREF: BcpGetCharacterMaxResourceProfile(x,x,x,x)+64j
		mov	eax, [ebp+var_C]
		jmp	short loc_56ECB8
; 

loc_56ECD7:				; CODE XREF: BcpGetCharacterMaxResourceProfile(x,x,x,x)+5Aj
		mov	ecx, [ebp+arg_0]
		jmp	short loc_56ECAE
_BcpGetCharacterMaxResourceProfile@16 endp


;  S U B	R O U T	I N E 


; __stdcall BgkpTryEnableConsole()
_BgkpTryEnableConsole@0	proc near	; CODE XREF: BgkInitialize+9Cp
		cmp	byte_6D4C7B, 0
		jz	short locret_56ECF7
		cmp	dword_6D4C74, 0
		jz	short locret_56ECF7
		xor	eax, eax
		mov	ecx, offset unk_6B5B9C
		xchg	eax, [ecx]

locret_56ECF7:				; CODE XREF: BgkpTryEnableConsole()+7j
					; BgkpTryEnableConsole()+10j
		retn
_BgkpTryEnableConsole@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlPhase1Initialize proc near		; CODE XREF: INIT:00ACD689p

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F58AA SIZE 0000008F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	edi
		call	HviIsAnyHypervisorPresent
		test	al, al
		jnz	loc_5F58AA

loc_56ED16:				; CODE XREF: HvlPhase1Initialize+86BB9j
					; HvlPhase1Initialize+86BDCj
		cmp	ds:_HvlHypervisorConnected, 0
		jnz	loc_5F58D9

loc_56ED23:				; CODE XREF: HvlPhase1Initialize+86C3Cj
		xor	eax, eax
		pop	edi
		leave
		retn
HvlPhase1Initialize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringCbCopyExA(x, x, x,	x, x, x)
_RtlStringCbCopyExA@24 proc near	; CODE XREF: INIT:00ACD7BEp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_4], (offset loc_ADC77A+4)
		push	ebx
		mov	esi, 100h
		mov	edi, ecx
		push	ecx
		mov	edx, esi
		call	RtlStringExValidateDestA
		test	eax, eax
		js	short loc_56ED97
		push	ebx
		push	ecx
		lea	ecx, [ebp+var_4]
		call	RtlStringExValidateSrcA
		test	eax, eax
		js	short loc_56ED8A
		push	ecx
		push	[ebp+var_4]
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	eax
		mov	ecx, edi
		call	RtlStringCopyWorkerA
		sub	esi, [ebp+var_8]
		test	eax, eax
		js	short loc_56ED8E

loc_56ED76:				; CODE XREF: RtlStringCbCopyExA(x,x,x,x,x,x)+64j
		test	eax, eax
		js	short loc_56ED8E

loc_56ED7A:				; CODE XREF: RtlStringCbCopyExA(x,x,x,x,x,x)+6Dj
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_56ED83
		mov	[ecx], esi

loc_56ED83:				; CODE XREF: RtlStringCbCopyExA(x,x,x,x,x,x)+57j
					; RtlStringCbCopyExA(x,x,x,x,x,x)+6Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_56ED8A:				; CODE XREF: RtlStringCbCopyExA(x,x,x,x,x,x)+33j
		mov	[edi], bl
		jmp	short loc_56ED76
; 

loc_56ED8E:				; CODE XREF: RtlStringCbCopyExA(x,x,x,x,x,x)+4Cj
					; RtlStringCbCopyExA(x,x,x,x,x,x)+50j
		cmp	eax, 80000005h
		jnz	short loc_56ED83
		jmp	short loc_56ED7A
; 

loc_56ED97:				; CODE XREF: RtlStringCbCopyExA(x,x,x,x,x,x)+25j
		mov	[edi], bl
		jmp	short loc_56ED83
_RtlStringCbCopyExA@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringExValidateSrcA	proc near	; CODE XREF: RtlStringCbCopyExA(x,x,x,x,x,x)+2Cp
					; RtlStringCbCatExA(x,x,x,x,x,x)+3Dp ...

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F5939 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_4], 100h
		jnz	loc_5F5939

loc_56EDAE:				; CODE XREF: RtlStringExValidateSrcA+86BA0j
					; RtlStringExValidateSrcA+86BACj
		xor	eax, eax
		pop	ebp
		retn	8
RtlStringExValidateSrcA	endp


;  S U B	R O U T	I N E 


; __stdcall SddlBaseInitialize()
_SddlBaseInitialize@0 proc near		; CODE XREF: SepInitializationPhase1():loc_896CA2p
		jmp	InitializeSidLookupTable
_SddlBaseInitialize@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopInitializeIoRate()
_IopInitializeIoRate@0 proc near	; CODE XREF: INIT:00AC2EA6p

var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		xor	eax, eax
		and	[ebp+var_4], 0
		mov	ecx, offset _IopIoRateExtensionHost
		push	6
		mov	[ebp+var_12], ax
		pop	eax
		push	0Bh
		mov	word ptr [ebp+var_18], ax
		pop	eax
		push	3
		mov	word ptr [ebp+var_18+2], ax
		pop	eax
		mov	[ebp+var_14], ax
		lea	eax, [ebp+var_18]
		push	eax
		mov	[ebp+var_10], 200h
		mov	[ebp+var_C], (offset loc_40377F+1)
		call	ExRegisterHost
		test	eax, eax
		js	short loc_56EE07
		leave
		retn
; 

loc_56EE07:				; CODE XREF: IopInitializeIoRate()+49j
		and	_IopIoRateExtensionHost, 0
		leave
		retn
_IopInitializeIoRate@0 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1845. PsIsDiskCountersEnabled

;  S U B	R O U T	I N E 


; __stdcall PsIsDiskCountersEnabled()
		public _PsIsDiskCountersEnabled@0
_PsIsDiskCountersEnabled@0 proc	near	; CODE XREF: ExpPcwHostCallback+119p
		cmp	ds:_PsDisableDiskCounters, 0
		setz	al
		retn
_PsIsDiskCountersEnabled@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepInitProcessAuditSd proc near		; CODE XREF: SepInitializationPhase1()+1F0p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F594D SIZE 000001A7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_SepProcessAuditSd
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		test	eax, eax
		jnz	loc_5F594D

loc_56EE3A:				; CODE XREF: SepInitProcessAuditSd+86B39j
		cmp	ds:_SepProcessAccessesToAudit, esi
		jnz	loc_5F5960

loc_56EE46:				; CODE XREF: SepInitProcessAuditSd+86C93j
					; SepInitProcessAuditSd+86CB8j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
SepInitProcessAuditSd endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SepInitializeSessionLowboxStructures()
_SepInitializeSessionLowboxStructures@0	proc near
					; CODE XREF: SepVariableInitialization()+1A05p
		xor	ecx, ecx
		mov	eax, ecx

loc_56EE50:				; CODE XREF: SepInitializeSessionLowboxStructures()+1Cj
		mov	byte_6C45D0[eax], cl
		mov	dword_6C45CC[eax], ecx
		mov	_g_SessionLowboxArray[eax], ecx
		add	eax, 14h
		cmp	eax, 64h
		jb	short loc_56EE50
		mov	_LowboxSessionMapLock, ecx
		mov	_g_SessionLowboxMap, ecx
		retn
_SepInitializeSessionLowboxStructures@0	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDereferenceSegmentThread proc	near	; DATA XREF: MiIssuePageExtendRequest(x,x,x,x)+A8o
					; MiEnablePartitionMappedWrites+1Do

var_E4		= dword	ptr -0E4h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F5AF4 SIZE 000000A6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	edi, [ebp+arg_0]
		push	13h
		push	esi
		mov	byte ptr [edi+419h], 1
		call	KeSetPriorityThread
		or	dword ptr [esi+300h], 2
		lea	eax, [edi+3Ch]
		mov	[ebp+var_24], eax
		xor	ebx, ebx
		lea	eax, [edi+360h]
		mov	[ebp+var_8], offset unk_6D2E94
		mov	[ebp+var_20], eax
		cmp	edi, offset _MiSystemPartition
		lea	eax, [edi+3B8h]
		mov	[ebp+var_1C], eax
		setz	bl
		lea	eax, [edi+370h]
		add	ebx, 7
		mov	[ebp+var_18], eax
		lea	eax, [edi+3F0h]
		mov	[ebp+var_14], eax
		lea	eax, [edi+43Ch]
		mov	[ebp+var_10], eax
		lea	eax, [edi+468h]
		mov	[ebp+var_C], eax

loc_56EF01:				; CODE XREF: MiDereferenceSegmentThread+B5j
					; MiDereferenceSegmentThread+C8j ...
		lea	eax, [ebp+var_E4] ; default
		push	eax
		push	0
		push	0
		push	0
		push	12h
		push	1
		lea	eax, [ebp+var_24]
		push	eax
		push	ebx
		call	KeWaitForMultipleObjects
		mov	esi, eax
		cmp	esi, 1
		jz	short loc_56EF2A
		mov	ecx, edi
		call	_MiDeleteEmptySubsections@4 ; MiDeleteEmptySubsections(x)

loc_56EF2A:				; CODE XREF: MiDereferenceSegmentThread+A9j
		cmp	esi, 7		; switch 8 cases
		ja	short loc_56EF01 ; default
		jmp	ds:off_56EF6C[esi*4] ; switch jump

loc_56EF36:				; DATA XREF: .text:off_56EF6Co
		xor	edx, edx	; case 0x2
		mov	ecx, edi
		inc	edx
		call	MiProcessDereferenceList
		jmp	short loc_56EF01 ; default
; 

loc_56EF42:				; CODE XREF: MiDereferenceSegmentThread+B7j
					; DATA XREF: .text:off_56EF6Co
		lea	eax, [edi+468h]	; case 0x6
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	ecx, edi
		call	_MiFreeClonePool@4 ; MiFreeClonePool(x)
		jmp	short loc_56EF01 ; default
; 

loc_56EF57:				; CODE XREF: MiDereferenceSegmentThread+B7j
					; DATA XREF: .text:off_56EF6Co
		lea	eax, [edi+360h]	; case 0x1
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	ecx, edi
		call	_MiDeleteEmptySubsections@4 ; MiDeleteEmptySubsections(x)
		jmp	short loc_56EF01 ; default
MiDereferenceSegmentThread endp

; 
off_56EF6C	dd offset loc_5F5B57	; DATA XREF: MiDereferenceSegmentThread+B7r
		dd offset loc_56EF57	; jump table for switch	statement
		dd offset loc_56EF36
		dd offset loc_5F5B00
		dd offset loc_5F5B4B
		dd offset loc_5F5AF4
		dd offset loc_56EF42
		dd offset loc_5F5B1A

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeCommitment proc near	; CODE XREF: MiInitializePartition+66581p
					; MiInitNucleus(x)+24Ap

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F5B9A SIZE 0000000B BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_C], esi
		push	edi
		cmp	esi, offset _MiSystemPartition
		jnz	loc_5F5B9A
		cmp	dword ptr [esi+0F48h], 4000h
		sbb	eax, eax
		and	eax, 0FFFFFC00h
		add	eax, 500h
		mov	[esi+0D9Ch], eax

loc_56EFD7:				; CODE XREF: MiInitializeCommitment+86C14j
		mov	[esi+0D98h], ecx
		mov	al, [esi+117h]
		and	al, 0FDh
		mov	[esi+0E8h], ecx
		or	al, 4
		mov	dword ptr [esi+0F8h], 1
		push	ecx
		mov	[esi+117h], al
		lea	eax, [esi+100h]
		push	ecx
		push	eax
		mov	[esi+0FCh], ecx
		mov	[esi+0F4h], esi
		mov	[esi+110h], ecx
		mov	byte ptr [esi+114h], 0FFh
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, dword_6D06D4
		mov	edi, [esi+0FC0h]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_56F063
		mov	edx, [esi+958h]
		mov	eax, [esi+954h]
		add	edx, 4
		mov	esi, eax
		add	esi, 4

loc_56F04A:				; CODE XREF: MiInitializeCommitment+D2j
		movzx	eax, word ptr [esi]
		lea	esi, [esi+8]
		movzx	ecx, word ptr [edx]
		add	edi, eax
		add	edi, ecx
		lea	edx, [edx+8]
		sub	[ebp+var_4], 1
		jnz	short loc_56F04A
		mov	esi, [ebp+var_C]

loc_56F063:				; CODE XREF: MiInitializeCommitment+A8j
		mov	edx, [esi+0F48h]
		mov	ecx, esi
		push	0
		push	0
		push	edx
		mov	[esi+1000h], edi
		call	MiIncreaseCommitLimits
		mov	edx, [esi+0F48h]
		cmp	edx, edi
		jz	short loc_56F090
		push	2
		sub	edx, edi
		mov	ecx, esi
		call	MiChargeCommit

loc_56F090:				; CODE XREF: MiInitializeCommitment+F7j
		cmp	esi, offset _MiSystemPartition
		jnz	short loc_56F0B9
		mov	eax, [esi+10BCh]
		mov	dword_6D361C, eax
		mov	eax, dword_6D3620
		sub	dword_6D361C, eax
		mov	eax, dword_6D3634
		sub	dword_6D361C, eax

loc_56F0B9:				; CODE XREF: MiInitializeCommitment+10Aj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
MiInitializeCommitment endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiIncreaseCommitLimits proc near	; CODE XREF: MiInitializeCommitment+EAp
					; MiInsertPartitionPages(x,x,x,x,x)+2ADp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F5BA5 SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	esi, ecx
		mov	ebx, edx
		lea	edx, [ebp+var_10]
		stosd
		lea	ecx, [esi+0D98h]
		stosd
		xor	eax, eax
		inc	eax
		mov	[ebp+var_4], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [esi+0D84h]
		mov	edi, [ebp+arg_0]
		lea	eax, [ecx+edi]
		cmp	eax, ecx
		jb	loc_56F1A9
		test	ebx, ebx
		jz	short loc_56F122
		cmp	[ebp+arg_4], 0
		jnz	loc_5F5BA5
		cmp	dword ptr [esi+0DA0h], 0
		jnz	loc_5F5BA9

loc_56F11C:				; CODE XREF: MiIncreaseCommitLimits+86AF4j
					; MiIncreaseCommitLimits+86B04j
		add	[esi+1114h], ebx

loc_56F122:				; CODE XREF: MiIncreaseCommitLimits+41j
		test	edi, edi
		jz	short loc_56F12C
		add	[esi+0D84h], edi

loc_56F12C:				; CODE XREF: MiIncreaseCommitLimits+62j
		mov	ecx, esi
		call	_MiComputeCommitThresholds@4 ; MiComputeCommitThresholds(x)
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	short loc_56F165
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	MiUpdatePageFileList
		push	2
		pop	ecx
		lea	eax, [esi+10BCh]
		lock xadd [eax], ecx
		mov	eax, [esi+0F4Ch]
		mov	[esi+eax*4+0F54h], edi
		inc	eax
		mov	[esi+0F4Ch], eax

loc_56F165:				; CODE XREF: MiIncreaseCommitLimits+76j
		mov	ebx, [ebp+var_4]

loc_56F168:				; CODE XREF: MiIncreaseCommitLimits+E9j
		test	ds:byte_70EFC6,	1
		jnz	loc_5F5BCB
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_5F5BE3
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	loc_5F5BDB

loc_56F197:				; CODE XREF: MiIncreaseCommitLimits+86B14j
					; MiIncreaseCommitLimits+86B31j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_56F1A9:				; CODE XREF: MiIncreaseCommitLimits+39j
		xor	ebx, ebx
		jmp	short loc_56F168
MiIncreaseCommitLimits endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiComputeCommitThresholds(x)
_MiComputeCommitThresholds@4 proc near	; CODE XREF: MiIncreaseCommitLimits+6Cp
					; MiInsertPartitionPages(x,x,x,x,x)+34Cp ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx+1114h]
		xor	edx, edx
		push	edi
		push	0Ah
		mov	eax, esi
		pop	edi
		div	edi
		mov	edx, eax
		mov	eax, 10000h
		cmp	edx, eax
		jbe	short loc_56F1CE
		mov	edx, eax

loc_56F1CE:				; CODE XREF: MiComputeCommitThresholds(x)+1Cj
		mov	eax, esi
		sub	eax, edx
		mov	edx, 100000h
		mov	[ecx+0D94h], eax
		mov	eax, esi
		shr	eax, 2
		cmp	eax, edx
		jbe	short loc_56F1E8
		mov	eax, edx

loc_56F1E8:				; CODE XREF: MiComputeCommitThresholds(x)+36j
		sub	esi, eax
		xor	edx, edx
		pop	edi
		mov	[ecx+0D90h], esi
		inc	edx
		pop	esi
		jmp	$+5
_MiComputeCommitThresholds@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSyncCommitSignals proc near		; CODE XREF: .text:004595ABp
					; .text:004799EEp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005F5BF8 SIZE 000000CE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	ebx, edx
		stosd
		mov	esi, ecx
		stosd
		stosd
		test	ebx, ebx
		jz	loc_5F5BF8
		mov	[ebp+var_4], 21h

loc_56F21D:				; CODE XREF: MiSyncCommitSignals+86A0Cj
		mov	eax, [esi+10BCh]
		xor	edx, edx
		cmp	eax, [esi+0D90h]
		jnb	loc_5F5C0B
		mov	ecx, [esi+0A8h]
		cmp	[ecx+4], edx
		jnz	short loc_56F244
		push	edx
		push	edx
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_56F244:				; CODE XREF: MiSyncCommitSignals+40j
		mov	ecx, [esi+0ACh]
		xor	edi, edi
		inc	edi
		cmp	[ecx+4], edi
		jnz	short loc_56F263
		push	ecx
		call	_KeResetEvent@4	; KeResetEvent(x)
		push	dword ptr [esi+0B0h]

loc_56F25E:				; CODE XREF: MiSyncCommitSignals+86A77j
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_56F263:				; CODE XREF: MiSyncCommitSignals+56j
					; MiSyncCommitSignals+86A70j
		test	ebx, ebx
		jz	loc_5F5C76

loc_56F26B:				; CODE XREF: MiSyncCommitSignals+86AC7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiSyncCommitSignals endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRescanPagefileBitmaps(x)
_MiRescanPagefileBitmaps@4 proc	near	; CODE XREF: MiFindFreePageFileSpace+397p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	[ebp+var_4], edi
		call	MiInitializePagefileBitmapsCache
		mov	eax, [esi]
		mov	ebx, [esi+64h]
		mov	[ebp+var_14], eax
		mov	eax, [esi+38h]
		mov	[ebp+var_8], ebx
		mov	eax, [eax+10h]
		mov	[ebp+var_10], eax

loc_56F29B:				; CODE XREF: MiRescanPagefileBitmaps(x)+49j
					; MiRescanPagefileBitmaps(x)+61j
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		push	0FFFFFFFFh
		push	ecx
		lea	ecx, [ebp+var_14]
		call	_RtlFindNextClearRunUlong@20 ; RtlFindNextClearRunUlong(x,x,x,x,x)
		test	eax, eax
		jz	short loc_56F2D3
		mov	ecx, [ebp+var_4]
		lea	edi, [ecx+eax]
		cmp	eax, [ebx+1Ch]
		jbe	short loc_56F29B
		lea	edx, [ebp+var_8]
		push	edx
		mov	edx, [esi+38h]
		push	eax
		push	ecx
		add	edx, 4
		mov	ecx, esi
		call	MiRescanPageFileBitmapPortion
		mov	ebx, [ebp+var_8]
		jmp	short loc_56F29B
; 

loc_56F2D3:				; CODE XREF: MiRescanPagefileBitmaps(x)+3Ej
		lea	eax, [esi+64h]
		push	0
		pop	edi
		cmp	[eax], eax
		jz	short loc_56F2E5

loc_56F2DD:				; CODE XREF: MiRescanPagefileBitmaps(x)+78j
		mov	[esi+50h], edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_56F2E5:				; CODE XREF: MiRescanPagefileBitmaps(x)+6Bj
		mov	edi, [ebx+1Ch]
		jmp	short loc_56F2DD
_MiRescanPagefileBitmaps@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUpdateReserveClusterInfo proc	near	; CODE XREF: MiAdjustModifiedPageLoad+F43F9p
					; MiFinishPageFileExtension(x,x,x)+6Bp	...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F5CC6 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		lea	esi, [ecx+208h]
		test	edx, edx
		jnz	loc_5F5CC6
		mov	eax, [esi]
		and	eax, 0FFFFFE00h
		or	eax, 200h
		add	eax, 400h
		xchg	eax, [esi]

loc_56F311:				; CODE XREF: MiUpdateReserveClusterInfo+869EFj
		pop	esi
		pop	ebp
		retn	4
MiUpdateReserveClusterInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUpdatePageFileList proc near		; CODE XREF: MiIncreaseCommitLimits+7Dp
					; MiInsertPageFileInList+144p ...

var_6		= byte ptr -6
var_5		= byte ptr -5
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F5CDE SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		cmp	dword ptr [esi+1Ch], 0
		jz	short loc_56F382
		push	edi
		push	offset unk_6D3484
		lea	edi, [esi+94h]
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al
		test	ebx, ebx
		jz	loc_5F5CDE
		mov	edx, [esi+1Ch]
		mov	eax, 100h
		or	[esi+74h], ax
		mov	ecx, dword_6D3480
		mov	[ebp+var_5], 0
		test	ecx, ecx
		jnz	short loc_56F386

loc_56F35F:				; CODE XREF: MiUpdatePageFileList+89j
					; MiUpdatePageFileList+8Fj
		push	edi
		push	dword ptr [ebp-5]
		push	ecx
		push	offset dword_6D3480
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)

loc_56F36E:				; CODE XREF: MiUpdatePageFileList+869D3j
		push	offset unk_6D3484
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi

loc_56F382:				; CODE XREF: MiUpdatePageFileList+11j
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_56F386:				; CODE XREF: MiUpdatePageFileList+47j
					; MiUpdatePageFileList+7Ej
		cmp	edx, [ecx-78h]
		jb	short loc_56F396
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_56F3A1

loc_56F392:				; CODE XREF: MiUpdatePageFileList+84j
		mov	ecx, eax
		jmp	short loc_56F386
; 

loc_56F396:				; CODE XREF: MiUpdatePageFileList+73j
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_56F392
		mov	[ebp+var_5], al
		jmp	short loc_56F35F
; 

loc_56F3A1:				; CODE XREF: MiUpdatePageFileList+7Aj
		mov	[ebp+var_5], 1
		jmp	short loc_56F35F
MiUpdatePageFileList endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializePagefileBitmapsCache proc near ; CODE XREF:	MiRescanPagefileBitmaps(x)+12p
					; MiCheckFreeModifiedReservations+D2146p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F5CEE SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		lea	ebx, [eax+54h]
		mov	[ebp+var_8], eax
		mov	[ebx], ecx
		lea	edi, [eax+64h]
		mov	[ebx+4], ecx
		mov	[eax+5Ch], ecx
		mov	[eax+60h], ecx
		mov	esi, [eax+6Ch]
		push	4000h		; size_t
		push	ecx		; int
		push	esi		; void *
		lea	eax, [esi+3FE0h]
		mov	[edi+4], edi
		mov	[edi], edi
		mov	[ebp+var_4], eax
		call	_memset
		mov	edx, [ebp+var_4]
		add	esp, 0Ch
		cmp	esi, edx
		jnb	short loc_56F413
		mov	eax, [edi+4]

loc_56F3F4:				; CODE XREF: MiInitializePagefileBitmapsCache+69j
		mov	ecx, esi
		cmp	[eax], edi
		jnz	loc_56F4CA
		mov	[esi], edi
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[edi+4], esi
		add	esi, 20h
		cmp	esi, edx
		jnb	short loc_56F413
		mov	eax, ecx
		jmp	short loc_56F3F4
; 

loc_56F413:				; CODE XREF: MiInitializePagefileBitmapsCache+47j
					; MiInitializePagefileBitmapsCache+65j
		or	dword ptr [esi+1Ch], 0FFFFFFFFh
		or	dword ptr [esi+18h], 0FFFFFFFFh
		test	byte ptr [ebx+4], 1
		mov	eax, [ebx]
		jnz	loc_5F5CEE

loc_56F427:				; CODE XREF: MiInitializePagefileBitmapsCache+8694Cj
					; MiInitializePagefileBitmapsCache+86953j
		movzx	edx, byte ptr [ebx+4]
		and	edx, 1
		mov	byte ptr [ebp+var_4], 0
		test	eax, eax
		jz	short loc_56F453

loc_56F436:				; CODE XREF: MiInitializePagefileBitmapsCache+A9j
		mov	ecx, [eax+4]
		test	edx, edx
		jz	short loc_56F447
		test	ecx, ecx
		jz	loc_5F5D00
		xor	ecx, eax

loc_56F447:				; CODE XREF: MiInitializePagefileBitmapsCache+93j
		test	ecx, ecx
		jz	loc_5F5D00
		mov	eax, ecx
		jmp	short loc_56F436
; 

loc_56F453:				; CODE XREF: MiInitializePagefileBitmapsCache+8Cj
					; MiInitializePagefileBitmapsCache+8695Cj
		push	esi
		push	[ebp+var_4]
		push	eax
		push	ebx
		call	RtlRbInsertNodeEx
		mov	ebx, [ebp+var_8]
		add	ebx, 5Ch
		test	byte ptr [ebx+4], 1
		mov	ecx, [ebx]
		jnz	loc_5F5D09

loc_56F470:				; CODE XREF: MiInitializePagefileBitmapsCache+86967j
					; MiInitializePagefileBitmapsCache+8696Ej
		movzx	edx, byte ptr [ebx+4]
		and	edx, 1
		mov	byte ptr [ebp+var_4], 0
		test	ecx, ecx
		jz	short loc_56F4B0
		mov	edi, [esi+18h]

loc_56F482:				; CODE XREF: MiInitializePagefileBitmapsCache+F2j
		cmp	edi, [ecx+0Ch]
		jb	short loc_56F49C
		mov	eax, [ecx+4]
		test	edx, edx
		jz	short loc_56F494
		test	eax, eax
		jz	short loc_56F4CF
		xor	eax, ecx

loc_56F494:				; CODE XREF: MiInitializePagefileBitmapsCache+E4j
		test	eax, eax
		jz	short loc_56F4CF

loc_56F498:				; CODE XREF: MiInitializePagefileBitmapsCache+102j
		mov	ecx, eax
		jmp	short loc_56F482
; 

loc_56F49C:				; CODE XREF: MiInitializePagefileBitmapsCache+DDj
		mov	eax, [ecx]
		test	edx, edx
		jz	short loc_56F4A8
		test	eax, eax
		jz	short loc_56F4AC
		xor	eax, ecx

loc_56F4A8:				; CODE XREF: MiInitializePagefileBitmapsCache+F8j
		test	eax, eax
		jnz	short loc_56F498

loc_56F4AC:				; CODE XREF: MiInitializePagefileBitmapsCache+FCj
		mov	byte ptr [ebp+var_4], 0

loc_56F4B0:				; CODE XREF: MiInitializePagefileBitmapsCache+D5j
					; MiInitializePagefileBitmapsCache+12Bj
		lea	eax, [esi+0Ch]
		push	eax
		push	[ebp+var_4]
		push	ecx
		push	ebx
		call	RtlRbInsertNodeEx
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		or	dword ptr [eax+50h], 0FFFFFFFFh
		leave
		retn
; 

loc_56F4CA:				; CODE XREF: MiInitializePagefileBitmapsCache+50j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_56F4CF:				; CODE XREF: MiInitializePagefileBitmapsCache+E8j
					; MiInitializePagefileBitmapsCache+EEj
		mov	byte ptr [ebp+var_4], 1
		jmp	short loc_56F4B0
MiInitializePagefileBitmapsCache endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiReservePageHash(x)
_MiReservePageHash@4 proc near		; CODE XREF: MiCreatePagefile+1B3p
					; MiCreatePagingFile+962D2p
		mov	edi, edi
		push	esi
		mov	eax, ecx
		xor	esi, esi
		push	4
		pop	ecx
		mul	ecx
		mov	ecx, eax
		and	eax, 0FFFh
		or	eax, esi
		jz	short loc_56F4EE
		inc	esi

loc_56F4EE:				; CODE XREF: MiReservePageHash(x)+15j
		shrd	ecx, edx, 0Ch
		lea	edx, [esi+ecx]
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		test	eax, eax
		jz	short loc_56F508
		shl	eax, 9
		pop	esi
		retn
; 

loc_56F508:				; CODE XREF: MiReservePageHash(x)+2Bj
		xor	eax, eax
		pop	esi
		retn
_MiReservePageHash@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSynchronousPageWrite(x, x, x, x, x, x, x)
_MiSynchronousPageWrite@28 proc	near	; CODE XREF: MiZeroPageFileFirstPage(x)+90p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	IoSynchronousPageWriteEx
		pop	ecx
		pop	ebp
		retn	14h
_MiSynchronousPageWrite@28 endp

; 
		align 4

;  S U B	R O U T	I N E 


MiCheckPageFileMapping proc near	; CODE XREF: MiCreatePagingFile+49Ap

; FUNCTION CHUNK AT 005F5D1B SIZE 00000018 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+14h], 0
		jz	short loc_56F574
		push	ebx
		push	edi
		mov	edi, offset dword_6CF3C0
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_56F560
		cmp	dword ptr [eax], 0
		jnz	loc_5F5D1B
		cmp	dword ptr [eax+8], 0
		jnz	loc_5F5D1B

loc_56F560:				; CODE XREF: MiCheckPageFileMapping+1Fj
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax

loc_56F570:				; CODE XREF: MiCheckPageFileMapping+86802j
		pop	edi
		pop	ebx
		pop	esi
		retn
; 

loc_56F574:				; CODE XREF: MiCheckPageFileMapping+9j
		xor	eax, eax
		pop	esi
		retn
MiCheckPageFileMapping endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoConfigureCrashDump proc near		; CODE XREF: PoBroadcastSystemState+B208p
					; PAGE:loc_7B3D58p ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F5D33 SIZE 000000AB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		and	[esp+54h+var_54], 0
		xor	eax, eax
		and	[esp+54h+var_50], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, offset ??_C@_1CA@FABIEJON@?$AAC?$AA?3?$AA?2?$AAp?$AAa?$AAg?$AAe?$AAf?$AAi?$AAl?$AAe?$AA?4?$AAs?$AAy?$AAs@FNODOBFM@	; "C:\\pagefile.sys"
		push	edi
		lea	edi, [esp+60h+var_48]
		push	8
		pop	ecx
		rep movsd
		lea	edi, [esp+60h+var_28]
		push	8
		pop	ecx
		rep stosd
		test	dl, dl
		jnz	short loc_56F5C0
		xor	edx, edx
		call	_IopReadDumpRegistry@8 ; IopReadDumpRegistry(x,x)

loc_56F5C0:				; CODE XREF: IoConfigureCrashDump+3Fj
		mov	esi, large fs:124h
		mov	[esp+60h+var_4C], esi
		dec	word ptr [esi+13Ch]
		nop
		sub	ebx, 0
		jnz	loc_5F5D33
		push	1
		mov	edi, offset _IopCrashDumpLock
		push	edi
		call	ExAcquireResourceExclusiveLite
		test	al, al
		jz	short loc_56F61D
		call	_IopDisableCrashDump@0 ; IopDisableCrashDump()
		mov	esi, eax
		call	_IopRemoveDumpCapsuleSupport@0 ; IopRemoveDumpCapsuleSupport()

loc_56F5F9:				; CODE XREF: IoConfigureCrashDump+86808j
					; IoConfigureCrashDump+86849j ...
		mov	ecx, edi
		call	ExReleaseResourceLite

loc_56F600:				; CODE XREF: IoConfigureCrashDump+AAj
					; IoConfigureCrashDump+867C5j ...
		mov	ecx, [esp+60h+var_4C]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [esp+60h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_56F61D:				; CODE XREF: IoConfigureCrashDump+73j
		mov	esi, 0C0000001h
		jmp	short loc_56F600
IoConfigureCrashDump endp


;  S U B	R O U T	I N E 


; __stdcall IopRemoveDumpCapsuleSupport()
_IopRemoveDumpCapsuleSupport@0 proc near ; CODE	XREF: IoConfigureCrashDump+7Cp
					; IoConfigureCrashDump+86842p ...
		cmp	_CapsuleTriageDumpBlockInitialized, 1
		jz	short loc_56F630

loc_56F62D:				; CODE XREF: IopRemoveDumpCapsuleSupport()+2Bj
		xor	eax, eax
		retn
; 

loc_56F630:				; CODE XREF: IopRemoveDumpCapsuleSupport()+7j
		mov	eax, _CapsuleTriageDumpBlock
		test	eax, eax
		jz	short loc_56F648
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	_CapsuleTriageDumpBlock, 0

loc_56F648:				; CODE XREF: IopRemoveDumpCapsuleSupport()+13j
		mov	_CapsuleTriageDumpBlockInitialized, 0
		jmp	short loc_56F62D
_IopRemoveDumpCapsuleSupport@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopDisableCrashDump()
_IopDisableCrashDump@0 proc near	; CODE XREF: IoConfigureCrashDump+75p
					; IoConfigureCrashDump+867FFp
		xor	eax, eax
		cmp	_CrashdmpImageEntry, eax
		jz	short locret_56F682
		mov	ecx, dword_6D4AD4
		test	ecx, ecx
		jz	short locret_56F682
		cmp	_CrashdmpInitialized, al
		jz	short locret_56F682
		call	ecx
		test	eax, eax
		js	short locret_56F682
		and	_CrashdmpDumpBlock, 0
		mov	_CrashdmpInitialized, 0

locret_56F682:				; CODE XREF: IopDisableCrashDump()+8j
					; IopDisableCrashDump()+12j ...
		retn
_IopDisableCrashDump@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


SecureDump_GetSecureDumpSettings proc near
					; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+3Fp
					; IopInitializeCrashDump+60p ...

; FUNCTION CHUNK AT 005F5DDE SIZE 0000000E BYTES

		test	ecx, ecx
		jz	short loc_56F6BC
		cmp	_SecureDmpEncryptionContext, 2
		jnz	loc_5F5DDE
		mov	al, byte_6CF2C4
		mov	[ecx], al
		mov	eax, dword_6CF2E8
		mov	[ecx+4], eax
		cmp	dword_6CF2F4, 1
		setz	al
		mov	[ecx+1], al
		mov	eax, dword_6CF2FC
		mov	[ecx+8], eax

loc_56F6B9:				; CODE XREF: SecureDump_GetSecureDumpSettings+86763j
		xor	eax, eax
		retn
; 

loc_56F6BC:				; CODE XREF: SecureDump_GetSecureDumpSettings+2j
		mov	eax, 0C000000Dh
		retn
SecureDump_GetSecureDumpSettings endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopReadDumpRegistry(x, x)
_IopReadDumpRegistry@8 proc near	; CODE XREF: IoConfigureCrashDump+43p
					; IopInitializeCrashDump+29p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		push	7Eh
		pop	eax
		xor	edi, edi
		mov	word ptr [ebp+var_10], ax
		add	eax, 2
		mov	[ebp+var_8], edi
		push	edi
		mov	word ptr [ebp+var_10+2], ax
		lea	ecx, [ebp+var_8]
		push	20019h
		lea	eax, [ebp+var_10]
		mov	[ebp+var_C], (offset off_5A440A+2)
		mov	esi, edx
		mov	[ebp+var_4], edi
		push	eax
		xor	edx, edx
		call	IopOpenRegistryKey
		test	eax, eax
		js	short loc_56F76D
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		mov	edx, (offset loc_5A44A9+1)
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_56F733
		mov	ecx, [ebp+var_4]
		cmp	[ecx+0Ch], edi
		jz	short loc_56F72C
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	_IopAutoReboot,	eax

loc_56F72C:				; CODE XREF: IopReadDumpRegistry(x,x)+5Dj
		push	edi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_56F733:				; CODE XREF: IopReadDumpRegistry(x,x)+55j
		test	esi, esi
		jz	short loc_56F764
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		mov	edx, offset ??_C@_1CC@BHHAOCEE@?$AAC?$AAr?$AAa?$AAs?$AAh?$AAD?$AAu?$AAm?$AAp?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@FNODOBFM@
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_56F764
		mov	ecx, [ebp+var_4]
		cmp	[ecx+0Ch], edi
		jz	short loc_56F75D
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	[esi], eax

loc_56F75D:				; CODE XREF: IopReadDumpRegistry(x,x)+91j
		push	edi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_56F764:				; CODE XREF: IopReadDumpRegistry(x,x)+73j
					; IopReadDumpRegistry(x,x)+89j
		push	edi
		push	[ebp+var_8]
		call	ObCloseHandle

loc_56F76D:				; CODE XREF: IopReadDumpRegistry(x,x)+3Fj
		pop	edi
		pop	esi
		leave
		retn
_IopReadDumpRegistry@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall CcInitializePartition(void *)
CcInitializePartition proc near		; CODE XREF: INIT:00AC326Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F5DEC SIZE 00000093 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	edi, 2C0h
		push	edi		; size_t
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		push	eax		; int
		mov	esi, edx
		push	ebx		; void *
		mov	[ebp+var_4], esi
		call	_memset
		mov	[ebx+4], esi
		lea	eax, [ebx+10h]
		mov	[eax+4], eax
		lea	ecx, [ebx+18h]
		mov	[eax], eax
		mov	edx, 800h
		mov	dword ptr [ebx], 2C002F7h
		lea	eax, [ebx+8]
		mov	[eax+4], eax
		add	esp, 0Ch
		mov	[eax], eax
		xor	esi, esi
		mov	dword ptr [ebx+28Ch], 1
		lea	eax, [ebx+30h]
		mov	[eax+4], eax
		inc	esi
		mov	[eax], eax
		lea	eax, [ebx+24h]
		mov	[ebx+20h], edx
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ecx+4], eax
		xor	ecx, ecx
		mov	[ebx+2Ch], edx
		lea	eax, [ebx+8Ch]
		mov	[ebx+40h], ecx
		mov	[ebx+80h], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+94h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+9Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+0A4h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+0ACh]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+0BCh]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+0B4h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+0CCh]
		push	ecx
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+0F4h]
		push	esi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	edi, edi
		lea	eax, [ebx+104h]
		push	edi
		push	esi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	esi
		lea	eax, [ebx+114h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	esi
		lea	eax, [ebx+124h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	esi
		lea	eax, [ebx+134h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	eax, eax
		push	eax
		push	eax
		lea	eax, [ebx+290h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	eax, eax
		push	eax
		push	eax
		lea	eax, [ebx+2A0h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	eax, eax
		lea	edi, [ebx+198h]
		stosd
		lea	esi, [ebx+148h]
		push	0Ah
		pop	ecx
		push	50h		; size_t
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebx+1A8h]
		rep stosd
		xor	edi, edi
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		push	ebx
		push	offset _CcScanDpc@16 ; CcScanDpc(x,x,x,x)
		push	esi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	edi
		lea	eax, [ebx+168h]
		push	eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		cmp	byte ptr ds:dword_7051D4, 0
		jnz	loc_5F5DEC
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	_MmGetNumberOfPhysicalPagesForPartitionObject@4	; MmGetNumberOfPhysicalPagesForPartitionObject(x)
		shr	eax, 3
		mov	[ebx+1B0h], eax
		mov	[ebx+1ACh], eax
		mov	[ebx+1A8h], eax
		xor	eax, eax
		inc	eax

loc_56F921:				; CODE XREF: CcInitializePartition+866D7j
		mov	[ebx+0C8h], eax
		xor	edx, edx
		mov	ecx, esi
		mov	dword ptr [ebx+1C8h], 0Ah
		mov	[ebx+1C0h], edx
		mov	[ebx+1C4h], edx
		call	_MmGetNumberOfPhysicalPagesForPartitionObject@4	; MmGetNumberOfPhysicalPagesForPartitionObject(x)
		imul	eax, 0Ah
		mov	[ebx+1BCh], edx
		mov	[ebx+1B8h], eax
		mov	eax, _ExCriticalWorkerThreads
		dec	eax
		mov	[ebx+84h], eax
		mov	eax, _CcMaxCachemapUninitWorkerThreads
		mov	[ebx+0D8h], eax
		mov	eax, [ebx+1A8h]
		mov	edi, eax
		shr	edi, 2
		shr	eax, 1
		add	edi, eax
		cmp	_CcAzure_LazyWriterPercentageOfNumProcs, edx
		jnz	loc_5F5E4E

loc_56F987:				; CODE XREF: CcInitializePartition+866FCj
					; CcInitializePartition+86708j
		or	dword ptr [ebx+284h], 0FFFFFFFFh
		lea	eax, [ebx+204h]
		mov	[ebx+1B4h], edi
		mov	[ebx+28Ah], dl
		mov	[ebx+44h], edx
		mov	[ebx+48h], dl
		mov	[ebx+240h], edx
		push	ebx
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+264h]
		push	offset CcQueueLazyWriteScanThread
		mov	[eax+4], eax
		mov	[eax], eax
		push	edx
		mov	[ebx+270h], edx
		mov	[ebx+274h], edx
		mov	dword ptr [ebx+278h], 20h
		mov	dword ptr [ebx+27Ch], 5
		mov	[ebx+280h], edx
		mov	eax, [esi+38h]
		push	eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_24], 18h
		push	eax
		push	1FFFFFh
		lea	eax, [ebx+2B0h]
		mov	[ebp+var_20], edx
		push	eax
		mov	[ebp+var_18], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], edx
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_56FC0B
		mov	ecx, ebx
		call	CcInitializePartitionVacbs
		test	al, al
		jz	loc_56FC0B
		xor	eax, eax
		mov	edi, eax
		cmp	[ebx+84h], eax
		jbe	short loc_56FAA8

loc_56FA3B:				; CODE XREF: CcInitializePartition+334j
		push	71576343h
		push	24h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_56FC0B
		or	dword ptr [ecx+14h], 0FFFFFFFFh
		lea	esi, [ebx+8Ch]
		xor	eax, eax
		mov	dword ptr [ecx+10h], 1
		mov	[ecx+20h], ebx
		mov	[ecx+18h], edi
		mov	dword ptr [ecx+8], offset CcWorkerThread
		mov	[ecx+0Ch], ecx
		mov	[ecx], eax
		mov	edx, [ebx+90h]
		cmp	[edx], esi
		jnz	loc_56FC13
		lea	esi, [ebx+8Ch]
		inc	edi
		mov	[ecx], esi
		mov	esi, [ebp+var_4]
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[ebx+90h], ecx
		cmp	edi, [ebx+84h]
		jb	short loc_56FA3B

loc_56FAA8:				; CODE XREF: CcInitializePartition+2C7j
		mov	ecx, [ebx+0C8h]
		mov	edi, eax
		test	ecx, ecx
		jz	short loc_56FB23

loc_56FAB4:				; CODE XREF: CcInitializePartition+3AFj
		push	71576343h
		push	24h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_56FC0B
		or	dword ptr [ecx+14h], 0FFFFFFFFh
		lea	esi, [ebx+0BCh]
		xor	eax, eax
		mov	dword ptr [ecx+10h], 2
		mov	[ecx+20h], ebx
		mov	[ecx+18h], edi
		mov	dword ptr [ecx+8], offset CcWorkerThread
		mov	[ecx+0Ch], ecx
		mov	[ecx], eax
		mov	edx, [ebx+0C0h]
		cmp	[edx], esi
		jnz	loc_56FC13
		lea	esi, [ebx+0BCh]
		inc	edi
		mov	[ecx], esi
		mov	esi, [ebp+var_4]
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[ebx+0C0h], ecx
		mov	ecx, [ebx+0C8h]
		cmp	edi, ecx
		jb	short loc_56FAB4

loc_56FB23:				; CODE XREF: CcInitializePartition+340j
		xor	edi, edi
		mov	[ebp+var_C], eax
		cmp	[ebx+0D8h], eax
		jbe	short loc_56FBA8

loc_56FB30:				; CODE XREF: CcInitializePartition+42Ej
		push	71576343h
		push	24h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_56FC0B
		mov	ecx, [ebp+var_C]
		lea	esi, [ebx+0CCh]
		or	dword ptr [eax+14h], 0FFFFFFFFh
		mov	dword ptr [eax+10h], 5
		mov	[eax+20h], ebx
		mov	[eax+18h], ecx
		mov	dword ptr [eax+8], offset CcCachemapUninitWorkerThread
		mov	[eax+0Ch], eax
		mov	[eax], edi
		mov	edx, [ebx+0D0h]
		cmp	[edx], esi
		mov	esi, [ebp+var_4]
		jnz	loc_56FC13
		lea	edi, [ebx+0CCh]
		inc	ecx
		mov	[eax], edi
		mov	edi, [ebp+var_8]
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ebx+0D0h], eax
		mov	[ebp+var_C], ecx
		cmp	ecx, [ebx+0D8h]
		jb	short loc_56FB30
		mov	ecx, [ebx+0C8h]

loc_56FBA8:				; CODE XREF: CcInitializePartition+3BCj
		push	70546343h
		lea	eax, ds:8[ecx*8]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	short loc_56FC0B
		mov	eax, [ebx+0C8h]
		lea	eax, ds:8[eax*8]
		push	eax		; size_t
		push	edi		; int
		push	ecx		; void *
		call	_memset
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		mov	ecx, ebx
		mov	[ebx+1D0h], eax
		call	CcInitializeAsyncRead
		test	al, al
		jz	short loc_56FC0B
		push	esi
		push	ebx		; char
		push	offset ??_C@_0EG@HBELDCKM@CcInitializePartition?3?5Initiali@FNODOBFM@ ;	"CcInitializePartition:	Initialized Part"...
		push	2		; int
		push	7Fh		; int
		mov	byte ptr [ebp+var_8], 1
		call	_DbgPrintEx
		add	esp, 14h

loc_56FC0B:				; CODE XREF: CcInitializePartition+2A8j
					; CcInitializePartition+2B7j ...
		mov	al, byte ptr [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_56FC13:				; CODE XREF: CcInitializePartition+311j
					; CcInitializePartition+38Aj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
CcInitializePartition endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcInitializeAsyncRead proc near		; CODE XREF: CcInitializePartition+479p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F5E7F SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [ebp+var_2C]
		pop	ecx
		xor	eax, eax
		xor	ebx, ebx
		rep stosd
		mov	eax, _CcMaxNestingLevel
		mov	edi, 71576343h
		push	edi
		mov	[ebp+var_10], ebx
		lea	eax, ds:8[eax*8]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+244h], eax
		mov	eax, _CcMaxNestingLevel
		push	edi
		lea	eax, ds:8[eax*8]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+250h], eax
		mov	eax, _CcMaxNestingLevel
		push	edi
		lea	eax, ds:8[eax*8]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+254h], eax
		mov	eax, _CcMaxNestingLevel
		inc	eax
		imul	eax, 194h
		push	edi
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+25Ch], eax
		mov	eax, _CcMaxNestingLevel
		inc	eax
		push	edi
		shl	eax, 4
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+258h], eax
		mov	eax, _CcMaxNestingLevel
		push	edi
		lea	eax, ds:4[eax*4]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+248h], eax
		mov	eax, _CcMaxNestingLevel
		push	edi
		lea	eax, ds:4[eax*4]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+24Ch], eax
		cmp	[esi+244h], ebx
		jz	loc_56FF28
		cmp	[esi+250h], ebx
		jz	loc_56FF28
		cmp	[esi+254h], ebx
		jz	loc_56FF28
		cmp	[esi+25Ch], ebx
		jz	loc_56FF28
		cmp	[esi+258h], ebx
		jz	loc_56FF28
		cmp	[esi+248h], ebx
		jz	loc_56FF28
		test	eax, eax
		jz	loc_56FF28
		mov	edi, ebx
		mov	[ebp+var_8], ebx
		mov	ecx, ebx
		mov	[ebp+var_C], ebx

loc_56FD62:				; CODE XREF: CcInitializeAsyncRead+256j
		mov	eax, [esi+244h]
		mov	edx, edi
		shl	edx, 3
		add	eax, edx
		push	ebx
		push	1
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [esi+250h]
		add	eax, edx
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [esi+254h]
		add	eax, edx
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [esi+258h]
		add	eax, ecx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [esi+248h]
		mov	[eax+edi*4], ebx
		mov	eax, [esi+24Ch]
		mov	[eax+edi*4], ebx
		mov	eax, _CcMaxAsyncReadWorkerThreads
		shl	eax, 2
		push	eax		; size_t
		mov	eax, [esi+25Ch]
		add	eax, [ebp+var_8]
		push	0FFh		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esi+25Ch]
		add	esp, 0Ch
		mov	ecx, [ebp+var_8]
		mov	[ecx+eax], ebx
		xor	eax, eax
		inc	eax
		mov	[ebp+var_4], eax
		cmp	_CcMaxAsyncReadWorkerThreads, eax
		jbe	short loc_56FE57

loc_56FDEB:				; CODE XREF: CcInitializeAsyncRead+23Dj
		push	71576343h
		push	24h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_56FF28
		mov	edx, [ebp+var_4]
		mov	[eax+18h], edx
		mov	edx, edi
		mov	dword ptr [eax+10h], 3
		mov	[eax+20h], esi
		mov	[eax+14h], edi
		mov	dword ptr [eax+8], offset _CcAsyncReadWorkerThread@4 ; CcAsyncReadWorkerThread(x)
		mov	[eax+0Ch], eax
		mov	[eax], ebx
		mov	ecx, [esi+244h]
		shl	edx, 3
		add	ecx, edx
		mov	edx, [ecx+4]
		mov	[ebp+var_14], edx
		cmp	[edx], ecx
		jnz	loc_56FF2F
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	edx, [ebp+var_4]
		inc	edx
		mov	[ecx+4], eax
		mov	[ebp+var_4], edx
		cmp	edx, _CcMaxAsyncReadWorkerThreads
		jb	short loc_56FDEB

loc_56FE57:				; CODE XREF: CcInitializeAsyncRead+1D1j
		mov	ecx, [ebp+var_C]
		inc	edi
		add	[ebp+var_8], 194h
		add	ecx, 10h
		mov	[ebp+var_C], ecx
		cmp	edi, _CcMaxNestingLevel
		jbe	loc_56FD62
		mov	[esi+260h], ebx
		mov	[ebp+var_8], ebx

loc_56FE7D:				; CODE XREF: CcInitializeAsyncRead+308j
		push	71576343h
		push	24h
		push	200h
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_56FF28
		mov	ecx, [ebp+var_8]
		mov	dword ptr [edi+10h], 3
		mov	[edi+20h], esi
		mov	[edi+18h], ebx
		mov	[edi+14h], ecx
		mov	dword ptr [edi+8], offset _CcAsyncReadWorkerThread@4 ; CcAsyncReadWorkerThread(x)
		mov	[edi+0Ch], edi
		mov	[edi], ebx
		mov	eax, [esi+248h]
		inc	dword ptr [eax+ecx*4]
		xor	eax, eax
		inc	eax
		lock xadd [esi+28Ch], eax
		inc	eax
		cmp	eax, 1
		jle	short loc_56FF34

loc_56FEE3:				; CODE XREF: CcInitializeAsyncRead+321j
		mov	eax, [esi+4]
		push	edi
		push	offset CcAsyncReadWorker
		push	ebx
		mov	eax, [eax+38h]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	1FFFFFh
		lea	eax, [ebp+var_10]
		push	eax
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_5F5E7F
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_8]
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, _CcMaxNestingLevel
		jbe	loc_56FE7D
		mov	bl, 1

loc_56FF28:				; CODE XREF: CcInitializeAsyncRead+F6j
					; CcInitializeAsyncRead+102j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_56FF2F:				; CODE XREF: CcInitializeAsyncRead+220j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_56FF34:				; CODE XREF: CcInitializeAsyncRead+2C9j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_56FEE3
CcInitializeAsyncRead endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcInitializePartitionVacbs proc	near	; CODE XREF: CcInitializePartition+2B0p

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F5E96 SIZE 000000EB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		push	esi
		inc	ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], bl

loc_56FF4D:				; CODE XREF: CcInitializePartitionVacbs+E9j
		mov	eax, [edi+26Ch]
		cmp	eax, _CcMinimumFreeHighPriorityVacbs
		jnb	loc_57008F
		push	4
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		xor	dl, dl
		mov	[ebp+var_2], al
		mov	ecx, edi
		call	CcGetVacbFromFreeList
		mov	ebx, eax
		mov	eax, large fs:20h
		lea	esi, [eax+438h]
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	loc_5F5E96
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5F5EAC
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5F5EA5

loc_56FFAD:				; CODE XREF: CcInitializePartitionVacbs+85F64j
					; CcInitializePartitionVacbs+85F7Fj
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jz	short loc_57002A
		mov	ecx, [edi+4]
		call	MmReserveViewInSystemCache
		mov	[ebx], eax
		push	4
		pop	ecx
		test	eax, eax
		jz	loc_5F5F11
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[ebp+var_2], al
		mov	edx, ebx
		xor	eax, eax
		mov	ecx, edi
		inc	eax
		push	eax
		call	_CcSetVacbInFreeList@12	; CcSetVacbInFreeList(x,x,x)
		mov	eax, large fs:20h
		xor	ebx, ebx
		inc	ebx
		lea	esi, [eax+438h]
		test	ds:byte_70EFC6,	bl
		jnz	loc_5F5EEA

loc_56FFFF:				; DATA XREF: .text:off_40857Eo
					; .text:off_5A7186o
		mov	eax, [esi]

loc_570001:				; DATA XREF: .text:0040CDCCo
		test	eax, eax

loc_570003:				; DATA XREF: .text:00425E0Co
					; .text:0042555Co ...
		jnz	loc_5F5F00
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5F5EF9

loc_57001C:				; CODE XREF: CcInitializePartitionVacbs+85FB8j
					; CcInitializePartitionVacbs+85FD0j
		mov	cl, [ebp+var_2]

loc_57001F:				; CODE XREF: CcInitializePartitionVacbs+151j
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_56FF4D
; 

loc_57002A:				; CODE XREF: CcInitializePartitionVacbs+7Cj
		call	CcAllocateInitializeVacbArray
		mov	esi, eax
		test	esi, esi
		jz	short loc_570097
		push	4
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	edx, esi
		mov	ecx, edi
		mov	bl, al
		call	CcInsertVacbArray
		xor	ecx, ecx
		inc	ecx
		cmp	_CcVacbArraysAllocated,	ecx
		jnz	short loc_570056
		mov	[esi+4], ecx

loc_570056:				; CODE XREF: CcInitializePartitionVacbs+115j
					; DATA XREF: .text:0040CD64o ...
		mov	eax, large fs:20h
		lea	esi, [eax+438h]

loc_570062:				; DATA XREF: .text:005A3CB0o
		test	ds:byte_70EFC6,	cl
		jnz	loc_5F5EC0
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5F5ED9

loc_570078:				; DATA XREF: .text:005A3C70o
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5F5ECF

loc_57008B:				; CODE XREF: CcInitializePartitionVacbs+85F8Ej
					; CcInitializePartitionVacbs+85FA9j
		mov	cl, bl
		jmp	short loc_57001F
; 

loc_57008F:				; CODE XREF: CcInitializePartitionVacbs+1Dj
					; CcInitializePartitionVacbs+86040j
		mov	al, [ebp+var_1]

loc_570092:				; CODE XREF: CcInitializePartitionVacbs+15Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_570097:				; CODE XREF: CcInitializePartitionVacbs+F7j
		xor	al, al
		jmp	short loc_570092
CcInitializePartitionVacbs endp

; 
		align 4

;  S U B	R O U T	I N E 


CcInsertVacbArray proc near		; CODE XREF: CcInitializePartitionVacbs+107p
					; CcGetVirtualAddress+153282p

; FUNCTION CHUNK AT 005F5F81 SIZE 000000A1 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, ecx
		cmp	_CcVacbArraysAllocated,	1
		push	edi
		ja	loc_5F5FB5
		mov	esi, eax

loc_5700B4:				; CODE XREF: CcInsertVacbArray+80j
		mov	ecx, _CcVacbArrays
		cmp	[ecx+esi*4], eax
		jnz	short loc_570118

loc_5700BF:				; DATA XREF: .text:0040CDDCo
		mov	[ecx+esi*4], edx
		mov	[edx], esi
		cmp	esi, _CcVacbArraysHighestUsedIndex
		ja	short loc_570120

loc_5700CC:				; CODE XREF: CcInsertVacbArray+82j
					; CcInsertVacbArray+8Aj
		cmp	esi, 1
		jz	loc_5F5FA7
		mov	esi, eax
		lea	ecx, [edx+18h]

loc_5700DA:				; CODE XREF: CcInsertVacbArray+76j
		cmp	[ecx-8], eax
		jnz	loc_5F5F81
		mov	edx, dword_6CE66C
		cmp	dword ptr [edx], offset	_CcVacbFreeList
		jnz	short loc_570128
		mov	dword ptr [ecx], offset	_CcVacbFreeList
		mov	[ecx+4], edx
		mov	[edx], ecx
		inc	_CcNumberOfFreeVacbs
		mov	dword_6CE66C, ecx

loc_570108:				; CODE XREF: CcInsertVacbArray+85F06j
		inc	esi
		add	ecx, 18h
		cmp	esi, 1554h
		jb	short loc_5700DA
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_570118:				; CODE XREF: CcInsertVacbArray+21j
		inc	esi
		cmp	esi, 1
		jb	short loc_5700B4
		jmp	short loc_5700CC
; 

loc_570120:				; CODE XREF: CcInsertVacbArray+2Ej
		mov	_CcVacbArraysHighestUsedIndex, esi
		jmp	short loc_5700CC
; 

loc_570128:				; CODE XREF: CcInsertVacbArray+53j
					; CcInsertVacbArray+85EF0j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
CcInsertVacbArray endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcAllocateInitializeVacbArray proc near	; CODE XREF: CcInitializePartitionVacbs:loc_57002Ap
					; CcGetVirtualAddress:loc_5B0D2Ap

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F6022 SIZE 0000008F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	4
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, _CcVacbArraysAllocated
		xor	edi, edi
		inc	edi
		mov	bl, al
		cmp	ecx, edi
		jnb	loc_5F5FC9
		mov	eax, large fs:20h
		inc	ecx
		test	ds:byte_70EFC6,	1
		mov	_CcVacbArraysAllocated,	ecx
		lea	esi, [eax+438h]
		jnz	loc_5F6022
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5F6038
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5F6031

loc_57018F:				; CODE XREF: CcAllocateInitializeVacbArray+85EFEj
					; CcAllocateInitializeVacbArray+85F16j
		mov	cl, bl
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	ebx
		push	61566343h
		mov	edi, 20000h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5F6049
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+20h]
		mov	ecx, 1554h

loc_5701CC:				; CODE XREF: CcAllocateInitializeVacbArray+A6j
		mov	[eax], esi
		lea	eax, [eax+18h]
		sub	ecx, 1
		jnz	short loc_5701CC

loc_5701D6:				; CODE XREF: CcAllocateInitializeVacbArray+85F7Ej
		mov	eax, esi

loc_5701D8:				; CODE XREF: CcInsertVacbArray+85F81j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CcAllocateInitializeVacbArray endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 988. IoSetGenericIrpExtension

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IoSetGenericIrpExtension(int,void *,__int16,char)
		public IoSetGenericIrpExtension
IoSetGenericIrpExtension proc near	; CODE XREF: StRtlIoStorInfoSetNvCachePriority(x,x)+4Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 005F60B1 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	si, [ebp+arg_8]
		cmp	si, 4
		ja	short loc_570227
		cmp	[ebp+arg_C], 0
		jz	loc_5F60B1

loc_5701FC:				; CODE XREF: IoSetGenericIrpExtension+85EDCj
		mov	ecx, [ebp+arg_0]
		push	2
		pop	edx
		call	IopAllocateIrpExtension
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_57022E
		movzx	eax, si
		push	eax		; size_t
		push	[ebp+arg_4]	; void *
		lea	eax, [ecx+4]
		push	eax		; void *
		call	_memcpy

loc_57021D:				; DATA XREF: .text:0040CDE0o
		add	esp, 0Ch
		xor	eax, eax

loc_570222:				; CODE XREF: IoSetGenericIrpExtension+4Aj
					; IoSetGenericIrpExtension+51j	...
		pop	esi
		pop	ebp
		retn	10h
; 

loc_570227:				; CODE XREF: IoSetGenericIrpExtension+Ej
		mov	eax, 0C000000Dh
		jmp	short loc_570222
; 

loc_57022E:				; CODE XREF: IoSetGenericIrpExtension+29j
		mov	eax, 0C000009Ah
		jmp	short loc_570222
IoSetGenericIrpExtension endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFreeUnusedPfnPagesDpc	proc near	; DATA XREF: MiFreeUnusedPfnPages+73o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005702CE SIZE 00000018 BYTES
; FUNCTION CHUNK AT 005F60CE SIZE 000000B9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		or	ebx, 0FFFFFFFFh
		push	edi
		mov	eax, ebx
		lock xadd [esi], eax
		dec	eax
		mov	edi, eax
		mov	ecx, 80000000h
		not	edi
		and	edi, ecx
		test	eax, 7FFFFFFFh
		jnz	short loc_5702C1
		mov	eax, [esi+4]
		or	eax, edi
		mov	edi, offset unk_6D3C40
		mov	[esi], eax
		mov	al, byte_6D37A0
		and	al, 7
		cmp	al, 2
		jz	short loc_57027F
		mov	edi, offset unk_6D37C0

loc_57027F:				; CODE XREF: MiFreeUnusedPfnPagesDpc+42j
		push	edi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [edi+4], 0
		push	offset unk_6D4EB0
		mov	byte ptr [ebp+arg_C+3],	al
		call	ExAcquireSpinLockExclusive
		cmp	dword_6D4E5C, 0
		mov	edi, [ebp+arg_4]
		jnz	loc_5F60CE
		mov	ecx, edi
		call	MiFreedUnusedPfnPagesWorker
		xor	eax, eax
		jmp	loc_5F612C
; 

loc_5702B4:				; CODE XREF: MiFreeUnusedPfnPagesDpc+91j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	ecx, 80000000h

loc_5702C1:				; CODE XREF: MiFreeUnusedPfnPagesDpc+2Bj
		mov	eax, [esi]
		and	eax, ecx
		cmp	eax, edi
		jnz	short loc_5702B4
		jmp	loc_5F6153
MiFreeUnusedPfnPagesDpc	endp

; 
; START	OF FUNCTION CHUNK FOR MiFreeUnusedPfnPagesDpc

loc_5702CE:				; CODE XREF: MiFreeUnusedPfnPagesDpc+A9j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		and	eax, 80000000h

loc_5702DD:				; CODE XREF: MiFreeUnusedPfnPagesDpc+85F4Cj
		cmp	eax, edi
		jnz	short loc_5702CE
		jmp	loc_5F616D
; END OF FUNCTION CHUNK	FOR MiFreeUnusedPfnPagesDpc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFreedUnusedPfnPagesWorker proc near	; CODE XREF: MiFreeUnusedPfnPagesDpc+72p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F6187 SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		cmp	dword ptr [ecx], 0
		push	ebx
		push	esi
		push	edi
		jnz	short loc_570300
		mov	byte_6D4EB4, 1

loc_570300:				; CODE XREF: MiFreedUnusedPfnPagesWorker+11j
		xor	esi, esi

loc_570302:				; CODE XREF: MiFreedUnusedPfnPagesWorker+B7j
					; MiFreedUnusedPfnPagesWorker+DEj ...
		mov	ecx, dword_6D07B0
		lea	eax, [ecx+1]
		cmp	esi, eax
		jz	loc_5704A2
		mov	eax, ds:_MmPhysicalMemoryBlock
		test	eax, eax
		jnz	loc_5F6187

loc_570320:				; CODE XREF: MiFreedUnusedPfnPagesWorker+85EE0j
		sub	ecx, esi
		inc	ecx

loc_570323:				; CODE XREF: MiFreedUnusedPfnPagesWorker+85EBBj
		mov	eax, esi
		test	ecx, ecx
		jz	loc_5704A2
		lea	esi, [ecx+eax]
		mov	edi, offset loc_7FFFF8
		mov	ecx, ds:_MmPfnDatabase
		imul	eax, 1Ch
		imul	ebx, esi, 1Ch
		mov	[esp+28h+var_4], esi
		lea	edx, [ecx+0FFFh]
		add	edx, eax
		add	ebx, ecx
		shr	edx, 9
		shr	ebx, 9
		and	edx, edi
		add	edx, 0C0000000h
		and	ebx, edi
		sub	ebx, 40000000h
		mov	[esp+28h+var_10], edx
		mov	[esp+28h+var_8], ebx
		jmp	short loc_57039B
; 

loc_57036F:				; CODE XREF: MiFreedUnusedPfnPagesWorker+A7j
					; MiFreedUnusedPfnPagesWorker+FCj
		cmp	dword ptr [edi], 0
		jz	short loc_5703E4

loc_570374:				; CODE XREF: MiFreedUnusedPfnPagesWorker+110j
		mov	eax, 1000h

loc_570379:				; CODE XREF: MiFreedUnusedPfnPagesWorker+195j
		add	eax, 0FFFh
		and	eax, 0FFFFF000h
		sub	ebx, eax
		add	edi, eax
		cmp	ebx, 1000h
		jnb	short loc_57036F
		mov	edx, [esp+28h+var_10]
		mov	ebx, [esp+28h+var_8]
		mov	esi, [esp+28h+var_4]

loc_57039B:				; CODE XREF: MiFreedUnusedPfnPagesWorker+87j
		cmp	edx, ebx
		jnb	loc_570302
		mov	eax, ebx
		sub	eax, edx
		lea	edx, [esp+28h+var_1C]
		push	ecx
		sar	eax, 3
		shl	eax, 0Ch
		push	ecx
		lea	ecx, [esp+30h+var_10]
		mov	[esp+30h+var_1C], eax
		call	MiGetNextNonGapPfnPage
		mov	edi, eax
		test	edi, edi
		jz	loc_570302
		mov	eax, [esp+28h+var_1C]
		and	eax, 0FFFFF000h
		mov	[esp+28h+var_14], eax
		jz	loc_570302
		push	1Ch
		mov	ebx, eax
		pop	esi
		jmp	short loc_57036F
; 

loc_5703E4:				; CODE XREF: MiFreedUnusedPfnPagesWorker+8Cj
		push	0
		push	ebx
		push	edi
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		mov	[esp+28h+var_14], eax
		cmp	eax, 1000h
		jb	loc_570374

loc_5703FC:				; DATA XREF: .text:0040D0E8o
		mov	eax, edi
		mov	[esp+28h+var_18], edi
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	esi
		imul	eax, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[esp+28h+var_1C], eax
		cmp	eax, edi
		jz	short loc_57043F
		mov	ecx, eax
		call	MmIsAddressValidEx
		test	al, al
		jz	loc_5F61CB
		push	0
		push	esi
		push	[esp+30h+var_1C]
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, esi
		jnz	loc_5F61CB

loc_57043F:				; CODE XREF: MiFreedUnusedPfnPagesWorker+134j
					; MiFreedUnusedPfnPagesWorker+85EEFj
		mov	eax, [esp+28h+var_14]
		and	eax, 0FFFFF000h
		add	eax, edi
		mov	[esp+28h+var_1C], eax
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	esi
		imul	edx, eax, 1Ch
		mov	eax, [esp+28h+var_1C]
		add	edx, ds:_MmPfnDatabase
		mov	[esp+28h+var_C], edx
		cmp	edx, eax
		jnz	short loc_570480

loc_57046C:				; CODE XREF: MiFreedUnusedPfnPagesWorker+1BAj
					; MiFreedUnusedPfnPagesWorker+1CCj
		mov	ecx, [esp+28h+var_18]
		mov	edx, eax
		call	MiPfnRangeIsZero
		mov	eax, [esp+28h+var_14]
		jmp	loc_570379
; 

loc_570480:				; CODE XREF: MiFreedUnusedPfnPagesWorker+184j
		lea	ecx, [edx+1Ch]
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_5704A9
		push	0
		push	esi
		push	[esp+30h+var_C]
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, esi
		jnz	short loc_5704A9
		mov	eax, [esp+28h+var_1C]
		jmp	short loc_57046C
; 

loc_5704A2:				; CODE XREF: MiFreedUnusedPfnPagesWorker+27j
					; MiFreedUnusedPfnPagesWorker+41j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5704A9:				; CODE XREF: MiFreedUnusedPfnPagesWorker+1A4j
					; MiFreedUnusedPfnPagesWorker+1B4j
		mov	eax, [esp+28h+var_1C]
		sub	eax, 1000h
		jmp	short loc_57046C
MiFreedUnusedPfnPagesWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetNextNonGapPfnPage proc near	; CODE XREF: MiFreedUnusedPfnPagesWorker+D5p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F61DA SIZE 000000DD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_10], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx]
		mov	edx, 40000000h
		mov	[ebp+var_1C], ecx
		mov	ecx, offset loc_7FFFF8
		mov	[ebp+var_18], eax
		test	edi, edi
		jz	loc_5F61DA

loc_5704DF:				; CODE XREF: MiGetNextNonGapPfnPage+85D33j
		mov	eax, [eax]
		test	eax, eax
		jz	loc_5F61EC
		shr	eax, 0Ch
		lea	ebx, [edi+eax*8]
		mov	eax, ebx
		shl	eax, 9
		mov	[ebp+var_14], eax

loc_5704F7:				; CODE XREF: MiGetNextNonGapPfnPage+85D5Fj
		sub	ebx, 8

loc_5704FA:				; CODE XREF: MiGetNextNonGapPfnPage+85D59j
		and	[ebp+var_8], 0
		xor	ecx, ecx
		xor	esi, esi
		mov	[ebp+var_C], ecx
		cmp	edi, ebx
		ja	loc_5705E7

loc_57050D:				; CODE XREF: MiGetNextNonGapPfnPage+85D8Cj
		lea	eax, [ebp+var_10]
		mov	edx, ebx
		push	eax
		push	7
		push	2
		push	0
		mov	ecx, edi
		call	MiGetNextPageTable
		mov	edi, eax
		test	edi, edi
		jz	loc_5705AA
		mov	edx, [ebp+var_10]
		test	edx, edx
		jz	loc_5F6218
		mov	[ebp+var_C], edi
		mov	esi, edi
		test	edx, edx
		jz	short loc_570561
		mov	eax, [ebp+var_8]
		mov	ecx, offset loc_7FFFF8

loc_570546:				; CODE XREF: MiGetNextNonGapPfnPage+A8j
		test	eax, eax
		jnz	loc_5F6297

loc_57054E:				; CODE XREF: MiGetNextNonGapPfnPage+85DEDj
		shr	esi, 9
		and	esi, ecx

loc_570553:				; DATA XREF: .text:0040CD40o
		sub	esi, 40000000h
		sub	edx, 1
		jnz	short loc_570546
		mov	[ebp+var_8], eax

loc_570561:				; CODE XREF: MiGetNextNonGapPfnPage+88j
		add	esi, 8
		mov	edx, 0C07FFFFFh
		mov	ecx, 0C0000000h

loc_57056E:				; CODE XREF: MiGetNextNonGapPfnPage+C5j
		cmp	esi, ecx
		jb	short loc_57057B
		cmp	esi, edx
		ja	short loc_57057B
		shl	esi, 9
		jmp	short loc_57056E
; 

loc_57057B:				; CODE XREF: MiGetNextNonGapPfnPage+BCj
					; MiGetNextNonGapPfnPage+C0j
		mov	eax, edi
		cmp	edi, ecx
		jb	short loc_57058C

loc_570581:				; CODE XREF: MiGetNextNonGapPfnPage+D6j
		cmp	eax, edx
		ja	short loc_57058C
		shl	eax, 9
		cmp	eax, ecx
		jnb	short loc_570581

loc_57058C:				; CODE XREF: MiGetNextNonGapPfnPage+CBj
					; MiGetNextNonGapPfnPage+CFj
		sub	ebx, edi
		sub	esi, eax
		sar	ebx, 3
		mov	eax, esi
		shr	eax, 0Ch
		lea	ecx, [ebx+1]
		cmp	eax, ecx
		ja	short loc_5705D9

loc_57059F:				; CODE XREF: MiGetNextNonGapPfnPage+12Bj
					; MiGetNextNonGapPfnPage+85DDEj
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	loc_5F62A6

loc_5705AA:				; CODE XREF: MiGetNextNonGapPfnPage+70j
					; MiGetNextNonGapPfnPage+85D92j ...
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	short loc_5705E7
		mov	edx, [ebp+var_14]
		mov	eax, esi
		shr	eax, 0Ch
		lea	edi, [ecx+eax*8]
		shl	ecx, 9
		lea	eax, [esi+ecx]
		cmp	eax, edx
		ja	short loc_5705E1

loc_5705C6:				; CODE XREF: MiGetNextNonGapPfnPage+131j
					; MiGetNextNonGapPfnPage+137j
		mov	eax, [ebp+var_18]
		mov	[eax], esi
		mov	eax, [ebp+var_1C]
		mov	[eax], edi
		mov	eax, ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_5705D9:				; CODE XREF: MiGetNextNonGapPfnPage+E9j
		lea	esi, [ebx+1]
		shl	esi, 0Ch
		jmp	short loc_57059F
; 

loc_5705E1:				; CODE XREF: MiGetNextNonGapPfnPage+110j
		mov	esi, edx
		sub	esi, ecx
		jmp	short loc_5705C6
; 

loc_5705E7:				; CODE XREF: MiGetNextNonGapPfnPage+53j
					; MiGetNextNonGapPfnPage+FBj
		xor	ecx, ecx
		xor	esi, esi
		jmp	short loc_5705C6
MiGetNextNonGapPfnPage endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPfnRangeIsZero proc near		; CODE XREF: MiFreedUnusedPfnPagesWorker+18Cp

var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F62B7 SIZE 000000AC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_2C]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		mov	eax, ds:_MxPfnAllocation
		shl	eax, 0Ch
		add	eax, ds:_MmPfnDatabase
		cmp	edx, eax
		ja	loc_5F62B7

loc_57061C:				; CODE XREF: MiPfnRangeIsZero+85CCEj
		cmp	ebx, edx
		jnb	loc_570787
		and	[ebp+var_14], 0
		xor	eax, eax
		xor	edx, edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_18], edx

loc_570632:				; CODE XREF: MiPfnRangeIsZero+14Dj
		mov	ecx, ebx
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		mov	esi, ebx
		xor	edx, edx
		shr	esi, 9
		mov	edi, eax
		and	esi, offset loc_7FFFF8
		inc	edx
		push	2
		sub	esi, 40000000h
		mov	[ebp+var_C], edx
		pop	ecx
		mov	[ebp+var_8], ecx
		test	edi, edi
		jg	loc_5707CD

loc_570660:				; CODE XREF: MiPfnRangeIsZero+1FCj
					; MiPfnRangeIsZero+210j
		mov	ecx, edx
		shl	ecx, 0Ch
		lea	eax, [ecx-1]
		test	eax, ebx
		jnz	loc_570803
		mov	eax, [ebp+var_4]
		sub	eax, ebx
		cmp	eax, ecx
		jb	loc_570803
		mov	eax, [esi]
		and	eax, 20h
		or	eax, 0
		jnz	loc_57078C

loc_57068B:				; CODE XREF: MiPfnRangeIsZero+1DAj
		mov	edx, edi
		mov	[ebp+var_20], edx
		cmp	edi, 2
		jge	loc_570723
		mov	ebx, [ebp+var_8]

loc_57069C:				; CODE XREF: MiPfnRangeIsZero+85D37j
		mov	eax, [esi]
		mov	[ebp+var_8], eax
		nop
		mov	ecx, [esi+4]
		mov	[ebp+var_1C], ecx
		cmp	edi, edx
		jnz	loc_5F62D6

loc_5706B0:				; CODE XREF: MiPfnRangeIsZero+85CEEj
					; MiPfnRangeIsZero+85D00j
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	_MiPreparePfnDatabasePageForFree@12 ; MiPreparePfnDatabasePageForFree(x,x,x)
		mov	eax, [ebp+var_14]
		add	eax, [ebp+var_C]
		mov	[ebp+var_14], eax
		nop
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_1C]
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		imul	ecx, eax, 1Ch
		mov	eax, [ebp+ebx*4+var_2C]
		add	ecx, ds:_MmPfnDatabase
		mov	[ebp+ebx*4+var_2C], ecx
		xor	ebx, ebx
		inc	ebx
		mov	[ecx], eax
		cmp	edi, ebx
		jz	loc_5F62F3

loc_5706F1:				; CODE XREF: MiPfnRangeIsZero+85D11j
		mov	edx, edi
		mov	ecx, esi
		call	MiReplacePfnWithGapMapping
		mov	ecx, esi
		and	ecx, 0FFFFF000h
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		imul	ecx, eax, 1Ch
		mov	eax, ds:_MmPfnDatabase
		mov	eax, [ecx+eax+10h]
		and	eax, 3FFFFFFFh

loc_570718:				; DATA XREF: .text:0040CE60o
		cmp	eax, ebx
		jz	loc_5F6304
		add	esi, 8

loc_570723:				; CODE XREF: MiPfnRangeIsZero+A5j
					; MiPfnRangeIsZero+85D2Ej
		mov	ebx, esi

loc_570725:				; CODE XREF: MiPfnRangeIsZero+148j
		cmp	ebx, 0C07FFFFFh
		ja	short loc_570738
		shl	ebx, 9
		cmp	ebx, 0C0000000h
		jnb	short loc_570725

loc_570738:				; CODE XREF: MiPfnRangeIsZero+13Dj
					; MiPfnRangeIsZero+21Ej ...
		cmp	ebx, [ebp+var_4]
		jb	loc_570632
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_5F6346

loc_57074C:				; CODE XREF: MiPfnRangeIsZero+85D62j
		mov	ebx, [ebp+var_14]
		mov	ecx, offset dword_6D3634
		mov	eax, ebx
		neg	eax
		lock xadd [ecx], eax
		mov	esi, offset _MiSystemPartition
		lea	edx, [ebp+var_2C]
		push	0
		mov	ecx, esi
		call	_MiFreeLargeZeroPages@12 ; MiFreeLargeZeroPages(x,x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	MiReturnCommit
		mov	edx, ebx
		mov	ecx, esi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jnz	loc_5F6355

loc_570787:				; CODE XREF: MiPfnRangeIsZero+30j
					; MiPfnRangeIsZero+85D70j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_57078C:				; CODE XREF: MiPfnRangeIsZero+97j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		shr	eax, 3
		mov	edx, 200h
		and	eax, 1FFh
		shr	ecx, 9
		mov	ebx, 40000000h
		sub	edx, eax
		sub	ecx, ebx
		test	edi, edi
		jg	short loc_57081A

loc_5707AE:				; CODE XREF: MiPfnRangeIsZero+85CE3j
		mov	eax, esi
		xor	eax, ecx
		test	eax, 0FFFFF000h
		jnz	short loc_5707C0
		mov	edx, ecx
		sub	edx, esi
		sar	edx, 3

loc_5707C0:				; CODE XREF: MiPfnRangeIsZero+1C9j
		push	edi
		mov	ecx, esi
		call	MiClearSystemAccessBits
		jmp	loc_57068B
; 

loc_5707CD:				; CODE XREF: MiPfnRangeIsZero+6Cj
		mov	eax, edi

loc_5707CF:				; CODE XREF: MiPfnRangeIsZero+1F4j
		shr	esi, 9
		dec	ecx
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		sub	eax, 1
		jnz	short loc_5707CF
		mov	[ebp+var_8], ecx
		cmp	ecx, 2
		jz	loc_570660
		mov	edx, ds:dword_4102F0[ecx*4]
		dec	ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], edx
		jmp	loc_570660
; 

loc_570803:				; CODE XREF: MiPfnRangeIsZero+7Cj
					; MiPfnRangeIsZero+89j
		mov	ecx, ebx
		call	_MiDemoteValidLargePageOneLevel@4 ; MiDemoteValidLargePageOneLevel(x)
		test	eax, eax
		jnz	loc_570738
		lea	ebx, [esi+8]
		jmp	loc_5F632A
; 

loc_57081A:				; CODE XREF: MiPfnRangeIsZero+1BEj
		mov	eax, edi
		jmp	loc_5F62C1
MiPfnRangeIsZero endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReplacePfnWithGapMapping proc	near	; CODE XREF: MiPfnRangeIsZero+107p

var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F6363 SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, dword_6D3518
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	eax, dword_6D351C
		jnz	loc_5F6385
		push	98h		; size_t
		lea	eax, [ebp+var_A0]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [esi]
		add	esp, 0Ch
		nop
		and	[ebp+var_8C], 0
		mov	[ebp+var_98], 21h
		test	edi, edi
		jnz	loc_5F6363

loc_570880:				; CODE XREF: MiReplacePfnWithGapMapping+85B4Aj
		push	esi
		mov	edx, edi
		lea	ecx, [ebp+var_A0]
		call	_MiInsertRecursiveTbFlushEntries@12 ; MiInsertRecursiveTbFlushEntries(x,x,x)

loc_57088E:				; CODE XREF: MiReplacePfnWithGapMapping+85B5Ej
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		lea	ecx, [ebp+var_A0]
		mov	[esi+4], eax
		call	MiFlushTbList

loc_5708A9:				; CODE XREF: MiReplacePfnWithGapMapping+85B8Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
MiReplacePfnWithGapMapping endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPreparePfnDatabasePageForFree(x, x, x)
_MiPreparePfnDatabasePageForFree@12 proc near ;	CODE XREF: MiPfnRangeIsZero+C7p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ecx]
		push	edi
		mov	[ebp+var_8], edx
		nop
		mov	eax, [ecx+4]
		nop
		shrd	esi, eax, 0Ch
		mov	ebx, 7FFFFFFFh
		and	esi, 1FFFFFFh
		imul	esi, 1Ch
		add	esi, ds:_MmPfnDatabase
		test	edx, edx
		jnz	short loc_570917
		cmp	[ebp+arg_0], 2
		jnz	short loc_570917
		and	[ebp+arg_0], edx
		lea	edi, [esi+10h]
		jmp	short loc_570904
; 

loc_5708F6:				; CODE XREF: MiPreparePfnDatabasePageForFree(x,x,x)+4Aj
					; MiPreparePfnDatabasePageForFree(x,x,x)+51j
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_5708F6

loc_570904:				; CODE XREF: MiPreparePfnDatabasePageForFree(x,x,x)+3Cj
		lock bts dword ptr [edi], 1Fh
		jb	short loc_5708F6
		mov	eax, 0FFFFh
		add	[esi+14h], ax
		lock and [edi],	ebx

loc_570917:				; CODE XREF: MiPreparePfnDatabasePageForFree(x,x,x)+2Ej
					; MiPreparePfnDatabasePageForFree(x,x,x)+34j
		mov	eax, [esi+18h]
		and	eax, offset loc_7FFFFF
		imul	ebx, eax, 1Ch
		add	ebx, ds:_MmPfnDatabase
		and	[ebp+var_4], 0
		lea	edi, [ebx+10h]
		jmp	short loc_57093F
; 

loc_570931:				; CODE XREF: MiPreparePfnDatabasePageForFree(x,x,x)+85j
					; MiPreparePfnDatabasePageForFree(x,x,x)+8Cj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_570931

loc_57093F:				; CODE XREF: MiPreparePfnDatabasePageForFree(x,x,x)+77j
		lock bts dword ptr [edi], 1Fh
		jb	short loc_570931
		or	edx, 0FFFFFFFFh
		mov	ecx, ebx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		cmp	[ebp+var_8], 0
		jnz	short loc_57096E
		mov	eax, ds:_ZeroPte
		mov	[esi+8], eax
		mov	eax, ds:dword_40F9FC
		mov	[esi+0Ch], eax

loc_57096E:				; CODE XREF: MiPreparePfnDatabasePageForFree(x,x,x)+A4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiPreparePfnDatabasePageForFree@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiClearSystemAccessBits	proc near	; CODE XREF: MiPfnRangeIsZero+1D5p
					; MiPfnRangeIsZero+85CFBp

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_90		= dword	ptr -90h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F63B3 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_A4]
		mov	edi, edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		and	[ebp+var_90], 0
		mov	eax, esi
		shl	eax, 9
		add	esp, 0Ch
		mov	[ebp+var_9C], 21h
		mov	[ebp+var_B0], eax
		test	edi, edi
		jz	short loc_570A14
		mov	eax, edi
		mov	[ebp+var_A8], edi

loc_5709D0:				; CODE XREF: MiClearSystemAccessBits+96j
		mov	edx, [esi]
		nop
		mov	ecx, [esi+4]
		mov	[ebp+var_AC], ecx
		mov	ecx, edx
		and	ecx, 20h
		or	ecx, 0
		jz	short loc_570A00
		mov	ecx, [ebp+var_AC]
		mov	ebx, edx
		mov	eax, edx
		and	ebx, 0FFFFFFDFh
		mov	edx, ecx
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	eax, [ebp+var_A8]

loc_570A00:				; CODE XREF: MiClearSystemAccessBits+6Ej
		add	esi, 8
		sub	eax, 1
		mov	[ebp+var_A8], eax
		jnz	short loc_5709D0
		mov	eax, [ebp+var_B0]

loc_570A14:				; CODE XREF: MiClearSystemAccessBits+50j
		cmp	[ebp+arg_0], 0
		jnz	loc_5F63B3
		push	0
		push	edi
		mov	edx, eax
		lea	ecx, [ebp+var_A4]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_570A2E:				; CODE XREF: MiClearSystemAccessBits+85A44j
					; MiClearSystemAccessBits+85A61j
		lea	ecx, [ebp+var_A4]
		call	MiFlushTbList
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
MiClearSystemAccessBits	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDemoteValidLargePageOneLevel(x)
_MiDemoteValidLargePageOneLevel@4 proc near ; CODE XREF: MiPfnRangeIsZero+217p

var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_179		= dword	ptr -179h
var_16C		= dword	ptr -16Ch
var_160		= dword	ptr -160h
var_B0		= dword	ptr -0B0h
var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1D4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_A0]
		push	98h		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	edi, ecx
		mov	[ebp+var_184], ebx
		mov	byte ptr [ebp+var_179],	bl
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_179+1]
		push	0D8h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_98], 21h
		mov	ecx, edi
		mov	[ebp+var_8C], ebx
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		mov	esi, edi
		mov	[ebp+var_1A0], eax
		shr	esi, 12h
		mov	ecx, 200000h
		and	esi, 3FF8h
		mov	[ebp+var_1B4], ecx
		sub	esi, 3FA00000h
		mov	[ebp+var_1A4], esi
		cmp	eax, 1
		jz	short loc_570B04
		dec	eax

loc_570AE1:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+ACj
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		shl	ecx, 9
		sub	esi, 40000000h
		sub	eax, 1
		jnz	short loc_570AE1
		mov	[ebp+var_1B4], ecx
		mov	[ebp+var_1A4], esi

loc_570B04:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+94j
		mov	[ebp+var_190], ebx
		mov	[ebp+var_18C], ebx
		mov	ebx, [esi]
		nop
		mov	eax, [esi+4]
		mov	[ebp+var_180], eax
		mov	[ebp+var_1D0], ebx
		mov	[ebp+var_1CC], eax
		nop
		mov	ecx, ebx
		mov	[ebp+var_16C], offset _MiSystemPartition
		shrd	ecx, eax, 0Ch
		mov	[ebp+var_160], 4
		and	ecx, 1FFFFFFh
		mov	[ebp+var_1A8], ecx
		call	MiSearchNumaNodeTable
		lea	edx, [ebp+var_B0]
		mov	ecx, edi
		mov	eax, [eax+4]
		inc	eax
		push	eax
		call	_MiInitializeColorBase@12 ; MiInitializeColorBase(x,x,x)
		lea	eax, [ebp+var_184]
		xor	edx, edx
		push	eax
		inc	edx
		lea	ecx, [ebp+var_179+1]
		call	MiGetPageTablePages
		test	eax, eax
		jns	short loc_570B86
		xor	eax, eax
		jmp	loc_570F75
; 

loc_570B86:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+133j
		mov	eax, [ebp+var_184]
		push	1Ch
		pop	ecx
		and	dword ptr [eax], 0
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	ecx
		mov	ecx, esi
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		mov	[ebp+var_19C], eax
		mov	eax, [ecx-40000000h]
		nop
		mov	ecx, [ecx-3FFFFFFCh]
		nop
		shrd	eax, ecx, 0Ch
		mov	ecx, 80000004h
		and	eax, 1FFFFFFh
		mov	[ebp+var_1C0], eax
		mov	eax, [ebp+var_180]
		shrd	ebx, eax, 8
		and	ebx, 1
		mov	eax, ebx
		mov	[ebp+var_1BC], ebx
		or	eax, 0
		jz	short loc_570BF6
		cmp	[ebp+var_1A0], 1
		jnz	short loc_570BF6
		mov	ecx, 0A0000004h

loc_570BF6:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+19Cj
					; MiDemoteValidLargePageOneLevel(x)+1A5j
		mov	edx, [ebp+var_1A8]
		push	ecx
		mov	ecx, esi
		shl	ecx, 9
		call	MiMakeValidPte
		mov	ecx, [ebp+var_19C]
		mov	edi, edx
		mov	esi, eax
		mov	[ebp+var_18C], edi
		push	80000000h
		lea	edx, [ebp+var_179]
		mov	[ebp+var_190], esi
		call	MiMapPageInHyperSpaceWorker
		mov	[ebp+var_1B8], eax
		mov	ebx, eax
		mov	[ebp+var_194], esi
		mov	[ebp+var_180], edi

loc_570C41:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+2F6j
		and	[ebp+var_1B0], 0
		mov	ecx, ebx
		mov	[ebp+var_198], esi
		mov	edx, edi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	loc_570CE1
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_570C91
		cmp	byte ptr word_6D07B8+1,	0
		mov	[ebp+var_1B0], 1
		jnz	short loc_570CE1
		mov	ecx, esi
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_570CE1
		mov	eax, ecx
		or	edx, 80000000h
		jmp	short loc_570CE7
; 

loc_570C91:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+21Cj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_570CD5
		mov	ecx, [ebp+var_194]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_570CD5
		mov	edx, [ebp+var_180]
		mov	eax, ecx
		mov	edi, [ebp+var_18C]
		or	edx, 80000000h
		mov	esi, [ebp+var_190]
		jmp	short loc_570CE7
; 

loc_570CD5:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+25Dj
					; MiDemoteValidLargePageOneLevel(x)+26Dj
		mov	edi, [ebp+var_18C]
		mov	esi, [ebp+var_190]

loc_570CE1:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+20Fj
					; MiDemoteValidLargePageOneLevel(x)+22Fj ...
		mov	eax, [ebp+var_198]

loc_570CE7:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+245j
					; MiDemoteValidLargePageOneLevel(x)+289j
		mov	[ebx+4], edx
		nop
		cmp	[ebp+var_1B0], 0
		mov	[ebx], eax
		jz	short loc_570CFF
		push	edx
		push	eax
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_570CFF:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+2AAj
		mov	eax, esi
		mov	edx, 0FFFFF000h
		and	eax, edx
		mov	ecx, edi
		add	eax, 1000h
		adc	ecx, 0
		xor	eax, esi
		xor	ecx, edi
		and	eax, edx
		and	ecx, 1Fh
		xor	esi, eax
		xor	edi, ecx
		mov	[ebp+var_194], esi
		add	ebx, 8
		mov	[ebp+var_180], edi
		mov	[ebp+var_190], esi
		mov	[ebp+var_18C], edi
		test	ebx, 0FFFh
		jnz	loc_570C41
		mov	dl, byte ptr [ebp+var_179]
		mov	ecx, [ebp+var_1B8]
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		cmp	[ebp+var_1A0], 1
		mov	edi, 80000004h
		mov	esi, [ebp+var_1A4]
		mov	ebx, [ebp+var_1BC]
		jz	short loc_570D7B
		mov	edi, 84000004h

loc_570D7B:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+32Aj
		or	ebx, 0
		jz	short loc_570D86
		or	edi, 20000000h

loc_570D86:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+334j
		mov	edx, [ebp+var_1A8]
		or	edi, 8000000h
		push	edi
		mov	ecx, esi
		call	MiMakeValidPte
		mov	ecx, [ebp+var_19C]
		mov	ebx, edx
		push	0A00h
		push	[ebp+var_1C0]
		mov	edi, eax
		mov	[ebp+var_18C], ebx
		mov	edx, esi
		mov	[ebp+var_190], edi
		call	MiInitializePfnForOtherProcess
		mov	ecx, [ebp+var_184]
		and	[ebp+var_1AC], 0
		lea	eax, [ecx+10h]
		mov	[ebp+var_180], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_570E11
		mov	esi, eax

loc_570DE1:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+3A6j
					; MiDemoteValidLargePageOneLevel(x)+3ADj
		lea	ecx, [ebp+var_1AC]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_570DE1
		lock bts dword ptr [esi], 1Fh
		jb	short loc_570DE1
		mov	ecx, [ebp+var_184]
		mov	ebx, [ebp+var_18C]
		mov	edi, [ebp+var_190]
		mov	esi, [ebp+var_1A4]

loc_570E11:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+393j
		mov	eax, 200h
		mov	edx, eax
		mov	[ebp+var_194], eax
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, [ebp+var_180]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	ecx, [ebp+var_19C]
		xor	eax, eax
		and	ecx, 1FFFFFFh
		and	ebx, 0FFFFFFE0h
		shld	eax, ecx, 0Ch
		and	edi, 0FFFh
		mov	edx, esi
		shl	ecx, 0Ch
		or	eax, ebx
		mov	ebx, [ebp+var_1A0]
		or	ecx, edi
		push	eax
		push	ecx
		push	ebx
		mov	ecx, esi
		call	MiTransformValidPteInPlace
		cmp	ebx, 1
		jnz	short loc_570E79
		xor	edx, edx
		lea	ecx, [ebp+var_A0]
		push	esi
		inc	edx
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)

loc_570E79:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+41Ej
		imul	edi, [ebp+var_1A8], 1Ch
		lea	ebx, [esi+8]
		add	edi, ds:_MmPfnDatabase
		mov	[ebp+var_180], edi
		add	edi, 3800h
		mov	esi, [ebp+var_180]
		shl	ebx, 9

loc_570E9E:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+4DEj
		and	[ebp+var_1C4], 0
		sub	edi, 1Ch
		mov	[ebp+var_184], edi
		sub	ebx, 8
		lea	eax, [edi+10h]
		mov	[ebp+var_1AC], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_570EE7
		mov	esi, eax

loc_570EC3:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+488j
					; MiDemoteValidLargePageOneLevel(x)+48Fj
		lea	ecx, [ebp+var_1C4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_570EC3
		lock bts dword ptr [esi], 1Fh
		jb	short loc_570EC3
		mov	edi, [ebp+var_184]
		mov	esi, [ebp+var_180]

loc_570EE7:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+475j
		test	byte ptr [edi+17h], 10h
		jnz	short loc_570F16
		test	dword ptr [edi+18h], (offset loc_7FFFFF+1)
		jz	short loc_570F02
		push	0
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	_MiConvertLargePfnToSmall@16 ; MiConvertLargePfnToSmall(x,x,x,x)

loc_570F02:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+4AAj
		mov	[edi+4], ebx
		mov	eax, [edi+18h]
		xor	eax, [ebp+var_19C]
		and	eax, offset loc_7FFFFF
		xor	[edi+18h], eax

loc_570F16:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+4A1j
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		sub	[ebp+var_194], 1
		jnz	loc_570E9E
		cmp	[ebp+var_1A0], 1
		mov	esi, [ebp+var_1A4]
		jnz	short loc_570F5B
		mov	eax, [ebp+var_1B4]
		mov	ecx, offset _MiSystemPartition
		mov	edx, [ebp+var_1A8]
		push	1
		push	0
		shr	eax, 0Ch
		push	eax
		call	MiUpdateLargePageBitMap

loc_570F5B:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+4F1j
		shl	esi, 12h
		mov	edx, esi
		mov	ecx, esi
		call	MiReplicatePteChange
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		xor	eax, eax
		inc	eax

loc_570F75:				; CODE XREF: MiDemoteValidLargePageOneLevel(x)+137j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiDemoteValidLargePageOneLevel@4 endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemClearFrequentScenarioTable()
_WdipSemClearFrequentScenarioTable@0 proc near
					; CODE XREF: WdipSemInitializeGlobalState()+84p
					; WdipSemShutdown()+79p
		push	204h		; size_t
		push	0		; int
		push	offset _WdipSemFrequentScenarioTable ; void *
		call	_memset
		and	dword_6BCA44, 0
		add	esp, 0Ch
		retn
_WdipSemClearFrequentScenarioTable@0 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 868. IoGetGenericIrpExtension

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IoGetGenericIrpExtension(int,void *,__int16)
		public IoGetGenericIrpExtension
IoGetGenericIrpExtension proc near	; CODE XREF: StRtlIoStorInfoSetNvCachePriority(x,x)+23p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h

; FUNCTION CHUNK AT 005F63DC SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bx, [ebp+arg_8]
		push	edi
		mov	edi, 0C0000225h
		cmp	bx, 4
		ja	short loc_570FDB
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	2
		pop	edx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jnz	loc_5F63DC

loc_570FD2:				; CODE XREF: IoGetGenericIrpExtension+85459j
		mov	eax, edi
		pop	esi

loc_570FD5:				; CODE XREF: IoGetGenericIrpExtension+3Aj
		pop	edi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_570FDB:				; CODE XREF: IoGetGenericIrpExtension+14j
		mov	eax, 0C000000Dh
		jmp	short loc_570FD5
IoGetGenericIrpExtension endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcAsyncReadWorker proc near		; DATA XREF: CcInitializeAsyncRead+2CFo

var_26C		= dword	ptr -26Ch
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F6404 SIZE 0000012F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 26Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_234], ecx
		mov	[ebp+var_20C], 3
		mov	[ebp+var_220], eax
		mov	[ebp+var_224], eax
		test	ecx, ecx
		jz	loc_5F6524
		mov	eax, [ecx+18h]
		mov	edx, [ecx+14h]
		push	esi
		mov	esi, [ecx+20h]
		push	edi
		mov	[ebp+var_218], eax
		lea	edi, [ebp+var_204]
		xor	eax, eax
		mov	[ebp+var_214], edx
		push	40h
		pop	ecx
		rep stosd
		push	40h
		pop	ecx
		lea	edi, [ebp+var_104]
		mov	[ebp+var_210], esi
		rep stosd
		mov	ecx, [esi+258h]
		mov	eax, edx
		shl	eax, 4
		add	ecx, eax
		mov	[ebp+var_230], eax
		imul	eax, edx, 194h
		mov	[ebp+var_208], ecx
		mov	[ebp+var_23C], ecx
		add	eax, [esi+25Ch]
		mov	[ebp+var_21C], eax
		lea	eax, [esi+290h]
		mov	[ebp+var_238], eax

loc_571095:				; CODE XREF: CcAsyncReadWorker+1C9j
					; CcAsyncReadWorker+8553Aj
		cmp	ebx, 3Fh
		jnb	short loc_5710AB
		mov	eax, [esi+250h]
		lea	eax, [eax+edx*8]
		cmp	[eax], eax
		jnz	loc_5712FE

loc_5710AB:				; CODE XREF: CcAsyncReadWorker+B6j
		test	ebx, ebx
		jz	loc_571273
		push	ecx
		mov	edx, ebx
		lea	ecx, [ebp+var_104]
		call	MmWaitMultipleForCacheManagerPrefetch
		mov	edi, eax
		cmp	edi, ebx
		sbb	edx, edx
		neg	edx

loc_5710C9:				; CODE XREF: CcAsyncReadWorker+2BBj
					; CcAsyncReadWorker+8542Aj
		mov	[ebp+var_20C], edx

loc_5710CF:				; CODE XREF: CcAsyncReadWorker+85435j
		mov	ecx, [ebp+var_208]

loc_5710D5:				; CODE XREF: CcAsyncReadWorker+327j
		mov	eax, edx
		sub	eax, 0
		jz	loc_5711B6
		sub	eax, 1
		jnz	loc_5F64E4
		cmp	edi, ebx
		jnb	loc_57119E
		lea	eax, [ebp+var_204]
		lea	eax, [eax+edi*4]
		lfence	eax
		mov	esi, [eax]
		mov	[ebp+var_228], eax
		test	esi, esi
		jz	loc_5F650F
		mov	eax, [esi+20h]
		test	eax, eax
		jz	loc_5F650F
		push	73416343h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx
		mov	byte ptr [esi+48h], 6
		lea	eax, [ebp+var_104]
		mov	[esi+20h], ecx
		lea	eax, [eax+edi*4]
		mov	[ebp+var_22C], eax
		mov	[eax], ecx
		lea	eax, [ebp+var_204]
		lea	eax, [eax+edi*4]
		mov	[eax], ecx
		mov	eax, [esi+8]
		cmp	dword ptr [eax+170h], 1
		jz	loc_5712A2

loc_571158:				; CODE XREF: CcAsyncReadWorker+2C7j
		xor	edx, edx
		mov	ecx, esi
		call	CcPostWorkQueueAsyncRead

loc_571161:				; CODE XREF: CcAsyncReadWorker+2DBj
		dec	ebx
		cmp	edi, ebx
		jb	loc_5712C2

loc_57116A:				; CODE XREF: CcAsyncReadWorker+317j
		and	[ebp+edi*4+var_104], 0
		and	[ebp+edi*4+var_204], 0
		mov	ecx, [ebp+var_218]
		mov	eax, [ebp+var_21C]
		lock dec dword ptr [eax+ecx*4]
		mov	ecx, [ebp+var_208]
		mov	esi, [ebp+var_210]
		test	ecx, ecx
		jz	loc_5F641C

loc_57119E:				; CODE XREF: CcAsyncReadWorker+109j
					; CcAsyncReadWorker+28Cj ...
		cmp	[ebp+var_218], 0
		mov	edx, [ebp+var_214]
		jz	loc_571095
		jmp	loc_5F651A
; 

loc_5711B6:				; CODE XREF: CcAsyncReadWorker+F8j
		lea	edi, [esi+260h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx

loc_5711C5:				; CODE XREF: CcAsyncReadWorker+266j
		mov	eax, [esi+250h]
		mov	ecx, [ebp+var_214]
		lea	edx, [eax+ecx*8]
		cmp	[edx], edx
		jz	short loc_57124D
		cmp	ebx, 3Fh
		jnb	loc_5F647C
		mov	ecx, esi
		call	CcFindNextWorkQueueEntry
		xor	edx, edx
		mov	ecx, edi
		mov	esi, eax
		call	ExReleasePushLockEx
		mov	ecx, esi
		call	CcAsyncReadPrefetch
		test	al, al
		jz	loc_5F6469
		mov	eax, [esi+20h]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	loc_5F6433
		mov	eax, [ebp+var_218]
		mov	[ebp+ebx*4+var_104], ecx
		mov	ecx, [ebp+var_21C]
		mov	[ebp+ebx*4+var_204], esi
		inc	ebx
		lock inc dword ptr [ecx+eax*4]
		cmp	ebx, 3Fh
		sbb	eax, eax
		and	[ebp+var_208], eax

loc_571239:				; CODE XREF: CcAsyncReadWorker+85482j
					; CcAsyncReadWorker+85495j
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebp+var_210]
		jmp	loc_5711C5
; 

loc_57124D:				; CODE XREF: CcAsyncReadWorker+1F4j
		mov	edi, [ebp+var_220]

loc_571253:				; CODE XREF: CcAsyncReadWorker+854CBj
		xor	edx, edx
		lea	ecx, [esi+260h]
		call	ExReleasePushLockEx
		test	edi, edi
		jnz	loc_5F64B2

loc_571268:				; CODE XREF: CcAsyncReadWorker+85505j
		mov	ecx, [ebp+var_208]
		jmp	loc_57119E
; 

loc_571273:				; CODE XREF: CcAsyncReadWorker+CBj
		lea	eax, [ebp+var_26C]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	8
		push	1
		lea	eax, [ebp+var_23C]
		push	eax
		push	2
		call	KeWaitForMultipleObjects
		mov	edi, eax
		test	edi, edi
		jnz	loc_5F6404
		xor	edx, edx
		jmp	loc_5710C9
; 

loc_5712A2:				; CODE XREF: CcAsyncReadWorker+170j
		cmp	dword ptr [esi+1Ch], 20000h
		ja	loc_571158
		mov	ecx, esi
		call	CcCompleteAsyncRead
		mov	ecx, esi
		call	_CcFreeWorkQueueEntry@4	; CcFreeWorkQueueEntry(x)
		jmp	loc_571161
; 

loc_5712C2:				; CODE XREF: CcAsyncReadWorker+182j
		mov	eax, ebx
		lea	esi, [ebp+var_200]
		sub	eax, edi
		lea	esi, [esi+edi*4]
		shl	eax, 2
		lea	edx, [ebp+var_100]
		lea	edx, [edx+edi*4]
		mov	ecx, eax
		mov	edi, [ebp+var_228]
		shr	ecx, 2
		rep movsd
		mov	edi, [ebp+var_22C]
		mov	esi, edx
		shr	eax, 2
		mov	ecx, eax
		rep movsd
		mov	edi, ebx
		jmp	loc_57116A
; 

loc_5712FE:				; CODE XREF: CcAsyncReadWorker+C3j
		xor	edx, edx
		lea	edi, [ebx+1]
		mov	[ebp+var_20C], edx
		jmp	loc_5710D5
CcAsyncReadWorker endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1698. PoFxSetComponentLatency

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxSetComponentLatency
PoFxSetComponentLatency	proc near

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005F6533 SIZE 0000007B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	edx, ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ecx, [eax+1Ch]
		push	edi
		mov	edi, [ebp+arg_C]
		push	edi
		push	esi
		push	9
		mov	[ebp+var_48], eax
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], edi
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ecx
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		cmp	_PopDiagHandleRegistered, 0
		jnz	loc_5F6533

loc_57135F:				; CODE XREF: PoFxSetComponentLatency+8523Dj
					; PoFxSetComponentLatency+85295j
		mov	ecx, [ebp+var_48]
		mov	edx, ebx
		push	edi
		push	esi
		mov	ecx, [ecx+20h]
		call	PopPepComponentSetLatency
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
PoFxSetComponentLatency	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepComponentSetLatency proc near	; CODE XREF: PoFxSetComponentLatency+55p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F65AE SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	ebx, [ecx+88h]
		imul	eax, edx, 0A8h
		push	edi
		mov	edi, [ebp+arg_4]
		push	edi
		mov	[ebp+var_4], ecx
		add	ebx, eax
		mov	byte ptr [ebp+var_8], 0
		push	esi
		mov	ecx, ebx
		call	_PopPepComponentGetLatencyIdleState@12 ; PopPepComponentGetLatencyIdleState(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		mov	[ebp+arg_4], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		push	6
		call	PopPepLockActivityLink
		mov	byte ptr [ebp+var_C], al
		mov	eax, [ebp+arg_4]
		mov	[ebx+54h], edi
		mov	edi, [ebp+var_4]
		mov	[ebx+50h], esi
		cmp	[ebx+7Ch], eax
		jnz	loc_5F65AE

loc_5713DC:				; CODE XREF: PopPepComponentSetLatency+85268j
		push	[ebp+var_8]
		mov	edx, ebx
		mov	ecx, edi
		push	[ebp+var_C]
		call	PopPepReleaseActivityLink
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
PopPepComponentSetLatency endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxInsertDevice proc near		; CODE XREF: PoFxRegisterCoreDevice+B0p
					; PopFxRegisterDevice+FDp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F65ED SIZE 00000051 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		sub	esp, 28h
		dec	word ptr [eax+13Ch]
		push	esi
		push	edi
		nop
		mov	esi, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, dword_6C39A4
		mov	edx, offset _PopFxDeviceList
		cmp	[ecx], edx
		jnz	loc_571610
		mov	eax, [ebx+8]
		mov	[eax], edx
		or	edx, 0FFFFFFFFh
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6C39A4, eax
		mov	eax, edx
		mov	[ebp+var_8], edx
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_5F65ED

loc_571460:				; CODE XREF: PopFxInsertDevice+851FDj
					; PopFxInsertDevice+8520Dj
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	esi, 7FFFFFFCh
		jz	loc_57157A
		mov	esi, large fs:124h
		mov	ecx, offset _PopFxDeviceListLock
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	eax, offset _PopFxDeviceListLock
		ja	short loc_5714B8
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_571591
		mov	eax, [ebp+var_20]
		cmp	eax, offset _PopFxDeviceListLock
		ja	short loc_5714B8
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_571591

loc_5714B8:				; CODE XREF: PopFxInsertDevice+9Ej
					; PopFxInsertDevice+B7j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _PopFxDeviceListLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_5715E6
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_5715F9

loc_5714FC:				; CODE XREF: PopFxInsertDevice+20Fj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	loc_5F6619
		or	[esi+1E4h], dl

loc_571542:				; CODE XREF: PopFxInsertDevice+1FCj
					; PopFxInsertDevice+85233j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	short loc_5715A6

loc_571555:				; CODE XREF: PopFxInsertDevice+1E9j
					; PopFxInsertDevice+85247j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_57157A
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_571606

loc_57157A:				; CODE XREF: PopFxInsertDevice+79j
					; PopFxInsertDevice+17Aj ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_571591:				; CODE XREF: PopFxInsertDevice+A9j
					; PopFxInsertDevice+C0j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_8], eax
		jmp	loc_5714B8
; 

loc_5715A6:				; CODE XREF: PopFxInsertDevice+161j
		test	edi, 8000h
		jz	short loc_5715B7
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5715B7:				; CODE XREF: PopFxInsertDevice+1BAj
		test	byte ptr [ebp+var_C+2],	1
		jnz	short loc_571615

loc_5715BD:				; CODE XREF: PopFxInsertDevice+233j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5715D1
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5715D1:				; CODE XREF: PopFxInsertDevice+1D2j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_571555
		jmp	loc_5F662A
; 

loc_5715E6:				; CODE XREF: PopFxInsertDevice+F2j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_571542
		jmp	loc_5F6604
; 

loc_5715F9:				; CODE XREF: PopFxInsertDevice+104j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_5714FC
; 

loc_571606:				; CODE XREF: PopFxInsertDevice+182j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_57157A
; 

loc_571610:				; CODE XREF: PopFxInsertDevice+45j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_571615:				; CODE XREF: PopFxInsertDevice+1C9j
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	short loc_5715BD
PopFxInsertDevice endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxAssignDeviceToDevNode(x, x)
_PopFxAssignDeviceToDevNode@8 proc near	; CODE XREF: PopFxRegisterDevice+CDp
					; PopFxUnregisterDevice(x)+71p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		lea	ebx, [esi+2Ch]
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al
		lea	ecx, [esi+0A8h]
		test	edi, edi
		jz	short loc_571687
		push	0FFFFFFF7h
		pop	eax
		lock and [ecx],	eax
		push	0
		push	0
		lea	eax, [esi+30h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_57165E:				; CODE XREF: PopFxAssignDeviceToDevNode(x,x)+65j
		mov	ecx, [esi+44h]
		mov	eax, [esi+40h]
		sub	eax, ecx
		mov	dword ptr [esi+44h], 0
		push	ebx
		mov	[esi+40h], eax
		mov	[esi+28h], edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_571687:				; CODE XREF: PopFxAssignDeviceToDevNode(x,x)+21j
		push	0FFFFFFFBh
		pop	eax
		lock and [ecx],	eax
		jmp	short loc_57165E
_PopFxAssignDeviceToDevNode@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPlRegisterComponent proc near	; CODE XREF: PopPlRegisterDeviceIterator(x,x)+4Ap
					; PAGE:0089B2DDp

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F663E SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopPowerPlane,	0
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jnz	loc_5F663E

loc_5716B7:				; CODE XREF: PopPlRegisterComponent+84FB9j
					; PopPlRegisterComponent+84FC8j ...
		cmp	dword_6B23F8, 5
		ja	short loc_5716CF

loc_5716C0:				; CODE XREF: PopPlRegisterComponent+F6j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_5716CF:				; CODE XREF: PopPlRegisterComponent+2Ej
		xor	ebx, ebx
		mov	[ebp+var_8C], 1
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_64], ebx
		mov	[ebp+var_68], eax
		lea	edx, [ebp+var_10]
		xor	eax, eax
		mov	[ebp+var_5C], ebx
		cmp	[esi+16Ch], ebx
		push	2
		setnz	al
		mov	[ebp+var_58], esi
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_90]
		pop	edi
		mov	[ebp+var_48], eax
		mov	eax, [esi+6Ch]
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_94]
		push	4
		pop	ecx
		mov	[ebp+var_38], eax
		mov	eax, [esi+30h]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_60], edi
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], 10h
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		movzx	ecx, word ptr [eax+70h]
		mov	eax, [eax+74h]
		mov	[ebp+var_18], eax
		mov	eax, ecx
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_88]
		push	eax
		push	8
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	[ebp+var_28], edx
		mov	edx, offset loc_420A90
		push	ecx
		mov	ecx, offset dword_6B23F8
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		jmp	loc_5716C0
PopPlRegisterComponent endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPlRegisterDevice proc near		; CODE XREF: PopPlRegisterDeviceIterator(x,x)+2Ap
					; PAGE:0089B2B2p

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F6669 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ecx
		mov	ecx, _PopPowerPlane
		push	edi
		test	ecx, ecx
		jnz	loc_5F6669

loc_5717B3:				; CODE XREF: PopPlRegisterDevice+84EE7j
					; PopPlRegisterDevice+84EF6j
		xor	edi, edi
		cmp	dword_6B23F8, 5
		ja	short loc_5717D5

loc_5717BE:				; CODE XREF: PopPlRegisterDevice+DBj
		cmp	[esi+304h], edi
		mov	ecx, [ebp+var_4]
		setnz	al
		xor	ecx, ebp
		pop	edi
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_5717D5:				; CODE XREF: PopPlRegisterDevice+30j
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_54], edi
		mov	[ebp+var_58], eax
		xor	edx, edx
		lea	eax, [ebp+var_30]
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], eax
		inc	edx
		mov	eax, [esi+74h]
		mov	[ebp+var_38], eax
		movzx	eax, word ptr [esi+70h]
		mov	[ebp+var_30], eax
		xor	eax, eax
		cmp	[esi+304h], edi
		push	2
		setnz	al
		mov	[ebp+var_7C], edx
		pop	ecx
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_80]
		push	4
		mov	[ebp+var_28], eax
		mov	eax, [esi+23Ch]
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_50], ecx
		mov	[ebp+var_40], ecx
		pop	ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		push	ecx
		push	ecx
		push	edx
		push	ecx
		mov	[ebp+var_20], ecx
		mov	edx, offset loc_420A2D
		mov	[ebp+var_10], ecx
		push	ecx
		mov	ecx, offset dword_6B23F8
		mov	[ebp+var_44], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_C], edi
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		jmp	loc_5717BE
PopPlRegisterDevice endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxRegisterDeviceWithPep proc	near	; CODE XREF: PAGE:0089B29Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F6687 SIZE 00000052 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_8], ecx
		xor	esi, esi
		mov	eax, edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], esi
		push	edi
		test	ebx, ebx
		jnz	loc_5F6687
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopFxPluginLock
		call	ExAcquirePushLockSharedEx
		mov	ebx, _PopFxPluginList
		mov	edi, [ebp+arg_0]

loc_5718B1:				; CODE XREF: PopFxRegisterDeviceWithPep+84E57j
		cmp	ebx, offset _PopFxPluginList
		jnz	loc_5F66A1

loc_5718BD:				; CODE XREF: PopFxRegisterDeviceWithPep+84E4Fj
		push	11h
		xor	edx, edx
		mov	ebx, offset _PopFxPluginLock
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	short loc_571907

loc_5718D0:				; CODE XREF: PopFxRegisterDeviceWithPep+A2j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ebx, [ebp+var_8]

loc_5718E6:				; CODE XREF: PopFxRegisterDeviceWithPep+84E30j
		test	esi, esi
		jnz	loc_5F66C8

loc_5718EE:				; CODE XREF: PopFxRegisterDeviceWithPep+84E68j
		mov	ecx, [ebp+var_C]
		lea	eax, [edi+20h]
		push	eax
		push	esi
		push	[ebp+arg_4]
		mov	edx, edi
		call	PopPepRegisterDevice
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_571907:				; CODE XREF: PopFxRegisterDeviceWithPep+62j
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_5718D0
PopFxRegisterDeviceWithPep endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepInsertDevice proc	near		; CODE XREF: PopPepRegisterDevice+30Dp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F66D9 SIZE 00000051 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		sub	esp, 28h
		dec	word ptr [eax+13Ch]
		push	esi
		push	edi
		mov	esi, edx
		nop
		xor	edx, edx
		mov	ecx, offset _PopPepVetoMaskReadyLock
		call	ExAcquirePushLockSharedEx
		mov	edi, offset _PopPepDeviceListLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, offset _PopPepDeviceList
		cmp	_PopPepLastCheckedDevice, ecx
		jz	loc_571B38

loc_571967:				; CODE XREF: PopPepInsertDevice+22Ej
		mov	eax, dword_6C08CC
		cmp	[eax], ecx
		jnz	loc_571B79
		mov	[esi+4], eax
		or	edx, 0FFFFFFFFh
		mov	[esi], ecx
		mov	[eax], esi
		mov	eax, edx
		mov	dword_6C08CC, esi
		mov	[ebp+var_8], edx
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_5F66D9

loc_571995:				; CODE XREF: PopPepInsertDevice+84DCBj
					; PopPepInsertDevice+84DDBj
		xor	edi, edi
		mov	eax, offset _PopPepDeviceListLock
		mov	[ebp+var_C], edi
		test	eax, 7FFFFFFCh
		jz	loc_571AB0
		mov	esi, large fs:124h
		mov	ecx, eax
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	eax, offset _PopPepDeviceListLock
		ja	short loc_5719EE
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_571AE3
		mov	eax, [ebp+var_20]
		cmp	eax, offset _PopPepDeviceListLock
		ja	short loc_5719EE
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_571AE3

loc_5719EE:				; CODE XREF: PopPepInsertDevice+B6j
					; PopPepInsertDevice+CFj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _PopPepDeviceListLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_571B43
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_571B56

loc_571A32:				; CODE XREF: PopPepInsertDevice+24Ej
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	loc_5F6705
		or	[esi+1E4h], dl

loc_571A78:				; CODE XREF: PopPepInsertDevice+23Bj
					; PopPepInsertDevice+84E01j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jnz	short loc_571AF8

loc_571A8B:				; CODE XREF: PopPepInsertDevice+21Dj
					; PopPepInsertDevice+84E15j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_571AB0
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_571B63

loc_571AB0:				; CODE XREF: PopPepInsertDevice+94j
					; PopPepInsertDevice+192j ...
		push	11h
		xor	edx, edx
		mov	esi, offset _PopPepVetoMaskReadyLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	loc_571B6D

loc_571AC7:				; CODE XREF: PopPepInsertDevice+264j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_571AE3:				; CODE XREF: PopPepInsertDevice+C1j
					; PopPepInsertDevice+D8j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_8], eax
		jmp	loc_5719EE
; 

loc_571AF8:				; CODE XREF: PopPepInsertDevice+179j
		test	edi, 8000h
		jz	short loc_571B09
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_571B09:				; CODE XREF: PopPepInsertDevice+1EEj
		test	byte ptr [ebp+var_C+2],	1
		jnz	short loc_571B7E

loc_571B0F:				; CODE XREF: PopPepInsertDevice+27Ej
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_571B23
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_571B23:				; CODE XREF: PopPepInsertDevice+206j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_571A8B
		jmp	loc_5F6716
; 

loc_571B38:				; CODE XREF: PopPepInsertDevice+51j
		mov	_PopPepLastCheckedDevice, esi
		jmp	loc_571967
; 

loc_571B43:				; CODE XREF: PopPepInsertDevice+10Aj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_571A78
		jmp	loc_5F66F0
; 

loc_571B56:				; CODE XREF: PopPepInsertDevice+11Cj
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_571A32
; 

loc_571B63:				; CODE XREF: PopPepInsertDevice+19Aj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_571AB0
; 

loc_571B6D:				; CODE XREF: PopPepInsertDevice+1B1j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_571AC7
; 

loc_571B79:				; CODE XREF: PopPepInsertDevice+5Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_571B7E:				; CODE XREF: PopPepInsertDevice+1FDj
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	loc_571B0F
PopPepInsertDevice endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepComponentGetLatencyIdleState(x, x, x)
_PopPepComponentGetLatencyIdleState@12 proc near ; CODE	XREF: PopPepComponentSetLatency+2Ap
					; PopPepRegisterDevice+2ABp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ecx+9Ch]
		sub	edx, 1
		jnz	short loc_571BAA

loc_571BA4:				; CODE XREF: PopPepComponentGetLatencyIdleState(x,x,x)+32j
		mov	eax, edx
		pop	ebp
		retn	8
; 

loc_571BAA:				; CODE XREF: PopPepComponentGetLatencyIdleState(x,x,x)+Ej
		push	esi
		imul	esi, edx, 18h
		add	esi, [ecx+0A0h]

loc_571BB4:				; CODE XREF: PopPepComponentGetLatencyIdleState(x,x,x)+3Aj
		mov	eax, [esi+4]
		cmp	eax, [ebp+arg_4]
		jb	short loc_571BC5
		ja	short loc_571BC8
		mov	eax, [esi]
		cmp	eax, [ebp+arg_0]
		ja	short loc_571BC8

loc_571BC5:				; CODE XREF: PopPepComponentGetLatencyIdleState(x,x,x)+26j
					; PopPepComponentGetLatencyIdleState(x,x,x)+3Cj
		pop	esi
		jmp	short loc_571BA4
; 

loc_571BC8:				; CODE XREF: PopPepComponentGetLatencyIdleState(x,x,x)+28j
					; PopPepComponentGetLatencyIdleState(x,x,x)+2Fj
		sub	esi, 18h
		sub	edx, 1
		jnz	short loc_571BB4
		jmp	short loc_571BC5
_PopPepComponentGetLatencyIdleState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxCreateDeviceCommon(x, x, x, x,	x)
_PopFxCreateDeviceCommon@20 proc near	; CODE XREF: PopFxAcpiRegisterDevice(x,x,x,x,x)+23p
					; PAGE:0089AE69p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	esi, esi
		lea	edx, [ebp+var_10]
		push	edi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		call	_PopFxDuplicateUniqueId@8 ; PopFxDuplicateUniqueId(x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_571D0C
		push	4D584650h
		mov	edi, 310h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_571C1D
		mov	esi, 0C000009Ah
		jmp	loc_571D0E
; 

loc_571C1D:				; CODE XREF: PopFxCreateDeviceCommon(x,x,x,x,x)+3Fj
		push	edi		; size_t
		push	esi		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		mov	[ebx+70h], eax
		mov	eax, [ebp+var_C]
		mov	[ebx+74h], eax
		lea	eax, [ebx+68h]
		push	1
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+148h]
		push	esi
		push	eax
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	1
		lea	eax, [ebx+0D0h]
		mov	[ebx+0C8h], esi
		push	eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	ebx
		push	offset PopFxIdleTimeoutDpcRoutine
		lea	eax, [ebx+0F8h]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		lea	edi, [ebx+26Ch]
		mov	dword ptr [ebx+0B4h], offset _PopFxDeviceWork@4	; PopFxDeviceWork(x)
		push	esi
		lea	eax, [ebx+290h]
		mov	[ebx+0B8h], ebx
		push	eax
		mov	[ebx+0ACh], esi
		mov	[ebx+2F0h], esi
		mov	dword ptr [edi+8], offset _PopFxDirectedPowerTransitionWorker@4	; PopFxDirectedPowerTransitionWorker(x)
		mov	[edi+0Ch], ebx
		mov	[edi], esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		lea	esi, [ebx+288h]
		push	esi
		push	offset _PopFxDirectedWorkOrderWatchdog@16 ; PopFxDirectedWorkOrderWatchdog(x,x,x,x)
		lea	eax, [ebx+2B8h]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	18h
		push	0
		push	0
		push	4D584650h
		lea	eax, [ebx+94h]
		mov	[ebx+2D8h], edi
		push	eax
		mov	[ebx+284h], esi
		call	IoInitializeRemoveLockEx
		mov	ecx, [ebp+arg_4]
		test	cl, 4
		push	0
		pop	eax
		setnz	al
		inc	eax
		mov	[ebx+78h], eax
		mov	eax, [ebp+arg_8]
		mov	[ebx+238h], ecx
		mov	[eax], ebx
		mov	esi, [ebp+var_8]
		jmp	short loc_571D21
; 

loc_571D0C:				; CODE XREF: PopFxCreateDeviceCommon(x,x,x,x,x)+20j
		mov	esi, eax

loc_571D0E:				; CODE XREF: PopFxCreateDeviceCommon(x,x,x,x,x)+46j
		cmp	[ebp+var_C], 0
		jz	short loc_571D21
		push	4D584650h
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_571D21:				; CODE XREF: PopFxCreateDeviceCommon(x,x,x,x,x)+138j
					; PopFxCreateDeviceCommon(x,x,x,x,x)+140j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PopFxCreateDeviceCommon@20 endp

; 
		align 10h
; Exported entry 893. IoInitializeRemoveLockEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoInitializeRemoveLockEx
IoInitializeRemoveLockEx proc near	; CODE XREF: PopFxCreateDeviceCommon(x,x,x,x,x)+115p
					; PAGE:0089AE8Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005F672A SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_571D5E
		push	ebx
		xor	ebx, ebx
		cmp	[ebp+arg_10], 18h
		jnz	loc_5F672A

loc_571D4A:				; CODE XREF: IoInitializeRemoveLockEx+84A3Bj
		xor	eax, eax
		mov	[esi], bl
		inc	eax
		push	ebx
		push	eax
		mov	[esi+4], eax
		lea	eax, [esi+8]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_571D5D:				; CODE XREF: IoInitializeRemoveLockEx+849FEj
		pop	ebx

loc_571D5E:				; CODE XREF: IoInitializeRemoveLockEx+Bj
		pop	esi
		pop	ebp
		retn	14h
IoInitializeRemoveLockEx endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxDuplicateUniqueId(x, x)
_PopFxDuplicateUniqueId@8 proc near	; CODE XREF: PopFxCreateDeviceCommon(x,x,x,x,x)+16p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		movzx	ecx, word ptr [edi]
		movzx	eax, word ptr [edi+2]
		lea	esi, [ecx+2]
		cmp	eax, esi
		jb	short loc_571DCB
		lea	eax, [ecx+2]
		movzx	eax, ax
		mov	[ebp+var_8], eax
		movzx	eax, ax
		push	4D584650h
		push	eax
		push	200h
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_571DD2
		push	[ebp+var_4]	; size_t
		push	dword ptr [edi+4] ; void *
		push	esi		; void *
		call	_memcpy
		mov	ax, [edi]
		add	esp, 0Ch
		mov	[ebx], ax
		mov	eax, [ebp+var_8]
		mov	[ebx+2], ax
		xor	eax, eax
		mov	[ebx+4], esi

loc_571DC6:				; CODE XREF: PopFxDuplicateUniqueId(x,x)+6Cj
					; PopFxDuplicateUniqueId(x,x)+73j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_571DCB:				; CODE XREF: PopFxDuplicateUniqueId(x,x)+1Aj
		mov	eax, 0C000000Dh
		jmp	short loc_571DC6
; 

loc_571DD2:				; CODE XREF: PopFxDuplicateUniqueId(x,x)+3Fj
		mov	eax, 0C000009Ah
		jmp	short loc_571DC6
_PopFxDuplicateUniqueId@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpStartDevice(x, x, x)
_PnpStartDevice@12 proc	near		; CODE XREF: PnpStartDeviceNode+CAp
					; PnpStartDeviceNode+92DA8p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		test	edi, edi
		jz	short loc_571E49
		mov	eax, [edi+0B0h]
		mov	esi, [eax+14h]

loc_571DF6:				; CODE XREF: PnpStartDevice(x,x,x)+71j
		mov	dl, 1
		mov	ecx, esi
		call	_PoFxPrepareDevice@8 ; PoFxPrepareDevice(x,x)
		push	[ebp+arg_0]
		xor	eax, eax
		mov	dword ptr [esi+58h], 1
		mov	[ebp+var_18], eax
		lea	edx, [ebp+var_24]
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	eax, [esi+11Ch]
		push	ebx
		mov	[ebp+var_20], eax
		mov	eax, [esi+120h]
		push	ecx
		mov	ecx, edi
		mov	[ebp+var_24], 1Bh
		mov	[ebp+var_1C], eax
		call	PnpSendIrp
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_571E49:				; CODE XREF: PnpStartDevice(x,x,x)+11j
		xor	esi, esi
		jmp	short loc_571DF6
_PnpStartDevice@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxPrepareDevice(x, x)
_PoFxPrepareDevice@8 proc near		; CODE XREF: PnpStartDevice(x,x,x)+20p
					; PipProcessDevNodeTree+340p ...

var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+18h+var_9], dl
		xor	ecx, ecx
		lea	ebx, [edi+0A8h]
		mov	eax, [ebx]

loc_571E71:				; CODE XREF: PoFxPrepareDevice(x,x)+2Bj
		mov	edx, eax
		or	edx, ecx
		lock cmpxchg [ebx], edx
		jnz	short loc_571E71
		test	al, 1
		jnz	loc_571F75
		xor	edx, edx
		mov	eax, [ebx]

loc_571E87:				; CODE XREF: PoFxPrepareDevice(x,x)+41j
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [ebx], ecx
		jnz	short loc_571E87
		test	al, 2
		jnz	short loc_571EB1
		lea	edx, [esp+18h+var_8]
		mov	ecx, edi
		call	PopFxFindDeviceAndAllocateUniqueId
		cmp	eax, 0C0000056h
		jz	loc_571F5B
		push	2
		pop	eax
		lock or	[ebx], eax

loc_571EB1:				; CODE XREF: PoFxPrepareDevice(x,x)+45j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopFxPluginLock
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopFxPluginList
		xor	eax, eax
		mov	[esp+18h+var_4], eax
		cmp	esi, offset _PopFxPluginList
		jz	short loc_571F11

loc_571EDF:				; CODE XREF: PoFxPrepareDevice(x,x)+A6j
		mov	edx, edi
		mov	ecx, esi
		call	_PopPluginPrepareDevice@8 ; PopPluginPrepareDevice(x,x)
		test	al, al
		jnz	short loc_571EFC
		mov	esi, [esi]
		cmp	esi, offset _PopFxPluginList
		jnz	short loc_571EDF
		mov	eax, [esp+18h+var_4]
		jmp	short loc_571F11
; 

loc_571EFC:				; CODE XREF: PoFxPrepareDevice(x,x)+9Cj
		push	1
		lea	eax, [edi+48h]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	_PopDiagTraceFxDevicePreparation@16 ; PopDiagTraceFxDevicePreparation(x,x,x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_571F18

loc_571F11:				; CODE XREF: PoFxPrepareDevice(x,x)+8Fj
					; PoFxPrepareDevice(x,x)+ACj
		cmp	[esp+18h+var_9], 0
		jz	short loc_571F2E

loc_571F18:				; CODE XREF: PoFxPrepareDevice(x,x)+C1j
		mov	[edi+50h], eax
		xor	eax, eax
		inc	eax
		lock or	[ebx], eax
		push	0
		push	0
		lea	eax, [edi+30h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_571F2E:				; CODE XREF: PoFxPrepareDevice(x,x)+C8j
		push	11h
		xor	edx, edx
		mov	esi, offset _PopFxPluginLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_571F48
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_571F48:				; CODE XREF: PoFxPrepareDevice(x,x)+F1j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_571F5B:				; CODE XREF: PoFxPrepareDevice(x,x)+57j
		mov	eax, [esp+18h+var_8]
		test	eax, eax
		jz	short loc_571F75
		push	18h
		push	66466F50h
		add	eax, 94h
		push	eax
		call	IoReleaseRemoveLockEx

loc_571F75:				; CODE XREF: PoFxPrepareDevice(x,x)+2Fj
					; PoFxPrepareDevice(x,x)+113j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PoFxPrepareDevice@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxQueryBiosDeviceName(x,	x)
_PopFxQueryBiosDeviceName@8 proc near	; CODE XREF: PopFxFindDeviceAndAllocateUniqueId+1Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		mov	ebx, edx
		xor	edx, edx
		mov	[ebp+var_C], eax
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_4], edx
		push	ecx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_8], edx
		push	ecx
		push	edx
		push	edx
		push	edx
		push	edx
		push	offset _DEVPKEY_Device_BiosDeviceName
		push	dword ptr [eax+10h]
		mov	edi, edx
		mov	esi, edx
		call	IoGetDevicePropertyData
		mov	ecx, eax
		cmp	ecx, 0C0000023h
		jnz	short loc_571FE8
		cmp	[ebp+var_4], 0FFFEh
		jnb	short loc_572020
		push	4D584650h
		push	[ebp+var_4]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_572027
		movzx	esi, word ptr [ebp+var_4]
		xor	ecx, ecx

loc_571FE8:				; CODE XREF: PopFxQueryBiosDeviceName(x,x)+3Fj
		test	ecx, ecx
		js	short loc_572020
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		movzx	eax, si
		push	eax
		mov	eax, [ebp+var_C]
		push	0
		push	0
		push	offset _DEVPKEY_Device_BiosDeviceName
		push	dword ptr [eax+10h]
		call	IoGetDevicePropertyData
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_572020
		lea	eax, [esi-2]
		mov	[ebx+2], si
		mov	[ebx], ax
		mov	[ebx+4], edi

loc_572020:				; CODE XREF: PopFxQueryBiosDeviceName(x,x)+48j
					; PopFxQueryBiosDeviceName(x,x)+6Aj ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn
; 

loc_572027:				; CODE XREF: PopFxQueryBiosDeviceName(x,x)+60j
		mov	ecx, 0C000009Ah
		jmp	short loc_572020
_PopFxQueryBiosDeviceName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxFindAcpiDeviceByUniqueId proc near	; CODE XREF: PopFxAcpiPrepareDevice(x,x,x,x)+Cp
					; PAGE:0089AE2Bp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F6770 SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, edx
		mov	[ebp+var_8], ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], eax
		test	eax, eax
		mov	eax, large fs:124h
		push	edi
		setnz	[ebp+var_1]
		mov	edi, 0C0000225h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopFxDeviceListLock
		call	ExAcquirePushLockSharedEx
		mov	ebx, _PopFxAcpiDeviceList

loc_57206E:				; CODE XREF: PopFxFindAcpiDeviceByUniqueId+8479Aj
		cmp	ebx, offset _PopFxAcpiDeviceList
		jnz	loc_5F6770
		mov	bl, [ebp+var_1]

loc_57207D:				; CODE XREF: PopFxFindAcpiDeviceByUniqueId+84793j
					; PopFxFindAcpiDeviceByUniqueId+847A1j
		push	11h
		xor	edx, edx
		mov	ecx, offset _PopFxDeviceListLock
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	short loc_5720B0

loc_572090:				; CODE XREF: PopFxFindAcpiDeviceByUniqueId+8Cj
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	edi, edi
		jns	loc_5F67D4

loc_5720A9:				; CODE XREF: PopFxFindAcpiDeviceByUniqueId+847A8j
					; PopFxFindAcpiDeviceByUniqueId+847B3j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5720B0:				; CODE XREF: PopFxFindAcpiDeviceByUniqueId+60j
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, offset _PopFxDeviceListLock
		jmp	short loc_572090
PopFxFindAcpiDeviceByUniqueId endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _tlgWriteEx_EtwWriteEx(x, x, x, x, x, x, x,	x, x)
__tlgWriteEx_EtwWriteEx@36 proc	near	; CODE XREF: PopPlRegisterComponent+F1p
					; PopPlRegisterDevice+D6p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		movzx	eax, byte ptr [edx]
		shl	eax, 18h
		push	ebx
		mov	[esp+1Ch+var_10], eax
		xor	ebx, ebx
		movzx	eax, word ptr [edx+1]
		push	esi
		mov	[esp+20h+var_C], eax
		mov	esi, ecx
		mov	eax, [edx+3]
		mov	ecx, [ebp+arg_18]
		mov	[esp+20h+var_8], eax
		mov	eax, [edx+7]
		add	edx, 0Bh
		mov	[esp+20h+var_4], eax
		mov	eax, [esi+4]
		mov	[ecx], eax
		mov	[ecx+4], ebx
		mov	eax, [esi+4]
		push	ecx
		push	[ebp+arg_14]
		movzx	eax, word ptr [eax]
		mov	[ecx+8], eax
		push	ebx
		mov	dword ptr [ecx+0Ch], 2
		mov	[ecx+10h], edx
		mov	[ecx+14h], ebx
		movzx	eax, word ptr [edx]
		push	ebx
		push	[ebp+arg_8]
		mov	[ecx+18h], eax
		mov	eax, offset __TraceLoggingMetadataEnd
		push	ebx
		mov	dword ptr [ecx+1Ch], 1
		sub	eax, offset __TraceLoggingMetadata
		push	ebx
		mov	[esp+3Ch+var_14], eax
		lea	eax, [esp+3Ch+var_10]
		push	eax
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		call	EtwWriteEx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
__tlgWriteEx_EtwWriteEx@36 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall IopSymlinkRegistryInitCallback(x)
_IopSymlinkRegistryInitCallback@4 proc near ; DATA XREF: .data:006B2D48o
		push	0
		call	_IopSymlinkRegistryCallback@4 ;	IopSymlinkRegistryCallback(x)
		xor	eax, eax
		retn	4
_IopSymlinkRegistryInitCallback@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl CompareLangName(const void *,const void *)
?CompareLangName@@YAHPBX0@Z proc near	; DATA XREF: DownLevelLanguageNameToLangID(x,x)+12o
					; DownLevelGetParentLanguageName(x,x,x,x)+Eo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [eax]
		movzx	ecx, word ptr [esi]
		test	cx, cx
		jz	short loc_5721BA
		push	5Fh
		mov	[ebp+arg_0], 19h
		pop	ebx

loc_57217E:				; CODE XREF: CompareLangName(void const	*,void const *)+5Cj
		movzx	edx, word ptr [edi]
		test	dx, dx
		jz	short loc_5721BA
		lea	eax, [ecx-41h]
		cmp	ax, word ptr [ebp+arg_0]
		jbe	short loc_5721D2

loc_57218F:				; CODE XREF: CompareLangName(void const	*,void const *)+79j
		lea	eax, [edx-41h]
		cmp	ax, word ptr [ebp+arg_0]
		jbe	short loc_5721D7

loc_572198:				; CODE XREF: CompareLangName(void const	*,void const *)+7Ej
		cmp	cx, bx
		jz	short loc_5721ED

loc_57219D:				; CODE XREF: CompareLangName(void const	*,void const *)+94j
		cmp	dx, bx
		jz	short loc_5721F2

loc_5721A2:				; CODE XREF: CompareLangName(void const	*,void const *)+99j
		movzx	eax, dx
		movzx	ecx, cx
		sub	ecx, eax
		jnz	short loc_5721CB
		add	esi, 2
		add	edi, 2
		movzx	ecx, word ptr [esi]
		test	cx, cx
		jnz	short loc_57217E

loc_5721BA:				; CODE XREF: CompareLangName(void const	*,void const *)+16j
					; CompareLangName(void const *,void const *)+28j
		movzx	ecx, word ptr [esi]
		test	cx, cx
		jnz	short loc_5721DC
		cmp	[edi], cx
		jnz	short loc_5721DC
		xor	eax, eax
		jmp	short loc_5721CD
; 

loc_5721CB:				; CODE XREF: CompareLangName(void const	*,void const *)+4Ej
		mov	eax, ecx

loc_5721CD:				; CODE XREF: CompareLangName(void const	*,void const *)+6Dj
					; CompareLangName(void const *,void const *)+8Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_5721D2:				; CODE XREF: CompareLangName(void const	*,void const *)+31j
		or	ecx, 20h
		jmp	short loc_57218F
; 

loc_5721D7:				; CODE XREF: CompareLangName(void const	*,void const *)+3Aj
		or	edx, 20h
		jmp	short loc_572198
; 

loc_5721DC:				; CODE XREF: CompareLangName(void const	*,void const *)+64j
					; CompareLangName(void const *,void const *)+69j
		xor	eax, eax
		test	cx, cx
		setnz	al
		lea	eax, ds:0FFFFFFFFh[eax*2]
		jmp	short loc_5721CD
; 

loc_5721ED:				; CODE XREF: CompareLangName(void const	*,void const *)+3Fj
		push	2Dh
		pop	ecx
		jmp	short loc_57219D
; 

loc_5721F2:				; CODE XREF: CompareLangName(void const	*,void const *)+44j
		push	2Dh
		pop	edx
		jmp	short loc_5721A2
?CompareLangName@@YAHPBX0@Z endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiStoreEvictThread proc	near		; DATA XREF: MmStoreRegister+5Do

var_B6		= byte ptr -0B6h
var_B5		= byte ptr -0B5h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_60		= dword	ptr -60h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F67E6 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0BCh+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [esp+0C8h+var_60]
		push	58h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [edi+4]
		push	ebx
		push	ebx
		push	ebx
		push	1Ah
		push	eax
		call	KeWaitForSingleObject
		mov	ebx, [edi]
		mov	esi, [edi+14h]
		push	0
		push	edi
		mov	[esp+0D0h+var_B0], ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jnz	loc_5F67E6
		push	8
		push	esi
		xor	edx, edx
		lea	ecx, [esp+0D0h+var_60]
		call	_KiInitializeTimer2@16 ; KiInitializeTimer2(x,x,x,x)
		or	[esp+0C8h+var_98], 0FFFFFFFFh
		lea	eax, [esp+0C8h+var_A0]
		or	[esp+0C8h+var_94], 0FFFFFFFFh
		push	eax
		push	esi
		push	23C34600h
		push	0FFFFFFFFh
		push	0DC3CBA00h
		lea	eax, [esp+0DCh+var_60]
		mov	[esp+0DCh+var_A0], esi
		push	eax
		mov	[esp+0E0h+var_9C], esi
		call	KeSetTimer2
		lea	esi, [ebx+2E0h]
		lea	eax, [esp+0C8h+var_60]
		mov	[esp+0C8h+var_A8], esi
		mov	[esp+0C8h+var_A4], eax

loc_5722A1:				; CODE XREF: MiStoreEvictThread+13Ej
		lea	eax, [esp+0C8h+var_90]
		push	eax
		push	0
		push	0
		push	0
		push	12h
		push	1
		lea	eax, [esp+0E0h+var_A8]
		push	eax
		push	2
		call	KeWaitForMultipleObjects
		test	eax, eax
		jnz	short loc_5722C6
		push	esi
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_5722C6:				; CODE XREF: MiStoreEvictThread+C6j
					; MiStoreEvictThread+186j
		mov	esi, [ebx+2C8h]
		xor	edi, edi
		mov	eax, [ebx+0F4Ch]
		mov	[esp+0C8h+var_AC], esi
		mov	[esp+0C8h+var_B4], eax
		test	eax, eax
		jz	short loc_572304
		lea	esi, [ebx+0F54h]
		mov	ebx, eax

loc_5722E8:				; CODE XREF: MiStoreEvictThread+102j
		mov	eax, [esi]
		mov	[esp+0C8h+var_B4], eax
		test	byte ptr [eax+74h], 40h
		jnz	short loc_57233B

loc_5722F4:				; CODE XREF: MiStoreEvictThread+155j
					; MiStoreEvictThread+15Bj
		inc	edi
		add	esi, 4
		cmp	edi, ebx
		jb	short loc_5722E8
		mov	ebx, [esp+0C8h+var_B0]
		mov	esi, [esp+0C8h+var_AC]

loc_572304:				; CODE XREF: MiStoreEvictThread+E6j
		lea	edi, [ebx+2D8h]
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	[esp+0C8h+var_B5], al
		cmp	esi, [ebx+2C8h]
		jnz	short loc_57236E
		test	esi, esi
		jnz	short loc_572355

loc_572320:				; CODE XREF: MiStoreEvictThread+174j
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+0C8h+var_B5]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	esi, [ebx+2E0h]
		jmp	loc_5722A1
; 

loc_57233B:				; CODE XREF: MiStoreEvictThread+FAj
		mov	ecx, eax
		call	MiStoreEvictPageFile
		mov	eax, [esp+0C8h+var_B4]
		cmp	dword ptr [eax+70h], 100h
		jb	short loc_5722F4
		dec	edi
		sub	esi, 4
		jmp	short loc_5722F4
; 

loc_572355:				; CODE XREF: MiStoreEvictThread+126j
		and	dword ptr [ebx+2C8h], 0
		lea	eax, [ebx+2F8h]
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_572320
; 

loc_57236E:				; CODE XREF: MiStoreEvictThread+122j
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+0C8h+var_B5]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_5722C6
MiStoreEvictThread endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringCchCatW(x,	x, x)
_RtlStringCchCatW@12 proc near		; CODE XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+144p
					; SshpQueryRegistryULong(x,x,x)+75p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		xor	edx, edx
		mov	[ebp+var_4], edx
		mov	eax, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_5723D0
		cmp	esi, 7FFFFFFFh
		ja	short loc_5723D0

loc_5723A3:				; CODE XREF: RtlStringCchCatW(x,x,x)+51j
		test	eax, eax
		js	short loc_5723CA
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		call	sub_4EBA32
		mov	edx, [ebp+var_4]
		test	eax, eax
		js	short loc_5723CA
		push	ecx
		push	[ebp+arg_0]
		sub	esi, edx
		push	ecx
		lea	ecx, [edi+edx*2]
		mov	edx, esi
		call	RtlStringCopyWorkerW

loc_5723CA:				; CODE XREF: RtlStringCchCatW(x,x,x)+21j
					; RtlStringCchCatW(x,x,x)+33j
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_5723D0:				; CODE XREF: RtlStringCchCatW(x,x,x)+15j
					; RtlStringCchCatW(x,x,x)+1Dj
		mov	eax, 0C000000Dh
		jmp	short loc_5723A3
_RtlStringCchCatW@12 endp

; 
		align 4

PnpReleaseBootResourcesForFilteredRequirements:
					; CODE XREF: IopReleaseFilteredBootResources+B4p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		push	ebx
		push	esi
		push	edi
		push	38h
		lea	eax, [ebp-7Ch]
		mov	esi, ecx
		push	0
		push	eax
		mov	[ebp-10h], esi
		call	_memset
		mov	esi, [esi]
		lea	edi, [ebp-44h]
		add	esp, 0Ch
		xor	eax, eax
		xor	ebx, ebx
		push	0Ah
		pop	ecx
		rep stosd
		test	esi, esi
		jz	loc_5F67FD
		mov	eax, [esi+0B0h]
		mov	edi, [eax+14h]

loc_572417:				; CODE XREF: .text:005F67FFj
		mov	edx, [edi+168h]
		test	edx, edx
		jz	loc_5F6804
		push	1
		call	PnpCmResourcesToIoResources
		mov	ebx, eax
		mov	[ebp-1Ch], ebx
		test	ebx, ebx
		jz	loc_5F6804
		lea	edx, [ebp-2Ch]
		mov	dword ptr [ebp-3Ch], 4
		lea	ecx, [ebp-44h]
		mov	[ebp-30h], ebx
		mov	[ebp-44h], esi
		call	IopResourceRequirementsListToReqList
		mov	esi, eax
		test	esi, esi
		js	loc_572506
		mov	ecx, [ebp-2Ch]
		test	ecx, ecx
		jz	loc_572512
		mov	eax, [ebp-10h]
		xor	esi, esi
		mov	edx, [ecx+18h]
		mov	[ebp-0Ch], edx
		mov	[ebp-8], esi
		mov	eax, [eax+18h]
		mov	eax, [eax+0Ch]
		mov	eax, [eax]
		mov	[ebp-14h], eax
		mov	eax, [edi+10h]
		mov	[ebp-6Ch], eax
		xor	eax, eax
		mov	[ebp-64h], eax
		mov	[ebp-60h], eax
		mov	[ebp-50h], eax
		mov	dword ptr [ebp-68h], 4
		mov	[ebp-4], eax
		cmp	[edx+10h], eax
		jbe	short loc_572509
		lea	eax, [edx+14h]
		mov	ecx, esi
		mov	[ebp-10h], eax

loc_5724A7:				; CODE XREF: .text:00572504j
		mov	eax, [eax]
		mov	edi, [eax+0B0h]
		test	edi, edi
		jz	short loc_5724F4
		mov	eax, [ebp-14h]
		xor	ecx, ecx
		mov	edx, [eax+10h]
		test	edx, edx
		jz	short loc_5724EA
		lea	ebx, [eax+14h]

loc_5724C2:				; CODE XREF: .text:005724E2j
		mov	eax, [ebx]
		mov	eax, [eax+0B0h]
		mov	[ebp-18h], eax
		test	eax, eax
		jz	short loc_5724DC
		mov	esi, [ebp-18h]
		mov	al, [edi+8]
		cmp	al, [esi+8]
		jz	short loc_5724E4

loc_5724DC:				; CODE XREF: .text:005724CFj
		inc	ecx
		add	ebx, 4
		cmp	ecx, edx
		jb	short loc_5724C2

loc_5724E4:				; CODE XREF: .text:005724DAj
		mov	esi, [ebp-8]
		mov	ebx, [ebp-1Ch]

loc_5724EA:				; CODE XREF: .text:005724BDj
		cmp	ecx, edx
		jz	short loc_572525

loc_5724EE:				; CODE XREF: .text:00572586j
		mov	edx, [ebp-0Ch]
		mov	ecx, [ebp-4]

loc_5724F4:				; CODE XREF: .text:005724B1j
		mov	eax, [ebp-10h]
		inc	ecx
		add	eax, 4
		mov	[ebp-4], ecx
		mov	[ebp-10h], eax
		cmp	ecx, [edx+10h]
		jb	short loc_5724A7

loc_572506:				; CODE XREF: .text:00572455j
					; .text:0057256Fj ...
		mov	ecx, [ebp-2Ch]

loc_572509:				; CODE XREF: .text:0057249Dj
		test	ecx, ecx
		jz	short loc_572512
		call	_IopFreeReqList@4 ; IopFreeReqList(x)

loc_572512:				; CODE XREF: .text:00572460j
					; .text:0057250Bj
		test	ebx, ebx
		jz	short loc_57251E
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_57251E:				; CODE XREF: .text:00572514j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_572525:				; CODE XREF: .text:005724ECj
		lea	eax, [ebp-7Ch]
		mov	[ebp-78h], eax
		mov	[ebp-7Ch], eax
		lea	eax, [edi+14h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_572591
		mov	[ebp-78h], ecx
		lea	edx, [ebp-7Ch]
		mov	[ebp-7Ch], eax
		mov	[ecx], edx
		mov	ecx, edx
		push	ecx
		push	ecx
		mov	[eax+4], ecx
		xor	edx, edx
		push	eax
		mov	ecx, edi
		call	IopCallArbiter
		mov	ecx, [ebp-7Ch]
		lea	edx, [ebp-7Ch]
		mov	esi, eax
		mov	eax, [ebp-78h]
		cmp	[ecx+4], edx
		jnz	short loc_572591
		cmp	[eax], edx
		jnz	short loc_572591
		mov	[eax], ecx
		mov	[ecx+4], eax
		test	esi, esi
		js	short loc_572506
		push	ecx
		push	ecx
		push	0
		push	2
		pop	edx
		mov	ecx, edi
		call	IopCallArbiter
		mov	esi, eax
		mov	[ebp-8], esi
		test	esi, esi
		jns	loc_5724EE
		jmp	loc_572506
; 

loc_572591:				; CODE XREF: .text:00572536j
					; .text:00572562j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		dd 0CCCCCCCCh
; Exported entry 2451. SeConvertStringSidToSid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeConvertStringSidToSid
SeConvertStringSidToSid	proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F687D SIZE 000000DB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		push	edi
		test	esi, esi
		jz	short loc_57260F
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_57260F
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	LocalpConvertStringSidToSid
		mov	edi, eax
		test	edi, edi
		js	loc_5F687D
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax		; int
		xor	eax, eax
		push	eax		; size_t
		push	ecx		; int
		push	ecx		; int
		push	eax		; int
		mov	ecx, esi
		call	LookupSidInTable
		mov	ecx, eax
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		jnz	loc_5F68B7

loc_5725F7:				; CODE XREF: SeConvertStringSidToSid+84320j
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jnz	short loc_572607

loc_5725FE:				; CODE XREF: SeConvertStringSidToSid+78j
					; SeConvertStringSidToSid+84300j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_572607:				; CODE XREF: SeConvertStringSidToSid+60j
		lea	edx, [esi+2]
		jmp	loc_5F6938
; 

loc_57260F:				; CODE XREF: SeConvertStringSidToSid+1Bj
					; SeConvertStringSidToSid+22j
		mov	edi, 0C000000Dh
		jmp	short loc_5725FE
SeConvertStringSidToSid	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmStart(struct SMKM_STORE_MGR<struct SM_TRAITS> *, void *, unsigned long)
?SmStart@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU1@PAXK@Z proc near
					; CODE XREF: SmFirstTimeInit+3A9p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	[esi+46Ch], edx
		call	SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare
		test	eax, eax
		js	short loc_57264C
		test	byte ptr [esi+464h], 20h
		jz	short loc_57264A
		push	[ebp+arg_0]
		lea	ecx, [esi+308h]
		mov	edx, esi
		call	?SmCompressCtxStart@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU_SM_COMPRESS_CONTEXT@1@PAU1@K@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxStart(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,ulong)
		test	eax, eax
		js	short loc_57264C

loc_57264A:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStart(SMKM_STORE_MGR<SM_TRAITS> *,void *,ulong)+1Ej
		xor	eax, eax

loc_57264C:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStart(SMKM_STORE_MGR<SM_TRAITS> *,void *,ulong)+15j
					; SMKM_STORE_MGR<SM_TRAITS>::SmStart(SMKM_STORE_MGR<SM_TRAITS> *,void *,ulong)+32j
		pop	esi
		pop	ebp
		retn	4
?SmStart@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU1@PAXK@Z endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmCompressCtxStart(struct SMKM_STORE_MGR<struct SM_TRAITS>::_SM_COMPRESS_CONTEXT *, struct SMKM_STORE_MGR<struct SM_TRAITS> *, unsigned long)
?SmCompressCtxStart@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU_SM_COMPRESS_CONTEXT@1@PAU1@K@Z proc near
					; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStart(SMKM_STORE_MGR<SM_TRAITS> *,void *,ulong)+2Bp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, edx
		push	eax
		lea	eax, [esi+50h]
		push	eax
		push	[ebp+arg_0]
		call	_RtlGetCompressionWorkSpaceSize@12 ; RtlGetCompressionWorkSpaceSize(x,x,x)
		test	eax, eax
		js	short loc_57269B
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread
		test	eax, eax
		js	short loc_57269B
		xor	eax, eax
		mov	edx, edi
		inc	eax
		mov	ecx, esi
		push	eax
		mov	[esi+34h], eax
		call	SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread
		test	eax, eax
		js	short loc_57269B
		xor	eax, eax

loc_57269B:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxStart(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *,SMKM_STORE_MGR<SM_TRAITS> *,ulong)+22j
					; SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxStart(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT	*,SMKM_STORE_MGR<SM_TRAITS> *,ulong)+31j ...
		pop	edi
		pop	esi
		leave
		retn	4
?SmCompressCtxStart@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU_SM_COMPRESS_CONTEXT@1@PAU1@K@Z endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare proc near
					; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStart(SMKM_STORE_MGR<SM_TRAITS> *,void *,ulong)+Ep

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F6958 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], 15h
		mov	eax, 100201h
		mov	[ebp+var_10], 100080h
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	eax, [esi+464h]
		test	al, 2
		jz	short loc_5726D7
		mov	[ebp+var_4], 100015h

loc_5726D7:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare+2Cj
		test	al, 1
		jz	short loc_572708

loc_5726DB:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare+842DBj
		push	2
		lea	ecx, [esi+3ACh]
		lea	edx, [ebp+var_8]
		call	SmFpPreAllocate
		test	eax, eax
		js	short loc_572705
		push	2
		lea	ecx, [esi+368h]
		lea	edx, [ebp+var_10]
		call	SmFpPreAllocate
		test	eax, eax
		js	short loc_572705
		xor	eax, eax

loc_572705:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare+4Bj
					; SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare+5Fj
		pop	esi
		leave
		retn
; 

loc_572708:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare+37j
		xor	ecx, ecx
		jmp	loc_5F6958
SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmFpPreAllocate	proc near		; CODE XREF: SmFirstTimeInit+43Bp
					; SmFirstTimeInit+459p	...

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F6982 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	44h		; size_t
		lea	eax, [ebp+var_50]
		mov	[ebp+var_5C], ecx
		push	0		; int
		push	eax		; void *
		mov	esi, edx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_4C]
		push	0
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [ebp+arg_0]
		lea	eax, [esi+eax*4]
		mov	[ebp+var_60], eax
		cmp	esi, eax
		jnb	loc_572816

loc_572758:				; CODE XREF: SmFpPreAllocate+100j
		mov	ecx, [esi]
		mov	ebx, ecx
		and	[ebp+var_58], 0
		and	ebx, 0Fh
		mov	eax, ecx
		shr	eax, 4
		mov	word ptr [ebp+ebx*2+var_1C], ax
		test	ecx, 0FF00000h
		jbe	loc_57280A
		mov	[ebp+var_54], 8

loc_572780:				; CODE XREF: SmFpPreAllocate+F4j
		push	70466D73h
		push	8
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5F6982
		xor	edx, edx
		mov	[edi], edx
		mov	[edi+4], edx
		mov	eax, [esi]
		mov	ecx, eax
		and	ecx, 0Fh
		shr	eax, 4
		cmp	ecx, 2
		jz	loc_57286D
		cmp	ecx, 3
		jz	loc_57287D
		movzx	eax, ax
		cmp	ecx, 5
		jnb	loc_57285A
		push	70466D73h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_5727DA:				; CODE XREF: SmFpPreAllocate+158j
					; SmFpPreAllocate+168j
		test	eax, eax
		jz	loc_5F6982

loc_5727E2:				; CODE XREF: SmFpPreAllocate+187j
		mov	ecx, [ebp+var_58]
		add	[ebp+var_54], 8
		inc	ecx
		mov	[edi+4], eax
		mov	eax, [ebp+ebx*4+var_3C]
		mov	[edi], eax
		mov	eax, [esi]
		shr	eax, 14h
		movzx	eax, al
		mov	[ebp+ebx*4+var_3C], edi
		mov	[ebp+var_58], ecx
		cmp	ecx, eax
		jb	loc_572780

loc_57280A:				; CODE XREF: SmFpPreAllocate+63j
		add	esi, 4
		cmp	esi, [ebp+var_60]
		jb	loc_572758

loc_572816:				; CODE XREF: SmFpPreAllocate+42j
		push	[ebp+var_5C]
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		lea	esi, [ebp+var_1C]
		mov	eax, [ebp+var_5C]
		push	6
		pop	ecx
		push	eax
		lea	edi, [eax+34h]
		movsd
		movsd
		movsd
		lea	edi, [eax+14h]
		lea	esi, [ebp+var_3C]
		rep movsd
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	esi, esi

loc_572847:				; CODE XREF: SmFpPreAllocate+84281j
					; SmFpPreAllocate+8428Fj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_57285A:				; CODE XREF: SmFpPreAllocate+B4j
		push	6D526D73h
		shl	eax, 0Ch
		push	eax
		call	_MmAllocateMappingAddress@8 ; MmAllocateMappingAddress(x,x)
		jmp	loc_5727DA
; 

loc_57286D:				; CODE XREF: SmFpPreAllocate+9Fj
		movzx	ecx, ax
		shl	ecx, 0Ch
		call	SmKmAllocateMdlForLock
		jmp	loc_5727DA
; 

loc_57287D:				; CODE XREF: SmFpPreAllocate+A8j
		push	edx
		movzx	ecx, ax
		xor	edx, edx
		shl	ecx, 0Ch
		inc	edx
		call	_SmAcquireReleaseCharges@12 ; SmAcquireReleaseCharges(x,x,x)
		test	eax, eax
		jz	loc_5F6982
		mov	eax, [ebp+var_54]
		jmp	loc_5727E2
SmFpPreAllocate	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1436. MmMapLockedPagesWithReservedMapping

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmMapLockedPagesWithReservedMapping
MmMapLockedPagesWithReservedMapping proc near ;	CODE XREF: SmFpAllocate+12333Bp
					; PnprCopyReservedMapping()+2CBp ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005F69A4 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax+18h]
		add	ecx, [eax+10h]
		mov	ebx, [eax+14h]
		and	ecx, 0FFFh
		add	ebx, 0FFFh
		add	ebx, ecx
		push	offset unk_6D340C
		shr	ebx, 0Ch
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	edi, [ebp+arg_0]
		mov	edx, edi
		mov	esi, dword_6D3410
		and	edx, 0FFFFF000h
		mov	[ebp+var_1], al
		jmp	short loc_5728EA
; 

loc_5728E8:				; CODE XREF: MmMapLockedPagesWithReservedMapping+55j
		mov	esi, [esi]

loc_5728EA:				; CODE XREF: MmMapLockedPagesWithReservedMapping+44j
					; MmMapLockedPagesWithReservedMapping+131j
		test	esi, esi
		jz	loc_5F69B0
		mov	ecx, [esi+0Ch]
		cmp	edx, ecx
		jb	short loc_5728E8
		mov	eax, [esi+10h]
		shl	eax, 0Ch
		add	eax, ecx
		cmp	edx, eax
		jnb	loc_5729D0
		test	esi, esi
		jz	loc_5F69B0
		push	offset unk_6D340C
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esi+14h]
		cmp	eax, [ebp+arg_4]
		jnz	loc_5F69A4
		test	byte ptr [esi+18h], 1
		jnz	loc_5F69C5
		mov	edi, [esi+0Ch]
		mov	ecx, [esi+10h]
		mov	esi, ecx

loc_572942:				; CODE XREF: MmMapLockedPagesWithReservedMapping+8413Ej
		cmp	ebx, ecx
		ja	loc_5729D8
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		add	eax, 0C0000000h
		mov	edx, eax
		mov	[ebp+arg_4], eax
		lea	esi, [edx+esi*8]

loc_572961:				; CODE XREF: MmMapLockedPagesWithReservedMapping+D2j
		cmp	edx, esi
		jnb	short loc_572976
		mov	ecx, [edx]
		nop
		or	ecx, [edx+4]
		jnz	loc_5F69E5
		add	edx, 8
		jmp	short loc_572961
; 

loc_572976:				; CODE XREF: MmMapLockedPagesWithReservedMapping+C1j
		mov	esi, [ebp+arg_8]
		add	esi, 1Ch

loc_57297C:				; CODE XREF: MmMapLockedPagesWithReservedMapping+115j
		mov	edi, [esi]
		cmp	edi, dword_6D07B0
		ja	short loc_5729B1
		mov	eax, dword_6D35B8
		mov	edx, edi
		shr	edx, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_5729B1
		imul	ecx, edi, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiLegitimatePageForDriversToMap@4 ; MiLegitimatePageForDriversToMap(x)
		test	eax, eax
		js	short loc_5729D8

loc_5729B1:				; CODE XREF: MmMapLockedPagesWithReservedMapping+E2j
					; MmMapLockedPagesWithReservedMapping+FBj
		add	esi, 4
		sub	ebx, 1
		jnz	short loc_57297C
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_8]
		call	MiMapMdlCommon

loc_5729C9:				; CODE XREF: MmMapLockedPagesWithReservedMapping+138j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_5729D0:				; CODE XREF: MmMapLockedPagesWithReservedMapping+61j
		mov	esi, [esi+4]
		jmp	loc_5728EA
; 

loc_5729D8:				; CODE XREF: MmMapLockedPagesWithReservedMapping+A2j
					; MmMapLockedPagesWithReservedMapping+10Dj ...
		xor	eax, eax
		jmp	short loc_5729C9
MmMapLockedPagesWithReservedMapping endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRemoveMappingNode proc near		; CODE XREF: MmFreeMappingAddress+13p

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F69EF SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	offset unk_6D340C
		mov	[ebp+var_8], edx
		mov	ebx, ecx
		call	ExAcquireSpinLockExclusive
		mov	esi, dword_6D3410
		mov	edi, ebx
		mov	[ebp+var_1], al
		and	edi, 0FFFFF000h
		jmp	short loc_572A0A
; 

loc_572A08:				; CODE XREF: MiRemoveMappingNode+3Bj
		mov	esi, [esi]

loc_572A0A:				; CODE XREF: MiRemoveMappingNode+2Aj
					; MiRemoveMappingNode+4Cj
		test	esi, esi
		jz	loc_5F69EF
		mov	ecx, [esi+0Ch]
		cmp	edi, ecx
		jb	short loc_572A08
		mov	eax, [esi+10h]
		shl	eax, 0Ch
		add	eax, ecx
		cmp	edi, eax
		jb	short loc_572A2A
		mov	esi, [esi+4]
		jmp	short loc_572A0A
; 

loc_572A2A:				; CODE XREF: MiRemoveMappingNode+47j
		test	esi, esi
		jz	loc_5F69EF
		push	esi
		push	offset dword_6D3410
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		push	offset unk_6D340C
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
MiRemoveMappingNode endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertMappingNode(x)
_MiInsertMappingNode@4 proc near	; CODE XREF: MmAllocateMappingAddressEx+BAp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		push	offset unk_6D340C
		mov	edi, [esi+0Ch]
		call	ExAcquireSpinLockExclusive
		mov	edx, dword_6D3410
		mov	bl, al
		mov	byte ptr [ebp+var_4], 0
		test	edx, edx
		jz	short loc_572A9F

loc_572A80:				; CODE XREF: MiInsertMappingNode(x)+36j
		cmp	edi, [edx+0Ch]
		jb	short loc_572A90
		mov	eax, [edx+4]
		test	eax, eax
		jz	short loc_572A9B

loc_572A8C:				; CODE XREF: MiInsertMappingNode(x)+3Cj
		mov	edx, eax
		jmp	short loc_572A80
; 

loc_572A90:				; CODE XREF: MiInsertMappingNode(x)+2Bj
		mov	eax, [edx]
		test	eax, eax
		jnz	short loc_572A8C
		mov	byte ptr [ebp+var_4], al
		jmp	short loc_572A9F
; 

loc_572A9B:				; CODE XREF: MiInsertMappingNode(x)+32j
		mov	byte ptr [ebp+var_4], 1

loc_572A9F:				; CODE XREF: MiInsertMappingNode(x)+26j
					; MiInsertMappingNode(x)+41j
		push	esi
		push	[ebp+var_4]
		push	edx
		push	offset dword_6D3410
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		push	offset unk_6D340C
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiInsertMappingNode@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapMdlCommon	proc near		; CODE XREF: MmMapLockedPagesWithReservedMapping+122p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F6A20 SIZE 0000008D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	[esp+28h+var_10], ebx
		mov	edi, [ebx+18h]
		mov	ecx, [ebx+10h]
		mov	eax, [ebx+14h]
		add	ecx, edi
		add	eax, 0FFFh
		and	ecx, 0FFFh
		add	ecx, eax
		mov	eax, edx
		shr	ecx, 0Ch
		shl	eax, 9
		add	eax, edi
		mov	[esp+28h+var_18], ecx
		mov	[esp+28h+var_C], eax
		xor	eax, eax
		lea	edi, [ebx+1Ch]
		mov	[esp+28h+var_8], eax
		mov	ebx, edx
		mov	[esp+28h+var_4], eax
		mov	[esp+28h+var_1C], edi

loc_572B17:				; CODE XREF: MiMapMdlCommon+F9j
		mov	edi, [edi]
		push	4
		pop	esi
		cmp	edi, dword_6D07B0
		ja	loc_5F6A2F
		mov	eax, dword_6D35B8
		mov	edx, edi
		shr	edx, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_5F6A2F
		imul	esi, edi, 1Ch
		xor	eax, eax
		add	esi, ds:_MmPfnDatabase
		cmp	[esi+14h], ax
		jz	loc_5F6A05

loc_572B5A:				; CODE XREF: MiRemoveMappingNode+8402Fj
					; MiRemoveMappingNode+8403Fj
		mov	al, [esi+16h]
		and	al, 0C0h
		cmp	al, 0C0h
		jz	loc_5F6A20

loc_572B67:				; CODE XREF: MiMapMdlCommon+83F64j
		push	4
		mov	edx, esi
		pop	ecx
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		mov	esi, eax

loc_572B73:				; CODE XREF: MiMapMdlCommon+83F77j
					; MiMapMdlCommon+83F80j
		mov	edi, [esp+28h+var_1C]
		or	esi, 0A0000000h
		push	esi
		mov	ecx, ebx
		mov	edx, [edi]
		call	MiMakeValidPte
		mov	esi, eax
		mov	ecx, ebx
		xor	eax, eax
		mov	[esp+28h+var_1C], eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_5F6A4B
		mov	ecx, [esp+28h+var_1C]

loc_572BA2:				; CODE XREF: MiMapMdlCommon+83F99j
					; MiMapMdlCommon+83FA7j ...
		mov	[ebx+4], edx
		nop
		mov	[ebx], esi
		test	ecx, ecx
		jnz	loc_5F6A9F

loc_572BB0:				; CODE XREF: MiMapMdlCommon+83FE2j
		add	edi, 4
		add	ebx, 8
		sub	[esp+28h+var_18], 1
		mov	[esp+28h+var_1C], edi
		jnz	loc_572B17
		mov	ebx, [esp+28h+var_10]
		xor	ecx, ecx
		mov	edx, [esp+28h+var_C]
		inc	ecx
		mov	ax, [ebx+6]
		or	ax, cx
		mov	[ebx+0Ch], edx
		movzx	ecx, ax
		mov	[ebx+6], cx
		test	cl, 10h
		jnz	short loc_572BF1

loc_572BE6:				; CODE XREF: MiMapMdlCommon+132j
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_572BF1:				; CODE XREF: MiMapMdlCommon+11Ej
		or	ecx, 20h
		mov	[ebx+6], cx
		jmp	short loc_572BE6
MiMapMdlCommon	endp


;  S U B	R O U T	I N E 


; __stdcall _CmDevicePropertyWrite(x, x)
__CmDevicePropertyWrite@8 proc near	; CODE XREF: _CmSetDeviceRegPropWorker+63p
					; _CmIsDeviceRegPropWritable(x,x,x):loc_89EA7Bp
		cmp	edx, 25h
		ja	short loc_572C10
		movzx	eax, ds:byte_572C1E[edx]
		jmp	ds:off_572C16[eax*4]

loc_572C0D:				; DATA XREF: .text:00572C1Ao
		mov	al, 1
		retn
; 

loc_572C10:				; CODE XREF: _CmDevicePropertyWrite(x,x)+3j
					; _CmDevicePropertyWrite(x,x)+Cj
					; DATA XREF: ...
		xor	al, al
		retn
__CmDevicePropertyWrite@8 endp

; 
		db 8Dh
		db 49h,	0
off_572C16	dd offset loc_572C10	; DATA XREF: _CmDevicePropertyWrite(x,x)+Cr
		dd offset loc_572C0D
byte_572C1E	db 0			; DATA XREF: _CmDevicePropertyWrite(x,x)+5r
		db 1
		dd 1000101h, 1010000h, 1010101h, 1010001h, 101h, 10000h
		dd 1010101h, 1,	1000001h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpCleanupParameterAllocations(x, x, x)
_AdtpCleanupParameterAllocations@12 proc near ;	CODE XREF: AdtpWriteToEtwEx(x,x)+1D1p
					; AdtpWriteToEtw(x,x)+302p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		cmp	[ebp+arg_0], esi
		jbe	short loc_572C6A

loc_572C5B:				; CODE XREF: AdtpCleanupParameterAllocations(x,x,x)+24j
		cmp	byte ptr [esi+ebx], 0
		jnz	short loc_572C73

loc_572C61:				; CODE XREF: AdtpCleanupParameterAllocations(x,x,x)+36j
		inc	esi
		add	edi, 10h
		cmp	esi, [ebp+arg_0]
		jb	short loc_572C5B

loc_572C6A:				; CODE XREF: AdtpCleanupParameterAllocations(x,x,x)+15j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_572C73:				; CODE XREF: AdtpCleanupParameterAllocations(x,x,x)+1Bj
		mov	ecx, [edi]
		call	ExFreeHeapPool
		jmp	short loc_572C61
_AdtpCleanupParameterAllocations@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwWriteKMSecurityEvent(x, x, x, x)
_EtwWriteKMSecurityEvent@16 proc near	; CODE XREF: AdtpWriteToEtwEx(x,x)+1A6p
					; AdtpWriteToEtw(x,x)+2D7p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		mov	eax, [eax+1F0h]
		push	ecx
		push	ecx
		push	[ebp+arg_4]
		mov	dl, [eax+8A0h]
		push	[ebp+arg_0]
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	esi
		push	ecx
		push	ecx
		push	ecx
		lea	ecx, [eax+10h]
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		pop	esi
		pop	ebp
		retn	8
_EtwWriteKMSecurityEvent@16 endp ; sp =	-40h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AdtpPackageParameters proc near		; CODE XREF: AdtpWriteToEtwEx(x,x)+BEp
					; AdtpWriteToEtw(x,x)+C0p

var_30		= byte ptr -30h
var_2F		= byte ptr -2Fh
var_2E		= dword	ptr -2Eh
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005F6AAD SIZE 0000052B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		and	[esp+38h+var_20], eax
		push	esi
		xor	esi, esi
		mov	[esp+3Ch+var_2E+2], eax
		mov	[esp+3Ch+var_28], esi
		push	edi
		test	ecx, ecx
		jz	loc_5F6AB7
		test	edx, edx
		jnz	loc_5F6AAD	; default
		mov	edx, [ecx+8]
		lea	edi, [ecx+18h]
		mov	[esp+40h+var_10], edx
		mov	ecx, edx

loc_572CF4:				; CODE XREF: AdtpPackageParameters+83E0Dj
		push	2
		pop	edx
		mov	[esp+40h+var_1C], edi
		mov	[esp+40h+var_24], edx
		cmp	ecx, edx
		jbe	loc_572DB4

loc_572D07:				; CODE XREF: AdtpPackageParameters+F2j
		cmp	bx, 2Ah
		jnb	loc_5F6AAD	; default
		cmp	ax, 0Eh
		jnb	loc_5F6AAD	; default
		imul	esi, edx, 14h
		mov	[esp+40h+var_18], esi
		mov	ecx, [esi+edi]
		mov	[esp+40h+var_14], ecx
		cmp	ecx, 23h	; switch 36 cases
		ja	loc_5F6AAD	; default
		jmp	ds:off_57305C[ecx*4] ; switch jump

loc_572D39:				; DATA XREF: .text:off_57305Co
		movzx	ecx, bx		; case 0xA
		lea	eax, [edi+8]
		shl	ecx, 4
		add	eax, esi
		add	ecx, [ebp+arg_C]
		mov	[ecx], eax
		and	dword ptr [ecx+4], 0
		mov	dword ptr [ecx+8], 4

loc_572D54:				; CODE XREF: AdtpPackageParameters+83E68j
		and	dword ptr [ecx+0Ch], 0
		jmp	short loc_572D9C
; 

loc_572D5A:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	esi, [esi+edi+10h] ; case 0x2
		mov	ecx, esi
		call	_AdtpIsCorrectlyFormedUnicodeString@4 ;	AdtpIsCorrectlyFormedUnicodeString(x)
		test	al, al
		jz	loc_5F6AAD	; default
		call	_AdtpSubstituteDriveLetter@4 ; AdtpSubstituteDriveLetter(x)
		mov	edx, esi

loc_572D74:				; CODE XREF: AdtpPackageParameters+368j
		mov	eax, [ebp+arg_14]
		movzx	ecx, bx
		add	eax, ecx
		shl	ecx, 4
		add	ecx, [ebp+arg_C]
		push	eax
		lea	eax, [esp+44h+var_20]
		push	eax
		push	[ebp+arg_4]
		call	AdtpEtwBuildString

loc_572D90:				; CODE XREF: AdtpPackageParameters+12Ej
					; AdtpPackageParameters+356j ...
		mov	[esp+40h+var_28], eax
		test	eax, eax
		js	short loc_572DB0

loc_572D98:				; CODE XREF: AdtpPackageParameters+284j
					; AdtpPackageParameters+339j
		mov	edx, [esp+40h+var_24]

loc_572D9C:				; CODE XREF: AdtpPackageParameters+A0j
					; AdtpPackageParameters+2E7j
		mov	eax, [esp+40h+var_2E+2]

loc_572DA0:				; CODE XREF: AdtpPackageParameters+83E20j
					; AdtpPackageParameters+83FA8j
		inc	ebx

loc_572DA1:				; CODE XREF: AdtpPackageParameters+840D8j
					; AdtpPackageParameters+840FFj
		inc	edx
		mov	[esp+40h+var_24], edx
		cmp	edx, [esp+40h+var_10]
		jb	loc_572D07

loc_572DB0:				; CODE XREF: AdtpPackageParameters+DEj
					; AdtpPackageParameters+1A3j ...
		mov	esi, [esp+40h+var_28]

loc_572DB4:				; CODE XREF: AdtpPackageParameters+49j
					; AdtpPackageParameters+83DFAj	...
		mov	eax, [ebp+arg_10]
		pop	edi
		mov	[eax], bx
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_572DC5:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	eax, [ebp+arg_14] ; case 0x15
		mov	ecx, [esi+edi+8]
		movzx	edx, bx
		add	eax, edx
		shl	edx, 4
		add	edx, [ebp+arg_C]
		push	eax
		lea	eax, [esp+44h+var_20]
		push	eax
		push	[ebp+arg_4]
		push	edx
		call	AdtpBuildMessageString
		jmp	short loc_572D90
; 

loc_572DE8:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		xor	edx, edx	; case 0x5
		movzx	eax, ax
		mov	[esp+40h+var_2F], dl
		mov	byte ptr [esp+40h+var_2E], dl
		mov	byte ptr [esp+40h+var_2E+1], dl
		mov	[esp+40h+var_18], edx
		mov	edx, [ebp+arg_8]
		lea	edx, [edx+eax*8]
		lea	eax, [edi+8]
		mov	[esp+40h+var_C], edx
		add	eax, esi
		mov	[esp+40h+var_8], eax
		lea	eax, [esp+40h+var_2E+1]
		push	eax
		lea	eax, [edx+8]
		push	eax
		lea	eax, [esp+48h+var_2E]
		push	eax
		push	edx
		lea	edx, [ecx-23h]
		neg	edx
		lea	eax, [esp+21h]
		push	eax
		sbb	edx, edx
		lea	eax, [esp+54h+var_18]
		not	edx
		lea	ecx, [edi+8]
		and	edx, eax
		add	ecx, esi
		call	AdtpBuildLogonIdStrings
		cmp	[esp+40h+var_14], 23h
		mov	[esp+40h+var_28], eax
		jz	loc_57302B
		mov	ecx, [edi+10h]
		xor	dl, dl

loc_572E51:				; CODE XREF: AdtpPackageParameters+37Bj
		mov	[esp+40h+var_18], ecx
		mov	[esp+40h+var_2F], dl
		test	eax, eax
		js	loc_572DB0
		mov	eax, [esi+edi]
		cmp	eax, 5
		jnz	loc_573038

loc_572E6D:				; CODE XREF: AdtpPackageParameters+383j
		test	ecx, ecx
		jz	loc_573046

loc_572E75:				; CODE XREF: AdtpPackageParameters+39Cj
		movzx	eax, byte ptr [ecx+1]
		mov	esi, [esp+40h+var_18]

loc_572E7D:				; CODE XREF: AdtpPackageParameters+84199j
		lea	ecx, ds:8[eax*4]
		movzx	edx, bx
		mov	eax, edx
		shl	eax, 4
		add	eax, [ebp+arg_C]
		mov	[eax+8], ecx
		mov	ecx, [ebp+arg_14]
		mov	[eax], esi
		and	dword ptr [eax+4], 0
		and	dword ptr [eax+0Ch], 0
		inc	ebx
		mov	al, [esp+40h+var_2F]
		mov	[edx+ecx], al

loc_572EA7:				; CODE XREF: AdtpPackageParameters+841A0j
					; AdtpPackageParameters+841A8j	...
		mov	eax, [esp+40h+var_C]
		movzx	esi, bx
		mov	edi, [ebp+arg_8]
		mov	ecx, esi
		shl	ecx, 4
		movzx	edx, word ptr [eax]
		mov	eax, [eax+4]
		add	edx, 2
		add	ecx, [ebp+arg_C]
		and	dword ptr [ecx+4], 0
		and	dword ptr [ecx+0Ch], 0
		inc	ebx
		mov	[ecx], eax
		mov	al, byte ptr [esp+40h+var_2E]
		mov	[ecx+8], edx
		mov	ecx, [ebp+arg_14]
		mov	[esi+ecx], al
		mov	eax, [esp+40h+var_2E+2]
		mov	ecx, [ebp+arg_8]
		inc	eax
		mov	[esp+40h+var_2E+2], eax
		movzx	eax, ax
		movzx	esi, bx
		movzx	edx, word ptr [ecx+eax*8]
		mov	ecx, esi
		mov	eax, [edi+eax*8+4]
		add	edx, 2
		mov	edi, [esp+40h+var_1C]
		shl	ecx, 4
		add	ecx, [ebp+arg_C]
		and	dword ptr [ecx+4], 0
		mov	[ecx], eax
		mov	al, byte ptr [esp+40h+var_2E+1]
		mov	[ecx+8], edx
		xor	edx, edx
		mov	[ecx+0Ch], edx
		inc	ebx
		mov	ecx, [ebp+arg_14]
		inc	[esp+40h+var_2E+2]
		mov	[esi+ecx], al
		mov	ecx, [esp+40h+var_8]
		movzx	eax, bx
		shl	eax, 4
		add	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	dword ptr [eax+8], 8
		mov	[eax+0Ch], edx
		jmp	loc_572D98
; 

loc_572F41:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		movzx	eax, ds:byte_A9AAD1 ; case 0x6
		mov	esi, [ebp+arg_C]
		push	2
		lea	ecx, ds:8[eax*4]
		movzx	eax, bx
		shl	eax, 4
		add	eax, esi
		and	dword ptr [eax+4], 0
		and	dword ptr [eax+0Ch], 0
		inc	ebx
		mov	dword ptr [eax], offset	_AdtpNullSid
		mov	[eax+8], ecx
		pop	eax

loc_572F6F:				; CODE XREF: AdtpPackageParameters+2C8j
		movzx	ecx, bx
		shl	ecx, 4
		add	ecx, esi
		call	_AdtpEtwBuildDashString@4 ; AdtpEtwBuildDashString(x)
		inc	ebx
		sub	eax, 1
		jnz	short loc_572F6F
		movzx	eax, bx
		shl	eax, 4
		add	eax, esi
		mov	dword ptr [eax], offset	_AdtpNullLuid

loc_572F90:				; CODE XREF: AdtpPackageParameters+84113j
		and	dword ptr [eax+4], 0
		mov	dword ptr [eax+8], 8

loc_572F9B:				; CODE XREF: AdtpPackageParameters+83FD0j
		and	dword ptr [eax+0Ch], 0
		jmp	loc_572D9C
; 

loc_572FA4:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	ecx, [esi+edi+10h] ; case 0x4
		mov	[esp+40h+var_14], ecx
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		mov	[esp+40h+var_18], eax
		cmp	[esi+edi+4], eax
		jb	loc_5F6FCE
		push	ecx
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_5F6FCE
		mov	ecx, [esp+40h+var_14]
		movzx	eax, bx
		shl	eax, 4
		add	eax, [ebp+arg_C]
		and	dword ptr [eax+4], 0
		and	dword ptr [eax+0Ch], 0
		mov	[eax], ecx
		mov	ecx, [esp+40h+var_18]
		mov	[eax+8], ecx
		jmp	loc_572D98
; 

loc_572FF6:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	eax, [ebp+arg_14] ; case 0x22
		mov	ecx, [esi+edi+10h]
		movzx	edx, bx
		add	eax, edx
		shl	edx, 4
		add	edx, [ebp+arg_C]
		push	eax
		call	AdtpBuildMultiSzStringListString
		jmp	loc_572D90
; 

loc_573013:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	edx, [esi+edi+10h] ; case 0x1
		mov	ecx, edx
		call	_AdtpIsCorrectlyFormedUnicodeString@4 ;	AdtpIsCorrectlyFormedUnicodeString(x)
		test	al, al
		jnz	loc_572D74
		jmp	loc_5F6AAD	; default
; 

loc_57302B:				; CODE XREF: AdtpPackageParameters+18Ej
		mov	dl, [esp+40h+var_2F]
		mov	ecx, [esp+40h+var_18]
		jmp	loc_572E51
; 

loc_573038:				; CODE XREF: AdtpPackageParameters+1AFj
		cmp	eax, 23h
		jz	loc_572E6D
		jmp	loc_5F6E42
; 

loc_573046:				; CODE XREF: AdtpPackageParameters+1B7j
		mov	ecx, offset _AdtpNullSid
		mov	[esp+40h+var_2F], 0
		mov	[esp+40h+var_18], ecx
		jmp	loc_572E75
AdtpPackageParameters endp

; 
		align 4
off_57305C	dd offset loc_5F6ACA	; DATA XREF: AdtpPackageParameters+7Ar
		dd offset loc_573013	; jump table for switch	statement
		dd offset loc_572D5A
		dd offset loc_5F6ADD
		dd offset loc_572FA4
		dd offset loc_572DE8
		dd offset loc_572F41
		dd offset loc_5F6B25
		dd offset loc_5F6E70
		dd offset loc_5F6B72
		dd offset loc_572D39
		dd offset loc_572D39
		dd offset loc_5F6B05
		dd offset loc_5F6C65
		dd offset loc_5F6B05
		dd offset loc_5F6B05
		dd offset loc_5F6C8D
		dd offset loc_5F6CB3
		dd offset loc_5F6DBC
		dd offset loc_5F6CD9
		dd offset loc_5F6D95
		dd offset loc_572DC5
		dd offset loc_5F6AAD
		dd offset loc_5F6E04
		dd offset loc_5F6ED0
		dd offset loc_5F6AAD
		dd offset loc_572DE8
		dd offset loc_572D39
		dd offset loc_5F6DD0
		dd offset loc_5F6F76
		dd offset loc_5F6F60
		dd offset loc_5F6F1F
		dd offset loc_5F6AAD
		dd offset loc_572DE8
		dd offset loc_572FF6
		dd offset loc_572DE8

;  S U B	R O U T	I N E 


; __stdcall AdtpIsCorrectlyFormedUnicodeString(x)
_AdtpIsCorrectlyFormedUnicodeString@4 proc near	; CODE XREF: AdtpPackageParameters+A8p
					; AdtpPackageParameters+361p
		test	ecx, ecx
		jz	short loc_5730F9
		mov	ax, [ecx+2]
		cmp	ax, [ecx]
		jb	short loc_5730FC

loc_5730F9:				; CODE XREF: AdtpIsCorrectlyFormedUnicodeString(x)+2j
		mov	al, 1
		retn
; 

loc_5730FC:				; CODE XREF: AdtpIsCorrectlyFormedUnicodeString(x)+Bj
		xor	al, al
		retn
_AdtpIsCorrectlyFormedUnicodeString@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AdtpBuildMultiSzStringListString proc near ; CODE XREF:	AdtpPackageParameters+351p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00573175 SIZE 00000072 BYTES
; FUNCTION CHUNK AT 005F6FD8 SIZE 000000E8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	eax, ecx
		mov	esi, edx
		xor	edx, edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_18], edx
		push	edi
		test	eax, eax
		jz	loc_5F70AC
		mov	edi, [eax+4]
		test	edi, edi
		jz	loc_5F70AC
		movzx	ebx, word ptr [eax]
		push	1
		shr	ebx, 1
		pop	ecx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], edx
		jnz	loc_5F6FD8

loc_573147:				; CODE XREF: AdtpBuildMultiSzStringListString+83F0Bj
		lea	eax, [ecx-1]
		cmp	eax, ebx
		ja	loc_5F7010
		mov	ebx, [ebp+var_18]

loc_573155:				; CODE XREF: AdtpBuildMultiSzStringListString+83F2Aj
		push	2
		mov	eax, ecx
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		jns	loc_5F702F

loc_57316E:				; CODE XREF: AdtpBuildMultiSzStringListString+DEj
					; AdtpBuildMultiSzStringListString+E5j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
AdtpBuildMultiSzStringListString endp

; 
; START	OF FUNCTION CHUNK FOR AdtpBuildMultiSzStringListString

loc_573175:				; CODE XREF: AdtpBuildMultiSzStringListString+83F36j
		mov	eax, large fs:20h
		xor	ecx, ecx
		mov	edx, [ebp+var_C]
		inc	ecx
		push	0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	6B416553h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jz	short loc_5731E0
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	1
		test	ebx, ebx
		jnz	loc_5F7046
		mov	ecx, [ebp+var_8]

loc_5731B7:				; CODE XREF: AdtpBuildMultiSzStringListString+83F5Bj
		xor	eax, eax
		mov	ebx, eax
		cmp	[ebp+var_14], eax
		ja	loc_5F7060

loc_5731C4:				; CODE XREF: AdtpBuildMultiSzStringListString+83FA7j
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		mov	[edi+eax*2-2], cx
		mov	eax, [ebp+var_C]
		mov	[esi], edi
		mov	[esi+4], ecx
		mov	[esi+8], eax
		mov	[esi+0Ch], ecx

loc_5731DC:				; CODE XREF: AdtpBuildMultiSzStringListString+83FAEj
					; AdtpBuildMultiSzStringListString+83FBBj
		xor	eax, eax
		jmp	short loc_57316E
; 

loc_5731E0:				; CODE XREF: AdtpBuildMultiSzStringListString+A4j
		mov	eax, 0C0000017h
		jmp	short loc_57316E
; END OF FUNCTION CHUNK	FOR AdtpBuildMultiSzStringListString
; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpDevNodeInsertIntoTree	proc near	; CODE XREF: PipProcessEnumeratedChildDevice+72p
					; IopInitializeDeviceInstanceKey+108p ...

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F70C0 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PnpSpinLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, [ebx+54h]
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		inc	esi
		mov	[edi+54h], esi
		xor	ecx, ecx
		mov	[edi+8], ebx
		lock or	[eax], ecx
		mov	eax, [ebx+0Ch]
		test	eax, eax
		jz	short loc_573250
		mov	[eax], edi

loc_573228:				; CODE XREF: PpDevNodeInsertIntoTree+6Bj
		mov	[ebx+0Ch], edi
		mov	ecx, offset _PnpSpinLock
		test	ds:byte_70EFC6,	1
		pop	edi
		pop	esi
		pop	ebx
		jnz	loc_5F70C0
		xor	eax, eax
		lock and [ecx],	eax

loc_573245:				; CODE XREF: PpDevNodeInsertIntoTree+83EE0j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn
; 

loc_573250:				; CODE XREF: PpDevNodeInsertIntoTree+3Cj
		mov	[ebx+4], edi
		jmp	short loc_573228
PpDevNodeInsertIntoTree	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlpFindRegTziForCurrentYear(void *,int,__int16)
RtlpFindRegTziForCurrentYear proc near	; CODE XREF: RtlpCheckDynamicTimeZoneInformation+69p
					; RtlpUpdateDynamicTimeZones+23Cp

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
arg_0		= word ptr  8

; FUNCTION CHUNK AT 005F70CD SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 90h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		mov	ebx, ecx
		mov	[ebp+var_90], edx
		push	0		; int
		push	ebx		; void *
		mov	esi, 0C000000Dh
		call	_memset
		movsx	edi, [ebp+arg_0]
		lea	eax, [ebp+var_14]
		add	esp, 0Ch
		push	0Ah
		push	5
		push	eax
		push	edi
		call	__itow_s
		add	esp, 10h
		test	eax, eax
		jnz	loc_5733AC
		push	70h		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_84]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_80], 124h
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_7C], offset _szFirstEntry ; "FirstEntry"
		mov	[ebp+var_78], eax
		mov	ecx, 4000000h
		lea	eax, [ebp+var_88]
		mov	[ebp+var_74], ecx
		push	0FFFFFFFCh
		pop	edx
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_14]
		push	esi
		push	esi
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_84]
		push	eax
		push	[ebp+var_90]
		mov	[ebp+var_8C], edx
		push	40000000h
		mov	[ebp+var_64], 124h
		mov	[ebp+var_60], offset _szLastEntry ; "LastEntry"
		mov	[ebp+var_58], ecx
		mov	[ebp+var_88], edx
		mov	[ebp+var_48], 120h
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], 3000000h
		mov	dword ptr [ebx], 0FFFFFFD4h
		call	_RtlQueryRegistryValuesEx@20 ; RtlQueryRegistryValuesEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_5733AC
		mov	eax, [ebp+var_88]
		mov	ecx, [ebp+var_8C]
		cmp	eax, 0FFFFFFFCh
		jz	loc_5F70CD
		cmp	ecx, 0FFFFFFFCh
		jz	loc_5F70CD

loc_57335B:				; CODE XREF: RtlpFindRegTziForCurrentYear+83E7Cj
		test	esi, esi
		js	short loc_5733AC
		cmp	edi, eax
		jle	short loc_5733BF

loc_573363:				; CODE XREF: RtlpFindRegTziForCurrentYear+16Dj
		cmp	edi, eax
		movzx	eax, ax
		jle	short loc_5733C5

loc_57336A:				; CODE XREF: RtlpFindRegTziForCurrentYear+172j
		push	0Ah
		push	5
		lea	ecx, [ebp+var_14]
		cwde
		push	ecx
		push	eax
		call	__itow_s
		add	esp, 10h
		test	eax, eax
		jnz	short loc_5733CA
		push	eax
		push	eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_48], 124h
		push	eax
		push	[ebp+var_90]
		mov	[ebp+var_3C], 3000000h
		push	40000000h
		mov	dword ptr [ebx], 0FFFFFFD4h
		call	_RtlQueryRegistryValuesEx@20 ; RtlQueryRegistryValuesEx(x,x,x,x,x)
		mov	esi, eax

loc_5733AC:				; CODE XREF: RtlpFindRegTziForCurrentYear+49j
					; RtlpFindRegTziForCurrentYear+E5j ...
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_5733BF:				; CODE XREF: RtlpFindRegTziForCurrentYear+10Bj
		cmp	edi, ecx
		jge	short loc_5733AC
		jmp	short loc_573363
; 

loc_5733C5:				; CODE XREF: RtlpFindRegTziForCurrentYear+112j
		movzx	eax, cx
		jmp	short loc_57336A
; 

loc_5733CA:				; CODE XREF: RtlpFindRegTziForCurrentYear+128j
		mov	esi, 0C000003Eh
		jmp	short loc_5733AC
RtlpFindRegTziForCurrentYear endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIntSteerSetMode(x, x, x,	x)
_PopIntSteerSetMode@16 proc near

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 4
		jnz	short loc_573410
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		cmp	eax, 4
		jz	short loc_573417
		mov	_PpmIntSteerMode, eax
		xor	eax, eax

loc_5733EE:				; CODE XREF: PopIntSteerSetMode(x,x,x,x)+48j
		mov	ecx, offset _PpmPerfPolicyLock
		mov	_PpmIntSteerDisabled, eax
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		call	_PpmCheckReInit@0 ; PpmCheckReInit()
		push	4
		pop	ecx
		call	_PpmCheckCustomRun@4 ; PpmCheckCustomRun(x)
		xor	eax, eax

loc_57340C:				; CODE XREF: PopIntSteerSetMode(x,x,x,x)+43j
		pop	ebp
		retn	10h
; 

loc_573410:				; CODE XREF: PopIntSteerSetMode(x,x,x,x)+9j
		mov	eax, 0C000000Dh
		jmp	short loc_57340C
; 

loc_573417:				; CODE XREF: PopIntSteerSetMode(x,x,x,x)+13j
		xor	eax, eax
		inc	eax
		jmp	short loc_5733EE
_PopIntSteerSetMode@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmInstallFeedbackCounters proc	near	; CODE XREF: PpmRegisterPerfStates+56Fp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F70D7 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_18], edx
		lea	edi, [ebp+var_10]
		mov	esi, ecx
		stosd
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_28], ebx
		mov	ecx, [esi+3CCh]
		stosd
		mov	[ebp+var_24], ebx
		stosd
		xor	eax, eax
		inc	eax
		shl	eax, cl
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	KeSetSystemGroupAffinityThread
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	ebx
		mov	[ebp+var_12], al
		lea	edi, [esi+3DB0h]
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		push	edx
		push	eax
		mov	ecx, esi
		call	_PpmContinueActiveTimeAccumulation@12 ;	PpmContinueActiveTimeAccumulation(x,x,x)
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, edi
		mov	[ebp+var_11], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [ebp+var_18]
		lea	ecx, [edi+18h]
		mov	esi, ebx
		mov	[ebp+var_1C], ecx
		lea	ebx, [edi+38h]

loc_5734A2:				; CODE XREF: PpmInstallFeedbackCounters+D6j
		mov	eax, [edx+esi*4]
		test	eax, eax
		jz	short loc_5734E5
		cmp	byte ptr [eax+22h], 0
		jnz	loc_5F70D7

loc_5734B3:				; CODE XREF: PpmInstallFeedbackCounters+83CC5j
		mov	[ecx], eax
		mov	eax, [edi+2Ch]
		push	64h
		pop	ecx
		mul	ecx
		push	64h
		mov	ecx, eax
		mov	eax, [edi+28h]
		pop	edx
		mul	edx
		add	ecx, edx
		mov	[ebx], eax
		mov	[ebx+4], ecx
		lea	eax, [ebp+var_20]
		mov	ecx, [ebp+var_18]
		mov	dl, 1
		push	eax
		mov	ecx, [ecx+esi*4]
		call	PpmPerfFeedbackCounterRead
		mov	ecx, [ebp+var_1C]
		mov	edx, [ebp+var_18]

loc_5734E5:				; CODE XREF: PpmInstallFeedbackCounters+8Bj
		inc	esi
		add	ecx, 4
		add	ebx, 8
		mov	[ebp+var_1C], ecx
		cmp	esi, 2
		jb	short loc_5734A2
		xor	eax, eax
		cmp	[edi+1Ch], eax
		jnz	short loc_573540
		cmp	[edi+18h], eax
		jz	short loc_573506
		mov	[edi+80h], al

loc_573506:				; CODE XREF: PpmInstallFeedbackCounters+E2j
					; PpmInstallFeedbackCounters+12Bj
		test	ds:byte_70EFC6,	1
		jnz	loc_5F70E6
		xor	eax, eax
		lock and [edi],	eax

loc_573518:				; CODE XREF: PpmInstallFeedbackCounters+83CD4j
		cmp	[ebp+var_11], 0
		jz	short loc_57351F
		sti

loc_57351F:				; CODE XREF: PpmInstallFeedbackCounters+100j
		mov	cl, [ebp+var_12]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_573540:				; CODE XREF: PpmInstallFeedbackCounters+DDj
		mov	byte ptr [edi+80h], 1
		jmp	short loc_573506
PpmInstallFeedbackCounters endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfFeedbackCounterRead proc	near	; CODE XREF: PpmInstallFeedbackCounters+BEp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F70F5 SIZE 0000006C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		xor	eax, eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		cmp	byte ptr [esi+21h], 0
		mov	eax, [esi]
		mov	ecx, [esi+24h]
		mov	[ebp+var_8], esi
		jz	short loc_5735AE
		push	ebx
		push	edi
		lea	edi, [ebp+var_28]
		push	edi
		lea	edi, [ebp+var_20]
		push	edi
		call	eax
		mov	ebx, [esi+10h]
		mov	ecx, [ebp+var_20]
		mov	edx, [esi+14h]
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], edx
		cmp	ecx, ebx
		jnz	loc_5F70F5
		cmp	eax, edx
		jnz	loc_5F70F5
		mov	ecx, [esi+18h]

loc_5735A2:				; CODE XREF: PpmPerfFeedbackCounterRead+83C12j
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	ebx
		mov	[eax], ecx

loc_5735A9:				; CODE XREF: PpmPerfFeedbackCounterRead+69j
		pop	esi
		leave
		retn	4
; 

loc_5735AE:				; CODE XREF: PpmPerfFeedbackCounterRead+25j
		mov	edx, [ebp+arg_0]
		call	eax
		jmp	short loc_5735A9
PpmPerfFeedbackCounterRead endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PpmCheckApplyParkConstraints()
_PpmCheckApplyParkConstraints@0	proc near ; CODE XREF: PpmCheckInitProcessors+E3p
					; PpmReapplyPerfPolicy+9Ep ...
		push	4
		pop	ecx
		jmp	_PpmCheckCustomRun@4 ; PpmCheckCustomRun(x)
_PpmCheckApplyParkConstraints@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmParkRegisterParking proc near	; CODE XREF: PpmCheckInitProcessors:loc_8A06C0p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= word ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F7161 SIZE 00000244 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		xor	eax, eax
		and	[esp+64h+var_38], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+70h+var_10]
		and	[esp+70h+var_64], 0
		stosd
		mov	esi, offset _PpmParkStateLock
		and	[esp+70h+var_48], 0
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+70h+var_28]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+70h+var_1C]
		stosd
		stosd
		stosd
		xor	eax, eax
		xor	edi, edi
		mov	[esp+70h+var_2C], eax
		mov	[esp+70h+var_50], edi
		cmp	_PpmParkNodes, eax
		jz	short loc_573695
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, _PpmParkHistograms
		mov	ecx, offset _PpmParkStateLock
		mov	edi, _PpmParkNumNodes
		mov	esi, _PpmParkNodes
		mov	[esp+70h+var_2C], eax
		xor	eax, eax
		test	ds:byte_70EFC6,	1
		mov	[esp+70h+var_50], edi
		mov	[esp+70h+var_48], esi
		mov	_PpmParkNumNodes, eax
		mov	_PpmParkNodes, eax
		mov	_PpmParkHistograms, eax
		jnz	loc_5F7161
		lock and [ecx],	eax

loc_57366C:				; CODE XREF: PpmParkRegisterParking+83BABj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_573695
		add	esi, 6Ah

loc_57367B:				; CODE XREF: PpmParkRegisterParking+D5j
		cmp	dword ptr [esi-42h], 0
		jz	short loc_57368A
		test	byte ptr [esi],	8
		jnz	loc_5F716E

loc_57368A:				; CODE XREF: PpmParkRegisterParking+C1j
					; PpmParkRegisterParking+83BDBj
		add	esi, 0D0h
		sub	edi, 1
		jnz	short loc_57367B

loc_573695:				; CODE XREF: PpmParkRegisterParking+5Aj
					; PpmParkRegisterParking+B8j
		xor	ebx, ebx
		xor	eax, eax
		xor	esi, esi
		mov	[esp+70h+var_5C], ebx
		cmp	ax, ds:_KeNumberNodes
		jnb	short loc_5736CE

loc_5736A8:				; CODE XREF: PpmParkRegisterParking+10Aj
		lea	eax, [esp+70h+var_64]
		push	eax
		push	0
		push	esi
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		cmp	word ptr [esp+70h+var_64], 0
		jz	short loc_5736BE
		inc	ebx

loc_5736BE:				; CODE XREF: PpmParkRegisterParking+FDj
		movzx	eax, ds:_KeNumberNodes
		inc	esi
		cmp	esi, eax
		jb	short loc_5736A8
		mov	[esp+70h+var_5C], ebx

loc_5736CE:				; CODE XREF: PpmParkRegisterParking+E8j
		imul	esi, ebx, 0D0h
		push	704D5050h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		xor	ecx, ecx
		mov	[esp+70h+var_60], ebx
		mov	[esp+70h+var_34], ecx
		test	ebx, ebx
		jz	loc_573AD9
		push	esi		; size_t
		push	ecx		; int
		push	ebx		; void *
		call	_memset
		mov	eax, ds:_PpmParkUseCoreGranularity
		add	esp, 0Ch
		test	eax, eax
		mov	_PpmParkGranularity, 1
		setnz	cl
		cmp	eax, 2
		mov	_PpmParkCoreMask, cl
		setz	_PpmParkUnparkCores
		test	cl, cl
		jz	loc_5737C3
		mov	eax, dword_6B5BAC
		xor	ebx, ebx
		mov	[esp+70h+var_24], eax
		mov	[esp+70h+var_28], offset _PpmCheckRegistered

loc_57373F:				; CODE XREF: PpmParkRegisterParking+59Dj
		mov	[esp+70h+var_58], ebx

loc_573743:				; CODE XREF: PpmParkRegisterParking+1EBj
					; PpmParkRegisterParking+83BE7j
		lea	eax, [esp+70h+var_28]
		push	eax
		lea	eax, [esp+74h+var_38]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5737B0
		mov	ecx, [esp+70h+var_38]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ebx, [eax+402Ch]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		cmp	[esp+70h+var_58], 0
		jz	loc_573B58
		mov	ebx, [esp+70h+var_58]
		movzx	eax, cl
		cmp	ebx, eax
		jz	short loc_573743
		jmp	loc_5F719E
; 

loc_5737B0:				; CODE XREF: PpmParkRegisterParking+196j
		cmp	_PpmParkCoreMask, 0
		jz	short loc_5737BF
		mov	_PpmParkGranularity, bl

loc_5737BF:				; CODE XREF: PpmParkRegisterParking+1F9j
		mov	ebx, [esp+70h+var_60]

loc_5737C3:				; CODE XREF: PpmParkRegisterParking+168j
		xor	esi, esi
		xor	ecx, ecx
		xor	eax, eax
		mov	[esp+70h+var_4C], esi
		mov	[esp+70h+var_58], ecx
		cmp	ax, ds:_KeNumberNodes
		jnb	loc_573999
		mov	eax, [esp+70h+var_48]
		add	eax, 28h
		mov	[esp+70h+var_64], 1Ch
		mov	[esp+70h+var_30], eax

loc_5737F1:				; CODE XREF: PpmParkRegisterParking+3D1j
		push	0
		lea	eax, [esp+74h+var_1C]
		mov	[esp+74h+var_54], ebx
		push	eax
		push	ecx
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		mov	dx, [esp+70h+var_18]
		test	dx, dx
		jnz	loc_5F71AA
		mov	eax, dword_6B5BAC

loc_573815:				; CODE XREF: PpmParkRegisterParking+83BEEj
		mov	edi, [esp+70h+var_1C]
		and	edi, eax
		mov	[esp+70h+var_1C], edi
		jz	loc_573970
		mov	esi, ebx
		add	ebx, 0D0h
		mov	[esp+70h+var_3C], ebx
		xor	bl, bl
		xor	eax, eax
		mov	[esp+70h+var_40], eax
		mov	[esi+4], dx
		mov	[esi+8], edi

loc_573840:				; CODE XREF: PpmParkRegisterParking+2EDj
		mov	[esp+70h+var_44], eax
		mov	ecx, eax
		test	bl, bl
		jnz	loc_573B60

loc_57384E:				; CODE XREF: PpmParkRegisterParking+5B1j
		and	[esp+70h+var_28], 0
		mov	[esp+70h+var_24], edi
		mov	edi, [esp+70h+var_44]
		mov	[esp+70h+var_20], dx

loc_573860:				; CODE XREF: PpmParkRegisterParking+2C4j
					; PpmParkRegisterParking+2D4j
		lea	eax, [esp+70h+var_28]
		push	eax
		lea	eax, [esp+74h+var_38]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_573894
		mov	ecx, [esp+70h+var_38]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		cmp	[eax+3ED0h], bl
		jnz	short loc_573860
		inc	byte ptr [esi+edi+58h]
		mov	eax, [eax+3C8h]
		or	[esi+edi*4+0Ch], eax
		jmp	short loc_573860
; 

loc_573894:				; CODE XREF: PpmParkRegisterParking+2B3j
		mov	eax, [esp+70h+var_40]
		inc	bl
		mov	edi, [esp+70h+var_1C]
		inc	eax
		mov	dx, [esp+70h+var_18]
		mov	[esp+70h+var_40], eax
		cmp	bl, 2
		jb	short loc_573840
		mov	edx, [esp+70h+var_54]
		lea	ecx, [esi+58h]
		cmp	byte ptr [ecx],	0
		mov	al, [edx+59h]
		jz	loc_5F71B1

loc_5738C0:				; CODE XREF: PpmParkRegisterParking+83C05j
		test	al, al
		jnz	short loc_5738C8
		or	byte ptr [esi+6Ah], 4

loc_5738C8:				; CODE XREF: PpmParkRegisterParking+304j
		push	2
		xor	ebx, ebx
		mov	edx, ecx
		pop	edi

loc_5738CF:				; CODE XREF: PpmParkRegisterParking+322j
		mov	cl, [edx]
		movzx	eax, cl
		add	ebx, eax
		mov	[edx+0Ah], cl
		mov	[edx+0Fh], cl
		inc	edx
		sub	edi, 1
		jnz	short loc_5738CF
		mov	ecx, [esp+70h+var_4C]
		lea	edx, [esi+28h]
		and	[esp+70h+var_8], edi
		add	ecx, 3
		and	[esp+70h+var_C], edi
		imul	eax, ebx, 3
		add	ecx, eax
		xor	eax, eax
		inc	eax
		mov	[esp+70h+var_4C], ecx
		mov	word ptr [esp+70h+var_10], ax
		lea	ecx, [esp+70h+var_10]
		mov	word ptr [esp+70h+var_10+2], ax
		mov	eax, [esi+8]
		mov	[esp+70h+var_8], eax
		mov	eax, [esp+70h+var_50]
		cmp	[esp+70h+var_58], eax
		sbb	eax, eax
		and	eax, [esp+70h+var_30]
		push	eax
		call	_PpmIdleInitializeConcurrency@12 ; PpmIdleInitializeConcurrency(x,x,x)
		test	eax, eax
		js	loc_5F7310
		movzx	eax, byte ptr [esi+58h]
		cmp	ebx, eax
		jnz	loc_5F71C8

loc_57393D:				; CODE XREF: PpmParkRegisterParking+83C8Cj
		xor	eax, eax
		mov	[esi+6], bl
		mov	[esi+5Fh], bl
		inc	eax
		mov	[esi+61h], bl
		mov	ecx, ds:_PpmParkMultiparkGranularity
		cmp	ecx, eax
		jb	short loc_573955
		mov	ecx, eax

loc_573955:				; CODE XREF: PpmParkRegisterParking+393j
		mov	eax, ebx
		xor	edx, edx
		div	ecx
		mov	cl, _PpmParkGranularity
		mov	ebx, [esp+70h+var_3C]
		mov	[esi+69h], al
		cmp	al, cl
		jb	loc_5F724F

loc_573970:				; CODE XREF: PpmParkRegisterParking+261j
					; PpmParkRegisterParking+83C94j
		mov	ecx, [esp+70h+var_58]
		movzx	eax, ds:_KeNumberNodes
		inc	ecx
		add	[esp+70h+var_30], 0D0h
		add	[esp+70h+var_64], 34h
		mov	[esp+70h+var_58], ecx
		cmp	ecx, eax
		jb	loc_5737F1
		mov	esi, [esp+70h+var_4C]

loc_573999:				; CODE XREF: PpmParkRegisterParking+21Aj
		push	704D5050h
		shl	esi, 3
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+70h+var_34], ebx
		test	ebx, ebx
		jz	loc_5F7310
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	edi, ebx
		add	esp, 0Ch
		mov	ebx, [esp+70h+var_5C]
		test	ebx, ebx
		jz	loc_573A6E
		mov	esi, [esp+70h+var_60]
		add	esi, 50h
		mov	[esp+70h+var_44], ebx
		mov	[esp+70h+var_40], esi

loc_5739E3:				; CODE XREF: PpmParkRegisterParking+4AAj
		movzx	eax, byte ptr [esi-4Ah]
		mov	ecx, edi
		inc	eax
		mov	[esi-20h], edi
		mov	[esi], eax
		shl	eax, 3
		add	edi, eax
		mov	[esi-1Ch], edi
		add	edi, eax
		push	eax		; size_t
		mov	[esi-18h], edi
		add	edi, eax
		mov	eax, [esi-28h]
		add	eax, 20h
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [esi]
		add	esp, 0Ch
		shl	eax, 3
		push	eax		; size_t
		mov	eax, [esi-28h]
		add	eax, 20h
		push	eax		; void *
		push	dword ptr [esi-1Ch] ; void *
		call	_memcpy
		mov	ecx, [esi-28h]
		add	esp, 0Ch
		mov	eax, [ecx+18h]
		mov	[esi-10h], eax
		mov	eax, [ecx+1Ch]
		mov	[esi-0Ch], eax
		mov	ecx, [esi-28h]
		mov	eax, [ecx+18h]
		mov	[esi-8], eax
		mov	eax, [ecx+1Ch]
		lea	ecx, [esi+8]
		mov	[esi-4], eax
		mov	al, [esi-4Ah]
		mov	[esp+70h+var_3C], ecx
		cmp	al, [ecx]
		jnz	loc_5F7257

loc_573A57:				; CODE XREF: PpmParkRegisterParking+83D3Ej
		add	esi, 0D0h
		sub	ebx, 1
		mov	[esp+70h+var_40], esi
		mov	[esp+70h+var_44], ebx
		jnz	loc_5739E3

loc_573A6E:				; CODE XREF: PpmParkRegisterParking+410j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PpmParkStateLock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		mov	edi, [esp+70h+var_5C]
		mov	eax, [esp+70h+var_60]
		mov	ecx, [esp+70h+var_34]
		mov	_PpmParkNumNodes, edi
		mov	_PpmParkNodes, eax
		mov	_PpmParkHistograms, ecx
		jnz	loc_5F7301
		xor	eax, eax
		lock and [esi],	eax

loc_573AB1:				; CODE XREF: PpmParkRegisterParking+83D4Dj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		xor	ecx, ecx
		mov	[esp+70h+var_60], eax
		mov	[esp+70h+var_34], ecx

loc_573AC5:				; CODE XREF: PpmParkRegisterParking+83D5Aj
		test	eax, eax
		jnz	loc_5F731D

loc_573ACD:				; CODE XREF: PpmParkRegisterParking+83DB2j
		mov	eax, [esp+70h+var_34]
		test	eax, eax
		jnz	loc_5F7375

loc_573AD9:				; CODE XREF: PpmParkRegisterParking+134j
					; PpmParkRegisterParking+83DC2j
		mov	eax, [esp+70h+var_48]
		test	eax, eax
		jz	short loc_573B29
		cmp	[esp+70h+var_50], 0
		jbe	short loc_573B1E
		lea	esi, [eax+28h]

loc_573AEB:				; CODE XREF: PpmParkRegisterParking+55Aj
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5F7385

loc_573AF5:				; CODE XREF: PpmParkRegisterParking+83DD2j
		push	2
		lea	edi, [esi+48h]
		pop	ebx

loc_573AFB:				; CODE XREF: PpmParkRegisterParking+54Dj
		mov	eax, [edi]
		test	eax, eax
		jnz	loc_5F7395

loc_573B05:				; CODE XREF: PpmParkRegisterParking+83DE2j
		add	edi, 4
		sub	ebx, 1
		jnz	short loc_573AFB
		add	esi, 0D0h
		sub	[esp+70h+var_50], 1
		jnz	short loc_573AEB
		mov	eax, [esp+70h+var_48]

loc_573B1E:				; CODE XREF: PpmParkRegisterParking+528j
		push	704D5050h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_573B29:				; CODE XREF: PpmParkRegisterParking+521j
		mov	eax, [esp+70h+var_2C]
		test	eax, eax
		jz	short loc_573B3C
		push	704D5050h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_573B3C:				; CODE XREF: PpmParkRegisterParking+571j
		call	PpmParkApplyPolicy
		call	_PpmParkParkingAvailable@0 ; PpmParkParkingAvailable()
		mov	ecx, [esp+70h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_573B58:				; CODE XREF: PpmParkRegisterParking+1DCj
		movzx	ebx, cl
		jmp	loc_57373F
; 

loc_573B60:				; CODE XREF: PpmParkRegisterParking+28Aj
		mov	eax, ds:_PpmHeteroPolicy
		neg	eax
		sbb	eax, eax
		and	ecx, eax
		mov	[esp+70h+var_44], ecx
		jmp	loc_57384E
PpmParkRegisterParking endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmCheckArmPeriod proc near		; CODE XREF: PpmCheckReInit()+CFp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F73A5 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	ecx, _PpmCurrentProfile
		imul	eax, dword_6C2D0C, 0F0h
		push	ebx
		push	esi
		push	edi
		imul	edi, [eax+ecx+34h], 2710h
		xor	eax, eax
		mov	ecx, dword_6C047C
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], edi
		cmp	eax, ecx
		ja	short loc_573BBB
		jb	loc_5F73A5
		cmp	edi, _PpmCheckMinimumPeriod
		jbe	loc_5F73A5

loc_573BBB:				; CODE XREF: PpmCheckArmPeriod+33j
		mov	ecx, eax
		mov	[ebp+var_8], ecx

loc_573BC0:				; CODE XREF: PpmCheckArmPeriod+8383Aj
		mov	al, _PpmCheckArmed
		mov	[ebp+var_C], offset _PpmCheckLastExecutionTime
		test	al, al
		jz	short loc_573BE9
		cmp	edi, _PpmCheckPeriod
		jnz	short loc_573C30
		cmp	ecx, dword_6C0494
		jnz	short loc_573C30

loc_573BE0:				; CODE XREF: PpmCheckArmPeriod+F1j
		test	al, al
		jz	short loc_573BE9

loc_573BE4:				; CODE XREF: PpmCheckArmPeriod+BAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_573BE9:				; CODE XREF: PpmCheckArmPeriod+5Aj
					; PpmCheckArmPeriod+6Ej
		mov	dword_6C0494, ecx
		xor	ecx, ecx
		mov	_PpmCheckPeriod, edi
		call	_PpmCheckResetProcessors@4 ; PpmCheckResetProcessors(x)

loc_573BFC:				; CODE XREF: PpmCheckArmPeriod+ADj
					; PpmCheckArmPeriod+B1j
		mov	esi, _PpmCheckLastExecutionTime
		mov	eax, esi
		mov	edi, dword_6C049C
		mov	edx, edi
		mov	[ebp+var_10], edi
		nop
		mov	edi, [ebp+var_C]
		xor	ebx, ebx
		inc	ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_10]
		cmp	eax, esi
		jnz	short loc_573BFC
		cmp	edx, edi
		jnz	short loc_573BFC
		mov	_PpmCheckArmed,	1
		jmp	short loc_573BE4
; 

loc_573C30:				; CODE XREF: PpmCheckArmPeriod+62j
					; PpmCheckArmPeriod+6Aj
		mov	edi, [ebp+var_C]

loc_573C33:				; CODE XREF: PpmCheckArmPeriod+DDj
					; PpmCheckArmPeriod+E2j
		mov	esi, _PpmCheckLastExecutionTime
		mov	eax, esi
		mov	ecx, dword_6C049C
		mov	edx, ecx
		mov	[ebp+var_10], ecx
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_573C33
		cmp	edx, [ebp+var_10]
		jnz	short loc_573C33
		mov	edi, [ebp+var_4]
		xor	al, al
		mov	ecx, [ebp+var_8]
		mov	_PpmCheckArmed,	al
		jmp	loc_573BE0
PpmCheckArmPeriod endp


;  S U B	R O U T	I N E 


; __stdcall PpmPerfClearResponsivenessHints()
_PpmPerfClearResponsivenessHints@0 proc	near ; CODE XREF: PpmCheckReInit()+BBp
		mov	ecx, ds:_PpmPerfDomainHead
		push	edi
		mov	edi, offset _PpmPerfDomainHead
		cmp	ecx, edi
		jz	short loc_573CA3
		push	esi

loc_573C7B:				; CODE XREF: PpmPerfClearResponsivenessHints()+36j
		xor	edx, edx
		mov	byte ptr [ecx+8Ch], 0
		cmp	[ecx+1Ch], edx
		jbe	short loc_573C9C
		xor	esi, esi

loc_573C8B:				; CODE XREF: PpmPerfClearResponsivenessHints()+30j
		mov	eax, [ecx+24h]
		lea	esi, [esi+78h]
		inc	edx
		mov	byte ptr [eax+esi-4Ch],	0
		cmp	edx, [ecx+1Ch]
		jb	short loc_573C8B

loc_573C9C:				; CODE XREF: PpmPerfClearResponsivenessHints()+1Dj
		mov	ecx, [ecx]
		cmp	ecx, edi
		jnz	short loc_573C7B
		pop	esi

loc_573CA3:				; CODE XREF: PpmPerfClearResponsivenessHints()+Ej
		pop	edi
		retn
_PpmPerfClearResponsivenessHints@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopInterruptSteeringEnabled()
_PopInterruptSteeringEnabled@0 proc near ; CODE	XREF: PpmCheckReInit():loc_8A089Bp
		cmp	_PpmIntSteerDisabled, 0
		jnz	short loc_573CBB
		cmp	_KiIntSteerEnabled, 0
		jz	short loc_573CBB
		mov	al, 1
		retn
; 

loc_573CBB:				; CODE XREF: PopInterruptSteeringEnabled()+7j
					; PopInterruptSteeringEnabled()+10j
		xor	al, al
		retn
_PopInterruptSteeringEnabled@0 endp


;  S U B	R O U T	I N E 


PpmPerfCheckRequired proc near		; CODE XREF: PpmCheckReInit()+39p

; FUNCTION CHUNK AT 005F73B3 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		xor	edx, edx
		mov	ebx, offset _PpmPerfDomainHead
		push	edi
		mov	edi, ecx
		mov	esi, edx

loc_573CCE:				; CODE XREF: PpmPerfCheckRequired+35j
		mov	al, [edi+esi+1Ah]
		mov	cl, [edi+esi+1Ch]
		cmp	al, cl
		jnz	short loc_573D05
		cmp	al, 64h
		jnz	short loc_573CEF
		cmp	cl, al
		jnz	short loc_573CEF
		mov	eax, [edi+38h]
		cmp	eax, 1
		jz	short loc_573CFB
		cmp	eax, 3
		jz	short loc_573CFB

loc_573CEF:				; CODE XREF: PpmPerfCheckRequired+1Ej
					; PpmPerfCheckRequired+22j ...
		inc	esi
		cmp	esi, 2
		jb	short loc_573CCE

loc_573CF5:				; CODE XREF: PpmPerfCheckRequired+49j
		pop	edi
		pop	esi
		mov	al, dl
		pop	ebx
		retn
; 

loc_573CFB:				; CODE XREF: PpmPerfCheckRequired+2Aj
					; PpmPerfCheckRequired+2Fj
		mov	eax, ds:_PpmPerfDomainHead
		jmp	loc_5F73BF
; 

loc_573D05:				; CODE XREF: PpmPerfCheckRequired+1Aj
					; PpmPerfCheckRequired+836F9j
		mov	dl, 1
		jmp	short loc_573CF5
PpmPerfCheckRequired endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmParkApplyPolicy proc	near		; CODE XREF: PpmParkRegisterParking:loc_573B3Cp
					; PpmParkSetLpiCap(x,x,x)+124p	...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= word ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_8		= word ptr -8
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F73C8 SIZE 000001E7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		stosd
		xor	edx, edx
		mov	[ebp+var_2C], edx
		stosd
		stosd
		cmp	_PpmParkNodes, edx
		jz	loc_573FE9
		mov	eax, _PpmCurrentProfile
		imul	ecx, dword_6C2D0C, 0F0h
		add	ecx, eax
		mov	[ebp+var_40], ecx
		mov	ax, [ecx+0ACh]
		mov	[ebp+var_8], ax
		mov	ax, [ecx+0AEh]
		xor	ecx, ecx
		mov	[ebp+var_C], ax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		xor	ecx, ecx
		cmp	[eax+3EA0h], ecx
		jz	loc_573FFA
		mov	byte ptr [ebp+var_1C], 20h

loc_573D6F:				; CODE XREF: PpmParkApplyPolicy+302j
		mov	edi, _PpmParkLpiCap
		xor	edx, edx
		push	ebx
		push	esi
		mov	esi, _PpmParkNumNodes
		mov	eax, edi
		div	esi
		movzx	ecx, _PpmParkGranularity
		xor	edx, edx
		mov	ebx, eax
		div	ecx
		sub	ebx, edx
		xor	edx, edx
		mov	[ebp+var_28], ebx
		mov	ebx, _PpmParkThermalCap
		mov	eax, ebx
		div	esi
		xor	edx, edx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_18], eax
		div	ecx
		sub	[ebp+var_18], edx
		xor	edx, edx
		mov	[ebp+var_38], edx
		test	esi, esi
		jz	loc_573F74
		mov	eax, edx

loc_573DBD:				; CODE XREF: PpmParkApplyPolicy+261j
		mov	cl, byte ptr [ebp+var_28]
		imul	ebx, eax, 0D0h
		mov	al, _PpmParkGranularity
		mov	[ebp+var_3], al
		movzx	eax, al
		add	ebx, _PpmParkNodes
		mov	ch, [ebx+6]
		movzx	esi, ch
		sub	esi, eax
		mov	eax, [ebp+var_28]
		movzx	eax, al
		cmp	eax, esi
		jg	loc_5F73C8

loc_573DED:				; CODE XREF: PpmParkApplyPolicy+836C3j
		movzx	eax, cl
		sub	edi, eax
		mov	[ebx+5Eh], cl
		mov	eax, [ebp+var_18]
		mov	cl, al
		movzx	eax, al
		mov	[ebp+var_3C], edi
		cmp	eax, esi
		jg	loc_5F73D2

loc_573E08:				; CODE XREF: PpmParkApplyPolicy+836CDj
		movzx	eax, cl
		lea	edi, [ebx+20h]
		sub	[ebp+var_10], eax
		mov	esi, edx
		mov	[ebx+60h], cl
		mov	[ebp+var_3], dl
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_14], esi
		mov	[ebp+var_34], edi

loc_573E25:				; CODE XREF: PpmParkApplyPolicy+218j
		mov	al, [ebx+esi+58h]
		test	al, al
		jz	loc_573FF2
		movzx	edi, al
		xor	edx, edx
		movzx	eax, byte ptr [ebp+esi+var_C]
		imul	eax, edi
		push	64h
		pop	ecx
		push	64h
		add	eax, 32h
		div	ecx
		mov	cl, _PpmParkGranularity
		mov	[ebp+var_1], al
		movzx	esi, cl
		mov	[ebp+var_4], cl
		movzx	ecx, al
		mov	eax, edi
		sub	eax, ecx
		cdq
		idiv	esi
		mov	eax, [ebp+var_14]
		add	[ebp+var_1], dl
		xor	edx, edx
		pop	ecx
		movzx	eax, byte ptr [ebp+eax+var_8]
		imul	eax, edi
		add	eax, 32h
		div	ecx
		movzx	ecx, al
		mov	[ebp+var_2], al
		sub	edi, ecx
		mov	eax, edi
		mov	cl, [ebp+var_1]
		cdq
		idiv	esi
		mov	al, [ebp+var_2]
		add	al, dl
		cmp	[ebp+var_14], 0
		mov	[ebp+var_2], al
		jnz	loc_5F73DC

loc_573E99:				; CODE XREF: PpmParkApplyPolicy+836D7j
					; PpmParkApplyPolicy+836E2j
		test	al, al
		jz	short loc_573EA8
		mov	dl, [ebp+var_4]
		cmp	dl, al
		ja	loc_5F73F1

loc_573EA8:				; CODE XREF: PpmParkApplyPolicy+191j
					; PpmParkApplyPolicy+836ECj
		cmp	cl, al
		jb	loc_5F73FB

loc_573EB0:				; CODE XREF: PpmParkApplyPolicy+836F4j
		mov	edi, [ebp+var_34]
		xor	edx, edx
		mov	ax, [ebx+4]
		mov	esi, edx
		mov	[ebp+var_44], ax
		mov	[ebp+var_4C], edx
		mov	ecx, [edi-14h]
		mov	[ebp+var_48], ecx

loc_573EC8:				; CODE XREF: PpmParkApplyPolicy+1DEj
					; PpmParkApplyPolicy+836FFj
		lea	eax, [ebp+var_4C]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_573EEF
		mov	ecx, [ebp+var_2C]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		cmp	byte ptr [eax+3F14h], 0
		jz	short loc_573EC8
		jmp	loc_5F7403
; 

loc_573EEF:				; CODE XREF: PpmParkApplyPolicy+1CDj
		mov	edx, [ebp+var_20]
		mov	eax, esi
		or	edx, [edi]
		or	[ebp+var_24], eax
		mov	cl, [ebp+var_1]
		mov	[ebp+var_30], esi
		mov	esi, [ebp+var_14]
		mov	[edi], eax
		mov	al, [ebp+var_2]
		add	[ebp+var_3], al
		mov	[ebp+var_20], edx
		mov	[ebx+esi+5Ch], cl
		mov	[ebx+esi+5Ah], al

loc_573F15:				; CODE XREF: PpmParkApplyPolicy+2EBj
		inc	esi
		add	edi, 4
		mov	[ebp+var_14], esi
		mov	[ebp+var_34], edi
		cmp	esi, 2
		jb	loc_573E25
		mov	eax, [ebp+var_24]
		cmp	edx, eax
		jnz	loc_5F740E

loc_573F33:				; CODE XREF: PpmParkApplyPolicy+83711j
		cmp	[ebp+var_3], 0
		jz	loc_5F7420

loc_573F3D:				; CODE XREF: PpmParkApplyPolicy+8372Aj
		mov	eax, ds:_PpmHeteroPolicy
		xor	edx, edx
		cmp	eax, 2
		jz	loc_5F7439
		cmp	eax, 3
		jz	loc_5F7463

loc_573F56:				; CODE XREF: PpmParkApplyPolicy+83754j
					; PpmParkApplyPolicy+8375Dj ...
		mov	eax, [ebp+var_38]
		mov	esi, _PpmParkNumNodes
		inc	eax
		mov	edi, [ebp+var_3C]
		mov	[ebp+var_38], eax
		movzx	eax, ax
		cmp	eax, esi
		jb	loc_573DBD
		mov	ebx, [ebp+var_10]

loc_573F74:				; CODE XREF: PpmParkApplyPolicy+ABj
					; PpmParkApplyPolicy+83791j ...
		test	edi, edi
		jnz	loc_5F7497

loc_573F7C:				; CODE XREF: PpmParkApplyPolicy+83799j
					; PpmParkApplyPolicy+837F4j ...
		test	ebx, ebx
		jnz	loc_5F74FA

loc_573F84:				; CODE XREF: PpmParkApplyPolicy+837FCj
		mov	edi, edx
		test	esi, esi
		jz	short loc_573FD0

loc_573F8A:				; CODE XREF: PpmParkApplyPolicy+2C2j
		imul	esi, edx, 0D0h
		add	esi, _PpmParkNodes
		mov	bl, [esi+5Eh]
		movzx	edx, byte ptr [esi+6]
		movzx	eax, bl
		mov	ecx, edx
		sub	ecx, eax
		movzx	eax, byte ptr [esi+5Fh]
		cmp	eax, ecx
		jnz	loc_5F755C
		movzx	eax, byte ptr [esi+60h]
		sub	edx, eax
		movzx	eax, byte ptr [esi+61h]
		cmp	eax, edx
		jnz	loc_5F755C

loc_573FC2:				; CODE XREF: PpmParkApplyPolicy+83875j
		inc	edi
		movzx	edx, di
		cmp	edx, _PpmParkNumNodes
		jb	short loc_573F8A
		xor	edx, edx

loc_573FD0:				; CODE XREF: PpmParkApplyPolicy+27Ej
		mov	eax, [ebp+var_40]
		pop	esi
		pop	ebx
		mov	eax, [eax+0B0h]
		test	eax, eax
		jnz	loc_5F7584
		mov	ds:_PpmParkSoftParkingEnabled, dl

loc_573FE9:				; CODE XREF: PpmParkApplyPolicy+1Cj
					; PpmParkApplyPolicy+838A0j
		mov	_KeSoftParkedQueueThreshold, edx
		pop	edi
		leave
		retn
; 

loc_573FF2:				; CODE XREF: PpmParkApplyPolicy+121j
		mov	edx, [ebp+var_20]
		jmp	loc_573F15
; 

loc_573FFA:				; CODE XREF: PpmParkApplyPolicy+5Bj
		mov	eax, ds:_PpmParkInitialClass1UnParkCount
		push	20h
		pop	edx
		mov	[ebp+var_1C], edx
		cmp	eax, edx
		jbe	short loc_574011

loc_574009:				; CODE XREF: PpmParkApplyPolicy+30Aj
		mov	byte ptr [ebp+var_8+1],	cl
		jmp	loc_573D6F
; 

loc_574011:				; CODE XREF: PpmParkApplyPolicy+2FDj
		mov	byte ptr [ebp+var_1C], al
		jmp	short loc_574009
PpmParkApplyPolicy endp


;  S U B	R O U T	I N E 


; __stdcall PpmCheckResetProcessors(x)
_PpmCheckResetProcessors@4 proc	near	; CODE XREF: PpmCheckArmPeriod+83p
					; PpmRegisterPerfStates+6B3p
		test	ecx, ecx
		jnz	short loc_57402E
		mov	ecx, offset _PpmCheckRegistered

loc_57401F:				; CODE XREF: PpmCheckResetProcessors(x)+1Bj
		push	0
		push	0
		mov	edx, offset _PpmCheckReset@12 ;	PpmCheckReset(x,x,x)
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		retn
; 

loc_57402E:				; CODE XREF: PpmCheckResetProcessors(x)+2j
		add	ecx, 0Ch
		jmp	short loc_57401F
_PpmCheckResetProcessors@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfResetHistory proc near		; CODE XREF: PpmPerfRecordUtility+12A317p
					; PpmPerfResetHistoryAll()+3Ep	...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F75AF SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ecx+10h]
		test	esi, esi
		jnz	loc_5F75AF

loc_574046:				; CODE XREF: PpmPerfResetHistory+835DBj
		pop	esi
		leave
		retn
PpmPerfResetHistory endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmCheckReset(x, x,	x)
_PpmCheckReset@12 proc near		; DATA XREF: PpmCheckResetProcessors(x)+Do

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		lea	ecx, [ecx+3EA0h]
		call	_PpmResetPerfTimes@4 ; PpmResetPerfTimes(x)
		xor	eax, eax
		pop	ebp
		retn	0Ch
_PpmCheckReset@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmResetPerfTimes(x)
_PpmResetPerfTimes@4 proc near		; CODE XREF: PpmCheckReset(x,x,x)+Ep
					; PpmCheckProcessorInit(x,x,x)+Fp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ecx+8]
		mov	[ebp+var_4], ebx
		push	esi
		push	edi
		test	ebx, ebx
		jz	short loc_5740CD
		lea	esi, [ecx-3EA0h]
		add	ebx, 20h
		mov	ecx, esi
		call	PpmResetPerformanceAccumulation
		push	ebx
		push	0
		push	0
		mov	dl, 1
		mov	ecx, esi
		call	PpmSnapPerformanceAccumulation
		mov	edx, [ebp+var_4]
		mov	esi, ebx
		push	18h
		pop	ecx
		lea	edi, [edx+0E0h]
		rep movsd
		mov	eax, [ebx]
		mov	[edx+8], eax
		mov	eax, [ebx+4]
		mov	[edx+0Ch], eax
		mov	eax, [ebx+8]
		mov	[edx], eax
		mov	eax, [ebx+0Ch]
		mov	[edx+4], eax
		mov	eax, [ebx+10h]
		mov	[edx+10h], eax
		mov	eax, [ebx+14h]
		mov	[edx+14h], eax
		mov	eax, [ebx+58h]
		mov	[edx+18h], eax

loc_5740CD:				; CODE XREF: PpmResetPerfTimes(x)+11j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PpmResetPerfTimes@4 endp


;  S U B	R O U T	I N E 


PpmResetPerformanceAccumulation	proc near ; CODE XREF: PpmResetPerfTimes(x)+1Ep

; FUNCTION CHUNK AT 005F7614 SIZE 00000018 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	eax, eax
		mov	edx, [esi+3D54h]
		and	edx, 4
		or	eax, edx
		jnz	loc_5F7614

loc_5740EA:				; CODE XREF: PpmResetPerformanceAccumulation+83555j
		rdtsc
		push	0
		mov	[esi+3DB8h], eax
		mov	[esi+3DBCh], edx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[esi+3DD0h], eax
		mov	[esi+3DD4h], edx
		pop	esi
		retn
PpmResetPerformanceAccumulation	endp


;  S U B	R O U T	I N E 


; __stdcall PpmQueryTime()
_PpmQueryTime@0	proc near		; CODE XREF: PpmIdleInitializeConcurrency(x,x,x)+E6p
					; PopPdcIdleResiliencyCallback(x,x)+47p
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		retn
_PpmQueryTime@0	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1313. KeSubtractAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSubtractAffinityEx(x, x, x)
		public _KeSubtractAffinityEx@12
_KeSubtractAffinityEx@12 proc near	; CODE XREF: KiIpiSendRequest+12A15Ap
					; PpmCheckContinueExecution+129EE3p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+8]
		mov	eax, [ebp+arg_0]
		not	ecx
		and	ecx, [eax+8]
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_574147
		xor	edx, edx
		mov	[eax+8], ecx
		inc	edx
		and	dword ptr [eax+4], 0
		mov	[eax+2], dx
		mov	[eax], dx

loc_574147:				; CODE XREF: KeSubtractAffinityEx(x,x,x)+18j
		xor	eax, eax
		test	ecx, ecx
		setnz	al
		pop	ebp
		retn	0Ch
_KeSubtractAffinityEx@12 endp

; 
		align 8
; Exported entry 1214. KeQueryActiveProcessorAffinity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryActiveProcessorAffinity(x)
		public _KeQueryActiveProcessorAffinity@4
_KeQueryActiveProcessorAffinity@4 proc near ; CODE XREF: PpmRegisterPerfStates+7Bp
					; PpmCheckInitProcessors+4Ep ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, offset _KeActiveProcessors
		movsd
		movsd
		movsd
		mov	eax, ds:_KeNumberProcessors
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_KeQueryActiveProcessorAffinity@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmHeteroDetectHgsCores	proc near	; CODE XREF: PopInitializeHeteroProcessors(x)+CDp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= word ptr -10h
var_E		= word ptr -0Eh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F762C SIZE 0000018B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_E], ax
		mov	[ebp+var_8], ebx
		cmp	ds:_PpmHeteroHgsEnabled, al
		jnz	loc_5F762C

loc_574199:				; CODE XREF: PpmHeteroDetectHgsCores+834BCj
					; PpmHeteroDetectHgsCores+8363Cj
		pop	edi
		pop	ebx
		leave
		retn
PpmHeteroDetectHgsCores	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmHeteroUpdateHgsConfiguration	proc near ; CODE XREF: PopInitializeHeteroProcessors(x)+A9p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= word ptr -28h
var_26		= word ptr -26h
var_24		= dword	ptr -24h
var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F77B7 SIZE 000003EC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		and	[ebp+var_24], eax
		push	ebx
		xor	bl, bl
		mov	[ebp+var_26], ax
		mov	[ebp+var_1D], bl
		cmp	ds:_PpmHeteroHgsEnabled, al
		jnz	loc_5F77B7

loc_5741CB:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+8361Fj
					; PpmHeteroUpdateHgsConfiguration+83634j ...
		mov	ecx, [ebp+var_4]
		mov	al, bl
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PpmHeteroUpdateHgsConfiguration	endp

; 
		align 10h
; Exported entry 1197. KeIsEqualAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeIsEqualAffinityEx(x, x)
		public _KeIsEqualAffinityEx@8
_KeIsEqualAffinityEx@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	eax, [eax+8]
		sub	eax, [ecx+8]
		neg	eax
		sbb	eax, eax
		inc	eax
		pop	ebp
		retn	8
_KeIsEqualAffinityEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLazyWriteWorker proc	near		; DATA XREF: CmpInitializeLazyWriters+6Eo

var_12		= byte ptr -12h
var_10		= dword	ptr -10h
var_A		= byte ptr -0Ah
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F7BA3 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[esp+18h+var_8], eax
		mov	[esp+18h+var_4], eax
		mov	[esp+0Fh], al

loc_574219:				; CODE XREF: CmpLazyWriteWorker+92j
		push	eax
		push	eax
		push	1
		push	eax
		lea	eax, [esi+48h]
		push	eax
		call	KeWaitForSingleObject
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [esi+58h]
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		and	dword ptr [esi+64h], 0
		mov	dword ptr [esi+60h], 2
		test	ds:byte_70EFC6,	1
		jnz	loc_5F7BA3
		xor	eax, eax
		lock and [edi],	eax

loc_574256:				; CODE XREF: CmpLazyWriteWorker+839B3j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [esp+18h+var_8]
		push	eax
		lea	eax, [esp+13h]
		push	eax
		call	dword ptr [esi+5Ch]
		cmp	ds:_CmpCannotWriteConfiguration, 0
		mov	bl, al
		jnz	short loc_57428E

loc_574276:				; CODE XREF: CmpLazyWriteWorker+9Aj
					; CmpLazyWriteWorker+839C6j ...
		movzx	edx, bl
		lea	eax, [esp+20h+var_10]
		neg	edx
		mov	ecx, esi
		sbb	edx, edx
		and	edx, eax
		call	_CmpCompleteLazyWrite@8	; CmpCompleteLazyWrite(x,x)
		xor	eax, eax
		jmp	short loc_574219
; 

loc_57428E:				; CODE XREF: CmpLazyWriteWorker+7Aj
		cmp	esi, offset _CmpLazyWriterData
		jnz	short loc_574276
		jmp	loc_5F7BB2
CmpLazyWriteWorker endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiLockAndInsertPageInFreeList(x)
_MiLockAndInsertPageInFreeList@4 proc near
					; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+69Fp
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+C7Ap ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, edi
		mov	esi, eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		push	2
		pop	edx
		mov	ecx, esi
		mov	bl, al
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	eax, 7FFFFFFFh
		lea	ecx, [edi+10h]
		lock and [ecx],	eax
		mov	cl, bl
		pop	edi
		pop	esi
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiLockAndInsertPageInFreeList@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiUpdateTimer2Collections(x)
_KiUpdateTimer2Collections@4 proc near	; CODE XREF: KeSetTimer2+32Ap
					; KiExpireTimer2+F1DD2p
		mov	edi, edi
		push	ebx
		mov	bl, [ecx+51h]
		and	bl, 1Eh
		xor	edx, edx

loc_5742E7:				; CODE XREF: KiUpdateTimer2Collections(x)+19j
		cmp	ds:_KiTimer2Combinations[edx], bl
		jz	short loc_5742F9

loc_5742EF:				; CODE XREF: KiUpdateTimer2Collections(x)+2Fj
		add	edx, 3
		cmp	edx, 12h
		jb	short loc_5742E7
		pop	ebx
		retn
; 

loc_5742F9:				; CODE XREF: KiUpdateTimer2Collections(x)+11j
		mov	al, ds:byte_4102E1[edx]
		mov	[ecx+52h], al
		mov	al, ds:byte_4102E2[edx]
		mov	[ecx+53h], al
		jmp	short loc_5742EF
_KiUpdateTimer2Collections@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtLogAuditRecord(x)
_SepAdtLogAuditRecord@4	proc near	; CODE XREF: SeReportSecurityEventWithSubCategory+1FAp
					; SepAuditAssignPrimaryToken+1FCp ...

var_26		= dword	ptr -26h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		cmp	_SepRmAuditingEnabled, 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+38h+var_26+2], edi
		jnz	short loc_574340
		test	byte ptr [edi+14h], 2
		jnz	loc_57451F

loc_574340:				; CODE XREF: SepAdtLogAuditRecord(x)+26j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		xor	ebx, ebx
		mov	byte ptr [esp+38h+var_26+1], al
		cmp	al, 2
		push	69416553h
		setnz	bl
		dec	ebx
		and	ebx, 1FFh
		push	30h
		inc	ebx
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_574388
		cmp	dword ptr [edi+4], 209h
		jz	loc_57451F
		mov	ecx, 0C000009Ah
		call	_SepAuditFailedRaisedIrql@4 ; SepAuditFailedRaisedIrql(x)
		jmp	loc_57451F
; 

loc_574388:				; CODE XREF: SepAdtLogAuditRecord(x)+5Cj
		and	dword ptr [esi+20h], 0
		xor	eax, eax
		and	dword ptr [esi+24h], 0
		inc	eax
		mov	[esi+0Ch], eax
		mov	[esi+18h], eax
		call	_KeIsExecutingInArbitraryThreadContext@0 ; KeIsExecutingInArbitraryThreadContext()
		test	eax, eax
		jz	short loc_5743A6
		xor	eax, eax
		jmp	short loc_5743B2
; 

loc_5743A6:				; CODE XREF: SepAdtLogAuditRecord(x)+92j
		mov	eax, large fs:124h
		push	eax
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)

loc_5743B2:				; CODE XREF: SepAdtLogAuditRecord(x)+96j
		mov	[esi+2Ch], eax
		test	eax, eax
		jz	short loc_5743C5
		mov	edx, 69416553h
		mov	ecx, eax
		call	ObfReferenceObjectWithTag

loc_5743C5:				; CODE XREF: SepAdtLogAuditRecord(x)+A9j
		push	ebx
		lea	eax, [esi+8]
		mov	ecx, edi
		lea	edx, [esi+10h]
		push	eax
		call	SepAdtMarshallAuditRecord
		mov	ebx, eax
		mov	[esp+38h+var_20], ebx
		test	ebx, ebx
		js	loc_5744C4
		cmp	_SepRmAuditingEnabled, 0
		jnz	short loc_57441D
		mov	eax, [esi+10h]
		test	byte ptr [eax+14h], 2
		jz	short loc_57441D
		mov	ecx, [esi+2Ch]
		test	ecx, ecx
		jz	short loc_574408
		mov	edx, 69416553h
		call	ObfDereferenceObjectWithTag
		mov	eax, [esi+10h]

loc_574408:				; CODE XREF: SepAdtLogAuditRecord(x)+EBj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_57451F
; 

loc_57441D:				; CODE XREF: SepAdtLogAuditRecord(x)+DBj
					; SepAdtLogAuditRecord(x)+E4j
		mov	eax, [esi+10h]
		mov	ebx, 209h
		mov	eax, [eax+0Ch]
		mov	[esi+1Ch], eax
		cmp	[edi+4], ebx
		jnz	short loc_574479
		test	byte ptr [edi+14h], 10h
		jz	short loc_574479
		cmp	eax, 0E0h
		ja	loc_5744FD
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+38h+var_1C]
		rep stosd
		mov	ecx, ds:_SepRmLsaCallProcess
		lea	eax, [esp+38h+var_1C]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		mov	ecx, esi
		call	SepRmDispatchDataToLsa
		xor	edx, edx
		lea	ecx, [esp+38h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	edi, [esp+38h+var_26+2]
		jmp	loc_5744FD
; 

loc_574479:				; CODE XREF: SepAdtLogAuditRecord(x)+120j
					; SepAdtLogAuditRecord(x)+126j
		lea	eax, [esp+38h+var_26]
		mov	byte ptr [esp+38h+var_26], 0
		push	eax
		mov	edx, esi
		mov	ecx, offset _SepLsaAuditQueueInfo
		call	SepQueueWorkItem
		test	al, al
		jnz	short loc_5744FD
		mov	ecx, [esi+2Ch]
		test	ecx, ecx
		jz	short loc_5744A4
		mov	edx, 69416553h
		call	ObfDereferenceObjectWithTag

loc_5744A4:				; CODE XREF: SepAdtLogAuditRecord(x)+18Aj
		push	0
		push	dword ptr [esi+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	byte ptr [esp+38h+var_26], 0
		jnz	short loc_5744FD
		mov	ecx, 0C0000001h
		jmp	short loc_5744F8
; 

loc_5744C4:				; CODE XREF: SepAdtLogAuditRecord(x)+CEj
		mov	ecx, [esi+2Ch]
		test	ecx, ecx
		jz	short loc_5744D5
		mov	edx, 69416553h
		call	ObfDereferenceObjectWithTag

loc_5744D5:				; CODE XREF: SepAdtLogAuditRecord(x)+1BBj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	_SepAdtLastAuditFailStatus, ebx
		lock inc _SepAdtAuditFailureCount
		mov	ebx, 209h
		cmp	[edi+4], ebx
		jz	short loc_5744FD
		mov	ecx, [esp+38h+var_20]

loc_5744F8:				; CODE XREF: SepAdtLogAuditRecord(x)+1B4j
		call	_SepAuditFailedRaisedIrql@4 ; SepAuditFailedRaisedIrql(x)

loc_5744FD:				; CODE XREF: SepAdtLogAuditRecord(x)+12Dj
					; SepAdtLogAuditRecord(x)+166j	...
		cmp	_SepAdtAuditFailureCount, 0
		jz	short loc_57451F
		cmp	byte ptr [esp+38h+var_26+1], 2
		jnb	short loc_57451F
		cmp	[edi+4], ebx
		jz	short loc_57451F
		mov	ecx, _SepAdtLastAuditFailStatus
		xor	dl, dl
		call	_SepAdtLogAuditFailureEvent@8 ;	SepAdtLogAuditFailureEvent(x,x)

loc_57451F:				; CODE XREF: SepAdtLogAuditRecord(x)+2Cj
					; SepAdtLogAuditRecord(x)+65j ...
		mov	ecx, [esp+38h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_SepAdtLogAuditRecord@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAdtMarshallAuditRecord proc near	; CODE XREF: SepAdtLogAuditRecord(x)+C1p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F7BCF SIZE 00000134 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		lea	eax, [ecx+18h]
		mov	[ebp+var_C], ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], eax
		xor	esi, esi
		mov	[ebp+var_8], edi
		mov	edx, eax
		mov	[ebp+var_10], esi
		mov	eax, [ecx+8]
		mov	ebx, esi
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_57458E

loc_57455E:				; CODE XREF: SepAdtMarshallAuditRecord+5Aj
		cmp	dword ptr [edx], 11h
		jz	loc_5F7BCF
		mov	ecx, [edx+4]
		add	ecx, 3
		and	ecx, 0FFFFFFFCh

loc_574570:				; CODE XREF: SepAdtMarshallAuditRecord+836B4j
					; SepAdtMarshallAuditRecord+836E1j
		lea	eax, [ecx+ebx]
		cmp	eax, ebx
		jb	loc_5F7C18
		mov	ecx, [ebp+var_10]
		mov	ebx, eax
		mov	eax, [ebp+var_14]
		inc	ecx
		add	edx, 14h
		mov	[ebp+var_10], ecx
		cmp	ecx, eax
		jb	short loc_57455E

loc_57458E:				; CODE XREF: SepAdtMarshallAuditRecord+2Aj
		imul	eax, 14h
		push	70416553h
		add	eax, 18h
		add	ebx, eax
		push	ebx
		push	[ebp+arg_4]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi], eax
		test	eax, eax
		mov	eax, [ebp+arg_0]
		jz	loc_5F7C22
		xor	ecx, ecx
		cmp	[ebp+arg_4], 1
		setnz	cl
		add	ecx, 4
		mov	[eax], ecx
		mov	ecx, [ebp+var_C]
		imul	eax, [ecx+8], 14h
		add	eax, 18h
		push	eax		; size_t
		push	ecx		; void *
		push	dword ptr [edi]	; void *
		call	_memcpy
		mov	eax, [edi]
		add	esp, 0Ch
		mov	[ebp+arg_0], esi
		mov	[eax+0Ch], ebx
		mov	eax, [edi]
		or	dword ptr [eax+14h], 1
		mov	eax, [ebp+var_C]
		mov	edx, [edi]
		mov	ecx, [eax+8]
		imul	ebx, ecx, 14h
		add	ebx, 18h
		add	ebx, edx
		test	ecx, ecx
		jz	loc_57468F
		lea	eax, [edx+28h]
		mov	ecx, esi
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+arg_4]

loc_574609:				; CODE XREF: SepAdtMarshallAuditRecord+157j
		mov	eax, [eax]
		dec	eax
		cmp	eax, 21h
		ja	short loc_57466D
		movzx	eax, ds:byte_5746DE[eax]
		jmp	ds:off_5746C6[eax*4]

loc_57461F:				; DATA XREF: .text:off_5746C6o
		mov	eax, [ebp+var_4]
		mov	esi, ebx
		mov	ecx, [ebp+var_8]
		mov	edi, [eax+10h]
		mov	eax, ebx
		sub	eax, [ecx]
		add	ebx, 8
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		push	ebx		; void *
		call	_memcpy
		movzx	eax, word ptr [edi]
		add	esp, 0Ch
		mov	ecx, [ebp+var_8]
		mov	[esi], ax
		mov	[esi+2], ax
		mov	eax, ebx
		sub	eax, [ecx]
		mov	[esi+4], eax
		movzx	eax, word ptr [edi]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	ebx, eax

loc_574665:				; CODE XREF: SepAdtMarshallAuditRecord+837CCj
		mov	edx, [ebp+arg_4]
		xor	esi, esi

loc_57466A:				; CODE XREF: SepAdtMarshallAuditRecord+18Fj
					; SepAdtMarshallAuditRecord+83774j
		mov	ecx, [ebp+arg_0]

loc_57466D:				; CODE XREF: SepAdtMarshallAuditRecord+DDj
					; SepAdtMarshallAuditRecord+E6j ...
		mov	edi, [ebp+var_C]
		inc	ecx
		mov	eax, [ebp+var_4]
		add	edx, 14h
		add	eax, 14h
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_4], eax
		cmp	ecx, [edi+8]
		mov	edi, [ebp+var_8]
		mov	[ebp+arg_4], edx
		jb	loc_574609

loc_57468F:				; CODE XREF: SepAdtMarshallAuditRecord+C3j
					; SepAdtMarshallAuditRecord+836EBj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_574698:				; CODE XREF: SepAdtMarshallAuditRecord+E6j
					; SepAdtMarshallAuditRecord+8370Dj
					; DATA XREF: ...
		mov	eax, [ebp+var_4]
		push	dword ptr [eax+4] ; size_t
		push	dword ptr [eax+10h] ; void *
		push	ebx		; void *
		call	_memcpy
		mov	edx, [ebp+arg_4]
		mov	eax, ebx
		sub	eax, [edi]
		add	esp, 0Ch
		mov	[edx], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+4]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	ebx, eax
		jmp	short loc_57466A
SepAdtMarshallAuditRecord endp

; 
		db 8Dh
		db 49h,	0
off_5746C6	dd offset loc_57461F	; DATA XREF: SepAdtMarshallAuditRecord+E6r
		dd offset loc_574698
		dd offset loc_5F7C44
		dd offset loc_5F7C2E
		dd offset loc_5F7C39
		dd offset loc_57466D
byte_5746DE	db 0			; DATA XREF: SepAdtMarshallAuditRecord+DFr
		align 10h
		dd 5050105h, 5010105h, 5010505h, 5020505h, 3050505h, 5050101h
		dd 1010105h, 10401h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleInstallDefaultStates(x, x, x)
_PpmIdleInstallDefaultStates@12	proc near ; DATA XREF: PpmIdleRegisterDefaultStates+C5o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		push	ecx
		lea	eax, [edx+3D70h]
		push	edx
		mov	[ecx+8], eax
		call	PpmInstallNewIdleStates
		pop	ebp
		retn	0Ch
_PpmIdleInstallDefaultStates@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmInstallNewIdleStates	proc near	; CODE XREF: PpmIdleInstallDefaultStates(x,x,x)+19p
					; DATA XREF: PpmUpdateIdleStates+9Ao

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F7D03 SIZE 000000AE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	ebx
		mov	[ebp+var_34], ecx
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+arg_4]
		lea	eax, [ecx+3D70h]
		mov	ecx, [eax]
		inc	edx
		mov	[ebp+var_38], esi
		mov	[ebp+var_20], eax
		test	ecx, ecx
		jz	loc_574B1C
		cmp	[ebp+arg_8], edx
		jz	loc_574B0A
		mov	cl, [ecx+1]
		mov	[ebp+var_11], cl
		mov	ecx, eax
		call	PpmUpdateProcessorIdleAccounting
		xor	edx, edx
		inc	edx

loc_574773:				; CODE XREF: PpmInstallNewIdleStates+3FDj
		push	edi
		mov	edi, [esi+44h]
		mov	[ebp+var_2C], edi
		test	edi, edi
		jz	loc_5F7D03
		mov	ecx, ebx
		mov	[ebp+var_1C], ecx
		cmp	[esi+0Fh], dl
		jnz	short loc_5747A9
		test	edi, edi
		jz	short loc_5747A9
		lea	eax, [esi+48h]
		mov	edx, edi

loc_574795:				; CODE XREF: PpmInstallNewIdleStates+82j
		test	dword ptr [eax], 100h
		jnz	short loc_57479E
		inc	ecx

loc_57479E:				; CODE XREF: PpmInstallNewIdleStates+79j
		add	eax, 18h
		sub	edx, 1
		jnz	short loc_574795
		mov	[ebp+var_1C], ecx

loc_5747A9:				; CODE XREF: PpmInstallNewIdleStates+68j
					; PpmInstallNewIdleStates+6Cj
		mov	eax, [esi+40h]
		imul	edx, edi, 44h
		add	edx, 10Fh
		and	edx, 0FFFFFFFCh
		mov	[ebp+var_3C], edx
		lea	edx, [edx+eax*8]
		mov	eax, ecx
		shl	eax, 4
		lea	ecx, [edx+7]
		add	ecx, eax
		mov	[ebp+var_44], eax
		imul	eax, edi, 3E8h
		and	ecx, 0FFFFFFF8h
		mov	[ebp+var_28], ecx
		mov	[ebp+var_40], edx
		add	eax, 2Fh
		add	eax, ecx
		lea	ecx, ds:0Fh[edi*4]
		and	eax, 0FFFFFFF8h
		add	ecx, eax
		mov	[ebp+var_48], eax
		mov	eax, _PpmIdleVetoList
		and	ecx, 0FFFFFFF8h
		mov	[ebp+var_18], ecx
		mov	[ebp+var_24], ecx
		test	eax, eax
		jnz	loc_5F7D0D

loc_574804:				; CODE XREF: PpmInstallNewIdleStates+835F8j
		push	694D5050h
		push	ecx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_30], esi
		test	esi, esi
		jz	loc_5F7D1F
		push	[ebp+var_18]	; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+var_38]
		add	esp, 0Ch
		mov	eax, [ebp+arg_8]
		mov	[esi+24h], eax
		mov	eax, [ecx+28h]
		mov	[esi+28h], eax
		mov	eax, [ecx+2Ch]
		mov	[esi+2Ch], eax
		mov	al, [ecx+0Fh]
		mov	[esi], al
		mov	al, [ecx+0Ch]
		mov	[esi+2], al
		mov	al, [ecx+0Eh]
		mov	[esi+8], al
		mov	[esi+40h], ebx
		mov	[esi+20h], edi
		mov	eax, [ecx+10h]
		mov	[esi+60h], eax
		mov	eax, [ecx+18h]
		mov	[esi+6Ch], eax
		mov	eax, [ecx+1Ch]
		mov	[esi+70h], eax
		mov	eax, [ecx+20h]
		mov	[esi+74h], eax
		mov	eax, [ecx+30h]
		mov	[esi+68h], eax
		mov	eax, [ecx+24h]
		mov	[esi+64h], eax
		mov	eax, [ecx+34h]
		mov	[esi+78h], eax
		mov	eax, [ecx+14h]
		mov	[esi+7Ch], eax
		mov	eax, [ecx+38h]
		mov	[esi+80h], eax
		mov	eax, [ecx+3Ch]
		mov	[esi+84h], eax
		mov	eax, [ecx+8]
		mov	[esi+88h], eax
		mov	eax, [ecx+40h]
		mov	[esi+0C0h], eax
		mov	eax, [ebp+var_3C]
		add	eax, esi
		mov	[esi+0C8h], eax
		xor	eax, eax
		inc	eax
		mov	[esi+0FCh], eax
		lea	eax, [esi+104h]
		mov	[esi+108h], eax
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	loc_574B24
		mov	edx, [ebp+var_44]
		mov	[esi+0ECh], eax
		mov	eax, [ebp+var_40]
		add	eax, esi
		mov	[esi+0F0h], eax
		add	edx, eax

loc_5748EF:				; CODE XREF: PpmInstallNewIdleStates+404j
		xor	eax, eax
		mov	[esi+4Ch], ebx
		inc	eax
		mov	[esi+50h], ebx
		mov	[esi+48h], ax
		mov	[esi+4Ah], ax
		mov	eax, [ebp+var_24]
		add	eax, esi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], eax
		test	edi, edi
		jz	loc_5749E0
		lea	eax, [edx+4]
		lea	edx, [ecx+48h]
		mov	[ebp+var_24], eax
		lea	ecx, [esi+118h]
		mov	esi, eax

loc_574924:				; CODE XREF: PpmInstallNewIdleStates+2B5j
		mov	eax, [edx+10h]
		mov	[ecx], eax
		mov	eax, [edx+14h]
		mov	[ecx+4], eax
		xor	eax, eax
		inc	eax
		mov	[ecx-8], ebx
		mov	[ecx-0Ch], ax
		mov	[ecx-0Ah], ax
		mov	[ecx-4], ebx
		mov	eax, [edx]
		shr	eax, 3
		and	al, 0Fh
		mov	[ecx+30h], al
		mov	al, [edx]
		and	al, 1
		mov	[ecx+32h], al
		mov	eax, [edx]
		shr	eax, 2
		and	al, 1
		mov	[ecx+33h], al
		mov	eax, [edx]
		shr	eax, 1
		and	al, 1
		mov	[ecx+34h], al
		mov	eax, [edx]
		test	eax, eax
		js	loc_574B2B

loc_57496E:				; CODE XREF: PpmInstallNewIdleStates+414j
		shr	eax, 7
		and	al, 1
		mov	[ecx+35h], al
		mov	eax, [edx]
		shr	eax, 8
		and	al, 1
		mov	[ecx+36h], al
		mov	eax, [edx]
		shr	eax, 1Eh
		and	al, 1
		mov	[ecx+37h], al
		mov	eax, [edx+4]
		mov	[ecx+8], eax
		mov	eax, [edx+0Ch]
		mov	[ecx+10h], eax
		mov	eax, [edx+8]
		mov	[ecx+0Ch], eax
		lea	eax, [ecx+1Ch]
		mov	[ecx+20h], eax
		mov	[eax], eax
		cmp	[ebp+var_1C], ebx
		ja	loc_574B3B

loc_5749AD:				; CODE XREF: PpmInstallNewIdleStates+420j
					; PpmInstallNewIdleStates+8360Ej
		mov	eax, _PpmIdleVetoList
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	loc_5F7D35

loc_5749BD:				; CODE XREF: PpmInstallNewIdleStates+83627j
		lea	eax, [esi-4]
		test	eax, eax
		jnz	loc_574B4D

loc_5749C8:				; CODE XREF: PpmInstallNewIdleStates+431j
		mov	eax, [ebp+var_1C]

loc_5749CB:				; CODE XREF: PpmInstallNewIdleStates+445j
		inc	eax
		add	edx, 18h
		add	ecx, 44h
		mov	[ebp+var_1C], eax
		cmp	eax, edi
		jb	loc_574924
		mov	esi, [ebp+var_30]

loc_5749E0:				; CODE XREF: PpmInstallNewIdleStates+1EBj
		mov	edi, [ebp+var_28]
		mov	eax, [ebp+var_48]
		add	edi, esi
		add	eax, esi
		mov	[esi+0E4h], eax
		mov	eax, [ebp+var_2C]
		mov	[edi], eax
		cmp	_PpmIdleVetoList, ebx
		jnz	loc_5F7D4E

loc_574A01:				; CODE XREF: PpmInstallNewIdleStates+8362Ej
					; PpmInstallNewIdleStates+83650j
		mov	ecx, offset _PpmIdleVetoLock
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [ebp+var_20]
		xor	eax, eax
		inc	eax
		mov	ecx, [edx]
		mov	[edx], esi
		mov	[ebp+var_18], ecx
		test	ds:byte_70EFC6,	al
		jnz	loc_5F7D77
		xor	eax, eax
		mov	edx, offset _PpmIdleVetoLock
		lock and [edx],	eax

loc_574A2E:				; CODE XREF: PpmInstallNewIdleStates+83665j
		mov	edx, [ebp+var_20]
		cmp	[ebp+var_11], bl
		jnz	loc_5F7D8C

loc_574A3A:				; CODE XREF: PpmInstallNewIdleStates+83670j
		test	ecx, ecx
		jz	loc_574B6C
		mov	eax, [ecx+10h]
		cmp	eax, [ebp+var_2C]
		jnb	loc_574B6C

loc_574A4E:				; CODE XREF: PpmInstallNewIdleStates+44Cj
		mov	ecx, esi
		mov	[ecx+10h], eax
		mov	al, [ebp+var_11]
		mov	[esi+1], al
		mov	ecx, [edx+4]
		mov	[ebp+var_28], ecx
		mov	[edx+4], edi
		test	ecx, ecx
		jz	loc_574B73
		mov	eax, [ecx+18h]
		mov	[edi+18h], eax
		mov	eax, [ecx+1Ch]
		mov	[edi+1Ch], eax
		cmp	[ecx], ebx
		jbe	short loc_574A9E
		lea	edx, [ecx+28h]
		mov	esi, ebx

loc_574A7F:				; CODE XREF: PpmInstallNewIdleStates+374j
		mov	eax, [edx]
		lea	edx, [edx+3E8h]
		add	[edi+18h], eax
		mov	eax, [edx-3E4h]
		adc	[edi+1Ch], eax
		inc	esi
		cmp	esi, [ecx]
		jb	short loc_574A7F
		mov	esi, [ebp+var_30]

loc_574A9B:				; CODE XREF: PpmInstallNewIdleStates+468j
		mov	edx, [ebp+var_20]

loc_574A9E:				; CODE XREF: PpmInstallNewIdleStates+356j
		mov	ecx, edx
		call	_PpmResetIdlePolicy@4 ;	PpmResetIdlePolicy(x)
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_574AB3
		mov	eax, [eax+8]
		inc	eax
		mov	[edi+8], eax

loc_574AB3:				; CODE XREF: PpmInstallNewIdleStates+388j
		xor	eax, eax
		mov	[ebp+var_C], ebx
		inc	eax
		xor	ecx, ecx
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		mov	eax, [ebp+var_34]
		mov	eax, [eax+3CCh]
		bts	ecx, eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_8], ecx
		push	eax
		mov	ecx, esi
		call	_PpmDeepestHardwareIdleState@4 ; PpmDeepestHardwareIdleState(x)
		movzx	eax, al
		push	eax
		call	off_6B129C	; RtlEndStrongEnumerationHashTable(x,x)
		xor	eax, eax
		inc	eax
		cmp	[esi+24h], eax
		jz	short loc_574AF7
		cmp	[esi], al
		jz	loc_5F7D97

loc_574AF7:				; CODE XREF: PpmInstallNewIdleStates+3CBj
					; PpmInstallNewIdleStates+8368Aj
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_574B09
		push	694D5050h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_574B09:				; CODE XREF: PpmInstallNewIdleStates+3DAj
					; PpmInstallNewIdleStates+835E6j ...
		pop	edi

loc_574B0A:				; CODE XREF: PpmInstallNewIdleStates+3Bj
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_574B1C:				; CODE XREF: PpmInstallNewIdleStates+32j
		mov	[ebp+var_11], bl
		jmp	loc_574773
; 

loc_574B24:				; CODE XREF: PpmInstallNewIdleStates+1B1j
		mov	edx, ebx
		jmp	loc_5748EF
; 

loc_574B2B:				; CODE XREF: PpmInstallNewIdleStates+246j
		xor	eax, eax
		inc	eax
		mov	[ecx+14h], eax
		mov	[ecx+31h], al
		mov	eax, [edx]
		jmp	loc_57496E
; 

loc_574B3B:				; CODE XREF: PpmInstallNewIdleStates+285j
		cmp	ds:_PpmIdleDisableStatesAtBoot,	2
		jnz	loc_5749AD
		jmp	loc_5F7D29
; 

loc_574B4D:				; CODE XREF: PpmInstallNewIdleStates+2A0j
		test	dword ptr [edx], 100h
		jnz	loc_5749C8
		sub	esi, 10h
		xor	eax, eax
		inc	eax
		mov	[esi-3], al
		mov	eax, [ebp+var_1C]
		mov	[esi], eax
		jmp	loc_5749CB
; 

loc_574B6C:				; CODE XREF: PpmInstallNewIdleStates+31Aj
					; PpmInstallNewIdleStates+326j
		mov	eax, ebx
		jmp	loc_574A4E
; 

loc_574B73:				; CODE XREF: PpmInstallNewIdleStates+342j
		mov	edx, [ebp+var_34]
		mov	eax, ds:_KeMaximumIncrement
		mov	edx, [edx+0Ch]
		mul	dword ptr [edx+194h]
		mov	[edi+18h], eax
		mov	[edi+1Ch], edx
		jmp	loc_574A9B
PpmInstallNewIdleStates	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PpmDeepestHardwareIdleState(x)
_PpmDeepestHardwareIdleState@4 proc near ; CODE	XREF: PpmInstallNewIdleStates+3B6p
		mov	al, 1
		test	ecx, ecx
		jz	short locret_574BB3
		mov	edx, [ecx+20h]
		test	edx, edx
		jz	short locret_574BB3
		add	ecx, 148h
		push	ebx

loc_574BA4:				; CODE XREF: PpmDeepestHardwareIdleState(x)+20j
		mov	bl, [ecx]
		cmp	bl, al
		ja	short loc_574BB4

loc_574BAA:				; CODE XREF: PpmDeepestHardwareIdleState(x)+26j
		add	ecx, 44h
		sub	edx, 1
		jnz	short loc_574BA4
		pop	ebx

locret_574BB3:				; CODE XREF: PpmDeepestHardwareIdleState(x)+4j
					; PpmDeepestHardwareIdleState(x)+Bj
		retn
; 

loc_574BB4:				; CODE XREF: PpmDeepestHardwareIdleState(x)+18j
		mov	al, bl
		jmp	short loc_574BAA
_PpmDeepestHardwareIdleState@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpmResetIdlePolicy(x)
_PpmResetIdlePolicy@4 proc near		; CODE XREF: PpmInstallNewIdleStates+37Ep
					; PpmApplyIdlePolicyChanges(x,x,x)+Ep
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi], 0
		jz	short loc_574BE0
		call	_PpmApplyIdlePolicy@4 ;	PpmApplyIdlePolicy(x)
		mov	ecx, esi
		call	PpmScaleIdleStateValues
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, [esi+4]
		push	edx
		push	eax
		call	_PpmResetProcessorIdleAccounting@12 ; PpmResetProcessorIdleAccounting(x,x,x)

loc_574BE0:				; CODE XREF: PpmResetIdlePolicy(x)+8j
		pop	esi
		retn
_PpmResetIdlePolicy@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmResetProcessorIdleAccounting(x, x, x)
_PpmResetProcessorIdleAccounting@12 proc near ;	CODE XREF: PoIdle(x)+440p
					; PpmResetIdlePolicy(x)+23p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		push	0Ah
		pop	ecx
		mov	eax, [esi+8]
		mov	edi, esi
		mov	ebx, [esi]
		mov	[ebp+var_C], eax
		xor	eax, eax
		mov	[ebp+var_8], ebx
		rep stosd
		test	ebx, ebx
		jz	short loc_574C6B
		mov	[ebp+var_4], ebx
		lea	ebx, [esi+0D0h]

loc_574C10:				; CODE XREF: PpmResetProcessorIdleAccounting(x,x,x)+50j
		push	0Ah
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		push	340h		; size_t
		push	eax		; int
		rep stosd
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		add	ebx, 3E8h
		sub	[ebp+var_4], 1
		jnz	short loc_574C10
		mov	ebx, [ebp+var_8]
		lea	eax, [esi+0D8h]
		mov	edx, ebx

loc_574C3F:				; CODE XREF: PpmResetProcessorIdleAccounting(x,x,x)+87j
		or	dword ptr [eax-98h], 0FFFFFFFFh
		mov	ecx, eax
		or	dword ptr [eax-94h], 0FFFFFFFFh
		push	1Ah
		pop	edi

loc_574C52:				; CODE XREF: PpmResetProcessorIdleAccounting(x,x,x)+7Dj
		or	dword ptr [ecx], 0FFFFFFFFh
		lea	ecx, [ecx+20h]
		or	dword ptr [ecx-1Ch], 0FFFFFFFFh
		sub	edi, 1
		jnz	short loc_574C52
		add	eax, 3E8h
		sub	edx, 1
		jnz	short loc_574C3F

loc_574C6B:				; CODE XREF: PpmResetProcessorIdleAccounting(x,x,x)+23j
		mov	eax, [ebp+var_C]
		inc	eax
		mov	[esi], ebx
		and	dword ptr [esi+20h], 0
		mov	[esi+8], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+10h], eax
		mov	eax, [ebp+arg_4]
		pop	edi
		mov	[esi+14h], eax
		pop	esi
		pop	ebx
		leave
		retn	8
_PpmResetProcessorIdleAccounting@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PpmApplyIdlePolicy(x)
_PpmApplyIdlePolicy@4 proc near		; CODE XREF: PpmResetIdlePolicy(x)+Ap
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, _PpmCurrentProfile
		mov	edx, ecx
		imul	esi, dword_6C2D0C, 0F0h
		push	ds:dword_70ED2C
		mov	ebx, [edx]
		push	ds:_PopQpcFrequency
		push	0
		push	0F4240h
		mov	al, [esi+edi+0B4h]
		mov	[edx+34h], al
		mov	cl, [esi+edi+0BCh]
		mov	[edx+33h], cl
		mov	al, [esi+edi+0BDh]
		push	0
		mov	[edx+32h], al
		mov	[edx+31h], cl
		mov	[edx+30h], al
		push	dword ptr [esi+edi+0B8h]
		call	PpmConvertTime
		pop	edi
		pop	esi
		mov	[ebx+0B4h], eax
		pop	ebx
		retn
_PpmApplyIdlePolicy@4 endp


;  S U B	R O U T	I N E 


PpmUpdateProcessorIdleAccounting proc near ; CODE XREF:	PpmInstallNewIdleStates+49p
					; PpmTranslateIdleAccounting(x,x,x)+Fp

; FUNCTION CHUNK AT 005F7DB1 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	edi
		mov	edi, [ebx]
		cmp	byte ptr [edi+5], 0
		jz	loc_574DD8
		mov	edx, [ebx+8]
		and	dword ptr [ebx+8], 0
		mov	eax, [ebx+4]
		push	esi
		mov	esi, [ebx+0Ch]
		and	dword ptr [ebx+0Ch], 0
		imul	ecx, [edi+14h],	3E8h
		add	eax, ecx
		add	[ebx+10h], edx
		adc	[ebx+14h], esi
		add	[eax+28h], edx
		adc	[eax+2Ch], esi
		cmp	dword ptr [edi+44h], 3
		jnz	loc_574DEA
		cmp	dword ptr [edi+40h], 0
		jl	loc_574DEF
		inc	dword ptr [eax+38h]
		xor	ecx, ecx
		xor	ebx, ebx

loc_574D48:				; CODE XREF: PpmUpdateProcessorIdleAccounting+70j
		cmp	esi, ds:dword_705204[ebx]
		jb	short loc_574D66
		ja	short loc_574D5A
		cmp	edx, ds:_PpmIdleIntervalLimits[ebx]
		jb	short loc_574D66

loc_574D5A:				; CODE XREF: PpmUpdateProcessorIdleAccounting+5Cj
		add	ebx, 18h
		inc	ecx
		cmp	ebx, 270h
		jb	short loc_574D48

loc_574D66:				; CODE XREF: PpmUpdateProcessorIdleAccounting+5Aj
					; PpmUpdateProcessorIdleAccounting+64j
		cmp	ecx, 1Ah
		jnb	loc_574DF4
		shl	ecx, 5
		add	[ecx+eax+0D0h],	edx
		adc	[ecx+eax+0D4h],	esi
		inc	dword ptr [ecx+eax+0E8h]
		cmp	esi, [ecx+eax+0DCh]
		ja	short loc_574DA3
		jb	loc_5F7DB1
		cmp	edx, [ecx+eax+0D8h]
		jb	loc_5F7DB1

loc_574DA3:				; CODE XREF: PpmUpdateProcessorIdleAccounting+9Aj
					; PpmUpdateProcessorIdleAccounting+830CBj
		cmp	esi, [ecx+eax+0E4h]
		jb	short loc_574DBF
		ja	loc_5F7DC4
		cmp	edx, [ecx+eax+0E0h]
		ja	loc_5F7DC4

loc_574DBF:				; CODE XREF: PpmUpdateProcessorIdleAccounting+B6j
					; PpmUpdateProcessorIdleAccounting+103j ...
		cmp	esi, [eax+44h]
		ja	short loc_574DCB
		jb	short loc_574DF9
		cmp	edx, [eax+40h]
		jb	short loc_574DF9

loc_574DCB:				; CODE XREF: PpmUpdateProcessorIdleAccounting+CEj
					; PpmUpdateProcessorIdleAccounting+10Bj
		cmp	esi, [eax+4Ch]
		jb	short loc_574DD7
		ja	short loc_574E01
		cmp	edx, [eax+48h]
		ja	short loc_574E01

loc_574DD7:				; CODE XREF: PpmUpdateProcessorIdleAccounting+DAj
					; PpmUpdateProcessorIdleAccounting+F9j	...
		pop	esi

loc_574DD8:				; CODE XREF: PpmUpdateProcessorIdleAccounting+Cj
		and	dword ptr [edi+40h], 0
		mov	dword ptr [edi+44h], 3
		mov	byte ptr [edi+5], 0
		pop	edi
		pop	ebx
		retn
; 

loc_574DEA:				; CODE XREF: PpmUpdateProcessorIdleAccounting+3Dj
		inc	dword ptr [eax+30h]
		jmp	short loc_574DD7
; 

loc_574DEF:				; CODE XREF: PpmUpdateProcessorIdleAccounting+47j
		inc	dword ptr [eax+34h]
		jmp	short loc_574DD7
; 

loc_574DF4:				; CODE XREF: PpmUpdateProcessorIdleAccounting+75j
		inc	dword ptr [eax+3Ch]
		jmp	short loc_574DBF
; 

loc_574DF9:				; CODE XREF: PpmUpdateProcessorIdleAccounting+D0j
					; PpmUpdateProcessorIdleAccounting+D5j
		mov	[eax+40h], edx
		mov	[eax+44h], esi
		jmp	short loc_574DCB
; 

loc_574E01:				; CODE XREF: PpmUpdateProcessorIdleAccounting+DCj
					; PpmUpdateProcessorIdleAccounting+E1j
		mov	[eax+48h], edx
		mov	[eax+4Ch], esi
		jmp	short loc_574DD7
PpmUpdateProcessorIdleAccounting endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgfxGrowDirtyRect proc near		; CODE XREF: GxpWriteFrameBufferPixels+1ECp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F7DD7 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, edx
		mov	ecx, dword_6B6CF0
		push	edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edi, dword_6B6CEC
		mov	edx, [esi]
		mov	eax, [edi]
		cmp	eax, edx
		jbe	short loc_574E31
		mov	eax, edx

loc_574E31:				; CODE XREF: BgfxGrowDirtyRect+23j
		mov	[edi], eax
		xor	edx, edx
		mov	eax, [ebx]
		div	[ebp+arg_0]
		mov	edx, dword_6B6CEC
		mov	ecx, [esi]
		add	ecx, eax
		mov	eax, [edx+4]
		cmp	eax, ecx
		jnb	short loc_574E4D
		mov	eax, ecx

loc_574E4D:				; CODE XREF: BgfxGrowDirtyRect+3Fj
		mov	[edx+4], eax
		mov	edx, dword_6B6CEC
		mov	ecx, [esi+4]
		mov	eax, [edx+8]
		cmp	eax, ecx
		jbe	short loc_574E62
		mov	eax, ecx

loc_574E62:				; CODE XREF: BgfxGrowDirtyRect+54j
		mov	ecx, [ebx+4]
		mov	[edx+8], eax
		mov	edx, dword_6B6CEC
		add	ecx, [esi+4]
		pop	edi
		pop	esi
		mov	eax, [edx+0Ch]
		pop	ebx
		cmp	eax, ecx
		jnb	short loc_574E7D
		mov	eax, ecx

loc_574E7D:				; CODE XREF: BgfxGrowDirtyRect+6Fj
		mov	[edx+0Ch], eax
		mov	eax, dword_6B6CE4
		inc	dword ptr [eax]
		test	ds:byte_70EFC6,	1
		mov	eax, dword_6B6CF0
		jnz	loc_5F7DD7
		xor	ecx, ecx
		lock and [eax],	ecx

loc_574E9E:				; CODE XREF: BgfxGrowDirtyRect+82FD7j
		pop	ebp
		retn	4
BgfxGrowDirtyRect endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	FioFwReadUlongAtOffset(void *)
_FioFwReadUlongAtOffset@12 proc	near	; CODE XREF: RaspMapGlyphIndexToLocation+86A82p
					; RaspMapGlyphIndexToLocation+86AA4p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi		; void *
		push	4		; size_t
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		test	eax, eax
		js	short loc_574EBF
		mov	eax, [esi]
		bswap	eax
		mov	[esi], eax
		xor	eax, eax

loc_574EBF:				; CODE XREF: FioFwReadUlongAtOffset(x,x,x)+13j
		pop	esi
		pop	ebp
		retn	4
_FioFwReadUlongAtOffset@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpGetRegistryDword(x, x, x)
_PnpGetRegistryDword@12	proc near	; CODE XREF: PipDmgGetDriverDmarCompatLevel+97p
					; PiDmaGuardProcessRegistry+13p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+arg_0]
		xor	ebx, ebx
		push	eax
		push	ebx
		mov	[edi], ebx
		mov	[ebp+arg_0], ebx
		call	IopGetRegistryValue
		mov	ecx, [ebp+arg_0]
		mov	esi, eax
		test	esi, esi
		jns	short loc_574EF6

loc_574EE9:				; CODE XREF: PnpGetRegistryDword(x,x,x)+43j
					; PnpGetRegistryDword(x,x,x)+53j
		test	ecx, ecx
		jnz	short loc_574F09

loc_574EED:				; CODE XREF: PnpGetRegistryDword(x,x,x)+4Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_574EF6:				; CODE XREF: PnpGetRegistryDword(x,x,x)+23j
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_574F12
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	[edi], eax
		jmp	short loc_574EE9
; 

loc_574F09:				; CODE XREF: PnpGetRegistryDword(x,x,x)+27j
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_574EED
; 

loc_574F12:				; CODE XREF: PnpGetRegistryDword(x,x,x)+39j
		mov	esi, 0C0000229h
		jmp	short loc_574EE9
_PnpGetRegistryDword@12	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnpValidateRegistryDword(x)
_PnpValidateRegistryDword@4 proc near	; CODE XREF: PnpGetRegistryDword(x,x,x):loc_574EF6p
					; PipDmgInitReadGroupPolicy()+70p ...
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_574F29
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_574F29
		mov	al, 1
		retn
; 

loc_574F29:				; CODE XREF: PnpValidateRegistryDword(x)+4j
					; PnpValidateRegistryDword(x)+Aj
		xor	al, al
		retn
_PnpValidateRegistryDword@4 endp


;  S U B	R O U T	I N E 


; __stdcall AdtpDbInitializePrivilegeObject()
_AdtpDbInitializePrivilegeObject@0 proc	near ; CODE XREF: AdtpInitializeAuditingCommon()+27p
		mov	edi, edi
		push	esi
		xor	eax, eax
		xor	esi, esi
		push	edi
		mov	_AdtpWellKnownPrivilegeMaxLen, ax
		mov	edi, offset _AdtpKnownPrivilege

loc_574F3F:				; CODE XREF: AdtpDbInitializePrivilegeObject()+3Dj
		push	ds:off_404AB8[esi*4]
		lea	eax, [esi+2]
		cdq
		push	edi
		mov	[edi+8], eax
		mov	[edi+0Ch], edx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, word ptr [edi]
		cmp	_AdtpWellKnownPrivilegeMaxLen, ax
		jb	short loc_574F70

loc_574F62:				; CODE XREF: AdtpDbInitializePrivilegeObject()+4Aj
		inc	esi
		add	edi, 10h
		cmp	esi, 23h
		jb	short loc_574F3F
		pop	edi
		xor	eax, eax
		pop	esi
		retn
; 

loc_574F70:				; CODE XREF: AdtpDbInitializePrivilegeObject()+34j
		mov	_AdtpWellKnownPrivilegeMaxLen, ax
		jmp	short loc_574F62
_AdtpDbInitializePrivilegeObject@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_574F78	proc near		; CODE XREF: AdtpInitializeDriveLetters+29p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	1Fh
		mov	esi, offset ??_C@_1BO@LJHGOKGD@?$AA?2?$AAD?$AAo?$AAs?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs?$AA?2?$AAA?$AA?3@NNGAKEGL@ ; "\\DosDevices\\A:"
		pop	edx
		sub	esi, ecx

loc_574F89:				; CODE XREF: sub_574F78+2Dj
		lea	eax, [edx+7FFFFFDFh]
		test	eax, eax
		jz	short loc_574FA7
		movzx	eax, word ptr [esi+ecx]
		test	ax, ax
		jz	short loc_574FA7
		mov	[ecx], ax
		add	ecx, 2
		sub	edx, 1
		jnz	short loc_574F89

loc_574FA7:				; CODE XREF: sub_574F78+19j
					; sub_574F78+22j
		pop	esi
		test	edx, edx
		jz	short loc_574FC5

loc_574FAC:				; CODE XREF: sub_574F78+50j
		neg	edx
		sbb	edx, edx
		and	edx, 7FF8FF86h
		xor	eax, eax
		mov	[ecx], ax
		lea	eax, [edx-7FF8FF86h]
		leave
		retn	0Ch
; 

loc_574FC5:				; CODE XREF: sub_574F78+32j
		sub	ecx, 2
		jmp	short loc_574FAC
sub_574F78	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiComputeHash64(x)
_MiComputeHash64@4 proc	near		; CODE XREF: MiCombinePte(x,x,x)+FDp
					; MiPerformCombineScan(x,x,x,x)+24p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, 878608F5h
		mov	[ebp+var_4], 200h
		mov	edi, 0DE5DF13Fh
		lea	ebx, [ecx+0FF0h]

loc_574FEA:				; CODE XREF: MiComputeHash64(x)+C2j
		mov	ecx, [ebx+8]
		mov	eax, esi
		shrd	eax, edi, 2
		shrd	edi, esi, 2
		mov	esi, [ebx+0Ch]
		add	ecx, eax
		mov	edx, ecx
		adc	esi, edi
		mov	edi, [ebx-2Ch]
		shrd	edx, esi, 3
		shrd	esi, ecx, 3
		add	edx, [ebx]
		mov	ecx, [ebx-8]
		mov	eax, edx
		adc	esi, [ebx+4]
		lea	ebx, [ebx-40h]
		shrd	eax, esi, 5
		shrd	esi, edx, 5
		mov	edx, [ebx+3Ch]
		add	ecx, eax
		mov	eax, ecx
		adc	edx, esi
		mov	esi, [ebx+34h]
		shrd	eax, edx, 7
		shrd	edx, ecx, 7
		mov	ecx, [ebx+30h]
		add	ecx, eax
		mov	eax, ecx
		adc	esi, edx
		mov	edx, [ebx+2Ch]
		shrd	eax, esi, 0Bh
		shrd	esi, ecx, 0Bh
		mov	ecx, [ebx+28h]
		xor	ecx, eax
		xor	edx, esi
		mov	esi, [ebx+24h]
		mov	eax, ecx
		shrd	eax, edx, 0Dh
		shrd	edx, ecx, 0Dh
		mov	ecx, [ebx+20h]
		add	ecx, eax
		mov	eax, ecx
		adc	esi, edx
		mov	edx, [ebx+1Ch]
		shrd	eax, esi, 11h
		shrd	esi, ecx, 11h
		mov	ecx, [ebx+18h]
		add	ecx, eax
		mov	eax, ecx
		adc	edx, esi
		mov	esi, [ebx+10h]
		shrd	eax, edx, 13h
		shrd	edx, ecx, 13h
		add	esi, eax
		adc	edi, edx
		sub	[ebp+var_4], 8
		jnz	loc_574FEA
		mov	edx, edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiComputeHash64@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringCchCatNW(x, x, x, x)
_RtlStringCchCatNW@16 proc near		; CODE XREF: SepRmFetchGlobalSacl+52p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		xor	edx, edx
		mov	[ebp+var_4], edx
		mov	eax, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_5750F3
		cmp	esi, 7FFFFFFFh
		ja	short loc_5750F3

loc_5750BB:				; CODE XREF: RtlStringCchCatNW(x,x,x,x)+5Cj
		test	eax, eax
		js	short loc_5750ED
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		call	sub_4EBA32
		mov	edx, [ebp+var_4]
		test	eax, eax
		js	short loc_5750ED
		cmp	[ebp+arg_4], 7FFFFFFEh
		ja	short loc_5750FA
		push	[ebp+arg_4]
		sub	esi, edx
		push	[ebp+arg_0]
		push	ecx
		lea	ecx, [edi+edx*2]
		mov	edx, esi
		call	sub_56076C

loc_5750ED:				; CODE XREF: RtlStringCchCatNW(x,x,x,x)+21j
					; RtlStringCchCatNW(x,x,x,x)+33j ...
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_5750F3:				; CODE XREF: RtlStringCchCatNW(x,x,x,x)+15j
					; RtlStringCchCatNW(x,x,x,x)+1Dj
		mov	eax, 0C000000Dh
		jmp	short loc_5750BB
; 

loc_5750FA:				; CODE XREF: RtlStringCchCatNW(x,x,x,x)+3Cj
		mov	eax, 0C000000Dh
		jmp	short loc_5750ED
_RtlStringCchCatNW@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepBuildCapPolicyTable proc near	; CODE XREF: SepRmCapUpdateWrkr+16p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F7DE6 SIZE 0000009B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		mov	[esp+24h+var_4], eax
		push	edi
		mov	[eax], esi
		mov	edi, 201h
		lea	eax, [esp+28h+var_10]
		mov	[esp+28h+var_8], ebx
		push	eax
		mov	edx, edi
		mov	[esp+2Ch+var_10], esi
		mov	ecx, offset ??_C@_1KC@MMLCOCMI@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@
		mov	[esp+2Ch+var_14], esi
		mov	[esp+2Ch+var_18], esi
		mov	[esp+2Ch+var_1C], esi
		mov	[esp+2Ch+var_C], esi
		call	_SepRegOpenKey@12 ; SepRegOpenKey(x,x,x)
		test	eax, eax
		js	loc_5751DC
		lea	eax, [esp+28h+var_14]
		mov	edx, edi
		push	eax
		mov	ecx, offset ??_C@_1KO@LFEDCLJF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@
		call	_SepRegOpenKey@12 ; SepRegOpenKey(x,x,x)
		test	eax, eax
		js	short loc_5751DC
		lea	eax, [esp+28h+var_18]
		mov	edx, edi
		push	eax
		mov	ecx, (offset off_5A5C88+2)
		call	_SepRegOpenKey@12 ; SepRegOpenKey(x,x,x)
		test	eax, eax
		js	short loc_5751DC
		mov	ecx, [esp+28h+var_14]
		lea	eax, [esp+28h+var_1C]
		push	eax
		lea	eax, [esp+2Ch+var_C]
		mov	edx, ebx
		push	eax
		call	SepReadAndPopulateCapes
		mov	edi, eax
		test	edi, edi
		js	short loc_5751E0
		mov	ebx, [esp+28h+var_C]
		test	ebx, ebx
		jnz	loc_5F7DE6

loc_5751A3:				; CODE XREF: SepBuildCapPolicyTable+DCj
					; SepBuildCapPolicyTable+82D3Bj ...
		cmp	[esp+28h+var_18], 0
		jz	short loc_5751B3
		push	[esp+28h+var_18]
		call	_ZwClose@4	; ZwClose(x)

loc_5751B3:				; CODE XREF: SepBuildCapPolicyTable+A6j
		cmp	[esp+28h+var_14], 0
		jz	short loc_5751C3
		push	[esp+28h+var_14]
		call	_ZwClose@4	; ZwClose(x)

loc_5751C3:				; CODE XREF: SepBuildCapPolicyTable+B6j
		cmp	[esp+28h+var_10], 0
		jz	short loc_5751D3
		push	[esp+28h+var_10]
		call	_ZwClose@4	; ZwClose(x)

loc_5751D3:				; CODE XREF: SepBuildCapPolicyTable+C6j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5751DC:				; CODE XREF: SepBuildCapPolicyTable+4Aj
					; SepBuildCapPolicyTable+63j ...
		mov	edi, esi
		jmp	short loc_5751A3
; 

loc_5751E0:				; CODE XREF: SepBuildCapPolicyTable+93j
					; SepBuildCapPolicyTable+82D01j
		mov	esi, [esp+28h+var_1C]
		jmp	loc_5F7E4A
SepBuildCapPolicyTable endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUnicodeStringCatString(x, x)
_RtlUnicodeStringCatString@8 proc near	; CODE XREF: PopGenerateDeviceFriendlyName+B1p
					; PopGenerateDeviceFriendlyName+D3p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	ecx
		mov	[ebp+var_8], edx
		mov	esi, ecx
		xor	edi, edi
		xor	ebx, ebx
		call	sub_4344FE
		test	eax, eax
		js	short loc_575248
		test	esi, esi
		jz	short loc_575248
		movzx	edi, word ptr [esi+2]
		movzx	ebx, word ptr [esi]
		mov	ecx, [esi+4]
		shr	edi, 1
		shr	ebx, 1

loc_57521D:				; CODE XREF: RtlUnicodeStringCatString(x,x)+61j
		test	eax, eax
		js	short loc_575243
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ecx
		push	[ebp+var_8]
		sub	edi, ebx
		lea	ecx, [ecx+ebx*2]
		push	eax
		mov	edx, edi
		call	RtlWideCharArrayCopyStringWorker
		mov	ecx, [ebp+var_4]
		add	ecx, ebx
		add	ecx, ecx
		mov	[esi], cx

loc_575243:				; CODE XREF: RtlUnicodeStringCatString(x,x)+35j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_575248:				; CODE XREF: RtlUnicodeStringCatString(x,x)+1Fj
					; RtlUnicodeStringCatString(x,x)+23j
		mov	ecx, [ebp+var_4]
		jmp	short loc_57521D
_RtlUnicodeStringCatString@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnpCompleteSystemStartProcess()
_PnpCompleteSystemStartProcess@0 proc near ; CODE XREF:	.text:0054F229p
		mov	edi, edi
		push	esi
		xor	esi, esi
		xor	edx, edx
		push	esi
		mov	ecx, offset _KMPnPEvt_SystemStartLegacyEnum_Start
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		push	esi
		xor	edx, edx
		mov	ecx, offset _KMPnPEvt_SystemStartDriverReinit_Start
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		mov	cl, 1
		call	_IopCallDriverReinitializationRoutines@4 ; IopCallDriverReinitializationRoutines(x)
		push	esi
		xor	edx, edx
		mov	ecx, offset _KMPnPEvt_SystemStartDriverReinit_Stop
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		push	esi
		push	esi
		push	offset _PnpSystemDeviceEnumerationComplete
		mov	_PnPInitialized, 1
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		call	_PiInitReleaseCachedGroupInformation@0 ; PiInitReleaseCachedGroupInformation()
		call	PpReleaseBootDDB
		call	KseShimDatabaseBootRelease
		push	esi
		xor	edx, edx
		mov	ecx, offset _KMPnPEvt_SystemStartLegacyEnum_Stop
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		mov	ecx, _PnpEtwHandle
		mov	eax, ecx
		mov	edx, dword_6D4DF4
		or	eax, edx
		jz	short loc_5752D5
		push	esi
		push	esi
		push	offset _PnpDriverInitPhaseActivityId
		push	offset _KMPnPEvt_DriverInitPhase_Stop
		push	edx
		push	ecx
		call	_EtwWriteEndScenario@24	; EtwWriteEndScenario(x,x,x,x,x,x)

loc_5752D5:				; CODE XREF: PnpCompleteSystemStartProcess()+72j
		pop	esi
		retn
_PnpCompleteSystemStartProcess@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PnpFreeUnicodeStringList(x,	x)
_PnpFreeUnicodeStringList@8 proc near	; CODE XREF: PiInitReleaseCachedGroupInformation()+11p
					; PnpRegMultiSzToUnicodeStrings+160CBp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		test	edi, edi
		jz	short loc_57530B
		test	esi, esi
		jz	short loc_575303
		push	ebx
		lea	ebx, [edi+4]

loc_5752EC:				; CODE XREF: PnpFreeUnicodeStringList(x,x)+28j
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_5752FA
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5752FA:				; CODE XREF: PnpFreeUnicodeStringList(x,x)+18j
		add	ebx, 8
		sub	esi, 1
		jnz	short loc_5752EC
		pop	ebx

loc_575303:				; CODE XREF: PnpFreeUnicodeStringList(x,x)+Ej
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_57530B:				; CODE XREF: PnpFreeUnicodeStringList(x,x)+Aj
		pop	edi
		pop	esi
		retn
_PnpFreeUnicodeStringList@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpQueryPartitionRegistryInformation proc near
					; CODE XREF: EtwpContainerResumeWnfCallback(x,x,x,x,x,x)+2Ep
					; EtwInitializeSiloState+249p

var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_78		= dword	ptr -78h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005F7E81 SIZE 00000070 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0E4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0E4h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+0ECh+var_C0], eax
		mov	eax, [ebp+arg_C]
		mov	ebx, edx
		push	edi
		mov	edi, [ebp+arg_8]
		mov	[esp+0F0h+var_C4], ecx
		mov	ecx, [ebp+arg_4]
		mov	[esp+0F0h+var_BC], eax
		lea	eax, [esp+0F0h+var_B8]
		push	offset ??_C@_1GG@KMAKALDL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@
		push	eax
		mov	[esp+0F8h+var_C8], ecx
		mov	[esp+0F8h+var_E0], esi
		mov	[esp+0F8h+var_B8], esi
		mov	[esp+0F8h+var_B4], esi
		mov	[esp+0F8h+var_E4], esi
		mov	[esp+0F8h+var_D4], esi
		mov	[ecx], esi
		mov	[esp+0F8h+var_DC], esi
		mov	[esp+0F8h+var_D8], esi
		mov	[esp+0F8h+var_D0], esi
		mov	[esp+0F8h+var_CC], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+0F0h+var_B8]
		mov	[esp+0F0h+var_B0], 18h
		mov	[esp+0F0h+var_A8], eax
		lea	eax, [esp+0F0h+var_B0]
		push	eax
		push	20019h
		lea	eax, [esp+0F8h+var_E0]
		mov	[esp+0F8h+var_AC], esi
		push	eax
		mov	[esp+0FCh+var_A4], 240h
		mov	[esp+0FCh+var_A0], esi
		mov	[esp+0FCh+var_9C], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_575505
		push	70h		; size_t
		xor	esi, esi
		lea	eax, [esp+0F4h+var_78]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+0F0h+var_70], offset ??_C@_1BM@FDCLHDIB@?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAT?$AAy?$AAp?$AAe@FNODOBFM@
		lea	eax, [esp+0F0h+var_98]
		mov	[esp+0F0h+var_54], offset ??_C@_1BI@HJOCIGHC@?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAI?$AAd@FNODOBFM@
		mov	[esp+0F0h+var_6C], eax
		mov	edx, offset EtwpQueryRegistryCallback
		xor	ecx, ecx
		mov	[esp+0F0h+var_78], edx
		push	4
		pop	eax
		mov	[esp+0F0h+var_68], eax
		inc	ecx
		mov	[esp+0F0h+var_98], eax
		mov	eax, [esp+0F0h+var_C8]
		mov	[esp+0F0h+var_94], eax
		lea	eax, [esp+0F0h+var_90]
		mov	[esp+0F0h+var_50], eax
		lea	eax, [esp+0F0h+var_D4]
		mov	[esp+0F0h+var_48], eax
		lea	eax, [esp+0F0h+var_DC]
		mov	[esp+0F0h+var_8C], eax
		lea	eax, [esp+0F0h+var_88]
		mov	[esp+0F0h+var_34], eax
		lea	eax, [esp+0F0h+var_D4]
		mov	[esp+0F0h+var_2C], eax
		lea	eax, [esp+0F0h+var_D0]
		push	esi
		push	esi
		mov	[esp+0F8h+var_84], eax
		lea	eax, [esp+0F8h+var_78]
		push	eax
		push	[esp+0FCh+var_E0]
		mov	[esp+100h+var_5C], edx
		push	40000000h
		mov	[esp+104h+var_4C], ecx
		mov	[esp+104h+var_90], ecx
		mov	[esp+104h+var_40], edx
		mov	[esp+104h+var_38], offset ??_C@_1CO@GMOLDGFF@?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAC?$AAo?$AAr?$AAr?$AAe?$AAl@FNODOBFM@ ; "ContainerCorrelationId"
		mov	[esp+104h+var_30], ecx
		mov	[esp+104h+var_88], ecx
		call	_RtlQueryRegistryValuesEx@20 ; RtlQueryRegistryValuesEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_575505
		xor	esi, esi
		lea	ecx, [esp+0F0h+var_DC]
		mov	[edi], esi
		mov	[edi+4], esi
		mov	edi, [esp+0F0h+var_C4]
		mov	edx, edi
		call	StringToGuidNoBrackets
		test	eax, eax
		jz	short loc_5754C7
		mov	esi, offset _GUID_NULL
		movsd
		movsd
		movsd
		movsd
		xor	esi, esi

loc_5754C7:				; CODE XREF: EtwpQueryPartitionRegistryInformation+1ACj
		movzx	eax, word ptr [esp+0F0h+var_DC]
		push	eax
		push	[esp+0F4h+var_D8]
		lea	eax, [esp+0F8h+var_E4]
		push	eax
		push	esi
		push	esi
		call	RtlUnicodeToUTF8N
		test	eax, eax
		jz	loc_5F7E81

loc_5754E5:				; CODE XREF: EtwpQueryPartitionRegistryInformation+82B7Bj
					; EtwpQueryPartitionRegistryInformation+82B99j	...
		mov	edi, [esp+0F0h+var_BC]
		lea	ecx, [esp+0F0h+var_D0]
		mov	edx, edi
		call	StringToGuidNoBrackets
		mov	esi, eax
		test	esi, esi
		jz	short loc_575505
		mov	esi, offset _GUID_NULL
		movsd
		movsd
		movsd
		movsd
		xor	esi, esi

loc_575505:				; CODE XREF: EtwpQueryPartitionRegistryInformation+B0j
					; EtwpQueryPartitionRegistryInformation+192j ...
		cmp	[esp+0F0h+var_E0], 0
		jz	short loc_575515
		push	[esp+0F0h+var_E0]
		call	_ZwClose@4	; ZwClose(x)

loc_575515:				; CODE XREF: EtwpQueryPartitionRegistryInformation+1FCj
		lea	eax, [esp+0F0h+var_DC]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esp+0F0h+var_D0]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [esp+0F0h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
EtwpQueryPartitionRegistryInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

StringToGuidNoBrackets proc near	; CODE XREF: EtwpQueryPartitionRegistryInformation+1A5p
					; EtwpQueryPartitionRegistryInformation+1E1p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F7EF1 SIZE 000000FE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		test	ecx, ecx
		jz	short loc_57555F
		mov	ebx, [ecx+4]
		mov	[ebp+var_4], ebx
		test	ebx, ebx
		jnz	loc_5F7EF1

loc_57555F:				; CODE XREF: StringToGuidNoBrackets+Dj
					; StringToGuidNoBrackets+829B7j ...
		mov	eax, 0C000000Dh

loc_575564:				; CODE XREF: StringToGuidNoBrackets+82AA8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
StringToGuidNoBrackets endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpReadPerSiloConfigParameters(x)
_EtwpReadPerSiloConfigParameters@4 proc	near ; CODE XREF: EtwInitializeSiloState+53p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 70h
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+78h+var_70], 40h
		push	offset ??_C@_1GO@GHPNNIDM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@
		lea	eax, [esp+7Ch+var_68]
		mov	[esp+7Ch+var_6C], edi
		push	eax
		mov	esi, ecx
		mov	[esp+80h+var_68], edi
		mov	[esp+80h+var_64], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+78h+var_68]
		mov	[esp+78h+var_50], 18h
		mov	[esp+78h+var_48], eax
		lea	eax, [esp+78h+var_50]
		push	eax
		push	20019h
		lea	eax, [esp+80h+var_6C]
		mov	[esp+80h+var_4C], edi
		push	eax
		mov	[esp+84h+var_44], 240h
		mov	[esp+84h+var_40], edi
		mov	[esp+84h+var_3C], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_575669
		push	38h		; size_t
		lea	eax, [esp+7Ch+var_38]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+78h+var_38], offset EtwpQueryRegistryCallback
		lea	eax, [esp+78h+var_60]
		mov	[esp+78h+var_30], (offset loc_5A6849+1)
		mov	[esp+78h+var_2C], eax
		push	4
		pop	eax
		mov	[esp+78h+var_28], eax
		mov	[esp+78h+var_60], eax
		lea	eax, [esp+78h+var_70]
		push	edi
		push	edi
		mov	[esp+80h+var_5C], eax
		lea	eax, [esp+80h+var_38]
		push	eax
		push	[esp+84h+var_6C]
		push	40000000h
		call	_RtlQueryRegistryValuesEx@20 ; RtlQueryRegistryValuesEx(x,x,x,x,x)
		test	eax, eax
		js	short loc_575669
		mov	eax, [esp+78h+var_70]
		mov	ecx, 100h
		cmp	eax, ecx
		ja	short loc_57565C
		cmp	eax, 20h
		jb	short loc_575660

loc_575644:				; CODE XREF: EtwpReadPerSiloConfigParameters(x)+FDj
					; EtwpReadPerSiloConfigParameters(x)+103j
		mov	[esi+8], eax
		cmp	[esp+78h+var_6C], edi
		jz	short loc_575656
		push	[esp+78h+var_6C]
		call	_ZwClose@4	; ZwClose(x)

loc_575656:				; CODE XREF: EtwpReadPerSiloConfigParameters(x)+E1j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_57565C:				; CODE XREF: EtwpReadPerSiloConfigParameters(x)+D3j
		mov	eax, ecx
		jmp	short loc_575663
; 

loc_575660:				; CODE XREF: EtwpReadPerSiloConfigParameters(x)+D8j
		push	20h
		pop	eax

loc_575663:				; CODE XREF: EtwpReadPerSiloConfigParameters(x)+F4j
		mov	[esp+78h+var_70], eax
		jmp	short loc_575644
; 

loc_575669:				; CODE XREF: EtwpReadPerSiloConfigParameters(x)+6Ej
					; EtwpReadPerSiloConfigParameters(x)+C6j
		mov	eax, [esp+78h+var_70]
		jmp	short loc_575644
_EtwpReadPerSiloConfigParameters@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BapdpProcessEtwEvents proc near		; CODE XREF: BootApplicationPersistentDataProcess(x)+7Cp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F7FEF SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_14], 9C9A0652h
		xor	esi, esi
		mov	[ebp+var_10], 4AD66BE7h
		mov	[ebp+var_C], 0EA50B79Dh
		xor	edi, edi
		mov	[ebp+var_8], 0B41E03D2h

loc_5756A7:				; CODE XREF: BapdpProcessEtwEvents+9Ej
		and	[ebp+var_18], 0
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	0		; void *
		push	edi		; int
		lea	edx, [ebp+var_14] ; void *
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		test	eax, eax
		jns	short loc_5756C5
		cmp	eax, 0C0000023h
		jnz	short loc_575710

loc_5756C5:				; CODE XREF: BapdpProcessEtwEvents+4Cj
		cmp	[ebp+var_18], ebx
		jbe	short loc_5756ED
		test	esi, esi
		jnz	loc_5F7FEF

loc_5756D2:				; CODE XREF: BapdpProcessEtwEvents+82987j
		push	64506142h
		push	[ebp+var_18]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_57571C
		mov	ebx, [ebp+var_18]

loc_5756ED:				; CODE XREF: BapdpProcessEtwEvents+58j
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	esi		; void *
		push	edi		; int
		lea	edx, [ebp+var_14] ; void *
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		test	eax, eax
		js	short loc_575710
		mov	edx, [ebp+var_18]
		mov	ecx, esi
		call	BapdWriteEtwEvents
		test	eax, eax
		js	short loc_575710
		inc	edi
		jmp	short loc_5756A7
; 

loc_575710:				; CODE XREF: BapdpProcessEtwEvents+53j
					; BapdpProcessEtwEvents+8Dj ...
		test	esi, esi
		jz	short loc_57571C
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_57571C:				; CODE XREF: BapdpProcessEtwEvents+78j
					; BapdpProcessEtwEvents+A2j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
BapdpProcessEtwEvents endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BapdpMarshallBootDataToRegistry	proc near
					; CODE XREF: BootApplicationPersistentDataProcess(x)+86p

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F7FFC SIZE 00000345 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_A0], 0
		and	[ebp+var_A4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, dword_6FD470
		xor	ebx, ebx
		mov	esi, edi
		mov	[ebp+var_80], 729AF26Eh
		mov	[ebp+var_7C], 43F585FAh
		mov	[ebp+var_78], 45F20CB8h
		mov	[ebp+var_74], 55C1EB74h
		test	esi, esi
		jz	short loc_5757B7

loc_57577C:				; CODE XREF: BapdpMarshallBootDataToRegistry+81j
		cmp	esi, offset dword_6FD470
		jz	short loc_5757AF
		mov	ecx, [esi+8]
		mov	esi, [esi]
		mov	eax, [ecx+20h]
		test	eax, eax
		jz	short loc_5757AB
		cmp	eax, 2
		ja	short loc_5757AB
		push	10h		; size_t
		lea	eax, [ebp+var_80]
		push	eax		; void *
		lea	eax, [ecx+10h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_5757C6

loc_5757AB:				; CODE XREF: BapdpMarshallBootDataToRegistry+62j
					; BapdpMarshallBootDataToRegistry+67j ...
		test	esi, esi
		jnz	short loc_57577C

loc_5757AF:				; CODE XREF: BapdpMarshallBootDataToRegistry+56j
		test	ebx, ebx
		jnz	loc_5F7FFC

loc_5757B7:				; CODE XREF: BapdpMarshallBootDataToRegistry+4Ej
					; BapdpMarshallBootDataToRegistry+82BFFj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_5757C6:				; CODE XREF: BapdpMarshallBootDataToRegistry+7Dj
		inc	ebx
		jmp	short loc_5757AB
BapdpMarshallBootDataToRegistry	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 456. ExVerifySuite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExVerifySuite(x)
		public _ExVerifySuite@4
_ExVerifySuite@4 proc near		; CODE XREF: VfTriageActionTaken()+22p
					; VfTriageActionTaken()+2Dp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 12h
		jg	short loc_5757ED
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	ds:0FFDF02D0h, eax
		setnz	al

loc_5757E9:				; CODE XREF: ExVerifySuite(x)+21j
		pop	ebp
		retn	4
; 

loc_5757ED:				; CODE XREF: ExVerifySuite(x)+Bj
		xor	al, al
		jmp	short loc_5757E9
_ExVerifySuite@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpTraceStartDevice proc near		; CODE XREF: PnpDeviceCompletionRoutine(x,x,x)+6Dp
					; PnpStartDeviceNode+92E07p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F8341 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], ecx
		mov	ebx, edx
		push	edi
		mov	edi, esi
		test	eax, eax
		jnz	loc_5F8341

loc_57580F:				; CODE XREF: PnpTraceStartDevice+82B67j
		mov	edx, [ebp+var_4]
		mov	ecx, offset _KMPnPEvt_DeviceStart_Stop
		push	esi
		push	edi
		push	ebx
		add	edx, 14h
		call	PnpDiagnosticTraceDeviceOperation
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	4
PnpTraceStartDevice endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpDiagnosticTraceDeviceOperation proc near ; CODE XREF: PnpTraceStartDevice+2Bp
					; PipCallDriverAddDeviceQueryRoutine+6D150p ...

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F835E SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_3C], 4
		movzx	ecx, word ptr [edx]
		mov	ax, cx
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_64], eax
		mov	eax, [edx+4]
		mov	edx, [ebp+arg_4]
		push	edi
		xor	edi, edi
		mov	[ebp+var_54], eax
		mov	[ebp+var_60], edi
		mov	eax, ecx
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_58], edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], edi
		push	2
		pop	ebx
		mov	[ebp+var_5C], ebx
		test	edx, edx
		jnz	loc_5F835E
		mov	ecx, edi

loc_575897:				; CODE XREF: PnpDiagnosticTraceDeviceOperation+82B3Bj
		movzx	eax, cx
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], edi
		test	edx, edx
		jnz	short loc_5758F5
		mov	eax, edi

loc_5758B2:				; CODE XREF: PnpDiagnosticTraceDeviceOperation+CCj
		mov	[ebp+var_24], eax
		movzx	eax, cx
		mov	ecx, esi
		add	eax, eax
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		pop	edx
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], edi
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_5758F5:				; CODE XREF: PnpDiagnosticTraceDeviceOperation+82j
		mov	eax, [edx+4]
		jmp	short loc_5758B2
PnpDiagnosticTraceDeviceOperation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpvUtilCallAddDevice proc near		; CODE XREF: PnpCallAddDevice+70p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F836C SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	_PpvUtilVerifierEnabled, 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		jnz	loc_5F836C

loc_575914:				; CODE XREF: PpvUtilCallAddDevice+82A7Cj
		push	ebx
		push	edi
		call	[ebp+arg_0]

loc_575919:				; CODE XREF: PpvUtilCallAddDevice+82AA2j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
PpvUtilCallAddDevice endp ; sp = -8

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1703. PoFxStartDevicePowerManagement

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxStartDevicePowerManagement
PoFxStartDevicePowerManagement proc near ; CODE	XREF: PoFxEnableDStateReporting(x,x)+95p
					; PoFxRegisterDebugger+F7C6p

var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F83A1 SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, [edi+20h]
		mov	esi, [edi+1Ch]
		call	PopPepDeviceStarted
		mov	ecx, [edi+24h]
		test	ecx, ecx
		jnz	loc_5F83A1

loc_57594D:				; CODE XREF: PoFxStartDevicePowerManagement+82A8Cj
		xor	ebx, ebx
		test	esi, esi
		jz	short loc_5759D1
		lea	eax, [esi+2Ch]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	[esp+18h+var_9], al
		mov	eax, [esi+40h]
		mov	ecx, [edi+238h]
		mov	[esp+18h+var_8], eax
		test	cl, 1
		jnz	loc_5F83B7

loc_575976:				; CODE XREF: PoFxStartDevicePowerManagement+82AA2j
		test	eax, eax
		jz	short loc_5759AB
		mov	ecx, [edi+23Ch]

loc_575980:				; CODE XREF: PoFxStartDevicePowerManagement+83j
		mov	[esp+18h+var_4], ebx
		test	ecx, ecx
		jz	short loc_5759A2

loc_575988:				; CODE XREF: PoFxStartDevicePowerManagement+74j
		push	2
		push	ebx
		push	edi
		call	_PoFxActivateComponent@12 ; PoFxActivateComponent(x,x,x)
		mov	ecx, [edi+23Ch]
		inc	ebx
		cmp	ebx, ecx
		jb	short loc_575988
		mov	eax, [esp+18h+var_8]
		xor	ebx, ebx

loc_5759A2:				; CODE XREF: PoFxStartDevicePowerManagement+60j
		sub	eax, 1
		mov	[esp+18h+var_8], eax
		jnz	short loc_575980

loc_5759AB:				; CODE XREF: PoFxStartDevicePowerManagement+52j
					; PoFxStartDevicePowerManagement+82A93j
		push	4
		pop	ecx
		lea	eax, [esi+0A8h]
		lock or	[eax], ecx
		lea	eax, [esi+2Ch]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+18h+var_9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	PopDiagTraceFxDeviceStartPowerManagement

loc_5759D1:				; CODE XREF: PoFxStartDevicePowerManagement+2Bj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopFxDeviceListLock
		call	ExAcquirePushLockSharedEx
		mov	al, _PopFxEnableShutdownActiveBias
		xor	edx, edx
		push	11h
		mov	[esp+1Ch+var_9], al
		mov	ecx, offset _PopFxDeviceListLock
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	short loc_575A46

loc_575A07:				; CODE XREF: PoFxStartDevicePowerManagement+12Aj
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[esp+18h+var_9], 0
		jnz	loc_5F83CD

loc_575A23:				; CODE XREF: PoFxStartDevicePowerManagement+82ABBj
		cmp	[edi+23Ch], ebx
		jbe	short loc_575A3D

loc_575A2B:				; CODE XREF: PoFxStartDevicePowerManagement+115j
		push	1
		push	ebx
		push	edi
		call	_PoFxIdleComponent@12 ;	PoFxIdleComponent(x,x,x)
		inc	ebx
		cmp	ebx, [edi+23Ch]
		jb	short loc_575A2B

loc_575A3D:				; CODE XREF: PoFxStartDevicePowerManagement+103j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_575A46:				; CODE XREF: PoFxStartDevicePowerManagement+DFj
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, offset _PopFxDeviceListLock
		jmp	short loc_575A07
PoFxStartDevicePowerManagement endp


;  S U B	R O U T	I N E 


PopPepDeviceStarted proc near		; CODE XREF: PoFxStartDevicePowerManagement+17p

; FUNCTION CHUNK AT 005F83E6 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+2Ch]
		push	esi
		call	ExAcquireSpinLockExclusive
		push	esi
		mov	bl, al
		mov	dword ptr [edi+7Ch], 1
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopPepDeviceListLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		cmp	ds:_PopPepPlatformState, 0
		jnz	loc_5F83E6

loc_575AA2:				; CODE XREF: PopPepDeviceStarted+829A3j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_575AC6

loc_575AB0:				; CODE XREF: PopPepDeviceStarted+7Bj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
; 

loc_575AC6:				; CODE XREF: PopPepDeviceStarted+5Cj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_575AB0
PopPepDeviceStarted endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfFbBufferListAllocate proc near	; CODE XREF: PfTStart+140p
					; PfTStart+178p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F83FA SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	eax, edi
		lea	ecx, [ebx+40h]
		mov	[ebp+var_8], ecx
		lock xadd [ecx], eax
		add	eax, edi
		cmp	eax, [ebx+34h]
		jg	loc_5F83FA
		xor	edx, edx
		lea	eax, [edi-10h]
		div	[ebp+arg_0]
		push	dword ptr [ebx+24h]
		and	eax, 0FFFFFFFCh
		push	edi
		push	dword ptr [ebx+28h]
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_5F8401
		and	dword ptr [eax], 0
		lea	edx, [eax+10h]
		mov	ecx, [ebp+arg_0]
		mov	[eax+4], ecx
		mov	ecx, [ebp+var_4]
		mov	[eax+0Ch], edi
		add	edi, eax
		mov	[ebp+var_8], edi
		mov	[eax+8], ecx
		lea	edi, [edx+ecx]
		mov	[ebp+arg_0], edx
		cmp	edi, [ebp+var_8]
		ja	short loc_575B60

loc_575B3F:				; CODE XREF: PfFbBufferListAllocate+8Bj
		push	0
		push	0
		push	ecx
		mov	ecx, ebx
		call	PfFbBufferListInsertInFree
		mov	ecx, [ebp+var_4]
		add	edi, ecx
		mov	edx, [ebp+arg_0]
		add	edx, ecx
		mov	[ebp+arg_0], edx
		cmp	edi, [ebp+var_8]
		jbe	short loc_575B3F
		mov	eax, [ebp+var_C]

loc_575B60:				; CODE XREF: PfFbBufferListAllocate+6Dj
		lea	ecx, [ebx+18h]
		mov	edx, eax
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		xor	eax, eax

loc_575B6C:				; CODE XREF: PfFbBufferListAllocate+8293Fj
		pop	edi
		pop	ebx
		leave
		retn	4
PfFbBufferListAllocate endp

; 
		align 8
; Exported entry 2191. RtlIoEncodeMemIoResource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIoEncodeMemIoResource
RtlIoEncodeMemIoResource proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 005F8414 SIZE 00000213 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_20]
		mov	edx, [ebp+arg_14]
		mov	ecx, [ebp+arg_10]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_24]
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	[ebp+arg_24], eax
		mov	al, byte ptr [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_8]
		cmp	al, 3
		jnz	short loc_575C17

loc_575B9F:				; CODE XREF: RtlIoEncodeMemIoResource+8289Ej
		cmp	al, 1
		jz	short loc_575C1F

loc_575BA3:				; CODE XREF: RtlIoEncodeMemIoResource+B9j
		cmp	byte ptr [ebp+arg_4], 1
		mov	eax, [ebp+arg_18]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[esi+10h], eax
		mov	eax, [ebp+arg_1C]
		mov	[esi+14h], eax
		mov	eax, [ebp+var_4]
		mov	[esi+18h], eax
		mov	eax, [ebp+arg_24]
		mov	[esi+1Ch], eax
		jz	short loc_575C3E
		mov	ax, [esi+4]
		mov	ecx, 0F1FFh
		and	ax, cx
		movzx	ecx, ax
		mov	[ebp+arg_24], ecx
		mov	ecx, [ebp+arg_10]
		mov	[esi+4], ax
		test	ebx, ebx
		jb	short loc_575BF1
		ja	loc_5F8421
		cmp	edi, 0FFFFFFFFh
		ja	loc_5F8421

loc_575BF1:				; CODE XREF: RtlIoEncodeMemIoResource+68j
		test	edx, edx
		jb	short loc_575C04
		ja	loc_5F8421
		cmp	ecx, 0FFFFFFFFh
		ja	loc_5F8421

loc_575C04:				; CODE XREF: RtlIoEncodeMemIoResource+7Bj
		mov	byte ptr [esi+1], 3

loc_575C08:				; CODE XREF: RtlIoEncodeMemIoResource+CAj
		mov	[esi+8], edi
		mov	[esi+0Ch], ecx

loc_575C0E:				; CODE XREF: RtlIoEncodeMemIoResource+82AA0j
		xor	eax, eax

loc_575C10:				; CODE XREF: RtlIoEncodeMemIoResource+82AAAj
		pop	esi

loc_575C11:				; CODE XREF: RtlIoEncodeMemIoResource+C4j
		pop	edi
		pop	ebx
		leave
		retn	28h
; 

loc_575C17:				; CODE XREF: RtlIoEncodeMemIoResource+25j
		cmp	al, 1
		jnz	loc_5F8414

loc_575C1F:				; CODE XREF: RtlIoEncodeMemIoResource+29j
		test	ebx, ebx
		jb	short loc_575C2A
		ja	short loc_575C37
		cmp	edi, 0FFFFFFFFh
		ja	short loc_575C37

loc_575C2A:				; CODE XREF: RtlIoEncodeMemIoResource+A9j
		test	edx, edx
		jnz	short loc_575C37
		cmp	ecx, 0FFFFFFFFh
		jbe	loc_575BA3

loc_575C37:				; CODE XREF: RtlIoEncodeMemIoResource+ABj
					; RtlIoEncodeMemIoResource+B0j	...
		mov	eax, 0C000000Dh
		jmp	short loc_575C11
; 

loc_575C3E:				; CODE XREF: RtlIoEncodeMemIoResource+4Bj
		mov	byte ptr [esi+1], 1
		jmp	short loc_575C08
RtlIoEncodeMemIoResource endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRebuildLargePagesThread(x)
_MiRebuildLargePagesThread@4 proc near	; DATA XREF: MiInitializePartitionThreads(x)+42o
					; MiInitSystem+41o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		push	0Ch
		push	eax
		call	KeSetPriorityThread
		mov	esi, [ebp+arg_0]
		xor	edi, edi
		lea	eax, [esi+3Ch]
		mov	[ebp+var_8], eax
		lea	eax, [esi+0B1Ch]
		mov	[ebp+var_4], eax

loc_575C6F:				; CODE XREF: MiRebuildLargePagesThread(x)+44j
					; MiRebuildLargePagesThread(x)+4Dj
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	2
		call	KeWaitForMultipleObjects
		sub	eax, edi
		jz	short loc_575C93
		sub	eax, 1
		jnz	short loc_575C6F
		mov	ecx, esi
		call	MiRebuildLargeZeroPage
		jmp	short loc_575C6F
; 

loc_575C93:				; CODE XREF: MiRebuildLargePagesThread(x)+3Fj
		pop	edi
		pop	esi
		leave
		retn	4
_MiRebuildLargePagesThread@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopCheckAndHandleThermalConditions proc	near ; CODE XREF: PopThermalWorker+E6p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F8627 SIZE 0000022C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_1C]
		mov	esi, ecx
		stosd
		xor	bh, bh
		xor	bl, bl
		stosd
		stosd
		stosd
		mov	edi, [esi+18h]
		cmp	[esi+0B2h], bh
		jnz	loc_5F8627

loc_575CC3:				; CODE XREF: PopCheckAndHandleThermalConditions+82991j
					; PopCheckAndHandleThermalConditions+829ABj
		cmp	byte ptr [esi+0B1h], 0
		jnz	loc_5F864A
		test	bl, bl
		jnz	loc_5F865D

loc_575CD8:				; CODE XREF: PopCheckAndHandleThermalConditions+82AC9j
		cmp	byte ptr [esi+0C0h], 0
		setnz	dl
		cmp	[esi+29h], dl
		jnz	loc_5F8768

loc_575CEB:				; CODE XREF: PopCheckAndHandleThermalConditions+82AD8j
		mov	al, [esi+0B3h]
		cmp	[esi+28h], al
		jnz	loc_5F8777

loc_575CFA:				; CODE XREF: PopCheckAndHandleThermalConditions+82B89j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopCheckAndHandleThermalConditions endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceThermalZoneEnumeration proc	near ; CODE XREF: PopThermalWorker+231p
					; PopThermalWorker+8AB40p

var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_120		= dword	ptr -120h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F8853 SIZE 000002E4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1E8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		xor	eax, eax
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_1BC], eax
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_0]
		push	edi
		mov	[ebp+var_1DC], ebx
		mov	[ebp+var_1D8], esi
		mov	[ebp+var_1CC], eax
		mov	[ebp+var_1C8], eax
		mov	[ebp+var_1C0], eax
		mov	[ebp+var_1B8], eax
		cmp	_PopDiagHandleRegistered, al
		jnz	loc_5F8853

loc_575D57:				; CODE XREF: PopDiagTraceThermalZoneEnumeration+82E20j
					; PopDiagTraceThermalZoneEnumeration+82E32j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
PopDiagTraceThermalZoneEnumeration endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpEvaluateUpdateRuleEvalState proc near ; CODE	XREF: EmpUpdateRuleState+8Cp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F8B37 SIZE 00000133 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ecx
		mov	[ebp+var_C], edx
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax+4]
		xor	edi, edi
		mov	ecx, edi
		mov	[ebp+var_18], eax
		mov	[ebp+var_8], ecx
		mov	ebx, [esi+28h]
		mov	[ebp+var_14], ebx
		cmp	[esi+14h], cl
		jz	short loc_575DD3
		mov	edx, edi
		mov	[ebp+var_10], edx
		test	ebx, ebx
		jnz	short loc_575DDC

loc_575D99:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+82E3Dj
					; EmpEvaluateUpdateRuleEvalState+82E48j ...
		mov	edx, edi
		test	ebx, ebx
		jnz	loc_5F8BED

loc_575DA3:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+82E99j
		mov	edx, ecx
		mov	ecx, [ebp+var_18]
		push	ebx
		call	EmpEvaluateTargetRule
		cmp	eax, 2
		jz	short loc_575DCE
		test	ebx, ebx
		jnz	loc_5F8C06

loc_575DBB:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+69j
					; EmpEvaluateUpdateRuleEvalState+82EEAj
		mov	[esi+10h], edi
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	loc_5F8C5A

loc_575DC9:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+72j
					; EmpEvaluateUpdateRuleEvalState+82E35j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_575DCE:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+49j
		push	2
		pop	edi
		jmp	short loc_575DBB
; 

loc_575DD3:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+26j
		mov	dword ptr [esi+10h], 1
		jmp	short loc_575DC9
; 

loc_575DDC:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+2Fj
		mov	ecx, [esi+2Ch]
		jmp	loc_5F8B37
EmpEvaluateUpdateRuleEvalState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpEvaluatePermuteRuleEntries proc near	; CODE XREF: EmpEvaluateUpdateRuleEvalState+82EBAp
					; EmpEvaluatePermuteRuleEntries+82EC7p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 005F8C6A SIZE 0000007B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		test	edx, edx
		jnz	loc_5F8C6A

loc_575DF6:				; CODE XREF: EmpEvaluatePermuteRuleEntries+82EF4j
		mov	bl, 1

loc_575DF8:				; CODE XREF: EmpEvaluatePermuteRuleEntries+82E92j
					; EmpEvaluatePermuteRuleEntries+82EAFj	...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
EmpEvaluatePermuteRuleEntries endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeOptimizeSpecCtrlSettings(x)
_KeOptimizeSpecCtrlSettings@4 proc near	; DATA XREF: INIT:00AC2E3Do

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		and	[esp+24h+var_1C], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:20h
		push	2
		mov	[esp+34h+var_20], edi
		pop	edx
		mov	ecx, [edi+402Ch]
		mov	[esp+30h+var_24], offset _KiSpeculationFeatures
		lea	eax, [ecx-1]
		test	eax, ecx
		jz	short loc_575E67
		mov	edi, [esp+30h+var_24]
		jmp	short loc_575E3F
; 

loc_575E3E:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+5Aj
		pop	edx

loc_575E3F:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+3Aj
					; KeOptimizeSpecCtrlSettings(x)+5Fj
		mov	esi, ds:_KiSpeculationFeatures
		mov	ebx, esi
		mov	ecx, ds:dword_70E764
		or	ebx, edx
		mov	eax, esi
		mov	edx, ecx
		nop
		lock cmpxchg8b qword ptr [edi]
		push	2
		cmp	eax, esi
		jnz	short loc_575E3E
		cmp	edx, ecx
		pop	edx
		jnz	short loc_575E3F
		mov	edi, [esp+2Ch+var_1C]

loc_575E67:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+34j
		cmp	ds:_HvlHypervisorConnected, 0
		jz	short loc_575EA3
		call	_HvlIsCoreSharingPossible@0 ; HvlIsCoreSharingPossible()
		test	al, al
		jz	short loc_575EA3
		mov	edi, [esp+2Ch+var_20]

loc_575E7D:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+97j
					; KeOptimizeSpecCtrlSettings(x)+9Bj
		mov	esi, ds:_KiSpeculationFeatures
		mov	ebx, esi
		mov	ecx, ds:dword_70E764
		or	ebx, 2
		mov	eax, esi
		mov	edx, ecx
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_575E7D
		cmp	edx, ecx
		jnz	short loc_575E7D
		mov	edi, [esp+2Ch+var_1C]

loc_575EA3:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+6Cj
					; KeOptimizeSpecCtrlSettings(x)+75j
		mov	ebx, 80h
		test	byte ptr _KiFeatureSettings, bl
		jz	short loc_575EE8
		mov	edi, [esp+2Ch+var_20]

loc_575EB4:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+D5j
					; KeOptimizeSpecCtrlSettings(x)+DBj
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 100h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_575EB4
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_575EB4
		mov	edi, [esp+2Ch+var_1C]
		mov	ebx, 80h

loc_575EE8:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+ACj
		cmp	byte ptr [edi+3BEh], 2
		jnz	short loc_575EFC
		mov	edx, [esp+2Ch+var_20]
		mov	ecx, edi
		call	_KiDetectAmdNonArchSsbdSupport@8 ; KiDetectAmdNonArchSsbdSupport(x,x)

loc_575EFC:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+EDj
		mov	ecx, ds:_KiSpeculationFeatures
		xor	edx, edx
		mov	eax, ds:dword_70E764
		and	ecx, ebx
		or	ecx, edx
		jz	loc_575FCE
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 100h
		or	ecx, edx
		jnz	loc_575FCE
		mov	eax, _KiFeatureSettings
		test	al, 8
		jz	short loc_575F63
		mov	edi, [esp+2Ch+var_20]

loc_575F39:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+157j
					; KeOptimizeSpecCtrlSettings(x)+15Dj
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 40h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_575F39
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_575F39
		jmp	short loc_575FCA
; 

loc_575F63:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+131j
		test	al, 10h
		jz	short loc_575FCE
		cmp	_KiSsbdMsr, 48h
		mov	edi, [esp+2Ch+var_20]
		jnz	short loc_575FA2

loc_575F74:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+196j
					; KeOptimizeSpecCtrlSettings(x)+19Cj
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, ebx
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, 80h
		cmp	eax, esi
		jnz	short loc_575F74
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_575F74
		jmp	short loc_575FCA
; 

loc_575FA2:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+170j
					; KeOptimizeSpecCtrlSettings(x)+1C0j ...
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 40h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_575FA2
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_575FA2

loc_575FCA:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+15Fj
					; KeOptimizeSpecCtrlSettings(x)+19Ej
		mov	edi, [esp+2Ch+var_1C]

loc_575FCE:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+10Bj
					; KeOptimizeSpecCtrlSettings(x)+124j ...
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 4
		or	ecx, 0
		jnz	short loc_576011
		mov	edi, [esp+2Ch+var_20]

loc_575FE5:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+203j
					; KeOptimizeSpecCtrlSettings(x)+209j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 8
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_575FE5
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_575FE5
		mov	edi, [esp+2Ch+var_1C]

loc_576011:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+1DDj
		mov	eax, _KiFeatureSettings
		test	al, 4
		jz	loc_5760AC
		mov	edi, [esp+2Ch+var_20]

loc_576022:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+240j
					; KeOptimizeSpecCtrlSettings(x)+246j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 4
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576022
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576022
		mov	edi, [esp+2Ch+var_1C]

loc_57604E:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+2ACj
					; KeOptimizeSpecCtrlSettings(x)+2E5j ...
		xor	ebx, ebx

loc_576050:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+317j
					; KeOptimizeSpecCtrlSettings(x)+32Ej
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, (offset loc_7FFFFF+1)
		or	ecx, ebx
		jz	loc_5761A9
		mov	edx, [esp+2Ch+var_20]
		call	_KiIsRfdsMitigationSupported@8 ; KiIsRfdsMitigationSupported(x,x)
		test	eax, eax
		jnz	loc_576135
		mov	edi, edx

loc_57607C:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+29Dj
					; KeOptimizeSpecCtrlSettings(x)+2A3j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 40000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_57607C
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_57607C
		jmp	loc_5761A3
; 

loc_5760AC:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+216j
		test	al, 1
		jz	short loc_57604E
		mov	edi, [esp+2Ch+var_20]

loc_5760B4:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+2D2j
					; KeOptimizeSpecCtrlSettings(x)+2D8j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 4
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_5760B4
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_5760B4
		cmp	ds:_HvlHypervisorConnected, 0
		mov	edi, [esp+2Ch+var_1C]
		jz	loc_57604E
		test	byte ptr ds:_HvlpFlags,	2
		jz	loc_57604E
		call	_HvlIsCoreSharingPossible@0 ; HvlIsCoreSharingPossible()
		test	al, al
		jz	loc_57604E
		mov	ecx, ds:_KiSpeculationFeatures
		xor	ebx, ebx
		mov	eax, ds:dword_70E764
		and	ecx, 40h
		or	ecx, ebx
		jz	loc_576050
		push	2
		pop	eax
		mov	[edi+21BCh], ax
		mov	[edi+21C0h], ax
		jmp	loc_576050
; 

loc_576135:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+272j
		call	_KiIsRfdsMitigationDesired@8 ; KiIsRfdsMitigationDesired(x,x)
		test	eax, eax
		jnz	short loc_57616D
		mov	edi, edx

loc_576140:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+361j
					; KeOptimizeSpecCtrlSettings(x)+367j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 20000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576140
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576140
		jmp	short loc_5761A3
; 

loc_57616D:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+33Aj
		cmp	ds:_KiKvaShadow, 0
		jnz	short loc_5761A9
		mov	edi, edx

loc_576178:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+399j
					; KeOptimizeSpecCtrlSettings(x)+39Fj
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 80000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576178
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576178

loc_5761A3:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+2A5j
					; KeOptimizeSpecCtrlSettings(x)+369j
		mov	edi, [esp+2Ch+var_1C]
		xor	ebx, ebx

loc_5761A9:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+261j
					; KeOptimizeSpecCtrlSettings(x)+372j
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	[esp+2Ch+var_14], eax
		and	ecx, 80000h
		mov	eax, ebx
		or	eax, ecx
		push	10h
		pop	eax
		jz	short loc_5761D5
		or	byte ptr [edi+21B8h], 40h
		mov	[edi+4F08h], ax

loc_5761D5:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+3C3j
		mov	ecx, [ebp+arg_0]
		mov	edx, 80000000h
		test	ecx, ecx
		jz	short loc_576225
		mov	[esp+2Ch+var_8], ebx
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		dec	eax
		mov	esi, eax
		not	esi
		and	esi, edx
		test	eax, 7FFFFFFFh
		jnz	short loc_576203
		mov	eax, [ecx+4]
		or	eax, esi
		mov	[ecx], eax
		jmp	short loc_576225
; 

loc_576203:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+3F6j
		mov	eax, [ecx]
		and	eax, edx
		cmp	eax, esi
		jz	short loc_576225
		mov	edi, ecx

loc_57620D:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+41Dj
		lea	ecx, [esp+2Ch+var_8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		and	eax, 80000000h
		cmp	eax, esi
		jnz	short loc_57620D
		mov	edi, [esp+2Ch+var_1C]

loc_576225:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+3DDj
					; KeOptimizeSpecCtrlSettings(x)+3FFj ...
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	[esp+2Ch+var_14], eax
		and	ecx, 4
		mov	eax, ebx
		or	eax, ecx
		jnz	loc_576C1E
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	[esp+2Ch+var_14], eax
		and	ecx, 8
		mov	eax, ebx
		or	eax, ecx
		jnz	loc_576C1E
		mov	edi, [esp+2Ch+var_20]

loc_576261:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+47Fj
					; KeOptimizeSpecCtrlSettings(x)+485j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 10h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576261
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576261
		mov	edi, [esp+2Ch+var_1C]
		xor	edx, edx
		inc	edx
		xor	ebx, ebx
		or	byte ptr [edi+21B9h], 2
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, edx
		or	ecx, ebx
		jz	loc_57652C
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 4000h
		or	ecx, ebx
		mov	[esp+2Ch+var_18], edx
		jz	short loc_5762D0
		push	3
		pop	eax
		mov	[esp+2Ch+var_18], eax
		jmp	short loc_5762D4
; 

loc_5762D0:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+4C3j
		mov	eax, [esp+2Ch+var_18]

loc_5762D4:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+4CCj
		mov	[edi+21BCh], ax
		mov	esi, 80h
		mov	[edi+21C0h], ax
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	[esp+2Ch+var_14], eax
		and	ecx, 40h
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_576316
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	[esp+2Ch+var_14], eax
		and	ecx, esi
		mov	eax, ebx
		or	eax, ecx
		jz	short loc_57633C

loc_576316:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+4FBj
		movzx	eax, word ptr [edi+21BCh]
		lea	ecx, [esp+2Ch+var_18]
		mov	[esp+2Ch+var_18], eax
		call	_KiAddSpecCtrlSsbdBit@4	; KiAddSpecCtrlSsbdBit(x)
		mov	eax, [esp+2Ch+var_18]
		mov	[edi+21BCh], ax
		mov	[edi+21C0h], ax

loc_57633C:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+512j
		xor	eax, eax
		lea	edx, [edi+21BEh]
		inc	eax
		mov	[edx], ax
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	[esp+2Ch+var_14], eax
		and	ecx, 40h
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_576377
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	[esp+2Ch+var_14], eax
		and	ecx, esi
		mov	eax, ebx
		or	eax, ecx
		jz	short loc_57637E

loc_576377:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+55Cj
		mov	ecx, edx
		call	_KiAddSpecCtrlSsbdBit@4	; KiAddSpecCtrlSsbdBit(x)

loc_57637E:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+573j
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 4000h
		or	ecx, ebx
		jz	short loc_576399
		push	2
		pop	eax
		or	[edx], ax

loc_576399:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+58Fj
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 2000h
		or	ecx, ebx
		jz	short loc_5763B1
		or	[edx], si

loc_5763B1:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+5AAj
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 10000h
		or	ecx, ebx
		jz	loc_5764EE
		test	_KiFeatureSettings, (offset loc_7FFFFF+1)
		mov	edi, [esp+2Ch+var_20]
		jnz	short loc_57640A

loc_5763DA:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+5FBj
					; KeOptimizeSpecCtrlSettings(x)+601j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 100000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_5763DA
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_5763DA
		jmp	loc_5764E8
; 

loc_57640A:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+5D6j
		mov	al, byte ptr ds:dword_70E76C
		test	al, al
		jz	short loc_57645D

loc_576413:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+634j
					; KeOptimizeSpecCtrlSettings(x)+63Aj
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, (offset loc_7FFFFF+1)
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576413
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576413
		mov	edi, [esp+2Ch+var_1C]
		mov	al, byte ptr ds:dword_70E76C
		shl	al, 3
		xor	al, [edi+21B9h]
		and	al, 18h
		xor	[edi+21B9h], al
		jmp	loc_5764EC
; 

loc_57645D:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+60Fj
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 20000h
		or	ecx, ebx
		jz	short loc_5764BD

loc_576472:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+693j
					; KeOptimizeSpecCtrlSettings(x)+699j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 400000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576472
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576472
		mov	edi, [esp+2Ch+var_1C]
		mov	ecx, 400h
		or	[edi+21BCh], cx
		or	[edi+21C0h], cx
		or	[edi+21BEh], cx
		jmp	short loc_5764EC
; 

loc_5764BD:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+66Ej
					; KeOptimizeSpecCtrlSettings(x)+6DEj ...
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 200000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_5764BD
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_5764BD

loc_5764E8:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+603j
		mov	edi, [esp+2Ch+var_1C]

loc_5764EC:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+656j
					; KeOptimizeSpecCtrlSettings(x)+6B9j
		xor	ebx, ebx

loc_5764EE:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+5C2j
		mov	eax, ds:_KiSpeculationFeatures
		mov	esi, 80h
		mov	ecx, ds:dword_70E764
		mov	[esp+2Ch+var_14], eax
		and	ecx, esi
		mov	eax, ebx
		or	eax, ecx
		jz	loc_576CD0
		xor	edx, edx
		inc	edx

loc_576511:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+72Fj
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 10h
		or	ecx, ebx
		jz	short loc_576533
		mov	[edi+21BEh], dx
		jmp	short loc_576560
; 

loc_57652C:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+4A6j
		mov	esi, 80h
		jmp	short loc_576511
; 

loc_576533:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+71Fj
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 40h
		or	ecx, ebx
		jz	short loc_576560
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		push	2
		pop	eax
		and	ecx, eax
		or	ecx, ebx
		jz	short loc_576560
		mov	[edi+21BEh], ax

loc_576560:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+728j
					; KeOptimizeSpecCtrlSettings(x)+741j ...
		mov	ecx, ds:_KiSpeculationFeatures
		lea	edx, [edi+21BEh]
		mov	eax, ds:dword_70E764
		and	ecx, 4000h
		or	ecx, ebx
		jz	short loc_576581
		push	2
		pop	eax
		or	[edx], ax

loc_576581:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+777j
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 2000h
		or	ecx, ebx
		jz	short loc_57659F
		lea	edx, [edi+21BEh]
		or	[edx], si

loc_57659F:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+792j
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	[esp+2Ch+var_14], eax
		and	ecx, 40h
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_5765CE
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	[esp+2Ch+var_14], eax
		and	ecx, esi
		mov	eax, ebx
		or	eax, ecx
		jz	short loc_5765D5

loc_5765CE:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+7B3j
		mov	ecx, edx
		call	_KiAddSpecCtrlSsbdBit@4	; KiAddSpecCtrlSsbdBit(x)

loc_5765D5:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+7CAj
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		xor	eax, eax
		inc	eax
		and	ecx, eax
		or	ecx, ebx
		jnz	loc_576CD0
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_57663D
		mov	[esp+2Ch+var_4], ebx
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		dec	eax
		mov	esi, eax
		mov	edx, 80000000h
		not	esi
		and	esi, edx
		test	eax, 7FFFFFFFh
		jnz	short loc_57661B
		mov	eax, [ecx+4]
		or	eax, esi
		mov	[ecx], eax
		jmp	short loc_57663D
; 

loc_57661B:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+80Ej
		mov	eax, [ecx]
		and	eax, edx
		cmp	eax, esi
		jz	short loc_57663D
		mov	edi, ecx

loc_576625:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+835j
		lea	ecx, [esp+2Ch+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		and	eax, 80000000h
		cmp	eax, esi
		jnz	short loc_576625
		mov	edi, [esp+2Ch+var_1C]

loc_57663D:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+7F0j
					; KeOptimizeSpecCtrlSettings(x)+817j ...
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		push	2
		pop	edx
		and	ecx, edx
		or	ecx, ebx
		jz	short loc_5766D0
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 4000h
		or	ecx, ebx
		jnz	short loc_5766D0
		cmp	ds:_HvlHypervisorConnected, cl
		jnz	short loc_5766D0
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 10h
		or	ecx, ebx
		jnz	short loc_576692
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 40h
		or	ecx, ebx
		jz	short loc_5766D0

loc_576692:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+87Cj
		mov	edi, [esp+2Ch+var_20]

loc_576696:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+8B6j
					; KeOptimizeSpecCtrlSettings(x)+8BCj
		mov	esi, ds:_KiSpeculationFeatures
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		push	2
		pop	eax
		or	ecx, eax
		mov	[esp+2Ch+var_14], edx
		mov	eax, esi
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576696
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576696
		mov	edi, [esp+2Ch+var_1C]
		push	2
		pop	edx
		or	byte ptr [edi+21B9h], 1
		xor	ebx, ebx

loc_5766D0:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+84Dj
					; KeOptimizeSpecCtrlSettings(x)+862j ...
		test	byte ptr _KiFeatureSettings, 20h
		jz	short loc_57672C
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, edx
		or	ecx, ebx
		jz	short loc_57672C
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 40h
		or	ecx, ebx
		jz	short loc_57672C
		mov	edi, [esp+2Ch+var_20]

loc_576700:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+920j
					; KeOptimizeSpecCtrlSettings(x)+926j
		mov	esi, ds:_KiSpeculationFeatures
		xor	eax, eax
		mov	edx, ds:dword_70E764
		inc	eax
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, eax
		mov	eax, esi
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576700
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576700
		jmp	short loc_5767A9
; 

loc_57672C:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+8D5j
					; KeOptimizeSpecCtrlSettings(x)+8E6j ...
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, edx
		or	ecx, ebx
		jz	short loc_5767B2
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 40h
		or	ecx, ebx
		jz	short loc_5767B2
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	[esp+2Ch+var_14], eax
		and	ecx, 100h
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_5767B2
		cmp	ds:_HvlHypervisorConnected, al
		jz	short loc_5767B2
		call	_HvlIsCoreSharingPossible@0 ; HvlIsCoreSharingPossible()
		test	al, al
		jz	short loc_5767B2
		mov	edi, [esp+2Ch+var_20]

loc_57677F:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+99Fj
					; KeOptimizeSpecCtrlSettings(x)+9A5j
		mov	esi, ds:_KiSpeculationFeatures
		xor	eax, eax
		mov	edx, ds:dword_70E764
		inc	eax
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, eax
		mov	eax, esi
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_57677F
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_57677F

loc_5767A9:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+928j
		mov	edi, [esp+2Ch+var_1C]
		xor	ebx, ebx
		push	2
		pop	edx

loc_5767B2:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+939j
					; KeOptimizeSpecCtrlSettings(x)+94Bj ...
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, edx
		or	ecx, ebx
		jz	short loc_57683A
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 40h
		or	ecx, ebx
		jz	short loc_57683A
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 4000h
		or	ecx, ebx
		jz	short loc_57683A
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	[esp+2Ch+var_14], eax
		and	ecx, 100h
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_57683A
		mov	edi, [esp+2Ch+var_20]

loc_576809:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+A2Aj
					; KeOptimizeSpecCtrlSettings(x)+A30j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 800h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576809
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576809
		mov	edi, [esp+2Ch+var_1C]
		xor	ebx, ebx

loc_57683A:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+9BFj
					; KeOptimizeSpecCtrlSettings(x)+9D1j ...
		cmp	byte ptr [edi+3BEh], 2
		jnz	short loc_576895
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 10h
		or	ecx, ebx
		jnz	short loc_576895
		test	byte ptr _KiFeatureSettings, 40h
		jnz	short loc_576895
		mov	edi, [esp+2Ch+var_20]

loc_576862:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+A80j
					; KeOptimizeSpecCtrlSettings(x)+A86j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_4], edx
		or	ecx, 20h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576862
		cmp	edx, [esp+2Ch+var_4]
		jnz	short loc_576862
		mov	edi, [esp+2Ch+var_1C]
		xor	ebx, ebx
		jmp	loc_576CD0
; 

loc_576895:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+A3Fj
					; KeOptimizeSpecCtrlSettings(x)+A51j ...
		mov	ecx, edi
		call	_KiIsBranchConfusionPresent@4 ;	KiIsBranchConfusionPresent(x)
		test	eax, eax
		jz	loc_57694D
		mov	edi, [esp+2Ch+var_20]

loc_5768A8:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+AC5j
					; KeOptimizeSpecCtrlSettings(x)+AC9j
		mov	esi, ds:_KiSpeculationFeatures
		mov	ebx, esi
		mov	ecx, ds:dword_70E764
		or	ebx, 8000h
		mov	eax, esi
		mov	edx, ecx
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_5768A8
		cmp	edx, ecx
		jnz	short loc_5768A8
		mov	edx, edi
		mov	edi, [esp+2Ch+var_1C]
		mov	ecx, edi
		call	_KiIsBranchConfusionMitigationDesired@8	; KiIsBranchConfusionMitigationDesired(x,x)
		test	eax, eax
		jnz	short loc_57690D
		mov	edi, edx

loc_5768E0:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+B01j
					; KeOptimizeSpecCtrlSettings(x)+B07j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 1000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_5768E0
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_5768E0
		jmp	short loc_576947
; 

loc_57690D:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+ADAj
		mov	ecx, edi
		call	_KiIsBranchConfusionMitigationSupported@8 ; KiIsBranchConfusionMitigationSupported(x,x)
		test	eax, eax
		jnz	short loc_57694B
		mov	edi, [esp+2Ch+var_20]

loc_57691C:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+B3Dj
					; KeOptimizeSpecCtrlSettings(x)+B43j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 2000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_57691C
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_57691C

loc_576947:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+B09j
		mov	edi, [esp+2Ch+var_1C]

loc_57694B:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+B14j
		xor	ebx, ebx

loc_57694D:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+A9Cj
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 2000000h
		or	ecx, ebx
		jz	loc_5769E9
		call	_KiIsTsaMitigationDesired@4 ; KiIsTsaMitigationDesired(x)
		test	eax, eax
		jnz	short loc_5769A0
		mov	edi, [esp+2Ch+var_20]

loc_576973:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+B94j
					; KeOptimizeSpecCtrlSettings(x)+B9Aj
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 2000000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576973
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576973
		jmp	short loc_5769DA
; 

loc_5769A0:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+B6Bj
		mov	ecx, edi
		call	_KiIsTsaMitigationSupported@4 ;	KiIsTsaMitigationSupported(x)
		test	eax, eax
		jnz	short loc_5769E2
		mov	edi, [esp+2Ch+var_20]

loc_5769AF:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+BD0j
					; KeOptimizeSpecCtrlSettings(x)+BD6j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 4000000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_5769AF
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_5769AF

loc_5769DA:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+B9Cj
		mov	edi, [esp+2Ch+var_1C]
		xor	ebx, ebx
		jmp	short loc_5769E9
; 

loc_5769E2:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+BA7j
		or	byte ptr [edi+21B9h], 20h

loc_5769E9:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+B5Ej
					; KeOptimizeSpecCtrlSettings(x)+BDEj
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 200000h
		or	ecx, ebx
		jz	short loc_576A7A
		mov	edx, [esp+2Ch+var_20]
		call	_KiIsSrsoMitigationSupported@8 ; KiIsSrsoMitigationSupported(x,x)
		test	eax, eax
		jnz	short loc_576A3A
		mov	edi, edx

loc_576A0D:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+C2Ej
					; KeOptimizeSpecCtrlSettings(x)+C34j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 10000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576A0D
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576A0D
		jmp	short loc_576A74
; 

loc_576A3A:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+C07j
		mov	ecx, edi
		call	_KiIsSrsoMitigationDesired@8 ; KiIsSrsoMitigationDesired(x,x)
		test	eax, eax
		jnz	short loc_576A7A
		mov	edi, [esp+2Ch+var_20]

loc_576A49:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+C6Aj
					; KeOptimizeSpecCtrlSettings(x)+C70j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 8000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576A49
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576A49

loc_576A74:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+C36j
		mov	edi, [esp+2Ch+var_1C]
		xor	ebx, ebx

loc_576A7A:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+BFAj
					; KeOptimizeSpecCtrlSettings(x)+C41j
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 10000h
		or	ecx, ebx
		jz	loc_576BB7
		test	_KiFeatureSettings, (offset loc_7FFFFF+1)
		mov	edi, [esp+2Ch+var_20]
		jnz	short loc_576AD3

loc_576AA3:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+CC4j
					; KeOptimizeSpecCtrlSettings(x)+CCAj
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 100000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576AA3
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576AA3
		jmp	loc_576BB1
; 

loc_576AD3:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+C9Fj
		mov	al, byte ptr ds:dword_70E76C
		test	al, al
		jz	short loc_576B26

loc_576ADC:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+CFDj
					; KeOptimizeSpecCtrlSettings(x)+D03j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, (offset loc_7FFFFF+1)
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576ADC
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576ADC
		mov	edi, [esp+2Ch+var_1C]
		mov	al, byte ptr ds:dword_70E76C
		shl	al, 3
		xor	al, [edi+21B9h]
		and	al, 18h
		xor	[edi+21B9h], al
		jmp	loc_576BB5
; 

loc_576B26:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+CD8j
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	ecx, 20000h
		or	ecx, ebx
		jz	short loc_576B86

loc_576B3B:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+D5Cj
					; KeOptimizeSpecCtrlSettings(x)+D62j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 400000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576B3B
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576B3B
		mov	edi, [esp+2Ch+var_1C]
		mov	eax, 400h
		or	[edi+21BCh], ax
		or	[edi+21C0h], ax
		or	[edi+21BEh], ax
		jmp	short loc_576BB5
; 

loc_576B86:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+D37j
					; KeOptimizeSpecCtrlSettings(x)+DA7j ...
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch+var_14], edx
		or	ecx, 200000h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576B86
		cmp	edx, [esp+2Ch+var_14]
		jnz	short loc_576B86

loc_576BB1:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+CCCj
		mov	edi, [esp+2Ch+var_1C]

loc_576BB5:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+D1Fj
					; KeOptimizeSpecCtrlSettings(x)+D82j
		xor	ebx, ebx

loc_576BB7:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+C8Bj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_576C07
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		dec	eax
		mov	esi, eax
		mov	edx, 80000000h
		not	esi
		and	esi, edx
		test	eax, 7FFFFFFFh
		jnz	short loc_576BE1
		mov	eax, [ecx+4]
		or	eax, esi
		mov	[ecx], eax
		jmp	short loc_576C07
; 

loc_576BE1:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+DD4j
		mov	eax, [ecx]
		and	eax, edx
		mov	[esp+2Ch], ebx
		cmp	eax, esi
		jz	short loc_576C07
		mov	edi, ecx

loc_576BEF:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+DFFj
		lea	ecx, [esp+2Ch]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		and	eax, 80000000h
		cmp	eax, esi
		jnz	short loc_576BEF
		mov	edi, [esp+2Ch+var_1C]

loc_576C07:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+DBAj
					; KeOptimizeSpecCtrlSettings(x)+DDDj ...
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	@KiUpdateSpeculationControl@4 ;	KiUpdateSpeculationControl(x)
		jmp	loc_576CD0
; 

loc_576C1E:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+439j
					; KeOptimizeSpecCtrlSettings(x)+455j
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	eax, ebx
		and	ecx, 80h
		or	eax, ecx
		jz	short loc_576C96
		mov	edi, [esp+2Ch+var_20]

loc_576C39:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+E57j
					; KeOptimizeSpecCtrlSettings(x)+E5Dj
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch], edx
		or	ecx, 40h
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_576C39
		cmp	edx, [esp+2Ch]
		jnz	short loc_576C39

loc_576C61:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+E8Aj
					; KeOptimizeSpecCtrlSettings(x)+E90j
		mov	esi, ds:_KiSpeculationFeatures
		mov	eax, esi
		mov	edx, ds:dword_70E764
		mov	ecx, edx
		mov	[esp+2Ch], edx
		and	ecx, 0FFFFFF7Fh
		nop
		mov	edi, [esp+2Ch+var_20]
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [esp+2Ch+var_1C]
		cmp	eax, esi
		jnz	short loc_576C61
		cmp	edx, [esp+2Ch]
		jnz	short loc_576C61
		xor	ebx, ebx

loc_576C96:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+E31j
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	eax, ebx
		and	ecx, 40h
		or	eax, ecx
		jz	short loc_576CD0
		movzx	eax, word ptr [edi+21BCh]
		lea	ecx, [esp+2Ch+var_18]
		mov	[esp+2Ch+var_18], eax
		call	_KiAddSpecCtrlSsbdBit@4	; KiAddSpecCtrlSsbdBit(x)
		mov	eax, [esp+2Ch+var_18]
		mov	[edi+21BCh], ax
		mov	[edi+21C0h], ax

loc_576CD0:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+706j
					; KeOptimizeSpecCtrlSettings(x)+7E5j ...
		movzx	eax, word ptr [edi+21BCh]
		mov	[edi+21BAh], ax
		mov	edx, eax
		test	ax, ax
		jz	short loc_576CEB
		push	48h
		cdq
		pop	ecx
		wrmsr

loc_576CEB:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+EE1j
		mov	eax, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		and	eax, 40h
		or	ebx, eax
		jz	short loc_576D01
		call	_KiSetNonArchSsbd@0 ; KiSetNonArchSsbd()

loc_576D01:				; CODE XREF: KeOptimizeSpecCtrlSettings(x)+EF8j
		mov	ecx, edi
		call	_KiSetVirtualMitigationControl@4 ; KiSetVirtualMitigationControl(x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_KeOptimizeSpecCtrlSettings@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AdtpNormalizeAuditInfoHelper proc near	; CODE XREF: AdtpWriteToEtwEx(x,x)+69p
					; AdtpWriteToEtw(x,x)+69p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F8CE5 SIZE 000000A0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	loc_5F8CE5
		test	edx, edx
		jnz	short loc_576D82
		test	byte ptr [esi+14h], 1
		jz	short loc_576D82
		mov	ebx, [esi+8]
		lea	ecx, [esi+28h]
		mov	edx, esi
		mov	[ebp+var_4], edx

loc_576D43:				; CODE XREF: AdtpNormalizeAuditInfoHelper+81FE9j
		test	ebx, ebx
		jz	short loc_576D82
		push	edi

loc_576D48:				; CODE XREF: AdtpNormalizeAuditInfoHelper+6Bj
		mov	edi, [ecx-10h]
		lea	eax, [edi-1]
		cmp	eax, 21h
		ja	short loc_576D79
		movzx	eax, ds:byte_576D98[eax]
		jmp	ds:off_576D88[eax*4]

loc_576D61:				; DATA XREF: .text:off_576D88o
		mov	eax, [ecx]
		add	eax, edx
		mov	[ecx], eax
		cmp	edi, 2
		jz	short loc_576D76
		cmp	edi, 1
		jz	short loc_576D76
		cmp	edi, 22h
		jnz	short loc_576D79

loc_576D76:				; CODE XREF: AdtpNormalizeAuditInfoHelper+56j
					; AdtpNormalizeAuditInfoHelper+5Bj
		add	[eax+4], edx

loc_576D79:				; CODE XREF: AdtpNormalizeAuditInfoHelper+3Dj
					; AdtpNormalizeAuditInfoHelper+46j ...
		add	ecx, 14h
		sub	ebx, 1
		jnz	short loc_576D48
		pop	edi

loc_576D82:				; CODE XREF: AdtpNormalizeAuditInfoHelper+1Cj
					; AdtpNormalizeAuditInfoHelper+22j ...
		pop	esi
		pop	ebx
		leave
		retn
AdtpNormalizeAuditInfoHelper endp

; 
		align 4
off_576D88	dd offset loc_576D61	; DATA XREF: AdtpNormalizeAuditInfoHelper+46r
		dd offset loc_5F8D02
		dd offset loc_5F8D3F
		dd offset loc_576D79
byte_576D98	db 0			; DATA XREF: AdtpNormalizeAuditInfoHelper+3Fr
		align 2
		dw 3
		dd 30303h, 3030300h, 1030300h, 3030302h, 303h, 30300h
		dd 0
; 
		add	eax, [eax]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

McGenControlCallbackV2 proc near	; DATA XREF: McGenEventRegister_EtwRegister(x,x,x,x)+13o

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 005F8D85 SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_20]
		push	edi
		test	esi, esi
		jz	loc_576EAE
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		sub	eax, ecx
		jz	loc_5F8D92
		sub	eax, 1
		jnz	loc_5F8DCD
		mov	al, [ebp+arg_8]
		mov	edx, ecx
		mov	[esi+28h], al
		mov	eax, [ebp+arg_C]
		mov	[esi+10h], eax
		mov	eax, [ebp+arg_10]
		mov	[esi+14h], eax
		mov	eax, [ebp+arg_14]
		mov	[esi+18h], eax
		mov	eax, [ebp+arg_18]
		mov	[esi+1Ch], eax
		xor	eax, eax
		mov	dword ptr [esi+24h], 1
		cmp	ax, [esi+2Ah]
		jnb	short loc_576E87

loc_576E16:				; CODE XREF: McGenControlCallbackV2+CBj
		mov	eax, [esi+34h]
		mov	cl, [esi+28h]
		cmp	[edx+eax], cl
		ja	loc_5F8D85

loc_576E25:				; CODE XREF: McGenControlCallbackV2+81FD3j
		mov	eax, [esi+30h]
		mov	edi, [eax+edx*8]
		mov	ebx, [eax+edx*8+4]
		mov	eax, edi
		or	eax, ebx
		jz	short loc_576E61
		mov	ecx, [esi+10h]
		mov	eax, [esi+14h]
		and	ecx, edi
		and	eax, ebx
		or	ecx, eax
		jz	short loc_576EB7
		mov	eax, [esi+1Ch]
		mov	ecx, [esi+18h]
		mov	[esp+10h+var_4], eax
		mov	eax, ecx
		and	eax, edi
		mov	edi, [esp+10h+var_4]
		and	edi, ebx
		cmp	eax, ecx
		jnz	short loc_576EB7
		cmp	edi, [esp+10h+var_4]
		jnz	short loc_576EB7

loc_576E61:				; CODE XREF: McGenControlCallbackV2+79j
		mov	bl, 1

loc_576E63:				; CODE XREF: McGenControlCallbackV2+FFj
		mov	eax, [esi+2Ch]
		mov	ecx, edx
		shr	ecx, 5
		mov	edi, edx
		and	edi, 1Fh
		lea	ecx, [eax+ecx*4]
		mov	eax, [ecx]
		test	bl, bl
		jz	short loc_576EBB
		bts	eax, edi

loc_576E7C:				; CODE XREF: McGenControlCallbackV2+104j
		mov	[ecx], eax
		inc	edx
		movzx	eax, word ptr [esi+2Ah]
		cmp	edx, eax
		jb	short loc_576E16

loc_576E87:				; CODE XREF: McGenControlCallbackV2+5Aj
					; McGenControlCallbackV2+8201Dj
		push	1
		mov	edi, offset unk_6CDB08
		push	edi
		call	ExAcquireResourceSharedLite
		mov	esi, _FsRtlTieringHeatData
		mov	ebx, offset _FsRtlTieringHeatData

loc_576E9F:				; CODE XREF: McGenControlCallbackV2+8203Bj
		cmp	esi, ebx
		jnz	loc_5F8DDC
		mov	ecx, edi
		call	ExReleaseResourceLite

loc_576EAE:				; CODE XREF: McGenControlCallbackV2+11j
					; McGenControlCallbackV2+81FF1j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_576EB7:				; CODE XREF: McGenControlCallbackV2+87j
					; McGenControlCallbackV2+9Fj ...
		xor	bl, bl
		jmp	short loc_576E63
; 

loc_576EBB:				; CODE XREF: McGenControlCallbackV2+BDj
		btr	eax, edi
		jmp	short loc_576E7C
McGenControlCallbackV2 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAllocateKeyNameEntry(x,	x)
_EtwpAllocateKeyNameEntry@8 proc near	; DATA XREF: EtwpEnableKeyProviders+56o
					; EtwpInitializeAutoLoggers+6Ao

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	74777445h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_EtwpAllocateKeyNameEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetCpuSetsProcess(x, x, x, x)
_KeSetCpuSetsProcess@16	proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+127Fp
					; PAGE:007AA55Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, edx
		mov	[ebp+var_4], ecx
		xor	esi, esi
		mov	ecx, edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], esi
		call	_KiValidateCpuSetMasks@8 ; KiValidateCpuSetMasks(x,x)
		test	eax, eax
		js	short loc_576F61
		xor	ebx, ebx
		cmp	[ebp+arg_4], ebx
		setz	bl
		lea	ebx, ds:428h[ebx*4]
		add	ebx, [ebp+var_4]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_0+3],	al
		mov	eax, [ebp+var_4]
		add	eax, 34h
		push	eax
		mov	[ebp+arg_4], eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		cmp	[ebp+var_C], esi
		jz	short loc_576F2F
		mov	esi, [edi]

loc_576F2F:				; CODE XREF: KeSetCpuSetsProcess(x,x,x,x)+53j
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_8]
		mov	[ebx], esi
		call	_KiUpdateThreadCpuSetAffinitiesProcess@8 ; KiUpdateThreadCpuSetAffinitiesProcess(x,x)
		push	[ebp+arg_4]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	esi, large fs:20h
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, byte ptr [ebp+arg_0+3]
		mov	ecx, esi
		call	KiCheckForThreadDispatch
		xor	eax, eax

loc_576F61:				; CODE XREF: KeSetCpuSetsProcess(x,x,x,x)+24j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KeSetCpuSetsProcess@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeUpdateThreadCpuSets(x)
_KeUpdateThreadCpuSets@4 proc near	; CODE XREF: NtSetInformationThread+9F5p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		mov	bl, al
		call	KiUpdateThreadCpuSetAffinitiesFromDpcLevel
		mov	esi, large fs:20h
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, bl
		mov	ecx, esi
		call	KiCheckForThreadDispatch
		pop	esi
		pop	ebx
		leave
		retn
_KeUpdateThreadCpuSets@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiUpdateThreadCpuSetAffinitiesProcess(x, x)
_KiUpdateThreadCpuSetAffinitiesProcess@8 proc near
					; CODE XREF: KeSetCpuSetsProcess(x,x,x,x)+5Fp
					; KeRecomputeCpuSetAffinityProcess(x)+25p
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		lea	edi, [ecx+2Ch]
		mov	esi, [edi]
		and	dword ptr [ebx], 0
		jmp	short loc_576FC6
; 

loc_576FB7:				; CODE XREF: KiUpdateThreadCpuSetAffinitiesProcess(x,x)+22j
		lea	ecx, [esi-1D4h]
		mov	edx, ebx
		call	KiUpdateThreadCpuSetAffinitiesFromDpcLevel
		mov	esi, [esi]

loc_576FC6:				; CODE XREF: KiUpdateThreadCpuSetAffinitiesProcess(x,x)+Fj
		cmp	esi, edi
		jnz	short loc_576FB7
		pop	edi
		pop	esi
		pop	ebx
		retn
_KiUpdateThreadCpuSetAffinitiesProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiUpdateThreadCpuSetAffinitiesFromDpcLevel proc	near
					; CODE XREF: KeUpdateThreadCpuSets(x)+1Bp
					; KiUpdateThreadCpuSetAffinitiesProcess(x,x)+19p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F8DFA SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		lea	ebx, [esi+2Ch]

loc_576FE3:				; CODE XREF: KiUpdateThreadCpuSetAffinitiesFromDpcLevel+81E3Aj
		lock bts dword ptr [ebx], 0
		jb	loc_5F8DFA
		mov	eax, [esi+16Ch]
		mov	edx, edi
		mov	ecx, esi
		mov	[ebp+var_8], eax
		call	_KiUpdateThreadCpuSets@8 ; KiUpdateThreadCpuSets(x,x)
		mov	edi, eax
		mov	eax, [esi+16Ch]
		mov	dword ptr [ebx], 0
		test	ds:dword_70EFD0, 8000000h
		jnz	loc_5F8E0D

loc_57701E:				; CODE XREF: KiUpdateThreadCpuSetAffinitiesFromDpcLevel+81E4Fj
		test	edi, edi
		jnz	loc_5F8E22

loc_577026:				; CODE XREF: KiUpdateThreadCpuSetAffinitiesFromDpcLevel+81E64j
					; KiUpdateThreadCpuSetAffinitiesFromDpcLevel+81E71j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
KiUpdateThreadCpuSetAffinitiesFromDpcLevel endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiUpdateThreadCpuSets(x, x)
_KiUpdateThreadCpuSets@8 proc near	; CODE XREF: KiUpdateThreadCpuSetAffinitiesFromDpcLevel+2Dp
					; KeSetSelectedCpuSetsThread(x,x,x)+80p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ebx, edx
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		test	byte ptr [edi+58h], 8
		jnz	short loc_57708A
		lea	eax, [ebp+var_4]
		push	eax
		lea	edx, [ebp+var_8]
		call	KiAcquireThreadStateLock
		mov	ecx, edi
		mov	byte ptr [ebp+var_C], al
		call	KiComputeThreadAffinity
		push	ebx
		push	[ebp+var_4]
		mov	ebx, [ebp+var_8]
		lea	edx, [edi+164h]
		push	ebx
		push	[ebp+var_C]
		mov	ecx, edi
		call	KiRescheduleThreadAfterAffinityChange
		mov	esi, eax
		test	ebx, ebx
		jnz	short loc_577091

loc_57707D:				; CODE XREF: KiUpdateThreadCpuSets(x,x)+70j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	short loc_57709E

loc_577084:				; CODE XREF: KiUpdateThreadCpuSets(x,x)+77j
		neg	esi
		sbb	esi, esi
		and	esi, ebx

loc_57708A:				; CODE XREF: KiUpdateThreadCpuSets(x,x)+1Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_577091:				; CODE XREF: KiUpdateThreadCpuSets(x,x)+4Fj
		xor	ecx, ecx
		lea	eax, [ebx+2224h]
		lock and [eax],	ecx
		jmp	short loc_57707D
; 

loc_57709E:				; CODE XREF: KiUpdateThreadCpuSets(x,x)+56j
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	short loc_577084
_KiUpdateThreadCpuSets@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGetProcessorInformation(x, x, x, x)
_KiGetProcessorInformation@16 proc near	; CODE XREF: KiIntersectFeaturesWithPolicy+82p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		mov	[ebp+var_24], eax
		lea	edi, [ebp+var_14]
		xor	eax, eax
		mov	[ebp+var_18], ecx
		stosd
		xor	ecx, ecx
		push	ebx
		mov	[ebp+var_1C], edx
		stosd
		stosd
		stosd
		xor	eax, eax
		cpuid
		mov	esi, ebx
		lea	edi, [ebp+var_14]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	ecx, [ebp+var_18]
		mov	[edi+0Ch], edx
		lea	edi, [ebp+var_14]
		mov	eax, [ebp+var_10]
		push	ebx
		mov	[ecx], eax
		mov	eax, [ebp+var_C]
		mov	[ecx+8], eax
		mov	eax, [ebp+var_8]
		mov	[ecx+4], eax
		xor	eax, eax
		stosd
		xor	ecx, ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		lea	edi, [ebp+var_14]
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	ecx, [ebp+var_1C]
		mov	[edi+0Ch], edx
		mov	eax, [ebp+var_14]
		pop	edi
		mov	[ecx], eax
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+var_C]
		pop	esi
		pop	ebx
		mov	[ecx], eax
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_8]
		mov	[ecx], eax
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_KiGetProcessorInformation@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2372. RtlUdiv128

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUdiv128(x, x, x,	x, x, x, x)
		public _RtlUdiv128@28
_RtlUdiv128@28	proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_8]
		mov	[ebp+arg_C], eax
		mov	[ebp+arg_4], ecx
		mov	[ebp+var_4], 40h
		push	esi

loc_577177:				; CODE XREF: RtlUdiv128(x,x,x,x,x,x,x)+81j
		shld	[ebp+arg_4], ebx, 1
		mov	edx, ecx
		mov	esi, ecx
		mov	ecx, eax
		sar	edx, 1Fh
		xor	eax, eax
		shr	ecx, 1Fh
		or	eax, [ebp+arg_4]
		add	ebx, ebx
		or	ebx, ecx
		sar	esi, 1Fh
		mov	ecx, eax
		mov	eax, [ebp+arg_C]
		shld	eax, edi, 1
		mov	[ebp+arg_4], ecx
		mov	[ebp+arg_C], eax
		add	edi, edi
		mov	eax, ebx
		or	eax, edx
		mov	[ebp+var_8], eax
		mov	eax, ecx
		or	eax, esi
		cmp	eax, [ebp+arg_14]
		jb	short loc_5771EA
		ja	short loc_5771BF
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+arg_10]
		jb	short loc_5771EA

loc_5771BF:				; CODE XREF: RtlUdiv128(x,x,x,x,x,x,x)+61j
		mov	eax, [ebp+arg_C]
		or	edi, 1
		sub	ebx, [ebp+arg_10]
		mov	[ebp+arg_C], eax
		sbb	ecx, [ebp+arg_14]
		mov	[ebp+arg_4], ecx

loc_5771D1:				; CODE XREF: RtlUdiv128(x,x,x,x,x,x,x)+99j
		sub	[ebp+var_4], 1
		jnz	short loc_577177
		mov	eax, [ebp+arg_18]
		pop	esi
		test	eax, eax
		jnz	short loc_5771EF

loc_5771DF:				; CODE XREF: RtlUdiv128(x,x,x,x,x,x,x)+A0j
		mov	edx, [ebp+arg_C]
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn	1Ch
; 

loc_5771EA:				; CODE XREF: RtlUdiv128(x,x,x,x,x,x,x)+5Fj
					; RtlUdiv128(x,x,x,x,x,x,x)+69j
		mov	eax, [ebp+arg_C]
		jmp	short loc_5771D1
; 

loc_5771EF:				; CODE XREF: RtlUdiv128(x,x,x,x,x,x,x)+89j
		mov	[eax], ebx
		mov	[eax+4], ecx
		jmp	short loc_5771DF
_RtlUdiv128@28	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 740. IoAllocateDriverObjectExtension

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoAllocateDriverObjectExtension
IoAllocateDriverObjectExtension	proc near

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005F8E44 SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		mov	[ebp+var_1], 0
		and	dword ptr [ebx], 0
		cmp	eax, 0FFFFFFF7h
		ja	loc_5F8E98
		push	76697244h
		lea	edi, [eax+8]
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5F8E98
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edi, [ebp+arg_4]
		add	esp, 0Ch
		mov	[esi+4], edi
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	byte ptr [ebp+arg_C+3],	al
		mov	eax, [ebp+arg_0]
		mov	[ebp+arg_8], 1
		mov	ecx, [eax+18h]
		mov	edx, [ecx+14h]
		mov	ecx, edx
		test	ecx, ecx
		jnz	loc_5F8E44

loc_57726F:				; CODE XREF: IoAllocateDriverObjectExtension+81C5Bj
		mov	[esi], edx
		mov	eax, [eax+18h]
		mov	[eax+14h], esi
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_1], al

loc_57727D:				; CODE XREF: IoAllocateDriverObjectExtension+81C55j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	edi, [eax+468h]
		jnz	loc_5F8E5C
		mov	eax, [edi]
		test	eax, eax
		jnz	loc_5F8E72
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jnz	loc_5F8E6B

loc_5772B3:				; CODE XREF: IoAllocateDriverObjectExtension+81C6Aj
					; IoAllocateDriverObjectExtension+81C85j
		mov	cl, byte ptr [ebp+arg_C+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_1], 0
		jz	loc_5F8E86
		lea	eax, [esi+8]
		mov	[ebx], eax
		xor	eax, eax

loc_5772CD:				; CODE XREF: IoAllocateDriverObjectExtension+81C97j
					; IoAllocateDriverObjectExtension+81CA1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
IoAllocateDriverObjectExtension	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipUpdateDeviceProducts	proc near	; DATA XREF: PnpBootPhaseComplete+6Fo

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= word ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F8EA2 SIZE 00000161 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+88h+var_24], eax
		lea	eax, [esp+88h+var_60]
		mov	[esp+88h+var_40], edi
		push	eax
		push	0Fh
		mov	esi, edi
		mov	[esp+90h+var_3C], edi
		pop	edx
		mov	[esp+8Ch+var_30], edi
		mov	ebx, edi
		mov	[esp+8Ch+var_2C], edi
		mov	[esp+8Ch+var_64], esi
		mov	[esp+8Ch+var_68], edi
		mov	[esp+8Ch+var_70], edi
		mov	[esp+8Ch+var_60], edi
		mov	[esp+8Ch+var_6C], edi
		mov	[esp+8Ch+var_50], edi
		mov	[esp+8Ch+var_78], edi
		mov	[esp+8Ch+var_44], edi
		mov	[esp+8Ch+var_5C], edi
		mov	[esp+8Ch+var_48], edi
		mov	[esp+8Ch+var_38], edi
		mov	dword ptr [esp+8Ch+var_34], edi
		mov	[esp+8Ch+var_58], edi
		mov	[esp+8Ch+var_74], edi
		mov	[esp+8Ch+var_20], edi
		mov	[esp+8Ch+var_1C], edi
		mov	[esp+8Ch+var_4C], edi
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		test	eax, eax
		js	loc_5F8FEF
		mov	edx, [esp+88h+var_60]
		lea	eax, [esp+88h+var_50]
		push	eax
		push	20019h
		push	edi
		push	offset ??_C@_1CG@OKDMALDI@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AA?2?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt@FNODOBFM@ ; "Current\\ProductIds"
		xor	ecx, ecx
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C0000034h
		jz	loc_5F8FEF
		lea	eax, [esp+98h+var_88]
		push	eax		; int
		push	edi		; int
		push	edi		; void *
		push	edi		; int
		push	(offset	off_5A4B20+2) ;	void *
		push	edi		; int
		push	offset ??_C@_1DC@IPENELJD@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAe@FNODOBFM@	; int
		call	RtlGetPersistedStateLocation
		test	eax, eax
		jns	loc_5F8FEF
		cmp	eax, 80000005h
		jnz	loc_5F8FEF
		push	6E697050h
		push	[esp+9Ch+var_88]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+98h+var_64], ebx
		test	ebx, ebx
		jz	loc_5F8FE8
		lea	eax, [esp+98h+var_88]
		push	eax		; int
		push	[esp+9Ch+var_88] ; int
		push	ebx		; void *
		push	edi		; int
		push	(offset	off_5A4B20+2) ;	void *
		push	edi		; int
		push	offset ??_C@_1DC@IPENELJD@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAe@FNODOBFM@	; int
		call	RtlGetPersistedStateLocation
		test	eax, eax
		js	loc_5F8FE8
		push	edi
		lea	eax, [esp+9Ch+var_78]
		xor	edx, edx
		push	eax
		push	edi
		push	2001Fh
		push	edi
		push	ebx
		xor	ecx, ecx
		call	__PnpCtxRegCreateTree@32 ; _PnpCtxRegCreateTree(x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	loc_5F8FE8
		lea	eax, [esp+98h+var_40]
		push	eax
		lea	edx, [esp+9Ch+var_50]
		lea	ecx, [esp+9Ch+var_30]
		call	KeQueryBootTimeValues
		mov	eax, [esp+98h+var_40]
		sub	[esp+98h+var_50], eax
		mov	eax, [esp+98h+var_3C]
		sbb	[esp+98h+var_4C], eax
		lea	eax, [esp+98h+var_54]
		mov	edx, [esp+98h+var_78]
		push	edi
		push	edi
		push	edi
		push	eax
		lea	eax, [esp+0A8h+var_58]
		push	eax
		call	__PnpCtxRegQueryInfoKey@28 ; _PnpCtxRegQueryInfoKey(x,x,x,x,x,x,x)
		test	eax, eax
		jnz	loc_5F8FE8
		cmp	[esp+98h+var_58], esi
		jbe	loc_577571
		mov	eax, [esp+98h+var_54]
		inc	eax
		mov	[esp+98h+var_54], eax
		add	eax, eax
		push	6E697050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+98h+var_84], edi
		test	edi, edi
		jz	loc_577672
		xor	edi, edi
		mov	[esp+98h+var_70], edi
		cmp	[esp+98h+var_58], esi
		jbe	loc_57756F
		mov	ebx, eax

loc_57749C:				; CODE XREF: PipUpdateDeviceProducts+28Dj
		mov	edx, [esp+98h+var_80]
		mov	eax, [esp+98h+var_54]
		mov	[esp+98h+var_74], eax
		test	edx, edx
		jz	short loc_5774B6
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)
		and	[esp+98h+var_80], 0

loc_5774B6:				; CODE XREF: PipUpdateDeviceProducts+1D6j
		mov	edx, [esp+98h+var_78]
		lea	eax, [esp+98h+var_74]
		push	eax
		push	ebx
		push	edi
		call	__PnpCtxRegEnumKey@20 ;	_PnpCtxRegEnumKey(x,x,x,x,x)
		test	eax, eax
		js	loc_577558
		mov	edx, [esp+98h+var_78]
		lea	eax, [esp+98h+var_80]
		push	eax
		push	2001Fh
		push	0
		push	ebx
		xor	ecx, ecx
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_577558
		mov	edx, [esp+0A8h+var_90]
		lea	eax, [esp+0A8h+var_98]
		push	eax
		lea	eax, [esp+0ACh+var_34]
		mov	[esp+0ACh+var_98], 0Eh
		push	eax
		lea	eax, [esp+0B0h+var_78]
		push	eax
		push	offset ??_C@_1O@FDGFDJPD@?$AAS?$AAo?$AAu?$AAr?$AAc?$AAe@FNODOBFM@
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_577558
		cmp	[esp+0A8h+var_78], 1
		jnz	short loc_577558
		cmp	[esp+0A8h+var_98], 0Eh
		jnz	short loc_577558
		lea	eax, [esp+0A8h+var_34]
		push	offset ??_C@_1O@FAMJMIMO@?$AAS?$AAM?$AAB?$AAI?$AAO?$AAS@FNODOBFM@ ; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_577558
		mov	edx, [esp+0A8h+var_70]
		lea	eax, [esp+0A8h+var_98]
		xor	ecx, ecx
		push	eax
		push	ecx
		push	ecx
		push	ebx
		mov	[esp+0B8h+var_98], ecx
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		cmp	eax, 0C0000034h
		jz	loc_5F8EA2

loc_577558:				; CODE XREF: PipUpdateDeviceProducts+1F4j
					; PipUpdateDeviceProducts+214j	...
		inc	edi
		mov	[esp+0A8h+var_80], edi
		cmp	edi, [esp+0A8h+var_68]
		jb	loc_57749C
		mov	ebx, [esp+0A8h+var_74]
		mov	[esp+0A8h+var_84], esi

loc_57756F:				; CODE XREF: PipUpdateDeviceProducts+1C0j
		xor	edi, edi

loc_577571:				; CODE XREF: PipUpdateDeviceProducts+18Aj
		mov	edx, [esp+0A8h+var_70]
		lea	eax, [esp+0A8h+var_7C]
		push	edi
		push	eax
		lea	eax, [esp+0B0h+var_58]
		push	eax
		push	edi
		push	edi
		call	__PnpCtxRegQueryInfoKey@28 ; _PnpCtxRegQueryInfoKey(x,x,x,x,x,x,x)
		test	eax, eax
		jnz	loc_57766E
		mov	ebx, [esp+0A8h+var_58]
		test	ebx, ebx
		jz	loc_57766A
		mov	eax, [esp+0A8h+var_7C]
		inc	eax
		mov	[esp+0A8h+var_7C], eax
		add	eax, eax
		push	6E697050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0A8h+var_6C], eax
		test	eax, eax
		jz	loc_57766A
		test	ebx, ebx
		jz	loc_57766A
		mov	esi, [esp+0A8h+var_7C]
		jmp	short loc_5775D1
; 

loc_5775CD:				; CODE XREF: PipUpdateDeviceProducts+38Cj
		mov	eax, [esp+0A8h+var_6C]

loc_5775D1:				; CODE XREF: PipUpdateDeviceProducts+2F7j
		mov	edx, [esp+0A8h+var_8C]
		mov	[esp+0A8h+var_7C], esi
		test	edx, edx
		jz	short loc_5775EB
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)
		and	[esp+0A8h+var_8C], 0
		mov	eax, [esp+0A8h+var_6C]

loc_5775EB:				; CODE XREF: PipUpdateDeviceProducts+307j
		mov	edx, [esp+0A8h+var_70]
		lea	ecx, [esp+0A8h+var_7C]
		push	0		; int
		push	0		; void *
		push	0		; int
		push	ecx		; int
		push	eax		; void *
		push	edi		; int
		call	__PnpCtxRegEnumValue@32	; _PnpCtxRegEnumValue(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_57765D
		mov	edx, [esp+0A8h+var_88]
		lea	eax, [esp+0A8h+var_54]
		push	eax
		lea	eax, [esp+0ACh+var_8C]
		xor	ecx, ecx
		push	eax
		mov	eax, [esp+0B0h+var_6C]
		push	0
		push	20006h
		push	0
		push	eax
		call	__PnpCtxRegCreateKey@32	; _PnpCtxRegCreateKey(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_57765D
		cmp	[esp+0A8h+var_54], 1
		jz	loc_5F8F7A

loc_577637:				; CODE XREF: PipUpdateDeviceProducts+81CBDj
		mov	edx, [esp+0A8h+var_8C]
		lea	eax, [esp+0A8h+var_98]
		xor	ecx, ecx
		push	eax
		push	ecx
		push	ecx
		push	offset ??_C@_1BA@LIACFDLB@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@FNODOBFM@
		mov	[esp+0B8h+var_98], ecx
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		cmp	eax, 0C0000034h
		jz	loc_5F8F96

loc_57765D:				; CODE XREF: PipUpdateDeviceProducts+32Fj
					; PipUpdateDeviceProducts+356j	...
		inc	edi
		cmp	edi, ebx
		jb	loc_5775CD
		mov	esi, [esp+0A8h+var_84]

loc_57766A:				; CODE XREF: PipUpdateDeviceProducts+2C1j
					; PipUpdateDeviceProducts+2E5j	...
		mov	ebx, [esp+0A8h+var_74]

loc_57766E:				; CODE XREF: PipUpdateDeviceProducts+2B5j
		mov	edi, [esp+0A8h+var_94]

loc_577672:				; CODE XREF: PipUpdateDeviceProducts+1B0j
					; PipUpdateDeviceProducts+81D16j ...
		mov	edx, [esp+0A8h+var_8C]
		test	edx, edx
		jz	short loc_57767F
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_57767F:				; CODE XREF: PipUpdateDeviceProducts+3A4j
		mov	edx, [esp+0A8h+var_70]
		test	edx, edx
		jz	short loc_57768C
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_57768C:				; CODE XREF: PipUpdateDeviceProducts+3B1j
		mov	edx, [esp+0A8h+var_90]
		test	edx, edx
		jz	short loc_577699
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_577699:				; CODE XREF: PipUpdateDeviceProducts+3BEj
		mov	edx, [esp+0A8h+var_88]
		test	edx, edx
		jz	short loc_5776A6
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_5776A6:				; CODE XREF: PipUpdateDeviceProducts+3CBj
		mov	eax, [esp+0A8h+var_6C]
		test	eax, eax
		jz	short loc_5776B6
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5776B6:				; CODE XREF: PipUpdateDeviceProducts+3D8j
		test	edi, edi
		jz	short loc_5776C2
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5776C2:				; CODE XREF: PipUpdateDeviceProducts+3E4j
		test	esi, esi
		jnz	loc_5F8FF6

loc_5776CA:				; CODE XREF: PipUpdateDeviceProducts+81D2Aj
		test	ebx, ebx
		jz	short loc_5776D6
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5776D6:				; CODE XREF: PipUpdateDeviceProducts+3F8j
		mov	eax, [esp+0A8h+var_44]
		test	eax, eax
		jz	short loc_5776E6
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5776E6:				; CODE XREF: PipUpdateDeviceProducts+408j
		mov	ecx, [esp+0A8h+var_24]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
PipUpdateDeviceProducts	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAssignInitialPageAttribute(x, x)
_MiAssignInitialPageAttribute@8	proc near ; CODE XREF: .text:0047FCDDp
					; MiInsertPhysicalPteMapping+8D354p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, dword_6D3058
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		cmp	eax, large fs:124h
		jz	short loc_577757
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	bl, al

loc_577720:				; CODE XREF: MiAssignInitialPageAttribute(x,x)+5Bj
		mov	dl, [esi+16h]
		mov	cl, dl
		and	cl, 0C0h
		cmp	cl, 0C0h
		jnz	short loc_57773B
		mov	eax, [ebp+var_4]
		and	dl, 3Fh
		shl	al, 6
		or	dl, al
		mov	[esi+16h], dl

loc_57773B:				; CODE XREF: MiAssignInitialPageAttribute(x,x)+2Dj
		cmp	bl, 21h
		jz	short loc_577753
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_577753:				; CODE XREF: MiAssignInitialPageAttribute(x,x)+40j
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_577757:				; CODE XREF: MiAssignInitialPageAttribute(x,x)+19j
		mov	bl, 21h
		jmp	short loc_577720
_MiAssignInitialPageAttribute@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmInitIllegalThrottleLogging proc near	; CODE XREF: PoInitSystem:loc_AC191Bp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F9003 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		lea	ecx, [ebp+var_1C]
		push	edi
		push	2001Fh
		mov	edx, offset _PopRegKey ; "Control\\Session Manager\\Power"
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		call	_PopOpenKey@12	; PopOpenKey(x,x,x)
		test	eax, eax
		js	short loc_5777D3
		push	offset _PopProcessorThrottleLogIntervalRegKey ;	"ProcessorThrottleLogInterval"
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_20]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_5F9003

loc_5777CB:				; CODE XREF: PpmInitIllegalThrottleLogging+818ABj
					; PpmInitIllegalThrottleLogging+818B5j	...
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_5777D3:				; CODE XREF: PpmInitIllegalThrottleLogging+35j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PpmInitIllegalThrottleLogging endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInsertViewOfPhysicalSection proc near	; CODE XREF: MiMapViewOfPhysicalSection+1F7p

var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F9037 SIZE 0000007B BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, [edx+1Ch]
		and	eax, 0E80h
		mov	[ebp+var_18], edx
		or	eax, 100h
		shr	eax, 7
		mov	[ebp+var_30], eax
		mov	eax, [edx+0Ch]
		push	esi
		push	edi
		mov	edi, 0FFFFFh
		mov	esi, ecx
		and	eax, edi
		lea	ecx, ds:0C0000000h[eax*8]
		mov	eax, [edx+10h]
		and	eax, edi
		mov	[ebp+var_8], ecx
		mov	ecx, large fs:124h
		xor	edi, edi
		mov	[ebp+var_14], ecx
		lea	eax, ds:0C0000000h[eax*8]
		dec	word ptr [ecx+13Eh]
		mov	[ebp+var_1C], eax
		lea	eax, [esi+240h]
		mov	[ebp+var_10], eax
		nop
		lea	eax, [edx+18h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_14]
		or	byte ptr [ecx+304h], 80h
		nop
		mov	ecx, [ebp+var_18]
		mov	edx, esi
		push	1
		call	MiInsertVad
		mov	esi, [ebp+var_10]
		mov	ecx, esi
		call	MiLockWorkingSetShared
		mov	byte ptr [ebp+var_10], al
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+var_1C]
		ja	short loc_5778DB
		mov	ecx, [ebx+8]

loc_577892:				; CODE XREF: MiInsertViewOfPhysicalSection+ECj
		test	edi, edi
		jz	loc_577A25
		test	eax, 0FFFh
		jz	loc_5F9037

loc_5778A5:				; CODE XREF: MiInsertViewOfPhysicalSection+278j
		push	[ebp+var_30]
		mov	edx, ecx
		mov	ecx, eax
		call	MiInsertPhysicalPteMapping
		mov	eax, [ebp+var_8]
		add	eax, 8
		mov	[ebp+var_8], eax
		test	al, 78h
		jz	loc_577A5D

loc_5778C2:				; CODE XREF: MiInsertViewOfPhysicalSection+2ABj
		mov	ecx, [ebx+8]
		inc	ecx
		mov	[ebx+8], ecx
		cmp	eax, [ebp+var_1C]
		jbe	short loc_577892
		test	edi, edi
		jz	short loc_5778DB
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_5778DB:				; CODE XREF: MiInsertViewOfPhysicalSection+ADj
					; MiInsertViewOfPhysicalSection+F0j
		mov	dl, byte ptr [ebp+var_10]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	eax, [ebp+var_14]
		or	edx, 0FFFFFFFFh
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_1C], edx
		and	byte ptr [eax+304h], 7Fh
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_577A90

loc_577908:				; CODE XREF: MiInsertViewOfPhysicalSection+2B8j
		xor	edi, edi
		mov	[ebp+var_18], edi
		test	ecx, 7FFFFFFCh
		jz	loc_577A12
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_10], esi
		pop	edx
		jb	short loc_577945
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_577A9D

loc_577945:				; CODE XREF: MiInsertViewOfPhysicalSection+156j
		cmp	ecx, [ebp+var_30]
		jb	short loc_577957
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jz	loc_577A9D

loc_577957:				; CODE XREF: MiInsertViewOfPhysicalSection+168j
					; MiInsertViewOfPhysicalSection+2D0j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_577AF9
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_577B0C

loc_577998:				; CODE XREF: MiInsertViewOfPhysicalSection+334j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_18], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5F907A
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_5779E4:				; CODE XREF: MiInsertViewOfPhysicalSection+321j
					; MiInsertViewOfPhysicalSection+818ACj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jnz	loc_577AB5

loc_5779FB:				; CODE XREF: MiInsertViewOfPhysicalSection+30Ej
					; MiInsertViewOfPhysicalSection+818CDj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_577A12
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_577B19

loc_577A12:				; CODE XREF: MiInsertViewOfPhysicalSection+133j
					; MiInsertViewOfPhysicalSection+224j ...
		mov	ecx, [ebp+var_14]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_577A25:				; CODE XREF: MiInsertViewOfPhysicalSection+B4j
					; MiInsertViewOfPhysicalSection+81860j
		mov	eax, [ebp+var_18]
		xor	edx, edx
		mov	ecx, [ebp+var_8]
		push	0
		push	[ebp+var_10]
		mov	eax, [eax+1Ch]
		shr	eax, 0Ch
		and	eax, 3Fh
		push	eax
		call	MiMakeSystemAddressValid
		mov	eax, [ebp+var_8]
		mov	edi, eax
		mov	ecx, [ebx+8]
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		jmp	loc_5778A5
; 

loc_577A5D:				; CODE XREF: MiInsertViewOfPhysicalSection+DCj
		mov	ecx, esi
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	loc_5F9045
		mov	edx, edi
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jnz	loc_5F9045
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	loc_5F9045

loc_577A88:				; CODE XREF: MiInsertViewOfPhysicalSection+81881j
		mov	eax, [ebp+var_8]
		jmp	loc_5778C2
; 

loc_577A90:				; CODE XREF: MiInsertViewOfPhysicalSection+122j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_C]
		jmp	loc_577908
; 

loc_577A9D:				; CODE XREF: MiInsertViewOfPhysicalSection+15Fj
					; MiInsertViewOfPhysicalSection+171j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_C]
		mov	edx, eax
		mov	[ebp+var_1C], eax
		jmp	loc_577957
; 

loc_577AB5:				; CODE XREF: MiInsertViewOfPhysicalSection+215j
		test	edi, 8000h
		jz	short loc_577AC6
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_577AC6:				; CODE XREF: MiInsertViewOfPhysicalSection+2DBj
		test	byte ptr [ebp+var_18+2], 1
		jnz	loc_5F9091

loc_577AD0:				; CODE XREF: MiInsertViewOfPhysicalSection+818BBj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_577AE4
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_577AE4:				; CODE XREF: MiInsertViewOfPhysicalSection+2F7j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_5779FB
		jmp	loc_5F90A0
; 

loc_577AF9:				; CODE XREF: MiInsertViewOfPhysicalSection+1A0j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_5779E4
		jmp	loc_5F9066
; 

loc_577B0C:				; CODE XREF: MiInsertViewOfPhysicalSection+1B2j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]
		jmp	loc_577998
; 

loc_577B19:				; CODE XREF: MiInsertViewOfPhysicalSection+22Cj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_577A12
MiInsertViewOfPhysicalSection endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpFreeKeyNameEntry(x, x)
_EtwpFreeKeyNameEntry@8	proc near	; DATA XREF: EtwpEnableKeyProviders+51o
					; EtwpInitializeAutoLoggers+65o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	74777445h
		push	[ebp+arg_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_EtwpFreeKeyNameEntry@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpRuleUpdateWorkerThread proc near	; DATA XREF: EmInitSystem+21Eo

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F90B2 SIZE 00000118 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		mov	edi, offset _EmpEvaluationQueueLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, _EmpRuleUpdateQueue
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_577E4A
		mov	esi, edi
		and	esi, 7FFFFFFCh
		mov	[ebp+var_20], esi

loc_577B73:				; CODE XREF: EmpRuleUpdateWorkerThread+2EBj
		test	eax, eax
		jz	short loc_577B7E
		mov	eax, [eax]
		mov	_EmpRuleUpdateQueue, eax

loc_577B7E:				; CODE XREF: EmpRuleUpdateWorkerThread+3Bj
		mov	eax, ecx
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_5F90B2

loc_577B8C:				; CODE XREF: EmpRuleUpdateWorkerThread+8157Aj
					; EmpRuleUpdateWorkerThread+81587j
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	esi, esi
		jz	loc_577CA8
		mov	esi, large fs:124h
		mov	eax, offset _EmpEvaluationQueueLock
		mov	edx, dword_6D07D0
		mov	ecx, eax
		shr	ecx, 15h
		mov	[ebp+var_1C], esi
		cmp	edx, eax
		ja	short loc_577BDC
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_577E2A
		mov	eax, offset _EmpEvaluationQueueLock
		cmp	edx, eax
		ja	short loc_577BDC
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_577E2A

loc_577BDC:				; CODE XREF: EmpRuleUpdateWorkerThread+7Bj
					; EmpRuleUpdateWorkerThread+93j
		or	eax, 0FFFFFFFFh

loc_577BDF:				; CODE XREF: EmpRuleUpdateWorkerThread+2FBj
		dec	word ptr [esi+13Eh]
		mov	[ebp+var_14], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	edx, offset _EmpEvaluationQueueLock
		mov	[ebp+var_1], cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jz	loc_578061
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_578074

loc_577C26:				; CODE XREF: EmpRuleUpdateWorkerThread+542j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	[ebp+var_1], 1
		jnz	loc_5F90C6
		or	[esi+1E4h], dl

loc_577C6C:				; CODE XREF: EmpRuleUpdateWorkerThread+52Fj
					; EmpRuleUpdateWorkerThread+81598j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_1C], eax
		jnz	loc_577F95

loc_577C83:				; CODE XREF: EmpRuleUpdateWorkerThread+494j
					; EmpRuleUpdateWorkerThread+815C1j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_577CA8
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_578081

loc_577CA8:				; CODE XREF: EmpRuleUpdateWorkerThread+59j
					; EmpRuleUpdateWorkerThread+160j ...
		mov	edi, [ebp+var_10]
		mov	esi, offset _EmpDatabaseLock
		add	edi, 0FFFFFFFCh
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_10], edi
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [edi+8]
		mov	ecx, [edi]
		call	EmpUpdateRuleState
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_5F9100

loc_577CD8:				; CODE XREF: EmpRuleUpdateWorkerThread+815C8j
					; EmpRuleUpdateWorkerThread+815D5j
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	esi, 7FFFFFFCh
		jz	loc_577DF8
		mov	esi, large fs:124h
		mov	eax, offset _EmpDatabaseLock
		mov	edx, dword_6D07D0
		mov	ecx, eax
		shr	ecx, 15h
		mov	[ebp+var_18], esi
		cmp	edx, eax
		ja	short loc_577D2C
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_577E3A
		mov	eax, offset _EmpDatabaseLock
		cmp	edx, eax
		ja	short loc_577D2C
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_577E3A

loc_577D2C:				; CODE XREF: EmpRuleUpdateWorkerThread+1CBj
					; EmpRuleUpdateWorkerThread+1E3j
		or	eax, 0FFFFFFFFh

loc_577D2F:				; CODE XREF: EmpRuleUpdateWorkerThread+30Bj
		dec	word ptr [esi+13Eh]
		mov	[ebp+var_14], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	edx, offset _EmpDatabaseLock
		mov	[ebp+var_1], cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jz	loc_57808B
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_57809E

loc_577D76:				; CODE XREF: EmpRuleUpdateWorkerThread+56Cj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	[ebp+var_1], 1
		jnz	loc_5F9114
		or	[esi+1E4h], dl

loc_577DBC:				; CODE XREF: EmpRuleUpdateWorkerThread+559j
					; EmpRuleUpdateWorkerThread+815E6j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_1C], eax
		jnz	loc_577FD9

loc_577DD3:				; CODE XREF: EmpRuleUpdateWorkerThread+4D8j
					; EmpRuleUpdateWorkerThread+8160Fj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_577DF8
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_5780AB

loc_577DF8:				; CODE XREF: EmpRuleUpdateWorkerThread+1A9j
					; EmpRuleUpdateWorkerThread+2B0j ...
		push	75714D45h
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, offset _EmpEvaluationQueueLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, _EmpRuleUpdateQueue
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_577E4A
		mov	esi, [ebp+var_20]
		jmp	loc_577B73
; 

loc_577E2A:				; CODE XREF: EmpRuleUpdateWorkerThread+86j
					; EmpRuleUpdateWorkerThread+9Cj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_577BDF
; 

loc_577E3A:				; CODE XREF: EmpRuleUpdateWorkerThread+1D6j
					; EmpRuleUpdateWorkerThread+1ECj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_577D2F
; 

loc_577E4A:				; CODE XREF: EmpRuleUpdateWorkerThread+28j
					; EmpRuleUpdateWorkerThread+2E6j
		mov	eax, ecx
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_5F917C

loc_577E58:				; CODE XREF: EmpRuleUpdateWorkerThread+81644j
					; EmpRuleUpdateWorkerThread+81651j
		xor	edi, edi
		mov	eax, offset _EmpEvaluationQueueLock
		mov	[ebp+var_14], edi
		test	eax, 7FFFFFFCh
		jz	loc_577F73
		mov	esi, large fs:124h
		mov	ecx, eax
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_1C], esi
		cmp	edx, eax
		ja	short loc_577EAB
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	loc_577F82
		mov	eax, offset _EmpEvaluationQueueLock
		cmp	edx, eax
		ja	short loc_577EAB
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jz	loc_577F82

loc_577EAB:				; CODE XREF: EmpRuleUpdateWorkerThread+34Aj
					; EmpRuleUpdateWorkerThread+362j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	edx, offset _EmpEvaluationQueueLock
		push	[ebp+var_8]
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_5780B5
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jl	loc_5780C8

loc_577EF1:				; CODE XREF: EmpRuleUpdateWorkerThread+596j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	[ebp+var_1], 1
		jnz	loc_5F9190
		or	[esi+1E4h], dl

loc_577F37:				; CODE XREF: EmpRuleUpdateWorkerThread+583j
					; EmpRuleUpdateWorkerThread+81662j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_20], eax
		jnz	loc_57801D

loc_577F4E:				; CODE XREF: EmpRuleUpdateWorkerThread+51Cj
					; EmpRuleUpdateWorkerThread+8168Bj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_577F73
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_5780D5

loc_577F73:				; CODE XREF: EmpRuleUpdateWorkerThread+32Dj
					; EmpRuleUpdateWorkerThread+42Bj ...
		xor	eax, eax
		mov	ecx, offset _EmpWorkerBusy
		xchg	eax, [ecx]
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_577F82:				; CODE XREF: EmpRuleUpdateWorkerThread+355j
					; EmpRuleUpdateWorkerThread+36Bj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_8], eax
		jmp	loc_577EAB
; 

loc_577F95:				; CODE XREF: EmpRuleUpdateWorkerThread+143j
		test	edi, 8000h
		jz	short loc_577FA6
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_577FA6:				; CODE XREF: EmpRuleUpdateWorkerThread+461j
		test	byte ptr [ebp+var_C+2],	1
		jnz	loc_5F90D7

loc_577FB0:				; CODE XREF: EmpRuleUpdateWorkerThread+815ADj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_577FC4
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_577FC4:				; CODE XREF: EmpRuleUpdateWorkerThread+47Dj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_577C83
		jmp	loc_5F90EC
; 

loc_577FD9:				; CODE XREF: EmpRuleUpdateWorkerThread+293j
		test	edi, 8000h
		jz	short loc_577FEA
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_577FEA:				; CODE XREF: EmpRuleUpdateWorkerThread+4A5j
		test	byte ptr [ebp+var_C+2],	1
		jnz	loc_5F9125

loc_577FF4:				; CODE XREF: EmpRuleUpdateWorkerThread+815FBj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_578008
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_578008:				; CODE XREF: EmpRuleUpdateWorkerThread+4C1j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_577DD3
		jmp	loc_5F913A
; 

loc_57801D:				; CODE XREF: EmpRuleUpdateWorkerThread+40Ej
		test	edi, 8000h
		jz	short loc_57802E
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_57802E:				; CODE XREF: EmpRuleUpdateWorkerThread+4E9j
					; DATA XREF: .text:0040CDA8o
		test	byte ptr [ebp+var_14+2], 1
		jnz	loc_5F91A1

loc_578038:				; CODE XREF: EmpRuleUpdateWorkerThread+81677j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_57804C
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_57804C:				; CODE XREF: EmpRuleUpdateWorkerThread+505j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_577F4E
		jmp	loc_5F91B6
; 

loc_578061:				; CODE XREF: EmpRuleUpdateWorkerThread+D4j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_577C6C
		jmp	loc_5F914E
; 

loc_578074:				; CODE XREF: EmpRuleUpdateWorkerThread+E6j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_18]
		jmp	loc_577C26
; 

loc_578081:				; CODE XREF: EmpRuleUpdateWorkerThread+168j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_577CA8
; 

loc_57808B:				; CODE XREF: EmpRuleUpdateWorkerThread+224j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_577DBC
		jmp	loc_5F9170
; 

loc_57809E:				; CODE XREF: EmpRuleUpdateWorkerThread+236j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_1C]
		jmp	loc_577D76
; 

loc_5780AB:				; CODE XREF: EmpRuleUpdateWorkerThread+2B8j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_577DF8
; 

loc_5780B5:				; CODE XREF: EmpRuleUpdateWorkerThread+39Fj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_577F37
		jmp	loc_5F915A
; 

loc_5780C8:				; CODE XREF: EmpRuleUpdateWorkerThread+3B1j
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]
		jmp	loc_577EF1
; 

loc_5780D5:				; CODE XREF: EmpRuleUpdateWorkerThread+433j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_577F73
EmpRuleUpdateWorkerThread endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxBalancerThread proc near
					; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread:loc_50D46Do

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F91CA SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		push	19h
		push	eax
		mov	esi, [edi]
		call	KeSetActualBasePriorityThread
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

loc_578105:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxBalancerThread+67j
					; SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxBalancerThread+8Cj
		push	0
		push	0
		push	0
		lea	eax, [esi+1Ch]
		push	1Ah
		push	eax
		call	KeWaitForSingleObject
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	[esp+10h+var_1], al
		lea	eax, [esi+1Ch]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	eax, [esi+34h]
		test	eax, eax
		jz	loc_5F91CA
		mov	ecx, [esi+38h]
		cmp	eax, ecx
		ja	short loc_578149

loc_57813B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxBalancerThread+72j
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+10h+var_1]
		call	ebx
		jmp	short loc_578105
; 

loc_578149:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxBalancerThread+59j
		mov	eax, [esi+8]
		mov	eax, [eax]
		shr	eax, 1
		cmp	eax, ecx
		jbe	short loc_57813B
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+10h+var_1]
		call	ebx
		mov	edx, [edi+4]
		mov	ecx, esi
		push	1
		call	SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread
		jmp	short loc_578105
SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxBalancerThread endp

; 

PnpDeviceCompletionQueueGetCompletedRequest:
					; CODE XREF: PnpDeviceCompletionProcessCompletedRequests(x,x,x):loc_864BFCp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset unk_6CC454
		call	KeWaitForSingleObject
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset dword_6CC468
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, dword_6CC44C
		mov	eax, offset dword_6CC44C
		mov	edx, [esi]
		cmp	[esi+4], eax
		jnz	short loc_5781DB
		cmp	[edx+4], esi
		jnz	short loc_5781DB
		mov	dword_6CC44C, edx
		mov	[edx+4], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5F91F1
		xor	eax, eax
		lock and [edi],	eax

loc_5781CC:				; CODE XREF: .text:005F91FBj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_5781DB:				; CODE XREF: .text:005781AAj
					; .text:005781AFj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 535. FsRtlGetVirtualDiskNestingLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlGetVirtualDiskNestingLevel
FsRtlGetVirtualDiskNestingLevel	proc near

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F9200 SIZE 000000AF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	ebx
		mov	[esp+50h+var_3C], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_8]
		inc	ebx
		mov	[esp+50h+var_38], eax
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [esp+58h+var_28]
		mov	[esp+58h+var_44], ecx
		stosd
		mov	[esp+58h+var_40], ecx
		mov	[esp+58h+var_48], ecx
		stosd
		stosd
		stosd
		mov	eax, [esi+2Ch]
		cmp	eax, 7
		jnz	loc_5F9200

loc_578237:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+8101Dj
					; FsRtlGetVirtualDiskNestingLevel+81026j ...
		push	ecx
		push	ecx
		lea	eax, [esp+60h+var_28]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	edi, edi
		push	edi
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		push	dword ptr [ebp+4] ; int
		mov	byte ptr [esp+5Ch+var_34], al
		xor	eax, eax
		mov	[esp+5Ch+var_2C], edi
		lea	edi, [esp+5Ch+var_18]
		stosd
		mov	[esp+5Ch+var_30], ebx
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+5Ch+var_44]
		push	eax		; int
		lea	eax, [esp+60h+var_28]
		xor	edi, edi
		push	eax		; int
		push	edi		; int
		push	14h		; int
		lea	eax, [esp+6Ch+var_18]
		push	eax		; int
		push	8		; size_t
		lea	eax, [esp+74h+var_30]
		push	eax		; void *
		push	esi		; int
		push	2D1190h		; int
		call	IopBuildDeviceIoControlRequest
		test	eax, eax
		jz	short loc_5782F1
		mov	edx, eax
		mov	ecx, esi
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_5F922E

loc_5782A6:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+8105Aj
		test	esi, esi
		jns	loc_5F9245

loc_5782AE:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+81064j
					; FsRtlGetVirtualDiskNestingLevel+8106Ej
		lea	eax, [esi+3FFFFF66h]
		neg	eax
		sbb	eax, eax
		not	eax
		and	esi, eax

loc_5782BC:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+110j
					; FsRtlGetVirtualDiskNestingLevel+810BBj ...
		mov	ecx, [esp+58h+var_3C]
		mov	eax, [esp+58h+var_48]
		mov	[ecx], eax
		mov	eax, [esp+58h+var_38]
		test	eax, eax
		jnz	short loc_5782ED

loc_5782CE:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+109j
		push	[esp+58h+var_34]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	eax, esi

loc_5782D9:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+81043j
		mov	ecx, [esp+58h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_5782ED:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+E6j
		mov	[eax], ebx
		jmp	short loc_5782CE
; 

loc_5782F1:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+A7j
		mov	esi, 0C000009Ah
		jmp	short loc_5782BC
FsRtlGetVirtualDiskNestingLevel	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2608. WheaAddErrorSourceDeviceDriverV1

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaAddErrorSourceDeviceDriverV1(x,	x, x, x)
		public _WheaAddErrorSourceDeviceDriverV1@16
_WheaAddErrorSourceDeviceDriverV1@16 proc near

var_4C		= dword	ptr -4Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		xor	edx, edx
		inc	edx
		push	esi
		mov	esi, [ebp+arg_4]
		cmp	[esi], edx
		jnz	short loc_578357
		mov	eax, [ebp+arg_C]
		push	edi
		push	9
		pop	ecx
		lea	edi, [ebp+var_4C]
		rep movsd
		mov	[ebp+var_28], eax
		lea	edi, [ebp+var_20]
		mov	[ebp+var_24], edx
		lea	eax, [ebp+var_4C]
		mov	esi, offset _DEFAULT_DEVICE_DRIVER_CREATOR_GUID
		push	[ebp+arg_8]
		push	eax
		movsd
		push	[ebp+arg_0]
		movsd
		movsd
		movsd
		mov	esi, offset _CPER_EMPTY_GUID
		lea	edi, [ebp+var_10]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+var_4C], 2
		call	WheaAddErrorSourceDeviceDriver
		pop	edi

loc_578352:				; CODE XREF: WheaAddErrorSourceDeviceDriverV1(x,x,x,x)+5Ej
		pop	esi
		leave
		retn	10h
; 

loc_578357:				; CODE XREF: WheaAddErrorSourceDeviceDriverV1(x,x,x,x)+11j
		mov	eax, 0C00000F0h
		jmp	short loc_578352
_WheaAddErrorSourceDeviceDriverV1@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2625. WheaLogInternalEvent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public WheaLogInternalEvent
WheaLogInternalEvent proc near		; CODE XREF: IoSaveBugCheckProgress(x)+A9p
					; WheaReportHwError(x)+F5p ...

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F92AF SIZE 000000BC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+84h+var_4], eax
		cmp	_WheapEventingInitialized, 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		jz	loc_5F92AF
		lea	ecx, [edi+18h]
		xor	esi, esi
		mov	eax, [ecx]
		test	al, 2
		jz	loc_578449
		lea	eax, [edi+0Ch]
		mov	[esp+90h+var_64], esi
		mov	[esp+90h+var_68], eax
		lea	eax, [edi+10h]
		mov	[esp+90h+var_58], eax
		lea	eax, [edi+14h]
		push	4
		pop	edx
		mov	[esp+90h+var_48], eax
		lea	eax, [edi+8]
		mov	[esp+90h+var_28], eax
		mov	eax, [eax]
		mov	[esp+90h+var_10], eax
		lea	eax, [esp+90h+var_68]
		push	eax
		push	6
		push	esi
		push	offset _EVENT_WHEA_LOG_ENTRY
		push	dword_6B9384
		mov	[esp+0A4h+var_60], edx
		push	_WheapEtwHandle
		mov	[esp+0A8h+var_5C], esi
		mov	[esp+0A8h+var_54], esi
		mov	[esp+0A8h+var_50], edx
		mov	[esp+0A8h+var_4C], esi
		mov	[esp+0A8h+var_44], esi
		mov	[esp+0A8h+var_40], edx
		mov	[esp+0A8h+var_3C], esi
		mov	[esp+0A8h+var_38], ecx
		mov	[esp+0A8h+var_34], esi
		mov	[esp+0A8h+var_30], edx
		mov	[esp+0A8h+var_2C], esi
		mov	[esp+0A8h+var_24], esi
		mov	[esp+0A8h+var_20], edx
		mov	[esp+0A8h+var_1C], esi
		mov	[esp+0A8h+var_18], edi
		mov	[esp+0A8h+var_14], esi
		mov	[esp+0A8h+var_C], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	eax, [edi+18h]

loc_578449:				; CODE XREF: WheaLogInternalEvent+38j
		test	al, 4
		jnz	loc_5F9338

loc_578451:				; CODE XREF: WheaLogInternalEvent+81002j
		test	al, 8
		jnz	short loc_57846C

loc_578455:				; CODE XREF: WheaLogInternalEvent+10Fj
					; WheaLogInternalEvent+80F53j ...
		mov	ecx, [esp+90h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_57846C:				; CODE XREF: WheaLogInternalEvent+EFj
		mov	ecx, edi
		call	_WheaSelLogEvent@4 ; WheaSelLogEvent(x)
		jmp	short loc_578455
WheaLogInternalEvent endp

; 
		align 2

;  S U B	R O U T	I N E 


WheapIsNonHestErrorSource proc near	; CODE XREF: WheaAddErrorSource+24p
					; WheaRemoveErrorSource(x)+39p

; FUNCTION CHUNK AT 005F936B SIZE 00000030 BYTES

		cmp	ecx, 0Eh
		jl	loc_5F936B

loc_57847F:				; CODE XREF: WheapIsNonHestErrorSource+80EF8j
					; WheapIsNonHestErrorSource+80F01j ...
		mov	al, 1
		retn
WheapIsNonHestErrorSource endp


;  S U B	R O U T	I N E 


; __stdcall WheapDeviceDriverGetPacketLength(x,	x)
_WheapDeviceDriverGetPacketLength@8 proc near
					; CODE XREF: WheaAddErrorSourceDeviceDriver+12Fp
		imul	eax, edx, 48h
		add	ecx, 6Ch
		add	eax, ecx
		lea	ecx, [eax-1]
		and	ecx, 3
		sub	eax, ecx
		add	eax, 5Fh
		retn
_WheapDeviceDriverGetPacketLength@8 endp


;  S U B	R O U T	I N E 


; __stdcall ExQueueDebuggerWorker()
_ExQueueDebuggerWorker@0 proc near	; CODE XREF: KdExitDebugger(x):loc_A4B577p
					; ExpWorkerInitialization+F1p
		push	2
		xor	eax, eax
		mov	edx, offset _ExpDebuggerWork
		pop	ecx
		inc	eax
		lock cmpxchg [edx], ecx
		cmp	eax, 1
		jnz	short locret_5784B8
		push	0
		push	0
		push	offset _ExpDebuggerDpc
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)

locret_5784B8:				; CODE XREF: ExQueueDebuggerWorker()+12j
		retn
_ExQueueDebuggerWorker@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


ExpLegacyWorkerInitialization proc near	; CODE XREF: ExpWorkerInitialization+BCp

; FUNCTION CHUNK AT 005F939B SIZE 00000019 BYTES

		mov	eax, _ExpAdditionalCriticalWorkerThreads
		push	64h
		pop	edx
		cmp	eax, edx
		ja	loc_5F939B

loc_5784CA:				; CODE XREF: ExpLegacyWorkerInitialization+80EE8j
		mov	ecx, _ExpAdditionalDelayedWorkerThreads
		cmp	ecx, edx
		ja	loc_5F93A7

loc_5784D8:				; CODE XREF: ExpLegacyWorkerInitialization+80EF5j
		cmp	byte ptr ds:dword_7051D4, 0
		push	5
		pop	edx
		jnz	short loc_578546

loc_5784E4:				; CODE XREF: ExpLegacyWorkerInitialization+8Fj
		add	eax, edx
		mov	_ExCriticalWorkerThreads, eax
		lea	eax, [ecx+7]
		xor	cx, cx
		mov	_ExDelayedWorkerThreads, eax
		call	_KeIsNodeInitialized@4 ; KeIsNodeInitialized(x)
		movzx	edx, al
		mov	eax, ds:_PspSystemPartition
		neg	edx
		push	0
		sbb	edx, edx
		and	edx, ds:_KeNodeBlock
		mov	ecx, [eax+8]
		call	_ExpPartitionGetQueue@12 ; ExpPartitionGetQueue(x,x,x)
		xor	cx, cx
		mov	_ExWorkerQueue,	eax
		call	_KeIsNodeInitialized@4 ; KeIsNodeInitialized(x)
		movzx	edx, al
		mov	eax, ds:_PspSystemPartition
		neg	edx
		push	1
		sbb	edx, edx
		and	edx, ds:_KeNodeBlock
		mov	ecx, [eax+8]
		call	_ExpPartitionGetQueue@12 ; ExpPartitionGetQueue(x,x,x)
		mov	_IoWorkerQueue,	eax
		retn
; 

loc_578546:				; CODE XREF: ExpLegacyWorkerInitialization+28j
		push	0Ah
		pop	edx
		jmp	short loc_5784E4
ExpLegacyWorkerInitialization endp

; 
		align 4

;  S U B	R O U T	I N E 


KeInitializePriQueue proc near		; CODE XREF: ExpWorkQueueInitialize(x,x,x,x,x,x)+49p

; FUNCTION CHUNK AT 005F93B4 SIZE 00000011 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		push	20h
		pop	edi
		and	dword ptr [esi+4], 0
		lea	eax, [esi+8]
		mov	[eax+4], eax
		lea	ecx, [esi+110h]
		mov	[eax], eax
		lea	eax, [esi+194h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+10h]
		mov	word ptr [esi],	15h
		mov	byte ptr [esi+2], 67h

loc_57857E:				; CODE XREF: KeInitializePriQueue+43j
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		and	dword ptr [ecx], 0
		lea	ecx, [ecx+4]
		sub	edi, 1
		jnz	short loc_57857E
		test	edx, edx
		jz	loc_5F93B4

loc_578599:				; CODE XREF: KeInitializePriQueue+80E74j
		pop	edi
		mov	[esi+190h], edx
		pop	esi
		retn
KeInitializePriQueue endp


;  S U B	R O U T	I N E 


PipUpdatePostStartCharacteristics proc near
					; CODE XREF: PnpDeviceCompletionProcessCompletedRequest+7Bp
					; PnpStartDeviceNode+92DD0p

; FUNCTION CHUNK AT 005F93C5 SIZE 0000000C BYTES

		xor	edx, edx
		push	esi
		mov	esi, ecx
		test	ecx, ecx
		jz	short loc_5785C4

loc_5785AB:				; CODE XREF: PipUpdatePostStartCharacteristics+18j
		mov	eax, [esi+20h]
		mov	esi, [esi+10h]
		and	eax, 40000h
		or	edx, eax
		test	esi, esi
		jnz	short loc_5785AB
		test	edx, edx
		jnz	loc_5F93C5

loc_5785C4:				; CODE XREF: PipUpdatePostStartCharacteristics+7j
		pop	esi
		retn
PipUpdatePostStartCharacteristics endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 345. ExDisableResourceBoostLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExDisableResourceBoostLite
ExDisableResourceBoostLite proc	near	; CODE XREF: CcAllocateInitializeBcb(x,x,x,x)+EDp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F93D1 SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		test	byte ptr [esi+0Eh], 1
		stosd
		stosd
		jnz	loc_5F93D1
		lea	ecx, [esi+34h]
		lea	edx, [ebp+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		or	word ptr [esi+0Eh], 8
		test	ds:byte_70EFC6,	1
		pop	edi
		pop	esi
		jnz	loc_5F93E2
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_5F93FA
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5F93F2

loc_57862C:				; CODE XREF: ExDisableResourceBoostLite+80E21j
					; ExDisableResourceBoostLite+80E3Ej
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn	4
ExDisableResourceBoostLite endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoFxPlatformRequestHandler proc	near	; DATA XREF: PopFxPlatformRegisterInterface(x,x)+47o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F940F SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		mov	eax, [edx]
		sub	eax, ecx
		jz	loc_5F940F
		sub	eax, 1
		jz	short loc_57866C
		sub	eax, 1
		jnz	short loc_57866C
		cmp	dword ptr [edx+8], 1
		jnz	short loc_57866C
		mov	al, _PopFxAcpiPepRegistered
		mov	[edx+0Ch], al

loc_578666:				; CODE XREF: PoFxPlatformRequestHandler+37j
					; PoFxPlatformRequestHandler+80DDFj
		mov	eax, ecx
		pop	ebp
		retn	4
; 

loc_57866C:				; CODE XREF: PoFxPlatformRequestHandler+17j
					; PoFxPlatformRequestHandler+1Cj ...
		mov	ecx, 0C00000BBh
		jmp	short loc_578666
PoFxPlatformRequestHandler endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpSetAlternateResourceModuleHandle proc near ; CODE XREF: LdrpGetRcConfig+C1p
					; LdrLoadAlternateResourceModuleEx+210p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005F941E SIZE 000000E8 BYTES

		push	18h
		push	offset dword_6A73C8
		call	__SEH_prolog4
		mov	esi, edx
		mov	[ebp+var_24], esi
		mov	eax, ecx
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	loc_578875
		mov	ebx, [ebp+arg_C]
		test	ebx, 0FFFFFFCCh
		jnz	loc_578875
		mov	eax, ebx
		and	eax, 3
		cmp	al, 3
		jz	loc_578875
		mov	eax, ebx
		and	eax, 1
		mov	[ebp+var_1C], eax
		jz	short loc_5786C0
		test	esi, esi
		jz	loc_578875

loc_5786C0:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+42j
		call	LdrpInitMuiCrits
		xor	edi, edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset _MuiMutex
		call	KeWaitForSingleObject
		mov	[ebp+ms_exc.disabled], edi
		mov	eax, edi

loc_5786DA:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+8Bj
		mov	[ebp+var_20], eax
		mov	ecx, _AlternateResourceModuleCount
		cmp	eax, ecx
		jnb	short loc_578701
		mov	esi, eax
		shl	esi, 5
		mov	ecx, _AlternateResourceModules
		mov	edx, [ebp+var_28]
		cmp	[esi+ecx+4], edx
		mov	edx, [ebp+var_1C]
		jz	short loc_57874A

loc_5786FE:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+E1j
					; LdrpSetAlternateResourceModuleHandle+E7j ...
		inc	eax
		jmp	short loc_5786DA
; 

loc_578701:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+71j
		test	bl, 10h
		jnz	loc_578847
		mov	ebx, _AlternateResourceModules
		test	ebx, ebx
		jz	loc_578879
		mov	eax, _AltResMemBlockCount
		cmp	ecx, eax
		jnb	loc_5F946D

loc_578725:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+238j
					; LdrpSetAlternateResourceModuleHandle+80E5Bj
		mov	edx, edi
		mov	[ebp+var_20], edx
		mov	esi, [ebp+var_28]

loc_57872D:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+D4j
		cmp	edx, _AlternateResourceModuleCount
		jnb	loc_5787CA
		mov	ecx, edx
		shl	ecx, 5
		cmp	[ecx+ebx+4], esi
		jz	short loc_578773

loc_578744:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+10Dj
					; LdrpSetAlternateResourceModuleHandle+113j ...
		inc	edx
		mov	[ebp+var_20], edx
		jmp	short loc_57872D
; 

loc_57874A:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+88j
		test	bl, 2
		jnz	loc_5F941E

loc_578753:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+80DB4j
		test	edx, edx
		jz	short loc_5786FE
		cmp	[esi+ecx+10h], edi
		jz	short loc_5786FE
		cmp	[ebp+arg_8], 0
		jz	short loc_5786FE
		mov	dx, [ebp+arg_8]
		cmp	[esi+ecx], dx
		jnz	short loc_5786FE
		jmp	loc_5F942D
; 

loc_578773:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+CEj
		test	byte ptr [ebp+arg_C], 2
		jnz	loc_5F94D4

loc_57877D:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+80E64j
		test	byte ptr [ebp+arg_C], 1
		jz	short loc_578744
		cmp	[ecx+ebx+10h], edi
		jnz	short loc_578744
		movzx	eax, word ptr [ecx+ebx]
		cmp	ax, [ebp+arg_8]
		jz	short loc_578798
		test	ax, ax
		jnz	short loc_578744

loc_578798:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+11Dj
		mov	eax, [ebp+var_24]
		mov	eax, [eax]
		mov	[ecx+ebx+10h], eax
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_5F94F1
		mov	eax, [eax]

loc_5787AE:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+80E7Fj
		mov	[ecx+ebx+14h], eax
		mov	ax, [ebp+arg_8]
		mov	[ecx+ebx], ax
		mov	eax, [ebp+arg_10]
		mov	[ecx+ebx+1Ch], eax
		mov	eax, [ebp+arg_14]
		mov	[ecx+ebx+18h], eax
		jmp	short loc_578847
; 

loc_5787CA:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+BFj
		mov	eax, esi
		and	eax, 0FFFFFFFCh
		push	eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	short loc_578847
		mov	eax, [eax+58h]
		mov	[ebp+var_28], eax
		mov	ebx, _AlternateResourceModuleCount
		mov	ecx, ebx
		shl	ecx, 5
		mov	edx, _AlternateResourceModules
		mov	[ecx+edx+4], esi
		mov	eax, [ebp+arg_4]
		mov	[ecx+edx+8], eax
		test	byte ptr [ebp+arg_C], 1
		jz	short loc_578867
		mov	esi, [ebp+var_24]
		test	esi, esi
		jz	loc_5F94F8
		mov	eax, [esi]

loc_57880E:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+80E86j
		mov	[ecx+edx+10h], eax
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_5F94FF
		mov	eax, [eax]

loc_57881F:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+80E8Dj
		mov	[ecx+edx+14h], eax
		mov	eax, [ebp+arg_14]
		mov	[ecx+edx+18h], eax

loc_57882A:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+1FFj
		mov	ax, [ebp+arg_8]
		mov	[ecx+edx], ax
		mov	eax, [ebp+var_28]
		mov	[ecx+edx+0Ch], eax
		mov	eax, [ebp+arg_10]
		mov	[ecx+edx+1Ch], eax
		inc	ebx
		mov	_AlternateResourceModuleCount, ebx

loc_578847:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+90j
					; LdrpSetAlternateResourceModuleHandle+154j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_5788B1
		mov	al, 1

loc_578855:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+203j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_578867:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+18Bj
		mov	[ecx+edx+10h], edi
		mov	[ecx+edx+14h], edi
		mov	[ecx+edx+18h], edi
		jmp	short loc_57882A
; 

loc_578875:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+18j
					; LdrpSetAlternateResourceModuleHandle+27j ...
		xor	al, al
		jmp	short loc_578855
; 

loc_578879:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+9Ej
		push	69507472h
		mov	esi, 400h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_578847
		push	esi		; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	_AlternateResourceModules, ebx
		mov	_AltResMemBlockCount, 20h
		jmp	loc_578725
LdrpSetAlternateResourceModuleHandle endp


;  S U B	R O U T	I N E 


sub_5788B1	proc near		; CODE XREF: LdrpSetAlternateResourceModuleHandle+1DAp
					; sub_5F9506+2j
		push	edi
		push	edi
		push	1
		push	offset _MuiMutex
		call	KeReleaseMutant
		retn
sub_5788B1	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IovUtilMarkStack proc near		; CODE XREF: PipCallDriverAddDevice+65Fp
					; PipCallDriverAddDevice+A1C2Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F950D SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, edx
		push	esi
		mov	esi, ecx
		test	eax, eax
		jz	short loc_5788DB
		cmp	_IovUtilVerifierEnabled, 0
		jnz	loc_5F950D

loc_5788DB:				; CODE XREF: IovUtilMarkStack+Cj
					; IovUtilMarkStack+80C57j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_578900
		mov	esi, _IovUtilVerifierEnabled
		mov	[ebp+arg_0], ecx
		test	esi, esi
		jnz	loc_5F951C

loc_5788F3:				; CODE XREF: IovUtilMarkStack+80C67j
		test	ecx, ecx
		jz	short loc_5788FB
		test	esi, esi
		jnz	short loc_57890E

loc_5788FB:				; CODE XREF: IovUtilMarkStack+35j
					; IovUtilMarkStack+47j	...
		pop	esi
		pop	ebp
		retn	8
; 

loc_578900:				; CODE XREF: IovUtilMarkStack+20j
		cmp	_IovUtilVerifierEnabled, 0
		jz	short loc_5788FB
		jmp	loc_5F952C
; 

loc_57890E:				; CODE XREF: IovUtilMarkStack+39j
		push	2
		jmp	loc_5F9542
IovUtilMarkStack endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTraceJobServerSiloMonitorCallback proc near ; CODE XREF: PspInvokeCreateCallback(x,x)+13p
					; PspInvokeCreateCallback(x,x)+25p ...

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F954D SIZE 000000D3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[esp+80h+var_74], edx
		push	esi
		push	edi
		lea	edi, [esp+88h+var_68]
		mov	[esp+88h+var_70], ecx
		stosd
		stosd
		stosd
		stosd
		mov	eax, ecx
		xor	edi, edi
		mov	[esp+88h+var_78], edi
		sub	eax, edi
		jz	short loc_578991
		sub	eax, 1
		jnz	loc_5F954D
		mov	esi, offset _ServerSiloCreateCallbackStop

loc_57895B:				; CODE XREF: EtwTraceJobServerSiloMonitorCallback+80j
					; EtwTraceJobServerSiloMonitorCallback+80C41j ...
		mov	ebx, dword_6BC18C
		mov	eax, _EtwpPsProvRegHandle
		push	esi
		push	ebx
		push	eax
		mov	[esp+94h+var_6C], eax
		call	EtwEventEnabled
		test	al, al
		jnz	loc_5F9566

loc_57897A:				; CODE XREF: EtwTraceJobServerSiloMonitorCallback+80D05j
		mov	ecx, [esp+88h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_578991:				; CODE XREF: EtwTraceJobServerSiloMonitorCallback+35j
		mov	esi, (offset loc_4087EB+5)
		jmp	short loc_57895B
EtwTraceJobServerSiloMonitorCallback endp


;  S U B	R O U T	I N E 


; __stdcall RtlpGetBootStatusPath(x, x)
_RtlpGetBootStatusPath@8 proc near	; CODE XREF: RtlLockBootStatusData(x)+75p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	RtlpGetBootStatusPathFromRegistry
		test	eax, eax
		jns	short loc_5789C7
		call	_RtlIsStateSeparationEnabled@0 ; RtlIsStateSeparationEnabled()
		test	al, al
		mov	eax, offset ??_C@_1EC@POCPCOCD@?$AA?2?$AAO?$AAS?$AAD?$AAa?$AAt?$AAa?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAW?$AAi?$AAn@FNODOBFM@
		jnz	short loc_5789BD
		mov	eax, offset ??_C@_1DC@MEBGDNBI@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAb?$AAo?$AAo@FNODOBFM@

loc_5789BD:				; CODE XREF: RtlpGetBootStatusPath(x,x)+1Ej
		mov	[esi], eax
		xor	al, al

loc_5789C1:				; CODE XREF: RtlpGetBootStatusPath(x,x)+31j
		mov	[edi], al
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_5789C7:				; CODE XREF: RtlpGetBootStatusPath(x,x)+10j
		mov	al, 1
		jmp	short loc_5789C1
_RtlpGetBootStatusPath@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpGetBootStatusPathFromRegistry proc near ; CODE XREF: RtlpGetBootStatusPath(x,x)+9p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F9620 SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], ecx
		push	offset ??_C@_1GG@IBGAEKLO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@FNODOBFM@
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], edi
		push	eax
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_18]
		mov	[ebp+var_30], 18h
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_2C], edi
		push	eax
		mov	[ebp+var_24], 240h
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_578A62
		push	offset ??_C@_1BO@IJHFMHE@?$AAO?$AAs?$AAB?$AAo?$AAo?$AAt?$AAs?$AAt?$AAa?$AAt?$AAP?$AAa?$AAt?$AAh@FNODOBFM@
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		push	edi
		push	2
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_5F9620
		test	esi, esi
		jns	short loc_578A69

loc_578A62:				; CODE XREF: RtlpGetBootStatusPathFromRegistry+60j
					; RtlpGetBootStatusPathFromRegistry+A2j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_578A69:				; CODE XREF: RtlpGetBootStatusPathFromRegistry+94j
		mov	esi, 0C0000001h
		jmp	short loc_578A62
RtlpGetBootStatusPathFromRegistry endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 824. IoEnumerateDeviceObjectList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoEnumerateDeviceObjectList
IoEnumerateDeviceObjectList proc near

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005F9696 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	0Ah
		pop	ecx
		xor	esi, esi
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	edx, [ebp+arg_0]
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_1], al
		shr	edi, 2
		mov	ecx, [edx+4]
		jmp	short loc_578A9E
; 

loc_578A9A:				; CODE XREF: IoEnumerateDeviceObjectList+2Aj
		mov	ecx, [ecx+0Ch]
		inc	esi

loc_578A9E:				; CODE XREF: IoEnumerateDeviceObjectList+22j
		test	ecx, ecx
		jnz	short loc_578A9A
		mov	eax, [ebp+arg_C]
		cmp	edi, esi
		sbb	ebx, ebx
		and	ebx, 0C0000023h
		mov	[eax], esi
		mov	esi, [edx+4]
		mov	[ebp+arg_0], ebx
		test	edi, edi
		jz	short loc_578ADE
		mov	ebx, [ebp+arg_4]

loc_578ABE:				; CODE XREF: IoEnumerateDeviceObjectList+63j
		test	esi, esi
		jz	short loc_578ADB
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	[ebx], esi
		add	ebx, 4
		mov	esi, [esi+0Ch]
		sub	edi, 1
		jnz	short loc_578ABE

loc_578ADB:				; CODE XREF: IoEnumerateDeviceObjectList+4Aj
		mov	ebx, [ebp+arg_0]

loc_578ADE:				; CODE XREF: IoEnumerateDeviceObjectList+43j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jnz	loc_5F9696
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5F96AC
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5F96A5

loc_578B14:				; CODE XREF: IoEnumerateDeviceObjectList+80C2Aj
					; IoEnumerateDeviceObjectList+80C45j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
IoEnumerateDeviceObjectList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitializeBootStatDataCache()
_RtlInitializeBootStatDataCache@0 proc near ; CODE XREF: RtlLockBootStatusData(x)+E1p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		cmp	_BootStatDataCache, esi
		jnz	short loc_578BBD
		push	esi
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], esi
		push	eax
		push	4
		lea	eax, [ebp+var_4]
		mov	[ebp+var_14], esi
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		push	esi
		push	esi
		push	_BootStatFileHandle
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_578BB8
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_578BC8
		cmp	eax, 800h
		ja	short loc_578BC8
		push	66647362h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_BootStatDataCache, eax
		test	eax, eax
		jz	short loc_578BC1
		push	esi
		lea	ecx, [ebp+var_18]
		push	ecx
		push	[ebp+var_4]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		push	esi
		push	esi
		push	_BootStatFileHandle
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_578BB8
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+var_4]
		jnz	short loc_578BC8

loc_578BB8:				; CODE XREF: RtlInitializeBootStatDataCache()+43j
					; RtlInitializeBootStatDataCache()+88j	...
		mov	eax, ecx
		pop	esi
		leave
		retn
; 

loc_578BBD:				; CODE XREF: RtlInitializeBootStatDataCache()+1Aj
		mov	ecx, esi
		jmp	short loc_578BB8
; 

loc_578BC1:				; CODE XREF: RtlInitializeBootStatDataCache()+67j
		mov	ecx, 0C0000017h
		jmp	short loc_578BB8
; 

loc_578BC8:				; CODE XREF: RtlInitializeBootStatDataCache()+4Aj
					; RtlInitializeBootStatDataCache()+51j	...
		mov	ecx, 0C0000001h
		jmp	short loc_578BB8
_RtlInitializeBootStatDataCache@0 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1701. PoFxSetDeviceIdleTimeout

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxSetDeviceIdleTimeout
PoFxSetDeviceIdleTimeout proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F96C0 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, 3FFFFFFFh
		push	esi
		push	edi
		cmp	ebx, eax
		jb	short loc_578C49
		ja	short loc_578BF2
		mov	edi, [ebp+arg_4]
		cmp	edi, 0FFFFFFFFh
		jbe	short loc_578BF7

loc_578BF2:				; CODE XREF: PoFxSetDeviceIdleTimeout+14j
		or	edi, 0FFFFFFFFh
		mov	ebx, eax

loc_578BF7:				; CODE XREF: PoFxSetDeviceIdleTimeout+1Cj
					; PoFxSetDeviceIdleTimeout+78j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, [ebp+arg_0]
		mov	byte ptr [ebp+arg_8+3],	al
		lea	ecx, [esi+0C8h]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, esi
		mov	[esi+118h], edi
		mov	[esi+11Ch], ebx
		call	PopFxUpdateDeviceIdleTimer
		test	ds:byte_70EFC6,	1
		jnz	loc_5F96C0
		xor	ecx, ecx
		lea	eax, [esi+0C8h]
		lock and [eax],	ecx

loc_578C39:				; CODE XREF: PoFxSetDeviceIdleTimeout+80AFAj
		mov	cl, byte ptr [ebp+arg_8+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_578C49:				; CODE XREF: PoFxSetDeviceIdleTimeout+12j
		mov	edi, [ebp+arg_4]
		jmp	short loc_578BF7
PoFxSetDeviceIdleTimeout endp


;  S U B	R O U T	I N E 


PopFxUpdateDeviceIdleTimer proc	near	; CODE XREF: PoFxSetDeviceIdleTimeout+48p
					; PopFxProcessWork+F095Cp

; FUNCTION CHUNK AT 005F96D3 SIZE 0000003B BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		lea	edi, [esi+10h]
		mov	eax, [edi]

loc_578C5B:				; CODE XREF: PopFxUpdateDeviceIdleTimer+15j
		mov	edx, eax
		or	edx, ecx
		lock cmpxchg [edi], edx
		jnz	short loc_578C5B
		test	al, 4
		jnz	short loc_578C6C

loc_578C69:				; CODE XREF: PopFxUpdateDeviceIdleTimer+2Cj
					; PopFxUpdateDeviceIdleTimer+3Dj ...
		pop	edi
		pop	esi
		retn
; 

loc_578C6C:				; CODE XREF: PopFxUpdateDeviceIdleTimer+19j
		lea	eax, [esi+0D0h]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jz	short loc_578C69
		push	0FFFFFFFBh
		pop	eax
		lock and [edi],	eax
		mov	ecx, esi
		call	_PopFxScheduleDeviceIdleTimer@4	; PopFxScheduleDeviceIdleTimer(x)
		test	al, al
		jnz	short loc_578C69
		jmp	loc_5F96D3
PopFxUpdateDeviceIdleTimer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcRegistryChangeCallback proc near	; DATA XREF: CcSetupWatchForRegistryChanges+5Co

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F970E SIZE 000000AA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		xor	eax, eax
		push	ebx
		push	esi
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	edi
		push	eax
		call	KeQueryTickCount
		mov	esi, [ebp+arg_0]
		mov	ebx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		sub	ebx, [esi+18h]
		lea	edi, [esi+20h]
		push	edi
		sbb	eax, [esi+1Ch]
		mov	[ebp+arg_0], eax
		xor	eax, eax
		cmp	[esi+28h], al
		setnz	al
		dec	eax
		and	eax, 0Eh
		add	eax, 46h
		push	eax		; char
		push	offset ??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@ ;	"CcRegistryChangeCallback: Something of	"...
		push	2		; int
		push	7Fh		; int
		call	_DbgPrintEx
		add	esp, 14h
		cmp	byte ptr [esi+28h], 0
		jnz	short loc_578D17
		push	esi
		call	dword ptr [esi+14h]
		push	[ebp+arg_0]
		mov	eax, [ebp+var_8]
		push	ebx
		push	edi		; char
		push	offset ??_C@_0DL@PNFACCLK@CcRegistryChangeCallback?3?5Proce@FNODOBFM@ ;	"CcRegistryChangeCallback: Processed \"%w"...
		mov	[esi+18h], eax
		mov	eax, [ebp+var_4]
		push	2		; int
		push	7Fh		; int
		mov	[esi+1Ch], eax
		call	_DbgPrintEx
		add	esp, 18h

loc_578D17:				; CODE XREF: CcRegistryChangeCallback+5Dj
		xor	ebx, ebx
		lea	eax, [esi+10h]
		mov	[esi+28h], bl
		cmp	[eax], ebx
		jz	loc_5F970E

loc_578D27:				; CODE XREF: CcRegistryChangeCallback+80AA4j
					; CcRegistryChangeCallback+80AC9j
		test	esi, esi
		jz	short loc_578D6B
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_578D6B
		push	1
		push	ebx
		push	ebx
		push	1
		push	5
		lea	ecx, [ebp+var_10]
		push	ecx
		push	1
		push	esi
		push	ebx
		push	eax
		call	_ZwNotifyChangeKey@40 ;	ZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		lea	edi, [esi+20h]
		cmp	ebx, 103h
		jnz	loc_5F9760
		push	edi		; char
		push	offset ??_C@_0CO@DHHOFHHN@CcRegistryChangeCallback?3?5Watch@FNODOBFM@ ;	"CcRegistryChangeCallback: Watch queued	"...

loc_578D5F:				; CODE XREF: CcRegistryChangeCallback+80B00j
		push	2		; int
		push	7Fh		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_578D6B:				; CODE XREF: CcRegistryChangeCallback+97j
					; CcRegistryChangeCallback+9Ej	...
		cmp	_CcRegistryWatchInitComplete, 0
		jz	loc_5F9797

loc_578D78:				; CODE XREF: CcRegistryChangeCallback+80B07j
					; CcRegistryChangeCallback+80B11j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
CcRegistryChangeCallback endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcUpdateDynamicRegistrySettings	proc near ; DATA XREF: CcSetupWatchForRegistryChanges+55o

var_DE		= byte ptr -0DEh
var_DD		= byte ptr -0DDh
var_DC		= byte ptr -0DCh
var_DB		= byte ptr -0DBh
var_DA		= byte ptr -0DAh
var_D9		= byte ptr -0D9h
var_D8		= dword	ptr -0D8h
var_D2		= byte ptr -0D2h
var_D1		= byte ptr -0D1h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= byte ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F97B8 SIZE 00000136 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0E4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0E4h+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [esp+0E4h+var_A8]
		push	ebx
		push	esi
		push	edi
		add	eax, 20h
		mov	[esp+0F0h+var_D8], ecx
		xor	ecx, ecx
		mov	[esp+0F0h+var_C8], 9Ch
		push	eax		; char
		push	offset ??_C@_0EO@NJAGNHAD@CcUpdateDynamicRegistrySettings@FNODOBFM@ ; "CcUpdateDynamicRegistrySettings:	Updati"...
		push	2		; int
		push	7Fh		; int
		mov	[esp+100h+var_DD], cl
		mov	ebx, ecx
		mov	dword ptr [esp+100h+var_BC], ecx
		mov	edi, ecx
		mov	[esp+100h+var_DC], cl
		mov	esi, ecx
		mov	[esp+100h+var_AC], ecx
		mov	[esp+100h+var_D2], cl
		mov	[esp+100h+var_DB], cl
		mov	[esp+100h+var_DA], cl
		mov	[esp+100h+var_B8], ecx
		mov	[esp+100h+var_D9], cl
		mov	[esp+100h+var_D1], cl
		call	_DbgPrintEx
		add	esp, 10h
		mov	[esp+0F0h+var_C0], (offset ??_C@_01LFCBOECM@?4@FNODOBFM@+2)
		lea	edx, [esp+0F0h+var_D0]
		mov	[esp+0F0h+var_C4], offset unk_AA00A8
		lea	ecx, [esp+0F0h+var_C4]
		mov	[esp+0F0h+var_CC], offset ??_C@_1CE@GAMHPGCI@?$AAT?$AAo?$AAp?$AAB?$AAo?$AAt?$AAt?$AAo?$AAm?$AAD?$AAP?$AAT?$AAE?$AAq?$AAu@FNODOBFM@ ; "T"
		push	22h
		pop	eax
		push	24h
		mov	word ptr [esp+0F4h+var_D0], ax
		pop	eax
		mov	word ptr [esp+0F0h+var_D0+2], ax
		lea	eax, [esp+13h]
		push	eax
		lea	eax, [esp+0F4h+var_D8]
		push	eax
		lea	eax, [esp+0F8h+var_C8]
		push	eax
		call	CcQueryRegKeyValue
		test	eax, eax
		jns	loc_5F97B8

loc_578E43:				; CODE XREF: CcUpdateDynamicRegistrySettings+80A49j
					; CcUpdateDynamicRegistrySettings+80A54j
		push	3Ch
		pop	eax
		push	3Eh
		mov	word ptr [esp+0F4h+var_D0], ax
		lea	edx, [esp+0F4h+var_D0]
		pop	eax
		mov	word ptr [esp+0F0h+var_D0+2], ax
		lea	ecx, [esp+0F0h+var_C4]
		lea	eax, [esp+13h]
		mov	[esp+0F0h+var_CC], offset ??_C@_1DO@NODDNLBC@?$AAL?$AAa?$AAz?$AAy?$AAW?$AAr?$AAi?$AAt?$AAe?$AAr?$AAP?$AAe?$AAr?$AAc?$AAe@FNODOBFM@
		push	eax
		lea	eax, [esp+0F4h+var_D8]
		push	eax
		lea	eax, [esp+0F8h+var_C8]
		push	eax
		call	CcQueryRegKeyValue
		test	eax, eax
		jns	loc_5F97D9

loc_578E7F:				; CODE XREF: CcUpdateDynamicRegistrySettings+80A6Cj
		push	1Ch
		pop	eax
		push	1Eh
		mov	word ptr [esp+0F4h+var_D0], ax
		lea	edx, [esp+0F4h+var_D0]
		pop	eax
		mov	word ptr [esp+0F0h+var_D0+2], ax
		lea	ecx, [esp+0F0h+var_C4]
		lea	eax, [esp+13h]
		mov	[esp+0F0h+var_CC], offset ??_C@_1BO@EOPFHBP@?$AAL?$AAa?$AAr?$AAg?$AAe?$AAW?$AAr?$AAi?$AAt?$AAe?$AAS?$AAi?$AAz?$AAe@FNODOBFM@
		push	eax
		lea	eax, [esp+0F4h+var_D8]
		push	eax
		lea	eax, [esp+0F8h+var_C8]
		push	eax
		call	CcQueryRegKeyValue
		test	eax, eax
		jns	loc_5F97F1

loc_578EBB:				; CODE XREF: CcUpdateDynamicRegistrySettings+80A80j
		push	36h
		pop	eax
		push	38h
		mov	word ptr [esp+0F4h+var_D0], ax
		lea	edx, [esp+0F4h+var_D0]
		pop	eax
		mov	word ptr [esp+0F0h+var_D0+2], ax
		lea	ecx, [esp+0F0h+var_C4]
		lea	eax, [esp+13h]
		mov	[esp+0F0h+var_CC], offset ??_C@_1DI@BAEMBMNO@?$AAS?$AAo?$AAf?$AAt?$AAT?$AAh?$AAr?$AAo?$AAt?$AAt?$AAl?$AAe?$AAL?$AAa?$AAr@FNODOBFM@
		push	eax
		lea	eax, [esp+0F4h+var_D8]
		push	eax
		lea	eax, [esp+0F8h+var_C8]
		push	eax
		call	CcQueryRegKeyValue
		test	eax, eax
		jns	loc_5F9805

loc_578EF7:				; CODE XREF: CcUpdateDynamicRegistrySettings+80A94j
		push	2Ah
		pop	eax
		push	2Ch
		mov	word ptr [esp+0F4h+var_D0], ax
		lea	edx, [esp+0F4h+var_D0]
		pop	eax
		mov	word ptr [esp+0F0h+var_D0+2], ax
		lea	ecx, [esp+0F0h+var_C4]
		lea	eax, [esp+13h]
		mov	[esp+0F0h+var_CC], offset ??_C@_1CM@IOHKKG@?$AAS?$AAo?$AAf?$AAt?$AAT?$AAh?$AAr?$AAo?$AAt?$AAt?$AAl?$AAe?$AAD?$AAe?$AAl@FNODOBFM@
		push	eax
		lea	eax, [esp+0F4h+var_D8]
		push	eax
		lea	eax, [esp+0F8h+var_C8]
		push	eax
		call	CcQueryRegKeyValue
		test	eax, eax
		jns	loc_5F9819

loc_578F33:				; CODE XREF: CcUpdateDynamicRegistrySettings+80AACj
		push	22h
		pop	eax
		push	24h
		mov	word ptr [esp+0F4h+var_D0], ax
		lea	edx, [esp+0F4h+var_D0]
		pop	eax
		mov	word ptr [esp+0F0h+var_D0+2], ax
		lea	ecx, [esp+0F0h+var_C4]
		lea	eax, [esp+13h]
		mov	[esp+0F0h+var_CC], (offset off_5A3D28+2)
		push	eax
		lea	eax, [esp+0F4h+var_D8]
		push	eax
		lea	eax, [esp+0F8h+var_C8]
		push	eax
		call	CcQueryRegKeyValue
		mov	edx, offset ??_C@_09GNNAFPDF@not?5found@FNODOBFM@ ; "not found"
		mov	ecx, offset ??_C@_05HDPIMK@valid@FNODOBFM@ ; "valid"
		test	eax, eax
		jns	loc_5F9831
		mov	[esp+0F0h+var_C8], edx

loc_578F7D:				; CODE XREF: CcUpdateDynamicRegistrySettings+80AC9j
		cmp	[esp+0F0h+var_D9], 0
		mov	[esp+0F0h+var_B4], ecx
		jnz	short loc_578F8C
		mov	[esp+0F0h+var_B4], edx

loc_578F8C:				; CODE XREF: CcUpdateDynamicRegistrySettings+206j
		cmp	[esp+0F0h+var_DA], 0
		mov	[esp+0F0h+var_B0], ecx
		jnz	short loc_578F9B
		mov	[esp+0F0h+var_B0], edx

loc_578F9B:				; CODE XREF: CcUpdateDynamicRegistrySettings+215j
		cmp	[esp+0F0h+var_DB], 0
		jnz	loc_5F984E

loc_578FA6:				; CODE XREF: CcUpdateDynamicRegistrySettings+80AD0j
		cmp	[esp+0F0h+var_D2], 0
		mov	eax, ecx
		jnz	short loc_578FB4
		mov	eax, offset ??_C@_09GNNAFPDF@not?5found@FNODOBFM@ ; "not found"

loc_578FB4:				; CODE XREF: CcUpdateDynamicRegistrySettings+22Dj
		cmp	[esp+0F0h+var_DC], 0
		jnz	short loc_578FC0
		mov	ecx, offset ??_C@_09GNNAFPDF@not?5found@FNODOBFM@ ; "not found"

loc_578FC0:				; CODE XREF: CcUpdateDynamicRegistrySettings+239j
		push	[esp+0F0h+var_C8]
		push	esi
		push	[esp+0F8h+var_B4]
		push	[esp+0FCh+var_B8]
		push	[esp+100h+var_B0]
		push	edi
		push	edx
		push	ebx
		push	eax
		push	[esp+114h+var_AC]
		push	ecx
		push	dword ptr [esp+11Ch+var_BC] ; char
		push	offset ??_C@_0BCN@DEKCAOI@CcUpdateDynamicRegistrySettings@FNODOBFM@ ; "CcUpdateDynamicRegistrySettings:	\n\tTopB"...
		push	2		; int
		push	7Fh		; int
		call	_DbgPrintEx
		add	esp, 3Ch
		cmp	[esp+0F0h+var_DD], 0
		jnz	loc_5F9855

loc_578FFA:				; CODE XREF: CcUpdateDynamicRegistrySettings+80AE3j
		cmp	[esp+0F0h+var_DC], 0
		jnz	loc_5F9868

loc_579005:				; CODE XREF: CcUpdateDynamicRegistrySettings+80AF1j
		cmp	[esp+0F0h+var_DB], 0
		jnz	loc_5F9876

loc_579010:				; CODE XREF: CcUpdateDynamicRegistrySettings+80B08j
					; CcUpdateDynamicRegistrySettings+80B14j
		cmp	[esp+0F0h+var_DA], 0
		jnz	loc_5F9899

loc_57901B:				; CODE XREF: CcUpdateDynamicRegistrySettings+80B28j
					; CcUpdateDynamicRegistrySettings+80B34j
		cmp	[esp+0F0h+var_D9], 0
		jnz	loc_5F98B9

loc_579026:				; CODE XREF: CcUpdateDynamicRegistrySettings+80B3Fj
					; CcUpdateDynamicRegistrySettings+80B4Aj
		cmp	[esp+0F0h+var_D1], 0
		jnz	loc_5F98CF

loc_579031:				; CODE XREF: CcUpdateDynamicRegistrySettings+80B51j
					; CcUpdateDynamicRegistrySettings+80B5Dj ...
		mov	ecx, [esp+0F0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
CcUpdateDynamicRegistrySettings	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcQueryRegKeyValue proc	near		; CODE XREF: CcUpdateDynamicRegistrySettings+B6p
					; CcUpdateDynamicRegistrySettings+F2p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F98EE SIZE 0000007E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_28], 18h
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	ebx, edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_10], ebx
		push	eax
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_20], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_5790E1
		test	ebx, ebx
		jz	loc_5F98EE
		mov	edi, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		mov	edi, [edi]
		mov	esi, [ebx]

loc_5790A2:				; CODE XREF: CcQueryRegKeyValue+808FFj
		lea	eax, [ebp+var_C]
		push	eax
		push	edi
		push	esi
		push	1
		push	[ebp+var_10]
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_5F98FD
		cmp	esi, 80000005h
		jz	loc_5F98FD

loc_5790CF:				; CODE XREF: CcQueryRegKeyValue+808BAj
					; CcQueryRegKeyValue+80909j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		jns	loc_5F9956

loc_5790DF:				; CODE XREF: CcQueryRegKeyValue+80914j
					; CcQueryRegKeyValue+8091Fj
		mov	eax, esi

loc_5790E1:				; CODE XREF: CcQueryRegKeyValue+46j
					; CcQueryRegKeyValue+808B0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
CcQueryRegKeyValue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpEventHandleOutOfBuffers(x)
_PfpEventHandleOutOfBuffers@4 proc near	; DATA XREF: PfTInitialize+1CBo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 800h
		call	PfFbBufferListAllocateTemporary
		test	eax, eax
		jns	short loc_579104
		inc	dword_6D4484

loc_579104:				; CODE XREF: PfpEventHandleOutOfBuffers(x)+14j
		pop	ebp
		retn	4
_PfpEventHandleOutOfBuffers@4 endp


;  S U B	R O U T	I N E 


PfFbBufferListAllocateTemporary	proc near ; CODE XREF: PfpEventHandleOutOfBuffers(x)+Dp
					; PfTTraceListTrim(x,x,x)+94p

; FUNCTION CHUNK AT 005F996C SIZE 0000002F BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	eax, esi
		lea	ebx, [edi+40h]
		lock xadd [ebx], eax
		add	eax, esi
		cmp	eax, [edi+34h]
		jle	loc_5F996C
		mov	eax, 0C000012Dh

loc_57912A:				; CODE XREF: PfFbBufferListAllocateTemporary+80879j
		neg	esi
		lock xadd [ebx], esi

loc_579130:				; CODE XREF: PfFbBufferListAllocateTemporary+8088Ej
		pop	edi
		pop	esi
		pop	ebx
		retn
PfFbBufferListAllocateTemporary	endp


;  S U B	R O U T	I N E 


; __stdcall PpmResetProfileSettings(x)
_PpmResetProfileSettings@4 proc	near	; CODE XREF: PpmRegisterProfiles+1B0p
					; PpmDisableProfile(x)+23p
		mov	edi, edi
		push	esi
		push	edi
		mov	eax, ecx
		mov	esi, offset dword_6BF8A0
		push	3Ch
		pop	ecx
		push	3Ch
		lea	edi, [eax+20h]
		add	eax, 110h
		rep movsd
		pop	ecx
		mov	esi, offset dword_6BF990
		mov	edi, eax
		rep movsd
		push	2
		pop	ecx
		pop	edi
		xor	edx, edx
		pop	esi

loc_57915F:				; CODE XREF: PpmResetProfileSettings(x)+42j
		mov	[eax-0F0h], edx
		mov	[eax-0ECh], edx
		mov	[eax], edx
		lea	eax, [eax+8]
		mov	[eax-4], edx
		sub	ecx, 1
		jnz	short loc_57915F
		retn
_PpmResetProfileSettings@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 318. ExAllocateCacheAwarePushLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExAllocateCacheAwarePushLock
ExAllocateCacheAwarePushLock proc near

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00579267 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 005F999B SIZE 0000010E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_28]
		inc	ecx
		stosd
		xor	bl, bl
		push	0
		mov	[ebp+var_11], bl
		lea	edx, [ecx+7Fh]
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		and	eax, ecx
		mov	[ebp+arg_0], eax
		neg	eax
		sbb	edi, edi
		mov	eax, large fs:20h
		and	edi, 1FFh
		inc	edi
		mov	ecx, edi
		mov	[ebp+var_18], edi
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	70636C50h
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jnz	loc_5F999B
		xor	edi, edi
		jmp	short loc_579254
; 

loc_5791F9:				; CODE XREF: ExAllocateCacheAwarePushLock+80837j
		mov	eax, large fs:20h
		xor	ebx, ebx
		push	ebx
		mov	edx, 1000h
		mov	ecx, edi
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	6C636C50h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jz	short loc_579267
		push	1000h		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, ebx

loc_57923D:				; CODE XREF: ExAllocateCacheAwarePushLock+D2j
		mov	byte ptr [edi+4], 1
		mov	[edi+8], esi
		mov	[edi], ebx
		mov	[esi+eax*4], edi
		sub	edi, 0FFFFFF80h
		inc	eax
		cmp	eax, 20h
		jb	short loc_57923D
		mov	edi, esi

loc_579254:				; CODE XREF: ExAllocateCacheAwarePushLock+79j
					; ExAllocateCacheAwarePushLock+8091Aj ...
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
ExAllocateCacheAwarePushLock endp ; sp = -38h

; 
; START	OF FUNCTION CHUNK FOR ExAllocateCacheAwarePushLock

loc_579267:				; CODE XREF: ExAllocateCacheAwarePushLock+ACj
		mov	edi, ebx
		jmp	loc_5F9A96
; END OF FUNCTION CHUNK	FOR ExAllocateCacheAwarePushLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInterlockedInsertTailList proc near	; CODE XREF: IoRegisterBootDriverReinitialization(x,x,x)+48p
					; IoRegisterDriverReinitialization(x,x,x)+3Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005F9AA9 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	edi, ecx
		mov	esi, edx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, [edi+4]
		mov	bl, al
		cmp	[ecx], edi
		jnz	short loc_5792D7
		mov	eax, large fs:20h
		mov	[esi], edi
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[edi+4], esi
		lea	esi, [eax+468h]
		test	ds:byte_70EFC6,	1
		jnz	loc_5F9AA9
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_5F9ABF
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	loc_5F9AB8

loc_5792CB:				; CODE XREF: IopInterlockedInsertTailList+80845j
					; IopInterlockedInsertTailList+80860j
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_5792D7:				; CODE XREF: IopInterlockedInsertTailList+1Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PpmConvertTimeFrom(x, x, x,	x)
_PpmConvertTimeFrom@16:			; CODE XREF: PopIdleWakeInitialize()+19p
					; PopIdleWakeConvertIntervalBucketsFrom(x,x,x,x,x)+22p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ds:dword_70ED2C
		push	ds:_PopQpcFrequency
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PpmConvertTime
		pop	ebp
		retn	10h
IopInterlockedInsertTailList endp ; sp = -10h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmiQueryTraceProviderCount proc	near	; CODE XREF: EtwpUpdateFileInfoDriverState+65p

; FUNCTION CHUNK AT 005F9AD3 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		mov	edi, eax
		call	KeWaitForSingleObject
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _WmipRegistrationSpinLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, _WmipInUseRegEntryHead
		jmp	short loc_579358
; 

loc_579337:				; CODE XREF: WmiQueryTraceProviderCount+5Cj
		mov	edx, [esi+18h]
		mov	eax, edx
		sar	eax, 4
		and	eax, 0F00000h
		bt	eax, 16h
		setb	cl
		bt	edx, 1Eh
		setb	al
		test	cl, al
		jnz	short loc_579393

loc_579356:				; CODE XREF: WmiQueryTraceProviderCount+95j
					; WmiQueryTraceProviderCount+98j
		mov	esi, [esi]

loc_579358:				; CODE XREF: WmiQueryTraceProviderCount+33j
		cmp	esi, offset _WmipInUseRegEntryHead
		jnz	short loc_579337
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _WmipRegistrationSpinLock
		jnz	loc_5F9AD3
		xor	eax, eax
		lock and [ecx],	eax

loc_579377:				; CODE XREF: WmiQueryTraceProviderCount+807D9j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
; 

loc_579393:				; CODE XREF: WmiQueryTraceProviderCount+52j
		cmp	dword ptr [esi+8], 0
		jz	short loc_579356
		inc	edi
		jmp	short loc_579356
WmiQueryTraceProviderCount endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall SMKM_STORE_MGR_SM_TRAITS___SmInitialize(void *)
?SmInitialize@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAU_SMKM_STORE_MGR_PARAMS@@@Z proc	near
					; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmReInitialize(SMKM_STORE_MGR<SM_TRAITS> *)+27p
					; SmGlobalsInitialize(x)+30p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, ecx
		push	478h		; size_t
		push	ebx		; int
		push	edi		; void *
		mov	esi, edx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_memset
		mov	eax, [esi]
		add	esp, 0Ch
		mov	[edi+464h], eax
		mov	ecx, edi	; void *
		mov	eax, [esi+4]
		mov	[edi+468h], eax
		call	_SmKmInitialize@8 ; SmKmInitialize(x,x)
		push	44h		; size_t
		mov	[edi+0F0h], ebx
		lea	esi, [edi+368h]
		push	ebx		; int
		mov	[edi+0F4h], ebx
		push	esi		; void *
		mov	[edi+0F8h], ebx
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+4]
		push	ebx
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	44h		; size_t
		lea	esi, [edi+3ACh]
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+4]
		push	ebx
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	204h		; size_t
		lea	esi, [edi+0FCh]
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, esi
		push	20h
		pop	ecx

loc_579441:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmInitialize(SMKM_STORE_MGR<SM_TRAITS> *,_SMKM_STORE_MGR_PARAMS	*)+B0j
		mov	[eax+4], eax
		mov	[eax], ebx
		add	eax, 10h
		sub	ecx, 1
		jnz	short loc_579441
		mov	[esi+200h], ebx
		lea	ecx, [edi+308h]	; void *
		mov	[edi+300h], ebx
		mov	[edi+304h], ebx
		call	?SmCompressCtxInitialize@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU_SM_COMPRESS_CONTEXT@1@@Z	; SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxInitialize(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *)
		lea	eax, [ebp+var_8]
		mov	[edi+360h], ebx
		push	eax
		mov	[edi+364h], ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		push	ebx
		push	2710h
		push	[ebp+var_4]
		push	[ebp+var_8]
		call	__allmul
		push	ebx
		push	0F4240h
		push	edx
		push	eax
		call	__alldiv
		push	8
		lea	ecx, [edi+3F8h]
		mov	[edi+470h], eax
		push	edi
		mov	edx, offset ?SmHighMemPriorityWatchdogTimerCallback@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU_KTIMER2@@PAX@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmHighMemPriorityWatchdogTimerCallback(_KTIMER2 *,void *)
		mov	[ecx+2], bx
		call	_KiInitializeTimer2@16 ; KiInitializeTimer2(x,x,x,x)
		mov	[edi+45Ch], ebx
		mov	[edi+450h], ebx
		mov	dword ptr [edi+458h], offset SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
?SmInitialize@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAU_SMKM_STORE_MGR_PARAMS@@@Z endp

; 
		align 4

;  S U B	R O U T	I N E 


; int __fastcall SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxInitialize(void *)
?SmCompressCtxInitialize@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU_SM_COMPRESS_CONTEXT@1@@Z	proc near
					; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmInitialize(SMKM_STORE_MGR<SM_TRAITS> *,_SMKM_STORE_MGR_PARAMS	*)+CAp
		mov	edi, edi
		push	esi
		push	edi
		push	54h		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+4]
		mov	[eax+4], eax
		mov	[eax], edi
		lea	eax, [esi+2Ch]
		mov	[eax+4], eax
		push	edi
		mov	[eax], eax
		lea	eax, [esi+0Ch]
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esi+1Ch]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	ecx, [esi+48h]
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		lea	eax, [esi+3Ch]
		mov	[eax+4], eax
		mov	[eax], edi
		pop	edi
		mov	dword ptr [esi+4Ch], 7
		pop	esi
		retn
?SmCompressCtxInitialize@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU_SM_COMPRESS_CONTEXT@1@@Z	endp

; 
		align 2

;  S U B	R O U T	I N E 


FsFilterInit	proc near		; CODE XREF: FsRtlInitSystem()+ADp

; FUNCTION CHUNK AT 005F9AE0 SIZE 00000016 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, 676D5346h
		xor	esi, esi
		push	edi
		push	1E4h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_AcquireOpsReservePool,	eax
		test	eax, eax
		jz	short loc_57958F

loc_579552:				; CODE XREF: FsFilterInit+66j
		push	edi
		push	1E4h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_ReleaseOpsReservePool,	eax
		test	eax, eax
		jz	loc_5F9AE0

loc_57956F:				; CODE XREF: FsFilterInit+805C3j
		xor	edi, edi
		inc	edi
		push	edi
		push	edi
		push	offset _AcquireOpsEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		push	offset _ReleaseOpsEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_57958F:				; CODE XREF: FsFilterInit+22j
		mov	esi, 0C000009Ah
		jmp	short loc_579552
FsFilterInit	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpMapResourceFile proc near		; CODE XREF: LdrLoadAlternateResourceModuleEx+1A6p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F9AF6 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	edi, [esp+48h+var_18]
		push	6
		pop	eax
		mov	ebx, edx
		mov	[esp+48h+var_28], esi
		mov	edx, ecx
		mov	[esp+48h+var_24], esi
		mov	ecx, eax
		mov	[esp+48h+var_3C], esi
		xor	eax, eax
		mov	[esp+48h+var_38], esi
		mov	[esp+48h+var_34], esi
		mov	[esp+48h+var_20], esi
		mov	[esp+48h+var_1C], esi
		mov	[esp+48h+var_2C], esi
		rep stosd
		test	edx, edx
		jz	loc_5F9B21
		test	ebx, ebx
		jz	loc_5F9B21
		cmp	[ebp+arg_4], eax
		jz	loc_5F9B21
		and	edx, 0FFFFFFFCh
		push	edx
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	loc_5F9AF6
		movzx	eax, word ptr [eax+48h]
		push	esi
		push	esi
		push	esi
		push	1
		push	5
		push	esi
		mov	[esp+60h+var_30], eax
		lea	eax, [esp+60h+var_28]
		push	esi
		push	eax
		lea	eax, [esp+68h+var_18]
		mov	[esp+68h+var_18], 18h
		push	eax
		push	80000000h
		lea	eax, [esp+70h+var_3C]
		mov	[esp+70h+var_14], esi
		push	eax
		mov	[esp+74h+var_C], 240h
		mov	[esp+74h+var_10], ebx
		mov	[esp+74h+var_8], esi
		mov	[esp+74h+var_4], esi
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_579667

loc_579651:				; CODE XREF: LdrpMapResourceFile+127j
					; LdrpMapResourceFile+1A5j ...
		cmp	[esp+48h+var_3C], 0
		jnz	loc_5F9B13

loc_57965C:				; CODE XREF: LdrpMapResourceFile+1B1j
					; LdrpMapResourceFile+80586j
		mov	eax, edi

loc_57965E:				; CODE XREF: LdrpMapResourceFile+80590j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_579667:				; CODE XREF: LdrpMapResourceFile+B9j
		push	[esp+48h+var_3C]
		mov	[esp+4Ch+var_18], 18h
		push	8000000h
		push	6
		pop	ecx
		cmp	word ptr [esp+50h+var_30], cx
		mov	[esp+50h+var_14], esi
		sbb	eax, eax
		mov	[esp+50h+var_C], 240h
		and	eax, ecx
		mov	[esp+50h+var_10], esi
		add	eax, 2
		mov	[esp+50h+var_8], esi
		push	eax
		lea	eax, [esp+54h+var_20]
		mov	[esp+54h+var_4], esi
		push	eax
		lea	eax, [esp+58h+var_18]
		push	eax
		push	0F0005h
		lea	eax, [esp+60h+var_38]
		push	eax
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_579651
		push	esi
		lea	eax, [esp+4Ch+var_30]
		mov	[esp+4Ch+var_30], esi
		push	eax
		push	esi
		push	esi
		push	esi
		push	[esp+5Ch+var_38]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[esp+48h+var_38]
		mov	edi, eax
		call	_ZwClose@4	; ZwClose(x)
		mov	ebx, [esp+48h+var_30]
		test	edi, edi
		js	short loc_57970C
		lea	eax, [esp+48h+var_2C]
		push	eax
		lea	eax, [esp+4Ch+var_34]
		push	eax
		push	ebx
		call	_MmMapViewInSystemSpace@12 ; MmMapViewInSystemSpace(x,x,x)
		mov	esi, [esp+48h+var_34]
		mov	edi, eax
		test	edi, edi
		js	short loc_57970C
		push	esi
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	short loc_57974C

loc_57970C:				; CODE XREF: LdrpMapResourceFile+150j
					; LdrpMapResourceFile+16Aj ...
		test	ebx, ebx
		jz	short loc_57971C
		mov	edx, 746C6644h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_57971C:				; CODE XREF: LdrpMapResourceFile+178j
		test	edi, edi
		js	loc_5F9B00
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		mov	[eax], esi
		test	ecx, ecx
		jz	short loc_579736
		mov	eax, [esp+48h+var_2C]
		mov	[ecx], eax

loc_579736:				; CODE XREF: LdrpMapResourceFile+198j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	loc_579651
		mov	eax, [esp+48h+var_3C]
		mov	[ecx], eax
		jmp	loc_57965C
; 

loc_57974C:				; CODE XREF: LdrpMapResourceFile+174j
		mov	edi, 0C000007Bh
		jmp	short loc_57970C
LdrpMapResourceFile endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpGetResourceFileName	proc near	; CODE XREF: LdrLoadAlternateResourceModuleEx+17Ap

var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_20D		= byte ptr -20Dh
var_20C		= dword	ptr -20Ch
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_99		= byte ptr -99h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_85		= byte ptr -85h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005F9B2B SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 218h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_218], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_20D], dl
		mov	[ebp+var_214], eax
		push	esi
		mov	esi, [ebp+arg_8]
		test	ebx, ebx
		jz	loc_5F9B3F
		test	esi, esi
		jz	loc_5F9B3F
		test	eax, eax
		jz	loc_5F9B3F
		movzx	edx, word ptr [ebx+24h]
		movzx	ecx, word ptr [ebx+2Ch]
		push	edi
		mov	edi, edx
		sub	edi, ecx
		cmp	edi, 208h
		jnb	loc_5F9B35
		cmp	dx, cx
		jbe	loc_5F9B35
		push	edi		; size_t
		push	dword ptr [ebx+28h] ; void *
		lea	eax, [ebp+var_20C]
		push	eax		; void *
		call	_memcpy
		and	edi, 0FFFFFFFEh
		add	esp, 0Ch
		cmp	edi, 208h
		jnb	loc_5798C6
		xor	eax, eax
		mov	word ptr [ebp+edi+var_20C], ax
		cmp	[ebp+var_20D], al
		jz	loc_5798BD
		lea	ecx, [ebp+var_20C]
		lea	edx, [ecx+2]

loc_579803:				; CODE XREF: LdrpGetResourceFileName+B8j
		mov	ax, [ecx]
		add	ecx, 2
		test	ax, ax
		jnz	short loc_579803
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ebp+ecx*2-210h]
		lea	ecx, [ebp+var_20C]
		cmp	eax, ecx
		jbe	loc_5F9B2B

loc_579827:				; CODE XREF: LdrpGetResourceFileName+E4j
		cmp	word ptr [eax],	5Ch
		jz	short loc_57983A
		sub	eax, 2
		lea	ecx, [ebp+var_20C]
		cmp	eax, ecx
		ja	short loc_579827

loc_57983A:				; CODE XREF: LdrpGetResourceFileName+D7j
		lea	ecx, [ebp+var_20C]
		cmp	eax, ecx
		jbe	loc_5F9B2B
		xor	ecx, ecx
		mov	[eax+2], cx
		lea	eax, [ebp+var_20C]
		push	eax		; void *
		push	esi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		test	eax, eax
		js	short loc_5798AC
		push	offset ??_C@_1CC@BKLBGLAJ@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAs@FNODOBFM@	; void *

loc_579864:				; CODE XREF: LdrpGetResourceFileName+170j
		push	esi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		test	eax, eax
		js	short loc_5798AC
		cmp	[ebp+var_20D], 0
		jnz	short loc_57988E
		push	[ebp+var_214]	; void *
		push	esi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	(offset	loc_5A53CA+2) ;	void *
		push	esi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)

loc_57988E:				; CODE XREF: LdrpGetResourceFileName+121j
		push	dword ptr [ebx+30h] ; void *
		push	esi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		test	eax, eax
		js	short loc_5798AC
		mov	ecx, [ebp+var_218]
		test	ecx, ecx
		jz	short loc_5798AC
		push	ecx		; void *
		push	esi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)

loc_5798AC:				; CODE XREF: LdrpGetResourceFileName+109j
					; LdrpGetResourceFileName+118j	...
		pop	edi

loc_5798AD:				; CODE XREF: LdrpGetResourceFileName+803F0j
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_5798BD:				; CODE XREF: LdrpGetResourceFileName+A0j
		lea	eax, [ebp+var_20C]
		push	eax
		jmp	short loc_579864
; 

loc_5798C6:				; CODE XREF: LdrpGetResourceFileName+8Aj
		call	___report_rangecheckfailure
		int	3		; Trap to Debugger

; __stdcall FsRtlpRequestExclusiveOplock(x, x, x, x, x,	x, x)
_FsRtlpRequestExclusiveOplock@28:	; CODE XREF: FsRtlpOplockFsctrlInternal+2E6p
					; FsRtlpOplockFsctrlInternal+F02CFp ...
		push	0CCh
		push	offset dword_6A7498
		call	__SEH_prolog4_GS
		mov	[ebp+var_90], edx
		mov	eax, ecx
		mov	[ebp+var_8C], eax
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_A4], esi
		xor	ebx, ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_94], ebx
		mov	edi, [eax]
		mov	[ebp+var_B0], edi
		test	edi, edi
		jnz	short loc_579921
		call	FsRtlpAllocateOplock
		mov	edi, eax
		mov	[ebp+var_B0], edi
		mov	eax, [ebp+var_8C]
		mov	[eax], edi

loc_579921:				; CODE XREF: LdrpGetResourceFileName+1B6j
		mov	[ebp+var_B8], edi
		mov	ecx, [edi+4Ch]
		call	ExAcquireFastMutexUnsafe
		mov	[ebp+var_99], 1
		mov	[ebp+var_4], ebx
		mov	eax, [edi+48h]
		mov	[ebp+var_8C], eax
		test	eax, 10000h
		jz	loc_579AB1
		mov	eax, [ebp+var_90]
		cmp	byte ptr [eax],	0Dh
		jnz	loc_579AB1
		lea	ecx, [ebp+var_94]
		push	ecx
		mov	edx, [eax+18h]
		mov	ecx, edi
		call	_FsRtlpCallerIsAtomicRequestor@12 ; FsRtlpCallerIsAtomicRequestor(x,x,x)
		test	al, al
		jz	loc_579AB1
		test	[ebp+var_8C], 20000h
		jz	loc_579A0E
		mov	ecx, [ebp+var_94]
		call	_FsRtlpOplockDequeueRH@4 ; FsRtlpOplockDequeueRH(x)
		mov	ecx, [ebp+var_94]
		lea	eax, [ecx+1Ch]
		mov	edx, [eax]
		mov	[ebp+var_98], edx
		mov	edx, [eax+4]
		mov	esi, [ebp+var_98]
		cmp	[esi+4], eax
		mov	esi, [ebp+var_A4]
		jnz	short loc_579A09
		cmp	[edx], eax
		jnz	short loc_579A09
		mov	eax, [ebp+var_98]
		mov	[edx], eax
		mov	[eax+4], edx
		lea	eax, [edi+3Ch]
		cmp	[eax], eax
		jnz	short loc_5799D2
		and	dword ptr [edi+48h], 0FFFCFFFFh

loc_5799D2:				; CODE XREF: LdrpGetResourceFileName+275j
		cmp	[ecx+14h], ebx
		jz	short loc_5799E6
		mov	edx, ecx
		mov	ecx, edi
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	ecx, [ebp+var_94]

loc_5799E6:				; CODE XREF: LdrpGetResourceFileName+281j
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_94], ebx
		mov	ecx, edi
		call	FsRtlpComputeShareableOplockState

loc_5799FA:				; CODE XREF: LdrpGetResourceFileName+36Aj
		mov	ebx, 0C00000E2h
		xor	ecx, ecx
		lea	edx, [ecx+1]
		jmp	loc_57A102
; 

loc_579A09:				; CODE XREF: LdrpGetResourceFileName+25Fj
					; LdrpGetResourceFileName+263j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_579A0E:				; CODE XREF: LdrpGetResourceFileName+22Bj
		lea	ecx, [edi+2Ch]
		mov	eax, [ecx]

loc_579A13:				; CODE XREF: LdrpGetResourceFileName+2E6j
		cmp	eax, ecx
		jz	short loc_579A3C
		mov	edx, eax
		cmp	byte ptr [eax+1Dh], 0
		jnz	short loc_579A38
		mov	eax, [eax+4]
		mov	[ebp+var_8C], eax
		mov	ecx, edx
		call	_FsRtlpRemoveAndCompleteWaitingIrp@4 ; FsRtlpRemoveAndCompleteWaitingIrp(x)
		mov	eax, [ebp+var_8C]
		lea	ecx, [edi+2Ch]

loc_579A38:				; CODE XREF: LdrpGetResourceFileName+2C9j
		mov	eax, [eax]
		jmp	short loc_579A13
; 

loc_579A3C:				; CODE XREF: LdrpGetResourceFileName+2C1j
		mov	ecx, [ebp+var_94]
		call	_FsRtlpOplockDequeueRH@4 ; FsRtlpOplockDequeueRH(x)
		mov	ecx, [ebp+var_94]
		lea	eax, [ecx+1Ch]
		mov	edx, [eax]
		mov	[ebp+var_98], edx
		mov	edx, [eax+4]
		mov	esi, [ebp+var_98]
		cmp	[esi+4], eax
		mov	esi, [ebp+var_A4]
		jnz	short loc_579A09
		cmp	[edx], eax
		jnz	short loc_579A09
		mov	eax, [ebp+var_98]
		mov	[edx], eax
		mov	[eax+4], edx
		lea	eax, [edi+3Ch]
		cmp	[eax], eax
		jnz	short loc_579A89
		and	dword ptr [edi+48h], 0FFFCFFFFh

loc_579A89:				; CODE XREF: LdrpGetResourceFileName+32Cj
		cmp	[ecx+14h], ebx
		jz	short loc_579A9D
		mov	edx, ecx
		mov	ecx, edi
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	ecx, [ebp+var_94]

loc_579A9D:				; CODE XREF: LdrpGetResourceFileName+338j
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_94], ebx
		mov	ecx, edi
		call	FsRtlpComputeShareableOplockState

loc_579AB1:				; CODE XREF: LdrpGetResourceFileName+1F3j
					; LdrpGetResourceFileName+202j	...
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		call	FsRtlpOplockUpperLowerCompatible
		test	al, al
		jz	loc_5799FA
		mov	edx, [ebp+arg_C]
		mov	eax, edx
		and	eax, 1000h
		mov	[ebp+var_A0], eax
		mov	ecx, [ebp+var_90]
		jz	loc_579BD3
		mov	eax, [ecx+18h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_579BD3
		push	eax
		call	MmDoesFileHaveUserWritableReferences
		test	eax, eax
		jz	loc_579BCA
		mov	eax, [esi+0Ch]
		mov	[eax+8], ebx
		or	dword ptr [eax+0Ch], 4
		cmp	dword_6B2398, 5
		jbe	loc_579BC0
		push	4000h
		push	ebx
		mov	ecx, offset dword_6B2398
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_579BC0
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_C8], ecx
		mov	[ebp+var_C4], ebx
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], ebx
		push	8
		pop	edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], ebx
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_BC], ecx
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], ebx
		push	4
		pop	ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], ebx
		mov	eax, [edi+48h]
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_D0], 1000000h
		mov	[ebp+var_CC], ebx
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ebx
		lea	eax, [ebp+var_80]
		push	eax
		push	6
		push	ecx
		mov	edx, offset loc_41B589
		mov	ecx, offset dword_6B2398
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)

loc_579BC0:				; CODE XREF: LdrpGetResourceFileName+3B9j
					; LdrpGetResourceFileName+3D1j	...
		mov	ebx, 0C00000E2h
		jmp	loc_57A100
; 

loc_579BCA:				; CODE XREF: LdrpGetResourceFileName+3A2j
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+var_90]

loc_579BD3:				; CODE XREF: LdrpGetResourceFileName+386j
					; LdrpGetResourceFileName+394j
		cmp	edx, 0C8h
		jnz	short loc_579BF3
		mov	[edi], esi
		mov	eax, [ecx+18h]
		mov	[edi+4], eax
		mov	eax, [edi+48h]
		and	eax, 20h
		or	eax, edx
		mov	[edi+48h], eax
		jmp	loc_57A112
; 

loc_579BF3:				; CODE XREF: LdrpGetResourceFileName+485j
		mov	ecx, [edi+48h]
		test	cl, 91h
		jz	loc_579CC2
		test	cl, 10h
		jz	short loc_579C1E
		test	edx, 7000h
		jz	short loc_579C1E
		test	edx, 10000h

loc_579C12:				; CODE XREF: LdrpGetResourceFileName+4EBj
		jz	short loc_579BC0

loc_579C14:				; CODE XREF: LdrpGetResourceFileName+561j
					; LdrpGetResourceFileName+597j	...
		mov	ebx, 0C0000909h
		jmp	loc_57A10C
; 

loc_579C1E:				; CODE XREF: LdrpGetResourceFileName+4AEj
					; LdrpGetResourceFileName+4B6j
		test	cl, cl
		jns	short loc_579C41
		mov	edx, [edi+4]
		mov	ecx, [ebp+var_90]
		mov	ecx, [ecx+18h]
		push	ebx
		call	FsRtlpOplockKeysEqual
		test	al, al
		jnz	short loc_579C41
		test	[ebp+arg_C], 10000h
		jmp	short loc_579C12
; 

loc_579C41:				; CODE XREF: LdrpGetResourceFileName+4CCj
					; LdrpGetResourceFileName+4E2j
		mov	eax, [edi+48h]
		and	eax, 1F0FFDFh
		cmp	eax, 10h
		jz	short loc_579C5C
		cmp	eax, 1000h
		jz	short loc_579C5C
		cmp	eax, 1010h
		jnz	short loc_579C67

loc_579C5C:				; CODE XREF: LdrpGetResourceFileName+4F8j
					; LdrpGetResourceFileName+4FFj
		push	ebx
		xor	edx, edx
		mov	ecx, [edi+14h]
		call	_FsRtlpRemoveAndCompleteReadOnlyIrp@12 ; FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)

loc_579C67:				; CODE XREF: LdrpGetResourceFileName+506j
		xor	ecx, ecx
		inc	ecx
		cmp	[ebp+arg_4], ecx
		jbe	short loc_579C8D
		test	[edi+48h], cl
		jz	short loc_579C8D
		test	byte ptr [ebp+arg_8], cl
		jnz	short loc_579C8D
		mov	ebx, 0C00000E2h
		test	esi, esi
		jz	loc_57A10C

loc_579C86:				; CODE XREF: LdrpGetResourceFileName+56Cj
		mov	dl, cl
		jmp	loc_57A102
; 

loc_579C8D:				; CODE XREF: LdrpGetResourceFileName+519j
					; LdrpGetResourceFileName+51Ej	...
		mov	eax, [ebp+var_90]
		mov	eax, [eax+18h]
		cmp	byte ptr [eax+25h], 0
		jz	loc_579EA7
		mov	edx, [ebp+arg_C]
		test	edx, 2000h
		jz	loc_579EA7
		test	edx, 10000h
		jnz	loc_579C14

loc_579CBB:				; CODE XREF: LdrpGetResourceFileName+844j
					; LdrpGetResourceFileName+8E8j
		mov	ebx, 0C00000E2h
		jmp	short loc_579C86
; 

loc_579CC2:				; CODE XREF: LdrpGetResourceFileName+4A5j
		test	ecx, 7000h
		jz	loc_57A0EB
		test	ecx, 1F00F00h
		jnz	loc_57A0EB
		lea	eax, [edi+24h]
		cmp	[eax], eax
		jnz	loc_57A0EB
		test	edx, 10000h
		jnz	loc_579C14
		test	edx, 7000h
		jz	loc_579BC0
		mov	eax, [ebp+var_90]
		mov	eax, [eax+18h]
		mov	[ebp+var_A8], eax
		cmp	byte ptr [eax+25h], 0
		jz	short loc_579D1E
		test	edx, 2000h
		jnz	loc_579BC0

loc_579D1E:				; CODE XREF: LdrpGetResourceFileName+5BCj
		and	ecx, 1F0FFDFh
		cmp	ecx, 1000h
		jz	loc_579FDE
		cmp	ecx, 3000h
		jz	loc_579F3C
		mov	eax, 7040h
		cmp	ecx, 5040h
		jz	short loc_579D59
		cmp	ecx, eax
		jnz	loc_579BC0
		cmp	edx, eax
		jnz	loc_579BC0

loc_579D59:				; CODE XREF: LdrpGetResourceFileName+5F3j
		cmp	edx, 5040h
		jz	short loc_579D69
		cmp	edx, eax
		jnz	loc_579BC0

loc_579D69:				; CODE XREF: LdrpGetResourceFileName+60Bj
		mov	edx, [edi+4]
		push	ebx
		mov	ecx, [ebp+var_A8]
		call	FsRtlpOplockKeysEqual
		test	al, al
		jz	loc_579BC0
		mov	eax, [edi]
		mov	[ebp+var_8C], eax
		mov	[ebp+var_B4], eax
		push	7
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	edx, [ebp+var_8C]
		mov	[edx+25h], al
		xor	ecx, ecx
		lea	eax, [edx+38h]
		xchg	ecx, [eax]
		mov	al, [edx+25h]
		mov	[ebp+var_85], al
		mov	eax, large fs:20h
		add	eax, 450h
		mov	[ebp+var_AC], eax
		test	ds:byte_70EFC6,	1
		jz	short loc_579DD5
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_579E06
; 

loc_579DD5:				; CODE XREF: LdrpGetResourceFileName+673j
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_579DFB
		mov	ecx, [eax+4]
		xor	edx, edx
		lock cmpxchg [ecx], edx
		mov	ecx, [ebp+var_AC]
		cmp	eax, ecx
		jz	short loc_579E06
		call	KxWaitForLockChainValid
		mov	ecx, eax
		mov	eax, [ebp+var_AC]

loc_579DFB:				; CODE XREF: LdrpGetResourceFileName+685j
		mov	[eax], ebx
		lea	eax, [ecx+4]
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx

loc_579E06:				; CODE XREF: LdrpGetResourceFileName+67Fj
					; LdrpGetResourceFileName+698j
		mov	cl, [ebp+var_85]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_B4]
		cmp	byte ptr [eax+24h], 0
		jz	short loc_579E2A
		mov	[eax+1Ch], ebx
		mov	dword ptr [eax+18h], 0C0000120h
		jmp	short loc_579E88
; 

loc_579E2A:				; CODE XREF: LdrpGetResourceFileName+6C8j
		mov	esi, [eax+0Ch]
		mov	[ebp+var_D4], esi
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		inc	eax
		mov	[esi], ax
		push	18h
		pop	ecx
		mov	[esi+2], cx
		mov	edi, [ebp+var_B0]
		mov	eax, [edi+48h]
		shr	eax, 0Ch
		and	eax, 7
		mov	[esi+4], eax
		mov	edx, [ebp+arg_C]
		shr	edx, 0Ch
		and	edx, 6
		xor	eax, eax
		cmp	[ebp+var_A0], eax
		setnz	al
		or	edx, eax
		mov	[esi+8], edx
		mov	eax, [ebp+var_B4]
		mov	[eax+1Ch], ecx
		mov	dword ptr [eax+18h], 215h
		mov	esi, [ebp+var_A4]

loc_579E88:				; CODE XREF: LdrpGetResourceFileName+6D4j
		mov	dl, 1
		mov	ecx, [ebp+var_8C]
		call	IofCompleteRequest
		mov	[edi], ebx
		mov	ecx, [edi+4]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		mov	[edi+4], ebx

loc_579EA7:				; CODE XREF: LdrpGetResourceFileName+546j
					; LdrpGetResourceFileName+555j	...
		mov	[edi], esi
		mov	eax, [ebp+var_90]
		mov	eax, [eax+18h]
		mov	[edi+4], eax
		xor	edx, edx
		mov	ecx, edi
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[edi+8], eax
		mov	ecx, large fs:124h
		mov	[edi+0Ch], ecx
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		mov	[edi+10h], bl
		mov	eax, [edi+48h]
		and	eax, 20h
		or	eax, [ebp+arg_C]
		mov	[edi+48h], eax
		mov	eax, [ebp+var_90]
		mov	ecx, [eax+18h]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		mov	eax, [esi+60h]
		mov	[ebp+var_DC], eax
		xor	ecx, ecx
		inc	ecx
		or	[eax+3], cl
		mov	[esi+1Ch], edi
		push	7
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[esi+25h], al
		cmp	byte ptr [esi+24h], 0
		jz	loc_57A07D
		xor	eax, eax
		inc	eax
		push	eax
		mov	dl, al
		mov	ecx, esi
		call	_FsRtlpCancelExclusiveIrp@12 ; FsRtlpCancelExclusiveIrp(x,x,x)
		jmp	loc_57A0E4
; 

loc_579F3C:				; CODE XREF: LdrpGetResourceFileName+5E2j
		cmp	edx, 7040h
		jnz	loc_579BC0
		lea	edx, [edi+1Ch]
		mov	eax, [edx]

loc_579F4D:				; CODE XREF: LdrpGetResourceFileName+837j
		mov	[ebp+var_8C], eax
		cmp	eax, edx
		jz	short loc_579F8D
		mov	edx, [eax+0Ch]
		mov	eax, [ebp+var_90]
		mov	ecx, [eax+18h]
		push	ebx
		call	FsRtlpOplockKeysEqual
		test	al, al
		jz	loc_579BC0
		mov	eax, [ebp+var_8C]
		cmp	[eax+1Ch], ebx
		jz	short loc_579F86
		mov	ebx, 0C00000E3h
		jmp	loc_57A100
; 

loc_579F86:				; CODE XREF: LdrpGetResourceFileName+826j
		mov	eax, [eax]
		lea	edx, [edi+1Ch]
		jmp	short loc_579F4D
; 

loc_579F8D:				; CODE XREF: LdrpGetResourceFileName+801j
		xor	ecx, ecx
		inc	ecx
		cmp	[ebp+arg_4], ecx
		jbe	short loc_579F9E
		test	byte ptr [ebp+arg_8], cl
		jz	loc_579CBB

loc_579F9E:				; CODE XREF: LdrpGetResourceFileName+83Fj
		mov	eax, [edx]

loc_579FA0:				; CODE XREF: LdrpGetResourceFileName+888j
		mov	[ebp+var_98], eax
		cmp	eax, edx
		jz	loc_579EA7
		mov	ecx, [eax+4]
		mov	[ebp+var_A0], ecx
		push	ebx
		push	ebx
		push	ebx
		mov	eax, [ebp+arg_C]
		and	eax, 7000h
		push	eax
		push	215h
		mov	edx, edi
		mov	ecx, [ecx]
		call	_FsRtlpRemoveAndCompleteRHIrp@28 ; FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)
		mov	eax, [ebp+var_A0]
		mov	eax, [eax]
		lea	edx, [edi+1Ch]
		jmp	short loc_579FA0
; 

loc_579FDE:				; CODE XREF: LdrpGetResourceFileName+5D6j
		cmp	edx, 5040h
		jz	short loc_579FF2
		cmp	edx, 7040h
		jnz	loc_579BC0

loc_579FF2:				; CODE XREF: LdrpGetResourceFileName+890j
		lea	edx, [edi+14h]
		mov	eax, [edx]

loc_579FF7:				; CODE XREF: LdrpGetResourceFileName+8DBj
		mov	[ebp+var_8C], eax
		cmp	eax, edx
		jz	short loc_57A031
		mov	eax, [eax+8]
		mov	[ebp+var_D8], eax
		mov	edx, [eax+18h]
		mov	eax, [ebp+var_90]
		mov	ecx, [eax+18h]
		push	ebx
		call	FsRtlpOplockKeysEqual
		test	al, al
		jz	loc_579BC0
		mov	eax, [ebp+var_8C]
		mov	eax, [eax]
		lea	edx, [edi+14h]
		jmp	short loc_579FF7
; 

loc_57A031:				; CODE XREF: LdrpGetResourceFileName+8ABj
		xor	ecx, ecx
		inc	ecx
		cmp	[ebp+arg_4], ecx
		jbe	short loc_57A042
		test	byte ptr [ebp+arg_8], cl
		jz	loc_579CBB

loc_57A042:				; CODE XREF: LdrpGetResourceFileName+8E3j
		mov	eax, [edx]

loc_57A044:				; CODE XREF: LdrpGetResourceFileName+927j
		mov	[ebp+var_98], eax
		cmp	eax, edx
		jz	loc_579EA7
		mov	ecx, [eax+4]
		mov	[ebp+var_A0], ecx
		mov	eax, [ebp+arg_C]
		and	eax, 7000h
		push	eax
		mov	edx, 215h
		mov	ecx, [ecx]
		call	_FsRtlpRemoveAndCompleteReadOnlyIrp@12 ; FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)
		mov	eax, [ebp+var_A0]
		mov	eax, [eax]
		lea	edx, [edi+14h]
		jmp	short loc_57A044
; 

loc_57A07D:				; CODE XREF: LdrpGetResourceFileName+7D0j
		mov	ecx, offset _FsRtlpExclusiveIrpCancelRoutine@8 ; FsRtlpExclusiveIrpCancelRoutine(x,x)
		lea	eax, [esi+38h]
		xchg	ecx, [eax]
		mov	al, [esi+25h]
		mov	[ebp+var_85], al
		mov	eax, large fs:20h
		lea	esi, [eax+450h]
		test	ds:byte_70EFC6,	1
		jz	short loc_57A0B1
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_57A0D8
; 

loc_57A0B1:				; CODE XREF: LdrpGetResourceFileName+94Fj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_57A0CD
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_57A0D8
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_57A0CD:				; CODE XREF: LdrpGetResourceFileName+961j
		mov	[esi], ebx
		add	eax, 4
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx

loc_57A0D8:				; CODE XREF: LdrpGetResourceFileName+95Bj
					; LdrpGetResourceFileName+970j
		mov	cl, [ebp+var_85]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_57A0E4:				; CODE XREF: LdrpGetResourceFileName+7E3j
		mov	ebx, 103h
		jmp	short loc_57A10C
; 

loc_57A0EB:				; CODE XREF: LdrpGetResourceFileName+574j
					; LdrpGetResourceFileName+580j	...
		test	edx, 10000h
		jnz	loc_579C14
		mov	ebx, 0C00000E2h
		test	esi, esi
		jz	short loc_57A10C

loc_57A100:				; CODE XREF: LdrpGetResourceFileName+471j
					; LdrpGetResourceFileName+82Dj
		mov	dl, 1

loc_57A102:				; CODE XREF: LdrpGetResourceFileName+2B0j
					; LdrpGetResourceFileName+534j
		mov	[esi+18h], ebx
		mov	ecx, esi
		call	IofCompleteRequest

loc_57A10C:				; CODE XREF: LdrpGetResourceFileName+4C5j
					; LdrpGetResourceFileName+52Cj	...
		mov	[ebp+var_84], ebx

loc_57A112:				; CODE XREF: LdrpGetResourceFileName+49Aj
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	eax, eax
		inc	eax
		call	sub_57A147
		mov	eax, ebx
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
LdrpGetResourceFileName	endp


;  S U B	R O U T	I N E 


sub_57A135	proc near		; DATA XREF: .text:006A74B0o
		mov	ebx, [ebp-84h]
		mov	edi, [ebp-0B8h]
		mov	al, [ebp-99h]
sub_57A135	endp


;  S U B	R O U T	I N E 


sub_57A147	proc near		; CODE XREF: LdrpGetResourceFileName+9C8p
		test	al, al
		jz	short locret_57A153
		mov	ecx, [edi+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

locret_57A153:				; CODE XREF: sub_57A147+2j
		retn
sub_57A147	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DisplayBootBitmap proc near		; CODE XREF: DisplayFilter(x)+52p
					; Phase1InitializationDiscard(x)+2A3p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F9B49 SIZE 0000014D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	bl, cl
		cmp	byte_6FDE48, 0
		push	edi
		jnz	loc_5F9B49

loc_57A171:				; CODE XREF: DisplayBootBitmap+7FA05j
		mov	_ShowProgressBar, 0
		test	bl, bl
		jnz	loc_5F9B5E
		call	_InbvIsBootDriverInstalled@0 ; InbvIsBootDriverInstalled()
		test	al, al
		jnz	loc_5F9BF9
		call	_InbvReleaseResources@0	; InbvReleaseResources()

loc_57A192:				; CODE XREF: DisplayBootBitmap+7FB1Dj
					; DisplayBootBitmap+7FB3Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
DisplayBootBitmap endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall InbvReleaseResources()
_InbvReleaseResources@0	proc near	; CODE XREF: DisplayBootBitmap+39p
					; InbvRotateGuiBootDisplay(x)+4Ep
		mov	eax, dword_6D4D4C
		test	eax, eax
		jz	short locret_57A1AC
		mov	eax, [eax+54h]
		test	eax, eax
		jz	short locret_57A1AC
		jmp	eax
; 

locret_57A1AC:				; CODE XREF: InbvReleaseResources()+7j
					; InbvReleaseResources()+Ej
		retn
_InbvReleaseResources@0	endp

; 
		align 2

;  S U B	R O U T	I N E 


BvgaReleaseResources proc near		; DATA XREF: .data:006B2C74o
					; .data:006B2CD4o

; FUNCTION CHUNK AT 005F9C96 SIZE 0000001A BYTES

		mov	edi, edi
		push	esi
		xor	esi, esi
		push	edi
		inc	esi
		xor	edi, edi

loc_57A1B7:				; CODE XREF: BvgaReleaseResources+3Ej
		cmp	dword_6CD8DC[esi*4], edi
		jz	short loc_57A1E8
		call	_InbvIsBootDriverInstalled@0 ; InbvIsBootDriverInstalled()
		test	al, al
		jnz	loc_5F9C96

loc_57A1CD:				; CODE XREF: BvgaReleaseResources+7FAFDj
		push	edi
		push	dword_6CD8DC[esi*4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword_6CD8DC[esi*4], edi
		mov	___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUrlUnkUlyquivUrDIGUrlkOlyq@io[esi*4], edi

loc_57A1E8:				; CODE XREF: BvgaReleaseResources+10j
					; BvgaReleaseResources+7FAEDj ...
		inc	esi
		cmp	esi, 7
		jb	short loc_57A1B7
		pop	edi
		pop	esi
		retn
BvgaReleaseResources endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 723. InbvIsBootDriverInstalled

;  S U B	R O U T	I N E 


; __stdcall InbvIsBootDriverInstalled()
		public _InbvIsBootDriverInstalled@0
_InbvIsBootDriverInstalled@0 proc near	; CODE XREF: DisplayBootBitmap+2Cp
					; BvgaReleaseResources+12p ...
		mov	eax, dword_6D4D4C
		test	eax, eax
		jz	short loc_57A206
		mov	eax, [eax+1Ch]
		test	eax, eax
		jnz	short loc_57A209

loc_57A206:				; CODE XREF: InbvIsBootDriverInstalled()+7j
		xor	al, al
		retn
; 

loc_57A209:				; CODE XREF: InbvIsBootDriverInstalled()+Ej
		jmp	eax
_InbvIsBootDriverInstalled@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepEvntLogFlagsApplied(x, x, x, x,	x)
_KsepEvntLogFlagsApplied@20 proc near	; CODE XREF: KseQueryDeviceFlags+E5p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, _KseEtwHandle
		mov	ebx, edx
		push	edi
		mov	edi, dword_6FD4D4
		mov	eax, esi
		or	eax, edi
		mov	[ebp+var_48], ecx
		jz	short loc_57A2B6
		push	offset _KseFlagsApplied
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_57A2B6
		mov	ecx, [ebp+var_48]
		test	ecx, ecx
		jz	short loc_57A2B6
		test	ebx, ebx
		jz	short loc_57A2B6
		mov	eax, [ecx+4]
		xor	edx, edx
		mov	[ebp+var_44], eax
		movzx	eax, word ptr [ecx]
		add	eax, 2
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_34], eax
		movzx	eax, word ptr [ebx]
		add	eax, 2
		mov	[ebp+var_38], edx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	edx
		push	offset _KseFlagsApplied
		push	edi
		push	esi
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], 8
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_57A2B6:				; CODE XREF: KsepEvntLogFlagsApplied(x,x,x,x,x)+2Aj
					; KsepEvntLogFlagsApplied(x,x,x,x,x)+3Aj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_KsepEvntLogFlagsApplied@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpSaInitialize	proc near		; CODE XREF: ExpInitSystemPhase1+137p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F9CB0 SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:20h
		mov	ecx, 200h
		push	ebx
		xor	ebx, ebx
		mov	_ExSaPageGroupDescriptorArrayLock, ebx
		mov	eax, [eax+338h]
		push	ebx
		mov	_ExSaPageGroupDescriptorArray, ebx
		mov	_ExSaPageArrays, ebx
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		mov	_ExSaNonPagedSlotAllocator, ebx
		push	eax
		push	61537845h
		push	40h
		pop	edx
		mov	_ExSaPagedSlotAllocator, ebx
		call	ExpAllocatePoolWithTagFromNode
		mov	_ExSaPageGroupDescriptorArray, eax
		test	eax, eax
		jz	loc_57A48C
		push	esi
		push	edi
		push	40h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	0FFFFh
		call	KeQueryMaximumProcessorCountEx
		mov	edi, eax
		mov	ecx, 200h
		mov	eax, large fs:20h
		mov	esi, edi
		push	ebx
		shl	esi, 2
		mov	edx, esi
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	61537845h
		call	ExpAllocatePoolWithTagFromNode
		mov	_ExSaPageArrays, eax
		test	eax, eax
		jz	loc_57A48A
		push	esi		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, ds:_KeNumberProcessors
		add	esp, 0Ch
		mov	[ebp+var_4], eax
		mov	esi, ebx
		test	edi, edi
		jz	short loc_57A411

loc_57A398:				; CODE XREF: ExpSaInitialize+147j
		cmp	esi, eax
		jnb	loc_5F9CB0
		mov	ecx, esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)

loc_57A3A7:				; CODE XREF: ExpSaInitialize+7F9EEj
		mov	eax, [eax+338h]
		mov	ecx, 200h
		push	ebx
		movzx	eax, word ptr [eax+8Ah]
		movzx	eax, ax
		or	eax, 80000000h
		push	eax
		push	61537845h
		push	40h
		pop	edx
		call	ExpAllocatePoolWithTagFromNode
		mov	ecx, eax
		mov	eax, _ExSaPageArrays
		mov	[eax+esi*4], ecx
		test	ecx, ecx
		jz	loc_57A48A
		push	40h		; size_t
		push	ebx		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_57A409
		mov	eax, _ExSaPageArrays
		mov	eax, [eax+esi*4]
		mov	[ecx+47B4h], eax

loc_57A409:				; CODE XREF: ExpSaInitialize+131j
		mov	eax, [ebp+var_4]
		inc	esi
		cmp	esi, edi
		jb	short loc_57A398

loc_57A411:				; CODE XREF: ExpSaInitialize+CEj
		mov	eax, large fs:20h
		mov	esi, 80000000h
		push	ebx
		mov	edi, 61537845h
		mov	ecx, 200h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, esi
		push	eax
		push	edi
		push	28h
		pop	edx
		call	ExpAllocatePoolWithTagFromNode
		mov	_ExSaNonPagedSlotAllocator, eax
		test	eax, eax
		jz	short loc_57A48A
		xor	edx, edx
		mov	ecx, eax
		call	_ExpSaAllocatorInitialize@8 ; ExpSaAllocatorInitialize(x,x)
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	ebx
		inc	ecx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, esi
		push	eax
		push	edi
		push	28h
		pop	edx
		call	ExpAllocatePoolWithTagFromNode
		mov	_ExSaPagedSlotAllocator, eax
		test	eax, eax
		jz	short loc_57A48A
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_ExpSaAllocatorInitialize@8 ; ExpSaAllocatorInitialize(x,x)
		mov	bl, dl

loc_57A48A:				; CODE XREF: ExpSaInitialize+B1j
					; ExpSaInitialize+114j	...
		pop	edi
		pop	esi

loc_57A48C:				; CODE XREF: ExpSaInitialize+5Aj
		mov	al, bl
		pop	ebx
		leave
		retn
ExpSaInitialize	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ExpSaAllocatorInitialize(x,	x)
_ExpSaAllocatorInitialize@8 proc near	; CODE XREF: ExpSaInitialize+185p
					; ExpSaInitialize+1BBp
		mov	edi, edi
		push	esi
		xor	esi, esi
		mov	[ecx+8], esi
		mov	[ecx+10h], esi
		mov	[ecx+1Ch], esi
		mov	[ecx+20h], esi
		mov	[ecx+24h], esi
		test	dl, 1
		jz	short loc_57A4B2
		mov	dword ptr [ecx+24h], 1

loc_57A4B2:				; CODE XREF: ExpSaAllocatorInitialize(x,x)+17j
		lea	eax, [ecx+4]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ecx+0Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[ecx], esi
		mov	[ecx+14h], esi
		mov	[ecx+18h], esi
		mov	[ecx+20h], esi
		mov	dword ptr [ecx+1Ch], 3
		pop	esi
		retn
_ExpSaAllocatorInitialize@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2172. RtlInitializeSidEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _RtlInitializeSidEx
_RtlInitializeSidEx proc near		; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+194p
					; RtlCheckTokenMembershipEx(x,x,x,x)+1C6p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_8]
		mov	esi, [ebp+arg_0]
		push	[ebp+arg_4]
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	short loc_57A516
		mov	eax, [ebp+arg_8]
		movzx	ecx, al
		test	al, al
		jz	short loc_57A514
		lea	edx, [ebp+arg_8]
		add	esi, 8

loc_57A505:				; CODE XREF: _RtlInitializeSidEx+36j
		lea	edx, [edx+4]
		mov	eax, [edx]
		mov	[esi], eax
		lea	esi, [esi+4]
		sub	ecx, 1
		jnz	short loc_57A505

loc_57A514:				; CODE XREF: _RtlInitializeSidEx+21j
		xor	eax, eax

loc_57A516:				; CODE XREF: _RtlInitializeSidEx+17j
		pop	esi
		pop	ebp
		retn
_RtlInitializeSidEx endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnpCreateResourceRequest(x)
_PnpCreateResourceRequest@4 proc near	; CODE XREF: PnpProcessAssignResources+72p
		mov	edi, edi
		push	esi
		push	edi
		imul	edi, ecx, 28h
		push	36706E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_57A540
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_57A540:				; CODE XREF: PnpCreateResourceRequest(x)+18j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_PnpCreateResourceRequest@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 752. IoAttachDeviceToDeviceStack

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAttachDeviceToDeviceStack(x, x)
		public _IoAttachDeviceToDeviceStack@8
_IoAttachDeviceToDeviceStack@8 proc near ; CODE	XREF: VfFilterAttach(x,x)+11Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	IopAttachDeviceToDeviceStackSafe
		pop	ebp
		retn	8
_IoAttachDeviceToDeviceStack@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopCheckPowerSourceAfterRtcWakeInitialize()
_PopCheckPowerSourceAfterRtcWakeInitialize@0 proc near ; CODE XREF: PoInitSystem+58Bp
		mov	edi, edi
		push	ecx
		push	0
		push	offset _PopCheckPowerSourceAfterRtcWakeTimerWorker@4 ; PopCheckPowerSourceAfterRtcWakeTimerWorker(x)
		push	0
		mov	edx, offset _PopCheckPowerSourceAfterRtcWakeTimerCallback@8 ; PopCheckPowerSourceAfterRtcWakeTimerCallback(x,x)
		mov	ecx, offset _PopCheckPowerSourceAfterRtcWakeTimer
		call	_PopInitializeTimer@24 ; PopInitializeTimer(x,x,x,x,x,x)
		push	1
		push	0
		push	offset _PopCheckPowerSourceAfterRtcWakeCompleted
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	eax, eax
		retn
_PopCheckPowerSourceAfterRtcWakeInitialize@0 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 237. CcSetLoggedDataThreshold

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcSetLoggedDataThreshold
CcSetLoggedDataThreshold proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005F9CBB SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		lea	edx, [ebp+var_18]
		xor	eax, eax
		mov	ecx, offset _CcMasterLock
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, _CcVolumeCacheMapList
		xor	ebx, ebx
		mov	ecx, offset _CcVolumeCacheMapList
		inc	ebx
		xor	edi, edi
		cmp	esi, ecx
		jz	short loc_57A63A
		mov	eax, [ebp+arg_0]

loc_57A5D1:				; CODE XREF: CcSetLoggedDataThreshold+48j
		cmp	[esi+0Ch], eax
		jz	short loc_57A5DE
		mov	esi, [esi]
		cmp	esi, ecx
		jnz	short loc_57A5D1
		jmp	short loc_57A63A
; 

loc_57A5DE:				; CODE XREF: CcSetLoggedDataThreshold+42j
		mov	eax, ds:_PspSystemPartition
		mov	eax, [eax+4]
		add	eax, 40h
		mov	[ebp+var_C], edi
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_8], eax
		jnz	loc_5F9CBB
		lea	edx, [ebp+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jnz	loc_5F9CCA

loc_57A609:				; CODE XREF: CcSetLoggedDataThreshold+7F733j
					; CcSetLoggedDataThreshold+7F740j
		mov	eax, [ebp+arg_4]
		mov	[esi+50h], eax
		test	ds:byte_70EFC6,	1
		jnz	loc_5F9CD7
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_57A675
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jnz	loc_5F9CE7

loc_57A63A:				; CODE XREF: CcSetLoggedDataThreshold+3Aj
					; CcSetLoggedDataThreshold+4Aj	...
		test	ds:byte_70EFC6,	1
		jnz	loc_5F9CF4
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_57A680
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	loc_5F9D04

loc_57A665:				; CODE XREF: CcSetLoggedDataThreshold+F7j
					; CcSetLoggedDataThreshold+7F76Dj
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_57A675:				; CODE XREF: CcSetLoggedDataThreshold+8Fj
					; CcSetLoggedDataThreshold+7F75Dj
		mov	[ebp+var_C], edi
		add	eax, 4
		lock xor [eax],	ebx
		jmp	short loc_57A63A
; 

loc_57A680:				; CODE XREF: CcSetLoggedDataThreshold+BAj
					; CcSetLoggedDataThreshold+7F77Aj
		mov	[ebp+var_18], edi
		add	eax, 4
		lock xor [eax],	ebx
		jmp	short loc_57A665
CcSetLoggedDataThreshold endp

; 
		align 10h
; Exported entry 1095. KeAddTriageDumpDataBlock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeAddTriageDumpDataBlock
KeAddTriageDumpDataBlock proc near	; CODE XREF: IoAddTriageDumpDataBlock+7E389p
					; IopInitializeTriageDumpData+96p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F9D11 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	short loc_57A70C
		xor	edi, edi
		mov	ecx, esi
		push	edi
		call	KiValidateTriageDumpDataArray
		test	al, al
		jz	short loc_57A70C
		mov	ebx, [ebp+arg_4]
		mov	ecx, ebx
		mov	edx, [ebp+arg_8]
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_57A70C
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_57A6F5
		lea	ecx, [ebx+eax]
		mov	eax, [esi+8]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	loc_5F9D11

loc_57A6D6:				; CODE XREF: KeAddTriageDumpDataBlock+7F6BEj
		cmp	eax, [esi+0Ch]
		jz	short loc_57A6FE
		mov	eax, [esi+14h]
		sub	ecx, ebx
		sub	eax, [esi+10h]
		cmp	ecx, eax
		ja	short loc_57A705
		mov	[esi+edi*8+20h], ebx
		mov	[esi+edi*8+24h], ecx
		inc	dword ptr [esi+8]
		add	[esi+10h], ecx

loc_57A6F5:				; CODE XREF: KeAddTriageDumpDataBlock+33j
					; KeAddTriageDumpDataBlock+7F69Cj
		xor	eax, eax

loc_57A6F7:				; CODE XREF: KeAddTriageDumpDataBlock+73j
					; KeAddTriageDumpDataBlock+7Aj	...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_57A6FE:				; CODE XREF: KeAddTriageDumpDataBlock+49j
		mov	eax, 0C0000023h
		jmp	short loc_57A6F7
; 

loc_57A705:				; CODE XREF: KeAddTriageDumpDataBlock+55j
		mov	eax, 0C000009Ah
		jmp	short loc_57A6F7
; 

loc_57A70C:				; CODE XREF: KeAddTriageDumpDataBlock+Dj
					; KeAddTriageDumpDataBlock+1Bj	...
		mov	eax, 0C000000Dh
		jmp	short loc_57A6F7
KeAddTriageDumpDataBlock endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiValidateTriageDumpDataArray proc near	; CODE XREF: KeAddTriageDumpDataBlock+14p
					; KiInvokeBugCheckAddTriageDumpDataCallbacks()+B7p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F9D53 SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	20h
		xor	edi, edi
		mov	esi, ecx
		pop	edx
		mov	[ebp+var_4], edi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	loc_57A7D5
		mov	ebx, [esi+0Ch]
		cmp	[esi+8], ebx
		ja	loc_57A7D5
		push	8
		pop	ecx
		mov	eax, ebx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_57A7D5
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		push	eax
		push	20h
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_57A7D5
		mov	edx, ebx
		lea	ecx, [esi+20h]
		shl	edx, 3
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_57A7D5
		mov	ecx, [esi]
		push	8
		pop	edx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_57A7D5
		mov	ecx, [esi+4]
		push	8
		pop	edx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_57A7D5
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_57A7D5
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_57A7D5
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_5F9D53

loc_57A7AF:				; CODE XREF: KiValidateTriageDumpDataArray+7F648j
		mov	eax, [esi+8]
		mov	ebx, edi
		mov	[ebp+arg_0], edi
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	loc_5F9D61

loc_57A7C2:				; CODE XREF: KiValidateTriageDumpDataArray+7F67Aj
		cmp	[esi+10h], edi
		jnz	short loc_57A7D5
		cmp	edi, [esi+14h]
		ja	short loc_57A7D5
		mov	al, 1

loc_57A7CE:				; CODE XREF: KiValidateTriageDumpDataArray+C3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_57A7D5:				; CODE XREF: KiValidateTriageDumpDataArray+1Bj
					; KiValidateTriageDumpDataArray+27j ...
		xor	al, al
		jmp	short loc_57A7CE
KiValidateTriageDumpDataArray endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopIsAddressRangeValid(x, x)
_IopIsAddressRangeValid@8 proc near	; CODE XREF: KeAddTriageDumpDataBlock+25p
					; KiValidateTriageDumpDataArray+14p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [edx+0FFFh]
		and	ecx, 0FFFh
		and	esi, 0FFFFF000h
		add	edi, ecx
		shr	edi, 0Ch
		test	edi, edi
		jz	short loc_57A819

loc_57A7FB:				; CODE XREF: IopIsAddressRangeValid(x,x)+3Dj
		cmp	esi, 10000h
		jb	short loc_57A81E
		mov	ecx, esi
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_57A81E
		add	esi, 1000h
		sub	edi, 1
		jnz	short loc_57A7FB

loc_57A819:				; CODE XREF: IopIsAddressRangeValid(x,x)+1Fj
		mov	al, 1

loc_57A81B:				; CODE XREF: IopIsAddressRangeValid(x,x)+46j
		pop	edi
		pop	esi
		retn
; 

loc_57A81E:				; CODE XREF: IopIsAddressRangeValid(x,x)+27j
					; IopIsAddressRangeValid(x,x)+32j
		xor	al, al
		jmp	short loc_57A81B
_IopIsAddressRangeValid@8 endp

; 
		align 8
; Exported entry 1183. KeInitializeTriageDumpDataArray

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeTriageDumpDataArray(x, x)
		public _KeInitializeTriageDumpDataArray@8
_KeInitializeTriageDumpDataArray@8 proc	near ; CODE XREF: IopInitializeTriageDumpData+65p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_57A865
		mov	eax, [ebp+arg_4]
		cmp	eax, 28h
		jb	short loc_57A86C
		xor	edx, edx
		mov	[ecx+4], ecx
		add	eax, 0FFFFFFE0h
		mov	[ecx], ecx
		shr	eax, 3
		mov	[ecx+0Ch], eax
		xor	eax, eax
		mov	[ecx+8], edx
		mov	[ecx+10h], edx
		mov	dword ptr [ecx+14h], 2000000h
		mov	[ecx+1Ch], edx
		mov	[ecx+18h], edx

loc_57A861:				; CODE XREF: KeInitializeTriageDumpDataArray(x,x)+42j
					; KeInitializeTriageDumpDataArray(x,x)+49j
		pop	ebp
		retn	8
; 

loc_57A865:				; CODE XREF: KeInitializeTriageDumpDataArray(x,x)+Aj
		mov	eax, 0C000000Dh
		jmp	short loc_57A861
; 

loc_57A86C:				; CODE XREF: KeInitializeTriageDumpDataArray(x,x)+12j
		mov	eax, 0C0000023h
		jmp	short loc_57A861
_KeInitializeTriageDumpDataArray@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGetPhysicalMemoryBlock()
_IopGetPhysicalMemoryBlock@0 proc near	; CODE XREF: IopLoadCrashdumpDriver+76p
					; IoUpdateDumpPhysicalRanges()+37p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		call	_MmGetPhysicalMemoryRanges@0 ; MmGetPhysicalMemoryRanges()
		mov	edi, eax
		mov	[ebp+var_C], edi
		test	edi, edi
		jz	loc_57A959
		mov	ecx, [edi+8]
		xor	ebx, ebx
		mov	edx, [edi+0Ch]
		mov	eax, ecx
		or	eax, edx
		jz	loc_57A960

loc_57A8A9:				; CODE XREF: IopGetPhysicalMemoryBlock()+4Cj
		shrd	ecx, edx, 0Ch
		add	esi, ecx
		inc	ebx
		mov	eax, ebx
		add	eax, eax
		mov	ecx, [edi+eax*8+8]
		mov	edx, [edi+eax*8+0Ch]
		mov	eax, ecx
		or	eax, edx
		jnz	short loc_57A8A9
		mov	[ebp+var_8], esi
		test	ebx, ebx
		jz	loc_57A960
		push	8
		pop	ecx
		mov	eax, ebx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_57A960
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		push	eax
		push	10h
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_57A960
		push	706D4443h
		push	[ebp+var_4]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_57A960
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	[esi], ebx
		mov	[esi+4], eax
		test	ebx, ebx
		jz	short loc_57A951
		mov	edx, edi
		lea	edi, [esi+0Ch]

loc_57A92B:				; CODE XREF: IopGetPhysicalMemoryBlock()+D8j
		mov	ecx, [edx]
		lea	edx, [edx+10h]
		mov	eax, [edx-0Ch]
		shrd	ecx, eax, 0Ch
		mov	[edi-4], ecx
		mov	ecx, [edx-8]
		mov	eax, [edx-4]
		shrd	ecx, eax, 0Ch
		mov	[edi], ecx
		lea	edi, [edi+8]
		sub	ebx, 1
		jnz	short loc_57A92B
		mov	edi, [ebp+var_C]

loc_57A951:				; CODE XREF: IopGetPhysicalMemoryBlock()+B0j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_57A959:				; CODE XREF: IopGetPhysicalMemoryBlock()+1Dj
		mov	eax, esi

loc_57A95B:				; CODE XREF: IopGetPhysicalMemoryBlock()+F6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_57A960:				; CODE XREF: IopGetPhysicalMemoryBlock()+2Fj
					; IopGetPhysicalMemoryBlock()+53j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		jmp	short loc_57A95B
_IopGetPhysicalMemoryBlock@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopVideoBrightnessSettingsCallback(void	*,int,int,int)
PopVideoBrightnessSettingsCallback proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005F9D93 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, 0C000000Dh
		push	10h
		pop	ebx
		push	ebx		; size_t
		push	edi		; void *
		push	(offset	loc_408958+4) ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_5F9D93
		push	ebx		; size_t
		push	edi		; void *
		push	offset _GUID_DEVICE_POWER_POLICY_VIDEO_BRIGHTNESS ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_57AA1C
		push	ebx		; size_t
		push	edi		; void *
		push	offset _GUID_DEVICE_POWER_POLICY_VIDEO_DIM_BRIGHTNESS ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_57AA45
		push	ebx		; size_t
		push	edi		; void *
		push	offset _GUID_VIDEO_ADAPTIVE_DISPLAY_BRIGHTNESS ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_57AA60
		push	ebx		; size_t
		push	edi		; void *
		push	offset _GUID_ENERGY_SAVER_BRIGHTNESS ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_57AA7B
		push	ebx		; size_t
		push	edi		; void *
		push	(offset	loc_408998+4) ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_57AA3C
		cmp	[ebp+arg_8], 4
		jnz	short loc_57AA3C
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_57AA3C
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	eax, [edi]
		mov	dword_6C2D2C, eax
		jmp	short loc_57AA35
; 

loc_57AA1C:				; CODE XREF: PopVideoBrightnessSettingsCallback+3Bj
		cmp	[ebp+arg_8], 4
		jnz	short loc_57AA3C
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_57AA3C
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	eax, [edi]
		mov	dword_6C2D30, eax

loc_57AA35:				; CODE XREF: PopVideoBrightnessSettingsCallback+AEj
					; PopVideoBrightnessSettingsCallback+F2j ...
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		xor	esi, esi

loc_57AA3C:				; CODE XREF: PopVideoBrightnessSettingsCallback+93j
					; PopVideoBrightnessSettingsCallback+99j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_57AA45:				; CODE XREF: PopVideoBrightnessSettingsCallback+4Ej
		cmp	[ebp+arg_8], 4
		jnz	short loc_57AA3C
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_57AA3C
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	eax, [edi]
		mov	dword_6C2D34, eax
		jmp	short loc_57AA35
; 

loc_57AA60:				; CODE XREF: PopVideoBrightnessSettingsCallback+65j
		cmp	[ebp+arg_8], 4
		jnz	short loc_57AA3C
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_57AA3C
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	eax, [edi]
		mov	dword_6C2D3C, eax
		jmp	short loc_57AA35
; 

loc_57AA7B:				; CODE XREF: PopVideoBrightnessSettingsCallback+7Cj
		cmp	[ebp+arg_8], 4
		jnz	short loc_57AA3C
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_57AA3C
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	eax, [edi]
		mov	dword_6C2D40, eax
		jmp	short loc_57AA35
PopVideoBrightnessSettingsCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmDbgMarkPfnModifiedWorker proc	near	; CODE XREF: KdRegisterDebuggerDataBlock+F8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F9DC8 SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, offset unk_6D31D0
		mov	[ebp+var_4], 20h

loc_57AAAD:				; CODE XREF: MmDbgMarkPfnModifiedWorker+28j
		mov	eax, [esi]
		test	al, 1
		jnz	loc_5F9DC8

loc_57AAB7:				; CODE XREF: MmDbgMarkPfnModifiedWorker+7F378j
					; MmDbgMarkPfnModifiedWorker+7F38Cj
		add	esi, 4
		sub	[ebp+var_4], 1
		jnz	short loc_57AAAD
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MmDbgMarkPfnModifiedWorker endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAddZeroingThreads proc near		; CODE XREF: MiReassessZeroThreads+281p

var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F9E27 SIZE 000000FA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	edx, [ecx+38h]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_24]
		mov	[ebp+var_14], edx
		mov	esi, [edx+74h]
		mov	ecx, [edx+6Ch]
		stosd
		mov	[ebp+var_18], ecx
		stosd
		stosd
		cmp	esi, [edx+70h]
		jnz	loc_5F9E27
		inc	dword_6C68C4
		push	3

loc_57AAF8:				; CODE XREF: MiAddZeroingThreads+7F36Fj
		pop	eax

loc_57AAF9:				; CODE XREF: MiAddZeroingThreads+7F456j
		pop	edi
		pop	esi
		leave
		retn
MiAddZeroingThreads endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDiagnosticTraceElamStatus(x, x)
_PnpDiagnosticTraceElamStatus@8	proc near
					; CODE XREF: PnpNotifyEarlyLaunchStatusUpdate(x)+1Fp
					; PnpNotifyEarlyLaunchStatusUpdate(x)+58p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, dword_6D4DF4
		push	esi
		push	edi
		mov	edi, _PnpEtwHandle
		xor	esi, esi
		mov	eax, edi
		mov	[ebp+var_18], edx
		or	eax, ebx
		mov	[ebp+var_1C], ecx
		jz	short loc_57AB5F
		push	ecx
		push	ebx
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_57AB5F
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], esi
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	1
		push	esi
		push	[ebp+var_1C]
		mov	[ebp+var_C], 4
		push	ebx
		push	edi
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	esi, eax

loc_57AB5F:				; CODE XREF: PnpDiagnosticTraceElamStatus(x,x)+2Dj
					; PnpDiagnosticTraceElamStatus(x,x)+39j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PnpDiagnosticTraceElamStatus@8	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1378. MmAllocatePagesForMdl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAllocatePagesForMdl(x, x,	x, x, x, x, x)
		public _MmAllocatePagesForMdl@28
_MmAllocatePagesForMdl@28 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]
		mov	eax, large fs:124h
		mov	ecx, offset _MiSystemPartition
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_18]
		push	[ebp+arg_C]
		mov	eax, [eax+16Ch]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		push	[ebp+arg_0]
		push	0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		push	eax
		push	3
		call	MiAllocatePagesForMdl
		pop	ebp
		retn	1Ch
_MmAllocatePagesForMdl@28 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiEnableGroupScheduling	proc near	; CODE XREF: .text:loc_50FE39p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F9F21 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		lea	edx, [ebp+var_14]
		xor	ebx, ebx
		mov	ecx, offset _KiSchedulingGroupLock
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	ecx, ecx
		inc	ecx
		cmp	ds:_KiGroupSchedulingEnabled, bl
		jnz	loc_57AC94
		mov	eax, offset _KiSchedulingGroupList
		push	esi
		mov	dword_6CB11C, eax
		mov	_KiSchedulingGroupList,	eax
		call	KeUpdateGroupSchedulingConstants
		mov	[ebp+var_4], ebx

loc_57AC12:				; CODE XREF: KiEnableGroupScheduling+7F365j
		mov	edx, ds:dword_7186C4
		mov	esi, ds:_KeTickCount
		cmp	edx, ds:dword_7186C8
		jnz	loc_5F9F21
		mov	eax, ds:_KiGenerationTicks
		xor	ecx, ecx
		add	eax, esi
		mov	esi, ds:_KeNumberProcessors
		mov	_KiGenerationEndTick, eax
		adc	ecx, edx
		mov	edx, ebx
		mov	dword_6CB3E4, ecx
		test	esi, esi
		jz	short loc_57AC8B

loc_57AC4C:				; CODE XREF: KiEnableGroupScheduling+C5j
		mov	ecx, ds:_KiProcessorBlock[edx*4]
		lea	eax, [ecx+3CF0h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ecx+3CCh]
		shl	eax, 8
		sub	eax, 0FFFFFF80h
		inc	edx
		mov	[ecx+3B34h], eax
		mov	eax, _KiGenerationEndTick
		mov	[ecx+3D68h], eax
		mov	eax, dword_6CB3E4
		mov	[ecx+3D6Ch], eax
		cmp	edx, esi
		jb	short loc_57AC4C

loc_57AC8B:				; CODE XREF: KiEnableGroupScheduling+86j
		xor	eax, eax
		inc	eax
		mov	ds:_KiGroupSchedulingEnabled, al
		pop	esi

loc_57AC94:				; CODE XREF: KiEnableGroupScheduling+30j
		test	ds:byte_70EFC6,	1
		jnz	loc_5F9F2E
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_5F9F46
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jnz	loc_5F9F3E

loc_57ACC3:				; CODE XREF: KiEnableGroupScheduling+7F375j
					; KiEnableGroupScheduling+7F38Ej
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	ebx
		leave
		retn
KiEnableGroupScheduling	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeUpdateGroupSchedulingConstants proc near ; CODE XREF:	KiEnableGroupScheduling+46p
					; PspReadDfssConfigurationValues()+E8p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 005F9F57 SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1], cl
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		test	cl, cl
		jz	loc_5F9F57

loc_57ACEE:				; CODE XREF: KeUpdateGroupSchedulingConstants+7F294j
		mov	ecx, ds:_KiProcessorBlock
		xor	dl, dl
		call	_KeQueryCycleCounterFrequency@8	; KeQueryCycleCounterFrequency(x,x)
		push	0
		mov	ecx, 3E8h
		push	ecx
		push	edx
		push	eax
		call	__aulldiv
		mov	ebx, eax
		mov	edi, edx
		mov	eax, edi
		mul	ds:_PsDfssShortTermSharingMS
		push	0Ah
		mov	esi, eax
		mov	eax, ebx
		mul	ds:_PsDfssShortTermSharingMS
		mov	ds:_KiCycleDivisorShortTerm, eax
		add	esi, edx
		mov	eax, edi
		mov	ds:dword_705144, esi
		mul	ds:_PsDfssLongTermSharingMS
		mov	esi, eax
		mov	eax, ebx
		mul	ds:_PsDfssLongTermSharingMS
		add	esi, edx
		mov	ds:_KiCycleDivisorLongTerm, eax
		mov	ds:dword_70513C, esi
		mov	eax, edi
		mov	esi, ds:_PsDfssGenerationLengthMS
		mul	esi
		pop	edi
		mov	ecx, eax
		mov	eax, ebx
		mul	esi
		add	ecx, edx
		mov	ds:_KiCyclesPerGeneration, eax
		mov	ds:dword_70514C, ecx
		mov	eax, esi
		mov	ecx, ds:_PsDfssLongTermFraction1024
		mov	ds:_KiGroupSchedulingNumerator,	ecx
		mov	ecx, 3E8h
		mul	ecx
		mov	ecx, eax
		mov	eax, edx
		mul	edi
		mov	esi, eax
		mov	eax, ecx
		mul	edi
		xor	edi, edi
		push	edi
		push	ds:_KeMaximumIncrement
		add	esi, edx
		push	esi
		push	eax
		call	__aulldiv
		xor	ebx, ebx
		mov	ds:_KiGenerationTicks, eax
		inc	ebx
		xor	ecx, ecx
		push	edi
		mov	dl, bl
		call	KiAssignSchedulingGroupWeights
		cmp	[ebp+var_1], 0
		jz	loc_5F9F69

loc_57ADBB:				; CODE XREF: KeUpdateGroupSchedulingConstants+7F2E0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
KeUpdateGroupSchedulingConstants endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiZeroPageThread proc near		; DATA XREF: MiInitializePartitionThreads(x)+37o
					; MiInitSystem+48o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005F9FB5 SIZE 000000D3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	edi, offset _MiSystemPartition
		jnz	loc_5F9FB5
		mov	ecx, edi
		call	MiZeroBootLargePages
		test	eax, eax
		js	loc_5F9FB5

loc_57ADEC:				; CODE XREF: MiZeroPageThread+7F2C3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
MiZeroPageThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiZeroBootLargePages proc near		; CODE XREF: MiZeroPageThread+1Fp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FA088 SIZE 00000087 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1C], ecx
		lea	edi, [ebp+var_10]
		xor	esi, esi
		stosd
		push	offset dword_6D06E8
		mov	[ebp+var_28], esi
		stosd
		stosd
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	edi, [ebp+var_1C]
		mov	ecx, edi
		call	MiComputeMemoryNodeProcessorAssignments
		test	eax, eax
		jz	loc_5FA088
		push	esi
		push	esi
		lea	eax, [edi+0E08h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	ecx, [edi+0DD4h]
		mov	[ebp+var_20], esi
		lea	eax, [ecx+8]
		mov	word ptr [ecx],	107h
		mov	byte ptr [ecx+2], 4
		mov	[ecx+4], esi
		lea	ecx, [ebp+var_18]
		mov	ebx, ecx
		mov	[ebp+var_14], ecx
		movzx	ecx, ds:_KeNumberNodes
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, esi
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], ebx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_5FA0A9

loc_57AE88:				; CODE XREF: MiZeroBootLargePages+106j
		imul	ecx, esi, 280h
		mov	edx, 20206D4Dh
		mov	esi, [edi+10h]
		lea	edi, [ebp+var_10]
		push	0
		push	40h
		add	ecx, 264h
		add	esi, ecx
		mov	ecx, 100h
		movsd
		movsd
		movsd
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, [ebp+var_1C]
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5FA092
		mov	esi, [ebp+var_2C]
		mov	ecx, edi
		push	esi
		call	_MiAllocateZeroPageDecisionTraceBuffer@8 ; MiAllocateZeroPageDecisionTraceBuffer(x,x)
		mov	[ebx+0FCh], eax
		lea	ecx, [ebp+var_18]
		mov	[ebx+34h], esi
		mov	[ebx+30h], edi
		mov	eax, [ebp+var_14]
		cmp	[eax], ecx
		jnz	loc_57AFD3
		mov	[ebx+4], eax
		mov	[ebx], ecx
		mov	[eax], ebx
		mov	eax, [ebp+var_24]
		inc	eax
		mov	[ebp+var_14], ebx
		inc	esi
		mov	[ebp+var_24], eax
		mov	[ebp+var_2C], esi
		cmp	esi, [ebp+var_30]
		jb	short loc_57AE88
		mov	ebx, [ebp+var_18]
		mov	esi, [ebp+var_20]

loc_57AF04:				; CODE XREF: MiZeroBootLargePages+7F2AEj
					; MiZeroBootLargePages+7F2B5j
		lea	ecx, [edi+0DCCh]
		mov	[ecx], eax
		mov	[ebp+var_20], ecx
		mov	[edi+0E04h], eax

loc_57AF15:				; CODE XREF: MiZeroBootLargePages+1B0j
					; MiZeroBootLargePages+7F314j
		lea	eax, [ebp+var_18]
		cmp	ebx, eax
		jz	loc_57AFAB
		cmp	[ebx+4], eax
		jnz	loc_57AFD3
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	loc_57AFD3
		mov	[ebp+var_18], eax
		lea	edx, [ebp+var_18]
		mov	[eax+4], edx
		mov	edi, ebx
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		test	esi, esi
		js	loc_5FA0B0
		mov	eax, [ebp+var_1C]
		lea	edi, [ebp+var_10]
		imul	ecx, [ebx+34h],	280h
		mov	esi, [eax+10h]
		lea	eax, [ebp+var_10]
		add	esi, 264h
		add	esi, ecx
		movsd
		movsd
		movsd
		xor	edi, edi
		push	edi
		push	eax
		push	ebx
		push	offset MiZeroNodePages
		push	edi
		push	edi
		push	edi
		push	1FFFFFh
		lea	eax, [ebp+var_28]
		push	eax
		call	PsCreateSystemThreadEx
		mov	ecx, [ebp+var_20]
		mov	esi, eax
		mov	eax, [ebp+var_28]

loc_57AF8E:				; CODE XREF: MiZeroBootLargePages+7F2C1j
		test	esi, esi
		js	loc_5FA0BC
		push	edi
		push	eax
		call	ObCloseHandle
		mov	ebx, [ebp+var_18]
		mov	edi, [ebp+var_1C]
		mov	ecx, [ebp+var_20]
		jmp	loc_57AF15
; 

loc_57AFAB:				; CODE XREF: MiZeroBootLargePages+124j
		push	ecx
		xor	edx, edx
		lea	ecx, [edi+0DD4h]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		cmp	byte ptr [edi+0DFCh], 0
		jnz	short loc_57AFD8

loc_57AFC2:				; CODE XREF: MiZeroBootLargePages+1E7j
		mov	eax, esi

loc_57AFC4:				; CODE XREF: MiZeroBootLargePages+7F297j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_57AFD3:				; CODE XREF: MiZeroBootLargePages+E8j
					; MiZeroBootLargePages+12Dj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_57AFD8:				; CODE XREF: MiZeroBootLargePages+1CAj
		mov	esi, 0C0000001h
		jmp	short loc_57AFC2
MiZeroBootLargePages endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocateZeroPageDecisionTraceBuffer(x, x)
_MiAllocateZeroPageDecisionTraceBuffer@8 proc near ; CODE XREF:	MiZeroBootLargePages+CFp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		imul	eax, [ebp+arg_0], 280h
		xor	edx, edx
		push	esi
		add	eax, [ecx+10h]
		mov	esi, [eax+4]
		test	esi, esi
		jz	short loc_57B033
		shl	esi, 9
		test	esi, esi
		jz	short loc_57B033
		shr	esi, 0Ch
		mov	ecx, esi
		shl	ecx, 4
		test	ecx, ecx
		jz	short loc_57B02C
		push	edx
		push	40h
		mov	edx, 20206D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_57B02C
		and	dword ptr [edx+4], 0
		mov	[edx], esi
		mov	dword ptr [edx+8], 1

loc_57B02C:				; CODE XREF: MiAllocateZeroPageDecisionTraceBuffer(x,x)+2Aj
					; MiAllocateZeroPageDecisionTraceBuffer(x,x)+3Dj
		mov	eax, edx

loc_57B02E:				; CODE XREF: MiAllocateZeroPageDecisionTraceBuffer(x,x)+55j
		pop	esi
		pop	ebp
		retn	4
; 

loc_57B033:				; CODE XREF: MiAllocateZeroPageDecisionTraceBuffer(x,x)+17j
					; MiAllocateZeroPageDecisionTraceBuffer(x,x)+1Ej
		xor	eax, eax
		jmp	short loc_57B02E
_MiAllocateZeroPageDecisionTraceBuffer@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SepBuildDefaultCape(x)
_SepBuildDefaultCape@4 proc near	; CODE XREF: SepBuildDefaultCap+11p
		mov	edi, edi
		push	esi
		push	edi
		push	70536553h
		push	1Ch
		push	1
		mov	edi, ecx
		xor	esi, esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_57B083
		mov	eax, ds:_DefaultCapeName
		mov	ecx, ds:_SeDefaultCapeSd
		mov	[edx], eax
		mov	eax, ds:off_A93D84
		mov	[edx+4], eax
		mov	[edx+8], esi
		mov	[edx+0Ch], esi
		mov	dword ptr [edx+18h], 1
		mov	[edx+14h], esi
		mov	[edx+10h], ecx
		mov	[edi], edx

loc_57B07E:				; CODE XREF: SepBuildDefaultCape(x)+50j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_57B083:				; CODE XREF: SepBuildDefaultCape(x)+1Aj
		mov	esi, 0C000009Ah
		jmp	short loc_57B07E
_SepBuildDefaultCape@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAdtDetermineInsertQueue proc	near	; DATA XREF: SepInitializeWorkList()+45o

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005FA10F SIZE 000000A0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		push	ebx
		xor	ebx, ebx
		push	edi
		cmp	_SepCrashOnAuditFail, bl
		jnz	short loc_57B0CD
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+10h]
		cmp	dword ptr [eax+4], 1204h
		jz	short loc_57B0CD
		cmp	_SepAdtDiscardingAudits, bl
		jnz	loc_5FA10F

loc_57B0BC:				; CODE XREF: SepAdtDetermineInsertQueue+7F0FFj
		mov	eax, dword_6D717C
		cmp	eax, _SepAdtMaxListLength
		jnb	loc_5FA199

loc_57B0CD:				; CODE XREF: SepAdtDetermineInsertQueue+15j
					; SepAdtDetermineInsertQueue+24j
		mov	bl, 1

loc_57B0CF:				; CODE XREF: SepAdtDetermineInsertQueue+7F10Aj
					; SepAdtDetermineInsertQueue+7F120j
		pop	edi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
SepAdtDetermineInsertQueue endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepCacheHwIdEqual(x, x)
_KsepCacheHwIdEqual@8 proc near		; DATA XREF: KsepEngineInitialize+46o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		add	eax, 14h
		push	1
		push	eax
		mov	eax, [ebp+arg_0]
		add	eax, 14h
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		neg	eax
		sbb	eax, eax
		inc	eax
		pop	ebp
		retn	8
_KsepCacheHwIdEqual@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspAddPartitionToGlobalList(x)
_PspAddPartitionToGlobalList@4 proc near ; CODE	XREF: KsepCacheDeviceInsertData+118p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, offset _PspActivePartitionListLock
		mov	esi, ecx
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	ecx, off_6B29A4
		mov	bl, al
		mov	eax, offset _PspActivePartitionListHead
		add	esi, 14h
		cmp	[ecx], eax
		jnz	short loc_57B142
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		push	edi
		mov	off_6B29A4, esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_57B142:				; CODE XREF: PspAddPartitionToGlobalList(x)+24j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PspAddPartitionToGlobalList@4 endp


;  S U B	R O U T	I N E 


; __stdcall MmCreatePartition(x, x)
_MmCreatePartition@8 proc near		; CODE XREF: KsepCacheDeviceInsertData+10Bp
					; VfUtilGetAvailableSystemPages(x)+24p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		test	dl, 1
		jz	short loc_57B167
		mov	dword ptr [ebx], offset	_MiSystemPartition
		xor	eax, eax
		mov	dword_6D4EA4, ebx
		jmp	loc_57B263
; 

loc_57B167:				; CODE XREF: MmCreatePartition(x,x)+Aj
		call	_MiSizeMemoryListLocks@0 ; MiSizeMemoryListLocks()
		movzx	ecx, ds:_KeNumberNodes
		mov	edi, eax
		mov	esi, dword_6D06D4
		shl	ecx, 4
		add	ecx, esi
		shl	esi, 4
		imul	ecx, 28h
		add	ecx, 1B47h
		and	ecx, 0FFFFFFF8h
		add	ecx, edi
		add	esi, ecx
		call	_MiGetPartitionLargePageListCount@0 ; MiGetPartitionLargePageListCount()
		imul	ecx, eax, 0Ch
		mov	edx, 6150694Dh
		push	0
		push	40h
		lea	ecx, [ecx+esi]
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_57B1BC
		mov	eax, 0C000009Ah
		jmp	loc_57B263
; 

loc_57B1BC:				; CODE XREF: MmCreatePartition(x,x)+68j
		movzx	eax, ds:_KeNumberNodes
		lea	ecx, [esi+1B40h]
		imul	eax, 280h
		mov	[esi+10h], ecx
		add	ecx, eax
		mov	[esi+540h], ecx
		imul	eax, dword_6D06D4, 14h
		add	ecx, eax
		mov	[esi+544h], ecx
		imul	eax, dword_6D06D4, 14h
		add	eax, 7
		add	ecx, eax
		and	ecx, 0FFFFFFF8h
		mov	[esi+954h], ecx
		mov	eax, dword_6D06D4
		lea	ecx, [ecx+eax*8]
		mov	[esi+958h], ecx
		mov	eax, dword_6D06D4
		mov	[esi+64h], ebx
		lea	eax, [ecx+eax*8]
		mov	ecx, esi
		mov	[esi+0AC0h], eax
		add	eax, edi
		mov	[esi+0B0Ch], eax
		call	_MiAllocatePartitionId@4 ; MiAllocatePartitionId(x)
		movzx	edx, ax
		test	dx, dx
		jnz	short loc_57B243
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C0000017h
		jmp	short loc_57B263
; 

loc_57B243:				; CODE XREF: MmCreatePartition(x,x)+EAj
		mov	ecx, esi
		call	MiInitializePartition
		mov	ecx, esi
		call	_MiInitializeMemoryEvents@4 ; MiInitializeMemoryEvents(x)
		test	eax, eax
		jnz	short loc_57B267

loc_57B255:				; CODE XREF: MmCreatePartition(x,x)+12Aj
					; MmCreatePartition(x,x)+135j ...
		mov	edi, 0C000009Ah

loc_57B25A:				; CODE XREF: MmCreatePartition(x,x)+15Bj
		mov	ecx, esi
		call	_MiDeletePartition@4 ; MiDeletePartition(x)

loc_57B261:				; CODE XREF: MmCreatePartition(x,x)+15Fj
		mov	eax, edi

loc_57B263:				; CODE XREF: MmCreatePartition(x,x)+1Aj
					; MmCreatePartition(x,x)+6Fj ...
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_57B267:				; CODE XREF: MmCreatePartition(x,x)+10Bj
		xor	edx, edx
		mov	ecx, esi
		call	MiCreatePfnBitMaps
		test	eax, eax
		jz	short loc_57B255
		mov	ecx, esi
		call	MiInitializeWorkingSetManagerParameters
		test	eax, eax
		jz	short loc_57B255
		push	7270694Dh
		push	200h
		call	ExAllocateCacheAwareRundownProtection
		mov	[esi+518h], eax
		test	eax, eax
		jz	short loc_57B255
		mov	ecx, esi
		call	_MiInitializePartitionThreads@4	; MiInitializePartitionThreads(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_57B25A
		mov	[ebx], esi
		jmp	short loc_57B261
_MmCreatePartition@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipFirmwareTableHandler proc near	; DATA XREF: WmipRegisterFirmwareProviders()+5Do

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005FA1AF SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ecx, ecx
		push	edi
		test	esi, esi
		jz	loc_5FA1AF
		mov	eax, [esi+4]
		test	eax, eax
		jz	loc_57B352
		cmp	eax, 1
		jnz	loc_5FA1AF
		mov	edi, [esi+8]
		mov	edx, ecx
		push	2
		mov	[esp+14h+var_4], edi
		mov	ebx, ecx
		pop	eax
		mov	edi, ecx

loc_57B2E7:				; CODE XREF: WmipFirmwareTableHandler+D1j
		mov	ecx, [esp+10h+var_4]
		cmp	ds:_WmipFirmwareTableArray[edx*4], ecx
		push	0
		pop	ecx
		jnz	short loc_57B374
		mov	edi, ds:dword_4130E8[edx*4]
		mov	eax, [esi+0Ch]
		mov	[esi+0Ch], edi
		cmp	eax, edi
		jb	short loc_57B34B
		mov	eax, edx

loc_57B30A:				; CODE XREF: WmipFirmwareTableHandler+D7j
		cmp	ebx, 2
		jz	loc_5FA1AF
		mov	eax, ds:_WmipFirmwareTableArray[eax*4]
		push	204h
		push	edi
		push	ecx
		push	eax
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_57B383
		push	edi		; size_t
		lea	eax, [esi+10h]
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	edi
		push	ebx
		call	MmUnmapIoSpace

loc_57B342:				; CODE XREF: WmipFirmwareTableHandler+C8j
		xor	eax, eax

loc_57B344:				; CODE XREF: WmipFirmwareTableHandler+A6j
					; WmipFirmwareTableHandler+DEj	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_57B34B:				; CODE XREF: WmipFirmwareTableHandler+5Cj
					; WmipFirmwareTableHandler+B3j
		mov	eax, 0C0000023h
		jmp	short loc_57B344
; 

loc_57B352:				; CODE XREF: WmipFirmwareTableHandler+1Ej
		mov	eax, [esi+0Ch]
		push	8
		pop	edi
		mov	[esi+0Ch], edi
		cmp	eax, edi
		jb	short loc_57B34B
		mov	edx, offset _WmipFirmwareTableArray

loc_57B364:				; CODE XREF: WmipFirmwareTableHandler+C6j
		mov	eax, [edx]
		add	edx, edi
		mov	[esi+ecx*4+10h], eax
		inc	ecx
		cmp	ecx, 2
		jb	short loc_57B364
		jmp	short loc_57B342
; 

loc_57B374:				; CODE XREF: WmipFirmwareTableHandler+4Bj
		inc	ebx
		add	edx, 2
		cmp	ebx, 2
		jb	loc_57B2E7
		jmp	short loc_57B30A
; 

loc_57B383:				; CODE XREF: WmipFirmwareTableHandler+81j
		mov	eax, 0C0000225h
		jmp	short loc_57B344
WmipFirmwareTableHandler endp

; 
		align 10h
; Exported entry 1671. PoDirectedDripsSetDeviceFlags

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoDirectedDripsSetDeviceFlags(x, x)
		public _PoDirectedDripsSetDeviceFlags@8
_PoDirectedDripsSetDeviceFlags@8 proc near ; CODE XREF:	PopPowerInformationInternal+3DEp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		test	eax, eax
		jz	short loc_57B3C2
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]

loc_57B3A7:				; CODE XREF: PoDirectedDripsSetDeviceFlags(x,x)+34j
		test	eax, eax
		jz	short loc_57B3C6
		mov	edx, [ebp+arg_4]
		test	edx, 0FFFFFFC0h
		jnz	short loc_57B3C6
		or	[eax+1E4h], edx

loc_57B3BC:				; CODE XREF: PoDirectedDripsSetDeviceFlags(x,x)+3Bj
		mov	eax, ecx
		pop	ebp
		retn	8
; 

loc_57B3C2:				; CODE XREF: PoDirectedDripsSetDeviceFlags(x,x)+Cj
		mov	eax, ecx
		jmp	short loc_57B3A7
; 

loc_57B3C6:				; CODE XREF: PoDirectedDripsSetDeviceFlags(x,x)+19j
					; PoDirectedDripsSetDeviceFlags(x,x)+24j
		mov	ecx, 0C000000Dh
		jmp	short loc_57B3BC
_PoDirectedDripsSetDeviceFlags@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopNetEvaluationWorkerCallback proc near ; DATA	XREF: PopNetInitialize+E3o

var_14		= byte ptr -14h
var_13		= byte ptr -13h
var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FA1B9 SIZE 00000062 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_10], 0
		and	[esp+14h+var_C], 0
		push	ebx
		push	esi
		push	edi
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()

loc_57B3EB:				; CODE XREF: PopNetEvaluationWorkerCallback+106j
					; PopNetEvaluationWorkerCallback+7EE48j
		mov	eax, _PopNetStandbyReason
		lea	edx, [esp+20h+var_10]
		mov	esi, _PopNetStandbyState
		lea	ecx, [esp+20h+var_C]
		xor	bl, bl
		mov	[esp+20h+var_4], esi
		xor	bh, bh
		mov	[esp+20h+var_12], bl
		mov	[esp+20h+var_13], bl
		mov	[esp+20h+var_8], eax
		call	PopNetEvaluateStateMask
		mov	edi, [esp+20h+var_C]
		cmp	edi, esi
		jz	short loc_57B43C
		cmp	esi, 2
		jz	loc_5FA1B9
		cmp	edi, 2
		jnz	short loc_57B43C

loc_57B42D:				; CODE XREF: PopNetEvaluationWorkerCallback+7EDF0j
		cmp	_PopNetResiliencyEngaged, 0
		mov	bl, 1
		jnz	loc_5FA1C3

loc_57B43C:				; CODE XREF: PopNetEvaluationWorkerCallback+4Fj
					; PopNetEvaluationWorkerCallback+5Dj ...
		mov	esi, [esp+20h+var_10]
		cmp	esi, [esp+20h+var_8]
		jz	short loc_57B493
		mov	[esp+20h+var_11], 1
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopCsResiliencyStatsLock
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	_PopCsResiliencyStats, 0
		mov	_PopNetStandbyReason, esi
		jnz	loc_5FA1E2

loc_57B470:				; CODE XREF: PopNetEvaluationWorkerCallback+7EE1Bj
					; PopNetEvaluationWorkerCallback+7EE27j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopCsResiliencyStatsLock
		jnz	loc_5FA1FA
		xor	eax, eax
		lock and [ecx],	eax

loc_57B487:				; CODE XREF: PopNetEvaluationWorkerCallback+7EE3Cj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	bh, [esp+20h+var_11]

loc_57B493:				; CODE XREF: PopNetEvaluationWorkerCallback+76j
		cmp	edi, [esp+20h+var_4]
		jz	short loc_57B4A6
		mov	bh, 1
		mov	_PopNetStandbyState, edi
		call	PopNetUpdateCsConsumptionFlags

loc_57B4A6:				; CODE XREF: PopNetEvaluationWorkerCallback+C9j
		test	bl, bl
		jz	short loc_57B4BA
		mov	cl, [esp+20h+var_13]
		call	_PopNetPublishWnfStateUpdate@4 ; PopNetPublishWnfStateUpdate(x)
		cmp	[esp+20h+var_12], 0
		jnz	short loc_57B4F0

loc_57B4BA:				; CODE XREF: PopNetEvaluationWorkerCallback+DAj
					; PopNetEvaluationWorkerCallback+129j
		test	bh, bh
		jz	short loc_57B4D9
		cmp	_PopDiagHandleRegistered, 0
		jz	loc_5FA20F
		mov	edx, esi
		mov	ecx, edi
		call	PopTraceStandbyConnectivityUpdate
		jmp	loc_57B3EB
; 

loc_57B4D9:				; CODE XREF: PopNetEvaluationWorkerCallback+EEj
		xor	eax, eax
		mov	ecx, offset unk_6BFF08
		xchg	eax, [ecx]
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_57B4F0:				; CODE XREF: PopNetEvaluationWorkerCallback+EAj
		xor	cl, cl
		call	_PopNetSetResiliencyPhaseBias@4	; PopNetSetResiliencyPhaseBias(x)
		jmp	short loc_57B4BA
PopNetEvaluationWorkerCallback endp

; 
		align 2

;  S U B	R O U T	I N E 


PopReadUlongPowerKey proc near		; CODE XREF: PopBatteryInitPhaseTwo()+14p
					; PopBatteryInitPhaseTwo()+35p

; FUNCTION CHUNK AT 005FA21B SIZE 00000029 BYTES

		mov	edi, edi
		push	esi
		mov	esi, edx
		mov	edx, ecx
		push	esi		; void *
		push	4		; int
		push	4		; size_t
		mov	ecx, offset ??_C@_1HC@HNNLMFEJ@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@
		call	PopReadRegKeyValue
		mov	ecx, eax
		test	ecx, ecx
		jns	loc_5FA21B
		mov	dword ptr [esi], 1

loc_57B520:				; CODE XREF: PopReadUlongPowerKey+7ED26j
					; PopReadUlongPowerKey+7ED38j ...
		mov	eax, ecx
		pop	esi
		retn	10h
PopReadUlongPowerKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopReadRegKeyValue(size_t,int,void *)
PopReadRegKeyValue proc	near		; CODE XREF: PopReadUlongPowerKey+11p
					; PopDiagTracePerfTrackData+A6525p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005FA244 SIZE 00000086 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebp+var_14]
		push	ecx
		push	eax
		mov	ebx, edx
		mov	[ebp+var_C], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_14]
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_28], esi
		push	eax
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_57B5B5
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		push	esi
		push	2
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		mov	ebx, 0C0000023h
		cmp	edi, ebx
		jz	loc_5FA244

loc_57B5AD:				; CODE XREF: PopReadRegKeyValue+7ED55j
		test	edi, edi
		jns	loc_5FA280

loc_57B5B5:				; CODE XREF: PopReadRegKeyValue+58j
					; PopReadRegKeyValue+7ED38j ...
		cmp	[ebp+var_8], 0
		jz	short loc_57B5C3
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_57B5C3:				; CODE XREF: PopReadRegKeyValue+93j
		test	esi, esi
		jnz	loc_5FA2BA

loc_57B5CB:				; CODE XREF: PopReadRegKeyValue+7ED9Fj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
PopReadRegKeyValue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSetAffinityProcess proc near		; CODE XREF: KiInitializeDynamicProcessorDpc(x,x,x,x)+5Ap
					; PspSetProcessAffinitySafe(x,x,x,x,x)+C4p ...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005FA2CA SIZE 00000077 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		xor	ebx, ebx
		mov	esi, ecx
		mov	[ebp+var_1E], bl
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_24], esi
		stosd
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_1D], bl
		mov	[ebp+var_30], ebx
		stosd
		xor	eax, eax
		inc	eax
		mov	[ebp+var_38], ebx
		mov	word ptr [ebp+var_3C], ax
		mov	word ptr [ebp+var_3C+2], ax
		mov	[ebp+var_34], ebx
		test	dl, 3
		jnz	loc_5FA2CA

loc_57B621:				; CODE XREF: KeSetAffinityProcess+7ECF9j
					; KeSetAffinityProcess+7ED02j
		push	ecx
		lea	eax, [ebp+var_10]
		push	eax
		call	_KeFirstGroupAffinityEx@8 ; KeFirstGroupAffinityEx(x,x)
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		stosd
		stosd
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_48], al
		mov	eax, large fs:20h
		mov	[ebp+var_4C], eax
		lea	eax, [esi+34h]
		push	eax
		mov	[ebp+var_44], eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	ecx, esi
		cmp	[ebp+var_1D], bl
		jnz	loc_5FA2DB
		mov	esi, [ebp+var_2C]
		lea	edi, [ecx+40h]
		xor	eax, eax
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_2C]
		mov	esi, ebx
		cmp	ax, [edi]
		jnb	short loc_57B6A3

loc_57B671:				; CODE XREF: KeSetAffinityProcess+CDj
		movzx	eax, si
		mov	[ebp+var_28], eax
		cmp	[edi+eax*4+8], ebx
		jz	short loc_57B69D
		push	esi
		xor	edx, edx
		call	_KiSetIdealNodeProcessByGroup@12 ; KiSetIdealNodeProcessByGroup(x,x,x)
		mov	ecx, [ebp+var_24]
		cmp	[ebp+var_1E], bl
		jnz	short loc_57B69D
		mov	eax, [ebp+var_28]
		mov	[ebp+var_1E], 1
		mov	ax, [ecx+eax*2+70h]
		mov	[ecx+72h], ax

loc_57B69D:				; CODE XREF: KeSetAffinityProcess+A7j
					; KeSetAffinityProcess+B7j
		inc	esi
		cmp	si, [edi]
		jb	short loc_57B671

loc_57B6A3:				; CODE XREF: KeSetAffinityProcess+9Bj
					; KeSetAffinityProcess+7ED68j
		lea	edi, [ecx+2Ch]
		mov	esi, [edi]

loc_57B6A8:				; CODE XREF: KeSetAffinityProcess+107j
		cmp	esi, edi
		jz	short loc_57B6DD
		lea	ebx, [esi-1D4h]
		movzx	eax, word ptr [ebx+158h]
		lea	edx, [ebp+var_30]
		mov	[ebp+var_18], ax
		mov	eax, [ecx+eax*4+48h]
		test	eax, eax
		mov	[ebp+var_1C], eax
		mov	ecx, ebx
		lea	eax, [ebp+var_1C]
		jz	short loc_57B706

loc_57B6D0:				; CODE XREF: KeSetAffinityProcess+135j
		push	eax
		call	KiSetAffinityThread
		mov	esi, [esi]
		mov	ecx, [ebp+var_24]
		jmp	short loc_57B6A8
; 

loc_57B6DD:				; CODE XREF: KeSetAffinityProcess+D6j
					; KeSetAffinityProcess+7ED15j ...
		push	[ebp+var_44]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		push	[ebp+var_48]
		mov	ecx, [ebp+var_4C]
		lea	edx, [ebp+var_30]
		call	@KiProcessDeferredReadyList@12 ; KiProcessDeferredReadyList(x,x,x)
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_57B706:				; CODE XREF: KeSetAffinityProcess+FAj
		lea	eax, [ebp+var_10]
		jmp	short loc_57B6D0
KeSetAffinityProcess endp

; 
		align 10h
; Exported entry 640. FsRtlRegisterFileSystemFilterCallbacks

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlRegisterFileSystemFilterCallbacks(x, x)
		public _FsRtlRegisterFileSystemFilterCallbacks@8
_FsRtlRegisterFileSystemFilterCallbacks@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		test	eax, eax
		jz	short loc_57B75F
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_57B75F
		mov	ebx, [eax+18h]
		push	676D5346h
		push	dword ptr [esi]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_57B758
		push	dword ptr [esi]	; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebx+18h], edi
		xor	eax, eax

loc_57B751:				; CODE XREF: FsRtlRegisterFileSystemFilterCallbacks(x,x)+4Dj
					; FsRtlRegisterFileSystemFilterCallbacks(x,x)+54j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_57B758:				; CODE XREF: FsRtlRegisterFileSystemFilterCallbacks(x,x)+2Ej
		mov	eax, 0C000009Ah
		jmp	short loc_57B751
; 

loc_57B75F:				; CODE XREF: FsRtlRegisterFileSystemFilterCallbacks(x,x)+Dj
					; FsRtlRegisterFileSystemFilterCallbacks(x,x)+14j
		mov	eax, 0C000000Dh
		jmp	short loc_57B751
_FsRtlRegisterFileSystemFilterCallbacks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	LdrpVerifyAlternateResourceModuleEx(int,wchar_t	*,int,int)
LdrpVerifyAlternateResourceModuleEx proc near
					; CODE XREF: LdrLoadAlternateResourceModuleEx+1D4p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005FA341 SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		xor	ebx, ebx
		mov	eax, 1000h
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		push	1
		test	[ebp+arg_8], eax
		jnz	loc_5FA341
		push	ebx
		call	LdrpGetRcConfig
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5FA35C
		push	0
		push	0
		mov	ecx, esi
		call	LdrpGetRcConfig
		mov	esi, eax
		test	esi, esi
		jz	short loc_57B7EA

loc_57B7AA:				; CODE XREF: LdrpVerifyAlternateResourceModuleEx+7EC29j
		push	10h		; size_t
		lea	eax, [esi+2Ch]
		push	eax		; void *
		lea	eax, [ebx+2Ch]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_57B7EA
		test	[ebp+arg_8], 1000000h
		jnz	short loc_57B7E2
		mov	ecx, [esi+74h]
		add	ecx, esi
		cmp	[ebp+arg_4], eax
		jz	short loc_57B7EA
		push	ecx		; wchar_t *
		push	[ebp+arg_4]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_57B7EA

loc_57B7E2:				; CODE XREF: LdrpVerifyAlternateResourceModuleEx+61j
					; LdrpVerifyAlternateResourceModuleEx+7EC03j
		mov	al, 1

loc_57B7E4:				; CODE XREF: LdrpVerifyAlternateResourceModuleEx+86j
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_57B7EA:				; CODE XREF: LdrpVerifyAlternateResourceModuleEx+42j
					; LdrpVerifyAlternateResourceModuleEx+58j ...
		xor	al, al
		jmp	short loc_57B7E4
LdrpVerifyAlternateResourceModuleEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspInsertExpansionEntry(x, x)
_PspInsertExpansionEntry@8 proc	near	; CODE XREF: PspInitializeQuotaBlock+5Bp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_1], 0
		push	edi
		lea	edx, [ebp-1]
		mov	edi, ecx
		call	@PspLockQuotaExpansion@8 ; PspLockQuotaExpansion(x,x)
		lea	eax, [edi+14h]
		add	esi, 48h
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_57B82C
		mov	dl, [ebp+var_1]
		mov	[esi+4], ecx
		mov	[esi], eax
		mov	[ecx], esi
		mov	ecx, edi
		mov	[eax+4], esi
		call	PspUnlockQuotaExpansion
		pop	edi
		pop	esi
		leave
		retn
; 

loc_57B82C:				; CODE XREF: PspInsertExpansionEntry(x,x)+24j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PspInsertExpansionEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHpMetadataCommit proc near		; CODE XREF: RtlpHpHeapExtendContext+256p
					; RtlpHpHeapAllocate+18Fp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005FA394 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_C]
		mov	edi, edx
		mov	ebx, ecx
		push	[ebp+arg_8]
		call	_RtlpHpMetadataHeapCtxGet@8 ; RtlpHpMetadataHeapCtxGet(x,x)
		mov	[ebp+var_4], eax
		test	bx, bx
		jz	loc_5FA394
		xor	eax, eax

loc_57B858:				; CODE XREF: RtlpHpMetadataCommit+7EB87j
					; RtlpHpMetadataCommit+7EB8Dj
		lea	esi, [eax+2]
		mov	edx, ebx
		mov	eax, [ebp+var_4]
		shl	esi, 7
		add	esi, [eax]
		mov	ecx, esi
		call	_RtlpHpSegDescriptorValidate@8 ; RtlpHpSegDescriptorValidate(x,x)
		mov	edx, [ebp+arg_0]
		sub	edi, ebx
		shr	edi, 0Ch
		shr	edx, 0Ch
		cmp	[ebp+arg_4], 0
		jnz	short loc_57B87F
		neg	edx

loc_57B87F:				; CODE XREF: RtlpHpMetadataCommit+49j
		push	0
		push	0
		push	edx
		push	edi
		mov	edx, eax
		mov	ecx, esi
		call	RtlpHpSegPageRangeCommit
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
RtlpHpMetadataCommit endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeWorkingSetManagerParameters	proc near ; CODE XREF: MmCreatePartition(x,x)+12Ep
					; .text:loc_5E8FFEp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FA3C4 SIZE 00000084 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_8], edi
		mov	esi, [edi+0F00h]
		mov	[ebp+var_C], esi
		test	esi, esi
		jnz	loc_5FA3C4
		push	esi
		push	40h
		mov	edx, 64576D4Dh
		mov	ecx, 584h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], esi
		test	esi, esi
		jz	loc_57BA77
		push	ebx
		push	0
		push	esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, 100h
		mov	[ebp+var_4], ebx
		mov	[esi+1Ch], eax
		mov	[esi+68h], eax
		mov	al, [edi+10A0h]
		and	al, 0FAh
		or	al, 2
		mov	[edi+10A0h], al

loc_57B900:				; CODE XREF: MiInitializeWorkingSetManagerParameters+7EB32j
		lea	esi, [edi+70h]
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	edi, [edi+0F48h]
		mov	bl, al
		mov	eax, [ebp+var_8]
		push	esi
		mov	byte ptr [eax+0Ch], 0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_8]
		cmp	esi, offset _MiSystemPartition
		jnz	short loc_57B93E
		mov	eax, 21000h
		cmp	edi, eax
		jb	loc_5FA3CD

loc_57B93E:				; CODE XREF: MiInitializeWorkingSetManagerParameters+99j
					; MiInitializeWorkingSetManagerParameters+7EB39j
		cmp	edi, 200000h
		ja	loc_5FA3D4
		mov	eax, edi
		shr	eax, 5

loc_57B94F:				; CODE XREF: MiInitializeWorkingSetManagerParameters+7EB4Cj
		mov	ecx, 480h
		cmp	eax, ecx
		jb	loc_5FA3E7

loc_57B95C:				; CODE XREF: MiInitializeWorkingSetManagerParameters+7EB53j
		mov	ebx, [ebp+var_C]
		mov	[ebx+4D4h], eax
		cmp	edi, 80000h
		jbe	loc_5FA3EE
		lea	ecx, [edi-80000h]
		shr	ecx, 8
		add	ecx, 4000h

loc_57B980:				; CODE XREF: MiInitializeWorkingSetManagerParameters+7EB5Dj
		mov	edx, 121h
		cmp	ecx, edx
		jb	loc_5FA3F8

loc_57B98D:				; CODE XREF: MiInitializeWorkingSetManagerParameters+7EB64j
		shr	eax, 2
		mov	[ebx+4D8h], ecx
		mov	[ebx+4DCh], ecx
		cmp	eax, edx
		jb	loc_5FA3FF

loc_57B9A4:				; CODE XREF: MiInitializeWorkingSetManagerParameters+7EB6Bj
		and	[ebp+var_C], 0
		cmp	[ebp+var_4], 1
		mov	[ebx+4D0h], eax
		mov	byte ptr [ebp+var_C], 3
		jnz	short loc_57B9BE
		mov	[esi+0F00h], ebx

loc_57B9BE:				; CODE XREF: MiInitializeWorkingSetManagerParameters+120j
		push	[ebp+var_C]
		mov	ecx, esi
		call	MiSetTrimWhileAgingState
		cmp	edi, 18A88h
		jb	loc_5FA406
		mov	eax, edi
		xor	edx, edx
		mov	ecx, 3E8h
		div	ecx

loc_57B9DF:				; CODE XREF: MiInitializeWorkingSetManagerParameters+7EB73j
		cmp	eax, edi
		ja	loc_5FA40E

loc_57B9E7:				; CODE XREF: MiInitializeWorkingSetManagerParameters+7EB7Cj
					; MiInitializeWorkingSetManagerParameters+7EB85j
		cmp	[ebp+var_4], 1
		mov	[ebx+30h], eax
		jnz	short loc_57BA14
		push	0
		push	1
		lea	eax, [ebx+48h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edx, offset _MiSystemPartition
		cmp	esi, edx
		jnz	short loc_57BA26
		push	0
		push	0
		push	offset unk_6D3548
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_57BA14:				; CODE XREF: MiInitializeWorkingSetManagerParameters+158j
		mov	edx, offset _MiSystemPartition
		cmp	esi, edx
		jnz	short loc_57BA26
		mov	eax, ds:dword_7051E8
		test	eax, eax
		jnz	short loc_57BA7B

loc_57BA26:				; CODE XREF: MiInitializeWorkingSetManagerParameters+16Ej
					; MiInitializeWorkingSetManagerParameters+185j	...
		mov	eax, [ebx+4D4h]
		lea	ecx, [eax+eax]
		cmp	ecx, edi
		ja	loc_5FA420
		mov	eax, ecx

loc_57BA39:				; CODE XREF: MiInitializeWorkingSetManagerParameters+1EAj
					; MiInitializeWorkingSetManagerParameters+7EB98j ...
		mov	[ebp+var_18], eax
		cmp	esi, edx
		jnz	short loc_57BA4A
		mov	ecx, ds:dword_7051EC
		test	ecx, ecx
		jnz	short loc_57BA84

loc_57BA4A:				; CODE XREF: MiInitializeWorkingSetManagerParameters+1A8j
					; MiInitializeWorkingSetManagerParameters+1F5j
		mov	ecx, eax
		cmp	eax, edi
		ja	short loc_57BA5B
		lea	ecx, [eax+eax]
		cmp	ecx, edi
		ja	loc_5FA43B

loc_57BA5B:				; CODE XREF: MiInitializeWorkingSetManagerParameters+1B8j
					; MiInitializeWorkingSetManagerParameters+1F3j	...
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_18]
		push	ecx
		push	offset MiUpdatePageThresholdsDpc
		mov	[ebp+var_10], esi
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		xor	eax, eax
		inc	eax

loc_57BA72:				; CODE XREF: MiInitializeWorkingSetManagerParameters+1E3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_57BA77:				; CODE XREF: MiInitializeWorkingSetManagerParameters+3Dj
		xor	eax, eax
		jmp	short loc_57BA72
; 

loc_57BA7B:				; CODE XREF: MiInitializeWorkingSetManagerParameters+18Ej
		shl	eax, 8
		test	eax, eax
		jnz	short loc_57BA39
		jmp	short loc_57BA26
; 

loc_57BA84:				; CODE XREF: MiInitializeWorkingSetManagerParameters+1B2j
		shl	ecx, 8
		test	ecx, ecx
		jnz	short loc_57BA5B
		jmp	short loc_57BA4A
MiInitializeWorkingSetManagerParameters	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1693. PoFxRegisterDripsWatchdogCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxRegisterDripsWatchdogCallback
PoFxRegisterDripsWatchdogCallback proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005FA448 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [esi+1Ch]
		add	edi, 2Ch
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		xor	eax, eax
		cmp	[esi+58h], eax
		jnz	loc_5FA448
		cmp	[ebp+arg_8], al
		jnz	short loc_57BADF

loc_57BABB:				; CODE XREF: PoFxRegisterDripsWatchdogCallback+59j
		mov	eax, [ebp+arg_C]
		mov	[esi+250h], eax
		mov	eax, [ebp+arg_4]
		push	edi
		mov	[esi+58h], eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_57BADF:				; CODE XREF: PoFxRegisterDripsWatchdogCallback+27j
		push	8
		pop	ecx
		lea	eax, [esi+238h]
		lock or	[eax], ecx
		jmp	short loc_57BABB
PoFxRegisterDripsWatchdogCallback endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateMappedWriterMdls proc	near	; CODE XREF: MiEnablePartitionMappedWrites+81p

var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005FA46A SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	eax, [ebx+0F48h]
		shr	eax, 0Fh
		cmp	eax, 14h
		jb	short loc_57BB71
		mov	ecx, 80h
		cmp	eax, ecx
		ja	short loc_57BB76

loc_57BB10:				; CODE XREF: MiAllocateMappedWriterMdls+86j
					; MiAllocateMappedWriterMdls+8Aj
		xor	edi, edi
		mov	[ebx+150h], eax
		mov	[ebp+var_4], edi

loc_57BB1B:				; CODE XREF: MiAllocateMappedWriterMdls+7Aj
		push	1
		push	10h
		pop	edx
		mov	ecx, ebx
		call	_MiAllocateModWriterEntry@12 ; MiAllocateModWriterEntry(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5FA457
		push	0A0h		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		or	dword ptr [esi+14h], 1
		lea	eax, [ebx+15Ch]
		mov	[esi+78h], ebx
		add	esp, 0Ch
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_57BB7A
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, 4
		jb	short loc_57BB1B

loc_57BB6A:				; CODE XREF: PoFxRegisterDripsWatchdogCallback+7E9C8j
					; PoFxRegisterDripsWatchdogCallback+7E9D3j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_57BB71:				; CODE XREF: MiAllocateMappedWriterMdls+17j
		push	14h
		pop	eax
		jmp	short loc_57BB10
; 

loc_57BB76:				; CODE XREF: MiAllocateMappedWriterMdls+20j
		mov	eax, ecx
		jmp	short loc_57BB10
; 

loc_57BB7A:				; CODE XREF: MiAllocateMappedWriterMdls+64j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

KiSetPriorityBoost:			; CODE XREF: KiPrepareReadyThreadForRescheduling(x,x,x)+52p
					; KiQuantumEnd+169BC3p	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bh, [ebp+arg_0]
		push	esi
		mov	esi, edx
		mov	bl, bh
		sub	bl, [esi+87h]
		shl	bl, 4
		add	bl, [esi+15Ch]
		mov	[esi+15Ch], bl
		test	ecx, ecx
		jnz	loc_5FA46A
		push	1
		mov	dl, bh
		mov	ecx, esi
		call	KiAbProcessThreadPriorityModification
		mov	[esi+87h], bh

loc_57BBBC:				; CODE XREF: MiAllocateMappedWriterMdls+7E989j
		push	[ebp+arg_8]
		mov	ecx, esi
		push	[ebp+arg_4]
		call	_KiSetLockOwnershipQuantum@12 ;	KiSetLockOwnershipQuantum(x,x,x)
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
MiAllocateMappedWriterMdls endp	; sp = -14h

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2279. RtlPcToFileName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlPcToFileName
RtlPcToFileName	proc near		; CODE XREF: KitLogFeatureUsage(x,x,x):loc_68CCE2p
					; PoRegisterPowerSettingCallback+1FEp

var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005FA47C SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		lea	ecx, [ebp-1]
		mov	[ebp+var_1], 0
		call	_MmLockLoadedModuleListShared@4	; MmLockLoadedModuleListShared(x)
		mov	ecx, _PsLoadedModuleList
		test	ecx, ecx
		jz	loc_5FA47C
		mov	edi, offset _PsLoadedModuleList

loc_57BBFC:				; CODE XREF: RtlPcToFileName+3Aj
					; RtlPcToFileName+44j
		cmp	ecx, edi
		jz	loc_5FA47C
		lea	edx, [ecx]
		mov	ecx, [ecx]
		mov	esi, [edx+18h]
		cmp	[ebp+arg_0], esi
		jb	short loc_57BBFC
		mov	eax, [edx+20h]
		add	eax, esi
		cmp	[ebp+arg_0], eax
		jnb	short loc_57BBFC
		lea	eax, [edx+2Ch]
		push	eax
		push	[ebp+arg_4]
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		push	offset _PsLoadedModuleSpinLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		cmp	cl, 1Bh
		jnb	short loc_57BC3E
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_57BC3E:				; CODE XREF: RtlPcToFileName+62j
		xor	eax, eax

loc_57BC40:				; CODE XREF: RtlPcToFileName+7E8C5j
		pop	edi
		pop	esi
		leave
		retn	8
RtlPcToFileName	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmHeteroHgsBackupInit proc near	; CODE XREF: NtPowerInformation+1402p

; FUNCTION CHUNK AT 005FA49E SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	ds:_PpmHeteroHgsEnabled, 0
		push	esi
		jnz	short loc_57BC79
		mov	esi, offset _PpmPerfPolicyLock
		mov	ecx, esi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		call	PpmHeteroInitializeHgsSupport
		test	eax, eax
		jns	loc_5FA49E
		mov	ecx, esi
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)

loc_57BC79:				; CODE XREF: PpmHeteroHgsBackupInit+11j
					; PpmHeteroHgsBackupInit+7E872j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
PpmHeteroHgsBackupInit endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmHeteroInitializeHgsSupport proc near	; CODE XREF: PpmHeteroHgsBackupInit+1Fp
					; PoInitSystem+1D4p

var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FA4BD SIZE 000000F5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_1C], 0
		cmp	ds:_PpmHeteroHgsDisabled, 0
		push	ebx
		push	esi
		push	edi
		jnz	short loc_57BCF8
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		cpuid
		mov	esi, ebx
		lea	edi, [ebp+var_14]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		cmp	[ebp+var_14], 6
		jb	short loc_57BCF8
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		xor	ecx, ecx
		push	6
		stosd
		stosd
		stosd
		pop	eax
		push	ebx
		cpuid
		mov	esi, ebx
		lea	edi, [ebp+var_14]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	[ebp+var_14], 80000h
		jnz	loc_5FA4BD

loc_57BCF8:				; CODE XREF: PpmHeteroInitializeHgsSupport+20j
					; PpmHeteroInitializeHgsSupport+48j
		mov	esi, 0C00000BBh

loc_57BCFD:				; CODE XREF: PpmHeteroInitializeHgsSupport+7E87Bj
					; PpmHeteroInitializeHgsSupport+7E908j	...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PpmHeteroInitializeHgsSupport endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopOpenThermalLoggingKey proc near	; CODE XREF: PopThermalWriteShutdownToRegistry(x,x)+2Bp
					; PopThermalHandlePreviousShutdown+43p	...

var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FA5B2 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 23Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_21C], ebx
		mov	[ebp+var_218], ebx
		mov	[ebp+var_214], ebx
		push	esi
		push	edi
		mov	edi, edx
		test	cl, cl
		jnz	loc_5FA5B2
		lea	eax, [ebp+var_238]
		push	eax		; int
		push	208h		; int
		lea	eax, [ebp+var_210]
		push	eax		; void *
		push	ebx		; int
		push	offset _PopThermalLoggingDefaultRegKey ; void *
		push	ebx		; int
		push	offset ??_C@_1BO@KOODFPKJ@?$AAT?$AAh?$AAe?$AAr?$AAm?$AAa?$AAl?$AAL?$AAo?$AAg?$AAg?$AAi?$AAn?$AAg@FNODOBFM@ ; int
		call	RtlGetPersistedStateLocation
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_57BDDF
		mov	esi, ebx
		lea	eax, [ebp+var_210]

loc_57BD76:				; CODE XREF: PopOpenThermalLoggingKey+7E8ACj
		push	eax
		lea	eax, [ebp+var_21C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		push	esi
		push	ebx
		lea	eax, [ebp+var_21C]
		mov	[ebp+var_234], 18h
		mov	[ebp+var_22C], eax
		lea	eax, [ebp+var_234]
		push	ebx
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_214]
		mov	[ebp+var_230], ebx
		push	eax
		mov	[ebp+var_228], 240h
		mov	[ebp+var_224], ebx
		mov	[ebp+var_220], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_57BDDF
		mov	eax, [ebp+var_214]
		mov	[edi], eax

loc_57BDDF:				; CODE XREF: PopOpenThermalLoggingKey+5Ej
					; PopOpenThermalLoggingKey+C7j
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopOpenThermalLoggingKey endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1914. PsSetThreadHardErrorsAreDisabled

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetThreadHardErrorsAreDisabled(x,	x)
		public _PsSetThreadHardErrorsAreDisabled@8
_PsSetThreadHardErrorsAreDisabled@8 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		add	eax, 2FCh
		cmp	[ebp+arg_4], 0
		jz	short loc_57BE13
		push	10h
		pop	ecx
		lock or	[eax], ecx

loc_57BE0F:				; CODE XREF: PsSetThreadHardErrorsAreDisabled(x,x)+23j
		pop	ebp
		retn	8
; 

loc_57BE13:				; CODE XREF: PsSetThreadHardErrorsAreDisabled(x,x)+11j
		push	0FFFFFFEFh
		pop	ecx
		lock and [eax],	ecx
		jmp	short loc_57BE0F
_PsSetThreadHardErrorsAreDisabled@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SecureDump_PrepareForInit proc near	; CODE XREF: INIT:00AC2E61p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FA5BF SIZE 000000CA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	7Eh
		pop	eax
		mov	ebx, edx
		mov	word ptr [ebp+var_20], ax
		add	eax, 2
		mov	[ebp+var_10], 0CA00C8h
		mov	[ebp+var_C], (offset off_5A4728+2)
		mov	word ptr [ebp+var_20+2], ax
		mov	[ebp+var_1C], (offset off_5A440A+2)
		mov	[ebp+var_18], (offset loc_A600A2+2)
		mov	[ebp+var_14], offset ??_C@_1KG@LIIDIKFP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@
		mov	_ForceDumpDisabled, 1
		push	2
		pop	esi
		test	ebx, ebx
		jz	short loc_57BEE6
		push	6
		pop	ecx
		xor	eax, eax
		mov	byte ptr [ebx],	0
		mov	edi, offset dword_6CF2C8
		mov	edx, offset ??_C@_1BI@EOJNAKNM@?$AAG?$AAu?$AAa?$AAr?$AAd?$AAe?$AAd?$AAH?$AAo?$AAs?$AAt@FNODOBFM@ ; "GuardedHost"
		rep stosd
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		lea	ecx, [ebp+var_18]
		call	SecureDump_ReadRegistry
		mov	edi, 0C0000034h
		test	eax, eax
		jns	loc_5FA5BF
		cmp	eax, edi
		jnz	short loc_57BECF

loc_57BEA3:				; CODE XREF: SecureDump_PrepareForInit+7E7C0j
		lea	eax, [ebp+var_8]
		mov	edx, offset ??_C@_1CM@KPLJMDLH@?$AAD?$AAu?$AAm?$AAp?$AAE?$AAn?$AAc?$AAr?$AAy?$AAp?$AAt?$AAi?$AAo?$AAn?$AAE@FNODOBFM@ ; "DumpEncryptionEnabled"
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		lea	ecx, [ebp+var_20]
		call	SecureDump_ReadRegistry
		test	eax, eax
		jns	loc_5FA5E7
		cmp	eax, edi
		jnz	short loc_57BECF
		mov	_ForceDumpDisabled, 0

loc_57BECD:				; CODE XREF: SecureDump_PrepareForInit+7E7C6j
		xor	esi, esi

loc_57BECF:				; CODE XREF: SecureDump_PrepareForInit+85j
					; SecureDump_PrepareForInit+A8j ...
		cmp	_ForceDumpDisabled, 1
		jz	loc_5FA653

loc_57BEDC:				; CODE XREF: SecureDump_PrepareForInit+7E832j
		mov	_SecureDmpEncryptionContext, 1

loc_57BEE6:				; CODE XREF: SecureDump_PrepareForInit+4Ej
					; SecureDump_PrepareForInit+7E851j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
SecureDump_PrepareForInit endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SecureDump_ReadRegistry	proc near	; CODE XREF: SecureDump_PrepareForInit+71p
					; SecureDump_PrepareForInit+99p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005FA689 SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edx
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edi
		test	ebx, ebx
		jz	short loc_57BF4D
		cmp	[ebp+arg_8], edi
		jz	short loc_57BF4D
		push	edi
		push	20019h
		push	ecx
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		call	IopOpenRegistryKey
		test	eax, eax
		js	short loc_57BF46
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		mov	edx, esi
		call	IopGetRegistryValue
		mov	edi, eax
		test	edi, edi
		jns	loc_5FA689

loc_57BF3A:				; CODE XREF: SecureDump_ReadRegistry+7E7FDj
		push	0
		push	[ebp+var_4]
		call	ObCloseHandle
		mov	eax, edi

loc_57BF46:				; CODE XREF: SecureDump_ReadRegistry+33j
					; SecureDump_ReadRegistry+66j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_57BF4D:				; CODE XREF: SecureDump_ReadRegistry+19j
					; SecureDump_ReadRegistry+1Ej
		mov	eax, 0C000000Dh
		jmp	short loc_57BF46
SecureDump_ReadRegistry	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 729. InbvSetVirtualFrameBuffer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InbvSetVirtualFrameBuffer(x, x)
		public _InbvSetVirtualFrameBuffer@8
_InbvSetVirtualFrameBuffer@8 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6D4D4C
		test	eax, eax
		jz	short loc_57BF72
		mov	eax, [eax+58h]
		test	eax, eax
		jz	short loc_57BF72
		pop	ebp
		jmp	eax
; 

loc_57BF72:				; CODE XREF: InbvSetVirtualFrameBuffer(x,x)+Cj
					; InbvSetVirtualFrameBuffer(x,x)+13j
		mov	eax, 0C0000002h
		pop	ebp
		retn	8
_InbvSetVirtualFrameBuffer@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgkSetVirtualFrameBuffer proc near	; DATA XREF: .data:006B2C78o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005FA6EE SIZE 0000008A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_1], 0
		test	eax, eax
		jz	loc_5FA6EE
		mov	dword_6D4D54, eax

loc_57BF9C:				; CODE XREF: BgkSetVirtualFrameBuffer+7E779j
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		test	ebx, ebx
		jz	loc_57C0A8
		call	_BgGetDisplayContext@0 ; BgGetDisplayContext()
		lea	ecx, [ebp+var_8]
		mov	edi, eax
		call	BgGetIsColorOverridden
		cmp	byte ptr [edi],	0
		mov	byte ptr [ebp+arg_4+3],	al
		jz	loc_5FA76E
		cmp	byte ptr [edi+1], 0
		jz	loc_5FA76E
		mov	edx, [edi+10h]
		push	18h
		pop	eax
		mov	[ebp+arg_0], eax
		cmp	edx, 4
		jz	loc_5FA705
		xor	ecx, ecx
		cmp	edx, 5
		setnz	cl
		dec	ecx
		and	ecx, 1Fh
		inc	ecx

loc_57BFEE:				; CODE XREF: BgkSetVirtualFrameBuffer+7E78Bj
		mov	edx, [ebx+18h]
		mov	[ebp+var_C], ecx
		cmp	edx, 4
		jz	loc_5FA70C
		xor	eax, eax
		cmp	edx, 5
		mov	dl, byte ptr [ebp+arg_4+3]
		setnz	al
		dec	eax
		and	eax, 1Fh
		inc	eax
		mov	[ebp+arg_0], eax

loc_57C010:				; CODE XREF: BgkSetVirtualFrameBuffer+7E792j
		mov	esi, ecx
		shr	esi, 3
		imul	esi, [edi+0Ch]
		imul	esi, [edi+4]
		cmp	esi, [ebx+4]
		jnz	loc_5FA713
		cmp	byte ptr [ebx+1Ch], 0
		jz	loc_5FA730
		mov	eax, [ebx]
		test	dl, dl
		jnz	loc_5FA71D
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_57C046:				; CODE XREF: BgkSetVirtualFrameBuffer+7E7AFj
		call	_BgAcquireSpinLock@0 ; BgAcquireSpinLock()

loc_57C04B:				; CODE XREF: BgkSetVirtualFrameBuffer+7E7CBj
		cmp	[ebp+var_1], 0
		mov	eax, [ebx+8]
		jnz	loc_5FA74C
		or	dword ptr [eax+4], 0FFFFFFFFh
		mov	eax, [ebx+8]
		or	dword ptr [eax+0Ch], 0FFFFFFFFh
		xor	edx, edx
		mov	eax, [ebx+8]
		mov	[eax+8], edx
		mov	eax, [ebx+8]
		mov	[eax+10h], edx

loc_57C071:				; CODE XREF: BgkSetVirtualFrameBuffer+7E7EDj
		mov	eax, [ebx+8]
		mov	ecx, [ebp+arg_0]
		mov	[eax], edx
		cmp	[ebp+var_C], ecx
		jnz	short loc_57C0B1

loc_57C07E:				; CODE XREF: BgkSetVirtualFrameBuffer+13Aj
		mov	eax, [ebx]
		lea	edi, [edi+4]
		mov	[edi+14h], eax
		lea	esi, [ebx+0Ch]
		movsd
		movsd
		movsd
		movsd
		mov	ecx, [ebx+8]
		lea	eax, [ecx+14h]
		push	eax
		lea	edx, [ecx+4]
		call	_BgSetFrameBufferAccess@12 ; BgSetFrameBufferAccess(x,x,x)
		mov	byte_6D4C78, 1
		call	_BgReleaseSpinLock@0 ; BgReleaseSpinLock()

loc_57C0A8:				; CODE XREF: BgkSetVirtualFrameBuffer+28j
		xor	eax, eax

loc_57C0AA:				; CODE XREF: BgkSetVirtualFrameBuffer+7E79Cj
					; BgkSetVirtualFrameBuffer+7E7F7j
		pop	edi
		pop	esi
		pop	ebx

locret_57C0AD:				; CODE XREF: BgkSetVirtualFrameBuffer+7E784j
		leave
		retn	8
; 

loc_57C0B1:				; CODE XREF: BgkSetVirtualFrameBuffer+100j
		call	_BgConvertResources@4 ;	BgConvertResources(x)
		jmp	short loc_57C07E
BgkSetVirtualFrameBuffer endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1376. MmAllocateNodePagesForMdlEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAllocateNodePagesForMdlEx(x, x, x, x, x, x, x, x,	x, x)
		public _MmAllocateNodePagesForMdlEx@40
_MmAllocateNodePagesForMdlEx@40	proc near
					; CODE XREF: MmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)+41p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	0
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	MmAllocatePartitionNodePagesForMdlEx
		mov	esp, ebp
		pop	ebp
		retn	28h
_MmAllocateNodePagesForMdlEx@40	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 639. FsRtlQueryMaximumVirtualDiskNestingLevel

;  S U B	R O U T	I N E 


; __stdcall FsRtlQueryMaximumVirtualDiskNestingLevel()
		public _FsRtlQueryMaximumVirtualDiskNestingLevel@0
_FsRtlQueryMaximumVirtualDiskNestingLevel@0 proc near
		mov	eax, _FsRtlVirtualDiskMaxTreeDepth
		cmp	eax, 0FFFFFFFFh
		jnz	short locret_57C10A
		call	_FsRtlpGetMaxVirtualDiskNestingLevel@0 ; FsRtlpGetMaxVirtualDiskNestingLevel()
		mov	_FsRtlVirtualDiskMaxTreeDepth, eax

locret_57C10A:				; CODE XREF: FsRtlQueryMaximumVirtualDiskNestingLevel()+8j
		retn
_FsRtlQueryMaximumVirtualDiskNestingLevel@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpGetMaxVirtualDiskNestingLevel()
_FsRtlpGetMaxVirtualDiskNestingLevel@0 proc near
					; CODE XREF: FsRtlQueryMaximumVirtualDiskNestingLevel()+Ap
					; FsRtlGetVirtualDiskNestingLevel+8107Ep ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2
		xor	ebx, ebx
		lea	eax, [esp+64h+var_40]
		pop	edi
		push	(offset	off_5A41EC+2)
		push	eax
		mov	[esp+68h+var_50], ebx
		mov	[esp+68h+var_4C], ebx
		mov	[esp+68h+var_38], ebx
		mov	[esp+68h+var_34], ebx
		mov	[esp+68h+var_40], ebx
		mov	[esp+68h+var_3C], ebx
		mov	[esp+68h+var_48], ebx
		mov	[esp+68h+var_44], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	(offset	off_5A4288+2)
		lea	eax, [esp+64h+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, ebx

loc_57C16A:				; CODE XREF: FsRtlpGetMaxVirtualDiskNestingLevel()+EAj
		inc	esi
		mov	[esp+60h+var_30], 18h
		mov	[esp+60h+var_2C], ebx
		lea	eax, [esp+60h+var_48]
		mov	[esp+60h+var_24], 240h
		cmp	esi, 1
		jz	short loc_57C18C
		lea	eax, [esp+60h+var_40]

loc_57C18C:				; CODE XREF: FsRtlpGetMaxVirtualDiskNestingLevel()+7Aj
		mov	[esp+60h+var_28], eax
		lea	eax, [esp+60h+var_30]
		push	eax
		push	20019h
		lea	eax, [esp+68h+var_50]
		mov	[esp+68h+var_20], ebx
		push	eax
		mov	[esp+6Ch+var_1C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_57C1F3
		push	offset ??_C@_1DA@NGKONPGD@?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAD?$AAi?$AAs?$AAk?$AAM?$AAa?$AAx?$AAT@FNODOBFM@
		lea	eax, [esp+64h+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+60h+var_4C]
		push	eax
		push	14h
		lea	eax, [esp+68h+var_18]
		push	eax
		push	2
		lea	eax, [esp+70h+var_38]
		push	eax
		push	[esp+74h+var_50]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_57C1EA
		cmp	[esp+60h+var_C], 2
		ja	short loc_57C1EA
		mov	edi, [esp+60h+var_C]

loc_57C1EA:				; CODE XREF: FsRtlpGetMaxVirtualDiskNestingLevel()+D1j
					; FsRtlpGetMaxVirtualDiskNestingLevel()+D8j
		push	[esp+60h+var_50]
		call	_ZwClose@4	; ZwClose(x)

loc_57C1F3:				; CODE XREF: FsRtlpGetMaxVirtualDiskNestingLevel()+A2j
		cmp	esi, 2
		jb	loc_57C16A
		mov	ecx, [esp+60h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_FsRtlpGetMaxVirtualDiskNestingLevel@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExLogTimeZoneInformation()
_ExLogTimeZoneInformation@0 proc near	; CODE XREF: INIT:00ABFCE9p

var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EA		= dword	ptr -0EAh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 114h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		cmp	dword_6B2A90, 5
		mov	esi, [eax+268h]
		jbe	loc_57C3E2
		mov	eax, [esi+310h]
		lea	edx, [esi+0ACh]
		mov	[ebp+var_F0], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_C4], ecx
		mov	[ebp+var_C8], eax
		xor	edi, edi
		mov	eax, [esi+1B4h]
		inc	edi
		mov	[ebp+var_F4], eax
		lea	eax, [ebp+var_F4]
		mov	[ebp+var_B8], eax
		mov	eax, [esi+1B0h]
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_F8]
		mov	[ebp+var_A8], eax
		mov	al, byte ptr _ExpRealTimeIsUniversal
		mov	byte ptr [ebp+var_EA+1], al
		lea	eax, [ebp+var_EA+1]
		mov	[ebp+var_98], eax
		mov	eax, [esi+308h]
		mov	[ebp+var_110], eax
		mov	eax, [esi+30Ch]
		push	4
		pop	ebx
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_110]
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_94], ecx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_84], ecx
		mov	[ebp+var_7C], ecx
		lea	ecx, [ebp+var_78]
		mov	[ebp+var_C0], ebx
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_90], edi
		mov	[ebp+var_88], eax
		mov	[ebp+var_80], 8
		call	_tlgCreate1Sz_wchar_t
		mov	al, [esi+1ACh]
		xor	edx, edx
		mov	byte ptr [ebp+var_EA], al
		lea	eax, [ebp+var_EA]
		mov	[ebp+var_68], eax
		mov	eax, [esi]
		mov	[ebp+var_FC], eax
		lea	eax, [ebp+var_FC]
		mov	[ebp+var_58], eax
		mov	eax, [esi+54h]
		mov	[ebp+var_100], eax
		lea	eax, [ebp+var_100]
		mov	[ebp+var_48], eax
		mov	eax, [esi+0A8h]
		mov	[ebp+var_104], eax
		lea	eax, [ebp+var_104]
		push	10h
		mov	[ebp+var_38], eax
		lea	eax, [esi+44h]
		pop	ecx
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		lea	eax, [esi+98h]
		mov	[ebp+var_14], edx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_EA+2]
		push	eax
		push	0Eh
		push	edx
		push	edx
		push	(offset	loc_424259+4)
		push	offset dword_6B2A90
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_57C3E2:				; CODE XREF: ExLogTimeZoneInformation()+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_ExLogTimeZoneInformation@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoAddTriageDumpDataBlock proc near	; CODE XREF: IoReportTargetDeviceChangeAsynchronous+16E75Fp
					; IoReportTargetDeviceChangeAsynchronous+16E76Fp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FA778 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, _IopNumTriageDumpDataBlocks
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_C], eax
		mov	edi, ecx
		mov	[ebp+var_8], 100h
		push	esi
		lea	eax, [ebp+var_C]
		mov	[ebp+var_4], offset _IopTriageDumpDataBlocks
		push	edi
		xor	ecx, ecx
		mov	edx, eax
		push	eax
		inc	ecx
		call	IopAddTriageDumpDataBlock
		mov	ecx, [ebp+var_C]
		mov	bl, al
		mov	_IopNumTriageDumpDataBlocks, ecx
		mov	ecx, _IopTriageDumpDataArray
		test	ecx, ecx
		jnz	loc_5FA778

loc_57C440:				; CODE XREF: IoAddTriageDumpDataBlock+7E38Ej
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
IoAddTriageDumpDataBlock endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAddTriageDumpDataBlock proc near	; CODE XREF: IoAddTriageDumpDataBlock+30p
					; IopAddRunTimeTriageDataBlocks(x,x,x,x,x,x)+43p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005FA785 SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		push	edi
		test	esi, esi
		jz	short loc_57C4D4
		cmp	esi, 20000h
		jnb	short loc_57C4D4
		mov	edi, [ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_57C4D4
		mov	eax, [ebp+var_8]
		lea	ecx, [edi+esi]
		xor	esi, esi
		mov	[ebp+arg_8], ecx
		mov	[ebp+var_C], esi
		test	eax, eax
		jz	short loc_57C4AB

loc_57C489:				; CODE XREF: IopAddTriageDumpDataBlock+61j
		mov	ecx, [ebx]
		and	[ebp+var_4], 0
		test	ecx, ecx
		mov	edx, [ebx+8]
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+arg_8]
		jnz	loc_5FA785

loc_57C4A0:				; CODE XREF: IopAddTriageDumpDataBlock+7E37Dj
		inc	esi
		add	ebx, 0Ch
		mov	[ebp+var_C], esi
		cmp	esi, eax
		jb	short loc_57C489

loc_57C4AB:				; CODE XREF: IopAddTriageDumpDataBlock+3Fj
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_57C4D4
		mov	esi, [edx]
		cmp	esi, [edx+4]
		jnb	short loc_57C4D4
		mov	ecx, [edx+8]
		lea	eax, [esi+1]
		mov	[edx], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+esi*8], edi
		mov	[ecx+esi*8+4], eax

loc_57C4CB:				; CODE XREF: IopAddTriageDumpDataBlock+7E357j
		mov	al, 1

loc_57C4CD:				; CODE XREF: IopAddTriageDumpDataBlock+8Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_57C4D4:				; CODE XREF: IopAddTriageDumpDataBlock+15j
					; IopAddTriageDumpDataBlock+1Dj ...
		xor	al, al
		jmp	short loc_57C4CD
IopAddTriageDumpDataBlock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	WheaWmiDispatch(int,int,int,void *,int,int)
WheaWmiDispatch	proc near		; DATA XREF: WheaWmiInit()+Do

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005FA7CA SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	eax, 0
		jz	loc_5FA7F3
		sub	eax, 1
		jz	loc_5FA7E0
		sub	eax, 7
		jz	short loc_57C50F
		sub	eax, 1
		jz	loc_5FA7CA
		mov	eax, [ebp+arg_14]
		and	dword ptr [eax], 0
		mov	eax, 0C0000010h

loc_57C50B:				; CODE XREF: WheaWmiDispatch+45j
					; WheaWmiDispatch+7E303j ...
		pop	ebp
		retn	18h
; 

loc_57C50F:				; CODE XREF: WheaWmiDispatch+1Dj
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+arg_8]
		push	[ebp+arg_C]	; void *
		call	WheapWmiRegisterInfo
		jmp	short loc_57C50B
WheaWmiDispatch	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	WheapWmiRegisterInfo(void *,int)
WheapWmiRegisterInfo proc near		; CODE XREF: WheaWmiDispatch+40p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005FA806 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, 8Eh
		cmp	edx, ebx
		jb	loc_5FA806
		push	esi
		push	edi
		push	ebx		; size_t
		xor	esi, esi
		push	esi		; int
		push	[ebp+arg_0]	; void *
		call	_memset
		mov	edx, [ebp+arg_0]
		add	esp, 0Ch
		push	24h
		mov	dword ptr [edx+10h], 3
		lea	ecx, [edx+28h]
		mov	edx, esi
		pop	ebx

loc_57C556:				; CODE XREF: WheapWmiRegisterInfo+63j
		mov	esi, ds:_WheapWmiGuidList[edx]
		lea	edi, [ecx-14h]
		movsd
		movsd
		movsd
		movsd
		mov	eax, ds:dword_404A98[edx]
		mov	[ecx-4], eax
		mov	eax, ds:dword_404A94[edx]
		add	edx, 0Ch
		mov	[ecx], eax
		lea	ecx, [ecx+1Ch]
		mov	dword ptr [ecx-18h], 68h
		cmp	edx, ebx
		jb	short loc_57C556
		mov	edx, [ebp+arg_0]
		mov	esi, (offset off_5A7186+2)
		push	9
		pop	ecx
		xor	eax, eax
		mov	[edx+68h], bx
		lea	edi, [edx+6Ah]
		rep movsd
		mov	ebx, 8Eh
		pop	edi
		mov	[edx], ebx
		pop	esi

loc_57C5A4:				; CODE XREF: WheapWmiRegisterInfo+7E2F8j
		mov	ecx, [ebp+arg_4]
		mov	[ecx], ebx
		pop	ebx
		pop	ebp
		retn	8
WheapWmiRegisterInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInitializeOfflineCrashDump proc near	; CODE XREF: IopInitCrashDumpDuringSysInit+81p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_16		= byte ptr -16h
var_15		= dword	ptr -15h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FA81D SIZE 0000013F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_20], 0
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	7Eh
		pop	eax
		xor	ebx, ebx
		mov	word ptr [ebp+var_2C], ax
		and	[ebp+var_1C], ebx
		add	eax, 2
		and	dword_6D4D88, ebx
		inc	edx
		mov	[ebp+var_15+1],	77FA9ABDh
		mov	[ebp+var_10], 4D320359h
		mov	[ebp+var_C], 0F42860BDh
		mov	[ebp+var_8], 4B788FE7h
		mov	word ptr [ebp+var_2C+2], ax
		mov	[ebp+var_28], (offset off_5A440A+2)
		mov	[ebp+var_16], 0
		mov	[ebp+var_24], edx
		mov	byte ptr [ebp+var_15], 0
		test	ecx, ecx
		jz	loc_5FA81D
		lea	esi, [ecx+0A28h]
		mov	eax, [esi]
		cmp	eax, edx
		jnb	loc_5FA82C

loc_57C629:				; CODE XREF: IopInitializeOfflineCrashDump+7E281j
		mov	dword_6D4D88, 0C0000058h

loc_57C633:				; CODE XREF: IopInitializeOfflineCrashDump+7E2AFj
					; IopInitializeOfflineCrashDump+7E34Ej	...
		cmp	[ebp+var_1C], 0
		jnz	loc_5FA94D

loc_57C63D:				; CODE XREF: IopInitializeOfflineCrashDump+7E279j
					; IopInitializeOfflineCrashDump+7E3A9j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
IopInitializeOfflineCrashDump endp


;  S U B	R O U T	I N E 


SecureDump_Init	proc near		; CODE XREF: IopInitCrashDumpDuringSysInit+23p

; FUNCTION CHUNK AT 005FA95C SIZE 000000E3 BYTES

		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		cmp	_SecureDmpEncryptionContext, 1
		push	esi
		mov	esi, ebx
		jnz	short loc_57C679
		cmp	dword_6CF2CC, ebx
		jnz	loc_5FA95C
		mov	byte_6CF2C4, bl

loc_57C66F:				; CODE XREF: SecureDump_Init+7E34Fj
		mov	_SecureDmpEncryptionContext, 2

loc_57C679:				; CODE XREF: SecureDump_Init+Fj
					; SecureDump_Init+7E320j ...
		mov	eax, _SecureDmpEncryptionContext
		cmp	eax, 3
		jz	loc_5FA9A0
		cmp	eax, 2
		jnz	loc_5FA9AA
		xor	eax, eax

loc_57C692:				; CODE XREF: SecureDump_Init+7E367j
					; SecureDump_Init+7E3EEj
		pop	esi
		pop	ebx
		retn
SecureDump_Init	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopThermalIrpComplete(x, x,	x)
_PopThermalIrpComplete@12 proc near	; DATA XREF: PopThermalWorker+1B3o

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		push	1
		add	eax, 0E8h
		push	eax
		call	ExQueueWorkItem
		mov	eax, 0C0000016h
		pop	ebp
		retn	0Ch
_PopThermalIrpComplete@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcPoLowPower(x)
_PdcPoLowPower@4 proc near		; DATA XREF: PopPdcRegister+30o

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, [ebp+arg_0]
		mov	dword ptr [ebp+arg_0], eax
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		lea	eax, [ebp+arg_0]
		mov	ecx, offset _GUID_LOW_POWER_EPOCH ; int
		push	eax		; void *
		push	4
		pop	edx
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		xor	eax, eax
		pop	ebp
		retn	4
_PdcPoLowPower@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MmLowPowerEpochCallback(void *,int,int,int)
_MmLowPowerEpochCallback@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_LOW_POWER_EPOCH ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_57C714
		cmp	[ebp+arg_8], 4
		jnz	short loc_57C714
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_57C714
		cmp	dword ptr [eax], 0
		setnz	byte_6D3029

loc_57C714:				; CODE XREF: MmLowPowerEpochCallback(x,x,x,x)+19j
					; MmLowPowerEpochCallback(x,x,x,x)+1Fj	...
		xor	eax, eax
		pop	ebp
		retn	10h
_MmLowPowerEpochCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopFxLowPowerEpochCallback(void	*,int,int,int)
PopFxLowPowerEpochCallback proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005FAA3F SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		mov	ebx, 0C000000Dh
		push	offset _GUID_LOW_POWER_EPOCH ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_57C7B5
		cmp	[ebp+arg_8], 4
		jnz	short loc_57C7B5
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_57C7B5
		mov	al, [eax]
		mov	_PopFxLowPowerEpoch, al
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopFxPluginLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopFxPluginList
		xor	ebx, ebx

loc_57C775:				; CODE XREF: PopFxLowPowerEpochCallback+7E341j
		cmp	esi, offset _PopFxPluginList
		jnz	loc_5FAA3F
		mov	al, _PopFxLowPowerEpoch
		xor	edx, edx
		push	11h
		mov	_PopPepLowPowerEpoch, al
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_57C7A0
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_57C7A0:				; CODE XREF: PopFxLowPowerEpochCallback+7Dj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi

loc_57C7B5:				; CODE XREF: PopFxLowPowerEpochCallback+1Fj
					; PopFxLowPowerEpochCallback+25j ...
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	10h
PopFxLowPowerEpochCallback endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2217. RtlIsNtDdiVersionAvailable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsNtDdiVersionAvailable(x)
		public _RtlIsNtDdiVersionAvailable@4
_RtlIsNtDdiVersionAvailable@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		shr	eax, 8
		or	eax, [ebp+arg_0]
		test	al, al
		jnz	short loc_57C7E4
		mov	eax, 0A000008h
		cmp	eax, [ebp+arg_0]
		sbb	al, al
		inc	al

loc_57C7E0:				; CODE XREF: RtlIsNtDdiVersionAvailable(x)+24j
		pop	ebp
		retn	4
; 

loc_57C7E4:				; CODE XREF: RtlIsNtDdiVersionAvailable(x)+10j
		xor	al, al
		jmp	short loc_57C7E0
_RtlIsNtDdiVersionAvailable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcSetupWatchForRegistryChanges proc near ; CODE	XREF: .text:004FBDBEp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 005FAA60 SIZE 0000003B BYTES

		push	30h
		push	offset dword_6A75F0
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		mov	[ebp+ms_exc.disabled], esi
		push	52576343h
		push	30h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_20], ebx
		test	ebx, ebx
		jz	loc_5FAA60
		push	30h		; size_t
		push	esi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebx+20h]
		push	(offset	??_C@_01LFCBOECM@?4@FNODOBFM@+2)
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	dword ptr [ebx+14h], offset CcUpdateDynamicRegistrySettings
		mov	dword ptr [ebx+8], offset CcRegistryChangeCallback
		mov	[ebx+0Ch], ebx
		mov	[ebx], esi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_40]
		rep stosd
		mov	[ebp+var_40], 18h
		mov	[ebp+var_3C], esi
		mov	[ebp+var_34], 240h
		lea	eax, [ebx+20h]
		mov	[ebp+var_38], eax
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		lea	eax, [ebx+10h]
		lea	ecx, [ebp+var_40]
		push	ecx
		push	10h
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		mov	[ebp+var_1C], edi
		test	edi, edi
		js	loc_5FAA6D
		push	1
		push	esi
		push	esi
		push	1
		push	5
		lea	eax, [ebp+var_28]
		push	eax
		push	1
		push	ebx
		push	esi
		push	dword ptr [ebx+10h]
		call	_ZwNotifyChangeKey@40 ;	ZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_1C], edi
		cmp	edi, 103h
		jnz	loc_5FAA79
		lea	eax, [ebx+20h]
		push	eax		; char
		push	offset ??_C@_0DC@FDFEGDLP@CcSetupWatchForRegistryChanges?3@FNODOBFM@ ; "CcSetupWatchForRegistryChanges:	Queued "...
		push	2		; int
		push	7Fh		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_57C8D1:				; CODE XREF: CcSetupWatchForRegistryChanges+7E293j
		mov	_CcRegistryWatchInitComplete, 1

loc_57C8DB:				; CODE XREF: CcSetupWatchForRegistryChanges+7E280j
					; CcSetupWatchForRegistryChanges+7E2AEj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_57C8F7
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CcSetupWatchForRegistryChanges endp


;  S U B	R O U T	I N E 


sub_57C8F7	proc near		; CODE XREF: CcSetupWatchForRegistryChanges+FAp
					; sub_5FAA9B+8j

; FUNCTION CHUNK AT 005FAAA8 SIZE 0000003E BYTES

		test	ebx, ebx
		jz	loc_5FAAA8
		test	edi, edi
		js	loc_5FAABD

locret_57C907:				; CODE XREF: sub_57C8F7+7E1C1j
					; sub_57C8F7+7E1EAj
		retn
sub_57C8F7	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetWsAndMakePageTablesNx()
_MiGetWsAndMakePageTablesNx@0 proc near	; CODE XREF: MmInitializeHandBuiltProcess2+26p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax+80h]
		add	esi, 240h
		mov	ecx, esi
		mov	[ebp+var_4], esi
		call	MiLockWorkingSetShared
		push	0
		mov	edx, 0C0603018h
		mov	ecx, esi
		mov	bl, al
		call	MiLockPageTableInternal
		mov	edi, ds:0C0603018h
		nop
		mov	esi, ds:0C060301Ch
		push	esi
		push	edi
		mov	esi, 0C0603018h
		push	2
		mov	edx, esi
		call	MiPerformSafePdeWrite
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	ecx, [ebp+var_4]
		mov	dl, bl
		call	MiUnlockWorkingSetShared
		xor	ecx, ecx
		xor	edx, edx
		inc	ecx
		call	KeFlushTb
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiGetWsAndMakePageTablesNx@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmCheckProcessorInit(x, x,	x)
_PpmCheckProcessorInit@12 proc near	; DATA XREF: PpmCheckInitProcessors+B5o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		lea	ecx, [esi+3EA0h]
		call	_PpmResetPerfTimes@4 ; PpmResetPerfTimes(x)
		mov	ecx, esi
		call	PpmHeteroHgsProcessorInit
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	0Ch
_PpmCheckProcessorInit@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmHeteroHgsProcessorInit proc near	; CODE XREF: PpmCheckProcessorInit(x,x,x)+16p
					; PpmHeteroHgsBackupProcessorInit(x,x,x)+8p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FAAE6 SIZE 000000E6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		cmp	ds:_PpmHeteroHgsEnabled, 0
		push	ebx
		push	esi
		push	edi
		mov	[esp+38h+var_28], ecx
		jnz	loc_5FAAE6

loc_57C9CA:				; CODE XREF: PpmHeteroHgsProcessorInit+7E1A6j
					; PpmHeteroHgsProcessorInit+7E1D9j ...
		mov	ecx, [esp+38h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
PpmHeteroHgsProcessorInit endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1687. PoFxProcessorNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxProcessorNotification
PoFxProcessorNotification proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005FABCC SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+24h]
		test	eax, eax
		jnz	loc_5FABCC

loc_57C9F5:				; CODE XREF: PoFxProcessorNotification+7E1EFj
		mov	eax, 0C0000002h

loc_57C9FA:				; CODE XREF: PoFxProcessorNotification+7E212j
		pop	ebp
		retn	0Ch
PoFxProcessorNotification endp


;  S U B	R O U T	I N E 


; __stdcall IopInitDumpCapsuleSupport()
_IopInitDumpCapsuleSupport@0 proc near	; CODE XREF: IoConfigureCrashDump+86857p
					; IoInitializeCrashDump+95808p	...
		cmp	_CapsuleTriageDumpBlockInitialized, 0
		push	esi
		jnz	short loc_57CA42
		call	_IopIsBitlockerOn@0 ; IopIsBitlockerOn()
		test	al, al
		jnz	short loc_57CA42
		push	706D4443h
		mov	esi, 21800h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_CapsuleTriageDumpBlock, eax
		test	eax, eax
		jz	short loc_57CA46
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	_CapsuleTriageDumpBlockInitialized, 1

loc_57CA42:				; CODE XREF: IopInitDumpCapsuleSupport()+8j
					; IopInitDumpCapsuleSupport()+11j
		xor	eax, eax
		pop	esi
		retn
; 

loc_57CA46:				; CODE XREF: IopInitDumpCapsuleSupport()+2Fj
		mov	eax, 0C000009Ah
		pop	esi
		retn
_IopInitDumpCapsuleSupport@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopIsBitlockerOn()
_IopIsBitlockerOn@0 proc near		; CODE XREF: IopInitDumpCapsuleSupport()+Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_10]
		push	offset ??_C@_1IG@CHPFMOHD@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@FNODOBFM@
		xor	esi, esi
		mov	[ebp+var_10], edi
		push	eax
		mov	[ebp+var_C], edi
		inc	esi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	20019h
		lea	eax, [ebp+var_10]
		xor	edx, edx
		push	eax
		lea	ecx, [ebp+var_4]
		call	IopOpenRegistryKey
		test	eax, eax
		js	short loc_57CAC3
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		mov	edx, offset ??_C@_1BG@LCMMIACL@?$AAB?$AAo?$AAo?$AAt?$AAS?$AAt?$AAa?$AAt?$AAu?$AAs@FNODOBFM@
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_57CABA
		mov	ecx, [ebp+var_8]
		cmp	[ecx+0Ch], edi
		jz	short loc_57CAB3
		mov	eax, [ecx+8]
		mov	esi, [ecx+eax]

loc_57CAB3:				; CODE XREF: IopIsBitlockerOn()+5Dj
		push	edi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_57CABA:				; CODE XREF: IopIsBitlockerOn()+55j
		push	edi
		push	[ebp+var_4]
		call	ObCloseHandle

loc_57CAC3:				; CODE XREF: IopIsBitlockerOn()+3Fj
		cmp	esi, 1
		pop	edi
		setz	al
		pop	esi
		leave
		retn
_IopIsBitlockerOn@0 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 375. ExInitializeFastResource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExInitializeFastResource(void *,int)
		public ExInitializeFastResource
ExInitializeFastResource proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005FABF9 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		ja	loc_5FABF9
		test	[ebp+arg_4], 0FFFFFFFEh
		jnz	loc_5FAC05
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi	; void *
		call	ExpInitializeResource
		mov	ax, [esi+0Eh]
		or	ax, 1
		test	byte ptr [ebp+arg_4], 1
		movzx	ecx, ax
		mov	[esi+0Eh], ax
		jnz	short loc_57CB26

loc_57CB12:				; CODE XREF: ExInitializeFastResource+5Bj
		lea	eax, [esi+18h]
		mov	ecx, esi
		mov	[eax+4], eax
		mov	[eax], eax
		call	_ExpAddResourceToSystemResourceList@4 ;	ExpAddResourceToSystemResourceList(x)
		pop	esi
		pop	ebp
		retn	8
; 

loc_57CB26:				; CODE XREF: ExInitializeFastResource+3Ej
		or	ecx, 40h
		mov	[esi+0Eh], cx
		jmp	short loc_57CB12
ExInitializeFastResource endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ExpAddResourceToSystemResourceList(x)
_ExpAddResourceToSystemResourceList@4 proc near	; CODE XREF: ExInitializeFastResource+4Ap
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, offset _ExpResourceSpinLock
		mov	esi, ecx
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	ecx, dword_6BBC84
		mov	bl, al
		mov	eax, offset _ExpSystemResourcesList
		cmp	[ecx], eax
		jnz	short loc_57CB71
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		push	edi
		mov	dword_6BBC84, esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_57CB71:				; CODE XREF: ExpAddResourceToSystemResourceList(x)+21j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExpAddResourceToSystemResourceList@4 endp ; AL	= character to display


;  S U B	R O U T	I N E 


; int __fastcall ExpInitializeResource(void *)
ExpInitializeResource proc near		; CODE XREF: ExInitializeFastResource+26p
		mov	edi, edi
		push	esi
		push	edi
		push	38h		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	[esi+4], esi
		add	esp, 0Ch
		mov	[esi], esi
		mov	[esi+10h], edi
		mov	[esi+14h], edi
		mov	[esi+34h], edi
		test	_NtGlobalFlag, 2000h
		jnz	loc_5FAC1A

loc_57CBA8:				; CODE XREF: ExInitializeFastResource+7E150j
		mov	[esi+30h], edi
		pop	edi
		pop	esi
		retn
ExpInitializeResource endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopProcessorSetPep proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005FAC27 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, [edi+24h]
		test	eax, eax
		jnz	loc_5FAC27

loc_57CBC3:				; CODE XREF: PopProcessorSetPep+7E07Ej
		mov	esi, 0C0000002h

loc_57CBC8:				; CODE XREF: PopProcessorSetPep+7E097j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
PopProcessorSetPep endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1699. PoFxSetComponentResidency

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxSetComponentResidency
PoFxSetComponentResidency proc near

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005FAC4A SIZE 0000007B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	edx, ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ecx, [eax+1Ch]
		push	edi
		mov	edi, [ebp+arg_C]
		push	edi
		push	esi
		push	0Ah
		mov	[ebp+var_48], eax
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], edi
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ecx
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		cmp	_PopDiagHandleRegistered, 0
		jnz	loc_5FAC4A

loc_57CC21:				; CODE XREF: PoFxSetComponentResidency+7E092j
					; PoFxSetComponentResidency+7E0EAj
		mov	ecx, [ebp+var_48]
		mov	edx, ebx
		push	edi
		push	esi
		mov	ecx, [ecx+20h]
		call	PopPepComponentSetResidency
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
PoFxSetComponentResidency endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepComponentSetResidency proc near	; CODE XREF: PoFxSetComponentResidency+55p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005FACC5 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		mov	ecx, [ebp+arg_4]
		mov	eax, esi
		push	edi
		imul	edi, edx, 0A8h
		and	eax, ecx
		mov	byte ptr [ebp+var_4], 0
		mov	[ebp+arg_4], ecx
		add	edi, 88h
		add	edi, ebx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_57CC7A
		xor	esi, esi
		xor	ecx, ecx
		mov	[ebp+arg_4], ecx

loc_57CC7A:				; CODE XREF: PopPepComponentSetResidency+2Fj
		push	ecx
		push	esi
		mov	ecx, edi
		call	_PopPepComponentGetResidencyIdleState@12 ; PopPepComponentGetResidencyIdleState(x,x,x)
		mov	[ebp+var_8], eax
		mov	edx, edi
		lea	eax, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		push	1
		push	6
		call	PopPepLockActivityLink
		mov	byte ptr [ebp+var_C], al
		mov	eax, [ebp+arg_4]
		mov	[edi+64h], eax
		mov	[edi+5Ch], eax
		mov	eax, [ebp+var_8]
		mov	[edi+60h], esi
		mov	[edi+58h], esi
		cmp	[edi+80h], eax
		jnz	loc_5FACC5

loc_57CCB8:				; CODE XREF: PopPepComponentSetResidency+7E0C0j
		push	[ebp+var_4]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+var_C]
		call	PopPepReleaseActivityLink
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
PopPepComponentSetResidency endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFreeUnusedPfnPages proc near		; CODE XREF: MiInitNucleus(x)+334p
					; DATA XREF: MiFreeUnusedPfnPagesDpc+85EA5o ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005FAD07 SIZE 000003A0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		and	[ebp+var_28], 0
		mov	[ebp+var_30], ecx
		mov	[ebp+var_14], ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_44]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_44]
		mov	[ebp+var_2C], eax
		mov	eax, ecx
		test	ecx, ecx
		jnz	short loc_57CD03
		mov	eax, offset _MiSystemPartition
		mov	[ebp+var_14], eax

loc_57CD03:				; CODE XREF: MiFreeUnusedPfnPages+2Bj
		mov	ecx, large fs:124h
		lea	esi, [eax+6Ch]
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_18], ecx
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], edi

loc_57CD19:				; CODE XREF: MiFreeUnusedPfnPages+7E20Fj
		dec	word ptr [ecx+13Eh]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		cmp	[ebp+arg_0], 0
		jnz	short loc_57CD3D
		mov	eax, [ebp+var_14]
		cmp	byte ptr [eax+74h], 1
		jz	loc_5FAEE2

loc_57CD3D:				; CODE XREF: MiFreeUnusedPfnPages+60j
		lea	eax, [ebp+var_30]
		push	eax
		push	offset MiFreeUnusedPfnPagesDpc
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		cmp	[ebp+var_28], 103h
		jz	loc_5FAD07
		mov	eax, [ebp+var_14]
		and	dword ptr [eax+30h], 0
		mov	byte ptr [eax+74h], 0
		mov	eax, edi
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_57CD76
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_57CD76:				; CODE XREF: MiFreeUnusedPfnPages+9Fj
		xor	edi, edi
		mov	[ebp+var_20], edi
		test	esi, 7FFFFFFCh
		jz	loc_57CEB7
		mov	eax, [ebp+var_C]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_1C], esi
		cmp	eax, edx
		jb	short loc_57CDCA
		cmp	byte ptr dword_6D3994[ecx], 1
		jz	short loc_57CDB9
		cmp	eax, edx
		jb	short loc_57CDCA
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jnz	short loc_57CDCA

loc_57CDB9:				; CODE XREF: MiFreeUnusedPfnPages+DCj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_C]

loc_57CDCA:				; CODE XREF: MiFreeUnusedPfnPages+D3j
					; MiFreeUnusedPfnPages+E0j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	edx, eax
		mov	byte ptr [ebp+arg_0+3],	cl
		mov	ecx, [ebp+var_10]
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	loc_57CED4
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_57CE12
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_24]

loc_57CE12:				; CODE XREF: MiFreeUnusedPfnPages+13Aj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_20], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+arg_0+3],	1
		mov	edx, eax
		jnz	loc_5FB081
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_57CE5E:				; CODE XREF: MiFreeUnusedPfnPages+20Ej
					; MiFreeUnusedPfnPages+7E3C5j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+arg_0], eax
		jz	short loc_57CEAC
		test	edi, 8000h
		jz	short loc_57CE82
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_57CE82:				; CODE XREF: MiFreeUnusedPfnPages+1A9j
		test	byte ptr [ebp+var_20+2], 1
		jnz	loc_5FB098

loc_57CE8C:				; CODE XREF: MiFreeUnusedPfnPages+7E3D4j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_57CEA0
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_57CEA0:				; CODE XREF: MiFreeUnusedPfnPages+1C5j
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	short loc_57CEE3

loc_57CEAC:				; CODE XREF: MiFreeUnusedPfnPages+1A1j
					; MiFreeUnusedPfnPages+7E356j ...
		nop
		add	word ptr [esi+13Eh], 1
		jz	short loc_57CEC5

loc_57CEB7:				; CODE XREF: MiFreeUnusedPfnPages+B3j
					; MiFreeUnusedPfnPages+1FDj ...
		mov	ecx, [ebp+var_18]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_57CEBF:				; CODE XREF: MiFreeUnusedPfnPages+7E1F7j
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_57CEC5:				; CODE XREF: MiFreeUnusedPfnPages+1E7j
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_57CEB7
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_57CEB7
; 

loc_57CED4:				; CODE XREF: MiFreeUnusedPfnPages+128j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_57CE5E
		jmp	loc_5FAF85
; 

loc_57CEE3:				; CODE XREF: MiFreeUnusedPfnPages+1DCj
		push	[ebp+arg_0]
		jmp	loc_5FB072
MiFreeUnusedPfnPages endp

; 
		align 10h
; Exported entry 1250. KeRegisterBugCheckCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeRegisterBugCheckCallback
KeRegisterBugCheckCallback proc	near

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 005FB0A7 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	esi, offset _KeBugCheckCallbackLock
		mov	[ebp+var_1], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edi, [ebp+arg_0]
		xor	bl, bl
		cmp	[edi+1Ch], bl
		jnz	short loc_57CF73
		mov	edx, edi
		mov	ecx, offset _KeBugCheckCallbackListHead
		call	_KiCheckForDuplicateBugCheckCallback@8 ; KiCheckForDuplicateBugCheckCallback(x,x)
		test	al, al
		jnz	short loc_57CF73
		mov	eax, [ebp+arg_8]
		xor	ebx, ebx
		mov	esi, [ebp+arg_4]
		inc	ebx
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_10]
		mov	[edi+0Ch], eax
		add	eax, esi
		add	eax, edx
		mov	[edi+14h], ecx
		add	eax, ecx
		mov	[edi+8], esi
		mov	[edi+10h], edx
		mov	ecx, offset _KeBugCheckCallbackListHead
		mov	[edi+18h], eax
		mov	[edi+1Ch], bl
		mov	eax, _KeBugCheckCallbackListHead
		cmp	[eax+4], ecx
		jnz	short loc_57CF97
		mov	[edi], eax
		mov	esi, offset _KeBugCheckCallbackLock
		mov	[edi+4], ecx
		mov	[eax+4], edi
		mov	_KeBugCheckCallbackListHead, edi

loc_57CF73:				; CODE XREF: KeRegisterBugCheckCallback+28j
					; KeRegisterBugCheckCallback+38j
		test	ds:byte_70EFC6,	1
		jnz	loc_5FB0A7
		xor	eax, eax
		lock and [esi],	eax

loc_57CF85:				; CODE XREF: KeRegisterBugCheckCallback+7E1C1j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	14h
; 

loc_57CF97:				; CODE XREF: KeRegisterBugCheckCallback+6Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall BgpGxProcessQrCodeBitmap(x,	x)
_BgpGxProcessQrCodeBitmap@8:		; CODE XREF: BgpFwLibraryInitialize+41Ap
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	dword ptr [ebp-4], 0
		push	esi
		push	edi
		mov	edi, edx
		test	edi, edi
		jz	short loc_57CFED
		push	ecx
		lea	edx, [ebp-4]
		call	BgpGxParseBitmap
		mov	esi, eax
		test	esi, esi
		js	short loc_57CFF4
		call	_BgpGetBitsPerPixel@0 ;	BgpGetBitsPerPixel()
		mov	ecx, [ebp-4]
		cmp	[ecx+8], eax
		jz	short loc_57CFDD
		mov	edx, eax
		lea	ecx, [ebp-4]
		call	_BgpGxConvertRectangle@8 ; BgpGxConvertRectangle(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_57CFF4
		mov	ecx, [ebp-4]

loc_57CFDD:				; CODE XREF: KeRegisterBugCheckCallback+D8j
		mov	[edi], ecx

loc_57CFDF:				; CODE XREF: KeRegisterBugCheckCallback+107j
		test	ecx, ecx
		jz	short loc_57CFE7
		cmp	ecx, [edi]
		jnz	short loc_57CFF9

loc_57CFE7:				; CODE XREF: KeRegisterBugCheckCallback+F1j
					; KeRegisterBugCheckCallback+102j ...
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_57CFED:				; CODE XREF: KeRegisterBugCheckCallback+BCj
		mov	esi, 0C000000Dh
		jmp	short loc_57CFE7
; 

loc_57CFF4:				; CODE XREF: KeRegisterBugCheckCallback+CBj
					; KeRegisterBugCheckCallback+E8j
		mov	ecx, [ebp-4]
		jmp	short loc_57CFDF
; 

loc_57CFF9:				; CODE XREF: KeRegisterBugCheckCallback+F5j
		call	_BgpGxRectangleDestroy@4 ; BgpGxRectangleDestroy(x)
		jmp	short loc_57CFE7
KeRegisterBugCheckCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpGxConvertRectangle(x, x)
_BgpGxConvertRectangle@8 proc near	; CODE XREF: KeRegisterBugCheckCallback+DFp
					; BgConvertResources(x)+7j

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ecx, [edi]
		cmp	[ecx+8], edx
		jz	short loc_57D032
		push	esi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], esi
		push	eax
		call	BgpGxConvertRectangleEx
		mov	esi, eax
		test	esi, esi
		js	short loc_57D032
		mov	ecx, [edi]
		call	_BgpGxRectangleDestroy@4 ; BgpGxRectangleDestroy(x)
		mov	ecx, [ebp+var_4]
		mov	[edi], ecx

loc_57D032:				; CODE XREF: BgpGxConvertRectangle(x,x)+11j
					; BgpGxConvertRectangle(x,x)+24j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_BgpGxConvertRectangle@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInitializeSystemVariableService proc	near ; CODE XREF: INIT:00AC2F05p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FB0B6 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		xor	edx, edx
		push	esi
		mov	ecx, offset dword_6B2D08
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_24], esi
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		push	(offset	off_5A49D4+2)
		lea	eax, [ebp+var_20]
		mov	[ebp+var_18], esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_20]
		mov	[ebp+var_3C], 18h
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_38], esi
		push	eax
		mov	[ebp+var_30], 240h
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_57D0D5
		push	offset ??_C@_1M@OAJFFPML@?$AAF?$AAl?$AAa?$AAg?$AAs@FNODOBFM@
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_24]
		push	eax
		push	10h
		lea	eax, [ebp+var_14]
		push	eax
		push	2
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_18]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_5FB0B6

loc_57D0D5:				; CODE XREF: IopInitializeSystemVariableService+6Dj
					; IopInitializeSystemVariableService+7E082j ...
		cmp	[ebp+var_18], esi
		jz	short loc_57D0E2
		push	[ebp+var_18]
		call	_ZwClose@4	; ZwClose(x)

loc_57D0E2:				; CODE XREF: IopInitializeSystemVariableService+A0j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
IopInitializeSystemVariableService endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1232. KeQueryNodeMaximumProcessorCount

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryNodeMaximumProcessorCount(x)
		public _KeQueryNodeMaximumProcessorCount@4
_KeQueryNodeMaximumProcessorCount@4 proc near

arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ax, [ebp+arg_0]
		cmp	ax, ds:_KeNumberNodes
		jnb	short loc_57D11E
		movzx	eax, ax
		lfence	eax
		mov	eax, ds:_KeNodeBlock[eax*4]
		movzx	eax, byte ptr [eax+0A4h]

loc_57D11A:				; CODE XREF: KeQueryNodeMaximumProcessorCount(x)+2Cj
		pop	ebp
		retn	4
; 

loc_57D11E:				; CODE XREF: KeQueryNodeMaximumProcessorCount(x)+10j
		xor	eax, eax
		jmp	short loc_57D11A
_KeQueryNodeMaximumProcessorCount@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WheapCheckForAndReportErrorsFromPreviousSession	proc near ; CODE XREF: INIT:00AC4501p

var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

; FUNCTION CHUNK AT 005FB0D7 SIZE 00000088 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	esi
		lea	eax, [esp+20h+var_14]
		xor	esi, esi
		push	eax
		lea	eax, [esp+24h+var_C]
		mov	[esp+24h+var_14], esi
		push	eax
		mov	[esp+28h+var_C], esi
		mov	[esp+28h+var_10], esi
		mov	[esp+28h+var_18], esi
		call	ds:__imp__PshedGetBootErrorPacket@8 ; PshedGetBootErrorPacket(x,x)
		test	eax, eax
		jns	short loc_57D158
		mov	[esp+28h+var_1C], esi

loc_57D158:				; CODE XREF: WheapCheckForAndReportErrorsFromPreviousSession+30j
		mov	ecx, esi
		mov	edx, esi
		mov	[esp+28h+var_10], ecx
		mov	[esp+28h+var_C], edx

loc_57D164:				; CODE XREF: WheapCheckForAndReportErrorsFromPreviousSession+7E01Bj
		lea	eax, [esp+28h+var_20]
		push	eax
		lea	eax, [esp+2Ch+var_18]
		push	eax
		lea	eax, [esp+30h+var_10]
		push	eax
		push	edx
		push	ecx
		push	esi
		call	ds:__imp__PshedReadErrorRecord@24 ; PshedReadErrorRecord(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_5FB0D7

loc_57D184:				; CODE XREF: WheapCheckForAndReportErrorsFromPreviousSession+7E021j
		mov	ecx, [esp+40h+var_34]
		test	ecx, ecx
		jnz	loc_5FB148

loc_57D190:				; CODE XREF: WheapCheckForAndReportErrorsFromPreviousSession+7E038j
		call	WheapProcessEfiBadMemoryPage
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
WheapCheckForAndReportErrorsFromPreviousSession	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WheapProcessEfiBadMemoryPage proc near	; CODE XREF: WheapCheckForAndReportErrorsFromPreviousSession:loc_57D190p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FB15F SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], 4
		push	edi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	ebx, offset _WheapHardwareErrorGuid
		push	eax
		push	ebx
		push	offset ??_C@_1DC@FLHAMKMH@?$AAU?$AAn?$AAc?$AAo?$AAr?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAB?$AAa?$AAd?$AAM@FNODOBFM@
		call	ds:__imp__HalGetEnvironmentVariableEx@20 ; HalGetEnvironmentVariableEx(x,x,x,x,x)
		cmp	[ebp+var_4], edi
		jz	short loc_57D1DD
		test	eax, eax
		jns	loc_5FB15F

loc_57D1D8:				; CODE XREF: WheapProcessEfiBadMemoryPage+48j
					; WheapProcessEfiBadMemoryPage+7DFE5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_57D1DD:				; CODE XREF: WheapProcessEfiBadMemoryPage+34j
		mov	eax, 0C0000225h
		jmp	short loc_57D1D8
WheapProcessEfiBadMemoryPage endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2012. RtlCreateHashTableEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCreateHashTableEx(x, x, x, x)
		public _RtlCreateHashTableEx@16
_RtlCreateHashTableEx@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	RtlpCreateHashTable
		pop	ebp
		retn	10h
_RtlCreateHashTableEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopWnfAirplaneModeCallback proc	near	; DATA XREF: PopSetupAirplaneModeNotification()+9o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 005FB184 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ecx, [ebp+arg_0]
		lea	edi, [ebp+var_10]
		xor	eax, eax
		stosd
		push	0Ch
		stosd
		stosd
		lea	eax, [ebp+var_14]
		pop	edi
		push	eax		; int
		lea	eax, [ebp+var_10]
		mov	[ebp+var_14], edi
		push	eax		; void *
		lea	eax, [ebp+arg_C]
		push	eax		; int
		push	ecx		; int
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_57D280
		cmp	[ebp+var_14], edi
		jb	short loc_57D293
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PopCsResiliencyStatsLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	[ebp+var_10], 0
		setz	byte_6C2D64
		test	ds:byte_70EFC6,	1
		jnz	loc_5FB184
		xor	eax, eax
		lock and [edi],	eax

loc_57D278:				; CODE XREF: PopWnfAirplaneModeCallback+7DF8Aj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_57D280:				; CODE XREF: PopWnfAirplaneModeCallback+3Cj
					; PopWnfAirplaneModeCallback+91j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_57D293:				; CODE XREF: PopWnfAirplaneModeCallback+41j
		xor	esi, esi
		jmp	short loc_57D280
PopWnfAirplaneModeCallback endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PnpSerializeBoot()
_PnpSerializeBoot@0 proc near		; CODE XREF: NtSerializeBoot+2Ej
					; IoInitSystem:loc_AC0221p
		cmp	_PnPBootDriversInitialized, 0
		mov	eax, 0C0000001h
		jz	short locret_57D2B6
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _PnpSystemDeviceEnumerationComplete
		call	KeWaitForSingleObject

locret_57D2B6:				; CODE XREF: PnpSerializeBoot()+Cj
		retn
_PnpSerializeBoot@0 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 841. IoGetAffinityInterrupt

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetAffinityInterrupt(x, x)
		public _IoGetAffinityInterrupt@8
_IoGetAffinityInterrupt@8 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		mov	esi, [ebp+arg_0]
		push	eax
		push	dword ptr [esi+34h]
		call	_KeGetProcessorNumberFromIndex@8 ; KeGetProcessorNumberFromIndex(x,x)
		test	eax, eax
		js	short loc_57D2F5
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		push	edi
		mov	edi, ecx
		stosd
		stosd
		stosd
		mov	ax, word ptr [ebp+var_4]
		mov	[ecx+4], ax
		mov	eax, [esi-5Ch]
		mov	[ecx], eax
		xor	eax, eax
		pop	edi

loc_57D2F5:				; CODE XREF: IoGetAffinityInterrupt(x,x)+1Cj
		pop	esi
		leave
		retn	8
_IoGetAffinityInterrupt@8 endp


;  S U B	R O U T	I N E 


; __stdcall InitializeListHeadPte(x, x)
_InitializeListHeadPte@8 proc near	; CODE XREF: MiInitializeSystemCache(x)+17p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, edx
		mov	[esi+10h], edx
		sub	eax, 40000000h
		sar	eax, 3
		cdq
		push	eax
		push	0
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[esi], eax
		mov	[esi+4], edx
		mov	[esi+8], eax
		mov	[esi+0Ch], edx
		pop	esi
		retn
_InitializeListHeadPte@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceEsSetting(x, x, x)
_PopTraceEsSetting@12 proc near		; CODE XREF: PopEsWorker+154p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	dword_6B23F8, 5
		mov	eax, _PopEsMode
		push	esi
		jbe	short loc_57D3A3
		mov	[ebp+var_64], eax
		xor	esi, esi
		lea	eax, [ebp+var_64]
		mov	[ebp+var_38], esi
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_2C], eax
		movzx	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	5
		push	esi
		push	esi
		push	offset loc_41EF71
		push	offset dword_6B23F8
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], esi
		mov	[ebp+var_68], edx
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_57D3A3:				; CODE XREF: PopTraceEsSetting(x,x,x)+1Fj
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopTraceEsSetting@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlWorkerThread proc near		; DATA XREF: FsRtlInitializeWorkerThread()+3Ao

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 005FB193 SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esi+10h]
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	KeSetPriorityThread
		imul	eax, esi, 28h
		lea	ebx, _FsRtlWorkerQueues[eax]

loc_57D3D5:				; CODE XREF: FsRtlWorkerThread+3Dj
		push	0
		push	0
		push	ebx
		call	_KeRemoveQueue@12 ; KeRemoveQueue(x,x,x)
		mov	esi, eax
		push	dword ptr [esi+0Ch]
		call	dword ptr [esi+8]
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jz	short loc_57D3D5
		jmp	loc_5FB193
FsRtlWorkerThread endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 946. IoRegisterPriorityCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoRegisterPriorityCallback
IoRegisterPriorityCallback proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, 200h
		test	[edi+8], eax
		jnz	short loc_57D472
		push	esi
		push	62436F49h
		push	14h
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_57D479
		mov	eax, [ebp+arg_4]
		mov	ecx, esi
		push	ebx
		mov	dword ptr [esi+4], offset _IopBoostThreadCallback@12 ; IopBoostThreadCallback(x,x,x)
		mov	[esi+8], esi
		mov	[esi+10h], edi
		mov	[esi+0Ch], eax
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	eax, offset _IopUpdatePriorityCallbackRoutine
		xor	ebx, ebx
		mov	[ebp+arg_0], eax

loc_57D448:				; CODE XREF: FsRtlWorkerThread+7DE12j
		push	0
		mov	edx, esi
		mov	ecx, eax
		call	ExCompareExchangeCallBack
		test	al, al
		jz	loc_5FB1B5
		lock inc _IopUpdatePriorityCallbackRoutineCount
		or	dword ptr [edi+8], 200h
		xor	eax, eax

loc_57D46B:				; CODE XREF: FsRtlWorkerThread+7DE24j
		pop	ebx

loc_57D46C:				; CODE XREF: IoRegisterPriorityCallback+82j
		pop	esi

loc_57D46D:				; CODE XREF: IoRegisterPriorityCallback+7Bj
		pop	edi
		pop	ebp
		retn	8
; 

loc_57D472:				; CODE XREF: IoRegisterPriorityCallback+11j
		mov	eax, 0C0000718h
		jmp	short loc_57D46D
; 

loc_57D479:				; CODE XREF: IoRegisterPriorityCallback+25j
		mov	eax, 0C000009Ah
		jmp	short loc_57D46C
IoRegisterPriorityCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McGenEventRegister_EtwRegister(x, x, x, x)
_McGenEventRegister_EtwRegister@16 proc	near
					; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x)+FFp
					; PnpDiagInitialize()+11p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	eax, [edx]
		or	eax, [edx+4]
		jnz	short loc_57D4A2
		push	edx
		push	[ebp+arg_0]
		push	offset McGenControlCallbackV2
		push	ecx
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)

loc_57D49E:				; CODE XREF: McGenEventRegister_EtwRegister(x,x,x,x)+24j
		pop	ebp
		retn	8
; 

loc_57D4A2:				; CODE XREF: McGenEventRegister_EtwRegister(x,x,x,x)+Dj
		xor	eax, eax
		jmp	short loc_57D49E
_McGenEventRegister_EtwRegister@16 endp


;  S U B	R O U T	I N E 


PopThermalPollingPowerSettingCallback proc near

; FUNCTION CHUNK AT 005FB1DB SIZE 000000D5 BYTES

		mov	eax, large fs:124h
		push	ebx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopThermalLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	ebx, ebx
		mov	dword_6C2194, eax
		xor	eax, eax
		inc	eax
		cmp	_PopPdcIdleResiliency, bl
		jnz	loc_5FB1DB

loc_57D4DD:				; CODE XREF: PopThermalPollingPowerSettingCallback+7DD3Bj
					; PopThermalPollingPowerSettingCallback+7DD43j
		cmp	_PopThermalPollingMode,	ebx
		jnz	loc_5FB1EE

loc_57D4E9:				; CODE XREF: PopThermalPollingPowerSettingCallback+7DD4Ej
					; PopThermalPollingPowerSettingCallback+7DE05j
		cmp	dword_6C2194, ebx
		jz	short loc_57D4F7
		mov	dword_6C2194, ebx

loc_57D4F7:				; CODE XREF: PopThermalPollingPowerSettingCallback+49j
		xor	edx, edx
		mov	ecx, offset _PopThermalLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	eax, eax
		pop	ebx
		retn	10h
PopThermalPollingPowerSettingCallback endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1827. PsGetThreadHardErrorsAreDisabled

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetThreadHardErrorsAreDisabled(x)
		public _PsGetThreadHardErrorsAreDisabled@4
_PsGetThreadHardErrorsAreDisabled@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	al, [eax+2FCh]
		shr	al, 4
		and	al, 1
		pop	ebp
		retn	4
_PsGetThreadHardErrorsAreDisabled@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlPhase2Initialize proc near		; CODE XREF: INIT:00AC2E16p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FB2B0 SIZE 000000D6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	ecx, [ecx+84h]
		push	ebx
		push	esi
		push	edi
		mov	eax, [ecx+988h]
		mov	esi, [ecx+980h]
		mov	edx, [ecx+984h]
		mov	[ebp+var_20], eax
		mov	eax, [ecx+98Ch]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+990h]
		mov	[ebp+var_18], eax
		mov	eax, [ecx+994h]
		mov	[ebp+var_14], eax
		mov	eax, [ecx+998h]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+99Ch]
		mov	[ebp+var_C], eax
		mov	eax, [ecx+9A0h]
		mov	[ebp+var_28], esi
		or	esi, edx
		mov	[ebp+var_8], eax
		mov	eax, [ecx+9A4h]
		push	0
		mov	[ebp+var_24], edx
		mov	[ebp+var_4], eax
		pop	ebx
		jnz	loc_5FB2B0

loc_57D5A2:				; CODE XREF: HvlPhase2Initialize+7DDB8j
		cmp	ds:_HvlHypervisorConnected, 0
		jnz	loc_5FB2E9

loc_57D5AF:				; CODE XREF: HvlPhase2Initialize+7DE55j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
HvlPhase2Initialize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcWriteHighLowHigh(x, x, x)
_RtlpFcWriteHighLowHigh@12 proc	near	; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+2ABp
					; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+2B7p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	esi, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	[edi+8], esi
		mov	[edi], edx
		mov	[edi+4], esi
		pop	edi
		pop	esi
		test	al, al
		jz	short loc_57D5D9
		sti

loc_57D5D9:				; CODE XREF: RtlpFcWriteHighLowHigh(x,x,x)+20j
		pop	ebp
		retn	8
_RtlpFcWriteHighLowHigh@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ExpHeapGCInitialization()
_ExpHeapGCInitialization@0 proc	near	; CODE XREF: ExpInitSystemPhase1+CFp
		mov	edi, edi
		push	ebx
		push	esi
		push	8
		xor	ebx, ebx
		mov	esi, offset _ExpHpGCTimerCallback@8 ; ExpHpGCTimerCallback(x,x)
		push	ebx
		push	ebx
		push	esi
		call	ExAllocateTimerInternal2
		mov	_ExpHpGCTimerPaged, eax
		test	eax, eax
		jz	short loc_57D628
		push	8
		push	ebx
		push	1
		push	esi
		call	ExAllocateTimerInternal2
		mov	_ExpHpGCTimerNonPaged, eax
		test	eax, eax
		jz	short loc_57D628
		mov	_ExpHpGCScheduledNonPaged, ebx
		mov	_ExpHpGCScheduledPaged,	ebx
		mov	bl, 1
		mov	_ExpHpGCInitialized, 1

loc_57D628:				; CODE XREF: ExpHeapGCInitialization()+1Cj
					; ExpHeapGCInitialization()+30j
		pop	esi
		mov	al, bl
		pop	ebx
		retn
_ExpHeapGCInitialization@0 endp	; sp = -20h

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopPassiveInterruptRealtimeWorker(x)
_IopPassiveInterruptRealtimeWorker@4 proc near
					; DATA XREF: IopCreatePassiveInterruptRealtimeThreads(x,x)+45o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp

loc_57D633:				; CODE XREF: IopPassiveInterruptRealtimeWorker(x)+16j
					; IopPassiveInterruptRealtimeWorker(x)+1Ej
		push	0
		push	0
		push	[ebp+arg_0]
		call	_KeRemoveQueue@12 ; KeRemoveQueue(x,x,x)
		cmp	eax, 80h
		jz	short loc_57D633
		push	dword ptr [eax+0Ch]
		call	dword ptr [eax+8]
		jmp	short loc_57D633
_IopPassiveInterruptRealtimeWorker@4 endp


;  S U B	R O U T	I N E 


; __stdcall WheapInitializeWorkQueue(x,	x)
_WheapInitializeWorkQueue@8 proc near	; CODE XREF: INIT:loc_AC42CEp
		mov	edi, edi
		push	esi
		push	44h		; size_t
		push	0		; int
		mov	esi, offset _WheapWorkQueue
		push	esi		; void *
		call	_memset
		and	dword_6BB408, 0
		add	esp, 0Ch
		mov	dword_6BB404, esi
		mov	_WheapWorkQueue, esi
		push	esi
		push	offset _WheapWorkQueueDpcRoutine@16 ; WheapWorkQueueDpcRoutine(x,x,x,x)
		push	offset unk_6BB410
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		and	dword_6BB430, 0
		mov	dword_6BB43C, esi
		mov	dword_6BB438, offset _WheapWorkQueueWorkerRoutine@4 ; WheapWorkQueueWorkerRoutine(x)
		mov	dword_6BB440, offset _WheapProcessWorkQueueItem@8 ; WheapProcessWorkQueueItem(x,x)
		pop	esi
		retn
_WheapInitializeWorkQueue@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopSwitchForcedShutdownSettingCallback(void *,int,int,int)
_PopSwitchForcedShutdownSettingCallback@16 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, 0C000000Dh
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_ENABLE_SWITCH_FORCED_SHUTDOWN ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_57D6E8
		cmp	[ebp+arg_8], 4
		jnz	short loc_57D6E8
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_57D6E8
		xor	esi, esi
		cmp	[eax], esi
		setnz	byte_6C2D44

loc_57D6E8:				; CODE XREF: PopSwitchForcedShutdownSettingCallback(x,x,x,x)+24j
					; PopSwitchForcedShutdownSettingCallback(x,x,x,x)+2Aj ...
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
_PopSwitchForcedShutdownSettingCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeEtwEnableCallback proc near		; CODE XREF: EtwpKernelProvEnableCallback(x,x,x,x,x,x,x,x,x)+12p

arg_4		= dword	ptr  0Ch
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 005FB386 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	eax, edx
		push	ebx
		and	eax, 20h
		xor	ebx, ebx
		or	eax, ebx
		push	1
		pop	ecx
		jnz	loc_5FB386

loc_57D70F:				; CODE XREF: SeEtwEnableCallback+7DC97j
					; SeEtwEnableCallback+7DCA0j ...
		mov	byte_6D7060, bl
		mov	_SepLearningModeSettings, ebx

loc_57D71B:				; CODE XREF: SeEtwEnableCallback+7DCBFj
		and	edx, 40h
		mov	byte_6D7061, bl
		or	edx, ebx
		jnz	short loc_57D72A
		mov	cl, bl

loc_57D72A:				; CODE XREF: SeEtwEnableCallback+32j
		mov	_SepTokenSidManagementLoggingEnabled, cl
		pop	ebx
		pop	ebp
		retn	1Ch
SeEtwEnableCallback endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1003. IoSetStartIoAttributes

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoSetStartIoAttributes
IoSetStartIoAttributes proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 005FB3B8 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		mov	ecx, [ebp+arg_0]
		jz	short loc_57D755
		mov	eax, [ecx+0B0h]
		or	dword ptr [eax+24h], 100h

loc_57D755:				; CODE XREF: IoSetStartIoAttributes+Cj
		cmp	[ebp+arg_8], 0
		jnz	loc_5FB3B8

loc_57D75F:				; CODE XREF: IoSetStartIoAttributes+7DC8Bj
		pop	ebp
		retn	0Ch
IoSetStartIoAttributes endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnlockPartitionSystemThreads proc near ; CODE	XREF: MiEnablePartitionMappedWrites+D6p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FB3CA SIZE 00000063 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	[ebp+var_28], edx
		lea	eax, [ecx+68h]
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_8], eax
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		mov	ecx, edx
		lock xadd [eax], ecx
		test	cl, 2
		jnz	loc_5FB3CA

loc_57D79E:				; CODE XREF: MiUnlockPartitionSystemThreads+7DC69j
					; MiUnlockPartitionSystemThreads+7DC79j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	eax, 7FFFFFFCh
		jz	loc_57D8F2
		mov	esi, large fs:124h
		mov	ecx, eax
		mov	edx, dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_57D7D6
		cmp	byte ptr dword_6D3994[ecx], 1
		jz	short loc_57D7E4

loc_57D7D6:				; CODE XREF: MiUnlockPartitionSystemThreads+67j
		cmp	eax, [ebp+var_20]
		jb	short loc_57D7F7
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jnz	short loc_57D7F7

loc_57D7E4:				; CODE XREF: MiUnlockPartitionSystemThreads+70j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]

loc_57D7F7:				; CODE XREF: MiUnlockPartitionSystemThreads+75j
					; MiUnlockPartitionSystemThreads+7Ej
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_57D903
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_57D83C
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_57D83C:				; CODE XREF: MiUnlockPartitionSystemThreads+CEj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5FB3F5
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_57D888:				; CODE XREF: MiUnlockPartitionSystemThreads+1A7j
					; MiUnlockPartitionSystemThreads+7DCA3j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_57D8DA
		test	edi, 8000h
		jz	short loc_57D8AC
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_57D8AC:				; CODE XREF: MiUnlockPartitionSystemThreads+13Dj
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5FB40C

loc_57D8B6:				; CODE XREF: MiUnlockPartitionSystemThreads+7DCB2j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_57D8CA
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_57D8CA:				; CODE XREF: MiUnlockPartitionSystemThreads+159j
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5FB41B

loc_57D8DA:				; CODE XREF: MiUnlockPartitionSystemThreads+135j
					; MiUnlockPartitionSystemThreads+7DCC4j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_57D8F2
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_57D8F2
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_57D8F2:				; CODE XREF: MiUnlockPartitionSystemThreads+44j
					; MiUnlockPartitionSystemThreads+17Fj ...
		mov	ecx, [ebp+var_28]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_57D903:				; CODE XREF: MiUnlockPartitionSystemThreads+BCj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_57D888
		jmp	loc_5FB3E2
MiUnlockPartitionSystemThreads endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry   9.
; Exported entry 2598. VslQuerySecureDevice

;  S U B	R O U T	I N E 


; __stdcall VslCapturePgoData(x, x)
		public _VslCapturePgoData@8
_VslCapturePgoData@8 proc near
		mov	eax, 0C000009Dh	; ntoskrnl_9
		retn	8
_VslCapturePgoData@8 endp


;  S U B	R O U T	I N E 


PpmCheckMaintainArtificialDomain proc near

; FUNCTION CHUNK AT 005FB42D SIZE 00000025 BYTES

		cmp	ds:_PpmPerfArtificialDomainEnabled, 0
		jnz	loc_5FB42D

loc_57D931:				; CODE XREF: PpmCheckMaintainArtificialDomain+7DB29j
		mov	al, 1
		retn
PpmCheckMaintainArtificialDomain endp


;  S U B	R O U T	I N E 


; __stdcall PnpDiagnosticTraceDriverInitPhaseStart(x)
_PnpDiagnosticTraceDriverInitPhaseStart@4 proc near ; CODE XREF: INIT:00AC2E47p
		mov	ecx, _PnpEtwHandle
		mov	eax, ecx
		mov	edx, dword_6D4DF4
		or	eax, edx
		jz	short loc_57D95C
		push	0
		push	0
		push	offset _PnpDriverInitPhaseActivityId
		push	(offset	loc_408D7E+2)
		push	edx
		push	ecx
		call	EtwWriteStartScenario
		retn
; 

loc_57D95C:				; CODE XREF: PnpDiagnosticTraceDriverInitPhaseStart(x)+10j
		xor	eax, eax
		retn
_PnpDiagnosticTraceDriverInitPhaseStart@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopIrpWorkerControl proc near		; DATA XREF: PopInitializeIrpWorkers()+9Eo

; FUNCTION CHUNK AT 005FB452 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ebx
		push	esi
		mov	esi, offset _PopIrpWorkerMutex

loc_57D96F:				; CODE XREF: PopIrpWorkerControl+7DB03j
					; PopIrpWorkerControl+7DB10j
		push	0
		push	0
		push	0
		push	0
		push	offset _PopIrpWorkerControlEvent
		xor	bl, bl
		call	KeWaitForSingleObject
		mov	ecx, esi
		call	ExAcquireFastMutex
		mov	_PopIrpWorkerRequested,	bl
		cmp	_PopCreateIrpWorkerAllowed, bl
		jnz	loc_5FB452
		jmp	loc_5FB45A
PopIrpWorkerControl endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlDebuggerSupportInitialize proc near	; CODE XREF: Phase1InitializationDiscard(x)+C2Dp

var_D4		= dword	ptr -0D4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= word ptr -0A4h
var_A2		= word ptr -0A2h
var_A0		= byte ptr -0A0h
var_9D		= byte ptr -9Dh
var_3C		= dword	ptr -3Ch
var_2C		= word ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FB475 SIZE 000002F7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_C0], 0
		and	[ebp+var_BC], 0
		test	byte ptr ds:_HvlpRootFlags, 8
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		jnz	loc_5FB475

loc_57D9D7:				; CODE XREF: HvlDebuggerSupportInitialize+7DAD5j
					; HvlDebuggerSupportInitialize+7DAE0j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
HvlDebuggerSupportInitialize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSetSlabAllocatorPolicy proc near	; CODE XREF: MiMakePartitionActive+173168p
					; MiInitSystem+2D2p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

; FUNCTION CHUNK AT 005FB76C SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		stosd
		stosd
		mov	eax, ds:dword_7051F4
		xor	edi, edi
		inc	edi
		cmp	eax, edi
		jz	short loc_57DA16
		test	ds:_MiFlags, 8000h
		jnz	loc_5FB76C

loc_57DA16:				; CODE XREF: MiSetSlabAllocatorPolicy+1Ej
					; MiSetSlabAllocatorPolicy+7DD95j ...
		pop	edi
		pop	esi
		leave
		retn
MiSetSlabAllocatorPolicy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall SymCryptCpuidExFunc(x, x, x)
@SymCryptCpuidExFunc@12	proc near	; CODE XREF: .text:0058F977p
					; .text:0058F99Ap ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	@SymCryptCpuidExFuncEnvWindowsKernelmodeWin8_1nLater@12	; SymCryptCpuidExFuncEnvWindowsKernelmodeWin8_1nLater(x,x,x)
@SymCryptCpuidExFunc@12	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IoInitializeLiveDump()
_IoInitializeLiveDump@0	proc near	; CODE XREF: INIT:00AC2F13p
		mov	edi, edi
		push	ecx
		push	offset _IopLiveDumpEtwRegHandle
		push	0
		push	offset _IopLiveDumpTracingControlCallback@36 ; IopLiveDumpTracingControlCallback(x,x,x,x,x,x,x,x,x)
		push	offset _LiveDumpProvGuid
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	0
		xor	edx, edx
		mov	ecx, offset dword_6B2CE0
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		pop	ecx
		retn
_IoInitializeLiveDump@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PfLockExclusiveAcquire(x)
_PfLockExclusiveAcquire@4 proc near	; CODE XREF: PfSetSuperfetchInformation+4B8p
					; PfpParametersPropagate(x)+Dp
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_PfLockExclusiveAcquire@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 402. ExQueryTimerResolution

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExQueryTimerResolution(x, x, x)
		public _ExQueryTimerResolution@12
_ExQueryTimerResolution@12 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_KeMaximumIncrement
		mov	[ecx], eax
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_KeMinimumIncrement
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		mov	eax, ds:_KeTimeIncrement
		mov	[ecx], eax
		pop	ebp
		retn	0Ch
_ExQueryTimerResolution@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIntSteerSetTimeUnparkTrigger(x, x, x, x)
_PopIntSteerSetTimeUnparkTrigger@16 proc near

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 4
		jnz	short loc_57DAB4
		mov	eax, [ebp+arg_4]
		and	dword_6B3FEC, 0
		mov	eax, [eax]
		mov	_PpmIntSteerTriggerMax,	eax
		xor	eax, eax

loc_57DAB0:				; CODE XREF: PopIntSteerSetTimeUnparkTrigger(x,x,x,x)+27j
		pop	ebp
		retn	10h
; 

loc_57DAB4:				; CODE XREF: PopIntSteerSetTimeUnparkTrigger(x,x,x,x)+9j
		mov	eax, 0C000000Dh
		jmp	short loc_57DAB0
_PopIntSteerSetTimeUnparkTrigger@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTracingControlCallback(x, x, x, x, x, x,	x, x, x)
_IopLiveDumpTracingControlCallback@36 proc near	; DATA XREF: IoInitializeLiveDump()+Ao

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		mov	ecx, offset _IopLiveDumpEtwEnabled
		cmp	[ebp+arg_4], eax
		setnz	al
		xchg	eax, [ecx]
		pop	ebp
		retn	24h
_IopLiveDumpTracingControlCallback@36 endp


;  S U B	R O U T	I N E 


; __stdcall IopConfigureDiskIoAttribution()
_IopConfigureDiskIoAttribution@0 proc near ; CODE XREF:	INIT:00AC29F1p
		mov	eax, _IopDiskIoAttributionBaseIoSize
		mov	ecx, 400000h
		cmp	eax, ecx
		jnb	short loc_57DAEC

loc_57DAE2:				; CODE XREF: IopConfigureDiskIoAttribution()+1Fj
		mov	ecx, 1000h
		cmp	eax, ecx
		jbe	short loc_57DAF5
		retn
; 

loc_57DAEC:				; CODE XREF: IopConfigureDiskIoAttribution()+Cj
		mov	eax, ecx
		mov	_IopDiskIoAttributionBaseIoSize, eax
		jmp	short loc_57DAE2
; 

loc_57DAF5:				; CODE XREF: IopConfigureDiskIoAttribution()+15j
		mov	_IopDiskIoAttributionBaseIoSize, ecx
		retn
_IopConfigureDiskIoAttribution@0 endp


;  S U B	R O U T	I N E 


PopCheckForAbnormalReset proc near	; CODE XREF: PoInitSystem+6D6p

; FUNCTION CHUNK AT 005FB7E2 SIZE 00000021 BYTES

		call	off_6B13B0	; BiIsLogEnabled()
		test	al, al
		jnz	loc_5FB7F8
		mov	eax, _PoOffCrashConfigTable
		cmp	eax, 1
		jnb	loc_5FB7E2

locret_57DB18:				; CODE XREF: PopCheckForAbnormalReset+7DCE9j
					; PopCheckForAbnormalReset+7DCF6j
		retn
PopCheckForAbnormalReset endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIntSteerSetPerProcTrigger(x, x, x, x)
_PopIntSteerSetPerProcTrigger@16 proc near

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 4
		jnz	short loc_57DB35
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		mov	_PpmIntSteerLoadMax, eax
		xor	eax, eax

loc_57DB31:				; CODE XREF: PopIntSteerSetPerProcTrigger(x,x,x,x)+20j
		pop	ebp
		retn	10h
; 

loc_57DB35:				; CODE XREF: PopIntSteerSetPerProcTrigger(x,x,x,x)+9j
		mov	eax, 0C000000Dh
		jmp	short loc_57DB31
_PopIntSteerSetPerProcTrigger@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiEmptyKernelStackCache	proc near	; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+481p
					; MiScrubNode(x)+DFp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FB803 SIZE 000000A0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		test	ds:_MiFlags, 800h
		push	ebx
		push	esi
		push	edi
		jnz	loc_5FB803

loc_57DB57:				; CODE XREF: MiEmptyKernelStackCache+7DD05j
					; MiEmptyKernelStackCache+7DD62j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiEmptyKernelStackCache	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1077. KdPollBreakIn

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KdPollBreakIn
KdPollBreakIn	proc near		; CODE XREF: KdCheckForDebugBreak:loc_5DE86Ap
					; KiSystemStartup(x)+1C0p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	_KdPitchDebugger, 0
		jz	sub_5FB8A3
		cmp	_KdEventLoggingEnabled,	0
		jnz	sub_5FB8A3
		xor	al, al
		leave
		retn
KdPollBreakIn	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1080. KdRefreshDebuggerNotPresent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KdRefreshDebuggerNotPresent
KdRefreshDebuggerNotPresent proc near	; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+6F4p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FB9D0 SIZE 0000004C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		cmp	_KdPitchDebugger, 0
		push	ebx
		jz	loc_5FB9D0

loc_57DBAA:				; CODE XREF: KdRefreshDebuggerNotPresent+7DE4Bj
		mov	al, 1

loc_57DBAC:				; CODE XREF: KdRefreshDebuggerNotPresent+7DE8Bj
		pop	ebx
		leave
		retn
KdRefreshDebuggerNotPresent endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiLockPartitionSystemThreads(x, x)
_MiLockPartitionSystemThreads@8	proc near ; CODE XREF: MiEnablePartitionMappedWrites+65p
		dec	word ptr [edx+13Eh]
		nop
		add	ecx, 68h
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_MiLockPartitionSystemThreads@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsQueryCpuQuotaInformation proc	near	; CODE XREF: PAGE:00780FEBp

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005FBA1C SIZE 0000005C BYTES
; FUNCTION CHUNK AT 005FBA8E SIZE 0000005F BYTES
; FUNCTION CHUNK AT 005FBB11 SIZE 0000002E BYTES

		push	18h
		push	offset dword_6A77A8
		call	__SEH_prolog4
		mov	edi, edx
		mov	[ebp+var_1C], ecx
		cmp	ds:_PsCpuFairShareEnabled, 0
		jnz	loc_5FBA1C
		mov	eax, 0C00001A9h

loc_57DBE5:				; CODE XREF: PsQueryCpuQuotaInformation+7DE7Dj
					; PsQueryCpuQuotaInformation+7DED6j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
PsQueryCpuQuotaInformation endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ExpDebuggerDpcRoutine(x, x,	x, x)
_ExpDebuggerDpcRoutine@16 proc near	; DATA XREF: ExpWorkerInitialization+C2o
		push	1
		push	offset _ExpDebuggerWorkItem
		call	ExQueueWorkItem
		retn	10h
_ExpDebuggerDpcRoutine@16 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 721. InbvEnableDisplayString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InbvEnableDisplayString(x)
		public _InbvEnableDisplayString@4
_InbvEnableDisplayString@4 proc	near	; CODE XREF: Phase1InitializationDiscard(x)+27Cp

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	cl, [ebp+arg_0]
		mov	al, byte_6D4D48
		mov	byte_6D4D48, cl
		pop	ebp
		retn	4
_InbvEnableDisplayString@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfLockExclusiveRelease proc near	; CODE XREF: PfSetSuperfetchInformation+4DFp
					; PfpParametersPropagate(x)+ABj

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005FBB65 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_57DC5D
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]

loc_57DC5D:				; CODE XREF: PfLockExclusiveRelease+2Fj
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_57DDB2
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_57DC96
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_57DCA4

loc_57DC96:				; CODE XREF: PfLockExclusiveRelease+67j
		cmp	ecx, [ebp+var_20]
		jb	short loc_57DCB7
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jnz	short loc_57DCB7

loc_57DCA4:				; CODE XREF: PfLockExclusiveRelease+70j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax

loc_57DCB7:				; CODE XREF: PfLockExclusiveRelease+75j
					; PfLockExclusiveRelease+7Ej
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_57DDC0
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_57DCFC
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_57DCFC:				; CODE XREF: PfLockExclusiveRelease+CEj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	loc_5FBB78
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl

loc_57DD48:				; CODE XREF: PfLockExclusiveRelease+1A4j
					; PfLockExclusiveRelease+7DF66j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_57DD9A
		test	edi, 8000h
		jz	short loc_57DD6C
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_57DD6C:				; CODE XREF: PfLockExclusiveRelease+13Dj
		test	byte ptr [ebp+var_10+2], 1
		jnz	loc_5FBB8F

loc_57DD76:				; CODE XREF: PfLockExclusiveRelease+7DF75j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_57DD8A
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_57DD8A:				; CODE XREF: PfLockExclusiveRelease+159j
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_5FBB9E

loc_57DD9A:				; CODE XREF: PfLockExclusiveRelease+135j
					; PfLockExclusiveRelease+7DF87j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_57DDB2
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_57DDB2
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_57DDB2:				; CODE XREF: PfLockExclusiveRelease+44j
					; PfLockExclusiveRelease+17Fj ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_57DDC0:				; CODE XREF: PfLockExclusiveRelease+BCj
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_57DD48
		jmp	loc_5FBB65
PfLockExclusiveRelease endp

; 
		align 8
; Exported entry 722. InbvInstallDisplayStringFilter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InbvInstallDisplayStringFilter(x)
		public _InbvInstallDisplayStringFilter@4
_InbvInstallDisplayStringFilter@4 proc near ; CODE XREF: Phase1InitializationDiscard(x)+290p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	dword_6D4D50, eax
		pop	ebp
		retn	4
_InbvInstallDisplayStringFilter@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1075. KdGetDebugDevice

;  S U B	R O U T	I N E 


; __stdcall KdGetDebugDevice()
		public _KdGetDebugDevice@0
_KdGetDebugDevice@0 proc near
		mov	eax, offset _KdDebugDevice
		retn
_KdGetDebugDevice@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __fastcall __security_check_cookie(x)
@__security_check_cookie@4 proc	near	; CODE XREF: PoTraceSystemTimerResolutionUpdate+4Fp
					; ExpUpdateTimerConfiguration(x,x,x)+60p ...

; FUNCTION CHUNK AT 005A3320 SIZE 00000028 BYTES

		cmp	ecx, ___security_cookie
		jnz	short loc_57DE0B
		retn	0
; 

loc_57DE0B:				; CODE XREF: __security_check_cookie(x)+6j
		jmp	___report_gsfailure
@__security_check_cookie@4 endp


;  S U B	R O U T	I N E 


; __stdcall ZwAccessCheck(x, x,	x, x, x, x, x, x)
_ZwAccessCheck@32 proc near

arg_0		= dword	ptr  4

		mov	eax, 0
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	20h
_ZwAccessCheck@32 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwWorkerFactoryWorkerReady(x)
_ZwWorkerFactoryWorkerReady@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 1
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwWorkerFactoryWorkerReady@4 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwAcceptConnectPort(x, x, x, x, x, x)
_ZwAcceptConnectPort@24	proc near	; CODE XREF: SepRmLsaConnectRequest+ECp
					; SepRmLsaConnectRequest+8CFA0p

arg_0		= dword	ptr  4

		mov	eax, 2
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwAcceptConnectPort@24	endp ; sp = -8

; Exported entry 2892. ZwYieldExecution

;  S U B	R O U T	I N E 


; __stdcall ZwYieldExecution()
		public _ZwYieldExecution@0
_ZwYieldExecution@0 proc near

arg_0		= dword	ptr  4

		mov	eax, 3
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn
_ZwYieldExecution@0 endp ; sp =	-8

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ZwWriteVirtualMemory(x, x, x, x, x)
_ZwWriteVirtualMemory@20 proc near	; CODE XREF: SepAdtCopyToLsaSharedMemory(x,x,x,x)+46p

arg_0		= dword	ptr  4

		mov	eax, 4
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwWriteVirtualMemory@20 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwWriteRequestData(x, x, x,	x, x, x)
_ZwWriteRequestData@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 5
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwWriteRequestData@24 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwWriteFileGather(x, x, x, x, x, x,	x, x, x)
_ZwWriteFileGather@36 proc near

arg_0		= dword	ptr  4

		mov	eax, 6
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwWriteFileGather@36 endp ; sp	= -8

; Exported entry 2891. ZwWriteFile

;  S U B	R O U T	I N E 


; __stdcall ZwWriteFile(x, x, x, x, x, x, x, x,	x)
		public _ZwWriteFile@36
_ZwWriteFile@36	proc near		; CODE XREF: CmpDoFileWrite+109p
					; EtwpFinalizeHeader+1EEp ...

arg_0		= dword	ptr  4

		mov	eax, 7
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwWriteFile@36	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwWaitLowEventPair(x)
_ZwWaitLowEventPair@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 8
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwWaitLowEventPair@4 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwWaitHighEventPair(x)
_ZwWaitHighEventPair@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 9
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwWaitHighEventPair@4 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwWaitForWorkViaWorkerFactory(x, x,	x, x, x)
_ZwWaitForWorkViaWorkerFactory@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwWaitForWorkViaWorkerFactory@20 endp ; sp = -8

; Exported entry 2890. ZwWaitForSingleObject

;  S U B	R O U T	I N E 


; __stdcall ZwWaitForSingleObject(x, x,	x)
		public _ZwWaitForSingleObject@12
_ZwWaitForSingleObject@12 proc near	; CODE XREF: PiDrvDbUnloadNodeWaitWorkerCallback(x)+15p
					; CcDeletePartition(x)+2Fp ...

arg_0		= dword	ptr  4

		mov	eax, 0Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwWaitForSingleObject@12 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwWaitForMultipleObjects32(x, x, x,	x, x)
_ZwWaitForMultipleObjects32@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwWaitForMultipleObjects32@20 endp ; sp = -8

; Exported entry 2889. ZwWaitForMultipleObjects

;  S U B	R O U T	I N E 


; __stdcall ZwWaitForMultipleObjects(x,	x, x, x, x)
		public _ZwWaitForMultipleObjects@20
_ZwWaitForMultipleObjects@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwWaitForMultipleObjects@20 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwWaitForKeyedEvent(x, x, x, x)
_ZwWaitForKeyedEvent@16	proc near

arg_0		= dword	ptr  4

		mov	eax, 0Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwWaitForKeyedEvent@16	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwWaitForDebugEvent(x, x, x, x)
_ZwWaitForDebugEvent@16	proc near

arg_0		= dword	ptr  4

		mov	eax, 0Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwWaitForDebugEvent@16	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwWaitForAlertByThreadId(x,	x)
_ZwWaitForAlertByThreadId@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 10h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwWaitForAlertByThreadId@8 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwVdmControl(x, x)
_ZwVdmControl@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 11h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwVdmControl@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwUnsubscribeWnfStateChange(x)
_ZwUnsubscribeWnfStateChange@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 12h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwUnsubscribeWnfStateChange@4 endp ; sp = -8

; Exported entry 2888. ZwUpdateWnfStateData

;  S U B	R O U T	I N E 


; __stdcall ZwUpdateWnfStateData(x, x, x, x, x,	x, x)
		public _ZwUpdateWnfStateData@28
_ZwUpdateWnfStateData@28 proc near	; CODE XREF: FsRtlSendModernAppTermination+5Dp
					; sub_5DF8EC+11p ...

arg_0		= dword	ptr  4

		mov	eax, 13h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	1Ch
_ZwUpdateWnfStateData@28 endp ;	sp = -8

; Exported entry 2887. ZwUnmapViewOfSection

;  S U B	R O U T	I N E 


; __stdcall ZwUnmapViewOfSection(x, x)
		public _ZwUnmapViewOfSection@8
_ZwUnmapViewOfSection@8	proc near	; CODE XREF: CmpUnJoinClassOfTrust(x)+3Cp
					; RtlFileMapFree+924FDp ...

arg_0		= dword	ptr  4

		mov	eax, 14h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwUnmapViewOfSection@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwUnmapViewOfSectionEx(x, x, x)
_ZwUnmapViewOfSectionEx@12 proc	near

arg_0		= dword	ptr  4

		mov	eax, 15h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwUnmapViewOfSectionEx@12 endp	; sp = -8

; Exported entry 2886. ZwUnlockVirtualMemory

;  S U B	R O U T	I N E 


; __stdcall ZwUnlockVirtualMemory(x, x,	x, x)
		public _ZwUnlockVirtualMemory@16
_ZwUnlockVirtualMemory@16 proc near	; CODE XREF: CmSiUnlockViewOfSection(x,x,x,x)+1Ep
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+79p ...

arg_0		= dword	ptr  4

		mov	eax, 16h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwUnlockVirtualMemory@16 endp ; sp = -8

; Exported entry 2885. ZwUnlockFile

;  S U B	R O U T	I N E 


; __stdcall ZwUnlockFile(x, x, x, x, x)
		public _ZwUnlockFile@20
_ZwUnlockFile@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 17h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwUnlockFile@20 endp ;	sp = -8

; Exported entry 2884. ZwUnloadKeyEx

;  S U B	R O U T	I N E 


; __stdcall ZwUnloadKeyEx(x, x)
		public _ZwUnloadKeyEx@8
_ZwUnloadKeyEx@8 proc near		; CODE XREF: PiDrvDbUnloadHive+31p

arg_0		= dword	ptr  4

		mov	eax, 18h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwUnloadKeyEx@8 endp ;	sp = -8

; Exported entry 2882. ZwUnloadKey2

;  S U B	R O U T	I N E 


; __stdcall ZwUnloadKey2(x, x)
		public _ZwUnloadKey2@8
_ZwUnloadKey2@8	proc near		; CODE XREF: BiUnloadHiveByName+92p
					; VrpUnloadDifferencingHive+18F9B4p ...

arg_0		= dword	ptr  4

		mov	eax, 19h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwUnloadKey2@8	endp ; sp = -8

; Exported entry 2883. ZwUnloadKey

;  S U B	R O U T	I N E 


; __stdcall ZwUnloadKey(x)
		public _ZwUnloadKey@4
_ZwUnloadKey@4	proc near		; CODE XREF: VrpUnloadDifferencingHive+A7p
					; BiUnloadHiveByName+B6p ...

arg_0		= dword	ptr  4

		mov	eax, 1Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwUnloadKey@4	endp ; sp = -8

; Exported entry 2881. ZwUnloadDriver

;  S U B	R O U T	I N E 


; __stdcall ZwUnloadDriver(x)
		public _ZwUnloadDriver@4
_ZwUnloadDriver@4 proc near		; CODE XREF: PAGE:007B45A5p
					; IopUnloadDriver+2E5p	...

arg_0		= dword	ptr  4

		mov	eax, 1Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwUnloadDriver@4 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwUmsThreadYield(x)
_ZwUmsThreadYield@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 1Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwUmsThreadYield@4 endp ; sp =	-8

; Exported entry 2880. ZwTranslateFilePath

;  S U B	R O U T	I N E 


; __stdcall ZwTranslateFilePath(x, x, x, x)
		public _ZwTranslateFilePath@16
_ZwTranslateFilePath@16	proc near	; CODE XREF: ExpSetBootEntry(x,x,x)+24Dp
					; ExpSetBootEntry(x,x,x)+2A3p ...

arg_0		= dword	ptr  4

		mov	eax, 1Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwTranslateFilePath@16	endp ; sp = -8

; Exported entry 2879. ZwTraceEvent

;  S U B	R O U T	I N E 


; __stdcall ZwTraceEvent(x, x, x, x)
		public _ZwTraceEvent@16
_ZwTraceEvent@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 1Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwTraceEvent@16 endp ;	sp = -8

; Exported entry 2878. ZwTraceControl

;  S U B	R O U T	I N E 


; __stdcall ZwTraceControl(x, x, x, x, x, x)
		public _ZwTraceControl@24
_ZwTraceControl@24 proc	near		; CODE XREF: EtwWriteStartScenario+EFp

arg_0		= dword	ptr  4

		mov	eax, 1Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwTraceControl@24 endp	; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwThawTransactions()
_ZwThawTransactions@0 proc near

arg_0		= dword	ptr  4

		mov	eax, 20h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn
_ZwThawTransactions@0 endp ; sp	= -8

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ZwThawRegistry()
_ZwThawRegistry@0 proc near

arg_0		= dword	ptr  4

		mov	eax, 21h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn
_ZwThawRegistry@0 endp ; sp = -8

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ZwTestAlert()
_ZwTestAlert@0	proc near

arg_0		= dword	ptr  4

		mov	eax, 22h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn
_ZwTestAlert@0	endp ; sp = -8

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ZwTerminateThread(x, x)
_ZwTerminateThread@8 proc near		; CODE XREF: RtlAssert(x,x,x,x)+AAp

arg_0		= dword	ptr  4

		mov	eax, 23h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwTerminateThread@8 endp ; sp = -8

; Exported entry 2877. ZwTerminateProcess

;  S U B	R O U T	I N E 


; __stdcall ZwTerminateProcess(x, x)
		public _ZwTerminateProcess@8
_ZwTerminateProcess@8 proc near		; CODE XREF: KiDispatchException+68Cp

arg_0		= dword	ptr  4

		mov	eax, 24h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwTerminateProcess@8 endp ; sp	= -8

; Exported entry 2876. ZwTerminateJobObject

;  S U B	R O U T	I N E 


; __stdcall ZwTerminateJobObject(x, x)
		public _ZwTerminateJobObject@8
_ZwTerminateJobObject@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 25h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwTerminateJobObject@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwTerminateEnclave(x, x)
_ZwTerminateEnclave@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 26h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwTerminateEnclave@8 endp ; sp	= -8

; Exported entry 2875. ZwSystemDebugControl

;  S U B	R O U T	I N E 


; __stdcall ZwSystemDebugControl(x, x, x, x, x,	x)
		public _ZwSystemDebugControl@24
_ZwSystemDebugControl@24 proc near	; CODE XREF: PAGE:007A2D16p
					; PspLocateSystemDll+4Bp

arg_0		= dword	ptr  4

		mov	eax, 27h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwSystemDebugControl@24 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSuspendThread(x, x)
_ZwSuspendThread@8 proc	near

arg_0		= dword	ptr  4

		mov	eax, 28h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwSuspendThread@8 endp	; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSuspendProcess(x)
_ZwSuspendProcess@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 29h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwSuspendProcess@4 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwSubscribeWnfStateChange(x, x, x, x)
_ZwSubscribeWnfStateChange@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 2Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSubscribeWnfStateChange@16 endp ; sp	= -8

; Exported entry 2874. ZwStopProfile

;  S U B	R O U T	I N E 


; __stdcall ZwStopProfile(x)
		public _ZwStopProfile@4
_ZwStopProfile@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 2Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwStopProfile@4 endp ;	sp = -8

; Exported entry 2873. ZwStartProfile

;  S U B	R O U T	I N E 


; __stdcall ZwStartProfile(x)
		public _ZwStartProfile@4
_ZwStartProfile@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 2Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwStartProfile@4 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSinglePhaseReject(x, x)
_ZwSinglePhaseReject@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 2Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwSinglePhaseReject@8 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSignalAndWaitForSingleObject(x, x, x, x)
_ZwSignalAndWaitForSingleObject@16 proc	near

arg_0		= dword	ptr  4

		mov	eax, 2Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSignalAndWaitForSingleObject@16 endp	; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwShutdownWorkerFactory(x, x)
_ZwShutdownWorkerFactory@8 proc	near

arg_0		= dword	ptr  4

		mov	eax, 2Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwShutdownWorkerFactory@8 endp	; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwShutdownSystem(x)
_ZwShutdownSystem@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 30h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwShutdownSystem@4 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwSetWnfProcessNotificationEvent(x)
_ZwSetWnfProcessNotificationEvent@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 31h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwSetWnfProcessNotificationEvent@4 endp ; sp =	-8

; Exported entry 2872. ZwSetVolumeInformationFile

;  S U B	R O U T	I N E 


; __stdcall ZwSetVolumeInformationFile(x, x, x,	x, x)
		public _ZwSetVolumeInformationFile@20
_ZwSetVolumeInformationFile@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 32h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwSetVolumeInformationFile@20 endp ; sp = -8

; Exported entry 2871. ZwSetValueKey

;  S U B	R O U T	I N E 


; __stdcall ZwSetValueKey(x, x,	x, x, x, x)
		public _ZwSetValueKey@24
_ZwSetValueKey@24 proc near		; CODE XREF: BiZwSetValueKey(x,x,x,x,x,x)+12p
					; CmpSetSystemRegistryString(x,x,x)+3Cp ...

arg_0		= dword	ptr  4

		mov	eax, 33h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwSetValueKey@24 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetUuidSeed(x)
_ZwSetUuidSeed@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 34h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwSetUuidSeed@4 endp ;	sp = -8

; Exported entry 2870. ZwSetTimerResolution

;  S U B	R O U T	I N E 


; __stdcall ZwSetTimerResolution(x, x, x)
		public _ZwSetTimerResolution@12
_ZwSetTimerResolution@12 proc near	; CODE XREF: VdmpDelayInterrupt(x)+10Cp
					; VdmpDelayInterrupt(x)+154p ...

arg_0		= dword	ptr  4

		mov	eax, 35h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwSetTimerResolution@12 endp ;	sp = -8

; Exported entry 2869. ZwSetTimerEx

;  S U B	R O U T	I N E 


; __stdcall ZwSetTimerEx(x, x, x, x)
		public _ZwSetTimerEx@16
_ZwSetTimerEx@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 36h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetTimerEx@16 endp ;	sp = -8

; Exported entry 2868. ZwSetTimer

;  S U B	R O U T	I N E 


; __stdcall ZwSetTimer(x, x, x,	x, x, x, x)
		public _ZwSetTimer@28
_ZwSetTimer@28	proc near

arg_0		= dword	ptr  4

		mov	eax, 37h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	1Ch
_ZwSetTimer@28	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetThreadExecutionState(x, x)
_ZwSetThreadExecutionState@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 38h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwSetThreadExecutionState@8 endp ; sp = -8

; Exported entry 2867. ZwSetSystemTime

;  S U B	R O U T	I N E 


; __stdcall ZwSetSystemTime(x, x)
		public _ZwSetSystemTime@8
_ZwSetSystemTime@8 proc	near		; CODE XREF: ExpTimeZoneInitSiloState(x)+B5p
					; ExpTimeZoneWork(x)+29p ...

arg_0		= dword	ptr  4

		mov	eax, 39h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwSetSystemTime@8 endp	; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetSystemPowerState(x, x,	x)
_ZwSetSystemPowerState@12 proc near	; CODE XREF: PAGELK:0071EB3Ap
					; PopIssueActionRequest+239p ...

arg_0		= dword	ptr  4

		mov	eax, 3Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwSetSystemPowerState@12 endp ; sp = -8

; Exported entry 2866. ZwSetSystemInformation

;  S U B	R O U T	I N E 


; __stdcall ZwSetSystemInformation(x, x, x)
		public _ZwSetSystemInformation@12
_ZwSetSystemInformation@12 proc	near	; CODE XREF: SmKmStoreTerminateWorker(x)+2C1p
					; IoShutdownSystem(x)+D6p ...

arg_0		= dword	ptr  4

		mov	eax, 3Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwSetSystemInformation@12 endp	; sp = -8

; Exported entry 2865. ZwSetSystemEnvironmentValueEx

;  S U B	R O U T	I N E 


; __stdcall ZwSetSystemEnvironmentValueEx(x, x,	x, x, x)
		public _ZwSetSystemEnvironmentValueEx@20
_ZwSetSystemEnvironmentValueEx@20 proc near ; CODE XREF: BiDeleteEfiVariable(x)+9Dp

arg_0		= dword	ptr  4

		mov	eax, 3Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwSetSystemEnvironmentValueEx@20 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetSystemEnvironmentValue(x, x)
_ZwSetSystemEnvironmentValue@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 3Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwSetSystemEnvironmentValue@8 endp ; sp = -8

; Exported entry 2864. ZwSetSecurityObject

;  S U B	R O U T	I N E 


; __stdcall ZwSetSecurityObject(x, x, x)
		public _ZwSetSecurityObject@12
_ZwSetSecurityObject@12	proc near	; CODE XREF: BiZwSetSecurityObject(x,x,x)+Bp
					; .text:0058FDE5p ...

arg_0		= dword	ptr  4

		mov	eax, 3Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwSetSecurityObject@12	endp ; sp = -8

; Exported entry 2863. ZwSetQuotaInformationFile

;  S U B	R O U T	I N E 


; __stdcall ZwSetQuotaInformationFile(x, x, x, x)
		public _ZwSetQuotaInformationFile@16
_ZwSetQuotaInformationFile@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 3Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetQuotaInformationFile@16 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetLowWaitHighEventPair(x)
_ZwSetLowWaitHighEventPair@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 40h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwSetLowWaitHighEventPair@4 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetLowEventPair(x)
_ZwSetLowEventPair@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 41h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwSetLowEventPair@4 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetLdtEntries(x, x, x, x,	x, x)
_ZwSetLdtEntries@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 42h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwSetLdtEntries@24 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwSetIRTimer(x, x)
_ZwSetIRTimer@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 43h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwSetIRTimer@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetTimer2(x, x, x, x)
_ZwSetTimer2@16	proc near

arg_0		= dword	ptr  4

		mov	eax, 44h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetTimer2@16	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCancelTimer2(x, x)
_ZwCancelTimer2@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 45h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwCancelTimer2@8 endp ; sp = -8

; Exported entry 2862. ZwSetIoCompletionEx

;  S U B	R O U T	I N E 


; __stdcall ZwSetIoCompletionEx(x, x, x, x, x, x)
		public _ZwSetIoCompletionEx@24
_ZwSetIoCompletionEx@24	proc near

arg_0		= dword	ptr  4

		mov	eax, 46h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwSetIoCompletionEx@24	endp ; sp = -8

; Exported entry 2861. ZwSetIoCompletion

;  S U B	R O U T	I N E 


; __stdcall ZwSetIoCompletion(x, x, x, x, x)
		public _ZwSetIoCompletion@20
_ZwSetIoCompletion@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 47h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwSetIoCompletion@20 endp ; sp	= -8

; Exported entry 2860. ZwSetIntervalProfile

;  S U B	R O U T	I N E 


; __stdcall ZwSetIntervalProfile(x, x)
		public _ZwSetIntervalProfile@8
_ZwSetIntervalProfile@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 48h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwSetIntervalProfile@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationWorkerFactory(x, x,	x, x)
_ZwSetInformationWorkerFactory@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 49h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetInformationWorkerFactory@16 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationTransactionManager(x, x, x,	x)
_ZwSetInformationTransactionManager@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 4Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetInformationTransactionManager@16 endp ; sp = -8

; Exported entry 2858. ZwSetInformationTransaction

;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationTransaction(x, x, x, x)
		public _ZwSetInformationTransaction@16
_ZwSetInformationTransaction@16	proc near

arg_0		= dword	ptr  4

		mov	eax, 4Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetInformationTransaction@16	endp ; sp = -8

; Exported entry 2857. ZwSetInformationToken

;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationToken(x, x,	x, x)
		public _ZwSetInformationToken@16
_ZwSetInformationToken@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 4Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetInformationToken@16 endp ; sp = -8

; Exported entry 2856. ZwSetInformationThread

;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationThread(x, x, x, x)
		public _ZwSetInformationThread@16
_ZwSetInformationThread@16 proc	near	; CODE XREF: ExpWorkerFactoryCreateThread+1CDp
					; ExpWorkerFactoryCreateThread+16A854p	...

arg_0		= dword	ptr  4

		mov	eax, 4Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetInformationThread@16 endp	; sp = -8

; Exported entry 2855. ZwSetInformationResourceManager

;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationResourceManager(x, x, x, x)
		public _ZwSetInformationResourceManager@16
_ZwSetInformationResourceManager@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 4Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetInformationResourceManager@16 endp ; sp =	-8

; Exported entry 2854. ZwSetInformationProcess

;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationProcess(x, x, x, x)
		public _ZwSetInformationProcess@16
_ZwSetInformationProcess@16 proc near	; CODE XREF: RtlCreateUserStack+D2p
					; CmpInitializeRegistryProcess()+A7p ...

arg_0		= dword	ptr  4

		mov	eax, 4Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetInformationProcess@16 endp ; sp =	-8

; Exported entry 2853. ZwSetInformationObject

;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationObject(x, x, x, x)
		public _ZwSetInformationObject@16
_ZwSetInformationObject@16 proc	near	; CODE XREF: CmpCmdHiveClose(x)+ECp
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+23Bp ...

arg_0		= dword	ptr  4

		mov	eax, 50h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetInformationObject@16 endp	; sp = -8

; Exported entry 2852. ZwSetInformationKey

;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationKey(x, x, x, x)
		public _ZwSetInformationKey@16
_ZwSetInformationKey@16	proc near	; CODE XREF: IopApplyMutableTagToRegistryKey(x)+46p
					; CmpDoReDoSetKeyUserFlags(x,x)+34p ...

arg_0		= dword	ptr  4

		mov	eax, 51h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetInformationKey@16	endp ; sp = -8

; Exported entry 2851. ZwSetInformationJobObject

;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationJobObject(x, x, x, x)
		public _ZwSetInformationJobObject@16
_ZwSetInformationJobObject@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 52h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetInformationJobObject@16 endp ; sp	= -8

; Exported entry 2850. ZwSetInformationFile

;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationFile(x, x, x, x, x)
		public _ZwSetInformationFile@20
_ZwSetInformationFile@20 proc near	; CODE XREF: CmpDoFileSetSizeEx+B9p
					; CmpCmdHiveClose(x)+A7p ...

arg_0		= dword	ptr  4

		mov	eax, 53h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwSetInformationFile@20 endp ;	sp = -8

; Exported entry 2849. ZwSetInformationEnlistment

;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationEnlistment(x, x, x,	x)
		public _ZwSetInformationEnlistment@16
_ZwSetInformationEnlistment@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 54h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetInformationEnlistment@16 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationDebugObject(x, x, x, x, x)
_ZwSetInformationDebugObject@20	proc near

arg_0		= dword	ptr  4

		mov	eax, 55h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwSetInformationDebugObject@20	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetHighWaitLowEventPair(x)
_ZwSetHighWaitLowEventPair@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 56h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwSetHighWaitLowEventPair@4 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetHighEventPair(x)
_ZwSetHighEventPair@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 57h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwSetHighEventPair@4 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetEventBoostPriority(x)
_ZwSetEventBoostPriority@4 proc	near

arg_0		= dword	ptr  4

		mov	eax, 58h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwSetEventBoostPriority@4 endp	; sp = -8

; Exported entry 2848. ZwSetEvent

;  S U B	R O U T	I N E 


; __stdcall ZwSetEvent(x, x)
		public _ZwSetEvent@8
_ZwSetEvent@8	proc near		; CODE XREF: PiDrvDbLoadNodeWorkerCallback+E325Ep
					; PspShutdownCsrProcess(x,x,x)+196p

arg_0		= dword	ptr  4

		mov	eax, 59h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwSetEvent@8	endp ; sp = -8

; Exported entry 2847. ZwSetEaFile

;  S U B	R O U T	I N E 


; __stdcall ZwSetEaFile(x, x, x, x)
		public _ZwSetEaFile@16
_ZwSetEaFile@16	proc near

arg_0		= dword	ptr  4

		mov	eax, 5Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetEaFile@16	endp ; sp = -8

; Exported entry 2846. ZwSetDriverEntryOrder

;  S U B	R O U T	I N E 


; __stdcall ZwSetDriverEntryOrder(x, x)
		public _ZwSetDriverEntryOrder@8
_ZwSetDriverEntryOrder@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 5Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwSetDriverEntryOrder@8 endp ;	sp = -8

; Exported entry 2845. ZwSetDefaultUILanguage

;  S U B	R O U T	I N E 


; __stdcall ZwSetDefaultUILanguage(x)
		public _ZwSetDefaultUILanguage@4
_ZwSetDefaultUILanguage@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 5Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwSetDefaultUILanguage@4 endp ; sp = -8

; Exported entry 2844. ZwSetDefaultLocale

;  S U B	R O U T	I N E 


; __stdcall ZwSetDefaultLocale(x, x)
		public _ZwSetDefaultLocale@8
_ZwSetDefaultLocale@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 5Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwSetDefaultLocale@8 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetDefaultHardErrorPort(x)
_ZwSetDefaultHardErrorPort@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 5Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwSetDefaultHardErrorPort@4 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetDebugFilterState(x, x,	x)
_ZwSetDebugFilterState@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 5Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwSetDebugFilterState@12 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetContextThread(x, x)
_ZwSetContextThread@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 60h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwSetContextThread@8 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetCachedSigningLevel2(x,	x, x, x, x, x)
_ZwSetCachedSigningLevel2@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 61h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwSetCachedSigningLevel2@24 endp ; sp = -8

; Exported entry 2843. ZwSetCachedSigningLevel

;  S U B	R O U T	I N E 


; __stdcall ZwSetCachedSigningLevel(x, x, x, x,	x)
		public _ZwSetCachedSigningLevel@20
_ZwSetCachedSigningLevel@20 proc near	; CODE XREF: sub_A16F7C+404p

arg_0		= dword	ptr  4

		mov	eax, 62h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwSetCachedSigningLevel@20 endp ; sp =	-8

; Exported entry 2842. ZwSetBootOptions

;  S U B	R O U T	I N E 


; __stdcall ZwSetBootOptions(x,	x)
		public _ZwSetBootOptions@8
_ZwSetBootOptions@8 proc near		; CODE XREF: BiSetBootOptions(x,x)+2Ap

arg_0		= dword	ptr  4

		mov	eax, 63h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwSetBootOptions@8 endp ; sp =	-8

; Exported entry 2841. ZwSetBootEntryOrder

;  S U B	R O U T	I N E 


; __stdcall ZwSetBootEntryOrder(x, x)
		public _ZwSetBootEntryOrder@8
_ZwSetBootEntryOrder@8 proc near	; CODE XREF: BiSetBootEntryOrder(x,x)+2Ap

arg_0		= dword	ptr  4

		mov	eax, 64h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwSetBootEntryOrder@8 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSerializeBoot()
_ZwSerializeBoot@0 proc	near

arg_0		= dword	ptr  4

		mov	eax, 65h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn
_ZwSerializeBoot@0 endp	; sp = -8

; 
		align 4
; Exported entry 2840. ZwSecureConnectPort

;  S U B	R O U T	I N E 


; __stdcall ZwSecureConnectPort(x, x, x, x, x, x, x, x,	x)
		public _ZwSecureConnectPort@36
_ZwSecureConnectPort@36	proc near

arg_0		= dword	ptr  4

		mov	eax, 66h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwSecureConnectPort@36	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSaveMergedKeys(x,	x, x)
_ZwSaveMergedKeys@12 proc near		; CODE XREF: NtSaveMergedKeys(x,x,x)+101p

arg_0		= dword	ptr  4

		mov	eax, 67h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwSaveMergedKeys@12 endp ; sp = -8

; Exported entry 2839. ZwSaveKeyEx

;  S U B	R O U T	I N E 


; __stdcall ZwSaveKeyEx(x, x, x)
		public _ZwSaveKeyEx@12
_ZwSaveKeyEx@12	proc near

arg_0		= dword	ptr  4

		mov	eax, 68h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwSaveKeyEx@12	endp ; sp = -8

; Exported entry 2838. ZwSaveKey

;  S U B	R O U T	I N E 


; __stdcall ZwSaveKey(x, x)
		public _ZwSaveKey@8
_ZwSaveKey@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 69h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwSaveKey@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwRollforwardTransactionManager(x, x)
_ZwRollforwardTransactionManager@8 proc	near

arg_0		= dword	ptr  4

		mov	eax, 6Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwRollforwardTransactionManager@8 endp	; sp = -8

; Exported entry 2837. ZwRollbackTransaction

;  S U B	R O U T	I N E 


; __stdcall ZwRollbackTransaction(x, x)
		public _ZwRollbackTransaction@8
_ZwRollbackTransaction@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 6Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwRollbackTransaction@8 endp ;	sp = -8

; Exported entry 2835. ZwRollbackEnlistment

;  S U B	R O U T	I N E 


; __stdcall ZwRollbackEnlistment(x, x)
		public _ZwRollbackEnlistment@8
_ZwRollbackEnlistment@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 6Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwRollbackEnlistment@8	endp ; sp = -8

; Exported entry 2834. ZwRollbackComplete

;  S U B	R O U T	I N E 


; __stdcall ZwRollbackComplete(x, x)
		public _ZwRollbackComplete@8
_ZwRollbackComplete@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 6Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwRollbackComplete@8 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwRevertContainerImpersonation()
_ZwRevertContainerImpersonation@0 proc near

arg_0		= dword	ptr  4

		mov	eax, 6Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn
_ZwRevertContainerImpersonation@0 endp ; sp = -8

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ZwResumeThread(x, x)
_ZwResumeThread@8 proc near		; CODE XREF: ExpWorkerFactoryCreateThread+10Fp
					; DbgkUserReportWorkRoutine(x)+152p ...

arg_0		= dword	ptr  4

		mov	eax, 6Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwResumeThread@8 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwResumeProcess(x)
_ZwResumeProcess@4 proc	near

arg_0		= dword	ptr  4

		mov	eax, 70h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwResumeProcess@4 endp	; sp = -8

; Exported entry 2833. ZwRestoreKey

;  S U B	R O U T	I N E 


; __stdcall ZwRestoreKey(x, x, x)
		public _ZwRestoreKey@12
_ZwRestoreKey@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 71h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwRestoreKey@12 endp ;	sp = -8

; Exported entry 2832. ZwResetWriteWatch

;  S U B	R O U T	I N E 


; __stdcall ZwResetWriteWatch(x, x, x)
		public _ZwResetWriteWatch@12
_ZwResetWriteWatch@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 72h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwResetWriteWatch@12 endp ; sp	= -8

; Exported entry 2831. ZwResetEvent

;  S U B	R O U T	I N E 


; __stdcall ZwResetEvent(x, x)
		public _ZwResetEvent@8
_ZwResetEvent@8	proc near		; CODE XREF: PfSnVolumeCheckSeekPenalty+3Cp
					; PiDrvDbLoadNodeWorkerCallback+BCp ...

arg_0		= dword	ptr  4

		mov	eax, 73h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwResetEvent@8	endp ; sp = -8

; Exported entry 2830. ZwRequestWaitReplyPort

;  S U B	R O U T	I N E 


; __stdcall ZwRequestWaitReplyPort(x, x, x)
		public _ZwRequestWaitReplyPort@12
_ZwRequestWaitReplyPort@12 proc	near	; CODE XREF: SepRmDispatchDataToLsa+82061p

arg_0		= dword	ptr  4

		mov	eax, 74h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwRequestWaitReplyPort@12 endp	; sp = -8

; Exported entry 2829. ZwRequestPort

;  S U B	R O U T	I N E 


; __stdcall ZwRequestPort(x, x)
		public _ZwRequestPort@8
_ZwRequestPort@8 proc near		; CODE XREF: SepRmDispatchDataToLsa+F6p

arg_0		= dword	ptr  4

		mov	eax, 75h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwRequestPort@8 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwReplyWaitReplyPort(x, x)
_ZwReplyWaitReplyPort@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 76h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwReplyWaitReplyPort@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwReplyWaitReceivePortEx(x,	x, x, x, x)
_ZwReplyWaitReceivePortEx@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 77h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwReplyWaitReceivePortEx@20 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwReplyWaitReceivePort(x, x, x, x)
_ZwReplyWaitReceivePort@16 proc	near	; CODE XREF: SepRmCommandServerThread+A6p

arg_0		= dword	ptr  4

		mov	eax, 78h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwReplyWaitReceivePort@16 endp	; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwReplyPort(x, x)
_ZwReplyPort@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 79h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwReplyPort@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwReplacePartitionUnit(x, x, x)
_ZwReplacePartitionUnit@12 proc	near

arg_0		= dword	ptr  4

		mov	eax, 7Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwReplacePartitionUnit@12 endp	; sp = -8

; Exported entry 2828. ZwReplaceKey

;  S U B	R O U T	I N E 


; __stdcall ZwReplaceKey(x, x, x)
		public _ZwReplaceKey@12
_ZwReplaceKey@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 7Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwReplaceKey@12 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwRenameTransactionManager(x, x)
_ZwRenameTransactionManager@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 7Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwRenameTransactionManager@8 endp ; sp	= -8

; Exported entry 2827. ZwRenameKey

;  S U B	R O U T	I N E 


; __stdcall ZwRenameKey(x, x)
		public _ZwRenameKey@8
_ZwRenameKey@8	proc near		; CODE XREF: CmpDoReDoRenameKey(x,x)+2Dp

arg_0		= dword	ptr  4

		mov	eax, 7Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwRenameKey@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwRemoveProcessDebug(x, x)
_ZwRemoveProcessDebug@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 7Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwRemoveProcessDebug@8	endp ; sp = -8

; Exported entry 2826. ZwRemoveIoCompletionEx

;  S U B	R O U T	I N E 


; __stdcall ZwRemoveIoCompletionEx(x, x, x, x, x, x)
		public _ZwRemoveIoCompletionEx@24
_ZwRemoveIoCompletionEx@24 proc	near

arg_0		= dword	ptr  4

		mov	eax, 7Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwRemoveIoCompletionEx@24 endp	; sp = -8

; Exported entry 2825. ZwRemoveIoCompletion

;  S U B	R O U T	I N E 


; __stdcall ZwRemoveIoCompletion(x, x, x, x, x)
		public _ZwRemoveIoCompletion@20
_ZwRemoveIoCompletion@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 80h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwRemoveIoCompletion@20 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwReleaseWorkerFactoryWorker(x)
_ZwReleaseWorkerFactoryWorker@4	proc near

arg_0		= dword	ptr  4

		mov	eax, 81h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwReleaseWorkerFactoryWorker@4	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwReleaseSemaphore(x, x, x)
_ZwReleaseSemaphore@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 82h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwReleaseSemaphore@12 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwReleaseMutant(x, x)
_ZwReleaseMutant@8 proc	near		; CODE XREF: BiReleaseBcdSyncMutant(x)+11p

arg_0		= dword	ptr  4

		mov	eax, 83h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwReleaseMutant@8 endp	; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwReleaseKeyedEvent(x, x, x, x)
_ZwReleaseKeyedEvent@16	proc near

arg_0		= dword	ptr  4

		mov	eax, 84h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwReleaseKeyedEvent@16	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwRegisterThreadTerminatePort(x)
_ZwRegisterThreadTerminatePort@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 85h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwRegisterThreadTerminatePort@4 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwRegisterProtocolAddressInformation(x, x, x, x, x)
_ZwRegisterProtocolAddressInformation@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 86h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwRegisterProtocolAddressInformation@20 endp ;	sp = -8

; Exported entry 2824. ZwRecoverTransactionManager

;  S U B	R O U T	I N E 


; __stdcall ZwRecoverTransactionManager(x)
		public _ZwRecoverTransactionManager@4
_ZwRecoverTransactionManager@4 proc near ; CODE	XREF: CmpInitCmRM+451p

arg_0		= dword	ptr  4

		mov	eax, 87h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwRecoverTransactionManager@4 endp ; sp = -8

; Exported entry 2823. ZwRecoverResourceManager

;  S U B	R O U T	I N E 


; __stdcall ZwRecoverResourceManager(x)
		public _ZwRecoverResourceManager@4
_ZwRecoverResourceManager@4 proc near	; CODE XREF: CmpInitCmRM+537p

arg_0		= dword	ptr  4

		mov	eax, 88h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwRecoverResourceManager@4 endp ; sp =	-8

; Exported entry 2822. ZwRecoverEnlistment

;  S U B	R O U T	I N E 


; __stdcall ZwRecoverEnlistment(x, x)
		public _ZwRecoverEnlistment@8
_ZwRecoverEnlistment@8 proc near	; CODE XREF: CmpRecoverEnlistment(x,x,x)+96p

arg_0		= dword	ptr  4

		mov	eax, 89h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwRecoverEnlistment@8 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwReadVirtualMemory(x, x, x, x, x)
_ZwReadVirtualMemory@20	proc near	; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+D1p

arg_0		= dword	ptr  4

		mov	eax, 8Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwReadVirtualMemory@20	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwReadRequestData(x, x, x, x, x, x)
_ZwReadRequestData@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 8Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwReadRequestData@24 endp ; sp	= -8

; Exported entry 2821. ZwReadOnlyEnlistment

;  S U B	R O U T	I N E 


; __stdcall ZwReadOnlyEnlistment(x, x)
		public _ZwReadOnlyEnlistment@8
_ZwReadOnlyEnlistment@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 8Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwReadOnlyEnlistment@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwReadFileScatter(x, x, x, x, x, x,	x, x, x)
_ZwReadFileScatter@36 proc near

arg_0		= dword	ptr  4

		mov	eax, 8Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwReadFileScatter@36 endp ; sp	= -8

; Exported entry 2820. ZwReadFile

;  S U B	R O U T	I N E 


; __stdcall ZwReadFile(x, x, x,	x, x, x, x, x, x)
		public _ZwReadFile@36
_ZwReadFile@36	proc near		; CODE XREF: CmpDoFileRead+8Ap
					; RtlInitializeBootStatDataCache()+3Ap	...

arg_0		= dword	ptr  4

		mov	eax, 8Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwReadFile@36	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwRaiseHardError(x,	x, x, x, x, x)
_ZwRaiseHardError@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 8Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwRaiseHardError@24 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwRaiseException(x,	x, x)
_ZwRaiseException@12 proc near		; CODE XREF: RtlRaiseException(x)+49p
					; .text:005A2F88p ...

arg_0		= dword	ptr  4

		mov	eax, 90h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwRaiseException@12 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueueApcThreadEx(x, x, x,	x, x, x)
_ZwQueueApcThreadEx@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 91h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwQueueApcThreadEx@24 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueueApcThread(x,	x, x, x, x)
_ZwQueueApcThread@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 92h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueueApcThread@20 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueryAuxiliaryCounterFrequency(x)
_ZwQueryAuxiliaryCounterFrequency@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 93h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwQueryAuxiliaryCounterFrequency@4 endp ; sp =	-8

; Exported entry 2818. ZwQueryWnfStateData

;  S U B	R O U T	I N E 


; __stdcall ZwQueryWnfStateData(x, x, x, x, x, x)
		public _ZwQueryWnfStateData@24
_ZwQueryWnfStateData@24	proc near	; CODE XREF: wil_details_StagingConfig_Load+75p
					; wil_details_StagingConfig_Load+88988p ...

arg_0		= dword	ptr  4

		mov	eax, 94h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwQueryWnfStateData@24	endp ; sp = -8

; Exported entry 2819. ZwQueryWnfStateNameInformation

;  S U B	R O U T	I N E 


; __stdcall ZwQueryWnfStateNameInformation(x, x, x, x, x)
		public _ZwQueryWnfStateNameInformation@20
_ZwQueryWnfStateNameInformation@20 proc	near
					; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+F6p
					; RtlRaiseCustomSystemEventTrigger(x)+124p ...

arg_0		= dword	ptr  4

		mov	eax, 95h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryWnfStateNameInformation@20 endp	; sp = -8

; Exported entry 2817. ZwQueryVolumeInformationFile

;  S U B	R O U T	I N E 


; __stdcall ZwQueryVolumeInformationFile(x, x, x, x, x)
		public _ZwQueryVolumeInformationFile@20
_ZwQueryVolumeInformationFile@20 proc near ; CODE XREF:	EtwpFinalizeHeader+4Ep
					; EtwpUpdateFileHeader+46p ...

arg_0		= dword	ptr  4

		mov	eax, 96h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryVolumeInformationFile@20 endp ;	sp = -8

; Exported entry 2816. ZwQueryVirtualMemory

;  S U B	R O U T	I N E 


; __stdcall ZwQueryVirtualMemory(x, x, x, x, x,	x)
		public _ZwQueryVirtualMemory@24
_ZwQueryVirtualMemory@24 proc near	; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+1A6p
					; sub_5DA088+Cp ...

arg_0		= dword	ptr  4

		mov	eax, 97h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwQueryVirtualMemory@24 endp ;	sp = -8

; Exported entry 2815. ZwQueryValueKey

;  S U B	R O U T	I N E 


; __stdcall ZwQueryValueKey(x, x, x, x,	x, x)
		public _ZwQueryValueKey@24
_ZwQueryValueKey@24 proc near		; CODE XREF: BiZwQueryValueKey(x,x,x,x,x,x)+12p
					; PopQueryPowerButtonBugcheckConfiguration+63p	...

arg_0		= dword	ptr  4

		mov	eax, 98h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwQueryValueKey@24 endp ; sp =	-8

; Exported entry 2814. ZwQueryTimerResolution

;  S U B	R O U T	I N E 


; __stdcall ZwQueryTimerResolution(x, x, x)
		public _ZwQueryTimerResolution@12
_ZwQueryTimerResolution@12 proc	near

arg_0		= dword	ptr  4

		mov	eax, 99h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwQueryTimerResolution@12 endp	; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueryTimer(x, x, x, x, x)
_ZwQueryTimer@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 9Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryTimer@20 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQuerySystemTime(x)
_ZwQuerySystemTime@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 9Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwQuerySystemTime@4 endp ; sp = -8

; Exported entry 2813. ZwQuerySystemInformationEx

;  S U B	R O U T	I N E 


; __stdcall ZwQuerySystemInformationEx(x, x, x,	x, x, x)
		public _ZwQuerySystemInformationEx@24
_ZwQuerySystemInformationEx@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 9Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwQuerySystemInformationEx@24 endp ; sp = -8

; Exported entry 2812. ZwQuerySystemInformation

;  S U B	R O U T	I N E 


; __stdcall ZwQuerySystemInformation(x,	x, x, x)
		public _ZwQuerySystemInformation@16
_ZwQuerySystemInformation@16 proc near	; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker+49p
					; ST_STORE_SM_TRAITS___StDmStart+F86B4p ...

arg_0		= dword	ptr  4

		mov	eax, 9Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwQuerySystemInformation@16 endp ; sp = -8

; Exported entry 2811. ZwQuerySystemEnvironmentValueEx

;  S U B	R O U T	I N E 


; __stdcall ZwQuerySystemEnvironmentValueEx(x, x, x, x,	x)
		public _ZwQuerySystemEnvironmentValueEx@20
_ZwQuerySystemEnvironmentValueEx@20 proc near ;	CODE XREF: SepRmVerifyLsaProtectionLevel+63p
					; BiDeleteEfiVariable(x)+6Dp

arg_0		= dword	ptr  4

		mov	eax, 9Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQuerySystemEnvironmentValueEx@20 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwQuerySystemEnvironmentValue(x, x,	x, x)
_ZwQuerySystemEnvironmentValue@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 9Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwQuerySystemEnvironmentValue@16 endp ; sp = -8

; Exported entry 2810. ZwQuerySymbolicLinkObject

;  S U B	R O U T	I N E 


; __stdcall ZwQuerySymbolicLinkObject(x, x, x)
		public _ZwQuerySymbolicLinkObject@12
_ZwQuerySymbolicLinkObject@12 proc near	; CODE XREF: SiTranslateSymbolicLink+8Dp
					; BiTranslateSymbolicLink+76p ...

arg_0		= dword	ptr  4

		mov	eax, 0A0h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwQuerySymbolicLinkObject@12 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwQuerySemaphore(x,	x, x, x, x)
_ZwQuerySemaphore@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0A1h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQuerySemaphore@20 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQuerySecurityPolicy(x, x,	x, x, x, x)
_ZwQuerySecurityPolicy@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 0A2h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwQuerySecurityPolicy@24 endp ; sp = -8

; Exported entry 2809. ZwQuerySecurityObject

;  S U B	R O U T	I N E 


; __stdcall ZwQuerySecurityObject(x, x,	x, x, x)
		public _ZwQuerySecurityObject@20
_ZwQuerySecurityObject@20 proc near	; CODE XREF: RtlIsUntrustedObject+D20AEp
					; RtlIsUntrustedObject+D20EFp ...

arg_0		= dword	ptr  4

		mov	eax, 0A3h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQuerySecurityObject@20 endp ; sp = -8

; Exported entry 2808. ZwQuerySecurityAttributesToken

;  S U B	R O U T	I N E 


; __stdcall ZwQuerySecurityAttributesToken(x, x, x, x, x, x)
		public _ZwQuerySecurityAttributesToken@24
_ZwQuerySecurityAttributesToken@24 proc	near

arg_0		= dword	ptr  4

		mov	eax, 0A4h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwQuerySecurityAttributesToken@24 endp	; sp = -8

; Exported entry 2807. ZwQuerySection

;  S U B	R O U T	I N E 


; __stdcall ZwQuerySection(x, x, x, x, x)
		public _ZwQuerySection@20
_ZwQuerySection@20 proc	near		; CODE XREF: CmSiGetSectionLength(x,x)+20p

arg_0		= dword	ptr  4

		mov	eax, 0A5h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQuerySection@20 endp	; sp = -8

; Exported entry 2806. ZwQueryQuotaInformationFile

;  S U B	R O U T	I N E 


; __stdcall ZwQueryQuotaInformationFile(x, x, x, x, x, x, x, x,	x)
		public _ZwQueryQuotaInformationFile@36
_ZwQueryQuotaInformationFile@36	proc near

arg_0		= dword	ptr  4

		mov	eax, 0A6h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwQueryQuotaInformationFile@36	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueryPortInformationProcess()
_ZwQueryPortInformationProcess@0 proc near

arg_0		= dword	ptr  4

		mov	eax, 0A7h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn
_ZwQueryPortInformationProcess@0 endp ;	sp = -8

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ZwQueryPerformanceCounter(x, x)
_ZwQueryPerformanceCounter@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 0A8h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwQueryPerformanceCounter@8 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueryOpenSubKeysEx(x, x, x, x)
_ZwQueryOpenSubKeysEx@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 0A9h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwQueryOpenSubKeysEx@16 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueryOpenSubKeys(x, x)
_ZwQueryOpenSubKeys@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 0AAh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwQueryOpenSubKeys@8 endp ; sp	= -8

; Exported entry 2805. ZwQueryObject

;  S U B	R O U T	I N E 


; __stdcall ZwQueryObject(x, x,	x, x, x)
		public _ZwQueryObject@20
_ZwQueryObject@20 proc near		; CODE XREF: CmpAddToHiveFileList+6Cp
					; _RegRtlQueryKeyPathName+6Ep ...

arg_0		= dword	ptr  4

		mov	eax, 0ABh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryObject@20 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueryMutant(x, x,	x, x, x)
_ZwQueryMutant@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0ACh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryMutant@20 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueryMultipleValueKey(x, x, x, x,	x, x)
_ZwQueryMultipleValueKey@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 0ADh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwQueryMultipleValueKey@24 endp ; sp =	-8

; Exported entry 2804. ZwQueryLicenseValue

;  S U B	R O U T	I N E 


; __stdcall ZwQueryLicenseValue(x, x, x, x, x)
		public _ZwQueryLicenseValue@20
_ZwQueryLicenseValue@20	proc near	; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+190p
					; RtlGetProductInfo+A5p ...

arg_0		= dword	ptr  4

		mov	eax, 0AEh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryLicenseValue@20	endp ; sp = -8

; Exported entry 2803. ZwQueryKey

;  S U B	R O U T	I N E 


; __stdcall ZwQueryKey(x, x, x,	x, x)
		public _ZwQueryKey@20
_ZwQueryKey@20	proc near		; CODE XREF: BiZwQueryKey(x,x,x,x,x)+10p
					; BiOpenStoreKeyFromObject(x,x)+5Ap ...

arg_0		= dword	ptr  4

		mov	eax, 0AFh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryKey@20	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueryIoCompletion(x, x, x, x, x)
_ZwQueryIoCompletion@20	proc near

arg_0		= dword	ptr  4

		mov	eax, 0B0h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryIoCompletion@20	endp ; sp = -8

; Exported entry 2802. ZwQueryIntervalProfile

;  S U B	R O U T	I N E 


; __stdcall ZwQueryIntervalProfile(x, x)
		public _ZwQueryIntervalProfile@8
_ZwQueryIntervalProfile@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 0B1h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwQueryIntervalProfile@8 endp ; sp = -8

; Exported entry 2801. ZwQueryInstallUILanguage

;  S U B	R O U T	I N E 


; __stdcall ZwQueryInstallUILanguage(x)
		public _ZwQueryInstallUILanguage@4
_ZwQueryInstallUILanguage@4 proc near	; CODE XREF: _RtlpMuiRegLoadInstalled+1Dp

arg_0		= dword	ptr  4

		mov	eax, 0B2h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwQueryInstallUILanguage@4 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwQueryInformationWorkerFactory(x, x, x, x,	x)
_ZwQueryInformationWorkerFactory@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0B3h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryInformationWorkerFactory@20 endp ; sp =	-8

; Exported entry 2800. ZwQueryInformationTransactionManager

;  S U B	R O U T	I N E 


; __stdcall ZwQueryInformationTransactionManager(x, x, x, x, x)
		public _ZwQueryInformationTransactionManager@20
_ZwQueryInformationTransactionManager@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0B4h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryInformationTransactionManager@20 endp ;	sp = -8

; Exported entry 2799. ZwQueryInformationTransaction

;  S U B	R O U T	I N E 


; __stdcall ZwQueryInformationTransaction(x, x,	x, x, x)
		public _ZwQueryInformationTransaction@20
_ZwQueryInformationTransaction@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0B5h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryInformationTransaction@20 endp ; sp = -8

; Exported entry 2798. ZwQueryInformationToken

;  S U B	R O U T	I N E 


; __stdcall ZwQueryInformationToken(x, x, x, x,	x)
		public _ZwQueryInformationToken@20
_ZwQueryInformationToken@20 proc near	; CODE XREF: RtlCheckTokenCapability(x,x,x)+14Cp
					; OpenGlobalizationUserSettingsKey_ForMua+66p ...

arg_0		= dword	ptr  4

		mov	eax, 0B6h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryInformationToken@20 endp ; sp =	-8

; Exported entry 2797. ZwQueryInformationThread

;  S U B	R O U T	I N E 


; __stdcall ZwQueryInformationThread(x,	x, x, x, x)
		public _ZwQueryInformationThread@20
_ZwQueryInformationThread@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0B7h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryInformationThread@20 endp ; sp = -8

; Exported entry 2796. ZwQueryInformationResourceManager

;  S U B	R O U T	I N E 


; __stdcall ZwQueryInformationResourceManager(x, x, x, x, x)
		public _ZwQueryInformationResourceManager@20
_ZwQueryInformationResourceManager@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0B8h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryInformationResourceManager@20 endp ; sp	= -8

; Exported entry 2795. ZwQueryInformationProcess

;  S U B	R O U T	I N E 


; __stdcall ZwQueryInformationProcess(x, x, x, x, x)
		public _ZwQueryInformationProcess@20
_ZwQueryInformationProcess@20 proc near	; CODE XREF: BiLogFileOwnerProcess(x,x)+19Fp
					; BiLogFileOwnerProcess(x,x)+1FEp

arg_0		= dword	ptr  4

		mov	eax, 0B9h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryInformationProcess@20 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueryInformationPort(x, x, x, x, x)
_ZwQueryInformationPort@20 proc	near

arg_0		= dword	ptr  4

		mov	eax, 0BAh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryInformationPort@20 endp	; sp = -8

; Exported entry 2794. ZwQueryInformationJobObject

;  S U B	R O U T	I N E 


; __stdcall ZwQueryInformationJobObject(x, x, x, x, x)
		public _ZwQueryInformationJobObject@20
_ZwQueryInformationJobObject@20	proc near ; CODE XREF: PAGE:0083D1ABp
					; PAGE:0083D1BFp

arg_0		= dword	ptr  4

		mov	eax, 0BBh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryInformationJobObject@20	endp ; sp = -8

; Exported entry 2793. ZwQueryInformationFile

;  S U B	R O U T	I N E 


; __stdcall ZwQueryInformationFile(x, x, x, x, x)
		public _ZwQueryInformationFile@20
_ZwQueryInformationFile@20 proc	near	; CODE XREF: CmpAdjustFileCFSafety(x,x)+D7p
					; DbgkCaptureLiveKernelDump(x)+1CFp ...

arg_0		= dword	ptr  4

		mov	eax, 0BCh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryInformationFile@20 endp	; sp = -8

; Exported entry 2792. ZwQueryInformationEnlistment

;  S U B	R O U T	I N E 


; __stdcall ZwQueryInformationEnlistment(x, x, x, x, x)
		public _ZwQueryInformationEnlistment@20
_ZwQueryInformationEnlistment@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0BDh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryInformationEnlistment@20 endp ;	sp = -8

; Exported entry 2791. ZwQueryInformationByName

;  S U B	R O U T	I N E 


; __stdcall ZwQueryInformationByName(x,	x, x, x, x)
		public _ZwQueryInformationByName@20
_ZwQueryInformationByName@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0BEh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryInformationByName@20 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueryInformationAtom(x, x, x, x, x)
_ZwQueryInformationAtom@20 proc	near

arg_0		= dword	ptr  4

		mov	eax, 0BFh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryInformationAtom@20 endp	; sp = -8

; Exported entry 2790. ZwQueryFullAttributesFile

;  S U B	R O U T	I N E 


; __stdcall ZwQueryFullAttributesFile(x, x)
		public _ZwQueryFullAttributesFile@8
_ZwQueryFullAttributesFile@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 0C0h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwQueryFullAttributesFile@8 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueryEvent(x, x, x, x, x)
_ZwQueryEvent@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0C1h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwQueryEvent@20 endp ;	sp = -8

; Exported entry 2789. ZwQueryEaFile

;  S U B	R O U T	I N E 


; __stdcall ZwQueryEaFile(x, x,	x, x, x, x, x, x, x)
		public _ZwQueryEaFile@36
_ZwQueryEaFile@36 proc near

arg_0		= dword	ptr  4

		mov	eax, 0C2h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwQueryEaFile@36 endp ; sp = -8

; Exported entry 2788. ZwQueryDriverEntryOrder

;  S U B	R O U T	I N E 


; __stdcall ZwQueryDriverEntryOrder(x, x)
		public _ZwQueryDriverEntryOrder@8
_ZwQueryDriverEntryOrder@8 proc	near

arg_0		= dword	ptr  4

		mov	eax, 0C3h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwQueryDriverEntryOrder@8 endp	; sp = -8

; Exported entry 2787. ZwQueryDirectoryObject

;  S U B	R O U T	I N E 


; __stdcall ZwQueryDirectoryObject(x, x, x, x, x, x, x)
		public _ZwQueryDirectoryObject@28
_ZwQueryDirectoryObject@28 proc	near	; CODE XREF: IopGetLegacyVetoListDrivers+CCp
					; BiGetNtPartitionPath+13Fp ...

arg_0		= dword	ptr  4

		mov	eax, 0C4h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	1Ch
_ZwQueryDirectoryObject@28 endp	; sp = -8

; Exported entry 2785. ZwQueryDirectoryFile

;  S U B	R O U T	I N E 


; __stdcall ZwQueryDirectoryFile(x, x, x, x, x,	x, x, x, x, x, x)
		public _ZwQueryDirectoryFile@44
_ZwQueryDirectoryFile@44 proc near	; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+23Fp
					; AslPathWildcardFindNext(x,x,x)+2EDp

arg_0		= dword	ptr  4

		mov	eax, 0C5h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	2Ch
_ZwQueryDirectoryFile@44 endp ;	sp = -8

; Exported entry 2786. ZwQueryDirectoryFileEx

;  S U B	R O U T	I N E 


; __stdcall ZwQueryDirectoryFileEx(x, x, x, x, x, x, x,	x, x, x)
		public _ZwQueryDirectoryFileEx@40
_ZwQueryDirectoryFileEx@40 proc	near

arg_0		= dword	ptr  4

		mov	eax, 0C6h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	28h
_ZwQueryDirectoryFileEx@40 endp	; sp = -8

; Exported entry 2784. ZwQueryDefaultUILanguage

;  S U B	R O U T	I N E 


; __stdcall ZwQueryDefaultUILanguage(x)
		public _ZwQueryDefaultUILanguage@4
_ZwQueryDefaultUILanguage@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 0C7h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwQueryDefaultUILanguage@4 endp ; sp =	-8

; Exported entry 2783. ZwQueryDefaultLocale

;  S U B	R O U T	I N E 


; __stdcall ZwQueryDefaultLocale(x, x)
		public _ZwQueryDefaultLocale@8
_ZwQueryDefaultLocale@8	proc near	; CODE XREF: NtInitializeNlsFiles+63p

arg_0		= dword	ptr  4

		mov	eax, 0C8h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwQueryDefaultLocale@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueryDebugFilterState(x, x)
_ZwQueryDebugFilterState@8 proc	near

arg_0		= dword	ptr  4

		mov	eax, 0C9h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwQueryDebugFilterState@8 endp	; sp = -8

; Exported entry 2782. ZwQueryBootOptions

;  S U B	R O U T	I N E 


; __stdcall ZwQueryBootOptions(x, x)
		public _ZwQueryBootOptions@8
_ZwQueryBootOptions@8 proc near		; CODE XREF: BiQueryBootOptions(x,x)+37p
					; BiQueryBootOptions(x,x)+65p ...

arg_0		= dword	ptr  4

		mov	eax, 0CAh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwQueryBootOptions@8 endp ; sp	= -8

; Exported entry 2781. ZwQueryBootEntryOrder

;  S U B	R O U T	I N E 


; __stdcall ZwQueryBootEntryOrder(x, x)
		public _ZwQueryBootEntryOrder@8
_ZwQueryBootEntryOrder@8 proc near	; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+CFp
					; ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+107p ...

arg_0		= dword	ptr  4

		mov	eax, 0CBh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwQueryBootEntryOrder@8 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueryAttributesFile(x, x)
_ZwQueryAttributesFile@8 proc near	; CODE XREF: BiDoesHiveExist(x)+5Ap
					; CmpOpenFileWithExtremePrejudice(x,x,x,x,x)+3Ep ...

arg_0		= dword	ptr  4

		mov	eax, 0CCh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwQueryAttributesFile@8 endp ;	sp = -8

; Exported entry 2780. ZwPulseEvent

;  S U B	R O U T	I N E 


; __stdcall ZwPulseEvent(x, x)
		public _ZwPulseEvent@8
_ZwPulseEvent@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 0CDh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwPulseEvent@8	endp ; sp = -8

; Exported entry 2779. ZwProtectVirtualMemory

;  S U B	R O U T	I N E 


; __stdcall ZwProtectVirtualMemory(x, x, x, x, x)
		public _ZwProtectVirtualMemory@20
_ZwProtectVirtualMemory@20 proc	near	; CODE XREF: CmSiProtectViewOfSection(x,x,x,x,x,x)+22p
					; MiCheckForUserStackOverflow+12ACB0p ...

arg_0		= dword	ptr  4

		mov	eax, 0CEh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwProtectVirtualMemory@20 endp	; sp = -8

; Exported entry 2778. ZwPropagationFailed

;  S U B	R O U T	I N E 


; __stdcall ZwPropagationFailed(x, x, x)
		public _ZwPropagationFailed@12
_ZwPropagationFailed@12	proc near

arg_0		= dword	ptr  4

		mov	eax, 0CFh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwPropagationFailed@12	endp ; sp = -8

; Exported entry 2777. ZwPropagationComplete

;  S U B	R O U T	I N E 


; __stdcall ZwPropagationComplete(x, x,	x, x)
		public _ZwPropagationComplete@16
_ZwPropagationComplete@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 0D0h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwPropagationComplete@16 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwPrivilegeObjectAuditAlarm(x, x, x, x, x, x)
_ZwPrivilegeObjectAuditAlarm@24	proc near

arg_0		= dword	ptr  4

		mov	eax, 0D1h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwPrivilegeObjectAuditAlarm@24	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwPrivilegedServiceAuditAlarm(x, x,	x, x, x)
_ZwPrivilegedServiceAuditAlarm@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0D2h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwPrivilegedServiceAuditAlarm@20 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwPrivilegeCheck(x,	x, x)
_ZwPrivilegeCheck@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 0D3h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwPrivilegeCheck@12 endp ; sp = -8

; Exported entry 2859. ZwSetInformationVirtualMemory

;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationVirtualMemory(x, x,	x, x, x, x)
		public _ZwSetInformationVirtualMemory@24
_ZwSetInformationVirtualMemory@24 proc near
					; CODE XREF: CmSiPrefetchVirtualMemoryRange(x,x,x)+24p
					; PspMapSystemDll+F5p

arg_0		= dword	ptr  4

		mov	eax, 0D4h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwSetInformationVirtualMemory@24 endp ; sp = -8

; Exported entry 2774. ZwPrePrepareEnlistment

;  S U B	R O U T	I N E 


; __stdcall ZwPrePrepareEnlistment(x, x)
		public _ZwPrePrepareEnlistment@8
_ZwPrePrepareEnlistment@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 0D5h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwPrePrepareEnlistment@8 endp ; sp = -8

; Exported entry 2773. ZwPrePrepareComplete

;  S U B	R O U T	I N E 


; __stdcall ZwPrePrepareComplete(x, x)
		public _ZwPrePrepareComplete@8
_ZwPrePrepareComplete@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 0D6h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwPrePrepareComplete@8	endp ; sp = -8

; Exported entry 2776. ZwPrepareEnlistment

;  S U B	R O U T	I N E 


; __stdcall ZwPrepareEnlistment(x, x)
		public _ZwPrepareEnlistment@8
_ZwPrepareEnlistment@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 0D7h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwPrepareEnlistment@8 endp ; sp = -8

; Exported entry 2775. ZwPrepareComplete

;  S U B	R O U T	I N E 


; __stdcall ZwPrepareComplete(x, x)
		public _ZwPrepareComplete@8
_ZwPrepareComplete@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 0D8h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwPrepareComplete@8 endp ; sp = -8

; Exported entry 2772. ZwPowerInformation

;  S U B	R O U T	I N E 


; __stdcall ZwPowerInformation(x, x, x,	x, x)
		public _ZwPowerInformation@20
_ZwPowerInformation@20 proc near	; CODE XREF: PopInvokeWin32Callout+47p
					; PopInvokeWin32Callout+F9p ...

arg_0		= dword	ptr  4

		mov	eax, 0D9h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwPowerInformation@20 endp ; sp = -8

; Exported entry  19.

;  S U B	R O U T	I N E 


; __stdcall ZwPlugPlayControl(x, x, x)
		public _ZwPlugPlayControl@12
_ZwPlugPlayControl@12 proc near		; CODE XREF: PlugPlayGetRelatedDevice(x,x,x,x,x,x)+3Cp
					; PlugPlayGetDeviceProperty+3Ep ...

arg_0		= dword	ptr  4

		mov	eax, 0DAh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwPlugPlayControl@12 endp ; sp	= -8

; Exported entry 2771. ZwOpenTransactionManager

;  S U B	R O U T	I N E 


; __stdcall ZwOpenTransactionManager(x,	x, x, x, x, x)
		public _ZwOpenTransactionManager@24
_ZwOpenTransactionManager@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 0DBh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwOpenTransactionManager@24 endp ; sp = -8

; Exported entry 2770. ZwOpenTransaction

;  S U B	R O U T	I N E 


; __stdcall ZwOpenTransaction(x, x, x, x, x)
		public _ZwOpenTransaction@20
_ZwOpenTransaction@20 proc near		; CODE XREF: CmpRmUnDoPhase(x)+81p

arg_0		= dword	ptr  4

		mov	eax, 0DCh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwOpenTransaction@20 endp ; sp	= -8

; Exported entry 2769. ZwOpenTimer

;  S U B	R O U T	I N E 


; __stdcall ZwOpenTimer(x, x, x)
		public _ZwOpenTimer@12
_ZwOpenTimer@12	proc near

arg_0		= dword	ptr  4

		mov	eax, 0DDh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenTimer@12	endp ; sp = -8

; Exported entry 2768. ZwOpenThreadTokenEx

;  S U B	R O U T	I N E 


; __stdcall ZwOpenThreadTokenEx(x, x, x, x, x)
		public _ZwOpenThreadTokenEx@20
_ZwOpenThreadTokenEx@20	proc near	; CODE XREF: RtlpOpenThreadToken+15p
					; BiAdjustPrivilege+50p ...

arg_0		= dword	ptr  4

		mov	eax, 0DEh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwOpenThreadTokenEx@20	endp ; sp = -8

; Exported entry 2767. ZwOpenThreadToken

;  S U B	R O U T	I N E 


; __stdcall ZwOpenThreadToken(x, x, x, x)
		public _ZwOpenThreadToken@16
_ZwOpenThreadToken@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 0DFh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwOpenThreadToken@16 endp ; sp	= -8

; Exported entry 2766. ZwOpenThread

;  S U B	R O U T	I N E 


; __stdcall ZwOpenThread(x, x, x, x)
		public _ZwOpenThread@16
_ZwOpenThread@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 0E0h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwOpenThread@16 endp ;	sp = -8

; Exported entry 2765. ZwOpenSymbolicLinkObject

;  S U B	R O U T	I N E 


; __stdcall ZwOpenSymbolicLinkObject(x,	x, x)
		public _ZwOpenSymbolicLinkObject@12
_ZwOpenSymbolicLinkObject@12 proc near	; CODE XREF: SiTranslateSymbolicLink+61p
					; SiTranslateSymbolicLink+FEp ...

arg_0		= dword	ptr  4

		mov	eax, 0E1h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenSymbolicLinkObject@12 endp ; sp = -8

; Exported entry 2764. ZwOpenSession

;  S U B	R O U T	I N E 


; __stdcall ZwOpenSession(x, x,	x)
		public _ZwOpenSession@12
_ZwOpenSession@12 proc near		; CODE XREF: PnpInitializeNotifyEntry+158p

arg_0		= dword	ptr  4

		mov	eax, 0E2h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenSession@12 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwOpenSemaphore(x, x, x)
_ZwOpenSemaphore@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 0E3h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenSemaphore@12 endp ; sp =	-8

; Exported entry 2763. ZwOpenSection

;  S U B	R O U T	I N E 


; __stdcall ZwOpenSection(x, x,	x)
		public _ZwOpenSection@12
_ZwOpenSection@12 proc near		; CODE XREF: NtGetNlsSectionPtr+120p
					; VdmpInitialize(x)+A8p ...

arg_0		= dword	ptr  4

		mov	eax, 0E4h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenSection@12 endp ; sp = -8

; Exported entry 2762. ZwOpenResourceManager

;  S U B	R O U T	I N E 


; __stdcall ZwOpenResourceManager(x, x,	x, x, x)
		public _ZwOpenResourceManager@20
_ZwOpenResourceManager@20 proc near	; CODE XREF: CmpInitCmRM+11D6A6p

arg_0		= dword	ptr  4

		mov	eax, 0E5h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwOpenResourceManager@20 endp ; sp = -8

; Exported entry 2757. ZwOpenPartition

;  S U B	R O U T	I N E 


; __stdcall ZwOpenPartition(x, x, x)
		public _ZwOpenPartition@12
_ZwOpenPartition@12 proc near		; CODE XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+91p

arg_0		= dword	ptr  4

		mov	eax, 0E6h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenPartition@12 endp ; sp =	-8

; Exported entry 2760. ZwOpenProcessTokenEx

;  S U B	R O U T	I N E 


; __stdcall ZwOpenProcessTokenEx(x, x, x, x)
		public _ZwOpenProcessTokenEx@16
_ZwOpenProcessTokenEx@16 proc near	; CODE XREF: RtlImpersonateSelfEx(x,x,x)+69p
					; RtlAcquirePrivilege+121796p ...

arg_0		= dword	ptr  4

		mov	eax, 0E7h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwOpenProcessTokenEx@16 endp ;	sp = -8

; Exported entry 2759. ZwOpenProcessToken

;  S U B	R O U T	I N E 


; __stdcall ZwOpenProcessToken(x, x, x)
		public _ZwOpenProcessToken@12
_ZwOpenProcessToken@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 0E8h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenProcessToken@12 endp ; sp = -8

; Exported entry 2758. ZwOpenProcess

;  S U B	R O U T	I N E 


; __stdcall ZwOpenProcess(x, x,	x, x)
		public _ZwOpenProcess@16
_ZwOpenProcess@16 proc near		; CODE XREF: BiLogFileOwnerProcess(x,x)+181p
					; SepRmLsaConnectRequest+64p

arg_0		= dword	ptr  4

		mov	eax, 0E9h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwOpenProcess@16 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwOpenPrivateNamespace(x, x, x, x)
_ZwOpenPrivateNamespace@16 proc	near

arg_0		= dword	ptr  4

		mov	eax, 0EAh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwOpenPrivateNamespace@16 endp	; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwOpenObjectAuditAlarm(x, x, x, x, x, x, x,	x, x, x, x, x)
_ZwOpenObjectAuditAlarm@48 proc	near

arg_0		= dword	ptr  4

		mov	eax, 0EBh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	30h
_ZwOpenObjectAuditAlarm@48 endp	; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwOpenMutant(x, x, x)
_ZwOpenMutant@12 proc near		; CODE XREF: BiAcquireBcdSyncMutant+A198Ep

arg_0		= dword	ptr  4

		mov	eax, 0ECh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenMutant@12 endp ;	sp = -8

; Exported entry 2756. ZwOpenKeyTransactedEx

;  S U B	R O U T	I N E 


; __stdcall ZwOpenKeyTransactedEx(x, x,	x, x, x)
		public _ZwOpenKeyTransactedEx@20
_ZwOpenKeyTransactedEx@20 proc near	; DATA XREF: NtOpenKeyTransactedEx_Stub(x,x,x,x,x)+Eo

arg_0		= dword	ptr  4

		mov	eax, 0EDh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwOpenKeyTransactedEx@20 endp ; sp = -8

; Exported entry 2755. ZwOpenKeyTransacted

;  S U B	R O U T	I N E 


; __stdcall ZwOpenKeyTransacted(x, x, x, x)
		public _ZwOpenKeyTransacted@16
_ZwOpenKeyTransacted@16	proc near	; DATA XREF: NtOpenKeyTransacted_Stub(x,x,x,x)+Eo

arg_0		= dword	ptr  4

		mov	eax, 0EEh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwOpenKeyTransacted@16	endp ; sp = -8

; Exported entry 2754. ZwOpenKeyEx

;  S U B	R O U T	I N E 


; __stdcall ZwOpenKeyEx(x, x, x, x)
		public _ZwOpenKeyEx@16
_ZwOpenKeyEx@16	proc near		; CODE XREF: _RegRtlOpenKeyTransacted+ABp
					; MfgInitSystem+F690p

arg_0		= dword	ptr  4

		mov	eax, 0EFh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwOpenKeyEx@16	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwOpenKeyedEvent(x,	x, x)
_ZwOpenKeyedEvent@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 0F0h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenKeyedEvent@12 endp ; sp = -8

; Exported entry 2753. ZwOpenKey

;  S U B	R O U T	I N E 


; __stdcall ZwOpenKey(x, x, x)
		public _ZwOpenKey@12
_ZwOpenKey@12	proc near		; CODE XREF: BiZwOpenKey(x,x,x)+Ap
					; PopOpenKey(x,x,x)+48p ...

arg_0		= dword	ptr  4

		mov	eax, 0F1h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenKey@12	endp ; sp = -8

; Exported entry 2752. ZwOpenJobObject

;  S U B	R O U T	I N E 


; __stdcall ZwOpenJobObject(x, x, x)
		public _ZwOpenJobObject@12
_ZwOpenJobObject@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 0F2h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenJobObject@12 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwOpenIoCompletion(x, x, x)
_ZwOpenIoCompletion@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 0F3h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenIoCompletion@12 endp ; sp = -8

; Exported entry 2751. ZwOpenFile

;  S U B	R O U T	I N E 


; __stdcall ZwOpenFile(x, x, x,	x, x, x)
		public _ZwOpenFile@24
_ZwOpenFile@24	proc near		; CODE XREF: DbgkPostModuleMessage(x,x,x,x,x,x)+C4p
					; BiLogFileOwnerProcess(x,x)+97p ...

arg_0		= dword	ptr  4

		mov	eax, 0F4h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwOpenFile@24	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwOpenEventPair(x, x, x)
_ZwOpenEventPair@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 0F5h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenEventPair@12 endp ; sp =	-8

; Exported entry 2750. ZwOpenEvent

;  S U B	R O U T	I N E 


; __stdcall ZwOpenEvent(x, x, x)
		public _ZwOpenEvent@12
_ZwOpenEvent@12	proc near		; CODE XREF: PspShutdownCsrProcess(x,x,x)+C8p

arg_0		= dword	ptr  4

		mov	eax, 0F6h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenEvent@12	endp ; sp = -8

; Exported entry 2749. ZwOpenEnlistment

;  S U B	R O U T	I N E 


; __stdcall ZwOpenEnlistment(x,	x, x, x, x)
		public _ZwOpenEnlistment@20
_ZwOpenEnlistment@20 proc near		; CODE XREF: CmpRecoverEnlistment(x,x,x)+85p

arg_0		= dword	ptr  4

		mov	eax, 0F7h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwOpenEnlistment@20 endp ; sp = -8

; Exported entry 2748. ZwOpenDirectoryObject

;  S U B	R O U T	I N E 


; __stdcall ZwOpenDirectoryObject(x, x,	x)
		public _ZwOpenDirectoryObject@12
_ZwOpenDirectoryObject@12 proc near	; CODE XREF: IopGetLegacyVetoListDrivers+61p
					; BiGetNtPartitionPath+10Fp ...

arg_0		= dword	ptr  4

		mov	eax, 0F8h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenDirectoryObject@12 endp ; sp = -8

; Exported entry 2747. ZwNotifyChangeSession

;  S U B	R O U T	I N E 


; __stdcall ZwNotifyChangeSession(x, x,	x, x, x, x, x, x)
		public _ZwNotifyChangeSession@32
_ZwNotifyChangeSession@32 proc near

arg_0		= dword	ptr  4

		mov	eax, 0F9h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	20h
_ZwNotifyChangeSession@32 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwNotifyChangeMultipleKeys(x, x, x,	x, x, x, x, x, x, x, x,	x)
_ZwNotifyChangeMultipleKeys@48 proc near

arg_0		= dword	ptr  4

		mov	eax, 0FAh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	30h
_ZwNotifyChangeMultipleKeys@48 endp ; sp = -8

; Exported entry 2746. ZwNotifyChangeKey

;  S U B	R O U T	I N E 


; __stdcall ZwNotifyChangeKey(x, x, x, x, x, x,	x, x, x, x)
		public _ZwNotifyChangeKey@40
_ZwNotifyChangeKey@40 proc near		; CODE XREF: KiRegisterForDisableFgBoostDecayRegistryNotification+45p
					; CcRegistryChangeCallback+B1p	...

arg_0		= dword	ptr  4

		mov	eax, 0FBh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	28h
_ZwNotifyChangeKey@40 endp ; sp	= -8

; Exported entry 2744. ZwNotifyChangeDirectoryFile

;  S U B	R O U T	I N E 


; __stdcall ZwNotifyChangeDirectoryFile(x, x, x, x, x, x, x, x,	x)
		public _ZwNotifyChangeDirectoryFile@36
_ZwNotifyChangeDirectoryFile@36	proc near

arg_0		= dword	ptr  4

		mov	eax, 0FCh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwNotifyChangeDirectoryFile@36	endp ; sp = -8

; Exported entry 2745. ZwNotifyChangeDirectoryFileEx

;  S U B	R O U T	I N E 


; __stdcall ZwNotifyChangeDirectoryFileEx(x, x,	x, x, x, x, x, x, x, x)
		public _ZwNotifyChangeDirectoryFileEx@40
_ZwNotifyChangeDirectoryFileEx@40 proc near

arg_0		= dword	ptr  4

		mov	eax, 0FDh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	28h
_ZwNotifyChangeDirectoryFileEx@40 endp ; sp = -8

; Exported entry 2740. ZwManagePartition

;  S U B	R O U T	I N E 


; __stdcall ZwManagePartition(x, x, x, x, x)
		public _ZwManagePartition@20
_ZwManagePartition@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 0FEh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwManagePartition@20 endp ; sp	= -8

; Exported entry 2743. ZwModifyDriverEntry

;  S U B	R O U T	I N E 


; __stdcall ZwModifyDriverEntry(x)
		public _ZwModifyDriverEntry@4
_ZwModifyDriverEntry@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 0FFh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwModifyDriverEntry@4 endp ; sp = -8

; Exported entry 2742. ZwModifyBootEntry

;  S U B	R O U T	I N E 


; __stdcall ZwModifyBootEntry(x)
		public _ZwModifyBootEntry@4
_ZwModifyBootEntry@4 proc near		; CODE XREF: BiModifyBootEntry(x)+25p

arg_0		= dword	ptr  4

		mov	eax, 100h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwModifyBootEntry@4 endp ; sp = -8

; Exported entry 2741. ZwMapViewOfSection

;  S U B	R O U T	I N E 


; __stdcall ZwMapViewOfSection(x, x, x,	x, x, x, x, x, x, x)
		public _ZwMapViewOfSection@40
_ZwMapViewOfSection@40 proc near	; CODE XREF: CmSiMapViewOfSection(x,x,x,x,x,x,x,x)+31p
					; RtlFileMapMapView(x,x)+CDp ...

arg_0		= dword	ptr  4

		mov	eax, 101h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	28h
_ZwMapViewOfSection@40 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwMapUserPhysicalPagesScatter(x, x,	x)
_ZwMapUserPhysicalPagesScatter@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 102h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwMapUserPhysicalPagesScatter@12 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwMapUserPhysicalPages(x, x, x)
_ZwMapUserPhysicalPages@12 proc	near

arg_0		= dword	ptr  4

		mov	eax, 103h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwMapUserPhysicalPages@12 endp	; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwMapCMFModule(x, x, x, x, x, x)
_ZwMapCMFModule@24 proc	near

arg_0		= dword	ptr  4

		mov	eax, 104h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwMapCMFModule@24 endp	; sp = -8

; Exported entry 2739. ZwMakeTemporaryObject

;  S U B	R O U T	I N E 


; __stdcall ZwMakeTemporaryObject(x)
		public _ZwMakeTemporaryObject@4
_ZwMakeTemporaryObject@4 proc near	; CODE XREF: IoDeleteSymbolicLink(x)+4Dp
					; SepCleanupLUIDDeviceMapDirectory+20Bp ...

arg_0		= dword	ptr  4

		mov	eax, 105h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwMakeTemporaryObject@4 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwMakePermanentObject(x)
_ZwMakePermanentObject@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 106h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwMakePermanentObject@4 endp ;	sp = -8

; Exported entry 2738. ZwLockVirtualMemory

;  S U B	R O U T	I N E 


; __stdcall ZwLockVirtualMemory(x, x, x, x)
		public _ZwLockVirtualMemory@16
_ZwLockVirtualMemory@16	proc near	; CODE XREF: CmSiLockViewOfSection(x,x,x,x)+1Ep
					; SmKmVirtualLockCtxLockMemory(x,x,x)+5Ep

arg_0		= dword	ptr  4

		mov	eax, 107h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwLockVirtualMemory@16	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwLockRegistryKey(x)
_ZwLockRegistryKey@4 proc near		; CODE XREF: NtLockProductActivationKeys+2C1p
					; SepZwLockRegistryKey(x)+6j

arg_0		= dword	ptr  4

		mov	eax, 108h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwLockRegistryKey@4 endp ; sp = -8

; Exported entry 2737. ZwLockProductActivationKeys

;  S U B	R O U T	I N E 


; __stdcall ZwLockProductActivationKeys(x, x)
		public _ZwLockProductActivationKeys@8
_ZwLockProductActivationKeys@8 proc near ; CODE	XREF: ExInitializeTimeRefresh+Ep

arg_0		= dword	ptr  4

		mov	eax, 109h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwLockProductActivationKeys@8 endp ; sp = -8

; Exported entry 2736. ZwLockFile

;  S U B	R O U T	I N E 


; __stdcall ZwLockFile(x, x, x,	x, x, x, x, x, x, x)
		public _ZwLockFile@40
_ZwLockFile@40	proc near

arg_0		= dword	ptr  4

		mov	eax, 10Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	28h
_ZwLockFile@40	endp ; sp = -8

; Exported entry 2735. ZwLoadKeyEx

;  S U B	R O U T	I N E 


; __stdcall ZwLoadKeyEx(x, x, x, x, x, x, x, x)
		public _ZwLoadKeyEx@32
_ZwLoadKeyEx@32	proc near		; CODE XREF: PiDrvDbLoadHive+54p

arg_0		= dword	ptr  4

		mov	eax, 10Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	20h
_ZwLoadKeyEx@32	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwLoadKey2(x, x, x)
_ZwLoadKey2@12	proc near		; CODE XREF: BiLoadHive+F7p
					; BiLoadHive+A2F29p
					; DATA XREF: ...

arg_0		= dword	ptr  4

		mov	eax, 10Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwLoadKey2@12	endp ; sp = -8

; Exported entry 2734. ZwLoadKey

;  S U B	R O U T	I N E 


; __stdcall ZwLoadKey(x, x)
		public _ZwLoadKey@8
_ZwLoadKey@8	proc near		; CODE XREF: BiLoadHive+A2F40p

arg_0		= dword	ptr  4

		mov	eax, 10Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwLoadKey@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwLoadEnclaveData(x, x, x, x, x, x,	x, x, x)
_ZwLoadEnclaveData@36 proc near

arg_0		= dword	ptr  4

		mov	eax, 10Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwLoadEnclaveData@36 endp ; sp	= -8

; Exported entry 2733. ZwLoadDriver

;  S U B	R O U T	I N E 


; __stdcall ZwLoadDriver(x)
		public _ZwLoadDriver@4
_ZwLoadDriver@4	proc near		; CODE XREF: KsepLoadShimProvider(x)+50p
					; PAGE:007B4556p ...

arg_0		= dword	ptr  4

		mov	eax, 10Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwLoadDriver@4	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwListenPort(x, x)
_ZwListenPort@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 110h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwListenPort@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwIsUILanguageComitted()
_ZwIsUILanguageComitted@0 proc near

arg_0		= dword	ptr  4

		mov	eax, 111h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn
_ZwIsUILanguageComitted@0 endp ; sp = -8

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ZwIsSystemResumeAutomatic()
_ZwIsSystemResumeAutomatic@0 proc near

arg_0		= dword	ptr  4

		mov	eax, 112h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn
_ZwIsSystemResumeAutomatic@0 endp ; sp = -8

; 
		align 4
; Exported entry 2732. ZwIsProcessInJob

;  S U B	R O U T	I N E 


; __stdcall ZwIsProcessInJob(x,	x)
		public _ZwIsProcessInJob@8
_ZwIsProcessInJob@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 113h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwIsProcessInJob@8 endp ; sp =	-8

; Exported entry 2731. ZwInitiatePowerAction

;  S U B	R O U T	I N E 


; __stdcall ZwInitiatePowerAction(x, x,	x, x)
		public _ZwInitiatePowerAction@16
_ZwInitiatePowerAction@16 proc near	; CODE XREF: PoShutdownBugCheck(x,x,x,x,x,x)+A2p

arg_0		= dword	ptr  4

		mov	eax, 114h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwInitiatePowerAction@16 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwInitializeRegistry(x)
_ZwInitializeRegistry@4	proc near	; CODE XREF: NtInitializeRegistry+30p

arg_0		= dword	ptr  4

		mov	eax, 115h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwInitializeRegistry@4	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwInitializeNlsFiles(x, x, x)
_ZwInitializeNlsFiles@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 116h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwInitializeNlsFiles@12 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwInitializeEnclave(x, x, x, x, x)
_ZwInitializeEnclave@20	proc near

arg_0		= dword	ptr  4

		mov	eax, 117h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwInitializeEnclave@20	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwImpersonateThread(x, x, x)
_ZwImpersonateThread@12	proc near

arg_0		= dword	ptr  4

		mov	eax, 118h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwImpersonateThread@12	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwImpersonateClientOfPort(x, x)
_ZwImpersonateClientOfPort@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 119h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwImpersonateClientOfPort@8 endp ; sp = -8

; Exported entry 2730. ZwImpersonateAnonymousToken

;  S U B	R O U T	I N E 


; __stdcall ZwImpersonateAnonymousToken(x)
		public _ZwImpersonateAnonymousToken@4
_ZwImpersonateAnonymousToken@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 11Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwImpersonateAnonymousToken@4 endp ; sp = -8

; Exported entry 2729. ZwGetWriteWatch

;  S U B	R O U T	I N E 


; __stdcall ZwGetWriteWatch(x, x, x, x,	x, x, x)
		public _ZwGetWriteWatch@28
_ZwGetWriteWatch@28 proc near

arg_0		= dword	ptr  4

		mov	eax, 11Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	1Ch
_ZwGetWriteWatch@28 endp ; sp =	-8

; Exported entry 2728. ZwGetNotificationResourceManager

;  S U B	R O U T	I N E 


; __stdcall ZwGetNotificationResourceManager(x,	x, x, x, x, x, x)
		public _ZwGetNotificationResourceManager@28
_ZwGetNotificationResourceManager@28 proc near

arg_0		= dword	ptr  4

		mov	eax, 11Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	1Ch
_ZwGetNotificationResourceManager@28 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwGetNlsSectionPtr(x, x, x,	x, x)
_ZwGetNlsSectionPtr@20 proc near	; CODE XREF: RtlpGetNormalization(x,x)+60p

arg_0		= dword	ptr  4

		mov	eax, 11Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwGetNlsSectionPtr@20 endp ; sp = -8

; Exported entry 2727. ZwGetNextThread

;  S U B	R O U T	I N E 


; __stdcall ZwGetNextThread(x, x, x, x,	x, x)
		public _ZwGetNextThread@24
_ZwGetNextThread@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 11Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwGetNextThread@24 endp ; sp =	-8

; Exported entry 2726. ZwGetNextProcess

;  S U B	R O U T	I N E 


; __stdcall ZwGetNextProcess(x,	x, x, x, x)
		public _ZwGetNextProcess@20
_ZwGetNextProcess@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 11Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwGetNextProcess@20 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwGetMUIRegistryInfo(x, x, x)
_ZwGetMUIRegistryInfo@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 120h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwGetMUIRegistryInfo@12 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwGetDevicePowerState(x, x)
_ZwGetDevicePowerState@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 121h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwGetDevicePowerState@8 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwGetCurrentProcessorNumberEx(x)
_ZwGetCurrentProcessorNumberEx@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 122h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwGetCurrentProcessorNumberEx@4 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwGetCurrentProcessorNumber()
_ZwGetCurrentProcessorNumber@0 proc near

arg_0		= dword	ptr  4

		mov	eax, 123h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn
_ZwGetCurrentProcessorNumber@0 endp ; sp = -8

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ZwGetContextThread(x, x)
_ZwGetContextThread@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 124h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwGetContextThread@8 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwGetCompleteWnfStateSubscription(x, x, x, x, x, x)
_ZwGetCompleteWnfStateSubscription@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 125h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwGetCompleteWnfStateSubscription@24 endp ; sp	= -8

; Exported entry 2725. ZwGetCachedSigningLevel

;  S U B	R O U T	I N E 


; __stdcall ZwGetCachedSigningLevel(x, x, x, x,	x, x)
		public _ZwGetCachedSigningLevel@24
_ZwGetCachedSigningLevel@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 126h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwGetCachedSigningLevel@24 endp ; sp =	-8

; Exported entry 2724. ZwFsControlFile

;  S U B	R O U T	I N E 


; __stdcall ZwFsControlFile(x, x, x, x,	x, x, x, x, x, x)
		public _ZwFsControlFile@40
_ZwFsControlFile@40 proc near		; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+1E5p
					; CmpOpenHiveFile+206p	...

arg_0		= dword	ptr  4

		mov	eax, 127h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	28h
_ZwFsControlFile@40 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwFreezeTransactions(x, x)
_ZwFreezeTransactions@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 128h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwFreezeTransactions@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwFreezeRegistry(x)
_ZwFreezeRegistry@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 129h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwFreezeRegistry@4 endp ; sp =	-8

; Exported entry 2723. ZwFreeVirtualMemory

;  S U B	R O U T	I N E 


; __stdcall ZwFreeVirtualMemory(x, x, x, x)
		public _ZwFreeVirtualMemory@16
_ZwFreeVirtualMemory@16	proc near	; CODE XREF: RtlpHpAllocVirtBlockCommitFirst(x,x,x,x)+4Fp
					; RtlpHpAllocVirtBlockCommitFirst(x,x,x,x)+77p	...

arg_0		= dword	ptr  4

		mov	eax, 12Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwFreeVirtualMemory@16	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwFreeUserPhysicalPages(x, x, x)
_ZwFreeUserPhysicalPages@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 12Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwFreeUserPhysicalPages@12 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwFlushWriteBuffer()
_ZwFlushWriteBuffer@0 proc near

arg_0		= dword	ptr  4

		mov	eax, 12Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn
_ZwFlushWriteBuffer@0 endp ; sp	= -8

; 
		align 4
; Exported entry 2722. ZwFlushVirtualMemory

;  S U B	R O U T	I N E 


; __stdcall ZwFlushVirtualMemory(x, x, x, x)
		public _ZwFlushVirtualMemory@16
_ZwFlushVirtualMemory@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 12Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwFlushVirtualMemory@16 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwFlushProcessWriteBuffers()
_ZwFlushProcessWriteBuffers@0 proc near

arg_0		= dword	ptr  4

		mov	eax, 12Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn
_ZwFlushProcessWriteBuffers@0 endp ; sp	= -8

; 
		align 4
; Exported entry 2721. ZwFlushKey

;  S U B	R O U T	I N E 


; __stdcall ZwFlushKey(x)
		public _ZwFlushKey@4
_ZwFlushKey@4	proc near		; CODE XREF: VfClearVerifierSettings()+2F5p
					; ExpRecordShutdownTime()+90p ...

arg_0		= dword	ptr  4

		mov	eax, 12Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwFlushKey@4	endp ; sp = -8

; Exported entry 2720. ZwFlushInstructionCache

;  S U B	R O U T	I N E 


; __stdcall ZwFlushInstructionCache(x, x, x)
		public _ZwFlushInstructionCache@12
_ZwFlushInstructionCache@12 proc near	; CODE XREF: sub_A1BBB6+133p
					; sub_A1BD0C+16Cp ...

arg_0		= dword	ptr  4

		mov	eax, 130h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwFlushInstructionCache@12 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwFlushInstallUILanguage(x,	x)
_ZwFlushInstallUILanguage@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 131h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwFlushInstallUILanguage@8 endp ; sp =	-8

; Exported entry 2718. ZwFlushBuffersFile

;  S U B	R O U T	I N E 


; __stdcall ZwFlushBuffersFile(x, x)
		public _ZwFlushBuffersFile@8
_ZwFlushBuffersFile@8 proc near		; CODE XREF: CmpDoFileFlush+20p
					; RtlBootStatusDisableFlushing(x)+37p ...

arg_0		= dword	ptr  4

		mov	eax, 132h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwFlushBuffersFile@8 endp ; sp	= -8

; Exported entry 2719. ZwFlushBuffersFileEx

;  S U B	R O U T	I N E 


; __stdcall ZwFlushBuffersFileEx(x, x, x, x, x)
		public _ZwFlushBuffersFileEx@20
_ZwFlushBuffersFileEx@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 133h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwFlushBuffersFileEx@20 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwFindAtom(x, x, x)
_ZwFindAtom@12	proc near

arg_0		= dword	ptr  4

		mov	eax, 134h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwFindAtom@12	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwFilterToken(x, x,	x, x, x, x)
_ZwFilterToken@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 135h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwFilterToken@24 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwFilterTokenEx(x, x, x, x,	x, x, x, x, x, x, x, x,	x, x)
_ZwFilterTokenEx@56 proc near

arg_0		= dword	ptr  4

		mov	eax, 136h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	38h
_ZwFilterTokenEx@56 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwFilterBootOption(x, x, x,	x, x)
_ZwFilterBootOption@20 proc near	; CODE XREF: IopInitializeInMemoryDumpData()+93p
					; PAGE:0077FB29p

arg_0		= dword	ptr  4

		mov	eax, 137h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwFilterBootOption@20 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwExtendSection(x, x)
_ZwExtendSection@8 proc	near		; CODE XREF: CmSiExtendSection(x,x,x)+Ap

arg_0		= dword	ptr  4

		mov	eax, 138h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwExtendSection@8 endp	; sp = -8

; Exported entry 2717. ZwEnumerateValueKey

;  S U B	R O U T	I N E 


; __stdcall ZwEnumerateValueKey(x, x, x, x, x, x)
		public _ZwEnumerateValueKey@24
_ZwEnumerateValueKey@24	proc near	; CODE XREF: RtlpQueryRegistryValues+307p
					; _RegRtlEnumValue+A3p	...

arg_0		= dword	ptr  4

		mov	eax, 139h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwEnumerateValueKey@24	endp ; sp = -8

; Exported entry 2716. ZwEnumerateTransactionObject

;  S U B	R O U T	I N E 


; __stdcall ZwEnumerateTransactionObject(x, x, x, x, x)
		public _ZwEnumerateTransactionObject@20
_ZwEnumerateTransactionObject@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 13Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwEnumerateTransactionObject@20 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwEnumerateSystemEnvironmentValuesEx(x, x, x)
_ZwEnumerateSystemEnvironmentValuesEx@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 13Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwEnumerateSystemEnvironmentValuesEx@12 endp ;	sp = -8

; Exported entry 2715. ZwEnumerateKey

;  S U B	R O U T	I N E 


; __stdcall ZwEnumerateKey(x, x, x, x, x, x)
		public _ZwEnumerateKey@24
_ZwEnumerateKey@24 proc	near		; CODE XREF: BiZwEnumerateKey(x,x,x,x,x,x)+12p
					; _RtlpMuiRegLoadInstalledFromKey+A9p ...

arg_0		= dword	ptr  4

		mov	eax, 13Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwEnumerateKey@24 endp	; sp = -8

; Exported entry 2714. ZwEnumerateDriverEntries

;  S U B	R O U T	I N E 


; __stdcall ZwEnumerateDriverEntries(x,	x)
		public _ZwEnumerateDriverEntries@8
_ZwEnumerateDriverEntries@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 13Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwEnumerateDriverEntries@8 endp ; sp =	-8

; Exported entry 2713. ZwEnumerateBootEntries

;  S U B	R O U T	I N E 


; __stdcall ZwEnumerateBootEntries(x, x)
		public _ZwEnumerateBootEntries@8
_ZwEnumerateBootEntries@8 proc near	; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+79p
					; ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+BAp ...

arg_0		= dword	ptr  4

		mov	eax, 13Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwEnumerateBootEntries@8 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwEnableLastKnownGood()
_ZwEnableLastKnownGood@0 proc near

arg_0		= dword	ptr  4

		mov	eax, 13Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn
_ZwEnableLastKnownGood@0 endp ;	sp = -8

; 
		align 10h
; Exported entry 2712. ZwDuplicateToken

;  S U B	R O U T	I N E 


; __stdcall ZwDuplicateToken(x,	x, x, x, x, x)
		public _ZwDuplicateToken@24
_ZwDuplicateToken@24 proc near		; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+108p
					; RtlIsSandboxedTokenHandle+CCC2Ap ...

arg_0		= dword	ptr  4

		mov	eax, 140h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwDuplicateToken@24 endp ; sp = -8

; Exported entry 2711. ZwDuplicateObject

;  S U B	R O U T	I N E 


; __stdcall ZwDuplicateObject(x, x, x, x, x, x,	x)
		public _ZwDuplicateObject@28
_ZwDuplicateObject@28 proc near		; CODE XREF: SepReferenceCachedTokenHandles+34p
					; PAGE:00817679p ...

arg_0		= dword	ptr  4

		mov	eax, 141h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	1Ch
_ZwDuplicateObject@28 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwDrawText(x)
_ZwDrawText@4	proc near

arg_0		= dword	ptr  4

		mov	eax, 142h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwDrawText@4	endp ; sp = -8

; Exported entry 2710. ZwDisplayString

;  S U B	R O U T	I N E 


; __stdcall ZwDisplayString(x)
		public _ZwDisplayString@4
_ZwDisplayString@4 proc	near

arg_0		= dword	ptr  4

		mov	eax, 143h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwDisplayString@4 endp	; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwDisableLastKnownGood()
_ZwDisableLastKnownGood@0 proc near

arg_0		= dword	ptr  4

		mov	eax, 144h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn
_ZwDisableLastKnownGood@0 endp ; sp = -8

; 
		align 4
; Exported entry 2709. ZwDeviceIoControlFile

;  S U B	R O U T	I N E 


; __stdcall ZwDeviceIoControlFile(x, x,	x, x, x, x, x, x, x, x)
		public _ZwDeviceIoControlFile@40
_ZwDeviceIoControlFile@40 proc near	; CODE XREF: PopFlushAndHold(x,x)+41p
					; SiGetDiskPartitionInformation(x,x)+3Dp ...

arg_0		= dword	ptr  4

		mov	eax, 145h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	28h
_ZwDeviceIoControlFile@40 endp ; sp = -8

; Exported entry 2708. ZwDeleteWnfStateName

;  S U B	R O U T	I N E 


; __stdcall ZwDeleteWnfStateName(x)
		public _ZwDeleteWnfStateName@4
_ZwDeleteWnfStateName@4	proc near	; CODE XREF: .text:005116FEp
					; PspProcessDelete+93p	...

arg_0		= dword	ptr  4

		mov	eax, 146h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwDeleteWnfStateName@4	endp ; sp = -8

; Exported entry 2707. ZwDeleteWnfStateData

;  S U B	R O U T	I N E 


; __stdcall ZwDeleteWnfStateData(x, x)
		public _ZwDeleteWnfStateData@8
_ZwDeleteWnfStateData@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 147h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwDeleteWnfStateData@8	endp ; sp = -8

; Exported entry 2706. ZwDeleteValueKey

;  S U B	R O U T	I N E 


; __stdcall ZwDeleteValueKey(x,	x)
		public _ZwDeleteValueKey@8
_ZwDeleteValueKey@8 proc near		; CODE XREF: BiZwDeleteValueKey(x,x)+4p
					; CmpSetSystemRegistryString(x,x,x)+5Cp ...

arg_0		= dword	ptr  4

		mov	eax, 148h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwDeleteValueKey@8 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwDeletePrivateNamespace(x)
_ZwDeletePrivateNamespace@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 149h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwDeletePrivateNamespace@4 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwDeleteObjectAuditAlarm(x,	x, x)
_ZwDeleteObjectAuditAlarm@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 14Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwDeleteObjectAuditAlarm@12 endp ; sp = -8

; Exported entry 2705. ZwDeleteKey

;  S U B	R O U T	I N E 


; __stdcall ZwDeleteKey(x)
		public _ZwDeleteKey@4
_ZwDeleteKey@4	proc near		; CODE XREF: BiZwDeleteKey(x)+3p
					; _RegRtlDeleteKeyTransacted(x,x,x)+2Cp ...

arg_0		= dword	ptr  4

		mov	eax, 14Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwDeleteKey@4	endp ; sp = -8

; Exported entry 2704. ZwDeleteFile

;  S U B	R O U T	I N E 


; __stdcall ZwDeleteFile(x)
		public _ZwDeleteFile@4
_ZwDeleteFile@4	proc near		; CODE XREF: KsepDeletePatchSdb()+41p
					; NtEnableLastKnownGood()+25Ap	...

arg_0		= dword	ptr  4

		mov	eax, 14Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwDeleteFile@4	endp ; sp = -8

; Exported entry 2703. ZwDeleteDriverEntry

;  S U B	R O U T	I N E 


; __stdcall ZwDeleteDriverEntry(x)
		public _ZwDeleteDriverEntry@4
_ZwDeleteDriverEntry@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 14Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwDeleteDriverEntry@4 endp ; sp = -8

; Exported entry 2702. ZwDeleteBootEntry

;  S U B	R O U T	I N E 


; __stdcall ZwDeleteBootEntry(x)
		public _ZwDeleteBootEntry@4
_ZwDeleteBootEntry@4 proc near		; CODE XREF: BiDeleteBootEntry(x)+35p

arg_0		= dword	ptr  4

		mov	eax, 14Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwDeleteBootEntry@4 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwDeleteAtom(x)
_ZwDeleteAtom@4	proc near

arg_0		= dword	ptr  4

		mov	eax, 14Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwDeleteAtom@4	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwDelayExecution(x,	x)
_ZwDelayExecution@8 proc near		; CODE XREF: IovUnloadDrivers()+ADp

arg_0		= dword	ptr  4

		mov	eax, 150h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwDelayExecution@8 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwDebugContinue(x, x, x)
_ZwDebugContinue@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 151h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwDebugContinue@12 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwDebugActiveProcess(x, x)
_ZwDebugActiveProcess@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 152h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwDebugActiveProcess@8	endp ; sp = -8

; Exported entry 2690. ZwCreatePartition

;  S U B	R O U T	I N E 


; __stdcall ZwCreatePartition(x, x, x, x)
		public _ZwCreatePartition@16
_ZwCreatePartition@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 153h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwCreatePartition@16 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateWorkerFactory(x, x,	x, x, x, x, x, x, x, x)
_ZwCreateWorkerFactory@40 proc near

arg_0		= dword	ptr  4

		mov	eax, 154h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	28h
_ZwCreateWorkerFactory@40 endp ; sp = -8

; Exported entry 2701. ZwCreateWnfStateName

;  S U B	R O U T	I N E 


; __stdcall ZwCreateWnfStateName(x, x, x, x, x,	x, x)
		public _ZwCreateWnfStateName@28
_ZwCreateWnfStateName@28 proc near	; CODE XREF: PspAllocateAndQueryProcessNotificationChannel+ACp
					; PopCreateNotificationName(x)+10Ep ...

arg_0		= dword	ptr  4

		mov	eax, 155h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	1Ch
_ZwCreateWnfStateName@28 endp ;	sp = -8

; Exported entry 2700. ZwCreateWaitCompletionPacket

;  S U B	R O U T	I N E 


; __stdcall ZwCreateWaitCompletionPacket(x, x, x)
		public _ZwCreateWaitCompletionPacket@12
_ZwCreateWaitCompletionPacket@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 156h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwCreateWaitCompletionPacket@12 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateWaitablePort(x, x, x, x, x)
_ZwCreateWaitablePort@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 157h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwCreateWaitablePort@20 endp ;	sp = -8

; Exported entry   2.

;  S U B	R O U T	I N E 


; __stdcall ZwCreateUserProcess(x, x, x, x, x, x, x, x,	x, x, x)
		public _ZwCreateUserProcess@44
_ZwCreateUserProcess@44	proc near	; CODE XREF: RtlpCreateUserProcess+1F0p

arg_0		= dword	ptr  4

		mov	eax, 158h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	2Ch
_ZwCreateUserProcess@44	endp ; sp = -8

; Exported entry 2699. ZwCreateTransactionManager

;  S U B	R O U T	I N E 


; __stdcall ZwCreateTransactionManager(x, x, x,	x, x, x)
		public _ZwCreateTransactionManager@24
_ZwCreateTransactionManager@24 proc near ; CODE	XREF: CmpInitCmRM+437p

arg_0		= dword	ptr  4

		mov	eax, 159h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwCreateTransactionManager@24 endp ; sp = -8

; Exported entry 2698. ZwCreateTransaction

;  S U B	R O U T	I N E 


; __stdcall ZwCreateTransaction(x, x, x, x, x, x, x, x,	x, x)
		public _ZwCreateTransaction@40
_ZwCreateTransaction@40	proc near

arg_0		= dword	ptr  4

		mov	eax, 15Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	28h
_ZwCreateTransaction@40	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateToken(x, x,	x, x, x, x, x, x, x, x,	x, x, x)
_ZwCreateToken@52 proc near

arg_0		= dword	ptr  4

		mov	eax, 15Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	34h
_ZwCreateToken@52 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateLowBoxToken(x, x, x, x, x, x, x, x,	x)
_ZwCreateLowBoxToken@36	proc near

arg_0		= dword	ptr  4

		mov	eax, 15Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwCreateLowBoxToken@36	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateTokenEx(x, x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x)
_ZwCreateTokenEx@68 proc near

arg_0		= dword	ptr  4

		mov	eax, 15Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	44h
_ZwCreateTokenEx@68 endp ; sp =	-8

; Exported entry 2697. ZwCreateTimer

;  S U B	R O U T	I N E 


; __stdcall ZwCreateTimer(x, x,	x, x)
		public _ZwCreateTimer@16
_ZwCreateTimer@16 proc near		; CODE XREF: DbgkpWerInitializeDeferredLiveDump(x)+4Dp

arg_0		= dword	ptr  4

		mov	eax, 15Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwCreateTimer@16 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateThreadEx(x,	x, x, x, x, x, x, x, x,	x, x)
_ZwCreateThreadEx@44 proc near		; CODE XREF: RtlpCreateUserThreadEx+DEp
					; DbgkUserReportWorkRoutine(x)+132p ...

arg_0		= dword	ptr  4

		mov	eax, 15Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	2Ch
_ZwCreateThreadEx@44 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateThread(x, x, x, x, x, x, x,	x)
_ZwCreateThread@32 proc	near

arg_0		= dword	ptr  4

		mov	eax, 160h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	20h
_ZwCreateThread@32 endp	; sp = -8

; Exported entry 2696. ZwCreateSymbolicLinkObject

;  S U B	R O U T	I N E 


; __stdcall ZwCreateSymbolicLinkObject(x, x, x,	x)
		public _ZwCreateSymbolicLinkObject@16
_ZwCreateSymbolicLinkObject@16 proc near ; CODE	XREF: SeGetTokenDeviceMap+1B4p
					; IoCreateSymbolicLink(x,x)+40p ...

arg_0		= dword	ptr  4

		mov	eax, 161h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwCreateSymbolicLinkObject@16 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateSemaphore(x, x, x, x, x)
_ZwCreateSemaphore@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 162h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwCreateSemaphore@20 endp ; sp	= -8

; Exported entry 2695. ZwCreateSection

;  S U B	R O U T	I N E 


; __stdcall ZwCreateSection(x, x, x, x,	x, x, x)
		public _ZwCreateSection@28
_ZwCreateSection@28 proc near		; CODE XREF: CmSiCreateSectionForFile(x,x,x,x,x)+36p
					; LdrpMapResourceFile+11Ep ...

arg_0		= dword	ptr  4

		mov	eax, 163h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	1Ch
_ZwCreateSection@28 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateSectionEx(x, x, x, x, x, x,	x, x, x)
_ZwCreateSectionEx@36 proc near

arg_0		= dword	ptr  4

		mov	eax, 164h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwCreateSectionEx@36 endp ; sp	= -8

; Exported entry 2694. ZwCreateResourceManager

;  S U B	R O U T	I N E 


; __stdcall ZwCreateResourceManager(x, x, x, x,	x, x, x)
		public _ZwCreateResourceManager@28
_ZwCreateResourceManager@28 proc near	; CODE XREF: CmpInitCmRM+516p

arg_0		= dword	ptr  4

		mov	eax, 165h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	1Ch
_ZwCreateResourceManager@28 endp ; sp =	-8

; Exported entry 2692. ZwCreateProfileEx

;  S U B	R O U T	I N E 


; __stdcall ZwCreateProfileEx(x, x, x, x, x, x,	x, x, x, x)
		public _ZwCreateProfileEx@40
_ZwCreateProfileEx@40 proc near

arg_0		= dword	ptr  4

		mov	eax, 166h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	28h
_ZwCreateProfileEx@40 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateProfile(x, x, x, x,	x, x, x, x, x)
_ZwCreateProfile@36 proc near

arg_0		= dword	ptr  4

		mov	eax, 167h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwCreateProfile@36 endp ; sp =	-8

; Exported entry 2691. ZwCreateProcessEx

;  S U B	R O U T	I N E 


; __stdcall ZwCreateProcessEx(x, x, x, x, x, x,	x, x, x)
		public _ZwCreateProcessEx@36
_ZwCreateProcessEx@36 proc near

arg_0		= dword	ptr  4

		mov	eax, 168h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwCreateProcessEx@36 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateProcess(x, x, x, x,	x, x, x, x)
_ZwCreateProcess@32 proc near

arg_0		= dword	ptr  4

		mov	eax, 169h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	20h
_ZwCreateProcess@32 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwCreatePrivateNamespace(x,	x, x, x)
_ZwCreatePrivateNamespace@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 16Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwCreatePrivateNamespace@16 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreatePort(x, x, x, x, x)
_ZwCreatePort@20 proc near		; CODE XREF: SeRmInitPhase1()+3Ap

arg_0		= dword	ptr  4

		mov	eax, 16Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwCreatePort@20 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreatePagingFile(x, x, x,	x)
_ZwCreatePagingFile@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 16Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwCreatePagingFile@16 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateNamedPipeFile(x, x,	x, x, x, x, x, x, x, x,	x, x, x, x)
_ZwCreateNamedPipeFile@56 proc near

arg_0		= dword	ptr  4

		mov	eax, 16Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	38h
_ZwCreateNamedPipeFile@56 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateMutant(x, x, x, x)
_ZwCreateMutant@16 proc	near		; CODE XREF: BcdInitializeBcdSyncMutant+3Dp

arg_0		= dword	ptr  4

		mov	eax, 16Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwCreateMutant@16 endp	; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateMailslotFile(x, x, x, x, x,	x, x, x)
_ZwCreateMailslotFile@32 proc near

arg_0		= dword	ptr  4

		mov	eax, 16Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	20h
_ZwCreateMailslotFile@32 endp ;	sp = -8

; Exported entry 2689. ZwCreateKeyTransacted

;  S U B	R O U T	I N E 


; __stdcall ZwCreateKeyTransacted(x, x,	x, x, x, x, x, x)
		public _ZwCreateKeyTransacted@32
_ZwCreateKeyTransacted@32 proc near	; DATA XREF: NtCreateKeyTransacted_Stub(x,x,x,x,x,x,x,x)+Eo

arg_0		= dword	ptr  4

		mov	eax, 170h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	20h
_ZwCreateKeyTransacted@32 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateKeyedEvent(x, x, x,	x)
_ZwCreateKeyedEvent@16 proc near	; CODE XREF: ExpKeyedEventInitialization+229p

arg_0		= dword	ptr  4

		mov	eax, 171h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwCreateKeyedEvent@16 endp ; sp = -8

; Exported entry 2688. ZwCreateKey

;  S U B	R O U T	I N E 


; __stdcall ZwCreateKey(x, x, x, x, x, x, x)
		public _ZwCreateKey@28
_ZwCreateKey@28	proc near		; CODE XREF: BiZwCreateKey(x,x,x,x,x,x,x)+14p
					; KvfCommitFeatureStates+3Ep ...

arg_0		= dword	ptr  4

		mov	eax, 172h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	1Ch
_ZwCreateKey@28	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateJobSet(x, x, x)
_ZwCreateJobSet@12 proc	near

arg_0		= dword	ptr  4

		mov	eax, 173h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwCreateJobSet@12 endp	; sp = -8

; Exported entry 2687. ZwCreateJobObject

;  S U B	R O U T	I N E 


; __stdcall ZwCreateJobObject(x, x, x)
		public _ZwCreateJobObject@12
_ZwCreateJobObject@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 174h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwCreateJobObject@12 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateIRTimer(x, x, x)
_ZwCreateIRTimer@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 175h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwCreateIRTimer@12 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateTimer2(x, x, x, x, x)
_ZwCreateTimer2@20 proc	near

arg_0		= dword	ptr  4

		mov	eax, 176h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwCreateTimer2@20 endp	; sp = -8

; Exported entry 2686. ZwCreateIoCompletion

;  S U B	R O U T	I N E 


; __stdcall ZwCreateIoCompletion(x, x, x, x)
		public _ZwCreateIoCompletion@16
_ZwCreateIoCompletion@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 177h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwCreateIoCompletion@16 endp ;	sp = -8

; Exported entry 2685. ZwCreateFile

;  S U B	R O U T	I N E 


; __stdcall ZwCreateFile(x, x, x, x, x,	x, x, x, x, x, x)
		public _ZwCreateFile@44
_ZwCreateFile@44 proc near		; CODE XREF: RtlFileMapInitializeByNtPath(x,x)+51p
					; LdrpMapResourceFile+B0p ...

arg_0		= dword	ptr  4

		mov	eax, 178h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	2Ch
_ZwCreateFile@44 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateEventPair(x, x, x)
_ZwCreateEventPair@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 179h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwCreateEventPair@12 endp ; sp	= -8

; Exported entry 2684. ZwCreateEvent

;  S U B	R O U T	I N E 


; __stdcall ZwCreateEvent(x, x,	x, x, x)
		public _ZwCreateEvent@20
_ZwCreateEvent@20 proc near		; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+273p
					; CmpCreateEvent(x,x,x)+3Bp ...

arg_0		= dword	ptr  4

		mov	eax, 17Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwCreateEvent@20 endp ; sp = -8

; Exported entry 2683. ZwCreateEnlistment

;  S U B	R O U T	I N E 


; __stdcall ZwCreateEnlistment(x, x, x,	x, x, x, x, x)
		public _ZwCreateEnlistment@32
_ZwCreateEnlistment@32 proc near

arg_0		= dword	ptr  4

		mov	eax, 17Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	20h
_ZwCreateEnlistment@32 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateEnclave(x, x, x, x,	x, x, x, x, x)
_ZwCreateEnclave@36 proc near

arg_0		= dword	ptr  4

		mov	eax, 17Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwCreateEnclave@36 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateDirectoryObjectEx(x, x, x, x, x)
_ZwCreateDirectoryObjectEx@20 proc near	; CODE XREF: ObpInitializeRootNamespace+88p
					; MiCreatePartitionNamespace(x)+5Ep ...

arg_0		= dword	ptr  4

		mov	eax, 17Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwCreateDirectoryObjectEx@20 endp ; sp	= -8

; Exported entry 2682. ZwCreateDirectoryObject

;  S U B	R O U T	I N E 


; __stdcall ZwCreateDirectoryObject(x, x, x)
		public _ZwCreateDirectoryObject@12
_ZwCreateDirectoryObject@12 proc near	; CODE XREF: SeGetTokenDeviceMap+10Cp
					; ObpInitializeRootNamespace+D7p ...

arg_0		= dword	ptr  4

		mov	eax, 17Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwCreateDirectoryObject@12 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateDebugObject(x, x, x, x)
_ZwCreateDebugObject@16	proc near

arg_0		= dword	ptr  4

		mov	eax, 17Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwCreateDebugObject@16	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCopyFileChunk(x, x, x, x,	x, x, x, x, x, x)
_ZwCopyFileChunk@40 proc near

arg_0		= dword	ptr  4

		mov	eax, 180h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	28h
_ZwCopyFileChunk@40 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwConvertBetweenAuxiliaryCounterAndPerformanceCounter(x, x,	x, x)
_ZwConvertBetweenAuxiliaryCounterAndPerformanceCounter@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 181h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwConvertBetweenAuxiliaryCounterAndPerformanceCounter@16 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwContinue(x, x)
_ZwContinue@8	proc near		; CODE XREF: RtlUnwind+21Cp
					; RtlRaiseException(x)+3Ap ...

arg_0		= dword	ptr  4

		mov	eax, 182h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwContinue@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwContinueEx(x, x)
_ZwContinueEx@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 183h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwContinueEx@8	endp ; sp = -8

; Exported entry 2680. ZwConnectPort

;  S U B	R O U T	I N E 


; __stdcall ZwConnectPort(x, x,	x, x, x, x, x, x)
		public _ZwConnectPort@32
_ZwConnectPort@32 proc near		; CODE XREF: SepRmLsaConnectRequest+195p

arg_0		= dword	ptr  4

		mov	eax, 184h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	20h
_ZwConnectPort@32 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCompressKey(x)
_ZwCompressKey@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 185h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwCompressKey@4 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCompleteConnectPort(x)
_ZwCompleteConnectPort@4 proc near	; CODE XREF: SepRmLsaConnectRequest+FEp

arg_0		= dword	ptr  4

		mov	eax, 186h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwCompleteConnectPort@4 endp ;	sp = -8

; Exported entry 2679. ZwCompareTokens

;  S U B	R O U T	I N E 


; __stdcall ZwCompareTokens(x, x, x)
		public _ZwCompareTokens@12
_ZwCompareTokens@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 187h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwCompareTokens@12 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwCompareSigningLevels(x, x)
_ZwCompareSigningLevels@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 188h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwCompareSigningLevels@8 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCompareObjects(x,	x)
_ZwCompareObjects@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 189h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwCompareObjects@8 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwCompactKeys(x, x)
_ZwCompactKeys@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 18Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwCompactKeys@8 endp ;	sp = -8

; Exported entry 2678. ZwCommitTransaction

;  S U B	R O U T	I N E 


; __stdcall ZwCommitTransaction(x, x)
		public _ZwCommitTransaction@8
_ZwCommitTransaction@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 18Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwCommitTransaction@8 endp ; sp = -8

; Exported entry 2676. ZwCommitEnlistment

;  S U B	R O U T	I N E 


; __stdcall ZwCommitEnlistment(x, x)
		public _ZwCommitEnlistment@8
_ZwCommitEnlistment@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 18Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwCommitEnlistment@8 endp ; sp	= -8

; Exported entry 2675. ZwCommitComplete

;  S U B	R O U T	I N E 


; __stdcall ZwCommitComplete(x,	x)
		public _ZwCommitComplete@8
_ZwCommitComplete@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 18Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwCommitComplete@8 endp ; sp =	-8

; Exported entry 2674. ZwCloseObjectAuditAlarm

;  S U B	R O U T	I N E 


; __stdcall ZwCloseObjectAuditAlarm(x, x, x)
		public _ZwCloseObjectAuditAlarm@12
_ZwCloseObjectAuditAlarm@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 18Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwCloseObjectAuditAlarm@12 endp ; sp =	-8

; Exported entry 2673. ZwClose

;  S U B	R O U T	I N E 


; __stdcall ZwClose(x)
		public _ZwClose@4
_ZwClose@4	proc near		; CODE XREF: BiZwClose(x)+3p
					; CmpTryToRundownHive+154p ...

arg_0		= dword	ptr  4

		mov	eax, 18Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwClose@4	endp ; sp = -8

; Exported entry 2672. ZwClearEvent

;  S U B	R O U T	I N E 


; __stdcall ZwClearEvent(x)
		public _ZwClearEvent@4
_ZwClearEvent@4	proc near

arg_0		= dword	ptr  4

		mov	eax, 190h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwClearEvent@4	endp ; sp = -8

; Exported entry 2671. ZwCancelWaitCompletionPacket

;  S U B	R O U T	I N E 


; __stdcall ZwCancelWaitCompletionPacket(x, x)
		public _ZwCancelWaitCompletionPacket@8
_ZwCancelWaitCompletionPacket@8	proc near

arg_0		= dword	ptr  4

		mov	eax, 191h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwCancelWaitCompletionPacket@8	endp ; sp = -8

; Exported entry 2670. ZwCancelTimer

;  S U B	R O U T	I N E 


; __stdcall ZwCancelTimer(x, x)
		public _ZwCancelTimer@8
_ZwCancelTimer@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 192h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwCancelTimer@8 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCancelSynchronousIoFile(x, x, x)
_ZwCancelSynchronousIoFile@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 193h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwCancelSynchronousIoFile@12 endp ; sp	= -8

; Exported entry 2669. ZwCancelIoFileEx

;  S U B	R O U T	I N E 


; __stdcall ZwCancelIoFileEx(x,	x, x)
		public _ZwCancelIoFileEx@12
_ZwCancelIoFileEx@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 194h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwCancelIoFileEx@12 endp ; sp = -8

; Exported entry 2668. ZwCancelIoFile

;  S U B	R O U T	I N E 


; __stdcall ZwCancelIoFile(x, x)
		public _ZwCancelIoFile@8
_ZwCancelIoFile@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 195h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwCancelIoFile@8 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCallEnclave(x, x,	x, x)
_ZwCallEnclave@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 196h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwCallEnclave@16 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCallbackReturn(x,	x, x)
_ZwCallbackReturn@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 197h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwCallbackReturn@12 endp ; sp = -8

; Exported entry 2667. ZwAssociateWaitCompletionPacket

;  S U B	R O U T	I N E 


; __stdcall ZwAssociateWaitCompletionPacket(x, x, x, x,	x, x, x, x)
		public _ZwAssociateWaitCompletionPacket@32
_ZwAssociateWaitCompletionPacket@32 proc near

arg_0		= dword	ptr  4

		mov	eax, 198h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	20h
_ZwAssociateWaitCompletionPacket@32 endp ; sp =	-8

; Exported entry 2666. ZwAssignProcessToJobObject

;  S U B	R O U T	I N E 


; __stdcall ZwAssignProcessToJobObject(x, x)
		public _ZwAssignProcessToJobObject@8
_ZwAssignProcessToJobObject@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 199h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwAssignProcessToJobObject@8 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwAreMappedFilesTheSame(x, x)
_ZwAreMappedFilesTheSame@8 proc	near

arg_0		= dword	ptr  4

		mov	eax, 19Ah
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwAreMappedFilesTheSame@8 endp	; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwApphelpCacheControl(x, x)
_ZwApphelpCacheControl@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 19Bh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwApphelpCacheControl@8 endp ;	sp = -8

; Exported entry 2665. ZwAlpcSetInformation

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcSetInformation(x, x, x, x)
		public _ZwAlpcSetInformation@16
_ZwAlpcSetInformation@16 proc near	; CODE XREF: PopUmpoInitializeChannel+197p
					; PopUmpoInitializeMonitorChannel+F5p

arg_0		= dword	ptr  4

		mov	eax, 19Ch
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwAlpcSetInformation@16 endp ;	sp = -8

; Exported entry 2664. ZwAlpcSendWaitReceivePort

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcSendWaitReceivePort(x, x, x, x, x, x,	x, x)
		public _ZwAlpcSendWaitReceivePort@32
_ZwAlpcSendWaitReceivePort@32 proc near	; CODE XREF: PopUmpoSendPowerMessage+98p
					; PopUmpoSendPowerMessage+F5p ...

arg_0		= dword	ptr  4

		mov	eax, 19Dh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	20h
_ZwAlpcSendWaitReceivePort@32 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwAlpcRevokeSecurityContext(x, x, x)
_ZwAlpcRevokeSecurityContext@12	proc near

arg_0		= dword	ptr  4

		mov	eax, 19Eh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwAlpcRevokeSecurityContext@12	endp ; sp = -8

; Exported entry 2663. ZwAlpcQueryInformationMessage

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcQueryInformationMessage(x, x,	x, x, x, x)
		public _ZwAlpcQueryInformationMessage@24
_ZwAlpcQueryInformationMessage@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 19Fh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwAlpcQueryInformationMessage@24 endp ; sp = -8

; Exported entry 2662. ZwAlpcQueryInformation

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcQueryInformation(x, x, x, x, x)
		public _ZwAlpcQueryInformation@20
_ZwAlpcQueryInformation@20 proc	near

arg_0		= dword	ptr  4

		mov	eax, 1A0h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwAlpcQueryInformation@20 endp	; sp = -8

; Exported entry 2661. ZwAlpcOpenSenderThread

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcOpenSenderThread(x, x, x, x, x, x)
		public _ZwAlpcOpenSenderThread@24
_ZwAlpcOpenSenderThread@24 proc	near

arg_0		= dword	ptr  4

		mov	eax, 1A1h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwAlpcOpenSenderThread@24 endp	; sp = -8

; Exported entry 2660. ZwAlpcOpenSenderProcess

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcOpenSenderProcess(x, x, x, x,	x, x)
		public _ZwAlpcOpenSenderProcess@24
_ZwAlpcOpenSenderProcess@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 1A2h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwAlpcOpenSenderProcess@24 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwAlpcImpersonateClientOfPort(x, x,	x)
_ZwAlpcImpersonateClientOfPort@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 1A3h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwAlpcImpersonateClientOfPort@12 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwAlpcImpersonateClientContainerOfPort(x, x, x)
_ZwAlpcImpersonateClientContainerOfPort@12 proc	near

arg_0		= dword	ptr  4

		mov	eax, 1A4h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwAlpcImpersonateClientContainerOfPort@12 endp	; sp = -8

; Exported entry 2659. ZwAlpcDisconnectPort

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcDisconnectPort(x, x)
		public _ZwAlpcDisconnectPort@8
_ZwAlpcDisconnectPort@8	proc near	; CODE XREF: DbgkRegisterErrorPort+853FEp

arg_0		= dword	ptr  4

		mov	eax, 1A5h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwAlpcDisconnectPort@8	endp ; sp = -8

; Exported entry 2658. ZwAlpcDeleteSecurityContext

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcDeleteSecurityContext(x, x, x)
		public _ZwAlpcDeleteSecurityContext@12
_ZwAlpcDeleteSecurityContext@12	proc near

arg_0		= dword	ptr  4

		mov	eax, 1A6h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwAlpcDeleteSecurityContext@12	endp ; sp = -8

; Exported entry 2657. ZwAlpcDeleteSectionView

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcDeleteSectionView(x, x, x)
		public _ZwAlpcDeleteSectionView@12
_ZwAlpcDeleteSectionView@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 1A7h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwAlpcDeleteSectionView@12 endp ; sp =	-8

; Exported entry 2656. ZwAlpcDeleteResourceReserve

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcDeleteResourceReserve(x, x, x)
		public _ZwAlpcDeleteResourceReserve@12
_ZwAlpcDeleteResourceReserve@12	proc near

arg_0		= dword	ptr  4

		mov	eax, 1A8h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwAlpcDeleteResourceReserve@12	endp ; sp = -8

; Exported entry 2655. ZwAlpcDeletePortSection

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcDeletePortSection(x, x, x)
		public _ZwAlpcDeletePortSection@12
_ZwAlpcDeletePortSection@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 1A9h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwAlpcDeletePortSection@12 endp ; sp =	-8

; Exported entry 2654. ZwAlpcCreateSecurityContext

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcCreateSecurityContext(x, x, x)
		public _ZwAlpcCreateSecurityContext@12
_ZwAlpcCreateSecurityContext@12	proc near

arg_0		= dword	ptr  4

		mov	eax, 1AAh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwAlpcCreateSecurityContext@12	endp ; sp = -8

; Exported entry 2653. ZwAlpcCreateSectionView

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcCreateSectionView(x, x, x)
		public _ZwAlpcCreateSectionView@12
_ZwAlpcCreateSectionView@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 1ABh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwAlpcCreateSectionView@12 endp ; sp =	-8

; Exported entry 2652. ZwAlpcCreateResourceReserve

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcCreateResourceReserve(x, x, x, x)
		public _ZwAlpcCreateResourceReserve@16
_ZwAlpcCreateResourceReserve@16	proc near

arg_0		= dword	ptr  4

		mov	eax, 1ACh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwAlpcCreateResourceReserve@16	endp ; sp = -8

; Exported entry 2651. ZwAlpcCreatePortSection

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcCreatePortSection(x, x, x, x,	x, x)
		public _ZwAlpcCreatePortSection@24
_ZwAlpcCreatePortSection@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 1ADh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwAlpcCreatePortSection@24 endp ; sp =	-8

; Exported entry 2650. ZwAlpcCreatePort

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcCreatePort(x,	x, x)
		public _ZwAlpcCreatePort@12
_ZwAlpcCreatePort@12 proc near		; CODE XREF: PopUmpoInitializeChannel+130p
					; PopUmpoInitializeMonitorChannel+8Bp

arg_0		= dword	ptr  4

		mov	eax, 1AEh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwAlpcCreatePort@12 endp ; sp = -8

; Exported entry 2648. ZwAlpcConnectPort

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcConnectPort(x, x, x, x, x, x,	x, x, x, x, x)
		public _ZwAlpcConnectPort@44
_ZwAlpcConnectPort@44 proc near		; CODE XREF: DbgkRegisterErrorPort+12Ap

arg_0		= dword	ptr  4

		mov	eax, 1AFh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	2Ch
_ZwAlpcConnectPort@44 endp ; sp	= -8

; Exported entry 2649. ZwAlpcConnectPortEx

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcConnectPortEx(x, x, x, x, x, x, x, x,	x, x, x)
		public _ZwAlpcConnectPortEx@44
_ZwAlpcConnectPortEx@44	proc near

arg_0		= dword	ptr  4

		mov	eax, 1B0h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	2Ch
_ZwAlpcConnectPortEx@44	endp ; sp = -8

; Exported entry 2647. ZwAlpcCancelMessage

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcCancelMessage(x, x, x)
		public _ZwAlpcCancelMessage@12
_ZwAlpcCancelMessage@12	proc near	; CODE XREF: PopUmpoProcessMessage+1711A3p

arg_0		= dword	ptr  4

		mov	eax, 1B1h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwAlpcCancelMessage@12	endp ; sp = -8

; Exported entry 2646. ZwAlpcAcceptConnectPort

;  S U B	R O U T	I N E 


; __stdcall ZwAlpcAcceptConnectPort(x, x, x, x,	x, x, x, x, x)
		public _ZwAlpcAcceptConnectPort@36
_ZwAlpcAcceptConnectPort@36 proc near	; CODE XREF: PopUmpoProcessMessage+DBp
					; sub_8D762F+1Ap ...

arg_0		= dword	ptr  4

		mov	eax, 1B2h

loc_57FFFD:				; DATA XREF: .text:0041C27Co
		lea	edx, [esp+arg_0]
		pushf

loc_580002:				; DATA XREF: .text:00425DFCo
		push	8

loc_580004:				; DATA XREF: .text:0042554Co
		call	_KiSystemService
		retn	24h
_ZwAlpcAcceptConnectPort@36 endp ; sp =	-8

; Exported entry 2644. ZwAllocateVirtualMemory

;  S U B	R O U T	I N E 


; __stdcall ZwAllocateVirtualMemory(x, x, x, x,	x, x)
		public _ZwAllocateVirtualMemory@24
_ZwAllocateVirtualMemory@24 proc near	; CODE XREF: RtlpHpAllocVirtBlockCommitFirst(x,x,x,x)+30p
					; RtlpStdExtendLowerWatermark(x,x)+78p	...

arg_0		= dword	ptr  4

		mov	eax, 1B3h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwAllocateVirtualMemory@24 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwAllocateUuids(x, x, x, x)
_ZwAllocateUuids@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 1B4h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwAllocateUuids@16 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwAllocateUserPhysicalPages(x, x, x)
_ZwAllocateUserPhysicalPages@12	proc near

arg_0		= dword	ptr  4

		mov	eax, 1B5h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
_ZwAllocateUserPhysicalPages@12	endp

; [00000003 BYTES: COLLAPSED FUNCTION nullsub_4. PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 


; __stdcall ZwAllocateUserPhysicalPagesEx(x, x,	x, x, x)
_ZwAllocateUserPhysicalPagesEx@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 1B6h
		lea	edx, [esp+arg_0]
		pushf
		push	8

loc_580054:				; DATA XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x):loc_9E42A9o
		call	_KiSystemService
		retn	14h
_ZwAllocateUserPhysicalPagesEx@20 endp ; sp = -8

; Exported entry 2643. ZwAllocateReserveObject

;  S U B	R O U T	I N E 


; __stdcall ZwAllocateReserveObject(x, x, x)
		public _ZwAllocateReserveObject@12
_ZwAllocateReserveObject@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 1B7h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwAllocateReserveObject@12 endp ; sp =	-8

; Exported entry 2642. ZwAllocateLocallyUniqueId

;  S U B	R O U T	I N E 


; __stdcall ZwAllocateLocallyUniqueId(x)
		public _ZwAllocateLocallyUniqueId@4
_ZwAllocateLocallyUniqueId@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 1B8h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwAllocateLocallyUniqueId@4 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwAlertThreadByThreadId(x)
_ZwAlertThreadByThreadId@4 proc	near

arg_0		= dword	ptr  4

		mov	eax, 1B9h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwAlertThreadByThreadId@4 endp	; sp = -8

; Exported entry 2641. ZwAlertThread

;  S U B	R O U T	I N E 


; __stdcall ZwAlertThread(x)
		public _ZwAlertThread@4
_ZwAlertThread@4 proc near

arg_0		= dword	ptr  4

		mov	eax, 1BAh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	4
_ZwAlertThread@4 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwAlertResumeThread(x, x)
_ZwAlertResumeThread@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 1BBh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwAlertResumeThread@8 endp ; sp = -8

; Exported entry 2640. ZwAdjustPrivilegesToken

;  S U B	R O U T	I N E 


; __stdcall ZwAdjustPrivilegesToken(x, x, x, x,	x, x)
		public _ZwAdjustPrivilegesToken@24
_ZwAdjustPrivilegesToken@24 proc near	; CODE XREF: RtlAcquirePrivilege+121p
					; RtlReleasePrivilege(x)+1Cp ...

arg_0		= dword	ptr  4

		mov	eax, 1BCh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwAdjustPrivilegesToken@24 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwAdjustGroupsToken(x, x, x, x, x, x)
_ZwAdjustGroupsToken@24	proc near

arg_0		= dword	ptr  4

		mov	eax, 1BDh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwAdjustGroupsToken@24	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwAdjustTokenClaimsAndDeviceGroups(x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x)
_ZwAdjustTokenClaimsAndDeviceGroups@64 proc near

arg_0		= dword	ptr  4

		mov	eax, 1BEh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	40h
_ZwAdjustTokenClaimsAndDeviceGroups@64 endp ; sp = -8

; Exported entry 2639. ZwAddDriverEntry

;  S U B	R O U T	I N E 


; __stdcall ZwAddDriverEntry(x,	x)
		public _ZwAddDriverEntry@8
_ZwAddDriverEntry@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 1BFh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwAddDriverEntry@8 endp ; sp =	-8

; Exported entry 2638. ZwAddBootEntry

;  S U B	R O U T	I N E 


; __stdcall ZwAddBootEntry(x, x)
		public _ZwAddBootEntry@8
_ZwAddBootEntry@8 proc near		; CODE XREF: BiAddBootEntry(x,x)+2Ap

arg_0		= dword	ptr  4

		mov	eax, 1C0h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwAddBootEntry@8 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwAddAtom(x, x, x)
_ZwAddAtom@12	proc near

arg_0		= dword	ptr  4

		mov	eax, 1C1h
		lea	edx, [esp+arg_0]
		pushf
		push	8

loc_580130:				; DATA XREF: .text:0042AA61o
		call	_KiSystemService
		retn	0Ch
_ZwAddAtom@12	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwAddAtomEx(x, x, x, x)
_ZwAddAtomEx@16	proc near

arg_0		= dword	ptr  4

		mov	eax, 1C2h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwAddAtomEx@16	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwAcquireProcessActivityReference(x, x, x)
_ZwAcquireProcessActivityReference@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 1C3h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwAcquireProcessActivityReference@12 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwAccessCheckByTypeResultListAndAuditAlarmByHandle(x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x, x)
_ZwAccessCheckByTypeResultListAndAuditAlarmByHandle@68 proc near

arg_0		= dword	ptr  4

		mov	eax, 1C4h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	44h
_ZwAccessCheckByTypeResultListAndAuditAlarmByHandle@68 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwAccessCheckByTypeResultListAndAuditAlarm(x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x)
_ZwAccessCheckByTypeResultListAndAuditAlarm@64 proc near

arg_0		= dword	ptr  4

		mov	eax, 1C5h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	40h
_ZwAccessCheckByTypeResultListAndAuditAlarm@64 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwAccessCheckByTypeResultList(x, x,	x, x, x, x, x, x, x, x,	x)
_ZwAccessCheckByTypeResultList@44 proc near

arg_0		= dword	ptr  4

		mov	eax, 1C6h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	2Ch
_ZwAccessCheckByTypeResultList@44 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwAccessCheckByTypeAndAuditAlarm(x,	x, x, x, x, x, x, x, x,	x, x, x, x, x, x, x)
_ZwAccessCheckByTypeAndAuditAlarm@64 proc near

arg_0		= dword	ptr  4

		mov	eax, 1C7h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	40h
_ZwAccessCheckByTypeAndAuditAlarm@64 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwAccessCheckByType(x, x, x, x, x, x, x, x,	x, x, x)
_ZwAccessCheckByType@44	proc near

arg_0		= dword	ptr  4

		mov	eax, 1C8h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	2Ch
_ZwAccessCheckByType@44	endp ; sp = -8

; Exported entry 2637. ZwAccessCheckAndAuditAlarm

;  S U B	R O U T	I N E 


; __stdcall ZwAccessCheckAndAuditAlarm(x, x, x,	x, x, x, x, x, x, x, x)
		public _ZwAccessCheckAndAuditAlarm@44
_ZwAccessCheckAndAuditAlarm@44 proc near

arg_0		= dword	ptr  4

		mov	eax, 1C9h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	2Ch
_ZwAccessCheckAndAuditAlarm@44 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwSetInformationSymbolicLink(x, x, x, x)
_ZwSetInformationSymbolicLink@16 proc near ; CODE XREF:	ObpInitializeRootNamespace+6591Dp

arg_0		= dword	ptr  4

		mov	eax, 1CAh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwSetInformationSymbolicLink@16 endp ;	sp = -8

; Exported entry 2693. ZwCreateRegistryTransaction

;  S U B	R O U T	I N E 


; __stdcall ZwCreateRegistryTransaction(x, x, x, x)
		public _ZwCreateRegistryTransaction@16
_ZwCreateRegistryTransaction@16	proc near

arg_0		= dword	ptr  4

		mov	eax, 1CBh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwCreateRegistryTransaction@16	endp ; sp = -8

; Exported entry 2761. ZwOpenRegistryTransaction

;  S U B	R O U T	I N E 


; __stdcall ZwOpenRegistryTransaction(x, x, x)
		public _ZwOpenRegistryTransaction@12
_ZwOpenRegistryTransaction@12 proc near

arg_0		= dword	ptr  4

		mov	eax, 1CCh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	0Ch
_ZwOpenRegistryTransaction@12 endp ; sp	= -8

; Exported entry 2677. ZwCommitRegistryTransaction

;  S U B	R O U T	I N E 


; __stdcall ZwCommitRegistryTransaction(x, x)
		public _ZwCommitRegistryTransaction@8
_ZwCommitRegistryTransaction@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 1CDh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwCommitRegistryTransaction@8 endp ; sp = -8

; Exported entry 2836. ZwRollbackRegistryTransaction

;  S U B	R O U T	I N E 


; __stdcall ZwRollbackRegistryTransaction(x, x)
		public _ZwRollbackRegistryTransaction@8
_ZwRollbackRegistryTransaction@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 1CEh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwRollbackRegistryTransaction@8 endp ;	sp = -8

; Exported entry 2645. ZwAllocateVirtualMemoryEx

;  S U B	R O U T	I N E 


; __stdcall ZwAllocateVirtualMemoryEx(x, x, x, x, x, x,	x)
		public _ZwAllocateVirtualMemoryEx@28
_ZwAllocateVirtualMemoryEx@28 proc near

arg_0		= dword	ptr  4

		mov	eax, 1CFh
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	1Ch
_ZwAllocateVirtualMemoryEx@28 endp ; sp	= -8


;  S U B	R O U T	I N E 


; __stdcall ZwMapViewOfSectionEx(x, x, x, x, x,	x, x, x, x)
_ZwMapViewOfSectionEx@36 proc near

arg_0		= dword	ptr  4

		mov	eax, 1D0h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	24h
_ZwMapViewOfSectionEx@36 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwManageHotPatch(x,	x, x, x)
_ZwManageHotPatch@16 proc near

arg_0		= dword	ptr  4

		mov	eax, 1D1h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	10h
_ZwManageHotPatch@16 endp ; sp = -8

; Exported entry 2681. ZwCreateCrossVmEvent

;  S U B	R O U T	I N E 


; __stdcall ZwCreateCrossVmEvent(x, x, x, x, x,	x)
		public _ZwCreateCrossVmEvent@24
_ZwCreateCrossVmEvent@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 1D2h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwCreateCrossVmEvent@24 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwCreateCrossVmMutant(x, x,	x, x, x, x)
_ZwCreateCrossVmMutant@24 proc near

arg_0		= dword	ptr  4

		mov	eax, 1D3h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	18h
_ZwCreateCrossVmMutant@24 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwAcquireCrossVmMutant(x, x)
_ZwAcquireCrossVmMutant@8 proc near

arg_0		= dword	ptr  4

		mov	eax, 1D4h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	8
_ZwAcquireCrossVmMutant@8 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwPssCaptureVaSpaceBulk(x, x, x, x,	x)
_ZwPssCaptureVaSpaceBulk@20 proc near	; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+23Bp

arg_0		= dword	ptr  4

		mov	eax, 1D5h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwPssCaptureVaSpaceBulk@20 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall ZwDirectGraphicsCall(x, x, x, x, x)
_ZwDirectGraphicsCall@20 proc near

arg_0		= dword	ptr  4

		mov	eax, 1D6h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	14h
_ZwDirectGraphicsCall@20 endp ;	sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwLoadKey3(x, x, x,	x, x, x, x, x)
_ZwLoadKey3@32	proc near

arg_0		= dword	ptr  4

		mov	eax, 1D7h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	20h
_ZwLoadKey3@32	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ZwQueueApcThreadEx2(x, x, x, x, x, x, x)
_ZwQueueApcThreadEx2@28	proc near

arg_0		= dword	ptr  4

		mov	eax, 1D8h
		lea	edx, [esp+arg_0]
		pushf
		push	8
		call	_KiSystemService
		retn	1Ch
_ZwQueueApcThreadEx2@28	endp ; sp = -8

; Exported entry 1105. KeBugCheck

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeBugCheck(x)
		public _KeBugCheck@4
_KeBugCheck@4	proc near		; CODE XREF: .text:004B3066p
					; .text:0051BC4Dp ...

arg_0		= dword	ptr  8

		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	0
		push	0
		push	0
		push	[ebp+arg_0]
		call	_KiBugCheck2@24	; KiBugCheck2(x,x,x,x,x,x)

loc_580319:				; DATA XREF: KiBugCheck2(x,x,x,x,x,x):loc_5803A9o
		int	3		; Trap to Debugger
		mov	edi, edi
_KeBugCheck@4	endp

; Exported entry 1106. KeBugCheckEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeBugCheckEx(x, x, x, x, x)
		public _KeBugCheckEx@20
_KeBugCheckEx@20 proc near		; CODE XREF: .text:0043231Fp
					; SmpKeyedStoreEntryGet(x,x,x,x)+208p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_KiBugCheck2@24	; KiBugCheck2(x,x,x,x,x,x)

loc_580335:				; DATA XREF: KiBugCheck2(x,x,x,x,x,x)+63o
		int	3		; Trap to Debugger
		mov	edi, edi
_KeBugCheckEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiBugCheck2(x, x, x, x, x, x)
_KiBugCheck2@24	proc near		; CODE XREF: KeBugCheck(x)+10p
					; KeBugCheckEx(x,x,x,x,x)+14p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		push	ebp
		mov	ebp, esp
		pushf
		push	ebx
		push	ecx
		cli
		mov	ebx, large fs:20h
		mov	ecx, [ebx+4168h]
		push	ecx
		call	_RtlCaptureContext@4 ; RtlCaptureContext(x)
		lea	ecx, [ebx+18h]
		push	ecx
		call	_KiSaveProcessorControlState@4 ; KiSaveProcessorControlState(x)
		mov	edi, [ebx+4168h]
		pop	eax
		mov	[edi+0ACh], eax
		pop	eax
		mov	[edi+0A4h], eax
		mov	eax, [ebp+var_4]
		mov	[edi+0C0h], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebx+4C0h], eax
		cmp	al, 2
		jge	short loc_580393
		mov	ecx, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_580393:				; CODE XREF: KiBugCheck2(x,x,x,x,x,x)+4Ej
		mov	edx, offset _KiBugCheck2@24 ; KiBugCheck2(x,x,x,x,x,x)
		mov	eax, [ebp+4]
		cmp	eax, offset loc_580335
		jnz	short loc_5803A9
		mov	edx, offset _KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		jmp	short loc_5803B5
; 

loc_5803A9:				; CODE XREF: KiBugCheck2(x,x,x,x,x,x)+68j
		cmp	eax, offset loc_580319
		jnz	short loc_5803BA
		mov	edx, offset _KeBugCheck@4 ; int

loc_5803B5:				; CODE XREF: KiBugCheck2(x,x,x,x,x,x)+6Fj
		mov	esi, [ebp+0]
		jmp	short loc_5803BC
; 

loc_5803BA:				; CODE XREF: KiBugCheck2(x,x,x,x,x,x)+76j
		mov	esi, ebp

loc_5803BC:				; CODE XREF: KiBugCheck2(x,x,x,x,x,x)+80j
		mov	ebx, [esi]
		add	esi, 4
		mov	[edi+0B8h], edx
		mov	[edi+0B4h], ebx
		mov	[edi+0C4h], esi
		mov	eax, [ebp+var_4]
		test	eax, 200h
		jz	short loc_5803DE
		sti

loc_5803DE:				; CODE XREF: KiBugCheck2(x,x,x,x,x,x)+A3j
		lock inc _KiHardwareTrigger
		lea	esi, [ebp+arg_0]
		push	dword ptr [esi+14h] ; int
		push	dword ptr [esi+10h] ; int
		push	dword ptr [esi+0Ch] ; int
		push	dword ptr [esi+8] ; int
		push	dword ptr [esi+4] ; int
		push	dword ptr [esi]	; int
		call	_KeBugCheck2@24	; KeBugCheck2(x,x,x,x,x,x)
		int	3		; Trap to Debugger
		nop
_KiBugCheck2@24	endp


; __stdcall KiSaveProcessorControlState(x)
_KiSaveProcessorControlState@4:		; CODE XREF: KiBugCheck2(x,x,x,x,x,x)+1Ep
					; _KeSaveStateForHibernate+13p	...
		mov	edx, [esp+4]
		mov	eax, cr0
		mov	[edx+2CCh], eax
		mov	eax, cr2
		mov	[edx+2D0h], eax
		mov	eax, cr3
		mov	[edx+2D4h], eax
		xor	eax, eax
		test	ds:_KeFeatureBits, 4
		jz	short loc_580430
		mov	eax, cr4

loc_580430:				; CODE XREF: .text:0058042Bj
		mov	[edx+2D8h], eax
		mov	eax, dr0
		mov	[edx+2DCh], eax
		mov	eax, dr1
		mov	[edx+2E0h], eax
		mov	eax, dr2
		mov	[edx+2E4h], eax
		mov	eax, dr3
		mov	[edx+2E8h], eax
		mov	eax, dr6
		mov	[edx+2ECh], eax
		xor	ecx, ecx
		mov	eax, dr7
		mov	dr7, ecx
		mov	[edx+2F0h], eax
		sgdt	fword ptr [edx+2F6h]
		sidt	fword ptr [edx+2FEh]
		str	word ptr [edx+304h]
		sldt	word ptr [edx+306h]
		mov	eax, large fs:0
		mov	[edx+310h], eax
		mov	ecx, edx
		xor	eax, eax
		xor	edx, edx
		test	dword ptr [ecx+2D8h], 40000h
		jz	short loc_5804B4
		xor	ecx, ecx
; 
		db 0Fh,	1, 0D0h
; 
		mov	ecx, [esp+4]

loc_5804B4:				; CODE XREF: .text:005804A9j
		mov	[ecx+308h], eax
		mov	[ecx+30Ch], edx
		retn	4
; Exported entry 1282. KeSaveStateForHibernate

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _KeSaveStateForHibernate
_KeSaveStateForHibernate proc near	; CODE XREF: PopSaveHiberContextWrapper(x)+1Dp

arg_0		= dword	ptr  8

		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		add	ecx, 0
		push	ecx
		call	_RtlCaptureContext@4 ; RtlCaptureContext(x)
		mov	ecx, [ebp+arg_0]
		push	ecx
		call	_KiSaveProcessorControlState@4 ; KiSaveProcessorControlState(x)
		pop	ebp
		retn
_KeSaveStateForHibernate endp ;	sp = -4

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KeGetCurrentStackPointer()
_KeGetCurrentStackPointer@0 proc near	; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+3Cp
					; KiExpandKernelStackAndCalloutSwitchStack+D0p	...

arg_0		= dword	ptr  4

		lea	eax, [esp+arg_0]
		retn
_KeGetCurrentStackPointer@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall Ke386GetTr()
_Ke386GetTr@0	proc near
		db	66h
		str	ax
		retn
_Ke386GetTr@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiFxstateRestore(x)
_KiFxstateRestore@4 proc near		; CODE XREF: KeContextToKframes+2A8p
					; KeRestoreExtendedAndSupervisorState+E45EFp

arg_0		= dword	ptr  4

		mov	ecx, [esp+arg_0]
		fnstsw	ax
		bt	ax, 7
		jnb	short loc_5804FF
		fnclex

loc_5804FF:				; CODE XREF: KiFxstateRestore(x)+Bj
		ffree	st(7)
		fild	dword ptr [ecx]
		fxrstor	dword ptr [ecx]
		retn	4
_KiFxstateRestore@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiFxstateSave(x)
_KiFxstateSave@4 proc near

arg_0		= dword	ptr  4

		mov	ecx, [esp+arg_0]
		fxsave	dword ptr [ecx]
		retn	4
_KiFxstateSave@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiRestoreProcessorControlState(x)
_KiRestoreProcessorControlState@4 proc near ; CODE XREF: KiFreezeTargetExecution(x,x)+18Ap
					; KdpReport(x,x,x,x,x,x)+B6p ...

arg_0		= dword	ptr  4

		mov	edx, [esp+arg_0]
		mov	eax, [edx+2CCh]
		mov	cr0, eax
		mov	eax, [edx+2D0h]
		mov	cr2, eax
		mov	eax, [edx+2D4h]
		mov	cr3, eax
		test	ds:_KeFeatureBits, 4
		jz	short loc_58054C
		mov	eax, [edx+2D8h]
		mov	cr4, eax

loc_58054C:				; CODE XREF: KiRestoreProcessorControlState(x)+29j
		mov	eax, [edx+2DCh]
		mov	dr0, eax
		mov	eax, [edx+2E0h]
		mov	dr1, eax
		mov	eax, [edx+2E4h]
		mov	dr2, eax
		mov	eax, [edx+2E8h]
		mov	dr3, eax
		mov	eax, [edx+2ECh]
		mov	dr6, eax
		mov	eax, [edx+2F0h]
		mov	dr7, eax
		lgdt	fword ptr [edx+2F6h]
		lidt	fword ptr [edx+2FEh]
		mov	eax, [edx+2F8h]
		xor	ecx, ecx
		mov	cx, [edx+304h]
		add	eax, 5
		add	eax, ecx
		and	byte ptr [eax],	0FDh
		ltr	word ptr [edx+304h]
		lldt	word ptr [edx+306h]
		retn	4
_KiRestoreProcessorControlState@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiPassiveRelease()
_KiPassiveRelease@0 proc near
		retn
_KiPassiveRelease@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KeDisableInterrupts()
_KeDisableInterrupts@0 proc near	; CODE XREF: PpmIdleSnapConcurrency+1Cp
					; KiUpdateTime+83p ...
		pushf
		pop	eax
		and	eax, 200h
		shr	eax, 9
		cli
		retn
_KeDisableInterrupts@0 endp


;  S U B	R O U T	I N E 


; __stdcall KeAreInterruptsEnabled()
_KeAreInterruptsEnabled@0 proc near	; CODE XREF: MmCanThreadFault()p
					; KeContextToKframes+18p ...
		pushf
		pop	eax
		shr	eax, 9
		and	eax, 1
		retn
_KeAreInterruptsEnabled@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiFlushCurrentRsb()
_KiFlushCurrentRsb@0 proc near		; CODE XREF: KiUpdateSpeculationControl(x)+484p
		pushf
		pop	eax
		cli
		call	sub_5806CC

loc_5805DC:				; CODE XREF: KiFlushCurrentRsb()+13p
		add	esp, 4
		call	sub_5806D4

loc_5805E4:				; CODE XREF: KiFlushCurrentRsb()+1Bp
		add	esp, 4
		call	loc_5805DC

loc_5805EC:				; CODE XREF: KiFlushCurrentRsb()+23p
		add	esp, 4
		call	loc_5805E4

loc_5805F4:				; CODE XREF: KiFlushCurrentRsb()+2Bp
		add	esp, 4
		call	loc_5805EC

loc_5805FC:				; CODE XREF: KiFlushCurrentRsb()+33p
		add	esp, 4
		call	loc_5805F4

loc_580604:				; CODE XREF: KiFlushCurrentRsb()+3Bp
		add	esp, 4
		call	loc_5805FC

loc_58060C:				; CODE XREF: KiFlushCurrentRsb()+43p
		add	esp, 4
		call	loc_580604

loc_580614:				; CODE XREF: KiFlushCurrentRsb()+4Bp
		add	esp, 4
		call	loc_58060C

loc_58061C:				; CODE XREF: KiFlushCurrentRsb()+53p
		add	esp, 4
		call	loc_580614

loc_580624:				; CODE XREF: KiFlushCurrentRsb()+5Bp
		add	esp, 4
		call	loc_58061C

loc_58062C:				; CODE XREF: KiFlushCurrentRsb()+63p
		add	esp, 4
		call	loc_580624

loc_580634:				; CODE XREF: KiFlushCurrentRsb()+6Bp
		add	esp, 4
		call	loc_58062C

loc_58063C:				; CODE XREF: KiFlushCurrentRsb()+73p
		add	esp, 4
		call	loc_580634

loc_580644:				; CODE XREF: KiFlushCurrentRsb()+7Bp
		add	esp, 4
		call	loc_58063C

loc_58064C:				; CODE XREF: KiFlushCurrentRsb()+83p
		add	esp, 4
		call	loc_580644

loc_580654:				; CODE XREF: KiFlushCurrentRsb()+8Bp
		add	esp, 4
		call	loc_58064C

loc_58065C:				; CODE XREF: KiFlushCurrentRsb()+93p
		add	esp, 4
		call	loc_580654

loc_580664:				; CODE XREF: KiFlushCurrentRsb()+9Bp
		add	esp, 4
		call	loc_58065C

loc_58066C:				; CODE XREF: KiFlushCurrentRsb()+A3p
		add	esp, 4
		call	loc_580664

loc_580674:				; CODE XREF: KiFlushCurrentRsb()+ABp
		add	esp, 4
		call	loc_58066C

loc_58067C:				; CODE XREF: KiFlushCurrentRsb()+B3p
		add	esp, 4
		call	loc_580674

loc_580684:				; CODE XREF: KiFlushCurrentRsb()+BBp
		add	esp, 4
		call	loc_58067C

loc_58068C:				; CODE XREF: KiFlushCurrentRsb()+C3p
		add	esp, 4
		call	loc_580684

loc_580694:				; CODE XREF: KiFlushCurrentRsb()+CBp
		add	esp, 4
		call	loc_58068C

loc_58069C:				; CODE XREF: KiFlushCurrentRsb()+D3p
		add	esp, 4
		call	loc_580694

loc_5806A4:				; CODE XREF: KiFlushCurrentRsb()+DBp
		add	esp, 4
		call	loc_58069C

loc_5806AC:				; CODE XREF: KiFlushCurrentRsb()+E3p
		add	esp, 4
		call	loc_5806A4

loc_5806B4:				; CODE XREF: KiFlushCurrentRsb()+EBp
		add	esp, 4
		call	loc_5806AC

loc_5806BC:				; CODE XREF: KiFlushCurrentRsb()+F3p
		add	esp, 4
		call	loc_5806B4

loc_5806C4:				; CODE XREF: sub_5806CC+3p
		add	esp, 4
		call	loc_5806BC
_KiFlushCurrentRsb@0 endp


;  S U B	R O U T	I N E 


sub_5806CC	proc near		; CODE XREF: KiFlushCurrentRsb()+3p
		add	esp, 4
		call	loc_5806C4
sub_5806CC	endp


;  S U B	R O U T	I N E 


sub_5806D4	proc near		; CODE XREF: KiFlushCurrentRsb()+Bp
		add	esp, 4
		lfence	eax
		test	eax, 200h
		jz	short locret_5806E2
		sti

locret_5806E2:				; CODE XREF: sub_5806D4+Bj
		retn
sub_5806D4	endp ; sp =  4

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall Ki386FatalExceptionHandler(x, x, x,	x)
_Ki386FatalExceptionHandler@16 proc near
					; DATA XREF: KiSwitchKernelStackAndCallout(x,x,x,x)+82o
		jmp	_KiFatalExceptionHandler@16 ; KiFatalExceptionHandler(x,x,x,x)
_Ki386FatalExceptionHandler@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiCallUserMode(x, x, x, x)
_KiCallUserMode@16 proc	near		; CODE XREF: KeUserModeCallback+16Dp
					; DATA XREF: .data:006B1AC0o

arg_8		= dword	ptr  1Ch
arg_C		= dword	ptr  20h

		push	ebp
		push	ebx
		push	esi
		push	edi
		cld
		mov	ebx, large fs:124h
		mov	ecx, [esp+arg_8]
		mov	[ecx+18h], esp
		mov	ebp, large fs:0
		mov	[ecx+0Ch], ebp
		mov	eax, [ebx+6Ch]
		mov	[ecx+8], eax
		mov	edx, [esp+arg_C]
		mov	esi, edx
		sub	esi, ds:_KeKernelStackSize
		xorps	xmm0, xmm0
		xorps	xmm1, xmm1
		xorps	xmm2, xmm2
		xorps	xmm3, xmm3
		xorps	xmm4, xmm4
		xorps	xmm5, xmm5
		xorps	xmm6, xmm6
		xorps	xmm7, xmm7
		cli
		mov	[ebx+20h], ecx
		mov	[ebx+28h], edx
		mov	[ebx+24h], esi
		sub	ecx, 10h
		test	ss:_KiKvaShadow, 1
		mov	large fs:5004h,	ecx
		jnz	short loc_58075B
		mov	edi, large fs:0Ch
		mov	[edi+4], ecx

loc_58075B:				; CODE XREF: KiCallUserMode(x,x,x,x)+63j
		lea	edi, [ecx-7Ch]
		mov	[ebx+6Ch], edi
		mov	esi, eax
		mov	ecx, 23h
		rep movsd
		test	byte ptr [ebx+86h], 3
		jnz	loc_580942
		test	dword ptr [ebx], 0DF800000h
		jnz	loc_580942
		test	dword ptr [eax+70h], 20100h
		jnz	loc_580942
		mov	edx, [eax+4Ch]
		mov	large fs:0, edx
		mov	ebp, eax
		movzx	eax, large word	ptr fs:22E0h
		cmp	large fs:22DAh,	ax
		jz	short loc_5807BE
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_5807BE:				; CODE XREF: KiCallUserMode(x,x,x,x)+C0j
		btr	large word ptr fs:22D8h, 2
		jnb	short loc_5807D8
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr

loc_5807D8:				; CODE XREF: KiCallUserMode(x,x,x,x)+DCj
		btr	large word ptr fs:22D8h, 4
		jnb	loc_5808E8
		call	sub_5808DD

loc_5807ED:				; CODE XREF: KiCallUserMode(x,x,x,x)+10Cp
		add	esp, 4
		call	sub_5808E5

loc_5807F5:				; CODE XREF: KiCallUserMode(x,x,x,x)+114p
		add	esp, 4
		call	loc_5807ED

loc_5807FD:				; CODE XREF: KiCallUserMode(x,x,x,x)+11Cp
		add	esp, 4
		call	loc_5807F5

loc_580805:				; CODE XREF: KiCallUserMode(x,x,x,x)+124p
		add	esp, 4
		call	loc_5807FD

loc_58080D:				; CODE XREF: KiCallUserMode(x,x,x,x)+12Cp
		add	esp, 4
		call	loc_580805

loc_580815:				; CODE XREF: KiCallUserMode(x,x,x,x)+134p
		add	esp, 4
		call	loc_58080D

loc_58081D:				; CODE XREF: KiCallUserMode(x,x,x,x)+13Cp
		add	esp, 4
		call	loc_580815

loc_580825:				; CODE XREF: KiCallUserMode(x,x,x,x)+144p
		add	esp, 4
		call	loc_58081D

loc_58082D:				; CODE XREF: KiCallUserMode(x,x,x,x)+14Cp
		add	esp, 4
		call	loc_580825

loc_580835:				; CODE XREF: KiCallUserMode(x,x,x,x)+154p
		add	esp, 4
		call	loc_58082D

loc_58083D:				; CODE XREF: KiCallUserMode(x,x,x,x)+15Cp
		add	esp, 4
		call	loc_580835

loc_580845:				; CODE XREF: KiCallUserMode(x,x,x,x)+164p
		add	esp, 4
		call	loc_58083D

loc_58084D:				; CODE XREF: KiCallUserMode(x,x,x,x)+16Cp
		add	esp, 4
		call	loc_580845

loc_580855:				; CODE XREF: KiCallUserMode(x,x,x,x)+174p
		add	esp, 4
		call	loc_58084D

loc_58085D:				; CODE XREF: KiCallUserMode(x,x,x,x)+17Cp
		add	esp, 4
		call	loc_580855

loc_580865:				; CODE XREF: KiCallUserMode(x,x,x,x)+184p
		add	esp, 4
		call	loc_58085D

loc_58086D:				; CODE XREF: KiCallUserMode(x,x,x,x)+18Cp
		add	esp, 4
		call	loc_580865

loc_580875:				; CODE XREF: KiCallUserMode(x,x,x,x)+194p
		add	esp, 4
		call	loc_58086D

loc_58087D:				; CODE XREF: KiCallUserMode(x,x,x,x)+19Cp
		add	esp, 4
		call	loc_580875

loc_580885:				; CODE XREF: KiCallUserMode(x,x,x,x)+1A4p
		add	esp, 4
		call	loc_58087D

loc_58088D:				; CODE XREF: KiCallUserMode(x,x,x,x)+1ACp
		add	esp, 4
		call	loc_580885

loc_580895:				; CODE XREF: KiCallUserMode(x,x,x,x)+1B4p
		add	esp, 4
		call	loc_58088D

loc_58089D:				; CODE XREF: KiCallUserMode(x,x,x,x)+1BCp
		add	esp, 4
		call	loc_580895

loc_5808A5:				; CODE XREF: KiCallUserMode(x,x,x,x)+1C4p
		add	esp, 4
		call	loc_58089D

loc_5808AD:				; CODE XREF: KiCallUserMode(x,x,x,x)+1CCp
		add	esp, 4
		call	loc_5808A5

loc_5808B5:				; CODE XREF: KiCallUserMode(x,x,x,x)+1D4p
		add	esp, 4
		call	loc_5808AD

loc_5808BD:				; CODE XREF: KiCallUserMode(x,x,x,x)+1DCp
		add	esp, 4
		call	loc_5808B5

loc_5808C5:				; CODE XREF: KiCallUserMode(x,x,x,x)+1E4p
		add	esp, 4
		call	loc_5808BD

loc_5808CD:				; CODE XREF: KiCallUserMode(x,x,x,x)+1ECp
		add	esp, 4
		call	loc_5808C5

loc_5808D5:				; CODE XREF: sub_5808DD+3p
		add	esp, 4
		call	loc_5808CD
_KiCallUserMode@16 endp


;  S U B	R O U T	I N E 


sub_5808DD	proc near		; CODE XREF: KiCallUserMode(x,x,x,x)+FCp
		add	esp, 4
		call	loc_5808D5
sub_5808DD	endp


;  S U B	R O U T	I N E 


sub_5808E5	proc near		; CODE XREF: KiCallUserMode(x,x,x,x)+104p
		add	esp, 4

loc_5808E8:				; CODE XREF: KiCallUserMode(x,x,x,x)+F6j
		test	large word ptr fs:22D8h, 20h
		jz	short loc_5808FF
		xor	eax, eax
		xor	edx, edx
		mov	ecx, 1
		div	ecx

loc_5808FF:				; CODE XREF: sub_5808E5+Dj
		ldmxcsr	dword ptr [ebp+48h]
		mov	edx, ds:_KeUserCallbackDispatcher
		xor	eax, eax
		mov	ecx, [ebp+74h]
		mov	ebp, [ebp+60h]
		xor	ebx, ebx
		xor	esi, esi
		test	ss:_KiKvaShadow, 1
		jnz	_KiKernelSysretExit
		test	large word ptr fs:22D8h, 40h
		jz	short loc_580937
		verw	large word ptr fs:5028h

loc_580937:				; CODE XREF: sub_5808E5+48j
		mov	edi, 3Bh
		db	66h
		mov	fs, di
		assume fs:nothing
		sti
		sysexit

loc_580942:				; CODE XREF: KiCallUserMode(x,x,x,x)+85j
					; KiCallUserMode(x,x,x,x)+91j ...
		lea	ebp, [edi-8Ch]
		test	byte ptr [ebp+72h], 2
		jz	short loc_580969
		test	ss:_KiKvaShadow, 1
		mov	large fs:5004h,	edi
		jnz	short loc_580969
		mov	esi, large fs:0Ch
		mov	[esi+4], edi

loc_580969:				; CODE XREF: sub_5808E5+67j
					; sub_5808E5+78j
		mov	esp, ebp
		mov	eax, ds:_KiI386ExceptionChainTerminator
		mov	large fs:0, eax
		mov	eax, ds:_KeUserCallbackDispatcher
		mov	[ebp+68h], eax
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		jmp	_KiServiceExit
sub_5808E5	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSwitchKernelStackAndCallout(x, x,	x, x)
_KiSwitchKernelStackAndCallout@16 proc near
					; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+130p

var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	ebp
		mov	ebp, esp
		push	edi
		push	esi
		push	ebx
		mov	esi, esp
		mov	ecx, [ebp+arg_8]
		push	ecx
		and	ecx, 0FFFFFFFCh
		mov	ebx, large fs:124h
		lea	edi, [ecx+20h]
		mov	[ecx+18h], esi
		cli
		mov	eax, [ebx+24h]
		mov	[ecx+14h], eax
		mov	[ebx+20h], ecx
		mov	[ebx+28h], edi
		mov	edx, 0F000h
		bt	[esp+10h+var_10], 1
		jb	short loc_5809DF
		mov	edx, 3000h
		bt	[esp+10h+var_10], 0
		jb	short loc_5809DF
		mov	edx, ds:_KeKernelStackSize

loc_5809DF:				; CODE XREF: KiSwitchKernelStackAndCallout(x,x,x,x)+33j
					; KiSwitchKernelStackAndCallout(x,x,x,x)+3Fj
		sub	edi, edx
		mov	[ebx+24h], edi
		lea	esp, [ecx-10h]
		test	ss:_KiKvaShadow, 1
		mov	large fs:5004h,	esp
		jnz	short loc_580A02
		mov	edx, large fs:0Ch
		mov	[edx+4], esp

loc_580A02:				; CODE XREF: KiSwitchKernelStackAndCallout(x,x,x,x)+5Ej
		push	0
		push	esi
		push	0
		push	9
		push	dword ptr [ebp+4]
		push	0
		push	dword ptr [ebp+0]
		sub	esp, 60h
		mov	edi, ecx
		sti
		mov	ecx, [ebp+arg_4]
		push	offset _Ki386FatalExceptionHandler@16 ;	Ki386FatalExceptionHandler(x,x,x,x)
		push	ds:_KiI386ExceptionChainTerminator
		mov	large fs:0, esp
		mov	edx, [ebp+arg_C]
		test	edx, edx
		jz	short loc_580A42
		push	ecx
		mov	eax, esp
		push	edx
		push	eax
		call	MmGrowKernelStackEx
		pop	ecx
		test	eax, eax
		jnz	short loc_580A4D

loc_580A42:				; CODE XREF: KiSwitchKernelStackAndCallout(x,x,x,x)+99j
		push	[ebp+arg_0]
		lea	ebp, [esp+0Ch]
		call	ecx
		xor	eax, eax

loc_580A4D:				; CODE XREF: KiSwitchKernelStackAndCallout(x,x,x,x)+A8j
		mov	edx, [edi+0Ch]
		mov	ecx, [edi+10h]
		mov	large fs:0, edx
		mov	edx, [edi+14h]
		cli
		mov	[ebx+28h], ecx
		mov	[ebx+24h], edx
		mov	ecx, [edi+1Ch]
		mov	[ebx+20h], ecx
		mov	esp, esi
		test	byte ptr [ecx-1Ah], 2
		jnz	short loc_580A75
		sub	ecx, 10h

loc_580A75:				; CODE XREF: KiSwitchKernelStackAndCallout(x,x,x,x)+D8j
		test	ss:_KiKvaShadow, 1
		mov	large fs:5004h,	ecx
		jnz	short loc_580A90
		mov	esi, large fs:0Ch
		mov	[esi+4], ecx

loc_580A90:				; CODE XREF: KiSwitchKernelStackAndCallout(x,x,x,x)+ECj
		sti
		pop	ebx
		pop	esi
		pop	edi
		pop	ebp
		retn	10h
_KiSwitchKernelStackAndCallout@16 endp


;  S U B	R O U T	I N E 


; __stdcall NtCallbackReturn(x,	x, x)
_NtCallbackReturn@12 proc near		; CODE XREF: sub_59A968+58p
					; DATA XREF: .text:005811E0o

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch

		mov	eax, large fs:124h
		mov	ecx, [eax+20h]
		mov	edx, [ecx+18h]
		test	edx, edx
		jz	loc_580B7A
		mov	ebx, eax
		mov	esi, [esp+arg_0]
		mov	edi, [esp+arg_4]
		mov	ebp, [edx+14h]
		mov	eax, [edx+18h]
		mov	[ebp+0], esi
		mov	[eax], edi
		mov	ebp, [ebx+6Ch]
		mov	eax, [ecx+0Ch]
		mov	large fs:0, eax
		mov	ebp, [esp+arg_8]
		mov	edi, [ecx+8]
		cmp	ebp, 0C0000423h
		cli
		jz	short loc_580B2C

loc_580ADD:				; CODE XREF: NtCallbackReturn(x,x,x)+B4j
		and	dword ptr [edi+28h], 0
		test	byte ptr [ebx+3], 0DFh
		jnz	short loc_580B4E

loc_580AE7:				; CODE XREF: NtCallbackReturn(x,x,x)+DDj
		lea	esp, [ecx+10h]
		test	byte ptr [edi+72h], 2
		lea	eax, [edi+8Ch]
		jnz	short loc_580AF9
		sub	eax, 10h

loc_580AF9:				; CODE XREF: NtCallbackReturn(x,x,x)+5Cj
		test	ss:_KiKvaShadow, 1
		mov	large fs:5004h,	eax
		jnz	short loc_580B13
		mov	edx, large fs:0Ch
		mov	[edx+4], eax

loc_580B13:				; CODE XREF: NtCallbackReturn(x,x,x)+6Fj
		mov	[ebx+6Ch], edi
		pop	dword ptr [ebx+28h]
		pop	dword ptr [ebx+24h]
		pop	edx
		pop	dword ptr [ebx+20h]
		mov	esp, edx
		sti
		mov	eax, ebp
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_580B2C:				; CODE XREF: NtCallbackReturn(x,x,x)+43j
		mov	ecx, 0Bh
		mov	esi, [ebx+6Ch]
		test	byte ptr [esi+72h], 2
		mov	edx, edi
		lea	edi, [edi+50h]
		jz	short loc_580B42
		add	ecx, 4

loc_580B42:				; CODE XREF: NtCallbackReturn(x,x,x)+A5j
		lea	esi, [esi+50h]
		rep movsd
		mov	ecx, [ebx+20h]
		mov	edi, edx
		jmp	short loc_580ADD
; 

loc_580B4E:				; CODE XREF: NtCallbackReturn(x,x,x)+4Dj
		mov	esi, [ebx+6Ch]
		mov	edx, [esi+14h]
		mov	[edi+14h], edx
		mov	edx, [esi+18h]
		mov	[edi+18h], edx
		mov	edx, [esi+1Ch]
		mov	[edi+1Ch], edx
		mov	edx, [esi+20h]
		mov	[edi+20h], edx
		mov	edx, [esi+24h]
		mov	[edi+24h], edx
		mov	edx, [esi+28h]
		mov	[edi+28h], edx
		jmp	loc_580AE7
; 

loc_580B7A:				; CODE XREF: NtCallbackReturn(x,x,x)+Ej
		mov	eax, 0C0000258h
		retn	0Ch
_NtCallbackReturn@12 endp

; 
		align 4
_KiServiceTable	dd offset _NtAccessCheck@32 ; DATA XREF: KiInitSystem+ACo
					; NtAccessCheck(x,x,x,x,x,x,x,x)
		dd offset NtWorkerFactoryWorkerReady
		dd offset _NtAcceptConnectPort@24 ; NtAcceptConnectPort(x,x,x,x,x,x)
		dd offset _NtYieldExecution@0 ;	NtYieldExecution()
		dd offset _NtWriteVirtualMemory@20 ; NtWriteVirtualMemory(x,x,x,x,x)
		dd offset _NtWriteRequestData@24 ; NtWriteRequestData(x,x,x,x,x,x)
		dd offset _NtWriteFileGather@36	; NtWriteFileGather(x,x,x,x,x,x,x,x,x)
		dd offset _NtWriteFile@36 ; NtWriteFile(x,x,x,x,x,x,x,x,x)
		dd offset _NtSetHighWaitLowEventPair@4 ; NtSetHighWaitLowEventPair(x)
		dd offset _NtSetHighWaitLowEventPair@4 ; NtSetHighWaitLowEventPair(x)
		dd offset NtWaitForWorkViaWorkerFactory
		dd offset NtWaitForSingleObject
		dd offset _NtWaitForMultipleObjects32@20 ; NtWaitForMultipleObjects32(x,x,x,x,x)
		dd offset NtWaitForMultipleObjects
		dd offset _NtWaitForKeyedEvent@16 ; NtWaitForKeyedEvent(x,x,x,x)
		dd offset _NtWaitForDebugEvent@16 ; NtWaitForDebugEvent(x,x,x,x)
		dd offset NtWaitForAlertByThreadId
		dd offset _NtVdmControl@8 ; NtVdmControl(x,x)
		dd offset NtUnsubscribeWnfStateChange
		dd offset _NtUpdateWnfStateData@28 ; NtUpdateWnfStateData(x,x,x,x,x,x,x)
		dd offset _NtUnmapViewOfSection@8 ; NtUnmapViewOfSection(x,x)
		dd offset NtUnmapViewOfSectionEx
		dd offset _NtUnlockVirtualMemory@16 ; NtUnlockVirtualMemory(x,x,x,x)
		dd offset _NtUnlockFile@20 ; NtUnlockFile(x,x,x,x,x)
		dd offset _NtUnloadKeyEx@8 ; NtUnloadKeyEx(x,x)
		dd offset _NtUnloadKey2@8 ; NtUnloadKey2(x,x)
		dd offset _NtUnloadKey@4 ; NtUnloadKey(x)
		dd offset _NtUnloadDriver@4 ; NtUnloadDriver(x)
		dd offset _NtUmsThreadYield@4 ;	NtUmsThreadYield(x)
		dd offset _NtTranslateFilePath@16 ; NtTranslateFilePath(x,x,x,x)
		dd offset NtTraceEvent
		dd offset _NtTraceControl@24 ; NtTraceControl(x,x,x,x,x,x)
		dd offset _NtThawTransactions@0	; NtThawTransactions()
		dd offset _NtThawRegistry@0 ; NtThawRegistry()
		dd offset _NtTestAlert@0 ; NtTestAlert()
		dd offset NtTerminateThread
		dd offset NtTerminateProcess
		dd offset NtTerminateJobObject
		dd offset _NtTerminateEnclave@8	; NtTerminateEnclave(x,x)
		dd offset NtSystemDebugControl
		dd offset NtSuspendThread
		dd offset _NtSuspendProcess@4 ;	NtSuspendProcess(x)
		dd offset NtSubscribeWnfStateChange
		dd offset _NtStopProfile@4 ; NtStopProfile(x)
		dd offset _NtStartProfile@4 ; NtStartProfile(x)
		dd offset _NtSinglePhaseReject@8 ; NtSinglePhaseReject(x,x)
		dd offset _NtSignalAndWaitForSingleObject@16 ; NtSignalAndWaitForSingleObject(x,x,x,x)
		dd offset NtShutdownWorkerFactory
		dd offset _NtShutdownSystem@4 ;	NtShutdownSystem(x)
		dd offset NtSetWnfProcessNotificationEvent
		dd offset _NtSetVolumeInformationFile@20 ; NtSetVolumeInformationFile(x,x,x,x,x)
		dd offset NtSetValueKey
		dd offset NtSetUuidSeed
		dd offset _NtSetTimerResolution@12 ; NtSetTimerResolution(x,x,x)
		dd offset NtSetTimerEx
		dd offset NtSetTimer
		dd offset NtSetThreadExecutionState
		dd offset _NtSetSystemTime@8 ; NtSetSystemTime(x,x)
		dd offset _NtSetSystemPowerState@12 ; NtSetSystemPowerState(x,x,x)
		dd offset _NtSetSystemInformation@12 ; NtSetSystemInformation(x,x,x)
		dd offset _NtSetSystemEnvironmentValueEx@20 ; NtSetSystemEnvironmentValueEx(x,x,x,x,x)
		dd offset _NtSetSystemEnvironmentValue@8 ; NtSetSystemEnvironmentValue(x,x)
		dd offset NtSetSecurityObject
		dd offset _NtSetQuotaInformationFile@16	; NtSetQuotaInformationFile(x,x,x,x)
		dd offset _NtSetHighWaitLowEventPair@4 ; NtSetHighWaitLowEventPair(x)
		dd offset _NtSetHighWaitLowEventPair@4 ; NtSetHighWaitLowEventPair(x)
		dd offset _NtSetLdtEntries@24 ;	NtSetLdtEntries(x,x,x,x,x,x)
		dd offset _NtSetIRTimer@8 ; NtSetIRTimer(x,x)
		dd offset _NtSetTimer2@16 ; NtSetTimer2(x,x,x,x)
		dd offset _NtCancelTimer2@8 ; NtCancelTimer2(x,x)
		dd offset NtSetIoCompletionEx
		dd offset _NtSetIoCompletion@20	; NtSetIoCompletion(x,x,x,x,x)
		dd offset _NtSetIntervalProfile@8 ; NtSetIntervalProfile(x,x)
		dd offset _NtSetInformationWorkerFactory@16 ; NtSetInformationWorkerFactory(x,x,x,x)
		dd offset _NtSetInformationTransactionManager@16 ; NtSetInformationTransactionManager(x,x,x,x)
		dd offset _NtSetInformationTransaction@16 ; NtSetInformationTransaction(x,x,x,x)
		dd offset _NtSetInformationToken@16 ; NtSetInformationToken(x,x,x,x)
		dd offset NtSetInformationThread
		dd offset _NtSetInformationResourceManager@16 ;	NtSetInformationResourceManager(x,x,x,x)
		dd offset _NtSetInformationProcess@16 ;	NtSetInformationProcess(x,x,x,x)
		dd offset NtSetInformationObject
		dd offset NtSetInformationKey
		dd offset NtSetInformationJobObject
		dd offset _NtSetInformationFile@20 ; NtSetInformationFile(x,x,x,x,x)
		dd offset _NtSetInformationEnlistment@16 ; NtSetInformationEnlistment(x,x,x,x)
		dd offset _NtSetInformationDebugObject@20 ; NtSetInformationDebugObject(x,x,x,x,x)
		dd offset _NtSetHighWaitLowEventPair@4 ; NtSetHighWaitLowEventPair(x)
		dd offset _NtSetHighWaitLowEventPair@4 ; NtSetHighWaitLowEventPair(x)
		dd offset _NtSetEventBoostPriority@4 ; NtSetEventBoostPriority(x)
		dd offset NtSetEvent
		dd offset _NtSetEaFile@16 ; NtSetEaFile(x,x,x,x)
		dd offset _NtSetDriverEntryOrder@8 ; NtSetDriverEntryOrder(x,x)
		dd offset _NtSetDefaultUILanguage@4 ; NtSetDefaultUILanguage(x)
		dd offset NtSetDefaultLocale
		dd offset NtSetDefaultHardErrorPort
		dd offset NtSetDebugFilterState
		dd offset _NtSetContextThread@8	; NtSetContextThread(x,x)
		dd offset NtSetCachedSigningLevel2
		dd offset _NtSetCachedSigningLevel@20 ;	NtSetCachedSigningLevel(x,x,x,x,x)
		dd offset _NtSetBootOptions@8 ;	NtSetBootOptions(x,x)
		dd offset _NtSetBootEntryOrder@8 ; NtSetBootEntryOrder(x,x)
		dd offset NtSerializeBoot
		dd offset NtSecureConnectPort
		dd offset _NtSaveMergedKeys@12 ; NtSaveMergedKeys(x,x,x)
		dd offset _NtSaveKeyEx@12 ; NtSaveKeyEx(x,x,x)
		dd offset _NtSaveKey@8	; NtSaveKey(x,x)
		dd offset _NtRollforwardTransactionManager@8 ; NtRollforwardTransactionManager(x,x)
		dd offset _NtRollbackTransaction@8 ; NtRollbackTransaction(x,x)
		dd offset _NtRollbackEnlistment@8 ; NtRollbackEnlistment(x,x)
		dd offset _NtRollbackComplete@8	; NtRollbackComplete(x,x)
		dd offset _NtRevertContainerImpersonation@0 ; NtRevertContainerImpersonation()
		dd offset NtResumeThread
		dd offset _NtResumeProcess@4 ; NtResumeProcess(x)
		dd offset _NtRestoreKey@12 ; NtRestoreKey(x,x,x)
		dd offset NtResetWriteWatch
		dd offset NtResetEvent
		dd offset NtRequestWaitReplyPort
		dd offset _NtRequestPort@8 ; NtRequestPort(x,x)
		dd offset _NtReplyWaitReplyPort@8 ; NtReplyWaitReplyPort(x,x)
		dd offset NtReplyWaitReceivePortEx
		dd offset _NtReplyWaitReceivePort@16 ; NtReplyWaitReceivePort(x,x,x,x)
		dd offset NtReplyPort
		dd offset _NtReplacePartitionUnit@12 ; NtReplacePartitionUnit(x,x,x)
		dd offset _NtReplaceKey@12 ; NtReplaceKey(x,x,x)
		dd offset _NtRenameTransactionManager@8	; NtRenameTransactionManager(x,x)
		dd offset _NtRenameKey@8 ; NtRenameKey(x,x)
		dd offset _NtRemoveProcessDebug@8 ; NtRemoveProcessDebug(x,x)
		dd offset NtRemoveIoCompletionEx
		dd offset NtRemoveIoCompletion
		dd offset NtReleaseWorkerFactoryWorker
		dd offset NtReleaseSemaphore
		dd offset NtReleaseMutant
		dd offset _NtReleaseKeyedEvent@16 ; NtReleaseKeyedEvent(x,x,x,x)
		dd offset NtRegisterThreadTerminatePort
		dd offset _NtRegisterProtocolAddressInformation@20 ; NtRegisterProtocolAddressInformation(x,x,x,x,x)
		dd offset _NtRecoverTransactionManager@4 ; NtRecoverTransactionManager(x)
		dd offset _NtRecoverResourceManager@4 ;	NtRecoverResourceManager(x)
		dd offset _NtRecoverEnlistment@8 ; NtRecoverEnlistment(x,x)
		dd offset _NtReadVirtualMemory@20 ; NtReadVirtualMemory(x,x,x,x,x)
		dd offset _NtReadRequestData@24	; NtReadRequestData(x,x,x,x,x,x)
		dd offset _NtReadOnlyEnlistment@8 ; NtReadOnlyEnlistment(x,x)
		dd offset _NtReadFileScatter@36	; NtReadFileScatter(x,x,x,x,x,x,x,x,x)
		dd offset _NtReadFile@36 ; NtReadFile(x,x,x,x,x,x,x,x,x)
		dd offset _NtRaiseHardError@24 ; NtRaiseHardError(x,x,x,x,x,x)
		dd offset _NtRaiseException@12 ; NtRaiseException(x,x,x)
		dd offset _NtQueueApcThreadEx@24 ; NtQueueApcThreadEx(x,x,x,x,x,x)
		dd offset _NtQueueApcThread@20 ; NtQueueApcThread(x,x,x,x,x)
		dd offset _NtQueryAuxiliaryCounterFrequency@4 ;	NtQueryAuxiliaryCounterFrequency(x)
		dd offset NtQueryWnfStateData
		dd offset NtQueryWnfStateNameInformation
		dd offset _NtQueryVolumeInformationFile@20 ; NtQueryVolumeInformationFile(x,x,x,x,x)
		dd offset _NtQueryVirtualMemory@24 ; NtQueryVirtualMemory(x,x,x,x,x,x)
		dd offset NtQueryValueKey
		dd offset NtQueryTimerResolution
		dd offset _NtQueryTimer@20 ; NtQueryTimer(x,x,x,x,x)
		dd offset NtQuerySystemTime
		dd offset NtQuerySystemInformationEx
		dd offset NtQuerySystemInformation
		dd offset NtQuerySystemEnvironmentValueEx
		dd offset _NtQuerySystemEnvironmentValue@16 ; NtQuerySystemEnvironmentValue(x,x,x,x)
		dd offset NtQuerySymbolicLinkObject
		dd offset NtQuerySemaphore
		dd offset _NtQuerySecurityPolicy@24 ; NtQuerySecurityPolicy(x,x,x,x,x,x)
		dd offset NtQuerySecurityObject
		dd offset NtQuerySecurityAttributesToken
		dd offset NtQuerySection
		dd offset _NtQueryQuotaInformationFile@36 ; NtQueryQuotaInformationFile(x,x,x,x,x,x,x,x,x)
		dd offset _VdmpExceptionHandler@4 ; VdmpExceptionHandler(x)
		dd offset NtQueryPerformanceCounter
		dd offset _NtQueryOpenSubKeysEx@16 ; NtQueryOpenSubKeysEx(x,x,x,x)
		dd offset _NtQueryOpenSubKeys@8	; NtQueryOpenSubKeys(x,x)
		dd offset NtQueryObject
		dd offset NtQueryMutant
		dd offset _NtQueryMultipleValueKey@24 ;	NtQueryMultipleValueKey(x,x,x,x,x,x)
		dd offset NtQueryLicenseValue
		dd offset NtQueryKey
		dd offset _NtQueryIoCompletion@20 ; NtQueryIoCompletion(x,x,x,x,x)
		dd offset NtQueryIntervalProfile
		dd offset NtQueryInstallUILanguage
		dd offset _NtQueryInformationWorkerFactory@20 ;	NtQueryInformationWorkerFactory(x,x,x,x,x)
		dd offset _NtQueryInformationTransactionManager@20 ; NtQueryInformationTransactionManager(x,x,x,x,x)
		dd offset _NtQueryInformationTransaction@20 ; NtQueryInformationTransaction(x,x,x,x,x)
		dd offset _NtQueryInformationToken@20 ;	NtQueryInformationToken(x,x,x,x,x)
		dd offset NtQueryInformationThread
		dd offset _NtQueryInformationResourceManager@20	; NtQueryInformationResourceManager(x,x,x,x,x)
		dd offset _NtQueryInformationProcess@20	; NtQueryInformationProcess(x,x,x,x,x)
		dd offset _NtQueryInformationPort@20 ; NtQueryInformationPort(x,x,x,x,x)
		dd offset NtQueryInformationJobObject
		dd offset _NtQueryInformationFile@20 ; NtQueryInformationFile(x,x,x,x,x)
		dd offset _NtQueryInformationEnlistment@20 ; NtQueryInformationEnlistment(x,x,x,x,x)
		dd offset _NtQueryInformationByName@20 ; NtQueryInformationByName(x,x,x,x,x)
		dd offset NtQueryInformationAtom
		dd offset NtQueryFullAttributesFile
		dd offset NtQueryEvent
		dd offset _NtQueryEaFile@36 ; NtQueryEaFile(x,x,x,x,x,x,x,x,x)
		dd offset _NtQueryDriverEntryOrder@8 ; NtQueryDriverEntryOrder(x,x)
		dd offset _NtQueryDirectoryObject@28 ; NtQueryDirectoryObject(x,x,x,x,x,x,x)
		dd offset _NtQueryDirectoryFile@44 ; NtQueryDirectoryFile(x,x,x,x,x,x,x,x,x,x,x)
		dd offset _NtQueryDirectoryFileEx@40 ; NtQueryDirectoryFileEx(x,x,x,x,x,x,x,x,x,x)
		dd offset _NtQueryDefaultUILanguage@4 ;	NtQueryDefaultUILanguage(x)
		dd offset NtQueryDefaultLocale
		dd offset _NtQueryDebugFilterState@8 ; NtQueryDebugFilterState(x,x)
		dd offset _NtQueryBootOptions@8	; NtQueryBootOptions(x,x)
		dd offset _NtQueryBootEntryOrder@8 ; NtQueryBootEntryOrder(x,x)
		dd offset NtQueryAttributesFile
		dd offset NtPulseEvent
		dd offset NtProtectVirtualMemory
		dd offset _NtPropagationFailed@12 ; NtPropagationFailed(x,x,x)
		dd offset _NtPropagationComplete@16 ; NtPropagationComplete(x,x,x,x)
		dd offset NtPrivilegeObjectAuditAlarm
		dd offset NtPrivilegedServiceAuditAlarm
		dd offset NtPrivilegeCheck
		dd offset NtSetInformationVirtualMemory
		dd offset _NtPrePrepareEnlistment@8 ; NtPrePrepareEnlistment(x,x)
		dd offset _NtPrePrepareComplete@8 ; NtPrePrepareComplete(x,x)
		dd offset _NtPrepareEnlistment@8 ; NtPrepareEnlistment(x,x)
		dd offset _NtPrepareComplete@8 ; NtPrepareComplete(x,x)
		dd offset NtPowerInformation
		dd offset NtPlugPlayControl
		dd offset _NtOpenTransactionManager@24 ; NtOpenTransactionManager(x,x,x,x,x,x)
		dd offset _NtOpenTransaction@20	; NtOpenTransaction(x,x,x,x,x)
		dd offset _NtOpenTimer@12 ; NtOpenTimer(x,x,x)
		dd offset NtOpenThreadTokenEx
		dd offset _NtOpenThreadToken@16	; NtOpenThreadToken(x,x,x,x)
		dd offset _NtOpenThread@16 ; NtOpenThread(x,x,x,x)
		dd offset NtOpenSymbolicLinkObject
		dd offset NtOpenSession
		dd offset NtOpenSemaphore
		dd offset NtOpenSection
		dd offset _NtOpenResourceManager@20 ; NtOpenResourceManager(x,x,x,x,x)
		dd offset NtOpenPartition
		dd offset NtOpenProcessTokenEx
		dd offset _NtOpenProcessToken@12 ; NtOpenProcessToken(x,x,x)
		dd offset _NtOpenProcess@16 ; NtOpenProcess(x,x,x,x)
		dd offset NtOpenPrivateNamespace
		dd offset NtOpenObjectAuditAlarm
		dd offset NtOpenMutant
		dd offset NtOpenKeyTransactedEx
		dd offset _NtOpenKeyTransacted@16 ; NtOpenKeyTransacted(x,x,x,x)
		dd offset _NtOpenKeyEx@16 ; NtOpenKeyEx(x,x,x,x)
		dd offset _NtOpenKeyedEvent@12 ; NtOpenKeyedEvent(x,x,x)
		dd offset _NtOpenKey@12	; NtOpenKey(x,x,x)
		dd offset NtOpenJobObject
		dd offset _NtOpenIoCompletion@12 ; NtOpenIoCompletion(x,x,x)
		dd offset _NtOpenFile@24 ; NtOpenFile(x,x,x,x,x,x)
		dd offset _NtOpenEventPair@12 ;	NtOpenEventPair(x,x,x)
		dd offset NtOpenEvent
		dd offset _NtOpenEnlistment@20 ; NtOpenEnlistment(x,x,x,x,x)
		dd offset NtOpenDirectoryObject
		dd offset NtNotifyChangeSession
		dd offset NtNotifyChangeMultipleKeys
		dd offset _NtNotifyChangeKey@40	; NtNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		dd offset _NtNotifyChangeDirectoryFile@36 ; NtNotifyChangeDirectoryFile(x,x,x,x,x,x,x,x,x)
		dd offset _NtNotifyChangeDirectoryFileEx@40 ; NtNotifyChangeDirectoryFileEx(x,x,x,x,x,x,x,x,x,x)
		dd offset NtManagePartition
		dd offset _NtModifyDriverEntry@4 ; NtModifyDriverEntry(x)
		dd offset _NtModifyBootEntry@4 ; NtModifyBootEntry(x)
		dd offset NtMapViewOfSection
		dd offset _NtMapUserPhysicalPagesScatter@12 ; NtMapUserPhysicalPagesScatter(x,x,x)
		dd offset _NtMapUserPhysicalPages@12 ; NtMapUserPhysicalPages(x,x,x)
		dd offset _NtMapCMFModule@24 ; NtMapCMFModule(x,x,x,x,x,x)
		dd offset NtMakeTemporaryObject
		dd offset _NtMakePermanentObject@4 ; NtMakePermanentObject(x)
		dd offset _NtLockVirtualMemory@16 ; NtLockVirtualMemory(x,x,x,x)
		dd offset _NtLockRegistryKey@4 ; NtLockRegistryKey(x)
		dd offset NtLockProductActivationKeys
		dd offset _NtLockFile@40 ; NtLockFile(x,x,x,x,x,x,x,x,x,x)
		dd offset _NtLoadKeyEx@32 ; NtLoadKeyEx(x,x,x,x,x,x,x,x)
		dd offset _NtLoadKey2@12 ; NtLoadKey2(x,x,x)
		dd offset _NtLoadKey@8	; NtLoadKey(x,x)
		dd offset _NtLoadEnclaveData@36	; NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)
		dd offset _NtLoadDriver@4 ; NtLoadDriver(x)
		dd offset NtListenPort
		dd offset _NtIsUILanguageComitted@0 ; NtIsUILanguageComitted()
		dd offset _NtIsSystemResumeAutomatic@0 ; NtIsSystemResumeAutomatic()
		dd offset NtIsProcessInJob
		dd offset NtInitiatePowerAction
		dd offset NtInitializeRegistry
		dd offset NtInitializeNlsFiles
		dd offset _NtInitializeEnclave@20 ; NtInitializeEnclave(x,x,x,x,x)
		dd offset NtImpersonateThread
		dd offset _NtImpersonateClientOfPort@8 ; NtImpersonateClientOfPort(x,x)
		dd offset _NtImpersonateAnonymousToken@4 ; NtImpersonateAnonymousToken(x)
		dd offset NtGetWriteWatch
		dd offset _NtGetNotificationResourceManager@28 ; NtGetNotificationResourceManager(x,x,x,x,x,x,x)
		dd offset NtGetNlsSectionPtr
		dd offset NtGetNextThread
		dd offset NtGetNextProcess
		dd offset NtGetMUIRegistryInfo
		dd offset _NtGetDevicePowerState@8 ; NtGetDevicePowerState(x,x)
		dd offset _NtGetCurrentProcessorNumberEx@4 ; NtGetCurrentProcessorNumberEx(x)
		dd offset _NtGetCurrentProcessorNumber@0 ; NtGetCurrentProcessorNumber()
		dd offset _NtGetContextThread@8	; NtGetContextThread(x,x)
		dd offset NtGetCompleteWnfStateSubscription
		dd offset NtGetCachedSigningLevel
		dd offset _NtFsControlFile@40 ;	NtFsControlFile(x,x,x,x,x,x,x,x,x,x)
		dd offset _NtFreezeTransactions@8 ; NtFreezeTransactions(x,x)
		dd offset _NtFreezeRegistry@4 ;	NtFreezeRegistry(x)
		dd offset NtFreeVirtualMemory
		dd offset _NtFreeUserPhysicalPages@12 ;	NtFreeUserPhysicalPages(x,x,x)
		dd offset _NtFlushWriteBuffer@0	; NtFlushWriteBuffer()
		dd offset NtFlushVirtualMemory
		dd offset _NtFlushProcessWriteBuffers@0	; NtFlushProcessWriteBuffers()
		dd offset _NtFlushKey@4	; NtFlushKey(x)
		dd offset _FsRtlSyncVolumes@12 ; FsRtlSyncVolumes(x,x,x)
		dd offset NtFlushInstallUILanguage
		dd offset _NtFlushBuffersFile@8	; NtFlushBuffersFile(x,x)
		dd offset NtFlushBuffersFileEx
		dd offset NtFindAtom
		dd offset NtFilterToken
		dd offset _NtFilterTokenEx@56 ;	NtFilterTokenEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		dd offset _NtFilterBootOption@20 ; NtFilterBootOption(x,x,x,x,x)
		dd offset NtExtendSection
		dd offset NtEnumerateValueKey
		dd offset _NtEnumerateTransactionObject@20 ; NtEnumerateTransactionObject(x,x,x,x,x)
		dd offset _NtEnumerateSystemEnvironmentValuesEx@12 ; NtEnumerateSystemEnvironmentValuesEx(x,x,x)
		dd offset NtEnumerateKey
		dd offset _NtEnumerateDriverEntries@8 ;	NtEnumerateDriverEntries(x,x)
		dd offset _NtEnumerateBootEntries@8 ; NtEnumerateBootEntries(x,x)
		dd offset _NtEnableLastKnownGood@0 ; NtEnableLastKnownGood()
		dd offset NtDuplicateToken
		dd offset NtDuplicateObject
		dd offset _NtDrawText@4	; NtDrawText(x)
		dd offset _NtDisplayString@4 ; NtDisplayString(x)
		dd offset _NtDisableLastKnownGood@0 ; NtDisableLastKnownGood()
		dd offset _NtDeviceIoControlFile@40 ; NtDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		dd offset NtDeleteWnfStateName
		dd offset _NtDeleteWnfStateData@8 ; NtDeleteWnfStateData(x,x)
		dd offset NtDeleteValueKey
		dd offset _NtDeletePrivateNamespace@4 ;	NtDeletePrivateNamespace(x)
		dd offset _NtDeleteObjectAuditAlarm@12 ; NtDeleteObjectAuditAlarm(x,x,x)
		dd offset NtDeleteKey
		dd offset _NtDeleteFile@4 ; NtDeleteFile(x)
		dd offset _NtDeleteDriverEntry@4 ; NtDeleteDriverEntry(x)
		dd offset _NtDeleteBootEntry@4 ; NtDeleteBootEntry(x)
		dd offset _NtDeleteAtom@4 ; NtDeleteAtom(x)
		dd offset NtDelayExecution
		dd offset _NtDebugContinue@12 ;	NtDebugContinue(x,x,x)
		dd offset _NtDebugActiveProcess@8 ; NtDebugActiveProcess(x,x)
		dd offset _xHalAllocatePmcCounterSet@16	; xHalAllocatePmcCounterSet(x,x,x,x)
		dd offset NtCreateWorkerFactory
		dd offset NtCreateWnfStateName
		dd offset NtCreateWaitCompletionPacket
		dd offset _NtCreateWaitablePort@20 ; NtCreateWaitablePort(x,x,x,x,x)
		dd offset _NtCreateUserProcess@44 ; NtCreateUserProcess(x,x,x,x,x,x,x,x,x,x,x)
		dd offset _NtCreateTransactionManager@24 ; NtCreateTransactionManager(x,x,x,x,x,x)
		dd offset _NtCreateTransaction@40 ; NtCreateTransaction(x,x,x,x,x,x,x,x,x,x)
		dd offset _NtCreateToken@52 ; NtCreateToken(x,x,x,x,x,x,x,x,x,x,x,x,x)
		dd offset NtCreateLowBoxToken
		dd offset NtCreateTokenEx
		dd offset NtCreateTimer
		dd offset NtCreateThreadEx
		dd offset _NtCreateThread@32 ; NtCreateThread(x,x,x,x,x,x,x,x)
		dd offset NtCreateSymbolicLinkObject
		dd offset NtCreateSemaphore
		dd offset NtCreateSection
		dd offset _NtCreateSectionEx@36	; NtCreateSectionEx(x,x,x,x,x,x,x,x,x)
		dd offset _NtCreateResourceManager@28 ;	NtCreateResourceManager(x,x,x,x,x,x,x)
		dd offset _NtCreateProfileEx@40	; NtCreateProfileEx(x,x,x,x,x,x,x,x,x,x)
		dd offset _NtCreateProfile@36 ;	NtCreateProfile(x,x,x,x,x,x,x,x,x)
		dd offset NtCreateProcessEx
		dd offset _NtCreateProcess@32 ;	NtCreateProcess(x,x,x,x,x,x,x,x)
		dd offset NtCreatePrivateNamespace
		dd offset _NtCreatePort@20 ; NtCreatePort(x,x,x,x,x)
		dd offset _NtCreatePagingFile@16 ; NtCreatePagingFile(x,x,x,x)
		dd offset NtCreateNamedPipeFile
		dd offset _NtCreateMutant@16 ; NtCreateMutant(x,x,x,x)
		dd offset NtCreateMailslotFile
		dd offset NtCreateKeyTransacted
		dd offset NtCreateKeyedEvent
		dd offset _NtCreateKey@28 ; NtCreateKey(x,x,x,x,x,x,x)
		dd offset _LpcReplyWaitReplyPort@12 ; LpcReplyWaitReplyPort(x,x,x)
		dd offset NtCreateJobObject
		dd offset _NtCreateIRTimer@12 ;	NtCreateIRTimer(x,x,x)
		dd offset NtCreateTimer2
		dd offset NtCreateIoCompletion
		dd offset _NtCreateFile@44 ; NtCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		dd offset _NtOpenEventPair@12 ;	NtOpenEventPair(x,x,x)
		dd offset NtCreateEvent
		dd offset _NtCreateEnlistment@32 ; NtCreateEnlistment(x,x,x,x,x,x,x,x)
		dd offset _NtCreateEnclave@36 ;	NtCreateEnclave(x,x,x,x,x,x,x,x,x)
		dd offset _NtCreateDirectoryObjectEx@20	; NtCreateDirectoryObjectEx(x,x,x,x,x)
		dd offset _NtCreateDirectoryObject@12 ;	NtCreateDirectoryObject(x,x,x)
		dd offset _NtCreateDebugObject@16 ; NtCreateDebugObject(x,x,x,x)
		dd offset _NtCopyFileChunk@40 ;	NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)
		dd offset _NtConvertBetweenAuxiliaryCounterAndPerformanceCounter@16 ; NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)
		dd offset _NtContinue@8	; NtContinue(x,x)
		dd offset _ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment@8 ; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
		dd offset _NtConnectPort@32 ; NtConnectPort(x,x,x,x,x,x,x,x)
		dd offset _NtCompressKey@4 ; NtCompressKey(x)
		dd offset _NtCompleteConnectPort@4 ; NtCompleteConnectPort(x)
		dd offset NtCompareTokens
		dd offset _NtCompareSigningLevels@8 ; NtCompareSigningLevels(x,x)
		dd offset _NtCompareObjects@8 ;	NtCompareObjects(x,x)
		dd offset _NtCompactKeys@8 ; NtCompactKeys(x,x)
		dd offset _NtCommitTransaction@8 ; NtCommitTransaction(x,x)
		dd offset _NtCommitEnlistment@8	; NtCommitEnlistment(x,x)
		dd offset _NtCommitComplete@8 ;	NtCommitComplete(x,x)
		dd offset NtCloseObjectAuditAlarm
		dd offset NtClose
		dd offset _NtClearEvent@4 ; NtClearEvent(x)
		dd offset NtCancelWaitCompletionPacket
		dd offset NtCancelTimer
		dd offset _NtCancelSynchronousIoFile@12	; NtCancelSynchronousIoFile(x,x,x)
		dd offset NtCancelIoFileEx
		dd offset NtCancelIoFile
		dd offset _ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete@16 ;	ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
		dd offset _NtCallbackReturn@12 ; NtCallbackReturn(x,x,x)
		dd offset NtAssociateWaitCompletionPacket
		dd offset NtAssignProcessToJobObject
		dd offset NtAreMappedFilesTheSame
		dd offset NtApphelpCacheControl
		dd offset _NtAlpcSetInformation@16 ; NtAlpcSetInformation(x,x,x,x)
		dd offset NtAlpcSendWaitReceivePort
		dd offset _NtAlpcRevokeSecurityContext@12 ; NtAlpcRevokeSecurityContext(x,x,x)
		dd offset NtAlpcQueryInformationMessage
		dd offset NtAlpcQueryInformation
		dd offset NtAlpcOpenSenderThread
		dd offset NtAlpcOpenSenderProcess
		dd offset NtAlpcImpersonateClientOfPort
		dd offset _NtAlpcImpersonateClientContainerOfPort@12 ; NtAlpcImpersonateClientContainerOfPort(x,x,x)
		dd offset _NtAlpcDisconnectPort@8 ; NtAlpcDisconnectPort(x,x)
		dd offset NtAlpcDeleteSecurityContext
		dd offset NtAlpcDeleteSectionView
		dd offset _NtAlpcDeleteResourceReserve@12 ; NtAlpcDeleteResourceReserve(x,x,x)
		dd offset NtAlpcDeletePortSection
		dd offset NtAlpcCreateSecurityContext
		dd offset _NtAlpcCreateSectionView@12 ;	NtAlpcCreateSectionView(x,x,x)
		dd offset NtAlpcCreateResourceReserve
		dd offset _NtAlpcCreatePortSection@24 ;	NtAlpcCreatePortSection(x,x,x,x,x,x)
		dd offset _NtAlpcCreatePort@12 ; NtAlpcCreatePort(x,x,x)
		dd offset _NtAlpcConnectPort@44	; NtAlpcConnectPort(x,x,x,x,x,x,x,x,x,x,x)
		dd offset _NtAlpcConnectPortEx@44 ; NtAlpcConnectPortEx(x,x,x,x,x,x,x,x,x,x,x)
		dd offset NtAlpcCancelMessage
		dd offset _NtAlpcAcceptConnectPort@36 ;	NtAlpcAcceptConnectPort(x,x,x,x,x,x,x,x,x)
		dd offset NtAllocateVirtualMemory
		dd offset NtAllocateUuids
		dd offset _NtAllocateUserPhysicalPages@12 ; NtAllocateUserPhysicalPages(x,x,x)
		dd offset _NtAllocateUserPhysicalPagesEx@20 ; NtAllocateUserPhysicalPagesEx(x,x,x,x,x)
		dd offset NtAllocateReserveObject
		dd offset NtAllocateLocallyUniqueId
		dd offset NtAlertThreadByThreadId
		dd offset _NtAlertThread@4 ; NtAlertThread(x)
		dd offset _NtAlertResumeThread@8 ; NtAlertResumeThread(x,x)
		dd offset NtAdjustPrivilegesToken
		dd offset NtAdjustGroupsToken
		dd offset _NtAdjustTokenClaimsAndDeviceGroups@64 ; NtAdjustTokenClaimsAndDeviceGroups(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		dd offset _NtAddDriverEntry@8 ;	NtAddDriverEntry(x,x)
		dd offset _NtAddBootEntry@8 ; NtAddBootEntry(x,x)
		dd offset _NtAddAtom@12	; NtAddAtom(x,x,x)
		dd offset NtAddAtomEx
		dd offset NtAcquireProcessActivityReference
		dd offset _NtAccessCheckByTypeResultListAndAuditAlarmByHandle@68 ; NtAccessCheckByTypeResultListAndAuditAlarmByHandle(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		dd offset _NtAccessCheckByTypeResultListAndAuditAlarm@64 ; NtAccessCheckByTypeResultListAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		dd offset _NtAccessCheckByTypeResultList@44 ; NtAccessCheckByTypeResultList(x,x,x,x,x,x,x,x,x,x,x)
		dd offset _NtAccessCheckByTypeAndAuditAlarm@64 ; NtAccessCheckByTypeAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		dd offset _NtAccessCheckByType@44 ; NtAccessCheckByType(x,x,x,x,x,x,x,x,x,x,x)
		dd offset _NtAccessCheckAndAuditAlarm@44 ; NtAccessCheckAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x)
		dd offset _NtSetInformationSymbolicLink@16 ; NtSetInformationSymbolicLink(x,x,x,x)
		dd offset NtCreateRegistryTransaction
		dd offset _NtOpenRegistryTransaction@12	; NtOpenRegistryTransaction(x,x,x)
		dd offset NtCommitRegistryTransaction
		dd offset _NtRollbackRegistryTransaction@8 ; NtRollbackRegistryTransaction(x,x)
		dd offset _NtAllocateVirtualMemoryEx@28	; NtAllocateVirtualMemoryEx(x,x,x,x,x,x,x)
		dd offset _NtMapViewOfSectionEx@36 ; NtMapViewOfSectionEx(x,x,x,x,x,x,x,x,x)
		dd offset _xHalAllocatePmcCounterSet@16	; xHalAllocatePmcCounterSet(x,x,x,x)
		dd offset _NtCreateCrossVmEvent@24 ; NtCreateCrossVmEvent(x,x,x,x,x,x)
		dd offset _NtCreateCrossVmEvent@24 ; NtCreateCrossVmEvent(x,x,x,x,x,x)
		dd offset _MmConfigureGraphicsPtes@8 ; MmConfigureGraphicsPtes(x,x)
		dd offset _NtPssCaptureVaSpaceBulk@20 ;	NtPssCaptureVaSpaceBulk(x,x,x,x,x)
		dd offset _NtDirectGraphicsCall@20 ; NtDirectGraphicsCall(x,x,x,x,x)
		dd offset _NtLoadKey3@32 ; NtLoadKey3(x,x,x,x,x,x,x,x)
		dd offset _NtQueueApcThreadEx2@28 ; NtQueueApcThreadEx2(x,x,x,x,x,x,x)
_KiServiceLimit	dd 1D9h			; DATA XREF: KiInitSystem+93r
; 

_KiArgumentTable:			; DATA XREF: KiInitSystem+B8o
		and	[eax+ebx], al
		add	[eax+ebx], dl
		and	al, 24h
		add	al, 4
		adc	al, 0Ch
		adc	al, 14h
		adc	[eax], dl
		or	[eax], cl
		add	al, 1Ch
		or	[eax+edx], cl
		adc	al, 8
		or	[esp+eax], al
		add	al, 10h
		adc	[eax], bl
; 
		dd 8000000h, 18080808h,	4100408h, 8100804h, 18140404h
		dd 1C100C04h, 0C0C0808h, 100C0814h, 8180404h, 14180810h
		dd 10101008h, 10101010h, 14101010h, 4041410h, 8100804h
		dd 0C040804h, 8141808h,	0C240008h, 808080Ch, 8000808h
		dd 80C0C04h, 1408080Ch,	0C0C0810h, 18080808h, 80C0414h
		dd 4140410h, 18140804h,	18242408h, 414180Ch, 18141418h
		dd 4140C18h, 10141018h,	1418140Ch, 241418h, 14081008h
		dd 14141814h, 14040814h, 3 dup(14141414h), 8241408h, 4282C1Ch
		dd 8080808h, 0C140808h,	0C141810h, 8080818h, 180C1408h
		dd 10140C14h, 0C0C0C10h, 100C140Ch, 3010100Ch, 1010140Ch
		dd 0C0C0C0Ch, 140C0C18h, 2830200Ch, 4142824h, 0C0C2804h
		dd 10040418h, 20280804h, 424080Ch, 8000008h, 140C0410h
		dd 1C04080Ch, 1418141Ch, 4080Ch, 28181808h, 0C100408h
		dd 4001000h, 1408080Ch,	1438180Ch, 0C141808h, 80818h, 4041C18h
		dd 8042800h, 40C0408h, 4040404h, 10080C08h, 140C1C28h
		dd 3428182Ch, 2C104424h, 1C141020h, 24281C24h, 14102024h
		dd 20103810h, 0C1C1020h, 10140C0Ch, 20140C2Ch, 100C1424h
		dd 8081028h, 0C040420h,	8080808h, 40C0808h, 0C080804h
		dd 0C10080Ch, 8080820h,	180C2010h, 0C181814h, 0C0C080Ch
		dd 0C0C0C0Ch, 2C0C1810h, 18240C2Ch, 0C140C10h, 8040404h
		dd 8401818h, 0C100C08h,	402C4044h, 10102C2Ch, 1C08080Ch
		dd 18181024h, 20141408h, 1Ch, 0
		align 10h

; __stdcall KiEncls(x, x, x, x)
_KiEncls@16:				; CODE XREF: KeAddEnclavePage(x,x,x,x,x,x)+136p
					; KeAddEnclavePage(x,x,x,x,x,x)+157p ...
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	eax, [ebp+8]
		mov	ebx, [ebp+0Ch]
		mov	ecx, [ebp+10h]
		mov	edx, [ebp+14h]
; 
		dd 5BCF010Fh, 10C25Dh
; 

; __stdcall KiEnclsDebugRead(x,	x, x, x)
_KiEnclsDebugRead@16:			; CODE XREF: KeDebugReadEnclaveMemory(x,x,x,x)+38p
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	eax, [ebp+8]
		mov	ebx, [ebp+0Ch]
		mov	ecx, [ebp+10h]
		mov	edx, [ebp+14h]
; 
		dd 8BCF010Fh, 0C25D5BC3h, 0CCCC0010h, 3	dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 


; __fastcall KeCheckForZeroPage(x)
@KeCheckForZeroPage@4 proc near		; CODE XREF: MiArePageContentsZero(x,x)+84p
		lea	edx, [ecx+1000h]
		xor	eax, eax
		lea	esp, [esp+0]
		nop

loc_581520:				; CODE XREF: KeCheckForZeroPage(x)+44j
		or	eax, [ecx]
		or	eax, [ecx+4]
		or	eax, [ecx+8]
		or	eax, [ecx+0Ch]
		or	eax, [ecx+10h]
		or	eax, [ecx+14h]
		or	eax, [ecx+18h]
		or	eax, [ecx+1Ch]
		or	eax, [ecx+20h]
		or	eax, [ecx+24h]
		or	eax, [ecx+28h]
		or	eax, [ecx+2Ch]
		or	eax, [ecx+30h]
		or	eax, [ecx+34h]
		or	eax, [ecx+38h]
		or	eax, [ecx+3Ch]
		lea	ecx, [ecx+40h]
		cmp	ecx, edx
		jb	short loc_581520
		retn
@KeCheckForZeroPage@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall KiXMMIZeroPagesNoSave(x, x)
@KiXMMIZeroPagesNoSave@8 proc near	; CODE XREF: KiXMMIZeroPages(x,x)+21p

var_4		= dword	ptr -4

		xorps	xmm0, xmm0
		shr	edx, 6

loc_58155E:				; CODE XREF: KiXMMIZeroPagesNoSave(x,x)+19j
		movntps	oword ptr [ecx], xmm0
		movntps	oword ptr [ecx+10h], xmm0
		movntps	oword ptr [ecx+20h], xmm0
		movntps	oword ptr [ecx+30h], xmm0
		add	ecx, 40h
		dec	edx
		jnz	short loc_58155E
		sfence
		xchg	edx, [esp+var_4]
		retn
@KiXMMIZeroPagesNoSave@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiXMMIZeroPages(x,	x)
@KiXMMIZeroPages@8 proc	near		; DATA XREF: KiInitMachineDependent:loc_ABF1AFo

var_10		= byte ptr -10h

		push	ebp
		push	ebx
		mov	ebx, large fs:124h
		mov	eax, [ebx+4Ch]
		mov	ebp, esp
		sub	esp, 10h
		and	esp, 0FFFFFFF0h
		cli
		dec	word ptr [ebx+13Eh]
		sti
		movaps	oword ptr [esp+10h+var_10], xmm0
		call	@KiXMMIZeroPagesNoSave@8 ; KiXMMIZeroPagesNoSave(x,x)
		movaps	xmm0, oword ptr	[esp+10h+var_10]
		mov	eax, large fs:124h
		inc	word ptr [eax+13Eh]
		jnz	short loc_5815C4
		lea	eax, [eax+70h]
		cmp	eax, [eax]
		jz	short loc_5815C4
		mov	cl, 1
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)

loc_5815C4:				; CODE XREF: KiXMMIZeroPages(x,x)+37j
					; KiXMMIZeroPages(x,x)+3Ej
		mov	esp, ebp
		pop	ebx
		pop	ebp
		retn
@KiXMMIZeroPages@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall KiZeroPages(x, x)
@KiZeroPages@8	proc near		; CODE XREF: MiFreePagesFromMdl(x,x):loc_44A90Fp
					; MiFreePagesFromMdl(x,x)+BFp ...
		push	edi
		xor	eax, eax
		mov	edi, ecx
		mov	ecx, edx
		shr	ecx, 2
		rep stosd
		pop	edi
		retn
@KiZeroPages@8	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiFlushCacheLines(x, x, x)
_KiFlushCacheLines@12 proc near		; CODE XREF: MmBuildMdlForNonPagedPool+108A81p

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch

		mov	ecx, [esp+arg_0]
		mov	eax, [esp+arg_4]
		mov	edx, [esp+arg_8]

loc_5815E8:				; CODE XREF: KiFlushCacheLines(x,x,x)+14j
		db	66h
		clflush	byte ptr [ecx]
		add	ecx, edx
		sub	eax, edx
		jnz	short loc_5815E8
		lock or	byte ptr [esp+0], 0
		retn	0Ch
_KiFlushCacheLines@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall ReadAMDMsr(x)
@ReadAMDMsr@4	proc near		; CODE XREF: KiDisableCacheErrataSource()+14p
		push	edi
		mov	edi, 9C5A203Ah
		rdmsr
		pop	edi
		retn
@ReadAMDMsr@4	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall WriteAMDMsr(x, x, x)
_WriteAMDMsr@12	proc near		; CODE XREF: KiDisableCacheErrataSource()+34p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	edi
		mov	ecx, [esp+arg_0]
		mov	edi, 9C5A203Ah
		mov	eax, [esp+arg_4]
		mov	edx, [esp+arg_8]
		wrmsr
		pop	edi
		retn	0Ch
_WriteAMDMsr@12	endp

; 
; START	OF FUNCTION CHUNK FOR _tcpxsum@12

loc_581620:				; CODE XREF: tcpxsum(x,x,x)+3Dj
		jmp	loc_581744
; 

loc_581625:				; CODE XREF: tcpxsum(x,x,x)+Aj
					; tcpxsum(x,x,x)+1Ej ...
		jmp	loc_581753
; 

loc_58162A:				; CODE XREF: tcpxsum(x,x,x)+45j
		jmp	loc_58173B
; END OF FUNCTION CHUNK	FOR _tcpxsum@12
; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall tcpxsum(x, x, x)
_tcpxsum@12	proc near		; CODE XREF: PopWriteHeaderPages+9Ep
					; PopWriteHeaderPages+F4p ...

arg_0		= word ptr  0Ch
arg_4		= dword	ptr  10h
arg_8		= dword	ptr  14h

; FUNCTION CHUNK AT 00581620 SIZE 0000000F BYTES

		push	ebx
		push	esi
		mov	ecx, [esp+arg_8]
		sub	eax, eax
		test	ecx, ecx
		jz	short loc_581625
		mov	esi, [esp+arg_4]
		sub	edx, edx
		test	esi, 1
		jz	short loc_581650
		mov	ah, [esi]
		inc	esi
		dec	ecx
		jz	short loc_581625

loc_581650:				; CODE XREF: tcpxsum(x,x,x)+18j
		shr	ecx, 1
		jnb	short loc_581659
		mov	al, [esi+ecx*2]
		jz	short loc_581625

loc_581659:				; CODE XREF: tcpxsum(x,x,x)+22j
		test	esi, 2
		jz	short loc_58166A
		mov	dx, [esi]
		add	esi, 2
		add	eax, edx
		dec	ecx

loc_58166A:				; CODE XREF: tcpxsum(x,x,x)+2Fj
		push	ecx
		shr	ecx, 1
		jz	short loc_581620
		mov	edx, [esi]
		add	esi, 4
		dec	ecx
		jz	short loc_58162A
		mov	ebx, ecx
		add	ecx, 1Fh
		shr	ecx, 5
		and	ebx, 1Fh
		jz	short loc_58168F
		lea	esi, [esi+ebx*4-80h]
		jmp	ds:dword_58177C[ebx*4]
; 

loc_58168F:				; CODE XREF: tcpxsum(x,x,x)+52j
					; tcpxsum(x,x,x)+105j
		adc	eax, edx
		mov	edx, [esi]

loc_581693:				; DATA XREF: .text:005817F8o
		adc	eax, edx
		mov	edx, [esi+4]

loc_581698:				; DATA XREF: .text:005817F4o
		adc	eax, edx
		mov	edx, [esi+8]

loc_58169D:				; DATA XREF: .text:005817F0o
		adc	eax, edx
		mov	edx, [esi+0Ch]

loc_5816A2:				; DATA XREF: .text:005817ECo
		adc	eax, edx
		mov	edx, [esi+10h]

loc_5816A7:				; DATA XREF: .text:005817E8o
		adc	eax, edx
		mov	edx, [esi+14h]

loc_5816AC:				; DATA XREF: .text:005817E4o
		adc	eax, edx
		mov	edx, [esi+18h]

loc_5816B1:				; DATA XREF: .text:005817E0o
		adc	eax, edx
		mov	edx, [esi+1Ch]

loc_5816B6:				; DATA XREF: .text:005817DCo
		adc	eax, edx
		mov	edx, [esi+20h]

loc_5816BB:				; DATA XREF: .text:005817D8o
		adc	eax, edx
		mov	edx, [esi+24h]

loc_5816C0:				; DATA XREF: .text:005817D4o
		adc	eax, edx
		mov	edx, [esi+28h]

loc_5816C5:				; DATA XREF: .text:005817D0o
		adc	eax, edx
		mov	edx, [esi+2Ch]

loc_5816CA:				; DATA XREF: .text:005817CCo
		adc	eax, edx
		mov	edx, [esi+30h]

loc_5816CF:				; DATA XREF: .text:005817C8o
		adc	eax, edx
		mov	edx, [esi+34h]

loc_5816D4:				; DATA XREF: .text:005817C4o
		adc	eax, edx
		mov	edx, [esi+38h]

loc_5816D9:				; DATA XREF: .text:005817C0o
		adc	eax, edx
		mov	edx, [esi+3Ch]

loc_5816DE:				; DATA XREF: .text:005817BCo
		adc	eax, edx
		mov	edx, [esi+40h]

loc_5816E3:				; DATA XREF: .text:005817B8o
		adc	eax, edx
		mov	edx, [esi+44h]

loc_5816E8:				; DATA XREF: .text:005817B4o
		adc	eax, edx
		mov	edx, [esi+48h]

loc_5816ED:				; DATA XREF: .text:005817B0o
		adc	eax, edx
		mov	edx, [esi+4Ch]

loc_5816F2:				; DATA XREF: .text:005817ACo
		adc	eax, edx
		mov	edx, [esi+50h]

loc_5816F7:				; DATA XREF: .text:005817A8o
		adc	eax, edx
		mov	edx, [esi+54h]

loc_5816FC:				; DATA XREF: .text:005817A4o
		adc	eax, edx
		mov	edx, [esi+58h]

loc_581701:				; DATA XREF: .text:005817A0o
		adc	eax, edx
		mov	edx, [esi+5Ch]

loc_581706:				; DATA XREF: .text:0058179Co
		adc	eax, edx
		mov	edx, [esi+60h]

loc_58170B:				; DATA XREF: .text:00581798o
		adc	eax, edx
		mov	edx, [esi+64h]

loc_581710:				; DATA XREF: .text:00581794o
		adc	eax, edx
		mov	edx, [esi+68h]

loc_581715:				; DATA XREF: .text:00581790o
		adc	eax, edx
		mov	edx, [esi+6Ch]

loc_58171A:				; DATA XREF: .text:0058178Co
		adc	eax, edx
		mov	edx, [esi+70h]

loc_58171F:				; DATA XREF: .text:00581788o
		adc	eax, edx
		mov	edx, [esi+74h]

loc_581724:				; DATA XREF: .text:00581784o
		adc	eax, edx
		mov	edx, [esi+78h]

loc_581729:				; DATA XREF: .text:00581780o
		adc	eax, edx
		mov	edx, [esi+7Ch]
		lea	esi, [esi+80h]
		dec	ecx
		jnz	loc_58168F

loc_58173B:				; CODE XREF: tcpxsum(x,x,x):loc_58162Aj
		adc	eax, edx
		mov	edx, 0
		adc	eax, edx

loc_581744:				; CODE XREF: tcpxsum(x,x,x):loc_581620j
		pop	ecx
		test	ecx, 1
		jz	short loc_581753
		add	ax, [esi]
		adc	eax, 0

loc_581753:				; CODE XREF: tcpxsum(x,x,x):loc_581625j
					; tcpxsum(x,x,x)+11Bj
		mov	ecx, eax
		ror	ecx, 10h
		add	eax, ecx
		mov	ebx, [esp+arg_4]
		shr	eax, 10h
		test	ebx, 1
		jz	short loc_58176D
		ror	ax, 8

loc_58176D:				; CODE XREF: tcpxsum(x,x,x)+137j
		add	ax, [esp+arg_0]
		pop	esi
		adc	eax, 0
		pop	ebx
		retn	0Ch
_tcpxsum@12	endp

; 
		align 4
dword_58177C	dd 0			; DATA XREF: tcpxsum(x,x,x)+58r
		dd offset loc_581729
		dd offset loc_581724
		dd offset loc_58171F
		dd offset loc_58171A
		dd offset loc_581715
		dd offset loc_581710
		dd offset loc_58170B
		dd offset loc_581706
		dd offset loc_581701
		dd offset loc_5816FC
		dd offset loc_5816F7
		dd offset loc_5816F2
		dd offset loc_5816ED
		dd offset loc_5816E8
		dd offset loc_5816E3
		dd offset loc_5816DE
		dd offset loc_5816D9
		dd offset loc_5816D4
		dd offset loc_5816CF
		dd offset loc_5816CA
		dd offset loc_5816C5
		dd offset loc_5816C0
		dd offset loc_5816BB
		dd offset loc_5816B6
		dd offset loc_5816B1
		dd offset loc_5816AC
		dd offset loc_5816A7
		dd offset loc_5816A2
		dd offset loc_58169D
		dd offset loc_581698
		dd offset loc_581693
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2548. TmInitSystemPhase2
; [00000006 BYTES: COLLAPSED FUNCTION TmInitSystemPhase2(). PRESS KEYPAD "+" TO	EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2547. TmInitSystem
; [00000006 BYTES: COLLAPSED FUNCTION TmInitSystem(x,x,x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1504. NtCommitComplete
; [00000006 BYTES: COLLAPSED FUNCTION NtCommitComplete(x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1505. NtCommitEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION NtCommitEnlistment(x,x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1506. NtCommitTransaction
; [00000006 BYTES: COLLAPSED FUNCTION NtCommitTransaction(x,x).	PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1511. NtCreateEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION NtCreateEnlistment(x,x,x,x,x,x,x,x). PRESS KEYPAD	"+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1514. NtCreateResourceManager
; [00000006 BYTES: COLLAPSED FUNCTION NtCreateResourceManager(x,x,x,x,x,x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1516. NtCreateTransaction
; [00000006 BYTES: COLLAPSED FUNCTION NtCreateTransaction(x,x,x,x,x,x,x,x,x,x).	PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1517. NtCreateTransactionManager
; [00000006 BYTES: COLLAPSED FUNCTION NtCreateTransactionManager(x,x,x,x,x,x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1523. NtEnumerateTransactionObject
; [00000006 BYTES: COLLAPSED FUNCTION NtEnumerateTransactionObject(x,x,x,x,x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1526. NtFreezeTransactions
; [00000006 BYTES: COLLAPSED FUNCTION NtFreezeTransactions(x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1529. NtGetNotificationResourceManager
; [00000006 BYTES: COLLAPSED FUNCTION NtGetNotificationResourceManager(x,x,x,x,x,x,x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1537. NtOpenEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION NtOpenEnlistment(x,x,x,x,x). PRESS KEYPAD	"+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1542. NtOpenResourceManager
; [00000006 BYTES: COLLAPSED FUNCTION NtOpenResourceManager(x,x,x,x,x).	PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1546. NtOpenTransaction
; [00000006 BYTES: COLLAPSED FUNCTION NtOpenTransaction(x,x,x,x,x). PRESS KEYPAD "+" TO	EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1547. NtOpenTransactionManager
; [00000006 BYTES: COLLAPSED FUNCTION NtOpenTransactionManager(x,x,x,x,x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1548. NtPrePrepareComplete
; [00000006 BYTES: COLLAPSED FUNCTION NtPrePrepareComplete(x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1549. NtPrePrepareEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION NtPrePrepareEnlistment(x,x). PRESS KEYPAD	"+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1550. NtPrepareComplete
; [00000006 BYTES: COLLAPSED FUNCTION NtPrepareComplete(x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1551. NtPrepareEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION NtPrepareEnlistment(x,x).	PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1552. NtPropagationComplete
; [00000006 BYTES: COLLAPSED FUNCTION NtPropagationComplete(x,x,x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1553. NtPropagationFailed
; [00000006 BYTES: COLLAPSED FUNCTION NtPropagationFailed(x,x,x). PRESS	KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1560. NtQueryInformationEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION NtQueryInformationEnlistment(x,x,x,x,x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1563. NtQueryInformationResourceManager
; [00000006 BYTES: COLLAPSED FUNCTION NtQueryInformationResourceManager(x,x,x,x,x). PRESS KEYPAD "+" TO	EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1566. NtQueryInformationTransaction
; [00000006 BYTES: COLLAPSED FUNCTION NtQueryInformationTransaction(x,x,x,x,x).	PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1567. NtQueryInformationTransactionManager
; [00000006 BYTES: COLLAPSED FUNCTION NtQueryInformationTransactionManager(x,x,x,x,x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1576. NtReadOnlyEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION NtReadOnlyEnlistment(x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1577. NtRecoverEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION NtRecoverEnlistment(x,x).	PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1578. NtRecoverResourceManager
; [00000006 BYTES: COLLAPSED FUNCTION NtRecoverResourceManager(x). PRESS KEYPAD	"+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1579. NtRecoverTransactionManager
; [00000006 BYTES: COLLAPSED FUNCTION NtRecoverTransactionManager(x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1582. NtRollbackComplete
; [00000006 BYTES: COLLAPSED FUNCTION NtRollbackComplete(x,x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1583. NtRollbackEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION NtRollbackEnlistment(x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1584. NtRollbackTransaction
; [00000006 BYTES: COLLAPSED FUNCTION NtRollbackTransaction(x,x). PRESS	KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1588. NtSetInformationEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION NtSetInformationEnlistment(x,x,x,x). PRESS KEYPAD	"+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1591. NtSetInformationResourceManager
; [00000006 BYTES: COLLAPSED FUNCTION NtSetInformationResourceManager(x,x,x,x).	PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1594. NtSetInformationTransaction
; [00000006 BYTES: COLLAPSED FUNCTION NtSetInformationTransaction(x,x,x,x). PRESS KEYPAD "+" TO	EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1600. NtThawTransactions
; [00000006 BYTES: COLLAPSED FUNCTION NtThawTransactions(). PRESS KEYPAD "+" TO	EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2535. TmCancelPropagationRequest
; [00000006 BYTES: COLLAPSED FUNCTION TmCancelPropagationRequest(x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2536. TmCommitComplete
; [00000006 BYTES: COLLAPSED FUNCTION TmCommitComplete(x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2537. TmCommitEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION TmCommitEnlistment(x,x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2538. TmCommitTransaction
; [00000006 BYTES: COLLAPSED FUNCTION TmCommitTransaction(x,x).	PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2539. TmCreateEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION TmCreateEnlistment(x,x,x,x,x,x,x,x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2540. TmCurrentTransaction
; [00000006 BYTES: COLLAPSED FUNCTION TmCurrentTransaction(x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2541. TmDereferenceEnlistmentKey
; [00000006 BYTES: COLLAPSED FUNCTION TmDereferenceEnlistmentKey(x,x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2542. TmEnableCallbacks
; [00000006 BYTES: COLLAPSED FUNCTION TmEnableCallbacks(x,x,x).	PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2543. TmEndPropagationRequest
; [00000006 BYTES: COLLAPSED FUNCTION TmEndPropagationRequest(x). PRESS	KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2545. TmFreezeTransactions
; [00000006 BYTES: COLLAPSED FUNCTION TmFreezeTransactions(x,x,x). PRESS KEYPAD	"+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2546. TmGetTransactionId
; [00000006 BYTES: COLLAPSED FUNCTION TmGetTransactionId(x,x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2549. TmInitializeTransactionManager
; [00000006 BYTES: COLLAPSED FUNCTION TmInitializeTransactionManager(x,x,x,x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2550. TmIsKTMCommitCoordinator
; [00000006 BYTES: COLLAPSED FUNCTION TmIsKTMCommitCoordinator(x). PRESS KEYPAD	"+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2551. TmIsTransactionActive
; [00000006 BYTES: COLLAPSED FUNCTION TmIsTransactionActive(x).	PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2552. TmPrePrepareComplete
; [00000006 BYTES: COLLAPSED FUNCTION TmPrePrepareComplete(x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2553. TmPrePrepareEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION TmPrePrepareEnlistment(x,x). PRESS KEYPAD	"+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2554. TmPrepareComplete
; [00000006 BYTES: COLLAPSED FUNCTION TmPrepareComplete(x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2555. TmPrepareEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION TmPrepareEnlistment(x,x).	PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2556. TmPropagationComplete
; [00000006 BYTES: COLLAPSED FUNCTION TmPropagationComplete(x,x,x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2557. TmPropagationFailed
; [00000006 BYTES: COLLAPSED FUNCTION TmPropagationFailed(x,x,x). PRESS	KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2558. TmReadOnlyEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION TmReadOnlyEnlistment(x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2559. TmRecoverEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION TmRecoverEnlistment(x,x).	PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2560. TmRecoverResourceManager
; [00000006 BYTES: COLLAPSED FUNCTION TmRecoverResourceManager(x). PRESS KEYPAD	"+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2561. TmRecoverTransactionManager
; [00000006 BYTES: COLLAPSED FUNCTION TmRecoverTransactionManager(x,x).	PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2562. TmReferenceEnlistmentKey
; [00000006 BYTES: COLLAPSED FUNCTION TmReferenceEnlistmentKey(x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2563. TmRenameTransactionManager
; [00000006 BYTES: COLLAPSED FUNCTION TmRenameTransactionManager(x,x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2564. TmRequestOutcomeEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION TmRequestOutcomeEnlistment(x,x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2566. TmRollbackComplete
; [00000006 BYTES: COLLAPSED FUNCTION TmRollbackComplete(x,x). PRESS KEYPAD "+"	TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2567. TmRollbackEnlistment
; [00000006 BYTES: COLLAPSED FUNCTION TmRollbackEnlistment(x,x). PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2568. TmRollbackTransaction
; [00000006 BYTES: COLLAPSED FUNCTION TmRollbackTransaction(x,x). PRESS	KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2569. TmSetCurrentTransaction
; [00000006 BYTES: COLLAPSED FUNCTION TmSetCurrentTransaction(x). PRESS	KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2570. TmSinglePhaseReject
; [00000006 BYTES: COLLAPSED FUNCTION TmSinglePhaseReject(x,x).	PRESS KEYPAD "+" TO EXPAND]
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2571. TmThawTransactions
; [00000006 BYTES: COLLAPSED FUNCTION TmThawTransactions(). PRESS KEYPAD "+" TO	EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NtSinglePhaseReject(x,x).	PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NtSetInformationTransactionManager(x,x,x,x). PRESS KEYPAD	"+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NtRollforwardTransactionManager(x,x). PRESS KEYPAD "+" TO	EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NtRenameTransactionManager(x,x). PRESS KEYPAD "+"	TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NtRegisterProtocolAddressInformation(x,x,x,x,x). PRESS KEYPAD "+"	TO EXPAND]

;  S U B	R O U T	I N E 


; __stdcall ext_ms_win_ntos_tm_l1_1_0_NtCreateTransaction(x, x,	x, x, x, x, x, x, x, x)
_ext_ms_win_ntos_tm_l1_1_0_NtCreateTransaction@40 proc near
		mov	eax, 0C00000BBh
		retn	28h
_ext_ms_win_ntos_tm_l1_1_0_NtCreateTransaction@40 endp

; Exported entry 1470. MmSetBankedSection
; Exported entry 1715. PoRegisterDeviceNotify

;  S U B	R O U T	I N E 


; __stdcall PoRegisterDeviceNotify(x, x, x, x, x, x)
		public _PoRegisterDeviceNotify@24
_PoRegisterDeviceNotify@24 proc	near
		mov	eax, 0C00000BBh	; MmSetBankedSection
		retn	18h
_PoRegisterDeviceNotify@24 endp


;  S U B	R O U T	I N E 


; __stdcall ext_ms_win_ntos_tm_l1_1_0_TmCreateEnlistment(x, x, x, x, x,	x, x, x, x)
_ext_ms_win_ntos_tm_l1_1_0_TmCreateEnlistment@36 proc near
		mov	eax, 0C00000BBh
		retn	24h
_ext_ms_win_ntos_tm_l1_1_0_TmCreateEnlistment@36 endp


;  S U B	R O U T	I N E 


; __stdcall ext_ms_win_ntos_tm_l1_1_0_TmShutdownSystem()
_ext_ms_win_ntos_tm_l1_1_0_TmShutdownSystem@0 proc near
		retn
_ext_ms_win_ntos_tm_l1_1_0_TmShutdownSystem@0 endp

; 
		align 10h
; Exported entry 2158. RtlInitString

;  S U B	R O U T	I N E 


; __stdcall RtlInitString(x, x)
		public _RtlInitString@8
_RtlInitString@8 proc near		; CODE XREF: PopEmModuleAddressMatchCallback(x,x,x,x,x,x,x)+54p
					; RtlInitUTF8String(x,x)j ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	edi
		mov	edi, [esp+arg_4]
		mov	edx, [esp+arg_0]
		mov	dword ptr [edx], 0
		mov	[edx+4], edi
		or	edi, edi
		jz	short loc_581BB4
		or	ecx, 0FFFFFFFFh
		xor	eax, eax
		repne scasb
		not	ecx
		cmp	ecx, 0FFFFh
		jbe	short loc_581BAC
		mov	ecx, 0FFFFh

loc_581BAC:				; CODE XREF: RtlInitString(x,x)+25j
		mov	[edx+2], cx
		dec	ecx
		mov	[edx], cx

loc_581BB4:				; CODE XREF: RtlInitString(x,x)+14j
		pop	edi
		retn	8
_RtlInitString@8 endp

; Exported entry 2154. RtlInitAnsiString

;  S U B	R O U T	I N E 


; __stdcall RtlInitAnsiString(x, x)
		public _RtlInitAnsiString@8
_RtlInitAnsiString@8 proc near		; CODE XREF: IopCreateUnicodeFromAnsiBuffer(x,x)+17p
					; IopCheckDiskName(x,x,x)+3Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	edi
		mov	edi, [esp+arg_4]
		mov	edx, [esp+arg_0]
		mov	dword ptr [edx], 0
		mov	[edx+4], edi
		or	edi, edi
		jz	short loc_581BEC
		or	ecx, 0FFFFFFFFh
		xor	eax, eax
		repne scasb
		not	ecx
		cmp	ecx, 0FFFFh
		jbe	short loc_581BE4
		mov	ecx, 0FFFFh

loc_581BE4:				; CODE XREF: RtlInitAnsiString(x,x)+25j
		mov	[edx+2], cx
		dec	ecx
		mov	[edx], cx

loc_581BEC:				; CODE XREF: RtlInitAnsiString(x,x)+14j
		pop	edi
		retn	8
_RtlInitAnsiString@8 endp

; Exported entry 2163. RtlInitUnicodeString

;  S U B	R O U T	I N E 


; __stdcall RtlInitUnicodeString(x, x)
		public _RtlInitUnicodeString@8
_RtlInitUnicodeString@8	proc near	; CODE XREF: SepVerifyDesktopAppxPackageName+69p
					; RtlpAllowsLowBoxAccess(x)+9Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	edi
		mov	edi, [esp+arg_4]
		mov	edx, [esp+arg_0]
		mov	dword ptr [edx], 0
		mov	[edx+4], edi
		or	edi, edi
		jz	short loc_581C28
		or	ecx, 0FFFFFFFFh
		xor	eax, eax
		repne scasw
		not	ecx
		shl	ecx, 1
		cmp	ecx, 0FFFEh
		jbe	short loc_581C1F
		mov	ecx, 0FFFEh

loc_581C1F:				; CODE XREF: RtlInitUnicodeString(x,x)+28j
		mov	[edx+2], cx
		dec	ecx
		dec	ecx
		mov	[edx], cx

loc_581C28:				; CODE XREF: RtlInitUnicodeString(x,x)+14j
		pop	edi
		retn	8
_RtlInitUnicodeString@8	endp

; 
		align 10h
; Exported entry 264. DbgBreakPointWithStatus

;  S U B	R O U T	I N E 


; __stdcall DbgBreakPointWithStatus(x)
		public _DbgBreakPointWithStatus@4
_DbgBreakPointWithStatus@4 proc	near	; CODE XREF: KdCheckForDebugBreak+8BE87p
					; vDbgPrintExWithPrefixInternal+B4108p	...

arg_0		= dword	ptr  4

		mov	eax, [esp+arg_0]
_DbgBreakPointWithStatus@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpBreakWithStatusInstruction()
_RtlpBreakWithStatusInstruction@0 proc near ; DATA XREF: .data:006B1AA8o
		int	3		; Trap to Debugger
		retn	4
_RtlpBreakWithStatusInstruction@0 endp


;  S U B	R O U T	I N E 


; __stdcall DbgUserBreakPoint()
_DbgUserBreakPoint@0 proc near
		int	3		; Trap to Debugger
		nop
		retn
_DbgUserBreakPoint@0 endp

; 
		align 4
; Exported entry 263. DbgBreakPoint

;  S U B	R O U T	I N E 


; __stdcall DbgBreakPoint()
		public _DbgBreakPoint@0
_DbgBreakPoint@0 proc near
		int	3		; Trap to Debugger
		retn
_DbgBreakPoint@0 endp

; 
		align 10h
; Exported entry 1934. READ_REGISTER_UCHAR

;  S U B	R O U T	I N E 


; __stdcall READ_REGISTER_UCHAR(x)
		public _READ_REGISTER_UCHAR@4
_READ_REGISTER_UCHAR@4 proc near	; CODE XREF: ReadRegister8(x)+6j

arg_0		= dword	ptr  4

		mov	edx, [esp+arg_0]
		mov	al, [edx]
		retn	4
_READ_REGISTER_UCHAR@4 endp

; 
		align 4
; Exported entry 1936. READ_REGISTER_USHORT

;  S U B	R O U T	I N E 


; __stdcall READ_REGISTER_USHORT(x)
		public _READ_REGISTER_USHORT@4
_READ_REGISTER_USHORT@4	proc near	; CODE XREF: ReadRegister16(x)+6j

arg_0		= dword	ptr  4

		mov	edx, [esp+arg_0]
		mov	ax, [edx]
		retn	4
_READ_REGISTER_USHORT@4	endp

; 
		align 4
; Exported entry 1935. READ_REGISTER_ULONG

;  S U B	R O U T	I N E 


; __stdcall READ_REGISTER_ULONG(x)
		public _READ_REGISTER_ULONG@4
_READ_REGISTER_ULONG@4 proc near	; CODE XREF: ReadRegister32(x)+6j

arg_0		= dword	ptr  4

		mov	edx, [esp+arg_0]
		mov	eax, [edx]
		retn	4
_READ_REGISTER_ULONG@4 endp

; 
		align 4
; Exported entry 1931. READ_REGISTER_BUFFER_UCHAR

;  S U B	R O U T	I N E 


; __stdcall READ_REGISTER_BUFFER_UCHAR(x, x, x)
		public _READ_REGISTER_BUFFER_UCHAR@12
_READ_REGISTER_BUFFER_UCHAR@12 proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch

		mov	eax, esi
		mov	edx, edi
		mov	ecx, [esp+arg_8]
		mov	esi, [esp+arg_0]
		mov	edi, [esp+arg_4]
		rep movsb
		mov	edi, edx
		mov	esi, eax
		retn	0Ch
_READ_REGISTER_BUFFER_UCHAR@12 endp

; 
		align 10h
; Exported entry 1933. READ_REGISTER_BUFFER_USHORT

;  S U B	R O U T	I N E 


; __stdcall READ_REGISTER_BUFFER_USHORT(x, x, x)
		public _READ_REGISTER_BUFFER_USHORT@12
_READ_REGISTER_BUFFER_USHORT@12	proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch

		mov	eax, esi
		mov	edx, edi
		mov	ecx, [esp+arg_8]
		mov	esi, [esp+arg_0]
		mov	edi, [esp+arg_4]
		rep movsw
		mov	edi, edx
		mov	esi, eax
		retn	0Ch
_READ_REGISTER_BUFFER_USHORT@12	endp

; 
		align 4
; Exported entry 1932. READ_REGISTER_BUFFER_ULONG

;  S U B	R O U T	I N E 


; __stdcall READ_REGISTER_BUFFER_ULONG(x, x, x)
		public _READ_REGISTER_BUFFER_ULONG@12
_READ_REGISTER_BUFFER_ULONG@12 proc near ; CODE	XREF: IopLiveDumpBufferDumpData(x,x)+10Bp

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch

		mov	eax, esi
		mov	edx, edi
		mov	ecx, [esp+arg_8]
		mov	esi, [esp+arg_0]
		mov	edi, [esp+arg_4]
		rep movsd
		mov	edi, edx
		mov	esi, eax
		retn	0Ch
_READ_REGISTER_BUFFER_ULONG@12 endp

; 
		align 4
; Exported entry 2603. WRITE_REGISTER_UCHAR

;  S U B	R O U T	I N E 


; __stdcall WRITE_REGISTER_UCHAR(x, x)
		public _WRITE_REGISTER_UCHAR@8
_WRITE_REGISTER_UCHAR@8	proc near	; CODE XREF: WriteRegister8(x,x)j

arg_0		= dword	ptr  4
arg_4		= byte ptr  8

		mov	edx, [esp+arg_0]
		mov	al, [esp+arg_4]
		mov	[edx], al
		lock or	[esp+arg_0], edx
		retn	8
_WRITE_REGISTER_UCHAR@8	endp

; 
		align 4
; Exported entry 2605. WRITE_REGISTER_USHORT

;  S U B	R O U T	I N E 


; __stdcall WRITE_REGISTER_USHORT(x, x)
		public _WRITE_REGISTER_USHORT@8
_WRITE_REGISTER_USHORT@8 proc near	; CODE XREF: WriteRegister16(x,x)j

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8

		mov	edx, [esp+arg_0]
		mov	eax, [esp+arg_4]
		mov	[edx], ax
		lock or	[esp+arg_0], edx
		retn	8
_WRITE_REGISTER_USHORT@8 endp

; 
		align 10h
; Exported entry 2604. WRITE_REGISTER_ULONG

;  S U B	R O U T	I N E 


; __stdcall WRITE_REGISTER_ULONG(x, x)
		public _WRITE_REGISTER_ULONG@8
_WRITE_REGISTER_ULONG@8	proc near	; CODE XREF: WriteRegister32(x,x)j

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8

		mov	edx, [esp+arg_0]
		mov	eax, [esp+arg_4]
		mov	[edx], eax
		lock or	[esp+arg_0], edx
		retn	8
_WRITE_REGISTER_ULONG@8	endp

; 
		align 4
; Exported entry 2600. WRITE_REGISTER_BUFFER_UCHAR

;  S U B	R O U T	I N E 


; __stdcall WRITE_REGISTER_BUFFER_UCHAR(x, x, x)
		public _WRITE_REGISTER_BUFFER_UCHAR@12
_WRITE_REGISTER_BUFFER_UCHAR@12	proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch

		mov	eax, esi
		mov	edx, edi
		mov	ecx, [esp+arg_8]
		mov	esi, [esp+arg_4]
		mov	edi, [esp+arg_0]
		rep movsb
		lock or	[esp+arg_0], ecx
		mov	edi, edx
		mov	esi, eax
		retn	0Ch
_WRITE_REGISTER_BUFFER_UCHAR@12	endp

; 
		align 4
; Exported entry 2602. WRITE_REGISTER_BUFFER_USHORT

;  S U B	R O U T	I N E 


; __stdcall WRITE_REGISTER_BUFFER_USHORT(x, x, x)
		public _WRITE_REGISTER_BUFFER_USHORT@12
_WRITE_REGISTER_BUFFER_USHORT@12 proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch

		mov	eax, esi
		mov	edx, edi
		mov	ecx, [esp+arg_8]
		mov	esi, [esp+arg_4]
		mov	edi, [esp+arg_0]
		rep movsw
		lock or	[esp+arg_0], ecx
		mov	edi, edx
		mov	esi, eax
		retn	0Ch
_WRITE_REGISTER_BUFFER_USHORT@12 endp

; 
		align 4
; Exported entry 2601. WRITE_REGISTER_BUFFER_ULONG

;  S U B	R O U T	I N E 


; __stdcall WRITE_REGISTER_BUFFER_ULONG(x, x, x)
		public _WRITE_REGISTER_BUFFER_ULONG@12
_WRITE_REGISTER_BUFFER_ULONG@12	proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch

		mov	eax, esi
		mov	edx, edi
		mov	ecx, [esp+arg_8]
		mov	esi, [esp+arg_4]
		mov	edi, [esp+arg_0]
		rep movsd
		lock or	[esp+arg_0], ecx
		mov	edi, edx
		mov	esi, eax
		retn	0Ch
_WRITE_REGISTER_BUFFER_ULONG@12	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LZNT1DecompressChunk(x, x, x, x, x)
_LZNT1DecompressChunk@20 proc near	; CODE XREF: LZNT1DecompressChunkNewThread(x,x,x,x,x,x)+A6p
					; LZNT1DecompressChunkWorkItem+18p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, [ebp+arg_8]
		sub	[ebp+arg_C], 11h
		mov	eax, [ebp+arg_4]
		sub	eax, 8
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edi
		mov	ebx, 0Dh

loc_581D78:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+ADj
					; LZNT1DecompressChunk(x,x,x,x,x)+1E8j	...
		cmp	esi, [ebp+arg_C]
		jnb	loc_582336
		cmp	edi, [ebp+var_4]
		jnb	loc_582336
		mov	al, [esi]
		test	al, 1
		jnz	loc_581E8E
		mov	dl, [esi+1]
		mov	[edi], dl
		test	al, 2
		jnz	loc_581F54
		mov	dl, [esi+2]
		mov	[edi+1], dl
		test	al, 4
		jnz	loc_58200F
		mov	dl, [esi+3]
		mov	[edi+2], dl
		test	al, 8
		jnz	loc_5820BC
		mov	dl, [esi+4]
		mov	[edi+3], dl
		test	al, 10h
		jnz	loc_58215B
		mov	dl, [esi+5]
		mov	[edi+4], dl
		test	al, 20h
		jnz	loc_5821E8
		mov	dl, [esi+6]
		mov	[edi+5], dl
		test	al, 40h
		jnz	loc_582264
		mov	dl, [esi+7]
		mov	[edi+6], dl
		test	al, 80h
		jnz	loc_5822D2
		mov	dl, [esi+8]
		mov	[edi+7], dl
		add	esi, 9
		add	edi, 8
		jmp	loc_581D78
; 
dword_581E06	dd 0FFFFh		; DATA XREF: LZNT1DecompressChunk(x,x,x,x,x)+1F1r
					; LZNT1DecompressChunk(x,x,x,x,x)+2ACr	...
		dw 0FFFFh
		dd 3 dup(0FFFF0000h), 8000000h,	4000000h, 2000000h, 1000000h
		dd 800000h, 400000h, 200000h, 100000h, 4 dup(0)
		db 2 dup(0)
dword_581E4A	dd 0			; DATA XREF: LZNT1DecompressChunk(x,x,x,x,x)+151r
					; LZNT1DecompressChunk(x,x,x,x,x)+21Ar	...
		dw 1
		dd 30000h, 70000h, 0F0000h, 1F0000h, 3F0000h, 7F0000h
		dd 0FF0000h, 1FF0000h, 3FF0000h, 7FF0000h, 0FFF0000h, 1FFF0000h
		dd 3FFF0000h, 7FFF0000h, 0FFFF0000h
		db 2 dup(0)
; 

loc_581E8E:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+3Aj
					; LZNT1DecompressChunk(x,x,x,x,x)+1FBj
		cmp	edi, [ebp+var_8]
		ja	loc_581F41
		xor	ecx, ecx
		mov	cx, [esi+1]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+var_4]
		jnb	loc_582347
		rep movsb
		mov	esi, [ebp+var_C]
		sub	edi, 1
		test	al, 2
		jnz	short loc_581F54
		mov	dl, [esi+2]
		mov	[edi+1], dl
		test	al, 4
		jnz	loc_58200F
		mov	dl, [esi+3]
		mov	[edi+2], dl
		test	al, 8
		jnz	loc_5820BC
		mov	dl, [esi+4]
		mov	[edi+3], dl
		test	al, 10h
		jnz	loc_58215B
		mov	dl, [esi+5]
		mov	[edi+4], dl
		test	al, 20h
		jnz	loc_5821E8
		mov	dl, [esi+6]
		mov	[edi+5], dl
		test	al, 40h
		jnz	loc_582264
		mov	dl, [esi+7]
		mov	[edi+6], dl
		test	al, 80h
		jnz	loc_5822D2
		mov	dl, [esi+8]
		mov	[edi+7], dl
		add	esi, 9
		add	edi, 8
		jmp	loc_581D78
; 

loc_581F41:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+13Dj
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	loc_581E8E
; 

loc_581F54:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+47j
					; LZNT1DecompressChunk(x,x,x,x,x)+186j
		add	edi, 1

loc_581F57:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+2B6j
		cmp	edi, [ebp+var_8]
		ja	loc_581FFC
		xor	ecx, ecx
		mov	cx, [esi+2]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+var_4]
		jnb	loc_5823D1
		rep movsb
		mov	esi, [ebp+var_C]
		sub	edi, 2
		test	al, 4
		jnz	short loc_58200F
		mov	dl, [esi+3]
		mov	[edi+2], dl
		test	al, 8
		jnz	loc_5820BC
		mov	dl, [esi+4]
		mov	[edi+3], dl
		test	al, 10h
		jnz	loc_58215B
		mov	dl, [esi+5]
		mov	[edi+4], dl
		test	al, 20h
		jnz	loc_5821E8
		mov	dl, [esi+6]
		mov	[edi+5], dl
		test	al, 40h
		jnz	loc_582264
		mov	dl, [esi+7]
		mov	[edi+6], dl
		test	al, 80h
		jnz	loc_5822D2
		mov	dl, [esi+8]
		mov	[edi+7], dl
		add	esi, 9
		add	edi, 8
		jmp	loc_581D78
; 

loc_581FFC:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+206j
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	loc_581F57
; 

loc_58200F:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+55j
					; LZNT1DecompressChunk(x,x,x,x,x)+190j	...
		add	edi, 2

loc_582012:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+363j
		cmp	edi, [ebp+var_8]
		ja	loc_5820A9
		xor	ecx, ecx
		mov	cx, [esi+3]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+var_4]
		jnb	loc_58245B
		rep movsb
		mov	esi, [ebp+var_C]
		sub	edi, 3
		test	al, 8
		jnz	short loc_5820BC
		mov	dl, [esi+4]
		mov	[edi+3], dl
		test	al, 10h
		jnz	loc_58215B
		mov	dl, [esi+5]
		mov	[edi+4], dl
		test	al, 20h
		jnz	loc_5821E8
		mov	dl, [esi+6]
		mov	[edi+5], dl
		test	al, 40h
		jnz	loc_582264
		mov	dl, [esi+7]
		mov	[edi+6], dl
		test	al, 80h
		jnz	loc_5822D2
		mov	dl, [esi+8]
		mov	[edi+7], dl
		add	esi, 9
		add	edi, 8
		jmp	loc_581D78
; 

loc_5820A9:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+2C1j
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	loc_582012
; 

loc_5820BC:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+63j
					; LZNT1DecompressChunk(x,x,x,x,x)+19Ej	...
		add	edi, 3

loc_5820BF:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+402j
		cmp	edi, [ebp+var_8]
		ja	loc_582148
		xor	ecx, ecx
		mov	cx, [esi+4]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+var_4]
		jnb	loc_5824E5
		rep movsb
		mov	esi, [ebp+var_C]
		sub	edi, 4
		test	al, 10h
		jnz	short loc_58215B
		mov	dl, [esi+5]
		mov	[edi+4], dl
		test	al, 20h
		jnz	loc_5821E8
		mov	dl, [esi+6]
		mov	[edi+5], dl
		test	al, 40h
		jnz	loc_582264
		mov	dl, [esi+7]
		mov	[edi+6], dl
		test	al, 80h
		jnz	loc_5822D2
		mov	dl, [esi+8]
		mov	[edi+7], dl
		add	esi, 9
		add	edi, 8
		jmp	loc_581D78
; 

loc_582148:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+36Ej
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	loc_5820BF
; 

loc_58215B:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+71j
					; LZNT1DecompressChunk(x,x,x,x,x)+1ACj	...
		add	edi, 4

loc_58215E:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+48Fj
		cmp	edi, [ebp+var_8]
		ja	short loc_5821D5
		xor	ecx, ecx
		mov	cx, [esi+5]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+var_4]
		jnb	loc_58256F
		rep movsb
		mov	esi, [ebp+var_C]
		sub	edi, 5
		test	al, 20h
		jnz	short loc_5821E8
		mov	dl, [esi+6]
		mov	[edi+5], dl
		test	al, 40h
		jnz	loc_582264
		mov	dl, [esi+7]
		mov	[edi+6], dl
		test	al, 80h
		jnz	loc_5822D2
		mov	dl, [esi+8]
		mov	[edi+7], dl
		add	esi, 9
		add	edi, 8
		jmp	loc_581D78
; 

loc_5821D5:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+40Dj
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	loc_58215E
; 

loc_5821E8:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+7Fj
					; LZNT1DecompressChunk(x,x,x,x,x)+1BAj	...
		add	edi, 5

loc_5821EB:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+50Ej
		cmp	edi, [ebp+var_8]
		ja	short loc_582254
		xor	ecx, ecx
		mov	cx, [esi+6]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+var_4]
		jnb	loc_5825F9
		rep movsb
		mov	esi, [ebp+var_C]
		sub	edi, 6
		test	al, 40h
		jnz	short loc_582264
		mov	dl, [esi+7]
		mov	[edi+6], dl
		test	al, 80h
		jnz	loc_5822D2
		mov	dl, [esi+8]
		mov	[edi+7], dl
		add	esi, 9
		add	edi, 8
		jmp	loc_581D78
; 

loc_582254:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+49Aj
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	short loc_5821EB
; 

loc_582264:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+8Dj
					; LZNT1DecompressChunk(x,x,x,x,x)+1C8j	...
		add	edi, 6

loc_582267:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+57Cj
		cmp	edi, [ebp+var_8]
		ja	short loc_5822C2
		xor	ecx, ecx
		mov	cx, [esi+7]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+var_4]
		jnb	loc_582683
		rep movsb
		mov	esi, [ebp+var_C]
		sub	edi, 7
		test	al, 80h
		jnz	short loc_5822D2
		mov	dl, [esi+8]
		mov	[edi+7], dl
		add	esi, 9
		add	edi, 8
		jmp	loc_581D78
; 

loc_5822C2:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+516j
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	short loc_582267
; 

loc_5822D2:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+9Bj
					; LZNT1DecompressChunk(x,x,x,x,x)+1D6j	...
		add	edi, 7

loc_5822D5:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+5E0j
		cmp	edi, [ebp+var_8]
		ja	short loc_582326
		xor	ecx, ecx
		mov	cx, [esi+8]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+var_4]
		jnb	loc_58270D
		rep movsb
		mov	esi, [ebp+var_C]
		sub	edi, 8
		add	esi, 9
		add	edi, 8
		jmp	loc_581D78
; 

loc_582326:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+584j
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	short loc_5822D5
; 

loc_582336:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+27j
					; LZNT1DecompressChunk(x,x,x,x,x)+30j
		add	[ebp+arg_C], 11h

loc_58233A:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+A32j
		cmp	esi, [ebp+arg_C]
		jz	loc_582792
		mov	al, [esi]
		jmp	short loc_58234F
; 

loc_582347:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+176j
		add	[ebp+arg_C], 11h
		mov	esi, [ebp+var_C]
		dec	esi

loc_58234F:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+5F1j
		lea	ecx, [esi+1]
		cmp	ecx, [ebp+arg_C]
		jz	loc_582792
		cmp	edi, [ebp+arg_4]
		jz	loc_582792
		test	al, 1
		jnz	short loc_582370
		mov	dl, [esi+1]
		mov	[edi], dl
		inc	edi
		jmp	short loc_5823D9
; 

loc_582370:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+612j
		lea	ecx, [esi+3]
		cmp	ecx, [ebp+arg_C]
		ja	loc_58278B

loc_58237C:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+67Bj
		cmp	edi, [ebp+var_8]
		ja	short loc_5823C1
		xor	ecx, ecx
		mov	cx, [esi+1]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+arg_4]
		ja	loc_58278B
		rep movsb
		mov	esi, [ebp+var_C]
		jmp	short loc_5823D9
; 

loc_5823C1:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+62Bj
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	short loc_58237C
; 

loc_5823D1:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+23Fj
		add	[ebp+arg_C], 11h
		mov	esi, [ebp+var_C]
		dec	esi

loc_5823D9:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+61Aj
					; LZNT1DecompressChunk(x,x,x,x,x)+66Bj
		lea	ecx, [esi+2]
		cmp	ecx, [ebp+arg_C]
		jz	loc_582792
		cmp	edi, [ebp+arg_4]
		jz	loc_582792
		test	al, 2
		jnz	short loc_5823FA
		mov	dl, [esi+2]
		mov	[edi], dl
		inc	edi
		jmp	short loc_582463
; 

loc_5823FA:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+69Cj
		lea	ecx, [esi+4]
		cmp	ecx, [ebp+arg_C]
		ja	loc_58278B

loc_582406:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+705j
		cmp	edi, [ebp+var_8]
		ja	short loc_58244B
		xor	ecx, ecx
		mov	cx, [esi+2]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+arg_4]
		ja	loc_58278B
		rep movsb
		mov	esi, [ebp+var_C]
		jmp	short loc_582463
; 

loc_58244B:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+6B5j
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	short loc_582406
; 

loc_58245B:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+2FAj
		add	[ebp+arg_C], 11h
		mov	esi, [ebp+var_C]
		dec	esi

loc_582463:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+6A4j
					; LZNT1DecompressChunk(x,x,x,x,x)+6F5j
		lea	ecx, [esi+3]
		cmp	ecx, [ebp+arg_C]
		jz	loc_582792
		cmp	edi, [ebp+arg_4]
		jz	loc_582792
		test	al, 4
		jnz	short loc_582484
		mov	dl, [esi+3]
		mov	[edi], dl
		inc	edi
		jmp	short loc_5824ED
; 

loc_582484:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+726j
		lea	ecx, [esi+5]
		cmp	ecx, [ebp+arg_C]
		ja	loc_58278B

loc_582490:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+78Fj
		cmp	edi, [ebp+var_8]
		ja	short loc_5824D5
		xor	ecx, ecx
		mov	cx, [esi+3]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+arg_4]
		ja	loc_58278B
		rep movsb
		mov	esi, [ebp+var_C]
		jmp	short loc_5824ED
; 

loc_5824D5:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+73Fj
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	short loc_582490
; 

loc_5824E5:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+3A7j
		add	[ebp+arg_C], 11h
		mov	esi, [ebp+var_C]
		dec	esi

loc_5824ED:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+72Ej
					; LZNT1DecompressChunk(x,x,x,x,x)+77Fj
		lea	ecx, [esi+4]
		cmp	ecx, [ebp+arg_C]
		jz	loc_582792
		cmp	edi, [ebp+arg_4]
		jz	loc_582792
		test	al, 8
		jnz	short loc_58250E
		mov	dl, [esi+4]
		mov	[edi], dl
		inc	edi
		jmp	short loc_582577
; 

loc_58250E:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+7B0j
		lea	ecx, [esi+6]
		cmp	ecx, [ebp+arg_C]
		ja	loc_58278B

loc_58251A:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+819j
		cmp	edi, [ebp+var_8]
		ja	short loc_58255F
		xor	ecx, ecx
		mov	cx, [esi+4]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+arg_4]
		ja	loc_58278B
		rep movsb
		mov	esi, [ebp+var_C]
		jmp	short loc_582577
; 

loc_58255F:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+7C9j
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	short loc_58251A
; 

loc_58256F:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+442j
		add	[ebp+arg_C], 11h
		mov	esi, [ebp+var_C]
		dec	esi

loc_582577:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+7B8j
					; LZNT1DecompressChunk(x,x,x,x,x)+809j
		lea	ecx, [esi+5]
		cmp	ecx, [ebp+arg_C]
		jz	loc_582792
		cmp	edi, [ebp+arg_4]
		jz	loc_582792
		test	al, 10h
		jnz	short loc_582598
		mov	dl, [esi+5]
		mov	[edi], dl
		inc	edi
		jmp	short loc_582601
; 

loc_582598:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+83Aj
		lea	ecx, [esi+7]
		cmp	ecx, [ebp+arg_C]
		ja	loc_58278B

loc_5825A4:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+8A3j
		cmp	edi, [ebp+var_8]
		ja	short loc_5825E9
		xor	ecx, ecx
		mov	cx, [esi+5]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+arg_4]
		ja	loc_58278B
		rep movsb
		mov	esi, [ebp+var_C]
		jmp	short loc_582601
; 

loc_5825E9:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+853j
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	short loc_5825A4
; 

loc_5825F9:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+4CFj
		add	[ebp+arg_C], 11h
		mov	esi, [ebp+var_C]
		dec	esi

loc_582601:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+842j
					; LZNT1DecompressChunk(x,x,x,x,x)+893j
		lea	ecx, [esi+6]
		cmp	ecx, [ebp+arg_C]
		jz	loc_582792
		cmp	edi, [ebp+arg_4]
		jz	loc_582792
		test	al, 20h
		jnz	short loc_582622
		mov	dl, [esi+6]
		mov	[edi], dl
		inc	edi
		jmp	short loc_58268B
; 

loc_582622:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+8C4j
		lea	ecx, [esi+8]
		cmp	ecx, [ebp+arg_C]
		ja	loc_58278B

loc_58262E:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+92Dj
		cmp	edi, [ebp+var_8]
		ja	short loc_582673
		xor	ecx, ecx
		mov	cx, [esi+6]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+arg_4]
		ja	loc_58278B
		rep movsb
		mov	esi, [ebp+var_C]
		jmp	short loc_58268B
; 

loc_582673:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+8DDj
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	short loc_58262E
; 

loc_582683:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+54Bj
		add	[ebp+arg_C], 11h
		mov	esi, [ebp+var_C]
		dec	esi

loc_58268B:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+8CCj
					; LZNT1DecompressChunk(x,x,x,x,x)+91Dj
		lea	ecx, [esi+7]
		cmp	ecx, [ebp+arg_C]
		jz	loc_582792
		cmp	edi, [ebp+arg_4]
		jz	loc_582792
		test	al, 40h
		jnz	short loc_5826AC
		mov	dl, [esi+7]
		mov	[edi], dl
		inc	edi
		jmp	short loc_582715
; 

loc_5826AC:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+94Ej
		lea	ecx, [esi+9]
		cmp	ecx, [ebp+arg_C]
		ja	loc_58278B

loc_5826B8:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+9B7j
		cmp	edi, [ebp+var_8]
		ja	short loc_5826FD
		xor	ecx, ecx
		mov	cx, [esi+7]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+arg_4]
		ja	loc_58278B
		rep movsb
		mov	esi, [ebp+var_C]
		jmp	short loc_582715
; 

loc_5826FD:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+967j
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	short loc_5826B8
; 

loc_58270D:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+5B9j
		add	[ebp+arg_C], 11h
		mov	esi, [ebp+var_C]
		dec	esi

loc_582715:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+956j
					; LZNT1DecompressChunk(x,x,x,x,x)+9A7j
		lea	ecx, [esi+8]
		cmp	ecx, [ebp+arg_C]
		jz	short loc_582792
		cmp	edi, [ebp+arg_4]
		jz	short loc_582792
		test	al, 80h
		jnz	short loc_58272E
		mov	dl, [esi+8]
		mov	[edi], dl
		inc	edi
		jmp	short loc_582783
; 

loc_58272E:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+9D0j
		lea	ecx, [esi+0Ah]
		cmp	ecx, [ebp+arg_C]
		ja	short loc_58278B

loc_582736:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+A2Dj
		cmp	edi, [ebp+var_8]
		ja	short loc_582773
		xor	ecx, ecx
		mov	cx, [esi+8]
		lea	edx, [esi+1]
		mov	[ebp+var_C], edx
		mov	esi, ecx
		and	ecx, ds:dword_581E4A[ebx*4]
		xchg	ebx, ecx
		shr	esi, cl
		xchg	ebx, ecx
		neg	esi
		lea	esi, [esi+edi-1]
		cmp	esi, [ebp+arg_0]
		jb	short loc_58278B
		add	ecx, 3
		lea	edx, [edi+ecx]
		cmp	edx, [ebp+arg_4]
		ja	short loc_58278B
		rep movsb
		mov	esi, [ebp+var_C]
		jmp	short loc_582783
; 

loc_582773:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+9E5j
		dec	ebx
		mov	edx, [ebp+arg_0]
		add	edx, ds:dword_581E06[ebx*4]
		mov	[ebp+var_8], edx
		jmp	short loc_582736
; 

loc_582783:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+9D8j
					; LZNT1DecompressChunk(x,x,x,x,x)+A1Dj
		add	esi, 9
		jmp	loc_58233A
; 

loc_58278B:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+167j
					; LZNT1DecompressChunk(x,x,x,x,x)+230j	...
		mov	eax, 0C0000242h
		jmp	short loc_58279E
; 

loc_582792:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+5E9j
					; LZNT1DecompressChunk(x,x,x,x,x)+601j	...
		mov	eax, edi
		sub	eax, [ebp+arg_0]
		mov	edi, [ebp+arg_10]
		mov	[edi], eax
		xor	eax, eax

loc_58279E:				; CODE XREF: LZNT1DecompressChunk(x,x,x,x,x)+A3Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_LZNT1DecompressChunk@20 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2942. _strupr

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; char *__cdecl	_strupr(char *)
		public __strupr
__strupr	proc near		; CODE XREF: InbvDetermineFunction+1Cp
					; KdInitSystem+178p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_5827CB
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		xor	eax, eax
		pop	ebp
		retn
; 

loc_5827CB:				; CODE XREF: __strupr+Aj
		mov	cl, [edx]
		push	esi
		mov	esi, edx
		jmp	short loc_5827E1
; 

loc_5827D2:				; CODE XREF: __strupr+37j
		lea	eax, [ecx-61h]
		cmp	al, 19h
		ja	short loc_5827DE
		sub	cl, 20h
		mov	[esi], cl

loc_5827DE:				; CODE XREF: __strupr+2Bj
		inc	esi
		mov	cl, [esi]

loc_5827E1:				; CODE XREF: __strupr+24j
		test	cl, cl
		jnz	short loc_5827D2
		mov	eax, edx
		pop	esi
		pop	ebp
		retn
__strupr	endp

; 
		align 10h
; Exported entry 2950. _vsnwprintf

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _vsnwprintf(wchar_t *,size_t,const wchar_t *,va_list)
		public __vsnwprintf
__vsnwprintf	proc near		; CODE XREF: sub_4DC96A+17p
					; StringVPrintfWorkerW+17p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__vsnwprintf_l
		add	esp, 14h
		pop	ebp
		retn
__vsnwprintf	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__vsnwprintf_l	proc near		; CODE XREF: __vsnwprintf+13p

var_20		= FILE ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_20._file], ebx
		mov	[ebp+var_20._charbuf], ebx
		mov	[ebp+var_20._bufsiz], ebx
		mov	[ebp+var_20._tmpfname],	ebx
		cmp	[ebp+arg_8], ebx
		jz	loc_5828B9
		mov	eax, [ebp+arg_4]
		mov	esi, [ebp+arg_0]
		test	eax, eax
		jz	short loc_58283D
		test	esi, esi
		jz	short loc_5828B9

loc_58283D:				; CODE XREF: __vsnwprintf_l+29j
		mov	[ebp+var_20._flag], 42h
		mov	[ebp+var_20._base], esi
		mov	[ebp+var_20._ptr], esi
		cmp	eax, 3FFFFFFFh
		jbe	short loc_58285A
		mov	[ebp+var_20._cnt], 7FFFFFFFh
		jmp	short loc_58285F
; 

loc_58285A:				; CODE XREF: __vsnwprintf_l+41j
		add	eax, eax
		mov	[ebp+var_20._cnt], eax

loc_58285F:				; CODE XREF: __vsnwprintf_l+4Aj
		push	edi
		push	[ebp+arg_10]
		lea	eax, [ebp+var_20]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	eax
		call	__woutput_l
		add	esp, 10h
		mov	edi, eax
		test	esi, esi
		jz	short loc_5828B4
		sub	[ebp+var_20._cnt], 1
		js	short loc_58288F
		mov	ecx, [ebp+var_20._ptr]
		mov	[ecx], bl
		mov	ecx, [ebp+var_20._ptr]
		inc	ecx
		mov	[ebp+var_20._ptr], ecx
		jmp	short loc_58289E
; 

loc_58288F:				; CODE XREF: __vsnwprintf_l+71j
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	ebx		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_20._ptr]

loc_58289E:				; CODE XREF: __vsnwprintf_l+7Fj
		sub	[ebp+var_20._cnt], 1
		js	short loc_5828A8
		mov	[ecx], bl
		jmp	short loc_5828B4
; 

loc_5828A8:				; CODE XREF: __vsnwprintf_l+94j
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	ebx		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx

loc_5828B4:				; CODE XREF: __vsnwprintf_l+6Bj
					; __vsnwprintf_l+98j
		mov	eax, edi
		pop	edi
		jmp	short loc_5828C9
; 

loc_5828B9:				; CODE XREF: __vsnwprintf_l+1Bj
					; __vsnwprintf_l+2Dj
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh

loc_5828C9:				; CODE XREF: __vsnwprintf_l+A9j
		pop	esi
		pop	ebx
		leave
		retn
__vsnwprintf_l	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2948. _vsnprintf

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _vsnprintf(char *,size_t,const char *,va_list)
		public __vsnprintf
__vsnprintf	proc near		; CODE XREF: sub_54A41E+17p
					; RtlStringVPrintfWorkerA+17p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__vsnprintf_l
		add	esp, 14h
		pop	ebp
		retn
__vsnprintf	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__vsnprintf_l	proc near		; CODE XREF: __vsnprintf+13p

var_20		= FILE ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_20._file], ebx
		mov	[ebp+var_20._charbuf], ebx
		mov	[ebp+var_20._bufsiz], ebx
		mov	[ebp+var_20._tmpfname],	ebx
		cmp	[ebp+arg_8], ebx
		jz	short loc_582971
		mov	eax, [ebp+arg_4]
		mov	esi, [ebp+arg_0]
		test	eax, eax
		jz	short loc_58291B
		test	esi, esi
		jz	short loc_582971

loc_58291B:				; CODE XREF: __vsnprintf_l+25j
		mov	ecx, 7FFFFFFFh
		mov	[ebp+var_20._cnt], ecx
		cmp	eax, ecx
		ja	short loc_58292A
		mov	[ebp+var_20._cnt], eax

loc_58292A:				; CODE XREF: __vsnprintf_l+35j
		push	edi
		push	[ebp+arg_10]
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20._flag], 42h
		push	[ebp+arg_C]
		mov	[ebp+var_20._base], esi
		push	[ebp+arg_8]
		mov	[ebp+var_20._ptr], esi
		push	eax
		call	__output_l
		add	esp, 10h
		mov	edi, eax
		test	esi, esi
		jz	short loc_58296C
		sub	[ebp+var_20._cnt], 1
		js	short loc_582960
		mov	ecx, [ebp+var_20._ptr]
		mov	[ecx], bl
		jmp	short loc_58296C
; 

loc_582960:				; CODE XREF: __vsnprintf_l+67j
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	ebx		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx

loc_58296C:				; CODE XREF: __vsnprintf_l+61j
					; __vsnprintf_l+6Ej
		mov	eax, edi
		pop	edi
		jmp	short loc_582981
; 

loc_582971:				; CODE XREF: __vsnprintf_l+1Bj
					; __vsnprintf_l+29j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh

loc_582981:				; CODE XREF: __vsnprintf_l+7Fj
		pop	esi
		pop	ebx
		leave
		retn
__vsnprintf_l	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

strtoxlX	proc near		; CODE XREF: _strtol+17p _strtolX+18p	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		sub	esp, 14h
		mov	ecx, [ebp+arg_4]
		test	eax, eax
		jz	short loc_58299A
		mov	[eax], ecx

loc_58299A:				; CODE XREF: strtoxlX+10j
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	loc_582B56
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	short loc_5829BE
		cmp	esi, 2
		jl	loc_582B56
		cmp	esi, 24h
		jg	loc_582B56

loc_5829BE:				; CODE XREF: strtoxlX+24j
		mov	al, [ecx]
		lea	edi, [ecx+1]
		xor	ebx, ebx

loc_5829C5:				; CODE XREF: strtoxlX+53j
		mov	[ebp+var_1], al
		movzx	esi, al
		call	___pctype_func
		test	byte ptr [eax+esi*2], 8
		jz	short loc_5829DB
		mov	al, [edi]
		inc	edi
		jmp	short loc_5829C5
; 

loc_5829DB:				; CODE XREF: strtoxlX+4Ej
		mov	cl, [ebp+var_1]
		mov	eax, [ebp+arg_10]
		cmp	cl, 2Dh
		jnz	short loc_5829EB
		or	eax, 2
		jmp	short loc_5829F0
; 

loc_5829EB:				; CODE XREF: strtoxlX+5Ej
		cmp	cl, 2Bh
		jnz	short loc_5829F6

loc_5829F0:				; CODE XREF: strtoxlX+63j
		mov	cl, [edi]
		inc	edi
		mov	[ebp+var_1], cl

loc_5829F6:				; CODE XREF: strtoxlX+68j
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_C]
		test	eax, eax
		js	loc_582B48
		cmp	eax, 1
		jz	loc_582B48
		cmp	eax, 24h
		jg	loc_582B48
		test	eax, eax
		jnz	short loc_582A37
		cmp	cl, 30h
		jz	short loc_582A24
		push	0Ah

loc_582A21:				; CODE XREF: strtoxlX+AAj
		pop	esi
		jmp	short loc_582A56
; 

loc_582A24:				; CODE XREF: strtoxlX+97j
		mov	al, [edi]
		cmp	al, 78h
		jz	short loc_582A32
		cmp	al, 58h
		jz	short loc_582A32
		push	8
		jmp	short loc_582A21
; 

loc_582A32:				; CODE XREF: strtoxlX+A2j strtoxlX+A6j
		push	10h
		pop	esi
		jmp	short loc_582A43
; 

loc_582A37:				; CODE XREF: strtoxlX+92j
		mov	esi, eax
		cmp	eax, 10h
		jnz	short loc_582A56
		cmp	cl, 30h
		jnz	short loc_582A56

loc_582A43:				; CODE XREF: strtoxlX+AFj
		mov	al, [edi]
		cmp	al, 78h
		jz	short loc_582A4D
		cmp	al, 58h
		jnz	short loc_582A56

loc_582A4D:				; CODE XREF: strtoxlX+C1j
		mov	cl, [edi+1]
		add	edi, 2
		mov	[ebp+var_1], cl

loc_582A56:				; CODE XREF: strtoxlX+9Cj strtoxlX+B6j ...
		or	eax, 0FFFFFFFFh
		xor	edx, edx
		div	esi
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], eax

loc_582A63:				; CODE XREF: strtoxlX+158j
		movzx	eax, cl
		mov	[ebp+var_C], eax
		call	___pctype_func
		mov	ecx, [ebp+var_C]
		test	byte ptr [eax+ecx*2], 4
		jz	short loc_582A80
		movsx	ecx, [ebp+var_1]
		sub	ecx, 30h
		jmp	short loc_582AA5
; 

loc_582A80:				; CODE XREF: strtoxlX+EFj
		call	___pctype_func
		mov	ecx, [ebp+var_C]
		mov	edx, 103h
		test	[eax+ecx*2], dx
		jz	short loc_582AE0
		mov	al, [ebp+var_1]
		movsx	ecx, al
		sub	al, 61h
		cmp	al, 19h
		ja	short loc_582AA2
		add	ecx, 0FFFFFFE0h

loc_582AA2:				; CODE XREF: strtoxlX+117j
		add	ecx, 0FFFFFFC9h

loc_582AA5:				; CODE XREF: strtoxlX+F8j
		mov	eax, [ebp+var_8]
		cmp	ecx, esi
		jnb	short loc_582AE3
		or	eax, 8
		cmp	[ebp+arg_14], 0
		mov	[ebp+var_8], eax
		jnz	short loc_582AD3
		cmp	ebx, [ebp+var_10]
		jb	short loc_582AD3
		jnz	short loc_582AC4
		cmp	ecx, [ebp+var_14]
		jbe	short loc_582AD3

loc_582AC4:				; CODE XREF: strtoxlX+137j
		mov	ecx, [ebp+arg_8]
		or	eax, 4
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jz	short loc_582AE6
		jmp	short loc_582AD8
; 

loc_582AD3:				; CODE XREF: strtoxlX+130j
					; strtoxlX+135j ...
		imul	ebx, esi
		add	ebx, ecx

loc_582AD8:				; CODE XREF: strtoxlX+14Bj
		mov	cl, [edi]
		inc	edi
		mov	[ebp+var_1], cl
		jmp	short loc_582A63
; 

loc_582AE0:				; CODE XREF: strtoxlX+10Bj
		mov	eax, [ebp+var_8]

loc_582AE3:				; CODE XREF: strtoxlX+124j
		mov	ecx, [ebp+arg_8]

loc_582AE6:				; CODE XREF: strtoxlX+149j
		dec	edi
		test	al, 8
		jnz	short loc_582AF6
		test	ecx, ecx
		jz	short loc_582AF2
		mov	edi, [ebp+arg_4]

loc_582AF2:				; CODE XREF: strtoxlX+167j
		xor	ebx, ebx
		jmp	short loc_582B38
; 

loc_582AF6:				; CODE XREF: strtoxlX+163j
		mov	edx, 7FFFFFFFh
		test	al, 4
		jnz	short loc_582B15
		test	al, 1
		jnz	short loc_582B38
		test	al, 2
		jz	short loc_582B11
		cmp	ebx, 80000000h
		ja	short loc_582B15
		jmp	short loc_582B38
; 

loc_582B11:				; CODE XREF: strtoxlX+17Fj
		cmp	ebx, edx
		jbe	short loc_582B38

loc_582B15:				; CODE XREF: strtoxlX+177j
					; strtoxlX+187j
		cmp	[ebp+arg_14], 0
		jnz	short loc_582B38
		mov	_gbl_errno, 22h
		test	al, 1
		jz	short loc_582B2E
		or	ebx, 0FFFFFFFFh
		jmp	short loc_582B38
; 

loc_582B2E:				; CODE XREF: strtoxlX+1A1j
		test	al, 2
		push	0
		pop	ebx
		setnz	bl
		add	ebx, edx

loc_582B38:				; CODE XREF: strtoxlX+16Ej
					; strtoxlX+17Bj ...
		test	ecx, ecx
		jz	short loc_582B3E
		mov	[ecx], edi

loc_582B3E:				; CODE XREF: strtoxlX+1B4j
		test	al, 2
		jz	short loc_582B44
		neg	ebx

loc_582B44:				; CODE XREF: strtoxlX+1BAj
		mov	eax, ebx
		jmp	short loc_582B67
; 

loc_582B48:				; CODE XREF: strtoxlX+78j strtoxlX+81j ...
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_582B65
		mov	edx, [ebp+arg_4]
		mov	[eax], edx
		jmp	short loc_582B65
; 

loc_582B56:				; CODE XREF: strtoxlX+19j strtoxlX+29j ...
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h

loc_582B65:				; CODE XREF: strtoxlX+1C7j
					; strtoxlX+1CEj
		xor	eax, eax

loc_582B67:				; CODE XREF: strtoxlX+1C0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
strtoxlX	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __int32 __cdecl strtol(const char *,char **,int)
_strtol		proc near		; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+233p
					; RtlIpv6StringToAddressA(x,x,x)+25Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	offset ___initiallocalestructinfo
		call	strtoxlX
		add	esp, 18h
		pop	ebp
		retn
_strtol		endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_strtolX	proc near		; CODE XREF: _atol+18p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	offset ___initiallocalestructinfo
		call	strtoxlX
		add	esp, 18h
		pop	ebp
		retn
_strtolX	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; unsigned __int32 __cdecl strtoul(const char *,char **,int)
_strtoul	proc near		; CODE XREF: EmpCacheBiosDate+61p
					; EmpCacheBiosDate+96p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	1
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	offset ___initiallocalestructinfo
		call	strtoxlX
		add	esp, 18h
		pop	ebp
		retn
_strtoul	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 3005. strncmp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl strncmp(const char *,const char *,size_t)
		public _strncmp
_strncmp	proc near		; CODE XREF: HvlDebuggerSupportInitialize+7DD10p
					; HvlDebuggerSupportInitialize+7DD2Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	edx, edx
		push	edi
		test	esi, esi
		jz	loc_582C75
		cmp	esi, 4
		jb	short loc_582C58
		lea	edi, [esi-4]
		test	edi, edi
		jz	short loc_582C58
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]

loc_582BFD:				; CODE XREF: _strncmp+61j
		mov	bl, [eax]
		add	eax, 4
		add	ecx, 4
		test	bl, bl
		jz	short loc_582C4D
		cmp	bl, [ecx-4]
		jnz	short loc_582C4D
		mov	bl, [eax-3]
		test	bl, bl
		jz	short loc_582C47
		cmp	bl, [ecx-3]
		jnz	short loc_582C47
		mov	bl, [eax-2]
		test	bl, bl
		jz	short loc_582C41
		cmp	bl, [ecx-2]
		jnz	short loc_582C41
		mov	bl, [eax-1]
		test	bl, bl
		jz	short loc_582C3B
		cmp	bl, [ecx-1]
		jnz	short loc_582C3B
		add	edx, 4
		cmp	edx, edi
		jb	short loc_582BFD
		jmp	short loc_582C5E
; 

loc_582C3B:				; CODE XREF: _strncmp+55j _strncmp+5Aj
		movzx	ecx, byte ptr [ecx-1]
		jmp	short loc_582C51
; 

loc_582C41:				; CODE XREF: _strncmp+49j _strncmp+4Ej
		movzx	ecx, byte ptr [ecx-2]
		jmp	short loc_582C51
; 

loc_582C47:				; CODE XREF: _strncmp+3Dj _strncmp+42j
		movzx	ecx, byte ptr [ecx-3]
		jmp	short loc_582C51
; 

loc_582C4D:				; CODE XREF: _strncmp+31j _strncmp+36j
		movzx	ecx, byte ptr [ecx-4]

loc_582C51:				; CODE XREF: _strncmp+69j _strncmp+6Fj ...
		movzx	eax, bl
		sub	eax, ecx
		jmp	short loc_582C77
; 

loc_582C58:				; CODE XREF: _strncmp+18j _strncmp+1Fj
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]

loc_582C5E:				; CODE XREF: _strncmp+63j
		cmp	edx, esi
		jnb	short loc_582C75
		sub	eax, ecx

loc_582C64:				; CODE XREF: _strncmp+9Dj
		mov	bl, [eax+ecx]
		test	bl, bl
		jz	short loc_582C7C
		cmp	bl, [ecx]
		jnz	short loc_582C7C
		inc	edx
		inc	ecx
		cmp	edx, esi
		jb	short loc_582C64

loc_582C75:				; CODE XREF: _strncmp+Fj _strncmp+8Aj
		xor	eax, eax

loc_582C77:				; CODE XREF: _strncmp+80j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_582C7C:				; CODE XREF: _strncmp+93j _strncmp+97j
		movzx	ecx, byte ptr [ecx]
		jmp	short loc_582C51
_strncmp	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

strtoxq		proc near		; CODE XREF: __strtoi64+15p
					; __strtoui64+15p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		sub	esp, 2Ch
		mov	ecx, [ebp+arg_4]
		test	eax, eax
		jz	short loc_582C96
		mov	[eax], ecx

loc_582C96:				; CODE XREF: strtoxq+10j
		test	ecx, ecx
		jz	loc_582EB8
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_582CB7
		cmp	eax, 2
		jl	loc_582EB8
		cmp	eax, 24h
		jg	loc_582EB8

loc_582CB7:				; CODE XREF: strtoxq+21j
		push	ebx
		mov	bl, [ecx]
		xor	eax, eax
		push	edi
		mov	[ebp+var_8], eax
		lea	edi, [ecx+1]
		mov	[ebp+var_C], eax
		push	esi

loc_582CC7:				; CODE XREF: strtoxq+5Cj
		movzx	esi, bl
		call	___pctype_func
		test	byte ptr [eax+esi*2], 8
		jz	short loc_582CE0

loc_582CD5:				; CODE XREF: strtoxq+58j
		mov	al, [edi]
		inc	edi
		cmp	al, bl
		jz	short loc_582CD5
		mov	bl, al
		jmp	short loc_582CC7
; 

loc_582CE0:				; CODE XREF: strtoxq+51j
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_1], bl
		cmp	bl, 2Dh
		jnz	short loc_582CF0
		or	eax, 2
		jmp	short loc_582CF5
; 

loc_582CF0:				; CODE XREF: strtoxq+67j
		cmp	bl, 2Bh
		jnz	short loc_582CFB

loc_582CF5:				; CODE XREF: strtoxq+6Cj
		mov	bl, [edi]
		inc	edi
		mov	[ebp+var_1], bl

loc_582CFB:				; CODE XREF: strtoxq+71j
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_10], eax
		test	ecx, ecx
		jnz	short loc_582D26
		cmp	bl, 30h
		jz	short loc_582D12
		push	0Ah

loc_582D0C:				; CODE XREF: strtoxq+9Cj
		pop	ecx
		mov	[ebp+arg_C], ecx
		jmp	short loc_582D43
; 

loc_582D12:				; CODE XREF: strtoxq+86j
		mov	al, [edi]
		cmp	al, 78h
		jz	short loc_582D20
		cmp	al, 58h
		jz	short loc_582D20
		push	8
		jmp	short loc_582D0C
; 

loc_582D20:				; CODE XREF: strtoxq+94j strtoxq+98j
		push	10h
		pop	ecx
		mov	[ebp+arg_C], ecx

loc_582D26:				; CODE XREF: strtoxq+81j
		cmp	ecx, 10h
		jnz	short loc_582D43
		cmp	bl, 30h
		jnz	short loc_582D43
		mov	al, [edi]
		cmp	al, 78h
		jz	short loc_582D3A
		cmp	al, 58h
		jnz	short loc_582D43

loc_582D3A:				; CODE XREF: strtoxq+B2j
		mov	al, [edi+1]
		add	edi, 2
		mov	[ebp+var_1], al

loc_582D43:				; CODE XREF: strtoxq+8Ej strtoxq+A7j ...
		mov	eax, ecx
		cdq
		push	ebx
		mov	ecx, edx
		mov	[ebp+var_2C], eax
		push	ecx
		push	eax
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		mov	[ebp+var_28], ecx
		call	__aulldvrm
		mov	[ebp+var_20], ebx
		pop	ebx
		nop
		mov	bl, [ebp+var_1]
		xor	esi, esi
		mov	[ebp+var_24], ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_1C], edx

loc_582D6D:				; CODE XREF: strtoxq+199j
		movzx	eax, bl
		mov	[ebp+var_14], eax
		call	___pctype_func
		mov	ecx, [ebp+var_14]
		test	byte ptr [eax+ecx*2], 4
		jz	short loc_582D89
		movsx	ebx, bl
		sub	ebx, 30h
		jmp	short loc_582DB1
; 

loc_582D89:				; CODE XREF: strtoxq+FDj
		call	___pctype_func
		mov	ecx, [ebp+var_14]
		mov	edx, 103h
		test	[eax+ecx*2], dx
		jz	loc_582E20
		movsx	eax, bl
		sub	bl, 61h
		cmp	bl, 19h
		ja	short loc_582DAE
		add	eax, 0FFFFFFE0h

loc_582DAE:				; CODE XREF: strtoxq+127j
		lea	ebx, [eax-37h]

loc_582DB1:				; CODE XREF: strtoxq+105j
		mov	edx, [ebp+var_10]
		mov	eax, [ebp+var_C]
		cmp	ebx, [ebp+arg_C]
		jnb	short loc_582E26
		mov	ecx, [ebp+var_8]
		or	edx, 8
		mov	[ebp+var_10], edx
		cmp	eax, [ebp+var_1C]
		jb	short loc_582DF9
		ja	short loc_582DD1
		cmp	ecx, [ebp+var_18]
		jb	short loc_582DF9

loc_582DD1:				; CODE XREF: strtoxq+148j
		cmp	ecx, [ebp+var_18]
		jnz	short loc_582DEA
		cmp	eax, [ebp+var_1C]
		jnz	short loc_582DEA
		mov	[ebp+var_14], esi
		cmp	esi, [ebp+var_20]
		jb	short loc_582DFC
		ja	short loc_582DEA
		cmp	ebx, [ebp+var_24]
		jbe	short loc_582DFC

loc_582DEA:				; CODE XREF: strtoxq+152j strtoxq+157j ...
		mov	ebx, [ebp+arg_8]
		or	edx, 4
		mov	[ebp+var_10], edx
		test	ebx, ebx
		jz	short loc_582E29
		jmp	short loc_582E18
; 

loc_582DF9:				; CODE XREF: strtoxq+146j strtoxq+14Dj
		mov	[ebp+var_14], esi

loc_582DFC:				; CODE XREF: strtoxq+15Fj strtoxq+166j
		push	eax
		push	ecx
		push	[ebp+var_28]
		push	[ebp+var_2C]
		call	__allmul
		mov	ecx, eax
		mov	eax, edx
		add	ecx, ebx
		mov	[ebp+var_8], ecx
		adc	eax, [ebp+var_14]
		mov	[ebp+var_C], eax

loc_582E18:				; CODE XREF: strtoxq+175j
		mov	bl, [edi]
		inc	edi
		jmp	loc_582D6D
; 

loc_582E20:				; CODE XREF: strtoxq+118j
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_10]

loc_582E26:				; CODE XREF: strtoxq+138j
		mov	ebx, [ebp+arg_8]

loc_582E29:				; CODE XREF: strtoxq+173j
		dec	edi
		test	dl, 8
		jnz	short loc_582E3C
		test	ebx, ebx
		jz	short loc_582E36
		mov	edi, [ebp+arg_4]

loc_582E36:				; CODE XREF: strtoxq+1AFj
		xor	eax, eax
		xor	ecx, ecx
		jmp	short loc_582E9F
; 

loc_582E3C:				; CODE XREF: strtoxq+1ABj
		mov	ecx, 80000000h
		mov	esi, 7FFFFFFFh
		test	dl, 4
		jnz	short loc_582E72
		test	dl, 1
		jnz	short loc_582E99
		test	dl, 2
		jz	short loc_582E64
		cmp	eax, ecx
		ja	short loc_582E72
		mov	eax, [ebp+var_8]
		jb	short loc_582E9C
		test	eax, eax
		jnz	short loc_582E72
		jmp	short loc_582E9C
; 

loc_582E64:				; CODE XREF: strtoxq+1D1j
		cmp	eax, esi
		jb	short loc_582E99
		ja	short loc_582E72
		mov	eax, [ebp+var_8]
		cmp	eax, 0FFFFFFFFh
		jbe	short loc_582E9C

loc_582E72:				; CODE XREF: strtoxq+1C7j strtoxq+1D5j ...
		mov	_gbl_errno, 22h
		test	dl, 1
		jz	short loc_582E89
		or	eax, 0FFFFFFFFh
		or	ecx, 0FFFFFFFFh
		jmp	short loc_582E9F
; 

loc_582E89:				; CODE XREF: strtoxq+1FDj
		test	dl, 2
		jz	short loc_582E92
		xor	eax, eax
		jmp	short loc_582E9F
; 

loc_582E92:				; CODE XREF: strtoxq+20Aj
		or	eax, 0FFFFFFFFh
		mov	ecx, esi
		jmp	short loc_582E9F
; 

loc_582E99:				; CODE XREF: strtoxq+1CCj strtoxq+1E4j
		mov	eax, [ebp+var_8]

loc_582E9C:				; CODE XREF: strtoxq+1DAj strtoxq+1E0j ...
		mov	ecx, [ebp+var_C]

loc_582E9F:				; CODE XREF: strtoxq+1B8j strtoxq+205j ...
		pop	esi
		test	ebx, ebx
		jz	short loc_582EA6
		mov	[ebx], edi

loc_582EA6:				; CODE XREF: strtoxq+220j
		pop	edi
		pop	ebx
		test	dl, 2
		jz	short loc_582EB4
		neg	eax
		adc	ecx, 0
		neg	ecx

loc_582EB4:				; CODE XREF: strtoxq+229j
		mov	edx, ecx
		leave
		retn
; 

loc_582EB8:				; CODE XREF: strtoxq+16j strtoxq+26j ...
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		xor	eax, eax
		xor	edx, edx
		leave
		retn
strtoxq		endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__strtoi64	proc near		; CODE XREF: __atoi64+18p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	offset ___initiallocalestructinfo
		call	strtoxq
		add	esp, 14h
		pop	ebp
		retn
__strtoi64	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2941. _strtoui64

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __strtoui64
__strtoui64	proc near		; CODE XREF: Phase1InitializationDiscard(x)+205p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	offset ___initiallocalestructinfo
		call	strtoxq
		add	esp, 14h
		pop	ebp
		retn
__strtoui64	endp

; 
		align 10h
; Exported entry 3011. strstr

;  S U B	R O U T	I N E 


; char *__cdecl	strstr(const char *,const char *)
		public _strstr
_strstr		proc near		; CODE XREF: InbvDetermineFunction+29p
					; HvlDebuggerSupportInitialize+7DAECp ...

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8

		mov	ecx, [esp+arg_4]
		push	edi
		push	ebx
		push	esi
		mov	dl, [ecx]
		mov	edi, [esp+0Ch+arg_0]
		test	dl, dl
		jz	short loc_582FA0
		mov	dh, [ecx+1]
		test	dh, dh
		jz	short loc_582F8D

loc_582F38:				; CODE XREF: _strstr+58j _strstr+6Bj
		mov	esi, edi
		mov	ecx, [esp+0Ch+arg_4]
		mov	al, [edi]
		add	esi, 1
		cmp	al, dl
		jz	short loc_582F5E
		test	al, al
		jz	short loc_582F58

loc_582F4B:				; CODE XREF: _strstr+36j
		mov	al, [esi]
		add	esi, 1

loc_582F50:				; CODE XREF: _strstr+45j
		cmp	al, dl
		jz	short loc_582F5E
		test	al, al
		jnz	short loc_582F4B

loc_582F58:				; CODE XREF: _strstr+29j
		pop	esi
		pop	ebx
		pop	edi
		xor	eax, eax
		retn
; 

loc_582F5E:				; CODE XREF: _strstr+25j _strstr+32j
		mov	al, [esi]
		add	esi, 1
		cmp	al, dh
		jnz	short loc_582F50
		lea	edi, [esi-1]

loc_582F6A:				; CODE XREF: _strstr+69j
		mov	ah, [ecx+2]
		test	ah, ah
		jz	short loc_582F99
		mov	al, [esi]
		add	esi, 2
		cmp	al, ah
		jnz	short loc_582F38
		mov	al, [ecx+3]
		test	al, al
		jz	short loc_582F99
		mov	ah, [esi-1]
		add	ecx, 2
		cmp	al, ah
		jz	short loc_582F6A
		jmp	short loc_582F38
; 

loc_582F8D:				; CODE XREF: _strstr+16j
		xor	eax, eax
		pop	esi
		pop	ebx
		pop	edi
		mov	al, dl
		jmp	___from_strstr_to_strchr
; 

loc_582F99:				; CODE XREF: _strstr+4Fj _strstr+5Fj
		lea	eax, [edi-1]
		pop	esi
		pop	ebx
		pop	edi
		retn
; 

loc_582FA0:				; CODE XREF: _strstr+Fj
		mov	eax, edi
		pop	esi
		pop	ebx
		pop	edi
		retn
_strstr		endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __int64 __cdecl _atoi64(const	char *)
__atoi64	proc near		; CODE XREF: KiParseLoadOptions+36E9p
					; KiParseLoadOptions+3707p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_582FB7
		xor	eax, eax
		xor	edx, edx
		pop	ebp
		retn
; 

loc_582FB7:				; CODE XREF: __atoi64+9j
		push	0Ah
		push	0
		push	[ebp+arg_0]
		call	__strtoi64
		add	esp, 0Ch
		pop	ebp
		retn
__atoi64	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2966. atoi

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl atoi(const char *)
		public _atoi
_atoi		proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_atol
_atoi		endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2967. atol

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __int32 __cdecl atol(const char *)
		public _atol
_atol		proc near		; CODE XREF: _atoi+6j
					; HvlDebuggerSupportInitialize+7DC0Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_582FED
		xor	eax, eax
		pop	ebp
		retn
; 

loc_582FED:				; CODE XREF: _atol+9j
		push	1
		push	0Ah
		push	0
		push	[ebp+arg_0]
		call	_strtolX
		add	esp, 10h
		pop	ebp
		retn
_atol		endp


;  S U B	R O U T	I N E 


; double __cdecl cos(double)
_cos		proc near
		jmp	short __cos_default
_cos		endp

; 
		align 10h
; Exported entry 2893. _CIcos

;  S U B	R O U T	I N E 


		public __CIcos
__CIcos		proc near
		jmp	short $+2
__CIcos		endp


;  S U B	R O U T	I N E 


__CIcos_default	proc near

var_C		= qword	ptr -0Ch

		sub	esp, 0Ch
		fst	[esp+0Ch+var_C]
		call	__checkTOS_withFB
		call	sub_58302F
		add	esp, 0Ch
		retn
__CIcos_default	endp


;  S U B	R O U T	I N E 


__cos_default	proc near		; CODE XREF: _cosj

arg_0		= dword	ptr  4

		lea	edx, [esp+arg_0]
		call	__fload_withFB
__cos_default	endp


;  S U B	R O U T	I N E 


sub_58302F	proc near		; CODE XREF: __CIcos_default+Bp

var_2		= word ptr -2
arg_0		= dword	ptr  6

		push	edx
		fstcw	[esp+2+var_2]
		jz	short loc_583086
		cmp	[esp+2+var_2], 27Fh
		jz	short loc_583044
		fldcw	word ptr ds:__DEFAULT_CW_in_mem

loc_583044:				; CODE XREF: sub_58302F+Dj
		fcos
		fstsw	ax
		sahf
		jp	short loc_583069

loc_58304C:				; CODE XREF: sub_58302F+4Ej
		cmp	___fastflag, 0
		jnz	__fast_exit
		mov	edx, 12h
		lea	ecx, aCos	; "cos"
		jmp	__math_exit
; 

loc_583069:				; CODE XREF: sub_58302F+1Bj
		fld	tbyte ptr ds:__pi_by_2_to_61
		fxch	st(1)

loc_583071:				; CODE XREF: sub_58302F+48j
		fprem1
		fstsw	ax
		sahf
		jp	short loc_583071
		fstp	st(1)
		fcos
		jmp	short loc_58304C
; 

loc_58307F:				; CODE XREF: sub_58302F+5Cj
					; sub_58302F+63j
		call	__convertTOStoQNaN
		jmp	short loc_5830A1
; 

loc_583086:				; CODE XREF: sub_58302F+5j
		test	eax, 0FFFFFh
		jnz	short loc_58307F
		cmp	[esp+2+arg_0], 0
		jnz	short loc_58307F
		fstp	st
		fld	__indefinite
		mov	eax, 1

loc_5830A1:				; CODE XREF: sub_58302F+55j
		cmp	___fastflag, 0
		jnz	__fast_exit
		mov	edx, 12h
		lea	ecx, aCos	; "cos"
		call	__startOneArgErrorHandling
		pop	edx
		retn
sub_58302F	endp


;  S U B	R O U T	I N E 


; double __cdecl sin(double)
_sin		proc near
		jmp	short __sin_default
_sin		endp

; 
		align 10h
; Exported entry 2894. _CIsin

;  S U B	R O U T	I N E 


		public __CIsin
__CIsin		proc near

var_C		= qword	ptr -0Ch

		jmp	short $+2

__CIsin_default:
		sub	esp, 0Ch
		fst	[esp+0Ch+var_C]
		call	__checkTOS_withFB
		call	sub_5830EF
		add	esp, 0Ch
		retn
__CIsin		endp


;  S U B	R O U T	I N E 


__sin_default	proc near		; CODE XREF: _sinj

arg_0		= dword	ptr  4

		lea	edx, [esp+arg_0]
		call	__fload_withFB
__sin_default	endp


;  S U B	R O U T	I N E 


sub_5830EF	proc near		; CODE XREF: __CIsin+Dp

var_2		= word ptr -2
arg_0		= dword	ptr  6

		push	edx
		fstcw	[esp+2+var_2]
		jz	short loc_583146
		cmp	[esp+2+var_2], 27Fh
		jz	short loc_583104
		fldcw	word ptr ds:__DEFAULT_CW_in_mem

loc_583104:				; CODE XREF: sub_5830EF+Dj
		fsin
		fstsw	ax
		sahf
		jp	short loc_583129

loc_58310C:				; CODE XREF: sub_5830EF+4Ej
		cmp	___fastflag, 0
		jnz	__fast_exit
		mov	edx, 1Eh
		lea	ecx, off_6B3BE0
		jmp	__math_exit
; 

loc_583129:				; CODE XREF: sub_5830EF+1Bj
		fld	tbyte ptr ds:__pi_by_2_to_61
		fxch	st(1)

loc_583131:				; CODE XREF: sub_5830EF+48j
		fprem1
		fstsw	ax
		sahf
		jp	short loc_583131
		fstp	st(1)
		fsin
		jmp	short loc_58310C
; 

loc_58313F:				; CODE XREF: sub_5830EF+5Cj
					; sub_5830EF+63j
		call	__convertTOStoQNaN
		jmp	short loc_583161
; 

loc_583146:				; CODE XREF: sub_5830EF+5j
		test	eax, 0FFFFFh
		jnz	short loc_58313F
		cmp	[esp+2+arg_0], 0
		jnz	short loc_58313F
		fstp	st
		fld	__indefinite
		mov	eax, 1

loc_583161:				; CODE XREF: sub_5830EF+55j
		cmp	___fastflag, 0
		jnz	__fast_exit
		mov	edx, 1Eh
		lea	ecx, off_6B3BE0
		call	__startOneArgErrorHandling
		pop	edx
		retn
sub_5830EF	endp

; Exported entry 2895. _CIsqrt

;  S U B	R O U T	I N E 


		public __CIsqrt
__CIsqrt	proc near

var_C		= qword	ptr -0Ch

		sub	esp, 0Ch
		fst	[esp+0Ch+var_C]
		call	__checkTOS_withFB
		call	sub_58319D
		add	esp, 0Ch
		retn
__CIsqrt	endp


;  S U B	R O U T	I N E 


; double __cdecl sqrt(double)
_sqrt		proc near

arg_0		= dword	ptr  4

		lea	edx, [esp+arg_0]
		call	__fload_withFB
_sqrt		endp


;  S U B	R O U T	I N E 


sub_58319D	proc near		; CODE XREF: __CIsqrt+Bp

var_2		= word ptr -2
arg_0		= dword	ptr  6
arg_4		= dword	ptr  0Ah

		push	edx
		fstcw	[esp+2+var_2]
		mov	eax, [esp+2+arg_4]
		jz	short loc_5831F9
		cmp	[esp+2+var_2], 27Fh
		jz	short loc_5831B5
		call	__load_CW

loc_5831B5:				; CODE XREF: sub_58319D+11j
		test	eax, 80000000h
		jnz	short loc_5831DB
		fsqrt

loc_5831BE:				; CODE XREF: sub_58319D+53j
					; sub_58319D+6Fj
		cmp	___fastflag, 0
		jnz	__fast_exit
		mov	edx, 5
		lea	ecx, aSqrt	; "sqrt"
		jmp	__math_exit
; 

loc_5831DB:				; CODE XREF: sub_58319D+1Dj
		test	eax, 7FF00000h
		jnz	short loc_58320E
		test	eax, 0FFFFFh
		jnz	short loc_58320E
		cmp	[esp+2+arg_0], 0
		jnz	short loc_58320E
		jmp	short loc_5831BE
; 

loc_5831F2:				; CODE XREF: sub_58319D+61j
					; sub_58319D+68j
		call	__convertTOStoQNaN
		jmp	short loc_58321B
; 

loc_5831F9:				; CODE XREF: sub_58319D+9j
		test	eax, 0FFFFFh
		jnz	short loc_5831F2
		cmp	[esp+2+arg_0], 0
		jnz	short loc_5831F2
		and	eax, 80000000h
		jz	short loc_5831BE

loc_58320E:				; CODE XREF: sub_58319D+43j
					; sub_58319D+4Aj ...
		fstp	st
		fld	__indefinite
		mov	eax, 1

loc_58321B:				; CODE XREF: sub_58319D+5Aj
		cmp	___fastflag, 0
		jnz	__fast_exit
		mov	edx, 5

loc_58322D:				; DATA XREF: .text:005A58E5o
		lea	ecx, aSqrt	; "sqrt"
		call	__startOneArgErrorHandling
		pop	edx
		retn
sub_58319D	endp

; 
		align 4
; Exported entry 2914. _global_unwind2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __global_unwind2
__global_unwind2 proc near		; CODE XREF: __except_handler2+56p
					; __except_handler3+70p

arg_0		= dword	ptr  8

		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	ebp
		push	0
		push	0
		push	offset loc_583254
		push	[ebp+arg_0]
		call	RtlUnwind

loc_583254:				; DATA XREF: __global_unwind2+Bo
		pop	ebp
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
__global_unwind2 endp


;  S U B	R O U T	I N E 


__unwind_handler proc near		; DATA XREF: __local_unwind2+Bo
					; __abnormal_termination+9o

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_C		= dword	ptr  10h
arg_10		= dword	ptr  14h

		mov	ecx, [esp+arg_0]
		test	dword ptr [ecx+4], 6
		mov	eax, 1
		jz	short locret_5832A0
		mov	eax, [esp+arg_10]
		mov	ecx, [eax-4]
		xor	ecx, eax
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		push	ebp
		mov	ebp, [eax+10h]
		mov	edx, [eax+28h]
		push	edx
		mov	edx, [eax+24h]
		push	edx
		call	__local_unwind2
		add	esp, 8
		pop	ebp
		mov	eax, [esp+arg_4]
		mov	edx, [esp+arg_C]
		mov	[edx], eax
		mov	eax, 3

locret_5832A0:				; CODE XREF: __unwind_handler+10j
		retn
__unwind_handler endp

; Exported entry 2921. _local_unwind2

;  S U B	R O U T	I N E 


		public __local_unwind2
__local_unwind2	proc near		; CODE XREF: __unwind_handler+2Cp
					; __except_handler2+63p ...

var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  10h
arg_4		= dword	ptr  14h

		push	ebx
		push	esi
		push	edi
		mov	eax, [esp+arg_0]
		push	ebp
		push	eax
		push	0FFFFFFFEh
		push	offset __unwind_handler
		push	large dword ptr	fs:0
		mov	eax, ___security_cookie
		xor	eax, esp
		push	eax
		lea	eax, [esp+18h+var_14]
		mov	large fs:0, eax

loc_5832CA:				; CODE XREF: __local_unwind2:loc_583311j
		mov	eax, [esp+18h+arg_0]
		mov	ebx, [eax+8]
		mov	esi, [eax+0Ch]
		cmp	esi, 0FFFFFFFFh
		jz	short loc_583313
		cmp	[esp+18h+arg_4], 0FFFFFFFFh
		jz	short loc_5832E6
		cmp	esi, [esp+18h+arg_4]
		jbe	short loc_583313

loc_5832E6:				; CODE XREF: __local_unwind2+3Dj
		lea	esi, [esi+esi*2]
		mov	ecx, [ebx+esi*4]
		mov	[esp+18h+var_C], ecx
		mov	[eax+0Ch], ecx
		cmp	dword ptr [ebx+esi*4+4], 0
		jnz	short loc_583311
		push	101h
		mov	eax, [ebx+esi*4+8]
		call	__NLG_Notify
		mov	eax, [ebx+esi*4+8]
		call	__NLG_Call

loc_583311:				; CODE XREF: __local_unwind2+57j
		jmp	short loc_5832CA
; 

loc_583313:				; CODE XREF: __local_unwind2+36j
					; __local_unwind2+43j
		mov	ecx, [esp+18h+var_14]
		mov	large fs:0, ecx
		add	esp, 18h
		pop	edi
		pop	esi
		pop	ebx
		retn
__local_unwind2	endp

; Exported entry 2896. _abnormal_termination

;  S U B	R O U T	I N E 


; int _abnormal_termination(void)
		public __abnormal_termination
__abnormal_termination proc near
		xor	eax, eax
		mov	ecx, large fs:0
		cmp	dword ptr [ecx+4], offset __unwind_handler
		jnz	short locret_583347
		mov	edx, [ecx+0Ch]
		mov	edx, [edx+0Ch]
		cmp	[ecx+8], edx
		jnz	short locret_583347
		mov	eax, 1

locret_583347:				; CODE XREF: __abnormal_termination+10j
					; __abnormal_termination+1Bj
		retn
__abnormal_termination endp


;  S U B	R O U T	I N E 


__NLG_Notify1	proc near
		push	ebx
		push	ecx
		mov	ebx, offset __NLG_Destination
		jmp	short loc_58335C
__NLG_Notify1	endp


;  S U B	R O U T	I N E 


__NLG_Notify	proc near		; CODE XREF: __local_unwind2+62p
					; __except_handler3+8Ep ...

arg_0		= dword	ptr  0Ch

		push	ebx
		push	ecx
		mov	ebx, offset __NLG_Destination
		mov	ecx, [esp+arg_0]

loc_58335C:				; CODE XREF: __NLG_Notify1+7j
		mov	[ebx+8], ecx
		mov	[ebx+4], eax
		mov	[ebx+0Ch], ebp
		push	ebp
		push	ecx
		push	eax
__NLG_Notify	endp


;  S U B	R O U T	I N E 


__NLG_Dispatch2	proc near
		pop	eax
		pop	ecx
		pop	ebp
		pop	ecx
		pop	ebx
		retn	4
__NLG_Dispatch2	endp ; sp =  10h


;  S U B	R O U T	I N E 


__NLG_Call	proc near		; CODE XREF: __local_unwind2+6Bp
					; __local_unwind4+7Bp
		call	eax

__NLG_Return2:
		retn
__NLG_Call	endp

; 
		align 10h
; Exported entry 2897. _alldiv

;  S U B	R O U T	I N E 


		public __alldiv
__alldiv	proc near		; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+95p
					; .text:004A7F24p ...

arg_0		= dword	ptr  10h
arg_4		= dword	ptr  14h
arg_8		= dword	ptr  18h
arg_C		= dword	ptr  1Ch

		push	edi
		push	esi
		push	ebx
		xor	edi, edi
		mov	eax, [esp+arg_4]
		or	eax, eax
		jge	short loc_5833A1
		inc	edi
		mov	edx, [esp+arg_0]
		neg	eax
		neg	edx
		sbb	eax, 0
		mov	[esp+arg_4], eax
		mov	[esp+arg_0], edx

loc_5833A1:				; CODE XREF: __alldiv+Bj
		mov	eax, [esp+arg_C]
		or	eax, eax
		jge	short loc_5833BD
		inc	edi
		mov	edx, [esp+arg_8]
		neg	eax
		neg	edx
		sbb	eax, 0
		mov	[esp+arg_C], eax
		mov	[esp+arg_8], edx

loc_5833BD:				; CODE XREF: __alldiv+27j
		or	eax, eax
		jnz	short loc_5833D9
		mov	ecx, [esp+arg_8]
		mov	eax, [esp+arg_4]
		xor	edx, edx
		div	ecx
		mov	ebx, eax
		mov	eax, [esp+arg_0]
		div	ecx
		mov	edx, ebx
		jmp	short loc_58341A
; 

loc_5833D9:				; CODE XREF: __alldiv+3Fj
		mov	ebx, eax
		mov	ecx, [esp+arg_8]
		mov	edx, [esp+arg_4]
		mov	eax, [esp+arg_0]

loc_5833E7:				; CODE XREF: __alldiv+71j
		shr	ebx, 1
		rcr	ecx, 1
		shr	edx, 1
		rcr	eax, 1
		or	ebx, ebx
		jnz	short loc_5833E7
		div	ecx
		mov	esi, eax
		mul	[esp+arg_C]
		mov	ecx, eax
		mov	eax, [esp+arg_8]
		mul	esi
		add	edx, ecx
		jb	short loc_583415
		cmp	edx, [esp+arg_4]
		ja	short loc_583415
		jb	short loc_583416
		cmp	eax, [esp+arg_0]
		jbe	short loc_583416

loc_583415:				; CODE XREF: __alldiv+85j __alldiv+8Bj
		dec	esi

loc_583416:				; CODE XREF: __alldiv+8Dj __alldiv+93j
		xor	edx, edx
		mov	eax, esi

loc_58341A:				; CODE XREF: __alldiv+57j
		dec	edi
		jnz	short loc_583424
		neg	edx
		neg	eax
		sbb	edx, 0

loc_583424:				; CODE XREF: __alldiv+9Bj
		pop	ebx
		pop	esi
		pop	edi
		retn	10h
__alldiv	endp

; 
		align 10h
; Exported entry 2898. _alldvrm

;  S U B	R O U T	I N E 


		public __alldvrm
__alldvrm	proc near		; CODE XREF: IoPropagateIrpExtensionEx+E84EEp

arg_0		= dword	ptr  10h
arg_4		= dword	ptr  14h
arg_8		= dword	ptr  18h
arg_C		= dword	ptr  1Ch

		push	edi
		push	esi
		push	ebp
		xor	edi, edi
		xor	ebp, ebp
		mov	eax, [esp+arg_4]
		or	eax, eax
		jge	short loc_583454
		inc	edi
		inc	ebp
		mov	edx, [esp+arg_0]
		neg	eax
		neg	edx
		sbb	eax, 0
		mov	[esp+arg_4], eax
		mov	[esp+arg_0], edx

loc_583454:				; CODE XREF: __alldvrm+Dj
		mov	eax, [esp+arg_C]
		or	eax, eax
		jge	short loc_583470
		inc	edi
		mov	edx, [esp+arg_8]
		neg	eax
		neg	edx
		sbb	eax, 0
		mov	[esp+arg_C], eax
		mov	[esp+arg_8], edx

loc_583470:				; CODE XREF: __alldvrm+2Aj
		or	eax, eax
		jnz	short loc_58349C
		mov	ecx, [esp+arg_8]
		mov	eax, [esp+arg_4]
		xor	edx, edx
		div	ecx
		mov	ebx, eax
		mov	eax, [esp+arg_0]
		div	ecx
		mov	esi, eax
		mov	eax, ebx
		mul	[esp+arg_8]
		mov	ecx, eax
		mov	eax, esi
		mul	[esp+arg_8]
		add	edx, ecx
		jmp	short loc_5834E3
; 

loc_58349C:				; CODE XREF: __alldvrm+42j
		mov	ebx, eax
		mov	ecx, [esp+arg_8]
		mov	edx, [esp+arg_4]
		mov	eax, [esp+arg_0]

loc_5834AA:				; CODE XREF: __alldvrm+84j
		shr	ebx, 1
		rcr	ecx, 1
		shr	edx, 1
		rcr	eax, 1
		or	ebx, ebx
		jnz	short loc_5834AA
		div	ecx
		mov	esi, eax
		mul	[esp+arg_C]
		mov	ecx, eax
		mov	eax, [esp+arg_8]
		mul	esi
		add	edx, ecx
		jb	short loc_5834D8
		cmp	edx, [esp+arg_4]
		ja	short loc_5834D8
		jb	short loc_5834E1
		cmp	eax, [esp+arg_0]
		jbe	short loc_5834E1

loc_5834D8:				; CODE XREF: __alldvrm+98j
					; __alldvrm+9Ej
		dec	esi
		sub	eax, [esp+arg_8]
		sbb	edx, [esp+arg_C]

loc_5834E1:				; CODE XREF: __alldvrm+A0j
					; __alldvrm+A6j
		xor	ebx, ebx

loc_5834E3:				; CODE XREF: __alldvrm+6Aj
		sub	eax, [esp+arg_0]
		sbb	edx, [esp+arg_4]
		dec	ebp
		jns	short loc_5834F5
		neg	edx
		neg	eax
		sbb	edx, 0

loc_5834F5:				; CODE XREF: __alldvrm+BCj
		mov	ecx, edx
		mov	edx, ebx
		mov	ebx, ecx
		mov	ecx, eax
		mov	eax, esi
		dec	edi
		jnz	short loc_583509
		neg	edx
		neg	eax
		sbb	edx, 0

loc_583509:				; CODE XREF: __alldvrm+D0j
		pop	ebp
		pop	esi
		pop	edi
		retn	10h
__alldvrm	endp

; 
		align 10h
; Exported entry 2899. _allmul

;  S U B	R O U T	I N E 


		public __allmul
__allmul	proc near		; CODE XREF: PopFxEnableWorkOrderWatchdog+30p
					; KiProcessPendingForegroundBoosts+132p ...

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch
arg_C		= dword	ptr  10h

		mov	eax, [esp+arg_4]
		mov	ecx, [esp+arg_C]
		or	ecx, eax
		mov	ecx, [esp+arg_8]
		jnz	short loc_583529
		mov	eax, [esp+arg_0]
		mul	ecx
		retn	10h
; 

loc_583529:				; CODE XREF: __allmul+Ej
		push	ebx
		mul	ecx
		mov	ebx, eax
		mov	eax, [esp+4+arg_0]
		mul	[esp+4+arg_C]
		add	ebx, eax
		mov	eax, [esp+4+arg_0]
		mul	ecx
		add	edx, ebx
		pop	ebx
		retn	10h
__allmul	endp

; Exported entry 2900. _alloca_probe
; Exported entry 2910. _chkstk

;  S U B	R O U T	I N E 


		public __chkstk
__chkstk	proc near		; CODE XREF: MmProbeAndLockSelectedPages+Dp
					; __alloca_probe_16+11j ...
		push	ecx		; _alloca_probe
		lea	ecx, [esp+4]
		sub	ecx, eax
		sbb	eax, eax
		not	eax
		and	ecx, eax
		mov	eax, esp
		and	eax, 0FFFFF000h

loc_583558:				; CODE XREF: __chkstk+29j
		cmp	ecx, eax
		jb	short loc_583566
		mov	eax, ecx
		pop	ecx
		xchg	eax, esp
		mov	eax, [eax]
		mov	[esp+0], eax
		retn
; 

loc_583566:				; CODE XREF: __chkstk+16j
		sub	eax, 1000h
		test	[eax], eax
		jmp	short loc_583558
__chkstk	endp

; 
		align 10h
; Exported entry 2901. _alloca_probe_16

;  S U B	R O U T	I N E 


		public __alloca_probe_16
__alloca_probe_16 proc near		; CODE XREF: KiRaiseException(x,x,x,x,x)+A5p
					; KiContinuePreviousModeUser+53p ...

arg_0		= dword	ptr  8

		push	ecx
		lea	ecx, [esp+arg_0]
		sub	ecx, eax
		and	ecx, 0Fh
		add	eax, ecx
		sbb	ecx, ecx
		or	eax, ecx
		pop	ecx
		jmp	__chkstk
__alloca_probe_16 endp

; Exported entry 2902. _alloca_probe_8

;  S U B	R O U T	I N E 


		public __alloca_probe_8
__alloca_probe_8 proc near

arg_0		= dword	ptr  8

		push	ecx
		lea	ecx, [esp+arg_0]
		sub	ecx, eax
		and	ecx, 7
		add	eax, ecx
		sbb	ecx, ecx
		or	eax, ecx
		pop	ecx
		jmp	__chkstk
__alloca_probe_8 endp

; 
		align 10h
; Exported entry 2903. _allrem

;  S U B	R O U T	I N E 


		public __allrem
__allrem	proc near		; CODE XREF: CcAcquireByteRangeForWrite+1B7p
					; EtwpApplyPredicate+52Ep ...

arg_0		= dword	ptr  0Ch
arg_4		= dword	ptr  10h
arg_8		= dword	ptr  14h
arg_C		= dword	ptr  18h

		push	ebx
		push	edi
		xor	edi, edi
		mov	eax, [esp+arg_4]
		or	eax, eax
		jge	short loc_5835C0
		inc	edi
		mov	edx, [esp+arg_0]
		neg	eax
		neg	edx
		sbb	eax, 0
		mov	[esp+arg_4], eax
		mov	[esp+arg_0], edx

loc_5835C0:				; CODE XREF: __allrem+Aj
		mov	eax, [esp+arg_C]
		or	eax, eax
		jge	short loc_5835DB
		mov	edx, [esp+arg_8]
		neg	eax
		neg	edx
		sbb	eax, 0
		mov	[esp+arg_C], eax
		mov	[esp+arg_8], edx

loc_5835DB:				; CODE XREF: __allrem+26j
		or	eax, eax
		jnz	short loc_5835FA
		mov	ecx, [esp+arg_8]
		mov	eax, [esp+arg_4]
		xor	edx, edx
		div	ecx
		mov	eax, [esp+arg_0]
		div	ecx
		mov	eax, edx
		xor	edx, edx
		dec	edi
		jns	short loc_583646
		jmp	short loc_58364D
; 

loc_5835FA:				; CODE XREF: __allrem+3Dj
		mov	ebx, eax
		mov	ecx, [esp+arg_8]
		mov	edx, [esp+arg_4]
		mov	eax, [esp+arg_0]

loc_583608:				; CODE XREF: __allrem+72j
		shr	ebx, 1
		rcr	ecx, 1
		shr	edx, 1
		rcr	eax, 1
		or	ebx, ebx
		jnz	short loc_583608
		div	ecx
		mov	ecx, eax
		mul	[esp+arg_C]
		xchg	eax, ecx
		mul	[esp+arg_8]
		add	edx, ecx
		jb	short loc_583633
		cmp	edx, [esp+arg_4]
		ja	short loc_583633
		jb	short loc_58363B
		cmp	eax, [esp+arg_0]
		jbe	short loc_58363B

loc_583633:				; CODE XREF: __allrem+83j __allrem+89j
		sub	eax, [esp+arg_8]
		sbb	edx, [esp+arg_C]

loc_58363B:				; CODE XREF: __allrem+8Bj __allrem+91j
		sub	eax, [esp+arg_0]
		sbb	edx, [esp+arg_4]
		dec	edi
		jns	short loc_58364D

loc_583646:				; CODE XREF: __allrem+56j
		neg	edx
		neg	eax
		sbb	edx, 0

loc_58364D:				; CODE XREF: __allrem+58j __allrem+A4j
		pop	edi
		pop	ebx
		retn	10h
__allrem	endp

; 
		align 10h
; Exported entry 2904. _allshl

;  S U B	R O U T	I N E 


		public __allshl
__allshl	proc near		; CODE XREF: KiTransitionSchedulingGroupGeneration+E7p
					; RtlGetSystemTimePrecise+9Ep ...
		cmp	cl, 40h
		jnb	short loc_58367A
		cmp	cl, 20h
		jnb	short loc_583670
		shld	edx, eax, cl
		shl	eax, cl
		retn
; 

loc_583670:				; CODE XREF: __allshl+8j
		mov	edx, eax
		xor	eax, eax
		and	cl, 1Fh
		shl	edx, cl
		retn
; 

loc_58367A:				; CODE XREF: __allshl+3j
		xor	eax, eax
		xor	edx, edx
		retn
__allshl	endp

; 
		align 10h
; Exported entry 2905. _allshr

;  S U B	R O U T	I N E 


		public __allshr
__allshr	proc near		; CODE XREF: CcGetVirtualAddress+208p
					; CcGetVirtualAddress+25Ep ...
		cmp	cl, 40h
		jnb	short loc_58369B
		cmp	cl, 20h
		jnb	short loc_583690
		shrd	eax, edx, cl
		sar	edx, cl
		retn
; 

loc_583690:				; CODE XREF: __allshr+8j
		mov	eax, edx
		sar	edx, 1Fh
		and	cl, 1Fh
		sar	eax, cl
		retn
; 

loc_58369B:				; CODE XREF: __allshr+3j
		sar	edx, 1Fh
		mov	eax, edx
		retn
__allshr	endp

; 
		align 10h
; Exported entry 2906. _aulldiv

;  S U B	R O U T	I N E 


		public __aulldiv
__aulldiv	proc near		; CODE XREF: KeQuerySchedulingGroupHistory+A0p
					; KeQuerySchedulingGroupHistory+ABp ...

arg_0		= dword	ptr  0Ch
arg_4		= dword	ptr  10h
arg_8		= dword	ptr  14h
arg_C		= dword	ptr  18h

		push	ebx
		push	esi
		mov	eax, [esp+arg_C]
		or	eax, eax
		jnz	short loc_5836D2
		mov	ecx, [esp+arg_8]
		mov	eax, [esp+arg_4]
		xor	edx, edx
		div	ecx
		mov	ebx, eax
		mov	eax, [esp+arg_0]
		div	ecx
		mov	edx, ebx
		jmp	short loc_583713
; 

loc_5836D2:				; CODE XREF: __aulldiv+8j
		mov	ecx, eax
		mov	ebx, [esp+arg_8]
		mov	edx, [esp+arg_4]
		mov	eax, [esp+arg_0]

loc_5836E0:				; CODE XREF: __aulldiv+3Aj
		shr	ecx, 1
		rcr	ebx, 1
		shr	edx, 1
		rcr	eax, 1
		or	ecx, ecx
		jnz	short loc_5836E0
		div	ebx
		mov	esi, eax
		mul	[esp+arg_C]
		mov	ecx, eax
		mov	eax, [esp+arg_8]
		mul	esi
		add	edx, ecx
		jb	short loc_58370E
		cmp	edx, [esp+arg_4]
		ja	short loc_58370E
		jb	short loc_58370F
		cmp	eax, [esp+arg_0]
		jbe	short loc_58370F

loc_58370E:				; CODE XREF: __aulldiv+4Ej
					; __aulldiv+54j
		dec	esi

loc_58370F:				; CODE XREF: __aulldiv+56j
					; __aulldiv+5Cj
		xor	edx, edx
		mov	eax, esi

loc_583713:				; CODE XREF: __aulldiv+20j
		pop	esi
		pop	ebx
		retn	10h
__aulldiv	endp

; 
		align 10h
; Exported entry 2907. _aulldvrm

;  S U B	R O U T	I N E 


		public __aulldvrm
__aulldvrm	proc near		; CODE XREF: MiGetProtoPteAddress+215p
					; MiLocatePagefileSubsection(x,x)+5Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	esi
		mov	eax, [esp+arg_C]
		or	eax, eax
		jnz	short loc_583751
		mov	ecx, [esp+arg_8]
		mov	eax, [esp+arg_4]
		xor	edx, edx
		div	ecx
		mov	ebx, eax
		mov	eax, [esp+arg_0]
		div	ecx
		mov	esi, eax
		mov	eax, ebx
		mul	[esp+arg_8]
		mov	ecx, eax
		mov	eax, esi
		mul	[esp+arg_8]
		add	edx, ecx
		jmp	short loc_583798
; 

loc_583751:				; CODE XREF: __aulldvrm+7j
		mov	ecx, eax
		mov	ebx, [esp+arg_8]
		mov	edx, [esp+arg_4]
		mov	eax, [esp+arg_0]

loc_58375F:				; CODE XREF: __aulldvrm+49j
		shr	ecx, 1
		rcr	ebx, 1
		shr	edx, 1
		rcr	eax, 1
		or	ecx, ecx
		jnz	short loc_58375F
		div	ebx
		mov	esi, eax
		mul	[esp+arg_C]
		mov	ecx, eax
		mov	eax, [esp+arg_8]
		mul	esi
		add	edx, ecx
		jb	short loc_58378D
		cmp	edx, [esp+arg_4]
		ja	short loc_58378D
		jb	short loc_583796
		cmp	eax, [esp+arg_0]
		jbe	short loc_583796

loc_58378D:				; CODE XREF: __aulldvrm+5Dj
					; __aulldvrm+63j
		dec	esi
		sub	eax, [esp+arg_8]
		sbb	edx, [esp+arg_C]

loc_583796:				; CODE XREF: __aulldvrm+65j
					; __aulldvrm+6Bj
		xor	ebx, ebx

loc_583798:				; CODE XREF: __aulldvrm+2Fj
		sub	eax, [esp+arg_0]
		sbb	edx, [esp+arg_4]
		neg	edx
		neg	eax
		sbb	edx, 0
		mov	ecx, edx
		mov	edx, ebx
		mov	ebx, ecx
		mov	ecx, eax
		mov	eax, esi
		pop	esi
		retn	10h
__aulldvrm	endp

; 
		align 10h
; Exported entry 2908. _aullrem

;  S U B	R O U T	I N E 


		public __aullrem
__aullrem	proc near		; CODE XREF: MiGenerateRandomPte(x)+36p
					; SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+68p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	ebx
		mov	eax, [esp+arg_C]
		or	eax, eax
		jnz	short loc_5837E1
		mov	ecx, [esp+arg_8]
		mov	eax, [esp+arg_4]
		xor	edx, edx
		div	ecx
		mov	eax, [esp+arg_0]
		div	ecx
		mov	eax, edx
		xor	edx, edx
		jmp	short loc_583831
; 

loc_5837E1:				; CODE XREF: __aullrem+7j
		mov	ecx, eax
		mov	ebx, [esp+arg_8]
		mov	edx, [esp+arg_4]
		mov	eax, [esp+arg_0]

loc_5837EF:				; CODE XREF: __aullrem+39j
		shr	ecx, 1
		rcr	ebx, 1
		shr	edx, 1
		rcr	eax, 1
		or	ecx, ecx
		jnz	short loc_5837EF
		div	ebx
		mov	ecx, eax
		mul	[esp+arg_C]
		xchg	eax, ecx
		mul	[esp+arg_8]
		add	edx, ecx
		jb	short loc_58381A
		cmp	edx, [esp+arg_4]
		ja	short loc_58381A
		jb	short loc_583822
		cmp	eax, [esp+arg_0]
		jbe	short loc_583822

loc_58381A:				; CODE XREF: __aullrem+4Aj
					; __aullrem+50j
		sub	eax, [esp+arg_8]
		sbb	edx, [esp+arg_C]

loc_583822:				; CODE XREF: __aullrem+52j
					; __aullrem+58j
		sub	eax, [esp+arg_0]
		sbb	edx, [esp+arg_4]
		neg	edx
		neg	eax
		sbb	edx, 0

loc_583831:				; CODE XREF: __aullrem+1Fj
		pop	ebx
		retn	10h
__aullrem	endp

; 
		align 10h
; Exported entry 2909. _aullshr

;  S U B	R O U T	I N E 


		public __aullshr
__aullshr	proc near		; CODE XREF: RtlFindLeastSignificantBit(x,x)+28p
					; RtlpHpVsSubsegmentInitialize(x,x,x,x)+32p ...
		cmp	cl, 40h
		jnb	short loc_58385A
		cmp	cl, 20h
		jnb	short loc_583850
		shrd	eax, edx, cl
		shr	edx, cl
		retn
; 

loc_583850:				; CODE XREF: __aullshr+8j
		mov	eax, edx
		xor	edx, edx
		and	cl, 1Fh
		shr	eax, cl
		retn
; 

loc_58385A:				; CODE XREF: __aullshr+3j
		xor	eax, eax
		xor	edx, edx
		retn
__aullshr	endp

; 
		align 10h
		push	esi
		inc	ebx
		xor	[eax], esi
		pop	eax
		inc	ebx
		xor	[eax], dh
; Exported entry 2911. _except_handler2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __except_handler2
__except_handler2 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		push	edi
		push	ebp
		cld
		mov	ebx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		test	dword ptr [eax+4], 6
		jnz	short loc_5838F9
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		mov	[ebx+14h], eax
		mov	esi, [ebx+0Ch]
		mov	edi, [ebx+8]

loc_583897:				; CODE XREF: __except_handler2+81j
		cmp	esi, 0FFFFFFFFh
		jz	short loc_5838F2
		lea	ecx, [esi+esi*2]
		cmp	dword ptr [edi+ecx*4+4], 0
		jz	short loc_5838E0
		push	esi
		push	ebp
		mov	ebp, [ebx+10h]
		call	dword ptr [edi+ecx*4+4]
		pop	ebp
		pop	esi
		mov	ebx, [ebp+arg_4]
		or	eax, eax
		jz	short loc_5838E0
		js	short loc_5838EB
		mov	edi, [ebx+8]
		push	ebx
		call	__global_unwind2
		add	esp, 4
		mov	ebp, [ebx+10h]
		push	esi
		push	ebx
		call	__local_unwind2
		add	esp, 8
		lea	ecx, [esi+esi*2]
		mov	eax, [edi+ecx*4]
		mov	[ebx+0Ch], eax
		call	dword ptr [edi+ecx*4+8]

loc_5838E0:				; CODE XREF: __except_handler2+3Cj
					; __except_handler2+4Ej
		mov	edi, [ebx+8]
		lea	ecx, [esi+esi*2]
		mov	esi, [edi+ecx*4]
		jmp	short loc_583897
; 

loc_5838EB:				; CODE XREF: __except_handler2+50j
		mov	eax, 0
		jmp	short loc_58390E
; 

loc_5838F2:				; CODE XREF: __except_handler2+32j
		mov	eax, 1
		jmp	short loc_58390E
; 

loc_5838F9:				; CODE XREF: __except_handler2+18j
		push	ebp
		mov	ebp, [ebx+10h]
		push	0FFFFFFFFh
		push	ebx
		call	__local_unwind2
		add	esp, 8
		pop	ebp
		mov	eax, 1

loc_58390E:				; CODE XREF: __except_handler2+88j
					; __except_handler2+8Fj
		pop	ebp
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
__except_handler2 endp

; 
		align 4
		push	esi
		inc	ebx
		xor	dh, [eax]
		pop	eax
		inc	ebx
		xor	[eax], dh
; Exported entry 2912. _except_handler3

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __except_handler3
__except_handler3 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		push	edi
		push	ebp
		cld
		mov	ebx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		test	dword ptr [eax+4], 6
		jnz	loc_5839E9
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		mov	[ebx-4], eax
		mov	esi, [ebx+0Ch]
		mov	edi, [ebx+8]
		push	ebx
		call	__ValidateEH3RN
		add	esp, 4
		or	eax, eax
		jle	short loc_5839DB

loc_583960:				; CODE XREF: __except_handler3+B2j
		cmp	esi, 0FFFFFFFFh
		jz	short loc_5839E2
		lea	ecx, [esi+esi*2]
		mov	eax, [edi+ecx*4+4]
		or	eax, eax
		jz	short loc_5839C9
		push	esi
		push	ebp
		lea	ebp, [ebx+10h]
		xor	ebx, ebx
		xor	ecx, ecx
		xor	edx, edx
		xor	esi, esi
		xor	edi, edi
		call	eax
		pop	ebp
		pop	esi
		mov	ebx, [ebp+arg_4]
		or	eax, eax
		jz	short loc_5839C9
		js	short loc_5839D4
		mov	edi, [ebx+8]
		push	ebx
		call	__global_unwind2
		add	esp, 4
		lea	ebp, [ebx+10h]
		push	esi
		push	ebx
		call	__local_unwind2
		add	esp, 8
		lea	ecx, [esi+esi*2]
		push	1
		mov	eax, [edi+ecx*4+8]
		call	__NLG_Notify
		mov	eax, [edi+ecx*4]
		mov	[ebx+0Ch], eax
		mov	eax, [edi+ecx*4+8]
		xor	ebx, ebx
		xor	ecx, ecx
		xor	edx, edx
		xor	esi, esi
		xor	edi, edi
		call	eax

loc_5839C9:				; CODE XREF: __except_handler3+4Ej
					; __except_handler3+68j
		mov	edi, [ebx+8]
		lea	ecx, [esi+esi*2]
		mov	esi, [edi+ecx*4]
		jmp	short loc_583960
; 

loc_5839D4:				; CODE XREF: __except_handler3+6Aj
		mov	eax, 0
		jmp	short loc_5839FE
; 

loc_5839DB:				; CODE XREF: __except_handler3+3Ej
		mov	eax, [ebp+arg_0]
		or	dword ptr [eax+4], 8

loc_5839E2:				; CODE XREF: __except_handler3+43j
		mov	eax, 1
		jmp	short loc_5839FE
; 

loc_5839E9:				; CODE XREF: __except_handler3+18j
		push	ebp
		lea	ebp, [ebx+10h]
		push	0FFFFFFFFh
		push	ebx
		call	__local_unwind2
		add	esp, 8
		pop	ebp
		mov	eax, 1

loc_5839FE:				; CODE XREF: __except_handler3+B9j
					; __except_handler3+C7j
		pop	ebp
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
__except_handler3 endp


;  S U B	R O U T	I N E 


; __stdcall _seh_longjmp_unwind(x)
__seh_longjmp_unwind@4 proc near

arg_0		= dword	ptr  8

		push	ebp
		mov	ecx, [esp+arg_0]
		mov	ebp, [ecx]
		mov	eax, [ecx+1Ch]
		push	eax
		mov	eax, [ecx+18h]
		push	eax
		call	__local_unwind2
		add	esp, 8
		pop	ebp
		retn	4
__seh_longjmp_unwind@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2913. _finite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _finite(double)
		public __finite
__finite	proc near

arg_6		= word ptr  0Eh

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, 7FF0h
		xor	eax, eax
		mov	ecx, edx
		and	cx, [ebp+arg_6]
		cmp	cx, dx
		setnz	al
		pop	ebp
		retn
__finite	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2917. _itoa

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; char *__cdecl	_itoa(int,char *,int)
		public __itoa
__itoa		proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 0Ah
		jnz	short loc_583A5C
		cmp	[ebp+arg_0], 0
		jge	short loc_583A5C
		xor	eax, eax
		inc	eax
		jmp	short loc_583A5E
; 

loc_583A5C:				; CODE XREF: __itoa+9j	__itoa+Fj
		xor	eax, eax

loc_583A5E:				; CODE XREF: __itoa+14j
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	xtoa
		mov	eax, [ebp+arg_4]
		pop	ebp
		retn
__itoa		endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

xtoa		proc near		; CODE XREF: __itoa+22p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 0
		mov	ecx, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		jz	short loc_583A8C
		mov	byte ptr [ecx],	2Dh
		inc	ecx
		neg	ebx

loc_583A8C:				; CODE XREF: xtoa+12j
		mov	esi, [ebp+arg_8]
		mov	[ebp+arg_4], ecx

loc_583A92:				; CODE XREF: xtoa+46j
		xor	edx, edx
		mov	eax, ebx
		div	esi
		push	9
		mov	ebx, eax
		mov	edi, ecx
		lea	eax, [ecx+1]
		mov	[ebp+arg_0], eax
		pop	eax
		cmp	eax, edx
		sbb	al, al
		and	al, 27h
		add	al, 30h
		add	al, dl
		mov	[ecx], al
		mov	eax, [ebp+arg_0]
		mov	ecx, eax
		test	ebx, ebx
		jnz	short loc_583A92
		mov	esi, [ebp+arg_4]
		mov	[eax], bl

loc_583ABF:				; CODE XREF: xtoa+59j
		mov	al, [esi]
		mov	cl, [edi]
		mov	[edi], al
		dec	edi
		mov	[esi], cl
		inc	esi
		cmp	esi, edi
		jb	short loc_583ABF
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
xtoa		endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2919. _itow

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t *__cdecl _itow(int,wchar_t *,int)
		public __itow
__itow		proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 0Ah
		jnz	short loc_583AF0
		cmp	[ebp+arg_0], 0
		jge	short loc_583AF0
		xor	eax, eax
		inc	eax
		jmp	short loc_583AF2
; 

loc_583AF0:				; CODE XREF: __itow+9j	__itow+Fj
		xor	eax, eax

loc_583AF2:				; CODE XREF: __itow+14j
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	xtow
		mov	eax, [ebp+arg_4]
		pop	ebp
		retn
__itow		endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t *__cdecl _ultow(unsigned __int32,wchar_t *,int)
__ultow		proc near		; CODE XREF: AdtpBuildUlongString(x,x,x,x,x,x)+79p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	xtow
		mov	eax, [ebp+arg_4]
		pop	ebp
		retn
__ultow		endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

xtow		proc near		; CODE XREF: __itow+22p __ultow+10p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 0
		mov	ecx, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		jz	short loc_583B3F
		push	2Dh
		pop	eax
		mov	[ecx], ax
		add	ecx, 2
		neg	ebx

loc_583B3F:				; CODE XREF: xtow+12j
		mov	esi, [ebp+arg_8]
		mov	[ebp+arg_4], ecx

loc_583B45:				; CODE XREF: xtow+4Fj
		xor	edx, edx
		mov	eax, ebx
		div	esi
		push	9
		mov	ebx, eax
		mov	edi, ecx
		lea	eax, [ecx+2]
		mov	[ebp+arg_0], eax
		pop	eax
		cmp	eax, edx
		sbb	eax, eax
		and	eax, 27h
		add	eax, 30h
		add	ax, dx
		mov	[ecx], ax
		mov	eax, [ebp+arg_0]
		mov	ecx, eax
		test	ebx, ebx
		jnz	short loc_583B45
		mov	esi, [ebp+arg_4]
		xor	ecx, ecx
		mov	[eax], cx

loc_583B79:				; CODE XREF: xtow+6Dj
		mov	ax, [esi]
		movzx	ecx, word ptr [edi]
		mov	[edi], ax
		sub	edi, 2
		mov	[esi], cx
		add	esi, 2
		cmp	esi, edi
		jb	short loc_583B79
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
xtow		endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2926. _snprintf

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int _snprintf(char *,size_t,const char *,...)
		public __snprintf
__snprintf	proc near

var_20		= FILE ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_20._file], ebx
		mov	[ebp+var_20._charbuf], ebx
		mov	[ebp+var_20._bufsiz], ebx
		mov	[ebp+var_20._tmpfname],	ebx
		cmp	[ebp+arg_8], ebx
		jz	short loc_583C1C
		mov	eax, [ebp+arg_4]
		mov	esi, [ebp+arg_0]
		test	eax, eax
		jz	short loc_583BC7
		test	esi, esi
		jz	short loc_583C1C

loc_583BC7:				; CODE XREF: __snprintf+25j
		mov	ecx, 7FFFFFFFh
		mov	[ebp+var_20._cnt], ecx
		cmp	eax, ecx
		ja	short loc_583BD6
		mov	[ebp+var_20._cnt], eax

loc_583BD6:				; CODE XREF: __snprintf+35j
		push	edi
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_20._flag], 42h
		push	eax
		push	ebx
		push	[ebp+arg_8]
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20._base], esi
		push	eax
		mov	[ebp+var_20._ptr], esi
		call	__output_l
		add	esp, 10h
		mov	edi, eax
		test	esi, esi
		jz	short loc_583C17
		sub	[ebp+var_20._cnt], 1
		js	short loc_583C0B
		mov	ecx, [ebp+var_20._ptr]
		mov	[ecx], bl
		jmp	short loc_583C17
; 

loc_583C0B:				; CODE XREF: __snprintf+66j
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	ebx		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx

loc_583C17:				; CODE XREF: __snprintf+60j
					; __snprintf+6Dj
		mov	eax, edi
		pop	edi
		jmp	short loc_583C2C
; 

loc_583C1C:				; CODE XREF: __snprintf+1Bj
					; __snprintf+29j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh

loc_583C2C:				; CODE XREF: __snprintf+7Ej
		pop	esi
		pop	ebx
		leave
		retn
__snprintf	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2929. _snwprintf

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int _snwprintf(wchar_t *,size_t,const	wchar_t	*,...)
		public __snwprintf
__snwprintf	proc near

var_20		= FILE ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_20._file], ebx
		mov	[ebp+var_20._charbuf], ebx
		mov	[ebp+var_20._bufsiz], ebx
		mov	[ebp+var_20._tmpfname],	ebx
		cmp	[ebp+arg_8], ebx
		jz	loc_583CE0
		mov	eax, [ebp+arg_4]
		mov	esi, [ebp+arg_0]
		test	eax, eax
		jz	short loc_583C65
		test	esi, esi
		jz	short loc_583CE0

loc_583C65:				; CODE XREF: __snwprintf+29j
		mov	[ebp+var_20._flag], 42h
		mov	[ebp+var_20._base], esi
		mov	[ebp+var_20._ptr], esi
		cmp	eax, 3FFFFFFFh
		jbe	short loc_583C82
		mov	[ebp+var_20._cnt], 7FFFFFFFh
		jmp	short loc_583C87
; 

loc_583C82:				; CODE XREF: __snwprintf+41j
		add	eax, eax
		mov	[ebp+var_20._cnt], eax

loc_583C87:				; CODE XREF: __snwprintf+4Aj
		push	edi
		lea	eax, [ebp+arg_C]
		push	eax
		push	ebx
		push	[ebp+arg_8]
		lea	eax, [ebp+var_20]
		push	eax
		call	__woutput_l
		add	esp, 10h
		mov	edi, eax
		test	esi, esi
		jz	short loc_583CDB
		sub	[ebp+var_20._cnt], 1
		js	short loc_583CB6
		mov	ecx, [ebp+var_20._ptr]
		mov	[ecx], bl
		mov	ecx, [ebp+var_20._ptr]
		inc	ecx
		mov	[ebp+var_20._ptr], ecx
		jmp	short loc_583CC5
; 

loc_583CB6:				; CODE XREF: __snwprintf+70j
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	ebx		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_20._ptr]

loc_583CC5:				; CODE XREF: __snwprintf+7Ej
		sub	[ebp+var_20._cnt], 1
		js	short loc_583CCF
		mov	[ecx], bl
		jmp	short loc_583CDB
; 

loc_583CCF:				; CODE XREF: __snwprintf+93j
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	ebx		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx

loc_583CDB:				; CODE XREF: __snwprintf+6Aj
					; __snwprintf+97j
		mov	eax, edi
		pop	edi
		jmp	short loc_583CF0
; 

loc_583CE0:				; CODE XREF: __snwprintf+1Bj
					; __snwprintf+2Dj
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh

loc_583CF0:				; CODE XREF: __snwprintf+A8j
		pop	esi
		pop	ebx
		leave
		retn
__snwprintf	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2933. _stricmp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _stricmp(const char *,const char *)
		public __stricmp
__stricmp	proc near		; CODE XREF: ViSetRequestedIoCallbacks(x)+26p
					; ViSetRequestedOrderDependentAPIs(x)+26p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	___ascii_stricmp
__stricmp	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2934. _strlwr

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; char *__cdecl	_strlwr(char *)
		public __strlwr
__strlwr	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, esi
		mov	cl, [esi]
		jmp	short loc_583D28
; 

loc_583D19:				; CODE XREF: __strlwr+20j
		lea	eax, [ecx-41h]
		cmp	al, 19h
		ja	short loc_583D25
		add	cl, 20h
		mov	[edx], cl

loc_583D25:				; CODE XREF: __strlwr+14j
		inc	edx
		mov	cl, [edx]

loc_583D28:				; CODE XREF: __strlwr+Dj
		test	cl, cl
		jnz	short loc_583D19
		mov	eax, esi
		pop	esi
		pop	ebp
		retn
__strlwr	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2935. _strnicmp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _strnicmp(const char *,const char	*,size_t)
		public __strnicmp
__strnicmp	proc near		; CODE XREF: MiResolveImageReferences+27Ep
					; MiResolveImageReferences+296p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	___ascii_strnicmp
__strnicmp	endp

; 
		align 10h
; Exported entry 2936. _strnset

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; char *__cdecl	_strnset(char *,int,size_t)
		public __strnset
__strnset	proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		push	ebp
		mov	ebp, esp
		push	edi
		push	ebx
		mov	edi, [ebp+arg_0]
		mov	edx, edi
		mov	ebx, [ebp+arg_8]
		xor	eax, eax
		mov	ecx, ebx
		jecxz	short loc_583D75
		repne scasb
		jnz	short loc_583D6A
		add	ecx, 1

loc_583D6A:				; CODE XREF: __strnset+15j
		sub	ebx, ecx
		mov	ecx, ebx
		mov	edi, edx
		mov	al, [ebp+arg_4]
		rep stosb

loc_583D75:				; CODE XREF: __strnset+11j
		mov	eax, edx
		pop	ebx
		pop	edi
		leave
		retn
__strnset	endp

; 
		align 10h
; Exported entry 2938. _strrev

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; char *__cdecl	_strrev(char *)
		public __strrev
__strrev	proc near

arg_0		= dword	ptr  8

		push	ebp
		mov	ebp, esp
		push	edi
		push	esi
		mov	edi, [ebp+arg_0]
		mov	edx, edi
		mov	esi, edi
		xor	eax, eax
		or	ecx, 0FFFFFFFFh
		repne scasb
		cmp	ecx, 0FFFFFFFEh
		jz	short loc_583DAF
		sub	edi, 2

loc_583D9B:				; CODE XREF: __strrev+2Dj
		cmp	esi, edi
		jnb	short loc_583DAF
		mov	ah, [esi]
		mov	al, [edi]
		mov	[esi], al
		mov	[edi], ah
		add	esi, 1
		sub	edi, 1
		jmp	short loc_583D9B
; 

loc_583DAF:				; CODE XREF: __strrev+16j __strrev+1Dj
		mov	eax, edx
		pop	esi
		pop	edi
		leave
		retn
__strrev	endp

; 
		align 10h
; Exported entry 2939. _strset

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; char *__cdecl	_strset(char *,int)
		public __strset
__strset	proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_0]
		mov	edx, edi
		xor	eax, eax
		or	ecx, 0FFFFFFFFh
		repne scasb
		add	ecx, 2
		neg	ecx
		mov	al, [ebp+arg_4]
		mov	edi, edx
		rep stosb
		mov	eax, edx
		pop	edi
		leave
		retn
__strset	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2943. _swprintf
; Exported entry 3013. swprintf

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int swprintf(wchar_t *,const wchar_t *,...)
		public _swprintf
_swprintf	proc near

var_20		= FILE ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi	; _swprintf
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_20._file], ebx
		mov	[ebp+var_20._charbuf], ebx
		mov	[ebp+var_20._bufsiz], ebx
		mov	[ebp+var_20._tmpfname],	ebx
		cmp	[ebp+arg_4], ebx
		jz	short loc_583E72
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_583E72
		push	esi
		mov	[ebp+var_20._base], eax
		mov	[ebp+var_20._ptr], eax
		lea	eax, [ebp+arg_8]
		push	eax
		push	ebx
		push	[ebp+arg_4]
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20._flag], 42h
		push	eax
		mov	[ebp+var_20._cnt], 7FFFFFFFh
		call	__woutput_l
		add	esp, 10h
		mov	esi, eax
		sub	[ebp+var_20._cnt], 1
		js	short loc_583E48
		mov	ecx, [ebp+var_20._ptr]
		mov	[ecx], bl
		mov	ecx, [ebp+var_20._ptr]
		inc	ecx
		mov	[ebp+var_20._ptr], ecx
		jmp	short loc_583E57
; 

loc_583E48:				; CODE XREF: _swprintf+52j
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	ebx		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_20._ptr]

loc_583E57:				; CODE XREF: _swprintf+60j
		sub	[ebp+var_20._cnt], 1
		js	short loc_583E61
		mov	[ecx], bl
		jmp	short loc_583E6D
; 

loc_583E61:				; CODE XREF: _swprintf+75j
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	ebx		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx

loc_583E6D:				; CODE XREF: _swprintf+79j
		mov	eax, esi
		pop	esi
		jmp	short loc_583E82
; 

loc_583E72:				; CODE XREF: _swprintf+1Aj
					; _swprintf+21j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh

loc_583E82:				; CODE XREF: _swprintf+8Aj
		pop	ebx
		leave
		retn
_swprintf	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2952. _vswprintf

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __vswprintf
__vswprintf	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__vswprintf_l
		add	esp, 10h
		pop	ebp
		retn
__vswprintf	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__vswprintf_l	proc near		; CODE XREF: __vswprintf+10p

var_20		= FILE ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_20._file], ebx
		mov	[ebp+var_20._charbuf], ebx
		mov	[ebp+var_20._bufsiz], ebx
		mov	[ebp+var_20._tmpfname],	ebx
		cmp	[ebp+arg_4], ebx
		jz	short loc_583F31
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_583F31
		push	esi
		push	[ebp+arg_C]
		mov	[ebp+var_20._base], eax
		push	[ebp+arg_8]
		mov	[ebp+var_20._ptr], eax
		lea	eax, [ebp+var_20]
		push	[ebp+arg_4]
		mov	[ebp+var_20._flag], 42h
		push	eax
		mov	[ebp+var_20._cnt], 7FFFFFFFh
		call	__woutput_l
		add	esp, 10h
		mov	esi, eax
		sub	[ebp+var_20._cnt], 1
		js	short loc_583F07
		mov	ecx, [ebp+var_20._ptr]
		mov	[ecx], bl
		mov	ecx, [ebp+var_20._ptr]
		inc	ecx
		mov	[ebp+var_20._ptr], ecx
		jmp	short loc_583F16
; 

loc_583F07:				; CODE XREF: __vswprintf_l+53j
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	ebx		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_20._ptr]

loc_583F16:				; CODE XREF: __vswprintf_l+61j
		sub	[ebp+var_20._cnt], 1
		js	short loc_583F20
		mov	[ecx], bl
		jmp	short loc_583F2C
; 

loc_583F20:				; CODE XREF: __vswprintf_l+76j
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	ebx		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx

loc_583F2C:				; CODE XREF: __vswprintf_l+7Aj
		mov	eax, esi
		pop	esi
		jmp	short loc_583F41
; 

loc_583F31:				; CODE XREF: __vswprintf_l+1Aj
					; __vswprintf_l+21j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh

loc_583F41:				; CODE XREF: __vswprintf_l+8Bj
		pop	ebx
		leave
		retn
__vswprintf_l	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2953. _wcsicmp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _wcsicmp(const wchar_t *,const wchar_t *)
		public __wcsicmp
__wcsicmp	proc near		; CODE XREF: LdrpResSearchResourceMappedFile+506p
					; PipUpdateDeviceProducts+257p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	19h
		sub	esi, ecx
		pop	ebx

loc_583F5D:				; CODE XREF: __wcsicmp+45j
		movzx	edx, word ptr [esi+ecx]
		lea	eax, [edx-41h]
		cmp	ax, bx
		ja	short loc_583F6F
		lea	eax, [edx+20h]
		movzx	edx, ax

loc_583F6F:				; CODE XREF: __wcsicmp+1Dj
		movzx	edi, word ptr [ecx]
		lea	eax, [edi-41h]
		cmp	ax, bx
		ja	short loc_583F82
		lea	eax, [edi+20h]
		movzx	eax, ax
		jmp	short loc_583F84
; 

loc_583F82:				; CODE XREF: __wcsicmp+2Ej
		mov	eax, edi

loc_583F84:				; CODE XREF: __wcsicmp+36j
		add	ecx, 2
		test	dx, dx
		jz	short loc_583F91
		cmp	dx, ax
		jz	short loc_583F5D

loc_583F91:				; CODE XREF: __wcsicmp+40j
		pop	edi
		movzx	ecx, ax
		movzx	eax, dx
		pop	esi
		sub	eax, ecx
		pop	ebx
		pop	ebp
		retn
__wcsicmp	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2954. _wcslwr

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t *__cdecl _wcslwr(wchar_t *)
		public __wcslwr
__wcslwr	proc near		; CODE XREF: SiGetBootDeviceNameFromRegistry(x,x)+39p
					; EtwpCovSampSplitSegments(x,x,x)+Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_583FC3
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		xor	eax, eax
		pop	ebp
		retn
; 

loc_583FC3:				; CODE XREF: __wcslwr+Aj
		movzx	eax, word ptr [edx]
		push	esi
		mov	esi, edx
		test	ax, ax
		jz	short loc_583FEE
		push	edi
		mov	edi, eax

loc_583FD1:				; CODE XREF: __wcslwr+47j
		lea	eax, [edi-41h]
		cmp	ax, 19h
		ja	short loc_583FE0
		lea	eax, [edi+20h]
		mov	[esi], ax

loc_583FE0:				; CODE XREF: __wcslwr+34j
		add	esi, 2
		movzx	ecx, word ptr [esi]
		mov	edi, ecx
		test	cx, cx
		jnz	short loc_583FD1
		pop	edi

loc_583FEE:				; CODE XREF: __wcslwr+28j
		mov	eax, edx
		pop	esi
		pop	ebp
		retn
__wcslwr	endp

; 
		align 8
; Exported entry 2955. _wcslwr_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __wcslwr_s
__wcslwr_s	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_584019

loc_584005:				; CODE XREF: __wcslwr_s+36j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h
		pop	eax
		jmp	short loc_584058
; 

loc_584019:				; CODE XREF: __wcslwr_s+Bj
		push	[ebp+arg_4]
		push	esi
		call	_wcsnlen
		pop	ecx
		pop	ecx
		cmp	eax, [ebp+arg_4]
		jb	short loc_584030
		xor	eax, eax
		mov	[esi], ax
		jmp	short loc_584005
; 

loc_584030:				; CODE XREF: __wcslwr_s+2Fj
		movzx	eax, word ptr [esi]
		test	ax, ax
		jz	short loc_584056
		mov	ecx, eax

loc_58403A:				; CODE XREF: __wcslwr_s+5Cj
		lea	eax, [ecx-41h]
		cmp	ax, 19h
		ja	short loc_584049
		lea	eax, [ecx+20h]
		mov	[esi], ax

loc_584049:				; CODE XREF: __wcslwr_s+49j
		add	esi, 2
		movzx	eax, word ptr [esi]
		mov	ecx, eax
		test	ax, ax
		jnz	short loc_58403A

loc_584056:				; CODE XREF: __wcslwr_s+3Ej
		xor	eax, eax

loc_584058:				; CODE XREF: __wcslwr_s+1Fj
		pop	esi
		pop	ebp
		retn
__wcslwr_s	endp

; 
		align 10h
; Exported entry 2956. _wcsnicmp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _wcsnicmp(const wchar_t *,const wchar_t *,size_t)
		public __wcsnicmp
__wcsnicmp	proc near		; CODE XREF: PiDevCfgMatchDriverConfigurationId(x,x)+1Fp
					; PiDevCfgMatchDriverConfigurationId(x,x)+4Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_8]
		xor	eax, eax
		test	esi, esi
		jz	short loc_5840C6
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	edi
		mov	edi, [ebp+arg_0]
		push	19h
		pop	ebx
		sub	edi, ecx
		mov	[ebp+arg_8], ebx

loc_58407F:				; CODE XREF: __wcsnicmp+5Aj
		movzx	edx, word ptr [edi+ecx]
		lea	eax, [edx-41h]
		cmp	ax, bx
		ja	short loc_584091
		lea	eax, [edx+20h]
		movzx	edx, ax

loc_584091:				; CODE XREF: __wcsnicmp+29j
		movzx	ebx, word ptr [ecx]
		lea	eax, [ebx-41h]
		cmp	ax, word ptr [ebp+arg_8]
		ja	short loc_5840A5
		lea	eax, [ebx+20h]
		movzx	eax, ax
		jmp	short loc_5840A7
; 

loc_5840A5:				; CODE XREF: __wcsnicmp+3Bj
		mov	eax, ebx

loc_5840A7:				; CODE XREF: __wcsnicmp+43j
		add	ecx, 2
		sub	esi, 1
		jz	short loc_5840BC
		test	dx, dx
		jz	short loc_5840BC
		push	19h
		pop	ebx
		cmp	dx, ax
		jz	short loc_58407F

loc_5840BC:				; CODE XREF: __wcsnicmp+4Dj
					; __wcsnicmp+52j
		movzx	ecx, ax
		movzx	eax, dx
		pop	edi
		sub	eax, ecx
		pop	ebx

loc_5840C6:				; CODE XREF: __wcsnicmp+Dj
		pop	esi
		pop	ebp
		retn
__wcsnicmp	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2957. _wcsnset

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t *__cdecl _wcsnset(wchar_t *,wchar_t,size_t)
		public __wcsnset
__wcsnset	proc near

arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		mov	eax, ecx
		test	edx, edx
		jz	short loc_5840F6
		push	esi
		mov	si, [ebp+arg_4]

loc_5840E4:				; CODE XREF: __wcsnset+25j
		dec	edx
		cmp	word ptr [ecx],	0
		jz	short loc_5840F5
		mov	[ecx], si
		add	ecx, 2
		test	edx, edx
		jnz	short loc_5840E4

loc_5840F5:				; CODE XREF: __wcsnset+1Bj
		pop	esi

loc_5840F6:				; CODE XREF: __wcsnset+Fj
		pop	ebp
		retn
__wcsnset	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2958. _wcsnset_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __wcsnset_s
__wcsnset_s	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jnz	short loc_58411C
		test	ecx, ecx
		jnz	short loc_584120
		cmp	[ebp+arg_4], ecx
		jnz	short loc_584169

loc_584118:				; CODE XREF: __wcsnset_s+62j
		xor	eax, eax
		jmp	short loc_58417B
; 

loc_58411C:				; CODE XREF: __wcsnset_s+Fj
		test	ecx, ecx
		jz	short loc_584169

loc_584120:				; CODE XREF: __wcsnset_s+13j
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_584169
		xor	eax, eax
		mov	edx, ecx
		cmp	[ecx], ax
		jz	short loc_58414B
		push	ebx
		mov	bx, [ebp+arg_8]

loc_584135:				; CODE XREF: __wcsnset_s+4Aj
		test	edi, edi
		jz	short loc_58414A
		sub	esi, 1
		jz	short loc_58414A
		mov	[edx], bx
		add	edx, 2
		dec	edi
		cmp	[edx], ax
		jnz	short loc_584135

loc_58414A:				; CODE XREF: __wcsnset_s+39j
					; __wcsnset_s+3Ej
		pop	ebx

loc_58414B:				; CODE XREF: __wcsnset_s+30j
		test	edi, edi
		jnz	short loc_58415E
		jmp	short loc_584159
; 

loc_584151:				; CODE XREF: __wcsnset_s+5Ej
		sub	esi, 1
		jz	short loc_58415E
		add	edx, 2

loc_584159:				; CODE XREF: __wcsnset_s+51j
		cmp	[edx], ax
		jnz	short loc_584151

loc_58415E:				; CODE XREF: __wcsnset_s+4Fj
					; __wcsnset_s+56j
		test	esi, esi
		jnz	short loc_584118
		xor	edx, edx
		mov	[ecx], dx
		jmp	short loc_58416B
; 

loc_584169:				; CODE XREF: __wcsnset_s+18j
					; __wcsnset_s+20j ...
		xor	eax, eax

loc_58416B:				; CODE XREF: __wcsnset_s+69j
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h
		pop	eax

loc_58417B:				; CODE XREF: __wcsnset_s+1Cj
		pop	edi
		pop	esi
		pop	ebp
		retn
__wcsnset_s	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2959. _wcsrev

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t *__cdecl _wcsrev(wchar_t *)
		public __wcsrev
__wcsrev	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, esi
		push	edi
		mov	edi, esi

loc_584193:				; CODE XREF: __wcsrev+18j
		movzx	eax, word ptr [esi]
		add	esi, 2
		test	ax, ax
		jnz	short loc_584193
		sub	esi, 4
		jmp	short loc_5841B5
; 

loc_5841A3:				; CODE XREF: __wcsrev+33j
		mov	cx, [esi]
		movzx	edx, word ptr [edi]
		mov	[edi], cx
		add	edi, 2
		mov	[esi], dx
		sub	esi, 2

loc_5841B5:				; CODE XREF: __wcsrev+1Dj
		cmp	edi, esi
		jb	short loc_5841A3
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn
__wcsrev	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2960. _wcsset_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __wcsset_s
__wcsset_s	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_584207
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_584207
		xor	eax, eax
		push	esi
		mov	esi, ecx
		cmp	[ecx], ax
		jz	short loc_5841F9
		push	edi
		mov	di, [ebp+arg_8]

loc_5841E8:				; CODE XREF: __wcsset_s+30j
		sub	edx, 1
		jz	short loc_5841F8
		mov	[esi], di
		add	esi, 2
		cmp	[esi], ax
		jnz	short loc_5841E8

loc_5841F8:				; CODE XREF: __wcsset_s+25j
		pop	edi

loc_5841F9:				; CODE XREF: __wcsset_s+1Bj
		pop	esi
		test	edx, edx
		jnz	short loc_584203
		mov	[ecx], dx
		jmp	short loc_584209
; 

loc_584203:				; CODE XREF: __wcsset_s+36j
		xor	eax, eax
		pop	ebp
		retn
; 

loc_584207:				; CODE XREF: __wcsset_s+Aj
					; __wcsset_s+11j
		xor	eax, eax

loc_584209:				; CODE XREF: __wcsset_s+3Bj
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h
		pop	eax
		pop	ebp
		retn
__wcsset_s	endp

; 
		align 10h
; Exported entry 2961. _wcsupr

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t *__cdecl _wcsupr(wchar_t *)
		public __wcsupr
__wcsupr	proc near		; CODE XREF: PfFileInfoNotify+494p
					; PfFileInfoNotify+722p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, esi
		movzx	eax, word ptr [esi]
		test	ax, ax
		jz	short loc_584253
		push	edi
		mov	edi, eax

loc_584236:				; CODE XREF: __wcsupr+30j
		lea	eax, [edi-61h]
		cmp	ax, 19h
		ja	short loc_584245
		lea	eax, [edi-20h]
		mov	[edx], ax

loc_584245:				; CODE XREF: __wcsupr+1Dj
		add	edx, 2
		movzx	ecx, word ptr [edx]
		mov	edi, ecx
		test	cx, cx
		jnz	short loc_584236
		pop	edi

loc_584253:				; CODE XREF: __wcsupr+11j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn
__wcsupr	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2964. _wtoi

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _wtoi(const wchar_t *)
		public __wtoi
__wtoi		proc near		; CODE XREF: WmipPrepareWnodeSI+1D5p
					; WmipFindISinGEbyName+9CCDDp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	__wtol
__wtoi		endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2965. _wtol

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __int32 __cdecl _wtol(const wchar_t *)
		public __wtol
__wtol		proc near		; CODE XREF: __wtoi+6j
					; PfSnParsePrefetchParam+E6p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_58427D
		xor	eax, eax
		pop	ebp
		retn
; 

loc_58427D:				; CODE XREF: __wtol+9j
		push	1
		push	0Ah
		push	0
		push	[ebp+arg_0]
		call	_wcstolX
		add	esp, 10h
		pop	ebp
		retn
__wtol		endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2968. bsearch

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void *__cdecl	bsearch(const void *,const void	*,size_t,size_t,int __cdecl (*)(const void *,const void	*))
		public _bsearch
_bsearch	proc near		; CODE XREF: DownLevelLangIDToLanguageName+3Cp
					; DownLevelLanguageNameToLangID(x,x)+25p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		lea	esi, [edi-1]
		imul	esi, ecx
		add	esi, ebx
		test	ebx, ebx
		jnz	short loc_5842B8
		test	edi, edi
		jnz	short loc_5842C2

loc_5842B8:				; CODE XREF: _bsearch+1Cj
		test	ecx, ecx
		jz	short loc_5842C2
		cmp	[ebp+arg_10], 0
		jnz	short loc_58431F

loc_5842C2:				; CODE XREF: _bsearch+20j _bsearch+24j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h

loc_5842D1:				; CODE XREF: _bsearch+8Dj _bsearch+96j
		xor	eax, eax

loc_5842D3:				; CODE XREF: _bsearch+92j _bsearch+A9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5842D8:				; CODE XREF: _bsearch+8Bj
		mov	eax, edi
		shr	eax, 1
		mov	[ebp+arg_8], eax
		jz	short loc_58432A
		mov	edx, edi
		lea	edi, [eax-1]
		and	edx, 1
		mov	[ebp+var_4], edx
		jnz	short loc_5842F0
		mov	eax, edi

loc_5842F0:				; CODE XREF: _bsearch+56j
		imul	eax, ecx
		add	eax, ebx
		push	eax
		push	[ebp+arg_0]
		mov	[ebp+arg_4], eax
		call	[ebp+arg_10]
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_584325
		mov	ecx, [ebp+arg_C]
		jns	short loc_584317
		mov	esi, [ebp+arg_4]
		sub	esi, ecx
		cmp	[ebp+var_4], 0
		jz	short loc_58431F
		jmp	short loc_58431C
; 

loc_584317:				; CODE XREF: _bsearch+72j
		mov	ebx, [ebp+arg_4]
		add	ebx, ecx

loc_58431C:				; CODE XREF: _bsearch+7Fj
		mov	edi, [ebp+arg_8]

loc_58431F:				; CODE XREF: _bsearch+2Aj _bsearch+7Dj
		cmp	ebx, esi
		jbe	short loc_5842D8
		jmp	short loc_5842D1
; 

loc_584325:				; CODE XREF: _bsearch+6Dj
		mov	eax, [ebp+arg_4]
		jmp	short loc_5842D3
; 

loc_58432A:				; CODE XREF: _bsearch+49j
		test	edi, edi
		jz	short loc_5842D1
		push	ebx
		push	[ebp+arg_0]
		call	[ebp+arg_10]
		neg	eax
		pop	ecx
		sbb	eax, eax
		not	eax
		pop	ecx
		and	eax, ebx
		jmp	short loc_5842D3
_bsearch	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2969. bsearch_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _bsearch_s
_bsearch_s	proc near		; CODE XREF: SeQuerySecureBootPlatformManifest(x,x)+41p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		lea	esi, [edi-1]
		imul	esi, ecx
		add	esi, ebx
		test	ebx, ebx
		jnz	short loc_584368
		test	edi, edi
		jnz	short loc_584372

loc_584368:				; CODE XREF: _bsearch_s+1Cj
		test	ecx, ecx
		jz	short loc_584372
		cmp	[ebp+arg_10], 0
		jnz	short loc_5843D3

loc_584372:				; CODE XREF: _bsearch_s+20j
					; _bsearch_s+24j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h

loc_584381:				; CODE XREF: _bsearch_s+91j
					; _bsearch_s+9Aj
		xor	eax, eax

loc_584383:				; CODE XREF: _bsearch_s+96j
					; _bsearch_s+B1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_584388:				; CODE XREF: _bsearch_s+8Fj
		mov	eax, edi
		shr	eax, 1
		mov	[ebp+arg_8], eax
		jz	short loc_5843DE
		mov	edx, edi
		lea	edi, [eax-1]
		and	edx, 1
		mov	[ebp+var_4], edx
		jnz	short loc_5843A0
		mov	eax, edi

loc_5843A0:				; CODE XREF: _bsearch_s+56j
		imul	eax, ecx
		add	eax, ebx
		push	eax
		push	[ebp+arg_0]
		mov	[ebp+arg_4], eax
		push	[ebp+arg_14]
		call	[ebp+arg_10]
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_5843D9
		mov	ecx, [ebp+arg_C]
		jns	short loc_5843CB
		mov	esi, [ebp+arg_4]
		sub	esi, ecx
		cmp	[ebp+var_4], 0
		jz	short loc_5843D3
		jmp	short loc_5843D0
; 

loc_5843CB:				; CODE XREF: _bsearch_s+76j
		mov	ebx, [ebp+arg_4]
		add	ebx, ecx

loc_5843D0:				; CODE XREF: _bsearch_s+83j
		mov	edi, [ebp+arg_8]

loc_5843D3:				; CODE XREF: _bsearch_s+2Aj
					; _bsearch_s+81j
		cmp	ebx, esi
		jbe	short loc_584388
		jmp	short loc_584381
; 

loc_5843D9:				; CODE XREF: _bsearch_s+71j
		mov	eax, [ebp+arg_4]
		jmp	short loc_584383
; 

loc_5843DE:				; CODE XREF: _bsearch_s+49j
		test	edi, edi
		jz	short loc_584381
		push	ebx
		push	[ebp+arg_0]
		push	[ebp+arg_14]
		call	[ebp+arg_10]
		add	esp, 0Ch
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ebx
		jmp	short loc_584383
_bsearch_s	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl __isascii(int)
___isascii	proc near		; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+34p
					; RtlEthernetStringToAddressA(x,x,x)+56p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 80h
		sbb	eax, eax
		neg	eax
		pop	ebp
		retn
___isascii	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2970. isdigit

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl isdigit(int)
		public _isdigit
_isdigit	proc near		; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+41p
					; RtlIpv4StringToAddressA(x,x,x,x)+4Fp	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		or	ecx, 0FFFFFFFFh
		cmp	eax, ecx
		jz	short loc_584424
		movzx	ecx, al

loc_584424:				; CODE XREF: _isdigit+Dj
		mov	eax, off_6B10F8
		movzx	eax, word ptr [eax+ecx*2]
		and	eax, 4
		pop	ebp
		retn
_isdigit	endp

; 
		align 8
; Exported entry 2971. islower

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl islower(int)
		public _islower
_islower	proc near		; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+7Dp
					; RtlIpv4StringToAddressA(x,x,x,x)+E9p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		or	ecx, 0FFFFFFFFh
		cmp	eax, ecx
		jz	short loc_58444A
		movzx	ecx, al

loc_58444A:				; CODE XREF: _islower+Dj
		mov	eax, off_6B10F8
		movzx	eax, word ptr [eax+ecx*2]
		and	eax, 2
		pop	ebp
		retn
_islower	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2972. isprint

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl isprint(int)
		public _isprint
_isprint	proc near		; CODE XREF: SmSanitizeString(x,x)+48p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		or	ecx, 0FFFFFFFFh
		cmp	eax, ecx
		jz	short loc_584470
		movzx	ecx, al

loc_584470:				; CODE XREF: _isprint+Dj
		mov	eax, off_6B10F8
		movzx	eax, word ptr [eax+ecx*2]
		and	eax, 157h
		pop	ebp
		retn
_isprint	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2973. isspace

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl isspace(int)
		public _isspace
_isspace	proc near		; CODE XREF: ScTrimString(char *)+25p
					; ScTrimString(char *)+50p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		or	ecx, 0FFFFFFFFh
		cmp	eax, ecx
		jz	short loc_584498
		movzx	ecx, al

loc_584498:				; CODE XREF: _isspace+Dj
		mov	eax, off_6B10F8
		movzx	eax, word ptr [eax+ecx*2]
		and	eax, 8
		pop	ebp
		retn
_isspace	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2974. isupper

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl isupper(int)
		public _isupper
_isupper	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		or	ecx, 0FFFFFFFFh
		cmp	eax, ecx
		jz	short loc_5844BE
		movzx	ecx, al

loc_5844BE:				; CODE XREF: _isupper+Dj
		mov	eax, off_6B10F8
		movzx	eax, word ptr [eax+ecx*2]
		and	eax, 1
		pop	ebp
		retn
_isupper	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2978. isxdigit

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl isxdigit(int)
		public _isxdigit
_isxdigit	proc near		; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+63p
					; RtlIpv4StringToAddressA(x,x,x,x)+D3p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		or	ecx, 0FFFFFFFFh
		cmp	eax, ecx
		jz	short loc_5844E4
		movzx	ecx, al

loc_5844E4:				; CODE XREF: _isxdigit+Dj
		mov	eax, off_6B10F8
		movzx	eax, word ptr [eax+ecx*2]
		and	eax, 80h
		pop	ebp
		retn
_isxdigit	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2975. iswalnum

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl iswalnum(wint_t)
		public _iswalnum
_iswalnum	proc near		; CODE XREF: PiDrvDbFindSystemFilePathToken(x,x)+6Fp
					; PiDrvDbFindSystemFilePathToken(x,x)+95p ...

arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	107h		; wctype_t
		push	dword ptr [ebp+arg_0] ;	wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		pop	ebp
		retn
_iswalnum	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl iswalpha(wint_t)
_iswalpha	proc near		; CODE XREF: PiDrvDbFindSystemFilePathToken(x,x)+88p

arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	103h		; wctype_t
		push	dword ptr [ebp+arg_0] ;	wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		pop	ebp
		retn
_iswalpha	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2976. iswdigit

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl iswdigit(wint_t)
		public _iswdigit
_iswdigit	proc near		; CODE XREF: PfSnParsePrefetchParam+B1p

arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	4		; wctype_t
		push	dword ptr [ebp+arg_0] ;	wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		pop	ebp
		retn
_iswdigit	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2977. iswspace

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl iswspace(wint_t)
		public _iswspace
_iswspace	proc near		; CODE XREF: GetNextNoneWhiteSpace(x,x)+1Dp
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+143p ...

arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	8		; wctype_t
		push	dword ptr [ebp+arg_0] ;	wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		pop	ebp
		retn
_iswspace	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2979. mbstowcs

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; size_t __cdecl mbstowcs(wchar_t *,const char *,size_t)
		public _mbstowcs
_mbstowcs	proc near

arg_0		= dword	ptr  8
s		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	short loc_5845BF
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jnz	short loc_584575
		xor	eax, eax
		jmp	short loc_5845CE
; 

loc_584575:				; CODE XREF: _mbstowcs+13j
		push	[ebp+s]		; s
		call	__mbstrlen
		pop	ecx
		mov	[ebp+arg_0], eax
		inc	eax
		push	eax
		push	[ebp+s]
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [edi+edi]
		push	eax
		push	esi
		call	RtlMultiByteToUnicodeN
		test	eax, eax
		jns	short loc_5845AC
		xor	eax, eax
		mov	_gbl_errno, 2Ah
		mov	[esi], ax
		or	eax, 0FFFFFFFFh
		jmp	short loc_5845CE
; 

loc_5845AC:				; CODE XREF: _mbstowcs+3Aj
		mov	eax, [ebp+arg_0]
		shr	eax, 1
		mov	[ebp+arg_0], eax
		cmp	word ptr [esi+eax*2-2],	0
		jnz	short loc_5845CE
		dec	eax
		jmp	short loc_5845CE
; 

loc_5845BF:				; CODE XREF: _mbstowcs+Cj
		mov	eax, [ebp+s]
		lea	edx, [eax+1]

loc_5845C5:				; CODE XREF: _mbstowcs+6Ej
		mov	cl, [eax]
		inc	eax
		test	cl, cl
		jnz	short loc_5845C5
		sub	eax, edx

loc_5845CE:				; CODE XREF: _mbstowcs+17j
					; _mbstowcs+4Ej ...
		pop	edi
		pop	esi
		pop	ebp
		retn
_mbstowcs	endp

; 
		align 8
; Exported entry 2980. mbtowc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _safecrt_mbtowc(wchar_t *,const char *,size_t)
		public __safecrt_mbtowc
__safecrt_mbtowc proc near		; CODE XREF: __woutput_l+486p
					; __woutput_l+61Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_5845FC
		cmp	[ebp+arg_8], 0
		jz	short loc_5845FC
		cmp	byte ptr [esi],	0
		jnz	short loc_584601
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_5845FC
		xor	ecx, ecx
		mov	[eax], cx

loc_5845FC:				; CODE XREF: __safecrt_mbtowc+Bj
					; __safecrt_mbtowc+11j	...
		xor	eax, eax

loc_5845FE:				; CODE XREF: __safecrt_mbtowc+40j
		pop	esi
		pop	ebp
		retn
; 

loc_584601:				; CODE XREF: __safecrt_mbtowc+16j
		lea	eax, [ebp+arg_4]
		mov	[ebp+arg_4], esi
		push	eax
		call	RtlAnsiCharToUnicodeChar
		mov	ecx, [ebp+arg_0]
		mov	[ecx], ax
		mov	eax, [ebp+arg_4]
		sub	eax, esi
		jmp	short loc_5845FE
__safecrt_mbtowc endp

; 
		align 10h
; Exported entry 2981. memchr

;  S U B	R O U T	I N E 


; void *__cdecl	memchr(const void *,int,size_t)
		public _memchr
_memchr		proc near

arg_0		= dword	ptr  4
arg_4		= byte ptr  8
arg_8		= dword	ptr  0Ch

		mov	eax, [esp+arg_8]
		push	ebx
		test	eax, eax
		jz	short loc_58467B
		mov	edx, [esp+4+arg_0]
		xor	ebx, ebx
		mov	bl, [esp+4+arg_4]
		test	edx, 3
		jz	short loc_584651

loc_58463B:				; CODE XREF: _memchr+2Fj
		mov	cl, [edx]
		add	edx, 1
		xor	cl, bl
		jz	short loc_5846B6
		sub	eax, 1
		jz	short loc_58467B
		test	edx, 3
		jnz	short loc_58463B

loc_584651:				; CODE XREF: _memchr+19j
		sub	eax, 4
		jb	short loc_584668
		push	edi
		mov	edi, ebx
		shl	ebx, 8
		add	ebx, edi
		mov	edi, ebx
		shl	ebx, 10h
		add	ebx, edi
		jmp	short loc_584682
; 

loc_584667:				; CODE XREF: _memchr+60j
		pop	edi

loc_584668:				; CODE XREF: _memchr+34j
		add	eax, 4
		jz	short loc_58467B

loc_58466D:				; CODE XREF: _memchr+59j
		mov	cl, [edx]
		add	edx, 1
		xor	cl, bl
		jz	short loc_5846B6
		sub	eax, 1
		jnz	short loc_58466D

loc_58467B:				; CODE XREF: _memchr+7j _memchr+27j ...
		pop	ebx
		retn
; 

loc_58467D:				; CODE XREF: _memchr+7Bj _memchr+93j
		sub	eax, 4
		jb	short loc_584667

loc_584682:				; CODE XREF: _memchr+45j
		mov	ecx, [edx]
		xor	ecx, ebx
		mov	edi, 7EFEFEFFh
		add	edi, ecx
		xor	ecx, 0FFFFFFFFh
		xor	ecx, edi
		add	edx, 4
		and	ecx, 81010100h
		jz	short loc_58467D
		mov	ecx, [edx-4]
		xor	cl, bl
		jz	short loc_5846C7
		xor	ch, bl
		jz	short loc_5846C1
		shr	ecx, 10h
		xor	cl, bl
		jz	short loc_5846BB
		xor	ch, bl
		jz	short loc_5846B5
		jmp	short loc_58467D
; 

loc_5846B5:				; CODE XREF: _memchr+91j
		pop	edi

loc_5846B6:				; CODE XREF: _memchr+22j _memchr+54j
		lea	eax, [edx-1]
		pop	ebx
		retn
; 

loc_5846BB:				; CODE XREF: _memchr+8Dj
		lea	eax, [edx-2]
		pop	edi
		pop	ebx
		retn
; 

loc_5846C1:				; CODE XREF: _memchr+86j
		lea	eax, [edx-3]
		pop	edi
		pop	ebx
		retn
; 

loc_5846C7:				; CODE XREF: _memchr+82j
		lea	eax, [edx-4]
		pop	edi
		pop	ebx
		retn
_memchr		endp ; sp =  8

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2982. memcmp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl memcmp(const void	*,const	void *,size_t)
		public _memcmp
_memcmp		proc near		; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+1BCp
					; EmpSearchRuleDatabase(x)+1Ap	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		push	4
		pop	edi
		jmp	short loc_5846F4
; 

loc_5846E8:				; CODE XREF: _memcmp+24j
		mov	eax, [edx]
		cmp	eax, [esi]
		jnz	short loc_5846FA
		add	edx, edi
		add	esi, edi
		sub	ecx, edi

loc_5846F4:				; CODE XREF: _memcmp+14j
		cmp	ecx, edi
		jnb	short loc_5846E8
		jmp	short loc_5846FC
; 

loc_5846FA:				; CODE XREF: _memcmp+1Aj
		mov	ecx, edi

loc_5846FC:				; CODE XREF: _memcmp+26j
		test	ecx, ecx
		jz	short loc_584711
		sub	esi, edx

loc_584702:				; CODE XREF: _memcmp+3Dj
		mov	al, [edx]
		cmp	al, [esi+edx]
		jb	short loc_58471D
		ja	short loc_584718
		inc	edx
		sub	ecx, 1
		jnz	short loc_584702

loc_584711:				; CODE XREF: _memcmp+2Cj
		xor	eax, eax

loc_584713:				; CODE XREF: _memcmp+49j _memcmp+4Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_584718:				; CODE XREF: _memcmp+37j
		xor	eax, eax
		inc	eax
		jmp	short loc_584713
; 

loc_58471D:				; CODE XREF: _memcmp+35j
		or	eax, 0FFFFFFFFh
		jmp	short loc_584713
_memcmp		endp

; 
		align 10h
; Exported entry 2983. memcpy

; void *__cdecl	memcpy(void *,const void *,size_t)
		public _memcpy
_memcpy:				; CODE XREF: CmQueryLayeredKey+110p
					; MmProbeAndLockSelectedPages+8Cp ...
		push	ebp
		mov	ebp, esp
		push	edi
		push	esi
		mov	esi, [ebp+0Ch]
		mov	ecx, [ebp+10h]
		mov	edi, [ebp+8]
		mov	eax, ecx
		mov	edx, ecx
		add	eax, esi
		cmp	edi, esi
		jbe	short loc_584750
		cmp	edi, eax
		jb	loc_5848CC

loc_584750:				; CODE XREF: .text:00584746j
		test	edi, 3
		jnz	short loc_58476C
		shr	ecx, 2
		and	edx, 3
		cmp	ecx, 8
		jb	short loc_58478C
		rep movsd
		jmp	ds:off_58487C[edx*4]
; 

loc_58476C:				; CODE XREF: .text:00584756j
		mov	eax, edi
		mov	edx, 3
		sub	ecx, 4
		jb	short loc_584784
		and	eax, 3
		add	ecx, eax
		jmp	dword ptr ds:(loc_58478C+4)[eax*4]
; 

loc_584784:				; CODE XREF: .text:00584776j
		jmp	ds:dword_58488C[ecx*4]
; 
		align 4

loc_58478C:				; CODE XREF: .text:00584761j
					; .text:005847BEj ...
		jmp	ds:off_584810[ecx*4]
; 
		align 4
		dd offset loc_5847A0
		dd offset loc_5847CC
		dd offset loc_5847F0
; 

loc_5847A0:				; DATA XREF: .text:00584794o
		and	edx, ecx
		mov	al, [esi]
		mov	[edi], al
		mov	al, [esi+1]
		mov	[edi+1], al
		mov	al, [esi+2]
		shr	ecx, 2
		mov	[edi+2], al
		add	esi, 3
		add	edi, 3
		cmp	ecx, 8
		jb	short loc_58478C
		rep movsd
		jmp	ds:off_58487C[edx*4]
; 
		align 4

loc_5847CC:				; DATA XREF: .text:00584798o
		and	edx, ecx
		mov	al, [esi]
		mov	[edi], al
		mov	al, [esi+1]
		shr	ecx, 2
		mov	[edi+1], al
		add	esi, 2
		add	edi, 2
		cmp	ecx, 8
		jb	short loc_58478C
		rep movsd
		jmp	ds:off_58487C[edx*4]
; 
		align 10h

loc_5847F0:				; DATA XREF: .text:0058479Co
		and	edx, ecx
		mov	al, [esi]
		mov	[edi], al
		add	esi, 1
		shr	ecx, 2
		add	edi, 1
		cmp	ecx, 8
		jb	short loc_58478C
		rep movsd
		jmp	ds:off_58487C[edx*4]
; 
		align 10h
off_584810	dd offset loc_584873	; DATA XREF: .text:loc_58478Cr
		dd offset loc_584860
		dd offset loc_584858
		dd offset loc_584850
		dd offset loc_584848
		dd offset loc_584840
		dd offset loc_584838
		dd offset loc_584830
; 

loc_584830:				; CODE XREF: .text:loc_58478Cj
					; DATA XREF: .text:0058482Co
		mov	eax, [esi+ecx*4-1Ch]
		mov	[edi+ecx*4-1Ch], eax

loc_584838:				; CODE XREF: .text:loc_58478Cj
					; DATA XREF: .text:00584828o
		mov	eax, [esi+ecx*4-18h]
		mov	[edi+ecx*4-18h], eax

loc_584840:				; CODE XREF: .text:loc_58478Cj
					; DATA XREF: .text:00584824o
		mov	eax, [esi+ecx*4-14h]
		mov	[edi+ecx*4-14h], eax

loc_584848:				; CODE XREF: .text:loc_58478Cj
					; DATA XREF: .text:00584820o
		mov	eax, [esi+ecx*4-10h]
		mov	[edi+ecx*4-10h], eax

loc_584850:				; CODE XREF: .text:loc_58478Cj
					; DATA XREF: .text:0058481Co
		mov	eax, [esi+ecx*4-0Ch]
		mov	[edi+ecx*4-0Ch], eax

loc_584858:				; CODE XREF: .text:loc_58478Cj
					; DATA XREF: .text:00584818o
		mov	eax, [esi+ecx*4-8]
		mov	[edi+ecx*4-8], eax

loc_584860:				; CODE XREF: .text:loc_58478Cj
					; DATA XREF: .text:00584814o
		mov	eax, [esi+ecx*4-4]
		mov	[edi+ecx*4-4], eax
		lea	eax, ds:0[ecx*4]
		add	esi, eax
		add	edi, eax

loc_584873:				; CODE XREF: .text:loc_58478Cj
					; DATA XREF: .text:off_584810o
		jmp	ds:off_58487C[edx*4]
; 
		align 4
off_58487C	dd offset dword_58488C	; DATA XREF: .text:00584765r
					; .text:005847C2r ...
		dd offset loc_584894
		dd offset loc_5848A0
		dd offset loc_5848B4
dword_58488C	dd 5E08458Bh		; CODE XREF: .text:00584765j
					; DATA XREF: .text:loc_584784r	...
; 
		pop	edi
		leave
		retn
; 
		align 4

loc_584894:				; CODE XREF: .text:00584765j
					; DATA XREF: .text:00584880o
		mov	al, [esi]
		mov	[edi], al
		mov	eax, [ebp+8]
		pop	esi
		pop	edi
		leave
		retn
; 
		align 10h

loc_5848A0:				; CODE XREF: .text:00584765j
					; DATA XREF: .text:00584884o
		mov	al, [esi]
		mov	[edi], al
		mov	al, [esi+1]
		mov	[edi+1], al
		mov	eax, [ebp+8]
		pop	esi
		pop	edi
		leave
		retn
; 
		align 4

loc_5848B4:				; CODE XREF: .text:00584765j
					; DATA XREF: .text:00584888o
		mov	al, [esi]
		mov	[edi], al
		mov	al, [esi+1]
		mov	[edi+1], al
		mov	al, [esi+2]
		mov	[edi+2], al
		mov	eax, [ebp+8]
		pop	esi
		pop	edi
		leave
		retn
; 
		align 4

loc_5848CC:				; CODE XREF: .text:0058474Aj
		lea	esi, [esi+ecx-4]
		lea	edi, [edi+ecx-4]
		test	edi, 3
		jnz	short loc_584900
		shr	ecx, 2
		and	edx, 3
		cmp	ecx, 8
		jb	short loc_5848F4
		std
		rep movsd
		cld
		jmp	ds:off_584A18[edx*4]
; 
		align 4

loc_5848F4:				; CODE XREF: .text:005848E5j
					; .text:00584940j ...
		neg	ecx
		jmp	ds:off_5849C8[ecx*4]
; 
		align 10h

loc_584900:				; CODE XREF: .text:005848DAj
		mov	eax, edi
		mov	edx, 3
		cmp	ecx, 4
		jb	short loc_584918
		and	eax, 3
		sub	ecx, eax
		jmp	dword ptr ds:(loc_584918+4)[eax*4]
; 

loc_584918:				; CODE XREF: .text:0058490Aj
					; DATA XREF: .text:00584911r
		jmp	ds:off_584A18[ecx*4]
; 
		align 10h
		dd offset loc_58492C
		dd offset loc_584950
		dd offset loc_584978
; 

loc_58492C:				; DATA XREF: .text:00584920o
		mov	al, [esi+3]
		and	edx, ecx
		mov	[edi+3], al
		sub	esi, 1
		shr	ecx, 2
		sub	edi, 1
		cmp	ecx, 8
		jb	short loc_5848F4
		std
		rep movsd
		cld
		jmp	ds:off_584A18[edx*4]
; 
		align 10h

loc_584950:				; DATA XREF: .text:00584924o
		mov	al, [esi+3]
		and	edx, ecx
		mov	[edi+3], al
		mov	al, [esi+2]
		shr	ecx, 2
		mov	[edi+2], al
		sub	esi, 2
		sub	edi, 2
		cmp	ecx, 8
		jb	short loc_5848F4
		std
		rep movsd
		cld
		jmp	ds:off_584A18[edx*4]
; 
		align 4

loc_584978:				; DATA XREF: .text:00584928o
		mov	al, [esi+3]
		and	edx, ecx
		mov	[edi+3], al
		mov	al, [esi+2]
		mov	[edi+2], al
		mov	al, [esi+1]
		shr	ecx, 2
		mov	[edi+1], al
		sub	esi, 3
		sub	edi, 3
		cmp	ecx, 8
		jb	loc_5848F4
		std
		rep movsd
		cld
		jmp	ds:off_584A18[edx*4]
; 
		db 8Dh,	49h, 0
		dd offset loc_5849CC
		dd offset loc_5849D4
		dd offset loc_5849DC
		dd offset loc_5849E4
		dd offset loc_5849EC
		dd offset loc_5849F4
		dd offset loc_5849FC
off_5849C8	dd offset loc_584A0F	; DATA XREF: .text:005848F6r
; 

loc_5849CC:				; DATA XREF: .text:005849ACo
		mov	eax, [esi+ecx*4+1Ch]
		mov	[edi+ecx*4+1Ch], eax

loc_5849D4:				; DATA XREF: .text:005849B0o
		mov	eax, [esi+ecx*4+18h]
		mov	[edi+ecx*4+18h], eax

loc_5849DC:				; DATA XREF: .text:005849B4o
		mov	eax, [esi+ecx*4+14h]
		mov	[edi+ecx*4+14h], eax

loc_5849E4:				; DATA XREF: .text:005849B8o
		mov	eax, [esi+ecx*4+10h]
		mov	[edi+ecx*4+10h], eax

loc_5849EC:				; DATA XREF: .text:005849BCo
		mov	eax, [esi+ecx*4+0Ch]
		mov	[edi+ecx*4+0Ch], eax

loc_5849F4:				; DATA XREF: .text:005849C0o
		mov	eax, [esi+ecx*4+8]
		mov	[edi+ecx*4+8], eax

loc_5849FC:				; DATA XREF: .text:005849C4o
		mov	eax, [esi+ecx*4+4]
		mov	[edi+ecx*4+4], eax
		lea	eax, ds:0[ecx*4]
		add	esi, eax
		add	edi, eax

loc_584A0F:				; CODE XREF: .text:005848F6j
					; DATA XREF: .text:off_5849C8o
		jmp	ds:off_584A18[edx*4]
; 
		align 4
off_584A18	dd offset loc_584A28	; DATA XREF: .text:005848EBr
					; .text:loc_584918r ...
		dd offset loc_584A30
		dd offset loc_584A40
		dd offset loc_584A54
; 

loc_584A28:				; CODE XREF: .text:005848EBj
					; .text:loc_584918j ...
		mov	eax, [ebp+8]
		pop	esi
		pop	edi
		leave
		retn
; 
		align 10h

loc_584A30:				; CODE XREF: .text:005848EBj
					; .text:loc_584918j ...
		mov	al, [esi+3]
		mov	[edi+3], al
		mov	eax, [ebp+8]
		pop	esi
		pop	edi
		leave
		retn
; 
		align 10h

loc_584A40:				; CODE XREF: .text:005848EBj
					; .text:loc_584918j ...
		mov	al, [esi+3]
		mov	[edi+3], al
		mov	al, [esi+2]
		mov	[edi+2], al
		mov	eax, [ebp+8]
		pop	esi
		pop	edi
		leave
		retn
; 
		align 4

loc_584A54:				; CODE XREF: .text:005848EBj
					; .text:loc_584918j ...
		mov	al, [esi+3]
		mov	[edi+3], al
		mov	al, [esi+2]
		mov	[edi+2], al
		mov	al, [esi+1]
		mov	[edi+1], al
		mov	eax, [ebp+8]
		pop	esi
		pop	edi
		leave
		retn
; 
		align 10h
; Exported entry 2985. memmove

; void *__cdecl	memmove(void *,const void *,size_t)
		public _memmove
_memmove:				; CODE XREF: RtlCopyBitMap+77p
					; RtlpCopyBitMapTailToHead+12Dp ...
		push	ebp
		mov	ebp, esp
		push	edi
		push	esi
		mov	esi, [ebp+0Ch]
		mov	ecx, [ebp+10h]
		mov	edi, [ebp+8]
		mov	eax, ecx
		mov	edx, ecx
		add	eax, esi
		cmp	edi, esi
		jbe	short loc_584A90
		cmp	edi, eax
		jb	loc_584C0C

loc_584A90:				; CODE XREF: .text:00584A86j
		test	edi, 3
		jnz	short loc_584AAC
		shr	ecx, 2
		and	edx, 3
		cmp	ecx, 8
		jb	short loc_584ACC
		rep movsd
		jmp	ds:off_584BBC[edx*4]
; 

loc_584AAC:				; CODE XREF: .text:00584A96j
		mov	eax, edi
		mov	edx, 3
		sub	ecx, 4
		jb	short loc_584AC4
		and	eax, 3
		add	ecx, eax
		jmp	dword ptr ds:(loc_584ACC+4)[eax*4]
; 

loc_584AC4:				; CODE XREF: .text:00584AB6j
		jmp	ds:dword_584BCC[ecx*4]
; 
		align 4

loc_584ACC:				; CODE XREF: .text:00584AA1j
					; .text:00584AFEj ...
		jmp	ds:off_584B50[ecx*4]
; 
		align 4
		dd offset loc_584AE0
		dd offset loc_584B0C
		dd offset loc_584B30
; 

loc_584AE0:				; DATA XREF: .text:00584AD4o
		and	edx, ecx
		mov	al, [esi]
		mov	[edi], al
		mov	al, [esi+1]
		mov	[edi+1], al
		mov	al, [esi+2]
		shr	ecx, 2
		mov	[edi+2], al
		add	esi, 3
		add	edi, 3
		cmp	ecx, 8
		jb	short loc_584ACC
		rep movsd
		jmp	ds:off_584BBC[edx*4]
; 
		align 4

loc_584B0C:				; DATA XREF: .text:00584AD8o
		and	edx, ecx
		mov	al, [esi]
		mov	[edi], al
		mov	al, [esi+1]
		shr	ecx, 2
		mov	[edi+1], al
		add	esi, 2
		add	edi, 2
		cmp	ecx, 8
		jb	short loc_584ACC
		rep movsd
		jmp	ds:off_584BBC[edx*4]
; 
		align 10h

loc_584B30:				; DATA XREF: .text:00584ADCo
		and	edx, ecx
		mov	al, [esi]
		mov	[edi], al
		add	esi, 1
		shr	ecx, 2
		add	edi, 1
		cmp	ecx, 8
		jb	short loc_584ACC
		rep movsd
		jmp	ds:off_584BBC[edx*4]
; 
		align 10h
off_584B50	dd offset loc_584BB3	; DATA XREF: .text:loc_584ACCr
		dd offset loc_584BA0
		dd offset loc_584B98
		dd offset loc_584B90
		dd offset loc_584B88
		dd offset loc_584B80
		dd offset loc_584B78
		dd offset loc_584B70
; 

loc_584B70:				; CODE XREF: .text:loc_584ACCj
					; DATA XREF: .text:00584B6Co
		mov	eax, [esi+ecx*4-1Ch]
		mov	[edi+ecx*4-1Ch], eax

loc_584B78:				; CODE XREF: .text:loc_584ACCj
					; DATA XREF: .text:00584B68o
		mov	eax, [esi+ecx*4-18h]
		mov	[edi+ecx*4-18h], eax

loc_584B80:				; CODE XREF: .text:loc_584ACCj
					; DATA XREF: .text:00584B64o
		mov	eax, [esi+ecx*4-14h]
		mov	[edi+ecx*4-14h], eax

loc_584B88:				; CODE XREF: .text:loc_584ACCj
					; DATA XREF: .text:00584B60o
		mov	eax, [esi+ecx*4-10h]
		mov	[edi+ecx*4-10h], eax

loc_584B90:				; CODE XREF: .text:loc_584ACCj
					; DATA XREF: .text:00584B5Co
		mov	eax, [esi+ecx*4-0Ch]
		mov	[edi+ecx*4-0Ch], eax

loc_584B98:				; CODE XREF: .text:loc_584ACCj
					; DATA XREF: .text:00584B58o
		mov	eax, [esi+ecx*4-8]
		mov	[edi+ecx*4-8], eax

loc_584BA0:				; CODE XREF: .text:loc_584ACCj
					; DATA XREF: .text:00584B54o
		mov	eax, [esi+ecx*4-4]
		mov	[edi+ecx*4-4], eax
		lea	eax, ds:0[ecx*4]
		add	esi, eax
		add	edi, eax

loc_584BB3:				; CODE XREF: .text:loc_584ACCj
					; DATA XREF: .text:off_584B50o
		jmp	ds:off_584BBC[edx*4]
; 
		align 4
off_584BBC	dd offset dword_584BCC	; DATA XREF: .text:00584AA5r
					; .text:00584B02r ...
		dd offset loc_584BD4
		dd offset loc_584BE0
		dd offset loc_584BF4
dword_584BCC	dd 5E08458Bh		; CODE XREF: .text:00584AA5j
					; DATA XREF: .text:loc_584AC4r	...
; 
		pop	edi
		leave
		retn
; 
		align 4

loc_584BD4:				; CODE XREF: .text:00584AA5j
					; DATA XREF: .text:00584BC0o
		mov	al, [esi]
		mov	[edi], al
		mov	eax, [ebp+8]
		pop	esi
		pop	edi
		leave
		retn
; 
		align 10h

loc_584BE0:				; CODE XREF: .text:00584AA5j
					; DATA XREF: .text:00584BC4o
		mov	al, [esi]
		mov	[edi], al
		mov	al, [esi+1]
		mov	[edi+1], al
		mov	eax, [ebp+8]
		pop	esi
		pop	edi
		leave
		retn
; 
		align 4

loc_584BF4:				; CODE XREF: .text:00584AA5j
					; DATA XREF: .text:00584BC8o
		mov	al, [esi]
		mov	[edi], al
		mov	al, [esi+1]
		mov	[edi+1], al
		mov	al, [esi+2]
		mov	[edi+2], al
		mov	eax, [ebp+8]
		pop	esi
		pop	edi
		leave
		retn
; 
		align 4

loc_584C0C:				; CODE XREF: .text:00584A8Aj
		lea	esi, [esi+ecx-4]
		lea	edi, [edi+ecx-4]
		test	edi, 3
		jnz	short loc_584C40
		shr	ecx, 2
		and	edx, 3
		cmp	ecx, 8
		jb	short loc_584C34
		std
		rep movsd
		cld
		jmp	ds:off_584D58[edx*4]
; 
		align 4

loc_584C34:				; CODE XREF: .text:00584C25j
					; .text:00584C80j ...
		neg	ecx
		jmp	ds:off_584D08[ecx*4]
; 
		align 10h

loc_584C40:				; CODE XREF: .text:00584C1Aj
		mov	eax, edi
		mov	edx, 3
		cmp	ecx, 4
		jb	short loc_584C58
		and	eax, 3
		sub	ecx, eax
		jmp	dword ptr ds:(loc_584C58+4)[eax*4]
; 

loc_584C58:				; CODE XREF: .text:00584C4Aj
					; DATA XREF: .text:00584C51r
		jmp	ds:off_584D58[ecx*4]
; 
		align 10h
		dd offset loc_584C6C
		dd offset loc_584C90
		dd offset loc_584CB8
; 

loc_584C6C:				; DATA XREF: .text:00584C60o
		mov	al, [esi+3]
		and	edx, ecx
		mov	[edi+3], al
		sub	esi, 1
		shr	ecx, 2
		sub	edi, 1
		cmp	ecx, 8
		jb	short loc_584C34
		std
		rep movsd
		cld
		jmp	ds:off_584D58[edx*4]
; 
		align 10h

loc_584C90:				; DATA XREF: .text:00584C64o
		mov	al, [esi+3]
		and	edx, ecx
		mov	[edi+3], al
		mov	al, [esi+2]
		shr	ecx, 2
		mov	[edi+2], al
		sub	esi, 2
		sub	edi, 2
		cmp	ecx, 8
		jb	short loc_584C34
		std
		rep movsd
		cld
		jmp	ds:off_584D58[edx*4]
; 
		align 4

loc_584CB8:				; DATA XREF: .text:00584C68o
		mov	al, [esi+3]
		and	edx, ecx
		mov	[edi+3], al
		mov	al, [esi+2]
		mov	[edi+2], al
		mov	al, [esi+1]
		shr	ecx, 2
		mov	[edi+1], al
		sub	esi, 3
		sub	edi, 3
		cmp	ecx, 8
		jb	loc_584C34
		std
		rep movsd
		cld
		jmp	ds:off_584D58[edx*4]
; 
		align 4
		dd offset loc_584D0C
		dd offset loc_584D14
		dd offset loc_584D1C
		dd offset loc_584D24
		dd offset loc_584D2C
		dd offset loc_584D34
		dd offset loc_584D3C
off_584D08	dd offset loc_584D4F	; DATA XREF: .text:00584C36r
; 

loc_584D0C:				; DATA XREF: .text:00584CECo
		mov	eax, [esi+ecx*4+1Ch]
		mov	[edi+ecx*4+1Ch], eax

loc_584D14:				; DATA XREF: .text:00584CF0o
		mov	eax, [esi+ecx*4+18h]
		mov	[edi+ecx*4+18h], eax

loc_584D1C:				; DATA XREF: .text:00584CF4o
		mov	eax, [esi+ecx*4+14h]
		mov	[edi+ecx*4+14h], eax

loc_584D24:				; DATA XREF: .text:00584CF8o
		mov	eax, [esi+ecx*4+10h]
		mov	[edi+ecx*4+10h], eax

loc_584D2C:				; DATA XREF: .text:00584CFCo
		mov	eax, [esi+ecx*4+0Ch]
		mov	[edi+ecx*4+0Ch], eax

loc_584D34:				; DATA XREF: .text:00584D00o
		mov	eax, [esi+ecx*4+8]
		mov	[edi+ecx*4+8], eax

loc_584D3C:				; DATA XREF: .text:00584D04o
		mov	eax, [esi+ecx*4+4]
		mov	[edi+ecx*4+4], eax
		lea	eax, ds:0[ecx*4]
		add	esi, eax
		add	edi, eax

loc_584D4F:				; CODE XREF: .text:00584C36j
					; DATA XREF: .text:off_584D08o
		jmp	ds:off_584D58[edx*4]
; 
		align 4
off_584D58	dd offset loc_584D68	; DATA XREF: .text:00584C2Br
					; .text:loc_584C58r ...
		dd offset loc_584D70
		dd offset loc_584D80
		dd offset loc_584D94
; 

loc_584D68:				; CODE XREF: .text:00584C2Bj
					; .text:loc_584C58j ...
		mov	eax, [ebp+8]
		pop	esi
		pop	edi
		leave
		retn
; 
		align 10h

loc_584D70:				; CODE XREF: .text:00584C2Bj
					; .text:loc_584C58j ...
		mov	al, [esi+3]
		mov	[edi+3], al
		mov	eax, [ebp+8]
		pop	esi
		pop	edi
		leave
		retn
; 
		align 10h

loc_584D80:				; CODE XREF: .text:00584C2Bj
					; .text:loc_584C58j ...
		mov	al, [esi+3]
		mov	[edi+3], al
		mov	al, [esi+2]
		mov	[edi+2], al
		mov	eax, [ebp+8]
		pop	esi
		pop	edi
		leave
		retn
; 
		align 4

loc_584D94:				; CODE XREF: .text:00584C2Bj
					; .text:loc_584C58j ...
		mov	al, [esi+3]
		mov	[edi+3], al
		mov	al, [esi+2]
		mov	[edi+2], al
		mov	al, [esi+1]
		mov	[edi+1], al
		mov	eax, [ebp+8]
		pop	esi
		pop	edi
		leave
		retn
; 
		align 10h
; Exported entry 2987. memset

;  S U B	R O U T	I N E 


; void *__cdecl	memset(void *,int,size_t)
		public _memset
_memset		proc near		; CODE XREF: CmQueryLayeredKey+37p
					; CmQueryLayeredKey+72p ...

arg_0		= dword	ptr  4
arg_4		= byte ptr  8
arg_8		= dword	ptr  0Ch

		mov	edx, [esp+arg_8]
		mov	ecx, [esp+arg_0]
		test	edx, edx
		jz	short loc_584E0B
		xor	eax, eax
		mov	al, [esp+arg_4]
		push	edi
		mov	edi, ecx
		cmp	edx, 4
		jb	short loc_584DFB
		neg	ecx
		and	ecx, 3
		jz	short loc_584DDD
		sub	edx, ecx

loc_584DD3:				; CODE XREF: _memset+2Bj
		mov	[edi], al
		add	edi, 1
		sub	ecx, 1
		jnz	short loc_584DD3

loc_584DDD:				; CODE XREF: _memset+1Fj
		mov	ecx, eax
		shl	eax, 8
		add	eax, ecx
		mov	ecx, eax
		shl	eax, 10h
		add	eax, ecx
		mov	ecx, edx
		and	edx, 3
		shr	ecx, 2
		jz	short loc_584DFB
		rep stosd
		test	edx, edx
		jz	short loc_584E05

loc_584DFB:				; CODE XREF: _memset+18j _memset+43j ...
		mov	[edi], al
		add	edi, 1
		sub	edx, 1
		jnz	short loc_584DFB

loc_584E05:				; CODE XREF: _memset+49j
		mov	eax, [esp+4+arg_0]
		pop	edi
		retn
; 

loc_584E0B:				; CODE XREF: _memset+Aj
		mov	eax, [esp+arg_0]
		retn
_memset		endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2989. qsort

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void __cdecl qsort(void *,size_t,size_t,int __cdecl (*)(const	void *,const void *))
		public _qsort
_qsort		proc near		; CODE XREF: MiRevertValidPte+4CAp
					; MiTerminateWsleCluster+7D2p ...

var_124		= dword	ptr -124h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_7C		= dword	ptr -7Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 118h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	edi, [ebp+arg_4]
		push	78h		; size_t
		mov	[ebp+var_100], eax
		lea	eax, [ebp+var_7C]
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_F8], ebx
		mov	[ebp+var_FC], esi
		call	_memset
		push	78h		; size_t
		lea	eax, [ebp+var_F4]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 18h
		cmp	[ebp+var_100], 0
		jnz	short loc_584E87
		test	edi, edi
		jnz	loc_585265

loc_584E87:				; CODE XREF: _qsort+5Dj
		test	ebx, ebx
		jz	loc_585265
		test	esi, esi
		jz	loc_585265
		cmp	edi, 2
		jb	loc_585277
		lea	ecx, [edi-1]
		mov	[ebp+var_114], 0
		mov	edi, [ebp+var_100]
		imul	ecx, ebx
		add	ecx, edi

loc_584EB8:				; CODE XREF: _qsort+14Fj _qsort+440j
		mov	[ebp+var_108], ecx
		mov	edi, edi

loc_584EC0:				; CODE XREF: _qsort+409j
		mov	eax, ecx
		xor	edx, edx
		sub	eax, edi
		div	ebx
		inc	eax
		cmp	eax, 8
		ja	loc_584F74
		cmp	ecx, edi
		jbe	short loc_584F49
		lea	eax, [ebx+edi]
		mov	[ebp+var_10C], eax
		nop

loc_584EE0:				; CODE XREF: _qsort+121j
		mov	esi, eax
		cmp	esi, ecx
		ja	short loc_584F03

loc_584EE6:				; CODE XREF: _qsort+E1j
		push	edi
		push	esi
		call	[ebp+var_FC]
		add	esp, 8
		test	eax, eax
		jle	short loc_584EF7
		mov	edi, esi

loc_584EF7:				; CODE XREF: _qsort+D3j
		mov	ecx, [ebp+var_108]
		add	esi, ebx
		cmp	esi, ecx
		jbe	short loc_584EE6

loc_584F03:				; CODE XREF: _qsort+C4j
		mov	esi, ebx
		mov	edx, ecx
		cmp	edi, ecx
		jz	short loc_584F2B
		sub	edi, ecx
		lea	ecx, [ecx+0]

loc_584F10:				; CODE XREF: _qsort+103j
		mov	al, [edx]
		lea	edx, [edx+1]
		mov	cl, [edi+edx-1]
		mov	[edi+edx-1], al
		mov	[edx-1], cl
		sub	esi, 1
		jnz	short loc_584F10
		mov	ecx, [ebp+var_108]

loc_584F2B:				; CODE XREF: _qsort+E9j
		mov	edi, [ebp+var_100]
		sub	ecx, ebx
		mov	eax, [ebp+var_10C]
		mov	[ebp+var_108], ecx
		cmp	ecx, edi
		ja	short loc_584EE0

loc_584F43:				; CODE XREF: _qsort+3F5j _qsort+432j
		mov	esi, [ebp+var_FC]

loc_584F49:				; CODE XREF: _qsort+B4j
		mov	eax, [ebp+var_114]
		sub	eax, 1
		mov	[ebp+var_114], eax
		js	loc_585277
		mov	edi, [ebp+eax*4+var_7C]
		mov	ecx, [ebp+eax*4+var_F4]
		mov	[ebp+var_100], edi
		jmp	loc_584EB8
; 

loc_584F74:				; CODE XREF: _qsort+ACj
		shr	eax, 1
		imul	eax, ebx
		add	edi, eax
		mov	[ebp+var_104], eax
		push	edi
		push	[ebp+var_100]
		mov	[ebp+var_10C], edi
		call	esi
		add	esp, 8
		test	eax, eax
		mov	eax, [ebp+var_100]
		jle	short loc_584FD9
		mov	[ebp+var_110], ebx
		mov	esi, edi
		cmp	eax, edi
		jz	short loc_584FD9
		mov	ebx, [ebp+var_104]
		mov	edi, [ebp+var_110]

loc_584FB5:				; CODE XREF: _qsort+1A5j
		mov	al, [esi]
		mov	edx, esi
		sub	edx, ebx
		mov	cl, [edx]
		mov	[edx], al
		mov	[esi], cl
		inc	esi
		sub	edi, 1
		jnz	short loc_584FB5
		mov	edi, [ebp+var_10C]
		mov	ebx, [ebp+var_F8]
		mov	eax, [ebp+var_100]

loc_584FD9:				; CODE XREF: _qsort+17Bj _qsort+187j
		mov	esi, [ebp+var_108]
		push	esi
		push	eax
		call	[ebp+var_FC]
		add	esp, 8
		test	eax, eax
		jle	short loc_58501F
		mov	eax, [ebp+var_100]
		mov	edx, esi
		cmp	eax, esi
		jz	short loc_58501F
		sub	eax, esi
		mov	[ebp+var_110], eax
		mov	esi, eax

loc_585004:				; CODE XREF: _qsort+1F7j
		mov	al, [edx]
		lea	edx, [edx+1]
		mov	cl, [esi+edx-1]
		mov	[esi+edx-1], al
		mov	[edx-1], cl
		sub	ebx, 1
		jnz	short loc_585004
		mov	esi, [ebp+var_108]

loc_58501F:				; CODE XREF: _qsort+1CCj _qsort+1D8j
		push	esi
		push	edi
		call	[ebp+var_FC]
		add	esp, 8
		test	eax, eax
		mov	eax, [ebp+var_F8]
		jle	short loc_585065
		mov	ebx, eax
		mov	edx, esi
		cmp	edi, esi
		jz	short loc_585065
		mov	[ebp+var_110], edi
		sub	edi, esi

loc_585044:				; CODE XREF: _qsort+237j
		mov	al, [edx]
		lea	edx, [edx+1]
		mov	cl, [edi+edx-1]
		mov	[edi+edx-1], al
		mov	[edx-1], cl
		sub	ebx, 1
		jnz	short loc_585044
		mov	edi, [ebp+var_10C]
		mov	eax, [ebp+var_F8]

loc_585065:				; CODE XREF: _qsort+212j _qsort+21Aj
		mov	ebx, [ebp+var_108]
		mov	esi, [ebp+var_100]
		mov	[ebp+var_104], ebx

loc_585077:				; CODE XREF: _qsort+339j _qsort+341j
		cmp	edi, esi
		jbe	short loc_5850A3
		jmp	short loc_585080
; 
		align 10h

loc_585080:				; CODE XREF: _qsort+25Bj _qsort+27Fj
		add	esi, eax
		mov	[ebp+var_10C], esi
		cmp	esi, edi
		jnb	short loc_5850A3
		push	edi
		push	esi
		call	[ebp+var_FC]
		add	esp, 8
		test	eax, eax
		mov	eax, [ebp+var_F8]
		jle	short loc_585080
		jmp	short loc_5850D7
; 

loc_5850A3:				; CODE XREF: _qsort+259j _qsort+26Aj
		mov	ebx, [ebp+var_108]
		lea	esp, [esp+0]

loc_5850B0:				; CODE XREF: _qsort+2A9j
		add	esi, eax
		cmp	esi, ebx
		ja	short loc_5850CB
		push	edi
		push	esi
		call	[ebp+var_FC]
		add	esp, 8
		test	eax, eax
		mov	eax, [ebp+var_F8]
		jle	short loc_5850B0

loc_5850CB:				; CODE XREF: _qsort+294j
		mov	ebx, [ebp+var_104]
		mov	[ebp+var_10C], esi

loc_5850D7:				; CODE XREF: _qsort+281j
		mov	esi, [ebp+var_FC]
		lea	ecx, [ecx+0]

loc_5850E0:				; CODE XREF: _qsort+2DDj
		mov	eax, [ebp+var_F8]
		mov	ecx, ebx
		sub	ebx, eax
		mov	[ebp+var_104], ecx
		cmp	ebx, edi
		jbe	short loc_58510B
		push	edi
		push	ebx
		call	esi
		add	esp, 8
		test	eax, eax
		jg	short loc_5850E0
		mov	eax, [ebp+var_F8]
		mov	ecx, [ebp+var_104]

loc_58510B:				; CODE XREF: _qsort+2D2j
		mov	esi, [ebp+var_10C]
		mov	[ebp+var_104], ebx
		cmp	ebx, esi
		jb	short loc_585166
		mov	[ebp+var_118], eax
		mov	edx, ebx
		jz	short loc_585157
		sub	esi, ebx
		mov	ebx, eax
		lea	esp, [esp+0]

loc_585130:				; CODE XREF: _qsort+323j
		mov	al, [edx]
		lea	edx, [edx+1]
		mov	cl, [esi+edx-1]
		mov	[esi+edx-1], al
		mov	[edx-1], cl
		sub	ebx, 1
		jnz	short loc_585130
		mov	esi, [ebp+var_10C]
		mov	ebx, [ebp+var_104]
		mov	eax, [ebp+var_F8]

loc_585157:				; CODE XREF: _qsort+303j
		cmp	edi, ebx
		jnz	loc_585077
		mov	edi, esi
		jmp	loc_585077
; 

loc_585166:				; CODE XREF: _qsort+2F9j
		cmp	edi, ecx
		jnb	short loc_585199
		lea	ebx, [ebx+0]

loc_585170:				; CODE XREF: _qsort+375j
		sub	ecx, eax
		mov	[ebp+var_104], ecx
		cmp	ecx, edi
		jbe	short loc_585199
		push	edi
		push	ecx
		call	[ebp+var_FC]
		mov	ecx, [ebp+var_104]
		add	esp, 8
		test	eax, eax
		mov	eax, [ebp+var_F8]
		jz	short loc_585170
		jmp	short loc_5851CD
; 

loc_585199:				; CODE XREF: _qsort+348j _qsort+35Aj
		mov	esi, [ebp+var_FC]
		nop

loc_5851A0:				; CODE XREF: _qsort+3A5j
		sub	ecx, eax
		mov	[ebp+var_104], ecx
		cmp	ecx, [ebp+var_100]
		jbe	short loc_5851C7
		push	edi
		push	ecx
		call	esi
		mov	ecx, [ebp+var_104]
		add	esp, 8
		test	eax, eax
		mov	eax, [ebp+var_F8]
		jz	short loc_5851A0

loc_5851C7:				; CODE XREF: _qsort+38Ej
		mov	esi, [ebp+var_10C]

loc_5851CD:				; CODE XREF: _qsort+377j
		mov	ebx, [ebp+var_108]
		mov	ecx, ebx
		mov	edx, [ebp+var_104]
		sub	ecx, esi
		mov	edi, [ebp+var_100]
		mov	eax, edx
		sub	eax, edi
		cmp	eax, ecx
		jl	short loc_58522E
		cmp	edi, edx
		jnb	short loc_585207
		mov	eax, [ebp+var_114]
		mov	[ebp+eax*4+var_7C], edi
		mov	[ebp+eax*4+var_F4], edx
		inc	eax
		mov	[ebp+var_114], eax

loc_585207:				; CODE XREF: _qsort+3CDj
		mov	ecx, [ebp+var_108]
		mov	ebx, [ebp+var_F8]
		cmp	esi, ecx
		jnb	loc_584F43
		mov	edi, esi
		mov	esi, [ebp+var_FC]
		mov	[ebp+var_100], edi
		jmp	loc_584EC0
; 

loc_58522E:				; CODE XREF: _qsort+3C9j
		cmp	esi, ebx
		jnb	short loc_58524A
		mov	eax, [ebp+var_114]
		mov	[ebp+eax*4+var_7C], esi
		mov	[ebp+eax*4+var_F4], ebx
		inc	eax
		mov	[ebp+var_114], eax

loc_58524A:				; CODE XREF: _qsort+410j
		mov	ebx, [ebp+var_F8]
		cmp	edi, edx
		jnb	loc_584F43
		mov	esi, [ebp+var_FC]
		mov	ecx, edx
		jmp	loc_584EB8
; 

loc_585265:				; CODE XREF: _qsort+61j _qsort+69j ...
		push	0
		push	0
		push	0
		push	0
		push	0
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h

loc_585277:				; CODE XREF: _qsort+7Aj _qsort+138j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_qsort		endp

; 
		align 10h
; Exported entry 2990. qsort_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _qsort_s
_qsort_s	proc near		; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+380p

var_128		= dword	ptr -128h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_7C		= dword	ptr -7Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 11Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_100], eax
		mov	eax, [ebp+arg_10]
		push	78h		; size_t
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_7C]
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_F8], ebx
		mov	[ebp+var_FC], esi
		call	_memset
		push	78h		; size_t
		lea	eax, [ebp+var_F4]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 18h
		cmp	[ebp+var_100], 0
		jnz	short loc_585300
		test	edi, edi
		jnz	loc_58571B

loc_585300:				; CODE XREF: _qsort_s+66j
		test	ebx, ebx
		jz	loc_58571B
		test	esi, esi
		jz	loc_58571B
		cmp	edi, 2
		jb	loc_58572D
		lea	ecx, [edi-1]
		mov	[ebp+var_118], 0
		mov	edi, [ebp+var_100]
		imul	ecx, ebx
		add	ecx, edi

loc_585331:				; CODE XREF: _qsort_s+15Fj
					; _qsort_s+486j
		mov	[ebp+var_108], ecx

loc_585337:				; CODE XREF: _qsort_s+44Fj
		mov	eax, ecx
		xor	edx, edx
		sub	eax, edi
		div	ebx
		inc	eax
		cmp	eax, 8
		ja	loc_5853F4
		cmp	ecx, edi
		jbe	short loc_5853C9
		lea	eax, [ebx+edi]
		mov	[ebp+var_110], eax

loc_585356:				; CODE XREF: _qsort_s+131j
		mov	esi, eax
		cmp	esi, ecx
		ja	short loc_585383
		lea	esp, [esp+0]

loc_585360:				; CODE XREF: _qsort_s+F1j
		push	edi
		push	esi
		push	[ebp+var_10C]
		call	[ebp+var_FC]
		add	esp, 0Ch
		test	eax, eax
		jle	short loc_585377
		mov	edi, esi

loc_585377:				; CODE XREF: _qsort_s+E3j
		mov	ecx, [ebp+var_108]
		add	esi, ebx
		cmp	esi, ecx
		jbe	short loc_585360

loc_585383:				; CODE XREF: _qsort_s+CAj
		mov	esi, ebx
		mov	edx, ecx
		cmp	edi, ecx
		jz	short loc_5853AB
		sub	edi, ecx
		lea	ecx, [ecx+0]

loc_585390:				; CODE XREF: _qsort_s+113j
		mov	al, [edx]
		lea	edx, [edx+1]
		mov	cl, [edi+edx-1]
		mov	[edi+edx-1], al
		mov	[edx-1], cl
		sub	esi, 1
		jnz	short loc_585390
		mov	ecx, [ebp+var_108]

loc_5853AB:				; CODE XREF: _qsort_s+F9j
		mov	edi, [ebp+var_100]
		sub	ecx, ebx
		mov	eax, [ebp+var_110]
		mov	[ebp+var_108], ecx
		cmp	ecx, edi
		ja	short loc_585356

loc_5853C3:				; CODE XREF: _qsort_s+43Bj
					; _qsort_s+478j
		mov	esi, [ebp+var_FC]

loc_5853C9:				; CODE XREF: _qsort_s+BBj
		mov	eax, [ebp+var_118]
		sub	eax, 1
		mov	[ebp+var_118], eax
		js	loc_58572D
		mov	edi, [ebp+eax*4+var_7C]
		mov	ecx, [ebp+eax*4+var_F4]
		mov	[ebp+var_100], edi
		jmp	loc_585331
; 

loc_5853F4:				; CODE XREF: _qsort_s+B3j
		shr	eax, 1
		imul	eax, ebx
		add	edi, eax
		mov	[ebp+var_104], eax
		push	edi
		push	[ebp+var_100]
		mov	[ebp+var_110], edi
		push	[ebp+var_10C]
		call	esi
		add	esp, 0Ch
		test	eax, eax
		mov	eax, [ebp+var_100]
		jle	short loc_585464
		mov	[ebp+var_114], ebx
		mov	esi, edi
		cmp	eax, edi
		jz	short loc_585464
		mov	ebx, [ebp+var_104]
		mov	edi, [ebp+var_114]
		jmp	short loc_585440
; 
		align 10h

loc_585440:				; CODE XREF: _qsort_s+1ABj
					; _qsort_s+1C0j
		mov	al, [esi]
		mov	edx, esi
		sub	edx, ebx
		mov	cl, [edx]
		mov	[edx], al
		mov	[esi], cl
		inc	esi
		sub	edi, 1
		jnz	short loc_585440
		mov	edi, [ebp+var_110]
		mov	ebx, [ebp+var_F8]
		mov	eax, [ebp+var_100]

loc_585464:				; CODE XREF: _qsort_s+191j
					; _qsort_s+19Dj
		mov	esi, [ebp+var_108]
		push	esi
		push	eax
		push	[ebp+var_10C]
		call	[ebp+var_FC]
		add	esp, 0Ch
		test	eax, eax
		jle	short loc_5854B0
		mov	eax, [ebp+var_100]
		mov	edx, esi
		cmp	eax, esi
		jz	short loc_5854B0
		sub	eax, esi
		mov	[ebp+var_114], eax
		mov	esi, eax

loc_585495:				; CODE XREF: _qsort_s+218j
		mov	al, [edx]
		lea	edx, [edx+1]
		mov	cl, [esi+edx-1]
		mov	[esi+edx-1], al
		mov	[edx-1], cl
		sub	ebx, 1
		jnz	short loc_585495
		mov	esi, [ebp+var_108]

loc_5854B0:				; CODE XREF: _qsort_s+1EDj
					; _qsort_s+1F9j
		push	esi
		push	edi
		push	[ebp+var_10C]
		call	[ebp+var_FC]
		add	esp, 0Ch
		test	eax, eax
		mov	eax, [ebp+var_F8]
		jle	short loc_585501
		mov	ebx, eax
		mov	edx, esi
		cmp	edi, esi
		jz	short loc_585501
		mov	[ebp+var_114], edi
		sub	edi, esi
		jmp	short loc_5854E0
; 
		align 10h

loc_5854E0:				; CODE XREF: _qsort_s+24Bj
					; _qsort_s+263j
		mov	al, [edx]
		lea	edx, [edx+1]
		mov	cl, [edi+edx-1]
		mov	[edi+edx-1], al
		mov	[edx-1], cl
		sub	ebx, 1
		jnz	short loc_5854E0
		mov	edi, [ebp+var_110]
		mov	eax, [ebp+var_F8]

loc_585501:				; CODE XREF: _qsort_s+239j
					; _qsort_s+241j
		mov	ebx, [ebp+var_108]
		mov	esi, [ebp+var_100]
		mov	[ebp+var_104], ebx

loc_585513:				; CODE XREF: _qsort_s+36Bj
					; _qsort_s+373j
		cmp	edi, esi
		jbe	short loc_585549
		jmp	short loc_585520
; 
		align 10h

loc_585520:				; CODE XREF: _qsort_s+287j
					; _qsort_s+2B5j
		add	esi, eax
		mov	[ebp+var_110], esi
		cmp	esi, edi
		jnb	short loc_585549
		push	edi
		push	esi
		push	[ebp+var_10C]
		call	[ebp+var_FC]
		add	esp, 0Ch
		test	eax, eax
		mov	eax, [ebp+var_F8]
		jle	short loc_585520
		jmp	short loc_58557D
; 

loc_585549:				; CODE XREF: _qsort_s+285j
					; _qsort_s+29Aj
		mov	ebx, [ebp+var_108]
		nop

loc_585550:				; CODE XREF: _qsort_s+2DFj
		add	esi, eax
		cmp	esi, ebx
		ja	short loc_585571
		push	edi
		push	esi
		push	[ebp+var_10C]
		call	[ebp+var_FC]
		add	esp, 0Ch
		test	eax, eax
		mov	eax, [ebp+var_F8]
		jle	short loc_585550

loc_585571:				; CODE XREF: _qsort_s+2C4j
		mov	ebx, [ebp+var_104]
		mov	[ebp+var_110], esi

loc_58557D:				; CODE XREF: _qsort_s+2B7j
		mov	esi, [ebp+var_FC]

loc_585583:				; CODE XREF: _qsort_s+316j
		mov	eax, [ebp+var_F8]
		mov	ecx, ebx
		sub	ebx, eax
		mov	[ebp+var_104], ecx
		cmp	ebx, edi
		jbe	short loc_5855B4
		push	edi
		push	ebx
		push	[ebp+var_10C]
		call	esi
		add	esp, 0Ch
		test	eax, eax
		jg	short loc_585583
		mov	eax, [ebp+var_F8]
		mov	ecx, [ebp+var_104]

loc_5855B4:				; CODE XREF: _qsort_s+305j
		mov	esi, [ebp+var_110]
		mov	[ebp+var_104], ebx
		cmp	ebx, esi
		jb	short loc_585608
		mov	[ebp+var_11C], eax
		mov	edx, ebx
		jz	short loc_5855F9
		sub	esi, ebx
		mov	ebx, eax

loc_5855D2:				; CODE XREF: _qsort_s+355j
		mov	al, [edx]
		lea	edx, [edx+1]
		mov	cl, [esi+edx-1]
		mov	[esi+edx-1], al
		mov	[edx-1], cl
		sub	ebx, 1
		jnz	short loc_5855D2
		mov	esi, [ebp+var_110]
		mov	ebx, [ebp+var_104]
		mov	eax, [ebp+var_F8]

loc_5855F9:				; CODE XREF: _qsort_s+33Cj
		cmp	edi, ebx
		jnz	loc_585513
		mov	edi, esi
		jmp	loc_585513
; 

loc_585608:				; CODE XREF: _qsort_s+332j
		cmp	edi, ecx
		jnb	short loc_58563F
		lea	esp, [esp+0]

loc_585610:				; CODE XREF: _qsort_s+3ABj
		sub	ecx, eax
		mov	[ebp+var_104], ecx
		cmp	ecx, edi
		jbe	short loc_58563F
		push	edi
		push	ecx
		push	[ebp+var_10C]
		call	[ebp+var_FC]
		mov	ecx, [ebp+var_104]
		add	esp, 0Ch
		test	eax, eax
		mov	eax, [ebp+var_F8]
		jz	short loc_585610
		jmp	short loc_585683
; 

loc_58563F:				; CODE XREF: _qsort_s+37Aj
					; _qsort_s+38Aj
		mov	esi, [ebp+var_FC]
		jmp	short loc_585650
; 
		align 10h

loc_585650:				; CODE XREF: _qsort_s+3B5j
					; _qsort_s+3EBj
		sub	ecx, eax
		mov	[ebp+var_104], ecx
		cmp	ecx, [ebp+var_100]
		jbe	short loc_58567D
		push	edi
		push	ecx
		push	[ebp+var_10C]
		call	esi
		mov	ecx, [ebp+var_104]
		add	esp, 0Ch
		test	eax, eax
		mov	eax, [ebp+var_F8]
		jz	short loc_585650

loc_58567D:				; CODE XREF: _qsort_s+3CEj
		mov	esi, [ebp+var_110]

loc_585683:				; CODE XREF: _qsort_s+3ADj
		mov	ebx, [ebp+var_108]
		mov	ecx, ebx
		mov	edx, [ebp+var_104]
		sub	ecx, esi
		mov	edi, [ebp+var_100]
		mov	eax, edx
		sub	eax, edi
		cmp	eax, ecx
		jl	short loc_5856E4
		cmp	edi, edx
		jnb	short loc_5856BD
		mov	eax, [ebp+var_118]
		mov	[ebp+eax*4+var_7C], edi
		mov	[ebp+eax*4+var_F4], edx
		inc	eax
		mov	[ebp+var_118], eax

loc_5856BD:				; CODE XREF: _qsort_s+413j
		mov	ecx, [ebp+var_108]
		mov	ebx, [ebp+var_F8]
		cmp	esi, ecx
		jnb	loc_5853C3
		mov	edi, esi
		mov	esi, [ebp+var_FC]
		mov	[ebp+var_100], edi
		jmp	loc_585337
; 

loc_5856E4:				; CODE XREF: _qsort_s+40Fj
		cmp	esi, ebx
		jnb	short loc_585700
		mov	eax, [ebp+var_118]
		mov	[ebp+eax*4+var_7C], esi
		mov	[ebp+eax*4+var_F4], ebx
		inc	eax
		mov	[ebp+var_118], eax

loc_585700:				; CODE XREF: _qsort_s+456j
		mov	ebx, [ebp+var_F8]
		cmp	edi, edx
		jnb	loc_5853C3
		mov	esi, [ebp+var_FC]
		mov	ecx, edx
		jmp	loc_585331
; 

loc_58571B:				; CODE XREF: _qsort_s+6Aj _qsort_s+72j ...
		push	0
		push	0
		push	0
		push	0
		push	0
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h

loc_58572D:				; CODE XREF: _qsort_s+83j
					; _qsort_s+148j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_qsort_s	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2991. rand

;  S U B	R O U T	I N E 


; int rand(void)
		public _rand
_rand		proc near
		imul	eax, dword_6B3C10, 343FDh
		add	eax, 269EC3h
		mov	dword_6B3C10, eax
		sar	eax, 10h
		and	eax, 7FFFh
		retn
_rand		endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2994. srand

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void __cdecl srand(unsigned int)
		public _srand
_srand		proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	dword_6B3C10, eax
		pop	ebp
		retn
_srand		endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2992. sprintf

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int sprintf(char *,const char	*,...)
		public _sprintf
_sprintf	proc near

var_20		= FILE ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_20._file], ebx
		mov	[ebp+var_20._charbuf], ebx
		mov	[ebp+var_20._bufsiz], ebx
		mov	[ebp+var_20._tmpfname],	ebx
		cmp	[ebp+arg_4], ebx
		jz	short loc_5857E6
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_5857E6
		push	esi
		mov	[ebp+var_20._base], eax
		mov	[ebp+var_20._ptr], eax
		lea	eax, [ebp+arg_8]
		push	eax
		push	ebx
		push	[ebp+arg_4]
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20._cnt], 7FFFFFFFh
		push	eax
		mov	[ebp+var_20._flag], 42h
		call	__output_l
		add	esp, 10h
		mov	esi, eax
		sub	[ebp+var_20._cnt], 1
		js	short loc_5857D5
		mov	ecx, [ebp+var_20._ptr]
		mov	[ecx], bl
		jmp	short loc_5857E1
; 

loc_5857D5:				; CODE XREF: _sprintf+52j
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	ebx		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx

loc_5857E1:				; CODE XREF: _sprintf+59j
		mov	eax, esi
		pop	esi
		jmp	short loc_5857F6
; 

loc_5857E6:				; CODE XREF: _sprintf+1Aj _sprintf+21j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh

loc_5857F6:				; CODE XREF: _sprintf+6Aj
		pop	ebx
		leave
		retn
_sprintf	endp

; 
		align 10h
; Exported entry 3000. strcpy

;  S U B	R O U T	I N E 


; char *__cdecl	strcpy(char *,const char *)
		public _strcpy
_strcpy		proc near

arg_0		= dword	ptr  8

		push	edi
		mov	edi, [esp+arg_0]
		jmp	short loc_585875
_strcpy		endp

; 
		align 10h
; Exported entry 2996. strcat

;  S U B	R O U T	I N E 


; char *__cdecl	strcat(char *,const char *)
		public _strcat
_strcat		proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8

		mov	ecx, [esp+arg_0]
		push	edi
		test	ecx, 3
		jz	short loc_585830

loc_58581D:				; CODE XREF: _strcat+1Cj
		mov	al, [ecx]
		add	ecx, 1
		test	al, al
		jz	short loc_585863
		test	ecx, 3
		jnz	short loc_58581D
		mov	edi, edi

loc_585830:				; CODE XREF: _strcat+Bj _strcat+36j ...
		mov	eax, [ecx]
		mov	edx, 7EFEFEFFh
		add	edx, eax
		xor	eax, 0FFFFFFFFh
		xor	eax, edx
		add	ecx, 4
		test	eax, 81010100h
		jz	short loc_585830
		mov	eax, [ecx-4]
		test	al, al
		jz	short loc_585872
		test	ah, ah
		jz	short loc_58586D
		test	eax, 0FF0000h
		jz	short loc_585868
		test	eax, 0FF000000h
		jz	short loc_585863
		jmp	short loc_585830
; 

loc_585863:				; CODE XREF: _strcat+14j _strcat+4Fj
		lea	edi, [ecx-1]
		jmp	short loc_585875
; 

loc_585868:				; CODE XREF: _strcat+48j
		lea	edi, [ecx-2]
		jmp	short loc_585875
; 

loc_58586D:				; CODE XREF: _strcat+41j
		lea	edi, [ecx-3]
		jmp	short loc_585875
; 

loc_585872:				; CODE XREF: _strcat+3Dj
		lea	edi, [ecx-4]

loc_585875:				; CODE XREF: _strcpy+5j _strcat+56j ...
		mov	ecx, [esp+4+arg_4]
		test	ecx, 3
		jz	short loc_58589E

loc_585881:				; CODE XREF: _strcat+85j
		mov	dl, [ecx]
		add	ecx, 1
		test	dl, dl
		jz	short loc_5858F0
		mov	[edi], dl
		add	edi, 1
		test	ecx, 3
		jnz	short loc_585881
		jmp	short loc_58589E
; 

loc_585899:				; CODE XREF: _strcat+A6j _strcat+C0j
		mov	[edi], edx
		add	edi, 4

loc_58589E:				; CODE XREF: _strcat+6Fj _strcat+87j
		mov	edx, 7EFEFEFFh
		mov	eax, [ecx]
		add	edx, eax
		xor	eax, 0FFFFFFFFh
		xor	eax, edx
		mov	edx, [ecx]
		add	ecx, 4
		test	eax, 81010100h
		jz	short loc_585899
		test	dl, dl
		jz	short loc_5858F0
		test	dh, dh
		jz	short loc_5858E7
		test	edx, 0FF0000h
		jz	short loc_5858DA
		test	edx, 0FF000000h
		jz	short loc_5858D2
		jmp	short loc_585899
; 

loc_5858D2:				; CODE XREF: _strcat+BEj
		mov	[edi], edx
		mov	eax, [esp+4+arg_0]
		pop	edi
		retn
; 

loc_5858DA:				; CODE XREF: _strcat+B6j
		mov	[edi], dx
		mov	eax, [esp+4+arg_0]
		mov	byte ptr [edi+2], 0
		pop	edi
		retn
; 

loc_5858E7:				; CODE XREF: _strcat+AEj
		mov	[edi], dx
		mov	eax, [esp+4+arg_0]
		pop	edi
		retn
; 

loc_5858F0:				; CODE XREF: _strcat+78j _strcat+AAj
		mov	[edi], dl
		mov	eax, [esp+4+arg_0]
		pop	edi
		retn
_strcat		endp

; 
		align 10h
; START	OF FUNCTION CHUNK FOR ___from_strstr_to_strchr

loc_585900:				; CODE XREF: ___from_strstr_to_strchr+19j
		lea	eax, [edx-1]
		pop	ebx
		retn
; END OF FUNCTION CHUNK	FOR ___from_strstr_to_strchr
; 
		align 10h
; Exported entry 2998. strchr

;  S U B	R O U T	I N E 


; char *__cdecl	strchr(const char *,int)
		public _strchr
_strchr		proc near		; CODE XREF: MiSnapThunk+18Fp
					; WmipSMBiosFindStringAndZero(x,x,x)+24p ...

arg_4		= byte ptr  8

		xor	eax, eax
		mov	al, [esp+arg_4]
_strchr		endp


;  S U B	R O U T	I N E 


___from_strstr_to_strchr proc near	; CODE XREF: _strstr+74j

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00585900 SIZE 00000005 BYTES

		push	ebx
		mov	ebx, eax
		shl	eax, 8
		mov	edx, [esp-4+arg_4]
		test	edx, 3
		jz	short loc_58593D

loc_585928:				; CODE XREF: ___from_strstr_to_strchr+25j
		mov	cl, [edx]
		add	edx, 1
		cmp	cl, bl
		jz	short loc_585900
		test	cl, cl
		jz	short loc_585986
		test	edx, 3
		jnz	short loc_585928

loc_58593D:				; CODE XREF: ___from_strstr_to_strchr+10j
		or	ebx, eax
		push	edi
		mov	eax, ebx
		shl	ebx, 10h
		push	esi
		or	ebx, eax

loc_585948:				; CODE XREF: ___from_strstr_to_strchr+5Dj
					; ___from_strstr_to_strchr+6Cj	...
		mov	ecx, [edx]
		mov	edi, 7EFEFEFFh
		mov	eax, ecx
		mov	esi, edi
		xor	ecx, ebx
		add	esi, eax
		add	edi, ecx
		xor	ecx, 0FFFFFFFFh
		xor	eax, 0FFFFFFFFh
		xor	ecx, edi
		xor	eax, esi
		add	edx, 4
		and	ecx, 81010100h
		jnz	short loc_58598A
		and	eax, 81010100h
		jz	short loc_585948
		and	eax, 1010100h
		jnz	short loc_585984
		and	esi, 80000000h
		jnz	short loc_585948

loc_585984:				; CODE XREF: ___from_strstr_to_strchr+64j
					; ___from_strstr_to_strchr+7Dj	...
		pop	esi
		pop	edi

loc_585986:				; CODE XREF: ___from_strstr_to_strchr+1Dj
		pop	ebx
		xor	eax, eax
		retn
; 

loc_58598A:				; CODE XREF: ___from_strstr_to_strchr+56j
		mov	eax, [edx-4]
		cmp	al, bl
		jz	short loc_5859C7
		test	al, al
		jz	short loc_585984
		cmp	ah, bl
		jz	short loc_5859C0
		test	ah, ah
		jz	short loc_585984
		shr	eax, 10h
		cmp	al, bl
		jz	short loc_5859B9
		test	al, al
		jz	short loc_585984
		cmp	ah, bl
		jz	short loc_5859B2
		test	ah, ah
		jz	short loc_585984
		jmp	short loc_585948
; 

loc_5859B2:				; CODE XREF: ___from_strstr_to_strchr+94j
		pop	esi
		pop	edi
		lea	eax, [edx-1]
		pop	ebx
		retn
; 

loc_5859B9:				; CODE XREF: ___from_strstr_to_strchr+8Cj
		lea	eax, [edx-2]
		pop	esi
		pop	edi
		pop	ebx
		retn
; 

loc_5859C0:				; CODE XREF: ___from_strstr_to_strchr+81j
		lea	eax, [edx-3]
		pop	esi
		pop	edi
		pop	ebx
		retn
; 

loc_5859C7:				; CODE XREF: ___from_strstr_to_strchr+79j
		lea	eax, [edx-4]
		pop	esi
		pop	edi
		pop	ebx
		retn
___from_strstr_to_strchr endp ;	sp =  4

; 
		align 10h
; Exported entry 2999. strcmp

;  S U B	R O U T	I N E 


; int __cdecl strcmp(const char	*,const	char *)
		public _strcmp
_strcmp		proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8

		mov	edx, [esp+arg_0]
		mov	ecx, [esp+arg_4]
		test	edx, 3
		jnz	short loc_585A1C

loc_5859E0:				; CODE XREF: _strcmp+3Cj _strcmp+6Aj ...
		mov	eax, [edx]
		cmp	al, [ecx]
		jnz	short loc_585A14
		or	al, al
		jz	short loc_585A10
		cmp	ah, [ecx+1]
		jnz	short loc_585A14
		or	ah, ah
		jz	short loc_585A10
		shr	eax, 10h
		cmp	al, [ecx+2]
		jnz	short loc_585A14
		or	al, al
		jz	short loc_585A10
		cmp	ah, [ecx+3]
		jnz	short loc_585A14
		add	ecx, 4
		add	edx, 4
		or	ah, ah
		jnz	short loc_5859E0
		mov	edi, edi

loc_585A10:				; CODE XREF: _strcmp+18j _strcmp+21j ...
		xor	eax, eax
		retn
; 
		align 4

loc_585A14:				; CODE XREF: _strcmp+14j _strcmp+1Dj ...
		sbb	eax, eax
		shl	eax, 1
		add	eax, 1
		retn
; 

loc_585A1C:				; CODE XREF: _strcmp+Ej
		test	edx, 1
		jz	short loc_585A3C
		mov	al, [edx]
		add	edx, 1
		cmp	al, [ecx]
		jnz	short loc_585A14
		add	ecx, 1
		or	al, al
		jz	short loc_585A10
		test	edx, 2
		jz	short loc_5859E0

loc_585A3C:				; CODE XREF: _strcmp+52j
		mov	ax, [edx]
		add	edx, 2
		cmp	al, [ecx]
		jnz	short loc_585A14
		or	al, al
		jz	short loc_585A10
		cmp	ah, [ecx+1]
		jnz	short loc_585A14
		or	ah, ah
		jz	short loc_585A10
		add	ecx, 2
		jmp	short loc_5859E0
_strcmp		endp

; 
		align 10h
; Exported entry 3002. strlen

;  S U B	R O U T	I N E 


; size_t __cdecl strlen(const char *)
		public _strlen
_strlen		proc near

arg_0		= dword	ptr  4

		mov	ecx, [esp+arg_0]
		test	ecx, 3
		jz	short loc_585A90

loc_585A6C:				; CODE XREF: _strlen+1Bj
		mov	al, [ecx]
		add	ecx, 1
		test	al, al
		jz	short loc_585AC3
		test	ecx, 3
		jnz	short loc_585A6C
		add	eax, 0
		lea	esp, [esp+0]
		lea	esp, [esp+0]

loc_585A90:				; CODE XREF: _strlen+Aj _strlen+46j ...
		mov	eax, [ecx]
		mov	edx, 7EFEFEFFh
		add	edx, eax
		xor	eax, 0FFFFFFFFh
		xor	eax, edx
		add	ecx, 4
		test	eax, 81010100h
		jz	short loc_585A90
		mov	eax, [ecx-4]
		test	al, al
		jz	short loc_585AE1
		test	ah, ah
		jz	short loc_585AD7
		test	eax, 0FF0000h
		jz	short loc_585ACD
		test	eax, 0FF000000h
		jz	short loc_585AC3
		jmp	short loc_585A90
; 

loc_585AC3:				; CODE XREF: _strlen+13j _strlen+5Fj
		lea	eax, [ecx-1]
		mov	ecx, [esp+arg_0]
		sub	eax, ecx
		retn
; 

loc_585ACD:				; CODE XREF: _strlen+58j
		lea	eax, [ecx-2]
		mov	ecx, [esp+arg_0]
		sub	eax, ecx
		retn
; 

loc_585AD7:				; CODE XREF: _strlen+51j
		lea	eax, [ecx-3]
		mov	ecx, [esp+arg_0]
		sub	eax, ecx
		retn
; 

loc_585AE1:				; CODE XREF: _strlen+4Dj
		lea	eax, [ecx-4]
		mov	ecx, [esp+arg_0]
		sub	eax, ecx
		retn
_strlen		endp

; 
		align 10h
; Exported entry 3003. strncat

;  S U B	R O U T	I N E 


; char *__cdecl	strncat(char *,const char *,size_t)
		public _strncat
_strncat	proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch
arg_C		= dword	ptr  10h

		mov	ecx, [esp+arg_8]
		push	edi
		test	ecx, ecx
		jz	loc_585BB4
		mov	edi, [esp+4+arg_0]
		push	esi
		test	edi, 3
		push	ebx
		jz	short loc_585B1C

loc_585B0B:				; CODE XREF: _strncat+2Aj
		mov	al, [edi]
		add	edi, 1
		test	al, al
		jz	short loc_585B4D
		test	edi, 3
		jnz	short loc_585B0B

loc_585B1C:				; CODE XREF: _strncat+19j _strncat+42j ...
		mov	eax, [edi]
		mov	edx, 7EFEFEFFh
		add	edx, eax
		xor	eax, 0FFFFFFFFh
		xor	eax, edx
		add	edi, 4
		test	eax, 81010100h
		jz	short loc_585B1C
		mov	eax, [edi-4]
		test	al, al
		jz	short loc_585B5C
		test	ah, ah
		jz	short loc_585B57
		test	eax, 0FF0000h
		jz	short loc_585B52
		test	eax, 0FF000000h
		jnz	short loc_585B1C

loc_585B4D:				; CODE XREF: _strncat+22j
		sub	edi, 1
		jmp	short loc_585B5F
; 

loc_585B52:				; CODE XREF: _strncat+54j
		sub	edi, 2
		jmp	short loc_585B5F
; 

loc_585B57:				; CODE XREF: _strncat+4Dj
		sub	edi, 3
		jmp	short loc_585B5F
; 

loc_585B5C:				; CODE XREF: _strncat+49j
		sub	edi, 4

loc_585B5F:				; CODE XREF: _strncat+60j _strncat+65j ...
		mov	esi, [esp+0Ch+arg_4]
		test	esi, 3
		jnz	short loc_585B74
		mov	ebx, ecx
		shr	ecx, 2
		jnz	short loc_585BCE
		jmp	short loc_585B96
; 

loc_585B74:				; CODE XREF: _strncat+79j _strncat+9Dj
		mov	dl, [esi]
		add	esi, 1
		test	dl, dl
		jz	short loc_585BBA
		mov	[edi], dl
		add	edi, 1
		sub	ecx, 1
		jz	short loc_585BB0
		test	esi, 3
		jnz	short loc_585B74
		mov	ebx, ecx
		shr	ecx, 2
		jnz	short loc_585BCE

loc_585B96:				; CODE XREF: _strncat+82j _strncat+DCj
		mov	ecx, ebx
		and	ecx, 3
		jz	short loc_585BB0

loc_585B9D:				; CODE XREF: _strncat+BEj
		mov	dl, [esi]
		add	esi, 1
		mov	[edi], dl
		add	edi, 1
		test	dl, dl
		jz	short loc_585BB2
		sub	ecx, 1
		jnz	short loc_585B9D

loc_585BB0:				; CODE XREF: _strncat+95j _strncat+ABj
		mov	[edi], cl

loc_585BB2:				; CODE XREF: _strncat+B9j
		pop	ebx
		pop	esi

loc_585BB4:				; CODE XREF: _strncat+7j
		mov	eax, [esp+4+arg_0]
		pop	edi
		retn
; 

loc_585BBA:				; CODE XREF: _strncat+8Bj _strncat+FAj
		mov	[edi], dl
		mov	eax, [esp+0Ch+arg_0]
		pop	ebx
		pop	esi
		pop	edi
		retn
; 

loc_585BC4:				; CODE XREF: _strncat+F6j
					; _strncat+10Ej
		mov	[edi], edx
		add	edi, 4
		sub	ecx, 1
		jz	short loc_585B96

loc_585BCE:				; CODE XREF: _strncat+80j _strncat+A4j
		mov	edx, 7EFEFEFFh
		mov	eax, [esi]
		add	edx, eax
		xor	eax, 0FFFFFFFFh
		xor	eax, edx
		mov	edx, [esi]
		add	esi, 4
		test	eax, 81010100h
		jz	short loc_585BC4
		test	dl, dl
		jz	short loc_585BBA
		test	dh, dh
		jz	short loc_585C1A
		test	edx, 0FF0000h
		jz	short loc_585C0A
		test	edx, 0FF000000h
		jnz	short loc_585BC4
		mov	[edi], edx
		mov	eax, [esp+arg_C]
		pop	ebx
		pop	esi
		pop	edi
		retn
; 

loc_585C0A:				; CODE XREF: _strncat+106j
		mov	[edi], dx
		xor	edx, edx
		mov	eax, [esp+arg_C]
		mov	[edi+2], dl
		pop	ebx
		pop	esi
		pop	edi
		retn
; 

loc_585C1A:				; CODE XREF: _strncat+FEj
		mov	[edi], dx
		mov	eax, [esp+arg_C]
		pop	ebx
		pop	esi
		pop	edi
		retn
_strncat	endp ; sp =  0Ch

; 
		align 10h
; Exported entry 3006. strncpy

;  S U B	R O U T	I N E 


; char *__cdecl	strncpy(char *,const char *,size_t)
		public _strncpy
_strncpy	proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch
arg_C		= dword	ptr  10h

		mov	ecx, [esp+arg_8]
		push	edi
		test	ecx, ecx
		jz	loc_585CCF
		push	esi
		push	ebx
		mov	ebx, ecx
		mov	esi, [esp+0Ch+arg_4]
		test	esi, 3
		mov	edi, [esp+0Ch+arg_0]
		jnz	short loc_585C5C
		shr	ecx, 2
		jnz	loc_585CDF
		jmp	short loc_585C83
; 

loc_585C5C:				; CODE XREF: _strncpy+1Fj _strncpy+45j
		mov	al, [esi]
		add	esi, 1
		mov	[edi], al
		add	edi, 1
		sub	ecx, 1
		jz	short loc_585C96
		test	al, al
		jz	short loc_585C9E
		test	esi, 3
		jnz	short loc_585C5C
		mov	ebx, ecx
		shr	ecx, 2
		jnz	short loc_585CDF

loc_585C7E:				; CODE XREF: _strncpy+ADj
		and	ebx, 3
		jz	short loc_585C96

loc_585C83:				; CODE XREF: _strncpy+2Aj _strncpy+64j
		mov	al, [esi]
		add	esi, 1
		mov	[edi], al
		add	edi, 1
		test	al, al
		jz	short loc_585CC8
		sub	ebx, 1
		jnz	short loc_585C83

loc_585C96:				; CODE XREF: _strncpy+39j _strncpy+51j
		mov	eax, [esp+0Ch+arg_0]
		pop	ebx
		pop	esi
		pop	edi
		retn
; 

loc_585C9E:				; CODE XREF: _strncpy+3Dj
		test	edi, 3
		jz	short loc_585CBC

loc_585CA6:				; CODE XREF: _strncpy+8Aj
		mov	[edi], al
		add	edi, 1
		sub	ecx, 1
		jz	loc_585D4C
		test	edi, 3
		jnz	short loc_585CA6

loc_585CBC:				; CODE XREF: _strncpy+74j
		mov	ebx, ecx
		shr	ecx, 2
		jnz	short loc_585D37

loc_585CC3:				; CODE XREF: _strncpy+9Bj
					; _strncpy+116j
		mov	[edi], al
		add	edi, 1

loc_585CC8:				; CODE XREF: _strncpy+5Fj
		sub	ebx, 1
		jnz	short loc_585CC3
		pop	ebx
		pop	esi

loc_585CCF:				; CODE XREF: _strncpy+7j
		mov	eax, [esp+4+arg_0]
		pop	edi
		retn
; 

loc_585CD5:				; CODE XREF: _strncpy+C7j _strncpy+DFj
		mov	[edi], edx
		add	edi, 4
		sub	ecx, 1
		jz	short loc_585C7E

loc_585CDF:				; CODE XREF: _strncpy+24j _strncpy+4Cj
		mov	edx, 7EFEFEFFh
		mov	eax, [esi]
		add	edx, eax
		xor	eax, 0FFFFFFFFh
		xor	eax, edx
		mov	edx, [esi]
		add	esi, 4
		test	eax, 81010100h
		jz	short loc_585CD5
		test	dl, dl
		jz	short loc_585D29
		test	dh, dh
		jz	short loc_585D1F
		test	edx, 0FF0000h
		jz	short loc_585D15
		test	edx, 0FF000000h
		jnz	short loc_585CD5
		mov	[edi], edx
		jmp	short loc_585D2D
; 

loc_585D15:				; CODE XREF: _strncpy+D7j
		and	edx, 0FFFFh
		mov	[edi], edx
		jmp	short loc_585D2D
; 

loc_585D1F:				; CODE XREF: _strncpy+CFj
		and	edx, 0FFh
		mov	[edi], edx
		jmp	short loc_585D2D
; 

loc_585D29:				; CODE XREF: _strncpy+CBj
		xor	edx, edx
		mov	[edi], edx

loc_585D2D:				; CODE XREF: _strncpy+E3j _strncpy+EDj ...
		add	edi, 4
		xor	eax, eax
		sub	ecx, 1
		jz	short loc_585D43

loc_585D37:				; CODE XREF: _strncpy+91j
		xor	eax, eax

loc_585D39:				; CODE XREF: _strncpy+111j
		mov	[edi], eax
		add	edi, 4
		sub	ecx, 1
		jnz	short loc_585D39

loc_585D43:				; CODE XREF: _strncpy+105j
		and	ebx, 3
		jnz	loc_585CC3

loc_585D4C:				; CODE XREF: _strncpy+7Ej
		mov	eax, [esp+arg_C]
		pop	ebx
		pop	esi
		pop	edi
		retn
_strncpy	endp ; sp =  0Ch

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 3008. strnlen

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _strnlen
_strnlen	proc near		; CODE XREF: strnlen_s+9p
					; EtwpSetProviderTraitsCommon+7Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		cmp	[ebp+arg_4], eax
		jbe	short loc_585D75
		mov	ecx, [ebp+arg_0]

loc_585D69:				; CODE XREF: _strnlen+19j
		cmp	byte ptr [ecx],	0
		jz	short loc_585D75
		inc	eax
		inc	ecx
		cmp	eax, [ebp+arg_4]
		jb	short loc_585D69

loc_585D75:				; CODE XREF: _strnlen+Aj _strnlen+12j
		pop	ebp
		retn
_strnlen	endp

; 
		align 10h
; Exported entry 3009. strrchr

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; char *__cdecl	strrchr(const char *,int)
		public _strrchr
_strrchr	proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		or	ecx, 0FFFFFFFFh
		repne scasb
		add	ecx, 1
		neg	ecx
		sub	edi, 1
		mov	al, [ebp+arg_4]
		std
		repne scasb
		add	edi, 1
		cmp	[edi], al
		jz	short loc_585DA7
		xor	eax, eax
		jmp	short loc_585DA9
; 

loc_585DA7:				; CODE XREF: _strrchr+21j
		mov	eax, edi

loc_585DA9:				; CODE XREF: _strrchr+25j
		cld
		pop	edi
		leave
		retn
_strrchr	endp

; 
		align 10h
; Exported entry 3010. strspn

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; size_t __cdecl strspn(const char *,const char	*)
		public _strspn
_strspn		proc near

var_24		= dword	ptr -24h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	ebp
		mov	ebp, esp
		push	esi
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		mov	edx, [ebp+arg_4]
		lea	ecx, [ecx+0]

loc_585DC4:				; CODE XREF: _strspn+21j
		mov	al, [edx]
		or	al, al
		jz	short loc_585DD3
		add	edx, 1
		bts	[esp+24h+var_24], eax
		jmp	short loc_585DC4
; 

loc_585DD3:				; CODE XREF: _strspn+18j
		mov	esi, [ebp+arg_0]
		or	ecx, 0FFFFFFFFh
		lea	ecx, [ecx+0]

loc_585DDC:				; CODE XREF: _strspn+3Cj
		add	ecx, 1
		mov	al, [esi]
		or	al, al
		jz	short loc_585DEE
		add	esi, 1
		bt	[esp+24h+var_24], eax
		jb	short loc_585DDC

loc_585DEE:				; CODE XREF: _strspn+33j
		mov	eax, ecx
		add	esp, 20h
		pop	esi
		leave
		retn
_strspn		endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 3016. tolower

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl tolower(int)
		public _tolower
_tolower	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		or	esi, 0FFFFFFFFh
		cmp	ebx, esi
		jz	short loc_585E10
		movzx	esi, bl

loc_585E10:				; CODE XREF: _tolower+Fj
		call	___pctype_func
		test	byte ptr [eax+esi*2], 1
		jz	short loc_585E1E
		add	ebx, 20h

loc_585E1E:				; CODE XREF: _tolower+1Dj
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn
_tolower	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 3017. toupper

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl toupper(int)
		public _toupper
_toupper	proc near		; CODE XREF: AslStringPatternMatchA+3Ap
					; AslStringPatternMatchA+48p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlAnsiCharToUnicodeChar
		movzx	eax, ax
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_10]
		push	2
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	2
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUpcaseUnicodeToMultiByteN
		test	eax, eax
		jns	short loc_585E69
		mov	eax, [ebp+arg_0]
		leave
		retn
; 

loc_585E69:				; CODE XREF: _toupper+38j
		cmp	[ebp+var_8], 1
		jnz	short loc_585E75
		movzx	eax, byte ptr [ebp+var_4]
		leave
		retn
; 

loc_585E75:				; CODE XREF: _toupper+43j
		mov	cx, word ptr [ebp+var_4]
		movzx	eax, cl
		shl	eax, 8
		movzx	ecx, ch
		or	eax, ecx
		leave
		retn
_toupper	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 3018. towlower

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t __cdecl towlower(wchar_t)
		public _towlower
_towlower	proc near		; CODE XREF: EtwpCovSampCheckForSegments(x,x,x)+5Ap
					; ExpParseArcPathName(x,x,x,x,x)+57p ...

arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword ptr [ebp+arg_0]
		push	esi
		push	1		; wctype_t
		push	eax		; wint_t
		movzx	esi, ax
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_585EA9
		add	esi, 20h

loc_585EA9:				; CODE XREF: _towlower+18j
		mov	ax, si
		pop	esi
		pop	ebp
		retn
_towlower	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 3019. towupper

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t __cdecl towupper(wchar_t)
		public _towupper
_towupper	proc near		; CODE XREF: PfSnParametersVerify+37p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	_RtlUpcaseUnicodeChar@4	; RtlUpcaseUnicodeChar(x)
		pop	ebp
		retn
_towupper	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__vsprintf_l	proc near		; CODE XREF: _vsprintf+10p

var_20		= FILE ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_20._file], ebx
		mov	[ebp+var_20._charbuf], ebx
		mov	[ebp+var_20._bufsiz], ebx
		mov	[ebp+var_20._tmpfname],	ebx
		cmp	[ebp+arg_4], ebx
		jz	short loc_585F31
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_585F31
		push	esi
		push	[ebp+arg_C]
		mov	[ebp+var_20._base], eax
		push	[ebp+arg_8]
		mov	[ebp+var_20._ptr], eax
		lea	eax, [ebp+var_20]
		push	[ebp+arg_4]
		mov	[ebp+var_20._cnt], 7FFFFFFFh
		push	eax
		mov	[ebp+var_20._flag], 42h
		call	__output_l
		add	esp, 10h
		mov	esi, eax
		sub	[ebp+var_20._cnt], 1
		js	short loc_585F20
		mov	ecx, [ebp+var_20._ptr]
		mov	[ecx], bl
		jmp	short loc_585F2C
; 

loc_585F20:				; CODE XREF: __vsprintf_l+53j
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	ebx		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx

loc_585F2C:				; CODE XREF: __vsprintf_l+5Aj
		mov	eax, esi
		pop	esi
		jmp	short loc_585F41
; 

loc_585F31:				; CODE XREF: __vsprintf_l+1Aj
					; __vsprintf_l+21j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh

loc_585F41:				; CODE XREF: __vsprintf_l+6Bj
		pop	ebx
		leave
		retn
__vsprintf_l	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 3022. vsprintf

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl vsprintf(char *,const char *,va_list)
		public _vsprintf
_vsprintf	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__vsprintf_l
		add	esp, 10h
		pop	ebp
		retn
_vsprintf	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 3025. wcscat

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t *__cdecl wcscat(wchar_t *,const wchar_t *)
		public _wcscat
_wcscat		proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	edx, eax
		cmp	[eax], cx
		jz	short loc_585F83

loc_585F7B:				; CODE XREF: _wcscat+17j
		add	edx, 2
		cmp	[edx], cx
		jnz	short loc_585F7B

loc_585F83:				; CODE XREF: _wcscat+Fj
		push	esi
		mov	esi, [ebp+arg_4]
		sub	edx, esi

loc_585F89:				; CODE XREF: _wcscat+2Cj
		movzx	ecx, word ptr [esi]
		mov	[edx+esi], cx
		lea	esi, [esi+2]
		test	cx, cx
		jnz	short loc_585F89
		pop	esi
		pop	ebp
		retn
_wcscat		endp

; 
		align 10h
; Exported entry 3029. wcscpy

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t *__cdecl wcscpy(wchar_t *,const wchar_t *)
		public _wcscpy
_wcscpy		proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		push	esi
		mov	esi, eax
		sub	esi, edx

loc_585FB0:				; CODE XREF: _wcscpy+1Dj
		movzx	ecx, word ptr [edx]
		mov	[esi+edx], cx
		lea	edx, [edx+2]
		test	cx, cx
		jnz	short loc_585FB0
		pop	esi
		pop	ebp
		retn
_wcscpy		endp

; 
		align 8
; Exported entry 3027. wcschr

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t *__cdecl wcschr(const	wchar_t	*,wchar_t)
		public _wcschr
_wcschr		proc near		; CODE XREF: PiDevCfgParsePropertyKeyName(x,x,x)+79p
					; SmUniqueIdParseProductName(x,x,x)+37p ...

arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		movzx	ecx, word ptr [eax]
		mov	edx, ecx
		test	cx, cx
		jz	short loc_585FF2
		mov	esi, ecx

loc_585FDD:				; CODE XREF: _wcschr+28j
		cmp	si, [ebp+arg_4]
		jz	short loc_585FFA
		add	eax, 2
		movzx	ecx, word ptr [eax]
		mov	esi, ecx
		mov	edx, ecx
		test	cx, cx
		jnz	short loc_585FDD

loc_585FF2:				; CODE XREF: _wcschr+11j
		cmp	dx, [ebp+arg_4]
		jz	short loc_585FFA
		xor	eax, eax

loc_585FFA:				; CODE XREF: _wcschr+19j _wcschr+2Ej
		pop	esi
		pop	ebp
		retn
_wcschr		endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 3028. wcscmp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl wcscmp(const wchar_t *,const wchar_t *)
		public _wcscmp
_wcscmp		proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		movzx	ecx, word ptr [esi]
		movzx	edx, word ptr [edi]
		sub	edx, ecx
		jnz	short loc_586032
		mov	eax, ecx
		sub	edi, esi

loc_58601D:				; CODE XREF: _wcscmp+2Ej
		test	ax, ax
		jz	short loc_586032
		add	esi, 2
		movzx	ecx, word ptr [esi]
		movzx	edx, word ptr [edi+esi]
		mov	eax, ecx
		sub	edx, ecx
		jz	short loc_58601D

loc_586032:				; CODE XREF: _wcscmp+15j _wcscmp+1Ej
		mov	eax, edx
		shr	edx, 1Fh
		neg	eax
		shr	eax, 1Fh
		pop	edi
		sub	eax, edx
		pop	esi
		pop	ebp
		retn
_wcscmp		endp

; 
		align 8
; Exported entry 3031. wcscspn

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; size_t __cdecl wcscspn(const wchar_t *,const wchar_t *)
		public _wcscspn
_wcscspn	proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	ecx, edx
		cmp	[edx], ax
		jz	short loc_586096
		mov	esi, [ebp+arg_4]
		movzx	ebx, word ptr [esi]

loc_586064:				; CODE XREF: _wcscspn+4Cj
		mov	edi, esi
		test	bx, bx
		jz	short loc_58608E
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_4], eax
		mov	eax, ebx

loc_586073:				; CODE XREF: _wcscspn+42j
		cmp	ax, word ptr [ebp+var_4]
		jz	short loc_586096
		add	edi, 2
		movzx	eax, word ptr [edi]
		mov	edx, eax
		mov	[ebp+var_8], edx
		mov	edx, [ebp+arg_0]
		test	ax, ax
		jnz	short loc_586073
		xor	eax, eax

loc_58608E:				; CODE XREF: _wcscspn+21j
		add	ecx, 2
		cmp	[ecx], ax
		jnz	short loc_586064

loc_586096:				; CODE XREF: _wcscspn+14j _wcscspn+2Fj
		pop	edi
		sub	ecx, edx
		sar	ecx, 1
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn
_wcscspn	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 3032. wcslen

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; size_t __cdecl wcslen(const wchar_t *)
		public _wcslen
_wcslen		proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]

loc_5860AE:				; CODE XREF: _wcslen+11j
		movzx	ecx, word ptr [eax]
		add	eax, 2
		test	cx, cx
		jnz	short loc_5860AE
		sub	eax, [ebp+arg_0]
		sar	eax, 1
		dec	eax
		pop	ebp
		retn
_wcslen		endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 3033. wcsncat

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t *__cdecl wcsncat(wchar_t *,const wchar_t *,size_t)
		public _wcsncat
_wcsncat	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		push	edi
		mov	esi, ecx

loc_5860D2:				; CODE XREF: _wcsncat+17j
		movzx	eax, word ptr [ecx]
		mov	edx, ecx
		add	ecx, 2
		test	ax, ax
		jnz	short loc_5860D2
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_5860FF
		mov	edi, [ebp+arg_4]

loc_5860E9:				; CODE XREF: _wcsncat+37j
		movzx	eax, word ptr [edi]
		dec	ecx
		mov	[edx], ax
		lea	edi, [edi+2]
		add	edx, 2
		test	ax, ax
		jz	short loc_586104
		test	ecx, ecx
		jnz	short loc_5860E9

loc_5860FF:				; CODE XREF: _wcsncat+1Ej
		xor	eax, eax
		mov	[edx], ax

loc_586104:				; CODE XREF: _wcsncat+33j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn
_wcsncat	endp

; 
		align 10h
; Exported entry 3035. wcsncmp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl wcsncmp(const wchar_t *,const wchar_t *,size_t)
		public _wcsncmp
_wcsncmp	proc near		; CODE XREF: LdrpCompareResourceNamesWithValidation(x,x,x,x,x,x)+38p
					; EtwpApplyPredicate+195p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_58611E
		pop	ebp
		retn
; 

loc_58611E:				; CODE XREF: _wcsncmp+Aj
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		push	esi

loc_586125:				; CODE XREF: _wcsncmp+2Dj
		sub	eax, 1
		jz	short loc_58613F
		movzx	esi, word ptr [edx]
		test	si, si
		jz	short loc_58613F
		cmp	si, [ecx]
		jnz	short loc_58613F
		add	edx, 2
		add	ecx, 2
		jmp	short loc_586125
; 

loc_58613F:				; CODE XREF: _wcsncmp+18j _wcsncmp+20j ...
		movzx	eax, word ptr [edx]
		movzx	ecx, word ptr [ecx]
		sub	eax, ecx
		pop	esi
		pop	ebp
		retn
_wcsncmp	endp

; 
		align 10h
; Exported entry 3036. wcsncpy

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t *__cdecl wcsncpy(wchar_t *,const wchar_t *,size_t)
		public _wcsncpy
_wcsncpy	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edi
		test	ecx, ecx
		jz	short loc_586190
		mov	edx, [ebp+arg_4]
		sub	edx, edi

loc_586168:				; CODE XREF: _wcsncpy+2Aj
		movzx	eax, word ptr [edx+edi]
		mov	[edi], ax
		add	edi, 2
		test	ax, ax
		jz	short loc_58617C
		sub	ecx, 1
		jnz	short loc_586168

loc_58617C:				; CODE XREF: _wcsncpy+25j
		test	ecx, ecx
		jz	short loc_586190
		sub	ecx, 1
		jz	short loc_586190
		xor	eax, eax
		shr	ecx, 1
		rep stosd
		adc	ecx, ecx
		rep stosw

loc_586190:				; CODE XREF: _wcsncpy+11j _wcsncpy+2Ej ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn
_wcsncpy	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 3038. wcsnlen

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _wcsnlen
_wcsnlen	proc near		; CODE XREF: __wcslwr_s+25p
					; RtlpQueryTimeZoneKeyNameRoutine(x,x,x,x,x,x)+11p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	edx, edx
		mov	eax, edx
		cmp	[ebp+arg_4], eax
		jbe	short loc_5861BB
		mov	ecx, [ebp+arg_0]

loc_5861AD:				; CODE XREF: _wcsnlen+1Dj
		cmp	[ecx], dx
		jz	short loc_5861BB
		inc	eax
		add	ecx, 2
		cmp	eax, [ebp+arg_4]
		jb	short loc_5861AD

loc_5861BB:				; CODE XREF: _wcsnlen+Cj _wcsnlen+14j
		pop	ebp
		retn
_wcsnlen	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 3039. wcsrchr

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t *__cdecl wcsrchr(const wchar_t *,wchar_t)
		public _wcsrchr
_wcsrchr	proc near		; CODE XREF: AslPathSplit+47p
					; AslPathSplit+A2p ...

arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx

loc_5861CC:				; CODE XREF: _wcsrchr+13j
		movzx	eax, word ptr [ecx]
		add	ecx, 2
		test	ax, ax
		jnz	short loc_5861CC

loc_5861D7:				; CODE XREF: _wcsrchr+23j
		sub	ecx, 2
		movzx	eax, word ptr [ecx]
		cmp	ecx, edx
		jz	short loc_5861E7
		cmp	ax, [ebp+arg_4]
		jnz	short loc_5861D7

loc_5861E7:				; CODE XREF: _wcsrchr+1Dj
		cmp	ax, [ebp+arg_4]
		jnz	short loc_5861F1
		mov	eax, ecx
		pop	ebp
		retn
; 

loc_5861F1:				; CODE XREF: _wcsrchr+29j
		xor	eax, eax
		pop	ebp
		retn
_wcsrchr	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 3040. wcsspn

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; size_t __cdecl wcsspn(const wchar_t *,const wchar_t *)
		public _wcsspn
_wcsspn		proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, edx
		push	ebx
		push	esi
		push	edi
		movzx	eax, word ptr [edx]
		test	ax, ax
		jz	short loc_58624B
		mov	esi, eax
		mov	eax, [ebp+arg_4]
		movzx	ebx, word ptr [eax]
		mov	[ebp+arg_0], ebx

loc_58621A:				; CODE XREF: _wcsspn+4Fj
		mov	edi, eax
		cmp	bx, si
		jz	short loc_586239
		movzx	ebx, bx

loc_586224:				; CODE XREF: _wcsspn+3Aj
		test	bx, bx
		jz	short loc_58624B
		add	edi, 2
		movzx	eax, word ptr [edi]
		mov	ebx, eax
		cmp	ax, si
		jnz	short loc_586224
		mov	ebx, [ebp+arg_0]

loc_586239:				; CODE XREF: _wcsspn+25j
		add	ecx, 2
		movzx	eax, word ptr [ecx]
		mov	esi, eax
		test	ax, ax
		jz	short loc_58624B
		mov	eax, [ebp+arg_4]
		jmp	short loc_58621A
; 

loc_58624B:				; CODE XREF: _wcsspn+13j _wcsspn+2Dj ...
		pop	edi
		sub	ecx, edx
		sar	ecx, 1
		pop	esi
		mov	eax, ecx
		pop	ebx
		pop	ebp
		retn
_wcsspn		endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 3041. wcsstr

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t *__cdecl wcsstr(const	wchar_t	*,const	wchar_t	*)
		public _wcsstr
_wcsstr		proc near		; CODE XREF: BcpGetProgressMessages(x,x,x)+1Ap
					; SmUniqueIdParseProductName(x,x,x)+19p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		cmp	[ebx], ax
		jnz	short loc_586273
		mov	eax, edx
		jmp	short loc_5862BE
; 

loc_586273:				; CODE XREF: _wcsstr+11j
		movzx	eax, word ptr [edx]
		push	esi
		push	edi
		test	ax, ax
		jz	short loc_5862BA
		mov	edi, edx
		sub	edi, ebx

loc_586281:				; CODE XREF: _wcsstr+5Cj
		mov	esi, ebx
		test	ax, ax
		jz	short loc_5862A5

loc_586288:				; CODE XREF: _wcsstr+45j
		movzx	eax, word ptr [esi]
		test	ax, ax
		jz	short loc_5862C1
		movzx	ecx, word ptr [edi+esi]
		sub	ecx, eax
		jnz	short loc_5862A5
		add	esi, 2
		xor	eax, eax
		cmp	[edi+esi], ax
		jnz	short loc_586288
		jmp	short loc_5862A7
; 

loc_5862A5:				; CODE XREF: _wcsstr+2Aj _wcsstr+3Aj
		xor	eax, eax

loc_5862A7:				; CODE XREF: _wcsstr+47j
		cmp	[esi], ax
		jz	short loc_5862C1
		add	edx, 2
		add	edi, 2
		movzx	eax, word ptr [edx]
		test	ax, ax
		jnz	short loc_586281

loc_5862BA:				; CODE XREF: _wcsstr+1Fj
		xor	eax, eax

loc_5862BC:				; CODE XREF: _wcsstr+67j
		pop	edi
		pop	esi

loc_5862BE:				; CODE XREF: _wcsstr+15j
		pop	ebx
		pop	ebp
		retn
; 

loc_5862C1:				; CODE XREF: _wcsstr+32j _wcsstr+4Ej
		mov	eax, edx
		jmp	short loc_5862BC
_wcsstr		endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 3042. wcstombs

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; size_t __cdecl wcstombs(char *,const wchar_t *,size_t)
		public _wcstombs
_wcstombs	proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_4]
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], esi
		lea	edx, [ecx+2]

loc_5862DC:				; CODE XREF: _wcstombs+1Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_5862DC
		sub	ecx, edx
		sar	ecx, 1
		cmp	[ebp+arg_0], 0
		pop	esi
		lea	eax, ds:2[ecx*2]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	eax
		jz	short loc_586316
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		call	RtlUnicodeToMultiByteN

loc_58630C:				; CODE XREF: _wcstombs+51j
		test	eax, eax
		js	short loc_58631D
		mov	eax, [ebp+var_4]
		dec	eax
		leave
		retn
; 

loc_586316:				; CODE XREF: _wcstombs+35j
		call	RtlUnicodeToMultiByteSize
		jmp	short loc_58630C
; 

loc_58631D:				; CODE XREF: _wcstombs+44j
		mov	_gbl_errno, 2Ah
		or	eax, 0FFFFFFFFh
		leave
		retn
_wcstombs	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

wcstoxlX	proc near		; CODE XREF: _wcstol+17p _wcstolX+18p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		sub	esp, 10h
		mov	ecx, [ebp+arg_4]
		test	eax, eax
		jz	short loc_586340
		mov	[eax], ecx

loc_586340:				; CODE XREF: wcstoxlX+10j
		test	ecx, ecx
		jz	loc_586508
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_586361
		cmp	eax, 2
		jl	loc_586508
		cmp	eax, 24h
		jg	loc_586508

loc_586361:				; CODE XREF: wcstoxlX+21j
		push	ebx
		push	esi
		push	edi
		movzx	edi, word ptr [ecx]
		lea	esi, [ecx+2]
		xor	ebx, ebx
		jmp	short loc_586374
; 

loc_58636E:				; CODE XREF: wcstoxlX+57j
		movzx	edi, word ptr [esi]
		add	esi, 2

loc_586374:				; CODE XREF: wcstoxlX+40j
		push	0
		push	8		; wctype_t
		push	edi		; wint_t
		call	__iswctype_l
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_58636E
		mov	eax, [ebp+arg_10]
		cmp	di, 2Dh
		jnz	short loc_586393
		or	eax, 2
		jmp	short loc_586399
; 

loc_586393:				; CODE XREF: wcstoxlX+60j
		cmp	di, 2Bh
		jnz	short loc_58639F

loc_586399:				; CODE XREF: wcstoxlX+65j
		movzx	edi, word ptr [esi]
		add	esi, 2

loc_58639F:				; CODE XREF: wcstoxlX+6Bj
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	short loc_5863D9
		push	edi
		call	__wchartodigit
		pop	ecx
		test	eax, eax
		jz	short loc_5863BC
		push	0Ah

loc_5863B6:				; CODE XREF: wcstoxlX+A5j
		pop	ecx
		mov	[ebp+arg_C], ecx
		jmp	short loc_586406
; 

loc_5863BC:				; CODE XREF: wcstoxlX+86j
		movzx	eax, word ptr [esi]
		push	78h
		pop	ecx
		cmp	ax, cx
		jz	short loc_5863D3
		push	58h
		pop	ecx
		cmp	ax, cx
		jz	short loc_5863D3
		push	8
		jmp	short loc_5863B6
; 

loc_5863D3:				; CODE XREF: wcstoxlX+99j wcstoxlX+A1j
		push	10h
		pop	eax
		mov	[ebp+arg_C], eax

loc_5863D9:				; CODE XREF: wcstoxlX+7Bj
		cmp	eax, 10h
		jnz	short loc_586403
		push	edi
		call	__wchartodigit
		pop	ecx
		test	eax, eax
		jnz	short loc_586403
		movzx	eax, word ptr [esi]
		push	78h
		pop	ecx
		cmp	ax, cx
		jz	short loc_5863FC
		push	58h
		pop	ecx
		cmp	ax, cx
		jnz	short loc_586403

loc_5863FC:				; CODE XREF: wcstoxlX+C6j
		movzx	edi, word ptr [esi+2]
		add	esi, 4

loc_586403:				; CODE XREF: wcstoxlX+B0j wcstoxlX+BBj ...
		mov	ecx, [ebp+arg_C]

loc_586406:				; CODE XREF: wcstoxlX+8Ej
		or	eax, 0FFFFFFFFh
		xor	edx, edx
		div	ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], eax

loc_586413:				; CODE XREF: wcstoxlX+182j
		movzx	eax, di
		push	edi
		mov	[ebp+var_8], eax
		call	__wchartodigit
		mov	edx, eax
		pop	ecx
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_586472
		push	41h
		pop	eax
		cmp	ax, di
		ja	short loc_586435
		cmp	di, 5Ah
		jbe	short loc_58645B

loc_586435:				; CODE XREF: wcstoxlX+101j
		push	19h
		lea	eax, [edi-61h]
		pop	ecx
		cmp	ax, cx
		jbe	short loc_58645E
		mov	eax, [ebp+var_4]

loc_586443:				; CODE XREF: wcstoxlX+14Ej
		mov	ecx, [ebp+arg_8]

loc_586446:				; CODE XREF: wcstoxlX+173j
		sub	esi, 2
		test	al, 8
		jnz	short loc_5864B3
		test	ecx, ecx
		jz	short loc_586454
		mov	esi, [ebp+arg_4]

loc_586454:				; CODE XREF: wcstoxlX+123j
		xor	ebx, ebx
		jmp	loc_5864F5
; 

loc_58645B:				; CODE XREF: wcstoxlX+107j
		push	19h
		pop	ecx

loc_58645E:				; CODE XREF: wcstoxlX+112j
		mov	eax, [ebp+var_8]
		movzx	edx, ax
		lea	eax, [edi-61h]
		cmp	ax, cx
		ja	short loc_58646F
		add	edx, 0FFFFFFE0h

loc_58646F:				; CODE XREF: wcstoxlX+13Ej
		add	edx, 0FFFFFFC9h

loc_586472:				; CODE XREF: wcstoxlX+F9j
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+var_4]
		cmp	edx, ecx
		jnb	short loc_586443
		or	eax, 8
		cmp	[ebp+arg_14], 0
		mov	[ebp+var_4], eax
		jnz	short loc_5864A3
		cmp	ebx, [ebp+var_C]
		jb	short loc_5864A3
		jnz	short loc_586494
		cmp	edx, [ebp+var_10]
		jbe	short loc_5864A3

loc_586494:				; CODE XREF: wcstoxlX+161j
		mov	ecx, [ebp+arg_8]
		or	eax, 4
		mov	[ebp+var_4], eax
		test	ecx, ecx
		jz	short loc_586446
		jmp	short loc_5864A8
; 

loc_5864A3:				; CODE XREF: wcstoxlX+15Aj
					; wcstoxlX+15Fj ...
		imul	ebx, ecx
		add	ebx, edx

loc_5864A8:				; CODE XREF: wcstoxlX+175j
		movzx	edi, word ptr [esi]
		add	esi, 2
		jmp	loc_586413
; 

loc_5864B3:				; CODE XREF: wcstoxlX+11Fj
		mov	edx, 7FFFFFFFh
		test	al, 4
		jnz	short loc_5864D2
		test	al, 1
		jnz	short loc_5864F5
		test	al, 2
		jz	short loc_5864CE
		cmp	ebx, 80000000h
		ja	short loc_5864D2
		jmp	short loc_5864F5
; 

loc_5864CE:				; CODE XREF: wcstoxlX+196j
		cmp	ebx, edx
		jbe	short loc_5864F5

loc_5864D2:				; CODE XREF: wcstoxlX+18Ej
					; wcstoxlX+19Ej
		cmp	[ebp+arg_14], 0
		jnz	short loc_5864F5
		mov	_gbl_errno, 22h
		test	al, 1
		jz	short loc_5864EB
		or	ebx, 0FFFFFFFFh
		jmp	short loc_5864F5
; 

loc_5864EB:				; CODE XREF: wcstoxlX+1B8j
		test	al, 2
		push	0
		pop	ebx
		setnz	bl
		add	ebx, edx

loc_5864F5:				; CODE XREF: wcstoxlX+12Aj
					; wcstoxlX+192j ...
		test	ecx, ecx
		jz	short loc_5864FB
		mov	[ecx], esi

loc_5864FB:				; CODE XREF: wcstoxlX+1CBj
		test	al, 2
		jz	short loc_586501
		neg	ebx

loc_586501:				; CODE XREF: wcstoxlX+1D1j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_586508:				; CODE XREF: wcstoxlX+16j wcstoxlX+26j ...
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		xor	eax, eax
		leave
		retn
wcstoxlX	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __int32 __cdecl wcstol(const wchar_t *,wchar_t **,int)
_wcstol		proc near		; CODE XREF: RtlIpv6StringToAddressW+CE841p
					; RtlIpv6StringToAddressW+CE888p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	offset ___initiallocalestructinfo
		call	wcstoxlX
		add	esp, 18h
		pop	ebp
		retn
_wcstol		endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_wcstolX	proc near		; CODE XREF: __wtol+18p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	offset ___initiallocalestructinfo
		call	wcstoxlX
		add	esp, 18h
		pop	ebp
		retn
_wcstolX	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 3043. wcstoul

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; unsigned __int32 __cdecl wcstoul(const wchar_t *,wchar_t **,int)
		public _wcstoul
_wcstoul	proc near		; CODE XREF: PnpStringToDwordValue(x,x)+33p
					; LocalGetAclForString+644p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	1
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	offset ___initiallocalestructinfo
		call	wcstoxlX
		add	esp, 18h
		pop	ebp
		retn
_wcstoul	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__wctomb_s_l	proc near		; CODE XREF: _wctomb+1Fp _wctomb_s+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_8]
		push	esi
		test	ecx, ecx
		jnz	short loc_5865A8
		test	eax, eax
		jz	short loc_5865A8
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_586608
		and	dword ptr [eax], 0
		jmp	short loc_586608
; 

loc_5865A8:				; CODE XREF: __wctomb_s_l+Ej
					; __wctomb_s_l+12j
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_5865B2
		or	dword ptr [esi], 0FFFFFFFFh

loc_5865B2:				; CODE XREF: __wctomb_s_l+25j
		cmp	eax, 7FFFFFFFh
		jbe	short loc_5865CD
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h
		pop	eax
		jmp	short loc_58660A
; 

loc_5865CD:				; CODE XREF: __wctomb_s_l+2Fj
		test	ecx, ecx
		jnz	short loc_5865DC
		test	esi, esi
		jz	short loc_586608
		mov	eax, ___mb_cur_max
		jmp	short loc_586606
; 

loc_5865DC:				; CODE XREF: __wctomb_s_l+47j
		and	[ebp+arg_4], 0
		lea	edx, [ebp+arg_C]
		push	2
		push	edx
		lea	edx, [ebp+arg_4]
		push	edx
		push	eax
		push	ecx
		call	RtlUnicodeToMultiByteN
		test	eax, eax
		jns	short loc_5865FF
		push	2Ah
		pop	eax
		mov	_gbl_errno, eax
		jmp	short loc_58660A
; 

loc_5865FF:				; CODE XREF: __wctomb_s_l+6Bj
		test	esi, esi
		jz	short loc_586608
		mov	eax, [ebp+arg_4]

loc_586606:				; CODE XREF: __wctomb_s_l+52j
		mov	[esi], eax

loc_586608:				; CODE XREF: __wctomb_s_l+19j
					; __wctomb_s_l+1Ej ...
		xor	eax, eax

loc_58660A:				; CODE XREF: __wctomb_s_l+43j
					; __wctomb_s_l+75j
		pop	esi
		pop	ebp
		retn
__wctomb_s_l	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 3044. wctomb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl wctomb(char *,wchar_t)
		public _wctomb
_wctomb		proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	0
		push	[ebp+arg_4]
		lea	eax, [ebp+var_4]
		or	esi, 0FFFFFFFFh
		push	___mb_cur_max
		mov	[ebp+var_4], esi
		push	[ebp+arg_0]
		push	eax
		call	__wctomb_s_l
		add	esp, 14h
		test	eax, eax
		jnz	short loc_586640
		mov	esi, [ebp+var_4]

loc_586640:				; CODE XREF: _wctomb+29j
		mov	eax, esi
		pop	esi
		leave
		retn
_wctomb		endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_wctomb_s	proc near		; CODE XREF: __output_l+4C5p
					; __output_l+82Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__wctomb_s_l
		add	esp, 14h
		pop	ebp
		retn
_wctomb_s	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ValidateLocalCookies proc near		; CODE XREF: __except_handler4+136p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, [esi]
		cmp	eax, 0FFFFFFFEh
		jz	short loc_586691
		mov	ecx, [esi+4]
		add	ecx, edi
		xor	ecx, [eax+edi]
		call	@__security_check_cookie@4 ; __security_check_cookie(x)

loc_586691:				; CODE XREF: ValidateLocalCookies+12j
		mov	eax, [esi+8]
		mov	ecx, [esi+0Ch]
		add	ecx, edi
		xor	ecx, [eax+edi]
		pop	edi
		pop	esi
		pop	ebp
		jmp	@__security_check_cookie@4 ; __security_check_cookie(x)
ValidateLocalCookies endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__except_handler4 proc near		; DATA XREF: RtlWalkFrameChain+Co
					; KiContinue+Co ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+8]
		lea	esi, [ecx+10h]
		xor	edi, ___security_cookie
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_1], 0
		mov	eax, [edi]
		mov	[ebp+var_8], 1
		cmp	eax, 0FFFFFFFEh
		jz	short loc_5866F7
		mov	ecx, [edi+4]
		add	ecx, esi
		xor	ecx, [esi+eax]
		call	@__security_check_cookie@4 ; __security_check_cookie(x)

loc_5866F7:				; CODE XREF: __except_handler4+38j
		mov	eax, [edi+8]
		mov	ecx, [edi+0Ch]
		add	ecx, esi
		xor	ecx, [esi+eax]
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		test	byte ptr [eax+4], 66h
		mov	ebx, [ecx+0Ch]
		jnz	short loc_586779
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_14]
		mov	[ecx-4], eax
		cmp	ebx, 0FFFFFFFEh
		jz	loc_5867B2
		mov	edi, edi

loc_586730:				; CODE XREF: __except_handler4+B8j
		lea	eax, [ebx+2]
		lea	eax, [ebx+eax*2]
		mov	ecx, [edi+eax*4+4]
		lea	eax, [edi+eax*4]
		mov	[ebp+var_C], eax
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		test	ecx, ecx
		jz	short loc_586760
		mov	edx, esi
		call	@_EH4_CallFilterFunc@8 ; _EH4_CallFilterFunc(x,x)
		mov	cl, 1
		mov	[ebp+var_1], cl
		test	eax, eax
		js	short loc_586770
		jg	short loc_5867BC
		mov	eax, [ebp+arg_0]
		jmp	short loc_586763
; 

loc_586760:				; CODE XREF: __except_handler4+97j
		mov	cl, [ebp+var_1]

loc_586763:				; CODE XREF: __except_handler4+AEj
		mov	ebx, eax
		cmp	eax, 0FFFFFFFEh
		jnz	short loc_586730
		test	cl, cl
		jz	short loc_5867B2
		jmp	short loc_58678E
; 

loc_586770:				; CODE XREF: __except_handler4+A7j
		mov	[ebp+var_8], 0
		jmp	short loc_58678E
; 

loc_586779:				; CODE XREF: __except_handler4+64j
		cmp	ebx, 0FFFFFFFEh
		jz	short loc_5867B2
		push	offset ___security_cookie
		push	esi
		mov	edx, 0FFFFFFFEh
		call	@_EH4_LocalUnwind@16 ; _EH4_LocalUnwind(x,x,x,x)

loc_58678E:				; CODE XREF: __except_handler4+BEj
					; __except_handler4+C7j
		mov	eax, [edi]
		cmp	eax, 0FFFFFFFEh
		jz	short loc_5867A2
		mov	ecx, [edi+4]
		add	ecx, esi
		xor	ecx, [esi+eax]
		call	@__security_check_cookie@4 ; __security_check_cookie(x)

loc_5867A2:				; CODE XREF: __except_handler4+E3j
		mov	edx, [edi+8]
		mov	ecx, [edi+0Ch]
		add	ecx, esi
		xor	ecx, [esi+edx]
		call	@__security_check_cookie@4 ; __security_check_cookie(x)

loc_5867B2:				; CODE XREF: __except_handler4+78j
					; __except_handler4+BCj ...
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5867BC:				; CODE XREF: __except_handler4+A9j
		mov	ecx, [ebp+arg_4]
		call	@_EH4_GlobalUnwind@4 ; _EH4_GlobalUnwind(x)
		mov	eax, [ebp+arg_4]
		cmp	[eax+0Ch], ebx
		jz	short loc_5867DB
		push	offset ___security_cookie
		push	esi
		mov	edx, ebx
		mov	ecx, eax
		call	@_EH4_LocalUnwind@16 ; _EH4_LocalUnwind(x,x,x,x)

loc_5867DB:				; CODE XREF: __except_handler4+11Aj
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		mov	[ecx+0Ch], eax
		call	ValidateLocalCookies
		mov	ecx, [ebp+var_C]
		add	esp, 8
		mov	edx, esi
		mov	ecx, [ecx+8]
		call	@_EH4_TransferToHandler@8 ; _EH4_TransferToHandler(x,x)
		int	3		; Trap to Debugger
__except_handler4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; wchar_t *__cdecl wcspbrk(const wchar_t *,const wchar_t *)
_wcspbrk	proc near		; CODE XREF: RtlpMuiRegLoadLicInformation+14Dp
					; RtlpMuiRegLoadLicInformation+26Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		movzx	edx, word ptr [ecx]
		test	dx, dx
		jz	short loc_586841
		mov	edi, [ebp+arg_4]
		movzx	ebx, word ptr [edi]

loc_586815:				; CODE XREF: _wcspbrk+43j
		mov	esi, edi
		test	bx, bx
		jz	short loc_586836
		mov	eax, ebx

loc_58681E:				; CODE XREF: _wcspbrk+38j
		cmp	ax, dx
		jz	short loc_586848
		add	esi, 2
		movzx	eax, word ptr [esi]
		mov	edi, eax
		mov	[ebp+arg_0], edi
		mov	edi, [ebp+arg_4]
		test	ax, ax
		jnz	short loc_58681E

loc_586836:				; CODE XREF: _wcspbrk+1Ej
		add	ecx, 2
		movzx	edx, word ptr [ecx]
		test	dx, dx
		jnz	short loc_586815

loc_586841:				; CODE XREF: _wcspbrk+11j
		xor	eax, eax

loc_586843:				; CODE XREF: _wcspbrk+4Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_586848:				; CODE XREF: _wcspbrk+25j
		mov	eax, ecx
		jmp	short loc_586843
_wcspbrk	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__wcstoi64	proc near		; CODE XREF: PiNormalizeDeviceText+F6p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	offset ___initiallocalestructinfo
		call	_wcstoxq
		add	esp, 18h
		pop	ebp
		retn
__wcstoi64	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_wcstoxq	proc near		; CODE XREF: __wcstoi64+17p
					; LocalpConvertStringSidToSid+129p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		sub	esp, 2Ch
		mov	ecx, [ebp+arg_4]
		test	eax, eax
		jz	short loc_586882
		mov	[eax], ecx

loc_586882:				; CODE XREF: _wcstoxq+10j
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	loc_586B22
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_5868A6
		cmp	eax, 2
		jl	loc_586B22
		cmp	eax, 24h
		jg	loc_586B22

loc_5868A6:				; CODE XREF: _wcstoxq+24j
		movzx	ebx, word ptr [ecx]
		lea	esi, [ecx+2]
		xor	edi, edi
		mov	[ebp+var_10], ebx
		push	edi
		push	8		; wctype_t
		push	ebx		; wint_t
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edi
		call	__iswctype_l
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_5868E7

loc_5868C7:				; CODE XREF: _wcstoxq+62j _wcstoxq+74j
		movzx	eax, word ptr [esi]
		add	esi, 2
		cmp	ax, bx
		jz	short loc_5868C7
		push	edi
		push	8		; wctype_t
		push	eax		; wint_t
		mov	ebx, eax
		call	__iswctype_l
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_5868C7
		mov	[ebp+var_10], ebx

loc_5868E7:				; CODE XREF: _wcstoxq+57j
		mov	eax, [ebp+arg_10]
		cmp	bx, 2Dh
		jnz	short loc_5868F5
		or	eax, 2
		jmp	short loc_5868FB
; 

loc_5868F5:				; CODE XREF: _wcstoxq+80j
		cmp	bx, 2Bh
		jnz	short loc_586904

loc_5868FB:				; CODE XREF: _wcstoxq+85j
		movzx	ebx, word ptr [esi]
		add	esi, 2
		mov	[ebp+var_10], ebx

loc_586904:				; CODE XREF: _wcstoxq+8Bj
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_C]
		test	eax, eax
		js	loc_586B14
		cmp	eax, 1
		jz	loc_586B14
		cmp	eax, 24h
		jg	loc_586B14
		test	eax, eax
		jnz	short loc_586958
		push	ebx
		call	__wchartodigit
		pop	ecx
		test	eax, eax
		jz	short loc_58693B
		push	0Ah

loc_586935:				; CODE XREF: _wcstoxq+E2j
		pop	eax
		mov	[ebp+arg_C], eax
		jmp	short loc_586988
; 

loc_58693B:				; CODE XREF: _wcstoxq+C3j
		movzx	eax, word ptr [esi]
		push	78h
		pop	ecx
		cmp	ax, cx
		jz	short loc_586952
		push	58h
		pop	ecx
		cmp	ax, cx
		jz	short loc_586952
		push	8
		jmp	short loc_586935
; 

loc_586952:				; CODE XREF: _wcstoxq+D6j _wcstoxq+DEj
		push	10h
		pop	eax
		mov	[ebp+arg_C], eax

loc_586958:				; CODE XREF: _wcstoxq+B8j
		cmp	eax, 10h
		jnz	short loc_586988
		push	ebx
		call	__wchartodigit
		pop	ecx
		test	eax, eax
		jnz	short loc_586985
		movzx	eax, word ptr [esi]
		push	78h
		pop	ecx
		cmp	ax, cx
		jz	short loc_58697B
		push	58h
		pop	ecx
		cmp	ax, cx
		jnz	short loc_586985

loc_58697B:				; CODE XREF: _wcstoxq+103j
		movzx	eax, word ptr [esi+2]
		add	esi, 4
		mov	[ebp+var_10], eax

loc_586985:				; CODE XREF: _wcstoxq+F8j
					; _wcstoxq+10Bj
		mov	eax, [ebp+arg_C]

loc_586988:				; CODE XREF: _wcstoxq+CBj _wcstoxq+EDj
		cdq
		push	ebx
		mov	ecx, edx
		mov	[ebp+var_2C], eax
		push	ecx
		push	eax
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		mov	[ebp+var_28], ecx
		call	__aulldvrm
		mov	[ebp+var_20], ebx
		pop	ebx
		nop
		mov	ebx, [ebp+var_10]
		mov	[ebp+var_24], ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], edx

loc_5869AE:				; CODE XREF: _wcstoxq+1FBj
		movzx	eax, bx
		push	ebx
		mov	[ebp+var_10], eax
		call	__wchartodigit
		mov	[ebp+var_1C], eax
		pop	ecx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_5869F9
		push	41h
		pop	eax
		cmp	ax, bx
		ja	short loc_5869D1
		cmp	bx, 5Ah
		jbe	short loc_5869E0

loc_5869D1:				; CODE XREF: _wcstoxq+15Bj
		push	19h
		lea	eax, [ebx-61h]
		pop	ecx
		cmp	ax, cx
		ja	loc_586A6E

loc_5869E0:				; CODE XREF: _wcstoxq+161j
		mov	eax, [ebp+var_10]
		push	19h
		movzx	ecx, ax
		lea	eax, [ebx-61h]
		pop	edx
		cmp	ax, dx
		ja	short loc_5869F4
		add	ecx, 0FFFFFFE0h

loc_5869F4:				; CODE XREF: _wcstoxq+181j
		lea	ebx, [ecx-37h]
		jmp	short loc_5869FC
; 

loc_5869F9:				; CODE XREF: _wcstoxq+153j
		mov	ebx, [ebp+var_1C]

loc_5869FC:				; CODE XREF: _wcstoxq+189j
		mov	edx, [ebp+var_C]
		mov	eax, [ebp+var_8]
		cmp	ebx, [ebp+arg_C]
		jnb	short loc_586A74
		mov	ecx, [ebp+var_4]
		or	edx, 8
		mov	[ebp+var_C], edx
		cmp	eax, [ebp+var_18]
		jb	short loc_586A44
		ja	short loc_586A1C
		cmp	ecx, [ebp+var_14]
		jb	short loc_586A44

loc_586A1C:				; CODE XREF: _wcstoxq+1A7j
		cmp	ecx, [ebp+var_14]
		jnz	short loc_586A35
		cmp	eax, [ebp+var_18]
		jnz	short loc_586A35
		mov	[ebp+var_10], edi
		cmp	edi, [ebp+var_20]
		jb	short loc_586A47
		ja	short loc_586A35
		cmp	ebx, [ebp+var_24]
		jbe	short loc_586A47

loc_586A35:				; CODE XREF: _wcstoxq+1B1j
					; _wcstoxq+1B6j ...
		mov	ebx, [ebp+arg_8]
		or	edx, 4
		mov	[ebp+var_C], edx
		test	ebx, ebx
		jz	short loc_586A77
		jmp	short loc_586A63
; 

loc_586A44:				; CODE XREF: _wcstoxq+1A5j
					; _wcstoxq+1ACj
		mov	[ebp+var_10], edi

loc_586A47:				; CODE XREF: _wcstoxq+1BEj
					; _wcstoxq+1C5j
		push	eax
		push	ecx
		push	[ebp+var_28]
		push	[ebp+var_2C]
		call	__allmul
		mov	ecx, eax
		mov	eax, edx
		add	ecx, ebx
		mov	[ebp+var_4], ecx
		adc	eax, [ebp+var_10]
		mov	[ebp+var_8], eax

loc_586A63:				; CODE XREF: _wcstoxq+1D4j
		movzx	ebx, word ptr [esi]
		add	esi, 2
		jmp	loc_5869AE
; 

loc_586A6E:				; CODE XREF: _wcstoxq+16Cj
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_C]

loc_586A74:				; CODE XREF: _wcstoxq+197j
		mov	ebx, [ebp+arg_8]

loc_586A77:				; CODE XREF: _wcstoxq+1D2j
		sub	esi, 2
		test	dl, 8
		jnz	short loc_586A8C
		test	ebx, ebx
		jz	short loc_586A86
		mov	esi, [ebp+arg_4]

loc_586A86:				; CODE XREF: _wcstoxq+213j
		mov	eax, edi
		mov	ecx, edi
		jmp	short loc_586AFF
; 

loc_586A8C:				; CODE XREF: _wcstoxq+20Fj
		mov	ecx, 80000000h
		test	dl, 4
		jnz	short loc_586AC0
		test	dl, 1
		jnz	short loc_586AF9
		test	dl, 2
		jz	short loc_586AAF
		cmp	eax, ecx
		ja	short loc_586AC0
		mov	eax, [ebp+var_4]
		jb	short loc_586AFC
		cmp	eax, edi
		ja	short loc_586AC0
		jmp	short loc_586AFC
; 

loc_586AAF:				; CODE XREF: _wcstoxq+230j
		cmp	eax, 7FFFFFFFh
		jb	short loc_586AF9
		ja	short loc_586AC0
		mov	eax, [ebp+var_4]
		cmp	eax, 0FFFFFFFFh
		jbe	short loc_586AFC

loc_586AC0:				; CODE XREF: _wcstoxq+226j
					; _wcstoxq+234j ...
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jnz	short loc_586AD3
		mov	_gbl_errno, 22h
		jmp	short loc_586AD9
; 

loc_586AD3:				; CODE XREF: _wcstoxq+257j
		mov	dword ptr [eax], 22h

loc_586AD9:				; CODE XREF: _wcstoxq+263j
		test	dl, 1
		jz	short loc_586AE6
		or	eax, 0FFFFFFFFh
		or	ecx, 0FFFFFFFFh
		jmp	short loc_586AFF
; 

loc_586AE6:				; CODE XREF: _wcstoxq+26Ej
		test	dl, 2
		jz	short loc_586AEF
		mov	eax, edi
		jmp	short loc_586AFF
; 

loc_586AEF:				; CODE XREF: _wcstoxq+27Bj
		or	eax, 0FFFFFFFFh
		mov	ecx, 7FFFFFFFh
		jmp	short loc_586AFF
; 

loc_586AF9:				; CODE XREF: _wcstoxq+22Bj
					; _wcstoxq+246j
		mov	eax, [ebp+var_4]

loc_586AFC:				; CODE XREF: _wcstoxq+239j
					; _wcstoxq+23Fj ...
		mov	ecx, [ebp+var_8]

loc_586AFF:				; CODE XREF: _wcstoxq+21Cj
					; _wcstoxq+276j ...
		test	ebx, ebx
		jz	short loc_586B05
		mov	[ebx], esi

loc_586B05:				; CODE XREF: _wcstoxq+293j
		test	dl, 2
		jz	short loc_586B10
		neg	eax
		adc	ecx, edi
		neg	ecx

loc_586B10:				; CODE XREF: _wcstoxq+29Aj
		mov	edx, ecx
		jmp	short loc_586B35
; 

loc_586B14:				; CODE XREF: _wcstoxq+9Ej _wcstoxq+A7j ...
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_586B31
		mov	ecx, [ebp+arg_4]
		mov	[eax], ecx
		jmp	short loc_586B31
; 

loc_586B22:				; CODE XREF: _wcstoxq+19j _wcstoxq+29j ...
		xor	edi, edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h

loc_586B31:				; CODE XREF: _wcstoxq+2ABj
					; _wcstoxq+2B2j
		xor	eax, eax
		xor	edx, edx

loc_586B35:				; CODE XREF: _wcstoxq+2A4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_wcstoxq	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _iswctype_l(wint_t,wctype_t)
__iswctype_l	proc near		; CODE XREF: wcstoxlX+4Dp _wcstoxq+4Dp ...

arg_0		= word ptr  8
arg_4		= word ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	dword ptr [ebp+arg_4] ;	wctype_t
		push	dword ptr [ebp+arg_0] ;	wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		pop	ebp
		retn
__iswctype_l	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl iswctype(wint_t,wctype_t)
_iswctype	proc near		; CODE XREF: RtlIpv6StringToAddressW+5Dp
					; RtlIpv6StringToAddressW+70p ...

arg_0		= word ptr  8
arg_4		= word ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ax, [ebp+arg_0]
		mov	ecx, 100h
		movzx	edx, [ebp+arg_4]
		cmp	ax, cx
		jnb	short loc_586B75
		movzx	ecx, ax
		mov	eax, __pwctype
		movzx	eax, word ptr [eax+ecx*2]
		and	eax, edx
		pop	ebp
		retn
; 

loc_586B75:				; CODE XREF: _iswctype+15j
		xor	eax, eax
		pop	ebp
		retn
_iswctype	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _flsbuf_s(int,FILE *)
__flsbuf_s	proc near		; CODE XREF: __vsnwprintf_l+86p
					; __vsnwprintf_l+9Fp ...

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		or	dword ptr [eax+0Ch], 20h
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
__flsbuf_s	endp

; 
		align 4
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__woutput_l	proc near		; CODE XREF: __vsnwprintf_l+5Fp
					; __snwprintf+5Ep ...

var_44C		= dword	ptr -44Ch
var_448		= word ptr -448h
var_444		= dword	ptr -444h
var_440		= dword	ptr -440h
var_43C		= dword	ptr -43Ch
var_438		= dword	ptr -438h
var_434		= dword	ptr -434h
var_430		= byte ptr -430h
var_42C		= dword	ptr -42Ch
var_428		= dword	ptr -428h
var_424		= dword	ptr -424h
var_420		= dword	ptr -420h
var_41C		= dword	ptr -41Ch
var_418		= dword	ptr -418h
var_414		= dword	ptr -414h
var_410		= dword	ptr -410h
var_40C		= dword	ptr -40Ch
var_408		= dword	ptr -408h
var_404		= word ptr -404h
var_205		= dword	ptr -205h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 450h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_410], eax
		xor	eax, eax
		push	400h		; size_t
		mov	ebx, eax
		mov	[ebp+var_444], eax
		push	eax		; int
		mov	[ebp+var_42C], eax
		mov	esi, eax
		mov	[ebp+var_418], eax
		mov	[ebp+var_420], eax
		mov	[ebp+var_414], eax
		lea	eax, [ebp+var_404]
		push	eax		; void *
		mov	[ebp+var_428], edi
		mov	[ebp+var_40C], ebx
		call	_memset
		xor	edx, edx
		add	esp, 0Ch
		mov	dword ptr [ebp+var_448], edx
		mov	[ebp+var_424], edx
		test	edi, edi
		jz	loc_5874FF
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_5874FF
		mov	ecx, edx
		mov	[ebp+var_434], edx
		mov	[ebp+var_408], ecx
		mov	edi, edx
		jmp	loc_5874ED
; 

loc_586C2D:				; CODE XREF: __woutput_l+965j
		add	[ebp+arg_4], 2
		movzx	eax, dx
		test	ecx, ecx
		js	loc_5874F9
		mov	ecx, eax
		lea	eax, [edx-20h]
		cmp	ax, 5Ah
		ja	short loc_586C53
		movsx	eax, byte ptr ds:(loc_408E8E+2)[ecx]
		and	eax, 0Fh
		jmp	short loc_586C55
; 

loc_586C53:				; CODE XREF: __woutput_l+B7j
		xor	eax, eax

loc_586C55:				; CODE XREF: __woutput_l+C3j
		mov	ebx, [ebp+var_434]
		movsx	ebx, byte ptr ds:(loc_408EAF+1)[ebx+eax*8]
		mov	eax, ebx
		mov	[ebp+var_434], ebx
		mov	ebx, [ebp+var_40C]
		sar	eax, 4
		mov	[ebp+var_434], eax
		cmp	eax, 7		; switch 8 cases
		ja	loc_5874E4	; default
		jmp	ds:off_58751E[eax*4] ; switch jump

loc_586C8A:				; DATA XREF: .text:off_58751Eo
		xor	eax, eax	; case 0x1
		or	[ebp+var_418], 0FFFFFFFFh
		mov	ebx, eax
		mov	[ebp+var_414], eax
		mov	[ebp+var_42C], eax
		mov	[ebp+var_420], eax
		mov	[ebp+var_40C], ebx
		mov	[ebp+var_424], eax
		jmp	loc_5874E4	; default
; 

loc_586CB8:				; CODE XREF: __woutput_l+F5j
					; DATA XREF: .text:off_58751Eo
		push	20h		; case 0x2
		pop	eax
		sub	ecx, eax
		jz	short loc_586D07
		sub	ecx, 3
		jz	short loc_586CFF
		sub	ecx, 8
		jz	short loc_586CFA
		dec	ecx
		sub	ecx, 1
		jz	short loc_586CEC
		sub	ecx, 3
		mov	ecx, [ebp+var_408]
		jnz	loc_5874EA
		or	ebx, 8
		mov	[ebp+var_40C], ebx
		jmp	loc_5874EA
; 

loc_586CEC:				; CODE XREF: __woutput_l+13Fj
		or	ebx, 4

loc_586CEF:				; CODE XREF: __woutput_l+16Fj
					; __woutput_l+177j ...
		mov	[ebp+var_40C], ebx
		jmp	loc_5874E4	; default
; 

loc_586CFA:				; CODE XREF: __woutput_l+139j
		or	ebx, 1
		jmp	short loc_586CEF
; 

loc_586CFF:				; CODE XREF: __woutput_l+134j
		or	ebx, 80h
		jmp	short loc_586CEF
; 

loc_586D07:				; CODE XREF: __woutput_l+12Fj
		or	ebx, 2
		jmp	short loc_586CEF
; 

loc_586D0C:				; CODE XREF: __woutput_l+F5j
					; DATA XREF: .text:off_58751Eo
		push	2Ah		; case 0x3
		pop	eax
		cmp	dx, ax
		jnz	short loc_586D50
		mov	eax, [ebp+var_410]
		mov	ecx, [ebp+var_408]
		add	eax, 4
		mov	[ebp+var_410], eax
		mov	eax, [eax-4]
		mov	[ebp+var_42C], eax
		test	eax, eax
		jns	loc_5874EA
		or	ebx, 4
		neg	eax
		mov	[ebp+var_40C], ebx
		mov	[ebp+var_42C], eax
		jmp	loc_5874EA
; 

loc_586D50:				; CODE XREF: __woutput_l+184j
		imul	eax, [ebp+var_42C], arg_0+2
		add	eax, 0FFFFFFD0h
		add	eax, ecx
		mov	[ebp+var_42C], eax
		jmp	loc_5874E4	; default
; 

loc_586D67:				; CODE XREF: __woutput_l+F5j
					; DATA XREF: .text:off_58751Eo
		xor	eax, eax	; case 0x4

loc_586D69:				; CODE XREF: __woutput_l+22Cj
		mov	[ebp+var_418], eax
		jmp	loc_5874E4	; default
; 

loc_586D74:				; CODE XREF: __woutput_l+F5j
					; DATA XREF: .text:off_58751Eo
		push	2Ah		; case 0x5
		pop	eax
		cmp	dx, ax
		jnz	short loc_586DAE
		mov	ecx, [ebp+var_410]
		add	ecx, 4
		mov	[ebp+var_410], ecx
		mov	eax, [ecx-4]
		mov	ecx, [ebp+var_408]
		mov	[ebp+var_418], eax
		test	eax, eax
		jns	loc_5874EA
		or	[ebp+var_418], 0FFFFFFFFh
		jmp	loc_5874EA
; 

loc_586DAE:				; CODE XREF: __woutput_l+1ECj
		imul	eax, [ebp+var_418], arg_0+2
		add	eax, 0FFFFFFD0h
		add	eax, ecx
		jmp	short loc_586D69
; 

loc_586DBC:				; CODE XREF: __woutput_l+F5j
					; DATA XREF: .text:off_58751Eo
		push	49h		; case 0x6
		pop	eax
		sub	ecx, eax
		jz	short loc_586DEB
		sub	ecx, 1Fh
		jz	loc_586E4C
		dec	ecx
		sub	ecx, 1
		jz	short loc_586DEB
		dec	ecx
		sub	ecx, 1
		jz	short loc_586E1E
		sub	ecx, 8
		jz	short loc_586DEB
		sub	ecx, 3
		jz	short loc_586E13
		sub	ecx, 3
		jnz	loc_5874E4	; default

loc_586DEB:				; CODE XREF: __woutput_l+233j
					; __woutput_l+242j ...
		cmp	dx, ax
		jnz	short loc_586E6E
		mov	ecx, [ebp+arg_4]
		movzx	eax, word ptr [ecx]
		cmp	eax, 36h
		jnz	short loc_586E51
		cmp	word ptr [ecx+2], 34h
		jnz	short loc_586E51
		add	ecx, 4
		mov	[ebp+arg_4], ecx

loc_586E08:				; CODE XREF: __woutput_l+2E4j
		or	ebx, 8000h
		jmp	loc_586CEF
; 

loc_586E13:				; CODE XREF: __woutput_l+252j
		or	ebx, 800h
		jmp	loc_586CEF
; 

loc_586E1E:				; CODE XREF: __woutput_l+248j
		mov	eax, [ebp+arg_4]
		push	6Ch
		pop	edx
		movzx	eax, word ptr [eax]
		mov	ecx, eax
		cmp	ax, dx
		jnz	short loc_586E32
		add	[ebp+arg_4], 2

loc_586E32:				; CODE XREF: __woutput_l+29Ej
		xor	eax, eax
		cmp	cx, dx
		setz	al
		dec	eax
		and	eax, 0FFFFF010h
		add	eax, 1000h

loc_586E45:				; CODE XREF: __woutput_l+2C1j
		or	ebx, eax
		jmp	loc_586CEF
; 

loc_586E4C:				; CODE XREF: __woutput_l+238j
		push	20h
		pop	eax
		jmp	short loc_586E45
; 

loc_586E51:				; CODE XREF: __woutput_l+26Bj
					; __woutput_l+272j
		cmp	eax, 33h
		jnz	short loc_586E77
		cmp	word ptr [ecx+2], 32h
		jnz	short loc_586E77
		add	ecx, 4
		and	ebx, 0FFFF7FFFh
		mov	[ebp+arg_4], ecx
		jmp	loc_586CEF
; 

loc_586E6E:				; CODE XREF: __woutput_l+260j
		cmp	dx, 6Ah
		jz	short loc_586E08
		mov	ecx, [ebp+arg_4]

loc_586E77:				; CODE XREF: __woutput_l+2C6j
					; __woutput_l+2CDj
		movzx	eax, word ptr [ecx]
		cmp	eax, 64h
		jz	loc_5874E4	; default
		push	69h
		pop	ecx
		cmp	ax, cx
		jz	loc_5874E4	; default
		cmp	eax, 6Fh
		jz	loc_5874E4	; default
		cmp	eax, 75h
		jz	loc_5874E4	; default
		cmp	eax, 78h
		jz	loc_5874E4	; default
		cmp	eax, 58h
		jz	loc_5874E4	; default
		xor	eax, eax
		mov	[ebp+var_434], eax

loc_586EBB:				; CODE XREF: __woutput_l+F5j
					; DATA XREF: .text:off_58751Eo
		lea	eax, [ebp+var_408] ; case 0x0
		mov	[ebp+var_424], 1
		push	eax
		push	[ebp+var_428]
		push	edx
		call	write_char
		add	esp, 0Ch
		jmp	loc_5874E4	; default
; 

loc_586EE0:				; CODE XREF: __woutput_l+F5j
					; DATA XREF: .text:off_58751Eo
		push	69h		; case 0x7
		pop	eax
		cmp	ecx, eax
		ja	loc_5871E2
		jz	loc_5871D8
		sub	ecx, 43h
		jz	loc_58714E
		sub	ecx, 10h
		jz	loc_5870E8
		sub	ecx, 5
		jz	loc_587257
		dec	ecx
		sub	ecx, 1
		jz	loc_587071
		sub	ecx, 9
		jz	loc_587161
		sub	ecx, 1
		jz	loc_5871D8

loc_586F28:				; CODE XREF: __woutput_l+53Bj
					; __woutput_l+548j ...
		mov	eax, [ebp+var_414]

loc_586F2E:				; CODE XREF: __woutput_l+8D3j
		test	eax, eax
		jnz	loc_5874E4	; default
		test	bl, 40h
		jz	short loc_586F5B
		test	ebx, 100h
		jz	loc_587466
		push	2Dh

loc_586F49:				; CODE XREF: __woutput_l+8DFj
		pop	eax
		mov	word ptr [ebp+var_438],	ax
		mov	[ebp+var_420], 1

loc_586F5B:				; CODE XREF: __woutput_l+3ABj
					; __woutput_l+8E7j
		push	20h
		pop	edx

loc_586F5E:				; CODE XREF: __woutput_l+901j
		mov	eax, [ebp+var_42C]
		mov	ecx, ebx
		sub	eax, edi
		sub	eax, [ebp+var_420]
		and	ecx, 0Ch
		mov	[ebp+var_440], eax
		mov	[ebp+var_43C], ecx
		jnz	short loc_586F96
		lea	ecx, [ebp+var_408]
		push	ecx
		push	[ebp+var_428]
		push	eax
		push	edx
		call	write_multi_char
		add	esp, 10h

loc_586F96:				; CODE XREF: __woutput_l+3EFj
		lea	eax, [ebp+var_408]
		push	eax
		push	[ebp+var_428]
		lea	eax, [ebp+var_438]
		push	[ebp+var_420]
		push	eax
		call	write_string
		add	esp, 10h
		cmp	[ebp+var_43C], 8
		jnz	short loc_586FE0
		lea	eax, [ebp+var_408]
		push	eax
		push	[ebp+var_428]
		push	[ebp+var_440]
		push	30h
		pop	eax
		push	eax
		call	write_multi_char
		add	esp, 10h

loc_586FE0:				; CODE XREF: __woutput_l+431j
		cmp	[ebp+var_424], 0
		jnz	loc_58749F
		test	edi, edi
		jle	loc_58749F
		mov	ecx, esi
		mov	[ebp+var_43C], esi
		mov	eax, edi

loc_586FFF:				; CODE XREF: __woutput_l+4DCj
		push	___mb_cur_max	; size_t
		dec	eax
		mov	[ebp+var_41C], eax
		lea	eax, [ebp+var_448]
		push	ecx		; char *
		push	eax		; wchar_t *
		call	__safecrt_mbtowc
		add	esp, 0Ch
		mov	[ebp+var_44C], eax
		cmp	eax, 2
		jnz	short loc_58702D
		dec	[ebp+var_41C]

loc_58702D:				; CODE XREF: __woutput_l+497j
		test	eax, eax
		jle	loc_587494
		lea	eax, [ebp+var_408]
		push	eax
		push	[ebp+var_428]
		push	dword ptr [ebp+var_448]
		call	write_char
		mov	ecx, [ebp+var_43C]
		add	esp, 0Ch
		add	ecx, [ebp+var_44C]
		mov	eax, [ebp+var_41C]
		mov	[ebp+var_43C], ecx
		test	eax, eax
		jg	short loc_586FFF
		jmp	loc_5874B6
; 

loc_587071:				; CODE XREF: __woutput_l+382j
		mov	edx, [ebp+var_410]
		add	edx, 4
		mov	[ebp+var_410], edx
		mov	ecx, [edx-4]
		test	ecx, ecx
		jz	short loc_5870DB
		mov	esi, [ecx+4]
		test	esi, esi
		jz	short loc_5870DB
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		cmp	[ecx+2], ax
		jb	loc_5874FD
		mov	edi, edx
		test	ebx, 800h
		jz	short loc_5870CE
		not	eax
		test	al, 1
		jz	loc_5874FD
		mov	eax, esi
		not	eax
		test	al, 1
		jz	loc_5874FD
		shr	edi, 1
		mov	[ebp+var_424], 1
		jmp	loc_586F28
; 

loc_5870CE:				; CODE XREF: __woutput_l+517j
		xor	eax, eax
		mov	[ebp+var_424], eax
		jmp	loc_586F28
; 

loc_5870DB:				; CODE XREF: __woutput_l+4F7j
					; __woutput_l+4FEj
		push	6
		mov	esi, offset loc_408EA8
		pop	edi
		jmp	loc_586F28
; 

loc_5870E8:				; CODE XREF: __woutput_l+36Fj
		test	ebx, 830h
		jnz	short loc_5870FB
		push	20h
		pop	eax
		or	ebx, eax
		mov	[ebp+var_40C], ebx

loc_5870FB:				; CODE XREF: __woutput_l+560j
					; __woutput_l+66Ej
		mov	eax, [ebp+var_418]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_58710B
		mov	eax, 7FFFFFFFh

loc_58710B:				; CODE XREF: __woutput_l+576j
		mov	ecx, [ebp+var_410]
		add	ecx, 4
		mov	[ebp+var_410], ecx
		mov	esi, [ecx-4]
		test	bl, 20h
		jz	loc_58721C
		test	esi, esi
		jnz	short loc_58712F
		mov	esi, offset loc_408EA8

loc_58712F:				; CODE XREF: __woutput_l+59Aj
		xor	ecx, ecx
		mov	edi, ecx
		test	eax, eax
		jle	loc_586F28

loc_58713B:				; CODE XREF: __woutput_l+5B9j
		cmp	[edi+esi], cl
		jz	loc_586F28
		inc	edi
		cmp	edi, eax
		jl	short loc_58713B
		jmp	loc_586F28
; 

loc_58714E:				; CODE XREF: __woutput_l+366j
		test	ebx, 830h
		jnz	short loc_587161
		push	20h
		pop	eax
		or	ebx, eax
		mov	[ebp+var_40C], ebx

loc_587161:				; CODE XREF: __woutput_l+38Bj
					; __woutput_l+5C6j
		mov	eax, [ebp+var_410]
		add	eax, 4
		mov	[ebp+var_424], 1
		mov	[ebp+var_410], eax
		movzx	eax, word ptr [eax-4]
		mov	dword ptr [ebp+var_448], eax
		test	bl, 20h
		jz	short loc_5871C3
		push	___mb_cur_max	; size_t
		mov	[ebp+var_430], al
		xor	eax, eax
		mov	[ebp-42Fh], al
		lea	eax, [ebp+var_430]
		push	eax		; char *
		lea	eax, [ebp+var_404]
		push	eax		; wchar_t *
		call	__safecrt_mbtowc
		add	esp, 0Ch
		test	eax, eax
		jns	short loc_5871CA
		mov	[ebp+var_414], 1
		jmp	short loc_5871CA
; 

loc_5871C3:				; CODE XREF: __woutput_l+5F9j
		mov	[ebp+var_404], ax

loc_5871CA:				; CODE XREF: __woutput_l+627j
					; __woutput_l+633j
		xor	edi, edi
		lea	esi, [ebp+var_404]
		inc	edi
		jmp	loc_586F28
; 

loc_5871D8:				; CODE XREF: __woutput_l+35Dj
					; __woutput_l+394j
		or	ebx, 40h
		push	0Ah
		jmp	loc_58729A
; 

loc_5871E2:				; CODE XREF: __woutput_l+357j
		sub	ecx, 6Eh
		jz	loc_58741B
		sub	ecx, 1
		jz	loc_587286
		sub	ecx, 1
		jz	short loc_58724D
		sub	ecx, 3
		jz	loc_5870FB
		dec	ecx
		sub	ecx, 1
		jz	short loc_587215
		sub	ecx, 3
		jnz	loc_586F28
		push	27h
		jmp	short loc_587259
; 

loc_587215:				; CODE XREF: __woutput_l+678j
		push	0Ah
		jmp	loc_5872A0
; 

loc_58721C:				; CODE XREF: __woutput_l+592j
		test	esi, esi
		jnz	short loc_587225
		mov	esi, offset aNull ; "(null)"

loc_587225:				; CODE XREF: __woutput_l+690j
		mov	[ebp+var_424], 1
		mov	edi, esi
		test	eax, eax
		jz	short loc_587244
		xor	ecx, ecx

loc_587237:				; CODE XREF: __woutput_l+6B4j
		dec	eax
		cmp	[edi], cx
		jz	short loc_587244
		add	edi, 2
		test	eax, eax
		jnz	short loc_587237

loc_587244:				; CODE XREF: __woutput_l+6A5j
					; __woutput_l+6ADj
		sub	edi, esi
		sar	edi, 1
		jmp	loc_586F28
; 

loc_58724D:				; CODE XREF: __woutput_l+669j
		mov	[ebp+var_418], 8

loc_587257:				; CODE XREF: __woutput_l+378j
		push	7

loc_587259:				; CODE XREF: __woutput_l+685j
		pop	eax
		mov	[ebp+var_444], eax
		test	bl, bl
		jns	short loc_587282
		push	30h
		pop	ecx
		add	eax, 51h
		mov	word ptr [ebp+var_438],	cx
		mov	word ptr [ebp+var_438+2], ax
		mov	[ebp+var_420], 2

loc_587282:				; CODE XREF: __woutput_l+6D4j
		push	10h
		jmp	short loc_5872A0
; 

loc_587286:				; CODE XREF: __woutput_l+660j
		push	8
		pop	edi
		mov	[ebp+var_41C], edi
		test	bl, bl
		jns	short loc_5872A7
		or	ebx, 200h
		push	edi

loc_58729A:				; CODE XREF: __woutput_l+64Fj
		mov	[ebp+var_40C], ebx

loc_5872A0:				; CODE XREF: __woutput_l+689j
					; __woutput_l+6F6j
		pop	edi
		mov	[ebp+var_41C], edi

loc_5872A7:				; CODE XREF: __woutput_l+703j
		test	ebx, 8000h
		jz	short loc_5872C2
		mov	esi, [ebp+var_410]
		add	esi, 8
		mov	ecx, [esi-8]
		mov	edx, [esi-4]

loc_5872BE:				; CODE XREF: __woutput_l+78Bj
		xor	eax, eax
		jmp	short loc_587322
; 

loc_5872C2:				; CODE XREF: __woutput_l+71Fj
		test	ebx, 1000h
		jz	short loc_5872E1
		mov	eax, [ebp+var_410]
		add	eax, 8
		mov	[ebp+var_410], eax
		mov	ecx, [eax-8]
		mov	edx, [eax-4]
		jmp	short loc_58730B
; 

loc_5872E1:				; CODE XREF: __woutput_l+73Aj
		mov	esi, [ebp+var_410]
		mov	eax, ebx
		add	esi, 4
		and	eax, 40h
		mov	[ebp+var_410], esi
		test	bl, 20h
		jz	short loc_58730F
		test	eax, eax
		jz	short loc_587304
		movsx	eax, word ptr [esi-4]
		jmp	short loc_587308
; 

loc_587304:				; CODE XREF: __woutput_l+76Ej
		movzx	eax, word ptr [esi-4]

loc_587308:				; CODE XREF: __woutput_l+774j
		cdq
		mov	ecx, eax

loc_58730B:				; CODE XREF: __woutput_l+751j
		xor	eax, eax
		jmp	short loc_587328
; 

loc_58730F:				; CODE XREF: __woutput_l+76Aj
		test	eax, eax
		jz	short loc_58731B
		mov	eax, [esi-4]
		cdq
		mov	ecx, eax
		jmp	short loc_5872BE
; 

loc_58731B:				; CODE XREF: __woutput_l+783j
		mov	ecx, [esi-4]
		xor	eax, eax
		mov	edx, eax

loc_587322:				; CODE XREF: __woutput_l+732j
		mov	[ebp+var_410], esi

loc_587328:				; CODE XREF: __woutput_l+77Fj
		test	bl, 40h
		jz	short loc_587349
		cmp	edx, eax
		jg	short loc_587349
		jl	short loc_587337
		cmp	ecx, eax
		jnb	short loc_587349

loc_587337:				; CODE XREF: __woutput_l+7A3j
		neg	ecx
		adc	edx, eax
		neg	edx
		or	ebx, 100h
		mov	[ebp+var_40C], ebx

loc_587349:				; CODE XREF: __woutput_l+79Dj
					; __woutput_l+7A1j ...
		test	ebx, 9000h
		jnz	short loc_587353
		mov	edx, eax

loc_587353:				; CODE XREF: __woutput_l+7C1j
		mov	eax, [ebp+var_418]
		test	eax, eax
		jns	short loc_587362
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_58737C
; 

loc_587362:				; CODE XREF: __woutput_l+7CDj
		and	ebx, 0FFFFFFF7h
		mov	eax, 200h
		mov	[ebp+var_40C], ebx
		mov	ebx, [ebp+var_418]
		cmp	ebx, eax
		jle	short loc_58737C
		mov	ebx, eax

loc_58737C:				; CODE XREF: __woutput_l+7D2j
					; __woutput_l+7EAj
		mov	eax, ecx
		or	eax, edx
		jnz	short loc_587388
		mov	[ebp+var_420], eax

loc_587388:				; CODE XREF: __woutput_l+7F2j
		lea	esi, [ebp+var_205]

loc_58738E:				; CODE XREF: __woutput_l+852j
		mov	eax, ebx
		mov	[ebp+var_440], esi
		dec	ebx
		mov	[ebp+var_418], ebx
		test	eax, eax
		jg	short loc_5873A7
		mov	eax, ecx
		or	eax, edx
		jz	short loc_5873E2

loc_5873A7:				; CODE XREF: __woutput_l+811j
		push	ebx
		push	0
		push	edi
		push	edx
		push	ecx
		call	__aulldvrm
		mov	[ebp+var_44C], ebx
		pop	ebx
		nop
		mov	edi, ecx
		mov	ecx, eax
		lea	eax, [edi+30h]
		cmp	eax, 39h
		jle	short loc_5873D1
		mov	eax, [ebp+var_444]
		add	eax, 30h
		add	eax, edi

loc_5873D1:				; CODE XREF: __woutput_l+836j
		mov	edi, [ebp+var_41C]
		mov	ebx, [ebp+var_418]
		mov	[esi], al
		dec	esi
		jmp	short loc_58738E
; 

loc_5873E2:				; CODE XREF: __woutput_l+817j
		mov	ebx, [ebp+var_40C]
		lea	edi, [ebp+var_205]
		sub	edi, esi
		inc	esi
		test	ebx, 200h
		jz	loc_586F28
		test	edi, edi
		jz	short loc_58740A
		cmp	byte ptr [esi],	30h
		jz	loc_586F28

loc_58740A:				; CODE XREF: __woutput_l+871j
		mov	esi, [ebp+var_440]
		inc	edi
		push	30h
		pop	eax
		mov	[esi], al
		jmp	loc_586F28
; 

loc_58741B:				; CODE XREF: __woutput_l+657j
		mov	eax, [ebp+var_410]
		add	eax, 4
		mov	[ebp+var_410], eax
		mov	eax, [eax-4]
		mov	[ebp+var_41C], eax
		call	__get_printf_count_output
		test	eax, eax
		jz	loc_5874FD
		mov	eax, [ebp+var_41C]
		mov	ecx, [ebp+var_408]
		test	bl, 20h
		jz	short loc_587456
		mov	[eax], cx
		jmp	short loc_587458
; 

loc_587456:				; CODE XREF: __woutput_l+8C1j
		mov	[eax], ecx

loc_587458:				; CODE XREF: __woutput_l+8C6j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_414], eax
		jmp	loc_586F2E
; 

loc_587466:				; CODE XREF: __woutput_l+3B3j
		test	bl, 1
		jz	short loc_587472
		push	2Bh
		jmp	loc_586F49
; 

loc_587472:				; CODE XREF: __woutput_l+8DBj
		test	bl, 2
		jz	loc_586F5B
		push	20h
		pop	edx
		mov	word ptr [ebp+var_438],	dx
		mov	[ebp+var_420], 1
		jmp	loc_586F5E
; 

loc_587494:				; CODE XREF: __woutput_l+4A1j
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_408], ecx
		jmp	short loc_5874BC
; 

loc_58749F:				; CODE XREF: __woutput_l+459j
					; __woutput_l+461j
		lea	eax, [ebp+var_408]
		push	eax
		push	[ebp+var_428]
		push	edi
		push	esi
		call	write_string
		add	esp, 10h

loc_5874B6:				; CODE XREF: __woutput_l+4DEj
		mov	ecx, [ebp+var_408]

loc_5874BC:				; CODE XREF: __woutput_l+90Fj
		test	ecx, ecx
		js	short loc_5874EA
		test	bl, 4
		jz	short loc_5874EA
		lea	eax, [ebp+var_408]
		push	eax
		push	[ebp+var_428]
		push	[ebp+var_440]
		push	20h
		pop	eax
		push	eax
		call	write_multi_char
		add	esp, 10h

loc_5874E4:				; CODE XREF: __woutput_l+EFj
					; __woutput_l+125j ...
		mov	ecx, [ebp+var_408] ; default

loc_5874EA:				; CODE XREF: __woutput_l+14Aj
					; __woutput_l+159j ...
		mov	eax, [ebp+arg_4]

loc_5874ED:				; CODE XREF: __woutput_l+9Aj
		movzx	edx, word ptr [eax]
		test	dx, dx
		jnz	loc_586C2D

loc_5874F9:				; CODE XREF: __woutput_l+A8j
		mov	eax, ecx
		jmp	short loc_58750F
; 

loc_5874FD:				; CODE XREF: __woutput_l+509j
					; __woutput_l+51Dj ...
		xor	edx, edx

loc_5874FF:				; CODE XREF: __woutput_l+79j
					; __woutput_l+84j
		push	edx
		push	edx
		push	edx
		push	edx
		push	edx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh

loc_58750F:				; CODE XREF: __woutput_l+96Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
__woutput_l	endp

; 
off_58751E	dd offset loc_586EBB	; DATA XREF: __woutput_l+F5r
		dd offset loc_586C8A	; jump table for switch	statement
		dd offset loc_586CB8
		dd offset loc_586D0C
		dd offset loc_586D67
		dd offset loc_586D74
		dd offset loc_586DBC
		dd offset loc_586EE0

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

write_char	proc near		; CODE XREF: __woutput_l+345p
					; __woutput_l+4BAp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		test	byte ptr [esi+0Ch], 40h
		jz	short loc_587553
		cmp	dword ptr [esi+8], 0
		jz	short loc_587576

loc_587553:				; CODE XREF: write_char+Dj
		push	esi
		push	[ebp+arg_0]
		call	__fputwc_nolock
		pop	ecx
		pop	ecx
		mov	ecx, 0FFFFh
		cmp	ax, cx
		jnz	short loc_587576
		test	byte ptr [esi+0Ch], 20h
		jz	short loc_587576
		mov	eax, [ebp+arg_8]
		or	dword ptr [eax], 0FFFFFFFFh
		jmp	short loc_58757B
; 

loc_587576:				; CODE XREF: write_char+13j
					; write_char+28j ...
		mov	eax, [ebp+arg_8]
		inc	dword ptr [eax]

loc_58757B:				; CODE XREF: write_char+36j
		pop	esi
		pop	ebp
		retn
write_char	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

write_multi_char proc near		; CODE XREF: __woutput_l+400p
					; __woutput_l+44Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jle	short loc_5875A9
		push	edi
		mov	edi, [ebp+arg_C]

loc_58758F:				; CODE XREF: write_multi_char+28j
		push	edi
		push	[ebp+arg_8]
		dec	esi
		push	[ebp+arg_0]
		call	write_char
		add	esp, 0Ch
		cmp	dword ptr [edi], 0FFFFFFFFh
		jz	short loc_5875A8
		test	esi, esi
		jg	short loc_58758F

loc_5875A8:				; CODE XREF: write_multi_char+24j
		pop	edi

loc_5875A9:				; CODE XREF: write_multi_char+Bj
		pop	esi
		pop	ebp
		retn
write_multi_char endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

write_string	proc near		; CODE XREF: __woutput_l+422p
					; __woutput_l+920p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_8]
		test	byte ptr [esi+0Ch], 40h
		jz	short loc_5875CB
		cmp	dword ptr [esi+8], 0
		jnz	short loc_5875CB
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+arg_4]
		add	[ecx], eax
		jmp	short loc_587615
; 

loc_5875CB:				; CODE XREF: write_string+Dj
					; write_string+13j
		push	edi
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jle	short loc_587614
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_C]

loc_5875DA:				; CODE XREF: write_string+65j
		movzx	eax, word ptr [eax]
		dec	edi
		push	ebx
		push	esi
		push	eax
		call	write_char
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		add	eax, 2
		cmp	dword ptr [ebx], 0FFFFFFFFh
		mov	[ebp+arg_0], eax
		jnz	short loc_58760F
		cmp	_gbl_errno, 2Ah
		jnz	short loc_587613
		push	ebx
		push	esi
		push	3Fh
		call	write_char
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch

loc_58760F:				; CODE XREF: write_string+49j
		test	edi, edi
		jg	short loc_5875DA

loc_587613:				; CODE XREF: write_string+52j
		pop	ebx

loc_587614:				; CODE XREF: write_string+25j
		pop	edi

loc_587615:				; CODE XREF: write_string+1Dj
		pop	esi
		pop	ebp
		retn
write_string	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__output_l	proc near		; CODE XREF: __vsnprintf_l+55p
					; __snprintf+54p ...

var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_D		= dword	ptr -0Dh
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 254h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_230], eax
		xor	eax, eax
		push	200h		; size_t
		mov	ebx, eax
		mov	[ebp+var_244], eax
		push	eax		; int
		mov	[ebp+var_234], eax
		mov	esi, eax
		mov	[ebp+var_224], eax
		mov	[ebp+var_22C], eax
		mov	[ebp+var_21C], eax
		lea	eax, [ebp+var_20C]
		push	eax		; void *
		mov	[ebp+var_220], edi
		mov	[ebp+var_214], ebx
		call	_memset
		xor	edx, edx
		add	esp, 0Ch
		mov	[ebp+var_238], edx
		cmp	[ebp+var_230], edx
		jz	loc_587EF3
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_587EF3
		mov	ecx, edx
		mov	[ebp+var_218], edx
		mov	[ebp+var_210], ecx
		mov	[ebp+var_23C], edx
		jmp	loc_587EDD
; 

loc_5876B9:				; CODE XREF: __output_l+8CFj
		inc	eax
		mov	[ebp+arg_4], eax
		test	ecx, ecx
		js	loc_587EED
		lea	eax, [edx-20h]
		movsx	ecx, dl
		cmp	al, 5Ah
		ja	short loc_5876DB
		movsx	eax, byte ptr ds:(loc_408E8E+2)[ecx]
		and	eax, 0Fh
		jmp	short loc_5876DD
; 

loc_5876DB:				; CODE XREF: __output_l+B5j
		xor	eax, eax

loc_5876DD:				; CODE XREF: __output_l+C1j
		mov	edi, [ebp+var_23C]
		movsx	edi, byte ptr ds:(loc_408EAF+1)[edi+eax*8]
		mov	eax, edi
		mov	[ebp+var_23C], edi
		mov	edi, [ebp+var_220]
		sar	eax, 4
		mov	[ebp+var_23C], eax
		cmp	eax, 7		; switch 8 cases
		ja	loc_587ED4	; default
		jmp	ds:off_587F14[eax*4] ; switch jump

loc_587712:				; DATA XREF: .text:off_587F14o
		xor	eax, eax	; case 0x1
		or	[ebp+var_224], 0FFFFFFFFh
		mov	ebx, eax
		mov	[ebp+var_21C], eax
		mov	[ebp+var_234], eax
		mov	[ebp+var_22C], eax
		mov	[ebp+var_214], ebx
		mov	[ebp+var_238], eax
		jmp	loc_587ED4	; default
; 

loc_587740:				; CODE XREF: __output_l+F3j
					; DATA XREF: .text:off_587F14o
		sub	ecx, 20h	; case 0x2
		jz	short loc_58778D
		sub	ecx, 3
		jz	short loc_587785
		sub	ecx, 8
		jz	short loc_587780
		dec	ecx
		sub	ecx, 1
		jz	short loc_587772
		sub	ecx, 3
		mov	ecx, [ebp+var_210]
		jnz	loc_587EDA
		or	ebx, 8
		mov	[ebp+var_214], ebx
		jmp	loc_587EDA
; 

loc_587772:				; CODE XREF: __output_l+13Bj
		or	ebx, 4

loc_587775:				; CODE XREF: __output_l+16Bj
					; __output_l+173j ...
		mov	[ebp+var_214], ebx
		jmp	loc_587ED4	; default
; 

loc_587780:				; CODE XREF: __output_l+135j
		or	ebx, 1
		jmp	short loc_587775
; 

loc_587785:				; CODE XREF: __output_l+130j
		or	ebx, 80h
		jmp	short loc_587775
; 

loc_58778D:				; CODE XREF: __output_l+12Bj
		or	ebx, 2
		jmp	short loc_587775
; 

loc_587792:				; CODE XREF: __output_l+F3j
					; DATA XREF: .text:off_587F14o
		cmp	dl, 2Ah		; case 0x3
		jnz	short loc_5877CC
		mov	eax, [edi]
		add	edi, 4
		mov	ecx, [ebp+var_210]
		mov	[ebp+var_220], edi
		mov	[ebp+var_234], eax
		test	eax, eax
		jns	loc_587EDA
		or	ebx, 4
		neg	eax
		mov	[ebp+var_214], ebx
		mov	[ebp+var_234], eax
		jmp	loc_587EDA
; 

loc_5877CC:				; CODE XREF: __output_l+17Dj
		imul	eax, [ebp+var_234], arg_0+2
		add	eax, 0FFFFFFD0h
		add	eax, ecx
		mov	[ebp+var_234], eax
		jmp	loc_587ED4	; default
; 

loc_5877E3:				; CODE XREF: __output_l+F3j
					; DATA XREF: .text:off_587F14o
		xor	eax, eax	; case 0x4

loc_5877E5:				; CODE XREF: __output_l+214j
		mov	[ebp+var_224], eax
		jmp	loc_587ED4	; default
; 

loc_5877F0:				; CODE XREF: __output_l+F3j
					; DATA XREF: .text:off_587F14o
		cmp	dl, 2Ah		; case 0x5
		jnz	short loc_587820
		mov	eax, [edi]
		add	edi, 4
		mov	ecx, [ebp+var_210]
		mov	[ebp+var_220], edi
		mov	[ebp+var_224], eax
		test	eax, eax
		jns	loc_587EDA
		or	[ebp+var_224], 0FFFFFFFFh
		jmp	loc_587EDA
; 

loc_587820:				; CODE XREF: __output_l+1DBj
		imul	eax, [ebp+var_224], arg_0+2
		add	eax, 0FFFFFFD0h
		add	eax, ecx
		jmp	short loc_5877E5
; 

loc_58782E:				; CODE XREF: __output_l+F3j
					; DATA XREF: .text:off_587F14o
		sub	ecx, 49h	; case 0x6
		jz	short loc_587857
		sub	ecx, 1Fh
		jz	short loc_5878AF
		dec	ecx
		sub	ecx, 1
		jz	short loc_587857
		dec	ecx
		sub	ecx, 1
		jz	short loc_587887
		sub	ecx, 8
		jz	short loc_587857
		sub	ecx, 3
		jz	short loc_58787C
		sub	ecx, 3
		jnz	loc_587ED4	; default

loc_587857:				; CODE XREF: __output_l+219j
					; __output_l+224j ...
		cmp	dl, 49h
		jnz	short loc_5878D2
		mov	edi, [ebp+arg_4]
		mov	al, [edi]
		cmp	al, 36h
		jnz	short loc_5878B7
		cmp	byte ptr [edi+1], 34h
		jnz	short loc_5878B7
		add	edi, 2
		mov	[ebp+arg_4], edi

loc_587871:				; CODE XREF: __output_l+2BDj
		or	ebx, 8000h
		jmp	loc_587775
; 

loc_58787C:				; CODE XREF: __output_l+234j
		or	ebx, 800h
		jmp	loc_587775
; 

loc_587887:				; CODE XREF: __output_l+22Aj
		mov	eax, [ebp+arg_4]
		mov	cl, [eax]
		cmp	cl, 6Ch
		jnz	short loc_587895
		inc	eax
		mov	[ebp+arg_4], eax

loc_587895:				; CODE XREF: __output_l+277j
		xor	eax, eax
		cmp	cl, 6Ch
		setz	al
		dec	eax
		and	eax, 0FFFFF010h
		add	eax, 1000h
		or	ebx, eax
		jmp	loc_587775
; 

loc_5878AF:				; CODE XREF: __output_l+21Ej
		or	ebx, 20h
		jmp	loc_587775
; 

loc_5878B7:				; CODE XREF: __output_l+24Bj
					; __output_l+251j
		cmp	al, 33h
		jnz	short loc_5878DA
		cmp	byte ptr [edi+1], 32h
		jnz	short loc_5878DA
		add	edi, 2
		and	ebx, 0FFFF7FFFh
		mov	[ebp+arg_4], edi
		jmp	loc_587775
; 

loc_5878D2:				; CODE XREF: __output_l+242j
		cmp	dl, 6Ah
		jz	short loc_587871
		mov	edi, [ebp+arg_4]

loc_5878DA:				; CODE XREF: __output_l+2A1j
					; __output_l+2A7j
		mov	al, [edi]
		cmp	al, 64h
		jz	loc_587ED4	; default
		cmp	al, 69h
		jz	loc_587ED4	; default
		cmp	al, 6Fh
		jz	loc_587ED4	; default
		cmp	al, 75h
		jz	loc_587ED4	; default
		cmp	al, 78h
		jz	loc_587ED4	; default
		cmp	al, 58h
		jz	loc_587ED4	; default
		xor	eax, eax
		mov	[ebp+var_23C], eax
		jmp	short loc_587918
; 

loc_587916:				; CODE XREF: __output_l+F3j
					; DATA XREF: .text:off_587F14o
		xor	eax, eax	; case 0x0

loc_587918:				; CODE XREF: __output_l+2FCj
		mov	[ebp+var_238], eax
		lea	eax, [ebp+var_210]
		push	eax
		push	[ebp+var_230]
		push	[ebp+var_248]
		call	sub_587F34
		add	esp, 0Ch
		jmp	loc_587ED4	; default
; 

loc_58793E:				; CODE XREF: __output_l+F3j
					; DATA XREF: .text:off_587F14o
		cmp	ecx, 69h	; case 0x7
		jg	loc_587B27
		jz	loc_587B13
		sub	ecx, 43h
		jz	loc_587AA0
		sub	ecx, 10h
		jz	loc_587A32
		sub	ecx, 5
		jz	loc_587B9A
		dec	ecx
		sub	ecx, 1
		jz	short loc_5879AF
		sub	ecx, 9
		jz	loc_587AB4
		sub	ecx, 1
		jz	loc_587B13

loc_587980:				; CODE XREF: __output_l+3EEj
					; __output_l+401j ...
		mov	eax, [ebp+var_21C]

loc_587986:				; CODE XREF: __output_l+74Dj
		test	eax, eax
		jnz	loc_587ED4	; default
		test	bl, 40h
		jz	loc_587D8E
		test	ebx, 100h
		jz	loc_587D6A
		mov	byte ptr [ebp+var_228],	2Dh
		jmp	loc_587D84
; 

loc_5879AF:				; CODE XREF: __output_l+354j
		mov	ecx, [edi]
		add	edi, 4
		mov	[ebp+var_220], edi
		test	ecx, ecx
		jz	short loc_587A1E
		mov	esi, [ecx+4]
		test	esi, esi
		jz	short loc_587A1E
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		cmp	[ecx+2], ax
		jb	loc_587EF1
		mov	ecx, edx
		test	ebx, 800h
		jz	short loc_587A0B
		not	eax
		test	al, 1
		jz	loc_587EF1
		mov	eax, esi
		not	eax
		test	al, 1
		jz	loc_587EF1
		shr	ecx, 1
		mov	[ebp+var_218], ecx
		mov	[ebp+var_238], 1
		jmp	loc_587980
; 

loc_587A0B:				; CODE XREF: __output_l+3C4j
		xor	eax, eax
		mov	[ebp+var_218], ecx
		mov	[ebp+var_238], eax
		jmp	loc_587980
; 

loc_587A1E:				; CODE XREF: __output_l+3A4j
					; __output_l+3ABj
		mov	esi, offset loc_408EA8
		mov	[ebp+var_218], 6
		jmp	loc_587980
; 

loc_587A32:				; CODE XREF: __output_l+341j
		test	ebx, 830h
		jnz	short loc_587A46
		or	ebx, 800h
		mov	[ebp+var_214], ebx

loc_587A46:				; CODE XREF: __output_l+420j
					; __output_l+529j
		mov	eax, [ebp+var_224]
		mov	ecx, 7FFFFFFFh
		cmp	eax, 0FFFFFFFFh
		jz	short loc_587A58
		mov	ecx, eax

loc_587A58:				; CODE XREF: __output_l+43Cj
		mov	esi, [edi]
		add	edi, 4
		mov	[ebp+var_220], edi
		test	ebx, 810h
		jz	loc_587B6B
		test	esi, esi
		jnz	short loc_587A78
		mov	esi, offset aNull ; "(null)"

loc_587A78:				; CODE XREF: __output_l+459j
		mov	[ebp+var_238], 1
		mov	eax, esi
		test	ecx, ecx
		jz	short loc_587A97
		xor	edx, edx

loc_587A8A:				; CODE XREF: __output_l+47Dj
		dec	ecx
		cmp	[eax], dx
		jz	short loc_587A97
		add	eax, 2
		test	ecx, ecx
		jnz	short loc_587A8A

loc_587A97:				; CODE XREF: __output_l+46Ej
					; __output_l+476j
		sub	eax, esi
		sar	eax, 1
		jmp	loc_587B85
; 

loc_587AA0:				; CODE XREF: __output_l+338j
		test	ebx, 830h
		jnz	short loc_587AB4
		or	ebx, 800h
		mov	[ebp+var_214], ebx

loc_587AB4:				; CODE XREF: __output_l+359j
					; __output_l+48Ej
		add	edi, 4
		mov	[ebp+var_220], edi
		test	ebx, 810h
		jz	short loc_587AF5
		movzx	eax, word ptr [edi-4]
		push	eax
		push	200h
		lea	eax, [ebp+var_20C]
		push	eax
		lea	eax, [ebp+var_218]
		push	eax
		call	_wctomb_s
		add	esp, 10h
		test	eax, eax
		jz	short loc_587B08
		mov	[ebp+var_21C], 1
		jmp	short loc_587B08
; 

loc_587AF5:				; CODE XREF: __output_l+4ABj
		mov	al, [edi-4]
		mov	byte ptr [ebp+var_20C],	al
		mov	[ebp+var_218], 1

loc_587B08:				; CODE XREF: __output_l+4CFj
					; __output_l+4DBj
		lea	esi, [ebp+var_20C]
		jmp	loc_587980
; 

loc_587B13:				; CODE XREF: __output_l+32Fj
					; __output_l+362j
		or	ebx, 40h
		mov	[ebp+var_218], 0Ah
		xor	esi, esi
		jmp	loc_587BEC
; 

loc_587B27:				; CODE XREF: __output_l+329j
		sub	ecx, 6Eh
		jz	loc_587D31
		sub	ecx, 1
		jz	loc_587BCC
		sub	ecx, 1
		jz	short loc_587B90
		sub	ecx, 3
		jz	loc_587A46
		dec	ecx
		sub	ecx, 1
		jz	short loc_587B5A
		sub	ecx, 3
		jnz	loc_587980
		push	27h
		jmp	short loc_587B9C
; 

loc_587B5A:				; CODE XREF: __output_l+533j
		mov	[ebp+var_218], 0Ah

loc_587B64:				; CODE XREF: __output_l+5B2j
		xor	esi, esi
		jmp	loc_587BF2
; 

loc_587B6B:				; CODE XREF: __output_l+451j
		test	esi, esi
		jnz	short loc_587B74
		mov	esi, offset loc_408EA8

loc_587B74:				; CODE XREF: __output_l+555j
		mov	eax, esi
		jmp	short loc_587B7F
; 

loc_587B78:				; CODE XREF: __output_l+569j
		dec	ecx
		cmp	byte ptr [eax],	0
		jz	short loc_587B83
		inc	eax

loc_587B7F:				; CODE XREF: __output_l+55Ej
		test	ecx, ecx
		jnz	short loc_587B78

loc_587B83:				; CODE XREF: __output_l+564j
		sub	eax, esi

loc_587B85:				; CODE XREF: __output_l+483j
					; __output_l+714j
		mov	[ebp+var_218], eax
		jmp	loc_587980
; 

loc_587B90:				; CODE XREF: __output_l+524j
		mov	[ebp+var_224], 8

loc_587B9A:				; CODE XREF: __output_l+34Aj
		push	7

loc_587B9C:				; CODE XREF: __output_l+540j
		pop	eax
		mov	[ebp+var_244], eax
		test	bl, bl
		jns	short loc_587BC0
		add	al, 51h
		mov	byte ptr [ebp+var_228],	30h
		mov	byte ptr [ebp+var_228+1], al
		mov	[ebp+var_22C], 2

loc_587BC0:				; CODE XREF: __output_l+58Dj
		mov	[ebp+var_218], 10h
		jmp	short loc_587B64
; 

loc_587BCC:				; CODE XREF: __output_l+51Bj
		xor	esi, esi
		mov	[ebp+var_218], 8
		test	bl, bl
		jns	short loc_587BF2
		or	ebx, 200h
		mov	[ebp+var_218], 8

loc_587BEC:				; CODE XREF: __output_l+50Aj
		mov	[ebp+var_214], ebx

loc_587BF2:				; CODE XREF: __output_l+54Ej
					; __output_l+5C2j
		test	ebx, 8000h
		jz	short loc_587C04

loc_587BFA:				; CODE XREF: __output_l+5F2j
		mov	ecx, [edi]
		add	edi, 8
		mov	edx, [edi-4]
		jmp	short loc_587C43
; 

loc_587C04:				; CODE XREF: __output_l+5E0j
		test	ebx, 1000h
		jnz	short loc_587BFA
		mov	eax, ebx
		add	edi, 4
		and	eax, 40h
		mov	[ebp+var_220], edi
		test	bl, 20h
		jz	short loc_587C32
		test	eax, eax
		jz	short loc_587C29
		movsx	eax, word ptr [edi-4]
		jmp	short loc_587C2D
; 

loc_587C29:				; CODE XREF: __output_l+609j
		movzx	eax, word ptr [edi-4]

loc_587C2D:				; CODE XREF: __output_l+60Fj
		cdq
		mov	ecx, eax
		jmp	short loc_587C49
; 

loc_587C32:				; CODE XREF: __output_l+605j
		test	eax, eax
		jz	short loc_587C3E
		mov	eax, [edi-4]
		cdq
		mov	ecx, eax
		jmp	short loc_587C43
; 

loc_587C3E:				; CODE XREF: __output_l+61Cj
		mov	ecx, [edi-4]
		mov	edx, esi

loc_587C43:				; CODE XREF: __output_l+5EAj
					; __output_l+624j
		mov	[ebp+var_220], edi

loc_587C49:				; CODE XREF: __output_l+618j
		test	bl, 40h
		jz	short loc_587C6A
		cmp	edx, esi
		jg	short loc_587C6A
		jl	short loc_587C58
		cmp	ecx, esi
		jnb	short loc_587C6A

loc_587C58:				; CODE XREF: __output_l+63Aj
		neg	ecx
		adc	edx, esi
		neg	edx
		or	ebx, 100h
		mov	[ebp+var_214], ebx

loc_587C6A:				; CODE XREF: __output_l+634j
					; __output_l+638j ...
		test	ebx, 9000h
		jnz	short loc_587C74
		mov	edx, esi

loc_587C74:				; CODE XREF: __output_l+658j
		mov	eax, [ebp+var_224]
		test	eax, eax
		jns	short loc_587C83
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_587C9D
; 

loc_587C83:				; CODE XREF: __output_l+664j
		and	ebx, 0FFFFFFF7h
		mov	eax, 200h
		mov	[ebp+var_214], ebx
		mov	ebx, [ebp+var_224]
		cmp	ebx, eax
		jle	short loc_587C9D
		mov	ebx, eax

loc_587C9D:				; CODE XREF: __output_l+669j
					; __output_l+681j
		mov	eax, ecx
		or	eax, edx
		jnz	short loc_587CA9
		mov	[ebp+var_22C], esi

loc_587CA9:				; CODE XREF: __output_l+689j
		lea	esi, [ebp+var_D]

loc_587CAC:				; CODE XREF: __output_l+6E1j
		mov	eax, ebx
		mov	edi, esi
		dec	ebx
		mov	[ebp+var_224], ebx
		test	eax, eax
		jg	short loc_587CC1
		mov	eax, ecx
		or	eax, edx
		jz	short loc_587CFB

loc_587CC1:				; CODE XREF: __output_l+6A1j
		push	ebx
		push	0
		push	[ebp+var_218]
		push	edx
		push	ecx
		call	__aulldvrm
		mov	[ebp+var_250], ebx
		pop	ebx
		nop
		mov	edi, ecx
		mov	ecx, eax
		lea	eax, [edi+30h]
		cmp	eax, 39h
		jle	short loc_587CF0
		mov	eax, [ebp+var_244]
		add	eax, 30h
		add	eax, edi

loc_587CF0:				; CODE XREF: __output_l+6CBj
		mov	ebx, [ebp+var_224]
		mov	[esi], al
		dec	esi
		jmp	short loc_587CAC
; 

loc_587CFB:				; CODE XREF: __output_l+6A7j
		mov	ebx, [ebp+var_214]
		lea	eax, [ebp+var_D]
		sub	eax, esi
		inc	esi
		mov	[ebp+var_218], eax
		test	ebx, 200h
		jz	loc_587980
		test	eax, eax
		jz	short loc_587D26
		cmp	byte ptr [esi],	30h
		jz	loc_587980

loc_587D26:				; CODE XREF: __output_l+703j
		mov	esi, edi
		inc	eax
		mov	byte ptr [esi],	30h
		jmp	loc_587B85
; 

loc_587D31:				; CODE XREF: __output_l+512j
		add	edi, 4
		mov	[ebp+var_220], edi
		mov	edi, [edi-4]
		call	__get_printf_count_output
		test	eax, eax
		jz	loc_587EF1
		mov	eax, [ebp+var_210]
		test	bl, 20h
		jz	short loc_587D5A
		mov	[edi], ax
		jmp	short loc_587D5C
; 

loc_587D5A:				; CODE XREF: __output_l+73Bj
		mov	[edi], eax

loc_587D5C:				; CODE XREF: __output_l+740j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_21C], eax
		jmp	loc_587986
; 

loc_587D6A:				; CODE XREF: __output_l+385j
		test	bl, 1
		jz	short loc_587D78
		mov	byte ptr [ebp+var_228],	2Bh
		jmp	short loc_587D84
; 

loc_587D78:				; CODE XREF: __output_l+755j
		test	bl, 2
		jz	short loc_587D8E
		mov	byte ptr [ebp+var_228],	20h

loc_587D84:				; CODE XREF: __output_l+392j
					; __output_l+75Ej
		mov	[ebp+var_22C], 1

loc_587D8E:				; CODE XREF: __output_l+379j
					; __output_l+763j
		mov	edi, [ebp+var_234]
		mov	eax, ebx
		sub	edi, [ebp+var_218]
		sub	edi, [ebp+var_22C]
		and	eax, 0Ch
		mov	[ebp+var_240], eax
		jnz	short loc_587DC5
		lea	eax, [ebp+var_210]
		push	eax
		push	[ebp+var_230]
		push	edi
		push	20h
		call	sub_587F7E
		add	esp, 10h

loc_587DC5:				; CODE XREF: __output_l+793j
		lea	eax, [ebp+var_210]
		push	eax
		push	[ebp+var_230]
		lea	eax, [ebp+var_228]
		push	[ebp+var_22C]
		push	eax
		call	sub_587FAC
		add	esp, 10h
		cmp	[ebp+var_240], 8
		jnz	short loc_587E08
		lea	eax, [ebp+var_210]
		push	eax
		push	[ebp+var_230]
		push	edi
		push	30h
		call	sub_587F7E
		add	esp, 10h

loc_587E08:				; CODE XREF: __output_l+7D6j
		cmp	[ebp+var_238], 0
		mov	eax, [ebp+var_218]
		jz	short loc_587E96
		test	eax, eax
		jle	short loc_587E96
		xor	ecx, ecx
		mov	[ebp+var_240], ecx
		mov	ecx, esi

loc_587E25:				; CODE XREF: __output_l+86Fj
		dec	eax
		mov	[ebp+var_24C], eax
		movzx	eax, word ptr [ecx]
		add	ecx, 2
		push	eax
		push	6
		lea	eax, [ebp+var_D+1]
		mov	[ebp+var_250], ecx
		push	eax
		lea	eax, [ebp+var_240]
		push	eax
		call	_wctomb_s
		add	esp, 10h
		test	eax, eax
		jnz	short loc_587E8B
		cmp	[ebp+var_240], eax
		jz	short loc_587E8B
		lea	eax, [ebp+var_210]
		push	eax
		push	[ebp+var_230]
		lea	eax, [ebp+var_D+1]
		push	[ebp+var_240]
		push	eax
		call	sub_587FAC
		mov	eax, [ebp+var_24C]
		add	esp, 10h
		mov	ecx, [ebp+var_250]
		test	eax, eax
		jnz	short loc_587E25
		jmp	short loc_587EAD
; 

loc_587E8B:				; CODE XREF: __output_l+838j
					; __output_l+840j
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_210], ecx
		jmp	short loc_587EB3
; 

loc_587E96:				; CODE XREF: __output_l+7FDj
					; __output_l+801j
		lea	ecx, [ebp+var_210]
		push	ecx
		push	[ebp+var_230]
		push	eax
		push	esi
		call	sub_587FAC
		add	esp, 10h

loc_587EAD:				; CODE XREF: __output_l+871j
		mov	ecx, [ebp+var_210]

loc_587EB3:				; CODE XREF: __output_l+87Cj
		test	ecx, ecx
		js	short loc_587EDA
		test	bl, 4
		jz	short loc_587EDA
		lea	eax, [ebp+var_210]
		push	eax
		push	[ebp+var_230]
		push	edi
		push	20h
		call	sub_587F7E
		add	esp, 10h

loc_587ED4:				; CODE XREF: __output_l+EDj
					; __output_l+123j ...
		mov	ecx, [ebp+var_210] ; default

loc_587EDA:				; CODE XREF: __output_l+146j
					; __output_l+155j ...
		mov	eax, [ebp+arg_4]

loc_587EDD:				; CODE XREF: __output_l+9Cj
		mov	dl, [eax]
		mov	byte ptr [ebp+var_248],	dl
		test	dl, dl
		jnz	loc_5876B9

loc_587EED:				; CODE XREF: __output_l+A7j
		mov	eax, ecx
		jmp	short loc_587F03
; 

loc_587EF1:				; CODE XREF: __output_l+3B6j
					; __output_l+3CAj ...
		xor	edx, edx

loc_587EF3:				; CODE XREF: __output_l+77j
					; __output_l+82j
		push	edx
		push	edx
		push	edx
		push	edx
		push	edx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh

loc_587F03:				; CODE XREF: __output_l+8D7j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
__output_l	endp

; 
		align 4
off_587F14	dd offset loc_587916	; DATA XREF: __output_l+F3r
		dd offset loc_587712	; jump table for switch	statement
		dd offset loc_587740
		dd offset loc_587792
		dd offset loc_5877E3
		dd offset loc_5877F0
		dd offset loc_58782E
		dd offset loc_58793E

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_587F34	proc near		; CODE XREF: __output_l+319p
					; sub_587F7E+19p ...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		test	byte ptr [edx+0Ch], 40h
		jz	short loc_587F48
		cmp	dword ptr [edx+8], 0
		jz	short loc_587F76

loc_587F48:				; CODE XREF: sub_587F34+Cj
		sub	dword ptr [edx+4], 1
		js	short loc_587F5C
		mov	eax, [edx]
		mov	cl, [ebp+arg_0]
		mov	[eax], cl
		inc	dword ptr [edx]
		movzx	eax, cl
		jmp	short loc_587F69
; 

loc_587F5C:				; CODE XREF: sub_587F34+18j
		movsx	eax, [ebp+arg_0]
		push	edx		; FILE *
		push	eax		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx

loc_587F69:				; CODE XREF: sub_587F34+26j
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_587F76
		mov	eax, [ebp+arg_8]
		or	dword ptr [eax], 0FFFFFFFFh
		pop	ebp
		retn
; 

loc_587F76:				; CODE XREF: sub_587F34+12j
					; sub_587F34+38j
		mov	eax, [ebp+arg_8]
		inc	dword ptr [eax]
		pop	ebp
		retn
sub_587F34	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_587F7E	proc near		; CODE XREF: __output_l+7A5p
					; __output_l+7E8p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jle	short loc_587FA9
		push	edi
		mov	edi, [ebp+arg_C]

loc_587F8F:				; CODE XREF: sub_587F7E+28j
		push	edi
		push	[ebp+arg_8]
		dec	esi
		push	[ebp+arg_0]
		call	sub_587F34
		add	esp, 0Ch
		cmp	dword ptr [edi], 0FFFFFFFFh
		jz	short loc_587FA8
		test	esi, esi
		jg	short loc_587F8F

loc_587FA8:				; CODE XREF: sub_587F7E+24j
		pop	edi

loc_587FA9:				; CODE XREF: sub_587F7E+Bj
		pop	esi
		pop	ebp
		retn
sub_587F7E	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_587FAC	proc near		; CODE XREF: __output_l+7C7p
					; __output_l+859p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_8]
		test	byte ptr [esi+0Ch], 40h
		jz	short loc_587FCB
		cmp	dword ptr [esi+8], 0
		jnz	short loc_587FCB
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+arg_4]
		add	[ecx], eax
		jmp	short loc_588013
; 

loc_587FCB:				; CODE XREF: sub_587FAC+Dj
					; sub_587FAC+13j
		push	edi
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jle	short loc_588012
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_C]

loc_587FDA:				; CODE XREF: sub_587FAC+63j
		movzx	eax, byte ptr [eax]
		dec	edi
		push	ebx
		push	esi
		push	eax
		call	sub_587F34
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		inc	eax
		cmp	dword ptr [ebx], 0FFFFFFFFh
		mov	[ebp+arg_0], eax
		jnz	short loc_58800D
		cmp	_gbl_errno, 2Ah
		jnz	short loc_588011
		push	ebx
		push	esi
		push	3Fh
		call	sub_587F34
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch

loc_58800D:				; CODE XREF: sub_587FAC+47j
		test	edi, edi
		jg	short loc_587FDA

loc_588011:				; CODE XREF: sub_587FAC+50j
		pop	ebx

loc_588012:				; CODE XREF: sub_587FAC+25j
		pop	edi

loc_588013:				; CODE XREF: sub_587FAC+1Dj
		pop	esi
		pop	ebp
		retn
sub_587FAC	endp


;  S U B	R O U T	I N E 


___pctype_func	proc near		; CODE XREF: strtoxlX+45p strtoxlX+E3p ...
		mov	eax, __pctype
		retn
___pctype_func	endp

; 
		align 10h

;  S U B	R O U T	I N E 


__trandisp1	proc near
		cmp	byte ptr [edx+0Eh], 5
		jnz	short loc_588037
		mov	bx, [ebp-0A4h]
		or	bh, 2
		and	bh, 0FEh
		mov	bl, 3Fh
		jmp	short loc_58803B
; 

loc_588037:				; CODE XREF: __trandisp1+4j
		mov	bx, 133Fh

loc_58803B:				; CODE XREF: __trandisp1+15j
		mov	[ebp-0A2h], bx
		fldcw	word ptr [ebp-0A2h]
		mov	ebx, offset unk_6B3C3D
		fxam
		mov	[ebp-94h], edx
		fstsw	word ptr [ebp-0A0h]
		mov	byte ptr [ebp-90h], 0
		wait
		mov	cl, [ebp-9Fh]
		shl	cl, 1
		sar	cl, 1
		rol	cl, 1
		mov	al, cl
		and	al, 0Fh
		xlat
		movsx	eax, al
		and	ecx, 404h
		mov	ebx, edx
		add	ebx, eax
		add	ebx, 10h
		jmp	dword ptr [ebx]
__trandisp1	endp


;  S U B	R O U T	I N E 


__trandisp2	proc near
		cmp	byte ptr [edx+0Eh], 5
		jnz	short loc_58809E
		mov	bx, [ebp-0A4h]
		or	bh, 2
		and	bh, 0FEh
		mov	bl, 3Fh
		jmp	short loc_5880A2
; 

loc_58809E:				; CODE XREF: __trandisp2+4j
		mov	bx, 133Fh

loc_5880A2:				; CODE XREF: __trandisp2+15j
		mov	[ebp-0A2h], bx
		fldcw	word ptr [ebp-0A2h]
		mov	ebx, offset unk_6B3C3D
		fxam
		mov	[ebp-94h], edx
		fstsw	word ptr [ebp-0A0h]
		mov	byte ptr [ebp-90h], 0
		fxch	st(1)
		mov	cl, [ebp-9Fh]
		fxam
		fstsw	word ptr [ebp-0A0h]
		fxch	st(1)
		mov	ch, [ebp-9Fh]
		shl	ch, 1
		sar	ch, 1
		rol	ch, 1
		mov	al, ch
		and	al, 0Fh
		xlat
		mov	ah, al
		shl	cl, 1
		sar	cl, 1
		rol	cl, 1
		mov	al, cl
		and	al, 0Fh
		xlat
		shl	ah, 1
		shl	ah, 1
		or	al, ah
		movsx	eax, al
		and	ecx, 404h
		mov	ebx, edx
		add	ebx, eax
		add	ebx, 10h
		jmp	dword ptr [ebx]
__trandisp2	endp


;  S U B	R O U T	I N E 


__rttospopde	proc near
		call	__rttosnpopde
__rttospopde	endp


;  S U B	R O U T	I N E 


__rttospop	proc near
		fxch	st(1)

__rtnospop:				; CODE XREF: __rtnospopde+5j
		fstp	st

__rttosnpop:
		retn
__rttospop	endp


;  S U B	R O U T	I N E 


__rtnospopde	proc near
		call	__rttosnpopde
		jmp	short __rtnospop
__rtnospopde	endp


;  S U B	R O U T	I N E 


__rtzeropop	proc near
		fstp	st

__rtzeronpop:
		fstp	st
		fldz
		retn
__rtzeropop	endp


;  S U B	R O U T	I N E 


__rtonepop	proc near
		fstp	st
__rtonepop	endp


;  S U B	R O U T	I N E 


__rtonenpop	proc near
		fstp	st
		fld1
		retn
__rtonenpop	endp


;  S U B	R O U T	I N E 


__tosnan1	proc near
		fstp	tbyte ptr [ebp-9Eh]
		fld	tbyte ptr [ebp-9Eh]
		test	byte ptr [ebp-97h], 40h
		jz	short loc_58814F
		mov	byte ptr [ebp-90h], 7
		retn
; 

loc_58814F:				; CODE XREF: __tosnan1+13j
		mov	byte ptr [ebp-90h], 1
		fadd	dbl_6B3C34
		retn
__tosnan1	endp


;  S U B	R O U T	I N E 


__nosnan2	proc near
		fxch	st(1)

__tosnan2:
		fstp	tbyte ptr [ebp-9Eh]
		fld	tbyte ptr [ebp-9Eh]
		test	byte ptr [ebp-97h], 40h
		jz	short loc_58817D
		mov	byte ptr [ebp-90h], 7
		jmp	short loc_588184
; 

loc_58817D:				; CODE XREF: __nosnan2+15j
		mov	byte ptr [ebp-90h], 1

loc_588184:				; CODE XREF: __nosnan2+1Ej
		faddp	st(1), st
		retn
__nosnan2	endp


;  S U B	R O U T	I N E 


__nan2		proc near
		fstp	tbyte ptr [ebp-9Eh]
		fld	tbyte ptr [ebp-9Eh]
		test	byte ptr [ebp-97h], 40h
		jz	short loc_5881BC
		fxch	st(1)
		fstp	tbyte ptr [ebp-9Eh]
		fld	tbyte ptr [ebp-9Eh]
		test	byte ptr [ebp-97h], 40h
		jz	short loc_5881BC
		mov	byte ptr [ebp-90h], 7
		jmp	short loc_5881C3
; 

loc_5881BC:				; CODE XREF: __nan2+13j __nan2+2Aj
		mov	byte ptr [ebp-90h], 1

loc_5881C3:				; CODE XREF: __nan2+33j
		faddp	st(1), st
		retn
__nan2		endp


;  S U B	R O U T	I N E 


__rtindfpop	proc near
		fstp	st

__rtindfnpop:
		fstp	st
		fld	__indefinite
		cmp	byte ptr [ebp-90h], 0
		jg	short loc_5881E0

__rttosnpopde:				; CODE XREF: __rttospopdep
					; __rtnospopdep
		mov	byte ptr [ebp-90h], 1

loc_5881E0:				; CODE XREF: __rtindfpop+11j
		or	cl, cl
		retn
__rtindfpop	endp


;  S U B	R O U T	I N E 


__rtchsifneg	proc near
		or	cl, cl
		jz	short locret_5881E9
		fchs

locret_5881E9:				; CODE XREF: __rtchsifneg+2j
		retn
__rtchsifneg	endp

; 
		align 10h

;  S U B	R O U T	I N E 


__twoToTOS	proc near
		fld	st
		frndint
		fsubr	st(1), st
		fxch	st(1)
		fchs
		f2xm1
		fld1
		faddp	st(1), st
		fscale
		fstp	st(1)
		retn
__twoToTOS	endp


;  S U B	R O U T	I N E 


__load_CW	proc near		; CODE XREF: sub_58319D+13p

arg_0		= dword	ptr  4

		mov	edx, [esp+arg_0]
		and	edx, 300h
		or	edx, 7Fh
		mov	word ptr [esp+arg_0+2],	dx
		fldcw	word ptr [esp+arg_0+2]
		retn
__load_CW	endp


;  S U B	R O U T	I N E 


__convertTOStoQNaN proc	near		; CODE XREF: sub_58302F:loc_58307Fp
					; sub_5830EF:loc_58313Fp ...
		test	eax, 80000h
		jz	short loc_588229
		mov	eax, 7
		retn
; 

loc_588229:				; CODE XREF: __convertTOStoQNaN+5j
		fadd	ds:dbl_409720
		mov	eax, 1
		retn
__convertTOStoQNaN endp


;  S U B	R O U T	I N E 


__fload_withFB	proc near		; CODE XREF: __cos_default+4p
					; __sin_default+4p ...

var_A		= tbyte	ptr -0Ah

		mov	eax, [edx+4]
		and	eax, 7FF00000h
		cmp	eax, 7FF00000h
		jz	short loc_588247
		fld	qword ptr [edx]
		retn
; 

loc_588247:				; CODE XREF: __fload_withFB+Dj
		mov	eax, [edx+4]
		sub	esp, 0Ah
		or	eax, 7FFF0000h
		mov	dword ptr [esp+0Ah+var_A+6], eax
		mov	eax, [edx+4]
		mov	ecx, [edx]
		shld	eax, ecx, 0Bh
		shl	ecx, 0Bh
		mov	[esp+4], eax
		mov	dword ptr [esp+0Ah+var_A], ecx
		fld	[esp+0Ah+var_A]
		add	esp, 0Ah
		test	eax, 0
		mov	eax, [edx+4]
		retn
__fload_withFB	endp


;  S U B	R O U T	I N E 


__checkTOS_withFB proc near		; CODE XREF: __CIcos_default+6p
					; __CIsin+8p ...

arg_4		= dword	ptr  8

		mov	eax, [esp+arg_4]
		and	eax, 7FF00000h
		cmp	eax, 7FF00000h
		jz	short loc_588289
		retn
; 

loc_588289:				; CODE XREF: __checkTOS_withFB+Ej
		mov	eax, [esp+arg_4]
		retn
__checkTOS_withFB endp


;  S U B	R O U T	I N E 


__fast_exit	proc near		; CODE XREF: sub_58302F+24j
					; sub_58302F+79j ...
		cmp	word ptr [esp+0], 27Fh
		jz	short loc_588299
		fldcw	word ptr [esp+0]

loc_588299:				; CODE XREF: __fast_exit+6j
		pop	edx
		retn
__fast_exit	endp ; sp =  4


;  S U B	R O U T	I N E 


__math_exit	proc near		; CODE XREF: sub_58302F+35j
					; sub_5830EF+35j ...
		mov	ax, [esp+0]
		cmp	ax, 27Fh
		jz	short loc_5882C3
		and	ax, 20h
		jz	short loc_5882C0
		fstsw	ax
		and	ax, 20h
		jz	short loc_5882C0
		mov	eax, 8
		call	__startOneArgErrorHandling
		pop	edx
		retn
; 

loc_5882C0:				; CODE XREF: __math_exit+Ej
					; __math_exit+17j
		fldcw	word ptr [esp+0]

loc_5882C3:				; CODE XREF: __math_exit+8j
		pop	edx
		retn
__math_exit	endp ; sp =  4


;  S U B	R O U T	I N E 


__check_overflow_exit proc near

var_8		= qword	ptr -8

		sub	esp, 8
		fst	[esp+8+var_8]
		mov	eax, dword ptr [esp+8+var_8+4]
		add	esp, 8
		and	eax, 7FF00000h
		jmp	short loc_5882ED
; 

__check_range_exit:
		sub	esp, 8
		fst	[esp+8+var_8]
		mov	eax, dword ptr [esp+8+var_8+4]
		add	esp, 8
		and	eax, 7FF00000h
		jz	short loc_58832A

loc_5882ED:				; CODE XREF: __check_overflow_exit+12j
		cmp	eax, 7FF00000h
		jz	short loc_588353
		mov	ax, [esp+0]
		cmp	ax, 27Fh
		jz	short loc_588328
		and	ax, 20h
		jnz	short loc_588325
		fstsw	ax
		and	ax, 20h
		jz	short loc_588325
		mov	eax, 8

loc_588312:				; CODE XREF: __check_overflow_exit+84j
					; __check_overflow_exit+8Cj ...
		cmp	edx, 1Dh
		jz	short loc_58831E
		call	__startOneArgErrorHandling
		pop	edx
		retn
; 

loc_58831E:				; CODE XREF: __check_overflow_exit+50j
		call	__startTwoArgErrorHandling
		pop	edx
		retn
; 

loc_588325:				; CODE XREF: __check_overflow_exit+3Dj
					; __check_overflow_exit+46j
		fldcw	word ptr [esp+0]

loc_588328:				; CODE XREF: __check_overflow_exit+37j
		pop	edx
		retn
; 

loc_58832A:				; CODE XREF: __check_overflow_exit+26j
		fld	ds:dbl_40974C
		fxch	st(1)
		fscale
		fstp	st(1)
		fld	st
		fabs
		fcomp	ds:dbl_40973C
		fstsw	ax
		sahf
		mov	eax, 4
		jnb	short loc_588312
		fmul	ds:dbl_40975C
		jmp	short loc_588312
; 

loc_588353:				; CODE XREF: __check_overflow_exit+2Dj
		fld	ds:dbl_409744
		fxch	st(1)
		fscale
		fstp	st(1)
		fld	st
		fabs
		fcomp	ds:dbl_409734
		fstsw	ax
		sahf
		mov	eax, 3
		jbe	short loc_588312
		fmul	ds:dbl_409754
		jmp	short loc_588312
__check_overflow_exit endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__startTwoArgErrorHandling proc	near	; CODE XREF: __check_overflow_exit:loc_58831Ep

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		push	ebp
		mov	ebp, esp
		add	esp, 0FFFFFFE0h
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_C], eax
		jmp	short loc_5883A0
__startTwoArgErrorHandling endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__startOneArgErrorHandling proc	near	; CODE XREF: sub_58302F+8Ap
					; sub_5830EF+8Ap ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_8		= qword	ptr -8
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	ebp
		mov	ebp, esp
		add	esp, 0FFFFFFE0h
		mov	[ebp+var_20], eax

loc_5883A0:				; CODE XREF: __startTwoArgErrorHandling+15j
		fstp	[ebp+var_8]
		mov	[ebp+var_1C], ecx
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], ecx
		lea	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_20]
		push	eax
		push	ecx
		push	edx
		call	__87except
		add	esp, 0Ch
		fld	[ebp+var_8]
		cmp	word ptr [ebp+arg_0], 27Fh
		jz	short locret_5883D1
		fldcw	word ptr [ebp+arg_0]

locret_5883D1:				; CODE XREF: __startOneArgErrorHandling+35j
		leave
		retn
__startOneArgErrorHandling endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__ValidateEH3RN	proc near		; CODE XREF: __except_handler3+34p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+8], 3
		mov	eax, 0
		setz	al
		pop	ebp
		retn
__ValidateEH3RN	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__decomp	proc near		; CODE XREF: __handle_exc+12Ap

var_14		= qword	ptr -14h
arg_0		= qword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		fld	[ebp+arg_0]
		fldz
		fucom	st(1)
		fnstsw	ax
		push	esi
		test	ah, 44h
		jp	short loc_588413
		fstp	st(1)
		xor	esi, esi
		jmp	loc_5884C0
; 

loc_588413:				; CODE XREF: __decomp+12j
		push	edi
		mov	di, word ptr [ebp+arg_0+6]
		movzx	eax, di
		test	eax, 7FF0h
		jnz	short loc_58849C
		mov	ecx, dword ptr [ebp+arg_0+4]
		mov	edx, dword ptr [ebp+arg_0]
		test	ecx, 0FFFFFh
		jnz	short loc_588434
		test	edx, edx
		jz	short loc_58849C

loc_588434:				; CODE XREF: __decomp+38j
		fcompp	st(1), st
		mov	esi, 0FFFFFC03h
		fnstsw	ax
		push	ebx
		xor	ebx, ebx
		test	ah, 41h
		jnz	short loc_588446
		inc	ebx

loc_588446:				; CODE XREF: __decomp+4Dj
		test	byte ptr [ebp+arg_0+6],	10h
		jnz	short loc_58846B

loc_58844C:				; CODE XREF: __decomp+6Cj
		add	ecx, ecx
		mov	dword ptr [ebp+arg_0+4], ecx
		test	edx, edx
		jns	short loc_58845B
		or	ecx, 1
		mov	dword ptr [ebp+arg_0+4], ecx

loc_58845B:				; CODE XREF: __decomp+5Dj
		add	edx, edx
		dec	esi
		test	byte ptr [ebp+arg_0+6],	10h
		jz	short loc_58844C
		mov	di, word ptr [ebp+arg_0+6]
		mov	dword ptr [ebp+arg_0], edx

loc_58846B:				; CODE XREF: __decomp+54j
		mov	eax, 0FFEFh
		and	di, ax
		test	ebx, ebx
		movzx	eax, di
		mov	word ptr [ebp+arg_0+6],	di
		pop	ebx
		jz	short loc_588488
		or	eax, 8000h
		mov	word ptr [ebp+arg_0+6],	ax

loc_588488:				; CODE XREF: __decomp+87j
		fld	[ebp+arg_0]
		push	0
		push	ecx
		push	ecx
		fstp	[esp+14h+var_14]
		call	__set_exp
		add	esp, 0Ch
		jmp	short loc_5884BF
; 

loc_58849C:				; CODE XREF: __decomp+2Aj __decomp+3Cj
		push	0
		push	ecx
		fstp	st
		push	ecx
		fstp	[esp+14h+var_14]
		call	__set_exp
		movzx	esi, di
		add	esp, 0Ch
		shr	esi, 4
		and	esi, 7FFh
		sub	esi, 3FEh

loc_5884BF:				; CODE XREF: __decomp+A4j
		pop	edi

loc_5884C0:				; CODE XREF: __decomp+18j
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		pop	esi
		pop	ebp
		retn
__decomp	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__set_exp	proc near		; CODE XREF: __decomp+9Cp __decomp+AFp

var_8		= qword	ptr -8
arg_6		= word ptr  0Eh
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_8]
		movzx	eax, [ebp+arg_6]
		fld	qword ptr [ebp+8]
		and	eax, 800Fh
		fstp	[ebp+var_8]
		lea	ecx, [ecx+3FEh]
		shl	ecx, 4
		or	ecx, eax
		mov	word ptr [ebp+var_8+6],	cx
		fld	[ebp+var_8]
		leave
		retn
__set_exp	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void __stdcall RaiseException(DWORD dwExceptionCode,DWORD dwExceptionFlags,DWORD nNumberOfArguments,const DWORD *lpArguments)
_RaiseException@16 proc	near		; CODE XREF: __raise_exc_ex+1BEp
					; DATA XREF: RaiseException(x,x,x,x)+3Ao

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_4		= dword	ptr -4
dwExceptionCode	= dword	ptr  8
dwExceptionFlags= dword	ptr  0Ch
nNumberOfArguments= dword ptr  10h
lpArguments	= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	50h		; size_t
		xor	edi, edi
		lea	eax, [ebp+var_54]
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+dwExceptionCode]
		add	esp, 0Ch
		mov	esi, [ebp+lpArguments]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+dwExceptionFlags]
		and	eax, 1
		mov	[ebp+var_4C], edi
		mov	[ebp+var_50], eax
		mov	[ebp+var_48], offset _RaiseException@16	; RaiseException(x,x,x,x)
		test	esi, esi
		jz	short loc_588554
		mov	ecx, [ebp+nNumberOfArguments]
		cmp	ecx, 0Fh
		jbe	short loc_588546
		push	0Fh
		pop	ecx

loc_588546:				; CODE XREF: RaiseException(x,x,x,x)+4Bj
		mov	[ebp+var_44], ecx
		test	ecx, ecx
		jz	short loc_588557
		lea	edi, [ebp+var_40]
		rep movsd
		jmp	short loc_588557
; 

loc_588554:				; CODE XREF: RaiseException(x,x,x,x)+43j
		mov	[ebp+var_44], edi

loc_588557:				; CODE XREF: RaiseException(x,x,x,x)+55j
					; RaiseException(x,x,x,x)+5Cj
		lea	eax, [ebp+var_54]
		push	eax
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_RaiseException@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__handle_exc	proc near		; CODE XREF: __87except+7Fp

var_28		= qword	ptr -28h
var_10		= qword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ebx
		and	esi, 1Fh
		test	bl, 8
		jz	short loc_58859D
		test	[ebp+arg_8], 1
		jz	short loc_58859D
		push	1
		call	__set_statfp
		pop	ecx
		and	esi, 0FFFFFFF7h
		jmp	loc_58873C
; 

loc_58859D:				; CODE XREF: __handle_exc+15j
					; __handle_exc+1Bj
		mov	eax, ebx
		and	eax, dword ptr [ebp+arg_8]
		test	al, 4
		jz	short loc_5885B6
		push	4
		call	__set_statfp
		pop	ecx
		and	esi, 0FFFFFFFBh
		jmp	loc_58873C
; 

loc_5885B6:				; CODE XREF: __handle_exc+34j
		test	bl, 1
		jz	loc_588659
		test	[ebp+arg_8], 8
		jz	loc_588659
		push	8
		call	__set_statfp
		mov	eax, dword ptr [ebp+arg_8]
		pop	ecx
		mov	ecx, 0C00h
		and	eax, ecx
		jz	short loc_588631
		cmp	eax, 400h
		jz	short loc_58861B
		cmp	eax, 800h
		jz	short loc_588605
		cmp	eax, ecx
		jnz	short loc_588651
		mov	ecx, [ebp+arg_4]
		fldz
		fcomp	qword ptr [ecx]
		fnstsw	ax
		fld	ds:__d_max
		test	ah, 5
		jnp	short loc_58864F
		jmp	short loc_58864D
; 

loc_588605:				; CODE XREF: __handle_exc+79j
		mov	ecx, [ebp+arg_4]
		fldz
		fcomp	qword ptr [ecx]
		fnstsw	ax
		test	ah, 5
		jnp	short loc_58863F
		fld	ds:__d_max
		jmp	short loc_58864D
; 

loc_58861B:				; CODE XREF: __handle_exc+72j
		mov	ecx, [ebp+arg_4]
		fldz
		fcomp	qword ptr [ecx]
		fnstsw	ax
		test	ah, 5
		jp	short loc_588647
		fld	ds:__d_max
		jmp	short loc_58864F
; 

loc_588631:				; CODE XREF: __handle_exc+6Bj
		mov	ecx, [ebp+arg_4]
		fldz
		fcomp	qword ptr [ecx]
		fnstsw	ax
		test	ah, 5
		jp	short loc_588647

loc_58863F:				; CODE XREF: __handle_exc+A1j
		fld	ds:__d_inf
		jmp	short loc_58864F
; 

loc_588647:				; CODE XREF: __handle_exc+B7j
					; __handle_exc+CDj
		fld	ds:__d_inf

loc_58864D:				; CODE XREF: __handle_exc+93j
					; __handle_exc+A9j
		fchs

loc_58864F:				; CODE XREF: __handle_exc+91j
					; __handle_exc+BFj ...
		fstp	qword ptr [ecx]

loc_588651:				; CODE XREF: __handle_exc+7Dj
		and	esi, 0FFFFFFFEh
		jmp	loc_58873C
; 

loc_588659:				; CODE XREF: __handle_exc+49j
					; __handle_exc+53j
		test	bl, 2
		jz	loc_58873C
		test	[ebp+arg_8], 10h
		jz	loc_58873C
		mov	eax, [ebp+arg_4]
		push	edi
		mov	edi, ebx
		shr	edi, 4
		fld	qword ptr [eax]
		and	edi, 1
		fldz
		fucomp	st(1)
		fnstsw	ax
		test	ah, 44h
		jnp	loc_588727
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+arg_0]
		push	eax
		push	ecx
		push	ecx
		fstp	[esp+28h+var_28]
		call	__decomp
		mov	edx, [ebp+arg_0]
		add	esp, 0Ch
		add	edx, 0FFFFFA00h
		fst	[ebp+var_10]
		fldz
		cmp	edx, 0FFFFFBCEh
		jge	short loc_5886BF
		xor	edi, edi
		fmulp	st(1), st
		inc	edi
		jmp	short loc_588720
; 

loc_5886BF:				; CODE XREF: __handle_exc+146j
		fcompp	st(1), st
		fnstsw	ax
		test	ah, 41h
		jnz	short loc_5886CF
		mov	[ebp+var_4], 1

loc_5886CF:				; CODE XREF: __handle_exc+156j
		mov	eax, dword ptr [ebp+var_10+6]
		mov	ecx, 0FFFFFC03h
		and	eax, 0Fh
		or	eax, 10h
		mov	word ptr [ebp+var_10+6], ax
		cmp	edx, ecx
		jge	short loc_588715
		mov	eax, dword ptr [ebp+var_10]
		sub	ecx, edx
		mov	edx, dword ptr [ebp+var_10+4]

loc_5886ED:				; CODE XREF: __handle_exc+1A3j
		test	byte ptr [ebp+var_10], 1
		jz	short loc_5886F8
		test	edi, edi
		jnz	short loc_5886F8
		inc	edi

loc_5886F8:				; CODE XREF: __handle_exc+181j
					; __handle_exc+185j
		shr	eax, 1
		test	byte ptr [ebp+var_10+4], 1
		mov	dword ptr [ebp+var_10],	eax
		jz	short loc_58870B
		or	eax, 80000000h
		mov	dword ptr [ebp+var_10],	eax

loc_58870B:				; CODE XREF: __handle_exc+191j
		shr	edx, 1
		mov	dword ptr [ebp+var_10+4], edx
		sub	ecx, 1
		jnz	short loc_5886ED

loc_588715:				; CODE XREF: __handle_exc+173j
		cmp	[ebp+var_4], 0
		fld	[ebp+var_10]
		jz	short loc_588720
		fchs

loc_588720:				; CODE XREF: __handle_exc+14Dj
					; __handle_exc+1ACj
		mov	eax, [ebp+arg_4]
		fstp	qword ptr [eax]
		jmp	short loc_58872C
; 

loc_588727:				; CODE XREF: __handle_exc+113j
		xor	edi, edi
		fstp	st
		inc	edi

loc_58872C:				; CODE XREF: __handle_exc+1B5j
		test	edi, edi
		pop	edi
		jz	short loc_588739
		push	10h
		call	__set_statfp
		pop	ecx

loc_588739:				; CODE XREF: __handle_exc+1BFj
		and	esi, 0FFFFFFFDh

loc_58873C:				; CODE XREF: __handle_exc+28j
					; __handle_exc+41j ...
		test	bl, 10h
		jz	short loc_588752
		test	[ebp+arg_8], 20h
		jz	short loc_588752
		push	20h
		call	__set_statfp
		pop	ecx
		and	esi, 0FFFFFFEFh

loc_588752:				; CODE XREF: __handle_exc+1CFj
					; __handle_exc+1D5j
		xor	eax, eax
		test	esi, esi
		pop	esi
		setz	al
		pop	ebx
		leave
		retn
__handle_exc	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _raise_exc(DWORD Arguments,int,int,int,int,int)
__raise_exc	proc near		; CODE XREF: __87except+CEp

Arguments	= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0		; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		push	[ebp+Arguments]	; Arguments
		call	__raise_exc_ex
		add	esp, 1Ch
		pop	ebp
		retn
__raise_exc	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _raise_exc_ex(DWORD Arguments,int,int,int,int,int,int)
__raise_exc_ex	proc near		; CODE XREF: __raise_exc+19p

Arguments	= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+Arguments]
		xor	eax, eax
		mov	ebx, eax
		push	edi
		mov	[esi+4], eax
		mov	[esi+8], eax
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_8]
		test	al, 10h
		jz	short loc_5887AA
		or	dword ptr [esi+4], 1
		mov	ebx, 0C000008Fh

loc_5887AA:				; CODE XREF: __raise_exc_ex+1Dj
		test	al, 2
		jz	short loc_5887B7
		or	dword ptr [esi+4], 2
		mov	ebx, 0C0000093h

loc_5887B7:				; CODE XREF: __raise_exc_ex+2Aj
		test	al, 1
		jz	short loc_5887C4
		or	dword ptr [esi+4], 4
		mov	ebx, 0C0000091h

loc_5887C4:				; CODE XREF: __raise_exc_ex+37j
		test	al, 4
		jz	short loc_5887D1
		or	dword ptr [esi+4], 8
		mov	ebx, 0C000008Eh

loc_5887D1:				; CODE XREF: __raise_exc_ex+44j
		test	al, 8
		jz	short loc_5887DE
		or	dword ptr [esi+4], 10h
		mov	ebx, 0C0000090h

loc_5887DE:				; CODE XREF: __raise_exc_ex+51j
		mov	edi, [ebp+arg_4]
		mov	eax, [edi]
		shl	eax, 4
		not	eax
		xor	eax, [esi+8]
		and	eax, 10h
		xor	[esi+8], eax
		mov	ecx, [edi]
		mov	eax, [esi+8]
		add	ecx, ecx
		not	ecx
		xor	ecx, eax
		and	ecx, 8
		xor	ecx, eax
		mov	[esi+8], ecx
		mov	eax, [edi]
		shr	eax, 1
		not	eax
		xor	eax, ecx
		and	eax, 4
		xor	eax, ecx
		mov	[esi+8], eax
		mov	ecx, [edi]
		shr	ecx, 3
		not	ecx
		xor	ecx, eax
		and	ecx, 2
		xor	ecx, eax
		mov	[esi+8], ecx
		mov	eax, [edi]
		shr	eax, 5
		not	eax
		xor	eax, ecx
		and	eax, 1
		xor	eax, ecx
		mov	[esi+8], eax
		call	__statfp
		test	al, 1
		jz	short loc_588843
		or	dword ptr [esi+0Ch], 10h

loc_588843:				; CODE XREF: __raise_exc_ex+BBj
		test	al, 4
		jz	short loc_58884B
		or	dword ptr [esi+0Ch], 8

loc_58884B:				; CODE XREF: __raise_exc_ex+C3j
		test	al, 8
		jz	short loc_588853
		or	dword ptr [esi+0Ch], 4

loc_588853:				; CODE XREF: __raise_exc_ex+CBj
		test	al, 10h
		jz	short loc_58885B
		or	dword ptr [esi+0Ch], 2

loc_58885B:				; CODE XREF: __raise_exc_ex+D3j
		test	al, 20h
		jz	short loc_588863
		or	dword ptr [esi+0Ch], 1

loc_588863:				; CODE XREF: __raise_exc_ex+DBj
		mov	eax, [edi]
		mov	ecx, 0C00h
		and	eax, ecx
		jz	short loc_58889B
		cmp	eax, 400h
		jz	short loc_588891
		cmp	eax, 800h
		jz	short loc_588885
		cmp	eax, ecx
		jnz	short loc_58889E
		or	dword ptr [esi], 3
		jmp	short loc_58889E
; 

loc_588885:				; CODE XREF: __raise_exc_ex+F8j
		mov	eax, [esi]
		and	eax, 0FFFFFFFEh
		or	eax, 2

loc_58888D:				; CODE XREF: __raise_exc_ex+117j
		mov	[esi], eax
		jmp	short loc_58889E
; 

loc_588891:				; CODE XREF: __raise_exc_ex+F1j
		mov	eax, [esi]
		and	eax, 0FFFFFFFDh
		or	eax, 1
		jmp	short loc_58888D
; 

loc_58889B:				; CODE XREF: __raise_exc_ex+EAj
		and	dword ptr [esi], 0FFFFFFFCh

loc_58889E:				; CODE XREF: __raise_exc_ex+FCj
					; __raise_exc_ex+101j ...
		mov	eax, [edi]
		mov	ecx, 300h
		and	eax, ecx
		jz	short loc_5888C3
		cmp	eax, 200h
		jz	short loc_5888B9
		cmp	eax, ecx
		jnz	short loc_5888CD
		and	dword ptr [esi], 0FFFFFFE3h
		jmp	short loc_5888CD
; 

loc_5888B9:				; CODE XREF: __raise_exc_ex+12Cj
		mov	eax, [esi]
		and	eax, 0FFFFFFE7h
		or	eax, 4
		jmp	short loc_5888CB
; 

loc_5888C3:				; CODE XREF: __raise_exc_ex+125j
		mov	eax, [esi]
		and	eax, 0FFFFFFEBh
		or	eax, 8

loc_5888CB:				; CODE XREF: __raise_exc_ex+13Fj
		mov	[esi], eax

loc_5888CD:				; CODE XREF: __raise_exc_ex+130j
					; __raise_exc_ex+135j
		mov	eax, [ebp+arg_C]
		shl	eax, 5
		xor	eax, [esi]
		and	eax, 1FFE0h
		xor	[esi], eax
		cmp	[ebp+arg_18], 0
		mov	eax, [esi+20h]
		jz	short loc_58890C
		and	eax, 0FFFFFFE1h
		or	eax, 1
		mov	[esi+20h], eax
		mov	eax, [ebp+arg_10]
		fld	dword ptr [eax]
		fstp	dword ptr [esi+10h]
		mov	eax, [esi+60h]
		and	eax, 0FFFFFFE1h
		or	eax, 1
		mov	[esi+60h], eax
		mov	eax, [ebp+arg_14]
		fld	dword ptr [eax]
		fstp	dword ptr [esi+50h]
		jmp	short loc_588931
; 

loc_58890C:				; CODE XREF: __raise_exc_ex+161j
		and	eax, 0FFFFFFE3h
		or	eax, 3
		mov	[esi+20h], eax
		mov	eax, [ebp+arg_10]
		fld	qword ptr [eax]
		fstp	qword ptr [esi+10h]
		mov	eax, [esi+60h]
		and	eax, 0FFFFFFE3h
		or	eax, 3
		mov	[esi+60h], eax
		mov	eax, [ebp+arg_14]
		fld	qword ptr [eax]
		fstp	qword ptr [esi+50h]

loc_588931:				; CODE XREF: __raise_exc_ex+188j
		call	__clrfp
		lea	eax, [ebp+Arguments]
		xor	esi, esi
		push	eax		; lpArguments
		push	1		; nNumberOfArguments
		push	esi		; dwExceptionFlags
		push	ebx		; dwExceptionCode
		call	_RaiseException@16 ; RaiseException(x,x,x,x)
		mov	ecx, [ebp+Arguments]
		mov	eax, [ecx+8]
		test	al, 10h
		jz	short loc_588955
		and	dword ptr [edi], 0FFFFFFFEh
		mov	eax, [ecx+8]

loc_588955:				; CODE XREF: __raise_exc_ex+1CBj
		test	al, 8
		jz	short loc_58895F
		and	dword ptr [edi], 0FFFFFFFBh
		mov	eax, [ecx+8]

loc_58895F:				; CODE XREF: __raise_exc_ex+1D5j
		test	al, 4
		jz	short loc_588969
		and	dword ptr [edi], 0FFFFFFF7h
		mov	eax, [ecx+8]

loc_588969:				; CODE XREF: __raise_exc_ex+1DFj
		test	al, 2
		jz	short loc_588973
		and	dword ptr [edi], 0FFFFFFEFh
		mov	eax, [ecx+8]

loc_588973:				; CODE XREF: __raise_exc_ex+1E9j
		test	al, 1
		jz	short loc_58897A
		and	dword ptr [edi], 0FFFFFFDFh

loc_58897A:				; CODE XREF: __raise_exc_ex+1F3j
		mov	eax, [ecx]
		mov	edx, 0FFFFF3FFh
		and	eax, 3
		sub	eax, esi
		jz	short loc_5889BD
		sub	eax, 1
		jz	short loc_5889AF
		sub	eax, 1
		jz	short loc_58899F
		sub	eax, 1
		jnz	short loc_5889BF
		or	dword ptr [edi], 0C00h
		jmp	short loc_5889BF
; 

loc_58899F:				; CODE XREF: __raise_exc_ex+20Ej
		mov	eax, [edi]
		and	eax, 0FFFFFBFFh
		or	eax, 800h

loc_5889AB:				; CODE XREF: __raise_exc_ex+239j
		mov	[edi], eax
		jmp	short loc_5889BF
; 

loc_5889AF:				; CODE XREF: __raise_exc_ex+209j
		mov	eax, [edi]
		and	eax, 0FFFFF7FFh
		or	eax, 400h
		jmp	short loc_5889AB
; 

loc_5889BD:				; CODE XREF: __raise_exc_ex+204j
		and	[edi], edx

loc_5889BF:				; CODE XREF: __raise_exc_ex+213j
					; __raise_exc_ex+21Bj ...
		mov	eax, [ecx]
		shr	eax, 2
		and	eax, 7
		sub	eax, esi
		jz	short loc_5889E4
		sub	eax, 1
		jz	short loc_5889D9
		sub	eax, 1
		jnz	short loc_5889EF
		and	[edi], edx
		jmp	short loc_5889EF
; 

loc_5889D9:				; CODE XREF: __raise_exc_ex+24Cj
		mov	eax, [edi]
		and	eax, edx
		or	eax, 200h
		jmp	short loc_5889ED
; 

loc_5889E4:				; CODE XREF: __raise_exc_ex+247j
		mov	eax, [edi]
		and	eax, edx
		or	eax, 300h

loc_5889ED:				; CODE XREF: __raise_exc_ex+260j
		mov	[edi], eax

loc_5889EF:				; CODE XREF: __raise_exc_ex+251j
					; __raise_exc_ex+255j
		cmp	[ebp+arg_18], 0
		mov	eax, [ebp+arg_14]
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_588A02
		fld	dword ptr [ecx+50h]
		fstp	dword ptr [eax]
		pop	ebp
		retn
; 

loc_588A02:				; CODE XREF: __raise_exc_ex+277j
		fld	qword ptr [ecx+50h]
		fstp	qword ptr [eax]
		pop	ebp
		retn
__raise_exc_ex	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__set_errno_from_matherr proc near	; CODE XREF: __87except+103p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	eax, 1
		jz	short loc_588A2B
		add	eax, 0FFFFFFFEh
		cmp	eax, 1
		ja	short loc_588A35
		mov	_gbl_errno, 22h
		pop	ebp
		retn
; 

loc_588A2B:				; CODE XREF: __set_errno_from_matherr+Bj
		mov	_gbl_errno, 21h

loc_588A35:				; CODE XREF: __set_errno_from_matherr+13j
		pop	ebp
		retn
__set_errno_from_matherr endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__clrfp		proc near		; CODE XREF: __raise_exc_ex:loc_588931p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		fnstsw	word ptr [ebp+var_4]
		fnclex
		movsx	eax, word ptr [ebp+var_4]
		leave
		retn
__clrfp		endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__ctrlfp	proc near		; CODE XREF: __87except+E1p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		fstcw	word ptr [ebp+var_4]
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		not	ecx
		and	eax, [ebp+arg_4]
		and	ecx, [ebp+var_4]
		or	ecx, eax
		movzx	eax, cx
		mov	[ebp+arg_4], eax
		fldcw	word ptr [ebp+arg_4]
		movsx	eax, word ptr [ebp+var_4]
		leave
		retn
__ctrlfp	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__set_statfp	proc near		; CODE XREF: __handle_exc+1Fp
					; __handle_exc+38p ...

var_C		= qword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		fldz
		mov	ecx, [ebp+arg_0]
		fstp	[ebp+var_C]
		test	cl, 1
		jz	short loc_588A9F
		fld	tbyte_6B3C50
		fistp	[ebp+var_4]
		wait

loc_588A9F:				; CODE XREF: __set_statfp+17j
		test	cl, 8
		jz	short loc_588AB4
		fstsw	ax
		fld	tbyte_6B3C50
		fstp	[ebp+var_C]
		wait
		fstsw	ax

loc_588AB4:				; CODE XREF: __set_statfp+26j
		test	cl, 10h
		jz	short loc_588AC3
		fld	tbyte_6B3C5C
		fstp	[ebp+var_C]
		wait

loc_588AC3:				; CODE XREF: __set_statfp+3Bj
		test	cl, 4
		jz	short loc_588AD1
		fldz
		fld1
		fdivrp	st(1), st
		fstp	st
		wait

loc_588AD1:				; CODE XREF: __set_statfp+4Aj
		test	cl, 20h
		jz	short locret_588ADC
		fldpi
		fstp	[ebp+var_C]
		wait

locret_588ADC:				; CODE XREF: __set_statfp+58j
		leave
		retn
__set_statfp	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__statfp	proc near		; CODE XREF: __raise_exc_ex+B4p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		fstsw	word ptr [ebp+var_4]
		movsx	eax, word ptr [ebp+var_4]
		leave
		retn
__statfp	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

___ascii_stricmp proc near		; CODE XREF: __stricmp+6j

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	ebp
		mov	ebp, esp
		push	edi
		push	esi
		push	ebx
		mov	esi, [ebp+arg_4]
		mov	edi, [ebp+arg_0]
		mov	al, 0FFh
		mov	edi, edi

loc_588B10:				; CODE XREF: ___ascii_stricmp+20j
					; ___ascii_stricmp+40j
		or	al, al
		jz	short loc_588B46
		mov	al, [esi]
		add	esi, 1
		mov	ah, [edi]
		add	edi, 1
		cmp	ah, al
		jz	short loc_588B10
		sub	al, 41h
		cmp	al, 1Ah
		sbb	cl, cl
		and	cl, 20h
		add	al, cl
		add	al, 41h
		xchg	ah, al
		sub	al, 41h
		cmp	al, 1Ah
		sbb	cl, cl
		and	cl, 20h
		add	al, cl
		add	al, 41h
		cmp	al, ah
		jz	short loc_588B10
		sbb	al, al
		sbb	al, 0FFh

loc_588B46:				; CODE XREF: ___ascii_stricmp+12j
		movsx	eax, al
		pop	ebx
		pop	esi
		pop	edi
		leave
		retn
___ascii_stricmp endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

___ascii_strnicmp proc near		; CODE XREF: __strnicmp+6j

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	ebp
		mov	ebp, esp
		push	edi
		push	esi
		push	ebx
		mov	ecx, [ebp+arg_8]
		or	ecx, ecx
		jz	short loc_588BAA
		mov	esi, [ebp+arg_0]
		mov	edi, [ebp+arg_4]
		mov	bh, 41h
		mov	bl, 5Ah
		mov	dh, 20h
		lea	ecx, [ecx+0]

loc_588B6C:				; CODE XREF: ___ascii_strnicmp+49j
		mov	ah, [esi]
		or	ah, ah
		mov	al, [edi]
		jz	short loc_588B9B
		or	al, al
		jz	short loc_588B9B
		add	esi, 1
		add	edi, 1
		cmp	ah, bh
		jb	short loc_588B88
		cmp	ah, bl
		ja	short loc_588B88
		add	ah, dh

loc_588B88:				; CODE XREF: ___ascii_strnicmp+30j
					; ___ascii_strnicmp+34j
		cmp	al, bh
		jb	short loc_588B92
		cmp	al, bl
		ja	short loc_588B92
		add	al, dh

loc_588B92:				; CODE XREF: ___ascii_strnicmp+3Aj
					; ___ascii_strnicmp+3Ej
		cmp	ah, al
		jnz	short loc_588BA1
		sub	ecx, 1
		jnz	short loc_588B6C

loc_588B9B:				; CODE XREF: ___ascii_strnicmp+22j
					; ___ascii_strnicmp+26j
		xor	ecx, ecx
		cmp	ah, al
		jz	short loc_588BAA

loc_588BA1:				; CODE XREF: ___ascii_strnicmp+44j
		mov	ecx, 0FFFFFFFFh
		jb	short loc_588BAA
		neg	ecx

loc_588BAA:				; CODE XREF: ___ascii_strnicmp+Bj
					; ___ascii_strnicmp+4Fj ...
		mov	eax, ecx
		pop	ebx
		pop	esi
		pop	edi
		leave
		retn
___ascii_strnicmp endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; size_t __cdecl _mbstrlen(const char *s)
__mbstrlen	proc near		; CODE XREF: _mbstowcs+1Cp

s		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+s]
		mov	[ebp+s], esi

loc_588BBE:				; CODE XREF: __mbstrlen+18j
		lea	eax, [ebp+s]
		push	eax
		call	RtlAnsiCharToUnicodeChar
		test	ax, ax
		jnz	short loc_588BBE
		mov	eax, [ebp+s]
		sub	eax, esi
		dec	eax
		pop	esi
		pop	ebp
		retn
__mbstrlen	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__wchartodigit	proc near		; CODE XREF: wcstoxlX+7Ep wcstoxlX+B3p ...

arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ax, [ebp+arg_0]
		push	30h
		pop	ecx
		cmp	ax, cx
		jb	loc_588D6B
		cmp	ax, 3Ah
		jnb	short loc_588BF8
		movzx	eax, ax
		sub	eax, ecx
		pop	ebp
		retn
; 

loc_588BF8:				; CODE XREF: __wchartodigit+19j
		mov	edx, 0FF10h
		cmp	ax, dx
		jnb	loc_588D70
		mov	edx, 660h
		cmp	ax, dx
		jb	loc_588D6B
		lea	ecx, [edx+0Ah]
		cmp	ax, cx
		jnb	short loc_588C23

loc_588C1C:				; CODE XREF: __wchartodigit+61j
					; __wchartodigit+77j ...
		movzx	eax, ax
		sub	eax, edx
		pop	ebp
		retn
; 

loc_588C23:				; CODE XREF: __wchartodigit+44j
		mov	edx, 6F0h
		cmp	ax, dx
		jb	loc_588D6B
		lea	ecx, [edx+0Ah]
		cmp	ax, cx
		jb	short loc_588C1C
		mov	edx, 966h
		cmp	ax, dx
		jb	loc_588D6B
		lea	ecx, [edx+0Ah]
		cmp	ax, cx
		jb	short loc_588C1C
		lea	edx, [ecx+76h]
		cmp	ax, dx
		jb	loc_588D6B
		lea	ecx, [edx+0Ah]
		cmp	ax, cx
		jb	short loc_588C1C
		lea	edx, [ecx+76h]
		cmp	ax, dx
		jb	loc_588D6B
		lea	ecx, [edx+0Ah]
		cmp	ax, cx
		jb	short loc_588C1C
		lea	edx, [ecx+76h]
		cmp	ax, dx
		jb	loc_588D6B
		lea	ecx, [edx+0Ah]
		cmp	ax, cx
		jb	short loc_588C1C
		lea	edx, [ecx+76h]
		cmp	ax, dx
		jb	loc_588D6B
		lea	ecx, [edx+0Ah]
		cmp	ax, cx
		jb	loc_588C1C
		mov	edx, 0C66h
		cmp	ax, dx
		jb	loc_588D6B
		lea	ecx, [edx+0Ah]
		cmp	ax, cx
		jb	loc_588C1C
		lea	edx, [ecx+76h]
		cmp	ax, dx
		jb	loc_588D6B
		lea	ecx, [edx+0Ah]
		cmp	ax, cx
		jb	loc_588C1C
		lea	edx, [ecx+76h]
		cmp	ax, dx
		jb	loc_588D6B
		lea	ecx, [edx+0Ah]
		cmp	ax, cx
		jb	loc_588C1C
		mov	edx, 0E50h
		cmp	ax, dx
		jb	short loc_588D6B
		lea	ecx, [edx+0Ah]
		cmp	ax, cx
		jb	loc_588C1C
		lea	edx, [ecx+76h]
		cmp	ax, dx
		jb	short loc_588D6B
		lea	ecx, [edx+0Ah]
		cmp	ax, cx
		jb	loc_588C1C
		add	edx, 50h
		cmp	ax, dx
		jb	short loc_588D6B
		add	ecx, 50h
		cmp	ax, cx
		jb	loc_588C1C
		mov	edx, 1040h
		cmp	ax, dx
		jb	short loc_588D6B
		lea	ecx, [edx+0Ah]
		cmp	ax, cx
		jb	loc_588C1C
		mov	edx, 17E0h
		cmp	ax, dx
		jb	short loc_588D6B
		lea	ecx, [edx+0Ah]
		cmp	ax, cx
		jb	loc_588C1C
		add	edx, 30h
		cmp	ax, dx
		jb	short loc_588D6B
		add	ecx, 30h

loc_588D62:				; CODE XREF: __wchartodigit+19Fj
		cmp	ax, cx
		jb	loc_588C1C

loc_588D6B:				; CODE XREF: __wchartodigit+Fj
					; __wchartodigit+38j ...
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
; 

loc_588D70:				; CODE XREF: __wchartodigit+2Aj
		mov	ecx, 0FF1Ah
		jmp	short loc_588D62
__wchartodigit	endp

; 
		align 4

;  S U B	R O U T	I N E 


__local_unwind4	proc near		; CODE XREF: _unwind_handler4+2Dp
					; _seh_longjmp_unwind4(x)+10p ...

var_14		= dword	ptr -14h
arg_0		= dword	ptr  10h
arg_4		= dword	ptr  14h
arg_8		= dword	ptr  18h

		push	ebx
		push	esi
		push	edi
		mov	edx, [esp+arg_0]
		mov	eax, [esp+arg_4]
		mov	ecx, [esp+arg_8]
		push	ebp
		push	edx
		push	eax
		push	ecx
		push	ecx
		push	offset _unwind_handler4
		push	large dword ptr	fs:0
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1Ch+var_14], eax
		mov	large fs:0, esp

loc_588DAA:				; CODE XREF: __local_unwind4+64j
					; __local_unwind4+80j
		mov	eax, [esp+1Ch+arg_4]
		mov	ebx, [eax+8]
		mov	ecx, [esp+1Ch+arg_0]
		xor	ebx, [ecx]
		mov	esi, [eax+0Ch]
		cmp	esi, 0FFFFFFFEh
		jz	short loc_588DFA
		mov	edx, [esp+1Ch+arg_8]
		cmp	edx, 0FFFFFFFEh
		jz	short loc_588DCC
		cmp	esi, edx
		jbe	short loc_588DFA

loc_588DCC:				; CODE XREF: __local_unwind4+4Ej
		lea	esi, [esi+esi*2]
		lea	ebx, [ebx+esi*4+10h]
		mov	ecx, [ebx]
		mov	[eax+0Ch], ecx
		cmp	dword ptr [ebx+4], 0
		jnz	short loc_588DAA
		push	101h
		mov	eax, [ebx+8]
		call	__NLG_Notify
		mov	ecx, 1
		mov	eax, [ebx+8]
		call	__NLG_Call
		jmp	short loc_588DAA
; 

loc_588DFA:				; CODE XREF: __local_unwind4+45j
					; __local_unwind4+52j
		pop	large dword ptr	fs:0
		add	esp, 18h
		pop	edi
		pop	esi
		pop	ebx
		retn
__local_unwind4	endp


;  S U B	R O U T	I N E 


_unwind_handler4 proc near		; DATA XREF: __local_unwind4+14o

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_C		= dword	ptr  10h

		mov	ecx, [esp+arg_0]
		test	dword ptr [ecx+4], 6
		mov	eax, 1
		jz	short locret_588E4D
		mov	eax, [esp+arg_4]
		mov	ecx, [eax+8]
		xor	ecx, eax
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		push	ebp
		mov	ebp, [eax+18h]
		push	dword ptr [eax+0Ch]
		push	dword ptr [eax+10h]
		push	dword ptr [eax+14h]
		call	__local_unwind4
		add	esp, 0Ch
		pop	ebp
		mov	eax, [esp+arg_4]
		mov	edx, [esp+arg_C]
		mov	[edx], eax
		mov	eax, 3

locret_588E4D:				; CODE XREF: _unwind_handler4+10j
		retn
_unwind_handler4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall _seh_longjmp_unwind4(x)
__seh_longjmp_unwind4@4	proc near

arg_0		= dword	ptr  8

		push	ebp
		mov	ecx, [esp+arg_0]
		mov	ebp, [ecx]
		push	dword ptr [ecx+1Ch]
		push	dword ptr [ecx+18h]
		push	dword ptr [ecx+28h]
		call	__local_unwind4
		add	esp, 0Ch
		pop	ebp
		retn	4
__seh_longjmp_unwind4@4	endp


;  S U B	R O U T	I N E 


; __fastcall _EH4_CallFilterFunc(x, x)
@_EH4_CallFilterFunc@8 proc near	; CODE XREF: __except_handler4+9Bp
		push	ebp
		push	esi
		push	edi
		push	ebx
		mov	ebp, edx
		xor	eax, eax
		xor	ebx, ebx
		xor	edx, edx
		xor	esi, esi
		xor	edi, edi
		call	ecx
		pop	ebx
		pop	edi
		pop	esi
		pop	ebp
		retn
@_EH4_CallFilterFunc@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall _EH4_TransferToHandler(x, x)
@_EH4_TransferToHandler@8 proc near	; CODE XREF: __except_handler4+146p
		mov	ebp, edx
		mov	esi, ecx
		mov	eax, ecx
		push	1
		call	__NLG_Notify
		xor	eax, eax
		xor	ebx, ebx
		xor	ecx, ecx
		xor	edx, edx
		xor	edi, edi
		jmp	esi
@_EH4_TransferToHandler@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall _EH4_GlobalUnwind(x)
@_EH4_GlobalUnwind@4 proc near		; CODE XREF: __except_handler4+10Fp
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	0
		push	0
		push	offset loc_588EB5
		push	ecx
		call	RtlUnwind

loc_588EB5:				; DATA XREF: _EH4_GlobalUnwind(x)+Ao
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
@_EH4_GlobalUnwind@4 endp ; sp = -10h

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall _EH4_LocalUnwind(x, x, x, x)
@_EH4_LocalUnwind@16 proc near		; CODE XREF: __except_handler4+D9p
					; __except_handler4+126p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	ebp
		mov	ebp, [esp+arg_0]
		push	edx
		push	ecx
		push	[esp+8+arg_4]
		call	__local_unwind4
		add	esp, 0Ch
		pop	ebp
		retn	8
@_EH4_LocalUnwind@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


__get_printf_count_output proc near	; CODE XREF: __woutput_l+8A5p
					; __output_l+725p
		mov	ecx, ___security_cookie
		xor	eax, eax
		or	ecx, 1
		cmp	dword_6B6A64, ecx
		setz	al
		retn
__get_printf_count_output endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__fputwc_nolock	proc near		; CODE XREF: write_char+19p

arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jnz	short loc_588F0C
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, 0FFFFh
		pop	ebp
		retn
; 

loc_588F0C:				; CODE XREF: __fputwc_nolock+Aj
		add	dword ptr [edx+4], 0FFFFFFFEh
		js	short loc_588F20
		mov	ecx, [edx]
		mov	ax, [ebp+arg_0]
		mov	[ecx], ax
		add	dword ptr [edx], 2
		pop	ebp
		retn
; 

loc_588F20:				; CODE XREF: __fputwc_nolock+26j
		movzx	eax, [ebp+arg_0]
		push	edx
		push	eax
		call	__flswbuf
		pop	ecx
		pop	ecx
		pop	ebp
		retn
__fputwc_nolock	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__87except	proc near		; CODE XREF: __startOneArgErrorHandling+24p

var_84		= dword	ptr -84h
Arguments	= dword	ptr -80h
var_50		= qword	ptr -50h
var_40		= dword	ptr -40h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebx+10h]
		push	esi
		mov	esi, [ebx+0Ch]
		push	edi
		movzx	ecx, word ptr [eax]
		mov	[ebp+var_84], ecx
		mov	eax, [esi]
		sub	eax, 1
		jz	short loc_588FA6
		sub	eax, 1
		jz	short loc_588FA2
		sub	eax, 1
		jz	short loc_588F9E
		sub	eax, 1
		jz	short loc_588F9A
		sub	eax, 1
		jz	short loc_588FA6
		dec	eax
		sub	eax, 1
		jz	short loc_588F92
		sub	eax, 1
		jnz	short loc_589006
		push	10h
		jmp	short loc_588FA8
; 

loc_588F92:				; CODE XREF: __87except+57j
		mov	dword ptr [esi], 1
		jmp	short loc_589006
; 

loc_588F9A:				; CODE XREF: __87except+4Cj
		push	12h
		jmp	short loc_588FA8
; 

loc_588F9E:				; CODE XREF: __87except+47j
		push	11h
		jmp	short loc_588FA8
; 

loc_588FA2:				; CODE XREF: __87except+42j
		push	4
		jmp	short loc_588FA8
; 

loc_588FA6:				; CODE XREF: __87except+3Dj
					; __87except+51j
		push	8

loc_588FA8:				; CODE XREF: __87except+60j
					; __87except+6Cj ...
		pop	edi
		push	ecx
		lea	eax, [esi+18h]
		push	eax
		push	edi
		call	__handle_exc
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_589006
		push	70h		; size_t
		push	eax		; int
		lea	eax, [ebp+Arguments]
		push	eax		; void *
		call	_memset
		mov	ecx, [ebx+8]
		add	esp, 0Ch
		cmp	ecx, 10h
		jz	short loc_588FDC
		cmp	ecx, 16h
		jz	short loc_588FDC
		cmp	ecx, 1Dh
		jnz	short loc_588FE9

loc_588FDC:				; CODE XREF: __87except+A0j
					; __87except+A5j
		fld	qword ptr [esi+10h]
		fstp	[ebp+var_50]
		mov	[ebp+var_40], 3

loc_588FE9:				; CODE XREF: __87except+AAj
		lea	eax, [esi+18h]
		push	eax		; int
		lea	eax, [esi+8]
		push	eax		; int
		push	ecx		; int
		push	edi		; int
		lea	eax, [ebp+var_84]
		push	eax		; int
		lea	eax, [ebp+Arguments]
		push	eax		; Arguments
		call	__raise_exc
		add	esp, 18h

loc_589006:				; CODE XREF: __87except+5Cj
					; __87except+68j ...
		push	0FFFFh
		push	[ebp+var_84]
		call	__ctrlfp
		cmp	dword ptr [esi], 8
		pop	ecx
		pop	ecx
		jz	short loc_589031
		cmp	__matherr_flag,	0
		jnz	short loc_589031
		push	esi		; struct _exception *
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		pop	ecx
		test	eax, eax
		jnz	short loc_589039

loc_589031:				; CODE XREF: __87except+EBj
					; __87except+F4j
		push	dword ptr [esi]
		call	__set_errno_from_matherr
		pop	ecx

loc_589039:				; CODE XREF: __87except+FFj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
__87except	endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__flswbuf	proc near		; CODE XREF: __fputwc_nolock+3Cp

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		or	dword ptr [eax+0Ch], 20h
		mov	eax, 0FFFFh
		pop	ebp
		retn
__flswbuf	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 3014. swprintf_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _swprintf_s
_swprintf_s	proc near		; CODE XREF: RtlIpv6AddressToStringW+97p
					; RtlIpv6AddressToStringW+BCp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		lea	eax, [ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_vswprintf_s
		add	esp, 10h
		pop	ebp
		retn
_swprintf_s	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 3024. vswprintf_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _vswprintf_s
_vswprintf_s	proc near		; CODE XREF: _swprintf_s+12p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_5890BF
		cmp	[ebp+arg_4], 0
		jbe	short loc_5890BF
		cmp	[ebp+arg_8], 0
		jz	short loc_5890BF
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	__swoutput_s
		add	esp, 10h
		test	eax, eax
		jns	short loc_5890D1
		xor	ecx, ecx
		mov	[esi], cx
		cmp	eax, 0FFFFFFFEh
		jnz	short loc_5890CE

loc_5890BF:				; CODE XREF: _vswprintf_s+Bj
					; _vswprintf_s+11j ...
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h

loc_5890CE:				; CODE XREF: _vswprintf_s+37j
		or	eax, 0FFFFFFFFh

loc_5890D1:				; CODE XREF: _vswprintf_s+2Dj
		pop	esi
		pop	ebp
		retn
_vswprintf_s	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

x64toa_s	proc near		; CODE XREF: __i64toa_s+2Cp
					; __ui64toa_s+16p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		xor	ebx, ebx
		mov	[ebp+var_C], esi
		push	edi
		test	esi, esi
		jz	loc_5891D7
		test	edx, edx
		jz	loc_5891D7
		mov	ecx, [ebp+arg_C]
		xor	eax, eax
		test	ecx, ecx
		mov	[esi], bl
		setnz	al
		inc	eax
		cmp	edx, eax
		ja	short loc_58911E
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx

loc_58910F:				; CODE XREF: x64toa_s+E6j
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	22h
		jmp	loc_5891E6
; 

loc_58911E:				; CODE XREF: x64toa_s+34j
		mov	eax, [ebp+arg_8]
		add	eax, 0FFFFFFFEh
		cmp	eax, 22h
		ja	loc_5891D7
		mov	edx, [ebp+arg_4]
		mov	edi, esi
		mov	[ebp+arg_C], ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_4], edi
		test	ecx, ecx
		jz	short loc_589155
		xor	eax, eax
		mov	byte ptr [esi],	2Dh
		inc	eax
		lea	edi, [esi+1]
		neg	ebx
		mov	[ebp+var_4], edi
		mov	[ebp+arg_C], eax
		adc	edx, 0
		neg	edx

loc_589155:				; CODE XREF: x64toa_s+69j
		mov	esi, [ebp+var_8]
		mov	[ebp+var_10], edi
		mov	edi, [ebp+var_4]

loc_58915E:				; CODE XREF: x64toa_s+CCj
		push	ebx
		push	0
		push	[ebp+arg_8]
		mov	[ebp+var_8], edi
		push	edx
		push	ebx
		call	__aulldvrm
		mov	[ebp+arg_4], ebx
		pop	ebx
		nop
		mov	ebx, eax
		lea	eax, [edi+1]
		mov	[ebp+arg_4], eax
		push	9
		pop	eax
		cmp	eax, ecx
		sbb	al, al
		and	al, 27h
		add	al, 30h
		add	al, cl
		mov	[edi], al
		mov	eax, [ebp+arg_C]
		inc	eax
		mov	[ebp+arg_C], eax
		test	edx, edx
		jnz	short loc_589199
		test	ebx, ebx
		jz	short loc_5891A4

loc_589199:				; CODE XREF: x64toa_s+BFj
		mov	ecx, [ebp+arg_4]
		mov	edi, ecx
		cmp	eax, esi
		jb	short loc_58915E
		jmp	short loc_5891A7
; 

loc_5891A4:				; CODE XREF: x64toa_s+C3j
		mov	ecx, [ebp+arg_4]

loc_5891A7:				; CODE XREF: x64toa_s+CEj
		mov	edi, [ebp+var_10]
		cmp	eax, esi
		mov	esi, [ebp+var_C]
		jb	short loc_5891BF
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		mov	[esi], al
		push	eax
		jmp	loc_58910F
; 

loc_5891BF:				; CODE XREF: x64toa_s+DBj
		mov	edx, [ebp+var_8]
		mov	byte ptr [ecx],	0

loc_5891C5:				; CODE XREF: x64toa_s+FDj
		mov	al, [edi]
		mov	cl, [edx]
		mov	[edx], al
		dec	edx
		mov	[edi], cl
		inc	edi
		cmp	edi, edx
		jb	short loc_5891C5
		xor	eax, eax
		jmp	short loc_5891E7
; 

loc_5891D7:				; CODE XREF: x64toa_s+17j x64toa_s+1Fj ...
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h

loc_5891E6:				; CODE XREF: x64toa_s+45j
		pop	eax

loc_5891E7:				; CODE XREF: x64toa_s+101j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
x64toa_s	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2915. _i64toa_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __i64toa_s
__i64toa_s	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		cmp	[ebp+arg_10], 0Ah
		jnz	short loc_589210
		cmp	[ebp+arg_4], eax
		jg	short loc_589210
		jl	short loc_58920D
		cmp	[ebp+arg_0], eax
		jnb	short loc_589210

loc_58920D:				; CODE XREF: __i64toa_s+12j
		xor	eax, eax
		inc	eax

loc_589210:				; CODE XREF: __i64toa_s+Bj
					; __i64toa_s+10j ...
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	x64toa_s
		pop	ebp
		retn
__i64toa_s	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2918. _itoa_s
; Exported entry 2922. _ltoa_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __itoa_s
__itoa_s	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi	; _itoa_s
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 0Ah
		jnz	short loc_589242
		cmp	[ebp+arg_0], 0
		jge	short loc_589242
		xor	eax, eax
		inc	eax
		jmp	short loc_589244
; 

loc_589242:				; CODE XREF: __itoa_s+9j __itoa_s+Fj
		xor	eax, eax

loc_589244:				; CODE XREF: __itoa_s+14j
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	xtoa_s
		pop	ebp
		retn
__itoa_s	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2944. _ui64toa_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __ui64toa_s
__ui64toa_s	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	x64toa_s
		pop	ebp
		retn
__ui64toa_s	endp

; 
		align 10h
; Exported entry 2946. _ultoa_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __ultoa_s
__ultoa_s	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	xtoa_s
		pop	ebp
		retn
__ultoa_s	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

xtoa_s		proc near		; CODE XREF: __itoa_s+25p
					; __ultoa_s+13p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	loc_589377
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jz	loc_589377
		mov	edx, [ebp+arg_10]
		test	edx, edx
		mov	[ecx], al
		setnz	al
		inc	eax
		cmp	ebx, eax
		ja	short loc_5892E0
		xor	eax, eax

loc_5892CC:				; CODE XREF: xtoa_s+C1j
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	22h
		jmp	loc_589386
; 

loc_5892E0:				; CODE XREF: xtoa_s+2Ej
		mov	eax, [ebp+arg_C]
		add	eax, 0FFFFFFFEh
		cmp	eax, 22h
		ja	loc_589375
		xor	eax, eax
		mov	[ebp+arg_8], ecx
		mov	[ebp+arg_10], eax
		test	edx, edx
		jz	short loc_589311
		lea	eax, [ecx+1]
		mov	byte ptr [ecx],	2Dh
		mov	[ebp+arg_8], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+arg_10], eax
		mov	eax, [ebp+arg_0]
		neg	eax
		jmp	short loc_589314
; 

loc_589311:				; CODE XREF: xtoa_s+5Fj
		mov	eax, [ebp+arg_0]

loc_589314:				; CODE XREF: xtoa_s+75j
		mov	ecx, [ebp+arg_8]
		mov	esi, [ebp+arg_10]
		mov	[ebp+var_4], ecx

loc_58931D:				; CODE XREF: xtoa_s+B1j
		xor	edx, edx
		mov	edi, ecx
		div	[ebp+arg_C]
		push	9
		mov	[ebp+arg_8], eax
		lea	eax, [ecx+1]
		mov	[ebp+arg_0], eax
		pop	eax
		cmp	eax, edx
		sbb	al, al
		and	al, 27h
		add	al, 30h
		add	al, dl
		mov	edx, [ebp+arg_0]
		mov	[ecx], al
		inc	esi
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_58934D
		mov	ecx, edx
		cmp	esi, ebx
		jb	short loc_58931D

loc_58934D:				; CODE XREF: xtoa_s+ABj
		mov	ecx, [ebp+arg_4]
		cmp	esi, ebx
		mov	esi, [ebp+var_4]
		jb	short loc_589360
		xor	eax, eax
		mov	[ecx], al
		jmp	loc_5892CC
; 

loc_589360:				; CODE XREF: xtoa_s+BBj
		mov	byte ptr [edx],	0

loc_589363:				; CODE XREF: xtoa_s+D5j
		mov	al, [esi]
		mov	cl, [edi]
		mov	[edi], al
		dec	edi
		mov	[esi], cl
		inc	esi
		cmp	esi, edi
		jb	short loc_589363
		xor	eax, eax
		jmp	short loc_589387
; 

loc_589375:				; CODE XREF: xtoa_s+4Fj
		xor	eax, eax

loc_589377:				; CODE XREF: xtoa_s+10j xtoa_s+1Bj
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h

loc_589386:				; CODE XREF: xtoa_s+41j
		pop	eax

loc_589387:				; CODE XREF: xtoa_s+D9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
xtoa_s		endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

x64tow_s	proc near		; CODE XREF: __i64tow_s+2Cp
					; __ui64tow_s+16p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], edi
		test	edi, edi
		jz	loc_5894A1
		test	edx, edx
		jz	loc_5894A1
		mov	ebx, [ebp+arg_C]
		xor	eax, eax
		test	ebx, ebx
		mov	[edi], ax
		setnz	al
		inc	eax
		cmp	edx, eax
		ja	short loc_5893D9
		xor	esi, esi

loc_5893C5:				; CODE XREF: x64tow_s+E6j
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	22h
		jmp	loc_5894B2
; 

loc_5893D9:				; CODE XREF: x64tow_s+33j
		mov	eax, [ebp+arg_8]
		add	eax, 0FFFFFFFEh
		cmp	eax, 22h
		ja	loc_5894A1
		mov	edx, [ebp+arg_4]
		xor	esi, esi
		mov	eax, edi
		mov	[ebp+var_4], esi
		test	ebx, ebx
		mov	[ebp+arg_C], eax
		mov	ebx, [ebp+arg_0]
		jz	short loc_589414
		xor	ecx, ecx
		inc	ecx
		neg	ebx
		push	2Dh
		pop	eax
		mov	[edi], ax
		adc	edx, esi
		lea	eax, [edi+2]
		mov	[ebp+var_4], ecx
		mov	[ebp+arg_C], eax
		neg	edx

loc_589414:				; CODE XREF: x64tow_s+6Cj
		mov	edi, [ebp+var_8]
		mov	[ebp+var_10], eax

loc_58941A:				; CODE XREF: x64tow_s+D8j
		push	ebx
		push	esi
		push	[ebp+arg_8]
		mov	[ebp+var_8], eax
		push	edx
		push	ebx
		call	__aulldvrm
		mov	[ebp+arg_4], ebx
		pop	ebx
		nop
		mov	ebx, eax
		mov	eax, [ebp+arg_C]
		add	eax, 2
		mov	[ebp+arg_4], eax
		push	9
		pop	eax
		cmp	eax, ecx
		sbb	eax, eax
		and	eax, 27h
		add	eax, 30h
		add	ax, cx
		mov	ecx, [ebp+arg_C]
		mov	[ecx], ax
		mov	ecx, [ebp+var_4]
		inc	ecx
		mov	[ebp+var_4], ecx
		cmp	edx, esi
		ja	short loc_58945E
		cmp	ebx, esi
		jbe	short loc_589468

loc_58945E:				; CODE XREF: x64tow_s+CAj
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_C], eax
		cmp	ecx, edi
		jb	short loc_58941A

loc_589468:				; CODE XREF: x64tow_s+CEj
		cmp	ecx, edi
		mov	edi, [ebp+var_C]
		jb	short loc_589479
		xor	ecx, ecx
		mov	[edi], cx
		jmp	loc_5893C5
; 

loc_589479:				; CODE XREF: x64tow_s+DFj
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	edx, [ebp+var_10]
		mov	ebx, [ebp+var_8]
		mov	[eax], cx

loc_589487:				; CODE XREF: x64tow_s+10Dj
		mov	ax, [edx]
		movzx	ecx, word ptr [ebx]
		mov	[ebx], ax
		sub	ebx, 2
		mov	[edx], cx
		add	edx, 2
		cmp	edx, ebx
		jb	short loc_589487
		xor	eax, eax
		jmp	short loc_5894B3
; 

loc_5894A1:				; CODE XREF: x64tow_s+15j x64tow_s+1Dj ...
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h

loc_5894B2:				; CODE XREF: x64tow_s+46j
		pop	eax

loc_5894B3:				; CODE XREF: x64tow_s+111j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
x64tow_s	endp

; 
		align 10h
; Exported entry 2916. _i64tow_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __i64tow_s
__i64tow_s	proc near		; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+5A4p
					; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+A38p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		cmp	[ebp+arg_10], 0Ah
		jnz	short loc_5894DC
		cmp	[ebp+arg_4], eax
		jg	short loc_5894DC
		jl	short loc_5894D9
		cmp	[ebp+arg_0], eax
		jnb	short loc_5894DC

loc_5894D9:				; CODE XREF: __i64tow_s+12j
		xor	eax, eax
		inc	eax

loc_5894DC:				; CODE XREF: __i64tow_s+Bj
					; __i64tow_s+10j ...
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	x64tow_s
		pop	ebp
		retn
__i64tow_s	endp

; 
		align 8
; Exported entry 2920. _itow_s
; Exported entry 2923. _ltow_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __itow_s
__itow_s	proc near		; CODE XREF: RtlpFindRegTziForCurrentYear+3Fp
					; RtlpFindRegTziForCurrentYear+11Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi	; _itow_s
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 0Ah
		jnz	short loc_58950E
		cmp	[ebp+arg_0], 0
		jge	short loc_58950E
		xor	eax, eax
		inc	eax
		jmp	short loc_589510
; 

loc_58950E:				; CODE XREF: __itow_s+9j __itow_s+Fj
		xor	eax, eax

loc_589510:				; CODE XREF: __itow_s+14j
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	xtow_s
		pop	ebp
		retn
__itow_s	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2945. _ui64tow_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __ui64tow_s
__ui64tow_s	proc near		; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+4F3p
					; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+9A4p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	x64tow_s
		pop	ebp
		retn
__ui64tow_s	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2947. _ultow_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __ultow_s
__ultow_s	proc near		; CODE XREF: LocalConvertAclToString+434p
					; BiDeleteElement+88p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	xtow_s
		pop	ebp
		retn
__ultow_s	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

xtow_s		proc near		; CODE XREF: __itow_s+25p
					; __ultow_s+13p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		test	esi, esi
		jz	loc_58965A
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	loc_58965A
		mov	edx, [ebp+arg_10]
		xor	eax, eax
		test	edx, edx
		mov	[esi], ax
		setnz	al
		inc	eax
		cmp	ecx, eax
		ja	short loc_5895AD
		xor	ecx, ecx

loc_589599:				; CODE XREF: xtow_s+D0j
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	22h
		jmp	loc_58966B
; 

loc_5895AD:				; CODE XREF: xtow_s+2Fj
		mov	eax, [ebp+arg_C]
		add	eax, 0FFFFFFFEh
		cmp	eax, 22h
		ja	loc_58965A
		xor	ecx, ecx
		mov	[ebp+arg_10], esi
		mov	[ebp+var_4], ecx
		test	edx, edx
		jz	short loc_5895E1
		push	2Dh
		pop	eax
		mov	[esi], ax
		lea	eax, [esi+2]
		mov	[ebp+arg_10], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		neg	eax
		jmp	short loc_5895E4
; 

loc_5895E1:				; CODE XREF: xtow_s+60j
		mov	eax, [ebp+arg_0]

loc_5895E4:				; CODE XREF: xtow_s+79j
		mov	esi, [ebp+arg_10]
		mov	ecx, [ebp+arg_8]
		mov	edi, [ebp+var_4]
		mov	[ebp+arg_10], esi

loc_5895F0:				; CODE XREF: xtow_s+BCj
		xor	edx, edx
		mov	ebx, esi
		div	[ebp+arg_C]
		push	9
		mov	[ebp+arg_8], eax
		lea	eax, [esi+2]
		mov	[ebp+arg_0], eax
		pop	eax
		cmp	eax, edx
		sbb	eax, eax
		and	eax, 27h
		add	eax, 30h
		add	ax, dx
		mov	edx, [ebp+arg_0]
		mov	[esi], ax
		inc	edi
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_589624
		mov	esi, edx
		cmp	edi, ecx
		jb	short loc_5895F0

loc_589624:				; CODE XREF: xtow_s+B6j
		mov	esi, [ebp+arg_4]
		cmp	edi, ecx
		mov	edi, [ebp+arg_10]
		push	0
		pop	ecx
		jb	short loc_58963B
		xor	edx, edx
		mov	[esi], dx
		jmp	loc_589599
; 

loc_58963B:				; CODE XREF: xtow_s+C9j
		xor	eax, eax
		mov	[edx], ax

loc_589640:				; CODE XREF: xtow_s+EEj
		mov	ax, [edi]
		movzx	ecx, word ptr [ebx]
		mov	[ebx], ax
		sub	ebx, 2
		mov	[edi], cx
		add	edi, 2
		cmp	edi, ebx
		jb	short loc_589640
		xor	eax, eax
		jmp	short loc_58966C
; 

loc_58965A:				; CODE XREF: xtow_s+Ej	xtow_s+19j ...
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h

loc_58966B:				; CODE XREF: xtow_s+42j
		pop	eax

loc_58966C:				; CODE XREF: xtow_s+F2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
xtow_s		endp

; 
		align 8
; Exported entry 2924. _makepath_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __makepath_s
__makepath_s	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		test	ebx, ebx
		jz	loc_589757
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	loc_589757
		mov	edx, eax
		mov	ecx, ebx
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_5896BD
		mov	al, [eax]
		test	al, al
		jz	short loc_5896BD
		push	2
		pop	edx
		cmp	esi, edx
		jbe	loc_589748
		lea	ecx, [ebx+1]
		mov	[ebx], al
		mov	byte ptr [ecx],	3Ah
		inc	ecx

loc_5896BD:				; CODE XREF: __makepath_s+29j
					; __makepath_s+2Fj
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jz	short loc_5896ED
		cmp	byte ptr [edi],	0
		jz	short loc_5896ED

loc_5896C9:				; CODE XREF: __makepath_s+5Fj
		inc	edx
		cmp	edx, esi
		jnb	short loc_589748
		mov	al, [edi]
		mov	[ecx], al
		inc	ecx
		inc	edi
		cmp	byte ptr [edi],	0
		jnz	short loc_5896C9
		mov	al, [edi-1]
		cmp	al, 2Fh
		jz	short loc_5896ED
		cmp	al, 5Ch
		jz	short loc_5896ED
		inc	edx
		cmp	edx, esi
		jnb	short loc_589748
		mov	byte ptr [ecx],	5Ch
		inc	ecx

loc_5896ED:				; CODE XREF: __makepath_s+4Aj
					; __makepath_s+4Fj ...
		mov	edi, [ebp+arg_10]
		test	edi, edi
		jz	short loc_58970C
		cmp	byte ptr [edi],	0
		jz	short loc_58970C
		sub	edi, ecx

loc_5896FB:				; CODE XREF: __makepath_s+92j
		inc	edx
		cmp	edx, esi
		jnb	short loc_589748
		mov	al, [edi+ecx]
		mov	[ecx], al
		inc	ecx
		cmp	byte ptr [edi+ecx], 0
		jnz	short loc_5896FB

loc_58970C:				; CODE XREF: __makepath_s+7Aj
					; __makepath_s+7Fj
		mov	edi, [ebp+arg_14]
		test	edi, edi
		jz	short loc_589741
		mov	al, [edi]
		mov	ah, al
		test	al, al
		jz	short loc_58972A
		cmp	al, 2Eh
		jz	short loc_58972A
		inc	edx
		cmp	edx, esi
		jnb	short loc_589748
		mov	byte ptr [ecx],	2Eh
		inc	ecx
		mov	ah, [edi]

loc_58972A:				; CODE XREF: __makepath_s+A1j
					; __makepath_s+A5j
		test	ah, ah
		jz	short loc_589741
		sub	edi, ecx

loc_589730:				; CODE XREF: __makepath_s+C7j
		inc	edx
		cmp	edx, esi
		jnb	short loc_589748
		mov	al, [edi+ecx]
		mov	[ecx], al
		inc	ecx
		cmp	byte ptr [edi+ecx], 0
		jnz	short loc_589730

loc_589741:				; CODE XREF: __makepath_s+99j
					; __makepath_s+B4j
		lea	eax, [edx+1]
		cmp	eax, esi
		jbe	short loc_589750

loc_589748:				; CODE XREF: __makepath_s+36j
					; __makepath_s+54j ...
		xor	eax, eax
		mov	[ebx], al
		push	22h
		jmp	short loc_589759
; 

loc_589750:				; CODE XREF: __makepath_s+CEj
		mov	byte ptr [ecx],	0
		xor	eax, eax
		jmp	short loc_589769
; 

loc_589757:				; CODE XREF: __makepath_s+Fj
					; __makepath_s+1Aj
		push	16h

loc_589759:				; CODE XREF: __makepath_s+D6j
		pop	esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, esi

loc_589769:				; CODE XREF: __makepath_s+DDj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
__makepath_s	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2927. _snprintf_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __snprintf_s
__snprintf_s	proc near		; CODE XREF: RtlIncrementCorrelationVector(x)+70p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		lea	eax, [ebp+arg_10]
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__vsnprintf_s
		add	esp, 14h
		pop	ebp
		retn
__snprintf_s	endp

; 
		align 8
; Exported entry 2949. _vsnprintf_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __vsnprintf_s
__vsnprintf_s	proc near		; CODE XREF: __snprintf_s+15p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_C]
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		test	ecx, ecx
		jz	short loc_5897F0
		mov	edi, [ebp+arg_8]
		mov	esi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_5897C0
		test	esi, esi
		jnz	short loc_5897C4
		cmp	[ebp+arg_4], ebx
		jnz	short loc_5897F0
		xor	eax, eax
		jmp	short loc_589800
; 

loc_5897C0:				; CODE XREF: __vsnprintf_s+19j
		test	esi, esi
		jz	short loc_5897F0

loc_5897C4:				; CODE XREF: __vsnprintf_s+1Dj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_5897F0
		push	[ebp+arg_10]
		push	ecx
		cmp	eax, edi
		jbe	short loc_589805
		lea	eax, [edi+1]
		push	eax
		push	esi
		call	__soutput_s
		add	esp, 10h
		cmp	eax, 0FFFFFFFEh
		jz	short loc_5897FD

loc_5897E5:				; CODE XREF: __vsnprintf_s+7Aj
		test	eax, eax
		jns	short loc_589800

loc_5897E9:				; CODE XREF: __vsnprintf_s+7Fj
		mov	[esi], bl
		cmp	eax, 0FFFFFFFEh
		jnz	short loc_5897FD

loc_5897F0:				; CODE XREF: __vsnprintf_s+Fj
					; __vsnprintf_s+22j ...
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h

loc_5897FD:				; CODE XREF: __vsnprintf_s+4Bj
					; __vsnprintf_s+56j ...
		or	eax, 0FFFFFFFFh

loc_589800:				; CODE XREF: __vsnprintf_s+26j
					; __vsnprintf_s+4Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_589805:				; CODE XREF: __vsnprintf_s+39j
		push	eax
		push	esi
		call	__soutput_s
		add	esp, 10h
		cmp	eax, 0FFFFFFFEh
		jnz	short loc_5897E5
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_5897E9
		jmp	short loc_5897FD
__vsnprintf_s	endp

; 
		align 10h
; Exported entry 2928. _snscanf_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __snscanf_s
__snscanf_s	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 0
		jnz	short loc_58983F
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
; 

loc_58983F:				; CODE XREF: __snscanf_s+9j
		lea	eax, [ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__sinput_s
		add	esp, 10h
		pop	ebp
		retn
__snscanf_s	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2930. _snwprintf_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __snwprintf_s
__snwprintf_s	proc near		; CODE XREF: RtlQueryAtomInAtomTable+16Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		lea	eax, [ebp+arg_10]
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__vsnwprintf_s
		add	esp, 14h
		pop	ebp
		retn
__snwprintf_s	endp

; 
		align 10h
; Exported entry 2951. _vsnwprintf_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __vsnwprintf_s
__vsnwprintf_s	proc near		; CODE XREF: __snwprintf_s+15p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	esi
		push	edi
		test	eax, eax
		jz	short loc_5898D8
		mov	edi, [ebp+arg_8]
		mov	esi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_5898A5
		test	esi, esi
		jnz	short loc_5898A9
		cmp	[ebp+arg_4], esi
		jnz	short loc_5898D8
		xor	eax, eax
		jmp	short loc_5898EA
; 

loc_5898A5:				; CODE XREF: __vsnwprintf_s+16j
		test	esi, esi
		jz	short loc_5898D8

loc_5898A9:				; CODE XREF: __vsnwprintf_s+1Aj
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_5898D8
		push	[ebp+arg_10]
		push	eax
		cmp	ecx, edi
		jbe	short loc_5898EE
		lea	eax, [edi+1]
		push	eax
		push	esi
		call	__swoutput_s
		add	esp, 10h
		cmp	eax, 0FFFFFFFEh
		jz	short loc_5898E7

loc_5898CA:				; CODE XREF: __vsnwprintf_s+7Bj
		test	eax, eax
		jns	short loc_5898EA

loc_5898CE:				; CODE XREF: __vsnwprintf_s+80j
		xor	ecx, ecx
		mov	[esi], cx
		cmp	eax, 0FFFFFFFEh
		jnz	short loc_5898E7

loc_5898D8:				; CODE XREF: __vsnwprintf_s+Cj
					; __vsnwprintf_s+1Fj ...
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h

loc_5898E7:				; CODE XREF: __vsnwprintf_s+48j
					; __vsnwprintf_s+56j ...
		or	eax, 0FFFFFFFFh

loc_5898EA:				; CODE XREF: __vsnwprintf_s+23j
					; __vsnwprintf_s+4Cj
		pop	edi
		pop	esi
		pop	ebp
		retn
; 

loc_5898EE:				; CODE XREF: __vsnwprintf_s+36j
		push	ecx
		push	esi
		call	__swoutput_s
		add	esp, 10h
		cmp	eax, 0FFFFFFFEh
		jnz	short loc_5898CA
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_5898CE
		jmp	short loc_5898E7
__vsnwprintf_s	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2931. _snwscanf_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __snwscanf_s
__snwscanf_s	proc near		; CODE XREF: SiGetBootDeviceName+84p
					; SiIsWinPeHardDiskZeroUfdBoot()+84p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 0
		jnz	short loc_589929
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
; 

loc_589929:				; CODE XREF: __snwscanf_s+9j
		lea	eax, [ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__swinput_s
		add	esp, 10h
		pop	ebp
		retn
__snwscanf_s	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2932. _splitpath_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __splitpath_s
__splitpath_s	proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		test	edi, edi
		jz	short loc_589967
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_589975
		cmp	[ebp+arg_8], ebx
		jz	short loc_58997A

loc_589967:				; CODE XREF: __splitpath_s+13j
					; __splitpath_s+32j ...
		mov	edx, [ebp+arg_14]

loc_58996A:				; CODE XREF: __splitpath_s+4Fj
					; __splitpath_s+56j ...
		xor	ebx, ebx
		inc	ebx

loc_58996D:				; CODE XREF: __splitpath_s+85j
		mov	eax, [ebp+arg_1C]
		jmp	loc_589AC2
; 

loc_589975:				; CODE XREF: __splitpath_s+1Aj
		cmp	[ebp+arg_8], ebx
		jz	short loc_589967

loc_58997A:				; CODE XREF: __splitpath_s+1Fj
		cmp	[ebp+arg_C], ebx
		jnz	short loc_589986
		cmp	[ebp+arg_10], ebx
		jnz	short loc_589967
		jmp	short loc_58998B
; 

loc_589986:				; CODE XREF: __splitpath_s+37j
		cmp	[ebp+arg_10], ebx
		jz	short loc_589967

loc_58998B:				; CODE XREF: __splitpath_s+3Ej
		mov	edx, [ebp+arg_14]
		test	edx, edx
		jnz	short loc_589999
		cmp	[ebp+arg_18], ebx
		jnz	short loc_58996A
		jmp	short loc_58999E
; 

loc_589999:				; CODE XREF: __splitpath_s+4Aj
		cmp	[ebp+arg_18], ebx
		jz	short loc_58996A

loc_58999E:				; CODE XREF: __splitpath_s+51j
		cmp	[ebp+arg_1C], ebx
		jnz	short loc_5899AA
		cmp	[ebp+arg_20], ebx
		jnz	short loc_58996A
		jmp	short loc_5899AF
; 

loc_5899AA:				; CODE XREF: __splitpath_s+5Bj
		cmp	[ebp+arg_20], ebx
		jz	short loc_58996A

loc_5899AF:				; CODE XREF: __splitpath_s+62j
		xor	eax, eax
		mov	esi, edi
		inc	eax

loc_5899B4:				; CODE XREF: __splitpath_s+76j
		cmp	[esi], bl
		jz	short loc_5899BE
		inc	esi
		sub	eax, 1
		jnz	short loc_5899B4

loc_5899BE:				; CODE XREF: __splitpath_s+70j
		cmp	byte ptr [esi],	3Ah
		jnz	short loc_5899E4
		test	ecx, ecx
		jz	short loc_5899DF
		cmp	[ebp+arg_8], 3
		jb	short loc_58996D
		push	2
		push	edi
		push	[ebp+arg_8]
		push	ecx
		call	_strncpy_s
		mov	edx, [ebp+arg_14]
		add	esp, 10h

loc_5899DF:				; CODE XREF: __splitpath_s+7Fj
		lea	edi, [esi+1]
		jmp	short loc_5899EA
; 

loc_5899E4:				; CODE XREF: __splitpath_s+7Bj
		test	ecx, ecx
		jz	short loc_5899EA
		mov	[ecx], bl

loc_5899EA:				; CODE XREF: __splitpath_s+9Cj
					; __splitpath_s+A0j
		mov	al, [edi]
		xor	ecx, ecx
		xor	ebx, ebx
		mov	esi, edi
		test	al, al
		jz	short loc_589A41

loc_5899F6:				; CODE XREF: __splitpath_s+C8j
		cmp	al, 2Fh
		jz	short loc_589A06
		cmp	al, 5Ch
		jz	short loc_589A06
		cmp	al, 2Eh
		jnz	short loc_589A09
		mov	ebx, esi
		jmp	short loc_589A09
; 

loc_589A06:				; CODE XREF: __splitpath_s+B2j
					; __splitpath_s+B6j
		lea	ecx, [esi+1]

loc_589A09:				; CODE XREF: __splitpath_s+BAj
					; __splitpath_s+BEj
		inc	esi
		mov	al, [esi]
		test	al, al
		jnz	short loc_5899F6
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		jz	short loc_589A41
		cmp	[ebp+arg_C], 0
		jz	short loc_589A3D
		mov	eax, ecx
		sub	eax, edi
		cmp	[ebp+arg_10], eax
		jbe	loc_589ABC
		push	eax
		push	edi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	_strncpy_s
		mov	ecx, [ebp+arg_0]
		add	esp, 10h

loc_589A3D:				; CODE XREF: __splitpath_s+D5j
		mov	edi, ecx
		jmp	short loc_589A4B
; 

loc_589A41:				; CODE XREF: __splitpath_s+AEj
					; __splitpath_s+CFj
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_589A4B
		mov	byte ptr [eax],	0

loc_589A4B:				; CODE XREF: __splitpath_s+F9j
					; __splitpath_s+100j
		test	ebx, ebx
		jz	short loc_589A92
		cmp	ebx, edi
		jb	short loc_589A92
		mov	edx, [ebp+arg_14]
		test	edx, edx
		jz	short loc_589A74
		mov	eax, ebx
		sub	eax, edi
		cmp	[ebp+arg_18], eax
		jbe	short loc_589ABC
		push	eax
		push	edi
		push	[ebp+arg_18]
		push	edx
		call	_strncpy_s
		mov	edx, [ebp+arg_14]
		add	esp, 10h

loc_589A74:				; CODE XREF: __splitpath_s+112j
		mov	eax, [ebp+arg_1C]
		test	eax, eax
		jz	short loc_589AB8
		sub	esi, ebx
		cmp	[ebp+arg_20], esi
		jbe	short loc_589ABF
		push	esi
		push	ebx
		push	[ebp+arg_20]
		push	eax
		call	_strncpy_s
		add	esp, 10h
		jmp	short loc_589AB8
; 

loc_589A92:				; CODE XREF: __splitpath_s+107j
					; __splitpath_s+10Bj
		mov	edx, [ebp+arg_14]
		test	edx, edx
		jz	short loc_589AAE
		sub	esi, edi
		cmp	[ebp+arg_18], esi
		jbe	short loc_589ABC
		push	esi
		push	edi
		push	[ebp+arg_18]
		push	edx
		call	_strncpy_s
		add	esp, 10h

loc_589AAE:				; CODE XREF: __splitpath_s+151j
		mov	eax, [ebp+arg_1C]
		test	eax, eax
		jz	short loc_589AB8
		mov	byte ptr [eax],	0

loc_589AB8:				; CODE XREF: __splitpath_s+133j
					; __splitpath_s+14Aj ...
		xor	eax, eax
		jmp	short loc_589B17
; 

loc_589ABC:				; CODE XREF: __splitpath_s+DEj
					; __splitpath_s+11Bj ...
		mov	eax, [ebp+arg_1C]

loc_589ABF:				; CODE XREF: __splitpath_s+13Aj
		mov	ebx, [ebp+var_4]

loc_589AC2:				; CODE XREF: __splitpath_s+2Aj
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_589AD2
		cmp	[ebp+arg_8], 0
		jbe	short loc_589AD2
		mov	byte ptr [ecx],	0

loc_589AD2:				; CODE XREF: __splitpath_s+181j
					; __splitpath_s+187j
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_589AE2
		cmp	[ebp+arg_10], 0
		jbe	short loc_589AE2
		mov	byte ptr [ecx],	0

loc_589AE2:				; CODE XREF: __splitpath_s+191j
					; __splitpath_s+197j
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_589AEF
		cmp	[ebp+arg_18], ecx
		jbe	short loc_589AEF
		mov	[edx], cl

loc_589AEF:				; CODE XREF: __splitpath_s+1A0j
					; __splitpath_s+1A5j
		test	eax, eax
		jz	short loc_589AFB
		cmp	[ebp+arg_20], 0
		jbe	short loc_589AFB
		mov	[eax], cl

loc_589AFB:				; CODE XREF: __splitpath_s+1ABj
					; __splitpath_s+1B1j
		test	edi, edi
		jz	short loc_589B07
		test	ebx, ebx
		jnz	short loc_589B07
		push	22h
		jmp	short loc_589B16
; 

loc_589B07:				; CODE XREF: __splitpath_s+1B7j
					; __splitpath_s+1BBj
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h

loc_589B16:				; CODE XREF: __splitpath_s+1BFj
		pop	eax

loc_589B17:				; CODE XREF: __splitpath_s+174j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
__splitpath_s	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2937. _strnset_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __strnset_s
__strnset_s	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jnz	short loc_589B3F
		test	ecx, ecx
		jnz	short loc_589B43
		cmp	[ebp+arg_4], ecx
		jnz	short loc_589B83

loc_589B3B:				; CODE XREF: __strnset_s+59j
		xor	eax, eax
		jmp	short loc_589B95
; 

loc_589B3F:				; CODE XREF: __strnset_s+Ej
		test	ecx, ecx
		jz	short loc_589B83

loc_589B43:				; CODE XREF: __strnset_s+12j
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_589B83
		cmp	byte ptr [ecx],	0
		mov	eax, ecx
		jz	short loc_589B68
		push	ebx
		mov	ebx, [ebp+arg_8]

loc_589B55:				; CODE XREF: __strnset_s+43j
		test	esi, esi
		jz	short loc_589B67
		sub	edx, 1
		jz	short loc_589B67
		mov	[eax], bl
		inc	eax
		dec	esi
		cmp	byte ptr [eax],	0
		jnz	short loc_589B55

loc_589B67:				; CODE XREF: __strnset_s+35j
					; __strnset_s+3Aj
		pop	ebx

loc_589B68:				; CODE XREF: __strnset_s+2Dj
		test	esi, esi
		jnz	short loc_589B79
		jmp	short loc_589B74
; 

loc_589B6E:				; CODE XREF: __strnset_s+55j
		sub	edx, 1
		jz	short loc_589B79
		inc	eax

loc_589B74:				; CODE XREF: __strnset_s+4Aj
		cmp	byte ptr [eax],	0
		jnz	short loc_589B6E

loc_589B79:				; CODE XREF: __strnset_s+48j
					; __strnset_s+4Fj
		test	edx, edx
		jnz	short loc_589B3B
		xor	eax, eax
		mov	[ecx], al
		jmp	short loc_589B85
; 

loc_589B83:				; CODE XREF: __strnset_s+17j
					; __strnset_s+1Fj ...
		xor	eax, eax

loc_589B85:				; CODE XREF: __strnset_s+5Fj
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h
		pop	eax

loc_589B95:				; CODE XREF: __strnset_s+1Bj
		pop	esi
		pop	ebp
		retn
__strnset_s	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2940. _strset_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __strset_s
__strset_s	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_589BD6
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_589BD6
		cmp	byte ptr [ecx],	0
		mov	edx, ecx
		jz	short loc_589BCA
		push	ebx
		mov	ebx, [ebp+arg_8]

loc_589BBC:				; CODE XREF: __strset_s+29j
		sub	eax, 1
		jz	short loc_589BC9
		mov	[edx], bl
		inc	edx
		cmp	byte ptr [edx],	0
		jnz	short loc_589BBC

loc_589BC9:				; CODE XREF: __strset_s+21j
		pop	ebx

loc_589BCA:				; CODE XREF: __strset_s+18j
		test	eax, eax
		jnz	short loc_589BD2
		mov	[ecx], al
		jmp	short loc_589BD8
; 

loc_589BD2:				; CODE XREF: __strset_s+2Ej
		xor	eax, eax
		pop	ebp
		retn
; 

loc_589BD6:				; CODE XREF: __strset_s+Aj
					; __strset_s+11j
		xor	eax, eax

loc_589BD8:				; CODE XREF: __strset_s+32j
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h
		pop	eax
		pop	ebp
		retn
__strset_s	endp

; 
		align 10h
; Exported entry 2962. _wmakepath_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __wmakepath_s
__wmakepath_s	proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		xor	edi, edi
		test	ebx, ebx
		jz	loc_589D22
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	loc_589D22
		mov	eax, [ebp+arg_8]
		mov	edx, edi
		mov	ecx, ebx
		test	eax, eax
		jz	short loc_589C3D
		movzx	eax, word ptr [eax]
		test	ax, ax
		jz	short loc_589C3D
		push	2
		pop	edx
		cmp	esi, edx
		jbe	loc_589D12
		mov	[ebx], ax
		lea	ecx, [ebx+2]
		push	3Ah
		pop	eax
		mov	[ecx], ax
		add	ecx, edx

loc_589C3D:				; CODE XREF: __wmakepath_s+2Aj
					; __wmakepath_s+32j
		mov	edi, [ebp+arg_C]
		xor	eax, eax
		test	edi, edi
		jz	short loc_589C89
		cmp	[edi], ax
		jz	short loc_589C89

loc_589C4B:				; CODE XREF: __wmakepath_s+75j
		inc	edx
		cmp	edx, esi
		jnb	loc_589D10
		mov	ax, [edi]
		add	edi, 2
		mov	[ecx], ax
		xor	eax, eax
		add	ecx, 2
		cmp	[edi], ax
		jnz	short loc_589C4B
		movzx	eax, word ptr [edi-2]
		cmp	eax, 2Fh
		jz	short loc_589C87
		push	5Ch
		pop	edi
		cmp	ax, di
		jz	short loc_589C87
		inc	edx
		cmp	edx, esi
		jnb	loc_589D10
		mov	[ecx], di
		add	ecx, 2

loc_589C87:				; CODE XREF: __wmakepath_s+7Ej
					; __wmakepath_s+86j
		xor	eax, eax

loc_589C89:				; CODE XREF: __wmakepath_s+54j
					; __wmakepath_s+59j
		mov	edi, [ebp+arg_10]
		test	edi, edi
		jz	short loc_589CAE
		cmp	[edi], ax
		jz	short loc_589CAE
		sub	edi, ecx

loc_589C97:				; CODE XREF: __wmakepath_s+BCj
		inc	edx
		cmp	edx, esi
		jnb	short loc_589D10
		mov	ax, [edi+ecx]
		mov	[ecx], ax
		add	ecx, 2
		xor	eax, eax
		cmp	[edi+ecx], ax
		jnz	short loc_589C97

loc_589CAE:				; CODE XREF: __wmakepath_s+9Ej
					; __wmakepath_s+A3j
		mov	edi, [ebp+arg_14]
		test	edi, edi
		jz	short loc_589D09
		movzx	eax, word ptr [edi]
		mov	ebx, eax
		mov	[ebp+var_4], ebx
		mov	ebx, [ebp+arg_0]
		test	ax, ax
		jz	short loc_589CE8
		mov	ebx, eax
		mov	[ebp+var_4], ebx
		push	2Eh
		pop	ebx
		cmp	ax, bx
		mov	ebx, [ebp+arg_0]
		jz	short loc_589CE8
		inc	edx
		cmp	edx, esi
		jnb	short loc_589D10
		push	2Eh
		pop	eax
		mov	[ecx], ax
		add	ecx, 2
		movzx	eax, word ptr [edi]
		jmp	short loc_589CEB
; 

loc_589CE8:				; CODE XREF: __wmakepath_s+D3j
					; __wmakepath_s+E3j
		mov	eax, [ebp+var_4]

loc_589CEB:				; CODE XREF: __wmakepath_s+F6j
		test	ax, ax
		jz	short loc_589D09
		sub	edi, ecx

loc_589CF2:				; CODE XREF: __wmakepath_s+117j
		inc	edx
		cmp	edx, esi
		jnb	short loc_589D10
		mov	ax, [edi+ecx]
		mov	[ecx], ax
		add	ecx, 2
		xor	eax, eax
		cmp	[edi+ecx], ax
		jnz	short loc_589CF2

loc_589D09:				; CODE XREF: __wmakepath_s+C3j
					; __wmakepath_s+FEj
		lea	eax, [edx+1]
		cmp	eax, esi
		jbe	short loc_589D1B

loc_589D10:				; CODE XREF: __wmakepath_s+5Ej
					; __wmakepath_s+8Bj ...
		xor	edi, edi

loc_589D12:				; CODE XREF: __wmakepath_s+39j
		xor	eax, eax
		mov	[ebx], ax
		push	22h
		jmp	short loc_589D24
; 

loc_589D1B:				; CODE XREF: __wmakepath_s+11Ej
		xor	eax, eax
		mov	[ecx], ax
		jmp	short loc_589D34
; 

loc_589D22:				; CODE XREF: __wmakepath_s+10j
					; __wmakepath_s+1Bj
		push	16h

loc_589D24:				; CODE XREF: __wmakepath_s+129j
		pop	esi
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, esi

loc_589D34:				; CODE XREF: __wmakepath_s+130j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
__wmakepath_s	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2963. _wsplitpath_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public __wsplitpath_s
__wsplitpath_s	proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_8]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_589D5F
		cmp	[ebp+arg_4], eax
		jnz	short loc_589D6D
		test	edx, edx
		jz	short loc_589D71

loc_589D5F:				; CODE XREF: __wsplitpath_s+16j
					; __wsplitpath_s+31j
		mov	ebx, [ebp+arg_C]

loc_589D62:				; CODE XREF: __wsplitpath_s+3Dj
					; __wsplitpath_s+44j ...
		mov	eax, [ebp+arg_1C]
		xor	esi, esi
		inc	esi
		jmp	loc_589EEB
; 

loc_589D6D:				; CODE XREF: __wsplitpath_s+1Bj
		test	edx, edx
		jz	short loc_589D5F

loc_589D71:				; CODE XREF: __wsplitpath_s+1Fj
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jnz	short loc_589D7F
		cmp	[ebp+arg_10], eax
		jnz	short loc_589D62
		jmp	short loc_589D84
; 

loc_589D7F:				; CODE XREF: __wsplitpath_s+38j
		cmp	[ebp+arg_10], eax
		jz	short loc_589D62

loc_589D84:				; CODE XREF: __wsplitpath_s+3Fj
		cmp	[ebp+arg_14], eax
		jnz	short loc_589D90
		cmp	[ebp+arg_18], eax
		jnz	short loc_589D62
		jmp	short loc_589D95
; 

loc_589D90:				; CODE XREF: __wsplitpath_s+49j
		cmp	[ebp+arg_18], eax
		jz	short loc_589D62

loc_589D95:				; CODE XREF: __wsplitpath_s+50j
		cmp	[ebp+arg_1C], eax
		jnz	short loc_589DA1
		cmp	[ebp+arg_20], eax
		jnz	short loc_589D62
		jmp	short loc_589DA6
; 

loc_589DA1:				; CODE XREF: __wsplitpath_s+5Aj
		cmp	[ebp+arg_20], eax
		jz	short loc_589D62

loc_589DA6:				; CODE XREF: __wsplitpath_s+61j
		xor	eax, eax
		mov	esi, edi
		inc	eax
		xor	ecx, ecx

loc_589DAD:				; CODE XREF: __wsplitpath_s+7Aj
		cmp	[esi], cx
		jz	short loc_589DBA
		add	esi, 2
		sub	eax, 1
		jnz	short loc_589DAD

loc_589DBA:				; CODE XREF: __wsplitpath_s+72j
		cmp	word ptr [esi],	3Ah
		mov	ecx, [ebp+arg_4]
		jnz	short loc_589DE2
		test	ecx, ecx
		jz	short loc_589DDD
		cmp	edx, 3
		jb	loc_589F3C
		push	2
		push	edi
		push	edx
		push	ecx
		call	_wcsncpy_s
		add	esp, 10h

loc_589DDD:				; CODE XREF: __wsplitpath_s+87j
		lea	edi, [esi+2]
		jmp	short loc_589DEB
; 

loc_589DE2:				; CODE XREF: __wsplitpath_s+83j
		test	ecx, ecx
		jz	short loc_589DEB
		xor	eax, eax
		mov	[ecx], ax

loc_589DEB:				; CODE XREF: __wsplitpath_s+A2j
					; __wsplitpath_s+A6j
		xor	eax, eax
		mov	esi, edi
		mov	edx, eax
		mov	ebx, eax
		movzx	eax, word ptr [edi]
		test	ax, ax
		jz	short loc_589E55
		mov	ecx, eax

loc_589DFD:				; CODE XREF: __wsplitpath_s+E3j
		cmp	cx, 2Fh
		jz	short loc_589E13
		cmp	cx, 5Ch
		jz	short loc_589E13
		cmp	cx, 2Eh
		jnz	short loc_589E16
		mov	ebx, esi
		jmp	short loc_589E16
; 

loc_589E13:				; CODE XREF: __wsplitpath_s+C3j
					; __wsplitpath_s+C9j
		lea	edx, [esi+2]

loc_589E16:				; CODE XREF: __wsplitpath_s+CFj
					; __wsplitpath_s+D3j
		add	esi, 2
		movzx	eax, word ptr [esi]
		mov	ecx, eax
		test	ax, ax
		jnz	short loc_589DFD
		mov	[ebp+arg_0], edx
		test	edx, edx
		jz	short loc_589E55
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_589E51
		mov	eax, edx
		sub	eax, edi
		sar	eax, 1
		cmp	[ebp+arg_10], eax
		jbe	loc_589EE2
		push	eax
		push	edi
		push	[ebp+arg_10]
		push	ecx
		call	_wcsncpy_s
		mov	edx, [ebp+arg_0]
		add	esp, 10h

loc_589E51:				; CODE XREF: __wsplitpath_s+F1j
		mov	edi, edx
		jmp	short loc_589E61
; 

loc_589E55:				; CODE XREF: __wsplitpath_s+BBj
					; __wsplitpath_s+EAj
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_589E61
		xor	eax, eax
		mov	[ecx], ax

loc_589E61:				; CODE XREF: __wsplitpath_s+115j
					; __wsplitpath_s+11Cj
		test	ebx, ebx
		jz	short loc_589EA9
		cmp	ebx, edi
		jb	short loc_589EA9
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jz	short loc_589E89
		mov	eax, ebx
		sub	eax, edi
		sar	eax, 1
		cmp	[ebp+arg_18], eax
		jbe	short loc_589ED7
		push	eax
		push	edi
		push	[ebp+arg_18]
		push	ecx
		call	_wcsncpy_s
		add	esp, 10h

loc_589E89:				; CODE XREF: __wsplitpath_s+130j
		mov	eax, [ebp+arg_1C]
		test	eax, eax
		jz	short loc_589ED3
		sub	esi, ebx
		sar	esi, 1
		cmp	[ebp+arg_20], esi
		jbe	short loc_589EE5
		push	esi
		push	ebx
		push	[ebp+arg_20]
		push	eax
		call	_wcsncpy_s
		add	esp, 10h
		jmp	short loc_589ED3
; 

loc_589EA9:				; CODE XREF: __wsplitpath_s+125j
					; __wsplitpath_s+129j
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jz	short loc_589EC7
		sub	esi, edi
		sar	esi, 1
		cmp	[ebp+arg_18], esi
		jbe	short loc_589ED7
		push	esi
		push	edi
		push	[ebp+arg_18]
		push	ecx
		call	_wcsncpy_s
		add	esp, 10h

loc_589EC7:				; CODE XREF: __wsplitpath_s+170j
		mov	eax, [ebp+arg_1C]
		test	eax, eax
		jz	short loc_589ED3
		xor	ecx, ecx
		mov	[eax], cx

loc_589ED3:				; CODE XREF: __wsplitpath_s+150j
					; __wsplitpath_s+169j ...
		xor	eax, eax
		jmp	short loc_589F53
; 

loc_589ED7:				; CODE XREF: __wsplitpath_s+13Bj
					; __wsplitpath_s+179j
		mov	eax, [ebp+arg_1C]
		mov	ebx, [ebp+arg_C]
		mov	esi, [ebp+var_4]
		jmp	short loc_589EEE
; 

loc_589EE2:				; CODE XREF: __wsplitpath_s+FCj
		mov	eax, [ebp+arg_1C]

loc_589EE5:				; CODE XREF: __wsplitpath_s+159j
		mov	ebx, [ebp+arg_C]

loc_589EE8:				; CODE XREF: __wsplitpath_s+201j
		mov	esi, [ebp+var_4]

loc_589EEB:				; CODE XREF: __wsplitpath_s+2Aj
		mov	ecx, [ebp+arg_14]

loc_589EEE:				; CODE XREF: __wsplitpath_s+1A2j
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_589F03
		cmp	[ebp+arg_8], 0
		jbe	short loc_589F03
		xor	eax, eax
		mov	[edx], ax
		mov	eax, [ebp+arg_1C]

loc_589F03:				; CODE XREF: __wsplitpath_s+1B5j
					; __wsplitpath_s+1BBj
		test	ebx, ebx
		jz	short loc_589F12
		cmp	[ebp+arg_10], 0
		jbe	short loc_589F12
		xor	edx, edx
		mov	[ebx], dx

loc_589F12:				; CODE XREF: __wsplitpath_s+1C7j
					; __wsplitpath_s+1CDj
		test	ecx, ecx
		jz	short loc_589F21
		cmp	[ebp+arg_18], 0
		jbe	short loc_589F21
		xor	edx, edx
		mov	[ecx], dx

loc_589F21:				; CODE XREF: __wsplitpath_s+1D6j
					; __wsplitpath_s+1DCj
		test	eax, eax
		jz	short loc_589F30
		cmp	[ebp+arg_20], 0
		jbe	short loc_589F30
		xor	ecx, ecx
		mov	[eax], cx

loc_589F30:				; CODE XREF: __wsplitpath_s+1E5j
					; __wsplitpath_s+1EBj
		test	edi, edi
		jz	short loc_589F41
		test	esi, esi
		jnz	short loc_589F41
		push	22h
		jmp	short loc_589F52
; 

loc_589F3C:				; CODE XREF: __wsplitpath_s+8Cj
		mov	eax, [ebp+arg_1C]
		jmp	short loc_589EE8
; 

loc_589F41:				; CODE XREF: __wsplitpath_s+1F4j
					; __wsplitpath_s+1F8j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h

loc_589F52:				; CODE XREF: __wsplitpath_s+1FCj
		pop	eax

loc_589F53:				; CODE XREF: __wsplitpath_s+197j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
__wsplitpath_s	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2984. memcpy_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl memcpy_s(void *,size_t,void *,size_t)
		public _memcpy_s
_memcpy_s	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jnz	short loc_589F6F
		xor	eax, eax
		jmp	short loc_589FC8
; 

loc_589F6F:				; CODE XREF: _memcpy_s+Bj
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		push	edi
		test	eax, eax
		jz	short loc_589FB4
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	short loc_589F95
		cmp	[ebp+arg_4], esi
		jb	short loc_589F95
		push	esi		; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		jmp	short loc_589FC6
; 

loc_589F95:				; CODE XREF: _memcpy_s+21j
					; _memcpy_s+26j
		push	[ebp+arg_4]	; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	edi, edi
		jz	short loc_589FB4
		cmp	[ebp+arg_4], esi
		jnb	short loc_589FAF
		push	22h
		jmp	short loc_589FB6
; 

loc_589FAF:				; CODE XREF: _memcpy_s+4Bj
		push	16h
		pop	eax
		jmp	short loc_589FC6
; 

loc_589FB4:				; CODE XREF: _memcpy_s+1Aj
					; _memcpy_s+46j
		push	16h

loc_589FB6:				; CODE XREF: _memcpy_s+4Fj
		pop	esi
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, esi

loc_589FC6:				; CODE XREF: _memcpy_s+35j
					; _memcpy_s+54j
		pop	edi
		pop	ebx

loc_589FC8:				; CODE XREF: _memcpy_s+Fj
		pop	esi
		pop	ebp
		retn
_memcpy_s	endp

; 
		align 10h
; Exported entry 2986. memmove_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl memmove_s(void *,int,void	*,size_t)
		public _memmove_s
_memmove_s	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	short loc_589FDE
		pop	ebp
		retn
; 

loc_589FDE:				; CODE XREF: _memmove_s+Aj
		cmp	[ebp+arg_0], 0
		push	esi
		jz	short loc_58A007
		cmp	[ebp+arg_8], 0
		jz	short loc_58A007
		cmp	[ebp+arg_4], eax
		jnb	short loc_589FF4
		push	22h
		jmp	short loc_58A009
; 

loc_589FF4:				; CODE XREF: _memmove_s+1Ej
		push	eax		; size_t
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_0]	; void *
		call	_memmove
		add	esp, 0Ch
		xor	eax, eax
		jmp	short loc_58A01B
; 

loc_58A007:				; CODE XREF: _memmove_s+13j
					; _memmove_s+19j
		push	16h

loc_58A009:				; CODE XREF: _memmove_s+22j
		xor	eax, eax
		pop	esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, esi

loc_58A01B:				; CODE XREF: _memmove_s+35j
		pop	esi
		pop	ebp
		retn
_memmove_s	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2993. sprintf_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _sprintf_s
_sprintf_s	proc near		; CODE XREF: RtlEthernetAddressToStringA(x,x)+2Fp
					; RtlIpv4AddressToStringA(x,x)+25p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		lea	eax, [ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_vsprintf_s
		add	esp, 10h
		pop	ebp
		retn
_sprintf_s	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 3023. vsprintf_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _vsprintf_s
_vsprintf_s	proc near		; CODE XREF: _sprintf_s+12p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		test	esi, esi
		jz	short loc_58A07D
		cmp	[ebp+arg_4], ebx
		jbe	short loc_58A07D
		cmp	[ebp+arg_8], ebx
		jz	short loc_58A07D
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	__soutput_s
		add	esp, 10h
		test	eax, eax
		jns	short loc_58A08D
		mov	[esi], bl
		cmp	eax, 0FFFFFFFEh
		jnz	short loc_58A08A

loc_58A07D:				; CODE XREF: _vsprintf_s+Ej
					; _vsprintf_s+13j ...
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h

loc_58A08A:				; CODE XREF: _vsprintf_s+35j
		or	eax, 0FFFFFFFFh

loc_58A08D:				; CODE XREF: _vsprintf_s+2Ej
		pop	esi
		pop	ebx
		pop	ebp
		retn
_vsprintf_s	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2995. sscanf_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _sscanf_s
_sscanf_s	proc near		; CODE XREF: RtlIncrementCorrelationVector(x)+4Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		jnz	short loc_58A0B5
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
; 

loc_58A0B5:				; CODE XREF: _sscanf_s+9j
		mov	ecx, [ebp+arg_0]
		lea	edx, [ecx+1]

loc_58A0BB:				; CODE XREF: _sscanf_s+2Aj
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_58A0BB
		lea	eax, [ebp+arg_8]
		sub	ecx, edx
		push	eax
		push	[ebp+arg_4]
		push	ecx
		push	[ebp+arg_0]
		call	__sinput_s
		add	esp, 10h
		pop	ebp
		retn
_sscanf_s	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2997. strcat_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _strcat_s
_strcat_s	proc near		; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+FEp
					; ExpSystemErrorHandler(x,x,x,x,x)+17Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_58A140
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_58A140
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_58A128
		mov	edx, edi

loc_58A0FC:				; CODE XREF: _strcat_s+27j
		cmp	byte ptr [edx],	0
		jz	short loc_58A107
		inc	edx
		sub	ecx, 1
		jnz	short loc_58A0FC

loc_58A107:				; CODE XREF: _strcat_s+21j
		test	ecx, ecx
		jz	short loc_58A128
		sub	edx, esi

loc_58A10D:				; CODE XREF: _strcat_s+3Cj
		mov	al, [esi]
		mov	[edx+esi], al
		inc	esi
		test	al, al
		jz	short loc_58A11C
		sub	ecx, 1
		jnz	short loc_58A10D

loc_58A11C:				; CODE XREF: _strcat_s+37j
		test	ecx, ecx
		jnz	short loc_58A124
		push	22h
		jmp	short loc_58A12A
; 

loc_58A124:				; CODE XREF: _strcat_s+40j
		xor	eax, eax
		jmp	short loc_58A152
; 

loc_58A128:				; CODE XREF: _strcat_s+1Aj
					; _strcat_s+2Bj
		push	16h

loc_58A12A:				; CODE XREF: _strcat_s+44j
		xor	ecx, ecx
		pop	esi
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		mov	[edi], cl
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, esi
		jmp	short loc_58A152
; 

loc_58A140:				; CODE XREF: _strcat_s+Cj
					; _strcat_s+13j
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h
		pop	eax

loc_58A152:				; CODE XREF: _strcat_s+48j
					; _strcat_s+60j
		pop	edi
		pop	esi
		pop	ebp
		retn
_strcat_s	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 3001. strcpy_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _strcpy_s
_strcpy_s	proc near		; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+306p
					; BiConvertBootEnvironmentDeviceToNt+A2A00p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	short loc_58A1AF
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_58A1AF
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	short loc_58A17C
		push	16h
		jmp	short loc_58A195
; 

loc_58A17C:				; CODE XREF: _strcpy_s+1Aj
		mov	edi, esi
		sub	edi, ecx

loc_58A180:				; CODE XREF: _strcpy_s+31j
		mov	al, [ecx]
		mov	[edi+ecx], al
		inc	ecx
		test	al, al
		jz	short loc_58A18F
		sub	edx, 1
		jnz	short loc_58A180

loc_58A18F:				; CODE XREF: _strcpy_s+2Cj
		test	edx, edx
		jnz	short loc_58A1AB
		push	22h

loc_58A195:				; CODE XREF: _strcpy_s+1Ej
		xor	ecx, ecx
		pop	edi
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		mov	[esi], cl
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, edi
		jmp	short loc_58A1C1
; 

loc_58A1AB:				; CODE XREF: _strcpy_s+35j
		xor	eax, eax
		jmp	short loc_58A1C1
; 

loc_58A1AF:				; CODE XREF: _strcpy_s+Cj
					; _strcpy_s+13j
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h
		pop	eax

loc_58A1C1:				; CODE XREF: _strcpy_s+4Dj
					; _strcpy_s+51j
		pop	edi
		pop	esi
		pop	ebp
		retn
_strcpy_s	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 3004. strncat_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _strncat_s
_strncat_s	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	edi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_58A1F0
		test	edi, edi
		jnz	short loc_58A1F8
		cmp	[ebp+arg_4], edi
		jnz	loc_58A298

loc_58A1E9:				; CODE XREF: _strncat_s+A2j
		xor	eax, eax
		jmp	loc_58A2AA
; 

loc_58A1F0:				; CODE XREF: _strncat_s+10j
		test	edi, edi
		jz	loc_58A298

loc_58A1F8:				; CODE XREF: _strncat_s+14j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_58A298
		mov	ebx, [ebp+arg_8]
		xor	ecx, ecx
		test	esi, esi
		jz	short loc_58A210
		test	ebx, ebx
		jz	short loc_58A223

loc_58A210:				; CODE XREF: _strncat_s+40j
		mov	edx, edi

loc_58A212:				; CODE XREF: _strncat_s+50j
		cmp	[edx], cl
		jz	short loc_58A21C
		inc	edx
		sub	eax, 1
		jnz	short loc_58A212

loc_58A21C:				; CODE XREF: _strncat_s+4Aj
		mov	[ebp+arg_C], eax
		test	eax, eax
		jnz	short loc_58A227

loc_58A223:				; CODE XREF: _strncat_s+44j
		push	16h
		jmp	short loc_58A284
; 

loc_58A227:				; CODE XREF: _strncat_s+57j
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_58A240
		sub	edx, ebx

loc_58A22E:				; CODE XREF: _strncat_s+72j
		mov	al, [ebx]
		mov	[edx+ebx], al
		inc	ebx
		test	al, al
		jz	short loc_58A269
		sub	[ebp+arg_C], 1
		jnz	short loc_58A22E
		jmp	short loc_58A269
; 

loc_58A240:				; CODE XREF: _strncat_s+60j
		test	esi, esi
		jz	short loc_58A267
		mov	edi, [ebp+arg_C]
		sub	ebx, edx

loc_58A249:				; CODE XREF: _strncat_s+91j
		mov	al, [ebx+edx]
		mov	[edx], al
		inc	edx
		test	al, al
		jz	short loc_58A25D
		sub	edi, 1
		jz	short loc_58A25D
		sub	esi, 1
		jnz	short loc_58A249

loc_58A25D:				; CODE XREF: _strncat_s+87j
					; _strncat_s+8Cj
		mov	[ebp+arg_C], edi
		mov	edi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_58A269

loc_58A267:				; CODE XREF: _strncat_s+78j
		mov	[edx], cl

loc_58A269:				; CODE XREF: _strncat_s+6Cj
					; _strncat_s+74j ...
		cmp	[ebp+arg_C], ecx
		jnz	loc_58A1E9
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_58A282
		mov	eax, [ebp+arg_4]
		push	50h
		mov	[edi+eax-1], cl
		jmp	short loc_58A2A9
; 

loc_58A282:				; CODE XREF: _strncat_s+ABj
		push	22h

loc_58A284:				; CODE XREF: _strncat_s+5Bj
		pop	esi
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		mov	[edi], cl
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, esi
		jmp	short loc_58A2AA
; 

loc_58A298:				; CODE XREF: _strncat_s+19j
					; _strncat_s+28j ...
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h

loc_58A2A9:				; CODE XREF: _strncat_s+B6j
		pop	eax

loc_58A2AA:				; CODE XREF: _strncat_s+21j
					; _strncat_s+CCj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_strncat_s	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 3007. strncpy_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _strncpy_s
_strncpy_s	proc near		; CODE XREF: __splitpath_s+8Ep
					; __splitpath_s+ECp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		test	esi, esi
		jnz	short loc_58A2E7
		test	edx, edx
		jnz	short loc_58A2EB
		cmp	[ebp+arg_4], edx
		jz	short loc_58A2F9

loc_58A2D0:				; CODE XREF: _strncpy_s+35j
					; _strncpy_s+3Cj
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h

loc_58A2E1:				; CODE XREF: _strncpy_s+B6j
		pop	eax

loc_58A2E2:				; CODE XREF: _strncpy_s+47j
					; _strncpy_s+CFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_58A2E7:				; CODE XREF: _strncpy_s+11j
		test	edx, edx
		jz	short loc_58A2D0

loc_58A2EB:				; CODE XREF: _strncpy_s+15j
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_58A2D0
		test	esi, esi
		jnz	short loc_58A2FD
		mov	byte ptr [edx],	0

loc_58A2F9:				; CODE XREF: _strncpy_s+1Aj
					; _strncpy_s+A6j
		xor	eax, eax
		jmp	short loc_58A2E2
; 

loc_58A2FD:				; CODE XREF: _strncpy_s+40j
		mov	edi, [ebp+arg_8]
		xor	ecx, ecx
		test	edi, edi
		jnz	short loc_58A30A
		push	16h
		jmp	short loc_58A371
; 

loc_58A30A:				; CODE XREF: _strncpy_s+50j
		mov	[ebp+var_4], edx
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_58A330
		mov	eax, edx
		sub	eax, edi
		mov	[ebp+var_4], eax

loc_58A319:				; CODE XREF: _strncpy_s+78j
		mov	esi, [ebp+var_4]
		mov	al, [edi]
		mov	[esi+edi], al
		inc	edi
		mov	esi, [ebp+arg_C]
		test	al, al
		jz	short loc_58A358
		sub	ebx, 1
		jnz	short loc_58A319
		jmp	short loc_58A358
; 

loc_58A330:				; CODE XREF: _strncpy_s+5Cj
		sub	edi, edx
		mov	edx, [ebp+var_4]

loc_58A335:				; CODE XREF: _strncpy_s+93j
		mov	al, [edi+edx]
		mov	[edx], al
		inc	edx
		test	al, al
		jz	short loc_58A349
		sub	ebx, 1
		jz	short loc_58A349
		sub	esi, 1
		jnz	short loc_58A335

loc_58A349:				; CODE XREF: _strncpy_s+89j
					; _strncpy_s+8Ej
		mov	[ebp+var_4], edx
		mov	edx, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_58A358
		mov	eax, [ebp+var_4]
		mov	[eax], cl

loc_58A358:				; CODE XREF: _strncpy_s+73j
					; _strncpy_s+7Aj ...
		test	ebx, ebx
		jnz	short loc_58A2F9
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_58A36F
		mov	eax, [ebp+arg_4]
		push	50h
		mov	[edx+eax-1], cl
		jmp	loc_58A2E1
; 

loc_58A36F:				; CODE XREF: _strncpy_s+ABj
		push	22h

loc_58A371:				; CODE XREF: _strncpy_s+54j
		pop	esi
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		mov	[edx], cl
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, esi
		jmp	loc_58A2E2
_strncpy_s	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; 
; Exported entry 3012. strtok_s

		public _strtok_s
_strtok_s:
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		mov	eax, [ebp+0Ch]
		xor	ecx, ecx
		push	esi
		mov	esi, [ebp+8]
		push	edi
		mov	edi, [ebp+10h]
		mov	[ebp-28h], eax
		mov	[ebp-2Ch], edi
		test	edi, edi
		jz	loc_58A488
		test	eax, eax
		jz	loc_58A488
		test	esi, esi
		jnz	short loc_58A3CF
		cmp	[edi], ecx
		jz	loc_58A488

loc_58A3CF:				; CODE XREF: .text:0058A3C5j
		mov	eax, ecx
		cmp	eax, 20h

loc_58A3D4:				; CODE XREF: .text:0058A3E2j
		jnb	loc_58A4A5
		mov	[ebp+eax-24h], cl
		inc	eax
		cmp	eax, 20h
		jl	short loc_58A3D4
		mov	edi, [ebp-28h]
		push	ebx

loc_58A3E8:				; CODE XREF: .text:0058A404j
		mov	bl, [edi]
		movzx	edx, bl
		mov	ecx, edx
		and	edx, 7
		shr	ecx, 3
		movzx	eax, byte ptr [ebp+ecx-24h]
		bts	eax, edx
		inc	edi
		mov	[ebp+ecx-24h], al
		test	bl, bl
		jnz	short loc_58A3E8
		mov	edi, [ebp-2Ch]
		test	esi, esi
		jnz	short loc_58A40F
		mov	esi, [edi]

loc_58A40F:				; CODE XREF: .text:0058A40Bj
		mov	bl, [esi]
		xor	eax, eax
		movzx	edx, bl
		inc	eax
		mov	ecx, edx
		shr	edx, 3
		and	ecx, 7
		shl	eax, cl
		test	[ebp+edx-24h], al
		jz	short loc_58A44A
		mov	bh, bl

loc_58A429:				; CODE XREF: .text:0058A448j
		mov	bl, bh
		test	bh, bh
		jz	short loc_58A44A
		inc	esi
		xor	eax, eax
		inc	eax
		mov	bl, [esi]
		movzx	edx, bl
		mov	bh, bl
		mov	ecx, edx
		shr	edx, 3
		and	ecx, 7
		shl	eax, cl
		test	[ebp+edx-24h], al
		jnz	short loc_58A429

loc_58A44A:				; CODE XREF: .text:0058A425j
					; .text:0058A42Dj
		mov	ecx, esi
		mov	[ebp-28h], ecx
		test	bl, bl
		jz	short loc_58A479

loc_58A453:				; CODE XREF: .text:0058A46Ej
		movzx	edx, bl
		xor	eax, eax
		mov	ecx, edx
		inc	eax
		and	ecx, 7
		shr	edx, 3
		shl	eax, cl
		test	[ebp+edx-24h], al
		jnz	short loc_58A472
		inc	esi
		mov	bl, [esi]
		test	bl, bl
		jnz	short loc_58A453
		jmp	short loc_58A476
; 

loc_58A472:				; CODE XREF: .text:0058A467j
		mov	byte ptr [esi],	0
		inc	esi

loc_58A476:				; CODE XREF: .text:0058A470j
		mov	ecx, [ebp-28h]

loc_58A479:				; CODE XREF: .text:0058A451j
		mov	eax, ecx
		mov	[edi], esi
		sub	eax, esi
		neg	eax
		pop	ebx
		sbb	eax, eax
		and	eax, ecx
		jmp	short loc_58A497
; 

loc_58A488:				; CODE XREF: .text:0058A3B5j
					; .text:0058A3BDj ...
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		xor	eax, eax

loc_58A497:				; CODE XREF: .text:0058A486j
		mov	ecx, [ebp-4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_58A4A5:				; CODE XREF: .text:loc_58A3D4j
		call	___report_rangecheckfailure
; 
		dw 0CCCCh
		align 10h
; Exported entry 3015. swscanf_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _swscanf_s
_swscanf_s	proc near		; CODE XREF: ExProcessorCounterSetCallback+106p
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+22Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		cmp	[ebp+arg_4], ecx
		jnz	short loc_58A4CE
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
; 

loc_58A4CE:				; CODE XREF: _swscanf_s+Aj
		mov	edx, [ebp+arg_0]
		push	esi
		lea	esi, [edx+2]

loc_58A4D5:				; CODE XREF: _swscanf_s+2Ej
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, cx
		jnz	short loc_58A4D5
		lea	eax, [ebp+arg_8]
		sub	edx, esi
		push	eax
		push	[ebp+arg_4]
		sar	edx, 1
		push	edx
		push	[ebp+arg_0]
		call	__swinput_s
		add	esp, 10h
		pop	esi
		pop	ebp
		retn
_swscanf_s	endp

; 
		align 10h
; Exported entry 3026. wcscat_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _wcscat_s
_wcscat_s	proc near		; CODE XREF: BcdGetSystemStorePath+B6p
					; NtLockProductActivationKeys+227p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		test	ebx, ebx
		jz	short loc_58A56D
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_58A56D
		mov	esi, [ebp+arg_8]
		xor	ecx, ecx
		test	esi, esi
		jz	short loc_58A554
		mov	edi, ebx

loc_58A521:				; CODE XREF: _wcscat_s+2Cj
		cmp	[edi], cx
		jz	short loc_58A52E
		add	edi, 2
		sub	edx, 1
		jnz	short loc_58A521

loc_58A52E:				; CODE XREF: _wcscat_s+24j
		test	edx, edx
		jz	short loc_58A554
		sub	edi, esi

loc_58A534:				; CODE XREF: _wcscat_s+46j
		movzx	eax, word ptr [esi]
		mov	[edi+esi], ax
		lea	esi, [esi+2]
		test	ax, ax
		jz	short loc_58A548
		sub	edx, 1
		jnz	short loc_58A534

loc_58A548:				; CODE XREF: _wcscat_s+41j
		test	edx, edx
		jnz	short loc_58A550
		push	22h
		jmp	short loc_58A556
; 

loc_58A550:				; CODE XREF: _wcscat_s+4Aj
		xor	eax, eax
		jmp	short loc_58A57F
; 

loc_58A554:				; CODE XREF: _wcscat_s+1Dj
					; _wcscat_s+30j
		push	16h

loc_58A556:				; CODE XREF: _wcscat_s+4Ej
		pop	esi
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		xor	eax, eax
		push	ecx
		mov	[ebx], ax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, esi
		jmp	short loc_58A57F
; 

loc_58A56D:				; CODE XREF: _wcscat_s+Dj
					; _wcscat_s+14j
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h
		pop	eax

loc_58A57F:				; CODE XREF: _wcscat_s+52j
					; _wcscat_s+6Bj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_wcscat_s	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 3030. wcscpy_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _wcscpy_s
_wcscpy_s	proc near		; CODE XREF: LocalConvertSDToStringSD_Rev1+25Bp
					; LocalGetStringForControl+A2p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	short loc_58A5E5
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_58A5E5
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	short loc_58A5AA
		push	16h
		jmp	short loc_58A5C8
; 

loc_58A5AA:				; CODE XREF: _wcscpy_s+1Aj
		mov	edi, esi
		sub	edi, ecx

loc_58A5AE:				; CODE XREF: _wcscpy_s+36j
		movzx	eax, word ptr [ecx]
		mov	[edi+ecx], ax
		lea	ecx, [ecx+2]
		test	ax, ax
		jz	short loc_58A5C2
		sub	edx, 1
		jnz	short loc_58A5AE

loc_58A5C2:				; CODE XREF: _wcscpy_s+31j
		test	edx, edx
		jnz	short loc_58A5E1
		push	22h

loc_58A5C8:				; CODE XREF: _wcscpy_s+1Ej
		xor	ecx, ecx
		xor	eax, eax
		pop	edi
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		mov	[esi], ax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, edi
		jmp	short loc_58A5F7
; 

loc_58A5E1:				; CODE XREF: _wcscpy_s+3Aj
		xor	eax, eax
		jmp	short loc_58A5F7
; 

loc_58A5E5:				; CODE XREF: _wcscpy_s+Cj
					; _wcscpy_s+13j
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h
		pop	eax

loc_58A5F7:				; CODE XREF: _wcscpy_s+55j
					; _wcscpy_s+59j
		pop	edi
		pop	esi
		pop	ebp
		retn
_wcscpy_s	endp

; 
		align 10h
; Exported entry 3034. wcsncat_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _wcsncat_s
_wcsncat_s	proc near		; CODE XREF: NtLockProductActivationKeys+215p
					; PnprGetPluginDriverImagePath(x)+189p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_58A626
		test	edi, edi
		jnz	short loc_58A62E
		cmp	[ebp+arg_4], edi
		jnz	loc_58A6E4

loc_58A61F:				; CODE XREF: _wcsncat_s+B2j
		xor	eax, eax
		jmp	loc_58A6F6
; 

loc_58A626:				; CODE XREF: _wcsncat_s+10j
		test	edi, edi
		jz	loc_58A6E4

loc_58A62E:				; CODE XREF: _wcsncat_s+14j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_58A6E4
		mov	ebx, [ebp+arg_8]
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_58A646
		test	ebx, ebx
		jz	short loc_58A65C

loc_58A646:				; CODE XREF: _wcsncat_s+40j
		mov	esi, edi

loc_58A648:				; CODE XREF: _wcsncat_s+53j
		cmp	[esi], cx
		jz	short loc_58A655
		add	esi, 2
		sub	eax, 1
		jnz	short loc_58A648

loc_58A655:				; CODE XREF: _wcsncat_s+4Bj
		mov	[ebp+arg_C], eax
		test	eax, eax
		jnz	short loc_58A660

loc_58A65C:				; CODE XREF: _wcsncat_s+44j
		push	16h
		jmp	short loc_58A6CD
; 

loc_58A660:				; CODE XREF: _wcsncat_s+5Aj
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_58A67E
		sub	esi, ebx

loc_58A667:				; CODE XREF: _wcsncat_s+7Aj
		movzx	eax, word ptr [ebx]
		mov	[esi+ebx], ax
		lea	ebx, [ebx+2]
		test	ax, ax
		jz	short loc_58A6AF
		sub	[ebp+arg_C], 1
		jnz	short loc_58A667
		jmp	short loc_58A6AF
; 

loc_58A67E:				; CODE XREF: _wcsncat_s+63j
		test	edx, edx
		jz	short loc_58A6AA
		mov	edi, [ebp+arg_C]
		sub	ebx, esi

loc_58A687:				; CODE XREF: _wcsncat_s+9Ej
		movzx	eax, word ptr [ebx+esi]
		mov	[esi], ax
		add	esi, 2
		test	ax, ax
		jz	short loc_58A6A0
		sub	edi, 1
		jz	short loc_58A6A0
		sub	edx, 1
		jnz	short loc_58A687

loc_58A6A0:				; CODE XREF: _wcsncat_s+94j
					; _wcsncat_s+99j
		mov	[ebp+arg_C], edi
		mov	edi, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_58A6AF

loc_58A6AA:				; CODE XREF: _wcsncat_s+80j
		xor	eax, eax
		mov	[esi], ax

loc_58A6AF:				; CODE XREF: _wcsncat_s+74j
					; _wcsncat_s+7Cj ...
		cmp	[ebp+arg_C], ecx
		jnz	loc_58A61F
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_58A6CB
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	50h
		mov	[edi+eax*2-2], cx
		jmp	short loc_58A6F5
; 

loc_58A6CB:				; CODE XREF: _wcsncat_s+BBj
		push	22h

loc_58A6CD:				; CODE XREF: _wcsncat_s+5Ej
		pop	esi
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		xor	eax, eax
		push	ecx
		mov	[edi], ax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, esi
		jmp	short loc_58A6F6
; 

loc_58A6E4:				; CODE XREF: _wcsncat_s+19j
					; _wcsncat_s+28j ...
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h

loc_58A6F5:				; CODE XREF: _wcsncat_s+C9j
		pop	eax

loc_58A6F6:				; CODE XREF: _wcsncat_s+21j
					; _wcsncat_s+E2j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_wcsncat_s	endp

; 
		align 10h
; Exported entry 3037. wcsncpy_s

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _wcsncpy_s
_wcsncpy_s	proc near		; CODE XREF: __wsplitpath_s+97p
					; __wsplitpath_s+108p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	esi
		test	edx, edx
		jnz	short loc_58A72E
		test	ecx, ecx
		jnz	short loc_58A732
		cmp	[ebp+arg_4], ecx
		jz	short loc_58A742

loc_58A719:				; CODE XREF: _wcsncpy_s+30j
					; _wcsncpy_s+37j
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h

loc_58A72A:				; CODE XREF: _wcsncpy_s+AFj
		pop	eax

loc_58A72B:				; CODE XREF: _wcsncpy_s+44j
					; _wcsncpy_s+CDj
		pop	esi
		pop	ebp
		retn
; 

loc_58A72E:				; CODE XREF: _wcsncpy_s+Ej
		test	ecx, ecx
		jz	short loc_58A719

loc_58A732:				; CODE XREF: _wcsncpy_s+12j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_58A719
		test	edx, edx
		jnz	short loc_58A746
		xor	eax, eax
		mov	[ecx], ax

loc_58A742:				; CODE XREF: _wcsncpy_s+17j
					; _wcsncpy_s+9Cj
		xor	eax, eax
		jmp	short loc_58A72B
; 

loc_58A746:				; CODE XREF: _wcsncpy_s+3Bj
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jnz	short loc_58A751
		push	16h
		jmp	short loc_58A7B6
; 

loc_58A751:				; CODE XREF: _wcsncpy_s+4Bj
		push	ebx
		mov	ebx, ecx
		push	edi
		mov	edi, eax
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_58A774
		sub	ebx, esi

loc_58A75E:				; CODE XREF: _wcsncpy_s+70j
		movzx	eax, word ptr [esi]
		mov	[ebx+esi], ax
		lea	esi, [esi+2]
		test	ax, ax
		jz	short loc_58A798
		sub	edi, 1
		jnz	short loc_58A75E
		jmp	short loc_58A798
; 

loc_58A774:				; CODE XREF: _wcsncpy_s+5Aj
		sub	esi, ecx

loc_58A776:				; CODE XREF: _wcsncpy_s+8Dj
		movzx	eax, word ptr [esi+ebx]
		mov	[ebx], ax
		lea	ebx, [ebx+2]
		test	ax, ax
		jz	short loc_58A78F
		sub	edi, 1
		jz	short loc_58A78F
		sub	edx, 1
		jnz	short loc_58A776

loc_58A78F:				; CODE XREF: _wcsncpy_s+83j
					; _wcsncpy_s+88j
		test	edx, edx
		jnz	short loc_58A798
		xor	eax, eax
		mov	[ebx], ax

loc_58A798:				; CODE XREF: _wcsncpy_s+6Bj
					; _wcsncpy_s+72j ...
		test	edi, edi
		pop	edi
		pop	ebx
		jnz	short loc_58A742
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_58A7B4
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		push	50h
		mov	[ecx+eax*2-2], dx
		jmp	loc_58A72A
; 

loc_58A7B4:				; CODE XREF: _wcsncpy_s+A1j
		push	22h

loc_58A7B6:				; CODE XREF: _wcsncpy_s+4Fj
		pop	esi
		xor	eax, eax
		mov	[ecx], ax
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, esi
		jmp	loc_58A72B
_wcsncpy_s	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_wcstok_s	proc near		; CODE XREF: GetOperatorIndexByName(x)+95p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		test	esi, esi
		jz	loc_58A8C9
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_58A8C9
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_58A809
		cmp	[esi], eax
		jz	loc_58A8C9
		test	ecx, ecx
		jnz	short loc_58A809
		mov	ecx, [esi]

loc_58A809:				; CODE XREF: _wcstok_s+27j
					; _wcstok_s+33j
		movzx	edx, word ptr [ecx]
		push	ebx
		test	dx, dx
		jz	short loc_58A858
		movzx	eax, word ptr [edi]
		mov	[ebp+var_8], eax

loc_58A818:				; CODE XREF: _wcstok_s+7Fj
		mov	[ebp+var_4], edi
		movzx	ebx, ax
		test	ax, ax
		jz	short loc_58A843
		movzx	esi, ax

loc_58A826:				; CODE XREF: _wcstok_s+69j
		movzx	ebx, si
		cmp	si, dx
		jz	short loc_58A83D
		add	edi, 2
		movzx	eax, word ptr [edi]
		mov	esi, eax
		mov	ebx, eax
		test	ax, ax
		jnz	short loc_58A826

loc_58A83D:				; CODE XREF: _wcstok_s+5Aj
		mov	edi, [ebp+arg_4]
		mov	eax, [ebp+var_8]

loc_58A843:				; CODE XREF: _wcstok_s+4Fj
		test	bx, bx
		jz	short loc_58A853
		add	ecx, 2
		movzx	edx, word ptr [ecx]
		test	dx, dx
		jnz	short loc_58A818

loc_58A853:				; CODE XREF: _wcstok_s+74j
		mov	esi, [ebp+arg_8]
		xor	eax, eax

loc_58A858:				; CODE XREF: _wcstok_s+3Ej
		mov	edx, ecx
		mov	[ebp+var_4], edx
		cmp	[ecx], ax
		jz	short loc_58A8BA
		movzx	ebx, word ptr [edi]
		mov	[ebp+var_10], ebx

loc_58A868:				; CODE XREF: _wcstok_s+D9j
		mov	[ebp+var_8], edi
		movzx	edx, bx
		test	bx, bx
		jz	short loc_58A89E
		movzx	eax, word ptr [ecx]
		movzx	esi, bx
		mov	ebx, eax
		mov	[ebp+var_C], eax

loc_58A87E:				; CODE XREF: _wcstok_s+C1j
		movzx	edx, si
		cmp	si, bx
		jz	short loc_58A895
		add	edi, 2
		movzx	eax, word ptr [edi]
		mov	esi, eax
		mov	edx, eax
		test	ax, ax
		jnz	short loc_58A87E

loc_58A895:				; CODE XREF: _wcstok_s+B2j
		mov	esi, [ebp+arg_8]
		mov	edi, [ebp+arg_4]
		mov	ebx, [ebp+var_10]

loc_58A89E:				; CODE XREF: _wcstok_s+9Fj
		test	dx, dx
		jnz	short loc_58A8AF
		add	ecx, 2
		xor	eax, eax
		cmp	[ecx], ax
		jnz	short loc_58A868
		jmp	short loc_58A8B7
; 

loc_58A8AF:				; CODE XREF: _wcstok_s+CFj
		xor	edx, edx
		mov	[ecx], dx
		add	ecx, 2

loc_58A8B7:				; CODE XREF: _wcstok_s+DBj
		mov	edx, [ebp+var_4]

loc_58A8BA:				; CODE XREF: _wcstok_s+8Ej
		mov	eax, edx
		mov	[esi], ecx
		sub	eax, ecx
		neg	eax
		pop	ebx
		sbb	eax, eax
		and	eax, edx
		jmp	short loc_58A8D8
; 

loc_58A8C9:				; CODE XREF: _wcstok_s+11j
					; _wcstok_s+1Cj ...
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		xor	eax, eax

loc_58A8D8:				; CODE XREF: _wcstok_s+F5j
		pop	edi
		pop	esi
		leave
		retn
_wcstok_s	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__output_s	proc near		; CODE XREF: __soutput_s+53p

var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_D		= dword	ptr -0Dh
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 258h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_214], eax
		xor	eax, eax
		push	200h		; size_t
		mov	ebx, eax
		mov	[ebp+var_244], eax
		push	eax		; int
		mov	[ebp+var_230], eax
		mov	esi, eax
		mov	[ebp+var_21C], eax
		mov	[ebp+var_228], eax
		mov	[ebp+var_248], eax
		lea	eax, [ebp+var_20C]
		push	eax		; void *
		mov	[ebp+var_22C], edi
		mov	[ebp+var_210], ebx
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		mov	[ebp+var_234], eax
		test	edi, edi
		jz	loc_58B19C
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	loc_58B19C
		mov	dl, [edx]
		mov	edi, eax
		mov	[ebp+var_224], eax
		mov	[ebp+var_218], edi
		mov	[ebp+var_238], eax
		mov	byte ptr [ebp+var_24C],	dl
		test	dl, dl
		jz	loc_58B194
		mov	ecx, [ebp+arg_4]

loc_58A987:				; CODE XREF: __output_s+8A3j
		inc	ecx
		cmp	[ebp+var_224], 0
		mov	[ebp+arg_4], ecx
		jl	loc_58B185
		lea	eax, [edx-20h]
		movsx	ecx, dl
		cmp	al, 5Ah
		ja	short loc_58A9AE
		movzx	eax, byte ptr ds:__d_inf[ecx]
		and	eax, 0Fh
		jmp	short loc_58A9B0
; 

loc_58A9AE:				; CODE XREF: __output_s+C4j
		xor	eax, eax

loc_58A9B0:				; CODE XREF: __output_s+D0j
		mov	ebx, [ebp+var_238]
		imul	eax, 9
		movzx	ebx, ds:___lookuptable_s[eax+ebx]
		mov	eax, ebx
		mov	[ebp+var_238], ebx
		mov	ebx, [ebp+var_210]
		shr	eax, 4
		mov	[ebp+var_238], eax
		cmp	eax, 8
		jz	loc_58B19C
		cmp	eax, 7		; switch 8 cases
		ja	loc_58B172	; default
		jmp	ds:off_58B1C0[eax*4] ; switch jump

loc_58A9F1:				; DATA XREF: .text:off_58B1C0o
		xor	eax, eax	; case 0x1
		or	[ebp+var_21C], 0FFFFFFFFh
		mov	ebx, eax
		mov	[ebp+var_248], eax
		mov	[ebp+var_230], eax
		mov	[ebp+var_228], eax
		mov	[ebp+var_210], ebx
		mov	[ebp+var_234], eax
		jmp	loc_58B172	; default
; 

loc_58AA1F:				; CODE XREF: __output_s+10Ej
					; DATA XREF: .text:off_58B1C0o
		sub	ecx, 20h	; case 0x2
		jz	short loc_58AA69
		sub	ecx, 3
		jz	short loc_58AA61
		sub	ecx, 8
		jz	short loc_58AA5C
		dec	ecx
		sub	ecx, 1
		jz	short loc_58AA4E
		sub	ecx, 3
		mov	ecx, [ebp+arg_4]
		jnz	loc_58B175
		or	ebx, 8

loc_58AA43:				; CODE XREF: __output_s+2C8j
					; __output_s+2D8j
		mov	[ebp+var_210], ebx
		jmp	loc_58B175
; 

loc_58AA4E:				; CODE XREF: __output_s+156j
		or	ebx, 4

loc_58AA51:				; CODE XREF: __output_s+183j
					; __output_s+18Bj ...
		mov	[ebp+var_210], ebx
		jmp	loc_58B172	; default
; 

loc_58AA5C:				; CODE XREF: __output_s+150j
		or	ebx, 1
		jmp	short loc_58AA51
; 

loc_58AA61:				; CODE XREF: __output_s+14Bj
		or	ebx, 80h
		jmp	short loc_58AA51
; 

loc_58AA69:				; CODE XREF: __output_s+146j
		or	ebx, 2
		jmp	short loc_58AA51
; 

loc_58AA6E:				; CODE XREF: __output_s+10Ej
					; DATA XREF: .text:off_58B1C0o
		cmp	dl, 2Ah		; case 0x3
		jnz	short loc_58AAAC
		mov	ecx, [ebp+var_214]
		add	ecx, 4
		mov	[ebp+var_214], ecx
		mov	eax, [ecx-4]
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_230], eax
		test	eax, eax
		jns	loc_58B175
		or	ebx, 4
		neg	eax
		mov	[ebp+var_210], ebx
		mov	[ebp+var_230], eax
		jmp	loc_58B175
; 

loc_58AAAC:				; CODE XREF: __output_s+195j
		imul	eax, [ebp+var_230], arg_0+2
		add	eax, 0FFFFFFD0h
		add	eax, ecx
		mov	[ebp+var_230], eax
		jmp	loc_58B172	; default
; 

loc_58AAC3:				; CODE XREF: __output_s+10Ej
					; DATA XREF: .text:off_58B1C0o
		xor	eax, eax	; case 0x4

loc_58AAC5:				; CODE XREF: __output_s+234j
		mov	[ebp+var_21C], eax
		jmp	loc_58B172	; default
; 

loc_58AAD0:				; CODE XREF: __output_s+10Ej
					; DATA XREF: .text:off_58B1C0o
		cmp	dl, 2Ah		; case 0x5
		jnz	short loc_58AB04
		mov	ecx, [ebp+var_214]
		add	ecx, 4
		mov	[ebp+var_214], ecx
		mov	eax, [ecx-4]
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_21C], eax
		test	eax, eax
		jns	loc_58B175
		or	[ebp+var_21C], 0FFFFFFFFh
		jmp	loc_58B175
; 

loc_58AB04:				; CODE XREF: __output_s+1F7j
		imul	eax, [ebp+var_21C], arg_0+2
		add	eax, 0FFFFFFD0h
		add	eax, ecx
		jmp	short loc_58AAC5
; 

loc_58AB12:				; CODE XREF: __output_s+10Ej
					; DATA XREF: .text:off_58B1C0o
		sub	ecx, 49h	; case 0x6
		jz	short loc_58AB3B
		sub	ecx, 1Fh
		jz	short loc_58AB89
		dec	ecx
		sub	ecx, 1
		jz	short loc_58AB3B
		dec	ecx
		sub	ecx, 1
		jz	short loc_58AB61
		sub	ecx, 8
		jz	short loc_58AB3B
		sub	ecx, 3
		jz	short loc_58AB56
		sub	ecx, 3
		jnz	loc_58B172	; default

loc_58AB3B:				; CODE XREF: __output_s+239j
					; __output_s+244j ...
		mov	ecx, [ebp+arg_4]
		cmp	dl, 49h
		jnz	short loc_58ABA9
		mov	eax, ecx
		mov	al, [eax]
		cmp	al, 36h
		jnz	short loc_58AB91
		cmp	byte ptr [ecx+1], 34h
		jnz	short loc_58AB91
		add	ecx, 2
		jmp	short loc_58ABAE
; 

loc_58AB56:				; CODE XREF: __output_s+254j
		or	ebx, 800h
		jmp	loc_58AA51
; 

loc_58AB61:				; CODE XREF: __output_s+24Aj
		mov	eax, [ebp+arg_4]
		mov	cl, [eax]
		cmp	cl, 6Ch
		jnz	short loc_58AB6F
		inc	eax
		mov	[ebp+arg_4], eax

loc_58AB6F:				; CODE XREF: __output_s+28Dj
		xor	eax, eax
		cmp	cl, 6Ch
		setz	al
		dec	eax
		and	eax, 0FFFFF010h
		add	eax, 1000h
		or	ebx, eax
		jmp	loc_58AA51
; 

loc_58AB89:				; CODE XREF: __output_s+23Ej
		or	ebx, 20h
		jmp	loc_58AA51
; 

loc_58AB91:				; CODE XREF: __output_s+26Dj
					; __output_s+273j
		cmp	al, 33h
		jnz	short loc_58ABB9
		cmp	byte ptr [ecx+1], 32h
		jnz	short loc_58ABB9
		add	ecx, 2
		and	ebx, 0FFFF7FFFh
		jmp	loc_58AA43
; 

loc_58ABA9:				; CODE XREF: __output_s+265j
		cmp	dl, 6Ah
		jnz	short loc_58ABB9

loc_58ABAE:				; CODE XREF: __output_s+278j
		or	ebx, 8000h
		jmp	loc_58AA43
; 

loc_58ABB9:				; CODE XREF: __output_s+2B7j
					; __output_s+2BDj ...
		mov	al, [ecx]
		cmp	al, 64h
		jz	loc_58B175
		cmp	al, 69h
		jz	loc_58B175
		cmp	al, 6Fh
		jz	loc_58B175
		cmp	al, 75h
		jz	loc_58B175
		cmp	al, 78h
		jz	loc_58B175
		cmp	al, 58h
		jz	loc_58B175
		xor	eax, eax
		mov	[ebp+var_238], eax
		jmp	short loc_58ABF7
; 

loc_58ABF5:				; CODE XREF: __output_s+10Ej
					; DATA XREF: .text:off_58B1C0o
		xor	eax, eax	; case 0x0

loc_58ABF7:				; CODE XREF: __output_s+317j
		mov	[ebp+var_234], eax
		lea	eax, [ebp+var_224]
		push	eax
		push	[ebp+var_22C]
		push	[ebp+var_24C]
		call	sub_587F34
		add	esp, 0Ch
		jmp	loc_58B172	; default
; 

loc_58AC1D:				; CODE XREF: __output_s+10Ej
					; DATA XREF: .text:off_58B1C0o
		cmp	ecx, 69h	; case 0x7
		jg	loc_58ADCD
		jz	short loc_58AC5B
		sub	ecx, 43h
		jz	loc_58AD4F
		sub	ecx, 10h
		jz	loc_58ACDC
		sub	ecx, 5
		jz	loc_58AE29
		dec	ecx
		sub	ecx, 1
		jz	short loc_58AC65
		sub	ecx, 9
		jz	loc_58AD63
		sub	ecx, 1
		jnz	loc_58AFE0

loc_58AC5B:				; CODE XREF: __output_s+34Aj
		or	ebx, 40h
		push	0Ah
		jmp	loc_58AE67
; 

loc_58AC65:				; CODE XREF: __output_s+36Bj
		mov	edx, [ebp+var_214]
		add	edx, 4
		mov	[ebp+var_214], edx
		mov	ecx, [edx-4]
		test	ecx, ecx
		jz	short loc_58ACCF
		mov	esi, [ecx+4]
		test	esi, esi
		jz	short loc_58ACCF
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		cmp	[ecx+2], ax
		jb	loc_58B19C
		mov	edi, edx
		test	ebx, 800h
		jz	short loc_58ACC2
		not	eax
		test	al, 1
		jz	loc_58B19C
		mov	eax, esi
		not	eax
		test	al, 1
		jz	loc_58B19C
		shr	edi, 1
		mov	[ebp+var_234], 1
		jmp	loc_58AFDA
; 

loc_58ACC2:				; CODE XREF: __output_s+3BDj
		xor	eax, eax
		mov	[ebp+var_234], eax
		jmp	loc_58AFDA
; 

loc_58ACCF:				; CODE XREF: __output_s+39Dj
					; __output_s+3A4j
		push	6
		mov	esi, offset loc_408EA8
		pop	edi
		jmp	loc_58AFDA
; 

loc_58ACDC:				; CODE XREF: __output_s+358j
		test	ebx, 830h
		jnz	short loc_58ACF0
		or	ebx, 800h
		mov	[ebp+var_210], ebx

loc_58ACF0:				; CODE XREF: __output_s+406j
					; __output_s+507j
		mov	eax, [ebp+var_21C]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_58AD00
		mov	eax, 7FFFFFFFh

loc_58AD00:				; CODE XREF: __output_s+41Dj
		mov	ecx, [ebp+var_214]
		add	ecx, 4
		mov	[ebp+var_214], ecx
		mov	esi, [ecx-4]
		test	ebx, 810h
		jz	loc_58AE00
		test	esi, esi
		jnz	short loc_58AD27
		mov	esi, offset aNull ; "(null)"

loc_58AD27:				; CODE XREF: __output_s+444j
		mov	[ebp+var_234], 1
		mov	edi, esi
		test	eax, eax
		jz	short loc_58AD46
		xor	ecx, ecx

loc_58AD39:				; CODE XREF: __output_s+468j
		dec	eax
		cmp	[edi], cx
		jz	short loc_58AD46
		add	edi, 2
		test	eax, eax
		jnz	short loc_58AD39

loc_58AD46:				; CODE XREF: __output_s+459j
					; __output_s+461j
		sub	edi, esi
		sar	edi, 1
		jmp	loc_58AFDA
; 

loc_58AD4F:				; CODE XREF: __output_s+34Fj
		test	ebx, 830h
		jnz	short loc_58AD63
		or	ebx, 800h
		mov	[ebp+var_210], ebx

loc_58AD63:				; CODE XREF: __output_s+370j
					; __output_s+479j
		mov	edx, [ebp+var_214]
		add	edx, 4
		mov	[ebp+var_214], edx
		test	ebx, 810h
		jz	short loc_58ADB0
		movzx	eax, word ptr [edx-4]
		push	eax		; int
		push	200h		; int
		lea	eax, [ebp+var_20C]
		push	eax		; void *
		lea	eax, [ebp+var_218]
		push	eax		; int
		call	__safecrt_wctomb_s
		mov	edi, [ebp+var_218]
		add	esp, 10h
		test	eax, eax
		jz	short loc_58ADC2
		mov	[ebp+var_248], 1
		jmp	short loc_58ADC2
; 

loc_58ADB0:				; CODE XREF: __output_s+49Cj
		mov	al, [edx-4]
		xor	edi, edi
		inc	edi
		mov	byte ptr [ebp+var_20C],	al
		mov	[ebp+var_218], edi

loc_58ADC2:				; CODE XREF: __output_s+4C6j
					; __output_s+4D2j
		lea	esi, [ebp+var_20C]
		jmp	loc_58AFE0
; 

loc_58ADCD:				; CODE XREF: __output_s+344j
		sub	ecx, 6Eh
		jz	loc_58B19C
		sub	ecx, 1
		jz	short loc_58AE53
		sub	ecx, 1
		jz	short loc_58AE1F
		sub	ecx, 3
		jz	loc_58ACF0
		dec	ecx
		sub	ecx, 1
		jz	short loc_58ADFC
		sub	ecx, 3
		jnz	loc_58AFE0
		push	27h
		jmp	short loc_58AE2B
; 

loc_58ADFC:				; CODE XREF: __output_s+511j
		push	0Ah
		jmp	short loc_58AE6D
; 

loc_58AE00:				; CODE XREF: __output_s+43Cj
		test	esi, esi
		jnz	short loc_58AE09
		mov	esi, offset loc_408EA8

loc_58AE09:				; CODE XREF: __output_s+526j
		mov	edi, esi
		jmp	short loc_58AE14
; 

loc_58AE0D:				; CODE XREF: __output_s+53Aj
		dec	eax
		cmp	byte ptr [edi],	0
		jz	short loc_58AE18
		inc	edi

loc_58AE14:				; CODE XREF: __output_s+52Fj
		test	eax, eax
		jnz	short loc_58AE0D

loc_58AE18:				; CODE XREF: __output_s+535j
		sub	edi, esi
		jmp	loc_58AFDA
; 

loc_58AE1F:				; CODE XREF: __output_s+502j
		mov	[ebp+var_21C], 8

loc_58AE29:				; CODE XREF: __output_s+361j
		push	7

loc_58AE2B:				; CODE XREF: __output_s+51Ej
		pop	eax
		mov	[ebp+var_244], eax
		test	bl, bl
		jns	short loc_58AE4F
		add	al, 51h
		mov	byte ptr [ebp+var_220],	30h
		mov	byte ptr [ebp+var_220+1], al
		mov	[ebp+var_228], 2

loc_58AE4F:				; CODE XREF: __output_s+558j
		push	10h
		jmp	short loc_58AE6D
; 

loc_58AE53:				; CODE XREF: __output_s+4FDj
		push	8
		pop	edi
		mov	[ebp+var_218], edi
		test	bl, bl
		jns	short loc_58AE74
		or	ebx, 200h
		push	edi

loc_58AE67:				; CODE XREF: __output_s+384j
		mov	[ebp+var_210], ebx

loc_58AE6D:				; CODE XREF: __output_s+522j
					; __output_s+575j
		pop	edi
		mov	[ebp+var_218], edi

loc_58AE74:				; CODE XREF: __output_s+582j
		test	ebx, 8000h
		jz	short loc_58AE93
		mov	esi, [ebp+var_214]
		add	esi, 8
		mov	[ebp+var_214], esi
		mov	ecx, [esi-8]
		mov	edx, [esi-4]
		jmp	short loc_58AEEB
; 

loc_58AE93:				; CODE XREF: __output_s+59Ej
		test	ebx, 1000h
		jz	short loc_58AEB2
		mov	eax, [ebp+var_214]
		add	eax, 8
		mov	[ebp+var_214], eax
		mov	ecx, [eax-8]
		mov	edx, [eax-4]
		jmp	short loc_58AEEB
; 

loc_58AEB2:				; CODE XREF: __output_s+5BDj
		mov	esi, [ebp+var_214]
		mov	eax, ebx
		add	esi, 4
		and	eax, 40h
		mov	[ebp+var_214], esi
		test	bl, 20h
		jz	short loc_58AEDB
		test	eax, eax
		jz	short loc_58AED5
		movsx	eax, word ptr [esi-4]
		jmp	short loc_58AEE8
; 

loc_58AED5:				; CODE XREF: __output_s+5F1j
		movzx	eax, word ptr [esi-4]
		jmp	short loc_58AEE8
; 

loc_58AEDB:				; CODE XREF: __output_s+5EDj
		mov	[ebp+var_214], esi
		test	eax, eax
		jz	short loc_58AEEF
		mov	eax, [esi-4]

loc_58AEE8:				; CODE XREF: __output_s+5F7j
					; __output_s+5FDj
		cdq
		mov	ecx, eax

loc_58AEEB:				; CODE XREF: __output_s+5B5j
					; __output_s+5D4j
		xor	esi, esi
		jmp	short loc_58AEF6
; 

loc_58AEEF:				; CODE XREF: __output_s+607j
		mov	ecx, [esi-4]
		xor	esi, esi
		mov	edx, esi

loc_58AEF6:				; CODE XREF: __output_s+611j
		test	bl, 40h
		jz	short loc_58AF17
		cmp	edx, esi
		jg	short loc_58AF17
		jl	short loc_58AF05
		cmp	ecx, esi
		jnb	short loc_58AF17

loc_58AF05:				; CODE XREF: __output_s+623j
		neg	ecx
		adc	edx, esi
		neg	edx
		or	ebx, 100h
		mov	[ebp+var_210], ebx

loc_58AF17:				; CODE XREF: __output_s+61Dj
					; __output_s+621j ...
		test	ebx, 9000h
		jnz	short loc_58AF21
		mov	edx, esi

loc_58AF21:				; CODE XREF: __output_s+641j
		mov	eax, [ebp+var_21C]
		test	eax, eax
		jns	short loc_58AF30
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_58AF4A
; 

loc_58AF30:				; CODE XREF: __output_s+64Dj
		and	ebx, 0FFFFFFF7h
		mov	eax, 200h
		mov	[ebp+var_210], ebx
		mov	ebx, [ebp+var_21C]
		cmp	ebx, eax
		jle	short loc_58AF4A
		mov	ebx, eax

loc_58AF4A:				; CODE XREF: __output_s+652j
					; __output_s+66Aj
		mov	eax, ecx
		or	eax, edx
		jnz	short loc_58AF56
		mov	[ebp+var_228], esi

loc_58AF56:				; CODE XREF: __output_s+672j
		lea	esi, [ebp+var_D]

loc_58AF59:				; CODE XREF: __output_s+6CFj
		mov	eax, ebx
		mov	[ebp+var_240], esi
		dec	ebx
		mov	[ebp+var_21C], ebx
		test	eax, eax
		jg	short loc_58AF72
		mov	eax, ecx
		or	eax, edx
		jz	short loc_58AFAD

loc_58AF72:				; CODE XREF: __output_s+68Ej
		push	ebx
		push	0
		push	edi
		push	edx
		push	ecx
		call	__aulldvrm
		mov	[ebp+var_254], ebx
		pop	ebx
		nop
		mov	edi, ecx
		mov	ecx, eax
		lea	eax, [edi+30h]
		cmp	eax, 39h
		jle	short loc_58AF9C
		mov	eax, [ebp+var_244]
		add	eax, 30h
		add	eax, edi

loc_58AF9C:				; CODE XREF: __output_s+6B3j
		mov	edi, [ebp+var_218]
		mov	ebx, [ebp+var_21C]
		mov	[esi], al
		dec	esi
		jmp	short loc_58AF59
; 

loc_58AFAD:				; CODE XREF: __output_s+694j
		mov	ebx, [ebp+var_210]
		lea	edi, [ebp+var_D]
		sub	edi, esi
		inc	esi
		mov	[ebp+var_218], edi
		test	ebx, 200h
		jz	short loc_58AFE0
		test	edi, edi
		jz	short loc_58AFD0
		cmp	byte ptr [esi],	30h
		jz	short loc_58AFE0

loc_58AFD0:				; CODE XREF: __output_s+6EDj
		mov	esi, [ebp+var_240]
		inc	edi
		mov	byte ptr [esi],	30h

loc_58AFDA:				; CODE XREF: __output_s+3E1j
					; __output_s+3EEj ...
		mov	[ebp+var_218], edi

loc_58AFE0:				; CODE XREF: __output_s+379j
					; __output_s+4ECj ...
		cmp	[ebp+var_248], 0
		jnz	loc_58B172	; default
		test	bl, 40h
		jz	short loc_58B027
		test	ebx, 100h
		jz	short loc_58B003
		mov	byte ptr [ebp+var_220],	2Dh
		jmp	short loc_58B01D
; 

loc_58B003:				; CODE XREF: __output_s+71Cj
		test	bl, 1
		jz	short loc_58B011
		mov	byte ptr [ebp+var_220],	2Bh
		jmp	short loc_58B01D
; 

loc_58B011:				; CODE XREF: __output_s+72Aj
		test	bl, 2
		jz	short loc_58B027
		mov	byte ptr [ebp+var_220],	20h

loc_58B01D:				; CODE XREF: __output_s+725j
					; __output_s+733j
		mov	[ebp+var_228], 1

loc_58B027:				; CODE XREF: __output_s+714j
					; __output_s+738j
		mov	eax, [ebp+var_230]
		mov	ecx, ebx
		sub	eax, edi
		sub	eax, [ebp+var_228]
		and	ecx, 0Ch
		mov	[ebp+var_240], eax
		mov	[ebp+var_23C], ecx
		jnz	short loc_58B060
		lea	ecx, [ebp+var_224]
		push	ecx
		push	[ebp+var_22C]
		push	eax
		push	20h
		call	sub_587F7E
		add	esp, 10h

loc_58B060:				; CODE XREF: __output_s+76Aj
		lea	eax, [ebp+var_224]
		push	eax
		push	[ebp+var_22C]
		lea	eax, [ebp+var_220]
		push	[ebp+var_228]
		push	eax
		call	sub_58B32C
		add	esp, 10h
		cmp	[ebp+var_23C], 8
		jnz	short loc_58B0A8
		lea	eax, [ebp+var_224]
		push	eax
		push	[ebp+var_22C]
		push	[ebp+var_240]
		push	30h
		call	sub_587F7E
		add	esp, 10h

loc_58B0A8:				; CODE XREF: __output_s+7ADj
		cmp	[ebp+var_234], 0
		jz	short loc_58B130
		test	edi, edi
		jle	short loc_58B130
		xor	eax, eax
		mov	ecx, esi
		mov	[ebp+var_23C], eax
		mov	eax, edi

loc_58B0C1:				; CODE XREF: __output_s+847j
		dec	eax
		mov	[ebp+var_250], eax
		movzx	eax, word ptr [ecx]
		add	ecx, 2
		push	eax		; int
		push	6		; int
		lea	eax, [ebp+var_D+1]
		mov	[ebp+var_254], ecx
		push	eax		; void *
		lea	eax, [ebp+var_23C]
		push	eax		; int
		call	__safecrt_wctomb_s
		add	esp, 10h
		test	eax, eax
		jnz	short loc_58B127
		cmp	[ebp+var_23C], eax
		jz	short loc_58B127
		lea	eax, [ebp+var_224]
		push	eax
		push	[ebp+var_22C]
		lea	eax, [ebp+var_D+1]
		push	[ebp+var_23C]
		push	eax
		call	sub_58B32C
		mov	eax, [ebp+var_250]
		add	esp, 10h
		mov	ecx, [ebp+var_254]
		test	eax, eax
		jnz	short loc_58B0C1
		jmp	short loc_58B147
; 

loc_58B127:				; CODE XREF: __output_s+810j
					; __output_s+818j
		or	[ebp+var_224], 0FFFFFFFFh
		jmp	short loc_58B147
; 

loc_58B130:				; CODE XREF: __output_s+7D3j
					; __output_s+7D7j
		lea	eax, [ebp+var_224]
		push	eax
		push	[ebp+var_22C]
		push	edi
		push	esi
		call	sub_58B32C
		add	esp, 10h

loc_58B147:				; CODE XREF: __output_s+849j
					; __output_s+852j
		cmp	[ebp+var_224], 0
		jl	short loc_58B172 ; default
		test	bl, 4
		jz	short loc_58B172 ; default
		lea	eax, [ebp+var_224]
		push	eax
		push	[ebp+var_22C]
		push	[ebp+var_240]
		push	20h
		call	sub_587F7E
		add	esp, 10h

loc_58B172:				; CODE XREF: __output_s+108j
					; __output_s+13Ej ...
		mov	ecx, [ebp+arg_4] ; default

loc_58B175:				; CODE XREF: __output_s+15Ej
					; __output_s+16Dj ...
		mov	dl, [ecx]
		mov	byte ptr [ebp+var_24C],	dl
		test	dl, dl
		jnz	loc_58A987

loc_58B185:				; CODE XREF: __output_s+B6j
		mov	eax, [ebp+var_238]
		test	eax, eax
		jz	short loc_58B194
		cmp	eax, 7
		jnz	short loc_58B19C

loc_58B194:				; CODE XREF: __output_s+A2j
					; __output_s+8B1j
		mov	eax, [ebp+var_224]
		jmp	short loc_58B1AE
; 

loc_58B19C:				; CODE XREF: __output_s+73j
					; __output_s+7Ej ...
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh

loc_58B1AE:				; CODE XREF: __output_s+8BEj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
__output_s	endp

; 
		align 10h
off_58B1C0	dd offset loc_58ABF5	; DATA XREF: __output_s+10Er
		dd offset loc_58A9F1	; jump table for switch	statement
		dd offset loc_58AA1F
		dd offset loc_58AA6E
		dd offset loc_58AAC3
		dd offset loc_58AAD0
		dd offset loc_58AB12
		dd offset loc_58AC1D

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _safecrt_wctomb_s(int,void *,int,int)
__safecrt_wctomb_s proc	near		; CODE XREF: __output_s+4B6p
					; __output_s+806p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		test	eax, eax
		jnz	short loc_58B203
		test	ebx, ebx
		jz	short loc_58B203
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_58B270
		and	dword ptr [eax], 0
		jmp	short loc_58B270
; 

loc_58B203:				; CODE XREF: __safecrt_wctomb_s+11j
					; __safecrt_wctomb_s+15j
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_58B20D
		or	dword ptr [edi], 0FFFFFFFFh

loc_58B20D:				; CODE XREF: __safecrt_wctomb_s+28j
		cmp	ebx, 7FFFFFFFh
		jbe	short loc_58B229
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		push	16h

loc_58B226:				; CODE XREF: __safecrt_wctomb_s+85j
		pop	eax
		jmp	short loc_58B272
; 

loc_58B229:				; CODE XREF: __safecrt_wctomb_s+33j
		test	eax, eax
		jnz	short loc_58B238
		test	edi, edi
		jz	short loc_58B270
		mov	eax, ___mb_cur_max
		jmp	short loc_58B26E
; 

loc_58B238:				; CODE XREF: __safecrt_wctomb_s+4Bj
		push	2
		lea	ecx, [ebp+arg_C]
		xor	esi, esi
		push	ecx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], esi
		push	ecx
		push	ebx
		push	eax
		call	RtlUnicodeToMultiByteN
		test	eax, eax
		jns	short loc_58B267
		test	ebx, ebx
		jz	short loc_58B263
		push	ebx		; size_t
		push	esi		; int
		push	[ebp+arg_4]	; void *
		call	_memset
		add	esp, 0Ch

loc_58B263:				; CODE XREF: __safecrt_wctomb_s+74j
		push	2Ah
		jmp	short loc_58B226
; 

loc_58B267:				; CODE XREF: __safecrt_wctomb_s+70j
		test	edi, edi
		jz	short loc_58B270
		mov	eax, [ebp+var_4]

loc_58B26E:				; CODE XREF: __safecrt_wctomb_s+56j
		mov	[edi], eax

loc_58B270:				; CODE XREF: __safecrt_wctomb_s+1Cj
					; __safecrt_wctomb_s+21j ...
		xor	eax, eax

loc_58B272:				; CODE XREF: __safecrt_wctomb_s+47j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
__safecrt_wctomb_s endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__soutput_s	proc near		; CODE XREF: __vsnprintf_s+40p
					; __vsnprintf_s+6Fp ...

var_20		= FILE ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_20._file], eax
		mov	[ebp+var_20._charbuf], eax
		mov	[ebp+var_20._bufsiz], eax
		mov	[ebp+var_20._tmpfname],	eax
		push	edi
		test	esi, esi
		jz	short loc_58B317
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_58B2A6
		mov	[ebp+var_20._cnt], 7FFFFFFFh
		jmp	short loc_58B2B1
; 

loc_58B2A6:				; CODE XREF: __soutput_s+23j
		cmp	esi, 7FFFFFFFh
		ja	short loc_58B317
		mov	[ebp+var_20._cnt], esi

loc_58B2B1:				; CODE XREF: __soutput_s+2Cj
		push	[ebp+arg_C]
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_20]
		push	[ebp+arg_8]
		mov	[ebp+var_20._base], edi
		push	eax
		mov	[ebp+var_20._ptr], edi
		mov	[ebp+var_20._flag], 42h
		call	__output_s
		mov	ebx, eax
		xor	ecx, ecx
		add	esp, 0Ch
		mov	[edi+esi-1], cl
		test	ebx, ebx
		jns	short loc_58B2F0
		cmp	[ebp+var_20._cnt], ecx
		jl	short loc_58B312
		test	edi, edi
		jz	short loc_58B30E
		test	esi, esi
		jz	short loc_58B30E
		mov	[edi], cl
		jmp	short loc_58B30E
; 

loc_58B2F0:				; CODE XREF: __soutput_s+65j
		sub	[ebp+var_20._cnt], 1
		js	short loc_58B2FD
		mov	eax, [ebp+var_20._ptr]
		mov	[eax], cl
		jmp	short loc_58B30E
; 

loc_58B2FD:				; CODE XREF: __soutput_s+7Cj
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	ecx		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_58B312

loc_58B30E:				; CODE XREF: __soutput_s+6Ej
					; __soutput_s+72j ...
		mov	eax, ebx
		jmp	short loc_58B327
; 

loc_58B312:				; CODE XREF: __soutput_s+6Aj
					; __soutput_s+94j
		push	0FFFFFFFEh
		pop	eax
		jmp	short loc_58B327
; 

loc_58B317:				; CODE XREF: __soutput_s+1Ej
					; __soutput_s+34j
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh

loc_58B327:				; CODE XREF: __soutput_s+98j
					; __soutput_s+9Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
__soutput_s	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_58B32C	proc near		; CODE XREF: __output_s+79Ep
					; __output_s+831p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_8]
		test	byte ptr [esi+0Ch], 40h
		jz	short loc_58B34B
		cmp	dword ptr [esi+8], 0
		jnz	short loc_58B34B
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+arg_4]
		add	[ecx], eax
		jmp	short loc_58B378
; 

loc_58B34B:				; CODE XREF: sub_58B32C+Dj
					; sub_58B32C+13j
		push	edi
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jle	short loc_58B377
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_0]

loc_58B35A:				; CODE XREF: sub_58B32C+48j
		push	eax
		movzx	eax, byte ptr [ebx]
		dec	edi
		push	esi
		push	eax
		call	sub_587F34
		mov	eax, [ebp+arg_C]
		add	esp, 0Ch
		inc	ebx
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_58B376
		test	edi, edi
		jg	short loc_58B35A

loc_58B376:				; CODE XREF: sub_58B32C+44j
		pop	ebx

loc_58B377:				; CODE XREF: sub_58B32C+25j
		pop	edi

loc_58B378:				; CODE XREF: sub_58B32C+1Dj
		pop	esi
		pop	ebp
		retn
sub_58B32C	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__swoutput_s	proc near		; CODE XREF: _vswprintf_s+23p
					; __vsnwprintf_s+3Dp ...

var_20		= FILE ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_20._file], eax
		mov	[ebp+var_20._charbuf], eax
		mov	[ebp+var_20._bufsiz], eax
		mov	[ebp+var_20._tmpfname],	eax
		push	edi
		test	esi, esi
		jz	loc_58B451
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_58B3AE
		mov	[ebp+var_20._cnt], 7FFFFFFFh
		jmp	short loc_58B3C0
; 

loc_58B3AE:				; CODE XREF: __swoutput_s+27j
		cmp	esi, 3FFFFFFFh
		ja	loc_58B451
		lea	eax, [esi+esi]
		mov	[ebp+var_20._cnt], eax

loc_58B3C0:				; CODE XREF: __swoutput_s+30j
		push	[ebp+arg_C]
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_20]
		push	[ebp+arg_8]
		mov	[ebp+var_20._base], edi
		push	eax
		mov	[ebp+var_20._ptr], edi
		mov	[ebp+var_20._flag], 42h
		call	__woutput_s
		mov	ebx, eax
		add	esp, 0Ch
		xor	eax, eax
		mov	[edi+esi*2-2], ax
		test	ebx, ebx
		jns	short loc_58B401
		cmp	[ebp+var_20._cnt], eax
		jl	short loc_58B44C
		test	edi, edi
		jz	short loc_58B448
		test	esi, esi
		jz	short loc_58B448
		mov	[edi], ax
		jmp	short loc_58B448
; 

loc_58B401:				; CODE XREF: __swoutput_s+71j
		sub	[ebp+var_20._cnt], 1
		js	short loc_58B416
		mov	eax, [ebp+var_20._ptr]
		mov	byte ptr [eax],	0
		mov	eax, [ebp+var_20._ptr]
		inc	eax
		mov	[ebp+var_20._ptr], eax
		jmp	short loc_58B42B
; 

loc_58B416:				; CODE XREF: __swoutput_s+89j
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	0		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_58B44C
		mov	eax, [ebp+var_20._ptr]

loc_58B42B:				; CODE XREF: __swoutput_s+98j
		sub	[ebp+var_20._cnt], 1
		js	short loc_58B436
		mov	byte ptr [eax],	0
		jmp	short loc_58B448
; 

loc_58B436:				; CODE XREF: __swoutput_s+B3j
		lea	eax, [ebp+var_20]
		push	eax		; FILE *
		push	0		; int
		call	__flsbuf_s
		pop	ecx
		pop	ecx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_58B44C

loc_58B448:				; CODE XREF: __swoutput_s+7Aj
					; __swoutput_s+7Ej ...
		mov	eax, ebx
		jmp	short loc_58B461
; 

loc_58B44C:				; CODE XREF: __swoutput_s+76j
					; __swoutput_s+AAj ...
		push	0FFFFFFFEh
		pop	eax
		jmp	short loc_58B461
; 

loc_58B451:				; CODE XREF: __swoutput_s+1Ej
					; __swoutput_s+38j
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh

loc_58B461:				; CODE XREF: __swoutput_s+CEj
					; __swoutput_s+D3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
__swoutput_s	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__woutput_s	proc near		; CODE XREF: __swoutput_s+5Ep

var_450		= dword	ptr -450h
var_44C		= dword	ptr -44Ch
var_448		= word ptr -448h
var_444		= dword	ptr -444h
var_440		= dword	ptr -440h
var_43C		= dword	ptr -43Ch
var_438		= dword	ptr -438h
var_434		= dword	ptr -434h
var_430		= byte ptr -430h
var_42C		= dword	ptr -42Ch
var_428		= dword	ptr -428h
var_424		= dword	ptr -424h
var_420		= dword	ptr -420h
var_41C		= dword	ptr -41Ch
var_418		= dword	ptr -418h
var_414		= dword	ptr -414h
var_410		= dword	ptr -410h
var_40C		= dword	ptr -40Ch
var_408		= dword	ptr -408h
var_404		= word ptr -404h
var_205		= dword	ptr -205h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 454h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_40C], eax
		xor	eax, eax
		push	400h		; size_t
		mov	ebx, eax
		mov	[ebp+var_440], eax
		push	eax		; int
		mov	[ebp+var_428], eax
		mov	esi, eax
		mov	[ebp+var_410], eax
		mov	[ebp+var_41C], eax
		mov	[ebp+var_444], eax
		lea	eax, [ebp+var_404]
		push	eax		; void *
		mov	[ebp+var_424], edi
		mov	[ebp+var_408], ebx
		call	_memset
		xor	ecx, ecx
		add	esp, 0Ch
		mov	dword ptr [ebp+var_448], ecx
		mov	[ebp+var_420], ecx
		test	edi, edi
		jz	loc_58BD8A
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_58BD8A
		movzx	edx, word ptr [eax]
		mov	edi, ecx
		mov	[ebp+var_414], ecx
		mov	[ebp+var_42C], ecx
		test	dx, dx
		jz	loc_58BD82
		mov	[ebp+var_44C], 69h
		mov	ecx, eax

loc_58B516:				; CODE XREF: __woutput_s+907j
		add	ecx, 2
		movzx	eax, dx
		cmp	[ebp+var_414], 0
		mov	[ebp+arg_4], ecx
		jl	loc_58BD73
		mov	ecx, eax
		lea	eax, [edx-20h]
		cmp	ax, 5Ah
		ja	short loc_58B543
		movzx	eax, byte ptr ds:__d_inf[ecx]
		and	eax, 0Fh
		jmp	short loc_58B545
; 

loc_58B543:				; CODE XREF: __woutput_s+CFj
		xor	eax, eax

loc_58B545:				; CODE XREF: __woutput_s+DBj
		mov	ebx, [ebp+var_42C]
		imul	eax, 9
		movzx	ebx, ds:___lookuptable_s[eax+ebx]
		mov	eax, ebx
		mov	[ebp+var_42C], ebx
		mov	ebx, [ebp+var_408]
		shr	eax, 4
		mov	[ebp+var_42C], eax
		cmp	eax, 8
		jz	loc_58BD8A
		cmp	eax, 7		; switch 8 cases
		ja	loc_58BD64	; default
		jmp	ds:off_58BDAE[eax*4] ; switch jump

loc_58B586:				; DATA XREF: .text:0058BDB2o
		xor	eax, eax	; case 0x1
		or	[ebp+var_410], 0FFFFFFFFh
		mov	ebx, eax
		mov	[ebp+var_444], eax
		mov	[ebp+var_428], eax
		mov	[ebp+var_41C], eax
		mov	[ebp+var_408], ebx
		mov	[ebp+var_420], eax
		jmp	loc_58BD64	; default
; 

loc_58B5B4:				; CODE XREF: __woutput_s+119j
					; DATA XREF: .text:0058BDB6o
		push	20h		; case 0x2
		pop	eax
		sub	ecx, eax
		jz	short loc_58B600
		sub	ecx, 3
		jz	short loc_58B5F8
		sub	ecx, 8
		jz	short loc_58B5F3
		dec	ecx
		sub	ecx, 1
		jz	short loc_58B5E5
		sub	ecx, 3
		mov	ecx, [ebp+arg_4]
		jnz	loc_58BD67
		or	ebx, 8

loc_58B5DA:				; CODE XREF: __woutput_s+2E5j
					; __woutput_s+2F6j
		mov	[ebp+var_408], ebx
		jmp	loc_58BD67
; 

loc_58B5E5:				; CODE XREF: __woutput_s+163j
		or	ebx, 4

loc_58B5E8:				; CODE XREF: __woutput_s+190j
					; __woutput_s+198j ...
		mov	[ebp+var_408], ebx
		jmp	loc_58BD64	; default
; 

loc_58B5F3:				; CODE XREF: __woutput_s+15Dj
		or	ebx, 1
		jmp	short loc_58B5E8
; 

loc_58B5F8:				; CODE XREF: __woutput_s+158j
		or	ebx, 80h
		jmp	short loc_58B5E8
; 

loc_58B600:				; CODE XREF: __woutput_s+153j
		or	ebx, 2
		jmp	short loc_58B5E8
; 

loc_58B605:				; CODE XREF: __woutput_s+119j
					; DATA XREF: .text:0058BDBAo
		push	2Ah		; case 0x3
		pop	eax
		cmp	dx, ax
		jnz	short loc_58B646
		mov	eax, [ebp+var_40C]
		mov	ecx, [ebp+arg_4]
		add	eax, 4
		mov	[ebp+var_40C], eax
		mov	eax, [eax-4]
		mov	[ebp+var_428], eax
		test	eax, eax
		jns	loc_58BD67
		or	ebx, 4
		neg	eax
		mov	[ebp+var_408], ebx
		mov	[ebp+var_428], eax
		jmp	loc_58BD67
; 

loc_58B646:				; CODE XREF: __woutput_s+1A5j
		imul	eax, [ebp+var_428], arg_0+2
		add	eax, 0FFFFFFD0h
		add	eax, ecx
		mov	[ebp+var_428], eax
		jmp	loc_58BD64	; default
; 

loc_58B65D:				; CODE XREF: __woutput_s+119j
					; DATA XREF: .text:0058BDBEo
		xor	eax, eax	; case 0x4

loc_58B65F:				; CODE XREF: __woutput_s+247j
		mov	[ebp+var_410], eax
		jmp	loc_58BD64	; default
; 

loc_58B66A:				; CODE XREF: __woutput_s+119j
					; DATA XREF: .text:0058BDC2o
		push	2Ah		; case 0x5
		pop	eax
		cmp	dx, ax
		jnz	short loc_58B6A1
		mov	ecx, [ebp+var_40C]
		add	ecx, 4
		mov	[ebp+var_40C], ecx
		mov	eax, [ecx-4]
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_410], eax
		test	eax, eax
		jns	loc_58BD67
		or	[ebp+var_410], 0FFFFFFFFh
		jmp	loc_58BD67
; 

loc_58B6A1:				; CODE XREF: __woutput_s+20Aj
		imul	eax, [ebp+var_410], arg_0+2
		add	eax, 0FFFFFFD0h
		add	eax, ecx
		jmp	short loc_58B65F
; 

loc_58B6AF:				; CODE XREF: __woutput_s+119j
					; DATA XREF: .text:0058BDC6o
		push	49h		; case 0x6
		pop	eax
		sub	ecx, eax
		jz	short loc_58B6DA
		sub	ecx, 1Fh
		jz	short loc_58B731
		dec	ecx
		sub	ecx, 1
		jz	short loc_58B6DA
		dec	ecx
		sub	ecx, 1
		jz	short loc_58B703
		sub	ecx, 8
		jz	short loc_58B6DA
		sub	ecx, 3
		jz	short loc_58B6F8
		sub	ecx, 3
		jnz	loc_58BD64	; default

loc_58B6DA:				; CODE XREF: __woutput_s+24Ej
					; __woutput_s+259j ...
		mov	ecx, [ebp+arg_4]
		cmp	dx, ax
		jnz	short loc_58B750
		mov	eax, ecx
		movzx	eax, word ptr [eax]
		cmp	eax, 36h
		jnz	short loc_58B736
		cmp	word ptr [ecx+2], 34h
		jnz	short loc_58B736
		add	ecx, 4
		jmp	short loc_58B756
; 

loc_58B6F8:				; CODE XREF: __woutput_s+269j
		or	ebx, 800h
		jmp	loc_58B5E8
; 

loc_58B703:				; CODE XREF: __woutput_s+25Fj
		mov	eax, [ebp+arg_4]
		push	6Ch
		pop	edx
		movzx	eax, word ptr [eax]
		mov	ecx, eax
		cmp	ax, dx
		jnz	short loc_58B717
		add	[ebp+arg_4], 2

loc_58B717:				; CODE XREF: __woutput_s+2ABj
		xor	eax, eax
		cmp	cx, dx
		setz	al
		dec	eax
		and	eax, 0FFFFF010h
		add	eax, 1000h

loc_58B72A:				; CODE XREF: __woutput_s+2CEj
		or	ebx, eax
		jmp	loc_58B5E8
; 

loc_58B731:				; CODE XREF: __woutput_s+253j
		push	20h
		pop	eax
		jmp	short loc_58B72A
; 

loc_58B736:				; CODE XREF: __woutput_s+284j
					; __woutput_s+28Bj
		cmp	eax, 33h
		jnz	short loc_58B761
		cmp	word ptr [ecx+2], 32h
		jnz	short loc_58B761
		add	ecx, 4
		and	ebx, 0FFFF7FFFh
		jmp	loc_58B5DA
; 

loc_58B750:				; CODE XREF: __woutput_s+27Aj
		cmp	dx, 6Ah
		jnz	short loc_58B761

loc_58B756:				; CODE XREF: __woutput_s+290j
		or	ebx, 8000h
		jmp	loc_58B5DA
; 

loc_58B761:				; CODE XREF: __woutput_s+2D3j
					; __woutput_s+2DAj ...
		movzx	eax, word ptr [ecx]
		cmp	eax, 64h
		jz	loc_58BD67
		cmp	ax, word ptr [ebp+var_44C]
		jz	loc_58BD67
		cmp	eax, 6Fh
		jz	loc_58BD67
		cmp	eax, 75h
		jz	loc_58BD67
		cmp	eax, 78h
		jz	loc_58BD67
		cmp	eax, 58h
		jz	loc_58BD67
		xor	eax, eax
		mov	[ebp+var_42C], eax

loc_58B7A6:				; CODE XREF: __woutput_s+119j
					; DATA XREF: .text:off_58BDAEo
		lea	eax, [ebp+var_414] ; case 0x0
		mov	[ebp+var_420], 1
		push	eax
		push	[ebp+var_424]
		push	edx
		call	sub_58BDCE
		add	esp, 0Ch
		jmp	loc_58BD64	; default
; 

loc_58B7CB:				; CODE XREF: __woutput_s+119j
					; DATA XREF: .text:0058BDCAo
		push	69h		; case 0x7
		pop	eax
		cmp	ecx, eax
		ja	loc_58B97C
		jz	short loc_58B80B
		sub	ecx, 43h
		jz	loc_58B8F2
		sub	ecx, 10h
		jz	loc_58B88C
		sub	ecx, 5
		jz	loc_58B9F1
		dec	ecx
		sub	ecx, 1
		jz	short loc_58B815
		sub	ecx, 9
		jz	loc_58B905
		sub	ecx, 1
		jnz	loc_58BBA8

loc_58B80B:				; CODE XREF: __woutput_s+370j
		or	ebx, 40h
		push	0Ah
		jmp	loc_58BA34
; 

loc_58B815:				; CODE XREF: __woutput_s+391j
		mov	edx, [ebp+var_40C]
		add	edx, 4
		mov	[ebp+var_40C], edx
		mov	ecx, [edx-4]
		test	ecx, ecx
		jz	short loc_58B87F
		mov	esi, [ecx+4]
		test	esi, esi
		jz	short loc_58B87F
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		cmp	[ecx+2], ax
		jb	loc_58BD8A
		mov	edi, edx
		test	ebx, 800h
		jz	short loc_58B872
		not	eax
		test	al, 1
		jz	loc_58BD8A
		mov	eax, esi
		not	eax
		test	al, 1
		jz	loc_58BD8A
		shr	edi, 1
		mov	[ebp+var_420], 1
		jmp	loc_58BBA8
; 

loc_58B872:				; CODE XREF: __woutput_s+3E3j
		xor	eax, eax
		mov	[ebp+var_420], eax
		jmp	loc_58BBA8
; 

loc_58B87F:				; CODE XREF: __woutput_s+3C3j
					; __woutput_s+3CAj
		push	6
		mov	esi, offset loc_408EA8
		pop	edi
		jmp	loc_58BBA8
; 

loc_58B88C:				; CODE XREF: __woutput_s+37Ej
		test	ebx, 830h
		jnz	short loc_58B89F
		push	20h
		pop	eax
		or	ebx, eax
		mov	[ebp+var_408], ebx

loc_58B89F:				; CODE XREF: __woutput_s+42Cj
					; __woutput_s+530j
		mov	eax, [ebp+var_410]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_58B8AF
		mov	eax, 7FFFFFFFh

loc_58B8AF:				; CODE XREF: __woutput_s+442j
		mov	ecx, [ebp+var_40C]
		add	ecx, 4
		mov	[ebp+var_40C], ecx
		mov	esi, [ecx-4]
		test	bl, 20h
		jz	loc_58B9B6
		test	esi, esi
		jnz	short loc_58B8D3
		mov	esi, offset loc_408EA8

loc_58B8D3:				; CODE XREF: __woutput_s+466j
		xor	ecx, ecx
		mov	edi, ecx
		test	eax, eax
		jle	loc_58BBA8

loc_58B8DF:				; CODE XREF: __woutput_s+485j
		cmp	[edi+esi], cl
		jz	loc_58BBA8
		inc	edi
		cmp	edi, eax
		jl	short loc_58B8DF
		jmp	loc_58BBA8
; 

loc_58B8F2:				; CODE XREF: __woutput_s+375j
		test	ebx, 830h
		jnz	short loc_58B905
		push	20h
		pop	eax
		or	ebx, eax
		mov	[ebp+var_408], ebx

loc_58B905:				; CODE XREF: __woutput_s+396j
					; __woutput_s+492j
		mov	eax, [ebp+var_40C]
		add	eax, 4
		mov	[ebp+var_420], 1
		mov	[ebp+var_40C], eax
		movzx	eax, word ptr [eax-4]
		mov	dword ptr [ebp+var_448], eax
		test	bl, 20h
		jz	short loc_58B967
		push	___mb_cur_max	; size_t
		mov	[ebp+var_430], al
		xor	eax, eax
		mov	[ebp-42Fh], al
		lea	eax, [ebp+var_430]
		push	eax		; char *
		lea	eax, [ebp+var_404]
		push	eax		; wchar_t *
		call	__safecrt_mbtowc
		add	esp, 0Ch
		test	eax, eax
		jns	short loc_58B96E
		mov	[ebp+var_444], 1
		jmp	short loc_58B96E
; 

loc_58B967:				; CODE XREF: __woutput_s+4C5j
		mov	[ebp+var_404], ax

loc_58B96E:				; CODE XREF: __woutput_s+4F3j
					; __woutput_s+4FFj
		xor	edi, edi
		lea	esi, [ebp+var_404]
		inc	edi
		jmp	loc_58BBA8
; 

loc_58B97C:				; CODE XREF: __woutput_s+36Aj
		sub	ecx, 6Eh
		jz	loc_58BD8A
		sub	ecx, 1
		jz	loc_58BA20
		sub	ecx, 1
		jz	short loc_58B9E7
		sub	ecx, 3
		jz	loc_58B89F
		dec	ecx
		sub	ecx, 1
		jz	short loc_58B9AF
		sub	ecx, 3
		jnz	loc_58BBA8
		push	27h
		jmp	short loc_58B9F3
; 

loc_58B9AF:				; CODE XREF: __woutput_s+53Aj
		push	0Ah
		jmp	loc_58BA3A
; 

loc_58B9B6:				; CODE XREF: __woutput_s+45Ej
		test	esi, esi
		jnz	short loc_58B9BF
		mov	esi, offset aNull ; "(null)"

loc_58B9BF:				; CODE XREF: __woutput_s+552j
		mov	[ebp+var_420], 1
		mov	edi, esi
		test	eax, eax
		jz	short loc_58B9DE
		xor	ecx, ecx

loc_58B9D1:				; CODE XREF: __woutput_s+576j
		dec	eax
		cmp	[edi], cx
		jz	short loc_58B9DE
		add	edi, 2
		test	eax, eax
		jnz	short loc_58B9D1

loc_58B9DE:				; CODE XREF: __woutput_s+567j
					; __woutput_s+56Fj
		sub	edi, esi
		sar	edi, 1
		jmp	loc_58BBA8
; 

loc_58B9E7:				; CODE XREF: __woutput_s+52Bj
		mov	[ebp+var_410], 8

loc_58B9F1:				; CODE XREF: __woutput_s+387j
		push	7

loc_58B9F3:				; CODE XREF: __woutput_s+547j
		pop	eax
		mov	[ebp+var_440], eax
		test	bl, bl
		jns	short loc_58BA1C
		push	30h
		pop	ecx
		add	eax, 51h
		mov	word ptr [ebp+var_434],	cx
		mov	word ptr [ebp+var_434+2], ax
		mov	[ebp+var_41C], 2

loc_58BA1C:				; CODE XREF: __woutput_s+596j
		push	10h
		jmp	short loc_58BA3A
; 

loc_58BA20:				; CODE XREF: __woutput_s+522j
		push	8
		pop	edi
		mov	[ebp+var_418], edi
		test	bl, bl
		jns	short loc_58BA41
		or	ebx, 200h
		push	edi

loc_58BA34:				; CODE XREF: __woutput_s+3AAj
		mov	[ebp+var_408], ebx

loc_58BA3A:				; CODE XREF: __woutput_s+54Bj
					; __woutput_s+5B8j
		pop	edi
		mov	[ebp+var_418], edi

loc_58BA41:				; CODE XREF: __woutput_s+5C5j
		test	ebx, 8000h
		jz	short loc_58BA5C
		mov	esi, [ebp+var_40C]
		add	esi, 8
		mov	ecx, [esi-8]
		mov	edx, [esi-4]

loc_58BA58:				; CODE XREF: __woutput_s+64Dj
		xor	eax, eax
		jmp	short loc_58BABC
; 

loc_58BA5C:				; CODE XREF: __woutput_s+5E1j
		test	ebx, 1000h
		jz	short loc_58BA7B
		mov	eax, [ebp+var_40C]
		add	eax, 8
		mov	[ebp+var_40C], eax
		mov	ecx, [eax-8]
		mov	edx, [eax-4]
		jmp	short loc_58BAA5
; 

loc_58BA7B:				; CODE XREF: __woutput_s+5FCj
		mov	esi, [ebp+var_40C]
		mov	eax, ebx
		add	esi, 4
		and	eax, 40h
		mov	[ebp+var_40C], esi
		test	bl, 20h
		jz	short loc_58BAA9
		test	eax, eax
		jz	short loc_58BA9E
		movsx	eax, word ptr [esi-4]
		jmp	short loc_58BAA2
; 

loc_58BA9E:				; CODE XREF: __woutput_s+630j
		movzx	eax, word ptr [esi-4]

loc_58BAA2:				; CODE XREF: __woutput_s+636j
		cdq
		mov	ecx, eax

loc_58BAA5:				; CODE XREF: __woutput_s+613j
		xor	eax, eax
		jmp	short loc_58BAC2
; 

loc_58BAA9:				; CODE XREF: __woutput_s+62Cj
		test	eax, eax
		jz	short loc_58BAB5
		mov	eax, [esi-4]
		cdq
		mov	ecx, eax
		jmp	short loc_58BA58
; 

loc_58BAB5:				; CODE XREF: __woutput_s+645j
		mov	ecx, [esi-4]
		xor	eax, eax
		mov	edx, eax

loc_58BABC:				; CODE XREF: __woutput_s+5F4j
		mov	[ebp+var_40C], esi

loc_58BAC2:				; CODE XREF: __woutput_s+641j
		test	bl, 40h
		jz	short loc_58BAE3
		cmp	edx, eax
		jg	short loc_58BAE3
		jl	short loc_58BAD1
		cmp	ecx, eax
		jnb	short loc_58BAE3

loc_58BAD1:				; CODE XREF: __woutput_s+665j
		neg	ecx
		adc	edx, eax
		neg	edx
		or	ebx, 100h
		mov	[ebp+var_408], ebx

loc_58BAE3:				; CODE XREF: __woutput_s+65Fj
					; __woutput_s+663j ...
		test	ebx, 9000h
		jnz	short loc_58BAED
		mov	edx, eax

loc_58BAED:				; CODE XREF: __woutput_s+683j
		mov	eax, [ebp+var_410]
		test	eax, eax
		jns	short loc_58BAFC
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_58BB16
; 

loc_58BAFC:				; CODE XREF: __woutput_s+68Fj
		and	ebx, 0FFFFFFF7h
		mov	eax, 200h
		mov	[ebp+var_408], ebx
		mov	ebx, [ebp+var_410]
		cmp	ebx, eax
		jle	short loc_58BB16
		mov	ebx, eax

loc_58BB16:				; CODE XREF: __woutput_s+694j
					; __woutput_s+6ACj
		mov	eax, ecx
		or	eax, edx
		jnz	short loc_58BB22
		mov	[ebp+var_41C], eax

loc_58BB22:				; CODE XREF: __woutput_s+6B4j
		lea	esi, [ebp+var_205]

loc_58BB28:				; CODE XREF: __woutput_s+714j
		mov	eax, ebx
		mov	[ebp+var_43C], esi
		dec	ebx
		mov	[ebp+var_410], ebx
		test	eax, eax
		jg	short loc_58BB41
		mov	eax, ecx
		or	eax, edx
		jz	short loc_58BB7C

loc_58BB41:				; CODE XREF: __woutput_s+6D3j
		push	ebx
		push	0
		push	edi
		push	edx
		push	ecx
		call	__aulldvrm
		mov	[ebp+var_450], ebx
		pop	ebx
		nop
		mov	edi, ecx
		mov	ecx, eax
		lea	eax, [edi+30h]
		cmp	eax, 39h
		jle	short loc_58BB6B
		mov	eax, [ebp+var_440]
		add	eax, 30h
		add	eax, edi

loc_58BB6B:				; CODE XREF: __woutput_s+6F8j
		mov	edi, [ebp+var_418]
		mov	ebx, [ebp+var_410]
		mov	[esi], al
		dec	esi
		jmp	short loc_58BB28
; 

loc_58BB7C:				; CODE XREF: __woutput_s+6D9j
		mov	ebx, [ebp+var_408]
		lea	edi, [ebp+var_205]
		sub	edi, esi
		inc	esi
		test	ebx, 200h
		jz	short loc_58BBA8
		test	edi, edi
		jz	short loc_58BB9C
		cmp	byte ptr [esi],	30h
		jz	short loc_58BBA8

loc_58BB9C:				; CODE XREF: __woutput_s+72Fj
		mov	esi, [ebp+var_43C]
		inc	edi
		push	30h
		pop	eax
		mov	[esi], al

loc_58BBA8:				; CODE XREF: __woutput_s+39Fj
					; __woutput_s+407j ...
		cmp	[ebp+var_444], 0
		jnz	loc_58BD64	; default
		test	bl, 40h
		jz	short loc_58BBDA
		test	ebx, 100h
		jz	loc_58BCE9
		push	2Dh

loc_58BBC8:				; CODE XREF: __woutput_s+88Aj
		pop	eax
		mov	word ptr [ebp+var_434],	ax
		mov	[ebp+var_41C], 1

loc_58BBDA:				; CODE XREF: __woutput_s+752j
					; __woutput_s+892j
		push	20h
		pop	edx

loc_58BBDD:				; CODE XREF: __woutput_s+8ACj
		mov	eax, [ebp+var_428]
		mov	ecx, ebx
		sub	eax, edi
		sub	eax, [ebp+var_41C]
		and	ecx, 0Ch
		mov	[ebp+var_43C], eax
		mov	[ebp+var_438], ecx
		jnz	short loc_58BC15
		lea	ecx, [ebp+var_414]
		push	ecx
		push	[ebp+var_424]
		push	eax
		push	edx
		call	sub_58BE24
		add	esp, 10h

loc_58BC15:				; CODE XREF: __woutput_s+796j
		lea	eax, [ebp+var_414]
		push	eax
		push	[ebp+var_424]
		lea	eax, [ebp+var_434]
		push	[ebp+var_41C]
		push	eax
		call	sub_58BE52
		add	esp, 10h
		cmp	[ebp+var_438], 8
		jnz	short loc_58BC5F
		lea	eax, [ebp+var_414]
		push	eax
		push	[ebp+var_424]
		push	[ebp+var_43C]
		push	30h
		pop	eax
		push	eax
		call	sub_58BE24
		add	esp, 10h

loc_58BC5F:				; CODE XREF: __woutput_s+7D8j
		cmp	[ebp+var_420], 0
		jnz	loc_58BD20
		test	edi, edi
		jle	loc_58BD20
		mov	ecx, esi
		mov	[ebp+var_438], esi
		mov	eax, edi

loc_58BC7E:				; CODE XREF: __woutput_s+87Fj
		push	___mb_cur_max	; size_t
		dec	eax
		mov	[ebp+var_418], eax
		lea	eax, [ebp+var_448]
		push	ecx		; char *
		push	eax		; wchar_t *
		call	__safecrt_mbtowc
		add	esp, 0Ch
		mov	[ebp+var_450], eax
		cmp	eax, 2
		jnz	short loc_58BCAC
		dec	[ebp+var_418]

loc_58BCAC:				; CODE XREF: __woutput_s+83Ej
		test	eax, eax
		jle	short loc_58BD17
		lea	eax, [ebp+var_414]
		push	eax
		push	[ebp+var_424]
		push	dword ptr [ebp+var_448]
		call	sub_58BDCE
		mov	ecx, [ebp+var_438]
		add	esp, 0Ch
		add	ecx, [ebp+var_450]
		mov	eax, [ebp+var_418]
		mov	[ebp+var_438], ecx
		test	eax, eax
		jg	short loc_58BC7E
		jmp	short loc_58BD37
; 

loc_58BCE9:				; CODE XREF: __woutput_s+75Aj
		test	bl, 1
		jz	short loc_58BCF5
		push	2Bh
		jmp	loc_58BBC8
; 

loc_58BCF5:				; CODE XREF: __woutput_s+886j
		test	bl, 2
		jz	loc_58BBDA
		push	20h
		pop	edx
		mov	word ptr [ebp+var_434],	dx
		mov	[ebp+var_41C], 1
		jmp	loc_58BBDD
; 

loc_58BD17:				; CODE XREF: __woutput_s+848j
		or	[ebp+var_414], 0FFFFFFFFh
		jmp	short loc_58BD37
; 

loc_58BD20:				; CODE XREF: __woutput_s+800j
					; __woutput_s+808j
		lea	eax, [ebp+var_414]
		push	eax
		push	[ebp+var_424]
		push	edi
		push	esi
		call	sub_58BE52
		add	esp, 10h

loc_58BD37:				; CODE XREF: __woutput_s+881j
					; __woutput_s+8B8j
		cmp	[ebp+var_414], 0
		jl	short loc_58BD64 ; default
		test	bl, 4
		jz	short loc_58BD64 ; default
		lea	eax, [ebp+var_414]
		push	eax
		push	[ebp+var_424]
		push	[ebp+var_43C]
		push	20h
		pop	eax
		push	eax
		call	sub_58BE24
		add	esp, 10h

loc_58BD64:				; CODE XREF: __woutput_s+113j
					; __woutput_s+149j ...
		mov	ecx, [ebp+arg_4] ; default

loc_58BD67:				; CODE XREF: __woutput_s+16Bj
					; __woutput_s+17Aj ...
		movzx	edx, word ptr [ecx]
		test	dx, dx
		jnz	loc_58B516

loc_58BD73:				; CODE XREF: __woutput_s+C0j
		mov	eax, [ebp+var_42C]
		test	eax, eax
		jz	short loc_58BD82
		cmp	eax, 7
		jnz	short loc_58BD8A

loc_58BD82:				; CODE XREF: __woutput_s+9Ej
					; __woutput_s+915j
		mov	eax, [ebp+var_414]
		jmp	short loc_58BD9C
; 

loc_58BD8A:				; CODE XREF: __woutput_s+79j
					; __woutput_s+84j ...
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh

loc_58BD9C:				; CODE XREF: __woutput_s+922j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
__woutput_s	endp

; 
		db 8Dh
		db 49h,	0
off_58BDAE	dd offset loc_58B7A6	; DATA XREF: __woutput_s+119r
					; jump table for switch	statement
		dd offset loc_58B586	; case 0x1
		dd offset loc_58B5B4	; case 0x2
		dd offset loc_58B605	; case 0x3
		dd offset loc_58B65D	; case 0x4
		dd offset loc_58B66A	; case 0x5
		dd offset loc_58B6AF	; case 0x6
		dd offset loc_58B7CB	; case 0x7

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_58BDCE	proc near		; CODE XREF: __woutput_s+358p
					; __woutput_s+85Dp ...

arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	eax, [edx+0Ch]
		test	al, 40h
		jz	short loc_58BDE3
		cmp	dword ptr [edx+8], 0
		jz	short loc_58BE1C

loc_58BDE3:				; CODE XREF: sub_58BDCE+Dj
		add	dword ptr [edx+4], 0FFFFFFFEh
		push	esi
		mov	esi, 0FFFFh
		js	short loc_58BE00
		mov	eax, [edx]
		mov	cx, [ebp+arg_0]
		mov	[eax], cx
		add	dword ptr [edx], 2
		movzx	eax, cx
		jmp	short loc_58BE08
; 

loc_58BE00:				; CODE XREF: sub_58BDCE+1Fj
		or	eax, 20h
		mov	[edx+0Ch], eax
		mov	eax, esi

loc_58BE08:				; CODE XREF: sub_58BDCE+30j
		cmp	ax, si
		pop	esi
		jnz	short loc_58BE1C
		test	byte ptr [edx+0Ch], 20h
		jz	short loc_58BE1C
		mov	eax, [ebp+arg_8]
		or	dword ptr [eax], 0FFFFFFFFh
		pop	ebp
		retn
; 

loc_58BE1C:				; CODE XREF: sub_58BDCE+13j
					; sub_58BDCE+3Ej ...
		mov	eax, [ebp+arg_8]
		inc	dword ptr [eax]
		pop	ebp
		retn
sub_58BDCE	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_58BE24	proc near		; CODE XREF: __woutput_s+7A7p
					; __woutput_s+7F1p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jle	short loc_58BE4F
		push	edi
		mov	edi, [ebp+arg_C]

loc_58BE35:				; CODE XREF: sub_58BE24+28j
		push	edi
		push	[ebp+arg_8]
		dec	esi
		push	[ebp+arg_0]
		call	sub_58BDCE
		add	esp, 0Ch
		cmp	dword ptr [edi], 0FFFFFFFFh
		jz	short loc_58BE4E
		test	esi, esi
		jg	short loc_58BE35

loc_58BE4E:				; CODE XREF: sub_58BE24+24j
		pop	edi

loc_58BE4F:				; CODE XREF: sub_58BE24+Bj
		pop	esi
		pop	ebp
		retn
sub_58BE24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_58BE52	proc near		; CODE XREF: __woutput_s+7C9p
					; __woutput_s+8C9p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_8]
		test	byte ptr [esi+0Ch], 40h
		jz	short loc_58BE71
		cmp	dword ptr [esi+8], 0
		jnz	short loc_58BE71
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+arg_4]
		add	[ecx], eax
		jmp	short loc_58BEA0
; 

loc_58BE71:				; CODE XREF: sub_58BE52+Dj
					; sub_58BE52+13j
		push	edi
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jle	short loc_58BE9F
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_0]

loc_58BE80:				; CODE XREF: sub_58BE52+4Aj
		push	eax
		movzx	eax, word ptr [ebx]
		dec	edi
		push	esi
		push	eax
		call	sub_58BDCE
		mov	eax, [ebp+arg_C]
		lea	ebx, [ebx+2]
		add	esp, 0Ch
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_58BE9E
		test	edi, edi
		jg	short loc_58BE80

loc_58BE9E:				; CODE XREF: sub_58BE52+46j
		pop	ebx

loc_58BE9F:				; CODE XREF: sub_58BE52+25j
		pop	edi

loc_58BEA0:				; CODE XREF: sub_58BE52+1Dj
		pop	esi
		pop	ebp
		retn
sub_58BE52	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ReadString	proc near		; CODE XREF: ReadStringDelimited+EBp
					; __input_s+6BFp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		and	al, 8
		movzx	eax, al
		neg	eax
		push	esi
		mov	esi, [ebp+arg_10]
		sbb	eax, eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		push	edi
		mov	edi, [esi]
		dec	dword ptr [ecx]
		mov	eax, [eax]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_58BEE1
		push	[ebp+arg_18]
		push	eax
		call	__ungetc_nolock
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+arg_C]

loc_58BEE1:				; CODE XREF: ReadString+2Dj
		mov	eax, ebx
		and	eax, 10h
		mov	[ebp+var_4], eax
		jnz	short loc_58BEF4
		mov	edx, [ebp+arg_1C]
		dec	edx
		mov	[ebp+arg_0], edx
		jmp	short loc_58BEFA
; 

loc_58BEF4:				; CODE XREF: ReadString+45j
		mov	eax, [ebp+arg_1C]
		mov	[ebp+arg_0], eax

loc_58BEFA:				; CODE XREF: ReadString+4Ej
		mov	eax, ebx
		and	eax, 1
		mov	[ebp+arg_10], eax

loc_58BF02:				; CODE XREF: ReadString+10Ej
		test	eax, eax
		jz	short loc_58BF17
		mov	edx, [ebp+arg_14]
		mov	eax, edx
		dec	edx
		mov	[ebp+arg_14], edx
		test	eax, eax
		jz	loc_58BFE7

loc_58BF17:				; CODE XREF: ReadString+60j
		push	[ebp+arg_18]
		inc	dword ptr [ecx]
		call	_inc
		pop	ecx
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_58BFCD
		cmp	[ebp+var_4], 0
		jnz	short loc_58BF7A
		test	bl, 20h
		jz	short loc_58BF4A
		cmp	eax, 9
		jl	short loc_58BF45
		cmp	eax, 0Dh
		jle	short loc_58BF4A

loc_58BF45:				; CODE XREF: ReadString+9Aj
		cmp	eax, 20h
		jnz	short loc_58BF7A

loc_58BF4A:				; CODE XREF: ReadString+95j
					; ReadString+9Fj
		test	bl, 40h
		jz	short loc_58BFCD
		test	eax, eax
		js	short loc_58BFCD
		mov	ecx, eax
		sar	ecx, 3
		mov	[ebp+arg_1C], ecx
		cmp	eax, ecx
		jl	short loc_58BFCD
		and	eax, 7
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		mov	eax, [ebp+arg_1C]
		shl	edx, cl
		mov	ecx, [ebp+arg_4]
		movsx	eax, byte ptr [eax+ecx]
		xor	eax, [ebp+var_8]
		test	edx, eax
		jz	short loc_58BFCD

loc_58BF7A:				; CODE XREF: ReadString+90j
					; ReadString+A4j
		test	bl, 4
		jnz	short loc_58BFAB
		mov	edx, [ebp+arg_0]
		mov	eax, ebx
		and	eax, 2
		test	edx, edx
		jz	short loc_58BFB7
		mov	ecx, [esi]
		dec	edx
		mov	[ebp+arg_0], edx
		test	eax, eax
		jz	short loc_58BFA0
		lea	eax, [ebp+arg_1C]
		mov	[ecx], ax
		add	dword ptr [esi], 2
		jmp	short loc_58BFAC
; 

loc_58BFA0:				; CODE XREF: ReadString+EFj
		mov	eax, [ebp+arg_8]
		mov	al, [eax]
		mov	[ecx], al
		inc	dword ptr [esi]
		jmp	short loc_58BFAC
; 

loc_58BFAB:				; CODE XREF: ReadString+D9j
		inc	edi

loc_58BFAC:				; CODE XREF: ReadString+FAj
					; ReadString+105j
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+arg_10]
		jmp	loc_58BF02
; 

loc_58BFB7:				; CODE XREF: ReadString+E5j
		test	eax, eax
		jz	short loc_58BFC8
		xor	eax, eax
		mov	[edi], ax

loc_58BFC0:				; CODE XREF: ReadString+127j
					; ReadString+145j
		or	eax, 0FFFFFFFFh

loc_58BFC3:				; CODE XREF: ReadString+16Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_58BFC8:				; CODE XREF: ReadString+115j
		mov	byte ptr [edi],	0
		jmp	short loc_58BFC0
; 

loc_58BFCD:				; CODE XREF: ReadString+86j
					; ReadString+A9j ...
		mov	eax, [ebp+arg_C]
		dec	dword ptr [eax]
		mov	eax, [ebp+arg_8]
		mov	eax, [eax]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_58BFE7
		push	[ebp+arg_18]
		push	eax
		call	__ungetc_nolock
		pop	ecx
		pop	ecx

loc_58BFE7:				; CODE XREF: ReadString+6Dj
					; ReadString+136j
		cmp	edi, [esi]
		jz	short loc_58BFC0
		test	bl, 4
		jnz	short loc_58C00C
		mov	eax, [ebp+arg_20]
		inc	dword ptr [eax]
		cmp	[ebp+var_4], 0
		jnz	short loc_58C00C
		mov	eax, [esi]
		test	bl, 2
		jz	short loc_58C009
		xor	ecx, ecx
		mov	[eax], cx
		jmp	short loc_58C00C
; 

loc_58C009:				; CODE XREF: ReadString+15Cj
		mov	byte ptr [eax],	0

loc_58C00C:				; CODE XREF: ReadString+14Aj
					; ReadString+155j ...
		xor	eax, eax
		jmp	short loc_58BFC3
ReadString	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ReadStringDelimited proc near		; CODE XREF: __input_s+6AFp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_19		= byte ptr -19h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+arg_4]
		push	ebx
		mov	[ebp+var_34], eax
		xor	bl, bl
		mov	eax, [ebp+arg_10]
		push	esi
		mov	[ebp+var_30], eax
		mov	eax, [ebp+arg_18]
		push	edi
		mov	[ebp+var_2C], eax
		lea	edi, [ebp+var_24]
		xor	eax, eax
		mov	[ebp+var_28], edx
		inc	dword ptr [edx]
		mov	esi, [edx]
		push	8
		pop	ecx
		rep stosd
		mov	al, [esi]
		mov	edi, [ebp+arg_0]
		cmp	al, 5Eh
		jnz	short loc_58C05C
		inc	esi
		or	edi, 8
		mov	al, [esi]

loc_58C05C:				; CODE XREF: ReadStringDelimited+44j
		cmp	al, 5Dh
		jnz	short loc_58C06D
		inc	esi
		mov	[ebp+var_19], 20h
		mov	bl, al
		mov	al, [esi]
		cmp	al, bl
		jz	short loc_58C0D6

loc_58C06D:				; CODE XREF: ReadStringDelimited+4Ej
					; ReadStringDelimited+C1j
		cmp	al, 2Dh
		jnz	short loc_58C0AF
		test	bl, bl
		jz	short loc_58C0AF
		mov	cl, [esi+1]
		cmp	cl, 5Dh
		jz	short loc_58C0AF
		cmp	bl, cl
		jnb	short loc_58C085
		mov	bh, cl
		jmp	short loc_58C0A4
; 

loc_58C085:				; CODE XREF: ReadStringDelimited+6Fj
		mov	bh, bl
		mov	bl, cl
		jmp	short loc_58C0A4
; 

loc_58C08B:				; CODE XREF: ReadStringDelimited+96j
		movzx	edx, bl
		mov	ecx, edx
		and	edx, 7
		shr	ecx, 3
		movsx	eax, byte ptr [ebp+ecx+var_24]
		bts	eax, edx
		inc	bl
		mov	byte ptr [ebp+ecx+var_24], al

loc_58C0A4:				; CODE XREF: ReadStringDelimited+73j
					; ReadStringDelimited+79j
		cmp	bl, bh
		jbe	short loc_58C08B
		push	2
		xor	bl, bl
		pop	eax
		jmp	short loc_58C0CB
; 

loc_58C0AF:				; CODE XREF: ReadStringDelimited+5Fj
					; ReadStringDelimited+63j ...
		movzx	edx, al
		mov	bl, al
		mov	ecx, edx
		and	edx, 7
		shr	ecx, 3
		movsx	eax, byte ptr [ebp+ecx+var_24]
		bts	eax, edx
		mov	byte ptr [ebp+ecx+var_24], al
		xor	eax, eax
		inc	eax

loc_58C0CB:				; CODE XREF: ReadStringDelimited+9Dj
		add	esi, eax
		mov	al, [esi]
		cmp	al, 5Dh
		jnz	short loc_58C06D
		mov	edx, [ebp+var_28]

loc_58C0D6:				; CODE XREF: ReadStringDelimited+5Bj
		test	al, al
		jnz	short loc_58C0DF
		or	eax, 0FFFFFFFFh
		jmp	short loc_58C103
; 

loc_58C0DF:				; CODE XREF: ReadStringDelimited+C8j
		push	[ebp+arg_20]
		lea	eax, [ebp+var_24]
		mov	[edx], esi
		push	[ebp+arg_1C]
		push	[ebp+var_2C]
		push	[ebp+arg_14]
		push	[ebp+var_30]
		push	[ebp+arg_C]
		push	[ebp+var_34]
		push	eax
		push	edi
		call	ReadString
		add	esp, 24h

loc_58C103:				; CODE XREF: ReadStringDelimited+CDj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
ReadStringDelimited endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_hextodec	proc near		; CODE XREF: __input_s+507p
					; __input_s+5CFp

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	ecx, [ebp+arg_0]
		mov	eax, __pctype
		movsx	edx, [ebp+arg_0]
		test	byte ptr [eax+ecx*2], 4
		jnz	short loc_58C130
		and	edx, 0FFFFFFDFh
		sub	edx, 7

loc_58C130:				; CODE XREF: _hextodec+16j
		mov	eax, edx
		pop	ebp
		retn
_hextodec	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_inc		proc near		; CODE XREF: ReadString+78p
					; __input_s+26Ep ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		sub	dword ptr [ecx+4], 1
		js	short loc_58C14C
		mov	eax, [ecx]
		movzx	edx, byte ptr [eax]
		inc	eax
		mov	[ecx], eax
		jmp	short loc_58C155
; 

loc_58C14C:				; CODE XREF: _inc+Cj
		push	ecx
		call	__filbuf_s
		pop	ecx
		mov	edx, eax

loc_58C155:				; CODE XREF: _inc+16j
		mov	eax, edx
		pop	ebp
		retn
_inc		endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__input_s	proc near		; CODE XREF: __sinput_s+47p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_6		= byte ptr -6
var_5		= byte ptr -5
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_C], edx
		push	ebx
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		push	esi
		push	edi
		test	edx, edx
		jz	loc_58C8F1
		cmp	[ebp+arg_0], eax
		jz	loc_58C8F1
		mov	cl, [edx]
		mov	esi, eax
		mov	[ebp+var_3], al
		mov	edi, eax
		mov	[ebp+var_10], edi
		mov	[ebp+var_24], esi
		mov	[ebp+var_40], esi
		test	cl, cl
		jz	loc_58C901

loc_58C1A9:				; CODE XREF: __input_s+72Dj
		mov	esi, __pctype
		movzx	eax, cl
		test	byte ptr [esi+eax*2], 8
		jz	short loc_58C1F7
		push	[ebp+arg_0]
		lea	eax, [ebp+var_10]
		dec	edi
		push	eax
		mov	[ebp+var_10], edi
		call	_whiteout
		pop	ecx
		pop	ecx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_58C1DA
		push	[ebp+arg_0]
		push	eax
		call	__ungetc_nolock
		pop	ecx
		pop	ecx

loc_58C1DA:				; CODE XREF: __input_s+73j
		mov	edx, [ebp+var_C]

loc_58C1DD:				; CODE XREF: __input_s+90j
		mov	eax, __pctype
		inc	edx
		movzx	ecx, byte ptr [edx]
		test	byte ptr [eax+ecx*2], 8
		jnz	short loc_58C1DD
		mov	edi, [ebp+var_10]
		mov	[ebp+var_C], edx
		jmp	loc_58C883
; 

loc_58C1F7:				; CODE XREF: __input_s+5Cj
		mov	eax, [ebp+var_C]
		cmp	cl, 25h
		jnz	loc_58C853
		cmp	[eax+1], cl
		jz	loc_58C846
		xor	ecx, ecx
		mov	[ebp+var_4], 1
		mov	[ebp+var_28], ecx
		mov	ebx, ecx
		mov	[ebp+var_38], ecx
		mov	edi, ecx
		mov	[ebp+var_4C], ecx
		mov	dl, cl
		mov	[ebp+var_6], cl
		mov	dh, cl
		mov	[ebp+var_1], cl
		mov	[ebp+var_30], ecx

loc_58C22C:				; CODE XREF: __input_s+1E9j
		inc	eax
		mov	[ebp+var_C], eax
		mov	[ebp+arg_4], eax
		movzx	ecx, byte ptr [eax]
		test	byte ptr [esi+ecx*2], 4
		jz	short loc_58C24A
		imul	edi, 0Ah
		inc	ebx
		add	edi, 0FFFFFFD0h
		add	edi, ecx
		jmp	loc_58C33B
; 

loc_58C24A:				; CODE XREF: __input_s+E0j
		cmp	ecx, 68h
		ja	short loc_58C296
		jz	short loc_58C289
		mov	eax, ecx
		sub	eax, 2Ah
		jz	short loc_58C27C
		sub	eax, 1Ch
		jz	loc_58C33B
		sub	eax, 3
		jz	short loc_58C2B6
		sub	eax, 3
		jz	short loc_58C274
		dec	eax
		sub	eax, 1
		jmp	loc_58C337
; 

loc_58C274:				; CODE XREF: __input_s+10Fj
		inc	[ebp+var_4]
		jmp	loc_58C33B
; 

loc_58C27C:				; CODE XREF: __input_s+FCj
		mov	cl, [ebp+var_1]
		inc	cl
		mov	[ebp+var_1], cl
		jmp	loc_58C33E
; 

loc_58C289:				; CODE XREF: __input_s+F5j
		dec	[ebp+var_4]
		dec	dh

loc_58C28E:				; CODE XREF: __input_s+185j
					; __input_s+1ADj
		mov	cl, [ebp+var_1]
		jmp	loc_58C341
; 

loc_58C296:				; CODE XREF: __input_s+F3j
		mov	eax, ecx
		sub	eax, 6Ah
		jz	short loc_58C2B6
		dec	eax
		sub	eax, 1
		jz	short loc_58C2E1
		sub	eax, 8
		jz	short loc_58C2B6
		sub	eax, 3
		jz	short loc_58C2ED
		sub	eax, 3
		jnz	loc_58C339

loc_58C2B6:				; CODE XREF: __input_s+10Aj
					; __input_s+141j ...
		cmp	ecx, 49h
		jnz	short loc_58C309
		mov	eax, [ebp+var_C]
		mov	cl, [eax+1]
		cmp	cl, 36h
		jnz	short loc_58C2F4
		add	eax, 2
		cmp	byte ptr [eax],	34h
		jnz	short loc_58C2F1

loc_58C2CE:				; CODE XREF: __input_s+18Ej
		inc	[ebp+var_30]
		and	[ebp+var_20], 0
		and	[ebp+var_14], 0
		mov	[ebp+var_C], eax
		mov	[ebp+arg_4], eax
		jmp	short loc_58C28E
; 

loc_58C2E1:				; CODE XREF: __input_s+147j
		mov	eax, [ebp+var_C]
		inc	eax
		cmp	byte ptr [eax],	6Ch
		jz	short loc_58C2CE
		inc	[ebp+var_4]

loc_58C2ED:				; CODE XREF: __input_s+151j
		inc	dh
		jmp	short loc_58C33B
; 

loc_58C2F1:				; CODE XREF: __input_s+172j
		mov	eax, [ebp+var_C]

loc_58C2F4:				; CODE XREF: __input_s+16Aj
		cmp	cl, 33h
		jnz	short loc_58C31B
		add	eax, 2
		cmp	byte ptr [eax],	32h
		jnz	short loc_58C31B
		mov	[ebp+var_C], eax
		mov	[ebp+arg_4], eax
		jmp	short loc_58C28E
; 

loc_58C309:				; CODE XREF: __input_s+15Fj
		cmp	ecx, 6Ah
		jnz	short loc_58C31B
		inc	[ebp+var_30]
		and	[ebp+var_20], 0
		and	[ebp+var_14], 0
		jmp	short loc_58C33B
; 

loc_58C31B:				; CODE XREF: __input_s+19Dj
					; __input_s+1A5j ...
		mov	eax, [ebp+var_C]
		mov	al, [eax+1]
		cmp	al, 64h
		jz	short loc_58C33B
		cmp	al, 69h
		jz	short loc_58C33B
		cmp	al, 6Fh
		jz	short loc_58C33B
		cmp	al, 75h
		jz	short loc_58C33B
		cmp	al, 78h
		jz	short loc_58C33B
		cmp	al, 58h

loc_58C337:				; CODE XREF: __input_s+115j
		jz	short loc_58C33B

loc_58C339:				; CODE XREF: __input_s+156j
		inc	dl

loc_58C33B:				; CODE XREF: __input_s+EBj
					; __input_s+101j ...
		mov	cl, [ebp+var_1]

loc_58C33E:				; CODE XREF: __input_s+12Aj
		mov	eax, [ebp+var_C]

loc_58C341:				; CODE XREF: __input_s+137j
		test	dl, dl
		jz	loc_58C22C
		mov	[ebp+var_2C], ebx
		mov	ebx, [ebp+var_1C]
		mov	[ebp+var_18], edi
		mov	edi, [ebp+var_10]
		mov	[ebp+var_5], dh
		test	cl, cl
		jnz	short loc_58C36D
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_44], eax
		add	eax, 4
		mov	[ebp+arg_8], eax
		mov	eax, [eax-4]
		jmp	short loc_58C36F
; 

loc_58C36D:				; CODE XREF: __input_s+200j
		xor	eax, eax

loc_58C36F:				; CODE XREF: __input_s+211j
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_48], eax
		xor	al, al
		mov	[ebp+var_2], al
		test	dh, dh
		jnz	short loc_58C397
		mov	al, [ecx]
		cmp	al, 53h
		jz	short loc_58C393
		cmp	al, 43h
		jz	short loc_58C393
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_5], dl
		jmp	short loc_58C39A
; 

loc_58C393:				; CODE XREF: __input_s+22Bj
					; __input_s+22Fj
		mov	[ebp+var_5], 1

loc_58C397:				; CODE XREF: __input_s+225j
		or	edx, 0FFFFFFFFh

loc_58C39A:				; CODE XREF: __input_s+237j
		movzx	esi, byte ptr [ecx]
		or	esi, 20h
		cmp	esi, 6Eh
		jz	short loc_58C3E1
		cmp	esi, 63h
		jz	short loc_58C3C1
		cmp	esi, 7Bh
		jz	short loc_58C3C1
		push	[ebp+arg_0]
		lea	eax, [ebp+var_10]
		push	eax
		call	_whiteout
		mov	edi, [ebp+var_10]
		pop	ecx
		jmp	short loc_58C3CD
; 

loc_58C3C1:				; CODE XREF: __input_s+24Ej
					; __input_s+253j
		push	[ebp+arg_0]
		inc	edi
		mov	[ebp+var_10], edi
		call	_inc

loc_58C3CD:				; CODE XREF: __input_s+265j
		mov	ebx, eax
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_1C], ebx
		pop	ecx
		cmp	ebx, edx
		jz	loc_58C8DF
		mov	ecx, [ebp+var_C]

loc_58C3E1:				; CODE XREF: __input_s+249j
		cmp	[ebp+var_2C], 0
		jz	short loc_58C3F1
		cmp	[ebp+var_18], 0
		jz	loc_58C8B7

loc_58C3F1:				; CODE XREF: __input_s+28Bj
		cmp	[ebp+var_1], 0
		jnz	short loc_58C43F
		cmp	esi, 63h
		jz	short loc_58C406
		cmp	esi, 73h
		jz	short loc_58C406
		cmp	esi, 7Bh
		jnz	short loc_58C43F

loc_58C406:				; CODE XREF: __input_s+2A0j
					; __input_s+2A5j
		mov	edx, [ebp+var_44]
		add	edx, 4
		mov	[ebp+var_44], edx
		mov	eax, [edx-4]
		add	edx, 4
		mov	[ebp+arg_8], edx
		mov	[ebp+var_3C], eax
		mov	[ebp+var_48], eax
		mov	edx, [edx-4]
		cmp	edx, 1
		jnb	short loc_58C442
		cmp	[ebp+var_5], 0
		mov	esi, [ebp+var_24]
		jle	loc_58C88F
		xor	ecx, ecx
		mov	[eax], cx
		mov	eax, ecx
		jmp	loc_58C8CC
; 

loc_58C43F:				; CODE XREF: __input_s+29Bj
					; __input_s+2AAj
		mov	edx, [ebp+var_4C]

loc_58C442:				; CODE XREF: __input_s+2CAj
		cmp	esi, 70h
		ja	short loc_58C4B0
		jz	short loc_58C4AA
		mov	eax, esi
		sub	eax, 63h
		jz	short loc_58C495
		sub	eax, 1
		jz	short loc_58C464
		sub	eax, 5
		jz	short loc_58C487
		sub	eax, 5
		jz	short loc_58C476
		sub	eax, 1
		jnz	short loc_58C4CB

loc_58C464:				; CODE XREF: __input_s+2F9j
					; __input_s+354j ...
		cmp	ebx, 2Dh
		jnz	loc_58C5AB
		mov	[ebp+var_6], 1
		jmp	loc_58C5B0
; 

loc_58C476:				; CODE XREF: __input_s+303j
		cmp	[ebp+var_1], 0
		mov	ecx, edi
		jz	loc_58C7A5
		jmp	loc_58C835
; 

loc_58C487:				; CODE XREF: __input_s+2FEj
		push	64h
		pop	esi

loc_58C48A:				; CODE XREF: __input_s+36Aj
		cmp	ebx, 2Dh
		jnz	short loc_58C4F7
		mov	[ebp+var_6], 1
		jmp	short loc_58C4FC
; 

loc_58C495:				; CODE XREF: __input_s+2F4j
		cmp	[ebp+var_2C], 0
		push	10h
		pop	eax
		jnz	loc_58C7D3
		inc	[ebp+var_18]
		jmp	loc_58C7D3
; 

loc_58C4AA:				; CODE XREF: __input_s+2EDj
		mov	[ebp+var_4], 1
		jmp	short loc_58C464
; 

loc_58C4B0:				; CODE XREF: __input_s+2EBj
		mov	eax, esi
		sub	eax, 73h
		jz	loc_58C7CA
		dec	eax
		sub	eax, 1
		jz	short loc_58C464
		sub	eax, 3
		jz	short loc_58C48A
		sub	eax, 3
		jz	short loc_58C4F0

loc_58C4CB:				; CODE XREF: __input_s+308j
		movzx	eax, byte ptr [ecx]
		cmp	eax, ebx
		jnz	loc_58C894
		mov	al, [ebp+var_3]
		dec	al
		cmp	[ebp+var_1], 0
		jnz	loc_58C838
		mov	ecx, [ebp+var_44]
		mov	[ebp+arg_8], ecx
		jmp	loc_58C838
; 

loc_58C4F0:				; CODE XREF: __input_s+36Fj
		push	40h
		jmp	loc_58C7CC
; 

loc_58C4F7:				; CODE XREF: __input_s+333j
		cmp	ebx, 2Bh
		jnz	short loc_58C520

loc_58C4FC:				; CODE XREF: __input_s+339j
		sub	[ebp+var_18], 1
		jnz	short loc_58C50E
		cmp	[ebp+var_2C], 0
		jz	short loc_58C50E
		mov	[ebp+var_2], 1
		jmp	short loc_58C520
; 

loc_58C50E:				; CODE XREF: __input_s+3A6j
					; __input_s+3ACj
		push	[ebp+arg_0]
		inc	edi
		mov	[ebp+var_10], edi
		call	_inc
		mov	ebx, eax
		pop	ecx
		mov	[ebp+var_1C], ebx

loc_58C520:				; CODE XREF: __input_s+3A0j
					; __input_s+3B2j
		cmp	ebx, 30h
		jnz	loc_58C5D2
		push	[ebp+arg_0]
		inc	edi
		mov	[ebp+var_10], edi
		call	_inc
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		pop	ecx
		cmp	bl, 78h
		jz	short loc_58C57E
		cmp	bl, 58h
		jz	short loc_58C57E
		mov	[ebp+var_38], 1
		cmp	esi, 78h
		jz	short loc_58C565
		cmp	[ebp+var_2C], 0
		jz	short loc_58C560
		sub	[ebp+var_18], 1
		jnz	short loc_58C560
		inc	[ebp+var_2]

loc_58C560:				; CODE XREF: __input_s+3FBj
					; __input_s+401j
		push	6Fh

loc_58C562:				; CODE XREF: __input_s+44Fj
		pop	esi
		jmp	short loc_58C5D2
; 

loc_58C565:				; CODE XREF: __input_s+3F5j
		dec	edi
		mov	[ebp+var_10], edi
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_58C579
		push	[ebp+arg_0]
		push	ebx
		call	__ungetc_nolock
		pop	ecx
		pop	ecx

loc_58C579:				; CODE XREF: __input_s+412j
		push	30h
		pop	ebx
		jmp	short loc_58C5CF
; 

loc_58C57E:				; CODE XREF: __input_s+3E4j
					; __input_s+3E9j
		push	[ebp+arg_0]
		inc	edi
		mov	[ebp+var_10], edi
		call	_inc
		cmp	[ebp+var_2C], 0
		mov	ebx, eax
		pop	ecx
		mov	[ebp+var_1C], ebx
		jz	short loc_58C5A7
		mov	eax, [ebp+var_18]
		sub	eax, 2
		mov	[ebp+var_18], eax
		cmp	eax, 1
		jge	short loc_58C5A7
		inc	[ebp+var_2]

loc_58C5A7:				; CODE XREF: __input_s+43Aj
					; __input_s+448j
		push	78h
		jmp	short loc_58C562
; 

loc_58C5AB:				; CODE XREF: __input_s+30Dj
		cmp	ebx, 2Bh
		jnz	short loc_58C5D2

loc_58C5B0:				; CODE XREF: __input_s+317j
		sub	[ebp+var_18], 1
		jnz	short loc_58C5C0
		cmp	[ebp+var_2C], 0
		jz	short loc_58C5C0
		mov	al, 1
		jmp	short loc_58C5D5
; 

loc_58C5C0:				; CODE XREF: __input_s+45Aj
					; __input_s+460j
		push	[ebp+arg_0]
		inc	edi
		mov	[ebp+var_10], edi
		call	_inc
		pop	ecx
		mov	ebx, eax

loc_58C5CF:				; CODE XREF: __input_s+422j
		mov	[ebp+var_1C], ebx

loc_58C5D2:				; CODE XREF: __input_s+3C9j
					; __input_s+409j ...
		mov	al, [ebp+var_2]

loc_58C5D5:				; CODE XREF: __input_s+464j
		cmp	[ebp+var_30], 0
		jz	loc_58C6DC
		test	al, al
		jnz	loc_58C6BA

loc_58C5E7:				; CODE XREF: __input_s+547j
		cmp	esi, 78h
		jz	short loc_58C63E
		cmp	esi, 70h
		jz	short loc_58C63E
		mov	ecx, __pctype
		movzx	eax, bl
		test	byte ptr [ecx+eax*2], 4
		jz	loc_58C6A6
		cmp	esi, 6Fh
		jnz	short loc_58C624
		cmp	ebx, 38h
		jge	loc_58C6A6
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_20]
		shld	eax, ecx, 3
		mov	[ebp+var_14], eax
		shl	ecx, 3
		jmp	short loc_58C66F
; 

loc_58C624:				; CODE XREF: __input_s+4ADj
		mov	eax, [ebp+var_14]
		push	0Ah
		pop	edx
		mul	edx
		push	0Ah
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_20]
		pop	ecx
		mul	ecx
		add	[ebp+var_14], edx
		mov	ecx, eax
		jmp	short loc_58C66F
; 

loc_58C63E:				; CODE XREF: __input_s+490j
					; __input_s+495j
		mov	ecx, __pctype
		movzx	eax, bl
		test	byte ptr [ecx+eax*2], 80h
		jz	short loc_58C6A6
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_14]
		shld	ecx, eax, 4
		push	ebx
		shl	eax, 4
		mov	[ebp+var_14], ecx
		mov	[ebp+var_20], eax
		call	_hextodec
		pop	ecx
		mov	ecx, [ebp+var_20]
		mov	ebx, eax
		mov	[ebp+var_1C], ebx

loc_58C66F:				; CODE XREF: __input_s+4C8j
					; __input_s+4E2j
		inc	[ebp+var_38]
		lea	eax, [ebx-30h]
		cdq
		add	ecx, eax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_20], ecx
		adc	eax, edx
		cmp	[ebp+var_2C], 0
		mov	[ebp+var_14], eax
		jz	short loc_58C68F
		sub	[ebp+var_18], 1
		jz	short loc_58C6C0

loc_58C68F:				; CODE XREF: __input_s+52Dj
		push	[ebp+arg_0]
		inc	edi
		mov	[ebp+var_10], edi
		call	_inc
		mov	ebx, eax
		pop	ecx
		mov	[ebp+var_1C], ebx
		jmp	loc_58C5E7
; 

loc_58C6A6:				; CODE XREF: __input_s+4A4j
					; __input_s+4B2j ...
		dec	edi
		mov	[ebp+var_10], edi
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_58C6BA
		push	[ebp+arg_0]
		push	ebx
		call	__ungetc_nolock
		pop	ecx
		pop	ecx

loc_58C6BA:				; CODE XREF: __input_s+487j
					; __input_s+553j
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+var_14]

loc_58C6C0:				; CODE XREF: __input_s+533j
		cmp	[ebp+var_6], 0
		jz	loc_58C784
		neg	ecx
		mov	[ebp+var_20], ecx
		adc	eax, 0
		neg	eax
		mov	[ebp+var_14], eax
		jmp	loc_58C784
; 

loc_58C6DC:				; CODE XREF: __input_s+47Fj
		test	al, al
		jnz	loc_58C776

loc_58C6E4:				; CODE XREF: __input_s+606j
		cmp	esi, 78h
		jz	short loc_58C715
		cmp	esi, 70h
		jz	short loc_58C715
		mov	ecx, __pctype
		movzx	eax, bl
		test	byte ptr [ecx+eax*2], 4
		jz	short loc_58C762
		cmp	esi, 6Fh
		jnz	short loc_58C70F
		cmp	ebx, 38h
		jge	short loc_58C762
		mov	eax, [ebp+var_28]
		shl	eax, 3
		jmp	short loc_58C737
; 

loc_58C70F:				; CODE XREF: __input_s+5A6j
		imul	eax, [ebp+var_28], arg_0+2
		jmp	short loc_58C737
; 

loc_58C715:				; CODE XREF: __input_s+58Dj
					; __input_s+592j
		mov	ecx, __pctype
		movzx	eax, bl
		test	byte ptr [ecx+eax*2], 80h
		jz	short loc_58C762
		shl	[ebp+var_28], 4
		push	ebx
		call	_hextodec
		mov	ebx, eax
		mov	eax, [ebp+var_28]
		pop	ecx
		mov	[ebp+var_1C], ebx

loc_58C737:				; CODE XREF: __input_s+5B3j
					; __input_s+5B9j
		inc	[ebp+var_38]
		add	eax, 0FFFFFFD0h
		add	eax, ebx
		cmp	[ebp+var_2C], 0
		mov	[ebp+var_28], eax
		jz	short loc_58C74E
		sub	[ebp+var_18], 1
		jz	short loc_58C779

loc_58C74E:				; CODE XREF: __input_s+5ECj
		push	[ebp+arg_0]
		inc	edi
		mov	[ebp+var_10], edi
		call	_inc
		mov	ebx, eax
		pop	ecx
		mov	[ebp+var_1C], ebx
		jmp	short loc_58C6E4
; 

loc_58C762:				; CODE XREF: __input_s+5A1j
					; __input_s+5ABj ...
		dec	edi
		mov	[ebp+var_10], edi
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_58C776
		push	[ebp+arg_0]
		push	ebx
		call	__ungetc_nolock
		pop	ecx
		pop	ecx

loc_58C776:				; CODE XREF: __input_s+584j
					; __input_s+60Fj
		mov	eax, [ebp+var_28]

loc_58C779:				; CODE XREF: __input_s+5F2j
		cmp	[ebp+var_6], 0
		jz	short loc_58C784
		neg	eax
		mov	[ebp+var_28], eax

loc_58C784:				; CODE XREF: __input_s+56Aj
					; __input_s+57Dj ...
		cmp	[ebp+var_38], 0
		jz	loc_58C8C6
		cmp	[ebp+var_1], 0
		jnz	loc_58C835
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+var_28]
		inc	eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_40], eax

loc_58C7A5:				; CODE XREF: __input_s+322j
		cmp	[ebp+var_30], 0
		mov	eax, [ebp+var_3C]
		jz	short loc_58C7BB
		mov	ecx, [ebp+var_20]
		mov	[eax], ecx
		mov	ecx, [ebp+var_14]
		mov	[eax+4], ecx
		jmp	short loc_58C835
; 

loc_58C7BB:				; CODE XREF: __input_s+652j
		cmp	[ebp+var_4], 0
		jz	short loc_58C7C5
		mov	[eax], ecx
		jmp	short loc_58C835
; 

loc_58C7C5:				; CODE XREF: __input_s+665j
		mov	[eax], cx
		jmp	short loc_58C835
; 

loc_58C7CA:				; CODE XREF: __input_s+35Bj
		push	20h

loc_58C7CC:				; CODE XREF: __input_s+398j
		pop	eax
		cmp	[ebp+var_2C], 0
		jz	short loc_58C7D6

loc_58C7D3:				; CODE XREF: __input_s+342j
					; __input_s+34Bj
		or	eax, 1

loc_58C7D6:				; CODE XREF: __input_s+677j
		cmp	[ebp+var_5], 0
		jle	short loc_58C7DF
		or	eax, 2

loc_58C7DF:				; CODE XREF: __input_s+680j
		cmp	[ebp+var_1], 0
		jz	short loc_58C7E8
		or	eax, 4

loc_58C7E8:				; CODE XREF: __input_s+689j
		lea	ecx, [ebp+var_40]
		push	ecx
		lea	ecx, [ebp+var_48]
		push	edx
		push	[ebp+arg_0]
		push	[ebp+var_18]
		push	ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		lea	ecx, [ebp+var_1C]
		push	ecx
		cmp	esi, 7Bh
		jnz	short loc_58C816
		lea	ecx, [ebp+arg_4]
		push	ecx
		push	eax
		call	ReadStringDelimited
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_C], ecx
		jmp	short loc_58C81E
; 

loc_58C816:				; CODE XREF: __input_s+6A8j
		push	0
		push	eax
		call	ReadString

loc_58C81E:				; CODE XREF: __input_s+6BAj
		mov	ebx, [ebp+var_1C]
		add	esp, 24h
		test	eax, eax
		jnz	loc_58C8AC
		mov	eax, [ebp+var_40]
		mov	edi, [ebp+var_10]
		mov	[ebp+var_24], eax

loc_58C835:				; CODE XREF: __input_s+328j
					; __input_s+638j ...
		mov	al, [ebp+var_3]

loc_58C838:				; CODE XREF: __input_s+385j
					; __input_s+391j
		mov	edx, [ebp+var_C]
		inc	al
		inc	edx
		mov	[ebp+var_3], al
		mov	[ebp+var_C], edx
		jmp	short loc_58C873
; 

loc_58C846:				; CODE XREF: __input_s+ACj
		cmp	cl, 25h
		jnz	short loc_58C853
		inc	eax
		cmp	[eax], cl
		jnz	short loc_58C853
		mov	[ebp+var_C], eax

loc_58C853:				; CODE XREF: __input_s+A3j
					; __input_s+6EFj ...
		push	[ebp+arg_0]
		inc	edi
		mov	[ebp+var_10], edi
		call	_inc
		mov	edx, [ebp+var_C]
		mov	ebx, eax
		pop	ecx
		mov	[ebp+var_1C], ebx
		movzx	eax, byte ptr [edx]
		inc	edx
		mov	[ebp+var_C], edx
		cmp	eax, ebx
		jnz	short loc_58C8B4

loc_58C873:				; CODE XREF: __input_s+6EAj
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_58C883
		cmp	byte ptr [edx],	25h
		jnz	short loc_58C8DC
		cmp	byte ptr [edx+1], 6Eh
		jnz	short loc_58C8DC

loc_58C883:				; CODE XREF: __input_s+98j
					; __input_s+71Cj
		mov	cl, [edx]
		test	cl, cl
		jnz	loc_58C1A9
		jmp	short loc_58C8C6
; 

loc_58C88F:				; CODE XREF: __input_s+2D3j
		mov	byte ptr [eax],	0
		jmp	short loc_58C8C9
; 

loc_58C894:				; CODE XREF: __input_s+376j
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_58C8A4
		push	[ebp+arg_0]
		push	ebx
		call	__ungetc_nolock
		pop	ecx
		pop	ecx

loc_58C8A4:				; CODE XREF: __input_s+73Dj
		mov	esi, [ebp+var_24]
		xor	eax, eax
		inc	eax
		jmp	short loc_58C8CC
; 

loc_58C8AC:				; CODE XREF: __input_s+6CCj
		mov	esi, [ebp+var_40]
		mov	[ebp+var_24], esi
		jmp	short loc_58C8C9
; 

loc_58C8B4:				; CODE XREF: __input_s+717j
		or	edx, 0FFFFFFFFh

loc_58C8B7:				; CODE XREF: __input_s+291j
		cmp	ebx, edx
		jz	short loc_58C8DF
		push	[ebp+arg_0]
		push	ebx
		call	__ungetc_nolock
		pop	ecx
		pop	ecx

loc_58C8C6:				; CODE XREF: __input_s+62Ej
					; __input_s+733j
		mov	esi, [ebp+var_24]

loc_58C8C9:				; CODE XREF: __input_s+738j
					; __input_s+758j
		mov	eax, [ebp+var_34]

loc_58C8CC:				; CODE XREF: __input_s+2E0j
					; __input_s+750j
		or	edx, 0FFFFFFFFh
		cmp	ebx, edx
		jz	short loc_58C8DF
		cmp	eax, 1
		jnz	short loc_58C901
		xor	eax, eax
		jmp	short loc_58C8F4
; 

loc_58C8DC:				; CODE XREF: __input_s+721j
					; __input_s+727j
		or	edx, 0FFFFFFFFh

loc_58C8DF:				; CODE XREF: __input_s+27Ej
					; __input_s+75Fj ...
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_58C8EB
		cmp	[ebp+var_3], al
		jz	short loc_58C8ED

loc_58C8EB:				; CODE XREF: __input_s+78Aj
		mov	edx, eax

loc_58C8ED:				; CODE XREF: __input_s+78Fj
		mov	eax, edx
		jmp	short loc_58C903
; 

loc_58C8F1:				; CODE XREF: __input_s+26j
					; __input_s+2Fj
		or	esi, 0FFFFFFFFh

loc_58C8F4:				; CODE XREF: __input_s+780j
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h

loc_58C901:				; CODE XREF: __input_s+49j
					; __input_s+77Cj
		mov	eax, esi

loc_58C903:				; CODE XREF: __input_s+795j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
__input_s	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__sinput_s	proc near		; CODE XREF: __snscanf_s+2Cp
					; _sscanf_s+39p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		test	eax, eax
		jz	short loc_58C959
		cmp	[ebp+arg_8], edx
		jz	short loc_58C959
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 7FFFFFFFh
		ja	short loc_58C959
		push	[ebp+arg_C]
		mov	[ebp+var_18], eax
		push	[ebp+arg_8]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_20]
		push	eax
		mov	[ebp+var_14], 49h
		mov	[ebp+var_1C], ecx
		call	__input_s
		add	esp, 0Ch
		leave
		retn
; 

loc_58C959:				; CODE XREF: __sinput_s+1Bj
					; __sinput_s+20j ...
		push	edx
		push	edx
		push	edx
		push	edx
		push	edx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh
		leave
		retn
__sinput_s	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_whiteout	proc near		; CODE XREF: __input_s+69p
					; __input_s+25Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]

loc_58C975:				; CODE XREF: _whiteout+26j
		push	[ebp+arg_4]
		inc	dword ptr [esi]
		call	_inc
		pop	ecx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_58C994
		mov	ecx, __pctype
		movzx	edx, al
		test	byte ptr [ecx+edx*2], 8
		jnz	short loc_58C975

loc_58C994:				; CODE XREF: _whiteout+17j
		pop	esi
		pop	ebp
		retn
_whiteout	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_58C998	proc near		; CODE XREF: sub_58CB5C+1A6p
					; __winput_s+711p

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		push	[ebp+arg_18]
		mov	eax, [esi]
		mov	[ebp+arg_10], eax
		mov	eax, ebx
		and	al, 8
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		dec	dword ptr [eax]
		mov	eax, [ebp+arg_8]
		movzx	eax, word ptr [eax]
		push	eax
		call	_un_inc
		mov	edi, [ebp+arg_1C]
		pop	ecx
		pop	ecx
		mov	ecx, ebx
		and	ecx, 10h
		mov	[ebp+arg_0], ecx
		jnz	short loc_58C9E0
		dec	edi

loc_58C9E0:				; CODE XREF: sub_58C998+45j
		mov	edx, ebx
		and	edx, 1
		mov	[ebp+arg_1C], edx

loc_58C9E8:				; CODE XREF: sub_58C998+14Fj
					; sub_58C998+159j ...
		test	edx, edx
		jz	short loc_58C9FD
		mov	edx, [ebp+arg_14]
		mov	eax, edx
		dec	edx
		mov	[ebp+arg_14], edx
		test	eax, eax
		jz	loc_58CB34

loc_58C9FD:				; CODE XREF: sub_58C998+52j
		mov	eax, [ebp+arg_C]
		push	[ebp+arg_18]
		inc	dword ptr [eax]
		call	__fgetwc_nolock
		pop	ecx
		mov	ecx, [ebp+arg_8]
		movzx	edx, ax
		mov	[ebp+var_8], edx
		mov	[ecx], ax
		mov	ecx, 0FFFFh
		cmp	cx, ax
		jz	loc_58CB1B
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_58CA7F
		test	bl, 20h
		jz	short loc_58CA41
		cmp	ax, 9
		jb	short loc_58CA3C
		cmp	edx, 0Dh
		jbe	short loc_58CA41

loc_58CA3C:				; CODE XREF: sub_58C998+9Dj
		cmp	edx, 20h
		jnz	short loc_58CA7F

loc_58CA41:				; CODE XREF: sub_58C998+97j
					; sub_58C998+A2j
		test	bl, 40h
		jz	loc_58CB1B
		mov	ax, dx
		shr	ax, 3
		movzx	eax, ax
		cmp	dx, ax
		jb	loc_58CB1B
		mov	ecx, edx
		xor	edx, edx
		and	ecx, 7
		inc	edx
		shl	edx, cl
		mov	ecx, [ebp+arg_4]
		movsx	eax, byte ptr [eax+ecx]
		xor	eax, [ebp+var_4]
		test	edx, eax
		jz	loc_58CB1B
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+arg_0]

loc_58CA7F:				; CODE XREF: sub_58C998+92j
					; sub_58C998+A7j
		test	bl, 4
		jnz	short loc_58CAF6
		mov	ecx, ebx
		and	ecx, 2
		test	edi, edi
		jz	short loc_58CB02
		test	ecx, ecx
		jz	short loc_58CA9F
		mov	eax, [esi]
		mov	ecx, [ebp+arg_0]
		mov	[eax], dx
		add	dword ptr [esi], 2
		dec	edi
		jmp	short loc_58CAFA
; 

loc_58CA9F:				; CODE XREF: sub_58C998+F7j
		mov	eax, [ebp+arg_8]
		mov	al, [eax]
		cmp	edi, ___mb_cur_max
		jb	short loc_58CAB7
		mov	ecx, [esi]
		mov	[ecx], al
		mov	eax, [esi]
		movsx	eax, byte ptr [eax]
		jmp	short loc_58CADF
; 

loc_58CAB7:				; CODE XREF: sub_58C998+112j
		mov	byte ptr [ebp+var_10], al
		movsx	eax, al
		mov	[ebp+var_8], eax
		test	eax, eax
		jle	short loc_58CAC8
		cmp	eax, edi
		ja	short loc_58CB02

loc_58CAC8:				; CODE XREF: sub_58C998+12Aj
		cmp	eax, 5
		ja	short loc_58CB02
		push	eax		; size_t
		lea	eax, [ebp+var_10]
		push	eax		; void *
		push	dword ptr [esi]	; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch

loc_58CADF:				; CODE XREF: sub_58C998+11Dj
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_1C]
		test	eax, eax
		jle	loc_58C9E8
		add	[esi], eax
		sub	edi, eax
		jmp	loc_58C9E8
; 

loc_58CAF6:				; CODE XREF: sub_58C998+EAj
		add	[ebp+arg_10], 2

loc_58CAFA:				; CODE XREF: sub_58C998+105j
		mov	edx, [ebp+arg_1C]
		jmp	loc_58C9E8
; 

loc_58CB02:				; CODE XREF: sub_58C998+F3j
					; sub_58C998+12Ej ...
		mov	eax, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_58CB16
		xor	ecx, ecx
		mov	[eax], cx

loc_58CB0E:				; CODE XREF: sub_58C998+181j
					; sub_58C998+1A1j
		or	eax, 0FFFFFFFFh

loc_58CB11:				; CODE XREF: sub_58C998+1C2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_58CB16:				; CODE XREF: sub_58C998+16Fj
		mov	byte ptr [eax],	0
		jmp	short loc_58CB0E
; 

loc_58CB1B:				; CODE XREF: sub_58C998+87j
					; sub_58C998+ACj ...
		mov	eax, [ebp+arg_C]
		push	[ebp+arg_18]
		dec	dword ptr [eax]
		mov	eax, [ebp+arg_8]
		movzx	eax, word ptr [eax]
		push	eax
		call	_un_inc
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+arg_0]

loc_58CB34:				; CODE XREF: sub_58C998+5Fj
		mov	eax, [ebp+arg_10]
		cmp	eax, [esi]
		jz	short loc_58CB0E
		test	bl, 4
		jnz	short loc_58CB58
		mov	eax, [ebp+arg_20]
		inc	dword ptr [eax]
		test	ecx, ecx
		jnz	short loc_58CB58
		mov	eax, [esi]
		test	bl, 2
		jz	short loc_58CB55
		mov	[eax], cx
		jmp	short loc_58CB58
; 

loc_58CB55:				; CODE XREF: sub_58C998+1B6j
		mov	byte ptr [eax],	0

loc_58CB58:				; CODE XREF: sub_58C998+1A6j
					; sub_58C998+1AFj ...
		xor	eax, eax
		jmp	short loc_58CB11
sub_58C998	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_58CB5C	proc near		; CODE XREF: __winput_s+705p

var_2020	= dword	ptr -2020h
var_201C	= dword	ptr -201Ch
var_2018	= dword	ptr -2018h
var_2014	= dword	ptr -2014h
var_2010	= dword	ptr -2010h
var_200C	= dword	ptr -200Ch
var_2008	= dword	ptr -2008h
var_2004	= dword	ptr -2004h
var_1FF9	= byte ptr -1FF9h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, 2020h
		call	__chkstk
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	[ebp+var_2020],	eax
		mov	eax, [ebp+arg_10]
		push	edi
		mov	[ebp+var_201C],	eax
		xor	edi, edi
		mov	eax, [ebp+arg_18]
		push	2000h		; size_t
		mov	[ebp+var_2018],	eax
		lea	eax, [ebp+var_2004]
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_2014],	ebx
		call	_memset
		add	dword ptr [ebx], 2
		add	esp, 0Ch
		mov	esi, [ebx]
		mov	[ebp+var_2008],	esi
		push	5Eh
		movzx	eax, word ptr [esi]
		pop	edx
		mov	ecx, eax
		cmp	dx, ax
		jnz	short loc_58CBE5
		mov	edx, [ebp+arg_0]
		add	esi, 2
		or	edx, 8
		mov	[ebp+var_2008],	esi
		mov	[ebp+var_200C],	edx
		movzx	ecx, word ptr [esi]
		jmp	short loc_58CBEE
; 

loc_58CBE5:				; CODE XREF: sub_58CB5C+6Dj
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_200C],	eax

loc_58CBEE:				; CODE XREF: sub_58CB5C+87j
		push	5Dh
		movzx	eax, cx
		pop	edx
		mov	ecx, eax
		cmp	dx, ax
		jnz	short loc_58CC10
		add	esi, 2
		mov	[ebp+var_1FF9],	20h
		mov	edi, edx
		mov	[ebp+var_2008],	esi
		movzx	ecx, word ptr [esi]

loc_58CC10:				; CODE XREF: sub_58CB5C+9Dj
		movzx	eax, cx
		cmp	dx, cx
		jz	loc_58CCCB
		movzx	ecx, cx
		jmp	short loc_58CC24
; 

loc_58CC21:				; CODE XREF: sub_58CB5C+163j
		push	5Dh
		pop	edx

loc_58CC24:				; CODE XREF: sub_58CB5C+C3j
		push	2Dh
		pop	eax
		cmp	ax, cx
		jnz	short loc_58CC87
		test	di, di
		jz	short loc_58CC87
		movzx	eax, word ptr [esi+2]
		cmp	dx, ax
		jz	short loc_58CC87
		cmp	di, ax
		jnb	short loc_58CC43
		mov	ebx, eax
		jmp	short loc_58CC48
; 

loc_58CC43:				; CODE XREF: sub_58CB5C+E1j
		movzx	ebx, di
		mov	edi, eax

loc_58CC48:				; CODE XREF: sub_58CB5C+E5j
		movzx	eax, di
		mov	[ebp+var_2010],	eax
		cmp	di, bx
		ja	short loc_58CC81
		mov	esi, eax

loc_58CC58:				; CODE XREF: sub_58CB5C+11Dj
		movzx	edx, si
		mov	ecx, edx
		and	edx, 7
		shr	ecx, 3
		movsx	eax, byte ptr [ebp+ecx+var_2004]
		bts	eax, edx
		inc	esi
		mov	byte ptr [ebp+ecx+var_2004], al
		cmp	si, bx
		jbe	short loc_58CC58
		mov	esi, [ebp+var_2008]

loc_58CC81:				; CODE XREF: sub_58CB5C+F8j
		xor	edi, edi
		push	4
		jmp	short loc_58CCA9
; 

loc_58CC87:				; CODE XREF: sub_58CB5C+CEj
					; sub_58CB5C+D3j ...
		movzx	edx, cx
		movzx	edi, cx
		mov	ecx, edx
		shr	ecx, 3
		and	edx, 7
		push	2
		movsx	eax, byte ptr [ebp+ecx+var_2004]
		bts	eax, edx
		mov	byte ptr [ebp+ecx+var_2004], al

loc_58CCA9:				; CODE XREF: sub_58CB5C+129j
		pop	eax
		add	esi, eax
		push	5Dh
		pop	ebx
		mov	[ebp+var_2008],	esi
		movzx	eax, word ptr [esi]
		mov	edx, eax
		mov	ecx, eax
		cmp	bx, ax
		jnz	loc_58CC21
		mov	ebx, [ebp+var_2014]

loc_58CCCB:				; CODE XREF: sub_58CB5C+BAj
		test	ax, ax
		jnz	short loc_58CCD5
		or	eax, 0FFFFFFFFh
		jmp	short loc_58CD0A
; 

loc_58CCD5:				; CODE XREF: sub_58CB5C+172j
		push	[ebp+arg_20]
		lea	eax, [ebp+var_2004]
		mov	[ebx], esi
		push	[ebp+arg_1C]
		push	[ebp+var_2018]
		push	[ebp+arg_14]
		push	[ebp+var_201C]
		push	[ebp+arg_C]
		push	[ebp+var_2020]
		push	eax
		push	[ebp+var_200C]
		call	sub_58C998
		add	esp, 24h

loc_58CD0A:				; CODE XREF: sub_58CB5C+177j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
sub_58CB5C	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_58CD1A	proc near		; CODE XREF: __winput_s+535p
					; __winput_s+619p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		test	edx, 0FF00h
		jnz	short loc_58CD3D
		mov	eax, __pctype
		movzx	ecx, dl
		test	byte ptr [eax+ecx*2], 4
		jz	short loc_58CD3D
		movzx	eax, dx
		pop	ebp
		retn
; 

loc_58CD3D:				; CODE XREF: sub_58CD1A+Ej
					; sub_58CD1A+1Cj
		movzx	eax, dx
		and	eax, 0FFFFFFDFh
		sub	eax, 7
		pop	ebp
		retn
sub_58CD1A	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__swinput_s	proc near		; CODE XREF: __snwscanf_s+2Cp
					; _swscanf_s+3Fp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		test	eax, eax
		jz	short loc_58CD9C
		cmp	[ebp+arg_8], edx
		jz	short loc_58CD9C
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 3FFFFFFFh
		ja	short loc_58CD9C
		push	[ebp+arg_C]
		mov	[ebp+var_18], eax
		push	[ebp+arg_8]
		mov	[ebp+var_20], eax
		lea	eax, [ecx+ecx]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_20]
		push	eax
		mov	[ebp+var_14], 49h
		call	__winput_s
		add	esp, 0Ch
		leave
		retn
; 

loc_58CD9C:				; CODE XREF: __swinput_s+1Bj
					; __swinput_s+20j ...
		push	edx
		push	edx
		push	edx
		push	edx
		push	edx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		or	eax, 0FFFFFFFFh
		leave
		retn
__swinput_s	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_un_inc		proc near		; CODE XREF: sub_58C998+33p
					; sub_58C998+192p ...

arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, 0FFFFh
		cmp	ax, [ebp+arg_0]
		jz	short loc_58CDC4
		pop	ebp
		jmp	__ungetwc_nolock
; 

loc_58CDC4:				; CODE XREF: _un_inc+Ej
		pop	ebp
		retn
_un_inc		endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_58CDC6	proc near		; CODE XREF: __winput_s+65p
					; __winput_s+267p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]

loc_58CDD0:				; CODE XREF: sub_58CDC6+2Ej
		push	[ebp+arg_4]
		inc	dword ptr [edi]
		call	__fgetwc_nolock
		movzx	esi, ax
		mov	eax, 0FFFFh
		pop	ecx
		cmp	si, ax
		jz	short loc_58CDF6
		push	8		; wctype_t
		push	esi		; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_58CDD0

loc_58CDF6:				; CODE XREF: sub_58CDC6+20j
		pop	edi
		mov	ax, si
		pop	esi
		pop	ebp
		retn
sub_58CDC6	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__winput_s	proc near		; CODE XREF: __swinput_s+4Ap

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_6		= byte ptr -6
var_5		= byte ptr -5
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], ebx
		mov	[ebp+var_3C], eax
		test	edi, edi
		jz	loc_58D60A
		cmp	[ebp+arg_0], eax
		jz	loc_58D60A
		movzx	ecx, word ptr [edi]
		mov	esi, eax
		mov	[ebp+var_5], al
		mov	[ebp+var_C], esi
		mov	[ebp+var_20], eax
		mov	[ebp+var_34], eax
		test	cx, cx
		jz	loc_58D61C

loc_58CE47:				; CODE XREF: __winput_s+78Ej
		push	8		; wctype_t
		push	ecx		; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_58CE90
		push	[ebp+arg_0]
		lea	eax, [ebp+var_C]
		dec	esi
		push	[ebp+arg_0]
		mov	[ebp+var_C], esi
		push	eax
		call	sub_58CDC6
		pop	ecx
		pop	ecx
		movzx	eax, ax
		push	eax
		call	_un_inc
		pop	ecx
		pop	ecx

loc_58CE75:				; CODE XREF: __winput_s+89j
		add	edi, 2
		push	8		; wctype_t
		movzx	eax, word ptr [edi]
		push	eax		; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_58CE75
		xor	edx, edx
		jmp	loc_58D57F
; 

loc_58CE90:				; CODE XREF: __winput_s+55j
		movzx	eax, word ptr [edi]
		push	25h
		pop	ecx
		cmp	cx, ax
		jnz	loc_58D540
		cmp	cx, [edi+2]
		jz	loc_58D532
		xor	edx, edx
		mov	ch, 1
		mov	cl, dl
		mov	[ebp+var_28], edx
		mov	[ebp+var_30], edx
		mov	bh, dl
		mov	[ebp+var_24], edx
		mov	bl, dl
		mov	[ebp+var_10], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_6], dl
		mov	[ebp+var_2], cl
		mov	[ebp+var_3], ch
		mov	[ebp+var_2C], edx

loc_58CECE:				; CODE XREF: __winput_s+202j
		add	edi, 2
		mov	[ebp+arg_4], edi
		movzx	eax, word ptr [edi]
		mov	esi, eax
		test	eax, 0FF00h
		jnz	short loc_58CF0A
		movzx	ecx, al
		mov	eax, __pctype
		test	byte ptr [eax+ecx*2], 4
		jz	short loc_58CF04
		mov	ecx, [ebp+var_10]
		inc	[ebp+var_24]
		imul	eax, ecx, 0Ah
		add	eax, 0FFFFFFD0h
		add	eax, esi
		mov	[ebp+var_10], eax
		jmp	loc_58CFF8
; 

loc_58CF04:				; CODE XREF: __winput_s+EEj
		mov	cl, [ebp+var_2]
		mov	ch, [ebp+var_3]

loc_58CF0A:				; CODE XREF: __winput_s+E0j
		cmp	esi, 68h
		ja	short loc_58CF54
		jz	short loc_58CF45
		mov	eax, esi
		sub	eax, 2Ah
		jz	short loc_58CF3E
		sub	eax, 1Ch
		jz	loc_58CFF8
		sub	eax, 3
		jz	short loc_58CF74
		sub	eax, 3
		jz	short loc_58CF34
		dec	eax
		sub	eax, 1
		jmp	loc_58CFF4
; 

loc_58CF34:				; CODE XREF: __winput_s+12Bj
		inc	ch
		mov	[ebp+var_3], ch
		jmp	loc_58CFF8
; 

loc_58CF3E:				; CODE XREF: __winput_s+118j
		inc	bh
		jmp	loc_58CFF8
; 

loc_58CF45:				; CODE XREF: __winput_s+111j
		dec	ch
		dec	cl
		mov	[ebp+var_3], ch

loc_58CF4C:				; CODE XREF: __winput_s+1AFj
		mov	[ebp+var_2], cl
		jmp	loc_58CFF8
; 

loc_58CF54:				; CODE XREF: __winput_s+10Fj
		mov	eax, esi
		sub	eax, 6Ah
		jz	short loc_58CF74
		dec	eax
		sub	eax, 1
		jz	short loc_58CF9A
		sub	eax, 8
		jz	short loc_58CF74
		sub	eax, 3
		jz	short loc_58CFAB
		sub	eax, 3
		jnz	loc_58CFF6

loc_58CF74:				; CODE XREF: __winput_s+126j
					; __winput_s+15Bj ...
		cmp	esi, 49h
		jnz	short loc_58CFC3
		movzx	ecx, word ptr [edi+2]
		cmp	ecx, 36h
		jnz	short loc_58CFAF
		cmp	word ptr [edi+4], 34h
		jnz	short loc_58CFAF
		add	edi, 4

loc_58CF8C:				; CODE XREF: __winput_s+1A6j
		mov	[ebp+arg_4], edi

loc_58CF8F:				; CODE XREF: __winput_s+1C8j
		inc	[ebp+var_2C]
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], edx
		jmp	short loc_58CFF8
; 

loc_58CF9A:				; CODE XREF: __winput_s+161j
		cmp	word ptr [edi+2], 6Ch
		jnz	short loc_58CFA6
		add	edi, 2
		jmp	short loc_58CF8C
; 

loc_58CFA6:				; CODE XREF: __winput_s+1A1j
		inc	ch
		mov	[ebp+var_3], ch

loc_58CFAB:				; CODE XREF: __winput_s+16Bj
		inc	cl
		jmp	short loc_58CF4C
; 

loc_58CFAF:				; CODE XREF: __winput_s+182j
					; __winput_s+189j
		cmp	ecx, 33h
		jnz	short loc_58CFC8
		cmp	word ptr [edi+4], 32h
		jnz	short loc_58CFC8
		add	edi, 4
		mov	[ebp+arg_4], edi
		jmp	short loc_58CFF8
; 

loc_58CFC3:				; CODE XREF: __winput_s+179j
		cmp	esi, 6Ah
		jz	short loc_58CF8F

loc_58CFC8:				; CODE XREF: __winput_s+1B4j
					; __winput_s+1BBj
		movzx	eax, word ptr [edi+2]
		push	64h
		pop	ecx
		cmp	ax, cx
		jz	short loc_58CFF8
		cmp	eax, 69h
		jz	short loc_58CFF8
		push	6Fh
		pop	ecx
		cmp	ax, cx
		jz	short loc_58CFF8
		cmp	eax, 75h
		jz	short loc_58CFF8
		push	78h
		pop	ecx
		cmp	ax, cx
		jz	short loc_58CFF8
		push	58h
		pop	ecx
		cmp	ax, cx

loc_58CFF4:				; CODE XREF: __winput_s+131j
		jz	short loc_58CFF8

loc_58CFF6:				; CODE XREF: __winput_s+170j
		inc	bl

loc_58CFF8:				; CODE XREF: __winput_s+101j
					; __winput_s+11Dj ...
		mov	cl, [ebp+var_2]
		mov	ch, [ebp+var_3]
		test	bl, bl
		jz	loc_58CECE
		mov	[ebp+var_4], bh
		mov	ebx, [ebp+var_14]
		cmp	[ebp+var_4], dl
		jnz	short loc_58D022
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_3C], eax
		add	eax, 4
		mov	[ebp+arg_8], eax
		mov	ecx, [eax-4]
		jmp	short loc_58D024
; 

loc_58D022:				; CODE XREF: __winput_s+211j
		mov	ecx, edx

loc_58D024:				; CODE XREF: __winput_s+222j
		mov	[ebp+var_40], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_1], dl
		cmp	[ebp+var_2], dl
		jnz	short loc_58D047
		movzx	eax, word ptr [edi]
		cmp	eax, 53h
		jz	short loc_58D043
		mov	[ebp+var_2], 1
		cmp	eax, 43h
		jnz	short loc_58D047

loc_58D043:				; CODE XREF: __winput_s+23Aj
		mov	[ebp+var_2], 0FFh

loc_58D047:				; CODE XREF: __winput_s+232j
					; __winput_s+243j
		movzx	esi, word ptr [edi]
		push	6Eh
		or	esi, 20h
		pop	eax
		cmp	esi, eax
		jz	short loc_58D092
		cmp	esi, 63h
		jz	short loc_58D06D
		cmp	esi, 7Bh
		jz	short loc_58D06D
		push	[ebp+arg_0]
		lea	eax, [ebp+var_C]
		push	eax
		call	sub_58CDC6
		pop	ecx
		jmp	short loc_58D078
; 

loc_58D06D:				; CODE XREF: __winput_s+259j
					; __winput_s+25Ej
		push	[ebp+arg_0]
		inc	[ebp+var_C]
		call	__fgetwc_nolock

loc_58D078:				; CODE XREF: __winput_s+26Dj
		movzx	ebx, ax
		xor	edx, edx
		mov	eax, 0FFFFh
		mov	[ebp+var_14], ebx
		pop	ecx
		cmp	ax, bx
		jz	loc_58D5AD
		mov	ecx, [ebp+var_40]

loc_58D092:				; CODE XREF: __winput_s+254j
		cmp	[ebp+var_24], 0
		jz	short loc_58D0A2
		cmp	[ebp+var_10], 0
		jz	loc_58D591

loc_58D0A2:				; CODE XREF: __winput_s+298j
		cmp	[ebp+var_4], 0
		jnz	short loc_58D0DE
		cmp	esi, 63h
		jz	short loc_58D0B7
		cmp	esi, 73h
		jz	short loc_58D0B7
		cmp	esi, 7Bh
		jnz	short loc_58D0DE

loc_58D0B7:				; CODE XREF: __winput_s+2ADj
					; __winput_s+2B2j
		mov	eax, [ebp+var_3C]
		add	eax, 4
		mov	[ebp+var_3C], eax
		mov	ecx, [eax-4]
		add	eax, 4
		mov	[ebp+arg_8], eax
		mov	[ebp+var_40], ecx
		mov	[ebp+var_48], ecx
		mov	eax, [eax-4]
		mov	[ebp+var_44], eax
		cmp	eax, 1
		jb	loc_58D5BF

loc_58D0DE:				; CODE XREF: __winput_s+2A8j
					; __winput_s+2B7j
		cmp	esi, 70h
		ja	short loc_58D156
		jz	short loc_58D150
		mov	eax, esi
		sub	eax, 63h
		jz	short loc_58D13B
		sub	eax, 1
		jz	short loc_58D100
		sub	eax, 5
		jz	short loc_58D128
		sub	eax, 5
		jz	short loc_58D115
		sub	eax, 1
		jnz	short loc_58D171

loc_58D100:				; CODE XREF: __winput_s+2F1j
					; __winput_s+356j ...
		push	2Dh
		pop	eax
		cmp	ax, bx
		jnz	loc_58D25A
		mov	[ebp+var_6], 1
		jmp	loc_58D262
; 

loc_58D115:				; CODE XREF: __winput_s+2FBj
		mov	eax, [ebp+var_C]
		xor	edx, edx
		cmp	[ebp+var_4], dl
		jz	loc_58D49F
		jmp	loc_58D52A
; 

loc_58D128:				; CODE XREF: __winput_s+2F6j
		push	64h
		pop	eax
		mov	esi, eax

loc_58D12D:				; CODE XREF: __winput_s+36Cj
		push	2Dh
		pop	eax
		cmp	ax, bx
		jnz	short loc_58D19A
		mov	[ebp+var_6], 1
		jmp	short loc_58D1A2
; 

loc_58D13B:				; CODE XREF: __winput_s+2ECj
		cmp	[ebp+var_24], 0
		push	10h
		pop	eax
		jnz	loc_58D4CA
		inc	[ebp+var_10]
		jmp	loc_58D4CA
; 

loc_58D150:				; CODE XREF: __winput_s+2E5j
		mov	[ebp+var_3], 1
		jmp	short loc_58D100
; 

loc_58D156:				; CODE XREF: __winput_s+2E3j
		mov	eax, esi
		sub	eax, 73h
		jz	loc_58D4C1
		dec	eax
		sub	eax, 1
		jz	short loc_58D100
		sub	eax, 3
		jz	short loc_58D12D
		sub	eax, 3
		jz	short loc_58D193

loc_58D171:				; CODE XREF: __winput_s+300j
		cmp	[edi], bx
		jnz	loc_58D5D0
		dec	[ebp+var_5]
		xor	edx, edx
		cmp	[ebp+var_4], dl
		jnz	loc_58D52A
		mov	eax, [ebp+var_3C]
		mov	[ebp+arg_8], eax
		jmp	loc_58D52A
; 

loc_58D193:				; CODE XREF: __winput_s+371j
		push	40h
		jmp	loc_58D4C3
; 

loc_58D19A:				; CODE XREF: __winput_s+335j
		push	2Bh
		pop	eax
		cmp	ax, bx
		jnz	short loc_58D1C6

loc_58D1A2:				; CODE XREF: __winput_s+33Bj
		sub	[ebp+var_10], 1
		jnz	short loc_58D1B4
		cmp	[ebp+var_24], 0
		jz	short loc_58D1B4
		mov	[ebp+var_1], 1
		jmp	short loc_58D1C6
; 

loc_58D1B4:				; CODE XREF: __winput_s+3A8j
					; __winput_s+3AEj
		push	[ebp+arg_0]
		inc	[ebp+var_C]
		call	__fgetwc_nolock
		movzx	ebx, ax
		pop	ecx
		mov	[ebp+var_14], ebx

loc_58D1C6:				; CODE XREF: __winput_s+3A2j
					; __winput_s+3B4j
		push	30h
		pop	eax
		cmp	ax, bx
		jnz	loc_58D28A
		push	[ebp+arg_0]
		inc	[ebp+var_C]
		call	__fgetwc_nolock
		pop	ecx
		push	78h
		movzx	ebx, ax
		pop	ecx
		mov	[ebp+var_14], ebx
		cmp	cx, bx
		jz	short loc_58D22A
		push	58h
		pop	eax
		cmp	ax, bx
		jz	short loc_58D22A
		mov	[ebp+var_30], 1
		cmp	esi, ecx
		jz	short loc_58D215
		cmp	[ebp+var_24], 0
		jz	short loc_58D20E
		sub	[ebp+var_10], 1
		jnz	short loc_58D20E
		inc	[ebp+var_1]

loc_58D20E:				; CODE XREF: __winput_s+405j
					; __winput_s+40Bj
		push	6Fh
		pop	edx
		mov	esi, edx
		jmp	short loc_58D290
; 

loc_58D215:				; CODE XREF: __winput_s+3FFj
		push	[ebp+arg_0]
		dec	[ebp+var_C]
		push	ebx
		call	_un_inc
		pop	ecx
		pop	ecx
		push	30h
		pop	eax
		mov	ebx, eax
		jmp	short loc_58D287
; 

loc_58D22A:				; CODE XREF: __winput_s+3ECj
					; __winput_s+3F4j
		push	[ebp+arg_0]
		inc	[ebp+var_C]
		call	__fgetwc_nolock
		cmp	[ebp+var_24], 0
		movzx	ebx, ax
		pop	ecx
		mov	[ebp+var_14], ebx
		jz	short loc_58D253
		mov	eax, [ebp+var_10]
		sub	eax, 2
		mov	[ebp+var_10], eax
		cmp	eax, 1
		jge	short loc_58D253
		inc	[ebp+var_1]

loc_58D253:				; CODE XREF: __winput_s+442j
					; __winput_s+450j
		push	78h
		pop	ecx
		mov	esi, ecx
		jmp	short loc_58D28D
; 

loc_58D25A:				; CODE XREF: __winput_s+308j
		push	2Bh
		pop	eax
		cmp	ax, bx
		jnz	short loc_58D28A

loc_58D262:				; CODE XREF: __winput_s+312j
		sub	[ebp+var_10], 1
		jnz	short loc_58D278
		cmp	[ebp+var_24], 0
		jz	short loc_58D278
		push	78h
		pop	ecx
		push	6Fh
		mov	al, 1
		pop	edx
		jmp	short loc_58D293
; 

loc_58D278:				; CODE XREF: __winput_s+468j
					; __winput_s+46Ej
		push	[ebp+arg_0]
		inc	[ebp+var_C]
		call	__fgetwc_nolock
		pop	ecx
		movzx	ebx, ax

loc_58D287:				; CODE XREF: __winput_s+42Aj
		mov	[ebp+var_14], ebx

loc_58D28A:				; CODE XREF: __winput_s+3CEj
					; __winput_s+462j
		push	78h
		pop	ecx

loc_58D28D:				; CODE XREF: __winput_s+45Aj
		push	6Fh
		pop	edx

loc_58D290:				; CODE XREF: __winput_s+415j
		mov	al, [ebp+var_1]

loc_58D293:				; CODE XREF: __winput_s+478j
		cmp	[ebp+var_2C], 0
		jz	loc_58D3B7
		test	al, al
		jnz	loc_58D393

loc_58D2A5:				; CODE XREF: __winput_s+582j
		cmp	esi, ecx
		jz	short loc_58D309
		cmp	esi, 70h
		jz	short loc_58D309
		test	ebx, 0FF00h
		jnz	loc_58D385
		mov	eax, __pctype
		movzx	ecx, bl
		test	byte ptr [eax+ecx*2], 4
		jz	loc_58D385
		cmp	esi, edx
		jnz	short loc_58D2EE
		push	38h
		pop	eax
		cmp	ax, bx
		jbe	loc_58D385
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_1C]
		shld	eax, ecx, 3
		mov	[ebp+var_18], eax
		shl	ecx, 3
		jmp	short loc_58D342
; 

loc_58D2EE:				; CODE XREF: __winput_s+4D0j
		mov	eax, [ebp+var_18]
		push	0Ah
		pop	ecx
		mul	ecx
		push	0Ah
		mov	ecx, eax
		mov	eax, [ebp+var_1C]
		pop	edx
		mul	edx
		add	ecx, edx
		mov	[ebp+var_18], ecx
		mov	ecx, eax
		jmp	short loc_58D342
; 

loc_58D309:				; CODE XREF: __winput_s+4A9j
					; __winput_s+4AEj
		test	ebx, 0FF00h
		jnz	short loc_58D385
		mov	eax, __pctype
		movzx	ecx, bl
		test	byte ptr [eax+ecx*2], 80h
		jz	short loc_58D385
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_18]
		shld	ecx, eax, 4
		push	ebx
		shl	eax, 4
		mov	[ebp+var_18], ecx
		mov	[ebp+var_1C], eax
		call	sub_58CD1A
		pop	ecx
		mov	ecx, [ebp+var_1C]
		movzx	ebx, ax
		mov	[ebp+var_14], ebx

loc_58D342:				; CODE XREF: __winput_s+4EEj
					; __winput_s+509j
		inc	[ebp+var_30]
		movzx	eax, bx
		cdq
		add	eax, 0FFFFFFD0h
		adc	edx, 0FFFFFFFFh
		add	ecx, eax
		mov	eax, [ebp+var_18]
		adc	eax, edx
		mov	[ebp+var_1C], ecx
		cmp	[ebp+var_24], 0
		mov	[ebp+var_18], eax
		jz	short loc_58D368
		sub	[ebp+var_10], 1
		jz	short loc_58D399

loc_58D368:				; CODE XREF: __winput_s+562j
		push	[ebp+arg_0]
		inc	[ebp+var_C]
		call	__fgetwc_nolock
		pop	ecx
		push	78h
		pop	ecx
		movzx	ebx, ax
		push	6Fh
		mov	[ebp+var_14], ebx
		pop	edx
		jmp	loc_58D2A5
; 

loc_58D385:				; CODE XREF: __winput_s+4B6j
					; __winput_s+4C8j ...
		push	[ebp+arg_0]
		dec	[ebp+var_C]
		push	ebx
		call	_un_inc
		pop	ecx
		pop	ecx

loc_58D393:				; CODE XREF: __winput_s+4A1j
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_1C]

loc_58D399:				; CODE XREF: __winput_s+568j
		cmp	[ebp+var_6], 0
		jz	loc_58D479
		neg	ecx
		push	0
		pop	edx
		adc	eax, edx
		mov	[ebp+var_1C], ecx
		neg	eax
		mov	[ebp+var_18], eax
		jmp	loc_58D47B
; 

loc_58D3B7:				; CODE XREF: __winput_s+499j
		test	al, al
		jnz	loc_58D46B

loc_58D3BF:				; CODE XREF: __winput_s+65Aj
		cmp	esi, ecx
		jz	short loc_58D3FC
		cmp	esi, 70h
		jz	short loc_58D3FC
		test	ebx, 0FF00h
		jnz	loc_58D45D
		mov	eax, __pctype
		movzx	ecx, bl
		test	byte ptr [eax+ecx*2], 4
		jz	short loc_58D45D
		cmp	esi, edx
		jnz	short loc_58D3F6
		push	38h
		pop	eax
		cmp	ax, bx
		jbe	short loc_58D45D
		mov	ecx, [ebp+var_28]
		shl	ecx, 3
		jmp	short loc_58D426
; 

loc_58D3F6:				; CODE XREF: __winput_s+5E6j
		imul	ecx, [ebp+var_28], arg_0+2
		jmp	short loc_58D426
; 

loc_58D3FC:				; CODE XREF: __winput_s+5C3j
					; __winput_s+5C8j
		test	ebx, 0FF00h
		jnz	short loc_58D45D
		mov	eax, __pctype
		movzx	ecx, bl
		test	byte ptr [eax+ecx*2], 80h
		jz	short loc_58D45D
		shl	[ebp+var_28], 4
		push	ebx
		call	sub_58CD1A
		pop	ecx
		mov	ecx, [ebp+var_28]
		movzx	ebx, ax
		mov	[ebp+var_14], ebx

loc_58D426:				; CODE XREF: __winput_s+5F6j
					; __winput_s+5FCj
		inc	[ebp+var_30]
		add	ecx, 0FFFFFFD0h
		movzx	eax, bx
		add	ecx, eax
		cmp	[ebp+var_24], 0
		mov	[ebp+var_28], ecx
		jz	short loc_58D440
		sub	[ebp+var_10], 1
		jz	short loc_58D46E

loc_58D440:				; CODE XREF: __winput_s+63Aj
		push	[ebp+arg_0]
		inc	[ebp+var_C]
		call	__fgetwc_nolock
		pop	ecx
		push	78h
		pop	ecx
		movzx	ebx, ax
		push	6Fh
		mov	[ebp+var_14], ebx
		pop	edx
		jmp	loc_58D3BF
; 

loc_58D45D:				; CODE XREF: __winput_s+5D0j
					; __winput_s+5E2j ...
		push	[ebp+arg_0]
		dec	[ebp+var_C]
		push	ebx
		call	_un_inc
		pop	ecx
		pop	ecx

loc_58D46B:				; CODE XREF: __winput_s+5BBj
		mov	ecx, [ebp+var_28]

loc_58D46E:				; CODE XREF: __winput_s+640j
		cmp	[ebp+var_6], 0
		jz	short loc_58D479
		neg	ecx
		mov	[ebp+var_28], ecx

loc_58D479:				; CODE XREF: __winput_s+59Fj
					; __winput_s+674j
		xor	edx, edx

loc_58D47B:				; CODE XREF: __winput_s+5B4j
		cmp	[ebp+var_30], 0
		jz	loc_58D59E
		cmp	[ebp+var_4], 0
		jnz	loc_58D52A
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_40]
		inc	eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_34], eax
		mov	eax, [ebp+var_28]

loc_58D49F:				; CODE XREF: __winput_s+31Fj
		cmp	[ebp+var_2C], 0
		jz	short loc_58D4B2
		mov	eax, [ebp+var_1C]
		mov	[ecx], eax
		mov	eax, [ebp+var_18]
		mov	[ecx+4], eax
		jmp	short loc_58D52A
; 

loc_58D4B2:				; CODE XREF: __winput_s+6A5j
		cmp	[ebp+var_3], 0
		jz	short loc_58D4BC
		mov	[ecx], eax
		jmp	short loc_58D52A
; 

loc_58D4BC:				; CODE XREF: __winput_s+6B8j
		mov	[ecx], ax
		jmp	short loc_58D52A
; 

loc_58D4C1:				; CODE XREF: __winput_s+35Dj
		push	20h

loc_58D4C3:				; CODE XREF: __winput_s+397j
		pop	eax
		cmp	[ebp+var_24], 0
		jz	short loc_58D4CD

loc_58D4CA:				; CODE XREF: __winput_s+344j
					; __winput_s+34Dj
		or	eax, 1

loc_58D4CD:				; CODE XREF: __winput_s+6CAj
		cmp	[ebp+var_2], 0
		jle	short loc_58D4D6
		or	eax, 2

loc_58D4D6:				; CODE XREF: __winput_s+6D3j
		cmp	[ebp+var_4], 0
		jz	short loc_58D4DF
		or	eax, 4

loc_58D4DF:				; CODE XREF: __winput_s+6DCj
		lea	ecx, [ebp+var_34]
		push	ecx
		mov	ecx, [ebp+var_10]
		push	[ebp+var_44]
		push	[ebp+arg_0]
		push	ecx
		lea	ecx, [ebp+var_48]
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		lea	ecx, [ebp+var_14]
		push	ecx
		cmp	esi, 7Bh
		jnz	short loc_58D50D
		lea	ecx, [ebp+arg_4]
		push	ecx
		push	eax
		call	sub_58CB5C
		mov	edi, [ebp+arg_4]
		jmp	short loc_58D514
; 

loc_58D50D:				; CODE XREF: __winput_s+6FEj
		push	edx
		push	eax
		call	sub_58C998

loc_58D514:				; CODE XREF: __winput_s+70Dj
		mov	ebx, [ebp+var_14]
		add	esp, 24h
		xor	edx, edx
		test	eax, eax
		jnz	loc_58D5E2
		mov	esi, [ebp+var_34]
		mov	[ebp+var_20], esi

loc_58D52A:				; CODE XREF: __winput_s+325j
					; __winput_s+384j ...
		inc	[ebp+var_5]
		add	edi, 2
		jmp	short loc_58D564
; 

loc_58D532:				; CODE XREF: __winput_s+A5j
		cmp	cx, ax
		jnz	short loc_58D540
		cmp	cx, [edi+2]
		jnz	short loc_58D540
		add	edi, 2

loc_58D540:				; CODE XREF: __winput_s+9Bj
					; __winput_s+737j ...
		push	[ebp+arg_0]
		inc	esi
		mov	[ebp+var_C], esi
		call	__fgetwc_nolock
		movzx	ebx, ax
		movzx	eax, word ptr [edi]
		add	edi, 2
		mov	[ebp+var_14], ebx
		pop	ecx
		cmp	ax, bx
		jnz	loc_58D5EA
		xor	edx, edx

loc_58D564:				; CODE XREF: __winput_s+732j
		mov	eax, 0FFFFh
		cmp	ax, bx
		jnz	short loc_58D57F
		push	25h
		pop	eax
		cmp	[edi], ax
		jnz	short loc_58D5AD
		push	6Eh
		pop	eax
		cmp	[edi+2], ax
		jnz	short loc_58D5AD

loc_58D57F:				; CODE XREF: __winput_s+8Dj
					; __winput_s+76Ej
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jz	short loc_58D59E
		mov	esi, [ebp+var_C]
		jmp	loc_58CE47
; 

loc_58D591:				; CODE XREF: __winput_s+29Ej
		push	[ebp+arg_0]
		push	ebx
		call	_un_inc
		pop	ecx
		pop	ecx

loc_58D59C:				; CODE XREF: __winput_s+7CCj
					; __winput_s+7D0j
		xor	edx, edx

loc_58D59E:				; CODE XREF: __winput_s+681j
					; __winput_s+789j
		mov	ecx, edx

loc_58D5A0:				; CODE XREF: __winput_s+7E2j
		mov	eax, [ebp+var_20]

loc_58D5A3:				; CODE XREF: __winput_s+7FEj
		mov	esi, 0FFFFh
		cmp	si, bx
		jnz	short loc_58D5FE

loc_58D5AD:				; CODE XREF: __winput_s+28Bj
					; __winput_s+776j ...
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_58D5B9
		cmp	[ebp+var_5], al
		jz	short loc_58D5BB

loc_58D5B9:				; CODE XREF: __winput_s+7B4j
		mov	edx, eax

loc_58D5BB:				; CODE XREF: __winput_s+7B9j
		mov	eax, edx
		jmp	short loc_58D61C
; 

loc_58D5BF:				; CODE XREF: __winput_s+2DAj
		cmp	[ebp+var_2], 0
		jle	short loc_58D5CC
		xor	eax, eax
		mov	[ecx], ax
		jmp	short loc_58D59C
; 

loc_58D5CC:				; CODE XREF: __winput_s+7C5j
		mov	[ecx], dl
		jmp	short loc_58D59C
; 

loc_58D5D0:				; CODE XREF: __winput_s+376j
		push	[ebp+arg_0]
		push	ebx
		call	_un_inc
		pop	ecx
		pop	ecx
		xor	ecx, ecx
		inc	ecx
		xor	edx, edx
		jmp	short loc_58D5A0
; 

loc_58D5E2:				; CODE XREF: __winput_s+720j
		mov	eax, [ebp+var_34]
		mov	[ebp+var_20], eax
		jmp	short loc_58D5FA
; 

loc_58D5EA:				; CODE XREF: __winput_s+75Ej
		push	[ebp+arg_0]
		push	ebx
		call	_un_inc
		mov	eax, [ebp+var_20]
		xor	edx, edx
		pop	ecx
		pop	ecx

loc_58D5FA:				; CODE XREF: __winput_s+7EAj
		mov	ecx, edx
		jmp	short loc_58D5A3
; 

loc_58D5FE:				; CODE XREF: __winput_s+7ADj
		cmp	ecx, 1
		jnz	short loc_58D61C
		mov	esi, [ebp+var_20]
		xor	eax, eax
		jmp	short loc_58D60D
; 

loc_58D60A:				; CODE XREF: __winput_s+20j
					; __winput_s+29j
		or	esi, 0FFFFFFFFh

loc_58D60D:				; CODE XREF: __winput_s+80Aj
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, esi

loc_58D61C:				; CODE XREF: __winput_s+43j
					; __winput_s+7BFj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
__winput_s	endp

; 
		align 2

;  S U B	R O U T	I N E 


__filbuf_s	proc near		; CODE XREF: _inc+19p
		or	eax, 0FFFFFFFFh
		retn
__filbuf_s	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__ungetc_nolock	proc near		; CODE XREF: ReadString+33p
					; ReadString+13Cp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		test	edx, edx
		jz	short loc_58D691
		mov	eax, [ebp+arg_0]
		mov	[ebp+arg_4], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_58D6A0
		mov	ebx, [edx+0Ch]
		test	bl, 1
		jnz	short loc_58D653
		mov	eax, ebx
		and	al, 82h
		cmp	al, 80h
		jnz	short loc_58D6A0
		mov	eax, [ebp+arg_4]

loc_58D653:				; CODE XREF: __ungetc_nolock+20j
		mov	ecx, [edx+8]
		test	ecx, ecx
		jz	short loc_58D691
		mov	esi, [edx]
		cmp	esi, ecx
		jnz	short loc_58D667
		cmp	dword ptr [edx+4], 0
		jnz	short loc_58D6A0
		inc	esi

loc_58D667:				; CODE XREF: __ungetc_nolock+38j
		mov	ecx, ebx
		lea	edi, [esi-1]
		mov	[edx], edi
		and	ecx, 40h
		jz	short loc_58D67B
		cmp	[edi], al
		jz	short loc_58D680
		mov	[edx], esi
		jmp	short loc_58D6A0
; 

loc_58D67B:				; CODE XREF: __ungetc_nolock+4Bj
		mov	[edi], al
		mov	ebx, [edx+0Ch]

loc_58D680:				; CODE XREF: __ungetc_nolock+4Fj
		inc	dword ptr [edx+4]
		and	ebx, 0FFFFFFEFh
		or	ebx, 1
		movzx	eax, al
		mov	[edx+0Ch], ebx
		jmp	short loc_58D6A3
; 

loc_58D691:				; CODE XREF: __ungetc_nolock+Dj
					; __ungetc_nolock+32j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h

loc_58D6A0:				; CODE XREF: __ungetc_nolock+18j
					; __ungetc_nolock+28j ...
		or	eax, 0FFFFFFFFh

loc_58D6A3:				; CODE XREF: __ungetc_nolock+69j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
__ungetc_nolock	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__fgetwc_nolock	proc near		; CODE XREF: sub_58C998+6Dp
					; sub_58CDC6+Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_58D6CA
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, 0FFFFh
		pop	ebp
		retn
; 

loc_58D6CA:				; CODE XREF: __fgetwc_nolock+Aj
		add	dword ptr [edx+4], 0FFFFFFFEh
		js	short loc_58D6DC
		mov	ecx, [edx]
		movzx	eax, word ptr [ecx]
		add	ecx, 2
		mov	[edx], ecx
		pop	ebp
		retn
; 

loc_58D6DC:				; CODE XREF: __fgetwc_nolock+26j
		push	edx
		call	__filwbuf_s
		pop	ecx
		pop	ebp
		retn
__fgetwc_nolock	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__ungetwc_nolock proc near		; CODE XREF: _un_inc+11j

arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jnz	short loc_58D708
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		add	esp, 14h
		mov	eax, 0FFFFh
		pop	ebp
		retn
; 

loc_58D708:				; CODE XREF: __ungetwc_nolock+Aj
		push	ebx
		push	esi
		mov	si, [ebp+arg_0]
		mov	ebx, 0FFFFh
		push	edi
		cmp	si, bx
		jz	short loc_58D757
		mov	ecx, [edx+0Ch]
		test	cl, 1
		jnz	short loc_58D729
		mov	eax, ecx
		and	al, 82h
		cmp	al, 80h
		jnz	short loc_58D757

loc_58D729:				; CODE XREF: __ungetwc_nolock+39j
		mov	edi, [edx+8]
		mov	eax, [edx]
		add	edi, 2
		cmp	eax, edi
		jnb	short loc_58D743
		cmp	dword ptr [edx+4], 0
		jnz	short loc_58D757
		cmp	dword ptr [edx+18h], 2
		jb	short loc_58D757
		mov	eax, edi

loc_58D743:				; CODE XREF: __ungetwc_nolock+4Dj
		add	eax, 0FFFFFFFEh
		mov	[edx], eax
		and	ecx, 40h
		jz	short loc_58D75F
		cmp	[eax], si
		jz	short loc_58D762
		add	eax, 2
		mov	[edx], eax

loc_58D757:				; CODE XREF: __ungetwc_nolock+31j
					; __ungetwc_nolock+41j	...
		mov	ax, bx

loc_58D75A:				; CODE XREF: __ungetwc_nolock+8Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_58D75F:				; CODE XREF: __ungetwc_nolock+65j
		mov	[eax], si

loc_58D762:				; CODE XREF: __ungetwc_nolock+6Aj
		mov	ecx, [edx+0Ch]
		mov	ax, si
		add	dword ptr [edx+4], 2
		and	ecx, 0FFFFFFEFh
		or	ecx, 1
		mov	[edx+0Ch], ecx
		jmp	short loc_58D75A
__ungetwc_nolock endp

; 
		align 4

;  S U B	R O U T	I N E 


__filwbuf_s	proc near		; CODE XREF: __fgetwc_nolock+35p
		mov	eax, 0FFFFh
		retn
__filwbuf_s	endp

; 
		align 10h
; Exported entry 700. HvlInvokeHypercall

;  S U B	R O U T	I N E 


; __stdcall HvcallInitiateHypercall(x, x, x, x,	x, x)
		public _HvcallInitiateHypercall@24
_HvcallInitiateHypercall@24 proc near	; CODE XREF: HvlInvokeHypervisorDebugger(x,x)+35p
					; HvlNotifyLongSpinWait(x)+1Cp	...

arg_0		= dword	ptr  10h
arg_4		= dword	ptr  14h
arg_8		= dword	ptr  18h
arg_C		= dword	ptr  1Ch
arg_10		= dword	ptr  20h
arg_14		= dword	ptr  24h

		push	edi
		push	esi
		push	ebx
		mov	eax, [esp+arg_0]
		mov	edx, [esp+arg_4]
		mov	ecx, [esp+arg_8]
		mov	ebx, [esp+arg_C]
		mov	esi, [esp+arg_10]
		mov	edi, [esp+arg_14]
		call	ds:_HvcallCodeVa ; HvcallpNoHypervisorPresent()
		pop	ebx
		pop	esi
		pop	edi
		retn	18h
_HvcallInitiateHypercall@24 endp

; [00000006 BYTES: COLLAPSED FUNCTION HalInitializeBios(x,x). PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION KfLowerIrql(x). PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION HalGetInterruptVector(x,x,x,x,x,x). PRESS	KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION HalAllocateCommonBuffer(x,x,x,x).	PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION HalFreeCommonBuffer(x,x,x,x,x,x).	PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoFlushAdapterBuffers(x,x,x,x,x,x). PRESS	KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoFreeAdapterChannel(x). PRESS KEYPAD "+"	TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoFreeMapRegisters(x,x,x). PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoMapTransfer(x,x,x,x,x,x). PRESS	KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION HalReadDmaCounter(x). PRESS KEYPAD "+" TO	EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION HalGetAdapter(x,x). PRESS	KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION KeRaiseIrql(x,x).	PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION KeLowerIrql(x). PRESS KEYPAD "+" TO EXPAND]
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall SymCryptMarvin32(x, x, x, x)
@SymCryptMarvin32@16 proc near		; CODE XREF: HvpGenerateLogEntryChecksums+75p
					; HvpLogEntryCheckDataChecksum(x,x,x)+22p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [ecx]
		mov	ecx, [ecx+4]
		push	edi
		mov	edi, edx
		cmp	eax, 7
		jbe	short loc_58D84B
		lea	edx, [eax-8]
		shr	edx, 3
		inc	edx

loc_58D813:				; CODE XREF: SymCryptMarvin32(x,x,x,x)+53j
		add	esi, [edi]
		sub	eax, 8
		xor	ecx, esi
		rol	esi, 14h
		add	esi, ecx
		rol	ecx, 9
		xor	ecx, esi
		rol	esi, 1Bh
		add	esi, [edi+4]
		add	edi, 8
		add	esi, ecx
		rol	ecx, 13h
		xor	ecx, esi
		rol	esi, 14h
		add	esi, ecx
		rol	ecx, 9
		xor	ecx, esi
		rol	esi, 1Bh
		add	esi, ecx
		rol	ecx, 13h
		sub	edx, 1
		jnz	short loc_58D813

loc_58D84B:				; CODE XREF: SymCryptMarvin32(x,x,x,x)+14j
		sub	eax, 0
		jz	short loc_58D899
		sub	eax, 1
		jz	loc_58D943
		sub	eax, 1
		jz	loc_58D91C
		sub	eax, 1
		jz	loc_58D8EF
		dec	eax
		sub	eax, 1
		jz	loc_58D92A
		sub	eax, 1
		jz	loc_58D903
		sub	eax, 1
		jz	short loc_58D8D6
		add	esi, [edi]
		xor	ecx, esi
		rol	esi, 14h
		add	esi, ecx
		rol	ecx, 9
		xor	ecx, esi
		rol	esi, 1Bh
		add	esi, ecx
		rol	ecx, 13h

loc_58D899:				; CODE XREF: SymCryptMarvin32(x,x,x,x)+58j
		mov	edx, 80h

loc_58D89E:				; CODE XREF: SymCryptMarvin32(x,x,x,x)+10Bj
					; SymCryptMarvin32(x,x,x,x)+12Fj ...
		mov	eax, [ebp+arg_4]
		add	esi, edx
		xor	ecx, esi
		rol	esi, 14h
		add	esi, ecx
		rol	ecx, 9
		xor	ecx, esi
		rol	esi, 1Bh
		add	esi, ecx
		rol	ecx, 13h
		xor	ecx, esi
		rol	esi, 14h
		add	esi, ecx
		rol	ecx, 9
		xor	ecx, esi
		rol	esi, 1Bh
		add	esi, ecx
		rol	ecx, 13h
		pop	edi
		mov	[eax], esi
		mov	[eax+4], ecx
		pop	esi
		pop	ebp
		retn	8
; 

loc_58D8D6:				; CODE XREF: SymCryptMarvin32(x,x,x,x)+8Bj
		add	esi, [edi]
		xor	ecx, esi
		rol	esi, 14h
		add	esi, ecx
		rol	ecx, 9
		xor	ecx, esi
		rol	esi, 1Bh
		add	esi, ecx
		rol	ecx, 13h
		add	edi, 4

loc_58D8EF:				; CODE XREF: SymCryptMarvin32(x,x,x,x)+6Fj
		movzx	edx, byte ptr [edi+2]
		movzx	eax, word ptr [edi]
		or	edx, 0FFFF8000h
		shl	edx, 10h
		or	edx, eax
		jmp	short loc_58D89E
; 

loc_58D903:				; CODE XREF: SymCryptMarvin32(x,x,x,x)+82j
		add	esi, [edi]
		xor	ecx, esi
		rol	esi, 14h
		add	esi, ecx
		rol	ecx, 9
		xor	ecx, esi
		rol	esi, 1Bh
		add	esi, ecx
		rol	ecx, 13h
		add	edi, 4

loc_58D91C:				; CODE XREF: SymCryptMarvin32(x,x,x,x)+66j
		movzx	edx, word ptr [edi]
		or	edx, 800000h
		jmp	loc_58D89E
; 

loc_58D92A:				; CODE XREF: SymCryptMarvin32(x,x,x,x)+79j
		add	esi, [edi]
		xor	ecx, esi
		rol	esi, 14h
		add	esi, ecx
		rol	ecx, 9
		xor	ecx, esi
		rol	esi, 1Bh
		add	esi, ecx
		rol	ecx, 13h
		add	edi, 4

loc_58D943:				; CODE XREF: SymCryptMarvin32(x,x,x,x)+5Dj
		movzx	edx, byte ptr [edi]
		or	edx, 8000h
		jmp	loc_58D89E
@SymCryptMarvin32@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall SymCryptMarvin32Append(int,void *,int)
@SymCryptMarvin32Append@12 proc	near	; CODE XREF: HvpGenerateLogEntryChecksums+4Cp
					; HvpGenerateLogEntryChecksums+18A4C5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, [edx+18h]
		mov	[ebp+var_4], edx
		lea	eax, [ecx+edi]
		and	ecx, 3
		mov	[edx+18h], eax
		mov	[ebp+var_8], ecx
		jbe	short loc_58D9A6
		push	4
		pop	esi
		sub	esi, ecx
		cmp	edi, esi
		jb	short loc_58D9A6
		push	esi		; size_t
		lea	eax, [ecx+edx]
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_4]
		add	esp, 0Ch
		add	ebx, esi
		sub	edi, esi
		push	4
		lea	ecx, [edx+8]
		call	@SymCryptMarvin32AppendBlocks@12 ; SymCryptMarvin32AppendBlocks(x,x,x)
		and	[ebp+var_8], 0
		mov	edx, [ebp+var_4]

loc_58D9A6:				; CODE XREF: SymCryptMarvin32Append(x,x,x)+23j
					; SymCryptMarvin32Append(x,x,x)+2Cj
		cmp	edi, 4
		jb	short loc_58D9BF
		mov	esi, edi
		lea	ecx, [edx+8]
		and	esi, 0FFFFFFFCh
		mov	edx, ebx
		push	esi
		call	@SymCryptMarvin32AppendBlocks@12 ; SymCryptMarvin32AppendBlocks(x,x,x)
		add	ebx, esi
		sub	edi, esi

loc_58D9BF:				; CODE XREF: SymCryptMarvin32Append(x,x,x)+57j
		test	edi, edi
		jz	short loc_58D9D4
		mov	eax, [ebp+var_8]
		add	eax, [ebp+var_4]
		push	edi		; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_58D9D4:				; CODE XREF: SymCryptMarvin32Append(x,x,x)+6Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
@SymCryptMarvin32Append@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall SymCryptMarvin32AppendBlocks(x, x,	x)
@SymCryptMarvin32AppendBlocks@12 proc near ; CODE XREF:	SymCryptMarvin32Append(x,x,x)+48p
					; SymCryptMarvin32Append(x,x,x)+64p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ecx+4]
		push	edi
		mov	edi, ebx
		and	edi, 0Ch
		add	edx, edi
		sub	ebx, edi
		test	edi, edi
		jz	short loc_58DA14
		cmp	edi, 4
		jz	short loc_58DA62
		cmp	edi, 8
		jz	short loc_58DA4B
		cmp	edi, 0Ch
		jz	short loc_58DA34

loc_58DA08:				; CODE XREF: SymCryptMarvin32AppendBlocks(x,x,x)+3Aj
		pop	edi
		mov	[ecx+4], esi
		pop	esi
		mov	[ecx], eax
		pop	ebx
		pop	ebp
		retn	4
; 

loc_58DA14:				; CODE XREF: SymCryptMarvin32AppendBlocks(x,x,x)+1Bj
					; SymCryptMarvin32AppendBlocks(x,x,x)+9Dj
		test	ebx, ebx
		jz	short loc_58DA08
		add	eax, [edx]
		add	edx, 10h
		xor	esi, eax
		sub	ebx, 10h
		rol	eax, 14h
		add	eax, esi
		rol	esi, 9
		xor	esi, eax
		rol	eax, 1Bh
		add	eax, esi
		rol	esi, 13h

loc_58DA34:				; CODE XREF: SymCryptMarvin32AppendBlocks(x,x,x)+2Aj
		add	eax, [edx-0Ch]
		xor	esi, eax
		rol	eax, 14h
		add	eax, esi
		rol	esi, 9
		xor	esi, eax
		rol	eax, 1Bh
		add	eax, esi
		rol	esi, 13h

loc_58DA4B:				; CODE XREF: SymCryptMarvin32AppendBlocks(x,x,x)+25j
		add	eax, [edx-8]
		xor	esi, eax
		rol	eax, 14h
		add	eax, esi
		rol	esi, 9
		xor	esi, eax
		rol	eax, 1Bh
		add	eax, esi
		rol	esi, 13h

loc_58DA62:				; CODE XREF: SymCryptMarvin32AppendBlocks(x,x,x)+20j
		add	eax, [edx-4]
		xor	esi, eax
		rol	eax, 14h
		add	eax, esi
		rol	esi, 9
		xor	esi, eax
		rol	eax, 1Bh
		add	eax, esi
		rol	esi, 13h
		jmp	short loc_58DA14
@SymCryptMarvin32AppendBlocks@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall SymCryptMarvin32ExpandSeed(x, x, x)
@SymCryptMarvin32ExpandSeed@12 proc near ; CODE	XREF: HvInitializeHashLibrary()+24p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		cmp	[ebp+arg_0], 8
		push	esi
		mov	esi, ecx
		jz	short loc_58DA93
		mov	eax, 0C8000A1h
		jmp	short loc_58DA9D
; 

loc_58DA93:				; CODE XREF: SymCryptMarvin32ExpandSeed(x,x,x)+Ej
		mov	ecx, [edx]
		mov	[esi], ecx
		mov	ecx, [edx+4]
		mov	[esi+4], ecx

loc_58DA9D:				; CODE XREF: SymCryptMarvin32ExpandSeed(x,x,x)+15j
		pop	esi
		pop	ebp
		retn	4
@SymCryptMarvin32ExpandSeed@12 endp


;  S U B	R O U T	I N E 


; __fastcall SymCryptMarvin32Init(x, x)
@SymCryptMarvin32Init@8	proc near	; CODE XREF: HvpGenerateLogEntryChecksums+34p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		lea	edi, [ecx+8]
		movsd
		movsd
		movsd
		and	dword ptr [ecx+18h], 0
		and	dword ptr [ecx+4], 0
		pop	edi
		mov	[ecx+14h], edx
		pop	esi
		retn
@SymCryptMarvin32Init@8	endp


;  S U B	R O U T	I N E 


; __fastcall SymCryptMarvin32Result(x, x)
@SymCryptMarvin32Result@8 proc near	; CODE XREF: HvpGenerateLogEntryChecksums+63p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	edx, ebx
		mov	eax, [ebx+18h]
		lea	edi, [ebx+8]
		and	eax, 3
		mov	ecx, edi
		push	8
		and	dword ptr [eax+ebx], 0
		mov	byte ptr [eax+ebx], 80h
		call	@SymCryptMarvin32AppendBlocks@12 ; SymCryptMarvin32AppendBlocks(x,x,x)
		mov	eax, [edi]
		mov	[esi], eax
		mov	eax, [ebx+0Ch]
		mov	[esi+4], eax
		mov	esi, [ebx+14h]
		and	dword ptr [ebx], 0
		and	dword ptr [ebx+18h], 0
		movsd
		movsd
		movsd
		pop	edi
		pop	esi
		pop	ebx
		retn
@SymCryptMarvin32Result@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall SymCryptCpuidExFuncEnvWindowsKernelmodeWin8_1nLater(x, x, x)
@SymCryptCpuidExFuncEnvWindowsKernelmodeWin8_1nLater@12	proc near
					; CODE XREF: SymCryptCpuidExFunc(x,x,x)+6j

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, edx
		mov	ecx, [ebp+arg_0]
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
@SymCryptCpuidExFuncEnvWindowsKernelmodeWin8_1nLater@12	endp

; 

; __fastcall SymCryptFatalEnvWindowsKernelmodeWin8_1nLater(x)
@SymCryptFatalEnvWindowsKernelmodeWin8_1nLater@4: ; CODE XREF: SymCryptFatal(x)j
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	esi
		push	171h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)
@SymCryptInitEnvWindowsKernelmodeWin8_1nLater@4	proc near ; CODE XREF: SymCryptInit()+5j
					; INIT:00AC0049p

var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 118h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	110h		; size_t
		lea	eax, [ebp+var_114]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	_g_SymCryptFlags, 1
		jnz	short loc_58DBE8
		lea	eax, [ebp+var_118]
		mov	[ebp+var_118], 114h
		push	eax
		call	RtlGetVersion
		test	eax, eax
		jns	short loc_58DB9B
		mov	ecx, 6E737276h
		call	@SymCryptFatal@4 ; SymCryptFatal(x)

loc_58DB9B:				; CODE XREF: SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)+4Fj
		cmp	[ebp+var_114], 6
		jb	short loc_58DBAF
		jnz	short loc_58DBB9
		cmp	[ebp+var_110], 3
		jnb	short loc_58DBB9

loc_58DBAF:				; CODE XREF: SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)+62j
		mov	ecx, 6E737276h
		call	@SymCryptFatal@4 ; SymCryptFatal(x)

loc_58DBB9:				; CODE XREF: SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)+64j
					; SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)+6Dj
		xor	ecx, ecx
		inc	ecx
		call	@SymCryptDetectCpuFeaturesByCpuid@4 ; SymCryptDetectCpuFeaturesByCpuid(x)
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		call	_RtlGetEnabledExtendedFeatures@8 ; RtlGetEnabledExtendedFeatures(x,x)
		and	eax, 4
		xor	edx, edx
		or	eax, edx
		jnz	short loc_58DBDA
		or	_g_SymCryptCpuFeaturesNotPresent, 10h

loc_58DBDA:				; CODE XREF: SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)+91j
		and	_g_SymCryptCpuFeaturesNotPresent, 0FFFFFFDFh
		mov	ecx, esi
		call	@SymCryptInitEnvCommon@4 ; SymCryptInitEnvCommon(x)

loc_58DBE8:				; CODE XREF: SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)+35j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
@SymCryptInitEnvWindowsKernelmodeWin8_1nLater@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall SymCryptSha256(x, x, x)
@SymCryptSha256@12 proc	near		; CODE XREF: .text:00513669p
					; KeComputeSha256(x,x,x)+6j

var_7C		= dword	ptr -7Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [ebp+var_7C]
		push	esi
		push	edi
		push	78h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, edx
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_7C]
		call	@SymCryptSha256Init@4 ;	SymCryptSha256Init(x)
		push	esi		; int
		mov	edx, edi	; void *
		lea	ecx, [ebp+var_7C] ; int
		call	@SymCryptSha256Append@12 ; SymCryptSha256Append(x,x,x)
		mov	edx, ebx
		lea	ecx, [ebp+var_7C]
		call	@SymCryptSha256Result@8	; SymCryptSha256Result(x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
@SymCryptSha256@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall SymCryptSha256Append(int,void *,int)
@SymCryptSha256Append@12 proc near	; CODE XREF: SymCryptSha256(x,x,x)+3Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		add	[edi+8], esi
		mov	ebx, [edi]
		adc	dword ptr [edi+0Ch], 0
		test	ebx, ebx
		jz	short loc_58DCAE
		push	40h
		pop	eax
		sub	eax, ebx
		mov	[ebp+var_C], eax
		cmp	esi, eax
		jb	short loc_58DCAE
		push	eax		; size_t
		lea	eax, [edi+18h]
		push	edx		; void *
		add	eax, ebx
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_C]
		lea	edx, [edi+18h]
		add	[ebp+var_4], eax
		lea	ecx, [edi+58h]
		add	esp, 0Ch
		sub	esi, eax
		lea	eax, [ebp+var_8]
		push	eax
		push	40h
		call	@SymCryptSha256AppendBlocks@16 ; SymCryptSha256AppendBlocks(x,x,x,x)
		mov	edx, [ebp+var_4]
		xor	ebx, ebx

loc_58DCAE:				; CODE XREF: SymCryptSha256Append(x,x,x)+22j
					; SymCryptSha256Append(x,x,x)+2Ej
		cmp	esi, 40h
		jb	short loc_58DCCC
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		lea	ecx, [edi+58h]
		call	@SymCryptSha256AppendBlocks@16 ; SymCryptSha256AppendBlocks(x,x,x,x)
		mov	edx, [ebp+var_4]
		mov	eax, esi
		mov	esi, [ebp+var_8]
		sub	eax, esi
		add	edx, eax

loc_58DCCC:				; CODE XREF: SymCryptSha256Append(x,x,x)+61j
		test	esi, esi
		jz	short loc_58DCE2
		push	esi		; size_t
		lea	eax, [edi+18h]
		push	edx		; void *
		add	eax, ebx
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		add	ebx, esi

loc_58DCE2:				; CODE XREF: SymCryptSha256Append(x,x,x)+7Ej
		mov	[edi], ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
@SymCryptSha256Append@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall SymCryptSha256AppendBlocks(x, x, x, x)
@SymCryptSha256AppendBlocks@16 proc near ; CODE	XREF: SymCryptSha256Append(x,x,x)+54p
					; SymCryptSha256Append(x,x,x)+6Bp ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi		; struct _exception *
		mov	esi, ecx
		mov	[ebp+var_2C], eax
		push	9
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_28]
		rep stosd
		mov	ebx, edx
		call	@SymCryptSaveXmm@4 ; SymCryptSaveXmm(x)
		or	eax, _g_SymCryptCpuFeaturesNotPresent
		test	al, 62h
		jnz	short loc_58DD49
		lea	ecx, [ebp+var_28]
		call	@SymCryptSaveXmm@4 ; SymCryptSaveXmm(x)
		test	eax, eax
		jnz	short loc_58DD49
		push	[ebp+var_2C]
		mov	edx, ebx
		mov	ecx, esi
		push	[ebp+arg_0]
		call	@SymCryptSha256AppendBlocks_shani@16 ; SymCryptSha256AppendBlocks_shani(x,x,x,x)
		lea	ecx, [ebp+var_28]
		call	@SymCryptRestoreXmm@4 ;	SymCryptRestoreXmm(x)
		jmp	short loc_58DD58
; 

loc_58DD49:				; CODE XREF: SymCryptSha256AppendBlocks(x,x,x,x)+36j
					; SymCryptSha256AppendBlocks(x,x,x,x)+42j
		push	[ebp+var_2C]
		mov	edx, ebx
		mov	ecx, esi
		push	[ebp+arg_0]
		call	@SymCryptSha256AppendBlocks_ul1@16 ; SymCryptSha256AppendBlocks_ul1(x,x,x,x)

loc_58DD58:				; CODE XREF: SymCryptSha256AppendBlocks(x,x,x,x)+5Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
@SymCryptSha256AppendBlocks@16 endp

; 
		align 2

; __fastcall SymCryptSha256AppendBlocks_shani(x, x, x, x)
@SymCryptSha256AppendBlocks_shani@16:	; CODE XREF: SymCryptSha256AppendBlocks(x,x,x,x)+4Ep
		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+4], ebp
		mov	ebp, esp
		sub	esp, 4Ch
		movups	xmm2, oword ptr	[ecx]
		push	esi
		movups	xmm1, oword ptr	[ecx+10h]
		mov	esi, edx
		mov	edx, [ebx+8]
		movaps	xmm7, oword ptr	ds:__xmm@0c0d0e0f08090a0b0405060700010203
		movaps	xmm0, xmm2
		punpckhqdq xmm2, xmm1
		punpcklqdq xmm0, xmm1
		pshufd	xmm2, xmm2, 1Bh
		pshufd	xmm5, xmm0, 1Bh
		movaps	oword ptr [ebp-30h], xmm2
		cmp	edx, 40h
		jb	loc_58E0DC
		mov	eax, edx
		shr	eax, 6
		movups	xmm1, oword ptr	[esi]
		lea	esi, [esi+40h]
		movaps	xmm0, oword ptr	ds:_SymCryptSha256K
		movaps	xmm6, xmm2
		movups	xmm3, oword ptr	[esi-30h]
		movups	xmm4, oword ptr	[esi-20h]
; 
		db 66h
		dd 0CF00380Fh, 380F66h,	0FE0F66DFh, 6D290FC1h, 0CB380FC0h
		dd 700F66F5h, 380F0EC0h, 280FEECBh
		db 5
		dd offset loc_409910
		db 66h,	0Fh, 0FEh
; 
		retn
; 
		db 0Fh,	38h, 0CBh
		dd 700F66F5h, 380F0EC0h, 280FEECBh
		db 5
		dd offset dword_409914+0Ch
		db 66h,	0Fh, 38h
		dd 380FE700h, 0F66CBCCh, 380FC4FEh, 0F66F5CBh, 0F0EC070h
		dd 0FEECB38h
		db 28h,	5
		dd offset dword_409914+1Ch
		dw 290Fh
		dd 100FF06Dh, 280FF06Eh, 0F66F055h, 0FEF0038h, 66DCCC38h
		dd 0FC5FE0Fh, 380FFD28h, 0F66F2CBh, 0F0EC070h, 0FD6CB38h
		db 28h,	5
		dd offset dword_409914+2Ch
		dw 0F66h
		dd 4FC0F3Ah, 0F9FE0F66h, 0F055290Fh, 0F04D280Fh, 0FDCD380Fh
		dd 0C7FE0F66h, 0FD7280Fh, 66F1CB38h, 0EC0700Fh,	0CECB380Fh
		db 0Fh,	28h, 5
		dd offset dword_409944+0Ch
		db 66h
		dd 0D50F3A0Fh, 0FE0F6604h, 0CD380FD3h, 0FE0F66D7h, 0CB380FC2h
		dd 700F66F1h, 380F0EC0h, 280FCECBh
		db 5
		dd offset dword_409944+1Ch
		db 0Fh,	29h, 75h
		dd 0F2280FF0h, 0E5CC380Fh, 0F3A0F66h, 0F6604F7h, 280FF4FEh
		dd 380FF065h, 0F66F2CDh, 290FC6FEh, 380FE075h, 0F66E1CBh
		dd 0F0EC070h, 380FDE28h, 280FCCCBh
		db 5
		dd offset dword_409944+2Ch
		db 66h,	0Fh, 3Ah
		dd 0F04DA0Fh, 66EFCC38h, 0FDDFE0Fh, 0FF04D29h, 0FF06D28h
		dd 380FCA28h, 0F66DECDh, 380FC3FEh, 380FE5CBh, 0F66CECCh
		dd 0F0EC070h, 0FECCB38h, 0FE04528h, 0F66F328h, 4F00F3Ah
		dd 0C3CC380Fh, 0E045290Fh
		db 0Fh,	28h, 5
		dd offset dword_409944+3Ch
		db 0Fh
		dd 0FFACC38h, 66F06D29h, 0FF7FE0Fh, 0FF05528h, 66F3CD38h
		dd 0FC6FE0Fh, 380FEE28h, 0F66E2CBh, 0F0EC070h, 0FD4CB38h
		db 28h,	5
		dd offset dword_409944+4Ch
		dw 0F66h
; 
		cmp	cl, [edi]
		jmp	short loc_58DF80
; 
		paddd	xmm5, xmm1

loc_58DF80:				; CODE XREF: .text:0058DF7Aj
		movaps	oword ptr [ebp-10h], xmm4
		movaps	xmm1, oword ptr	[ebp-10h]
; 
		dd 0EECD380Fh, 0C5FE0F66h, 0FE5280Fh, 66CACB38h, 0EC0700Fh
		dd 0D1CB380Fh
		db 0Fh,	28h, 5
		dd offset dword_409944+5Ch
		db 66h
		dd 0E60F3A0Fh, 0FE0F6604h, 380FE065h, 0F66E5CDh, 280FC4FEh
		dd 0CB380FFCh, 700F66CAh, 380F0EC0h, 280FD1CBh
		db 5
		dd offset dword_409944+6Ch
		db 0Fh,	38h, 0CCh
		dd 3A0F66DEh, 6604FD0Fh, 0FFBFE0Fh, 66FCCD38h, 0FC7FE0Fh
		dd 380FDF28h, 0F66CACBh, 0F0EC070h, 0FD1CB38h
		db 28h,	5
		dd offset dword_409944+7Ch
		dw 380Fh
		dd 0F66F5CCh, 4DC0F3Ah,	0DEFE0F66h, 0DFCD380Fh,	0C3FE0F66h
		dd 0CACB380Fh, 0C0700F66h, 0CB380F0Eh, 5280FD1h
		dd offset dword_409944+8Ch
		dd 0F055290Fh, 0FD3280Fh, 66ECCC38h, 0D70F3A0Fh, 0FE0F6604h
		dd 6D280FD5h, 0CD380FF0h, 0FE0F66D3h, 0CB380FC2h, 700F66CDh
		dd 380F0EC0h, 280FE9CBh
		db 5
		dd offset dword_409944+9Ch
		db 0Fh,	29h, 4Dh
		dd 0CA280FF0h, 0E7CC380Fh, 0F3A0F66h, 0F6604CBh, 280FCCFEh
		dd 380FF065h, 0F66CACDh, 380FC1FEh, 0F66E5CBh, 0F0EC070h
		dd 0FECCB38h, 0F66C128h, 4C20F3Ah, 0F40EA83h, 0FD05528h
		dd 66FBCC38h, 0FF8FE0Fh, 66F9CD38h
		db 0Fh,	0FEh, 3Dh
		dd offset dword_409944+0ACh
		db 0Fh
		dd 380FC728h, 0F66E5CBh, 660EC770h, 0FD4FE0Fh
		db 28h,	3Dh
		dd offset __xmm@0c0d0e0f08090a0b0405060700010203
		dw 290Fh
		dd 380FD055h, 0F66ECCBh, 83C06DFEh, 850F01E8h, 0FFFFFCE3h
; 

loc_58E0DC:				; CODE XREF: .text:0058DDB4j
		pshufd	xmm1, oword ptr	[ebp-30h], 1Bh
		mov	eax, [ebx+0Ch]
		pshufd	xmm2, xmm5, 1Bh
		movaps	xmm0, xmm2
		punpckhqdq xmm2, xmm1
		punpcklqdq xmm0, xmm1
		movups	oword ptr [ecx], xmm0
		pop	esi
		movups	oword ptr [ecx+10h], xmm2
		mov	[eax], edx
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8

;  S U B	R O U T	I N E 


; __fastcall SymCryptSha256AppendBlocks_ul1(x, x, x, x)
@SymCryptSha256AppendBlocks_ul1@16 proc	near
					; CODE XREF: SymCryptSha256AppendBlocks(x,x,x,x)+67p

var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  4
arg_4		= dword	ptr  8

		sub	esp, 0F8h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0F8h+var_4], eax
		cmp	[esp+0F8h+arg_0], 40h
		mov	eax, ecx
		mov	ecx, [esp+0F8h+arg_4]
		mov	[esp+0F8h+var_D0], edx
		push	ebx
		mov	edx, [eax]
		mov	ebx, [eax+14h]
		mov	[esp+0FCh+var_68], edx
		mov	[esp+0FCh+var_8], edx
		mov	edx, [eax+0Ch]
		push	esi
		mov	esi, [eax+8]
		mov	[esp+100h+var_98], edx
		mov	[esp+100h+var_14], edx
		mov	edx, [eax+18h]
		push	edi
		mov	edi, [eax+10h]
		mov	[esp+104h+var_F4], ecx
		mov	ecx, [eax+4]
		mov	[esp+104h+var_F8], eax
		mov	eax, [eax+1Ch]
		mov	[esp+104h+var_A8], edx
		mov	[esp+104h+var_20], edx
		mov	edx, [esp+104h+var_68]
		mov	[esp+104h+var_94], ecx
		mov	[esp+104h+var_C], ecx
		mov	[esp+104h+var_90], esi
		mov	[esp+104h+var_10], esi
		mov	[esp+104h+var_A0], edi
		mov	[esp+104h+var_18], edi
		mov	[esp+104h+var_9C], ebx
		mov	[esp+104h+var_1C], ebx
		mov	[esp+104h+var_A4], eax
		mov	[esp+104h+var_24], eax
		jb	loc_58F817
		mov	[esp+104h+var_D8], ecx
		mov	ecx, [esp+104h+var_98]
		mov	[esp+104h+var_F0], eax
		mov	eax, [esp+104h+var_D0]
		mov	[esp+104h+var_E0], ecx
		add	eax, 8
		mov	ecx, [esp+104h+arg_0]
		mov	[esp+104h+var_DC], esi
		mov	esi, [esp+104h+var_A8]
		shr	ecx, 6
		mov	[esp+104h+var_D4], edx
		mov	[esp+104h+var_E4], edi
		mov	[esp+104h+var_E8], ebx
		mov	[esp+104h+var_EC], esi
		mov	[esp+104h+var_8C], eax
		mov	[esp+104h+var_D0], ecx

loc_58E1FC:				; CODE XREF: SymCryptSha256AppendBlocks_ul1(x,x,x,x)+1707j
		mov	eax, [eax-8]
		mov	ecx, edi
		bswap	eax
		mov	[esp+104h+var_CC], eax
		mov	eax, edi
		ror	eax, 0Bh
		ror	ecx, 19h
		xor	ecx, eax
		mov	eax, edi
		ror	eax, 6
		xor	ecx, eax
		mov	eax, esi
		add	ecx, [esp+104h+var_A4]
		xor	eax, ebx
		and	eax, edi
		mov	ebx, [esp+104h+var_98]
		xor	eax, esi
		mov	esi, [esp+104h+var_CC]
		add	eax, ecx
		add	esi, 428A2F98h
		add	esi, eax
		mov	ecx, edx
		ror	ecx, 2
		add	ebx, esi
		mov	eax, ecx
		mov	[esp+104h+var_98], ebx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_90]
		xor	edx, ecx
		mov	ecx, eax
		or	ecx, [esp+104h+var_94]
		add	edx, esi
		and	eax, [esp+104h+var_94]
		and	ecx, [esp+104h+var_68]
		or	ecx, eax
		mov	eax, [esp+104h+var_8C]
		add	edx, ecx
		mov	ecx, ebx
		ror	ecx, 19h
		mov	[esp+104h+var_74], edx
		mov	eax, [eax-4]
		bswap	eax
		mov	[esp+104h+var_B8], eax
		mov	eax, ebx
		mov	esi, [esp+104h+var_B8]
		ror	eax, 0Bh
		add	esi, 71374491h
		xor	ecx, eax
		mov	eax, ebx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_9C]
		add	ecx, [esp+104h+var_A8]
		xor	eax, edi
		mov	edi, [esp+104h+var_90]
		and	eax, ebx
		xor	eax, [esp+104h+var_9C]
		add	eax, ecx
		mov	ecx, edx
		ror	ecx, 2
		add	esi, eax
		mov	eax, ecx
		add	edi, esi
		ror	ecx, 0Bh
		mov	edx, ecx
		mov	[esp+104h+var_90], edi
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_94]
		xor	edx, ecx
		mov	ecx, eax
		or	ecx, [esp+104h+var_68]
		add	edx, esi
		and	ecx, [esp+104h+var_74]
		and	eax, [esp+104h+var_68]
		or	ecx, eax
		add	edx, ecx
		mov	[esp+104h+var_78], edx
		mov	eax, [esp+104h+var_8C]
		mov	ecx, edi
		ror	ecx, 19h
		mov	esi, [eax]
		mov	eax, edi
		ror	eax, 0Bh
		xor	ecx, eax
		mov	eax, edi
		ror	eax, 6
		xor	ecx, eax
		mov	eax, ebx
		xor	eax, [esp+104h+var_A0]
		and	eax, edi
		mov	ebx, [esp+104h+var_94]
		xor	eax, [esp+104h+var_A0]
		bswap	esi
		add	ecx, esi
		mov	[esp+104h+var_A8], esi
		add	eax, ecx
		mov	esi, [esp+104h+var_9C]
		mov	ecx, edx
		add	esi, 0B5C0FBCFh
		add	esi, eax
		ror	ecx, 2
		mov	eax, ecx
		add	ebx, esi
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_74]
		xor	edx, ecx
		mov	ecx, eax
		and	eax, [esp+104h+var_68]
		add	edx, esi
		or	ecx, [esp+104h+var_68]
		and	ecx, [esp+104h+var_78]
		or	eax, ecx
		mov	ecx, ebx
		add	eax, edx
		ror	ecx, 19h
		mov	[esp+104h+var_70], eax
		mov	eax, [esp+104h+var_8C]
		mov	esi, [eax+4]
		mov	eax, ebx
		ror	eax, 0Bh
		xor	ecx, eax
		mov	eax, ebx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_98]
		add	ecx, [esp+104h+var_A0]
		xor	eax, edi
		mov	edi, [esp+104h+var_68]
		and	eax, ebx
		xor	eax, [esp+104h+var_98]
		add	eax, ecx
		mov	ecx, [esp+104h+var_70]
		bswap	esi
		ror	ecx, 2
		mov	[esp+104h+var_9C], esi
		add	esi, 0E9B5DBA5h
		add	esi, eax
		mov	eax, ecx
		ror	ecx, 0Bh
		add	edi, esi
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_74]
		xor	edx, ecx
		mov	ecx, eax
		or	ecx, [esp+104h+var_78]
		add	edx, esi
		and	eax, [esp+104h+var_78]
		and	ecx, [esp+104h+var_70]
		or	ecx, eax
		mov	eax, [esp+104h+var_8C]
		add	ecx, edx
		mov	[esp+104h+var_68], ecx
		mov	esi, [eax+8]
		mov	ecx, edi
		mov	eax, edi
		ror	ecx, 19h
		ror	eax, 0Bh
		xor	ecx, eax
		mov	eax, edi
		ror	eax, 6
		xor	ecx, eax
		mov	eax, ebx
		xor	eax, [esp+104h+var_90]
		and	eax, edi
		xor	eax, [esp+104h+var_90]
		bswap	esi
		mov	[esp+104h+var_A0], esi
		add	esi, ecx
		mov	ecx, [esp+104h+var_98]
		add	esi, eax
		add	ecx, 3956C25Bh
		add	esi, ecx
		mov	ecx, [esp+104h+var_68]
		ror	ecx, 2
		mov	eax, ecx
		add	[esp+104h+var_74], esi
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_78]
		xor	edx, ecx
		mov	ecx, eax
		or	ecx, [esp+104h+var_70]
		and	ecx, [esp+104h+var_68]
		and	eax, [esp+104h+var_70]
		or	ecx, eax
		mov	eax, [esp+104h+var_8C]
		add	ecx, esi
		mov	esi, [esp+104h+var_74]
		add	edx, ecx
		mov	ecx, esi
		ror	ecx, 19h
		mov	eax, [eax+0Ch]
		bswap	eax
		mov	[esp+104h+var_AC], eax
		mov	eax, esi
		ror	eax, 0Bh
		xor	ecx, eax
		mov	[esp+104h+var_94], edx
		mov	eax, esi
		ror	eax, 6
		xor	ecx, eax
		mov	eax, ebx
		add	ecx, [esp+104h+var_AC]
		xor	eax, edi
		and	esi, eax
		xor	esi, ebx
		add	esi, ecx
		mov	ecx, [esp+104h+var_90]
		add	ecx, 59F111F1h
		add	esi, ecx
		mov	ecx, edx
		add	[esp+104h+var_78], esi
		ror	ecx, 2
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_70]
		xor	edx, ecx
		mov	ecx, eax
		or	ecx, [esp+104h+var_68]
		and	eax, [esp+104h+var_68]
		and	ecx, [esp+104h+var_94]
		or	ecx, eax
		mov	eax, [esp+104h+var_8C]
		add	ecx, esi
		add	edx, ecx
		mov	[esp+104h+var_90], edx
		mov	eax, [eax+10h]
		bswap	eax
		mov	[esp+104h+var_B0], eax
		mov	esi, [esp+104h+var_78]
		add	ebx, 923F82A4h
		mov	ecx, esi
		mov	eax, esi
		ror	ecx, 19h
		ror	eax, 0Bh
		xor	ecx, eax
		mov	eax, esi
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_74]
		add	ecx, [esp+104h+var_B0]
		xor	eax, edi
		and	esi, eax
		xor	esi, edi
		add	esi, ecx
		mov	ecx, edx
		ror	ecx, 2
		add	esi, ebx
		mov	ebx, [esp+104h+var_94]
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		add	[esp+104h+var_70], esi
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_68]
		xor	edx, ecx
		mov	ecx, eax
		or	ecx, ebx
		and	eax, ebx
		and	ecx, [esp+104h+var_90]
		or	ecx, eax
		mov	eax, [esp+104h+var_8C]
		add	ecx, esi
		mov	esi, [esp+104h+var_70]
		add	edx, ecx
		mov	ecx, esi
		ror	ecx, 19h
		mov	eax, [eax+14h]
		bswap	eax
		mov	[esp+104h+var_B4], eax
		mov	eax, esi
		ror	eax, 0Bh
		xor	ecx, eax
		mov	[esp+104h+var_7C], edx
		mov	eax, esi
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_74]
		xor	eax, [esp+104h+var_78]
		add	ecx, [esp+104h+var_B4]
		and	esi, eax
		xor	esi, [esp+104h+var_74]
		add	esi, 0AB1C5ED5h
		add	esi, ecx
		mov	ecx, edx
		ror	ecx, 2
		add	esi, edi
		mov	edi, [esp+104h+var_90]
		mov	eax, ecx
		add	[esp+104h+var_68], esi
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, ebx
		xor	edx, ecx
		and	eax, edi
		mov	ecx, ebx
		or	ecx, edi
		and	ecx, [esp+104h+var_7C]
		or	ecx, eax
		mov	eax, [esp+104h+var_8C]
		add	ecx, esi
		mov	esi, [esp+104h+var_68]
		add	edx, ecx
		mov	[esp+104h+var_6C], edx
		mov	eax, [eax+18h]
		bswap	eax
		mov	[esp+104h+var_A4], eax
		mov	ecx, esi
		mov	eax, esi
		ror	eax, 0Bh
		ror	ecx, 19h
		xor	ecx, eax
		mov	eax, esi
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_78]
		xor	eax, [esp+104h+var_70]
		add	ecx, [esp+104h+var_A4]
		and	esi, eax
		xor	esi, [esp+104h+var_78]
		add	esi, ecx
		mov	ecx, [esp+104h+var_74]
		add	ecx, 0D807AA98h
		add	esi, ecx
		mov	ecx, edx
		ror	ecx, 2
		add	ebx, esi
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, edi
		and	eax, [esp+104h+var_7C]
		xor	edx, ecx
		mov	ecx, edi
		or	ecx, [esp+104h+var_7C]
		and	ecx, [esp+104h+var_6C]
		or	eax, ecx
		mov	ecx, ebx
		add	eax, esi
		ror	ecx, 19h
		add	eax, edx
		mov	[esp+104h+var_80], eax
		mov	eax, [esp+104h+var_8C]
		mov	esi, [eax+1Ch]
		mov	eax, ebx
		ror	eax, 0Bh
		xor	ecx, eax
		mov	eax, ebx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_70]
		xor	eax, [esp+104h+var_68]
		and	eax, ebx
		xor	eax, [esp+104h+var_70]
		bswap	esi
		mov	[esp+104h+var_BC], esi
		add	esi, ecx
		mov	ecx, [esp+104h+var_78]
		add	esi, eax
		add	ecx, 12835B01h
		add	esi, ecx
		mov	ecx, [esp+104h+var_80]
		ror	ecx, 2
		add	edi, esi
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_7C]
		xor	edx, ecx
		mov	ecx, eax
		and	eax, [esp+104h+var_6C]
		or	ecx, [esp+104h+var_6C]
		and	ecx, [esp+104h+var_80]
		or	eax, ecx
		mov	ecx, edi
		add	eax, esi
		add	eax, edx
		ror	ecx, 19h
		mov	[esp+104h+var_74], eax
		mov	eax, [esp+104h+var_8C]
		mov	esi, [eax+20h]
		mov	eax, edi
		bswap	esi
		mov	[esp+104h+var_C0], esi
		ror	eax, 0Bh
		xor	ecx, eax
		mov	eax, edi
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_68]
		add	esi, ecx
		xor	eax, ebx
		mov	ecx, [esp+104h+var_70]
		and	eax, edi
		xor	eax, [esp+104h+var_68]
		add	ecx, 243185BEh
		add	esi, eax
		add	esi, ecx
		mov	ecx, [esp+104h+var_74]
		ror	ecx, 2
		mov	eax, ecx
		add	[esp+104h+var_7C], esi
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_80]
		xor	edx, ecx
		mov	ecx, eax
		and	eax, [esp+104h+var_6C]
		or	ecx, [esp+104h+var_6C]
		and	ecx, [esp+104h+var_74]
		or	eax, ecx
		add	eax, esi
		add	eax, edx
		mov	edx, [esp+104h+var_7C]
		mov	[esp+104h+var_70], eax
		mov	ecx, edx
		mov	eax, [esp+104h+var_8C]
		ror	ecx, 19h
		mov	esi, [eax+24h]
		mov	eax, edx
		ror	eax, 0Bh
		xor	ecx, eax
		mov	eax, edx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, ebx
		xor	eax, edi
		and	eax, edx
		bswap	esi
		xor	eax, ebx
		mov	[esp+104h+var_C4], esi
		add	esi, ecx
		mov	ecx, [esp+104h+var_68]
		add	esi, eax
		add	ecx, 550C7DC3h
		add	esi, ecx
		mov	ecx, [esp+104h+var_70]
		ror	ecx, 2
		add	[esp+104h+var_6C], esi
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_80]
		xor	edx, ecx
		mov	ecx, eax
		or	ecx, [esp+104h+var_74]
		and	eax, [esp+104h+var_74]
		and	ecx, [esp+104h+var_70]
		or	eax, ecx
		add	eax, esi
		add	eax, edx
		mov	edx, [esp+104h+var_6C]
		mov	[esp+104h+var_68], eax
		mov	ecx, edx
		mov	eax, [esp+104h+var_8C]
		ror	ecx, 19h
		mov	esi, [eax+28h]
		mov	eax, edx
		bswap	esi
		mov	[esp+104h+var_C8], esi
		ror	eax, 0Bh
		xor	ecx, eax
		add	ebx, 72BE5D74h
		mov	eax, edx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, edi
		xor	eax, [esp+104h+var_7C]
		add	esi, ecx
		mov	ecx, [esp+104h+var_68]
		and	eax, edx
		xor	eax, edi
		ror	ecx, 2
		add	esi, eax
		add	edi, 80DEB1FEh
		mov	eax, ecx
		add	esi, ebx
		ror	ecx, 0Bh
		mov	edx, ecx
		mov	ebx, [esp+104h+var_80]
		ror	edx, 9
		add	ebx, esi
		xor	edx, eax
		mov	[esp+104h+var_80], ebx
		mov	eax, [esp+104h+var_74]
		xor	edx, ecx
		mov	ecx, eax
		and	eax, [esp+104h+var_70]
		or	ecx, [esp+104h+var_70]
		and	ecx, [esp+104h+var_68]
		or	ecx, eax
		mov	eax, [esp+104h+var_8C]
		add	ecx, esi
		add	edx, ecx
		mov	ecx, ebx
		ror	ecx, 19h
		mov	esi, [eax+2Ch]
		mov	eax, ebx
		ror	eax, 0Bh
		xor	ecx, eax
		mov	[esp+104h+var_78], edx
		mov	eax, ebx
		mov	ebx, [esp+104h+var_7C]
		ror	eax, 6
		xor	ecx, eax
		mov	eax, ebx
		xor	eax, [esp+104h+var_6C]
		and	eax, [esp+104h+var_80]
		bswap	esi
		mov	[esp+104h+var_90], esi
		xor	eax, ebx
		add	esi, ecx
		mov	ecx, edx
		ror	ecx, 2
		add	esi, eax
		mov	eax, ecx
		add	esi, edi
		mov	edi, [esp+104h+var_74]
		ror	ecx, 0Bh
		add	edi, esi
		mov	edx, ecx
		mov	[esp+104h+var_74], edi
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_70]
		xor	edx, ecx
		mov	ecx, eax
		or	ecx, [esp+104h+var_68]
		and	ecx, [esp+104h+var_78]
		and	eax, [esp+104h+var_68]
		or	ecx, eax
		mov	eax, [esp+104h+var_8C]
		add	ecx, esi
		add	edx, ecx
		mov	ecx, edi
		ror	ecx, 19h
		mov	esi, [eax+30h]
		mov	eax, edi
		bswap	esi
		mov	[esp+104h+var_7C], edx
		mov	[esp+104h+var_98], esi
		ror	eax, 0Bh
		xor	ecx, eax
		mov	[esp+104h+var_84], offset dword_409944
		mov	eax, edi
		add	ebx, 9BDC06A7h
		mov	edi, [esp+104h+var_6C]
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_80]
		add	esi, ecx
		xor	eax, edi
		and	eax, [esp+104h+var_74]
		mov	ecx, edx
		xor	eax, edi
		ror	ecx, 2
		add	esi, eax
		add	edi, 0C19BF174h
		mov	eax, ecx
		add	esi, ebx
		ror	ecx, 0Bh
		mov	ebx, [esp+104h+var_70]
		mov	edx, ecx
		ror	edx, 9
		add	ebx, esi
		xor	edx, eax
		mov	[esp+104h+var_70], ebx
		mov	eax, [esp+104h+var_68]
		xor	edx, ecx
		mov	ecx, eax
		and	eax, [esp+104h+var_78]
		or	ecx, [esp+104h+var_78]
		and	ecx, [esp+104h+var_7C]
		or	ecx, eax
		mov	eax, [esp+104h+var_8C]
		add	ecx, esi
		add	edx, ecx
		mov	ecx, ebx
		ror	ecx, 19h
		mov	esi, [eax+34h]
		mov	eax, ebx
		ror	eax, 0Bh
		xor	ecx, eax
		mov	[esp+104h+var_88], edx
		mov	eax, ebx
		mov	ebx, [esp+104h+var_80]
		ror	eax, 6
		xor	ecx, eax
		mov	eax, ebx
		xor	eax, [esp+104h+var_74]
		and	eax, [esp+104h+var_70]
		bswap	esi
		mov	[esp+104h+var_94], esi
		xor	eax, ebx
		add	esi, ecx
		mov	ecx, edx
		add	esi, eax
		ror	ecx, 2
		mov	eax, ecx
		add	esi, edi
		add	[esp+104h+var_68], esi
		mov	edi, [esp+104h+var_74]
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_78]
		xor	edx, ecx
		mov	ecx, eax
		or	ecx, [esp+104h+var_7C]
		and	eax, [esp+104h+var_7C]
		and	ecx, [esp+104h+var_88]
		or	eax, ecx
		add	eax, esi
		mov	esi, [esp+104h+var_68]
		add	eax, edx
		mov	[esp+104h+var_6C], eax
		jmp	short loc_58EA97
; 

loc_58EA90:				; CODE XREF: SymCryptSha256AppendBlocks_ul1(x,x,x,x)+15F7j
		mov	ebx, [esp+104h+var_80]

loc_58EA97:				; CODE XREF: SymCryptSha256AppendBlocks_ul1(x,x,x,x)+986j
		mov	ecx, [esp+104h+var_98]
		mov	edx, ecx
		mov	eax, ecx
		ror	edx, 13h
		ror	eax, 11h
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 0Ah
		xor	edx, eax
		mov	eax, [esp+104h+var_B8]
		add	edx, [esp+104h+var_CC]
		mov	ecx, eax
		ror	eax, 7
		ror	ecx, 12h
		xor	ecx, eax
		mov	eax, [esp+104h+var_B8]
		shr	eax, 3
		xor	ecx, eax
		mov	eax, esi
		add	edx, ecx
		ror	eax, 0Bh
		add	edx, [esp+104h+var_BC]
		mov	ecx, esi
		ror	ecx, 19h
		xor	ecx, eax
		mov	[esp+104h+var_CC], edx
		mov	eax, esi
		mov	[esp+104h+var_64], edx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, edi
		xor	eax, [esp+104h+var_70]
		and	esi, eax
		mov	eax, [esp+104h+var_84]
		xor	esi, edi
		add	esi, ecx
		mov	ecx, [esp+104h+var_6C]
		ror	ecx, 2
		add	esi, [eax-4]
		mov	eax, ecx
		ror	ecx, 0Bh
		add	esi, ebx
		mov	ebx, [esp+104h+var_78]
		add	esi, edx
		mov	edx, ecx
		add	ebx, esi
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_7C]
		xor	edx, ecx
		mov	ecx, eax
		or	ecx, [esp+104h+var_88]
		add	edx, esi
		and	eax, [esp+104h+var_88]
		and	ecx, [esp+104h+var_6C]
		mov	esi, [esp+104h+var_A8]
		or	eax, ecx
		mov	ecx, [esp+104h+var_94]
		add	eax, edx
		mov	[esp+104h+var_78], eax
		mov	edx, ecx
		mov	eax, ecx
		ror	edx, 13h
		ror	eax, 11h
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 0Ah
		mov	ecx, esi
		xor	edx, eax
		ror	ecx, 12h
		add	edx, [esp+104h+var_C0]
		mov	eax, esi
		ror	eax, 7
		xor	ecx, eax
		shr	esi, 3
		xor	esi, ecx
		mov	ecx, ebx
		add	esi, edx
		add	esi, [esp+104h+var_B8]
		mov	[esp+104h+var_B8], esi
		mov	[esp+104h+var_60], esi
		ror	ecx, 19h
		mov	eax, ebx
		ror	eax, 0Bh
		xor	ecx, eax
		mov	eax, ebx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_70]
		xor	eax, [esp+104h+var_68]
		add	ecx, edi
		and	eax, ebx
		mov	edi, [esp+104h+var_7C]
		xor	eax, [esp+104h+var_70]
		add	eax, ecx
		mov	ecx, [esp+104h+var_84]
		add	eax, [ecx]
		mov	ecx, [esp+104h+var_78]
		add	esi, eax
		ror	ecx, 2
		add	edi, esi
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_88]
		xor	edx, ecx
		mov	ecx, eax
		and	eax, [esp+104h+var_6C]
		add	edx, esi
		or	ecx, [esp+104h+var_6C]
		and	ecx, [esp+104h+var_78]
		or	eax, ecx
		mov	esi, [esp+104h+var_9C]
		mov	ecx, [esp+104h+var_CC]
		add	eax, edx
		mov	[esp+104h+var_7C], eax
		mov	edx, ecx
		mov	eax, ecx
		ror	edx, 13h
		ror	eax, 11h
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 0Ah
		mov	ecx, esi
		xor	edx, eax
		ror	ecx, 12h
		add	edx, [esp+104h+var_C4]
		mov	eax, esi
		ror	eax, 7
		xor	ecx, eax
		shr	esi, 3
		xor	esi, ecx
		mov	eax, edi
		ror	eax, 0Bh
		mov	ecx, edi
		ror	ecx, 19h
		add	esi, edx
		xor	ecx, eax
		add	esi, [esp+104h+var_A8]
		mov	eax, edi
		mov	[esp+104h+var_A8], esi
		ror	eax, 6
		xor	ecx, eax
		mov	[esp+104h+var_5C], esi
		mov	eax, ebx
		xor	eax, [esp+104h+var_68]
		and	eax, edi
		xor	eax, [esp+104h+var_68]
		add	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	ecx, [eax+4]
		add	ecx, [esp+104h+var_70]
		add	esi, ecx
		mov	ecx, [esp+104h+var_7C]
		add	[esp+104h+var_88], esi
		ror	ecx, 2
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_78]
		xor	edx, ecx
		mov	ecx, eax
		or	ecx, [esp+104h+var_6C]
		add	edx, esi
		and	eax, [esp+104h+var_6C]
		and	ecx, [esp+104h+var_7C]
		or	ecx, eax
		mov	esi, [esp+104h+var_B8]
		add	ecx, edx
		mov	[esp+104h+var_74], ecx
		mov	ecx, [esp+104h+var_A0]
		mov	edx, ecx
		mov	eax, ecx
		ror	edx, 12h
		ror	eax, 7
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 3
		mov	ecx, esi
		xor	edx, eax
		ror	ecx, 13h
		add	edx, [esp+104h+var_C8]
		mov	eax, esi
		ror	eax, 11h
		xor	ecx, eax
		shr	esi, 0Ah
		xor	esi, ecx
		add	esi, edx
		mov	edx, [esp+104h+var_88]
		add	esi, [esp+104h+var_9C]
		mov	ecx, edx
		ror	ecx, 19h
		mov	eax, edx
		ror	eax, 0Bh
		xor	ecx, eax
		mov	[esp+104h+var_9C], esi
		mov	eax, edx
		mov	[esp+104h+var_58], esi
		ror	eax, 6
		xor	ecx, eax
		mov	eax, ebx
		xor	eax, edi
		and	eax, edx
		xor	eax, ebx
		add	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	ecx, [eax+8]
		mov	eax, [esp+104h+var_68]
		add	ecx, esi
		mov	esi, [esp+104h+var_7C]
		add	eax, ecx
		add	[esp+104h+var_6C], eax
		mov	ecx, [esp+104h+var_74]
		ror	ecx, 2
		mov	[esp+104h+var_68], eax
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		xor	edx, ecx
		mov	ecx, [esp+104h+var_78]
		or	ecx, esi
		and	esi, [esp+104h+var_78]
		and	ecx, [esp+104h+var_74]
		or	esi, ecx
		mov	ecx, [esp+104h+var_AC]
		add	esi, [esp+104h+var_68]
		mov	eax, ecx
		add	esi, edx
		ror	eax, 7
		mov	edx, ecx
		ror	edx, 12h
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 3
		xor	edx, eax
		mov	eax, [esp+104h+var_A8]
		mov	ecx, eax
		add	edx, [esp+104h+var_90]
		ror	eax, 11h
		ror	ecx, 13h
		xor	ecx, eax
		mov	eax, [esp+104h+var_A8]
		shr	eax, 0Ah
		xor	eax, ecx
		add	eax, edx
		mov	edx, [esp+104h+var_6C]
		add	eax, [esp+104h+var_A0]
		mov	ecx, edx
		mov	[esp+104h+var_A0], eax
		mov	[esp+104h+var_54], eax
		mov	eax, edx
		ror	eax, 0Bh
		ror	ecx, 19h
		xor	ecx, eax
		mov	eax, edx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, edi
		xor	eax, [esp+104h+var_88]
		and	eax, edx
		xor	eax, edi
		add	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	ecx, [eax+0Ch]
		add	ecx, [esp+104h+var_A0]
		add	ebx, ecx
		mov	ecx, esi
		add	[esp+104h+var_78], ebx
		ror	ecx, 2
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_7C]
		xor	edx, ecx
		mov	ecx, eax
		and	eax, [esp+104h+var_74]
		or	ecx, [esp+104h+var_74]
		and	ecx, esi
		or	ecx, eax
		add	ebx, ecx
		mov	ecx, [esp+104h+var_B0]
		add	ebx, edx
		mov	eax, ecx
		ror	eax, 7
		mov	edx, ecx
		ror	edx, 12h
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 3
		xor	edx, eax
		mov	eax, [esp+104h+var_9C]
		add	edx, [esp+104h+var_98]
		mov	ecx, eax
		ror	eax, 11h
		ror	ecx, 13h
		xor	ecx, eax
		mov	eax, [esp+104h+var_9C]
		shr	eax, 0Ah
		xor	eax, ecx
		add	eax, edx
		mov	edx, [esp+104h+var_78]
		add	eax, [esp+104h+var_AC]
		mov	ecx, edx
		mov	[esp+104h+var_AC], eax
		mov	[esp+104h+var_50], eax
		mov	eax, edx
		ror	eax, 0Bh
		ror	ecx, 19h
		xor	ecx, eax
		mov	eax, edx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_88]
		xor	eax, [esp+104h+var_6C]
		and	eax, edx
		xor	eax, [esp+104h+var_88]
		add	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	ecx, [eax+10h]
		add	ecx, [esp+104h+var_AC]
		add	edi, ecx
		mov	ecx, ebx
		ror	ecx, 2
		mov	eax, ecx
		add	[esp+104h+var_7C], edi
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_74]
		xor	edx, ecx
		mov	ecx, eax
		and	eax, esi
		or	ecx, esi
		and	ecx, ebx
		or	eax, ecx
		mov	ecx, [esp+104h+var_B4]
		add	eax, edi
		mov	edi, [esp+104h+var_A0]
		add	eax, edx
		mov	edx, ecx
		mov	[esp+104h+var_68], eax
		mov	eax, ecx
		ror	eax, 7
		ror	edx, 12h
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 3
		mov	ecx, edi
		xor	edx, eax
		ror	ecx, 13h
		add	edx, [esp+104h+var_94]
		mov	eax, edi
		ror	eax, 11h
		xor	ecx, eax
		mov	eax, edi
		mov	edi, [esp+104h+var_7C]
		shr	eax, 0Ah
		xor	eax, ecx
		mov	ecx, edi
		add	eax, edx
		ror	ecx, 19h
		add	eax, [esp+104h+var_B0]
		mov	[esp+104h+var_B0], eax
		mov	[esp+104h+var_4C], eax
		mov	eax, edi
		ror	eax, 0Bh
		xor	ecx, eax
		mov	eax, edi
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_78]
		xor	eax, [esp+104h+var_6C]
		and	eax, edi
		xor	eax, [esp+104h+var_6C]
		add	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	ecx, [eax+14h]
		add	ecx, [esp+104h+var_B0]
		mov	eax, [esp+104h+var_88]
		add	eax, ecx
		mov	ecx, [esp+104h+var_68]
		add	[esp+104h+var_74], eax
		ror	ecx, 2
		mov	[esp+104h+var_88], eax
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, esi
		xor	edx, ecx
		and	eax, ebx
		mov	ecx, esi
		or	ecx, ebx
		and	ecx, [esp+104h+var_68]
		or	eax, ecx
		add	eax, [esp+104h+var_88]
		add	eax, edx
		mov	ecx, [esp+104h+var_A4]
		mov	[esp+104h+var_70], eax
		mov	edx, ecx
		mov	eax, ecx
		ror	edx, 12h
		ror	eax, 7
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 3
		xor	edx, eax
		mov	eax, [esp+104h+var_AC]
		add	edx, [esp+104h+var_CC]
		mov	ecx, eax
		ror	eax, 11h
		ror	ecx, 13h
		xor	ecx, eax
		mov	eax, [esp+104h+var_AC]
		shr	eax, 0Ah
		xor	eax, ecx
		add	eax, edx
		mov	edx, [esp+104h+var_74]
		add	eax, [esp+104h+var_B4]
		mov	ecx, edx
		mov	[esp+104h+var_B4], eax
		mov	[esp+104h+var_48], eax
		mov	eax, edx
		ror	eax, 0Bh
		ror	ecx, 19h
		xor	ecx, eax
		mov	eax, edx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_78]
		xor	eax, edi
		and	eax, edx
		xor	eax, [esp+104h+var_78]
		add	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	ecx, [eax+18h]
		add	ecx, [esp+104h+var_B4]
		mov	eax, [esp+104h+var_6C]
		add	eax, ecx
		mov	ecx, [esp+104h+var_70]
		add	esi, eax
		mov	[esp+104h+var_6C], eax
		ror	ecx, 2
		mov	eax, ecx
		mov	[esp+104h+var_80], esi
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, ebx
		and	eax, [esp+104h+var_68]
		xor	edx, ecx
		mov	ecx, ebx
		or	ecx, [esp+104h+var_68]
		and	ecx, [esp+104h+var_70]
		or	eax, ecx
		mov	ecx, [esp+104h+var_BC]
		add	eax, [esp+104h+var_6C]
		add	eax, edx
		mov	edx, ecx
		mov	[esp+104h+var_6C], eax
		mov	eax, ecx
		ror	eax, 7
		ror	edx, 12h
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 3
		xor	edx, eax
		mov	eax, [esp+104h+var_B0]
		mov	ecx, eax
		ror	eax, 11h
		ror	ecx, 13h
		xor	ecx, eax
		mov	eax, [esp+104h+var_B0]
		shr	eax, 0Ah
		xor	ecx, eax
		add	edx, [esp+104h+var_A4]
		mov	eax, esi
		add	edx, ecx
		ror	eax, 0Bh
		add	edx, [esp+104h+var_B8]
		mov	ecx, esi
		ror	ecx, 19h
		xor	ecx, eax
		mov	[esp+104h+var_A4], edx
		mov	eax, esi
		mov	[esp+104h+var_44], edx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, edi
		xor	eax, [esp+104h+var_74]
		and	eax, esi
		mov	esi, [esp+104h+var_78]
		xor	eax, edi
		add	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	ecx, [eax+1Ch]
		add	ecx, edx
		add	esi, ecx
		mov	ecx, [esp+104h+var_6C]
		ror	ecx, 2
		add	ebx, esi
		mov	eax, ecx
		mov	[esp+104h+var_7C], ebx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_68]
		xor	edx, ecx
		mov	ecx, eax
		and	eax, [esp+104h+var_70]
		or	ecx, [esp+104h+var_70]
		and	ecx, [esp+104h+var_6C]
		or	ecx, eax
		add	esi, ecx
		mov	ecx, [esp+104h+var_C0]
		mov	eax, ecx
		add	esi, edx
		ror	eax, 7
		mov	edx, ecx
		ror	edx, 12h
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 3
		xor	edx, eax
		mov	eax, [esp+104h+var_B4]
		add	edx, [esp+104h+var_BC]
		mov	ecx, eax
		ror	eax, 11h
		ror	ecx, 13h
		xor	ecx, eax
		mov	eax, [esp+104h+var_B4]
		shr	eax, 0Ah
		xor	eax, ecx
		mov	ecx, ebx
		add	eax, edx
		ror	ecx, 19h
		add	eax, [esp+104h+var_A8]
		mov	[esp+104h+var_BC], eax
		mov	[esp+104h+var_40], eax
		mov	eax, ebx
		ror	eax, 0Bh
		xor	ecx, eax
		mov	eax, ebx
		mov	ebx, [esp+104h+var_80]
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_74]
		xor	eax, ebx
		and	eax, [esp+104h+var_7C]
		xor	eax, [esp+104h+var_74]
		add	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	ecx, [eax+20h]
		add	ecx, [esp+104h+var_BC]
		add	edi, ecx
		add	[esp+104h+var_68], edi
		mov	ecx, esi
		ror	ecx, 2
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_70]
		xor	edx, ecx
		mov	ecx, eax
		and	eax, [esp+104h+var_6C]
		or	ecx, [esp+104h+var_6C]
		and	ecx, esi
		or	ecx, eax
		add	edi, ecx
		mov	ecx, [esp+104h+var_C4]
		mov	eax, ecx
		add	edi, edx
		ror	eax, 7
		mov	edx, ecx
		ror	edx, 12h
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 3
		xor	edx, eax
		mov	eax, [esp+104h+var_A4]
		add	edx, [esp+104h+var_C0]
		mov	ecx, eax
		ror	eax, 11h
		ror	ecx, 13h
		xor	ecx, eax
		mov	eax, [esp+104h+var_A4]
		shr	eax, 0Ah
		xor	eax, ecx
		add	eax, edx
		mov	edx, [esp+104h+var_68]
		add	eax, [esp+104h+var_9C]
		mov	ecx, edx
		mov	[esp+104h+var_C0], eax
		mov	[esp+104h+var_3C], eax
		mov	eax, edx
		ror	ecx, 19h
		ror	eax, 0Bh
		xor	ecx, eax
		mov	eax, edx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, ebx
		xor	eax, [esp+104h+var_7C]
		and	eax, edx
		xor	eax, ebx
		mov	ebx, [esp+104h+var_74]
		add	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	ecx, [eax+24h]
		add	ecx, [esp+104h+var_C0]
		add	ebx, ecx
		mov	ecx, edi
		add	[esp+104h+var_70], ebx
		ror	ecx, 2
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, esi
		and	eax, [esp+104h+var_6C]
		xor	edx, ecx
		mov	ecx, esi
		or	ecx, [esp+104h+var_6C]
		and	ecx, edi
		or	ecx, eax
		add	ebx, ecx
		mov	ecx, [esp+104h+var_C8]
		add	ebx, edx
		mov	eax, ecx
		mov	edx, ecx
		ror	eax, 7
		ror	edx, 12h
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 3
		xor	edx, eax
		mov	eax, [esp+104h+var_BC]
		mov	ecx, eax
		add	edx, [esp+104h+var_C4]
		ror	eax, 11h
		ror	ecx, 13h
		xor	ecx, eax
		mov	eax, [esp+104h+var_BC]
		shr	eax, 0Ah
		xor	eax, ecx
		add	eax, edx
		mov	edx, [esp+104h+var_70]
		add	eax, [esp+104h+var_A0]
		mov	ecx, edx
		mov	[esp+104h+var_C4], eax
		mov	[esp+104h+var_38], eax
		mov	eax, edx
		ror	eax, 0Bh
		ror	ecx, 19h
		xor	ecx, eax
		mov	eax, edx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_7C]
		xor	eax, [esp+104h+var_68]
		and	eax, edx
		xor	eax, [esp+104h+var_7C]
		add	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	ecx, [eax+28h]
		add	ecx, [esp+104h+var_C4]
		mov	eax, [esp+104h+var_80]
		add	eax, ecx
		mov	ecx, ebx
		add	[esp+104h+var_6C], eax
		mov	[esp+104h+var_80], eax
		ror	ecx, 2
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, esi
		xor	edx, ecx
		and	eax, edi
		mov	ecx, esi
		or	ecx, edi
		and	ecx, ebx
		or	eax, ecx
		mov	ecx, [esp+104h+var_90]
		add	eax, [esp+104h+var_80]
		add	eax, edx
		mov	edx, ecx
		mov	[esp+104h+var_78], eax
		mov	eax, ecx
		ror	eax, 7
		ror	edx, 12h
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 3
		xor	edx, eax
		mov	eax, [esp+104h+var_C0]
		add	edx, [esp+104h+var_C8]
		mov	ecx, eax
		ror	eax, 11h
		ror	ecx, 13h
		xor	ecx, eax
		mov	eax, [esp+104h+var_C0]
		shr	eax, 0Ah
		xor	eax, ecx
		add	eax, edx
		mov	edx, [esp+104h+var_6C]
		add	eax, [esp+104h+var_AC]
		mov	ecx, edx
		mov	[esp+104h+var_C8], eax
		mov	[esp+104h+var_34], eax
		mov	eax, edx
		ror	ecx, 19h
		ror	eax, 0Bh
		xor	ecx, eax
		mov	eax, edx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_68]
		xor	eax, [esp+104h+var_70]
		and	eax, edx
		xor	eax, [esp+104h+var_68]
		add	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	ecx, [eax+2Ch]
		add	ecx, [esp+104h+var_C8]
		mov	eax, [esp+104h+var_7C]
		add	eax, ecx
		mov	[esp+104h+var_7C], eax
		add	eax, esi
		mov	esi, [esp+104h+var_78]
		mov	ecx, esi
		mov	[esp+104h+var_80], eax
		ror	ecx, 2
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, edi
		xor	edx, ecx
		and	eax, ebx
		add	edx, [esp+104h+var_7C]
		mov	ecx, edi
		or	ecx, ebx
		and	ecx, esi
		or	eax, ecx
		mov	ecx, [esp+104h+var_98]
		add	eax, edx
		mov	edx, ecx
		mov	[esp+104h+var_78], eax
		mov	eax, ecx
		ror	eax, 7
		ror	edx, 12h
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 3
		xor	edx, eax
		mov	eax, [esp+104h+var_C4]
		add	edx, [esp+104h+var_90]
		mov	ecx, eax
		ror	eax, 11h
		ror	ecx, 13h
		xor	ecx, eax
		mov	eax, [esp+104h+var_C4]
		shr	eax, 0Ah
		xor	eax, ecx
		add	eax, edx
		mov	edx, [esp+104h+var_80]
		add	eax, [esp+104h+var_B0]
		mov	ecx, edx
		mov	[esp+104h+var_90], eax
		mov	[esp+104h+var_30], eax
		mov	eax, edx
		ror	eax, 0Bh
		ror	ecx, 19h
		xor	ecx, eax
		mov	eax, edx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_70]
		xor	eax, [esp+104h+var_6C]
		and	eax, edx
		xor	eax, [esp+104h+var_70]
		add	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	ecx, [eax+30h]
		add	ecx, [esp+104h+var_90]
		mov	eax, [esp+104h+var_68]
		add	eax, ecx
		mov	ecx, [esp+104h+var_78]
		add	edi, eax
		mov	[esp+104h+var_68], eax
		mov	[esp+104h+var_74], edi
		ror	ecx, 2
		mov	eax, ecx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, ebx
		xor	edx, ecx
		and	eax, esi
		add	edx, [esp+104h+var_68]
		mov	ecx, ebx
		or	ecx, esi
		and	ecx, [esp+104h+var_78]
		or	eax, ecx
		mov	ecx, [esp+104h+var_94]
		add	eax, edx
		mov	edx, ecx
		mov	[esp+104h+var_7C], eax
		mov	eax, ecx
		ror	eax, 7
		ror	edx, 12h
		xor	edx, eax
		mov	eax, ecx
		shr	eax, 3
		xor	edx, eax
		mov	eax, [esp+104h+var_C8]
		add	edx, [esp+104h+var_98]
		mov	ecx, eax
		ror	eax, 11h
		ror	ecx, 13h
		xor	ecx, eax
		mov	eax, [esp+104h+var_C8]
		shr	eax, 0Ah
		xor	eax, ecx
		mov	ecx, edi
		add	eax, edx
		ror	ecx, 19h
		add	eax, [esp+104h+var_B4]
		mov	[esp+104h+var_98], eax
		mov	[esp+104h+var_2C], eax
		mov	eax, edi
		ror	eax, 0Bh
		xor	ecx, eax
		mov	eax, edi
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_80]
		xor	eax, [esp+104h+var_6C]
		and	eax, edi
		mov	edi, [esp+104h+var_70]
		xor	eax, [esp+104h+var_6C]
		add	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	ecx, [eax+34h]
		add	ecx, [esp+104h+var_98]
		add	edi, ecx
		mov	ecx, [esp+104h+var_7C]
		ror	ecx, 2
		add	ebx, edi
		mov	eax, ecx
		mov	[esp+104h+var_70], ebx
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, esi
		and	eax, [esp+104h+var_78]
		xor	edx, ecx
		mov	ecx, esi
		add	edx, edi
		or	ecx, [esp+104h+var_78]
		and	ecx, [esp+104h+var_7C]
		or	eax, ecx
		mov	ecx, [esp+104h+var_90]
		add	eax, edx
		mov	edx, ecx
		mov	[esp+104h+var_88], eax
		mov	eax, ecx
		ror	eax, 11h
		ror	edx, 13h
		xor	edx, eax
		mov	eax, ecx
		mov	edi, [esp+104h+var_CC]
		mov	ecx, edi
		shr	eax, 0Ah
		xor	edx, eax
		ror	ecx, 12h
		add	edx, [esp+104h+var_94]
		mov	eax, edi
		ror	eax, 7
		xor	ecx, eax
		mov	eax, edi
		shr	eax, 3
		xor	eax, ecx
		mov	edi, [esp+104h+var_74]
		add	eax, edx
		mov	ecx, ebx
		add	eax, [esp+104h+var_A4]
		mov	[esp+104h+var_94], eax
		mov	[esp+104h+var_28], eax
		mov	eax, ebx
		ror	ecx, 19h
		ror	eax, 0Bh
		xor	ecx, eax
		mov	eax, ebx
		ror	eax, 6
		xor	ecx, eax
		mov	eax, [esp+104h+var_80]
		xor	eax, edi
		and	eax, ebx
		mov	ebx, [esp+104h+var_6C]
		xor	eax, [esp+104h+var_80]
		add	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	ecx, [eax+38h]
		add	ecx, [esp+104h+var_94]
		add	ebx, ecx
		mov	ecx, [esp+104h+var_88]
		ror	ecx, 2
		add	esi, ebx
		mov	eax, ecx
		mov	[esp+104h+var_68], esi
		ror	ecx, 0Bh
		mov	edx, ecx
		ror	edx, 9
		xor	edx, eax
		mov	eax, [esp+104h+var_78]
		xor	edx, ecx
		mov	ecx, eax
		or	ecx, [esp+104h+var_7C]
		add	edx, ebx
		and	eax, [esp+104h+var_7C]
		and	ecx, [esp+104h+var_88]
		or	ecx, eax
		mov	eax, [esp+104h+var_84]
		add	eax, 40h
		add	ecx, edx
		mov	[esp+104h+var_6C], ecx
		mov	[esp+104h+var_84], eax
		cmp	eax, (offset __xmm@0c0d0e0f08090a0b0405060700010203+4)
		jl	loc_58EA90
		mov	eax, [esp+104h+var_F8]
		mov	edx, [esp+104h+var_D4]
		mov	edi, [esp+104h+var_E4]
		add	edx, ecx
		mov	ebx, [esp+104h+var_70]
		mov	ecx, edx
		add	ebx, [esp+104h+var_E8]
		add	edi, esi
		mov	[eax], ecx
		mov	esi, [esp+104h+var_74]
		add	esi, [esp+104h+var_EC]
		mov	[esp+104h+var_D4], ecx
		mov	ecx, [esp+104h+var_D8]
		add	ecx, [esp+104h+var_88]
		mov	[eax+4], ecx
		mov	[esp+104h+var_94], ecx
		mov	[esp+104h+var_C], ecx
		mov	[esp+104h+var_D8], ecx
		mov	ecx, [esp+104h+var_DC]
		add	ecx, [esp+104h+var_7C]
		mov	[eax+8], ecx
		mov	[esp+104h+var_90], ecx
		mov	[esp+104h+var_10], ecx
		mov	[esp+104h+var_DC], ecx
		mov	ecx, [esp+104h+var_E0]
		add	ecx, [esp+104h+var_78]
		mov	[eax+0Ch], ecx
		mov	[esp+104h+var_98], ecx
		mov	[esp+104h+var_14], ecx
		mov	[esp+104h+var_E0], ecx
		mov	ecx, edi
		mov	[eax+10h], ecx
		mov	[esp+104h+var_E4], ecx
		mov	ecx, ebx
		mov	[eax+14h], ecx
		mov	[esp+104h+var_E8], ecx
		mov	ecx, esi
		mov	[eax+18h], ecx
		mov	[esp+104h+var_EC], ecx
		mov	ecx, [esp+104h+var_80]
		add	ecx, [esp+104h+var_F0]
		mov	[eax+1Ch], ecx
		mov	eax, [esp+104h+var_8C]
		mov	[esp+104h+var_A4], ecx
		add	eax, 40h
		mov	[esp+104h+var_24], ecx
		mov	[esp+104h+var_F0], ecx
		mov	ecx, [esp+104h+arg_0]
		sub	ecx, 40h
		mov	[esp+104h+var_68], edx
		sub	[esp+104h+var_D0], 1
		mov	[esp+104h+var_8], edx
		mov	[esp+104h+var_A0], edi
		mov	[esp+104h+var_18], edi
		mov	[esp+104h+var_9C], ebx
		mov	[esp+104h+var_1C], ebx
		mov	[esp+104h+var_A8], esi
		mov	[esp+104h+var_20], esi
		mov	[esp+104h+var_8C], eax
		mov	[esp+104h+arg_0], ecx
		jnz	loc_58E1FC
		jmp	short loc_58F81E
; 

loc_58F817:				; CODE XREF: SymCryptSha256AppendBlocks_ul1(x,x,x,x)+ADj
		mov	ecx, [esp+104h+arg_0]

loc_58F81E:				; CODE XREF: SymCryptSha256AppendBlocks_ul1(x,x,x,x)+170Dj
		mov	eax, [esp+104h+var_F4]
		xor	esi, esi
		push	40h
		pop	edx
		mov	[eax], ecx
		lea	ecx, [esp+104h+var_64]
		mov	[esp+104h+var_24], esi
		mov	[esp+104h+var_20], esi
		mov	[esp+104h+var_1C], esi
		mov	[esp+104h+var_18], esi
		mov	[esp+104h+var_14], esi
		mov	[esp+104h+var_10], esi
		mov	[esp+104h+var_C], esi
		mov	[esp+104h+var_8], esi
		call	@SymCryptWipe@8	; SymCryptWipe(x,x)
		pop	edi
		mov	[esp+100h+var_F4], esi
		mov	ecx, [esp+100h+var_4]
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		add	esp, 0F8h
		retn	8
@SymCryptSha256AppendBlocks_ul1@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall SymCryptSha256Init(x)
@SymCryptSha256Init@4 proc near		; CODE XREF: SymCryptSha256(x,x,x)+2Fp
		mov	edi, edi
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ecx+58h]
		push	8
		mov	[ecx+8], eax
		mov	esi, offset dword_4097E4
		mov	[ecx+0Ch], eax
		mov	[ecx], eax
		pop	ecx
		rep movsd
		pop	edi
		pop	esi
		retn
@SymCryptSha256Init@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall SymCryptSha256Result(x, x)
@SymCryptSha256Result@8	proc near	; CODE XREF: SymCryptSha256(x,x,x)+44p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	eax, [esi]
		lea	edi, [esi+58h]
		mov	byte ptr [eax+esi+18h],	80h
		inc	eax
		cmp	eax, 38h
		jbe	short loc_58F8EC
		push	40h
		pop	edx
		lea	ecx, [esi+18h]
		sub	edx, eax
		add	ecx, eax
		call	@SymCryptWipe@8	; SymCryptWipe(x,x)
		lea	eax, [ebp+var_4]
		mov	ecx, edi
		push	eax
		push	40h
		lea	edx, [esi+18h]
		call	@SymCryptSha256AppendBlocks@16 ; SymCryptSha256AppendBlocks(x,x,x,x)
		xor	eax, eax

loc_58F8EC:				; CODE XREF: SymCryptSha256Result(x,x)+1Fj
		push	40h
		pop	edx
		lea	ecx, [esi+18h]
		sub	edx, eax
		add	ecx, eax
		call	@SymCryptWipe@8	; SymCryptWipe(x,x)
		mov	ecx, [esi+8]
		lea	edx, [esi+18h]
		mov	eax, [esi+0Ch]
		shld	eax, ecx, 3
		bswap	eax
		shl	ecx, 3
		mov	[esi+50h], eax
		lea	eax, [ebp+var_4]
		bswap	ecx
		push	eax
		mov	[esi+54h], ecx
		mov	ecx, edi
		push	40h
		call	@SymCryptSha256AppendBlocks@16 ; SymCryptSha256AppendBlocks(x,x,x,x)
		push	8
		mov	edx, edi
		pop	ecx

loc_58F927:				; CODE XREF: SymCryptSha256Result(x,x)+8Cj
		mov	eax, [edx]
		lea	edx, [edx+4]
		bswap	eax
		mov	[ebx], eax
		lea	ebx, [ebx+4]
		sub	ecx, 1
		jnz	short loc_58F927
		push	78h
		pop	edx
		mov	ecx, esi
		call	@SymCryptWipe@8	; SymCryptWipe(x,x)
		push	8
		pop	ecx
		mov	esi, offset dword_4097E4
		rep movsd
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@SymCryptSha256Result@8	endp

; 
		align 2

; __fastcall SymCryptDetectCpuFeaturesByCpuid(x)
@SymCryptDetectCpuFeaturesByCpuid@4:	; CODE XREF: SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)+7Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp-1Ch], ecx
		xor	edi, edi
		push	edi
		xor	edx, edx
		lea	ecx, [ebp-14h]
		mov	ebx, 0FFFFF820h
		call	@SymCryptCpuidExFunc@12	; SymCryptCpuidExFunc(x,x,x)
		mov	eax, [ebp-14h]
		xor	esi, esi
		mov	[ebp-18h], eax

loc_58F984:				; CODE XREF: .text:0058F9D1j
		mov	al, byte ptr ds:_cpuidBitInfo[esi]
		movzx	ecx, al
		cmp	ecx, edi
		jz	short loc_58F9A5
		mov	edi, ecx
		lea	ecx, [ebp-14h]
		push	0
		mov	edx, edi
		call	@SymCryptCpuidExFunc@12	; SymCryptCpuidExFunc(x,x,x)
		mov	al, byte ptr ds:_cpuidBitInfo[esi]

loc_58F9A5:				; CODE XREF: .text:0058F98Fj
		movzx	eax, al
		cmp	eax, [ebp-18h]
		jg	short loc_58F9C5
		movzx	eax, byte ptr ds:(_cpuidBitInfo+1)[esi]
		xor	edx, edx
		mov	cl, byte ptr ds:loc_409A12[esi]
		inc	edx
		shl	edx, cl
		test	[ebp+eax*4-14h], edx
		jnz	short loc_58F9CB

loc_58F9C5:				; CODE XREF: .text:0058F9ABj
		or	ebx, ds:dword_409A14[esi]

loc_58F9CB:				; CODE XREF: .text:0058F9C3j
		add	esi, 8
		cmp	esi, 68h
		jb	short loc_58F984
		xor	esi, esi
		test	byte ptr [ebp-1Ch], 1
		jz	short loc_58FA00
		xor	edx, edx
		lea	ecx, [ebp-14h]
		push	esi
		inc	edx
		call	@SymCryptCpuidExFunc@12	; SymCryptCpuidExFunc(x,x,x)
		test	dword ptr [ebp-0Ch], 8000000h
		jz	short loc_58F9FD
		xor	ecx, ecx
; 
		dw 10Fh
; 
		rol	byte ptr [ebx-77CF920h], 1
		push	es
		jz	short loc_58FA00

loc_58F9FD:				; CODE XREF: .text:0058F9EEj
		or	ebx, 10h

loc_58FA00:				; CODE XREF: .text:0058F9D9j
					; .text:0058F9FBj
		test	bl, 4
		jnz	short loc_58FA57
		push	esi
		xor	edx, edx
		lea	ecx, [ebp-14h]
		call	@SymCryptCpuidExFunc@12	; SymCryptCpuidExFunc(x,x,x)
		cmp	dword ptr [ebp-10h], 68747541h
		jnz	short loc_58FA57
		cmp	dword ptr [ebp-0Ch], 444D4163h
		jnz	short loc_58FA57
		cmp	dword ptr [ebp-8], 69746E65h
		jnz	short loc_58FA57
		xor	edx, edx
		lea	ecx, [ebp-14h]
		push	esi
		inc	edx
		call	@SymCryptCpuidExFunc@12	; SymCryptCpuidExFunc(x,x,x)
		mov	eax, [ebp-14h]
		mov	ecx, eax
		sar	ecx, 8
		and	ecx, 0Fh
		cmp	ecx, 0Fh
		jb	short loc_58FA4F
		sar	eax, 14h
		movzx	eax, al
		add	ecx, eax

loc_58FA4F:				; CODE XREF: .text:0058FA45j
		cmp	ecx, 15h
		jnb	short loc_58FA57
		or	ebx, 4

loc_58FA57:				; CODE XREF: .text:0058FA03j
					; .text:0058FA17j ...
		xor	edx, edx
		mov	ecx, offset _g_SymCryptCpuid1
		push	esi
		inc	edx
		call	@SymCryptCpuidExFunc@12	; SymCryptCpuidExFunc(x,x,x)
		mov	ecx, [ebp-4]
		pop	edi
		pop	esi
		mov	_g_SymCryptCpuFeaturesNotPresent, ebx
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall SymCryptInitEnvCommon(x)
@SymCryptInitEnvCommon@4 proc near	; CODE XREF: SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)+A3p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, (offset loc_640004+1)
		cmp	ecx, esi
		jz	short loc_58FA94
		mov	ecx, 61737274h
		call	@SymCryptFatal@4 ; SymCryptFatal(x)

loc_58FA94:				; CODE XREF: SymCryptInitEnvCommon(x)+Ej
		xor	ecx, ecx
		mov	eax, offset _g_SymCryptFlags
		inc	ecx
		lock or	[eax], ecx
		mov	eax, _SymCryptBuildString
		mov	[ebp+var_4], esi
		pop	esi
		jmp	short loc_58FAAE
; 

loc_58FAAA:				; CODE XREF: SymCryptInitEnvCommon(x)+38j
		mov	byte ptr [ebp+var_4], cl
		inc	eax

loc_58FAAE:				; CODE XREF: SymCryptInitEnvCommon(x)+2Ej
		mov	cl, [eax]
		test	cl, cl
		jnz	short loc_58FAAA
		mov	eax, _g_SymCryptCpuFeaturesNotPresent
		not	eax
		mov	_g_SymCryptCpuFeaturesPresentCheck, eax
		leave
		retn
@SymCryptInitEnvCommon@4 endp

; [00000005 BYTES: COLLAPSED FUNCTION SymCryptWipe(x,x). PRESS KEYPAD "+" TO EXPAND]
		align 10h

;  S U B	R O U T	I N E 


; __fastcall SymCryptWipeAsm(x,	x)
@SymCryptWipeAsm@8 proc	near		; CODE XREF: SymCryptWipe(x,x)j
		xor	eax, eax
		cmp	edx, 8
		jb	loc_58FB22
		test	ecx, 7
		jnz	loc_58FB09

loc_58FAE7:				; CODE XREF: SymCryptWipeAsm(x,x)+4Cj
		sub	edx, 8
		lea	ebx, [ebx+0]

loc_58FAF0:				; CODE XREF: SymCryptWipeAsm(x,x)+2Bj
		mov	[ecx], eax
		mov	[ecx+4], eax
		add	ecx, 8
		sub	edx, 8
		ja	loc_58FAF0
		mov	[ecx+edx], eax
		mov	[ecx+edx+4], eax
		retn
; 

loc_58FB09:				; CODE XREF: SymCryptWipeAsm(x,x)+11j
		mov	[ecx], eax
		mov	[ecx+4], eax
		sub	eax, ecx
		and	eax, 7
		add	ecx, eax
		sub	edx, eax
		xor	eax, eax
		cmp	edx, 8
		jnb	loc_58FAE7

loc_58FB22:				; CODE XREF: SymCryptWipeAsm(x,x)+5j
		jmp	ds:off_58FB48[edx*4]

loc_58FB29:				; DATA XREF: .text:0058FB58o
		mov	[ecx], eax

locret_58FB2B:				; CODE XREF: SymCryptWipeAsm(x,x):loc_58FB22j
					; DATA XREF: .text:off_58FB48o
		retn
; 

loc_58FB2C:				; CODE XREF: SymCryptWipeAsm(x,x):loc_58FB22j
					; DATA XREF: .text:0058FB4Co
		mov	[ecx], al
		retn
; 

loc_58FB2F:				; CODE XREF: SymCryptWipeAsm(x,x):loc_58FB22j
					; DATA XREF: .text:0058FB54o
		mov	[ecx+2], al

loc_58FB32:				; CODE XREF: SymCryptWipeAsm(x,x):loc_58FB22j
					; DATA XREF: .text:0058FB50o
		mov	[ecx], ax
		retn
; 

loc_58FB36:				; CODE XREF: SymCryptWipeAsm(x,x):loc_58FB22j
					; DATA XREF: .text:0058FB5Co
		mov	[ecx], eax
		mov	[ecx+1], eax
		retn
; 

loc_58FB3C:				; CODE XREF: SymCryptWipeAsm(x,x):loc_58FB22j
					; DATA XREF: .text:0058FB60o
		mov	[ecx], eax
		mov	[ecx+2], eax
		retn
; 

loc_58FB42:				; CODE XREF: SymCryptWipeAsm(x,x):loc_58FB22j
					; DATA XREF: .text:0058FB64o
		mov	[ecx], eax
		mov	[ecx+3], eax
		retn
@SymCryptWipeAsm@8 endp

; 
off_58FB48	dd offset locret_58FB2B	; DATA XREF: SymCryptWipeAsm(x,x):loc_58FB22r
		dd offset loc_58FB2C
		dd offset loc_58FB32
		dd offset loc_58FB2F
		dd offset loc_58FB29
		dd offset loc_58FB36
		dd offset loc_58FB3C
		dd offset loc_58FB42

;  S U B	R O U T	I N E 


; __stdcall ext_ms_win_fs_clfs_l1_1_0_ClfsCreateLogFile(x, x, x, x, x, x, x, x,	x, x, x)
_ext_ms_win_fs_clfs_l1_1_0_ClfsCreateLogFile@44	proc near
		mov	eax, 0C00000BBh
		retn	2Ch
_ext_ms_win_fs_clfs_l1_1_0_ClfsCreateLogFile@44	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl _memicmp(const void *,const void *,unsigned int)
__memicmp	proc near		; CODE XREF: IopInitializeBootDrivers+431p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	___ascii_memicmp
__memicmp	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

___ascii_memicmp proc near		; CODE XREF: __memicmp+6j

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	ebp
		mov	ebp, esp
		push	edi
		push	esi
		push	ebx
		mov	ecx, [ebp+arg_8]
		or	ecx, ecx
		jz	short loc_58FBD2
		mov	esi, [ebp+arg_0]
		mov	edi, [ebp+arg_4]
		mov	bh, 41h
		mov	bl, 5Ah
		mov	dh, 20h
		lea	ecx, [ecx+0]

loc_58FB9C:				; CODE XREF: ___ascii_memicmp+45j
		mov	ah, [esi]
		add	esi, 1
		mov	al, [edi]
		add	edi, 1
		cmp	ah, al
		jz	short loc_58FBC2
		cmp	ah, bh
		jb	short loc_58FBB4
		cmp	ah, bl
		ja	short loc_58FBB4
		add	ah, dh

loc_58FBB4:				; CODE XREF: ___ascii_memicmp+2Cj
					; ___ascii_memicmp+30j
		cmp	al, bh
		jb	short loc_58FBBE
		cmp	al, bl
		ja	short loc_58FBBE
		add	al, dh

loc_58FBBE:				; CODE XREF: ___ascii_memicmp+36j
					; ___ascii_memicmp+3Aj
		cmp	ah, al
		jnz	short loc_58FBC9

loc_58FBC2:				; CODE XREF: ___ascii_memicmp+28j
		sub	ecx, 1
		jnz	short loc_58FB9C
		jmp	short loc_58FBD2
; 

loc_58FBC9:				; CODE XREF: ___ascii_memicmp+40j
		mov	ecx, 0FFFFFFFFh
		jb	short loc_58FBD2
		neg	ecx

loc_58FBD2:				; CODE XREF: ___ascii_memicmp+Bj
					; ___ascii_memicmp+47j	...
		mov	eax, ecx
		pop	ebx
		pop	esi
		pop	edi
		leave
		retn
___ascii_memicmp endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcSerializeWithLazyWriter(x, x)
_CcSerializeWithLazyWriter@8 proc near	; CODE XREF: .text:004ACB46p

var_10		= dword	ptr -10h
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1], 1
		lea	edi, [ebp+var_10]
		mov	ebx, edx
		stosd
		test	byte ptr [ebx+60h], 20h
		stosd
		stosd
		jz	short loc_58FC50
		sub	ecx, 0FFFFFF80h
		lea	edx, [ebp+var_10]
		call	@KeAcquireInStackQueuedSpinLockAtDpcLevel@8 ; KeAcquireInStackQueuedSpinLockAtDpcLevel(x,x)
		mov	esi, [ebx+160h]
		test	esi, esi
		jnz	short loc_58FC1A
		lea	ecx, [ebp+var_10]
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		xor	al, al
		jmp	short loc_58FC53
; 

loc_58FC1A:				; CODE XREF: CcSerializeWithLazyWriter(x,x)+32j
		and	esi, 0FFFFFFFEh
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_58FC58
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_58FC58
		mov	[eax], ecx
		mov	[ecx+4], eax
		xor	eax, eax
		mov	[esi+4], eax
		lea	ecx, [ebp+var_10]
		mov	[esi], eax
		and	dword ptr [ebx+60h], 0FFFFFFDFh
		mov	[ebx+160h], eax
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		mov	ecx, esi
		call	_CcFreeWorkQueueEntry@4	; CcFreeWorkQueueEntry(x)

loc_58FC50:				; CODE XREF: CcSerializeWithLazyWriter(x,x)+1Dj
		mov	al, [ebp+var_1]

loc_58FC53:				; CODE XREF: CcSerializeWithLazyWriter(x,x)+3Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_58FC58:				; CODE XREF: CcSerializeWithLazyWriter(x,x)+48j
					; CcSerializeWithLazyWriter(x,x)+4Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CcSerializeWithLazyWriter@8 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcWrapperMmCopyToCachedPage(x, x, x, x, x, x)
_CcWrapperMmCopyToCachedPage@24	proc near ; CODE XREF: CcMapAndCopyInToCache+48Bp

var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, ecx
		push	esi
		xor	esi, esi
		mov	[esp+0Ch+var_4], eax
		push	edi
		mov	edi, edx
		inc	esi

loc_58FC77:				; CODE XREF: CcWrapperMmCopyToCachedPage(x,x,x,x,x,x)+44j
		push	ebx
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, eax
		push	[ebp+arg_0]
		call	_MmCopyToCachedPage@20 ; MmCopyToCachedPage(x,x,x,x,x)
		mov	ecx, eax
		test	bl, 8
		jz	short loc_58FCA3
		cmp	ecx, 0C000009Ah
		jnz	short loc_58FCA3
		mov	eax, [esp+1Ch+var_10]
		and	ebx, 0FFFFFFF3h
		inc	esi
		cmp	esi, 2
		jbe	short loc_58FC77

loc_58FCA3:				; CODE XREF: CcWrapperMmCopyToCachedPage(x,x,x,x,x,x)+2Fj
					; CcWrapperMmCopyToCachedPage(x,x,x,x,x,x)+37j
		mov	eax, [ebp+arg_C]
		shr	ebx, 2
		not	bl
		pop	edi
		and	bl, 1
		mov	[eax], bl
		mov	eax, ecx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_CcWrapperMmCopyToCachedPage@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcPerfLogReadAhead(x, x, x,	x, x)
_CcPerfLogReadAhead@20 proc near	; CODE XREF: CcPerformReadAhead+350p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		mov	eax, [edx]
		mov	[esp+3Ch+var_20], eax
		mov	eax, [edx+4]
		xor	edx, edx
		push	esi
		mov	[esp+40h+var_1C], eax
		xor	esi, esi
		mov	eax, [ebp+arg_0]
		inc	edx
		mov	[esp+40h+var_18], eax
		mov	eax, [ebp+arg_4]
		push	(offset	off_401900+2)
		mov	[esp+44h+var_14], eax
		lea	eax, [esp+44h+var_28]
		push	1603h
		mov	[esp+48h+var_28], ecx
		lea	ecx, [esp+48h+var_38]
		push	80020000h
		mov	[esp+4Ch+var_24], esi
		mov	[esp+4Ch+var_C], esi
		mov	[esp+4Ch+var_10], esi
		mov	[esp+4Ch+var_38], eax
		mov	[esp+4Ch+var_34], esi
		mov	[esp+4Ch+var_30], 20h
		mov	[esp+4Ch+var_2C], esi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [esp+40h+var_4]
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_CcPerfLogReadAhead@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcPerfLogReadAheadPrefetch(x, x, x,	x)
_CcPerfLogReadAheadPrefetch@16 proc near ; CODE	XREF: CcPerformReadAhead+367p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		mov	eax, [edx]
		mov	[esp+3Ch+var_20], eax
		mov	eax, [edx+4]
		xor	edx, edx
		push	esi
		mov	[esp+40h+var_1C], eax
		xor	esi, esi
		mov	eax, [ebp+arg_0]
		inc	edx
		mov	[esp+40h+var_18], eax
		mov	eax, [ebp+arg_4]
		push	(offset	off_401900+2)
		mov	[esp+44h+var_14], eax
		lea	eax, [esp+44h+var_28]
		push	160Bh
		mov	[esp+48h+var_28], ecx
		lea	ecx, [esp+48h+var_38]
		push	80020000h
		mov	[esp+4Ch+var_24], esi
		mov	[esp+4Ch+var_10], esi
		mov	[esp+4Ch+var_C], esi
		mov	[esp+4Ch+var_38], eax
		mov	[esp+4Ch+var_34], esi
		mov	[esp+4Ch+var_30], 20h
		mov	[esp+4Ch+var_2C], esi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [esp+40h+var_4]
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_CcPerfLogReadAheadPrefetch@16 endp

; 
		align 2

; __stdcall CmpApplyAdminSdOnHiveFiles(x, x)
_CmpApplyAdminSdOnHiveFiles@8:		; CODE XREF: PAGE:00888D26p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	_CmpAdminSystemFileSecurityDescriptor
		mov	esi, ecx
		mov	ebx, edx
		push	4
		push	dword ptr [esi+400h]
		call	_ZwSetSecurityObject@12	; ZwSetSecurityObject(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_58FE3E
		mov	eax, [esi+410h]
		test	eax, eax
		jz	short loc_58FE08
		push	_CmpAdminSystemFileSecurityDescriptor
		push	4
		push	eax
		call	_ZwSetSecurityObject@12	; ZwSetSecurityObject(x,x,x)

loc_58FE08:				; CODE XREF: .text:0058FDF8j
		mov	eax, [esi+414h]
		test	eax, eax
		jz	short loc_58FE20
		push	_CmpAdminSystemFileSecurityDescriptor
		push	4
		push	eax
		call	_ZwSetSecurityObject@12	; ZwSetSecurityObject(x,x,x)

loc_58FE20:				; CODE XREF: .text:0058FE10j
		mov	eax, [esi+404h]
		test	eax, eax
		jz	short loc_58FE38
		push	_CmpAdminSystemFileSecurityDescriptor
		push	4
		push	eax
		call	_ZwSetSecurityObject@12	; ZwSetSecurityObject(x,x,x)

loc_58FE38:				; CODE XREF: .text:0058FE28j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_58FE3E:				; CODE XREF: .text:0058FDEEj
		push	edi
		push	ebx
		push	esi
		push	13h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 


__tlgDefineProvider_annotation__TlgCmFcpTraceLoggingHandleProv proc near
		mov	edi, edi
		retn
__tlgDefineProvider_annotation__TlgCmFcpTraceLoggingHandleProv endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall wil_details_FeatureDescriptors_SkipPadding(x)
_wil_details_FeatureDescriptors_SkipPadding@4 proc near
					; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x):loc_73247Bp
					; wil_details_EvaluateFeatureDependencies():loc_732518p ...
		mov	eax, offset _wil_details_featureDescriptors_z
		jmp	short loc_58FE5F
; 

loc_58FE57:				; CODE XREF: wil_details_FeatureDescriptors_SkipPadding(x)+11j
		cmp	dword ptr [ecx], 0
		jnz	short loc_58FE66
		add	ecx, 4

loc_58FE5F:				; CODE XREF: wil_details_FeatureDescriptors_SkipPadding(x)+5j
		cmp	ecx, eax
		jb	short loc_58FE57
		xor	eax, eax
		retn
; 

loc_58FE66:				; CODE XREF: wil_details_FeatureDescriptors_SkipPadding(x)+Aj
		mov	eax, ecx
		retn
_wil_details_FeatureDescriptors_SkipPadding@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAdjustFileCFSafety(x, x)
_CmpAdjustFileCFSafety@8 proc near	; CODE XREF: CmpRecheckHiveVolumePolicy(x)+5Dp
					; CmpCmdHiveClose(x)+BCp ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= word ptr -28h
var_26		= word ptr -26h
var_24		= dword	ptr -24h
var_D		= dword	ptr -0Dh
var_9		= dword	ptr -9
var_5		= byte ptr -5
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+50h+var_28], 1600h
		mov	bl, dl
		mov	[esp+50h+var_D], eax
		mov	[esp+50h+var_9], eax
		mov	edx, ecx
		mov	[esp+50h+var_5], al
		mov	esi, offset ??_C@_0BH@MBNJFEGL@$Kernel?4CFDoNotConvert@FNODOBFM@
		mov	[esp+50h+var_2C], eax
		lea	edi, [esp+50h+var_24]
		mov	[esp+50h+var_38], edx
		mov	[esp+50h+var_40], eax
		mov	[esp+50h+var_3C], eax
		mov	[esp+50h+var_34], eax
		mov	[esp+50h+var_30], eax
		push	5
		pop	ecx
		rep movsd
		movsw
		movsb
		test	bl, bl
		jz	short loc_58FEE7
		push	3
		pop	eax
		mov	[esp+50h+var_26], ax
		mov	ax, word ptr ds:??_C@_02DHLFCEDM@CM@FNODOBFM@
		mov	word ptr [esp+50h+var_D], ax
		mov	al, byte ptr ds:loc_5A3F7E
		mov	byte ptr [esp+50h+var_D+2], al
		jmp	short loc_58FEEE
; 

loc_58FEE7:				; CODE XREF: CmpAdjustFileCFSafety(x,x)+5Dj
		xor	eax, eax
		mov	[esp+50h+var_26], ax

loc_58FEEE:				; CODE XREF: CmpAdjustFileCFSafety(x,x)+7Bj
		mov	eax, _CmIoFileObjectType
		lea	ecx, [esp+50h+var_44]
		xor	esi, esi
		push	esi
		push	ecx
		mov	eax, [eax]
		push	esi
		push	eax
		push	102h
		push	edx
		mov	[esp+68h+var_44], esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [esp+50h+var_44]
		mov	esi, eax
		test	esi, esi
		js	short loc_58FF76
		push	28h
		lea	eax, [esp+54h+var_2C]
		push	eax
		push	edi
		call	FsRtlSetKernelEaFile
		mov	esi, eax
		test	esi, esi
		js	short loc_58FF76
		test	bl, bl
		jz	short loc_58FF9A
		push	23h
		push	8
		lea	eax, [esp+58h+var_40]
		push	eax
		lea	eax, [esp+5Ch+var_34]
		push	eax
		push	[esp+60h+var_38]
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_58FF62
		push	[esp+50h+var_3C]
		push	[esp+54h+var_40]
		call	_RtlIsCloudFilesPlaceholder@8 ;	RtlIsCloudFilesPlaceholder(x,x)
		test	al, al
		jz	short loc_58FF9A
		mov	esi, 0C0000184h

loc_58FF62:				; CODE XREF: CmpAdjustFileCFSafety(x,x)+E0j
		xor	eax, eax
		mov	[esp+50h+var_26], ax
		lea	eax, [esp+50h+var_2C]
		push	28h
		push	eax
		push	edi
		call	FsRtlSetKernelEaFile

loc_58FF76:				; CODE XREF: CmpAdjustFileCFSafety(x,x)+ACj
					; CmpAdjustFileCFSafety(x,x)+BFj ...
		test	edi, edi
		jz	short loc_58FF86
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_58FF86:				; CODE XREF: CmpAdjustFileCFSafety(x,x)+10Ej
		mov	ecx, [esp+50h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_58FF9A:				; CODE XREF: CmpAdjustFileCFSafety(x,x)+C3j
					; CmpAdjustFileCFSafety(x,x)+F1j
		xor	esi, esi
		jmp	short loc_58FF76
_CmpAdjustFileCFSafety@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDereferenceSecurityNode(x, x)
_CmpDereferenceSecurityNode@8 proc near	; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+329p
					; CmpCleanupLightWeightUoWData(x,x,x)+E9p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		lea	ecx, [ebp+var_8]
		call	_HvpGetCellContextInitialize@4 ; HvpGetCellContextInitialize(x)
		mov	eax, ecx
		push	eax
		push	ebx
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		mov	edx, esi
		push	ebx
		mov	ecx, edi
		call	_CmpKeySecurityDecrementReferenceCount@12 ; CmpKeySecurityDecrementReferenceCount(x,x,x)
		test	al, al
		jz	short loc_58FFF1
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, ebx
		mov	ecx, esi
		xor	edi, edi
		call	_CmpRemoveSecurityCellList@8 ; CmpRemoveSecurityCellList(x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	HvFreeCell

loc_58FFF1:				; CODE XREF: CmpDereferenceSecurityNode(x,x)+35j
		test	edi, edi
		jz	short loc_58FFFD
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_58FFFD:				; CODE XREF: CmpDereferenceSecurityNode(x,x)+55j
		pop	edi
		pop	esi
		pop	ebx

locret_590000:				; DATA XREF: .text:0041CA9Do
		leave
		retn
_CmpDereferenceSecurityNode@8 endp

; 

; __stdcall CmpKeySecurityDecrementReferenceCount(x, x,	x)
_CmpKeySecurityDecrementReferenceCount@12: ; CODE XREF:	CmpDereferenceSecurityNode(x,x)+2Ep
					; PAGE:0074BCBBp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+0Ch]	; DATA XREF: CmpInitializeSystemHive+50o
					; CmpInitializePreloadedHive+13Bo
		test	eax, eax
		jz	short loc_59001B
		sub	eax, 1
		mov	[ecx+0Ch], eax
		setz	al
		pop	ebp
		retn	4
; 

loc_59001B:				; CODE XREF: .text:0059000Cj
		push	dword ptr [ebp+8]
		push	edx
		push	7
		push	4
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh
; 

; __stdcall CmpKeySecurityIncrementReferenceCount(x, x,	x, x)
_CmpKeySecurityIncrementReferenceCount@16:
					; CODE XREF: CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+126p
					; CmpReferenceSecurityNode(x,x)+33p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	dword ptr [ebp-4], 0
		cmp	byte ptr [ebp+0Ch], 0
		push	esi
		mov	esi, ecx
		jnz	short loc_590045
		cmp	dword ptr [esi+0Ch], 0
		jz	short loc_590063

loc_590045:				; CODE XREF: .text:0059003Dj
		mov	ecx, [esi+0Ch]
		lea	eax, [ebp-4]
		xor	edx, edx
		push	eax
		inc	edx

loc_59004F:				; DATA XREF: .text:005A4574o
					; .text:005A567Co
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_59005E
		mov	ecx, [ebp-4]
		mov	[esi+0Ch], ecx

loc_59005E:				; CODE XREF: .text:00590056j
		pop	esi
		leave
		retn	8
; 

loc_590063:				; CODE XREF: .text:00590043j
		push	dword ptr [ebp+8]
		push	edx
		push	6
		push	4
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpKeySecurityMarkDirtyForReferenceCountDecrement(x, x, x, x)
_CmpKeySecurityMarkDirtyForReferenceCountDecrement@16 proc near	; CODE XREF: PAGE:0074BC55p
					; PAGE:0074BD5Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		cmp	dword ptr [edi+0Ch], 1
		jnz	short loc_5900A9
		mov	edx, [edi+4]
		mov	ecx, esi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		mov	edx, [edi+8]
		mov	ecx, esi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)

loc_5900A9:				; CODE XREF: CmpKeySecurityMarkDirtyForReferenceCountDecrement(x,x,x,x)+1Bj
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	8
_CmpKeySecurityMarkDirtyForReferenceCountDecrement@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindLowerBoundInSortedArray(x, x, x, x, x)
_CmpFindLowerBoundInSortedArray@20 proc	near
					; CODE XREF: CmpFindSecurityCellCacheIndex(x,x,x)+5Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [edx+esi*8]
		cmp	edx, edi
		jnb	short loc_5900E6
		push	ebx
		mov	ebx, [ecx]

loc_5900C6:				; CODE XREF: CmpFindLowerBoundInSortedArray(x,x,x,x,x)+31j
		mov	eax, esi
		shr	eax, 1
		lea	ecx, [edx+eax*8]
		cmp	ebx, [ecx]
		ja	short loc_5900D7
		mov	esi, eax
		mov	edi, ecx
		jmp	short loc_5900E1
; 

loc_5900D7:				; CODE XREF: CmpFindLowerBoundInSortedArray(x,x,x,x,x)+1Dj
		lea	edx, [ecx+8]
		or	ecx, 0FFFFFFFFh
		sub	ecx, eax
		add	esi, ecx

loc_5900E1:				; CODE XREF: CmpFindLowerBoundInSortedArray(x,x,x,x,x)+23j
		cmp	edx, edi
		jb	short loc_5900C6
		pop	ebx

loc_5900E6:				; CODE XREF: CmpFindLowerBoundInSortedArray(x,x,x,x,x)+Fj
		pop	edi
		mov	eax, edx
		pop	esi
		pop	ebp
		retn	0Ch
_CmpFindLowerBoundInSortedArray@20 endp


;  S U B	R O U T	I N E 


; __stdcall FsRtlInitSystem2()
_FsRtlInitSystem2@0 proc near		; CODE XREF: INIT:loc_ABFD19p
		mov	edi, edi
		push	ecx
		mov	ecx, offset dword_6B2398
		call	_TlgRegisterAggregateProvider@4	; TlgRegisterAggregateProvider(x)
		pop	ecx
		retn
_FsRtlInitSystem2@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpRemoveAndCompleteRHIrp(x, x, x, x, x,	x, x)
_FsRtlpRemoveAndCompleteRHIrp@28 proc near
					; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6FCp
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+808p ...

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= word ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1], al
		mov	ebx, [edi+8]
		and	dword ptr [edi+8], 0
		lea	esi, [ebx+25h]
		push	esi
		call	_IoAcquireCancelSpinLock@4 ; IoAcquireCancelSpinLock(x)
		xor	ecx, ecx
		lea	eax, [ebx+38h]
		xchg	ecx, [eax]
		movzx	eax, byte ptr [esi]
		push	eax
		call	IoReleaseCancelSpinLock
		mov	ecx, edi
		call	_FsRtlpOplockDequeueRH@4 ; FsRtlpOplockDequeueRH(x)
		cmp	byte ptr [ebx+24h], 0
		jnz	loc_5901FA
		mov	ecx, [ebx+0Ch]
		xor	eax, eax
		mov	edx, [ebp+arg_4]
		inc	eax
		push	18h
		and	dword ptr [ecx+10h], 0
		and	dword ptr [ecx+14h], 0
		mov	[ecx], ax
		pop	eax
		mov	[ecx+2], ax
		mov	eax, edx
		shr	eax, 0Ch
		and	eax, 7
		mov	dword ptr [ecx+4], 3
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+0Ch], eax
		test	al, 2
		jz	short loc_59018C
		mov	eax, [ebp+arg_C]
		mov	[ecx+10h], eax
		mov	ax, [ebp+arg_10]
		mov	[ecx+14h], ax
		mov	eax, [ebp+arg_8]

loc_59018C:				; CODE XREF: FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)+7Bj
		test	al, 1
		jz	short loc_5901D2
		mov	eax, [edi+18h]
		neg	edx
		mov	esi, [ebp+var_8]
		sbb	edx, edx
		and	eax, 0FF0FFFFFh
		and	edx, 0FF900000h
		add	edx, (offset loc_7FFFFF+1)
		or	edx, eax
		lea	ecx, [esi+24h]
		mov	[edi+18h], edx
		mov	edx, edi
		call	_FsRtlpOplockEnqueueRH@8 ; FsRtlpOplockEnqueueRH(x,x)
		xor	eax, eax
		mov	edx, edi
		inc	eax
		mov	ecx, esi
		push	eax
		call	FsRtlpModifyThreadPriorities
		mov	edx, edi
		mov	ecx, esi
		call	FsRtlpOplockSendModernAppTermination
		jmp	short loc_5901F2
; 

loc_5901D2:				; CODE XREF: FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)+90j
		mov	ecx, [edi+0Ch]
		call	ObfDereferenceObject
		cmp	dword ptr [edi+14h], 0
		jz	short loc_5901EA
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)

loc_5901EA:				; CODE XREF: FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)+E0j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5901F2:				; CODE XREF: FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)+D2j
		mov	esi, [ebp+arg_0]
		push	18h
		pop	ecx
		jmp	short loc_590225
; 

loc_5901FA:				; CODE XREF: FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)+40j
		mov	ecx, [edi+0Ch]
		mov	esi, 0C0000120h
		mov	[ebp+var_1], 0
		call	ObfDereferenceObject
		cmp	dword ptr [edi+14h], 0
		jz	short loc_59021B
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)

loc_59021B:				; CODE XREF: FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)+111j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx

loc_590225:				; CODE XREF: FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)+FAj
		xor	eax, eax
		mov	[ebx+1Ch], ecx
		mov	ecx, ebx
		mov	[ebx+18h], esi
		lea	edx, [eax+1]
		call	IofCompleteRequest
		mov	al, [ebp+var_1]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_FsRtlpRemoveAndCompleteRHIrp@28 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall xHalTimerWatchdogQueryDueTime(x)
_xHalTimerWatchdogQueryDueTime@4 proc near
					; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+303p
					; DATA XREF: .data:off_6B13FCo
		xor	eax, eax
		xor	edx, edx
		retn	4
_xHalTimerWatchdogQueryDueTime@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlGetReferenceTimeUsingTscPage(x)
_HvlGetReferenceTimeUsingTscPage@4 proc	near ; CODE XREF: HvlGetReferenceTime()+1Cp
					; DATA XREF: HvlpMarkHvlPagesForHibernation()+1Fo ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_8], 0
		and	[esp+14h+var_4], 0
		push	ebx
		push	esi
		push	edi

loc_590262:				; CODE XREF: HvlGetReferenceTimeUsingTscPage(x)+7Aj
		mov	eax, ds:_HvlpReferenceTscPage
		mov	ebx, [eax]
		mov	[esp+20h+var_C], ebx
		test	ebx, ebx
		jz	short loc_5902C8
		mov	ecx, ds:_HvlpReferenceTscPage
		rdtsc
		mov	[esp+20h+var_14], edx
		mov	[esp+20h+var_10], eax
		mov	edx, [ecx+8]
		mov	ecx, ds:_HvlpReferenceTscPage
		mov	esi, [ecx+0Ch]
		mov	ecx, ds:_HvlpReferenceTscPage
		push	esi
		push	edx
		push	[esp+28h+var_14]
		mov	ebx, [ecx+10h]
		mov	eax, ds:_HvlpReferenceTscPage
		push	[esp+2Ch+var_10]
		mov	edi, [eax+14h]
		call	_RtlUnsignedMultiplyHigh@16 ; RtlUnsignedMultiplyHigh(x,x,x,x)
		add	eax, ebx
		mov	ebx, [esp+20h+var_C]
		mov	[esp+20h+var_8], eax
		mov	eax, ds:_HvlpReferenceTscPage
		adc	edx, edi
		mov	[esp+20h+var_4], edx
		cmp	[eax], ebx
		jnz	short loc_590262
		jmp	short loc_5902D6
; 

loc_5902C8:				; CODE XREF: HvlGetReferenceTimeUsingTscPage(x)+25j
		lea	edx, [esp+20h+var_8]
		mov	ecx, 90004h
		call	_HvlpGetRegister64@8 ; HvlpGetRegister64(x,x)

loc_5902D6:				; CODE XREF: HvlGetReferenceTimeUsingTscPage(x)+7Cj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_5902DF
		mov	[eax], ebx

loc_5902DF:				; CODE XREF: HvlGetReferenceTimeUsingTscPage(x)+91j
		mov	eax, [esp+20h+var_8]
		mov	edx, [esp+20h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_HvlGetReferenceTimeUsingTscPage@4 endp


;  S U B	R O U T	I N E 


; __stdcall IOP_INT_TO_EXT_PRIORITY(x)
_IOP_INT_TO_EXT_PRIORITY@4 proc	near	; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+6A1p
		test	ecx, ecx
		jnz	short loc_5902F8
		push	2
		pop	eax
		retn
; 

loc_5902F8:				; CODE XREF: IOP_INT_TO_EXT_PRIORITY(x)+2j
		lea	eax, [ecx-1]
		retn
_IOP_INT_TO_EXT_PRIORITY@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 774. IoCleanupIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCleanupIrp(x)
		public _IoCleanupIrp@4
_IoCleanupIrp@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		cmp	word ptr [ecx],	6
		jz	short loc_590320
		push	0
		push	0
		push	2636h
		push	ecx
		push	44h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_590320:				; CODE XREF: IoCleanupIrp(x)+Cj
		xor	eax, eax
		test	byte ptr [ecx+27h], 40h
		mov	[ecx], ax
		jz	short loc_590335
		push	1
		or	edx, 0FFFFFFFFh
		call	_IopFreeIrpExtension@12	; IopFreeIrpExtension(x,x,x)

loc_590335:				; CODE XREF: IoCleanupIrp(x)+28j
		pop	ebp
		retn	4
_IoCleanupIrp@4	endp ; sp = -14h

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDecrementCompletionContextUsageCount(x)
_IopDecrementCompletionContextUsageCount@4 proc	near ; CODE XREF: .text:00522E58p
					; PAGE:0081D6E8p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	ecx, [ebx+70h]
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	esi, [ebx+6Ch]
		mov	ecx, [esi+8]
		mov	[ebp+var_4], ecx
		lea	edx, [ecx-1]
		mov	[esi+8], edx
		lea	ecx, [ebx+70h]
		mov	dl, al
		call	KfReleaseSpinLock
		mov	eax, [ebp+var_4]
		test	eax, eax
		jle	short loc_590372
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_590372:				; CODE XREF: IopDecrementCompletionContextUsageCount(x)+31j
		push	eax
		push	82h
		push	dword ptr [ebx+6Ch]
		push	ebx
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_IopDecrementCompletionContextUsageCount@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopDoesCompletionNeedsApc(x)
_IopDoesCompletionNeedsApc@4 proc near	; CODE XREF: IopCompleteIrpInFileObjectList(x,x,x):loc_44CFA8p
		mov	eax, [ecx+8]
		and	eax, 50h
		cmp	al, 50h
		jnz	short loc_5903BB
		mov	eax, [ecx+18h]
		cmp	eax, 80000016h
		jz	short loc_5903BB
		mov	edx, 0C0000000h
		and	eax, edx
		cmp	eax, edx
		jz	short loc_5903BB
		push	ecx
		call	_IoGetRequestorProcess@4 ; IoGetRequestorProcess(x)
		mov	ecx, large fs:124h
		cmp	eax, [ecx+80h]
		jz	short loc_5903BB
		mov	al, 1
		retn
; 

loc_5903BB:				; CODE XREF: IopDoesCompletionNeedsApc(x)+8j
					; IopDoesCompletionNeedsApc(x)+12j ...
		xor	al, al
		retn
_IopDoesCompletionNeedsApc@4 endp

; 

; __stdcall IopIncrementCompletionContextUsageCountAndReadData(x, x, x,	x)
_IopIncrementCompletionContextUsageCountAndReadData@16:	; CODE XREF: .text:00522C88p
					; PAGE:0081D651p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp-4], edx
		or	ebx, 0FFFFFFFFh
		lea	ecx, [edi+70h]
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	esi, [edi+6Ch]
		mov	dl, al
		test	esi, esi
		jz	short loc_5903E9
		mov	ebx, [esi+8]
		lea	eax, [ebx+1]
		mov	[esi+8], eax

loc_5903E9:				; CODE XREF: .text:005903DEj
		lea	ecx, [edi+70h]
		call	KfReleaseSpinLock
		mov	eax, [ebp-4]
		test	esi, esi
		jz	short loc_590410
		mov	byte ptr [eax],	1
		mov	eax, [ebp+8]
		mov	ecx, [esi]
		mov	[eax], ecx
		mov	eax, [ebp+0Ch]
		mov	ecx, [esi+4]
		mov	[eax], ecx
		test	ebx, ebx
		js	short loc_590425
		jmp	short loc_59041E
; 

loc_590410:				; CODE XREF: .text:005903F6j
		xor	ecx, ecx
		mov	[eax], cl
		mov	eax, [ebp+8]
		mov	[eax], ecx
		mov	eax, [ebp+0Ch]
		mov	[eax], ecx

loc_59041E:				; CODE XREF: .text:0059040Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_590425:				; CODE XREF: .text:0059040Cj
		push	ebx
		push	81h
		push	dword ptr [edi+6Ch]
		push	edi
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 


; __stdcall IopIsStandardFsctlIoControlCode(x)
_IopIsStandardFsctlIoControlCode@4 proc	near ; CODE XREF: PAGE:0081D025p
		mov	eax, 110030h
		cmp	ecx, eax
		ja	short loc_590467
		jz	short loc_590492
		sub	ecx, 90028h
		jz	short loc_590492
		sub	ecx, 7FFDCh
		jz	short loc_590492
		sub	ecx, 4
		jz	short loc_590492
		sub	ecx, 10h
		jz	short loc_590492
		sub	ecx, 4
		jz	short loc_590492
		sub	ecx, 0Ch
		jmp	short loc_59048D
; 

loc_590467:				; CODE XREF: IopIsStandardFsctlIoControlCode(x)+7j
		cmp	ecx, 110038h
		jz	short loc_590492
		cmp	ecx, 11400Ch
		jz	short loc_590492
		cmp	ecx, 117000h
		jz	short loc_590492
		cmp	ecx, 11AFFCh
		jz	short loc_590492
		cmp	ecx, 11C017h

loc_59048D:				; CODE XREF: IopIsStandardFsctlIoControlCode(x)+2Dj
		jz	short loc_590492
		xor	al, al
		retn
; 

loc_590492:				; CODE XREF: IopIsStandardFsctlIoControlCode(x)+9j
					; IopIsStandardFsctlIoControlCode(x)+11j ...
		mov	al, 1
		retn
_IopIsStandardFsctlIoControlCode@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopProcessBufferedIoCompletion(x, x)
_IopProcessBufferedIoCompletion@8 proc near ; CODE XREF: .text:00522A74p
					; IopCopyCompleteReadRequest(x,x,x,x,x)+4Ep

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	18h
		push	offset dword_6A7ED0
		call	__SEH_prolog4
		mov	esi, ecx
		mov	[ebp+var_24], esi
		lea	eax, [esi+8]
		mov	[ebp+var_1C], eax
		mov	ecx, [eax]
		test	cl, 10h
		jz	short loc_59052F
		test	cl, 40h
		jz	short loc_590515
		mov	eax, [esi+18h]
		cmp	eax, 80000016h
		jz	short loc_590515
		mov	ecx, 0C0000000h
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_590515
		and	[ebp+var_20], 0
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [esi+3Ch]
		mov	ecx, [esi+0Ch]
		cmp	eax, ecx
		jz	short loc_59050E
		push	dword ptr [esi+1Ch] ; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_59050E
; 

loc_5904EF:				; DATA XREF: .text:006A7EE4o
		mov	ecx, [ebp+ms_exc.exc_ptr]
		mov	eax, [ecx]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		lea	edx, [ebp+var_20]
		call	_IopExceptionFilter@8 ;	IopExceptionFilter(x,x)
		retn
; 

loc_590502:				; DATA XREF: .text:006A7EE8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_24]
		mov	eax, [ebp+var_28]
		mov	[esi+18h], eax

loc_59050E:				; CODE XREF: IopProcessBufferedIoCompletion(x,x)+48j
					; IopProcessBufferedIoCompletion(x,x)+57j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_590515:				; CODE XREF: IopProcessBufferedIoCompletion(x,x)+21j
					; IopProcessBufferedIoCompletion(x,x)+2Bj ...
		mov	edi, [ebp+var_1C]
		mov	ecx, [edi]
		test	cl, 20h
		jz	short loc_59052F
		push	0
		push	dword ptr [esi+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+0Ch], 0
		mov	ecx, [edi]

loc_59052F:				; CODE XREF: IopProcessBufferedIoCompletion(x,x)+1Cj
					; IopProcessBufferedIoCompletion(x,x)+87j
		and	ecx, 0FFFFFFCFh
		mov	eax, [ebp+var_1C]
		mov	[eax], ecx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopProcessBufferedIoCompletion@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopUnlockAndFreeMdl(x)
_IopUnlockAndFreeMdl@4 proc near	; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+42p
					; IopFreeCopyObjectsFromIrp(x)+21p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		push	edi
		mov	edi, ecx

loc_590554:				; CODE XREF: IopUnlockAndFreeMdl(x)+3Cj
		movzx	eax, word ptr [edi+6]
		mov	ecx, eax
		and	al, 5
		cmp	al, 1
		jnz	short loc_59056D
		push	edi
		push	dword ptr [edi+0Ch]
		call	MmUnmapLockedPages
		movzx	ecx, word ptr [edi+6]

loc_59056D:				; CODE XREF: IopUnlockAndFreeMdl(x)+16j
		test	cl, 2
		jz	short loc_590578
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_590578:				; CODE XREF: IopUnlockAndFreeMdl(x)+28j
		mov	esi, [edi]
		push	edi
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_590554
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_IopUnlockAndFreeMdl@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopUpdateIrpTransferCount(x, x)
_IopUpdateIrpTransferCount@8 proc near	; CODE XREF: .text:00522CAEp
					; IopCopyCompleteReadRequest(x,x,x,x,x)+57p
		mov	eax, [ecx+8]
		mov	ecx, [ecx+1Ch]
		test	eax, 100h
		jnz	_IopUpdateReadTransferCount@8 ;	IopUpdateReadTransferCount(x,x)
		test	eax, 200h
		jnz	_IopUpdateWriteTransferCount@8 ; IopUpdateWriteTransferCount(x,x)
		test	ecx, ecx
		jns	_IopUpdateOtherTransferCount@8 ; IopUpdateOtherTransferCount(x,x)
		retn
_IopUpdateIrpTransferCount@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopWaitForSynchronousIoEvent(x, x, x, x)
_IopWaitForSynchronousIoEvent@16 proc near ; CODE XREF:	IopWaitForSynchronousIo(x,x,x)+1Bp
					; NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+38Fp ...

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	bh, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	esi, esi
		mov	[ebp+var_1], dl
		mov	[ebp+var_8], ecx

loc_5905CA:				; CODE XREF: IopWaitForSynchronousIoEvent(x,x,x,x)+89j
		test	byte ptr [edi],	7Fh
		jnz	short loc_5905D5
		cmp	dword ptr [edi+4], 0
		jnz	short loc_59064C

loc_5905D5:				; CODE XREF: IopWaitForSynchronousIoEvent(x,x,x,x)+1Bj
		test	bh, bh
		push	0
		setz	al
		dec	al
		push	1
		and	al, dl
		movzx	eax, al
		push	eax
		push	0
		push	edi
		call	KeWaitForSingleObject
		mov	esi, eax
		cmp	esi, 101h
		jz	short loc_590600
		cmp	esi, 0C0h
		jnz	short loc_59064C

loc_590600:				; CODE XREF: IopWaitForSynchronousIoEvent(x,x,x,x)+44j
		test	bh, bh
		jnz	short loc_59063D
		mov	eax, large fs:124h
		mov	eax, [eax+2FCh]
		test	al, 1
		jnz	short loc_59063D
		mov	cl, 1
		xor	bl, bl
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		cmp	dword ptr [edi+4], 0
		mov	cl, al
		jnz	short loc_590630
		mov	eax, [ebp+var_8]
		cmp	byte ptr [eax+24h], 1
		setz	bl

loc_590630:				; CODE XREF: IopWaitForSynchronousIoEvent(x,x,x,x)+72j
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	dl, [ebp+var_1]
		test	bl, bl
		jz	short loc_5905CA

loc_59063D:				; CODE XREF: IopWaitForSynchronousIoEvent(x,x,x,x)+50j
					; IopWaitForSynchronousIoEvent(x,x,x,x)+60j
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	_IopCancelAlertedRequest@8 ; IopCancelAlertedRequest(x,x)
		mov	esi, 0C0000120h

loc_59064C:				; CODE XREF: IopWaitForSynchronousIoEvent(x,x,x,x)+21j
					; IopWaitForSynchronousIoEvent(x,x,x,x)+4Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_IopWaitForSynchronousIoEvent@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 771. IoCheckRedirectionTrustLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCheckRedirectionTrustLevel(x, x, x, x, x)
		public _IoCheckRedirectionTrustLevel@20
_IoCheckRedirectionTrustLevel@20 proc near

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		push	esi
		push	edi
		lea	edi, [esp+28h+var_10]
		inc	ebx
		stosd
		mov	byte ptr [esp+28h+var_18], bl
		mov	byte ptr [esp+28h+var_18+2], bl
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[esp+28h+var_19], al
		mov	byte ptr [esp+28h+var_18+1], al
		cmp	[ebp+arg_4], al
		jz	loc_590734
		cmp	[ebp+arg_C], 2
		jz	loc_590734
		cmp	[ebp+arg_C], eax
		jz	loc_590734
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jnz	short loc_5906BA
		lea	eax, [esp+28h+var_10]
		push	eax
		call	SeCaptureSubjectContext
		lea	esi, [esp+28h+var_10]
		jmp	short loc_5906BC
; 

loc_5906BA:				; CODE XREF: IoCheckRedirectionTrustLevel(x,x,x,x,x)+4Ej
		mov	esi, edi

loc_5906BC:				; CODE XREF: IoCheckRedirectionTrustLevel(x,x,x,x,x)+5Ej
		mov	ecx, [esi+8]
		lea	eax, [esp+28h+var_18+1]
		push	eax
		lea	edx, [esp+13h]
		call	_SeTokenGetRedirectionTrustPolicy@12 ; SeTokenGetRedirectionTrustPolicy(x,x,x)
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_5906EC
		cmp	dword ptr [esi+4], 2
		jl	short loc_5906EC
		lea	eax, [esp+28h+var_18+2]
		push	eax
		lea	edx, [esp+2Ch+var_18]
		call	_SeTokenGetRedirectionTrustPolicy@12 ; SeTokenGetRedirectionTrustPolicy(x,x,x)
		push	2
		pop	esi
		jmp	short loc_5906EE
; 

loc_5906EC:				; CODE XREF: IoCheckRedirectionTrustLevel(x,x,x,x,x)+77j
					; IoCheckRedirectionTrustLevel(x,x,x,x,x)+7Dj
		mov	esi, ebx

loc_5906EE:				; CODE XREF: IoCheckRedirectionTrustLevel(x,x,x,x,x)+90j
		test	edi, edi
		jnz	short loc_5906FC
		lea	eax, [esp+28h+var_10]
		push	eax
		call	SeReleaseSubjectContext

loc_5906FC:				; CODE XREF: IoCheckRedirectionTrustLevel(x,x,x,x,x)+96j
		cmp	[esp+28h+var_19], 0
		jz	short loc_590714
		cmp	byte ptr [esp+28h+var_18], 0
		jz	short loc_590714
		mov	al, bl
		xor	ecx, ecx
		mov	byte ptr [esp+28h+var_18+3], al
		jmp	short loc_59071C
; 

loc_590714:				; CODE XREF: IoCheckRedirectionTrustLevel(x,x,x,x,x)+A7j
					; IoCheckRedirectionTrustLevel(x,x,x,x,x)+AEj
		xor	ecx, ecx
		mov	al, cl
		mov	byte ptr [esp+28h+var_18+3], cl

loc_59071C:				; CODE XREF: IoCheckRedirectionTrustLevel(x,x,x,x,x)+B8j
		cmp	byte ptr [esp+28h+var_18+1], 0
		jz	short loc_59072C
		cmp	byte ptr [esp+28h+var_18+2], 0
		jz	short loc_59072C
		mov	cl, bl

loc_59072C:				; CODE XREF: IoCheckRedirectionTrustLevel(x,x,x,x,x)+C7j
					; IoCheckRedirectionTrustLevel(x,x,x,x,x)+CEj
		test	al, al
		jnz	short loc_59073F
		test	cl, cl
		jnz	short loc_590742

loc_590734:				; CODE XREF: IoCheckRedirectionTrustLevel(x,x,x,x,x)+30j
					; IoCheckRedirectionTrustLevel(x,x,x,x,x)+3Aj ...
		xor	eax, eax

loc_590736:				; CODE XREF: IoCheckRedirectionTrustLevel(x,x,x,x,x)+118j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_59073F:				; CODE XREF: IoCheckRedirectionTrustLevel(x,x,x,x,x)+D4j
		push	2
		pop	ebx

loc_590742:				; CODE XREF: IoCheckRedirectionTrustLevel(x,x,x,x,x)+D8j
		mov	edx, large fs:124h
		cmp	esi, 2
		mov	ecx, ebx
		setz	al
		movzx	eax, al
		mov	edx, [edx+80h]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_0]
		call	_EtwTimLogRedirectionTrustPolicy@20 ; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)
		cmp	byte ptr [esp+28h+var_18+3], 0
		jz	short loc_590734
		mov	eax, 0C00004BCh
		jmp	short loc_590736
_IoCheckRedirectionTrustLevel@20 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 781. IoComputeRedirectionTrustLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoComputeRedirectionTrustLevel(x, x, x, x)
		public _IoComputeRedirectionTrustLevel@16
_IoComputeRedirectionTrustLevel@16 proc	near

var_10		= dword	ptr -10h
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		xor	eax, eax
		cmp	[ebp+arg_4], 0
		push	esi
		push	edi
		lea	edi, [esp+18h+var_10]
		stosd
		stosd
		stosd
		stosd
		jnz	short loc_5907A2
		mov	eax, [ebp+arg_C]
		mov	dword ptr [eax], 2
		jmp	short loc_5907E5
; 

loc_5907A2:				; CODE XREF: IoComputeRedirectionTrustLevel(x,x,x,x)+1Bj
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jnz	short loc_5907B9
		lea	eax, [esp+18h+var_10]
		push	eax
		call	SeCaptureSubjectContext
		lea	eax, [esp+18h+var_10]
		jmp	short loc_5907BB
; 

loc_5907B9:				; CODE XREF: IoComputeRedirectionTrustLevel(x,x,x,x)+2Dj
		mov	eax, esi

loc_5907BB:				; CODE XREF: IoComputeRedirectionTrustLevel(x,x,x,x)+3Dj
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_5907C4
		mov	ecx, [eax+8]

loc_5907C4:				; CODE XREF: IoComputeRedirectionTrustLevel(x,x,x,x)+45j
		push	ecx
		call	SeTokenIsAdmin
		xor	ecx, ecx
		test	al, al
		mov	eax, [ebp+arg_C]
		setnz	cl
		inc	ecx
		mov	[eax], ecx
		test	esi, esi
		jnz	short loc_5907E5
		lea	eax, [esp+18h+var_10]
		push	eax
		call	SeReleaseSubjectContext

loc_5907E5:				; CODE XREF: IoComputeRedirectionTrustLevel(x,x,x,x)+26j
					; IoComputeRedirectionTrustLevel(x,x,x,x)+5Fj
		pop	edi
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
_IoComputeRedirectionTrustLevel@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 849. IoGetCopyInformationExtension

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetCopyInformationExtension(x, x)
		public _IoGetCopyInformationExtension@8
_IoGetCopyInformationExtension@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	9
		pop	edx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	short loc_59081E
		mov	esi, [esi+68h]
		push	edi
		mov	edi, [ebp+arg_4]
		add	esi, 38h
		xor	eax, eax
		movsd
		movsd
		movsd
		movsd
		pop	edi
		jmp	short loc_590823
; 

loc_59081E:				; CODE XREF: IoGetCopyInformationExtension(x,x)+15j
		mov	eax, 0C0000225h

loc_590823:				; CODE XREF: IoGetCopyInformationExtension(x,x)+28j
		pop	esi
		pop	ebp
		retn	8
_IoGetCopyInformationExtension@8 endp


;  S U B	R O U T	I N E 


; __stdcall IopSetCopyInformationExtension(x, x)
_IopSetCopyInformationExtension@8 proc near
					; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+1D7p
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+528p
		mov	edi, edi
		push	ebx
		push	esi
		push	9
		mov	ebx, edx
		mov	esi, ecx
		pop	edx
		call	_IopIrpHasValidCombinationOfExtensionTypes@8 ; IopIrpHasValidCombinationOfExtensionTypes(x,x)
		test	al, al
		jnz	short loc_590843
		mov	eax, 0C00000BBh
		jmp	short loc_590865
; 

loc_590843:				; CODE XREF: IopSetCopyInformationExtension(x,x)+12j
		push	9
		pop	edx
		mov	ecx, esi
		call	IopAllocateIrpExtension
		test	eax, eax
		jnz	short loc_590858
		mov	eax, 0C000009Ah
		jmp	short loc_590865
; 

loc_590858:				; CODE XREF: IopSetCopyInformationExtension(x,x)+27j
		push	edi
		mov	esi, ebx
		lea	edi, [eax+38h]
		xor	eax, eax
		movsd
		movsd
		movsd
		movsd
		pop	edi

loc_590865:				; CODE XREF: IopSetCopyInformationExtension(x,x)+19j
					; IopSetCopyInformationExtension(x,x)+2Ej
		pop	esi
		pop	ebx
		retn
_IopSetCopyInformationExtension@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledDeviceUsage()
_Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledDeviceUsage@0 proc near
					; CODE XREF: IopCopyCompleteReadRequest(x,x,x,x,x):loc_590BA2p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, _Feature_Servicing_CopyFileMoveFileEventLeak__private_featureState
		test	al, 10h
		jz	short loc_590880
		and	eax, 1
		jmp	short loc_59088B
; 

loc_590880:				; CODE XREF: Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledDeviceUsage()+11j
		push	0
		push	eax
		push	3
		pop	ecx
		call	_Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledFallback@12 ; Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledFallback(x,x,x)

loc_59088B:				; CODE XREF: Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledDeviceUsage()+16j
		mov	esp, ebp
		pop	ebp
		retn
_Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledDeviceUsage@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledFallback(x, x, x)
_Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledFallback@12 proc	near
					; CODE XREF: Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledDeviceUsage()+1Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, (offset loc_6AB1FB+1)
		push	[ebp+arg_0]
		push	ecx
		call	_wil_details_IsEnabledFallback@20 ; wil_details_IsEnabledFallback(x,x,x,x,x)
		pop	ebp
		retn	8
_Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCopyAbortCopyReadRequest(x)
_IopCopyAbortCopyReadRequest@4 proc near ; DATA	XREF: IopCopyCompleteReadIrp(x,x,x)+FEo
					; IopCopyCompleteReadIrp(x,x,x)+171o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		lea	eax, [ecx+28h]
		push	eax
		lea	eax, [ecx+24h]
		push	eax
		lea	eax, [ecx+20h]
		push	eax
		lea	eax, [ecx+1Ch]
		push	eax
		push	ecx
		call	_IopCopyCompleteReadRequest@20 ; IopCopyCompleteReadRequest(x,x,x,x,x)
		pop	ebp
		retn	4
_IopCopyAbortCopyReadRequest@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCopyCompleteReadIrp(x, x, x)
_IopCopyCompleteReadIrp@12 proc	near	; DATA XREF: IopFreeIrpExtension(x,x,x)+82o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		mov	esi, [esi]
		mov	[ebp+var_C], esi
		mov	eax, [esi+18h]
		mov	edi, [esi+3Ch]
		mov	ecx, [esi+50h]
		sub	edi, 30h
		mov	[ebp+var_14], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_10], eax
		mov	al, [esi+21h]
		mov	[ebp+var_3], al
		mov	al, [esi+24h]
		mov	[ebp+var_1], al
		mov	eax, [esi+4]
		mov	[ebp+var_8], ecx
		test	eax, eax
		jz	short loc_590919
		mov	ecx, eax
		call	_IopUnlockAndFreeMdl@4 ; IopUnlockAndFreeMdl(x)
		mov	ecx, [ebp+var_8]
		mov	[esi+4], ebx

loc_590919:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+3Ej
		test	ecx, ecx
		jz	short loc_590939
		lea	esi, [ecx+350h]
		mov	ecx, esi
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	dl, al
		mov	ecx, esi
		call	KfReleaseSpinLock
		mov	esi, [ebp+var_C]
		mov	ecx, [ebp+var_8]

loc_590939:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+4Fj
		cmp	ecx, large fs:124h
		jnz	short loc_590987
		call	_KeAreAllApcsDisabled@0	; KeAreAllApcsDisabled()
		test	al, al
		jnz	short loc_590984
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		test	al, al
		jnz	short loc_590984
		cmp	[ebp+var_1], bl
		jnz	short loc_590990
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		lea	ecx, [ebp+arg_4]
		xor	eax, eax
		push	eax
		push	ecx
		push	eax
		push	eax
		lea	ecx, [esi+40h]
		push	ecx
		call	_IopCopyCompleteReadRequest@20 ; IopCopyCompleteReadRequest(x,x,x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	ebx, ebx
		jmp	loc_590A5C
; 

loc_590984:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+7Dj
					; IopCopyCompleteReadIrp(x,x,x)+86j
		mov	ecx, [ebp+var_8]

loc_590987:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+74j
		cmp	[ebp+var_1], bl
		jz	loc_590A30

loc_590990:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+8Bj
		push	0Bh
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	edx, _IopDeadIrps
		mov	[ebp+var_2], al
		jmp	short loc_5909AE
; 

loc_5909A3:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+E8j
		mov	eax, [edx]
		lea	ecx, [edx-10h]
		cmp	ecx, esi
		jz	short loc_5909F6
		mov	edx, eax

loc_5909AE:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+D5j
		cmp	edx, offset _IopDeadIrps
		jnz	short loc_5909A3
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_590A14
		mov	eax, [ebp+var_C]
		add	esi, 40h
		push	ebx
		push	ebx
		push	ebx
		movsx	eax, byte ptr [eax+26h]
		push	offset _IopCopyAbortCopyReadRequest@4 ;	IopCopyAbortCopyReadRequest(x)
		push	offset _IopCopyCompleteReadRequest@20 ;	IopCopyCompleteReadRequest(x,x,x,x,x)
		push	eax
		push	ecx
		push	esi
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	[ebp+arg_8]
		push	ebx
		push	[ebp+arg_4]
		push	esi
		call	KeInsertQueueApc
		mov	dl, [ebp+var_2]
		push	0Bh
		pop	ecx
		call	KeReleaseQueuedSpinLock
		jmp	short loc_590A5C
; 

loc_5909F6:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+DEj
		cmp	[eax+4], edx
		jnz	short loc_590A2B
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	short loc_590A2B
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, [ebp+var_8]
		mov	[edx+4], edx
		mov	[edx], edx
		call	ObfDereferenceObject

loc_590A14:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+EFj
		mov	dl, [ebp+var_2]
		push	0Bh
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		call	IopDropIrp
		jmp	short loc_590A5C
; 

loc_590A2B:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+12Dj
					; IopCopyCompleteReadIrp(x,x,x)+134j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_590A30:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+BEj
		mov	eax, [ebp+var_C]
		add	esi, 40h
		push	ebx
		push	ebx
		push	ebx
		movsx	eax, byte ptr [eax+26h]
		push	offset _IopCopyAbortCopyReadRequest@4 ;	IopCopyAbortCopyReadRequest(x)
		push	offset _IopCopyCompleteReadRequest@20 ;	IopCopyCompleteReadRequest(x,x,x,x,x)
		push	eax
		push	ecx
		push	esi
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	[ebp+arg_8]
		push	ebx
		push	[ebp+arg_4]
		push	esi
		call	KeInsertQueueApc

loc_590A5C:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+B3j
					; IopCopyCompleteReadIrp(x,x,x)+128j ...
		mov	ecx, [ebp+var_14]
		test	ecx, ecx
		js	loc_590AFB
		cmp	[ebp+var_1], 0
		jnz	loc_590AFB
		mov	eax, [edi+10h]
		mov	[ebp+arg_8], eax
		mov	ecx, [eax+60h]
		mov	eax, [edi+18h]
		mov	[ebp+arg_0], ecx
		test	byte ptr [eax+2Ch], 8
		jz	short loc_590ADB
		mov	eax, [edi+14h]
		mov	edx, [ecx-20h]
		mov	[ebp+arg_4], edx
		movzx	eax, word ptr [eax+0ACh]
		mov	ecx, eax
		test	ax, ax
		jnz	short loc_590AA2
		mov	ecx, 1000h

loc_590AA2:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+1CFj
		lea	esi, [edx-1]
		xor	edx, edx
		add	esi, ecx
		mov	eax, esi
		div	ecx
		mov	eax, [ebp+arg_4]
		sub	esi, edx
		cmp	esi, eax
		jb	short loc_590AB8
		mov	esi, eax

loc_590AB8:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+1E8j
		mov	ecx, [ebp+var_10]
		cmp	ecx, esi
		jnb	short loc_590AD6
		mov	eax, esi
		sub	eax, ecx
		push	eax		; size_t
		mov	eax, [ebp+arg_8]
		push	ebx		; int
		mov	eax, [eax+3Ch]
		add	eax, ecx
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_590AD6:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+1F1j
		mov	ecx, [ebp+arg_0]
		jmp	short loc_590ADE
; 

loc_590ADB:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+1B8j
		mov	esi, [ebp+var_10]

loc_590ADE:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+20Dj
		mov	[ecx-20h], esi
		lea	eax, [edi+10h]
		push	ebx
		push	edi
		mov	dword ptr [edi+8], offset _IopQueueCopyWrite@4 ; IopQueueCopyWrite(x)
		mov	[edi+0Ch], eax
		mov	[edi], ebx
		call	ExQueueWorkItem
		mov	bl, 1
		jmp	short loc_590B1C
; 

loc_590AFB:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+195j
					; IopCopyCompleteReadIrp(x,x,x)+19Fj
		mov	eax, [edi+10h]
		push	1
		push	9
		pop	edx
		mov	[eax+18h], ecx
		mov	ecx, [edi+10h]
		mov	al, [ebp+var_3]
		mov	[ecx+21h], al
		mov	eax, [ebp+arg_0]
		mov	ecx, [edi+10h]
		mov	[eax], ecx
		call	_IopFreeIrpExtension@12	; IopFreeIrpExtension(x,x,x)

loc_590B1C:				; CODE XREF: IopCopyCompleteReadIrp(x,x,x)+22Dj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	0Ch
_IopCopyCompleteReadIrp@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCopyCompleteReadRequest(x, x, x,	x, x)
_IopCopyCompleteReadRequest@20 proc near ; CODE	XREF: IopCopyAbortCopyReadRequest(x)+19p
					; IopCopyCompleteReadIrp(x,x,x)+A4p
					; DATA XREF: ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		mov	[esp+8+var_4], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [eax]
		add	esi, 0FFFFFFC0h
		test	dword ptr [edi+2Ch], 4000000h
		jnz	short loc_590B5D
		push	ebx
		push	ebx
		lea	eax, [edi+5Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_590B5D:				; CODE XREF: IopCopyCompleteReadRequest(x,x,x,x,x)+2Aj
		mov	eax, [esi+18h]
		mov	[edi+1Ch], eax
		test	dword ptr [esi+8], 2000h
		jz	short loc_590B72
		mov	ebx, [esi+30h]
		and	ebx, 0FFFFFFFCh

loc_590B72:				; CODE XREF: IopCopyCompleteReadRequest(x,x,x,x,x)+44j
		mov	ecx, esi
		call	_IopProcessBufferedIoCompletion@8 ; IopProcessBufferedIoCompletion(x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	_IopUpdateIrpTransferCount@8 ; IopUpdateIrpTransferCount(x,x)
		test	dword ptr [esi+8], 2000h
		mov	ecx, esi
		jz	short loc_590B96
		mov	edx, edi
		call	IopDequeueIrpFromFileObject
		jmp	short loc_590BA2
; 

loc_590B96:				; CODE XREF: IopCopyCompleteReadRequest(x,x,x,x,x)+65j
		mov	eax, [esp+10h+var_4]
		mov	[esi+50h], eax
		call	IopDequeueIrpFromThread

loc_590BA2:				; CODE XREF: IopCopyCompleteReadRequest(x,x,x,x,x)+6Ej
		call	_Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledDeviceUsage@0 ; Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	short loc_590BB7
		mov	ecx, [esi+2Ch]
		test	ecx, ecx
		jz	short loc_590BBB
		call	ObfDereferenceObject

loc_590BB7:				; CODE XREF: IopCopyCompleteReadRequest(x,x,x,x,x)+83j
		and	dword ptr [esi+2Ch], 0

loc_590BBB:				; CODE XREF: IopCopyCompleteReadRequest(x,x,x,x,x)+8Aj
		mov	edx, edi
		mov	ecx, esi
		call	IopDropIrp
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_IopCopyCompleteReadRequest@20 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopFreeCopyObjectsFromDataBuffer(x,	x)
_IopFreeCopyObjectsFromDataBuffer@8 proc near ;	CODE XREF: IopFreeCopyObjectsFromIrp(x)+30j
					; NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+205p ...
		mov	edi, edi
		push	ebx
		push	esi
		lea	esi, [ecx-30h]
		push	edi
		test	dl, dl
		jz	short loc_590C0D
		mov	ebx, [esi+10h]
		mov	edi, [esi+18h]
		test	ebx, ebx
		jz	short loc_590C02
		push	1
		push	9
		pop	edx
		mov	ecx, ebx
		call	_IopFreeIrpExtension@12	; IopFreeIrpExtension(x,x,x)
		push	0
		push	0
		push	dword ptr [ebx+2Ch]
		mov	edx, ebx
		mov	ecx, edi
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		jmp	short loc_590C21
; 

loc_590C02:				; CODE XREF: IopFreeCopyObjectsFromDataBuffer(x,x)+14j
		test	edi, edi
		jz	short loc_590C0D
		mov	ecx, edi
		call	ObfDereferenceObject

loc_590C0D:				; CODE XREF: IopFreeCopyObjectsFromDataBuffer(x,x)+Aj
					; IopFreeCopyObjectsFromDataBuffer(x,x)+36j
		mov	ecx, [esi+20h]
		test	ecx, ecx
		jz	short loc_590C19
		call	ObfDereferenceObject

loc_590C19:				; CODE XREF: IopFreeCopyObjectsFromDataBuffer(x,x)+44j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_590C21:				; CODE XREF: IopFreeCopyObjectsFromDataBuffer(x,x)+32j
		pop	edi
		pop	esi
		pop	ebx
		retn
_IopFreeCopyObjectsFromDataBuffer@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopFreeCopyObjectsFromIrp(x)
_IopFreeCopyObjectsFromIrp@4 proc near	; CODE XREF: IopFreeIrpExtension(x,x,x)+70p
					; IoReuseIrp(x,x)+E6p
		mov	edi, edi
		push	esi
		push	9
		pop	edx
		mov	esi, ecx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	short loc_590C5B
		mov	ecx, [esi+3Ch]
		test	ecx, ecx
		jz	short loc_590C5B
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_590C53
		mov	ecx, eax
		call	_IopUnlockAndFreeMdl@4 ; IopUnlockAndFreeMdl(x)
		and	dword ptr [esi+4], 0
		mov	ecx, [esi+3Ch]

loc_590C53:				; CODE XREF: IopFreeCopyObjectsFromIrp(x)+1Dj
		xor	dl, dl
		pop	esi
		jmp	_IopFreeCopyObjectsFromDataBuffer@8 ; IopFreeCopyObjectsFromDataBuffer(x,x)
; 

loc_590C5B:				; CODE XREF: IopFreeCopyObjectsFromIrp(x)+Fj
					; IopFreeCopyObjectsFromIrp(x)+16j
		pop	esi
		retn
_IopFreeCopyObjectsFromIrp@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopPopulateCopyWriteWorkerData(x, x, x, x, x, x, x,	x, x, x, x)
_IopPopulateCopyWriteWorkerData@44 proc	near
					; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+1E6p

var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	[ebp+arg_1C]
		xor	ebx, ebx
		mov	[esp+4Ch+var_20], eax
		push	[ebp+arg_18]
		mov	eax, [ebp+arg_4]
		push	[ebp+arg_14]
		mov	[esp+54h+var_38], ecx
		lea	ecx, [esp+54h+var_40]
		mov	[esp+54h+var_24], edx
		mov	edx, [ebp+arg_10]
		mov	[esp+54h+var_1C], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+54h+var_3C], 10000h
		mov	[esp+54h+var_4], ebx
		mov	[esp+54h+var_40], ebx
		mov	[esp+54h+var_34], ebx
		mov	[esp+54h+var_30], ebx
		mov	[esp+54h+var_2C], ebx
		mov	[esp+54h+var_28], ebx
		mov	[esp+54h+var_18], ebx
		mov	[esp+54h+var_14], ebx
		mov	[esp+54h+var_10], ebx
		mov	[esp+54h+var_C], 0C0000000h
		mov	[esp+54h+var_8], eax
		call	_IopValidateAndGetWriteParameters@20 ; IopValidateAndGetWriteParameters(x,x,x,x,x)
		test	eax, eax
		js	short loc_590CE9
		mov	edx, [ebp+arg_20]
		lea	ecx, [esp+54h+var_4C]
		mov	eax, [esp+54h+var_40]
		mov	[edx+4], eax
		call	_IopAllocateAndPopulateWriteIrp@8 ; IopAllocateAndPopulateWriteIrp(x,x)

loc_590CE9:				; CODE XREF: IopPopulateCopyWriteWorkerData(x,x,x,x,x,x,x,x,x,x,x)+76j
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
_IopPopulateCopyWriteWorkerData@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopQueueCopyWrite(x)
_IopQueueCopyWrite@4 proc near		; DATA XREF: IopCopyCompleteReadIrp(x,x,x)+21Ao

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	1
		push	0
		push	0
		mov	edx, [ecx]
		mov	eax, [edx+8]
		shr	eax, 0Bh
		and	al, 1
		movzx	eax, al
		push	eax
		push	dword ptr [ecx+8]
		mov	ecx, [ecx+4]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)
		pop	ebp
		retn	4
_IopQueueCopyWrite@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_FeatureReporting_ReportUsageToService(x, x, x, x, x)
_wil_details_FeatureReporting_ReportUsageToService@20 proc near
					; CODE XREF: wil_details_IsEnabledFallback(x,x,x,x,x)+3Ap
					; Feature_BamQosGrouping__private_ReportUsageFallback(x,x,x)+1Dp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, edx
		mov	esi, ecx
		mov	[ebp+var_4], eax
		and	edi, 1
		mov	ecx, eax
		mov	edx, edi
		call	wil_details_MapReportingKind
		push	[ebp+arg_8]
		mov	edx, eax
		mov	ecx, esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_wil_details_FeatureReporting_ReportUsageToServiceDirect@20 ; wil_details_FeatureReporting_ReportUsageToServiceDirect(x,x,x,x,x)
		test	eax, eax
		jz	short loc_590D6E
		mov	eax, _g_wil_details_pfnFeatureLoggingHook
		test	eax, eax
		jz	short loc_590D6E
		push	[ebp+arg_0]
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		push	edx
		push	edx
		push	ecx
		push	edi
		push	edx
		push	dword ptr [esi+8]
		push	dword ptr [esi+0Ch]
		call	eax

loc_590D6E:				; CODE XREF: wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)+32j
					; wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)+3Bj
		pop	edi
		pop	esi
		leave
		retn	0Ch
_wil_details_FeatureReporting_ReportUsageToService@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_FeatureReporting_ReportUsageToServiceDirect(x, x, x, x,	x)
_wil_details_FeatureReporting_ReportUsageToServiceDirect@20 proc near
					; CODE XREF: wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)+2Bp

var_4C		= dword	ptr -4Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_24], eax
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		push	edx
		push	eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_2C], ecx
		mov	ecx, [ecx+4]
		mov	[ebp+var_30], edx
		mov	edx, ebx
		push	eax
		call	_wil_details_FeatureReporting_RecordUsageInCache@16 ; wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)
		push	6
		mov	esi, eax
		lea	edi, [ebp+var_20]
		mov	eax, _g_wil_details_recordFeatureUsage
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_2C]
		test	eax, eax
		jz	short loc_590DD3
		lea	ecx, [ebp+var_20]
		push	ecx
		push	dword ptr [esi+4]
		push	[ebp+var_30]
		push	ebx
		push	dword ptr [esi+0Ch]
		call	eax

loc_590DD3:				; CODE XREF: wil_details_FeatureReporting_ReportUsageToServiceDirect(x,x,x,x,x)+4Dj
		mov	ecx, [ebp+var_24]
		test	ecx, 400h
		jz	short loc_590E0A
		cmp	ebx, 0FEh
		jz	short loc_590E0A
		and	[ebp+var_24], 0
		mov	eax, [esi+0Ch]
		mov	[ebp+var_28], eax
		mov	word ptr [ebp+var_24], bx
		test	ecx, 800h
		jz	short loc_590E01
		or	word ptr [ebp+var_24+2], 1

loc_590E01:				; CODE XREF: wil_details_FeatureReporting_ReportUsageToServiceDirect(x,x,x,x,x)+86j
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlNotifyFeatureUsage@4 ; RtlNotifyFeatureUsage(x)

loc_590E0A:				; CODE XREF: wil_details_FeatureReporting_ReportUsageToServiceDirect(x,x,x,x,x)+68j
					; wil_details_FeatureReporting_ReportUsageToServiceDirect(x,x,x,x,x)+70j
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		cmp	[ebp+var_10], eax
		pop	edi
		setz	al
		xor	ecx, ebp
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_wil_details_FeatureReporting_ReportUsageToServiceDirect@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_FeatureStateCache_GetCachedFeatureEnabledState(x, x)
_wil_details_FeatureStateCache_GetCachedFeatureEnabledState@8 proc near
					; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+D1p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx]
		push	esi
		xor	esi, esi
		test	al, 2
		jz	short loc_590E38
		mov	edx, esi
		jmp	short loc_590E3F
; 

loc_590E38:				; CODE XREF: wil_details_FeatureStateCache_GetCachedFeatureEnabledState(x,x)+Ej
		push	esi
		push	eax
		call	_wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState@16 ;	wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)

loc_590E3F:				; CODE XREF: wil_details_FeatureStateCache_GetCachedFeatureEnabledState(x,x)+12j
		pop	esi
		leave
		retn
_wil_details_FeatureStateCache_GetCachedFeatureEnabledState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x, x, x, x)
_wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState@16 proc near
					; CODE XREF: wil_details_FeatureStateCache_GetCachedFeatureEnabledState(x,x)+16p
					; wil_details_IsEnabledFallback(x,x,x,x,x)+22p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, _g_wil_details_ensureSubscribedToFeatureConfigurationChanges
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+2Ch+var_18], ecx
		mov	[esp+2Ch+var_1C], esi
		mov	[esp+2Ch+var_10], esi
		mov	[esp+2Ch+var_C], esi
		mov	[esp+2Ch+var_20], esi
		push	edi
		mov	edi, edx
		mov	[esp+30h+var_14], edi
		test	eax, eax
		jz	short loc_590E7D
		call	eax
		mov	esi, eax
		mov	[esp+30h+var_1C], eax

loc_590E7D:				; CODE XREF: wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)+31j
		lea	edx, [esp+30h+var_20]
		mov	ecx, edi
		call	_wil_details_GetCurrentFeatureEnabledState@8 ; wil_details_GetCurrentFeatureEnabledState(x,x)
		cmp	byte ptr [edi+10h], 0
		mov	ebx, eax
		jnz	short loc_590E9C
		mov	edi, esi
		neg	edi
		sbb	edi, edi
		and	edi, [esp+30h+var_20]
		jmp	short loc_590EA0
; 

loc_590E9C:				; CODE XREF: wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)+4Cj
		mov	edi, [esp+30h+var_20]

loc_590EA0:				; CODE XREF: wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)+58j
		mov	eax, [ebp+arg_0]
		mov	ecx, [esp+30h+var_18]
		mov	[esp+30h+var_10], eax

loc_590EAB:				; CODE XREF: wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)+A6j
		mov	esi, eax
		test	edi, edi
		jz	short loc_590EC4
		test	al, 2
		jnz	short loc_590EC4
		mov	esi, ebx
		xor	esi, eax
		and	esi, 9C1h
		xor	esi, eax
		or	esi, 2

loc_590EC4:				; CODE XREF: wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)+6Dj
					; wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)+71j
		test	al, 4
		jnz	short loc_590ED6
		mov	eax, ebx
		xor	eax, esi
		and	eax, 400h
		xor	esi, eax
		or	esi, 4

loc_590ED6:				; CODE XREF: wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)+84j
		push	esi
		lea	edx, [esp+34h+var_10]
		call	_wil_atomic_uint32_compare_exchange_relaxed@12 ; wil_atomic_uint32_compare_exchange_relaxed(x,x,x)
		test	eax, eax
		jnz	short loc_590EEA
		mov	eax, [esp+30h+var_10]
		jmp	short loc_590EAB
; 

loc_590EEA:				; CODE XREF: wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)+A0j
		test	byte ptr [esp+30h+var_10], 4
		jnz	short loc_590F0E
		mov	ecx, _g_wil_details_subscribeFeatureStateCacheToConfigurationChanges
		test	ecx, ecx
		jz	short loc_590F0E
		mov	eax, [esp+30h+var_14]
		push	[esp+30h+var_1C]
		movzx	eax, byte ptr [eax+10h]
		push	eax
		push	[esp+38h+var_18]
		call	ecx

loc_590F0E:				; CODE XREF: wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)+ADj
					; wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)+B7j
		test	edi, edi
		jnz	short loc_590F1C
		xor	ebx, esi
		and	ebx, 9C1h
		xor	esi, ebx

loc_590F1C:				; CODE XREF: wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)+CEj
		mov	edx, [ebp+arg_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x, x, x,	x)
_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 proc near
					; CODE XREF: wil_details_IsEnabledFallback(x,x,x,x,x)+50p
					; Feature_BamQosGrouping__private_ReportUsageFallback(x,x,x)+2Bp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, [edx]
		sub	ecx, 3
		jz	short loc_590F43
		sub	ecx, 1
		jnz	short loc_590F84
		push	20h
		jmp	short loc_590F45
; 

loc_590F43:				; CODE XREF: wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)+Ej
		push	10h

loc_590F45:				; CODE XREF: wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)+17j
		cmp	byte ptr [edx+12h], 0
		pop	esi
		jnz	short loc_590F81
		cmp	byte ptr [edx+11h], 0
		jnz	short loc_590F81
		mov	ecx, [edi]
		and	[ebp+var_4], 0
		mov	[ebp+var_8], ecx

loc_590F5B:				; CODE XREF: wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)+55j
		test	cl, 2
		jz	short loc_590F84
		mov	eax, [ebp+arg_0]
		xor	eax, ecx
		test	al, 1
		jnz	short loc_590F84
		mov	eax, esi
		lea	edx, [ebp+var_8]
		or	eax, ecx
		mov	ecx, edi
		push	eax
		call	_wil_atomic_uint32_compare_exchange_relaxed@12 ; wil_atomic_uint32_compare_exchange_relaxed(x,x,x)
		test	eax, eax
		jnz	short loc_590F84
		mov	ecx, [ebp+var_8]
		jmp	short loc_590F5B
; 

loc_590F81:				; CODE XREF: wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)+20j
					; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)+26j
		lock or	[edi], esi

loc_590F84:				; CODE XREF: wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)+13j
					; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)+34j ...
		pop	edi
		pop	esi
		leave
		retn	8
_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_GetCurrentFeatureEnabledState(x, x)
_wil_details_GetCurrentFeatureEnabledState@8 proc near
					; CODE XREF: wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)+41p

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	al, [esi+10h]
		cmp	al, 3
		jz	short loc_590FA6
		cmp	al, 2
		jz	short loc_590FA6
		xor	ebx, ebx
		jmp	short loc_590FA9
; 

loc_590FA6:				; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+12j
					; wil_details_GetCurrentFeatureEnabledState(x,x)+16j
		xor	ebx, ebx
		inc	ebx

loc_590FA9:				; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+1Aj
		push	6
		pop	ecx
		xor	eax, eax
		mov	dword ptr [edx], 1
		lea	edi, [ebp+var_20]
		rep stosd
		mov	edi, [esi+0Ch]
		lea	ecx, [ebp+var_20]
		push	eax
		push	ebx
		mov	edx, edi
		call	wil_RtlStagingConfig_QueryFeatureState
		mov	edx, eax
		test	edx, edx
		jnz	short loc_590FDD
		push	eax
		push	ebx
		push	edi
		lea	edx, [ebp+var_20]
		xor	ecx, ecx
		call	wil_StagingConfig_QueryFeatureState
		mov	edx, eax

loc_590FDD:				; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+42j
		mov	eax, [ebp+var_10]
		xor	edi, edi
		mov	ecx, [ebp+var_C]
		neg	eax
		sbb	eax, eax
		and	eax, 400h
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 800h
		or	ecx, eax
		neg	edx
		sbb	edx, edx
		and	edx, [ebp+var_20]
		and	edx, 3
		shl	edx, 7
		or	edx, ecx
		test	edx, 180h
		jnz	short loc_59101E
		movzx	eax, byte ptr [esi+13h]
		neg	eax
		sbb	eax, eax
		and	eax, 40h
		jmp	short loc_59102B
; 

loc_59101E:				; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+85j
		cmp	[ebp+var_20], 2
		jnz	short loc_591029
		push	40h
		pop	eax
		jmp	short loc_59102B
; 

loc_591029:				; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+98j
		mov	eax, edi

loc_59102B:				; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+92j
					; wil_details_GetCurrentFeatureEnabledState(x,x)+9Dj
		or	edx, eax
		mov	ebx, edx
		shr	ebx, 6
		and	ebx, 1
		or	ebx, edx
		test	bl, 1
		jz	short loc_59108C
		mov	esi, [esi+14h]
		test	esi, esi
		jz	short loc_59108C
		jmp	short loc_591085
; 

loc_591045:				; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+100j
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_59108C
		cmp	byte ptr [ecx+12h], 0
		jnz	short loc_59106C
		cmp	byte ptr [ecx+11h], 0
		jnz	short loc_59106C
		mov	edx, ecx
		mov	ecx, [ecx]
		call	_wil_details_FeatureStateCache_GetCachedFeatureEnabledState@8 ;	wil_details_FeatureStateCache_GetCachedFeatureEnabledState(x,x)
		and	eax, ebx
		test	al, 1
		push	0
		pop	eax
		setnz	al
		jmp	short loc_59107D
; 

loc_59106C:				; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+C5j
					; wil_details_GetCurrentFeatureEnabledState(x,x)+CBj
		test	eax, eax
		jz	short loc_59107B
		cmp	byte ptr [ecx+13h], 0
		jz	short loc_59107B
		xor	eax, eax
		inc	eax
		jmp	short loc_59107D
; 

loc_59107B:				; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+E4j
					; wil_details_GetCurrentFeatureEnabledState(x,x)+EAj
		mov	eax, edi

loc_59107D:				; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+E0j
					; wil_details_GetCurrentFeatureEnabledState(x,x)+EFj
		and	ebx, 0FFFFFFFEh
		or	ebx, eax
		add	esi, 4

loc_591085:				; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+B9j
		mov	eax, ebx
		and	eax, 1
		jnz	short loc_591045

loc_59108C:				; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+B0j
					; wil_details_GetCurrentFeatureEnabledState(x,x)+B7j ...
		mov	edx, edi
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_wil_details_GetCurrentFeatureEnabledState@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_IsEnabledFallback(x, x,	x, x, x)
_wil_details_IsEnabledFallback@20 proc near
					; CODE XREF: Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledFallback(x,x,x)+11p
					; Feature_1148767544__private_IsEnabledFallback(x,x,x)+11p ...

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	eax, edx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], eax
		mov	esi, ecx
		test	bl, 2
		jnz	short loc_5910C4
		push	[ebp+arg_8]
		mov	ecx, [eax]
		push	ebx
		call	_wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState@16 ;	wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)
		mov	ebx, eax
		mov	edi, edx
		mov	eax, [ebp+var_4]

loc_5910C4:				; CODE XREF: wil_details_IsEnabledFallback(x,x,x,x,x)+1Aj
		test	esi, esi
		jz	short loc_5910EB
		push	edi
		push	ebx
		push	1
		mov	edx, esi
		mov	ecx, eax
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		cmp	esi, 3
		jz	short loc_5910DF
		cmp	esi, 4
		jnz	short loc_5910EB

loc_5910DF:				; CODE XREF: wil_details_IsEnabledFallback(x,x,x,x,x)+42j
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	edi
		push	ebx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)

loc_5910EB:				; CODE XREF: wil_details_IsEnabledFallback(x,x,x,x,x)+30j
					; wil_details_IsEnabledFallback(x,x,x,x,x)+47j
		pop	edi
		and	ebx, 1
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
_wil_details_IsEnabledFallback@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAllocateAndPopulateWriteIrp(x, x)
_IopAllocateAndPopulateWriteIrp@8 proc near
					; CODE XREF: IopPopulateCopyWriteWorkerData(x,x,x,x,x,x,x,x,x,x,x)+86p
					; IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+177p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	28h
		push	offset dword_6A8208
		call	__SEH_prolog4
		mov	[ebp+var_34], edx
		mov	esi, ecx
		mov	[ebp+var_20], esi
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	ecx, [esi+8]
		call	_IopResetEvent@4 ; IopResetEvent(x)
		mov	ecx, [esi+0Ch]
		push	dword ptr [ebp+4]
		cmp	[esi+5], bl
		setz	al
		movzx	eax, al
		push	eax
		mov	dl, [ecx+30h]
		call	IopAllocateIrpExReturn
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		jnz	short loc_591146
		mov	[ebp+var_1C], 0C000009Ah
		jmp	loc_5912FD
; 

loc_591146:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+40j
		mov	eax, [esi+8]
		mov	[edi+64h], eax
		mov	eax, [esi]
		mov	[edi+50h], eax
		mov	[edi+54h], ebx
		mov	al, [esi+4]
		mov	[edi+20h], al
		mov	[edi+21h], bl
		mov	[edi+24h], bl
		mov	[edi+38h], ebx
		mov	[edi+8], ebx
		mov	eax, [esi+10h]
		mov	[edi+2Ch], eax
		mov	eax, [esi+1Ch]
		mov	[edi+28h], eax
		mov	eax, [esi+14h]
		mov	[edi+30h], eax
		mov	eax, [esi+18h]
		mov	[edi+34h], eax
		mov	ecx, [edi+60h]
		sub	ecx, 24h
		mov	[ebp+var_28], ecx
		mov	dword ptr [ecx], 4
		mov	eax, [esi+8]
		mov	[ecx+18h], eax
		mov	eax, [esi+8]
		test	byte ptr [eax+2Ch], 10h
		jz	short loc_5911A0
		mov	byte ptr [ecx+2], 4

loc_5911A0:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+A2j
		mov	[edi+0Ch], ebx
		mov	[edi+4], ebx
		mov	eax, [esi+0Ch]
		mov	eax, [eax+1Ch]
		test	al, 4
		jz	short loc_59122E
		mov	edx, [esi+24h]
		test	edx, edx
		jz	short loc_591228
		mov	[ebp+ms_exc.disabled], ebx
		cmp	[esi+38h], ebx
		jz	short loc_5911D1
		mov	eax, [esi+20h]
		mov	[edi+0Ch], eax
		or	dword ptr [edi+8], 10h
		mov	eax, [esi+20h]
		mov	[edi+3Ch], eax
		jmp	short loc_5911F1
; 

loc_5911D1:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+C5j
		mov	ecx, 204h
		call	sub_60F12F
		mov	[edi+0Ch], eax
		push	dword ptr [esi+24h] ; size_t
		push	dword ptr [esi+20h] ; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		or	dword ptr [edi+8], 30h

loc_5911F1:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+D7j
					; IopAllocateAndPopulateWriteIrp(x,x)+17Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_591292
; 

loc_5911FD:				; DATA XREF: .text:006A821Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_59120B:				; DATA XREF: .text:006A8220o
		mov	eax, [ebp+var_2C]

loc_59120E:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+192j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+var_1C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_20]
		mov	edi, [ebp+var_24]
		jmp	loc_5912F9
; 

loc_591228:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+BDj
		or	dword ptr [edi+8], 10h
		jmp	short loc_591292
; 

loc_59122E:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+B6j
		test	al, 10h
		jz	short loc_59128C
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_591292
		mov	[ebp+ms_exc.disabled], 1
		push	edi
		push	1
		push	ebx
		push	eax
		push	dword ptr [esi+20h]
		call	IoAllocateMdl
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_591355
		mov	edx, [esi+0Ch]
		mov	eax, [ebp+var_28]
		movzx	eax, byte ptr [eax]
		push	eax
		push	edx
		push	ecx
		cmp	[esi+38h], ebx
		jz	short loc_59126C
		xor	dl, dl
		jmp	short loc_59126F
; 

loc_59126C:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+16Ej
		mov	dl, [esi+4]

loc_59126F:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+172j
		call	sub_5057C4
		jmp	loc_5911F1
; 

loc_591279:				; DATA XREF: .text:006A8228o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_591287:				; DATA XREF: .text:006A822Co
		mov	eax, [ebp+var_30]
		jmp	short loc_59120E
; 

loc_59128C:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+138j
		mov	eax, [esi+20h]
		mov	[edi+3Ch], eax

loc_591292:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+100j
					; IopAllocateAndPopulateWriteIrp(x,x)+134j ...
		mov	ecx, [edi+8]
		or	ecx, 200h
		mov	[edi+8], ecx
		mov	eax, [esi+8]
		test	byte ptr [eax+2Ch], 8
		jz	short loc_5912AD
		or	ecx, 1
		mov	[edi+8], ecx

loc_5912AD:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+1ADj
		cmp	byte ptr [esi+6], 0
		jz	short loc_5912BC
		or	ecx, 800h
		mov	[edi+8], ecx

loc_5912BC:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+1B9j
		cmp	[esi+38h], ebx
		jz	short loc_5912DB
		mov	[edi+20h], bl
		mov	eax, [esi+20h]
		mov	[edi+3Ch], eax
		mov	edx, [esi+38h]
		mov	ecx, edi
		call	_IopSetCopyInformationExtension@8 ; IopSetCopyInformationExtension(x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	short loc_5912FD

loc_5912DB:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+1C7j
		mov	ecx, [esi+24h]
		mov	edx, [ebp+var_28]
		mov	[edx+4], ecx
		mov	ecx, [esi+30h]
		mov	[edx+8], ecx
		mov	ecx, [esi+28h]
		mov	[edx+0Ch], ecx
		mov	eax, [esi+2Ch]
		mov	[edx+10h], eax
		mov	eax, [ebp+var_1C]

loc_5912F9:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+12Bj
		test	eax, eax
		jns	short loc_59133D

loc_5912FD:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+49j
					; IopAllocateAndPopulateWriteIrp(x,x)+1E1j
		mov	al, [esi+5]
		test	edi, edi
		jz	short loc_591315
		push	eax
		push	ebx
		push	dword ptr [esi+10h]
		mov	edx, edi
		mov	ecx, [esi+8]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		jmp	short loc_591342
; 

loc_591315:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+20Aj
		test	al, al
		jz	short loc_591321
		mov	ecx, [esi+8]
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_591321:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+21Fj
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	short loc_591330
		call	ObfDereferenceObject
		mov	[esi+10h], ebx

loc_591330:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+22Ej
		mov	ecx, [esi+8]
		call	ObfDereferenceObject
		mov	[esi+8], ebx
		jmp	short loc_591342
; 

loc_59133D:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+203j
		mov	eax, [ebp+var_34]
		mov	[eax], edi

loc_591342:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+21Bj
					; IopAllocateAndPopulateWriteIrp(x,x)+243j
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_591355:				; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+159j
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger
_IopAllocateAndPopulateWriteIrp@8 endp


; __stdcall IopValidateAndGetWriteParameters(x,	x, x, x, x)
_IopValidateAndGetWriteParameters@20:	; CODE XREF: IopPopulateCopyWriteWorkerData(x,x,x,x,x,x,x,x,x,x,x)+6Fp
					; IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+65p
		push	24h
		push	offset dword_6A81E8
		call	__SEH_prolog4
		mov	[ebp-34h], edx
		mov	esi, ecx
		mov	[ebp-24h], esi
		xor	ebx, ebx
		mov	[ebp-20h], ebx
		mov	eax, large fs:124h
		mov	[esi], eax
		mov	al, [eax+15Ah]
		mov	[esi+4], al
		mov	edx, [esi+8]
		mov	eax, [esi+34h]
		test	byte ptr [edx+2Ch], 2
		jz	short loc_59139C
		test	eax, eax
		mov	cl, 1
		jns	short loc_59139E

loc_59139C:				; CODE XREF: .text:00591394j
		mov	cl, bl

loc_59139E:				; CODE XREF: .text:0059139Aj
		mov	[esi+5], cl
		shr	eax, 1Eh
		not	al
		and	al, 1
		mov	[esi+6], al
		push	edx
		call	IoGetRelatedDeviceObject
		mov	[esi+0Ch], eax
		mov	al, [esi+4]
		mov	[ebp-19h], al
		test	al, al
		jz	loc_59148E
		mov	[ebp-4], ebx
		mov	ecx, [esi+1Ch]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_5913D3
		mov	ecx, eax

loc_5913D3:				; CODE XREF: .text:005913CFj
		mov	eax, [ecx]
		mov	[ecx], eax
		cmp	[esi+38h], ebx
		jnz	short loc_5913F8
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_5913F8
		mov	ecx, [esi+20h]
		lea	edx, [ecx+eax]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_5913F6
		cmp	edx, ecx
		jnb	short loc_5913F8

loc_5913F6:				; CODE XREF: .text:005913F0j
		mov	[eax], bl

loc_5913F8:				; CODE XREF: .text:005913DAj
					; .text:005913E1j ...
		mov	eax, [esi+8]
		cmp	[eax+6Ch], ebx
		jz	short loc_591418
		cmp	[esi+14h], ebx
		jz	short loc_591418
		mov	dword ptr [ebp-20h], 0C000000Dh
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_591679
; 

loc_591418:				; CODE XREF: .text:005913FEj
					; .text:00591403j
		mov	ecx, [ebp+8]
		test	ecx, ecx
		jz	short loc_591446
		mov	edx, ecx
		test	cl, 3
		jnz	loc_5916C7
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_591435
		mov	edx, eax

loc_591435:				; CODE XREF: .text:00591431j
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[esi+28h], eax
		mov	[esi+2Ch], ecx
		mov	ecx, [ebp+8]

loc_591446:				; CODE XREF: .text:0059141Dj
		mov	eax, [ebp+0Ch]
		test	eax, eax
		jz	short loc_59145F
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		jb	short loc_591459
		mov	eax, edx

loc_591459:				; CODE XREF: .text:00591455j
		nop
		mov	eax, [eax]
		mov	[esi+30h], eax

loc_59145F:				; CODE XREF: .text:0059144Bj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	al, [esi+4]
		mov	[ebp-19h], al
		jmp	short loc_5914B0
; 

loc_59146E:				; DATA XREF: .text:006A81FCo
		lea	edx, [ebp-20h]
		mov	ecx, [ebp-14h]
		call	_IopExceptionFilter@8 ;	IopExceptionFilter(x,x)
		retn
; 

loc_59147A:				; DATA XREF: .text:006A8200o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp-24h]
		jmp	loc_591679
; 

loc_59148E:				; CODE XREF: .text:005913BCj
		mov	ecx, [ebp+8]
		test	ecx, ecx
		jz	short loc_5914A0
		mov	eax, [ecx]
		mov	[esi+28h], eax
		mov	eax, [ecx+4]
		mov	[esi+2Ch], eax

loc_5914A0:				; CODE XREF: .text:00591493j
		mov	al, bl
		mov	edx, [ebp+0Ch]
		test	edx, edx
		jz	short loc_5914B0
		mov	eax, [edx]
		mov	[esi+30h], eax
		mov	al, bl

loc_5914B0:				; CODE XREF: .text:0059146Cj
					; .text:005914A7j
		test	al, al
		jz	loc_59155C
		mov	eax, [esi+8]
		test	byte ptr [eax+2Ch], 8
		jz	loc_59155C
		mov	eax, [esi+0Ch]
		mov	[ebp-24h], eax
		movzx	edi, word ptr [eax+0ACh]
		mov	[ebp-30h], edi
		test	di, di
		jz	short loc_5914F0
		movzx	edx, di
		mov	[ebp-28h], edx
		mov	[ebp+0Ch], edx
		lea	eax, [edx-1]
		test	[esi+24h], eax
		jnz	short loc_591500
		mov	eax, [ebp-24h]
		jmp	short loc_5914F5
; 

loc_5914F0:				; CODE XREF: .text:005914D8j
		mov	[ebp-28h], ebx
		mov	edx, ebx

loc_5914F5:				; CODE XREF: .text:005914EEj
		mov	[ebp+0Ch], edx
		mov	eax, [eax+5Ch]
		test	[esi+20h], eax
		jz	short loc_591524

loc_591500:				; CODE XREF: .text:005914E9j
		test	di, di
		jz	short loc_591515
		mov	eax, [esi+24h]
		xor	edx, edx
		div	dword ptr [ebp+0Ch]
		test	edx, edx
		jnz	loc_5916BE

loc_591515:				; CODE XREF: .text:00591503j
		mov	eax, [ebp-24h]
		mov	eax, [eax+5Ch]
		test	[esi+20h], eax
		jnz	loc_5916BE

loc_591524:				; CODE XREF: .text:005914FEj
		test	ecx, ecx
		jz	short loc_59155C
		mov	edx, [esi+28h]
		or	edi, 0FFFFFFFFh
		cmp	edx, edi
		jnz	short loc_591537
		cmp	[esi+2Ch], edi
		jz	short loc_59155F

loc_591537:				; CODE XREF: .text:00591530j
		cmp	edx, 0FFFFFFFEh
		jnz	short loc_591547
		cmp	[esi+2Ch], edi
		jnz	short loc_591547
		cmp	byte ptr [esi+5], 0
		jnz	short loc_59155F

loc_591547:				; CODE XREF: .text:0059153Aj
					; .text:0059153Fj
		cmp	word ptr [ebp-30h], 0
		jz	short loc_59155F
		mov	eax, [ebp-28h]
		dec	eax
		test	eax, edx
		jnz	loc_5916BE
		jmp	short loc_59155F
; 

loc_59155C:				; CODE XREF: .text:005914B2j
					; .text:005914BFj ...
		or	edi, 0FFFFFFFFh

loc_59155F:				; CODE XREF: .text:00591535j
					; .text:00591545j ...
		mov	eax, [ebp+10h]
		and	al, 6
		cmp	al, 4
		jnz	short loc_59156E
		mov	[esi+28h], edi
		mov	[esi+2Ch], edi

loc_59156E:				; CODE XREF: .text:00591566j
		mov	edx, [ebp-34h]
		test	edx, edx
		jz	short loc_5915AE
		mov	al, [ebp-19h]
		mov	[ebp+0Ch], al
		mov	eax, ds:_ExEventObjectType
		mov	[ebp-28h], ebx
		push	ebx
		lea	ecx, [ebp-28h]
		push	ecx
		push	dword ptr [ebp+0Ch]
		push	eax
		push	2
		push	edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [ebp-28h]
		mov	[esi+10h], ecx
		mov	[ebp-20h], eax
		test	eax, eax
		js	loc_591679
		push	ecx
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	ecx, [ebp+8]

loc_5915AE:				; CODE XREF: .text:00591573j
		cmp	byte ptr [esi+5], 0
		jz	loc_5916AE
		mov	eax, [esi+8]
		mov	[ebp+10h], eax
		mov	eax, [eax+2Ch]
		and	eax, 4
		mov	[ebp-30h], eax
		mov	al, [esi+4]
		mov	[ebp+0Fh], al
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	ebx
		mov	ecx, [ebp+10h]
		add	ecx, 4Ch
		xor	edx, edx
		call	KeAbPreAcquire
		mov	[ebp-1Ah], bl
		mov	ecx, [ebp+10h]
		add	ecx, 44h
		xor	edx, edx
		inc	edx
		xchg	edx, [ecx]
		mov	[ebp-34h], edx
		test	edx, edx
		mov	edx, [ebp+10h]
		jnz	short loc_59160B
		test	eax, eax
		jz	short loc_591600
		or	byte ptr [eax+0Eh], 1

loc_591600:				; CODE XREF: .text:005915FAj
		mov	ecx, edx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, ebx
		jmp	short loc_591626
; 

loc_59160B:				; CODE XREF: .text:005915F6j
		lea	ecx, [ebp-1Ah]
		push	ecx
		push	eax
		cmp	dword ptr [ebp-30h], 0
		setnz	al
		movzx	eax, al
		push	eax
		mov	dl, [ebp+0Fh]
		mov	ecx, [ebp+10h]
		call	IopWaitAndAcquireFileObjectLock

loc_591626:				; CODE XREF: .text:00591609j
		mov	[ebp-20h], eax
		cmp	byte ptr [ebp-1Ah], 0
		jnz	short loc_591679
		lea	edx, [esi+28h]
		cmp	dword ptr [ebp+8], 0
		jnz	short loc_59163C
		cmp	[edx], ebx
		jz	short loc_591646

loc_59163C:				; CODE XREF: .text:00591636j
		cmp	dword ptr [edx], 0FFFFFFFEh
		jnz	short loc_591654
		cmp	[esi+2Ch], edi
		jnz	short loc_591654

loc_591646:				; CODE XREF: .text:0059163Aj
		mov	ecx, [esi+8]
		mov	eax, [ecx+38h]
		mov	[edx], eax
		mov	eax, [ecx+3Ch]
		mov	[edx+4], eax

loc_591654:				; CODE XREF: .text:0059163Fj
					; .text:00591644j ...
		mov	eax, [esi+2Ch]
		test	eax, eax
		jns	short loc_591679
		cmp	eax, edi
		jnz	short loc_591664
		cmp	[esi+28h], edi
		jz	short loc_591679

loc_591664:				; CODE XREF: .text:0059165Dj
		cmp	byte ptr [esi+5], 0
		jz	short loc_591672
		mov	ecx, [esi+8]
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_591672:				; CODE XREF: .text:00591668j
		mov	dword ptr [ebp-20h], 0C000000Dh

loc_591679:				; CODE XREF: .text:00591413j
					; .text:00591489j ...
		cmp	dword ptr [ebp-20h], 0
		jge	short loc_591699

loc_59167F:				; CODE XREF: .text:005916C5j
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	short loc_59168E
		call	ObfDereferenceObject
		mov	[esi+10h], ebx

loc_59168E:				; CODE XREF: .text:00591684j
		mov	ecx, [esi+8]
		call	ObfDereferenceObject
		mov	[esi+8], ebx

loc_591699:				; CODE XREF: .text:0059167Dj
		mov	eax, [ebp-20h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_5916AE:				; CODE XREF: .text:005915B2j
		test	ecx, ecx
		jnz	short loc_591654
		mov	eax, [esi+8]
		test	dword ptr [eax+2Ch], 280h
		jnz	short loc_591654

loc_5916BE:				; CODE XREF: .text:0059150Fj
					; .text:0059151Ej ...
		mov	dword ptr [ebp-20h], 0C000000Dh
		jmp	short loc_59167F
; 

loc_5916C7:				; CODE XREF: .text:00591424j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_BamQosGrouping__private_ReportUsageFallback(x, x, x)
_Feature_BamQosGrouping__private_ReportUsageFallback@12	proc near
					; CODE XREF: KeInitializeVelocity()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_BamQosGrouping__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_BamQosGrouping__private_ReportUsageFallback@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_DisableLowQosTimerResolution__private_ReportDeviceUsage()
_Feature_DisableLowQosTimerResolution__private_ReportDeviceUsage@0 proc	near
					; CODE XREF: KiInitializeVelocity()+95p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_DisableLowQosTimerResolution__private_featureState
		test	al, 10h
		jnz	short locret_59171C
		push	0
		push	eax
		call	_Feature_DisableLowQosTimerResolution__private_ReportUsageFallback@12 ;	Feature_DisableLowQosTimerResolution__private_ReportUsageFallback(x,x,x)

locret_59171C:				; CODE XREF: Feature_DisableLowQosTimerResolution__private_ReportDeviceUsage()+Ej
		leave
		retn
_Feature_DisableLowQosTimerResolution__private_ReportDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_DisableLowQosTimerResolution__private_ReportUsageFallback(x, x, x)
_Feature_DisableLowQosTimerResolution__private_ReportUsageFallback@12 proc near
					; CODE XREF: Feature_DisableLowQosTimerResolution__private_ReportDeviceUsage()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		and	esi, 0FFFFFFFEh
		mov	edi, offset _Feature_DisableLowQosTimerResolution__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_DisableLowQosTimerResolution__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_ReduceTimerWakes__private_ReportDeviceUsage()
_Feature_ReduceTimerWakes__private_ReportDeviceUsage@0 proc near
					; CODE XREF: KiInitializeVelocity()+86p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_ReduceTimerWakes__private_featureState
		test	al, 10h
		jnz	short locret_59176C
		push	0
		push	eax
		call	_Feature_ReduceTimerWakes__private_ReportUsageFallback@12 ; Feature_ReduceTimerWakes__private_ReportUsageFallback(x,x,x)

locret_59176C:				; CODE XREF: Feature_ReduceTimerWakes__private_ReportDeviceUsage()+Ej
		leave
		retn
_Feature_ReduceTimerWakes__private_ReportDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_ReduceTimerWakes__private_ReportUsageFallback(x, x,	x)
_Feature_ReduceTimerWakes__private_ReportUsageFallback@12 proc near
					; CODE XREF: Feature_ReduceTimerWakes__private_ReportDeviceUsage()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_ReduceTimerWakes__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_ReduceTimerWakes__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAggressiveForegroundBoost__private_ReportDeviceUsage()
_Feature_SchedulerAggressiveForegroundBoost__private_ReportDeviceUsage@0 proc near
					; CODE XREF: KiInitializeVelocity()+59p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_SchedulerAggressiveForegroundBoost__private_featureState
		test	al, 10h
		jnz	short locret_5917BC
		push	0
		push	eax
		call	_Feature_SchedulerAggressiveForegroundBoost__private_ReportUsageFallback@12 ; Feature_SchedulerAggressiveForegroundBoost__private_ReportUsageFallback(x,x,x)

locret_5917BC:				; CODE XREF: Feature_SchedulerAggressiveForegroundBoost__private_ReportDeviceUsage()+Ej
		leave
		retn
_Feature_SchedulerAggressiveForegroundBoost__private_ReportDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAggressiveForegroundBoost__private_ReportUsageFallback(x, x, x)
_Feature_SchedulerAggressiveForegroundBoost__private_ReportUsageFallback@12 proc near
					; CODE XREF: Feature_SchedulerAggressiveForegroundBoost__private_ReportDeviceUsage()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_SchedulerAggressiveForegroundBoost__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_SchedulerAggressiveForegroundBoost__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistAllowRealTime__private_ReportDeviceUsage()
_Feature_SchedulerAssistAllowRealTime__private_ReportDeviceUsage@0 proc	near
					; CODE XREF: KiInitializeVelocity()+68p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_SchedulerAssistAllowRealTime__private_featureState
		test	al, 10h
		jnz	short locret_59180C
		push	0
		push	eax
		call	_Feature_SchedulerAssistAllowRealTime__private_ReportUsageFallback@12 ;	Feature_SchedulerAssistAllowRealTime__private_ReportUsageFallback(x,x,x)

locret_59180C:				; CODE XREF: Feature_SchedulerAssistAllowRealTime__private_ReportDeviceUsage()+Ej
		leave
		retn
_Feature_SchedulerAssistAllowRealTime__private_ReportDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistAllowRealTime__private_ReportUsageFallback(x, x, x)
_Feature_SchedulerAssistAllowRealTime__private_ReportUsageFallback@12 proc near
					; CODE XREF: Feature_SchedulerAssistAllowRealTime__private_ReportDeviceUsage()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_SchedulerAssistAllowRealTime__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_SchedulerAssistAllowRealTime__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistEnableBAM__private_ReportDeviceUsage()
_Feature_SchedulerAssistEnableBAM__private_ReportDeviceUsage@0 proc near
					; CODE XREF: KiInitializeVelocity()+35p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_SchedulerAssistEnableBAM__private_featureState
		test	al, 10h
		jnz	short locret_59185C
		push	0
		push	eax
		call	_Feature_SchedulerAssistEnableBAM__private_ReportUsageFallback@12 ; Feature_SchedulerAssistEnableBAM__private_ReportUsageFallback(x,x,x)

locret_59185C:				; CODE XREF: Feature_SchedulerAssistEnableBAM__private_ReportDeviceUsage()+Ej
		leave
		retn
_Feature_SchedulerAssistEnableBAM__private_ReportDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistEnableBAM__private_ReportUsageFallback(x, x,	x)
_Feature_SchedulerAssistEnableBAM__private_ReportUsageFallback@12 proc near
					; CODE XREF: Feature_SchedulerAssistEnableBAM__private_ReportDeviceUsage()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_SchedulerAssistEnableBAM__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_SchedulerAssistEnableBAM__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistForegroundBoostBias__private_ReportDeviceUsage()
_Feature_SchedulerAssistForegroundBoostBias__private_ReportDeviceUsage@0 proc near
					; CODE XREF: KiInitializeVelocity()+30p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_SchedulerAssistForegroundBoostBias__private_featureState
		test	al, 10h
		jnz	short locret_5918AC
		push	0
		push	eax
		call	_Feature_SchedulerAssistForegroundBoostBias__private_ReportUsageFallback@12 ; Feature_SchedulerAssistForegroundBoostBias__private_ReportUsageFallback(x,x,x)

locret_5918AC:				; CODE XREF: Feature_SchedulerAssistForegroundBoostBias__private_ReportDeviceUsage()+Ej
		leave
		retn
_Feature_SchedulerAssistForegroundBoostBias__private_ReportDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistForegroundBoostBias__private_ReportUsageFallback(x, x, x)
_Feature_SchedulerAssistForegroundBoostBias__private_ReportUsageFallback@12 proc near
					; CODE XREF: Feature_SchedulerAssistForegroundBoostBias__private_ReportDeviceUsage()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		and	esi, 0FFFFFFFEh
		mov	edi, offset _Feature_SchedulerAssistForegroundBoostBias__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_SchedulerAssistForegroundBoostBias__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistHRTimer__private_ReportDeviceUsage()
_Feature_SchedulerAssistHRTimer__private_ReportDeviceUsage@0 proc near
					; CODE XREF: KiInitializeVelocity()+4Dp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_SchedulerAssistHRTimer__private_featureState
		test	al, 10h
		jnz	short locret_5918FC
		push	0
		push	eax
		call	_Feature_SchedulerAssistHRTimer__private_ReportUsageFallback@12	; Feature_SchedulerAssistHRTimer__private_ReportUsageFallback(x,x,x)

locret_5918FC:				; CODE XREF: Feature_SchedulerAssistHRTimer__private_ReportDeviceUsage()+Ej
		leave
		retn
_Feature_SchedulerAssistHRTimer__private_ReportDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistHRTimer__private_ReportUsageFallback(x, x, x)
_Feature_SchedulerAssistHRTimer__private_ReportUsageFallback@12	proc near
					; CODE XREF: Feature_SchedulerAssistHRTimer__private_ReportDeviceUsage()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_SchedulerAssistHRTimer__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_SchedulerAssistHRTimer__private_ReportUsageFallback@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistLongSpinWait__private_ReportDeviceUsage()
_Feature_SchedulerAssistLongSpinWait__private_ReportDeviceUsage@0 proc near
					; CODE XREF: KiInitializeVelocity()+77p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_SchedulerAssistLongSpinWait__private_featureState
		test	al, 10h
		jnz	short locret_59194C
		push	0
		push	eax
		call	_Feature_SchedulerAssistLongSpinWait__private_ReportUsageFallback@12 ; Feature_SchedulerAssistLongSpinWait__private_ReportUsageFallback(x,x,x)

locret_59194C:				; CODE XREF: Feature_SchedulerAssistLongSpinWait__private_ReportDeviceUsage()+Ej
		leave
		retn
_Feature_SchedulerAssistLongSpinWait__private_ReportDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistLongSpinWait__private_ReportUsageFallback(x,	x, x)
_Feature_SchedulerAssistLongSpinWait__private_ReportUsageFallback@12 proc near
					; CODE XREF: Feature_SchedulerAssistLongSpinWait__private_ReportDeviceUsage()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_SchedulerAssistLongSpinWait__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_SchedulerAssistLongSpinWait__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistPreemptionPriorityKick__private_ReportDeviceUsage()
_Feature_SchedulerAssistPreemptionPriorityKick__private_ReportDeviceUsage@0 proc near
					; CODE XREF: KiInitializeVelocity():loc_ABFB66p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_SchedulerAssistPreemptionPriorityKick__private_featureState
		test	al, 10h
		jnz	short locret_59199C
		push	0
		push	eax
		call	_Feature_SchedulerAssistPreemptionPriorityKick__private_ReportUsageFallback@12 ; Feature_SchedulerAssistPreemptionPriorityKick__private_ReportUsageFallback(x,x,x)

locret_59199C:				; CODE XREF: Feature_SchedulerAssistPreemptionPriorityKick__private_ReportDeviceUsage()+Ej
		leave
		retn
_Feature_SchedulerAssistPreemptionPriorityKick__private_ReportDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistPreemptionPriorityKick__private_ReportUsageFallback(x, x, x)
_Feature_SchedulerAssistPreemptionPriorityKick__private_ReportUsageFallback@12 proc near
					; CODE XREF: Feature_SchedulerAssistPreemptionPriorityKick__private_ReportDeviceUsage()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_SchedulerAssistPreemptionPriorityKick__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_SchedulerAssistPreemptionPriorityKick__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistReflectPriority__private_ReportUsageFallback(x, x, x)
_Feature_SchedulerAssistReflectPriority__private_ReportUsageFallback@12	proc near
					; CODE XREF: KiInitializeVelocity()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		and	esi, 0FFFFFFFEh
		mov	edi, offset _Feature_SchedulerAssistReflectPriority__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_SchedulerAssistReflectPriority__private_ReportUsageFallback@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistSpinLock__private_ReportDeviceUsage()
_Feature_SchedulerAssistSpinLock__private_ReportDeviceUsage@0 proc near
					; CODE XREF: KiInitializeVelocity()+41p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_SchedulerAssistSpinLock__private_featureState
		test	al, 10h
		jnz	short locret_591A22
		push	0
		push	eax
		call	_Feature_SchedulerAssistSpinLock__private_ReportUsageFallback@12 ; Feature_SchedulerAssistSpinLock__private_ReportUsageFallback(x,x,x)

locret_591A22:				; CODE XREF: Feature_SchedulerAssistSpinLock__private_ReportDeviceUsage()+Ej
		leave
		retn
_Feature_SchedulerAssistSpinLock__private_ReportDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistSpinLock__private_ReportUsageFallback(x, x, x)
_Feature_SchedulerAssistSpinLock__private_ReportUsageFallback@12 proc near
					; CODE XREF: Feature_SchedulerAssistSpinLock__private_ReportDeviceUsage()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_SchedulerAssistSpinLock__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_SchedulerAssistSpinLock__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistThreadFlag__private_ReportDeviceUsage()
_Feature_SchedulerAssistThreadFlag__private_ReportDeviceUsage@0	proc near
					; CODE XREF: KiInitializeVelocity()+24p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_SchedulerAssistThreadFlag__private_featureState
		test	al, 10h
		jnz	short locret_591A72
		push	0
		push	eax
		call	_Feature_SchedulerAssistThreadFlag__private_ReportUsageFallback@12 ; Feature_SchedulerAssistThreadFlag__private_ReportUsageFallback(x,x,x)

locret_591A72:				; CODE XREF: Feature_SchedulerAssistThreadFlag__private_ReportDeviceUsage()+Ej
		leave
		retn
_Feature_SchedulerAssistThreadFlag__private_ReportDeviceUsage@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerAssistThreadFlag__private_ReportUsageFallback(x, x, x)
_Feature_SchedulerAssistThreadFlag__private_ReportUsageFallback@12 proc	near
					; CODE XREF: Feature_SchedulerAssistThreadFlag__private_ReportDeviceUsage()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_SchedulerAssistThreadFlag__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_SchedulerAssistThreadFlag__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerFavoredCoreRotation__private_ReportDeviceUsage()
_Feature_SchedulerFavoredCoreRotation__private_ReportDeviceUsage@0 proc	near
					; CODE XREF: KeInitializeVelocity()+22p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_SchedulerFavoredCoreRotation__private_featureState
		test	al, 10h
		jnz	short locret_591AC2
		push	0
		push	eax
		call	_Feature_SchedulerFavoredCoreRotation__private_ReportUsageFallback@12 ;	Feature_SchedulerFavoredCoreRotation__private_ReportUsageFallback(x,x,x)

locret_591AC2:				; CODE XREF: Feature_SchedulerFavoredCoreRotation__private_ReportDeviceUsage()+Ej
		leave
		retn
_Feature_SchedulerFavoredCoreRotation__private_ReportDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerFavoredCoreRotation__private_ReportUsageFallback(x, x, x)
_Feature_SchedulerFavoredCoreRotation__private_ReportUsageFallback@12 proc near
					; CODE XREF: Feature_SchedulerFavoredCoreRotation__private_ReportDeviceUsage()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_SchedulerFavoredCoreRotation__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_SchedulerFavoredCoreRotation__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerQosPreemption__private_ReportDeviceUsage()
_Feature_SchedulerQosPreemption__private_ReportDeviceUsage@0 proc near
					; CODE XREF: KeInitializeVelocity()+31p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_SchedulerQosPreemption__private_featureState
		test	al, 10h
		jnz	short locret_591B12
		push	0
		push	eax
		call	_Feature_SchedulerQosPreemption__private_ReportUsageFallback@12	; Feature_SchedulerQosPreemption__private_ReportUsageFallback(x,x,x)

locret_591B12:				; CODE XREF: Feature_SchedulerQosPreemption__private_ReportDeviceUsage()+Ej
		leave
		retn
_Feature_SchedulerQosPreemption__private_ReportDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SchedulerQosPreemption__private_ReportUsageFallback(x, x, x)
_Feature_SchedulerQosPreemption__private_ReportUsageFallback@12	proc near
					; CODE XREF: Feature_SchedulerQosPreemption__private_ReportDeviceUsage()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_SchedulerQosPreemption__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_SchedulerQosPreemption__private_ReportUsageFallback@12	endp


;  S U B	R O U T	I N E 


; __stdcall KeDoesSystemHaveHeterogeneousCoreTypes()
_KeDoesSystemHaveHeterogeneousCoreTypes@0 proc near
					; CODE XREF: KiConfigureSchedulingInformation(x,x)+D4p
		mov	ecx, ds:dword_70E754
		xor	edx, edx
		and	ecx, 1000h
		mov	eax, edx
		or	eax, ecx
		jz	short loc_591B5F
		inc	edx

loc_591B5F:				; CODE XREF: KeDoesSystemHaveHeterogeneousCoreTypes()+12j
		mov	eax, edx
		retn
_KeDoesSystemHaveHeterogeneousCoreTypes@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiDetectTsx()
_KiDetectTsx@0	proc near		; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+1DAp
					; INIT:loc_ABFDF5p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		cpuid
		mov	esi, ebx
		lea	edi, [ebp+var_14]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		push	7
		mov	[edi+8], ecx
		pop	eax
		mov	[edi+0Ch], edx
		cmp	[ebp+var_14], eax
		jb	short loc_591BC9
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	[ebp+var_10], 800h
		jnz	short loc_591BC4
		test	byte ptr [ebp+var_10], 10h
		jz	short loc_591BC9

loc_591BC4:				; CODE XREF: KiDetectTsx()+5Aj
		xor	eax, eax
		inc	eax
		jmp	short loc_591BCB
; 

loc_591BC9:				; CODE XREF: KiDetectTsx()+3Dj
					; KiDetectTsx()+60j
		xor	eax, eax

loc_591BCB:				; CODE XREF: KiDetectTsx()+65j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KiDetectTsx@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeEstimateClockTickDuration(x, x, x, x, x, x, x, x)
_KeEstimateClockTickDuration@32	proc near
					; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+96p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:_KiClockState
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		cmp	byte ptr [ecx+3D0h], 0
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, dword_6CABA4
		push	edi
		mov	edi, _KiClockTimerNextTickTime
		mov	[ebp+var_4], 2
		jz	short loc_591C63
		test	dl, dl
		jz	short loc_591C8E
		cmp	byte ptr ds:_KiDynamicTickDisableReason, 0
		jnz	short loc_591C22
		test	eax, eax
		jz	short loc_591C24

loc_591C22:				; CODE XREF: KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+42j
		xor	dl, dl

loc_591C24:				; CODE XREF: KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+46j
		test	dl, dl
		jz	short loc_591C8E
		lea	eax, [ebp+var_4]
		mov	dl, 1
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ebx
		push	[ebp+arg_8]
		call	_KiGetNextTimerExpirationDueTime@32 ; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)
		mov	ecx, _KiLastRequestedTimeIncrement
		xor	eax, eax
		add	ecx, [ebp+arg_8]
		adc	eax, ebx
		cmp	eax, [ebp+var_C]
		ja	short loc_591C5A
		jb	short loc_591C88
		cmp	ecx, [ebp+var_10]
		jb	short loc_591C88

loc_591C5A:				; CODE XREF: KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+77j
		mov	[ebp+var_4], 2
		jmp	short loc_591C8E
; 

loc_591C63:				; CODE XREF: KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+35j
		lea	eax, [ebp+var_4]
		xor	dl, dl
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ebx
		push	[ebp+arg_8]
		call	_KiGetNextTimerExpirationDueTime@32 ; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)
		cmp	esi, [ebp+var_C]
		ja	short loc_591C8E
		jb	short loc_591C88
		cmp	edi, [ebp+var_10]
		ja	short loc_591C8E

loc_591C88:				; CODE XREF: KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+79j
					; KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+7Ej ...
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_10]

loc_591C8E:				; CODE XREF: KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+39j
					; KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+4Cj ...
		mov	eax, edi
		or	ecx, 0FFFFFFFFh
		and	eax, esi
		cmp	eax, ecx
		jnz	short loc_591C9D
		mov	esi, ecx
		jmp	short loc_591CB5
; 

loc_591C9D:				; CODE XREF: KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+BDj
		cmp	esi, ebx
		jb	short loc_591CB1
		ja	short loc_591CA8
		cmp	edi, [ebp+arg_8]
		jbe	short loc_591CB1

loc_591CA8:				; CODE XREF: KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+C7j
		mov	ecx, edi
		sub	ecx, [ebp+arg_8]
		sbb	esi, ebx
		jmp	short loc_591CB5
; 

loc_591CB1:				; CODE XREF: KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+C5j
					; KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+CCj
		xor	ecx, ecx
		xor	esi, esi

loc_591CB5:				; CODE XREF: KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+C1j
					; KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+D5j
		mov	eax, [ebp+arg_10]
		pop	edi
		mov	[eax], ecx
		mov	ecx, [ebp+arg_14]
		mov	[eax+4], esi
		mov	eax, [ebp+var_4]
		pop	esi
		mov	[ecx], eax
		pop	ebx
		leave
		retn	18h
_KeEstimateClockTickDuration@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KePrepareClockTimerForIdle(x, x, x,	x, x)
_KePrepareClockTimerForIdle@20 proc near
					; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+876p

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1E		= word ptr -1Eh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, large fs:20h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_5C], ecx
		xor	edx, edx
		mov	[ebp+var_78], eax
		push	edi
		mov	edi, edx
		mov	[ebp+var_84], edx
		mov	[ebp+var_80], edx
		mov	[ebp+var_6C], edx
		mov	[ebp+var_74], edx
		mov	[ebp+var_70], edx
		cmp	ds:_KiDynamicTickInitialized, dl
		jz	loc_591EFD
		nop
		cmp	byte ptr ds:_KiDynamicTickDisableReason, dl
		jnz	loc_591EFD
		mov	ecx, [ebp+arg_4]
		mov	ebx, [ebp+arg_0]
		mov	eax, _KiLastRequestedTimeIncrement
		mov	[ebp+var_60], ecx
		mov	[ebp+var_64], ebx
		cmp	ecx, edx
		ja	short loc_591D44
		jb	short loc_591D3C
		cmp	ebx, eax
		ja	short loc_591D44

loc_591D3C:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+6Aj
		push	2
		pop	edi
		jmp	loc_591EC3
; 

loc_591D44:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+68j
					; KePrepareClockTimerForIdle(x,x,x,x,x)+6Ej
		mov	eax, ds:dword_70505C
		cmp	ecx, eax
		jb	short loc_591D69
		ja	short loc_591D57
		cmp	ebx, ds:_KiMaxDynamicTickDuration
		jbe	short loc_591D69

loc_591D57:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+81j
		mov	ecx, ds:_KiMaxDynamicTickDuration
		inc	dword_6CAB4C
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], eax

loc_591D69:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+7Fj
					; KePrepareClockTimerForIdle(x,x,x,x,x)+89j
		push	3
		pop	eax
		mov	ebx, offset _KiClockState
		xchg	eax, [ebx]
		mov	[ebp+var_68], eax
		call	PoAllProcessorsDeepIdle
		test	al, al
		jnz	short loc_591D87
		xor	edi, edi
		inc	edi
		jmp	loc_591EB3
; 

loc_591D87:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+B1j
		mov	ebx, [ebp+var_5C]
		test	bl, bl
		jnz	short loc_591D9E
		call	_KeIsForceIdleEngaged@0	; KeIsForceIdleEngaged()
		test	al, al
		jz	short loc_591D9E
		push	6
		jmp	loc_591EAD
; 

loc_591D9E:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+C0j
					; KePrepareClockTimerForIdle(x,x,x,x,x)+C9j
		call	KeQueryInterruptTime
		mov	ecx, edx
		mov	[ebp+var_48], eax
		lea	edx, [ebp+var_6C]
		mov	[ebp+var_50], ecx
		push	edx
		lea	edx, [ebp+var_84]
		push	edx
		push	esi
		push	ebx
		push	ecx
		mov	ecx, [ebp+var_78]
		mov	dl, 1
		push	eax
		call	_KiGetNextTimerExpirationDueTime@32 ; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)
		cmp	[ebp+arg_8], 0
		mov	ebx, [ebp+var_80]
		mov	esi, [ebp+var_84]
		jnz	loc_591F0E
		mov	ecx, _KiLastRequestedTimeIncrement
		xor	eax, eax
		add	ecx, [ebp+var_48]
		adc	eax, [ebp+var_50]
		cmp	ebx, eax
		ja	short loc_591DF6
		jb	short loc_591DEF
		cmp	esi, ecx
		ja	short loc_591DF6

loc_591DEF:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+11Dj
		push	2
		jmp	loc_591EAD
; 

loc_591DF6:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+11Bj
					; KePrepareClockTimerForIdle(x,x,x,x,x)+121j
		cmp	byte ptr [ebp+var_5C], 0
		jnz	loc_591E82
		cmp	ds:_KiClockTimerHighLatency, 0
		jz	short loc_591E82
		mov	edx, _KiClockTimerOneShotStartTime
		mov	eax, edx
		mov	ecx, dword_6CAB2C
		or	eax, ecx
		mov	[ebp+var_6C], ecx
		jz	short loc_591E4E
		mov	ecx, _KiClockTimerOneShotEndTime
		mov	eax, dword_6CAB24
		sub	ecx, edx
		sbb	eax, [ebp+var_6C]
		test	eax, eax
		ja	short loc_591E42
		jb	short loc_591E3C
		cmp	ecx, 2710h
		jnb	short loc_591E42

loc_591E3C:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+166j
		inc	_KiDynamicTickCancellations

loc_591E42:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+164j
					; KePrepareClockTimerForIdle(x,x,x,x,x)+16Ej
		and	_KiClockTimerOneShotStartTime, edi
		and	dword_6CAB2C, edi

loc_591E4E:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+150j
		mov	ecx, [ebp+var_48]
		sub	ecx, _KiClockTimerOneShotEndTime
		mov	edx, [ebp+var_50]
		sbb	edx, dword_6CAB24
		mov	eax, ds:_KeMaximumIncrement
		test	edx, edx
		ja	short loc_591E7C
		jb	short loc_591E6F
		cmp	ecx, eax
		jnb	short loc_591E7C

loc_591E6F:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+19Dj
		cmp	_KiDynamicTickCancellations, 3
		jbe	short loc_591E82
		push	3
		jmp	short loc_591EAD
; 

loc_591E7C:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+19Bj
					; KePrepareClockTimerForIdle(x,x,x,x,x)+1A1j
		and	_KiDynamicTickCancellations, edi

loc_591E82:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+12Ej
					; KePrepareClockTimerForIdle(x,x,x,x,x)+13Bj ...
		lea	ecx, [ebp+var_54]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	ecx, _KiLastRequestedTimeIncrement
		mov	[ebp+var_50], ecx
		xor	ecx, ecx
		add	[ebp+var_50], eax
		mov	[ebp+var_58], eax
		adc	ecx, edx
		mov	[ebp+var_48], edx
		cmp	ebx, ecx
		ja	short loc_591F20
		jb	short loc_591EAB
		cmp	esi, [ebp+var_50]
		ja	short loc_591F20

loc_591EAB:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+1D8j
					; KePrepareClockTimerForIdle(x,x,x,x,x)+268j ...
		push	4

loc_591EAD:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+CDj
					; KePrepareClockTimerForIdle(x,x,x,x,x)+125j ...
		pop	edi

loc_591EAE:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+3DBj
		mov	ebx, offset _KiClockState

loc_591EB3:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+B6j
		mov	eax, [ebp+var_68]
		cmp	eax, 4
		jz	short loc_591EBD
		xchg	eax, [ebx]

loc_591EBD:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+1EDj
		test	edi, edi
		jz	short loc_591EFD
		xor	edx, edx

loc_591EC3:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+73j
		test	ds:dword_70EFC8, 100000h
		mov	[ebp+var_60], edi
		jz	short loc_591EFD
		lea	eax, [ebp+var_60]
		mov	[ebp+var_40], edx
		mov	[ebp+var_44], eax
		lea	ecx, [ebp+var_44]
		push	602h
		xor	eax, eax
		mov	[ebp+var_38], edx
		inc	eax
		push	0F59h
		push	40100000h
		mov	edx, eax
		mov	[ebp+var_3C], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_591EFD:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+42j
					; KePrepareClockTimerForIdle(x,x,x,x,x)+4Fj ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_591F0E:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+105j
		lea	ecx, [ebp+var_54]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	ecx, eax
		mov	[ebp+var_48], edx
		mov	[ebp+var_58], ecx
		jmp	short loc_591F23
; 

loc_591F20:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+1D6j
					; KePrepareClockTimerForIdle(x,x,x,x,x)+1DDj
		mov	ecx, [ebp+var_58]

loc_591F23:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+252j
		mov	eax, ds:_KiMinDynamicTickDuration
		mov	[ebp+var_50], eax
		xor	eax, eax
		add	[ebp+var_50], ecx
		adc	eax, edx
		cmp	ebx, eax
		jb	loc_591EAB
		ja	short loc_591F45
		cmp	esi, [ebp+var_50]
		jbe	loc_591EAB

loc_591F45:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+26Ej
		sub	esi, ecx
		mov	ecx, [ebp+var_60]
		sbb	ebx, edx
		cmp	ebx, ecx
		jb	short loc_591F5D
		mov	eax, [ebp+var_64]
		ja	short loc_591F59
		cmp	esi, eax
		jbe	short loc_591F5D

loc_591F59:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+287j
		mov	esi, eax
		mov	ebx, ecx

loc_591F5D:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+282j
					; KePrepareClockTimerForIdle(x,x,x,x,x)+28Bj
		cmp	[ebp+arg_8], 0
		jz	short loc_591F7C
		cmp	byte ptr [ebp+var_5C], 0
		jnz	short loc_591F7C
		mov	eax, ds:_KiClockLatencyMaxDynamicTickDuration
		test	ebx, ebx
		jb	short loc_591F7C
		ja	short loc_591F78
		cmp	esi, eax
		jbe	short loc_591F7C

loc_591F78:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+2A6j
		mov	esi, eax
		xor	ebx, ebx

loc_591F7C:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+295j
					; KePrepareClockTimerForIdle(x,x,x,x,x)+29Bj ...
		lea	eax, [ebp+var_74]
		push	eax
		push	ebx
		push	esi
		push	1
		call	off_6B1390	; ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
		mov	cl, 1
		call	KiSetPendingTick
		test	ds:dword_70EFC8, 100000h
		mov	ecx, [ebp+var_58]
		mov	edx, [ebp+var_48]
		mov	_KiClockTimerOneShotStartTime, ecx
		mov	dword_6CAB2C, edx
		jz	short loc_592009
		xor	eax, eax
		mov	byte ptr [ebp+var_24], 1
		mov	[ebp+var_1E], ax
		xor	ecx, ecx
		mov	eax, [ebp+var_68]
		xor	edx, edx
		mov	byte ptr [ebp+var_24+1], al
		inc	edx
		mov	eax, [ebp+var_74]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_70]
		push	602h
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_24]
		push	0F57h
		mov	[ebp+var_24+2],	ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		lea	ecx, [ebp+var_34]
		push	40100000h
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_34], eax
		mov	[ebp+var_2C], 18h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_58]
		mov	edx, [ebp+var_48]

loc_592009:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+2E1j
		cmp	[ebp+arg_8], 0
		jz	short loc_592016
		mov	_KiClockLatencyMeasurementEnabled, 1

loc_592016:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+341j
		call	_KeIsForceIdleEngaged@0	; KeIsForceIdleEngaged()
		test	al, al
		jz	short loc_592026
		mov	_KiForceIdleReset, 1

loc_592026:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+351j
		mov	eax, [ebp+var_78]
		mov	byte ptr [eax+3D0h], 0
		xor	eax, eax
		inc	eax
		add	dword_6CAB50, eax
		mov	[ebp+var_68], eax
		adc	dword_6CAB54, edi
		cmp	ebx, dword_6CAB8C
		ja	short loc_592060
		jb	short loc_592054
		cmp	esi, dword_6CAB88
		jnb	short loc_592060

loc_592054:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+37Ej
		mov	dword_6CAB88, esi
		mov	dword_6CAB8C, ebx

loc_592060:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+37Cj
					; KePrepareClockTimerForIdle(x,x,x,x,x)+386j
		cmp	ebx, dword_6CAB84
		jb	short loc_59207E
		ja	short loc_592072
		cmp	esi, dword_6CAB80
		jbe	short loc_59207E

loc_592072:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+39Cj
		mov	dword_6CAB80, esi
		mov	dword_6CAB84, ebx

loc_59207E:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+39Aj
					; KePrepareClockTimerForIdle(x,x,x,x,x)+3A4j
		cmp	byte ptr [ebp+var_5C], 0
		jz	short loc_59208B
		mov	_KiConsiderTimerRebasing, 1

loc_59208B:				; CODE XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+3B6j
		mov	eax, _KiHrTimerActiveCount
		mov	eax, ds:_KeNumberProcessors
		add	ecx, [ebp+var_74]
		mov	_KiClockTimerNextTickTime, ecx
		adc	edx, [ebp+var_70]
		mov	dword_6CABA4, edx
		jmp	loc_591EAE
_KePrepareClockTimerForIdle@20 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1154. KeGetEffectiveIrql

;  S U B	R O U T	I N E 


; __stdcall KeGetEffectiveIrql()
		public _KeGetEffectiveIrql@0
_KeGetEffectiveIrql@0 proc near		; CODE XREF: RtlQueryFeatureConfiguration(x,x,x,x)+1Cp
					; RtlRegisterFeatureConfigurationChangeNotification(x,x,x,x)+5p
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jnz	short loc_5920BD
		add	al, 1Fh
		retn
; 

loc_5920BD:				; CODE XREF: KeGetEffectiveIrql()+7j
		jmp	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
_KeGetEffectiveIrql@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KeIsExecutingInArbitraryThreadContext()
_KeIsExecutingInArbitraryThreadContext@0 proc near
					; CODE XREF: PsGetCurrentServerSiloGlobals()p
					; MiGetNextSession(x,x)+18p ...
		mov	cl, large fs:131h
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
_KeIsExecutingInArbitraryThreadContext@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryCycleTimeThread(x)
_KeQueryCycleTimeThread@4 proc near	; CODE XREF: PAGE:00780950p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		jmp	short loc_5920DE
; 

loc_5920DC:				; CODE XREF: KeQueryCycleTimeThread(x)+14j
		pause

loc_5920DE:				; CODE XREF: KeQueryCycleTimeThread(x)+7j
		mov	edx, [ecx+34h]
		mov	eax, [ecx+30h]
		cmp	edx, [ecx+38h]
		jnz	short loc_5920DC
		leave
		retn
_KeQueryCycleTimeThread@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGetNextTimerExpirationDueTime(x, x, x, x,	x, x, x, x)
_KiGetNextTimerExpirationDueTime@32 proc near
					; CODE XREF: KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+62p
					; KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)+9Dp ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_1], dl
		xor	ecx, ecx
		mov	[ebp+var_1C], eax
		push	esi
		push	edi
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_2], cl
		mov	ebx, ecx
		mov	[ebp+var_38], ecx
		mov	esi, ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], edi
		cmp	[eax+8], ecx
		jz	short loc_59212A
		xor	edx, edx
		inc	edx
		jmp	loc_592425
; 

loc_59212A:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+34j
		cmp	[eax+3D0h], cl
		jnz	short loc_59214C
		cmp	ds:_KiSerializeTimerExpiration,	ecx
		jnz	short loc_59214C
		push	2
		pop	edx
		cmp	ds:_PoSkipTickMode, edx
		jz	loc_592425
		mov	dl, [ebp+var_1]

loc_59214C:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+44j
					; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+4Cj
		mov	esi, edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], esi
		mov	[ebp+var_8], 4
		cmp	[ebp+arg_8], cl
		jnz	short loc_592180
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, eax
		push	[ebp+arg_0]
		call	KiFindNextTimerDueTime
		mov	ebx, [ebp+var_28]
		mov	esi, eax
		mov	[ebp+var_14], eax
		mov	edi, edx
		mov	eax, [ebp+var_24]
		mov	[ebp+var_18], edx
		jmp	short loc_59218F
; 

loc_592180:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+72j
		call	_ExGetNextWakeTimeForDeepSleep@0 ; ExGetNextWakeTimeForDeepSleep()
		mov	ebx, eax
		mov	eax, edx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], eax

loc_59218F:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+92j
		cmp	ds:_KiGroupSchedulingEnabled, 0
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ebx
		jz	short loc_5921AD
		cmp	[ebp+var_1], 0
		jz	short loc_5921F3
		cmp	dword_6B5A78, 0
		jnz	short loc_592207

loc_5921AD:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+B0j
					; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+119j ...
		mov	edx, [ebp+var_8]

loc_5921B0:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+15Ej
		mov	eax, [ebp+var_1C]
		cmp	byte ptr [eax+3D0h], 0
		jz	loc_592288
		mov	cl, [ebp+arg_8]
		lea	eax, [ebp+var_2]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		lea	edx, [ebp+var_30]
		call	KiGetNextTimer2ExpirationDueTime
		cmp	[ebp+var_2C], edi
		ja	short loc_59224F
		jb	short loc_5921DF
		cmp	[ebp+var_30], esi
		jnb	short loc_59224F

loc_5921DF:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+ECj
		mov	esi, [ebp+var_30]
		mov	edi, [ebp+var_2C]
		push	6
		pop	edx
		mov	[ebp+var_14], esi
		mov	[ebp+var_18], edi
		mov	[ebp+var_8], edx
		jmp	short loc_592252
; 

loc_5921F3:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+B6j
		mov	ecx, [ebp+var_1C]
		mov	eax, dword_6B5A78
		mov	ecx, [ecx+3CCh]
		shr	eax, cl
		test	al, 1
		jz	short loc_5921AD

loc_592207:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+BFj
		mov	eax, dword_6CB3E4
		mul	ds:_KeMaximumIncrement
		mov	[ebp+var_20], eax
		mov	eax, _KiGenerationEndTick
		mul	ds:_KeMaximumIncrement
		mov	ecx, [ebp+var_20]
		add	ecx, edx
		cmp	ecx, [ebp+var_C]
		ja	short loc_5921AD
		jb	short loc_592234
		cmp	eax, ebx
		jnb	loc_5921AD

loc_592234:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+13Ej
		mov	ebx, eax
		mov	eax, ecx
		push	5
		pop	edx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_C], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_8], edx
		jmp	loc_5921B0
; 

loc_59224F:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+EAj
					; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+F1j
		mov	edx, [ebp+var_8]

loc_592252:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+105j
		mov	eax, [ebp+var_34]
		cmp	eax, [ebp+var_C]
		ja	short loc_592288
		jb	short loc_592261
		cmp	[ebp+var_38], ebx
		jnb	short loc_592288

loc_592261:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+16Ej
		mov	ebx, [ebp+var_38]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_C], eax
		mov	[ebp+var_24], eax
		cmp	eax, edi
		ja	short loc_592288
		jb	short loc_59227A
		cmp	ebx, esi
		jnb	short loc_592288

loc_59227A:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+188j
		xor	edx, edx
		cmp	[ebp+var_2], dl
		setnz	dl
		add	edx, 6
		mov	[ebp+var_8], edx

loc_592288:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+CEj
					; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+16Cj ...
		test	ds:_KiVelocityFlags, 2000h
		jz	loc_59235F
		xor	eax, eax
		xor	edx, edx
		mov	esi, offset _KiLastNonHrTimerExpiration
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [esi]
		mov	edi, ds:_KeNonHrTimeIncrement
		xor	esi, esi
		mov	ecx, ds:_KeMinimumIncrement
		mov	ebx, eax
		mov	eax, ds:_KePseudoHrTimeIncrement
		dec	ecx
		sub	edi, ecx
		mov	dword ptr [ebp+arg_8], eax
		mov	ecx, ds:_KeNonHrTimeIncrement
		sbb	esi, esi
		add	ebx, edi
		adc	edx, esi
		cmp	eax, ecx
		jnb	short loc_592354
		mov	esi, [ebp+var_24]
		mov	eax, [ebp+var_28]
		mov	[ebp+var_C], esi
		cmp	esi, edx
		ja	short loc_592338
		jb	short loc_5922E8
		cmp	eax, ebx
		jnb	short loc_592338

loc_5922E8:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+1F6j
		xor	edi, edi
		add	ecx, eax
		mov	[ebp+var_24], ecx
		mov	ecx, dword ptr [ebp+arg_8]
		adc	edi, esi
		mov	eax, ecx
		mov	[ebp+var_10], edi
		add	eax, [ebp+arg_0]
		push	0
		pop	esi
		adc	esi, [ebp+arg_4]
		mov	[ebp+var_C], esi
		cmp	esi, edx
		ja	short loc_592338
		jb	short loc_59230F
		cmp	eax, ebx
		jnb	short loc_592338

loc_59230F:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+21Dj
		mov	edi, edx

loc_592311:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+244j
					; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+24Aj
		add	ecx, eax
		push	0
		pop	edx
		adc	edx, esi
		cmp	edx, [ebp+var_10]
		ja	short loc_592338
		jb	short loc_592324
		cmp	ecx, [ebp+var_24]
		ja	short loc_592338

loc_592324:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+231j
		mov	esi, edx
		mov	eax, ecx
		mov	ecx, dword ptr [ebp+arg_8]
		mov	[ebp+var_C], esi
		cmp	esi, edi
		jb	short loc_592311
		ja	short loc_592338
		cmp	eax, ebx
		jb	short loc_592311

loc_592338:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+1F4j
					; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+1FAj ...
		mov	edx, [ebp+var_8]

loc_59233B:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+276j
		mov	esi, [ebp+var_18]
		mov	ecx, [ebp+var_C]
		cmp	esi, ecx
		jb	short loc_592364
		ja	short loc_59234E
		mov	ebx, [ebp+var_14]
		cmp	ebx, eax
		jb	short loc_592367

loc_59234E:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+259j
		mov	ebx, eax
		mov	esi, ecx
		jmp	short loc_592367
; 

loc_592354:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+1E7j
		mov	eax, [ebp+var_24]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_28]
		jmp	short loc_592338
; 

loc_59235F:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+1A6j
		mov	eax, [ebp+var_10]
		jmp	short loc_59233B
; 

loc_592364:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+257j
		mov	ebx, [ebp+var_14]

loc_592367:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+260j
					; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+266j
		cmp	[ebp+var_1], 0
		jz	short loc_5923E0
		mov	ecx, _KiClockOwnerOneShotRequest
		mov	eax, ecx
		mov	edi, dword_6CADF4
		or	eax, edi
		jz	short loc_592393
		cmp	edi, esi
		ja	short loc_592393
		jb	short loc_592389
		cmp	ecx, ebx
		jnb	short loc_592393

loc_592389:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+297j
		push	6
		pop	edx
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		mov	esi, edi

loc_592393:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+291j
					; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+295j ...
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_5923E0
		cmp	_KdDebuggerEnabled, 0
		jz	short loc_5923E0
		cmp	[ebp+arg_4], esi
		ja	short loc_5923E0
		jb	short loc_5923B1
		cmp	[ebp+arg_0], ebx
		jnb	short loc_5923E0

loc_5923B1:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+2BEj
		imul	edi, ds:_KiDebugPollInterval, 2710h
		mov	ecx, ebx
		sub	ecx, [ebp+arg_0]
		mov	eax, esi
		sbb	eax, [ebp+arg_4]
		test	eax, eax
		jb	short loc_5923E0
		ja	short loc_5923CF
		cmp	ecx, edi
		jbe	short loc_5923E0

loc_5923CF:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+2DDj
		push	0
		pop	esi
		mov	ebx, edi
		add	ebx, [ebp+arg_0]
		push	8
		adc	esi, [ebp+arg_4]
		pop	edx
		mov	[ebp+var_8], edx

loc_5923E0:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+27Fj
					; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+2AEj ...
		mov	eax, [ebp+var_1C]
		cmp	byte ptr [eax+3D0h], 0
		jz	short loc_592425
		push	[ebp+arg_C]
		call	off_6B13FC	; xHalTimerWatchdogQueryDueTime(x)
		mov	ecx, eax
		or	ecx, edx
		jz	short loc_592422
		cmp	esi, edx
		jb	short loc_592422
		ja	short loc_592405
		cmp	ebx, eax
		jbe	short loc_592422

loc_592405:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+313j
		cmp	[ebp+arg_4], edx
		jb	short loc_592419
		ja	short loc_592411
		cmp	[ebp+arg_0], eax
		jbe	short loc_592419

loc_592411:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+31Ej
		mov	ebx, [ebp+arg_0]
		mov	esi, [ebp+arg_4]
		jmp	short loc_59241D
; 

loc_592419:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+31Cj
					; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+323j
		mov	ebx, eax
		mov	esi, edx

loc_59241D:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+32Bj
		push	9
		pop	edx
		jmp	short loc_592425
; 

loc_592422:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+30Dj
					; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+311j ...
		mov	edx, [ebp+var_8]

loc_592425:				; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+39j
					; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+57j	...
		mov	eax, [ebp+arg_10]
		pop	edi
		mov	[eax], ebx
		mov	[eax+4], esi
		mov	eax, [ebp+arg_14]
		pop	esi
		pop	ebx
		mov	[eax], edx
		leave
		retn	18h
_KiGetNextTimerExpirationDueTime@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiAccumulateProcessorCycleStats(x,	x, x)
@KiAccumulateProcessorCycleStats@12 proc near ;	CODE XREF: KiEndDebugAccumulation(x)+63p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_PoGetFrequencyBucket@4	; PoGetFrequencyBucket(x)
		movzx	edx, byte ptr [esi+3ED0h]
		lea	eax, ds:773h[eax*2]
		add	eax, edx
		lea	eax, [esi+eax*8]
		mov	ecx, [eax]
		add	ecx, [ebp+arg_0]
		mov	edx, [eax+4]
		adc	edx, [ebp+arg_4]
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		mov	[ebp+arg_4], edx

loc_592472:				; CODE XREF: KiAccumulateProcessorCycleStats(x,x,x)+5Dj
					; KiAccumulateProcessorCycleStats(x,x,x)+61j
		mov	esi, [eax]
		mov	edi, [eax+4]
		mov	eax, esi
		mov	[ebp+var_C], edi
		mov	edx, edi
		nop
		mov	edi, [ebp+var_4]
		mov	ebx, ecx
		mov	ecx, [ebp+arg_4]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_C]
		cmp	eax, esi
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		jnz	short loc_592472
		cmp	edx, edi
		jnz	short loc_592472
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
@KiAccumulateProcessorCycleStats@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAcquireThreadLock(x)
_KiAcquireThreadLock@4 proc near	; CODE XREF: KeWaitForMultipleObjects+128EE0p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		lea	esi, [ecx+2Ch]

loc_5924B1:				; CODE XREF: KiAcquireThreadLock(x)+23j
		lock bts dword ptr [esi], 0
		jnb	short loc_5924C8

loc_5924B8:				; CODE XREF: KiAcquireThreadLock(x)+21j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5924B8
		jmp	short loc_5924B1
; 

loc_5924C8:				; CODE XREF: KiAcquireThreadLock(x)+13j
		pop	esi
		leave
		retn
_KiAcquireThreadLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryCurrentStackInformation(x, x, x)
_KeQueryCurrentStackInformation@12 proc	near
					; CODE XREF: VfUtilCaptureViolationKernelStack(x,x)+47p
					; ViDeadlockAnalyze(x,x,x,x,x)+61p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_0]
		mov	esi, ecx
		push	edx
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		mov	edx, esi
		mov	ecx, eax
		call	KeQueryCurrentStackInformationEx
		pop	esi
		pop	ebp
		retn	4
_KeQueryCurrentStackInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiFreezeTargetExecution(x, x)
_KiFreezeTargetExecution@8 proc	near	; CODE XREF: ExTryConvertPushLockSharedToExclusiveEx+9A893j
					; KiCallInterruptServiceRoutine+ED25Dp	...

var_72		= byte ptr -72h
var_71		= byte ptr -71h
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5A		= byte ptr -5Ah
var_58		= dword	ptr -58h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	50h		; size_t
		lea	eax, [esp+6Ch+var_58]
		mov	ebx, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		cmp	ds:_KiFreezeExecutionLock, 0
		jnz	short loc_592539
		cmp	ds:_KiFreezeLockBackup,	0
		jnz	short loc_592539
		mov	eax, _KiBugCheckActive
		test	al, 3
		jnz	short loc_592539
		int	3		; Trap to Debugger
		jmp	loc_5926C5
; 

loc_592539:				; CODE XREF: KiFreezeTargetExecution(x,x)+35j
					; KiFreezeTargetExecution(x,x)+3Ej ...
		cmp	_ViVerifierEnabled, 0
		jz	short loc_592547
		call	_VfStopBranchTracing@0 ; VfStopBranchTracing()

loc_592547:				; CODE XREF: KiFreezeTargetExecution(x,x)+56j
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	cl, 1Fh
		mov	[esp+0Fh], al
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	esi, large fs:20h
		mov	ecx, ds:0FFDF05F0h
		push	dword ptr ds:0FFDF05F4h
		or	ecx, 100h
		mov	[esp+6Ch+var_5A], al
		push	ecx
		mov	ecx, [esi+47B8h]
		call	_KeSaveSupervisorState@12 ; KeSaveSupervisorState(x,x,x)
		cmp	byte ptr [esi+11h], 0
		jnz	short loc_59259C
		cmp	_PoAllProcIntrDisabled,	0
		jnz	short loc_59259C
		mov	edx, [esi+4]
		mov	ecx, esi
		push	0
		call	_KiUpdateTotalCyclesCurrentThread@12 ; KiUpdateTotalCyclesCurrentThread(x,x,x)

loc_59259C:				; CODE XREF: KiFreezeTargetExecution(x,x)+9Bj
					; KiFreezeTargetExecution(x,x)+A4j
		push	0
		push	1
		mov	dword ptr [esi+2174h], 2
		call	off_6B12E4	; RtlEndStrongEnumerationHashTable(x,x)
		test	edi, edi
		jz	short loc_5925BD
		push	ebx
		push	edi
		call	_KiSaveProcessorState@8	; KiSaveProcessorState(x,x)
		jmp	short loc_5925DE
; 

loc_5925BD:				; CODE XREF: KiFreezeTargetExecution(x,x)+C8j
		push	dword ptr [esi+4168h]
		call	_RtlCaptureContext@4 ; RtlCaptureContext(x)
		lea	eax, [esi+18h]
		push	eax
		call	_KiSaveProcessorControlState@4 ; KiSaveProcessorControlState(x)
		mov	eax, [esi+4168h]
		add	dword ptr [eax+0C4h], 8

loc_5925DE:				; CODE XREF: KiFreezeTargetExecution(x,x)+D1j
		xor	ebx, ebx
		push	ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		jmp	short loc_59264F
; 

loc_5925E9:				; CODE XREF: KiFreezeTargetExecution(x,x)+16Fj
		mov	eax, _KiDebuggerOwner
		cmp	esi, eax
		setz	al
		test	al, al
		jz	short loc_592646
		push	50h		; size_t
		lea	eax, [esp+7Ch+var_68]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	[esp+84h+var_68], 80000007h
		lea	eax, [esp+84h+var_68]
		mov	[esp+84h+var_60], eax
		lea	ecx, [esp+84h+var_68]
		mov	eax, [esi+4168h]
		add	esp, 0Ch
		mov	eax, [eax+0B8h]
		mov	[esp+1Ch], eax
		mov	edx, [esi+4168h]
		push	ebx
		call	_KdpReportExceptionStateChange@12 ; KdpReportExceptionStateChange(x,x,x)
		cmp	al, 3
		jz	short loc_592646
		mov	ecx, _KiFreezeOwner
		call	_KiSetDebuggerOwner@4 ;	KiSetDebuggerOwner(x)

loc_592646:				; CODE XREF: KiFreezeTargetExecution(x,x)+10Bj
					; KiFreezeTargetExecution(x,x)+14Fj
		mov	dl, 1
		mov	ecx, esi
		call	_KiCheckStall@8	; KiCheckStall(x,x)

loc_59264F:				; CODE XREF: KiFreezeTargetExecution(x,x)+FDj
		mov	eax, [esi+2174h]
		and	al, 0Fh
		cmp	al, 2
		jz	short loc_5925E9
		push	ebx
		push	ebx
		call	off_6B12E4	; RtlEndStrongEnumerationHashTable(x,x)
		test	edi, edi
		jz	short loc_592670
		mov	ecx, edi
		call	_KiRestoreProcessorState@8 ; KiRestoreProcessorState(x,x)
		jmp	short loc_592679
; 

loc_592670:				; CODE XREF: KiFreezeTargetExecution(x,x)+17Bj
		lea	eax, [esi+18h]
		push	eax
		call	_KiRestoreProcessorControlState@4 ; KiRestoreProcessorControlState(x)

loc_592679:				; CODE XREF: KiFreezeTargetExecution(x,x)+184j
		call	_KeFlushCurrentTb@0 ; KeFlushCurrentTb()
		mov	ecx, esi
		mov	[esi+2174h], ebx
		call	_KiEndDebugAccumulation@4 ; KiEndDebugAccumulation(x)
		mov	eax, ds:0FFDF05F0h
		push	dword ptr ds:0FFDF05F4h
		mov	ecx, [esi+47B8h]
		or	eax, 100h
		push	eax
		call	_KeRestoreSupervisorState@12 ; KeRestoreSupervisorState(x,x,x)
		mov	cl, [esp+80h+var_72]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[esp+80h+var_71], bl
		jz	short loc_5926B8
		sti

loc_5926B8:				; CODE XREF: KiFreezeTargetExecution(x,x)+1CBj
		cmp	_ViVerifierEnabled, ebx
		jz	short loc_5926C5
		call	_VfStartBranchTracing@0	; VfStartBranchTracing()

loc_5926C5:				; CODE XREF: KiFreezeTargetExecution(x,x)+4Aj
					; KiFreezeTargetExecution(x,x)+1D4j
		mov	ecx, [esp+80h+var_1C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_KiFreezeTargetExecution@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIsBranchConfusionMitigationDesired(x, x)
_KiIsBranchConfusionMitigationDesired@8	proc near
					; CODE XREF: KeOptimizeSpecCtrlSettings(x)+AD3p
					; KiIsKvaShadowNeededForBranchConfusion(x)+36p	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		test	byte ptr _KiFeatureSettings, 5
		jnz	short loc_592713
		cmp	byte ptr [ecx+3BEh], 2
		jnz	short loc_592707
		mov	ecx, [edx]
		mov	eax, [edx+4]
		and	ecx, 10h
		or	ecx, 0
		jnz	short loc_592707
		test	byte ptr _KiFeatureSettings, 40h
		jz	short loc_592713

loc_592707:				; CODE XREF: KiIsBranchConfusionMitigationDesired(x,x)+17j
					; KiIsBranchConfusionMitigationDesired(x,x)+24j
		movzx	eax, byte ptr _KiFeatureSettings+3
		and	eax, 1
		leave
		retn
; 

loc_592713:				; CODE XREF: KiIsBranchConfusionMitigationDesired(x,x)+Ej
					; KiIsBranchConfusionMitigationDesired(x,x)+2Dj
		xor	eax, eax
		leave
		retn
_KiIsBranchConfusionMitigationDesired@8	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiIsBranchConfusionMitigationEnabled(x)
_KiIsBranchConfusionMitigationEnabled@4	proc near
					; CODE XREF: KiUpdateSpeculationControl(x)+220p
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		xor	ecx, ecx
		push	esi
		mov	esi, 8000h
		and	edx, 3000h
		and	eax, esi
		cmp	eax, esi
		jnz	short loc_592736
		cmp	edx, ecx
		jnz	short loc_592736
		inc	ecx

loc_592736:				; CODE XREF: KiIsBranchConfusionMitigationEnabled(x)+17j
					; KiIsBranchConfusionMitigationEnabled(x)+1Bj
		mov	eax, ecx
		pop	esi
		retn
_KiIsBranchConfusionMitigationEnabled@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIsBranchConfusionMitigationSupported(x, x)
_KiIsBranchConfusionMitigationSupported@8 proc near
					; CODE XREF: KeOptimizeSpecCtrlSettings(x)+B0Dp
					; KiIsKvaShadowNeededForBranchConfusion(x)+41p	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, [edx]
		mov	eax, [edx+4]
		and	esi, 4
		or	esi, 0
		jz	short loc_59275C
		call	_KiIsHyperVCr3RspErrataPresent@4 ; KiIsHyperVCr3RspErrataPresent(x)
		test	eax, eax
		jnz	short loc_59275C
		inc	eax
		jmp	short loc_59275E
; 

loc_59275C:				; CODE XREF: KiIsBranchConfusionMitigationSupported(x,x)+14j
					; KiIsBranchConfusionMitigationSupported(x,x)+1Dj
		xor	eax, eax

loc_59275E:				; CODE XREF: KiIsBranchConfusionMitigationSupported(x,x)+20j
		pop	esi
		leave
		retn
_KiIsBranchConfusionMitigationSupported@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiIsBranchConfusionPresent(x)
_KiIsBranchConfusionPresent@4 proc near	; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+32Ep
					; KeOptimizeSpecCtrlSettings(x)+A95p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+3BEh], 2
		jnz	short loc_592793
		mov	eax, ds:_KeFeatureBits2
		and	eax, 1000000h
		or	eax, 0
		jnz	short loc_592793
		call	HviIsAnyHypervisorPresent
		test	al, al
		jnz	short loc_59278E
		cmp	byte ptr [esi+14h], 19h
		jz	short loc_592793

loc_59278E:				; CODE XREF: KiIsBranchConfusionPresent(x)+24j
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_592793:				; CODE XREF: KiIsBranchConfusionPresent(x)+Cj
					; KiIsBranchConfusionPresent(x)+1Bj ...
		xor	eax, eax
		pop	esi
		retn
_KiIsBranchConfusionPresent@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIsKvaShadowNeededForBranchConfusion(x)
_KiIsKvaShadowNeededForBranchConfusion@4 proc near ; CODE XREF:	PAGELK:007263A7p

var_18		= dword	ptr -18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [ebp+var_18]
		pop	ecx
		xor	eax, eax
		lea	edx, [ebp+var_18]
		rep stosd
		xor	edi, edi
		mov	ecx, esi
		push	edi
		push	edi
		push	edi
		call	_KiDetectHardwareSpecControlFeatures@20	; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)
		mov	eax, [ebp+var_18]
		and	eax, 8000h
		or	eax, edi
		jz	short loc_5927E7
		lea	edx, [ebp+var_18]
		mov	ecx, esi
		call	_KiIsBranchConfusionMitigationDesired@8	; KiIsBranchConfusionMitigationDesired(x,x)
		test	eax, eax
		jz	short loc_5927E7
		mov	ecx, esi
		call	_KiIsBranchConfusionMitigationSupported@8 ; KiIsBranchConfusionMitigationSupported(x,x)
		test	eax, eax
		jz	short loc_5927E7
		xor	eax, eax
		inc	eax
		jmp	short loc_5927E9
; 

loc_5927E7:				; CODE XREF: KiIsKvaShadowNeededForBranchConfusion(x)+2Fj
					; KiIsKvaShadowNeededForBranchConfusion(x)+3Dj	...
		xor	eax, eax

loc_5927E9:				; CODE XREF: KiIsKvaShadowNeededForBranchConfusion(x)+4Dj
		pop	edi
		pop	esi
		leave
		retn
_KiIsKvaShadowNeededForBranchConfusion@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIsKvaShadowNeededForTsa(x)
_KiIsKvaShadowNeededForTsa@4 proc near	; CODE XREF: PAGELK:007263B6p

var_18		= dword	ptr -18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [ebp+var_18]
		pop	ecx
		xor	eax, eax
		lea	edx, [ebp+var_18]
		rep stosd
		xor	edi, edi
		mov	ecx, esi
		push	edi
		push	edi
		push	edi
		call	_KiDetectHardwareSpecControlFeatures@20	; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)
		mov	eax, [ebp+var_18]
		and	eax, 2000000h
		or	eax, edi
		jz	short loc_592838
		call	_KiIsTsaMitigationDesired@4 ; KiIsTsaMitigationDesired(x)
		test	eax, eax
		jz	short loc_592838
		mov	ecx, esi
		call	_KiIsTsaMitigationSupported@4 ;	KiIsTsaMitigationSupported(x)
		test	eax, eax
		jz	short loc_592838
		xor	eax, eax
		inc	eax
		jmp	short loc_59283A
; 

loc_592838:				; CODE XREF: KiIsKvaShadowNeededForTsa(x)+2Fj
					; KiIsKvaShadowNeededForTsa(x)+38j ...
		xor	eax, eax

loc_59283A:				; CODE XREF: KiIsKvaShadowNeededForTsa(x)+48j
		pop	edi
		pop	esi
		leave
		retn
_KiIsKvaShadowNeededForTsa@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiIsRfdsMitigationDesired(x, x)
_KiIsRfdsMitigationDesired@8 proc near	; CODE XREF: KeOptimizeSpecCtrlSettings(x):loc_576135p
		mov	eax, _KiFeatureSettings
		shr	eax, 1Bh
		not	eax
		and	eax, 1
		retn
_KiIsRfdsMitigationDesired@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIsRfdsMitigationSupported(x, x)
_KiIsRfdsMitigationSupported@8 proc near ; CODE	XREF: KeOptimizeSpecCtrlSettings(x)+26Bp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [edx]
		mov	eax, [edx+4]
		and	ecx, 1000000h
		or	ecx, 0
		jnz	short loc_592867
		xor	eax, eax
		leave
		retn
; 

loc_592867:				; CODE XREF: KiIsRfdsMitigationSupported(x,x)+15j
		xor	eax, eax
		inc	eax
		leave
		retn
_KiIsRfdsMitigationSupported@8 endp


;  S U B	R O U T	I N E 


; __stdcall KiIsRfdsPresent(x)
_KiIsRfdsPresent@4 proc	near		; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+461p
		cmp	byte ptr [ecx+3BEh], 1
		jnz	short loc_592886
		mov	ecx, ds:dword_70E77C
		xor	eax, eax
		and	ecx, 8
		or	eax, ecx
		jnz	short loc_592886
		inc	eax
		retn
; 

loc_592886:				; CODE XREF: KiIsRfdsPresent(x)+7j
					; KiIsRfdsPresent(x)+16j
		xor	eax, eax
		retn
_KiIsRfdsPresent@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIsSrsoMitigationDesired(x, x)
_KiIsSrsoMitigationDesired@8 proc near	; CODE XREF: KeOptimizeSpecCtrlSettings(x)+C3Ap
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		test	byte ptr _KiFeatureSettings, 5
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		jnz	short loc_5928F6
		cmp	byte ptr [edi+3BEh], 2
		jnz	short loc_5928C1
		mov	esi, [ebx]
		mov	eax, [ebx+4]
		and	esi, 10h
		or	esi, 0
		jnz	short loc_5928C1
		test	byte ptr _KiFeatureSettings, 40h
		jz	short loc_5928F6

loc_5928C1:				; CODE XREF: KiIsSrsoMitigationDesired(x,x)+1Fj
					; KiIsSrsoMitigationDesired(x,x)+2Cj
		call	_KiIsBranchConfusionPresent@4 ;	KiIsBranchConfusionPresent(x)
		test	eax, eax
		jz	short loc_5928E9
		mov	edx, ebx
		mov	ecx, edi
		call	_KiIsBranchConfusionMitigationSupported@8 ; KiIsBranchConfusionMitigationSupported(x,x)
		test	eax, eax
		jz	short loc_5928E9
		mov	edx, ebx
		mov	ecx, edi
		call	_KiIsBranchConfusionMitigationDesired@8	; KiIsBranchConfusionMitigationDesired(x,x)
		test	eax, eax
		jz	short loc_5928E9
		xor	eax, eax
		inc	eax
		jmp	short loc_5928F8
; 

loc_5928E9:				; CODE XREF: KiIsSrsoMitigationDesired(x,x)+3Ej
					; KiIsSrsoMitigationDesired(x,x)+4Bj ...
		mov	eax, _KiFeatureSettings
		shr	eax, 1Ah
		and	eax, 1
		jmp	short loc_5928F8
; 

loc_5928F6:				; CODE XREF: KiIsSrsoMitigationDesired(x,x)+16j
					; KiIsSrsoMitigationDesired(x,x)+35j
		xor	eax, eax

loc_5928F8:				; CODE XREF: KiIsSrsoMitigationDesired(x,x)+5Dj
					; KiIsSrsoMitigationDesired(x,x)+6Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiIsSrsoMitigationDesired@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiIsSrsoMitigationEnabled(x)
_KiIsSrsoMitigationEnabled@4 proc near	; CODE XREF: KiUpdateSpeculationControl(x)+22Dp
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		xor	ecx, ecx
		push	esi
		mov	esi, 200000h
		and	edx, 18000h
		and	eax, esi
		cmp	eax, esi
		jnz	short loc_59291C
		cmp	edx, ecx
		jnz	short loc_59291C
		inc	ecx

loc_59291C:				; CODE XREF: KiIsSrsoMitigationEnabled(x)+17j
					; KiIsSrsoMitigationEnabled(x)+1Bj
		mov	eax, ecx
		pop	esi
		retn
_KiIsSrsoMitigationEnabled@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIsSrsoMitigationSupported(x, x)
_KiIsSrsoMitigationSupported@8 proc near ; CODE	XREF: KeOptimizeSpecCtrlSettings(x)+C00p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [edx]
		mov	eax, [edx+4]
		and	ecx, 4
		or	ecx, 0
		jnz	short loc_592938
		xor	eax, eax
		leave
		retn
; 

loc_592938:				; CODE XREF: KiIsSrsoMitigationSupported(x,x)+12j
		xor	eax, eax
		inc	eax
		leave
		retn
_KiIsSrsoMitigationSupported@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiIsSrsoPresent(x)
_KiIsSrsoPresent@4 proc	near		; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+438p
		cmp	byte ptr [ecx+3BEh], 2
		jnz	short loc_592958
		mov	ecx, ds:dword_70E77C
		xor	eax, eax
		and	ecx, 4
		or	eax, ecx
		jnz	short loc_592958
		inc	eax
		retn
; 

loc_592958:				; CODE XREF: KiIsSrsoPresent(x)+7j
					; KiIsSrsoPresent(x)+16j
		xor	eax, eax
		retn
_KiIsSrsoPresent@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiIsTsaMitigationDesired(x)
_KiIsTsaMitigationDesired@4 proc near	; CODE XREF: KeOptimizeSpecCtrlSettings(x)+B64p
					; KiIsKvaShadowNeededForTsa(x)+31p
		mov	eax, _KiFeatureSettings
		test	al, 5
		jz	short loc_592968
		xor	eax, eax
		retn
; 

loc_592968:				; CODE XREF: KiIsTsaMitigationDesired(x)+7j
		shr	eax, 1Eh
		and	eax, 1
		retn
_KiIsTsaMitigationDesired@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiIsTsaMitigationSupported(x)
_KiIsTsaMitigationSupported@4 proc near	; CODE XREF: KeOptimizeSpecCtrlSettings(x)+BA0p
					; KiIsKvaShadowNeededForTsa(x)+3Cp
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		call	_KiIsHyperVCr3RspErrataPresent@4 ; KiIsHyperVCr3RspErrataPresent(x)
		test	eax, eax
		jnz	short loc_5929D9
		mov	edx, ds:dword_70E77C
		xor	edi, edi
		and	edx, 1000h
		mov	eax, edi
		or	eax, edx
		jnz	short loc_5929D4
		call	HviIsAnyHypervisorPresent
		test	al, al
		jnz	short loc_5929D9
		mov	eax, [esi+21C4h]
		mov	ecx, offset _KiVerwClearErrataVersions

loc_5929A8:				; CODE XREF: KiIsTsaMitigationSupported(x)+48j
		cmp	[ecx], eax
		jz	short loc_5929BC
		add	edi, 10h
		add	ecx, 10h
		cmp	edi, 0F0h
		jb	short loc_5929A8
		jmp	short loc_5929D4
; 

loc_5929BC:				; CODE XREF: KiIsTsaMitigationSupported(x)+3Aj
		mov	eax, [esi+3D5Ch]
		cmp	eax, [ecx+0Ch]
		jb	short loc_5929D9
		ja	short loc_5929D4
		mov	eax, [esi+3D58h]
		cmp	eax, [ecx+8]
		jb	short loc_5929D9

loc_5929D4:				; CODE XREF: KiIsTsaMitigationSupported(x)+22j
					; KiIsTsaMitigationSupported(x)+4Aj ...
		xor	eax, eax
		inc	eax
		jmp	short loc_5929DB
; 

loc_5929D9:				; CODE XREF: KiIsTsaMitigationSupported(x)+Ej
					; KiIsTsaMitigationSupported(x)+2Bj ...
		xor	eax, eax

loc_5929DB:				; CODE XREF: KiIsTsaMitigationSupported(x)+67j
		pop	edi
		pop	esi
		pop	ecx
		retn
_KiIsTsaMitigationSupported@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiIsTsaPresent(x)
_KiIsTsaPresent@4 proc near		; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+346p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+3BEh], 2
		jnz	short loc_592A24
		mov	eax, ds:dword_70E77C
		mov	edx, 0C00h
		and	eax, edx
		cmp	eax, edx
		jz	short loc_592A24
		call	HviIsAnyHypervisorPresent
		test	al, al
		jnz	short loc_592A1F
		mov	al, [esi+14h]
		cmp	al, 19h
		jl	short loc_592A24
		cmp	al, 1Ah
		jnz	short loc_592A1F
		mov	al, [esi+17h]
		cmp	al, 4Fh
		jbe	short loc_592A24
		sub	al, 60h
		cmp	al, 1Fh
		jbe	short loc_592A24

loc_592A1F:				; CODE XREF: KiIsTsaPresent(x)+25j
					; KiIsTsaPresent(x)+30j
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_592A24:				; CODE XREF: KiIsTsaPresent(x)+Cj
					; KiIsTsaPresent(x)+1Cj ...
		xor	eax, eax
		pop	esi
		retn
_KiIsTsaPresent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetVirtualMitigationControl(x)
_KiSetVirtualMitigationControl@4 proc near ; CODE XREF:	KiRestoreFeatureBits()+8Dp
					; KeOptimizeSpecCtrlSettings(x)+F01p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ds:_KeFeatureBits2
		push	ebx
		push	esi
		xor	esi, esi
		and	eax, 20000000h
		or	eax, esi
		mov	ebx, ecx
		push	edi
		mov	edi, esi
		jz	short loc_592A88
		mov	ecx, 50000001h
		rdmsr
		and	eax, 1
		or	eax, esi
		jz	short loc_592A88
		mov	eax, ds:_KiSpeculationFeatures
		mov	ecx, ds:dword_70E764
		mov	eax, esi
		and	ecx, (offset loc_7FFFFF+1)
		or	eax, ecx
		jz	short loc_592A78
		mov	al, [ebx+21B9h]
		and	al, 18h
		cmp	al, 8
		jnz	short loc_592A78
		inc	edi

loc_592A78:				; CODE XREF: KiSetVirtualMitigationControl(x)+41j
					; KiSetVirtualMitigationControl(x)+4Dj
		mov	ecx, 50000002h
		rdmsr
		and	eax, 0FFFFFFFEh
		or	eax, edi
		or	edx, esi
		wrmsr

loc_592A88:				; CODE XREF: KiSetVirtualMitigationControl(x)+1Cj
					; KiSetVirtualMitigationControl(x)+2Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiSetVirtualMitigationControl@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiIsFbClearSupported()
_KiIsFbClearSupported@0	proc near	; CODE XREF: PAGELK:007264AFp
					; KeQuerySpeculationControlInformation(x,x,x)+3BBp
		mov	ecx, ds:_KeFeatureBits2
		xor	edx, edx
		mov	eax, ecx
		and	eax, 400000h
		or	eax, edx
		jnz	short loc_592AB5
		mov	eax, ecx
		and	eax, 20h
		or	eax, edx
		jnz	short loc_592AB2
		and	ecx, 9
		cmp	ecx, 9
		jz	short loc_592AB5

loc_592AB2:				; CODE XREF: KiIsFbClearSupported()+1Aj
		xor	eax, eax
		retn
; 

loc_592AB5:				; CODE XREF: KiIsFbClearSupported()+11j
					; KiIsFbClearSupported()+22j
		xor	eax, eax
		inc	eax
		retn
_KiIsFbClearSupported@0	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIsHyperVCr3RspErrataPresent(x)
_KiIsHyperVCr3RspErrataPresent@4 proc near
					; CODE XREF: KiIsBranchConfusionMitigationSupported(x,x)+16p
					; KiIsTsaMitigationSupported(x)+7p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		cmp	byte ptr [ecx+3BEh], 2
		stosd
		stosd
		stosd
		stosd
		jnz	short loc_592B38
		call	_HviIsHypervisorVendorMicrosoft@0 ; HviIsHypervisorVendorMicrosoft()
		test	al, al
		jz	short loc_592B38
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_28]
		push	eax
		call	HviGetHypervisorFeatures
		mov	ecx, [ebp+var_24]
		xor	eax, eax
		and	ecx, 1000h
		or	eax, ecx
		jnz	short loc_592B38
		lea	eax, [ebp+var_14]
		push	eax
		call	_HviGetHypervisorVersion@4 ; HviGetHypervisorVersion(x)
		cmp	[ebp+var_14], 429Dh
		jnb	short loc_592B38
		cmp	[ebp+var_14], 3839h
		jnz	short loc_592B33
		mov	eax, [ebp+var_8]
		and	eax, 0FFFFFFh
		cmp	eax, 1479h
		jnb	short loc_592B38

loc_592B33:				; CODE XREF: KiIsHyperVCr3RspErrataPresent(x)+68j
		xor	eax, eax
		inc	eax
		jmp	short loc_592B3A
; 

loc_592B38:				; CODE XREF: KiIsHyperVCr3RspErrataPresent(x)+23j
					; KiIsHyperVCr3RspErrataPresent(x)+2Cj	...
		xor	eax, eax

loc_592B3A:				; CODE XREF: KiIsHyperVCr3RspErrataPresent(x)+7Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KiIsHyperVCr3RspErrataPresent@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFindLargeNodePage(x, x, x, x, x, x, x)
_MiFindLargeNodePage@28	proc near	; CODE XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+19Ap
					; MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+B7p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		movzx	esi, ds:_KeNumberNodes
		mov	[ebp+var_4], ecx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [edi]
		mov	eax, ds:_MiLargePageSizes[eax*4]
		mov	[ebp+var_C], eax
		cmp	edx, esi
		jnb	short loc_592B7B
		xor	ebx, ebx
		mov	[ebp+var_8], 4
		jmp	short loc_592BA8
; 

loc_592B7B:				; CODE XREF: MiFindLargeNodePage(x,x,x,x,x,x,x)+26j
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	eax, [eax+16Ch]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		movzx	edx, byte ptr [eax+4C1h]
		mov	eax, dword_6D0698
		imul	ecx, edx
		lea	ebx, [eax+ecx*4]
		lea	eax, [ebx+esi*4]
		mov	[ebp+var_8], eax

loc_592BA8:				; CODE XREF: MiFindLargeNodePage(x,x,x,x,x,x,x)+31j
		mov	ecx, [ebp+arg_8]
		mov	esi, ecx
		not	esi
		and	esi, 1
		shl	esi, 2
		test	ecx, 8000h
		jz	short loc_592BC0
		or	esi, 1

loc_592BC0:				; CODE XREF: MiFindLargeNodePage(x,x,x,x,x,x,x)+73j
		test	cl, 8
		jnz	short loc_592BC8
		or	esi, 10h

loc_592BC8:				; CODE XREF: MiFindLargeNodePage(x,x,x,x,x,x,x)+7Bj
		mov	eax, [ebp+arg_4]
		mov	eax, ds:_MiLargePageSizes[eax*4]
		mov	[ebp+arg_4], eax
		mov	eax, ecx
		and	eax, 4000h
		mov	[ebp+var_10], eax

loc_592BDF:				; CODE XREF: MiFindLargeNodePage(x,x,x,x,x,x,x)+D7j
		mov	ecx, [ebp+var_4]
		push	[ebp+arg_10]
		test	eax, eax
		jz	short loc_592BFA
		push	1
		push	0
		push	edx
		mov	edx, [edi]
		push	esi
		push	1
		call	_MiGetFreeZeroLargePages@32 ; MiGetFreeZeroLargePages(x,x,x,x,x,x,x,x)
		jmp	short loc_592C09
; 

loc_592BFA:				; CODE XREF: MiFindLargeNodePage(x,x,x,x,x,x,x)+9Fj
		push	esi
		push	0
		push	[ebp+arg_4]
		push	edx
		mov	edx, [ebp+var_C]
		call	_MiGetLargePagesDemoteAsNeeded@28 ; MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)

loc_592C09:				; CODE XREF: MiFindLargeNodePage(x,x,x,x,x,x,x)+B0j
		mov	edi, eax
		test	edi, edi
		jnz	short loc_592C28
		add	ebx, 4
		cmp	ebx, [ebp+var_8]
		jz	short loc_592C21
		mov	edx, [ebx]
		mov	eax, [ebp+var_10]
		mov	edi, [ebp+arg_0]
		jmp	short loc_592BDF
; 

loc_592C21:				; CODE XREF: MiFindLargeNodePage(x,x,x,x,x,x,x)+CDj
		xor	eax, eax
		jmp	loc_592CBD
; 

loc_592C28:				; CODE XREF: MiFindLargeNodePage(x,x,x,x,x,x,x)+C5j
		mov	ecx, edi
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		mov	ebx, [ebp+arg_0]
		push	1
		push	1
		mov	esi, ds:_MiLargePageSizes[eax*4]
		mov	[ebx], eax
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	esi
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		mov	[ebp+var_C], esi
		call	MiUpdateLargePageBitMap
		mov	edx, [ebx]
		xor	eax, eax
		push	eax
		push	eax
		push	1
		push	eax
		mov	ecx, edi
		call	_MiConvertEntireLargePageToSmall@24 ; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)
		test	[ebp+arg_8], 40000000h
		jnz	short loc_592CBB
		test	[ebp+arg_8], 100000h
		mov	eax, [edi+8]
		push	0
		pop	ebx
		mov	[ebp+arg_4], eax
		setnz	bl
		mov	eax, [edi+0Ch]
		inc	ebx
		mov	[ebp+var_10], eax
		mov	[ebp+arg_0], esi

loc_592C91:				; CODE XREF: MiFindLargeNodePage(x,x,x,x,x,x,x)+16Bj
		mov	edx, [ebp+arg_C]
		mov	ecx, edi
		push	ebx
		push	[ebp+arg_10]
		push	0FFFFFFF8h
		call	_MiSetPfnOwnedAndActive@20 ; MiSetPfnOwnedAndActive(x,x,x,x,x)
		mov	eax, [ebp+arg_4]
		mov	[edi+8], eax
		mov	eax, [ebp+var_10]
		mov	[edi+0Ch], eax
		add	edi, 1Ch
		sub	esi, 1
		jnz	short loc_592C91
		imul	eax, [ebp+var_C], -1Ch
		add	edi, eax

loc_592CBB:				; CODE XREF: MiFindLargeNodePage(x,x,x,x,x,x,x)+12Aj
		mov	eax, edi

loc_592CBD:				; CODE XREF: MiFindLargeNodePage(x,x,x,x,x,x,x)+DBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_MiFindLargeNodePage@28	endp


;  S U B	R O U T	I N E 


; __stdcall MiIdentifyPfnAsNonPagedPool(x, x, x)
_MiIdentifyPfnAsNonPagedPool@12	proc near ; CODE XREF: .text:00520BE0p
					; .text:0052109Ep
		mov	eax, [ecx+4]
		push	esi
		push	edi
		lea	edi, [edx-1A0h]
		mov	dword ptr [ecx+0Ch], 0C0603000h
		mov	edx, [ecx]
		xor	esi, esi
		shld	esi, edi, 9
		and	edx, 1F3h
		and	eax, 0FE000000h
		shl	edi, 9
		or	esi, eax
		or	edi, edx
		mov	[ecx+4], esi
		or	edi, 3
		mov	[ecx], edi
		pop	edi
		pop	esi
		retn	4
_MiIdentifyPfnAsNonPagedPool@12	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiMirrorBlackPhase(x)
_MiMirrorBlackPhase@4 proc near		; CODE XREF: MmDuplicateMemory(x)+24Cp
		cmp	dword_6D3580, 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi]
		jz	short loc_592D15
		mov	ecx, edi
		call	_MiRemoveEnclavePagesFromMirror@4 ; MiRemoveEnclavePagesFromMirror(x)

loc_592D15:				; CODE XREF: MiMirrorBlackPhase(x)+Ej
		mov	eax, [esi+4]
		test	eax, 40Dh
		jz	short loc_592D66
		mov	ebx, 100h
		test	eax, ebx
		jz	short loc_592D37
		mov	edx, esi
		mov	ecx, offset _MiMirrorRemoveBlackChildPartitionPages@8 ;	MiMirrorRemoveBlackChildPartitionPages(x,x)
		call	MiIterateOverPartitions
		mov	eax, [esi+4]

loc_592D37:				; CODE XREF: MiMirrorBlackPhase(x)+28j
		test	al, 0C0h
		jz	short loc_592D44
		mov	ecx, esi
		call	_MiMirrorReduceBlackToActiveAndPrivatePages@4 ;	MiMirrorReduceBlackToActiveAndPrivatePages(x)
		jmp	short loc_592D61
; 

loc_592D44:				; CODE XREF: MiMirrorBlackPhase(x)+3Bj
		test	eax, ebx
		jz	short loc_592D55
		push	esi
		push	offset _MiSystemPartition
		call	_MiMirrorReduceBlackWrites@8 ; MiMirrorReduceBlackWrites(x,x)
		jmp	short loc_592D61
; 

loc_592D55:				; CODE XREF: MiMirrorBlackPhase(x)+48j
		mov	edx, esi
		mov	ecx, offset _MiMirrorReduceBlackWrites@8 ; MiMirrorReduceBlackWrites(x,x)
		call	MiIterateOverPartitions

loc_592D61:				; CODE XREF: MiMirrorBlackPhase(x)+44j
					; MiMirrorBlackPhase(x)+55j
		call	MiMirrorDiscardPageContents

loc_592D66:				; CODE XREF: MiMirrorBlackPhase(x)+1Fj
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	MiMirrorPerformBlackWrites
_MiMirrorBlackPhase@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateLargePageSectionPfns(x, x, x)
_MiUpdateLargePageSectionPfns@12 proc near ; CODE XREF:	MiCreatePagingFileMap(x)+709p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	eax, ebx
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		or	edx, 80000000h
		mov	[ebp+var_24], edi
		push	edx
		mov	edx, eax
		mov	[ebp+var_C], eax
		call	MiMakeValidPte
		mov	ecx, [ebp+arg_0]
		mov	esi, eax
		mov	eax, edx
		mov	[ebp+var_4], eax
		call	_MiMakeDemandZeroPte@4 ; MiMakeDemandZeroPte(x)
		mov	ecx, ebx
		mov	[ebp+var_28], eax
		mov	[ebp+var_2C], edx
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		or	[ebp+var_14], 0FFFFFFFFh
		mov	edx, eax
		mov	ecx, ds:_MiLargePageSizes[eax*4]
		lea	ecx, [edi+ecx*8]
		mov	[ebp+var_18], ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	ecx, ebx
		call	_MiConvertEntireLargePageToSmall@24 ; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)
		mov	ecx, edi
		cmp	ecx, [ebp+var_18]
		jnb	loc_592F6C
		mov	eax, [ebp+var_C]
		add	ebx, 10h
		mov	[ebp+var_10], ebx

loc_592DF7:				; CODE XREF: MiUpdateLargePageSectionPfns(x,x,x)+1F6j
		cmp	[ebp+var_14], 0FFFFFFFFh
		jz	short loc_592E05
		test	edi, 0FFFh
		jnz	short loc_592E3B

loc_592E05:				; CODE XREF: MiUpdateLargePageSectionPfns(x,x,x)+8Bj
		and	[ebp+var_20], 0
		mov	eax, ecx
		and	[ebp+var_1C], 0
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	ecx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], eax
		nop
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+var_C]
		and	ecx, 1FFFFFFh
		mov	[ebp+var_14], ecx

loc_592E3B:				; CODE XREF: MiUpdateLargePageSectionPfns(x,x,x)+93j
		mov	edx, [ebp+var_4]
		mov	ecx, eax
		and	[ebp+var_8], 0
		and	ecx, 1FFFFFFh
		xor	eax, eax
		and	esi, 0FFFh
		shld	eax, ecx, 0Ch
		and	edx, 0FFFFFFE0h
		shl	ecx, 0Ch
		or	eax, edx
		or	ecx, esi
		mov	[ebp+var_4], eax
		mov	edx, ecx
		mov	esi, eax
		mov	ecx, edi
		mov	[ebp+var_1C], edx
		mov	[ebp+arg_0], edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_592EBF
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_592EA2
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	short loc_592EC2

loc_592E8D:				; CODE XREF: MiUpdateLargePageSectionPfns(x,x,x)+14Dj
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	short loc_592EC2
		mov	esi, [ebp+var_4]
		or	esi, 80000000h
		jmp	short loc_592EC5
; 

loc_592EA2:				; CODE XREF: MiUpdateLargePageSectionPfns(x,x,x)+10Fj
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		mov	ecx, [ebp+var_8]
		test	al, al
		jz	short loc_592EC2
		mov	edx, [ebp+var_1C]
		jmp	short loc_592E8D
; 

loc_592EBF:				; CODE XREF: MiUpdateLargePageSectionPfns(x,x,x)+106j
		mov	ecx, [ebp+var_8]

loc_592EC2:				; CODE XREF: MiUpdateLargePageSectionPfns(x,x,x)+11Bj
					; MiUpdateLargePageSectionPfns(x,x,x)+125j ...
		mov	edx, [ebp+arg_0]

loc_592EC5:				; CODE XREF: MiUpdateLargePageSectionPfns(x,x,x)+130j
		mov	[edi+4], esi
		nop
		mov	[edi], edx
		test	ecx, ecx
		jz	short loc_592ED8
		push	esi
		push	edx
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_592ED8:				; CODE XREF: MiUpdateLargePageSectionPfns(x,x,x)+15Dj
		lea	esi, [ebx-10h]
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		push	1
		xor	edx, edx
		mov	ecx, esi
		mov	bl, al
		call	_MiSetPfnTbFlushStamp@12 ; MiSetPfnTbFlushStamp(x,x,x)
		mov	eax, [ebp+var_10]
		and	dword ptr [esi], 0
		push	2
		mov	ecx, [eax]
		and	ecx, 0C0000001h
		or	ecx, 1
		mov	[eax], ecx
		mov	ecx, [ebp+var_10]
		pop	eax
		mov	edx, [ecx+8]
		mov	[ecx+4], ax
		and	edx, 0FF800000h
		mov	eax, [ebp+var_28]
		mov	[ecx-8], eax
		mov	eax, [ebp+var_2C]
		mov	[ecx-4], eax
		mov	eax, [ebp+var_14]
		and	eax, offset loc_7FFFFF
		mov	[ecx-0Ch], edi
		or	edx, eax
		mov	al, [ecx+6]
		or	edx, 80000000h
		and	al, 0FEh
		mov	[ecx+8], edx
		or	al, 6
		mov	[ecx+6], al
		mov	dl, bl
		mov	ecx, esi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	eax, [ebp+var_C]
		add	edi, 8
		mov	ebx, [ebp+var_10]
		inc	eax
		mov	esi, [ebp+var_1C]
		add	ebx, 1Ch
		mov	ecx, [ebp+var_24]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ebx
		cmp	edi, [ebp+var_18]
		jb	loc_592DF7

loc_592F6C:				; CODE XREF: MiUpdateLargePageSectionPfns(x,x,x)+78j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiUpdateLargePageSectionPfns@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckRelevantKernelShadows(x)
_MiCheckRelevantKernelShadows@4	proc near ; CODE XREF: MiCheckProcessShadow+D1F91p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		or	eax, 0FFFFFFFFh
		mov	esp, ebp
		pop	ebp
		retn
_MiCheckRelevantKernelShadows@4	endp


;  S U B	R O U T	I N E 


; __stdcall MiReducePteUseCount(x, x)
_MiReducePteUseCount@8 proc near	; CODE XREF: .text:004736CEp
					; .text:004737ACp ...
		mov	eax, large fs:124h
		shr	ecx, 0Ch
		and	ecx, 7FFh
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		add	eax, 190h
		lea	ecx, [eax+ecx*2]
		call	MiDecreaseUsedPtesCount
		neg	eax
		sbb	eax, eax
		inc	eax
		retn
_MiReducePteUseCount@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetProtectionFromPte(x, x, x)
_MiGetProtectionFromPte@12 proc	near	; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+D4Ep
					; .text:0045578Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, edx
		push	esi
		and	eax, 1
		xor	esi, esi
		or	eax, esi
		push	edi
		mov	edi, ecx
		jz	short loc_59300E
		and	edx, 800h
		or	edx, esi
		jz	short loc_592FD6
		push	4
		pop	ecx
		jmp	short loc_592FD9
; 

loc_592FD6:				; CODE XREF: MiGetProtectionFromPte(x,x,x)+1Fj
		xor	ecx, ecx
		inc	ecx

loc_592FD9:				; CODE XREF: MiGetProtectionFromPte(x,x,x)+24j
		mov	eax, [ebp+arg_4]
		and	eax, 80000000h
		or	esi, eax
		jnz	short loc_592FE8
		or	ecx, 2

loc_592FE8:				; CODE XREF: MiGetProtectionFromPte(x,x,x)+33j
		mov	eax, [edi+1Ch]
		shr	eax, 7
		and	eax, 1Fh
		mov	edx, eax
		shr	edx, 3
		cmp	edx, 3
		jnz	short loc_593004
		test	al, 7
		jz	short loc_59302A
		or	ecx, 18h
		jmp	short loc_59302A
; 

loc_593004:				; CODE XREF: MiGetProtectionFromPte(x,x,x)+49j
		cmp	edx, 1
		jnz	short loc_59302A
		or	ecx, 8
		jmp	short loc_59302A
; 

loc_59300E:				; CODE XREF: MiGetProtectionFromPte(x,x,x)+15j
		mov	eax, edx
		and	eax, 400h
		or	eax, esi
		jnz	short loc_593032
		and	edx, 800h
		or	edx, esi
		jz	short loc_593027
		push	18h
		jmp	short loc_593029
; 

loc_593027:				; CODE XREF: MiGetProtectionFromPte(x,x,x)+71j
		push	10h

loc_593029:				; CODE XREF: MiGetProtectionFromPte(x,x,x)+75j
		pop	ecx

loc_59302A:				; CODE XREF: MiGetProtectionFromPte(x,x,x)+4Dj
					; MiGetProtectionFromPte(x,x,x)+52j ...
		pop	edi
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	8
; 

loc_593032:				; CODE XREF: MiGetProtectionFromPte(x,x,x)+67j
		push	esi
		push	edx
		push	edi
		push	8700h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MiGetProtectionFromPte@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiZeroWithSystemPtes(x, x, x)
_MiZeroWithSystemPtes@12 proc near	; CODE XREF: MiZeroInParallelWorker(x)+1C0p

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= word ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	[ebp+var_BC], edx
		test	dword ptr [ebx+18h], 800000h
		mov	[ebp+var_B0], ecx
		jz	short loc_59308F
		mov	ecx, ebx
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_593081
		push	2
		pop	eax

loc_593081:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+3Aj
		cmp	eax, 2
		jnb	short loc_59308F
		mov	edi, ds:_MiLargePageSizes[eax*4]
		jmp	short loc_593092
; 

loc_59308F:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+2Ej
					; MiZeroWithSystemPtes(x,x,x)+42j
		xor	edi, edi
		inc	edi

loc_593092:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+4Bj
		mov	eax, ebx
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	esi, eax
		mov	eax, [ebp+var_B0]
		mov	[ebp+var_B8], esi
		test	eax, eax
		jnz	short loc_5930DA
		test	edi, edi
		jz	short loc_5930D3
		add	ebx, 16h

loc_5930B9:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+8Fj
		movzx	eax, byte ptr [ebx]
		xor	edx, edx
		shr	eax, 6
		inc	edx
		push	eax
		mov	ecx, esi
		call	MiZeroPhysicalPage
		inc	esi
		lea	ebx, [ebx+1Ch]
		sub	edi, 1
		jnz	short loc_5930B9

loc_5930D3:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+72j
		xor	eax, eax
		jmp	loc_593336
; 

loc_5930DA:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+6Ej
		mov	ecx, [ebp+var_BC]
		mov	[ebp+var_C8], ecx
		cmp	ecx, edi
		jb	short loc_5930F0
		mov	[ebp+var_C8], edi

loc_5930F0:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+A6j
		mov	esi, eax
		mov	edx, ebx
		push	4
		shl	eax, 9
		pop	ecx
		mov	[ebp+var_B4], eax
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		mov	edx, [ebp+var_B8]
		or	eax, 0A0000000h
		mov	ebx, esi
		push	eax
		mov	ecx, ebx
		call	MiMakeValidPte
		mov	[ebp+var_A8], eax
		mov	ecx, edx
		xor	eax, eax
		mov	[ebp+var_AC], ecx
		and	[ebp+var_C4], eax
		mov	[ebp+var_C0], eax
		test	edi, edi
		jz	loc_593314
		mov	edx, [ebp+var_A8]

loc_593144:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+2CCj
		and	[ebp+var_B8], 0
		mov	ebx, ecx
		mov	ecx, esi
		mov	[ebp+var_CC], edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_5931BC
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_593192
		xor	ecx, ecx
		mov	eax, edx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		mov	[ebp+var_B8], ecx
		jnz	short loc_5931BE
		and	eax, ecx

loc_59317D:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+170j
		or	eax, 0
		mov	eax, edx
		jz	short loc_5931BE
		mov	ebx, [ebp+var_AC]
		or	ebx, 80000000h
		jmp	short loc_5931BE
; 

loc_593192:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+123j
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		mov	edx, [ebp+var_A8]
		test	al, al
		jz	short loc_5931B4
		mov	eax, edx
		and	eax, 1
		jmp	short loc_59317D
; 

loc_5931B4:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+169j
		mov	eax, [ebp+var_CC]
		jmp	short loc_5931BE
; 

loc_5931BC:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+11Aj
		mov	eax, edx

loc_5931BE:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+137j
					; MiZeroWithSystemPtes(x,x,x)+140j ...
		mov	[esi+4], ebx
		nop
		cmp	[ebp+var_B8], 0
		mov	[esi], eax
		jz	short loc_5931DC
		push	ebx
		push	eax
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	edx, [ebp+var_A8]

loc_5931DC:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+189j
		mov	eax, [ebp+var_AC]
		mov	ecx, edx
		add	ecx, 1000h
		adc	eax, 0
		xor	ecx, edx
		xor	eax, [ebp+var_AC]
		and	ecx, 0FFFFF000h
		xor	edx, ecx
		and	eax, 1Fh
		mov	ecx, [ebp+var_AC]
		add	esi, 8
		xor	ecx, eax
		mov	[ebp+var_A8], edx
		mov	eax, [ebp+var_C0]
		inc	eax
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_C0], eax
		cmp	eax, [ebp+var_BC]
		jnz	loc_5932F9
		push	98h		; size_t
		lea	eax, [ebp+var_A4]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ebx, [ebp+var_B0]
		mov	edx, esi
		mov	ecx, [ebp+var_B4]
		sub	edx, ebx
		add	esp, 0Ch
		sar	edx, 3
		shl	edx, 0Ch
		call	_KeZeroPages	; KiZeroPages(x,x)
		mov	eax, [ebp+var_C4]
		inc	eax
		cmp	eax, edi
		jz	loc_593347
		mov	edx, [ebp+var_BC]
		xor	eax, eax
		mov	ecx, eax
		test	edx, edx
		jz	short loc_593298

loc_59327F:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+252j
		mov	eax, ds:_ZeroPte
		mov	[ebx+ecx*8], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ebx+ecx*8+4], eax
		inc	ecx
		cmp	ecx, edx
		jb	short loc_59327F
		xor	eax, eax

loc_593298:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+23Bj
		push	eax
		push	edx
		mov	edx, [ebp+var_B4]
		lea	ecx, [ebp+var_A4]
		mov	[ebp+var_98], eax
		mov	[ebp+var_A4], eax
		mov	[ebp+var_A0], 0
		mov	[ebp+var_94], eax
		mov	[ebp+var_9C], 21h
		mov	[ebp+var_90], eax
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [ebp+var_A4]
		call	MiFlushTbList
		mov	edx, [ebp+var_A8]
		xor	eax, eax
		mov	ecx, [ebp+var_AC]
		mov	esi, ebx
		mov	[ebp+var_C0], eax
		jmp	short loc_5932FF
; 

loc_5932F9:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+1E8j
		mov	ebx, [ebp+var_B0]

loc_5932FF:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+2B5j
		mov	eax, [ebp+var_C4]
		inc	eax
		mov	[ebp+var_C4], eax
		cmp	eax, edi
		jb	loc_593144

loc_593314:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+F6j
		mov	eax, [ebp+var_B4]

loc_59331A:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+307j
		test	eax, eax
		jz	short loc_593330
		sub	esi, ebx
		mov	ecx, eax
		sar	esi, 3
		shl	esi, 0Ch
		mov	edx, esi
		call	_KeZeroPages	; KiZeroPages(x,x)

loc_593330:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+2DAj
		mov	eax, [ebp+var_C8]

loc_593336:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+93j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_593347:				; CODE XREF: MiZeroWithSystemPtes(x,x,x)+229j
		xor	eax, eax
		jmp	short loc_59331A
_MiZeroWithSystemPtes@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MI_PFN_IS_PROTO(x)
_MI_PFN_IS_PROTO@4 proc	near		; CODE XREF: MiComputePageCommitment(x,x,x,x,x,x)+1C7p
					; MiHandleCollidedFault(x,x,x,x,x,x)+6Bp ...
		xor	eax, eax
		cmp	[ecx+18h], eax
		setl	al
		retn
_MI_PFN_IS_PROTO@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiBadRefCount(x)
_MiBadRefCount@4 proc near		; CODE XREF: .text:0045DAD2p
					; .text:0045EA59p ...
		movzx	eax, word ptr [ecx+14h]
		push	eax
		movzx	eax, byte ptr [ecx+16h]
		sub	ecx, ds:_MmPfnDatabase
		and	eax, 7
		push	eax
		push	1Ch
		mov	eax, ecx
		pop	ecx
		cdq
		idiv	ecx
		push	eax
		push	9Ah
		push	4Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MiBadRefCount@4 endp


; __stdcall MiBadShareCount(x)
_MiBadShareCount@4:			; CODE XREF: MiCopyOnWrite(x,x,x,x)+B4Ep
					; .text:loc_4724A3p ...
		mov	eax, [ecx+10h]
		and	eax, 3FFFFFFFh
		push	eax
		movzx	eax, byte ptr [ecx+16h]
		sub	ecx, ds:_MmPfnDatabase
		and	eax, 7
		push	eax
		push	1Ch
		mov	eax, ecx
		pop	ecx
		cdq
		idiv	ecx
		push	eax
		push	99h
		push	4Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetLargePagesDemoteAsNeeded(x, x,	x, x, x, x, x)
_MiGetLargePagesDemoteAsNeeded@28 proc near
					; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+F2p
					; MiFindLargeNodePage(x,x,x,x,x,x,x)+BCp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	[ebp+var_4], edx
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		imul	eax, ecx, 280h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		add	eax, [edx+10h]
		mov	[ebp+var_14], eax
		cmp	dword ptr [eax+1DCh], 0
		jnz	short loc_5933E4
		cmp	_InitializationPhase, 0
		jnz	loc_5934C8

loc_5933E4:				; CODE XREF: MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+29j
		mov	esi, [ebp+arg_C]
		xor	edx, edx
		mov	ebx, esi
		and	ebx, 1
		jnz	short loc_5933F3
		or	esi, 1

loc_5933F3:				; CODE XREF: MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+42j
		and	[ebp+arg_C], edx
		xor	ebx, 1
		inc	ebx

loc_5933FA:				; CODE XREF: MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+117j
		lea	eax, [eax+edx*8]
		xor	edi, edi
		add	eax, 8
		mov	[ebp+var_8], eax

loc_593405:				; CODE XREF: MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+BEj
		mov	edx, ds:_MiLargePageSizes[edi*4]
		mov	[ebp+var_10], edx
		cmp	[ebp+var_4], edx
		jb	short loc_59345E
		cmp	edx, [ebp+arg_4]
		jb	short loc_59346C
		cmp	[ebp+arg_C], 0
		jnz	short loc_593422
		mov	[ebp+arg_C], edi

loc_593422:				; CODE XREF: MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+71j
		cmp	dword ptr [eax+4], 0
		jnz	short loc_59342D
		cmp	dword ptr [eax], 0
		jz	short loc_59345E

loc_59342D:				; CODE XREF: MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+7Aj
		cmp	[ebp+arg_8], 0
		jz	short loc_59343D
		mov	eax, [ebp+var_4]
		xor	edx, edx
		div	[ebp+var_10]
		jmp	short loc_593440
; 

loc_59343D:				; CODE XREF: MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+85j
		xor	eax, eax
		inc	eax

loc_593440:				; CODE XREF: MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+8Fj
		push	[ebp+arg_10]
		mov	edx, edi
		push	1
		push	0
		push	ecx
		mov	ecx, [ebp+var_C]
		push	esi
		push	eax
		call	_MiGetFreeZeroLargePages@32 ; MiGetFreeZeroLargePages(x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_5934CA
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_8]

loc_59345E:				; CODE XREF: MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+66j
					; MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+7Fj
		inc	edi
		add	eax, 98h
		mov	[ebp+var_8], eax
		cmp	edi, 2
		jb	short loc_593405

loc_59346C:				; CODE XREF: MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+6Bj
		cmp	[ebp+arg_C], 0
		jz	short loc_5934B2
		xor	eax, eax
		lea	edi, [ebp+var_20]
		stosd
		lea	edx, [ebp+var_20]
		stosd
		stosd
		lea	eax, [ecx+1]
		push	eax
		xor	ecx, ecx
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	eax, [ebp+var_20]
		xor	ecx, ecx
		inc	ecx
		lock xadd [eax], ecx
		inc	ecx
		mov	eax, [ebp+var_1C]
		dec	ecx
		mov	edx, [ebp+arg_C]
		and	eax, ecx
		or	eax, [ebp+var_18]
		mov	ecx, [ebp+var_C]
		push	0
		push	esi
		push	eax
		push	[ebp+arg_10]
		call	_MiGetLargePage@24 ; MiGetLargePage(x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_5934CA

loc_5934B2:				; CODE XREF: MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+C4j
		sub	ebx, 1
		jz	short loc_5934C8
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	eax, [ebp+var_14]
		and	esi, 0FFFFFFFEh
		inc	edx
		jmp	loc_5933FA
; 

loc_5934C8:				; CODE XREF: MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+32j
					; MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+109j
		xor	eax, eax

loc_5934CA:				; CODE XREF: MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+AAj
					; MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)+104j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_MiGetLargePagesDemoteAsNeeded@28 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiCreatePfnTemplate(x, x)
_MiCreatePfnTemplate@8 proc near	; CODE XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+60p
					; MxCreateFreePfns(x)+269p
		xor	eax, eax
		push	esi
		mov	esi, edx
		push	2
		pop	edx
		mov	[esi], eax
		mov	[esi+4], eax
		mov	[esi+8], eax
		mov	[esi+0Ch], eax
		mov	[esi+10h], eax
		mov	[esi+14h], eax
		mov	[esi+18h], eax
		mov	al, [esi+16h]
		xor	al, cl
		xor	ecx, ecx
		and	al, 7
		xor	al, [esi+16h]
		mov	[esi+16h], al
		mov	al, [esi+16h]
		and	al, 3Fh
		or	al, 40h
		mov	[esi+16h], al
		call	_MiDetermineNewPfnHeatState@8 ;	MiDetermineNewPfnHeatState(x,x)
		mov	edx, eax
		mov	ecx, esi
		pop	esi
		jmp	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)
_MiCreatePfnTemplate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteClusterPage(x, x)
_MiDeleteClusterPage@8 proc near	; CODE XREF: .text:004717B2p

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= byte ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_28], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_58]
		mov	ebx, ecx
		stosd
		or	edx, 0FFFFFFFFh
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+var_3C], eax
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		mov	[ebp+var_34], eax
		xor	edi, edi

loc_593555:				; CODE XREF: MiDeleteClusterPage(x,x)+B9j
		mov	esi, [ebx+edi*8]
		nop
		mov	ecx, [ebx+edi*8+4]
		mov	eax, esi
		or	eax, ecx
		jz	loc_5936EC
		mov	eax, esi
		and	eax, 400h
		or	eax, 0
		jz	loc_5936EC
		and	esi, 0FFFFFBFFh
		mov	[ebp+var_44], ecx
		or	esi, 1
		mov	[ebp+var_48], esi
		nop
		shrd	esi, ecx, 0Ch
		and	esi, 1FFFFFFh
		test	edi, edi
		jz	short loc_59359D
		cmp	esi, edx
		jnz	loc_5936EC

loc_59359D:				; CODE XREF: MiDeleteClusterPage(x,x)+7Dj
		imul	eax, esi, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	ecx, eax
		mov	[ebp+var_2C], eax
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	loc_5936EC
		mov	eax, [ebp+var_2C]
		cmp	dword ptr [eax+18h], 0
		jl	loc_5936EC
		inc	edi
		lea	edx, [esi+1]
		mov	[ebp+var_20], edx
		cmp	edi, 10h
		jb	short loc_593555
		mov	ecx, [ebp+var_28]
		call	_MiDeleteBatch@4 ; MiDeleteBatch(x)
		mov	eax, [ebp+var_20]
		add	eax, 0FFFFFFF0h
		imul	esi, eax, 1Ch
		mov	[ebp+var_2C], eax
		mov	[ebp+var_24], eax
		push	1Ch
		pop	ecx
		add	esi, ds:_MmPfnDatabase
		mov	eax, esi
		mov	[ebp+var_28], esi
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	ecx
		mov	ecx, eax
		call	_MiPageToNode@4	; MiPageToNode(x)
		mov	edx, [ebp+var_24]
		lea	edi, [ebp+var_14]
		xor	eax, eax
		or	ecx, 0FFFFFFFFh
		stosd
		mov	[ebp+var_1C], ecx
		stosd
		stosd
		stosd
		cmp	edx, [ebp+var_20]
		jnb	loc_5936BA
		lea	edi, [esi+10h]

loc_593624:				; CODE XREF: MiDeleteClusterPage(x,x)+19Bj
		cmp	edx, [ebp+var_2C]
		jnz	short loc_59364E
		and	[ebp+var_30], 0
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_593659

loc_593634:				; CODE XREF: MiDeleteClusterPage(x,x)+12Aj
					; MiDeleteClusterPage(x,x)+131j
		lea	ecx, [ebp+var_30]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_593634
		lock bts dword ptr [edi], 1Fh
		jb	short loc_593634
		mov	edx, [ebp+var_24]
		jmp	short loc_593659
; 

loc_59364E:				; CODE XREF: MiDeleteClusterPage(x,x)+111j
		mov	ecx, esi
		call	_MiTryLockNestedPageAtDpcInline@4 ; MiTryLockNestedPageAtDpcInline(x)
		test	eax, eax
		jz	short loc_5936B7

loc_593659:				; CODE XREF: MiDeleteClusterPage(x,x)+11Cj
					; MiDeleteClusterPage(x,x)+136j
		mov	eax, [edi-0Ch]
		or	eax, 80000000h
		mov	[ebp+var_1C], edx
		cmp	eax, ebx
		jnz	loc_593849
		mov	al, [edi+6]
		mov	[ebp+var_15], al
		and	al, 7
		cmp	al, 6
		jnz	loc_593842
		xor	eax, eax
		inc	eax
		cmp	[edi+4], ax
		jnz	short loc_5936DA
		test	byte ptr [edi+7], 40h
		jnz	short loc_5936DA
		mov	ecx, esi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	short loc_5936B7
		movzx	eax, [ebp+var_15]
		add	esi, 1Ch
		shr	eax, 6
		add	edi, 1Ch
		add	ebx, 8
		inc	[ebp+eax*4+var_14]
		inc	edx
		mov	[ebp+var_24], edx
		cmp	edx, [ebp+var_20]
		jb	loc_593624

loc_5936B7:				; CODE XREF: MiDeleteClusterPage(x,x)+141j
					; MiDeleteClusterPage(x,x)+17Ej
		mov	ecx, [ebp+var_1C]

loc_5936BA:				; CODE XREF: MiDeleteClusterPage(x,x)+105j
		xor	eax, eax
		inc	eax

loc_5936BD:				; CODE XREF: MiDeleteClusterPage(x,x)+1C7j
		cmp	edx, [ebp+var_20]
		jz	short loc_5936FD
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_5936EC
		mov	ebx, [ebp+var_28]
		mov	edx, 7FFFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		jmp	short loc_5936E2
; 

loc_5936DA:				; CODE XREF: MiDeleteClusterPage(x,x)+16Dj
					; MiDeleteClusterPage(x,x)+173j
		mov	ecx, [ebp+var_1C]
		jmp	short loc_5936BD
; 

loc_5936DF:				; CODE XREF: MiDeleteClusterPage(x,x)+1D4j
		sub	ecx, 1Ch

loc_5936E2:				; CODE XREF: MiDeleteClusterPage(x,x)+1C2j
		lea	eax, [ecx+10h]
		lock and [eax],	edx
		cmp	ecx, ebx
		jnz	short loc_5936DF

loc_5936EC:				; CODE XREF: MiDeleteClusterPage(x,x)+4Bj
					; MiDeleteClusterPage(x,x)+5Bj	...
		xor	eax, eax

loc_5936EE:				; CODE XREF: MiDeleteClusterPage(x,x)+327j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_5936FD:				; CODE XREF: MiDeleteClusterPage(x,x)+1AAj
		mov	[ebp+var_20], esi
		add	ebx, 0FFFFFF80h
		sub	esi, 1C0h
		mov	[ebp+var_24], eax
		xor	edx, edx
		xor	eax, eax

loc_593710:				; CODE XREF: MiDeleteClusterPage(x,x)+20Bj
		mov	ecx, [ebp+eax*4+var_14]
		cmp	edx, ecx
		jnb	short loc_59371D
		mov	edx, ecx
		mov	[ebp+var_24], eax

loc_59371D:				; CODE XREF: MiDeleteClusterPage(x,x)+200j
		inc	eax
		cmp	eax, 4
		jb	short loc_593710
		push	2
		lea	edi, [esi+8]
		pop	eax

loc_593729:				; CODE XREF: MiDeleteClusterPage(x,x)+2B9j
		mov	[edi+0Ch], ax
		mov	eax, [edi+10h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jnz	short loc_593746
		push	0Ch
		pop	edx
		mov	ecx, esi
		call	MiClearPfnImageVerified

loc_593746:				; CODE XREF: MiDeleteClusterPage(x,x)+224j
		push	dword ptr [edi+4]
		xor	eax, eax
		mov	ecx, offset _MiSystemPartition
		push	dword ptr [edi]
		lea	edx, [eax+1]
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		mov	eax, ds:_ZeroPte
		mov	ecx, [ebp+var_24]
		mov	[edi], eax
		mov	eax, ds:dword_40F9FC
		mov	[edi+4], eax
		movzx	eax, byte ptr [edi+0Eh]
		shr	eax, 6
		cmp	eax, ecx
		jz	short loc_593784
		xor	eax, eax
		mov	edx, ecx
		inc	eax
		mov	ecx, esi
		push	eax
		call	MiChangePageAttribute

loc_593784:				; CODE XREF: MiDeleteClusterPage(x,x)+25Fj
		mov	al, [edi+0Fh]
		test	al, 10h
		jz	short loc_593790
		and	al, 0EFh
		mov	[edi+0Fh], al

loc_593790:				; CODE XREF: MiDeleteClusterPage(x,x)+273j
		mov	edx, [ebp+var_28]
		xor	eax, eax
		push	0
		inc	eax
		mov	ecx, esi
		push	eax
		call	_MiConvertLockedSmallPageToLarge@16 ; MiConvertLockedSmallPageToLarge(x,x,x,x)
		cmp	esi, [ebp+var_28]
		jz	short loc_5937B0
		lea	eax, [edi+8]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_5937B0:				; CODE XREF: MiDeleteClusterPage(x,x)+28Dj
		mov	eax, ds:_ZeroPte
		mov	[ebx], eax
		nop
		mov	eax, ds:dword_40F9FC
		add	esi, 1Ch
		mov	[ebx+4], eax
		add	edi, 1Ch
		add	ebx, 8
		push	2
		pop	eax
		cmp	esi, [ebp+var_20]
		jb	loc_593729
		mov	eax, [ebp+var_2C]
		lea	ecx, [ebp+var_58]
		and	[ebp+var_50], 0
		mov	[ebp+var_58], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_4C], 2
		mov	[ebp+var_54], eax
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)
		imul	ebx, [ebp+var_34], 1Ch
		add	ebx, ds:_MmPfnDatabase
		and	[ebp+var_38], 0
		lea	edi, [ebx+10h]
		jmp	short loc_593812
; 

loc_593804:				; CODE XREF: MiDeleteClusterPage(x,x)+2FAj
					; MiDeleteClusterPage(x,x)+301j
		lea	ecx, [ebp+var_38]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_593804

loc_593812:				; CODE XREF: MiDeleteClusterPage(x,x)+2ECj
		lock bts dword ptr [edi], 1Fh
		jb	short loc_593804
		push	0FFFFFFF0h
		pop	esi
		mov	edx, esi
		mov	ecx, ebx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	ecx, [ebp+var_3C]
		add	ecx, 14Ch
		lock xadd [ecx], esi
		xor	eax, eax
		inc	eax
		jmp	loc_5936EE
; 

loc_593842:				; CODE XREF: MiDeleteClusterPage(x,x)+160j
		mov	ecx, esi
		call	_MiBadShareCount@4 ; MiBadShareCount(x)

loc_593849:				; CODE XREF: MiDeleteClusterPage(x,x)+150j
		mov	ecx, ebx
		call	_MI_READ_PTE_LOCK_FREE@4 ; MI_READ_PTE_LOCK_FREE(x)
		push	dword ptr [esi+4]
		push	eax
		push	ebx
		push	403h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall MiDeleteEmptyPageTable(x, x, x)
_MiDeleteEmptyPageTable@12:		; DATA XREF: MiDeleteEmptyPageTables(x,x,x)+1BBo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	ecx, ecx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	eax, [ebx+48h]
		mov	[esp+0A8h+var_98], ecx
		mov	edi, [esi]
		mov	[esp+0A8h+var_84], eax
		nop
		mov	eax, [esi+4]
		mov	[esp+0A8h+var_88], eax
		mov	eax, edi
		and	eax, 1
		or	eax, ecx
		jz	loc_593948
		mov	eax, edi
		and	eax, 80h
		or	eax, ecx
		jnz	loc_593948
		nop
		mov	edx, esi
		mov	ecx, ebx
		call	_MiIsPageTableDeletable@8 ; MiIsPageTableDeletable(x,x)
		test	eax, eax
		jz	loc_593948
		mov	eax, [ebx+0Ch]
		lea	ecx, [esp+0A8h+var_98]
		mov	[esp+0A8h+var_94], eax
		mov	eax, esi
		shl	eax, 9
		push	ecx
		mov	ecx, [ebx+10h]
		mov	edx, eax
		push	0
		mov	[esp+0B0h+var_90], eax
		call	_MiTerminateWsle@16 ; MiTerminateWsle(x,x,x,x)
		test	eax, eax
		jz	short loc_593948
		cmp	[esp+0A8h+var_98], 1
		mov	ebx, [esp+0A8h+var_94]
		jnz	short loc_5938FA
		mov	edx, [esp+0A8h+var_90]
		mov	ecx, ebx
		push	0
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_5938FA:				; CODE XREF: MiDeleteClusterPage(x,x)+3D3j
		mov	eax, [esp+0A8h+var_88]
		and	edi, 0FFFFFFFEh
		or	edi, 400h
		mov	[esp+0A8h+var_8C], eax
		mov	[esp+0A8h+var_90], edi
		mov	[esi], edi
		nop
		xor	edx, edx
		mov	[esi+4], eax
		mov	ecx, ebx
		call	_MiFlushTbListEarly@8 ;	MiFlushTbListEarly(x,x)
		mov	ebx, [esp+0A8h+var_84]
		mov	edx, esi
		shr	edx, 3
		and	edx, 1FFh
		mov	ecx, edx
		and	edx, 7
		shr	ecx, 3
		movsx	eax, byte ptr [ecx+ebx+0Ch]
		bts	eax, edx
		mov	[ecx+ebx+0Ch], al
		cmp	dword ptr [ebx], 0
		jnz	short loc_593948
		mov	[ebx], esi

loc_593948:				; CODE XREF: MiDeleteClusterPage(x,x)+37Ej
					; MiDeleteClusterPage(x,x)+38Dj ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MiDeleteClusterPage@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteEmptyPageTableCommit(x)
_MiDeleteEmptyPageTableCommit@4	proc near ; CODE XREF: MiDeleteEmptyPageTableTail(x)+B3p

var_C8		= dword	ptr -0C8h
var_BC		= dword	ptr -0BCh
var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		push	ebx
		push	esi
		push	edi
		push	4Ch		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_78]
		mov	edi, ecx
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_10], edi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_C8]
		push	4Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	[ebp+var_14], ebx
		add	esp, 0Ch
		mov	ebx, [edi+48h]
		mov	[ebp+var_24], ebx
		mov	edx, [ebx+50h]
		mov	ecx, [ebx]
		mov	[ebp+var_1C], edx
		call	_MiGetLeafVa@4	; MiGetLeafVa(x)
		mov	ecx, [edi+14h]
		mov	esi, eax
		mov	[ebp+var_8], esi
		cmp	esi, ecx
		jnb	short loc_5939B1
		mov	esi, ecx
		mov	[ebp+var_8], ecx

loc_5939B1:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+56j
		mov	ecx, [ebx+4]
		add	ecx, 8
		call	_MiGetLeafVa@4	; MiGetLeafVa(x)
		lea	ebx, [eax-1]
		mov	eax, [edi+18h]
		mov	[ebp+var_C], ebx
		cmp	ebx, eax
		jbe	short loc_5939CE
		mov	ebx, eax
		mov	[ebp+var_C], eax

loc_5939CE:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+73j
		mov	eax, [edx+0Ch]
		shl	eax, 0Ch
		cmp	esi, eax
		jnz	short loc_593A13
		mov	ecx, [edx]
		mov	eax, edx
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	short loc_5939F4
		mov	eax, [ecx+4]
		jmp	short loc_5939EE
; 

loc_5939E8:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+9Cj
		mov	[ebp+var_4], eax
		mov	eax, [eax+4]

loc_5939EE:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+92j
		test	eax, eax
		jnz	short loc_5939E8
		jmp	short loc_593A40
; 

loc_5939F4:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+8Dj
		mov	ecx, [edx+8]
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_4], ecx
		jz	short loc_593A40

loc_5939FF:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+B8j
		cmp	[ecx+4], eax
		jz	short loc_593A0E
		mov	eax, ecx
		mov	ecx, [ecx+8]
		and	ecx, 0FFFFFFFCh
		jnz	short loc_5939FF

loc_593A0E:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+AEj
		mov	[ebp+var_4], ecx
		jmp	short loc_593A40
; 

loc_593A13:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+82j
		test	dword ptr [edx+1Ch], 100000h
		mov	esi, edx
		jz	short loc_593A25
		push	0Ah
		lea	edi, [ebp+var_78]
		jmp	short loc_593A2A
; 

loc_593A25:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+C8j
		push	13h
		lea	edi, [ebp+var_78]

loc_593A2A:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+CFj
		mov	eax, [ebp+var_8]
		shr	eax, 0Ch
		dec	eax
		pop	ecx
		rep movsd
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_78]
		or	eax, 1
		mov	[ebp+var_4], eax

loc_593A40:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+9Ej
					; MiDeleteEmptyPageTableCommit(x)+A9j ...
		mov	eax, [edx+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	ebx, eax
		jnz	short loc_593A7F
		mov	esi, [edx+4]
		mov	eax, edx
		test	esi, esi
		jz	short loc_593A6A
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_593AB4

loc_593A5E:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+112j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_593A5E
		jmp	short loc_593AB4
; 

loc_593A6A:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+102j
		mov	esi, [edx+8]
		jmp	short loc_593A78
; 

loc_593A6F:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+127j
		cmp	[esi], eax
		jz	short loc_593AB4
		mov	eax, esi
		mov	esi, [esi+8]

loc_593A78:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+119j
		and	esi, 0FFFFFFFCh
		jnz	short loc_593A6F
		jmp	short loc_593AB4
; 

loc_593A7F:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+F9j
		test	dword ptr [edx+1Ch], 100000h
		mov	esi, edx
		jz	short loc_593A94
		push	0Ah
		lea	edi, [ebp+var_C8]
		jmp	short loc_593A9C
; 

loc_593A94:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+134j
		push	13h
		lea	edi, [ebp+var_C8]

loc_593A9C:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+13Ej
		pop	ecx
		rep movsd
		mov	eax, ebx
		lea	esi, [ebp+var_C8]
		shr	eax, 0Ch
		inc	eax
		or	esi, 1
		mov	[ebp+var_BC], eax

loc_593AB4:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+108j
					; MiDeleteEmptyPageTableCommit(x)+114j	...
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_10]
		mov	eax, [eax+80h]
		mov	ecx, [ecx+10h]
		mov	[ebp+var_20], eax
		call	_MiLockWorkingSetExclusive@4 ; MiLockWorkingSetExclusive(x)
		mov	edx, [ebp+var_C]
		mov	bl, al
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_14]
		push	eax
		mov	byte ptr [ebp+var_18], bl
		push	[ebp+var_18]
		call	MiCaptureDeleteHierarchy
		mov	eax, [ebp+var_10]
		mov	dl, bl
		mov	ecx, [eax+10h]
		call	MiUnlockWorkingSetExclusive
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_14]
		mov	ecx, [ebp+var_8]
		push	eax
		push	[ebp+var_1C]
		push	esi
		push	[ebp+var_4]
		mov	esi, [ebp+var_20]
		push	esi
		call	_MiReturnPageTablePageCommitment@28 ; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)
		mov	edx, [ebp+var_24]
		mov	eax, [edx+8]
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jz	short loc_593B2C
		neg	ecx
		lea	eax, [esi+14Ch]
		lock xadd [eax], ecx
		mov	eax, [edx+8]
		and	dword ptr [eax+0Ch], 0

loc_593B2C:				; CODE XREF: MiDeleteEmptyPageTableCommit(x)+1C3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiDeleteEmptyPageTableCommit@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteEmptyPageTableTail(x)
_MiDeleteEmptyPageTableTail@4 proc near	; DATA XREF: MiDeleteEmptyPageTables(x,x,x)+1D3o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		and	[esp+1Ch+var_18], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	ecx, [ebx+0Ch]
		call	MiFlushTbList
		mov	esi, [ebx+48h]
		mov	[esp+28h+var_8], 200h
		lea	eax, [esi+0Ch]
		mov	[esp+28h+var_4], eax
		mov	eax, [esi]
		test	eax, eax
		jz	loc_593C2E
		and	eax, 0FFFFF000h
		xor	ebx, ebx
		mov	[esp+28h+var_10], eax

loc_593B77:				; CODE XREF: MiDeleteEmptyPageTableTail(x)+E5j
		xor	eax, eax
		mov	[esp+28h+var_14], eax

loc_593B7D:				; CODE XREF: MiDeleteEmptyPageTableTail(x)+CAj
		push	eax
		push	1
		lea	eax, [esp+30h+var_8]
		push	eax
		call	RtlFindSetBits
		mov	edi, eax
		cmp	edi, [esp+28h+var_14]
		jb	short loc_593C02
		cmp	edi, 0FFFFFFFFh
		jz	short loc_593C02
		lea	eax, [esp+28h+var_18]
		push	eax
		push	edi
		lea	eax, [esp+30h+var_8]
		push	eax
		call	RtlFindNextForwardRunClear
		mov	ecx, [esp+28h+var_18]
		mov	[esp+28h+var_C], eax
		test	eax, eax
		jnz	short loc_593BB7
		mov	ecx, [esp+28h+var_8]

loc_593BB7:				; CODE XREF: MiDeleteEmptyPageTableTail(x)+7Fj
		mov	eax, [esp+28h+var_10]
		sub	ecx, edi
		mov	[esp+28h+var_14], ecx
		lea	eax, [eax+edi*8]
		mov	[esi], eax
		lea	eax, [eax+ecx*8]
		add	eax, 0FFFFFFF8h
		mov	[esi+4], eax
		test	ebx, ebx
		jnz	short loc_593BE2
		mov	eax, [ebp+arg_0]
		mov	edx, esi
		mov	ecx, [eax+10h]
		call	_MiDeletePteRun@8 ; MiDeletePteRun(x,x)
		jmp	short loc_593BEA
; 

loc_593BE2:				; CODE XREF: MiDeleteEmptyPageTableTail(x)+9Fj
		mov	ecx, [ebp+arg_0]
		call	_MiDeleteEmptyPageTableCommit@4	; MiDeleteEmptyPageTableCommit(x)

loc_593BEA:				; CODE XREF: MiDeleteEmptyPageTableTail(x)+AEj
		mov	eax, [esp+28h+var_14]
		add	eax, edi
		add	eax, [esp+28h+var_C]
		mov	[esp+28h+var_14], eax
		cmp	eax, [esp+28h+var_8]
		jb	loc_593B7D

loc_593C02:				; CODE XREF: MiDeleteEmptyPageTableTail(x)+5Ej
					; MiDeleteEmptyPageTableTail(x)+63j
		test	ebx, ebx
		jnz	short loc_593C13
		cmp	[esi+50h], ebx
		jz	short loc_593C1D
		mov	ecx, [ebp+arg_0]
		call	MiReleaseWalkLocks

loc_593C13:				; CODE XREF: MiDeleteEmptyPageTableTail(x)+D2j
		inc	ebx
		cmp	ebx, 2
		jb	loc_593B77

loc_593C1D:				; CODE XREF: MiDeleteEmptyPageTableTail(x)+D7j
		and	dword ptr [esi], 0
		lea	eax, [esp+28h+var_8]
		and	dword ptr [esi+4], 0
		push	eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)

loc_593C2E:				; CODE XREF: MiDeleteEmptyPageTableTail(x)+34j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiDeleteEmptyPageTableTail@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteEmptyPageTables(x, x, x)
_MiDeleteEmptyPageTables@12 proc near	; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+3C1p
					; MiWriteAwePtes(x,x,x,x,x,x)+738p ...

var_194		= dword	ptr -194h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_164		= dword	ptr -164h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= byte ptr -114h
var_F4		= dword	ptr -0F4h
var_EE		= byte ptr -0EEh
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A4		= dword	ptr -0A4h
var_A0		= word ptr -0A0h
var_9C		= dword	ptr -9Ch
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 198h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_170], edx
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_178], esi
		call	_memset
		mov	ebx, large fs:124h
		add	esp, 0Ch
		test	[ebp+arg_0], 1
		mov	edi, [ebx+80h]
		mov	[ebp+var_17C], edi
		jz	short loc_593C96
		xor	esi, esi
		jmp	loc_593D40
; 

loc_593C96:				; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+53j
		mov	edx, edi
		mov	ecx, ebx
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		test	byte ptr [edi+0FCh], 20h
		jnz	loc_593E93
		mov	ecx, esi
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_593E93
		mov	ecx, [ebp+var_170]
		shr	ecx, 0Ch
		cmp	ecx, [esi+10h]
		ja	loc_593E93
		mov	edx, esi
		mov	ecx, ebx
		call	_MiLockVad@8	; MiLockVad(x,x)
		mov	edx, [esi+1Ch]
		test	edx, 100000h
		jz	loc_593E8A
		mov	ecx, esi
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		test	eax, eax
		jz	loc_593E8A
		test	edx, 1000000h
		jnz	short loc_593D0A
		test	edx, 2000000h
		jnz	loc_593E8A

loc_593D0A:				; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+C2j
		mov	eax, [esi+20h]
		mov	ecx, 0FFFFDh
		and	eax, 7FFFFFFFh
		cmp	eax, ecx
		jz	loc_593E8A
		test	dl, 4
		jnz	loc_593E8A
		cmp	eax, ecx
		jb	short loc_593D37
		cmp	eax, 0FFFFEh
		jnz	loc_593E8A

loc_593D37:				; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+F0j
		mov	edx, edi
		mov	ecx, ebx
		call	_LOCK_PAGE_TABLE_COMMITMENT@8 ;	LOCK_PAGE_TABLE_COMMITMENT(x,x)

loc_593D40:				; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+57j
		push	6
		add	edi, 240h
		xor	eax, eax
		pop	ecx
		mov	[ebp+var_174], edi
		lea	edi, [ebp+var_194]
		push	74h		; size_t
		push	eax		; int
		rep stosd
		lea	eax, [ebp+var_16C]
		push	eax		; void *
		call	_memset
		push	4Ch		; size_t
		lea	eax, [ebp+var_F4]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edi, [ebp+var_174]
		lea	eax, [ebp+var_194]
		add	esp, 18h
		mov	[ebp+var_11C], esi
		mov	ecx, edi
		mov	[ebp+var_164], eax
		mov	[ebp+var_118], 80h
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		xor	ecx, ecx
		mov	[ebp+var_A4], eax
		test	ds:byte_70EFC4,	1
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_A0], cx
		mov	[ebp+var_94], ecx
		mov	[ebp+var_9C], 21h
		mov	[ebp+var_90], ecx
		mov	[ebp+var_E8], eax
		jz	short loc_593DE5
		mov	[ebp+var_114], 1

loc_593DE5:				; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+1A2j
		mov	al, byte ptr [ebp+var_F4+2]
		and	al, 0E7h
		mov	[ebp+var_EC], ecx
		or	al, 4
		mov	[ebp+var_B4], offset _MiDeleteEmptyPageTable@12	; MiDeleteEmptyPageTable(x,x,x)
		mov	byte ptr [ebp+var_F4+2], al
		mov	ecx, edi
		lea	eax, [ebp+var_16C]
		mov	[ebp+var_B0], offset _MiDeleteEmptyPageTableTail@4 ; MiDeleteEmptyPageTableTail(x)
		mov	[ebp+var_AC], eax
		push	7
		pop	eax
		mov	word ptr [ebp+var_F4], ax
		mov	eax, [ebp+var_178]
		mov	[ebp+var_E0], eax
		mov	eax, [ebp+var_170]
		mov	[ebp+var_DC], eax
		mov	[ebp+var_E4], edi
		call	MiLockWorkingSetShared
		lea	ecx, [ebp+var_F4]
		mov	[ebp+var_EE], al
		call	MiWalkPageTables
		mov	dl, [ebp+var_EE]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		test	esi, esi
		jz	short loc_593E9C
		mov	edx, [ebp+var_17C]
		mov	ecx, ebx
		call	UNLOCK_PAGE_TABLE_COMMITMENT
		mov	edx, esi
		mov	ecx, ebx
		call	MiUnlockVad
		mov	edx, [ebp+var_17C]
		jmp	short loc_593E95
; 

loc_593E8A:				; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+A7j
					; MiDeleteEmptyPageTables(x,x,x)+B6j ...
		mov	edx, esi
		mov	ecx, ebx
		call	MiUnlockVad

loc_593E93:				; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+6Cj
					; MiDeleteEmptyPageTables(x,x,x)+7Dj ...
		mov	edx, edi

loc_593E95:				; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+24Ej
		mov	ecx, ebx
		call	UNLOCK_ADDRESS_SPACE

loc_593E9C:				; CODE XREF: MiDeleteEmptyPageTables(x,x,x)+230j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiDeleteEmptyPageTables@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiChangePageAttributeLargeFreeZeroPage(x, x, x)
_MiChangePageAttributeLargeFreeZeroPage@12 proc	near
					; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+D6p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_20]
		stosd
		mov	ebx, ecx
		stosd
		stosd
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		push	ecx
		mov	edx, ebx
		mov	[ebp+var_5], al
		mov	ecx, offset _MiSystemPartition
		call	_MiLargePfnPromoteCandidate@12 ; MiLargePfnPromoteCandidate(x,x,x)
		test	eax, eax
		jnz	short loc_593EE0
		xor	esi, esi
		jmp	short loc_593EEF
; 

loc_593EE0:				; CODE XREF: MiChangePageAttributeLargeFreeZeroPage(x,x,x)+2Cj
		movzx	eax, byte ptr [ebx+16h]
		shr	eax, 6
		cmp	eax, [ebp+arg_0]
		jnz	short loc_593F00
		xor	esi, esi
		inc	esi

loc_593EEF:				; CODE XREF: MiChangePageAttributeLargeFreeZeroPage(x,x,x)+30j
		mov	dl, [ebp+var_5]
		mov	ecx, ebx
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	eax, esi
		jmp	loc_593FEC
; 

loc_593F00:				; CODE XREF: MiChangePageAttributeLargeFreeZeroPage(x,x,x)+3Cj
		mov	eax, ebx
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	_MiPageToNode@4	; MiPageToNode(x)
		mov	esi, dword_6D4E50
		lea	edx, [ebp+var_20]
		imul	edi, eax, 280h
		add	esi, edi
		lea	ecx, [esi+204h]
		call	@KeAcquireInStackQueuedSpinLockAtDpcLevel@8 ; KeAcquireInStackQueuedSpinLockAtDpcLevel(x,x)
		push	8
		push	0
		push	1
		mov	edx, ebx
		mov	ecx, esi
		call	_MiUnlinkNodeLargePageHelper@20	; MiUnlinkNodeLargePageHelper(x,x,x,x,x)
		mov	eax, dword_6D4E50
		lea	ecx, [ebp+var_20]
		inc	dword ptr [edi+eax+1F4h]
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		mov	dl, 2
		mov	ecx, ebx
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		push	1Ch
		pop	ecx
		mov	eax, ebx
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	ecx
		push	[ebp+arg_0]
		mov	esi, eax
		push	10h
		pop	edx
		mov	ecx, esi
		call	_MiChangePageAttributeContiguous@12 ; MiChangePageAttributeContiguous(x,x,x)
		mov	ecx, [ebx+8]
		mov	[ebp+var_14], ecx
		mov	ecx, [ebx+0Ch]
		mov	[ebp+var_10], ecx
		xor	ecx, ecx
		test	eax, eax
		setz	cl
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_14]
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		mov	eax, [ebp+var_14]
		and	[ebp+arg_0], 0
		mov	[ebx+8], eax
		mov	eax, [ebp+var_10]
		mov	[ebx+0Ch], eax
		add	ebx, 10h
		jmp	short loc_593FBB
; 

loc_593FAD:				; CODE XREF: MiChangePageAttributeLargeFreeZeroPage(x,x,x)+10Bj
					; MiChangePageAttributeLargeFreeZeroPage(x,x,x)+112j
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_593FAD

loc_593FBB:				; CODE XREF: MiChangePageAttributeLargeFreeZeroPage(x,x,x)+FDj
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_593FAD
		mov	ecx, [ebp+var_C]
		lea	edi, [ebp+var_30]
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		mov	al, [ebp+var_5]
		mov	[ebp+var_2C], ecx
		lea	ecx, [ebp+var_30]
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], 5
		mov	[ebp+var_24], al
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)
		xor	eax, eax
		inc	eax

loc_593FEC:				; CODE XREF: MiChangePageAttributeLargeFreeZeroPage(x,x,x)+4Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiChangePageAttributeLargeFreeZeroPage@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConvertEntireLargePageToSmall(x, x, x, x,	x, x)
_MiConvertEntireLargePageToSmall@24 proc near ;	CODE XREF: MiResolvePrivateZeroFault(x)+2C6p
					; MiGetPageChain(x,x,x,x,x,x,x)+229p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		mov	esi, ds:_MiLargePageSizes[edx*4]
		mov	eax, ecx
		sub	eax, ds:_MmPfnDatabase
		push	edi
		cdq
		push	1Ch
		pop	edi
		idiv	edi
		imul	edi, esi, 1Ch
		add	eax, esi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_8], eax
		xor	eax, eax
		mov	[ebp+var_10], offset loc_7FFFFF
		add	edi, ecx
		cmp	dword ptr [ebx+0Ch], 1
		setle	al
		xor	edx, edx
		cmp	dword ptr [ebx+8], 1
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], edx
		jnz	short loc_59406C
		mov	ecx, [ebx+14h]
		xor	eax, eax
		cmp	[ebx+0Ch], eax
		setnz	al
		add	eax, 201h
		mov	[ebp+var_C], eax
		test	ecx, ecx
		jz	short loc_59406C
		mov	[ecx], edx
		mov	[ebp+var_C], eax

loc_59406C:				; CODE XREF: MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+5Aj
					; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+71j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, al
		lea	esi, [edi+10h]
		mov	eax, [ebp+var_8]
		mov	byte ptr [ebp+var_4+3],	cl

loc_59407F:				; CODE XREF: MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+15Ej
		sub	edi, 1Ch
		sub	esi, 1Ch
		dec	eax
		mov	[ebp+var_8], eax
		xor	eax, eax
		mov	[ebp+var_18], eax
		jmp	short loc_59409E
; 

loc_594090:				; CODE XREF: MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+A8j
					; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+AFj
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_594090

loc_59409E:				; CODE XREF: MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+9Aj
		lock bts dword ptr [esi], 1Fh
		jb	short loc_594090
		push	[ebp+var_1C]
		mov	edx, edi
		push	ecx
		mov	ecx, [ebp+var_14]
		call	_MiConvertLargePfnToSmall@16 ; MiConvertLargePfnToSmall(x,x,x,x)
		mov	eax, [ebx+8]
		test	eax, eax
		jz	short loc_594116
		cmp	eax, 1
		jnz	loc_5941A4
		xor	eax, eax
		cmp	edi, [ebx+10h]
		jnz	loc_594170
		or	dword ptr [esi-0Ch], 80000000h
		lea	ecx, [esi-8]
		test	byte ptr [ebp+var_C], 1
		mov	[edi], eax
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		jz	short loc_594169
		test	byte ptr ds:_MiFlags, 80h
		jz	short loc_594116
		mov	eax, dword_6D30F0
		inc	eax
		mov	dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	short loc_594116
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		inc	edx
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)

loc_594116:				; CODE XREF: MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+C4j
					; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+102j ...
		mov	eax, [ebp+var_8]

loc_594119:				; CODE XREF: MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+1DFj
		mov	ecx, 7FFFFFFFh
		lock and [esi],	ecx
		mov	cl, byte ptr [ebp+var_4+3]
		test	al, 0Fh
		jnz	short loc_59414F
		cmp	cl, 2
		jnb	short loc_59414F
		call	KeShouldYieldProcessor
		mov	cl, byte ptr [ebp+var_4+3]
		test	eax, eax
		jz	short loc_59414C
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, al
		mov	byte ptr [ebp+var_4+3],	cl

loc_59414C:				; CODE XREF: MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+143j
		mov	eax, [ebp+var_8]

loc_59414F:				; CODE XREF: MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+132j
					; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+137j
		cmp	edi, [ebp+var_14]
		jnz	loc_59407F
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	10h
; 

loc_594169:				; CODE XREF: MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+F9j
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		jmp	short loc_594116
; 

loc_594170:				; CODE XREF: MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+D4j
		cmp	[esi+4], ax
		jnz	short loc_59418C
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	eax, [ebx+14h]
		test	eax, eax
		jz	short loc_594116
		inc	dword ptr [eax]
		jmp	short loc_594116
; 

loc_59418C:				; CODE XREF: MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+180j
		mov	eax, [esi]
		mov	ecx, 40000000h
		test	eax, ecx
		jnz	short loc_59419B
		or	eax, ecx
		mov	[esi], eax

loc_59419B:				; CODE XREF: MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+1A1j
		or	byte ptr [esi+6], 7
		jmp	loc_594116
; 

loc_5941A4:				; CODE XREF: MiConvertEntireLargePageToSmall(x,x,x,x,x,x)+C9j
		cmp	eax, 2
		jnz	loc_594116
		mov	edx, [ebp+var_10]
		xor	eax, eax
		mov	[edi], eax
		mov	ecx, edi
		mov	eax, ds:_ZeroPte
		mov	[esi-8], eax
		mov	eax, ds:dword_40F9FC
		push	1
		mov	[esi-4], eax
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		mov	eax, [ebp+var_8]
		mov	[ebp+var_10], eax
		jmp	loc_594119
_MiConvertEntireLargePageToSmall@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConvertLargePfnToSmall(x,	x, x, x)
_MiConvertLargePfnToSmall@16 proc near	; CODE XREF: MiInitializeMdlLeafPfns(x,x,x,x,x,x)+64p
					; MiDemoteValidLargePageOneLevel(x)+4B3p ...

var_3C		= dword	ptr -3Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	esi
		mov	esi, edx
		and	byte ptr [esi+17h], 0F8h
		and	byte ptr [esi+16h], 0EFh
		cmp	esi, ecx
		jz	short loc_594209
		mov	al, [ecx+16h]
		xor	al, [esi+16h]
		and	al, 7
		xor	al, [esi+16h]
		mov	[esi+16h], al
		mov	eax, [ecx+8]
		mov	[esi+8], eax
		mov	eax, [ecx+0Ch]
		mov	[esi+0Ch], eax

loc_594209:				; CODE XREF: MiConvertLargePfnToSmall(x,x,x,x)+15j
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_20]
		push	7
		pop	ecx
		rep stosd
		mov	eax, [esi+18h]
		lea	edi, [ebp+var_3C]
		and	eax, 0FF7FFFFFh
		mov	[ebp+var_8], eax
		mov	[esi+18h], eax
		xor	eax, eax
		push	7
		pop	ecx
		rep stosd
		mov	eax, [esi+18h]
		and	eax, 0FCFFFFFFh
		cmp	[ebp+arg_4], 0
		mov	[ebp+var_24], eax
		mov	[esi+18h], eax
		pop	edi
		jz	short loc_59426E
		and	dword ptr [esi+10h], 0C0000000h
		mov	eax, 0FFFEh
		add	[esi+14h], ax
		jnz	short loc_59426E
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	edx, ds:_KiTbFlushTimeStamp
		mov	ecx, esi
		push	1
		call	_MiSetPfnTbFlushStamp@12 ; MiSetPfnTbFlushStamp(x,x,x)

loc_59426E:				; CODE XREF: MiConvertLargePfnToSmall(x,x,x,x)+67j
					; MiConvertLargePfnToSmall(x,x,x,x)+79j
		pop	esi
		leave
		retn	8
_MiConvertLargePfnToSmall@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConvertLockedSmallPageToLarge(x, x, x, x)
_MiConvertLockedSmallPageToLarge@16 proc near ;	CODE XREF: MiDeleteClusterPage(x,x)+285p
					; MiConvertSmallPageRangeToLarge(x,x)+81p

var_54		= dword	ptr -54h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		cmp	[ebp+arg_4], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		jz	short loc_5942B5
		push	1
		xor	edx, edx
		call	_MiSetPfnTbFlushStamp@12 ; MiSetPfnTbFlushStamp(x,x,x)
		mov	eax, [esi+10h]
		and	eax, 0C0000001h
		or	eax, 1
		mov	[esi+10h], eax
		push	2
		pop	eax
		mov	[esi+14h], ax
		cmp	esi, ebx
		jz	short loc_5942B5
		mov	al, [esi+16h]
		and	al, 0FEh
		or	al, 6
		mov	[esi+16h], al

loc_5942B5:				; CODE XREF: MiConvertLockedSmallPageToLarge(x,x,x,x)+13j
					; MiConvertLockedSmallPageToLarge(x,x,x,x)+35j
		mov	edx, [esi+18h]
		test	edx, edx
		jns	short loc_5942C2
		and	edx, 7FFFFFFFh

loc_5942C2:				; CODE XREF: MiConvertLockedSmallPageToLarge(x,x,x,x)+46j
		and	byte ptr [esi+17h], 0F8h
		lea	edi, [ebp+var_1C]
		and	dword ptr [esi+10h], 0BFFFFFFFh
		and	edx, 8F800000h
		xor	eax, eax
		mov	[esi+18h], edx
		push	7
		or	edx, 800000h
		mov	[esi], eax
		pop	ecx
		rep stosd
		mov	[ebp+var_4], edx
		mov	[esi+8], eax
		mov	[esi+0Ch], eax
		mov	[esi+4], eax
		mov	[esi+18h], edx
		mov	edx, [esi+18h]
		and	edx, 0FCFFFFFFh
		push	7
		pop	ecx
		cmp	esi, ebx
		jnz	short loc_594322
		lea	edi, [ebp+var_38]
		rep stosd
		push	0FFFFFFFEh
		pop	eax
		sub	eax, [ebp+arg_0]
		and	eax, 3
		shl	eax, 18h
		or	eax, edx
		mov	[ebp+var_20], eax
		mov	[esi+18h], eax
		jmp	short loc_59432D
; 

loc_594322:				; CODE XREF: MiConvertLockedSmallPageToLarge(x,x,x,x)+91j
		lea	edi, [ebp+var_54]
		rep stosd
		mov	[ebp+var_3C], edx
		mov	[esi+18h], edx

loc_59432D:				; CODE XREF: MiConvertLockedSmallPageToLarge(x,x,x,x)+ACj
		and	byte ptr [esi+16h], 0EFh
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiConvertLockedSmallPageToLarge@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConvertSmallPageRangeToLarge(x, x)
_MiConvertSmallPageRangeToLarge@8 proc near ; CODE XREF: MiFreeLargePageMemory(x,x,x)+18p
					; MiDeleteSubsectionLargePages(x,x,x)+49p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		imul	edi, ecx, 1Ch
		xor	ecx, ecx
		mov	[ebp+var_10], edx
		add	edi, ds:_MmPfnDatabase
		mov	[ebp+var_14], edi
		mov	al, [edi+16h]
		and	al, 7
		cmp	al, 6
		setnz	cl
		imul	eax, ds:_MiLargePageSizes[edx*4], 1Ch
		and	[ebp+var_4], 0
		mov	[ebp+var_C], ecx
		mov	cl, 2
		mov	[ebp+var_8], eax
		lea	esi, [eax+edi]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		cmp	edi, esi
		jnb	short loc_5943FC
		mov	eax, [ebp+var_8]
		lea	esi, [edi+10h]
		push	1Ch
		dec	eax
		xor	edx, edx
		pop	ecx
		div	ecx
		lea	edi, [eax+1]

loc_594392:				; CODE XREF: MiConvertSmallPageRangeToLarge(x,x)+C2j
		and	[ebp+var_8], 0
		jmp	short loc_5943A6
; 

loc_594398:				; CODE XREF: MiConvertSmallPageRangeToLarge(x,x)+6Cj
					; MiConvertSmallPageRangeToLarge(x,x)+73j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_594398

loc_5943A6:				; CODE XREF: MiConvertSmallPageRangeToLarge(x,x)+5Ej
		lock bts dword ptr [esi], 1Fh
		jb	short loc_594398
		push	[ebp+var_C]
		mov	edx, [ebp+var_14]
		lea	ecx, [esi-10h]
		push	[ebp+var_10]
		call	_MiConvertLockedSmallPageToLarge@16 ; MiConvertLockedSmallPageToLarge(x,x,x,x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	eax, [ebp+var_4]
		test	al, 0Fh
		jnz	short loc_5943F0
		cmp	bl, 2
		jnb	short loc_5943F0
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_5943ED
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al

loc_5943ED:				; CODE XREF: MiConvertSmallPageRangeToLarge(x,x)+A1j
		mov	eax, [ebp+var_4]

loc_5943F0:				; CODE XREF: MiConvertSmallPageRangeToLarge(x,x)+93j
					; MiConvertSmallPageRangeToLarge(x,x)+98j
		inc	eax
		add	esi, 1Ch
		mov	[ebp+var_4], eax
		sub	edi, 1
		jnz	short loc_594392

loc_5943FC:				; CODE XREF: MiConvertSmallPageRangeToLarge(x,x)+47j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiConvertSmallPageRangeToLarge@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateInitialLargeLeafPfns(x, x, x, x, x,	x)
_MiCreateInitialLargeLeafPfns@24 proc near ; CODE XREF:	.text:00471432p
					; .text:004B5A9Dp ...

var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_12		= byte ptr -12h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		push	edx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	ebx
		push	offset dword_6D35B4
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	eax, [ebp+arg_0]
		lea	edi, [ebp+var_28]
		imul	edx, ebx, 1Ch
		mov	esi, offset unk_6D2FB0
		push	7
		pop	ecx
		mov	eax, ds:_MiLargePageSizes[eax*4]
		mov	[ebp+var_8], eax
		add	edx, ds:_MmPfnDatabase
		cmp	[ebp+arg_C], 0
		rep movsd
		jz	short loc_594456
		or	[ebp+var_18], 80000000h

loc_594456:				; CODE XREF: MiCreateInitialLargeLeafPfns(x,x,x,x,x,x)+43j
		mov	cl, byte ptr [ebp+arg_4]
		mov	al, [ebp+var_12]
		mov	edi, [ebp+var_8]
		and	al, 3Fh
		shl	cl, 6
		or	cl, al
		mov	eax, [ebp+var_4]
		mov	[ebp+var_12], cl
		lea	ecx, [edi-1]
		mov	esi, ecx
		mov	[ebp+arg_4], ecx
		not	esi
		mov	[ebp+var_C], esi

loc_594479:				; CODE XREF: MiCreateInitialLargeLeafPfns(x,x,x,x,x,x)+D2j
		test	ecx, ebx
		jnz	short loc_594489
		sub	eax, 1
		mov	[ebp+var_4], eax
		jz	short loc_5944DE
		add	edx, 1Ch
		inc	ebx

loc_594489:				; CODE XREF: MiCreateInitialLargeLeafPfns(x,x,x,x,x,x)+71j
		dec	eax
		add	eax, ebx
		xor	eax, ebx
		test	eax, esi
		jnz	short loc_594499
		mov	eax, [ebp+var_4]
		mov	ecx, eax
		jmp	short loc_5944A4
; 

loc_594499:				; CODE XREF: MiCreateInitialLargeLeafPfns(x,x,x,x,x,x)+86j
		mov	eax, ecx
		mov	ecx, edi
		and	eax, ebx
		sub	ecx, eax
		mov	eax, [ebp+var_4]

loc_5944A4:				; CODE XREF: MiCreateInitialLargeLeafPfns(x,x,x,x,x,x)+8Dj
		imul	esi, ecx, 1Ch
		mov	[ebp+arg_0], ecx
		add	esi, edx
		mov	[ebp+arg_C], esi
		cmp	edx, esi
		jz	short loc_5944CF
		mov	eax, esi

loc_5944B5:				; CODE XREF: MiCreateInitialLargeLeafPfns(x,x,x,x,x,x)+BAj
		mov	edi, edx
		lea	esi, [ebp+var_28]
		push	7
		add	edx, 1Ch
		pop	ecx
		rep movsd
		cmp	edx, eax
		jnz	short loc_5944B5
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		mov	edi, [ebp+var_8]

loc_5944CF:				; CODE XREF: MiCreateInitialLargeLeafPfns(x,x,x,x,x,x)+A7j
		mov	esi, [ebp+var_C]
		add	ebx, ecx
		sub	eax, ecx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_4], eax
		jnz	short loc_594479

loc_5944DE:				; CODE XREF: MiCreateInitialLargeLeafPfns(x,x,x,x,x,x)+79j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiCreateInitialLargeLeafPfns@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteSubsectionLargePages(x, x, x)
_MiDeleteSubsectionLargePages@12 proc near ; CODE XREF:	MiDeleteSubsectionPages(x,x)+3F3p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, edx
		and	[ebp+var_8], ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_24], edi
		test	esi, esi
		jz	short loc_594553
		push	1Ch
		pop	ecx

loc_594508:				; CODE XREF: MiDeleteSubsectionLargePages(x,x,x)+68j
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	ecx
		mov	ecx, esi
		mov	edx, eax
		mov	[ebp+var_C], edx
		call	_MiGetLeafPfnBuddy@8 ; MiGetLeafPfnBuddy(x,x)
		cmp	[ebp+arg_0], 0
		mov	edi, eax
		mov	[ebp+var_20], edi
		jnz	short loc_59458B
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		call	_MiConvertSmallPageRangeToLarge@8 ; MiConvertSmallPageRangeToLarge(x,x)
		lea	edx, [ebp+var_10]
		mov	ecx, esi
		call	_MiFreeLargePages@8 ; MiFreeLargePages(x,x)
		add	[ebp+var_8], eax
		add	ebx, 200h

loc_594547:				; CODE XREF: MiDeleteSubsectionLargePages(x,x,x)+C0j
		push	1Ch
		pop	ecx

loc_59454A:				; CODE XREF: MiDeleteSubsectionLargePages(x,x,x)+14Dj
		mov	esi, edi
		test	edi, edi
		jnz	short loc_594508
		mov	edi, [ebp+var_24]

loc_594553:				; CODE XREF: MiDeleteSubsectionLargePages(x,x,x)+1Dj
		mov	esi, [edi+1Ch]
		shl	esi, 3
		push	esi
		push	dword ptr [edi+4]
		call	_MmUnlockPreChargedPagedPool@8 ; MmUnlockPreChargedPagedPool(x,x)
		push	esi
		push	dword ptr [edi+4]
		call	_MmReturnChargesToLockPagedPool@8 ; MmReturnChargesToLockPagedPool(x,x)
		mov	esi, [edi]
		mov	eax, [ebp+var_8]
		pop	edi
		mov	ecx, [esi+48h]
		mov	edx, ecx
		sub	edx, ebx
		xor	edx, ecx
		and	edx, 0FFFFFh
		xor	edx, ecx
		mov	[esi+48h], edx
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_59458B:				; CODE XREF: MiDeleteSubsectionLargePages(x,x,x)+42j
		push	1
		push	0
		push	200h
		mov	ecx, offset _MiSystemPartition
		call	MiUpdateLargePageBitMap
		lea	eax, [esi+3800h]
		cmp	esi, eax
		jnb	short loc_594547
		mov	edi, [ebp+var_C]
		mov	eax, 200h
		add	esi, 10h
		add	ebx, eax
		mov	[ebp+var_1C], ebx
		mov	ebx, eax

loc_5945BA:				; CODE XREF: MiDeleteSubsectionLargePages(x,x,x)+145j
		lea	eax, [esi-10h]
		mov	ecx, eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [esi]
		mov	edx, 0FFFEh
		and	ecx, 0C0000000h
		mov	[ebp+var_1], al
		add	[esi+4], dx
		mov	[esi], ecx
		jnz	short loc_594607
		and	[ebp+var_18], 0
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	edx, ds:_KiTbFlushTimeStamp
		lea	ecx, [esi-10h]
		push	1
		call	_MiSetPfnTbFlushStamp@12 ; MiSetPfnTbFlushStamp(x,x,x)
		push	2
		pop	edx
		mov	ecx, edi
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	al, [ebp+var_1]
		jmp	short loc_594618
; 

loc_594607:				; CODE XREF: MiDeleteSubsectionLargePages(x,x,x)+F4j
		mov	edx, 40000000h
		test	ecx, edx
		jnz	short loc_594614
		or	ecx, edx
		mov	[esi], ecx

loc_594614:				; CODE XREF: MiDeleteSubsectionLargePages(x,x,x)+128j
		or	byte ptr [esi+6], 7

loc_594618:				; CODE XREF: MiDeleteSubsectionLargePages(x,x,x)+11Fj
		mov	dl, al
		lea	ecx, [esi-10h]
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		push	1Ch
		pop	ecx
		inc	edi
		add	esi, ecx
		sub	ebx, 1
		jnz	short loc_5945BA
		mov	ebx, [ebp+var_1C]
		mov	edi, [ebp+var_20]
		jmp	loc_59454A
_MiDeleteSubsectionLargePages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetBaseResidentPage(x)
_MiGetBaseResidentPage@4 proc near	; CODE XREF: .text:0047A59Ap
					; MiTradePage(x,x)+11Bp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	eax, edi
		mov	[ebp+var_18], esi
		sub	eax, ds:_MmPfnDatabase
		mov	ebx, edi
		cdq
		push	1Ch
		pop	ecx
		idiv	ecx
		mov	[ebp+var_14], esi
		mov	edx, offset dword_4102F8
		mov	ecx, eax
		mov	[ebp+var_4], esi
		lea	eax, [ebp+var_18]
		sub	eax, 4
		mov	[ebp+var_8], eax

loc_594670:				; CODE XREF: MiGetBaseResidentPage(x)+86j
		mov	eax, [edx]
		dec	eax
		mov	[ebp+var_C], edx
		test	eax, ecx
		jz	short loc_5946AD
		mov	edx, ds:_MmPfnDatabase
		not	eax
		and	ecx, eax
		mov	eax, [ebp+var_8]
		imul	edi, ecx, 1Ch
		add	eax, 4
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], eax
		add	edi, edx
		inc	[ebp+var_4]
		cmp	[ebp+var_4], 2
		ja	short loc_5946FC
		mov	ecx, edi
		mov	[eax], edi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+var_C]

loc_5946AD:				; CODE XREF: MiGetBaseResidentPage(x)+40j
		test	byte ptr [edi+1Bh], 3
		jnz	short loc_5946D8
		cmp	edx, offset _MiLargePageSizes
		jz	short loc_5946C0
		sub	edx, 4
		jmp	short loc_594670
; 

loc_5946C0:				; CODE XREF: MiGetBaseResidentPage(x)+81j
		sub	ebx, ds:_MmPfnDatabase
		push	esi
		push	ecx
		push	1Ch
		mov	eax, ebx
		pop	ecx
		cdq
		idiv	ecx
		push	eax
		push	9701h
		jmp	short loc_59470E
; 

loc_5946D8:				; CODE XREF: MiGetBaseResidentPage(x)+79j
					; MiGetBaseResidentPage(x)+BBj
		mov	eax, [ebp+esi*4+var_18]
		test	eax, eax
		jz	short loc_5946F5
		cmp	eax, edi
		jz	short loc_5946EF
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx

loc_5946EF:				; CODE XREF: MiGetBaseResidentPage(x)+AAj
		inc	esi
		cmp	esi, 2
		jb	short loc_5946D8

loc_5946F5:				; CODE XREF: MiGetBaseResidentPage(x)+A6j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_5946FC:				; CODE XREF: MiGetBaseResidentPage(x)+64j
		push	esi
		push	ecx
		sub	ebx, edx
		push	1Ch
		mov	eax, ebx
		pop	ecx
		cdq
		idiv	ecx
		push	eax
		push	9700h

loc_59470E:				; CODE XREF: MiGetBaseResidentPage(x)+9Ej
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall MiGetBaseResidentPageForBugCheck(x)
_MiGetBaseResidentPageForBugCheck@4:	; CODE XREF: MiGetPagesRemainingInResidentPage(x,x,x)+33p
					; MiMirrorRemoveInactivePages(x,x,x)+59p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		xor	edi, edi
		mov	edx, offset dword_4102F8

loc_594731:				; CODE XREF: MiGetBaseResidentPage(x)+124j
		mov	ecx, [edx]
		dec	ecx
		test	ecx, eax
		jz	short loc_59474B
		not	ecx
		and	eax, ecx
		imul	esi, eax, 1Ch
		add	esi, ds:_MmPfnDatabase
		inc	edi
		cmp	edi, 2
		ja	short loc_59475E

loc_59474B:				; CODE XREF: MiGetBaseResidentPage(x)+FEj
		test	byte ptr [esi+1Bh], 3
		jnz	short loc_594762
		cmp	edx, offset _MiLargePageSizes
		jz	short loc_59475E
		sub	edx, 4
		jmp	short loc_594731
; 

loc_59475E:				; CODE XREF: MiGetBaseResidentPage(x)+111j
					; MiGetBaseResidentPage(x)+11Fj
		xor	eax, eax
		jmp	short loc_594764
; 

loc_594762:				; CODE XREF: MiGetBaseResidentPage(x)+117j
		mov	eax, esi

loc_594764:				; CODE XREF: MiGetBaseResidentPage(x)+128j
		pop	edi
		pop	esi
		retn
_MiGetBaseResidentPage@4 endp ;	sp = -3Ch

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetFreeZeroLargePages(x, x, x, x,	x, x, x, x)
_MiGetFreeZeroLargePages@32 proc near	; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+136p
					; MiGetLargePage(x,x,x,x,x,x)+D1p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+24h+var_14], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	[esp+28h+var_18], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_14]
		mov	ecx, [ebp+arg_8]
		push	esi
		push	edi
		mov	[esp+30h+var_1C], eax
		lea	edi, [esp+30h+var_10]
		xor	eax, eax
		mov	esi, edx
		mov	edx, [ebp+arg_4]
		stosd
		or	edx, 2
		mov	[esp+30h+var_20], esi
		stosd
		stosd
		cmp	esi, 1
		jnz	short loc_5947C2
		mov	eax, [ebp+arg_C]
		mov	[esp+30h+var_C], eax
		lea	eax, [esp+30h+var_10]
		jmp	short loc_5947D7
; 

loc_5947C2:				; CODE XREF: MiGetFreeZeroLargePages(x,x,x,x,x,x,x,x)+4Bj
		mov	eax, [ebx+10h]
		imul	esi, ecx, 280h
		add	esi, 208h
		add	eax, esi
		mov	esi, [esp+30h+var_20]

loc_5947D7:				; CODE XREF: MiGetFreeZeroLargePages(x,x,x,x,x,x,x,x)+58j
		push	0
		push	edx
		push	eax
		push	[esp+3Ch+var_1C]
		mov	edx, esi
		push	[esp+40h+var_18]
		push	ecx
		push	[esp+48h+var_14]
		mov	ecx, ebx
		call	_MiUnlinkNodeLargePages@36 ; MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
_MiGetFreeZeroLargePages@32 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetLargePageListHeadBase(x, x, x,	x, x, x)
_MiGetLargePageListHeadBase@24 proc near ; CODE	XREF: MiScrubNodeLargePages(x,x,x)+AAp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+ecx*2]
		imul	eax, [ebp+arg_0], 26h
		add	ecx, [ebp+arg_8]
		add	eax, [ebp+arg_C]
		lea	eax, [eax+ecx*4]
		mov	eax, [edx+eax*4+58h]
		pop	ebp
		retn	10h
_MiGetLargePageListHeadBase@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetPagesRemainingInResidentPage(x, x, x)
_MiGetPagesRemainingInResidentPage@12 proc near
					; CODE XREF: MiAddPhysicalPagesToCrashDump(x)+5Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		and	[ebp+var_4], 0
		push	edi
		mov	eax, esi
		and	[ebp+var_8], 0
		sub	eax, ds:_MmPfnDatabase
		mov	ebx, edx
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, _KiBugCheckActive
		test	cl, 3
		mov	edi, eax
		mov	ecx, esi
		jz	short loc_594880
		call	_MiGetBaseResidentPageForBugCheck@4 ; MiGetBaseResidentPageForBugCheck(x)
		test	eax, eax
		jz	short loc_59486F
		movzx	edx, byte ptr [eax+16h]
		mov	ecx, eax
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		jmp	short loc_594876
; 

loc_59486F:				; CODE XREF: MiGetPagesRemainingInResidentPage(x,x,x)+3Aj
		movzx	edx, byte ptr [esi+16h]
		push	2
		pop	eax

loc_594876:				; CODE XREF: MiGetPagesRemainingInResidentPage(x,x,x)+47j
		mov	ecx, edx
		shr	ecx, 6
		and	edx, 7
		jmp	short loc_594892
; 

loc_594880:				; CODE XREF: MiGetPagesRemainingInResidentPage(x,x,x)+31j
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_4]
		call	_MiGetPfnPageSizeIndexUnsynchronized@12	; MiGetPfnPageSizeIndexUnsynchronized(x,x,x)
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]

loc_594892:				; CODE XREF: MiGetPagesRemainingInResidentPage(x,x,x)+58j
		cmp	eax, 2
		jnz	short loc_59489C
		xor	esi, esi
		inc	esi
		jmp	short loc_5948A3
; 

loc_59489C:				; CODE XREF: MiGetPagesRemainingInResidentPage(x,x,x)+6Fj
		mov	esi, ds:_MiLargePageSizes[eax*4]

loc_5948A3:				; CODE XREF: MiGetPagesRemainingInResidentPage(x,x,x)+74j
		mov	eax, [ebp+arg_0]
		mov	[ebx], edx
		mov	[eax], ecx
		mov	eax, esi
		neg	eax
		and	eax, edi
		sub	eax, edi
		pop	edi
		add	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiGetPagesRemainingInResidentPage@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiGetPartitionLargePageListCount()
_MiGetPartitionLargePageListCount@0 proc near ;	CODE XREF: MmCreatePartition(x,x)+4Bp
					; MiAddPartitionToCrashDump(x,x)+5Ep ...
		mov	ecx, dword_6D2FE8
		test	ecx, ecx
		jz	short loc_5948C9
		mov	eax, ecx
		retn
; 

loc_5948C9:				; CODE XREF: MiGetPartitionLargePageListCount()+8j
		xor	edx, edx

loc_5948CB:				; CODE XREF: MiGetPartitionLargePageListCount()+20j
		mov	eax, dword_6D0740[edx]
		add	edx, 4
		shl	eax, 4
		add	ecx, eax
		cmp	edx, 8
		jb	short loc_5948CB
		movzx	eax, ds:_KeNumberNodes
		imul	eax, ecx
		mov	dword_6D2FE8, eax
		retn
_MiGetPartitionLargePageListCount@0 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetPfnPageSizeIndex(x)
_MiGetPfnPageSizeIndex@4 proc near	; CODE XREF: MiInsertLargePageInNodeList(x)+6Dp
					; MiTradePage(x,x)+12Bp ...
		mov	ecx, [ecx+18h]
		test	ecx, (offset loc_7FFFFF+1)
		jz	short loc_594909
		shr	ecx, 18h
		push	2
		and	ecx, 3
		pop	eax
		sub	eax, ecx
		cmp	eax, 2
		jnz	short locret_59490C

loc_594909:				; CODE XREF: MiGetPfnPageSizeIndex(x)+9j
		or	eax, 0FFFFFFFFh

locret_59490C:				; CODE XREF: MiGetPfnPageSizeIndex(x)+19j
		retn
_MiGetPfnPageSizeIndex@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetPfnPageSizeIndexUnsynchronized(x, x, x)
_MiGetPfnPageSizeIndexUnsynchronized@12	proc near ; CODE XREF: .text:00464F9Cp
					; MiProbeLeafPteAccess(x,x)+11Dp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		or	[ebp+var_8], 0FFFFFFFFh
		mov	eax, edx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], eax
		push	edi
		movzx	edi, byte ptr [esi+16h]
		mov	ebx, edi
		shr	edi, 6
		and	ebx, 7
		test	dword ptr [esi+18h], 800000h
		jz	short loc_594987
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		test	dword ptr [esi+18h], 800000h
		mov	[ebp+var_1], al
		jz	short loc_59497B
		mov	ecx, esi
		call	_MiGetBaseResidentPage@4 ; MiGetBaseResidentPage(x)
		mov	edx, eax
		mov	ecx, edx
		movzx	edi, byte ptr [edx+16h]
		mov	ebx, edi
		shr	edi, 6
		and	ebx, 7
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		mov	[ebp+var_8], eax
		cmp	edx, esi
		jz	short loc_594978
		mov	eax, 7FFFFFFFh
		lea	ecx, [edx+10h]
		lock and [ecx],	eax

loc_594978:				; CODE XREF: MiGetPfnPageSizeIndexUnsynchronized(x,x,x)+5Dj
		mov	al, [ebp+var_1]

loc_59497B:				; CODE XREF: MiGetPfnPageSizeIndexUnsynchronized(x,x,x)+3Aj
		mov	dl, al
		mov	ecx, esi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	eax, [ebp+var_C]

loc_594987:				; CODE XREF: MiGetPfnPageSizeIndexUnsynchronized(x,x,x)+29j
		mov	[eax], ebx
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiGetPfnPageSizeIndexUnsynchronized@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeAllResidentPageBasePfns(x, x, x, x, x, x, x)
_MiInitializeAllResidentPageBasePfns@28	proc near ; CODE XREF: .text:0047141Ep
					; .text:004B5A8Bp ...

var_3C		= dword	ptr -3Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_A		= byte ptr -0Ah
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		push	esi
		push	edi
		push	7
		pop	ecx
		mov	esi, offset unk_6D2FCC
		imul	ebx, edx, 1Ch
		lea	edi, [ebp+var_20]
		rep movsd
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_3C]
		add	ebx, ds:_MmPfnDatabase
		push	7
		pop	ecx
		mov	eax, ds:_MiLargePageSizes[esi*4]
		mov	[ebp+var_4], eax
		xor	eax, eax
		rep stosd
		push	0FFFFFFFEh
		pop	eax
		sub	eax, esi
		shl	eax, 18h
		xor	eax, [ebp+var_8]
		and	eax, 3000000h
		xor	eax, [ebp+var_8]
		cmp	[ebp+arg_10], 0
		mov	[ebp+var_24], eax
		mov	[ebp+var_8], eax
		jz	short loc_5949F6
		or	[ebp+var_10], 80000000h

loc_5949F6:				; CODE XREF: MiInitializeAllResidentPageBasePfns(x,x,x,x,x,x,x)+55j
		mov	cl, [ebp+var_A]
		mov	al, [ebp+arg_8]
		and	cl, 3Fh
		shl	al, 6
		or	cl, al
		mov	[ebp+var_A], cl
		mov	cl, [ebp+var_A]
		mov	al, cl
		mov	byte ptr [ebp+arg_4+3],	cl
		and	al, 0FDh
		or	al, 5
		cmp	[ebp+arg_C], 0
		mov	[ebp+var_A], al
		jnz	short loc_594A2D
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		inc	edx
		call	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)
		mov	al, [ebp+var_A]
		mov	cl, byte ptr [ebp+arg_4+3]

loc_594A2D:				; CODE XREF: MiInitializeAllResidentPageBasePfns(x,x,x,x,x,x,x)+82j
		xor	cl, al
		and	cl, 7
		xor	al, cl
		mov	[ebp+var_A], al
		imul	eax, [ebp+arg_0], 1Ch
		add	eax, ebx
		cmp	ebx, eax
		jnb	short loc_594A55
		imul	edx, [ebp+var_4], 1Ch

loc_594A45:				; CODE XREF: MiInitializeAllResidentPageBasePfns(x,x,x,x,x,x,x)+BBj
		mov	edi, ebx
		lea	esi, [ebp+var_20]
		push	7
		add	ebx, edx
		pop	ecx
		rep movsd
		cmp	ebx, eax
		jb	short loc_594A45

loc_594A55:				; CODE XREF: MiInitializeAllResidentPageBasePfns(x,x,x,x,x,x,x)+A7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_MiInitializeAllResidentPageBasePfns@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLargePageMovesComplete(x,	x)
_MiLargePageMovesComplete@8 proc near	; CODE XREF: MiGetLargePage(x,x,x,x,x,x)+169p

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	esi
		imul	esi, [ebp+arg_0], 280h
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		add	esi, [ecx+10h]
		stosd
		lea	ecx, [esi+204h]
		stosd
		call	@KeAcquireInStackQueuedSpinLockAtDpcLevel@8 ; KeAcquireInStackQueuedSpinLockAtDpcLevel(x,x)
		mov	edi, [esi+1F8h]
		lea	ecx, [ebp+var_C]
		dec	dword ptr [esi+1F4h]
		and	dword ptr [esi+1F8h], 0
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		test	edi, edi
		jz	short loc_594AAC
		mov	ecx, edi
		call	_MiWakeLargePageWaiters@4 ; MiWakeLargePageWaiters(x)

loc_594AAC:				; CODE XREF: MiLargePageMovesComplete(x,x)+47j
		pop	edi
		pop	esi
		leave
		retn	4
_MiLargePageMovesComplete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLargePagePromote(x, x, x,	x)
_MiLargePagePromote@16 proc near	; CODE XREF: MiCoalesceFreeLargePages(x,x,x)+17Ap

var_68		= dword	ptr -68h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_22		= word ptr -22h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		push	ebx
		push	esi
		xor	eax, eax
		imul	esi, ecx, 1Ch
		push	edi
		lea	edi, [ebp+var_20]
		mov	[ebp+var_14], ecx
		stosd
		xor	ebx, ebx
		push	1Ch
		add	esi, ds:_MmPfnDatabase
		pop	ecx
		stosd
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		stosd
		xor	eax, eax
		mov	[ebp+var_22], ax
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	ecx
		mov	ecx, eax
		call	_MiPageToNode@4	; MiPageToNode(x)
		imul	edi, eax, 280h
		lea	edx, [ebp+var_20]
		mov	eax, dword_6D4E50
		add	eax, edi
		mov	[ebp+var_10], eax
		lea	ecx, [eax+204h]
		call	@KeAcquireInStackQueuedSpinLockAtDpcLevel@8 ; KeAcquireInStackQueuedSpinLockAtDpcLevel(x,x)
		mov	ecx, [ebp+var_10]
		cmp	[ecx+214h], ebx
		jz	short loc_594B3C
		lea	ecx, [ebp+var_20]
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		xor	eax, eax
		jmp	loc_594C19
; 

loc_594B3C:				; CODE XREF: MiLargePagePromote(x,x,x,x)+6Ej
		mov	eax, dword_6D4E50
		mov	[ebp+var_C], ebx
		inc	dword ptr [edi+eax+1F4h]
		mov	edi, ebx

loc_594B4D:				; CODE XREF: MiLargePagePromote(x,x,x,x)+11Fj
		push	0Ah
		push	ebx
		push	1
		mov	edx, esi
		call	_MiUnlinkNodeLargePageHelper@20	; MiUnlinkNodeLargePageHelper(x,x,x,x,x)
		mov	ecx, esi
		call	_MiIsFreshPfnFromZeroedList@4 ;	MiIsFreshPfnFromZeroedList(x)
		neg	eax
		mov	ecx, esi
		sbb	eax, eax
		add	eax, 2
		or	[ebp+var_4], eax
		call	_MiIsFreeZeroPfnCold@4 ; MiIsFreeZeroPfnCold(x)
		neg	eax
		push	7
		sbb	eax, eax
		pop	ecx
		lea	edx, [eax+2]
		xor	eax, eax
		or	edx, [ebp+var_8]
		mov	[ebp+var_8], edx
		test	edi, edi
		jnz	short loc_594BA1
		lea	edi, [ebp+var_4C]
		rep stosd
		mov	eax, [esi+18h]
		and	eax, 0FEFFFFFFh
		or	eax, 2000000h
		mov	[ebp+var_34], eax
		mov	[esi+18h], eax
		jmp	short loc_594BBE
; 

loc_594BA1:				; CODE XREF: MiLargePagePromote(x,x,x,x)+D3j
		lea	edi, [ebp+var_68]
		rep stosd
		mov	eax, [esi+18h]
		and	eax, 0FCFFFFFFh
		mov	[ebp+var_50], eax
		mov	[esi+18h], eax
		mov	al, [esi+16h]
		and	al, 0FEh
		or	al, 6
		mov	[esi+16h], al

loc_594BBE:				; CODE XREF: MiLargePagePromote(x,x,x,x)+EDj
		mov	edi, [ebp+var_C]
		add	esi, 1C0h
		mov	ecx, [ebp+var_10]
		inc	edi
		mov	[ebp+var_C], edi
		cmp	edi, 20h
		jb	loc_594B4D
		sub	esi, 3800h
		test	byte ptr [ebp+var_4], 2
		jz	short loc_594C20
		xor	ebx, ebx
		inc	ebx

loc_594BE6:				; CODE XREF: MiLargePagePromote(x,x,x,x)+193j
		xor	edx, edx

loc_594BE8:				; CODE XREF: MiLargePagePromote(x,x,x,x)+186j
					; MiLargePagePromote(x,x,x,x)+19Cj
		mov	ecx, esi
		call	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)

loc_594BEF:				; CODE XREF: MiLargePagePromote(x,x,x,x)+199j
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_30], ecx
		lea	ecx, [ebp+var_30]
		mov	dword ptr [ebp-24h], 102h
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], 6
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)
		lea	ecx, [ebp+var_20]
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		xor	eax, eax
		inc	eax

loc_594C19:				; CODE XREF: MiLargePagePromote(x,x,x,x)+85j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_594C20:				; CODE XREF: MiLargePagePromote(x,x,x,x)+12Fj
		test	dl, 2
		jz	short loc_594C3A
		xor	ecx, ecx
		call	_MiColdPageSizeSupported@4 ; MiColdPageSizeSupported(x)
		test	eax, eax
		jz	short loc_594C3A
		mov	eax, [ebp+arg_4]
		inc	ecx
		mov	edx, ecx
		mov	[eax], ecx
		jmp	short loc_594BE8
; 

loc_594C3A:				; CODE XREF: MiLargePagePromote(x,x,x,x)+171j
					; MiLargePagePromote(x,x,x,x)+17Cj
		xor	edx, edx
		xor	ecx, ecx
		call	_MiDetermineNewPfnHeatState@8 ;	MiDetermineNewPfnHeatState(x,x)
		test	eax, eax
		jz	short loc_594BE6
		test	byte ptr [ebp+var_8], 1
		jz	short loc_594BEF
		inc	edx
		jmp	short loc_594BE8
_MiLargePagePromote@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiLargePfnPromoteCandidate(x, x, x)
_MiLargePfnPromoteCandidate@12 proc near ; CODE	XREF: MiCoalesceFreeLargePages(x,x,x)+6Cp
					; MiCoalesceFreeLargePages(x,x,x)+127p	...
		mov	al, [edx+16h]
		and	al, 7
		push	esi
		cmp	al, 1
		ja	short loc_594C8F
		mov	esi, [edx+18h]
		test	esi, 800000h
		jz	short loc_594C8F
		cmp	ecx, offset _MiSystemPartition
		jnz	short loc_594C8F
		test	byte ptr [edx+17h], 40h
		jnz	short loc_594C8F
		mov	ecx, edx
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	short loc_594C8F
		and	esi, 3000000h
		cmp	esi, 1000000h
		jnz	short loc_594C8F
		inc	eax
		jmp	short loc_594C91
; 

loc_594C8F:				; CODE XREF: MiLargePfnPromoteCandidate(x,x,x)+8j
					; MiLargePfnPromoteCandidate(x,x,x)+13j ...
		xor	eax, eax

loc_594C91:				; CODE XREF: MiLargePfnPromoteCandidate(x,x,x)+3Dj
		pop	esi
		retn	4
_MiLargePfnPromoteCandidate@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMoveLargeZeroToFree(x, x,	x, x, x, x, x)
_MiMoveLargeZeroToFree@28 proc near	; CODE XREF: MiPurgeLargeZeroNodePages(x)+CAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], ecx
		mov	eax, ds:_MiLargePageSizes[edi*4]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_C]
		lea	esi, [eax+esi*2]
		imul	eax, edi, 26h
		add	eax, [ebp+arg_10]
		lea	edi, [eax+esi*4]
		imul	eax, [ebp+arg_8], arg_4
		mov	ebx, [edx+edi*4+58h]
		mov	[ebp+arg_C], edi
		mov	edi, [edx+edi*4+68h]
		add	ebx, eax
		add	edi, eax
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	loc_594DC9

loc_594CE3:				; CODE XREF: MiMoveLargeZeroToFree(x,x,x,x,x,x,x)+12Dj
		mov	eax, [esi]
		mov	[ebp+arg_10], eax
		lea	eax, [esi+10h]
		lock bts dword ptr [eax], 1Fh
		jb	loc_594DD8
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	cl, [esi+16h]
		and	cl, 0F9h
		mov	[ebp+arg_4], eax
		or	cl, 1
		mov	eax, 7FFFFFFFh
		mov	[esi+16h], cl
		lea	ecx, [esi+10h]
		lock and [ecx],	eax
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_594DD3
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_594DD3
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	loc_594DD3
		imul	ecx, [ebp+arg_0], 98h
		imul	edx, [ebp+arg_0], 98h
		mov	[esi+4], eax
		mov	[esi], edi
		mov	[eax], esi
		mov	[edi+4], esi
		mov	esi, [ebp+var_4]
		inc	dword ptr [ecx+esi+4]
		cmp	[ebp+arg_4], 100000h
		sbb	eax, eax
		and	eax, 8
		add	eax, 0Ch
		add	eax, esi
		inc	dword ptr [eax+edx]
		dec	dword ptr [ecx+esi]
		cmp	[ebp+arg_4], 100000h
		mov	ecx, [ebp+var_8]
		sbb	eax, eax
		neg	ecx
		and	eax, 8
		add	eax, 8
		add	eax, esi
		dec	dword ptr [eax+edx]
		mov	eax, [ebp+arg_C]
		inc	dword ptr [edi+8]
		mov	edx, [ebp+var_C]
		dec	dword ptr [ebx+8]
		inc	dword ptr [esi+eax*4+28h]
		dec	dword ptr [esi+eax*4+18h]
		lea	eax, [edx+580h]
		lock xadd [eax], ecx
		mov	ecx, [ebp+var_8]
		lea	eax, [edx+5C0h]
		lock xadd [eax], ecx
		mov	esi, [ebp+arg_10]
		cmp	esi, ebx
		jnz	loc_594CE3

loc_594DC9:				; CODE XREF: MiMoveLargeZeroToFree(x,x,x,x,x,x,x)+47j
		xor	eax, eax
		inc	eax

loc_594DCC:				; CODE XREF: MiMoveLargeZeroToFree(x,x,x,x,x,x,x)+144j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_594DD3:				; CODE XREF: MiMoveLargeZeroToFree(x,x,x,x,x,x,x)+8Dj
					; MiMoveLargeZeroToFree(x,x,x,x,x,x,x)+98j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_594DD8:				; CODE XREF: MiMoveLargeZeroToFree(x,x,x,x,x,x,x)+5Aj
		xor	eax, eax
		jmp	short loc_594DCC
_MiMoveLargeZeroToFree@28 endp


;  S U B	R O U T	I N E 


; __stdcall MiResidentPageDangleFree(x,	x)
_MiResidentPageDangleFree@8 proc near	; CODE XREF: MiFreeMdlPageRun(x,x,x)+4Dp
					; MiFreeContiguousPages(x,x)+3Bp
		imul	eax, ecx, 1Ch
		imul	ecx, ds:_MiLargePageSizes[edx*4], 1Ch
		add	eax, ds:_MmPfnDatabase
		add	ecx, eax
		jmp	short loc_594DFB
; 

loc_594DF1:				; CODE XREF: MiResidentPageDangleFree(x,x)+21j
		cmp	word ptr [eax+14h], 2
		jnz	short loc_594E03
		add	eax, 1Ch

loc_594DFB:				; CODE XREF: MiResidentPageDangleFree(x,x)+13j
		cmp	eax, ecx
		jb	short loc_594DF1
		xor	eax, eax
		inc	eax
		retn
; 

loc_594E03:				; CODE XREF: MiResidentPageDangleFree(x,x)+1Aj
		xor	eax, eax
		retn
_MiResidentPageDangleFree@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiScrubNodeLargePageList(x,	x, x, x, x, x, x, x, x,	x)
_MiScrubNodeLargePageList@40 proc near	; CODE XREF: MiScrubNodeLargePages(x,x,x)+E4p

var_F8		= dword	ptr -0F8h
var_D1		= byte ptr -0D1h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= byte ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2B		= byte ptr -2Bh
var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		push	0E8h
		push	offset dword_6A8AE0
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	[ebp+var_4C], esi
		mov	[ebp+var_94], ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_90], eax
		mov	[ebp+var_BC], esi
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_8C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_70], eax
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_F8]
		rep stosd
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		xor	edx, edx
		mov	[ebp+var_A0], edx
		mov	[ebp+var_9C], edx
		mov	[ebp+var_A8], edx
		mov	[ebp+var_A4], edx
		xor	eax, eax
		lea	edi, [ebp+var_D0]
		stosd
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	[ebp+var_84], eax
		mov	[ebp+var_54], edx
		mov	ebx, edx
		mov	[ebp+var_44], 40h
		mov	eax, ds:_MiLargePageSizes[esi*4]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_B8], eax
		cmp	[ebp+arg_8], edx
		jnz	short loc_594EB7
		mov	edi, edx
		mov	[ebp+var_34], edi
		jmp	short loc_594EE7
; 

loc_594EB7:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+A8j
		lea	edi, [ebp+var_F8]
		mov	[ebp+var_34], edi
		mov	[ebp+var_D1], 1
		mov	edx, eax
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_594EDF
		inc	eax
		jmp	loc_594FD2
; 

loc_594EDF:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+D1j
		shl	eax, 9
		mov	[ebp+var_54], eax
		xor	edx, edx

loc_594EE7:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+AFj
		imul	esi, [ebp+var_90], 280h
		mov	eax, [ebp+var_94]
		add	esi, [eax+10h]
		mov	[ebp+var_88], 1
		mov	[ebp+var_2A], 21h
		mov	ecx, [ebp+var_78]
		mov	eax, [ecx]
		mov	[ebp+var_80], eax
		mov	[ecx], edx
		mov	[ebp+var_48], edx
		mov	eax, [ebp+var_84]
		or	dword ptr [eax+300h], 100h
		mov	ecx, [ebp+var_4C]
		mov	eax, dword_6D0740[ecx*4]
		mov	[ebp+var_B0], eax
		imul	edx, ecx, 98h
		add	edx, esi
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_8C]
		lea	ecx, [eax+ecx*2]
		add	ecx, [ebp+arg_8]
		mov	eax, [ebp+var_7C]
		lea	eax, [eax+ecx*4]
		mov	eax, [edx+eax*4+58h]
		mov	[ebp+var_64], eax
		xor	esi, esi
		mov	[ebp+var_60], esi

loc_594F5E:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+24Bj
		mov	eax, [ebp+var_60]
		cmp	eax, [ebp+var_B0]
		jnb	short loc_594FA2
		mov	ecx, [ebp+var_64]
		mov	eax, [ecx+8]
		mov	[ebp+var_58], eax
		mov	[ebp+var_B4], ecx

loc_594F78:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+2C5j
					; MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+5B4j ...
		cmp	[ebp+var_58], 0
		jz	loc_595047
		mov	eax, [ebp+var_B4]
		cmp	[eax], eax
		jz	loc_595047
		mov	ecx, [ebp+var_70]
		call	_MiScrubInterrupted@4 ;	MiScrubInterrupted(x)
		test	eax, eax
		jz	short loc_594FE4
		mov	[ebp+var_88], esi

loc_594FA2:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+161j
					; MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+5A7j
		mov	edi, [ebp+var_3C]

loc_594FA5:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+5DAj
		mov	eax, [ebp+var_84]
		and	dword ptr [eax+300h], 0FFFFFEFFh
		cmp	[ebp+arg_8], 0
		jz	short loc_594FCC
		test	ebx, ebx
		jz	short loc_594FCC
		push	edi
		mov	edx, ebx
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_594FCC:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+1B3j
					; MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+1B7j
		mov	eax, [ebp+var_88]

loc_594FD2:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+D4j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_594FE4:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+194j
		cmp	[ebp+arg_8], 0
		jnz	short loc_594FFB
		or	[ebp+var_44], 4
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_2A], al
		jmp	short loc_594FFF
; 

loc_594FFB:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+1E2j
		and	[ebp+var_44], 0FFFFFFFBh

loc_594FFF:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+1F3j
		test	edi, edi
		jz	short loc_595006
		mov	[edi+10h], esi

loc_595006:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+1FBj
		push	edi
		push	[ebp+var_44]
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_7C]
		push	[ebp+var_8C]
		push	[ebp+var_90]
		push	1
		mov	edx, [ebp+var_4C]
		mov	ecx, [ebp+var_94]
		call	_MiUnlinkNodeLargePages@36 ; MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_68], edi
		mov	[ebp+var_74], edi
		test	edi, edi
		jnz	short loc_595056
		cmp	[ebp+arg_8], eax
		jnz	short loc_595047
		mov	cl, [ebp+var_2A]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_595047:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+176j
					; MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+184j ...
		inc	[ebp+var_60]
		add	[ebp+var_64], 0Ch
		mov	edi, [ebp+var_34]
		jmp	loc_594F5E
; 

loc_595056:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+231j
		cmp	[ebp+arg_8], 0
		jnz	short loc_5950D0
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		cdq
		push	1Ch
		pop	ecx
		idiv	ecx
		mov	[ebp+var_40], eax
		mov	[ebp+var_C0], esi
		add	edi, 10h
		jmp	short loc_595089
; 

loc_595078:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+281j
					; MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+288j
		lea	ecx, [ebp+var_C0]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_595078

loc_595089:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+270j
		lock bts dword ptr [edi], 1Fh
		jb	short loc_595078
		xor	eax, eax
		lea	edi, [ebp+var_D0]
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_40]
		mov	[ebp+var_D0], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_CC], eax
		mov	[ebp+var_C8], eax
		mov	al, [ebp+var_2A]
		mov	[ebp+var_C4], al
		lea	ecx, [ebp+var_D0]
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)

loc_5950C8:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+2EEj
		mov	edi, [ebp+var_34]
		jmp	loc_594F78
; 

loc_5950D0:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+254j
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp+var_29], al
		mov	edx, [ebp+var_34]
		cmp	byte ptr [edx+25h], 1
		jnz	short loc_5950F6
		mov	ecx, edx
		call	MiRemoveFaultNode
		mov	dl, [ebp+var_29]
		mov	ecx, edi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		jmp	short loc_5950C8
; 

loc_5950F6:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+2DBj
		mov	[edx+10h], ebx
		mov	eax, [ebp+var_4C]
		mov	[edx+20h], eax
		mov	ecx, [ebp+var_54]
		mov	[edx+14h], ecx
		mov	eax, [ebp+var_3C]
		shl	eax, 0Ch
		dec	ecx
		add	eax, ecx
		mov	[edx+18h], eax
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		cdq
		push	1Ch
		pop	ecx
		idiv	ecx
		mov	esi, eax
		mov	edx, edi
		push	4
		pop	ecx
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		or	eax, 0A0000000h
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	MiMakeValidPte
		mov	[ebp+var_38], eax
		mov	[ebp+var_40], edx
		mov	eax, [ebp+var_3C]
		shl	eax, 3
		mov	[ebp+var_6C], eax
		add	eax, ebx
		mov	[ebp+var_AC], eax
		xor	esi, esi
		cmp	ebx, eax
		jnb	loc_59520A
		mov	edx, [ebp+var_38]
		mov	edi, [ebp+var_40]

loc_595161:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+3FBj
		mov	[ebp+var_30], edi
		mov	[ebp+var_50], esi
		mov	ecx, ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_5951B6
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_59519D
		mov	[ebp+var_50], 1
		cmp	byte ptr word_6D07B8+1,	0
		jnz	short loc_5951B6

loc_59518B:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+3AEj
		mov	eax, edx
		and	eax, 1
		or	eax, esi
		jz	short loc_5951B6
		mov	eax, edi
		or	eax, 80000000h
		jmp	short loc_5951B9
; 

loc_59519D:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+373j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		mov	edx, [ebp+var_38]
		test	al, al
		jnz	short loc_59518B

loc_5951B6:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+36Aj
					; MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+383j ...
		mov	eax, [ebp+var_30]

loc_5951B9:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+395j
		mov	[ebx+4], eax
		nop
		mov	ecx, edx
		mov	[ebx], ecx
		cmp	[ebp+var_50], esi
		jz	short loc_5951D2
		push	eax
		push	ecx
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	edx, [ebp+var_38]

loc_5951D2:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+3BEj
		mov	ecx, edx
		and	ecx, 0FFFFF000h
		mov	eax, edi
		add	ecx, 1000h
		adc	eax, esi
		xor	ecx, edx
		xor	eax, edi
		and	ecx, 0FFFFF000h
		and	eax, 1Fh
		xor	edx, ecx
		mov	[ebp+var_38], edx
		xor	edi, eax
		add	ebx, 8
		cmp	ebx, [ebp+var_AC]
		jb	loc_595161
		mov	edi, [ebp+var_68]

loc_59520A:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+34Fj
		sub	ebx, [ebp+var_6C]
		mov	[ebp+var_68], ebx
		mov	dl, [ebp+var_29]
		mov	ecx, edi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		dec	[ebp+var_58]
		mov	[ebp+var_50], esi
		mov	eax, esi
		mov	[ebp+var_40], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_30], edi
		imul	eax, [ebp+var_3C], arg_14
		add	eax, edi
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+var_54]
		mov	[ebp+var_38], eax

loc_59523A:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+4CDj
		cmp	edi, [ebp+var_6C]
		jnb	loc_595301
		mov	[ebp+ms_exc.disabled], esi
		push	esi
		push	[ebp+var_38]
		mov	edx, edi
		mov	ecx, [ebp+var_70]
		call	_MiScrubPage@16	; MiScrubPage(x,x,x,x)
		mov	[ebp+var_5C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_595288
; 

loc_595260:				; DATA XREF: .text:006A8AF4o
		xor	eax, eax
		inc	eax
		retn
; 

loc_595264:				; DATA XREF: .text:006A8AF8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	esi, esi
		mov	edi, [ebp+var_74]
		mov	eax, [ebp+var_B8]
		mov	[ebp+var_3C], eax
		mov	ebx, [ebp+var_68]
		mov	eax, [ebp+var_BC]
		mov	[ebp+var_4C], eax

loc_595288:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+458j
		mov	ecx, [ebp+var_30]
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	dh, al
		mov	[ebp+var_2B], dh
		mov	eax, [ebp+var_34]
		mov	dl, [eax+25h]
		mov	[ebp+var_29], dl
		mov	cl, [eax+26h]
		dec	cl
		movzx	ecx, cl
		neg	ecx
		sbb	ecx, ecx
		and	ecx, [ebp+var_5C]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_5C], ecx
		cmp	dl, 1
		jz	short loc_5952D8
		test	ecx, ecx
		js	short loc_5952D8
		mov	dl, dh
		mov	ecx, [ebp+var_30]
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		add	edi, 1Ch
		mov	[ebp+var_74], edi
		add	[ebp+var_38], 1000h
		jmp	loc_59523A
; 

loc_5952D8:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+4B0j
					; MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+4B4j
		mov	ecx, eax
		call	MiRemoveFaultNode
		cmp	[ebp+var_29], 0
		jnz	short loc_5952EF
		xor	edx, edx
		mov	ecx, [ebp+var_30]
		call	_MiPageListCollision@8 ; MiPageListCollision(x,x)

loc_5952EF:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+4DDj
		mov	dl, [ebp+var_2B]
		mov	ecx, [ebp+var_30]
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	[ebp+var_50], 1

loc_595301:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+437j
		cmp	[ebp+var_50], 0
		jnz	short loc_595338
		mov	ecx, [ebp+var_30]
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp+var_2B], al
		mov	ecx, [ebp+var_34]
		call	MiRemoveFaultNode
		mov	eax, [ebp+var_34]
		cmp	byte ptr [eax+25h], 0
		jnz	short loc_59532D
		xor	edx, edx
		mov	ecx, [ebp+var_30]
		call	_MiPageListCollision@8 ; MiPageListCollision(x,x)

loc_59532D:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+51Bj
		mov	dl, [ebp+var_2B]
		mov	ecx, [ebp+var_30]
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)

loc_595338:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+4FFj
		mov	eax, edi
		sub	eax, [ebp+var_30]
		cdq
		push	1Ch
		pop	ecx
		idiv	ecx
		mov	ecx, [ebp+var_48]
		add	ecx, eax
		mov	[ebp+var_48], ecx
		mov	eax, [ebp+var_80]
		cmp	ecx, eax
		jbe	short loc_595355
		mov	[ebp+var_48], eax

loc_595355:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+54Aj
		mov	ecx, [ebp+var_48]
		mov	eax, [ebp+var_78]
		mov	[eax], ecx
		mov	eax, [ebp+var_40]
		test	eax, eax
		jns	short loc_5953A7
		sub	edi, ds:_MmPfnDatabase
		mov	eax, edi
		cdq
		push	1Ch
		pop	ecx
		idiv	ecx
		mov	ecx, 1000h
		mul	ecx
		mov	[ebp+var_A4], edx
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_9C], esi
		or	eax, 1
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_A0]
		push	eax
		lea	eax, [ebp+var_A8]
		push	eax
		call	_MmMarkPhysicalMemoryAsBad@8 ; MmMarkPhysicalMemoryAsBad(x,x)

loc_5953A7:				; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+55Cj
		mov	eax, [ebp+var_48]
		cmp	eax, [ebp+var_80]
		jnb	loc_594FA2
		cmp	[ebp+var_4C], 0
		mov	edi, [ebp+var_34]
		jbe	loc_594F78
		mov	edi, [ebp+var_3C]
		push	edi
		mov	edx, ebx
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		mov	edx, edi
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_594FA5
		shl	eax, 9
		mov	[ebp+var_54], eax
		mov	edi, [ebp+var_34]
		mov	[edi+10h], ebx
		jmp	loc_594F78
_MiScrubNodeLargePageList@40 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnlinkNodeLargePages(x, x, x, x, x, x, x,	x, x)
_MiUnlinkNodeLargePages@36 proc	near	; CODE XREF: .text:0046F2E3p
					; MiTimeSingleLargePageZeroWorker(x,x)+C0p ...

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		push	ebx
		mov	ebx, [ecx+10h]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_70]
		mov	[ebp+var_38], edx
		stosd
		mov	[ebp+var_48], ecx
		mov	byte ptr [ebp+var_5], 0
		stosd
		stosd
		imul	eax, [ebp+arg_4], 280h
		add	ebx, eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_3C], ebx
		cmp	dword ptr [ebx+1DCh], 0
		jnz	short loc_595440
		test	byte ptr ds:_MiFlags, 30h
		jnz	loc_5958ED

loc_595440:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+39j
		mov	eax, ds:_MiLargePageSizes[edx*4]
		imul	edi, edx, 98h
		mov	[ebp+var_50], eax
		mov	eax, dword_6D0740[edx*4]
		mov	edx, [ebp+arg_14]
		mov	[ebp+var_14], eax
		not	edx
		xor	eax, eax
		add	edi, ebx
		inc	eax
		mov	[ebp+var_20], edi
		and	edx, eax
		test	byte ptr [ebp+arg_14], 4
		mov	[ebp+var_1C], edx
		jz	short loc_59547B
		and	[ebp+var_58], 0
		mov	[ebp+var_54], eax
		jmp	short loc_595482
; 

loc_59547B:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+78j
		and	[ebp+var_54], 0
		mov	[ebp+var_58], eax

loc_595482:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+81j
		test	byte ptr [ebp+arg_14], 2
		push	0
		pop	eax
		setnz	al
		mov	byte ptr [ebp+arg_4+3],	21h
		inc	eax
		and	[ebp+var_10], 0
		mov	[ebp+var_34], eax

loc_595498:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+418j
		xor	esi, esi

loc_59549A:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+1BBj
		mov	ebx, [ebp+var_34]
		xor	eax, eax

loc_59549F:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+C1j
		mov	ecx, [ebp+eax*4+var_58]
		cmp	dword ptr [edi+ecx*4+8], 0
		jnz	short loc_5954BB
		cmp	edx, 1
		jnz	short loc_5954B6
		cmp	dword ptr [edi+ecx*4+10h], 0
		jnz	short loc_5954BB

loc_5954B6:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+B5j
		inc	eax
		cmp	eax, ebx
		jb	short loc_59549F

loc_5954BB:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+B0j
					; MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+BCj
		mov	ebx, [ebp+var_3C]
		cmp	eax, [ebp+var_34]
		jz	short loc_5954E5
		test	esi, esi
		jz	loc_595594
		mov	eax, [ebp+arg_8]
		cmp	eax, 1
		jz	loc_5955B8
		mov	byte ptr [ebp+var_5], al
		lea	ecx, [ebp+var_5]
		lea	eax, [ebp+var_5+1]
		jmp	loc_5955C1
; 

loc_5954E5:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+C9j
		cmp	esi, 1
		jnz	loc_59558A
		xor	eax, eax
		lea	ecx, [ebp+var_70]
		cmp	[ebx+1F4h], eax
		jz	loc_5958DF
		test	byte ptr [ebp+arg_14], 10h
		jz	short loc_59554C
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_74], eax
		mov	[ebp+var_78], eax
		mov	eax, [ebx+1F8h]
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_80], 40107h
		mov	[ebx+1F8h], eax
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ecx
		push	12h
		pop	edx
		lea	ecx, [ebp+var_80]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		jmp	short loc_595586
; 

loc_59554C:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+10Bj
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+arg_18], 0
		jnz	loc_5958ED
		cmp	byte ptr [ebp+arg_4+3],	2
		jnz	loc_5958ED
		and	[ebp+var_44], 0
		jmp	short loc_59557C
; 

loc_595574:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+18Cj
		lea	ecx, [ebp+var_44]
		call	KeYieldProcessorEx

loc_59557C:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+17Aj
		mov	eax, [ebx+1F4h]
		test	eax, eax
		jnz	short loc_595574

loc_595586:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+152j
		xor	esi, esi
		jmp	short loc_5955B0
; 

loc_59558A:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+F0j
		test	byte ptr [ebp+arg_14], 10h
		jz	loc_5958ED

loc_595594:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+CDj
		xor	esi, esi
		mov	cl, 2
		inc	esi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		lea	ecx, [ebx+204h]
		mov	byte ptr [ebp+arg_4+3],	al
		lea	edx, [ebp+var_70]
		call	@KeAcquireInStackQueuedSpinLockAtDpcLevel@8 ; KeAcquireInStackQueuedSpinLockAtDpcLevel(x,x)

loc_5955B0:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+190j
		mov	edx, [ebp+var_1C]
		jmp	loc_59549A
; 

loc_5955B8:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+D9j
		lea	ecx, [ebx+202h]
		lea	eax, [ecx+1]

loc_5955C1:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+E8j
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], ecx

loc_5955C7:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+24Ej
		movzx	eax, byte ptr [ecx]
		and	[ebp+var_2C], 0
		mov	esi, eax
		mov	[ebp+var_30], eax

loc_5955D3:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+245j
		xor	edx, edx

loc_5955D5:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+236j
		mov	ebx, [ebp+arg_C]
		mov	eax, [ebp+edx*4+var_58]
		mov	[ebp+var_C], ebx
		xor	ebx, ebx
		mov	[ebp+var_40], eax
		add	eax, esi
		mov	[ebp+var_44], eax

loc_5955E9:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+22Aj
		mov	edi, [ebp+var_C]
		mov	ecx, [ebp+var_20]
		lea	eax, [edi+eax*4]
		mov	edi, [ebp+var_20]
		cmp	dword ptr [ecx+eax*4+18h], 0
		mov	edi, [edi+eax*4+58h]
		jnz	short loc_59564C
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_C]
		sub	ecx, 3
		inc	eax
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		inc	ebx
		mov	[ebp+var_C], ecx
		mov	eax, ecx
		mov	ecx, [ebp+var_24]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_44]
		cmp	ebx, 3
		jbe	short loc_5955E9
		mov	eax, [ebp+var_C]
		inc	edx
		mov	[ebp+var_C], eax
		cmp	edx, [ebp+var_34]
		jb	short loc_5955D5
		mov	eax, [ebp+var_2C]
		add	esi, 2
		inc	eax
		mov	[ebp+var_2C], eax
		cmp	eax, [ebp+var_1C]
		jle	short loc_5955D3
		inc	ecx
		mov	[ebp+var_24], ecx
		cmp	ecx, [ebp+var_28]
		jnz	loc_5955C7

loc_59564C:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+206j
		mov	ecx, [ebp+arg_10]
		xor	edx, edx
		mov	eax, [ebp+var_38]
		mov	eax, [ecx+eax*4]
		div	[ebp+var_14]
		mov	ecx, [ebp+var_40]
		mov	ebx, edx
		mov	edx, [ebp+var_30]
		imul	eax, ebx, 0Ch
		add	edi, eax
		mov	eax, [ebp+var_2C]
		lea	eax, [ecx+eax*2]
		mov	ecx, [ebp+var_C]
		add	eax, edx
		lea	esi, [ecx+eax*4]
		xor	eax, eax
		cmp	[ebp+arg_18], eax
		mov	[ebp+var_44], esi
		setz	al

loc_595680:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+3F8j
		mov	[ebp+var_18], eax

loc_595683:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+3EEj
		xor	ecx, ecx
		cmp	[ebp+var_14], ecx
		jbe	short loc_5956CC
		mov	edx, [ebp+var_14]

loc_59568D:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+2CAj
		cmp	[edi], edi
		jz	short loc_59569E
		test	eax, eax
		jnz	short loc_5956C9
		mov	eax, [edi+4]
		test	byte ptr [eax+16h], 8
		jz	short loc_5956C6

loc_59569E:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+297j
		inc	ebx
		mov	eax, ebx
		cmp	ebx, edx
		jnz	short loc_5956B1
		mov	edx, [ebp+var_20]
		mov	edi, [edx+esi*4+58h]
		mov	edx, [ebp+var_14]
		jmp	short loc_5956B4
; 

loc_5956B1:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+2ABj
		add	edi, 0Ch

loc_5956B4:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+2B7j
		sub	ebx, edx
		inc	ecx
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax
		mov	eax, [ebp+var_18]
		cmp	ecx, edx
		jb	short loc_59568D
		jmp	short loc_5956C9
; 

loc_5956C6:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+2A4j
		mov	eax, [ebp+var_18]

loc_5956C9:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+29Bj
					; MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+2CCj
		mov	edx, [ebp+var_30]

loc_5956CC:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+290j
		mov	[ebp+var_24], 7FFFFFFFh
		cmp	ecx, [ebp+var_14]
		jz	loc_5957EB
		mov	ecx, [ebp+var_10]
		mov	esi, [edi+4]
		mov	[ebp+var_28], esi
		test	ecx, ecx
		jnz	short loc_5956F8
		lea	eax, [esi+10h]
		lock bts dword ptr [eax], 1Fh
		push	ecx
		pop	eax
		setnb	al
		jmp	short loc_595702
; 

loc_5956F8:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+2EFj
		mov	ecx, esi
		call	_MiTryLockNestedPageAtDpcInline@4 ; MiTryLockNestedPageAtDpcInline(x)
		mov	ecx, [ebp+var_10]

loc_595702:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+2FEj
		test	eax, eax
		jz	loc_5957F5
		cmp	[ebp+arg_18], 0
		jz	short loc_595753
		mov	esi, [edi+4]
		cmp	[esi], edi
		jnz	loc_595815
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_595815
		mov	[edi+4], eax
		mov	[eax], edi
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	loc_595815
		mov	ecx, [ebp+arg_18]
		mov	edx, esi
		mov	[esi], eax
		mov	[esi+4], edi
		mov	[eax+4], esi
		mov	[edi], esi
		call	MiBeginPageAccessor
		test	eax, eax
		mov	eax, [ebp+var_28]
		jnz	short loc_59578C
		jmp	short loc_59578A
; 

loc_595753:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+316j
		push	[ebp+arg_14]
		mov	ecx, [ebp+var_3C]
		push	edx
		push	[ebp+var_38]
		mov	edx, esi
		call	_MiUnlinkNodeLargePageHelper@20	; MiUnlinkNodeLargePageHelper(x,x,x,x,x)
		test	eax, eax
		jz	short loc_595787
		test	byte ptr [ebp+arg_14], 20h
		jz	short loc_59577D
		mov	eax, [ebp+var_48]
		mov	eax, [eax+10h]
		add	eax, [ebp+var_4C]
		inc	dword ptr [eax+1F4h]

loc_59577D:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+374j
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+var_10]
		mov	[eax], ecx
		jmp	short loc_59578C
; 

loc_595787:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+36Ej
		mov	eax, [ebp+var_28]

loc_59578A:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+359j
		xor	esi, esi

loc_59578C:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+357j
					; MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+38Dj
		test	esi, esi
		jz	loc_59581A
		mov	eax, [ebp+var_38]
		inc	ebx
		mov	ecx, [ebp+arg_10]
		mov	[ebp+var_10], esi
		mov	[ecx+eax*4], ebx
		mov	eax, [ebp+arg_0]
		sub	eax, 1
		mov	[ebp+arg_0], eax
		jz	short loc_595825
		test	al, 0Fh
		jnz	short loc_5957B9
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	short loc_595825

loc_5957B9:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+3B6j
		mov	edx, [ebp+var_30]
		cmp	ebx, [ebp+var_14]
		jnz	short loc_5957DD
		mov	ecx, [ebp+var_40]
		xor	ebx, ebx
		mov	eax, [ebp+var_2C]
		lea	eax, [ecx+eax*2]
		mov	ecx, [ebp+var_C]
		add	eax, edx
		lea	eax, [ecx+eax*4]
		mov	ecx, [ebp+var_20]
		mov	edi, [ecx+eax*4+58h]
		jmp	short loc_5957E0
; 

loc_5957DD:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+3C7j
		add	edi, 0Ch

loc_5957E0:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+3E3j
		mov	eax, [ebp+var_18]
		mov	esi, [ebp+var_44]
		jmp	loc_595683
; 

loc_5957EB:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+2DEj
		test	eax, eax
		jnz	short loc_595825
		inc	eax
		jmp	loc_595680
; 

loc_5957F5:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+30Cj
		test	ecx, ecx
		jnz	short loc_595825
		lea	ecx, [ebp+var_70]
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_1C]
		mov	edi, [ebp+var_20]
		jmp	loc_595498
; 

loc_595815:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+31Dj
					; MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+328j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_59581A:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+396j
		mov	ebx, [ebp+var_24]
		add	eax, 10h
		lock and [eax],	ebx
		jmp	short loc_595828
; 

loc_595825:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+3B2j
					; MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+3BFj ...
		mov	ebx, [ebp+var_24]

loc_595828:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+42Bj
		lea	ecx, [ebp+var_70]
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		mov	eax, [ebp+var_10]
		mov	ecx, eax
		test	eax, eax
		jz	short loc_595854

loc_595839:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+454j
		cmp	[ebp+arg_18], 0
		jz	short loc_595887
		xor	esi, esi

loc_595841:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+493j
		mov	dl, 2
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)

loc_595848:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+49Bj
		mov	ecx, esi
		test	esi, esi
		jnz	short loc_595839
		test	byte ptr [ebp+arg_14], 20h
		jnz	short loc_59585D

loc_595854:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+43Fj
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_59585D:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+45Aj
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jz	short loc_5958DB
		test	byte ptr [ebp+arg_14], 40h
		jnz	short loc_5958DB
		movzx	eax, byte ptr [ecx+16h]
		mov	edx, [ebp+arg_C]
		shr	eax, 6
		cmp	edx, eax
		jz	short loc_5958DB
		mov	ebx, [ebp+var_50]
		mov	esi, ecx

loc_59587D:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+4DEj
		cmp	[ebp+arg_18], 0
		jz	short loc_595895
		xor	edi, edi
		jmp	short loc_595897
; 

loc_595887:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+445j
		mov	esi, [ecx]
		test	esi, esi
		jz	short loc_595841
		lea	eax, [ecx+10h]
		lock and [eax],	ebx
		jmp	short loc_595848
; 

loc_595895:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+489j
		mov	edi, [esi]

loc_595897:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+48Dj
		push	edx
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	edx, ebx
		mov	ecx, eax
		call	_MiChangePageAttributeContiguous@12 ; MiChangePageAttributeContiguous(x,x,x)
		mov	eax, [esi+8]
		lea	ecx, [ebp+var_64]
		mov	[ebp+var_64], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_60], eax
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		mov	ecx, [ebp+var_64]
		mov	edx, [ebp+arg_C]
		mov	[esi+8], ecx
		mov	ecx, [ebp+var_60]
		mov	[esi+0Ch], ecx
		mov	esi, edi
		test	edi, edi
		jnz	short loc_59587D
		mov	ecx, [ebp+var_10]

loc_5958DB:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+46Aj
					; MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+470j ...
		mov	eax, ecx
		jmp	short loc_5958EF
; 

loc_5958DF:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+101j
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5958ED:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+42j
					; MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+166j ...
		xor	eax, eax

loc_5958EF:				; CODE XREF: MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)+4E5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_MiUnlinkNodeLargePages@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocateLargeZeroPages(x,	x, x, x, x, x, x)
_MiAllocateLargeZeroPages@28 proc near	; CODE XREF: MiAllocateFastLargePagesForMdl(x,x,x)+ACp
					; MiCreateLargePfnList(x,x,x,x,x)+123p	...

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	[ebp+var_60], eax
		lea	edi, [ebp+var_2C]
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_64], ecx
		push	9
		mov	[ebp+var_38], eax
		xor	eax, eax
		pop	ecx
		rep stosd
		mov	[ebp+var_48], edx
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], ebx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, ebx
		mov	[ebp+var_2D], al
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		and	[ebp+var_3C], 0
		xor	ebx, ebx
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_40], eax
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_48]
		mov	[ebp+var_34], ebx
		test	eax, eax
		jz	loc_595A5D

loc_595969:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+161j
		push	[ebp+var_38]
		mov	ecx, [ebp+var_64]
		mov	edx, eax
		push	[ebp+var_5C]
		sub	edx, ebx
		push	[ebp+var_60]
		push	esi
		call	_MiGetFastLargePages@24	; MiGetFastLargePages(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_595A5D
		mov	eax, [ebp+var_38]
		and	eax, 2
		mov	[ebp+var_54], eax

loc_595992:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+156j
		mov	ecx, [edi]
		xor	edx, edx
		mov	[ebp+var_6C], ecx
		test	eax, eax
		jnz	short loc_5959A9
		mov	ecx, edi
		call	_MiIsFreshPfnFromZeroedList@4 ;	MiIsFreshPfnFromZeroedList(x)
		test	eax, eax
		jnz	short loc_5959A9
		inc	edx

loc_5959A9:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+A5j
					; MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+B0j
		mov	ecx, edi
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		mov	[ebp+var_68], eax
		mov	ecx, ds:_MiLargePageSizes[eax*4]
		mov	[ebp+var_34], ecx
		test	edx, edx
		jz	short loc_595A24
		cmp	[ebp+var_20], 0
		jnz	short loc_5959F3
		cmp	[ebp+var_2D], 2
		jnb	short loc_595A18
		push	esi
		lea	ecx, [ebp+var_2C]
		call	_MiCreateColorAnchors@8	; MiCreateColorAnchors(x,x)
		test	eax, eax
		jz	short loc_595A15
		mov	eax, [ebp+var_50]
		mov	ecx, [ebp+var_34]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_54]
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFFEh
		add	eax, 2
		mov	[ebp+var_28], eax

loc_5959F3:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+CFj
		sub	edi, ds:_MmPfnDatabase
		push	ecx
		push	1Ch
		mov	eax, edi
		pop	ecx
		cdq
		idiv	ecx
		lea	ecx, [ebp+var_2C]
		mov	edx, eax
		call	_MiInsertMdlPageNeedsZero@12 ; MiInsertMdlPageNeedsZero(x,x,x)
		mov	[ebp+var_3C], 1
		jmp	short loc_595A3C
; 

loc_595A15:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+E2j
		mov	eax, [ebp+var_68]

loc_595A18:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+D5j
		push	[ebp+var_50]
		mov	edx, eax
		mov	ecx, edi
		call	MiZeroLargePage

loc_595A24:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+C9j
		mov	eax, [ebp+var_40]
		lea	ecx, [ebp+var_44]
		cmp	[eax], ecx
		jnz	loc_595B1F
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[ebp+var_40], edi

loc_595A3C:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+11Dj
		mov	eax, [ebp+var_6C]
		mov	edi, eax
		add	ebx, [ebp+var_34]
		test	eax, eax
		mov	eax, [ebp+var_54]
		mov	[ebp+var_34], ebx
		jnz	loc_595992
		mov	eax, [ebp+var_48]
		cmp	ebx, eax
		jb	loc_595969

loc_595A5D:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+6Dj
					; MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+8Dj
		mov	edx, [ebp+var_44]
		lea	eax, [ebp+var_44]
		cmp	edx, eax
		jz	short loc_595A7F
		mov	esi, [ebp+var_4C]

loc_595A6A:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+184j
		mov	edi, [edx]
		mov	ecx, esi
		call	_MiAssembleLargePagePfnList@8 ;	MiAssembleLargePagePfnList(x,x)
		lea	eax, [ebp+var_44]
		mov	edx, edi
		cmp	edi, eax
		jnz	short loc_595A6A
		mov	esi, [ebp+var_58]

loc_595A7F:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+16Fj
		cmp	[ebp+var_3C], 0
		jz	short loc_595ADB
		lea	ecx, [ebp+var_2C]
		call	_MiZeroInParallel@4 ; MiZeroInParallel(x)
		mov	ecx, [ebp+var_20]
		xor	edi, edi
		mov	[ebp+var_3C], edi
		test	ecx, ecx
		jz	short loc_595AD3
		mov	ebx, [ebp+var_2C]
		mov	esi, [ebp+var_4C]
		add	ebx, 14h
		push	1Ch
		pop	eax

loc_595AA5:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+1D5j
		mov	edx, [ebx]
		cmp	edx, ebx
		jz	short loc_595AC3

loc_595AAB:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+1C2j
		mov	edi, [edx]
		mov	ecx, esi
		call	_MiAssembleLargePagePfnList@8 ;	MiAssembleLargePagePfnList(x,x)
		mov	edx, edi
		cmp	edi, ebx
		jnz	short loc_595AAB
		mov	ecx, [ebp+var_20]
		mov	edi, [ebp+var_3C]
		push	1Ch
		pop	eax

loc_595AC3:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+1B3j
		add	ebx, eax
		inc	edi
		mov	[ebp+var_3C], edi
		cmp	edi, ecx
		jb	short loc_595AA5
		mov	esi, [ebp+var_58]
		mov	ebx, [ebp+var_34]

loc_595AD3:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+1A1j
		lea	ecx, [ebp+var_2C]
		call	_MiDeleteColorAnchors@4	; MiDeleteColorAnchors(x)

loc_595ADB:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+18Dj
		mov	eax, [ebp+var_48]
		cmp	ebx, eax
		jz	loc_595BB4
		cmp	[ebp+var_2D], 2
		jnb	loc_595BB4
		mov	ecx, [ebp+var_38]
		test	cl, 1
		jnz	loc_595BB4
		and	[ebp+var_38], 0
		lea	edx, [ebp+var_38]
		push	edx
		push	ecx
		push	[ebp+var_5C]
		mov	ecx, [ebp+var_64]
		sub	eax, ebx
		push	[ebp+var_60]
		mov	edx, eax
		push	esi
		call	_MiFindLargePageMemory@28 ; MiFindLargePageMemory(x,x,x,x,x,x,x)
		mov	eax, [ebp+var_38]
		xor	esi, esi
		jmp	short loc_595B28
; 

loc_595B1F:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+136j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_595B24:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+234j
		mov	esi, eax
		mov	eax, [eax]

loc_595B28:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+227j
		test	eax, eax
		jnz	short loc_595B24
		jmp	short loc_595BAC
; 

loc_595B2E:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+2B8j
		mov	eax, [esi+4]
		lea	edi, [esi-0Ch]
		mov	edx, esi
		mov	ecx, esi
		test	eax, eax
		jz	short loc_595B56
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_595B5E

loc_595B44:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+256j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_595B44
		jmp	short loc_595B5E
; 

loc_595B50:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+266j
		cmp	[esi], ecx
		jz	short loc_595B5E
		mov	ecx, esi

loc_595B56:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+244j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_595B50

loc_595B5E:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+24Cj
					; MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+258j	...
		push	edx
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		cmp	byte ptr [edi+8], 1
		mov	ebx, [edi]
		mov	eax, [edi+4]
		jnz	short loc_595B8B
		xor	edx, edx

loc_595B75:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+28Cj
		cmp	eax, ds:_MiLargePageSizes[edx*4]
		jz	short loc_595B84
		inc	edx
		cmp	edx, 2
		jb	short loc_595B75

loc_595B84:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+286j
		mov	ecx, ebx
		call	_MiConvertSmallPageRangeToLarge@8 ; MiConvertSmallPageRangeToLarge(x,x)

loc_595B8B:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+27Bj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_4C]
		imul	edx, ebx, 1Ch
		add	edx, ds:_MmPfnDatabase
		call	_MiAssembleLargePagePfnList@8 ;	MiAssembleLargePagePfnList(x,x)
		mov	ebx, [ebp+var_34]
		add	ebx, eax
		mov	[ebp+var_34], ebx

loc_595BAC:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+236j
		test	esi, esi
		jnz	loc_595B2E

loc_595BB4:				; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+1EAj
					; MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+1F4j	...
		mov	ecx, [ebp+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_MiAllocateLargeZeroPages@28 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAssembleLargePagePfnList(x, x)
_MiAssembleLargePagePfnList@8 proc near	; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+178p
					; MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+1B9p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, edi
		mov	edx, eax
		mov	[ebp+var_4], edx
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		mov	esi, eax
		mov	eax, ds:_MiLargePageSizes[esi*4]
		mov	[ebp+var_8], eax
		cmp	eax, 200h
		jb	short loc_595C31
		test	esi, esi
		jz	short loc_595C31
		mov	ecx, [ebp+var_4]
		and	edx, 0FFFFFE00h
		add	ecx, 1FFh
		add	eax, ecx
		mov	ecx, offset _MiSystemPartition
		push	0
		and	eax, 0FFFFFE00h
		push	0
		sub	eax, edx
		push	eax
		call	MiUpdateLargePageBitMap
		mov	eax, [ebp+var_8]

loc_595C31:				; CODE XREF: MiAssembleLargePagePfnList(x,x)+39j
					; MiAssembleLargePagePfnList(x,x)+3Dj
		mov	ecx, [ebx+esi*4]
		mov	[ebx+esi*4], edi
		mov	[edi], ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiAssembleLargePagePfnList@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFinishLargePageFree(x, x)
_MiFinishLargePageFree@8 proc near	; CODE XREF: .text:0047A5FDp
					; MiFreeLargePageMemory(x,x,x)+D7p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	esi, edx
		push	1Ch
		stosd
		stosd
		stosd
		mov	eax, ecx
		sub	eax, ds:_MmPfnDatabase
		cdq
		pop	edi
		idiv	edi
		and	[ebp+var_8], 0
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_4], al
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_595C8D
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	_MiFreeLargePageCharges@8 ; MiFreeLargePageCharges(x,x)

loc_595C8D:				; CODE XREF: MiFinishLargePageFree(x,x)+41j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_MiFinishLargePageFree@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiFreeLargePageCharges(x, x)
_MiFreeLargePageCharges@8 proc near	; CODE XREF: MiFreeSmallPageFromMdl(x,x)+BEp
					; MiFreeContiguousPages(x,x)+DFp ...
		test	edx, edx
		jnz	_MiReleaseNonPagedResources@8 ;	MiReleaseNonPagedResources(x,x)
		retn
_MiFreeLargePageCharges@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeLargePages(x,	x)
_MiFreeLargePages@8 proc near		; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+3EEp
					; MiDeleteSubsectionLargePages(x,x,x)+53p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		xor	ebx, ebx
		mov	eax, edx
		mov	[ebp+var_8], eax
		mov	edx, ebx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_595CF7

loc_595CB8:				; CODE XREF: MiFreeLargePages(x,x)+54j
		mov	eax, ecx
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	esi
		cdq
		idiv	esi
		mov	esi, eax
		call	_MiGetLeafPfnBuddy@8 ; MiGetLeafPfnBuddy(x,x)
		mov	edi, eax
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		push	8
		mov	edx, eax
		mov	ecx, esi
		add	ebx, ds:_MiLargePageSizes[eax*4]
		call	_MiFreeLargePageMemory@12 ; MiFreeLargePageMemory(x,x,x)
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		add	edx, eax
		mov	[ebp+var_4], edx
		test	edi, edi
		jnz	short loc_595CB8
		mov	eax, [ebp+var_8]

loc_595CF7:				; CODE XREF: MiFreeLargePages(x,x)+18j
		mov	ecx, ebx
		mov	[eax], edx
		sub	ecx, edx
		neg	ebx
		pop	edi
		sbb	ebx, ebx
		and	ebx, ecx
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_MiFreeLargePages@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetFastLargePages(x, x, x, x, x, x)
_MiGetFastLargePages@24	proc near	; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+84p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		mov	ebx, ecx
		mov	ecx, [ebp+arg_8]
		push	edi
		mov	edi, esi
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ebx
		and	edi, 4
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		add	esi, esi
		mov	[ebp+arg_C], eax
		not	esi
		and	esi, 4
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_595D44
		or	esi, 10h

loc_595D44:				; CODE XREF: MiGetFastLargePages(x,x,x,x,x,x)+35j
		test	edi, edi
		jz	short loc_595D4B
		or	esi, 1

loc_595D4B:				; CODE XREF: MiGetFastLargePages(x,x,x,x,x,x)+3Cj
		push	[ebp+arg_C]
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	esi
		push	1
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_MiGetLargePagesDemoteAsNeeded@28 ; MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)
		mov	edi, eax
		or	ebx, 0FFFFFFFFh
		mov	esi, edi
		test	edi, edi
		jz	short loc_595DA1

loc_595D6C:				; CODE XREF: MiGetFastLargePages(x,x,x,x,x,x)+95j
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	edx, eax
		cmp	esi, edi
		jnz	short loc_595D8E
		mov	ecx, esi
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		mov	ebx, ds:_MiLargePageSizes[eax*4]

loc_595D8E:				; CODE XREF: MiGetFastLargePages(x,x,x,x,x,x)+74j
		mov	ecx, [ebp+var_8]
		push	1
		push	1
		push	ebx
		call	MiUpdateLargePageBitMap
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_595D6C

loc_595DA1:				; CODE XREF: MiGetFastLargePages(x,x,x,x,x,x)+60j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiGetFastLargePages@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeLargeUserBasePfn(x, x, x)
_MiInitializeLargeUserBasePfn@12 proc near ; CODE XREF:	.text:00463982p
					; MiMapUserLargePages(x,x,x)+1EAp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, [edi+16h]
		mov	edx, [ebp+arg_0]
		and	cl, 0FEh
		and	dword ptr [edi], 0
		or	cl, 6
		shr	edx, 2
		and	edx, 1FFFFFFEh
		mov	[edi+4], esi
		mov	[edi], edx
		mov	dl, al
		mov	[edi+16h], cl
		mov	ecx, edi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_MiInitializeLargeUserBasePfn@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertLargeUserMapping(x,	x, x, x, x, x)
_MiInsertLargeUserMapping@24 proc near	; CODE XREF: .text:0046399Ap
					; MiMapUserLargePages(x,x,x)+1FFp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_4]
		mov	esi, edi
		cmp	edx, 1
		jz	short loc_595E1A
		xor	eax, eax
		inc	eax
		sub	eax, edx

loc_595E06:				; CODE XREF: MiInsertLargeUserMapping(x,x,x,x,x,x)+2Ej
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		sub	eax, 1
		jnz	short loc_595E06

loc_595E1A:				; CODE XREF: MiInsertLargeUserMapping(x,x,x,x,x,x)+15j
		mov	eax, [ebx+1Ch]
		mov	ebx, 300000h
		mov	ecx, [ebp+arg_8]
		and	eax, ebx
		cmp	eax, ebx
		jz	short loc_595E31
		or	ecx, 80000000h

loc_595E31:				; CODE XREF: MiInsertLargeUserMapping(x,x,x,x,x,x)+3Fj
		cmp	edx, 1
		jz	short loc_595E3C
		or	ecx, 4000000h

loc_595E3C:				; CODE XREF: MiInsertLargeUserMapping(x,x,x,x,x,x)+4Aj
		lea	eax, [edx-1]
		mov	edx, [ebp+arg_0]
		neg	eax
		push	ecx
		sbb	eax, eax
		mov	ecx, edi
		and	eax, 0FFFFFFF1h
		add	eax, 10h
		mov	[ebp+var_4], eax
		call	MiMakeValidPte
		mov	edi, edx
		mov	ebx, eax
		mov	ecx, edi
		cmp	esi, 0C0600000h
		jb	short loc_595E75
		mov	[ebp+arg_0], ebx
		mov	edx, ebx
		mov	[ebp+arg_8], edi
		cmp	esi, 0C0603FFFh
		jbe	short loc_595EBE

loc_595E75:				; CODE XREF: MiInsertLargeUserMapping(x,x,x,x,x,x)+79j
		mov	edx, eax
		mov	[ebp+arg_8], ecx
		mov	ecx, [esi]
		mov	[ebp+arg_0], edx
		nop
		or	ecx, [esi+4]
		jnz	short loc_595EBE
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edx, [ebp+var_4]
		shr	ecx, 0Ch
		and	ecx, 7FFh
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		add	eax, 190h
		lea	ecx, [eax+ecx*2]
		call	_MiIncreaseUsedPtesCount@8 ; MiIncreaseUsedPtesCount(x,x)
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		mov	[ebp+arg_0], edx
		mov	[ebp+arg_8], eax

loc_595EBE:				; CODE XREF: MiInsertLargeUserMapping(x,x,x,x,x,x)+89j
					; MiInsertLargeUserMapping(x,x,x,x,x,x)+99j
		cmp	[ebp+arg_4], 1
		jnz	short loc_595EF3

loc_595EC4:				; CODE XREF: MiInsertLargeUserMapping(x,x,x,x,x,x)+105j
		mov	[esi+4], edi
		nop
		mov	ecx, ebx
		mov	[esi], ebx
		add	ecx, 1000h
		lea	esi, [esi+8]
		mov	eax, edi
		adc	eax, 0
		xor	ecx, ebx
		xor	eax, edi
		and	ecx, 0FFFFF000h
		and	eax, 1Fh
		xor	ebx, ecx
		xor	edi, eax
		sub	[ebp+var_4], 1
		jnz	short loc_595EC4
		jmp	short loc_595F6B
; 

loc_595EF3:				; CODE XREF: MiInsertLargeUserMapping(x,x,x,x,x,x)+D8j
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_595F56
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_595F29
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	short loc_595F58
		mov	eax, edx
		and	eax, ecx
		or	eax, 0
		jz	short loc_595F58
		mov	edi, [ebp+arg_8]
		mov	ebx, edx
		or	edi, 80000000h
		jmp	short loc_595F58
; 

loc_595F29:				; CODE XREF: MiInsertLargeUserMapping(x,x,x,x,x,x)+11Bj
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		test	al, al
		jz	short loc_595F56
		mov	ecx, [ebp+arg_0]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_595F56
		mov	edi, [ebp+arg_8]
		mov	ebx, ecx
		or	edi, 80000000h

loc_595F56:				; CODE XREF: MiInsertLargeUserMapping(x,x,x,x,x,x)+112j
					; MiInsertLargeUserMapping(x,x,x,x,x,x)+152j ...
		xor	ecx, ecx

loc_595F58:				; CODE XREF: MiInsertLargeUserMapping(x,x,x,x,x,x)+127j
					; MiInsertLargeUserMapping(x,x,x,x,x,x)+130j ...
		mov	[esi+4], edi
		nop
		mov	[esi], ebx
		test	ecx, ecx
		jz	short loc_595F6B
		push	edi
		push	ebx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_595F6B:				; CODE XREF: MiInsertLargeUserMapping(x,x,x,x,x,x)+107j
					; MiInsertLargeUserMapping(x,x,x,x,x,x)+176j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiInsertLargeUserMapping@24 endp


;  S U B	R O U T	I N E 


; __stdcall MiPrepareLargePageSubPageForFree(x)
_MiPrepareLargePageSubPageForFree@4 proc near ;	CODE XREF: MiReadyLargePageToFree(x,x,x)+4Cp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		push	2
		pop	edi
		cmp	[esi+14h], di
		jz	short loc_595FA6
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	dl, al
		mov	ecx, esi
		cmp	[esi+14h], di
		jz	short loc_595FA1
		or	dword ptr [esi+10h], 40000000h
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		xor	eax, eax
		jmp	short loc_595FFC
; 

loc_595FA1:				; CODE XREF: MiPrepareLargePageSubPageForFree(x)+1Dj
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)

loc_595FA6:				; CODE XREF: MiPrepareLargePageSubPageForFree(x)+Ej
		mov	ecx, [esi+18h]
		mov	edi, 70000000h
		mov	eax, ecx
		and	eax, edi
		cmp	eax, 30000000h
		jnz	short loc_595FD8
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		push	0Ch
		pop	edx
		mov	ecx, esi
		mov	bl, al
		call	MiClearPfnImageVerified
		mov	dl, bl
		mov	ecx, esi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	ecx, [esi+18h]

loc_595FD8:				; CODE XREF: MiPrepareLargePageSubPageForFree(x)+45j
		and	ecx, edi
		cmp	ecx, 10000000h
		jnz	short loc_595FF9
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		and	dword ptr [esi+18h], 8FFFFFFFh
		mov	dl, al
		mov	ecx, esi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)

loc_595FF9:				; CODE XREF: MiPrepareLargePageSubPageForFree(x)+6Ej
		xor	eax, eax
		inc	eax

loc_595FFC:				; CODE XREF: MiPrepareLargePageSubPageForFree(x)+2Dj
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiPrepareLargePageSubPageForFree@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReadyLargePageToFree(x, x, x)
_MiReadyLargePageToFree@12 proc	near	; CODE XREF: MiFreeLargePageMemory(x,x,x)+C8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ecx
		mov	ecx, ds:_MiLargePageSizes[edx*4]
		push	ebx
		imul	ebx, eax, 1Ch
		push	esi
		mov	[ebp+var_8], ecx
		push	edi
		mov	[ebp+var_4], eax
		xor	edi, edi
		add	ebx, ds:_MmPfnDatabase
		mov	ecx, ebx
		mov	esi, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+var_8]
		mov	dl, al
		mov	[ebx], ecx
		mov	ecx, ebx
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	ecx, [ebp+var_8]
		add	ecx, [ebp+var_4]
		mov	[ebp+var_C], ecx
		cmp	[ebp+var_4], ecx
		jnb	short loc_596095

loc_59604A:				; CODE XREF: MiReadyLargePageToFree(x,x,x)+6Bj
		mov	ecx, esi
		call	_MiPrepareLargePageSubPageForFree@4 ; MiPrepareLargePageSubPageForFree(x)
		test	eax, eax
		jz	short loc_596058
		inc	edi
		jmp	short loc_59605E
; 

loc_596058:				; CODE XREF: MiReadyLargePageToFree(x,x,x)+53j
		test	byte ptr [ebp+arg_0], 4
		jnz	short loc_59609E

loc_59605E:				; CODE XREF: MiReadyLargePageToFree(x,x,x)+56j
		mov	eax, [ebp+var_4]
		add	esi, 1Ch
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, [ebp+var_C]
		jb	short loc_59604A
		test	edi, edi
		jz	short loc_596095
		cmp	edi, [ebp+var_8]
		jz	short loc_596090
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	esi, [ebx]
		mov	dl, al
		sub	esi, edi
		mov	ecx, ebx
		mov	[ebx], esi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		test	esi, esi
		jnz	short loc_596095

loc_596090:				; CODE XREF: MiReadyLargePageToFree(x,x,x)+74j
		xor	eax, eax
		inc	eax
		jmp	short loc_596097
; 

loc_596095:				; CODE XREF: MiReadyLargePageToFree(x,x,x)+48j
					; MiReadyLargePageToFree(x,x,x)+6Fj ...
		xor	eax, eax

loc_596097:				; CODE XREF: MiReadyLargePageToFree(x,x,x)+93j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_59609E:				; CODE XREF: MiReadyLargePageToFree(x,x,x)+5Cj
		mov	ecx, esi
		call	_MiBadRefCount@4 ; MiBadRefCount(x)
		int	3		; Trap to Debugger

; __stdcall MiUpdateLargePagePfns(x, x,	x, x)
_MiUpdateLargePagePfns@16:		; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+FDp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		imul	eax, [ebp+arg_0], 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		imul	esi, edi, 1Ch
		xor	ebx, ebx
		add	esi, ds:_MmPfnDatabase
		add	eax, esi
		mov	[ebp+arg_0], eax

loc_5960C8:				; CODE XREF: MiReadyLargePageToFree(x,x,x)+ECj
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		call	_MiPfnZeroingNeeded@8 ;	MiPfnZeroingNeeded(x,x)
		test	eax, eax
		jz	short loc_5960E5
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	1
		call	_MiInsertMdlPageNeedsZero@12 ; MiInsertMdlPageNeedsZero(x,x,x)
		xor	ebx, ebx
		inc	ebx

loc_5960E5:				; CODE XREF: MiReadyLargePageToFree(x,x,x)+D4j
		add	esi, 1Ch
		inc	edi
		cmp	esi, [ebp+arg_0]
		jnz	short loc_5960C8
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_MiReadyLargePageToFree@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddPageToHeatList(x, x, x)
_MiAddPageToHeatList@12	proc near	; CODE XREF: MiDemoteLocalLargePage(x,x,x,x)+23Dp
					; MiGetLargePage(x,x,x,x,x,x)+225p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_0]
		mov	esi, ecx
		call	_MiAddPageToHeatRanges@12 ; MiAddPageToHeatRanges(x,x,x)
		test	eax, eax
		jz	short loc_596113
		mov	ecx, esi
		call	_MiNotifyPageHeat@4 ; MiNotifyPageHeat(x)

loc_596113:				; CODE XREF: MiAddPageToHeatList(x,x,x)+12j
		pop	esi
		pop	ebp
		retn	4
_MiAddPageToHeatList@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddPageToHeatRanges(x, x,	x)
_MiAddPageToHeatRanges@12 proc near	; CODE XREF: MiAddPageToHeatList(x,x,x)+Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		xor	edx, edx
		mov	edi, [esi+4]
		test	edi, edi
		jz	short loc_596139
		lea	ebx, [esi+8]
		lea	ebx, [ebx+edi*8]
		jmp	short loc_59613B
; 

loc_596139:				; CODE XREF: MiAddPageToHeatRanges(x,x,x)+17j
		mov	ebx, edx

loc_59613B:				; CODE XREF: MiAddPageToHeatRanges(x,x,x)+1Fj
		cmp	[ebp+arg_0], 2
		jnz	loc_5961FA
		test	ebx, ebx
		jz	loc_5961FA
		mov	eax, [ebx+4]
		mov	ecx, [ebx]
		mov	[ebp+var_14], eax
		mov	eax, ecx
		and	eax, 0C00h
		mov	[ebp+var_10], ecx
		or	eax, edx
		jnz	loc_5961FA
		mov	edx, ecx
		mov	ecx, 3FFh
		and	edx, ecx
		cmp	edx, ecx
		jnb	loc_5961FA
		mov	ecx, eax
		add	edx, 1
		mov	[ebp+var_18], edx
		adc	ecx, eax
		mov	eax, [ebp+var_10]
		and	[ebp+var_C], 0
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_14]
		shrd	[ebp+var_8], eax, 0Ch
		mov	eax, [ebp+var_8]
		add	eax, edx
		adc	[ebp+var_C], ecx
		mov	ecx, [ebp+var_4]
		cmp	ecx, eax
		jnz	short loc_5961C7
		xor	eax, eax
		cmp	eax, [ebp+var_C]
		jnz	short loc_5961C7
		mov	ecx, [ebp+var_10]
		xor	ecx, edx
		and	ecx, 3FFh
		xor	ecx, [ebp+var_10]
		xor	eax, [ebp+var_14]
		mov	[ebx], ecx
		mov	[ebx+4], eax

loc_5961C0:				; CODE XREF: MiAddPageToHeatRanges(x,x,x)+E0j
		xor	eax, eax
		jmp	loc_59624A
; 

loc_5961C7:				; CODE XREF: MiAddPageToHeatRanges(x,x,x)+89j
					; MiAddPageToHeatRanges(x,x,x)+90j
		mov	eax, [ebp+var_8]
		dec	eax
		cmp	ecx, eax
		jnz	short loc_5961FD
		mov	eax, ecx
		mov	ecx, 1000h
		mul	ecx
		mov	edx, 1000h
		xor	ecx, ecx
		mov	esi, eax
		mov	eax, [ebp+var_4]
		xor	esi, [ebp+var_18]
		mul	edx
		and	esi, 3FFh
		xor	esi, eax
		xor	ecx, edx
		mov	[ebx], esi
		mov	[ebx+4], ecx
		jmp	short loc_5961C0
; 

loc_5961FA:				; CODE XREF: MiAddPageToHeatRanges(x,x,x)+27j
					; MiAddPageToHeatRanges(x,x,x)+2Fj ...
		mov	ecx, [ebp+var_4]

loc_5961FD:				; CODE XREF: MiAddPageToHeatRanges(x,x,x)+B5j
		mov	eax, ecx
		mov	ecx, 1000h
		mul	ecx
		cmp	[ebp+arg_0], 2
		mov	[esi+edi*8+10h], eax
		mov	[esi+edi*8+14h], edx
		jz	short loc_59623C
		cmp	[ebp+arg_0], 1
		jnz	short loc_596224
		and	eax, 0FFFFFC0Fh
		or	eax, 0Fh
		jmp	short loc_596234
; 

loc_596224:				; CODE XREF: MiAddPageToHeatRanges(x,x,x)+100j
		cmp	[ebp+arg_0], 0
		jnz	short loc_59623C
		and	eax, 0FFFFF7FFh
		or	eax, 400h

loc_596234:				; CODE XREF: MiAddPageToHeatRanges(x,x,x)+10Aj
		mov	[esi+edi*8+14h], edx
		mov	[esi+edi*8+10h], eax

loc_59623C:				; CODE XREF: MiAddPageToHeatRanges(x,x,x)+FAj
					; MiAddPageToHeatRanges(x,x,x)+110j
		inc	dword ptr [esi+4]
		xor	eax, eax
		mov	ecx, [esi+4]
		cmp	ecx, [esi+8]
		setz	al

loc_59624A:				; CODE XREF: MiAddPageToHeatRanges(x,x,x)+AAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiAddPageToHeatRanges@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiChangePageHeatImmediate(x, x, x)
_MiChangePageHeatImmediate@12 proc near	; CODE XREF: MiZeroPage(x,x)+3DEp
					; .text:004714BFp ...

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	esi
		push	edi
		push	84h		; size_t
		lea	eax, [ebp+var_90]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		mov	edx, [ebp+arg_0]
		add	esp, 0Ch
		test	edx, edx
		jnz	short loc_596295
		mov	ecx, esi
		call	_MiColdPageSizeSupported@4 ; MiColdPageSizeSupported(x)
		test	eax, eax
		jmp	short loc_59629F
; 

loc_596295:				; CODE XREF: MiChangePageHeatImmediate(x,x,x)+36j
		test	ds:_HvlEnlightenments, 200000h

loc_59629F:				; CODE XREF: MiChangePageHeatImmediate(x,x,x)+41j
		jz	short loc_5962C6
		and	[ebp+var_98], 0
		lea	ecx, [ebp+var_9C]
		mov	[ebp+var_9C], edx
		mov	edx, edi
		push	esi
		mov	[ebp+var_94], 1
		call	_MiAddPageToHeatList@12	; MiAddPageToHeatList(x,x,x)

loc_5962C6:				; CODE XREF: MiChangePageHeatImmediate(x,x,x):loc_59629Fj
		mov	ecx, [ebp+var_8]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiChangePageHeatImmediate@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiColdPageSizeSupported(x)
_MiColdPageSizeSupported@4 proc	near	; CODE XREF: MiZeroPage(x,x)+D9p
					; .text:loc_471339p ...
		mov	eax, ds:_HvlEnlightenments
		test	eax, 8400000h
		jz	short loc_5962F1
		test	ecx, ecx
		jz	short loc_5962ED
		test	eax, 8000000h
		jnz	short loc_5962F1

loc_5962ED:				; CODE XREF: MiColdPageSizeSupported(x)+Ej
		xor	eax, eax
		inc	eax
		retn
; 

loc_5962F1:				; CODE XREF: MiColdPageSizeSupported(x)+Aj
					; MiColdPageSizeSupported(x)+15j
		xor	eax, eax
		retn
_MiColdPageSizeSupported@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiDetermineNewPfnHeatState(x, x)
_MiDetermineNewPfnHeatState@8 proc near	; CODE XREF: MiCreatePfnTemplate(x,x)+35p
					; MiLargePagePromote(x,x,x,x)+18Cp ...
		mov	edi, edi
		push	esi
		xor	esi, esi
		test	ecx, ecx
		jnz	short loc_596317
		mov	ecx, edx
		call	_MiColdPageSizeSupported@4 ; MiColdPageSizeSupported(x)
		test	eax, eax
		jnz	short loc_596314
		test	ds:_HvlEnlightenments, 200000h
		jz	short loc_596317

loc_596314:				; CODE XREF: MiDetermineNewPfnHeatState(x,x)+12j
		xor	esi, esi
		inc	esi

loc_596317:				; CODE XREF: MiDetermineNewPfnHeatState(x,x)+7j
					; MiDetermineNewPfnHeatState(x,x)+1Ej
		mov	eax, esi
		pop	esi
		retn
_MiDetermineNewPfnHeatState@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertPartitionPages(x, x, x, x, x)
_MiInsertPartitionPages@20 proc	near	; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+2E2p
					; MiHotAddPartitionMemory(x,x,x)+27Cp

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_2C]
		mov	[ebp+var_48], ecx
		stosd
		mov	ebx, edx
		xor	edx, edx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], edx
		stosd
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], edx
		stosd
		mov	edi, [ebp+arg_0]
		mov	eax, large fs:124h
		mov	[ebp+var_10], eax
		mov	[ebp+var_30], edx
		test	byte ptr [edi+0Ch], 2
		mov	eax, [edi]
		mov	[ebp+var_14], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_C], eax
		jz	short loc_5963C2
		mov	esi, edx
		jmp	short loc_596371
; 

loc_59636F:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+59j
		mov	esi, eax

loc_596371:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+51j
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_59636F
		test	esi, esi
		jz	short loc_5963BF

loc_59637B:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+9Ej
		mov	eax, [esi+4]
		mov	ecx, esi
		mov	[ebp+var_1C], esi
		test	eax, eax
		jz	short loc_5963A1
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_5963A9

loc_59638F:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+7Bj
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_59638F
		jmp	short loc_5963A9
; 

loc_59639B:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+8Bj
		cmp	[esi], ecx
		jz	short loc_5963A9
		mov	ecx, esi

loc_5963A1:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+69j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_59639B

loc_5963A9:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+71j
					; MiInsertPartitionPages(x,x,x,x,x)+7Dj ...
		mov	ecx, [ebp+var_1C]
		lea	eax, [ebp+var_4C]
		push	eax
		push	8
		pop	edx
		call	_MiActOnPartitionNodePages@12 ;	MiActOnPartitionNodePages(x,x,x)
		test	esi, esi
		jnz	short loc_59637B
		mov	ecx, [ebp+var_8]

loc_5963BF:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+5Dj
		mov	eax, [ebp+var_C]

loc_5963C2:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+4Dj
		test	byte ptr [edi+0Ch], 10h
		mov	edx, offset dword_6D301C
		mov	esi, [ebp+arg_4]
		jnz	short loc_59641F
		cmp	ecx, offset _MiSystemPartition
		jnz	short loc_5963E0
		mov	eax, esi
		lock xadd [edx], eax
		jmp	short loc_59641F
; 

loc_5963E0:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+BAj
		mov	edx, eax
		call	_MiClearPartitionPageBitMap@8 ;	MiClearPartitionPageBitMap(x,x)
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	esi
		call	_MiReduceCommitLimits@12 ; MiReduceCommitLimits(x,x,x)
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	MiReturnCommit
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_8]
		call	_MiLockDynamicMemoryExclusive@8	; MiLockDynamicMemoryExclusive(x,x)
		mov	ecx, [ebp+var_8]
		call	_MiMakePartitionMemoryBlock@4 ;	MiMakePartitionMemoryBlock(x)
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_8]
		call	MiUnlockDynamicMemoryExclusive
		mov	edx, offset dword_6D301C

loc_59641F:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+B2j
					; MiInsertPartitionPages(x,x,x,x,x)+C2j
		cmp	ebx, offset _MiSystemPartition
		jnz	loc_596503
		mov	eax, [edi+0Ch]
		test	al, 10h
		jnz	short loc_59643B
		neg	esi
		lock xadd [edx], esi
		mov	eax, [edi+0Ch]

loc_59643B:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+114j
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		push	1
		push	eax
		call	_MiFreePartitionTree@16	; MiFreePartitionTree(x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_14], ebx
		test	ebx, ebx
		jns	loc_596678
		and	dword ptr [edi+0Ch], 0FFFFFFFBh
		lea	esi, [ebp+var_4C]
		mov	edx, [edi+0Ch]
		lea	edi, [ebp+var_6C]
		mov	eax, [ebp+var_4C]
		mov	ebx, [ebp+var_8]
		and	[ebp+arg_4], 0
		push	8
		pop	ecx
		rep movsd
		mov	[ebp+var_68], eax
		xor	esi, esi
		mov	eax, [ebp+var_48]
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_1C], ebx
		jmp	short loc_596486
; 

loc_596484:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+16Ej
		mov	esi, eax

loc_596486:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+166j
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_596484
		mov	edi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_5964F2
		mov	ebx, [ebp+arg_0]

loc_596496:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+1D1j
		mov	eax, [esi+4]
		mov	edx, esi
		mov	[ebp+arg_4], edx
		mov	ecx, esi
		test	eax, eax
		jz	short loc_5964BE
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_5964C6

loc_5964AC:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+198j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_5964AC
		jmp	short loc_5964C6
; 

loc_5964B8:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+1A8j
		cmp	[esi], ecx
		jz	short loc_5964C6
		mov	ecx, esi

loc_5964BE:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+186j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_5964B8

loc_5964C6:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+18Ej
					; MiInsertPartitionPages(x,x,x,x,x)+19Aj ...
		lea	eax, [edx+10h]
		push	eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	edx, [ebx+0Ch]
		add	edi, eax
		test	dl, 2
		jz	short loc_5964EB
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+var_6C]
		push	eax
		push	8
		pop	edx
		call	_MiActOnPartitionNodePages@12 ;	MiActOnPartitionNodePages(x,x,x)
		mov	edx, [ebx+0Ch]

loc_5964EB:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+1BBj
		test	esi, esi
		jnz	short loc_596496
		mov	ebx, [ebp+var_1C]

loc_5964F2:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+175j
		test	dl, 10h
		jnz	short loc_596500
		mov	eax, offset dword_6D301C
		lock xadd [eax], edi

loc_596500:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+1D9j
		mov	edi, [ebp+arg_0]

loc_596503:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+109j
		test	ebx, ebx
		jz	loc_596675
		mov	edx, [ebp+var_10]
		mov	ecx, ebx
		call	_MiLockDynamicMemoryExclusive@8	; MiLockDynamicMemoryExclusive(x,x)
		mov	eax, [ebp+var_C]
		xor	esi, esi
		jmp	short loc_59651E
; 

loc_59651C:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+206j
		mov	esi, eax

loc_59651E:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+1FEj
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_59651C
		test	esi, esi
		jz	loc_596638
		jmp	short loc_596531
; 

loc_59652E:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+316j
		mov	edi, [ebp+arg_0]

loc_596531:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+210j
		lea	eax, [esi+10h]
		mov	[ebp+arg_4], esi
		push	eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	ecx, [esi+4]
		mov	edx, esi
		mov	[ebp+var_1C], eax
		test	ecx, ecx
		jz	short loc_596563
		mov	esi, ecx
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_59656B

loc_596551:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+23Dj
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_596551
		jmp	short loc_59656B
; 

loc_59655D:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+24Dj
		cmp	[esi], edx
		jz	short loc_59656B
		mov	edx, esi

loc_596563:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+22Bj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_59655D

loc_59656B:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+233j
					; MiInsertPartitionPages(x,x,x,x,x)+23Fj ...
		lea	eax, [ebx+70h]
		push	eax
		call	ExAcquireSpinLockExclusive
		push	[ebp+arg_4]
		mov	byte ptr [ebp+var_20], al
		push	[ebp+var_C]
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		test	byte ptr [edi+0Ch], 10h
		jz	short loc_59658D
		xor	edi, edi
		inc	edi
		jmp	short loc_5965A6
; 

loc_59658D:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+26Aj
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		call	_MiMergePageNodes@8 ; MiMergePageNodes(x,x)
		mov	edi, eax
		mov	byte ptr [ebx+0Ch], 1
		mov	eax, [ebp+var_1C]
		add	[ebx+0F48h], eax

loc_5965A6:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+26Fj
		push	[ebp+var_20]
		lea	eax, [ebx+70h]
		push	eax
		call	ExReleaseSpinLockExclusive
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+0Ch]
		test	cl, 10h
		jnz	short loc_5965D4
		mov	eax, [ebp+var_1C]
		mov	ecx, ebx
		push	0
		push	1
		push	eax
		mov	edx, eax
		call	MiIncreaseCommitLimits
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+0Ch]

loc_5965D4:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+29Fj
		mov	edx, [ebp+arg_4]
		push	ecx
		mov	ecx, ebx
		call	_MiFreePartitionNodePages@12 ; MiFreePartitionNodePages(x,x,x)
		cmp	edi, 1
		jnz	short loc_596630
		mov	ecx, [ebp+var_18]
		mov	byte ptr [ebp+var_8], 0
		test	ecx, ecx
		jz	short loc_596620
		mov	eax, [ebp+arg_4]
		mov	edi, 7FFFFFFFh
		mov	edx, [eax+0Ch]
		and	edx, edi

loc_5965FC:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+2FEj
		mov	eax, [ecx+0Ch]
		and	eax, edi
		cmp	edx, eax
		jb	short loc_596612
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_596618
		mov	byte ptr [ebp+var_8], 1
		jmp	short loc_596620
; 

loc_596612:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+2E7j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_59661C

loc_596618:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+2EEj
		mov	ecx, eax
		jmp	short loc_5965FC
; 

loc_59661C:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+2FAj
		mov	byte ptr [ebp+var_8], 0

loc_596620:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+2D1j
					; MiInsertPartitionPages(x,x,x,x,x)+2F4j
		push	[ebp+arg_4]
		lea	eax, [ebp+var_18]
		push	[ebp+var_8]
		push	ecx
		push	eax
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)

loc_596630:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+2C6j
		test	esi, esi
		jnz	loc_59652E

loc_596638:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+20Aj
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+0Ch], 10h
		jnz	short loc_596648
		mov	ecx, ebx
		call	_MiMakePartitionMemoryBlock@4 ;	MiMakePartitionMemoryBlock(x)

loc_596648:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+323j
		mov	edx, [ebp+var_10]
		mov	ecx, ebx
		call	MiUnlockDynamicMemoryExclusive
		test	byte ptr [esi+0Ch], 10h
		jnz	short loc_596675
		lea	ecx, [ebx+0D98h]
		lea	edx, [ebp+var_2C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, ebx
		call	_MiComputeCommitThresholds@4 ; MiComputeCommitThresholds(x)
		lea	ecx, [ebp+var_2C]
		call	KeReleaseInStackQueuedSpinLock

loc_596675:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+1E9j
					; MiInsertPartitionPages(x,x,x,x,x)+33Aj
		mov	ebx, [ebp+var_14]

loc_596678:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+133j
		mov	eax, [ebp+var_18]
		xor	esi, esi
		jmp	short loc_596683
; 

loc_59667F:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+369j
		mov	esi, eax
		mov	eax, [eax]

loc_596683:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+361j
		test	eax, eax
		jnz	short loc_59667F
		jmp	short loc_5966D2
; 

loc_596689:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+3B8j
		mov	eax, [esi+4]
		mov	edi, esi
		mov	ecx, esi
		test	eax, eax
		jz	short loc_5966AE
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_5966B6

loc_59669C:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+388j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_59669C
		jmp	short loc_5966B6
; 

loc_5966A8:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+398j
		cmp	[esi], ecx
		jz	short loc_5966B6
		mov	ecx, esi

loc_5966AE:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+376j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_5966A8

loc_5966B6:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+37Ej
					; MiInsertPartitionPages(x,x,x,x,x)+38Aj ...
		push	edi
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		push	0
		push	dword ptr [edi+14h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5966D2:				; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+36Bj
		test	esi, esi
		jnz	short loc_596689
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
_MiInsertPartitionPages@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_Leap_Seconds_Sixty_Second__private_ReportDeviceUsage()
_Feature_Leap_Seconds_Sixty_Second__private_ReportDeviceUsage@0	proc near
					; CODE XREF: PAGE:0075B4FDp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, _Feature_Leap_Seconds_Sixty_Second__private_featureState
		test	al, 10h
		jnz	short loc_5966FB
		push	0
		push	eax
		call	_Feature_Leap_Seconds_Sixty_Second__private_ReportUsageFallback@12 ; Feature_Leap_Seconds_Sixty_Second__private_ReportUsageFallback(x,x,x)

loc_5966FB:				; CODE XREF: Feature_Leap_Seconds_Sixty_Second__private_ReportDeviceUsage()+11j
		mov	esp, ebp
		pop	ebp
		retn
_Feature_Leap_Seconds_Sixty_Second__private_ReportDeviceUsage@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_Leap_Seconds_Sixty_Second__private_ReportUsageFallback(x, x, x)
_Feature_Leap_Seconds_Sixty_Second__private_ReportUsageFallback@12 proc	near
					; CODE XREF: Feature_Leap_Seconds_Sixty_Second__private_ReportDeviceUsage()+16p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		and	esi, 0FFFFFFFEh
		mov	edi, offset _Feature_Leap_Seconds_Sixty_Second__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_Leap_Seconds_Sixty_Second__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_1148767544__private_IsEnabledDeviceUsage()
_Feature_1148767544__private_IsEnabledDeviceUsage@0 proc near
					; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+274p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, _Feature_1148767544__private_featureState
		test	al, 10h
		jz	short loc_59674E
		and	eax, 1
		jmp	short loc_596759
; 

loc_59674E:				; CODE XREF: Feature_1148767544__private_IsEnabledDeviceUsage()+11j
		push	0
		push	eax
		push	3
		pop	ecx
		call	_Feature_1148767544__private_IsEnabledFallback@12 ; Feature_1148767544__private_IsEnabledFallback(x,x,x)

loc_596759:				; CODE XREF: Feature_1148767544__private_IsEnabledDeviceUsage()+16j
		mov	esp, ebp
		pop	ebp
		retn
_Feature_1148767544__private_IsEnabledDeviceUsage@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_1148767544__private_IsEnabledFallback(x, x,	x)
_Feature_1148767544__private_IsEnabledFallback@12 proc near
					; CODE XREF: Feature_1148767544__private_IsEnabledDeviceUsage()+1Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, offset _Feature_1148767544__private_descriptor
		push	[ebp+arg_0]
		push	ecx
		call	_wil_details_IsEnabledFallback@20 ; wil_details_IsEnabledFallback(x,x,x,x,x)
		pop	ebp
		retn	8
_Feature_1148767544__private_IsEnabledFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_3401902395__private_IsEnabledDeviceUsage()
_Feature_3401902395__private_IsEnabledDeviceUsage@0 proc near
					; CODE XREF: PoStoreRequester(x,x,x,x)+56p
					; PoStoreRequester(x,x,x,x):loc_53F9D6p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, _Feature_3401902395__private_featureState
		test	al, 10h
		jz	short loc_596790
		and	eax, 1
		jmp	short loc_59679B
; 

loc_596790:				; CODE XREF: Feature_3401902395__private_IsEnabledDeviceUsage()+11j
		push	0
		push	eax
		push	3
		pop	ecx
		call	_Feature_3401902395__private_IsEnabledFallback@12 ; Feature_3401902395__private_IsEnabledFallback(x,x,x)

loc_59679B:				; CODE XREF: Feature_3401902395__private_IsEnabledDeviceUsage()+16j
		mov	esp, ebp
		pop	ebp
		retn
_Feature_3401902395__private_IsEnabledDeviceUsage@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_3401902395__private_IsEnabledFallback(x, x,	x)
_Feature_3401902395__private_IsEnabledFallback@12 proc near
					; CODE XREF: Feature_3401902395__private_IsEnabledDeviceUsage()+1Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, offset _Feature_3401902395__private_descriptor
		push	[ebp+arg_0]
		push	ecx
		call	_wil_details_IsEnabledFallback@20 ; wil_details_IsEnabledFallback(x,x,x,x,x)
		pop	ebp
		retn	8
_Feature_3401902395__private_IsEnabledFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_PdttSupport__private_ReportUsageFallback(x,	x, x)
_Feature_PdttSupport__private_ReportUsageFallback@12 proc near
					; CODE XREF: PoClearTransitionMarker()+132p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		and	esi, 0FFFFFFFEh
		mov	edi, offset _Feature_PdttSupport__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_PdttSupport__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoGetRequesterOld(x, x, x)
_PoGetRequesterOld@12 proc near		; CODE XREF: .text:loc_540510p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0Ch
		push	offset dword_6A8DC0
		call	__SEH_prolog4
		mov	esi, edx
		test	cl, cl
		jnz	short loc_59681D
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		mov	[eax+4], esi
		test	esi, esi
		jz	short loc_59688B
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		jmp	short loc_59688B
; 

loc_59681D:				; CODE XREF: PoGetRequesterOld(x,x,x)+10j
		and	[ebp+var_1C], 0
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jnz	short loc_596841
		cmp	byte ptr [eax+16Ah], 1
		jz	short loc_596841
		mov	eax, [eax+0A8h]
		jmp	short loc_596843
; 

loc_596841:				; CODE XREF: PoGetRequesterOld(x,x,x)+3Ej
					; PoGetRequesterOld(x,x,x)+47j
		xor	eax, eax

loc_596843:				; CODE XREF: PoGetRequesterOld(x,x,x)+4Fj
		test	eax, eax
		jz	short loc_596868
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [eax+0F60h]
		mov	[ebp+var_1C], eax
		jmp	short loc_596861
; 

loc_596856:				; DATA XREF: .text:006A8DD4o
		xor	eax, eax
		inc	eax
		retn
; 

loc_59685A:				; DATA XREF: .text:006A8DD8o
		mov	esp, [ebp+ms_exc.old_esp]
		and	[ebp+var_1C], 0

loc_596861:				; CODE XREF: PoGetRequesterOld(x,x,x)+64j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_596868:				; CODE XREF: PoGetRequesterOld(x,x,x)+55j
		xor	eax, eax
		cmp	[ebp+var_1C], eax
		setnz	al
		inc	eax
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_1C]
		mov	[ecx+18h], eax

loc_59688B:				; CODE XREF: PoGetRequesterOld(x,x,x)+1Dj
					; PoGetRequesterOld(x,x,x)+2Bj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PoGetRequesterOld@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopBsdHandleRequest(x)
_PopBsdHandleRequest@4 proc near	; CODE XREF: PopRecordSleepCheckpoint(x)+34p
					; PopSetSleepMarker(x)+75p ...
		test	cl, 8
		jz	short loc_5968B9
		call	_PopUpdateBsdPowerTransitionReferenceTime@0 ; PopUpdateBsdPowerTransitionReferenceTime()
		push	0
		push	20h
		push	offset _PopBsdPowerTransition
		push	7
		call	_RtlSetSystemBootStatus@16 ; RtlSetSystemBootStatus(x,x,x,x)
		retn
; 

loc_5968B9:				; CODE XREF: PopBsdHandleRequest(x)+3j
		or	_PopBsdUpdateRequests, ecx
		xor	edx, edx
		inc	edx
		mov	ecx, offset _PopBsdUpdateWorkItem
		jmp	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)
_PopBsdHandleRequest@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWriteBsdPoInfo(x, x)
_PopWriteBsdPoInfo@8 proc near		; CODE XREF: PopBsdUpdateWorker(x)+BCp
					; PopBsdUpdateWorker(x)+CFp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		push	0
		mov	esi, edx
		mov	edi, ecx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[ebp+var_10], eax
		mov	eax, edi
		mov	[ebp+var_C], edx
		sub	eax, 7
		jz	short loc_59694A
		sub	eax, 7
		jz	short loc_59690A
		dec	eax
		sub	eax, 1
		jz	short loc_596901
		mov	esi, 0C000000Dh
		jmp	short loc_596958
; 

loc_596901:				; CODE XREF: PopWriteBsdPoInfo(x,x)+2Cj
		push	0
		push	20h
		push	esi
		push	10h
		jmp	short loc_596951
; 

loc_59690A:				; CODE XREF: PopWriteBsdPoInfo(x,x)+26j
		push	0
		push	30h
		push	esi
		push	0Eh
		call	_RtlSetSystemBootStatus@16 ; RtlSetSystemBootStatus(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_596958
		mov	ecx, offset _PopBsdUpdateLock
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		mov	ax, word_6D4A36
		mov	edx, 0FFFFh
		cmp	ax, dx
		jnb	short loc_59693E
		inc	ax
		mov	word_6D4A36, ax

loc_59693E:				; CODE XREF: PopWriteBsdPoInfo(x,x)+68j
		mov	ecx, offset _PopBsdUpdateLock
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)
		jmp	short loc_596958
; 

loc_59694A:				; CODE XREF: PopWriteBsdPoInfo(x,x)+21j
		push	0
		push	20h
		push	esi
		push	7

loc_596951:				; CODE XREF: PopWriteBsdPoInfo(x,x)+3Cj
		call	_RtlSetSystemBootStatus@16 ; RtlSetSystemBootStatus(x,x,x,x)
		mov	esi, eax

loc_596958:				; CODE XREF: PopWriteBsdPoInfo(x,x)+33j
					; PopWriteBsdPoInfo(x,x)+4Ej ...
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[ebp+var_4], edx
		lea	ecx, [ebp+var_10]
		push	esi
		lea	edx, [ebp+var_8]
		mov	[ebp+var_8], eax
		call	PopQpcTimeInMs
		mov	edx, eax
		mov	ecx, edi
		call	_PopDiagTraceBsdWriteTime@12 ; PopDiagTraceBsdWriteTime(x,x,x)
		pop	edi
		pop	esi
		leave
		retn
_PopWriteBsdPoInfo@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PpmResetPerfEngineForProcessorEx(x,	x)
_PpmResetPerfEngineForProcessorEx@8 proc near ;	CODE XREF: PopHandleNextState(x,x)+206p
					; PopHandleNextState(x,x)+244p
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		lea	esi, [ecx+3EA0h]
		mov	bl, dl
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_5969AA
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_5969AA
		test	bl, bl
		jnz	short loc_5969AE
		mov	eax, [eax+40h]
		test	eax, eax
		jz	short loc_5969B5
		mov	ecx, [ecx+4]
		call	eax

loc_5969AA:				; CODE XREF: PpmResetPerfEngineForProcessorEx(x,x)+11j
					; PpmResetPerfEngineForProcessorEx(x,x)+18j
		test	bl, bl
		jz	short loc_5969B5

loc_5969AE:				; CODE XREF: PpmResetPerfEngineForProcessorEx(x,x)+1Cj
		mov	ecx, esi
		call	_PpmResetPerfTimes@4 ; PpmResetPerfTimes(x)

loc_5969B5:				; CODE XREF: PpmResetPerfEngineForProcessorEx(x,x)+23j
					; PpmResetPerfEngineForProcessorEx(x,x)+2Cj
		pop	esi
		pop	ebx
		pop	ecx
		retn
_PpmResetPerfEngineForProcessorEx@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxDestroyDeviceCommon(x,	x)
_PopFxDestroyDeviceCommon@8 proc near	; CODE XREF: PopFxDestroyDeviceDpm(x,x)+DFp
					; PopFxAcpiRegisterDevice(x,x,x,x,x)+A6p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		mov	edi, ebx
		lea	esi, [ecx+78h]
		not	edi
		mov	eax, [esi]

loc_5969D1:				; CODE XREF: PopFxDestroyDeviceCommon(x,x)+1Fj
		mov	edx, eax
		and	edx, edi
		lock cmpxchg [esi], edx
		jnz	short loc_5969D1
		cmp	eax, ebx
		jnz	short loc_5969F6
		mov	esi, 4D584650h
		push	esi
		push	dword ptr [ecx+74h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5969F6:				; CODE XREF: PopFxDestroyDeviceCommon(x,x)+23j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopFxDestroyDeviceCommon@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxEnforceDirectedPowerTransition(x, x, x)
_PopFxEnforceDirectedPowerTransition@12	proc near
					; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+108p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	eax, [esi+238h]
		test	al, 1
		jnz	short loc_596A73
		test	edi, edi
		jns	short loc_596A1A
		call	_PopDirectedDripsDiagTraceDfxPowerStateFailure@4 ; PopDirectedDripsDiagTraceDfxPowerStateFailure(x)

loc_596A1A:				; CODE XREF: PopFxEnforceDirectedPowerTransition(x,x,x)+17j
		mov	eax, _PopDirectedDripsDfxEnforcementPolicy
		test	eax, eax
		jz	short loc_596A73
		test	edi, edi
		jns	short loc_596A73
		cmp	_KdDebuggerEnabled, 0
		jz	short loc_596A40
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_596A40
		cmp	eax, 3
		jnz	short loc_596A40
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_596A40:				; CODE XREF: PopFxEnforceDirectedPowerTransition(x,x,x)+32j
					; PopFxEnforceDirectedPowerTransition(x,x,x)+3Bj ...
		mov	eax, [esi+1Ch]
		mov	eax, [eax+1E4h]
		and	eax, 40h
		cmp	_PopDirectedDripsDfxEnforcementPolicy, 2
		jz	short loc_596A79
		test	eax, eax
		jnz	short loc_596A73
		push	eax		; int
		push	eax		; int
		push	eax		; int
		push	eax		; int
		push	eax		; int
		movzx	eax, [ebp+arg_0]
		push	eax		; int
		push	esi		; int
		push	1A9h		; int
		push	(offset	off_5A50B0+2) ;	int
		call	_DbgkWerCaptureLiveKernelDump@36 ; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)

loc_596A73:				; CODE XREF: PopFxEnforceDirectedPowerTransition(x,x,x)+13j
					; PopFxEnforceDirectedPowerTransition(x,x,x)+25j ...
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_596A79:				; CODE XREF: PopFxEnforceDirectedPowerTransition(x,x,x)+57j
		movzx	eax, [ebp+arg_0]
		push	0
		push	eax
		push	esi
		push	6
		push	9Fh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_PopFxEnforceDirectedPowerTransition@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEstimateIdleDuration(x, x, x, x,	x, x, x, x, x, x, x)
_PpmEstimateIdleDuration@44 proc near	; CODE XREF: PpmIdlePrepare+2FBp
					; PpmIdleSelectStates+224p ...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= word ptr -44h
var_42		= word ptr -42h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_18], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_42], ax
		lea	edi, [ebp+var_10]
		stosd
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_20], ecx
		or	ebx, 0FFFFFFFFh
		mov	ecx, [ebp+arg_20]
		mov	[ebp+var_24], edx
		stosd
		mov	[ebp+var_30], ecx
		mov	[ebp+var_14], esi
		stosd
		xor	eax, eax
		mov	edi, [ebp+var_20]
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_28], eax
		mov	eax, [edi+3D70h]
		mov	al, [eax+0BCh]
		and	dword ptr [ecx], 0
		mov	[ebp+var_19], al
		xor	eax, eax
		cmp	[edi+3D0h], al
		jz	short loc_596B05
		push	8
		pop	eax
		mov	[ecx], eax

loc_596B05:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+70j
		test	dl, dl
		jz	short loc_596B0E
		or	eax, 4
		mov	[ecx], eax

loc_596B0E:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+79j
		push	[ebp+var_18]
		lea	eax, [ebp+var_38]
		mov	ecx, edi
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		mov	dl, [ebp+var_19]
		call	_KeEstimateClockTickDuration@32	; KeEstimateClockTickDuration(x,x,x,x,x,x,x,x)
		mov	edx, [edi+21D4h]
		xor	ecx, ecx
		mov	eax, edx
		mov	[ebp+var_18], ecx
		test	eax, eax
		jz	short loc_596B4A

loc_596B3A:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+B7j
		add	ecx, ds:_KeMaximumIncrement
		shr	eax, 4
		test	eax, eax
		jnz	short loc_596B3A
		mov	[ebp+var_18], ecx

loc_596B4A:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+AAj
		cmp	byte ptr [ebp+var_24], 0
		jnz	short loc_596B72
		test	edx, edx
		jz	short loc_596B72
		mov	eax, ds:_KeMaximumIncrement
		lea	ecx, [edx+1]
		xor	edx, edx
		div	ecx
		mov	ebx, eax
		cmp	ebx, 1
		jnb	short loc_596B6A
		xor	ebx, ebx
		inc	ebx

loc_596B6A:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+D7j
		mov	ecx, [ebp+var_18]
		xor	esi, esi
		mov	[ebp+var_14], esi

loc_596B72:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+C0j
					; PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+C4j
		mov	edi, [ebp+var_34]
		cmp	edi, esi
		mov	esi, [ebp+var_38]
		mov	[ebp+var_18], edi
		mov	[ebp+var_24], esi
		jb	short loc_596BA4
		ja	short loc_596B88
		cmp	esi, ebx
		jbe	short loc_596BA4

loc_596B88:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+F4j
		test	edi, edi
		ja	short loc_596B92
		jb	short loc_596B9C
		cmp	esi, ecx
		jb	short loc_596B9C

loc_596B92:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+FCj
		mov	esi, ecx
		xor	edi, edi
		mov	[ebp+var_24], esi
		mov	[ebp+var_18], edi

loc_596B9C:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+FEj
					; PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+102j
		mov	eax, [ebp+var_30]
		or	dword ptr [eax], 1
		jmp	short loc_596BB1
; 

loc_596BA4:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+F2j
					; PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+F8j
		mov	eax, edi
		mov	[ebp+var_24], esi
		mov	ebx, esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], edi

loc_596BB1:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+114j
		mov	eax, ds:_PpmIdleDurationExpirationTimeout
		or	eax, ds:dword_70EE3C
		jz	loc_596CB5
		mov	ecx, [ebp+var_20]
		cmp	byte ptr [ecx+3D0h], 0
		jz	loc_596CB5
		lea	ecx, [ebp+var_10]
		call	_PpmGetIdleConstrainedMask@4 ; PpmGetIdleConstrainedMask(x)
		test	al, al
		jz	loc_596CB5
		and	[ebp+var_2C], 0
		xor	eax, eax
		and	[ebp+var_20], 0
		mov	[ebp+var_44], ax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_4C]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	loc_596CB5
		mov	esi, [ebp+var_2C]
		mov	edi, [ebp+var_20]

loc_596C17:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+1C3j
		mov	ecx, [ebp+var_28]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, [eax+3D90h]
		mov	edx, [eax+3D94h]
		mov	eax, ecx
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_596C42
		cmp	edx, edi
		jb	short loc_596C42
		ja	short loc_596C3E
		cmp	ecx, esi
		jbe	short loc_596C42

loc_596C3E:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+1AAj
		mov	esi, ecx
		mov	edi, edx

loc_596C42:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+1A4j
					; PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+1A8j ...
		lea	eax, [ebp+var_4C]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jz	short loc_596C17
		mov	ecx, esi
		mov	[ebp+var_20], edi
		mov	edx, edi
		mov	[ebp+var_2C], esi
		mov	esi, [ebp+var_24]
		mov	eax, ecx
		or	eax, edx
		mov	edi, [ebp+var_18]
		jz	short loc_596CB5
		mov	eax, esi
		add	eax, [ebp+arg_4]
		mov	[ebp+var_18], eax
		mov	eax, edi
		adc	eax, [ebp+arg_8]
		cmp	eax, edx
		jb	short loc_596CB5
		ja	short loc_596C81
		cmp	[ebp+var_18], ecx
		jbe	short loc_596CB5

loc_596C81:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+1ECj
		mov	eax, [ebp+var_30]
		or	dword ptr [eax], 2000h
		cmp	edx, [ebp+arg_8]
		ja	short loc_596C9B
		jb	short loc_596C96
		cmp	ecx, [ebp+arg_4]
		ja	short loc_596C9B

loc_596C96:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+201j
		xor	esi, esi
		inc	esi
		jmp	short loc_596CA0
; 

loc_596C9B:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+1FFj
					; PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+206j
		mov	esi, ecx
		sub	esi, [ebp+arg_4]

loc_596CA0:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+20Bj
		mov	eax, [ebp+var_14]
		xor	edi, edi
		cmp	edi, eax
		ja	short loc_596CB8
		jb	short loc_596CAF
		cmp	esi, ebx
		jnb	short loc_596CB8

loc_596CAF:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+21Bj
		mov	ebx, esi
		mov	eax, edi
		jmp	short loc_596CB8
; 

loc_596CB5:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+12Ej
					; PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+13Ej ...
		mov	eax, [ebp+var_14]

loc_596CB8:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+219j
					; PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+21Fj ...
		cmp	eax, [ebp+arg_10]
		ja	short loc_596CD7
		jb	short loc_596CC4
		cmp	ebx, [ebp+arg_C]
		jnb	short loc_596CD7

loc_596CC4:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+22Fj
		mov	ecx, [ebp+var_30]
		mov	ebx, [ebp+arg_C]
		mov	esi, ebx
		mov	eax, [ebp+arg_10]
		mov	edi, eax
		or	dword ptr [ecx], 1000h

loc_596CD7:				; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+22Dj
					; PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+234j
		mov	ecx, [ebp+var_3C]
		mov	[ecx], esi
		mov	[ecx+4], edi
		mov	ecx, [ebp+var_40]
		pop	edi
		pop	esi
		mov	[ecx], ebx
		mov	[ecx+4], eax
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	24h
_PpmEstimateIdleDuration@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_DirectedFx__private_ReportUsageFallback(x, x, x)
_Feature_DirectedFx__private_ReportUsageFallback@12 proc near
					; CODE XREF: PopDirectedDripsQueryEnabledMitigations(x)+5Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		and	esi, 0FFFFFFFEh
		mov	edi, offset _Feature_DirectedFx__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_DirectedFx__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopScanIdleList(x, x, x)
_PopScanIdleList@12 proc near		; CODE XREF: PopIdleDetection(x,x,x)+14p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_1], al
		mov	[ebp+var_C], eax
		push	ebx
		mov	ebx, eax
		mov	eax, dword_6C2D28
		mov	[ebp+var_1C], eax
		mov	eax, dword_6C2D24
		mov	[ebp+var_28], eax
		mov	eax, _PopPolicy
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], ebx
		mov	eax, [eax+0D4h]
		mov	esi, offset _PopDopeGlobalLock
		mov	[ebp+var_20], eax
		mov	ecx, esi
		mov	eax, ds:_PopCurrentCoalescingSpindownTimeout
		mov	[ebp+var_30], edi
		mov	[ebp+var_24], eax
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	[ebp+var_2], al
		cmp	byte_6D4A50, bl
		jz	short loc_596D9C
		mov	dl, al
		mov	ecx, esi
		call	KfReleaseSpinLock
		jmp	loc_59703C
; 

loc_596D9C:				; CODE XREF: PopScanIdleList(x,x,x)+5Ej
		mov	ecx, offset _POP_ETW_EVENT_DEVICE_IDLE_START
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		mov	eax, _PopIdleDetectList
		mov	[ebp+var_14], eax
		cmp	eax, offset _PopIdleDetectList
		jz	loc_596F0E

loc_596DB9:				; CODE XREF: PopScanIdleList(x,x,x)+1CFj
		lea	esi, [eax-1Ch]
		xor	ecx, ecx
		lea	eax, [esi+4]
		xchg	ecx, [eax]
		add	[esi+0Ch], ecx
		mov	[ebp+var_2C], ecx
		test	ecx, ecx
		jnz	short loc_596DD4
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_596DDA

loc_596DD4:				; CODE XREF: PopScanIdleList(x,x,x)+9Dj
		mov	dword ptr [esi], 0

loc_596DDA:				; CODE XREF: PopScanIdleList(x,x,x)+A4j
		mov	ebx, _PopIdleScanInterval
		lock xadd [esi], ebx
		test	ebx, ebx
		jnz	short loc_596DEF
		mov	dword ptr [esi+2Ch], 1

loc_596DEF:				; CODE XREF: PopScanIdleList(x,x,x)+B8j
		cmp	[ebp+var_1C], 1
		jnz	short loc_596DFA
		mov	edi, [esi+10h]
		jmp	short loc_596DFD
; 

loc_596DFA:				; CODE XREF: PopScanIdleList(x,x,x)+C5j
		mov	edi, [esi+14h]

loc_596DFD:				; CODE XREF: PopScanIdleList(x,x,x)+CAj
		mov	ecx, [esi+24h]
		mov	eax, ecx
		sub	eax, 1
		jz	short loc_596E0B
		mov	edx, ebx
		jmp	short loc_596E69
; 

loc_596E0B:				; CODE XREF: PopScanIdleList(x,x,x)+D7j
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_596E13
		mov	edi, [ebp+var_20]

loc_596E13:				; CODE XREF: PopScanIdleList(x,x,x)+E0j
		push	ecx
		mov	ecx, [ebp+var_24]
		mov	edx, edi
		push	ebx
		call	_PopCoalescingCheck@16 ; PopCoalescingCheck(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_596E28
		inc	[ebp+var_10]

loc_596E28:				; CODE XREF: PopScanIdleList(x,x,x)+F5j
		mov	eax, [ebp+var_28]
		mov	[ebp+var_C], eax
		cmp	eax, edi
		jbe	short loc_596E35
		mov	[ebp+var_C], edi

loc_596E35:				; CODE XREF: PopScanIdleList(x,x,x)+102j
		mov	edx, [esi+3Ch]
		mov	ecx, _PopIdleScanInterval
		add	edx, ecx
		mov	eax, [esi+40h]
		test	ebx, ebx
		jnz	short loc_596E56
		add	eax, ecx
		mov	ecx, [ebp+var_C]
		cmp	eax, ecx
		jbe	short loc_596E60
		mov	edx, ecx
		mov	eax, ecx
		jmp	short loc_596E60
; 

loc_596E56:				; CODE XREF: PopScanIdleList(x,x,x)+117j
		cmp	eax, ecx
		jbe	short loc_596E5E
		sub	eax, ecx
		jmp	short loc_596E60
; 

loc_596E5E:				; CODE XREF: PopScanIdleList(x,x,x)+12Aj
		xor	eax, eax

loc_596E60:				; CODE XREF: PopScanIdleList(x,x,x)+120j
					; PopScanIdleList(x,x,x)+126j ...
		mov	ecx, [esi+24h]
		mov	[esi+3Ch], edx
		mov	[esi+40h], eax

loc_596E69:				; CODE XREF: PopScanIdleList(x,x,x)+DBj
		mov	eax, ecx
		test	edi, edi
		jz	short loc_596EC4
		cmp	edx, edi
		jb	short loc_596EC4
		cmp	dword ptr [esi+2Ch], 1
		jnz	short loc_596EC4
		test	ebx, ebx
		jnz	short loc_596E89
		test	_PopSimulate, 2000000h
		jz	short loc_596EC4

loc_596E89:				; CODE XREF: PopScanIdleList(x,x,x)+14Dj
		cmp	eax, 1
		jnz	short loc_596E96
		mov	ecx, [esi+18h]
		call	_PopDiagTraceIoCoalescingDiskIdle@4 ; PopDiagTraceIoCoalescingDiskIdle(x)

loc_596E96:				; CODE XREF: PopScanIdleList(x,x,x)+15Ej
		mov	eax, [esi+28h]
		xor	edx, edx
		mov	ecx, [esi+18h]
		push	edx
		push	edx
		push	edx
		push	offset _PopDeviceIdleCompletion@20 ; PopDeviceIdleCompletion(x,x,x,x,x)
		push	eax
		mov	dl, 2
		call	PopRequestPowerIrp
		test	eax, eax
		js	short loc_596ED0
		mov	eax, [esi+28h]
		and	dword ptr [esi+0Ch], 0
		inc	dword_6D4A4C
		mov	[esi+2Ch], eax
		jmp	short loc_596ED0
; 

loc_596EC4:				; CODE XREF: PopScanIdleList(x,x,x)+13Fj
					; PopScanIdleList(x,x,x)+143j ...
		cmp	ecx, 1
		jnz	short loc_596ED0
		test	ebx, ebx
		jnz	short loc_596ED0
		mov	[ebp+var_1], cl

loc_596ED0:				; CODE XREF: PopScanIdleList(x,x,x)+182j
					; PopScanIdleList(x,x,x)+194j ...
		push	[ebp+var_2C]
		mov	edx, ebx
		mov	ecx, esi
		call	_PopDiagTraceDeviceIdleCheck@12	; PopDiagTraceDeviceIdleCheck(x,x,x)
		mov	eax, [esi+24h]
		sub	eax, 1
		jnz	short loc_596EF0
		push	[ebp+var_C]
		mov	edx, edi
		mov	ecx, esi
		call	_PopDiagTraceDiskIdleCheck@12 ;	PopDiagTraceDiskIdleCheck(x,x,x)

loc_596EF0:				; CODE XREF: PopScanIdleList(x,x,x)+1B4j
		mov	eax, [ebp+var_14]
		mov	eax, [eax]
		mov	[ebp+var_14], eax
		cmp	eax, offset _PopIdleDetectList
		jnz	loc_596DB9
		mov	ebx, [ebp+var_10]
		mov	esi, offset _PopDopeGlobalLock
		mov	edi, [ebp+var_30]

loc_596F0E:				; CODE XREF: PopScanIdleList(x,x,x)+85j
		mov	ecx, offset _POP_ETW_EVENT_DEVICE_IDLE_END
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		mov	dl, [ebp+var_2]
		mov	ecx, esi
		call	KfReleaseSpinLock
		mov	esi, _PopIdleBackgroundIgnoreCount
		test	esi, esi
		jz	short loc_596F33
		dec	esi
		mov	_PopIdleBackgroundIgnoreCount, esi

loc_596F33:				; CODE XREF: PopScanIdleList(x,x,x)+1FCj
		mov	eax, _PopBackgroundTaskIgnoreCount
		test	eax, eax
		jz	short loc_596F42
		dec	eax
		mov	_PopBackgroundTaskIgnoreCount, eax

loc_596F42:				; CODE XREF: PopScanIdleList(x,x,x)+20Cj
		test	edi, edi
		jz	short loc_596F76
		mov	ecx, _PopIdleScanInterval
		xor	edx, edx	; Length
		lea	eax, [ecx+0B3h]
		div	ecx
		mov	ecx, [ebp+arg_4]
		cmp	[ebp+arg_0], eax
		jnz	short loc_596F62
		test	ecx, ecx
		jz	short loc_596F76

loc_596F62:				; CODE XREF: PopScanIdleList(x,x,x)+22Ej
		test	ecx, ecx
		ja	short loc_596F7D
		jb	short loc_596F6D
		cmp	[ebp+arg_0], eax
		jnb	short loc_596F7D

loc_596F6D:				; CODE XREF: PopScanIdleList(x,x,x)+238j
		mov	_PopBackgroundTaskAllowed, 0
		jmp	short loc_596F7D
; 

loc_596F76:				; CODE XREF: PopScanIdleList(x,x,x)+216j
					; PopScanIdleList(x,x,x)+232j
		mov	_PopBackgroundTaskAllowed, 1

loc_596F7D:				; CODE XREF: PopScanIdleList(x,x,x)+236j
					; PopScanIdleList(x,x,x)+23Dj ...
		test	ebx, ebx
		jz	short loc_596F8B
		cmp	[ebp+var_1], 0
		jz	loc_59703C

loc_596F8B:				; CODE XREF: PopScanIdleList(x,x,x)+251j
		test	esi, esi
		jnz	short loc_596FD1
		cmp	dword_6C2D0C, esi
		jnz	short loc_596FD1
		lea	eax, [ebp+var_18]
		mov	esi, offset _GUID_IDLE_BACKGROUND_TASK
		push	eax		; int
		push	ecx		; int
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax		; void *
		push	3		; int
		call	_PopGetPowerSettingValue@24 ; PopGetPowerSettingValue(x,x,x,x,x,x)
		inc	[ebp+var_8]
		lea	eax, [ebp+var_8]
		push	eax		; void *
		push	4
		pop	edx
		mov	ecx, esi	; int
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		mov	ecx, _PopIdleScanInterval
		xor	edx, edx
		lea	eax, [ecx+3Bh]
		div	ecx
		mov	_PopIdleBackgroundIgnoreCount, eax

loc_596FD1:				; CODE XREF: PopScanIdleList(x,x,x)+25Fj
					; PopScanIdleList(x,x,x)+267j
		cmp	_PopBackgroundTaskIgnoreCount, 0
		jnz	short loc_59703C
		cmp	dword_6C2D0C, 0
		jnz	short loc_59703C
		cmp	_PopSIdle, 32h
		jl	short loc_59703C
		cmp	_PopBackgroundTaskAllowed, 0
		jz	short loc_59703C
		lea	eax, [ebp+var_18]
		xor	ebx, ebx
		push	eax		; int
		push	ecx		; int
		lea	eax, [ebp+var_8]
		mov	esi, offset _GUID_BACKGROUND_TASK_NOTIFICATION
		push	eax		; void *
		push	ebx		; int
		mov	ecx, esi
		call	_PopGetPowerSettingValue@24 ; PopGetPowerSettingValue(x,x,x,x,x,x)
		inc	[ebp+var_8]
		lea	eax, [ebp+var_8]
		push	eax		; void *
		push	4		; Length
		push	ebx		; int
		or	edx, 0FFFFFFFFh
		mov	ecx, esi
		call	PopSetPowerSettingValue
		mov	ecx, _PopIdleScanInterval
		xor	edx, edx
		mov	_PopBackgroundTaskAllowed, bl
		lea	eax, [ecx+0B3h]
		div	ecx
		mov	_PopBackgroundTaskIgnoreCount, eax

loc_59703C:				; CODE XREF: PopScanIdleList(x,x,x)+69j
					; PopScanIdleList(x,x,x)+257j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	8
_PopScanIdleList@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_Servicing_HibernateRelaxVBSPolicy__private_IsEnabledFallback(x, x, x)
_Feature_Servicing_HibernateRelaxVBSPolicy__private_IsEnabledFallback@12 proc near
					; CODE XREF: Feature_Servicing_HibernateRelaxVBSPolicy__private_IsEnabledNoReporting()+1Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, (offset loc_6AAECB+1)
		push	[ebp+arg_0]
		push	ecx
		call	_wil_details_IsEnabledFallback@20 ; wil_details_IsEnabledFallback(x,x,x,x,x)
		pop	ebp
		retn	8
_Feature_Servicing_HibernateRelaxVBSPolicy__private_IsEnabledFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_Servicing_HibernateRelaxVBSPolicy__private_IsEnabledNoReporting()
_Feature_Servicing_HibernateRelaxVBSPolicy__private_IsEnabledNoReporting@0 proc	near
					; CODE XREF: PopBuildMemoryImageHeader(x,x)+1DFp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_Servicing_HibernateRelaxVBSPolicy__private_featureState
		test	al, 2
		jz	short loc_597075
		and	eax, 1
		leave
		retn
; 

loc_597075:				; CODE XREF: Feature_Servicing_HibernateRelaxVBSPolicy__private_IsEnabledNoReporting()+Ej
		push	0
		push	eax
		xor	ecx, ecx
		call	_Feature_Servicing_HibernateRelaxVBSPolicy__private_IsEnabledFallback@12 ; Feature_Servicing_HibernateRelaxVBSPolicy__private_IsEnabledFallback(x,x,x)
		leave
		retn
_Feature_Servicing_HibernateRelaxVBSPolicy__private_IsEnabledNoReporting@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledDeviceUsage()
_Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledDeviceUsage@0 proc near
					; CODE XREF: PopUpdatePowerActionWatchdogTimeouts()+3p
					; PopEnableSystemSleepCheckpoint()+25p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_SleepReliabilityDetailedDiagnostics__private_featureState
		test	al, 10h
		jz	short loc_597097
		and	eax, 1
		leave
		retn
; 

loc_597097:				; CODE XREF: Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledDeviceUsage()+Ej
		push	0
		push	eax
		push	3
		pop	ecx
		call	_Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledFallback@12 ; Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledFallback(x,x,x)
		leave
		retn
_Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledFallback(x, x, x)
_Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledFallback@12 proc	near
					; CODE XREF: Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledDeviceUsage()+1Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, offset _Feature_SleepReliabilityDetailedDiagnostics__private_descriptor
		push	[ebp+arg_0]
		push	ecx
		call	_wil_details_IsEnabledFallback@20 ; wil_details_IsEnabledFallback(x,x,x,x,x)
		pop	ebp
		retn	8
_Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceBsdWriteTime(x,	x, x)
_PopDiagTraceBsdWriteTime@12 proc near	; CODE XREF: PopWriteBsdPoInfo(x,x)+AAp

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		mov	ebx, ecx
		test	edi, edi
		js	short loc_5970E9
		test	esi, esi
		jz	loc_597182

loc_5970E9:				; CODE XREF: PopDiagTraceBsdWriteTime(x,x,x)+21j
		cmp	dword_6B23F8, 5
		jbe	loc_597182
		push	2000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_597182
		push	4
		pop	edx
		lea	eax, [ebp+var_70]
		mov	[ebp+var_70], ebx
		mov	[ebp+var_4C], eax
		xor	ebx, ebx
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_48], ebx
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_74]
		push	8
		pop	ecx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	6
		push	ebx
		push	ebx
		push	offset byte_41D85F
		push	offset dword_6B23F8
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_7C], esi
		mov	[ebp+var_78], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_74], edi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_84], 1000000h
		mov	[ebp+var_80], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_597182:				; CODE XREF: PopDiagTraceBsdWriteTime(x,x,x)+25j
					; PopDiagTraceBsdWriteTime(x,x,x)+32j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceBsdWriteTime@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_PowerButtonBugcheck__private_ReportUsageFallback(x,	x, x)
_Feature_PowerButtonBugcheck__private_ReportUsageFallback@12 proc near
					; CODE XREF: PopQueryPowerButtonBugcheckEnabled()+6Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		and	esi, 0FFFFFFFEh
		mov	edi, offset _Feature_PowerButtonBugcheck__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_PowerButtonBugcheck__private_ReportUsageFallback@12 endp

; 
		align 10h
; Exported entry 1842. PsIsComponentEnabled

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsComponentEnabled(x)
		public _PsIsComponentEnabled@4
_PsIsComponentEnabled@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+4C8h]
		and	eax, [ebp+arg_0]
		neg	eax
		sbb	al, al
		inc	al
		pop	ebp
		retn	4
_PsIsComponentEnabled@4	endp


;  S U B	R O U T	I N E 


; __stdcall RtlSetSystemGlobalData(x, x, x)
_RtlSetSystemGlobalData@12 proc	near	; CODE XREF: ExpRefreshTimeZoneInformation(x)+595p
		mov	edi, edi
		push	esi
		mov	esi, edx
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_597217
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+28Ch]
		mov	eax, [esi]
		mov	[ecx+248h], eax
		jmp	short loc_59721E
; 

loc_597217:				; CODE XREF: RtlSetSystemGlobalData(x,x,x)+Cj
		mov	eax, [esi]
		mov	ds:0FFDF0240h, eax

loc_59721E:				; CODE XREF: RtlSetSystemGlobalData(x,x,x)+21j
		xor	eax, eax
		pop	esi
		retn	4
_RtlSetSystemGlobalData@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	LdrpCompareResourceNamesWithValidation(wchar_t *,int,int,int)
_LdrpCompareResourceNamesWithValidation@24 proc	near
					; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+680p
					; LdrpSearchResourceSection_U(x,x,x,x,x)+727p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	byte ptr [eax],	1
		mov	eax, [ebp+arg_8]
		mov	edi, [eax]
		test	esi, 0FFFF0000h
		jz	short loc_597287
		test	edi, edi
		js	short loc_59724A
		or	eax, 0FFFFFFFFh
		jmp	short loc_597294
; 

loc_59724A:				; CODE XREF: LdrpCompareResourceNamesWithValidation(x,x,x,x,x,x)+1Fj
		and	edi, 7FFFFFFFh
		add	edi, [ebp+arg_4]
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		lea	eax, [edi+2]
		push	eax		; wchar_t *
		push	esi		; wchar_t *
		call	_wcsncmp
		mov	ecx, eax
		add	esp, 0Ch
		test	ecx, ecx
		jnz	short loc_597283
		lea	edx, [esi+2]

loc_59726D:				; CODE XREF: LdrpCompareResourceNamesWithValidation(x,x,x,x,x,x)+52j
		mov	ax, [esi]
		add	esi, 2
		test	ax, ax
		jnz	short loc_59726D
		movzx	eax, word ptr [edi]
		sub	esi, edx
		sar	esi, 1
		cmp	esi, eax
		jnz	short loc_59728B

loc_597283:				; CODE XREF: LdrpCompareResourceNamesWithValidation(x,x,x,x,x,x)+44j
		mov	eax, ecx
		jmp	short loc_597294
; 

loc_597287:				; CODE XREF: LdrpCompareResourceNamesWithValidation(x,x,x,x,x,x)+1Bj
		test	edi, edi
		jns	short loc_597290

loc_59728B:				; CODE XREF: LdrpCompareResourceNamesWithValidation(x,x,x,x,x,x)+5Dj
		xor	eax, eax
		inc	eax
		jmp	short loc_597294
; 

loc_597290:				; CODE XREF: LdrpCompareResourceNamesWithValidation(x,x,x,x,x,x)+65j
		sub	esi, edi
		mov	eax, esi

loc_597294:				; CODE XREF: LdrpCompareResourceNamesWithValidation(x,x,x,x,x,x)+24j
					; LdrpCompareResourceNamesWithValidation(x,x,x,x,x,x)+61j ...
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_LdrpCompareResourceNamesWithValidation@24 endp


;  S U B	R O U T	I N E 


; __stdcall RtlLengthSecurityDescriptorStrict(x)
_RtlLengthSecurityDescriptorStrict@4 proc near
					; CODE XREF: CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+88p
					; CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+A1p ...
		jmp	_SepSecurityDescriptorStrictLength@4 ; SepSecurityDescriptorStrictLength(x)
_RtlLengthSecurityDescriptorStrict@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall RtlpAcquireBootStatusLock()
_RtlpAcquireBootStatusLock@0 proc near	; CODE XREF: RtlUnlockBootStatusData(x)+16p
					; RtlLockBootStatusData(x)+3Bp
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		mov	ecx, offset _RtlpBootStatHandleLock
		jmp	ExAcquirePushLockExclusiveEx
_RtlpAcquireBootStatusLock@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RtlpReleaseBootStatusLock()
_RtlpReleaseBootStatusLock@0 proc near	; CODE XREF: RtlUnlockBootStatusData(x):loc_7D733Ep
					; RtlLockBootStatusData(x):loc_7D7463p
		mov	edi, edi
		push	esi
		or	eax, 0FFFFFFFFh
		mov	esi, offset _RtlpBootStatHandleLock
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5972CE
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5972CE:				; CODE XREF: RtlpReleaseBootStatusLock()+13j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_RtlpReleaseBootStatusLock@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpAllocVirtBlockCommitFirst(x, x, x, x)
_RtlpHpAllocVirtBlockCommitFirst@16 proc near
					; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+5BBp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	edi
		mov	ebx, edx
		add	eax, 1000h
		push	4
		push	1000h
		xor	edi, edi
		add	eax, [ebx]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], edi
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_597371
		push	esi
		mov	esi, 4000h
		cmp	[ebp+arg_0], edi
		jbe	short loc_597330
		push	esi
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)

loc_597330:				; CODE XREF: RtlpHpAllocVirtBlockCommitFirst(x,x,x,x)+42j
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		add	ecx, 0FFFFF000h
		add	eax, ecx
		mov	[ebp+var_C], 1000h
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_C]
		push	esi
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)
		mov	edx, [ebp+var_8]
		mov	ecx, edx
		mov	edi, [ebp+var_4]
		sub	ecx, [ebp+var_C]
		add	edi, [ebp+arg_0]
		sub	ecx, [ebp+arg_0]
		mov	[ebx], ecx
		mov	ecx, [ebp+arg_4]
		pop	esi
		mov	[ecx], edx

loc_597371:				; CODE XREF: RtlpHpAllocVirtBlockCommitFirst(x,x,x,x)+37j
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn	8
_RtlpHpAllocVirtBlockCommitFirst@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlQueryFeatureConfigurationFromBuffers(x, x, x, x)
_RtlQueryFeatureConfigurationFromBuffers@16 proc near
					; CODE XREF: wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)+53p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		cmp	[ebp+arg_0], 2
		push	esi
		mov	esi, edx
		jb	short loc_597392
		mov	eax, 0C000000Dh
		jmp	short loc_5973C8
; 

loc_597392:				; CODE XREF: RtlQueryFeatureConfigurationFromBuffers(x,x,x,x)+Fj
		mov	eax, [ecx]
		xor	edx, edx
		push	[ebp+arg_4]
		mov	[ebp+var_18], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_14], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_8], eax
		mov	eax, [ecx+0Ch]
		mov	ecx, esi
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		lea	edx, [ebp+var_20]
		push	eax
		call	_RtlpFcQueryFeatureConfigurationFromBuffers@16 ; RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)

loc_5973C8:				; CODE XREF: RtlQueryFeatureConfigurationFromBuffers(x,x,x,x)+16j
		pop	esi
		leave
		retn	8
_RtlQueryFeatureConfigurationFromBuffers@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStackTraceHashFunction(x, x)
_RtlStackTraceHashFunction@8 proc near	; DATA XREF: RtlTraceDatabaseCreate(x,x,x,x,x)+93o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	esi, esi
		lea	ebx, [eax+eax]
		mov	eax, esi
		test	ebx, ebx
		jz	short loc_5973FB
		push	edi
		mov	edi, [ebp+arg_4]

loc_5973E6:				; CODE XREF: RtlStackTraceHashFunction(x,x)+2Bj
		movzx	edx, word ptr [edi+eax*2+2]
		movzx	ecx, word ptr [edi+eax*2]
		add	eax, 2
		xor	edx, ecx
		add	esi, edx
		cmp	eax, ebx
		jb	short loc_5973E6
		pop	edi

loc_5973FB:				; CODE XREF: RtlStackTraceHashFunction(x,x)+13j
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_RtlStackTraceHashFunction@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RtlFcpCompareFeatureToFeature(x, x)
_RtlFcpCompareFeatureToFeature@8 proc near
					; CODE XREF: RtlpFcValidateFeatureConfigurationBuffer(x,x)+86p
		mov	eax, [ecx]
		push	esi
		cmp	eax, [edx]
		ja	short loc_597428
		jb	short loc_597423
		mov	eax, [ecx+4]
		mov	ecx, [edx+4]
		and	eax, 0Fh
		and	ecx, 0Fh
		cmp	eax, ecx
		jb	short loc_597428
		ja	short loc_597423
		xor	eax, eax
		pop	esi
		retn
; 

loc_597423:				; CODE XREF: RtlFcpCompareFeatureToFeature(x,x)+7j
					; RtlFcpCompareFeatureToFeature(x,x)+19j
		or	eax, 0FFFFFFFFh
		pop	esi
		retn
; 

loc_597428:				; CODE XREF: RtlFcpCompareFeatureToFeature(x,x)+5j
					; RtlFcpCompareFeatureToFeature(x,x)+17j
		xor	eax, eax
		inc	eax
		pop	esi
		retn
_RtlFcpCompareFeatureToFeature@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RtlpFcCompareUsageSubscriptionToUsageSubscription(x, x)
_RtlpFcCompareUsageSubscriptionToUsageSubscription@8 proc near
					; CODE XREF: RtlpFcValidateFeatureUsageSubscriptionBuffer(x,x)+70p
					; RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+41p	...
		mov	eax, [ecx]
		push	esi
		cmp	eax, [edx]
		ja	short loc_597463
		jb	short loc_59745E
		movzx	eax, word ptr [ecx+4]
		movzx	esi, word ptr [edx+4]
		cmp	ax, si
		ja	short loc_597463
		jb	short loc_59745E
		mov	eax, [ecx+8]
		cmp	eax, [edx+8]
		ja	short loc_597463
		jb	short loc_59745E
		mov	eax, [ecx+0Ch]
		cmp	eax, [edx+0Ch]
		ja	short loc_597463
		jb	short loc_59745E
		xor	eax, eax
		pop	esi
		retn
; 

loc_59745E:				; CODE XREF: RtlpFcCompareUsageSubscriptionToUsageSubscription(x,x)+7j
					; RtlpFcCompareUsageSubscriptionToUsageSubscription(x,x)+16j ...
		or	eax, 0FFFFFFFFh
		pop	esi
		retn
; 

loc_597463:				; CODE XREF: RtlpFcCompareUsageSubscriptionToUsageSubscription(x,x)+5j
					; RtlpFcCompareUsageSubscriptionToUsageSubscription(x,x)+14j ...
		xor	eax, eax
		inc	eax
		pop	esi
		retn
_RtlpFcCompareUsageSubscriptionToUsageSubscription@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpIsImmutableFeatureConfigurationPriority(x)
_RtlpIsImmutableFeatureConfigurationPriority@4 proc near
					; CODE XREF: RtlpFcAreSortedFeatureUpdatesValid(x,x)+47p
		test	ecx, ecx
		jz	short loc_597479
		cmp	ecx, 9
		jz	short loc_597479
		cmp	ecx, 0Fh
		jz	short loc_597479
		xor	al, al
		retn
; 

loc_597479:				; CODE XREF: RtlpIsImmutableFeatureConfigurationPriority(x)+2j
					; RtlpIsImmutableFeatureConfigurationPriority(x)+7j ...
		mov	al, 1
		retn
_RtlpIsImmutableFeatureConfigurationPriority@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_WCOSDeveloperMode__private_ReportUsageFallback(x, x, x)
_Feature_WCOSDeveloperMode__private_ReportUsageFallback@12 proc	near
					; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+85p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_WCOSDeveloperMode__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_WCOSDeveloperMode__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_WldpDeveloperMode__private_ReportDeviceUsage()
_Feature_WldpDeveloperMode__private_ReportDeviceUsage@0	proc near
					; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x):loc_79F41Ep
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_WldpDeveloperMode__private_featureState
		test	al, 10h
		jnz	short locret_5974CA
		push	0
		push	eax
		call	_Feature_WldpDeveloperMode__private_ReportUsageFallback@12 ; Feature_WldpDeveloperMode__private_ReportUsageFallback(x,x,x)

locret_5974CA:				; CODE XREF: Feature_WldpDeveloperMode__private_ReportDeviceUsage()+Ej
		leave
		retn
_Feature_WldpDeveloperMode__private_ReportDeviceUsage@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_WldpDeveloperMode__private_ReportUsageFallback(x, x, x)
_Feature_WldpDeveloperMode__private_ReportUsageFallback@12 proc	near
					; CODE XREF: Feature_WldpDeveloperMode__private_ReportDeviceUsage()+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_WldpDeveloperMode__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_WldpDeveloperMode__private_ReportUsageFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_2543631672__private_IsEnabledDeviceUsage()
_Feature_2543631672__private_IsEnabledDeviceUsage@0 proc near
					; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2DC7p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, _Feature_2543631672__private_featureState
		test	al, 10h
		jz	short loc_59751A
		and	eax, 1
		jmp	short loc_597525
; 

loc_59751A:				; CODE XREF: Feature_2543631672__private_IsEnabledDeviceUsage()+11j
		push	0
		push	eax
		push	3
		pop	ecx
		call	_Feature_2543631672__private_IsEnabledFallback@12 ; Feature_2543631672__private_IsEnabledFallback(x,x,x)

loc_597525:				; CODE XREF: Feature_2543631672__private_IsEnabledDeviceUsage()+16j
		mov	esp, ebp
		pop	ebp
		retn
_Feature_2543631672__private_IsEnabledDeviceUsage@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_2543631672__private_IsEnabledFallback(x, x,	x)
_Feature_2543631672__private_IsEnabledFallback@12 proc near
					; CODE XREF: Feature_2543631672__private_IsEnabledDeviceUsage()+1Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, offset _Feature_2543631672__private_descriptor
		push	[ebp+arg_0]
		push	ecx
		call	_wil_details_IsEnabledFallback@20 ; wil_details_IsEnabledFallback(x,x,x,x,x)
		pop	ebp
		retn	8
_Feature_2543631672__private_IsEnabledFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_693672248__private_IsEnabledDeviceUsage()
_Feature_693672248__private_IsEnabledDeviceUsage@0 proc	near
					; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+86p
					; SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+114p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_693672248__private_featureState
		test	al, 10h
		jz	short loc_597559
		and	eax, 1
		leave
		retn
; 

loc_597559:				; CODE XREF: Feature_693672248__private_IsEnabledDeviceUsage()+Ej
		push	0
		push	eax
		push	3
		pop	ecx
		call	_Feature_693672248__private_IsEnabledFallback@12 ; Feature_693672248__private_IsEnabledFallback(x,x,x)
		leave
		retn
_Feature_693672248__private_IsEnabledDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_693672248__private_IsEnabledFallback(x, x, x)
_Feature_693672248__private_IsEnabledFallback@12 proc near
					; CODE XREF: Feature_693672248__private_IsEnabledDeviceUsage()+1Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, offset _Feature_693672248__private_descriptor
		push	[ebp+arg_0]
		push	ecx
		call	_wil_details_IsEnabledFallback@20 ; wil_details_IsEnabledFallback(x,x,x,x,x)
		pop	ebp
		retn	8
_Feature_693672248__private_IsEnabledFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_PPLEnforcement__private_ReportDeviceUsage()
_Feature_PPLEnforcement__private_ReportDeviceUsage@0 proc near
					; CODE XREF: SeQueryInformationToken(x,x,x):loc_81B024p
					; NtQueryInformationToken(x,x,x,x,x):loc_827EA9p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, _Feature_PPLEnforcement__private_featureState
		test	al, 10h
		jnz	short loc_59759B
		push	0
		push	eax
		call	_Feature_PPLEnforcement__private_ReportUsageFallback@12	; Feature_PPLEnforcement__private_ReportUsageFallback(x,x,x)

loc_59759B:				; CODE XREF: Feature_PPLEnforcement__private_ReportDeviceUsage()+11j
		mov	esp, ebp
		pop	ebp
		retn
_Feature_PPLEnforcement__private_ReportDeviceUsage@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_PPLEnforcement__private_ReportUsageFallback(x, x, x)
_Feature_PPLEnforcement__private_ReportUsageFallback@12	proc near
					; CODE XREF: Feature_PPLEnforcement__private_ReportDeviceUsage()+16p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		and	esi, 0FFFFFFFEh
		mov	edi, offset _Feature_PPLEnforcement__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_PPLEnforcement__private_ReportUsageFallback@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_RelaxTcbForUWP__private_ReportDeviceUsage()
_Feature_RelaxTcbForUWP__private_ReportDeviceUsage@0 proc near ; CODE XREF: PAGE:007EA15Bp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, _Feature_RelaxTcbForUWP__private_featureState
		test	al, 10h
		jnz	short loc_5975F1
		push	0
		push	eax
		call	_Feature_RelaxTcbForUWP__private_ReportUsageFallback@12	; Feature_RelaxTcbForUWP__private_ReportUsageFallback(x,x,x)

loc_5975F1:				; CODE XREF: Feature_RelaxTcbForUWP__private_ReportDeviceUsage()+11j
		mov	esp, ebp
		pop	ebp
		retn
_Feature_RelaxTcbForUWP__private_ReportDeviceUsage@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_RelaxTcbForUWP__private_ReportUsageFallback(x, x, x)
_Feature_RelaxTcbForUWP__private_ReportUsageFallback@12	proc near
					; CODE XREF: Feature_RelaxTcbForUWP__private_ReportDeviceUsage()+16p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		and	esi, 0FFFFFFFEh
		mov	edi, offset _Feature_RelaxTcbForUWP__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_RelaxTcbForUWP__private_ReportUsageFallback@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSetProcessTrustLabelAceForToken(x)
_SepSetProcessTrustLabelAceForToken@4 proc near	; CODE XREF: SepFinalizeTokenAcls(x)+1Aj

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		xor	eax, eax
		mov	[esp+4Ch+var_28], ecx
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+58h+var_10]
		xor	edx, edx
		stosd
		mov	[esp+58h+var_40], edx
		mov	byte ptr [esp+58h+var_30], dl
		mov	[esp+58h+var_3C], edx
		stosd
		mov	[esp+58h+var_34], edx
		mov	[esp+58h+var_2C], edx
		stosd
		xor	eax, eax
		lea	edi, [esp+58h+var_24]
		stosd
		stosd
		stosd
		stosd
		stosd
		test	ecx, ecx
		jnz	short loc_597681
		mov	esi, 0C000000Dh
		jmp	loc_59787C
; 

loc_597681:				; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+49j
		mov	eax, [ecx+280h]
		mov	[esp+58h+var_44], eax
		lea	eax, [esp+58h+var_30]
		push	eax
		lea	eax, [esp+5Ch+var_40]
		mov	[esp+5Ch+var_38], 8
		push	eax
		push	ecx
		mov	[esp+64h+var_48], 2
		call	_ObGetObjectSecurity@12	; ObGetObjectSecurity(x,x,x)
		mov	edi, [esp+58h+var_40]
		mov	esi, eax
		test	esi, esi
		js	loc_59786E
		test	edi, edi
		jz	loc_59787C
		movzx	eax, word ptr [edi+2]
		test	al, 10h
		jz	loc_597765
		test	ax, ax
		jns	short loc_5976E2
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	loc_597765
		lea	ebx, [eax+edi]
		jmp	short loc_5976E5
; 

loc_5976E2:				; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+A4j
		mov	ebx, [edi+0Ch]

loc_5976E5:				; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+B4j
		test	ebx, ebx
		jz	short loc_597765
		lea	eax, [esp+58h+var_2C]
		push	eax
		push	14h
		push	ebx
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		mov	esi, eax
		mov	eax, [esp+58h+var_44]
		test	eax, eax
		jnz	loc_59779D
		test	esi, esi
		jz	loc_5977BE

loc_59770C:				; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+173j
					; SepSetProcessTrustLabelAceForToken(x)+185j
		push	2
		push	0Ch
		lea	eax, [esp+60h+var_10]
		push	eax
		push	ebx
		call	_RtlQueryInformationAcl@16 ; RtlQueryInformationAcl(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_59786E
		mov	eax, [esp+58h+var_C]
		push	1
		mov	[esp+5Ch+var_38], eax
		lea	eax, [esp+5Ch+var_3C]
		push	4
		push	eax
		push	ebx
		call	_RtlQueryInformationAcl@16 ; RtlQueryInformationAcl(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_59786E
		mov	eax, [esp+58h+var_3C]
		mov	[esp+58h+var_48], eax
		lea	eax, [esp+58h+var_34]
		push	eax
		push	0
		push	ebx
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_59786E

loc_597765:				; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+9Bj
					; SepSetProcessTrustLabelAceForToken(x)+ABj ...
		mov	eax, [esp+58h+var_44]
		test	eax, eax
		jz	short loc_5977BE
		mov	ecx, [esp+58h+var_38]
		movzx	eax, byte ptr [eax+1]
		add	ecx, 10h
		push	63416553h
		lea	esi, [ecx+eax*4]
		push	esi
		push	0
		push	100h
		call	_ExAllocatePool2@16 ; ExAllocatePool2(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_5977C5
		mov	esi, 0C000009Ah
		jmp	loc_59786E
; 

loc_59779D:				; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+D2j
		test	esi, esi
		jz	loc_59770C
		push	eax
		lea	eax, [esi+8]
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	loc_59770C
		and	dword ptr [esi+4], 2001Eh

loc_5977BE:				; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+DAj
					; SepSetProcessTrustLabelAceForToken(x)+13Fj
		xor	esi, esi
		jmp	loc_59786E
; 

loc_5977C5:				; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+165j
		push	[esp+68h+var_58] ; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_597866
		mov	ecx, [esp+68h+var_44]
		test	ecx, ecx
		jz	short loc_5977FD
		mov	eax, [esp+68h+var_1C]
		add	eax, 0FFFFFFF8h
		push	eax
		push	ecx
		push	0
		push	[esp+74h+var_58]
		push	ebx
		call	RtlAddAce
		mov	esi, eax
		test	esi, esi
		js	short loc_597866

loc_5977FD:				; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+1B4j
		mov	eax, [esp+68h+var_54]
		push	2001Eh
		push	14h
		push	eax
		push	0
		push	2
		push	ebx
		call	RtlAddProcessTrustLabelAce
		mov	esi, eax
		test	esi, esi
		js	short loc_597866
		push	1
		lea	eax, [esp+6Ch+var_34]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_597866
		push	0
		push	ebx
		push	1
		lea	eax, [esp+74h+var_34]
		push	eax
		call	_RtlSetSaclSecurityDescriptor@16 ; RtlSetSaclSecurityDescriptor(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_597866
		mov	ax, [edi+2]
		mov	ecx, 2830h
		and	ax, cx
		or	word ptr [esp+68h+var_34+2], ax
		lea	eax, [esp+68h+var_34]
		push	eax
		push	1F8h
		push	[esp+70h+var_38]
		call	_ObSetSecurityObjectByPointer@12 ; ObSetSecurityObjectByPointer(x,x,x)
		mov	esi, eax

loc_597866:				; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+1A8j
					; SepSetProcessTrustLabelAceForToken(x)+1CFj ...
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_59786E:				; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+87j
					; SepSetProcessTrustLabelAceForToken(x)+F3j ...
		test	edi, edi
		jz	short loc_59787C
		push	[esp+68h+var_40]
		push	edi
		call	_ObReleaseObjectSecurity@8 ; ObReleaseObjectSecurity(x,x)

loc_59787C:				; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+50j
					; SepSetProcessTrustLabelAceForToken(x)+8Fj ...
		mov	ecx, [esp+68h+var_14]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_SepSetProcessTrustLabelAceForToken@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SModeAdminless__private_ReportDeviceUsage()
_Feature_SModeAdminless__private_ReportDeviceUsage@0 proc near
					; CODE XREF: SepIsAdminlessEnforcementModeEnabled()+Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, _Feature_SModeAdminless__private_featureState
		test	al, 10h
		jnz	short loc_5978AB
		push	0
		push	eax
		call	_Feature_SModeAdminless__private_ReportUsageFallback@12	; Feature_SModeAdminless__private_ReportUsageFallback(x,x,x)

loc_5978AB:				; CODE XREF: Feature_SModeAdminless__private_ReportDeviceUsage()+11j
		mov	esp, ebp
		pop	ebp
		retn
_Feature_SModeAdminless__private_ReportDeviceUsage@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_SModeAdminless__private_ReportUsageFallback(x, x, x)
_Feature_SModeAdminless__private_ReportUsageFallback@12	proc near
					; CODE XREF: Feature_SModeAdminless__private_ReportDeviceUsage()+16p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		and	esi, 0FFFFFFFEh
		mov	edi, offset _Feature_SModeAdminless__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_SModeAdminless__private_ReportUsageFallback@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeTokenGetRedirectionTrustPolicy(x,	x, x)
_SeTokenGetRedirectionTrustPolicy@12 proc near
					; CODE XREF: IoCheckRedirectionTrustLevel(x,x,x,x,x)+6Ep
					; IoCheckRedirectionTrustLevel(x,x,x,x,x)+88p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceSharedLite
		mov	ecx, [esi+30h]
		mov	ebx, [esi+0B0h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, ebx
		shr	ebx, 18h
		shr	eax, 17h
		and	al, 1
		and	bl, 1
		mov	[edi], al
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		mov	[eax], bl
		pop	ebx
		pop	ebp
		retn	4
_SeTokenGetRedirectionTrustPolicy@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeTokenSetRedirectionTrustPolicy(x,	x)
_SeTokenSetRedirectionTrustPolicy@8 proc near
					; CODE XREF: PspSetRedirectionTrustPolicy(x,x)+19p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	bl, dl
		mov	esi, ecx
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, [esi+0B0h]
		test	bl, bl
		jz	short loc_59796E
		and	eax, 0FF7FFFFFh
		or	eax, 1000000h
		jmp	short loc_597978
; 

loc_59796E:				; CODE XREF: SeTokenSetRedirectionTrustPolicy(x,x)+30j
		and	eax, 0FEFFFFFFh
		or	eax, 800000h

loc_597978:				; CODE XREF: SeTokenSetRedirectionTrustPolicy(x,x)+3Cj
		lea	ecx, [esi+34h]
		mov	[esi+0B0h], eax
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	esi
		pop	ebx
		leave
		retn
_SeTokenSetRedirectionTrustPolicy@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	B_TREE<union _SM_PAGE_KEY, struct SMKM_STORE_MGR<struct	SM_TRAITS>::SMKM_FRONTEND_ENTRY, 4096, struct B_TREE_DUMMY_NODE_POOL, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::BTreeSearchResultDeref(struct B_TREE<union _SM_PAGE_KEY, struct SMKM_STORE_MGR<struct SM_TRAITS>::SMKM_FRONTEND_ENTRY,	4096, struct B_TREE_DUMMY_NODE_POOL, struct B_TREE_KEY_COMPARATOR<union	_SM_PAGE_KEY>> *, struct B_TREE<union _SM_PAGE_KEY, struct SMKM_STORE_MGR<struct SM_TRAITS>::SMKM_FRONTEND_ENTRY, 4096,	struct B_TREE_DUMMY_NODE_POOL, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::SEARCH_RESULT	*)
?BTreeSearchResultDeref@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUSEARCH_RESULT@1@@Z proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+130F16p
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+122A27p	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		cmp	dword ptr [edx+0Ch], 0FFFFFFFFh
		jnz	short loc_5979B7
		and	dword ptr [edx+4], 0
		jmp	short loc_5979BB
; 

loc_5979B7:				; CODE XREF: B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultDeref(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)+Cj
		and	dword ptr [edx+0Ch], 0

loc_5979BB:				; CODE XREF: B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultDeref(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)+12j
		mov	esp, ebp
		pop	ebp
		retn
?BTreeSearchResultDeref@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUSEARCH_RESULT@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static int __stdcall ST_STORE<struct SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR::Compare(void *, unsigned long const &, unsigned long const	&)
?Compare@ST_HASH_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z	proc near
					; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+C3p
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+121p	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [edx]
		mov	edx, eax
		and	[ebp+var_14], 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_C], eax
		push	esi
		push	edi
		mov	[ebp+var_4], ebx
		mov	ecx, [ebx+0ACh]
		mov	eax, [ebx+0B0h]
		shr	edx, cl
		mov	[ebp+var_8], eax
		mov	eax, [ebx+0B4h]
		bsr	edi, edx
		mov	[ebp+var_10], eax
		mov	eax, [ebx+0BCh]
		btc	edx, edi
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_0]
		imul	edx, 0Ch
		mov	eax, [eax]
		mov	ebx, eax
		shr	ebx, cl
		mov	ecx, [ebp+var_8]
		and	ecx, [ebp+var_C]
		imul	ecx, [ebp+var_10]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_4]
		bsr	esi, ebx
		mov	eax, [eax+edi*4+24h]
		btc	ebx, esi
		add	ecx, [edx+eax]
		mov	edx, [ebp+var_14]
		mov	eax, [ecx+edx+8]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_4]
		imul	ecx, ebx, 0Ch
		mov	ebx, [ebp+var_8]
		mov	eax, [eax+esi*4+24h]
		mov	esi, [ebp+arg_0]
		and	ebx, esi
		imul	ebx, [ebp+var_10]
		add	ebx, [ecx+eax]
		mov	ecx, [ebx+edx+8]
		cmp	[ebp+var_14], ecx
		jb	short loc_597A6A
		ja	short loc_597A65
		cmp	[ebp+var_C], esi
		jb	short loc_597A6A
		ja	short loc_597A65
		xor	eax, eax
		jmp	short loc_597A6D
; 

loc_597A65:				; CODE XREF: ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR::Compare(void *,ulong const &,ulong const &)+99j
					; ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR::Compare(void *,ulong const &,ulong const &)+A0j
		xor	eax, eax
		inc	eax
		jmp	short loc_597A6D
; 

loc_597A6A:				; CODE XREF: ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR::Compare(void *,ulong const &,ulong const &)+97j
					; ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR::Compare(void *,ulong const &,ulong const &)+9Ej
		or	eax, 0FFFFFFFFh

loc_597A6D:				; CODE XREF: ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR::Compare(void *,ulong const &,ulong const &)+A4j
					; ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR::Compare(void *,ulong const &,ulong const &)+A9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
?Compare@ST_HASH_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmWorkItemQueue(x, x, x)
_SmWorkItemQueue@12 proc near		; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+C3p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	[ebp+arg_0]
		call	SMKM_STORE_SM_TRAITS___SmStWorkItemQueue
		mov	esp, ebp
		pop	ebp
		retn	4
_SmWorkItemQueue@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTransitionToRealtime(x,	x)
_EtwpTransitionToRealtime@8 proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+2A3p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_8], 0
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		mov	ecx, ebx
		mov	[esp+18h+var_4], ebx
		call	@EtwpValidateLoggerInfo@4 ; EtwpValidateLoggerInfo(x)
		test	eax, eax
		js	loc_597BD4
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	eax, [esp+18h+var_8]
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	EtwpAcquireLoggerContext
		mov	edi, eax
		test	edi, edi
		js	loc_597BCD
		mov	esi, [esp+18h+var_8]
		mov	ebx, [esi+0Ch]
		test	ebx, 540h
		jnz	loc_597BBF
		mov	edx, esi
		mov	ecx, 0A0h
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_597BC4
		mov	edx, 1004h
		mov	ecx, esi
		call	EtwpSynchronizeWithLogger
		cmp	dword ptr [esi+248h], 0
		jz	short loc_597B24
		mov	edi, [esi+28h]
		test	edi, edi
		jnz	loc_597BC4
		mov	edi, 0C0000001h
		jmp	loc_597BC4
; 

loc_597B24:				; CODE XREF: EtwpTransitionToRealtime(x,x)+83j
		lea	eax, [esi+64h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+6Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+74h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	edi, [esp+18h+var_4]
		and	ebx, 0FBFFFDD0h
		or	ebx, 100h
		test	byte ptr [edi+40h], 10h
		jz	short loc_597B5A
		or	ebx, 10h
		jmp	short loc_597B5D
; 

loc_597B5A:				; CODE XREF: EtwpTransitionToRealtime(x,x)+C9j
		and	ebx, 0FFFFFFEFh

loc_597B5D:				; CODE XREF: EtwpTransitionToRealtime(x,x)+CEj
		mov	[esi+0Ch], ebx
		lea	eax, [esi+84h]
		mov	ecx, [edi+44h]
		test	ecx, ecx
		jnz	short loc_597B80
		cmp	[eax], ecx
		jnz	short loc_597B8C
		test	bl, 10h
		jz	short loc_597B7D
		mov	ecx, 3E8h
		jmp	short loc_597B80
; 

loc_597B7D:				; CODE XREF: EtwpTransitionToRealtime(x,x)+EAj
		xor	ecx, ecx
		inc	ecx

loc_597B80:				; CODE XREF: EtwpTransitionToRealtime(x,x)+E1j
					; EtwpTransitionToRealtime(x,x)+F1j
		push	4
		mov	[eax], ecx
		mov	ecx, esi
		pop	edx
		call	EtwpSynchronizeWithLogger

loc_597B8C:				; CODE XREF: EtwpTransitionToRealtime(x,x)+E5j
		mov	edx, esi
		mov	ecx, edi
		call	EtwpGetLoggerInfoFromContext
		mov	ebx, offset _ETW_EVENT_UPDATE_TRACE
		mov	edi, eax
		push	ebx
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_597BC4
		push	ecx
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_EtwpEventWriteTemplateSession@16 ; EtwpEventWriteTemplateSession(x,x,x,x)
		jmp	short loc_597BC4
; 

loc_597BBF:				; CODE XREF: EtwpTransitionToRealtime(x,x)+54j
		mov	edi, 0C00000BBh

loc_597BC4:				; CODE XREF: EtwpTransitionToRealtime(x,x)+6Aj
					; EtwpTransitionToRealtime(x,x)+8Aj ...
		mov	dl, 1
		mov	ecx, esi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_597BCD:				; CODE XREF: EtwpTransitionToRealtime(x,x)+41j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, edi

loc_597BD4:				; CODE XREF: EtwpTransitionToRealtime(x,x)+24j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_EtwpTransitionToRealtime@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceAutoBoostClearFloor(x, x, x)
_EtwTraceAutoBoostClearFloor@12	proc near ; CODE XREF: SmpKeyedStoreEntryGet(x,x,x,x)+46Ep
					; RtlpHpLfhBucketAddSubsegment+262p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ecx+2B0h]
		mov	ecx, [ecx+150h]
		and	[ebp+var_18], 0
		and	[ebp+var_10], 0
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_0]
		push	offset loc_501A02
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	543h
		mov	[ebp+var_28], edx
		lea	edx, [ebp+var_1C]
		push	20000200h
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], 0Ch
		mov	ecx, [ecx+3A0h]
		push	1
		call	EtwTraceSiloKernelEvent
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwTraceAutoBoostClearFloor@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceAutoBoostEntryExhaustion(x,	x)
_EtwTraceAutoBoostEntryExhaustion@8 proc near ;	CODE XREF: MiDeleteVad(x,x,x)+812p
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+5BDp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx+2B0h]
		mov	ecx, [ecx+150h]
		and	[ebp+var_10], 0
		and	[ebp+var_8], 0
		push	offset loc_501A02
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_1C]
		push	544h
		mov	[ebp+var_1C], edx
		lea	edx, [ebp+var_14]
		push	20000200h
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 8
		mov	ecx, [ecx+3A0h]
		push	1
		call	EtwTraceSiloKernelEvent
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwTraceAutoBoostEntryExhaustion@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_3257204026__private_IsEnabledDeviceUsage()
_Feature_3257204026__private_IsEnabledDeviceUsage@0 proc near
					; CODE XREF: EtwpValidateFlagExtension(x):loc_7E148Fp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_3257204026__private_featureState
		test	al, 10h
		jz	short loc_597CC1
		and	eax, 1
		leave
		retn
; 

loc_597CC1:				; CODE XREF: Feature_3257204026__private_IsEnabledDeviceUsage()+Ej
		push	0
		push	eax
		push	3
		pop	ecx
		call	_Feature_3257204026__private_IsEnabledFallback@12 ; Feature_3257204026__private_IsEnabledFallback(x,x,x)
		leave
		retn
_Feature_3257204026__private_IsEnabledDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_3257204026__private_IsEnabledFallback(x, x,	x)
_Feature_3257204026__private_IsEnabledFallback@12 proc near
					; CODE XREF: Feature_3257204026__private_IsEnabledDeviceUsage()+1Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, offset _Feature_3257204026__private_descriptor
		push	[ebp+arg_0]
		push	ecx
		call	_wil_details_IsEnabledFallback@20 ; wil_details_IsEnabledFallback(x,x,x,x,x)
		pop	ebp
		retn	8
_Feature_3257204026__private_IsEnabledFallback@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpRemoveBufferFromGlobalList(x, x)
_EtwpRemoveBufferFromGlobalList@8 proc near ; CODE XREF: EtwpAdjustSiloTraceBuffers(x)+8Ap
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	_EtwpGetFirstBuffer@4 ;	EtwpGetFirstBuffer(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_597D12

loc_597CFC:				; CODE XREF: EtwpRemoveBufferFromGlobalList(x,x)+28j
		mov	ecx, [esi]
		cmp	[esi+8], ebx
		jz	short loc_597D18
		lea	eax, [edi+40h]
		mov	esi, ecx
		sub	esi, eax
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		jnz	short loc_597CFC

loc_597D12:				; CODE XREF: EtwpRemoveBufferFromGlobalList(x,x)+12j
		xor	eax, eax

loc_597D14:				; CODE XREF: EtwpRemoveBufferFromGlobalList(x,x)+43j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_597D18:				; CODE XREF: EtwpRemoveBufferFromGlobalList(x,x)+19j
		cmp	[ecx+4], esi
		jnz	short loc_597D2D
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_597D2D
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, esi
		jmp	short loc_597D14
; 

loc_597D2D:				; CODE XREF: EtwpRemoveBufferFromGlobalList(x,x)+33j
					; EtwpRemoveBufferFromGlobalList(x,x)+3Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_EtwpRemoveBufferFromGlobalList@8 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_1445264698__private_IsEnabledDeviceUsage()
_Feature_1445264698__private_IsEnabledDeviceUsage@0 proc near
					; CODE XREF: EtwpSetProviderTraitsCommon+DCp
					; EtwpSetProviderTraitsCommon+1A1p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_1445264698__private_featureState
		test	al, 10h
		jz	short loc_597D47
		and	eax, 1
		leave
		retn
; 

loc_597D47:				; CODE XREF: Feature_1445264698__private_IsEnabledDeviceUsage()+Ej
		push	0
		push	eax
		push	3
		pop	ecx
		call	_Feature_1445264698__private_IsEnabledFallback@12 ; Feature_1445264698__private_IsEnabledFallback(x,x,x)
		leave
		retn
_Feature_1445264698__private_IsEnabledDeviceUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_1445264698__private_IsEnabledFallback(x, x,	x)
_Feature_1445264698__private_IsEnabledFallback@12 proc near
					; CODE XREF: Feature_1445264698__private_IsEnabledDeviceUsage()+1Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, offset _Feature_1445264698__private_descriptor
		push	[ebp+arg_0]
		push	ecx
		call	_wil_details_IsEnabledFallback@20 ; wil_details_IsEnabledFallback(x,x,x,x,x)
		pop	ebp
		retn	8
_Feature_1445264698__private_IsEnabledFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpApplyLevelKwFilter(x, x, x, x, x, x)
_EtwpApplyLevelKwFilter@24 proc	near	; CODE XREF: .text:00528925p
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+568p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 0
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jz	short loc_597DA6
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		push	[ebp+arg_8]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+arg_4]
		mov	bl, al
		push	[ebp+arg_0]
		call	_EtwpApplyLevelKwFilterInner@20	; EtwpApplyLevelKwFilterInner(x,x,x,x,x)
		mov	cl, bl
		mov	bh, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_597DB6
; 

loc_597DA6:				; CODE XREF: EtwpApplyLevelKwFilter(x,x,x,x,x,x)+10j
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_EtwpApplyLevelKwFilterInner@20	; EtwpApplyLevelKwFilterInner(x,x,x,x,x)
		mov	bh, al

loc_597DB6:				; CODE XREF: EtwpApplyLevelKwFilter(x,x,x,x,x,x)+36j
		pop	edi
		pop	esi
		mov	al, bh
		pop	ebx
		pop	ebp
		retn	10h
_EtwpApplyLevelKwFilter@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpApplyLevelKwFilterInner(x, x, x, x, x)
_EtwpApplyLevelKwFilterInner@20	proc near
					; CODE XREF: EtwpApplyLevelKwFilter(x,x,x,x,x,x)+27p
					; EtwpApplyLevelKwFilter(x,x,x,x,x,x)+41p

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+160h]
		imul	edx, 34h
		mov	edx, [eax+edx+20h]
		test	edx, edx
		jnz	short loc_597DDA
		mov	al, 1
		jmp	short loc_597E25
; 

loc_597DDA:				; CODE XREF: EtwpApplyLevelKwFilterInner(x,x,x,x,x)+14j
		mov	al, [edx+10h]
		push	esi
		push	edi
		cmp	[ebp+arg_0], al
		jbe	short loc_597DE8
		test	al, al
		jnz	short loc_597E17

loc_597DE8:				; CODE XREF: EtwpApplyLevelKwFilterInner(x,x,x,x,x)+22j
		mov	eax, [ebp+arg_4]
		or	eax, [ebp+arg_8]
		jz	short loc_597E20
		mov	ecx, [edx]
		mov	eax, [edx+4]
		and	ecx, [ebp+arg_4]
		and	eax, [ebp+arg_8]
		or	ecx, eax
		jz	short loc_597E17
		mov	ecx, [edx+8]
		mov	eax, ecx
		mov	edi, [edx+0Ch]
		mov	esi, edi
		and	eax, [ebp+arg_4]
		and	esi, [ebp+arg_8]
		cmp	eax, ecx
		jnz	short loc_597E17
		cmp	esi, edi
		jz	short loc_597E20

loc_597E17:				; CODE XREF: EtwpApplyLevelKwFilterInner(x,x,x,x,x)+26j
					; EtwpApplyLevelKwFilterInner(x,x,x,x,x)+3Dj ...
		cmp	byte ptr [edx+11h], 0
		setz	al
		jmp	short loc_597E23
; 

loc_597E20:				; CODE XREF: EtwpApplyLevelKwFilterInner(x,x,x,x,x)+2Ej
					; EtwpApplyLevelKwFilterInner(x,x,x,x,x)+55j
		mov	al, [edx+11h]

loc_597E23:				; CODE XREF: EtwpApplyLevelKwFilterInner(x,x,x,x,x)+5Ej
		pop	edi
		pop	esi

loc_597E25:				; CODE XREF: EtwpApplyLevelKwFilterInner(x,x,x,x,x)+18j
		pop	ebp
		retn	0Ch
_EtwpApplyLevelKwFilterInner@20	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 335. ExConvertPushLockExclusiveToShared

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExConvertPushLockExclusiveToShared(x)
		public _ExConvertPushLockExclusiveToShared@4
_ExConvertPushLockExclusiveToShared@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	11h
		pop	edx
		inc	eax
		lock cmpxchg [ecx], edx
		pop	ebp
		retn	4
_ExConvertPushLockExclusiveToShared@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry  11. ExAcquireCacheAwarePushLockExclusiveEx

;  S U B	R O U T	I N E 


; __fastcall ExAcquireCacheAwarePushLockExclusiveEx(x, x)
		public @ExAcquireCacheAwarePushLockExclusiveEx@8
@ExAcquireCacheAwarePushLockExclusiveEx@8 proc near
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		test	dl, 2
		jnz	short loc_597E61
		push	0
		xor	edx, edx
		call	KeAbPreAcquire
		mov	esi, eax
		jmp	short loc_597E63
; 

loc_597E61:				; CODE XREF: ExAcquireCacheAwarePushLockExclusiveEx(x,x)+9j
		xor	esi, esi

loc_597E63:				; CODE XREF: ExAcquireCacheAwarePushLockExclusiveEx(x,x)+16j
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	@ExfAcquireCacheAwarePushLockExclusiveEx@12 ; ExfAcquireCacheAwarePushLockExclusiveEx(x,x,x)
		test	esi, esi
		jz	short loc_597E75
		or	byte ptr [esi+0Eh], 1

loc_597E75:				; CODE XREF: ExAcquireCacheAwarePushLockExclusiveEx(x,x)+26j
		pop	edi
		pop	esi
		retn
@ExAcquireCacheAwarePushLockExclusiveEx@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry  55. ExReleaseCacheAwarePushLockExclusiveEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExReleaseCacheAwarePushLockExclusiveEx(x, x)
		public @ExReleaseCacheAwarePushLockExclusiveEx@8
@ExReleaseCacheAwarePushLockExclusiveEx@8 proc near

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	ebx, 0FFFFFFFCh
		jz	short loc_597EA5
		push	0
		push	0
		push	esi
		push	ebx
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_597EA5:				; CODE XREF: ExReleaseCacheAwarePushLockExclusiveEx(x,x)+16j
		lea	eax, [esi+80h]
		mov	edi, esi
		cmp	esi, eax
		jnb	short loc_597ED5
		lea	ebx, [esi+80h]

loc_597EB7:				; CODE XREF: ExReleaseCacheAwarePushLockExclusiveEx(x,x)+53j
		mov	ecx, [edi]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_597ECB
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_597ECB:				; CODE XREF: ExReleaseCacheAwarePushLockExclusiveEx(x,x)+47j
		add	edi, 4
		cmp	edi, ebx
		jb	short loc_597EB7
		mov	ebx, [ebp+var_4]

loc_597ED5:				; CODE XREF: ExReleaseCacheAwarePushLockExclusiveEx(x,x)+32j
		test	bl, 2
		jnz	short loc_597EE1
		mov	ecx, esi
		call	KeAbPostRelease

loc_597EE1:				; CODE XREF: ExReleaseCacheAwarePushLockExclusiveEx(x,x)+5Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@ExReleaseCacheAwarePushLockExclusiveEx@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry  81. ExUnblockOnAddressPushLockEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExUnblockOnAddressPushLockEx(x, x)
		public @ExUnblockOnAddressPushLockEx@8
@ExUnblockOnAddressPushLockEx@8	proc near

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	eax, eax
		test	edx, 0FFFFFFFCh
		jz	short loc_597F09
		push	eax
		push	eax
		push	ecx
		push	edx
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_597F09:				; CODE XREF: ExUnblockOnAddressPushLockEx(x,x)+Ej
		push	esi
		mov	[ebp+var_4], eax
		lea	edx, [ebp+var_4]
		xor	esi, esi
		lock or	[edx], esi
		pop	esi
		cmp	[ecx], eax
		jz	short locret_597F22
		push	eax
		xor	edx, edx
		call	ExpUnblockPushLock

locret_597F22:				; CODE XREF: ExUnblockOnAddressPushLockEx(x,x)+2Dj
		leave
		retn
@ExUnblockOnAddressPushLockEx@8	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 100. ExfUnblockPushLock

;  S U B	R O U T	I N E 


; __fastcall ExfUnblockPushLock(x, x)
		public @ExfUnblockPushLock@8
@ExfUnblockPushLock@8 proc near		; CODE XREF: CmpPerformUnloadKey+26Cp
					; CmpWorkerEngineWorker+86p ...
		push	0
		call	ExpUnblockPushLock
		retn
@ExfUnblockPushLock@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_LogErrorRecords__private_ReportUsageFallback(x, x, x)
_Feature_LogErrorRecords__private_ReportUsageFallback@12 proc near
					; CODE XREF: WheaReportHwError(x)+96p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		or	esi, 1
		mov	edi, offset _Feature_LogErrorRecords__private_descriptor
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Feature_LogErrorRecords__private_ReportUsageFallback@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 693. HviGetPartitionIsolationType

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HviGetPartitionIsolationType()
		public _HviGetPartitionIsolationType@0
_HviGetPartitionIsolationType@0	proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+28h+var_18]
		stosd
		stosd
		stosd
		stosd
		call	_HviIsHypervisorMicrosoftCompatible@0 ;	HviIsHypervisorMicrosoftCompatible()
		test	al, al
		jz	short loc_597FE9
		mov	eax, 40000003h
		lea	edi, [esp+28h+var_18]
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		xor	eax, eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	ecx, [esp+28h+var_14]
		and	ecx, 400000h
		or	eax, ecx
		jz	short loc_597FE9
		mov	eax, 4000000Ch
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	eax, [esp+28h+var_14]
		and	eax, 0Fh
		jmp	short loc_597FEB
; 

loc_597FE9:				; CODE XREF: HviGetPartitionIsolationType()+2Aj
					; HviGetPartitionIsolationType()+57j
		xor	eax, eax

loc_597FEB:				; CODE XREF: HviGetPartitionIsolationType()+79j
		mov	ecx, [esp+28h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_HviGetPartitionIsolationType@0	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_597FFE	proc near		; CODE XREF: sub_A1BAB0+46p
					; sub_A1BAB0:loc_A1BB54p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, dword_6F9D20
		test	al, 10h
		jnz	short loc_598019
		push	0
		push	eax
		call	sub_59801E

loc_598019:				; CODE XREF: sub_597FFE+11j
		mov	esp, ebp
		pop	ebp
		retn
sub_597FFE	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_59801E	proc near		; CODE XREF: sub_597FFE+16p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		and	esi, 0FFFFFFFEh
		mov	edi, offset off_6AB514
		push	esi
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_wil_details_FeatureReporting_ReportUsageToService@20 ;	wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, edi
		push	esi
		push	3
		pop	ecx
		call	_wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath@16 ; wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
sub_59801E	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()
_Feature_CompatBuildInVb__private_IsEnabledDeviceUsage@0 proc near
					; CODE XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+1C0p
					; SdbpMatchList(x,x,x,x,x,x,x,x)+5Dp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, _Feature_CompatBuildInVb__private_featureState
		test	al, 10h
		jz	short loc_59806C
		and	eax, 1
		jmp	short loc_598077
; 

loc_59806C:				; CODE XREF: Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()+11j
		push	0
		push	eax
		push	3
		pop	ecx
		call	_Feature_CompatBuildInVb__private_IsEnabledFallback@12 ; Feature_CompatBuildInVb__private_IsEnabledFallback(x,x,x)

loc_598077:				; CODE XREF: Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()+16j
		mov	esp, ebp
		pop	ebp
		retn
_Feature_CompatBuildInVb__private_IsEnabledDeviceUsage@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_CompatBuildInVb__private_IsEnabledFallback(x, x, x)
_Feature_CompatBuildInVb__private_IsEnabledFallback@12 proc near
					; CODE XREF: Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()+1Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, offset _Feature_CompatBuildInVb__private_descriptor
		push	[ebp+arg_0]
		push	ecx
		call	_wil_details_IsEnabledFallback@20 ; wil_details_IsEnabledFallback(x,x,x,x,x)
		pop	ebp
		retn	8
_Feature_CompatBuildInVb__private_IsEnabledFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckApplicationTypeAttributes(x, x, x,	x)
_SdbpCheckApplicationTypeAttributes@16 proc near
					; CODE XREF: SdbpCheckBackupApplicationAttributes(x,x,x,x,x,x,x)+15p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	[esp+2Ch+var_18], 1
		push	edi
		xor	edi, edi
		mov	[esp+30h+var_4], eax
		mov	ebx, edx
		mov	[esp+30h+var_14], edi
		mov	[esp+30h+var_20], ebx
		mov	esi, edi
		mov	[eax], edi

loc_5980C2:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+2B7j
		movzx	eax, word_6B6278[esi]
		mov	ecx, ebx
		mov	edx, [ebp+arg_0]
		push	eax
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	[esp+30h+var_1C], eax
		test	eax, eax
		jz	loc_59833F
		mov	edx, [ebp+arg_4]
		mov	ebx, edi
		mov	eax, [edx+8]
		mov	[esp+30h+var_8], eax
		test	eax, eax
		jz	loc_598311
		movzx	esi, word_6B627A[esi]
		mov	[esp+30h+var_10], esi
		mov	ecx, esi

loc_598101:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+ADj
		mov	esi, edi
		cmp	ebx, eax
		jnb	short loc_598139
		mov	eax, [edx+4]
		lea	ecx, [esp+30h+var_C]
		mul	ebx
		mov	[esp+30h+var_C], edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		mov	edx, [ebp+arg_4]
		test	eax, eax
		js	short loc_59812F
		mov	ecx, [edx+14h]
		mov	esi, [esp+30h+var_C]
		add	esi, ecx
		cmp	esi, ecx
		jnb	short loc_598131

loc_59812F:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+8Aj
		mov	esi, edi

loc_598131:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+97j
		mov	ecx, [esp+30h+var_10]
		mov	eax, [esp+30h+var_8]

loc_598139:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+6Fj
		cmp	[esi], cx
		jz	short loc_598145
		inc	ebx
		mov	esi, edi
		cmp	ebx, eax
		jb	short loc_598101

loc_598145:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+A6j
		test	esi, esi
		jz	loc_59830D
		mov	eax, [esp+30h+var_14]
		mov	ecx, 6001h
		movzx	eax, word_6B6278[eax]
		cmp	eax, ecx
		ja	loc_59825A
		jz	loc_598293
		sub	eax, 4045h
		jz	loc_598234
		sub	eax, 0FCFh
		jz	loc_598202
		sub	eax, 1
		jz	short loc_5981D0
		sub	eax, 1
		jz	short loc_59819E
		sub	eax, 1
		jz	short loc_598202
		sub	eax, 1
		jz	short loc_5981D0
		sub	eax, 1
		jnz	loc_59835C

loc_59819E:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+F3j
		mov	ebx, [esp+30h+var_20]
		mov	ecx, ebx
		mov	edx, [esp+30h+var_1C]
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		call	SdbReadQWORDTag
		mov	ecx, eax
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_59835C
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	edx
		push	ecx
		call	_SdbpCheckUptoVersion@16 ; SdbpCheckUptoVersion(x,x,x,x)
		jmp	loc_5982B4
; 

loc_5981D0:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+EEj
					; SdbpCheckApplicationTypeAttributes(x,x,x,x)+FDj
		mov	ebx, [esp+30h+var_20]
		mov	ecx, ebx
		mov	edx, [esp+30h+var_1C]
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		call	SdbReadQWORDTag
		mov	ecx, eax
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_59835C
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	edx
		push	ecx
		call	_SdbpCheckFromVersion@16 ; SdbpCheckFromVersion(x,x,x,x)
		jmp	loc_5982B4
; 

loc_598202:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+E5j
					; SdbpCheckApplicationTypeAttributes(x,x,x,x)+F8j
		mov	ebx, [esp+30h+var_20]
		mov	ecx, ebx
		mov	edx, [esp+30h+var_1C]
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		call	SdbReadQWORDTag
		mov	ecx, eax
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_59835C
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	edx
		push	ecx
		call	_SdbpCheckVersion@16 ; SdbpCheckVersion(x,x,x,x)
		jmp	loc_5982B4
; 

loc_598234:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+DAj
		mov	ebx, [esp+30h+var_20]
		mov	ecx, ebx
		mov	edx, [esp+30h+var_1C]
		push	0FFFFFFFFh
		call	SdbReadDWORDTag
		mov	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	loc_59835C
		xor	eax, eax
		cmp	ecx, [esi+8]
		setz	al
		jmp	short loc_5982B4
; 

loc_59825A:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+C9j
		cmp	eax, 6011h
		jz	short loc_598293
		cmp	eax, 6028h
		jbe	loc_59835C
		cmp	eax, 602Bh
		jbe	short loc_598293
		cmp	eax, 6042h
		jz	short loc_598293
		cmp	eax, 6044h
		jz	short loc_5982EA
		cmp	eax, 6046h
		jz	short loc_5982CB
		cmp	eax, 6048h
		jnz	loc_59835C

loc_598293:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+CFj
					; SdbpCheckApplicationTypeAttributes(x,x,x,x)+1C9j ...
		mov	ebx, [esp+30h+var_20]
		mov	ecx, ebx
		mov	edx, [esp+30h+var_1C]
		call	SdbGetStringTagPtr
		test	eax, eax
		jz	loc_59835C
		mov	edx, [esi+8]
		mov	ecx, eax
		call	AslStringPatternMatchW

loc_5982B4:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+135j
					; SdbpCheckApplicationTypeAttributes(x,x,x,x)+167j ...
		cmp	[esp+30h+var_18], edi
		jz	short loc_598309
		test	eax, eax
		jz	short loc_598309
		xor	eax, eax
		inc	eax

loc_5982C1:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+275j
		mov	esi, [esp+30h+var_14]
		mov	[esp+30h+var_18], eax
		jmp	short loc_598343
; 

loc_5982CB:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+1F0j
		mov	ebx, [esp+30h+var_20]
		mov	ecx, ebx
		mov	edx, [esp+30h+var_1C]
		call	SdbGetStringTagPtr
		test	eax, eax
		jz	short loc_59835C
		mov	edx, [esi+8]
		mov	ecx, eax
		call	_SdbpCheckFromStringVersion@8 ;	SdbpCheckFromStringVersion(x,x)
		jmp	short loc_5982B4
; 

loc_5982EA:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+1E9j
		mov	ebx, [esp+30h+var_20]
		mov	ecx, ebx
		mov	edx, [esp+30h+var_1C]
		call	SdbGetStringTagPtr
		test	eax, eax
		jz	short loc_59835C
		mov	edx, [esi+8]
		mov	ecx, eax
		call	_SdbpCheckUptoStringVersion@8 ;	SdbpCheckUptoStringVersion(x,x)
		jmp	short loc_5982B4
; 

loc_598309:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+222j
					; SdbpCheckApplicationTypeAttributes(x,x,x,x)+226j
		mov	eax, edi
		jmp	short loc_5982C1
; 

loc_59830D:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+B1j
		mov	esi, [esp+30h+var_14]

loc_598311:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+58j
		mov	ebx, [esp+30h+var_20]
		mov	eax, 6001h
		cmp	word_6B6278[esi], ax
		jz	short loc_59833F
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	SdbGetTagFromTagID
		mov	ecx, 7060h
		cmp	ax, cx
		jnz	short loc_598367
		mov	eax, edi
		mov	[esp+30h+var_18], eax
		jmp	short loc_598343
; 

loc_59833F:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+44j
					; SdbpCheckApplicationTypeAttributes(x,x,x,x)+28Bj
		mov	eax, [esp+30h+var_18]

loc_598343:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+233j
					; SdbpCheckApplicationTypeAttributes(x,x,x,x)+2A7j
		add	esi, 4
		mov	[esp+30h+var_14], esi
		cmp	esi, 40h
		jb	loc_5980C2
		mov	ecx, [esp+30h+var_4]
		xor	edi, edi
		inc	edi
		mov	[ecx], eax

loc_59835C:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+102j
					; SdbpCheckApplicationTypeAttributes(x,x,x,x)+122j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_598367:				; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+29Fj
		push	offset ??_C@_0CM@KNENAJOM@Failed?5to?5find?5Attribute?5to?5use@FNODOBFM@
		push	1316h
		push	offset ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_59835C
_SdbpCheckApplicationTypeAttributes@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_Servicing_Opnum_Filter__private_IsEnabledDeviceUsage()
_Feature_Servicing_Opnum_Filter__private_IsEnabledDeviceUsage@0	proc near
					; CODE XREF: AdtpWriteToEtw(x,x):loc_89ED70p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_Servicing_Opnum_Filter__private_featureState
		test	al, 10h
		jz	short loc_598397
		and	eax, 1
		leave
		retn
; 

loc_598397:				; CODE XREF: Feature_Servicing_Opnum_Filter__private_IsEnabledDeviceUsage()+Ej
		push	0
		push	eax
		push	3
		pop	ecx
		call	_Feature_Servicing_Opnum_Filter__private_IsEnabledFallback@12 ;	Feature_Servicing_Opnum_Filter__private_IsEnabledFallback(x,x,x)
		leave
		retn
_Feature_Servicing_Opnum_Filter__private_IsEnabledDeviceUsage@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Feature_Servicing_Opnum_Filter__private_IsEnabledFallback(x, x, x)
_Feature_Servicing_Opnum_Filter__private_IsEnabledFallback@12 proc near
					; CODE XREF: Feature_Servicing_Opnum_Filter__private_IsEnabledDeviceUsage()+1Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, (offset loc_6AB1AF+5)
		push	[ebp+arg_0]
		push	ecx
		call	_wil_details_IsEnabledFallback@20 ; wil_details_IsEnabledFallback(x,x,x,x,x)
		pop	ebp
		retn	8
_Feature_Servicing_Opnum_Filter__private_IsEnabledFallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpIsSDValidSelfRelative(x, x)
_AdtpIsSDValidSelfRelative@8 proc near	; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+109p
					; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+140p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ebx, edx
		test	edi, edi
		jnz	short loc_5983D9
		mov	eax, 0C000000Dh
		jmp	short loc_598412
; 

loc_5983D9:				; CODE XREF: AdtpIsSDValidSelfRelative(x,x)+12j
		push	edi
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jnz	short loc_5983EA
		mov	eax, 0C0000079h
		jmp	short loc_598412
; 

loc_5983EA:				; CODE XREF: AdtpIsSDValidSelfRelative(x,x)+23j
		test	ebx, ebx
		jz	short loc_598410
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], esi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		call	_RtlGetControlSecurityDescriptor@12 ; RtlGetControlSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_598410
		mov	ecx, [ebp+var_4]
		shr	ecx, 0Fh
		and	cl, 1
		mov	[ebx], cl

loc_598410:				; CODE XREF: AdtpIsSDValidSelfRelative(x,x)+2Ej
					; AdtpIsSDValidSelfRelative(x,x)+45j
		mov	eax, esi

loc_598412:				; CODE XREF: AdtpIsSDValidSelfRelative(x,x)+19j
					; AdtpIsSDValidSelfRelative(x,x)+2Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AdtpIsSDValidSelfRelative@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


__SEH_prolog4	proc near		; CODE XREF: CcPerformReadAhead+Ap
					; CcAsyncReadPrefetch+7p ...

arg_4		= dword	ptr  8

		push	offset __except_handler4
		push	large dword ptr	fs:0
		mov	eax, [esp+8+arg_4]
		mov	[esp+8+arg_4], ebp
		lea	ebp, [esp+8+arg_4]
		sub	esp, eax
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-4], eax
		xor	eax, ebp
		push	eax
		mov	[ebp-18h], esp
		push	dword ptr [ebp-8]
		mov	eax, [ebp-4]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	[ebp-8], eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		retn
__SEH_prolog4	endp ; sp = -1Ch


;  S U B	R O U T	I N E 


__SEH_epilog4	proc near		; CODE XREF: __SEH_epilog4_GS+Aj
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		push	ecx
		retn
__SEH_epilog4	endp

; 
		align 4

;  S U B	R O U T	I N E 


__SEH_prolog4_GS proc near		; CODE XREF: CmQueryLayeredKey+Ap
					; KiRaiseException(x,x,x,x,x)+Ap ...

arg_4		= dword	ptr  8

		push	offset __except_handler4
		push	large dword ptr	fs:0
		mov	eax, [esp+8+arg_4]
		mov	[esp+8+arg_4], ebp
		lea	ebp, [esp+8+arg_4]
		sub	esp, eax
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-4], eax
		xor	eax, ebp
		mov	[ebp-1Ch], eax
		push	eax
		mov	[ebp-18h], esp
		push	dword ptr [ebp-8]
		mov	eax, [ebp-4]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	[ebp-8], eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		retn
__SEH_prolog4_GS endp ;	sp = -1Ch


;  S U B	R O U T	I N E 


__SEH_epilog4_GS proc near
		mov	ecx, [ebp-1Ch]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		jmp	__SEH_epilog4
__SEH_epilog4_GS endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt0	proc near	; DATA XREF: .data:006B018Co
		push	30h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt0	endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt1	proc near	; DATA XREF: .data:006B0194o
		push	31h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt1	endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt2	proc near	; DATA XREF: .data:006B019Co
		push	32h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt2	endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt3	proc near	; DATA XREF: .data:006B01A4o
		push	33h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt3	endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt4	proc near	; DATA XREF: .data:006B01ACo
		push	34h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt4	endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt5	proc near	; DATA XREF: .data:006B01B4o
		push	35h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt5	endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt6	proc near	; DATA XREF: .data:006B01BCo
		push	36h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt6	endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt7	proc near	; DATA XREF: .data:006B01C4o
		push	37h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt7	endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt8	proc near	; DATA XREF: .data:006B01CCo
		push	38h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt8	endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt9	proc near	; DATA XREF: .data:006B01D4o
		push	39h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt9	endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt10 proc near	; DATA XREF: .data:006B01DCo
		push	3Ah
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt10 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt11 proc near	; DATA XREF: .data:006B01E4o
		push	3Bh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt11 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt12 proc near	; DATA XREF: .data:006B01ECo
		push	3Ch
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt12 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt13 proc near	; DATA XREF: .data:006B01F4o
		push	3Dh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt13 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt14 proc near	; DATA XREF: .data:006B01FCo
		push	3Eh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt14 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt15 proc near	; DATA XREF: .data:006B0204o
		push	3Fh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt15 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt16 proc near	; DATA XREF: .data:006B020Co
		push	40h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt16 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt17 proc near	; DATA XREF: .data:006B0214o
		push	41h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt17 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt18 proc near	; DATA XREF: .data:006B021Co
		push	42h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt18 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt19 proc near	; DATA XREF: .data:006B0224o
		push	43h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt19 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt20 proc near	; DATA XREF: .data:006B022Co
		push	44h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt20 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt21 proc near	; DATA XREF: .data:006B0234o
		push	45h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt21 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt22 proc near	; DATA XREF: .data:006B023Co
		push	46h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt22 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt23 proc near	; DATA XREF: .data:006B0244o
		push	47h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt23 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt24 proc near	; DATA XREF: .data:006B024Co
		push	48h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt24 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt25 proc near	; DATA XREF: .data:006B0254o
		push	49h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt25 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt26 proc near	; DATA XREF: .data:006B025Co
		push	4Ah
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt26 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt27 proc near	; DATA XREF: .data:006B0264o
		push	4Bh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt27 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt28 proc near	; DATA XREF: .data:006B026Co
		push	4Ch
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt28 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt29 proc near	; DATA XREF: .data:006B0274o
		push	4Dh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt29 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt30 proc near	; DATA XREF: .data:006B027Co
		push	4Eh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt30 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt31 proc near	; DATA XREF: .data:006B0284o
		push	4Fh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt31 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt32 proc near	; DATA XREF: .data:006B028Co
		push	50h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt32 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt33 proc near	; DATA XREF: .data:006B0294o
		push	51h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt33 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt34 proc near	; DATA XREF: .data:006B029Co
		push	52h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt34 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt35 proc near	; DATA XREF: .data:006B02A4o
		push	53h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt35 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt36 proc near	; DATA XREF: .data:006B02ACo
		push	54h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt36 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt37 proc near	; DATA XREF: .data:006B02B4o
		push	55h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt37 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt38 proc near	; DATA XREF: .data:006B02BCo
		push	56h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt38 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt39 proc near	; DATA XREF: .data:006B02C4o
		push	57h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt39 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt40 proc near	; DATA XREF: .data:006B02CCo
		push	58h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt40 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt41 proc near	; DATA XREF: .data:006B02D4o
		push	59h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt41 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt42 proc near	; DATA XREF: .data:006B02DCo
		push	5Ah
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt42 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt43 proc near	; DATA XREF: .data:006B02E4o
		push	5Bh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt43 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt44 proc near	; DATA XREF: .data:006B02ECo
		push	5Ch
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt44 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt45 proc near	; DATA XREF: .data:006B02F4o
		push	5Dh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt45 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt46 proc near	; DATA XREF: .data:006B02FCo
		push	5Eh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt46 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt47 proc near	; DATA XREF: .data:006B0304o
		push	5Fh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt47 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt48 proc near	; DATA XREF: .data:006B030Co
		push	60h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt48 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt49 proc near	; DATA XREF: .data:006B0314o
		push	61h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt49 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt50 proc near	; DATA XREF: .data:006B031Co
		push	62h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt50 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt51 proc near	; DATA XREF: .data:006B0324o
		push	63h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt51 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt52 proc near	; DATA XREF: .data:006B032Co
		push	64h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt52 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt53 proc near	; DATA XREF: .data:006B0334o
		push	65h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt53 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt54 proc near	; DATA XREF: .data:006B033Co
		push	66h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt54 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt55 proc near	; DATA XREF: .data:006B0344o
		push	67h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt55 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt56 proc near	; DATA XREF: .data:006B034Co
		push	68h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt56 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt57 proc near	; DATA XREF: .data:006B0354o
		push	69h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt57 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt58 proc near	; DATA XREF: .data:006B035Co
		push	6Ah
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt58 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt59 proc near	; DATA XREF: .data:006B0364o
		push	6Bh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt59 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt60 proc near	; DATA XREF: .data:006B036Co
		push	6Ch
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt60 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt61 proc near	; DATA XREF: .data:006B0374o
		push	6Dh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt61 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt62 proc near	; DATA XREF: .data:006B037Co
		push	6Eh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt62 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt63 proc near	; DATA XREF: .data:006B0384o
		push	6Fh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt63 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt64 proc near	; DATA XREF: .data:006B038Co
		push	70h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt64 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt65 proc near	; DATA XREF: .data:006B0394o
		push	71h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt65 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt66 proc near	; DATA XREF: .data:006B039Co
		push	72h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt66 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt67 proc near	; DATA XREF: .data:006B03A4o
		push	73h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt67 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt68 proc near	; DATA XREF: .data:006B03ACo
		push	74h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt68 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt69 proc near	; DATA XREF: .data:006B03B4o
		push	75h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt69 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt70 proc near	; DATA XREF: .data:006B03BCo
		push	76h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt70 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt71 proc near	; DATA XREF: .data:006B03C4o
		push	77h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt71 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt72 proc near	; DATA XREF: .data:006B03CCo
		push	78h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt72 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt73 proc near	; DATA XREF: .data:006B03D4o
		push	79h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt73 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt74 proc near	; DATA XREF: .data:006B03DCo
		push	7Ah
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt74 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt75 proc near	; DATA XREF: .data:006B03E4o
		push	7Bh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt75 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt76 proc near	; DATA XREF: .data:006B03ECo
		push	7Ch
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt76 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt77 proc near	; DATA XREF: .data:006B03F4o
		push	7Dh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt77 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt78 proc near	; DATA XREF: .data:006B03FCo
		push	7Eh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt78 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt79 proc near	; DATA XREF: .data:006B0404o
		push	7Fh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt79 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt80 proc near	; DATA XREF: .data:006B040Co
		push	80h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt80 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt81 proc near	; DATA XREF: .data:006B0414o
		push	81h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt81 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt82 proc near	; DATA XREF: .data:006B041Co
		push	82h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt82 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt83 proc near	; DATA XREF: .data:006B0424o
		push	83h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt83 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt84 proc near	; DATA XREF: .data:006B042Co
		push	84h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt84 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt85 proc near	; DATA XREF: .data:006B0434o
		push	85h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt85 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt86 proc near	; DATA XREF: .data:006B043Co
		push	86h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt86 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt87 proc near	; DATA XREF: .data:006B0444o
		push	87h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt87 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt88 proc near	; DATA XREF: .data:006B044Co
		push	88h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt88 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt89 proc near	; DATA XREF: .data:006B0454o
		push	89h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt89 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt90 proc near	; DATA XREF: .data:006B045Co
		push	8Ah
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt90 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt91 proc near	; DATA XREF: .data:006B0464o
		push	8Bh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt91 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt92 proc near	; DATA XREF: .data:006B046Co
		push	8Ch
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt92 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt93 proc near	; DATA XREF: .data:006B0474o
		push	8Dh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt93 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt94 proc near	; DATA XREF: .data:006B047Co
		push	8Eh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt94 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt95 proc near	; DATA XREF: .data:006B0484o
		push	8Fh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt95 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt96 proc near	; DATA XREF: .data:006B048Co
		push	90h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt96 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt97 proc near	; DATA XREF: .data:006B0494o
		push	91h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt97 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt98 proc near	; DATA XREF: .data:006B049Co
		push	92h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt98 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt99 proc near	; DATA XREF: .data:006B04A4o
		push	93h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt99 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt100 proc near	; DATA XREF: .data:006B04ACo
		push	94h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt100 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt101 proc near	; DATA XREF: .data:006B04B4o
		push	95h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt101 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt102 proc near	; DATA XREF: .data:006B04BCo
		push	96h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt102 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt103 proc near	; DATA XREF: .data:006B04C4o
		push	97h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt103 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt104 proc near	; DATA XREF: .data:006B04CCo
		push	98h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt104 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt105 proc near	; DATA XREF: .data:006B04D4o
		push	99h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt105 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt106 proc near	; DATA XREF: .data:006B04DCo
		push	9Ah
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt106 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt107 proc near	; DATA XREF: .data:006B04E4o
		push	9Bh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt107 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt108 proc near	; DATA XREF: .data:006B04ECo
		push	9Ch
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt108 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt109 proc near	; DATA XREF: .data:006B04F4o
		push	9Dh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt109 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt110 proc near	; DATA XREF: .data:006B04FCo
		push	9Eh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt110 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt111 proc near	; DATA XREF: .data:006B0504o
		push	9Fh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt111 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt112 proc near	; DATA XREF: .data:006B050Co
		push	0A0h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt112 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt113 proc near	; DATA XREF: .data:006B0514o
		push	0A1h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt113 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt114 proc near	; DATA XREF: .data:006B051Co
		push	0A2h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt114 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt115 proc near	; DATA XREF: .data:006B0524o
		push	0A3h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt115 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt116 proc near	; DATA XREF: .data:006B052Co
		push	0A4h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt116 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt117 proc near	; DATA XREF: .data:006B0534o
		push	0A5h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt117 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt118 proc near	; DATA XREF: .data:006B053Co
		push	0A6h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt118 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt119 proc near	; DATA XREF: .data:006B0544o
		push	0A7h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt119 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt120 proc near	; DATA XREF: .data:006B054Co
		push	0A8h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt120 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt121 proc near	; DATA XREF: .data:006B0554o
		push	0A9h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt121 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt122 proc near	; DATA XREF: .data:006B055Co
		push	0AAh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt122 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt123 proc near	; DATA XREF: .data:006B0564o
		push	0ABh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt123 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt124 proc near	; DATA XREF: .data:006B056Co
		push	0ACh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt124 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt125 proc near	; DATA XREF: .data:006B0574o
		push	0ADh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt125 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt126 proc near	; DATA XREF: .data:006B057Co
		push	0AEh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt126 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt127 proc near	; DATA XREF: .data:006B0584o
		push	0AFh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt127 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt128 proc near	; DATA XREF: .data:006B058Co
		push	0B0h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt128 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt129 proc near	; DATA XREF: .data:006B0594o
		push	0B1h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt129 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt130 proc near	; DATA XREF: .data:006B059Co
		push	0B2h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt130 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt131 proc near	; DATA XREF: .data:006B05A4o
		push	0B3h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt131 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt132 proc near	; DATA XREF: .data:006B05ACo
		push	0B4h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt132 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt133 proc near	; DATA XREF: .data:006B05B4o
		push	0B5h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt133 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt134 proc near	; DATA XREF: .data:006B05BCo
		push	0B6h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt134 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt135 proc near	; DATA XREF: .data:006B05C4o
		push	0B7h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt135 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt136 proc near	; DATA XREF: .data:006B05CCo
		push	0B8h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt136 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt137 proc near	; DATA XREF: .data:006B05D4o
		push	0B9h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt137 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt138 proc near	; DATA XREF: .data:006B05DCo
		push	0BAh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt138 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt139 proc near	; DATA XREF: .data:006B05E4o
		push	0BBh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt139 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt140 proc near	; DATA XREF: .data:006B05ECo
		push	0BCh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt140 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt141 proc near	; DATA XREF: .data:006B05F4o
		push	0BDh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt141 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt142 proc near	; DATA XREF: .data:006B05FCo
		push	0BEh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt142 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt143 proc near	; DATA XREF: .data:006B0604o
		push	0BFh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt143 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt144 proc near	; DATA XREF: .data:006B060Co
		push	0C0h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt144 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt145 proc near	; DATA XREF: .data:006B0614o
		push	0C1h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt145 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt146 proc near	; DATA XREF: .data:006B061Co
		push	0C2h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt146 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt147 proc near	; DATA XREF: .data:006B0624o
		push	0C3h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt147 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt148 proc near	; DATA XREF: .data:006B062Co
		push	0C4h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt148 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt149 proc near	; DATA XREF: .data:006B0634o
		push	0C5h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt149 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt150 proc near	; DATA XREF: .data:006B063Co
		push	0C6h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt150 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt151 proc near	; DATA XREF: .data:006B0644o
		push	0C7h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt151 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt152 proc near	; DATA XREF: .data:006B064Co
		push	0C8h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt152 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt153 proc near	; DATA XREF: .data:006B0654o
		push	0C9h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt153 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt154 proc near	; DATA XREF: .data:006B065Co
		push	0CAh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt154 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt155 proc near	; DATA XREF: .data:006B0664o
		push	0CBh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt155 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt156 proc near	; DATA XREF: .data:006B066Co
		push	0CCh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt156 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt157 proc near	; DATA XREF: .data:006B0674o
		push	0CDh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt157 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt158 proc near	; DATA XREF: .data:006B067Co
		push	0CEh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt158 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt159 proc near	; DATA XREF: .data:006B0684o
		push	0CFh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt159 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt160 proc near	; DATA XREF: .data:006B068Co
		push	0D0h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt160 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt161 proc near	; DATA XREF: .data:006B0694o
		push	0D1h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt161 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt162 proc near	; DATA XREF: .data:006B069Co
		push	0D2h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt162 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt163 proc near	; DATA XREF: .data:006B06A4o
		push	0D3h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt163 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt164 proc near	; DATA XREF: .data:006B06ACo
		push	0D4h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt164 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt165 proc near	; DATA XREF: .data:006B06B4o
		push	0D5h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt165 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt166 proc near	; DATA XREF: .data:006B06BCo
		push	0D6h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt166 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt167 proc near	; DATA XREF: .data:006B06C4o
		push	0D7h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt167 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt168 proc near	; DATA XREF: .data:006B06CCo
		push	0D8h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt168 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt169 proc near	; DATA XREF: .data:006B06D4o
		push	0D9h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt169 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt170 proc near	; DATA XREF: .data:006B06DCo
		push	0DAh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt170 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt171 proc near	; DATA XREF: .data:006B06E4o
		push	0DBh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt171 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt172 proc near	; DATA XREF: .data:006B06ECo
		push	0DCh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt172 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt173 proc near	; DATA XREF: .data:006B06F4o
		push	0DDh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt173 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt174 proc near	; DATA XREF: .data:006B06FCo
		push	0DEh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt174 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt175 proc near	; DATA XREF: .data:006B0704o
		push	0DFh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt175 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt176 proc near	; DATA XREF: .data:006B070Co
		push	0E0h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt176 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt177 proc near	; DATA XREF: .data:006B0714o
		push	0E1h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt177 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt178 proc near	; DATA XREF: .data:006B071Co
		push	0E2h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt178 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt179 proc near	; DATA XREF: .data:006B0724o
		push	0E3h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt179 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt180 proc near	; DATA XREF: .data:006B072Co
		push	0E4h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt180 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt181 proc near	; DATA XREF: .data:006B0734o
		push	0E5h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt181 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt182 proc near	; DATA XREF: .data:006B073Co
		push	0E6h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt182 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt183 proc near	; DATA XREF: .data:006B0744o
		push	0E7h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt183 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt184 proc near	; DATA XREF: .data:006B074Co
		push	0E8h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt184 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt185 proc near	; DATA XREF: .data:006B0754o
		push	0E9h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt185 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt186 proc near	; DATA XREF: .data:006B075Co
		push	0EAh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt186 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt187 proc near	; DATA XREF: .data:006B0764o
		push	0EBh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt187 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt188 proc near	; DATA XREF: .data:006B076Co
		push	0ECh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt188 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt189 proc near	; DATA XREF: .data:006B0774o
		push	0EDh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt189 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt190 proc near	; DATA XREF: .data:006B077Co
		push	0EEh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt190 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt191 proc near	; DATA XREF: .data:006B0784o
		push	0EFh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt191 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt192 proc near	; DATA XREF: .data:006B078Co
		push	0F0h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt192 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt193 proc near	; DATA XREF: .data:006B0794o
		push	0F1h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt193 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt194 proc near	; DATA XREF: .data:006B079Co
		push	0F2h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt194 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt195 proc near	; DATA XREF: .data:006B07A4o
		push	0F3h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt195 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt196 proc near	; DATA XREF: .data:006B07ACo
		push	0F4h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt196 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt197 proc near	; DATA XREF: .data:006B07B4o
		push	0F5h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt197 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt198 proc near	; DATA XREF: .data:006B07BCo
		push	0F6h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt198 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt199 proc near	; DATA XREF: .data:006B07C4o
		push	0F7h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt199 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt200 proc near	; DATA XREF: .data:006B07CCo
		push	0F8h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt200 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt201 proc near	; DATA XREF: .data:006B07D4o
		push	0F9h
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt201 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt202 proc near	; DATA XREF: .data:006B07DCo
		push	0FAh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt202 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt203 proc near	; DATA XREF: .data:006B07E4o
		push	0FBh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt203 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt204 proc near	; DATA XREF: .data:006B07ECo
		push	0FCh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt204 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt205 proc near	; DATA XREF: .data:006B07F4o
		push	0FDh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt205 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt206 proc near	; DATA XREF: .data:006B07FCo
		push	0FEh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt206 endp


;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt207 proc near	; DATA XREF: .data:006B0804o
		push	0FFh
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt207 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_KiEndUnexpectedRange proc near		; CODE XREF: sub_599A1C+69j
		cmp	ecx, 10h
		jnz	short loc_598D2F
		push	edx
		push	ebx
		call	PsConvertToGuiThread
		or	eax, eax
		pop	eax
		pop	edx
		mov	ebp, esp
		mov	[esi+6Ch], ebp
		jz	loc_599A6E
		lea	edx, dword_70E710
		mov	ecx, [edx+8]
		mov	edx, [edx]
		and	eax, 0FFFh
		cmp	eax, ecx
		lea	edx, [edx+ecx*4]
		jnb	short loc_598D2F
		add	edx, eax
		movsx	eax, byte ptr [edx]
		or	eax, eax
		jle	loc_599B55

loc_598D2F:				; CODE XREF: _KiEndUnexpectedRange+3j
					; _KiEndUnexpectedRange+30j
		mov	eax, 0C000001Ch
		jmp	loc_599B55
_KiEndUnexpectedRange endp

; 
		align 4

;  S U B	R O U T	I N E 


Dr_kss_a	proc near		; CODE XREF: sub_59973A+38j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_598D4F
		test	byte ptr [ebp+6Ch], 1
		jz	loc_599778

loc_598D4F:				; CODE XREF: Dr_kss_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_599778
Dr_kss_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


Dr_kass_a	proc near		; CODE XREF: Dr_kass_a+3A3j

var_2		= word ptr -2
arg_60		= dword	ptr  64h

; FUNCTION CHUNK AT 0059948C SIZE 00000099 BYTES
; FUNCTION CHUNK AT 0059B5C0 SIZE 00000076 BYTES

		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_598DCF
		test	byte ptr [ebp+6Ch], 1
		jz	loc_599165

loc_598DCF:				; CODE XREF: Dr_kass_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_599165
; 
		align 4

V86_kass_a:				; CODE XREF: Dr_kass_a+38Dj
		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59914F
; 
		align 4

Dr_FastCallDrSave:			; CODE XREF: sub_599A1C+38j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_598E7B
		test	byte ptr [ebp+6Ch], 1
		jz	loc_599A5A

loc_598E7B:				; CODE XREF: Dr_kass_a+B3j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_599A5A
; 

_KiAltSystemService:			; CODE XREF: _KiAltSystemServiceShadow+34j
					; _KiAltSystemServiceShadow+BDj
					; DATA XREF: ...
		push	0
		mov	[esp+4+var_2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		assume fs:nothing
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		assume ds:nothing
		mov	es, ax
		assume es:nothing
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_598F61
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_598F61
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_598F61
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_598F61:				; CODE XREF: Dr_kass_a+177j
					; Dr_kass_a+180j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_598F8E
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_598F8E
		lfence	eax
		jmp	loc_599118
; 
		dd 5B70F64h, 22DAh, 48B9h, 0FD23300h, 18AE930h
		db 2 dup(0)
; 

loc_598F8E:				; CODE XREF: Dr_kass_a+1ACj
					; Dr_kass_a+1B2j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_598FD6
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_598FD6:				; CODE XREF: Dr_kass_a+208j
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_598FFC
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_598FFC:				; CODE XREF: Dr_kass_a+228j
		test	edx, 2
		jz	loc_599108
		call	loc_5990FD

loc_59900D:				; CODE XREF: Dr_kass_a+25Cp
		add	esp, 4
		call	loc_599105

loc_599015:				; CODE XREF: Dr_kass_a+264p
		add	esp, 4
		call	loc_59900D

loc_59901D:				; CODE XREF: Dr_kass_a+26Cp
		add	esp, 4
		call	loc_599015

loc_599025:				; CODE XREF: Dr_kass_a+274p
		add	esp, 4
		call	loc_59901D

loc_59902D:				; CODE XREF: Dr_kass_a+27Cp
		add	esp, 4
		call	loc_599025

loc_599035:				; CODE XREF: Dr_kass_a+284p
		add	esp, 4
		call	loc_59902D

loc_59903D:				; CODE XREF: Dr_kass_a+28Cp
		add	esp, 4
		call	loc_599035

loc_599045:				; CODE XREF: Dr_kass_a+294p
		add	esp, 4
		call	loc_59903D

loc_59904D:				; CODE XREF: Dr_kass_a+29Cp
		add	esp, 4
		call	loc_599045

loc_599055:				; CODE XREF: Dr_kass_a+2A4p
		add	esp, 4
		call	loc_59904D

loc_59905D:				; CODE XREF: Dr_kass_a+2ACp
		add	esp, 4
		call	loc_599055

loc_599065:				; CODE XREF: Dr_kass_a+2B4p
		add	esp, 4
		call	loc_59905D

loc_59906D:				; CODE XREF: Dr_kass_a+2BCp
		add	esp, 4
		call	loc_599065

loc_599075:				; CODE XREF: Dr_kass_a+2C4p
		add	esp, 4
		call	loc_59906D

loc_59907D:				; CODE XREF: Dr_kass_a+2CCp
		add	esp, 4
		call	loc_599075

loc_599085:				; CODE XREF: Dr_kass_a+2D4p
		add	esp, 4
		call	loc_59907D

loc_59908D:				; CODE XREF: Dr_kass_a+2DCp
		add	esp, 4
		call	loc_599085

loc_599095:				; CODE XREF: Dr_kass_a+2E4p
		add	esp, 4
		call	loc_59908D

loc_59909D:				; CODE XREF: Dr_kass_a+2ECp
		add	esp, 4
		call	loc_599095

loc_5990A5:				; CODE XREF: Dr_kass_a+2F4p
		add	esp, 4
		call	loc_59909D

loc_5990AD:				; CODE XREF: Dr_kass_a+2FCp
		add	esp, 4
		call	loc_5990A5

loc_5990B5:				; CODE XREF: Dr_kass_a+304p
		add	esp, 4
		call	loc_5990AD

loc_5990BD:				; CODE XREF: Dr_kass_a+30Cp
		add	esp, 4
		call	loc_5990B5

loc_5990C5:				; CODE XREF: Dr_kass_a+314p
		add	esp, 4
		call	loc_5990BD

loc_5990CD:				; CODE XREF: Dr_kass_a+31Cp
		add	esp, 4
		call	loc_5990C5

loc_5990D5:				; CODE XREF: Dr_kass_a+324p
		add	esp, 4
		call	loc_5990CD

loc_5990DD:				; CODE XREF: Dr_kass_a+32Cp
		add	esp, 4
		call	loc_5990D5

loc_5990E5:				; CODE XREF: Dr_kass_a+334p
		add	esp, 4
		call	loc_5990DD

loc_5990ED:				; CODE XREF: Dr_kass_a+33Cp
		add	esp, 4
		call	loc_5990E5

loc_5990F5:				; CODE XREF: Dr_kass_a+344p
		add	esp, 4
		call	loc_5990ED

loc_5990FD:				; CODE XREF: Dr_kass_a+24Cp
		add	esp, 4
		call	loc_5990F5

loc_599105:				; CODE XREF: Dr_kass_a+254p
		add	esp, 4

loc_599108:				; CODE XREF: Dr_kass_a+246j
		test	edx, 80h
		jz	short loc_599115
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_599115:				; CODE XREF: Dr_kass_a+352j
		lfence	eax

loc_599118:				; CODE XREF: Dr_kass_a+1B7j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kass_a

loc_59914F:				; CODE XREF: Dr_kass_a+A5j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kass_a

loc_599165:				; CODE XREF: Dr_kass_a+Dj
					; Dr_kass_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		mov	eax, [ebp+70h]
		mov	ebx, [ebp+6Ch]
		sti
		test	eax, 20000h
		jnz	loc_599505
		test	ebx, 1
		jz	loc_599520
		mov	ecx, large fs:124h
		cmp	dword ptr [ecx+37Ch], 0
		jz	loc_599505
		mov	ecx, ebp
		call	@PsPicoSystemCallDispatch@4 ; PsPicoSystemCallDispatch(x)
		cli
		test	byte ptr [ebp+72h], 2
		jnz	short loc_5991BE
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_599234

loc_5991BE:				; CODE XREF: Dr_kass_a+3FAj
					; Dr_kass_a+476j
		mov	ebx, large fs:124h
		test	byte ptr [ebx+2], 81h
		jz	short loc_5991F0
		push	eax
		test	byte ptr [ebx+2], 1
		jz	short loc_5991DE
		push	ebx
		call	_KiCopyCounters@4 ; KiCopyCounters(x)
		test	byte ptr [ebx+2], 80h
		jz	short loc_5991EF

loc_5991DE:				; CODE XREF: Dr_kass_a+414j
		test	byte ptr [ebx+86h], 3
		jnz	short loc_5991EF
		push	1
		push	ebp
		call	KiSetupForInstrumentationReturn

loc_5991EF:				; CODE XREF: Dr_kass_a+420j
					; Dr_kass_a+429j
		pop	eax

loc_5991F0:				; CODE XREF: Dr_kass_a+40Dj
		mov	byte ptr [ebx+56h], 0
		test	byte ptr [ebx+86h], 3
		jz	short loc_599234
		mov	ebx, ebp
		mov	[ebx+40h], eax
		mov	dword ptr [ebx+34h], 23h
		mov	dword ptr [ebx+30h], 23h
		mov	ecx, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	eax
		sti
		push	ebx
		push	0
		push	1
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebx+40h]
		cli
		jmp	short loc_5991BE
; 

loc_599234:				; CODE XREF: Dr_kass_a+400j
					; Dr_kass_a+43Fj
		mov	edx, [ebp+4Ch]
		ldmxcsr	dword ptr [ebp+48h]
		mov	large fs:0, edx
		test	dword ptr [ebp+28h], 0FFFF23FFh
		jnz	loc_59948C

loc_59924F:				; CODE XREF: Dr_kass_a+6E0j
					; Dr_kass_a+70Fj
		test	dword ptr [ebp+70h], 20000h
		jnz	loc_59B5C0
		mov	edi, esp
		movaps	xmm0, oword ptr	[edi]
		movaps	xmm1, oword ptr	[edi+10h]
		movaps	xmm2, oword ptr	[edi+20h]
		movaps	xmm3, oword ptr	[edi+30h]
		movaps	xmm4, oword ptr	[edi+40h]
		movaps	xmm5, oword ptr	[edi+50h]
		movaps	xmm6, oword ptr	[edi+60h]
		movaps	xmm7, oword ptr	[edi+70h]
		test	word ptr [ebp+6Ch], 0FFF9h
		jz	loc_5994D0
		test	byte ptr [ebp+6Ch], 1
		jz	loc_5993F6
		movzx	eax, large word	ptr fs:22E0h
		cmp	large fs:22DAh,	ax
		jz	short loc_5992B5
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_5992B5:				; CODE XREF: Dr_kass_a+4E7j
		btr	large word ptr fs:22D8h, 2
		jnb	short loc_5992CF
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr

loc_5992CF:				; CODE XREF: Dr_kass_a+503j
		btr	large word ptr fs:22D8h, 4
		jnb	loc_5993DF
		call	sub_5993D4

loc_5992E4:				; CODE XREF: Dr_kass_a+533p
		add	esp, 4
		call	sub_5993DC

loc_5992EC:				; CODE XREF: Dr_kass_a+53Bp
		add	esp, 4
		call	loc_5992E4

loc_5992F4:				; CODE XREF: Dr_kass_a+543p
		add	esp, 4
		call	loc_5992EC

loc_5992FC:				; CODE XREF: Dr_kass_a+54Bp
		add	esp, 4
		call	loc_5992F4

loc_599304:				; CODE XREF: Dr_kass_a+553p
		add	esp, 4
		call	loc_5992FC

loc_59930C:				; CODE XREF: Dr_kass_a+55Bp
		add	esp, 4
		call	loc_599304

loc_599314:				; CODE XREF: Dr_kass_a+563p
		add	esp, 4
		call	loc_59930C

loc_59931C:				; CODE XREF: Dr_kass_a+56Bp
		add	esp, 4
		call	loc_599314

loc_599324:				; CODE XREF: Dr_kass_a+573p
		add	esp, 4
		call	loc_59931C

loc_59932C:				; CODE XREF: Dr_kass_a+57Bp
		add	esp, 4
		call	loc_599324

loc_599334:				; CODE XREF: Dr_kass_a+583p
		add	esp, 4
		call	loc_59932C

loc_59933C:				; CODE XREF: Dr_kass_a+58Bp
		add	esp, 4
		call	loc_599334

loc_599344:				; CODE XREF: Dr_kass_a+593p
		add	esp, 4
		call	loc_59933C

loc_59934C:				; CODE XREF: Dr_kass_a+59Bp
		add	esp, 4
		call	loc_599344

loc_599354:				; CODE XREF: Dr_kass_a+5A3p
		add	esp, 4
		call	loc_59934C

loc_59935C:				; CODE XREF: Dr_kass_a+5ABp
		add	esp, 4
		call	loc_599354

loc_599364:				; CODE XREF: Dr_kass_a+5B3p
		add	esp, 4
		call	loc_59935C

loc_59936C:				; CODE XREF: Dr_kass_a+5BBp
		add	esp, 4
		call	loc_599364

loc_599374:				; CODE XREF: Dr_kass_a+5C3p
		add	esp, 4
		call	loc_59936C

loc_59937C:				; CODE XREF: Dr_kass_a+5CBp
		add	esp, 4
		call	loc_599374

loc_599384:				; CODE XREF: Dr_kass_a+5D3p
		add	esp, 4
		call	loc_59937C

loc_59938C:				; CODE XREF: Dr_kass_a+5DBp
		add	esp, 4
		call	loc_599384

loc_599394:				; CODE XREF: Dr_kass_a+5E3p
		add	esp, 4
		call	loc_59938C

loc_59939C:				; CODE XREF: Dr_kass_a+5EBp
		add	esp, 4
		call	loc_599394

loc_5993A4:				; CODE XREF: Dr_kass_a+5F3p
		add	esp, 4
		call	loc_59939C

loc_5993AC:				; CODE XREF: Dr_kass_a+5FBp
		add	esp, 4
		call	loc_5993A4

loc_5993B4:				; CODE XREF: Dr_kass_a+603p
		add	esp, 4
		call	loc_5993AC

loc_5993BC:				; CODE XREF: Dr_kass_a+60Bp
		add	esp, 4
		call	loc_5993B4

loc_5993C4:				; CODE XREF: Dr_kass_a+613p
		add	esp, 4
		call	loc_5993BC

loc_5993CC:				; CODE XREF: sub_5993D4+3p
		add	esp, 4
		call	loc_5993C4
Dr_kass_a	endp


;  S U B	R O U T	I N E 


sub_5993D4	proc near		; CODE XREF: Dr_kass_a+523p
		add	esp, 4
		call	loc_5993CC
sub_5993D4	endp


;  S U B	R O U T	I N E 


sub_5993DC	proc near		; CODE XREF: Dr_kass_a+52Bp

arg_68		= word ptr  6Ch
arg_6C		= dword	ptr  70h

		add	esp, 4

loc_5993DF:				; CODE XREF: Dr_kass_a+51Dj
		test	large word ptr fs:22D8h, 20h
		jz	short loc_5993F6
		xor	eax, eax
		xor	edx, edx
		mov	ecx, 1
		div	ecx

loc_5993F6:				; CODE XREF: Dr_kass_a+4D1j
					; sub_5993DC+Dj
		mov	edx, [ebp+38h]
		mov	ecx, [ebp+3Ch]
		mov	eax, [ebp+40h]
		cmp	word ptr [ebp+6Ch], 8
		jz	short loc_59945B
		lea	esp, [ebp+2Ch]
		pop	gs
		test	ss:_KiKvaShadow, 1
		jz	short loc_599440
		mov	ebx, [ebp+50h]
		mov	large dword ptr	fs:5020h, 1
		mov	esi, [ebp+30h]
		mov	edi, [ebp+34h]
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	edi
		mov	large fs:5018h,	ebx
		jmp	short loc_59945B
; 

loc_599440:				; CODE XREF: sub_5993DC+37j
		test	large word ptr fs:22D8h, 40h
		jz	short loc_599454
		verw	large word ptr fs:5028h

loc_599454:				; CODE XREF: sub_5993DC+6Ej
		pop	es
		assume es:nothing
		pop	ds
		assume ds:_data
		lea	esp, [ebp+50h]
		pop	fs
		assume fs:nothing

loc_59945B:				; CODE XREF: sub_5993DC+28j
					; sub_5993DC+62j
		lea	esp, [ebp+54h]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		add	esp, 4
		test	ss:_KiKvaShadow, 1
		jz	short locret_599489
		test	[esp-68h+arg_6C], 20000h
		jnz	_KiKernelExit
		cmp	[esp-68h+arg_68], 8
		jnz	_KiKernelExit

locret_599489:				; CODE XREF: sub_5993DC+91j
		iret
sub_5993DC	endp ; sp =  68h

; 
		align 4
; START	OF FUNCTION CHUNK FOR Dr_kass_a

loc_59948C:				; CODE XREF: Dr_kass_a+48Dj
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5994A2
		test	dword ptr [ebp+6Ch], 1
		jz	loc_59924F

loc_5994A2:				; CODE XREF: Dr_kass_a+6D7j
		xor	ebx, ebx
		mov	esi, [ebp+14h]
		mov	edi, [ebp+18h]
		mov	dr7, ebx
		mov	dr0, esi
		mov	ebx, [ebp+1Ch]
		mov	dr1, edi
		mov	dr2, ebx
		mov	esi, [ebp+20h]
		mov	edi, [ebp+24h]
		mov	ebx, [ebp+28h]
		mov	dr3, esi
		mov	dr6, edi
		mov	dr7, ebx
		jmp	loc_59924F
; 

loc_5994D0:				; CODE XREF: Dr_kass_a+4C7j
		movzx	ebx, word ptr [ebp+0Ch]
		mov	[ebp+6Ch], ebx
		mov	ebx, [ebp+10h]
		sub	ebx, 0Ch
		mov	[ebp+64h], ebx
		mov	esi, [ebp+70h]
		mov	[ebx+8], esi
		mov	esi, [ebp+6Ch]
		mov	[ebx+4], esi
		mov	esi, [ebp+68h]
		mov	[ebx], esi
		mov	eax, [ebp+40h]
		mov	edx, [ebp+38h]
		mov	ecx, [ebp+3Ch]
		lea	esp, [ebp+54h]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		mov	esp, [esp-64h+arg_60]
		iret
; 

loc_599505:				; CODE XREF: Dr_kass_a+3C8j
					; Dr_kass_a+3E8j
		mov	edi, esp
		mov	eax, 0C0000005h
		mov	ebx, [ebp+68h]
		mov	ecx, 2
		xor	edx, edx
		mov	esi, 0FFFFFFFFh
		call	KiDispatchTrapException

loc_599520:				; CODE XREF: Dr_kass_a+3D4j
		call	_KiSystemFatalException
; END OF FUNCTION CHUNK	FOR Dr_kass_a

;  S U B	R O U T	I N E 


_KiSystemService proc near		; CODE XREF: ZwAccessCheck(x,x,x,x,x,x,x,x)+Cp
					; ZwWorkerFactoryWorkerReady(x)+Cp ...
		push	0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		assume fs:nothing
		mov	ebx, 23h
		mov	ds, bx
		assume ds:nothing
		mov	es, bx
		assume es:nothing
		mov	esi, large fs:124h
		push	large dword ptr	fs:0
		mov	ebx, ds:_KiI386ExceptionChainTerminator
		mov	large fs:0, ebx
		sub	esp, 4Ch
		mov	ebp, esp
		movzx	ebx, byte ptr [esi+15Ah]
		mov	[ebp+44h], bl
		mov	ebx, [ebp+6Ch]
		and	ebx, 1
		mov	[esi+15Ah], bl
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_599599
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_599599
		mov	ecx, large fs:5018h
		mov	[ebp+50h], ecx

loc_599599:				; CODE XREF: _KiSystemService+62j
					; _KiSystemService+68j
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_5995BD
		lfence	eax
		jmp	loc_599753
; 
		db 64h
		dd 0DA05B70Fh, 0B9000022h, 48h,	300FD233h, 196E9h
		db 0
; 

loc_5995BD:				; CODE XREF: _KiSystemService+78j
		mov	[ebp+40h], eax
		mov	[ebp+38h], edx
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59960B
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59960B:				; CODE XREF: _KiSystemService+D4j
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_599631
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_599631:				; CODE XREF: _KiSystemService+F4j
		test	edx, 2
		jz	loc_59973D
		call	sub_599732

loc_599642:				; CODE XREF: _KiSystemService+128p
		add	esp, 4
		call	sub_59973A

loc_59964A:				; CODE XREF: _KiSystemService+130p
		add	esp, 4
		call	loc_599642

loc_599652:				; CODE XREF: _KiSystemService+138p
		add	esp, 4
		call	loc_59964A

loc_59965A:				; CODE XREF: _KiSystemService+140p
		add	esp, 4
		call	loc_599652

loc_599662:				; CODE XREF: _KiSystemService+148p
		add	esp, 4
		call	loc_59965A

loc_59966A:				; CODE XREF: _KiSystemService+150p
		add	esp, 4
		call	loc_599662

loc_599672:				; CODE XREF: _KiSystemService+158p
		add	esp, 4
		call	loc_59966A

loc_59967A:				; CODE XREF: _KiSystemService+160p
		add	esp, 4
		call	loc_599672

loc_599682:				; CODE XREF: _KiSystemService+168p
		add	esp, 4
		call	loc_59967A

loc_59968A:				; CODE XREF: _KiSystemService+170p
		add	esp, 4
		call	loc_599682

loc_599692:				; CODE XREF: _KiSystemService+178p
		add	esp, 4
		call	loc_59968A

loc_59969A:				; CODE XREF: _KiSystemService+180p
		add	esp, 4
		call	loc_599692

loc_5996A2:				; CODE XREF: _KiSystemService+188p
		add	esp, 4
		call	loc_59969A

loc_5996AA:				; CODE XREF: _KiSystemService+190p
		add	esp, 4
		call	loc_5996A2

loc_5996B2:				; CODE XREF: _KiSystemService+198p
		add	esp, 4
		call	loc_5996AA

loc_5996BA:				; CODE XREF: _KiSystemService+1A0p
		add	esp, 4
		call	loc_5996B2

loc_5996C2:				; CODE XREF: _KiSystemService+1A8p
		add	esp, 4
		call	loc_5996BA

loc_5996CA:				; CODE XREF: _KiSystemService+1B0p
		add	esp, 4
		call	loc_5996C2

loc_5996D2:				; CODE XREF: _KiSystemService+1B8p
		add	esp, 4
		call	loc_5996CA

loc_5996DA:				; CODE XREF: _KiSystemService+1C0p
		add	esp, 4
		call	loc_5996D2

loc_5996E2:				; CODE XREF: _KiSystemService+1C8p
		add	esp, 4
		call	loc_5996DA

loc_5996EA:				; CODE XREF: _KiSystemService+1D0p
		add	esp, 4
		call	loc_5996E2

loc_5996F2:				; CODE XREF: _KiSystemService+1D8p
		add	esp, 4
		call	loc_5996EA

loc_5996FA:				; CODE XREF: _KiSystemService+1E0p
		add	esp, 4
		call	loc_5996F2

loc_599702:				; CODE XREF: _KiSystemService+1E8p
		add	esp, 4
		call	loc_5996FA

loc_59970A:				; CODE XREF: _KiSystemService+1F0p
		add	esp, 4
		call	loc_599702

loc_599712:				; CODE XREF: _KiSystemService+1F8p
		add	esp, 4
		call	loc_59970A

loc_59971A:				; CODE XREF: _KiSystemService+200p
		add	esp, 4
		call	loc_599712

loc_599722:				; CODE XREF: _KiSystemService+208p
		add	esp, 4
		call	loc_59971A

loc_59972A:				; CODE XREF: sub_599732+3p
		add	esp, 4
		call	loc_599722
_KiSystemService endp


;  S U B	R O U T	I N E 


sub_599732	proc near		; CODE XREF: _KiSystemService+118p
		add	esp, 4
		call	loc_59972A
sub_599732	endp


;  S U B	R O U T	I N E 


sub_59973A	proc near		; CODE XREF: _KiSystemService+120p
		add	esp, 4

loc_59973D:				; CODE XREF: _KiSystemService+112j
		test	edx, 80h
		jz	short loc_59974A
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59974A:				; CODE XREF: sub_59973A+9j
		lfence	eax
		mov	eax, [ebp+40h]
		mov	edx, [ebp+38h]

loc_599753:				; CODE XREF: _KiSystemService+7Dj
		mov	ebx, gs
		mov	[ebp+2Ch], ebx
		xor	ebx, ebx
		mov	gs, bx
		assume gs:nothing
		mov	ebx, [esi+6Ch]
		mov	[ebp+38h], ebx
		mov	byte ptr [ebp+0Fh], 2
		and	dword ptr [ebp+28h], 0
		test	byte ptr [esi+3], 0DFh
		mov	[esi+6Ch], ebp
		cld
		jnz	Dr_kss_a

loc_599778:				; CODE XREF: Dr_kss_a+Dj Dr_kss_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		sti
		jmp	loc_599A6E
sub_59973A	endp


;  S U B	R O U T	I N E 


_KiFastCallEntry2 proc near		; DATA XREF: V86_kit1_a+342o

var_C		= byte ptr -0Ch

		mov	ecx, 30h
		mov	fs, cx
		mov	ecx, 23h
		mov	ds, cx
		mov	es, cx
		mov	ecx, large fs:40h
		mov	esp, [ecx+4]
		push	23h
		push	edx
		pushf
		or	byte ptr [esp+1], 1
		jmp	short KiFastCallEntryCommon
_KiFastCallEntry2 endp

; 
; START	OF FUNCTION CHUNK FOR KiFastCallEntryCommon

loc_5997B6:				; CODE XREF: KiFastCallEntryCommon+4Cj
		test	ss:_KiKvaShadow, 1
		jz	short loc_5997C9
		mov	esp, large fs:5004h
		jmp	short loc_5997D3
; 

loc_5997C9:				; CODE XREF: KiFastCallEntryCommon-51j
		mov	ecx, large fs:40h
		mov	esp, [ecx+4]

loc_5997D3:				; CODE XREF: KiFastCallEntryCommon-48j
		push	0
		push	0
		push	0
		push	0
		push	23h
		push	0
		push	20202h
		push	1Bh
		push	0
		jmp	_KiTrap06
; END OF FUNCTION CHUNK	FOR KiFastCallEntryCommon
; 
		align 10h

;  S U B	R O U T	I N E 


_KiFastCallEntry proc near		; DATA XREF: V86_kit1_a+33Ao
					; KiLoadFastSyscallMachineSpecificRegisters:loc_5E59F6o
		mov	ecx, 23h
		push	30h
		pop	fs
		mov	ds, cx
		mov	es, cx
		xor	ecx, ecx
		mov	gs, cx
		mov	ecx, large fs:40h
		mov	esp, [ecx+4]
		push	23h
		push	edx
		pushf
_KiFastCallEntry endp


;  S U B	R O U T	I N E 


KiFastCallEntryCommon proc near		; CODE XREF: _KiFastCallEntry2+23j
					; _KiShadowExitEnd+33j	...

var_54		= byte ptr -54h
var_27		= byte ptr -27h

; FUNCTION CHUNK AT 005997B6 SIZE 00000037 BYTES

		push	2
		add	edx, 8
		popf
		or	[esp+28h+var_27], 2
		push	1Bh
		push	ds:_KeI386FastSystemCallReturn
		push	0
		push	ebp
		push	ebx
		push	esi
		push	edi
		mov	ebx, large fs:1Ch
		push	3Bh
		push	dword ptr [ebx]
		mov	esi, ds:_KiI386ExceptionChainTerminator
		mov	[ebx], esi
		mov	esi, [ebx+124h]
		mov	ebp, [esi+20h]
		sub	esp, 4Ch
		mov	[esp+98h+var_54], 1
		sub	ebp, 8Ch
		mov	byte ptr [esi+15Ah], 1
		cmp	ebp, esp
		jnz	loc_5997B6
		test	ss:_KiKvaShadow, 1
		jz	short loc_59987B
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59987B
		mov	ecx, large fs:5018h
		mov	[ebp+50h], ecx

loc_59987B:				; CODE XREF: KiFastCallEntryCommon+5Aj
					; KiFastCallEntryCommon+60j
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59989F
		lfence	eax
		jmp	loc_599A35
; 
		db 64h,	0Fh, 0B7h
		dd 22DA05h, 48B900h, 0D2330000h, 96E9300Fh
		db 1, 2	dup(0)
; 

loc_59989F:				; CODE XREF: KiFastCallEntryCommon+70j
		mov	[ebp+40h], eax
		mov	[ebp+38h], edx
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_5998ED
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_5998ED:				; CODE XREF: KiFastCallEntryCommon+CCj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_599913
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_599913:				; CODE XREF: KiFastCallEntryCommon+ECj
		test	edx, 2
		jz	loc_599A1F
		call	sub_599A14

loc_599924:				; CODE XREF: KiFastCallEntryCommon+120p
		add	esp, 4
		call	sub_599A1C

loc_59992C:				; CODE XREF: KiFastCallEntryCommon+128p
		add	esp, 4
		call	loc_599924

loc_599934:				; CODE XREF: KiFastCallEntryCommon+130p
		add	esp, 4
		call	loc_59992C

loc_59993C:				; CODE XREF: KiFastCallEntryCommon+138p
		add	esp, 4
		call	loc_599934

loc_599944:				; CODE XREF: KiFastCallEntryCommon+140p
		add	esp, 4
		call	loc_59993C

loc_59994C:				; CODE XREF: KiFastCallEntryCommon+148p
		add	esp, 4
		call	loc_599944

loc_599954:				; CODE XREF: KiFastCallEntryCommon+150p
		add	esp, 4
		call	loc_59994C

loc_59995C:				; CODE XREF: KiFastCallEntryCommon+158p
		add	esp, 4
		call	loc_599954

loc_599964:				; CODE XREF: KiFastCallEntryCommon+160p
		add	esp, 4
		call	loc_59995C

loc_59996C:				; CODE XREF: KiFastCallEntryCommon+168p
		add	esp, 4
		call	loc_599964

loc_599974:				; CODE XREF: KiFastCallEntryCommon+170p
		add	esp, 4
		call	loc_59996C

loc_59997C:				; CODE XREF: KiFastCallEntryCommon+178p
		add	esp, 4
		call	loc_599974

loc_599984:				; CODE XREF: KiFastCallEntryCommon+180p
		add	esp, 4
		call	loc_59997C

loc_59998C:				; CODE XREF: KiFastCallEntryCommon+188p
		add	esp, 4
		call	loc_599984

loc_599994:				; CODE XREF: KiFastCallEntryCommon+190p
		add	esp, 4
		call	loc_59998C

loc_59999C:				; CODE XREF: KiFastCallEntryCommon+198p
		add	esp, 4
		call	loc_599994

loc_5999A4:				; CODE XREF: KiFastCallEntryCommon+1A0p
		add	esp, 4
		call	loc_59999C

loc_5999AC:				; CODE XREF: KiFastCallEntryCommon+1A8p
		add	esp, 4
		call	loc_5999A4

loc_5999B4:				; CODE XREF: KiFastCallEntryCommon+1B0p
		add	esp, 4
		call	loc_5999AC

loc_5999BC:				; CODE XREF: KiFastCallEntryCommon+1B8p
		add	esp, 4
		call	loc_5999B4

loc_5999C4:				; CODE XREF: KiFastCallEntryCommon+1C0p
		add	esp, 4
		call	loc_5999BC

loc_5999CC:				; CODE XREF: KiFastCallEntryCommon+1C8p
		add	esp, 4
		call	loc_5999C4

loc_5999D4:				; CODE XREF: KiFastCallEntryCommon+1D0p
		add	esp, 4
		call	loc_5999CC

loc_5999DC:				; CODE XREF: KiFastCallEntryCommon+1D8p
		add	esp, 4
		call	loc_5999D4

loc_5999E4:				; CODE XREF: KiFastCallEntryCommon+1E0p
		add	esp, 4
		call	loc_5999DC

loc_5999EC:				; CODE XREF: KiFastCallEntryCommon+1E8p
		add	esp, 4
		call	loc_5999E4

loc_5999F4:				; CODE XREF: KiFastCallEntryCommon+1F0p
		add	esp, 4
		call	loc_5999EC

loc_5999FC:				; CODE XREF: KiFastCallEntryCommon+1F8p
		add	esp, 4
		call	loc_5999F4

loc_599A04:				; CODE XREF: KiFastCallEntryCommon+200p
		add	esp, 4
		call	loc_5999FC

loc_599A0C:				; CODE XREF: sub_599A14+3p
		add	esp, 4
		call	loc_599A04
KiFastCallEntryCommon endp


;  S U B	R O U T	I N E 


sub_599A14	proc near		; CODE XREF: KiFastCallEntryCommon+110p
		add	esp, 4
		call	loc_599A0C
sub_599A14	endp


;  S U B	R O U T	I N E 


sub_599A1C	proc near		; CODE XREF: KiFastCallEntryCommon+118p
		add	esp, 4

loc_599A1F:				; CODE XREF: KiFastCallEntryCommon+10Aj
		test	edx, 80h
		jz	short loc_599A2C
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_599A2C:				; CODE XREF: sub_599A1C+9j
		lfence	eax
		mov	eax, [ebp+40h]
		mov	edx, [ebp+38h]

loc_599A35:				; CODE XREF: KiFastCallEntryCommon+75j
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		mov	byte ptr [ebp+0Fh], 2
		and	dword ptr [ebp+28h], 0
		and	dword ptr [ebp+38h], 0
		mov	[esi+6Ch], ebp
		test	byte ptr [esi+3], 0DFh
		jnz	Dr_FastCallDrSave

loc_599A5A:				; CODE XREF: Dr_kass_a+B9j
					; Dr_kass_a+125j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		sti

loc_599A6E:				; CODE XREF: _KiEndUnexpectedRange+15j
					; sub_59973A+52j
		mov	edi, eax
		shr	edi, 8
		and	edi, 10h
		mov	ecx, edi
		add	edi, [esi+3Ch]
		mov	ebx, eax
		and	eax, 0FFFh
		cmp	eax, [edi+8]
		jnb	_KiEndUnexpectedRange
		cmp	ecx, 10h
		jnz	short loc_599AB1
		mov	ecx, [esi+0A8h]
		xor	esi, esi
sub_599A1C	endp


;  S U B	R O U T	I N E 


; __stdcall KiSystemServiceAccessTeb()
_KiSystemServiceAccessTeb@0 proc near	; DATA XREF: KiPreprocessAccessViolation+5Ao

; FUNCTION CHUNK AT 00599ED8 SIZE 0000000A BYTES
; FUNCTION CHUNK AT 00599F1B SIZE 0000000C BYTES

		or	esi, [ecx+0F70h]
		jz	short loc_599AB1
		push	edx
		push	eax
		push	0
		push	0
		push	0
		push	7
		call	PsInvokeWin32Callout
		pop	eax
		pop	edx

loc_599AB1:				; CODE XREF: sub_599A1C+72j
					; KiSystemServiceAccessTeb()+6j
		inc	large dword ptr	fs:6B0h
		mov	esi, edx
		xor	ecx, ecx
		mov	edx, [edi+0Ch]
		mov	edi, [edi]
		mov	cl, [edx+eax]
		mov	edx, [edi+eax*4]
		sub	esp, ecx
		shr	ecx, 2
		mov	edi, esp
		mov	eax, large fs:124h
		test	byte ptr [eax+15Ah], 0FFh
		jz	short _KiSystemServiceCopyArguments@0 ;	KiSystemServiceCopyArguments()
		cmp	esi, ds:_MmUserProbeAddress
		jnb	loc_599ED8

; __stdcall KiSystemServiceCopyArguments()
_KiSystemServiceCopyArguments@0:	; CODE XREF: KiSystemServiceAccessTeb()+43j
					; DATA XREF: KiPreprocessAccessViolation+4Fo
		rep movsd
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_599AFA
		mov	edi, [esp+0]
		mov	[eax+64h], ebx
		mov	[eax+68h], edi

loc_599AFA:				; CODE XREF: KiSystemServiceAccessTeb()+57j
		mov	ebx, edx
		test	byte ptr ds:dword_70EFC8, 40h
		setnz	byte ptr [ebp+0Eh]
		jnz	loc_599F1B

loc_599B0D:				; CODE XREF: KiSystemServiceAccessTeb()+48Aj
		call	ebx
_KiSystemServiceAccessTeb@0 endp


;  S U B	R O U T	I N E 


; __stdcall KiSystemServicePostCall()
_KiSystemServicePostCall@0 proc	near	; CODE XREF: KiSystemServiceAccessTeb()+445j
					; sub_59A968+5Dj
					; DATA XREF: ...

arg_60		= dword	ptr  64h
arg_68		= dword	ptr  6Ch

; FUNCTION CHUNK AT 00599D86 SIZE 0000008A BYTES
; FUNCTION CHUNK AT 00599E68 SIZE 00000070 BYTES
; FUNCTION CHUNK AT 00599EE2 SIZE 00000039 BYTES
; FUNCTION CHUNK AT 00599F27 SIZE 0000000E BYTES

		test	byte ptr [ebp+6Ch], 1
		jz	short loc_599B49
		mov	esi, eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		or	al, al
		jnz	loc_599EE2
		mov	eax, esi
		mov	ecx, large fs:124h
		test	byte ptr [ecx+16Ah], 0FFh
		jnz	loc_599F00
		mov	edx, [ecx+13Ch]
		or	edx, edx
		jnz	loc_599F00

loc_599B49:				; CODE XREF: KiSystemServicePostCall()+4j
		mov	esp, ebp
		cmp	byte ptr [ebp+0Eh], 0
		jnz	loc_599F27

loc_599B55:				; CODE XREF: _KiEndUnexpectedRange+39j
					; _KiEndUnexpectedRange+44j ...
		mov	ecx, large fs:124h
		mov	edx, [ebp+38h]
		mov	[ecx+6Ch], edx

_KiServiceExit:				; CODE XREF: sub_5808E5+ACj
					; NtContinue(x,x)+ACj ...
		cli
		test	byte ptr [ebp+72h], 2
		jnz	short loc_599B6F
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_599BE8

loc_599B6F:				; CODE XREF: KiSystemServicePostCall()+58j
					; KiSystemServicePostCall()+D4j
		mov	ebx, large fs:124h
		test	byte ptr [ebx+2], 81h
		jz	short loc_599BA1
		push	eax
		test	byte ptr [ebx+2], 1
		jz	short loc_599B8F
		push	ebx
		call	_KiCopyCounters@4 ; KiCopyCounters(x)
		test	byte ptr [ebx+2], 80h
		jz	short loc_599BA0

loc_599B8F:				; CODE XREF: KiSystemServicePostCall()+72j
		test	byte ptr [ebx+86h], 3
		jnz	short loc_599BA0
		push	1
		push	ebp
		call	KiSetupForInstrumentationReturn

loc_599BA0:				; CODE XREF: KiSystemServicePostCall()+7Ej
					; KiSystemServicePostCall()+87j
		pop	eax

loc_599BA1:				; CODE XREF: KiSystemServicePostCall()+6Bj
		mov	byte ptr [ebx+56h], 0
		test	byte ptr [ebx+86h], 3
		jz	short loc_599BE8
		mov	ebx, ebp
		mov	[ebx+40h], eax
		mov	dword ptr [ebx+34h], 23h
		mov	dword ptr [ebx+30h], 23h
		mov	ecx, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	eax
		sti
		push	ebx
		push	0
		push	1
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebx+40h]
		cli
		jmp	short loc_599B6F
; 
		align 4

loc_599BE8:				; CODE XREF: KiSystemServicePostCall()+5Ej
					; KiSystemServicePostCall()+9Dj
		mov	edx, [ebp+4Ch]
		ldmxcsr	dword ptr [ebp+48h]
		mov	large fs:0, edx
		mov	esi, large fs:124h
		movzx	ecx, byte ptr [ebp+44h]
		mov	[esi+15Ah], cl
		test	dword ptr [ebp+28h], 0FFFF23FFh
		jnz	loc_599E68

loc_599C14:				; CODE XREF: KiSystemServicePostCall()+369j
					; KiSystemServicePostCall()+398j
		test	dword ptr [ebp+70h], 20000h
		jnz	loc_59B5C0
		test	word ptr [ebp+6Ch], 0FFF9h
		jz	loc_599EAC
		mov	[ebp+40h], eax
		test	byte ptr [ebp+6Ch], 1
		jz	loc_599D9D
		movzx	eax, large word	ptr fs:22E0h
		cmp	large fs:22DAh,	ax
		jz	short loc_599C5C
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_599C5C:				; CODE XREF: KiSystemServicePostCall()+13Bj
		btr	large word ptr fs:22D8h, 2
		jnb	short loc_599C76
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr

loc_599C76:				; CODE XREF: KiSystemServicePostCall()+157j
		btr	large word ptr fs:22D8h, 4
		jnb	loc_599D86
		call	sub_599D7B

loc_599C8B:				; CODE XREF: KiSystemServicePostCall()+187p
		add	esp, 4
		call	sub_599D83

loc_599C93:				; CODE XREF: KiSystemServicePostCall()+18Fp
		add	esp, 4
		call	loc_599C8B

loc_599C9B:				; CODE XREF: KiSystemServicePostCall()+197p
		add	esp, 4
		call	loc_599C93

loc_599CA3:				; CODE XREF: KiSystemServicePostCall()+19Fp
		add	esp, 4
		call	loc_599C9B

loc_599CAB:				; CODE XREF: KiSystemServicePostCall()+1A7p
		add	esp, 4
		call	loc_599CA3

loc_599CB3:				; CODE XREF: KiSystemServicePostCall()+1AFp
		add	esp, 4
		call	loc_599CAB

loc_599CBB:				; CODE XREF: KiSystemServicePostCall()+1B7p
		add	esp, 4
		call	loc_599CB3

loc_599CC3:				; CODE XREF: KiSystemServicePostCall()+1BFp
		add	esp, 4
		call	loc_599CBB

loc_599CCB:				; CODE XREF: KiSystemServicePostCall()+1C7p
		add	esp, 4
		call	loc_599CC3

loc_599CD3:				; CODE XREF: KiSystemServicePostCall()+1CFp
		add	esp, 4
		call	loc_599CCB

loc_599CDB:				; CODE XREF: KiSystemServicePostCall()+1D7p
		add	esp, 4
		call	loc_599CD3

loc_599CE3:				; CODE XREF: KiSystemServicePostCall()+1DFp
		add	esp, 4
		call	loc_599CDB

loc_599CEB:				; CODE XREF: KiSystemServicePostCall()+1E7p
		add	esp, 4
		call	loc_599CE3

loc_599CF3:				; CODE XREF: KiSystemServicePostCall()+1EFp
		add	esp, 4
		call	loc_599CEB

loc_599CFB:				; CODE XREF: KiSystemServicePostCall()+1F7p
		add	esp, 4
		call	loc_599CF3

loc_599D03:				; CODE XREF: KiSystemServicePostCall()+1FFp
		add	esp, 4
		call	loc_599CFB

loc_599D0B:				; CODE XREF: KiSystemServicePostCall()+207p
		add	esp, 4
		call	loc_599D03

loc_599D13:				; CODE XREF: KiSystemServicePostCall()+20Fp
		add	esp, 4
		call	loc_599D0B

loc_599D1B:				; CODE XREF: KiSystemServicePostCall()+217p
		add	esp, 4
		call	loc_599D13

loc_599D23:				; CODE XREF: KiSystemServicePostCall()+21Fp
		add	esp, 4
		call	loc_599D1B

loc_599D2B:				; CODE XREF: KiSystemServicePostCall()+227p
		add	esp, 4
		call	loc_599D23

loc_599D33:				; CODE XREF: KiSystemServicePostCall()+22Fp
		add	esp, 4
		call	loc_599D2B

loc_599D3B:				; CODE XREF: KiSystemServicePostCall()+237p
		add	esp, 4
		call	loc_599D33

loc_599D43:				; CODE XREF: KiSystemServicePostCall()+23Fp
		add	esp, 4
		call	loc_599D3B

loc_599D4B:				; CODE XREF: KiSystemServicePostCall()+247p
		add	esp, 4
		call	loc_599D43

loc_599D53:				; CODE XREF: KiSystemServicePostCall()+24Fp
		add	esp, 4
		call	loc_599D4B

loc_599D5B:				; CODE XREF: KiSystemServicePostCall()+257p
		add	esp, 4
		call	loc_599D53

loc_599D63:				; CODE XREF: KiSystemServicePostCall()+25Fp
		add	esp, 4
		call	loc_599D5B

loc_599D6B:				; CODE XREF: KiSystemServicePostCall()+267p
		add	esp, 4
		call	loc_599D63

loc_599D73:				; CODE XREF: sub_599D7B+3p
		add	esp, 4
		call	loc_599D6B
_KiSystemServicePostCall@0 endp


;  S U B	R O U T	I N E 


sub_599D7B	proc near		; CODE XREF: KiSystemServicePostCall()+177p
		add	esp, 4
		call	loc_599D73
sub_599D7B	endp


;  S U B	R O U T	I N E 


sub_599D83	proc near		; CODE XREF: KiSystemServicePostCall()+17Fp
		add	esp, 4
sub_599D83	endp

; START	OF FUNCTION CHUNK FOR _KiSystemServicePostCall@0

loc_599D86:				; CODE XREF: KiSystemServicePostCall()+171j
		test	large word ptr fs:22D8h, 20h
		jz	short loc_599D9D
		xor	eax, eax
		xor	edx, edx
		mov	ecx, 1
		div	ecx

loc_599D9D:				; CODE XREF: KiSystemServicePostCall()+125j
					; KiSystemServicePostCall()+281j
		xorps	xmm0, xmm0
		xorps	xmm1, xmm1
		xorps	xmm2, xmm2
		xorps	xmm3, xmm3
		xorps	xmm4, xmm4
		xorps	xmm5, xmm5
		xorps	xmm6, xmm6
		xorps	xmm7, xmm7
		mov	eax, [ebp+40h]
		cmp	word ptr [ebp+6Ch], 8
		jz	short loc_599DFE
		lea	esp, [ebp+2Ch]
		pop	gs
		assume gs:nothing
		test	ss:_KiKvaShadow, 1
		jz	short loc_599DE5
		mov	ebx, [ebp+50h]
		mov	large dword ptr	fs:5020h, 0
		mov	large fs:5018h,	ebx
		jmp	short loc_599DFE
; 

loc_599DE5:				; CODE XREF: KiSystemServicePostCall()+2BDj
		test	large word ptr fs:22D8h, 40h
		jz	short loc_599DF9
		verw	large word ptr fs:5028h

loc_599DF9:				; CODE XREF: KiSystemServicePostCall()+2E0j
		lea	esp, [ebp+50h]
		pop	fs
		assume fs:nothing

loc_599DFE:				; CODE XREF: KiSystemServicePostCall()+2AEj
					; KiSystemServicePostCall()+2D4j
		lea	esp, [ebp+54h]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		add	esp, 4
		test	[esp-68h+arg_68], 1
; END OF FUNCTION CHUNK	FOR _KiSystemServicePostCall@0
; 
_KiSystemCallExitBranch	db 75h
byte_599E11	db 2Dh			; DATA XREF: KiEnableFastSyscallReturn:loc_564FC4r
					; KiEnableFastSyscallReturn+38w
; 
		pop	edx
		pop	ecx
		popf
		jmp	edx

;  S U B	R O U T	I N E 


_KiSystemCallExit2 proc	near		; DATA XREF: KeRestoreProcessorSpecificFeatures():loc_551B77o
					; KiInitMachineDependent+E4o

arg_4		= dword	ptr  8

		test	[esp+arg_4], 100h
		jnz	short _KiSystemCallExit
		pop	edx
		add	esp, 4
		and	[esp-8+arg_4], 0FFFFFDFFh
		popf
		pop	ecx
		test	ss:_KiKvaShadow, 1
		jnz	_KiKernelSysretExit
		sti
		sysexit
_KiSystemCallExit2 endp


;  S U B	R O U T	I N E 


_KiSystemCallExit proc near		; CODE XREF: _KiSystemCallExit2+8j
					; DATA XREF: KeRestoreProcessorSpecificFeatures()+16o ...

arg_0		= word ptr  4
arg_4		= dword	ptr  8

		xor	ecx, ecx
		xor	edx, edx
		test	ss:_KiKvaShadow, 1
		jz	short locret_599E67
		test	[esp+arg_4], 20000h
		jnz	_KiKernelExit
		cmp	[esp+arg_0], 8
		jnz	_KiKernelExit

locret_599E67:				; CODE XREF: _KiSystemCallExit+Cj
		iret
_KiSystemCallExit endp

; 
; START	OF FUNCTION CHUNK FOR _KiSystemServicePostCall@0

loc_599E68:				; CODE XREF: KiSystemServicePostCall()+FFj
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_599E7E
		test	dword ptr [ebp+6Ch], 1
		jz	loc_599C14

loc_599E7E:				; CODE XREF: KiSystemServicePostCall()+360j
		xor	ebx, ebx
		mov	esi, [ebp+14h]
		mov	edi, [ebp+18h]
		mov	dr7, ebx
		mov	dr0, esi
		mov	ebx, [ebp+1Ch]
		mov	dr1, edi
		mov	dr2, ebx
		mov	esi, [ebp+20h]
		mov	edi, [ebp+24h]
		mov	ebx, [ebp+28h]
		mov	dr3, esi
		mov	dr6, edi
		mov	dr7, ebx
		jmp	loc_599C14
; 

loc_599EAC:				; CODE XREF: KiSystemServicePostCall()+118j
		movzx	ebx, word ptr [ebp+0Ch]
		mov	[ebp+6Ch], ebx
		mov	ebx, [ebp+10h]
		sub	ebx, 0Ch
		mov	[ebp+64h], ebx
		mov	esi, [ebp+70h]
		mov	[ebx+8], esi
		mov	esi, [ebp+6Ch]
		mov	[ebx+4], esi
		mov	esi, [ebp+68h]
		mov	[ebx], esi
		lea	esp, [ebp+54h]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		mov	esp, [esp-64h+arg_60]
		iret
; END OF FUNCTION CHUNK	FOR _KiSystemServicePostCall@0
; 
; START	OF FUNCTION CHUNK FOR _KiSystemServiceAccessTeb@0

loc_599ED8:				; CODE XREF: KiSystemServiceAccessTeb()+4Bj
		mov	eax, 0C0000005h
		jmp	_KiSystemServicePostCall@0 ; KiSystemServicePostCall()
; END OF FUNCTION CHUNK	FOR _KiSystemServiceAccessTeb@0
; 
; START	OF FUNCTION CHUNK FOR _KiSystemServicePostCall@0

loc_599EE2:				; CODE XREF: KiSystemServicePostCall()+10j
		push	large dword ptr	fs:24h
		mov	large byte ptr fs:24h, 0
		cli
		push	ebp
		push	0
		push	0
		push	eax
		push	ebx
		push	4Ah
		call	_KiBugCheck2@24	; KiBugCheck2(x,x,x,x,x,x)

loc_599F00:				; CODE XREF: KiSystemServicePostCall()+26j
					; KiSystemServicePostCall()+34j
		movzx	eax, byte ptr [ecx+16Ah]
		mov	edx, [ecx+13Ch]
		push	ebp
		push	0
		push	edx
		push	eax
		push	ebx
		push	1
		call	_KiBugCheck2@24	; KiBugCheck2(x,x,x,x,x,x)
		retn
; END OF FUNCTION CHUNK	FOR _KiSystemServicePostCall@0
; 
; START	OF FUNCTION CHUNK FOR _KiSystemServiceAccessTeb@0

loc_599F1B:				; CODE XREF: KiSystemServiceAccessTeb()+6Fj
		mov	ecx, ebx
		call	@PerfInfoLogSysCallEntry@4 ; PerfInfoLogSysCallEntry(x)
		jmp	loc_599B0D
; END OF FUNCTION CHUNK	FOR _KiSystemServiceAccessTeb@0
; 
; START	OF FUNCTION CHUNK FOR _KiSystemServicePostCall@0

loc_599F27:				; CODE XREF: KiSystemServicePostCall()+40j
		push	eax
		mov	ecx, eax
		call	@PerfInfoLogSysCallExit@4 ; PerfInfoLogSysCallExit(x)
		pop	eax
		jmp	loc_599B55
; END OF FUNCTION CHUNK	FOR _KiSystemServicePostCall@0

;  S U B	R O U T	I N E 


_BBT_Exclude_Trap_Code_Begin proc near
		int	3		; Trap to Debugger
		mov	edi, edi
_BBT_Exclude_Trap_Code_Begin endp


;  S U B	R O U T	I N E 


Dr_kirscf_a	proc near		; CODE XREF: Dr_kirscf_a+325j

var_2		= word ptr -2

		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_599F4B
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59A263

loc_599F4B:				; CODE XREF: Dr_kirscf_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59A263
; 
		align 4

V86_kirscf_a:				; CODE XREF: Dr_kirscf_a+30Fj
		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59A24D
; 
		align 4

_KiRaiseSecurityCheckFailure:		; CODE XREF: _KiRaiseSecurityCheckFailureShadow+34j
					; _KiRaiseSecurityCheckFailureShadow+BDj
					; DATA XREF: ...
		push	0
		mov	[esp+4+var_2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		assume fs:nothing
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59A05F
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59A05F
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59A05F
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59A05F:				; CODE XREF: Dr_kirscf_a+F9j
					; Dr_kirscf_a+102j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59A08C
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59A08C
		lfence	eax
		jmp	loc_59A216
; 
		dw 0F64h
		dd 22DA05B7h, 48B90000h, 33000000h, 0E9300FD2h,	18Ah
; 

loc_59A08C:				; CODE XREF: Dr_kirscf_a+12Ej
					; Dr_kirscf_a+134j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59A0D4
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59A0D4:				; CODE XREF: Dr_kirscf_a+18Aj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59A0FA
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59A0FA:				; CODE XREF: Dr_kirscf_a+1AAj
		test	edx, 2
		jz	loc_59A206
		call	loc_59A1FB

loc_59A10B:				; CODE XREF: Dr_kirscf_a+1DEp
		add	esp, 4
		call	loc_59A203

loc_59A113:				; CODE XREF: Dr_kirscf_a+1E6p
		add	esp, 4
		call	loc_59A10B

loc_59A11B:				; CODE XREF: Dr_kirscf_a+1EEp
		add	esp, 4
		call	loc_59A113

loc_59A123:				; CODE XREF: Dr_kirscf_a+1F6p
		add	esp, 4
		call	loc_59A11B

loc_59A12B:				; CODE XREF: Dr_kirscf_a+1FEp
		add	esp, 4
		call	loc_59A123

loc_59A133:				; CODE XREF: Dr_kirscf_a+206p
		add	esp, 4
		call	loc_59A12B

loc_59A13B:				; CODE XREF: Dr_kirscf_a+20Ep
		add	esp, 4
		call	loc_59A133

loc_59A143:				; CODE XREF: Dr_kirscf_a+216p
		add	esp, 4
		call	loc_59A13B

loc_59A14B:				; CODE XREF: Dr_kirscf_a+21Ep
		add	esp, 4
		call	loc_59A143

loc_59A153:				; CODE XREF: Dr_kirscf_a+226p
		add	esp, 4
		call	loc_59A14B

loc_59A15B:				; CODE XREF: Dr_kirscf_a+22Ep
		add	esp, 4
		call	loc_59A153

loc_59A163:				; CODE XREF: Dr_kirscf_a+236p
		add	esp, 4
		call	loc_59A15B

loc_59A16B:				; CODE XREF: Dr_kirscf_a+23Ep
		add	esp, 4
		call	loc_59A163

loc_59A173:				; CODE XREF: Dr_kirscf_a+246p
		add	esp, 4
		call	loc_59A16B

loc_59A17B:				; CODE XREF: Dr_kirscf_a+24Ep
		add	esp, 4
		call	loc_59A173

loc_59A183:				; CODE XREF: Dr_kirscf_a+256p
		add	esp, 4
		call	loc_59A17B

loc_59A18B:				; CODE XREF: Dr_kirscf_a+25Ep
		add	esp, 4
		call	loc_59A183

loc_59A193:				; CODE XREF: Dr_kirscf_a+266p
		add	esp, 4
		call	loc_59A18B

loc_59A19B:				; CODE XREF: Dr_kirscf_a+26Ep
		add	esp, 4
		call	loc_59A193

loc_59A1A3:				; CODE XREF: Dr_kirscf_a+276p
		add	esp, 4
		call	loc_59A19B

loc_59A1AB:				; CODE XREF: Dr_kirscf_a+27Ep
		add	esp, 4
		call	loc_59A1A3

loc_59A1B3:				; CODE XREF: Dr_kirscf_a+286p
		add	esp, 4
		call	loc_59A1AB

loc_59A1BB:				; CODE XREF: Dr_kirscf_a+28Ep
		add	esp, 4
		call	loc_59A1B3

loc_59A1C3:				; CODE XREF: Dr_kirscf_a+296p
		add	esp, 4
		call	loc_59A1BB

loc_59A1CB:				; CODE XREF: Dr_kirscf_a+29Ep
		add	esp, 4
		call	loc_59A1C3

loc_59A1D3:				; CODE XREF: Dr_kirscf_a+2A6p
		add	esp, 4
		call	loc_59A1CB

loc_59A1DB:				; CODE XREF: Dr_kirscf_a+2AEp
		add	esp, 4
		call	loc_59A1D3

loc_59A1E3:				; CODE XREF: Dr_kirscf_a+2B6p
		add	esp, 4
		call	loc_59A1DB

loc_59A1EB:				; CODE XREF: Dr_kirscf_a+2BEp
		add	esp, 4
		call	loc_59A1E3

loc_59A1F3:				; CODE XREF: Dr_kirscf_a+2C6p
		add	esp, 4
		call	loc_59A1EB

loc_59A1FB:				; CODE XREF: Dr_kirscf_a+1CEp
		add	esp, 4
		call	loc_59A1F3

loc_59A203:				; CODE XREF: Dr_kirscf_a+1D6p
		add	esp, 4

loc_59A206:				; CODE XREF: Dr_kirscf_a+1C8j
		test	edx, 80h
		jz	short loc_59A213
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59A213:				; CODE XREF: Dr_kirscf_a+2D4j
		lfence	eax

loc_59A216:				; CODE XREF: Dr_kirscf_a+139j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kirscf_a

loc_59A24D:				; CODE XREF: Dr_kirscf_a+A5j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kirscf_a

loc_59A263:				; CODE XREF: Dr_kirscf_a+Dj
					; Dr_kirscf_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		sub	dword ptr [ebp+68h], 2
		sub	esp, 50h
		mov	ecx, esp
		mov	ebx, [ebp+68h]
		mov	dword ptr [ecx], 0C0000409h
		mov	[ecx+0Ch], ebx
		xor	eax, eax
		mov	dword ptr [ecx+4], 1
		mov	[ecx+8], eax
		mov	dword ptr [ecx+10h], 1
		mov	edx, [ebp+3Ch]
		mov	[ecx+14h], edx
		test	byte ptr [ebp+72h], 2
		jnz	short loc_59A2C1
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59A2C1
		push	ebp
		push	0
		push	ecx
		push	ebp
		push	edx
		push	139h
		call	_KiBugCheck2@24	; KiBugCheck2(x,x,x,x,x,x)
		int	3		; Trap to Debugger

loc_59A2C1:				; CODE XREF: Dr_kirscf_a+370j
					; Dr_kirscf_a+376j
		test	byte ptr [ebp+71h], 2
		jz	short loc_59A2C8
		sti

loc_59A2C8:				; CODE XREF: Dr_kirscf_a+38Dj
		push	0
		push	1
		push	ebp
		push	0
		push	ecx
		call	KiDispatchException
		add	esp, 50h
		jmp	Kei386EoiHelper@0
Dr_kirscf_a	endp

; 
		align 10h

;  S U B	R O U T	I N E 


Dr_kitx_a	proc near		; CODE XREF: sub_59A621+5Aj
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59A2F3
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59A681

loc_59A2F3:				; CODE XREF: Dr_kitx_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59A681
Dr_kitx_a	endp

; 
		align 10h

;  S U B	R O U T	I N E 


V86_kitx_a	proc near		; CODE XREF: sub_59A621+44j
		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59A66B
V86_kitx_a	endp


;  S U B	R O U T	I N E 


_KiGetTickCount	proc near		; CODE XREF: _KiGetTickCountShadow+34j
					; _KiGetTickCountShadow+BDj
					; DATA XREF: ...

var_2		= word ptr -2
arg_0		= dword	ptr  4
arg_6		= byte ptr  0Ah
arg_C		= word ptr  10h

; FUNCTION CHUNK AT 0059A6C0 SIZE 0000000C BYTES

		cmp	[esp+arg_0], 1Bh
		jnz	short loc_59A3C6

loc_59A391:				; CODE XREF: _KiGetTickCount+4Cj
					; _KiGetTickCount+6Aj
		mov	eax, cs:_KeTickCount
		mul	cs:_ExpTickCountMultiplier
		shrd	eax, edx, 18h
		test	ss:_KiKvaShadow, 1
		jz	short locret_59A3C5
		test	[esp+arg_6], 2
		jnz	_KiKernelExit
		test	[esp+arg_0], 1
		jnz	_KiKernelExit

locret_59A3C5:				; CODE XREF: _KiGetTickCount+20j
		iret
; 

loc_59A3C6:				; CODE XREF: _KiGetTickCount+5j
		test	[esp+arg_6], 2
		jnz	loc_59A6C0
		test	byte ptr [esp+arg_0], 1
		jz	short loc_59A391
		cmp	eax, ebp
		jnz	loc_59A6C0
		and	eax, 0FFFFFFF0h
		cmp	eax, 0F0F0F0F0h
		jnz	loc_59A6C0
		cmp	ebp, 0F0F0F0F0h
		jz	short loc_59A391
		cmp	ebp, 0F0F0F0F1h
		jnz	loc_59A6C0
		push	0
		mov	[esp+4+var_2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59A47D
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59A47D
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59A47D
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59A47D:				; CODE XREF: _KiGetTickCount+C5j
					; _KiGetTickCount+CEj ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59A4AA
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59A4AA
		lfence	eax
		jmp	loc_59A634
; 
		dd 5B70F64h, 22DAh, 48B9h, 0FD23300h, 18AE930h
		db 2 dup(0)
; 

loc_59A4AA:				; CODE XREF: _KiGetTickCount+FAj
					; _KiGetTickCount+100j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59A4F2
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59A4F2:				; CODE XREF: _KiGetTickCount+156j
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59A518
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59A518:				; CODE XREF: _KiGetTickCount+176j
		test	edx, 2
		jz	loc_59A624
		call	sub_59A619

loc_59A529:				; CODE XREF: _KiGetTickCount+1AAp
		add	esp, 4
		call	sub_59A621

loc_59A531:				; CODE XREF: _KiGetTickCount+1B2p
		add	esp, 4
		call	loc_59A529

loc_59A539:				; CODE XREF: _KiGetTickCount+1BAp
		add	esp, 4
		call	loc_59A531

loc_59A541:				; CODE XREF: _KiGetTickCount+1C2p
		add	esp, 4
		call	loc_59A539

loc_59A549:				; CODE XREF: _KiGetTickCount+1CAp
		add	esp, 4
		call	loc_59A541

loc_59A551:				; CODE XREF: _KiGetTickCount+1D2p
		add	esp, 4
		call	loc_59A549

loc_59A559:				; CODE XREF: _KiGetTickCount+1DAp
		add	esp, 4
		call	loc_59A551

loc_59A561:				; CODE XREF: _KiGetTickCount+1E2p
		add	esp, 4
		call	loc_59A559

loc_59A569:				; CODE XREF: _KiGetTickCount+1EAp
		add	esp, 4
		call	loc_59A561

loc_59A571:				; CODE XREF: _KiGetTickCount+1F2p
		add	esp, 4
		call	loc_59A569

loc_59A579:				; CODE XREF: _KiGetTickCount+1FAp
		add	esp, 4
		call	loc_59A571

loc_59A581:				; CODE XREF: _KiGetTickCount+202p
		add	esp, 4
		call	loc_59A579

loc_59A589:				; CODE XREF: _KiGetTickCount+20Ap
		add	esp, 4
		call	loc_59A581

loc_59A591:				; CODE XREF: _KiGetTickCount+212p
		add	esp, 4
		call	loc_59A589

loc_59A599:				; CODE XREF: _KiGetTickCount+21Ap
		add	esp, 4
		call	loc_59A591

loc_59A5A1:				; CODE XREF: _KiGetTickCount+222p
		add	esp, 4
		call	loc_59A599

loc_59A5A9:				; CODE XREF: _KiGetTickCount+22Ap
		add	esp, 4
		call	loc_59A5A1

loc_59A5B1:				; CODE XREF: _KiGetTickCount+232p
		add	esp, 4
		call	loc_59A5A9

loc_59A5B9:				; CODE XREF: _KiGetTickCount+23Ap
		add	esp, 4
		call	loc_59A5B1

loc_59A5C1:				; CODE XREF: _KiGetTickCount+242p
		add	esp, 4
		call	loc_59A5B9

loc_59A5C9:				; CODE XREF: _KiGetTickCount+24Ap
		add	esp, 4
		call	loc_59A5C1

loc_59A5D1:				; CODE XREF: _KiGetTickCount+252p
		add	esp, 4
		call	loc_59A5C9

loc_59A5D9:				; CODE XREF: _KiGetTickCount+25Ap
		add	esp, 4
		call	loc_59A5D1

loc_59A5E1:				; CODE XREF: _KiGetTickCount+262p
		add	esp, 4
		call	loc_59A5D9

loc_59A5E9:				; CODE XREF: _KiGetTickCount+26Ap
		add	esp, 4
		call	loc_59A5E1

loc_59A5F1:				; CODE XREF: _KiGetTickCount+272p
		add	esp, 4
		call	loc_59A5E9

loc_59A5F9:				; CODE XREF: _KiGetTickCount+27Ap
		add	esp, 4
		call	loc_59A5F1

loc_59A601:				; CODE XREF: _KiGetTickCount+282p
		add	esp, 4
		call	loc_59A5F9

loc_59A609:				; CODE XREF: _KiGetTickCount+28Ap
		add	esp, 4
		call	loc_59A601

loc_59A611:				; CODE XREF: sub_59A619+3p
		add	esp, 4
		call	loc_59A609
_KiGetTickCount	endp


;  S U B	R O U T	I N E 


sub_59A619	proc near		; CODE XREF: _KiGetTickCount+19Ap
		add	esp, 4
		call	loc_59A611
sub_59A619	endp


;  S U B	R O U T	I N E 


sub_59A621	proc near		; CODE XREF: _KiGetTickCount+1A2p
		add	esp, 4

loc_59A624:				; CODE XREF: _KiGetTickCount+194j
		test	edx, 80h
		jz	short loc_59A631
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59A631:				; CODE XREF: sub_59A621+9j
		lfence	eax

loc_59A634:				; CODE XREF: _KiGetTickCount+105j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kitx_a

loc_59A66B:				; CODE XREF: V86_kitx_a+25j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kitx_a

loc_59A681:				; CODE XREF: Dr_kitx_a+Dj
					; Dr_kitx_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		sti
		xor	eax, eax
		mov	ebx, [ebp+5Ch]
		mov	ecx, [ebp+3Ch]
		mov	edx, [ebp+38h]
		push	eax
		push	eax
		push	eax
		push	edx
		push	ecx
		push	ebx
		call	_NtSetLdtEntries@24 ; NtSetLdtEntries(x,x,x,x,x,x)
		mov	[ebp+40h], eax
		and	dword ptr [ebp+70h], 0FFFFFFFEh
		cmp	eax, 0
		jz	short loc_59A6BB
		or	dword ptr [ebp+70h], 1

loc_59A6BB:				; CODE XREF: sub_59A621+94j
		jmp	Kei386EoiHelper@0
sub_59A621	endp

; 
; START	OF FUNCTION CHUNK FOR _KiGetTickCount

loc_59A6C0:				; CODE XREF: _KiGetTickCount+41j
					; _KiGetTickCount+50j ...
		sub	[esp-10h+arg_C], 2
		push	0
		jmp	_KiTrap0D
; END OF FUNCTION CHUNK	FOR _KiGetTickCount

;  S U B	R O U T	I N E 


Dr_kcb_a	proc near		; CODE XREF: sub_59A968+38j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59A6DF
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59A9A6

loc_59A6DF:				; CODE XREF: Dr_kcb_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59A9A6
Dr_kcb_a	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiCallbackReturn proc near		; CODE XREF: _KiCallbackReturnShadow+34j
					; _KiCallbackReturnShadow+BDj
					; DATA XREF: ...
		push	0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		mov	esi, large fs:124h
		push	large dword ptr	fs:0
		mov	ebx, ds:_KiI386ExceptionChainTerminator
		mov	large fs:0, ebx
		sub	esp, 4Ch
		mov	ebp, esp
		movzx	ebx, byte ptr [esi+15Ah]
		mov	[ebp+44h], bl
		mov	ebx, [ebp+6Ch]
		and	ebx, 1
		mov	[esi+15Ah], bl
		mov	[ebp+3Ch], ecx
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59A7C7
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59A7C7
		mov	ecx, large fs:5018h
		mov	[ebp+50h], ecx

loc_59A7C7:				; CODE XREF: _KiCallbackReturn+65j
					; _KiCallbackReturn+6Bj
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59A7EB
		lfence	eax
		jmp	loc_59A981
; 
		db 64h,	0Fh, 0B7h
		dd 22DA05h, 48B900h, 0D2330000h, 96E9300Fh
		db 1, 2	dup(0)
; 

loc_59A7EB:				; CODE XREF: _KiCallbackReturn+7Bj
		mov	[ebp+40h], eax
		mov	[ebp+38h], edx
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59A839
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59A839:				; CODE XREF: _KiCallbackReturn+D7j
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59A85F
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59A85F:				; CODE XREF: _KiCallbackReturn+F7j
		test	edx, 2
		jz	loc_59A96B
		call	sub_59A960

loc_59A870:				; CODE XREF: _KiCallbackReturn+12Bp
		add	esp, 4
		call	sub_59A968

loc_59A878:				; CODE XREF: _KiCallbackReturn+133p
		add	esp, 4
		call	loc_59A870

loc_59A880:				; CODE XREF: _KiCallbackReturn+13Bp
		add	esp, 4
		call	loc_59A878

loc_59A888:				; CODE XREF: _KiCallbackReturn+143p
		add	esp, 4
		call	loc_59A880

loc_59A890:				; CODE XREF: _KiCallbackReturn+14Bp
		add	esp, 4
		call	loc_59A888

loc_59A898:				; CODE XREF: _KiCallbackReturn+153p
		add	esp, 4
		call	loc_59A890

loc_59A8A0:				; CODE XREF: _KiCallbackReturn+15Bp
		add	esp, 4
		call	loc_59A898

loc_59A8A8:				; CODE XREF: _KiCallbackReturn+163p
		add	esp, 4
		call	loc_59A8A0

loc_59A8B0:				; CODE XREF: _KiCallbackReturn+16Bp
		add	esp, 4
		call	loc_59A8A8

loc_59A8B8:				; CODE XREF: _KiCallbackReturn+173p
		add	esp, 4
		call	loc_59A8B0

loc_59A8C0:				; CODE XREF: _KiCallbackReturn+17Bp
		add	esp, 4
		call	loc_59A8B8

loc_59A8C8:				; CODE XREF: _KiCallbackReturn+183p
		add	esp, 4
		call	loc_59A8C0

loc_59A8D0:				; CODE XREF: _KiCallbackReturn+18Bp
		add	esp, 4
		call	loc_59A8C8

loc_59A8D8:				; CODE XREF: _KiCallbackReturn+193p
		add	esp, 4
		call	loc_59A8D0

loc_59A8E0:				; CODE XREF: _KiCallbackReturn+19Bp
		add	esp, 4
		call	loc_59A8D8

loc_59A8E8:				; CODE XREF: _KiCallbackReturn+1A3p
		add	esp, 4
		call	loc_59A8E0

loc_59A8F0:				; CODE XREF: _KiCallbackReturn+1ABp
		add	esp, 4
		call	loc_59A8E8

loc_59A8F8:				; CODE XREF: _KiCallbackReturn+1B3p
		add	esp, 4
		call	loc_59A8F0

loc_59A900:				; CODE XREF: _KiCallbackReturn+1BBp
		add	esp, 4
		call	loc_59A8F8

loc_59A908:				; CODE XREF: _KiCallbackReturn+1C3p
		add	esp, 4
		call	loc_59A900

loc_59A910:				; CODE XREF: _KiCallbackReturn+1CBp
		add	esp, 4
		call	loc_59A908

loc_59A918:				; CODE XREF: _KiCallbackReturn+1D3p
		add	esp, 4
		call	loc_59A910

loc_59A920:				; CODE XREF: _KiCallbackReturn+1DBp
		add	esp, 4
		call	loc_59A918

loc_59A928:				; CODE XREF: _KiCallbackReturn+1E3p
		add	esp, 4
		call	loc_59A920

loc_59A930:				; CODE XREF: _KiCallbackReturn+1EBp
		add	esp, 4
		call	loc_59A928

loc_59A938:				; CODE XREF: _KiCallbackReturn+1F3p
		add	esp, 4
		call	loc_59A930

loc_59A940:				; CODE XREF: _KiCallbackReturn+1FBp
		add	esp, 4
		call	loc_59A938

loc_59A948:				; CODE XREF: _KiCallbackReturn+203p
		add	esp, 4
		call	loc_59A940

loc_59A950:				; CODE XREF: _KiCallbackReturn+20Bp
		add	esp, 4
		call	loc_59A948

loc_59A958:				; CODE XREF: sub_59A960+3p
		add	esp, 4
		call	loc_59A950
_KiCallbackReturn endp


;  S U B	R O U T	I N E 


sub_59A960	proc near		; CODE XREF: _KiCallbackReturn+11Bp
		add	esp, 4
		call	loc_59A958
sub_59A960	endp


;  S U B	R O U T	I N E 


sub_59A968	proc near		; CODE XREF: _KiCallbackReturn+123p
		add	esp, 4

loc_59A96B:				; CODE XREF: _KiCallbackReturn+115j
		test	edx, 80h
		jz	short loc_59A978
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59A978:				; CODE XREF: sub_59A968+9j
		lfence	eax
		mov	eax, [ebp+40h]
		mov	edx, [ebp+38h]

loc_59A981:				; CODE XREF: _KiCallbackReturn+80j
		mov	ebx, gs
		mov	[ebp+2Ch], ebx
		xor	ebx, ebx
		mov	gs, bx
		assume gs:nothing
		mov	ebx, [esi+6Ch]
		mov	[ebp+38h], ebx
		mov	byte ptr [ebp+0Fh], 2
		and	dword ptr [ebp+28h], 0
		test	byte ptr [esi+3], 0DFh
		mov	[esi+6Ch], ebp
		cld
		jnz	Dr_kcb_a

loc_59A9A6:				; CODE XREF: Dr_kcb_a+Dj Dr_kcb_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		sti
		mov	ecx, [ebp+3Ch]
		push	eax
		push	edx
		push	ecx
		call	_NtCallbackReturn@12 ; NtCallbackReturn(x,x,x)
		jmp	_KiSystemServicePostCall@0 ; KiSystemServicePostCall()
sub_59A968	endp

; 
		align 4

;  S U B	R O U T	I N E 


Dr_kira_a	proc near		; CODE XREF: V86_kira_a+2A5j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59A9DF
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59ACF7

loc_59A9DF:				; CODE XREF: Dr_kira_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59ACF7
Dr_kira_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


V86_kira_a	proc near		; CODE XREF: V86_kira_a+28Fj

var_D0		= dword	ptr -0D0h
var_2		= word ptr -2

		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59ACE1
; 
		align 4

_KiRaiseAssertion:			; CODE XREF: _KiRaiseAssertionShadow+34j
					; _KiRaiseAssertionShadow+BDj
					; DATA XREF: ...
		push	0
		mov	[esp+4+var_2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59AAF3
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59AAF3
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59AAF3
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59AAF3:				; CODE XREF: V86_kira_a+79j
					; V86_kira_a+82j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59AB20
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59AB20
		lfence	eax
		jmp	loc_59ACAA
; 
		dw 0F64h
		dd 22DA05B7h, 48B90000h, 33000000h, 0E9300FD2h,	18Ah
; 

loc_59AB20:				; CODE XREF: V86_kira_a+AEj
					; V86_kira_a+B4j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59AB68
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59AB68:				; CODE XREF: V86_kira_a+10Aj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59AB8E
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59AB8E:				; CODE XREF: V86_kira_a+12Aj
		test	edx, 2
		jz	loc_59AC9A
		call	loc_59AC8F

loc_59AB9F:				; CODE XREF: V86_kira_a+15Ep
		add	esp, 4
		call	loc_59AC97

loc_59ABA7:				; CODE XREF: V86_kira_a+166p
		add	esp, 4
		call	loc_59AB9F

loc_59ABAF:				; CODE XREF: V86_kira_a+16Ep
		add	esp, 4
		call	loc_59ABA7

loc_59ABB7:				; CODE XREF: V86_kira_a+176p
		add	esp, 4
		call	loc_59ABAF

loc_59ABBF:				; CODE XREF: V86_kira_a+17Ep
		add	esp, 4
		call	loc_59ABB7

loc_59ABC7:				; CODE XREF: V86_kira_a+186p
		add	esp, 4
		call	loc_59ABBF

loc_59ABCF:				; CODE XREF: V86_kira_a+18Ep
		add	esp, 4
		call	loc_59ABC7

loc_59ABD7:				; CODE XREF: V86_kira_a+196p
		add	esp, 4
		call	loc_59ABCF

loc_59ABDF:				; CODE XREF: V86_kira_a+19Ep
		add	esp, 4
		call	loc_59ABD7

loc_59ABE7:				; CODE XREF: V86_kira_a+1A6p
		add	esp, 4
		call	loc_59ABDF

loc_59ABEF:				; CODE XREF: V86_kira_a+1AEp
		add	esp, 4
		call	loc_59ABE7

loc_59ABF7:				; CODE XREF: V86_kira_a+1B6p
		add	esp, 4
		call	loc_59ABEF

loc_59ABFF:				; CODE XREF: V86_kira_a+1BEp
		add	esp, 4
		call	loc_59ABF7

loc_59AC07:				; CODE XREF: V86_kira_a+1C6p
		add	esp, 4
		call	loc_59ABFF

loc_59AC0F:				; CODE XREF: V86_kira_a+1CEp
		add	esp, 4
		call	loc_59AC07

loc_59AC17:				; CODE XREF: V86_kira_a+1D6p
		add	esp, 4
		call	loc_59AC0F

loc_59AC1F:				; CODE XREF: V86_kira_a+1DEp
		add	esp, 4
		call	loc_59AC17

loc_59AC27:				; CODE XREF: V86_kira_a+1E6p
		add	esp, 4
		call	loc_59AC1F

loc_59AC2F:				; CODE XREF: V86_kira_a+1EEp
		add	esp, 4
		call	loc_59AC27

loc_59AC37:				; CODE XREF: V86_kira_a+1F6p
		add	esp, 4
		call	loc_59AC2F

loc_59AC3F:				; CODE XREF: V86_kira_a+1FEp
		add	esp, 4
		call	loc_59AC37

loc_59AC47:				; CODE XREF: V86_kira_a+206p
		add	esp, 4
		call	loc_59AC3F

loc_59AC4F:				; CODE XREF: V86_kira_a+20Ep
		add	esp, 4
		call	loc_59AC47

loc_59AC57:				; CODE XREF: V86_kira_a+216p
		add	esp, 4
		call	loc_59AC4F

loc_59AC5F:				; CODE XREF: V86_kira_a+21Ep
		add	esp, 4
		call	loc_59AC57

loc_59AC67:				; CODE XREF: V86_kira_a+226p
		add	esp, 4
		call	loc_59AC5F

loc_59AC6F:				; CODE XREF: V86_kira_a+22Ep
		add	esp, 4
		call	loc_59AC67

loc_59AC77:				; CODE XREF: V86_kira_a+236p
		add	esp, 4
		call	loc_59AC6F

loc_59AC7F:				; CODE XREF: V86_kira_a+23Ep
		add	esp, 4
		call	loc_59AC77

loc_59AC87:				; CODE XREF: V86_kira_a+246p
		add	esp, 4
		call	loc_59AC7F

loc_59AC8F:				; CODE XREF: V86_kira_a+14Ep
		add	esp, 4
		call	loc_59AC87

loc_59AC97:				; CODE XREF: V86_kira_a+156p
		add	esp, 4

loc_59AC9A:				; CODE XREF: V86_kira_a+148j
		test	edx, 80h
		jz	short loc_59ACA7
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59ACA7:				; CODE XREF: V86_kira_a+254j
		lfence	eax

loc_59ACAA:				; CODE XREF: V86_kira_a+B9j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kira_a

loc_59ACE1:				; CODE XREF: V86_kira_a+25j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kira_a

loc_59ACF7:				; CODE XREF: Dr_kira_a+Dj
					; Dr_kira_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		test	byte ptr [ebp+71h], 2
		jz	short loc_59AD11
		sti

loc_59AD11:				; CODE XREF: V86_kira_a+2C2j
		sub	dword ptr [ebp+68h], 2
		mov	ebx, [ebp+68h]
		mov	eax, 0C0000420h
		xor	ecx, ecx
		mov	edi, esp
		call	KiDispatchTrapException
		int	3		; Trap to Debugger
		nop

Dr_kui_a:				; CODE XREF: V86_kira_a+6D7j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59AD3B
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59B129

loc_59AD3B:				; CODE XREF: V86_kira_a+2E3j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59B129
; 
		align 4

V86_kui_a:				; CODE XREF: V86_kira_a+3A0j
		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	short loc_59AE01
; 

_KiUnexpectedInterruptTail:		; CODE XREF: _KiUnexpectedInterrupt0+5j
					; _KiUnexpectedInterrupt1+5j ...
		push	ebp
		push	ebx
		push	esi
		push	edi
		sub	esp, 54h
		mov	ebp, esp
		mov	[ebp+40h], eax
		mov	[ebp+3Ch], ecx
		mov	[ebp+38h], edx
		mov	byte ptr [ebp+0Fh], 0
		test	dword ptr [ebp+70h], 20000h
		jnz	short V86_kui_a
		cmp	word ptr [ebp+6Ch], 8
		jz	short loc_59AE11
		mov	word ptr [ebp+50h], fs
		mov	word ptr [ebp+34h], ds
		mov	word ptr [ebp+30h], es
		mov	[ebp+2Ch], gs

loc_59AE01:				; CODE XREF: V86_kira_a+381j
		mov	ebx, 30h
		mov	eax, 23h
		mov	fs, bx
		mov	ds, ax
		mov	es, ax

loc_59AE11:				; CODE XREF: V86_kira_a+3A7j
		lfence	eax
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		mov	ebx, large fs:0
		mov	ecx, ds:_KiI386ExceptionChainTerminator
		mov	large fs:0, ecx
		mov	[ebp+4Ch], ebx
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59AE97
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59AE97
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59AE97
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59AE97:				; CODE XREF: V86_kira_a+41Dj
					; V86_kira_a+426j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59AED0
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59AED0
		test	large word ptr fs:22D8h, 1
		jnz	short loc_59AEBA
		lfence	eax
		jmp	loc_59B05A
; 

loc_59AEBA:				; CODE XREF: V86_kira_a+464j
		movzx	eax, large word	ptr fs:22DAh
		mov	ecx, 48h
		xor	edx, edx
		wrmsr
		jmp	loc_59B05A
; 

loc_59AED0:				; CODE XREF: V86_kira_a+452j
					; V86_kira_a+458j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59AF18
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59AF18:				; CODE XREF: V86_kira_a+4BAj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59AF3E
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59AF3E:				; CODE XREF: V86_kira_a+4DAj
		test	edx, 2
		jz	loc_59B04A
		call	loc_59B03F

loc_59AF4F:				; CODE XREF: V86_kira_a+50Ep
		add	esp, 4
		call	loc_59B047

loc_59AF57:				; CODE XREF: V86_kira_a+516p
		add	esp, 4
		call	loc_59AF4F

loc_59AF5F:				; CODE XREF: V86_kira_a+51Ep
		add	esp, 4
		call	loc_59AF57

loc_59AF67:				; CODE XREF: V86_kira_a+526p
		add	esp, 4
		call	loc_59AF5F

loc_59AF6F:				; CODE XREF: V86_kira_a+52Ep
		add	esp, 4
		call	loc_59AF67

loc_59AF77:				; CODE XREF: V86_kira_a+536p
		add	esp, 4
		call	loc_59AF6F

loc_59AF7F:				; CODE XREF: V86_kira_a+53Ep
		add	esp, 4
		call	loc_59AF77

loc_59AF87:				; CODE XREF: V86_kira_a+546p
		add	esp, 4
		call	loc_59AF7F

loc_59AF8F:				; CODE XREF: V86_kira_a+54Ep
		add	esp, 4
		call	loc_59AF87

loc_59AF97:				; CODE XREF: V86_kira_a+556p
		add	esp, 4
		call	loc_59AF8F

loc_59AF9F:				; CODE XREF: V86_kira_a+55Ep
		add	esp, 4
		call	loc_59AF97

loc_59AFA7:				; CODE XREF: V86_kira_a+566p
		add	esp, 4
		call	loc_59AF9F

loc_59AFAF:				; CODE XREF: V86_kira_a+56Ep
		add	esp, 4
		call	loc_59AFA7

loc_59AFB7:				; CODE XREF: V86_kira_a+576p
		add	esp, 4
		call	loc_59AFAF

loc_59AFBF:				; CODE XREF: V86_kira_a+57Ep
		add	esp, 4
		call	loc_59AFB7

loc_59AFC7:				; CODE XREF: V86_kira_a+586p
		add	esp, 4
		call	loc_59AFBF

loc_59AFCF:				; CODE XREF: V86_kira_a+58Ep
		add	esp, 4
		call	loc_59AFC7

loc_59AFD7:				; CODE XREF: V86_kira_a+596p
		add	esp, 4
		call	loc_59AFCF

loc_59AFDF:				; CODE XREF: V86_kira_a+59Ep
		add	esp, 4
		call	loc_59AFD7

loc_59AFE7:				; CODE XREF: V86_kira_a+5A6p
		add	esp, 4
		call	loc_59AFDF

loc_59AFEF:				; CODE XREF: V86_kira_a+5AEp
		add	esp, 4
		call	loc_59AFE7

loc_59AFF7:				; CODE XREF: V86_kira_a+5B6p
		add	esp, 4
		call	loc_59AFEF

loc_59AFFF:				; CODE XREF: V86_kira_a+5BEp
		add	esp, 4
		call	loc_59AFF7

loc_59B007:				; CODE XREF: V86_kira_a+5C6p
		add	esp, 4
		call	loc_59AFFF

loc_59B00F:				; CODE XREF: V86_kira_a+5CEp
		add	esp, 4
		call	loc_59B007

loc_59B017:				; CODE XREF: V86_kira_a+5D6p
		add	esp, 4
		call	loc_59B00F

loc_59B01F:				; CODE XREF: V86_kira_a+5DEp
		add	esp, 4
		call	loc_59B017

loc_59B027:				; CODE XREF: V86_kira_a+5E6p
		add	esp, 4
		call	loc_59B01F

loc_59B02F:				; CODE XREF: V86_kira_a+5EEp
		add	esp, 4
		call	loc_59B027

loc_59B037:				; CODE XREF: V86_kira_a+5F6p
		add	esp, 4
		call	loc_59B02F

loc_59B03F:				; CODE XREF: V86_kira_a+4FEp
		add	esp, 4
		call	loc_59B037

loc_59B047:				; CODE XREF: V86_kira_a+506p
		add	esp, 4

loc_59B04A:				; CODE XREF: V86_kira_a+4F8j
		test	edx, 80h
		jz	short loc_59B057
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59B057:				; CODE XREF: V86_kira_a+604j
		lfence	eax

loc_59B05A:				; CODE XREF: V86_kira_a+469j
					; V86_kira_a+47Fj
		lea	eax, [ebp+64h]
		lea	ecx, [ebp+68h]
		mov	ebx, ss:[eax]
		mov	ss:[eax], ecx
		mov	dword ptr [ebp+64h], 0
		cld
		mov	byte ptr [ebp+45h], 0
		mov	edi, large fs:20h
		inc	byte ptr [edi+11h]
		cmp	byte ptr [edi+11h], 1
		jnz	loc_59B117
		rdtsc
		push	edx
		mov	esi, [edi+4174h]
		mov	edx, esi
		and	esi, 7FFh
		shr	esi, 5
		mov	ecx, [edi+esi*4+4178h]
		ror	ecx, 5
		xor	ecx, eax
		mov	[edi+esi*4+4178h], ecx
		add	edx, 1
		mov	[edi+4174h], edx
		and	edx, 3FFh
		jnz	short loc_59B0C2
		mov	byte ptr [ebp+45h], 1

loc_59B0C2:				; CODE XREF: V86_kira_a+670j
		pop	edx
		mov	ecx, [edi+4]
		sub	eax, [edi+3B40h]
		sbb	edx, [edi+3B44h]
		mov	esi, [ecx+30h]
		add	esi, eax
		adc	[ecx+38h], edx
		add	[ecx+30h], eax
		adc	[ecx+34h], edx
		add	[edi+3B40h], eax
		adc	[edi+3B44h], edx
		test	edx, edx
		jnz	short loc_59B0F7
		mov	esi, [ecx+40h]
		add	esi, eax
		jnb	short loc_59B0FC

loc_59B0F7:				; CODE XREF: V86_kira_a+6A2j
		mov	esi, 0FFFFFFFFh

loc_59B0FC:				; CODE XREF: V86_kira_a+6A9j
		mov	[ecx+40h], esi
		xor	esi, esi
		test	byte ptr [ecx+2], 3Eh
		jz	short loc_59B11A
		mov	esi, 1
		push	edx
		push	eax
		mov	edx, ecx
		mov	ecx, edi
		call	KiEndThreadAccountingPeriod

loc_59B117:				; CODE XREF: V86_kira_a+634j
		mov	ecx, [edi+4]

loc_59B11A:				; CODE XREF: V86_kira_a+6B9j
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		push	ebx
		jnz	Dr_kui_a

loc_59B129:				; CODE XREF: V86_kira_a+2E9j
					; V86_kira_a+355j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		inc	large dword ptr	fs:5C0h
		mov	ebx, [esp+0D0h+var_D0]
		sub	esp, 4
		mov	eax, ebx
		shl	eax, 2
		mov	edi, fs:[eax+4300h]
		or	edi, edi
		jz	loc_59B25D
		call	dword ptr [edi+28h]
		or	al, al
		jz	loc_59B1F1

loc_59B168:				; CODE XREF: V86_kira_a+839j
		mov	ebx, edi
		cmp	byte ptr [ebp+45h], 0
		jz	short loc_59B17C
		mov	ecx, large fs:20h
		call	@KiEntropyQueueDpc@4 ; KiEntropyQueueDpc(x)

loc_59B17C:				; CODE XREF: V86_kira_a+722j
		cli
		mov	ecx, large fs:1Ch
		cmp	byte ptr [ecx+131h], 1
		jg	short loc_59B1DE
		rdtsc
		sub	eax, [ecx+3C60h]
		sbb	edx, [ecx+3C64h]
		mov	edi, [ecx+3C88h]
		add	edi, eax
		adc	[ecx+3CB0h], edx
		add	[ecx+3C88h], eax
		adc	[ecx+3C8Ch], edx
		add	[ecx+3C60h], eax
		adc	[ecx+3C64h], edx
		mov	edi, [ecx+124h]
		test	byte ptr [edi+2], 72h
		jz	short loc_59B1DE
		push	edx
		push	eax
		xor	edx, edx
		lea	ecx, [ecx+120h]
		call	KiBeginThreadAccountingPeriod
		jmp	short loc_59B1E4
; 

loc_59B1DE:				; CODE XREF: V86_kira_a+73Fj
					; V86_kira_a+77Fj
		dec	byte ptr [ecx+131h]

loc_59B1E4:				; CODE XREF: V86_kira_a+790j
		push	ebp
		push	ebx
		call	ds:__imp__HalEndSystemInterrupt@16 ; HalEndSystemInterrupt(x,x,x,x)
		jmp	Kei386EoiHelper@0
; 

loc_59B1F1:				; CODE XREF: V86_kira_a+716j
					; V86_kira_a+81Dj
		add	esp, 8
		mov	ecx, large fs:1Ch
		cmp	byte ptr [ecx+131h], 1
		jg	short loc_59B255
		rdtsc
		sub	eax, [ecx+3C60h]
		sbb	edx, [ecx+3C64h]
		mov	edi, [ecx+3C88h]
		add	edi, eax
		adc	[ecx+3CB0h], edx
		add	[ecx+3C88h], eax
		adc	[ecx+3C8Ch], edx
		add	[ecx+3C60h], eax
		adc	[ecx+3C64h], edx
		mov	edi, [ecx+124h]
		test	byte ptr [edi+2], 72h
		jz	short loc_59B255
		push	edx
		push	eax
		xor	edx, edx
		lea	ecx, [ecx+120h]
		call	KiBeginThreadAccountingPeriod
		jmp	short loc_59B25B
; 

loc_59B255:				; CODE XREF: V86_kira_a+7B6j
					; V86_kira_a+7F6j
		dec	byte ptr [ecx+131h]

loc_59B25B:				; CODE XREF: V86_kira_a+807j
		jmp	short Kei386EoiHelper@0
; 

loc_59B25D:				; CODE XREF: V86_kira_a+70Bj
		push	esp
		push	ebx
		push	1Fh
		call	ds:__imp__HalBeginSystemInterrupt@12 ; HalBeginSystemInterrupt(x,x,x)
		or	al, al
		jz	short loc_59B1F1
		test	dword ptr ds:byte_70EFC4, 4000h
		jz	short loc_59B27E
		mov	ecx, ebx
		call	@PerfInfoLogUnexpectedInterrupt@4 ; PerfInfoLogUnexpectedInterrupt(x)

loc_59B27E:				; CODE XREF: V86_kira_a+829j
		cmp	ds:_KiBugCheckUnexpectedInterrupts, 0
		jz	loc_59B168
		push	0		; int
		push	0		; int
		push	0		; int
		push	ebx		; int
		push	1		; int
		push	12h		; int
		call	_KeBugCheck2@24	; KeBugCheck2(x,x,x,x,x,x)
		nop
V86_kira_a	endp

; Exported entry 173. Kei386EoiHelper

;  S U B	R O U T	I N E 


		public Kei386EoiHelper@0
Kei386EoiHelper@0 proc near		; CODE XREF: Dr_kirscf_a+3A0j
					; sub_59A621:loc_59A6BBj ...

arg_60		= dword	ptr  64h

; FUNCTION CHUNK AT 0059B544 SIZE 00000079 BYTES

		cli
		test	byte ptr [ebp+72h], 2
		jnz	short loc_59B2A9
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59B2EC

loc_59B2A9:				; CODE XREF: Kei386EoiHelper@0+5j
					; Kei386EoiHelper@0+4Ej
		mov	ebx, large fs:124h
		test	byte ptr [ebx+2], 1
		jz	short loc_59B2BC
		push	ebx
		call	_KiCopyCounters@4 ; KiCopyCounters(x)

loc_59B2BC:				; CODE XREF: Kei386EoiHelper@0+18j
		mov	byte ptr [ebx+56h], 0
		test	byte ptr [ebx+86h], 3
		jz	short loc_59B2EC
		mov	ebx, ebp
		mov	ecx, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	eax
		sti
		push	ebx
		push	0
		push	1
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cli
		jmp	short loc_59B2A9
; 

loc_59B2EC:				; CODE XREF: Kei386EoiHelper@0+Bj
					; Kei386EoiHelper@0+2Bj
		mov	edx, [ebp+4Ch]
		ldmxcsr	dword ptr [ebp+48h]
		mov	large fs:0, edx
		test	dword ptr [ebp+28h], 0FFFF23FFh
		jnz	loc_59B544

loc_59B307:				; CODE XREF: Kei386EoiHelper@0+2B8j
					; Kei386EoiHelper@0+2E7j
		test	dword ptr [ebp+70h], 20000h
		jnz	loc_59B5C0
		mov	edi, esp
		movaps	xmm0, oword ptr	[edi]
		movaps	xmm1, oword ptr	[edi+10h]
		movaps	xmm2, oword ptr	[edi+20h]
		movaps	xmm3, oword ptr	[edi+30h]
		movaps	xmm4, oword ptr	[edi+40h]
		movaps	xmm5, oword ptr	[edi+50h]
		movaps	xmm6, oword ptr	[edi+60h]
		movaps	xmm7, oword ptr	[edi+70h]
		test	word ptr [ebp+6Ch], 0FFF9h
		jz	loc_59B588
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59B4AE
		movzx	eax, large word	ptr fs:22E0h
		cmp	large fs:22DAh,	ax
		jz	short loc_59B36D
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59B36D:				; CODE XREF: Kei386EoiHelper@0+BFj
		btr	large word ptr fs:22D8h, 2
		jnb	short loc_59B387
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr

loc_59B387:				; CODE XREF: Kei386EoiHelper@0+DBj
		btr	large word ptr fs:22D8h, 4
		jnb	loc_59B497
		call	sub_59B48C

loc_59B39C:				; CODE XREF: Kei386EoiHelper@0+10Bp
		add	esp, 4
		call	sub_59B494

loc_59B3A4:				; CODE XREF: Kei386EoiHelper@0+113p
		add	esp, 4
		call	loc_59B39C

loc_59B3AC:				; CODE XREF: Kei386EoiHelper@0+11Bp
		add	esp, 4
		call	loc_59B3A4

loc_59B3B4:				; CODE XREF: Kei386EoiHelper@0+123p
		add	esp, 4
		call	loc_59B3AC

loc_59B3BC:				; CODE XREF: Kei386EoiHelper@0+12Bp
		add	esp, 4
		call	loc_59B3B4

loc_59B3C4:				; CODE XREF: Kei386EoiHelper@0+133p
		add	esp, 4
		call	loc_59B3BC

loc_59B3CC:				; CODE XREF: Kei386EoiHelper@0+13Bp
		add	esp, 4
		call	loc_59B3C4

loc_59B3D4:				; CODE XREF: Kei386EoiHelper@0+143p
		add	esp, 4
		call	loc_59B3CC

loc_59B3DC:				; CODE XREF: Kei386EoiHelper@0+14Bp
		add	esp, 4
		call	loc_59B3D4

loc_59B3E4:				; CODE XREF: Kei386EoiHelper@0+153p
		add	esp, 4
		call	loc_59B3DC

loc_59B3EC:				; CODE XREF: Kei386EoiHelper@0+15Bp
		add	esp, 4
		call	loc_59B3E4

loc_59B3F4:				; CODE XREF: Kei386EoiHelper@0+163p
		add	esp, 4
		call	loc_59B3EC

loc_59B3FC:				; CODE XREF: Kei386EoiHelper@0+16Bp
		add	esp, 4
		call	loc_59B3F4

loc_59B404:				; CODE XREF: Kei386EoiHelper@0+173p
		add	esp, 4
		call	loc_59B3FC

loc_59B40C:				; CODE XREF: Kei386EoiHelper@0+17Bp
		add	esp, 4
		call	loc_59B404

loc_59B414:				; CODE XREF: Kei386EoiHelper@0+183p
		add	esp, 4
		call	loc_59B40C

loc_59B41C:				; CODE XREF: Kei386EoiHelper@0+18Bp
		add	esp, 4
		call	loc_59B414

loc_59B424:				; CODE XREF: Kei386EoiHelper@0+193p
		add	esp, 4
		call	loc_59B41C

loc_59B42C:				; CODE XREF: Kei386EoiHelper@0+19Bp
		add	esp, 4
		call	loc_59B424

loc_59B434:				; CODE XREF: Kei386EoiHelper@0+1A3p
		add	esp, 4
		call	loc_59B42C

loc_59B43C:				; CODE XREF: Kei386EoiHelper@0+1ABp
		add	esp, 4
		call	loc_59B434

loc_59B444:				; CODE XREF: Kei386EoiHelper@0+1B3p
		add	esp, 4
		call	loc_59B43C

loc_59B44C:				; CODE XREF: Kei386EoiHelper@0+1BBp
		add	esp, 4
		call	loc_59B444

loc_59B454:				; CODE XREF: Kei386EoiHelper@0+1C3p
		add	esp, 4
		call	loc_59B44C

loc_59B45C:				; CODE XREF: Kei386EoiHelper@0+1CBp
		add	esp, 4
		call	loc_59B454

loc_59B464:				; CODE XREF: Kei386EoiHelper@0+1D3p
		add	esp, 4
		call	loc_59B45C

loc_59B46C:				; CODE XREF: Kei386EoiHelper@0+1DBp
		add	esp, 4
		call	loc_59B464

loc_59B474:				; CODE XREF: Kei386EoiHelper@0+1E3p
		add	esp, 4
		call	loc_59B46C

loc_59B47C:				; CODE XREF: Kei386EoiHelper@0+1EBp
		add	esp, 4
		call	loc_59B474

loc_59B484:				; CODE XREF: sub_59B48C+3p
		add	esp, 4
		call	loc_59B47C
Kei386EoiHelper@0 endp


;  S U B	R O U T	I N E 


sub_59B48C	proc near		; CODE XREF: Kei386EoiHelper@0+FBp
		add	esp, 4
		call	loc_59B484
sub_59B48C	endp


;  S U B	R O U T	I N E 


sub_59B494	proc near		; CODE XREF: Kei386EoiHelper@0+103p

arg_68		= word ptr  6Ch
arg_6C		= dword	ptr  70h

		add	esp, 4

loc_59B497:				; CODE XREF: Kei386EoiHelper@0+F5j
		test	large word ptr fs:22D8h, 20h
		jz	short loc_59B4AE
		xor	eax, eax
		xor	edx, edx
		mov	ecx, 1
		div	ecx

loc_59B4AE:				; CODE XREF: Kei386EoiHelper@0+A9j
					; sub_59B494+Dj
		mov	edx, [ebp+38h]
		mov	ecx, [ebp+3Ch]
		mov	eax, [ebp+40h]
		cmp	word ptr [ebp+6Ch], 8
		jz	short loc_59B513
		lea	esp, [ebp+2Ch]
		pop	gs
		assume gs:nothing
		test	ss:_KiKvaShadow, 1
		jz	short loc_59B4F8
		mov	ebx, [ebp+50h]
		mov	large dword ptr	fs:5020h, 1
		mov	esi, [ebp+30h]
		mov	edi, [ebp+34h]
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	edi
		mov	large fs:5018h,	ebx
		jmp	short loc_59B513
; 

loc_59B4F8:				; CODE XREF: sub_59B494+37j
		test	large word ptr fs:22D8h, 40h
		jz	short loc_59B50C
		verw	large word ptr fs:5028h

loc_59B50C:				; CODE XREF: sub_59B494+6Ej
		pop	es
		assume es:nothing
		pop	ds
		assume ds:_data
		lea	esp, [ebp+50h]
		pop	fs
		assume fs:nothing

loc_59B513:				; CODE XREF: sub_59B494+28j
					; sub_59B494+62j
		lea	esp, [ebp+54h]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		add	esp, 4
		test	ss:_KiKvaShadow, 1
		jz	short locret_59B541
		test	[esp-68h+arg_6C], 20000h
		jnz	_KiKernelExit
		cmp	[esp-68h+arg_68], 8
		jnz	_KiKernelExit

locret_59B541:				; CODE XREF: sub_59B494+91j
		iret
sub_59B494	endp ; sp =  68h

; 
		align 4
; START	OF FUNCTION CHUNK FOR Kei386EoiHelper@0

loc_59B544:				; CODE XREF: Kei386EoiHelper@0+65j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59B55A
		test	dword ptr [ebp+6Ch], 1
		jz	loc_59B307

loc_59B55A:				; CODE XREF: Kei386EoiHelper@0+2AFj
		xor	ebx, ebx
		mov	esi, [ebp+14h]
		mov	edi, [ebp+18h]
		mov	dr7, ebx
		mov	dr0, esi
		mov	ebx, [ebp+1Ch]
		mov	dr1, edi
		mov	dr2, ebx
		mov	esi, [ebp+20h]
		mov	edi, [ebp+24h]
		mov	ebx, [ebp+28h]
		mov	dr3, esi
		mov	dr6, edi
		mov	dr7, ebx
		jmp	loc_59B307
; 

loc_59B588:				; CODE XREF: Kei386EoiHelper@0+9Fj
		movzx	ebx, word ptr [ebp+0Ch]
		mov	[ebp+6Ch], ebx
		mov	ebx, [ebp+10h]
		sub	ebx, 0Ch
		mov	[ebp+64h], ebx
		mov	esi, [ebp+70h]
		mov	[ebx+8], esi
		mov	esi, [ebp+6Ch]
		mov	[ebx+4], esi
		mov	esi, [ebp+68h]
		mov	[ebx], esi
		mov	eax, [ebp+40h]
		mov	edx, [ebp+38h]
		mov	ecx, [ebp+3Ch]
		lea	esp, [ebp+54h]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		mov	esp, [esp-64h+arg_60]
		iret
; END OF FUNCTION CHUNK	FOR Kei386EoiHelper@0
; 
		align 10h
; START	OF FUNCTION CHUNK FOR Dr_kass_a

loc_59B5C0:				; CODE XREF: Dr_kass_a+49Aj
					; KiSystemServicePostCall()+10Cj ...
		cmp	esp, ebp
		jz	short loc_59B5E5
		mov	edi, esp
		movaps	xmm0, oword ptr	[edi]
		movaps	xmm1, oword ptr	[edi+10h]
		movaps	xmm2, oword ptr	[edi+20h]
		movaps	xmm3, oword ptr	[edi+30h]
		movaps	xmm4, oword ptr	[edi+40h]
		movaps	xmm5, oword ptr	[edi+50h]
		movaps	xmm6, oword ptr	[edi+60h]
		movaps	xmm7, oword ptr	[edi+70h]

loc_59B5E5:				; CODE XREF: Dr_kass_a+2806j
		movzx	eax, large word	ptr fs:22E0h
		cmp	large fs:22DAh,	ax
		jz	short loc_59B607
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59B607:				; CODE XREF: Dr_kass_a+2839j
		btr	large word ptr fs:22D8h, 2
		jnb	short loc_59B621
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr

loc_59B621:				; CODE XREF: Dr_kass_a+2855j
		btr	large word ptr fs:22D8h, 4
		jnb	loc_59B731
		call	sub_59B726
; END OF FUNCTION CHUNK	FOR Dr_kass_a

;  S U B	R O U T	I N E 


sub_59B636	proc near		; CODE XREF: sub_59B63E+3p
		add	esp, 4
		call	sub_59B72E
sub_59B636	endp


;  S U B	R O U T	I N E 


sub_59B63E	proc near		; CODE XREF: sub_59B646+3p
		add	esp, 4
		call	sub_59B636
sub_59B63E	endp


;  S U B	R O U T	I N E 


sub_59B646	proc near		; CODE XREF: sub_59B64E+3p
		add	esp, 4
		call	sub_59B63E
sub_59B646	endp


;  S U B	R O U T	I N E 


sub_59B64E	proc near		; CODE XREF: sub_59B656+3p
		add	esp, 4
		call	sub_59B646
sub_59B64E	endp


;  S U B	R O U T	I N E 


sub_59B656	proc near		; CODE XREF: sub_59B65E+3p
		add	esp, 4
		call	sub_59B64E
sub_59B656	endp


;  S U B	R O U T	I N E 


sub_59B65E	proc near		; CODE XREF: sub_59B666+3p
		add	esp, 4
		call	sub_59B656
sub_59B65E	endp


;  S U B	R O U T	I N E 


sub_59B666	proc near		; CODE XREF: sub_59B66E+3p
		add	esp, 4
		call	sub_59B65E
sub_59B666	endp


;  S U B	R O U T	I N E 


sub_59B66E	proc near		; CODE XREF: sub_59B676+3p
		add	esp, 4
		call	sub_59B666
sub_59B66E	endp


;  S U B	R O U T	I N E 


sub_59B676	proc near		; CODE XREF: sub_59B67E+3p
		add	esp, 4
		call	sub_59B66E
sub_59B676	endp


;  S U B	R O U T	I N E 


sub_59B67E	proc near		; CODE XREF: sub_59B686+3p
		add	esp, 4
		call	sub_59B676
sub_59B67E	endp


;  S U B	R O U T	I N E 


sub_59B686	proc near		; CODE XREF: sub_59B68E+3p
		add	esp, 4
		call	sub_59B67E
sub_59B686	endp


;  S U B	R O U T	I N E 


sub_59B68E	proc near		; CODE XREF: sub_59B696+3p
		add	esp, 4
		call	sub_59B686
sub_59B68E	endp


;  S U B	R O U T	I N E 


sub_59B696	proc near		; CODE XREF: sub_59B69E+3p
		add	esp, 4
		call	sub_59B68E
sub_59B696	endp


;  S U B	R O U T	I N E 


sub_59B69E	proc near		; CODE XREF: sub_59B6A6+3p
		add	esp, 4
		call	sub_59B696
sub_59B69E	endp


;  S U B	R O U T	I N E 


sub_59B6A6	proc near		; CODE XREF: sub_59B6AE+3p
		add	esp, 4
		call	sub_59B69E
sub_59B6A6	endp


;  S U B	R O U T	I N E 


sub_59B6AE	proc near		; CODE XREF: sub_59B6B6+3p
		add	esp, 4
		call	sub_59B6A6
sub_59B6AE	endp


;  S U B	R O U T	I N E 


sub_59B6B6	proc near		; CODE XREF: sub_59B6BE+3p
		add	esp, 4
		call	sub_59B6AE
sub_59B6B6	endp


;  S U B	R O U T	I N E 


sub_59B6BE	proc near		; CODE XREF: sub_59B6C6+3p
		add	esp, 4
		call	sub_59B6B6
sub_59B6BE	endp


;  S U B	R O U T	I N E 


sub_59B6C6	proc near		; CODE XREF: sub_59B6CE+3p
		add	esp, 4
		call	sub_59B6BE
sub_59B6C6	endp


;  S U B	R O U T	I N E 


sub_59B6CE	proc near		; CODE XREF: sub_59B6D6+3p
		add	esp, 4
		call	sub_59B6C6
sub_59B6CE	endp


;  S U B	R O U T	I N E 


sub_59B6D6	proc near		; CODE XREF: sub_59B6DE+3p
		add	esp, 4
		call	sub_59B6CE
sub_59B6D6	endp


;  S U B	R O U T	I N E 


sub_59B6DE	proc near		; CODE XREF: sub_59B6E6+3p
		add	esp, 4
		call	sub_59B6D6
sub_59B6DE	endp


;  S U B	R O U T	I N E 


sub_59B6E6	proc near		; CODE XREF: sub_59B6EE+3p
		add	esp, 4
		call	sub_59B6DE
sub_59B6E6	endp


;  S U B	R O U T	I N E 


sub_59B6EE	proc near		; CODE XREF: sub_59B6F6+3p
		add	esp, 4
		call	sub_59B6E6
sub_59B6EE	endp


;  S U B	R O U T	I N E 


sub_59B6F6	proc near		; CODE XREF: sub_59B6FE+3p
		add	esp, 4
		call	sub_59B6EE
sub_59B6F6	endp


;  S U B	R O U T	I N E 


sub_59B6FE	proc near		; CODE XREF: sub_59B706+3p
		add	esp, 4
		call	sub_59B6F6
sub_59B6FE	endp


;  S U B	R O U T	I N E 


sub_59B706	proc near		; CODE XREF: sub_59B70E+3p
		add	esp, 4
		call	sub_59B6FE
sub_59B706	endp


;  S U B	R O U T	I N E 


sub_59B70E	proc near		; CODE XREF: sub_59B716+3p
		add	esp, 4
		call	sub_59B706
sub_59B70E	endp


;  S U B	R O U T	I N E 


sub_59B716	proc near		; CODE XREF: sub_59B71E+3p
		add	esp, 4
		call	sub_59B70E
sub_59B716	endp


;  S U B	R O U T	I N E 


sub_59B71E	proc near		; CODE XREF: sub_59B726+3p
		add	esp, 4
		call	sub_59B716
sub_59B71E	endp


;  S U B	R O U T	I N E 


sub_59B726	proc near		; CODE XREF: Dr_kass_a+2875p
		add	esp, 4
		call	sub_59B71E
sub_59B726	endp


;  S U B	R O U T	I N E 


sub_59B72E	proc near		; CODE XREF: sub_59B636+3p
		add	esp, 4

loc_59B731:				; CODE XREF: Dr_kass_a+286Fj
		test	large word ptr fs:22D8h, 20h
		jz	short loc_59B748
		xor	eax, eax
		xor	edx, edx
		mov	ecx, 1
		div	ecx

loc_59B748:				; CODE XREF: sub_59B72E+Dj
		lea	esp, [ebp+38h]
		pop	edx
		pop	ecx
		pop	eax
		ldmxcsr	dword ptr [ebp+48h]
		lea	esp, [ebp+54h]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		add	esp, 4
		test	ss:_KiKvaShadow, 1
		jz	short loc_59B781
		mov	large dword ptr	fs:5018h, 3Bh
		mov	large dword ptr	fs:5020h, 0
		jmp	_KiKernelExit
; 

loc_59B781:				; CODE XREF: sub_59B72E+36j
		test	large word ptr fs:22D8h, 40h
		jz	short locret_59B795
		verw	large word ptr fs:5028h

locret_59B795:				; CODE XREF: sub_59B72E+5Dj
		iret
sub_59B72E	endp ; sp =  68h

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiDispatchTrapException	proc near	; CODE XREF: Dr_kass_a+75Fp
					; V86_kira_a+2D5p ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
arg_0		= dword	ptr  8

		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	[esp+50h+var_50], eax
		xor	eax, eax
		mov	[esp+50h+var_4C], eax
		mov	[esp+50h+var_48], eax
		mov	[esp+50h+var_44], ebx
		mov	[esp+50h+var_40], ecx
		lea	ebx, [esp+50h+var_3C]
		mov	[ebx], edx
		mov	[ebx+4], esi
		mov	eax, [ebp+arg_0]
		mov	[ebx+8], eax
		mov	ecx, esp
		mov	esi, [ebp+0]
		pushf
		cli
		test	byte ptr [esi+72h], 2
		jz	short loc_59B7D6
		mov	eax, 1
		jmp	short loc_59B7DC
; 

loc_59B7D6:				; CODE XREF: KiDispatchTrapException+35j
		mov	eax, [esi+6Ch]
		and	eax, 1

loc_59B7DC:				; CODE XREF: KiDispatchTrapException+3Cj
		popf
		push	1
		push	eax
		push	esi
		push	0
		push	ecx
		call	KiDispatchException
		mov	ebp, esi
		mov	esp, edi
		jmp	Kei386EoiHelper@0
KiDispatchTrapException	endp


;  S U B	R O U T	I N E 


KtPfx_ExceptionHandler proc near	; DATA XREF: KiScanForPrefix+1o

var_8		= dword	ptr -8
arg_0		= dword	ptr  4
arg_4		= dword	ptr  8

		mov	eax, [esp+arg_0]
		mov	esp, [esp+arg_4]
		mov	eax, [eax]
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	ebp
		test	dword ptr [ebp+6Ch], 1
		jnz	short loc_59B820
		push	ebp
		push	0
		push	0
		push	0
		push	0
		push	1Eh
		call	_KiBugCheck2@24	; KiBugCheck2(x,x,x,x,x,x)

loc_59B820:				; CODE XREF: KtPfx_ExceptionHandler+1Cj
		mov	ebx, [ebp+68h]
		mov	ecx, 2
		xor	edx, edx
		mov	esi, 0FFFFFFFFh
		lea	edi, [esp+0Ch+var_8]
		call	KiDispatchTrapException
		int	3		; Trap to Debugger
KtPfx_ExceptionHandler endp


;  S U B	R O U T	I N E 


KiScanForPrefix	proc near		; CODE XREF: V86_kit6_a+7C4p
					; sub_59F909+59Ep

var_6		= word ptr -6
arg_0		= dword	ptr  8

		push	ebp
		push	offset KtPfx_ExceptionHandler
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		mov	esi, [ebp+68h]
		cmp	esi, ds:_MmUserProbeAddress
		jb	short loc_59B85E
		mov	esi, ds:_MmUserProbeAddress

loc_59B85E:				; CODE XREF: KiScanForPrefix+1Dj
		mov	ecx, 5

loc_59B863:				; CODE XREF: KiScanForPrefix+3Fj
		push	ecx
		lodsb
		mov	ecx, 0Bh
		mov	edi, offset _IDTEnd
		repne scasb
		pop	ecx
		jnz	short loc_59B881
		cmp	al, dl
		jz	short loc_59B88C
		loop	loc_59B863
		mov	eax, 0C000001Dh
		jmp	short loc_59B891
; 

loc_59B881:				; CODE XREF: KiScanForPrefix+39j
		pop	large dword ptr	fs:0
		add	esp, 8
		retn
; 

loc_59B88C:				; CODE XREF: KiScanForPrefix+3Dj
		mov	eax, 0C000001Eh

loc_59B891:				; CODE XREF: KiScanForPrefix+46j
		mov	ebx, [ebp+68h]
		pop	large dword ptr	fs:0
		lea	edi, [esp+4+arg_0]
		xor	ecx, ecx
		call	KiDispatchTrapException
		int	3		; Trap to Debugger
		nop

Dr_kit0_a:				; CODE XREF: KiScanForPrefix+394j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59B8BB
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59BBD3

loc_59B8BB:				; CODE XREF: KiScanForPrefix+76j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59BBD3
; 
		align 4

V86_kit0_a:				; CODE XREF: KiScanForPrefix+37Ej
		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59BBBD
; 
		align 4

_KiTrap00:				; CODE XREF: _KiTrap00Shadow+34j
					; _KiTrap00Shadow+BDj
					; DATA XREF: ...
		push	0
		mov	[esp+8+var_6], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		assume fs:nothing
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		assume ds:nothing
		mov	es, ax
		assume es:nothing
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59B9CF
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59B9CF
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59B9CF
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59B9CF:				; CODE XREF: KiScanForPrefix+168j
					; KiScanForPrefix+171j	...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59B9FC
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59B9FC
		lfence	eax
		jmp	loc_59BB86
; 
		dw 0F64h
		dd 22DA05B7h, 48B90000h, 33000000h, 0E9300FD2h,	18Ah
; 

loc_59B9FC:				; CODE XREF: KiScanForPrefix+19Dj
					; KiScanForPrefix+1A3j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59BA44
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59BA44:				; CODE XREF: KiScanForPrefix+1F9j
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59BA6A
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59BA6A:				; CODE XREF: KiScanForPrefix+219j
		test	edx, 2
		jz	loc_59BB76
		call	loc_59BB6B

loc_59BA7B:				; CODE XREF: KiScanForPrefix+24Dp
		add	esp, 4
		call	loc_59BB73

loc_59BA83:				; CODE XREF: KiScanForPrefix+255p
		add	esp, 4
		call	loc_59BA7B

loc_59BA8B:				; CODE XREF: KiScanForPrefix+25Dp
		add	esp, 4
		call	loc_59BA83

loc_59BA93:				; CODE XREF: KiScanForPrefix+265p
		add	esp, 4
		call	loc_59BA8B

loc_59BA9B:				; CODE XREF: KiScanForPrefix+26Dp
		add	esp, 4
		call	loc_59BA93

loc_59BAA3:				; CODE XREF: KiScanForPrefix+275p
		add	esp, 4
		call	loc_59BA9B

loc_59BAAB:				; CODE XREF: KiScanForPrefix+27Dp
		add	esp, 4
		call	loc_59BAA3

loc_59BAB3:				; CODE XREF: KiScanForPrefix+285p
		add	esp, 4
		call	loc_59BAAB

loc_59BABB:				; CODE XREF: KiScanForPrefix+28Dp
		add	esp, 4
		call	loc_59BAB3

loc_59BAC3:				; CODE XREF: KiScanForPrefix+295p
		add	esp, 4
		call	loc_59BABB

loc_59BACB:				; CODE XREF: KiScanForPrefix+29Dp
		add	esp, 4
		call	loc_59BAC3

loc_59BAD3:				; CODE XREF: KiScanForPrefix+2A5p
		add	esp, 4
		call	loc_59BACB

loc_59BADB:				; CODE XREF: KiScanForPrefix+2ADp
		add	esp, 4
		call	loc_59BAD3

loc_59BAE3:				; CODE XREF: KiScanForPrefix+2B5p
		add	esp, 4
		call	loc_59BADB

loc_59BAEB:				; CODE XREF: KiScanForPrefix+2BDp
		add	esp, 4
		call	loc_59BAE3

loc_59BAF3:				; CODE XREF: KiScanForPrefix+2C5p
		add	esp, 4
		call	loc_59BAEB

loc_59BAFB:				; CODE XREF: KiScanForPrefix+2CDp
		add	esp, 4
		call	loc_59BAF3

loc_59BB03:				; CODE XREF: KiScanForPrefix+2D5p
		add	esp, 4
		call	loc_59BAFB

loc_59BB0B:				; CODE XREF: KiScanForPrefix+2DDp
		add	esp, 4
		call	loc_59BB03

loc_59BB13:				; CODE XREF: KiScanForPrefix+2E5p
		add	esp, 4
		call	loc_59BB0B

loc_59BB1B:				; CODE XREF: KiScanForPrefix+2EDp
		add	esp, 4
		call	loc_59BB13

loc_59BB23:				; CODE XREF: KiScanForPrefix+2F5p
		add	esp, 4
		call	loc_59BB1B

loc_59BB2B:				; CODE XREF: KiScanForPrefix+2FDp
		add	esp, 4
		call	loc_59BB23

loc_59BB33:				; CODE XREF: KiScanForPrefix+305p
		add	esp, 4
		call	loc_59BB2B

loc_59BB3B:				; CODE XREF: KiScanForPrefix+30Dp
		add	esp, 4
		call	loc_59BB33

loc_59BB43:				; CODE XREF: KiScanForPrefix+315p
		add	esp, 4
		call	loc_59BB3B

loc_59BB4B:				; CODE XREF: KiScanForPrefix+31Dp
		add	esp, 4
		call	loc_59BB43

loc_59BB53:				; CODE XREF: KiScanForPrefix+325p
		add	esp, 4
		call	loc_59BB4B

loc_59BB5B:				; CODE XREF: KiScanForPrefix+32Dp
		add	esp, 4
		call	loc_59BB53

loc_59BB63:				; CODE XREF: KiScanForPrefix+335p
		add	esp, 4
		call	loc_59BB5B

loc_59BB6B:				; CODE XREF: KiScanForPrefix+23Dp
		add	esp, 4
		call	loc_59BB63

loc_59BB73:				; CODE XREF: KiScanForPrefix+245p
		add	esp, 4

loc_59BB76:				; CODE XREF: KiScanForPrefix+237j
		test	edx, 80h
		jz	short loc_59BB83
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59BB83:				; CODE XREF: KiScanForPrefix+343j
		lfence	eax

loc_59BB86:				; CODE XREF: KiScanForPrefix+1A8j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kit0_a

loc_59BBBD:				; CODE XREF: KiScanForPrefix+114j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kit0_a

loc_59BBD3:				; CODE XREF: KiScanForPrefix+7Cj
					; KiScanForPrefix+E8j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		test	byte ptr [ebp+72h], 2
		jnz	short loc_59BC39
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59BC00
		test	byte ptr [ebp+71h], 2
		jz	short loc_59BBF9
		sti

loc_59BBF9:				; CODE XREF: KiScanForPrefix+3BDj
		mov	eax, 0C0000094h
		jmp	short loc_59BC0E
; 

loc_59BC00:				; CODE XREF: KiScanForPrefix+3B7j
		cmp	word ptr [ebp+6Ch], 1Bh
		jnz	short loc_59BC23
		sti
		push	ebp
		call	_Ki386CheckDivideByZeroTrap@4 ;	Ki386CheckDivideByZeroTrap(x)

loc_59BC0E:				; CODE XREF: KiScanForPrefix+3C5j
					; KiScanForPrefix+3E8j
		mov	ebx, [ebp+68h]
		mov	edi, esp
		xor	ecx, ecx
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_59BC1B:				; CODE XREF: KiScanForPrefix+3FEj
					; KiScanForPrefix+409j
		sti
		mov	eax, 0C0000094h
		jmp	short loc_59BC0E
; 

loc_59BC23:				; CODE XREF: KiScanForPrefix+3CCj
		mov	ebx, large fs:124h
		mov	ebx, [ebx+80h]
		cmp	dword ptr [ebx+0F4h], 0
		jz	short loc_59BC1B

loc_59BC39:				; CODE XREF: KiScanForPrefix+3B1j
		push	0
		call	_Ki386VdmReflectException_A@4 ;	Ki386VdmReflectException_A(x)
		or	al, al
		jz	short loc_59BC1B
		jmp	Kei386EoiHelper@0
KiScanForPrefix	endp

; 
		align 4

;  S U B	R O U T	I N E 


Dr_kit1_a	proc near		; CODE XREF: V86_kit1_a+2F6j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59BC5F
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59BFC8

loc_59BC5F:				; CODE XREF: Dr_kit1_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59BFC8
Dr_kit1_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


V86_kit1_a	proc near		; CODE XREF: V86_kit1_a+2E0j

var_14		= byte ptr -14h
var_2		= word ptr -2
arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59BFB2
; 
		align 4

_KiTrap01:				; CODE XREF: _KiTrap01Shadow+7Bj
					; _KiTrap01Shadow+104j
					; DATA XREF: ...
		test	ss:_KiKvaShadow, 1
		jnz	short loc_59BD49
		test	[esp+arg_4], 20000h
		jnz	short loc_59BD49
		test	[esp+arg_0], 1
		jnz	short loc_59BD49
		push	ecx
		push	eax
		push	edx
		sub	esp, 8
		sidt	fword ptr [esp+14h+var_14]
		mov	eax, dword ptr [esp+14h+var_14+2]
		mov	ecx, 0FFh

loc_59BD26:				; CODE XREF: V86_kit1_a+6Bj
		mov	edx, ss:[eax+ecx*8-4]
		mov	dx, ss:[eax+ecx*8-8]
		cmp	[esp+14h], edx
		jz	short loc_59BD41
		loop	loc_59BD26
		add	esp, 8
		pop	edx
		pop	eax
		pop	ecx
		jmp	short loc_59BD49
; 

loc_59BD41:				; CODE XREF: V86_kit1_a+69j
		add	esp, 8
		pop	edx
		pop	eax
		pop	ecx
		iret
; 
		db 0CCh
; 

loc_59BD49:				; CODE XREF: V86_kit1_a+34j
					; V86_kit1_a+3Ej ...
		push	0
		mov	[esp+4+var_2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59BDC4
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59BDC4
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59BDC4
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59BDC4:				; CODE XREF: V86_kit1_a+CAj
					; V86_kit1_a+D3j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59BDF1
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59BDF1
		lfence	eax
		jmp	loc_59BF7B
; 
		db 64h
		dd 0DA05B70Fh, 0B9000022h, 48h,	300FD233h, 18AE9h
		db 0
; 

loc_59BDF1:				; CODE XREF: V86_kit1_a+FFj
					; V86_kit1_a+105j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59BE39
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59BE39:				; CODE XREF: V86_kit1_a+15Bj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59BE5F
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59BE5F:				; CODE XREF: V86_kit1_a+17Bj
		test	edx, 2
		jz	loc_59BF6B
		call	loc_59BF60

loc_59BE70:				; CODE XREF: V86_kit1_a+1AFp
		add	esp, 4
		call	loc_59BF68

loc_59BE78:				; CODE XREF: V86_kit1_a+1B7p
		add	esp, 4
		call	loc_59BE70

loc_59BE80:				; CODE XREF: V86_kit1_a+1BFp
		add	esp, 4
		call	loc_59BE78

loc_59BE88:				; CODE XREF: V86_kit1_a+1C7p
		add	esp, 4
		call	loc_59BE80

loc_59BE90:				; CODE XREF: V86_kit1_a+1CFp
		add	esp, 4
		call	loc_59BE88

loc_59BE98:				; CODE XREF: V86_kit1_a+1D7p
		add	esp, 4
		call	loc_59BE90

loc_59BEA0:				; CODE XREF: V86_kit1_a+1DFp
		add	esp, 4
		call	loc_59BE98

loc_59BEA8:				; CODE XREF: V86_kit1_a+1E7p
		add	esp, 4
		call	loc_59BEA0

loc_59BEB0:				; CODE XREF: V86_kit1_a+1EFp
		add	esp, 4
		call	loc_59BEA8

loc_59BEB8:				; CODE XREF: V86_kit1_a+1F7p
		add	esp, 4
		call	loc_59BEB0

loc_59BEC0:				; CODE XREF: V86_kit1_a+1FFp
		add	esp, 4
		call	loc_59BEB8

loc_59BEC8:				; CODE XREF: V86_kit1_a+207p
		add	esp, 4
		call	loc_59BEC0

loc_59BED0:				; CODE XREF: V86_kit1_a+20Fp
		add	esp, 4
		call	loc_59BEC8

loc_59BED8:				; CODE XREF: V86_kit1_a+217p
		add	esp, 4
		call	loc_59BED0

loc_59BEE0:				; CODE XREF: V86_kit1_a+21Fp
		add	esp, 4
		call	loc_59BED8

loc_59BEE8:				; CODE XREF: V86_kit1_a+227p
		add	esp, 4
		call	loc_59BEE0

loc_59BEF0:				; CODE XREF: V86_kit1_a+22Fp
		add	esp, 4
		call	loc_59BEE8

loc_59BEF8:				; CODE XREF: V86_kit1_a+237p
		add	esp, 4
		call	loc_59BEF0

loc_59BF00:				; CODE XREF: V86_kit1_a+23Fp
		add	esp, 4
		call	loc_59BEF8

loc_59BF08:				; CODE XREF: V86_kit1_a+247p
		add	esp, 4
		call	loc_59BF00

loc_59BF10:				; CODE XREF: V86_kit1_a+24Fp
		add	esp, 4
		call	loc_59BF08

loc_59BF18:				; CODE XREF: V86_kit1_a+257p
		add	esp, 4
		call	loc_59BF10

loc_59BF20:				; CODE XREF: V86_kit1_a+25Fp
		add	esp, 4
		call	loc_59BF18

loc_59BF28:				; CODE XREF: V86_kit1_a+267p
		add	esp, 4
		call	loc_59BF20

loc_59BF30:				; CODE XREF: V86_kit1_a+26Fp
		add	esp, 4
		call	loc_59BF28

loc_59BF38:				; CODE XREF: V86_kit1_a+277p
		add	esp, 4
		call	loc_59BF30

loc_59BF40:				; CODE XREF: V86_kit1_a+27Fp
		add	esp, 4
		call	loc_59BF38

loc_59BF48:				; CODE XREF: V86_kit1_a+287p
		add	esp, 4
		call	loc_59BF40

loc_59BF50:				; CODE XREF: V86_kit1_a+28Fp
		add	esp, 4
		call	loc_59BF48

loc_59BF58:				; CODE XREF: V86_kit1_a+297p
		add	esp, 4
		call	loc_59BF50

loc_59BF60:				; CODE XREF: V86_kit1_a+19Fp
		add	esp, 4
		call	loc_59BF58

loc_59BF68:				; CODE XREF: V86_kit1_a+1A7p
		add	esp, 4

loc_59BF6B:				; CODE XREF: V86_kit1_a+199j
		test	edx, 80h
		jz	short loc_59BF78
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59BF78:				; CODE XREF: V86_kit1_a+2A5j
		lfence	eax

loc_59BF7B:				; CODE XREF: V86_kit1_a+10Aj
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kit1_a

loc_59BFB2:				; CODE XREF: V86_kit1_a+25j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kit1_a

loc_59BFC8:				; CODE XREF: Dr_kit1_a+Dj
					; Dr_kit1_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		test	ss:_KiKvaShadow, 1
		jz	short loc_59C003
		mov	ecx, [ebp+68h]
		cmp	ecx, offset _KiFastCallEntryShadow
		jnz	short loc_59C021
		mov	dword ptr [ebp+68h], offset _KiFastCallEntry2Shadow
		and	dword ptr [ebp+70h], 0FFFFFEFFh
		jmp	Kei386EoiHelper@0
; 

loc_59C003:				; CODE XREF: V86_kit1_a+317j
		mov	ecx, [ebp+68h]
		cmp	ecx, offset _KiFastCallEntry
		jnz	short loc_59C021
		mov	dword ptr [ebp+68h], offset _KiFastCallEntry2
		and	dword ptr [ebp+70h], 0FFFFFEFFh
		jmp	Kei386EoiHelper@0
; 

loc_59C021:				; CODE XREF: V86_kit1_a+322j
					; V86_kit1_a+340j
		test	byte ptr [ebp+72h], 2
		jnz	short loc_59C04E
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59C035
		cmp	word ptr [ebp+6Ch], 1Bh
		jnz	short loc_59C04E

loc_59C034:				; CODE XREF: V86_kit1_a+396j
		sti

loc_59C035:				; CODE XREF: V86_kit1_a+35Fj
					; V86_kit1_a+3A3j
		and	dword ptr [ebp+70h], 0FFFFFEFFh
		mov	ebx, [ebp+68h]
		mov	eax, 80000004h
		xor	ecx, ecx
		mov	edi, esp
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_59C04E:				; CODE XREF: V86_kit1_a+359j
					; V86_kit1_a+366j
		mov	ebx, large fs:124h
		mov	ebx, [ebx+80h]
		cmp	dword ptr [ebx+0F4h], 0
		jz	short loc_59C034
		push	1
		call	_Ki386VdmReflectException_A@4 ;	Ki386VdmReflectException_A(x)
		test	ax, 0FFFFh
		jz	short loc_59C035
		jmp	Kei386EoiHelper@0
V86_kit1_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


_KiTrap02	proc near		; CODE XREF: sub_59C2E7+169j
					; DATA XREF: sub_59C2E7+14Eo ...

var_4		= dword	ptr -4

		cli
		clts
		mov	eax, large fs:40h
		mov	ecx, large fs:124h
		mov	edi, [ecx+80h]
		mov	ecx, [edi+18h]
		test	ss:_KiKvaShadow, 1
		jz	short loc_59C0E9
		test	dword ptr [eax+24h], 20000h
		jnz	short loc_59C0DB
		test	byte ptr [eax+4Ch], 1
		jnz	short loc_59C0DB
		mov	ebx, large fs:3Ch
		lea	ebx, [ebx+6000h]
		cmp	[eax+38h], ebx
		ja	short loc_59C0E9
		sub	ebx, 1000h
		cmp	[eax+38h], ebx
		jbe	short loc_59C0E9
		mov	ebx, offset _KiKernelSysretExit
		cmp	[eax+20h], ebx
		jb	short loc_59C0E9
		mov	ebx, offset _KiShadowExitEnd
		cmp	[eax+20h], ebx
		jnb	short loc_59C0E9

loc_59C0DB:				; CODE XREF: _KiTrap02+2Aj
					; _KiTrap02+30j
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_59C0E9
		add	ecx, 20h

loc_59C0E9:				; CODE XREF: _KiTrap02+21j
					; _KiTrap02+42j ...
		mov	[eax+1Ch], ecx
		mov	cx, [edi+76h]
		mov	[eax+66h], cx
		mov	ecx, [edi+1Ch]
		test	ecx, ecx
		jz	short loc_59C0FF
		mov	cx, 48h

loc_59C0FF:				; CODE XREF: _KiTrap02+81j
		mov	[eax+60h], cx
		mov	edi, large fs:3Ch
		mov	ch, [edi+5Fh]
		mov	cl, [edi+5Ch]
		shl	ecx, 10h
		mov	cx, [edi+5Ah]
		mov	large fs:40h, ecx
		pushf
		and	[esp+4+var_4], 0FFFFBFFFh
		popf
		lea	ecx, [edi+58h]
		mov	byte ptr [ecx+5], 89h
		push	eax
		push	0
		push	0
		push	0
		push	0
		push	dword ptr [eax+50h]
		push	dword ptr [eax+38h]
		push	dword ptr [eax+24h]
		push	dword ptr [eax+4Ch]
		push	dword ptr [eax+20h]
		push	0
		push	dword ptr [eax+3Ch]
		push	dword ptr [eax+34h]
		push	dword ptr [eax+40h]
		push	dword ptr [eax+44h]
		push	dword ptr [eax+58h]
		push	large dword ptr	fs:0
		sub	esp, 4
		push	0FFh
		push	dword ptr [eax+28h]
		push	dword ptr [eax+2Ch]
		push	dword ptr [eax+30h]
		push	dword ptr [eax+54h]
		push	dword ptr [eax+48h]
		push	dword ptr [eax+5Ch]
		push	0
		push	0
		push	0
		push	0
		push	0
		push	0
		push	0
		push	0
		push	0BADB0D00h
		push	dword ptr [eax+20h]
		push	dword ptr [eax+3Ch]
		mov	ebp, esp
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		cmp	large word ptr fs:22DCh, 0
		jz	short loc_59C1CE
		mov	ecx, 48h
		rdmsr
		mov	[ebp+46h], al
		movzx	eax, large word	ptr fs:22DCh
		mov	ecx, 48h
		xor	edx, edx
		wrmsr
		test	eax, 1
		jnz	short loc_59C1EA

loc_59C1CE:				; CODE XREF: _KiTrap02+132j
		test	large byte ptr fs:22D9h, 2
		jz	loc_59C2EA
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr

loc_59C1EA:				; CODE XREF: _KiTrap02+154j
		call	sub_59C2DF

loc_59C1EF:				; CODE XREF: _KiTrap02+182p
		add	esp, 4
		call	sub_59C2E7

loc_59C1F7:				; CODE XREF: _KiTrap02+18Ap
		add	esp, 4
		call	loc_59C1EF

loc_59C1FF:				; CODE XREF: _KiTrap02+192p
		add	esp, 4
		call	loc_59C1F7

loc_59C207:				; CODE XREF: _KiTrap02+19Ap
		add	esp, 4
		call	loc_59C1FF

loc_59C20F:				; CODE XREF: _KiTrap02+1A2p
		add	esp, 4
		call	loc_59C207

loc_59C217:				; CODE XREF: _KiTrap02+1AAp
		add	esp, 4
		call	loc_59C20F

loc_59C21F:				; CODE XREF: _KiTrap02+1B2p
		add	esp, 4
		call	loc_59C217

loc_59C227:				; CODE XREF: _KiTrap02+1BAp
		add	esp, 4
		call	loc_59C21F

loc_59C22F:				; CODE XREF: _KiTrap02+1C2p
		add	esp, 4
		call	loc_59C227

loc_59C237:				; CODE XREF: _KiTrap02+1CAp
		add	esp, 4
		call	loc_59C22F

loc_59C23F:				; CODE XREF: _KiTrap02+1D2p
		add	esp, 4
		call	loc_59C237

loc_59C247:				; CODE XREF: _KiTrap02+1DAp
		add	esp, 4
		call	loc_59C23F

loc_59C24F:				; CODE XREF: _KiTrap02+1E2p
		add	esp, 4
		call	loc_59C247

loc_59C257:				; CODE XREF: _KiTrap02+1EAp
		add	esp, 4
		call	loc_59C24F

loc_59C25F:				; CODE XREF: _KiTrap02+1F2p
		add	esp, 4
		call	loc_59C257

loc_59C267:				; CODE XREF: _KiTrap02+1FAp
		add	esp, 4
		call	loc_59C25F

loc_59C26F:				; CODE XREF: _KiTrap02+202p
		add	esp, 4
		call	loc_59C267

loc_59C277:				; CODE XREF: _KiTrap02+20Ap
		add	esp, 4
		call	loc_59C26F

loc_59C27F:				; CODE XREF: _KiTrap02+212p
		add	esp, 4
		call	loc_59C277

loc_59C287:				; CODE XREF: _KiTrap02+21Ap
		add	esp, 4
		call	loc_59C27F

loc_59C28F:				; CODE XREF: _KiTrap02+222p
		add	esp, 4
		call	loc_59C287

loc_59C297:				; CODE XREF: _KiTrap02+22Ap
		add	esp, 4
		call	loc_59C28F

loc_59C29F:				; CODE XREF: _KiTrap02+232p
		add	esp, 4
		call	loc_59C297

loc_59C2A7:				; CODE XREF: _KiTrap02+23Ap
		add	esp, 4
		call	loc_59C29F

loc_59C2AF:				; CODE XREF: _KiTrap02+242p
		add	esp, 4
		call	loc_59C2A7

loc_59C2B7:				; CODE XREF: _KiTrap02+24Ap
		add	esp, 4
		call	loc_59C2AF

loc_59C2BF:				; CODE XREF: _KiTrap02+252p
		add	esp, 4
		call	loc_59C2B7

loc_59C2C7:				; CODE XREF: _KiTrap02+25Ap
		add	esp, 4
		call	loc_59C2BF

loc_59C2CF:				; CODE XREF: _KiTrap02+262p
		add	esp, 4
		call	loc_59C2C7

loc_59C2D7:				; CODE XREF: sub_59C2DF+3p
		add	esp, 4
		call	loc_59C2CF
_KiTrap02	endp


;  S U B	R O U T	I N E 


sub_59C2DF	proc near		; CODE XREF: _KiTrap02:loc_59C1EAp
		add	esp, 4
		call	loc_59C2D7
sub_59C2DF	endp


;  S U B	R O U T	I N E 


sub_59C2E7	proc near		; CODE XREF: _KiTrap02+17Ap

var_4		= dword	ptr -4
arg_88		= dword	ptr  8Ch

		add	esp, 4

loc_59C2EA:				; CODE XREF: _KiTrap02+15Ej
		lfence	eax
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		push	0
		push	ebp
		call	_KiSaveProcessorState@8	; KiSaveProcessorState(x,x)
		call	_KiHandleNmi@0	; KiHandleNmi()
		or	al, al
		jnz	loc_59C3C2
		xor	ebx, ebx
		mov	bl, large fs:51h
		cmp	ds:dword_6B0004, ebx
		jz	short loc_59C351
		lea	eax, unk_6B0000
		push	eax
		push	0
		mov	ecx, esp
		mov	edx, ebp
		call	@KiAcquireQueuedSpinLockCheckForFreeze@8 ; KiAcquireQueuedSpinLockCheckForFreeze(x,x)
		jmp	short loc_59C375
; 

loc_59C351:				; CODE XREF: sub_59C2E7+54j
		cmp	ds:dword_6B0008, 8
		jb	short loc_59C375
		jnz	short loc_59C373
		cmp	ds:_KdDebuggerNotPresent, 0
		jnz	short loc_59C373
		cmp	ds:_KdDebuggerEnabled, 0
		jz	short loc_59C373
		call	_KeEnterKernelDebugger@0 ; KeEnterKernelDebugger()

loc_59C373:				; CODE XREF: sub_59C2E7+73j
					; sub_59C2E7+7Cj ...
		jmp	short loc_59C373
; 

loc_59C375:				; CODE XREF: sub_59C2E7+68j
					; sub_59C2E7+71j
		mov	ds:dword_6B0004, ebx
		inc	ds:dword_6B0008
		push	large dword ptr	fs:24h
		mov	large dword ptr	fs:24h,	1Fh
		push	0
		call	ds:__imp__HalHandleNMI@4 ; HalHandleNMI(x)
		pop	large dword ptr	fs:24h
		dec	ds:dword_6B0008
		jnz	loc_59C455
		mov	ds:dword_6B0004, 0FFFFFFFFh
		mov	ecx, esp
		call	@KeReleaseQueuedSpinLockFromDpcLevel@4 ; KeReleaseQueuedSpinLockFromDpcLevel(x)
		add	esp, 8

loc_59C3C2:				; CODE XREF: sub_59C2E7+3Fj
		mov	eax, large fs:40h
		cmp	word ptr [eax],	58h
		jz	loc_59C455
		mov	edi, esp
		movaps	xmm0, oword ptr	[edi]
		movaps	xmm1, oword ptr	[edi+10h]
		movaps	xmm2, oword ptr	[edi+20h]
		movaps	xmm3, oword ptr	[edi+30h]
		movaps	xmm4, oword ptr	[edi+40h]
		movaps	xmm5, oword ptr	[edi+50h]
		movaps	xmm6, oword ptr	[edi+60h]
		movaps	xmm7, oword ptr	[edi+70h]
		mov	esp, ebp
		cmp	large word ptr fs:22DCh, 0
		jz	short loc_59C40D
		movzx	eax, byte ptr [ebp+46h]
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59C40D:				; CODE XREF: sub_59C2E7+117j
		ldmxcsr	dword ptr [ebp+48h]
		mov	eax, [esp+arg_88]
		mov	large fs:40h, eax
		mov	ecx, large fs:3Ch
		lea	eax, [ecx+28h]
		mov	byte ptr [eax+5], 8Bh
		pushf
		or	[esp+4+var_4], 4000h
		popf
		lea	eax, _KiTrap02
		test	ss:_KiKvaShadow, 1
		jnz	_KiKernelTaskSwitchExit
		add	esp, 90h
		iret
; 
		jmp	_KiTrap02
; 

loc_59C455:				; CODE XREF: sub_59C2E7+C1j
					; sub_59C2E7+E5j
		mov	eax, 2
		call	_KiSystemFatalException
		int	3		; Trap to Debugger
sub_59C2E7	endp


;  S U B	R O U T	I N E 


Dr_kids_a	proc near		; CODE XREF: V86_kids_a+2A5j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59C473
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59C78B

loc_59C473:				; CODE XREF: Dr_kids_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59C78B
Dr_kids_a	endp

; 
		align 10h

;  S U B	R O U T	I N E 


V86_kids_a	proc near		; CODE XREF: V86_kids_a+28Fj

var_2		= word ptr -2

		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59C775
; 
		align 4

_KiDebugService:			; CODE XREF: _KiDebugServiceShadow+34j
					; _KiDebugServiceShadow+BDj
					; DATA XREF: ...
		push	0
		mov	[esp+4+var_2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59C587
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59C587
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59C587
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59C587:				; CODE XREF: V86_kids_a+79j
					; V86_kids_a+82j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59C5B4
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59C5B4
		lfence	eax
		jmp	loc_59C73E
; 
		dw 0F64h
		dd 22DA05B7h, 48B90000h, 33000000h, 0E9300FD2h,	18Ah
; 

loc_59C5B4:				; CODE XREF: V86_kids_a+AEj
					; V86_kids_a+B4j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59C5FC
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59C5FC:				; CODE XREF: V86_kids_a+10Aj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59C622
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59C622:				; CODE XREF: V86_kids_a+12Aj
		test	edx, 2
		jz	loc_59C72E
		call	loc_59C723

loc_59C633:				; CODE XREF: V86_kids_a+15Ep
		add	esp, 4
		call	loc_59C72B

loc_59C63B:				; CODE XREF: V86_kids_a+166p
		add	esp, 4
		call	loc_59C633

loc_59C643:				; CODE XREF: V86_kids_a+16Ep
		add	esp, 4
		call	loc_59C63B

loc_59C64B:				; CODE XREF: V86_kids_a+176p
		add	esp, 4
		call	loc_59C643

loc_59C653:				; CODE XREF: V86_kids_a+17Ep
		add	esp, 4
		call	loc_59C64B

loc_59C65B:				; CODE XREF: V86_kids_a+186p
		add	esp, 4
		call	loc_59C653

loc_59C663:				; CODE XREF: V86_kids_a+18Ep
		add	esp, 4
		call	loc_59C65B

loc_59C66B:				; CODE XREF: V86_kids_a+196p
		add	esp, 4
		call	loc_59C663

loc_59C673:				; CODE XREF: V86_kids_a+19Ep
		add	esp, 4
		call	loc_59C66B

loc_59C67B:				; CODE XREF: V86_kids_a+1A6p
		add	esp, 4
		call	loc_59C673

loc_59C683:				; CODE XREF: V86_kids_a+1AEp
		add	esp, 4
		call	loc_59C67B

loc_59C68B:				; CODE XREF: V86_kids_a+1B6p
		add	esp, 4
		call	loc_59C683

loc_59C693:				; CODE XREF: V86_kids_a+1BEp
		add	esp, 4
		call	loc_59C68B

loc_59C69B:				; CODE XREF: V86_kids_a+1C6p
		add	esp, 4
		call	loc_59C693

loc_59C6A3:				; CODE XREF: V86_kids_a+1CEp
		add	esp, 4
		call	loc_59C69B

loc_59C6AB:				; CODE XREF: V86_kids_a+1D6p
		add	esp, 4
		call	loc_59C6A3

loc_59C6B3:				; CODE XREF: V86_kids_a+1DEp
		add	esp, 4
		call	loc_59C6AB

loc_59C6BB:				; CODE XREF: V86_kids_a+1E6p
		add	esp, 4
		call	loc_59C6B3

loc_59C6C3:				; CODE XREF: V86_kids_a+1EEp
		add	esp, 4
		call	loc_59C6BB

loc_59C6CB:				; CODE XREF: V86_kids_a+1F6p
		add	esp, 4
		call	loc_59C6C3

loc_59C6D3:				; CODE XREF: V86_kids_a+1FEp
		add	esp, 4
		call	loc_59C6CB

loc_59C6DB:				; CODE XREF: V86_kids_a+206p
		add	esp, 4
		call	loc_59C6D3

loc_59C6E3:				; CODE XREF: V86_kids_a+20Ep
		add	esp, 4
		call	loc_59C6DB

loc_59C6EB:				; CODE XREF: V86_kids_a+216p
		add	esp, 4
		call	loc_59C6E3

loc_59C6F3:				; CODE XREF: V86_kids_a+21Ep
		add	esp, 4
		call	loc_59C6EB

loc_59C6FB:				; CODE XREF: V86_kids_a+226p
		add	esp, 4
		call	loc_59C6F3

loc_59C703:				; CODE XREF: V86_kids_a+22Ep
		add	esp, 4
		call	loc_59C6FB

loc_59C70B:				; CODE XREF: V86_kids_a+236p
		add	esp, 4
		call	loc_59C703

loc_59C713:				; CODE XREF: V86_kids_a+23Ep
		add	esp, 4
		call	loc_59C70B

loc_59C71B:				; CODE XREF: V86_kids_a+246p
		add	esp, 4
		call	loc_59C713

loc_59C723:				; CODE XREF: V86_kids_a+14Ep
		add	esp, 4
		call	loc_59C71B

loc_59C72B:				; CODE XREF: V86_kids_a+156p
		add	esp, 4

loc_59C72E:				; CODE XREF: V86_kids_a+148j
		test	edx, 80h
		jz	short loc_59C73B
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59C73B:				; CODE XREF: V86_kids_a+254j
		lfence	eax

loc_59C73E:				; CODE XREF: V86_kids_a+B9j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kids_a

loc_59C775:				; CODE XREF: V86_kids_a+25j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kids_a

loc_59C78B:				; CODE XREF: Dr_kids_a+Dj
					; Dr_kids_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		inc	dword ptr [ebp+68h]
		mov	eax, [ebp+40h]
		mov	ecx, [ebp+3Ch]
		mov	edx, [ebp+38h]
		jmp	loc_59CB07
V86_kids_a	endp

; 
		align 10h

;  S U B	R O U T	I N E 


Dr_kit3_a	proc near		; CODE XREF: V86_kit3_a+2A5j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59C7C3
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59CADB

loc_59C7C3:				; CODE XREF: Dr_kit3_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59CADB
Dr_kit3_a	endp

; 
		align 10h

;  S U B	R O U T	I N E 


V86_kit3_a	proc near		; CODE XREF: V86_kit3_a+28Fj

var_2		= word ptr -2

		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59CAC5
; 
		align 4

_KiTrap03:				; CODE XREF: _KiTrap03Shadow+34j
					; _KiTrap03Shadow+BDj
					; DATA XREF: ...
		push	0
		mov	[esp+4+var_2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59C8D7
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59C8D7
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59C8D7
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59C8D7:				; CODE XREF: V86_kit3_a+79j
					; V86_kit3_a+82j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59C904
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59C904
		lfence	eax
		jmp	loc_59CA8E
; 
		dw 0F64h
		dd 22DA05B7h, 48B90000h, 33000000h, 0E9300FD2h,	18Ah
; 

loc_59C904:				; CODE XREF: V86_kit3_a+AEj
					; V86_kit3_a+B4j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59C94C
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59C94C:				; CODE XREF: V86_kit3_a+10Aj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59C972
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59C972:				; CODE XREF: V86_kit3_a+12Aj
		test	edx, 2
		jz	loc_59CA7E
		call	loc_59CA73

loc_59C983:				; CODE XREF: V86_kit3_a+15Ep
		add	esp, 4
		call	loc_59CA7B

loc_59C98B:				; CODE XREF: V86_kit3_a+166p
		add	esp, 4
		call	loc_59C983

loc_59C993:				; CODE XREF: V86_kit3_a+16Ep
		add	esp, 4
		call	loc_59C98B

loc_59C99B:				; CODE XREF: V86_kit3_a+176p
		add	esp, 4
		call	loc_59C993

loc_59C9A3:				; CODE XREF: V86_kit3_a+17Ep
		add	esp, 4
		call	loc_59C99B

loc_59C9AB:				; CODE XREF: V86_kit3_a+186p
		add	esp, 4
		call	loc_59C9A3

loc_59C9B3:				; CODE XREF: V86_kit3_a+18Ep
		add	esp, 4
		call	loc_59C9AB

loc_59C9BB:				; CODE XREF: V86_kit3_a+196p
		add	esp, 4
		call	loc_59C9B3

loc_59C9C3:				; CODE XREF: V86_kit3_a+19Ep
		add	esp, 4
		call	loc_59C9BB

loc_59C9CB:				; CODE XREF: V86_kit3_a+1A6p
		add	esp, 4
		call	loc_59C9C3

loc_59C9D3:				; CODE XREF: V86_kit3_a+1AEp
		add	esp, 4
		call	loc_59C9CB

loc_59C9DB:				; CODE XREF: V86_kit3_a+1B6p
		add	esp, 4
		call	loc_59C9D3

loc_59C9E3:				; CODE XREF: V86_kit3_a+1BEp
		add	esp, 4
		call	loc_59C9DB

loc_59C9EB:				; CODE XREF: V86_kit3_a+1C6p
		add	esp, 4
		call	loc_59C9E3

loc_59C9F3:				; CODE XREF: V86_kit3_a+1CEp
		add	esp, 4
		call	loc_59C9EB

loc_59C9FB:				; CODE XREF: V86_kit3_a+1D6p
		add	esp, 4
		call	loc_59C9F3

loc_59CA03:				; CODE XREF: V86_kit3_a+1DEp
		add	esp, 4
		call	loc_59C9FB

loc_59CA0B:				; CODE XREF: V86_kit3_a+1E6p
		add	esp, 4
		call	loc_59CA03

loc_59CA13:				; CODE XREF: V86_kit3_a+1EEp
		add	esp, 4
		call	loc_59CA0B

loc_59CA1B:				; CODE XREF: V86_kit3_a+1F6p
		add	esp, 4
		call	loc_59CA13

loc_59CA23:				; CODE XREF: V86_kit3_a+1FEp
		add	esp, 4
		call	loc_59CA1B

loc_59CA2B:				; CODE XREF: V86_kit3_a+206p
		add	esp, 4
		call	loc_59CA23

loc_59CA33:				; CODE XREF: V86_kit3_a+20Ep
		add	esp, 4
		call	loc_59CA2B

loc_59CA3B:				; CODE XREF: V86_kit3_a+216p
		add	esp, 4
		call	loc_59CA33

loc_59CA43:				; CODE XREF: V86_kit3_a+21Ep
		add	esp, 4
		call	loc_59CA3B

loc_59CA4B:				; CODE XREF: V86_kit3_a+226p
		add	esp, 4
		call	loc_59CA43

loc_59CA53:				; CODE XREF: V86_kit3_a+22Ep
		add	esp, 4
		call	loc_59CA4B

loc_59CA5B:				; CODE XREF: V86_kit3_a+236p
		add	esp, 4
		call	loc_59CA53

loc_59CA63:				; CODE XREF: V86_kit3_a+23Ep
		add	esp, 4
		call	loc_59CA5B

loc_59CA6B:				; CODE XREF: V86_kit3_a+246p
		add	esp, 4
		call	loc_59CA63

loc_59CA73:				; CODE XREF: V86_kit3_a+14Ep
		add	esp, 4
		call	loc_59CA6B

loc_59CA7B:				; CODE XREF: V86_kit3_a+156p
		add	esp, 4

loc_59CA7E:				; CODE XREF: V86_kit3_a+148j
		test	edx, 80h
		jz	short loc_59CA8B
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59CA8B:				; CODE XREF: V86_kit3_a+254j
		lfence	eax

loc_59CA8E:				; CODE XREF: V86_kit3_a+B9j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kit3_a

loc_59CAC5:				; CODE XREF: V86_kit3_a+25j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kit3_a

loc_59CADB:				; CODE XREF: Dr_kit3_a+Dj
					; Dr_kit3_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		cmp	ds:_PoHiberInProgress, 0
		jnz	short loc_59CAFE
		lock inc ds:_KiHardwareTrigger

loc_59CAFE:				; CODE XREF: V86_kit3_a+2C5j
		mov	eax, 0
		xor	ecx, ecx
		xor	edx, edx

loc_59CB07:				; CODE XREF: V86_kids_a+2CAj
		test	byte ptr [ebp+72h], 2
		jnz	short loc_59CB3E
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59CB1B
		test	byte ptr [ebp+71h], 2
		jz	short loc_59CB23
		jmp	short loc_59CB22
; 

loc_59CB1B:				; CODE XREF: V86_kit3_a+2E1j
		cmp	word ptr [ebp+6Ch], 1Bh
		jnz	short loc_59CB3E

loc_59CB22:				; CODE XREF: V86_kit3_a+2E9j
					; V86_kit3_a+322j
		sti

loc_59CB23:				; CODE XREF: V86_kit3_a+2E7j
					; V86_kit3_a+32Fj
		mov	edi, esp
		push	edx
		mov	esi, ecx
		mov	edx, eax
		mov	ecx, 3
		mov	ebx, [ebp+68h]
		dec	ebx
		mov	eax, 80000003h
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_59CB3E:				; CODE XREF: V86_kit3_a+2DBj
					; V86_kit3_a+2F0j
		mov	ebx, large fs:124h
		mov	ebx, [ebx+80h]
		cmp	dword ptr [ebx+0F4h], 0
		jz	short loc_59CB22
		push	3
		call	_Ki386VdmReflectException_A@4 ;	Ki386VdmReflectException_A(x)
		test	ax, 0FFFFh
		jz	short loc_59CB23
		jmp	Kei386EoiHelper@0
V86_kit3_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


Dr_kit4_a	proc near		; CODE XREF: V86_kit4_a+2A5j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59CB7B
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59CE93

loc_59CB7B:				; CODE XREF: Dr_kit4_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59CE93
Dr_kit4_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


V86_kit4_a	proc near		; CODE XREF: V86_kit4_a+28Fj

var_2		= word ptr -2

		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59CE7D
; 
		align 4

_KiTrap04:				; CODE XREF: _KiTrap04Shadow+34j
					; _KiTrap04Shadow+BDj
					; DATA XREF: ...
		push	0
		mov	[esp+4+var_2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59CC8F
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59CC8F
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59CC8F
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59CC8F:				; CODE XREF: V86_kit4_a+79j
					; V86_kit4_a+82j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59CCBC
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59CCBC
		lfence	eax
		jmp	loc_59CE46
; 
		dw 0F64h
		dd 22DA05B7h, 48B90000h, 33000000h, 0E9300FD2h,	18Ah
; 

loc_59CCBC:				; CODE XREF: V86_kit4_a+AEj
					; V86_kit4_a+B4j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59CD04
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59CD04:				; CODE XREF: V86_kit4_a+10Aj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59CD2A
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59CD2A:				; CODE XREF: V86_kit4_a+12Aj
		test	edx, 2
		jz	loc_59CE36
		call	loc_59CE2B

loc_59CD3B:				; CODE XREF: V86_kit4_a+15Ep
		add	esp, 4
		call	loc_59CE33

loc_59CD43:				; CODE XREF: V86_kit4_a+166p
		add	esp, 4
		call	loc_59CD3B

loc_59CD4B:				; CODE XREF: V86_kit4_a+16Ep
		add	esp, 4
		call	loc_59CD43

loc_59CD53:				; CODE XREF: V86_kit4_a+176p
		add	esp, 4
		call	loc_59CD4B

loc_59CD5B:				; CODE XREF: V86_kit4_a+17Ep
		add	esp, 4
		call	loc_59CD53

loc_59CD63:				; CODE XREF: V86_kit4_a+186p
		add	esp, 4
		call	loc_59CD5B

loc_59CD6B:				; CODE XREF: V86_kit4_a+18Ep
		add	esp, 4
		call	loc_59CD63

loc_59CD73:				; CODE XREF: V86_kit4_a+196p
		add	esp, 4
		call	loc_59CD6B

loc_59CD7B:				; CODE XREF: V86_kit4_a+19Ep
		add	esp, 4
		call	loc_59CD73

loc_59CD83:				; CODE XREF: V86_kit4_a+1A6p
		add	esp, 4
		call	loc_59CD7B

loc_59CD8B:				; CODE XREF: V86_kit4_a+1AEp
		add	esp, 4
		call	loc_59CD83

loc_59CD93:				; CODE XREF: V86_kit4_a+1B6p
		add	esp, 4
		call	loc_59CD8B

loc_59CD9B:				; CODE XREF: V86_kit4_a+1BEp
		add	esp, 4
		call	loc_59CD93

loc_59CDA3:				; CODE XREF: V86_kit4_a+1C6p
		add	esp, 4
		call	loc_59CD9B

loc_59CDAB:				; CODE XREF: V86_kit4_a+1CEp
		add	esp, 4
		call	loc_59CDA3

loc_59CDB3:				; CODE XREF: V86_kit4_a+1D6p
		add	esp, 4
		call	loc_59CDAB

loc_59CDBB:				; CODE XREF: V86_kit4_a+1DEp
		add	esp, 4
		call	loc_59CDB3

loc_59CDC3:				; CODE XREF: V86_kit4_a+1E6p
		add	esp, 4
		call	loc_59CDBB

loc_59CDCB:				; CODE XREF: V86_kit4_a+1EEp
		add	esp, 4
		call	loc_59CDC3

loc_59CDD3:				; CODE XREF: V86_kit4_a+1F6p
		add	esp, 4
		call	loc_59CDCB

loc_59CDDB:				; CODE XREF: V86_kit4_a+1FEp
		add	esp, 4
		call	loc_59CDD3

loc_59CDE3:				; CODE XREF: V86_kit4_a+206p
		add	esp, 4
		call	loc_59CDDB

loc_59CDEB:				; CODE XREF: V86_kit4_a+20Ep
		add	esp, 4
		call	loc_59CDE3

loc_59CDF3:				; CODE XREF: V86_kit4_a+216p
		add	esp, 4
		call	loc_59CDEB

loc_59CDFB:				; CODE XREF: V86_kit4_a+21Ep
		add	esp, 4
		call	loc_59CDF3

loc_59CE03:				; CODE XREF: V86_kit4_a+226p
		add	esp, 4
		call	loc_59CDFB

loc_59CE0B:				; CODE XREF: V86_kit4_a+22Ep
		add	esp, 4
		call	loc_59CE03

loc_59CE13:				; CODE XREF: V86_kit4_a+236p
		add	esp, 4
		call	loc_59CE0B

loc_59CE1B:				; CODE XREF: V86_kit4_a+23Ep
		add	esp, 4
		call	loc_59CE13

loc_59CE23:				; CODE XREF: V86_kit4_a+246p
		add	esp, 4
		call	loc_59CE1B

loc_59CE2B:				; CODE XREF: V86_kit4_a+14Ep
		add	esp, 4
		call	loc_59CE23

loc_59CE33:				; CODE XREF: V86_kit4_a+156p
		add	esp, 4

loc_59CE36:				; CODE XREF: V86_kit4_a+148j
		test	edx, 80h
		jz	short loc_59CE43
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59CE43:				; CODE XREF: V86_kit4_a+254j
		lfence	eax

loc_59CE46:				; CODE XREF: V86_kit4_a+B9j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kit4_a

loc_59CE7D:				; CODE XREF: V86_kit4_a+25j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kit4_a

loc_59CE93:				; CODE XREF: Dr_kit4_a+Dj
					; Dr_kit4_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		test	byte ptr [ebp+72h], 2
		jnz	short loc_59CED8
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59CEBB
		cmp	word ptr [ebp+6Ch], 1Bh
		jnz	short loc_59CEE8
		jmp	short loc_59CEC4
; 

loc_59CEBB:				; CODE XREF: V86_kit4_a+2C8j
		test	dword ptr [ebp+70h], 200h
		jz	short loc_59CEC5

loc_59CEC4:				; CODE XREF: V86_kit4_a+2D1j
					; V86_kit4_a+2F9j ...
		sti

loc_59CEC5:				; CODE XREF: V86_kit4_a+2DAj
		mov	ebx, [ebp+68h]
		dec	ebx
		mov	eax, 0C0000095h
		xor	ecx, ecx
		mov	edi, esp
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_59CED8:				; CODE XREF: V86_kit4_a+2C2j
					; V86_kit4_a+316j
		push	4
		call	_Ki386VdmReflectException_A@4 ;	Ki386VdmReflectException_A(x)
		test	al, 0Fh
		jz	short loc_59CEC4
		jmp	Kei386EoiHelper@0
; 

loc_59CEE8:				; CODE XREF: V86_kit4_a+2CFj
		mov	ebx, large fs:124h
		mov	ebx, [ebx+80h]
		cmp	dword ptr [ebx+0F4h], 0
		jz	short loc_59CEC4
		jmp	short loc_59CED8
V86_kit4_a	endp


;  S U B	R O U T	I N E 


Dr_kit5_a	proc near		; CODE XREF: V86_kit5_a+2A5j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59CF13
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59D22B

loc_59CF13:				; CODE XREF: Dr_kit5_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59D22B
Dr_kit5_a	endp

; 
		align 10h

;  S U B	R O U T	I N E 


V86_kit5_a	proc near		; CODE XREF: V86_kit5_a+28Fj

var_2		= word ptr -2

		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59D215
; 
		align 4

_KiTrap05:				; CODE XREF: _KiTrap05Shadow+34j
					; _KiTrap05Shadow+BDj
					; DATA XREF: ...
		push	0
		mov	[esp+4+var_2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59D027
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59D027
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59D027
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59D027:				; CODE XREF: V86_kit5_a+79j
					; V86_kit5_a+82j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59D054
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59D054
		lfence	eax
		jmp	loc_59D1DE
; 
		dw 0F64h
		dd 22DA05B7h, 48B90000h, 33000000h, 0E9300FD2h,	18Ah
; 

loc_59D054:				; CODE XREF: V86_kit5_a+AEj
					; V86_kit5_a+B4j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59D09C
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59D09C:				; CODE XREF: V86_kit5_a+10Aj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59D0C2
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59D0C2:				; CODE XREF: V86_kit5_a+12Aj
		test	edx, 2
		jz	loc_59D1CE
		call	loc_59D1C3

loc_59D0D3:				; CODE XREF: V86_kit5_a+15Ep
		add	esp, 4
		call	loc_59D1CB

loc_59D0DB:				; CODE XREF: V86_kit5_a+166p
		add	esp, 4
		call	loc_59D0D3

loc_59D0E3:				; CODE XREF: V86_kit5_a+16Ep
		add	esp, 4
		call	loc_59D0DB

loc_59D0EB:				; CODE XREF: V86_kit5_a+176p
		add	esp, 4
		call	loc_59D0E3

loc_59D0F3:				; CODE XREF: V86_kit5_a+17Ep
		add	esp, 4
		call	loc_59D0EB

loc_59D0FB:				; CODE XREF: V86_kit5_a+186p
		add	esp, 4
		call	loc_59D0F3

loc_59D103:				; CODE XREF: V86_kit5_a+18Ep
		add	esp, 4
		call	loc_59D0FB

loc_59D10B:				; CODE XREF: V86_kit5_a+196p
		add	esp, 4
		call	loc_59D103

loc_59D113:				; CODE XREF: V86_kit5_a+19Ep
		add	esp, 4
		call	loc_59D10B

loc_59D11B:				; CODE XREF: V86_kit5_a+1A6p
		add	esp, 4
		call	loc_59D113

loc_59D123:				; CODE XREF: V86_kit5_a+1AEp
		add	esp, 4
		call	loc_59D11B

loc_59D12B:				; CODE XREF: V86_kit5_a+1B6p
		add	esp, 4
		call	loc_59D123

loc_59D133:				; CODE XREF: V86_kit5_a+1BEp
		add	esp, 4
		call	loc_59D12B

loc_59D13B:				; CODE XREF: V86_kit5_a+1C6p
		add	esp, 4
		call	loc_59D133

loc_59D143:				; CODE XREF: V86_kit5_a+1CEp
		add	esp, 4
		call	loc_59D13B

loc_59D14B:				; CODE XREF: V86_kit5_a+1D6p
		add	esp, 4
		call	loc_59D143

loc_59D153:				; CODE XREF: V86_kit5_a+1DEp
		add	esp, 4
		call	loc_59D14B

loc_59D15B:				; CODE XREF: V86_kit5_a+1E6p
		add	esp, 4
		call	loc_59D153

loc_59D163:				; CODE XREF: V86_kit5_a+1EEp
		add	esp, 4
		call	loc_59D15B

loc_59D16B:				; CODE XREF: V86_kit5_a+1F6p
		add	esp, 4
		call	loc_59D163

loc_59D173:				; CODE XREF: V86_kit5_a+1FEp
		add	esp, 4
		call	loc_59D16B

loc_59D17B:				; CODE XREF: V86_kit5_a+206p
		add	esp, 4
		call	loc_59D173

loc_59D183:				; CODE XREF: V86_kit5_a+20Ep
		add	esp, 4
		call	loc_59D17B

loc_59D18B:				; CODE XREF: V86_kit5_a+216p
		add	esp, 4
		call	loc_59D183

loc_59D193:				; CODE XREF: V86_kit5_a+21Ep
		add	esp, 4
		call	loc_59D18B

loc_59D19B:				; CODE XREF: V86_kit5_a+226p
		add	esp, 4
		call	loc_59D193

loc_59D1A3:				; CODE XREF: V86_kit5_a+22Ep
		add	esp, 4
		call	loc_59D19B

loc_59D1AB:				; CODE XREF: V86_kit5_a+236p
		add	esp, 4
		call	loc_59D1A3

loc_59D1B3:				; CODE XREF: V86_kit5_a+23Ep
		add	esp, 4
		call	loc_59D1AB

loc_59D1BB:				; CODE XREF: V86_kit5_a+246p
		add	esp, 4
		call	loc_59D1B3

loc_59D1C3:				; CODE XREF: V86_kit5_a+14Ep
		add	esp, 4
		call	loc_59D1BB

loc_59D1CB:				; CODE XREF: V86_kit5_a+156p
		add	esp, 4

loc_59D1CE:				; CODE XREF: V86_kit5_a+148j
		test	edx, 80h
		jz	short loc_59D1DB
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59D1DB:				; CODE XREF: V86_kit5_a+254j
		lfence	eax

loc_59D1DE:				; CODE XREF: V86_kit5_a+B9j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kit5_a

loc_59D215:				; CODE XREF: V86_kit5_a+25j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kit5_a

loc_59D22B:				; CODE XREF: Dr_kit5_a+Dj
					; Dr_kit5_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		test	byte ptr [ebp+72h], 2
		jnz	short loc_59D2A6
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59D254
		mov	eax, 5
		call	_KiSystemFatalException

loc_59D254:				; CODE XREF: V86_kit5_a+2C8j
		cmp	word ptr [ebp+6Ch], 1Bh
		jnz	short loc_59D290

loc_59D25B:				; CODE XREF: V86_kit5_a+324j
					; V86_kit5_a+32Fj
		sti
		call	_KiHandleBound@0 ; KiHandleBound()
		cmp	eax, 0
		jz	short loc_59D27E
		cmp	eax, 1
		jz	Kei386EoiHelper@0
		cmp	eax, 2
		jz	short loc_59D2B6
		mov	eax, 5
		call	_KiSystemFatalException

loc_59D27E:				; CODE XREF: V86_kit5_a+2E4j
		mov	ebx, [ebp+68h]
		mov	edi, esp
		xor	ecx, ecx
		mov	eax, 0C000008Ch
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_59D290:				; CODE XREF: V86_kit5_a+2D9j
		mov	ebx, large fs:124h
		mov	ebx, [ebx+80h]
		cmp	dword ptr [ebx+0F4h], 0
		jz	short loc_59D25B

loc_59D2A6:				; CODE XREF: V86_kit5_a+2C2j
		push	5
		call	_Ki386VdmReflectException_A@4 ;	Ki386VdmReflectException_A(x)
		test	al, 0Fh
		jz	short loc_59D25B
		jmp	Kei386EoiHelper@0
; 

loc_59D2B6:				; CODE XREF: V86_kit5_a+2F2j
		sub	esp, 50h
		mov	ecx, esp
		mov	ebx, [ebp+68h]
		mov	dword ptr [ecx], 0C0000409h
		mov	[ecx+0Ch], ebx
		xor	eax, eax
		mov	dword ptr [ecx+4], 1
		mov	[ecx+8], eax
		mov	dword ptr [ecx+10h], 1
		mov	edx, 1Ch
		mov	[ecx+14h], edx
		push	0
		push	1
		push	ebp
		push	0
		push	ecx
		call	KiDispatchException
		add	esp, 50h
		jmp	Kei386EoiHelper@0
V86_kit5_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


Dr_kit6_a	proc near		; CODE XREF: V86_kit6_a+288j
					; V86_kit6_a+785j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59D30B
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59DB0F

loc_59D30B:				; CODE XREF: Dr_kit6_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		test	dword ptr [ebp+70h], 20000h
		jz	short loc_59D37F
		jmp	loc_59D612
; 

loc_59D37F:				; CODE XREF: Dr_kit6_a+80j
		jmp	loc_59DB0F
Dr_kit6_a	endp


;  S U B	R O U T	I N E 


V86_kit6_a	proc near		; CODE XREF: V86_kit6_a+76Fj

var_59		= byte ptr -59h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= word ptr -2
arg_6		= byte ptr  0Ah

		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59DAF9
; 
		align 10h

_KiTrap06:				; CODE XREF: KiFastCallEntryCommon-27j
					; _KiTrap06Shadow+34j ...
		test	[esp+arg_6], 2
		jz	loc_59D890
		push	0
		sub	esp, 64h
		mov	[esp+68h+var_2], 0
		mov	[esp+68h+var_C], ebx
		mov	[esp+68h+var_28], eax
		mov	[esp+68h+var_8], ebp
		mov	[esp+68h+var_10], esi
		mov	[esp+68h+var_14], edi
		mov	[esp+68h+var_2C], ecx
		mov	[esp+68h+var_30], edx
		mov	[esp+68h+var_59], 1
		mov	ebp, esp
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	ebx, 30h
		mov	eax, 23h
		mov	fs, bx
		mov	ds, ax
		mov	es, ax
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59D443
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59D443
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59D443
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59D443:				; CODE XREF: V86_kit6_a+91j
					; V86_kit6_a+9Aj ...
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59D48B
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59D48B:				; CODE XREF: V86_kit6_a+F5j
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59D4B1
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59D4B1:				; CODE XREF: V86_kit6_a+115j
		test	edx, 2
		jz	loc_59D5BD
		call	loc_59D5B2

loc_59D4C2:				; CODE XREF: V86_kit6_a+149p
		add	esp, 4
		call	loc_59D5BA

loc_59D4CA:				; CODE XREF: V86_kit6_a+151p
		add	esp, 4
		call	loc_59D4C2

loc_59D4D2:				; CODE XREF: V86_kit6_a+159p
		add	esp, 4
		call	loc_59D4CA

loc_59D4DA:				; CODE XREF: V86_kit6_a+161p
		add	esp, 4
		call	loc_59D4D2

loc_59D4E2:				; CODE XREF: V86_kit6_a+169p
		add	esp, 4
		call	loc_59D4DA

loc_59D4EA:				; CODE XREF: V86_kit6_a+171p
		add	esp, 4
		call	loc_59D4E2

loc_59D4F2:				; CODE XREF: V86_kit6_a+179p
		add	esp, 4
		call	loc_59D4EA

loc_59D4FA:				; CODE XREF: V86_kit6_a+181p
		add	esp, 4
		call	loc_59D4F2

loc_59D502:				; CODE XREF: V86_kit6_a+189p
		add	esp, 4
		call	loc_59D4FA

loc_59D50A:				; CODE XREF: V86_kit6_a+191p
		add	esp, 4
		call	loc_59D502

loc_59D512:				; CODE XREF: V86_kit6_a+199p
		add	esp, 4
		call	loc_59D50A

loc_59D51A:				; CODE XREF: V86_kit6_a+1A1p
		add	esp, 4
		call	loc_59D512

loc_59D522:				; CODE XREF: V86_kit6_a+1A9p
		add	esp, 4
		call	loc_59D51A

loc_59D52A:				; CODE XREF: V86_kit6_a+1B1p
		add	esp, 4
		call	loc_59D522

loc_59D532:				; CODE XREF: V86_kit6_a+1B9p
		add	esp, 4
		call	loc_59D52A

loc_59D53A:				; CODE XREF: V86_kit6_a+1C1p
		add	esp, 4
		call	loc_59D532

loc_59D542:				; CODE XREF: V86_kit6_a+1C9p
		add	esp, 4
		call	loc_59D53A

loc_59D54A:				; CODE XREF: V86_kit6_a+1D1p
		add	esp, 4
		call	loc_59D542

loc_59D552:				; CODE XREF: V86_kit6_a+1D9p
		add	esp, 4
		call	loc_59D54A

loc_59D55A:				; CODE XREF: V86_kit6_a+1E1p
		add	esp, 4
		call	loc_59D552

loc_59D562:				; CODE XREF: V86_kit6_a+1E9p
		add	esp, 4
		call	loc_59D55A

loc_59D56A:				; CODE XREF: V86_kit6_a+1F1p
		add	esp, 4
		call	loc_59D562

loc_59D572:				; CODE XREF: V86_kit6_a+1F9p
		add	esp, 4
		call	loc_59D56A

loc_59D57A:				; CODE XREF: V86_kit6_a+201p
		add	esp, 4
		call	loc_59D572

loc_59D582:				; CODE XREF: V86_kit6_a+209p
		add	esp, 4
		call	loc_59D57A

loc_59D58A:				; CODE XREF: V86_kit6_a+211p
		add	esp, 4
		call	loc_59D582

loc_59D592:				; CODE XREF: V86_kit6_a+219p
		add	esp, 4
		call	loc_59D58A

loc_59D59A:				; CODE XREF: V86_kit6_a+221p
		add	esp, 4
		call	loc_59D592

loc_59D5A2:				; CODE XREF: V86_kit6_a+229p
		add	esp, 4
		call	loc_59D59A

loc_59D5AA:				; CODE XREF: V86_kit6_a+231p
		add	esp, 4
		call	loc_59D5A2

loc_59D5B2:				; CODE XREF: V86_kit6_a+139p
		add	esp, 4
		call	loc_59D5AA

loc_59D5BA:				; CODE XREF: V86_kit6_a+141p
		add	esp, 4

loc_59D5BD:				; CODE XREF: V86_kit6_a+133j
		test	edx, 80h
		jz	short loc_59D5CA
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59D5CA:				; CODE XREF: V86_kit6_a+23Fj
		lfence	eax
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		mov	eax, large fs:0
		mov	[ebp+4Ch], eax
		mov	eax, dr7
		cld
		test	eax, 0FFFF23FFh
		mov	[ebp+28h], eax
		jnz	Dr_kit6_a

loc_59D612:				; CODE XREF: Dr_kit6_a+82j
					; Dr_kite_a-Ej
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		cmp	dword ptr [ecx+0F4h], 0
		jz	loc_59DB58
		mov	ecx, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	eax
		sti
		push	ebp
		call	_VdmDispatchBop@4 ; VdmDispatchBop(x)
		test	al, 0Fh
		jnz	short loc_59D65A
		push	6
		call	_Ki386VdmReflectException@4 ; Ki386VdmReflectException(x)
		test	al, 0Fh
		jnz	short loc_59D65A
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_59DB58
; 

loc_59D65A:				; CODE XREF: V86_kit6_a+2BDj
					; V86_kit6_a+2C8j
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cli
		test	byte ptr [ebp+72h], 2
		jz	loc_59D88B

loc_59D66C:				; CODE XREF: V86_kit6_a+501j
		mov	ebx, large fs:124h
		mov	byte ptr [ebx+56h], 0
		test	byte ptr [ebx+86h], 3
		jnz	loc_59D85F
		mov	edi, esp
		movaps	xmm0, oword ptr	[edi]
		movaps	xmm1, oword ptr	[edi+10h]
		movaps	xmm2, oword ptr	[edi+20h]
		movaps	xmm3, oword ptr	[edi+30h]
		movaps	xmm4, oword ptr	[edi+40h]
		movaps	xmm5, oword ptr	[edi+50h]
		movaps	xmm6, oword ptr	[edi+60h]
		movaps	xmm7, oword ptr	[edi+70h]
		ldmxcsr	dword ptr [ebp+48h]
		movzx	eax, large word	ptr fs:22E0h
		cmp	large fs:22DAh,	ax
		jz	short loc_59D6CB
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59D6CB:				; CODE XREF: V86_kit6_a+335j
		btr	large word ptr fs:22D8h, 2
		jnb	short loc_59D6E5
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr

loc_59D6E5:				; CODE XREF: V86_kit6_a+351j
		btr	large word ptr fs:22D8h, 4
		jnb	loc_59D7F5
		call	loc_59D7EA

loc_59D6FA:				; CODE XREF: V86_kit6_a+381p
		add	esp, 4
		call	loc_59D7F2

loc_59D702:				; CODE XREF: V86_kit6_a+389p
		add	esp, 4
		call	loc_59D6FA

loc_59D70A:				; CODE XREF: V86_kit6_a+391p
		add	esp, 4
		call	loc_59D702

loc_59D712:				; CODE XREF: V86_kit6_a+399p
		add	esp, 4
		call	loc_59D70A

loc_59D71A:				; CODE XREF: V86_kit6_a+3A1p
		add	esp, 4
		call	loc_59D712

loc_59D722:				; CODE XREF: V86_kit6_a+3A9p
		add	esp, 4
		call	loc_59D71A

loc_59D72A:				; CODE XREF: V86_kit6_a+3B1p
		add	esp, 4
		call	loc_59D722

loc_59D732:				; CODE XREF: V86_kit6_a+3B9p
		add	esp, 4
		call	loc_59D72A

loc_59D73A:				; CODE XREF: V86_kit6_a+3C1p
		add	esp, 4
		call	loc_59D732

loc_59D742:				; CODE XREF: V86_kit6_a+3C9p
		add	esp, 4
		call	loc_59D73A

loc_59D74A:				; CODE XREF: V86_kit6_a+3D1p
		add	esp, 4
		call	loc_59D742

loc_59D752:				; CODE XREF: V86_kit6_a+3D9p
		add	esp, 4
		call	loc_59D74A

loc_59D75A:				; CODE XREF: V86_kit6_a+3E1p
		add	esp, 4
		call	loc_59D752

loc_59D762:				; CODE XREF: V86_kit6_a+3E9p
		add	esp, 4
		call	loc_59D75A

loc_59D76A:				; CODE XREF: V86_kit6_a+3F1p
		add	esp, 4
		call	loc_59D762

loc_59D772:				; CODE XREF: V86_kit6_a+3F9p
		add	esp, 4
		call	loc_59D76A

loc_59D77A:				; CODE XREF: V86_kit6_a+401p
		add	esp, 4
		call	loc_59D772

loc_59D782:				; CODE XREF: V86_kit6_a+409p
		add	esp, 4
		call	loc_59D77A

loc_59D78A:				; CODE XREF: V86_kit6_a+411p
		add	esp, 4
		call	loc_59D782

loc_59D792:				; CODE XREF: V86_kit6_a+419p
		add	esp, 4
		call	loc_59D78A

loc_59D79A:				; CODE XREF: V86_kit6_a+421p
		add	esp, 4
		call	loc_59D792

loc_59D7A2:				; CODE XREF: V86_kit6_a+429p
		add	esp, 4
		call	loc_59D79A

loc_59D7AA:				; CODE XREF: V86_kit6_a+431p
		add	esp, 4
		call	loc_59D7A2

loc_59D7B2:				; CODE XREF: V86_kit6_a+439p
		add	esp, 4
		call	loc_59D7AA

loc_59D7BA:				; CODE XREF: V86_kit6_a+441p
		add	esp, 4
		call	loc_59D7B2

loc_59D7C2:				; CODE XREF: V86_kit6_a+449p
		add	esp, 4
		call	loc_59D7BA

loc_59D7CA:				; CODE XREF: V86_kit6_a+451p
		add	esp, 4
		call	loc_59D7C2

loc_59D7D2:				; CODE XREF: V86_kit6_a+459p
		add	esp, 4
		call	loc_59D7CA

loc_59D7DA:				; CODE XREF: V86_kit6_a+461p
		add	esp, 4
		call	loc_59D7D2

loc_59D7E2:				; CODE XREF: V86_kit6_a+469p
		add	esp, 4
		call	loc_59D7DA

loc_59D7EA:				; CODE XREF: V86_kit6_a+371p
		add	esp, 4
		call	loc_59D7E2

loc_59D7F2:				; CODE XREF: V86_kit6_a+379p
		add	esp, 4

loc_59D7F5:				; CODE XREF: V86_kit6_a+36Bj
		test	large word ptr fs:22D8h, 20h
		jz	short loc_59D80C
		xor	eax, eax
		xor	edx, edx
		mov	ecx, 1
		div	ecx

loc_59D80C:				; CODE XREF: V86_kit6_a+47Bj
		lea	esp, [ebp+38h]
		pop	edx
		pop	ecx
		pop	eax
		test	dword ptr [ebp+28h], 0FFFF23FFh
		jnz	short loc_59D834

loc_59D81B:				; CODE XREF: V86_kit6_a+4D9j
		lea	esp, [ebp+54h]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		add	esp, 4
		test	ss:_KiKvaShadow, 1
		jnz	_KiKernelExit
		iret
; 

loc_59D834:				; CODE XREF: V86_kit6_a+495j
		xor	ebx, ebx
		mov	esi, [ebp+14h]
		mov	edi, [ebp+18h]
		mov	dr7, ebx
		mov	ebx, [ebp+1Ch]
		mov	dr0, esi
		mov	dr1, edi
		mov	dr2, ebx
		mov	esi, [ebp+20h]
		mov	edi, [ebp+24h]
		mov	ebx, [ebp+28h]
		mov	dr3, esi
		mov	dr6, edi
		mov	dr7, ebx
		jmp	short loc_59D81B
; 

loc_59D85F:				; CODE XREF: V86_kit6_a+2FAj
		mov	ecx, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	eax
		sti
		push	ebp
		push	0
		push	1
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cli
		test	dword ptr [ebp+70h], 20000h
		jnz	loc_59D66C

loc_59D88B:				; CODE XREF: V86_kit6_a+2E2j
		jmp	Kei386EoiHelper@0
; 

loc_59D890:				; CODE XREF: V86_kit6_a+31j
		push	0
		mov	[esp+4+var_2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59D90B
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59D90B
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59D90B
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59D90B:				; CODE XREF: V86_kit6_a+559j
					; V86_kit6_a+562j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59D938
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59D938
		lfence	eax
		jmp	loc_59DAC2
; 
		dw 0F64h
		dd 22DA05B7h, 48B90000h, 33000000h, 0E9300FD2h,	18Ah
; 

loc_59D938:				; CODE XREF: V86_kit6_a+58Ej
					; V86_kit6_a+594j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59D980
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59D980:				; CODE XREF: V86_kit6_a+5EAj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59D9A6
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59D9A6:				; CODE XREF: V86_kit6_a+60Aj
		test	edx, 2
		jz	loc_59DAB2
		call	loc_59DAA7

loc_59D9B7:				; CODE XREF: V86_kit6_a+63Ep
		add	esp, 4
		call	loc_59DAAF

loc_59D9BF:				; CODE XREF: V86_kit6_a+646p
		add	esp, 4
		call	loc_59D9B7

loc_59D9C7:				; CODE XREF: V86_kit6_a+64Ep
		add	esp, 4
		call	loc_59D9BF

loc_59D9CF:				; CODE XREF: V86_kit6_a+656p
		add	esp, 4
		call	loc_59D9C7

loc_59D9D7:				; CODE XREF: V86_kit6_a+65Ep
		add	esp, 4
		call	loc_59D9CF

loc_59D9DF:				; CODE XREF: V86_kit6_a+666p
		add	esp, 4
		call	loc_59D9D7

loc_59D9E7:				; CODE XREF: V86_kit6_a+66Ep
		add	esp, 4
		call	loc_59D9DF

loc_59D9EF:				; CODE XREF: V86_kit6_a+676p
		add	esp, 4
		call	loc_59D9E7

loc_59D9F7:				; CODE XREF: V86_kit6_a+67Ep
		add	esp, 4
		call	loc_59D9EF

loc_59D9FF:				; CODE XREF: V86_kit6_a+686p
		add	esp, 4
		call	loc_59D9F7

loc_59DA07:				; CODE XREF: V86_kit6_a+68Ep
		add	esp, 4
		call	loc_59D9FF

loc_59DA0F:				; CODE XREF: V86_kit6_a+696p
		add	esp, 4
		call	loc_59DA07

loc_59DA17:				; CODE XREF: V86_kit6_a+69Ep
		add	esp, 4
		call	loc_59DA0F

loc_59DA1F:				; CODE XREF: V86_kit6_a+6A6p
		add	esp, 4
		call	loc_59DA17

loc_59DA27:				; CODE XREF: V86_kit6_a+6AEp
		add	esp, 4
		call	loc_59DA1F

loc_59DA2F:				; CODE XREF: V86_kit6_a+6B6p
		add	esp, 4
		call	loc_59DA27

loc_59DA37:				; CODE XREF: V86_kit6_a+6BEp
		add	esp, 4
		call	loc_59DA2F

loc_59DA3F:				; CODE XREF: V86_kit6_a+6C6p
		add	esp, 4
		call	loc_59DA37

loc_59DA47:				; CODE XREF: V86_kit6_a+6CEp
		add	esp, 4
		call	loc_59DA3F

loc_59DA4F:				; CODE XREF: V86_kit6_a+6D6p
		add	esp, 4
		call	loc_59DA47

loc_59DA57:				; CODE XREF: V86_kit6_a+6DEp
		add	esp, 4
		call	loc_59DA4F

loc_59DA5F:				; CODE XREF: V86_kit6_a+6E6p
		add	esp, 4
		call	loc_59DA57

loc_59DA67:				; CODE XREF: V86_kit6_a+6EEp
		add	esp, 4
		call	loc_59DA5F

loc_59DA6F:				; CODE XREF: V86_kit6_a+6F6p
		add	esp, 4
		call	loc_59DA67

loc_59DA77:				; CODE XREF: V86_kit6_a+6FEp
		add	esp, 4
		call	loc_59DA6F

loc_59DA7F:				; CODE XREF: V86_kit6_a+706p
		add	esp, 4
		call	loc_59DA77

loc_59DA87:				; CODE XREF: V86_kit6_a+70Ep
		add	esp, 4
		call	loc_59DA7F

loc_59DA8F:				; CODE XREF: V86_kit6_a+716p
		add	esp, 4
		call	loc_59DA87

loc_59DA97:				; CODE XREF: V86_kit6_a+71Ep
		add	esp, 4
		call	loc_59DA8F

loc_59DA9F:				; CODE XREF: V86_kit6_a+726p
		add	esp, 4
		call	loc_59DA97

loc_59DAA7:				; CODE XREF: V86_kit6_a+62Ep
		add	esp, 4
		call	loc_59DA9F

loc_59DAAF:				; CODE XREF: V86_kit6_a+636p
		add	esp, 4

loc_59DAB2:				; CODE XREF: V86_kit6_a+628j
		test	edx, 80h
		jz	short loc_59DABF
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59DABF:				; CODE XREF: V86_kit6_a+734j
		lfence	eax

loc_59DAC2:				; CODE XREF: V86_kit6_a+599j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kit6_a

loc_59DAF9:				; CODE XREF: V86_kit6_a+25j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kit6_a

loc_59DB0F:				; CODE XREF: Dr_kit6_a+Dj
					; Dr_kit6_a:loc_59D37Fj
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi

loc_59DB22:				; CODE XREF: Dr_kite_a-8j
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59DB4F
		cmp	word ptr [ebp+6Ch], 1Bh
		jz	short loc_59DB45
		mov	ebx, large fs:124h
		mov	ebx, [ebx+80h]
		cmp	dword ptr [ebx+0F4h], 0
		jnz	short loc_59DB6B

loc_59DB45:				; CODE XREF: V86_kit6_a+7A9j
		sti
		mov	dl, 0F0h
		call	KiScanForPrefix
		jmp	short loc_59DB59
; 

loc_59DB4F:				; CODE XREF: V86_kit6_a+7A2j
		test	dword ptr [ebp+70h], 200h
		jz	short loc_59DB59

loc_59DB58:				; CODE XREF: V86_kit6_a+2A2j
					; V86_kit6_a+2D1j ...
		sti

loc_59DB59:				; CODE XREF: V86_kit6_a+7C9j
					; V86_kit6_a+7D2j
		mov	eax, 0C000001Dh
		mov	ebx, [ebp+68h]
		mov	edi, esp
		xor	ecx, ecx
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_59DB6B:				; CODE XREF: V86_kit6_a+7BFj
		mov	ecx, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	eax
		sti
		push	ebp
		call	_VdmDispatchBop@4 ; VdmDispatchBop(x)
		test	al, 0Fh
		jnz	short loc_59DB96
		push	6
		call	_Ki386VdmReflectException@4 ; Ki386VdmReflectException(x)
		test	al, 0Fh
		jnz	short loc_59DB96
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_59DB58
; 

loc_59DB96:				; CODE XREF: V86_kit6_a+7FCj
					; V86_kit6_a+807j
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	Kei386EoiHelper@0
V86_kit6_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


Dr_kit7_a	proc near		; CODE XREF: V86_kit7_a+2B8j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59DBB7
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59DEE2

loc_59DBB7:				; CODE XREF: Dr_kit7_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59DEE2
Dr_kit7_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


V86_kit7_a	proc near		; CODE XREF: V86_kit7_a+2A2j

var_84		= dword	ptr -84h
var_4		= dword	ptr -4

		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59DECC
; 
		align 10h

_KiTrap07:				; CODE XREF: _KiTrap07Shadow+34j
					; _KiTrap07Shadow+BDj
					; DATA XREF: ...
		sub	esp, 4
		push	eax
		mov	eax, cr0
		mov	[esp+8+var_4], eax
		and	eax, 0FFFFFFF3h
		or	eax, 22h
		mov	cr0, eax
		pop	eax
		mov	word ptr [esp+4+var_4+2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59DCDE
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59DCDE
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59DCDE
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59DCDE:				; CODE XREF: V86_kit7_a+8Cj
					; V86_kit7_a+95j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59DD0B
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59DD0B
		lfence	eax
		jmp	loc_59DE95
; 
		db 64h,	0Fh, 0B7h
		dd 22DA05h, 48B900h, 0D2330000h, 8AE9300Fh
		db 1, 2	dup(0)
; 

loc_59DD0B:				; CODE XREF: V86_kit7_a+C1j
					; V86_kit7_a+C7j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59DD53
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59DD53:				; CODE XREF: V86_kit7_a+11Dj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59DD79
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59DD79:				; CODE XREF: V86_kit7_a+13Dj
		test	edx, 2
		jz	loc_59DE85
		call	loc_59DE7A

loc_59DD8A:				; CODE XREF: V86_kit7_a+171p
		add	esp, 4
		call	loc_59DE82

loc_59DD92:				; CODE XREF: V86_kit7_a+179p
		add	esp, 4
		call	loc_59DD8A

loc_59DD9A:				; CODE XREF: V86_kit7_a+181p
		add	esp, 4
		call	loc_59DD92

loc_59DDA2:				; CODE XREF: V86_kit7_a+189p
		add	esp, 4
		call	loc_59DD9A

loc_59DDAA:				; CODE XREF: V86_kit7_a+191p
		add	esp, 4
		call	loc_59DDA2

loc_59DDB2:				; CODE XREF: V86_kit7_a+199p
		add	esp, 4
		call	loc_59DDAA

loc_59DDBA:				; CODE XREF: V86_kit7_a+1A1p
		add	esp, 4
		call	loc_59DDB2

loc_59DDC2:				; CODE XREF: V86_kit7_a+1A9p
		add	esp, 4
		call	loc_59DDBA

loc_59DDCA:				; CODE XREF: V86_kit7_a+1B1p
		add	esp, 4
		call	loc_59DDC2

loc_59DDD2:				; CODE XREF: V86_kit7_a+1B9p
		add	esp, 4
		call	loc_59DDCA

loc_59DDDA:				; CODE XREF: V86_kit7_a+1C1p
		add	esp, 4
		call	loc_59DDD2

loc_59DDE2:				; CODE XREF: V86_kit7_a+1C9p
		add	esp, 4
		call	loc_59DDDA

loc_59DDEA:				; CODE XREF: V86_kit7_a+1D1p
		add	esp, 4
		call	loc_59DDE2

loc_59DDF2:				; CODE XREF: V86_kit7_a+1D9p
		add	esp, 4
		call	loc_59DDEA

loc_59DDFA:				; CODE XREF: V86_kit7_a+1E1p
		add	esp, 4
		call	loc_59DDF2

loc_59DE02:				; CODE XREF: V86_kit7_a+1E9p
		add	esp, 4
		call	loc_59DDFA

loc_59DE0A:				; CODE XREF: V86_kit7_a+1F1p
		add	esp, 4
		call	loc_59DE02

loc_59DE12:				; CODE XREF: V86_kit7_a+1F9p
		add	esp, 4
		call	loc_59DE0A

loc_59DE1A:				; CODE XREF: V86_kit7_a+201p
		add	esp, 4
		call	loc_59DE12

loc_59DE22:				; CODE XREF: V86_kit7_a+209p
		add	esp, 4
		call	loc_59DE1A

loc_59DE2A:				; CODE XREF: V86_kit7_a+211p
		add	esp, 4
		call	loc_59DE22

loc_59DE32:				; CODE XREF: V86_kit7_a+219p
		add	esp, 4
		call	loc_59DE2A

loc_59DE3A:				; CODE XREF: V86_kit7_a+221p
		add	esp, 4
		call	loc_59DE32

loc_59DE42:				; CODE XREF: V86_kit7_a+229p
		add	esp, 4
		call	loc_59DE3A

loc_59DE4A:				; CODE XREF: V86_kit7_a+231p
		add	esp, 4
		call	loc_59DE42

loc_59DE52:				; CODE XREF: V86_kit7_a+239p
		add	esp, 4
		call	loc_59DE4A

loc_59DE5A:				; CODE XREF: V86_kit7_a+241p
		add	esp, 4
		call	loc_59DE52

loc_59DE62:				; CODE XREF: V86_kit7_a+249p
		add	esp, 4
		call	loc_59DE5A

loc_59DE6A:				; CODE XREF: V86_kit7_a+251p
		add	esp, 4
		call	loc_59DE62

loc_59DE72:				; CODE XREF: V86_kit7_a+259p
		add	esp, 4
		call	loc_59DE6A

loc_59DE7A:				; CODE XREF: V86_kit7_a+161p
		add	esp, 4
		call	loc_59DE72

loc_59DE82:				; CODE XREF: V86_kit7_a+169p
		add	esp, 4

loc_59DE85:				; CODE XREF: V86_kit7_a+15Bj
		test	edx, 80h
		jz	short loc_59DE92
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59DE92:				; CODE XREF: V86_kit7_a+267j
		lfence	eax

loc_59DE95:				; CODE XREF: V86_kit7_a+CCj
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kit7_a

loc_59DECC:				; CODE XREF: V86_kit7_a+25j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kit7_a

loc_59DEE2:				; CODE XREF: Dr_kit7_a+Dj
					; Dr_kit7_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		test	dword ptr [ebp+64h], 4
		jnz	short loc_59DF0C
		test	dword ptr [ebp+64h], 8
		jz	short loc_59DF0C
		jmp	Kei386EoiHelper@0
; 

loc_59DF0C:				; CODE XREF: V86_kit7_a+2D8j
					; V86_kit7_a+2E1j
		mov	ecx, [ebp+68h]
		mov	eax, [ebp+64h]
		mov	edx, cr4
		push	ecx
		push	0
		push	edx
		push	eax
		push	7
		push	7Fh
		call	_KiBugCheck2@24	; KiBugCheck2(x,x,x,x,x,x)

_KiTrap08:				; DATA XREF: .data:006B004Co
					; .data:006B0864o
		cli
		clts
		mov	eax, large fs:40h
		mov	ecx, large fs:124h
		mov	edi, [ecx+80h]
		mov	ecx, [edi+18h]
		test	ss:_KiKvaShadow, 1
		jz	short loc_59DF94
		test	dword ptr [eax+24h], 20000h
		jnz	short loc_59DF86
		test	byte ptr [eax+4Ch], 1
		jnz	short loc_59DF86
		mov	ebx, large fs:3Ch
		lea	ebx, [ebx+6000h]
		cmp	[eax+38h], ebx
		ja	short loc_59DF94
		sub	ebx, 1000h
		cmp	[eax+38h], ebx
		jbe	short loc_59DF94
		mov	ebx, offset _KiKernelSysretExit
		cmp	[eax+20h], ebx
		jb	short loc_59DF94
		mov	ebx, offset _KiShadowExitEnd
		cmp	[eax+20h], ebx
		jnb	short loc_59DF94

loc_59DF86:				; CODE XREF: V86_kit7_a+329j
					; V86_kit7_a+32Fj
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_59DF94
		add	ecx, 20h

loc_59DF94:				; CODE XREF: V86_kit7_a+320j
					; V86_kit7_a+341j ...
		mov	[eax+1Ch], ecx
		mov	cx, [edi+76h]
		mov	[eax+66h], cx
		mov	ecx, [edi+1Ch]
		test	ecx, ecx
		jz	short loc_59DFAA
		mov	cx, 48h

loc_59DFAA:				; CODE XREF: V86_kit7_a+380j
		mov	[eax+60h], cx
		mov	edi, large fs:3Ch
		mov	ch, [edi+57h]
		mov	cl, [edi+54h]
		shl	ecx, 10h
		mov	cx, [edi+52h]
		mov	large fs:40h, ecx
		pushf
		and	[esp+84h+var_84], 0FFFFBFFFh
		popf
		lea	ecx, [edi+50h]
		mov	byte ptr [ecx+5], 89h

loc_59DFD9:				; CODE XREF: V86_kit7_a+3C5j
		push	0
		push	0
		push	0
		push	eax
		push	8
		push	7Fh
		call	_KiBugCheck2@24	; KiBugCheck2(x,x,x,x,x,x)
		jmp	short loc_59DFD9
V86_kit7_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


Dr_kit9_a	proc near		; CODE XREF: sub_59E2B7+5Aj
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59DFFF
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59E317

loc_59DFFF:				; CODE XREF: Dr_kit9_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59E317
Dr_kit9_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


V86_kit9_a	proc near		; CODE XREF: sub_59E2B7+44j
		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59E301
V86_kit9_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


_KiTrap09	proc near		; CODE XREF: _KiTrap09Shadow+34j
					; _KiTrap09Shadow+BDj
					; DATA XREF: ...

var_2		= word ptr -2

		push	0
		mov	[esp+4+var_2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59E113
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59E113
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59E113
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59E113:				; CODE XREF: _KiTrap09+4Dj
					; _KiTrap09+56j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59E140
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59E140
		lfence	eax
		jmp	loc_59E2CA
; 
		dw 0F64h
		dd 22DA05B7h, 48B90000h, 33000000h, 0E9300FD2h,	18Ah
; 

loc_59E140:				; CODE XREF: _KiTrap09+82j
					; _KiTrap09+88j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59E188
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59E188:				; CODE XREF: _KiTrap09+DEj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59E1AE
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59E1AE:				; CODE XREF: _KiTrap09+FEj
		test	edx, 2
		jz	loc_59E2BA
		call	sub_59E2AF

loc_59E1BF:				; CODE XREF: _KiTrap09+132p
		add	esp, 4
		call	sub_59E2B7

loc_59E1C7:				; CODE XREF: _KiTrap09+13Ap
		add	esp, 4
		call	loc_59E1BF

loc_59E1CF:				; CODE XREF: _KiTrap09+142p
		add	esp, 4
		call	loc_59E1C7

loc_59E1D7:				; CODE XREF: _KiTrap09+14Ap
		add	esp, 4
		call	loc_59E1CF

loc_59E1DF:				; CODE XREF: _KiTrap09+152p
		add	esp, 4
		call	loc_59E1D7

loc_59E1E7:				; CODE XREF: _KiTrap09+15Ap
		add	esp, 4
		call	loc_59E1DF

loc_59E1EF:				; CODE XREF: _KiTrap09+162p
		add	esp, 4
		call	loc_59E1E7

loc_59E1F7:				; CODE XREF: _KiTrap09+16Ap
		add	esp, 4
		call	loc_59E1EF

loc_59E1FF:				; CODE XREF: _KiTrap09+172p
		add	esp, 4
		call	loc_59E1F7

loc_59E207:				; CODE XREF: _KiTrap09+17Ap
		add	esp, 4
		call	loc_59E1FF

loc_59E20F:				; CODE XREF: _KiTrap09+182p
		add	esp, 4
		call	loc_59E207

loc_59E217:				; CODE XREF: _KiTrap09+18Ap
		add	esp, 4
		call	loc_59E20F

loc_59E21F:				; CODE XREF: _KiTrap09+192p
		add	esp, 4
		call	loc_59E217

loc_59E227:				; CODE XREF: _KiTrap09+19Ap
		add	esp, 4
		call	loc_59E21F

loc_59E22F:				; CODE XREF: _KiTrap09+1A2p
		add	esp, 4
		call	loc_59E227

loc_59E237:				; CODE XREF: _KiTrap09+1AAp
		add	esp, 4
		call	loc_59E22F

loc_59E23F:				; CODE XREF: _KiTrap09+1B2p
		add	esp, 4
		call	loc_59E237

loc_59E247:				; CODE XREF: _KiTrap09+1BAp
		add	esp, 4
		call	loc_59E23F

loc_59E24F:				; CODE XREF: _KiTrap09+1C2p
		add	esp, 4
		call	loc_59E247

loc_59E257:				; CODE XREF: _KiTrap09+1CAp
		add	esp, 4
		call	loc_59E24F

loc_59E25F:				; CODE XREF: _KiTrap09+1D2p
		add	esp, 4
		call	loc_59E257

loc_59E267:				; CODE XREF: _KiTrap09+1DAp
		add	esp, 4
		call	loc_59E25F

loc_59E26F:				; CODE XREF: _KiTrap09+1E2p
		add	esp, 4
		call	loc_59E267

loc_59E277:				; CODE XREF: _KiTrap09+1EAp
		add	esp, 4
		call	loc_59E26F

loc_59E27F:				; CODE XREF: _KiTrap09+1F2p
		add	esp, 4
		call	loc_59E277

loc_59E287:				; CODE XREF: _KiTrap09+1FAp
		add	esp, 4
		call	loc_59E27F

loc_59E28F:				; CODE XREF: _KiTrap09+202p
		add	esp, 4
		call	loc_59E287

loc_59E297:				; CODE XREF: _KiTrap09+20Ap
		add	esp, 4
		call	loc_59E28F

loc_59E29F:				; CODE XREF: _KiTrap09+212p
		add	esp, 4
		call	loc_59E297

loc_59E2A7:				; CODE XREF: sub_59E2AF+3p
		add	esp, 4
		call	loc_59E29F
_KiTrap09	endp


;  S U B	R O U T	I N E 


sub_59E2AF	proc near		; CODE XREF: _KiTrap09+122p
		add	esp, 4
		call	loc_59E2A7
sub_59E2AF	endp


;  S U B	R O U T	I N E 


sub_59E2B7	proc near		; CODE XREF: _KiTrap09+12Ap
		add	esp, 4

loc_59E2BA:				; CODE XREF: _KiTrap09+11Cj
		test	edx, 80h
		jz	short loc_59E2C7
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59E2C7:				; CODE XREF: sub_59E2B7+9j
		lfence	eax

loc_59E2CA:				; CODE XREF: _KiTrap09+8Dj
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kit9_a

loc_59E301:				; CODE XREF: V86_kit9_a+25j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kit9_a

loc_59E317:				; CODE XREF: Dr_kit9_a+Dj
					; Dr_kit9_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		sti
		mov	eax, 9
		call	_KiSystemFatalException
		int	3		; Trap to Debugger
		mov	edi, edi
sub_59E2B7	endp


;  S U B	R O U T	I N E 


Dr_kita_a	proc near		; CODE XREF: V86_kita_a+2A3j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59E34B
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59E661

loc_59E34B:				; CODE XREF: Dr_kita_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59E661
Dr_kita_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


V86_kita_a	proc near		; CODE XREF: V86_kita_a+28Dj
		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59E64B
; 
		align 4

_KiTrap0A:				; CODE XREF: _KiTrap0AShadow+2Fj
					; _KiTrap0AShadow+BBj
					; DATA XREF: ...
		mov	word ptr [esp+2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59E45D
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59E45D
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59E45D
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59E45D:				; CODE XREF: V86_kita_a+77j
					; V86_kita_a+80j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59E48A
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59E48A
		lfence	eax
		jmp	loc_59E614
; 
		dd 5B70F64h, 22DAh, 48B9h, 0FD23300h, 18AE930h
		db 2 dup(0)
; 

loc_59E48A:				; CODE XREF: V86_kita_a+ACj
					; V86_kita_a+B2j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59E4D2
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59E4D2:				; CODE XREF: V86_kita_a+108j
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59E4F8
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59E4F8:				; CODE XREF: V86_kita_a+128j
		test	edx, 2
		jz	loc_59E604
		call	loc_59E5F9

loc_59E509:				; CODE XREF: V86_kita_a+15Cp
		add	esp, 4
		call	loc_59E601

loc_59E511:				; CODE XREF: V86_kita_a+164p
		add	esp, 4
		call	loc_59E509

loc_59E519:				; CODE XREF: V86_kita_a+16Cp
		add	esp, 4
		call	loc_59E511

loc_59E521:				; CODE XREF: V86_kita_a+174p
		add	esp, 4
		call	loc_59E519

loc_59E529:				; CODE XREF: V86_kita_a+17Cp
		add	esp, 4
		call	loc_59E521

loc_59E531:				; CODE XREF: V86_kita_a+184p
		add	esp, 4
		call	loc_59E529

loc_59E539:				; CODE XREF: V86_kita_a+18Cp
		add	esp, 4
		call	loc_59E531

loc_59E541:				; CODE XREF: V86_kita_a+194p
		add	esp, 4
		call	loc_59E539

loc_59E549:				; CODE XREF: V86_kita_a+19Cp
		add	esp, 4
		call	loc_59E541

loc_59E551:				; CODE XREF: V86_kita_a+1A4p
		add	esp, 4
		call	loc_59E549

loc_59E559:				; CODE XREF: V86_kita_a+1ACp
		add	esp, 4
		call	loc_59E551

loc_59E561:				; CODE XREF: V86_kita_a+1B4p
		add	esp, 4
		call	loc_59E559

loc_59E569:				; CODE XREF: V86_kita_a+1BCp
		add	esp, 4
		call	loc_59E561

loc_59E571:				; CODE XREF: V86_kita_a+1C4p
		add	esp, 4
		call	loc_59E569

loc_59E579:				; CODE XREF: V86_kita_a+1CCp
		add	esp, 4
		call	loc_59E571

loc_59E581:				; CODE XREF: V86_kita_a+1D4p
		add	esp, 4
		call	loc_59E579

loc_59E589:				; CODE XREF: V86_kita_a+1DCp
		add	esp, 4
		call	loc_59E581

loc_59E591:				; CODE XREF: V86_kita_a+1E4p
		add	esp, 4
		call	loc_59E589

loc_59E599:				; CODE XREF: V86_kita_a+1ECp
		add	esp, 4
		call	loc_59E591

loc_59E5A1:				; CODE XREF: V86_kita_a+1F4p
		add	esp, 4
		call	loc_59E599

loc_59E5A9:				; CODE XREF: V86_kita_a+1FCp
		add	esp, 4
		call	loc_59E5A1

loc_59E5B1:				; CODE XREF: V86_kita_a+204p
		add	esp, 4
		call	loc_59E5A9

loc_59E5B9:				; CODE XREF: V86_kita_a+20Cp
		add	esp, 4
		call	loc_59E5B1

loc_59E5C1:				; CODE XREF: V86_kita_a+214p
		add	esp, 4
		call	loc_59E5B9

loc_59E5C9:				; CODE XREF: V86_kita_a+21Cp
		add	esp, 4
		call	loc_59E5C1

loc_59E5D1:				; CODE XREF: V86_kita_a+224p
		add	esp, 4
		call	loc_59E5C9

loc_59E5D9:				; CODE XREF: V86_kita_a+22Cp
		add	esp, 4
		call	loc_59E5D1

loc_59E5E1:				; CODE XREF: V86_kita_a+234p
		add	esp, 4
		call	loc_59E5D9

loc_59E5E9:				; CODE XREF: V86_kita_a+23Cp
		add	esp, 4
		call	loc_59E5E1

loc_59E5F1:				; CODE XREF: V86_kita_a+244p
		add	esp, 4
		call	loc_59E5E9

loc_59E5F9:				; CODE XREF: V86_kita_a+14Cp
		add	esp, 4
		call	loc_59E5F1

loc_59E601:				; CODE XREF: V86_kita_a+154p
		add	esp, 4

loc_59E604:				; CODE XREF: V86_kita_a+146j
		test	edx, 80h
		jz	short loc_59E611
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59E611:				; CODE XREF: V86_kita_a+252j
		lfence	eax

loc_59E614:				; CODE XREF: V86_kita_a+B7j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kita_a

loc_59E64B:				; CODE XREF: V86_kita_a+25j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kita_a

loc_59E661:				; CODE XREF: Dr_kita_a+Dj
					; Dr_kita_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		test	byte ptr [ebp+72h], 2
		jnz	short loc_59E680
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59E693

loc_59E680:				; CODE XREF: V86_kita_a+2C0j
		test	byte ptr [ebp+71h], 40h
		sti
		jz	short loc_59E693
		and	dword ptr [ebp+70h], 0FFFFBFFFh
		jmp	Kei386EoiHelper@0
; 

loc_59E693:				; CODE XREF: V86_kita_a+2C6j
					; V86_kita_a+2CDj
		mov	eax, 0Ah
		call	_KiSystemFatalException
		lea	ecx, [ecx+0]

Dr_kitb_a:				; CODE XREF: V86_kitb_a+2A3j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59E6B3
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59E9C9

loc_59E6B3:				; CODE XREF: V86_kita_a+2EFj
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59E9C9
V86_kita_a	endp

; 
		align 10h

;  S U B	R O U T	I N E 


V86_kitb_a	proc near		; CODE XREF: V86_kitb_a+28Dj

arg_18		= dword	ptr  1Ch

		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59E9B3
; 
		align 4

_KiTrap0B:				; CODE XREF: _KiTrap0BShadow+2Fj
					; _KiTrap0BShadow+BBj
					; DATA XREF: ...
		mov	word ptr [esp+2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59E7C5
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59E7C5
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59E7C5
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59E7C5:				; CODE XREF: V86_kitb_a+77j
					; V86_kitb_a+80j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59E7F2
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59E7F2
		lfence	eax
		jmp	loc_59E97C
; 
		dd 5B70F64h, 22DAh, 48B9h, 0FD23300h, 18AE930h
		db 2 dup(0)
; 

loc_59E7F2:				; CODE XREF: V86_kitb_a+ACj
					; V86_kitb_a+B2j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59E83A
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59E83A:				; CODE XREF: V86_kitb_a+108j
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59E860
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59E860:				; CODE XREF: V86_kitb_a+128j
		test	edx, 2
		jz	loc_59E96C
		call	loc_59E961

loc_59E871:				; CODE XREF: V86_kitb_a+15Cp
		add	esp, 4
		call	loc_59E969

loc_59E879:				; CODE XREF: V86_kitb_a+164p
		add	esp, 4
		call	loc_59E871

loc_59E881:				; CODE XREF: V86_kitb_a+16Cp
		add	esp, 4
		call	loc_59E879

loc_59E889:				; CODE XREF: V86_kitb_a+174p
		add	esp, 4
		call	loc_59E881

loc_59E891:				; CODE XREF: V86_kitb_a+17Cp
		add	esp, 4
		call	loc_59E889

loc_59E899:				; CODE XREF: V86_kitb_a+184p
		add	esp, 4
		call	loc_59E891

loc_59E8A1:				; CODE XREF: V86_kitb_a+18Cp
		add	esp, 4
		call	loc_59E899

loc_59E8A9:				; CODE XREF: V86_kitb_a+194p
		add	esp, 4
		call	loc_59E8A1

loc_59E8B1:				; CODE XREF: V86_kitb_a+19Cp
		add	esp, 4
		call	loc_59E8A9

loc_59E8B9:				; CODE XREF: V86_kitb_a+1A4p
		add	esp, 4
		call	loc_59E8B1

loc_59E8C1:				; CODE XREF: V86_kitb_a+1ACp
		add	esp, 4
		call	loc_59E8B9

loc_59E8C9:				; CODE XREF: V86_kitb_a+1B4p
		add	esp, 4
		call	loc_59E8C1

loc_59E8D1:				; CODE XREF: V86_kitb_a+1BCp
		add	esp, 4
		call	loc_59E8C9

loc_59E8D9:				; CODE XREF: V86_kitb_a+1C4p
		add	esp, 4
		call	loc_59E8D1

loc_59E8E1:				; CODE XREF: V86_kitb_a+1CCp
		add	esp, 4
		call	loc_59E8D9

loc_59E8E9:				; CODE XREF: V86_kitb_a+1D4p
		add	esp, 4
		call	loc_59E8E1

loc_59E8F1:				; CODE XREF: V86_kitb_a+1DCp
		add	esp, 4
		call	loc_59E8E9

loc_59E8F9:				; CODE XREF: V86_kitb_a+1E4p
		add	esp, 4
		call	loc_59E8F1

loc_59E901:				; CODE XREF: V86_kitb_a+1ECp
		add	esp, 4
		call	loc_59E8F9

loc_59E909:				; CODE XREF: V86_kitb_a+1F4p
		add	esp, 4
		call	loc_59E901

loc_59E911:				; CODE XREF: V86_kitb_a+1FCp
		add	esp, 4
		call	loc_59E909

loc_59E919:				; CODE XREF: V86_kitb_a+204p
		add	esp, 4
		call	loc_59E911

loc_59E921:				; CODE XREF: V86_kitb_a+20Cp
		add	esp, 4
		call	loc_59E919

loc_59E929:				; CODE XREF: V86_kitb_a+214p
		add	esp, 4
		call	loc_59E921

loc_59E931:				; CODE XREF: V86_kitb_a+21Cp
		add	esp, 4
		call	loc_59E929

loc_59E939:				; CODE XREF: V86_kitb_a+224p
		add	esp, 4
		call	loc_59E931

loc_59E941:				; CODE XREF: V86_kitb_a+22Cp
		add	esp, 4
		call	loc_59E939

loc_59E949:				; CODE XREF: V86_kitb_a+234p
		add	esp, 4
		call	loc_59E941

loc_59E951:				; CODE XREF: V86_kitb_a+23Cp
		add	esp, 4
		call	loc_59E949

loc_59E959:				; CODE XREF: V86_kitb_a+244p
		add	esp, 4
		call	loc_59E951

loc_59E961:				; CODE XREF: V86_kitb_a+14Cp
		add	esp, 4
		call	loc_59E959

loc_59E969:				; CODE XREF: V86_kitb_a+154p
		add	esp, 4

loc_59E96C:				; CODE XREF: V86_kitb_a+146j
		test	edx, 80h
		jz	short loc_59E979
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59E979:				; CODE XREF: V86_kitb_a+252j
		lfence	eax

loc_59E97C:				; CODE XREF: V86_kitb_a+B7j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kitb_a

loc_59E9B3:				; CODE XREF: V86_kitb_a+25j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kitb_a

loc_59E9C9:				; CODE XREF: V86_kita_a+2F5j
					; V86_kita_a+361j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59EA4F
		cmp	word ptr [ebp+6Ch], 1Bh
		jz	short loc_59EA2B

loc_59E9E9:				; CODE XREF: V86_kitb_a+3CAj
					; V86_kitb_a+408j
		mov	ebx, large fs:124h
		mov	ebx, [ebx+80h]
		cmp	dword ptr [ebx+0F4h], 0
		jz	short loc_59EA2B
		mov	ecx, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	eax
		sti
		call	_Ki386VdmSegmentNotPresent@0 ; Ki386VdmSegmentNotPresent()
		test	eax, 0FFFFh
		jz	short loc_59EA24
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	Kei386EoiHelper@0
; 

loc_59EA24:				; CODE XREF: V86_kitb_a+2F6j
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_59EA2B:				; CODE XREF: V86_kitb_a+2C7j
					; V86_kitb_a+2DDj
		sti
		mov	edi, esp
		mov	ebx, [ebp+68h]
		mov	esi, [ebp+64h]
		and	esi, 0FFFFh
		or	esi, 3
		xor	edx, edx
		mov	ecx, 2
		mov	eax, 0C0000005h
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_59EA4F:				; CODE XREF: V86_kitb_a+2C0j
		mov	eax, [ebp+68h]
		mov	eax, [eax]
		lea	edx, [ebp+74h]
		cmp	al, 1Fh
		jz	loc_59EB2D
		cmp	al, 7
		jz	loc_59EB2D
		cmp	ax, 0A10Fh
		jz	loc_59EB2D
		cmp	ax, 0A90Fh
		jz	loc_59EB2D
		cmp	al, 0CFh
		jnz	loc_59EB38
		test	byte ptr [edx+4], 3
		jz	loc_59EB38
		call	sub_59EB42
		mov	eax, [ebp+68h]
		cmp	eax, offset _KiKernelSysretExit
		jb	short loc_59EAEF
		cmp	eax, offset _KiShadowExitEnd
		jnb	short loc_59EAEF
		mov	esp, large fs:501Ch
		lea	edx, [ebp+68h]
		mov	ecx, 1Ah

loc_59EAB2:				; CODE XREF: V86_kitb_a+397j
		sub	edx, 4
		push	dword ptr [edx]
		loop	loc_59EAB2
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		and	edx, 0FFFFFFF0h
		mov	ecx, 20h

loc_59EAC6:				; CODE XREF: V86_kitb_a+3ABj
		sub	edx, 4
		push	dword ptr [edx]
		loop	loc_59EAC6
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax
		jmp	loc_59E9E9
; 

loc_59EAEF:				; CODE XREF: V86_kitb_a+37Aj
					; V86_kitb_a+381j
		mov	ecx, 1Ah
		lea	edx, [ebp+68h]

loc_59EAF7:				; CODE XREF: V86_kitb_a+3DFj
		sub	edx, 4
		mov	eax, [edx]
		mov	[edx+0Ch], eax
		loop	loc_59EAF7
		mov	ecx, 8
		add	edx, 0Ch
		and	edx, 0FFFFFFF0h
		lea	eax, [esp+64h+arg_18]
		sub	edx, eax

loc_59EB15:				; CODE XREF: V86_kitb_a+3FFj
		sub	eax, 10h
		movaps	xmm0, oword ptr	[eax]
		movaps	oword ptr [eax+edx], xmm0
		loop	loc_59EB15
		sti
		add	ebp, 0Ch
		lea	esp, [eax+edx]
		jmp	loc_59E9E9
; 

loc_59EB2D:				; CODE XREF: V86_kitb_a+339j
					; V86_kitb_a+341j ...
		mov	dword ptr [edx], 0
		jmp	loc_59FB00
; 

loc_59EB38:				; CODE XREF: V86_kitb_a+35Dj
					; V86_kitb_a+367j
		mov	eax, 0Bh
		call	_KiSystemFatalException
V86_kitb_a	endp


;  S U B	R O U T	I N E 


sub_59EB42	proc near		; CODE XREF: V86_kitb_a+36Dp
					; V86_kitc_a+31Bp ...
		push	ebx
		mov	ebx, dr7
		test	ebx, 0FFFF23FFh
		mov	[ebp+28h], ebx
		jz	short loc_59EBB5
		push	edi
		push	esi
		mov	ebx, dr0
		mov	esi, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], esi
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	esi, dr6
		mov	[ebp+20h], ebx
		xor	ebx, ebx
		mov	[ebp+24h], esi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	esi, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, esi
		mov	ebx, [edi+2FCh]
		mov	esi, [edi+300h]
		mov	dr2, ebx
		mov	dr3, esi
		mov	ebx, [edi+304h]
		mov	esi, [edi+308h]
		mov	dr6, ebx
		mov	dr7, esi
		pop	esi
		pop	edi

loc_59EBB5:				; CODE XREF: sub_59EB42+Dj
		pop	ebx
		retn
sub_59EB42	endp

; 
		align 4

;  S U B	R O U T	I N E 


Dr_kitc_a	proc near		; CODE XREF: V86_kitc_a+2A3j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59EBCB
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59EEE1

loc_59EBCB:				; CODE XREF: Dr_kitc_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_59EEE1
Dr_kitc_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


V86_kitc_a	proc near		; CODE XREF: V86_kitc_a+28Dj

arg_18		= dword	ptr  1Ch

		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59EECB
; 
		align 4

_KiTrap0C:				; CODE XREF: _KiTrap0CShadow+2Fj
					; _KiTrap0CShadow+BBj
					; DATA XREF: ...
		mov	word ptr [esp+2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59ECDD
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59ECDD
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59ECDD
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59ECDD:				; CODE XREF: V86_kitc_a+77j
					; V86_kitc_a+80j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59ED0A
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59ED0A
		lfence	eax
		jmp	loc_59EE94
; 
		dd 5B70F64h, 22DAh, 48B9h, 0FD23300h, 18AE930h
		db 2 dup(0)
; 

loc_59ED0A:				; CODE XREF: V86_kitc_a+ACj
					; V86_kitc_a+B2j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59ED52
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59ED52:				; CODE XREF: V86_kitc_a+108j
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59ED78
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59ED78:				; CODE XREF: V86_kitc_a+128j
		test	edx, 2
		jz	loc_59EE84
		call	loc_59EE79

loc_59ED89:				; CODE XREF: V86_kitc_a+15Cp
		add	esp, 4
		call	loc_59EE81

loc_59ED91:				; CODE XREF: V86_kitc_a+164p
		add	esp, 4
		call	loc_59ED89

loc_59ED99:				; CODE XREF: V86_kitc_a+16Cp
		add	esp, 4
		call	loc_59ED91

loc_59EDA1:				; CODE XREF: V86_kitc_a+174p
		add	esp, 4
		call	loc_59ED99

loc_59EDA9:				; CODE XREF: V86_kitc_a+17Cp
		add	esp, 4
		call	loc_59EDA1

loc_59EDB1:				; CODE XREF: V86_kitc_a+184p
		add	esp, 4
		call	loc_59EDA9

loc_59EDB9:				; CODE XREF: V86_kitc_a+18Cp
		add	esp, 4
		call	loc_59EDB1

loc_59EDC1:				; CODE XREF: V86_kitc_a+194p
		add	esp, 4
		call	loc_59EDB9

loc_59EDC9:				; CODE XREF: V86_kitc_a+19Cp
		add	esp, 4
		call	loc_59EDC1

loc_59EDD1:				; CODE XREF: V86_kitc_a+1A4p
		add	esp, 4
		call	loc_59EDC9

loc_59EDD9:				; CODE XREF: V86_kitc_a+1ACp
		add	esp, 4
		call	loc_59EDD1

loc_59EDE1:				; CODE XREF: V86_kitc_a+1B4p
		add	esp, 4
		call	loc_59EDD9

loc_59EDE9:				; CODE XREF: V86_kitc_a+1BCp
		add	esp, 4
		call	loc_59EDE1

loc_59EDF1:				; CODE XREF: V86_kitc_a+1C4p
		add	esp, 4
		call	loc_59EDE9

loc_59EDF9:				; CODE XREF: V86_kitc_a+1CCp
		add	esp, 4
		call	loc_59EDF1

loc_59EE01:				; CODE XREF: V86_kitc_a+1D4p
		add	esp, 4
		call	loc_59EDF9

loc_59EE09:				; CODE XREF: V86_kitc_a+1DCp
		add	esp, 4
		call	loc_59EE01

loc_59EE11:				; CODE XREF: V86_kitc_a+1E4p
		add	esp, 4
		call	loc_59EE09

loc_59EE19:				; CODE XREF: V86_kitc_a+1ECp
		add	esp, 4
		call	loc_59EE11

loc_59EE21:				; CODE XREF: V86_kitc_a+1F4p
		add	esp, 4
		call	loc_59EE19

loc_59EE29:				; CODE XREF: V86_kitc_a+1FCp
		add	esp, 4
		call	loc_59EE21

loc_59EE31:				; CODE XREF: V86_kitc_a+204p
		add	esp, 4
		call	loc_59EE29

loc_59EE39:				; CODE XREF: V86_kitc_a+20Cp
		add	esp, 4
		call	loc_59EE31

loc_59EE41:				; CODE XREF: V86_kitc_a+214p
		add	esp, 4
		call	loc_59EE39

loc_59EE49:				; CODE XREF: V86_kitc_a+21Cp
		add	esp, 4
		call	loc_59EE41

loc_59EE51:				; CODE XREF: V86_kitc_a+224p
		add	esp, 4
		call	loc_59EE49

loc_59EE59:				; CODE XREF: V86_kitc_a+22Cp
		add	esp, 4
		call	loc_59EE51

loc_59EE61:				; CODE XREF: V86_kitc_a+234p
		add	esp, 4
		call	loc_59EE59

loc_59EE69:				; CODE XREF: V86_kitc_a+23Cp
		add	esp, 4
		call	loc_59EE61

loc_59EE71:				; CODE XREF: V86_kitc_a+244p
		add	esp, 4
		call	loc_59EE69

loc_59EE79:				; CODE XREF: V86_kitc_a+14Cp
		add	esp, 4
		call	loc_59EE71

loc_59EE81:				; CODE XREF: V86_kitc_a+154p
		add	esp, 4

loc_59EE84:				; CODE XREF: V86_kitc_a+146j
		test	edx, 80h
		jz	short loc_59EE91
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59EE91:				; CODE XREF: V86_kitc_a+252j
		lfence	eax

loc_59EE94:				; CODE XREF: V86_kitc_a+B7j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kitc_a

loc_59EECB:				; CODE XREF: V86_kitc_a+25j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kitc_a

loc_59EEE1:				; CODE XREF: Dr_kitc_a+Dj
					; Dr_kitc_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		test	byte ptr [ebp+72h], 2
		jnz	loc_59F03A
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59EF45
		cmp	word ptr [ebp+6Ch], 1Bh
		jnz	loc_59F03A

loc_59EF0F:				; CODE XREF: V86_kitc_a+416j
					; V86_kitc_a+452j
		sti
		mov	ebx, [ebp+68h]
		mov	edx, 10h
		mov	esi, [ebp+74h]
		cmp	word ptr [ebp+64h], 0
		jz	short loc_59EF33
		mov	esi, [ebp+64h]
		mov	edx, 0
		or	esi, 3
		and	esi, 0FFFFh

loc_59EF33:				; CODE XREF: V86_kitc_a+2E8j
		mov	eax, 0C0000005h
		mov	edi, esp
		mov	ecx, 2
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_59EF45:				; CODE XREF: V86_kitc_a+2CAj
		mov	eax, [ebp+68h]
		movzx	eax, byte ptr [eax]
		cmp	al, 0CFh
		jnz	loc_59F030
		call	sub_59EB42
		lea	edx, [ebp+74h]
		test	dword ptr [edx+4], 3
		jz	loc_59F030
		mov	eax, [ebp+68h]
		cmp	eax, offset _KiKernelSysretExit
		jb	short loc_59EFC2
		cmp	eax, offset _KiShadowExitEnd
		jnb	short loc_59EFC2
		mov	esp, large fs:501Ch
		lea	edx, [ebp+68h]
		mov	ecx, 1Ah

loc_59EF88:				; CODE XREF: V86_kitc_a+355j
		sub	edx, 4
		push	dword ptr [edx]
		loop	loc_59EF88
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		and	edx, 0FFFFFFF0h
		mov	ecx, 20h

loc_59EF9C:				; CODE XREF: V86_kitc_a+369j
		sub	edx, 4
		push	dword ptr [edx]
		loop	loc_59EF9C
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax
		jmp	short loc_59EFFA
; 

loc_59EFC2:				; CODE XREF: V86_kitc_a+338j
					; V86_kitc_a+33Fj
		mov	ecx, 1Ah
		lea	edx, [ebp+68h]

loc_59EFCA:				; CODE XREF: V86_kitc_a+39Aj
		sub	edx, 4
		mov	eax, [edx]
		mov	[edx+0Ch], eax
		loop	loc_59EFCA
		add	edx, 0Ch
		and	edx, 0FFFFFFF0h
		lea	eax, [esp+64h+arg_18]
		sub	edx, eax
		mov	ecx, 8

loc_59EFE8:				; CODE XREF: V86_kitc_a+3BAj
		sub	eax, 10h
		movaps	xmm0, oword ptr	[eax]
		movaps	oword ptr [eax+edx], xmm0
		loop	loc_59EFE8
		add	ebp, 0Ch
		lea	esp, [eax+edx]

loc_59EFFA:				; CODE XREF: V86_kitc_a+388j
		sti
		mov	ebx, [ebp+68h]
		mov	edx, 10h
		mov	esi, [ebp+74h]
		cmp	word ptr [ebp+64h], 0
		jz	short loc_59F01E
		mov	esi, [ebp+64h]
		and	esi, 0FFFFh
		mov	edx, 0
		or	esi, 3

loc_59F01E:				; CODE XREF: V86_kitc_a+3D3j
		mov	eax, 0C0000005h
		mov	ecx, 2
		mov	edi, esp
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_59F030:				; CODE XREF: V86_kitc_a+315j
					; V86_kitc_a+32Aj
		mov	eax, 0Ch
		call	_KiSystemFatalException

loc_59F03A:				; CODE XREF: V86_kitc_a+2C0j
					; V86_kitc_a+2D1j
		mov	ebx, large fs:124h
		mov	ebx, [ebx+80h]
		cmp	dword ptr [ebx+0F4h], 0
		jz	loc_59EF0F
		test	byte ptr [ebp+72h], 2
		jnz	short loc_59F081
		mov	ecx, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		sti
		mov	edi, eax
		call	VdmFixEspEbp
		push	eax
		mov	ecx, edi
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cli
		pop	eax
		test	al, 0Fh
		jz	short loc_59F081
		jmp	Kei386EoiHelper@0
; 

loc_59F081:				; CODE XREF: V86_kitc_a+420j
					; V86_kitc_a+442j
		push	0Ch
		call	_Ki386VdmReflectException_A@4 ;	Ki386VdmReflectException_A(x)
		test	al, 0Fh
		jz	loc_59EF0F
		jmp	Kei386EoiHelper@0
V86_kitc_a	endp


;  S U B	R O U T	I N E 


VdmFixEspEbp	proc near		; CODE XREF: V86_kitc_a+430p
		mov	eax, [ebp+78h]
		lar	eax, eax
		jnz	loc_59F125
		test	eax, 400000h
		jnz	short loc_59F125
		xor	edx, edx
		mov	eax, esp
		and	eax, 0FFFF0000h
		mov	ecx, [ebp+74h]
		and	ecx, 0FFFF0000h
		cmp	ecx, eax
		jnz	short loc_59F0CA
		and	dword ptr [ebp+74h], 0FFFFh
		mov	edx, 1

loc_59F0CA:				; CODE XREF: VdmFixEspEbp+27j
		mov	ecx, [ebp+60h]
		and	ecx, 0FFFF0000h
		cmp	ecx, eax
		jnz	short loc_59F0E3
		and	dword ptr [ebp+60h], 0FFFFh
		mov	edx, 1

loc_59F0E3:				; CODE XREF: VdmFixEspEbp+40j
		cmp	edx, 1
		jnz	short loc_59F125
		mov	ebx, large fs:18h
		mov	eax, [ebp+6Ch]
		mov	ecx, [ebp+68h]
		mov	edx, [ebp+5Ch]
		push	edx
		push	ecx
		push	eax
		call	_VdmTibPass1@12	; VdmTibPass1(x,x,x)
		mov	[ebp+5Ch], eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+0A8h]
		mov	dword ptr [ebp+6Ch], 1Bh
		mov	[ebp+68h], eax
		mov	eax, 1
		retn
; 

loc_59F125:				; CODE XREF: VdmFixEspEbp+6j
					; VdmFixEspEbp+11j ...
		xor	eax, eax
		retn
VdmFixEspEbp	endp


;  S U B	R O U T	I N E 


Ktd_ExceptionHandler proc near		; DATA XREF: sub_59F909+5A4o

var_62		= byte ptr -62h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_A		= word ptr -0Ah
arg_4		= dword	ptr  8

; FUNCTION CHUNK AT 0059F6BB SIZE 000000C1 BYTES
; FUNCTION CHUNK AT 0059F792 SIZE 0000007F BYTES
; FUNCTION CHUNK AT 0059FFCE SIZE 00000053 BYTES

		mov	esp, [esp+arg_4]
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	ebp
		test	dword ptr [ebp+6Ch], 1
		jnz	loc_59FFCE
		push	ebp
		push	0
		push	0
		push	0
		push	0
		push	1Eh
		call	_KiBugCheck2@24	; KiBugCheck2(x,x,x,x,x,x)

Dr_kitd_a:				; CODE XREF: Ktd_ExceptionHandler+33Ej
					; sub_59F909+5Aj
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59F167
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59F969

loc_59F167:				; CODE XREF: Ktd_ExceptionHandler+33j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		test	dword ptr [ebp+70h], 20000h
		jz	short loc_59F1DB
		jmp	loc_59F46C
; 

loc_59F1DB:				; CODE XREF: Ktd_ExceptionHandler+ACj
		jmp	loc_59F969
; 

V86_kitd_a:				; CODE XREF: sub_59F909+44j
		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_59F953
; 
		align 4

_KiTrap0D:				; CODE XREF: _KiGetTickCount+33Dj
					; _KiTrap0DShadow+2Fj ...
		test	byte ptr [esp+0Eh], 2
		jz	loc_59F6EC
		sub	esp, 64h
		mov	[esp+70h+var_A], 0
		mov	[esp+70h+var_14], ebx
		mov	[esp+70h+var_30], eax
		mov	[esp+70h+var_10], ebp
		mov	[esp+70h+var_18], esi
		mov	[esp+70h+var_1C], edi
		mov	[esp+70h+var_34], ecx
		mov	[esp+70h+var_38], edx
		mov	byte ptr [esp+0Fh], 1
		mov	ebp, esp
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	ebx, 30h
		mov	eax, 23h
		mov	fs, bx
		mov	ds, ax
		mov	es, ax
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59F29D
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59F29D
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59F29D
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59F29D:				; CODE XREF: Ktd_ExceptionHandler+147j
					; Ktd_ExceptionHandler+150j ...
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59F2E5
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59F2E5:				; CODE XREF: Ktd_ExceptionHandler+1ABj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59F30B
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59F30B:				; CODE XREF: Ktd_ExceptionHandler+1CBj
		test	edx, 2
		jz	loc_59F417
		call	loc_59F40C

loc_59F31C:				; CODE XREF: Ktd_ExceptionHandler+1FFp
		add	esp, 4
		call	loc_59F414

loc_59F324:				; CODE XREF: Ktd_ExceptionHandler+207p
		add	esp, 4
		call	loc_59F31C

loc_59F32C:				; CODE XREF: Ktd_ExceptionHandler+20Fp
		add	esp, 4
		call	loc_59F324

loc_59F334:				; CODE XREF: Ktd_ExceptionHandler+217p
		add	esp, 4
		call	loc_59F32C

loc_59F33C:				; CODE XREF: Ktd_ExceptionHandler+21Fp
		add	esp, 4
		call	loc_59F334

loc_59F344:				; CODE XREF: Ktd_ExceptionHandler+227p
		add	esp, 4
		call	loc_59F33C

loc_59F34C:				; CODE XREF: Ktd_ExceptionHandler+22Fp
		add	esp, 4
		call	loc_59F344

loc_59F354:				; CODE XREF: Ktd_ExceptionHandler+237p
		add	esp, 4
		call	loc_59F34C

loc_59F35C:				; CODE XREF: Ktd_ExceptionHandler+23Fp
		add	esp, 4
		call	loc_59F354

loc_59F364:				; CODE XREF: Ktd_ExceptionHandler+247p
		add	esp, 4
		call	loc_59F35C

loc_59F36C:				; CODE XREF: Ktd_ExceptionHandler+24Fp
		add	esp, 4
		call	loc_59F364

loc_59F374:				; CODE XREF: Ktd_ExceptionHandler+257p
		add	esp, 4
		call	loc_59F36C

loc_59F37C:				; CODE XREF: Ktd_ExceptionHandler+25Fp
		add	esp, 4
		call	loc_59F374

loc_59F384:				; CODE XREF: Ktd_ExceptionHandler+267p
		add	esp, 4
		call	loc_59F37C

loc_59F38C:				; CODE XREF: Ktd_ExceptionHandler+26Fp
		add	esp, 4
		call	loc_59F384

loc_59F394:				; CODE XREF: Ktd_ExceptionHandler+277p
		add	esp, 4
		call	loc_59F38C

loc_59F39C:				; CODE XREF: Ktd_ExceptionHandler+27Fp
		add	esp, 4
		call	loc_59F394

loc_59F3A4:				; CODE XREF: Ktd_ExceptionHandler+287p
		add	esp, 4
		call	loc_59F39C

loc_59F3AC:				; CODE XREF: Ktd_ExceptionHandler+28Fp
		add	esp, 4
		call	loc_59F3A4

loc_59F3B4:				; CODE XREF: Ktd_ExceptionHandler+297p
		add	esp, 4
		call	loc_59F3AC

loc_59F3BC:				; CODE XREF: Ktd_ExceptionHandler+29Fp
		add	esp, 4
		call	loc_59F3B4

loc_59F3C4:				; CODE XREF: Ktd_ExceptionHandler+2A7p
		add	esp, 4
		call	loc_59F3BC

loc_59F3CC:				; CODE XREF: Ktd_ExceptionHandler+2AFp
		add	esp, 4
		call	loc_59F3C4

loc_59F3D4:				; CODE XREF: Ktd_ExceptionHandler+2B7p
		add	esp, 4
		call	loc_59F3CC

loc_59F3DC:				; CODE XREF: Ktd_ExceptionHandler+2BFp
		add	esp, 4
		call	loc_59F3D4

loc_59F3E4:				; CODE XREF: Ktd_ExceptionHandler+2C7p
		add	esp, 4
		call	loc_59F3DC

loc_59F3EC:				; CODE XREF: Ktd_ExceptionHandler+2CFp
		add	esp, 4
		call	loc_59F3E4

loc_59F3F4:				; CODE XREF: Ktd_ExceptionHandler+2D7p
		add	esp, 4
		call	loc_59F3EC

loc_59F3FC:				; CODE XREF: Ktd_ExceptionHandler+2DFp
		add	esp, 4
		call	loc_59F3F4

loc_59F404:				; CODE XREF: Ktd_ExceptionHandler+2E7p
		add	esp, 4
		call	loc_59F3FC

loc_59F40C:				; CODE XREF: Ktd_ExceptionHandler+1EFp
		add	esp, 4
		call	loc_59F404

loc_59F414:				; CODE XREF: Ktd_ExceptionHandler+1F7p
		add	esp, 4

loc_59F417:				; CODE XREF: Ktd_ExceptionHandler+1E9j
		test	edx, 80h
		jz	short loc_59F424
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59F424:				; CODE XREF: Ktd_ExceptionHandler+2F5j
		lfence	eax
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		mov	eax, large fs:0
		mov	[ebp+4Ch], eax
		mov	eax, dr7
		cld
		test	eax, 0FFFF23FFh
		mov	[ebp+28h], eax
		jnz	Dr_kitd_a

loc_59F46C:				; CODE XREF: Ktd_ExceptionHandler+AEj
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		cmp	dword ptr [ecx+0F4h], 0
		jnz	short loc_59F488
		sti
		jmp	loc_59FFCE
; 

loc_59F488:				; CODE XREF: Ktd_ExceptionHandler+358j
		mov	ecx, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	eax
		sti
		push	ebp
		call	_VdmDispatchOpcodeV86_try@4 ; VdmDispatchOpcodeV86_try(x)
		test	al, 0FFh
		jnz	short loc_59F4B6
		push	0Dh
		call	_Ki386VdmReflectException@4 ; Ki386VdmReflectException(x)
		test	al, 0Fh
		jnz	short loc_59F4B6
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_59FFCE
; 

loc_59F4B6:				; CODE XREF: Ktd_ExceptionHandler+375j
					; Ktd_ExceptionHandler+380j
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cli
		test	byte ptr [ebp+72h], 2
		jz	loc_59F6E7

loc_59F4C8:				; CODE XREF: Ktd_ExceptionHandler+5B9j
		mov	ebx, large fs:124h
		mov	byte ptr [ebx+56h], 0
		test	byte ptr [ebx+86h], 3
		jnz	loc_59F6BB
		mov	edi, esp
		movaps	xmm0, oword ptr	[edi]
		movaps	xmm1, oword ptr	[edi+10h]
		movaps	xmm2, oword ptr	[edi+20h]
		movaps	xmm3, oword ptr	[edi+30h]
		movaps	xmm4, oword ptr	[edi+40h]
		movaps	xmm5, oword ptr	[edi+50h]
		movaps	xmm6, oword ptr	[edi+60h]
		movaps	xmm7, oword ptr	[edi+70h]
		ldmxcsr	dword ptr [ebp+48h]
		movzx	eax, large word	ptr fs:22E0h
		cmp	large fs:22DAh,	ax
		jz	short loc_59F527
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59F527:				; CODE XREF: Ktd_ExceptionHandler+3EDj
		btr	large word ptr fs:22D8h, 2
		jnb	short loc_59F541
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr

loc_59F541:				; CODE XREF: Ktd_ExceptionHandler+409j
		btr	large word ptr fs:22D8h, 4
		jnb	loc_59F651
		call	sub_59F646

loc_59F556:				; CODE XREF: Ktd_ExceptionHandler+439p
		add	esp, 4
		call	sub_59F64E

loc_59F55E:				; CODE XREF: Ktd_ExceptionHandler+441p
		add	esp, 4
		call	loc_59F556

loc_59F566:				; CODE XREF: Ktd_ExceptionHandler+449p
		add	esp, 4
		call	loc_59F55E

loc_59F56E:				; CODE XREF: Ktd_ExceptionHandler+451p
		add	esp, 4
		call	loc_59F566

loc_59F576:				; CODE XREF: Ktd_ExceptionHandler+459p
		add	esp, 4
		call	loc_59F56E

loc_59F57E:				; CODE XREF: Ktd_ExceptionHandler+461p
		add	esp, 4
		call	loc_59F576

loc_59F586:				; CODE XREF: Ktd_ExceptionHandler+469p
		add	esp, 4
		call	loc_59F57E

loc_59F58E:				; CODE XREF: Ktd_ExceptionHandler+471p
		add	esp, 4
		call	loc_59F586

loc_59F596:				; CODE XREF: Ktd_ExceptionHandler+479p
		add	esp, 4
		call	loc_59F58E

loc_59F59E:				; CODE XREF: Ktd_ExceptionHandler+481p
		add	esp, 4
		call	loc_59F596

loc_59F5A6:				; CODE XREF: Ktd_ExceptionHandler+489p
		add	esp, 4
		call	loc_59F59E

loc_59F5AE:				; CODE XREF: Ktd_ExceptionHandler+491p
		add	esp, 4
		call	loc_59F5A6

loc_59F5B6:				; CODE XREF: Ktd_ExceptionHandler+499p
		add	esp, 4
		call	loc_59F5AE

loc_59F5BE:				; CODE XREF: Ktd_ExceptionHandler+4A1p
		add	esp, 4
		call	loc_59F5B6

loc_59F5C6:				; CODE XREF: Ktd_ExceptionHandler+4A9p
		add	esp, 4
		call	loc_59F5BE

loc_59F5CE:				; CODE XREF: Ktd_ExceptionHandler+4B1p
		add	esp, 4
		call	loc_59F5C6

loc_59F5D6:				; CODE XREF: Ktd_ExceptionHandler+4B9p
		add	esp, 4
		call	loc_59F5CE

loc_59F5DE:				; CODE XREF: Ktd_ExceptionHandler+4C1p
		add	esp, 4
		call	loc_59F5D6

loc_59F5E6:				; CODE XREF: Ktd_ExceptionHandler+4C9p
		add	esp, 4
		call	loc_59F5DE

loc_59F5EE:				; CODE XREF: Ktd_ExceptionHandler+4D1p
		add	esp, 4
		call	loc_59F5E6

loc_59F5F6:				; CODE XREF: Ktd_ExceptionHandler+4D9p
		add	esp, 4
		call	loc_59F5EE

loc_59F5FE:				; CODE XREF: Ktd_ExceptionHandler+4E1p
		add	esp, 4
		call	loc_59F5F6

loc_59F606:				; CODE XREF: Ktd_ExceptionHandler+4E9p
		add	esp, 4
		call	loc_59F5FE

loc_59F60E:				; CODE XREF: Ktd_ExceptionHandler+4F1p
		add	esp, 4
		call	loc_59F606

loc_59F616:				; CODE XREF: Ktd_ExceptionHandler+4F9p
		add	esp, 4
		call	loc_59F60E

loc_59F61E:				; CODE XREF: Ktd_ExceptionHandler+501p
		add	esp, 4
		call	loc_59F616

loc_59F626:				; CODE XREF: Ktd_ExceptionHandler+509p
		add	esp, 4
		call	loc_59F61E

loc_59F62E:				; CODE XREF: Ktd_ExceptionHandler+511p
		add	esp, 4
		call	loc_59F626

loc_59F636:				; CODE XREF: Ktd_ExceptionHandler+519p
		add	esp, 4
		call	loc_59F62E

loc_59F63E:				; CODE XREF: sub_59F646+3p
		add	esp, 4
		call	loc_59F636
Ktd_ExceptionHandler endp


;  S U B	R O U T	I N E 


sub_59F646	proc near		; CODE XREF: Ktd_ExceptionHandler+429p
		add	esp, 4
		call	loc_59F63E
sub_59F646	endp


;  S U B	R O U T	I N E 


sub_59F64E	proc near		; CODE XREF: Ktd_ExceptionHandler+431p
		add	esp, 4

loc_59F651:				; CODE XREF: Ktd_ExceptionHandler+423j
		test	large word ptr fs:22D8h, 20h
		jz	short loc_59F668
		xor	eax, eax
		xor	edx, edx
		mov	ecx, 1
		div	ecx

loc_59F668:				; CODE XREF: sub_59F64E+Dj
		lea	esp, [ebp+38h]
		pop	edx
		pop	ecx
		pop	eax
		test	dword ptr [ebp+28h], 0FFFF23FFh
		jnz	short loc_59F690

loc_59F677:				; CODE XREF: sub_59F64E+6Bj
		lea	esp, [ebp+54h]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		add	esp, 4
		test	ss:_KiKvaShadow, 1
		jnz	_KiKernelExit
		iret
; 

loc_59F690:				; CODE XREF: sub_59F64E+27j
		xor	ebx, ebx
		mov	esi, [ebp+14h]
		mov	edi, [ebp+18h]
		mov	dr7, ebx
		mov	ebx, [ebp+1Ch]
		mov	dr0, esi
		mov	dr1, edi
		mov	dr2, ebx
		mov	esi, [ebp+20h]
		mov	edi, [ebp+24h]
		mov	ebx, [ebp+28h]
		mov	dr3, esi
		mov	dr6, edi
		mov	dr7, ebx
		jmp	short loc_59F677
sub_59F64E	endp

; 
; START	OF FUNCTION CHUNK FOR Ktd_ExceptionHandler

loc_59F6BB:				; CODE XREF: Ktd_ExceptionHandler+3B2j
		mov	ecx, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	eax
		sti
		push	ebp
		push	0
		push	1
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cli
		test	dword ptr [ebp+70h], 20000h
		jnz	loc_59F4C8

loc_59F6E7:				; CODE XREF: Ktd_ExceptionHandler+39Aj
		jmp	Kei386EoiHelper@0
; 

loc_59F6EC:				; CODE XREF: Ktd_ExceptionHandler+E9j
		mov	[esp+0Ch+var_A], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_59F765
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59F765
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_59F765
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_59F765:				; CODE XREF: Ktd_ExceptionHandler+60Fj
					; Ktd_ExceptionHandler+618j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59F792
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59F792
		lfence	eax
		jmp	loc_59F91C
; END OF FUNCTION CHUNK	FOR Ktd_ExceptionHandler
; 
		dd 5B70F64h, 22DAh, 48B9h, 0FD23300h, 18AE930h
		db 2 dup(0)
; 
; START	OF FUNCTION CHUNK FOR Ktd_ExceptionHandler

loc_59F792:				; CODE XREF: Ktd_ExceptionHandler+644j
					; Ktd_ExceptionHandler+64Aj
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_59F7DA
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59F7DA:				; CODE XREF: Ktd_ExceptionHandler+6A0j
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_59F800
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_59F800:				; CODE XREF: Ktd_ExceptionHandler+6C0j
		test	edx, 2
		jz	loc_59F90C
		call	sub_59F901
; END OF FUNCTION CHUNK	FOR Ktd_ExceptionHandler

;  S U B	R O U T	I N E 


sub_59F811	proc near		; CODE XREF: sub_59F819+3p
		add	esp, 4
		call	sub_59F909
sub_59F811	endp


;  S U B	R O U T	I N E 


sub_59F819	proc near		; CODE XREF: sub_59F821+3p
		add	esp, 4
		call	sub_59F811
sub_59F819	endp


;  S U B	R O U T	I N E 


sub_59F821	proc near		; CODE XREF: sub_59F829+3p
		add	esp, 4
		call	sub_59F819
sub_59F821	endp


;  S U B	R O U T	I N E 


sub_59F829	proc near		; CODE XREF: sub_59F831+3p
		add	esp, 4
		call	sub_59F821
sub_59F829	endp


;  S U B	R O U T	I N E 


sub_59F831	proc near		; CODE XREF: sub_59F839+3p
		add	esp, 4
		call	sub_59F829
sub_59F831	endp


;  S U B	R O U T	I N E 


sub_59F839	proc near		; CODE XREF: sub_59F841+3p
		add	esp, 4
		call	sub_59F831
sub_59F839	endp


;  S U B	R O U T	I N E 


sub_59F841	proc near		; CODE XREF: sub_59F849+3p
		add	esp, 4
		call	sub_59F839
sub_59F841	endp


;  S U B	R O U T	I N E 


sub_59F849	proc near		; CODE XREF: sub_59F851+3p
		add	esp, 4
		call	sub_59F841
sub_59F849	endp


;  S U B	R O U T	I N E 


sub_59F851	proc near		; CODE XREF: sub_59F859+3p
		add	esp, 4
		call	sub_59F849
sub_59F851	endp


;  S U B	R O U T	I N E 


sub_59F859	proc near		; CODE XREF: sub_59F861+3p
		add	esp, 4
		call	sub_59F851
sub_59F859	endp


;  S U B	R O U T	I N E 


sub_59F861	proc near		; CODE XREF: sub_59F869+3p
		add	esp, 4
		call	sub_59F859
sub_59F861	endp


;  S U B	R O U T	I N E 


sub_59F869	proc near		; CODE XREF: sub_59F871+3p
		add	esp, 4
		call	sub_59F861
sub_59F869	endp


;  S U B	R O U T	I N E 


sub_59F871	proc near		; CODE XREF: sub_59F879+3p
		add	esp, 4
		call	sub_59F869
sub_59F871	endp


;  S U B	R O U T	I N E 


sub_59F879	proc near		; CODE XREF: sub_59F881+3p
		add	esp, 4
		call	sub_59F871
sub_59F879	endp


;  S U B	R O U T	I N E 


sub_59F881	proc near		; CODE XREF: sub_59F889+3p
		add	esp, 4
		call	sub_59F879
sub_59F881	endp


;  S U B	R O U T	I N E 


sub_59F889	proc near		; CODE XREF: sub_59F891+3p
		add	esp, 4
		call	sub_59F881
sub_59F889	endp


;  S U B	R O U T	I N E 


sub_59F891	proc near		; CODE XREF: sub_59F899+3p
		add	esp, 4
		call	sub_59F889
sub_59F891	endp


;  S U B	R O U T	I N E 


sub_59F899	proc near		; CODE XREF: sub_59F8A1+3p
		add	esp, 4
		call	sub_59F891
sub_59F899	endp


;  S U B	R O U T	I N E 


sub_59F8A1	proc near		; CODE XREF: sub_59F8A9+3p
		add	esp, 4
		call	sub_59F899
sub_59F8A1	endp


;  S U B	R O U T	I N E 


sub_59F8A9	proc near		; CODE XREF: sub_59F8B1+3p
		add	esp, 4
		call	sub_59F8A1
sub_59F8A9	endp


;  S U B	R O U T	I N E 


sub_59F8B1	proc near		; CODE XREF: sub_59F8B9+3p
		add	esp, 4
		call	sub_59F8A9
sub_59F8B1	endp


;  S U B	R O U T	I N E 


sub_59F8B9	proc near		; CODE XREF: sub_59F8C1+3p
		add	esp, 4
		call	sub_59F8B1
sub_59F8B9	endp


;  S U B	R O U T	I N E 


sub_59F8C1	proc near		; CODE XREF: sub_59F8C9+3p
		add	esp, 4
		call	sub_59F8B9
sub_59F8C1	endp


;  S U B	R O U T	I N E 


sub_59F8C9	proc near		; CODE XREF: sub_59F8D1+3p
		add	esp, 4
		call	sub_59F8C1
sub_59F8C9	endp


;  S U B	R O U T	I N E 


sub_59F8D1	proc near		; CODE XREF: sub_59F8D9+3p
		add	esp, 4
		call	sub_59F8C9
sub_59F8D1	endp


;  S U B	R O U T	I N E 


sub_59F8D9	proc near		; CODE XREF: sub_59F8E1+3p
		add	esp, 4
		call	sub_59F8D1
sub_59F8D9	endp


;  S U B	R O U T	I N E 


sub_59F8E1	proc near		; CODE XREF: sub_59F8E9+3p
		add	esp, 4
		call	sub_59F8D9
sub_59F8E1	endp


;  S U B	R O U T	I N E 


sub_59F8E9	proc near		; CODE XREF: sub_59F8F1+3p
		add	esp, 4
		call	sub_59F8E1
sub_59F8E9	endp


;  S U B	R O U T	I N E 


sub_59F8F1	proc near		; CODE XREF: sub_59F8F9+3p
		add	esp, 4
		call	sub_59F8E9
sub_59F8F1	endp


;  S U B	R O U T	I N E 


sub_59F8F9	proc near		; CODE XREF: sub_59F901+3p
		add	esp, 4
		call	sub_59F8F1
sub_59F8F9	endp


;  S U B	R O U T	I N E 


sub_59F901	proc near		; CODE XREF: Ktd_ExceptionHandler+6E4p
		add	esp, 4
		call	sub_59F8F9
sub_59F901	endp


;  S U B	R O U T	I N E 


sub_59F909	proc near		; CODE XREF: sub_59F811+3p

arg_0		= dword	ptr  4
arg_60		= dword	ptr  64h

; FUNCTION CHUNK AT 0059FD54 SIZE 0000027A BYTES

		add	esp, 4

loc_59F90C:				; CODE XREF: Ktd_ExceptionHandler+6DEj
		test	edx, 80h
		jz	short loc_59F919
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_59F919:				; CODE XREF: sub_59F909+9j
		lfence	eax

loc_59F91C:				; CODE XREF: Ktd_ExceptionHandler+64Fj
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kitd_a

loc_59F953:				; CODE XREF: Ktd_ExceptionHandler+DDj
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kitd_a

loc_59F969:				; CODE XREF: Ktd_ExceptionHandler+39j
					; Ktd_ExceptionHandler:loc_59F1DBj
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		test	dword ptr [ebp+6Ch], 1
		jnz	loc_59FE20
		mov	eax, [ebp+68h]
		mov	eax, [eax]
		lea	edx, [ebp+74h]
		cmp	al, 1Fh
		jz	loc_59FAFC
		cmp	al, 7
		jz	loc_59FAFC
		cmp	ax, 0A10Fh
		jz	loc_59FAFC
		cmp	ax, 0A90Fh
		jz	loc_59FAFC
		cmp	al, 0CFh
		jnz	loc_59FAE0
		mov	ax, [ebp+64h]
		and	ax, 0FFFCh
		mov	cx, [edx+4]
		and	cx, 0FFFCh
		cmp	cx, ax
		jnz	short loc_59F9EB
		mov	ebx, large fs:124h
		test	byte ptr [ebx+15Ah], 0FFh
		jz	loc_59FE20
		or	word ptr [edx+4], 3

loc_59F9EB:				; CODE XREF: sub_59F909+C7j
		test	dword ptr [edx+4], 3
		jz	loc_59FE20
		call	sub_59EB42
		mov	eax, [ebp+68h]
		cmp	eax, offset _KiKernelSysretExit
		jb	short loc_59FA57
		cmp	eax, offset _KiShadowExitEnd
		jnb	short loc_59FA57
		mov	esp, large fs:501Ch
		lea	edx, [ebp+68h]
		mov	ecx, 1Ah

loc_59FA1D:				; CODE XREF: sub_59F909+119j
		sub	edx, 4
		push	dword ptr [edx]
		loop	loc_59FA1D
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		and	edx, 0FFFFFFF0h
		mov	ecx, 20h

loc_59FA31:				; CODE XREF: sub_59F909+12Dj
		sub	edx, 4
		push	dword ptr [edx]
		loop	loc_59FA31
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax
		jmp	short loc_59FA8F
; 

loc_59FA57:				; CODE XREF: sub_59F909+FCj
					; sub_59F909+103j
		mov	ecx, 1Ah
		lea	edx, [ebp+68h]

loc_59FA5F:				; CODE XREF: sub_59F909+15Ej
		sub	edx, 4
		mov	eax, [edx]
		mov	[edx+0Ch], eax
		loop	loc_59FA5F
		add	edx, 0Ch
		and	edx, 0FFFFFFF0h
		lea	eax, [esp+7Ch+arg_0]
		sub	edx, eax
		mov	ecx, 8

loc_59FA7D:				; CODE XREF: sub_59F909+17Ej
		sub	eax, 10h
		movaps	xmm0, oword ptr	[eax]
		movaps	oword ptr [eax+edx], xmm0
		loop	loc_59FA7D
		add	ebp, 0Ch
		lea	esp, [eax+edx]

loc_59FA8F:				; CODE XREF: sub_59F909+14Cj
		sti
		mov	ebx, [ebp+68h]
		mov	esi, [ebp+64h]
		and	esi, 0FFFFh
		mov	eax, 0C0000005h
		xor	edx, edx
		mov	ecx, 2
		mov	edi, esp
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_59FAB0:				; CODE XREF: sub_59F909+1D9j
		shr	eax, 8
		cmp	al, 30h
		jz	short loc_59FAC4
		cmp	al, 32h
		jz	short loc_59FAC4
		cmp	al, 1
		jnz	short loc_59FAE4
		cmp	ah, 0CFh
		jnz	short loc_59FAE4

loc_59FAC4:				; CODE XREF: sub_59F909+1ACj
					; sub_59F909+1B0j
		test	dword ptr [ebp+71h], 2
		jz	short loc_59FACE
		sti

loc_59FACE:				; CODE XREF: sub_59F909+1C2j
		mov	ebx, [ebp+68h]
		mov	eax, 0C0000005h
		xor	ecx, ecx
		mov	edi, esp
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_59FAE0:				; CODE XREF: sub_59F909+AEj
		cmp	al, 0Fh
		jz	short loc_59FAB0

loc_59FAE4:				; CODE XREF: sub_59F909+1B4j
					; sub_59F909+1B9j
		cmp	word ptr [ebp+34h], 23h
		jz	short loc_59FAEE
		int	3		; Trap to Debugger
		jmp	short loc_59FB00
; 

loc_59FAEE:				; CODE XREF: sub_59F909+1E0j
		cmp	word ptr [ebp+30h], 23h
		jz	loc_59FE20
		int	3		; Trap to Debugger
		jmp	short loc_59FB00
; 

loc_59FAFC:				; CODE XREF: sub_59F909+8Aj
					; sub_59F909+92j ...
		xor	eax, eax
		mov	[edx], eax

loc_59FB00:				; CODE XREF: V86_kitb_a+413j
					; sub_59F909+1E3j ...
		mov	edx, [ebp+4Ch]
		ldmxcsr	dword ptr [ebp+48h]
		mov	large fs:0, edx
		test	dword ptr [ebp+28h], 0FFFF23FFh
		jnz	loc_59FD54

loc_59FB1B:				; CODE XREF: sub_59F909+45Bj
					; sub_59F909+48Aj
		test	dword ptr [ebp+70h], 20000h
		jnz	loc_59B5C0
		mov	edi, esp
		movaps	xmm0, oword ptr	[edi]
		movaps	xmm1, oword ptr	[edi+10h]
		movaps	xmm2, oword ptr	[edi+20h]
		movaps	xmm3, oword ptr	[edi+30h]
		movaps	xmm4, oword ptr	[edi+40h]
		movaps	xmm5, oword ptr	[edi+50h]
		movaps	xmm6, oword ptr	[edi+60h]
		movaps	xmm7, oword ptr	[edi+70h]
		test	word ptr [ebp+6Ch], 0FFF9h
		jz	loc_59FDEB
		cmp	word ptr [ebp+6Ch], 1Bh
		bt	word ptr [ebp+6Ch], 0
		cmc
		ja	loc_59FD98
		test	byte ptr [ebp+6Ch], 1
		jz	loc_59FCD4
		movzx	eax, large word	ptr fs:22E0h
		cmp	large fs:22DAh,	ax
		jz	short loc_59FB93
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_59FB93:				; CODE XREF: sub_59F909+278j
		btr	large word ptr fs:22D8h, 2
		jnb	short loc_59FBAD
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr

loc_59FBAD:				; CODE XREF: sub_59F909+294j
		btr	large word ptr fs:22D8h, 4
		jnb	loc_59FCBD
		call	sub_59FCB2
sub_59F909	endp


;  S U B	R O U T	I N E 


sub_59FBC2	proc near		; CODE XREF: sub_59FBCA+3p
		add	esp, 4
		call	sub_59FCBA
sub_59FBC2	endp


;  S U B	R O U T	I N E 


sub_59FBCA	proc near		; CODE XREF: sub_59FBD2+3p
		add	esp, 4
		call	sub_59FBC2
sub_59FBCA	endp


;  S U B	R O U T	I N E 


sub_59FBD2	proc near		; CODE XREF: sub_59FBDA+3p
		add	esp, 4
		call	sub_59FBCA
sub_59FBD2	endp


;  S U B	R O U T	I N E 


sub_59FBDA	proc near		; CODE XREF: sub_59FBE2+3p
		add	esp, 4
		call	sub_59FBD2
sub_59FBDA	endp


;  S U B	R O U T	I N E 


sub_59FBE2	proc near		; CODE XREF: sub_59FBEA+3p
		add	esp, 4
		call	sub_59FBDA
sub_59FBE2	endp


;  S U B	R O U T	I N E 


sub_59FBEA	proc near		; CODE XREF: sub_59FBF2+3p
		add	esp, 4
		call	sub_59FBE2
sub_59FBEA	endp


;  S U B	R O U T	I N E 


sub_59FBF2	proc near		; CODE XREF: sub_59FBFA+3p
		add	esp, 4
		call	sub_59FBEA
sub_59FBF2	endp


;  S U B	R O U T	I N E 


sub_59FBFA	proc near		; CODE XREF: sub_59FC02+3p
		add	esp, 4
		call	sub_59FBF2
sub_59FBFA	endp


;  S U B	R O U T	I N E 


sub_59FC02	proc near		; CODE XREF: sub_59FC0A+3p
		add	esp, 4
		call	sub_59FBFA
sub_59FC02	endp


;  S U B	R O U T	I N E 


sub_59FC0A	proc near		; CODE XREF: sub_59FC12+3p
		add	esp, 4
		call	sub_59FC02
sub_59FC0A	endp


;  S U B	R O U T	I N E 


sub_59FC12	proc near		; CODE XREF: sub_59FC1A+3p
		add	esp, 4
		call	sub_59FC0A
sub_59FC12	endp


;  S U B	R O U T	I N E 


sub_59FC1A	proc near		; CODE XREF: sub_59FC22+3p
		add	esp, 4
		call	sub_59FC12
sub_59FC1A	endp


;  S U B	R O U T	I N E 


sub_59FC22	proc near		; CODE XREF: sub_59FC2A+3p
		add	esp, 4
		call	sub_59FC1A
sub_59FC22	endp


;  S U B	R O U T	I N E 


sub_59FC2A	proc near		; CODE XREF: sub_59FC32+3p
		add	esp, 4
		call	sub_59FC22
sub_59FC2A	endp


;  S U B	R O U T	I N E 


sub_59FC32	proc near		; CODE XREF: sub_59FC3A+3p
		add	esp, 4
		call	sub_59FC2A
sub_59FC32	endp


;  S U B	R O U T	I N E 


sub_59FC3A	proc near		; CODE XREF: sub_59FC42+3p
		add	esp, 4
		call	sub_59FC32
sub_59FC3A	endp


;  S U B	R O U T	I N E 


sub_59FC42	proc near		; CODE XREF: sub_59FC4A+3p
		add	esp, 4
		call	sub_59FC3A
sub_59FC42	endp


;  S U B	R O U T	I N E 


sub_59FC4A	proc near		; CODE XREF: sub_59FC52+3p
		add	esp, 4
		call	sub_59FC42
sub_59FC4A	endp


;  S U B	R O U T	I N E 


sub_59FC52	proc near		; CODE XREF: sub_59FC5A+3p
		add	esp, 4
		call	sub_59FC4A
sub_59FC52	endp


;  S U B	R O U T	I N E 


sub_59FC5A	proc near		; CODE XREF: sub_59FC62+3p
		add	esp, 4
		call	sub_59FC52
sub_59FC5A	endp


;  S U B	R O U T	I N E 


sub_59FC62	proc near		; CODE XREF: sub_59FC6A+3p
		add	esp, 4
		call	sub_59FC5A
sub_59FC62	endp


;  S U B	R O U T	I N E 


sub_59FC6A	proc near		; CODE XREF: sub_59FC72+3p
		add	esp, 4
		call	sub_59FC62
sub_59FC6A	endp


;  S U B	R O U T	I N E 


sub_59FC72	proc near		; CODE XREF: sub_59FC7A+3p
		add	esp, 4
		call	sub_59FC6A
sub_59FC72	endp


;  S U B	R O U T	I N E 


sub_59FC7A	proc near		; CODE XREF: sub_59FC82+3p
		add	esp, 4
		call	sub_59FC72
sub_59FC7A	endp


;  S U B	R O U T	I N E 


sub_59FC82	proc near		; CODE XREF: sub_59FC8A+3p
		add	esp, 4
		call	sub_59FC7A
sub_59FC82	endp


;  S U B	R O U T	I N E 


sub_59FC8A	proc near		; CODE XREF: sub_59FC92+3p
		add	esp, 4
		call	sub_59FC82
sub_59FC8A	endp


;  S U B	R O U T	I N E 


sub_59FC92	proc near		; CODE XREF: sub_59FC9A+3p
		add	esp, 4
		call	sub_59FC8A
sub_59FC92	endp


;  S U B	R O U T	I N E 


sub_59FC9A	proc near		; CODE XREF: sub_59FCA2+3p
		add	esp, 4
		call	sub_59FC92
sub_59FC9A	endp


;  S U B	R O U T	I N E 


sub_59FCA2	proc near		; CODE XREF: sub_59FCAA+3p
		add	esp, 4
		call	sub_59FC9A
sub_59FCA2	endp


;  S U B	R O U T	I N E 


sub_59FCAA	proc near		; CODE XREF: sub_59FCB2+3p
		add	esp, 4
		call	sub_59FCA2
sub_59FCAA	endp


;  S U B	R O U T	I N E 


sub_59FCB2	proc near		; CODE XREF: sub_59F909+2B4p
		add	esp, 4
		call	sub_59FCAA
sub_59FCB2	endp


;  S U B	R O U T	I N E 


sub_59FCBA	proc near		; CODE XREF: sub_59FBC2+3p

arg_68		= word ptr  6Ch
arg_6C		= dword	ptr  70h

		add	esp, 4

loc_59FCBD:				; CODE XREF: sub_59F909+2AEj
		test	large word ptr fs:22D8h, 20h
		jz	short loc_59FCD4
		xor	eax, eax
		xor	edx, edx
		mov	ecx, 1
		div	ecx

loc_59FCD4:				; CODE XREF: sub_59F909+262j
					; sub_59FCBA+Dj
		mov	edx, [ebp+38h]
		mov	ecx, [ebp+3Ch]
		mov	eax, [ebp+40h]
		cmp	word ptr [ebp+6Ch], 8
		jz	short loc_59FD23
		lea	esp, [ebp+2Ch]
		pop	gs
		test	ss:_KiKvaShadow, 1
		jz	short loc_59FD0A
		mov	ebx, [ebp+50h]
		mov	large dword ptr	fs:5020h, 0
		mov	large fs:5018h,	ebx
		jmp	short loc_59FD23
; 

loc_59FD0A:				; CODE XREF: sub_59FCBA+37j
		test	large word ptr fs:22D8h, 40h
		jz	short loc_59FD1E
		verw	large word ptr fs:5028h

loc_59FD1E:				; CODE XREF: sub_59FCBA+5Aj
		lea	esp, [ebp+50h]
		pop	fs
		assume fs:nothing

loc_59FD23:				; CODE XREF: sub_59FCBA+28j
					; sub_59FCBA+4Ej ...
		lea	esp, [ebp+54h]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		add	esp, 4
		test	ss:_KiKvaShadow, 1
		jz	short locret_59FD51
		test	[esp-68h+arg_6C], 20000h
		jnz	_KiKernelExit
		cmp	[esp-68h+arg_68], 8
		jnz	_KiKernelExit

locret_59FD51:				; CODE XREF: sub_59FCBA+7Bj
		iret
sub_59FCBA	endp ; sp =  68h

; 
		align 4
; START	OF FUNCTION CHUNK FOR sub_59F909

loc_59FD54:				; CODE XREF: sub_59F909+20Cj
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_59FD6A
		test	dword ptr [ebp+6Ch], 1
		jz	loc_59FB1B

loc_59FD6A:				; CODE XREF: sub_59F909+452j
		xor	ebx, ebx
		mov	esi, [ebp+14h]
		mov	edi, [ebp+18h]
		mov	dr7, ebx
		mov	dr0, esi
		mov	ebx, [ebp+1Ch]
		mov	dr1, edi
		mov	dr2, ebx
		mov	esi, [ebp+20h]
		mov	edi, [ebp+24h]
		mov	ebx, [ebp+28h]
		mov	dr3, esi
		mov	dr6, edi
		mov	dr7, ebx
		jmp	loc_59FB1B
; 

loc_59FD98:				; CODE XREF: sub_59F909+258j
		mov	eax, [ebp+40h]
		lea	esp, [ebp+2Ch]
		pop	gs
		test	ss:_KiKvaShadow, 1
		jz	short loc_59FDDD
		mov	large dword ptr	fs:5020h, 1
		mov	ebx, [ebp+50h]
		mov	esi, [ebp+30h]
		mov	edi, [ebp+34h]
		mov	large fs:5018h,	ebx
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	edi
		lea	esp, [ebp+38h]
		pop	edx
		pop	ecx
		jmp	loc_59FD23
; 

loc_59FDDD:				; CODE XREF: sub_59F909+49Fj
		pop	es
		assume es:nothing
		pop	ds
		assume ds:_data
		pop	edx
		pop	ecx
		lea	esp, [ebp+50h]
		pop	fs
		jmp	loc_59FD23
; 

loc_59FDEB:				; CODE XREF: sub_59F909+246j
		movzx	ebx, word ptr [ebp+0Ch]
		mov	[ebp+6Ch], ebx
		mov	ebx, [ebp+10h]
		sub	ebx, 0Ch
		mov	[ebp+64h], ebx
		mov	esi, [ebp+70h]
		mov	[ebx+8], esi
		mov	esi, [ebp+6Ch]
		mov	[ebx+4], esi
		mov	esi, [ebp+68h]
		mov	[ebx], esi
		mov	eax, [ebp+40h]
		mov	edx, [ebp+38h]
		mov	ecx, [ebp+3Ch]
		lea	esp, [ebp+54h]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		mov	esp, [esp-64h+arg_60]
		iret
; 

loc_59FE20:				; CODE XREF: sub_59F909+7Aj
					; sub_59F909+D7j ...
		mov	eax, 0Dh
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_59FE30
		call	_KiSystemFatalException

loc_59FE30:				; CODE XREF: sub_59F909+520j
		mov	ebx, large fs:124h
		mov	ebx, [ebx+80h]
		cmp	word ptr [ebp+6Ch], 1Bh
		jz	short loc_59FE76
		cmp	dword ptr [ebx+0F4h], 0
		jnz	loc_59FFEA
		sti
		cmp	word ptr [ebp+64h], 0
		jnz	loc_59FFCE
		jmp	short loc_59FEA4
; 

loc_59FE5F:				; CODE XREF: sub_59F909+590j
					; sub_59F909+599j
		add	dword ptr [ebp+68h], 1

loc_59FE63:				; CODE XREF: sub_59F909+587j
		mov	dword ptr [edx], 0
		add	dword ptr [ebp+68h], 1
		add	dword ptr [ebp+74h], 4
		jmp	Kei386EoiHelper@0
; 

loc_59FE76:				; CODE XREF: sub_59F909+539j
		cmp	dword ptr [ebx+0F4h], 0
		jz	short loc_59FEA4
		sti
		mov	eax, [ebp+68h]
		push	eax
		call	_VdmFetchBop4@4	; VdmFetchBop4(x)
		mov	edx, ebp
		add	edx, 30h
		cmp	al, 7
		jz	short loc_59FE63
		add	edx, 20h
		cmp	ax, 0A10Fh
		jz	short loc_59FE5F
		add	edx, 0FFFFFFDCh
		cmp	ax, 0A90Fh
		jz	short loc_59FE5F

loc_59FEA4:				; CODE XREF: sub_59F909+554j
					; sub_59F909+574j
		sti
		xor	dl, dl
		call	KiScanForPrefix
		push	ebp
		push	offset Ktd_ExceptionHandler
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		cmp	al, 0F4h
		jz	loc_59FFA8
		cmp	al, 0Fh
		jnz	short loc_59FF47
		lodsb
		cmp	al, 0
		jnz	short loc_59FEE9
		lodsb
		and	al, 38h
		cmp	al, 10h
		jz	loc_59FFA8
		cmp	al, 18h
		jz	loc_59FFA8
		jmp	loc_59FFC4
; 

loc_59FEE9:				; CODE XREF: sub_59F909+5C6j
		cmp	al, 1
		jnz	short loc_59FF0D
		lodsb
		and	al, 38h
		cmp	al, 10h
		jz	loc_59FFA8
		cmp	al, 18h
		jz	loc_59FFA8
		cmp	al, 30h
		jz	loc_59FFA8
		jmp	loc_59FFC4
; 

loc_59FF0D:				; CODE XREF: sub_59F909+5E2j
		cmp	al, 8
		jz	loc_59FFA8
		cmp	al, 9
		jz	loc_59FFA8
		cmp	al, 35h
		jz	loc_59FFA8
		cmp	al, 26h
		jz	short loc_59FFA8
		cmp	al, 6
		jz	short loc_59FFA8
		cmp	al, 20h
		jb	loc_59FFC4
		cmp	al, 24h
		jbe	short loc_59FFA8
		cmp	al, 30h
		jb	loc_59FFC4
		cmp	al, 33h
		jbe	short loc_59FFA8
		jmp	short loc_59FFC4
; 

loc_59FF47:				; CODE XREF: sub_59F909+5C1j
		mov	ebx, [ebp+70h]
		and	ebx, 3000h
		shr	ebx, 0Ch
		mov	ecx, [ebp+6Ch]
		and	ecx, 3
		cmp	ebx, ecx
		jge	short loc_59FFC4
		cmp	al, 0FAh
		jz	short loc_59FFA8
		cmp	al, 0FBh
		jz	short loc_59FFA8
		mov	ecx, 0Ch
		mov	edi, offset aFxAlmccuqno ; "lmno"
		repne scasb
		jnz	short loc_59FFC4
		mov	edi, large fs:1Ch
		mov	esi, [edi+3Ch]
		add	esi, 28h
		movzx	ebx, word ptr [esi]
		mov	edx, [ebp+38h]
		mov	ecx, edx
		and	ecx, 7
		shr	edx, 3
		mov	edi, [edi+40h]
		movzx	eax, word ptr [edi+66h]
		add	edx, eax
		cmp	edx, ebx
		ja	short loc_59FFA8
		add	edi, edx
		mov	edx, 1
		shl	edx, cl
		test	[edi], edx
		jz	short loc_59FFC4

loc_59FFA8:				; CODE XREF: sub_59F909+5B9j
					; sub_59F909+5CDj ...
		pop	large dword ptr	fs:0
		add	esp, 8
		mov	ebx, [ebp+68h]
		mov	edi, esp
		mov	eax, 0C0000096h
		xor	ecx, ecx
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_59FFC4:				; CODE XREF: sub_59F909+5DBj
					; sub_59F909+5FFj ...
		pop	large dword ptr	fs:0
		add	esp, 8
; END OF FUNCTION CHUNK	FOR sub_59F909
; START	OF FUNCTION CHUNK FOR Ktd_ExceptionHandler

loc_59FFCE:				; CODE XREF: Ktd_ExceptionHandler+16j
					; Ktd_ExceptionHandler+35Bj ...
		mov	ebx, [ebp+68h]
		xor	edx, edx
		mov	esi, 0FFFFFFFFh
		mov	eax, 0C0000005h
		mov	ecx, 2
		mov	edi, esp
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_59FFEA:				; CODE XREF: sub_59F909+542j
		mov	ecx, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		sti
		push	eax
		push	ebp
		call	_VdmDispatchOpcode_try@4 ; VdmDispatchOpcode_try(x)
		or	al, al
		jnz	short loc_5A0015
		push	0Dh
		call	_Ki386VdmReflectException@4 ; Ki386VdmReflectException(x)
		test	al, 0Fh
		jnz	short loc_5A0015
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_59FFCE
; 

loc_5A0015:				; CODE XREF: Ktd_ExceptionHandler+ED7j
					; Ktd_ExceptionHandler+EE2j
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	Kei386EoiHelper@0
; END OF FUNCTION CHUNK	FOR Ktd_ExceptionHandler
; 
; START	OF FUNCTION CHUNK FOR Dr_kite_a

loc_5A0021:				; CODE XREF: Dr_kite_a+346j
		test	dword ptr [ebp+64h], 4
		jnz	loc_5A03A4
		mov	eax, large fs:38h
		add	eax, 30h
		cmp	eax, edi

loc_5A0039:				; DATA XREF: .text:00410E34o
		jnz	loc_5A03A4
		mov	dword ptr [ebp+64h], 0
		test	byte ptr [ebp+72h], 2
		jnz	loc_59D612
		jmp	loc_59DB22
; END OF FUNCTION CHUNK	FOR Dr_kite_a
; 
		align 4

;  S U B	R O U T	I N E 


Dr_kite_a	proc near		; CODE XREF: Dr_kite_a+323j

; FUNCTION CHUNK AT 005A0021 SIZE 00000034 BYTES

		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A006B
		test	byte ptr [ebp+6Ch], 1
		jz	loc_5A0381

loc_5A006B:				; CODE XREF: Dr_kite_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_5A0381
; 
		align 4

V86_kite_a:				; CODE XREF: Dr_kite_a+30Dj
		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_5A036B
; 
		align 4

_KiTrap0E:				; CODE XREF: _KiTrap0EShadow+2Fj
					; _KiTrap0EShadow+BBj
					; DATA XREF: ...
		mov	word ptr [esp+2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		assume fs:nothing
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		assume ds:nothing
		mov	es, ax
		assume es:nothing
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_5A017D
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A017D
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_5A017D
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_5A017D:				; CODE XREF: Dr_kite_a+F7j
					; Dr_kite_a+100j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A01AA
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_5A01AA
		lfence	eax
		jmp	loc_5A0334
; 
		dd 5B70F64h, 22DAh, 48B9h, 0FD23300h, 18AE930h
		db 2 dup(0)
; 

loc_5A01AA:				; CODE XREF: Dr_kite_a+12Cj
					; Dr_kite_a+132j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_5A01F2
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_5A01F2:				; CODE XREF: Dr_kite_a+188j
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_5A0218
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_5A0218:				; CODE XREF: Dr_kite_a+1A8j
		test	edx, 2
		jz	loc_5A0324
		call	loc_5A0319

loc_5A0229:				; CODE XREF: Dr_kite_a+1DCp
		add	esp, 4
		call	loc_5A0321

loc_5A0231:				; CODE XREF: Dr_kite_a+1E4p
		add	esp, 4
		call	loc_5A0229

loc_5A0239:				; CODE XREF: Dr_kite_a+1ECp
		add	esp, 4
		call	loc_5A0231

loc_5A0241:				; CODE XREF: Dr_kite_a+1F4p
		add	esp, 4
		call	loc_5A0239

loc_5A0249:				; CODE XREF: Dr_kite_a+1FCp
		add	esp, 4
		call	loc_5A0241

loc_5A0251:				; CODE XREF: Dr_kite_a+204p
		add	esp, 4
		call	loc_5A0249

loc_5A0259:				; CODE XREF: Dr_kite_a+20Cp
		add	esp, 4
		call	loc_5A0251

loc_5A0261:				; CODE XREF: Dr_kite_a+214p
		add	esp, 4
		call	loc_5A0259

loc_5A0269:				; CODE XREF: Dr_kite_a+21Cp
		add	esp, 4
		call	loc_5A0261

loc_5A0271:				; CODE XREF: Dr_kite_a+224p
		add	esp, 4
		call	loc_5A0269

loc_5A0279:				; CODE XREF: Dr_kite_a+22Cp
		add	esp, 4
		call	loc_5A0271

loc_5A0281:				; CODE XREF: Dr_kite_a+234p
		add	esp, 4
		call	loc_5A0279

loc_5A0289:				; CODE XREF: Dr_kite_a+23Cp
		add	esp, 4
		call	loc_5A0281

loc_5A0291:				; CODE XREF: Dr_kite_a+244p
		add	esp, 4
		call	loc_5A0289

loc_5A0299:				; CODE XREF: Dr_kite_a+24Cp
		add	esp, 4
		call	loc_5A0291

loc_5A02A1:				; CODE XREF: Dr_kite_a+254p
		add	esp, 4
		call	loc_5A0299

loc_5A02A9:				; CODE XREF: Dr_kite_a+25Cp
		add	esp, 4
		call	loc_5A02A1

loc_5A02B1:				; CODE XREF: Dr_kite_a+264p
		add	esp, 4
		call	loc_5A02A9

loc_5A02B9:				; CODE XREF: Dr_kite_a+26Cp
		add	esp, 4
		call	loc_5A02B1

loc_5A02C1:				; CODE XREF: Dr_kite_a+274p
		add	esp, 4
		call	loc_5A02B9

loc_5A02C9:				; CODE XREF: Dr_kite_a+27Cp
		add	esp, 4
		call	loc_5A02C1

loc_5A02D1:				; CODE XREF: Dr_kite_a+284p
		add	esp, 4
		call	loc_5A02C9

loc_5A02D9:				; CODE XREF: Dr_kite_a+28Cp
		add	esp, 4
		call	loc_5A02D1

loc_5A02E1:				; CODE XREF: Dr_kite_a+294p
		add	esp, 4
		call	loc_5A02D9

loc_5A02E9:				; CODE XREF: Dr_kite_a+29Cp
		add	esp, 4
		call	loc_5A02E1

loc_5A02F1:				; CODE XREF: Dr_kite_a+2A4p
		add	esp, 4
		call	loc_5A02E9

loc_5A02F9:				; CODE XREF: Dr_kite_a+2ACp
		add	esp, 4
		call	loc_5A02F1

loc_5A0301:				; CODE XREF: Dr_kite_a+2B4p
		add	esp, 4
		call	loc_5A02F9

loc_5A0309:				; CODE XREF: Dr_kite_a+2BCp
		add	esp, 4
		call	loc_5A0301

loc_5A0311:				; CODE XREF: Dr_kite_a+2C4p
		add	esp, 4
		call	loc_5A0309

loc_5A0319:				; CODE XREF: Dr_kite_a+1CCp
		add	esp, 4
		call	loc_5A0311

loc_5A0321:				; CODE XREF: Dr_kite_a+1D4p
		add	esp, 4

loc_5A0324:				; CODE XREF: Dr_kite_a+1C6j
		test	edx, 80h
		jz	short loc_5A0331
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_5A0331:				; CODE XREF: Dr_kite_a+2D2j
		lfence	eax

loc_5A0334:				; CODE XREF: Dr_kite_a+137j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kite_a

loc_5A036B:				; CODE XREF: Dr_kite_a+A5j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kite_a

loc_5A0381:				; CODE XREF: Dr_kite_a+Dj
					; Dr_kite_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		mov	edi, cr2
		cmp	ds:_KiI386PentiumLockErrataPresent, 0
		jnz	loc_5A0021

loc_5A03A4:				; CODE XREF: Dr_kite_a-30j
					; Dr_kite_a:loc_5A0039j
		test	dword ptr [ebp+70h], 200h
		jz	loc_5A04AD

loc_5A03B1:				; CODE XREF: Dr_kite_a+45Cj
					; Dr_kite_a+469j
		mov	eax, [ebp+6Ch]
		and	eax, 1
		test	byte ptr [ebp+72h], 2
		jz	short loc_5A03C2
		mov	eax, 1

loc_5A03C2:				; CODE XREF: Dr_kite_a+363j
		sti
		push	ebp
		push	eax
		push	edi
		mov	ebx, [ebp+64h]
		push	ebx
		call	MmAccessFault
		test	eax, eax
		jl	short loc_5A0422
		cmp	ds:_PsWatchEnabled, 0
		jz	short loc_5A03E7
		mov	ecx, [ebp+68h]
		push	edi
		push	ecx
		push	eax
		call	_PsWatchWorkingSet@12 ;	PsWatchWorkingSet(x,x,x)

loc_5A03E7:				; CODE XREF: Dr_kite_a+382j
		cmp	ds:_KdpOweBreakpoint, 0
		jz	short loc_5A03F6
		push	edi
		call	_KdSetOwedBreakpoints@4	; KdSetOwedBreakpoints(x)

loc_5A03F6:				; CODE XREF: Dr_kite_a+396j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		or	al, al
		mov	bl, al
		jnz	short loc_5A040A
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_5A040A:				; CODE XREF: Dr_kite_a+3A8j
		mov	ecx, ebp
		call	@KiCheckForSListAddress@4 ; KiCheckForSListAddress(x)
		or	bl, bl
		jnz	short loc_5A041D
		mov	cl, 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5A041D:				; CODE XREF: Dr_kite_a+3BBj
		jmp	Kei386EoiHelper@0
; 

loc_5A0422:				; CODE XREF: Dr_kite_a+379j
		mov	esi, eax
		push	edi
		push	ebx
		push	ebp
		call	KiPreprocessAccessViolation
		test	al, al
		jnz	Kei386EoiHelper@0
		mov	eax, esi
		shr	ebx, 1
		and	ebx, 9
		mov	esi, [ebp+68h]
		cmp	eax, 0C0000005h
		jz	short loc_5A0473
		cmp	eax, 80000001h
		jz	short loc_5A0478
		cmp	eax, 0C00000FDh
		jz	short loc_5A0478
		cmp	eax, 0D0000006h
		jz	short loc_5A048B
		mov	edx, ebx
		mov	ebx, esi
		mov	esi, edi
		mov	edi, esp
		mov	ecx, 3
		push	eax
		mov	eax, 0C0000006h
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_5A0473:				; CODE XREF: Dr_kite_a+3EBj
		mov	eax, 10000004h

loc_5A0478:				; CODE XREF: Dr_kite_a+3F2j
					; Dr_kite_a+3F9j
		mov	edx, ebx
		mov	ebx, esi
		mov	esi, edi
		mov	edi, esp
		mov	ecx, 2
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_5A048B:				; CODE XREF: Dr_kite_a+400j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al

loc_5A0494:				; CODE XREF: Dr_kite_a+474j
		lock inc ds:_KiHardwareTrigger
		mov	ecx, [ebp+64h]
		mov	esi, [ebp+68h]
		push	ebp
		push	esi
		push	ecx
		push	eax
		push	edi
		push	0Ah
		call	_KiBugCheck2@24	; KiBugCheck2(x,x,x,x,x,x)

loc_5A04AD:				; CODE XREF: Dr_kite_a+353j
		cmp	ds:_KiFreezeFlag, 0
		jnz	loc_5A03B1
		cmp	ds:_KiBugCheckData, 0
		jnz	loc_5A03B1
		mov	eax, 0FFh
		jmp	short loc_5A0494
Dr_kite_a	endp

; 
		align 10h

;  S U B	R O U T	I N E 


Dr_kitf_a	proc near		; CODE XREF: V86_kitf_a+2A5j
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A04E3
		test	byte ptr [ebp+6Ch], 1
		jz	loc_5A07FB

loc_5A04E3:				; CODE XREF: Dr_kitf_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_5A07FB
Dr_kitf_a	endp

; 
		align 10h

;  S U B	R O U T	I N E 


V86_kitf_a	proc near		; CODE XREF: V86_kitf_a+28Fj

var_2		= word ptr -2

		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_5A07E5
; 
		align 4

_KiTrap0F:				; CODE XREF: _KiTrap0FShadow+34j
					; _KiTrap0FShadow+BDj
					; DATA XREF: ...
		push	0
		mov	[esp+4+var_2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_5A05F7
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A05F7
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_5A05F7
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_5A05F7:				; CODE XREF: V86_kitf_a+79j
					; V86_kitf_a+82j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A0624
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_5A0624
		lfence	eax
		jmp	loc_5A07AE
; 
		dw 0F64h
		dd 22DA05B7h, 48B90000h, 33000000h, 0E9300FD2h,	18Ah
; 

loc_5A0624:				; CODE XREF: V86_kitf_a+AEj
					; V86_kitf_a+B4j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_5A066C
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_5A066C:				; CODE XREF: V86_kitf_a+10Aj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_5A0692
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_5A0692:				; CODE XREF: V86_kitf_a+12Aj
		test	edx, 2
		jz	loc_5A079E
		call	loc_5A0793

loc_5A06A3:				; CODE XREF: V86_kitf_a+15Ep
		add	esp, 4
		call	loc_5A079B

loc_5A06AB:				; CODE XREF: V86_kitf_a+166p
		add	esp, 4
		call	loc_5A06A3

loc_5A06B3:				; CODE XREF: V86_kitf_a+16Ep
		add	esp, 4
		call	loc_5A06AB

loc_5A06BB:				; CODE XREF: V86_kitf_a+176p
		add	esp, 4
		call	loc_5A06B3

loc_5A06C3:				; CODE XREF: V86_kitf_a+17Ep
		add	esp, 4
		call	loc_5A06BB

loc_5A06CB:				; CODE XREF: V86_kitf_a+186p
		add	esp, 4
		call	loc_5A06C3

loc_5A06D3:				; CODE XREF: V86_kitf_a+18Ep
		add	esp, 4
		call	loc_5A06CB

loc_5A06DB:				; CODE XREF: V86_kitf_a+196p
		add	esp, 4
		call	loc_5A06D3

loc_5A06E3:				; CODE XREF: V86_kitf_a+19Ep
		add	esp, 4
		call	loc_5A06DB

loc_5A06EB:				; CODE XREF: V86_kitf_a+1A6p
		add	esp, 4
		call	loc_5A06E3

loc_5A06F3:				; CODE XREF: V86_kitf_a+1AEp
		add	esp, 4
		call	loc_5A06EB

loc_5A06FB:				; CODE XREF: V86_kitf_a+1B6p
		add	esp, 4
		call	loc_5A06F3

loc_5A0703:				; CODE XREF: V86_kitf_a+1BEp
		add	esp, 4
		call	loc_5A06FB

loc_5A070B:				; CODE XREF: V86_kitf_a+1C6p
		add	esp, 4
		call	loc_5A0703

loc_5A0713:				; CODE XREF: V86_kitf_a+1CEp
		add	esp, 4
		call	loc_5A070B

loc_5A071B:				; CODE XREF: V86_kitf_a+1D6p
		add	esp, 4
		call	loc_5A0713

loc_5A0723:				; CODE XREF: V86_kitf_a+1DEp
		add	esp, 4
		call	loc_5A071B

loc_5A072B:				; CODE XREF: V86_kitf_a+1E6p
		add	esp, 4
		call	loc_5A0723

loc_5A0733:				; CODE XREF: V86_kitf_a+1EEp
		add	esp, 4
		call	loc_5A072B

loc_5A073B:				; CODE XREF: V86_kitf_a+1F6p
		add	esp, 4
		call	loc_5A0733

loc_5A0743:				; CODE XREF: V86_kitf_a+1FEp
		add	esp, 4
		call	loc_5A073B

loc_5A074B:				; CODE XREF: V86_kitf_a+206p
		add	esp, 4
		call	loc_5A0743

loc_5A0753:				; CODE XREF: V86_kitf_a+20Ep
		add	esp, 4
		call	loc_5A074B

loc_5A075B:				; CODE XREF: V86_kitf_a+216p
		add	esp, 4
		call	loc_5A0753

loc_5A0763:				; CODE XREF: V86_kitf_a+21Ep
		add	esp, 4
		call	loc_5A075B

loc_5A076B:				; CODE XREF: V86_kitf_a+226p
		add	esp, 4
		call	loc_5A0763

loc_5A0773:				; CODE XREF: V86_kitf_a+22Ep
		add	esp, 4
		call	loc_5A076B

loc_5A077B:				; CODE XREF: V86_kitf_a+236p
		add	esp, 4
		call	loc_5A0773

loc_5A0783:				; CODE XREF: V86_kitf_a+23Ep
		add	esp, 4
		call	loc_5A077B

loc_5A078B:				; CODE XREF: V86_kitf_a+246p
		add	esp, 4
		call	loc_5A0783

loc_5A0793:				; CODE XREF: V86_kitf_a+14Ep
		add	esp, 4
		call	loc_5A078B

loc_5A079B:				; CODE XREF: V86_kitf_a+156p
		add	esp, 4

loc_5A079E:				; CODE XREF: V86_kitf_a+148j
		test	edx, 80h
		jz	short loc_5A07AB
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_5A07AB:				; CODE XREF: V86_kitf_a+254j
		lfence	eax

loc_5A07AE:				; CODE XREF: V86_kitf_a+B9j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kitf_a

loc_5A07E5:				; CODE XREF: V86_kitf_a+25j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kitf_a

loc_5A07FB:				; CODE XREF: Dr_kitf_a+Dj
					; Dr_kitf_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		mov	eax, 0Fh
		call	_KiSystemFatalException
		int	3		; Trap to Debugger
		lea	ecx, [ecx+0]
V86_kitf_a	endp


;  S U B	R O U T	I N E 


Dr_kit10_a	proc near		; CODE XREF: Dr_kit10_a+325j

var_268		= dword	ptr -268h
var_2		= word ptr -2

		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A082F
		test	byte ptr [ebp+6Ch], 1
		jz	loc_5A0B47

loc_5A082F:				; CODE XREF: Dr_kit10_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_5A0B47
; 
		align 4

V86_kit10_a:				; CODE XREF: Dr_kit10_a+30Fj
		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_5A0B31
; 
		align 4

_KiTrap10:				; CODE XREF: _KiTrap10Shadow+34j
					; _KiTrap10Shadow+BDj
					; DATA XREF: ...
		push	0
		mov	[esp+4+var_2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_5A0943
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A0943
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_5A0943
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_5A0943:				; CODE XREF: Dr_kit10_a+F9j
					; Dr_kit10_a+102j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A0970
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_5A0970
		lfence	eax
		jmp	loc_5A0AFA
; 
		dw 0F64h
		dd 22DA05B7h, 48B90000h, 33000000h, 0E9300FD2h,	18Ah
; 

loc_5A0970:				; CODE XREF: Dr_kit10_a+12Ej
					; Dr_kit10_a+134j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_5A09B8
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_5A09B8:				; CODE XREF: Dr_kit10_a+18Aj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_5A09DE
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_5A09DE:				; CODE XREF: Dr_kit10_a+1AAj
		test	edx, 2
		jz	loc_5A0AEA
		call	loc_5A0ADF

loc_5A09EF:				; CODE XREF: Dr_kit10_a+1DEp
		add	esp, 4
		call	loc_5A0AE7

loc_5A09F7:				; CODE XREF: Dr_kit10_a+1E6p
		add	esp, 4
		call	loc_5A09EF

loc_5A09FF:				; CODE XREF: Dr_kit10_a+1EEp
		add	esp, 4
		call	loc_5A09F7

loc_5A0A07:				; CODE XREF: Dr_kit10_a+1F6p
		add	esp, 4
		call	loc_5A09FF

loc_5A0A0F:				; CODE XREF: Dr_kit10_a+1FEp
		add	esp, 4
		call	loc_5A0A07

loc_5A0A17:				; CODE XREF: Dr_kit10_a+206p
		add	esp, 4
		call	loc_5A0A0F

loc_5A0A1F:				; CODE XREF: Dr_kit10_a+20Ep
		add	esp, 4
		call	loc_5A0A17

loc_5A0A27:				; CODE XREF: Dr_kit10_a+216p
		add	esp, 4
		call	loc_5A0A1F

loc_5A0A2F:				; CODE XREF: Dr_kit10_a+21Ep
		add	esp, 4
		call	loc_5A0A27

loc_5A0A37:				; CODE XREF: Dr_kit10_a+226p
		add	esp, 4
		call	loc_5A0A2F

loc_5A0A3F:				; CODE XREF: Dr_kit10_a+22Ep
		add	esp, 4
		call	loc_5A0A37

loc_5A0A47:				; CODE XREF: Dr_kit10_a+236p
		add	esp, 4
		call	loc_5A0A3F

loc_5A0A4F:				; CODE XREF: Dr_kit10_a+23Ep
		add	esp, 4
		call	loc_5A0A47

loc_5A0A57:				; CODE XREF: Dr_kit10_a+246p
		add	esp, 4
		call	loc_5A0A4F

loc_5A0A5F:				; CODE XREF: Dr_kit10_a+24Ep
		add	esp, 4
		call	loc_5A0A57

loc_5A0A67:				; CODE XREF: Dr_kit10_a+256p
		add	esp, 4
		call	loc_5A0A5F

loc_5A0A6F:				; CODE XREF: Dr_kit10_a+25Ep
		add	esp, 4
		call	loc_5A0A67

loc_5A0A77:				; CODE XREF: Dr_kit10_a+266p
		add	esp, 4
		call	loc_5A0A6F

loc_5A0A7F:				; CODE XREF: Dr_kit10_a+26Ep
		add	esp, 4
		call	loc_5A0A77

loc_5A0A87:				; CODE XREF: Dr_kit10_a+276p
		add	esp, 4
		call	loc_5A0A7F

loc_5A0A8F:				; CODE XREF: Dr_kit10_a+27Ep
		add	esp, 4
		call	loc_5A0A87

loc_5A0A97:				; CODE XREF: Dr_kit10_a+286p
		add	esp, 4
		call	loc_5A0A8F

loc_5A0A9F:				; CODE XREF: Dr_kit10_a+28Ep
		add	esp, 4
		call	loc_5A0A97

loc_5A0AA7:				; CODE XREF: Dr_kit10_a+296p
		add	esp, 4
		call	loc_5A0A9F

loc_5A0AAF:				; CODE XREF: Dr_kit10_a+29Ep
		add	esp, 4
		call	loc_5A0AA7

loc_5A0AB7:				; CODE XREF: Dr_kit10_a+2A6p
		add	esp, 4
		call	loc_5A0AAF

loc_5A0ABF:				; CODE XREF: Dr_kit10_a+2AEp
		add	esp, 4
		call	loc_5A0AB7

loc_5A0AC7:				; CODE XREF: Dr_kit10_a+2B6p
		add	esp, 4
		call	loc_5A0ABF

loc_5A0ACF:				; CODE XREF: Dr_kit10_a+2BEp
		add	esp, 4
		call	loc_5A0AC7

loc_5A0AD7:				; CODE XREF: Dr_kit10_a+2C6p
		add	esp, 4
		call	loc_5A0ACF

loc_5A0ADF:				; CODE XREF: Dr_kit10_a+1CEp
		add	esp, 4
		call	loc_5A0AD7

loc_5A0AE7:				; CODE XREF: Dr_kit10_a+1D6p
		add	esp, 4

loc_5A0AEA:				; CODE XREF: Dr_kit10_a+1C8j
		test	edx, 80h
		jz	short loc_5A0AF7
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_5A0AF7:				; CODE XREF: Dr_kit10_a+2D4j
		lfence	eax

loc_5A0AFA:				; CODE XREF: Dr_kit10_a+139j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kit10_a

loc_5A0B31:				; CODE XREF: Dr_kit10_a+A5j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kit10_a

loc_5A0B47:				; CODE XREF: Dr_kit10_a+Dj
					; Dr_kit10_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		mov	edi, esp
		sub	esp, 200h
		fxsave	[esp+268h+var_268]
		test	byte ptr [ebp+72h], 2
		jnz	loc_5A0C0F
		test	word ptr [ebp+6Ch], 1
		jz	short loc_5A0B85
		cmp	word ptr [ebp+6Ch], 1Bh
		jnz	loc_5A0C0F
		jmp	short loc_5A0B8E
; 

loc_5A0B85:				; CODE XREF: Dr_kit10_a+35Aj
		test	dword ptr [ebp+70h], 200h
		jz	short loc_5A0B8F

loc_5A0B8E:				; CODE XREF: Dr_kit10_a+367j
					; Dr_kit10_a+407j
		sti

loc_5A0B8F:				; CODE XREF: Dr_kit10_a+370j
					; Dr_kit10_a+42Bj
		mov	ebx, [ebp+68h]
		movzx	edx, word ptr [esp+268h+var_268]
		movzx	ecx, word ptr [esp+268h+var_268+2]
		and	edx, 3Fh
		not	edx
		and	ecx, edx
		mov	eax, 0C0000090h
		test	cl, 1
		jz	short loc_5A0BB8
		test	cl, 40h
		jz	short loc_5A0BEA
		mov	eax, 0C0000092h
		jmp	short loc_5A0BEA
; 

loc_5A0BB8:				; CODE XREF: Dr_kit10_a+38Ej
		mov	eax, 0C000008Eh
		test	cl, 4
		jnz	short loc_5A0BEA
		mov	eax, 0C0000090h
		test	cl, 2
		jnz	short loc_5A0BEA
		mov	eax, 0C0000091h
		test	cl, 8
		jnz	short loc_5A0BEA
		mov	eax, 0C0000093h
		test	cl, 10h
		jnz	short loc_5A0BEA
		mov	eax, 0C000008Fh
		test	cl, 20h
		jz	short loc_5A0BF7

loc_5A0BEA:				; CODE XREF: Dr_kit10_a+393j
					; Dr_kit10_a+39Aj ...
		mov	ecx, 1
		xor	edx, edx
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_5A0BF7:				; CODE XREF: Dr_kit10_a+3CCj
		mov	ecx, [ebp+68h]
		mov	eax, cr0
		mov	edx, cr4
		push	0
		push	ecx
		push	edx
		push	eax
		push	10h
		push	7Fh
		call	_KiBugCheck2@24	; KiBugCheck2(x,x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5A0C0F:				; CODE XREF: Dr_kit10_a+34Ej
					; Dr_kit10_a+361j
		mov	esi, large fs:124h
		mov	ebx, [esi+80h]
		cmp	dword ptr [ebx+0F4h], 0
		jz	loc_5A0B8E
		mov	ecx, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	eax
		sti
		push	ebp
		call	_VdmDispatchIRQ13@4 ; VdmDispatchIRQ13(x)
		test	al, 0Fh
		jnz	short loc_5A0C4C
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_5A0B8F
; 

loc_5A0C4C:				; CODE XREF: Dr_kit10_a+422j
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, esp
		jmp	Kei386EoiHelper@0
Dr_kit10_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


Dr_kit11_a	proc near		; CODE XREF: Dr_kit11_a+323j

var_68		= dword	ptr -68h

		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A0C6F
		test	byte ptr [ebp+6Ch], 1
		jz	loc_5A0F85

loc_5A0C6F:				; CODE XREF: Dr_kit11_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_5A0F85
; 
		align 4

V86_kit11_a:				; CODE XREF: Dr_kit11_a+30Dj
		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_5A0F6F
; 
		align 4

_KiTrap11:				; CODE XREF: _KiTrap11Shadow+2Fj
					; _KiTrap11Shadow+BBj
					; DATA XREF: ...
		mov	word ptr [esp+2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_5A0D81
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A0D81
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_5A0D81
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_5A0D81:				; CODE XREF: Dr_kit11_a+F7j
					; Dr_kit11_a+100j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A0DAE
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_5A0DAE
		lfence	eax
		jmp	loc_5A0F38
; 
		dd 5B70F64h, 22DAh, 48B9h, 0FD23300h, 18AE930h
		db 2 dup(0)
; 

loc_5A0DAE:				; CODE XREF: Dr_kit11_a+12Cj
					; Dr_kit11_a+132j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_5A0DF6
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_5A0DF6:				; CODE XREF: Dr_kit11_a+188j
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_5A0E1C
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_5A0E1C:				; CODE XREF: Dr_kit11_a+1A8j
		test	edx, 2
		jz	loc_5A0F28
		call	loc_5A0F1D

loc_5A0E2D:				; CODE XREF: Dr_kit11_a+1DCp
		add	esp, 4
		call	loc_5A0F25

loc_5A0E35:				; CODE XREF: Dr_kit11_a+1E4p
		add	esp, 4
		call	loc_5A0E2D

loc_5A0E3D:				; CODE XREF: Dr_kit11_a+1ECp
		add	esp, 4
		call	loc_5A0E35

loc_5A0E45:				; CODE XREF: Dr_kit11_a+1F4p
		add	esp, 4
		call	loc_5A0E3D

loc_5A0E4D:				; CODE XREF: Dr_kit11_a+1FCp
		add	esp, 4
		call	loc_5A0E45

loc_5A0E55:				; CODE XREF: Dr_kit11_a+204p
		add	esp, 4
		call	loc_5A0E4D

loc_5A0E5D:				; CODE XREF: Dr_kit11_a+20Cp
		add	esp, 4
		call	loc_5A0E55

loc_5A0E65:				; CODE XREF: Dr_kit11_a+214p
		add	esp, 4
		call	loc_5A0E5D

loc_5A0E6D:				; CODE XREF: Dr_kit11_a+21Cp
		add	esp, 4
		call	loc_5A0E65

loc_5A0E75:				; CODE XREF: Dr_kit11_a+224p
		add	esp, 4
		call	loc_5A0E6D

loc_5A0E7D:				; CODE XREF: Dr_kit11_a+22Cp
		add	esp, 4
		call	loc_5A0E75

loc_5A0E85:				; CODE XREF: Dr_kit11_a+234p
		add	esp, 4
		call	loc_5A0E7D

loc_5A0E8D:				; CODE XREF: Dr_kit11_a+23Cp
		add	esp, 4
		call	loc_5A0E85

loc_5A0E95:				; CODE XREF: Dr_kit11_a+244p
		add	esp, 4
		call	loc_5A0E8D

loc_5A0E9D:				; CODE XREF: Dr_kit11_a+24Cp
		add	esp, 4
		call	loc_5A0E95

loc_5A0EA5:				; CODE XREF: Dr_kit11_a+254p
		add	esp, 4
		call	loc_5A0E9D

loc_5A0EAD:				; CODE XREF: Dr_kit11_a+25Cp
		add	esp, 4
		call	loc_5A0EA5

loc_5A0EB5:				; CODE XREF: Dr_kit11_a+264p
		add	esp, 4
		call	loc_5A0EAD

loc_5A0EBD:				; CODE XREF: Dr_kit11_a+26Cp
		add	esp, 4
		call	loc_5A0EB5

loc_5A0EC5:				; CODE XREF: Dr_kit11_a+274p
		add	esp, 4
		call	loc_5A0EBD

loc_5A0ECD:				; CODE XREF: Dr_kit11_a+27Cp
		add	esp, 4
		call	loc_5A0EC5

loc_5A0ED5:				; CODE XREF: Dr_kit11_a+284p
		add	esp, 4
		call	loc_5A0ECD

loc_5A0EDD:				; CODE XREF: Dr_kit11_a+28Cp
		add	esp, 4
		call	loc_5A0ED5

loc_5A0EE5:				; CODE XREF: Dr_kit11_a+294p
		add	esp, 4
		call	loc_5A0EDD

loc_5A0EED:				; CODE XREF: Dr_kit11_a+29Cp
		add	esp, 4
		call	loc_5A0EE5

loc_5A0EF5:				; CODE XREF: Dr_kit11_a+2A4p
		add	esp, 4
		call	loc_5A0EED

loc_5A0EFD:				; CODE XREF: Dr_kit11_a+2ACp
		add	esp, 4
		call	loc_5A0EF5

loc_5A0F05:				; CODE XREF: Dr_kit11_a+2B4p
		add	esp, 4
		call	loc_5A0EFD

loc_5A0F0D:				; CODE XREF: Dr_kit11_a+2BCp
		add	esp, 4
		call	loc_5A0F05

loc_5A0F15:				; CODE XREF: Dr_kit11_a+2C4p
		add	esp, 4
		call	loc_5A0F0D

loc_5A0F1D:				; CODE XREF: Dr_kit11_a+1CCp
		add	esp, 4
		call	loc_5A0F15

loc_5A0F25:				; CODE XREF: Dr_kit11_a+1D4p
		add	esp, 4

loc_5A0F28:				; CODE XREF: Dr_kit11_a+1C6j
		test	edx, 80h
		jz	short loc_5A0F35
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_5A0F35:				; CODE XREF: Dr_kit11_a+2D2j
		lfence	eax

loc_5A0F38:				; CODE XREF: Dr_kit11_a+137j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kit11_a

loc_5A0F6F:				; CODE XREF: Dr_kit11_a+A5j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kit11_a

loc_5A0F85:				; CODE XREF: Dr_kit11_a+Dj
					; Dr_kit11_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		test	byte ptr [ebp+72h], 2
		jnz	short loc_5A0FA5
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_5A0FE8
		sti

loc_5A0FA5:				; CODE XREF: Dr_kit11_a+340j
		mov	ebx, large fs:124h
		bt	dword ptr [ebx+60h], 2
		jnb	short loc_5A0FBF
		and	dword ptr [ebp+70h], 0FFFBFFFFh
		jmp	Kei386EoiHelper@0
; 

loc_5A0FBF:				; CODE XREF: Dr_kit11_a+355j
		mov	ebx, [ebp+68h]
		mov	edx, 10h
		mov	esi, [ebp+74h]
		cmp	word ptr [ebp+64h], 0
		jz	short loc_5A0FD6
		mov	edx, 0

loc_5A0FD6:				; CODE XREF: Dr_kit11_a+373j
		mov	eax, 80000002h
		mov	ecx, 2
		mov	edi, esp
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_5A0FE8:				; CODE XREF: Dr_kit11_a+346j
		mov	eax, 11h
		call	_KiSystemFatalException
		int	3		; Trap to Debugger

_KiTrap12:				; DATA XREF: .data:006B009Co
					; .data:006B08B4o
		cli
		clts
		mov	eax, large fs:40h
		mov	ecx, large fs:124h
		mov	edi, [ecx+80h]
		mov	ecx, [edi+18h]
		test	ss:_KiKvaShadow, 1
		jz	short loc_5A1064
		test	dword ptr [eax+24h], 20000h
		jnz	short loc_5A1056
		test	byte ptr [eax+4Ch], 1
		jnz	short loc_5A1056
		mov	ebx, large fs:3Ch
		lea	ebx, [ebx+6000h]
		cmp	[eax+38h], ebx
		ja	short loc_5A1064
		sub	ebx, 1000h
		cmp	[eax+38h], ebx
		jbe	short loc_5A1064
		mov	ebx, offset _KiKernelSysretExit
		cmp	[eax+20h], ebx
		jb	short loc_5A1064
		mov	ebx, offset _KiShadowExitEnd
		cmp	[eax+20h], ebx
		jnb	short loc_5A1064

loc_5A1056:				; CODE XREF: Dr_kit11_a+3C1j
					; Dr_kit11_a+3C7j
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_5A1064
		add	ecx, 20h

loc_5A1064:				; CODE XREF: Dr_kit11_a+3B8j
					; Dr_kit11_a+3D9j ...
		mov	[eax+1Ch], ecx
		mov	cx, [edi+76h]
		mov	[eax+66h], cx
		mov	ecx, [edi+1Ch]
		test	ecx, ecx
		jz	short loc_5A107A
		mov	cx, 48h

loc_5A107A:				; CODE XREF: Dr_kit11_a+418j
		mov	[eax+60h], cx
		mov	edi, large fs:3Ch
		mov	ch, [edi+0A7h]
		mov	cl, [edi+0A4h]
		shl	ecx, 10h
		mov	cx, [edi+0A2h]
		mov	large fs:40h, ecx
		pushf
		and	[esp+68h+var_68], 0FFFFBFFFh
		popf
		lea	ecx, [edi+0A0h]
		mov	byte ptr [ecx+5], 89h

loc_5A10B5:				; CODE XREF: Dr_kit11_a+469j
		push	0
		push	0
		push	0
		push	eax
		push	12h
		push	7Fh
		call	_KiBugCheck2@24	; KiBugCheck2(x,x,x,x,x,x)
		jmp	short loc_5A10B5
Dr_kit11_a	endp

; 
		align 4

;  S U B	R O U T	I N E 


Dr_kit13_a	proc near		; CODE XREF: Dr_kit13_a+325j

var_2		= word ptr -2

		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A10DB
		test	byte ptr [ebp+6Ch], 1
		jz	loc_5A13F3

loc_5A10DB:				; CODE XREF: Dr_kit13_a+7j
		mov	ebx, dr0
		mov	ecx, dr1
		mov	edi, dr2
		mov	[ebp+14h], ebx
		mov	[ebp+18h], ecx
		mov	[ebp+1Ch], edi
		mov	ebx, dr3
		mov	ecx, dr6
		mov	edi, dr7
		mov	[ebp+20h], ebx
		mov	[ebp+24h], ecx
		xor	ebx, ebx
		mov	[ebp+28h], edi
		mov	dr7, ebx
		mov	edi, large fs:20h
		mov	ebx, [edi+2F4h]
		mov	ecx, [edi+2F8h]
		mov	dr0, ebx
		mov	dr1, ecx
		mov	ebx, [edi+2FCh]
		mov	ecx, [edi+300h]
		mov	dr2, ebx
		mov	dr3, ecx
		mov	ebx, [edi+304h]
		mov	ecx, [edi+308h]
		mov	dr6, ebx
		mov	dr7, ecx
		jmp	loc_5A13F3
; 
		align 4

V86_kit13_a:				; CODE XREF: Dr_kit13_a+30Fj
		mov	eax, [ebp+84h]
		mov	ebx, [ebp+88h]
		mov	ecx, [ebp+7Ch]
		mov	edx, [ebp+80h]
		mov	[ebp+50h], ax
		mov	[ebp+2Ch], bx
		mov	[ebp+30h], cx
		mov	[ebp+34h], dx
		jmp	loc_5A13DD
; 
		align 4

_KiTrap13:				; CODE XREF: _KiTrap13Shadow+34j
					; _KiTrap13Shadow+BDj
					; DATA XREF: ...
		push	0
		mov	[esp+4+var_2], 0
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	fs
		mov	ebx, 30h
		mov	fs, bx
		push	large dword ptr	fs:0
		sub	esp, 8
		push	eax
		push	ecx
		push	edx
		push	ds
		push	es
		push	gs
		mov	eax, 23h
		sub	esp, 2Ch
		mov	ds, ax
		mov	es, ax
		mov	ebp, esp
		mov	byte ptr [ebp+0Fh], 1
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		test	ss:_KiKvaShadow, 1
		jz	short loc_5A11EF
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A11EF
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_5A11EF
		mov	ecx, large fs:5018h
		mov	edx, large fs:5010h
		mov	eax, large fs:5014h
		mov	[ebp+50h], ecx
		mov	[ebp+34h], edx
		mov	[ebp+30h], eax

loc_5A11EF:				; CODE XREF: Dr_kit13_a+F9j
					; Dr_kit13_a+102j ...
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_5A121C
		test	byte ptr [ebp+6Ch], 1
		jnz	short loc_5A121C
		lfence	eax
		jmp	loc_5A13A6
; 
		dw 0F64h
		dd 22DA05B7h, 48B90000h, 33000000h, 0E9300FD2h,	18Ah
; 

loc_5A121C:				; CODE XREF: Dr_kit13_a+12Ej
					; Dr_kit13_a+134j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+150h]
		mov	eax, [ecx+4A0h]
		mov	ecx, [ecx+4A4h]
		mov	large fs:22D0h,	eax
		mov	large fs:22D4h,	ecx
		movzx	eax, large word	ptr fs:22DCh
		cmp	large fs:22DAh,	ax
		jz	short loc_5A1264
		mov	large fs:22DAh,	ax
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_5A1264:				; CODE XREF: Dr_kit13_a+18Aj
		movzx	edx, large byte	ptr fs:22D8h
		test	edx, 8
		jz	short loc_5A128A
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr
		movzx	edx, large byte	ptr fs:22D8h

loc_5A128A:				; CODE XREF: Dr_kit13_a+1AAj
		test	edx, 2
		jz	loc_5A1396
		call	loc_5A138B

loc_5A129B:				; CODE XREF: Dr_kit13_a+1DEp
		add	esp, 4
		call	loc_5A1393

loc_5A12A3:				; CODE XREF: Dr_kit13_a+1E6p
		add	esp, 4
		call	loc_5A129B

loc_5A12AB:				; CODE XREF: Dr_kit13_a+1EEp
		add	esp, 4
		call	loc_5A12A3

loc_5A12B3:				; CODE XREF: Dr_kit13_a+1F6p
		add	esp, 4
		call	loc_5A12AB

loc_5A12BB:				; CODE XREF: Dr_kit13_a+1FEp
		add	esp, 4
		call	loc_5A12B3

loc_5A12C3:				; CODE XREF: Dr_kit13_a+206p
		add	esp, 4
		call	loc_5A12BB

loc_5A12CB:				; CODE XREF: Dr_kit13_a+20Ep
		add	esp, 4
		call	loc_5A12C3

loc_5A12D3:				; CODE XREF: Dr_kit13_a+216p
		add	esp, 4
		call	loc_5A12CB

loc_5A12DB:				; CODE XREF: Dr_kit13_a+21Ep
		add	esp, 4
		call	loc_5A12D3

loc_5A12E3:				; CODE XREF: Dr_kit13_a+226p
		add	esp, 4
		call	loc_5A12DB

loc_5A12EB:				; CODE XREF: Dr_kit13_a+22Ep
		add	esp, 4
		call	loc_5A12E3

loc_5A12F3:				; CODE XREF: Dr_kit13_a+236p
		add	esp, 4
		call	loc_5A12EB

loc_5A12FB:				; CODE XREF: Dr_kit13_a+23Ep
		add	esp, 4
		call	loc_5A12F3

loc_5A1303:				; CODE XREF: Dr_kit13_a+246p
		add	esp, 4
		call	loc_5A12FB

loc_5A130B:				; CODE XREF: Dr_kit13_a+24Ep
		add	esp, 4
		call	loc_5A1303

loc_5A1313:				; CODE XREF: Dr_kit13_a+256p
		add	esp, 4
		call	loc_5A130B

loc_5A131B:				; CODE XREF: Dr_kit13_a+25Ep
		add	esp, 4
		call	loc_5A1313

loc_5A1323:				; CODE XREF: Dr_kit13_a+266p
		add	esp, 4
		call	loc_5A131B

loc_5A132B:				; CODE XREF: Dr_kit13_a+26Ep
		add	esp, 4
		call	loc_5A1323

loc_5A1333:				; CODE XREF: Dr_kit13_a+276p
		add	esp, 4
		call	loc_5A132B

loc_5A133B:				; CODE XREF: Dr_kit13_a+27Ep
		add	esp, 4
		call	loc_5A1333

loc_5A1343:				; CODE XREF: Dr_kit13_a+286p
		add	esp, 4
		call	loc_5A133B

loc_5A134B:				; CODE XREF: Dr_kit13_a+28Ep
		add	esp, 4
		call	loc_5A1343

loc_5A1353:				; CODE XREF: Dr_kit13_a+296p
		add	esp, 4
		call	loc_5A134B

loc_5A135B:				; CODE XREF: Dr_kit13_a+29Ep
		add	esp, 4
		call	loc_5A1353

loc_5A1363:				; CODE XREF: Dr_kit13_a+2A6p
		add	esp, 4
		call	loc_5A135B

loc_5A136B:				; CODE XREF: Dr_kit13_a+2AEp
		add	esp, 4
		call	loc_5A1363

loc_5A1373:				; CODE XREF: Dr_kit13_a+2B6p
		add	esp, 4
		call	loc_5A136B

loc_5A137B:				; CODE XREF: Dr_kit13_a+2BEp
		add	esp, 4
		call	loc_5A1373

loc_5A1383:				; CODE XREF: Dr_kit13_a+2C6p
		add	esp, 4
		call	loc_5A137B

loc_5A138B:				; CODE XREF: Dr_kit13_a+1CEp
		add	esp, 4
		call	loc_5A1383

loc_5A1393:				; CODE XREF: Dr_kit13_a+1D6p
		add	esp, 4

loc_5A1396:				; CODE XREF: Dr_kit13_a+1C8j
		test	edx, 80h
		jz	short loc_5A13A3
		call	KiFlushBhbDuringTrapEntryOrExit@0

loc_5A13A3:				; CODE XREF: Dr_kit13_a+2D4j
		lfence	eax

loc_5A13A6:				; CODE XREF: Dr_kit13_a+139j
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		test	dword ptr [ebp+70h], 20000h
		jnz	V86_kit13_a

loc_5A13DD:				; CODE XREF: Dr_kit13_a+A5j
		mov	ecx, large fs:124h
		cld
		and	dword ptr [ebp+28h], 0
		test	byte ptr [ecx+3], 0DFh
		jnz	Dr_kit13_a

loc_5A13F3:				; CODE XREF: Dr_kit13_a+Dj
					; Dr_kit13_a+79j
		mov	ebx, [ebp+60h]
		mov	edi, [ebp+68h]
		mov	dword ptr [ebp+8], 0BADB0D00h
		mov	[ebp+0], ebx
		mov	[ebp+4], edi
		mov	esi, [ebp+48h]
		test	byte ptr [ebp+72h], 2
		jnz	short loc_5A1470
		test	byte ptr [ebp+6Ch], 1
		jz	short loc_5A141E
		cmp	word ptr [ebp+6Ch], 1Bh
		jnz	short loc_5A1470
		jmp	short loc_5A1427
; 

loc_5A141E:				; CODE XREF: Dr_kit13_a+34Bj
		test	dword ptr [ebp+70h], 200h
		jz	short loc_5A1428

loc_5A1427:				; CODE XREF: Dr_kit13_a+354j
					; Dr_kit13_a+3BCj
		sti

loc_5A1428:				; CODE XREF: Dr_kit13_a+35Dj
					; Dr_kit13_a+3DCj
		mov	edx, esi
		shr	edx, 7
		not	edx
		and	edx, 3Fh
		and	edx, esi
		mov	eax, 0C00002B5h
		test	edx, 7
		jnz	short loc_5A144E
		mov	eax, 0C00002B4h
		test	edx, 38h
		jz	short loc_5A1460

loc_5A144E:				; CODE XREF: Dr_kit13_a+377j
		mov	ebx, [ebp+68h]
		mov	edi, esp
		xor	edx, edx
		mov	ecx, 1
		call	KiDispatchTrapException
		int	3		; Trap to Debugger

loc_5A1460:				; CODE XREF: Dr_kit13_a+384j
		push	ebp
		push	1
		push	0
		push	eax
		push	0Dh
		push	12h
		call	_KiBugCheck2@24	; KiBugCheck2(x,x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5A1470:				; CODE XREF: Dr_kit13_a+345j
					; Dr_kit13_a+352j
		mov	ebx, large fs:124h
		mov	ebx, [ebx+80h]
		cmp	dword ptr [ebx+0F4h], 0
		jz	short loc_5A1427
		mov	ecx, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	eax
		sti
		push	ebp
		call	_VdmDispatchIRQ13@4 ; VdmDispatchIRQ13(x)
		test	al, 0Fh
		jnz	short loc_5A14A6
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_5A1428
; 

loc_5A14A6:				; CODE XREF: Dr_kit13_a+3D3j
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	Kei386EoiHelper@0
Dr_kit13_a	endp

; 
		dw 6A55h
		dd 6A006A02h, 6A0D6A00h, 0EE76E812h
		db 0FDh, 0FFh, 0CCh
_BBT_Exclude_Trap_Code_End db 0CCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_KiSystemFatalException	proc near	; CODE XREF: Dr_kass_a:loc_599520p
					; sub_59C2E7+173p ...
		push	ebp
		mov	ebp, esp
		push	dword ptr [ebp+0]
		push	0
		push	0
		push	0
		push	eax
		push	7Fh
		call	_KiBugCheck2@24	; KiBugCheck2(x,x,x,x,x,x)
		int	3		; Trap to Debugger
		lea	ecx, [ecx+0]
_KiSystemFatalException	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtContinue(x, x)
_NtContinue@8	proc near		; DATA XREF: .text:0058118Co

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_18		= byte ptr  20h
arg_28		= byte ptr  30h
arg_38		= byte ptr  40h
arg_48		= byte ptr  50h
arg_58		= byte ptr  60h
arg_68		= byte ptr  70h

		push	ebp
		mov	edi, ebp
		mov	ebp, esp
		mov	ebx, large fs:124h
		mov	edx, [edi+38h]
		mov	[ebx+6Ch], edx
		mov	eax, [ebp+0]
		mov	ecx, [ebp+arg_0]
		mov	esi, edi
		sub	esi, 80h
		and	esi, 0FFFFFFF0h
		mov	esp, esi
		xorps	xmm0, xmm0
		movdqa	oword ptr [esp], xmm0
		movdqa	oword ptr [esp+arg_8], xmm0
		movdqa	oword ptr [esp+arg_18],	xmm0
		movdqa	oword ptr [esp+arg_28],	xmm0
		movdqa	oword ptr [esp+arg_38],	xmm0
		movdqa	oword ptr [esp+arg_48],	xmm0
		movdqa	oword ptr [esp+arg_58],	xmm0
		movdqa	oword ptr [esp+arg_68],	xmm0
		mov	dword ptr [edi+0Fh], 1
		xor	esi, esi
		mov	[edi+38h], esi
		mov	[edi+3Ch], esi
		mov	[edi+40h], esi
		mov	[edi+2Ch], esi
		mov	esi, 23h
		mov	[edi+30h], esi
		mov	[edi+34h], esi
		push	eax
		push	0
		push	ecx
		call	KiContinue
		or	eax, eax
		jnz	short loc_5A1584
		cmp	[ebp+arg_4], 0
		jz	short loc_5A1573
		movzx	eax, byte ptr [ebx+15Ah]
		push	eax
		call	KeTestAlertThread

loc_5A1573:				; CODE XREF: NtContinue(x,x)+88j
		mov	ebp, edi
		movzx	ecx, byte ptr [ebp+arg_38+4]
		mov	[ebx+15Ah], cl
		jmp	Kei386EoiHelper@0
; 

loc_5A1584:				; CODE XREF: NtContinue(x,x)+82j
		mov	ebp, edi
		mov	esp, ebp
		jmp	_KiServiceExit
_NtContinue@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtRaiseException(x,	x, x)
_NtRaiseException@12 proc near		; DATA XREF: .text:00580DC4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_18		= byte ptr  20h
arg_28		= byte ptr  30h
arg_38		= byte ptr  40h
arg_48		= byte ptr  50h
arg_58		= byte ptr  60h
arg_68		= byte ptr  70h

		push	ebp
		mov	edi, ebp
		mov	ebp, esp
		mov	ebx, large fs:124h
		mov	edx, [edi+38h]
		mov	[ebx+6Ch], edx
		mov	eax, [edi+4Ch]
		mov	large fs:0, eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_8]
		mov	esi, edi
		sub	esi, 80h
		and	esi, 0FFFFFFF0h
		mov	esp, esi
		xorps	xmm0, xmm0
		movdqa	oword ptr [esp], xmm0
		movdqa	oword ptr [esp+arg_8], xmm0
		movdqa	oword ptr [esp+arg_18],	xmm0
		movdqa	oword ptr [esp+arg_28],	xmm0
		movdqa	oword ptr [esp+arg_38],	xmm0
		movdqa	oword ptr [esp+arg_48],	xmm0
		movdqa	oword ptr [esp+arg_58],	xmm0
		movdqa	oword ptr [esp+arg_68],	xmm0
		mov	dword ptr [edi+0Fh], 1
		xor	esi, esi
		mov	[edi+38h], esi
		mov	[edi+3Ch], esi
		mov	[edi+40h], esi
		mov	[edi+2Ch], esi
		mov	esi, 23h
		mov	[edi+30h], esi
		mov	[edi+34h], esi
		push	edx
		push	edi
		push	0
		push	ecx
		push	eax
		call	_KiRaiseException@20 ; KiRaiseException(x,x,x,x,x)
		mov	ebp, edi
		or	eax, eax
		jnz	short loc_5A1633
		movzx	ecx, byte ptr [ebp+arg_38+4]
		mov	[ebx+15Ah], cl
		jmp	Kei386EoiHelper@0
; 

loc_5A1633:				; CODE XREF: NtRaiseException(x,x,x)+92j
		mov	esp, ebp
		jmp	_KiServiceExit
_NtRaiseException@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall Ki386VdmReflectException_A(x)
_Ki386VdmReflectException_A@4 proc near	; CODE XREF: KiScanForPrefix+402p
					; V86_kit1_a+39Ap ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  4

		sub	esp, 8
		mov	ecx, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		sti
		mov	[esp+8+var_4], eax
		mov	eax, [esp+8+arg_0]
		mov	[esp+8+var_8], eax
		call	_Ki386VdmReflectException@4 ; Ki386VdmReflectException(x)
		mov	ecx, [esp+4+var_4]
		mov	[esp+4+var_4], eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	eax
		retn	4
_Ki386VdmReflectException_A@4 endp

; 
		align 4
; Exported entry 1332. KiMcaExceptionHandlerWrapper

;  S U B	R O U T	I N E 


		public _KiMcaExceptionHandlerWrapper
_KiMcaExceptionHandlerWrapper proc near	; CODE XREF: .text:005A19B4j
					; DATA XREF: sub_5A18E7+B2o

var_4		= dword	ptr -4

		cli
		clts
		mov	eax, large fs:40h
		mov	ecx, large fs:124h
		mov	edi, [ecx+80h]
		mov	ecx, [edi+18h]
		test	ss:_KiKvaShadow, 1
		jz	short loc_5A16DD
		test	dword ptr [eax+24h], 20000h
		jnz	short loc_5A16CF
		test	byte ptr [eax+4Ch], 1
		jnz	short loc_5A16CF
		mov	ebx, large fs:3Ch
		lea	ebx, [ebx+6000h]
		cmp	[eax+38h], ebx
		ja	short loc_5A16DD
		sub	ebx, 1000h
		cmp	[eax+38h], ebx
		jbe	short loc_5A16DD
		mov	ebx, offset _KiKernelSysretExit
		cmp	[eax+20h], ebx
		jb	short loc_5A16DD
		mov	ebx, offset _KiShadowExitEnd
		cmp	[eax+20h], ebx
		jnb	short loc_5A16DD

loc_5A16CF:				; CODE XREF: _KiMcaExceptionHandlerWrapper+2Aj
					; _KiMcaExceptionHandlerWrapper+30j
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_5A16DD
		add	ecx, 20h

loc_5A16DD:				; CODE XREF: _KiMcaExceptionHandlerWrapper+21j
					; _KiMcaExceptionHandlerWrapper+42j ...
		mov	[eax+1Ch], ecx
		mov	cx, [edi+76h]
		mov	[eax+66h], cx
		mov	ecx, [edi+1Ch]
		test	ecx, ecx
		jz	short loc_5A16F3
		mov	cx, 48h

loc_5A16F3:				; CODE XREF: _KiMcaExceptionHandlerWrapper+81j
		mov	[eax+60h], cx
		mov	edi, large fs:3Ch
		mov	ch, [edi+0A7h]
		mov	cl, [edi+0A4h]
		shl	ecx, 10h
		mov	cx, [edi+0A2h]
		mov	large fs:40h, ecx
		pushf
		and	[esp+4+var_4], 0FFFFBFFFh
		popf
		lea	ecx, [edi+0A0h]
		mov	byte ptr [ecx+5], 89h
		push	eax
		push	0
		push	0
		push	0
		push	0
		push	dword ptr [eax+50h]
		push	dword ptr [eax+38h]
		push	dword ptr [eax+24h]
		push	dword ptr [eax+4Ch]
		push	dword ptr [eax+20h]
		push	0
		push	dword ptr [eax+3Ch]
		push	dword ptr [eax+34h]
		push	dword ptr [eax+40h]
		push	dword ptr [eax+44h]
		push	dword ptr [eax+58h]
		push	large dword ptr	fs:0
		sub	esp, 4
		push	0FFh
		push	dword ptr [eax+28h]
		push	dword ptr [eax+2Ch]
		push	dword ptr [eax+30h]
		push	dword ptr [eax+54h]
		push	dword ptr [eax+48h]
		push	dword ptr [eax+5Ch]
		push	0
		push	0
		push	0
		push	0
		push	0
		push	0
		push	0
		push	0
		push	0BADB0D00h
		push	dword ptr [eax+20h]
		push	dword ptr [eax+3Ch]
		mov	ebp, esp
		stmxcsr	dword ptr [ebp+48h]
		ldmxcsr	large dword ptr	fs:8
		cmp	large word ptr fs:22DCh, 0
		jz	short loc_5A17CE
		mov	ecx, 48h
		rdmsr
		mov	[ebp+46h], al
		movzx	eax, large word	ptr fs:22DCh
		mov	ecx, 48h
		xor	edx, edx
		wrmsr
		test	eax, 1
		jnz	short loc_5A17EA

loc_5A17CE:				; CODE XREF: _KiMcaExceptionHandlerWrapper+13Ej
		test	large byte ptr fs:22D9h, 2
		jz	loc_5A18EA
		mov	eax, 1
		xor	edx, edx
		mov	ecx, 49h
		wrmsr

loc_5A17EA:				; CODE XREF: _KiMcaExceptionHandlerWrapper+160j
		call	sub_5A18DF

loc_5A17EF:				; CODE XREF: _KiMcaExceptionHandlerWrapper+18Ep
		add	esp, 4
		call	sub_5A18E7

loc_5A17F7:				; CODE XREF: _KiMcaExceptionHandlerWrapper+196p
		add	esp, 4
		call	loc_5A17EF

loc_5A17FF:				; CODE XREF: _KiMcaExceptionHandlerWrapper+19Ep
		add	esp, 4
		call	loc_5A17F7

loc_5A1807:				; CODE XREF: _KiMcaExceptionHandlerWrapper+1A6p
		add	esp, 4
		call	loc_5A17FF

loc_5A180F:				; CODE XREF: _KiMcaExceptionHandlerWrapper+1AEp
		add	esp, 4
		call	loc_5A1807

loc_5A1817:				; CODE XREF: _KiMcaExceptionHandlerWrapper+1B6p
		add	esp, 4
		call	loc_5A180F

loc_5A181F:				; CODE XREF: _KiMcaExceptionHandlerWrapper+1BEp
		add	esp, 4
		call	loc_5A1817

loc_5A1827:				; CODE XREF: _KiMcaExceptionHandlerWrapper+1C6p
		add	esp, 4
		call	loc_5A181F

loc_5A182F:				; CODE XREF: _KiMcaExceptionHandlerWrapper+1CEp
		add	esp, 4
		call	loc_5A1827

loc_5A1837:				; CODE XREF: _KiMcaExceptionHandlerWrapper+1D6p
		add	esp, 4
		call	loc_5A182F

loc_5A183F:				; CODE XREF: _KiMcaExceptionHandlerWrapper+1DEp
		add	esp, 4
		call	loc_5A1837

loc_5A1847:				; CODE XREF: _KiMcaExceptionHandlerWrapper+1E6p
		add	esp, 4
		call	loc_5A183F

loc_5A184F:				; CODE XREF: _KiMcaExceptionHandlerWrapper+1EEp
		add	esp, 4
		call	loc_5A1847

loc_5A1857:				; CODE XREF: _KiMcaExceptionHandlerWrapper+1F6p
		add	esp, 4
		call	loc_5A184F

loc_5A185F:				; CODE XREF: _KiMcaExceptionHandlerWrapper+1FEp
		add	esp, 4
		call	loc_5A1857

loc_5A1867:				; CODE XREF: _KiMcaExceptionHandlerWrapper+206p
		add	esp, 4
		call	loc_5A185F

loc_5A186F:				; CODE XREF: _KiMcaExceptionHandlerWrapper+20Ep
		add	esp, 4
		call	loc_5A1867

loc_5A1877:				; CODE XREF: _KiMcaExceptionHandlerWrapper+216p
		add	esp, 4
		call	loc_5A186F

loc_5A187F:				; CODE XREF: _KiMcaExceptionHandlerWrapper+21Ep
		add	esp, 4
		call	loc_5A1877

loc_5A1887:				; CODE XREF: _KiMcaExceptionHandlerWrapper+226p
		add	esp, 4
		call	loc_5A187F

loc_5A188F:				; CODE XREF: _KiMcaExceptionHandlerWrapper+22Ep
		add	esp, 4
		call	loc_5A1887

loc_5A1897:				; CODE XREF: _KiMcaExceptionHandlerWrapper+236p
		add	esp, 4
		call	loc_5A188F

loc_5A189F:				; CODE XREF: _KiMcaExceptionHandlerWrapper+23Ep
		add	esp, 4
		call	loc_5A1897

loc_5A18A7:				; CODE XREF: _KiMcaExceptionHandlerWrapper+246p
		add	esp, 4
		call	loc_5A189F

loc_5A18AF:				; CODE XREF: _KiMcaExceptionHandlerWrapper+24Ep
		add	esp, 4
		call	loc_5A18A7

loc_5A18B7:				; CODE XREF: _KiMcaExceptionHandlerWrapper+256p
		add	esp, 4
		call	loc_5A18AF

loc_5A18BF:				; CODE XREF: _KiMcaExceptionHandlerWrapper+25Ep
		add	esp, 4
		call	loc_5A18B7

loc_5A18C7:				; CODE XREF: _KiMcaExceptionHandlerWrapper+266p
		add	esp, 4
		call	loc_5A18BF

loc_5A18CF:				; CODE XREF: _KiMcaExceptionHandlerWrapper+26Ep
		add	esp, 4
		call	loc_5A18C7

loc_5A18D7:				; CODE XREF: sub_5A18DF+3p
		add	esp, 4
		call	loc_5A18CF
_KiMcaExceptionHandlerWrapper endp


;  S U B	R O U T	I N E 


sub_5A18DF	proc near		; CODE XREF: _KiMcaExceptionHandlerWrapper:loc_5A17EAp
		add	esp, 4
		call	loc_5A18D7
sub_5A18DF	endp


;  S U B	R O U T	I N E 


sub_5A18E7	proc near		; CODE XREF: _KiMcaExceptionHandlerWrapper+186p

var_4		= dword	ptr -4
arg_88		= dword	ptr  8Ch

		add	esp, 4

loc_5A18EA:				; CODE XREF: _KiMcaExceptionHandlerWrapper+16Aj
		lfence	eax
		sub	esp, 80h
		and	esp, 0FFFFFFF0h
		mov	esi, esp
		movaps	oword ptr [esi], xmm0
		movaps	oword ptr [esi+10h], xmm1
		movaps	oword ptr [esi+20h], xmm2
		movaps	oword ptr [esi+30h], xmm3
		movaps	oword ptr [esi+40h], xmm4
		movaps	oword ptr [esi+50h], xmm5
		movaps	oword ptr [esi+60h], xmm6
		movaps	oword ptr [esi+70h], xmm7
		push	large dword ptr	fs:24h
		mov	large dword ptr	fs:24h,	1Fh
		call	ds:__imp__HalpMcaExceptionHandler@0 ; HalpMcaExceptionHandler()
		pop	large dword ptr	fs:24h
		mov	edi, esp
		movaps	xmm0, oword ptr	[edi]
		movaps	xmm1, oword ptr	[edi+10h]
		movaps	xmm2, oword ptr	[edi+20h]
		movaps	xmm3, oword ptr	[edi+30h]
		movaps	xmm4, oword ptr	[edi+40h]
		movaps	xmm5, oword ptr	[edi+50h]
		movaps	xmm6, oword ptr	[edi+60h]
		movaps	xmm7, oword ptr	[edi+70h]
		mov	esp, ebp
		cmp	large word ptr fs:22DCh, 0
		jz	short loc_5A1971
		movzx	eax, byte ptr [ebp+46h]
		mov	ecx, 48h
		xor	edx, edx
		wrmsr

loc_5A1971:				; CODE XREF: sub_5A18E7+7Bj
		ldmxcsr	dword ptr [ebp+48h]
		mov	eax, [esp+arg_88]
		mov	large fs:40h, eax
		mov	ecx, large fs:3Ch
		lea	eax, [ecx+28h]
		mov	byte ptr [eax+5], 8Bh
		pushf
		or	[esp+4+var_4], 4000h
		popf
		lea	eax, _KiMcaExceptionHandlerWrapper
		test	ss:_KiKvaShadow, 1
		jnz	_KiKernelTaskSwitchExit
		add	esp, 90h
		iret
sub_5A18E7	endp ; sp =  90h

; 
		jmp	_KiMcaExceptionHandlerWrapper
; 
		align 10h
; Exported entry 1315. KeSynchronizeExecution

;  S U B	R O U T	I N E 


; __stdcall KeSynchronizeExecution(x, x, x)
		public _KeSynchronizeExecution@12
_KeSynchronizeExecution@12 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	ebx
		mov	ebx, [esp+arg_0]
		mov	cl, [ebx+31h]
		cmp	cl, 0
		jz	short loc_5A1A41
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	eax
		mov	ebx, [ebx+24h]
		xor	eax, eax

loc_5A19D9:				; CODE XREF: KeSynchronizeExecution(x,x,x)+7Fj
		lock bts dword ptr [ebx], 0
		jb	short loc_5A1A15
		inc	large dword ptr	fs:41C0h
		cmp	eax, 0
		jz	short loc_5A19FA
		inc	large dword ptr	fs:41C4h
		add	large fs:41C8h,	eax

loc_5A19FA:				; CODE XREF: KeSynchronizeExecution(x,x,x)+2Aj
		push	[esp+4+arg_8]
		call	[esp+8+arg_4]
		lock and byte ptr [ebx], 0
		mov	ebx, eax
		pop	ecx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, ebx

loc_5A1A11:				; CODE XREF: KeSynchronizeExecution(x,x,x)+97j
		pop	ebx
		retn	0Ch
; 

loc_5A1A15:				; CODE XREF: KeSynchronizeExecution(x,x,x)+1Ej
		xor	eax, eax

loc_5A1A17:				; CODE XREF: KeSynchronizeExecution(x,x,x)+7Dj
		inc	eax
		test	ds:_HvlLongSpinCountMask, eax
		jnz	short loc_5A1A35
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_5A1A35
		push	eax
		push	ecx
		push	edx
		push	eax
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		pop	edx
		pop	ecx
		pop	eax

loc_5A1A35:				; CODE XREF: KeSynchronizeExecution(x,x,x)+5Ej
					; KeSynchronizeExecution(x,x,x)+67j
		pause
		test	dword ptr [ebx], 1
		jnz	short loc_5A1A17
		jmp	short loc_5A19D9
; 

loc_5A1A41:				; CODE XREF: KeSynchronizeExecution(x,x,x)+Bj
		push	ecx
		mov	ecx, [esp+4+arg_8]
		mov	ebx, [esp+4+arg_4]
		mov	eax, [esp+4+arg_0]
		push	ecx
		push	ebx
		push	eax
		call	_KiSynchronizePassiveInterruptExecution@12 ; KiSynchronizePassiveInterruptExecution(x,x,x)
		pop	ecx
		jmp	short loc_5A1A11
_KeSynchronizeExecution@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiChainedDispatch()
_KiChainedDispatch@0 proc near		; DATA XREF: KiGetVectorInfo+2Fo
					; KiGetVectorInfo+6Bo

var_38		= dword	ptr -38h
var_34		= byte ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
arg_0		= dword	ptr  8

		push	ebp
		mov	ebp, esp
		mov	ecx, [edi+30h]
		lea	eax, [ebp+arg_0]
		push	eax
		push	ebx
		push	ecx
		call	ds:__imp__HalBeginSystemInterrupt@12 ; HalBeginSystemInterrupt(x,x,x)
		or	al, al
		jz	loc_5A1B51
		inc	large dword ptr	fs:5C0h
		mov	ecx, esp
		call	@KiGetIsrStackToSwitch@4 ; KiGetIsrStackToSwitch(x)
		or	eax, eax
		jz	short loc_5A1A8E
		mov	esp, eax

loc_5A1A8E:				; CODE XREF: KiChainedDispatch()+2Aj
		mov	eax, [ebp+0]
		mov	[edi+54h], eax
		mov	dl, byte ptr [ebp+arg_0]
		mov	[eax+47h], dl
		sub	esp, 2Ch
		mov	[esp+38h+var_30], 0
		lea	ebx, [edi+4]
		test	dword ptr ds:byte_70EFC4, 4000h
		setnz	[esp+38h+var_34]
		jnz	loc_5A1B55

loc_5A1ABD:				; CODE XREF: KiChainedDispatch()+CCj
					; KiChainedDispatch()+EAj ...
		mov	cl, [edi+30h]
		mov	esi, [edi+24h]
		cmp	byte ptr [edi+31h], 0
		jz	loc_5A1B8C
		cmp	[edi+31h], cl
		jz	short loc_5A1ADE
		mov	cl, [edi+31h]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+38h+var_38], eax

loc_5A1ADE:				; CODE XREF: KiChainedDispatch()+70j
		test	dword ptr [edi+3Ch], 1
		jnz	loc_5A1B94
		mov	edx, 1
		mov	ecx, edi
		call	KiCallInterruptServiceRoutine

loc_5A1AF7:				; CODE XREF: KiChainedDispatch()+136j
		mov	cl, [edi+30h]
		cmp	[edi+31h], cl
		jz	short loc_5A1B0C
		mov	esi, eax
		mov	ecx, [esp+38h+var_38]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi

loc_5A1B0C:				; CODE XREF: KiChainedDispatch()+9Dj
		cmp	[esp+38h+var_34], 0
		jnz	short loc_5A1B68

loc_5A1B13:				; CODE XREF: KiChainedDispatch()+12Aj
		or	al, al
		jz	short loc_5A1B22
		cmp	word ptr [edi+40h], 0
		jz	short loc_5A1B4F
		mov	[esp+38h+var_30], eax

loc_5A1B22:				; CODE XREF: KiChainedDispatch()+B5j
		mov	edi, [edi+4]
		cmp	ebx, edi
		jz	short loc_5A1B2E
		sub	edi, 4
		jmp	short loc_5A1ABD
; 

loc_5A1B2E:				; CODE XREF: KiChainedDispatch()+C7j
		sub	edi, 4
		cmp	word ptr [edi+40h], 0
		jz	short loc_5A1B4F
		test	[esp+38h+var_30], 0Fh
		jz	short loc_5A1B4F
		mov	[esp+38h+var_30], 0
		jmp	loc_5A1ABD
; 

loc_5A1B4F:				; CODE XREF: KiChainedDispatch()+BCj
					; KiChainedDispatch()+D6j ...
		mov	al, 1

loc_5A1B51:				; CODE XREF: KiChainedDispatch()+14j
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5A1B55:				; CODE XREF: KiChainedDispatch()+57j
		lea	ecx, [esp+38h+var_2C]
		mov	edx, 20004000h
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		jmp	loc_5A1ABD
; 

loc_5A1B68:				; CODE XREF: KiChainedDispatch()+B1j
		movzx	edx, al
		mov	dh, [edi+2Ch]
		push	edx
		lea	eax, [esp+3Ch+var_2C]
		push	eax
		mov	ecx, edi
		call	PerfInfoLogInterrupt
		lea	ecx, [esp+3Ch+var_2C]
		mov	edx, 20004000h
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		pop	eax
		jmp	short loc_5A1B13
; 

loc_5A1B8C:				; CODE XREF: KiChainedDispatch()+67j
		push	edi
		call	_KiDispatchPassiveInterrupts@4 ; KiDispatchPassiveInterrupts(x)
		jmp	short loc_5A1B4F
; 

loc_5A1B94:				; CODE XREF: KiChainedDispatch()+85j
		xor	eax, eax
		jmp	loc_5A1AF7
_KiChainedDispatch@0 endp

; 
		jmp	short _KiInterruptDispatch@0 ; KiInterruptDispatch()
; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInterruptDispatch()
_KiInterruptDispatch@0 proc near	; CODE XREF: .text:005A1B9Bj
					; DATA XREF: KiInitializeInterrupt(x,x,x)+27o ...

var_30		= byte ptr -30h
var_2C		= dword	ptr -2Ch
arg_0		= dword	ptr  8

		push	ebp
		mov	ebp, esp
		mov	ecx, [edi+31h]
		lea	eax, [ebp+arg_0]
		push	eax
		push	ebx
		push	ecx
		call	ds:__imp__HalBeginSystemInterrupt@12 ; HalBeginSystemInterrupt(x,x,x)
		or	al, al
		jz	short loc_5A1BFD
		inc	large dword ptr	fs:5C0h
		mov	ecx, esp
		call	@KiGetIsrStackToSwitch@4 ; KiGetIsrStackToSwitch(x)
		or	eax, eax
		jz	short loc_5A1BCA
		mov	esp, eax

loc_5A1BCA:				; CODE XREF: KiInterruptDispatch()+26j
		mov	eax, [ebp+0]
		mov	[edi+54h], eax
		mov	dl, byte ptr [ebp+arg_0]
		mov	[eax+47h], dl
		sub	esp, 24h
		test	dword ptr ds:byte_70EFC4, 4000h
		setnz	[esp+30h+var_30]
		jnz	short loc_5A1C01

loc_5A1BE9:				; CODE XREF: KiInterruptDispatch()+6Fj
		mov	edx, 1
		mov	ecx, edi
		call	KiCallInterruptServiceRoutine
		cmp	[esp+30h+var_30], 0
		jnz	short loc_5A1C11

loc_5A1BFB:				; CODE XREF: KiInterruptDispatch()+83j
		mov	al, 1

loc_5A1BFD:				; CODE XREF: KiInterruptDispatch()+14j
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5A1C01:				; CODE XREF: KiInterruptDispatch()+47j
		lea	ecx, [esp+30h+var_2C]
		mov	edx, 20004000h
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		jmp	short loc_5A1BE9
; 

loc_5A1C11:				; CODE XREF: KiInterruptDispatch()+59j
		mov	ecx, edi
		movzx	edx, al
		mov	dh, [edi+2Ch]
		lea	eax, [esp+30h+var_2C]
		push	eax
		call	PerfInfoLogInterrupt
		jmp	short loc_5A1BFB
_KiInterruptDispatch@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInterruptDispatchNoLockNoEtwNoStack()
_KiInterruptDispatchNoLockNoEtwNoStack@0 proc near
					; DATA XREF: KiInitializeInterrupt(x,x,x):loc_55E38Bo

arg_0		= dword	ptr  8

		push	ebp
		mov	ebp, esp
		mov	ecx, [edi+31h]
		lea	eax, [ebp+arg_0]
		push	eax
		push	ebx
		push	ecx
		call	ds:__imp__HalBeginSystemInterrupt@12 ; HalBeginSystemInterrupt(x,x,x)
		or	al, al
		jz	short loc_5A1C5D
		mov	eax, [ebp+0]
		mov	[edi+54h], eax
		mov	dl, byte ptr [ebp+arg_0]
		mov	[eax+47h], dl
		xor	edx, edx
		mov	ecx, edi
		call	KiCallInterruptServiceRoutine
		mov	al, 1

loc_5A1C5D:				; CODE XREF: KiInterruptDispatchNoLockNoEtwNoStack()+14j
		mov	esp, ebp
		pop	ebp
		retn
_KiInterruptDispatchNoLockNoEtwNoStack@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiSpuriousDispatchNoEOI()
_KiSpuriousDispatchNoEOI@0 proc	near	; DATA XREF: KiInitializeInterrupt(x,x,x)+1Do
		xor	al, al
		retn
_KiSpuriousDispatchNoEOI@0 endp

; 
; Exported entry 1333. KiUnexpectedInterrupt

		public _KiUnexpectedInterrupt
_KiUnexpectedInterrupt:
		push	12h
		call	_KeBugCheck@4	; KeBugCheck(x)
		nop
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 


; __fastcall KiSwapContext(x, x, x)
@KiSwapContext@12 proc near		; CODE XREF: KiSchedulerApc+285p
					; KiQuantumEnd+50Dp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  4

		push	ebx
		push	esi
		push	edi
		push	ebp
		mov	ebx, large fs:1Ch
		mov	edi, ecx
		mov	esi, edx
		movzx	ecx, [esp+10h+arg_0]
		call	near ptr _SwapContext@0	; SwapContext()
		mov	ebp, [esp+0]
		mov	edi, [esp+4]
		mov	esi, [esp+10h+var_8]
		mov	ebx, [esp+10h+var_4]
		add	esp, 10h
		retn	4
@KiSwapContext@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __fastcall KeIsContextSwapActive(x)
@KeIsContextSwapActive@4 proc near	; CODE XREF: KeQueryCurrentStackInformationEx+3Ep
		mov	ecx, [ecx+20h]
		pushf
		cli
		mov	eax, large fs:5004h
		test	ss:_KiKvaShadow, 1
		jnz	short loc_5A1CCE
		mov	eax, large fs:0Ch
		mov	eax, [eax+4]

loc_5A1CCE:				; CODE XREF: KeIsContextSwapActive(x)+13j
		test	byte ptr [ecx-1Ah], 2
		jnz	short loc_5A1CD7
		add	eax, 10h

loc_5A1CD7:				; CODE XREF: KeIsContextSwapActive(x)+22j
		popf
		cmp	eax, ecx
		setnz	al
		retn
@KeIsContextSwapActive@4 endp

; 
		align 10h
; Exported entry 1330. KiDispatchInterrupt

;  S U B	R O U T	I N E 


; __stdcall KiDispatchInterrupt(x)
		public _KiDispatchInterrupt@4
_KiDispatchInterrupt@4 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		push	ebx
		mov	ebx, large fs:1Ch
		cli
		test	byte ptr [ebx+235Ch], 3Fh
		jz	short loc_5A1D12
		push	ebp
		push	dword ptr [ebx]
		mov	edx, ds:_KiI386ExceptionChainTerminator
		mov	[ebx], edx
		mov	edx, esp
		mov	esp, [ebx+2330h]
		push	edx
		mov	ecx, [ebx+20h]
		call	KiRetireDpcList
		pop	esp
		pop	dword ptr [ebx]
		pop	ebp

loc_5A1D12:				; CODE XREF: KiDispatchInterrupt(x)+10j
		sti
		cmp	byte ptr [ebx+2359h], 0
		jnz	loc_5A1E3B
		cmp	dword ptr [ebx+128h], 0
		jz	loc_5A1E0F
		mov	ecx, [ebx+124h]
		mov	al, [esp+arg_0]
		mov	[ecx+92h], al
		test	byte ptr [ecx+2], 4
		jnz	loc_5A1E13

loc_5A1D47:				; CODE XREF: KiDispatchInterrupt(x)+142j
		sub	esp, 0Ch
		mov	[esp+0Ch+var_4], esi
		mov	[esp+0Ch+var_8], edi
		mov	[esp+0Ch+var_C], ebp
		mov	edi, [ebx+124h]
		cli
		rdtsc
		sub	eax, [ebx+3C60h]
		sbb	edx, [ebx+3C64h]
		mov	ecx, [edi+30h]
		add	ecx, eax
		adc	[edi+38h], edx
		add	[edi+30h], eax
		adc	[edi+34h], edx
		add	[ebx+3C60h], eax
		adc	[ebx+3C64h], edx
		test	edx, edx
		jnz	short loc_5A1D8F
		mov	ecx, [edi+40h]
		add	ecx, eax
		jnb	short loc_5A1D94

loc_5A1D8F:				; CODE XREF: KiDispatchInterrupt(x)+A6j
		mov	ecx, 0FFFFFFFFh

loc_5A1D94:				; CODE XREF: KiDispatchInterrupt(x)+ADj
		mov	[edi+40h], ecx
		inc	byte ptr [ebx+131h]
		test	byte ptr [edi+2], 3Eh
		jnz	loc_5A1E27

loc_5A1DA7:				; CODE XREF: KiDispatchInterrupt(x)+156j
		sti
		mov	ecx, edi
		xor	edx, edx
		call	KiAbProcessContextSwitch
		lea	ecx, [ebx+2344h]
		lock bts dword ptr [ecx], 0
		jnb	short loc_5A1DC5
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		jmp	short loc_5A1DCC
; 

loc_5A1DC5:				; CODE XREF: KiDispatchInterrupt(x)+DCj
		inc	large dword ptr	fs:41C0h

loc_5A1DCC:				; CODE XREF: KiDispatchInterrupt(x)+E3j
		mov	esi, [ebx+128h]
		and	dword ptr [ebx+128h], 0
		mov	[ebx+124h], esi
		mov	byte ptr [esi+90h], 2
		mov	byte ptr [edi+18Bh], 1Fh
		lea	ecx, [ebx+120h]
		mov	edx, edi
		call	KiQueueReadyThread
		mov	cl, 1
		call	near ptr _SwapContext@0	; SwapContext()
		mov	ebp, [esp+0Ch+var_C]
		mov	edi, [esp+0Ch+var_8]
		mov	esi, [esp+0Ch+var_4]
		add	esp, 0Ch

loc_5A1E0F:				; CODE XREF: KiDispatchInterrupt(x)+47j
					; KiDispatchInterrupt(x)+140j
		pop	ebx
		retn	4
; 

loc_5A1E13:				; CODE XREF: KiDispatchInterrupt(x)+61j
		lea	edx, [ebx+120h]
		call	@KiDeferGroupSchedulingPreemption@8 ; KiDeferGroupSchedulingPreemption(x,x)
		test	al, al
		jnz	short loc_5A1E0F
		jmp	loc_5A1D47
; 

loc_5A1E27:				; CODE XREF: KiDispatchInterrupt(x)+C1j
		push	edx
		push	eax
		mov	edx, edi
		lea	ecx, [ebx+120h]
		call	KiEndThreadAccountingPeriod
		jmp	loc_5A1DA7
; 

loc_5A1E3B:				; CODE XREF: KiDispatchInterrupt(x)+3Aj
		mov	byte ptr [ebx+2359h], 0
		call	KiQuantumEnd
		pop	ebx
		retn	4
_KiDispatchInterrupt@4 endp

; 
		align 10h
; __stdcall SwapContext()
_SwapContext@0	dd offset loc_557E80	; CODE XREF: KiSwapContext(x,x,x)+14p
					; KiDispatchInterrupt(x)+11Cp ...
		dd 90F30474h, 46C6F6EBh, 0FA510155h, 832B310Fh,	3C60h
		dd 3C888B8Bh, 931B0000h, 3C64h,	9311C803h, 3CB0h, 3C888301h
		dd 93110000h, 3C8Ch, 3C608301h,	93110000h, 3C64h, 360246F6h
		dd 1FE850Fh, 8BFE0000h,	131h, 1043FFFBh, 878B33FFh, 238h
		dd 23C978Bh, 4F8B0000h
		db 4Ch,	0FFh, 25h
		dd offset _SwapContext_NpxSave

;  S U B	R O U T	I N E 


_SwapContext_SaveIpt proc near		; CODE XREF: _SwapContext_NoNpxLoad+FEj
					; _SwapContext_NoNpxLoad+106j ...
		test	eax, 100h
		jz	short _SwapContext_NoNpxSave
		cmp	ds:_KiIptMsrMask, 0
		jz	short _SwapContext_NoNpxSave
		mov	ecx, edi
		call	@KiSaveThreadIptState@4	; KiSaveThreadIptState(x)

_SwapContext_NoNpxSave:			; CODE XREF: _SwapContext_SaveIpt+5j
					; _SwapContext_SaveIpt+Ej
					; DATA XREF: ...
		mov	[edi+48h], esp
		mov	esp, [esi+48h]
		mov	ecx, [esi+150h]
		cmp	ecx, [edi+150h]
		jz	short loc_5A1EEF
		call	@KiUpdateSpeculationControl@4 ;	KiUpdateSpeculationControl(x)

loc_5A1EEF:				; CODE XREF: _SwapContext_SaveIpt+29j
		mov	ebp, [esi+80h]
		mov	eax, [edi+80h]
		cmp	ebp, eax
		jz	short loc_5A1F65
		mov	ecx, [ebx+14h]
		lock xor [ebp+60h], ecx
		mov	ecx, [ebp+1Ch]
		or	ecx, [eax+1Ch]
		jnz	loc_5A2067

loc_5A1F12:				; CODE XREF: _SwapContext_NoNpxLoad+ADj
		mov	eax, [ebp+18h]
		test	ss:_KiKvaShadow, 1
		jz	short loc_5A1F3A
		mov	[ebx+5000h], eax
		and	dword ptr [ebx+500Ch], 0FFFFFFFDh
		bt	dword ptr [ebp+74h], 0
		jnb	short loc_5A1F3A
		or	dword ptr [ebx+500Ch], 2

loc_5A1F3A:				; CODE XREF: _SwapContext_SaveIpt+5Ej
					; _SwapContext_SaveIpt+72j
		mov	cr3, eax
		test	ss:_KiKvaShadow, 1
		jz	short loc_5A1F58
		mov	eax, cr4
		btr	eax, 7
		jnb	short loc_5A1F58
		mov	cr4, eax
		or	al, 80h
		mov	cr4, eax

loc_5A1F58:				; CODE XREF: _SwapContext_SaveIpt+86j
					; _SwapContext_SaveIpt+8Fj
		mov	eax, [edi+80h]
		mov	ecx, [ebx+14h]
		lock xor [eax+60h], ecx

loc_5A1F65:				; CODE XREF: _SwapContext_SaveIpt+3Ej
		mov	eax, [esi+20h]
		test	byte ptr [eax-1Ah], 2
		jnz	short loc_5A1F71
		sub	eax, 10h

loc_5A1F71:				; CODE XREF: _SwapContext_SaveIpt+ADj
		test	ss:_KiKvaShadow, 1
		mov	[ebx+5004h], eax
		jnz	short loc_5A1F87
		mov	edx, [ebx+0Ch]
		mov	[edx+4], eax

loc_5A1F87:				; CODE XREF: _SwapContext_SaveIpt+C0j
		mov	edx, [ebx+0Ch]
		mov	ax, [ebp+76h]
		mov	[edx+66h], ax
		cmp	ds:_KiCpuTracingFlags, 0
		jnz	loc_5A20B0

loc_5A1F9F:				; CODE XREF: _SwapContext_NoNpxLoad+EBj
					; _SwapContext_NoNpxLoad+F6j
		mov	byte ptr [edi+55h], 0
		mov	ecx, [esi+4Ch]
_SwapContext_SaveIpt endp


;  S U B	R O U T	I N E 


_SwapContext_X87Jmp proc near
		jmp	short loc_5A1FAA
; 
		fninit

loc_5A1FAA:				; CODE XREF: _SwapContext_X87Jmpj
		mov	eax, [edi+238h]
		mov	edx, [edi+23Ch]
		and	eax, 0FFDF05F0h
		and	edx, 0FFDF05F4h
		or	eax, [esi+238h]
		or	edx, [esi+23Ch]
		jmp	ds:_SwapContext_NpxLoad
_SwapContext_X87Jmp endp


;  S U B	R O U T	I N E 


_SwapContext_RestoreIpt	proc near	; CODE XREF: _SwapContext_NoNpxLoad+11Ej
					; _SwapContext_NoNpxLoad+126j ...
		test	eax, 100h
		jz	short _SwapContext_NoNpxLoad
		cmp	ds:_KiIptMsrMask, 0
		jz	short _SwapContext_NoNpxLoad
		mov	ecx, esi
		call	@KiRestoreThreadIptState@4 ; KiRestoreThreadIptState(x)
_SwapContext_RestoreIpt	endp


;  S U B	R O U T	I N E 


_SwapContext_NoNpxLoad proc near	; CODE XREF: _SwapContext_X87Jmp+27j
					; _SwapContext_RestoreIpt+5j ...

arg_10		= dword	ptr  14h

		mov	ebp, [esi+80h]
		mov	ecx, [ebx+3Ch]
		mov	eax, [esi+0A8h]
		mov	[ebx+18h], eax
		test	eax, eax
		jnz	short loc_5A2006
		mov	eax, [esi+380h]

loc_5A2006:				; CODE XREF: _SwapContext_NoNpxLoad+14j
		mov	[ecx+3Ah], ax
		shr	eax, 10h
		mov	[ecx+3Ch], al
		mov	[ecx+3Fh], ah
		mov	eax, [esi+384h]
		mov	[ecx+62h], ax
		shr	eax, 10h
		mov	[ecx+64h], al
		mov	[ecx+67h], ah
		inc	dword ptr [esi+8Ch]
		pop	dword ptr [ebx]
		pop	ecx
		test	dword ptr [ebx+235Ch], 10001h
		jnz	loc_5A211D
		cmp	byte ptr [esi+85h], 0
		jnz	short loc_5A204B
		xor	eax, eax
		retn
; 

loc_5A204B:				; CODE XREF: _SwapContext_NoNpxLoad+5Cj
		cmp	word ptr [esi+13Eh], 0
		jnz	short loc_5A2063
		test	cl, cl
		jz	short loc_5A2063
		mov	cl, 1
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		or	eax, esp

loc_5A2063:				; CODE XREF: _SwapContext_NoNpxLoad+69j
					; _SwapContext_NoNpxLoad+6Dj
		setz	al
		retn
; 

loc_5A2067:				; CODE XREF: _SwapContext_SaveIpt+4Dj
		mov	eax, [ebp+1Ch]
		test	eax, eax
		jz	short loc_5A2094
		mov	ecx, [ebx+3Ch]
		mov	[ecx+48h], eax
		mov	eax, [ebp+20h]
		mov	[ecx+4Ch], eax
		mov	ecx, [ebx+38h]
		mov	eax, [ebp+24h]
		mov	[ecx+108h], eax
		mov	eax, [ebp+28h]
		mov	[ecx+10Ch], eax
		mov	eax, 48h

loc_5A2094:				; CODE XREF: _SwapContext_NoNpxLoad+82j
		lldt	ax
		jmp	loc_5A1F12
; 
		dd 8B8D5052h, 120h, 85E8D68Bh, 0E9FFE9EFh, 0FFFFFDF5h
; 

loc_5A20B0:				; CODE XREF: _SwapContext_SaveIpt+DAj
		test	dword ptr ds:byte_70EFC4, 4
		jz	short loc_5A20CB
		mov	edx, esi
		mov	ecx, edi
		push	ebp
		mov	ebp, [esp-4+arg_10]
		call	EtwTraceContextSwap
		pop	ebp

loc_5A20CB:				; CODE XREF: _SwapContext_NoNpxLoad+D0j
		test	ds:_KiCpuTracingFlags, 4
		jz	loc_5A1F9F
		call	@KiResetProcessorTraceBuffer@0 ; KiResetProcessorTraceBuffer()
		jmp	loc_5A1F9F
; 

_SwapContext_Fxsave:			; DATA XREF: KiEnableNpxStateSwitching+F533o
		fxsave	dword ptr [ecx]
		jmp	_SwapContext_SaveIpt
; 
_SwapContext_Xsave db 0Fh, 0AEh, 21h	; DATA XREF: KiEnableNpxStateSwitching+F510o
; 
		jmp	_SwapContext_SaveIpt
; 

_SwapContext_Xsaveopt:			; DATA XREF: KiEnableNpxStateSwitching+52o
		mfence	dword ptr [ecx]
		jmp	_SwapContext_SaveIpt
; 

_SwapContext_Xsaves:			; DATA XREF: KiEnableNpxStateSwitching+F501o
		cmpxchg8b qword	ptr [ecx]
		jmp	_SwapContext_SaveIpt
; 

_SwapContext_Fxrstor:			; DATA XREF: KiEnableNpxStateSwitching:loc_AEB828o
		fxrstor	dword ptr [ecx]
		jmp	_SwapContext_RestoreIpt
; 

_SwapContext_Xrstor:			; DATA XREF: KiEnableNpxStateSwitching+2Ao
		lfence	dword ptr [ecx]
		jmp	_SwapContext_RestoreIpt
; 

_SwapContext_Xrstors:			; DATA XREF: KiEnableNpxStateSwitching+F4F2o
		cmpxchg8b qword	ptr [ecx]
		jmp	_SwapContext_RestoreIpt
; 

loc_5A211D:				; CODE XREF: _SwapContext_NoNpxLoad+4Fj
		mov	eax, [edi+20h]
		push	0
		push	eax
		push	esi
		push	edi
		push	0B8h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		retn
_SwapContext_NoNpxLoad endp ; sp = -0Ch

; 
		dd 0CCCCCCCCh, 24A48DCCh, 0
		align 10h

;  S U B	R O U T	I N E 


EnlightenedSwapContext proc near	; DATA XREF: HvlpEnlightenSwapContext()+5o

; FUNCTION CHUNK AT 005A2392 SIZE 00000014 BYTES

		xor	eax, eax

loc_5A2142:				; CODE XREF: EnlightenedSwapContext+26j
		cmp	byte ptr [esi+55h], 0
		jz	short loc_5A2168
		inc	eax
		test	ds:_HvlLongSpinCountMask, eax
		jnz	short loc_5A2164
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_5A2164
		push	ecx
		push	eax
		push	eax
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		pop	eax
		pop	ecx

loc_5A2164:				; CODE XREF: EnlightenedSwapContext+Fj
					; EnlightenedSwapContext+18j
		pause
		jmp	short loc_5A2142
; 

loc_5A2168:				; CODE XREF: EnlightenedSwapContext+6j
		mov	byte ptr [esi+55h], 1
		push	ecx
		cli
		rdtsc
		sub	eax, [ebx+3C60h]
		mov	ecx, [ebx+3C88h]
		sbb	edx, [ebx+3C64h]
		add	ecx, eax
		adc	[ebx+3CB0h], edx
		add	[ebx+3C88h], eax
		adc	[ebx+3C8Ch], edx
		add	[ebx+3C60h], eax
		adc	[ebx+3C64h], edx
		test	byte ptr [esi+2], 36h
		jnz	loc_5A2392
		dec	byte ptr [ebx+131h]
		sti

loc_5A21B3:				; CODE XREF: EnlightenedSwapContext+261j
		inc	dword ptr [ebx+10h]
		push	dword ptr [ebx]
		mov	eax, [edi+238h]
		mov	edx, [edi+23Ch]
		mov	ecx, [edi+4Ch]
		jmp	ds:_EnlightenedSwapContext_NpxSave
EnlightenedSwapContext endp


;  S U B	R O U T	I N E 


_EnlightenedSwapContext_SaveIpt	proc near ; CODE XREF: _EnlightenedSwapContext_Fxsave+3j
					; _EnlightenedSwapContext_Xsaveopt+3j ...

arg_8		= dword	ptr  0Ch

; FUNCTION CHUNK AT 005A235D SIZE 00000035 BYTES
; FUNCTION CHUNK AT 005A23A6 SIZE 00000035 BYTES

		test	eax, 100h
		jz	short _EnlightenedSwapContext_NoNpxSave
		cmp	ds:_KiIptMsrMask, 0
		jz	short _EnlightenedSwapContext_NoNpxSave
		mov	ecx, edi
		call	@KiSaveThreadIptState@4	; KiSaveThreadIptState(x)

_EnlightenedSwapContext_NoNpxSave:	; CODE XREF: EnlightenedSwapContext+87j
					; _EnlightenedSwapContext_SaveIpt+5j ...
		mov	[edi+48h], esp
		mov	esp, [esi+48h]
		mov	ecx, [esi+150h]
		cmp	ecx, [edi+150h]
		jz	short loc_5A21FD
		call	@KiUpdateSpeculationControl@4 ;	KiUpdateSpeculationControl(x)

loc_5A21FD:				; CODE XREF: _EnlightenedSwapContext_SaveIpt+29j
		mov	ebp, [esi+80h]
		mov	eax, [edi+80h]
		cmp	ebp, eax
		jz	short loc_5A225B
		mov	ecx, [ebx+14h]
		lock xor [ebp+60h], ecx
		mov	ecx, [ebp+1Ch]
		or	ecx, [eax+1Ch]
		jnz	loc_5A235D

loc_5A2220:				; CODE XREF: _EnlightenedSwapContext_SaveIpt+1C0j
		mov	eax, [ebp+18h]
		test	ss:_KiKvaShadow, 1
		jz	short loc_5A2248
		mov	[ebx+5000h], eax
		and	dword ptr [ebx+500Ch], 0FFFFFFFDh
		bt	dword ptr [ebp+74h], 0
		jnb	short loc_5A2248
		or	dword ptr [ebx+500Ch], 2

loc_5A2248:				; CODE XREF: _EnlightenedSwapContext_SaveIpt+5Ej
					; _EnlightenedSwapContext_SaveIpt+72j
		push	eax
		call	_HvlSwitchVirtualAddressSpace@4	; HvlSwitchVirtualAddressSpace(x)
		mov	eax, [edi+80h]
		mov	ecx, [ebx+14h]
		lock xor [eax+60h], ecx

loc_5A225B:				; CODE XREF: _EnlightenedSwapContext_SaveIpt+3Ej
		mov	eax, [esi+20h]
		test	byte ptr [eax-1Ah], 2
		jnz	short loc_5A2267
		sub	eax, 10h

loc_5A2267:				; CODE XREF: _EnlightenedSwapContext_SaveIpt+95j
		test	ss:_KiKvaShadow, 1
		mov	[ebx+5004h], eax
		jnz	short loc_5A227D
		mov	edx, [ebx+0Ch]
		mov	[edx+4], eax

loc_5A227D:				; CODE XREF: _EnlightenedSwapContext_SaveIpt+A8j
		mov	edx, [ebx+0Ch]
		mov	ax, [ebp+76h]
		mov	[edx+66h], ax
		cmp	ds:_KiCpuTracingFlags, 0
		jnz	loc_5A23A6

loc_5A2295:				; CODE XREF: _EnlightenedSwapContext_SaveIpt+1FEj
					; _EnlightenedSwapContext_SaveIpt+209j
		mov	byte ptr [edi+55h], 0
		mov	ecx, [esi+4Ch]

_EnlightenedSwapContext_X87Jmp:
		jmp	short loc_5A22A0
; 
		fninit

loc_5A22A0:				; CODE XREF: _EnlightenedSwapContext_SaveIpt:_EnlightenedSwapContext_X87Jmpj
		mov	eax, [edi+238h]
		mov	edx, [edi+23Ch]
		and	eax, 0FFDF05F0h
		and	edx, 0FFDF05F4h
		or	eax, [esi+238h]
		or	edx, [esi+23Ch]
		jmp	ds:_EnlightenedSwapContext_NpxLoad
_EnlightenedSwapContext_SaveIpt	endp


;  S U B	R O U T	I N E 


_EnlightenedSwapContext_RestoreIpt proc	near ; CODE XREF: _EnlightenedSwapContext_Fxrstor+3j
					; _EnlightenedSwapContext_Xrstor+3j ...

; FUNCTION CHUNK AT 005A2413 SIZE 00000013 BYTES

		test	eax, 100h
		jz	short _EnlightenedSwapContext_NoNpxLoad
		cmp	ds:_KiIptMsrMask, 0
		jz	short _EnlightenedSwapContext_NoNpxLoad
		mov	ecx, esi
		call	@KiRestoreThreadIptState@4 ; KiRestoreThreadIptState(x)

_EnlightenedSwapContext_NoNpxLoad:	; CODE XREF: _EnlightenedSwapContext_SaveIpt+F6j
					; _EnlightenedSwapContext_RestoreIpt+5j ...
		mov	ebp, [esi+80h]
		mov	ecx, [ebx+3Ch]
		mov	eax, [esi+0A8h]
		mov	[ebx+18h], eax
		test	eax, eax
		jnz	short loc_5A22FC
		mov	eax, [esi+380h]

loc_5A22FC:				; CODE XREF: _EnlightenedSwapContext_RestoreIpt+2Bj
		mov	[ecx+3Ah], ax
		shr	eax, 10h
		mov	[ecx+3Ch], al
		mov	[ecx+3Fh], ah
		mov	eax, [esi+384h]
		mov	[ecx+62h], ax
		shr	eax, 10h
		mov	[ecx+64h], al
		mov	[ecx+67h], ah
		inc	dword ptr [esi+8Ch]
		pop	dword ptr [ebx]
		pop	ecx
		test	dword ptr [ebx+235Ch], 10001h
		jnz	loc_5A2413
		cmp	byte ptr [esi+85h], 0
		jnz	short loc_5A2341
		xor	eax, eax
		retn
; 

loc_5A2341:				; CODE XREF: _EnlightenedSwapContext_RestoreIpt+73j
		cmp	word ptr [esi+13Eh], 0
		jnz	short loc_5A2359
		test	cl, cl
		jz	short loc_5A2359
		mov	cl, 1
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		or	eax, esp

loc_5A2359:				; CODE XREF: _EnlightenedSwapContext_RestoreIpt+80j
					; _EnlightenedSwapContext_RestoreIpt+84j
		setz	al
		retn
_EnlightenedSwapContext_RestoreIpt endp	; sp =	8

; 
; START	OF FUNCTION CHUNK FOR _EnlightenedSwapContext_SaveIpt

loc_5A235D:				; CODE XREF: _EnlightenedSwapContext_SaveIpt+4Dj
		mov	eax, [ebp+1Ch]
		test	eax, eax
		jz	short loc_5A238A
		mov	ecx, [ebx+3Ch]
		mov	[ecx+48h], eax
		mov	eax, [ebp+20h]
		mov	[ecx+4Ch], eax
		mov	ecx, [ebx+38h]
		mov	eax, [ebp+24h]
		mov	[ecx+108h], eax
		mov	eax, [ebp+28h]
		mov	[ecx+10Ch], eax
		mov	eax, 48h

loc_5A238A:				; CODE XREF: _EnlightenedSwapContext_SaveIpt+195j
		lldt	ax
		jmp	loc_5A2220
; END OF FUNCTION CHUNK	FOR _EnlightenedSwapContext_SaveIpt
; 
; START	OF FUNCTION CHUNK FOR EnlightenedSwapContext

loc_5A2392:				; CODE XREF: EnlightenedSwapContext+66j
		push	edx
		push	eax
		lea	ecx, [ebx+120h]
		mov	edx, esi
		call	KiBeginThreadAccountingPeriod
		jmp	loc_5A21B3
; END OF FUNCTION CHUNK	FOR EnlightenedSwapContext
; 
; START	OF FUNCTION CHUNK FOR _EnlightenedSwapContext_SaveIpt

loc_5A23A6:				; CODE XREF: _EnlightenedSwapContext_SaveIpt+C2j
		test	dword ptr ds:byte_70EFC4, 4
		jz	short loc_5A23C1
		mov	edx, esi
		mov	ecx, edi
		push	ebp
		mov	ebp, [esp+4+arg_8]
		call	EtwTraceContextSwap
		pop	ebp

loc_5A23C1:				; CODE XREF: _EnlightenedSwapContext_SaveIpt+1E3j
		test	ds:_KiCpuTracingFlags, 4
		jz	loc_5A2295
		call	@KiResetProcessorTraceBuffer@0 ; KiResetProcessorTraceBuffer()
		jmp	loc_5A2295
; END OF FUNCTION CHUNK	FOR _EnlightenedSwapContext_SaveIpt

;  S U B	R O U T	I N E 


_EnlightenedSwapContext_Fxsave proc near ; DATA	XREF: KiEnableNpxStateSwitching+F524o
		fxsave	dword ptr [ecx]
		jmp	_EnlightenedSwapContext_SaveIpt
_EnlightenedSwapContext_Fxsave endp

; 
_EnlightenedSwapContext_Xsave db 0Fh	; DATA XREF: KiEnableNpxStateSwitching:loc_AEB819o
		dd 0E2E921AEh
		db 0FDh, 2 dup(0FFh)

;  S U B	R O U T	I N E 


_EnlightenedSwapContext_Xsaveopt proc near ; DATA XREF:	KiEnableNpxStateSwitching+4Do
		mfence	dword ptr [ecx]
		jmp	_EnlightenedSwapContext_SaveIpt
_EnlightenedSwapContext_Xsaveopt endp


;  S U B	R O U T	I N E 


_EnlightenedSwapContext_Xsaves proc near ; DATA	XREF: KiEnableNpxStateSwitching:loc_AEB80Ao
		cmpxchg8b qword	ptr [ecx]
		jmp	_EnlightenedSwapContext_SaveIpt
_EnlightenedSwapContext_Xsaves endp


;  S U B	R O U T	I N E 


_EnlightenedSwapContext_Fxrstor	proc near ; DATA XREF: KiEnableNpxStateSwitching+F529o
		fxrstor	dword ptr [ecx]
		jmp	_EnlightenedSwapContext_RestoreIpt
_EnlightenedSwapContext_Fxrstor	endp


;  S U B	R O U T	I N E 


_EnlightenedSwapContext_Xrstor proc near ; DATA	XREF: KiEnableNpxStateSwitching+25o
		lfence	dword ptr [ecx]
		jmp	_EnlightenedSwapContext_RestoreIpt
_EnlightenedSwapContext_Xrstor endp


;  S U B	R O U T	I N E 


_EnlightenedSwapContext_Xrstors	proc near ; DATA XREF: KiEnableNpxStateSwitching:loc_AEB7FBo
		cmpxchg8b qword	ptr [ecx]
		jmp	_EnlightenedSwapContext_RestoreIpt
_EnlightenedSwapContext_Xrstors	endp

; 
; START	OF FUNCTION CHUNK FOR _EnlightenedSwapContext_RestoreIpt

loc_5A2413:				; CODE XREF: _EnlightenedSwapContext_RestoreIpt+66j
		mov	eax, [edi+20h]
		push	0
		push	eax
		push	esi
		push	edi
		push	0B8h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		retn
; END OF FUNCTION CHUNK	FOR _EnlightenedSwapContext_RestoreIpt
; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KeFlushCurrentTb()
_KeFlushCurrentTb@0 proc near		; CODE XREF: KxFlushEntireTb(x):loc_48E2EBp
					; KiFlushTargetEntireTb(x,x,x,x)p ...
		mov	eax, cr3
		mov	cr3, eax
		retn
_KeFlushCurrentTb@0 endp

; 

loc_5A242F:				; DATA XREF: Ki386EnableGlobalPage(x)+22o
		mov	eax, cr4
		btr	eax, 7
		jnb	short loc_5A2441
		mov	cr4, eax
		or	al, 80h
		mov	cr4, eax
		retn
; 

loc_5A2441:				; CODE XREF: .text:005A2436j
		mov	ecx, cr3
		mov	cr3, ecx
; 
byte_5A2447	db 0C3h			; DATA XREF: Ki386EnableGlobalPage(x)+2Ew
					; Ki386EnableGlobalPage(x):loc_71A2C1r

;  S U B	R O U T	I N E 


; __stdcall KiFlushDcache()
_KiFlushDcache@0 proc near
		retn
_KiFlushDcache@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall KiIdleLoop()
@KiIdleLoop@0	proc near		; CODE XREF: KiSystemStartup(x)+253j
					; DATA XREF: KiInitializeIdleThread(x,x,x,x)+15o ...
		jmp	short loc_5A2459
; 

loc_5A244E:				; CODE XREF: KiIdleLoop()+108j
		lea	ecx, [ebx+120h]
		call	@PoIdle@4	; PoIdle(x)

loc_5A2459:				; CODE XREF: KiIdleLoop()j
					; KiIdleLoop()+E9j ...
		cmp	ds:_HvlEnableIdleYield,	0
		jz	short loc_5A2464
		pause

loc_5A2464:				; CODE XREF: KiIdleLoop()+14j
		sti
		nop
		nop
		cli
		test	byte ptr [ebx+235Ch], 3Fh
		jz	short loc_5A2484
		mov	cl, 2
		call	ds:__imp_@HalClearSoftwareInterrupt@4 ;	HalClearSoftwareInterrupt(x)
		lea	ecx, [ebx+120h]
		call	KiRetireDpcList

loc_5A2484:				; CODE XREF: KiIdleLoop()+23j
		cmp	byte ptr [ebx+2359h], 0
		jz	short loc_5A24A3
		mov	cl, 2
		call	ds:__imp_@HalClearSoftwareInterrupt@4 ;	HalClearSoftwareInterrupt(x)
		mov	byte ptr [ebx+2359h], 0
		sti
		call	KiQuantumEnd
		cli

loc_5A24A3:				; CODE XREF: KiIdleLoop()+3Fj
		cmp	dword ptr [ebx+128h], 0
		jz	loc_5A254D
		sti
		mov	edi, [ebx+124h]
		lock bts dword ptr [ebx+2344h],	0
		jb	short loc_5A24CB
		inc	large dword ptr	fs:41C0h
		jmp	short loc_5A24D6
; 

loc_5A24CB:				; CODE XREF: KiIdleLoop()+74j
		lea	ecx, [ebx+2344h]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_5A24D6:				; CODE XREF: KiIdleLoop()+7Dj
		mov	esi, [ebx+128h]
		cmp	esi, edi
		jz	short loc_5A253A
		and	dword ptr [ebx+128h], 0
		cli
		rdtsc
		sub	eax, [ebx+3C60h]
		mov	ecx, [edi+30h]
		sbb	edx, [ebx+3C64h]
		add	ecx, eax
		adc	[edi+38h], edx
		add	[edi+30h], eax
		adc	[edi+34h], edx
		add	[ebx+3C60h], eax
		adc	[ebx+3C64h], edx
		inc	byte ptr [ebx+131h]
		sti
		mov	[ebx+124h], esi
		mov	byte ptr [esi+90h], 2
		and	dword ptr [ebx+2344h], 0

loc_5A252B:				; CODE XREF: KiIdleLoop()+124j
		mov	ecx, 1
		call	near ptr _SwapContext@0	; SwapContext()
		jmp	loc_5A2459
; 

loc_5A253A:				; CODE XREF: KiIdleLoop()+92j
		and	dword ptr [ebx+128h], 0
		and	dword ptr [ebx+2344h], 0
		jmp	loc_5A2459
; 

loc_5A254D:				; CODE XREF: KiIdleLoop()+5Ej
		cmp	byte ptr [ebx+235Bh], 0
		jz	loc_5A244E
		sti
		lea	ecx, [ebx+120h]
		call	KiIdleSchedule
		test	eax, eax
		mov	esi, eax
		mov	edi, [ebx+12Ch]
		jnz	short loc_5A252B
		jmp	loc_5A2459
@KiIdleLoop@0	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall Ki386AdjustEsp0(x)
_Ki386AdjustEsp0@4 proc	near		; CODE XREF: KeContextToKframes+167D58p
					; VdmSwapContexts(x,x,x)+197p ...

arg_0		= dword	ptr  4

		mov	eax, large fs:124h
		mov	edx, [esp+arg_0]
		pushf
		cli
		mov	ecx, [eax+20h]
		test	dword ptr [edx+70h], 20000h
		jnz	short loc_5A2593
		sub	ecx, 10h

loc_5A2593:				; CODE XREF: Ki386AdjustEsp0(x)+16j
		test	ss:_KiKvaShadow, 1
		mov	large fs:5004h,	ecx
		jnz	short loc_5A25AE
		mov	edx, large fs:0Ch
		mov	[edx+4], ecx

loc_5A25AE:				; CODE XREF: Ki386AdjustEsp0(x)+2Aj
		popf
		retn	4
_Ki386AdjustEsp0@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall KiLoadLdtr(x)
@KiLoadLdtr@4	proc near		; CODE XREF: KiStackAttachProcess+90C28p
					; KiAttachProcess+8D9AAp ...
		push	esi
		push	edi
		lea	esi, [ecx+1Ch]
		xor	dx, dx
		cmp	word ptr [esi],	0
		jz	short loc_5A25D2
		mov	edi, large fs:3Ch
		add	edi, 48h
		movsd
		movsd
		mov	dx, 48h

loc_5A25D2:				; CODE XREF: KiLoadLdtr(x)+Cj
		lldt	dx
		pop	edi
		pop	esi
		call	_KiFlushDescriptors@0 ;	KiFlushDescriptors()
		retn
@KiLoadLdtr@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiFlushDescriptors()
_KiFlushDescriptors@0 proc near		; CODE XREF: KiLoadLdtr(x)+23p
					; Ki386FlushTargetDescriptors(x,x,x,x)+9p
		xor	ax, ax
		db	66h
		mov	gs, ax
		assume gs:nothing
		push	ds
		pop	es
		retn
_KiFlushDescriptors@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ki386VdmEnablePentiumExtentions(x)
_Ki386VdmEnablePentiumExtentions@4 proc	near ; DATA XREF: KeI386VdmInitialize()+A9o

arg_0		= dword	ptr  8

		push	ebp
		mov	ebp, esp
		pushf
		cli
		mov	eax, cr4
		test	[ebp+arg_0], 1
		jz	short loc_5A2602
		or	eax, 1
		jmp	short loc_5A2605
; 

loc_5A2602:				; CODE XREF: Ki386VdmEnablePentiumExtentions(x)+Fj
		and	eax, 0FFFFFFFEh

loc_5A2605:				; CODE XREF: Ki386VdmEnablePentiumExtentions(x)+14j
		mov	cr4, eax
		popf
		xor	eax, eax
		mov	esp, ebp
		pop	ebp
		retn	4
_Ki386VdmEnablePentiumExtentions@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


KiFlushBhbDuringTrapEntryOrExit@0 proc near ; CODE XREF: Dr_kass_a+354p
					; sub_59973A+Bp ...
		mov	eax, 0DADAh
		mov	ecx, 0DADAh
		test	large byte ptr fs:22D9h, 18h
		jnz	short loc_5A2635
		int	3		; Trap to Debugger

loc_5A2635:				; CODE XREF: KiFlushBhbDuringTrapEntryOrExit@0+12j
		mov	al, large fs:22D9h
		and	al, 18h
		cmp	al, 8
		jz	short KiFlushBhbDuringTrapEntryOrExitPreAlderLake@0
		cmp	al, 10h
		jz	short KiFlushBhbDuringTrapEntryOrExitAlderLake@0
		cmp	al, 18h
		jz	KiFlushBhbDuringTrapEntryOrExitTsx@0
		int	3		; Trap to Debugger
		retn
; 
		align 10h

KiFlushBhbDuringTrapEntryOrExitPreAlderLake@0:
					; CODE XREF: KiFlushBhbDuringTrapEntryOrExit@0+1Fj
		mov	ecx, 5
		call	sub_5A2660
		jmp	short nullsub_5
KiFlushBhbDuringTrapEntryOrExit@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


sub_5A2660	proc near		; CODE XREF: KiFlushBhbDuringTrapEntryOrExit@0+35p
					; sub_5A2670+10j
		call	sub_5A2670
		retn
sub_5A2660	endp

; 
		align 10h

;  S U B	R O U T	I N E 


sub_5A2670	proc near		; CODE XREF: sub_5A2660p
		mov	eax, 5

loc_5A2675:				; CODE XREF: sub_5A2670+Bj
		jmp	short loc_5A2678
; 
		align 4

loc_5A2678:				; CODE XREF: sub_5A2670:loc_5A2675j
		sub	eax, 1
		jnz	short loc_5A2675
		sub	ecx, 1
		jnz	short sub_5A2660
		retn
sub_5A2670	endp

; 
		align 4
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_5. PRESS KEYPAD "+" TO EXPAND]
		align 4

;  S U B	R O U T	I N E 


KiFlushBhbDuringTrapEntryOrExitAlderLake@0 proc	near
					; CODE XREF: KiFlushBhbDuringTrapEntryOrExit@0+23j
		mov	ecx, 0Ch
		call	sub_5A26A0
		jmp	short nullsub_6
KiFlushBhbDuringTrapEntryOrExitAlderLake@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


sub_5A26A0	proc near		; CODE XREF: KiFlushBhbDuringTrapEntryOrExitAlderLake@0+5p
					; sub_5A26B0+10j
		call	sub_5A26B0
		retn
sub_5A26A0	endp

; 
		align 10h

;  S U B	R O U T	I N E 


sub_5A26B0	proc near		; CODE XREF: sub_5A26A0p
		mov	eax, 7

loc_5A26B5:				; CODE XREF: sub_5A26B0+Bj
		jmp	short loc_5A26B8
; 
		align 4

loc_5A26B8:				; CODE XREF: sub_5A26B0:loc_5A26B5j
		sub	eax, 1
		jnz	short loc_5A26B5
		sub	ecx, 1
		jnz	short sub_5A26A0
		retn
sub_5A26B0	endp

; 
		align 4
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_6. PRESS KEYPAD "+" TO EXPAND]
		align 4

;  S U B	R O U T	I N E 


KiFlushBhbDuringTrapEntryOrExitTsx@0 proc near
					; CODE XREF: KiFlushBhbDuringTrapEntryOrExit@0+27j
		mov	ax, 7
		mov	al, 0
		lfence	eax
		int	3		; Trap to Debugger
		retn
KiFlushBhbDuringTrapEntryOrExitTsx@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KeExecuteVerw()
_KeExecuteVerw@0 proc near		; CODE XREF: PoIdle(x)+DCp
					; PoIdle(x)+2D0p ...
		verw	large word ptr fs:5028h
		retn
_KeExecuteVerw@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


OpcodeNPXV86	proc near		; CODE XREF: Ki386DispatchOpcode(x):loc_A47202p
					; Ki386DispatchOpcodeV86(x)+45p ...
		push	7
		call	_Ki386VdmReflectException@4 ; Ki386VdmReflectException(x)
		mov	eax, 1
		retn
OpcodeNPXV86	endp


;  S U B	R O U T	I N E 


KiVdmSetUserCR0	proc near		; CODE XREF: VdmOpcodeLmsw+3Dp
					; VdmOpcodeSetCrx+47p
		mov	eax, cr0
		retn
KiVdmSetUserCR0	endp

; 
		align 4

; __stdcall KiThreadStartup(x)
_KiThreadStartup@4:			; DATA XREF: KiInitializeContextThread+22Co
		xor	ebx, ebx
		xor	esi, esi
		xor	edi, edi
		mov	ecx, 1
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebp
		pop	eax
		call	eax
		pop	ecx
		or	ecx, ecx
		jz	short loc_5A2717
		jmp	Kei386EoiHelper@0
; 

loc_5A2717:				; CODE XREF: .text:005A2710j
		push	0Eh
		call	_KeBugCheck@4	; KeBugCheck(x)
; 
		dw 0CCCCh
; Exported entry  43. ExInterlockedFlushSList

;  S U B	R O U T	I N E 


; __fastcall ExInterlockedFlushSList(x)
		public @ExInterlockedFlushSList@4
@ExInterlockedFlushSList@4 proc	near	; CODE XREF: PfFbBufferListFlushStandby+12p
					; RtlpHpVsContextFree:loc_49E451p ...
		push	ebx
		push	ebp
		xor	ebx, ebx
		mov	ebp, ecx
		mov	edx, [ebp+4]
		mov	eax, [ebp+0]
		mov	ecx, 0FFFF0000h

loc_5A2731:				; CODE XREF: ExInterlockedFlushSList(x)+16j
		lock cmpxchg8b qword ptr [ebp+0]
		jnz	short loc_5A2731
		pop	ebp
		pop	ebx
		retn
@ExInterlockedFlushSList@4 endp

; 
		align 4
; Exported entry  47. ExInterlockedPopEntrySList
; Exported entry 113. InterlockedPopEntrySList

;  S U B	R O U T	I N E 


; __fastcall ExInterlockedPopEntrySList(x, x)
		public @ExInterlockedPopEntrySList@8
@ExInterlockedPopEntrySList@8 proc near	; CODE XREF: MiPaeAllocate+26p
					; MiGetInPageSupportBlock(x)+15p ...

var_4		= dword	ptr -4

		push	ebx		; ExInterlockedPopEntrySList
		push	ebp
		mov	ebp, ecx
		sub	esp, 4
		xor	eax, eax
		mov	[esp+4+var_4], eax

_ExpInterlockedPopEntrySListResume:	; CODE XREF: ExInterlockedPopEntrySList(x,x)+43j
					; ExInterlockedPopEntrySList(x,x)+4Bj
					; DATA XREF: ...
		movzx	eax, large byte	ptr fs:51h
		shl	eax, 10h
		mov	edx, [ebp+4]
		mov	ecx, eax
		shr	eax, 10h
		mov	cx, dx
		cmp	ecx, edx
		jz	short loc_5A2768
		xchg	ax, [ebp+6]
		mov	edx, ecx

loc_5A2768:				; CODE XREF: ExInterlockedPopEntrySList(x,x)+24j
		mov	eax, [ebp+0]
		or	eax, eax
		jz	short loc_5A2789
		dec	cx

_ExpInterlockedPopEntrySListFault:	; DATA XREF: MiDispatchFault+36Bo
					; MiResolveProtoPteFault(x,x,x)+D8Eo ...
		mov	ebx, [eax]

_ExpInterlockedPopEntrySListEnd:	; CODE XREF: ExInterlockedPopEntrySList(x,x)+4Fj
					; DATA XREF: KiCheckForSListAddress(x)+24o
		lock cmpxchg8b qword ptr [ebp+0]
		jz	short loc_5A278D
		mov	cx, dx
		cmp	ecx, edx
		jle	short _ExpInterlockedPopEntrySListResume
		push	esp
		call	_RtlBackoff@4	; RtlBackoff(x)
		jmp	short _ExpInterlockedPopEntrySListResume
; 

loc_5A2789:				; CODE XREF: ExInterlockedPopEntrySList(x,x)+31j
		xor	ebx, ebx
		jmp	short _ExpInterlockedPopEntrySListEnd
; 

loc_5A278D:				; CODE XREF: ExInterlockedPopEntrySList(x,x)+3Cj
		add	esp, 4
		pop	ebp
		pop	ebx
		retn
@ExInterlockedPopEntrySList@8 endp

; 
		align 4
; Exported entry  49. ExInterlockedPushEntrySList

;  S U B	R O U T	I N E 


; __fastcall ExInterlockedPushEntrySList(x, x, x)
		public @ExInterlockedPushEntrySList@12
@ExInterlockedPushEntrySList@12	proc near
		pop	dword ptr [esp+0]
		nop
@ExInterlockedPushEntrySList@12	endp

; Exported entry 114. InterlockedPushEntrySList

;  S U B	R O U T	I N E 


; __fastcall InterlockedPushEntrySList(x, x)
		public @InterlockedPushEntrySList@8
@InterlockedPushEntrySList@8 proc near	; CODE XREF: MiPaeFree+2Ep
					; MiQueuePageAccessLog(x)+55p ...
		push	ebx
		push	ebp
		mov	ebp, ecx
		mov	ebx, edx
		mov	edx, [ebp+4]
		mov	eax, [ebp+0]

loc_5A27A4:				; CODE XREF: InterlockedPushEntrySList(x,x)+17j
		mov	[ebx], eax
		mov	ecx, edx
		inc	cx
		lock cmpxchg8b qword ptr [ebp+0]
		jnz	short loc_5A27A4
		pop	ebp
		pop	ebx
		retn
@InterlockedPushEntrySList@8 endp

; Exported entry 115. InterlockedPushListSList

;  S U B	R O U T	I N E 


; __fastcall InterlockedPushListSList(x, x, x, x)
		public @InterlockedPushListSList@16
@InterlockedPushListSList@16 proc near	; CODE XREF: MiPaeAllocate+16Dp
					; MiReplenishPageSlist(x,x,x)+50Cp ...

arg_0		= dword	ptr  0Ch
arg_4		= word ptr  10h

		push	ebx
		push	ebp
		mov	ebp, ecx
		mov	ebx, edx
		mov	edx, [ebp+4]
		mov	eax, [ebp+0]

loc_5A27C0:				; CODE XREF: InterlockedPushListSList(x,x,x,x)+1Ej
		mov	ecx, [esp+arg_0]
		mov	[ecx], eax
		mov	ecx, edx
		add	cx, [esp+arg_4]
		lock cmpxchg8b qword ptr [ebp+0]
		jnz	short loc_5A27C0
		pop	ebp
		pop	ebx
		retn	8
@InterlockedPushListSList@16 endp

; 
		align 4
; Exported entry 461. FirstEntrySList

;  S U B	R O U T	I N E 


; __stdcall FirstEntrySList(x)
		public _FirstEntrySList@4
_FirstEntrySList@4 proc	near		; CODE XREF: PopMarkComponentsBootPhase+B0p

arg_0		= dword	ptr  4

		mov	eax, [esp+arg_0]
		mov	eax, [eax]
		retn	4
_FirstEntrySList@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall RtlInterlockedCompareExchange64(x,	x, x)
@RtlInterlockedCompareExchange64@12 proc near

arg_0		= dword	ptr  0Ch

		push	ebx
		push	ebp
		mov	ebp, ecx
		mov	ebx, [edx]
		mov	ecx, [edx+4]
		mov	edx, [esp+arg_0]
		mov	eax, [edx]
		mov	edx, [edx+4]
		lock cmpxchg8b qword ptr [ebp+0]
		pop	ebp
		pop	ebx
		retn	4
@RtlInterlockedCompareExchange64@12 endp


;  S U B	R O U T	I N E 


; __stdcall InterlockedCompareExchange64(x, x, x, x, x)
_InterlockedCompareExchange64@20 proc near

arg_0		= dword	ptr  0Ch
arg_4		= dword	ptr  10h
arg_8		= dword	ptr  14h
arg_C		= dword	ptr  18h
arg_10		= dword	ptr  1Ch

		push	ebx
		push	ebp
		mov	ebp, [esp+arg_0]
		mov	ebx, [esp+arg_4]
		mov	ecx, [esp+arg_8]
		mov	eax, [esp+arg_C]
		mov	edx, [esp+arg_10]
		lock cmpxchg8b qword ptr [ebp+0]
		pop	ebp
		pop	ebx
		retn	14h
_InterlockedCompareExchange64@20 endp

; 
		align 10h
; Exported entry 1984. RtlCompareMemory

;  S U B	R O U T	I N E 


; SIZE_T __stdcall RtlCompareMemory(const void *Source1,const void *Source2,SIZE_T Length)
		public _RtlCompareMemory@12
_RtlCompareMemory@12 proc near		; CODE XREF: IoReportTargetDeviceChangeAsynchronous+4Ep
					; IoReportTargetDeviceChangeAsynchronous+6Cp ...

Source1		= dword	ptr  0Ch
Source2		= dword	ptr  10h
Length		= dword	ptr  14h

		push	esi
		push	edi
		cld
		mov	esi, [esp+Source1]
		mov	edi, [esp+Source2]
		mov	ecx, [esp+Length]
		shr	ecx, 2
		jz	short loc_5A2848
		repe cmpsd
		jnz	short loc_5A285E

loc_5A2848:				; CODE XREF: RtlCompareMemory(x,x,x)+12j
		mov	ecx, [esp+Length]
		and	ecx, 3
		jz	short loc_5A2855
		repe cmpsb
		jnz	short loc_5A286B

loc_5A2855:				; CODE XREF: RtlCompareMemory(x,x,x)+1Fj
		mov	eax, [esp+Length]
		pop	edi
		pop	esi
		retn	0Ch
; 

loc_5A285E:				; CODE XREF: RtlCompareMemory(x,x,x)+16j
		sub	esi, 4
		sub	edi, 4
		mov	ecx, 4
		repe cmpsb

loc_5A286B:				; CODE XREF: RtlCompareMemory(x,x,x)+23j
		dec	esi
		sub	esi, [esp+Source1]
		mov	eax, esi
		pop	edi
		pop	esi
		retn	0Ch
_RtlCompareMemory@12 endp

; 
		align 10h
; Exported entry 1985. RtlCompareMemoryUlong

;  S U B	R O U T	I N E 


; __stdcall RtlCompareMemoryUlong(x, x,	x)
		public _RtlCompareMemoryUlong@12
_RtlCompareMemoryUlong@12 proc near	; CODE XREF: MiFreedUnusedPfnPagesWorker+102p
					; MiFreedUnusedPfnPagesWorker+14Cp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	edi
		mov	edi, [esp+arg_0]
		mov	ecx, [esp+arg_4]
		mov	eax, [esp+arg_8]
		shr	ecx, 2
		repe scasd
		jz	short loc_5A2897
		sub	edi, 4

loc_5A2897:				; CODE XREF: RtlCompareMemoryUlong(x,x,x)+12j
		sub	edi, [esp+arg_0]
		mov	eax, edi
		pop	edi
		retn	0Ch
_RtlCompareMemoryUlong@12 endp

; 
		align 10h
; Exported entry 2074. RtlFillMemory

;  S U B	R O U T	I N E 


; __stdcall RtlFillMemory(x, x,	x)
		public _RtlFillMemory@12
_RtlFillMemory@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		push	edi
		mov	edi, [esp+arg_0]
		mov	ecx, [esp+arg_4]
		mov	al, [esp+arg_8]
		mov	ah, al
		shl	eax, 10h
		mov	al, [esp+arg_8]
		mov	ah, al
		cld
		mov	edx, ecx
		and	edx, 3
		shr	ecx, 2
		rep stosd
		or	ecx, edx
		jnz	short loc_5A28DB
		pop	edi
		retn	0Ch
; 

loc_5A28DB:				; CODE XREF: RtlFillMemory(x,x,x)+25j
		rep stosb
		pop	edi
		retn	0Ch
_RtlFillMemory@12 endp

; 
		align 10h
; Exported entry 2076. RtlFillMemoryUlonglong

;  S U B	R O U T	I N E 


; __stdcall RtlFillMemoryUlonglong(x, x, x, x)
		public _RtlFillMemoryUlonglong@16
_RtlFillMemoryUlonglong@16 proc	near	; CODE XREF: MiCompletePrivateZeroFault(x,x,x)+473p
					; MiCreatePagingFileMap(x)+6BAp ...

arg_0		= dword	ptr  0Ch
arg_4		= dword	ptr  10h
arg_8		= dword	ptr  14h
arg_C		= dword	ptr  18h

		push	esi
		push	edi
		mov	ecx, [esp+arg_4]
		mov	esi, [esp+arg_0]
		mov	eax, [esp+arg_8]
		shr	ecx, 2
		sub	ecx, 2
		mov	[esi], eax
		mov	eax, [esp+arg_C]
		lea	edi, [esi+8]
		mov	[esi+4], eax
		rep movsd
		pop	edi
		pop	esi
		retn	10h
_RtlFillMemoryUlonglong@16 endp

; 
		align 10h
; Exported entry 2075. RtlFillMemoryUlong

;  S U B	R O U T	I N E 


; __stdcall RtlFillMemoryUlong(x, x, x)
		public _RtlFillMemoryUlong@12
_RtlFillMemoryUlong@12 proc near	; CODE XREF: MiFillPhysicalPages+4Cp
					; RtlSetAllBits(x)+21p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	edi
		mov	edi, [esp+arg_0]
		mov	ecx, [esp+arg_4]
		mov	eax, [esp+arg_8]
		shr	ecx, 2
		rep stosd
		pop	edi
		retn	0Ch
_RtlFillMemoryUlong@12 endp

; 
		align 10h
; Exported entry 2412. RtlZeroMemory

;  S U B	R O U T	I N E 


; __stdcall RtlZeroMemory(x, x)
		public _RtlZeroMemory@8
_RtlZeroMemory@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	edi
		mov	edi, [esp+arg_0]
		mov	ecx, [esp+arg_4]
		xor	eax, eax
		cld
		mov	edx, ecx
		and	edx, 3
		shr	ecx, 2
		rep stosd
		or	ecx, edx
		jnz	short loc_5A295E
		pop	edi
		retn	8
; 

loc_5A295E:				; CODE XREF: RtlZeroMemory(x,x)+18j
		rep stosb
		pop	edi
		retn	8
_RtlZeroMemory@8 endp

; 
		lea	esp, [esp+0]
		jmp	short _RtlMoveMemory@12	; RtlMoveMemory(x,x,x)
; 
		align 10h
; Exported entry 2254. RtlMoveMemory

;  S U B	R O U T	I N E 


; __stdcall RtlMoveMemory(x, x,	x)
		public _RtlMoveMemory@12
_RtlMoveMemory@12 proc near		; CODE XREF: .text:005A296Bj

arg_0		= dword	ptr  0Ch
arg_4		= dword	ptr  10h
arg_8		= dword	ptr  14h

		push	esi
		push	edi
		mov	esi, [esp+arg_4]
		mov	edi, [esp+arg_0]
		mov	ecx, [esp+arg_8]
		cld
		cmp	esi, edi
		jbe	short loc_5A299D

loc_5A2983:				; CODE XREF: RtlMoveMemory(x,x,x)+35j
		mov	edx, ecx
		and	edx, 3
		shr	ecx, 2
		rep movsd
		or	ecx, edx
		jnz	short loc_5A2996
		pop	edi
		pop	esi
		retn	0Ch
; 

loc_5A2996:				; CODE XREF: RtlMoveMemory(x,x,x)+1Fj
		rep movsb

loc_5A2998:				; CODE XREF: RtlMoveMemory(x,x,x):loc_5A299Dj
					; RtlMoveMemory(x,x,x)+41j
		pop	edi
		pop	esi
		retn	0Ch
; 

loc_5A299D:				; CODE XREF: RtlMoveMemory(x,x,x)+11j
		jz	short loc_5A2998
		mov	eax, edi
		sub	eax, esi
		cmp	ecx, eax
		jbe	short loc_5A2983
		std
		add	esi, ecx
		add	edi, ecx
		dec	esi
		dec	edi
		rep movsb
		cld
		jmp	short loc_5A2998
_RtlMoveMemory@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCopyMemoryNonTemporal(x,	x, x)
_RtlCopyMemoryNonTemporal@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	ebx
		mov	esi, [ebp+arg_4]
		mov	edi, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		mov	eax, [esi]
		cld
		mov	edx, ecx
		and	ecx, 3Fh
		shr	edx, 6
		jz	loc_5A2BCF
		dec	edx
		jz	loc_5A2B53
		prefetchnta byte ptr [esi-80h]
		dec	edx
		jz	loc_5A2ADF
		prefetchnta byte ptr [esi-40h]
		dec	edx
		jz	short loc_5A2A6B

loc_5A29ED:				; CODE XREF: RtlCopyMemoryNonTemporal(x,x,x)+B5j
		prefetchnta byte ptr [esi+100h]
		mov	eax, [esi]
		mov	ebx, [esi+4]
		movnti	[edi], eax
		movnti	[edi+4], ebx
		mov	eax, [esi+8]
		mov	ebx, [esi+0Ch]
		movnti	[edi+8], eax
		movnti	[edi+0Ch], ebx
		mov	eax, [esi+10h]
		mov	ebx, [esi+14h]
		movnti	[edi+10h], eax
		movnti	[edi+14h], ebx
		mov	eax, [esi+18h]
		mov	ebx, [esi+1Ch]
		movnti	[edi+18h], eax
		movnti	[edi+1Ch], ebx
		mov	eax, [esi+20h]
		mov	ebx, [esi+24h]
		movnti	[edi+20h], eax
		movnti	[edi+24h], ebx
		mov	eax, [esi+28h]
		mov	ebx, [esi+2Ch]
		movnti	[edi+28h], eax
		movnti	[edi+2Ch], ebx
		mov	eax, [esi+30h]
		mov	ebx, [esi+34h]
		movnti	[edi+30h], eax
		movnti	[edi+34h], ebx
		mov	eax, [esi+38h]
		mov	ebx, [esi+3Ch]
		movnti	[edi+38h], eax
		movnti	[edi+3Ch], ebx
		lea	esi, [esi+40h]
		lea	edi, [edi+40h]
		dec	edx
		jnz	short loc_5A29ED

loc_5A2A6B:				; CODE XREF: RtlCopyMemoryNonTemporal(x,x,x)+37j
		mov	eax, [esi]
		mov	ebx, [esi+4]
		movnti	[edi], eax
		movnti	[edi+4], ebx
		mov	eax, [esi+8]
		mov	ebx, [esi+0Ch]
		movnti	[edi+8], eax
		movnti	[edi+0Ch], ebx
		mov	eax, [esi+10h]
		mov	ebx, [esi+14h]
		movnti	[edi+10h], eax
		movnti	[edi+14h], ebx
		mov	eax, [esi+18h]
		mov	ebx, [esi+1Ch]
		movnti	[edi+18h], eax
		movnti	[edi+1Ch], ebx
		mov	eax, [esi+20h]
		mov	ebx, [esi+24h]
		movnti	[edi+20h], eax
		movnti	[edi+24h], ebx
		mov	eax, [esi+28h]
		mov	ebx, [esi+2Ch]
		movnti	[edi+28h], eax
		movnti	[edi+2Ch], ebx
		mov	eax, [esi+30h]
		mov	ebx, [esi+34h]
		movnti	[edi+30h], eax
		movnti	[edi+34h], ebx
		mov	eax, [esi+38h]
		mov	ebx, [esi+3Ch]
		movnti	[edi+38h], eax
		movnti	[edi+3Ch], ebx
		lea	esi, [esi+40h]
		lea	edi, [edi+40h]

loc_5A2ADF:				; CODE XREF: RtlCopyMemoryNonTemporal(x,x,x)+2Cj
		mov	eax, [esi]
		mov	ebx, [esi+4]
		movnti	[edi], eax
		movnti	[edi+4], ebx
		mov	eax, [esi+8]
		mov	ebx, [esi+0Ch]
		movnti	[edi+8], eax
		movnti	[edi+0Ch], ebx
		mov	eax, [esi+10h]
		mov	ebx, [esi+14h]
		movnti	[edi+10h], eax
		movnti	[edi+14h], ebx
		mov	eax, [esi+18h]
		mov	ebx, [esi+1Ch]
		movnti	[edi+18h], eax
		movnti	[edi+1Ch], ebx
		mov	eax, [esi+20h]
		mov	ebx, [esi+24h]
		movnti	[edi+20h], eax
		movnti	[edi+24h], ebx
		mov	eax, [esi+28h]
		mov	ebx, [esi+2Ch]
		movnti	[edi+28h], eax
		movnti	[edi+2Ch], ebx
		mov	eax, [esi+30h]
		mov	ebx, [esi+34h]
		movnti	[edi+30h], eax
		movnti	[edi+34h], ebx
		mov	eax, [esi+38h]
		mov	ebx, [esi+3Ch]
		movnti	[edi+38h], eax
		movnti	[edi+3Ch], ebx
		lea	esi, [esi+40h]
		lea	edi, [edi+40h]

loc_5A2B53:				; CODE XREF: RtlCopyMemoryNonTemporal(x,x,x)+21j
		mov	eax, [esi]
		mov	ebx, [esi+4]
		movnti	[edi], eax
		movnti	[edi+4], ebx
		mov	eax, [esi+8]
		mov	ebx, [esi+0Ch]
		movnti	[edi+8], eax
		movnti	[edi+0Ch], ebx
		mov	eax, [esi+10h]
		mov	ebx, [esi+14h]
		movnti	[edi+10h], eax
		movnti	[edi+14h], ebx
		mov	eax, [esi+18h]
		mov	ebx, [esi+1Ch]
		movnti	[edi+18h], eax
		movnti	[edi+1Ch], ebx
		mov	eax, [esi+20h]
		mov	ebx, [esi+24h]
		movnti	[edi+20h], eax
		movnti	[edi+24h], ebx
		mov	eax, [esi+28h]
		mov	ebx, [esi+2Ch]
		movnti	[edi+28h], eax
		movnti	[edi+2Ch], ebx
		mov	eax, [esi+30h]
		mov	ebx, [esi+34h]
		movnti	[edi+30h], eax
		movnti	[edi+34h], ebx
		mov	eax, [esi+38h]
		mov	ebx, [esi+3Ch]
		movnti	[edi+38h], eax
		movnti	[edi+3Ch], ebx
		or	ecx, ecx
		jz	short loc_5A2BED
		prefetchnta byte ptr [esi+0]
		lea	esi, [esi+40h]
		lea	edi, [edi+40h]

loc_5A2BCF:				; CODE XREF: RtlCopyMemoryNonTemporal(x,x,x)+1Aj
		mov	edx, ecx
		and	ecx, 3
		shr	edx, 2
		jz	short loc_5A2BE7

loc_5A2BD9:				; CODE XREF: RtlCopyMemoryNonTemporal(x,x,x)+231j
		mov	eax, [esi]
		movnti	[edi], eax
		lea	esi, [esi+4]
		lea	edi, [edi+4]
		dec	edx
		jnz	short loc_5A2BD9

loc_5A2BE7:				; CODE XREF: RtlCopyMemoryNonTemporal(x,x,x)+223j
		or	ecx, ecx
		jz	short loc_5A2BED
		rep movsb

loc_5A2BED:				; CODE XREF: RtlCopyMemoryNonTemporal(x,x,x)+20Fj
					; RtlCopyMemoryNonTemporal(x,x,x)+235j
		sfence
		pop	ebx
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_RtlCopyMemoryNonTemporal@12 endp

; 
		align 4
; Exported entry 167. RtlPrefetchMemoryNonTemporal

;  S U B	R O U T	I N E 


; __fastcall RtlPrefetchMemoryNonTemporal(x, x)
		public @RtlPrefetchMemoryNonTemporal@8
@RtlPrefetchMemoryNonTemporal@8	proc near
		mov	eax, ds:_KePrefetchNTAGranularity

loc_5A2BFD:				; CODE XREF: RtlPrefetchMemoryNonTemporal(x,x)+Dj
		prefetchnta byte ptr [ecx+0]
		add	ecx, eax
		sub	edx, eax
		ja	short loc_5A2BFD
		retn
@RtlPrefetchMemoryNonTemporal@8	endp

; 
		align 10h
; Exported entry 2229. RtlLargeIntegerAdd

;  S U B	R O U T	I N E 


; __stdcall RtlLargeIntegerAdd(x, x, x,	x)
		public _RtlLargeIntegerAdd@16
_RtlLargeIntegerAdd@16 proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch
arg_C		= dword	ptr  10h

		mov	eax, [esp+arg_0]
		add	eax, [esp+arg_8]
		mov	edx, [esp+arg_4]
		adc	edx, [esp+arg_C]
		retn	10h
_RtlLargeIntegerAdd@16 endp

; 
		align 4
; Exported entry 2050. RtlEnlargedIntegerMultiply

;  S U B	R O U T	I N E 


; __stdcall _RtlEnlargedIntegerMultiply(x, x)
		public __RtlEnlargedIntegerMultiply@8
__RtlEnlargedIntegerMultiply@8 proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8

		mov	eax, [esp+arg_0]
		imul	[esp+arg_4]
		retn	8
__RtlEnlargedIntegerMultiply@8 endp

; 
		align 10h
; Exported entry 2052. RtlEnlargedUnsignedMultiply

;  S U B	R O U T	I N E 


; __stdcall _RtlEnlargedUnsignedMultiply(x, x)
		public __RtlEnlargedUnsignedMultiply@8
__RtlEnlargedUnsignedMultiply@8	proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8

		mov	eax, [esp+arg_0]
		mul	[esp+arg_4]
		retn	8
__RtlEnlargedUnsignedMultiply@8	endp

; 
		align 4
; Exported entry 2051. RtlEnlargedUnsignedDivide

;  S U B	R O U T	I N E 


; __stdcall _RtlEnlargedUnsignedDivide(x, x, x,	x)
		public __RtlEnlargedUnsignedDivide@16
__RtlEnlargedUnsignedDivide@16 proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch
arg_C		= dword	ptr  10h

		mov	eax, [esp+arg_0]
		mov	edx, [esp+arg_4]
		mov	ecx, [esp+arg_C]
		div	[esp+arg_8]
		or	ecx, ecx
		jnz	short loc_5A2C54
		retn	10h
; 
		align 4

loc_5A2C54:				; CODE XREF: _RtlEnlargedUnsignedDivide(x,x,x,x)+12j
		mov	[ecx], edx
		retn	10h
__RtlEnlargedUnsignedDivide@16 endp

; 
		align 4
; Exported entry 2071. RtlExtendedLargeIntegerDivide

;  S U B	R O U T	I N E 


; __stdcall RtlExtendedLargeIntegerDivide(x, x,	x, x)
		public _RtlExtendedLargeIntegerDivide@16
_RtlExtendedLargeIntegerDivide@16 proc near ; CODE XREF: KiCalibrateTimeAdjustment+185p
					; RtlLargeIntegerToChar+1859BBp ...

arg_0		= dword	ptr  10h
arg_4		= dword	ptr  14h
arg_8		= dword	ptr  18h
arg_C		= dword	ptr  1Ch

		push	esi
		push	edi
		push	ebx
		mov	eax, [esp+arg_0]
		mov	edx, [esp+arg_4]
		mov	ebx, [esp+arg_8]
		or	ebx, ebx
		jz	short loc_5A2CA6
		push	ebp
		mov	ecx, 40h
		xor	esi, esi
		nop

loc_5A2C78:				; CODE XREF: RtlExtendedLargeIntegerDivide(x,x,x,x)+32j
		shl	eax, 1
		rcl	edx, 1
		rcl	esi, 1
		sbb	edi, edi
		cmp	esi, ebx
		cmc
		sbb	ebp, ebp
		or	edi, ebp
		sub	eax, edi
		and	edi, ebx
		sub	esi, edi
		dec	ecx
		jnz	short loc_5A2C78
		pop	ebp
		pop	ebx
		pop	edi
		mov	ecx, [esp-8+arg_C]
		or	ecx, ecx
		jnz	short loc_5A2CA0
		pop	esi
		retn	10h
; 
		align 10h

loc_5A2CA0:				; CODE XREF: RtlExtendedLargeIntegerDivide(x,x,x,x)+3Dj
		mov	[ecx], esi
		pop	esi
		retn	10h
; 

loc_5A2CA6:				; CODE XREF: RtlExtendedLargeIntegerDivide(x,x,x,x)+11j
		push	0C0000094h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		pop	ebx
		pop	edi
		pop	esi
		retn	10h
_RtlExtendedLargeIntegerDivide@16 endp ; sp = -4

; 
		align 4
; Exported entry 2072. RtlExtendedMagicDivide

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlExtendedMagicDivide(x, x, x, x, x)
		public _RtlExtendedMagicDivide@20
_RtlExtendedMagicDivide@20 proc	near	; CODE XREF: TimeToDaysAndFraction+1Cp
					; TimeToDaysAndFraction+33p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, 80000000h
		jz	short loc_5A2CD4
		neg	[ebp+arg_4]
		neg	[ebp+arg_0]
		sbb	[ebp+arg_4], 0

loc_5A2CD4:				; CODE XREF: RtlExtendedMagicDivide(x,x,x,x,x)+10j
		mov	eax, [ebp+arg_8]
		mul	[ebp+arg_0]
		mov	[ebp+var_4], edx
		mov	eax, [ebp+arg_8]
		mul	[ebp+arg_4]
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx
		mov	eax, [ebp+arg_C]
		mul	[ebp+arg_0]
		xor	ecx, ecx
		add	eax, [ebp+var_4]
		adc	ecx, 0
		add	eax, [ebp+var_8]
		adc	ecx, 0
		mov	[ebp+var_4], edx
		mov	eax, [ebp+arg_C]
		mul	[ebp+arg_4]
		add	eax, [ebp+var_4]
		adc	edx, 0
		add	eax, [ebp+var_C]
		adc	edx, 0
		add	eax, ecx
		adc	edx, 0
		mov	cl, [ebp+arg_10]

loc_5A2D1A:				; CODE XREF: RtlExtendedMagicDivide(x,x,x,x,x)+71j
		cmp	cl, 1Fh
		jbe	short loc_5A2D2B
		sub	cl, 1Fh
		shrd	eax, edx, 1Fh
		shr	edx, 1Fh
		jmp	short loc_5A2D1A
; 

loc_5A2D2B:				; CODE XREF: RtlExtendedMagicDivide(x,x,x,x,x)+65j
		shrd	eax, edx, cl
		shr	edx, cl
		test	esi, 80000000h
		jz	short loc_5A2D3F
		neg	edx
		neg	eax
		sbb	edx, 0

loc_5A2D3F:				; CODE XREF: RtlExtendedMagicDivide(x,x,x,x,x)+7Ej
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	14h
_RtlExtendedMagicDivide@20 endp

; 
		align 4
; Exported entry 2070. RtlExtendedIntegerMultiply

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlExtendedIntegerMultiply(x, x, x)
		public _RtlExtendedIntegerMultiply@12
_RtlExtendedIntegerMultiply@12 proc near
					; CODE XREF: RtlpTimeFieldsToTimeNoLeapSeconds(x,x)+16Fp
					; RtlSecondsSince1970ToTime(x,x)+1Dp ...

var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_8]
		xor	esi, [ebp+arg_4]
		test	[ebp+arg_4], 80000000h
		jz	short loc_5A2D65
		neg	[ebp+arg_4]
		neg	[ebp+arg_0]
		sbb	[ebp+arg_4], 0

loc_5A2D65:				; CODE XREF: RtlExtendedIntegerMultiply(x,x,x)+11j
		test	[ebp+arg_8], 80000000h
		jz	short loc_5A2D71
		neg	[ebp+arg_8]

loc_5A2D71:				; CODE XREF: RtlExtendedIntegerMultiply(x,x,x)+24j
		mov	eax, [ebp+arg_8]
		mul	[ebp+arg_0]
		push	edx
		mov	ecx, eax
		mov	eax, [ebp+arg_8]
		mul	[ebp+arg_4]
		add	eax, [esp+8+var_8]
		test	esi, 80000000h
		jz	short loc_5A2D92
		neg	eax
		neg	ecx
		sbb	eax, 0

loc_5A2D92:				; CODE XREF: RtlExtendedIntegerMultiply(x,x,x)+41j
		add	esp, 4
		pop	esi
		mov	edx, eax
		mov	eax, ecx
		pop	ebp
		retn	0Ch
_RtlExtendedIntegerMultiply@12 endp

; 
		align 10h
; Exported entry 2233. RtlLargeIntegerShiftLeft

;  S U B	R O U T	I N E 


; __stdcall RtlLargeIntegerShiftLeft(x,	x, x)
		public _RtlLargeIntegerShiftLeft@12
_RtlLargeIntegerShiftLeft@12 proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch

		mov	ecx, [esp+arg_8]
		and	ecx, 3Fh
		cmp	ecx, 20h
		jnb	short loc_5A2DBC
		mov	eax, [esp+arg_0]
		mov	edx, [esp+arg_4]
		shld	edx, eax, cl
		shl	eax, cl
		retn	0Ch
; 

loc_5A2DBC:				; CODE XREF: RtlLargeIntegerShiftLeft(x,x,x)+Aj
		mov	edx, [esp+arg_0]
		xor	eax, eax
		shl	edx, cl
		retn	0Ch
_RtlLargeIntegerShiftLeft@12 endp

; 
		align 4
; Exported entry 2234. RtlLargeIntegerShiftRight

;  S U B	R O U T	I N E 


; __stdcall RtlLargeIntegerShiftRight(x, x, x)
		public _RtlLargeIntegerShiftRight@12
_RtlLargeIntegerShiftRight@12 proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch

		mov	ecx, [esp+arg_8]
		and	ecx, 3Fh
		cmp	ecx, 20h
		jnb	short loc_5A2DE4
		mov	eax, [esp+arg_0]
		mov	edx, [esp+arg_4]
		shrd	eax, edx, cl
		shr	edx, cl
		retn	0Ch
; 

loc_5A2DE4:				; CODE XREF: RtlLargeIntegerShiftRight(x,x,x)+Aj
		mov	eax, [esp+arg_4]
		xor	edx, edx
		shr	eax, cl
		retn	0Ch
_RtlLargeIntegerShiftRight@12 endp

; 
		align 10h
; Exported entry 2230. RtlLargeIntegerArithmeticShift

;  S U B	R O U T	I N E 


; __stdcall RtlLargeIntegerArithmeticShift(x, x, x)
		public _RtlLargeIntegerArithmeticShift@12
_RtlLargeIntegerArithmeticShift@12 proc	near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch

		mov	ecx, [esp+arg_8]
		and	ecx, 3Fh
		cmp	ecx, 20h
		jb	short loc_5A2E0C
		mov	eax, [esp+arg_4]
		sar	eax, cl
		bt	eax, 1Fh
		sbb	edx, edx
		retn	0Ch
; 
		align 4

loc_5A2E0C:				; CODE XREF: RtlLargeIntegerArithmeticShift(x,x,x)+Aj
		mov	eax, [esp+arg_0]
		mov	edx, [esp+arg_4]
		shrd	eax, edx, cl
		sar	edx, cl
		retn	0Ch
_RtlLargeIntegerArithmeticShift@12 endp

; Exported entry 2232. RtlLargeIntegerNegate

;  S U B	R O U T	I N E 


; __stdcall RtlLargeIntegerNegate(x, x)
		public _RtlLargeIntegerNegate@8
_RtlLargeIntegerNegate@8 proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8

		mov	eax, [esp+arg_0]
		mov	edx, [esp+arg_4]
		neg	edx
		neg	eax
		sbb	edx, 0
		retn	8
_RtlLargeIntegerNegate@8 endp

; 
		align 10h
; Exported entry 2235. RtlLargeIntegerSubtract

;  S U B	R O U T	I N E 


; __stdcall RtlLargeIntegerSubtract(x, x, x, x)
		public _RtlLargeIntegerSubtract@16
_RtlLargeIntegerSubtract@16 proc near

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch
arg_C		= dword	ptr  10h

		mov	eax, [esp+arg_0]
		sub	eax, [esp+arg_8]
		mov	edx, [esp+arg_4]
		sbb	edx, [esp+arg_C]
		retn	10h
_RtlLargeIntegerSubtract@16 endp

; 
		align 4
; Exported entry 1995. RtlConvertLongToLargeInteger

;  S U B	R O U T	I N E 


; __stdcall __RtlConvertLongToLargeInteger(x)
		public ___RtlConvertLongToLargeInteger@4
___RtlConvertLongToLargeInteger@4 proc near

arg_0		= dword	ptr  4

		mov	eax, [esp+arg_0]
		cdq
		retn	4
___RtlConvertLongToLargeInteger@4 endp

; Exported entry 1997. RtlConvertUlongToLargeInteger

;  S U B	R O U T	I N E 


; __stdcall __RtlConvertUlongToLargeInteger(x)
		public ___RtlConvertUlongToLargeInteger@4
___RtlConvertUlongToLargeInteger@4 proc	near

arg_0		= dword	ptr  4

		mov	eax, [esp+arg_0]
		xor	edx, edx
		retn	4
___RtlConvertUlongToLargeInteger@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __fastcall RtlFailFast2(x, x)
@RtlFailFast2@8	proc near
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		nop
		int	3		; Trap to Debugger
@RtlFailFast2@8	endp

; Exported entry  40. ExInterlockedAddLargeStatistic

;  S U B	R O U T	I N E 


; __fastcall ExInterlockedAddLargeStatistic(x, x)
		public @ExInterlockedAddLargeStatistic@8
@ExInterlockedAddLargeStatistic@8 proc near
		lock add [ecx],	edx
		jb	short loc_5A2E6A
		retn
; 

loc_5A2E6A:				; CODE XREF: ExInterlockedAddLargeStatistic(x,x)+3j
		lock adc dword ptr [ecx+4], 0
		retn
@ExInterlockedAddLargeStatistic@8 endp

; Exported entry 112. InterlockedIncrement

;  S U B	R O U T	I N E 


; __fastcall __InterlockedIncrement(x)
		public @__InterlockedIncrement@4
@__InterlockedIncrement@4 proc near
		mov	eax, 1
		lock xadd [ecx], eax
		inc	eax
		retn
@__InterlockedIncrement@4 endp

; 
		align 4
; Exported entry 109. InterlockedDecrement

;  S U B	R O U T	I N E 


; __fastcall __InterlockedDecrement(x)
		public @__InterlockedDecrement@4
@__InterlockedDecrement@4 proc near
		mov	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		dec	eax
		retn
@__InterlockedDecrement@4 endp

; 
		align 4
; Exported entry 108. InterlockedCompareExchange

;  S U B	R O U T	I N E 


; __fastcall __InterlockedCompareExchange(x, x,	x)
		public @__InterlockedCompareExchange@12
@__InterlockedCompareExchange@12 proc near

arg_0		= dword	ptr  4

		mov	eax, [esp+arg_0]
		lock cmpxchg [ecx], edx
		retn	4
@__InterlockedCompareExchange@12 endp

; 
		align 4
; Exported entry  89. ExfInterlockedCompareExchange64

;  S U B	R O U T	I N E 


; __fastcall ExfInterlockedCompareExchange64(x,	x, x)
		public @ExfInterlockedCompareExchange64@12
@ExfInterlockedCompareExchange64@12 proc near
					; CODE XREF: VerifierExfInterlockedCompareExchange64(x,x,x)+6j
					; DATA XREF: PAGEVRFD:_pXdvExfInterlockedCompareExchange64o

arg_0		= dword	ptr  0Ch

		push	ebx
		push	ebp
		mov	ebp, ecx
		mov	ebx, [edx]
		mov	ecx, [edx+4]
		mov	edx, [esp+arg_0]
		mov	eax, [edx]
		mov	edx, [edx+4]
		lock cmpxchg8b qword ptr [ebp+0]
		pop	ebp
		pop	ebx
		retn	4
@ExfInterlockedCompareExchange64@12 endp

; Exported entry  42. ExInterlockedCompareExchange64

;  S U B	R O U T	I N E 


; __fastcall ExInterlockedCompareExchange64(x, x, x, x)
		public @ExInterlockedCompareExchange64@16
@ExInterlockedCompareExchange64@16 proc	near

arg_0		= dword	ptr  0Ch

		push	ebx
		push	ebp
		mov	ebp, ecx
		mov	ebx, [edx]
		mov	ecx, [edx+4]
		mov	edx, [esp+arg_0]
		mov	eax, [edx]
		mov	edx, [edx+4]
		lock cmpxchg8b qword ptr [ebp+0]
		pop	ebp
		pop	ebx
		retn	8
@ExInterlockedCompareExchange64@16 endp

; Exported entry 111. InterlockedExchangeAdd

;  S U B	R O U T	I N E 


; __fastcall __InterlockedExchangeAdd(x, x)
		public @__InterlockedExchangeAdd@8
@__InterlockedExchangeAdd@8 proc near
		lock xadd [ecx], edx
		mov	eax, edx
		retn
@__InterlockedExchangeAdd@8 endp

; 
		align 10h
; Exported entry 407. ExRaiseException
; Exported entry 2303. RtlRaiseException

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlRaiseException(x)
		public _RtlRaiseException@4
_RtlRaiseException@4 proc near		; CODE XREF: RaiseException(x,x,x,x)+65p
					; KiDispatchException+10DFE7p ...

var_2D0		= dword	ptr -2D0h
var_20C		= dword	ptr -20Ch
arg_0		= dword	ptr  8

		push	ebp		; ExRaiseException
		mov	ebp, esp
		lea	esp, [esp-2D0h]
		push	esp
		call	_RtlCaptureContext@4 ; RtlCaptureContext(x)
		mov	edx, [ebp+4]
		mov	eax, [ebp+arg_0]
		add	[esp+2D0h+var_20C], 4
		mov	[eax+0Ch], edx
		mov	[esp+2D0h+var_2D0], 10007h
		push	esp
		push	[ebp+arg_0]
		call	RtlDispatchException
		test	al, al
		jz	short loc_5A2F21
		mov	ecx, esp
		push	0
		push	ecx
		call	_ZwContinue@8	; ZwContinue(x,x)
		jmp	short loc_5A2F2E
; 

loc_5A2F21:				; CODE XREF: RtlRaiseException(x)+33j
		mov	ecx, esp
		push	0
		push	ecx
		push	[ebp+arg_0]
		call	_ZwRaiseException@12 ; ZwRaiseException(x,x,x)

loc_5A2F2E:				; CODE XREF: RtlRaiseException(x)+3Fj
		push	eax
		call	$+5
_RtlRaiseException@4 endp

; Exported entry 409. ExRaiseStatus
; Exported entry 2304. RtlRaiseStatus

; __stdcall RtlRaiseStatus(x)
		public _RtlRaiseStatus@4
_RtlRaiseStatus@4:			; CODE XREF: MmProbeAndLockSelectedPages:loc_431794p
					; .text:0045C62Dp ...
		push	ebp		; ExRaiseStatus
		mov	ebp, esp
		lea	esp, [esp-320h]
		push	esp
		call	_RtlCaptureContext@4 ; RtlCaptureContext(x)
		add	dword ptr [esp+0C4h], 4
		lea	ecx, [esp+2D0h]
		mov	eax, [ebp+4]
		mov	dword ptr [esp], 10007h
		mov	[ecx+0Ch], eax
		and	dword ptr [ecx+10h], 0
		mov	eax, [ebp+8]
		and	dword ptr [ecx+8], 0
		mov	[ecx], eax
		mov	dword ptr [ecx+4], 1
		push	esp
		push	ecx
		call	RtlDispatchException
		lea	ecx, [esp+2D0h]
		mov	edx, esp
		push	0
		push	edx
		push	ecx
		call	_ZwRaiseException@12 ; ZwRaiseException(x,x,x)
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 


; __stdcall RtlpExecuteHandlerForException(x, x, x, x, x)
_RtlpExecuteHandlerForException@20 proc	near ; CODE XREF: RtlDispatchException+1B7p
		mov	edx, offset sub_5A3016
		jmp	short ExecuteHandler@20
_RtlpExecuteHandlerForException@20 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RtlpExecuteHandlerForUnwind(x, x, x, x, x)
_RtlpExecuteHandlerForUnwind@20	proc near ; CODE XREF: RtlUnwind+1E2p
		mov	edx, offset sub_5A303D
		lea	ecx, [ecx+0]
_RtlpExecuteHandlerForUnwind@20	endp


;  S U B	R O U T	I N E 


ExecuteHandler@20 proc near		; CODE XREF: RtlpExecuteHandlerForException(x,x,x,x,x)+5j

arg_0		= dword	ptr  10h
arg_4		= dword	ptr  14h
arg_8		= dword	ptr  18h
arg_C		= dword	ptr  1Ch
arg_10		= dword	ptr  20h

		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		xor	ebx, ebx
		xor	esi, esi
		xor	edi, edi
		push	[esp+arg_10]
		push	[esp+4+arg_C]
		push	[esp+8+arg_8]
		push	[esp+0Ch+arg_4]
		push	[esp+10h+arg_0]
		call	ExecuteHandler2@20
		pop	edi
		pop	esi
		pop	ebx
		retn	14h
ExecuteHandler@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExecuteHandler2@20 proc	near		; CODE XREF: ExecuteHandler@20+1Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	edx
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		mov	ecx, [ebp+arg_10]
		call	ecx
		mov	esp, large fs:0
		pop	large dword ptr	fs:0
		mov	esp, ebp
		pop	ebp
		retn	14h
ExecuteHandler2@20 endp


;  S U B	R O U T	I N E 


sub_5A3016	proc near		; DATA XREF: RtlpExecuteHandlerForException(x,x,x,x,x)o

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_C		= dword	ptr  10h

		mov	ecx, [esp+arg_0]
		test	dword ptr [ecx+4], 6
		mov	eax, 1
		jnz	short locret_5A303A
		mov	ecx, [esp+arg_4]
		mov	edx, [esp+arg_C]
		mov	eax, [ecx+8]
		mov	[edx], eax
		mov	eax, 2

locret_5A303A:				; CODE XREF: sub_5A3016+10j
		retn	10h
sub_5A3016	endp


;  S U B	R O U T	I N E 


sub_5A303D	proc near		; DATA XREF: RtlpExecuteHandlerForUnwind(x,x,x,x,x)o

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_C		= dword	ptr  10h

		mov	ecx, [esp+arg_0]
		test	dword ptr [ecx+4], 6
		mov	eax, 1
		jz	short locret_5A3061
		mov	ecx, [esp+arg_4]
		mov	edx, [esp+arg_C]
		mov	eax, [ecx+8]
		mov	[edx], eax
		mov	eax, 3

locret_5A3061:				; CODE XREF: sub_5A303D+10j
		retn	10h
sub_5A303D	endp

; Exported entry 1969. RtlCaptureContext

;  S U B	R O U T	I N E 


; __stdcall RtlCaptureContext(x)
		public _RtlCaptureContext@4
_RtlCaptureContext@4 proc near		; CODE XREF: KiBugCheck2(x,x,x,x,x,x)+15p
					; _KeSaveStateForHibernate+Ap ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  4

		push	ebx
		mov	ebx, [esp+4+arg_0]
		mov	[ebx+0B0h], eax
		mov	[ebx+0ACh], ecx
		mov	[ebx+0A8h], edx
		mov	eax, [esp+4+var_4]
		mov	[ebx+0A4h], eax
		mov	[ebx+0A0h], esi
		mov	[ebx+9Ch], edi
		jmp	short loc_5A30D5
_RtlCaptureContext@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RtlpCaptureContext(x)
_RtlpCaptureContext@4 proc near		; CODE XREF: RtlUnwind+31p

arg_0		= dword	ptr  8

		push	ebx
		mov	ebx, [esp+arg_0]
		mov	dword ptr [ebx+0B0h], 0
		mov	dword ptr [ebx+0ACh], 0
		mov	dword ptr [ebx+0A8h], 0
		mov	dword ptr [ebx+0A4h], 0
		mov	dword ptr [ebx+0A0h], 0
		mov	dword ptr [ebx+9Ch], 0

loc_5A30D5:				; CODE XREF: RtlCaptureContext(x)+2Cj
		mov	word ptr [ebx+0BCh], cs
		mov	word ptr [ebx+98h], ds
		mov	word ptr [ebx+94h], es
		mov	word ptr [ebx+90h], fs
		mov	[ebx+8Ch], gs
		mov	word ptr [ebx+0C8h], ss
		pushf
		pop	dword ptr [ebx+0C0h]
		mov	eax, [ebp+4]
		mov	[ebx+0B8h], eax
		mov	eax, [ebp+0]
		mov	[ebx+0B4h], eax
		lea	eax, [ebp+8]
		mov	[ebx+0C4h], eax
		mov	dword ptr [ebx], 10007h
		pop	ebx
		retn	4
_RtlpCaptureContext@4 endp

; 
		align 4
; __stdcall FinalExceptionHandler(x, x,	x, x)
_FinalExceptionHandler@16 db ''
					; DATA XREF: KeI386InitializeSEHOP+3Bo
		db 'V',7,0
		align 10h

;  S U B	R O U T	I N E 


; __stdcall XSaveCHelper(x, x, x)
_XSaveCHelper@12 proc near		; CODE XREF: .text:005CDF1Dp

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch

		mov	ecx, [esp+arg_0]
		mov	eax, [esp+arg_4]
		mov	edx, [esp+arg_8]
		cmpxchg8b qword	ptr [ecx]
		retn	0Ch
_XSaveCHelper@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall XSaveSHelper(x, x, x)
_XSaveSHelper@12 proc near		; CODE XREF: RtlXSaveS(x,x,x)+32p

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch

		mov	ecx, [esp+arg_0]
		mov	eax, [esp+arg_4]
		mov	edx, [esp+arg_8]
		cmpxchg8b qword	ptr [ecx]
		retn	0Ch
_XSaveSHelper@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall XRestoreSHelper(x, x, x)
_XRestoreSHelper@12 proc near		; CODE XREF: RtlXRestoreS(x,x,x)+32p

arg_0		= dword	ptr  4
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch

		mov	ecx, [esp+arg_0]
		mov	eax, [esp+arg_4]
		mov	edx, [esp+arg_8]
		cmpxchg8b qword	ptr [ecx]
		retn	0Ch
_XRestoreSHelper@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiTransformValidPteInPlace proc	near	; CODE XREF: MiInitializeSystemPageTable+318p
					; MiDemoteValidLargePageOneLevel(x)+416p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 005CEAA6 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		test	ds:_MiFlags, 4000000h
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], eax
		jnz	loc_5A3263

loc_5A31CD:				; CODE XREF: MiTransformValidPteInPlace+BCj
		mov	edi, [eax]
		mov	esi, [eax+4]
		mov	[ebp+var_4], edi
		cmp	edi, [ebp+arg_4]
		jnz	short loc_5A31DF
		cmp	esi, [ebp+arg_8]
		jz	short loc_5A325C

loc_5A31DF:				; CODE XREF: MiTransformValidPteInPlace+2Ej
					; MiTransformValidPteInPlace+2B906j ...
		mov	eax, edi

loc_5A31E1:				; CODE XREF: MiTransformValidPteInPlace+C8j
		and	eax, 20h
		or	eax, 0
		jz	short loc_5A321D
		mov	ecx, edi
		mov	eax, edi
		and	ecx, 0FFFFFFDFh
		mov	edx, esi
		mov	[ebp+var_10], ecx
		nop
		mov	edi, [ebp+var_8]
		mov	ebx, ecx
		mov	ecx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, [ebp+var_4]
		jnz	short loc_5A326B
		cmp	edx, esi
		jnz	short loc_5A326B
		mov	ecx, [ebp+var_C]
		push	edx
		mov	edx, [ebp+arg_0]
		push	eax
		call	_MiFlushValidPteFromTb@16 ; MiFlushValidPteFromTb(x,x,x,x)
		mov	edi, [ebp+var_10]
		mov	[ebp+var_4], edi

loc_5A321D:				; CODE XREF: MiTransformValidPteInPlace+3Dj
		mov	ecx, [ebp+arg_8]
		mov	eax, edi
		mov	edx, esi
		nop
		mov	ebx, [ebp+arg_4]
		mov	edi, [ebp+var_8]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, eax
		cmp	ecx, [ebp+var_4]
		jnz	loc_5CEAA6
		cmp	edx, esi
		jnz	loc_5CEAA6
		test	ds:_MiFlags, 800h
		jnz	short loc_5A3277

loc_5A324E:				; CODE XREF: MiTransformValidPteInPlace+D0j
		mov	eax, ecx
		and	eax, 20h
		or	eax, 0
		jnz	loc_5CEAC4

loc_5A325C:				; CODE XREF: MiTransformValidPteInPlace+33j
					; MiTransformValidPteInPlace+2B915j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_5A3263:				; CODE XREF: MiTransformValidPteInPlace+1Dj
		lfence	eax
		jmp	loc_5A31CD
; 

loc_5A326B:				; CODE XREF: MiTransformValidPteInPlace+5Aj
					; MiTransformValidPteInPlace+5Ej
		mov	edi, eax
		mov	esi, edx
		mov	[ebp+var_4], edi
		jmp	loc_5A31E1
; 

loc_5A3277:				; CODE XREF: MiTransformValidPteInPlace+A2j
		or	ecx, 20h
		jmp	short loc_5A324E
MiTransformValidPteInPlace endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiProcessorStart proc near		; CODE XREF: KiSystemStartup(x):loc_71A140p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 005F55BB SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+14h+var_4], eax
		push	ebx
		push	esi
		push	edi

loc_5A3295:				; CODE XREF: KiProcessorStart+2Aj
					; KiProcessorStart+9Ej	...
		mov	eax, ds:_KiProcessorStartControl
		sub	eax, 0
		jz	short loc_5A32A8
		sub	eax, 1
		jnz	short loc_5A32BA
		pause
		jmp	short loc_5A3295
; 

loc_5A32A8:				; CODE XREF: KiProcessorStart+21j
		mov	ecx, [esp+20h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_5A32BA:				; CODE XREF: KiProcessorStart+26j
		sub	eax, 1
		jnz	loc_5F55BB
		mov	ecx, ds:dword_6CAAE4
		lea	edi, [esp+20h+var_14]
		stosd
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, ds:_KiProcessorStartData
		lea	edi, [esp+24h+var_14]
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	eax, [esp+20h+var_14]
		mov	ds:_KiProcessorStartData, eax
		mov	eax, [esp+20h+var_10]
		mov	ds:dword_6CAAE4, eax
		mov	eax, [esp+20h+var_C]
		mov	ds:dword_6CAAE8, eax
		mov	eax, [esp+20h+var_8]
		mov	ds:dword_6CAAEC, eax
		mov	ds:_KiProcessorStartControl, 1
		jmp	loc_5A3295
KiProcessorStart endp

; 
		align 10h
; START	OF FUNCTION CHUNK FOR @__security_check_cookie@4

___report_gsfailure:			; CODE XREF: __security_check_cookie(x):loc_57DE0Bj
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	dword ptr [ebp-4], 0
		mov	[ebp-4], ecx
		push	0
		push	ds:___security_cookie_complement
		push	ds:___security_cookie
		push	dword ptr [ebp-4]
		push	0F7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; END OF FUNCTION CHUNK	FOR @__security_check_cookie@4
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ReadCyrixRegister proc near		; CODE XREF: Ke386ConfigureCyrixProcessor+35E4p
					; Ke386ConfigureCyrixProcessor+3627p ...

var_8		= byte ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	[ebp+var_8], cl
		mov	[ebp+var_1], 0
		mov	al, [ebp+var_8]
		cli
		out	22h, al
		in	al, 23h
		sti
		mov	[ebp+var_1], al
		mov	al, [ebp+var_1]
		leave
		retn
ReadCyrixRegister endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WriteCyrixRegister proc	near		; CODE XREF: Ke386ConfigureCyrixProcessor+364Ap
					; Ke386ConfigureCyrixProcessor+3653p ...

var_8		= byte ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	[ebp+var_8], dl
		mov	[ebp+var_4], cl
		mov	al, [ebp+var_4]
		mov	cl, [ebp+var_8]
		cli
		out	22h, al
		mov	al, cl
		out	23h, al
		sti
		leave
		retn
WriteCyrixRegister endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED(x, x, x)
_MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED@12 proc near
					; CODE XREF: MiTerminateWsle(x,x,x,x)+101p
					; MiConvertPrivateToProto(x,x,x,x,x,x,x)+5DAp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, [ecx]
		push	esi
		mov	esi, [ecx+4]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_5A33AA
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5A33AA
		or	edx, 20h

loc_5A33AA:				; CODE XREF: MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED(x,x,x)+14j
					; MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED(x,x,x)+1Dj
		mov	eax, ds:_MiFlags
		test	eax, 800h
		jz	short loc_5A33BB
		or	edx, 20h
		jmp	short loc_5A33C5
; 

loc_5A33BB:				; CODE XREF: MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED(x,x,x)+2Cj
		test	eax, 4000000h
		jz	short loc_5A33C5
		lfence	eax

loc_5A33C5:				; CODE XREF: MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED(x,x,x)+31j
					; MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED(x,x,x)+38j
		and	edx, 20h
		or	edx, 0
		pop	esi
		jnz	short loc_5A33E4
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	MI_INTERLOCKED_EXCHANGE_PTE
		and	eax, 20h
		xor	edx, edx
		or	eax, edx
		jnz	short loc_5A33F0
		jmp	short locret_5A33F3
; 

loc_5A33E4:				; CODE XREF: MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED(x,x,x)+44j
		mov	eax, [ebp+arg_0]
		mov	[ecx], eax
		nop
		mov	eax, [ebp+arg_4]
		mov	[ecx+4], eax

loc_5A33F0:				; CODE XREF: MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED(x,x,x)+58j
		xor	eax, eax
		inc	eax

locret_5A33F3:				; CODE XREF: MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED(x,x,x)+5Aj
		leave
		retn	8
_MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DebugService(x, x, x, x, x)
_DebugService@20 proc near		; CODE XREF: DebugPrint(x,x,x)+13p
					; DebugPrompt(x,x)+12p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		push	edi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		push	edi
		push	ebx
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		mov	edi, [ebp+arg_8]
		int	2Dh		; Internal routine for MSDOS (IRET)
		int	3		; Trap to Debugger
		pop	ebx
		pop	edi
		mov	[ebp+var_4], eax
		mov	eax, [ebp+var_4]
		pop	edi
		pop	ebx
		leave
		retn	0Ch
_DebugService@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

do_decode	proc near		; CODE XREF: XpressDecode(x,x,x,x,x,x)+CDp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], ecx
		mov	eax, [ebp+var_4]
		push	ebx
		push	ecx
		push	edx
		push	esi
		push	edi
		push	ebp
		sub	esp, 20h
		mov	edx, [eax+0Ch]
		mov	[esp+48h+var_44], edx
		mov	edx, [eax+8]
		mov	[esp+48h+var_40], edx
		mov	edx, [eax+1Ch]
		mov	[esp+48h+var_3C], edx
		mov	edx, [eax+14h]
		mov	[esp+48h+var_38], edx
		mov	edx, [eax+20h]
		mov	[esp+48h+var_34], edx
		mov	edx, [eax+24h]
		mov	[esp+48h+var_30], edx
		xor	edx, edx
		mov	[esp+48h+var_48], edx
		mov	[esp+48h+var_2C], eax
		mov	edx, [eax+4]
		mov	ebp, edx
		mov	edi, [eax+4]
		mov	ebx, [eax+18h]
		xor	eax, eax
		jmp	loc_5A354E
; 
		lea	ecx, [ecx+0]

loc_5A348E:				; CODE XREF: do_decode+69j
		mov	[edi-1], cl

loc_5A3491:				; CODE XREF: do_decode+ABj
					; do_decode+B8j ...
		inc	edi
		mov	cl, [ebx]
		inc	ebx
		add	eax, eax
		jnb	short loc_5A348E
		mov	[edi-1], cl
		jz	loc_5A354E

loc_5A34A2:				; CODE XREF: do_decode+ADj
					; do_decode+BAj ...
		xor	edx, edx
		mov	dx, [ebx]
		mov	ecx, edx
		shr	edx, 3
		add	ebx, 2
		not	edx
		and	ecx, 7
		lea	esi, [edi+edx]
		cmp	cl, 5
		ja	short loc_5A34EC
		cmp	esi, ebp
		jb	loc_5A36A3
		cmp	edx, 0FFFFFFFDh
		mov	edx, [esi]
		jnb	short loc_5A34DF
		mov	[edi], edx
		mov	edx, [esi+4]
		mov	[edi+4], edx
		lea	edi, [edi+ecx+3]
		add	eax, eax
		jnb	short loc_5A3491
		jnz	short loc_5A34A2
		jmp	short loc_5A354E
; 

loc_5A34DF:				; CODE XREF: do_decode+9Bj
		add	ecx, 3
		rep movsb
		add	eax, eax
		jnb	short loc_5A3491
		jnz	short loc_5A34A2
		jmp	short loc_5A354E
; 

loc_5A34EC:				; CODE XREF: do_decode+8Cj
		cmp	esi, ebp
		jb	loc_5A36A3
		mov	edx, [esp+48h+var_48]
		cmp	cl, 7
		jnz	short loc_5A3520
		test	edx, edx
		jz	short loc_5A350B
		xor	ecx, ecx
		mov	cl, [edx]
		xor	edx, edx
		shr	ecx, 4
		jmp	short loc_5A3515
; 

loc_5A350B:				; CODE XREF: do_decode+D0j
		xor	ecx, ecx
		mov	cl, [ebx]
		mov	edx, ebx
		and	ecx, 0Fh
		inc	ebx

loc_5A3515:				; CODE XREF: do_decode+DBj
		mov	[esp+48h+var_48], edx
		cmp	cl, 0Fh
		lea	ecx, [ecx+7]
		jz	short loc_5A3578

loc_5A3520:				; CODE XREF: do_decode+CCj
					; do_decode+155j ...
		lea	edx, [edi+ecx+3]
		add	ecx, 3
		cmp	edx, [esp+48h+var_40]
		jnb	loc_5A3634
		rep movsb
		add	eax, eax
		jnb	loc_5A3491
		jnz	loc_5A34A2
		jmp	short loc_5A354E
; 
		lea	esp, [esp+0]
		lea	esp, [esp+0]

loc_5A354E:				; CODE XREF: do_decode+58j
					; do_decode+6Ej ...
		cmp	ebx, [esp+48h+var_3C]
		jnb	loc_5A365E
		cmp	edi, [esp+48h+var_40]
		jnb	loc_5A365E
		mov	eax, [ebx]
		add	ebx, 4
		test	eax, eax
		lea	eax, [eax+eax+1]
		jns	loc_5A3491
		jmp	loc_5A34A2
; 

loc_5A3578:				; CODE XREF: do_decode+F0j
		xor	ecx, ecx
		mov	cl, [ebx]
		inc	ebx
		cmp	cl, 0FFh
		lea	ecx, [ecx+16h]
		jnz	short loc_5A3520
		xor	ecx, ecx
		mov	cx, [ebx]
		add	ebx, 2
		cmp	ecx, 115h
		jnb	short loc_5A3520
		jmp	short loc_5A359E
; 
		lea	esp, [esp+0]

loc_5A359E:				; CODE XREF: do_decode+167j
					; do_decode+18Dj
		mov	[edi-1], cl

loc_5A35A1:				; CODE XREF: do_decode+21Aj
					; do_decode+241j
		cmp	edi, [esp+48h+var_44]
		jnb	loc_5A36B7
		cmp	ebx, [esp+48h+var_38]
		jnb	loc_5A36A3
		inc	edi
		mov	cl, [ebx]
		inc	ebx
		add	eax, eax
		jnb	short loc_5A359E
		mov	[edi-1], cl
		jz	loc_5A365E

loc_5A35C6:				; CODE XREF: do_decode+220j
					; do_decode+247j
		cmp	edi, [esp+48h+var_44]
		jnb	loc_5A36A7
		cmp	ebx, [esp+48h+var_34]
		jnb	loc_5A36A3
		xor	edx, edx
		mov	dx, [ebx]
		mov	ecx, edx
		shr	edx, 3
		add	ebx, 2
		not	edx
		and	ecx, 7
		lea	esi, [edi+edx]
		cmp	esi, ebp
		jb	loc_5A36A3
		mov	edx, [esp+48h+var_48]
		cmp	cl, 7
		jnz	short loc_5A362D
		test	edx, edx
		jz	short loc_5A360E
		xor	ecx, ecx
		mov	cl, [edx]
		xor	edx, edx
		shr	ecx, 4
		jmp	short loc_5A3622
; 

loc_5A360E:				; CODE XREF: do_decode+1D3j
		cmp	ebx, [esp+48h+var_38]
		jnb	loc_5A36A3
		xor	ecx, ecx
		mov	cl, [ebx]
		mov	edx, ebx
		and	ecx, 0Fh
		inc	ebx

loc_5A3622:				; CODE XREF: do_decode+1DEj
		mov	[esp+48h+var_48], edx
		cmp	cl, 0Fh
		lea	ecx, [ecx+7]
		jz	short loc_5A367A

loc_5A362D:				; CODE XREF: do_decode+1CFj
					; do_decode+25Dj ...
		lea	edx, [edi+ecx+3]
		add	ecx, 3

loc_5A3634:				; CODE XREF: do_decode+FDj
		cmp	edx, [esp+48h+var_44]
		jbe	short loc_5A3644
		mov	ecx, [esp+48h+var_44]
		sub	ecx, edi
		rep movsb
		jmp	short loc_5A36B7
; 

loc_5A3644:				; CODE XREF: do_decode+20Aj
		rep movsb
		add	eax, eax
		jnb	loc_5A35A1
		jnz	loc_5A35C6
		jmp	short loc_5A365E
; 
		lea	esp, [esp+0]
		nop

loc_5A365E:				; CODE XREF: do_decode+124j
					; do_decode+12Ej ...
		cmp	ebx, [esp+48h+var_30]
		jnb	short loc_5A36A3
		mov	eax, [ebx]
		add	ebx, 4
		test	eax, eax
		lea	eax, [eax+eax+1]
		jns	loc_5A35A1
		jmp	loc_5A35C6
; 

loc_5A367A:				; CODE XREF: do_decode+1FDj
		cmp	ebx, [esp+48h+var_38]
		jnb	short loc_5A36A3
		xor	ecx, ecx
		mov	cl, [ebx]
		inc	ebx
		cmp	cl, 0FFh
		lea	ecx, [ecx+16h]
		jnz	short loc_5A362D
		cmp	ebx, [esp+48h+var_34]
		jnb	short loc_5A36A3
		xor	ecx, ecx
		mov	cx, [ebx]
		add	ebx, 2
		cmp	ecx, 115h
		jnb	short loc_5A362D

loc_5A36A3:				; CODE XREF: do_decode+90j
					; do_decode+C0j ...
		xor	eax, eax
		jmp	short loc_5A36C6
; 

loc_5A36A7:				; CODE XREF: do_decode+19Cj
		mov	ebx, [esp+48h+var_2C]
		mov	eax, 1
		cmp	edi, [ebx]
		jnz	short loc_5A36B7
		mov	[ebx+34h], eax

loc_5A36B7:				; CODE XREF: do_decode+177j
					; do_decode+214j ...
		mov	eax, 1
		mov	ebx, [esp+48h+var_2C]
		mov	[ebx+2Ch], ebx
		mov	[ebx+10h], edi

loc_5A36C6:				; CODE XREF: do_decode+277j
		mov	ebx, [esp+48h+var_2C]
		mov	[ebx+30h], eax
		add	esp, 20h
		pop	ebp
		pop	edi
		pop	esi
		pop	edx
		pop	ecx
		pop	ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
do_decode	endp

; 
		align 4
??_C@_1BE@BDEKEKBI@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAP?$AAK?$AAG@FNODOBFM@ dd offset	loc_490057
					; DATA XREF: .text:004014FCo
					; SepDesktopAppxSubProcessToken(x,x,x,x,x)+75o	...
aNPkg:
		unicode	0, <N://PKG>,0
??_C@_1BO@BOGEHPME@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAS?$AAY?$AAS?$AAA?$AAP?$AAP?$AAI?$AAD@FNODOBFM@ dd offset loc_490057
					; DATA XREF: .text:004014F4o
					; SepVerifyDesktopAppxPackageName+2Fo ...
aNSysappid:
		unicode	0, <N://SYSAPPID>,0
; 

??_C@_1BG@OLJFPOOD@?$AAW?$AAP?$AA?3?$AA?1?$AA?1?$AAS?$AAK?$AAU?$AAI?$AAD@FNODOBFM@:
					; DATA XREF: .text:0040105Co
		push	edi
		add	[eax+0], dl
		cmp	al, [eax]
		das
		add	[edi], ch
		add	[ebx+0], dl
		dec	ebx
		add	[ebp+0], dl
		dec	ecx
		add	[eax+eax+0], al
; 
		db 0
; 

??_C@_1BE@ENMIMNBJ@?$AAX?$AAB?$AAO?$AAX?$AA?3?$AA?1?$AA?1?$AAL?$AAI@FNODOBFM@:
					; DATA XREF: .text:00401054o
		pop	eax
		add	[edx+0], al
		dec	edi
		add	[eax+0], bl
		cmp	al, [eax]
		das
		add	[edi], ch
		add	[eax+eax+49h], cl
; 
		db 3 dup(0)
; 

??_C@_0L@MENOPLJP@partition?$CI@FNODOBFM@: ; DATA XREF:	.text:00401BB4o
		jo	short loc_5A379B
		jb	short near ptr loc_5A37AF+1
		imul	esi, [ecx+ebp*2+6Fh], 0CC00286Eh

??_C@_00CNPNBAHC@@FNODOBFM@:		; DATA XREF: _PopPrintEx+13o
					; _DbgPrint+Bo	...
		add	ah, cl
; 
??_C@_01LFCBOECM@?4@FNODOBFM@ dd offset	loc_5C002C+2
					; DATA XREF: HvlDebuggerSupportInitialize+7DC95o
					; HvlDebuggerSupportInitialize+7DCBBo ...
		dd offset loc_650052
		dd offset loc_690066+1
		dw 73h
aTryMachineSyst:
		unicode	0, <try\Machine\System\CurrentControlSe>
		db 74h
; 

loc_5A379B:				; CODE XREF: .text:??_C@_0L@MENOPLJP@partition?$CI@FNODOBFM@j
		add	[eax+eax+43h], bl
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+53h], bl

loc_5A37AF:				; CODE XREF: .text:005A373Aj
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+0], dh
; 
		db 0
; 

??_C@_0ED@GKJLADHL@CC?3?5Reusing?5shared?5cache?5map?5th@FNODOBFM@:
					; DATA XREF: CcInitializeCacheMapEx+1169AEo
		inc	ebx
		inc	ebx
		cmp	ah, [eax]
		push	edx
		db	65h
		jnz	short near ptr loc_5A386C+1
		imul	ebp, [esi+67h],	61687320h
		jb	short near ptr loc_5A3867+1
		and	fs:[ebx+61h], ah
		arpl	[eax+65h], bp
		and	[ebp+61h], ch
		jo	short near ptr loc_5A382D+2
		jz	short loc_5A3879
		popa
		jz	short loc_5A3834
		imul	esi, [ebx+20h],	65726C61h
		popa
		db	64h
		jns	short near ptr loc_5A383B+4
		insd
		popa
		jb	short near ptr loc_5A388D+1
		db	65h
		and	fs:[esi+6Fh], ah
		jb	short near ptr loc_5A3849+1
		db	64h, 65h
		insb

loc_5A382D:				; CODE XREF: .text:005A380Dj
		db	65h
		jz	short near ptr loc_5A3897+2
		outsd
		outsb
		and	[edx], ecx

loc_5A3834:				; CODE XREF: .text:005A3812j
		add	ah, cl

??_C@_0FA@OGCCJEAN@CC?3?5SharedCacheMap?9?$DOOpenCount?5?$DN@FNODOBFM@:
					; DATA XREF: CcGetPartition+11653Ao
		inc	ebx
		inc	ebx
		cmp	ah, [eax]
		push	ebx

loc_5A383B:				; CODE XREF: .text:005A381Cj
		push	64657261h
		inc	ebx
		popa
		arpl	[eax+65h], bp
		dec	ebp
		popa
		jo	short near ptr loc_5A3871+5

loc_5A3849:				; CODE XREF: .text:005A3828j
		db	3Eh
		dec	edi
		jo	short loc_5A38B2
		outsb
		inc	ebx
		outsd
		jnz	short near ptr loc_5A38BE+2
		jz	short near ptr loc_5A3871+3
		cmp	eax, 2030203Dh
		db	26h
		and	es:[ecx+ebp*2+72h], al
		jz	short loc_5A38DA
		push	eax
		popa
		db	67h, 65h
		jnb	near ptr 3887h

loc_5A3867:				; CODE XREF: .text:005A3801j
		cmp	eax, 2030203Dh

loc_5A386C:				; CODE XREF: .text:005A37F7j
		db	26h
		and	es:[edi+6Fh], ah

loc_5A3871:				; CODE XREF: .text:005A3852j
					; .text:005A3847j
		imul	ebp, [esi+67h],	746E6F20h
		outsd

loc_5A3879:				; CODE XREF: .text:005A380Fj
		and	[ebx+6Ch], al
		db	65h
		popa
		outsb
		dec	esp

loc_5A3880:				; DATA XREF: CcCanIWrite+1165ADo
		imul	esi, [ebx+74h],	43000A21h
		arpl	[ebx+61h], ax
		outsb
		dec	ecx
		push	edi

loc_5A388D:				; CODE XREF: .text:005A3821j
		jb	short loc_5A38F8
		jz	short near ptr loc_5A38F3+3
		cmp	ah, [eax]
		ja	short loc_5A38FE
		insb
		insb

loc_5A3897:				; CODE XREF: .text:loc_5A382Dj
		and	[ebp+6Ch], ah
		popa
		jns	short loc_5A38BE
		and	eax, 736D756Ch
		and	[edx+65h], ah
		outsw
		jb	short near ptr loc_5A390E+1
		and	[edx+65h], dh
		jz	short near ptr loc_5A391F+2
		jns	short loc_5A391A
		outsb

loc_5A38B2:				; CODE XREF: .text:005A384Bj
		and	[bx+di+73h], ah
		jns	short near ptr loc_5A3924+2
		arpl	ds:74697277h, bp

loc_5A38BE:				; CODE XREF: .text:005A389Cj
					; .text:005A3850j
		or	al, gs:[eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0FB@CFMECOPH@CcAcquireByteRange?5?$CIAcceptPage?$CJ@FNODOBFM@:
					; DATA XREF: CcAcquireByteRangeForWrite+115029o
		inc	ebx
		arpl	[ecx+63h], ax
		jno	short near ptr loc_5A3936+7
		imul	esi, [edx+65h],	65747942h
		push	edx
		popa
		outsb
		and	gs:[bx+si], ch
		inc	ecx
		arpl	[ebx+65h], sp

loc_5A38DA:				; CODE XREF: .text:005A385Fj
		jo	short near ptr loc_5A394F+1
		push	eax
		popa
		sub	gs:[bx+si], esp
		pop	ebx
		xor	[eax+25h], bh
		dec	ecx
		db	36h
		xor	al, 78h
		sub	al, 20h
		xor	[eax+25h], bh
		js	short near ptr loc_5A394D+1
		cmp	ah, [eax]

loc_5A38F3:				; CODE XREF: .text:005A388Fj
		and	eax, 30282070h

loc_5A38F8:				; CODE XREF: .text:loc_5A388Dj
		js	short loc_5A391F
		dec	ecx
		db	36h
		xor	al, 78h

loc_5A38FE:				; CODE XREF: .text:005A3893j
		sub	[eax], esp
		inc	edx
		dec	ebp
		cmp	ah, ds:69442070h
		jb	short near ptr ??_C@_0DC@FDFEGDLP@CcSetupWatchForRegistryChanges?3@FNODOBFM@+20h
		jns	short near ptr loc_5A3945+1
		and	[eax], dh

loc_5A390E:				; CODE XREF: .text:005A38A8j
		js	short near ptr loc_5A3933+2
		js	short loc_5A391C
		add	ah, cl

??_C@_0EJ@PDDMCIBN@CcSetupWatchForRegistryChanges?3@FNODOBFM@:
					; DATA XREF: CcSetupWatchForRegistryChanges+7E28Ao
		inc	ebx
		arpl	[ebx+65h], dx
		jz	short near ptr ??_C@_0DC@FDFEGDLP@CcSetupWatchForRegistryChanges?3@FNODOBFM@+31h

loc_5A391A:				; CODE XREF: .text:005A38AFj
		jo	short near ptr ??_C@_0DC@FDFEGDLP@CcSetupWatchForRegistryChanges?3@FNODOBFM@+15h

loc_5A391C:				; CODE XREF: .text:005A3910j
		popa
		jz	short near ptr ??_C@_0DC@FDFEGDLP@CcSetupWatchForRegistryChanges?3@FNODOBFM@+24h

loc_5A391F:				; CODE XREF: .text:loc_5A38F8j
					; .text:005A38ADj
		push	52726F46h

loc_5A3924:				; CODE XREF: .text:005A38B6j
		imul	esi, gs:[bp+di+74h], 68437972h
		popa
		outsb
		db	67h, 65h
		jnb	near ptr 396Dh

loc_5A3933:				; CODE XREF: .text:loc_5A390Ej
		and	[esi+61h], al

loc_5A3936:				; CODE XREF: .text:005A38C6j
		imul	ebp, [ebp+64h],	206F7420h
		outsd
		jo	short near ptr loc_5A39A0+6
		outsb
		and	[ebx+65h], cl

loc_5A3945:				; CODE XREF: .text:005A390Aj
		jns	short near ptr ??_C@_0DC@FDFEGDLP@CcSetupWatchForRegistryChanges?3@FNODOBFM@+15h
		and	[ebx+74h], dh
		popa
		jz	short loc_5A39C2

loc_5A394D:				; CODE XREF: .text:005A38EFj
		jnb	short near ptr ??_C@_0DC@FDFEGDLP@CcSetupWatchForRegistryChanges?3@FNODOBFM@+2Eh

loc_5A394F:				; CODE XREF: .text:loc_5A38DAj
		xor	[eax+25h], bh
		xor	[eax], bh
		js	short near ptr ??_C@_0DC@FDFEGDLP@CcSetupWatchForRegistryChanges?3@FNODOBFM@+18h
		and	ah, ds:0A225A77h
		add	ah, cl
; 
; char ??_C[]
??_C@_0DC@FDFEGDLP@CcSetupWatchForRegistryChanges?3@FNODOBFM@ db 'CcSetupWatchForRegistryChanges: Queued for "%wZ"',0Ah,0
					; DATA XREF: CcSetupWatchForRegistryChanges+D8o
; 

; char ??_C
??_C@_0EB@FFFDFNCH@CcSetupWatchForRegistryChanges?3@FNODOBFM@:
					; DATA XREF: CcSetupWatchForRegistryChanges+7E29Eo
		inc	ebx
		arpl	[ebx+65h], dx
		jz	short near ptr loc_5A3A09+2
		jo	short near ptr loc_5A39ED+2
		popa
		jz	short near ptr loc_5A39FD+1
		push	52726F46h

loc_5A39A0:				; CODE XREF: .text:005A393Fj
		imul	esi, gs:[bp+di+74h], 68437972h
		popa
		outsb
		db	67h, 65h
		jnb	near ptr 39E9h
		and	[esi+61h], al
		imul	ebp, [ebp+64h],	7473202Ch
		popa
		jz	short loc_5A3A32
		jnb	short near ptr loc_5A39FA+2
		xor	[eax+25h], bh

loc_5A39C2:				; CODE XREF: .text:005A394Bj
		xor	[eax], bh
		js	short near ptr loc_5A39E2+4
		outsw
		jb	short near ptr loc_5A39E2+8
		and	ah, ds:0A225A77h
		add	ah, cl

; char ??_C
??_C@_0EF@LAELPHAK@CcSetupWatchForRegistryChanges?3@FNODOBFM@:
					; DATA XREF: sub_57C8F7:loc_5FAAA8o
		inc	ebx
		arpl	[ebx+65h], dx
		jz	short near ptr loc_5A3A4C+1
		jo	short loc_5A3A31
		popa
		jz	short near ptr loc_5A3A3E+2
		push	52726F46h

loc_5A39E2:				; CODE XREF: .text:005A39C4j
					; .text:005A39C8j
		imul	esi, gs:[bp+di+74h], 68437972h
		popa
		outsb

loc_5A39ED:				; CODE XREF: .text:005A3996j
		db	67h, 65h
		jnb	near ptr 3A2Bh
		and	[ebp+72h], al
		jb	short near ptr loc_5A3A61+4
		jb	short near ptr loc_5A3A23+2
		jnz	short near ptr ??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@ ;	"CcRegistryChangeCallback: Something of	"...

loc_5A39FA:				; CODE XREF: .text:005A39BDj
		db	65h
		js	short near ptr ??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@+5

loc_5A39FD:				; CODE XREF: .text:005A3999j
		arpl	gs:[ebp+64h], si
		and	[ebp+65h], ch
		insd
		outsd
		jb	short near ptr ??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@+1Ah

loc_5A3A09:				; CODE XREF: .text:005A3994j
		and	[ecx+6Ch], ah
		insb
		outsd
		arpl	[ecx+74h], sp
		imul	ebp, [edi+6Eh],	0CC000A21h

; char ??_C
??_C@_0FA@MMLONJKN@CcSetupWatchForRegistryChanges?3@FNODOBFM@:
					; DATA XREF: sub_57C8F7+7E1CDo
		inc	ebx
		arpl	[ebx+65h], dx
		jz	short near ptr ??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@+2Bh
		jo	short near ptr ??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@+0Fh
		popa
		jz	short near ptr ??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@+1Eh

loc_5A3A23:				; CODE XREF: .text:005A39F6j
		push	52726F46h
		imul	esi, gs:[bp+di+74h], 68437972h

loc_5A3A31:				; CODE XREF: .text:005A39D8j
		popa

loc_5A3A32:				; CODE XREF: .text:005A39BBj
		outsb
		db	67h, 65h
		jnb	near ptr 3A71h
		and	[ecx+75h], dl
		db	65h
		jnz	short near ptr ??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@+3Eh
		outsb

loc_5A3A3E:				; CODE XREF: .text:005A39DBj
		and	[bx+6Fh], dh
		jb	short near ptr ??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@+47h
		db	65h
		jb	short near ptr byte_5A3A67
		jz	short near ptr ??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@+49h
		jb	short near ptr ??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@+48h
		popa

loc_5A3A4C:				; CODE XREF: .text:005A39D6j
		db	64h
		sub	al, 20h
		jnb	short near ptr ??_C@_0DL@PNFACCLK@CcRegistryChangeCallback?3?5Proce@FNODOBFM@+9
		popa
		jz	short near ptr ??_C@_0DL@PNFACCLK@CcRegistryChangeCallback?3?5Proce@FNODOBFM@+0Dh
		jnb	short near ptr ??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@+2Bh
		xor	[eax+25h], bh
		xor	[eax], bh
		js	short near ptr ??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@+15h
		outsw
		jb	short near ptr ??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@+19h

loc_5A3A61:				; CODE XREF: .text:005A39F4j
		and	ah, ds:0A225A77h
; 
byte_5A3A67	db 0			; CODE XREF: .text:005A3A44j
; char ??_C[]
??_C@_0FE@HKAGMKGB@CcRegistryChangeCallback?3?5Somet@FNODOBFM@ db 'CcRegistryChangeCallback: Something of interest changed (callback'
					; CODE XREF: .text:005A39F8j
					; .text:loc_5A39FAj ...
		db ':%c), under:"%wZ"',0Ah,0
; char ??_C[]
??_C@_0DL@PNFACCLK@CcRegistryChangeCallback?3?5Proce@FNODOBFM@ db 'CcRegistryChangeCallback: Processed "%wZ", TickDiff=%I64d',0Ah,0
					; CODE XREF: .text:005A3A4Fj
					; .text:005A3A52j
					; DATA XREF: ...
		align 4

; char ??_C
??_C@_0EC@FIJIBDCC@CcRegistryChangeCallback?3?5Faile@FNODOBFM@:
					; DATA XREF: CcRegistryChangeCallback+80AACo
		inc	ebx
		arpl	[edx+65h], dx
		imul	esi, [bp+di+74h], 68437972h
		popa
		outsb
		db	67h, 65h
		inc	ebx
		popa
		insb
		insb
		bound	esp, [ecx+63h]
		imul	edi, [edx], 20h
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		outsd
		jo	short loc_5A3B84
		outsb
		and	[ebx+65h], cl
		jns	short near ptr ??_C@_0CO@DHHOFHHN@CcRegistryChangeCallback?3?5Watch@FNODOBFM@+17h
		and	[ebx+74h], dh
		popa
		jz	short near ptr loc_5A3B9F+1
		jnb	short near ptr loc_5A3B69+1
		xor	[eax+25h], bh
		xor	[eax], bh
		js	short near ptr ??_C@_0CO@DHHOFHHN@CcRegistryChangeCallback?3?5Watch@FNODOBFM@+1Ah
		and	ah, ds:0A5A77h
; 
; char ??_C[]
??_C@_0CO@DHHOFHHN@CcRegistryChangeCallback?3?5Watch@FNODOBFM@ db 'CcRegistryChangeCallback: Watch queued "%wZ"',0Ah,0
					; DATA XREF: CcRegistryChangeCallback+C8o
; 

; char ??_C
??_C@_0EF@NMKLEGFE@CcRegistryChangeCallback?3?5Faile@FNODOBFM@:
					; DATA XREF: CcRegistryChangeCallback+80AE2o
		inc	ebx

loc_5A3B69:				; CODE XREF: .text:005A3B2Bj
		arpl	[edx+65h], dx
		imul	esi, [bp+di+74h], 68437972h
		popa
		outsb
		db	67h, 65h
		inc	ebx
		popa
		insb
		insb
		bound	esp, [ecx+63h]
		imul	edi, [edx], 20h
		inc	esi
		popa

loc_5A3B84:				; CODE XREF: .text:005A3B1Dj
		imul	ebp, [ebp+64h],	74615720h
		arpl	[eax+20h], bp
		jb	short loc_5A3BF6
		jno	short near ptr ??_C@_0EO@NJAGNHAD@CcUpdateDynamicRegistrySettings@FNODOBFM@+10h
		db	65h
		jnb	short near ptr ??_C@_0EO@NJAGNHAD@CcUpdateDynamicRegistrySettings@FNODOBFM@+12h
		sub	al, 20h
		jnb	short near ptr ??_C@_0EO@NJAGNHAD@CcUpdateDynamicRegistrySettings@FNODOBFM@+16h
		popa
		jz	short near ptr ??_C@_0EO@NJAGNHAD@CcUpdateDynamicRegistrySettings@FNODOBFM@+1Ah
		jnb	short near ptr loc_5A3BDB+1

loc_5A3B9F:				; CODE XREF: .text:005A3B29j
		xor	[eax+25h], bh
		xor	[eax], bh
		js	short near ptr loc_5A3BC5+1
		and	ah, ds:0A225A77h
		add	ah, cl

??_C@_0EJ@MPHFDGKA@CcRegistryChangeCallback?3?5Watch@FNODOBFM@:
					; DATA XREF: CcRegistryChangeCallback+80AFBo
		inc	ebx
		arpl	[edx+65h], dx
		imul	esi, [bp+di+74h], 68437972h
		popa
		outsb
		db	67h, 65h
		inc	ebx
		popa
		insb
		insb
		bound	esp, [ecx+63h]

loc_5A3BC5:				; CODE XREF: .text:005A3BA4j
		imul	edi, [edx], 20h
		push	edi
		popa
		jz	short near ptr ??_C@_0EO@NJAGNHAD@CcUpdateDynamicRegistrySettings@FNODOBFM@+37h
		push	65757120h
		jnz	short near ptr ??_C@_0EO@NJAGNHAD@CcUpdateDynamicRegistrySettings@FNODOBFM@+40h
		and	fs:[edx], ah
		and	eax, 20225A77h

loc_5A3BDB:				; CODE XREF: .text:005A3B9Dj
		sub	[esi+6Fh], ah
		jb	short near ptr ??_C@_0EO@NJAGNHAD@CcUpdateDynamicRegistrySettings@FNODOBFM@+8
		dec	ecx
		insd
		insd
		db	65h
		imul	esp, fs:[ecx+74h], 72502065h
		outsd
		arpl	[ebp+73h], sp
		jnb	short loc_5A3C5B
		outsb
		sub	[bp+si], ecx

loc_5A3BF6:				; CODE XREF: .text:005A3B8Fj
		add	ah, cl
; 
; char ??_C[]
??_C@_0EO@NJAGNHAD@CcUpdateDynamicRegistrySettings@FNODOBFM@ db	'CcUpdateDynamicRegistrySettings: Updating Dynamic Registry Keys u'
					; CODE XREF: .text:005A3BDEj
					; DATA XREF: CcUpdateDynamicRegistrySettings+38o
		db 'nder: "%wZ"',0Ah,0
??_C@_1CE@GAMHPGCI@?$AAT?$AAo?$AAp?$AAB?$AAo?$AAt?$AAt?$AAo?$AAm?$AAD?$AAP?$AAT?$AAE?$AAq?$AAu@FNODOBFM@ db 'T',0
					; DATA XREF: CcUpdateDynamicRegistrySettings+8Fo
aOpbottomd:
		unicode	0, <opBottomD>
; 
		push	eax

loc_5A3C5B:				; CODE XREF: .text:005A3BF0j
		add	[eax+eax+45h], dl
		add	[ecx+0], dh
		jnz	short $+2
		popa
		add	[eax+eax+0], ch
; 
		db 0
??_C@_1DO@NODDNLBC@?$AAL?$AAa?$AAz?$AAy?$AAW?$AAr?$AAi?$AAt?$AAe?$AAr?$AAP?$AAe?$AAr?$AAc?$AAe@FNODOBFM@ dd offset loc_610049+3
					; DATA XREF: CcUpdateDynamicRegistrySettings+DFo
		dw 7Ah
		dd offset loc_570078+1
		dd offset loc_690072
		dd offset loc_650073+1
		dd offset loc_500070+2
aErcentageofnum:
		unicode	0, <ercentageOfNumProcs>,0
??_C@_1BO@EOPFHBP@?$AAL?$AAa?$AAr?$AAg?$AAe?$AAW?$AAr?$AAi?$AAt?$AAe?$AAS?$AAi?$AAz?$AAe@FNODOBFM@ dd offset loc_610049+3
					; DATA XREF: CcUpdateDynamicRegistrySettings+11Bo
		dd offset loc_670070+2
		dd offset loc_570062+3
		dd offset loc_690072
		dd offset loc_650073+1
		dd offset loc_69004E+5
		dd offset loc_65007A
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1DI@BAEMBMNO@?$AAS?$AAo?$AAf?$AAt?$AAT?$AAh?$AAr?$AAo?$AAt?$AAt?$AAl?$AAe?$AAL?$AAa?$AAr@FNODOBFM@ proc near
					; DATA XREF: CcUpdateDynamicRegistrySettings+157o
		push	ebx
		add	[edi+0], ch
		db	66h
		add	[eax+eax+54h], dh
		add	[eax+0], ch
		jb	short $+2
		outsd
??_C@_1DI@BAEMBMNO@?$AAS?$AAo?$AAf?$AAt?$AAT?$AAh?$AAr?$AAo?$AAt?$AAt?$AAl?$AAe?$AAL?$AAa?$AAr@FNODOBFM@ endp

		add	[eax+eax+74h], dh
		add	[eax+eax+65h], ch
		add	[eax+eax+61h], cl
		add	[edx+0], dh
		add	[di+0],	ah
		push	edi
		add	[edx+0], dh
		imul	eax, [eax], 650074h
		inc	ecx
		add	[eax+eax+50h], dh
		add	[ebx+0], ah
		jz	short $+2
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1CM@IOHKKG@?$AAS?$AAo?$AAf?$AAt?$AAT?$AAh?$AAr?$AAo?$AAt?$AAt?$AAl?$AAe?$AAD?$AAe?$AAl@FNODOBFM@ proc near
					; DATA XREF: CcUpdateDynamicRegistrySettings+193o
		push	ebx
		add	[edi+0], ch
		db	66h
		add	[eax+eax+54h], dh
		add	[eax+0], ch
		jb	short $+2
		outsd
??_C@_1CM@IOHKKG@?$AAS?$AAo?$AAf?$AAt?$AAT?$AAh?$AAr?$AAo?$AAt?$AAt?$AAl?$AAe?$AAD?$AAe?$AAl@FNODOBFM@ endp

		add	[eax+eax+74h], dh
		add	[eax+eax+65h], ch
		add	[eax+eax+65h], al
		add	[eax+eax+61h], ch
		add	[ecx+0], bh
		dec	ecx
		add	[esi+0], ch
		dec	ebp
		add	[ebx+0], dh
; 
off_5A3D28	dd offset loc_4CFFFE+2	; DATA XREF: CcUpdateDynamicRegistrySettings+1CFo
aAxlazywritepag:
		unicode	0, <axLazyWritePages>,0
??_C@_05HDPIMK@valid@FNODOBFM@ db 'valid',0
					; DATA XREF: CcUpdateDynamicRegistrySettings+1ECo
??_C@_09GNNAFPDF@not?5found@FNODOBFM@ db 'not found',0
					; DATA XREF: CcUpdateDynamicRegistrySettings+1E7o
					; CcUpdateDynamicRegistrySettings+22Fo	...
; char ??_C[]
??_C@_0BCN@DEKCAOI@CcUpdateDynamicRegistrySettings@FNODOBFM@ db	'CcUpdateDynamicRegistrySettings: ',0Ah
					; DATA XREF: CcUpdateDynamicRegistrySettings+25Eo
		db 9,'TopBottom                  : 0x%04lx(%s)',0Ah
		db 9,'LazyWriterPct              : 0x%04lx(%s) (unsupported)',0Ah
		db 9,'LargeWriteSize             : 0x%04lx(%s)',0Ah
		db 9,'SoftThrottleAt             : 0x%04lx(%s)',0Ah
		db 9,'SoftThrottleDelay          : 0x%04lx(%s)',0Ah
		db 9,'MaxLazyWritePages          : 0x%04lx(%s)',0Ah,0
		align 4
; char ??_C[]
??_C@_0EG@HBELDCKM@CcInitializePartition?3?5Initiali@FNODOBFM@ db 'CcInitializePartition: Initialized Partition=%p, PartitionObject='
					; DATA XREF: CcInitializePartition+484o
		db '%p ',0Ah,0
; 

; char ??_C
??_C@_0DO@GPPKKMBF@CcDeletePartition?3?5Partition?5De@FNODOBFM@:
					; DATA XREF: CcDeletePartition(x)+15Do
		inc	ebx
		arpl	[ebp+6Ch], ax
		db	65h
		jz	short near ptr loc_5A3F3A+5
		push	eax
		popa
		jb	short near ptr loc_5A3F50+2
		imul	esi, [ecx+ebp*2+6Fh], 50203A6Eh
		popa
		jb	short near ptr loc_5A3F5A+3
		imul	esi, [ecx+ebp*2+6Fh], 6544206Eh
		insb
		db	65h
		jz	short loc_5A3F5A
		db	64h
		cmp	eax, 202C7025h
		push	eax
		popa
		jb	short near ptr loc_5A3F72+1
		imul	esi, [ecx+ebp*2+6Fh], 6A624F6Eh
		arpl	gs:[ebp+edi+25h], si
		jo	short near ptr loc_5A3F2D+1
		or	al, [eax]

; char ??_C
??_C@_0FC@KAGCNAGF@CcExitPartition?3?5Partition?5Exit@FNODOBFM@:
					; DATA XREF: CcExitPartition(x,x)+1A2o
		inc	ebx
		arpl	[ebp+78h], ax
		imul	esi, [eax+edx*2+61h], 74697472h
		imul	ebp, [edi+6Eh],	6150203Ah
		jb	short near ptr loc_5A3F96+3
		imul	esi, [ecx+ebp*2+6Fh], 7845206Eh

loc_5A3F2D:				; CODE XREF: .text:005A3F0Cj
		imul	esi, [ebp+64h],	2C70253Dh
		and	[eax+61h], dl
		jb	short near ptr loc_5A3FAD+1

loc_5A3F3A:				; CODE XREF: .text:005A3ED7j
		imul	esi, [ecx+ebp*2+6Fh], 6A624F6Eh
		arpl	gs:[ebp+edi+25h], si
		jo	short loc_5A3F69
		outsb
		outsd
		ja	short loc_5A3F6D
		db	64h, 65h
		insb

loc_5A3F50:				; CODE XREF: .text:005A3EDCj
		db	65h
		jz	short near ptr loc_5A3FBA+2
		outsb
		and	[bx+si+61h], dl
		jb	short loc_5A3FCE

loc_5A3F5A:				; CODE XREF: .text:005A3EF2j
					; .text:005A3EE7j
		imul	esi, [ecx+ebp*2+6Fh], 0A206Eh
; 
??_C@_11LOCGONAA@@FNODOBFM@ dw 0	; DATA XREF: RtlStringCchCopyExW:loc_515854o
					; PopTraceThermalZonePassiveHistogram+66o ...
; 

??_C@_0BH@MBNJFEGL@$Kernel?4CFDoNotConvert@FNODOBFM@:
					; DATA XREF: CmpAdjustFileCFSafety(x,x)+32o
		and	al, 4Bh
		db	65h
		jb	short near ptr loc_5A3FD5+2

loc_5A3F69:				; CODE XREF: .text:005A3F47j
		db	65h
		insb
		db	2Eh
		inc	ebx

loc_5A3F6D:				; CODE XREF: .text:005A3F4Bj
		inc	esi
		inc	esp
		outsd
		dec	esi
		outsd

loc_5A3F72:				; CODE XREF: .text:005A3EFDj
		jz	short loc_5A3FB7
		outsd
		outsb
		jbe	short near ptr loc_5A3FDA+3
		jb	short loc_5A3FEE
		add	ah, cl

??_C@_02DHLFCEDM@CM@FNODOBFM@:		; DATA XREF: CmpAdjustFileCFSafety(x,x)+67r
		inc	ebx
		dec	ebp

loc_5A3F7E:				; DATA XREF: CmpAdjustFileCFSafety(x,x)+72r
		add	ah, cl

; char ??_C
??_C@_0DN@OGIPNPDE@DBGK?3?5Full?5Live?5Kernel?5Dumps?5ar@FNODOBFM@:
					; DATA XREF: DbgkCaptureLiveKernelDump(x)+3Eo
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		inc	esi
		jnz	short near ptr loc_5A3FF4+1
		insb
		and	[ecx+ebp*2+76h], cl
		and	gs:[ebx+65h], cl
		jb	short near ptr loc_5A4000+2
		db	65h
		insb

loc_5A3F96:				; CODE XREF: .text:005A3F23j
		and	[ebp+esi*2+6Dh], al
		jo	short loc_5A400F
		and	[ecx+72h], ah
		and	gs:[ecx+ebp*2+73h], ah
		popa
		bound	ebp, [ebp+64h]
		and	cs:[esi+61h], al

loc_5A3FAD:				; CODE XREF: .text:005A3F38j
		imul	ebp, [ecx+ebp*2+6Eh], 65722067h
		jno	short loc_5A402C

loc_5A3FB7:				; CODE XREF: .text:loc_5A3F72j
		db	65h
		jnb	short ??_C@_0EA@KCADKKLJ@DBGK?3?5ZwQueryInformationFile?5fa@FNODOBFM@

loc_5A3FBA:				; CODE XREF: .text:loc_5A3F50j
		or	al, cs:[eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0CM@EDLMNNDN@DBGK?3?5Could?5not?5allocate?5IoLive@FNODOBFM@:
					; DATA XREF: DbgkCaptureLiveKernelDump(x)+BEo
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		inc	ebx
		outsd
		jnz	short loc_5A4034
		and	fs:[esi+6Fh], ch
		jz	short loc_5A3FEE

loc_5A3FCE:				; CODE XREF: .text:005A3F58j
		popa
		insb
		insb
		outsd
		arpl	[ecx+74h], sp

loc_5A3FD5:				; CODE XREF: .text:005A3F66j
		and	gs:[ecx+6Fh], cl
		dec	esp

loc_5A3FDA:				; CODE XREF: .text:005A3F76j
		imul	esi, [esi+65h],	706D7564h
		inc	ebx
		outsd
		outsb
		jz	short near ptr loc_5A4056+2
		outsd
		insb
		or	al, [eax]

; char ??_C
??_C@_0EE@OHIJFJCN@DBGK?3?5ObOpenObjectByPointerWith@FNODOBFM@:
					; DATA XREF: DbgkCaptureLiveKernelDump(x)+1AAo
		inc	esp
		inc	edx
		inc	edi
		dec	ebx

loc_5A3FEE:				; CODE XREF: .text:005A3F78j
					; .text:005A3FCCj
		cmp	ah, [eax]
		dec	edi
		bound	ecx, [edi+70h]

loc_5A3FF4:				; CODE XREF: .text:005A3F87j
		outs	dx, byte ptr gs:[esi]
		dec	edi
		bound	ebp, [edx+65h]
		arpl	[edx+eax*2+79h], si
		push	eax
		outsd

loc_5A4000:				; CODE XREF: .text:005A3F92j
		imul	ebp, [esi+74h],	69577265h
		jz	short loc_5A4071
		push	esp
		popa
		and	[bp+61h], ah

loc_5A400F:				; CODE XREF: .text:005A3F9Aj
		imul	ebp, [ebp+64h],	726F6620h
		and	[esi+69h], ah
		insb
		and	gs:73202C70h, ah
		jz	short loc_5A4085
		jz	short loc_5A409B
		jnb	short near ptr loc_5A4047+1
		xor	[eax+25h], bh
		pop	eax

loc_5A402C:				; CODE XREF: .text:005A3FB5j
		or	al, [eax]

??_C@_0EA@KCADKKLJ@DBGK?3?5ZwQueryInformationFile?5fa@FNODOBFM@:
					; CODE XREF: .text:loc_5A3FB7j
					; DATA XREF: DbgkCaptureLiveKernelDump(x)+1DBo
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]

loc_5A4034:				; CODE XREF: .text:005A3FC6j
		pop	edx
		ja	short near ptr loc_5A4087+1
		jnz	short loc_5A409E
		jb	short near ptr loc_5A40B2+2
		dec	ecx
		outsb
		outsw
		jb	short near ptr loc_5A40AD+1
		popa
		jz	short loc_5A40AD
		outsd
		outsb
		inc	esi

loc_5A4047:				; CODE XREF: .text:005A4026j
		imul	ebp, [ebp+20h],	6C696166h
		db	65h
		and	fs:[esi+6Fh], ah
		jb	short loc_5A4076

loc_5A4056:				; CODE XREF: .text:005A3FE4j
		db	64h
		jnz	short near ptr loc_5A40C4+2
		jo	short near ptr loc_5A4079+2
		imul	bp, [ebp+2Ch], 7320h
		jz	short near ptr loc_5A40C4+1
		jz	short near ptr loc_5A40DA+1
		jnb	short near ptr loc_5A4087+1
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]

; char ??_C
??_C@_0CM@IKAHHJHK@DBGK?3?5Invalid?5event?5handle?5?$CFp?0?5@FNODOBFM@:
					; DATA XREF: DbgkCaptureLiveKernelDump(x)+129o
		inc	esp
		inc	edx
		inc	edi

loc_5A4071:				; CODE XREF: .text:005A4007j
		dec	ebx
		cmp	ah, [eax]
		dec	ecx
		outsb

loc_5A4076:				; CODE XREF: .text:005A4054j
		jbe	short near ptr loc_5A40D2+7
		insb

loc_5A4079:				; CODE XREF: .text:005A4059j
		imul	esp, [eax+65h],	746E6576h
		and	[eax+61h], ch
		outsb

loc_5A4085:				; CODE XREF: .text:005A4022j
		db	64h
		insb

loc_5A4087:				; CODE XREF: .text:005A4035j
					; .text:005A4066j
		and	gs:73202C70h, ah
		jz	short loc_5A40F1
		jz	short near ptr loc_5A4106+1
		jnb	short near ptr loc_5A40B2+2
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]

??_C@_0FE@HEDMKDPP@DBGK?3?5Invalid?5file?5handle?5?$CFp?0?5O@FNODOBFM@:
					; DATA XREF: DbgkCaptureLiveKernelDump(x)+177o
		inc	esp

loc_5A409B:				; CODE XREF: .text:005A4024j
		inc	edx
		inc	edi
		dec	ebx

loc_5A409E:				; CODE XREF: .text:005A4037j
		cmp	ah, [eax]
		dec	ecx
		outsb
		jbe	short near ptr loc_5A4104+1
		insb
		imul	esp, [eax+66h],	20656C69h

loc_5A40AD:				; CODE XREF: .text:005A4042j
					; .text:005A403Fj
		push	6C646E61h

loc_5A40B2:				; CODE XREF: .text:005A4039j
					; .text:005A4092j
		and	gs:4F202C70h, ah
		bound	edx, [edx+65h]
		db	66h, 65h
		jb	short near ptr loc_5A4120+5
		outsb
		arpl	[ebp+4Fh], sp

loc_5A40C4:				; CODE XREF: .text:005A4062j
					; .text:loc_5A4056j
		bound	ebp, [edx+65h]
		arpl	[edx+eax*2+79h], si
		dec	eax
		popa
		outsb
		db	64h
		insb
		db	65h
		push	edi

loc_5A40D2:				; CODE XREF: .text:loc_5A4076j
		imul	esi, [eax+ebp*2+54h], 72206761h

loc_5A40DA:				; CODE XREF: .text:005A4064j
		db	65h
		jz	short loc_5A4152
		jb	short loc_5A414D
		jnb	short near ptr loc_5A4100+1
		jnb	short loc_5A4157
		popa
		jz	short near ptr loc_5A4157+4
		jnb	short near ptr loc_5A4106+2
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]

; char ??_C
??_C@_0CB@CNBNBKEO@DBGK?3?5Calling?5IoCaptureLiveDump@FNODOBFM@:
					; DATA XREF: DbgkCaptureLiveKernelDump(x):loc_60098Ao
		inc	esp
		inc	edx
		inc	edi

loc_5A40F1:				; CODE XREF: .text:005A408Ej
		dec	ebx
		cmp	ah, [eax]
		inc	ebx
		popa
		insb
		insb
		imul	ebp, [esi+67h],	436F4920h
		popa

loc_5A4100:				; CODE XREF: .text:005A40DFj
		jo	short near ptr loc_5A4170+6
		jnz	short near ptr loc_5A4170+6

loc_5A4104:				; CODE XREF: .text:005A40A2j
		db	65h
		dec	esp

loc_5A4106:				; CODE XREF: .text:005A4090j
					; .text:005A40E6j
		imul	esi, [esi+65h],	706D7544h
		or	al, [eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0CN@OIDMEGEJ@DBGK?3?5IoCaptureLiveDump?5failed?0@FNODOBFM@:
					; DATA XREF: DbgkCaptureLiveKernelDump(x)+26Fo
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		dec	ecx
		outsd
		inc	ebx
		popa
		jo	short loc_5A4190
		jnz	short loc_5A4190
		db	65h
		dec	esp

loc_5A4120:				; CODE XREF: .text:005A40BCj
		imul	esi, [esi+65h],	706D7544h
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	7473202Ch
		popa
		jz	short loc_5A41AA
		jnb	short loc_5A4157
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]
		int	3		; Trap to Debugger

??_C@_0EL@LPLJPMHP@DBGK?3?5ZwQueryInformationFile?5Io@FNODOBFM@:
					; DATA XREF: DbgkCaptureLiveKernelDump(x)+1EFo
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		pop	edx
		ja	short near ptr loc_5A4191+7
		jnz	short loc_5A41AE
		jb	short loc_5A41C4
		dec	ecx
		outsb

loc_5A414D:				; CODE XREF: .text:005A40DDj
		outsw
		jb	short near ptr ??_C@_1DA@NGKONPGD@?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAD?$AAi?$AAs?$AAk?$AAM?$AAa?$AAx?$AAT@FNODOBFM@
		popa

loc_5A4152:				; CODE XREF: .text:loc_5A40DAj
		jz	short loc_5A41BD
		outsd
		outsb
		inc	esi

loc_5A4157:				; CODE XREF: .text:005A40E1j
					; .text:005A4135j ...
		imul	ebp, [ebp+20h],	74536F49h
		popa
		jz	short near ptr loc_5A41D5+2
		jnb	short loc_5A41A6
		insb
		outsd
		arpl	[ebx+2Eh], bp
		push	ebx
		jz	short loc_5A41CD
		jz	short loc_5A41E3
		jnb	short loc_5A4190

loc_5A4170:				; CODE XREF: .text:loc_5A4100j
					; .text:005A4102j
		imul	esi, [ebx+20h],	6C696166h
		jnz	short near ptr byte_5A41EB
		db	65h
		sub	al, 20h
		jnb	short loc_5A41F2
		popa
		jz	short loc_5A41F6
		jnb	short near ptr loc_5A41A1+2
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0DD@FJINFOOO@DBGK?3?5File?5was?5not?5opened?5for?5s@FNODOBFM@:
					; DATA XREF: DbgkCaptureLiveKernelDump(x)+1FCo
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]

loc_5A4190:				; CODE XREF: .text:005A411Aj
					; .text:005A411Cj ...
		inc	esi

loc_5A4191:				; CODE XREF: .text:005A4145j
		imul	ebp, [ebp+20h],	20736177h
		outsb
		outsd
		jz	short loc_5A41BD
		outsd
		jo	short loc_5A4205
		outsb

loc_5A41A1:				; CODE XREF: .text:005A4181j
		db	65h
		and	fs:[esi+6Fh], ah

loc_5A41A6:				; CODE XREF: .text:005A4162j
		jb	short loc_5A41C8
		jnb	short near ptr loc_5A4222+1

loc_5A41AA:				; CODE XREF: .text:005A4133j
		outsb
		arpl	[eax+72h], bp

loc_5A41AE:				; CODE XREF: .text:005A4147j
		outsd
		outsb
		outsd
		jnz	short loc_5A4226
		and	[ecx+63h], ah
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_5A41E8+1
		or	al, [eax]

loc_5A41BD:				; CODE XREF: .text:loc_5A4152j
					; .text:005A419Bj
		int	3		; Trap to Debugger
; 
??_C@_1DA@NGKONPGD@?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAD?$AAi?$AAs?$AAk?$AAM?$AAa?$AAx?$AAT@FNODOBFM@ dd offset loc_690056
					; CODE XREF: .text:005A414Fj
					; DATA XREF: FsRtlpGetMaxVirtualDiskNestingLevel()+A4o
; 
		jb	short $+2

loc_5A41C4:				; CODE XREF: .text:005A4149j
		jz	short $+2
		jnz	short $+2

loc_5A41C8:				; CODE XREF: .text:loc_5A41A6j
		popa
		add	[eax+eax+44h], ch

loc_5A41CD:				; CODE XREF: .text:005A416Aj
		add	[ecx+0], ch
		jnb	short $+2
		imul	eax, [eax], 4Dh

loc_5A41D5:				; CODE XREF: .text:005A4160j
		add	[ecx+0], ah
		js	short $+2
		push	esp
		add	[edx+0], dh
		add	gs:[ebp+0], ah
		inc	esp

loc_5A41E3:				; CODE XREF: .text:005A416Cj
		add	[ebp+0], ah
		jo	short $+2

loc_5A41E8:				; CODE XREF: .text:005A41B9j
		jz	short $+2
; 
		db 68h
byte_5A41EB	db 0			; CODE XREF: .text:005A4177j
off_5A41EC	dd offset loc_5BFFFF+1	; DATA XREF: FsRtlpGetMaxVirtualDiskNestingLevel()+22o
		db 52h,	0
; 

loc_5A41F2:				; CODE XREF: .text:005A417Cj
		add	gs:[edi+0], ah

loc_5A41F6:				; CODE XREF: .text:005A417Fj
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa

loc_5A4205:				; CODE XREF: .text:005A419Ej
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al

loc_5A4222:				; CODE XREF: .text:005A41A8j
		jnz	short $+2
		jb	short $+2

loc_5A4226:				; CODE XREF: .text:005A41B1j
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[esi+0], al
		imul	eax, [eax], 65006Ch
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[edi+0], al
		jb	short $+2
		outsd
		add	[ebp+0], dh
		jo	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
		dec	ebx
		add	[ebp+0], ah
		jns	short $+2
		jnb	short $+2
; 
off_5A4288	dd offset loc_5BFFFF+1	; DATA XREF: FsRtlpGetMaxVirtualDiskNestingLevel()+4Do
		dd offset loc_650052
		dd offset loc_690066+1
aStryMachineSys:
		unicode	0, <stry\Machine\System\CurrentControlSet\Services\FsDepends\>
		unicode	0, <Parameters>,0
; 

; char ??_C
??_C@_0BF@NAPPFGF@HYPERVISORDBGDEVICE?$DN@FNODOBFM@:
					; DATA XREF: HvlDebuggerSupportInitialize+7DAF1o
		dec	eax
		pop	ecx
		push	eax
		inc	ebp
		push	edx
		push	esi
		dec	ecx
		push	ebx
		dec	edi
		push	edx
		inc	esp
		inc	edx
		inc	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
; 
		db 3Dh
; 
		add	ah, cl

; char ??_C
??_C@_0BH@KEIMNFIN@HYPERVISORDBGACPIPATH?$DN@FNODOBFM@:
					; DATA XREF: HvlDebuggerSupportInitialize+7DB00o
		dec	eax
		pop	ecx
		push	eax
		inc	ebp
		push	edx
		push	esi
		dec	ecx
		push	ebx
		dec	edi
		push	edx
		inc	esp
		inc	edx
		inc	edi
		inc	ecx
		inc	ebx
		push	eax
		dec	ecx
		push	eax
		inc	ecx
		push	esp
		dec	eax

loc_5A4347:				; DATA XREF: HvlDebuggerSupportInitialize+7DAE6o
		cmp	eax, 5948CC00h
		push	eax
		inc	ebp
		push	edx
		push	esi
		dec	ecx
		push	ebx
		dec	edi
		push	edx
		inc	esp
		inc	edx
		inc	edi
		push	eax
		dec	edi
		push	edx
		push	esp

loc_5A435B:				; DATA XREF: HvlDebuggerSupportInitialize+7DBF6o
		cmp	eax, 4F43CC00h
		dec	ebp
; 
		db 0
; char ??_C[]
??_C@_01NEMOKFLO@?$DN@FNODOBFM@	db '=',0 ; DATA XREF: HvlDebuggerSupportInitialize+7DC75o
; 

; char ??_C
??_C@_01KICIPPFI@?2@FNODOBFM@:		; DATA XREF: HvlDebuggerSupportInitialize+7DB1Ao
		pop	esp
; 
		db 0
; 

; char ??_C
??_C@_01CLKCMJKC@?5@FNODOBFM@:		; DATA XREF: HvlDebuggerSupportInitialize:loc_5FB4FCo
		and	[eax], al

; char ??_C
??_C@_03NPGNIJG@NET@FNODOBFM@:		; DATA XREF: HvlDebuggerSupportInitialize+7DD27o
		dec	esi
		inc	ebp
		push	esp

loc_5A436B:				; DATA XREF: HvlDebuggerSupportInitialize+7DCDFo
		add	[eax+59h], cl
		push	eax
		inc	ebp
		push	edx
		push	esi
		dec	ecx
		push	ebx
		dec	edi
		push	edx
		inc	esp
		inc	edx
		inc	edi
		push	esp
		pop	ecx
		push	eax
		inc	ebp

loc_5A437D:				; DATA XREF: HvlDebuggerSupportInitialize+7DD0Ao
		cmp	eax, 3331CC00h
		cmp	[eax+eax], esi
		int	3		; Trap to Debugger
; 
??_C@_05NDBNEPKH@NOVGA@FNODOBFM@ db 'NOVGA',0 ; DATA XREF: InbvDetermineFunction+21o
; 

??_C@_1BM@GNJFGKCL@?$AA?$CI?$AAU?$AAn?$AAa?$AAv?$AAa?$AAi?$AAl?$AAa?$AAb?$AAl?$AAe?$AA?$CJ@FNODOBFM@:
					; DATA XREF: IopAttachDeviceToDeviceStackSafe+D4190o
		sub	[eax], al
		push	ebp
		add	[esi+0], ch
		popa
		add	[esi+0], dh
		popa
		add	[ecx+0], ch
		insb
		add	[ecx+0], ah
		bound	eax, [eax]
		insb
		add	[ebp+0], ah
		sub	[eax], eax
; 
		dw 0
; 

??_C@_1CG@ICFLECDK@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAO?$AAf?$AAf?$AAl?$AAi?$AAn?$AAe?$AAD?$AAu@FNODOBFM@:
					; DATA XREF: IopInitializeOfflineCrashDump+7E2BDo
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		dec	edi
		add	[esi+0], ah
		db	66h
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		add	gs:[eax+eax+75h], al
		add	[ebp+0], ch
		jo	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1DO@NFBBLGPP@?$AAO?$AAf?$AAf?$AAl?$AAi?$AAn?$AAe?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAD?$AAu@FNODOBFM@:
					; DATA XREF: IopInitializeOfflineCrashDump+7E315o
		dec	edi
		add	[esi+0], ah
		db	66h
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		add	gs:[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		inc	esp
		add	[ebp+0], dh
		insd
		add	[eax+0], dh
		push	ebp
		add	[ebx+0], dh
		add	gs:[ebx+0], al
		popa
		add	[eax+0], dh
		popa
		add	[edx+0], ah
		imul	eax, [eax], 69006Ch
		jz	short $+2
		jns	short $+2
; 
off_5A440A	dd offset loc_5BFFFF+1	; DATA XREF: IopReadDumpRegistry(x,x)+29o
					; SecureDump_PrepareForInit+2Do ...
		dd offset loc_650052
		dd offset loc_690066+1
		dw 73h
aTryMachineSy_0:
		unicode	0, <try\Machine\System\CurrentControlSet\Control\CrashControl>
		unicode	0, <>,0
; 

??_C@_1BO@PCHGCCLM@?$AAA?$AAt?$AAt?$AAe?$AAm?$AAp?$AAt?$AAO?$AAf?$AAf?$AAl?$AAi?$AAn?$AAe@FNODOBFM@:
					; DATA XREF: IopInitializeOfflineCrashDump+7E36Eo
		inc	ecx
		add	[eax+eax+74h], dh
		add	[ebp+0], ah
		insd
		add	[eax+0], dh
		jz	short $+2
		dec	edi
		add	[esi+0], ah
		db	66h
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		add	gs:[eax], al

loc_5A44A9:				; DATA XREF: IopReadDumpRegistry(x,x)+49o
		add	[ecx+0], al
		jnz	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dl
		add	gs:[edx+0], ah
		outsd
		add	[edi+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1CC@BHHAOCEE@?$AAC?$AAr?$AAa?$AAs?$AAh?$AAD?$AAu?$AAm?$AAp?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@FNODOBFM@:
					; DATA XREF: IopReadDumpRegistry(x,x)+7Do
		inc	ebx
		add	[edx+0], dh
		popa
		add	[ebx+0], dh
		push	75004400h
		add	[ebp+0], ch
		jo	short $+2
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1BK@BNBFJDPA@?$AAD?$AAu?$AAm?$AAp?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@FNODOBFM@:
					; DATA XREF: IopInitializeInMemoryDumpData()+149o
		inc	esp
		add	[ebp+0], dh
		insd
		add	[eax+0], dh
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[eax], al
; 
		db 0
??_C@_1FE@LIAPLLLG@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@FNODOBFM@ dd offset loc_530059+3
					; DATA XREF: IopLoadCrashdumpDriver+27o
aYstemrootSys_0:
		unicode	0, <ystemRoot\System32\Drivers\crashdmp.sys>,0
??_C@_1IG@CHPFMOHD@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@FNODOBFM@ dd offset loc_52005B+1
					; DATA XREF: IopIsBitlockerOn()+Fo
		dd offset loc_470045
		dd offset loc_530049
		dd offset loc_520052+2
		dd offset loc_5C0057+2
		dd offset _DEVPKEY_DriverDatabase_Disabled+1
		dd offset loc_48003F+4
		dd offset loc_4E0049
		dd offset loc_5C0041+4
		dd offset loc_59004F+4
		dd offset loc_540052+1
		dd offset loc_4D0045
		dd offset dword_430010+4Ch
aUrrentcontrols:
		unicode	0, <urrentControlSet\Control\BitlockerStatus>,0
; 

??_C@_1BG@LCMMIACL@?$AAB?$AAo?$AAo?$AAt?$AAS?$AAt?$AAa?$AAt?$AAu?$AAs@FNODOBFM@:
					; DATA XREF: IopIsBitlockerOn()+49o
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+53h], dh
		add	[eax+eax+61h], dh
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
; 
		dw 0
??_C@_1CA@FABIEJON@?$AAC?$AA?3?$AA?2?$AAp?$AAa?$AAg?$AAe?$AAf?$AAi?$AAl?$AAe?$AA?4?$AAs?$AAy?$AAs@FNODOBFM@:
					; DATA XREF: IoConfigureCrashDump+25o
		unicode	0, <C:\pagefile.sys>,0
??_C@_1CC@MCGNKLN@?$AAB?$AAu?$AAg?$AAC?$AAh?$AAe?$AAc?$AAk?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs@FNODOBFM@:
					; DATA XREF: IoInitializeBugCheckProgress(x,x)+11Eo
					; IoSetBugCheckProgressAndFlag(x,x)+239o
		unicode	0, <BugCheckProgress>,0
; 

??_C@_1BK@IKLNJPGD@?$AAB?$AAu?$AAg?$AAC?$AAh?$AAe?$AAc?$AAk?$AAC?$AAo?$AAd?$AAe@FNODOBFM@:
					; DATA XREF: IoInitializeBugCheckProgress(x,x)+97o
					; IoInitializeBugCheckProgress(x,x)+C0o ...
		inc	edx
		add	[ebp+0], dh
		add	[bp+di+0], al
		push	63006500h
		add	[ebx+0], ch
		inc	ebx
		add	[edi+0], ch
		add	fs:[ebp+0], ah
; 
		dw 0
; 

??_C@_1CG@CMLGNBH@?$AAB?$AAu?$AAg?$AAC?$AAh?$AAe?$AAc?$AAk?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt@FNODOBFM@:
					; DATA XREF: IoInitializeBugCheckProgress(x,x)+AAo
					; IoInitializeBugCheckProgress(x,x)+10Bo
		inc	edx
		add	[ebp+0], dh
		add	[bp+di+0], al
		push	63006500h
		add	[ebx+0], ch
		push	eax
		add	[ecx+0], ah
		jb	short $+2
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+65h], dh
		add	[edx+0], dh
		xor	[eax], eax
; 
		db 2 dup(0)
; 

??_C@_1CA@BHBGKHBP@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAR?$AAe?$AAm?$AAo?$AAt?$AAe?$AAD?$AAA?$AAS?$AAD@FNODOBFM@:
					; DATA XREF: IopAllowRemoteDASD()+23o
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[edi+0], ch
		ja	short $+2
		push	edx
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jz	short $+2
		add	gs:[eax+eax+41h], al
		add	[ebx+0], dl
		inc	esp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1JM@NKOMBJJF@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@FNODOBFM@:
					; DATA XREF: IopAllowRemoteDASD()+2Eo
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[edi+0], cl
		inc	esi
		add	[eax+eax+57h], dl
		add	[ecx+0], al
		push	edx
		add	[ebp+0], al
		pop	esp
		add	[eax+0], dl
		outsd
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		imul	eax, [eax], 730065h
		pop	esp
		add	[ebp+0], cl
		imul	eax, [eax], 720063h
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		pop	esp
		add	[edx+0], dl
		add	gs:[ebp+0], ch
		outsd
		add	[esi+0], dh
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	ebx
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
		popa
		add	[edi+0], ah
		add	gs:[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
off_5A4728	dd offset loc_5BFFFF+1	; DATA XREF: SecureDump_PrepareForInit+22o
		dd offset loc_650052
		dd offset loc_690066+1
aStryMachineS_0:
		unicode	0, <stry\Machine\System\CurrentControlSet\Control\CrashContro>
		unicode	0, <l\EncryptionCertificates\Certificate.1>,0
; 

??_C@_1BE@KFJNGKKA@?$AAP?$AAu?$AAb?$AAl?$AAi?$AAc?$AAK?$AAe?$AAy@FNODOBFM@:
					; DATA XREF: SecureDump_PrepareForInit+7E7F2o
		push	eax
		add	[ebp+0], dh
		bound	eax, [eax]
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		dec	ebx
		add	[ebp+0], ah
		jns	short $+2
; 
		dw 0
??_C@_1CM@KPLJMDLH@?$AAD?$AAu?$AAm?$AAp?$AAE?$AAn?$AAc?$AAr?$AAy?$AAp?$AAt?$AAi?$AAo?$AAn?$AAE@FNODOBFM@:
					; DATA XREF: SecureDump_PrepareForInit+8Ao
		unicode	0, <DumpEncryptionEnabled>,0
??_C@_1BI@EOJNAKNM@?$AAG?$AAu?$AAa?$AAr?$AAd?$AAe?$AAd?$AAH?$AAo?$AAs?$AAt@FNODOBFM@:
					; DATA XREF: SecureDump_PrepareForInit+5Do
		unicode	0, <GuardedHost>,0
??_C@_1KG@LIIDIKFP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@ dd offset loc_52005B+1
					; DATA XREF: SecureDump_PrepareForInit+3Bo
		dd offset loc_670065
aIstryMachine_0:
		unicode	0, <istry\Machine\System\CurrentControlSet\Control\CrashContr>
		unicode	0, <ol\ForceDumpsDisabled>,0
; 

??_C@_1BE@FGBADLPC@?$AAK?$AAe?$AAy?$AAL?$AAe?$AAn?$AAg?$AAt?$AAh@FNODOBFM@:
					; DATA XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+EAo
					; SecureDump_SymmetricEncryptionSetup()+9Ao
		dec	ebx
		add	[ebp+0], ah
		jns	short $+2
		dec	esp
		add	[ebp+0], ah
		outsb
		add	[edi+0], ah
		jz	short $+2

loc_5A4902:				; DATA XREF: SecureDump_SymmetricEncryptionSetup()+18o
		push	58000000h
		add	[eax+eax+53h], dl
		add	ds:45004100h, ch
		add	[ebx+0], dl
; 
off_5A4914	dd offset loc_4CFFFE+2	; DATA XREF: SecureDump_SymmetricEncryptionSetup()+13o
		dd offset loc_630068+1
aRosoftPrimitiv:
		unicode	0, <rosoft Primitive Provider>,0
; 

??_C@_1BG@GFMKNFOD@?$AAT?$AAh?$AAu?$AAm?$AAb?$AAp?$AAr?$AAi?$AAn?$AAt@FNODOBFM@:
					; DATA XREF: SecureDump_PrepareForInit+7E816o
		push	esp
		add	[eax+0], ch
		jnz	short $+2
		insd
		add	[edx+0], ah
		jo	short $+2
		jb	short $+2
		imul	eax, [eax], 74006Eh
; 
off_5A4964	dd offset loc_51FFFF+1	; DATA XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+A7o
		dd offset loc_41004E+5
off_5A496C	dd offset loc_4AFFFF+1	; DATA XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+1Eo
					; SecureDump_EncryptSymmetricKeyWithPublicKey()+87o
aEydatablob:
		unicode	0, <eyDataBlob>,0
; 

??_C@_1O@HECGKAIN@?$AAS?$AAH?$AAA?$AA2?$AA5?$AA6@FNODOBFM@:
					; DATA XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+Bo
		push	ebx
		add	[eax+0], cl
		inc	ecx
		add	[edx], dh
		add	large ds:3600h,	dh
; 
		db 0
??_C@_1CG@ONBEMBCH@?$AAM?$AAe?$AAs?$AAs?$AAa?$AAg?$AAe?$AAB?$AAl?$AAo?$AAc?$AAk?$AAL?$AAe?$AAn@FNODOBFM@ dd offset loc_65004C+1
					; DATA XREF: SecureDump_SymmetricEncryptionSetup()+C6o
aSsageblockleng:
		unicode	0, <ssageBlockLength>,0
??_C@_1BM@BJJGGDHH@?$AAR?$AAS?$AAA?$AAP?$AAU?$AAB?$AAL?$AAI?$AAC?$AAB?$AAL?$AAO?$AAB@FNODOBFM@ dd offset loc_530052
					; DATA XREF: BCryptImportKeyPair(x,x,x,x,x,x,x)+28o
		dd offset loc_50003C+5
		dd offset loc_420055
		dd offset loc_490049+3
		dd offset off_420040+3
		dd offset loc_4F0047+5
		dw 42h
off_5A49D4	dd offset loc_5BFFFF+1	; DATA XREF: IopInitializeSystemVariableService+2Bo
		dd offset loc_650052
		dd offset loc_690066+1
aStryMachineS_1:
		unicode	0, <stry\Machine\System\CurrentControlSet\Services\WindowsTru>
		unicode	0, <stedRT\Parameters>,0
; 

??_C@_1M@OAJFFPML@?$AAF?$AAl?$AAa?$AAg?$AAs@FNODOBFM@:
					; DATA XREF: IopInitializeSystemVariableService+6Fo
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1GO@MBBBLOKI@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@:
					; DATA XREF: .text:00568301o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+0], dl
		outsb
		add	[eax+0], dl
; 
		dw 0
; 

??_C@_1DC@IJMJJODK@?$AAP?$AAo?$AAl?$AAl?$AAB?$AAo?$AAo?$AAt?$AAP?$AAa?$AAr?$AAt?$AAi?$AAt?$AAi@FNODOBFM@:
					; DATA XREF: .text:0056831Co
		push	eax
		add	[edi+0], ch
		insb
		add	[eax+eax+42h], ch
		add	[edi+0], ch
		outsd
		add	[eax+eax+50h], dh
		add	[ecx+0], ah
		jb	short $+2
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
off_5A4B20	dd offset loc_5BFFFF+1	; DATA XREF: PipUpdateDeviceProducts+C3o
					; PipUpdateDeviceProducts+10Fo
		dd offset loc_650052
		dd offset loc_690066+1
aStryMachineSof:
		unicode	0, <stry\Machine\Software\Microsoft\Windows NT\CurrentVersion>
		unicode	0, <\Update\TargetingInfo\DynamicInstalled>,0
??_C@_1CG@OKDMALDI@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AA?2?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt@FNODOBFM@:
					; DATA XREF: PipUpdateDeviceProducts+A4o
		unicode	0, <Current\ProductIds>,0
??_C@_1BA@LIACFDLB@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@FNODOBFM@ dd offset loc_650054+2
					; DATA XREF: PipUpdateDeviceProducts+370o
					; PipUpdateDeviceProducts+81BF0o ...
		dw 72h
		dd offset loc_690072+1
aOn:
		unicode	0, <on>,0
; 

; wchar_t ??_C
??_C@_1O@FAMJMIMO@?$AAS?$AAM?$AAB?$AAI?$AAO?$AAS@FNODOBFM@:
					; DATA XREF: PipUpdateDeviceProducts+251o
					; PipUpdateDeviceProducts+81CFEo
		push	ebx
		add	[ebp+0], cl
		inc	edx
		add	[ecx+0], cl
		dec	edi
		add	[ebx+0], dl
; 
		dw 0

;  S U B	R O U T	I N E 


??_C@_1O@FDGFDJPD@?$AAS?$AAo?$AAu?$AAr?$AAc?$AAe@FNODOBFM@ proc	near
					; DATA XREF: PipUpdateDeviceProducts+231o
					; PipUpdateDeviceProducts+81D05o
		push	ebx
		add	[edi+0], ch
		jnz	short $+2
		jb	short $+2
		arpl	[eax], ax
??_C@_1O@FDGFDJPD@?$AAS?$AAo?$AAu?$AAr?$AAc?$AAe@FNODOBFM@ endp

		add	gs:[eax], al
; 
		db 0
; 

??_C@_1DC@IPENELJD@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAe@FNODOBFM@:
					; DATA XREF: PipUpdateDeviceProducts+C9o
					; PipUpdateDeviceProducts+115o
		inc	esp
		add	[ecx+0], bh
		outsb
		add	[ecx+0], ah
		insd
		add	[ecx+0], ch
		arpl	[eax], ax
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[eax+eax+6Ch], ch
		add	[ebp+0], ah
		add	fs:[eax+0], dl
		jb	short $+2
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BA@OJFOBGOM@?$AA0?$AA?4?$AA0?$AA?4?$AA0?$AA?4?$AA0@FNODOBFM@:
					; DATA XREF: PipUpdateDeviceProducts+81CC8o
		xor	[eax], al
		add	cs:[eax], dh
		add	[esi], ch
		add	[eax], dh
		add	[esi], ch
		add	[eax], dh
; 
		db 3 dup(0)
; 

??_C@_1BK@KBOGDDLN@?$AAC?$AAr?$AAe?$AAa?$AAt?$AAi?$AAo?$AAn?$AAT?$AAi?$AAm?$AAe@FNODOBFM@:
					; DATA XREF: PipUpdateDeviceProducts+81CB3o
		inc	ebx
		add	[edx+0], dh
		add	gs:[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		db 2 dup(0)
; 

??_C@_1CI@GCBCBALN@?$AAD?$AAe?$AAa?$AAc?$AAt?$AAi?$AAv?$AAa?$AAt?$AAi?$AAo?$AAn?$AAV?$AAe?$AAr@FNODOBFM@:
					; DATA XREF: PipUpdateDeviceProducts+81C85o
		inc	esp
		add	[ebp+0], ah
		popa
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 610076h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		db 2 dup(0)
; 

??_C@_1CC@IAPJKJMA@?$AAD?$AAe?$AAa?$AAc?$AAt?$AAi?$AAv?$AAa?$AAt?$AAi?$AAo?$AAn?$AAT?$AAi?$AAm@FNODOBFM@:
					; DATA XREF: PipUpdateDeviceProducts+81C6Fo
		inc	esp
		add	[ebp+0], ah
		popa
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 610076h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1BO@OLACNIPJ@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAa?$AAt?$AAi?$AAo?$AAn?$AAT?$AAi?$AAm?$AAe@FNODOBFM@:
					; DATA XREF: PipUpdateDeviceProducts+81CEEo
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 610076h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
off_5A4D00	dd offset loc_4E0000	; DATA XREF: McTemplateK0dzd_EtwWriteTransfer(x,x,x,x,x,x)+55o
					; McTemplateK0pz_EtwWriteTransfer(x,x,x,x,x)+55o ...
		dd offset loc_4C0054+1
		dd 4Ch

;  S U B	R O U T	I N E 


??_C@_08OMFOKBDN@NTOSPNP?3@FNODOBFM@ proc near ; DATA XREF: _IopDebugPrint+Ao
		dec	esi
		push	esp
		dec	edi
		push	ebx
		push	eax
		dec	esi
		push	eax
		cmp	al, [eax]
		int	3		; Trap to Debugger
??_C@_08OMFOKBDN@NTOSPNP?3@FNODOBFM@ endp


??_C@_1BA@IELBACJJ@?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe@FNODOBFM@:
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_516567o
					; PiCMGetDeviceIdList(x,x,x,x,x,x):loc_7D1F2Fo
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		imul	eax, [eax], 650063h
; 
		db 2 dup(0)
; 

??_C@_19DDCEFKEI@?$AAE?$AAn?$AAu?$AAm@FNODOBFM@:
					; DATA XREF: PiCMGetDeviceIdList(x,x,x,x,x,x):loc_7D1F36o
		inc	ebp
		add	[esi+0], ch
		jnz	short $+2
		insd
; 
		db 3 dup(0)
; 

??_C@_19KLMLHLJG@?$AAN?$AAo?$AAn?$AAe@FNODOBFM@:
					; DATA XREF: PiCMGetDeviceIdList(x,x,x,x,x,x):loc_7D1F3Do
		dec	esi
		add	[edi+0], ch
		outsb
		add	[ebp+0], ah
; 
		db 2 dup(0)
; 

??_C@_1BK@MHOOBJGI@?$AAB?$AAu?$AAs?$AAR?$AAe?$AAl?$AAa?$AAt?$AAi?$AAo?$AAn?$AAs@FNODOBFM@:
					; DATA XREF: PiCMGetDeviceIdList(x,x,x,x,x,x):loc_7D1F74o
		inc	edx
		add	[ebp+0], dh
		jnb	short $+2
		push	edx
		add	[ebp+0], ah
		insb
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BO@NCAAGMIC@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAR?$AAe?$AAl?$AAa?$AAt?$AAi?$AAo?$AAn?$AAs@FNODOBFM@:
					; DATA XREF: PiCMGetDeviceIdList(x,x,x,x,x,x):loc_7D1F7Bo
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		push	edx
		add	[ebp+0], ah
		insb
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
off_5A4D70	dd offset loc_51FFFF+1	; DATA XREF: PiCMGetDeviceIdList(x,x,x,x,x,x):loc_7D1F44o
aEmovalrelation:
		unicode	0, <emovalRelations>,0
; 

??_C@_1BO@BFLJCOAG@?$AAE?$AAj?$AAe?$AAc?$AAt?$AAR?$AAe?$AAl?$AAa?$AAt?$AAi?$AAo?$AAn?$AAs@FNODOBFM@:
					; DATA XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+72o
		inc	ebp
		add	[edx+0], ch
		add	gs:[ebx+0], ah
		jz	short $+2
		push	edx
		add	[ebp+0], ah
		insb
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BA@LEPJIIOK@?$AAU?$AAn?$AAk?$AAn?$AAo?$AAw?$AAn@FNODOBFM@:
					; DATA XREF: PopIdleWakeFinalizeWakeSource(x,x)+34o
					; PiCMGetDeviceIdList(x,x,x,x,x,x):loc_7D1F5Fo
		push	ebp
		add	[esi+0], ch
		imul	eax, [eax], 6Eh
		add	[edi+0], ch
		ja	short $+2
		outsb
; 
		db 0
		db 2 dup(0)
; 

??_C@_1M@OAHBGIFG@?$AAC?$AAl?$AAa?$AAs?$AAs@FNODOBFM@:
					; DATA XREF: _MapCmClassPropertyToRegValue(x,x):loc_55190Do
					; _MapCmDevicePropertyToRegValue:loc_5E8E2Bo ...
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CG@ENKBDIHB@?$AAT?$AAr?$AAa?$AAn?$AAs?$AAp?$AAo?$AAr?$AAt?$AAR?$AAe?$AAl?$AAa?$AAt?$AAi@FNODOBFM@:
					; DATA XREF: PiCMGetDeviceIdList(x,x,x,x,x,x):loc_7D1F6Do
		push	esp
		add	[edx+0], dh
		popa
		add	[esi+0], ch
		jnb	short $+2
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		push	edx
		add	[ebp+0], ah
		insb
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dw 0
; 

??_C@_0CE@NALIHKD@KDTARGET?3?5Refreshing?5KD?5connect@FNODOBFM@:
					; DATA XREF: KdRefreshDebuggerNotPresent+7DE51o
		dec	ebx
		inc	esp
		push	esp
		inc	ecx
		push	edx
		inc	edi
		inc	ebp
		push	esp
		cmp	ah, [eax]
		push	edx
		db	65h, 66h
		jb	short near ptr dword_5A4E68
		jnb	short near ptr ??_C@_0DG@HBEOGLKD@?$CFs?$CK?$CK?5?5?$CF12s?5?9?5Address?5?$CFp?5base?5at@FNODOBFM@+1
		imul	ebp, [esi+67h],	20444B20h
		arpl	[edi+6Eh], bp
		outsb
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb
		or	al, [eax]
; 
??_C@_1CI@BPFKPPAM@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAF?$AAG?$AAB?$AAo?$AAo?$AAs?$AAt?$AAD@FNODOBFM@ dd offset loc_690044
					; DATA XREF: KiIsDisableFgBoostDecayFeatureStateSet()+1Eo
					; KiDisableFgBoostDecayRegistryChangeHandler(x)+1Do
		dd offset loc_61006E+5
aBlefgboostdeca:
		unicode	0, <bleFGBoostDecay>,0
; 

??_C@_01NBENCBCI@?$CK@FNODOBFM@:	; DATA XREF: KiDumpParameterImages(x,x,x,x)+E7o
		sub	al, [eax]

??_C@_03EOCNLBMA@?$AN?6?$CK@FNODOBFM@:	; DATA XREF: KiDumpParameterImages(x,x,x,x)+E0o
					; KiBugCheckDebugBreak(x)+6Fo
		or	eax, 21002A0Ah
		add	[ebx+0], dl
		inc	ecx
		add	[ebx+0], al
		db	3Eh
		add	[eax], al

loc_5A4E51:				; DATA XREF: KiBugCheckDebugBreak(x)+60o
					; KiBugCheckProgress(x)+DAo
		add	ds:25CC000Ah, cl
; 
		db 0
		db 2 dup(0)
; 

??_C@_13HOIJIPNN@?$AA?5@FNODOBFM@:	; DATA XREF: KiBugCheckProgress(x)+92o
					; StringCbCatW(x,x,x)+3Eo
		and	[eax], al
; 
		db 2 dup(0)
; 

??_C@_1O@LHPILDCB@?$AA?$AN?$AA?$BL?$AA?$FL?$AA0?$AAK?$AA?$AN@FNODOBFM@:
					; DATA XREF: KiBugCheckProgress(x)+67o
		or	eax, 5B001B00h
		add	[eax], dh
		add	[ebx+0], cl
; 
dword_5A4E68	dd 0Dh			; CODE XREF: .text:005A4DFFj
; char ??_C[]
??_C@_0DG@HBEOGLKD@?$CFs?$CK?$CK?5?5?$CF12s?5?9?5Address?5?$CFp?5base?5at@FNODOBFM@ db '%s**  %12s - Address %p base at %p, DateStamp %08lx',0Dh,0Ah,0
					; CODE XREF: .text:005A4E03j
					; DATA XREF: KiDumpParameterImages(x,x,x,x)+104o
; char ??_C[]
??_C@_0BG@EHFEKHCI@Driver?5at?5fault?3?5?$CFs?4?6@FNODOBFM@ db 'Driver at fault: %s.',0Ah,0
					; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+74Co
; 

; char ??_C
??_C@_0FA@NGBMEEAN@?6?$CK?$CK?$CK?5Fatal?5System?5Error?3?50x?$CF08l@FNODOBFM@:
					; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+728o
		or	ch, [edx]
		sub	ch, [edx]
		and	[esi+61h], al
		jz	short loc_5A4F22
		insb
		and	[ebx+79h], dl
		jnb	short loc_5A4F3B
		db	65h
		insd
		and	[ebp+72h], al
		jb	short loc_5A4F3D
		jb	short near ptr ??_C@_06BJBFBFHM@0x?$CF08x@FNODOBFM@+2
		and	[eax], dh
		js	short loc_5A4EF9
		xor	[eax], bh
		insb
		js	short loc_5A4EE3
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah

loc_5A4EE3:				; CODE XREF: .text:005A4ED7j
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ch
		xor	[eax+25h], bh
		jo	short loc_5A4F22
		xor	[eax+25h], bh

loc_5A4EF9:				; CODE XREF: .text:005A4ED2j
		jo	short loc_5A4F27
		xor	[eax+25h], bh
		jo	short near ptr loc_5A4F2B+1
		xor	[eax+25h], bh
		jo	short near ptr loc_5A4F2D+1
		or	cl, [edx]
; 
		db 0
; 

; char ??_C
??_C@_06BJBFBFHM@0x?$CF08x@FNODOBFM@:	; CODE XREF: .text:005A4ECEj
					; DATA XREF: KiDisplayBlueScreen(x)+F6o
		xor	[eax+25h], bh
		xor	[eax], bh
		js	short $+2
		int	3		; Trap to Debugger

??_C@_15JNBOKNOG@?$AA?$AN?$AA?6@FNODOBFM@: ; DATA XREF:	KiBugCheckProgress(x)+EDo
					; KiDisplayBlueScreen(x)+1BBo ...
		or	eax, 0A00h

loc_5A4F15:				; DATA XREF: KiPassiveIsrWatchdog(x,x,x,x)+16o
		add	[edx], cl
		push	eax
		popa
		jnb	short loc_5A4F8E
		imul	esi, [esi+65h],	76656C2Dh

loc_5A4F22:				; CODE XREF: .text:005A4EBFj
					; .text:005A4EF4j
		db	65h
		insb
		and	[ecx+53h], cl

loc_5A4F27:				; CODE XREF: .text:loc_5A4EF9j
		push	edx
		and	[edi+61h], dh

loc_5A4F2B:				; CODE XREF: .text:005A4EFEj
		jz	short near ptr loc_5A4F8F+1

loc_5A4F2D:				; CODE XREF: .text:005A4F03j
		push	20676F64h
		jz	short near ptr loc_5A4F9A+3
		insd
		outs	dx, dword ptr gs:[esi]
		jnz	short near ptr loc_5A4FA8+5
		and	[eax], esp

loc_5A4F3B:				; CODE XREF: .text:005A4EC5j
		dec	ecx
		outsb

loc_5A4F3D:				; CODE XREF: .text:005A4ECCj
		jz	short near ptr loc_5A4FA2+2
		jb	short near ptr byte_5A4FB3
		jnz	short near ptr byte_5A4FB3
		jz	short near ptr loc_5A4F7E+1

loc_5A4F45:				; DATA XREF: KsepLoadShimProvider(x)+39o
		and	ds:5C000A70h, ah
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al

loc_5A4F7E:				; CODE XREF: .text:005A4F43j
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch

loc_5A4F8E:				; CODE XREF: .text:005A4F19j
		outsb

loc_5A4F8F:				; CODE XREF: .text:loc_5A4F2Bj
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl

loc_5A4F9A:				; CODE XREF: .text:005A4F32j
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], dl

loc_5A4FA2:				; CODE XREF: .text:loc_5A4F3Dj
		add	gs:[edx+0], dh
		jbe	short $+2

loc_5A4FA8:				; CODE XREF: .text:005A4F37j
		imul	eax, [eax], 650063h
		jnb	short $+2
		pop	esp
; 
		db 2 dup(0)
byte_5A4FB3	db 0			; CODE XREF: .text:005A4F3Fj
					; .text:005A4F41j
; 

; void ??_C
??_C@_13LBAGMAIH@?$AA?6@FNODOBFM@:	; DATA XREF: KsepEvntLogShimsApplied(x,x,x)+138o
		or	al, [eax]
; 
		dw 0
??_C@_1BA@CIBIBIEE@?$AA?$DM?$AAe?$AAr?$AAr?$AAo?$AAr?$AA?$DO@FNODOBFM@ dd offset locret_65003A+2
					; DATA XREF: KseDsCallbackHookAddDevice(x,x)+61o
aRror:
		unicode	0, <rror>
		dw 3Eh
		unicode	0, <>,0
; 

; char ??_C
??_C@_0FL@NHFNIKD@Without?5a?5debugger?5attached?0?5th@FNODOBFM@:
					; DATA XREF: MiNoPagesLastChance(x,x)+167o
		push	edi
		imul	esi, [eax+ebp*2+6Fh], 61207475h
		and	[ebp+62h], ah
		jnz	short loc_5A503E
		db	67h, 65h
		jb	near ptr 4FFBh
		popa
		jz	short near ptr loc_5A5050+2
		popa
		arpl	[eax+65h], bp
		db	64h
		sub	al, 20h
		jz	short near ptr loc_5A504E+1
		and	gs:[esi+6Fh], ah
		insb
		insb
		outsd
		ja	short near ptr loc_5A5058+1
		outsb
		and	[bp+si+75h], ah
		arpl	[bx+si+65h], bp
		arpl	[ebx+20h], bp
		ja	short loc_5A506D
		jnz	short near ptr loc_5A5069+3
		and	fs:[eax+61h], ch
		jbe	short near ptr loc_5A5069+2
		and	[edi+63h], ch
		arpl	[ebp+72h], si
		jb	short near ptr loc_5A5071+2
		db	64h
		or	ah, cs:20786C34h
		and	eax, 70252070h
		and	ds:78252078h, ah
		or	al, [eax]
		int	3		; Trap to Debugger
; 
??_C@_1HC@HNNLMFEJ@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@ dd offset loc_52005B+1
					; DATA XREF: PopReadUlongPowerKey+Co
; 
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah

loc_5A503E:				; CODE XREF: .text:005A4FD5j
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2

loc_5A504E:				; CODE XREF: .text:005A4FE5j
		jz	short $+2

loc_5A5050:				; CODE XREF: .text:005A4FDCj
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al

loc_5A5058:				; CODE XREF: .text:005A4FEEj
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb

loc_5A5069:				; CODE XREF: .text:005A5004j
					; .text:005A4FFEj
		add	[eax+eax+72h], dh

loc_5A506D:				; CODE XREF: .text:005A4FFCj
		add	[edi+0], ch
		insb

loc_5A5071:				; CODE XREF: .text:005A500Cj
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+0], dl
		outsd
		add	[edi+0], dh
		add	gs:[edx+0], dh
; 
		db 2 dup(0)
; 

??_C@_19KLPPDPHB@?$AAP?$AAC?$AAI?$AA?2@FNODOBFM@:
					; DATA XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+37o
		push	eax
		add	[ebx+0], al
		dec	ecx
		add	[eax+eax+0], bl

loc_5A509F:				; DATA XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+85o
		add	[ebp+0], dl
		push	ebx
		add	[edx+0], al
		pop	esp
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_17DMBMDHNL@?$AAU?$AAS?$AAB@FNODOBFM@:
					; DATA XREF: PopFxIsDevicePotentialDripsConstraint(x)+E7o
		push	ebp
		add	[ebx+0], dl
		inc	edx
; 
		db 0
off_5A50B0	dd offset loc_440000	; DATA XREF: PopFxEnforceDirectedPowerTransition(x,x,x)+6Do
aIrectedfxpower:
		unicode	0, <irectedFxPowerStateFailure>,0
??_C@_0CL@EMNGOHPB@PopCoalescing?3?5Coalescing?5timer@FNODOBFM@	db 'PopCoalescing: Coalescing timer activated',0Ah,0
					; DATA XREF: PopCoalescingSetTimer()+Ao
		align 2

??_C@_1CA@NLEIKFFC@?$AAU?$AAs?$AAe?$AAr?$AAP?$AAr?$AAe?$AAs?$AAe?$AAn?$AAc?$AAe?$AAS?$AAe?$AAt@FNODOBFM@:
					; DATA XREF: PopUserPresentSet+81BE1o
		push	ebp
		add	[ebx+0], dh
		add	gs:[edx+0], dh
		push	eax
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		add	gs:[esi+0], ch
		arpl	[eax], ax
		add	gs:[ebx+0], dl
		add	gs:[eax+eax+0],	dh
; 
		db 0
; 

; char ??_C
??_C@_0LI@GLJCKFNB@?6A?5bugcheck?5occurred?5during?5the@FNODOBFM@:
					; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+1F6o
		or	al, [ecx+20h]
		bound	esi, [ebp+67h]
		arpl	[eax+65h], bp
		arpl	[ebx+20h], bp
		outsd
		arpl	[ebx+75h], sp
		jb	short loc_5A51BA
		db	65h
		and	fs:[ebp+esi*2+72h], ah
		imul	ebp, [esi+67h],	65687420h
		and	[ecx+74h], ch
		and	gs:[ebx+74h], dh
		popa
		db	67h, 65h
		jnb	near ptr 5182h
		outsd
		db	66h
		and	[eax+69h], ch
		bound	esp, [ebp+72h]
		outsb
		popa
		jz	short loc_5A51D3
		and	[ebx+75h], dh
		jnb	short loc_5A51E3
		outs	dx, byte ptr gs:[esi]
		and	fs:[edi+72h], ch
		and	[edx+65h], dh
		jnb	short near ptr loc_5A51F2+1
		insd
		db	65h
		or	al, cs:[ebp+esi*2+65h]
		and	[edi+ebp*2+20h], dh
		jbe	short near ptr loc_5A51EF+1
		jb	short near ptr loc_5A51F4+2
		imul	sp, [ebx+61h], 6974h
		outsd
		outsb
		and	[ebp+6Dh], dh
		jo	short near ptr loc_5A5205+5
		jb	short near ptr loc_5A51FD+1
		jb	short near ptr loc_5A5205+3
		insb
		jns	short loc_5A51C2
		outs	dx, byte ptr gs:[esi]
		popa
		bound	ebp, [ebp+64h]
		and	[edx+79h], ah
		and	[eax+6Fh], dl
		and	[ebp+esi*2+72h], ah
		imul	ebp, [esi+67h],	69687420h

loc_5A51BA:				; CODE XREF: .text:005A5146j
		jnb	short loc_5A51DC
		jz	short loc_5A5227
		insd
		db	65h
		sub	al, 0Ah

loc_5A51C2:				; CODE XREF: .text:005A51A0j
		jb	short loc_5A5229
		db	67h
		jnz	near ptr 5233h
		popa
		jb	short loc_5A51EA
		bound	esi, [ebp+67h]
		arpl	[eax+65h], bp
		arpl	[ebx+20h], bp

loc_5A51D3:				; CODE XREF: .text:005A516Cj
		jo	short near ptr loc_5A5245+2
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_5A5242+2
		outsb

loc_5A51DC:				; CODE XREF: .text:loc_5A51BAj
		and	[di+61h], ch
		jns	short near ptr loc_5A51FF+3
		outsb

loc_5A51E3:				; CODE XREF: .text:005A5171j
		outsd
		jz	short near ptr loc_5A5205+1
		ja	short loc_5A5257
		jb	short near ptr loc_5A5252+3

loc_5A51EA:				; CODE XREF: .text:005A51C8j
		or	cl, cs:[edx]
; 
		db 0
; 

; char ??_C
??_C@_0LC@NEPBNGAN@Memory?5was?5accessed?5during?5this@FNODOBFM@:
					; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+20Do
		dec	ebp

loc_5A51EF:				; CODE XREF: .text:005A5189j
		db	65h
		insd
		outsd

loc_5A51F2:				; CODE XREF: .text:005A517Cj
		jb	short loc_5A526D

loc_5A51F4:				; CODE XREF: .text:005A518Bj
		and	[edi+61h], dh
		jnb	short near ptr loc_5A5218+1
		popa
		arpl	[ebx+65h], sp

loc_5A51FD:				; CODE XREF: .text:005A519Bj
		jnb	short near ptr loc_5A5271+1

loc_5A51FF:				; CODE XREF: .text:005A51E0j
		db	65h
		and	fs:[ebp+esi*2+72h], ah

loc_5A5205:				; CODE XREF: .text:005A51E4j
					; .text:005A519Dj ...
		imul	ebp, [esi+67h],	69687420h
		jnb	short near ptr loc_5A522D+1
		jz	short near ptr loc_5A5277+2
		insd
		and	gs:[eax+ebp*2+61h], dh
		jz	short near ptr loc_5A5236+2

loc_5A5218:				; CODE XREF: .text:005A51F7j
		ja	short near ptr loc_5A5277+4
		jnb	short near ptr loc_5A523B+1
		outsb
		outsd
		jz	short loc_5A5240
		jo	short near ptr loc_5A5293+1
		outsd
		jo	short near ptr loc_5A5289+1
		jb	short loc_5A5293

loc_5A5227:				; CODE XREF: .text:005A51BCj
		jns	short near ptr loc_5A5248+1

loc_5A5229:				; CODE XREF: .text:loc_5A51C2j
		insd
		popa
		jb	short loc_5A5298

loc_5A522D:				; CODE XREF: .text:005A520Cj
		db	65h
		or	ah, fs:[esi+6Fh]
		jb	short near ptr loc_5A5252+2
		jz	short near ptr loc_5A529A+4

loc_5A5236:				; CODE XREF: .text:005A5216j
		and	gs:[edx+6Fh], ah
		outsd

loc_5A523B:				; CODE XREF: .text:005A521Aj
		jz	short loc_5A525D
		jo	short loc_5A52A7
		popa

loc_5A5240:				; CODE XREF: .text:005A521Ej
		jnb	short loc_5A52A7

loc_5A5242:				; CODE XREF: .text:005A51D9j
		and	[edi+66h], ch

loc_5A5245:				; CODE XREF: .text:loc_5A51D3j
		and	[eax+69h], ch

loc_5A5248:				; CODE XREF: .text:loc_5A5227j
		bound	esp, [ebp+72h]
		outsb
		popa
		jz	short near ptr loc_5A52B2+2
		and	[eax], esp
		inc	ebx

loc_5A5252:				; CODE XREF: .text:005A5232j
					; .text:005A51E8j
		push	206B6365h

loc_5A5257:				; CODE XREF: .text:005A51E6j
		jz	short near ptr loc_5A52BF+2
		and	gs:[ebx+61h], ah

loc_5A525D:				; CODE XREF: .text:loc_5A523Bj
		insb
		insb
		jnb	short near ptr loc_5A52D4+1
		popa
		arpl	[ebx+20h], bp
		popa
		outsb
		and	fs:[eax+61h], dh
		jb	short near ptr loc_5A52CD+1

loc_5A526D:				; CODE XREF: .text:loc_5A51F2j
		insd
		db	65h
		jz	short loc_5A52D6

loc_5A5271:				; CODE XREF: .text:loc_5A51FDj
		jb	short near ptr word_5A52E6
		or	dh, [edi+ebp*2+20h]

loc_5A5277:				; CODE XREF: .text:005A520Ej
					; .text:loc_5A5218j
		imul	bp, [esi+64h], 7420h
		push	61702065h
		db	67h, 65h
		jnb	near ptr 52A6h
		jz	short near ptr ??_C@_1BK@GHDKOGJL@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AA?5?$AA?$CF?$AAu@FNODOBFM@+8
		popa

loc_5A5289:				; CODE XREF: .text:005A5223j
		jz	short loc_5A52AB
		outsb
		db	65h, 65h
		and	fs:[edi+ebp*2+20h], dh

loc_5A5293:				; CODE XREF: .text:005A5225j
					; .text:005A5220j
		bound	esp, [ebp+20h]
		insd
		popa

loc_5A5298:				; CODE XREF: .text:005A522Bj
		jb	short near ptr loc_5A5303+2

loc_5A529A:				; CODE XREF: .text:005A5234j
		db	65h, 64h
		or	cl, cs:[edx]
; 
		db 0
??_C@_1BO@KOODFPKJ@?$AAT?$AAh?$AAe?$AAr?$AAm?$AAa?$AAl?$AAL?$AAo?$AAg?$AAg?$AAi?$AAn?$AAg@FNODOBFM@ dd offset loc_68004F+5
					; DATA XREF: PopOpenThermalLoggingKey+50o
		db 65h,	0, 72h
; 

loc_5A52A7:				; CODE XREF: .text:005A523Dj
					; .text:loc_5A5240j
		add	[ebp+0], ch
		popa

loc_5A52AB:				; CODE XREF: .text:loc_5A5289j
		add	[eax+eax+4Ch], ch
		add	[edi+0], ch

loc_5A52B2:				; CODE XREF: .text:005A524Dj
		add	[bx+0],	ah
		imul	eax, [eax], 67006Eh
; 
		db 2 dup(0)
; 

??_C@_1CK@OFEPLJJL@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AA?5?$AA9?$AA9?$AA9?$AA9?$AA9@FNODOBFM@:
					; DATA XREF: PopDiagTraceProcessorThrottleDurationPerfTrack(x,x)+23o
					; PopDiagTraceProcessorThrottlePerfTrack(x,x)+26o
		push	eax

loc_5A52BF:				; CODE XREF: .text:loc_5A5257j
		add	[edx+0], dh
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		outsd

loc_5A52CD:				; CODE XREF: .text:005A526Bj
		add	[edx+0], dh
		and	[eax], al
		cmp	[eax], eax

loc_5A52D4:				; CODE XREF: .text:005A525Fj
		cmp	[eax], eax

loc_5A52D6:				; CODE XREF: .text:005A526Ej
		cmp	[eax], eax
		cmp	[eax], eax
		cmp	[eax], eax
		cmp	[eax], eax
		cmp	[eax], eax
		cmp	[eax], eax
		cmp	[eax], eax
		cmp	[eax], eax
; 
word_5A52E6	dw 0			; CODE XREF: .text:loc_5A5271j
; wchar_t ??_C
??_C@_1BK@GHDKOGJL@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AA?5?$AA?$CF?$AAu@FNODOBFM@:
					; CODE XREF: .text:005A5286j
					; DATA XREF: PopDiagTraceProcessorThrottleDurationPerfTrack(x,x)+56o ...
		unicode	0, <Processor %u>,0
; 

??_C@_1CE@IFGNEOBB@?$AAI?$AAd?$AAl?$AAe?$AAP?$AAh?$AAa?$AAs?$AAe?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd@FNODOBFM@:
					; DATA XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+A7o
		dec	ecx

loc_5A5303:				; CODE XREF: .text:loc_5A5298j
		add	[eax+eax+6Ch], ah
		add	[ebp+0], ah
		push	eax
		add	[eax+0], ch
		popa
		add	[ebx+0], dh
		add	gs:[edi+0], dl
		popa
		add	[eax+eax+63h], dh
		add	[eax+0], ch
		add	fs:[edi+0], ch
		add	[bx+si], al

loc_5A5325:				; DATA XREF: PopPowerButtonWorkCallback(x)+1D8o
		add	[ebp+6Eh], dl
		popa
		bound	ebp, [ebp+20h]
		jz	short loc_5A539E
		and	[ecx+74h], ah
		jz	short near ptr loc_5A538D+8
		arpl	[eax+20h], bp
		jz	short near ptr loc_5A53A6+2
		and	[ecx+63h], ah
		jz	short near ptr loc_5A53A6+1
		jbe	short near ptr loc_5A53A4+1
		and	[ebx+65h], dh
		jnb	short near ptr loc_5A53B7+1

loc_5A5345:				; DATA XREF: PopPlNotifyDeviceDState+84AABo
		imul	ebp, [edi+6Eh],	6F50000Ah
		ja	short near ptr loc_5A53B2+1
		jb	short near ptr loc_5A538D+7
		db	65h
		jbe	short near ptr loc_5A53BB+1
		arpl	[ebp+55h], sp
		outsb
		jnb	short loc_5A53C9
		arpl	gs:[ecx+66h], bp

loc_5A535D:				; DATA XREF: PopPlNotifyDeviceDState+84AB7o
		imul	esp, [ebp+64h],	6F50CC00h
		ja	short near ptr loc_5A53CA+1
		jb	short loc_5A53AC
		db	65h
		jbe	short near ptr ??_C@_0CE@CLNABMMP@LDR?3?5No?5Locale?5name?5for?5LangId?5@FNODOBFM@+4
		arpl	[ebp+44h], sp
		xor	[eax], al

??_C@_0O@HLLDCKDP@PowerDeviceD1@FNODOBFM@: ; DATA XREF:	PopPlNotifyDeviceDState+84AC3o
		push	eax
		outsd
		ja	short near ptr ??_C@_0CE@CLNABMMP@LDR?3?5No?5Locale?5name?5for?5LangId?5@FNODOBFM@+9
		jb	short loc_5A53BA
		db	65h
		jbe	short near ptr ??_C@_0CE@CLNABMMP@LDR?3?5No?5Locale?5name?5for?5LangId?5@FNODOBFM@+12h
		arpl	[ebp+44h], sp
		xor	[eax], eax

??_C@_0O@FAJOHJPM@PowerDeviceD2@FNODOBFM@: ; DATA XREF:	PopPlNotifyDeviceDState+84ACFo
		push	eax
		outsd
		ja	short near ptr ??_C@_0CE@CLNABMMP@LDR?3?5No?5Locale?5name?5for?5LangId?5@FNODOBFM@+17h
		jb	short near ptr loc_5A53C5+3
		db	65h
		jbe	short near ptr ??_C@_0CE@CLNABMMP@LDR?3?5No?5Locale?5name?5for?5LangId?5@FNODOBFM@+20h
		arpl	[ebp+44h], sp
		xor	al, [eax]

??_C@_09GOOJCAKO@Beginning@FNODOBFM@:	; DATA XREF: PopPlNotifyDeviceDState+84A6Do
					; PopPlNotifyDeviceFState+81E65o
		inc	edx

loc_5A538D:				; CODE XREF: .text:005A534Ej
					; .text:005A5332j
		imul	ebp, gs:[bp+6Eh], 676E69h

??_C@_09MIJAKHKB@Completed@FNODOBFM@:	; DATA XREF: PopPlNotifyDeviceDState+84A97o
					; PopPlNotifyDeviceFState+81EA0o
		inc	ebx
		outsd
		insd
		jo	short near ptr byte_5A5407
		db	65h
		jz	short loc_5A5403

loc_5A539E:				; CODE XREF: .text:005A532Dj
					; DATA XREF: PopPlNotifyDeviceDState+84ADAo
		add	fs:[eax+6Fh], dl
		ja	short loc_5A5409

loc_5A53A4:				; CODE XREF: .text:005A533Ej
		jb	short near ptr ??_C@_0CE@CLNABMMP@LDR?3?5No?5Locale?5name?5for?5LangId?5@FNODOBFM@+1Ah

loc_5A53A6:				; CODE XREF: .text:005A533Cj
					; .text:005A5337j
		db	65h
		jbe	short near ptr loc_5A5410+2
		arpl	[ebp+44h], sp

loc_5A53AC:				; CODE XREF: .text:005A5366j
		xor	eax, [eax]

??_C@_0BD@ODMBHIPK@PowerDeviceMaximum@FNODOBFM@:
					; DATA XREF: PopPlNotifyDeviceDState:loc_5E280Do
		push	eax
		outsd
		ja	short near ptr loc_5A5415+2

loc_5A53B2:				; CODE XREF: .text:005A534Cj
		jb	short near ptr ??_C@_19IGBJANMC@?$AA?4?$AAm?$AAu?$AAn@FNODOBFM@+4
		db	65h
		jbe	short loc_5A5420

loc_5A53B7:				; CODE XREF: .text:005A5343j
		arpl	[ebp+4Dh], sp

loc_5A53BA:				; CODE XREF: .text:005A5374j
		popa

loc_5A53BB:				; CODE XREF: .text:005A5350j
		js	short loc_5A5426
		insd
		jnz	short loc_5A542D
		add	ah, cl

??_C@_09EEKGDCPH@?$DMunknown?$DO@FNODOBFM@: ; DATA XREF: PopPlNotifyDeviceDState+84AEBo
		cmp	al, 75h
		outsb

loc_5A53C5:				; CODE XREF: .text:005A5382j
		imul	ebp, [esi+6Fh],	77h

loc_5A53C9:				; CODE XREF: .text:005A5357j
		outsb

loc_5A53CA:				; CODE XREF: .text:005A5364j
					; DATA XREF: LdrpGetResourceFileName+12Fo ...
		db	3Eh
		add	[eax+eax+0], bl
; 
		db 0
; char ??_C[]
??_C@_0CE@CLNABMMP@LDR?3?5No?5Locale?5name?5for?5LangId?5@FNODOBFM@ db 'LDR: No Locale name for LangId %d ',0Ah,0
					; CODE XREF: .text:005A5368j
					; .text:005A5372j
					; DATA XREF: ...
??_C@_19IGBJANMC@?$AA?4?$AAm?$AAu?$AAn@FNODOBFM@: ; CODE XREF: .text:loc_5A53B2j
					; DATA XREF: LdrLoadAlternateResourceModuleEx+158o
		unicode	0, <.mun>,0
??_C@_19BLMODFHL@?$AA?4?$AAm?$AAu?$AAi@FNODOBFM@ db '.',0
					; DATA XREF: LdrLoadAlternateResourceModuleEx+15Fo
aM		db 'm',0
		db 75h
; 

loc_5A5403:				; CODE XREF: .text:005A539Bj
		add	[ecx+0], ch
; 
		db 0
byte_5A5407	db 0			; CODE XREF: .text:005A5399j

;  S U B	R O U T	I N E 


; void ??_C
??_C@_1CC@BKLBGLAJ@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAs@FNODOBFM@ proc near
					; DATA XREF: LdrpGetResourceFileName+10Bo
		push	ebx

loc_5A5409:				; CODE XREF: .text:005A53A2j
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2

loc_5A5410:				; CODE XREF: .text:loc_5A53A6j
		add	gs:[ebp+0], ch
		push	edx

loc_5A5415:				; CODE XREF: .text:005A53B0j
		add	[ebp+0], ah
		jnb	short $+2
		outsd
??_C@_1CC@BKLBGLAJ@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAs@FNODOBFM@ endp

		add	[ebp+0], dh
		jb	short $+2

loc_5A5420:				; CODE XREF: .text:005A53B4j
		arpl	[eax], ax
		add	gs:[ebx+0], dh

loc_5A5426:				; CODE XREF: .text:loc_5A53BBj
		pop	esp
; 
		db 0
off_5A5428	dd offset loc_4CFFFE+2	; DATA XREF: LdrpResSearchResourceMappedFile:loc_54105Eo
					; LdrpGetRcConfig+69o
		db 55h
; 

loc_5A542D:				; CODE XREF: .text:005A53BEj
		add	[ecx+0], cl
; 
		db 2 dup(0)
; 

??_C@_1DA@NLFMKLPC@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AA?5?$AAA?$AAt?$AAo?$AAm?$AA?5?$AAT?$AAa?$AAb@FNODOBFM@:
					; DATA XREF: RtlpAllowsLowBoxAccess(x):loc_509CE8o
		inc	edi
		add	[eax+eax+6Fh], ch
		add	[edx+0], ah
		popa
		add	[eax+eax+20h], ch
		add	[ecx+0], al
		jz	short $+2
		outsd
		add	[ebp+0], ch
		and	[eax], al
		push	esp
		add	[ecx+0], ah
		bound	eax, [eax]
		insb
		add	[ebp+0], ah
		and	[eax], al
		inc	ebp
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		jns	short $+2
; 
		db 2 dup(0)
; 

??_C@_1DK@PCEJDHOK@?$AAU?$AAn?$AAa?$AAb?$AAl?$AAe?$AA?5?$AAt?$AAo?$AA?5?$AAc?$AAa?$AAp?$AAt?$AAu@FNODOBFM@:
					; DATA XREF: RtlpAllowsLowBoxAccess(x):loc_509D41o
		push	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		and	[eax], al
		jz	short $+2
		outsd
		add	[eax], ah
		add	[ebx+0], ah
		popa
		add	[eax+0], dh
		jz	short $+2
		jnz	short $+2
		jb	short $+2
		add	gs:[eax], ah
		add	[ecx+0], al
		push	esp
		add	[edi+0], cl
		dec	ebp
		add	[eax], ah
		add	[esi+0], ch
		popa
		add	[ebp+0], ch
		add	gs:[esi], ch
; 
		db 3 dup(0)

;  S U B	R O U T	I N E 


??_C@_1FA@EHGIIEPM@?$AAU?$AAn?$AAa?$AAb?$AAl?$AAe?$AA?5?$AAt?$AAo?$AA?5?$AAA?$AAl?$AAl?$AAo?$AAc@FNODOBFM@ proc	near
					; DATA XREF: RtlpAllowsLowBoxAccess(x):loc_509D48o
		push	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
??_C@_1FA@EHGIIEPM@?$AAU?$AAn?$AAa?$AAb?$AAl?$AAe?$AA?5?$AAt?$AAo?$AA?5?$AAA?$AAl?$AAl?$AAo?$AAc@FNODOBFM@ endp

		add	[ebp+0], ah
		and	[eax], al
		jz	short $+2
		outsd
		add	[eax], ah
		add	[ecx+0], al
		insb
		add	[eax+eax+6Fh], ch
		add	[ebx+0], ah
		popa
		add	[eax+eax+65h], dh
		add	[eax], ah
		add	[ebx+0], dh
		jo	short $+2
		popa
		add	[ebx+0], ah
		add	gs:[eax], ah
		add	[esi+0], ah
		outsd
		add	[edx+0], dh
		and	[eax], al
		inc	ecx
		add	[eax+eax+4Fh], dl
		add	[ebp+0], cl
		and	[eax], al
		outsb
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
		add	cs:[eax], al
; 
		db 0
; char ??_C[]
??_C@_0DO@CDJIIIPD@?6?$CK?$CK?$CK?5Assertion?5failed?3?5?$CFs?$CFs?6?$CK?$CK?$CK@FNODOBFM@ db 0Ah
					; DATA XREF: RtlAssert(x,x,x,x)+3Eo
		db '*** Assertion failed: %s%s',0Ah
		db '***   Source File: %s, line %ld',0Ah
		db 0Ah,0
??_C@_0FH@DEPJAKLD@Break?5repeatedly?0?5break?5Once?0?5I@FNODOBFM@ db 'Break repeatedly, break Once, Ignore, terminate Process, or termi'
					; DATA XREF: RtlAssert(x,x,x,x)+69o
		db 'nate Thread (boipt)? ',0
		align 2

; char ??_C
??_C@_0CD@KCPGJLCO@Execute?5?8?4cxr?5?$CFp?8?5to?5dump?5conte@FNODOBFM@:
					; DATA XREF: RtlAssert(x,x,x,x)+BBo
		inc	ebp
		js	short loc_5A55EA
		arpl	[ebp+74h], si
		and	gs:[edi], ah
		arpl	cs:[eax+72h], di
		and	ds:74202770h, ah
		outsd
		and	[ebp+esi*2+6Dh], ah
		jo	short near ptr ??_C@_1DA@IFMDNCPF@?$AAP?$AAo?$AAr?$AAt?$AAa?$AAb?$AAl?$AAe?$AAO?$AAp?$AAe?$AAr?$AAa?$AAt?$AAi@FNODOBFM@+8
		arpl	[edi+6Eh], bp
		jz	short near ptr loc_5A5605+1
		js	short near ptr loc_5A5616+1
		or	al, [eax]
		int	3		; Trap to Debugger
; 
??_C@_1O@BMELCLLB@?$AAM?$AAi?$AAn?$AAi?$AAN?$AAT@FNODOBFM@ dd offset loc_69004A+3
					; DATA XREF: RtlCheckPortableOperatingSystem+9o
		dd offset loc_69006D+1
		dd offset loc_54004D+1
		align 4
??_C@_1DA@IFMDNCPF@?$AAP?$AAo?$AAr?$AAt?$AAa?$AAb?$AAl?$AAe?$AAO?$AAp?$AAe?$AAr?$AAa?$AAt?$AAi@FNODOBFM@:
					; CODE XREF: .text:005A559Aj
					; DATA XREF: RtlCheckPortableOperatingSystem+3Bo ...
		unicode	0, <PortableOperatingSystem>,0
??_C@_1EC@POCPCOCD@?$AA?2?$AAO?$AAS?$AAD?$AAa?$AAt?$AAa?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAW?$AAi?$AAn@FNODOBFM@ dd offset loc_4F005B+1
					; DATA XREF: RtlpGetBootStatusPath(x,x)+19o
		db 53h,	0
; 

loc_5A55EA:				; CODE XREF: .text:005A5583j
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
		add	[edx+0], dl
		outsd
		add	[edi+0], ch
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd

loc_5A5605:				; CODE XREF: .text:005A559Fj
		add	[edi+0], dh
		jnb	short $+2
		pop	esp
		add	[edx+0], ah
		outsd
		add	[edi+0], ch
		jz	short $+2
		jnb	short $+2

loc_5A5616:				; CODE XREF: .text:005A55A1j
		jz	short $+2
		popa
		add	[eax+eax+2Eh], dh
		add	[eax+eax+61h], ah
		add	[eax+eax+0], dh
; 
		db 0
??_C@_1DC@MEBGDNBI@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAb?$AAo?$AAo@FNODOBFM@ dd offset loc_530059+3
					; DATA XREF: RtlpGetBootStatusPath(x,x)+20o
		dw 79h
aStemrootBootst:
		unicode	0, <stemRoot\bootstat.dat>,0
??_C@_1GG@IBGAEKLO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@FNODOBFM@ dd offset loc_52005B+1
					; DATA XREF: RtlpGetBootStatusPathFromRegistry+10o
					; BapdpMarshallBootDataToRegistry:loc_5F8078o
		dd offset loc_470045
		dd offset loc_530049
		dd offset loc_520052+2
		dd offset loc_5C0057+2
		dd offset _DEVPKEY_DriverDatabase_Disabled+1
		dd offset loc_48003F+4
		dd offset loc_4E0049
		dd offset loc_5C0041+4
		dd offset loc_59004F+4
		dd offset loc_540052+1
		dd offset loc_4D0045
		dd offset dword_430010+4Ch
aUrrentcontro_0:
		unicode	0, <urrentControlSet\Control>,0
; 

??_C@_1BO@IJHFMHE@?$AAO?$AAs?$AAB?$AAo?$AAo?$AAt?$AAs?$AAt?$AAa?$AAt?$AAP?$AAa?$AAt?$AAh@FNODOBFM@:
					; DATA XREF: RtlpGetBootStatusPathFromRegistry+62o
		dec	edi
		add	[ebx+0], dh
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+73h], dh
		add	[eax+eax+61h], dh
		add	[eax+eax+50h], dh
		add	[ecx+0], ah
		jz	short $+2

loc_5A56D8:				; DATA XREF: RtlpAllocateHeap(x,x,x,x,x,x)+333o
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+163o ...
		push	48000000h
		inc	ebp
		inc	ecx
		push	eax
		cmp	ah, [eax]
		inc	esi
		jb	short near ptr loc_5A5749+1
		and	gs:[eax+65h], cl
		popa
		jo	short near ptr loc_5A570A+2
		bound	ebp, [edi+ebp*2+63h]
		imul	esp, [eax], 25h
		jo	short near ptr loc_5A5714+1
		insd
		outsd
		imul	esp, fs:[esi+69h], 61206465h
		jz	short near ptr loc_5A571F+2
		and	eax, 66612070h
		jz	short near ptr loc_5A576A+3
		jb	short near ptr loc_5A5729+1

loc_5A570A:				; CODE XREF: .text:005A56EAj
		imul	esi, [eax+77h],	66207361h
		jb	short loc_5A5779

loc_5A5714:				; CODE XREF: .text:005A56F3j
		db	65h
		or	al, fs:[eax]

??_C@_0BD@NIMLHKID@?$CIUCRBlock?5?$CB?$DN?5NULL?$CJ@FNODOBFM@:
					; DATA XREF: RtlpDeCommitFreeBlock(x,x,x,x)+1C0o
		sub	[ebp+43h], dl
		push	edx
		inc	edx
		insb
		outsd

loc_5A571F:				; CODE XREF: .text:005A56FFj
		arpl	[ebx+20h], bp
		and	ds:4C554E20h, edi
		dec	esp

loc_5A5729:				; CODE XREF: .text:005A5708j
		sub	[eax], eax
		int	3		; Trap to Debugger

??_C@_0P@GLEGKAEG@?$CI?$CBTrailingUCR?$CJ@FNODOBFM@:
					; DATA XREF: RtlpDeCommitFreeBlock(x,x,x,x):loc_66380Co
		sub	[ecx], ah
		push	esp
		jb	short near ptr loc_5A5791+1
		imul	ebp, [ecx+ebp*2+6Eh], 52435567h
		sub	[eax], eax
		int	3		; Trap to Debugger

??_C@_0BM@PABNNLLD@?$CI?$CILONG?$CJFreeEntry?9?$DOSize?5?$DO?51?$CJ@FNODOBFM@:
					; DATA XREF: RtlpDeCommitFreeBlock(x,x,x,x)+396o
		sub	[eax], ch
		dec	esp
		dec	edi
		dec	esi
		inc	edi
		sub	[esi+72h], eax
		db	65h, 65h
		inc	ebp
		outsb

loc_5A5749:				; CODE XREF: .text:005A56E3j
		jz	short loc_5A57BD
		jns	short loc_5A577A
		db	3Eh
		push	ebx
		imul	edi, [edx+65h],	31203E20h
		sub	[eax], eax

??_C@_0BK@JLAHADFN@?$CILONG?$CJFreeEntry?9?$DOSize?5?$DO?51@FNODOBFM@:
					; DATA XREF: RtlpDeCommitFreeBlock(x,x,x,x)+50Fo
		sub	[edi+ecx*2+4Eh], cl
		inc	edi
		sub	[esi+72h], eax
		db	65h, 65h
		inc	ebp
		outsb
		jz	short loc_5A57D8
		jns	short near ptr loc_5A5794+1
		db	3Eh
		push	ebx

loc_5A576A:				; CODE XREF: .text:005A5706j
		imul	edi, [edx+65h],	31203E20h

loc_5A5771:				; DATA XREF: RtlpCreateUCREntry(x,x,x,x,x,x)+70o
		add	[eax], ch
		sub	[eax+48h], dl
		inc	ebp
		inc	ecx
		push	eax

loc_5A5779:				; CODE XREF: .text:005A5712j
		pop	edi

loc_5A577A:				; CODE XREF: .text:005A574Bj
		inc	ebp
		dec	esi
		push	esp
		push	edx
		pop	ecx
		sub	[ecx+73h], ecx
		jz	short loc_5A57D0
		outsb
		outsd
		ja	short near ptr loc_5A57F6+1
		inc	ebp
		outsb
		jz	short loc_5A57FF
		jns	short near ptr loc_5A57AD+2
		cmp	al, 3Dh

loc_5A5791:				; CODE XREF: .text:005A572Fj
		and	[ebp+6Eh], al

loc_5A5794:				; CODE XREF: .text:005A5766j
		jz	short loc_5A5808
		jns	short near ptr loc_5A57C0+1
		add	ah, cl

??_C@_0BK@FMFPHHEG@?$CIUCRBlock?9?$DOSize?5?$DO?$DN?5?$CKSize?$CJ@FNODOBFM@:
					; DATA XREF: RtlpFindAndCommitPages(x,x)+3Co
		sub	[ebp+43h], dl
		push	edx
		inc	edx
		insb
		outsd
		arpl	[ebx+2Dh], bp
		db	3Eh
		push	ebx
		imul	edi, [edx+65h],	203D3E20h

loc_5A57AD:				; CODE XREF: .text:005A578Dj
		sub	dl, [ebx+69h]
		jp	short loc_5A5817
		sub	[eax], eax

??_C@_0HE@LDFLNCMG@?$CI?$CIFreeBlock?9?$DOFlags?5?$CG?5HEAP_ENTRY@FNODOBFM@:
					; DATA XREF: RtlpInsertFreeBlock(x,x,x)+4Ao
		sub	[eax], ch
		inc	esi
		jb	short loc_5A581E
		db	65h
		inc	edx
		insb
		outsd

loc_5A57BD:				; CODE XREF: .text:loc_5A5749j
		arpl	[ebx+2Dh], bp

loc_5A57C0:				; CODE XREF: .text:005A5796j
		db	3Eh
		inc	esi
		insb
		popa
		db	67h
		jnb	near ptr 57E7h
		and	es:[eax+45h], cl
		inc	ecx
		push	eax
		pop	edi
		inc	ebp
		dec	esi

loc_5A57D0:				; CODE XREF: .text:005A5783j
		push	esp
		push	edx
		pop	ecx
		pop	edi
		inc	esp
		inc	ebp
		inc	ebx
		dec	edi

loc_5A57D8:				; CODE XREF: .text:005A5764j
		dec	ebp
		dec	ebp
		dec	ecx
		push	esp
		push	esp
		inc	ebp
		inc	esp
		sub	[eax], esp
		jl	short near ptr loc_5A585E+1
		and	[eax], ch
		push	edx
		dec	edi
		push	ebp
		dec	esi
		inc	esp
		pop	edi
		push	ebp
		push	eax
		pop	edi
		push	esp
		dec	edi
		pop	edi
		push	eax
		dec	edi
		push	edi
		inc	ebp
		push	edx

loc_5A57F6:				; CODE XREF: .text:005A5787j
		xor	ch, [eax]
		inc	esi
		jb	short near ptr loc_5A585E+2
		db	65h
		inc	edx
		insb
		outsd

loc_5A57FF:				; CODE XREF: .text:005A578Bj
		arpl	[ebx+2Ch], bp
		and	[eax+41h], dl
		inc	edi
		inc	ebp
		pop	edi

loc_5A5808:				; CODE XREF: .text:loc_5A5794j
		push	ebx
		dec	ecx
		pop	edx
		inc	ebp
		sub	[eax], esp
		cmp	eax, 5528203Dh
		dec	esp
		dec	edi
		dec	esi
		inc	edi

loc_5A5817:				; CODE XREF: .text:005A57B0j
		pop	edi
		push	eax
		push	esp
		push	edx
		sub	[esi+72h], eax

loc_5A581E:				; CODE XREF: .text:005A57B7j
		db	65h, 65h
		inc	edx
		insb
		outsd
		arpl	[ebx+29h], bp
		sub	[eax], eax

??_C@_0EB@EODAOBJI@ROUND_UP_TO_POWER2?$CIFreeBlock?0?5P@FNODOBFM@:
					; DATA XREF: RtlpInsertFreeBlock(x,x,x)+24Fo
		push	edx
		dec	edi
		push	ebp
		dec	esi
		inc	esp
		pop	edi
		push	ebp
		push	eax
		pop	edi
		push	esp
		dec	edi
		pop	edi
		push	eax
		dec	edi
		push	edi
		inc	ebp
		push	edx
		xor	ch, [eax]
		inc	esi
		jb	short near ptr loc_5A589F+4
		db	65h
		inc	edx
		insb
		outsd
		arpl	[ebx+2Ch], bp
		and	[eax+41h], dl
		inc	edi
		inc	ebp
		pop	edi
		push	ebx
		dec	ecx
		pop	edx
		inc	ebp
		sub	[eax], esp
		cmp	eax, 5528203Dh
		dec	esp
		dec	edi
		dec	esi
		inc	edi
		pop	edi
		push	eax
		push	esp
		push	edx

loc_5A585E:				; CODE XREF: .text:005A57E1j
					; .text:005A57F9j
		sub	[esi+72h], eax
		db	65h, 65h
		inc	edx
		insb
		outsd
		arpl	[ebx+0], bp
		int	3		; Trap to Debugger

??_C@_05PBFMPBMC@ffff?3@FNODOBFM@:	; DATA XREF: RtlIpv6AddressToStringW+81C85o
					; RtlIpv6AddressToStringA(x,x)+6Do
		db	66h, 66h, 66h, 66h
		cmp	al, [eax]

??_C@_0BB@JMMKNFHP@?3?3?$CFhs?$CFu?4?$CFu?4?$CFu?4?$CFu@FNODOBFM@:
					; DATA XREF: RtlIpv6AddressToStringA(x,x)+90o
		cmp	bh, [edx]
		and	eax, 75257368h
		db	2Eh
		and	eax, 75252E75h

loc_5A587D:				; DATA XREF: RtlIpv6AddressToStringA(x,x)+1E6o
		db	2Eh
		and	eax, 3ACC0075h
		and	eax, 75252E75h
		db	2Eh
		and	eax, 75252E75h
		add	ah, cl

??_C@_04MLNOPOCC@?$CF?$CF?$CFu@FNODOBFM@:
					; DATA XREF: RtlIpv6AddressToStringExA(x,x,x,x,x)+66o
		and	eax, 752525h
		int	3		; Trap to Debugger

??_C@_04KAGBCOF@?$FN?3?$CFu@FNODOBFM@:	; DATA XREF: RtlIpv6AddressToStringExA(x,x,x,x,x)+89o
		pop	ebp

loc_5A5897:				; DATA XREF: RtlIpv4AddressToStringA(x,x)+1Bo
		cmp	ah, ds:25CC0075h
		jnz	short near ptr ??_C@_0BO@GHBLPFMO@?$CF02X?9?$CF02X?9?$CF02X?9?$CF02X?9?$CF02X?9?$CF02X@FNODOBFM@+1

loc_5A589F:				; CODE XREF: .text:005A583Cj
		and	eax, 75252E75h

loc_5A58A4:				; DATA XREF: RtlIpv6AddressToStringA(x,x)+CCo
		db	2Eh
		and	eax, 3A3A0075h
		db	66h, 66h, 66h, 66h
		cmp	dh, [eax]
		cmp	ah, ds:75252E75h
		db	2Eh
		and	eax, 75252E75h
		add	ah, cl

??_C@_02MOLJINC@?3?3@FNODOBFM@:		; DATA XREF: RtlIpv6AddressToStringA(x,x)+163o
		cmp	bh, [edx]
		add	ah, cl

??_C@_01JLIPDDHJ@?3@FNODOBFM@:		; DATA XREF: RtlIpv6AddressToStringA(x,x)+187o
		cmp	al, [eax]

??_C@_02NJNOFBBI@?$CFx@FNODOBFM@:	; DATA XREF: RtlIpv6AddressToStringA(x,x)+1A9o
					; RtlIpv4AddressToStringExA(x,x,x,x)+53o
		and	eax, 3ACC0078h
; 
		db 25h,	75h, 0
; 

??_C@_0BO@GHBLPFMO@?$CF02X?9?$CF02X?9?$CF02X?9?$CF02X?9?$CF02X?9?$CF02X@FNODOBFM@:
					; CODE XREF: .text:005A589Dj
					; DATA XREF: RtlEthernetAddressToStringA(x,x)+25o
		and	eax, 2D583230h
		and	eax, 2D583230h
		and	eax, 2D583230h
		and	eax, 2D583230h
		and	eax, 2D583230h
		and	eax, (offset loc_58322D+3)

??_C@_1CC@CLPLLKPB@?$AA?3?$AA?3?$AA?$CF?$AAh?$AAs?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF@FNODOBFM@:
					; DATA XREF: RtlIpv6AddressToStringW+81CA6o
		cmp	al, [eax]
		cmp	al, [eax]
		and	eax, 73006800h
		add	ds:2E007500h, ah
		add	ds:2E007500h, ah
		add	ds:2E007500h, ah
		add	large ds:7500h,	ah

loc_5A590B:				; DATA XREF: RtlIpv6AddressToStringW+81CCCo
		add	[edx], bh
		add	[edx], bh
		add	[esi+0], ah
		db	66h
		add	[esi+0], ah
		db	66h
		add	[edx], bh
		add	[eax], dh
		add	[edx], bh
		add	ds:2E007500h, ah
		add	ds:2E007500h, ah
		add	ds:2E007500h, ah
		add	large ds:7500h,	ah

loc_5A5935:				; DATA XREF: RtlIpv6AddressToStringW+116o
		add	[edx], bh
		add	[edx], bh
; 
		db 3 dup(0)
; 

??_C@_13EBCNDICG@?$AA?3@FNODOBFM@:	; DATA XREF: RtlIpv6AddressToStringW+8Eo
		cmp	al, [eax]
; 
		dw 0
; 

??_C@_1BI@IEJCOLMP@?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu@FNODOBFM@:
					; DATA XREF: RtlIpv4AddressToStringW(x,x)+1Fo
		and	eax, 2E007500h
		add	ds:2E007500h, ah
		add	ds:2E007500h, ah
		add	large ds:7500h,	ah

loc_5A5957:				; DATA XREF: RtlIpv4AddressToStringExW+81CF9o
		add	[edx], bh
		add	large ds:7500h,	ah

loc_5A595F:				; DATA XREF: RtlEthernetAddressToStringW(x,x)+29o
		add	ds:32003000h, ah
		add	[eax+0], bl
		sub	eax, 30002500h
		add	[edx], dh
		add	[eax+0], bl
		sub	eax, 30002500h
		add	[edx], dh
		add	[eax+0], bl
		sub	eax, 30002500h
		add	[edx], dh
		add	[eax+0], bl
		sub	eax, 30002500h
		add	[edx], dh
		add	[eax+0], bl
		sub	eax, 30002500h
		add	[edx], dh
		add	[eax+0], bl
; 
		dw 0
??_C@_15LHNHECKK@?$AA?$CF?$AAx@FNODOBFM@: ; DATA XREF: RtlIpv6AddressToStringW+B3o
		unicode	0, <%x>,0
; 

??_C@_1BK@ONFLBCMH@?$AA?3?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu@FNODOBFM@:
					; DATA XREF: RtlIpv6AddressToStringW+81D2Bo
		cmp	al, [eax]
		and	eax, 2E007500h
		add	ds:2E007500h, ah
		add	ds:2E007500h, ah
		add	large ds:7500h,	ah

loc_5A59BB:				; DATA XREF: RtlIpv6AddressToStringExW+81CE4o
		add	ds:25002500h, ah
		add	[ebp+0], dh
; 
		db 2 dup(0)
; 

??_C@_19EPBCBBOP@?$AA?$FN?$AA?3?$AA?$CF?$AAu@FNODOBFM@:
					; DATA XREF: RtlIpv6AddressToStringExW+81D0Ao
		pop	ebp
		add	[edx], bh
		add	large ds:7500h,	ah
; 
off_5A59CF	dd offset loc_6424FE+2	; DATA XREF: RtlpVerCompare+57o
		align 4

??_C@_1CA@KNFPKGEL@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAP?$AAK?$AAG?$AAH?$AAO?$AAS?$AAT?$AAI?$AAD@FNODOBFM@:
					; DATA XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+90o
		push	edi
		add	[ecx+0], cl
		dec	esi
		add	[edx], bh
		add	[edi], ch
		add	[edi], ch
		add	[eax+0], dl
		dec	ebx
		add	[edi+0], al
		dec	eax
		add	[edi+0], cl
		push	ebx
		add	[eax+eax+49h], dl
		add	[eax+eax+0], al
; 
		db 0
; wchar_t ??_C
??_C@_17JJNMJOBL@?$AA?$CF?$AAw?$AAZ@FNODOBFM@: ; DATA XREF: RtlQueryPackageClaims+BBo
					; RtlQueryPackageClaims+FCo
		unicode	0, <%wZ>,0
; 

??_C@_1IO@MNHMIIKM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@:
					; DATA XREF: .data:006B369Co
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[esi+0], dl
		popa
		add	[eax+eax+69h], ch
		add	[eax+eax+61h], ah
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[edx+0], dl
		jnz	short $+2
		outsb
		add	[eax+eax+65h], ch
		add	[esi+0], dh
		add	gs:[eax+eax+73h], ch
; 
		db 0
		db 2 dup(0)
??_C@_0EC@DNEJJGPP@Trace?5database?3?5failing?5attempt@FNODOBFM@ db 'Trace database: failing attempt to save biiiiig trace (size %u) ',0Ah
					; DATA XREF: RtlpTraceDatabaseInternalAdd(x,x,x,x)+CCo
		db 0
??_C@_0EM@FJLCOGDC@RtlpGetBitState?$CILookupTable?0?5?$CIU@FNODOBFM@ db	'RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->B'
					; DATA XREF: RtlpPopulateListIndex(x,x):loc_66A5ADo
		db 'aseIndex))',0
??_C@_0CO@HBNLODKA@?$CIROUND_UP_TO_POWER2?$CISize?0?5PAGE_@FNODOBFM@ db	'(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)',0
					; DATA XREF: RtlpFindUCREntry(x,x)+1Bo
??_C@_1CE@CHNBNALE@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAN?$AAO?$AAA?$AAL?$AAL?$AAA?$AAP?$AAP?$AAP@FNODOBFM@ dd offset loc_490057
					; DATA XREF: SepCanTokenMatchAllPackageSid+7Do
					; SepSetTokenAllApplicationPackagesPolicy(x,x)+1Co
		dw 4Eh
aNoallapppkg:
		unicode	0, <://NOALLAPPPKG>,0
; 

??_C@_1BG@LOFAHIAF@?$AAP?$AAe?$AAr?$AAm?$AAi?$AAs?$AAs?$AAi?$AAv?$AAe@FNODOBFM@:
					; DATA XREF: SeLogAccessFailure+D5A0Fo
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		insd
		add	[ecx+0], ch
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 650076h
; 
		dw 0
; 

??_C@_1BE@DINJNKOJ@?$AAA?$AAd?$AAm?$AAi?$AAn?$AAl?$AAe?$AAs?$AAs@FNODOBFM@:
					; DATA XREF: SeLogAccessFailure+D59ECo
		inc	ecx
		add	[eax+eax+6Dh], ah
		add	[ecx+0], ch
		outsb
		add	[eax+eax+65h], ch
		add	[ebx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CK@ICJDEGKO@?$AAA?$AAd?$AAm?$AAi?$AAn?$AAl?$AAe?$AAs?$AAs?$AA?5?$AAP?$AAe?$AAr?$AAm?$AAi@FNODOBFM@:
					; DATA XREF: SeLogAccessFailure+D5A08o
		inc	ecx
		add	[eax+eax+6Dh], ah
		add	[ecx+0], ch
		outsb
		add	[eax+eax+65h], ch
		add	[ebx+0], dh
		jnb	short $+2
		and	[eax], al
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		insd
		add	[ecx+0], ch
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 650076h
; 
		db 2 dup(0)
; 

??_C@_1O@PFKKKDLL@?$AAN?$AAo?$AAr?$AAm?$AAa?$AAl@FNODOBFM@:
					; DATA XREF: SeLogAccessFailure+D59F3o
		dec	esi
		add	[edi+0], ch
		jb	short $+2
		insd
		add	[ecx+0], ah
		insb
; 
		db 3 dup(0)
; 

??_C@_0BL@PEIKBMNL@?6Token?5number?50x?$CFx?5?$DN?50x?$CFp?6@FNODOBFM@:
					; DATA XREF: SepCreateTokenEx+D5172o
		or	dl, [edi+ebp*2+6Bh]
		outs	dx, byte ptr gs:[esi]
		and	[esi+75h], ch
		insd
		bound	esp, [ebp+72h]
		and	[eax], dh
		js	short loc_5A5C02
		js	short loc_5A5BFF
		cmp	eax, 25783020h
		jo	short loc_5A5BF0
		add	ah, cl
; 
??_C@_1KC@MMLCOCMI@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@ dd offset loc_52005B+1
					; DATA XREF: SepBuildCapPolicyTable+2Eo
; 
		add	gs:[edi+0], ah

loc_5A5BF0:				; CODE XREF: .text:005A5BE4j
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa

loc_5A5BFF:				; CODE XREF: .text:005A5BDDj
		add	[ebx+0], ah

loc_5A5C02:				; CODE XREF: .text:005A5BDBj
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+eax+73h], cl
		add	[ecx+0], ah
		pop	esp
		add	[ebx+0], al
		add	gs:[esi+0], ch
		jz	short $+2
		jb	short $+2
		popa
		add	[eax+eax+69h], ch
		add	[edx+0], bh
		add	gs:[eax+eax+41h], ah
		add	[ebx+0], ah
		arpl	[eax], ax
		add	gs:[ebx+0], dh
		jnb	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 730065h
; 
off_5A5C88	dd offset loc_5BFFFF+1	; DATA XREF: SepBuildCapPolicyTable+6Co
		dd offset loc_650052
		dd offset loc_690066+1
aStryMachineS_2:
		unicode	0, <stry\Machine\System\CurrentControlSet\Control\Lsa\Central>
		unicode	0, <izedAccessPolicies\CAPs>,0
??_C@_1KO@LFEDCLJF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@ dd offset loc_52005B+1
					; DATA XREF: SepBuildCapPolicyTable+57o
		dd offset loc_670065
		dw 69h
aStryMachineS_3:
		unicode	0, <stry\Machine\System\CurrentControlSet\Control\Lsa\Central>
		unicode	0, <izedAccessPolicies\CAPEs>,0
; 

??_C@_1BO@NOPLGFGL@?$AAM?$AAe?$AAm?$AAC?$AAo?$AAm?$AAp?$AAr?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn@FNODOBFM@:
					; DATA XREF: .data:006B233Co
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[ebx+0], al
		outsd
		add	[ebp+0], ch
		jo	short $+2
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1M@POLHGOIG@?$AA?$CG?$AAV?$AAe?$AAn?$AA_@FNODOBFM@:
					; DATA XREF: SmUniqueIdParseProductName(x,x,x)+Do
		add	es:[esi+0], dl
		add	gs:[esi+0], ch
		pop	edi
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1O@NMOFFKFA@?$AA?$CG?$AAP?$AAr?$AAo?$AAd?$AA_@FNODOBFM@:
					; DATA XREF: SmUniqueIdParseProductName(x,x,x):loc_673897o
		add	es:[eax+0], dl
		jb	short $+2
		outsd
		add	[eax+eax+5Fh], ah
; 
		db 3 dup(0)
??_C@_1CA@KMFLJPPI@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAU?$AAn?$AAk?$AAn?$AAo?$AAw?$AAn@FNODOBFM@ dd offset loc_44005C
					; DATA XREF: SmKmEtwAppendObjectName(x,x)+26o
aEviceUnknown:
		unicode	0, <evice\Unknown>,0
??_C@_0BM@OPJPGACH@nt?$CBstore?5memory?5compression@FNODOBFM@ db 'nt!store memory compression',0
					; DATA XREF: SmPrepareForFatalHeapCorruption(x,x,x,x,x)+A9o
					; SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+1E8o
??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@FNODOBFM@:
					; DATA XREF: SmKmStoreTerminateWorker(x)+33Bo
		unicode	0, <(null)>,0
??_C@_13COJANIEC@?$AA0@FNODOBFM@ db '0',0
					; DATA XREF: SmKmSqmAddToStream(x,x,x,x,x):loc_6762C8o
off_5A5E68	dd offset loc_55FFFD+3	; DATA XREF: VfClearVerifierSettings()+7Co
aErifieroptions:
		unicode	0, <erifierOptions>,0
; 

; char ??_C
??_C@_0EN@LOCFEIO@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings()+12Do
		inc	esp
		jb	short near ptr loc_5A5EF5+1
		jbe	short ??_C@_0FF@EODOLEPB@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@
		jb	short near ptr loc_5A5EB0+1
		push	esi
		db	65h
		jb	short near ptr loc_5A5EFC+2
		imul	sp, [ebp+72h], 203Ah
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		db	64h, 65h
		insb
		db	65h
		jz	short near ptr loc_5A5F0F+1
		and	[esi+65h], dl
		jb	short near ptr loc_5A5F18+1

loc_5A5EB0:				; CODE XREF: .text:005A5E8Fj
		db	66h
		jns	short loc_5A5EF7
		jb	short near ptr loc_5A5F1A+4
		jbe	short near ptr loc_5A5F1A+2
		jb	short near ptr loc_5A5F2B+1
		and	[ebx+65h], ch
		jns	short loc_5A5EDE
		jbe	short loc_5A5F21
		insb
		jnz	short loc_5A5F28
		and	[edi+69h], dh
		jz	short loc_5A5F30
		and	[ebx+74h], dh
		popa
		jz	short near ptr loc_5A5F42+1
		jnb	short near ptr loc_5A5F07+3
		and	[eax], dh
		js	short loc_5A5EF9
		js	short near ptr loc_5A5EDE+2
		add	ah, cl

??_C@_1BM@JKLADBPD@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings():loc_677122o
		push	esi
		add	[ebp+0], ah
		jb	short $+2

loc_5A5EDE:				; CODE XREF: .text:005A5EBCj
					; .text:005A5ED4j
		imul	eax, [eax], 790066h
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		jnb	short $+2
; 
		dw 0
; 

; char ??_C
??_C@_0FF@EODOLEPB@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@:
					; CODE XREF: .text:005A5E8Dj
					; DATA XREF: VfClearVerifierSettings()+15Co
		inc	esp

loc_5A5EF5:				; CODE XREF: .text:005A5E8Bj
		jb	short near ptr loc_5A5F5F+1

loc_5A5EF7:				; CODE XREF: .text:loc_5A5EB0j
		jbe	short loc_5A5F5E

loc_5A5EF9:				; CODE XREF: .text:005A5ED2j
		jb	short near ptr loc_5A5F1A+1
		push	esi

loc_5A5EFC:				; CODE XREF: .text:005A5E92j
		db	65h
		jb	short near ptr loc_5A5F67+1
		imul	sp, [ebp+72h], 203Ah
		inc	esi
		popa

loc_5A5F07:				; CODE XREF: .text:005A5ECEj
		imul	ebp, [ebp+64h],	206F7420h

loc_5A5F0F:				; CODE XREF: .text:005A5EA8j
		db	64h, 65h
		insb
		db	65h
		jz	short near ptr loc_5A5F79+1
		and	[esi+65h], dl

loc_5A5F18:				; CODE XREF: .text:005A5EAEj
		jb	short near ptr loc_5A5F81+2

loc_5A5F1A:				; CODE XREF: .text:loc_5A5EF9j
					; .text:005A5EB5j ...
		imul	sp, [ebp+72h], 6152h
		outsb

loc_5A5F21:				; CODE XREF: .text:005A5EBEj
		outs	dx, dword ptr fs:[esi]
		insd
		push	esp
		popa
		jb	short near ptr loc_5A5F89+6

loc_5A5F28:				; CODE XREF: .text:005A5EC1j
		db	65h
		jz	short near ptr loc_5A5F9C+2

loc_5A5F2B:				; CODE XREF: .text:005A5EB7j
		and	[ebx+65h], ch
		jns	short loc_5A5F50

loc_5A5F30:				; CODE XREF: .text:005A5EC6j
		jbe	short near ptr loc_5A5F91+2
		insb
		jnz	short loc_5A5F9A
		and	[edi+69h], dh
		jz	short near ptr loc_5A5FA1+1
		and	[ebx+74h], dh
		popa
		jz	short near ptr loc_5A5FB3+2
		jnb	short near ptr loc_5A5F7B+1

loc_5A5F42:				; CODE XREF: .text:005A5ECCj
		and	[eax], dh
		js	short near ptr loc_5A5F6A+1
		js	short near ptr loc_5A5F50+2
		add	ah, cl

??_C@_1CM@JGABLCCH@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAR?$AAa?$AAn?$AAd?$AAo?$AAm?$AAT@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings():loc_677151o
		push	esi
		add	[ebp+0], ah
		jb	short $+2

loc_5A5F50:				; CODE XREF: .text:005A5F2Ej
					; .text:005A5F46j
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		push	edx
		add	[ecx+0], ah

loc_5A5F5E:				; CODE XREF: .text:loc_5A5EF7j
		outsb

loc_5A5F5F:				; CODE XREF: .text:loc_5A5EF5j
		add	[eax+eax+6Fh], ah
		add	[ebp+0], ch
		push	esp

loc_5A5F67:				; CODE XREF: .text:loc_5A5EFCj
		add	[ecx+0], ah

loc_5A5F6A:				; CODE XREF: .text:005A5F44j
		jb	short $+2
		add	[di+0],	ah
		jz	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

; char ??_C
??_C@_0FB@KHOJFBKG@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings()+CFo
		inc	esp
		jb	short near ptr loc_5A5FE1+1

loc_5A5F79:				; CODE XREF: .text:005A5F12j
		jbe	short loc_5A5FE0

loc_5A5F7B:				; CODE XREF: .text:005A5F40j
		jb	short near ptr loc_5A5F9C+1
		push	esi
		db	65h
		jb	short near ptr loc_5A5FE6+4

loc_5A5F81:				; CODE XREF: .text:loc_5A5F18j
		imul	sp, [ebp+72h], 203Ah
		inc	esi
		popa

loc_5A5F89:				; CODE XREF: .text:005A5F26j
		imul	ebp, [ebp+64h],	206F7420h

loc_5A5F91:				; CODE XREF: .text:loc_5A5F30j
		db	64h, 65h
		insb
		db	65h
		jz	short near ptr loc_5A5FF7+5
		and	[esi+65h], dl

loc_5A5F9A:				; CODE XREF: .text:005A5F33j
		jb	short near ptr loc_5A5FFF+6

loc_5A5F9C:				; CODE XREF: .text:loc_5A5F7Bj
					; .text:loc_5A5F28j
		db	66h
		jns	short near ptr loc_5A5FE1+2
		jb	short loc_5A600A

loc_5A5FA1:				; CODE XREF: .text:005A5F38j
		jbe	short near ptr loc_5A6007+1
		jb	short loc_5A5FF1
		db	65h
		jbe	short loc_5A600D
		insb
		and	[ebx+65h], ch
		jns	short loc_5A5FCE
		jbe	short loc_5A6011
		insb
		jnz	short near ptr loc_5A6017+1

loc_5A5FB3:				; CODE XREF: .text:005A5F3Ej
		and	[edi+69h], dh
		jz	short loc_5A6020
		and	[ebx+74h], dh
		popa
		jz	short near ptr loc_5A6032+1
		jnb	short near ptr loc_5A5FF7+3
		and	[eax], dh
		js	short near ptr loc_5A5FE6+3
		js	short near ptr loc_5A5FCE+2
		add	ah, cl

??_C@_1CE@OMAJLJIP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAL?$AAe?$AAv@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings()+A7o
		push	esi
		add	[ebp+0], ah
		jb	short $+2

loc_5A5FCE:				; CODE XREF: .text:005A5FACj
					; .text:005A5FC4j
		imul	eax, [eax], 790066h
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2

loc_5A5FE0:				; CODE XREF: .text:loc_5A5F79j
		dec	esp

loc_5A5FE1:				; CODE XREF: .text:005A5F77j
					; .text:loc_5A5F9Cj
		add	[ebp+0], ah
		jbe	short $+2

loc_5A5FE6:				; CODE XREF: .text:005A5FC2j
					; .text:005A5F7Ej
		add	gs:[eax+eax+0],	ch
; 
		db 0
; 

; char ??_C
??_C@_0EL@LIJEAGMD@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings()+FEo
		inc	esp
		jb	short near ptr loc_5A6057+1
		jbe	short loc_5A6056

loc_5A5FF1:				; CODE XREF: .text:005A5FA3j
		jb	short loc_5A6013
		push	esi
		db	65h
		jb	short near ptr byte_5A6060

loc_5A5FF7:				; CODE XREF: .text:005A5FBEj
					; .text:005A5F94j
		imul	sp, [ebp+72h], 203Ah
		inc	esi
		popa

loc_5A5FFF:				; CODE XREF: .text:loc_5A5F9Aj
		imul	ebp, [ebp+64h],	206F7420h

loc_5A6007:				; CODE XREF: .text:loc_5A5FA1j
		db	64h, 65h
		insb

loc_5A600A:				; CODE XREF: .text:005A5F9Fj
		db	65h
		jz	short near ptr loc_5A606D+5

loc_5A600D:				; CODE XREF: .text:005A5FA5j
		and	[edx+75h], dl
		insb

loc_5A6011:				; CODE XREF: .text:005A5FAEj
		db	65h
		inc	ebx

loc_5A6013:				; CODE XREF: .text:loc_5A5FF1j
		insb
		popa
		jnb	short near ptr loc_5A6088+2

loc_5A6017:				; CODE XREF: .text:005A5FB1j
		db	65h
		jnb	short near ptr loc_5A6039+1
		imul	esp, [ebp+79h],	20h
		jbe	short near ptr loc_5A6080+1

loc_5A6020:				; CODE XREF: .text:005A5FB6j
		insb
		jnz	short loc_5A6088
		and	[edi+69h], dh
		jz	short near ptr loc_5A608E+2
		and	[ebx+74h], dh
		popa
		jz	short loc_5A60A3
		jnb	short loc_5A606A
		and	[eax], dh

loc_5A6032:				; CODE XREF: .text:005A5FBCj
		js	short near ptr loc_5A6057+2
		js	short near ptr loc_5A603E+2
		add	ah, cl

??_C@_1CK@MAPACCND@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAS?$AAe?$AAt?$AAt?$AAi?$AAn?$AAg@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings():loc_6770F3o
		push	esi

loc_5A6039:				; CODE XREF: .text:loc_5A6017j
		add	[ebp+0], ah
		jb	short $+2

loc_5A603E:				; CODE XREF: .text:005A6034j
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		push	ebx
		add	[ebp+0], ah
		jz	short $+2
		jz	short $+2
		imul	eax, [eax], 67006Eh

loc_5A6056:				; CODE XREF: .text:005A5FEFj
		push	ebx

loc_5A6057:				; CODE XREF: .text:005A5FEDj
					; .text:loc_5A6032j
		add	[eax+eax+61h], dh
		add	[eax+eax+65h], dh
; 
		db 0
byte_5A6060	db 2 dup(0)		; CODE XREF: .text:005A5FF4j
; 

; char ??_C
??_C@_0FF@BIPCHIHK@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings()+1F2o
		inc	esp
		jb	short near ptr loc_5A60CC+2
		jbe	short loc_5A60CC
		jb	short near ptr loc_5A6088+1
		push	esi

loc_5A606A:				; CODE XREF: .text:005A602Ej
		db	65h
		jb	short loc_5A60D6

loc_5A606D:				; CODE XREF: .text:loc_5A600Aj
		imul	sp, [ebp+72h], 203Ah
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		db	64h, 65h
		insb

loc_5A6080:				; CODE XREF: .text:005A601Ej
		db	65h
		jz	short near ptr loc_5A60E7+1
		and	[esi+65h], dl
		jb	short near ptr loc_5A60EF+2

loc_5A6088:				; CODE XREF: .text:005A6021j
					; .text:005A6067j ...
		imul	sp, [ebp+72h], 7254h

loc_5A608E:				; CODE XREF: .text:005A6026j
		imul	esp, [ecx+67h],	6E6F4365h
		jz	short near ptr loc_5A60F7+5
		js	short loc_5A610D
		and	[ebx+65h], ch
		jns	short loc_5A60BE
		jbe	short near ptr loc_5A60FF+2
		insb
		jnz	short loc_5A6108

loc_5A60A3:				; CODE XREF: .text:005A602Cj
		and	[edi+69h], dh
		jz	short near ptr loc_5A610F+1
		and	[ebx+74h], dh
		popa
		jz	short loc_5A6123
		jnb	short near ptr loc_5A60E9+1
		and	[eax], dh
		js	short near ptr loc_5A60D7+2
		js	short near ptr loc_5A60BE+2
		add	ah, cl

??_C@_1CM@MEHIEDNP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAr?$AAi?$AAa?$AAg?$AAe?$AAC@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings():loc_6771E7o
		push	esi
		add	[ebp+0], ah
		jb	short $+2

loc_5A60BE:				; CODE XREF: .text:005A609Cj
					; .text:005A60B4j
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		push	esp
		add	[edx+0], dh

loc_5A60CC:				; CODE XREF: .text:005A6065j
					; .text:005A6063j
		imul	eax, [eax], 670061h
		add	gs:[ebx+0], al

loc_5A60D6:				; CODE XREF: .text:loc_5A606Aj
		outsd

loc_5A60D7:				; CODE XREF: .text:005A60B2j
		add	[esi+0], ch
		jz	short $+2
		add	gs:[eax+0], bh
		jz	short $+2
; 
		dw 0
; 

; char ??_C
??_C@_0FF@KGKKPAEN@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings()+22Ao
		inc	esp
		jb	short loc_5A6150

loc_5A60E7:				; CODE XREF: .text:loc_5A6080j
		jbe	short near ptr loc_5A614A+4

loc_5A60E9:				; CODE XREF: .text:005A60AEj
		jb	short near ptr loc_5A610A+1
		push	esi
		db	65h
		jb	short loc_5A6158

loc_5A60EF:				; CODE XREF: .text:005A6086j
		imul	sp, [ebp+72h], 203Ah
		inc	esi
		popa

loc_5A60F7:				; CODE XREF: .text:005A6095j
		imul	ebp, [ebp+64h],	206F7420h

loc_5A60FF:				; CODE XREF: .text:005A609Ej
		db	64h, 65h
		insb
		db	65h
		jz	short near ptr loc_5A6169+1
		and	[esi+65h], dl

loc_5A6108:				; CODE XREF: .text:005A60A1j
		jb	short near ptr loc_5A6171+2

loc_5A610A:				; CODE XREF: .text:loc_5A60E9j
		db	66h
		jns	short near ptr loc_5A6150+1

loc_5A610D:				; CODE XREF: .text:005A6097j
		jb	short loc_5A6178

loc_5A610F:				; CODE XREF: .text:005A60A6j
		jbe	short near ptr loc_5A6171+5
		jb	short near ptr loc_5A6184+2
		push	ebx
		jnz	short near ptr loc_5A6184+2
		jo	short loc_5A618A
		db	65h
		jnb	short near ptr loc_5A618C+2
		and	[ebx+65h], ch
		jns	short loc_5A6140
		jbe	short near ptr loc_5A6181+2
		insb

loc_5A6123:				; CODE XREF: .text:005A60ACj
		jnz	short loc_5A618A
		and	[edi+69h], dh
		jz	short near ptr loc_5A618F+3
		and	[ebx+74h], dh
		popa
		jz	short near ptr loc_5A61A4+1
		jnb	short near ptr loc_5A616B+1
		and	[eax], dh
		js	short near ptr loc_5A615A+1
		js	short near ptr loc_5A6140+2
		add	ah, cl

??_C@_1CM@FCKBPIFI@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs?$AAS?$AAu@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings()+207o
		push	esi
		add	[ebp+0], ah
		jb	short $+2

loc_5A6140:				; CODE XREF: .text:005A611Ej
					; .text:005A6136j
		imul	eax, [eax], 790066h
		inc	esp
		add	[edx+0], dh

loc_5A614A:				; CODE XREF: .text:loc_5A60E7j
		imul	eax, [eax], 650076h

loc_5A6150:				; CODE XREF: .text:005A60E5j
					; .text:loc_5A610Aj
		jb	short $+2
		jnb	short $+2
		push	ebx
		add	[ebp+0], dh

loc_5A6158:				; CODE XREF: .text:005A60ECj
		jo	short $+2

loc_5A615A:				; CODE XREF: .text:005A6134j
		jo	short $+2
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
; 
		db 2 dup(0)
; 

; char ??_C
??_C@_0FC@NKFHKLGM@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings()+194o
		inc	esp
		jb	short loc_5A61D2

loc_5A6169:				; CODE XREF: .text:005A6102j
		jbe	short near ptr loc_5A61CF+1

loc_5A616B:				; CODE XREF: .text:005A6130j
		jb	short near ptr loc_5A618C+1
		push	esi
		db	65h
		jb	short loc_5A61DA

loc_5A6171:				; CODE XREF: .text:loc_5A6108j
					; .text:loc_5A610Fj
		imul	sp, [ebp+72h], 203Ah
		inc	esi

loc_5A6178:				; CODE XREF: .text:loc_5A610Dj
		popa
		imul	ebp, [ebp+64h],	206F7420h

loc_5A6181:				; CODE XREF: .text:005A6120j
		db	64h, 65h
		insb

loc_5A6184:				; CODE XREF: .text:005A6111j
					; .text:005A6114j
		db	65h
		jz	short near ptr loc_5A61E9+3
		and	[eax+64h], bl

loc_5A618A:				; CODE XREF: .text:005A6116j
					; .text:loc_5A6123j
		jbe	short near ptr loc_5A61E1+1

loc_5A618C:				; CODE XREF: .text:loc_5A616Bj
					; .text:005A6118j
		db	65h
		jb	short near ptr loc_5A61F1+7

loc_5A618F:				; CODE XREF: .text:005A6128j
		imul	sp, [ebp+72h], 704Fh
		jz	short near ptr loc_5A61FF+1
		outsd
		outsb
		jnb	short near ptr loc_5A61BA+1
		imul	esp, [ebp+79h],	20h
		jbe	short loc_5A6202
		insb
		jnz	short near ptr loc_5A6207+2

loc_5A61A4:				; CODE XREF: .text:005A612Ej
		and	[edi+69h], dh
		jz	short near ptr loc_5A6210+1
		and	[ebx+74h], dh
		popa
		jz	short near ptr loc_5A6222+2
		jnb	short near ptr loc_5A61E9+2
		and	[eax], dh
		js	short loc_5A61DA
		js	short near ptr loc_5A61BF+2

loc_5A61B7:				; DATA XREF: VfClearVerifierSettings()+171o
		add	[eax+0], bl

loc_5A61BA:				; CODE XREF: .text:005A6199j
		add	fs:[esi+0], dh
		push	esi

loc_5A61BF:				; CODE XREF: .text:005A61B5j
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		dec	edi

loc_5A61CF:				; CODE XREF: .text:loc_5A6169j
		add	[eax+0], dh

loc_5A61D2:				; CODE XREF: .text:005A6167j
		jz	short $+2
		imul	eax, [eax], 6E006Fh

loc_5A61DA:				; CODE XREF: .text:005A616Ej
					; .text:005A61B3j
		jnb	short $+2
; 
		db 2 dup(0)
; 

; char ??_C
??_C@_0FI@OBNEOIHB@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings()+1C3o
		inc	esp
		jb	short loc_5A624A

loc_5A61E1:				; CODE XREF: .text:loc_5A618Aj
		jbe	short near ptr loc_5A6244+4
		jb	short near ptr loc_5A6204+1
		push	esi
		db	65h
		jb	short near ptr loc_5A6251+1

loc_5A61E9:				; CODE XREF: .text:005A61AFj
					; .text:loc_5A6184j
		imul	sp, [ebp+72h], 203Ah
		inc	esi
		popa

loc_5A61F1:				; CODE XREF: .text:loc_5A618Cj
		imul	ebp, [ebp+64h],	206F7420h
		db	64h, 65h
		insb
		db	65h
		jz	short near ptr loc_5A6261+3

loc_5A61FF:				; CODE XREF: .text:005A6195j
		and	[esi+72h], dl

loc_5A6202:				; CODE XREF: .text:005A619Fj
		push	ax

loc_5A6204:				; CODE XREF: .text:005A61E3j
		db	65h
		jb	short loc_5A627A

loc_5A6207:				; CODE XREF: .text:005A61A2j
		imul	esi, [ebx+74h],	6F726854h
		jnz	short near ptr loc_5A6273+4

loc_5A6210:				; CODE XREF: .text:005A61A7j
		push	72677055h
		popa
		db	64h
		and	gs:[ebx+65h], ch
		jns	short near ptr loc_5A623A+3
		jbe	short near ptr loc_5A627B+5
		insb
		jnz	short near ptr loc_5A6286+1

loc_5A6222:				; CODE XREF: .text:005A61ADj
		and	[edi+69h], dh
		jz	short near ptr loc_5A628E+1
		and	[ebx+74h], dh
		popa
		jz	short loc_5A62A2
		jnb	short loc_5A6269
		and	[eax], dh
		js	short loc_5A6258
		js	short near ptr loc_5A623E+1

loc_5A6235:				; DATA XREF: VfClearVerifierSettings():loc_6771B8o
		add	[esi+0], dl
		jb	short $+2

loc_5A623A:				; CODE XREF: .text:005A621Bj
		db	66h
		add	[eax+0], dl

loc_5A623E:				; CODE XREF: .text:005A6233j
		add	gs:[edx+0], dh
		jnb	short $+2

loc_5A6244:				; CODE XREF: .text:loc_5A61E1j
		imul	eax, [eax], 740073h

loc_5A624A:				; CODE XREF: .text:005A61DFj
		push	esp
		add	[eax+0], ch
		jb	short $+2
		outsd

loc_5A6251:				; CODE XREF: .text:005A61E6j
		add	[ebp+0], dh
		add	[bx+si+0], ch

loc_5A6258:				; CODE XREF: .text:005A6231j
		push	ebp
		add	[eax+0], dh
		add	[bp+si+0], dh
		popa

loc_5A6261:				; CODE XREF: .text:005A61FCj
		add	[eax+eax+65h], ah
; 
		db 3 dup(0)
; 

; char ??_C
??_C@_0FF@ODGMKIGJ@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings()+2B7o
		inc	esp

loc_5A6269:				; CODE XREF: .text:005A622Dj
		jb	short loc_5A62D4
		jbe	short loc_5A62D2
		jb	short near ptr loc_5A628E+1
		push	esi
		db	65h
		jb	short loc_5A62DC

loc_5A6273:				; CODE XREF: .text:005A620Ej
		imul	sp, [ebp+72h], 203Ah
		inc	esi

loc_5A627A:				; CODE XREF: .text:loc_5A6204j
		popa

loc_5A627B:				; CODE XREF: .text:005A621Dj
		imul	ebp, [ebp+64h],	206F7420h
		db	64h, 65h
		insb

loc_5A6286:				; CODE XREF: .text:005A6220j
		db	65h
		jz	short near ptr ??_C@_0FE@MHHNNDFG@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@+4
		and	[esi+65h], dl
		jb	short near ptr ??_C@_0FE@MHHNNDFG@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@+0Dh

loc_5A628E:				; CODE XREF: .text:005A6225j
					; .text:005A626Dj
		imul	sp, [ebp+72h], 6954h
		jo	short near ptr byte_5A62E9
		jo	short near ptr ??_C@_0FE@MHHNNDFG@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@+0Fh
		jb	short near ptr ??_C@_0FE@MHHNNDFG@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@+23h
		outs	dx, byte ptr gs:[esi]
		db	65h
		jnb	short near ptr ??_C@_0FE@MHHNNDFG@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@+28h
		and	[ebx+65h], ch

loc_5A62A2:				; CODE XREF: .text:005A622Bj
		jns	short loc_5A62C4
		jbe	short near ptr ??_C@_0FE@MHHNNDFG@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@+1Dh
		insb
		jnz	short near ptr ??_C@_0FE@MHHNNDFG@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@+24h
		and	[edi+69h], dh
		jz	short near ptr ??_C@_0FE@MHHNNDFG@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@+2Ch
		and	[ebx+74h], dh
		popa
		jz	short near ptr ??_C@_0FE@MHHNNDFG@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@+3Fh
		jnb	short near ptr ??_C@_0FE@MHHNNDFG@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@+6
		and	[eax], dh
		js	short near ptr loc_5A62DE+1
		js	short near ptr loc_5A62C4+2
		add	ah, cl

??_C@_1CM@EFDMDBJD@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAi?$AAp?$AAS?$AAp?$AAa?$AAr@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings():loc_6772ACo
		push	esi
		add	[ebp+0], ah
		jb	short $+2

loc_5A62C4:				; CODE XREF: .text:loc_5A62A2j
					; .text:005A62BAj
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		push	esp
		add	[ecx+0], ch

loc_5A62D2:				; CODE XREF: .text:005A626Bj
		jo	short $+2

loc_5A62D4:				; CODE XREF: .text:loc_5A6269j
		push	ebx
		add	[eax+0], dh
		popa
		add	[edx+0], dh

loc_5A62DC:				; CODE XREF: .text:005A6270j
		jnb	short $+2

loc_5A62DE:				; CODE XREF: .text:005A62B8j
		add	gs:[esi+0], ch
		add	gs:[ebx+0], dh
		jnb	short $+2
; 
		db 0
byte_5A62E9	db 0			; CODE XREF: .text:005A6294j
; char ??_C[]
??_C@_0FE@MHHNNDFG@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@ db 'Driver Verifier: Failed to delete VerifierLwspPoolTags key value '
					; CODE XREF: .text:loc_5A6286j
					; .text:005A62B4j ...
		db 'with status: 0x%x',0Ah,0
; 

??_C@_1CK@KFCLOIKL@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAL?$AAw?$AAs?$AAp?$AAP?$AAo?$AAo@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings():loc_6772DBo
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		dec	esp
		add	[edi+0], dh
		jnb	short $+2
		jo	short $+2
		push	eax
		add	[edi+0], ch
		outsd
		add	[eax+eax+54h], ch
		add	[ecx+0], ah
		add	[bp+di+0], dh
; 
		dw 0
; 

; char ??_C
??_C@_0FJ@KFCCLHMP@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings()+259o
		inc	esp
		jb	short near ptr loc_5A63D3+1
		jbe	short loc_5A63D2
		jb	short near ptr loc_5A638E+1
		push	esi
		db	65h
		jb	short loc_5A63DC
		imul	sp, [ebp+72h], 203Ah
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		db	64h, 65h
		insb
		db	65h
		jz	short near ptr loc_5A63ED+1
		and	[esi+65h], dl
		jb	short loc_5A63F7

loc_5A638E:				; CODE XREF: .text:005A636Dj
		imul	sp, [ebp+72h], 6954h
		jo	short loc_5A63E2
		imul	ebp, [ebp+69h],	6D754E74h
		db	65h
		jb	short loc_5A6401
		jz	short loc_5A6411
		jb	short near ptr loc_5A63C3+1
		imul	esp, [ebp+79h],	20h
		jbe	short near ptr loc_5A6409+2
		insb
		jnz	short near ptr loc_5A6411+1
		and	[edi+69h], dh
		jz	short loc_5A641A
		and	[ebx+74h], dh
		popa
		jz	short loc_5A642D
		jnb	short near ptr byte_5A63F4
		and	[eax], dh
		js	short loc_5A63E3
		js	short near ptr loc_5A63C8+2
		add	ah, cl

??_C@_1DE@OKMGEIMP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAi?$AAp?$AAL?$AAi?$AAm?$AAi@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings():loc_67724Eo
		push	esi

loc_5A63C3:				; CODE XREF: .text:005A63A2j
		add	[ebp+0], ah
		jb	short $+2

loc_5A63C8:				; CODE XREF: .text:005A63BEj
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh

loc_5A63D2:				; CODE XREF: .text:005A636Bj
		push	esp

loc_5A63D3:				; CODE XREF: .text:005A6369j
		add	[ecx+0], ch
		jo	short $+2
		dec	esp
		add	[ecx+0], ch

loc_5A63DC:				; CODE XREF: .text:005A6370j
		insd
		add	[ecx+0], ch
		jz	short $+2

loc_5A63E2:				; CODE XREF: .text:005A6394j
		dec	esi

loc_5A63E3:				; CODE XREF: .text:005A63BCj
		add	[ebp+0], dh
		insd
		add	[ebp+0], ah
		jb	short $+2
		popa

loc_5A63ED:				; CODE XREF: .text:005A6386j
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
; 
byte_5A63F4	db 2 dup(0)		; CODE XREF: .text:005A63B8j
; 

; char ??_C
??_C@_0FL@FCAMDLPO@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings()+288o
		inc	esp

loc_5A63F7:				; CODE XREF: .text:005A638Cj
		jb	short loc_5A6462
		jbe	short near ptr loc_5A645E+2
		jb	short near ptr loc_5A641C+1
		push	esi
		db	65h
		jb	short near ptr loc_5A6469+1

loc_5A6401:				; CODE XREF: .text:005A639Dj
		imul	sp, [ebp+72h], 203Ah
		inc	esi
		popa

loc_5A6409:				; CODE XREF: .text:005A63A8j
		imul	ebp, [ebp+64h],	206F7420h

loc_5A6411:				; CODE XREF: .text:005A63A0j
					; .text:005A63ABj
		db	64h, 65h
		insb
		db	65h
		jz	short near ptr loc_5A647B+1
		and	[esi+65h], dl

loc_5A641A:				; CODE XREF: .text:005A63B0j
		jb	short loc_5A6485

loc_5A641C:				; CODE XREF: .text:005A63FBj
		imul	sp, [ebp+72h], 6954h
		jo	short loc_5A6470
		imul	ebp, [ebp+69h],	6E654474h
		outsd
		insd

loc_5A642D:				; CODE XREF: .text:005A63B6j
		imul	ebp, [esi+61h],	20726F74h
		imul	esp, [ebp+79h],	20h
		jbe	short loc_5A649B
		insb
		jnz	short near ptr loc_5A649D+5
		and	[edi+69h], dh
		jz	short loc_5A64AA
		and	[ebx+74h], dh
		popa
		jz	short loc_5A64BD
		jnb	short loc_5A6484
		and	[eax], dh
		js	short loc_5A6473
		js	short near ptr loc_5A6458+2
		add	ah, cl

??_C@_1DI@MPLMMFJA@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAi?$AAp?$AAL?$AAi?$AAm?$AAi@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings():loc_67727Do
		push	esi
		add	[ebp+0], ah
		jb	short $+2

loc_5A6458:				; CODE XREF: .text:005A644Ej
		imul	eax, [eax], 690066h

loc_5A645E:				; CODE XREF: .text:005A63F9j
		add	gs:[edx+0], dh

loc_5A6462:				; CODE XREF: .text:loc_5A63F7j
		push	esp
		add	[ecx+0], ch
		jo	short $+2
		dec	esp

loc_5A6469:				; CODE XREF: .text:005A63FEj
		add	[ecx+0], ch
		insd
		add	[ecx+0], ch

loc_5A6470:				; CODE XREF: .text:005A6422j
		jz	short $+2
		inc	esp

loc_5A6473:				; CODE XREF: .text:005A644Cj
		add	[ebp+0], ah
		outsb
		add	[edi+0], ch
		insd

loc_5A647B:				; CODE XREF: .text:005A6414j
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ah
		jz	short $+2

loc_5A6484:				; CODE XREF: .text:005A6448j
		outsd

loc_5A6485:				; CODE XREF: .text:loc_5A641Aj
		add	[edx+0], dh
; 
		db 2 dup(0)
; 

; char ??_C
??_C@_0GK@MKDMPILG@Driver?5Verifier?3?5Failed?5to?5set?5@FNODOBFM@:
					; DATA XREF: VfClearVerifierSettings()+310o
		inc	esp
		jb	short near ptr loc_5A64F5+1
		jbe	short ??_C@_0FK@HBFLDIIC@Driver?5Verifier?3?5Clearing?5Verif@FNODOBFM@
		jb	short near ptr loc_5A64AD+4
		push	esi
		db	65h
		jb	short near ptr loc_5A64FC+2
		imul	sp, [ebp+72h], 203Ah

loc_5A649B:				; CODE XREF: .text:005A6438j
		inc	esi
		popa

loc_5A649D:				; CODE XREF: .text:005A643Bj
		imul	ebp, [ebp+64h],	206F7420h
		jnb	short loc_5A650C
		jz	short loc_5A64C9
		push	esi

loc_5A64AA:				; CODE XREF: .text:005A6440j
		db	65h
		jb	short near ptr loc_5A6512+4

loc_5A64AD:				; CODE XREF: .text:005A648Fj
		imul	sp, [ebp+72h], 704Fh
		jz	short near ptr loc_5A651A+4
		outsd
		outsb
		inc	esi
		insb
		popa
		db	67h
		jnb	near ptr 64DDh

loc_5A64BD:				; CODE XREF: .text:005A6446j
		imul	esp, [ebp+79h],	20h
		jbe	short near ptr loc_5A6523+1
		insb
		jnz	short near ptr loc_5A6526+5
		and	[edi+69h], dh

loc_5A64C9:				; CODE XREF: .text:005A64A7j
		jz	short loc_5A6533
		and	[ebx+74h], dh
		popa
		jz	short near ptr loc_5A6545+1
		jnb	short near ptr loc_5A650C+1
		and	[eax], dh
		js	short loc_5A64FC
		js	short near ptr loc_5A64DC+7
		and	[edx+65h], dl

loc_5A64DC:				; CODE XREF: .text:005A64D7j
		imul	esi, [bp+di+74h], 75207972h
		jo	short near ptr loc_5A6549+1
		popa
		jz	short ??_C@_0GD@KMANJMFL@Driver?5Verifier?3?5Failed?5to?5open@FNODOBFM@
		jnb	short loc_5A650B
		popa
		bound	ebp, [edi+72h]
		jz	short loc_5A6556
		and	fs:[eax], eax

; char ??_C
??_C@_0FK@HBFLDIIC@Driver?5Verifier?3?5Clearing?5Verif@FNODOBFM@:
					; CODE XREF: .text:005A648Dj
					; DATA XREF: VfClearVerifierSettings()+303o
		inc	esp

loc_5A64F5:				; CODE XREF: .text:005A648Bj
		jb	short loc_5A6560
		jbe	short near ptr loc_5A6559+5
		jb	short near ptr loc_5A651A+1
		push	esi

loc_5A64FC:				; CODE XREF: .text:005A64D5j
					; .text:005A6492j
		db	65h
		jb	short near ptr loc_5A6561+7
		imul	sp, [ebp+72h], 203Ah
		inc	ebx
		insb
		db	65h
		popa
		jb	short loc_5A6574

loc_5A650B:				; CODE XREF: .text:005A64E9j
		outsb

loc_5A650C:				; CODE XREF: .text:005A64A5j
					; .text:005A64D1j
		and	[bp+65h], dl
		jb	short near ptr loc_5A6579+2

loc_5A6512:				; CODE XREF: .text:loc_5A64AAj
		imul	sp, [ebp+72h], 6F20h
		jo	short loc_5A658E

loc_5A651A:				; CODE XREF: .text:005A64F9j
					; .text:005A64B3j
		imul	ebp, [edi+6Eh],	72662073h
		outsd
		insd

loc_5A6523:				; CODE XREF: .text:005A64C1j
		and	[edx+65h], dl

loc_5A6526:				; CODE XREF: .text:005A64C4j
		imul	esi, [bp+di+74h], 66207972h
		outsd
		jb	short loc_5A6551
		jo	short near ptr loc_5A65A4+1

loc_5A6533:				; CODE XREF: .text:loc_5A64C9j
		db	65h
		jbe	short near ptr loc_5A6599+2
		outsb
		jz	short near ptr loc_5A65A1+1
		outsb
		and	[bp+si+65h], dh
		arpl	[ebp+72h], si
		jnb	short loc_5A65AC
		jbe	short near ptr loc_5A65A9+1

loc_5A6545:				; CODE XREF: .text:005A64CFj
		and	[ebx+72h], ah
		popa

loc_5A6549:				; CODE XREF: .text:005A64E4j
		jnb	short loc_5A65B3
		or	al, cs:[eax]

; char ??_C
??_C@_0GD@KMANJMFL@Driver?5Verifier?3?5Failed?5to?5open@FNODOBFM@:
					; CODE XREF: .text:005A64E7j
					; DATA XREF: VfClearVerifierSettings()+327o
		inc	esp
		jb	short near ptr loc_5A65B7+3

loc_5A6551:				; CODE XREF: .text:005A652Fj
		jbe	short near ptr loc_5A65B7+1
		jb	short near ptr loc_5A6574+1
		push	esi

loc_5A6556:				; CODE XREF: .text:005A64EFj
		db	65h
		jb	short near ptr loc_5A65C1+1

loc_5A6559:				; CODE XREF: .text:005A64F7j
		imul	sp, [ebp+72h], 203Ah
		inc	esi

loc_5A6560:				; CODE XREF: .text:loc_5A64F5j
		popa

loc_5A6561:				; CODE XREF: .text:loc_5A64FCj
		imul	ebp, [ebp+64h],	206F7420h
		outsd
		jo	short near ptr loc_5A65D0+1
		outsb
		and	[ebp+65h], cl
		insd
		outsd
		jb	short near ptr ??_C@_0DD@KMOJDKJL@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@+0Bh

loc_5A6574:				; CODE XREF: .text:005A6509j
					; .text:005A6553j
		and	[ebp+61h], cl
		outsb
		popa

loc_5A6579:				; CODE XREF: .text:005A6510j
		db	65h
		ins	dword ptr es:[di], dx
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_5A6599+7
		imul	esp, [ebp+79h],	20h
		ja	short near ptr ??_C@_0DD@KMOJDKJL@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@+0Dh
		jz	short near ptr ??_C@_0DD@KMOJDKJL@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@+0Eh
		and	[ebx+74h], dh
		popa
		jz	short near ptr ??_C@_0DD@KMOJDKJL@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@+21h

loc_5A658E:				; CODE XREF: .text:005A6518j
		jnb	short near ptr loc_5A65C9+1
		and	[eax], dh
		js	short near ptr loc_5A65B7+2
		js	short near ptr loc_5A6599+7
		and	[edx+65h], dl

loc_5A6599:				; CODE XREF: .text:loc_5A6533j
					; .text:005A657Ej ...
		imul	esi, [bp+di+74h], 75207972h

loc_5A65A1:				; CODE XREF: .text:005A6537j
		jo	short near ptr ??_C@_0DD@KMOJDKJL@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@+25h
		popa

loc_5A65A4:				; CODE XREF: .text:005A6531j
		jz	short near ptr ??_C@_0DD@KMOJDKJL@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@+29h
		jnb	short near ptr loc_5A65C6+2
		popa

loc_5A65A9:				; CODE XREF: .text:005A6543j
		bound	ebp, [edi+72h]

loc_5A65AC:				; CODE XREF: .text:005A6541j
		jz	short near ptr ??_C@_0DD@KMOJDKJL@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@+31h
		and	fs:[eax], eax
		int	3		; Trap to Debugger

; char ??_C
??_C@_0CP@KGPLDNDG@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@:
					; DATA XREF: ViErrorReport6(x,x,x,x)+29o
		inc	ebx

loc_5A65B3:				; CODE XREF: .text:loc_5A6549j
		jnz	short near ptr ??_C@_0DO@JGJDPOJH@CulpritAddress?5?$DN?5?$CFp?0?5DeviceObje@FNODOBFM@+0Bh
		jo	short near ptr ??_C@_0DO@JGJDPOJH@CulpritAddress?5?$DN?5?$CFp?0?5DeviceObje@FNODOBFM@+13h

loc_5A65B7:				; CODE XREF: .text:loc_5A6551j
					; .text:005A6592j ...
		imul	esi, [ecx+eax*2+64h], 73657264h
		jnb	short loc_5A65E1

loc_5A65C1:				; CODE XREF: .text:loc_5A6556j
		cmp	eax, 2C702520h

loc_5A65C6:				; CODE XREF: .text:005A65A6j
		and	[ecx+72h], cl

loc_5A65C9:				; CODE XREF: .text:loc_5A658Ej
		jo	short near ptr ??_C@_0DD@KMOJDKJL@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@+9
		cmp	eax, 2C702520h

loc_5A65D0:				; CODE XREF: .text:005A656Aj
		and	[ebx+74h], dl
		popa
		jz	short near ptr ??_C@_0DO@JGJDPOJH@CulpritAddress?5?$DN?5?$CFp?0?5DeviceObje@FNODOBFM@+35h
		jnb	short near ptr ??_C@_0DD@KMOJDKJL@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@+16h
		cmp	eax, 25783020h
		js	short near ptr ??_C@_0DD@KMOJDKJL@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@+2Bh
		or	al, [eax]

loc_5A65E1:				; CODE XREF: .text:005A65BFj
		int	3		; Trap to Debugger
; 
; char ??_C[]
??_C@_0DD@KMOJDKJL@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@ db 'CulpritAddress = %p, Irp = %p, DeviceObject = %p.',0Ah,0
					; CODE XREF: .text:loc_5A65C9j
					; .text:005A6572j ...
		align 2
; char ??_C[]
??_C@_0DO@JGJDPOJH@CulpritAddress?5?$DN?5?$CFp?0?5DeviceObje@FNODOBFM@ db 'CulpritAddress = %p, DeviceObject1 = %p, DeviceObject2 = %p.',0Ah,0
					; CODE XREF: .text:loc_5A65B3j
					; DATA XREF: ViErrorReport7(x,x,x,x)+2Ao
; char ??_C[]
??_C@_0EM@PJLILDNA@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@ db 'CulpritAddress = %p, Irp = %p, ExpectedStatus = 0x%x, ActualStatu'
					; DATA XREF: ViErrorReport4(x,x,x,x,x)+2Fo
		db 's = 0x%x.',0Ah,0
; char ??_C[]
??_C@_0CA@KOPMCEDG@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?4?6@FNODOBFM@ db 'CulpritAddress = %p, Irp = %p.',0Ah,0
					; DATA XREF: ViErrorReport1(x,x,x)+23o
; 

??_C@_0DC@NENOIKJC@?$CIB?$CJreak?0?5?$CII?$CJgnore?0?5?$CIW?$CJarn?5only?0@FNODOBFM@:
					; DATA XREF: VfReportIssueWithOptions(x,x,x,x,x,x)+5Fo
		sub	[edx+29h], al
		jb	short near ptr ??_C@_0CJ@BMPCEADM@CulpritAddress?5?$DN?5?$CFp?0?5DeviceObje@FNODOBFM@+22h
		popa
		imul	ebp, [eax], 28h
		dec	ecx
		sub	[edi+6Eh], esp
		outsd
		jb	short loc_5A6736
		sub	al, 20h
		sub	[edi+29h], dl
		popa
		jb	short near ptr loc_5A6746+1
		and	[edi+6Eh], ch
		insb
		jns	short near ptr ??_C@_0CJ@BMPCEADM@CulpritAddress?5?$DN?5?$CFp?0?5DeviceObje@FNODOBFM@+3
		and	[eax], ch
		push	edx
		sub	[ebp+6Dh], esp
		outsd
		jbe	short loc_5A674D
		and	[ecx+73h], ah
		jnb	short loc_5A6752
		jb	short near ptr ??_C@_0CL@GINJCKBC@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@+0Dh
		aas
		and	[eax], al
; 
; char ??_C[]
??_C@_0BG@NIJPFGLB@CulpritAddress?5?$DN?5?$CFp?4?6@FNODOBFM@ db	'CulpritAddress = %p.',0Ah,0
					; DATA XREF: ViErrorReport9(x,x)+1Eo
; char ??_C[]
??_C@_0CJ@BMPCEADM@CulpritAddress?5?$DN?5?$CFp?0?5DeviceObje@FNODOBFM@ db 'CulpritAddress = %p, DeviceObject = %p.',0Ah,0
					; CODE XREF: .text:005A66DDj
					; DATA XREF: ViErrorReport8(x,x,x)+23o
		align 2

; char ??_C
??_C@_0CE@NJAPFAAD@?6?$CK?$CK?$CK?5Verifier?5assertion?5failed?5@FNODOBFM@:
					; DATA XREF: VfReportIssueWithOptions(x,x,x,x,x,x):loc_67838Fo
		or	ch, [edx]
		sub	ch, [edx]

loc_5A6736:				; CODE XREF: .text:005A66CFj
		and	[esi+65h], dl
		jb	short loc_5A67A4
		imul	sp, [ebp+72h], 6120h
		jnb	short near ptr loc_5A67B5+1
		db	65h
		jb	short near ptr loc_5A67B8+2

loc_5A6746:				; CODE XREF: .text:005A66D7j
		imul	ebp, [edi+6Eh],	69616620h

loc_5A674D:				; CODE XREF: .text:005A66E6j
		insb
		db	65h
		and	fs:[edx], ch

loc_5A6752:				; CODE XREF: .text:005A66EBj
		sub	ch, [edx]
		or	al, [eax]
; 
; char ??_C[]
??_C@_0CL@GINJCKBC@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@ db 'CulpritAddress = %p, Irp = %p, IRQL = %u.',0Ah,0
					; CODE XREF: .text:005A66EDj
					; DATA XREF: ViErrorReport11(x,x,x,x)+28o
		align 2

??_C@_1BM@FDCLHDIB@?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAT?$AAy?$AAp?$AAe@FNODOBFM@:
					; DATA XREF: EtwpQueryPartitionRegistryInformation+C8o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+61h], dh
		add	[ecx+0], ch
		outsb
		add	[ebp+0], ah
		jb	short $+2
		push	esp
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[eax], al
; 
		db 0
??_C@_1GG@KMAKALDL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@ dd offset loc_52005B+1
					; DATA XREF: EtwpQueryPartitionRegistryInformation+3Fo
		dw 65h
; 

loc_5A67A4:				; CODE XREF: .text:005A6739j
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa

loc_5A67B5:				; CODE XREF: .text:005A6741j
		add	[ebx+0], ah

loc_5A67B8:				; CODE XREF: .text:005A6743j
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+0], ch
; 
		db 0
??_C@_1CO@GMOLDGFF@?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAC?$AAo?$AAr?$AAr?$AAe?$AAl@FNODOBFM@:
					; DATA XREF: EtwpQueryPartitionRegistryInformation+173o
		unicode	0, <ContainerCorrelationId>,0
; 

??_C@_1BI@HJOCIGHC@?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAI?$AAd@FNODOBFM@:
					; DATA XREF: EtwpQueryPartitionRegistryInformation+D7o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+61h], dh
		add	[ecx+0], ch
		outsb
		add	[ebp+0], ah
		jb	short $+2
		dec	ecx
		add	[eax+eax+0], ah

loc_5A6849:				; DATA XREF: EtwpReadPerSiloConfigParameters(x)+90o
		add	[ebp+0], al
		jz	short $+2
		ja	short $+2
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		dec	esp
		add	[edi+0], ch
		add	[bx+0],	ah
		add	gs:[edx+0], dh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1GO@GHPNNIDM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@:
					; DATA XREF: EtwpReadPerSiloConfigParameters(x)+17o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[edi+0], dl
		dec	ebp
		add	[ecx+0], cl
; 
		dw 0
; 

??_C@_1BK@DFILMBJE@?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAT?$AAi?$AAm?$AAe@FNODOBFM@:
					; DATA XREF: ExpRecordShutdownTime()+6Ao
		push	ebx
		add	[eax+0], ch
		jnz	short $+2
		jz	short $+2
		add	fs:[edi+0], ch
		ja	short $+2
		outsb
		add	[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[eax], al

loc_5A68ED:				; DATA XREF: ExpRecordShutdownTime()+29o
		add	[eax+eax+52h], bl
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
; 
		dw 0
; 

; char ??_C
??_C@_0CI@PPHKMJLE@AVRF?3?5Invalid?5handle?5?$CFp?5in?5proc@FNODOBFM@:
					; DATA XREF: ExHandleLogBadReference+950BFo
		inc	ecx
		push	esi
		push	edx
		inc	esi
		cmp	ah, [eax]
		dec	ecx
		outsb
		jbe	short near ptr loc_5A69CD+2
		insb
		imul	esp, [eax+68h],	6C646E61h
		and	gs:6E692070h, ah
		and	[eax+72h], dh
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr ??_C@_1CK@CHAEGJLO@?$AAB?$AAo?$AAo?$AAt?$AAm?$AAg?$AAr?$AAU?$AAs?$AAe?$AAr?$AAI?$AAn?$AAp?$AAu@FNODOBFM@+1Bh
		and	eax, 0A2070h
; 
??_C@_1CK@CHAEGJLO@?$AAB?$AAo?$AAo?$AAt?$AAm?$AAg?$AAr?$AAU?$AAs?$AAe?$AAr?$AAI?$AAn?$AAp?$AAu@FNODOBFM@:
					; DATA XREF: BapdWriteEtwEvents:loc_565BC2o
					; BapdWriteEtwEvents:loc_5F6844o
		unicode	0, <BootmgrUserInputTime>,0
??_C@_1BC@PIAIECI@?$AAP?$AAO?$AAS?$AAT?$AAT?$AAi?$AAm?$AAe@FNODOBFM@ dd	offset loc_4F004F+1
					; DATA XREF: BapdWriteEtwEvents:loc_565C21o
					; BapdWriteEtwEvents+90EA0o
		dd offset loc_540052+1
		dd offset loc_690054
		dd offset loc_65006C+1
		align 4

??_C@_1DM@KEPNEABC@?$AAB?$AAo?$AAo?$AAt?$AAA?$AAp?$AAp?$AAl?$AAi?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn@FNODOBFM@:
					; DATA XREF: BapdpMarshallBootDataToRegistry:loc_5F80E3o
		inc	edx
		add	[edi+0], ch
		outsd

loc_5A69CD:				; CODE XREF: .text:005A696Cj
		add	[eax+eax+41h], dh
		add	[eax+0], dh
		jo	short $+2
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+0], dl
		add	gs:[edx+0], dh
		jnb	short $+2
		imul	eax, [eax], 740073h
		add	gs:[esi+0], ch
		jz	short $+2
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
; 
		db 3 dup(0)
; 

??_C@_1BM@NLGAGAOC@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@FNODOBFM@:
					; DATA XREF: sub_685EF9+DDo
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dw 0
; 

??_C@_1BO@EDPDEJHE@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@FNODOBFM@:
					; DATA XREF: sub_685EF9+119o
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1HI@LOGLGABO@?$AAT?$AAe?$AAr?$AAm?$AAi?$AAn?$AAa?$AAl?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe@FNODOBFM@:
					; DATA XREF: SLQueryLicenseValueInternal+84DADo
		push	esp
		add	[ebp+0], ah
		jb	short $+2
		insd
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ah
		insb
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		sub	eax, 65005200h
		add	[ebp+0], ch
		outsd
		add	[eax+eax+65h], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		outsb
		add	[ebp+0], ah
		arpl	[eax], ax
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		sub	eax, 6C004100h
		add	[eax+eax+6Fh], ch
		add	[edi+0], dh
		inc	ecx
		add	[eax+0], dh
		jo	short $+2
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		add	gs:[edx+0], dh
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], ah
; 
		db 2 dup(0)
; 

??_C@_1CM@BIAGPLBJ@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAE?$AAx?$AAp?$AAi?$AAr?$AAa?$AAt?$AAi@FNODOBFM@:
					; DATA XREF: SLQueryLicenseValueInternal+84D99o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	ds:78004500h, ch
		add	[eax+0], dh
		imul	eax, [eax], 610072h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al
		add	[ebx+0], dl	; DATA XREF: SLQueryLicenseValueInternal+84DA3o
		dec	ebp
		add	[edx+0], dl
		sub	eax, 6F004800h
		add	[ebx+0], dh
		jz	short $+2
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		add	fs:6E004500h, ch
		add	[ecx+0], ah
		bound	eax, [eax]
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
		add	[ebx+0], dl	; DATA XREF: SLQueryLicenseValueInternal+84D85o
		add	gs:[ebx+0], ah
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
		sub	eax, 50005300h
		add	[eax+0], dl
		sub	eax, 61004C00h
		add	[ebx+0], dh
		jz	short $+2
		push	edi
		add	[ecx+0], ch
		outsb
		add	[eax+eax+6Fh], ah
		add	[edi+0], dh
		jnb	short $+2
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 610076h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		dec	eax
		add	[edx+0], dl
		add	gs:[ebx+0], dh
		jnz	short $+2
		insb
		add	[eax+eax+0], dh
; 
		db 0
; 

??_C@_1EO@FHDGJOKE@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?9?$AAS?$AAP?$AAP?$AA?9?$AAL?$AAa@FNODOBFM@:
					; DATA XREF: SLQueryLicenseValueInternal+84D8Fo
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
		sub	eax, 50005300h
		add	[eax+0], dl
		sub	eax, 61004C00h
		add	[ebx+0], dh
		jz	short $+2
		push	edi
		add	[ecx+0], ch
		outsb
		add	[eax+eax+6Fh], ah
		add	[edi+0], dh
		jnb	short $+2
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 610076h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1EA@KEBBLPOF@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?9?$AAS?$AAP?$AAP?$AA?9?$AAG?$AAe@FNODOBFM@:
					; DATA XREF: SLQueryLicenseValueInternal+84D71o
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
		sub	eax, 50005300h
		add	[eax+0], dl
		sub	eax, 65004700h
		add	[esi+0], ch
		jnz	short $+2
		imul	eax, [eax], 65006Eh
		dec	esp
		add	[edi+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+53h], ch
		add	[eax+eax+61h], dh
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1DM@GNIBEDOK@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?9?$AAS?$AAP?$AAP?$AA?9?$AAA?$AAc@FNODOBFM@:
					; DATA XREF: SLQueryLicenseValueInternal+84D7Bo
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
		sub	eax, 50005300h
		add	[eax+0], dl
		sub	eax, 63004100h
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	ds:74005300h, ch
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax+eax+61h], al
		add	[eax+eax+61h], dh
; 
		db 3 dup(0)
; char ??_C[]
??_C@_0FP@MBKODDEI@EX?3?5ExFreePool?$CI?5?$CFp?0?5?$CFIx?5?$CJ?5conta@FNODOBFM@	db 'EX: ExFreePool( %p, %Ix ) contains an ERESOURCE structure that ha'
					; DATA XREF: ExpCheckForResource(x,x)+95o
		db 's not been ExDeleteResourced',0Ah,0
		align 10h
; char ??_C[]
??_C@_0FK@GHMJMIG@EX?3?5ExFreePool?$CI?5?$CFp?0?5?$CFIx?5?$CJ?5conta@FNODOBFM@ db 'EX: ExFreePool( %p, %Ix ) contains a lookaside structure that has'
					; DATA XREF: ExpCheckForLookasideList(x,x,x,x)+45o
		db ' not been deleted first',0Ah,0
; 

??_C@_1CA@GFDMJKJ@?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@FNODOBFM@:
					; DATA XREF: ExpResourceTimeoutCaptureLiveDump(x)+23o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		outsd
		add	[ebp+0], dh
		jb	short $+2
		arpl	[eax], ax
		add	gs:[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[edi+0], ch
		jnz	short $+2
		jz	short $+2
; 
		db 2 dup(0)
; 

; char ??_C
??_C@_0EC@ECIGCEHM@Possible?5deadlock?4?5Use?5?$CBlocks?5?$CF@FNODOBFM@:
					; DATA XREF: ExpWaitForResource+E280Bo
		push	eax
		outsd
		jnb	short near ptr loc_5A6D80+1
		imul	esp, [edx+6Ch],	65642065h
		popa
		db	64h
		insb
		outsd
		arpl	[ebx+2Eh], bp
		and	[ebp+73h], dl
		and	gs:[ecx], ah
		insb
		outsd
		arpl	[ebx+73h], bp
		and	ds:6F742070h, ah
		and	[ebp+74h], ah
		db	65h
		jb	short loc_5A6DA1
		imul	ebp, [esi+65h],	65687420h
		and	[edx+65h], dh
		jnb	short near ptr loc_5A6DAD+2
		jnz	short loc_5A6DB4
		arpl	[ebp+20h], sp
		outsd
		ja	short near ptr loc_5A6DB5+1
		db	65h
		jb	short loc_5A6D55
; 
		db 0
; 

??_C@_1IA@HPIKAKLL@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@FNODOBFM@:
					; DATA XREF: MigrateOOBELanguageToInstallationLanguage()+63o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx

loc_5A6D55:				; CODE XREF: .text:005A6D48j
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al

loc_5A6D80:				; CODE XREF: .text:005A6D0Cj
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh

loc_5A6DA1:				; CODE XREF: .text:005A6D31j
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd

loc_5A6DAD:				; CODE XREF: .text:005A6D3Ej
		add	[eax+eax+5Ch], ch
		add	[esi+0], cl

loc_5A6DB4:				; CODE XREF: .text:005A6D40j
		dec	esp

loc_5A6DB5:				; CODE XREF: .text:005A6D46j
		add	[ebx+0], dl
		pop	esp
		add	[eax+eax+61h], cl
		add	[esi+0], ch
		add	[di+0],	dh
		popa
		add	[edi+0], ah
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CA@HNCMOGDF@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@FNODOBFM@:
					; DATA XREF: MigrateOOBELanguageToInstallationLanguage()+C2o
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[eax+eax+6Ch], ch
		add	[eax+eax+61h], cl
		add	[esi+0], ch
		add	[di+0],	dh
		popa
		add	[edi+0], ah
		add	gs:[eax], al

loc_5A6DEB:				; DATA XREF: MigrateOOBELanguageToInstallationLanguage()+13Eo
		add	[eax+0], dl
		jb	short $+2
		add	gs:[esi+0], dh
		imul	eax, [eax], 75006Fh
		jnb	short $+2
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[eax+eax+6Ch], ch
		add	[eax+eax+61h], cl
		add	[esi+0], ch
		add	[di+0],	dh
		popa
		add	[edi+0], ah
		add	gs:[eax], al
; 
		db 0
??_C@_1BK@CIGKBGGO@?$AAT?$AAa?$AAr?$AAg?$AAe?$AAt?$AAN?$AAt?$AAP?$AAa?$AAt?$AAh@FNODOBFM@ dd offset loc_610053+1
					; DATA XREF: OpenGlobalizationUserSettingsKey_ForMua+EEo
		dd offset loc_670070+2
aEtntpath:
		unicode	0, <etNtPath>,0
; 

??_C@_1DE@JGIJLCKE@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AAi?$AAz?$AAa?$AAt?$AAi?$AAo?$AAn?$AAU?$AAs@FNODOBFM@:
					; DATA XREF: OpenGlobalizationUserSettingsKey_ForMua+F3o
		inc	edi
		add	[eax+eax+6Fh], ch
		add	[edx+0], ah
		popa
		add	[eax+eax+69h], ch
		add	[edx+0], bh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebp+0], dl
		jnb	short $+2
		add	gs:[edx+0], dh
		push	ebx
		add	[ebp+0], ah
		jz	short $+2
		jz	short $+2
		imul	eax, [eax], 67006Eh
		jnb	short $+2
; 
off_5A6E68	dd offset loc_51FFFF+1	; DATA XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel+C3o
		dd offset loc_640065
aIrectedkey:
		unicode	0, <irectedKey>,0
; void ??_C
??_C@_1IC@LJOADGCI@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@ dd offset loc_52005B+1
					; DATA XREF: OpenGlobalizationUserSettingsKey_ForMua+E9o
		dd offset loc_670065
		dw 69h
aStryMachineS_4:
		unicode	0, <stry\Machine\SYSTEM\CurrentControlSet\Control\Internation>
		unicode	0, <al>,0
??_C@_1JG@EEECFNPB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@ dd offset loc_52005B+1
					; DATA XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel:loc_68FAD6o
		dd offset loc_670065
aIstryMachine_1:
		unicode	0, <istry\Machine\System\CurrentControlSet\Control\CommonGlob>
		unicode	0, <UserSettings\>,0
??_C@_0BM@DGNKLLNF@InitErrorReportDeviceDriver@FNODOBFM@ db 'InitErrorReportDeviceDriver',0
					; DATA XREF: WheapInitErrorReportDeviceDriver(x,x)+262o

;  S U B	R O U T	I N E 


??_C@_1DC@FLHAMKMH@?$AAU?$AAn?$AAc?$AAo?$AAr?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAB?$AAa?$AAd?$AAM@FNODOBFM@ proc near
					; DATA XREF: WheapProcessEfiBadMemoryPage+26o
					; WheapProcessEfiBadMemoryPage+7DFD8o ...
		push	ebp
		add	[esi+0], ch
		arpl	[eax], ax
??_C@_1DC@FLHAMKMH@?$AAU?$AAn?$AAc?$AAo?$AAr?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAB?$AAa?$AAd?$AAM@FNODOBFM@ endp

		outsd
		add	[edx+0], dh
		jb	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		add	gs:[eax+eax+42h], ah
		add	[ecx+0], ah
		add	fs:[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
; 
		dw 0

;  S U B	R O U T	I N E 


??_C@_0BN@MMNDOKOI@Unstructured_Overruns_Buffer@FNODOBFM@ proc near
					; DATA XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+CEo

; FUNCTION CHUNK AT 005A7061 SIZE 0000000E BYTES

		push	ebp
		outsb
		jnb	short loc_5A7064
		jb	short near ptr loc_5A7066+1
		arpl	[ebp+esi*2+72h], si
		db	65h, 64h
		pop	edi
		dec	edi
		jbe	short loc_5A7061
		jb	short loc_5A7070
		jnz	short loc_5A706E
		jnb	short loc_5A7061
		inc	edx
		jnz	short loc_5A706B
		db	66h, 65h
		jb	short $+4
		int	3		; Trap to Debugger
??_C@_0BN@MMNDOKOI@Unstructured_Overruns_Buffer@FNODOBFM@ endp


;  S U B	R O U T	I N E 


??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@ proc	near
					; DATA XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+DFo

arg_15B		= dword	ptr  15Fh
arg_177		= dword	ptr  17Bh
arg_1C3		= dword	ptr  1C7h
arg_1DF		= dword	ptr  1E3h

; FUNCTION CHUNK AT 005A706F SIZE 000000FF BYTES
; FUNCTION CHUNK AT 005A7170 SIZE 00000016 BYTES
; FUNCTION CHUNK AT 005A718C SIZE 0000001D BYTES
; FUNCTION CHUNK AT 005A71AC SIZE 0000002A BYTES
; FUNCTION CHUNK AT 005A7237 SIZE 0000003E BYTES
; FUNCTION CHUNK AT 005A72B5 SIZE 0000001D BYTES
; FUNCTION CHUNK AT 005A732B SIZE 00000096 BYTES
; FUNCTION CHUNK AT 005A73D9 SIZE 00000016 BYTES
; FUNCTION CHUNK AT 005A7400 SIZE 0000000F BYTES
; FUNCTION CHUNK AT 005A741C SIZE 0000000B BYTES

		inc	ebp
		jb	short near ptr loc_5A707E+1
		outsd
		jb	short loc_5A706F
		dec	edi
		jbe	short near ptr loc_5A7077+1
		jb	short near ptr loc_5A7086+1
		jnz	short loc_5A7085
		jnb	short near ptr loc_5A7077+1
		inc	edx
		jnz	short near ptr loc_5A707E+4
		db	66h, 65h
		jb	short $+4
??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@ endp


;  S U B	R O U T	I N E 


??_C@_0BL@BDDMBBNP@Unstructered_Data_Too_Soon@FNODOBFM@	proc near
					; DATA XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+A8o
		push	ebp
		outsb
		jnb	short near ptr loc_5A7096+2
		jb	short near ptr loc_5A7096+5
		arpl	[ebp+72h], si
		db	65h, 64h
		pop	edi
		inc	esp
		popa
		jz	short near ptr loc_5A7091+1
		pop	edi
		push	esp
		outsd
		outsd
		pop	edi
		push	ebx
		outsd
		outsd
		outsb
		add	ah, cl

??_C@_0BK@MFIAHGKF@Overflow_Unstructured_End@FNODOBFM@:
					; DATA XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+BDo
		dec	edi
		jbe	short near ptr loc_5A70A0+4
		jb	short near ptr loc_5A70A6+1
		insb
		outsd
		ja	short near ptr loc_5A70A0+4
		push	ebp
		outsb
		jnb	short loc_5A70BD
		jb	short near ptr loc_5A70BD+3
		arpl	[ebp+esi*2+72h], si
		db	65h, 64h
		pop	edi
		inc	ebp
		outsb

loc_5A7054:				; DATA XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+5Bo
		add	fs:[ebp+72h], al
		jb	short loc_5A70C9
		jb	short near ptr loc_5A70B9+2
		push	eax
		popa
		arpl	[ebx+65h], bp
??_C@_0BL@BDDMBBNP@Unstructered_Data_Too_Soon@FNODOBFM@	endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BN@MMNDOKOI@Unstructured_Overruns_Buffer@FNODOBFM@

loc_5A7061:				; CODE XREF: ??_C@_0BN@MMNDOKOI@Unstructured_Overruns_Buffer@FNODOBFM@+Ej
					; ??_C@_0BN@MMNDOKOI@Unstructured_Overruns_Buffer@FNODOBFM@+14j
		jz	short loc_5A70C2
		dec	esp

loc_5A7064:				; CODE XREF: ??_C@_0BN@MMNDOKOI@Unstructured_Overruns_Buffer@FNODOBFM@+2j
		outs	dx, byte ptr gs:[esi]

loc_5A7066:				; CODE XREF: ??_C@_0BN@MMNDOKOI@Unstructured_Overruns_Buffer@FNODOBFM@+4j
		jz	short loc_5A70D0
		pop	edi
		push	esp
		outsd

loc_5A706B:				; CODE XREF: ??_C@_0BN@MMNDOKOI@Unstructured_Overruns_Buffer@FNODOBFM@+17j
		outsd
		pop	edi
		push	ebx

loc_5A706E:				; CODE XREF: ??_C@_0BN@MMNDOKOI@Unstructured_Overruns_Buffer@FNODOBFM@+12j
		insd
; END OF FUNCTION CHUNK	FOR ??_C@_0BN@MMNDOKOI@Unstructured_Overruns_Buffer@FNODOBFM@
; START	OF FUNCTION CHUNK FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@

loc_5A706F:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+4j
		popa

loc_5A7070:				; CODE XREF: ??_C@_0BN@MMNDOKOI@Unstructured_Overruns_Buffer@FNODOBFM@+10j
		insb
		insb
		add	ah, cl

??_C@_0CA@KJNCJDDD@Overflow_Finding_Structured_Len@FNODOBFM@:
					; DATA XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+8Do
		dec	edi
		jbe	short ??_C@_0BO@EOPDDLPJ@Next_Entry_Overruns_Structure@FNODOBFM@

loc_5A7077:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+7j
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+Dj
		jb	short near ptr loc_5A70DD+2
		insb
		outsd
		ja	short ??_C@_0BO@EOPDDLPJ@Next_Entry_Overruns_Structure@FNODOBFM@
		inc	esi

loc_5A707E:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+1j
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+10j
		imul	ebp, [esi+64h],	5F676E69h

loc_5A7085:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+Bj
		push	ebx

loc_5A7086:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+9j
		jz	short near ptr loc_5A70F9+1
		jnz	short near ptr loc_5A70EC+1
		jz	short loc_5A7101
		jb	short loc_5A70F3
		db	64h
		pop	edi
		dec	esp

loc_5A7091:				; CODE XREF: ??_C@_0BL@BDDMBBNP@Unstructered_Data_Too_Soon@FNODOBFM@+Fj
		outs	dx, byte ptr gs:[esi]

loc_5A7093:				; DATA XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x):loc_691975o
		add	[esi+61h], al

loc_5A7096:				; CODE XREF: ??_C@_0BL@BDDMBBNP@Unstructered_Data_Too_Soon@FNODOBFM@+2j
					; ??_C@_0BL@BDDMBBNP@Unstructered_Data_Too_Soon@FNODOBFM@+4j
		imul	ebp, [ebp+64h],	6464415Fh
		pop	edi
		push	ebx

loc_5A70A0:				; CODE XREF: ??_C@_0BL@BDDMBBNP@Unstructered_Data_Too_Soon@FNODOBFM@+1Dj
					; ??_C@_0BL@BDDMBBNP@Unstructered_Data_Too_Soon@FNODOBFM@+23j
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb

loc_5A70A6:				; CODE XREF: ??_C@_0BL@BDDMBBNP@Unstructered_Data_Too_Soon@FNODOBFM@+1Fj
		add	ah, cl

??_C@_0BI@GGEIBMFK@Failed_Add_Unstructured@FNODOBFM@:
					; DATA XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+244o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	6464415Fh
		pop	edi
		push	ebp
		outsb
		jnb	short near ptr loc_5A712A+1
		jb	short near ptr loc_5A712C+2

loc_5A70B9:				; CODE XREF: ??_C@_0BL@BDDMBBNP@Unstructered_Data_Too_Soon@FNODOBFM@+3Aj
		arpl	[ebp+esi*2+72h], si

loc_5A70BD:				; CODE XREF: ??_C@_0BL@BDDMBBNP@Unstructered_Data_Too_Soon@FNODOBFM@+27j
					; ??_C@_0BL@BDDMBBNP@Unstructered_Data_Too_Soon@FNODOBFM@+29j
					; DATA XREF: ...
		db	65h
		add	fs:[edi+76h], cl

loc_5A70C2:				; CODE XREF: ??_C@_0BN@MMNDOKOI@Unstructured_Overruns_Buffer@FNODOBFM@:loc_5A7061j
		db	65h
		jb	short near ptr loc_5A712A+1
		insb
		outsd
		ja	short near ptr loc_5A7127+1

loc_5A70C9:				; CODE XREF: ??_C@_0BL@BDDMBBNP@Unstructered_Data_Too_Soon@FNODOBFM@+38j
		dec	esi
		db	65h
		js	short loc_5A7141
		pop	edi
		inc	ebp
		outsb

loc_5A70D0:				; CODE XREF: ??_C@_0BN@MMNDOKOI@Unstructured_Overruns_Buffer@FNODOBFM@:loc_5A7066j
		jz	short near ptr loc_5A7143+1
		jns	short loc_5A7133
		dec	edi
		db	66h, 66h
		jnb	short loc_5A713E
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_0BO@EOPDDLPJ@Next_Entry_Overruns_Structure@FNODOBFM@:
					; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+6Bj
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+71j
					; DATA XREF: ...
		dec	esi

loc_5A70DD:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A7077j
		db	65h
		js	short near ptr loc_5A7153+1
		pop	edi
		inc	ebp
		outsb
		jz	short loc_5A7157
		jns	short near ptr loc_5A7143+3
		dec	edi
		jbe	short loc_5A714F
		jb	short loc_5A715E

loc_5A70EC:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+7Ej
		jnz	short near ptr loc_5A715A+2
		jnb	short loc_5A714F
		push	ebx
		jz	short loc_5A7165

loc_5A70F3:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+82j
		jnz	short loc_5A7158
		jz	short near ptr loc_5A716B+1
		jb	short loc_5A715E

loc_5A70F9:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A7086j
					; DATA XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x):loc_6919A6o
		add	[ebp+6Eh], al
		jz	short ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@FNODOBFM@
		jns	short loc_5A715F
		dec	eax

loc_5A7101:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+80j
		db	65h
		popa
		db	64h, 65h
		jb	short ??_C@_19MBPIHHGH@?$AAW?$AAH?$AAE?$AAA@FNODOBFM@
		dec	edi
		jbe	short near ptr byte_5A716F
		jb	short near ptr loc_5A717D+1
		jnz	short loc_5A717C
		jnb	short near ptr byte_5A716F
		push	ebx
		jz	short near ptr loc_5A7184+1
		jnz	short loc_5A7178
		jz	short loc_5A718C
		jb	short near ptr loc_5A717D+1

loc_5A7119:				; DATA XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x):loc_69199Co
		add	[edi+76h], cl
		db	65h
		jb	short near ptr loc_5A7184+1
		insb
		outsd
		ja	short near ptr loc_5A7181+1
		inc	ebp
		outsb
		jz	short loc_5A7199

loc_5A7127:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+BDj
		jns	short near ptr off_5A7186+2
		dec	esp

loc_5A712A:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+ABj
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A70C2j
		outs	dx, byte ptr gs:[esi]

loc_5A712C:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+ADj
		db	67h
		jz	near ptr 7197h

loc_5A712F:				; DATA XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+F3o
		add	[eax+65h], cl
		popa

loc_5A7133:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+C8j
		db	64h, 65h
		jb	short near ptr loc_5A7195+1
		dec	edi
		jbe	short near ptr loc_5A719D+2
		jb	short loc_5A71AE
		jnz	short ??_C@_0CM@KNENAJOM@Failed?5to?5find?5Attribute?5to?5use@FNODOBFM@

loc_5A713E:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+CBj
		jnb	short near ptr loc_5A719D+2
		inc	edx

loc_5A7141:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+C0j
		jnz	short near ptr byte_5A71A9

loc_5A7143:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A70D0j
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+DBj
		db	66h, 65h
		jb	short $+4
		int	3		; Trap to Debugger

??_C@_0BN@GLMPFHPA@Overflow_Entry_Header_Offset@FNODOBFM@:
					; DATA XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x):loc_6919B0o
		dec	edi
		jbe	short near ptr loc_5A71AE+2
		jb	short near ptr loc_5A71AE+5
		insb
		outsd

loc_5A714F:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+DEj
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+E4j
		ja	short near ptr loc_5A71AE+2
		inc	ebp
		outsb

loc_5A7153:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A70DDj
		jz	short near ptr loc_5A71C3+4
		jns	short loc_5A71B6

loc_5A7157:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+D9j
		dec	eax

loc_5A7158:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A70F3j
		db	65h
		popa

loc_5A715A:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A70ECj
		db	64h, 65h
		jb	short near ptr loc_5A71BC+1

loc_5A715E:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+E0j
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+EDj
		dec	edi

loc_5A715F:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+F4j
		db	66h, 66h
		jnb	short loc_5A71C8
		jz	short $+2

loc_5A7165:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+E7j
		int	3		; Trap to Debugger

??_C@_19MBPIHHGH@?$AAW?$AAH?$AAE?$AAA@FNODOBFM@:
					; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+F9j
					; DATA XREF: WheapCommitPolicy()+1Bo
		push	edi
		add	[eax+0], cl
		inc	ebp

loc_5A716B:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+EBj
		add	[ecx+0], al
; END OF FUNCTION CHUNK	FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@
; 
		db 0
byte_5A716F	db 0			; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+FEj
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+104j
; 
; START	OF FUNCTION CHUNK FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@

??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@FNODOBFM@:
					; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+F2j
					; DATA XREF: WheapCommitPolicy()+8o
		push	edi
		add	[eax+0], cl
		inc	ebp
		add	[ecx+0], al

loc_5A7178:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+109j
		pop	esp
		add	[eax+0], dl

loc_5A717C:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+102j
		outsd

loc_5A717D:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+100j
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+10Dj
		add	[eax+eax+69h], ch

loc_5A7181:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+117j
		add	[ebx+0], ah

loc_5A7184:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+107j
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+112j
		jns	short $+2
; END OF FUNCTION CHUNK	FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@
; 
off_5A7186	dd offset loc_56FFFF+1	; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A7127j
					; DATA XREF: WheapWmiRegisterInfo+68o
		dw 48h
; 
; START	OF FUNCTION CHUNK FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@

loc_5A718C:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+10Bj
		inc	ebp
		add	[ecx+0], al
		pop	edi
		add	[edi+0], dl
		dec	ebp

loc_5A7195:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A7133j
		add	[ecx+0], cl
		pop	edi

loc_5A7199:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+11Bj
		add	[eax+0], dl
		push	edx

loc_5A719D:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+12Ej
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A713Ej
		add	[edi+0], cl
		push	esi
		add	[ecx+0], cl
		inc	esp
		add	[ebp+0], al
		push	edx
; END OF FUNCTION CHUNK	FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@
; 
byte_5A71A9	db 3 dup(0)		; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A7141j
; 
; START	OF FUNCTION CHUNK FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@

??_C@_0CM@KNENAJOM@Failed?5to?5find?5Attribute?5to?5use@FNODOBFM@:
					; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+132j
					; DATA XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x):loc_598367o
		inc	esi
		popa

loc_5A71AE:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+130j
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+13Fj ...
		imul	ebp, [ebp+64h],	206F7420h

loc_5A71B6:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+14Bj
		imul	bp, [esi+64h], 4120h

loc_5A71BC:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A715Aj
		jz	short near ptr loc_5A7231+1
		jb	short near ptr loc_5A7227+2
		bound	esi, [ebp+74h]

loc_5A71C3:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A7153j
		and	gs:[edi+ebp*2+20h], dh

loc_5A71C8:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A715Fj
		jnz	short near ptr loc_5A723C+1
		and	gs:[esi+6Fh], ah
		jb	short near ptr loc_5A71EF+1
		jnb	short near ptr loc_5A7235+1
		bound	esp, [eax]
		jz	short loc_5A7237
; END OF FUNCTION CHUNK	FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@
; 
		dw 67h

;  S U B	R O U T	I N E 


??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@ proc near
					; DATA XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+2DBo

; FUNCTION CHUNK AT 005A7285 SIZE 00000025 BYTES
; FUNCTION CHUNK AT 005A72F5 SIZE 00000032 BYTES

		push	ebx
		bound	esi, fs:[eax+43h]
		push	416B6365h
		jo	short near ptr loc_5A7253+1
		insb
		imul	esp, [ebx+61h],	6E6F6974h
		push	esp
		jns	short loc_5A725F

loc_5A71EF:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+1C4j
		db	65h
		inc	ecx
		jz	short near ptr loc_5A7266+1
		jb	short near ptr loc_5A7257+7
		bound	esi, [ebp+74h]
		db	65h
		jnb	short $+3
		int	3		; Trap to Debugger

??_C@_0CP@DHCDBBNC@RtlStringCchCopyW?5failed?5to?5cop@FNODOBFM@:
					; DATA XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+D2o
		push	edx
		jz	short near ptr loc_5A7269+2
		push	ebx
		jz	short near ptr loc_5A7270+4
		imul	ebp, [esi+67h],	43686343h
		outsd
		jo	short loc_5A7285
		push	edi
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[edi+70h], bp
		jns	short near ptr loc_5A723C+1
		inc	esi
		imul	ebp, [ebp+4Eh],	20656D61h
		pop	ebx

loc_5A7227:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+1B4j
		and	eax, 0CC005D78h
??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@ endp


;  S U B	R O U T	I N E 


??_C@_0BK@CIBBJEAE@SdbpGetPathAppPatchPreRS3@FNODOBFM@ proc near
					; DATA XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x):loc_695318o
		push	ebx
		bound	esi, fs:[eax+47h]

loc_5A7231:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A71BCj
		db	65h
		jz	short near ptr loc_5A7282+2
		popa

loc_5A7235:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+1C6j
		jz	short loc_5A729F
??_C@_0BK@CIBBJEAE@SdbpGetPathAppPatchPreRS3@FNODOBFM@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@

loc_5A7237:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+1CAj
		inc	ecx
		jo	short ??_C@_0BL@JIJBPBNE@SdbpGetPathCustomSdbPreRS3@FNODOBFM@
		push	eax
		popa

loc_5A723C:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A71C8j
					; ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+43j
		jz	short near ptr loc_5A729F+2
		push	52657250h
		push	ebx
		xor	eax, [eax]

??_C@_0BL@IPDIPDIN@AslPathCombine?5failed?5?$FL?$CFx?$FN@FNODOBFM@:
					; DATA XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+104o
					; SdbpGetPathCustomSdbPreRS3(x,x,x,x)+E7o
		inc	ecx
		jnb	short loc_5A72B5
		push	eax
		popa
		jz	short loc_5A72B5
		inc	ebx
		outsd
		insd
		bound	ebp, [ecx+6Eh]

loc_5A7253:				; CODE XREF: ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+Aj
		and	gs:[esi+61h], ah

loc_5A7257:				; CODE XREF: ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+1Bj
		imul	ebp, [ebp+64h],	78255B20h

loc_5A725F:				; CODE XREF: ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+15j
		pop	ebp
		add	ah, cl

??_C@_1BG@OGGJFFOD@?$AAA?$AAp?$AAp?$AAP?$AAa?$AAt?$AAc?$AAh?$AA6?$AA4@FNODOBFM@:
					; DATA XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+27o
		inc	ecx
		add	[eax+0], dh

loc_5A7266:				; CODE XREF: ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+19j
		jo	short $+2
		push	eax

loc_5A7269:				; CODE XREF: ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+25j
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax

loc_5A7270:				; CODE XREF: ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+28j
		push	34003600h
; END OF FUNCTION CHUNK	FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@
; 
		db 3 dup(0)

;  S U B	R O U T	I N E 


??_C@_0DB@LPCMCBIC@SdbpGetProcessHostGuestArchitec@FNODOBFM@ proc near
					; DATA XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+7Fo
					; SdbpGetPathCustomSdbPreRS3(x,x,x,x)+90o
		push	ebx
		bound	esi, fs:[eax+47h]
??_C@_0DB@LPCMCBIC@SdbpGetProcessHostGuestArchitec@FNODOBFM@ endp

		db	65h
		jz	short near ptr loc_5A72CF+1
		jb	short near ptr loc_5A72EE+3

loc_5A7282:				; CODE XREF: ??_C@_0BK@CIBBJEAE@SdbpGetPathAppPatchPreRS3@FNODOBFM@:loc_5A7231j
		arpl	[ebp+73h], sp
; START	OF FUNCTION CHUNK FOR ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@

loc_5A7285:				; CODE XREF: ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+32j
		jnb	short loc_5A72CF
		outsd
		jnb	short near ptr loc_5A72FD+1
		inc	edi
		jnz	short near ptr word_5A72F2
		jnb	short loc_5A7303
		inc	ecx
		jb	short loc_5A72F5
		push	63657469h
		jz	short near ptr loc_5A730D+1
		jb	short near ptr loc_5A72FD+3
		jnb	short near ptr loc_5A72BC+1
		popaw

loc_5A729F:				; CODE XREF: ??_C@_0BK@CIBBJEAE@SdbpGetPathAppPatchPreRS3@FNODOBFM@:loc_5A7235j
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A723Cj
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl
; END OF FUNCTION CHUNK	FOR ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@

;  S U B	R O U T	I N E 


??_C@_0BL@JIJBPBNE@SdbpGetPathCustomSdbPreRS3@FNODOBFM@	proc near
					; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+22Ej
					; DATA XREF: SdbpGetPathCustomSdbPreRS3(x,x,x,x):loc_69546Co
		push	ebx
		bound	esi, fs:[eax+47h]
??_C@_0BL@JIJBPBNE@SdbpGetPathCustomSdbPreRS3@FNODOBFM@	endp

		db	65h
		jz	short near ptr loc_5A7301+1
		popa
		jz	short loc_5A731D
; START	OF FUNCTION CHUNK FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@

loc_5A72B5:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+23Dj
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+241j
		inc	ebx
		jnz	short loc_5A732B
		jz	short near ptr byte_5A7329
		insd
		push	ebx

loc_5A72BC:				; CODE XREF: ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+C3j
		bound	edx, fs:[eax+72h]
		db	65h
		push	edx
		push	ebx
		xor	eax, [eax]
		int	3		; Trap to Debugger

??_C@_1O@KKPPJBFG@?$AAC?$AAu?$AAs?$AAt?$AAo?$AAm@FNODOBFM@:
					; DATA XREF: SdbpGetPathCustomSdbPreRS3(x,x,x,x)+24o
		inc	ebx
		add	[ebp+0], dh
		jnb	short $+2
		jz	short $+2
		outsd

loc_5A72CF:				; CODE XREF: ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@:loc_5A7285j
					; .text:005A727Dj
		add	[ebp+0], ch
; END OF FUNCTION CHUNK	FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@
; 
		dw 0
; 

??_C@_1CA@JIADDLNO@?$AAC?$AAu?$AAs?$AAt?$AAo?$AAm?$AA?2?$AAC?$AAu?$AAs?$AAt?$AAo?$AAm?$AA6?$AA4@FNODOBFM@:
					; DATA XREF: SdbpGetPathCustomSdbPreRS3(x,x,x,x)+41o
		inc	ebx
		add	[ebp+0], dh
		jnb	short $+2
		jz	short $+2
		outsd
		add	[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jnb	short $+2
		jz	short $+2
		outsd
		add	[ebp+0], ch

loc_5A72EE:				; CODE XREF: .text:005A7280j
		add	ss:[eax+eax], dh
; 
word_5A72F2	dw 0			; CODE XREF: ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+B3j

;  S U B	R O U T	I N E 


; wchar_t ??_C
??_C@_19JHEHLFPM@?$AA?2?$AA?$DP?$AA?$DP?$AA?2@FNODOBFM@	proc near
					; DATA XREF: AslPathCleanUstr(x)+61o
					; AslpPathWildcardMakeLeaves(x)+7Bo
		pop	esp
??_C@_19JHEHLFPM@?$AA?2?$AA?$DP?$AA?$DP?$AA?2@FNODOBFM@	endp

; START	OF FUNCTION CHUNK FOR ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@

loc_5A72F5:				; CODE XREF: ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+B8j
		add	[edi], bh
		add	[edi], bh
		add	[eax+eax+0], bl

loc_5A72FD:				; CODE XREF: ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+B0j
					; ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+C1j
					; DATA XREF: ...
		add	[eax+eax+5Ch], bl

loc_5A7301:				; CODE XREF: .text:005A72AFj
		add	[edi], bh

loc_5A7303:				; CODE XREF: ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+B5j
		add	[eax+eax+0], bl
		add	[eax+eax+3Fh], bl ; DATA XREF: AslPathCleanUstr(x)+42o
					; AslpPathWildcardMakeLeaves(x)+59o
		add	[edi], bh

loc_5A730D:				; CODE XREF: ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@+BFj
		add	[eax+eax+55h], bl
		add	[esi+0], cl
		inc	ebx
		add	[eax+eax+0], bl
		add	[eax+eax+5Ch], bl ; DATA XREF: AslPathCleanUstr(x)+90o
					; AslpPathWildcardMakeLeaves(x)+A9o

loc_5A731D:				; CODE XREF: .text:005A72B3j
		add	[esi], ch
		add	[eax+eax+0], bl
		add	[eax+eax+5Ch], bl ; DATA XREF: AslPathCleanUstr(x)+ADo
					; AslpPathWildcardMakeLeaves(x)+C9o
; END OF FUNCTION CHUNK	FOR ??_C@_0CD@JMEIMFB@SdbpCheckApplicationTypeAttribu@FNODOBFM@
; 
		db 0
		db 0
byte_5A7329	db 0			; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+2AEj

;  S U B	R O U T	I N E 


??_C@_0BJ@GPOAMCLL@AslpPathWildcardPeekNode@FNODOBFM@ proc near
					; DATA XREF: AslPathWildcardFindNext(x,x,x)+12Ao
					; AslPathWildcardFindNext(x,x,x)+746o
		inc	ecx
??_C@_0BJ@GPOAMCLL@AslpPathWildcardPeekNode@FNODOBFM@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@

loc_5A732B:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+2ACj
		jnb	short near ptr loc_5A7398+1
		jo	short near ptr loc_5A7378+7
		popa
		jz	short loc_5A739A
		push	edi
		imul	ebp, [esp-0FCh+arg_15B], 50647261h
		db	65h
		imul	ecx, gs:[esi+6Fh], 64h
		db	65h
		add	ah, cl

??_C@_0CF@FHOJMFII@AslpPathWildcardPeekNode?5failed@FNODOBFM@:
					; DATA XREF: AslPathWildcardFindNext(x,x,x)+13Fo
		inc	ecx
		jnb	short near ptr loc_5A73B2+1
		jo	short near ptr loc_5A7398+1
		popa
		jz	short loc_5A73B4
		push	edi
		imul	ebp, [esp-118h+arg_177], 50647261h
		db	65h
		imul	ecx, gs:[esi+6Fh], 64h
		and	gs:[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0CI@FJNDACIF@RtlArrayGet?5failed?5to?5get?5the?5n@FNODOBFM@:
					; DATA XREF: AslPathWildcardFindNext(x,x,x):loc_A23236o
					; AslPathWildcardFindNext(x,x,x):loc_A23852o
		push	edx
		jz	short loc_5A73D9
		inc	ecx
		jb	short loc_5A73E2
		popa
		jns	short near ptr loc_5A73B5+5
		db	65h
		jz	short near ptr loc_5A7395+1
		popaw

loc_5A7378:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+323j
		imul	ebp, [ebp+64h],	206F7420h
		db	67h, 65h
		jz	near ptr 73A4h
		jz	short near ptr loc_5A73ED+1
		and	gs:[esi+65h], ch
		js	short loc_5A7400
		and	[esi+6Fh], ch
		db	64h		; DATA XREF: AslPathWildcardFindFirst(x,x,x,x)+31Co
		add	gs:[ecx+73h], al
		insb

loc_5A7395:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+369j
		jo	short near ptr ??_C@_13IMODFHAA@?$AA?9@FNODOBFM@+3
		popa

loc_5A7398:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A732Bj
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+33Dj
		jz	short near ptr loc_5A7400+2

loc_5A739A:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+326j
		push	edi
		imul	ebp, [esp-164h+arg_1C3], 49647261h
		outsb
		imul	esi, [ebx+edx*2+74h], 6B6361h

??_C@_0BI@JOOHLFOI@AslpPathWildcardPopNode@FNODOBFM@:
					; DATA XREF: AslPathWildcardFindNext(x,x,x)+149o
		inc	ecx
		jnb	short near ptr byte_5A741B
		jo	short near ptr loc_5A7400+1
		popa

loc_5A73B2:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+33Bj
		jz	short ??_C@_1O@MKNEDAKB@?$AA?$AN?$AA?6?$AA?7?$AA?7?$AA?7?$AA?7@FNODOBFM@

loc_5A73B4:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+340j
		push	edi

loc_5A73B5:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+367j
		imul	ebp, [esp-180h+arg_1DF], 50647261h
		outsd
		jo	short near ptr loc_5A7409+5
		outsd
; END OF FUNCTION CHUNK	FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@
; 
		db 64h,	65h, 0

;  S U B	R O U T	I N E 


??_C@_0BP@JCGJLENG@RtlArrayInitialize?5failed?5?$FL?$CFx?$FN@FNODOBFM@ proc near
					; DATA XREF: AslPathWildcardFindFirst(x,x,x,x)+312o

; FUNCTION CHUNK AT 005A7416 SIZE 00000005 BYTES
; FUNCTION CHUNK AT 005A743C SIZE 00000018 BYTES

		push	edx
		jz	short near ptr off_5A7432+1
		inc	ecx
		jb	short loc_5A743C
		popa
		jns	short loc_5A7416
		outsb
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		and	[esi+61h], ah
??_C@_0BP@JCGJLENG@RtlArrayInitialize?5failed?5?$FL?$CFx?$FN@FNODOBFM@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@

loc_5A73D9:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+361j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp

loc_5A73E2:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+364j
		add	ah, cl

??_C@_13IMODFHAA@?$AA?9@FNODOBFM@:	; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A7395j
					; DATA XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+461o ...
		sub	eax, 0D000000h
		add	[edx], cl

loc_5A73EB:				; DATA XREF: AdtpBuildMultiSzStringListString+83F4Fr
					; AdtpBuildMultiSzStringListString+83F77r
		add	[ecx], cl

loc_5A73ED:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+37Aj
		add	[ecx], cl
; END OF FUNCTION CHUNK	FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@
; 
		db 0
		db 2 dup(0)

;  S U B	R O U T	I N E 


; wchar_t ??_C
??_C@_1BC@JBLGCGBA@?$AA?$DM?$AA0?$AAx?$AA?$CF?$AA0?$AA8?$AAX?$AA?$DO@FNODOBFM@ proc near
					; DATA XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+43Fo
		cmp	al, 0
		xor	[eax], al
		js	short $+2
		and	eax, 38003000h
		add	[eax+0], bl
??_C@_1BC@JBLGCGBA@?$AA?$DM?$AA0?$AAx?$AA?$CF?$AA0?$AA8?$AAX?$AA?$DO@FNODOBFM@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@

loc_5A7400:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+380j
					; ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+3A5j ...
		db	3Eh
		add	[eax], al

loc_5A7403:				; DATA XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+490o
		add	ds:25002500h, ah

loc_5A7409:				; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+3B4j
		add	ds:75002500h, ah
; END OF FUNCTION CHUNK	FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@
; 
		db 0
		db 2 dup(0)
; 

??_C@_19KCEMLJNN@?$AA?$CD?$AA?5?$AA?$CF?$AAd@FNODOBFM@:
					; DATA XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+689o
					; AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+2Do
		and	eax, [eax]
		and	[eax], al
; START	OF FUNCTION CHUNK FOR ??_C@_0BP@JCGJLENG@RtlArrayInitialize?5failed?5?$FL?$CFx?$FN@FNODOBFM@

loc_5A7416:				; CODE XREF: ??_C@_0BP@JCGJLENG@RtlArrayInitialize?5failed?5?$FL?$CFx?$FN@FNODOBFM@+7j
		and	eax, 6400h
; END OF FUNCTION CHUNK	FOR ??_C@_0BP@JCGJLENG@RtlArrayInitialize?5failed?5?$FL?$CFx?$FN@FNODOBFM@
; 
byte_5A741B	db 0			; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@+3A3j
; 
; START	OF FUNCTION CHUNK FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@

; void ??_C
??_C@_1O@MKNEDAKB@?$AA?$AN?$AA?6?$AA?7?$AA?7?$AA?7?$AA?7@FNODOBFM@:
					; CODE XREF: ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@:loc_5A73B2j
					; DATA XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x):loc_697E32o ...
		or	eax, 9000A00h
		add	[ecx], cl
		add	[ecx], cl
		add	[ecx], cl
; END OF FUNCTION CHUNK	FOR ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@
; 
		db 0
		db 2 dup(0)
; 

; void ??_C
??_C@_15IOLAJFNF@?$AA?$CF?$AA?$CF@FNODOBFM@:
					; DATA XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+911o
					; AdtpFormatPrefix(x,x,x)+27o
		and	eax, 2500h
; 
		db 0
; 

; void ??_C
??_C@_13KDLDGPGJ@?$AA?7@FNODOBFM@:	; DATA XREF: AdtpFormatPrefix(x,x,x)+56o
		or	[eax], eax
; 
off_5A7432	dd offset loc_45FFFF+1	; CODE XREF: ??_C@_0BP@JCGJLENG@RtlArrayInitialize?5failed?5?$FL?$CFx?$FN@FNODOBFM@+1j
					; DATA XREF: BiSetFirmwareModified+10o	...
		dw 69h
		dd offset unk_6D0072
; 
; START	OF FUNCTION CHUNK FOR ??_C@_0BP@JCGJLENG@RtlArrayInitialize?5failed?5?$FL?$CFx?$FN@FNODOBFM@

loc_5A743C:				; CODE XREF: ??_C@_0BP@JCGJLENG@RtlArrayInitialize?5failed?5?$FL?$CFx?$FN@FNODOBFM@+4j
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[ebp+0], cl
		outsd
		add	[eax+eax+69h], ah
		add	[esi+0], ah
		imul	eax, [eax], 640065h
; END OF FUNCTION CHUNK	FOR ??_C@_0BP@JCGJLENG@RtlArrayInitialize?5failed?5?$FL?$CFx?$FN@FNODOBFM@
; 
off_5A7454	dd offset loc_440000	; DATA XREF: BiSetFirmwareModified+1Bo
					; BiWasFirmwareModified+18o ...
aEscription:
		unicode	0, <escription>,0
??_C@_1EM@PHONPJKB@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAq?$AAu?$AAe?$AAr?$AAy@FNODOBFM@ dd offset loc_610044+2
					; DATA XREF: BiLogFileOwnerProcess(x,x)+10Fo
		dw 69h
		dd offset loc_65006C
aDToQueryProces:
		unicode	0, <d to query processes. Status: %x>,0
; 

??_C@_1EE@DHCKIGJ@?$AAN?$AAo?$AA?5?$AAp?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAe?$AAs?$AA?5?$AAa?$AAr@FNODOBFM@:
					; DATA XREF: BiLogFileOwnerProcess(x,x)+11Fo
		dec	esi
		add	[edi+0], ch
		and	[eax], al
		jo	short $+2
		jb	short $+2
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		add	gs:[ebx+0], dh
		and	[eax], al
		popa
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[ebp+0], dh
		jnb	short $+2
		imul	eax, [eax], 67006Eh
		and	[eax], al
		jz	short $+2
		push	73006900h
		add	[eax], ah
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		add	cs:[eax], al
; 
		db 0
??_C@_1FG@IMCMKLHL@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@FNODOBFM@ dd offset loc_610044+2
					; DATA XREF: BiLogFileOwnerProcess(x,x)+A1o
		dw 69h
		dd offset loc_65006C
aDToOpenFileAtt:
		unicode	0, <d to open file attributes. Status: %x>,0
??_C@_1EM@MMKFALCH@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAa?$AAl?$AAl?$AAo?$AAc@FNODOBFM@ dd offset loc_610044+2
					; DATA XREF: BiLogFileOwnerProcess(x,x)+E1o
aIledToAllocate:
		unicode	0, <iled to allocate process ID	buffer.>,0
??_C@_1FG@CNICICCJ@?$AAA?$AAt?$AAt?$AAe?$AAm?$AAp?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAt?$AAo?$AA?5?$AAd@FNODOBFM@:
					; DATA XREF: BiLogFileOwnerProcess(x,x)+4Do
		unicode	0, <Attempting to determine owner of file %ws.>,0
; 

??_C@_1O@GINMMDNN@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm@FNODOBFM@:
					; DATA XREF: BiLogFileOwnerProcess(x,x):loc_698918o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
off_5A7602	dd offset loc_45FFFF+1	; DATA XREF: BiLogFileOwnerProcess(x,x)+261o
		dd offset loc_69005E+3
		dd offset loc_65006C
		dw 64h
aToQueryProcess:
		unicode	0, < to	query process info. Status: %x>,0
; 

??_C@_1CO@NHPCNFEE@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AA?5?$AAN?$AAa?$AAm?$AAe?$AA?5?$AA?$FL?$AA?$CF@FNODOBFM@:
					; DATA XREF: BiLogFileOwnerProcess(x,x)+21Ao
		push	eax
		add	[edx+0], dh
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		and	[eax], al
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
		and	[eax], al
		pop	ebx
		add	ds:5D006400h, ah
		add	[edx], bh
		add	[eax], ah
		add	ds:73007700h, ah
; 
		db 3 dup(0)
??_C@_1HC@GNNAHMPH@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAq?$AAu?$AAe?$AAr?$AAy@FNODOBFM@ dd offset loc_610044+2
					; DATA XREF: BiLogFileOwnerProcess(x,x)+259o
aIledToQueryPro:
		unicode	0, <iled to query process information for size.	Status:	%x>,0
??_C@_1GM@IKCHKJKN@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAa?$AAl?$AAl?$AAo?$AAc@FNODOBFM@ dd offset loc_610044+2
					; DATA XREF: BiLogFileOwnerProcess(x,x):loc_69896Do
		dw 69h
		dd offset loc_65006C
aDToAllocateMem:
		unicode	0, <d to allocate memory for space for process name.>,0
; 

??_C@_1EI@JACBKJGA@?$AAF?$AAo?$AAu?$AAn?$AAd?$AA?5?$AA?$CF?$AAd?$AA?5?$AAp?$AAr?$AAo?$AAc?$AAe?$AAs@FNODOBFM@:
					; DATA XREF: BiLogFileOwnerProcess(x,x)+127o
		inc	esi
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+20h], ah
		add	ds:20006400h, ah
		add	[eax+0], dh
		jb	short $+2
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		add	gs:[ebx+0], dh
		and	[eax], al
		jnz	short $+2
		jnb	short $+2
		imul	eax, [eax], 67006Eh
		and	[eax], al
		jz	short $+2
		push	73006900h
		add	[eax], ah
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		add	cs:[eax], al
; 
		db 0
??_C@_1EG@GECEKDAJ@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@FNODOBFM@ dd offset loc_610044+2
					; DATA XREF: BiLogFileOwnerProcess(x,x)+273o
		dw 69h
		dd offset loc_65006C
aDToOpenProcess:
		unicode	0, <d to open process. Status: %x>,0
; 

??_C@_1DK@DKFKOOJM@?$AAS?$AAy?$AAs?$AAp?$AAa?$AAr?$AAt?$AAI?$AAs?$AAS?$AAp?$AAa?$AAc?$AAe?$AA?5@FNODOBFM@:
					; DATA XREF: BiSpacesUpdatePhysicalDevicePath(x)+4Ao
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jo	short $+2
		popa
		add	[edx+0], dh
		jz	short $+2
		dec	ecx
		add	[ebx+0], dh
		push	ebx
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[eax], ah
		add	[esi+0], ah
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[esi+0], ah
		outsd
		add	[edx+0], dh
		and	[eax], al
		and	eax, 7300h

loc_5A7829:				; DATA XREF: BiSpacesUpdatePhysicalDevicePath(x)+EFo
		add	[eax+eax+3Fh], bl
		add	[edi], bh
		add	[eax+eax+47h], bl
		add	[eax+eax+4Fh], cl
		add	[edx+0], al
		inc	ecx
		add	[eax+eax+52h], cl
		add	[edi+0], cl
		dec	edi
		add	[eax+eax+0], dl

loc_5A7847:				; DATA XREF: BiSpacesUpdatePhysicalDevicePath(x)+19Fo
		add	[eax+eax+44h], bl
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		pop	esp
		add	[eax+0], cl
		popa
		add	[edx+0], dh
		add	fs:[eax+eax+69h], ah
		add	[ebx+0], dh
		imul	eax, [eax], 25h
		add	[ebp+0], dh
		pop	esp
		add	[eax+0], dl
		popa
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
		and	eax, 7500h

loc_5A7885:				; DATA XREF: BiSpacesUpdatePhysicalDevicePath(x)+F4o
		add	ds:5C007300h, ah
		add	large ds:7300h,	ah

loc_5A7891:				; DATA XREF: BiSpacesUpdatePhysicalDevicePath(x)+174o
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jo	short $+2
		popa
		add	[edx+0], dh
		jz	short $+2
		inc	edi
		add	[ebp+0], ah
		jz	short $+2
		push	eax
		add	[eax+0], ch
		jns	short $+2
		jnb	short $+2
		imul	eax, [eax], 610063h
		insb
		add	[eax+0], dl
		popa
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
		jnb	short $+2
		and	[eax], al
		db	66h
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[edi+0], dh
		imul	eax, [eax], 680074h
		and	[eax], al
		add	gs:[edx+0], dh
		jb	short $+2
		outsd
		add	[edx+0], dh
		and	[eax], al
		arpl	[eax], ax
		outsd
		add	[eax+eax+65h], ah
		add	[edx], bh
		add	[eax], ah
		add	large ds:7800h,	ah

loc_5A7901:				; DATA XREF: BiMapEfiDeviceForSpaces(x,x,x)+AFo
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jo	short $+2
		popa
		add	[edx+0], dh
		jz	short $+2
		dec	ecx
		add	[ebx+0], dh
		push	ebx
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[eax], ah
		add	[esi+0], ah
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[esi+0], ah
		outsd
		add	[edx+0], dh
		and	[eax], al
		jo	short $+2
		popa
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
		and	[eax], al
		jo	short $+2
		popa
		add	[eax+eax+68h], dh
		add	[edx], bh
		add	[eax], ah
		add	large ds:7300h,	ah

loc_5A795B:				; DATA XREF: BgpTxtDisplayCharacter+87D48o
		add	[edx+47h], al
		inc	esi
		pop	eax
		and	[ecx+6Eh], ch
		jz	short near ptr ??_C@_1O@GAOCKAOK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@FNODOBFM@+6
		jb	short loc_5A79D5
		popa
		insb
		and	[esi+6Fh], ah
		outsb
		jz	short loc_5A798F
		db	65h
		jb	short near ptr loc_5A79E1+3
		outsd
		jb	short loc_5A7995
		and	eax, 68632078h
		popa
		jb	short near ptr loc_5A799B+2
		and	eax, 0A2178h

; wchar_t ??_C
??_C@_15FBMLFFBN@?$AA?$CF?$AA1@FNODOBFM@: ; DATA XREF: BcpGetProgressMessages(x,x,x)+14o
		and	eax, 3100h

loc_5A7987:				; DATA XREF: BgpRasPrintGlyph+87B5Do
		add	[edx+47h], al
		inc	esi
		pop	eax
		and	[ecx+6Eh], ch

loc_5A798F:				; CODE XREF: .text:005A796Dj
		jz	short loc_5A79F6
		jb	short near ptr off_5A7A00+1
		popa
		insb

loc_5A7995:				; CODE XREF: .text:005A7973j
		and	[esi+6Fh], ah
		outsb
		jz	short near ptr ??_C@_1BI@KGJMAEC@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAF?$AAl?$AAa?$AAg?$AAs@FNODOBFM@+0Fh

loc_5A799B:				; CODE XREF: .text:005A797Bj
		db	65h
		jb	short loc_5A7A10
		outsd
		jb	short near ptr ??_C@_1BI@KGJMAEC@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAF?$AAl?$AAa?$AAg?$AAs@FNODOBFM@+15h
		arpl	[eax+61h], bp
		jb	short near ptr ??_C@_1O@GAOCKAOK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@FNODOBFM@+2
		and	eax, 0A2178h
		int	3		; Trap to Debugger
; 
??_C@_1BI@KGJMAEC@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAF?$AAl?$AAa?$AAg?$AAs@FNODOBFM@:
					; CODE XREF: .text:005A7999j
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_516544o ...
		unicode	0, <ConfigFlags>,0
??_C@_1O@GAOCKAOK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@FNODOBFM@: ; CODE XREF: .text:005A79A4j
					; .text:005A7963j
					; DATA XREF: ...
		unicode	0, <Driver>,0
??_C@_1BE@JODLJEMN@?$AAC?$AAl?$AAa?$AAs?$AAs?$AAG?$AAU?$AAI?$AAD@FNODOBFM@ db 'C',0
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_516596o
		db 6Ch
; 

loc_5A79D5:				; CODE XREF: .text:005A7965j
		add	[ecx+0], ah
		jnb	short $+2
		jnb	short $+2
		inc	edi
		add	[ebp+0], dl
		dec	ecx

loc_5A79E1:				; CODE XREF: .text:005A796Fj
		add	[eax+eax+0], al
; 
		db 0
; 

??_C@_1BM@BPOEEBIO@?$AAC?$AAo?$AAm?$AAp?$AAa?$AAt?$AAi?$AAb?$AAl?$AAe?$AAI?$AAD?$AAs@FNODOBFM@:
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_516561o
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edx+0], ah

loc_5A79F6:				; CODE XREF: .text:loc_5A798Fj
		insb
		add	[ebp+0], ah
		dec	ecx
		add	[eax+eax+73h], al
; 
		db 0
off_5A7A00	dd offset loc_47FFFE+2	; CODE XREF: .text:005A7991j
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_5164F8o
; 
		popa
		add	[edx+0], dh
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh

loc_5A7A10:				; CODE XREF: .text:loc_5A799Bj
		add	gs:[ecx+0], cl
		inc	esp
; 
		db 3 dup(0)
??_C@_1BG@NKLOKCD@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAD?$AAe?$AAs?$AAc@FNODOBFM@ dd offset loc_650043+1
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_51653Eo
		dd offset loc_690072+4
		dd offset loc_650061+2
		dd offset loc_650043+1
		dd offset loc_630072+1
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1BC@FCJNIDNL@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy@FNODOBFM@ proc near
					; DATA XREF: _MapCmDevicePropertyToRegValue+B4o
					; _MapCmClassPropertyToRegValue(x,x):loc_551923o
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
??_C@_1BC@FCJNIDNL@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy@FNODOBFM@ endp

		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
; 
		dw 0
??_C@_1BK@LMFDGODN@?$AAL?$AAo?$AAw?$AAe?$AAr?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@FNODOBFM@:
					; DATA XREF: _MapCmDevicePropertyToRegValue+7Fo
					; _MapCmClassPropertyToRegValue(x,x)+1Bo
		unicode	0, <LowerFilters>,0

;  S U B	R O U T	I N E 


??_C@_1BK@FNJCPENK@?$AAU?$AAp?$AAp?$AAe?$AAr?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@FNODOBFM@ proc near
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_51656Do
					; _MapCmClassPropertyToRegValue(x,x):loc_551907o
		push	ebp
		add	[eax+0], dh
		jo	short $+2
		add	gs:[edx+0], dh
		inc	esi
		add	[ecx+0], ch
		insb
??_C@_1BK@FNJCPENK@?$AAU?$AAp?$AAp?$AAe?$AAr?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@FNODOBFM@ endp

		add	[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		dw 0

;  S U B	R O U T	I N E 


??_C@_1BC@CCGAPGE@?$AAU?$AAI?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@FNODOBFM@ proc near
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_51657Fo
		push	ebp
		add	[ecx+0], cl
		dec	esi
		add	[ebp+0], dh
		insd
??_C@_1BC@CCGAPGE@?$AAU?$AAI?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@FNODOBFM@ endp

		add	[edx+0], ah
		add	gs:[edx+0], dh
; 
off_5A7A84	dd offset dword_430000	; DATA XREF: _MapCmDevicePropertyToRegValue:loc_516573o
aApabilities:
		unicode	0, <apabilities>,0
??_C@_1CI@ONPCCHIE@?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@FNODOBFM@:
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_5165B4o
		unicode	0, <LocationInformation>,0
??_C@_1BK@BFIEKNFP@?$AAF?$AAr?$AAi?$AAe?$AAn?$AAd?$AAl?$AAy?$AAN?$AAa?$AAm?$AAe@FNODOBFM@:
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_516538o
		unicode	0, <FriendlyName>,0
??_C@_17FABJNEFH@?$AAM?$AAf?$AAg@FNODOBFM@ dd offset locret_66004C+1
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_516579o
		dw 67h
		db 2 dup(0)
; 

??_C@_1BE@GIMFMPPP@?$AAC?$AAl?$AAa?$AAs?$AAs?$AAD?$AAe?$AAs?$AAc@FNODOBFM@:
					; DATA XREF: _MapCmClassPropertyToRegValue(x,x):loc_55193Ao
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
		inc	esp
		add	[ebp+0], ah
		jnb	short $+2
		arpl	[eax], ax
; 
		db 2 dup(0)
; 

??_C@_1BI@NJNACJEM@?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAI?$AAD@FNODOBFM@:
					; DATA XREF: _MapCmDevicePropertyToRegValue+50o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+61h], dh
		add	[ecx+0], ch
		outsb
		add	[ebp+0], ah
		jb	short $+2
		dec	ecx
		add	[eax+eax+0], al
; 
		db 0
??_C@_1BM@MMNDHKFB@?$AAR?$AAe?$AAm?$AAo?$AAv?$AAa?$AAl?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@FNODOBFM@ dd offset loc_650052
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_5165BAo
		dw 6Dh
aOvalpolicy:
		unicode	0, <ovalPolicy>,0
; 

??_C@_1CG@HJGMLNKH@?$AAU?$AAI?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr?$AAD?$AAe?$AAs?$AAc?$AAF?$AAo?$AAr@FNODOBFM@:
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_5E8E31o
		push	ebp
		add	[ecx+0], cl
		dec	esi
		add	[ebp+0], dh
		insd
		add	[edx+0], ah
		add	gs:[edx+0], dh
		inc	esp
		add	[ebp+0], ah
		jnb	short $+2
		arpl	[eax], ax
		inc	esi
		add	[edi+0], ch
		jb	short $+2
		insd
		add	[ecx+0], ah
		jz	short $+2
; 
off_5A7B56	dd offset loc_40FFFE+2	; DATA XREF: _MapCmDevicePropertyToRegValue:loc_516585o
		dd offset loc_640063+1
		dd offset loc_650071+1
		dw 73h
		dd 73h
??_C@_1CM@DIJFBEC@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAh?$AAa?$AAr?$AAa?$AAc?$AAt?$AAe?$AAr@FNODOBFM@	dd offset loc_650043+1
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_5165AEo
					; _MapCmClassPropertyToRegValue(x,x)+4Eo
		dd offset loc_690072+4
		dd offset loc_650061+2
		dd offset loc_68003F+4
aAracteristics:
		unicode	0, <aracteristics>,0
??_C@_1BE@DJHAJDEM@?$AAE?$AAx?$AAc?$AAl?$AAu?$AAs?$AAi?$AAv?$AAe@FNODOBFM@:
					; DATA XREF: _MapCmDevicePropertyToRegValue:loc_5165A8o
					; _MapCmClassPropertyToRegValue(x,x)+37o
		unicode	0, <Exclusive>,0
??_C@_1BG@KCOOGCNN@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAT?$AAy?$AAp?$AAe@FNODOBFM@	dd offset loc_650043+1
					; DATA XREF: _MapCmDevicePropertyToRegValue+C6o
					; _MapCmClassPropertyToRegValue(x,x):loc_551929o
		dd offset loc_690072+4
		dd offset loc_650061+2
aType_1:
		unicode	0, <Type>,0
; 

; wchar_t ??_C
??_C@_15BHOFONJE@?$AA?$CF?$AAX@FNODOBFM@:
					; DATA XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+138o
		and	eax, 5800h

loc_5A7BC3:				; DATA XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+6Co
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[bp+di+0], dl
		arpl	[eax], ax
		outsd
		add	[eax+0], dh
		add	gs:[eax], al

loc_5A7BDB:				; DATA XREF: SC_DISK::IsVbr(void)+41o
		add	[esi+54h], cl
		inc	esi
		push	ebx
		and	[eax], ah
		and	[eax], ah
		add	ah, cl
; 
??_C@_1KC@FOBDNNHK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@ dd offset loc_52005B+1
					; DATA XREF: _RtlpRemovePendingDeleteLanguages+59o
		dd offset loc_670065
		dw 69h
aStryMachineS_5:
		unicode	0, <stry\Machine\System\CurrentControlSet\Control\MUI\UILangu>
		unicode	0, <ages\PendingDelete>,0
; 

; wchar_t ??_C
??_C@_13BBDEGPLJ@?$AA?$CK@FNODOBFM@:	; DATA XREF: RtlpMuiRegAddAlternateCodePage+87F4Bo
		sub	al, [eax]
; 
		dw 0
??_C@_1CE@GCKIPCGP@?$AAA?$AAl?$AAt?$AAe?$AAr?$AAn?$AAa?$AAt?$AAe?$AAC?$AAo?$AAd?$AAe?$AAP?$AAa@FNODOBFM@:
					; DATA XREF: RtlpMuiRegAddAlternateCodePage+14o
		unicode	0, <AlternateCodePage>,0
??_C@_1DO@NJNPPJHL@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAU?$AAI?$AA?9?$AAL?$AAa?$AAn?$AAg@FNODOBFM@ dd offset loc_65004B
					; DATA XREF: RtlpMuiRegLoadLicInformation+1CEo
aRnelMuiLanguag:
		unicode	0, <rnel-MUI-Language-Disallowed>,0
; 

; wchar_t ??_C
??_C@_13PJJBFPED@?$AA?$DL@FNODOBFM@:	; DATA XREF: RtlpMuiRegLoadLicInformation+147o
					; RtlpMuiRegLoadLicInformation+265o ...
		cmp	eax, [eax]
; 
off_5A7CF0	dd offset loc_4AFFFF+1	; DATA XREF: RtlpMuiRegLoadLicInformation+ACo
aErnelMuiLangua:
		unicode	0, <ernel-MUI-Language-Allowed>,0
??_C@_1DE@JIOMGOFI@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAU?$AAI?$AA?9?$AAN?$AAu?$AAm?$AAb@FNODOBFM@ dd offset loc_65004B
					; DATA XREF: RtlpMuiRegLoadLicInformation+7Do
		dw 72h
		dd offset loc_65006C+2
aLMuiNumberAllo:
		unicode	0, <l-MUI-Number-Allowed>,0
??_C@_1CK@MPIDPHBP@?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AAE?$AAx?$AAc?$AAl?$AAu?$AAd?$AAe?$AAd@FNODOBFM@ dd offset loc_690056+1
					; DATA XREF: RtlpMuiRegLoadLicInformation+5Do
		dd offset loc_64006D+1
		dw 6Fh
aWsexcludedproc:
		unicode	0, <wsExcludedProcs>,0
??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@FNODOBFM@:
					; DATA XREF: _RtlpMuiRegLoadInstalledFromKey+13Fo
		unicode	0, <Type>,0
??_C@_1DA@HOOFFHMM@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAU?$AAI?$AA?9?$AAL?$AAa?$AAn?$AAg@FNODOBFM@ dd offset loc_65004B
					; DATA XREF: RtlpMuiRegLoadLicInformation+2ECo
		dw 72h
		dd offset loc_65006C+2
aLMuiLanguageSk:
		unicode	0, <l-MUI-Language-SKU>,0
; 
; START	OF FUNCTION CHUNK FOR ExUnblockPushLockEx

loc_5A7DC2:				; CODE XREF: ExUnblockPushLockEx+Ej
		push	eax
		push	eax
		push	ecx
		push	edx
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A7DD0:				; CODE XREF: ExUnblockPushLockEx+23j
		push	eax
		xor	edx, edx
		call	ExpUnblockPushLock
		leave
		retn
; END OF FUNCTION CHUNK	FOR ExUnblockPushLockEx
; 
; START	OF FUNCTION CHUNK FOR KeQueryUnbiasedInterruptTime

loc_5A7DDA:				; CODE XREF: KeQueryUnbiasedInterruptTime+49j
		mov	ebx, 0FFDF000Ch
		mov	edi, eax
		lea	esi, [ebx-4]

loc_5A7DE4:				; CODE XREF: KeQueryUnbiasedInterruptTime+170F52j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	edx, [ebx]
		mov	ecx, [esi]
		cmp	edx, [edi]
		jnz	short loc_5A7DE4
		mov	esi, [ebp+var_8]
		mov	ebx, 0FFDF03B0h
		mov	edi, [ebp+var_C]
		jmp	loc_436EEF
; END OF FUNCTION CHUNK	FOR KeQueryUnbiasedInterruptTime
; 
; START	OF FUNCTION CHUNK FOR ExfAcquirePushLockExclusiveEx

loc_5A7E04:				; CODE XREF: ExfAcquirePushLockExclusiveEx+152j
		rdtsc
		mov	ecx, edx
		mov	[esp+60h+var_4C], eax
		xor	edx, edx
		mov	[esp+60h+var_40], ecx
		add	[esp+60h+var_50], eax
		adc	edx, ecx
		mov	[esp+60h+var_34], edx

loc_5A7E1C:				; CODE XREF: ExfAcquirePushLockExclusiveEx+16CA07j
		lea	eax, [esp+60h+var_10]
		xor	ecx, ecx
		xor	edx, edx
		invlpg	dl
		mov	eax, [esp+60h+var_10]
		test	al, 2
		jz	loc_43B5F7
		mov	eax, [esp+60h+var_4C]
		mov	ecx, [esp+60h+var_40]
		mov	[esp+60h+var_38], eax
		rdtsc
		mov	[esp+60h+var_4C], eax
		mov	[esp+60h+var_40], edx
		cmp	edx, ecx
		jb	loc_43B5F7
		ja	short loc_5A7E5D
		cmp	eax, [esp+60h+var_38]
		jbe	loc_43B5F7

loc_5A7E5D:				; CODE XREF: ExfAcquirePushLockExclusiveEx+16C9D1j
		cmp	edx, [esp+60h+var_34]
		ja	loc_43B5F7
		mov	eax, [esp+60h+var_50]
		jb	short loc_5A7E77
		cmp	[esp+60h+var_4C], eax
		jnb	loc_43B5F7

loc_5A7E77:				; CODE XREF: ExfAcquirePushLockExclusiveEx+16C9EBj
		mov	ebx, eax
		mov	ecx, 2
		sub	ebx, [esp+60h+var_4C]
		xor	eax, eax
		invlpg	bl
		jmp	short loc_5A7E1C
; END OF FUNCTION CHUNK	FOR ExfAcquirePushLockExclusiveEx
; 
; START	OF FUNCTION CHUNK FOR KiAbThreadUnboostCpuPriority

loc_5A7E89:				; CODE XREF: KiAbThreadUnboostCpuPriority+60j
		push	0
		push	2
		movsx	eax, bl
		push	eax
		push	esi
		push	157h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5A7E9D:				; CODE XREF: KiCheckForThreadDispatch+A3j
		mov	eax, ds:_KeTickCount
		sub	eax, [ecx+138h]
		add	[ecx+170h], eax
		jmp	loc_444787
; END OF FUNCTION CHUNK	FOR KiAbThreadUnboostCpuPriority
; 
; START	OF FUNCTION CHUNK FOR KiCheckForThreadDispatch

loc_5A7EB3:				; CODE XREF: KiCheckForThreadDispatch+2Bj
		mov	cl, 1
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	esi, esi
		jmp	loc_4447C7
; END OF FUNCTION CHUNK	FOR KiCheckForThreadDispatch
; 
; START	OF FUNCTION CHUNK FOR KeYieldProcessorEx

loc_5A7EC2:				; CODE XREF: KeYieldProcessorEx+Aj
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_44CF60
		push	eax
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		retn
; END OF FUNCTION CHUNK	FOR KeYieldProcessorEx
; 
; START	OF FUNCTION CHUNK FOR KiWakeQueueWaiter

loc_5A7ED6:				; CODE XREF: KiWakeQueueWaiter+27j
					; KiWakeQueueWaiter+2Fj ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5A7EDD:				; CODE XREF: KiSignalThread+13Fj
		cmp	edx, 5
		jnz	short loc_5A7EF0
		and	cl, 0FEh
		or	cl, 6
		mov	[esi+54h], cl
		jmp	loc_44E65E
; 

loc_5A7EF0:				; CODE XREF: KiWakeQueueWaiter+15A1F0j
		cmp	edx, 3
		jnz	loc_44E65E
		mov	byte ptr [edi+9], 2
		jmp	loc_44E65E
; END OF FUNCTION CHUNK	FOR KiWakeQueueWaiter
; 
; START	OF FUNCTION CHUNK FOR KiSignalThread

loc_5A7F02:				; CODE XREF: KiSignalThread+78j
					; KiSignalThread+80j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5A7F09:				; CODE XREF: KiSignalThread+A3j
		or	dword ptr [esi+58h], 2
		jmp	loc_44E62E
; END OF FUNCTION CHUNK	FOR KiSignalThread
; 
; START	OF FUNCTION CHUNK FOR MiLockLeafPage

loc_5A7F12:				; CODE XREF: MiLockLeafPage+C1j
		mov	edx, [esp+30h+var_20]
		jmp	loc_47CC59
; END OF FUNCTION CHUNK	FOR MiLockLeafPage
; 
; START	OF FUNCTION CHUNK FOR ExpAcquireSpinLockExclusive

loc_5A7F1B:				; CODE XREF: ExpAcquireSpinLockExclusive+4Fj
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_484445
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_484447
; END OF FUNCTION CHUNK	FOR ExpAcquireSpinLockExclusive
; 
; START	OF FUNCTION CHUNK FOR ExAcquireSpinLockExclusive

loc_5A7F33:				; CODE XREF: ExAcquireSpinLockExclusive+17j
		mov	ecx, [ebp+arg_0]
		mov	dl, bl
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_484CBF
; 

loc_5A7F42:				; CODE XREF: ExAcquireSpinLockExclusive+72j
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_484CF8
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_484CFA
; END OF FUNCTION CHUNK	FOR ExAcquireSpinLockExclusive
; 
; START	OF FUNCTION CHUNK FOR KiIsThreadRankNonZero

loc_5A7F5A:				; CODE XREF: KiIsThreadRankNonZero+21j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edx, large fs:20h
		mov	cl, al
		mov	[ebp+var_1], al
		jmp	loc_48D33C
; 

loc_5A7F71:				; CODE XREF: KiIsThreadRankNonZero+3Fj
					; KiIsThreadRankNonZero+11AC79j
		movzx	ebx, byte ptr [eax+5Ch]
		shr	ebx, 3
		and	ebx, 1
		jnz	loc_48D369
		mov	eax, [eax+0F4h]
		test	eax, eax
		jnz	short loc_5A7F71
		jmp	loc_48D369
; END OF FUNCTION CHUNK	FOR KiIsThreadRankNonZero
; 
; START	OF FUNCTION CHUNK FOR KeQueryTickCount

loc_5A7F90:				; CODE XREF: KeQueryTickCount+25j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		jmp	loc_491DB6
; END OF FUNCTION CHUNK	FOR KeQueryTickCount
; 
; START	OF FUNCTION CHUNK FOR MiDecrementShareCount

loc_5A7F9D:				; CODE XREF: MiDecrementShareCount+1Ej
		sub	ecx, ds:_MmPfnDatabase
		push	edx
		movzx	eax, bl
		and	eax, 7
		push	eax
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		push	eax
		push	99h
		push	4Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5A7FCC:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+1BAj
		push	0
		push	[ebp+var_C]
		push	esi
		push	ebx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A7FDD:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+EEj
		mov	al, 1
		lea	esi, [ebx+222h]
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_18]
		jmp	loc_49D044
; END OF FUNCTION CHUNK	FOR MiDecrementShareCount
; 
; START	OF FUNCTION CHUNK FOR RtlpHpReleaseQueuedLockExclusive

loc_5A7FF2:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+200j
		mov	edx, 1
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_49D146
; 

loc_5A8003:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+22Dj
		push	[ebp+var_18]
		mov	edx, esi
		mov	ecx, ebx
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_49D05B
; 

loc_5A8014:				; CODE XREF: RtlpHpReleaseQueuedLockExclusive+186j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		mov	al, [ebp+var_1]
		jmp	loc_49D0D2
; END OF FUNCTION CHUNK	FOR RtlpHpReleaseQueuedLockExclusive
; 
; START	OF FUNCTION CHUNK FOR RtlpHpAcquireQueuedLockExclusive

loc_5A8026:				; CODE XREF: RtlpHpAcquireQueuedLockExclusive+48j
		mov	dl, bl
		mov	ecx, edi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_49D1F0
; 

loc_5A8034:				; CODE XREF: RtlpHpAcquireQueuedLockExclusive+6Aj
					; RtlpHpAcquireQueuedLockExclusive+10AEE4j
		test	edx, 40000000h
		jnz	short loc_5A804E
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5A8058

loc_5A804E:				; CODE XREF: RtlpHpAcquireQueuedLockExclusive+10AEBAj
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	eax, [edi]

loc_5A8058:				; CODE XREF: RtlpHpAcquireQueuedLockExclusive+10AECCj
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5A8034
		jmp	loc_49D1F0
; END OF FUNCTION CHUNK	FOR RtlpHpAcquireQueuedLockExclusive
; 
; START	OF FUNCTION CHUNK FOR ExReleaseSpinLockExclusiveFromDpcLevel

loc_5A806B:				; CODE XREF: ExReleaseSpinLockExclusiveFromDpcLevel+Dj
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_4AB60C
; END OF FUNCTION CHUNK	FOR ExReleaseSpinLockExclusiveFromDpcLevel
; 
; START	OF FUNCTION CHUNK FOR ExAcquireSpinLockExclusiveAtDpcLevel

loc_5A807B:				; CODE XREF: ExAcquireSpinLockExclusiveAtDpcLevel+Dj
		mov	ecx, [ebp+arg_0]
		or	dl, 0FFh
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_4AB756
; END OF FUNCTION CHUNK	FOR ExAcquireSpinLockExclusiveAtDpcLevel
; 
; START	OF FUNCTION CHUNK FOR ExAcquireSpinLockSharedAtDpcLevel

loc_5A808B:				; CODE XREF: ExAcquireSpinLockSharedAtDpcLevel+Fj
		or	dl, 0FFh
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	loc_4BE6A8
; END OF FUNCTION CHUNK	FOR ExAcquireSpinLockSharedAtDpcLevel
; 
; START	OF FUNCTION CHUNK FOR KeReleaseInStackQueuedSpinLockFromDpcLevel

loc_5A8098:				; CODE XREF: KeReleaseInStackQueuedSpinLockFromDpcLevel+10j
		mov	edx, [ebp+4]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D397B
; END OF FUNCTION CHUNK	FOR KeReleaseInStackQueuedSpinLockFromDpcLevel
; 
; START	OF FUNCTION CHUNK FOR KiEndThreadAccountingPeriod

loc_5A80A5:				; CODE XREF: KiEndThreadAccountingPeriod+1Dj
		mov	dl, [edi+60h]
		mov	esi, [ebx+3B40h]
		sub	esi, [ebx+3B48h]
		movzx	ecx, dl
		mov	edx, [ebx+3B44h]
		sbb	edx, [ebx+3B4Ch]
		add	[ebx+ecx*8+3B50h], esi
		adc	[ebx+ecx*8+3B54h], edx
		and	al, 0EFh
		mov	dword ptr [ebx+3B48h], 0
		mov	dword ptr [ebx+3B4Ch], 0
		mov	[ebp+var_1], al
		jmp	loc_4DE953
; 

loc_5A80EF:				; CODE XREF: KiEndThreadAccountingPeriod+C0j
		mov	edx, [eax+64h]
		jmp	loc_4DEA05
; 

loc_5A80F7:				; CODE XREF: KiEndThreadAccountingPeriod+166j
		mov	eax, [ebp+var_8]
		lea	edi, [edx+8]
		shl	eax, 4
		add	edi, eax
		mov	ecx, [edi]
		add	ecx, [ebp+arg_0]
		mov	eax, [edi+4]
		adc	eax, [ebp+arg_4]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_20], eax

loc_5A8113:				; CODE XREF: KiEndThreadAccountingPeriod+C97FCj
					; KiEndThreadAccountingPeriod+C9801j
		mov	esi, [edi]
		mov	eax, esi
		mov	edx, [edi+4]
		mov	[ebp+var_1C], edx
		nop
		mov	ebx, ecx
		mov	ecx, [ebp+var_20]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+var_10]
		cmp	eax, esi
		jnz	short loc_5A8113
		cmp	edx, [ebp+var_1C]
		jnz	short loc_5A8113
		mov	edi, [ebp+var_C]
		mov	edx, [ebp+var_14]
		jmp	loc_4DEA9C
; 

loc_5A813E:				; CODE XREF: KiEndThreadAccountingPeriod+38j
		and	al, 0BFh
		jmp	loc_4DE96E
; 

loc_5A8145:				; CODE XREF: KiEndThreadAccountingPeriod+8Cj
		cmp	byte ptr [edi+244h], 2
		mov	eax, [ebp+arg_0]
		jz	short loc_5A8165
		add	[ebx+3B78h], eax
		mov	eax, [ebp+arg_4]
		adc	[ebx+3B7Ch], eax
		jmp	loc_4DE9C2
; 

loc_5A8165:				; CODE XREF: KiEndThreadAccountingPeriod+C981Fj
		add	[ebx+3B80h], eax
		mov	eax, [ebp+arg_4]
		adc	[ebx+3B84h], eax
		jmp	loc_4DE9C2
; 

loc_5A8179:				; CODE XREF: KiEndThreadAccountingPeriod+9Bj
		mov	ecx, edi
		call	_KiEndCounterAccumulation@4 ; KiEndCounterAccumulation(x)
		jmp	loc_4DE972
; END OF FUNCTION CHUNK	FOR KiEndThreadAccountingPeriod
; 
; START	OF FUNCTION CHUNK FOR KiAccumulateCycleStats

loc_5A8185:				; CODE XREF: KiAccumulateCycleStats+93j
		mov	eax, [ebp+var_4]
		lea	edi, [ebx+8]
		shl	eax, 4
		add	edi, eax
		mov	ecx, [edi]
		add	ecx, [ebp+arg_0]
		mov	eax, [edi+4]
		adc	eax, [ebp+arg_4]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_1C], eax

loc_5A81A1:				; CODE XREF: KiAccumulateCycleStats+C95FAj
					; KiAccumulateCycleStats+C95FFj
		mov	esi, [edi]
		mov	eax, esi
		mov	edx, [edi+4]
		mov	[ebp+var_18], edx
		nop
		mov	ebx, ecx
		mov	ecx, [ebp+var_1C]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+var_C]
		cmp	eax, esi
		jnz	short loc_5A81A1
		cmp	edx, [ebp+var_18]
		jnz	short loc_5A81A1
		mov	edi, [ebp+var_8]
		mov	ebx, [ebp+var_10]
		jmp	loc_4DEC59
; 

loc_5A81CC:				; CODE XREF: KiAccumulateCycleStats+A0j
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_4]
		add	ecx, 10h
		lea	eax, [ecx+eax*2]
		lea	edi, [ebx+eax*8]
		mov	ecx, [edi]
		add	ecx, [ebp+arg_0]
		mov	eax, [edi+4]
		adc	eax, [ebp+arg_4]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_1C], eax

loc_5A81EC:				; CODE XREF: KiAccumulateCycleStats+C9645j
					; KiAccumulateCycleStats+C964Aj
		mov	esi, [edi]
		mov	eax, esi
		mov	edx, [edi+4]
		mov	[ebp+var_18], edx
		nop
		mov	ebx, ecx
		mov	ecx, [ebp+var_1C]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+var_10]
		cmp	eax, esi
		jnz	short loc_5A81EC
		cmp	edx, [ebp+var_18]
		jnz	short loc_5A81EC
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_14]
		mov	edi, [ebp+var_8]
		lea	ecx, [ecx+eax*2]
		mov	eax, [edi+36Ch]
		lea	ecx, [ecx+8]
		mov	eax, [eax+388h]
		lea	eax, [eax+ecx*8]
		mov	[ebp+var_8], eax

loc_5A822D:				; CODE XREF: KiAccumulateCycleStats+C9693j
					; KiAccumulateCycleStats+C9697j
		mov	esi, [eax]
		mov	ebx, esi
		mov	edi, [eax+4]
		mov	ecx, edi
		add	ebx, [ebp+arg_0]
		mov	eax, esi
		mov	[ebp+var_1C], edi
		mov	edx, edi
		adc	ecx, [ebp+arg_4]
		nop
		mov	edi, [ebp+var_8]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_1C]
		cmp	eax, esi
		mov	eax, [ebp+var_8]
		jnz	short loc_5A822D
		cmp	edx, edi
		jnz	short loc_5A822D
		jmp	loc_4DEC66
; END OF FUNCTION CHUNK	FOR KiAccumulateCycleStats
; 
; START	OF FUNCTION CHUNK FOR KiIpiProcessRequest

loc_5A825E:				; CODE XREF: KiIpiProcessRequest+3Dj
		push	0
		mov	edx, 40400000h
		lea	ecx, [ebp+var_28]
		mov	bl, 1
		call	EtwGetKernelTraceTimestampSilo
		jmp	loc_4DF4D5
; 

loc_5A8274:				; CODE XREF: KiIpiProcessRequest+76j
		push	[ebp+var_2C]
		mov	edx, [ebp+var_30]
		lea	ecx, [ebp+var_28]
		call	_PerfInfoLogIpiReceive@12 ; PerfInfoLogIpiReceive(x,x,x)
		jmp	loc_4DF50C
; END OF FUNCTION CHUNK	FOR KiIpiProcessRequest
; 
; START	OF FUNCTION CHUNK FOR ExTryAcquirePushLockSharedEx

loc_5A8287:				; CODE XREF: ExTryAcquirePushLockSharedEx+29j
		push	0
		push	0
		push	edx
		push	eax
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A8297:				; CODE XREF: ExTryAcquirePushLockSharedEx+80j
		cmp	byte ptr [esi+222h], 0
		lea	ecx, [esi+222h]
		jz	short loc_5A82B7
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al
		jmp	loc_4DF6F6
; 

loc_5A82B7:				; CODE XREF: ExTryAcquirePushLockSharedEx+C8C34j
		xor	edi, edi
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4DF714
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [ebp-8]
		jmp	loc_4DF714
; 

loc_5A82D8:				; CODE XREF: ExTryAcquirePushLockSharedEx+A6j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_4DF759
; 

loc_5A82E5:				; CODE XREF: ExTryAcquirePushLockSharedEx+C7j
					; ExTryAcquirePushLockSharedEx+D9j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	eax, [ebp-4]
		jmp	loc_4DF752
; END OF FUNCTION CHUNK	FOR ExTryAcquirePushLockSharedEx
; 
; START	OF FUNCTION CHUNK FOR PsGetPermanentSiloContext

loc_5A82FA:				; CODE XREF: PsGetPermanentSiloContext+21j
		add	eax, 0FFFFFFE0h
		cmp	eax, 100h
		jnb	short loc_5A8317
		mov	edx, [edx+100h]
		test	edx, edx
		jz	loc_4E79A9
		jmp	loc_4E7987
; 

loc_5A8317:				; CODE XREF: PsGetPermanentSiloContext+C09A2j
		mov	eax, 0C000000Dh
		jmp	loc_4E799D
; END OF FUNCTION CHUNK	FOR PsGetPermanentSiloContext
; 
; START	OF FUNCTION CHUNK FOR ObReferenceObjectExWithTag

loc_5A8321:				; CODE XREF: ObReferenceObjectExWithTag+20j
		add	eax, edi
		push	eax
		push	10h
		push	ebx
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5A8331:				; CODE XREF: ExReleaseSpinLockShared+Cj
		mov	edx, [ebp+4]
		mov	ecx, [ebp+8]
		call	@ExpReleaseSpinLockSharedFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockSharedFromDpcLevelInstrumented(x,x)
		jmp	loc_4EB168
; END OF FUNCTION CHUNK	FOR ObReferenceObjectExWithTag
; 
; START	OF FUNCTION CHUNK FOR ExReleaseSpinLockExclusive

loc_5A8341:				; CODE XREF: ExReleaseSpinLockExclusive+Cj
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_4F7505
; END OF FUNCTION CHUNK	FOR ExReleaseSpinLockExclusive
; 
; START	OF FUNCTION CHUNK FOR KiMoveApcState

loc_5A8351:				; CODE XREF: KiMoveApcState+22j
		mov	eax, [esi+4]
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	[ecx+4], edx
		mov	[eax], edx
		jmp	loc_4F921D
; 

loc_5A8363:				; CODE XREF: KiMoveApcState+3Bj
		mov	eax, [esi+0Ch]
		mov	[ecx], edi
		mov	[edx+0Ch], eax
		mov	[edi+4], ecx
		mov	[eax], ecx
		jmp	loc_4F9236
; END OF FUNCTION CHUNK	FOR KiMoveApcState
; 
; START	OF FUNCTION CHUNK FOR KiReduceByEffectiveIdleSmtSet

loc_5A8375:				; CODE XREF: KiReduceByEffectiveIdleSmtSet+35j
		cmp	dword ptr [ecx+3B20h], 0
		jnz	loc_4FE66F
		cmp	byte ptr [ecx+11h], 0
		push	edi
		mov	edi, [ecx+4]
		jnz	short loc_5A8397
		cli
		push	0
		mov	edx, edi
		call	_KiUpdateTotalCyclesCurrentThread@12 ; KiUpdateTotalCyclesCurrentThread(x,x,x)
		sti

loc_5A8397:				; CODE XREF: KiReduceByEffectiveIdleSmtSet+A9D3Cj
		mov	ecx, [edi+40h]
		mov	eax, [edi+44h]
		pop	edi
		cmp	ecx, eax
		jnb	short loc_5A83B0
		sub	eax, ecx
		cmp	eax, ds:_KiShortExecutionCycles
		jnb	loc_4FE66F

loc_5A83B0:				; CODE XREF: KiReduceByEffectiveIdleSmtSet+A9D52j
		and	[ebx], esi
		mov	al, 1
		jmp	loc_4FE671
; END OF FUNCTION CHUNK	FOR KiReduceByEffectiveIdleSmtSet
; 
; START	OF FUNCTION CHUNK FOR KiInsertQueueInternal

loc_5A83B9:				; CODE XREF: KiInsertQueueInternal+33j
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)
		jmp	loc_503623
; 

loc_5A83D3:				; CODE XREF: KiInsertQueueInternal+57j
		cmp	byte ptr [ecx+18Bh], 0Fh
		jz	loc_503663
		jmp	loc_503647
; END OF FUNCTION CHUNK	FOR KiInsertQueueInternal
; 
; START	OF FUNCTION CHUNK FOR ExTryConvertPushLockSharedToExclusiveEx

loc_5A83E5:				; CODE XREF: ExTryConvertPushLockSharedToExclusiveEx+Bj
		push	0
		push	0
		push	esi
		push	edx
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5A83F6:				; CODE XREF: KePollFreezeExecution+14j
		mov	ecx, 0FFFFFFFCh
		lock xadd [eax], ecx
		xor	edx, edx
		xor	ecx, ecx
		jmp	_KiFreezeTargetExecution@8 ; KiFreezeTargetExecution(x,x)
; END OF FUNCTION CHUNK	FOR ExTryConvertPushLockSharedToExclusiveEx
; 
; START	OF FUNCTION CHUNK FOR KiStackAttachProcess

loc_5A8408:				; CODE XREF: KiStackAttachProcess+27Aj
					; KiStackAttachProcess+90C14j
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5A8408
		jmp	loc_517A75
; 

loc_5A841B:				; CODE XREF: KiStackAttachProcess+1B2j
		push	ebx
		call	_HvlSwitchVirtualAddressSpace@4	; HvlSwitchVirtualAddressSpace(x)
		jmp	loc_5179BB
; 

loc_5A8426:				; CODE XREF: KiStackAttachProcess+1DDj
		mov	ecx, edi
		call	@KiLoadLdtr@4	; KiLoadLdtr(x)
		mov	edx, [ebp+var_8]
		mov	eax, [edi+24h]
		mov	ecx, [edx+38h]
		mov	[ecx+108h], eax
		mov	eax, [edi+28h]
		mov	[ecx+10Ch], eax
		jmp	loc_5179E6
; END OF FUNCTION CHUNK	FOR KiStackAttachProcess
; 
; START	OF FUNCTION CHUNK FOR KiAttachProcess

loc_5A844A:				; CODE XREF: KiAttachProcess+1B6j
					; KiAttachProcess+8D996j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5A844A
		jmp	loc_51AC71
; 

loc_5A845D:				; CODE XREF: KiAttachProcess+124j
		push	edi
		call	_HvlSwitchVirtualAddressSpace@4	; HvlSwitchVirtualAddressSpace(x)
		jmp	loc_51ABED
; 

loc_5A8468:				; CODE XREF: KiAttachProcess+14Fj
		mov	ecx, ebx
		call	@KiLoadLdtr@4	; KiLoadLdtr(x)
		mov	edx, [ebp+arg_8]
		mov	eax, [ebx+24h]
		mov	ecx, [edx+38h]
		mov	[ecx+108h], eax
		mov	eax, [ebx+28h]
		mov	[ecx+10Ch], eax
		jmp	loc_51AC18
; END OF FUNCTION CHUNK	FOR KiAttachProcess
; 

loc_5A848C:				; CODE XREF: .text:0051B98Bj
		mov	al, 1Fh
		mov	[ebp-1], al
		jmp	loc_51B9B5
; 

loc_5A8496:				; CODE XREF: .text:005A84D6j
		mov	al, [ebp-1]

loc_5A8499:				; CODE XREF: .text:0051B9BCj
		cmp	word ptr [esi+13Eh], 0
		jnz	short loc_5A84D8
		cmp	al, 1
		jnb	short loc_5A84D8
		lea	edi, [esi+2Ch]
		mov	cl, al
		mov	dword ptr [edi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp-1], al
		mov	dword ptr [ebp-14h], 0

loc_5A84C8:				; CODE XREF: .text:005A84EEj
		lock bts dword ptr [edi], 0
		jb	short loc_5A84E0
		cmp	byte ptr [esi+85h], 0
		jnz	short loc_5A8496

loc_5A84D8:				; CODE XREF: .text:005A84A1j
					; .text:005A84A5j
		mov	edx, [ebp-0Ch]
		jmp	loc_51B9C2
; 

loc_5A84E0:				; CODE XREF: .text:005A84CDj
					; .text:005A84ECj
		lea	ecx, [ebp-14h]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5A84E0
		jmp	short loc_5A84C8
; 

loc_5A84F0:				; CODE XREF: .text:0051BAC4j
		push	eax
		call	_HvlSwitchVirtualAddressSpace@4	; HvlSwitchVirtualAddressSpace(x)
		jmp	loc_51BACD
; 

loc_5A84FB:				; CODE XREF: .text:0051BAEFj
		mov	ecx, ebx
		call	@KiLoadLdtr@4	; KiLoadLdtr(x)
		mov	edx, [ebp-0Ch]
		mov	eax, [ebx+24h]
		mov	ecx, [edx+38h]
		mov	[ecx+108h], eax
		mov	eax, [ebx+28h]
		mov	[ecx+10Ch], eax
		jmp	loc_51BAF8
; 

loc_5A851F:				; CODE XREF: .text:0051BBC2j
		cmp	edx, 8
		jb	loc_51BBB0
		jmp	loc_51BB89
; 

loc_5A852D:				; CODE XREF: .text:0051EC59j
		mov	bl, 1
		jmp	loc_51ECFA
; 

loc_5A8534:				; CODE XREF: .text:0051EDA8j
		mov	edx, [ecx]
		cmp	[ecx+4], eax
		jnz	loc_51EE00
		cmp	[edx+4], ecx
		jnz	loc_51EE00
		push	736F6F42h
		mov	[eax], edx
		push	ecx
		mov	[edx+4], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_51ED9A
; 

loc_5A855D:				; CODE XREF: .text:0051ED5Aj
		test	ecx, ecx
		jz	loc_51EDAE
		mov	edx, [edi+348h]
		lea	eax, [edi+344h]
		cmp	[edx], eax
		jnz	loc_51EE00
		jmp	loc_51EDF0
; 

loc_5A857E:				; CODE XREF: .text:0051EDC3j
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_51EDCE
; 
; START	OF FUNCTION CHUNK FOR ExReleasePushLockSharedEx

loc_5A858D:				; CODE XREF: ExReleasePushLockSharedEx+Ej
		push	0
		push	0
		push	esi
		push	ebx
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5A859E:				; CODE XREF: KeAbPostRelease+130j
		lea	esi, [ebx+222h]
		lock or	[esi], al
		jmp	loc_51F64C
; END OF FUNCTION CHUNK	FOR ExReleasePushLockSharedEx
; 
; START	OF FUNCTION CHUNK FOR KeAbPostRelease

loc_5A85AC:				; CODE XREF: KeAbPostRelease+1ABj
		push	0
		push	ecx
		push	esi
		push	ebx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A85BB:				; CODE XREF: KeAbPostRelease+20Bj
		mov	edx, [ebp+var_10]
		mov	ecx, ebx
		push	esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_51F661
; END OF FUNCTION CHUNK	FOR KeAbPostRelease
; 
; START	OF FUNCTION CHUNK FOR ObfDereferenceObject

loc_5A85CB:				; CODE XREF: ObfDereferenceObject+18j
		push	746C6644h
		push	1
		xor	dl, dl
		mov	ecx, edi
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		jmp	loc_51F76E
; 

loc_5A85E0:				; CODE XREF: ObfDereferenceObject+38j
		push	eax
		mov	eax, edi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		push	1
		xor	ecx, eax
		push	ebx
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		push	eax
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A860A:				; CODE XREF: ObfDereferenceObject+40j
		push	esi
		push	2
		push	ebx
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5A8618:				; CODE XREF: KeAbPreAcquire+35j
		xor	eax, eax
		jmp	loc_51FCDE
; END OF FUNCTION CHUNK	FOR ObfDereferenceObject
; 
; START	OF FUNCTION CHUNK FOR KeAbPreAcquire

loc_5A861F:				; CODE XREF: KeAbPreAcquire+10Dj
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	dword ptr [ebp-4]
		push	esi
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A8639:				; CODE XREF: KeAbPreAcquire+1B7j
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [ebp-4]
		jmp	loc_51FC75
; END OF FUNCTION CHUNK	FOR KeAbPreAcquire
; 
; START	OF FUNCTION CHUNK FOR ExAcquirePushLockExclusiveEx

loc_5A8648:				; CODE XREF: ExAcquirePushLockExclusiveEx+29j
		push	0
		push	0
		push	edx
		push	eax
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A8658:				; CODE XREF: ExAcquirePushLockExclusiveEx+162j
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [ebp-4]
		jmp	loc_520278
; 

loc_5A8667:				; CODE XREF: ExAcquirePushLockExclusiveEx+31j
					; ExAcquirePushLockExclusiveEx+48j
		xor	edi, edi
		jmp	loc_520218
; END OF FUNCTION CHUNK	FOR ExAcquirePushLockExclusiveEx
; 
; START	OF FUNCTION CHUNK FOR ExAcquirePushLockSharedEx

loc_5A866E:				; CODE XREF: ExAcquirePushLockSharedEx+29j
		push	0
		push	0
		push	edx
		push	eax
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A867E:				; CODE XREF: ExAcquirePushLockSharedEx+17Aj
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [ebp-4]
		jmp	loc_520440
; 

loc_5A868D:				; CODE XREF: ExAcquirePushLockSharedEx+31j
					; ExAcquirePushLockSharedEx+48j
		xor	edi, edi
		jmp	loc_5203C4
; END OF FUNCTION CHUNK	FOR ExAcquirePushLockSharedEx
; 
; START	OF FUNCTION CHUNK FOR KiAbThreadRemoveBoosts

loc_5A8694:				; CODE XREF: KiAbThreadRemoveBoosts+5Bj
		mov	eax, [edi]
		mov	ecx, ebx
		mov	edx, [ebp+var_4]
		and	eax, 1FFFFh
		push	eax
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_520485
; END OF FUNCTION CHUNK	FOR KiAbThreadRemoveBoosts
; 
; START	OF FUNCTION CHUNK FOR ExReleasePushLockExclusiveEx

loc_5A86AB:				; CODE XREF: ExReleasePushLockExclusiveEx+18j
		push	0
		push	0
		push	edx
		push	ebx
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A86BB:				; CODE XREF: ExReleasePushLockExclusiveEx+160j
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	ebx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A86CE:				; CODE XREF: ExReleasePushLockExclusiveEx+E9j
		lea	esi, [ebx+222h]
		lock or	[esi], al
		jmp	loc_5205E5
; 

loc_5A86DC:				; CODE XREF: ExReleasePushLockExclusiveEx+1BAj
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		push	esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_5205F6
; END OF FUNCTION CHUNK	FOR ExReleasePushLockExclusiveEx
; 
; START	OF FUNCTION CHUNK FOR ExReleasePushLockEx

loc_5A86EC:				; CODE XREF: ExReleasePushLockEx+1Aj
		push	0
		push	0
		push	ebx
		push	eax
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A86FC:				; CODE XREF: ExReleasePushLockEx+180j
		lea	esi, [ebx+222h]
		lock or	[esi], al
		jmp	loc_5208EC
; 

loc_5A870A:				; CODE XREF: ExReleasePushLockEx+1F1j
		push	0
		push	[ebp+var_8]
		push	edx
		push	ebx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A871B:				; CODE XREF: ExReleasePushLockEx+24Aj
		mov	edx, [ebp+var_14]
		mov	ecx, ebx
		push	esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_5208FD
; END OF FUNCTION CHUNK	FOR ExReleasePushLockEx
; 
; START	OF FUNCTION CHUNK FOR KiTryUnwaitThread

loc_5A872B:				; CODE XREF: KiTryUnwaitThread+1D5j
		cmp	eax, 5
		jnz	short loc_5A8740
		and	cl, 0FEh
		or	cl, 6
		xor	bl, bl
		mov	[esi+54h], cl
		jmp	loc_5253B6
; 

loc_5A8740:				; CODE XREF: KiTryUnwaitThread+8345Ej
		mov	edx, [ebp+var_4]
		cmp	eax, 3
		jnz	loc_5253A7
		mov	byte ptr [edi+9], 2
		jmp	loc_5253A7
; 

loc_5A8755:				; CODE XREF: KiTryUnwaitThread+157j
					; KiTryUnwaitThread+15Fj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5A875C:				; CODE XREF: KiTryUnwaitThread+79j
		or	dword ptr [esi+58h], 2
		jmp	loc_525374
; END OF FUNCTION CHUNK	FOR KiTryUnwaitThread
; 
; START	OF FUNCTION CHUNK FOR IopFreeIrp

loc_5A8765:				; CODE XREF: IopFreeIrp+Fj
		push	0
		push	0
		push	2636h
		push	esi
		push	44h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A8776:				; CODE XREF: IopFreeIrp+2Cj
		mov	ecx, esi
		call	_IopFreeReserveIrp@8 ; IopFreeReserveIrp(x,x)
		jmp	loc_5264DA
; 

loc_5A8782:				; CODE XREF: IopFreeIrp+3Ej
		xor	cl, 8
		mov	[esi+27h], cl
		lock inc dword ptr [eax+3CE4h]
		mov	cl, [esi+27h]
		jmp	loc_526444
; END OF FUNCTION CHUNK	FOR IopFreeIrp
; 
; START	OF FUNCTION CHUNK FOR KeReleaseInStackQueuedSpinLock

loc_5A8797:				; CODE XREF: KeReleaseInStackQueuedSpinLock+10j
		mov	edx, [ebp+4]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_52AC2B
; END OF FUNCTION CHUNK	FOR KeReleaseInStackQueuedSpinLock
; 
; START	OF FUNCTION CHUNK FOR KiAbEntryRemoveFromTree

loc_5A87A4:				; CODE XREF: KiAbEntryRemoveFromTree+395j
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	loc_52F3A0
; END OF FUNCTION CHUNK	FOR KiAbEntryRemoveFromTree
; 
; START	OF FUNCTION CHUNK FOR ObpIncrPointerCount

loc_5A87AE:				; CODE XREF: ObpIncrPointerCount+Bj
		push	eax
		push	10h
		lea	eax, [ecx+18h]
		push	eax
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5A87BF:				; CODE XREF: ObpTraceObjectReferenceIfActive+Fj
		push	dword ptr [ebp+8]
		push	edx
		mov	dl, 1
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		jmp	loc_537C67
; END OF FUNCTION CHUNK	FOR ObpIncrPointerCount
; 
; START	OF FUNCTION CHUNK FOR KiEndThreadCycleAccumulation

loc_5A87CF:				; CODE XREF: KiEndThreadCycleAccumulation+DBj
		mov	edx, [eax+64h]
		jmp	loc_539570
; 

loc_5A87D7:				; CODE XREF: KiEndThreadCycleAccumulation+181j
		mov	eax, [ebp+var_10]
		lea	edi, [ebx+8]
		shl	eax, 4
		add	edi, eax
		mov	ecx, [edi]
		add	ecx, [ebp+var_C]
		mov	eax, [edi+4]
		adc	eax, [ebp+var_8]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_38], eax

loc_5A87F3:				; CODE XREF: KiEndThreadCycleAccumulation+6F38Cj
					; KiEndThreadCycleAccumulation+6F391j
		mov	esi, [edi]
		mov	eax, esi
		mov	edx, [edi+4]
		mov	[ebp+var_34], edx
		nop
		mov	ebx, ecx
		mov	ecx, [ebp+var_38]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+var_20]
		cmp	eax, esi
		jnz	short loc_5A87F3
		cmp	edx, [ebp+var_34]
		jnz	short loc_5A87F3
		mov	edi, [ebp+var_14]
		mov	ebx, [ebp+var_24]
		jmp	loc_539607
; 

loc_5A881E:				; CODE XREF: KiEndThreadCycleAccumulation+19Ej
		and	al, 0BFh
		jmp	loc_539624
; 

loc_5A8825:				; CODE XREF: KiEndThreadCycleAccumulation+209j
		cmp	byte ptr [edi+244h], 2
		jz	short loc_5A883F
		add	[ebx+3B78h], esi
		adc	[ebx+3B7Ch], eax
		jmp	loc_53968F
; 

loc_5A883F:				; CODE XREF: KiEndThreadCycleAccumulation+6F3ACj
		add	[ebx+3B80h], esi
		adc	[ebx+3B84h], eax
		jmp	loc_53968F
; 

loc_5A8850:				; CODE XREF: KiEndThreadCycleAccumulation+218j
		mov	ecx, edi
		call	_KiEndCounterAccumulation@4 ; KiEndCounterAccumulation(x)
		jmp	loc_539628
; END OF FUNCTION CHUNK	FOR KiEndThreadCycleAccumulation
; 
; START	OF FUNCTION CHUNK FOR KiStartThreadCycleAccumulation

loc_5A885C:				; CODE XREF: KiStartThreadCycleAccumulation+87j
		mov	ecx, [ecx+64h]
		jmp	loc_53989C
; 

loc_5A8864:				; CODE XREF: KiStartThreadCycleAccumulation+112j
		xor	dl, dl
		mov	ecx, edi
		call	@KiBeginCounterAccumulation@8 ;	KiBeginCounterAccumulation(x,x)
		jmp	loc_539918
; END OF FUNCTION CHUNK	FOR KiStartThreadCycleAccumulation
; 
; START	OF FUNCTION CHUNK FOR ObfReferenceObjectWithTag

loc_5A8872:				; CODE XREF: ObfReferenceObjectWithTag+16j
		push	edx
		push	1
		mov	dl, 1
		mov	ecx, esi
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		jmp	loc_53AC2C
; 

loc_5A8883:				; CODE XREF: ObfReferenceObjectWithTag+29j
		push	eax
		push	10h
		push	edi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5A8891:				; CODE XREF: ObDereferenceObjectDeferDeleteWithTag+14j
		push	[ebp+arg_4]
		xor	dl, dl
		mov	ecx, edi
		push	1
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		dec	eax
		test	eax, eax
		jg	loc_53AC76
		jmp	loc_53AC7C
; END OF FUNCTION CHUNK	FOR ObfReferenceObjectWithTag
; 
; START	OF FUNCTION CHUNK FOR ObDereferenceObjectDeferDeleteWithTag

loc_5A88B4:				; CODE XREF: ObDereferenceObjectDeferDeleteWithTag+31j
		push	ecx
		mov	eax, edi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		push	3
		xor	ecx, eax
		push	esi
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		push	eax
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A88DE:				; CODE XREF: ObDereferenceObjectDeferDeleteWithTag+39j
		push	eax
		push	4
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5A88EC:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+26j
		push	0
		push	0
		push	ecx
		push	edx
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A88FC:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+181j
		mov	edx, ecx
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	loc_53AE21
; END OF FUNCTION CHUNK	FOR ObDereferenceObjectDeferDeleteWithTag
; 
; START	OF FUNCTION CHUNK FOR ExTryAcquirePushLockExclusiveEx

loc_5A890A:				; CODE XREF: ExTryAcquirePushLockExclusiveEx+114j
					; ExTryAcquirePushLockExclusiveEx+126j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp-4]
		jmp	loc_53AE5F
; END OF FUNCTION CHUNK	FOR ExTryAcquirePushLockExclusiveEx
; 
; START	OF FUNCTION CHUNK FOR PspStorageGetUnreferencedObject

loc_5A891D:				; CODE XREF: PspStorageGetUnreferencedObject+30j
		test	cl, 1
		jnz	short loc_5A892C
		mov	eax, 0C00000BBh
		jmp	locret_53CEA7
; 

loc_5A892C:				; CODE XREF: PspStorageGetUnreferencedObject+6BAB4j
		mov	eax, [ebp+arg_0]
		and	ecx, 0FFFFFFFEh
		mov	[eax], ecx
		xor	eax, eax
		jmp	locret_53CEA7
; END OF FUNCTION CHUNK	FOR PspStorageGetUnreferencedObject
; 
; START	OF FUNCTION CHUNK FOR PspGetStorageArrayIfPossible

loc_5A893B:				; CODE XREF: PspGetStorageArrayIfPossible+8j
		add	edx, 0FFFFFFE0h
		cmp	edx, 100h
		jnb	short loc_5A895E
		mov	ecx, [ecx+100h]
		test	ecx, ecx
		jnz	loc_53CEBA
		mov	eax, 0C0000225h
		jmp	loc_53CEC6
; 

loc_5A895E:				; CODE XREF: PspGetStorageArrayIfPossible+6BA98j
		mov	eax, 0C000000Dh
		jmp	loc_53CEC6
; END OF FUNCTION CHUNK	FOR PspGetStorageArrayIfPossible
; 
; START	OF FUNCTION CHUNK FOR KfReleaseSpinLock

loc_5A8968:				; CODE XREF: KfReleaseSpinLock+10j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_53D7EB
; END OF FUNCTION CHUNK	FOR KfReleaseSpinLock
; 
; START	OF FUNCTION CHUNK FOR ExpUpdateTimerResolution

loc_5A8975:				; CODE XREF: ExpUpdateTimerResolution+18j
		mov	bh, [eax]
		jmp	loc_4308A4
; 

loc_5A897C:				; CODE XREF: ExpUpdateTimerResolution+BDj
		mov	eax, ds:_ExpKernelRequestedTimerResolution
		cmp	eax, edx
		jnb	loc_430937
		mov	edx, eax
		mov	[ebp+var_4], edx
		jmp	loc_430937
; 

loc_5A8993:				; CODE XREF: ExpUpdateTimerResolution+D9j
		mov	ecx, [eax+0Ch]
		cmp	ecx, edx
		jnb	loc_430953
		test	dword ptr [eax+34h], 4000000h
		jnz	loc_430953
		mov	edx, ecx
		mov	[ebp+var_4], edx
		jmp	loc_430953
; 

loc_5A89B5:				; CODE XREF: ExpUpdateTimerResolution+53j
		mov	edx, eax
		mov	[ebp+var_4], edx
		jmp	loc_4308CD
; 

loc_5A89BF:				; CODE XREF: ExpUpdateTimerResolution+78j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4308F7
; 

loc_5A89CE:				; CODE XREF: ExpUpdateTimerResolution+3Aj
					; ExpUpdateTimerResolution+46j	...
		test	ds:byte_70EFC6,	1
		jz	short loc_5A89E3
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5A89E8
; 

loc_5A89E3:				; CODE XREF: ExpUpdateTimerResolution+178161j
		xor	eax, eax
		lock and [edi],	eax

loc_5A89E8:				; CODE XREF: ExpUpdateTimerResolution+17816Dj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, ds:_KeTimeIncrement
		jmp	loc_43091A
; END OF FUNCTION CHUNK	FOR ExpUpdateTimerResolution
; 
; START	OF FUNCTION CHUNK FOR PoTraceSystemTimerResolutionUpdate

loc_5A89FA:				; CODE XREF: PoTraceSystemTimerResolutionUpdate+41j
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_4309A5
; END OF FUNCTION CHUNK	FOR PoTraceSystemTimerResolutionUpdate
; 
; START	OF FUNCTION CHUNK FOR ExpInsertTimerResolutionEntry

loc_5A8A23:				; CODE XREF: ExpInsertTimerResolutionEntry+49j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_430A72
; 

loc_5A8A32:				; CODE XREF: ExpInsertTimerResolutionEntry+BFj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_430AE8
; 

loc_5A8A41:				; CODE XREF: ExpInsertTimerResolutionEntry+D9j
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		call	_KeSetTimeAdjustment@8 ; KeSetTimeAdjustment(x,x)
		mov	[edi+0Ch], eax
		jmp	loc_430AFD
; END OF FUNCTION CHUNK	FOR ExpInsertTimerResolutionEntry
; 
; START	OF FUNCTION CHUNK FOR KiSetClockInterval

loc_5A8A53:				; CODE XREF: KiSetClockInterval+A5j
		push	1
		mov	ecx, edi
		call	PoTraceSystemTimerResolutionKernel
		jmp	loc_430BC3
; END OF FUNCTION CHUNK	FOR KiSetClockInterval
; 
; START	OF FUNCTION CHUNK FOR IopIoRateStartRateControl

loc_5A8A61:				; CODE XREF: IopIoRateStartRateControl+58j
		mov	esi, 0C0000002h
		jmp	loc_430E36
; END OF FUNCTION CHUNK	FOR IopIoRateStartRateControl
; 
; START	OF FUNCTION CHUNK FOR PsAcquireSiloHardReference

loc_5A8A6B:				; CODE XREF: PsAcquireSiloHardReference+28j
		cmp	ecx, 1
		jz	short loc_5A8A75
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5A8A75:				; CODE XREF: PsAcquireSiloHardReference+177ABEj
		mov	eax, 0C000010Ah
		jmp	loc_430FF8
; END OF FUNCTION CHUNK	FOR PsAcquireSiloHardReference
; 
; START	OF FUNCTION CHUNK FOR CmQueryLayeredKey

loc_5A8A7F:				; CODE XREF: CmQueryLayeredKey+BDj
		test	byte ptr [edi+1Ch], 1
		jz	loc_4310CB
		mov	esi, 0C0000425h
		jmp	loc_431142
; 

loc_5A8A93:				; CODE XREF: CmQueryLayeredKey+ECj
					; CmQueryLayeredKey+177CCCj
		mov	esi, 0C0000023h
		jmp	short loc_5A8AA3
; END OF FUNCTION CHUNK	FOR CmQueryLayeredKey

;  S U B	R O U T	I N E 


sub_5A8A9A	proc near		; DATA XREF: .text:006A01BCo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-94h]
sub_5A8A9A	endp

; START	OF FUNCTION CHUNK FOR CmQueryLayeredKey

loc_5A8AA3:				; CODE XREF: CmQueryLayeredKey+177A90j
					; sub_5A8AC3+9j ...
		mov	[ebp+var_58], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_431142
; END OF FUNCTION CHUNK	FOR CmQueryLayeredKey

;  S U B	R O U T	I N E 


sub_5A8AB2	proc near		; DATA XREF: .text:006A0194o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-88h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5A8AB2	endp


;  S U B	R O U T	I N E 


sub_5A8AC3	proc near		; DATA XREF: .text:006A0198o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-88h]
		jmp	short loc_5A8AA3
sub_5A8AC3	endp

; 
; START	OF FUNCTION CHUNK FOR CmQueryLayeredKey

loc_5A8ACE:				; CODE XREF: CmQueryLayeredKey+ABj
		mov	ecx, [ebp+var_6C]
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_431142
		cmp	edi, 6
		jnz	loc_5A8BF2
		mov	eax, large fs:124h
		mov	eax, [eax+150h]
		mov	ecx, large fs:124h
		lea	edx, [ebp+var_A4]
		push	edx
		push	eax
		push	ecx
		call	SeCaptureSubjectContextEx
		push	ecx
		lea	edx, [ebp+var_A4]
		mov	edi, [ebp+var_64]
		mov	ecx, edi
		call	KCBNeedsVirtualImage
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	esi, [ebp+var_D4]
		push	0FFFFFFFEh
		pop	ebx
		and	esi, ebx
		or	esi, ecx
		push	ecx
		lea	edx, [ebp+var_A4]
		mov	ecx, edi
		call	KCBNeedsVirtualImage
		mov	ecx, [edi+68h]
		test	al, al
		jz	short loc_5A8B4E
		test	cl, 20h
		jnz	short loc_5A8B4E
		push	2
		pop	eax
		jmp	short loc_5A8B50
; 

loc_5A8B4E:				; CODE XREF: CmQueryLayeredKey+177B3Aj
					; CmQueryLayeredKey+177B3Fj
		xor	eax, eax

loc_5A8B50:				; CODE XREF: CmQueryLayeredKey+177B44j
		and	esi, 0FFFFFFFDh
		or	esi, eax
		cmp	ds:_CmpVEEnabled, 0
		jz	short loc_5A8B6B
		test	ecx, 1000000h
		jz	short loc_5A8B6B
		push	4
		pop	eax
		jmp	short loc_5A8B6D
; 

loc_5A8B6B:				; CODE XREF: CmQueryLayeredKey+177B54j
					; CmQueryLayeredKey+177B5Cj
		xor	eax, eax

loc_5A8B6D:				; CODE XREF: CmQueryLayeredKey+177B61j
		shr	ecx, 10h
		mov	edi, ecx
		shr	edi, 3
		and	edi, 40h
		and	ecx, 80h
		or	edi, ecx
		shr	edi, 3
		and	esi, 0FFFFFFFBh
		or	esi, eax
		and	esi, 0FFFFFFE7h
		or	edi, esi
		lea	eax, [ebp+var_A4]
		push	eax
		call	SeReleaseSubjectContext
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_5C]
		mov	dword ptr [ecx], 4
		cmp	[ebp+arg_4], 4
		jb	short loc_5A8BB6
		mov	ecx, [ebp+var_70]
		mov	[ecx], edi
		jmp	short loc_5A8BCB
; 

loc_5A8BB6:				; CODE XREF: CmQueryLayeredKey+177BA5j
					; CmQueryLayeredKey+177C22j
		mov	esi, 0C0000023h
		mov	[ebp+var_58], esi
		mov	[ebp+ms_exc.disabled], ebx
		jmp	loc_431142
; 

loc_5A8BC6:				; CODE XREF: CmQueryLayeredKey+177C24j
		mov	ecx, [ebp+var_70]
		mov	[ecx], eax

loc_5A8BCB:				; CODE XREF: CmQueryLayeredKey+177BACj
		mov	[ebp+ms_exc.disabled], ebx
		jmp	loc_5A8D33
; END OF FUNCTION CHUNK	FOR CmQueryLayeredKey

;  S U B	R O U T	I N E 


sub_5A8BD3	proc near		; DATA XREF: .text:006A01A0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-8Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_5A8BD3	endp


;  S U B	R O U T	I N E 


sub_5A8BE4	proc near		; DATA XREF: .text:006A01A4o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-8Ch]
		jmp	loc_5A8AA3
sub_5A8BE4	endp

; 
; START	OF FUNCTION CHUNK FOR CmQueryLayeredKey

loc_5A8BF2:				; CODE XREF: CmQueryLayeredKey+177ADBj
		mov	eax, [ebp+var_64]
		cmp	edi, 8
		jnz	short loc_5A8C4D
		mov	eax, [eax+10h]
		push	0FFFFFFFEh
		pop	ebx
		test	byte ptr [eax+980h], 1
		mov	eax, [ebp+var_D4]
		jz	short loc_5A8C13
		and	eax, ebx
		jmp	short loc_5A8C16
; 

loc_5A8C13:				; CODE XREF: CmQueryLayeredKey+177C05j
		or	eax, 1

loc_5A8C16:				; CODE XREF: CmQueryLayeredKey+177C09j
		mov	[ebp+ms_exc.disabled], 2
		mov	ecx, [ebp+var_5C]
		mov	dword ptr [ecx], 4
		cmp	[ebp+arg_4], 4
		jb	short loc_5A8BB6
		jmp	short loc_5A8BC6
; END OF FUNCTION CHUNK	FOR CmQueryLayeredKey

;  S U B	R O U T	I N E 


sub_5A8C2E	proc near		; DATA XREF: .text:006A01ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-90h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5A8C2E	endp


;  S U B	R O U T	I N E 


sub_5A8C3F	proc near		; DATA XREF: .text:006A01B0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-90h]
		jmp	loc_5A8AA3
sub_5A8C3F	endp

; 
; START	OF FUNCTION CHUNK FOR CmQueryLayeredKey

loc_5A8C4D:				; CODE XREF: CmQueryLayeredKey+177BF0j
		movzx	edx, word ptr [eax+22h]
		jmp	short loc_5A8C62
; 

loc_5A8C53:				; CODE XREF: CmQueryLayeredKey+177C5Dj
		lea	ecx, [ebp+var_80]
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		cmp	dword ptr [eax+14h], 0FFFFFFFFh
		jnz	short loc_5A8C6C
		dec	edx

loc_5A8C62:				; CODE XREF: CmQueryLayeredKey+177C49j
		test	dx, dx
		jns	short loc_5A8C53
		mov	eax, [ebp+var_68]
		jmp	short loc_5A8C6F
; 

loc_5A8C6C:				; CODE XREF: CmQueryLayeredKey+177C57j
		mov	[ebp+var_68], eax

loc_5A8C6F:				; CODE XREF: CmQueryLayeredKey+177C62j
		cmp	edi, 5
		jnz	loc_5A8CFF
		xor	edx, edx
		mov	ecx, eax
		call	CmGetKeyFlags
		mov	[ebp+var_D4], eax
		xor	esi, esi
		mov	[ebp+var_D0], esi
		mov	edi, [ebp+var_68]
		cmp	[edi+14h], esi
		jge	short loc_5A8C9E
		inc	esi
		mov	[ebp+var_D0], esi

loc_5A8C9E:				; CODE XREF: CmQueryLayeredKey+177C8Dj
		lea	ecx, [ebp+var_80]
		call	_CmpIsKeyStackSymlink@4	; CmpIsKeyStackSymlink(x)
		test	al, al
		jz	short loc_5A8CB3
		or	esi, 2
		mov	[ebp+var_D0], esi

loc_5A8CB3:				; CODE XREF: CmQueryLayeredKey+177CA0j
		mov	eax, [edi+68h]
		shr	eax, 4
		and	eax, 0Fh
		mov	[ebp+var_CC], eax
		mov	[ebp+ms_exc.disabled], 3
		push	0Ch
		pop	eax
		mov	ecx, [ebp+var_5C]
		mov	[ecx], eax
		cmp	[ebp+arg_4], eax
		jb	loc_5A8A93
		lea	esi, [ebp+var_D4]
		mov	edi, ebx
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_5A8D33
; END OF FUNCTION CHUNK	FOR CmQueryLayeredKey

;  S U B	R O U T	I N E 


sub_5A8CEE	proc near		; DATA XREF: .text:006A01B8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-94h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5A8CEE	endp

; 
; START	OF FUNCTION CHUNK FOR CmQueryLayeredKey

loc_5A8CFF:				; CODE XREF: CmQueryLayeredKey+177C6Aj
		push	[ebp+var_6C]
		lea	edx, [ebp+var_80]
		lea	ecx, [ebp+var_50]
		call	_CmpStartKeyNodeStackFromKcbStack@12 ; CmpStartKeyNodeStackFromKcbStack(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_431142
		mov	ecx, [ebp+var_5C]
		push	ecx
		push	[ebp+arg_4]
		push	ebx
		mov	edx, edi
		lea	ecx, [ebp+var_50]
		call	_CmpQueryKeyDataFromKeyNodeStack@20 ; CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_431142

loc_5A8D33:				; CODE XREF: CmQueryLayeredKey+177BC6j
					; CmQueryLayeredKey+177CE4j
		xor	esi, esi
		jmp	loc_431142
; END OF FUNCTION CHUNK	FOR CmQueryLayeredKey
; 
; START	OF FUNCTION CHUNK FOR PspStorageEmptyArrayNonReadonly

loc_5A8D3A:				; CODE XREF: PspStorageEmptyArrayNonReadonly+2B6j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_40]
		jmp	loc_431490
; 

loc_5A8D4B:				; CODE XREF: PspStorageEmptyArrayNonReadonly+2EAj
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	loc_4314BE
; 

loc_5A8D60:				; CODE XREF: PspStorageEmptyArrayNonReadonly+30Ej
		push	[ebp+var_40]
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4314E2
; 

loc_5A8D72:				; CODE XREF: PspStorageEmptyArrayNonReadonly+13Bj
		lea	esi, [ecx+222h]
		lock or	[esi], dl
		mov	esi, [ebp+var_C]
		jmp	loc_431315
; 

loc_5A8D83:				; CODE XREF: PspStorageEmptyArrayNonReadonly+366j
		lea	eax, [ecx+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [ecx+330h]
		jmp	loc_43153A
; 

loc_5A8D98:				; CODE XREF: PspStorageEmptyArrayNonReadonly+391j
		push	[ebp+var_40]
		mov	edx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [ebp+var_8]
		jmp	loc_43132C
; 

loc_5A8DAA:				; CODE XREF: PspStorageEmptyArrayNonReadonly+3ACj
		push	0
		push	[ebp+var_14]
		push	[ebp+var_C]
		push	esi
		jmp	short loc_5A8DBC
; 

loc_5A8DB5:				; CODE XREF: PspStorageEmptyArrayNonReadonly+3C2j
		push	0
		push	[ebp+var_30]
		push	esi
		push	ecx

loc_5A8DBC:				; CODE XREF: PspStorageEmptyArrayNonReadonly+177BE5j
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5A8DC7:				; CODE XREF: MmProbeAndLockSelectedPages+74j
		push	0
		push	40h
		mov	edx, 72506D4Dh
		mov	ecx, ebx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_431666
		push	0C000009Ah
		jmp	loc_431794
; END OF FUNCTION CHUNK	FOR PspStorageEmptyArrayNonReadonly
; 
; START	OF FUNCTION CHUNK FOR MmProbeAndLockSelectedPages

loc_5A8DEB:				; CODE XREF: MmProbeAndLockSelectedPages+F4j
		cmp	byte ptr [ebp+arg_8], 0
		jz	loc_4316E6
		inc	ds:dword_6D309C
		mov	esi, 0C0000005h
		jmp	loc_43175A
; 

loc_5A8E05:				; CODE XREF: MmProbeAndLockSelectedPages+105j
		cmp	ecx, [esp+1088h+var_1014]
		jb	loc_4316F7
		cmp	[esp+1088h+var_100C], 0FFFFFFFFh
		jz	short loc_5A8E23
		sub	ecx, [esp+1088h+var_1014]
		shr	ecx, 0Ch
		add	ecx, [esp+1088h+var_100C]
		jmp	short loc_5A8E34
; 

loc_5A8E23:				; CODE XREF: MmProbeAndLockSelectedPages+177828j
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh

loc_5A8E34:				; CODE XREF: MmProbeAndLockSelectedPages+177835j
		mov	[esp+1088h+var_101C], ecx
		mov	[esp+1088h+var_1078], 40h
		jmp	loc_43170E
; 

loc_5A8E45:				; CODE XREF: MmProbeAndLockSelectedPages+153j
		lea	ecx, [esp+1088h+var_1068]
		call	_MiProbePacketContended@4 ; MiProbePacketContended(x)
		test	eax, eax
		jz	loc_431745
		lea	ecx, [esp+1088h+var_1068]
		call	_MiUnlockProbePacketWorkingSet@4 ; MiUnlockProbePacketWorkingSet(x)
		lea	ecx, [esp+1088h+var_1068]
		call	_MiLockProbePacketWorkingSet@4 ; MiLockProbePacketWorkingSet(x)
		mov	ebx, [esp+1088h+var_1048]
		jmp	loc_431745
; 

loc_5A8E71:				; CODE XREF: MmProbeAndLockSelectedPages+186j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_431778
; END OF FUNCTION CHUNK	FOR MmProbeAndLockSelectedPages
; 
; START	OF FUNCTION CHUNK FOR MiProbeAndLockComplete

loc_5A8E7E:				; CODE XREF: MiProbeAndLockComplete+1Aj
		mov	ecx, [esi+18h]
		add	ecx, [esi+10h]
		mov	edx, [esi+14h]
		and	ecx, 0FFFh
		push	[ebp+arg_0]
		add	edx, 0FFFh
		add	edx, ecx
		mov	ecx, esi
		shr	edx, 0Ch
		call	_MiAddMdlTracker@12 ; MiAddMdlTracker(x,x,x)
		jmp	loc_4317BA
; 

loc_5A8EA7:				; CODE XREF: MiProbeAndLockComplete+22j
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		inc	ds:dword_6D30C4
		jmp	loc_4317C2
; END OF FUNCTION CHUNK	FOR MiProbeAndLockComplete
; 
; START	OF FUNCTION CHUNK FOR SepVerifyDesktopAppxPackageName

loc_5A8EB8:				; CODE XREF: SepVerifyDesktopAppxPackageName+AFj
		push	20206553h
		push	[ebp+var_210]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_5A8EDA
		mov	esi, 0C0000017h
		jmp	loc_431AE7
; 

loc_5A8EDA:				; CODE XREF: SepVerifyDesktopAppxPackageName+17757Ej
		lea	eax, [ebp+var_210]
		push	eax		; int
		push	[ebp+var_210]	; size_t
		lea	eax, [ebp+var_224]
		push	edi		; int
		push	1		; int
		push	eax		; int
		push	ebx		; int
		call	_SeQuerySecurityAttributesToken@24 ; SeQuerySecurityAttributesToken(x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_431A05
; 

loc_5A8EFE:				; CODE XREF: SepVerifyDesktopAppxPackageName+BFj
		mov	esi, 0C000090Bh
		jmp	loc_431AE7
; 

loc_5A8F08:				; CODE XREF: SepVerifyDesktopAppxPackageName+CEj
		mov	esi, 0C000009Ah
		jmp	loc_431AD5
; 

loc_5A8F12:				; CODE XREF: SepVerifyDesktopAppxPackageName+FAj
		xor	ecx, ecx
		jmp	loc_431A61
; 

loc_5A8F19:				; CODE XREF: SepVerifyDesktopAppxPackageName+128j
					; SepVerifyDesktopAppxPackageName+1B0j
		inc	[ebp+var_214]
		test	eax, eax
		jnz	loc_431A3C
		jmp	loc_431B05
; 

loc_5A8F2C:				; CODE XREF: SepVerifyDesktopAppxPackageName+191j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_431AE7
; END OF FUNCTION CHUNK	FOR SepVerifyDesktopAppxPackageName
; 
; START	OF FUNCTION CHUNK FOR MiUpdateSystemPdes

loc_5A8F39:				; CODE XREF: MiUpdateSystemPdes+79j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5A8F58
		xor	edx, edx
		inc	edx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	loc_431BAD
		mov	eax, ebx
		and	eax, edx
		jmp	short loc_5A8F79
; 

loc_5A8F58:				; CODE XREF: MiUpdateSystemPdes+177412j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_431BAD
		mov	eax, ebx
		and	eax, 1

loc_5A8F79:				; CODE XREF: MiUpdateSystemPdes+177428j
		or	eax, 0
		jz	loc_431BAD
		or	edi, 80000000h
		jmp	loc_431BAD
; END OF FUNCTION CHUNK	FOR MiUpdateSystemPdes
; 
; START	OF FUNCTION CHUNK FOR PsGetJobServerSilo

loc_5A8F8D:				; CODE XREF: PsGetJobServerSilo+9j
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		mov	eax, 0C000000Dh
		jmp	loc_431C24
; END OF FUNCTION CHUNK	FOR PsGetJobServerSilo
; 
; START	OF FUNCTION CHUNK FOR HvpGrowDirtyVectors

loc_5A8F9D:				; CODE XREF: HvpGrowDirtyVectors+72j
		mov	esi, 0C000009Ah
		jmp	loc_431D38
; 

loc_5A8FA7:				; CODE XREF: HvpGrowDirtyVectors+8Cj
		push	ebx
		push	ecx
		mov	esi, 0C000009Ah
		call	dword ptr [edi+10h]
		jmp	loc_431D38
; END OF FUNCTION CHUNK	FOR HvpGrowDirtyVectors
; 
; START	OF FUNCTION CHUNK FOR CmpDoFileFlush

loc_5A8FB6:				; CODE XREF: CmpDoFileFlush+27j
		mov	ds:_CmRegistryIODebug, 4
		mov	ds:dword_A943F4, esi
		mov	ds:dword_A943F8, eax
		jmp	loc_431E4B
; END OF FUNCTION CHUNK	FOR CmpDoFileFlush
; 
; START	OF FUNCTION CHUNK FOR MiAttemptCoalesce

loc_5A8FD0:				; CODE XREF: MiAttemptCoalesce+5Cj
					; MiAttemptCoalesce+72j
		add	ecx, edi
		mov	[ebp+arg_0], ecx
		mov	ecx, [edx]
		cmp	[ebp+arg_0], ecx
		jnb	loc_43239B
		sub	ecx, [ebp+arg_0]
		cmp	ecx, esi
		jb	loc_43239B
		mov	eax, [ebp+arg_0]
		mov	ecx, [edx+4]
		dec	eax
		add	eax, esi
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_0]
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_14]
		shr	eax, 5
		lea	ecx, [ecx+eax*4]
		mov	eax, [ebp+var_8]
		mov	[ebp+var_1C], ecx
		mov	edx, [eax]
		mov	[ebp+var_10], edx
		mov	edx, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_5A9032
		or	eax, 0FFFFFFFFh
		mov	ecx, ebx
		shr	eax, cl
		mov	ecx, [ebp+arg_0]
		shl	eax, cl
		test	[ebp+var_10], eax
		jmp	loc_432391
; 

loc_5A9032:				; CODE XREF: MiAttemptCoalesce+176CECj
		mov	ecx, [ebp+arg_0]
		or	eax, 0FFFFFFFFh
		shl	eax, cl
		test	[ebp+var_10], eax
		jnz	loc_432398
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_1C]
		add	eax, 4
		mov	[ebp+var_8], eax
		cmp	eax, ecx
		jz	short loc_5A9066

loc_5A9053:				; CODE XREF: MiAttemptCoalesce+176D34j
		cmp	dword ptr [eax], 0
		jnz	loc_432398
		add	eax, 4
		mov	[ebp+var_8], eax
		cmp	eax, ecx
		jnz	short loc_5A9053

loc_5A9066:				; CODE XREF: MiAttemptCoalesce+176D21j
		mov	ecx, [ebp+var_14]
		or	eax, 0FFFFFFFFh
		not	ecx
		shr	eax, cl
		mov	ecx, [ebp+var_8]
		test	[ecx], eax
		mov	ecx, [ebp+arg_0]
		jmp	loc_432391
; END OF FUNCTION CHUNK	FOR MiAttemptCoalesce
; 
; START	OF FUNCTION CHUNK FOR MiMakeSystemRangeAvailable

loc_5A907D:				; CODE XREF: MiMakeSystemRangeAvailable+131j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_432857
; 

loc_5A908D:				; CODE XREF: MiMakeSystemRangeAvailable+153j
		lea	ecx, [ebp+var_2C]
		call	KxWaitForLockChainValid

loc_5A9095:				; CODE XREF: MiMakeSystemRangeAvailable+13Cj
		xor	ecx, ecx
		mov	[ebp+var_2C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_432857
; 

loc_5A90AA:				; CODE XREF: MiMakeSystemRangeAvailable+64j
		movzx	eax, cl
		shl	eax, 8
		or	eax, edi
		push	eax
		push	esi
		push	[ebp+var_14]
		push	2104h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5A90C4:				; CODE XREF: HvpAllocateLogBuffers+42j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx

loc_5A90CE:				; CODE XREF: HvpAllocateLogBuffers+29j
		xor	ecx, ecx
		mov	[ebp+var_C], ecx
		mov	al, cl

loc_5A90D5:				; CODE XREF: MiMakeSystemRangeAvailable+176AD6j
		test	al, al
		jz	short loc_5A912D
		test	esi, esi
		jz	short loc_5A911E
		test	edi, edi
		jz	short loc_5A9111
		lea	eax, [esi+4]
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], eax
		mov	edx, edi

loc_5A90EC:				; CODE XREF: MiMakeSystemRangeAvailable+176A11j
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_5A9103
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_10]
		and	dword ptr [eax], 0

loc_5A9103:				; CODE XREF: MiMakeSystemRangeAvailable+1769F2j
		add	eax, 0Ch
		sub	edx, 1
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], edx
		jnz	short loc_5A90EC

loc_5A9111:				; CODE XREF: MiMakeSystemRangeAvailable+1769E1j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_C]
		xor	esi, esi

loc_5A911E:				; CODE XREF: MiMakeSystemRangeAvailable+1769DDj
		add	ecx, 4
		mov	[ebp+var_C], ecx
		cmp	ecx, 24h
		jz	loc_5A91ED

loc_5A912D:				; CODE XREF: MiMakeSystemRangeAvailable+1769D9j
		mov	ecx, dword ptr ds:_LogEntryChunkSizes[ecx]
		xor	edx, edx
		mov	eax, [ebp+arg_0]
		shl	ecx, 0Ch
		div	ecx
		mov	[ebp+var_20], ecx
		mov	edi, eax
		test	edx, edx
		jz	short loc_5A9147
		inc	edi

loc_5A9147:				; CODE XREF: MiMakeSystemRangeAvailable+176A46j
		imul	eax, edi, 0Ch
		push	6F494D43h
		push	eax
		push	1
		mov	[ebp+var_14], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5A91ED
		push	[ebp+var_14]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		lea	edx, [esi+4]
		add	esp, 0Ch
		xor	eax, eax

loc_5A917A:				; CODE XREF: MiMakeSystemRangeAvailable+176ACFj
		mov	[ebp+var_8], edx
		mov	[ebp+var_14], eax
		cmp	eax, edi
		jnb	short loc_5A91D9
		and	dword ptr [edx-4], 0
		mov	edx, [ebp+var_20]
		mov	[ebp+var_10], ecx
		cmp	ecx, edx
		jb	short loc_5A9195
		mov	[ebp+var_10], edx

loc_5A9195:				; CODE XREF: MiMakeSystemRangeAvailable+176A92j
		mov	eax, ecx
		sub	eax, edx
		cmp	ecx, edx
		push	6F494D43h
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+var_10]
		push	ecx
		push	5
		mov	[eax+4], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, [ebp+var_8]
		mov	[edx], eax
		test	eax, eax
		jz	short loc_5A91CF
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_24]
		inc	eax
		add	edx, 0Ch
		jmp	short loc_5A917A
; 

loc_5A91CF:				; CODE XREF: MiMakeSystemRangeAvailable+176AC3j
		mov	ecx, [ebp+var_C]
		mov	al, 1
		jmp	loc_5A90D5
; 

loc_5A91D9:				; CODE XREF: MiMakeSystemRangeAvailable+176A84j
		mov	eax, [ebp+var_18]
		mov	[eax], esi
		xor	esi, esi
		mov	eax, [ebp+var_1C]
		and	[ebp+arg_0], esi
		mov	[eax], edi
		jmp	loc_432A15
; 

loc_5A91ED:				; CODE XREF: MiMakeSystemRangeAvailable+176A29j
					; MiMakeSystemRangeAvailable+176A60j
		mov	[ebp+arg_0], 0C0000017h
		jmp	loc_432A15
; END OF FUNCTION CHUNK	FOR MiMakeSystemRangeAvailable
; 
; START	OF FUNCTION CHUNK FOR HvpAllocateLogBuffers

loc_5A91F9:				; CODE XREF: HvpAllocateLogBuffers+6Bj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_432A1D
; 

loc_5A9206:				; CODE XREF: HvpAllocateLogBuffers+73j
		test	edi, edi
		jz	short loc_5A9226
		lea	ebx, [esi+4]

loc_5A920D:				; CODE XREF: HvpAllocateLogBuffers+176878j
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_5A921E
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [ebx], 0

loc_5A921E:				; CODE XREF: HvpAllocateLogBuffers+176865j
		add	ebx, 0Ch
		sub	edi, 1
		jnz	short loc_5A920D

loc_5A9226:				; CODE XREF: HvpAllocateLogBuffers+17685Cj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_432A25
; END OF FUNCTION CHUNK	FOR HvpAllocateLogBuffers
; 
; START	OF FUNCTION CHUNK FOR RtlFindNextForwardRunClear

loc_5A9233:				; CODE XREF: RtlFindNextForwardRunClear+12j
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		xor	eax, eax
		jmp	loc_432C33
; END OF FUNCTION CHUNK	FOR RtlFindNextForwardRunClear
; 
; START	OF FUNCTION CHUNK FOR CmpDecrementAppHiveUnloadCount

loc_5A923F:				; CODE XREF: CmpDecrementAppHiveUnloadCount+21j
		push	0
		xor	edx, edx
		mov	ecx, offset _CmpActiveAppHiveUnloadEvent
		call	ExpUnblockPushLock
		leave
		retn
; END OF FUNCTION CHUNK	FOR CmpDecrementAppHiveUnloadCount
; 
; START	OF FUNCTION CHUNK FOR ExpUnblockPushLock

loc_5A924F:				; CODE XREF: ExpUnblockPushLock+6Ej
		push	0
		push	0
		push	1Ch
		push	edi
		call	KeWaitForSingleObject
		jmp	loc_432D14
; END OF FUNCTION CHUNK	FOR ExpUnblockPushLock
; 
; START	OF FUNCTION CHUNK FOR CmpTryToRundownHive

loc_5A9260:				; CODE XREF: CmpTryToRundownHive+52j
		mov	ecx, ebx
		call	_CmpDoesKeyHaveOpenSubkeys@4 ; CmpDoesKeyHaveOpenSubkeys(x)
		test	al, al
		jnz	short loc_5A9274
		cmp	dword ptr [ebx], 2
		jz	loc_432DE4

loc_5A9274:				; CODE XREF: CmpTryToRundownHive+46j
					; CmpTryToRundownHive+106j ...
		cmp	[ebp+var_1], 0
		jz	short loc_5A92B9
		and	dword ptr [ebx+4], 0FFFBFFFFh
		lea	eax, [esi+430h]
		xor	ecx, ecx
		xchg	ecx, [eax]
		or	eax, 0FFFFFFFFh
		lock xadd ds:_CmpActiveHiveRundownCount, eax
		jnz	short loc_5A92B9
		and	[ebp+arg_0], 0
		lea	eax, [ebp+arg_0]
		xor	ecx, ecx
		lock or	[eax], ecx
		cmp	ds:_CmpActiveHiveRundownEvent, ecx
		jz	short loc_5A92B9
		push	ecx
		xor	edx, edx
		mov	ecx, offset _CmpActiveHiveRundownEvent
		call	ExpUnblockPushLock

loc_5A92B9:				; CODE XREF: CmpTryToRundownHive+1764ECj
					; CmpTryToRundownHive+17650Aj ...
		lea	ecx, [ebp+var_18]
		call	CmpCleanupRollbackPacket
		cmp	byte ptr [edi],	0
		jz	short loc_5A92CE
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		mov	byte ptr [edi],	0

loc_5A92CE:				; CODE XREF: CmpTryToRundownHive+176538j
		xor	al, al
		jmp	loc_432E31
; 

loc_5A92D5:				; CODE XREF: CmpTryToRundownHive+123j
		mov	byte ptr [ebp+arg_0+3],	0
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		lea	edx, [ebp+arg_0+3]
		lea	ecx, [ebp+var_18]
		call	_CmpAbortRollbackPacket@8 ; CmpAbortRollbackPacket(x,x)
		test	eax, eax
		js	short loc_5A930F
		cmp	byte ptr [ebp+arg_0+3],	1
		jnz	short loc_5A92FE
		mov	ecx, [esi+9A0h]
		call	_CmObliterateRMTxArray@4 ; CmObliterateRMTxArray(x)

loc_5A92FE:				; CODE XREF: CmpTryToRundownHive+176565j
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		jmp	loc_432DBE
; 

loc_5A930F:				; CODE XREF: CmpTryToRundownHive+17655Fj
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		jmp	loc_5A9274
; 

loc_5A9320:				; CODE XREF: CmpTryToRundownHive+9Dj
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		mov	byte ptr [edi],	0
		jmp	loc_432E2F
; END OF FUNCTION CHUNK	FOR CmpTryToRundownHive
; 
; START	OF FUNCTION CHUNK FOR CmpDoFileRead

loc_5A932D:				; CODE XREF: CmpDoFileRead+47j
		mov	ecx, [ebp+arg_10]
		xor	edx, edx
		push	10h
		push	esi
		push	0Ch
		inc	edx
		call	SetFailureLocation
		jmp	loc_43305D
; 

loc_5A9342:				; CODE XREF: CmpDoFileRead+97j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	[esp+40h+var_20]
		call	KeWaitForSingleObject
		mov	esi, [esp+30h+var_10]
		jmp	loc_433015
; 

loc_5A935A:				; CODE XREF: CmpDoFileRead+9Fj
		mov	eax, [esp+30h+var_18]
		cmp	eax, 10000h
		jbe	loc_43301D
		shr	eax, 1
		mov	[esp+30h+var_18], eax
		jmp	loc_433045
; 

loc_5A9374:				; CODE XREF: CmpDoFileRead+C3j
		mov	ecx, [esp+30h+var_20]
		call	ObfDereferenceObject
		push	[esp+30h+var_1C]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_5A93A7
		lea	ecx, [esp+30h+var_10]
		mov	dword ptr [eax+0C8h], 1
		mov	[eax+0CCh], edi
		mov	[eax+0D0h], ecx

loc_5A93A7:				; CODE XREF: CmpDoFileRead+176413j
		lea	eax, [esp+30h+var_10]
		mov	ds:_CmRegistryIODebug, 1
		mov	ds:dword_A943F8, eax
		mov	eax, 0C0000011h
		mov	ds:dword_A943F4, edi
		jmp	loc_43305F
; 

loc_5A93CA:				; CODE XREF: CmpDoFileRead+B9j
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_5A93E7
		mov	dword ptr [eax+0C8h], 1
		mov	[eax+0CCh], edi
		mov	[eax+0D0h], esi

loc_5A93E7:				; CODE XREF: CmpDoFileRead+176457j
		mov	ds:_CmRegistryIODebug, 1
		mov	ds:dword_A943F4, edi
		mov	ds:dword_A943F8, esi
		jmp	loc_43304B
; END OF FUNCTION CHUNK	FOR CmpDoFileRead
; 
; START	OF FUNCTION CHUNK FOR CmpArmLazyWriter

loc_5A9402:				; CODE XREF: CmpArmLazyWriter+B3j
		mov	edx, [ebp+4]
		lea	ecx, dword_6B1518[ebx]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4331FE
; END OF FUNCTION CHUNK	FOR CmpArmLazyWriter
; 
; START	OF FUNCTION CHUNK FOR HvpFindNextDirtyRun

loc_5A9415:				; CODE XREF: HvpFindNextDirtyRun+B6j
		or	esi, 0FFFFFFFFh
		jmp	loc_43339C
; 

loc_5A941D:				; CODE XREF: HvpFindNextDirtyRun+C9j
		mov	ebx, [ebp+var_10]
		add	eax, esi
		mov	[ebp+var_8], eax
		cmp	eax, ebx
		jnb	loc_433439
		mov	esi, [ecx]
		cmp	esi, eax
		jbe	loc_5A9524
		mov	ecx, [ecx+4]
		lea	eax, [esi-1]
		shr	eax, 5
		lea	edi, [ecx+eax*4]
		mov	eax, [ebp+var_8]
		mov	ebx, eax
		shr	eax, 5
		mov	[ebp+var_4], ebx
		lea	edx, [ecx+eax*4]
		cmp	edx, edi
		jz	short loc_5A9494
		and	ebx, 1Fh
		mov	ecx, ds:dword_40BA68[ebx*4]
		or	ecx, [edx]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_5A9491
		mov	eax, [ebp+var_8]
		add	edx, 4
		sub	eax, ebx
		mov	ebx, eax
		mov	[ebp+var_4], eax
		add	ebx, 20h
		mov	[ebp+var_4], ebx
		cmp	edx, edi
		jnb	short loc_5A9494

loc_5A947D:				; CODE XREF: HvpFindNextDirtyRun+1761AAj
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	short loc_5A948C
		add	edx, 4
		add	ebx, 20h
		cmp	edx, edi
		jb	short loc_5A947D

loc_5A948C:				; CODE XREF: HvpFindNextDirtyRun+1761A0j
		mov	[ebp+var_4], ebx
		jmp	short loc_5A9494
; 

loc_5A9491:				; CODE XREF: HvpFindNextDirtyRun+176184j
		mov	ebx, [ebp+var_4]

loc_5A9494:				; CODE XREF: HvpFindNextDirtyRun+176173j
					; HvpFindNextDirtyRun+17619Bj ...
		cmp	ebx, esi
		jnb	short loc_5A94AB
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx+4]

loc_5A949E:				; CODE XREF: HvpFindNextDirtyRun+1761C6j
		bt	[eax], ebx
		jnb	short loc_5A94A8
		inc	ebx
		cmp	ebx, esi
		jb	short loc_5A949E

loc_5A94A8:				; CODE XREF: HvpFindNextDirtyRun+1761C1j
		mov	[ebp+var_4], ebx

loc_5A94AB:				; CODE XREF: HvpFindNextDirtyRun+1761B6j
		xor	esi, esi
		cmp	edx, edi
		jz	short loc_5A94ED
		mov	ecx, [edx]
		and	ebx, 1Fh
		mov	eax, ds:dword_40BA68[ebx*4]
		not	eax
		and	eax, ecx
		jnz	short loc_5A94EA
		mov	esi, 20h
		sub	esi, ebx
		cmp	esi, 0FFFFFFFFh
		jnb	short loc_5A950E
		add	edx, 4
		cmp	edx, edi
		jnb	short loc_5A94EA

loc_5A94D6:				; CODE XREF: HvpFindNextDirtyRun+176208j
		cmp	dword ptr [edx], 0
		jnz	short loc_5A94EA
		add	esi, 20h
		add	edx, 4
		cmp	esi, 0FFFFFFFFh
		jnb	short loc_5A950E
		cmp	edx, edi
		jb	short loc_5A94D6

loc_5A94EA:				; CODE XREF: HvpFindNextDirtyRun+1761E1j
					; HvpFindNextDirtyRun+1761F4j ...
		mov	ebx, [ebp+var_4]

loc_5A94ED:				; CODE XREF: HvpFindNextDirtyRun+1761CFj
		mov	edi, [ebp+var_C]
		lea	eax, [esi+ebx]
		mov	edx, [edi]
		cmp	eax, edx
		jnb	short loc_5A9511
		mov	ecx, [edi+4]

loc_5A94FC:				; CODE XREF: HvpFindNextDirtyRun+17622Aj
		bt	[ecx], eax
		jb	short loc_5A9511
		cmp	esi, 0FFFFFFFFh
		jnb	short loc_5A9514
		inc	eax
		inc	esi
		cmp	eax, edx
		jb	short loc_5A94FC
		jmp	short loc_5A9511
; 

loc_5A950E:				; CODE XREF: HvpFindNextDirtyRun+1761EDj
					; HvpFindNextDirtyRun+176204j
		mov	ebx, [ebp+var_4]

loc_5A9511:				; CODE XREF: HvpFindNextDirtyRun+176217j
					; HvpFindNextDirtyRun+17621Fj ...
		cmp	esi, 0FFFFFFFFh

loc_5A9514:				; CODE XREF: HvpFindNextDirtyRun+176224j
		jbe	short loc_5A9519
		or	esi, 0FFFFFFFFh

loc_5A9519:				; CODE XREF: HvpFindNextDirtyRun:loc_5A9514j
		test	esi, esi
		jnz	loc_4333B2
		mov	ebx, [ebp+var_10]

loc_5A9524:				; CODE XREF: HvpFindNextDirtyRun+176151j
		mov	eax, [ebp+var_10]
		jmp	loc_4333B5
; END OF FUNCTION CHUNK	FOR HvpFindNextDirtyRun
; 
; START	OF FUNCTION CHUNK FOR RtlCaptureStackBackTrace

loc_5A952C:				; CODE XREF: RtlCaptureStackBackTrace+3Ej
		xor	eax, eax
		mov	[ebp+arg_4], eax
		test	edi, edi
		jz	short loc_5A9550
		mov	ebx, [ebp+arg_8]

loc_5A9538:				; CODE XREF: RtlCaptureStackBackTrace+1760EBj
		lea	eax, [ecx+esi]
		cmp	eax, edx
		mov	eax, [ebp+arg_4]
		jnb	short loc_5A954D
		add	eax, [ebx+ecx*4]
		inc	ecx
		mov	[ebp+arg_4], eax
		cmp	ecx, edi
		jb	short loc_5A9538

loc_5A954D:				; CODE XREF: RtlCaptureStackBackTrace+1760E0j
		mov	ebx, [ebp+arg_C]

loc_5A9550:				; CODE XREF: RtlCaptureStackBackTrace+1760D3j
		mov	[ebx], eax
		jmp	loc_4334A8
; END OF FUNCTION CHUNK	FOR RtlCaptureStackBackTrace
; 
; START	OF FUNCTION CHUNK FOR RtlWalkFrameChain

loc_5A9557:				; CODE XREF: RtlWalkFrameChain+326j
		mov	byte ptr [eax],	0
		jmp	loc_4337FC
; 

loc_5A955F:				; CODE XREF: RtlWalkFrameChain+2C9j
					; RtlWalkFrameChain+2D6j ...
		mov	[ebp+var_4], 0FFFFFFFEh

loc_5A9566:				; CODE XREF: RtlWalkFrameChain+67j
		xor	eax, eax
		jmp	loc_433679
; 

loc_5A956D:				; CODE XREF: RtlWalkFrameChain+25Dj
		mov	eax, [ebp+var_24]
		jmp	loc_433742
; 

loc_5A9575:				; CODE XREF: RtlWalkFrameChain+220j
		cmp	edx, esi
		jbe	short loc_5A958B
		cmp	esi, ebx
		jb	short loc_5A9587
		mov	eax, esi
		sub	eax, ebx
		mov	edx, [ebp+arg_0]
		mov	[edx+eax*4], ecx

loc_5A9587:				; CODE XREF: RtlWalkFrameChain+1760ABj
		inc	esi
		mov	[ebp+var_40], esi

loc_5A958B:				; CODE XREF: RtlWalkFrameChain+1760A7j
		mov	eax, [ebp+var_24]
		jmp	loc_433745
; END OF FUNCTION CHUNK	FOR RtlWalkFrameChain

;  S U B	R O U T	I N E 


sub_5A9593	proc near		; DATA XREF: .text:006A0274o
		mov	ecx, [ebp-14h]
		mov	eax, [ecx]
		mov	eax, [eax]
		mov	[ebp-88h], eax
		mov	[ebp-8Ch], ecx
		mov	eax, 1
		retn
sub_5A9593	endp


;  S U B	R O U T	I N E 


sub_5A95AC	proc near		; DATA XREF: .text:006A0278o
		mov	esp, [ebp-18h]
		xor	esi, esi
		mov	[ebp-40h], esi
		jmp	loc_433666
sub_5A95AC	endp

; 
; START	OF FUNCTION CHUNK FOR HvpCopyDataToOffsetArray

loc_5A95B9:				; CODE XREF: HvpCopyDataToOffsetArray+60j
		test	ebx, ebx
		jz	loc_433A56
		inc	[ebp+var_8]
		add	ecx, 0Ch
		mov	[ebp+arg_0], ecx
		xor	esi, esi
		jmp	loc_433A52
; END OF FUNCTION CHUNK	FOR HvpCopyDataToOffsetArray
; 
; START	OF FUNCTION CHUNK FOR RtlFindNextForwardRunSet

loc_5A95D1:				; CODE XREF: RtlFindNextForwardRunSet+15j
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	eax, eax
		jmp	loc_433B1D
; END OF FUNCTION CHUNK	FOR RtlFindNextForwardRunSet
; 
; START	OF FUNCTION CHUNK FOR UpcaseUnicodeToSingleByteNHelper

loc_5A95DD:				; CODE XREF: UpcaseUnicodeToSingleByteNHelper+A3j
		movzx	esi, dx
		mov	edx, [ebp+arg_C]
		mov	ecx, esi
		shr	ecx, 8
		movzx	edx, word ptr [edx+ecx*2]
		mov	ecx, esi
		shr	ecx, 4
		and	esi, 0Fh
		and	ecx, 0Fh
		add	edx, ecx
		mov	ecx, [ebp+arg_C]
		movzx	ecx, word ptr [ecx+edx*2]
		mov	dx, word ptr [ebp+arg_0+2]
		add	ecx, esi
		mov	esi, [ebp+arg_C]
		add	dx, [esi+ecx*2]
		jmp	loc_433C52
; END OF FUNCTION CHUNK	FOR UpcaseUnicodeToSingleByteNHelper

;  S U B	R O U T	I N E 


sub_5A9612	proc near		; CODE XREF: CcSetValidData+A6j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp-20h]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_433F30
sub_5A9612	endp

; 
; START	OF FUNCTION CHUNK FOR IoAllocateIrp

loc_5A9624:				; CODE XREF: IoAllocateIrp+12j
		cmp	eax, 2
		jnz	short loc_5A9636
		mov	dl, byte ptr [ebp+arg_0]
		call	_IopAllocateIrpWithExtension@16	; IopAllocateIrpWithExtension(x,x,x,x)
		jmp	loc_433F6B
; 

loc_5A9636:				; CODE XREF: IoAllocateIrp+1756DDj
		push	[ebp+arg_0]
		push	0
		call	_IovAllocateIrp@16 ; IovAllocateIrp(x,x,x,x)
		jmp	loc_433F6B
; END OF FUNCTION CHUNK	FOR IoAllocateIrp
; 
; START	OF FUNCTION CHUNK FOR IoGetAttachedDeviceReferenceWithTag

loc_5A9645:				; CODE XREF: IoGetAttachedDeviceReferenceWithTag+39j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_433FC4
; END OF FUNCTION CHUNK	FOR IoGetAttachedDeviceReferenceWithTag
; 
; START	OF FUNCTION CHUNK FOR HvUnCOWReconciledPages

loc_5A9654:				; CODE XREF: HvUnCOWReconciledPages+6Cj
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlMergeBitMaps@8 ; RtlMergeBitMaps(x,x)
		jmp	loc_43410A
; 

loc_5A9662:				; CODE XREF: HvUnCOWReconciledPages+22Fj
		push	20h
		pop	edi
		add	edx, 4
		jmp	short loc_5A9679
; 

loc_5A966A:				; CODE XREF: HvUnCOWReconciledPages+1755E3j
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	loc_43412D
		add	edx, 4
		add	edi, 20h

loc_5A9679:				; CODE XREF: HvUnCOWReconciledPages+1755D0j
		cmp	edx, eax
		jb	short loc_5A966A
		jmp	loc_43412D
; 

loc_5A9682:				; CODE XREF: HvUnCOWReconciledPages+9Fj
		inc	edi
		cmp	edi, ecx
		jb	loc_434134
		jmp	loc_43413D
; 

loc_5A9690:				; CODE XREF: HvUnCOWReconciledPages:loc_434197j
		or	esi, 0FFFFFFFFh
		jmp	loc_43419D
; END OF FUNCTION CHUNK	FOR HvUnCOWReconciledPages
; 
; START	OF FUNCTION CHUNK FOR WmipUnreferenceRegEntry

loc_5A9698:				; CODE XREF: WmipUnreferenceRegEntry+Ej
		push	0
		push	0
		push	dword ptr [ecx+14h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		retn
; END OF FUNCTION CHUNK	FOR WmipUnreferenceRegEntry
; 
; START	OF FUNCTION CHUNK FOR WmipFindRegEntryByDevice

loc_5A96A5:				; CODE XREF: WmipFindRegEntryByDevice+4Aj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43434B
; END OF FUNCTION CHUNK	FOR WmipFindRegEntryByDevice
; 
; START	OF FUNCTION CHUNK FOR sub_4344FE

loc_5A96B2:				; CODE XREF: sub_4344FE+2Cj
		test	cx, cx
		jnz	loc_434534
		test	dx, dx
		jz	loc_434530
		jmp	loc_434534
; END OF FUNCTION CHUNK	FOR sub_4344FE
; 
; START	OF FUNCTION CHUNK FOR RtlUnicodeStringValidateWorker

loc_5A96C9:				; CODE XREF: RtlUnicodeStringValidateWorker+25j
		test	ax, ax
		jnz	loc_4346E0
		test	dx, dx
		jnz	loc_4346E0
		jmp	loc_4346DB
; END OF FUNCTION CHUNK	FOR RtlUnicodeStringValidateWorker
; 
; START	OF FUNCTION CHUNK FOR RtlWideCharArrayCopyWorker

loc_5A96E0:				; CODE XREF: RtlWideCharArrayCopyWorker+37j
		mov	ecx, [ebp+arg_0]
		mov	eax, 80000005h
		mov	[ecx], edi
		jmp	loc_43473B
; END OF FUNCTION CHUNK	FOR RtlWideCharArrayCopyWorker
; 
; START	OF FUNCTION CHUNK FOR SetFailureLocation

loc_5A96EF:				; CODE XREF: SetFailureLocation+9Cj
		movzx	eax, word ptr [esi+6]
		cmp	eax, 8
		jnb	loc_434828
		mov	ecx, [ebp+arg_0]
		imul	eax, 0Ch
		mov	[eax+esi+68h], ecx
		movzx	eax, word ptr [esi+6]
		mov	ecx, [ebp+arg_4]
		add	eax, 9
		imul	eax, 0Ch
		mov	[eax+esi], ecx
		movzx	eax, word ptr [esi+6]
		imul	eax, 0Ch
		mov	[eax+esi+70h], edi
		inc	word ptr [esi+6]
		jmp	loc_434828
; END OF FUNCTION CHUNK	FOR SetFailureLocation
; 
; START	OF FUNCTION CHUNK FOR MmEnforceWorkingSetLimit

loc_5A972A:				; CODE XREF: MmEnforceWorkingSetLimit+47j
		and	edx, 0FFFFFFF7h
		mov	bl, 80h
		mov	[esp+48h+var_34], edx
		jmp	loc_434BBF
; 

loc_5A9738:				; CODE XREF: MmEnforceWorkingSetLimit+50j
		and	edx, 0FFFFFFFDh
		test	eax, eax
		mov	[esp+48h+var_34], edx
		setnz	bl
		dec	bl
		and	bl, 80h
		add	bl, 0C0h
		jmp	loc_434BC8
; 

loc_5A9751:				; CODE XREF: MmEnforceWorkingSetLimit+67j
		lea	eax, [esp+48h+var_1C]
		mov	[esp+48h+var_24], ecx
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		jmp	loc_434BDF
; 

loc_5A9768:				; CODE XREF: MmEnforceWorkingSetLimit+A2j
		mov	edx, eax
		lea	ecx, [esp+48h+var_30]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_434C28
; 

loc_5A9778:				; CODE XREF: MmEnforceWorkingSetLimit+C8j
		and	cl, 7Fh
		mov	byte ptr [esp+48h+var_38], cl
		jmp	loc_434C40
; 

loc_5A9784:				; CODE XREF: MmEnforceWorkingSetLimit+DCj
		mov	esi, [esp+48h+var_34]
		jmp	loc_434C5E
; 

loc_5A978D:				; CODE XREF: MmEnforceWorkingSetLimit+EEj
		or	bl, 80h
		jmp	loc_434C66
; 

loc_5A9795:				; CODE XREF: MmEnforceWorkingSetLimit+F7j
		or	bl, 40h
		jmp	loc_434C6F
; 

loc_5A979D:				; CODE XREF: MmEnforceWorkingSetLimit+FFj
		test	bl, 40h
		jz	loc_434C77
		mov	eax, [edi+3Ch]
		add	eax, 6
		cmp	eax, [edi+50h]
		jb	loc_434C77
		push	0FFFFFFFAh
		mov	[esp+4Ch+var_20], 0C000004Ch
		pop	edx
		jmp	loc_434C77
; 

loc_5A97C5:				; CODE XREF: MmEnforceWorkingSetLimit+10Aj
		or	cl, 80h
		inc	eax
		mov	byte ptr [esp+48h+var_38], cl
		mov	esi, eax
		jmp	loc_434C83
; 

loc_5A97D4:				; CODE XREF: MmEnforceWorkingSetLimit+114j
		or	cl, 40h
		mov	esi, eax
		mov	byte ptr [esp+48h+var_38], cl
		jmp	loc_434C8C
; 

loc_5A97E2:				; CODE XREF: MmEnforceWorkingSetLimit+12Ej
		mov	edx, [ebp+4]
		lea	ecx, [esp+48h+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_434CC8
; 

loc_5A97F3:				; CODE XREF: MmEnforceWorkingSetLimit+150j
		lea	ecx, [esp+48h+var_30]
		call	KxWaitForLockChainValid
		jmp	loc_434CF2
; 

loc_5A9801:				; CODE XREF: MmEnforceWorkingSetLimit+164j
		xor	edx, edx
		lea	ecx, [esp+48h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_434CDC
; END OF FUNCTION CHUNK	FOR MmEnforceWorkingSetLimit
; 
; START	OF FUNCTION CHUNK FOR PsUpdateComponentPower

loc_5A9811:				; CODE XREF: PsUpdateComponentPower+12Fj
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_C]
		or	eax, ecx
		jz	loc_434DE9
		lea	eax, [edi+50h]
		mov	[esp+18h+var_4], eax
		mov	edi, eax

loc_5A9828:				; CODE XREF: PsUpdateComponentPower+174AF6j
					; PsUpdateComponentPower+174AFCj
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, ecx
		mov	ecx, edx
		mov	[esp+18h+var_4], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+arg_C]
		cmp	eax, esi
		jnz	short loc_5A9828
		cmp	edx, [esp+18h+var_4]
		jnz	short loc_5A9828
		mov	eax, [esp+18h+var_8]
		add	eax, 60h
		mov	[esp+18h+var_4], eax
		mov	edi, eax

loc_5A985B:				; CODE XREF: PsUpdateComponentPower+174B27j
					; PsUpdateComponentPower+174B2Dj
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		mov	eax, esi
		add	ebx, [ebp+arg_8]
		mov	ecx, edx
		mov	[esp+18h+var_4], edx
		adc	ecx, 0
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_5A985B
		cmp	edx, [esp+18h+var_4]
		jnz	short loc_5A985B
		mov	eax, 128h
		jmp	loc_434DD3
; END OF FUNCTION CHUNK	FOR PsUpdateComponentPower
; 
; START	OF FUNCTION CHUNK FOR RtlInterlockedTimelineBitmapUpdate

loc_5A9889:				; CODE XREF: RtlInterlockedTimelineBitmapUpdate+29j
		mov	edx, edi
		sub	edx, eax
		cmp	edx, 20h
		jnb	loc_434EF7
		mov	esi, ecx
		bts	esi, edx
		cmp	esi, ecx
		jz	loc_434EF7
		mov	ebx, edi
		jmp	loc_434EE0
; END OF FUNCTION CHUNK	FOR RtlInterlockedTimelineBitmapUpdate
; 
; START	OF FUNCTION CHUNK FOR _tlgCreate1Sz_wchar_t

loc_5A98AA:				; CODE XREF: _tlgCreate1Sz_wchar_t+8j
		push	2
		mov	edx, offset ??_C@_11LOCGONAA@@FNODOBFM@
		pop	esi
		jmp	loc_4350A9
; END OF FUNCTION CHUNK	FOR _tlgCreate1Sz_wchar_t
; 
; START	OF FUNCTION CHUNK FOR MiLogProcessWorkingSetsStart

loc_5A98B7:				; CODE XREF: MiLogProcessWorkingSetsStart+38j
		mov	al, [ebx+2]
		xor	edx, edx
		mov	byte ptr [ebp+var_AD], al
		lea	eax, [ebp+var_AD]
		mov	[ebp+var_8C], eax
		mov	eax, [edi+0F00h]
		push	8
		pop	ecx
		mov	[ebp+var_88], edx
		movzx	eax, word ptr [eax+4BEh]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_6C], eax
		mov	eax, [ebx+2Ch]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_5C], eax
		mov	eax, [ebx+28h]
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_4C], eax
		mov	eax, [edi+0FC0h]
		mov	[ebp+var_D4], eax
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_3C], eax
		mov	eax, [edi+10C0h]
		mov	[ebp+var_DC], eax
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_2C], eax
		mov	eax, [edi+1118h]
		mov	[ebp+var_E4], eax
		lea	eax, [ebp+var_E4]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_AD+1]
		push	eax
		push	0Ah
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	[ebp+var_80], edx
		mov	[ebp+var_78], edx
		mov	[ebp+var_70], edx
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_C0], edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], edx
		mov	[ebp+var_C8], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], edx
		mov	[ebp+var_D0], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_D8], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_E0], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		mov	edx, offset loc_41CD4D
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_84], 1
		mov	[ebp+var_74], 2
		mov	[ebp+var_64], 4
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		jmp	loc_4350F6
; END OF FUNCTION CHUNK	FOR MiLogProcessWorkingSetsStart
; 
; START	OF FUNCTION CHUNK FOR MiLogProcessWorkingSetsStop

loc_5A99FA:				; CODE XREF: MiLogProcessWorkingSetsStop+34j
		mov	eax, [edi+0FC0h]
		mov	edx, offset loc_41CDF4
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_38], eax
		mov	eax, [edi+10C0h]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_68]
		push	8
		pop	ecx
		mov	[ebp+var_28], eax
		mov	eax, [edi+1118h]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_10], ecx
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		jmp	loc_435142
; END OF FUNCTION CHUNK	FOR MiLogProcessWorkingSetsStop
; 
; START	OF FUNCTION CHUNK FOR PsAddProcessEnergyValues

loc_5A9A6B:				; CODE XREF: PsAddProcessEnergyValues+9Cj
					; PsAddProcessEnergyValues+AEj
		or	eax, 0FFFFFFFFh
		jmp	loc_435A07
; 

loc_5A9A73:				; CODE XREF: PsAddProcessEnergyValues+C6j
					; PsAddProcessEnergyValues+D8j
		or	eax, 0FFFFFFFFh
		jmp	loc_435A31
; 

loc_5A9A7B:				; CODE XREF: PsAddProcessEnergyValues+F0j
					; PsAddProcessEnergyValues+102j
		or	eax, 0FFFFFFFFh
		jmp	loc_435A5B
; 

loc_5A9A83:				; CODE XREF: PsAddProcessEnergyValues+11Aj
					; PsAddProcessEnergyValues+12Cj
		or	eax, 0FFFFFFFFh
		jmp	loc_435A85
; 

loc_5A9A8B:				; CODE XREF: PsAddProcessEnergyValues+144j
					; PsAddProcessEnergyValues+156j
		or	eax, 0FFFFFFFFh
		jmp	loc_435AAF
; END OF FUNCTION CHUNK	FOR PsAddProcessEnergyValues
; 
; START	OF FUNCTION CHUNK FOR PspJobIoRateQueryHistory

loc_5A9A93:				; CODE XREF: PspJobIoRateQueryHistory+55j
		mov	edx, [ebp+var_8]
		mov	eax, [esi+368h]
		mov	[edx], eax
		mov	eax, [esi+36Ch]
		mov	[edx+4], eax
		mov	eax, [ebp+arg_0]
		mov	edx, [esi+370h]
		mov	[eax], ecx
		mov	ecx, edx
		mov	eax, [ebp+arg_4]
		sub	ecx, [esi+374h]
		mov	[esi+374h], edx
		mov	[eax], ecx
		jmp	loc_435C32
; END OF FUNCTION CHUNK	FOR PspJobIoRateQueryHistory
; 
; START	OF FUNCTION CHUNK FOR KeQuerySchedulingGroupHistory

loc_5A9ACA:				; CODE XREF: KeQuerySchedulingGroupHistory+CBj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_435EAB
; 

loc_5A9ADA:				; CODE XREF: KeQuerySchedulingGroupHistory+EDj
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_5A9AE2:				; CODE XREF: KeQuerySchedulingGroupHistory+D6j
		xor	ecx, ecx
		mov	[ebp+var_18], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_435EAB
; END OF FUNCTION CHUNK	FOR KeQuerySchedulingGroupHistory
; 
; START	OF FUNCTION CHUNK FOR KeQueryValuesThread

loc_5A9AF7:				; CODE XREF: KeQueryValuesThread+262j
		mov	eax, [esi+148h]
		cmp	eax, [ebp+var_18]
		jnz	loc_436128
		mov	ecx, 1Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5A9B0D:				; CODE XREF: RtlCopyBitMap+5Fj
		and	ebx, 1Fh
		mov	eax, 1
		cmp	esi, 20h
		jb	loc_5A9B9E
		mov	ecx, 20h
		sub	ecx, ebx
		mov	[ebp+arg_0], ecx
		mov	ecx, [edx]
		mov	edx, 1
		mov	[ebp+arg_4], ecx
		mov	ecx, [ebp+arg_0]
		shl	eax, cl
		mov	ecx, ebx
		dec	eax
		shl	edx, cl
		mov	[ebp+var_8], eax
		mov	ecx, eax
		not	eax
		dec	edx
		mov	[ebp+var_10], eax
		mov	eax, edx
		not	eax
		mov	[ebp+var_C], edx
		mov	[ebp+var_14], eax
		mov	eax, esi
		shr	eax, 5
		mov	[ebp+var_4], eax

loc_5A9B59:				; CODE XREF: KeQueryValuesThread+173CD7j
		mov	edx, [edi]
		sub	esi, 20h
		mov	eax, [ebp+var_C]
		and	edx, ecx
		and	eax, [ebp+arg_4]
		mov	ecx, ebx
		shl	edx, cl
		mov	ecx, [ebp+arg_0]
		or	eax, edx
		mov	edx, [ebp+arg_8]
		mov	[edx], eax
		add	edx, 4
		mov	eax, [edi]
		add	edi, 4
		and	eax, [ebp+var_10]
		shr	eax, cl
		mov	ecx, [ebp+var_14]
		and	ecx, [edx]
		or	ecx, eax
		mov	[ebp+arg_8], edx
		sub	[ebp+var_4], 1
		mov	[ebp+arg_4], ecx
		mov	[edx], ecx
		mov	ecx, [ebp+var_8]
		jnz	short loc_5A9B59
		mov	eax, 1

loc_5A9B9E:				; CODE XREF: KeQueryValuesThread+173C58j
		test	esi, esi
		jz	loc_43635B
		mov	edx, [edi]
		mov	ecx, 20h
		mov	[ebp+arg_0], edx
		sub	ecx, ebx
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_14], ecx
		mov	edx, [edx]
		mov	[ebp+arg_4], edx
		cmp	esi, ecx
		ja	short loc_5A9BE4
		mov	ecx, esi
		shl	eax, cl
		mov	ecx, ebx
		lea	edx, [eax-1]
		mov	eax, edx
		and	edx, [ebp+arg_0]
		shl	eax, cl
		not	eax
		shl	edx, cl
		mov	ecx, [ebp+arg_8]
		and	eax, [ebp+arg_4]
		or	eax, edx
		mov	[ecx], eax
		jmp	loc_43635B
; 

loc_5A9BE4:				; CODE XREF: KeQueryValuesThread+173CFFj
		mov	edx, eax
		shl	edx, cl
		mov	ecx, ebx
		shl	eax, cl
		dec	edx
		and	edx, [ebp+arg_0]
		dec	eax
		and	eax, [ebp+arg_4]
		shl	edx, cl
		lea	ecx, [ebx-20h]
		or	edx, eax
		add	ecx, esi
		mov	eax, [ebp+arg_8]
		mov	[eax], edx
		add	eax, 4
		mov	edx, 1
		mov	[ebp+arg_8], eax
		shl	edx, cl
		mov	ecx, [ebp+var_14]
		dec	edx
		mov	eax, edx
		not	edx
		shl	eax, cl
		and	eax, [edi]
		shr	eax, cl
		mov	ecx, [ebp+arg_8]
		and	edx, [ecx]
		or	edx, eax
		mov	[ecx], edx
		jmp	loc_43635B
; END OF FUNCTION CHUNK	FOR KeQueryValuesThread
; 
; START	OF FUNCTION CHUNK FOR RtlpCopyBitMapTailToHead

loc_5A9C2B:				; CODE XREF: RtlpCopyBitMapTailToHead+119j
		mov	esi, [eax+4]
		mov	dl, 1
		mov	eax, [ebp+var_4]
		add	esi, ebx
		shl	dl, cl
		dec	dl
		mov	eax, [eax+4]
		mov	al, [edi+eax]
		and	al, dl
		not	dl
		and	dl, [esi+edi]
		or	dl, al
		mov	eax, [ebp+var_C]
		mov	[esi+edi], dl
		mov	edx, [ebp+var_4]
		jmp	loc_43649D
; 

loc_5A9C56:				; CODE XREF: RtlpCopyBitMapTailToHead+6Ej
		add	[ebp+arg_4], 4
		add	ecx, 0FFFFFFE0h
		add	ecx, esi
		shl	edx, cl
		mov	ecx, [ebp+var_C]
		dec	edx
		mov	eax, edx
		not	edx
		shl	eax, cl
		and	eax, [ebp+var_8]
		shr	eax, cl
		mov	ecx, [ebp+arg_4]
		and	edx, [ecx]
		or	eax, edx
		mov	edx, ecx
		mov	ecx, [ebp+var_C]
		mov	[edx], eax
		xor	eax, eax
		inc	eax
		mov	edx, eax
		shl	edx, cl
		mov	ecx, esi
		dec	edx
		shl	eax, cl
		and	edx, [edi]
		shl	edx, cl
		dec	eax
		mov	ecx, [ebp+arg_0]
		and	eax, [ecx]
		jmp	loc_43640C
; END OF FUNCTION CHUNK	FOR RtlpCopyBitMapTailToHead
; 
; START	OF FUNCTION CHUNK FOR RtlpImageDirectoryEntryToDataEx

loc_5A9C99:				; CODE XREF: RtlpImageDirectoryEntryToDataEx+51j
		mov	edx, 20Bh
		cmp	ax, dx
		jnz	short loc_5A9CBA
		push	esi
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_4]
		mov	dl, bl
		push	[ebp+arg_0]
		call	_RtlpImageDirectoryEntryToData64@24 ; RtlpImageDirectoryEntryToData64(x,x,x,x,x,x)
		jmp	loc_436573
; 

loc_5A9CBA:				; CODE XREF: RtlpImageDirectoryEntryToDataEx+173797j
		mov	eax, 0C000000Dh
		jmp	loc_436573
; END OF FUNCTION CHUNK	FOR RtlpImageDirectoryEntryToDataEx
; 
; START	OF FUNCTION CHUNK FOR KeSetProcess

loc_5A9CC4:				; CODE XREF: KeSetProcess+94j
		push	0
		push	100h
		jmp	loc_43665E
; END OF FUNCTION CHUNK	FOR KeSetProcess
; 
; START	OF FUNCTION CHUNK FOR MiCreateNewProcessTopLevelMappings

loc_5A9CD0:				; CODE XREF: MiCreateNewProcessTopLevelMappings+34j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_43687A
; 

loc_5A9CE0:				; CODE XREF: MiCreateNewProcessTopLevelMappings+52j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid
		jmp	loc_436888
; END OF FUNCTION CHUNK	FOR MiCreateNewProcessTopLevelMappings
; 
; START	OF FUNCTION CHUNK FOR MiShadowTopLevelPxes

loc_5A9CED:				; CODE XREF: MiShadowTopLevelPxes+89j
		mov	ecx, [esp+28h+var_10]
		mov	ecx, [ecx+eax]
		mov	[esp+28h+var_14], ecx
		nop
		mov	ecx, [esp+28h+var_10]
		lea	edx, [eax+4]
		mov	eax, [eax]
		mov	[esp+28h+var_4], edx
		mov	ecx, [ecx+edx]
		mov	[esp+28h+var_18], ecx
		nop
		mov	edx, [edx]
		mov	[esp+28h+var_8], edx
		mov	edx, [esp+28h+var_C]
		cmp	[esp+28h+var_14], eax
		jnz	short loc_5A9D28
		cmp	ecx, [esp+28h+var_8]
		jz	loc_5A9DF6

loc_5A9D28:				; CODE XREF: MiShadowTopLevelPxes+1732CCj
		mov	ecx, [esp+28h+var_1C]
		mov	eax, [ecx]
		and	eax, 1
		or	eax, 0
		jz	short loc_5A9D4A
		push	[esp+28h+var_18]
		push	[esp+2Ch+var_14]
		push	1
		call	MiTransformValidPteInPlace
		jmp	loc_5A9DF6
; 

loc_5A9D4A:				; CODE XREF: MiShadowTopLevelPxes+1732E4j
		mov	ecx, [esp+28h+var_1C]
		mov	[esp+28h+var_8], 0
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_5A9DCD
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5A9D97
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	[esp+28h+var_8], 1
		jnz	short loc_5A9DCD
		mov	ecx, [esp+28h+var_14]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_5A9DCD
		mov	[esp+28h+var_14], ecx
		mov	ecx, [esp+28h+var_18]
		or	ecx, 80000000h
		jmp	short loc_5A9DD1
; 

loc_5A9D97:				; CODE XREF: MiShadowTopLevelPxes+173316j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_5A9DCD
		mov	ecx, [esp+28h+var_14]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_5A9DCD
		mov	[esp+28h+var_14], ecx
		mov	ecx, [esp+28h+var_18]
		or	ecx, 80000000h
		jmp	short loc_5A9DD1
; 

loc_5A9DCD:				; CODE XREF: MiShadowTopLevelPxes+17330Dj
					; MiShadowTopLevelPxes+173327j	...
		mov	ecx, [esp+28h+var_18]

loc_5A9DD1:				; CODE XREF: MiShadowTopLevelPxes+173345j
					; MiShadowTopLevelPxes+17337Bj
		mov	eax, [esp+28h+var_4]
		mov	[eax], ecx
		nop
		cmp	[esp+28h+var_8], 0
		mov	eax, [esp+28h+var_1C]
		mov	edx, [esp+28h+var_14]
		mov	[eax], edx
		jz	loc_436ADF
		push	ecx
		push	edx
		mov	ecx, eax
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_5A9DF6:				; CODE XREF: MiShadowTopLevelPxes+1732D2j
					; MiShadowTopLevelPxes+1732F5j
		mov	eax, [esp+28h+var_1C]
		jmp	loc_436ADF
; END OF FUNCTION CHUNK	FOR MiShadowTopLevelPxes
; 
; START	OF FUNCTION CHUNK FOR MiSyncSystemPdes

loc_5A9DFF:				; CODE XREF: MiSyncSystemPdes+3Fj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_436B5B
; END OF FUNCTION CHUNK	FOR MiSyncSystemPdes
; 
; START	OF FUNCTION CHUNK FOR MiInsertNewProcess

loc_5A9E0F:				; CODE XREF: MiInsertNewProcess+6Dj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_436C25
; 

loc_5A9E1F:				; CODE XREF: MiInsertNewProcess+8Bj
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid
		jmp	loc_436C30
; END OF FUNCTION CHUNK	FOR MiInsertNewProcess
; 
; START	OF FUNCTION CHUNK FOR MiPaeAllocate

loc_5A9E2C:				; CODE XREF: MiPaeAllocate+79j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_436CE9
; 

loc_5A9E3C:				; CODE XREF: MiPaeAllocate+9Bj
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_5A9E44:				; CODE XREF: MiPaeAllocate+84j
		xor	ecx, ecx
		mov	[ebp+var_18], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_436CE9
; 

loc_5A9E55:				; CODE XREF: MiPaeAllocate+C6j
		mov	edi, ecx
		jmp	loc_436D14
; 

loc_5A9E5C:				; CODE XREF: MiPaeAllocate+128j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_436D98
; 

loc_5A9E6C:				; CODE XREF: MiPaeAllocate+14Aj
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_5A9E74:				; CODE XREF: MiPaeAllocate+133j
		xor	ecx, ecx
		mov	[ebp+var_18], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_436D98
; 

loc_5A9E89:				; CODE XREF: MiPaeAllocate+33j
					; MiPaeAllocate+BAj
		xor	eax, eax
		jmp	loc_436C9C
; END OF FUNCTION CHUNK	FOR MiPaeAllocate
; 
; START	OF FUNCTION CHUNK FOR MiMakePartitionActive

loc_5A9E90:				; CODE XREF: MiMakePartitionActive+35j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_436E81
; 

loc_5A9EA0:				; CODE XREF: MiMakePartitionActive+57j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5A9EA8:				; CODE XREF: MiMakePartitionActive+40j
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	edi
		jmp	loc_436E81
; 

loc_5A9EBA:				; CODE XREF: MiMakePartitionActive+25j
		mov	edi, 0A0h
		mov	ecx, esi
		push	0
		mov	edx, edi
		call	MiChargeCommit
		test	eax, eax
		jnz	short loc_5A9F1A
		test	ds:byte_70EFC6,	1
		jz	short loc_5A9EE4
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5A9F13
; 

loc_5A9EE4:				; CODE XREF: MiMakePartitionActive+1730B1j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5A9F03
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5A9F13
		call	KxWaitForLockChainValid

loc_5A9F03:				; CODE XREF: MiMakePartitionActive+1730C5j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5A9F13:				; CODE XREF: MiMakePartitionActive+1730BEj
					; MiMakePartitionActive+1730D8j
		xor	edi, edi
		jmp	loc_436E81
; 

loc_5A9F1A:				; CODE XREF: MiMakePartitionActive+1730A8j
		and	dword ptr [esi+4], 0FFFFFFDFh
		mov	[esi+0D9Ch], edi
		xor	edi, edi
		inc	edi
		test	ds:byte_70EFC6,	1
		jz	short loc_5A9F3D
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5A9F69
; 

loc_5A9F3D:				; CODE XREF: MiMakePartitionActive+17310Aj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5A9F5C
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5A9F69
		call	KxWaitForLockChainValid

loc_5A9F5C:				; CODE XREF: MiMakePartitionActive+17311Ej
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	edi

loc_5A9F69:				; CODE XREF: MiMakePartitionActive+173117j
					; MiMakePartitionActive+173131j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, 0A0h
		mov	ecx, esi
		call	MiReturnCommit
		cmp	esi, offset _MiSystemPartition
		jz	loc_436E8A
		mov	ecx, esi
		call	MiSetSlabAllocatorPolicy
		jmp	loc_436E8A
; END OF FUNCTION CHUNK	FOR MiMakePartitionActive
; 
; START	OF FUNCTION CHUNK FOR PspUnlockProcessExclusive

loc_5A9F96:				; CODE XREF: PspUnlockProcessExclusive+177j
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5A9FA9:				; CODE XREF: PspUnlockProcessExclusive+104j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_43702A
; 

loc_5A9FC0:				; CODE XREF: PspUnlockProcessExclusive+1ABj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4370C1
; 

loc_5A9FCF:				; CODE XREF: PspUnlockProcessExclusive+1D5j
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_43703D
; END OF FUNCTION CHUNK	FOR PspUnlockProcessExclusive
; 
; START	OF FUNCTION CHUNK FOR MmSetMemoryPriorityProcess

loc_5A9FE1:				; CODE XREF: MmSetMemoryPriorityProcess+34j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_43715E
; END OF FUNCTION CHUNK	FOR MmSetMemoryPriorityProcess
; 
; START	OF FUNCTION CHUNK FOR PspWriteProcessSecurityDomain

loc_5A9FF1:				; CODE XREF: PspWriteProcessSecurityDomain+7Bj
					; PspWriteProcessSecurityDomain+172DAAj ...
		mov	esi, eax
		mov	[ebp+var_C], edx
		nop
		mov	ebx, [ebp+arg_0]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_5A9FF1
		cmp	edx, [ebp+var_C]
		jnz	short loc_5A9FF1
		jmp	loc_4372C0
; END OF FUNCTION CHUNK	FOR PspWriteProcessSecurityDomain
; 
; START	OF FUNCTION CHUNK FOR MiLocateLowestConflictingVad

loc_5AA00C:				; CODE XREF: MiLocateLowestConflictingVad+15j
					; MiLocateLowestConflictingVad+172D7Aj
		mov	ecx, [esi]
		mov	edx, esi
		test	ecx, ecx
		jz	short loc_5AA027
		cmp	dword ptr [ecx+4], 0
		jz	short loc_5AA03B

loc_5AA01A:				; CODE XREF: MiLocateLowestConflictingVad+172D4Dj
		mov	eax, [ecx+4]
		mov	ecx, eax
		cmp	dword ptr [eax+4], 0
		jnz	short loc_5AA01A
		jmp	short loc_5AA03B
; 

loc_5AA027:				; CODE XREF: MiLocateLowestConflictingVad+172D3Cj
		mov	ecx, [esi+8]
		jmp	short loc_5AA036
; 

loc_5AA02C:				; CODE XREF: MiLocateLowestConflictingVad+172D63j
		cmp	[ecx+4], edx
		jz	short loc_5AA03B
		mov	edx, ecx
		mov	ecx, [ecx+8]

loc_5AA036:				; CODE XREF: MiLocateLowestConflictingVad+172D54j
		and	ecx, 0FFFFFFFCh
		jnz	short loc_5AA02C

loc_5AA03B:				; CODE XREF: MiLocateLowestConflictingVad+172D42j
					; MiLocateLowestConflictingVad+172D4Fj	...
		test	ecx, ecx
		jz	short loc_5AA052
		mov	eax, [ecx+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	eax, edi
		jb	short loc_5AA052
		mov	esi, ecx
		jmp	short loc_5AA00C
; 

loc_5AA052:				; CODE XREF: MiLocateLowestConflictingVad+172D67j
					; MiLocateLowestConflictingVad+172D76j
		mov	eax, esi
		jmp	loc_4372F1
; END OF FUNCTION CHUNK	FOR MiLocateLowestConflictingVad
; 
; START	OF FUNCTION CHUNK FOR MiMakeHyperRangeAccessible

loc_5AA059:				; CODE XREF: MiMakeHyperRangeAccessible+135j
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		sub	ebx, 8
		jmp	loc_43738D
; 

loc_5AA071:				; CODE XREF: MiMakeHyperRangeAccessible+15Fj
		lea	eax, [ebp+var_30]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	_MiMakeHyperPteDemandZero@12 ; MiMakeHyperPteDemandZero(x,x,x)
		jmp	loc_43745D
; 

loc_5AA083:				; CODE XREF: MiMakeHyperRangeAccessible+D8j
		mov	ecx, offset unk_6D3C5C
		jmp	loc_4373DC
; 

loc_5AA08D:				; CODE XREF: MiMakeHyperRangeAccessible+FFj
		mov	edi, eax
		mov	[ecx], esi
		sub	edi, esi
		jmp	loc_4373FD
; 

loc_5AA098:				; CODE XREF: MiMakeHyperRangeAccessible+10Aj
		sub	eax, ebx
		add	edi, eax
		jmp	loc_437408
; 

loc_5AA0A1:				; CODE XREF: MiMakeHyperRangeAccessible+112j
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)
		jmp	loc_437410
; END OF FUNCTION CHUNK	FOR MiMakeHyperRangeAccessible
; 
; START	OF FUNCTION CHUNK FOR MiGetNextPageTable

loc_5AA0B0:				; CODE XREF: MiGetNextPageTable+10Bj
		shl	ecx, 9
		cmp	ecx, edx
		jnb	loc_43789F
		jmp	loc_43780B
; END OF FUNCTION CHUNK	FOR MiGetNextPageTable
; 
; START	OF FUNCTION CHUNK FOR MiFillHyperPtes

loc_5AA0C0:				; CODE XREF: MiFillHyperPtes+C9j
		test	edi, 0FFFh
		jnz	loc_437981
		jmp	loc_43799F
; END OF FUNCTION CHUNK	FOR MiFillHyperPtes
; 
; START	OF FUNCTION CHUNK FOR MiAllowWorkingSetExpansion

loc_5AA0D1:				; CODE XREF: MiAllowWorkingSetExpansion+3Cj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_437B72
; END OF FUNCTION CHUNK	FOR MiAllowWorkingSetExpansion
; 
; START	OF FUNCTION CHUNK FOR MiReturnWsToExpansionList

loc_5AA0E1:				; CODE XREF: MiReturnWsToExpansionList+Fj
		push	esi
		mov	esi, ds:dword_6D5D44
		cmp	[esi+4], edx
		jnz	loc_437BD8
		mov	[eax], esi
		mov	[eax+4], edx
		mov	[esi+4], eax
		mov	ds:dword_6D5D44, eax
		pop	esi
		jmp	loc_437BCF
; END OF FUNCTION CHUNK	FOR MiReturnWsToExpansionList
; 
; START	OF FUNCTION CHUNK FOR MiHyperSpaceSize

loc_5AA104:				; CODE XREF: MiHyperSpaceSize+7j
		mov	eax, 2000h
		mov	ds:dword_6D2E90, eax
		retn
; END OF FUNCTION CHUNK	FOR MiHyperSpaceSize
; 
; START	OF FUNCTION CHUNK FOR MiDeleteFinalPageTables

loc_5AA10F:				; CODE XREF: MiDeleteFinalPageTables+A1j
		mov	eax, [ebp+var_24]
		dec	word ptr [eax+13Eh]
		nop
		add	esi, 134h
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_28], esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_24]
		or	byte ptr [eax+304h], 1
		nop
		lea	eax, [ebp+var_5C]
		mov	edx, edi
		push	eax
		push	0
		mov	ecx, edi
		call	_MiDeleteVirtualAddresses@16 ; MiDeleteVirtualAddresses(x,x,x,x)
		mov	eax, [ebp+var_24]
		and	byte ptr [eax+304h], 0FEh
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5AA164
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5AA164:				; CODE XREF: MiDeleteFinalPageTables+172479j
		xor	edi, edi
		mov	[ebp+var_30], edi
		test	esi, 7FFFFFFCh
		jz	loc_5AA2F6
		mov	eax, [ebp+var_28]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_2C], esi
		cmp	eax, edx
		jb	short loc_5AA1BC
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_5AA1A7
		cmp	eax, edx
		jb	short loc_5AA1BC
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_5AA1BC

loc_5AA1A7:				; CODE XREF: MiDeleteFinalPageTables+1724B6j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_28]
		jmp	short loc_5AA1C2
; 

loc_5AA1BC:				; CODE XREF: MiDeleteFinalPageTables+1724ADj
					; MiDeleteFinalPageTables+1724BAj ...
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_38], ecx

loc_5AA1C2:				; CODE XREF: MiDeleteFinalPageTables+1724D8j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp+var_1D], dl
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_3C], ecx
		test	ecx, ecx
		jnz	short loc_5AA20D
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_5AA27D
		push	ecx
		push	[ebp+var_38]
		push	[ebp+var_28]
		push	esi
		push	162h
		jmp	loc_5AA31F
; 

loc_5AA20D:				; CODE XREF: MiDeleteFinalPageTables+172509j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5AA223
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_3C]

loc_5AA223:				; CODE XREF: MiDeleteFinalPageTables+172537j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_30], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		cmp	[ebp+var_1D], 1
		mov	ecx, eax
		jnz	short loc_5AA26D
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al
		jmp	short loc_5AA27D
; 

loc_5AA26D:				; CODE XREF: MiDeleteFinalPageTables+172577j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_2C]

loc_5AA27D:				; CODE XREF: MiDeleteFinalPageTables+172513j
					; MiDeleteFinalPageTables+172589j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_2C], eax
		jz	short loc_5AA2DE
		test	edi, 8000h
		jz	short loc_5AA2A1
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5AA2A1:				; CODE XREF: MiDeleteFinalPageTables+1725B4j
		test	byte ptr [ebp+var_30+2], 1
		jz	short loc_5AA2B1
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5AA2B1:				; CODE XREF: MiDeleteFinalPageTables+1725C3j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5AA2C5
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5AA2C5:				; CODE XREF: MiDeleteFinalPageTables+1725D6j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5AA2DE
		push	[ebp+var_2C]
		mov	edx, [ebp+var_28]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5AA2DE:				; CODE XREF: MiDeleteFinalPageTables+1725ACj
					; MiDeleteFinalPageTables+1725EDj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5AA2F6
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5AA2F6
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5AA2F6:				; CODE XREF: MiDeleteFinalPageTables+17248Dj
					; MiDeleteFinalPageTables+172605j ...
		mov	ecx, [ebp+var_24]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	esi, [ebp+var_40]
		mov	edx, [ebp+var_34]
		jmp	loc_437D89
; 

loc_5AA309:				; CODE XREF: MiDeleteFinalPageTables+C6j
		sub	eax, ds:_MmPfnDatabase
		push	ecx
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		push	eax
		push	esi
		push	3453h
		push	1Ah

loc_5AA31F:				; CODE XREF: MiDeleteFinalPageTables+172526j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5AA325:				; CODE XREF: KeFlushProcessTb+Aj
		push	0
		xor	edx, edx
		call	_HvlpSlowFlushAddressSpaceTb@12	; HvlpSlowFlushAddressSpaceTb(x,x,x)
		pop	ecx
		retn
; END OF FUNCTION CHUNK	FOR MiDeleteFinalPageTables
; 
; START	OF FUNCTION CHUNK FOR MiUnlinkProcessFromSession

loc_5AA330:				; CODE XREF: MiUnlinkProcessFromSession+BBj
		mov	[ecx+1DCh], ebx
		jmp	loc_437E85
; 

loc_5AA33B:				; CODE XREF: MiUnlinkProcessFromSession+76j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_437EDC
; 

loc_5AA34B:				; CODE XREF: MiUnlinkProcessFromSession+94j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid
		jmp	loc_437EEA
; END OF FUNCTION CHUNK	FOR MiUnlinkProcessFromSession
; 
; START	OF FUNCTION CHUNK FOR MiDeleteProcessShadow

loc_5AA358:				; CODE XREF: MiDeleteProcessShadow+42j
		mov	[esp+40h+var_31], 21h
		jmp	loc_437FE1
; 

loc_5AA362:				; CODE XREF: MiDeleteProcessShadow+71j
		mov	dl, al
		mov	ecx, edi
		call	MiUnlockWorkingSetExclusive
		jmp	loc_4380E7
; 

loc_5AA370:				; CODE XREF: MiDeleteProcessShadow+ABj
					; MiDeleteProcessShadow+B3j
		mov	esi, ebx
		mov	[esp+40h+var_28], edx
		mov	ecx, edx
		mov	eax, esi
		and	ecx, 7FFFFFFFh
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, eax
		cmp	ebx, esi
		jnz	short loc_5AA395
		cmp	edx, [esp+40h+var_28]
		jz	loc_437FC1

loc_5AA395:				; CODE XREF: MiDeleteProcessShadow+172481j
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jnz	loc_437FAF
		jmp	loc_437FC1
; 

loc_5AA3A8:				; CODE XREF: MiDeleteProcessShadow+EEj
		mov	edx, eax
		lea	ecx, [esp+40h+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_43800A
; 

loc_5AA3B8:				; CODE XREF: MiDeleteProcessShadow+151j
		mov	edx, [ebp+4]
		lea	ecx, [esp+40h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_438085
; 

loc_5AA3C9:				; CODE XREF: MiDeleteProcessShadow+177j
		lea	ecx, [esp+40h+var_C]
		call	KxWaitForLockChainValid
		jmp	loc_4380FC
; END OF FUNCTION CHUNK	FOR MiDeleteProcessShadow
; 
; START	OF FUNCTION CHUNK FOR MiContractPagingFiles

loc_5AA3D7:				; CODE XREF: MiContractPagingFiles+3Fj
		cmp	dword ptr [edx+0Ch], 4000h
		ja	loc_43816B
		jmp	loc_438163
; 

loc_5AA3E9:				; CODE XREF: MiContractPagingFiles+4Fj
		lea	ebx, [edi+340h]
		push	ebx
		lea	esi, [edi+11Ch]
		call	ExAcquireSpinLockExclusive
		cmp	dword ptr [esi+10h], 0FFFFFFFFh
		mov	byte ptr [ebp+var_4], al
		jnz	short loc_5AA418
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_438173
; 

loc_5AA418:				; CODE XREF: MiContractPagingFiles+1722E4j
		push	[ebp+var_4]
		and	dword ptr [esi], 0
		xor	edx, edx
		or	byte ptr [esi+2Fh], 10h
		mov	ecx, esi
		or	dword ptr [esi+10h], 0FFFFFFFFh
		mov	[esi+0Ch], edi
		call	_MiQueuePageFileExtension@12 ; MiQueuePageFileExtension(x,x,x)
		jmp	loc_438173
; END OF FUNCTION CHUNK	FOR MiContractPagingFiles
; 
; START	OF FUNCTION CHUNK FOR MiPaeFree

loc_5AA437:				; CODE XREF: MiPaeFree+21j
		mov	ebx, ds:dword_6D0620
		lea	edx, [ebp+var_14]
		mov	edi, esi
		mov	[ebp+var_8], ebx
		mov	ecx, offset dword_6D0654
		and	edi, 0FFFFF000h
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		sub	dword ptr [edi+0Ch], 1
		jnz	loc_5AA525
		cmp	ds:dword_6D062C, 0A00h
		jbe	loc_5AA525
		mov	eax, ebx
		xor	edx, edx
		shl	eax, 5
		mov	[ebp+var_4], eax
		lea	ecx, [eax+edi]
		xor	eax, eax
		lea	ebx, [eax+1]
		mov	eax, 80h
		div	[ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_8], edx
		cmp	edx, 1
		jbe	short loc_5AA4C2
		mov	eax, [ebp+var_4]

loc_5AA496:				; CODE XREF: MiPaeFree+172300j
		cmp	ecx, esi
		jz	short loc_5AA4BB
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jnz	loc_5AA55C
		cmp	[eax], ecx
		jnz	loc_5AA55C
		mov	[eax], edx
		mov	[edx+4], eax
		mov	edx, [ebp+var_8]
		mov	eax, [ebp+var_4]

loc_5AA4BB:				; CODE XREF: MiPaeFree+1722D8j
		add	ecx, eax
		inc	ebx
		cmp	ebx, edx
		jb	short loc_5AA496

loc_5AA4C2:				; CODE XREF: MiPaeFree+1722D1j
		xor	ebx, ebx
		inc	ebx
		mov	eax, ebx
		sub	eax, edx
		add	ds:dword_6D062C, eax
		test	ds:byte_70EFC6,	bl
		jz	short loc_5AA4E4
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5AA510
; 

loc_5AA4E4:				; CODE XREF: MiPaeFree+172315j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5AA503
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5AA510
		call	KxWaitForLockChainValid

loc_5AA503:				; CODE XREF: MiPaeFree+172329j
		mov	[ebp+var_14], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_5AA510:				; CODE XREF: MiPaeFree+172322j
					; MiPaeFree+17233Cj
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	_MiPaeFreePage@4 ; MiPaeFreePage(x)
		jmp	loc_4381F3
; 

loc_5AA525:				; CODE XREF: MiPaeFree+172299j
					; MiPaeFree+1722A9j
		mov	eax, ds:dword_6D0634
		mov	ecx, offset dword_6D0630
		cmp	[eax], ecx
		jnz	short loc_5AA55C
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		inc	ds:dword_6D062C
		test	ds:byte_70EFC6,	1
		mov	ds:dword_6D0634, esi
		jz	short loc_5AA561
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5AA590
; 

loc_5AA55C:				; CODE XREF: MiPaeFree+1722E2j
					; MiPaeFree+1722EAj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5AA561:				; CODE XREF: MiPaeFree+17238Dj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5AA580
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5AA590
		call	KxWaitForLockChainValid

loc_5AA580:				; CODE XREF: MiPaeFree+1723A6j
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5AA590:				; CODE XREF: MiPaeFree+17239Aj
					; MiPaeFree+1723B9j
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4381F3
; END OF FUNCTION CHUNK	FOR MiPaeFree
; 
; START	OF FUNCTION CHUNK FOR ExCleanupAutoExpandPushLock

loc_5AA59E:				; CODE XREF: ExCleanupAutoExpandPushLock+Ej
		and	ecx, 0FFFFFFF8h
		call	_ExpFreeFannedOutPushLock@4 ; ExpFreeFannedOutPushLock(x)
		jmp	loc_438212
; END OF FUNCTION CHUNK	FOR ExCleanupAutoExpandPushLock
; 
; START	OF FUNCTION CHUNK FOR MiUnlinkWorkingSet

loc_5AA5AB:				; CODE XREF: MiUnlinkWorkingSet+E8j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_43838B
; 

loc_5AA5BA:				; CODE XREF: MiUnlinkWorkingSet+105j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5AA5C1:				; CODE XREF: MiUnlinkWorkingSet+F2j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_43838B
; 

loc_5AA5D5:				; CODE XREF: MiUnlinkWorkingSet+9Bj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_438336
; END OF FUNCTION CHUNK	FOR MiUnlinkWorkingSet
; 
; START	OF FUNCTION CHUNK FOR MiPaeUpdateSelfMap

loc_5AA5E4:				; CODE XREF: MiPaeUpdateSelfMap+49j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5AA5FF
		xor	ebx, ebx
		inc	ebx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	loc_438403
		jmp	short loc_5AA61B
; 

loc_5AA5FF:				; CODE XREF: MiPaeUpdateSelfMap+172237j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_438403

loc_5AA61B:				; CODE XREF: MiPaeUpdateSelfMap+172249j
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_438403
		or	edx, 80000000h
		jmp	loc_438403
; 

loc_5AA634:				; CODE XREF: MiPaeUpdateSelfMap+58j
		push	edx
		push	esi
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_438412
; END OF FUNCTION CHUNK	FOR MiPaeUpdateSelfMap
; 
; START	OF FUNCTION CHUNK FOR CcPerfLogFlushCache

loc_5AA642:				; CODE XREF: CcPerfLogFlushCache+5Ej
		mov	ecx, eax
		xor	eax, esi
		cmp	eax, 7
		jb	loc_438669
		jmp	loc_43871C
; 

loc_5AA654:				; CODE XREF: CcPerfLogFlushCache+9Ej
		or	eax, 4
		mov	[ebp+var_14], eax
		jmp	loc_4386BA
; END OF FUNCTION CHUNK	FOR CcPerfLogFlushCache
; 
; START	OF FUNCTION CHUNK FOR CcPerfLogFlushSection

loc_5AA65F:				; CODE XREF: CcPerfLogFlushSection+30j
		mov	ecx, edi
		call	_CcSlowReferenceSharedCacheMapFileObject@4 ; CcSlowReferenceSharedCacheMapFileObject(x)
		mov	esi, eax
		jmp	loc_43876E
; 

loc_5AA66D:				; CODE XREF: CcPerfLogFlushSection+52j
		mov	ecx, eax
		xor	eax, esi
		cmp	eax, 7
		jb	loc_43877F
		jmp	loc_4387F4
; END OF FUNCTION CHUNK	FOR CcPerfLogFlushSection
; 
; START	OF FUNCTION CHUNK FOR CcScheduleReadAheadEx

loc_5AA67F:				; CODE XREF: CcScheduleReadAheadEx+3BCj
		imul	edx, [esp+58h+var_40]
		push	ebx
		push	64h
		mov	eax, edx
		mul	ecx
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, eax
		cmp	edx, ebx
		ja	short loc_5AA69D
		cmp	ecx, 0FFFFFFFFh
		jbe	short loc_5AA6A2

loc_5AA69D:				; CODE XREF: CcScheduleReadAheadEx+171D8Cj
		or	ecx, 0FFFFFFFFh
		mov	edx, ebx

loc_5AA6A2:				; CODE XREF: CcScheduleReadAheadEx+171D91j
		cmp	edx, ebx
		jb	short loc_5AA6BB
		ja	short loc_5AA6B4
		mov	eax, [esp+58h+var_20]
		cmp	ecx, eax
		jbe	loc_438B3C

loc_5AA6B4:				; CODE XREF: CcScheduleReadAheadEx+171D9Cj
		mov	eax, ecx
		jmp	loc_438B3C
; 

loc_5AA6BB:				; CODE XREF: CcScheduleReadAheadEx+171D9Aj
		mov	eax, [esp+58h+var_20]
		jmp	loc_438B3C
; 

loc_5AA6C4:				; CODE XREF: CcScheduleReadAheadEx+26Ej
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_438B83
; 

loc_5AA6D3:				; CODE XREF: CcScheduleReadAheadEx+304j
		mov	edx, [ebp+4]
		lea	ecx, [esp+58h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_438C3A
; 

loc_5AA6E4:				; CODE XREF: CcScheduleReadAheadEx+371j
		call	CcPostWorkQueueCachemapUninit
		jmp	loc_438A85
; 

loc_5AA6EE:				; CODE XREF: CcScheduleReadAheadEx+292j
		call	[esp+58h+var_10]
		mov	ecx, edi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		and	dword ptr [esi], 0FFFEFFFFh
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5AA718
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5AA71D
; 

loc_5AA718:				; CODE XREF: CcScheduleReadAheadEx+171E00j
		xor	eax, eax
		lock and [edi],	eax

loc_5AA71D:				; CODE XREF: CcScheduleReadAheadEx+171E0Cj
		mov	cl, bl
		jmp	loc_438A7F
; 

loc_5AA724:				; CODE XREF: CcScheduleReadAheadEx+162j
		mov	edx, [ebp+4]
		mov	ecx, [esp+58h+var_14]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_438A7B
; END OF FUNCTION CHUNK	FOR CcScheduleReadAheadEx
; 
; START	OF FUNCTION CHUNK FOR CcChargeThreadForReadAhead

loc_5AA735:				; CODE XREF: CcChargeThreadForReadAhead+96j
		mov	eax, large fs:124h
		jmp	loc_438EBC
; 

loc_5AA740:				; CODE XREF: CcChargeThreadForReadAhead+17j
		push	ebx
		push	ebx
		push	0C0000420h
		push	5F8h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5AA754:				; CODE XREF: CcSetDirtyPinnedData+540j
		push	0
		push	0
		push	0C0000420h
		push	0E7Ah
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AA769:				; CODE XREF: CcSetDirtyPinnedData+7Dj
		mov	dl, al
		mov	ecx, ebx
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_438FDE
; END OF FUNCTION CHUNK	FOR CcChargeThreadForReadAhead
; 
; START	OF FUNCTION CHUNK FOR CcSetDirtyPinnedData

loc_5AA777:				; CODE XREF: CcSetDirtyPinnedData+A8j
					; CcSetDirtyPinnedData+17187Bj
		test	edx, 40000000h
		jnz	short loc_5AA791
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_5AA79F

loc_5AA791:				; CODE XREF: CcSetDirtyPinnedData+17184Dj
		lea	ecx, [esp+40h+var_28]
		call	KeYieldProcessorEx
		mov	eax, ds:dword_6CF3C0

loc_5AA79F:				; CODE XREF: CcSetDirtyPinnedData+17185Fj
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5AA777
		jmp	loc_438FDE
; 

loc_5AA7B2:				; CODE XREF: CcSetDirtyPinnedData+B5j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_438FF5
; 

loc_5AA7C1:				; CODE XREF: CcSetDirtyPinnedData+DBj
		push	0
		push	0
		push	0C0000420h
		push	1314h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AA7D6:				; CODE XREF: CcSetDirtyPinnedData+150j
		xor	ebx, ebx
		jmp	loc_439150
; 

loc_5AA7DD:				; CODE XREF: CcSetDirtyPinnedData+4E0j
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	loc_439416
; 

loc_5AA7EB:				; CODE XREF: CcSetDirtyPinnedData+1CEj
					; CcSetDirtyPinnedData+1D6j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_43910F
; 

loc_5AA7FB:				; CODE XREF: CcSetDirtyPinnedData+3C4j
		mov	edx, [ebp+4]
		lea	ecx, [esp+54h+var_20]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_439320
; 

loc_5AA80C:				; CODE XREF: CcSetDirtyPinnedData+2FBj
					; CcSetDirtyPinnedData+304j
		mov	[ebx+28h], eax
		mov	[ebx+2Ch], ecx
		jmp	loc_43923A
; 

loc_5AA817:				; CODE XREF: CcSetDirtyPinnedData+12Dj
		push	0
		push	0
		push	0C0000420h
		push	0EDAh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5AA82D:				; CODE XREF: CcPostWorkQueueRegular+104j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_439682
; END OF FUNCTION CHUNK	FOR CcSetDirtyPinnedData
; 
; START	OF FUNCTION CHUNK FOR CcPostWorkQueueRegular

loc_5AA837:				; CODE XREF: CcPostWorkQueueRegular+97j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4396B1
; END OF FUNCTION CHUNK	FOR CcPostWorkQueueRegular
; 
; START	OF FUNCTION CHUNK FOR IopSetDiskIoAttributionFromProcess

loc_5AA847:				; CODE XREF: IopSetDiskIoAttributionFromProcess+1Ej
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edx, [ebp+var_4]
		push	0
		push	eax
		call	IopSetDiskIoAttributionExtension
		test	eax, eax
		js	loc_4397CC
		xor	eax, eax
		jmp	loc_4397CC
; END OF FUNCTION CHUNK	FOR IopSetDiskIoAttributionFromProcess
; 
; START	OF FUNCTION CHUNK FOR IopReferenceIoAttributionFromProcess

loc_5AA869:				; CODE XREF: IopReferenceIoAttributionFromProcess+3Bj
		mov	eax, [ebp+arg_0]
		mov	ecx, [esi+0Ch]
		mov	[eax], ecx
		jmp	loc_439920
; END OF FUNCTION CHUNK	FOR IopReferenceIoAttributionFromProcess
; 
; START	OF FUNCTION CHUNK FOR CcPerfLogWorkItemEnqueue

loc_5AA876:				; CODE XREF: CcPerfLogWorkItemEnqueue+2Dj
		mov	bl, 1
		jmp	loc_4399A7
; 

loc_5AA87D:				; CODE XREF: CcPerfLogWorkItemEnqueue+70j
		lea	eax, [edi+44h]
		mov	ecx, eax
		mov	[ebp+var_38], eax
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_5AA899
		mov	ecx, edi
		call	_CcSlowReferenceSharedCacheMapFileObject@4 ; CcSlowReferenceSharedCacheMapFileObject(x)
		mov	esi, eax

loc_5AA899:				; CODE XREF: CcPerfLogWorkItemEnqueue+170F46j
		mov	edi, [ebp+var_38]
		mov	ecx, [esi+0Ch]
		mov	[ebp+var_C], ecx
		mov	ecx, [edi]
		mov	edx, ecx
		xor	edx, esi
		cmp	edx, 7
		jnb	short loc_5AA8C3

loc_5AA8AD:				; CODE XREF: CcPerfLogWorkItemEnqueue+170F79j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_5AA8CE
		mov	ecx, eax
		xor	eax, esi
		cmp	eax, 7
		jb	short loc_5AA8AD

loc_5AA8C3:				; CODE XREF: CcPerfLogWorkItemEnqueue+170F63j
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag

loc_5AA8CE:				; CODE XREF: CcPerfLogWorkItemEnqueue+170F70j
		mov	esi, [ebp+var_34]
		jmp	loc_4399CA
; 

loc_5AA8D6:				; CODE XREF: CcPerfLogWorkItemEnqueue+13Bj
		mov	[ebp+var_7], 4
		jmp	loc_4399CA
; END OF FUNCTION CHUNK	FOR CcPerfLogWorkItemEnqueue
; 
; START	OF FUNCTION CHUNK FOR KiSetThreadSchedulingGroup

loc_5AA8DF:				; CODE XREF: KiSetThreadSchedulingGroup+32j
					; KiSetThreadSchedulingGroup+170E3Fj
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5AA8DF
		jmp	loc_439AD9
; 

loc_5AA8F2:				; CODE XREF: KiSetThreadSchedulingGroup+9Dj
		mov	ebx, large fs:20h
		mov	edx, esi
		movsx	eax, byte ptr [esi+87h]
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		push	eax
		call	_KiRemoveThreadFromSharedReadyQueue@12 ; KiRemoveThreadFromSharedReadyQueue(x,x,x)
		mov	ecx, esi
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		jmp	loc_439B13
; 

loc_5AA919:				; CODE XREF: KiSetThreadSchedulingGroup+7Bj
		lea	eax, [esi+9Ch]
		mov	ecx, ebx
		and	dword ptr [eax], 0
		lea	edx, [ebp+var_14]
		mov	[ebp+var_14], eax
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		jmp	loc_439B2D
; END OF FUNCTION CHUNK	FOR KiSetThreadSchedulingGroup
; 
; START	OF FUNCTION CHUNK FOR CcPerformReadAhead

loc_5AA934:				; CODE XREF: CcPerformReadAhead+12Aj
		mov	[ebp+var_68], 1
		mov	eax, [edx+54h]
		mov	[ebp+var_6C], eax
		jmp	loc_439C86
; 

loc_5AA946:				; CODE XREF: CcPerformReadAhead+137j
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_38]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	edx, [ebp+var_44]
		mov	[ebp+var_1C], edx
		mov	esi, [ebp+var_20]
		jmp	loc_439C9B
; 

loc_5AA95F:				; CODE XREF: CcPerformReadAhead+157j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_34]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_439CD3
; 

loc_5AA96F:				; CODE XREF: CcPerformReadAhead+242j
		mov	ecx, [ebp+var_6C]
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jz	short loc_5AA98A
		cmp	esi, ecx
		ja	short loc_5AA982
		mov	ecx, esi
		mov	[ebp+var_1C], ecx

loc_5AA982:				; CODE XREF: CcPerformReadAhead+170E25j
		mov	[ebp+var_70], ecx
		jmp	loc_439DA6
; 

loc_5AA98A:				; CODE XREF: CcPerformReadAhead+170E21j
		push	edi
		push	edi
		push	0C0000420h
		push	0A2Fh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AA99D:				; CODE XREF: CcPerformReadAhead+26Dj
		mov	eax, edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_70], eax
		jmp	loc_439DC9
; END OF FUNCTION CHUNK	FOR CcPerformReadAhead

;  S U B	R O U T	I N E 


sub_5AA9AA	proc near		; DATA XREF: .text:006A08C8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	ecx, [eax]
		mov	[ebp-0A4h], ecx
		call	_CcExceptionFilter@4 ; CcExceptionFilter(x)
		retn
sub_5AA9AA	endp


;  S U B	R O U T	I N E 


sub_5AA9BD	proc near		; DATA XREF: .text:006A08CCo
		mov	esp, [ebp-18h]
		xor	edi, edi
		jmp	loc_439E85
sub_5AA9BD	endp

; 

loc_5AA9C7:				; DATA XREF: .text:006A08C0o
		xor	edi, edi
		jmp	sub_439EF8
; 
; START	OF FUNCTION CHUNK FOR sub_439EF8

loc_5AA9CE:				; CODE XREF: sub_439EF8+88j
		mov	edx, [ebp+4]
		lea	ecx, [esi+50h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_439F8E
; 

loc_5AA9DE:				; CODE XREF: sub_439EF8+9Dj
		mov	edx, [ebp+4]
		lea	ecx, [ebp-34h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_439FB9
; 

loc_5AA9EE:				; CODE XREF: sub_439EF8+104j
		mov	edx, [ebp+4]
		lea	ecx, [ebp-34h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_43A01C
; END OF FUNCTION CHUNK	FOR sub_439EF8
; 
; START	OF FUNCTION CHUNK FOR KiRemoveThreadFromSchedulingGroup

loc_5AA9FE:				; CODE XREF: KiRemoveThreadFromSchedulingGroup+78j
					; KiRemoveThreadFromSchedulingGroup+170980j
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5AA9FE
		jmp	loc_43A0FD
; END OF FUNCTION CHUNK	FOR KiRemoveThreadFromSchedulingGroup
; 

loc_5AAA11:				; CODE XREF: .text:0043A2E9j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_43A281
; 

loc_5AAA1B:				; CODE XREF: .text:0043A288j
		mov	edx, [ebp+4]
		lea	ecx, [ebp-10h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_43A2AC
; 
; START	OF FUNCTION CHUNK FOR MmDoesFileHaveUserWritableReferences

loc_5AAA2B:				; CODE XREF: MmDoesFileHaveUserWritableReferences+2Bj
		mov	dl, al
		mov	ecx, esi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_43A39B
; 

loc_5AAA39:				; CODE XREF: MmDoesFileHaveUserWritableReferences+55j
					; MmDoesFileHaveUserWritableReferences+17072Cj
		test	edx, 40000000h
		jnz	short loc_5AAA53
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_5AAA60

loc_5AAA53:				; CODE XREF: MmDoesFileHaveUserWritableReferences+1706FFj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, ds:dword_6CF3C0

loc_5AAA60:				; CODE XREF: MmDoesFileHaveUserWritableReferences+170711j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5AAA39
		jmp	loc_43A39B
; 

loc_5AAA73:				; CODE XREF: MmDoesFileHaveUserWritableReferences+6Cj
		push	offset dword_6CF3C0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		jmp	loc_43A354
; 

loc_5AAA8D:				; CODE XREF: MmDoesFileHaveUserWritableReferences+79j
		mov	edx, [ebp+4]
		mov	ecx, offset dword_6CF3C0
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_43A3C9
; 

loc_5AAA9F:				; CODE XREF: MmDoesFileHaveUserWritableReferences+9Dj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_43A3E9
; END OF FUNCTION CHUNK	FOR MmDoesFileHaveUserWritableReferences
; 
; START	OF FUNCTION CHUNK FOR MiDoesControlAreaHaveUserWritableReferences

loc_5AAAAE:				; CODE XREF: MiDoesControlAreaHaveUserWritableReferences+10j
					; MiDoesControlAreaHaveUserWritableReferences+19j
		cmp	ds:dword_6D525C, ecx
		jnz	short loc_5AAABC
		add	edx, 0FFFFFFFFh
		adc	esi, 0FFFFFFFFh

loc_5AAABC:				; CODE XREF: MiDoesControlAreaHaveUserWritableReferences+17068Cj
		test	esi, esi
		jnz	short loc_5AAAC9
		cmp	edx, 1
		jbe	loc_43A447

loc_5AAAC9:				; CODE XREF: MiDoesControlAreaHaveUserWritableReferences+170696j
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR MiDoesControlAreaHaveUserWritableReferences
; 
; START	OF FUNCTION CHUNK FOR MiDereferenceControlAreaPfnList

loc_5AAACE:				; CODE XREF: MiDereferenceControlAreaPfnList+46j
		or	dl, 0FFh
		mov	ecx, ebx
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_43A4C2
; 

loc_5AAADD:				; CODE XREF: MiDereferenceControlAreaPfnList+35j
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al
		jmp	loc_43A4C2
; 

loc_5AAAEB:				; CODE XREF: MiDereferenceControlAreaPfnList+15Aj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5AAAF2:				; CODE XREF: MiDereferenceControlAreaPfnList+9Dj
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_43A4F9
; 

loc_5AAB01:				; CODE XREF: MiDereferenceControlAreaPfnList+90j
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_43A4F9
; END OF FUNCTION CHUNK	FOR MiDereferenceControlAreaPfnList
; 
; START	OF FUNCTION CHUNK FOR ExpWaitForSpinLockExclusiveAndAcquire

loc_5AAB15:				; CODE XREF: ExpWaitForSpinLockExclusiveAndAcquire+2Cj
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_43A6C2
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		mov	edx, [ebp+var_4]
		jmp	loc_43A6C4
; END OF FUNCTION CHUNK	FOR ExpWaitForSpinLockExclusiveAndAcquire
; 
; START	OF FUNCTION CHUNK FOR MiInitializePageAccessLogging

loc_5AAB30:				; CODE XREF: MiInitializePageAccessLogging+34j
		test	al, al
		jnz	short loc_5AAB42
		lea	eax, [ecx-240h]
		mov	[esi+2Ch], eax
		jmp	loc_43A74F
; 

loc_5AAB42:				; CODE XREF: MiInitializePageAccessLogging+170420j
		mov	dword ptr [esi+2Ch], 1
		mov	eax, [ecx-0B8h]
		mov	[esi+30h], eax
		jmp	loc_43A74F
; END OF FUNCTION CHUNK	FOR MiInitializePageAccessLogging
; 
; START	OF FUNCTION CHUNK FOR ExAcquireAutoExpandPushLockShared

loc_5AAB57:				; CODE XREF: ExAcquireAutoExpandPushLockShared+28j
		push	0
		push	0
		push	esi
		push	eax
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AAB67:				; CODE XREF: ExAcquireAutoExpandPushLockShared+47j
		xor	edi, edi
		jmp	loc_43A890
; 

loc_5AAB6E:				; CODE XREF: ExAcquireAutoExpandPushLockShared+189j
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	loc_43A90F
; 

loc_5AAB7C:				; CODE XREF: ExAcquireAutoExpandPushLockShared+C2j
					; ExAcquireAutoExpandPushLockShared+D3j
		mov	ecx, [edi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_43A85C
; 

loc_5AAB8C:				; CODE XREF: ExAcquireAutoExpandPushLockShared+116j
		push	esi
		and	ecx, 0FFFFFFF8h
		mov	edx, edi
		call	@ExpAcquireFannedOutPushLockShared@12 ;	ExpAcquireFannedOutPushLockShared(x,x,x)
		mov	esi, eax
		jmp	loc_43A8AE
; END OF FUNCTION CHUNK	FOR ExAcquireAutoExpandPushLockShared
; 
; START	OF FUNCTION CHUNK FOR MiAllowReadInProgress

loc_5AAB9E:				; CODE XREF: MiAllowReadInProgress+15j
		and	edx, 0FFFFFFFEh
		cmp	byte ptr [edx],	5
		jnz	loc_43ABE7
		test	byte ptr [edx+1Ch], 4
		jz	loc_43ABE7
		mov	eax, 0C0000017h
		retn
; END OF FUNCTION CHUNK	FOR MiAllowReadInProgress
; 
; START	OF FUNCTION CHUNK FOR MiWaitForCollidedFaultComplete

loc_5AABBA:				; CODE XREF: MiWaitForCollidedFaultComplete+4Fj
		xor	eax, eax
		mov	dword ptr [ecx], 1
		inc	eax
		jmp	loc_43AC57
; 

loc_5AABC8:				; CODE XREF: MiWaitForCollidedFaultComplete+6Cj
		mov	dword ptr [ecx], 1
		mov	ecx, edi
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	ecx, [ebp+arg_8]
		mov	eax, [ecx]

loc_5AABDA:				; CODE XREF: MiWaitForCollidedFaultComplete+3Aj
					; MiWaitForCollidedFaultComplete+59j
		cmp	eax, 1
		jnz	loc_43AC72
		test	esi, esi
		jz	loc_43AC72
		mov	ecx, esi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	ecx, esi
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	loc_43AC77
; 

loc_5AAC09:				; CODE XREF: MiWaitForCollidedFaultComplete+127j
		mov	al, [edi+17h]
		mov	ecx, edi
		and	al, 10h
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 0FFFFFBE3h
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		lea	eax, [esi-3FFFFBCCh]
		jmp	loc_43AD53
; END OF FUNCTION CHUNK	FOR MiWaitForCollidedFaultComplete
; 
; START	OF FUNCTION CHUNK FOR KeAbPostReleaseEx

loc_5AAC2D:				; CODE XREF: KeAbPostReleaseEx+18j
		mov	edi, large fs:124h
		shr	edx, 1
		movzx	eax, dl
		imul	edx, eax, 30h
		add	edx, [edi+1E8h]
		mov	[ebp+var_4], edx
		mov	eax, [edx+10h]
		and	eax, 0FFFFFFFCh
		or	eax, 80000000h
		cmp	eax, ecx
		jz	loc_43AE55
		push	0
		push	edx
		push	ecx
		push	edi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AAC67:				; CODE XREF: KeAbPostReleaseEx+61j
		mov	al, 1
		lea	esi, [edi+222h]
		mov	ecx, edx
		shl	al, cl
		lock or	[esi], al
		jmp	loc_43AEA3
; END OF FUNCTION CHUNK	FOR KeAbPostReleaseEx
; 
; START	OF FUNCTION CHUNK FOR ExBlockOnAddressPushLock

loc_5AAC7B:				; CODE XREF: ExBlockOnAddressPushLock+68j
		mov	ax, [esi]
		movzx	ecx, ax
		mov	eax, [ebp+arg_0]
		cmp	cx, [eax]
		jmp	loc_43B058
; END OF FUNCTION CHUNK	FOR ExBlockOnAddressPushLock
; 
; START	OF FUNCTION CHUNK FOR ExTimedWaitForUnblockPushLock

loc_5AAC8C:				; CODE XREF: ExTimedWaitForUnblockPushLock+40j
		rdtsc
		mov	ebx, eax
		mov	eax, edx
		xor	edx, edx
		mov	[ebp+var_C], eax
		add	ecx, ebx
		mov	[ebp+var_4], ecx
		adc	edx, eax
		mov	[ebp+var_18], edx

loc_5AACA1:				; CODE XREF: ExTimedWaitForUnblockPushLock+16FAF3j
		mov	eax, edi
		xor	ecx, ecx
		xor	edx, edx
		invlpg	dl
		mov	eax, [edi]
		test	al, 2
		jz	loc_43B289
		mov	ecx, [ebp+var_C]
		rdtsc
		mov	[ebp+var_14], ebx
		mov	ebx, eax
		mov	eax, edx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], eax
		cmp	eax, ecx
		jb	short loc_5AACF1
		ja	short loc_5AACD1
		cmp	ebx, [ebp+var_14]
		jbe	short loc_5AACF1

loc_5AACD1:				; CODE XREF: ExTimedWaitForUnblockPushLock+16FACEj
		cmp	eax, [ebp+var_18]
		ja	short loc_5AACF1
		mov	eax, [ebp+var_4]
		jb	short loc_5AACDF
		cmp	ebx, eax
		jnb	short loc_5AACF1

loc_5AACDF:				; CODE XREF: ExTimedWaitForUnblockPushLock+16FADDj
		mov	ebx, eax
		sub	ebx, [ebp+var_10]
		xor	eax, eax
		push	2
		pop	ecx
		invlpg	bl
		mov	ebx, [ebp+var_10]
		jmp	short loc_5AACA1
; 

loc_5AACF1:				; CODE XREF: ExTimedWaitForUnblockPushLock+16FACCj
					; ExTimedWaitForUnblockPushLock+16FAD3j ...
		mov	ebx, [ebp+var_8]
		jmp	loc_43B262
; 

loc_5AACF9:				; CODE XREF: ExTimedWaitForUnblockPushLock+7Ej
		mov	ecx, [ebp+var_1C]
		mov	edx, ebx
		push	1
		call	ExpUnblockPushLock
		jmp	loc_43B280
; END OF FUNCTION CHUNK	FOR ExTimedWaitForUnblockPushLock
; 
; START	OF FUNCTION CHUNK FOR ExfAcquirePushLockSharedEx

loc_5AAD0A:				; CODE XREF: ExfAcquirePushLockSharedEx+FCj
		rdtsc
		mov	ecx, edx
		mov	[esp+60h+var_48], eax
		xor	edx, edx
		mov	[esp+60h+var_40], ecx
		add	[esp+60h+var_4C], eax
		adc	edx, ecx
		mov	[esp+60h+var_34], edx

loc_5AAD22:				; CODE XREF: ExfAcquirePushLockSharedEx+16FADDj
		lea	eax, [esp+60h+var_10]
		xor	ecx, ecx
		xor	edx, edx
		invlpg	dl
		mov	eax, [esp+60h+var_10]
		test	al, 2
		jz	loc_43B3D2
		mov	eax, [esp+60h+var_48]
		mov	ecx, [esp+60h+var_40]
		mov	[esp+60h+var_38], eax
		rdtsc
		mov	[esp+60h+var_48], eax
		mov	[esp+60h+var_40], edx
		cmp	edx, ecx
		jb	loc_43B3D2
		ja	short loc_5AAD63
		cmp	eax, [esp+60h+var_38]
		jbe	loc_43B3D2

loc_5AAD63:				; CODE XREF: ExfAcquirePushLockSharedEx+16FAA7j
		cmp	edx, [esp+60h+var_34]
		ja	loc_43B3D2
		mov	eax, [esp+60h+var_4C]
		jb	short loc_5AAD7D
		cmp	[esp+60h+var_48], eax
		jnb	loc_43B3D2

loc_5AAD7D:				; CODE XREF: ExfAcquirePushLockSharedEx+16FAC1j
		mov	ebx, eax
		mov	ecx, 2
		sub	ebx, [esp+60h+var_48]
		xor	eax, eax
		invlpg	bl
		jmp	short loc_5AAD22
; END OF FUNCTION CHUNK	FOR ExfAcquirePushLockSharedEx
; 

loc_5AAD8F:				; CODE XREF: .text:0043B7E0j
		xor	esi, esi
		jmp	loc_43B8BB
; 

loc_5AAD96:				; CODE XREF: .text:0043B819j
		cmp	byte ptr [esi+222h], 0
		lea	ecx, [esi+222h]
		jz	short loc_5AADB6
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al
		jmp	loc_43B81F
; 

loc_5AADB6:				; CODE XREF: .text:005AADA3j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	dword ptr [esp+1Ch], 0
		jz	short loc_5AADD5
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [esp+18h]

loc_5AADD5:				; CODE XREF: .text:0043B842j
					; .text:005AADC8j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_43B88D
; 

loc_5AADE2:				; CODE XREF: .text:0043B866j
					; .text:0043B879j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [esp+1Ch]
		jmp	loc_43B882
; 

loc_5AADF6:				; CODE XREF: .text:0043B906j
		mov	eax, [ebp+0Ch]
		mov	[esp+24h], eax
		cmp	dword ptr [esp+24h], 0
		jz	short loc_5AAE0B
		mov	eax, [esp+24h]
		lock inc dword ptr [eax]

loc_5AAE0B:				; CODE XREF: .text:005AAE02j
		mov	ecx, [edi+0Ch]
		mov	ecx, [ecx+28h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_43B9A5
; 
; START	OF FUNCTION CHUNK FOR KeSetEventBoostPriorityEx

loc_5AAE1B:				; CODE XREF: KeSetEventBoostPriorityEx+DCj
		cmp	al, 2
		jnz	loc_5AAEF5
		mov	byte ptr [esi+9], 5
		mov	edi, [esi+0Ch]
		and	dword ptr [esi], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_18], eax
		mov	eax, [eax+4]
		mov	[ebp+var_14], eax
		jz	short loc_5AAE63
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_14]
		mov	edx, esi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_5AAE63:				; CODE XREF: KeSetEventBoostPriorityEx+16F246j
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	ecx, [edi+8]
		cmp	[ecx], ecx
		jz	short loc_5AAEA1
		mov	eax, [edi+18h]
		cmp	eax, [edi+1Ch]
		jnb	short loc_5AAEA1
		mov	edx, [ebp+var_14]
		mov	eax, [edx+0A4h]
		cmp	eax, edi
		jnz	short loc_5AAE8F
		cmp	byte ptr [edx+18Bh], 0Fh
		jz	short loc_5AAEA1

loc_5AAE8F:				; CODE XREF: KeSetEventBoostPriorityEx+16F27Ej
		mov	ecx, [ebp+var_18]
		mov	edx, edi
		push	esi
		call	KiWakeQueueWaiter
		test	al, al
		jnz	short loc_5AAED7
		lea	ecx, [edi+8]

loc_5AAEA1:				; CODE XREF: KeSetEventBoostPriorityEx+16F269j
					; KeSetEventBoostPriorityEx+16F271j ...
		mov	eax, [edi+4]
		mov	[ebp+var_14], eax
		inc	eax
		mov	[edi+4], eax
		lea	eax, [edi+10h]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_43BCB1
		cmp	[ebp+var_14], 0
		mov	[esi], eax
		mov	[esi+4], edx
		mov	[edx], esi
		mov	[eax+4], esi
		jnz	short loc_5AAED7
		cmp	[ecx], ecx
		jz	short loc_5AAED7
		mov	ecx, [ebp+var_18]
		mov	edx, edi
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)

loc_5AAED7:				; CODE XREF: KeSetEventBoostPriorityEx+16F296j
					; KeSetEventBoostPriorityEx+16F2C1j ...
		mov	ecx, [ebp+var_10]
		lock and [edi],	ecx
		mov	edi, [ebp+var_20]
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+var_8]
		sub	dword ptr [edi+4], 1
		jz	loc_43BC51
		jmp	loc_43BD4F
; 

loc_5AAEF5:				; CODE XREF: KeSetEventBoostPriorityEx+16F217j
		push	0
		mov	edx, esi
		mov	esi, [ebp+var_C]
		push	100h
		mov	ecx, esi
		call	KiTryUnwaitThread
		test	al, al
		mov	eax, [ebp+var_8]
		jz	loc_43BD4F
		dec	eax
		mov	[ebp+var_8], eax
		jmp	loc_43BD4F
; END OF FUNCTION CHUNK	FOR KeSetEventBoostPriorityEx
; 
; START	OF FUNCTION CHUNK FOR KiAbApplyWakeupBoost

loc_5AAF1C:				; CODE XREF: KiAbApplyWakeupBoost+AFj
		push	0
		push	1
		push	ecx
		push	esi
		push	157h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AAF2C:				; CODE XREF: KiAbApplyWakeupBoost+103j
		cmp	byte ptr [ebp+var_4], 20h
		jz	loc_43C0E1
		mov	edx, [edi+10h]
		mov	ecx, esi
		push	0
		push	1
		push	0
		push	0
		push	[ebp+var_4]
		and	edx, 0FFFFFFFCh
		push	0
		push	0
		push	[ebp+var_C]
		or	edx, 80000000h
		call	_EtwTraceAutoBoostSetFloor@40 ;	EtwTraceAutoBoostSetFloor(x,x,x,x,x,x,x,x,x,x)
		jmp	loc_43C0E1
; END OF FUNCTION CHUNK	FOR KiAbApplyWakeupBoost
; 
; START	OF FUNCTION CHUNK FOR KiAbFindWakeupLockEntry

loc_5AAF60:				; CODE XREF: KiAbFindWakeupLockEntry+3Bj
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esp+28h+var_10], eax
		jmp	loc_43C164
; END OF FUNCTION CHUNK	FOR KiAbFindWakeupLockEntry

;  S U B	R O U T	I N E 


sub_5AAF7B	proc near		; DATA XREF: .text:006A08E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5AAF7B	endp


;  S U B	R O U T	I N E 


sub_5AAF89	proc near		; DATA XREF: .text:006A08E8o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-2Ch]
		mov	edi, [eax+2Ch]
		mov	esi, [ebp-30h]
		push	esi
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		test	al, al
		jnz	short loc_5AAFA4
		mov	esi, 0C00000E8h

loc_5AAFA4:				; CODE XREF: sub_5AAF89+14j
		mov	[edi], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	al, al
		jmp	loc_43C394
sub_5AAF89	endp

; 
; START	OF FUNCTION CHUNK FOR CcAsyncReadPrefetch

loc_5AAFB4:				; CODE XREF: CcAsyncReadPrefetch+D6j
					; CcAsyncReadPrefetch+DFj
		mov	eax, [esi+8]
		sub	eax, [ebp+var_48]
		mov	[ebp+var_20], eax
		jmp	loc_43C2DF
; 

loc_5AAFC2:				; CODE XREF: CcAsyncReadPrefetch+14Cj
		mov	eax, ds:_CcNumberAsyncReadCacheHits
		mov	ecx, ds:dword_6FDF04
		add	eax, 1
		adc	ecx, edx
		mov	ds:_CcNumberAsyncReadCacheHits,	eax
		mov	ds:dword_6FDF04, ecx
		jmp	loc_43C367
; 

loc_5AAFE2:				; CODE XREF: CcAsyncReadPrefetch+177j
		cmp	[ebp+var_1C], 0
		jz	loc_43C377
		test	esi, esi
		jz	loc_43C386
		test	dword ptr [esi], 20000h
		jnz	loc_43C377
		push	[ebp+var_3C]
		push	ebx
		lea	eax, [ebp+var_48]
		push	eax
		push	edi
		call	CcScheduleReadAheadEx
		jmp	loc_43C377
; END OF FUNCTION CHUNK	FOR CcAsyncReadPrefetch
; [00000005 BYTES: COLLAPSED FUNCTION j_nullsub_1. PRESS KEYPAD	"+" TO EXPAND]
; 
; START	OF FUNCTION CHUNK FOR CcAsyncCopyRead

loc_5AB018:				; CODE XREF: CcAsyncCopyRead+57j
		push	0C00000E8h
		jmp	short loc_5AB02D
; 

loc_5AB01F:				; CODE XREF: CcAsyncCopyRead+9Bj
		push	73416343h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	[ebp+arg_10]

loc_5AB02D:				; CODE XREF: CcAsyncCopyRead+16EB43j
					; CcAsyncCopyRead+16EB7Cj
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5AB032:				; CODE XREF: CcAsyncCopyRead+67j
		mov	ecx, [ebp+var_C]
		test	dword ptr [ecx], 20000h
		jz	loc_43C547
		push	edi
		push	eax
		push	ebx
		push	[ebp+arg_0]
		call	CcScheduleReadAheadEx
		jmp	loc_43C547
; 

loc_5AB051:				; CODE XREF: CcAsyncCopyRead+82j
		push	0C000009Ah
		jmp	short loc_5AB02D
; 

loc_5AB058:				; CODE XREF: CcAsyncCopyRead+A3j
		mov	edi, large fs:124h
		jmp	loc_43C583
; 

loc_5AB064:				; CODE XREF: CcAsyncCopyRead+ECj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_43C5EE
; 

loc_5AB074:				; CODE XREF: CcAsyncCopyRead+10Ej
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_5AB07C:				; CODE XREF: CcAsyncCopyRead+F7j
		xor	ecx, ecx
		mov	[ebp+var_18], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_43C5EE
; 

loc_5AB091:				; CODE XREF: CcAsyncCopyRead+19Ej
		push	0
		push	0
		push	0C0000420h
		push	42Ah
		jmp	short loc_5AB0AF
; 

loc_5AB0A1:				; CODE XREF: CcAsyncCopyRead+44j
					; CcAsyncCopyRead+4Dj
		push	0
		push	0
		push	0C0000420h
		push	393h

loc_5AB0AF:				; CODE XREF: CcAsyncCopyRead+16EBC5j
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5AB0B7:				; CODE XREF: CcPostWorkQueueAsyncRead+72j
		mov	eax, [edi+248h]
		cmp	dword ptr [eax+esi*4], 1
		jbe	loc_43C714
		mov	bl, 1
		jmp	loc_43C729
; END OF FUNCTION CHUNK	FOR CcAsyncCopyRead
; 
; START	OF FUNCTION CHUNK FOR CcPostWorkQueueAsyncRead

loc_5AB0CE:				; CODE XREF: CcPostWorkQueueAsyncRead+AEj
		test	ebx, ebx
		jz	loc_43C758
		mov	eax, [edi+25Ch]
		imul	ecx, esi, 65h
		add	ecx, [ebx+18h]
		and	dword ptr [eax+ecx*4], 0
		jmp	loc_43C750
; 

loc_5AB0EB:				; CODE XREF: CcPostWorkQueueAsyncRead+D3j
					; CcPostWorkQueueAsyncRead+E8j
		lea	ecx, [edi+260h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+var_10]
		add	edx, [edi+254h]
		cmp	[edx], edx
		jnz	short loc_5AB119
		mov	eax, [edi+24Ch]
		mov	ecx, [ebp+var_8]
		mov	eax, [eax+ecx*4]
		cmp	eax, ds:_CcMaxNumberCompleteAsyncReadExWorkItems
		jb	short loc_5AB132

loc_5AB119:				; CODE XREF: CcPostWorkQueueAsyncRead+16EA67j
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	loc_43C83B
		mov	[esi], edx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[edx+4], esi
		mov	[ebp+var_1], 1

loc_5AB132:				; CODE XREF: CcPostWorkQueueAsyncRead+16EA7Bj
		xor	edx, edx
		lea	ecx, [edi+260h]
		call	ExReleasePushLockEx
		jmp	loc_43C78A
; 

loc_5AB144:				; CODE XREF: CcPostWorkQueueAsyncRead+109j
		mov	eax, [esi+2Ch]
		mov	ecx, esi
		mov	dword ptr [eax], 0C000009Ah
		call	CcCompleteAsyncRead
		mov	ecx, esi
		call	_CcFreeWorkQueueEntry@4	; CcFreeWorkQueueEntry(x)
		jmp	loc_43C758
; 

loc_5AB160:				; CODE XREF: CcPostWorkQueueAsyncRead+B6j
		and	dword ptr [ebx], 0
		xor	edx, edx
		push	dword ptr [edi+4]
		mov	ecx, ebx
		push	0FFFFFFFFh
		call	ExQueueWorkItemToPartition
		jmp	loc_43C758
; END OF FUNCTION CHUNK	FOR CcPostWorkQueueAsyncRead
; 
; START	OF FUNCTION CHUNK FOR CcShouldSpinAsyncReadWorkerThread

loc_5AB176:				; CODE XREF: CcShouldSpinAsyncReadWorkerThread+46j
					; CcShouldSpinAsyncReadWorkerThread+4Fj
		inc	eax
		cmp	eax, [ebp+var_8]
		jb	loc_43C888
		mov	ecx, [ebp+var_4]

loc_5AB183:				; CODE XREF: CcShouldSpinAsyncReadWorkerThread+3Aj
		test	esi, esi
		jz	loc_43C89F
		and	dword ptr [esi], 0
		lea	ecx, [ecx+260h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_5AB1DE
		cmp	[eax+4], edi
		jnz	short loc_5AB1D9
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_5AB1D9
		mov	[edi], ecx
		mov	[ecx+4], edi
		mov	edi, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		mov	[esi], eax
		mov	eax, [edi+248h]
		inc	dword ptr [eax+ecx*4]
		mov	eax, ebx
		lock xadd [edi+28Ch], eax
		inc	eax
		cmp	eax, ebx
		jg	short loc_5AB1E1
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_5AB1E1
; 

loc_5AB1D9:				; CODE XREF: CcShouldSpinAsyncReadWorkerThread+16E95Cj
					; CcShouldSpinAsyncReadWorkerThread+16E963j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5AB1DE:				; CODE XREF: CcShouldSpinAsyncReadWorkerThread+16E957j
		mov	edi, [ebp+var_4]

loc_5AB1E1:				; CODE XREF: CcShouldSpinAsyncReadWorkerThread+16E988j
					; CcShouldSpinAsyncReadWorkerThread+16E98Fj
		xor	edx, edx
		lea	ecx, [edi+260h]
		call	ExReleasePushLockEx
		cmp	dword ptr [esi], 0
		jnz	loc_43C89F
		lock inc ds:_CcDbgFoundAsyncReadThreadListEmpty
		jmp	loc_43C89F
; END OF FUNCTION CHUNK	FOR CcShouldSpinAsyncReadWorkerThread
; 
; START	OF FUNCTION CHUNK FOR PopHandleSystemRequiredPowerRequestsUpdate

loc_5AB203:				; CODE XREF: PopHandleSystemRequiredPowerRequestsUpdate+52j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_43CAB4
; 

loc_5AB213:				; CODE XREF: PopHandleSystemRequiredPowerRequestsUpdate+74j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5AB21B:				; CODE XREF: PopHandleSystemRequiredPowerRequestsUpdate+5Dj
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	edi
		jmp	loc_43CAB4
; END OF FUNCTION CHUNK	FOR PopHandleSystemRequiredPowerRequestsUpdate
; 
; START	OF FUNCTION CHUNK FOR PopCheckForWork

loc_5AB22D:				; CODE XREF: PopCheckForWork+61j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43CB58
; END OF FUNCTION CHUNK	FOR PopCheckForWork
; 
; START	OF FUNCTION CHUNK FOR IoReportTargetDeviceChangeAsynchronous

loc_5AB23C:				; CODE XREF: IoReportTargetDeviceChangeAsynchronous+9Fj
		sub	eax, edx
		cmp	ecx, eax
		jg	loc_43CC35
		jmp	loc_43CC0D
; 

loc_5AB24B:				; CODE XREF: IoReportTargetDeviceChangeAsynchronous+ADj
		movzx	eax, word ptr [ebx+2]
		push	38706E50h
		add	eax, 20h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_5AB2B7
		mov	edx, 4E706E50h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		lea	ecx, [edi+20h]
		mov	[edi+10h], esi
		mov	[edi+1Ch], ecx
		movzx	eax, word ptr [ebx+2]
		push	eax		; size_t
		push	ebx		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [ebp+arg_8]
		add	esp, 0Ch
		and	dword ptr [edi], 0
		mov	[edi+14h], eax
		mov	eax, [ebp+arg_C]
		push	1
		push	edi
		mov	[edi+18h], eax
		mov	dword ptr [edi+8], offset _PnpReportTargetDeviceChangeAsyncWorker@4 ; PnpReportTargetDeviceChangeAsyncWorker(x)
		mov	[edi+0Ch], edi
		call	ExQueueWorkItem
		mov	eax, 103h
		jmp	loc_43CC2D
; 

loc_5AB2B7:				; CODE XREF: IoReportTargetDeviceChangeAsynchronous+16E6FEj
		mov	eax, 0C000009Ah
		jmp	loc_43CC2D
; 

loc_5AB2C1:				; CODE XREF: IoReportTargetDeviceChangeAsynchronous+21j
					; IoReportTargetDeviceChangeAsynchronous+31j
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_5AB2FE
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_5AB2FE
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_5AB2FE:				; CODE XREF: IoReportTargetDeviceChangeAsynchronous+16E769j
					; IoReportTargetDeviceChangeAsynchronous+16E77Dj
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_5AB39C
		mov	edx, 1F4h
		lea	edi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[edi], bx
		jz	short loc_5AB336
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock

loc_5AB336:				; CODE XREF: IoReportTargetDeviceChangeAsynchronous+16E7B7j
		mov	edx, [esi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_5AB36A
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [esi+0B0h]

loc_5AB36A:				; CODE XREF: IoReportTargetDeviceChangeAsynchronous+16E7DDj
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_5AB39C
		lea	ecx, [eax+1Ch]
		cmp	[ecx], bx
		jz	short loc_5AB39C
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_5AB39C:				; CODE XREF: IoReportTargetDeviceChangeAsynchronous+10j
					; IoReportTargetDeviceChangeAsynchronous+16E7A1j ...
		push	ebx
		push	ebx
		push	esi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5AB3AC:				; CODE XREF: ExDeleteTimer+18j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_5AB3C3
		push	0
		push	eax
		push	1
		push	9
		push	0C7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AB3C3:				; CODE XREF: IoReportTargetDeviceChangeAsynchronous+16E848j
		mov	eax, [ecx+8]
		mov	[esi+58h], eax
		mov	eax, [ecx+0Ch]
		mov	[esi+5Ch], eax
		jmp	loc_43CD10
; END OF FUNCTION CHUNK	FOR IoReportTargetDeviceChangeAsynchronous
; 
; START	OF FUNCTION CHUNK FOR ExSetTimer

loc_5AB3D4:				; CODE XREF: ExSetTimer+18j
					; ExSetTimer+20j
		mov	edx, [ebp+arg_0]
		test	byte ptr [edx+51h], 4
		jz	loc_43CD5F
		push	0
		lea	eax, [esp+24h+var_10]
		mov	[esp+24h+var_10], edi
		push	eax
		mov	[esp+28h+var_C], ebx
		push	2
		jmp	short loc_5AB3F9
; 

loc_5AB3F4:				; CODE XREF: ExSetTimer+51j
		push	0
		push	esi
		push	1

loc_5AB3F9:				; CODE XREF: ExSetTimer+16E6BCj
					; ExSetTimer+16E6E0j
		push	9
		push	0C7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AB405:				; CODE XREF: ExSetTimer+33j
					; ExSetTimer+3Bj
		mov	[esp+34h+var_1C], eax
		lea	eax, [esp+34h+var_1C]
		push	0
		push	eax
		mov	[esp+3Ch+var_18], ecx
		push	4
		jmp	short loc_5AB3F9
; END OF FUNCTION CHUNK	FOR ExSetTimer
; 
; START	OF FUNCTION CHUNK FOR ExpCheckForFreedEnhancedTimer

loc_5AB418:				; CODE XREF: ExpCheckForFreedEnhancedTimer+9j
		mov	eax, large fs:124h
		push	0
		movsx	eax, byte ptr [eax+15Ah]
		push	eax
		push	1
		push	ecx
		push	0C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5AB436:				; CODE XREF: PnpAllocateWatchdog+60j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		jmp	loc_43CE24
; END OF FUNCTION CHUNK	FOR ExpCheckForFreedEnhancedTimer
; 
; START	OF FUNCTION CHUNK FOR ExAllocateTimer

loc_5AB444:				; CODE XREF: ExAllocateTimer+9j
		push	0
		push	dword ptr [ebp+arg_8]
		push	0
		push	9
		push	0C7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5AB458:				; CODE XREF: ExAllocateTimerInternal2+1Bj
		mov	eax, edi
		and	eax, 2
		push	0
		pop	ecx
		setnz	cl
		mov	[ebp+var_4], eax
		xor	eax, eax
		cmp	dword ptr [ebp+arg_8], eax
		setnz	al
		cmp	ecx, eax
		jz	loc_43CE78

loc_5AB476:				; CODE XREF: ExAllocateTimerInternal2+15j
		xor	ebx, ebx
		push	ebx
		push	edi
		push	ebx
		push	9
		push	0C7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5AB488:				; CODE XREF: PopSetWatchdog+17Ej
		xor	eax, eax
		jmp	loc_43D013
; END OF FUNCTION CHUNK	FOR ExAllocateTimer
; 
; START	OF FUNCTION CHUNK FOR PopSetWatchdog

loc_5AB48F:				; CODE XREF: PopSetWatchdog+4Cj
		push	5
		jmp	loc_43D17F
; 

loc_5AB496:				; CODE XREF: PopSetWatchdog+65j
		mov	eax, [esi+90h]
		cmp	eax, 20h
		jbe	loc_43CFBB
		mov	[ebp+var_2], 1
		mov	[ebp+var_18], eax
		call	KeQueryInterruptTime
		sub	eax, [esi+0B0h]
		push	0
		sbb	edx, [esi+0B4h]
		push	0Ah
		push	edx
		push	eax
		call	__aulldiv
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], edx
		jmp	loc_43CFBB
; 

loc_5AB4D3:				; CODE XREF: PopSetWatchdog+87j
		test	ds:byte_70EFC6,	1
		jz	short loc_5AB4E8
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5AB4ED
; 

loc_5AB4E8:				; CODE XREF: PopSetWatchdog+16E58Aj
		xor	eax, eax
		lock and [ebx],	eax

loc_5AB4ED:				; CODE XREF: PopSetWatchdog+16E596j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esi+10h]
		push	eax
		call	KeWaitForSingleObject
		call	edi
		mov	ecx, ebx
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		jmp	loc_43CFDD
; 

loc_5AB516:				; CODE XREF: PopSetWatchdog+9Ej
		mov	edx, [ebp+4]
		mov	ecx, offset _PopWatchdogLock
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43CFFE
; 

loc_5AB528:				; CODE XREF: PopSetWatchdog+BBj
		push	[ebp+var_10]
		mov	ecx, [ebp+var_18]
		push	[ebp+var_14]
		call	_PopCacheDisplayOnPhaseDuration@12 ; PopCacheDisplayOnPhaseDuration(x,x,x)
		jmp	loc_43D011
; END OF FUNCTION CHUNK	FOR PopSetWatchdog
; 
; START	OF FUNCTION CHUNK FOR ExNotifyWithProcessing

loc_5AB53B:				; CODE XREF: ExNotifyWithProcessing+40j
		cmp	esi, edi
		jz	loc_43D26B
		mov	ebx, [ebp+var_8]

loc_5AB546:				; CODE XREF: ExNotifyWithProcessing+16E3D3j
		push	[ebp+arg_4]
		mov	edx, [esi+10h]
		xor	ecx, ecx
		push	[ebp+arg_0]
		inc	ecx
		push	ebx
		call	_ExpCallProcessing@20 ;	ExpCallProcessing(x,x,x,x,x)
		push	[ebp+arg_0]
		push	ebx
		push	dword ptr [esi+10h]
		call	dword ptr [esi+0Ch]
		push	[ebp+arg_4]
		mov	edx, [esi+10h]
		xor	ecx, ecx
		push	[ebp+arg_0]
		push	ebx
		call	_ExpCallProcessing@20 ;	ExpCallProcessing(x,x,x,x,x)
		mov	esi, [esi]
		cmp	esi, edi
		jnz	short loc_5AB546
		mov	ebx, [ebp+var_C]
		jmp	loc_43D26B
; 

loc_5AB581:				; CODE XREF: ExNotifyWithProcessing+58j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	al, [ebp+var_1]
		jmp	loc_43D207
; 

loc_5AB593:				; CODE XREF: ExNotifyWithProcessing+B8j
		test	eax, eax
		jnz	loc_43D262
		push	eax
		push	eax
		push	offset _ExpCallbackEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_43D262
; 

loc_5AB5AC:				; CODE XREF: ExNotifyWithProcessing+CEj
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43D27D
; END OF FUNCTION CHUNK	FOR ExNotifyWithProcessing
; 
; START	OF FUNCTION CHUNK FOR PopIncrementPowerSettingPendingUpdates

loc_5AB5BB:				; CODE XREF: PopIncrementPowerSettingPendingUpdates+50j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43D3F9
; END OF FUNCTION CHUNK	FOR PopIncrementPowerSettingPendingUpdates
; 
; START	OF FUNCTION CHUNK FOR PopDecrementPowerSettingPendingUpdates

loc_5AB5CA:				; CODE XREF: PopDecrementPowerSettingPendingUpdates+4Dj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43D464
; END OF FUNCTION CHUNK	FOR PopDecrementPowerSettingPendingUpdates
; 
; START	OF FUNCTION CHUNK FOR PopDeepSleepSetDisengageReason

loc_5AB5D9:				; CODE XREF: PopDeepSleepSetDisengageReason+44j
		cmp	ds:_PopIsForceIdleSet, 0
		jz	short loc_5AB5EE
		call	_KeClearForceIdle@0 ; KeClearForceIdle()
		mov	ds:_PopIsForceIdleSet, 0

loc_5AB5EE:				; CODE XREF: PopDeepSleepSetDisengageReason+16E158j
		mov	al, ds:_PopDeepSleepEvaluateWorkItemQueued
		test	al, al
		jnz	loc_43D4D2
		push	1
		push	offset _PopDeepSleepEvaluateWorkItem
		mov	ds:_PopDeepSleepEvaluateWorkItemQueued,	1
		call	ExQueueWorkItem
		jmp	loc_43D4D2
; 

loc_5AB613:				; CODE XREF: PopDeepSleepSetDisengageReason+56j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43D4E9
; END OF FUNCTION CHUNK	FOR PopDeepSleepSetDisengageReason
; 
; START	OF FUNCTION CHUNK FOR PopDeepSleepClearDisengageReason

loc_5AB620:				; CODE XREF: PopDeepSleepClearDisengageReason+4Dj
		test	byte ptr ds:_PopAggressiveStandbyAppliedActions, 2
		jz	short loc_5AB635
		call	_KeSetForceIdle@0 ; KeSetForceIdle()
		mov	ds:_PopIsForceIdleSet, 1

loc_5AB635:				; CODE XREF: PopDeepSleepClearDisengageReason+16E12Fj
		mov	al, ds:_PopDeepSleepEvaluateWorkItemQueued
		test	al, al
		jnz	loc_43D54B
		push	1
		push	offset _PopDeepSleepEvaluateWorkItem
		mov	ds:_PopDeepSleepEvaluateWorkItemQueued,	1
		call	ExQueueWorkItem
		jmp	loc_43D54B
; 

loc_5AB65A:				; CODE XREF: PopDeepSleepClearDisengageReason+5Fj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43D562
; END OF FUNCTION CHUNK	FOR PopDeepSleepClearDisengageReason
; 
; START	OF FUNCTION CHUNK FOR PopDeepSleepResiliencyPhaseAccountingUpdate

loc_5AB667:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+34j
		push	esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		cmp	[ebp+var_1], 0
		lea	ecx, dword_6C2400[edi*8]
		jnz	short loc_5AB692
		sub	eax, [ecx]
		sbb	edx, [ecx+4]
		add	ds:dword_6C2450[edi*8],	eax
		mov	eax, esi
		adc	ds:dword_6C2454[edi*8],	edx
		mov	edx, esi

loc_5AB692:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+16E109j
		mov	[ecx], eax
		mov	eax, ebx
		and	eax, 3
		mov	[ecx+4], edx
		cmp	[ebp+var_1], 0
		jnz	short loc_5AB6DE
		test	eax, eax
		jz	short loc_5AB6BD
		mov	eax, ds:_PopDeepSleepDisengageReasonMask
		test	al, 3
		jnz	short loc_5AB6D0
		push	40h
		pop	esi
		test	al, 40h
		jnz	short loc_5AB6D0
		mov	esi, 3FCh
		jmp	short loc_5AB6D0
; 

loc_5AB6BD:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+16E134j
		test	bl, 40h
		jz	short loc_5AB6D0
		test	byte ptr ds:_PopDeepSleepDisengageReasonMask, 40h
		jnz	short loc_5AB6D0
		mov	esi, 3BCh

loc_5AB6D0:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+16E13Dj
					; PopDeepSleepResiliencyPhaseAccountingUpdate+16E144j ...
		mov	dl, 1
		mov	ecx, esi
		call	_PopDeepSleepResiliencyPhaseAccountingBegin@8 ;	PopDeepSleepResiliencyPhaseAccountingBegin(x,x)
		jmp	loc_43D5AA
; 

loc_5AB6DE:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+16E130j
		test	eax, eax
		jz	short loc_5AB6FA
		mov	ecx, [ebp+var_8]
		test	cl, 40h
		jz	short loc_5AB6ED
		push	40h
		pop	esi

loc_5AB6ED:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+16E178j
		mov	eax, 3BCh
		test	ecx, eax
		jz	short loc_5AB70B
		or	esi, eax
		jmp	short loc_5AB70B
; 

loc_5AB6FA:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+16E170j
		test	bl, 40h
		jz	short loc_5AB70B
		mov	eax, 3BCh
		test	[ebp+var_8], eax
		jz	short loc_5AB70B
		mov	esi, eax

loc_5AB70B:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+16E184j
					; PopDeepSleepResiliencyPhaseAccountingUpdate+16E188j ...
		mov	dl, 1
		mov	ecx, esi
		call	_PopDeepSleepResiliencyPhaseAccountingEnd@8 ; PopDeepSleepResiliencyPhaseAccountingEnd(x,x)
		jmp	loc_43D5AA
; 

loc_5AB719:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+46j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43D5C1
; END OF FUNCTION CHUNK	FOR PopDeepSleepResiliencyPhaseAccountingUpdate
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceClearDeepSleepConstraint

loc_5AB726:				; CODE XREF: PopDiagTraceClearDeepSleepConstraint+3Cj
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_43D612
; END OF FUNCTION CHUNK	FOR PopDiagTraceClearDeepSleepConstraint
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceSetDeepSleepConstraint

loc_5AB74F:				; CODE XREF: PopDiagTraceSetDeepSleepConstraint+3Cj
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_43D664
; END OF FUNCTION CHUNK	FOR PopDiagTraceSetDeepSleepConstraint
; 
; START	OF FUNCTION CHUNK FOR PpmInfoApplyMinMaxConstraint

loc_5AB778:				; CODE XREF: PpmInfoApplyMinMaxConstraint+Dj
		test	byte ptr [edx+19h], 10h
		mov	ecx, eax
		jnz	loc_43D687
		mov	ecx, esi
		jmp	loc_43D687
; END OF FUNCTION CHUNK	FOR PpmInfoApplyMinMaxConstraint
; 
; START	OF FUNCTION CHUNK FOR PoFxSendSystemLatencyUpdate

loc_5AB78B:				; CODE XREF: PoFxSendSystemLatencyUpdate+13j
		cmp	ds:_PopDeepSleepIsEnabled, 0
		jnz	short loc_5AB79D
		cmp	ds:_PopPdcIdleResiliency, 0
		jnz	short loc_5AB7AA

loc_5AB79D:				; CODE XREF: PoFxSendSystemLatencyUpdate+16E0D8j
		mov	al, ds:_PopDeepSleepIsEngaged
		test	al, al
		jz	loc_43D6D3

loc_5AB7AA:				; CODE XREF: PoFxSendSystemLatencyUpdate+16E0E1j
		mov	esi, ds:dword_7054EC
		jmp	loc_43D6DA
; 

loc_5AB7B5:				; CODE XREF: PoFxSendSystemLatencyUpdate+30j
		mov	eax, ds:_PopFxSystemLatencyLimit
		mov	bl, 1
		cmp	esi, eax
		jbe	loc_43D6F2
		and	[esp+10h+var_4], 0
		lea	eax, [esp+10h+var_4]
		mov	ds:_PopFxSystemLatencyLimit, esi
		xor	ecx, ecx
		lock or	[eax], ecx
		jmp	loc_43D6F2
; 

loc_5AB7DD:				; CODE XREF: PoFxSendSystemLatencyUpdate+6Ej
		mov	cl, 1
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)
		jmp	loc_43D718
; END OF FUNCTION CHUNK	FOR PoFxSendSystemLatencyUpdate
; 
; START	OF FUNCTION CHUNK FOR PoFxSystemLatencyNotify

loc_5AB7E9:				; CODE XREF: PoFxSystemLatencyNotify+6Cj
					; PoFxSystemLatencyNotify+16E06Cj
		mov	eax, [esi+40h]
		test	eax, eax
		jz	short loc_5AB803
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_8], ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	10h
		mov	[ebp+var_4], edi
		call	eax
		jmp	short loc_5AB805
; 

loc_5AB803:				; CODE XREF: PoFxSystemLatencyNotify+16E036j
		xor	al, al

loc_5AB805:				; CODE XREF: PoFxSystemLatencyNotify+16E049j
		test	al, al
		jz	short loc_5AB81C
		test	bl, bl
		jnz	short loc_5AB81C
		mov	eax, [esi+10h]
		and	eax, 80000000h
		or	eax, 0
		jnz	short loc_5AB81C
		inc	bl

loc_5AB81C:				; CODE XREF: PoFxSystemLatencyNotify+16E04Fj
					; PoFxSystemLatencyNotify+16E053j ...
		mov	esi, [esi]
		cmp	esi, offset _PopFxPluginList
		jnz	short loc_5AB7E9
		mov	edi, offset _PopFxPluginLock
		jmp	loc_43D7EE
; END OF FUNCTION CHUNK	FOR PoFxSystemLatencyNotify
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceSystemLatencyUpdate

loc_5AB830:				; CODE XREF: PopDiagTraceSystemLatencyUpdate+41j
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		mov	[ebp+var_10], ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_8], ecx
		push	eax
		push	1
		push	ecx
		test	bl, bl
		jz	short loc_5AB857
		push	offset _POP_ETW_EVENT_SYSTEM_LATENCY_RUNDOWN
		jmp	short loc_5AB85C
; 

loc_5AB857:				; CODE XREF: PopDiagTraceSystemLatencyUpdate+16E024j
		push	offset _POP_ETW_EVENT_SYSTEM_LATENCY_UPDATE

loc_5AB85C:				; CODE XREF: PopDiagTraceSystemLatencyUpdate+16E02Bj
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_43D871
; END OF FUNCTION CHUNK	FOR PopDiagTraceSystemLatencyUpdate
; 
; START	OF FUNCTION CHUNK FOR PoGetPerfStateAndParkingInfo

loc_5AB868:				; CODE XREF: PoGetPerfStateAndParkingInfo+6Fj
		mov	esi, [edi+3C0h]
		push	64h
		mov	[esp+34h+var_24], esi
		pop	eax
		jmp	loc_43DCD4
; 

loc_5AB87A:				; CODE XREF: PoGetPerfStateAndParkingInfo+E2j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	esi
		push	[esp+34h+var_20]
		mov	bl, al
		push	edi
		call	_PpmGetThroughputInfoCallback@12 ; PpmGetThroughputInfoCallback(x,x,x)
		mov	cl, bl
		mov	esi, eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jns	loc_43DD04
		push	[esp+30h+var_14]
		and	[esp+34h+var_C], 0
		xor	eax, eax
		and	[esp+34h+var_8], 0
		inc	eax
		mov	word ptr [esp+34h+var_10], ax
		mov	word ptr [esp+34h+var_10+2], ax
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	ecx, [esp+30h+var_8]
		mov	edx, offset _PpmGetThroughputInfoCallback@12 ; PpmGetThroughputInfoCallback(x,x,x)
		bts	ecx, eax
		mov	eax, [esp+30h+var_24]
		push	eax
		push	[esp+34h+var_20]
		mov	[esp+38h+var_8], ecx
		lea	ecx, [esp+38h+var_10]
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		jmp	loc_43DD04
; END OF FUNCTION CHUNK	FOR PoGetPerfStateAndParkingInfo
; 
; START	OF FUNCTION CHUNK FOR PpmPerfGetCurrentState

loc_5AB8E8:				; CODE XREF: PpmPerfGetCurrentState+17j
					; PpmPerfGetCurrentState+1Fj
		test	edx, edx
		jz	short loc_5AB8F4
		mov	eax, [ecx+3C0h]
		mov	[edx], eax

loc_5AB8F4:				; CODE XREF: PpmPerfGetCurrentState+16DBCCj
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_5AB903
		mov	eax, [ecx+3C0h]
		mov	[edx], eax

loc_5AB903:				; CODE XREF: PpmPerfGetCurrentState+16DBDBj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_5AB90D
		and	dword ptr [eax], 0

loc_5AB90D:				; CODE XREF: PpmPerfGetCurrentState+16DBEAj
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	loc_43DD8A
		and	dword ptr [eax], 0
		jmp	loc_43DD8A
; END OF FUNCTION CHUNK	FOR PpmPerfGetCurrentState
; 
; START	OF FUNCTION CHUNK FOR RawCompletionRoutine

loc_5AB920:				; CODE XREF: RawCompletionRoutine+14j
					; RawCompletionRoutine+1Cj
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jz	loc_43DE22
		test	byte ptr [ecx+2Ch], 2
		jz	loc_43DE22
		cmp	[edx+18h], ebx
		jl	loc_43DE22
		mov	eax, [edx+1Ch]
		add	[ecx+38h], eax
		adc	[ecx+3Ch], ebx
		jmp	loc_43DE22
; 

loc_5AB94C:				; CODE XREF: RawCompletionRoutine+55j
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		call	RawInitiateDeleteVolume
		test	al, al
		jnz	loc_43DE39
		jmp	loc_43DE5B
; END OF FUNCTION CHUNK	FOR RawCompletionRoutine
; 

loc_5AB963:				; CODE XREF: .text:0043DF50j
		push	58h
		pop	eax
		push	eax
		push	ebx
		push	dword ptr [esi+90h]
		call	_memset
		mov	eax, [esi+90h]
		add	esp, 0Ch
		push	0Ah
		pop	ecx
		mov	[eax], cx
		mov	eax, [esi+90h]
		push	58h
		pop	ecx
		push	8
		mov	[eax+2], cx
		mov	ecx, [esi+90h]
		mov	eax, [esi+8Ch]
		pop	edx
		push	dword ptr [ebp-4]
		mov	eax, [eax+0Ch]
		mov	[ecx+0Ch], eax
		mov	eax, [esi+90h]
		mov	[eax+8], ebx
		mov	eax, [esi+8Ch]
		mov	cx, [eax+4]
		mov	eax, [esi+90h]
		and	cx, dx
		mov	[eax+4], cx
		mov	eax, [esi+8Ch]
		mov	ecx, [eax+0Ch]
		mov	eax, [esi+90h]
		mov	[ecx+24h], eax
		mov	eax, [esi+8Ch]
		mov	[esi+90h], ebx
		or	word ptr [eax+4], 4
		or	[esi+48h], edx
		call	IoReleaseVpbSpinLock
		mov	ecx, offset _RawGlobalLock
		call	ExAcquireFastMutex
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	loc_43DFBA
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	loc_43DFBA
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	ecx, offset _RawDismountedQueue
		or	dword ptr [esi+48h], 6
		mov	eax, ds:dword_6BECF4
		cmp	[eax], ecx
		jnz	loc_43DFBA
		mov	[edi], ecx
		mov	ecx, offset _RawGlobalLock
		mov	[edi+4], eax
		mov	[eax], edi
		mov	ds:dword_6BECF4, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_43DF35
; 

loc_5ABA49:				; CODE XREF: .text:0043DF07j
		cmp	[esi+50h], ebx
		jnz	loc_43DF35
		push	9
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[ebp-4], al
		mov	eax, [esi+8Ch]
		push	dword ptr [ebp-4]
		cmp	[eax+14h], ebx
		jnz	loc_43DF30
		call	IoReleaseVpbSpinLock
		mov	ebx, offset _RawGlobalLock
		mov	ecx, ebx
		call	ExAcquireFastMutex
		lea	eax, [esi+80h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_43DFBA
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_43DFBA
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_43DF9A
; 
; START	OF FUNCTION CHUNK FOR IoReleaseVpbSpinLock

loc_5ABAAD:				; CODE XREF: IoReleaseVpbSpinLock+19j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_43DFFC
; END OF FUNCTION CHUNK	FOR IoReleaseVpbSpinLock
; 
; START	OF FUNCTION CHUNK FOR PfSnActivateTrace

loc_5ABABC:				; CODE XREF: PfSnActivateTrace+15j
		mov	esi, 0C00002B9h
		jmp	loc_43E0CF
; 

loc_5ABAC6:				; CODE XREF: PfSnActivateTrace+7Bj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43E0C6
; END OF FUNCTION CHUNK	FOR PfSnActivateTrace
; 
; START	OF FUNCTION CHUNK FOR PopFxProcessWorkPool

loc_5ABAD3:				; CODE XREF: PopFxProcessWorkPool+D2j
		lea	edx, [esi+4]
		lea	ecx, [esi+8]
		call	@ExfInterlockedRemoveHeadList@8	; ExfInterlockedRemoveHeadList(x,x)
		and	dword ptr [eax], 0
		and	dword ptr [eax+4], 0
		push	dword ptr [eax+0Ch]
		call	dword ptr [eax+8]
		jmp	loc_43E242
; 

loc_5ABAF0:				; CODE XREF: PopFxProcessWorkPool+FFj
		mov	eax, [esp+20h+var_14]
		inc	eax
		push	2
		cdq
		pop	ecx
		idiv	ecx
		jmp	loc_43E265
; END OF FUNCTION CHUNK	FOR PopFxProcessWorkPool
; 
; START	OF FUNCTION CHUNK FOR PopFxDispatchPluginWorkOnce

loc_5ABB00:				; CODE XREF: PopFxDispatchPluginWorkOnce+8Dj
		mov	eax, [esi+40h]
		test	eax, eax
		jz	short loc_5ABB1B
		lea	ecx, [ebp+var_8]
		push	ecx
		push	0Dh
		call	eax
		test	al, al
		jz	short loc_5ABB1B
		cmp	byte ptr [ebp+var_4], bl
		jmp	loc_43E32C
; 

loc_5ABB1B:				; CODE XREF: PopFxDispatchPluginWorkOnce+16D875j
					; PopFxDispatchPluginWorkOnce+16D881j
		mov	eax, [esi+48h]
		test	eax, eax
		jz	short loc_5ABB56
		lea	ecx, [ebp+var_8]
		push	ecx
		push	0Ah
		call	eax
		test	al, al
		jz	short loc_5ABB56
		cmp	byte ptr [ebp+var_4], bl
		jz	loc_43E36C
		cmp	[ebp+var_44], 7
		jz	loc_43E32E
		cmp	[ebp+var_44], 8
		jz	loc_43E32E
		push	ebx
		push	ebx
		mov	edx, esi
		mov	ecx, 612h
		jmp	short loc_5ABB60
; 

loc_5ABB56:				; CODE XREF: PopFxDispatchPluginWorkOnce+16D890j
					; PopFxDispatchPluginWorkOnce+16D89Cj
		push	ebx
		push	esi
		push	0Dh
		pop	edx
		mov	ecx, 605h

loc_5ABB60:				; CODE XREF: PopFxDispatchPluginWorkOnce+16D8C4j
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_5ABB65:				; CODE XREF: PopFxDispatchPluginWorkOnce+BFj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43E35A
; END OF FUNCTION CHUNK	FOR PopFxDispatchPluginWorkOnce
; 
; START	OF FUNCTION CHUNK FOR PopFxDisableWorkOrderWatchdog

loc_5ABB74:				; CODE XREF: PopFxDisableWorkOrderWatchdog+17j
		push	0
		push	dword ptr [esi+60h]
		mov	edx, esi
		mov	ecx, 618h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_5ABB85:				; CODE XREF: PopFxDisableWorkOrderWatchdog+58j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43E3DF
; END OF FUNCTION CHUNK	FOR PopFxDisableWorkOrderWatchdog
; 
; START	OF FUNCTION CHUNK FOR PopFxEnableWorkOrderWatchdog

loc_5ABB92:				; CODE XREF: PopFxEnableWorkOrderWatchdog+9Aj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43E499
; END OF FUNCTION CHUNK	FOR PopFxEnableWorkOrderWatchdog
; 
; START	OF FUNCTION CHUNK FOR PopGetIdleTimesCallback

loc_5ABBA1:				; CODE XREF: PopGetIdleTimesCallback+64j
					; PopGetIdleTimesCallback+6Cj
		mov	eax, [esp+50h+var_2C]
		jmp	loc_43E756
; 

loc_5ABBAA:				; CODE XREF: PopGetIdleTimesCallback+136j
		sub	eax, 1
		jz	short loc_5ABBBC
		mov	ecx, edi
		mov	[esp+54h+var_38], edi
		mov	eax, edi
		jmp	loc_43E85A
; 

loc_5ABBBC:				; CODE XREF: PopGetIdleTimesCallback+16D499j
		lea	ecx, [esi+28h]
		lea	eax, [esi+18h]
		jmp	loc_43E856
; 

loc_5ABBC7:				; CODE XREF: PopGetIdleTimesCallback+256j
					; PopGetIdleTimesCallback+261j
		mov	eax, ds:_KeMaximumIncrement
		mul	ecx
		mov	[esi], eax
		mov	[esi+4], edx
		jmp	loc_43E992
; END OF FUNCTION CHUNK	FOR PopGetIdleTimesCallback
; 
; START	OF FUNCTION CHUNK FOR PpmConvertTime

loc_5ABBD8:				; CODE XREF: PpmConvertTime+54j
		push	esi
		push	ebx
		call	__aulldiv
		push	[ebp+arg_C]
		mov	esi, edx
		mov	edi, eax
		push	[ebp+arg_8]
		push	esi
		push	edi
		call	__allmul
		push	[ebp+arg_14]
		sub	ebx, eax
		mov	eax, [ebp+arg_4]
		push	[ebp+arg_10]
		sbb	eax, edx
		push	eax
		push	ebx
		call	__allmul
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	edx
		push	eax
		call	__aulldiv
		push	[ebp+arg_14]
		mov	ebx, eax
		mov	[ebp+arg_C], edx
		push	[ebp+arg_10]
		push	esi
		push	edi
		call	__allmul
		mov	esi, [ebp+arg_C]
		add	ebx, eax
		adc	esi, edx
		jmp	loc_43EAB9
; END OF FUNCTION CHUNK	FOR PpmConvertTime
; 
; START	OF FUNCTION CHUNK FOR PpmIdleGetCIndexForState

loc_5ABC2F:				; CODE XREF: PpmIdleGetCIndexForState+7j
		cmp	byte ptr [ecx+3Fh], 0
		jz	loc_43EB0F
		xor	eax, eax
		cmp	[ecx+40h], al
		setz	al
		inc	eax
		retn
; END OF FUNCTION CHUNK	FOR PpmIdleGetCIndexForState
; 
; START	OF FUNCTION CHUNK FOR PpmUpdateTimeAccumulation

loc_5ABC43:				; CODE XREF: PpmUpdateTimeAccumulation+2Aj
		mov	ecx, 0DB2h
		rdmsr
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], edx
		jmp	loc_43EB78
; 

loc_5ABC55:				; CODE XREF: PpmUpdateTimeAccumulation+A4j
		mov	ecx, [ebp+var_1C]
		sub	ecx, [edi+3E20h]
		mov	eax, [ebp+var_20]
		sbb	eax, [edi+3E24h]
		push	eax
		mov	eax, [ebp+var_18]
		push	ecx
		mov	ecx, esi
		sub	ecx, [edi+3DB8h]
		sbb	eax, [edi+3DBCh]
		push	eax
		mov	eax, [ebp+var_10]
		push	ecx
		push	[ebp+var_C]
		push	eax
		call	PpmConvertTime
		add	[edi+3E28h], eax
		adc	[edi+3E2Ch], edx
		jmp	loc_43EBEC
; 

loc_5ABC99:				; CODE XREF: PpmUpdateTimeAccumulation+10Aj
		mov	eax, [ebp+var_1C]
		mov	[edi+3E20h], eax
		mov	eax, [ebp+var_20]
		mov	[edi+3E24h], eax
		jmp	loc_43EC52
; END OF FUNCTION CHUNK	FOR PpmUpdateTimeAccumulation
; 
; START	OF FUNCTION CHUNK FOR PsInsertVirtualizedTimer

loc_5ABCB0:				; CODE XREF: PsInsertVirtualizedTimer+71j
		call	KeQueryInterruptTime
		mov	edi, eax
		mov	esi, edx
		lea	eax, [ebp+var_10]
		push	eax
		call	KeQuerySystemTime
		mov	ecx, [ebp+var_8]
		mov	dl, 1
		push	esi
		push	edi
		push	[ebp+var_C]
		lea	ecx, [ecx-0A0h]
		push	[ebp+var_10]
		call	ExpTimerPause
		mov	esi, [ebp+arg_0]
		jmp	loc_43ED87
; 

loc_5ABCE2:				; CODE XREF: PsInsertVirtualizedTimer+93j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43EDAE
; 

loc_5ABCF1:				; CODE XREF: PsInsertVirtualizedTimer+ABj
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43EDC6
; END OF FUNCTION CHUNK	FOR PsInsertVirtualizedTimer
; 
; START	OF FUNCTION CHUNK FOR ExAcquireRundownProtectionEx

loc_5ABD00:				; CODE XREF: ExAcquireRundownProtectionEx+1Aj
		mov	edx, eax
		test	al, 1
		jz	loc_43EE63
		jmp	loc_43EE79
; END OF FUNCTION CHUNK	FOR ExAcquireRundownProtectionEx
; 
; START	OF FUNCTION CHUNK FOR SmDecompressBuffer

loc_5ABD0F:				; CODE XREF: SmDecompressBuffer+3Dj
		mov	esi, 0C0000098h
		jmp	loc_43EF99
; 

loc_5ABD19:				; CODE XREF: SmDecompressBuffer+45j
		cmp	edx, 4
		jb	short loc_5ABD55
		and	[ebp+var_18], 0
		lea	eax, [ebx+0Ch]
		sub	edx, 4
		mov	[ebp+var_C], eax
		push	edx
		push	eax
		push	4
		lea	eax, [ebp+var_18]
		mov	[ebp+var_8], edx
		push	eax
		push	8
		push	edi
		push	0
		call	_RtlComputeCrc32@12 ; RtlComputeCrc32(x,x,x)
		push	eax
		call	_RtlComputeCrc32@12 ; RtlComputeCrc32(x,x,x)
		push	eax
		call	_RtlComputeCrc32@12 ; RtlComputeCrc32(x,x,x)
		cmp	eax, [ebx+8]
		jz	loc_43EEF7

loc_5ABD55:				; CODE XREF: SmDecompressBuffer+23j
					; SmDecompressBuffer+16CE76j
		mov	esi, 0C0000242h
		jmp	loc_43EF99
; 

loc_5ABD5F:				; CODE XREF: SmDecompressBuffer+5Dj
		mov	esi, 0C0000904h
		jmp	loc_43EF99
; 

loc_5ABD69:				; CODE XREF: SmDecompressBuffer+6Dj
		mov	esi, 0C000009Ah
		jmp	loc_43EF99
; 

loc_5ABD73:				; CODE XREF: SmDecompressBuffer+84j
		cmp	[ebp+var_8], edi
		jnz	loc_43EFAE
		push	edi		; size_t
		push	[ebp+var_C]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_10], edi
		jmp	loc_43EF79
; END OF FUNCTION CHUNK	FOR SmDecompressBuffer
; 
; START	OF FUNCTION CHUNK FOR RtlDecompressBufferXpressHuff

loc_5ABD91:				; CODE XREF: RtlDecompressBufferXpressHuff+Dj
		mov	eax, 0C00000E8h
		jmp	loc_43F2C1
; 

loc_5ABD9B:				; CODE XREF: RtlDecompressBufferXpressHuff+442j
		cmp	edi, [ebp+arg_4]
		jz	loc_43F2B4
		jmp	loc_43F11F
; 

loc_5ABDA9:				; CODE XREF: RtlDecompressBufferXpressHuff+45Aj
		lea	eax, [edx+3]
		cmp	eax, [ebp+arg_18]
		jnb	loc_43F4AB
		mov	ecx, [edx]
		add	edx, 4
		mov	[ebp+arg_8], edx
		jmp	loc_43F470
; 

loc_5ABDC2:				; CODE XREF: RtlDecompressBufferXpressHuff+496j
		cmp	edi, [ebp+arg_4]
		jz	loc_43F2B4
		jmp	loc_43F33A
; 

loc_5ABDD0:				; CODE XREF: RtlDecompressBufferXpressHuff+418j
		lea	eax, [edx+1]
		cmp	eax, [ebp+arg_18]
		jnb	loc_43F4AB
		movzx	ecx, word ptr [edx]
		add	edx, 2
		mov	[ebp+arg_8], edx
		test	ecx, ecx
		jnz	short loc_5ABDFD
		lea	eax, [edx+3]
		cmp	eax, [ebp+arg_18]
		jnb	loc_43F4AB
		mov	ecx, [edx]
		add	edx, 4
		mov	[ebp+arg_8], edx

loc_5ABDFD:				; CODE XREF: RtlDecompressBufferXpressHuff+16CDD7j
		cmp	ecx, 0Fh
		jb	loc_43F4AB
		lea	eax, [edi+3]
		add	eax, ecx
		cmp	eax, edi
		jb	loc_43F4AB
		mov	eax, [ebp+var_10]
		sub	ecx, 0Fh
		jmp	loc_43F42E
; END OF FUNCTION CHUNK	FOR RtlDecompressBufferXpressHuff
; 
; START	OF FUNCTION CHUNK FOR XpressBuildHuffmanDecodingTable

loc_5ABE1E:				; CODE XREF: XpressBuildHuffmanDecodingTable+1B8j
		mov	ecx, 2
		lea	edx, [eax+404h]
		mov	esi, 200h

loc_5ABE2E:				; CODE XREF: XpressBuildHuffmanDecodingTable+16C97Aj
		cmp	[edx], si
		jnz	short loc_5ABE63
		inc	ecx
		add	edx, 2
		cmp	ecx, 0Fh
		jbe	short loc_5ABE2E
		cmp	[eax+402h], si
		jz	short loc_5ABE63
		lea	edi, [eax+420h]
		mov	ecx, 100h
		mov	eax, ebx
		movzx	edx, ax
		mov	eax, edx
		shl	edx, 10h
		or	eax, edx
		rep stosd
		jmp	loc_43F67E
; 

loc_5ABE63:				; CODE XREF: XpressBuildHuffmanDecodingTable:loc_43F579j
					; XpressBuildHuffmanDecodingTable:loc_43F5D0j ...
		mov	eax, 0C0000242h
		jmp	loc_43F680
; END OF FUNCTION CHUNK	FOR XpressBuildHuffmanDecodingTable
; 
; START	OF FUNCTION CHUNK FOR PfSnDeactivateTrace

loc_5ABE6D:				; CODE XREF: PfSnDeactivateTrace+29j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43FA04
; 

loc_5ABE7C:				; CODE XREF: PfSnDeactivateTrace+97j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43FA72
; END OF FUNCTION CHUNK	FOR PfSnDeactivateTrace
; 
; START	OF FUNCTION CHUNK FOR PfSnCancelTraceTimer

loc_5ABE8B:				; CODE XREF: PfSnCancelTraceTimer+3Ej
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43FAD1
; END OF FUNCTION CHUNK	FOR PfSnCancelTraceTimer
; 
; START	OF FUNCTION CHUNK FOR PfSnRemoveProcessTrace

loc_5ABE9A:				; CODE XREF: PfSnRemoveProcessTrace+3Cj
		mov	edx, eax
		test	al, 1
		lea	eax, [esi+esi]
		jz	loc_43FB20

loc_5ABEA7:				; CODE XREF: PfSnRemoveProcessTrace+27j
		mov	eax, esi
		and	edx, 0FFFFFFFEh
		neg	eax
		lock xadd [edx], eax
		cmp	eax, esi
		jnz	loc_43FB32
		lea	eax, [edx+14h]
		lock btr dword ptr [eax], 0
		jb	loc_43FB32
		push	0
		push	0
		lea	eax, [edx+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_43FB32
; 

loc_5ABEDA:				; CODE XREF: PfSnRemoveProcessTrace+5Dj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_43FB58
; END OF FUNCTION CHUNK	FOR PfSnRemoveProcessTrace
; 
; START	OF FUNCTION CHUNK FOR PfFbBufferListFlushStandby

loc_5ABEE9:				; CODE XREF: PfFbBufferListFlushStandby+34j
		mov	eax, [ebx+0Ch]
		mov	edx, ebx
		push	0
		push	dword ptr [ebx+14h]
		sub	eax, ebx
		mov	ecx, esi
		push	eax
		call	PfFbBufferListInsertInFree
		jmp	loc_43FBF8
; END OF FUNCTION CHUNK	FOR PfFbBufferListFlushStandby
; 
; START	OF FUNCTION CHUNK FOR PfFbBufferListInsertInFree

loc_5ABF02:				; CODE XREF: PfFbBufferListInsertInFree+11j
		movzx	esi, word ptr [ebx+0Ch]
		mov	ecx, ds:_KeNumberProcessors
		push	edi
		movzx	edi, word ptr [ebx+14h]
		add	edi, esi
		inc	ecx
		cmp	edi, ecx
		pop	edi
		jb	short loc_5ABF33
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebx+40h]
		neg	ecx
		lock xadd [eax], ecx
		push	dword ptr [ebx+24h]
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_43FC4B
; 

loc_5ABF33:				; CODE XREF: PfFbBufferListInsertInFree+16C315j
		mov	esi, edx
		jmp	loc_43FC19
; END OF FUNCTION CHUNK	FOR PfFbBufferListInsertInFree
; 
; START	OF FUNCTION CHUNK FOR PfTFullEventListAdd

loc_5ABF3A:				; CODE XREF: PfTFullEventListAdd+1Ej
		mov	ecx, esi
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	loc_43FCC6
		mov	ecx, [eax+0Ch]
		mov	edx, eax
		push	1
		push	dword ptr [eax+14h]
		sub	ecx, eax
		push	ecx
		mov	ecx, offset unk_6D4380
		call	PfFbBufferListInsertInFree
		jmp	loc_43FCB3
; END OF FUNCTION CHUNK	FOR PfTFullEventListAdd
; 
; START	OF FUNCTION CHUNK FOR KiResortScbQueue

loc_5ABF65:				; CODE XREF: KiResortScbQueue+90j
		test	ecx, ecx
		jnz	short loc_5ABF8B
		mov	eax, [edi+4]
		cmp	eax, [esi-4Ch]
		jb	loc_43FD6A
		ja	loc_43FDD1
		mov	eax, [edi]
		cmp	eax, [esi-50h]
		jbe	loc_43FD6A
		jmp	loc_43FDD1
; 

loc_5ABF8B:				; CODE XREF: KiResortScbQueue+16C245j
		xor	eax, eax
		inc	eax
		jmp	loc_43FDCD
; 

loc_5ABF93:				; CODE XREF: KiResortScbQueue+D8j
		test	edx, edx
		jnz	short loc_5ABFB9
		mov	eax, [edi+4]
		cmp	eax, [ecx-4Ch]
		jb	loc_43FE1D
		ja	loc_43FD6A
		mov	eax, [edi]
		cmp	eax, [ecx-50h]
		jbe	loc_43FE1D
		jmp	loc_43FD6A
; 

loc_5ABFB9:				; CODE XREF: KiResortScbQueue+16C273j
		xor	eax, eax
		inc	eax
		jmp	loc_43FE15
; END OF FUNCTION CHUNK	FOR KiResortScbQueue
; 
; START	OF FUNCTION CHUNK FOR KeRevertToUserGroupAffinityThread

loc_5ABFC1:				; CODE XREF: KeRevertToUserGroupAffinityThread+5Aj
					; KeRevertToUserGroupAffinityThread+16C0A9j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5ABFC1
		jmp	loc_43FF79
; 

loc_5ABFD4:				; CODE XREF: KeRevertToUserGroupAffinityThread+A8j
		push	eax
		push	[ebp+var_C]
		mov	edx, 546h
		mov	ecx, esi
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)
		jmp	loc_43FFD2
; 

loc_5ABFE9:				; CODE XREF: KeRevertToUserGroupAffinityThread+B8j
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceThreadAffinity@8 ; EtwTraceThreadAffinity(x,x)
		jmp	loc_43FFE2
; END OF FUNCTION CHUNK	FOR KeRevertToUserGroupAffinityThread
; 
; START	OF FUNCTION CHUNK FOR KiSchedulerApc

loc_5ABFF7:				; CODE XREF: KiSchedulerApc+198j
		mov	edi, [ebx+0Ch]
		xor	edx, edx
		push	1
		inc	edx
		mov	ecx, ebx
		call	KiSetProcessorIdle
		test	edi, edi
		jnz	loc_44024F
		jmp	loc_4401D0
; 

loc_5AC013:				; CODE XREF: KiSchedulerApc+292j
		mov	cl, 1
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	dword ptr [esi+58h], 0FFFFFFBFh
		push	ebx
		push	ebx
		push	ebx
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		jmp	loc_4401D9
; 

loc_5AC02C:				; CODE XREF: KiSchedulerApc+1E6j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[esp+88h+var_64], 0
		lea	edi, [esi+2Ch]
		mov	bh, al

loc_5AC03C:				; CODE XREF: KiSchedulerApc+16C048j
		lock bts dword ptr [edi], 0
		jb	short loc_5AC06B
		mov	al, [esi+86h]
		mov	cl, bh
		mov	bl, al
		and	al, 0FDh
		shr	bl, 1
		mov	[esi+86h], al
		and	bl, 1
		mov	dword ptr [edi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_44021E
; 

loc_5AC06B:				; CODE XREF: KiSchedulerApc+16C00Fj
					; KiSchedulerApc+16C046j
		lea	ecx, [esp+88h+var_64]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5AC06B
		jmp	short loc_5AC03C
; 

loc_5AC07C:				; CODE XREF: KiSchedulerApc+218j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[esp+88h+var_60], 0
		lea	edi, [esi+2Ch]
		mov	bl, al

loc_5AC08C:				; CODE XREF: KiSchedulerApc+16C091j
		lock bts dword ptr [edi], 0
		jb	short loc_5AC0B4
		lea	eax, [esi+78h]
		cmp	[eax], eax
		jz	short loc_5AC0A1
		or	byte ptr [esi+86h], 2

loc_5AC0A1:				; CODE XREF: KiSchedulerApc+16C066j
		mov	cl, bl
		mov	dword ptr [edi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_44008C
; 

loc_5AC0B4:				; CODE XREF: KiSchedulerApc+16C05Fj
					; KiSchedulerApc+16C08Fj
		lea	ecx, [esp+88h+var_60]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5AC0B4
		jmp	short loc_5AC08C
; 

loc_5AC0C5:				; CODE XREF: KiSchedulerApc+8Cj
		mov	eax, [esp+88h+var_6C]
		lea	ecx, [esp+88h+var_58]
		xor	ebx, ebx
		mov	[esp+88h+var_58], eax
		inc	ebx
		push	ebx
		mov	dl, bl
		mov	[esp+8Ch+var_54], ebx
		call	DbgkForwardException
		push	ebx
		xor	dl, dl
		lea	ecx, [esp+8Ch+var_58]
		call	DbgkForwardException
		jmp	loc_4400C4
; 

loc_5AC0F1:				; CODE XREF: KiSchedulerApc+DBj
		mov	ecx, edi
		call	KiRemoveQueueApc
		jmp	loc_440113
; 

loc_5AC0FD:				; CODE XREF: KiSchedulerApc+C6j
		mov	esi, [esp+88h+var_70]
		jmp	loc_44012F
; END OF FUNCTION CHUNK	FOR KiSchedulerApc
; 
; START	OF FUNCTION CHUNK FOR KiIsProcessTerminationRequested

loc_5AC106:				; CODE XREF: KiIsProcessTerminationRequested+2Fj
		shr	eax, 12h
		mov	eax, [ebp+eax*4+var_14]
		mov	[edx], eax
		mov	al, 1
		jmp	loc_440367
; END OF FUNCTION CHUNK	FOR KiIsProcessTerminationRequested
; 
; START	OF FUNCTION CHUNK FOR KiFindReadyThread

loc_5AC116:				; CODE XREF: KiFindReadyThread+76j
		push	ecx
		mov	ecx, ebx
		call	_KiConvertDynamicHeteroPolicy@12 ; KiConvertDynamicHeteroPolicy(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_14]
		jmp	loc_4403FC
; 

loc_5AC129:				; CODE XREF: KiFindReadyThread+7Ej
		mov	ecx, [ecx+338h]
		lea	eax, [eax+eax*2]
		mov	ecx, [ecx+eax*4+0B0h]
		mov	eax, [ebp+arg_4]
		and	ecx, eax
		jz	short loc_5AC142
		mov	eax, ecx

loc_5AC142:				; CODE XREF: KiFindReadyThread+16BDBEj
		mov	ecx, [ebp+var_4]
		jmp	loc_440407
; 

loc_5AC14A:				; CODE XREF: KiFindReadyThread+D8j
					; KiFindReadyThread+E0j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5AC151:				; CODE XREF: KiQueueReadyThread+39j
					; KiFindReadyThread+16BDE2j
		pause
		mov	edi, [esi+34h]
		mov	ecx, [esi+30h]
		mov	[ebp+var_C], edi
		mov	[ebp+var_10], ecx
		cmp	edi, [esi+38h]
		jnz	short loc_5AC151
		mov	edi, [ebp+var_14]
		mov	ebx, [ebp+var_C]
		jmp	loc_4407DF
; END OF FUNCTION CHUNK	FOR KiFindReadyThread
; 
; START	OF FUNCTION CHUNK FOR KiQueueReadyThread

loc_5AC16F:				; CODE XREF: KiQueueReadyThread+403j
		lea	edx, [esi+164h]
		mov	ecx, edi
		call	_KiPrcbInGroupAffinity@8 ; KiPrcbInGroupAffinity(x,x)
		test	eax, eax
		jnz	loc_440B48
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 0Ch
		jmp	loc_440B48
; 

loc_5AC191:				; CODE XREF: KiQueueReadyThread+3C5j
		push	eax
		push	[ebp+var_18]
		mov	edx, 546h
		mov	ecx, esi
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)
		jmp	loc_440804
; 

loc_5AC1A6:				; CODE XREF: KiQueueReadyThread+340j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 0Ch
		jmp	loc_440804
; 

loc_5AC1B3:				; CODE XREF: KiQueueReadyThread+D9j
		mov	byte ptr [eax+10h], 0
		jmp	loc_44087F
; 

loc_5AC1BC:				; CODE XREF: KiQueueReadyThread+1D2j
		mov	ebx, 1
		jmp	loc_44097A
; END OF FUNCTION CHUNK	FOR KiQueueReadyThread
; 
; START	OF FUNCTION CHUNK FOR KiUpdateGroupSchedulingRank

loc_5AC1C6:				; CODE XREF: KiUpdateGroupSchedulingRank+BDj
		test	byte ptr [esi+5Ch], 1
		jz	loc_440C00
		push	1
		mov	edx, esi
		mov	ecx, ebx
		call	KiRemoveSchedulingGroupQueue
		jmp	loc_440C00
; 

loc_5AC1E0:				; CODE XREF: KiUpdateGroupSchedulingRank+61j
		mov	edi, esi
		sub	edi, [ebx+3B34h]
		jmp	loc_440BF0
; END OF FUNCTION CHUNK	FOR KiUpdateGroupSchedulingRank
; 
; START	OF FUNCTION CHUNK FOR KiComputeGroupSchedulingRank

loc_5AC1ED:				; CODE XREF: KiComputeGroupSchedulingRank+8Bj
					; KiComputeGroupSchedulingRank+95j
		mov	[ebp+var_1], 1
		jmp	loc_440D5F
; 

loc_5AC1F6:				; CODE XREF: KiComputeGroupSchedulingRank+AEj
					; KiComputeGroupSchedulingRank+B7j
		mov	esi, [ebp+var_C]

loc_5AC1F9:				; CODE XREF: KiComputeGroupSchedulingRank+16B55Fj
					; KiComputeGroupSchedulingRank+16B564j
		mov	edi, [eax]
		mov	ebx, esi
		mov	edx, [eax+4]
		add	ebx, edi
		mov	ecx, [ebp+var_18]
		mov	eax, edi
		mov	[ebp+var_20], edx
		adc	ecx, edx
		mov	[ebp+var_1C], ebx
		nop
		mov	esi, [ebp+var_14]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_C]
		cmp	eax, edi
		mov	eax, [ebp+var_14]
		jnz	short loc_5AC1F9
		cmp	edx, [ebp+var_20]
		jnz	short loc_5AC1F9
		mov	esi, [ebp+arg_0]
		test	ecx, ecx
		jg	short loc_5AC256
		jl	short loc_5AC235
		cmp	[ebp+var_1C], 0
		ja	short loc_5AC256

loc_5AC235:				; CODE XREF: KiComputeGroupSchedulingRank+16B56Dj
		mov	edi, [ebp+var_10]
		xor	ecx, ecx
		lea	eax, [edi+40h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jz	loc_440D7D
		push	0
		push	0
		push	ecx
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		jmp	loc_440D7D
; 

loc_5AC256:				; CODE XREF: KiComputeGroupSchedulingRank+16B56Bj
					; KiComputeGroupSchedulingRank+16B573j
		mov	edi, [ebp+var_10]
		jmp	loc_440D7D
; 

loc_5AC25E:				; CODE XREF: KiComputeGroupSchedulingRank+C7j
		or	bl, 2
		mov	[ebp+var_1], 1
		mov	[esi+5Ch], bl
		mov	bh, bl
		jmp	loc_440D93
; 

loc_5AC26F:				; CODE XREF: KiComputeGroupSchedulingRank+11Cj
		mov	cl, bh
		test	ch, ch
		jz	loc_440DE2

loc_5AC279:				; CODE XREF: KiComputeGroupSchedulingRank+114j
					; KiComputeGroupSchedulingRank+142j
		mov	eax, ds:dword_70513C
		mov	ecx, [edi+8]
		push	eax
		mov	eax, ds:_KiCycleDivisorLongTerm
		push	eax
		push	0
		push	ecx
		mov	[ebp+arg_0], ecx
		call	__allmul
		shrd	eax, edx, 7
		shr	edx, 7
		push	edx
		push	eax
		mov	eax, [esi+24h]
		push	eax
		mov	eax, [esi+20h]
		push	eax
		call	__aulldiv
		mov	ecx, [esi+64h]
		inc	eax
		mov	[esi+60h], eax
		test	ecx, ecx
		jz	short loc_5AC2C6
		lock xadd [ecx], eax
		mov	eax, [esi+0Ch]
		mov	edi, [esi+8]
		mov	bl, [esi+5Ch]
		mov	[ebp+var_10], eax
		jmp	short loc_5AC2C9
; 

loc_5AC2C6:				; CODE XREF: KiComputeGroupSchedulingRank+16B5F2j
		mov	edi, [ebp+var_20]

loc_5AC2C9:				; CODE XREF: KiComputeGroupSchedulingRank+16B604j
		mov	eax, ds:dword_705144
		push	eax
		mov	eax, ds:_KiCycleDivisorShortTerm
		push	eax
		push	0
		push	[ebp+arg_0]
		call	__allmul
		mov	ecx, [ebp+var_8]
		shrd	eax, edx, 7
		shr	edx, 7
		add	eax, edi
		mov	[esi+18h], eax
		adc	edx, [ebp+var_10]
		or	bl, 4
		mov	[esi+1Ch], edx
		mov	edx, esi
		mov	[esi+5Ch], bl
		call	_KiCheckForEffectivePriorityChange@8 ; KiCheckForEffectivePriorityChange(x,x)
		mov	cl, [esi+5Ch]
		mov	edx, [ebp+var_8]
		jmp	loc_440DE2
; 

loc_5AC30C:				; CODE XREF: KiComputeGroupSchedulingRank+125j
		test	cl, 2
		mov	edx, esi
		mov	ecx, [ebp+var_8]
		push	1
		jz	short loc_5AC31F
		call	KiRemoveSchedulingGroupQueue
		jmp	short loc_5AC324
; 

loc_5AC31F:				; CODE XREF: KiComputeGroupSchedulingRank+16B656j
		call	KiResortScbQueue

loc_5AC324:				; CODE XREF: KiComputeGroupSchedulingRank+16B65Dj
		mov	edx, [ebp+var_8]
		jmp	loc_440DEB
; 

loc_5AC32C:				; CODE XREF: KiComputeGroupSchedulingRank+132j
		cmp	byte ptr [edx+2254h], 0
		jnz	loc_440DF8
		mov	eax, [edx+3CCh]
		push	eax
		push	offset _KiGroupSchedulingOverQuotaMask
		call	_KeInterlockedSetProcessorAffinityEx@8 ; KeInterlockedSetProcessorAffinityEx(x,x)
		mov	eax, [ebp+var_8]
		mov	byte ptr [eax+2254h], 1
		jmp	loc_440DF8
; END OF FUNCTION CHUNK	FOR KiComputeGroupSchedulingRank
; 
; START	OF FUNCTION CHUNK FOR KiCheckMaxOverQuotaTransition

loc_5AC359:				; CODE XREF: KiCheckMaxOverQuotaTransition+Bj
		mov	edx, esi
		mov	ecx, eax
		call	_KiChargeSchedulingGroupCycleTime@8 ; KiChargeSchedulingGroupCycleTime(x,x)
		test	al, al
		jz	loc_440E23
		or	byte ptr [esi+5Ch], 2
		mov	al, 1
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR KiCheckMaxOverQuotaTransition
; 
; START	OF FUNCTION CHUNK FOR KiAddThreadToScbQueue

loc_5AC372:				; CODE XREF: KiAddThreadToScbQueue+1Cj
		mov	eax, [esi+0F4h]
		test	eax, eax
		jz	loc_440E7E
		mov	esi, eax
		jmp	loc_440E74
; END OF FUNCTION CHUNK	FOR KiAddThreadToScbQueue
; 
; START	OF FUNCTION CHUNK FOR KiInsertSchedulingGroupQueue

loc_5AC387:				; CODE XREF: KiInsertSchedulingGroupQueue+17j
		add	edx, 0ECh
		jmp	loc_440F47
; END OF FUNCTION CHUNK	FOR KiInsertSchedulingGroupQueue
; 
; START	OF FUNCTION CHUNK FOR KiBeginThreadAccountingPeriod

loc_5AC392:				; CODE XREF: KiBeginThreadAccountingPeriod+29j
		mov	al, [ebx+60h]
		mov	eax, [esi+3B40h]
		mov	ecx, [esi+3B44h]
		mov	[esi+3B48h], eax
		mov	[esi+3B4Ch], ecx
		jmp	loc_44105F
; 

loc_5AC3B2:				; CODE XREF: KiBeginThreadAccountingPeriod+58j
		mov	ecx, [eax+64h]
		jmp	loc_44109D
; 

loc_5AC3BA:				; CODE XREF: KiBeginThreadAccountingPeriod+E9j
		mov	dl, 1
		mov	ecx, ebx
		call	@KiBeginCounterAccumulation@8 ;	KiBeginCounterAccumulation(x,x)
		jmp	loc_44111F
; 

loc_5AC3C8:				; CODE XREF: KiBeginThreadAccountingPeriod+DCj
		sti
		jmp	loc_441126
; 

loc_5AC3CE:				; CODE XREF: KiBeginThreadAccountingPeriod+116j
		xor	dl, dl
		mov	ecx, ebx
		call	@KiBeginCounterAccumulation@8 ;	KiBeginCounterAccumulation(x,x)
		jmp	loc_441126
; END OF FUNCTION CHUNK	FOR KiBeginThreadAccountingPeriod
; 
; START	OF FUNCTION CHUNK FOR PspProcessUnbindVirtualizedTimers

loc_5AC3DC:				; CODE XREF: PspProcessUnbindVirtualizedTimers+73j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4412B4
; END OF FUNCTION CHUNK	FOR PspProcessUnbindVirtualizedTimers

;  S U B	R O U T	I N E 


sub_5AC3EB	proc near		; CODE XREF: PfpLogApplicationEvent+B3j
		push	ebx
		lea	eax, [ebp-80Ch]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edi, [ebp-80Ch]
		jmp	loc_44137F
sub_5AC3EB	endp


;  S U B	R O U T	I N E 


sub_5AC403	proc near		; CODE XREF: KiFlushQueuedDpcsWorker+16j
		push	ebx
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, 2
		mov	bl, al
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx
		jmp	loc_4415A0
sub_5AC403	endp

; 
; START	OF FUNCTION CHUNK FOR KiGroupSchedulingMoveThread

loc_5AC424:				; CODE XREF: KiGroupSchedulingMoveThread+75j
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		cmp	eax, [ebp+var_10]
		jnz	loc_441764
		mov	eax, [ebp+var_4]
		btc	edi, eax
		test	edi, edi
		jnz	loc_44174D
		mov	edx, [ebp+var_8]

loc_5AC446:				; CODE XREF: KiGroupSchedulingMoveThread+43j
		lea	ecx, [ebx+0ECh]
		test	byte ptr [ecx+4], 1
		mov	eax, [ecx]
		jz	short loc_5AC45A
		test	eax, eax
		jz	short loc_5AC46F
		xor	eax, ecx

loc_5AC45A:				; CODE XREF: KiGroupSchedulingMoveThread+16AD4Ej
		test	eax, eax
		jz	short loc_5AC46F
		push	ecx
		mov	ecx, [ebp+var_C]
		call	KiGroupSchedulingMoveThread
		test	eax, eax
		jnz	loc_44172B

loc_5AC46F:				; CODE XREF: KiGroupSchedulingMoveThread+16AD52j
					; KiGroupSchedulingMoveThread+16AD58j
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jz	short loc_5AC492
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_5AC49A

loc_5AC480:				; CODE XREF: KiGroupSchedulingMoveThread+16AD84j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_5AC480
		jmp	short loc_5AC49A
; 

loc_5AC48C:				; CODE XREF: KiGroupSchedulingMoveThread+16AD94j
		cmp	[esi], ecx
		jz	short loc_5AC49A
		mov	ecx, esi

loc_5AC492:				; CODE XREF: KiGroupSchedulingMoveThread+16AD72j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_5AC48C

loc_5AC49A:				; CODE XREF: KiGroupSchedulingMoveThread+16AD7Aj
					; KiGroupSchedulingMoveThread+16AD86j ...
		test	esi, esi
		jz	loc_441729
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_8]
		jmp	loc_44173E
; END OF FUNCTION CHUNK	FOR KiGroupSchedulingMoveThread
; 
; START	OF FUNCTION CHUNK FOR KiRemoveSchedulingGroupQueue

loc_5AC4AD:				; CODE XREF: KiRemoveSchedulingGroupQueue+4Fj
		test	byte ptr [esi+5Ch], 1
		jz	loc_44188D
		lea	ecx, [esi+0ECh]
		test	byte ptr [ecx+4], 1
		mov	eax, [ecx]
		jz	short loc_5AC4CB
		test	eax, eax
		jz	short loc_5AC4D3
		xor	eax, ecx

loc_5AC4CB:				; CODE XREF: KiRemoveSchedulingGroupQueue+16AC8Bj
		test	eax, eax
		jnz	loc_44188D

loc_5AC4D3:				; CODE XREF: KiRemoveSchedulingGroupQueue+16AC8Fj
		cmp	word ptr [esi+5Eh], 0
		mov	ecx, [ebp+var_4]
		jz	loc_441846
		jmp	loc_44188D
; END OF FUNCTION CHUNK	FOR KiRemoveSchedulingGroupQueue
; 
; START	OF FUNCTION CHUNK FOR KiIdleSchedule

loc_5AC4E6:				; CODE XREF: KiIdleSchedule+4Aj
		cmp	ds:_KeHeteroSystemVirtual, 0
		jnz	loc_4418E4
		mov	ecx, esi
		call	_KiSendHeteroRescheduleIntRequest@4 ; KiSendHeteroRescheduleIntRequest(x)
		jmp	loc_4418E4
; END OF FUNCTION CHUNK	FOR KiIdleSchedule
; 
; START	OF FUNCTION CHUNK FOR KiSearchForNewThread

loc_5AC4FF:				; CODE XREF: KiSearchForNewThread+F8j
		mov	ecx, edi
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		lea	eax, [esi+2224h]
		xor	ecx, ecx
		lock and [eax],	ecx
		lea	eax, [edi+9Ch]
		mov	[eax], ecx
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		mov	[ebp+var_4], eax
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	[ebp+var_8], 0
		lea	edi, [esi+2224h]

loc_5AC533:				; CODE XREF: KiSearchForNewThread+16AC4Bj
		lock bts dword ptr [edi], 0
		jb	short loc_5AC55D
		test	bl, bl
		jz	short loc_5AC54D
		mov	eax, [esi+8]
		cmp	eax, [esi+0Ch]
		jnz	short loc_5AC54D
		mov	dword ptr [esi+8], 0

loc_5AC54D:				; CODE XREF: KiSearchForNewThread+16AC1Cj
					; KiSearchForNewThread+16AC24j
		mov	edi, [esi+8]
		test	edi, edi
		jz	loc_441941
		jmp	loc_4419EC
; 

loc_5AC55D:				; CODE XREF: KiSearchForNewThread+16AC18j
					; KiSearchForNewThread+16AC49j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5AC55D
		jmp	short loc_5AC533
; 

loc_5AC56D:				; CODE XREF: KiSearchForNewThread+63j
		mov	edi, 1
		jmp	loc_441989
; 

loc_5AC577:				; CODE XREF: KiSearchForNewThread+6Bj
		push	0
		mov	edx, 1
		mov	ecx, esi
		call	KiSetProcessorIdle
		mov	ebx, [esi+0Ch]
		test	byte ptr [ebx+2], 4
		jz	short loc_5AC59D
		mov	edx, esi
		mov	ecx, ebx
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_5AC5A3

loc_5AC59D:				; CODE XREF: KiSearchForNewThread+16AC6Cj
		mov	cl, [ebx+87h]

loc_5AC5A3:				; CODE XREF: KiSearchForNewThread+16AC7Bj
		mov	eax, [esi+33Ch]
		mov	[eax], cl
		mov	al, [esi+2238h]
		jmp	loc_441991
; 

loc_5AC5B6:				; CODE XREF: KiSearchForNewThread+73j
		mov	ecx, 1
		jmp	loc_44199B
; 

loc_5AC5C0:				; CODE XREF: KiSearchForNewThread+88j
		test	edi, edi
		jz	loc_4419E3
		jmp	loc_4419AE
; 

loc_5AC5CD:				; CODE XREF: KiSearchForNewThread+BDj
					; KiSearchForNewThread+16ACCCj
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_C]
		call	MmGetNextNode
		mov	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	loc_4419E3
		mov	eax, 1
		shl	eax, cl
		test	eax, edi
		jz	short loc_5AC5CD
		mov	ebx, ds:_KeNodeBlock[ecx*4]
		jmp	loc_4419C4
; 

loc_5AC5FA:				; CODE XREF: KiSearchForNewThread+DEj
		mov	ecx, ds:_KeTickCount
		sub	ecx, [edi+138h]
		add	[edi+170h], ecx
		jmp	loc_441A04
; END OF FUNCTION CHUNK	FOR KiSearchForNewThread
; 
; START	OF FUNCTION CHUNK FOR KiSelectNextThread

loc_5AC611:				; CODE XREF: KiSelectNextThread+9Bj
		test	ebx, ebx
		jz	short loc_5AC62D
		mov	ecx, esi
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	eax, [ebx]
		add	esi, 9Ch
		mov	[esi], eax
		mov	[ebx], esi
		jmp	loc_441A90
; 

loc_5AC62D:				; CODE XREF: KiSelectNextThread+16AB93j
		push	1
		push	1
		push	esi
		xor	edx, edx
		mov	ecx, edi
		call	_KiAddThreadToReadyQueue@20 ; KiAddThreadToReadyQueue(x,x,x,x,x)
		jmp	loc_441ABE
; END OF FUNCTION CHUNK	FOR KiSelectNextThread
; 
; START	OF FUNCTION CHUNK FOR KiSelectLowestRankedThread

loc_5AC640:				; CODE XREF: KiSelectLowestRankedThread+10j
		mov	eax, [esi+338h]
		mov	edx, [eax]
		not	edx
		movzx	eax, dl
		shr	edx, 8
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[edx]
		movzx	eax, cl
		cmp	eax, ds:_KiPerfIsoEnabled
		jb	short loc_5AC6C2
		mov	ecx, [esi+3C8h]
		mov	eax, [esi+402Ch]
		cmp	ecx, eax
		jz	loc_441B5A
		not	ecx
		and	ecx, eax
		mov	eax, [esi+338h]
		mov	eax, [eax+0Ch]
		test	eax, ecx
		jnz	loc_441B5A
		bsf	eax, ecx
		mov	eax, ds:_KiProcessorBlock[eax*4]
		test	dword ptr [eax+4D8h], 400h
		jnz	loc_441B5A

loc_5AC6C2:				; CODE XREF: KiSelectLowestRankedThread+16AB39j
		xor	eax, eax
		jmp	loc_441B72
; 

loc_5AC6C9:				; CODE XREF: KiSelectLowestRankedThread+50j
		lea	eax, [edi+0ECh]
		mov	ecx, [eax+4]
		test	cl, 1
		jz	short loc_5AC6E7
		cmp	ecx, 1
		jz	loc_441B9A
		or	eax, 1
		xor	eax, ecx
		jmp	short loc_5AC6E9
; 

loc_5AC6E7:				; CODE XREF: KiSelectLowestRankedThread+16AB91j
		mov	eax, ecx

loc_5AC6E9:				; CODE XREF: KiSelectLowestRankedThread+16ABA1j
		test	eax, eax
		jnz	loc_441B82
		jmp	loc_441B9A
; END OF FUNCTION CHUNK	FOR KiSelectLowestRankedThread
; 

loc_5AC6F6:				; CODE XREF: .text:00441BC0j
		mov	byte ptr [eax+10h], 1
		jmp	loc_441BC6
; 
; START	OF FUNCTION CHUNK FOR KeSetSystemGroupAffinityThread

loc_5AC6FF:				; CODE XREF: KeSetSystemGroupAffinityThread+2Aj
					; KeSetSystemGroupAffinityThread+39j ...
		mov	byte ptr [ebp+arg_0+3],	0
		jmp	loc_441E4F
; 

loc_5AC708:				; CODE XREF: KeSetSystemGroupAffinityThread+81j
					; KeSetSystemGroupAffinityThread+16A924j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5AC708
		jmp	loc_441E6C
; 

loc_5AC71B:				; CODE XREF: KeSetSystemGroupAffinityThread+DAj
		push	eax
		push	ecx
		mov	edx, 546h
		mov	ecx, esi
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)
		jmp	loc_441ED0
; 

loc_5AC72E:				; CODE XREF: KeSetSystemGroupAffinityThread+EAj
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceThreadAffinity@8 ; EtwTraceThreadAffinity(x,x)
		jmp	loc_441EE0
; END OF FUNCTION CHUNK	FOR KeSetSystemGroupAffinityThread
; 
; START	OF FUNCTION CHUNK FOR ExpWorkerFactoryCreateThread

loc_5AC73C:				; CODE XREF: ExpWorkerFactoryCreateThread+69j
		test	ds:byte_70EFC6,	1
		jz	short loc_5AC752
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5AC77D
; 

loc_5AC752:				; CODE XREF: ExpWorkerFactoryCreateThread+16A7BDj
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_5AC771
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	short loc_5AC77D
		call	KxWaitForLockChainValid

loc_5AC771:				; CODE XREF: ExpWorkerFactoryCreateThread+16A7D1j
		xor	ecx, ecx
		mov	[ebp+var_24], ebx
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5AC77D:				; CODE XREF: ExpWorkerFactoryCreateThread+16A7CAj
					; ExpWorkerFactoryCreateThread+16A7E4j
		mov	cl, [ebp+var_1C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4420A4
; 

loc_5AC78B:				; CODE XREF: ExpWorkerFactoryCreateThread+82j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_442030
; 

loc_5AC79B:				; CODE XREF: ExpWorkerFactoryCreateThread+14Ej
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4420FC
; 

loc_5AC7AB:				; CODE XREF: ExpWorkerFactoryCreateThread+170j
		lea	ecx, [ebp+var_24]
		call	KxWaitForLockChainValid

loc_5AC7B3:				; CODE XREF: ExpWorkerFactoryCreateThread+159j
		xor	ecx, ecx
		mov	[ebp+var_24], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4420FC
; 

loc_5AC7C8:				; CODE XREF: ExpWorkerFactoryCreateThread+106j
		movzx	eax, ds:_KiActiveGroups
		shl	eax, 3
		push	eax
		lea	eax, [esi+40h]
		push	eax
		push	27h
		push	ebx
		call	_ZwSetInformationThread@16 ; ZwSetInformationThread(x,x,x,x)
		jmp	loc_442092
; 

loc_5AC7E4:				; CODE XREF: ExpWorkerFactoryCreateThread+195j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_442143
; 

loc_5AC7F4:				; CODE XREF: ExpWorkerFactoryCreateThread+1B7j
		lea	ecx, [ebp+var_24]
		call	KxWaitForLockChainValid

loc_5AC7FC:				; CODE XREF: ExpWorkerFactoryCreateThread+1A0j
		xor	ecx, ecx
		mov	[ebp+var_24], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_442143
; END OF FUNCTION CHUNK	FOR ExpWorkerFactoryCreateThread
; 
; START	OF FUNCTION CHUNK FOR KiProcessPendingForegroundBoosts

loc_5AC811:				; CODE XREF: KiProcessPendingForegroundBoosts+42j
		mov	ebx, ecx
		jmp	loc_4421EA
; 

loc_5AC818:				; CODE XREF: KiProcessPendingForegroundBoosts+A4j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_442251
; END OF FUNCTION CHUNK	FOR KiProcessPendingForegroundBoosts
; 
; START	OF FUNCTION CHUNK FOR KiApplyForegroundBoostThread

loc_5AC825:				; CODE XREF: KiApplyForegroundBoostThread+8Fj
		mov	al, cl
		movsx	esi, ah
		sub	al, ah
		movsx	edx, cl
		and	al, 0Fh
		mov	[ebp+var_10], edx
		mov	[edi+15Ch], al
		movzx	eax, ch
		mov	[ebp+var_14], esi
		sub	eax, 1
		jz	short loc_5AC870
		sub	eax, 1
		jz	loc_4424BC
		push	1
		sub	eax, 1
		jz	loc_442412
		mov	dl, cl
		mov	ecx, edi
		call	KiAbProcessThreadPriorityModification
		mov	bl, [ebp+var_1]
		mov	[edi+87h], bl
		jmp	loc_4424AF
; 

loc_5AC870:				; CODE XREF: KiApplyForegroundBoostThread+16A539j
		mov	edx, [ebp+var_C]
		push	esi
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		push	edi
		call	_KiRemoveThreadFromAnyReadyQueue@16 ; KiRemoveThreadFromAnyReadyQueue(x,x,x,x)
		mov	bl, [ebp+var_1]
		mov	ecx, edi
		push	1
		mov	dl, bl
		call	KiAbProcessThreadPriorityModification
		mov	edx, [ebp+var_18]
		mov	ecx, edi
		push	edx
		mov	edx, [ebp+var_10]
		mov	[edi+87h], bl
		call	_KiPrepareReadyThreadForRescheduling@12	; KiPrepareReadyThreadForRescheduling(x,x,x)
		jmp	loc_4423C5
; END OF FUNCTION CHUNK	FOR KiApplyForegroundBoostThread
; 
; START	OF FUNCTION CHUNK FOR KiShouldScanSharedReadyQueue

loc_5AC8A6:				; CODE XREF: KiShouldScanSharedReadyQueue+10j
		cmp	dword ptr [ecx+4020h], 0
		jnz	loc_4425C1
		jmp	loc_4425BE
; END OF FUNCTION CHUNK	FOR KiShouldScanSharedReadyQueue
; 
; START	OF FUNCTION CHUNK FOR KeSetPriorityAndQuantumProcess

loc_5AC8B8:				; CODE XREF: KeSetPriorityAndQuantumProcess+3Fj
		xor	ebx, ebx
		inc	ebx
		jmp	loc_4428E1
; 

loc_5AC8C0:				; CODE XREF: KeSetPriorityAndQuantumProcess+C0j
					; KeSetPriorityAndQuantumProcess+16A1B4j
		lea	esi, [eax-1D4h]
		mov	al, [ebp+arg_0]
		test	al, al
		jz	short loc_5AC8D3
		mov	[esi+193h], al

loc_5AC8D3:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A02Fj
		and	[ebp+var_44], 0
		lea	ebx, [esi+2Ch]

loc_5AC8DA:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A068j
		lock bts dword ptr [ebx], 0
		jb	short loc_5AC8F6
		movsx	ecx, byte ptr [esi+15Bh]
		add	edi, ecx
		mov	[ebp+var_8], edi
		cmp	edi, 10h
		jge	short loc_5AC906
		push	10h
		jmp	short loc_5AC90D
; 

loc_5AC8F6:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A043j
					; KeSetPriorityAndQuantumProcess+16A066j
		lea	ecx, [ebp+var_44]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5AC8F6
		jmp	short loc_5AC8DA
; 

loc_5AC906:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A054j
		cmp	edi, 1Fh
		jle	short loc_5AC911
		push	1Fh

loc_5AC90D:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A058j
		pop	edi
		mov	[ebp+var_8], edi

loc_5AC911:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A06Dj
		mov	al, [esi+18Dh]
		test	al, al
		jz	short loc_5AC932
		cmp	[ebp+var_24], 10h
		jge	loc_5AC9F4
		test	al, al
		jle	short loc_5AC932
		mov	[ebp+var_8], 1Fh
		jmp	short loc_5AC93B
; 

loc_5AC932:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A07Dj
					; KeSetPriorityAndQuantumProcess+16A08Bj
		jns	short loc_5AC93B
		mov	[ebp+var_8], 10h

loc_5AC93B:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A094j
					; KeSetPriorityAndQuantumProcess:loc_5AC932j
		mov	edi, [ebp+var_38]
		mov	[ebp+var_2C], ecx
		cmp	esi, edi
		jnz	short loc_5AC967
		mov	eax, [ebp+var_20]
		cmp	byte ptr [eax+11h], 0
		jnz	short loc_5AC95F
		cli
		push	0
		mov	edx, esi
		mov	ecx, eax
		call	_KiUpdateTotalCyclesCurrentThread@12 ; KiUpdateTotalCyclesCurrentThread(x,x,x)
		mov	ecx, eax
		sti
		jmp	short loc_5AC97E
; 

loc_5AC95F:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A0B0j
		mov	ecx, [esi+30h]
		mov	edx, [esi+34h]
		jmp	short loc_5AC97E
; 

loc_5AC967:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A0A7j
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0
		jmp	short loc_5AC973
; 

loc_5AC971:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A0E0j
		pause

loc_5AC973:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A0D3j
		mov	edx, [esi+34h]
		mov	ecx, [esi+30h]
		cmp	edx, [esi+38h]
		jnz	short loc_5AC971

loc_5AC97E:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A0C1j
					; KeSetPriorityAndQuantumProcess+16A0C9j
		cmp	esi, edi
		setnz	al
		movzx	eax, al
		push	eax
		push	edx
		movzx	edx, byte ptr [esi+193h]
		push	ecx
		mov	ecx, esi
		call	_KiComputeQuantumTargetThread@20 ; KiComputeQuantumTargetThread(x,x,x,x,x)
		push	0
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	_KiSetBasePriorityAndClearDecrement@12 ; KiSetBasePriorityAndClearDecrement(x,x,x)
		mov	edi, eax
		mov	[ebp+var_2], 1
		movsx	eax, byte ptr [esi+87h]
		lea	edx, [ebp+var_1C]
		push	edi
		mov	ecx, esi
		mov	[ebp+var_C], edi
		mov	[ebp+var_14], eax
		call	KiSetPriorityThread
		test	al, al
		jz	short loc_5AC9D3
		movsx	eax, byte ptr [esi+87h]
		mov	[ebp+var_1], 1
		mov	[ebp+var_C], eax

loc_5AC9D3:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A127j
		mov	ecx, [esi+0A4h]
		test	ecx, ecx
		jz	short loc_5AC9F1
		mov	al, [ecx]
		and	al, 7Fh
		cmp	al, 15h
		jnz	short loc_5AC9F1
		mov	edx, esi
		call	KiPriQueueThreadPriorityChanged
		mov	edi, [ebp+var_8]
		jmp	short loc_5AC9FA
; 

loc_5AC9F1:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A13Fj
					; KeSetPriorityAndQuantumProcess+16A147j
		mov	edi, [ebp+var_8]

loc_5AC9F4:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A083j
		mov	dword ptr [ebx], 0

loc_5AC9FA:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A153j
		cmp	[ebp+var_3C], 0
		jz	short loc_5ACA42
		cmp	[ebp+var_1], 0
		jz	short loc_5ACA1E
		push	0
		push	[ebp+var_C]
		mov	edx, 530h
		mov	[ebp+var_1], 0
		push	[ebp+var_14]
		mov	ecx, esi
		call	_EtwTracePriority@20 ; EtwTracePriority(x,x,x,x,x)

loc_5ACA1E:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A168j
		cmp	[ebp+var_2], 0
		jz	short loc_5ACA42
		xor	al, al
		mov	[ebp+var_2], al
		mov	eax, [ebp+var_2C]
		cmp	eax, edi
		jz	short loc_5ACA42
		lea	ecx, [ebp+var_8]
		mov	edx, 531h
		push	ecx
		push	edi
		push	eax
		mov	ecx, esi
		call	_EtwTracePriority@20 ; EtwTracePriority(x,x,x,x,x)

loc_5ACA42:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A162j
					; KeSetPriorityAndQuantumProcess+16A186j ...
		mov	eax, [ebp+var_10]
		mov	edi, [ebp+var_34]
		mov	eax, [eax]
		mov	[ebp+var_10], eax
		cmp	eax, [ebp+var_40]
		jnz	loc_5AC8C0
		jmp	loc_442A92
; 

loc_5ACA5B:				; CODE XREF: KeSetPriorityAndQuantumProcess+108j
		mov	[ebp+var_8], 0Fh
		jmp	loc_4429B2
; 

loc_5ACA67:				; CODE XREF: KeSetPriorityAndQuantumProcess+110j
		mov	[ebp+var_8], 1
		jmp	loc_4429B2
; 

loc_5ACA73:				; CODE XREF: KeSetPriorityAndQuantumProcess+249j
		test	al, al
		jle	loc_4429C0
		mov	[ebp+var_8], 0Fh
		jmp	loc_4429C6
; 

loc_5ACA87:				; CODE XREF: KeSetPriorityAndQuantumProcess:loc_4429C0j
		mov	[ebp+var_8], 1
		jmp	loc_4429C6
; 

loc_5ACA93:				; CODE XREF: KeSetPriorityAndQuantumProcess+272j
		mov	ecx, [esi+30h]
		mov	edx, [esi+34h]
		jmp	loc_4429E8
; 

loc_5ACA9E:				; CODE XREF: KeSetPriorityAndQuantumProcess+1CEj
		mov	edx, esi
		call	KiPriQueueThreadPriorityChanged
		jmp	loc_442A77
; 

loc_5ACAAA:				; CODE XREF: KeSetPriorityAndQuantumProcess+1DFj
		cmp	[ebp+var_1], 0
		jz	short loc_5ACAC8
		push	0
		push	[ebp+var_C]
		mov	edx, 530h
		mov	[ebp+var_1], 0
		push	[ebp+var_14]
		mov	ecx, esi
		call	_EtwTracePriority@20 ; EtwTracePriority(x,x,x,x,x)

loc_5ACAC8:				; CODE XREF: KeSetPriorityAndQuantumProcess+16A212j
		test	bl, bl
		jz	loc_442A81
		cmp	edi, [ebp+var_8]
		jz	loc_442A81
		lea	eax, [ebp+var_8]
		mov	edx, 531h
		push	eax
		push	[ebp+var_8]
		mov	ecx, esi
		push	edi
		call	_EtwTracePriority@20 ; EtwTracePriority(x,x,x,x,x)
		jmp	loc_442A81
; END OF FUNCTION CHUNK	FOR KeSetPriorityAndQuantumProcess
; 
; START	OF FUNCTION CHUNK FOR KeSetPriorityThread

loc_5ACAF2:				; CODE XREF: KeSetPriorityThread+7Ej
		mov	ecx, [esi+30h]
		mov	edx, [esi+34h]
		jmp	loc_442C3F
; 

loc_5ACAFD:				; CODE XREF: KeSetPriorityThread+F7j
		test	ebx, ebx
		jz	loc_442CA9
		push	0
		push	ebx
		push	edi
		mov	edx, 530h
		mov	ecx, esi
		call	_EtwTracePriority@20 ; EtwTracePriority(x,x,x,x,x)
		jmp	loc_442CA9
; END OF FUNCTION CHUNK	FOR KeSetPriorityThread
; 
; START	OF FUNCTION CHUNK FOR KeStartThread

loc_5ACB1A:				; CODE XREF: KeStartThread+30j
		cmp	[ebx], eax
		jz	loc_442DD0
		mov	ecx, ebx
		call	KeSelectNodeForAffinity
		mov	[ebp+var_11], 0
		movzx	ecx, word ptr [eax+58h]
		jmp	loc_442DDC
; 

loc_5ACB36:				; CODE XREF: KeStartThread+2F4j
		movzx	eax, word ptr [ebx+4]
		mov	eax, [edi+eax*4+48h]
		mov	[ebx], eax
		jmp	loc_442E50
; 

loc_5ACB45:				; CODE XREF: KeStartThread+F3j
		mov	eax, [ebp+var_30]
		movzx	edx, ax
		jmp	loc_442EBC
; 

loc_5ACB50:				; CODE XREF: KeStartThread+282j
		mov	bl, 0Fh
		jmp	loc_443022
; 

loc_5ACB57:				; CODE XREF: KeStartThread+227j
		push	ebx
		push	0FFFFFFFFh
		mov	edx, 546h
		mov	ecx, esi
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)
		test	ds:dword_70EFD0, 8000000h
		jz	loc_442FC7
		push	ebx
		push	0FFFFFFFFh
		mov	edx, 547h
		mov	ecx, esi
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)
		jmp	loc_442FC7
; END OF FUNCTION CHUNK	FOR KeStartThread
; 
; START	OF FUNCTION CHUNK FOR KiQuantumEnd

loc_5ACB8A:				; CODE XREF: KiQuantumEnd+49j
					; KiQuantumEnd+169AB8j
		pause
		mov	ebx, [esi+34h]
		mov	eax, [esi+30h]
		mov	[ebp+var_18], eax
		cmp	ebx, [esi+38h]
		jnz	short loc_5ACB8A
		jmp	loc_44312F
; 

loc_5ACB9F:				; CODE XREF: KiQuantumEnd+9Cj
		cmp	byte ptr [esi+87h], 10h
		jl	loc_443182
		mov	edx, 7Fh
		jmp	loc_4431ED
; 

loc_5ACBB6:				; CODE XREF: KiQuantumEnd+159j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 0Ch
		jmp	loc_44323F
; 

loc_5ACBC3:				; CODE XREF: KiQuantumEnd+2B5j
					; KiQuantumEnd+169AEFj
		lea	ecx, [ebp+var_40]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5ACBC3
		jmp	loc_443390
; 

loc_5ACBD6:				; CODE XREF: KiQuantumEnd+2C7j
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		lock and [eax],	ecx
		mov	ecx, 1
		jmp	loc_44347A
; 

loc_5ACBE8:				; CODE XREF: KiQuantumEnd+341j
		mov	edx, [ebp+var_30]
		push	ecx
		mov	ecx, edi
		call	_KiRemoveThreadFromSharedReadyQueue@12 ; KiRemoveThreadFromSharedReadyQueue(x,x,x)
		mov	ecx, edx
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	ecx, [ebp+var_18]
		lea	eax, [edx+9Ch]
		mov	edx, [ebp+var_10]
		dec	edx
		mov	[eax], ecx
		mov	ecx, [ebp+var_34]
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], edx
		jmp	loc_443427
; 

loc_5ACC17:				; CODE XREF: KiQuantumEnd+375j
					; KiQuantumEnd+169C07j
		mov	eax, [edx-68h]
		lea	ecx, [edx-9Ch]
		mov	edx, [edx]
		xor	bh, bh
		mov	[ebp+var_18], edx
		mov	edx, [ecx+30h]
		mov	[ebp+var_24], ecx
		mov	[ebp+var_50], 0
		mov	[ebp+var_4C], 0
		mov	[ebp+var_2C], eax
		mov	[ebp+var_30], edx
		cmp	eax, [ecx+38h]
		jz	short loc_5ACC5C

loc_5ACC46:				; CODE XREF: KiQuantumEnd+169B77j
		pause
		mov	edi, [ecx+34h]
		mov	eax, [ecx+30h]
		mov	[ebp+var_2C], edi
		mov	[ebp+var_30], eax
		cmp	edi, [ecx+38h]
		jnz	short loc_5ACC46
		mov	edi, [ebp+var_8]

loc_5ACC5C:				; CODE XREF: KiQuantumEnd+169B64j
		lea	esi, [ecx+2Ch]
		mov	[ebp+var_54], 0

loc_5ACC66:				; CODE XREF: KiQuantumEnd+169C29j
		lock bts dword ptr [esi], 0
		jb	loc_5ACCFB
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_28]
		sub	eax, [ecx+138h]
		movsx	edx, byte ptr [ecx+87h]
		sub	eax, 12Ch
		mov	[ebp+var_4C], edx
		test	eax, eax
		jle	short loc_5ACCAE
		cmp	edx, 0Fh
		jge	short loc_5ACCAE
		push	[ebp+var_2C]
		mov	edx, ecx
		mov	bh, 1
		push	[ebp+var_30]
		xor	ecx, ecx
		push	0Fh
		call	KiSetPriorityBoost
		mov	ecx, [ebp+var_24]
		mov	edx, [ebp+var_4C]

loc_5ACCAE:				; CODE XREF: KiQuantumEnd+169BAEj
					; KiQuantumEnd+169BB3j
		mov	dword ptr [esi], 0
		test	bh, bh
		jz	short loc_5ACCC9
		test	byte ptr ds:dword_70EFC8, 1
		jz	short loc_5ACCC9
		call	_EtwTraceAntiStarvationBoost@8 ; EtwTraceAntiStarvationBoost(x,x)
		mov	ecx, [ebp+var_24]

loc_5ACCC9:				; CODE XREF: KiQuantumEnd+169BD6j
					; KiQuantumEnd+169BDFj
		lea	eax, [ecx+9Ch]
		mov	ecx, edi
		lea	edx, [ebp+var_58]
		mov	dword ptr [eax], 0
		mov	[ebp+var_58], eax
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	edx, [ebp+var_18]
		test	edx, edx
		jnz	loc_5ACC17
		mov	esi, [ebp+var_1C]
		mov	ecx, [ebp+var_34]
		mov	eax, [ebp+var_10]
		jmp	loc_443460
; 

loc_5ACCFB:				; CODE XREF: KiQuantumEnd+169B8Bj
					; KiQuantumEnd+169C27j
		lea	ecx, [ebp+var_54]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5ACCFB
		jmp	loc_5ACC66
; 

loc_5ACD0E:				; CODE XREF: KiQuantumEnd+384j
					; KiQuantumEnd+38Cj
		inc	ecx
		cmp	ecx, 0Eh
		jbe	loc_443477
		jmp	loc_443472
; 

loc_5ACD1D:				; CODE XREF: KiQuantumEnd+44Bj
		lea	edx, [ecx+9Ch]
		mov	ecx, edi
		push	esi
		call	_KiRemoveThreadFromReadyQueue@12 ; KiRemoveThreadFromReadyQueue(x,x,x)
		mov	ecx, [ebp+var_60]
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	eax, [ebp+var_18]
		mov	[edx], eax
		mov	eax, [ebp+var_14]
		dec	eax
		mov	[ebp+var_18], edx
		mov	edx, [ebp+var_24]
		mov	[ebp+var_14], eax
		jmp	loc_443534
; 

loc_5ACD4A:				; CODE XREF: KiQuantumEnd+47Cj
		lea	eax, [edi+2224h]
		xor	edx, edx
		lock and [eax],	edx

loc_5ACD55:				; CODE XREF: KiQuantumEnd+169D43j
		mov	edx, [ecx-68h]
		lea	ebx, [ecx-9Ch]
		mov	eax, [ebx+30h]
		mov	ecx, [ecx]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_1], 0
		mov	[ebp+var_64], 0
		mov	[ebp+var_60], 0
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], eax
		cmp	edx, [ebx+38h]
		jz	short loc_5ACD99

loc_5ACD83:				; CODE XREF: KiQuantumEnd+169CB4j
		pause
		mov	edi, [ebx+34h]
		mov	edx, [ebx+30h]
		mov	[ebp+var_34], edi
		mov	[ebp+var_2C], edx
		cmp	edi, [ebx+38h]
		jnz	short loc_5ACD83
		mov	edi, [ebp+var_8]

loc_5ACD99:				; CODE XREF: KiQuantumEnd+169CA1j
		lea	esi, [ebx+2Ch]
		mov	[ebp+var_6C], 0

loc_5ACDA3:				; CODE XREF: KiQuantumEnd+169D75j
		lock bts dword ptr [esi], 0
		jb	loc_5ACE47
		mov	eax, [ebp+var_30]
		sub	eax, [ebx+138h]
		movsx	ecx, byte ptr [ebx+87h]
		sub	eax, 12Ch
		mov	[ebp+var_60], ecx
		test	eax, eax
		jle	short loc_5ACDE7
		cmp	ecx, 0Fh
		jge	short loc_5ACDE7
		push	[ebp+var_34]
		mov	edx, ebx
		mov	[ebp+var_1], 1
		push	[ebp+var_2C]
		xor	ecx, ecx
		push	0Fh
		call	KiSetPriorityBoost
		mov	ecx, [ebp+var_60]

loc_5ACDE7:				; CODE XREF: KiQuantumEnd+169CE8j
					; KiQuantumEnd+169CEDj
		cmp	[ebp+var_1], 0
		mov	dword ptr [esi], 0
		jz	short loc_5ACE05
		test	byte ptr ds:dword_70EFC8, 1
		jz	short loc_5ACE05
		mov	edx, ecx
		mov	ecx, ebx
		call	_EtwTraceAntiStarvationBoost@8 ; EtwTraceAntiStarvationBoost(x,x)

loc_5ACE05:				; CODE XREF: KiQuantumEnd+169D11j
					; KiQuantumEnd+169D1Aj
		lea	eax, [ebx+9Ch]
		mov	ecx, edi
		lea	edx, [ebp+var_70]
		mov	dword ptr [eax], 0
		mov	[ebp+var_70], eax
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jnz	loc_5ACD55
		mov	esi, [ebp+var_1C]
		lea	ebx, [edi+2224h]
		mov	[ebp+var_74], ecx

loc_5ACE35:				; CODE XREF: KiQuantumEnd+169D88j
		lock bts dword ptr [ebx], 0
		jb	short loc_5ACE5A
		mov	edx, [ebp+var_24]
		mov	eax, [ebp+var_14]
		jmp	loc_443562
; 

loc_5ACE47:				; CODE XREF: KiQuantumEnd+169CC8j
					; KiQuantumEnd+169D73j
		lea	ecx, [ebp+var_6C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5ACE47
		jmp	loc_5ACDA3
; 

loc_5ACE5A:				; CODE XREF: KiQuantumEnd+169D5Aj
					; KiQuantumEnd+169D86j
		lea	ecx, [ebp+var_74]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5ACE5A
		jmp	short loc_5ACE35
; 

loc_5ACE6A:				; CODE XREF: KiQuantumEnd+484j
					; KiQuantumEnd+48Cj
		mov	eax, [ebp+var_28]
		inc	eax
		cmp	eax, 0Eh
		jbe	loc_443577
		jmp	loc_443572
; 

loc_5ACE7C:				; CODE XREF: KiQuantumEnd+54Fj
		test	byte ptr [esi+2], 4
		jz	short loc_5ACE91
		mov	edx, edi
		mov	ecx, esi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_5ACE97

loc_5ACE91:				; CODE XREF: KiQuantumEnd+169DA0j
		mov	cl, [esi+87h]

loc_5ACE97:				; CODE XREF: KiQuantumEnd+169DAFj
		mov	eax, [edi+33Ch]
		mov	[eax], cl
		cmp	[edi+8], ebx
		jnz	short loc_5ACEAE
		lea	edx, [ebp+var_C]
		mov	ecx, edi
		call	KiSelectNextThread

loc_5ACEAE:				; CODE XREF: KiQuantumEnd+169DC2j
		mov	ecx, ebx
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	eax, [ebp+var_C]
		lea	ecx, [ebx+9Ch]
		mov	[ecx], eax
		xor	ebx, ebx
		mov	[ebp+var_C], ecx
		jmp	loc_4432A4
; 

loc_5ACECA:				; CODE XREF: KiQuantumEnd+1C8j
		test	ebx, ebx
		jz	short loc_5ACF35
		cmp	ebx, [edi+0Ch]
		jz	short loc_5ACF35
		cmp	[edi+8], ebx
		jz	short loc_5ACF35
		test	byte ptr [ebx+2], 4
		jz	short loc_5ACEED
		mov	edx, edi
		mov	ecx, ebx
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_5ACEF3

loc_5ACEED:				; CODE XREF: KiQuantumEnd+169DFCj
		mov	cl, [ebx+87h]

loc_5ACEF3:				; CODE XREF: KiQuantumEnd+169E0Bj
		mov	eax, [edi+33Ch]
		mov	[eax], cl
		mov	ecx, [edi+4DCh]
		mov	eax, [edi+0Ch]
		mov	[edi+8], ebx
		test	ecx, ecx
		jz	short loc_5ACF13
		cmp	ebx, eax
		setz	al
		mov	[ecx+10h], al

loc_5ACF13:				; CODE XREF: KiQuantumEnd+169E29j
		mov	al, [ebx+90h]
		cmp	al, 1
		jnz	short loc_5ACF2E
		mov	eax, ds:_KeTickCount
		sub	eax, [ebx+138h]
		add	[ebx+170h], eax

loc_5ACF2E:				; CODE XREF: KiQuantumEnd+169E3Bj
		mov	byte ptr [ebx+90h], 3

loc_5ACF35:				; CODE XREF: KiQuantumEnd+169DECj
					; KiQuantumEnd+169DF1j	...
		lea	ebx, [edi+2224h]
		xor	eax, eax
		lock and [ebx],	eax
		lea	edx, [ebp+var_C]
		mov	ecx, edi
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	[ebp+var_C], 0
		mov	[ebp+var_78], 0

loc_5ACF58:				; CODE XREF: KiQuantumEnd+169E91j
		lock bts dword ptr [ebx], 0
		jnb	loc_443284

loc_5ACF63:				; CODE XREF: KiQuantumEnd+169E8Fj
		lea	ecx, [ebp+var_78]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5ACF63
		jmp	short loc_5ACF58
; END OF FUNCTION CHUNK	FOR KiQuantumEnd
; 
; START	OF FUNCTION CHUNK FOR KiGroupSchedulingQuantumEnd

loc_5ACF73:				; CODE XREF: KiGroupSchedulingQuantumEnd+40j
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	edi, ds:dword_7186C4
		mov	eax, ds:_KeTickCount
		mov	[ebp+var_C], eax
		jmp	loc_443748
; 

loc_5ACF8E:				; CODE XREF: KiGroupSchedulingQuantumEnd+C7j
		mov	dl, 1
		mov	[ebp+var_1], dl
		mov	dh, dl
		mov	[ebp+var_2], dh
		cmp	ebx, edi
		jnz	loc_4437E1
		mov	[ebp+var_3], dl
		jmp	loc_4437E1
; 

loc_5ACFA8:				; CODE XREF: KiGroupSchedulingQuantumEnd+16Dj
		test	byte ptr [edi+5Ch], 1
		jz	loc_4438AD
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	KiRemoveSchedulingGroupQueue
		jmp	loc_4438AD
; 

loc_5ACFC2:				; CODE XREF: KiGroupSchedulingQuantumEnd+DBj
		mov	eax, edi
		sub	eax, [esi+3B34h]
		mov	[ebp+var_C], eax
		jmp	loc_4437BB
; 

loc_5ACFD2:				; CODE XREF: KiGroupSchedulingQuantumEnd+2BAj
					; KiGroupSchedulingQuantumEnd+1698D0j
		test	ebx, ebx
		jz	short loc_5ACFE0
		mov	ebx, [ebx+0F4h]
		cmp	ebx, ecx
		jnz	short loc_5ACFD2

loc_5ACFE0:				; CODE XREF: KiGroupSchedulingQuantumEnd+1698C6j
		cmp	ecx, ebx
		jz	loc_4439CE
		cmp	[ebp+var_3], 0
		jz	loc_443818
		jmp	loc_4439CE
; 

loc_5ACFF7:				; CODE XREF: KiGroupSchedulingQuantumEnd+2DFj
		mov	byte ptr [ebx+90h], 1
		mov	ecx, ds:_KeTickCount
		mov	[ebx+138h], ecx
		test	byte ptr [edi+2], 4
		jz	short loc_5AD01F
		mov	edx, esi
		mov	ecx, edi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_5AD025

loc_5AD01F:				; CODE XREF: KiGroupSchedulingQuantumEnd+169900j
		mov	cl, [edi+87h]

loc_5AD025:				; CODE XREF: KiGroupSchedulingQuantumEnd+16990Fj
		mov	eax, [esi+33Ch]
		mov	[eax], cl
		cmp	edi, [esi+0Ch]
		mov	eax, [esi+4DCh]
		setz	cl
		mov	[esi+8], edi
		test	eax, eax
		jz	short loc_5AD043
		mov	[eax+10h], cl

loc_5AD043:				; CODE XREF: KiGroupSchedulingQuantumEnd+169930j
		mov	al, [edi+90h]
		cmp	al, 1
		jnz	short loc_5AD05E
		mov	eax, ds:_KeTickCount
		sub	eax, [edi+138h]
		add	[edi+170h], eax

loc_5AD05E:				; CODE XREF: KiGroupSchedulingQuantumEnd+16993Dj
		mov	byte ptr [edi+90h], 3
		mov	edi, [ebx+50h]
		test	edi, edi
		jz	short loc_5AD072
		add	edi, [esi+3B34h]

loc_5AD072:				; CODE XREF: KiGroupSchedulingQuantumEnd+16995Cj
		lea	eax, [ebp+var_14]
		mov	edx, edi
		push	eax
		push	1
		push	ecx
		mov	ecx, ebx
		call	_KiGetThreadEffectiveRankNonZero@20 ; KiGetThreadEffectiveRankNonZero(x,x,x,x,x)
		mov	ecx, esi
		test	eax, eax
		jnz	short loc_5AD0A1
		push	[ebp+var_14]
		movsx	eax, byte ptr [ebx+87h]
		mov	edx, ebx
		push	1
		push	eax
		call	_KiAddThreadToPrcbQueue@20 ; KiAddThreadToPrcbQueue(x,x,x,x,x)
		jmp	loc_4438E9
; 

loc_5AD0A1:				; CODE XREF: KiGroupSchedulingQuantumEnd+169978j
		push	1
		push	ebx
		mov	edx, edi
		call	KiAddThreadToScbQueue
		jmp	loc_4438E9
; 

loc_5AD0B0:				; CODE XREF: KiGroupSchedulingQuantumEnd+200j
		cmp	[esi+8], edx
		jnz	loc_44379D
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		call	KiSelectNextThread
		jmp	loc_44379D
; END OF FUNCTION CHUNK	FOR KiGroupSchedulingQuantumEnd
; 
; START	OF FUNCTION CHUNK FOR KeSetBasePriorityThread

loc_5AD0C8:				; CODE XREF: KeSetBasePriorityThread+1Dj
		xor	eax, eax
		jmp	loc_443C60
; 

loc_5AD0CF:				; CODE XREF: KeSetBasePriorityThread+A3j
		cmp	ebx, 10h
		jge	short loc_5AD0DB
		mov	ebx, 10h
		jmp	short loc_5AD0E5
; 

loc_5AD0DB:				; CODE XREF: KeSetBasePriorityThread+1695C2j
		cmp	ebx, 1Fh
		jle	short loc_5AD0E5
		mov	ebx, 1Fh

loc_5AD0E5:				; CODE XREF: KeSetBasePriorityThread+1695C9j
					; KeSetBasePriorityThread+1695CEj
		mov	[ebp+var_8], ebx
		jmp	loc_443BF9
; 

loc_5AD0ED:				; CODE XREF: KeSetBasePriorityThread+DBj
		mov	[ebp+var_8], 0Fh
		jmp	loc_443BF9
; 

loc_5AD0F9:				; CODE XREF: KeSetBasePriorityThread+E3j
		mov	[ebp+var_8], 1
		jmp	loc_443BF9
; 

loc_5AD105:				; CODE XREF: KeSetBasePriorityThread+172j
		mov	eax, [esi+30h]
		mov	edx, [esi+34h]
		jmp	loc_443C95
; 

loc_5AD110:				; CODE XREF: KeSetBasePriorityThread+161j
		mov	edx, esi
		call	KiPriQueueThreadPriorityChanged
		jmp	loc_443C38
; 

loc_5AD11C:				; CODE XREF: KeSetBasePriorityThread+147j
		lea	eax, [ebp+var_8]
		mov	edx, 531h
		push	eax
		push	ebx
		push	[ebp+var_14]
		mov	ecx, esi
		call	_EtwTracePriority@20 ; EtwTracePriority(x,x,x,x,x)
		jmp	loc_443C5D
; END OF FUNCTION CHUNK	FOR KeSetBasePriorityThread
; 
; START	OF FUNCTION CHUNK FOR KiComputeNewPriority

loc_5AD135:				; CODE XREF: KiComputeNewPriority+1Bj
		call	_KiIsForegroundThreadWithBoost@4 ; KiIsForegroundThreadWithBoost(x)
		test	al, al
		jz	loc_443DA1
		mov	dl, [ecx+15Ch]
		mov	al, dl
		and	dl, 0Fh
		shr	al, 4
		add	al, dh
		sub	bl, al
		mov	al, [ecx+15Bh]
		add	al, dl
		cmp	bl, al
		jge	short loc_5AD162
		mov	bl, al

loc_5AD162:				; CODE XREF: KiComputeNewPriority+1693DEj
		mov	[ecx+15Ch], dl
		jmp	loc_443DC5
; END OF FUNCTION CHUNK	FOR KiComputeNewPriority
; 
; START	OF FUNCTION CHUNK FOR KiGroupSchedulingGenerationEnd

loc_5AD16D:				; CODE XREF: KiGroupSchedulingGenerationEnd+9Aj
		test	byte ptr [esi+2238h], 1
		jnz	loc_443EA8
		push	0
		xor	edx, edx
		jmp	loc_443FAA
; END OF FUNCTION CHUNK	FOR KiGroupSchedulingGenerationEnd
; 
; START	OF FUNCTION CHUNK FOR KiTransitionSchedulingGroupGeneration

loc_5AD183:				; CODE XREF: KiTransitionSchedulingGroupGeneration+172j
		mov	eax, [esi+64h]
		mov	dword ptr [eax], 0
		jmp	loc_444148
; 

loc_5AD191:				; CODE XREF: KiTransitionSchedulingGroupGeneration+2B7j
		test	eax, eax
		jnz	loc_44419F
		jmp	loc_444192
; 

loc_5AD19E:				; CODE XREF: KiTransitionSchedulingGroupGeneration+202j
		mov	eax, [edi+3CCh]
		push	eax
		push	offset _KiGroupSchedulingOverQuotaMask
		mov	byte ptr [edi+2254h], 0
		call	_KeInterlockedClearProcessorAffinityEx@8 ; KeInterlockedClearProcessorAffinityEx(x,x)
		jmp	loc_4441D8
; END OF FUNCTION CHUNK	FOR KiTransitionSchedulingGroupGeneration
; 
; START	OF FUNCTION CHUNK FOR KiMoveScbThreadsToNewReadylist

loc_5AD1BB:				; CODE XREF: KiMoveScbThreadsToNewReadylist+35j
		or	[edx+5Eh], cx
		lea	ecx, [edx+6Ch]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_1], 1
		jmp	loc_44447F
; 

loc_5AD1CE:				; CODE XREF: KiMoveScbThreadsToNewReadylist+3Dj
		test	esi, esi
		jz	loc_44447F
		mov	[ebp+var_2], 1
		jmp	loc_44447F
; 

loc_5AD1DF:				; CODE XREF: KiMoveScbThreadsToNewReadylist+91j
		mov	ecx, edi
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	edi, [ebp+arg_4]
		mov	ecx, [ebp+var_18]
		mov	eax, [edi]
		mov	[ecx], eax
		mov	[edi], ecx
		jmp	loc_444500
; 

loc_5AD1F7:				; CODE XREF: KiMoveScbThreadsToNewReadylist+D1j
		mov	ecx, [esi]
		mov	edi, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_5AD241
		cmp	[edi], esi
		jnz	short loc_5AD241
		mov	eax, [ebp+var_1C]
		mov	edx, [ebp+var_10]
		mov	[edi], ecx
		mov	[ecx+4], edi
		lea	edx, [edx+eax*8]
		mov	eax, [edx]
		mov	ebx, [edx+4]
		cmp	[eax+4], edx
		jnz	short loc_5AD241
		cmp	[ebx], edx
		jnz	short loc_5AD241
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_5AD241
		cmp	[edi], ecx
		jnz	short loc_5AD241
		mov	[ebx], ecx
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		mov	eax, [ecx+4]
		mov	[eax], edx
		mov	[ecx+4], ebx
		jmp	loc_44450F
; 

loc_5AD241:				; CODE XREF: KiMoveScbThreadsToNewReadylist+168DC7j
					; KiMoveScbThreadsToNewReadylist+168DCBj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5AD246:				; CODE XREF: KiUpdateNodeAffinitizedFlag+45j
					; KiMoveScbThreadsToNewReadylist+168E34j
		bsr	eax, edi
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	eax, [eax+338h]
		mov	esi, [eax+84h]
		mov	eax, esi
		and	eax, edi
		cmp	eax, esi
		jnz	loc_44457E
		not	esi
		and	edi, esi
		jnz	short loc_5AD246
		jmp	loc_44457C
; END OF FUNCTION CHUNK	FOR KiMoveScbThreadsToNewReadylist
; 
; START	OF FUNCTION CHUNK FOR KiFastReadyThread

loc_5AD273:				; CODE XREF: KiFastReadyThread+20j
		movzx	edx, byte ptr [esi+15Fh]
		mov	ecx, esi
		push	0
		push	edx
		mov	dl, [esi+15Eh]
		call	_EtwTraceReadyThread@16	; EtwTraceReadyThread(x,x,x,x)
		jmp	loc_4445D0
; END OF FUNCTION CHUNK	FOR KiFastReadyThread
; 
; START	OF FUNCTION CHUNK FOR KiExitThreadWait

loc_5AD28F:				; CODE XREF: KiExitThreadWait+3Bj
		test	al, 8
		jz	short loc_5AD29B
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 0Ch

loc_5AD29B:				; CODE XREF: KiExitThreadWait+168C09j
		xor	esi, esi
		push	ebx
		mov	[ebp+var_4], esi
		lea	ebx, [edi+2224h]
		mov	[ebp+var_8], esi

loc_5AD2AA:				; CODE XREF: KiExitThreadWait+168C5Ej
		lock bts dword ptr [ebx], 0
		jb	short loc_5AD2D8
		cmp	[edi+8], esi
		jnz	short loc_5AD2C0
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	KiSelectNextThread

loc_5AD2C0:				; CODE XREF: KiExitThreadWait+168C2Cj
		xor	eax, eax
		lock and [ebx],	eax
		push	[ebp+var_C]
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	@KiProcessDeferredReadyList@12 ; KiProcessDeferredReadyList(x,x,x)
		pop	ebx
		jmp	loc_4446B1
; 

loc_5AD2D8:				; CODE XREF: KiExitThreadWait+168C27j
					; KiExitThreadWait+168C5Cj
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5AD2D8
		jmp	short loc_5AD2AA
; END OF FUNCTION CHUNK	FOR KiExitThreadWait
; 
; START	OF FUNCTION CHUNK FOR KiSelectIdealProcessor

loc_5AD2E8:				; CODE XREF: KiSelectIdealProcessor+48j
		and	[ebp+var_C], 0
		mov	eax, edx
		ror	eax, cl
		xor	edi, edi
		bsf	eax, eax
		inc	edi
		add	ecx, eax
		and	ecx, 1Fh
		shl	edi, cl
		jmp	loc_4448E4
; END OF FUNCTION CHUNK	FOR KiSelectIdealProcessor
; 
; START	OF FUNCTION CHUNK FOR KiInitializeContextThread

loc_5AD302:				; CODE XREF: KiInitializeContextThread+255j
		mov	dword ptr [ebx+208h], 3
		mov	dword ptr [ebx+20Ch], 80000000h
		jmp	loc_444BDB
; END OF FUNCTION CHUNK	FOR KiInitializeContextThread
; 
; START	OF FUNCTION CHUNK FOR KeTerminateThread

loc_5AD31B:				; CODE XREF: KeTerminateThread+1Aj
		mov	edx, [edx+8]
		mov	ecx, esi
		call	_KeDisableProfiling@8 ;	KeDisableProfiling(x,x)
		jmp	loc_444D9E
; 

loc_5AD32A:				; CODE XREF: KeTerminateThread+10Ej
		mov	eax, offset dword_6BEECC
		lock bts dword ptr [eax], 0
		jmp	loc_444E92
; 

loc_5AD339:				; CODE XREF: KeTerminateThread+149j
		mov	edi, offset dword_6BEECC
		lock btr dword ptr [edi], 0
		jnb	loc_444E92
		push	0FFFFh
		push	2
		pop	edx
		mov	ecx, offset _PsReaperWorkItem
		call	_ExQueueWorkItemEx@12 ;	ExQueueWorkItemEx(x,x,x)
		test	al, al
		jnz	loc_444E92
		lock bts dword ptr [edi], 0
		jmp	loc_444E92
; END OF FUNCTION CHUNK	FOR KeTerminateThread
; 
; START	OF FUNCTION CHUNK FOR KiFlushQueueApc

loc_5AD36D:				; CODE XREF: KiFlushQueueApc+2Aj
					; KiFlushQueueApc+168367j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5AD36D
		jmp	loc_445037
; 

loc_5AD380:				; CODE XREF: KiFlushQueueApc+5Dj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_C], 0
		lea	edi, [esi+2Ch]
		mov	[ebp+var_1], al

loc_5AD390:				; CODE XREF: KiFlushQueueApc+168393j
		lock bts dword ptr [edi], 0
		jnb	short loc_5AD3A7

loc_5AD397:				; CODE XREF: KiFlushQueueApc+168391j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5AD397
		jmp	short loc_5AD390
; 

loc_5AD3A7:				; CODE XREF: KiFlushQueueApc+35j
					; KiFlushQueueApc+168383j
		movsx	eax, [ebp+var_2]
		add	esi, 70h
		lea	eax, [esi+eax*8]
		mov	esi, [eax]
		cmp	esi, eax
		jnz	short loc_5AD3BB
		xor	esi, esi
		jmp	short loc_5AD3DD
; 

loc_5AD3BB:				; CODE XREF: KiFlushQueueApc+1683A3j
		mov	ecx, [eax+4]
		cmp	[esi+4], eax
		jnz	short loc_5AD3F3
		cmp	[ecx], eax
		jnz	short loc_5AD3F3
		mov	[ecx], esi
		mov	[esi+4], ecx
		mov	ecx, esi

loc_5AD3CE:				; CODE XREF: KiFlushQueueApc+1683C4j
		mov	byte ptr [ecx+22h], 0
		mov	ecx, [ecx]
		cmp	ecx, esi
		jnz	short loc_5AD3CE
		mov	[eax+4], eax
		mov	[eax], eax

loc_5AD3DD:				; CODE XREF: KiFlushQueueApc+1683A7j
		mov	cl, [ebp+var_1]
		mov	dword ptr [edi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		jmp	loc_44505E
; 

loc_5AD3F3:				; CODE XREF: KiFlushQueueApc+1683AFj
					; KiFlushQueueApc+1683B3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5AD3F8:				; CODE XREF: KiComputeThreadAffinity+58j
		mov	eax, [esi+88h]
		mov	edx, ecx
		mov	[ecx], ebx
		mov	[ebp+var_C], eax
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	ecx, eax
		mov	[ebp-4], eax
		call	_KiPrcbInGroupAffinity@8 ; KiPrcbInGroupAffinity(x,x)
		test	eax, eax
		jnz	short loc_5AD453
		lea	edi, [ebp+var_20]
		stosd
		lea	ecx, [ebp+var_20]
		stosd
		stosd
		mov	ax, [esi+168h]
		mov	[ebp+var_1C], ax
		mov	[ebp+var_20], ebx
		call	KeSelectNodeForAffinity
		mov	ecx, eax
		lea	edx, [ebp+var_20]
		mov	eax, [ebp-4]
		add	eax, 3CCh
		push	eax
		push	0
		call	_KeSelectIdealProcessor@16 ; KeSelectIdealProcessor(x,x,x,x)
		mov	edi, [ebp+var_8]
		movzx	eax, ax
		jmp	short loc_5AD456
; 

loc_5AD453:				; CODE XREF: KiFlushQueueApc+168406j
		mov	eax, [ebp+var_C]

loc_5AD456:				; CODE XREF: KiFlushQueueApc+16843Fj
		mov	[esi+16Ch], eax
		mov	edx, esi
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		call	_KiUpdateSharedReadyQueueAffinityThread@8 ; KiUpdateSharedReadyQueueAffinityThread(x,x)
		mov	ecx, esi
		call	KiUpdateNodeAffinitizedFlag
		xor	ebx, ebx
		inc	ebx
		mov	[ebp-4], ebx
		jmp	loc_4450D5
; END OF FUNCTION CHUNK	FOR KiFlushQueueApc
; 
; START	OF FUNCTION CHUNK FOR KiComputeThreadAffinity

loc_5AD47C:				; CODE XREF: KiComputeThreadAffinity+1Ej
		mov	ecx, offset _KiCpuSetSequence
		call	_RtlBeginReadTickLock@4	; RtlBeginReadTickLock(x)
		mov	edi, eax
		jmp	loc_4450E7
; END OF FUNCTION CHUNK	FOR KiComputeThreadAffinity
; 
; START	OF FUNCTION CHUNK FOR RtlGetSystemTimePrecise

loc_5AD48D:				; CODE XREF: RtlGetSystemTimePrecise+B8j
		mul	ebx
		mov	[ebp+var_C], 0
		add	eax, esi
		mov	ecx, edx
		adc	ecx, edi
		mov	[ebp+var_1C], ecx
		cmp	ecx, edi
		ja	short loc_5AD4B0
		jb	short loc_5AD4A9
		cmp	eax, esi
		jnb	short loc_5AD4B0

loc_5AD4A9:				; CODE XREF: RtlGetSystemTimePrecise+168383j
		mov	[ebp+var_C], 1

loc_5AD4B0:				; CODE XREF: RtlGetSystemTimePrecise+168381j
					; RtlGetSystemTimePrecise+168387j
		mov	eax, ebx
		mul	[ebp+var_10]
		mov	edi, eax
		mov	ecx, edx
		add	edi, [ebp+var_1C]
		adc	ecx, [ebp+var_C]
		jmp	loc_4451EC
; END OF FUNCTION CHUNK	FOR RtlGetSystemTimePrecise
; 
; START	OF FUNCTION CHUNK FOR KiComputeCpuSetAffinity

loc_5AD4C4:				; CODE XREF: KiComputeCpuSetAffinity+36j
		mov	ecx, [esi+428h]
		test	ecx, ecx
		jz	loc_44528A
		mov	edx, ecx
		xor	edi, edi
		jmp	loc_445292
; END OF FUNCTION CHUNK	FOR KiComputeCpuSetAffinity
; 
; START	OF FUNCTION CHUNK FOR ExTimerRundown

loc_5AD4DB:				; CODE XREF: ExTimerRundown+37j
		lea	edi, [eax-7Ch]
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		test	ds:byte_70EFC6,	1
		jz	short loc_5AD4FF
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5AD504
; 

loc_5AD4FF:				; CODE XREF: ExTimerRundown+1681F1j
		xor	eax, eax
		lock and [esi],	eax

loc_5AD504:				; CODE XREF: ExTimerRundown+1681FDj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	ebx, ebx
		inc	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+28h]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	[edi+0A8h], bl
		jz	short loc_5AD53A
		mov	eax, [ebp+var_8]
		cmp	eax, [edi+34h]
		jnz	short loc_5AD53A
		mov	ecx, edi
		call	ExpCancelTimer
		lea	ebx, [eax+1]

loc_5AD53A:				; CODE XREF: ExTimerRundown+168226j
					; ExTimerRundown+16822Ej
		test	ds:byte_70EFC6,	1
		jz	short loc_5AD550
		mov	edx, [ebp+4]
		lea	ecx, [edi+28h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5AD558
; 

loc_5AD550:				; CODE XREF: ExTimerRundown+168241j
		xor	ecx, ecx
		lea	eax, [edi+28h]
		lock and [eax],	ecx

loc_5AD558:				; CODE XREF: ExTimerRundown+16824Ej
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ecx
		mov	edx, ebx
		mov	ecx, edi
		call	ObDereferenceObjectExWithTag
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+var_C]
		jmp	loc_445333
; 

loc_5AD582:				; CODE XREF: ExTimerRundown+44j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_44534F
; END OF FUNCTION CHUNK	FOR ExTimerRundown
; 
; START	OF FUNCTION CHUNK FOR KiResumeThread

loc_5AD591:				; CODE XREF: KiResumeThread+25Ej
		push	1
		xor	edx, edx
		mov	ecx, edi
		call	_KiTraceSetTimer@12 ; KiTraceSetTimer(x,x,x)
		jmp	loc_445642
; 

loc_5AD5A1:				; CODE XREF: KiResumeThread+24Ej
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	0
		call	KiTimerWaitTest
		jmp	loc_445642
; 

loc_5AD5B2:				; CODE XREF: KiResumeThread+149j
					; KiResumeThread+1681E8j
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5AD5B2
		jmp	loc_44551A
; 

loc_5AD5C5:				; CODE XREF: KiResumeThread+170j
					; KiResumeThread+191j
		mov	bl, 1
		jmp	loc_44557A
; 

loc_5AD5CC:				; CODE XREF: KiResumeThread+1C2j
		cmp	al, 2
		jnz	loc_5AD698
		mov	byte ptr [esi+9], 5
		mov	ebx, [esi+0Ch]
		and	dword ptr [esi], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_C], eax
		mov	eax, [eax+4]
		mov	dword ptr [ebp+arg_0], eax
		jz	short loc_5AD614
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, dword ptr [ebp+arg_0]
		mov	edx, esi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_5AD614:				; CODE XREF: KiResumeThread+168227j
		mov	ecx, ebx
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	ecx, [ebx+8]
		cmp	[ecx], ecx
		jz	short loc_5AD652
		mov	eax, [ebx+18h]
		cmp	eax, [ebx+1Ch]
		jnb	short loc_5AD652
		mov	edx, dword ptr [ebp+arg_0]
		mov	eax, [edx+0A4h]
		cmp	eax, ebx
		jnz	short loc_5AD640
		cmp	byte ptr [edx+18Bh], 0Fh
		jz	short loc_5AD652

loc_5AD640:				; CODE XREF: KiResumeThread+16825Fj
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		push	esi
		call	KiWakeQueueWaiter
		test	al, al
		jnz	short loc_5AD688
		lea	ecx, [ebx+8]

loc_5AD652:				; CODE XREF: KiResumeThread+16824Aj
					; KiResumeThread+168252j ...
		mov	eax, [ebx+4]
		mov	dword ptr [ebp+arg_0], eax
		inc	eax
		mov	[ebx+4], eax
		lea	eax, [ebx+10h]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_44567A
		cmp	dword ptr [ebp+arg_0], 0
		mov	[esi], eax
		mov	[esi+4], edx
		mov	[edx], esi
		mov	[eax+4], esi
		jnz	short loc_5AD688
		cmp	[ecx], ecx
		jz	short loc_5AD688
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)

loc_5AD688:				; CODE XREF: KiResumeThread+168277j
					; KiResumeThread+1682A2j ...
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		mov	ebx, [ebp+var_4]
		jmp	loc_4455AE
; 

loc_5AD698:				; CODE XREF: KiResumeThread+1681F8j
		push	0
		push	100h
		jmp	loc_4455A5
; END OF FUNCTION CHUNK	FOR KiResumeThread
; 
; START	OF FUNCTION CHUNK FOR KiCheckIfStackExpandCalloutActive

loc_5AD6A4:				; CODE XREF: KiCheckIfStackExpandCalloutActive+7j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	ecx
		push	107h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5AD6B5:				; CODE XREF: KiRundownMutants+16820Fj
					; KiRundownMutants+168226j
		mov	[ebp-0A4h], esi
		mov	[ebp-90h], esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, large fs:20h
		mov	[ebp-98h], ecx

loc_5AD6D4:				; CODE XREF: KiRundownMutants+168070j
		mov	edi, [ebp-0A8h]
		jmp	loc_44576F
; END OF FUNCTION CHUNK	FOR KiCheckIfStackExpandCalloutActive
; 
; START	OF FUNCTION CHUNK FOR KiRundownMutants

loc_5AD6DF:				; CODE XREF: KiRundownMutants+9Cj
					; KiRundownMutants+16800Aj
		lea	ecx, [ebp+var_B8]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5AD6DF
		jmp	loc_44577B
; 

loc_5AD6F5:				; CODE XREF: KiRundownMutants+CAj
		mov	eax, [ebp+var_94]
		mov	ebx, edi
		shr	ebx, 4
		and	ebx, 3Fh
		shl	ebx, 6
		add	ebx, offset _KiObjectRundownLocks
		mov	[eax], esi
		push	ebx
		call	ExAcquireSpinLockSharedAtDpcLevel
		mov	ecx, [ebp+var_A0]
		mov	eax, [ebp+var_8C]
		cmp	eax, [ecx+1DCh]
		jnz	short loc_5AD742
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	eax, [ebp+var_A0]
		cmp	[edi+18h], eax
		jz	short loc_5AD748
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax

loc_5AD742:				; CODE XREF: KiRundownMutants+168042j
		mov	[ebp+var_8C], esi

loc_5AD748:				; CODE XREF: KiRundownMutants+168054j
		push	ebx
		call	ExReleaseSpinLockSharedFromDpcLevel
		cmp	[ebp+var_8C], esi
		jz	loc_5AD6D4
		mov	ebx, [ebp+var_94]
		mov	[ebp+var_BC], esi

loc_5AD766:				; CODE XREF: KiRundownMutants+16809Ej
		lock bts dword ptr [ebx], 0
		jnb	loc_4457BA

loc_5AD771:				; CODE XREF: KiRundownMutants+16809Cj
		lea	ecx, [ebp+var_BC]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5AD771
		jmp	short loc_5AD766
; 

loc_5AD784:				; CODE XREF: KiRundownMutants+197j
		cmp	al, 2
		jnz	loc_5AD8AD
		mov	byte ptr [ebx+9], 5
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_8C], eax
		add	eax, 8
		mov	[ebx], esi
		mov	[ebp+var_AC], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_B0], eax
		mov	eax, [eax+4]
		mov	[ebp+var_9C], eax
		jz	short loc_5AD7E3
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_9C]
		mov	edx, ebx
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_5AD7E3:				; CODE XREF: KiRundownMutants+1680E5j
		mov	ecx, [ebp+var_8C]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [ebp+var_AC]
		mov	ecx, [ebp+var_8C]
		cmp	[edx], edx
		jz	short loc_5AD83D
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+1Ch]
		jnb	short loc_5AD83D
		mov	eax, [ebp+var_9C]
		mov	eax, [eax+0A4h]
		cmp	eax, ecx
		jnz	short loc_5AD825
		mov	eax, [ebp+var_9C]
		cmp	byte ptr [eax+18Bh], 0Fh
		jz	short loc_5AD83D

loc_5AD825:				; CODE XREF: KiRundownMutants+168130j
		mov	edx, ecx
		mov	ecx, [ebp+var_B0]
		push	ebx
		call	KiWakeQueueWaiter
		mov	ecx, [ebp+var_8C]
		test	al, al
		jnz	short loc_5AD896

loc_5AD83D:				; CODE XREF: KiRundownMutants+168118j
					; KiRundownMutants+168120j ...
		mov	eax, [ecx+4]
		mov	[ebp+var_9C], eax
		inc	eax
		mov	[ecx+4], eax
		lea	eax, [ecx+10h]
		mov	edx, [eax+4]
		mov	[ebp+var_AC], edx
		cmp	[edx], eax
		lea	edx, [ecx+8]
		jnz	loc_445868
		mov	ecx, [ebp+var_AC]
		mov	[ebx+4], ecx
		mov	[ebx], eax
		mov	[ecx], ebx
		mov	ecx, [ebp+var_8C]
		mov	[eax+4], ebx
		cmp	[ebp+var_9C], esi
		jnz	short loc_5AD896
		cmp	[edx], edx
		jz	short loc_5AD896
		mov	edx, ecx
		mov	ecx, [ebp+var_B0]
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		mov	ecx, [ebp+var_8C]

loc_5AD896:				; CODE XREF: KiRundownMutants+168157j
					; KiRundownMutants+168199j ...
		mov	eax, 0FFFFFF7Fh
		lock and [ecx],	eax
		sub	dword ptr [edi+4], 1
		jz	loc_4457F6
		jmp	loc_4458A8
; 

loc_5AD8AD:				; CODE XREF: KiRundownMutants+1680A2j
		mov	ecx, [ebp+var_98]
		mov	edx, ebx
		push	esi
		push	100h
		call	KiTryUnwaitThread
		jmp	loc_4458A8
; 

loc_5AD8C5:				; CODE XREF: KiRundownMutants+11Cj
		mov	[ebp+ebx*4+var_88], edi
		inc	ebx
		mov	[ebp+var_90], ebx
		jmp	loc_445806
; 

loc_5AD8D8:				; CODE XREF: KiRundownMutants+141j
		push	[ebp+var_B4]
		mov	ecx, [ebp+var_98]
		xor	edx, edx
		push	1
		push	1
		call	KiExitDispatcher
		mov	edi, esi
		test	ebx, ebx
		jz	loc_5AD6B5

loc_5AD8F9:				; CODE XREF: KiRundownMutants+168224j
		mov	ecx, [ebp+edi*4+var_88]
		call	KeAbPostRelease
		inc	edi
		cmp	edi, ebx
		jb	short loc_5AD8F9
		jmp	loc_5AD6B5
; 

loc_5AD90F:				; CODE XREF: KiRundownMutants+BFj
		push	esi
		push	esi
		push	edi
		push	[ebp+var_A0]
		push	4000008Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AD922:				; CODE XREF: KiRundownMutants+16Dj
					; KiRundownMutants+16824Dj
		mov	ecx, [ebp+esi*4+var_88]
		call	KeAbPostRelease
		inc	esi
		cmp	esi, ebx
		jb	short loc_5AD922
		jmp	loc_445731
; END OF FUNCTION CHUNK	FOR KiRundownMutants
; 
; START	OF FUNCTION CHUNK FOR KiContinuePreviousModeUser

loc_5AD938:				; CODE XREF: KiContinuePreviousModeUser+27j
		mov	ecx, eax
		jmp	loc_445B7B
; END OF FUNCTION CHUNK	FOR KiContinuePreviousModeUser
; 
; START	OF FUNCTION CHUNK FOR KiSetupForInstrumentationReturn

loc_5AD93F:				; CODE XREF: KiSetupForInstrumentationReturn+23j
		mov	ebx, [edi+150h]
		mov	eax, [ebx+3DCh]
		test	eax, eax
		jz	loc_445C3F
		cmp	[ebp+arg_4], 0
		jz	short loc_5AD964
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		sti
		jmp	short loc_5AD96E
; 

loc_5AD964:				; CODE XREF: KiSetupForInstrumentationReturn+167D41j
		cmp	byte ptr [esi+0Fh], 2
		jz	loc_445C3F

loc_5AD96E:				; CODE XREF: KiSetupForInstrumentationReturn+167D4Cj
		mov	edx, [edi+0A8h]
		and	[ebp+ms_exc.disabled], 0
		cmp	byte ptr [edx+1B8h], 0
		jnz	short loc_5AD9D2
		mov	eax, [edx+1ACh]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+68h]
		mov	[edx+1B0h], eax
		mov	ecx, esi
		call	KiEspFromTrapFrame
		mov	[edx+1B4h], eax
		mov	eax, [ebx+3DCh]
		mov	[esi+68h], eax
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jz	short loc_5AD9D2
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_5AD9BB
		mov	ecx, eax

loc_5AD9BB:				; CODE XREF: KiSetupForInstrumentationReturn+167DA1j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	edx, [ebp+var_1C]
		mov	ecx, esi
		call	KiEspToTrapFrame
		jmp	short loc_5AD9D2
; END OF FUNCTION CHUNK	FOR KiSetupForInstrumentationReturn

;  S U B	R O U T	I N E 


sub_5AD9CB	proc near		; DATA XREF: .text:006A0DACo
		xor	eax, eax
		inc	eax
		retn
sub_5AD9CB	endp


;  S U B	R O U T	I N E 


sub_5AD9CF	proc near		; DATA XREF: .text:006A0DB0o
		mov	esp, [ebp-18h]
sub_5AD9CF	endp

; START	OF FUNCTION CHUNK FOR KiSetupForInstrumentationReturn

loc_5AD9D2:				; CODE XREF: KiSetupForInstrumentationReturn+167D69j
					; KiSetupForInstrumentationReturn+167D98j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+arg_4], 0
		jz	loc_445C3F
		xor	cl, cl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cli
		jmp	loc_445C3F
; END OF FUNCTION CHUNK	FOR KiSetupForInstrumentationReturn

;  S U B	R O U T	I N E 


sub_5AD9F1	proc near		; DATA XREF: .text:006A0DCCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		mov	eax, 1
		retn
sub_5AD9F1	endp


;  S U B	R O U T	I N E 


sub_5ADA01	proc near		; DATA XREF: .text:006A0DD0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-24h]
		mov	[ebp-20h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	bl, [ebp-19h]
		jmp	loc_445CDA
sub_5ADA01	endp

; 
; START	OF FUNCTION CHUNK FOR KeContextToKframes

loc_5ADA19:				; CODE XREF: KeContextToKframes+1Fj
		mov	[ebp+var_7], 1Fh
		jmp	loc_445D69
; 

loc_5ADA22:				; CODE XREF: KeContextToKframes+5Fj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+0FCh], 1000000h
		jnz	loc_445D95
		and	ecx, 0FFFDFFFFh
		mov	[edi+0C0h], ecx
		jmp	loc_445D95
; 

loc_5ADA4F:				; CODE XREF: KeContextToKframes+6Fj
		mov	[ebp+var_5], 1
		jmp	loc_445DA9
; 

loc_5ADA58:				; CODE XREF: KeContextToKframes+AFj
		mov	[ebx+6Ch], edx
		jmp	loc_445E06
; 

loc_5ADA60:				; CODE XREF: KeContextToKframes+344j
		mov	dword ptr [ebx+6Ch], 1Bh
		mov	edx, 1Bh
		jmp	loc_445E06
; 

loc_5ADA71:				; CODE XREF: KeContextToKframes+2E8j
		mov	eax, [ebx+10h]
		jmp	loc_446021
; 

loc_5ADA79:				; CODE XREF: KeContextToKframes+2FAj
		push	0
		push	ebx
		push	[ebp+var_C]
		push	eax
		push	30h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5ADA87:				; CODE XREF: KeContextToKframes+116j
		push	ebx
		call	_Ki386AdjustEsp0@4 ; Ki386AdjustEsp0(x)
		jmp	loc_445E4C
; 

loc_5ADA92:				; CODE XREF: KeContextToKframes+131j
		mov	eax, [edi+90h]
		mov	[ebx+84h], eax
		mov	eax, [edi+94h]
		mov	[ebx+7Ch], eax
		mov	eax, [edi+98h]
		mov	[ebx+80h], eax
		mov	eax, [edi+8Ch]
		mov	[ebx+88h], eax
		jmp	loc_445E9E
; 

loc_5ADAC4:				; CODE XREF: KeContextToKframes+150j
		or	eax, 3
		jmp	loc_445E86
; 

loc_5ADACC:				; CODE XREF: KeContextToKframes+3D1j
		movzx	ecx, cl
		bts	ecx, esi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_6], cl
		jmp	loc_446107
; 

loc_5ADADD:				; CODE XREF: KeContextToKframes+3E8j
		or	cl, 40h
		mov	[ebp+var_6], cl
		jmp	loc_44611E
; 

loc_5ADAE8:				; CODE XREF: KeContextToKframes+419j
		mov	ecx, edi
		call	_KiSetDebugActiveMask@8	; KiSetDebugActiveMask(x,x)
		jmp	loc_445FEF
; END OF FUNCTION CHUNK	FOR KeContextToKframes
; 
; START	OF FUNCTION CHUNK FOR KiRecordDr7

loc_5ADAF4:				; CODE XREF: KiRecordDr7+Cj
		mov	eax, large fs:124h
		mov	bl, [eax+3]
		and	bl, 0DFh
		jmp	loc_44621C
; 

loc_5ADB05:				; CODE XREF: KiRecordDr7+29j
		or	dl, 10h
		mov	dword ptr [ecx], 0F0000h
		jmp	loc_446237
; 

loc_5ADB13:				; CODE XREF: KiRecordDr7+1Dj
		and	dl, 0EFh
		or	dl, 80h
		test	bl, bl
		setz	al
		mov	byte ptr [ebp+var_4], al
		jmp	loc_446237
; 

loc_5ADB26:				; CODE XREF: KiRecordDr7+31j
		cmp	bl, dl
		jz	loc_446241
		mov	ecx, large fs:124h
		call	_KiSetDebugActiveMask@8	; KiSetDebugActiveMask(x,x)
		jmp	loc_446241
; END OF FUNCTION CHUNK	FOR KiRecordDr7
; 
; START	OF FUNCTION CHUNK FOR RtlFindClearBitsAndSet

loc_5ADB3F:				; CODE XREF: RtlFindClearBitsAndSet+2Cj
		and	ecx, 0FFFFFFF8h
		jmp	loc_446307
; 

loc_5ADB47:				; CODE XREF: RtlFindClearBitsAndSet:loc_4464F0j
		push	20h
		pop	eax
		jmp	loc_4464FB
; 

loc_5ADB4F:				; CODE XREF: RtlFindClearBitsAndSet+15Bj
		push	20h
		pop	ecx
		jmp	loc_4463B4
; END OF FUNCTION CHUNK	FOR RtlFindClearBitsAndSet
; 
; START	OF FUNCTION CHUNK FOR KeSuspendThread

loc_5ADB57:				; CODE XREF: KeSuspendThread+3Dj
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0C000004Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

loc_5ADB72:				; CODE XREF: KiSuspendThread+1F4j
		and	dword ptr [edi+10h], 0
		lea	eax, [esi+128h]
		and	dword ptr [edi+14h], 0
		mov	byte ptr [eax+9], 4
		mov	[esi+0C0h], eax
		mov	[esi+0C4h], eax
		jmp	loc_446848
; END OF FUNCTION CHUNK	FOR KeSuspendThread
; 
; START	OF FUNCTION CHUNK FOR KiSuspendThread

loc_5ADB95:				; CODE XREF: KiSuspendThread+216j
		lea	eax, [ebp+var_20]
		push	eax
		call	KeQuerySystemTime
		mov	ecx, [ebp+var_20]
		sub	ecx, [ebp+var_8]
		mov	eax, [ebp+var_1C]
		sbb	eax, [ebp+var_C]
		add	[edi+10h], ecx
		adc	[edi+14h], eax
		jmp	loc_446848
; 

loc_5ADBB5:				; CODE XREF: KiSuspendThread+1A3j
					; KiSuspendThread+1674F3j
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5ADBB5
		jmp	loc_44686C
; 

loc_5ADBC8:				; CODE XREF: KiSuspendThread+1D3j
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		push	0
		push	100h
		call	KiSignalThread
		jmp	loc_44675E
; END OF FUNCTION CHUNK	FOR KiSuspendThread
; 
; START	OF FUNCTION CHUNK FOR KeInsertQueueApc

loc_5ADBDE:				; CODE XREF: KeInsertQueueApc+4Ej
		test	dl, dl
		jnz	loc_446978
		mov	cl, 1
		jmp	loc_44697A
; 

loc_5ADBED:				; CODE XREF: KeInsertQueueApc+120j
					; KeInsertQueueApc+12Ej
		mov	edx, 5149654Bh
		mov	[esp+28h+var_19], 1
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		jmp	loc_4469AB
; 

loc_5ADC03:				; CODE XREF: KeInsertQueueApc+B5j
					; KeInsertQueueApc+BFj
		mov	esi, [esp+28h+var_18]
		xor	bl, bl
		jmp	loc_446A13
; 

loc_5ADC0E:				; CODE XREF: KeInsertQueueApc+10Dj
		test	bl, bl
		jz	short loc_5ADC38
		push	[esp+28h+var_C]
		mov	ecx, large fs:124h
		mov	edx, edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		mov	cl, [ecx+15Ah]
		push	[esp+34h+var_8]
		push	[esp+38h+var_4]
		call	_EtwTiLogInsertQueueUserApc@28 ; EtwTiLogInsertQueueUserApc(x,x,x,x,x,x,x)

loc_5ADC38:				; CODE XREF: KeInsertQueueApc+1672ECj
		mov	edx, 5149654Bh
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		jmp	loc_446A37
; END OF FUNCTION CHUNK	FOR KeInsertQueueApc
; 
; START	OF FUNCTION CHUNK FOR KiInsertQueueApc

loc_5ADC49:				; CODE XREF: KiInsertQueueApc+9Fj
		movsx	eax, al
		lea	esi, [esi+eax*8]
		mov	eax, [esi]
		jmp	short loc_5ADC55
; 

loc_5ADC53:				; CODE XREF: KiInsertQueueApc+16706Dj
		mov	eax, [eax]

loc_5ADC55:				; CODE XREF: KiInsertQueueApc+167067j
		cmp	eax, esi
		jnz	short loc_5ADC53
		or	byte ptr [edx+86h], 1
		jmp	loc_446C53
; END OF FUNCTION CHUNK	FOR KiInsertQueueApc
; 
; START	OF FUNCTION CHUNK FOR EtwTraceMemoryAcg

loc_5ADC65:				; CODE XREF: EtwTraceMemoryAcg+36j
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	1
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	ebx
		push	offset _KERNEL_MEM_EVENT_ACG
		push	esi
		push	edi
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ebx
		call	EtwWriteEx
		jmp	loc_446EC6
; END OF FUNCTION CHUNK	FOR EtwTraceMemoryAcg
; 

loc_5ADC95:				; CODE XREF: .text:00447283j
		mov	eax, 0C0000022h
		jmp	loc_447118
; 

loc_5ADC9F:				; CODE XREF: .text:004472A4j
					; .text:004472ACj
		mov	byte ptr [ecx],	0
		jmp	loc_4472B2
; 

loc_5ADCA7:				; DATA XREF: .text:006A0EA0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0CCh], eax
		mov	eax, 1
		retn
; 

loc_5ADCBA:				; DATA XREF: .text:006A0EA4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0CCh]
		jmp	loc_447118
; 

loc_5ADCCF:				; CODE XREF: .text:00447255j
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edx, [eax+1F0h]
		mov	eax, [ebp-70h]
		movzx	eax, ax
		mov	esi, 0FFFFh
		mov	ecx, eax
		sub	ax, si
		movzx	eax, ax
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp-68h], eax
		cmp	eax, [edx+8]
		jnb	loc_5AE02C
		mov	ecx, [ebp+10h]
		cmp	ecx, 0FFDFh
		jbe	short loc_5ADD14
		mov	eax, 0C0000095h
		jmp	loc_447118
; 

loc_5ADD14:				; CODE XREF: .text:005ADD08j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		cmp	al, 1
		jnz	loc_5AE036
		mov	dword ptr [ebp-4], 1
		lea	eax, [ecx+20h]
		test	eax, eax
		jz	short loc_5ADD55
		test	bl, 3
		jz	short loc_5ADD40
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_5ADD40:				; CODE XREF: .text:005ADD39j
		lea	edx, [ecx+20h]
		add	edx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_5ADD52
		cmp	edx, ebx
		jnb	short loc_5ADD55

loc_5ADD52:				; CODE XREF: .text:005ADD4Cj
		mov	byte ptr [eax],	0

loc_5ADD55:				; CODE XREF: .text:005ADD34j
					; .text:005ADD50j
		lea	edx, [ebx+20h]
		mov	[ebp-0F0h], edx
		movzx	eax, word ptr [ebx+6]
		mov	[ebp-0D8h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	[ebp-5Ch], edx
		mov	dword ptr [ebp-58h], 0
		mov	[ebp-54h], ecx
		mov	dword ptr [ebp-50h], 0
		mov	esi, large fs:124h
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+1F0h]
		push	ecx
		and	edi, 0F00FFh
		or	edi, 3100h
		push	edi
		push	dword ptr [ebp-0D8h]
		push	1
		push	dword ptr [ebp-68h]
		push	esi
		lea	edx, [ebp-5Ch]
		call	EtwpLogSystemEventUnsafe
		xor	eax, eax
		jmp	loc_447118
; 

loc_5ADDBE:				; DATA XREF: .text:006A0E88o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D0h], eax
		mov	eax, 1
		retn
; 

loc_5ADDD1:				; DATA XREF: .text:006A0E8Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0D0h]
		jmp	loc_447118
; 

loc_5ADDE6:				; CODE XREF: .text:0044724Aj
		mov	ecx, large fs:124h
		mov	dl, [ecx+15Ah]
		mov	[ebp-68h], dl
		push	dword ptr [ebp-68h]
		push	0C00A0000h
		mov	eax, [ebp-70h]
		cdq
		push	edx
		push	eax
		mov	edx, 30h
		mov	ecx, ebx
		call	_EtwTraceEvent@24 ; EtwTraceEvent(x,x,x,x,x,x)
		jmp	loc_447118
; 

loc_5ADE15:				; CODE XREF: .text:0044723Fj
		mov	byte ptr [ebp-74h], 0
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edi, [eax+1F0h]
		mov	eax, [ebp-70h]
		movzx	esi, ax
		cmp	esi, 0FFFFh
		jz	short loc_5ADE36
		test	esi, esi
		jnz	short loc_5ADE3D

loc_5ADE36:				; CODE XREF: .text:005ADE30j
		movzx	esi, byte ptr [edi+914h]

loc_5ADE3D:				; CODE XREF: .text:005ADE34j
		cmp	esi, [edi+8]
		jnb	short loc_5ADE8D
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-6Ch], al
		lea	eax, [ebp-74h]
		push	eax
		push	dword ptr [ebp-6Ch]
		mov	edx, edi
		mov	ecx, esi
		call	_EtwpOpenLogger@16 ; EtwpOpenLogger(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_5ADE8D
		test	dword ptr [ecx+0Ch], 2000000h
		jz	short loc_5ADEAC
		movzx	eax, byte ptr [ecx+25Ah]
		shl	eax, 5
		add	eax, 948h
		add	eax, edi
		jz	short loc_5ADE97
		test	byte ptr [eax+4], 28h
		jz	short loc_5ADE97
		mov	al, 1
		jmp	short loc_5ADE99
; 

loc_5ADE8D:				; CODE XREF: .text:005ADE40j
					; .text:005ADE65j
		mov	eax, 0C0000008h
		jmp	loc_447118
; 

loc_5ADE97:				; CODE XREF: .text:005ADE81j
					; .text:005ADE87j
		xor	al, al

loc_5ADE99:				; CODE XREF: .text:005ADE8Bj
		push	dword ptr [ebp-6Ch]
		push	eax
		push	dword ptr [ebp+10h]
		mov	edx, ebx
		call	_EtwpSetMark@20	; EtwpSetMark(x,x,x,x,x)
		mov	[ebp-64h], eax
		jmp	short loc_5ADEB3
; 

loc_5ADEAC:				; CODE XREF: .text:005ADE6Ej
		mov	dword ptr [ebp-64h], 0C000000Dh

loc_5ADEB3:				; CODE XREF: .text:005ADEAAj
		push	dword ptr [ebp-74h]
		mov	edx, edi
		mov	ecx, esi
		call	_EtwpCloseLogger@12 ; EtwpCloseLogger(x,x,x)
		jmp	loc_447115
; 

loc_5ADEC4:				; CODE XREF: .text:0044732Fj
		cmp	eax, 800h
		jz	short loc_5ADF16
		cmp	eax, 900h
		jnz	loc_5AE02C
		cmp	edi, eax
		jnz	loc_5AE02C
		mov	esi, [ebp+10h]
		test	esi, esi
		jz	loc_5AE02C
		test	ebx, ebx
		jz	loc_5AE02C
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-68h], al
		push	dword ptr [ebp-68h]
		mov	eax, ecx
		cdq
		push	edx
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	_EtwTraceRaw@20	; EtwTraceRaw(x,x,x,x,x)
		jmp	loc_447118
; 

loc_5ADF16:				; CODE XREF: .text:005ADEC9j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-68h], al
		push	dword ptr [ebp-68h]
		push	0C00B0000h
		mov	eax, ecx
		cdq
		push	edx
		push	eax
		mov	edx, 48h
		mov	ecx, ebx
		call	_EtwTraceEvent@24 ; EtwTraceEvent(x,x,x,x,x,x)
		jmp	loc_447118
; 

loc_5ADF43:				; CODE XREF: .text:00447361j
					; .text:00447369j
		mov	byte ptr [edx],	0
		jmp	loc_44736F
; 

loc_5ADF4B:				; CODE XREF: .text:00447383j
					; .text:0044738Bj
		mov	byte ptr [edx],	0
		jmp	loc_447391
; 

loc_5ADF53:				; CODE XREF: .text:00447408j
		mov	ecx, esi
		call	EtwpUnreferenceGuidEntry

loc_5ADF5A:				; CODE XREF: .text:004473FEj
		mov	eax, 0C0000302h
		jmp	loc_447118
; 

loc_5ADF64:				; CODE XREF: .text:004474C2j
		mov	byte ptr [ebp-5Dh], 0
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		lea	ecx, [esi+16Ch]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+170h], eax
		lea	eax, [ebp-5Dh]
		push	eax
		push	1
		push	1
		xor	dl, dl
		mov	ecx, [esi+168h]
		call	EtwpUpdateEnableMask
		mov	dword ptr [esi+170h], 0
		xor	edx, edx
		lea	ecx, [esi+16Ch]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	0
		push	0
		push	0
		push	0
		push	0
		push	dword ptr [ebp-0C4h]
		push	dword ptr [ebp-9Ch]
		push	dword ptr [ebp-0B4h]
		push	dword ptr [ebp-0B8h]
		push	dword ptr [ebp-0A0h]
		push	0
		push	ebx
		push	dword ptr [ebp-0A4h]
		push	0
		push	0
		push	0
		mov	dl, [ebp-5Dh]
		mov	ecx, [esi+168h]
		call	_EtwpWriteUserEvent@72 ; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp-64h], eax
		jmp	loc_4474C8
; 

loc_5AE004:				; DATA XREF: .text:006A0EACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D4h], eax
		mov	eax, 1
		retn
; 

loc_5AE017:				; DATA XREF: .text:006A0EB0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0D4h]
		jmp	loc_447118
; 

loc_5AE02C:				; CODE XREF: .text:00447154j
					; .text:00447260j ...
		mov	eax, 0C000000Dh
		jmp	loc_447118
; 

loc_5AE036:				; CODE XREF: .text:00447168j
					; .text:005ADD22j
		mov	eax, 0C00000BBh
		jmp	loc_447118
; 

loc_5AE040:				; CODE XREF: .text:0044718Fj
					; .text:0044719Ej
		mov	eax, ds:_MmUserProbeAddress
		mov	byte ptr [eax],	0
		jmp	loc_4471A4
; 

loc_5AE04D:				; CODE XREF: .text:004471CAj
		mov	eax, 0C000000Dh
		mov	[ebp-0F4h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_447118
; 

loc_5AE064:				; CODE XREF: .text:004471E5j
					; .text:004471EDj
		mov	byte ptr [esi],	0
		jmp	loc_4471F3
; 

loc_5AE06C:				; DATA XREF: .text:006A0E94o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E0h], eax
		mov	eax, 1
		retn
; 

loc_5AE07F:				; DATA XREF: .text:006A0E98o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0E0h]
		jmp	loc_447118
; 

loc_5AE094:				; CODE XREF: .text:00446F6Dj
					; .text:00446F75j
		mov	byte ptr [edx],	0
		jmp	loc_446F7B
; 

loc_5AE09C:				; CODE XREF: .text:00446FE2j
		lea	eax, [ebx+60h]
		mov	[ebp-78h], eax
		jmp	loc_446FE8
; 

loc_5AE0A7:				; CODE XREF: .text:00447108j
		mov	ecx, 8
		xor	eax, eax
		lea	edi, [ebp-3Ch]
		rep stosd
		mov	dl, [esi+36h]
		mov	edi, [ebp-6Ch]
		test	dl, dl
		jz	short loc_5AE106
		lea	eax, [ebp-0B0h]
		push	eax
		push	edi
		movzx	eax, word ptr [esi+32h]
		push	eax
		push	0
		lea	eax, [ebp-3Ch]
		push	eax
		push	dword ptr [ebp-84h]
		push	dword ptr [ebp-8Ch]
		push	dword ptr [ebp-7Ch]
		push	dword ptr [ebp-80h]
		push	dword ptr [ebp-88h]
		push	dword ptr [ebp-78h]
		push	ebx
		push	dword ptr [ebp-74h]
		push	0
		push	0
		push	0
		mov	ecx, [ebp-70h]
		mov	ecx, [ecx+168h]
		call	_EtwpWriteUserEvent@72 ; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp-64h], eax

loc_5AE106:				; CODE XREF: .text:005AE0BBj
		mov	dl, [esi+37h]
		test	dl, dl
		jz	loc_44710E
		lea	eax, [ebp-0B0h]
		push	eax
		push	edi
		movzx	eax, word ptr [esi+32h]
		push	eax
		mov	eax, [ebp-68h]
		mov	eax, [eax+168h]
		push	eax
		lea	eax, [ebp-3Ch]
		push	eax
		push	dword ptr [ebp-84h]
		push	dword ptr [ebp-8Ch]
		push	dword ptr [ebp-7Ch]
		push	dword ptr [ebp-80h]
		push	dword ptr [ebp-88h]
		push	dword ptr [ebp-78h]
		push	ebx
		push	dword ptr [ebp-74h]
		push	0
		push	0
		push	0
		mov	eax, [ebp-70h]
		mov	ecx, [eax+168h]
		call	_EtwpWriteUserEvent@72 ; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp-64h], eax
		jmp	loc_44710E
; 

loc_5AE167:				; DATA XREF: .text:006A0E7Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C8h], eax
		mov	eax, 1
		retn
; 

loc_5AE17A:				; DATA XREF: .text:006A0E80o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0C8h]
		jmp	loc_447118
; 
; START	OF FUNCTION CHUNK FOR EtwProviderEnabled

loc_5AE18F:				; CODE XREF: EtwProviderEnabled+34j
		push	[ebp+arg_10]
		mov	ecx, [esi+14h]
		mov	dl, bl
		push	[ebp+arg_C]
		add	ecx, 40h
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jnz	loc_44751A
		jmp	loc_44752C
; END OF FUNCTION CHUNK	FOR EtwProviderEnabled
; 
; START	OF FUNCTION CHUNK FOR EtwpTraceMessageVa

loc_5AE1AF:				; CODE XREF: EtwpTraceMessageVa+D1j
		mov	esi, 0C0000022h
		mov	[ebp+var_34], esi
		jmp	loc_44799E
; 

loc_5AE1BC:				; CODE XREF: EtwpTraceMessageVa+429j
		mov	esi, 0C00000BBh
		mov	[ebp+var_34], esi
		jmp	loc_44799E
; 

loc_5AE1C9:				; CODE XREF: EtwpTraceMessageVa+11Ej
		mov	esi, 0C0000206h
		mov	[ebp+var_34], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	edi, [ebp+var_48]
		jmp	loc_44799E
; 

loc_5AE1E0:				; CODE XREF: EtwpTraceMessageVa+174j
		mov	[ebp+var_40], 4
		jmp	loc_447761
; 

loc_5AE1EC:				; CODE XREF: EtwpTraceMessageVa+18Cj
		xor	esi, esi
		jmp	loc_447777
; 

loc_5AE1F3:				; CODE XREF: EtwpTraceMessageVa+1A2j
		mov	edx, 4
		jmp	loc_44778A
; 

loc_5AE1FD:				; CODE XREF: EtwpTraceMessageVa+1ACj
		xor	ecx, ecx
		jmp	loc_447797
; 

loc_5AE204:				; CODE XREF: EtwpTraceMessageVa+1BDj
		xor	eax, eax
		jmp	loc_4477A8
; 

loc_5AE20B:				; CODE XREF: EtwpTraceMessageVa+1DBj
		mov	esi, 0C0000206h
		mov	[ebp+var_34], esi
		mov	edi, [ebp+var_48]
		jmp	loc_44799E
; 

loc_5AE21B:				; CODE XREF: EtwpTraceMessageVa+207j
		mov	edx, 1
		lock xadd [eax], edx
		inc	edx
		jmp	loc_4477ED
; 

loc_5AE22A:				; CODE XREF: EtwpTraceMessageVa+212j
		cmp	eax, 0FFF8h
		jbe	short loc_5AE238
		mov	esi, 0C0000095h
		jmp	short loc_5AE249
; 

loc_5AE238:				; CODE XREF: EtwpTraceMessageVa+166C4Fj
		cmp	[ecx+8], eax
		sbb	esi, esi
		and	esi, 0BFFFFFEEh
		add	esi, 0C0000017h

loc_5AE249:				; CODE XREF: EtwpTraceMessageVa+166C56j
		mov	[ebp+var_34], esi
		mov	edi, [ebp+var_48]
		jmp	loc_44799E
; 

loc_5AE254:				; CODE XREF: EtwpTraceMessageVa+26Cj
		mov	[esi], edx
		add	esi, 4
		mov	[ebp+var_3C], esi
		jmp	loc_447852
; 

loc_5AE261:				; CODE XREF: EtwpTraceMessageVa+279j
		mov	eax, [ebp+var_44]
		mov	eax, [eax]
		mov	[esi], eax
		add	esi, 4
		jmp	loc_447884
; 

loc_5AE270:				; CODE XREF: EtwpTraceMessageVa+2C1j
		mov	cl, [ebp+var_2D]
		mov	edx, [ebp+var_54]
		jmp	loc_4478E8
; 

loc_5AE27B:				; CODE XREF: EtwpTraceMessageVa+333j
		mov	esi, 0C0000206h
		mov	[ebp+var_34], esi
		jmp	loc_447975
; 

loc_5AE288:				; CODE XREF: EtwpTraceMessageVa+349j
		mov	esi, 0C0000206h
		mov	[ebp+var_34], esi
		jmp	loc_447975
; 

loc_5AE295:				; CODE XREF: EtwpTraceMessageVa+35Ej
					; EtwpTraceMessageVa+366j
		mov	byte ptr [edx],	0
		jmp	loc_44794C
; END OF FUNCTION CHUNK	FOR EtwpTraceMessageVa

;  S U B	R O U T	I N E 


sub_5AE29D	proc near		; DATA XREF: .text:006A0F00o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-90h], eax
		mov	eax, 1
		retn
sub_5AE29D	endp


;  S U B	R O U T	I N E 


sub_5AE2B0	proc near		; DATA XREF: .text:006A0F04o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-90h]
		mov	[ebp-34h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-68h]
		jmp	loc_44797F
sub_5AE2B0	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpTraceMessageVa

loc_5AE2CB:				; CODE XREF: EtwpTraceMessageVa+3ADj
		cmp	ds:_KdDebuggerNotPresent, 0
		jnz	short loc_5AE2DD
		cmp	ds:_KdPitchDebugger, 0
		jz	short loc_5AE2EA

loc_5AE2DD:				; CODE XREF: EtwpTraceMessageVa+166CF2j
		cmp	ds:_KdEventLoggingPresent, 0
		jz	loc_447993

loc_5AE2EA:				; CODE XREF: EtwpTraceMessageVa+166CFBj
		lea	edx, [ebp+var_A4]
		mov	ecx, eax
		call	_EtwpSendTraceEvent@8 ;	EtwpSendTraceEvent(x,x)
		jmp	loc_447993
; 

loc_5AE2FC:				; CODE XREF: EtwpTraceMessageVa+14Bj
		mov	esi, 0C0000095h
		mov	[ebp+var_34], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	edi, [ebp+var_48]
		jmp	loc_44799E
; END OF FUNCTION CHUNK	FOR EtwpTraceMessageVa

;  S U B	R O U T	I N E 


sub_5AE313	proc near		; DATA XREF: .text:006A0EF4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-94h], eax
		mov	eax, 1
		retn
sub_5AE313	endp


;  S U B	R O U T	I N E 


sub_5AE326	proc near		; DATA XREF: .text:006A0EF8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-94h]
		mov	[ebp-34h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-68h]
		jmp	loc_44799E
sub_5AE326	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpIsEventNameFilterEnabled

loc_5AE341:				; CODE XREF: EtwpIsEventNameFilterEnabled+Ej
		imul	edx, 34h
		add	edx, eax
		cmp	[ebp+arg_C], 0
		mov	eax, [edx]
		jnz	short loc_5AE362
		mov	ecx, 80000400h
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_447AE0
		mov	edx, [edx+30h]
		jmp	short loc_5AE374
; 

loc_5AE362:				; CODE XREF: EtwpIsEventNameFilterEnabled+166880j
		mov	ecx, 80002000h
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_447AE0
		mov	edx, [edx+1Ch]

loc_5AE374:				; CODE XREF: EtwpIsEventNameFilterEnabled+166894j
		test	edx, edx
		jz	loc_447AE0
		mov	al, [edx+1]
		cmp	[ebp+arg_0], al
		jbe	short loc_5AE38C
		test	al, al
		jnz	loc_447AE0

loc_5AE38C:				; CODE XREF: EtwpIsEventNameFilterEnabled+1668B6j
		mov	eax, [ebp+arg_4]
		or	eax, [ebp+arg_8]
		jz	short loc_5AE3C8
		mov	ecx, [edx+8]
		mov	eax, [edx+0Ch]
		and	ecx, [ebp+arg_4]
		and	eax, [ebp+arg_8]
		or	ecx, eax
		jz	loc_447AE0
		mov	ecx, [edx+10h]
		mov	eax, ecx
		mov	esi, [edx+14h]
		mov	edx, esi
		and	eax, [ebp+arg_4]
		and	edx, [ebp+arg_8]
		cmp	eax, ecx
		jnz	loc_447AE0
		cmp	edx, esi
		jnz	loc_447AE0

loc_5AE3C8:				; CODE XREF: EtwpIsEventNameFilterEnabled+1668C6j
		mov	al, 1
		jmp	loc_447AE2
; END OF FUNCTION CHUNK	FOR EtwpIsEventNameFilterEnabled
; 
; START	OF FUNCTION CHUNK FOR RtlAddAtomToAtomTableEx

loc_5AE3CF:				; CODE XREF: RtlAddAtomToAtomTableEx+27j
		mov	eax, 0C000000Dh
		jmp	loc_447BD9
; 

loc_5AE3D9:				; CODE XREF: RtlAddAtomToAtomTableEx+146j
		mov	eax, edi
		mov	[ebp+var_28], eax
		mov	esi, 0C000000Dh
		jmp	loc_447C82
; 

loc_5AE3E8:				; CODE XREF: RtlAddAtomToAtomTableEx+48j
		mov	esi, 0C0000033h
		jmp	loc_447BC5
; 

loc_5AE3F2:				; CODE XREF: RtlAddAtomToAtomTableEx+10Ej
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jz	short loc_5AE405
		lea	eax, [edi+8]
		cmp	ecx, eax
		jz	short loc_5AE405
		call	_RtlpFreeAtom@4	; RtlpFreeAtom(x)

loc_5AE405:				; CODE XREF: RtlAddAtomToAtomTableEx+1668C3j
					; RtlAddAtomToAtomTableEx+1668CAj
		mov	ecx, edi
		call	_RtlpFreeAtom@4	; RtlpFreeAtom(x)
		jmp	loc_447BC8
; 

loc_5AE411:				; CODE XREF: RtlAddAtomToAtomTableEx+BBj
		mov	esi, 0C000000Dh
		jmp	loc_447BC5
; END OF FUNCTION CHUNK	FOR RtlAddAtomToAtomTableEx

;  S U B	R O U T	I N E 


sub_5AE41B	proc near		; DATA XREF: .text:006A0F3Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5AE41B	endp


;  S U B	R O U T	I N E 


sub_5AE429	proc near		; DATA XREF: .text:006A0F40o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-34h]
		jmp	loc_447BC5
sub_5AE429	endp

; 
; START	OF FUNCTION CHUNK FOR EtwGetKernelTraceTimestampSilo

loc_5AE434:				; CODE XREF: EtwGetKernelTraceTimestampSilo+20j
		mov	ecx, [ecx+2F8h]
		jmp	loc_447D7B
; 

loc_5AE43F:				; CODE XREF: EtwGetKernelTraceTimestampSilo+88j
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		jmp	loc_447DE2
; 

loc_5AE44C:				; CODE XREF: EtwGetKernelTraceTimestampSilo+B6j
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], 0
		push	eax
		mov	[ebp+var_10], 0
		call	ds:off_6B1438	; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		mov	eax, [ebp+var_14]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_10]
		mov	[esi+1Ch], eax
		jmp	loc_447E1A
; END OF FUNCTION CHUNK	FOR EtwGetKernelTraceTimestampSilo
; 
; START	OF FUNCTION CHUNK FOR PfHardFaultRecord

loc_5AE475:				; CODE XREF: PfHardFaultRecord+40j
		mov	[esi], edi
		mov	[esi+4], edi
		mov	[esi+8], edi
		mov	[esi+0Ch], edi
		jmp	loc_447E99
; END OF FUNCTION CHUNK	FOR PfHardFaultRecord
; 
; START	OF FUNCTION CHUNK FOR PfHardFaultLog

loc_5AE485:				; CODE XREF: PfHardFaultLog+28j
					; PfHardFaultLog+34j
		mov	eax, edi
		sub	eax, ecx
		jz	short loc_5AE4A3
		sub	eax, 1
		jz	short loc_5AE49C
		sub	eax, 1
		jnz	short loc_5AE4A3
		mov	edx, 273h
		jmp	short loc_5AE4A8
; 

loc_5AE49C:				; CODE XREF: PfHardFaultLog+1665D6j
		mov	edx, 272h
		jmp	short loc_5AE4A8
; 

loc_5AE4A3:				; CODE XREF: PfHardFaultLog+1665D1j
					; PfHardFaultLog+1665DBj
		mov	edx, 220h

loc_5AE4A8:				; CODE XREF: PfHardFaultLog+1665E2j
					; PfHardFaultLog+1665E9j
		push	esi
		push	ecx
		push	ecx
		lea	eax, [esi+20h]
		push	eax
		push	ecx
		mov	ecx, [ebx+3A0h]
		call	_EtwTraceSiloTimedEvent@28 ; EtwTraceSiloTimedEvent(x,x,x,x,x,x,x)
		jmp	loc_447EF2
; END OF FUNCTION CHUNK	FOR PfHardFaultLog
; 
; START	OF FUNCTION CHUNK FOR MiComputeImagePteIndex

loc_5AE4C0:				; CODE XREF: MiComputeImagePteIndex+50j
		test	dword ptr [edx+1Ch], 4000000h
		jz	loc_447FDA
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	edi
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		mov	edx, [ebp+var_4]
		mov	ecx, eax
		jmp	loc_447FFB
; 

loc_5AE4E3:				; CODE XREF: MiComputeImagePteIndex+61j
		mov	eax, [ecx+24h]
		mov	[ebp+var_8], eax
		cmp	esi, eax
		jb	short loc_5AE501
		mov	edx, [ebp+var_8]
		mov	eax, [edi+1Ch]
		lea	eax, [edx+eax*8]
		mov	edx, [ebp+var_4]
		cmp	esi, eax
		jb	loc_447FFB

loc_5AE501:				; CODE XREF: MiComputeImagePteIndex+166567j
		mov	ecx, ebx
		jmp	loc_447FFB
; END OF FUNCTION CHUNK	FOR MiComputeImagePteIndex
; 
; START	OF FUNCTION CHUNK FOR UNLOCK_ADDRESS_SPACE_UNORDERED

loc_5AE508:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+17Cj
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AE51B:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+10Dj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_4486BF
; 

loc_5AE532:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+1AEj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_448750
; 

loc_5AE541:				; CODE XREF: UNLOCK_ADDRESS_SPACE_UNORDERED+1D8j
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4486D2
; END OF FUNCTION CHUNK	FOR UNLOCK_ADDRESS_SPACE_UNORDERED
; 
; START	OF FUNCTION CHUNK FOR ExReferenceCallBackBlock

loc_5AE553:				; CODE XREF: ExReferenceCallBackBlock+8Aj
		mov	ecx, eax
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		jbe	loc_4489D0

loc_5AE564:				; CODE XREF: ExReferenceCallBackBlock+68j
					; ExReferenceCallBackBlock+77j
		mov	edx, [ebx]
		test	dl, 1
		jnz	short loc_5AE582

loc_5AE56B:				; CODE XREF: ExReferenceCallBackBlock+165C20j
		lea	ecx, [edx-0Eh]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jz	loc_44898E
		mov	edx, eax
		test	al, 1
		jz	short loc_5AE56B

loc_5AE582:				; CODE XREF: ExReferenceCallBackBlock+165C09j
		and	edx, 0FFFFFFFEh
		mov	eax, 0FFFFFFF9h
		lock xadd [edx], eax
		cmp	eax, 7
		jnz	loc_44898E
		lea	eax, [edx+14h]
		lock btr dword ptr [eax], 0
		jb	loc_44898E
		push	0
		push	0
		lea	eax, [edx+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_44898E
; END OF FUNCTION CHUNK	FOR ExReferenceCallBackBlock
; 
; START	OF FUNCTION CHUNK FOR RtlpLookupOrCreateLowBox

loc_5AE5B7:				; CODE XREF: RtlpLookupOrCreateLowBox+78j
		xor	eax, eax
		jmp	loc_448AC2
; END OF FUNCTION CHUNK	FOR RtlpLookupOrCreateLowBox
; 
; START	OF FUNCTION CHUNK FOR RtlpQueryLowBoxId

loc_5AE5BE:				; CODE XREF: RtlpQueryLowBoxId+75j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	edi, eax
		lea	eax, [esp+20h+var_8]
		push	eax
		push	1Dh
		push	edi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		cmp	[esp+20h+var_8], 1
		jnz	short loc_5AE5FB
		test	esi, esi
		jz	short loc_5AE5F1
		mov	ecx, esi
		call	ObfDereferenceObject

loc_5AE5F1:				; CODE XREF: RtlpQueryLowBoxId+165A70j
		mov	esi, edi
		xor	edi, edi
		inc	edi
		jmp	loc_448BBE
; 

loc_5AE5FB:				; CODE XREF: RtlpQueryLowBoxId+165A6Cj
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	edi, [esp+20h+var_10]
		jmp	loc_448BBE
; END OF FUNCTION CHUNK	FOR RtlpQueryLowBoxId
; 
; START	OF FUNCTION CHUNK FOR RtlImageNtHeaderEx

loc_5AE60B:				; CODE XREF: RtlImageNtHeaderEx+Cj
					; RtlImageNtHeaderEx+21j ...
		mov	eax, 0C000000Dh
		jmp	loc_448CAD
; END OF FUNCTION CHUNK	FOR RtlImageNtHeaderEx
; 
; START	OF FUNCTION CHUNK FOR MiReferenceInPageFile

loc_5AE615:				; CODE XREF: MiReferenceInPageFile+A8j
		mov	ecx, [ebp+var_4]
		call	_MiCanPageMove@4 ; MiCanPageMove(x)
		test	eax, eax
		jnz	short loc_5AE62F
		and	esi, 0FFFEFFFFh
		mov	[edi+78h], esi
		jmp	loc_448E35
; 

loc_5AE62F:				; CODE XREF: MiReferenceInPageFile+1658A1j
		test	dword ptr [ebx+34h], 0C0000h
		jz	loc_448E35
		mov	eax, [ebp+var_4]
		mov	ecx, [eax+8]
		nop
		mov	eax, [eax+0Ch]
		shrd	ecx, eax, 5
		test	cl, 2
		jz	loc_448E35
		and	dword ptr [edi+78h], 0FFFEFFFFh
		jmp	loc_448E35
; END OF FUNCTION CHUNK	FOR MiReferenceInPageFile
; 
; START	OF FUNCTION CHUNK FOR MiReferenceControlAreaFile

loc_5AE65F:				; CODE XREF: MiReferenceControlAreaFile+77j
		mov	ecx, eax
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		jbe	loc_448EB1
		jmp	loc_448F0B
; END OF FUNCTION CHUNK	FOR MiReferenceControlAreaFile
; 
; START	OF FUNCTION CHUNK FOR MiIssueHardFaultIo

loc_5AE675:				; CODE XREF: MiIssueHardFaultIo+6Bj
					; MiIssueHardFaultIo+164E34j
		mov	edi, [ebp+arg_0]
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	edi, [ebp+var_4]
		cmp	eax, edx
		jz	short loc_5AE693
		mov	edx, eax
		test	eax, eax
		jnz	short loc_5AE675
		jmp	loc_4498C9
; 

loc_5AE693:				; CODE XREF: MiIssueHardFaultIo+164E2Ej
		or	esi, 8
		jmp	loc_4498C9
; 

loc_5AE69B:				; CODE XREF: MiIssueHardFaultIo+91j
		push	ebx
		push	ebx
		lea	eax, [edi+10h]
		mov	[edi+30h], esi
		push	eax
		mov	[edi+34h], ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4498EF
; END OF FUNCTION CHUNK	FOR MiIssueHardFaultIo
; 
; START	OF FUNCTION CHUNK FOR NtGetWriteWatch

loc_5AE6B1:				; CODE XREF: NtGetWriteWatch+E1j
		mov	eax, 0C00000F0h
		jmp	loc_44A266
; 

loc_5AE6BB:				; CODE XREF: NtGetWriteWatch+121j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, 0C00000F1h
		jmp	loc_44A266
; 

loc_5AE6CC:				; CODE XREF: NtGetWriteWatch+130j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, 0C00000F2h
		jmp	loc_44A266
; 

loc_5AE6DD:				; CODE XREF: NtGetWriteWatch+145j
		mov	ecx, eax
		jmp	loc_449AEB
; 

loc_5AE6E4:				; CODE XREF: NtGetWriteWatch+159j
					; NtGetWriteWatch+164j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, 0C00000F3h
		jmp	loc_44A266
; 

loc_5AE6F5:				; CODE XREF: NtGetWriteWatch+188j
		mov	ecx, eax
		jmp	loc_449B2E
; 

loc_5AE6FC:				; CODE XREF: NtGetWriteWatch+114j
		mov	eax, [ebp+var_570]
		mov	eax, [eax]
		mov	[ebp+var_568], eax
		jmp	loc_449B38
; 

loc_5AE70F:				; CODE XREF: NtGetWriteWatch+9AFj
		mov	eax, 0C000009Ah
		jmp	loc_44A266
; 

loc_5AE719:				; CODE XREF: NtGetWriteWatch+1F4j
		push	0
		lea	eax, [ebp+var_56C]
		push	eax
		push	77576D4Dh
		push	[ebp+var_548]
		mov	eax, ds:_PsProcessType
		push	eax
		push	8
		push	ecx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_520], esi
		test	esi, esi
		js	loc_5AEA98
		mov	esi, [ebp+var_56C]
		jmp	loc_449BA0
; 

loc_5AE756:				; CODE XREF: NtGetWriteWatch+21Bj
		mov	esi, 0C00000F2h
		jmp	loc_44A049
; 

loc_5AE760:				; CODE XREF: NtGetWriteWatch+227j
		lea	eax, [ebp+var_434]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	[ebp+var_524], 1
		mov	eax, [ebp+var_528]
		jmp	loc_449BCD
; 

loc_5AE785:				; CODE XREF: NtGetWriteWatch+277j
		mov	esi, [ebp+var_520]
		cmp	esi, 0C00000A0h
		jnz	loc_44A04F
		jmp	loc_44A044
; 

loc_5AE79C:				; CODE XREF: NtGetWriteWatch+2C5j
		mov	ecx, eax
		shl	ecx, 0Ch
		dec	ecx
		test	ecx, edi
		jz	short loc_5AE7B0
		mov	esi, 0C00000F1h
		jmp	loc_44A049
; 

loc_5AE7B0:				; CODE XREF: NtGetWriteWatch+164E04j
		test	[ebp+var_52C], ecx
		jz	loc_449C6B
		mov	esi, 0C00000F2h
		jmp	loc_44A049
; 

loc_5AE7C6:				; CODE XREF: NtGetWriteWatch+314j
		mov	eax, [eax]
		mov	[ebp+var_578], eax
		test	eax, eax
		jnz	loc_449CB0
		jmp	loc_449CBA
; 

loc_5AE7DB:				; CODE XREF: NtGetWriteWatch+37Aj
		mov	eax, offset unk_6D3C40
		jmp	loc_449D26
; 

loc_5AE7E5:				; CODE XREF: NtGetWriteWatch+3E0j
					; NtGetWriteWatch+164E58j
		cmp	eax, 0C07FFFFFh
		ja	loc_449D86
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	short loc_5AE7E5
		jmp	loc_449D86
; 

loc_5AE7FF:				; CODE XREF: NtGetWriteWatch+3ECj
		cmp	eax, ds:dword_6D2E88
		jb	short loc_5AE813
		cmp	eax, ds:dword_6D2E8C
		jbe	loc_449D92

loc_5AE813:				; CODE XREF: NtGetWriteWatch+164E65j
		mov	ecx, 1
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	ecx, eax
		jmp	loc_449DA4
; 

loc_5AE824:				; CODE XREF: NtGetWriteWatch+A7Ej
		test	byte ptr [ebp+arg_4], 1
		jz	short loc_5AE846
		mov	ecx, [ebp+var_530]
		mov	edx, ecx
		shr	edx, 3
		add	edx, [ebp+var_548]
		and	ecx, 7
		movsx	eax, byte ptr [edx]
		btr	eax, ecx
		mov	[edx], al

loc_5AE846:				; CODE XREF: NtGetWriteWatch+164E88j
		mov	eax, esi
		shl	eax, 9
		mov	ecx, [ebp+var_564]
		mov	[ecx], eax
		add	ecx, 4
		mov	[ebp+var_564], ecx
		mov	eax, [ebp+var_554]
		inc	eax
		mov	[ebp+var_554], eax
		cmp	eax, [ebp+var_568]
		jz	loc_44A000
		jmp	loc_44A424
; 

loc_5AE87A:				; CODE XREF: NtGetWriteWatch+4DBj
		mov	esi, [ebp+var_53C]
		mov	edx, ecx
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		sub	edx, 40000000h
		mov	ecx, 200h
		cmp	eax, 1
		jbe	short loc_5AE8C2
		dec	eax

loc_5AE89C:				; CODE XREF: NtGetWriteWatch+164F20j
		shl	ecx, 9
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		sub	edx, 40000000h
		sub	eax, 1
		jnz	short loc_5AE89C

loc_5AE8C2:				; CODE XREF: NtGetWriteWatch+164EF9j
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_53C], eax
		lea	edi, [esi+8]
		mov	[ebp+var_520], edi
		test	edi, 0FFFh
		jz	short loc_5AE932

loc_5AE8E8:				; CODE XREF: NtGetWriteWatch+164F88j
		cmp	edi, edx
		ja	short loc_5AE932
		mov	edi, [edi]
		nop
		mov	eax, [ebp+var_520]
		mov	eax, [eax+4]
		mov	[ebp+var_548], eax
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	short loc_5AE92C
		and	edi, 80h
		or	edi, 0
		mov	edi, [ebp+var_520]
		jz	short loc_5AE932
		add	edi, 8
		mov	[ebp+var_520], edi
		test	edi, 0FFFh
		jnz	short loc_5AE8E8
		jmp	short loc_5AE932
; 

loc_5AE92C:				; CODE XREF: NtGetWriteWatch+164F66j
		mov	edi, [ebp+var_520]

loc_5AE932:				; CODE XREF: NtGetWriteWatch+164F46j
					; NtGetWriteWatch+164F4Aj ...
		sub	edi, 8
		mov	[ebp+var_520], edi
		jmp	loc_449E87
; 

loc_5AE940:				; CODE XREF: NtGetWriteWatch+57Dj
		or	eax, 2
		mov	[ebp+var_524], eax
		test	byte ptr [ebp+arg_4], 1
		jz	loc_449F67
		mov	ecx, [ebp+var_530]
		mov	edx, ecx
		shr	edx, 3
		add	edx, [ebp+var_548]
		and	ecx, 7
		movsx	eax, byte ptr [edx]
		btr	eax, ecx
		mov	[edx], al
		mov	eax, [ebp+var_52C]
		mov	[ebp+var_548], eax
		mov	ecx, [ebp+var_538]

loc_5AE981:				; CODE XREF: NtGetWriteWatch+165020j
		mov	edx, [ecx]
		nop
		mov	eax, [ecx+4]
		mov	[ebp+var_590], eax
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	short loc_5AE9B0
		and	edx, 42h
		or	edx, 0
		jz	short loc_5AE9B0
		lea	edx, [ebp+var_4CC]
		call	MiMakePteClean
		mov	ecx, [ebp+var_538]

loc_5AE9B0:				; CODE XREF: NtGetWriteWatch+164FF5j
					; NtGetWriteWatch+164FFDj
		add	ecx, 8
		mov	[ebp+var_538], ecx
		sub	[ebp+var_548], 1
		jnz	short loc_5AE981
		mov	eax, [ebp+var_524]
		jmp	loc_449F67
; 

loc_5AE9CD:				; CODE XREF: NtGetWriteWatch+60Dj
					; NtGetWriteWatch+16503Aj
		mov	edx, eax
		mov	ecx, eax
		and	ecx, 0FFFFFFFCh
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5AE9CD
		jmp	loc_449FB3
; 

loc_5AE9E1:				; CODE XREF: NtGetWriteWatch+723j
		xor	edx, edx
		jmp	loc_44A0D0
; 

loc_5AE9E8:				; CODE XREF: NtGetWriteWatch+A06j
		push	0
		push	[ebp+var_548]
		push	edi
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AE9FC:				; CODE XREF: NtGetWriteWatch+7E2j
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_574]
		jmp	loc_44A18E
; 

loc_5AEA10:				; CODE XREF: NtGetWriteWatch+AC5j
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_44A46B
; 

loc_5AEA21:				; CODE XREF: NtGetWriteWatch+AF8j
		push	[ebp+var_560]
		lea	edx, [edi+18h]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_44A1AE
; 

loc_5AEA36:				; CODE XREF: NtGetWriteWatch+703j
		mov	edi, [ebp+var_550]
		jmp	loc_44A1C5
; 

loc_5AEA41:				; CODE XREF: NtGetWriteWatch+837j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_44A1DD
; 

loc_5AEA4E:				; CODE XREF: NtGetWriteWatch+84Aj
		xor	edx, edx
		lea	ecx, [ebp+var_434]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_44A1F0
; 

loc_5AEA60:				; CODE XREF: NtGetWriteWatch+857j
		mov	edx, 77576D4Dh
		mov	ecx, [ebp+var_56C]
		call	ObfDereferenceObjectWithTag
		jmp	loc_44A1FD
; END OF FUNCTION CHUNK	FOR NtGetWriteWatch

;  S U B	R O U T	I N E 


sub_5AEA75	proc near		; DATA XREF: .text:006A1078o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-598h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_5AEA75	endp


;  S U B	R O U T	I N E 


sub_5AEA88	proc near		; DATA XREF: .text:006A107Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-598h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
sub_5AEA88	endp

; START	OF FUNCTION CHUNK FOR NtGetWriteWatch

loc_5AEA98:				; CODE XREF: NtGetWriteWatch+85Fj
					; NtGetWriteWatch+164DA5j
		mov	edi, [ebp+var_55C]
		jmp	loc_44A256
; END OF FUNCTION CHUNK	FOR NtGetWriteWatch

;  S U B	R O U T	I N E 


sub_5AEAA3	proc near		; DATA XREF: .text:006A106Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-59Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_5AEAA3	endp


;  S U B	R O U T	I N E 


sub_5AEAB6	proc near		; DATA XREF: .text:006A1070o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-59Ch]
		jmp	loc_44A266
sub_5AEAB6	endp

; 
; START	OF FUNCTION CHUNK FOR MiLockVadCore

loc_5AEACB:				; CODE XREF: MiLockVadCore+1Cj
		test	dl, 2
		jnz	short loc_5AEAE0
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 2
		lock cmpxchg [esi], ecx
		jmp	loc_44A4E2
; 

loc_5AEAE0:				; CODE XREF: MiLockVadCore+164626j
		and	[ebp+var_4], 0

loc_5AEAE4:				; CODE XREF: MiLockVadCore+164649j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	edx, [esi]
		test	dl, 1
		jnz	short loc_5AEAE4
		jmp	loc_44A4C1
; END OF FUNCTION CHUNK	FOR MiLockVadCore
; 
; START	OF FUNCTION CHUNK FOR MiMakePteClean

loc_5AEAF8:				; CODE XREF: MiMakePteClean+36j
					; MiMakePteClean+164600j
		cmp	edx, 0C07FFFFFh
		ja	short loc_5AEB0C
		shl	edx, 9
		inc	eax
		cmp	edx, 0C0000000h
		jnb	short loc_5AEAF8

loc_5AEB0C:				; CODE XREF: MiMakePteClean+1645F4j
		mov	[esp+20h+var_10], eax
		test	eax, eax
		jz	loc_44A546
		mov	eax, large fs:124h
		mov	edx, ecx
		push	0
		mov	esi, [eax+80h]
		lea	ecx, [esi+240h]
		call	MiLockPageTableInternal
		mov	ebx, [esp+20h+var_4]
		lea	ecx, [esi+240h]
		mov	edi, [esp+20h+var_8]
		mov	edx, [esp+20h+var_14]
		push	ebx
		push	edi
		push	0
		call	MiUnlockNestedPageTableWritePte
		push	[esp+20h+var_14]
		mov	edx, [esp+24h+var_10]
		mov	ecx, [esp+24h+var_C]
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)
		jmp	loc_44A557
; END OF FUNCTION CHUNK	FOR MiMakePteClean
; 
; START	OF FUNCTION CHUNK FOR MiIsPfnEnclave

loc_5AEB64:				; CODE XREF: MiIsPfnEnclave+Bj
		mov	eax, [ecx+18h]
		and	eax, 70000000h
		cmp	eax, 10000000h
		jnz	loc_44ABED
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, ecx
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	edx, eax
		jmp	short loc_5AEBA0
; 

loc_5AEB89:				; CODE XREF: MiIsPfnEnclave+163FC6j
		mov	ecx, [esi+0Ch]
		cmp	edx, ecx
		jb	short loc_5AEB9E
		mov	eax, edx
		sub	eax, ecx
		cmp	eax, [esi+10h]
		jb	short loc_5AEBA9
		mov	esi, [esi+4]
		jmp	short loc_5AEBA0
; 

loc_5AEB9E:				; CODE XREF: MiIsPfnEnclave+163FB2j
		mov	esi, [esi]

loc_5AEBA0:				; CODE XREF: MiIsPfnEnclave+163FABj
					; MiIsPfnEnclave+163FC0j
		test	esi, esi
		jnz	short loc_5AEB89
		jmp	loc_44ABED
; 

loc_5AEBA9:				; CODE XREF: MiIsPfnEnclave+163FBBj
		test	esi, esi
		jz	loc_44ABED
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR MiIsPfnEnclave
; 
; START	OF FUNCTION CHUNK FOR MiLockPageAndSetDirty

loc_5AEBB6:				; CODE XREF: MiLockPageAndSetDirty+29j
					; MiLockPageAndSetDirty+16344Fj
		lea	ecx, [esp+18h+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5AEBB6
		jmp	loc_44B798
; END OF FUNCTION CHUNK	FOR MiLockPageAndSetDirty
; 
; START	OF FUNCTION CHUNK FOR KiTimerExpiration

loc_5AEBCA:				; CODE XREF: KiTimerExpiration+30j
		mov	eax, ebx
		jmp	loc_44B898
; 

loc_5AEBD1:				; CODE XREF: KiTimerExpiration+A8j
		push	602h
		mov	[ebp+var_14], eax
		lea	ecx, [ebp+var_28]
		push	0F50h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], edi
		push	40020000h
		mov	edx, 1
		mov	[ebp+var_10], 0
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 10h
		mov	[ebp+var_1C], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	edx, [ebp+var_34]
		jmp	loc_44B8FE
; 

loc_5AEC1A:				; CODE XREF: KiTimerExpiration+12Cj
		sub	eax, ecx
		mov	[ebx+2248h], eax
		jmp	loc_44B98C
; END OF FUNCTION CHUNK	FOR KiTimerExpiration
; 
; START	OF FUNCTION CHUNK FOR KiExpireTimerTable

loc_5AEC27:				; CODE XREF: KiExpireTimerTable+40j
		mov	al, [edx+3CCh]
		or	al, 0E0h
		add	al, al
		mov	byte ptr [ebp+arg_0+3],	al
		jmp	loc_44BA36
; 

loc_5AEC39:				; CODE XREF: KiExpireTimerTable+56j
		mov	eax, [edi+54h]
		cmp	eax, [ebp+arg_10]
		ja	loc_44BAB8
		jb	loc_44BA4C
		mov	eax, [edi+50h]
		cmp	eax, [ebp+arg_C]
		ja	loc_44BAB8
		jmp	loc_44BA4C
; 

loc_5AEC5C:				; CODE XREF: KiExpireTimerTable+1A5j
		mov	eax, [ebp+var_4]
		movzx	eax, byte ptr [eax-1E9Ch]
		mov	[ebp+var_10], eax
		mov	eax, edx
		shl	eax, 6
		jmp	loc_44BBAB
; 

loc_5AEC73:				; CODE XREF: KiExpireTimerTable+161j
		xor	ecx, ecx
		lea	eax, [edi+40h]
		lock and [eax],	ecx
		mov	edx, [ebp+arg_18]
		mov	ecx, [ebp+var_14]
		push	10h
		push	[ebp+var_4]
		call	KiProcessExpiredTimerList
		mov	[ebp+arg_4], 1
		cmp	esi, [esi]
		jnz	loc_44BA53
		jmp	loc_44BAB1
; 

loc_5AEC9F:				; CODE XREF: KiExpireTimerTable+151j
		push	eax
		push	ecx
		push	1
		push	8
		push	0C7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AECAF:				; CODE XREF: KiExpireTimerTable+122j
					; KiExpireTimerTable+130j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5AECB6:				; CODE XREF: KiProcessExpiredTimerList+69j
		mov	al, 1
		jmp	loc_44BC51
; END OF FUNCTION CHUNK	FOR KiExpireTimerTable
; 
; START	OF FUNCTION CHUNK FOR KiProcessExpiredTimerList

loc_5AECBD:				; CODE XREF: KiProcessExpiredTimerList+8Fj
					; KiProcessExpiredTimerList+1630E9j ...
		lea	ecx, [ebp+var_6C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	al, al
		js	short loc_5AECBD
		lock bts dword ptr [esi], 7
		jb	short loc_5AECBD
		mov	al, [ebp+var_51]
		mov	ecx, [ebp+var_58]
		mov	edx, [ebp+var_5C]
		jmp	loc_44BC75
; 

loc_5AECE0:				; CODE XREF: KiProcessExpiredTimerList+97j
		mov	eax, [esi+10h]
		mov	[ebp+var_20], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+20h]
		test	eax, eax
		jz	short loc_5AECFE
		mov	eax, [eax+0Ch]
		mov	[ebp+var_14], eax
		jmp	loc_44BC7D
; 

loc_5AECFE:				; CODE XREF: KiProcessExpiredTimerList+163111j
		mov	[ebp+var_14], 0
		jmp	loc_44BC7D
; 

loc_5AED0A:				; CODE XREF: KiProcessExpiredTimerList+AFj
		mov	[ebp+var_18], esi
		lea	eax, [ebp+var_20]
		mov	cl, [esi+1]
		mov	edx, 1
		push	602h
		shr	cl, 2
		push	0F51h
		mov	[ebp+var_10], cl
		lea	ecx, [ebp+var_30]
		push	40020000h
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], 0
		mov	[ebp+var_28], 18h
		mov	[ebp+var_24], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	eax, [ebp+var_60]
		jmp	loc_44BC95
; 

loc_5AED55:				; CODE XREF: KiProcessExpiredTimerList+BAj
		cmp	dword ptr [ecx+3B1Ch], 0
		jz	short loc_5AED6F
		push	2
		push	0
		mov	edx, 1
		call	KiProcessThreadWaitList
		mov	eax, [ebp+var_60]

loc_5AED6F:				; CODE XREF: KiProcessExpiredTimerList+16317Cj
		cmp	[ebp+var_68], 0
		jz	short loc_5AED87
		push	0
		mov	edx, 20000080h
		lea	ecx, [ebp+var_50]
		call	EtwGetKernelTraceTimestampSilo
		mov	eax, [ebp+var_60]

loc_5AED87:				; CODE XREF: KiProcessExpiredTimerList+163193j
		mov	edx, [eax+0Ch]
		mov	ecx, [ebp+var_5C]
		mov	[ebp+var_64], edx
		call	_KiBeginDpcLog@8 ; KiBeginDpcLog(x,x)
		mov	esi, eax
		mov	eax, [ebp+var_58]
		mov	ecx, eax
		mov	dword ptr [eax+4B0h], 0
		call	KiResetGlobalDpcWatchdogProfiler
		mov	ecx, [ebp+var_58]
		mov	eax, [ebp+var_5C]
		mov	byte ptr [ecx+223Ah], 1
		mov	ecx, [eax+0Ch]
		push	ecx
		mov	ecx, [eax+8]
		push	ecx
		mov	ecx, [ebp+var_60]
		mov	eax, [ecx+10h]
		push	eax
		push	ecx
		call	[ebp+var_64]
		mov	ecx, [ebp+var_58]
		mov	edx, [ebp+var_74]
		mov	byte ptr [ecx+223Ah], 0
		mov	eax, ds:_KeTickCount
		mov	[esi+8], eax
		mov	eax, [ebp+var_70]
		mov	eax, [eax+13Ch]
		cmp	edx, eax
		jnz	short loc_5AEE1D
		cmp	[ebp+var_68], 0
		jz	loc_44BCA0
		lea	eax, [ebp+var_50]
		mov	edx, 20000080h
		push	eax
		push	400A02h
		push	4
		lea	eax, [ebp+var_64]
		mov	ecx, 0F45h
		push	eax
		call	_EtwTraceTimedEvent@24 ; EtwTraceTimedEvent(x,x,x,x,x,x)
		mov	ecx, [ebp+var_58]
		jmp	loc_44BCA0
; 

loc_5AEE1D:				; CODE XREF: KiProcessExpiredTimerList+16320Bj
		push	eax
		push	edx
		push	[ebp+var_64]
		push	5
		push	0C7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5AEE2F:				; CODE XREF: KiTimerWaitTest+4FEj
		mov	eax, [ecx+2248h]
		mov	dword ptr [ecx+2244h], 0
		mov	[esp+0A4h+var_7C], eax
		cmp	eax, 5F5E100h
		jnb	loc_44C1E4
		mov	eax, ds:_KeTimeIncrement
		add	eax, [esp+0A4h+var_7C]
		mov	[ecx+2248h], eax
		jmp	loc_44C1E4
; END OF FUNCTION CHUNK	FOR KiProcessExpiredTimerList
; 
; START	OF FUNCTION CHUNK FOR KiTimerWaitTest

loc_5AEE62:				; CODE XREF: KiTimerWaitTest+170j
		mov	esi, 0FFDF000Ch
		lea	edi, [esi-4]

loc_5AEE6A:				; CODE XREF: KiTimerWaitTest+1631A2j
		lea	ecx, [esp+60h+var_24]
		call	KeYieldProcessorEx
		mov	edx, [esi]
		mov	ecx, 0FFDF0010h
		mov	eax, [edi]
		mov	[esp+60h+var_40], eax
		cmp	edx, [ecx]
		jnz	short loc_5AEE6A
		mov	edi, [esp+60h+var_2C]
		mov	esi, [esp+60h+var_4C]
		jmp	loc_44BE56
; 

loc_5AEE91:				; CODE XREF: KiTimerWaitTest+3D7j
		push	0
		push	100h
		call	KiTryUnwaitThread

loc_5AEE9D:				; CODE XREF: KiTimerWaitTest+317j
					; KiTimerWaitTest+327j	...
		mov	eax, [esp+60h+var_40]
		cmp	eax, esi
		jz	loc_44BD98
		mov	ecx, [esp+60h+var_50]
		jmp	loc_44BDE7
; 

loc_5AEEB2:				; CODE XREF: KiTimerWaitTest+22Bj
		push	0
		push	100h
		jmp	loc_44BD80
; 

loc_5AEEBE:				; CODE XREF: KiTimerWaitTest+3D0j
		mov	esi, 0FFDF0018h
		lea	ebx, [esi-4]
		lea	edi, [esi+4]

loc_5AEEC9:				; CODE XREF: KiTimerWaitTest+163204j
		lea	ecx, [esp+60h+var_20]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		mov	[esp+60h+var_14], eax
		mov	eax, [ebx]
		mov	[esp+60h+var_18], eax
		mov	eax, [edi]
		cmp	[esp+60h+var_14], eax
		jnz	short loc_5AEEC9
		mov	edi, [esp+60h+var_2C]
		mov	esi, [esp+60h+var_4C]
		mov	ebx, [ebp+arg_0]
		jmp	loc_44BDC6
; END OF FUNCTION CHUNK	FOR KiTimerWaitTest
; 
; START	OF FUNCTION CHUNK FOR ExpGetPoolTagInfoTarget

loc_5AEEF6:				; CODE XREF: ExpGetPoolTagInfoTarget+8Fj
		lea	eax, [eax+eax*2]
		shl	eax, 4
		push	eax		; size_t
		mov	eax, ds:_PoolTrackTableExpansion
		push	eax		; void *
		mov	eax, [ecx+8]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_44C455
; END OF FUNCTION CHUNK	FOR ExpGetPoolTagInfoTarget
; 
; START	OF FUNCTION CHUNK FOR KiAbThreadGetIoQoSPriority

loc_5AEF14:				; CODE XREF: KiAbThreadGetIoQoSPriority+7j
		cmp	dword ptr [ecx+330h], 0
		jnz	loc_44C539
		xor	eax, eax
		retn
; END OF FUNCTION CHUNK	FOR KiAbThreadGetIoQoSPriority
; 

loc_5AEF24:				; CODE XREF: .text:0044C65Dj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_44C66A
; 
; START	OF FUNCTION CHUNK FOR KiReadyOutSwappedThreads

loc_5AEF31:				; CODE XREF: KiReadyOutSwappedThreads+65j
		movzx	eax, byte ptr [ebx+15Fh]
		mov	ecx, ebx
		mov	dl, [ebx+15Eh]
		push	0
		push	eax
		call	_EtwTraceReadyThread@16	; EtwTraceReadyThread(x,x,x,x)
		jmp	loc_44C70B
; 

loc_5AEF4D:				; CODE XREF: KiReadyOutSwappedThreads+123j
		mov	eax, ds:_KeTickCount
		sub	eax, [ecx+138h]
		add	[ecx+170h], eax
		jmp	loc_44C7C9
; 

loc_5AEF63:				; CODE XREF: KiReadyOutSwappedThreads+162j
		mov	cl, 1
		call	esi
		and	dword ptr [edi+58h], 0FFFFFFBFh
		jmp	short loc_5AEF79
; 

loc_5AEF6D:				; CODE XREF: KiReadyOutSwappedThreads+9Ej
		mov	cl, 1
		call	esi
		mov	eax, [esp+20h+var_14]
		and	dword ptr [eax+58h], 0FFFFFFBFh

loc_5AEF79:				; CODE XREF: KiReadyOutSwappedThreads+1628CBj
		push	0
		push	0
		push	0
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		jmp	loc_44C744
; 

loc_5AEF89:				; CODE XREF: KiReadyOutSwappedThreads+81j
		cmp	dword ptr [edi+8], 0
		jz	loc_44C748
		mov	al, [edi+223Ah]
		test	al, al
		jnz	loc_44C748
		mov	cl, 2
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		jmp	loc_44C748
; END OF FUNCTION CHUNK	FOR KiReadyOutSwappedThreads
; 
; START	OF FUNCTION CHUNK FOR KiProcessThreadWaitList

loc_5AEFAE:				; CODE XREF: KiProcessThreadWaitList+B5j
		push	[ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	_EtwTraceReadyThread@16	; EtwTraceReadyThread(x,x,x,x)
		jmp	loc_44C8CB
; END OF FUNCTION CHUNK	FOR KiProcessThreadWaitList
; 
; START	OF FUNCTION CHUNK FOR KiOutSwapProcesses

loc_5AEFBE:				; CODE XREF: KiOutSwapProcesses+C5j
					; KiOutSwapProcesses+1626DBj
		lea	ecx, [esp+38h+var_10]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5AEFBE
		jmp	loc_44C9B0
; 

loc_5AEFD2:				; CODE XREF: KiOutSwapProcesses+D3j
		or	dword ptr [ebx+58h], 2
		jmp	loc_44C9D1
; 

loc_5AEFDB:				; CODE XREF: KiOutSwapProcesses+DBj
		mov	eax, ds:_KeTickCount
		sub	eax, [ebx+138h]
		cmp	byte ptr [ebx+93h], 0
		jnz	short loc_5AF001
		add	[ebx+250h], eax
		adc	dword ptr [ebx+254h], 0
		jmp	loc_44C9D1
; 

loc_5AF001:				; CODE XREF: KiOutSwapProcesses+1626FDj
		add	[ebx+258h], eax
		adc	dword ptr [ebx+25Ch], 0
		jmp	loc_44C9D1
; 

loc_5AF013:				; CODE XREF: KiOutSwapProcesses+FCj
		movzx	eax, byte ptr [ebx+15Fh]
		mov	ecx, ebx
		mov	dl, [ebx+15Eh]
		push	0
		push	eax
		call	_EtwTraceReadyThread@16	; EtwTraceReadyThread(x,x,x,x)
		jmp	loc_44C9F2
; 

loc_5AF02F:				; CODE XREF: KiOutSwapProcesses+133j
		xor	edx, edx
		mov	ecx, eax
		call	KiAbProcessContextSwitch
		lea	esi, [edi+2224h]
		mov	[esp+38h+var_8], 0

loc_5AF046:				; CODE XREF: KiOutSwapProcesses+1627FDj
		lock bts dword ptr [esi], 0
		jb	loc_5AF0DE
		mov	edx, [edi+8]
		mov	[esp+38h+var_18], edx
		mov	dword ptr [edi+8], 0
		cli
		mov	edx, [esp+38h+var_24]
		mov	ecx, edi
		push	0
		call	KiEndThreadCycleAccumulation
		sti
		mov	ecx, [esp+38h+var_18]
		mov	esi, [esp+38h+var_1C]
		mov	[edi+4], ecx
		mov	al, [ecx+90h]
		cmp	al, 1
		jnz	short loc_5AF094
		mov	eax, ds:_KeTickCount
		sub	eax, [ecx+138h]
		add	[ecx+170h], eax

loc_5AF094:				; CODE XREF: KiOutSwapProcesses+162791j
		mov	eax, [esp+38h+var_24]
		mov	edx, eax
		mov	byte ptr [ecx+90h], 2
		mov	ecx, edi
		mov	byte ptr [eax+18Bh], 20h
		mov	[eax+92h], bl
		call	KiQueueReadyThread
		push	[esp+38h+var_20]
		mov	edi, [esp+3Ch+var_24]
		mov	ecx, edi
		mov	edx, [esp+3Ch+var_18]
		call	@KiSwapContext@12 ; KiSwapContext(x,x,x)
		test	al, al
		jz	loc_44CA33
		mov	cl, 1
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	dword ptr [edi+58h], 0FFFFFFBFh
		jmp	short loc_5AF102
; 

loc_5AF0DE:				; CODE XREF: KiOutSwapProcesses+16275Bj
					; KiOutSwapProcesses+1627FBj
		lea	ecx, [esp+38h+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5AF0DE
		jmp	loc_5AF046
; 

loc_5AF0F2:				; CODE XREF: KiOutSwapProcesses+13Dj
		mov	cl, 1
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+38h+var_24]
		and	dword ptr [eax+58h], 0FFFFFFBFh

loc_5AF102:				; CODE XREF: KiOutSwapProcesses+1627ECj
		push	0
		push	0
		push	0
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		jmp	loc_44CA33
; 

loc_5AF112:				; CODE XREF: KiOutSwapProcesses+11Ej
		mov	eax, [esp+38h+var_24]
		cmp	dword ptr [eax+8], 0
		jz	loc_44CA3B
		mov	al, [eax+223Ah]
		test	al, al
		jnz	loc_44CA3B
		mov	cl, 2
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		jmp	loc_44CA3B
; 

loc_5AF13B:				; CODE XREF: KiOutSwapProcesses+63j
					; KiOutSwapProcesses+6Bj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5AF142:				; CODE XREF: KiReadyThread+F2j
		mov	edi, [esi+80h]
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	eax, [edi+7Ch]
		test	al, 7
		jz	short loc_5AF15D
		mov	edx, edi
		jmp	loc_44CC39
; 

loc_5AF15D:				; CODE XREF: KiOutSwapProcesses+162864j
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		jmp	loc_44CB65
; END OF FUNCTION CHUNK	FOR KiOutSwapProcesses
; 
; START	OF FUNCTION CHUNK FOR MmOutSwapProcess

loc_5AF16A:				; CODE XREF: MmOutSwapProcess+54j
		mov	eax, [esi+14h]
		cmp	dword ptr [eax+14h], 0
		jz	loc_44CCA0
		mov	ecx, ebx
		call	_MiReleaseCommitForResetPages@4	; MiReleaseCommitForResetPages(x)
		jmp	loc_44CCA0
; 

loc_5AF183:				; CODE XREF: MmOutSwapProcess+61j
		test	byte ptr [ebx+2A3h], 2
		jnz	loc_44CCAD
		and	[ebp+var_30], 0
		lea	edx, [ebp+var_24]
		xor	eax, eax
		mov	[ebp+var_34], 7
		inc	eax
		mov	byte ptr [ebp-32h], 4
		mov	[ebp-33h], al
		mov	ecx, offset dword_6D3540
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_28], eax
		mov	[ebp+var_2C], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

loc_5AF1BE:				; CODE XREF: MmOutSwapProcess+162659j
		mov	al, [ebx+2A1h]
		mov	cl, al
		shr	cl, 4
		test	al, 6
		jnz	short loc_5AF222
		test	cl, cl
		jnz	short loc_5AF222
		mov	ecx, 80h
		lea	eax, [ebx+0FCh]
		lock or	[eax], ecx
		lea	eax, [ebx+250h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_5AF455
		cmp	[ecx], eax
		jnz	loc_5AF455
		mov	[ecx], edx
		mov	[edx+4], ecx
		and	dword ptr [eax], 0
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	loc_5AF2A4
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5AF2D3
; 

loc_5AF222:				; CODE XREF: MmOutSwapProcess+162585j
					; MmOutSwapProcess+162589j
		test	cl, cl
		jnz	loc_5AF45A
		lea	eax, [ebp+var_34]
		mov	[ebx+278h], eax
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5AF24B
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5AF27A
; 

loc_5AF24B:				; CODE XREF: MmOutSwapProcess+1625F6j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_5AF26A
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	short loc_5AF27A
		call	KxWaitForLockChainValid

loc_5AF26A:				; CODE XREF: MmOutSwapProcess+16260Aj
		xor	ecx, ecx
		mov	[ebp+var_24], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5AF27A:				; CODE XREF: MmOutSwapProcess+162603j
					; MmOutSwapProcess+16261Dj
		mov	cl, [ebp+var_1C]
		call	edi
		push	ecx
		push	12h
		pop	edx
		lea	ecx, [ebp+var_34]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		lea	edx, [ebp+var_24]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		and	dword ptr [ebx+278h], 0
		jmp	loc_5AF1BE
; 

loc_5AF2A4:				; CODE XREF: MmOutSwapProcess+1625C6j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_5AF2C3
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	short loc_5AF2D3
		call	KxWaitForLockChainValid

loc_5AF2C3:				; CODE XREF: MmOutSwapProcess+162663j
		xor	ecx, ecx
		mov	[ebp+var_24], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5AF2D3:				; CODE XREF: MmOutSwapProcess+1625D7j
					; MmOutSwapProcess+162676j
		mov	cl, [ebp+var_1C]
		call	edi
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_5AF2E8
		call	MiEmptyPageAccessLog
		and	dword ptr [esi+18h], 0

loc_5AF2E8:				; CODE XREF: MmOutSwapProcess+162697j
		xor	esi, esi
		mov	[ebp+var_8], esi

loc_5AF2ED:				; CODE XREF: MmOutSwapProcess+1626B4j
		cmp	[ebx+60h], esi
		jz	short loc_5AF2FC
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		jmp	short loc_5AF2ED
; 

loc_5AF2FC:				; CODE XREF: MmOutSwapProcess+1626AAj
		nop
		mov	ecx, [ebx+18h]
		call	KeFlushProcessTb
		cmp	[ebx+304h], esi
		jz	short loc_5AF318
		mov	ecx, [ebx+18h]
		add	ecx, 20h
		call	KeFlushProcessTb

loc_5AF318:				; CODE XREF: MmOutSwapProcess+1626C5j
		mov	eax, [ebx+194h]
		lea	edx, [ebp+var_1]
		push	80000000h
		mov	edi, [eax+18h]
		mov	eax, [eax+1Ch]
		shrd	edi, eax, 0Ch
		and	edi, 1FFFFFFh
		imul	esi, edi, 1Ch
		mov	ecx, edi
		add	esi, ds:_MmPfnDatabase
		mov	[ebp+var_C], esi
		call	MiMapPageInHyperSpaceWorker
		mov	esi, [esi+4]
		shr	esi, 3
		and	esi, 1FFh
		lea	esi, [eax+esi*8]
		nop
		push	4
		pop	edx
		mov	ecx, edi
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	ecx, edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], ecx
		mov	[esi], eax
		nop
		mov	[esi+4], ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_MiOutSwapPageDirectoryPtes@8 ;	MiOutSwapPageDirectoryPtes(x,x)
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, esi
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	edi, [ebp+var_C]
		xor	edx, edx
		mov	ecx, edi
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		mov	ecx, ebx
		call	_MiOutSwapPageDirectoryPages@4 ; MiOutSwapPageDirectoryPages(x)
		lea	edx, [ebp+var_24]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		and	[ebp+var_10], 0
		lea	esi, [edi+10h]
		jmp	short loc_5AF3BF
; 

loc_5AF3B2:				; CODE XREF: MmOutSwapProcess+162777j
					; MmOutSwapProcess+16277Ej
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_5AF3B2

loc_5AF3BF:				; CODE XREF: MmOutSwapProcess+16276Aj
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5AF3B2
		mov	ecx, [ebp+var_14]
		lea	eax, [ebx+1A0h]
		mov	[edi+4], eax
		mov	[eax], ecx
		mov	ecx, [ebp+var_18]
		mov	[eax+4], ecx
		xor	eax, eax
		mov	ecx, edi
		mov	[ebx+280h], eax
		mov	[ebx+284h], eax
		mov	[ebx+288h], eax
		mov	[ebx+28Ch], eax
		call	MiDecrementShareCount
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jz	short loc_5AF41B
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5AF447
; 

loc_5AF41B:				; CODE XREF: MmOutSwapProcess+1627C6j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_5AF43A
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	short loc_5AF447
		call	KxWaitForLockChainValid

loc_5AF43A:				; CODE XREF: MmOutSwapProcess+1627DAj
		mov	[ebp+var_24], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_5AF447:				; CODE XREF: MmOutSwapProcess+1627D3j
					; MmOutSwapProcess+1627EDj
		mov	cl, [ebp+var_1C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_44CCAD
; 

loc_5AF455:				; CODE XREF: MmOutSwapProcess+1625A7j
					; MmOutSwapProcess+1625AFj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5AF45A:				; CODE XREF: MmOutSwapProcess+1625DEj
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jz	short loc_5AF472
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5AF49E
; 

loc_5AF472:				; CODE XREF: MmOutSwapProcess+16281Dj
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_5AF491
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	short loc_5AF49E
		call	KxWaitForLockChainValid

loc_5AF491:				; CODE XREF: MmOutSwapProcess+162831j
		mov	[ebp+var_24], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_5AF49E:				; CODE XREF: MmOutSwapProcess+16282Aj
					; MmOutSwapProcess+162844j
		mov	cl, [ebp+var_1C]
		call	edi
		jmp	loc_44CCAD
; END OF FUNCTION CHUNK	FOR MmOutSwapProcess
; 
; START	OF FUNCTION CHUNK FOR IoSetIoCompletionEx2

loc_5AF4A8:				; CODE XREF: IoSetIoCompletionEx2+135j
		mov	eax, 0C000009Ah
		jmp	loc_44CD98
; 

loc_5AF4B2:				; CODE XREF: IoSetIoCompletionEx2+55j
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)
		mov	ecx, [ebp+arg_0]
		jmp	loc_44CD1B
; END OF FUNCTION CHUNK	FOR IoSetIoCompletionEx2
; 
; START	OF FUNCTION CHUNK FOR MmInSwapProcess

loc_5AF4CD:				; CODE XREF: MmInSwapProcess+28j
		movzx	eax, word ptr [ebx+72h]
		mov	edx, 0C0603018h
		push	eax
		lea	eax, [ebx+1A0h]
		push	0FFFFFFFFh
		and	eax, 0FFFh
		push	eax
		call	_MiMakeOutswappedPageResident@20 ; MiMakeOutswappedPageResident(x,x,x,x,x)
		mov	edi, eax
		mov	esi, edx
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], esi
		nop
		mov	ecx, edi
		lea	edx, [ebp+var_1]
		mov	eax, esi
		shrd	ecx, eax, 0Ch
		push	80000000h
		and	ecx, 1FFFFFFh
		mov	[ebp+var_C], ecx
		call	MiMapPageInHyperSpaceWorker
		mov	[ebp+var_8], eax
		xor	edx, edx
		lea	ecx, [eax+18h]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_5AF575
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5AF546
		xor	eax, eax
		lea	edx, [eax+1]
		cmp	byte ptr ds:word_6D07B8+1, al
		jnz	short loc_5AF575
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jnz	short loc_5AF56F
		jmp	short loc_5AF575
; 

loc_5AF546:				; CODE XREF: MmInSwapProcess+162693j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_5AF575
		mov	eax, [ebp+var_18]
		and	eax, 1
		or	eax, 0
		jz	short loc_5AF575
		mov	edi, [ebp+var_18]
		mov	esi, [ebp+var_14]

loc_5AF56F:				; CODE XREF: MmInSwapProcess+1626AAj
		or	esi, 80000000h

loc_5AF575:				; CODE XREF: MmInSwapProcess+16268Aj
					; MmInSwapProcess+1626A0j ...
		mov	[ecx+4], esi
		nop
		mov	[ecx], edi
		test	edx, edx
		jz	short loc_5AF586
		push	esi
		push	edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_5AF586:				; CODE XREF: MmInSwapProcess+1626E5j
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, [ebp+var_8]
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	edi, [ebp+var_C]
		imul	esi, edi, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp+var_2], al
		mov	ecx, esi
		xor	eax, eax
		lea	edx, [eax+1]
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	ecx, [esi+18h]
		xor	eax, eax
		xor	ecx, edi
		inc	eax
		and	ecx, offset loc_7FFFFF
		mov	edx, ebx
		xor	[esi+18h], ecx
		mov	ecx, esi
		push	eax
		call	_MiSetPageTablePfnBuddy@12 ; MiSetPageTablePfnBuddy(x,x,x)
		test	byte ptr [esi],	1
		mov	dword ptr [esi+4], 0C0603018h
		jnz	short loc_5AF5EB
		xor	eax, eax
		mov	ecx, esi
		lea	edx, [eax+1]
		call	_MiMarkPfnTradable@8 ; MiMarkPfnTradable(x,x)

loc_5AF5EB:				; CODE XREF: MmInSwapProcess+162745j
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, edi
		mov	ecx, ebx
		call	_MiInSwapPageDirectories@8 ; MiInSwapPageDirectories(x,x)
		push	4
		pop	eax
		lea	edi, [ebx+240h]
		mov	ecx, offset dword_6D3540
		lea	edx, [ebp+var_24]
		mov	[edi+48h], eax
		mov	[edi+4Ch], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	esi, [ebx+0FCh]
		test	dword ptr [esi], 800000h
		jz	short loc_5AF641
		mov	eax, 0FF7FFFFFh
		lock and [esi],	eax
		mov	ecx, ebx
		call	MiUpdateSystemPdes

loc_5AF641:				; CODE XREF: MmInSwapProcess+162798j
		xor	edx, edx
		mov	ecx, edi
		call	MiReturnWsToExpansionList
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		test	ds:byte_70EFC6,	1
		jz	short loc_5AF668
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5AF697
; 

loc_5AF668:				; CODE XREF: MmInSwapProcess+1627C1j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_5AF687
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	short loc_5AF697
		call	KxWaitForLockChainValid

loc_5AF687:				; CODE XREF: MmInSwapProcess+1627D5j
		xor	ecx, ecx
		mov	[ebp+var_24], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5AF697:				; CODE XREF: MmInSwapProcess+1627CEj
					; MmInSwapProcess+1627E8j
		mov	cl, [ebp+var_1C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	dword ptr ds:byte_70EFC4, 800h
		jz	loc_44CEC6
		mov	ecx, ebx
		call	_EtwTraceInswapProcess@4 ; EtwTraceInswapProcess(x)
		jmp	loc_44CEC6
; END OF FUNCTION CHUNK	FOR MmInSwapProcess
; 
; START	OF FUNCTION CHUNK FOR IopInsertIrpInCompletionQueue

loc_5AF6BC:				; CODE XREF: IopInsertIrpInCompletionQueue+48j
		mov	edx, edi
		lea	ecx, [ebp+var_1C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_44D03B
; 

loc_5AF6CB:				; CODE XREF: IopInsertIrpInCompletionQueue+98j
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_C]
		lea	edx, [ebx+58h]
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)
		jmp	loc_44D07E
; 

loc_5AF6E6:				; CODE XREF: IopInsertIrpInCompletionQueue+107j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_44D10F
; END OF FUNCTION CHUNK	FOR IopInsertIrpInCompletionQueue
; 
; START	OF FUNCTION CHUNK FOR MiMakeSystemAddressValid

loc_5AF6F6:				; CODE XREF: MiMakeSystemAddressValid+36Ej
		mov	edi, offset unk_6D2E58
		jmp	short loc_5AF702
; 

loc_5AF6FD:				; CODE XREF: MiMakeSystemAddressValid+376j
		mov	edi, offset unk_6D2E54

loc_5AF702:				; CODE XREF: MiMakeSystemAddressValid+16228Bj
		xor	ecx, ecx
		mov	[esp+40h+var_34], ecx
		jmp	loc_44D51C
; 

loc_5AF70D:				; CODE XREF: MiMakeSystemAddressValid+9Dj
		lea	edi, [ebx+2A0h]
		jmp	loc_44D51C
; 

loc_5AF718:				; CODE XREF: MiMakeSystemAddressValid+3ECj
		mov	[esp+40h+var_34], offset unk_6D2E58
		jmp	short loc_5AF72A
; 

loc_5AF722:				; CODE XREF: MiMakeSystemAddressValid+3FAj
		mov	[esp+40h+var_34], offset unk_6D2E54

loc_5AF72A:				; CODE XREF: MiMakeSystemAddressValid+1622B0j
		mov	esi, 0C0603018h
		sub	esi, edi
		sar	esi, 3
		add	esi, esi
		jmp	loc_44D5DC
; 

loc_5AF73B:				; CODE XREF: MiMakeSystemAddressValid+157j
		lea	eax, [ecx+48h]
		lea	eax, [ebx+eax*4]
		jmp	loc_44D5D8
; 

loc_5AF746:				; CODE XREF: MiMakeSystemAddressValid+2F6j
		mov	[esp+40h+var_34], offset unk_6D2E58
		jmp	short loc_5AF758
; 

loc_5AF750:				; CODE XREF: MiMakeSystemAddressValid+2FFj
		mov	[esp+40h+var_34], offset unk_6D2E54

loc_5AF758:				; CODE XREF: MiMakeSystemAddressValid+1622DEj
		mov	eax, [esp+40h+var_34]
		mov	esi, 0C0603018h
		sub	esi, edx
		sar	esi, 3
		add	esi, esi
		jmp	loc_44D65D
; 

loc_5AF76D:				; CODE XREF: MiMakeSystemAddressValid+1D7j
		add	eax, 48h
		lea	eax, [ebx+eax*4]
		jmp	loc_44D659
; 

loc_5AF778:				; CODE XREF: MiMakeSystemAddressValid+265j
		mov	ecx, edi
		call	MiFlushTbList
		jmp	loc_44D6DB
; 

loc_5AF784:				; CODE XREF: MiMakeSystemAddressValid+275j
		call	MiUnlockWorkingSetExclusive
		jmp	loc_44D6F0
; 

loc_5AF78E:				; CODE XREF: MiMakeSystemAddressValid+2A2j
		mov	al, [ebx+60h]
		mov	esi, offset unk_6D3C40
		and	al, 7
		cmp	al, 2
		jz	short loc_5AF7A2
		lea	esi, [ebx+80h]

loc_5AF7A2:				; CODE XREF: MiMakeSystemAddressValid+16232Aj
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	eax, [ebp+arg_8]
		mov	edi, [esp+40h+var_20]
		mov	dword ptr [esi+4], 0
		mov	esi, [esp+40h+var_28]
		jmp	loc_44D4B5
; 

loc_5AF7BF:				; CODE XREF: MiMakeSystemAddressValid+29Aj
		mov	ecx, 1
		call	_MiFlushAllFilesystemPages@4 ; MiFlushAllFilesystemPages(x)
		push	[esp+40h+var_28]
		push	[esp+44h+var_C]
		push	esi
		push	1
		push	7Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5AF7DC:				; CODE XREF: ExpValidateWorkItem+7j
		push	esi
		push	edx
		push	ecx
		push	1
		jmp	short loc_5AF7E8
; END OF FUNCTION CHUNK	FOR MiMakeSystemAddressValid
; 
; START	OF FUNCTION CHUNK FOR ExpValidateWorkItem

loc_5AF7E3:				; CODE XREF: ExpValidateWorkItem+20j
		push	esi
		push	eax
		push	ecx
		push	7

loc_5AF7E8:				; CODE XREF: ExpValidateWorkItem+32j
					; MiMakeSystemAddressValid+162371j
		push	0E4h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5AF7F3:				; CODE XREF: ExQueueWorkItem+36j
		push	0FFFFFFFFh
		push	esi
		push	dword ptr [ebp+8]
		push	5
		push	0E4h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5AF806:				; CODE XREF: KiTryUnwaitThreadWithPriority+115j
		mov	eax, ds:_KeTickCount
		mov	[esi+224h], eax
		jmp	loc_44DECB
; END OF FUNCTION CHUNK	FOR ExpValidateWorkItem
; 
; START	OF FUNCTION CHUNK FOR NtReleaseWorkerFactoryWorker

loc_5AF816:				; CODE XREF: NtReleaseWorkerFactoryWorker+7Ej
		mov	edx, ebx
		lea	ecx, [esp+30h+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_44DFA2
; 

loc_5AF826:				; CODE XREF: NtReleaseWorkerFactoryWorker+99j
		mov	[esp+30h+var_18], 80h
		jmp	loc_44DFE5
; 

loc_5AF833:				; CODE XREF: NtReleaseWorkerFactoryWorker+A5j
		mov	[esp+30h+var_18], 0C0000001h
		jmp	loc_44DFE5
; 

loc_5AF840:				; CODE XREF: NtReleaseWorkerFactoryWorker+DCj
		mov	edx, [ebp+4]
		lea	ecx, [esp+30h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_44E018
; 

loc_5AF851:				; CODE XREF: NtReleaseWorkerFactoryWorker+128j
		xor	dl, dl
		mov	cl, 1
		call	IopAllocateMiniCompletionPacket
		test	eax, eax
		jz	loc_44E0D8
		push	0
		push	0
		mov	edx, eax
		mov	dword ptr [eax+0Ch], 0
		mov	ecx, esi
		mov	dword ptr [eax+10h], 0
		mov	dword ptr [eax+14h], 0
		mov	dword ptr [eax+18h], 0
		call	KeInsertQueueEx
		jmp	loc_44E0D8
; 

loc_5AF890:				; CODE XREF: NtReleaseWorkerFactoryWorker+172j
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [esp+30h+var_14]
		mov	edx, ebx
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)
		jmp	loc_44E088
; END OF FUNCTION CHUNK	FOR NtReleaseWorkerFactoryWorker
; 
; START	OF FUNCTION CHUNK FOR ExpWorkerFactoryCheckCreate

loc_5AF8AB:				; CODE XREF: ExpWorkerFactoryCheckCreate+3Aj
		mov	edx, ebx
		lea	ecx, [ebp+var_10]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_44E1CC
; 

loc_5AF8BA:				; CODE XREF: ExpWorkerFactoryCheckCreate+1DEj
		lea	ecx, [esi+68h]
		mov	[ebp+arg_0], ecx
		mov	ecx, [ecx]
		test	ecx, 3000h
		jnz	short loc_5AF8E7
		mov	ebx, [ebp+arg_0]
		and	ecx, 0FFFFDFFFh
		or	ecx, 1000h
		mov	[ebp+var_4], 3
		mov	[ebx], ecx
		jmp	loc_44E394
; 

loc_5AF8E7:				; CODE XREF: ExpWorkerFactoryCheckCreate+161748j
		mov	eax, ecx
		and	eax, 3000h
		cmp	eax, 1000h
		jnz	loc_44E303
		test	bl, bl
		jz	loc_44E303
		mov	ebx, [ebp+arg_0]
		and	ecx, 0FFFFEFFFh
		or	ecx, 2000h
		mov	[ebp+var_4], 2
		mov	[ebx], ecx
		jmp	loc_44E394
; 

loc_5AF91E:				; CODE XREF: ExpWorkerFactoryCheckCreate+12Aj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_44E2CD
; 

loc_5AF92D:				; CODE XREF: ExpWorkerFactoryCheckCreate+22Dj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_44E3D0
; 

loc_5AF93C:				; CODE XREF: ExpWorkerFactoryCheckCreate+24Aj
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_5AF943:				; CODE XREF: ExpWorkerFactoryCheckCreate+237j
		mov	dword ptr [edi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_44E3D0
; 

loc_5AF959:				; CODE XREF: ExpWorkerFactoryCheckCreate+7Cj
					; ExpWorkerFactoryCheckCreate+18Aj ...
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_44E21F
; END OF FUNCTION CHUNK	FOR ExpWorkerFactoryCheckCreate
; 

loc_5AF968:				; CODE XREF: .text:0044E7C5j
		xor	edx, edx
		mov	[ebp+10h], edx
		jmp	loc_44E7CB
; 

loc_5AF972:				; CODE XREF: .text:0044E7D6j
		lea	edx, [ebp-14h]
		mov	ecx, esi
		call	MmGetNextNode
		mov	ecx, eax
		movzx	eax, ds:_KeNumberNodes
		cmp	ecx, eax
		jb	loc_44E7B1
		jmp	loc_44E8E2
; 

loc_5AF992:				; CODE XREF: .text:0044E7FFj
		xor	ebx, ebx
		mov	[ebp+0Ch], ebx
		jmp	loc_44E805
; 

loc_5AF99C:				; CODE XREF: .text:0044E8ADj
		cmp	esi, ebx
		jnz	loc_44E880
		jmp	loc_44E908
; 
; START	OF FUNCTION CHUNK FOR MiFillPoolCommitPageTable

loc_5AF9A9:				; CODE XREF: MiFillPoolCommitPageTable+64j
		xor	ecx, ecx
		mov	[ebp+var_14], ecx
		jmp	loc_44EAE2
; 

loc_5AF9B3:				; CODE XREF: MiFillPoolCommitPageTable+A2j
		mov	eax, ds:_ZeroPte
		mov	[edi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edi+4], eax
		jmp	loc_44EA4D
; 

loc_5AF9C8:				; CODE XREF: MiFillPoolCommitPageTable+15Dj
		push	0
		push	0
		push	edi
		push	5310h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5AF9DA:				; CODE XREF: KiCheckDueTimeExpired+8Aj
		mov	edi, 0FFDF0018h

loc_5AF9DF:				; CODE XREF: MiFillPoolCommitPageTable+161077j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	esi, [edi]
		mov	eax, 0FFDF0014h
		mov	ebx, [eax]
		add	eax, 8
		mov	eax, [eax]
		cmp	esi, eax
		jnz	short loc_5AF9DF
		mov	edi, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		jmp	loc_44EB41
; END OF FUNCTION CHUNK	FOR MiFillPoolCommitPageTable
; 
; START	OF FUNCTION CHUNK FOR ExpWorkerThread

loc_5AFA04:				; CODE XREF: ExpWorkerThread+5Fj
		mov	ecx, 38h
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_44EC85
; 

loc_5AFA10:				; CODE XREF: ExpWorkerThread+EFj
		mov	edx, 540h
		mov	ecx, eax
		call	_EtwTraceThreadWorkItem@8 ; EtwTraceThreadWorkItem(x,x)
		push	[ebp+var_18]
		call	dword ptr [ebp+var_14]
		mov	ecx, dword ptr [ebp+var_14]
		mov	edx, 541h
		call	_EtwTraceThreadWorkItem@8 ; EtwTraceThreadWorkItem(x,x)
		jmp	loc_44ED18
; 

loc_5AFA34:				; CODE XREF: ExpWorkerThread+197j
		push	ebx
		push	[ebp+var_18]
		push	dword ptr [ebp+var_14] ; char
		push	(offset	loc_A41AA7+1) ;	char *
		push	0		; int
		push	0		; int
		call	_DbgPrintEx
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		add	esp, 18h
		stosd
		stosd
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		mov	edi, [ebp+var_24]
		jmp	loc_44EDBD
; 

loc_5AFA65:				; CODE XREF: ExpWorkerThread+1AEj
					; ExpWorkerThread+1C0j
		push	0
		lea	eax, [ebp+var_10]
		push	eax
		movzx	eax, word ptr [ecx+8Ah]
		push	eax
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		lea	edx, [ebp+var_10]
		mov	ecx, esi
		call	_KeSetAffinityThread@8 ; KeSetAffinityThread(x,x)
		jmp	loc_44EDE6
; 

loc_5AFA87:				; CODE XREF: ExpWorkerThread+1D6j
		push	ebx
		push	[ebp+var_18]
		push	dword ptr [ebp+var_14] ; char
		push	offset _ExpWorkerActivityIdSetMessage ;	char *
		push	0		; int
		push	0		; int
		call	_DbgPrintEx
		mov	eax, large fs:124h
		add	esp, 18h
		mov	dword ptr [eax+35Ch], 0

loc_5AFAAF:				; CODE XREF: ExpWorkerThread+160E9Dj
		mov	edx, [ebp+var_20]
		jmp	loc_44ECB0
; 

loc_5AFAB7:				; CODE XREF: ExpWorkerThread+228j
		test	ebx, 8000h
		jz	short loc_5AFAAF
		jmp	loc_44EE4E
; 

loc_5AFAC4:				; CODE XREF: ExpWorkerThread+18Dj
		push	ebx
		push	[ebp+var_18]
		push	eax
		push	dword ptr [ebp+var_14]
		push	1D6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AFAD6:				; CODE XREF: ExpWorkerThread+17Bj
		push	ebx
		push	[ebp+var_18]
		shr	eax, 9
		and	eax, 7
		push	eax
		push	dword ptr [ebp+var_14]
		push	15Bh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AFAEE:				; CODE XREF: ExpWorkerThread+16Aj
		push	ebx
		push	[ebp+var_18]
		mov	ecx, esi
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)
		push	eax
		push	dword ptr [ebp+var_14]
		push	129h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AFB07:				; CODE XREF: ExpWorkerThread+15Cj
		push	ebx
		push	[ebp+var_18]
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		push	eax
		push	dword ptr [ebp+var_14]
		push	128h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AFB1E:				; CODE XREF: ExpWorkerThread+14Cj
		push	0
		push	ebx
		push	[ebp+var_18]
		push	dword ptr [ebp+var_14]
		push	19Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AFB31:				; CODE XREF: ExpWorkerThread+13Dj
		movzx	eax, byte ptr [esi+16Ah]
		push	esi
		push	eax
		mov	eax, [esi+80h]
		push	eax
		mov	eax, [esi+150h]
		push	eax
		push	5
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AFB4F:				; CODE XREF: ExpWorkerThread+12Aj
		push	0
		push	ebx
		push	[ebp+var_18]
		push	dword ptr [ebp+var_14]
		push	0DFh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AFB62:				; CODE XREF: ExpWorkerThread+11Cj
		push	ebx
		push	[ebp+var_18]
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	dword ptr [ebp+var_14]
		push	0E1h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AFB7D:				; CODE XREF: ExpWorkerThread+10Ej
		push	1
		push	eax
		movzx	eax, byte ptr [esi+16Ah]
		push	eax
		push	dword ptr [ebp+var_14]
		push	1
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AFB92:				; CODE XREF: ExpWorkerThread+100j
		push	0
		push	ebx
		push	[ebp+var_18]
		push	dword ptr [ebp+var_14]
		push	39h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AFBA2:				; CODE XREF: ExpWorkerThread+253j
		mov	bl, 1
		jmp	loc_44EE7B
; 

loc_5AFBA9:				; CODE XREF: ExpWorkerThread+263j
		push	0
		push	0
		push	esi
		push	0
		push	1D2h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AFBBA:				; CODE XREF: ExpWorkerThread+279j
		mov	eax, [edi+1BCh]
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_44EE9F
; END OF FUNCTION CHUNK	FOR ExpWorkerThread
; 
; START	OF FUNCTION CHUNK FOR KeRemovePriQueue

loc_5AFBCF:				; CODE XREF: KeRemovePriQueue+207j
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_44F12D
		push	ebx
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_44F12F
; 

loc_5AFBE7:				; CODE XREF: KeRemovePriQueue+168j
					; KeRemovePriQueue+160CD3j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5AFBE7
		jmp	loc_44F083
; 

loc_5AFBFA:				; CODE XREF: KeRemovePriQueue+D5j
					; KeRemovePriQueue+160CE6j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5AFBFA
		jmp	loc_44EFF0
; 

loc_5AFC0D:				; CODE XREF: KeRemovePriQueue+239j
		mov	eax, [esi+30h]
		mov	edx, [esi+34h]
		jmp	loc_44F16A
; 

loc_5AFC18:				; CODE XREF: KeRemovePriQueue+A7j
		lea	ebx, [esi+2Ch]
		mov	[ebp+var_14], 0

loc_5AFC22:				; CODE XREF: KeRemovePriQueue+160D54j
		lock bts dword ptr [ebx], 0
		jb	short loc_5AFC66
		mov	eax, [esi+0A4h]
		cmp	eax, edi
		jnz	short loc_5AFC56
		lea	eax, [esi+140h]
		mov	dword ptr [esi+0A4h], 0
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_5AFC76
		cmp	[ecx], eax
		jnz	short loc_5AFC76
		mov	[ecx], edx
		mov	[edx+4], ecx

loc_5AFC56:				; CODE XREF: KeRemovePriQueue+160D11j
		mov	dword ptr [ebx], 0
		mov	ebx, 80h
		jmp	loc_44F0E7
; 

loc_5AFC66:				; CODE XREF: KeRemovePriQueue+160D07j
					; KeRemovePriQueue+160D52j
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5AFC66
		jmp	short loc_5AFC22
; 

loc_5AFC76:				; CODE XREF: KeRemovePriQueue+10Bj
					; KeRemovePriQueue+160D2Bj ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5AFC7D:				; CODE XREF: KeRemovePriQueue+1E4j
		push	2
		push	0
		mov	edx, 1
		mov	ecx, edi
		call	KiProcessThreadWaitList
		jmp	loc_44F10A
; END OF FUNCTION CHUNK	FOR KeRemovePriQueue
; 
; START	OF FUNCTION CHUNK FOR KiBeginThreadWait

loc_5AFC92:				; CODE XREF: KiBeginThreadWait+55j
		cmp	word ptr [esi+13Eh], 0
		jnz	loc_44F24B
		cmp	dl, 1
		jnb	loc_44F24B
		mov	cl, 1
		mov	dword ptr [edi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	0
		push	0
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	al, [ebp+var_1]
		mov	[esi+92h], al
		jmp	loc_44F210
; 

loc_5AFCD6:				; CODE XREF: KiBeginThreadWait+A2j
		mov	byte ptr [eax+esi+56h],	0
		mov	esi, 101h
		jmp	loc_44F2B7
; 

loc_5AFCE5:				; CODE XREF: KiBeginThreadWait+B9j
		mov	byte ptr [esi+56h], 0
		mov	esi, 101h
		jmp	loc_44F2B7
; END OF FUNCTION CHUNK	FOR KiBeginThreadWait
; 
; START	OF FUNCTION CHUNK FOR MiComputeFaultNode

loc_5AFCF3:				; CODE XREF: MiComputeFaultNode+9Dj
		mov	eax, [ebx+14h]
		mov	eax, [eax+16Ch]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	eax, [eax+338h]
		movzx	esi, word ptr [eax+8Ah]
		inc	esi
		jmp	loc_44FADE
; 

loc_5AFD16:				; CODE XREF: MiComputeFaultNode+53j
		cmp	ecx, 0C07FFFFFh
		jbe	loc_44FAA6
		jmp	loc_44FA89
; END OF FUNCTION CHUNK	FOR MiComputeFaultNode
; 
; START	OF FUNCTION CHUNK FOR MmIsAddressValidEx

loc_5AFD27:				; CODE XREF: MmIsAddressValidEx+6Aj
		cmp	esi, 0C07FFFFFh
		jbe	loc_44FB9E
		jmp	loc_44FB97
; END OF FUNCTION CHUNK	FOR MmIsAddressValidEx
; 
; START	OF FUNCTION CHUNK FOR MiLinkPoolCommitChain

loc_5AFD38:				; CODE XREF: MiLinkPoolCommitChain+D3j
		push	0
		push	edi
		push	esi
		push	5308h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AFD48:				; CODE XREF: MiLinkPoolCommitChain+33j
		mov	edi, esi
		mov	[ebp+var_10], 0
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		mov	[ebp+var_C], 0
		sub	edi, 40000000h
		mov	eax, [edi]
		mov	[ebp+var_8], eax
		nop
		mov	eax, [edi+4]
		push	0
		push	300h
		mov	[ebp+var_4], eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebp+var_8]
		cmp	ecx, eax
		mov	eax, [ebp+var_4]
		jnz	short loc_5AFD8D
		cmp	eax, edx
		jz	short loc_5AFDAD

loc_5AFD8D:				; CODE XREF: MiLinkPoolCommitChain+15E227j
		push	eax
		push	ecx
		call	_MiIsPoolPteInUse@8 ; MiIsPoolPteInUse(x,x)
		test	eax, eax
		jz	short loc_5AFDAD
		push	0
		push	[ebp+var_8]
		shl	esi, 9
		push	esi
		push	5304h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5AFDAD:				; CODE XREF: MiLinkPoolCommitChain+15E22Bj
					; MiLinkPoolCommitChain+15E236j
		mov	ecx, [ebx+8]
		add	dword ptr [ebx+0Ch], 200h
		push	1
		push	1
		mov	eax, [ecx]
		sub	ecx, ds:_MmPfnDatabase
		mov	[ebx+8], eax
		mov	eax, 92492493h
		imul	ecx
		push	200h
		add	edx, ecx
		mov	ecx, offset _MiSystemPartition
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		mov	edx, eax
		mov	[ebp+var_8], eax
		call	MiUpdateLargePageBitMap
		movzx	eax, word ptr [ebx+2Eh]
		xor	ecx, ecx
		mov	edx, [ebp+var_8]
		shr	eax, 3
		and	eax, 1Fh
		or	eax, 0A4000000h
		push	eax
		call	MiMakeValidPte
		mov	ebx, eax
		mov	[ebp+var_C], edx
		lea	eax, [edi+3FA00000h]
		mov	[ebp+var_C], edx
		mov	ecx, edi
		cmp	eax, 3FFFh
		ja	short loc_5AFE27
		push	edx
		push	ebx
		call	MiWriteTopLevelPxe
		jmp	short loc_5AFE95
; 

loc_5AFE27:				; CODE XREF: MiLinkPoolCommitChain+15E2BCj
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_5AFE80
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5AFE58
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	ecx, 1
		jnz	short loc_5AFE82
		mov	eax, ebx
		and	eax, ecx
		or	eax, 0
		jz	short loc_5AFE82
		or	edx, 80000000h
		jmp	short loc_5AFE82
; 

loc_5AFE58:				; CODE XREF: MiLinkPoolCommitChain+15E2D7j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_5AFE80
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	short loc_5AFE80
		or	edx, 80000000h

loc_5AFE80:				; CODE XREF: MiLinkPoolCommitChain+15E2CEj
					; MiLinkPoolCommitChain+15E30Ej ...
		xor	ecx, ecx

loc_5AFE82:				; CODE XREF: MiLinkPoolCommitChain+15E2E5j
					; MiLinkPoolCommitChain+15E2EEj ...
		mov	[edi+4], edx
		nop
		mov	[edi], ebx
		test	ecx, ecx
		jz	short loc_5AFE95
		push	edx
		push	ebx
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_5AFE95:				; CODE XREF: MiLinkPoolCommitChain+15E2C5j
					; MiLinkPoolCommitChain+15E32Aj
		mov	edx, esi
		mov	ecx, esi
		call	MiReplicatePteChange
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_MiInitializeLargeNonPagedPoolLeafFrames@8 ; MiInitializeLargeNonPagedPoolLeafFrames(x,x)
		jmp	loc_451C1C
; END OF FUNCTION CHUNK	FOR MiLinkPoolCommitChain
; 
; START	OF FUNCTION CHUNK FOR KeFlushMultipleRangeTb

loc_5AFEAD:				; CODE XREF: KeFlushMultipleRangeTb+3Aj
		test	al, 2
		jnz	loc_451FE3
		cmp	ds:_KeNumberProcessors,	1
		jz	loc_451E80
		test	edi, edi
		jnz	loc_451FE3
		mov	[ebp+var_28], edi
		lea	eax, [ebp+var_28]
		xor	edx, edx
		lock or	[eax], edx
		call	ecx
		mov	esi, large fs:20h
		mov	[ebp+var_11], al
		mov	ecx, [esi+4]
		mov	ecx, [ecx+80h]
		mov	edx, [ecx+60h]
		mov	ecx, [esi+3C8h]
		not	ecx
		test	ecx, edx
		jz	short loc_5AFF06
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_451FE3
; 

loc_5AFF06:				; CODE XREF: KeFlushMultipleRangeTb+15E0B7j
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jz	short loc_5AFF24
		mov	esi, ebx
		mov	edi, ecx

loc_5AFF11:				; CODE XREF: KeFlushMultipleRangeTb+15E0DFj
		mov	eax, [esi]
		push	eax
		call	_KiFlushRangeTb@8 ; KiFlushRangeTb(x,x)
		lea	esi, [esi+4]
		sub	edi, 1
		jnz	short loc_5AFF11
		mov	al, [ebp+var_11]

loc_5AFF24:				; CODE XREF: KeFlushMultipleRangeTb+15E0CBj
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	cl, al
		call	edi
		mov	esi, [ebp+var_18]
		jmp	short loc_5AFF39
; 

loc_5AFF33:				; CODE XREF: KeFlushMultipleRangeTb+1D0j
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

loc_5AFF39:				; CODE XREF: KeFlushMultipleRangeTb+15E0F1j
		mov	eax, [ebp+arg_0]
		cmp	eax, 4
		jnz	loc_451F65
		mov	cl, 1
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)
		jmp	loc_451F62
; 

loc_5AFF51:				; CODE XREF: KeFlushMultipleRangeTb+12Cj
		push	eax
		mov	edx, ebx
		mov	ecx, esi
		call	_VmFlushTb@12	; VmFlushTb(x,x,x)
		jmp	loc_451F72
; 

loc_5AFF60:				; CODE XREF: KeFlushMultipleRangeTb+139j
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	[ebp+arg_0]
		mov	edx, [ebp+var_24]
		mov	ecx, esi
		mov	bl, al
		call	_ExFlushTb@12	; ExFlushTb(x,x,x)
		mov	cl, bl
		call	edi
		jmp	loc_451F7F
; END OF FUNCTION CHUNK	FOR KeFlushMultipleRangeTb
; 
; START	OF FUNCTION CHUNK FOR MiSanitizePfnProtection

loc_5AFF80:				; CODE XREF: MiSanitizePfnProtection+60j
		cmp	edx, 8
		jnz	short loc_5AFF8F
		and	esi, 0FFFFFFEFh
		or	esi, edx
		jmp	loc_452927
; 

loc_5AFF8F:				; CODE XREF: MiSanitizePfnProtection+15D683j
		cmp	edx, 18h
		jnz	loc_452927
		or	esi, edx
		jmp	loc_452927
; END OF FUNCTION CHUNK	FOR MiSanitizePfnProtection
; 
; START	OF FUNCTION CHUNK FOR MiRevertValidPte

loc_5AFF9F:				; CODE XREF: MiRevertValidPte+31j
		shr	edx, 12h
		and	edx, 3
		mov	edi, ds:_MiVadPageIndices[edx*4]
		mov	[esp+58h+var_24], edi
		test	edi, edi
		jnz	short loc_5AFFBF
		mov	eax, 1
		sub	eax, edi
		mov	[esp+58h+var_14], eax

loc_5AFFBF:				; CODE XREF: MiRevertValidPte+15BE92j
		mov	ecx, ds:_MiVadPageSizes[edx*4]
		mov	esi, ecx
		mov	[esp+58h+var_3C], ecx
		mov	[esp+58h+var_28], esi
		lea	eax, [ecx-10h]
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFF1h
		add	eax, 10h
		mov	[esp+58h+var_20], eax
		cmp	ecx, 10h
		jnz	loc_454171
		lea	esi, [ecx-0Fh]
		jmp	loc_45416D
; 

loc_5AFFF2:				; CODE XREF: MiRevertValidPte+7Cj
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		and	eax, 18h
		cmp	al, 18h
		jz	loc_4541BB

loc_5B0002:				; DATA XREF: .text:00407D54o
		or	ebx, 18h
		jmp	loc_4541BB
; 

loc_5B000A:				; CODE XREF: MiRevertValidPte+8Dj
		cmp	eax, 8
		jz	loc_4541BB
		and	ebx, 0FFFFFFEFh
		or	ebx, 8
		jmp	loc_4541BB
; 

loc_5B001E:				; CODE XREF: MiRevertValidPte+95j
		and	ebx, 0FFFFFFE7h
		jmp	loc_4541BB
; 

loc_5B0026:				; CODE XREF: MiRevertValidPte+E8j
		test	bl, 2
		jz	loc_45420E
		test	esi, esi
		jz	short loc_5B00A5
		mov	[esp+58h+var_2C], esi
		lea	edi, [ecx+10h]
		mov	esi, ecx

loc_5B003C:				; CODE XREF: MiRevertValidPte+15BF70j
					; DATA XREF: .text:00410E18o
		mov	[esp+58h+var_10], 0
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_5B0061

loc_5B004B:				; CODE XREF: MiRevertValidPte+15BF38j
					; MiRevertValidPte+15BF3Fj
		lea	ecx, [esp+58h+var_10]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_5B004B
		lock bts dword ptr [edi], 1Fh
		jb	short loc_5B004B

loc_5B0061:				; CODE XREF: MiRevertValidPte+15BF29j
		push	0
		mov	edx, 1
		mov	ecx, esi
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		test	eax, eax
		jnz	short loc_5B007D
		lea	edx, [eax+7]
		mov	ecx, esi
		call	_MiMarkPfnVerified@8 ; MiMarkPfnVerified(x,x)

loc_5B007D:				; CODE XREF: MiRevertValidPte+15BF51j
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		add	esi, 1Ch
		add	edi, 1Ch
		sub	[esp+58h+var_2C], 1
		jnz	short loc_5B003C
		mov	edx, [ebp+arg_4]
		mov	edi, [esp+58h+var_24]
		mov	[esp+58h+var_38], esi
		mov	esi, [esp+58h+var_28]
		mov	ecx, [esp+58h+var_38]

loc_5B00A5:				; CODE XREF: MiRevertValidPte+15BF11j
		lea	eax, ds:0[esi*8]
		sub	eax, esi
		neg	eax
		lea	ecx, [ecx+eax*4]
		mov	[esp+58h+var_38], ecx
		jmp	loc_45420E
; 

loc_5B00BC:				; CODE XREF: MiRevertValidPte+A4j
					; MiRevertValidPte+C3j
		mov	[esp+58h+var_38], 0
		jmp	loc_45420E
; 

loc_5B00C9:				; CODE XREF: MiRevertValidPte+F0j
		or	ebx, 4000000h
		jmp	loc_454216
; 

loc_5B00D4:				; CODE XREF: MiRevertValidPte+149j
		cmp	ecx, 0C0603FFFh
		ja	loc_45426F
		cmp	ecx, 0C0603018h
		jnz	short loc_5B00F0
		or	esi, 80000000h
		jmp	short loc_5B00FE
; 

loc_5B00F0:				; CODE XREF: MiRevertValidPte+15BFC6j
		test	ebx, 4000000h
		jnz	short loc_5B0102
		and	esi, 7FFFFFFFh

loc_5B00FE:				; CODE XREF: MiRevertValidPte+15BFCEj
		mov	[esp+58h+var_48], esi

loc_5B0102:				; CODE XREF: MiRevertValidPte+15BFD6j
		call	_MiUserPdeOrAbove@4 ; MiUserPdeOrAbove(x)
		mov	edx, [ebp+arg_4]
		test	eax, eax
		jz	loc_45426F
		or	edi, 4
		mov	[esp+58h+var_48], esi
		jmp	loc_45426F
; 

loc_5B011E:				; CODE XREF: MiRevertValidPte+17Aj
		cmp	eax, 0C0000000h
		jb	loc_4542A0

loc_5B0129:				; CODE XREF: MiRevertValidPte+15C018j
		cmp	eax, 0C07FFFFFh
		ja	short loc_5B013A
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	short loc_5B0129

loc_5B013A:				; CODE XREF: MiRevertValidPte+15C00Ej
		mov	[esp+58h+var_28], eax
		jmp	loc_4542A0
; 

loc_5B0143:				; CODE XREF: MiRevertValidPte+186j
		shr	eax, 15h
		mov	al, byte ptr ds:dword_6D3994[eax]
		cmp	al, 1
		jz	loc_4542C1
		cmp	al, 0Bh
		jz	loc_4542C1
		mov	eax, [esp+58h+var_28]
		add	eax, 40000000h
		cmp	eax, offset loc_7FFFFF
		jbe	loc_4542C1
		mov	eax, [esp+58h+var_28]
		cmp	eax, ds:dword_6D2E88
		jb	short loc_5B018F
		cmp	eax, ds:dword_6D2E8C
		movzx	eax, byte ptr ds:word_6D07B8+1
		jbe	loc_4542B3

loc_5B018F:				; CODE XREF: MiRevertValidPte+15C05Aj
		movzx	eax, byte ptr ds:word_6D07B8
		jmp	loc_4542B3
; 

loc_5B019B:				; CODE XREF: MiRevertValidPte+1A3j
		mov	eax, [esp+58h+var_18]
		and	al, 5
		cmp	al, 4
		jnz	loc_4542C9
		or	edi, 42h
		mov	[esp+58h+var_48], esi
		jmp	loc_4542C9
; 

loc_5B01B5:				; CODE XREF: MiRevertValidPte+1AFj
		and	edi, 0FFFFFFFBh
		mov	[esp+58h+var_48], esi
		jmp	loc_4542D5
; 

loc_5B01C1:				; CODE XREF: MiRevertValidPte+1BBj
		mov	al, byte ptr ds:word_6D07B8
		and	edi, 0FFFFFEFFh
		and	al, 1
		movzx	eax, al
		cdq
		shld	edx, eax, 8
		shl	eax, 8
		or	edi, eax
		or	esi, edx
		mov	edx, [ebp+arg_4]
		mov	[esp+58h+var_48], esi
		jmp	loc_4542E1
; 

loc_5B01E9:				; CODE XREF: MiRevertValidPte+1C7j
		and	edi, 0FFFFFEFFh
		mov	[esp+58h+var_48], esi
		jmp	loc_4542ED
; 

loc_5B01F8:				; CODE XREF: MiRevertValidPte+1D3j
		or	edi, 80h
		mov	[esp+58h+var_48], esi
		jmp	loc_4542F9
; 

loc_5B0207:				; CODE XREF: MiRevertValidPte+1DEj
		test	bl, 4
		jz	loc_454304
		or	edi, 42h
		mov	[esp+58h+var_48], esi
		jmp	loc_454304
; 

loc_5B021C:				; CODE XREF: MiRevertValidPte+256j
		mov	eax, 1
		mov	[esp+58h+var_28], eax
		jmp	loc_4543BF
; 

loc_5B022A:				; CODE XREF: MiRevertValidPte+2ABj
		mov	eax, large fs:124h
		mov	edx, ecx
		push	0
		mov	esi, [eax+80h]
		lea	ecx, [esi+240h]
		call	MiLockPageTableInternal
		mov	ebx, [esp+58h+var_48]
		lea	ecx, [esi+240h]
		mov	edx, [esp+58h+var_2C]
		push	ebx
		push	edi
		push	0
		call	MiUnlockNestedPageTableWritePte
		mov	edx, [ebp+arg_4]
		mov	ecx, [esp+58h+var_2C]
		mov	eax, [esp+58h+var_28]
		jmp	loc_4543DB
; 

loc_5B026C:				; CODE XREF: MiRevertValidPte+31Cj
		mov	cl, [esi+4]
		test	cl, 8
		jnz	short loc_5B0287
		lea	eax, [edx+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_5B0287
		or	cl, 8
		mov	[esi+4], cl

loc_5B0287:				; CODE XREF: MiRevertValidPte+15C152j
					; MiRevertValidPte+15C15Fj
		mov	ecx, [esp+58h+var_3C]
		jmp	loc_454442
; 

loc_5B0290:				; CODE XREF: MiRevertValidPte+4A6j
		and	eax, 3FFh
		lea	ecx, [eax+edx]
		cmp	ecx, eax
		jbe	loc_4544AF
		cmp	ecx, 3FFh
		ja	loc_4544AF
		push	0
		push	edx
		mov	ecx, esi
		call	_MiMergeTbFlushEntryBackwards@16 ; MiMergeTbFlushEntryBackwards(x,x,x,x)
		jmp	loc_4543F1
; 

loc_5B02BB:				; CODE XREF: MiRevertValidPte+3A8j
		mov	edi, 400h
		jmp	loc_4544D0
; 

loc_5B02C5:				; CODE XREF: MiRevertValidPte+4EDj
		mov	byte ptr [esi+5], 1
		mov	[esi+10h], eax
		jmp	loc_4543F1
; 

loc_5B02D1:				; CODE XREF: MiRevertValidPte+306j
		mov	esi, [esp+58h+var_34]
		mov	ecx, [ebp+arg_8]
		push	esi
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)
		jmp	loc_4543F5
; 

loc_5B02E3:				; CODE XREF: MiRevertValidPte+40Dj
		mov	ecx, esi
		call	_MiRotatedToFrameBuffer@4 ; MiRotatedToFrameBuffer(x)
		test	eax, eax
		jz	loc_45440C
		jmp	loc_454533
; 

loc_5B02F7:				; CODE XREF: MiRevertValidPte+583j
		mov	ecx, offset _MiSystemPartition
		jmp	loc_45455F
; 

loc_5B0301:				; CODE XREF: MiRevertValidPte+451j
		push	ebx
		push	edi
		mov	edx, 1
		call	MiReleasePageFileInfo
		jmp	loc_45440C
; END OF FUNCTION CHUNK	FOR MiRevertValidPte
; 
; START	OF FUNCTION CHUNK FOR MiDeleteVaTail

loc_5B0312:				; CODE XREF: MiDeleteVaTail+9Ej
		push	edx
		lea	edx, [edi+14h]
		call	KeFlushMultipleRangeCurrentTb
		jmp	loc_455D71
; 

loc_5B0320:				; CODE XREF: MiDeleteVaTail+CDj
		mov	ecx, edx
		call	KeFlushCurrentTbOnly
		jmp	loc_455DA0
; END OF FUNCTION CHUNK	FOR MiDeleteVaTail
; 
; START	OF FUNCTION CHUNK FOR MiTerminateWsleCluster

loc_5B032C:				; CODE XREF: MiTerminateWsleCluster+79Aj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	loc_455F51
		or	ecx, 20h
		jmp	loc_455F51
; 

loc_5B0341:				; CODE XREF: MiTerminateWsleCluster+13Bj
		or	ecx, 20h
		mov	[ebp+var_DC], edx
		jmp	loc_455F6C
; 

loc_5B034F:				; CODE XREF: MiTerminateWsleCluster+594j
		mov	eax, 0C0603018h
		jmp	loc_4563BF
; 

loc_5B0359:				; CODE XREF: MiTerminateWsleCluster+7B1j
		push	ecx
		push	[ebp+var_D0]
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_4563CB
; 

loc_5B036C:				; CODE XREF: MiTerminateWsleCluster+187j
		test	cl, 8
		jnz	loc_455FAD
		lea	eax, [edi+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	loc_455FAD
		or	cl, 8
		mov	byte ptr [ebp+var_A4], cl
		jmp	loc_455FAD
; 

loc_5B0394:				; CODE XREF: MiTerminateWsleCluster+4B1j
		and	eax, 3FFh
		lea	ecx, [eax+1]
		cmp	ecx, eax
		jbe	loc_4562D7
		cmp	ecx, 3FFh
		ja	loc_4562D7
		push	0
		push	1
		lea	ecx, [ebp+var_A8]
		call	_MiMergeTbFlushEntryBackwards@16 ; MiMergeTbFlushEntryBackwards(x,x,x,x)
		jmp	loc_456044
; 

loc_5B03C4:				; CODE XREF: MiTerminateWsleCluster+4D8j
		mov	eax, 400h
		mov	[ebp+var_B8], eax
		jmp	loc_456306
; 

loc_5B03D4:				; CODE XREF: MiTerminateWsleCluster+748j
		xor	edi, edi
		cmp	[esi+8], edi
		jbe	short loc_5B042A
		mov	ebx, [ebp+var_B4]

loc_5B03E1:				; CODE XREF: MiTerminateWsleCluster+15A602j
		mov	eax, [ebp+var_B0]
		mov	edx, [eax+edi*8]
		nop
		mov	eax, [eax+edi*8+4]
		shrd	edx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	edx, 1FFFFFFh
		lea	ecx, ds:0[edx*8]
		sub	ecx, edx
		mov	edx, ebx
		lea	eax, [eax+ecx*4]
		mov	ecx, [ebp+var_BC]
		push	eax
		call	_MiUnlockWsle@12 ; MiUnlockWsle(x,x,x)
		inc	edi
		add	ebx, 1000h
		cmp	edi, [esi+8]
		jb	short loc_5B03E1
		mov	ebx, [ebp+var_B0]

loc_5B042A:				; CODE XREF: MiTerminateWsleCluster+15A5B9j
		mov	edi, [ebp+var_B4]
		jmp	loc_45656E
; 

loc_5B0435:				; CODE XREF: MiTerminateWsleCluster+701j
		mov	edx, [ebp+var_B4]
		lea	ecx, [ebp+var_A8]
		push	0
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	loc_456527
; 

loc_5B044F:				; CODE XREF: MiTerminateWsleCluster+772j
		mov	ebx, 2
		jmp	loc_4560F5
; 

loc_5B0459:				; CODE XREF: MiTerminateWsleCluster+2F6j
		mov	ecx, [ebp+var_B4]
		lea	edx, [ebp+var_94]
		push	edi
		call	KeFlushMultipleRangeCurrentTb
		jmp	loc_456290
; 

loc_5B0470:				; CODE XREF: MiTerminateWsleCluster+31Aj
		test	al, 2
		jnz	short loc_5B04CB
		cmp	ds:_KeNumberProcessors,	1
		jz	loc_456140
		test	ebx, ebx
		jnz	short loc_5B04CB
		mov	[ebp+var_F4], ebx
		lea	eax, [ebp+var_F4]
		xor	ecx, ecx
		lock or	[eax], ecx
		call	edi
		mov	esi, large fs:20h
		mov	[ebp+var_A9], al
		mov	ecx, [esi+4]
		mov	ecx, [ecx+80h]
		mov	edx, [ecx+60h]
		mov	ecx, [esi+3C8h]
		not	ecx
		test	ecx, edx
		jz	short loc_5B0532
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_C8]

loc_5B04CB:				; CODE XREF: MiTerminateWsleCluster+15A652j
					; MiTerminateWsleCluster+15A663j
		mov	ecx, [ebp+var_B0]
		lea	eax, [ebp+var_EC]
		push	eax
		lea	edx, [ebp+var_D4]
		call	_KiPrepareFlushParameters@12 ; KiPrepareFlushParameters(x,x,x)
		lea	eax, [ebp+var_94]
		push	eax
		push	[ebp+var_B4]
		push	1
		push	ecx
		push	[ebp+var_EC]
		mov	ecx, ebx
		call	_KiFlushAffinity@4 ; KiFlushAffinity(x)
		mov	ecx, [ebp+var_D4]
		mov	edx, eax
		call	_HvlFlushRangeListTb@28	; HvlFlushRangeListTb(x,x,x,x,x,x,x)
		test	al, al
		jz	short loc_5B056A
		mov	edi, [ebp+var_B4]

loc_5B0517:				; CODE XREF: MiTerminateWsleCluster+15A748j
		mov	eax, [ebp+var_B0]
		cmp	eax, 4
		jnz	loc_456276
		mov	cl, 1
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)
		jmp	loc_456270
; 

loc_5B0532:				; CODE XREF: MiTerminateWsleCluster+15A69Bj
		mov	edi, [ebp+var_B4]
		test	edi, edi
		jz	short loc_5B055A
		lea	esi, [ebp+var_94]
		mov	ebx, edi

loc_5B0544:				; CODE XREF: MiTerminateWsleCluster+15A732j
		mov	eax, [esi]
		push	eax
		call	_KiFlushRangeTb@8 ; KiFlushRangeTb(x,x)
		lea	esi, [esi+4]
		sub	ebx, 1
		jnz	short loc_5B0544
		mov	al, [ebp+var_A9]

loc_5B055A:				; CODE XREF: MiTerminateWsleCluster+15A71Aj
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_C8]
		jmp	short loc_5B0517
; 

loc_5B056A:				; CODE XREF: MiTerminateWsleCluster+15A6EFj
		mov	edx, [ebp+var_B4]
		jmp	loc_456140
; 

loc_5B0575:				; CODE XREF: MiTerminateWsleCluster+45Dj
		push	eax
		lea	edx, [ebp+var_94]
		mov	ecx, edi
		call	_VmFlushTb@12	; VmFlushTb(x,x,x)
		jmp	loc_456283
; 

loc_5B0588:				; CODE XREF: MiTerminateWsleCluster+46Aj
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	[ebp+var_B0]
		lea	edx, [ebp+var_94]
		mov	ecx, edi
		mov	bl, al
		call	_ExFlushTb@12	; ExFlushTb(x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_456290
; 

loc_5B05B2:				; CODE XREF: MiTerminateWsleCluster+612j
		call	KeFlushCurrentTbOnly
		jmp	loc_456290
; END OF FUNCTION CHUNK	FOR MiTerminateWsleCluster
; 
; START	OF FUNCTION CHUNK FOR MiWalkPageTables

loc_5B05BC:				; CODE XREF: MiWalkPageTables+4AAj
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	loc_456B00

loc_5B05CC:				; CODE XREF: MiWalkPageTables+49Dj
		lea	ecx, [eax+8]
		mov	[esi+20h], ecx
		jmp	loc_456B00
; 

loc_5B05D7:				; CODE XREF: MiWalkPageTables+4BEj
		xor	ecx, ecx
		mov	[esi+20h], ecx
		jmp	loc_456B24
; 

loc_5B05E1:				; CODE XREF: MiWalkPageTables+447j
					; MiWalkPageTables+455j
		mov	edx, edi
		jmp	loc_456AAB
; 

loc_5B05E8:				; CODE XREF: MiWalkPageTables+478j
		mov	ds:dword_6D2E90, 2000h
		mov	eax, 2000h
		jmp	loc_456ACE
; 

loc_5B05FC:				; CODE XREF: MiWalkPageTables+68Fj
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_456CE5
		push	eax
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		mov	ecx, [esp+0B0h+var_A0]
		jmp	loc_456CE7
; 

loc_5B0618:				; CODE XREF: MiWalkPageTables+267j
		push	[esp+0B0h+var_A0]
		push	ecx
		push	1
		call	MiPerformSafePdeWrite
		mov	edx, [esp+0B0h+var_94]
		jmp	loc_4568BD
; 

loc_5B062D:				; CODE XREF: MiWalkPageTables+6F4j
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_456D4A
		push	eax
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_456D4C
; 

loc_5B0645:				; CODE XREF: MiWalkPageTables+5A6j
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	loc_456C0C
		cmp	edx, 0C0603010h
		jnz	loc_456C0C
		jmp	loc_456BFC
; 

loc_5B0666:				; CODE XREF: MiWalkPageTables+39Dj
		mov	ecx, [esp+0B0h+var_90]
		mov	edx, eax
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	loc_4569FA
; 

loc_5B0676:				; CODE XREF: MiWalkPageTables+51Fj
		push	offset dword_6D2E64
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		jmp	loc_4569F6
; 

loc_5B0685:				; CODE XREF: MiWalkPageTables+3BFj
		push	offset dword_6D2E64
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	loc_456A15
; END OF FUNCTION CHUNK	FOR MiWalkPageTables
; 
; START	OF FUNCTION CHUNK FOR MiComputePxeWalkAction

loc_5B0694:				; CODE XREF: MiComputePxeWalkAction+6Bj
		mov	[ebp+var_4], 0
		mov	dword ptr [edi+20h], 0
		jmp	loc_457B61
; 

loc_5B06A7:				; CODE XREF: MiComputePxeWalkAction+8Fj
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	loc_457B85
		jmp	loc_457B10
; END OF FUNCTION CHUNK	FOR MiComputePxeWalkAction
; 
; START	OF FUNCTION CHUNK FOR MiGetNextPageTablePte

loc_5B06BC:				; CODE XREF: MiGetNextPageTablePte+EAj
		mov	ecx, 1
		call	_MiFlushAllFilesystemPages@4 ; MiFlushAllFilesystemPages(x)
		mov	ecx, large fs:124h
		push	esi
		mov	ecx, [ecx+80h]
		push	ecx
		push	edi
		push	1
		push	7Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B06DF:				; CODE XREF: MiGetNextPageTablePte+47j
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	loc_45828D
		jmp	loc_45847F
; 

loc_5B06F4:				; CODE XREF: MiGetNextPageTablePte+65j
		mov	eax, ds:dword_6D3518
		cmp	eax, ds:dword_6D351C
		jz	loc_4582AB
		nop
		shrd	edx, ecx, 0Ch
		and	edx, 1FFFFFFh
		cmp	edx, ds:dword_6D3518[edi*4]
		jz	loc_45847F
		jmp	loc_4582AB
; 

loc_5B0722:				; CODE XREF: MiGetNextPageTablePte+334j
		cmp	esi, 0C0603010h
		jnz	loc_45857A
		cmp	al, 7
		jnz	short loc_5B073B
		mov	[ebp+arg_0], offset unk_6D2E58
		jmp	short loc_5B074A
; 

loc_5B073B:				; CODE XREF: MiGetNextPageTablePte+1584F0j
		cmp	al, 5
		jnz	loc_45857A
		mov	[ebp+arg_0], offset unk_6D2E54

loc_5B074A:				; CODE XREF: MiGetNextPageTablePte+1584F9j
		mov	edi, 2
		jmp	loc_45837D
; 

loc_5B0754:				; CODE XREF: MiGetNextPageTablePte+129j
		lea	eax, [edx+120h]
		lea	eax, [eax+ecx*4]
		jmp	loc_45837A
; 

loc_5B0762:				; CODE XREF: MiGetNextPageTablePte+2E0j
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_458526
		push	eax
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_458528
; 

loc_5B077A:				; CODE XREF: MiGetNextPageTablePte+354j
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	short loc_5B07BE
		cmp	eax, 603010h
		jnz	short loc_5B07BE

loc_5B078D:				; CODE XREF: MiGetNextPageTablePte+34Ej
		cmp	dl, 7
		jnz	short loc_5B079B
		mov	[ebp+arg_0], offset unk_6D2E58
		jmp	short loc_5B07A7
; 

loc_5B079B:				; CODE XREF: MiGetNextPageTablePte+158550j
		cmp	dl, 5
		jnz	short loc_5B07BE
		mov	[ebp+arg_0], offset unk_6D2E54

loc_5B07A7:				; CODE XREF: MiGetNextPageTablePte+158559j
		mov	edi, 603018h
		sub	edi, eax
		mov	eax, [ebp+arg_0]
		sar	edi, 3
		add	edi, edi
		mov	[ebp+var_4], edi
		jmp	loc_458411
; 

loc_5B07BE:				; CODE XREF: MiGetNextPageTablePte+158544j
					; MiGetNextPageTablePte+15854Bj ...
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_45840E
; 

loc_5B07CD:				; CODE XREF: MiGetNextPageTablePte+1BDj
		lea	eax, [eax+ecx*4]
		add	eax, 120h
		jmp	loc_45840E
; 

loc_5B07DA:				; CODE XREF: MiGetNextPageTablePte+282j
		lea	esi, [ecx-40000000h]
		jmp	loc_4584C8
; END OF FUNCTION CHUNK	FOR MiGetNextPageTablePte
; 

loc_5B07E5:				; CODE XREF: .text:0045987Ej
		mov	edx, eax
		lea	ecx, [ebp-20h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_459891
; 

loc_5B07F4:				; CODE XREF: .text:004599CCj
		cmp	dword ptr [ebx+10h], 0
		lea	eax, [ebx+10h]
		jz	loc_4598E9
		cmp	ds:dword_6D5D44, eax
		jz	loc_4598E9
		mov	dword ptr [ebp-8], 1
		jmp	loc_4599F8
; 

loc_5B0819:				; CODE XREF: .text:00459A0Dj
		mov	edx, offset dword_6D3540
		lea	ecx, [ebp-14h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_459BD8
; 

loc_5B082B:				; CODE XREF: .text:00459B97j
		mov	ecx, ds:dword_6D5D44
		cmp	dword ptr [ecx+4], offset dword_6D5D44
		jnz	loc_459C0B
		mov	[eax], ecx
		mov	dword ptr [eax+4], offset dword_6D5D44
		mov	[ecx+4], eax
		mov	ds:dword_6D5D44, eax
		jmp	loc_459A33
; 

loc_5B0854:				; CODE XREF: .text:00459A3Aj
		mov	edx, [ebp+4]
		lea	ecx, [ebp-14h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4598E9
; 

loc_5B0864:				; CODE XREF: .text:004598F0j
		mov	edx, [ebp+4]
		lea	ecx, [ebp-20h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_459918
; 

loc_5B0874:				; CODE XREF: .text:0045994Bj
		push	ecx
		push	ebx
		push	edi
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B0883:				; CODE XREF: .text:0045996Fj
		test	edi, edi
		jz	loc_459975
		mov	esi, [ebp-4]

loc_5B088E:				; CODE XREF: .text:005B08A5j
		movzx	edx, byte ptr [ebx+60h]
		mov	ecx, esi
		and	edx, 7
		call	_MiLogRemoveWsleEvent@8	; MiLogRemoveWsleEvent(x,x)
		add	esi, 1000h
		sub	edi, 1
		jnz	short loc_5B088E
		mov	esi, [ebp+14h]
		jmp	loc_459975
; 
; START	OF FUNCTION CHUNK FOR MiAgeWorkingSetTail

loc_5B08AF:				; CODE XREF: MiAgeWorkingSetTail+DAj
		mov	[esp+20h+var_10], 2
		jmp	loc_45A61D
; 

loc_5B08BC:				; CODE XREF: MiAgeWorkingSetTail+94j
		push	[esp+20h+var_C]
		call	KeFlushMultipleRangeCurrentTb
		jmp	loc_45A647
; 

loc_5B08CA:				; CODE XREF: MiAgeWorkingSetTail+3Fj
		cmp	dword ptr [edx], 0
		jz	loc_45A5E5
		push	ecx
		mov	ecx, ebx
		call	_MiQueryEPTAccessedState@12 ; MiQueryEPTAccessedState(x,x,x)
		test	eax, eax
		jz	loc_45A5E5
		mov	edx, [esi+0C0h]
		mov	ecx, ebx
		push	esi
		push	offset _MiAgeWorkingSetEPTCallback@20 ;	MiAgeWorkingSetEPTCallback(x,x,x,x,x)
		call	_MiProcessVmAccessedInfo@16 ; MiProcessVmAccessedInfo(x,x,x,x)
		mov	[esp+20h+var_8], 1
		jmp	loc_45A5BC
; 

loc_5B0903:				; CODE XREF: MiAgeWorkingSetTail+49j
		cmp	[esp+20h+var_8], 0
		jz	loc_45A5F3
		jmp	loc_45A5EF
; END OF FUNCTION CHUNK	FOR MiAgeWorkingSetTail
; 
; START	OF FUNCTION CHUNK FOR MmUnmapViewInSystemCache

loc_5B0913:				; CODE XREF: MmUnmapViewInSystemCache+B9j
		push	[esp+88h+var_3C]
		push	ebx
		push	ecx
		push	782h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B0925:				; CODE XREF: MmUnmapViewInSystemCache+124j
		or	cl, 8
		mov	[esi+4], cl
		jmp	loc_45B2EA
; 

loc_5B0930:				; CODE XREF: MmUnmapViewInSystemCache+13Bj
		lea	eax, [ecx+4]
		lea	eax, [esi+eax*4]
		mov	[esp+88h+var_28], eax
		mov	eax, [eax]
		test	eax, 0C00h
		jnz	loc_45B301
		mov	ecx, eax
		and	ecx, 3FFh
		mov	[esp+88h+var_2C], ecx
		lea	edx, [ecx+1]
		mov	ecx, eax
		shl	edx, 0Ch
		and	ecx, 0FFFFF000h
		add	edx, ecx
		cmp	edx, [esp+88h+var_6C]
		jnz	short loc_5B0997
		mov	ecx, [esp+88h+var_2C]
		lea	edx, [ecx+1]
		cmp	edx, ecx
		jbe	short loc_5B0997
		cmp	edx, 3FFh
		ja	short loc_5B0997
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 3FFh
		xor	eax, ecx
		mov	ecx, [esp+88h+var_28]
		inc	dword ptr [esi+10h]
		mov	[ecx], eax
		jmp	loc_45B368
; 

loc_5B0997:				; CODE XREF: MmUnmapViewInSystemCache+1557A7j
					; MmUnmapViewInSystemCache+1557B2j ...
		mov	ecx, [esp+88h+var_7A+2]
		jmp	loc_45B301
; 

loc_5B09A0:				; CODE XREF: MmUnmapViewInSystemCache+143j
		mov	eax, [esi+ecx*4+10h]
		lea	ebx, [esi+ecx*4]
		test	eax, 0C00h
		jnz	loc_45B309
		mov	ecx, [esp+88h+var_6C]
		mov	edx, eax
		and	edx, 0FFFFF000h
		add	ecx, 1000h
		cmp	edx, ecx
		jnz	short loc_5B09FC
		mov	ecx, eax
		and	ecx, 3FFh
		lea	edx, [ecx+1]
		cmp	edx, ecx
		jbe	short loc_5B09FC
		cmp	edx, 3FFh
		ja	short loc_5B09FC
		add	eax, 0FFFFF000h
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 3FFh
		xor	eax, ecx
		inc	dword ptr [esi+10h]
		mov	[ebx+10h], eax
		jmp	loc_45B368
; 

loc_5B09FC:				; CODE XREF: MmUnmapViewInSystemCache+155806j
					; MmUnmapViewInSystemCache+155815j ...
		mov	ecx, [esp+88h+var_7A+2]
		jmp	loc_45B309
; 

loc_5B0A05:				; CODE XREF: MmUnmapViewInSystemCache+168j
		mov	edx, 400h
		jmp	loc_45B330
; 

loc_5B0A0F:				; CODE XREF: MmUnmapViewInSystemCache+19Ej
		test	byte ptr [esi+4], 4
		jnz	loc_45B364
		push	offset _MiTbFlushSort ;	int __cdecl (*)(const void *,const void	*)
		push	4		; size_t
		push	eax		; size_t
		lea	eax, [esi+14h]
		push	eax		; void *
		call	_qsort
		add	esp, 10h
		mov	ecx, esi
		call	MiCompressTbFlushList
		mov	eax, [esi+0Ch]
		cmp	eax, [esi+8]
		jnz	loc_45B364
		test	edi, edi
		jz	loc_45B368
		mov	[esi+10h], eax

loc_5B0A4B:				; CODE XREF: MmUnmapViewInSystemCache+150j
		mov	byte ptr [esi+5], 1
		jmp	loc_45B368
; 

loc_5B0A54:				; CODE XREF: MmUnmapViewInSystemCache+72Bj
					; MmUnmapViewInSystemCache+1558A0j ...
		lea	ecx, [esp+88h+var_20]
		call	KeYieldProcessorEx
		cmp	dword ptr [ebx], 0
		jl	short loc_5B0A54
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_5B0A54
		jmp	loc_45B8F1
; 

loc_5B0A6E:				; CODE XREF: MmUnmapViewInSystemCache+55Ej
		push	edx
		mov	edx, ebx
		mov	ecx, offset unk_6D5E80
		call	_MiUnlockWsle@12 ; MiUnlockWsle(x,x,x)
		mov	edx, ebx
		mov	ecx, offset unk_6D5E80
		call	MiLocateWsle
		mov	al, [eax]
		mov	byte ptr [esp+88h+var_7A+1], al
		jmp	loc_45B724
; 

loc_5B0A92:				; CODE XREF: MmUnmapViewInSystemCache+6CAj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	loc_45B75A
		mov	eax, [esp+88h+var_60]
		or	ecx, 20h
		mov	[esp+88h+var_60], eax
		jmp	loc_45B75A
; 

loc_5B0AAF:				; CODE XREF: MmUnmapViewInSystemCache+5A4j
		or	ecx, 20h
		jmp	loc_45B775
; 

loc_5B0AB7:				; CODE XREF: MmUnmapViewInSystemCache+502j
		push	ecx
		push	offset unk_6D5E80
		push	edx
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B0ACA:				; CODE XREF: MmUnmapViewInSystemCache+556j
		push	ecx
		push	offset unk_6D5E80
		push	ebx
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B0ADD:				; CODE XREF: MmUnmapViewInSystemCache+1F7j
		mov	eax, ds:_ZeroPte
		mov	[edi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edi+4], eax
		jmp	loc_45B434
; 

loc_5B0AF2:				; CODE XREF: MmUnmapViewInSystemCache+296j
		mov	byte ptr [esp+88h+var_7A+1], 0
		jmp	loc_45B468
; 

loc_5B0AFC:				; CODE XREF: MmUnmapViewInSystemCache+75Cj
		mov	esi, [esp+88h+var_18]

loc_5B0B00:				; CODE XREF: MmUnmapViewInSystemCache+15594Cj
					; MmUnmapViewInSystemCache+155953j
		lea	ecx, [esp+88h+var_C]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_5B0B00
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5B0B00
		mov	esi, [esp+88h+var_1C]
		mov	edx, [esp+88h+var_7A+2]
		lea	ecx, [esi+10h]
		jmp	loc_45B81E
; 

loc_5B0B25:				; CODE XREF: MmUnmapViewInSystemCache+658j
		mov	ecx, [esp+88h+var_74]
		push	2
		call	MiDecrementAndInsertStandbyPages
		mov	ecx, [esp+88h+var_68]
		xor	eax, eax
		mov	[esp+88h+var_7A+2], eax
		dec	ecx
		mov	ebx, edi
		jmp	loc_45B4CF
; 

loc_5B0B42:				; CODE XREF: MmUnmapViewInSystemCache+7A8j
		push	ecx
		push	edi
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo
		jmp	loc_45B879
; 

loc_5B0B55:				; CODE XREF: MmUnmapViewInSystemCache+2E7j
		mov	edi, [esp+88h+var_74]
		jmp	loc_45B4F5
; 

loc_5B0B5E:				; CODE XREF: MmUnmapViewInSystemCache+389j
		xor	ecx, ecx
		mov	[esp+88h+var_70], ecx
		jmp	loc_45B54F
; 

loc_5B0B69:				; CODE XREF: MmUnmapViewInSystemCache+822j
		push	[esp+88h+var_3C]
		push	[esp+8Ch+var_6C]
		push	edi
		push	783h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5B0B7F:				; CODE XREF: MiDeleteTransitionPte+3Cj
		push	ecx
		push	edx
		push	ebx
		push	402h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B0B8E:				; CODE XREF: MiDeleteTransitionPte+1C2j
		and	ecx, 0FFFFFFF9h
		jmp	loc_45BA9C
; END OF FUNCTION CHUNK	FOR MmUnmapViewInSystemCache
; 
; START	OF FUNCTION CHUNK FOR MiDeleteTransitionPte

loc_5B0B96:				; CODE XREF: MiDeleteTransitionPte+214j
		test	al, 8
		jnz	loc_45BC3A
		mov	ecx, [esi]
		sub	ecx, 10h
		mov	edx, [ecx+8]
		lea	eax, [ecx+8]
		sub	edx, eax
		neg	edx
		sbb	edx, edx
		and	edx, ecx
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_1C], edx
		mov	edx, [ebp+var_8]
		jmp	loc_45BC3A
; 

loc_5B0BBF:				; CODE XREF: MiDeleteTransitionPte+154j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_45BB7A
; 

loc_5B0BCC:				; CODE XREF: MiDeleteTransitionPte+15Fj
		call	MiInvalidateCollidedIos
		jmp	loc_45BB85
; END OF FUNCTION CHUNK	FOR MiDeleteTransitionPte
; 
; START	OF FUNCTION CHUNK FOR CcCopyReadEx

loc_5B0BD6:				; CODE XREF: CcCopyReadEx+30Aj
		mov	eax, 2
		jmp	loc_45BCDF
; 

loc_5B0BE0:				; CODE XREF: CcCopyReadEx+B5j
		push	0C00000E8h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5B0BEA:				; CODE XREF: CcCopyReadEx+1DEj
					; CcCopyReadEx+1E7j
		mov	eax, [ebp+arg_C]
		jmp	loc_45BE2F
; END OF FUNCTION CHUNK	FOR CcCopyReadEx

;  S U B	R O U T	I N E 

; Attributes: thunk

sub_5B0BF2	proc near		; DATA XREF: .text:006A10E0o
		jmp	sub_45BFBD
sub_5B0BF2	endp

; 
; START	OF FUNCTION CHUNK FOR CcCopyReadEx

loc_5B0BF7:				; CODE XREF: CcCopyReadEx+A2j
					; CcCopyReadEx+ABj
		push	0
		push	0
		push	0C0000420h
		push	273h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5B0C0D:				; CODE XREF: CcFreeVirtualAddress+1Cj
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_45BFF2
; END OF FUNCTION CHUNK	FOR CcCopyReadEx
; 
; START	OF FUNCTION CHUNK FOR MiOffsetToProtos

loc_5B0C1C:				; CODE XREF: MiOffsetToProtos+62j
		mov	dl, al
		mov	ecx, esi
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	loc_45C171
; 

loc_5B0C2A:				; CODE XREF: MiOffsetToProtos+D5j
		mov	edx, [ebp+4]
		lea	ecx, [ebx+24h]
		call	@ExpReleaseSpinLockSharedFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockSharedFromDpcLevelInstrumented(x,x)
		jmp	loc_45C1D9
; 

loc_5B0C3A:				; CODE XREF: MiOffsetToProtos+169j
		mov	dl, al
		mov	ecx, esi
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	loc_45C278
; 

loc_5B0C48:				; CODE XREF: MiOffsetToProtos+225j
		mov	edx, [ebp+4]
		mov	ecx, [esp+88h+var_68]
		call	@ExpReleaseSpinLockSharedFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockSharedFromDpcLevelInstrumented(x,x)
		jmp	loc_45C32A
; 

loc_5B0C59:				; CODE XREF: MiOffsetToProtos+2FCj
		shr	ax, 6
		xor	ecx, ecx
		or	ecx, [esp+88h+var_78]
		movzx	eax, ax
		cdq
		mov	[esp+88h+var_60], ecx
		mov	[esp+88h+var_68], eax
		jmp	loc_45C431
; 

loc_5B0C74:				; CODE XREF: MiOffsetToProtos+302j
					; MiOffsetToProtos+39Dj ...
		cmp	[esp+88h+var_79], 21h
		jz	short loc_5B0C8E
		lea	eax, [ebx+24h]
		push	eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [esp+88h+var_79]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5B0C8E:				; CODE XREF: MiOffsetToProtos+13Cj
					; MiOffsetToProtos+149j ...
		xor	esi, esi
		jmp	loc_45C332
; END OF FUNCTION CHUNK	FOR MiOffsetToProtos
; 
; START	OF FUNCTION CHUNK FOR CcGetVirtualAddress

loc_5B0C95:				; CODE XREF: CcGetVirtualAddress+74j
		mov	dl, al
		mov	ecx, edi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_45DB95
; 

loc_5B0CA3:				; CODE XREF: CcGetVirtualAddress+9Fj
					; CcGetVirtualAddress+1531F7j
		test	edx, 40000000h
		jnz	short loc_5B0CBD
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5B0CCB

loc_5B0CBD:				; CODE XREF: CcGetVirtualAddress+1531C9j
		lea	ecx, [esp+60h+var_40]
		call	KeYieldProcessorEx
		mov	eax, ds:dword_6CF3C0

loc_5B0CCB:				; CODE XREF: CcGetVirtualAddress+1531DBj
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5B0CA3
		mov	eax, [esp+60h+var_14]
		mov	[esp+60h+var_4C], eax
		jmp	loc_45DB8D
; 

loc_5B0CE6:				; CODE XREF: CcGetVirtualAddress+BCj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		mov	eax, [esp+60h+var_14]
		mov	[esp+60h+var_4C], eax
		mov	eax, [esp+60h+var_18]
		mov	[esp+60h+var_50], eax
		jmp	loc_45DBAC
; 

loc_5B0D05:				; CODE XREF: CcGetVirtualAddress+E4j
		push	0
		push	0
		push	0C0000420h
		push	1314h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B0D1A:				; CODE XREF: CcGetVirtualAddress+119j
		cmp	dword ptr [ecx+26Ch], 80h
		jnb	loc_45DBFF

loc_5B0D2A:				; CODE XREF: CcGetVirtualAddress+30Dj
		call	CcAllocateInitializeVacbArray
		mov	[esp+74h+var_4C], eax
		test	eax, eax
		jz	loc_45DBFF
		cmp	[esp+74h+var_58], edi
		jnz	short loc_5B0D4C
		mov	ecx, [esp+74h+var_5C]
		mov	edx, eax
		call	_CcBuildUpHighPriorityMappings@8 ; CcBuildUpHighPriorityMappings(x,x)

loc_5B0D4C:				; CODE XREF: CcGetVirtualAddress+15325Fj
		mov	ecx, 4
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	edx, [esp+74h+var_4C]
		mov	ecx, [esp+74h+var_5C]
		mov	[esp+74h+var_65], al
		call	CcInsertVacbArray
		mov	ecx, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	eax, [ecx+438h]
		mov	[esp+74h+var_5C], eax
		jz	short loc_5B0D8D
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5B0DBB
; 

loc_5B0D8D:				; CODE XREF: CcGetVirtualAddress+15329Fj
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_5B0DAF
		mov	ecx, [eax+4]
		xor	edx, edx
		lock cmpxchg [ecx], edx
		mov	ecx, [esp+74h+var_5C]
		cmp	eax, ecx
		jz	short loc_5B0DBB
		call	KxWaitForLockChainValid
		mov	ecx, eax
		mov	eax, [esp+74h+var_5C]

loc_5B0DAF:				; CODE XREF: CcGetVirtualAddress+1532B1j
		mov	dword ptr [eax], 0
		lea	eax, [ecx+4]
		lock xor [eax],	edi

loc_5B0DBB:				; CODE XREF: CcGetVirtualAddress+1532ABj
					; CcGetVirtualAddress+1532C2j
		mov	cl, [esp+74h+var_65]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+74h+var_28]
		mov	edi, [esp+74h+var_2C]
		mov	[esp+74h+var_60], eax
		mov	[esp+74h+var_64], edi
		jmp	loc_45DC03
; 

loc_5B0DDA:				; CODE XREF: CcGetVirtualAddress+28Fj
		push	0
		push	0
		push	0C0000420h
		push	9FFh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B0DEF:				; CODE XREF: CcGetVirtualAddress+12Bj
					; CcGetVirtualAddress+134j
		push	0
		push	0
		push	0C0000420h
		push	56Ch
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5B0E05:				; CODE XREF: CcCopyBytesToUserBuffer+54j
		lea	eax, [ebp+var_24]
		push	eax
		push	0
		push	esi
		lea	edx, [ebp+var_2C]
		mov	ecx, ebx
		call	_CcLockSystemCacheBuffer@20 ; CcLockSystemCacheBuffer(x,x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_1C], edx
		test	edx, edx
		jnz	short loc_5B0E27
		mov	edi, [ebp+var_24]
		jmp	loc_45E01D
; 

loc_5B0E27:				; CODE XREF: CcGetVirtualAddress+15333Dj
		mov	eax, [ebp+var_20]
		mov	cl, byte ptr [ebp+arg_4]
		jmp	loc_45DFD0
; END OF FUNCTION CHUNK	FOR CcGetVirtualAddress
; 
; START	OF FUNCTION CHUNK FOR CcCopyBytesToUserBuffer

loc_5B0E32:				; CODE XREF: CcCopyBytesToUserBuffer+70j
		push	edi
		mov	ecx, eax
		call	_HviCopyMemory@12 ; HviCopyMemory(x,x,x)
		jmp	loc_45DFFF
; 

loc_5B0E3F:				; CODE XREF: CcCopyBytesToUserBuffer+A1j
		add	edx, edi
		mov	[ebp+var_1C], edx
		jmp	loc_45DFD0
; END OF FUNCTION CHUNK	FOR CcCopyBytesToUserBuffer

;  S U B	R O U T	I N E 


sub_5B0E49	proc near		; DATA XREF: .text:006A111Co
		lea	edx, [ebp-28h]
		mov	ecx, [ebp-14h]
		call	_CcCopyReadExceptionFilter@8 ; CcCopyReadExceptionFilter(x,x)
		retn
sub_5B0E49	endp


;  S U B	R O U T	I N E 


sub_5B0E55	proc near		; DATA XREF: .text:006A1120o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-28h]
		cmp	edi, 0C0000005h
		jnz	short loc_5B0E6A
		mov	edi, 0C00000E8h
		jmp	short loc_5B0E79
; 

loc_5B0E6A:				; CODE XREF: sub_5B0E55+Cj
		push	edi
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		test	al, al
		jnz	short loc_5B0E79
		mov	edi, 0C00000E9h

loc_5B0E79:				; CODE XREF: sub_5B0E55+13j
					; sub_5B0E55+1Dj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_45E01D
sub_5B0E55	endp

; 
; START	OF FUNCTION CHUNK FOR CcCopyBytesToUserBuffer

loc_5B0E85:				; CODE XREF: CcCopyBytesToUserBuffer+B2j
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	esi
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		jmp	loc_45E028
; END OF FUNCTION CHUNK	FOR CcCopyBytesToUserBuffer
; 
; START	OF FUNCTION CHUNK FOR MiGetVadWakeList

loc_5B0E96:				; CODE XREF: MiGetVadWakeList+32j
		mov	edi, offset unk_6D3C40
		jmp	loc_46021E
; 

loc_5B0EA0:				; CODE XREF: MiGetVadWakeList+50j
		mov	dl, al
		mov	ecx, edi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_460259
; 

loc_5B0EAE:				; CODE XREF: MiGetVadWakeList+1BFj
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_4603A5
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_4603A7
; 

loc_5B0EC6:				; CODE XREF: MiGetVadWakeList+195j
		mov	ebx, eax
		jmp	loc_460381
; 

loc_5B0ECD:				; CODE XREF: MiGetVadWakeList+A3j
		mov	edi, offset unk_6D3C40
		jmp	loc_46028F
; 

loc_5B0ED7:				; CODE XREF: MiGetVadWakeList+BBj
		mov	edx, eax
		jmp	loc_4602C5
; 

loc_5B0EDE:				; CODE XREF: MiGetVadWakeList+F5j
		mov	ebx, 1
		mov	[ebp+var_14], ebx
		jmp	loc_4602DB
; 

loc_5B0EEB:				; CODE XREF: MiGetVadWakeList+122j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_46030E
; 

loc_5B0EFA:				; CODE XREF: MiGetVadWakeList+21Aj
					; MiGetVadWakeList+150D28j
		mov	esi, [ebx]
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, esi
		test	esi, esi
		jnz	short loc_5B0EFA
		mov	ebx, [ebp+var_14]
		jmp	loc_46031F
; 

loc_5B0F12:				; CODE XREF: MiGetVadWakeList+147j
		mov	ecx, [ebp+var_8]
		call	MiLockWorkingSetShared
		mov	dl, [ebp+var_1]
		mov	ecx, [ebp+var_8]
		call	MiUnlockWorkingSetShared
		jmp	loc_46032D
; END OF FUNCTION CHUNK	FOR MiGetVadWakeList
; 
; START	OF FUNCTION CHUNK FOR MiFinishVadDeletion

loc_5B0F2A:				; CODE XREF: MiFinishVadDeletion+B1j
		test	ecx, 100000h
		jz	short loc_5B0F3D
		dec	dword ptr [edx+0B0h]
		jmp	loc_461727
; 

loc_5B0F3D:				; CODE XREF: MiFinishVadDeletion+14F8C0j
		dec	dword ptr [edx+0B4h]
		jmp	loc_461727
; 

loc_5B0F48:				; CODE XREF: MiFinishVadDeletion+686j
		push	0
		push	[ebp+var_10]
		push	[ebp+var_18]
		push	ebx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B0F5B:				; CODE XREF: MiFinishVadDeletion+1A5j
		lea	esi, [ebx+222h]
		lock or	[esi], al
		jmp	loc_461821
; 

loc_5B0F69:				; CODE XREF: MiFinishVadDeletion+702j
		mov	edx, 1
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_461D78
; 

loc_5B0F7A:				; CODE XREF: MiFinishVadDeletion+72Fj
		mov	edx, [ebp+var_18]
		mov	ecx, ebx
		push	esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_461836
; 

loc_5B0F8A:				; CODE XREF: MiFinishVadDeletion+205j
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	loc_46187B
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_46187B
; 

loc_5B0FA0:				; CODE XREF: MiFinishVadDeletion+248j
		mov	edi, offset unk_6D3C40
		jmp	loc_4618C4
; 

loc_5B0FAA:				; CODE XREF: MiFinishVadDeletion+266j
		mov	dl, al
		mov	ecx, edi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_461902
; 

loc_5B0FB8:				; CODE XREF: MiFinishVadDeletion+62Fj
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_461CA5
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_461CA7
; 

loc_5B0FD0:				; CODE XREF: MiFinishVadDeletion+29Dj
		xor	ebx, ebx

loc_5B0FD2:				; CODE XREF: MiFinishVadDeletion+14F978j
		test	byte ptr [eax+24h], 1
		mov	ecx, [eax]
		jz	short loc_5B0FE2
		mov	[eax], ebx
		mov	ebx, eax
		mov	[esi], ecx
		jmp	short loc_5B0FE4
; 

loc_5B0FE2:				; CODE XREF: MiFinishVadDeletion+14F968j
		mov	esi, eax

loc_5B0FE4:				; CODE XREF: MiFinishVadDeletion+14F970j
		mov	eax, ecx
		test	ecx, ecx
		jnz	short loc_5B0FD2
		mov	[ebp+var_10], ebx
		mov	ebx, [ebp+var_4]
		jmp	loc_461913
; 

loc_5B0FF5:				; CODE XREF: MiFinishVadDeletion+2BEj
		mov	edi, offset unk_6D3C40
		jmp	loc_46193A
; 

loc_5B0FFF:				; CODE XREF: MiFinishVadDeletion+30Bj
		mov	esi, 1
		mov	[ebp+var_1C], esi
		jmp	loc_461981
; 

loc_5B100C:				; CODE XREF: MiFinishVadDeletion+33Fj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_4619BB
; 

loc_5B101B:				; CODE XREF: MiFinishVadDeletion+359j
					; MiFinishVadDeletion+14F9B9j
		mov	esi, [eax]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_5B101B
		mov	esi, [ebp+var_1C]
		jmp	loc_4619CF
; 

loc_5B1033:				; CODE XREF: MiFinishVadDeletion+367j
		mov	ecx, [ebp+var_C]
		call	MiLockWorkingSetShared
		mov	dl, byte ptr [ebp+arg_0+3]
		mov	ecx, [ebp+var_C]
		call	MiUnlockWorkingSetShared
		jmp	loc_4619DD
; 

loc_5B104B:				; CODE XREF: MiFinishVadDeletion+37Bj
		dec	word ptr [esi+13Ch]
		nop
		jmp	loc_4619F1
; 

loc_5B1058:				; CODE XREF: MiFinishVadDeletion+610j
		and	byte ptr [esi+304h], 7Fh
		lea	ecx, [ebx+18h]
		mov	[ebp+var_20], ecx
		mov	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5B107C
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [ebx+18h]

loc_5B107C:				; CODE XREF: MiFinishVadDeletion+14FA02j
		xor	edi, edi
		mov	[ebp+var_18], edi
		test	ecx, 7FFFFFFCh
		jz	loc_5B124D
		mov	esi, large fs:124h
		mov	[ebp+var_24], esi
		cmp	ecx, ds:dword_6D07D0
		jb	short loc_5B10C2
		mov	eax, ecx
		shr	eax, 15h
		mov	al, byte ptr ds:dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_5B10B2
		cmp	al, 0Bh
		jnz	short loc_5B10C2

loc_5B10B2:				; CODE XREF: MiFinishVadDeletion+14FA3Cj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		lea	ecx, [ebx+18h]
		jmp	short loc_5B10C5
; 

loc_5B10C2:				; CODE XREF: MiFinishVadDeletion+14FA2Dj
					; MiFinishVadDeletion+14FA40j
		or	eax, 0FFFFFFFFh

loc_5B10C5:				; CODE XREF: MiFinishVadDeletion+14FA50j
		dec	word ptr [esi+13Eh]
		mov	[ebp+var_1C], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	byte ptr [ebp+arg_0+3],	dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jnz	short loc_5B1114
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_5B118B
		mov	edi, [ebp+var_20]
		push	ecx
		push	[ebp+var_1C]
		push	edi
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B1114:				; CODE XREF: MiFinishVadDeletion+14FA81j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5B112A
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_C]

loc_5B112A:				; CODE XREF: MiFinishVadDeletion+14FAB0j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_18], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp+arg_0+3],	1
		jnz	short loc_5B117B
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al
		jmp	short loc_5B118B
; 

loc_5B117B:				; CODE XREF: MiFinishVadDeletion+14FAF7j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_24]

loc_5B118B:				; CODE XREF: MiFinishVadDeletion+14FA8Bj
					; MiFinishVadDeletion+14FB09j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+arg_0], eax
		jz	short loc_5B11FC
		test	edi, 8000h
		jz	short loc_5B11B2
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+arg_0]

loc_5B11B2:				; CODE XREF: MiFinishVadDeletion+14FB34j
		test	byte ptr [ebp+var_18+2], 1
		jz	short loc_5B11C7
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+arg_0]

loc_5B11C7:				; CODE XREF: MiFinishVadDeletion+14FB46j
		test	edi, 7FFFh
		jz	short loc_5B11E1
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority
		mov	eax, [ebp+arg_0]

loc_5B11E1:				; CODE XREF: MiFinishVadDeletion+14FB5Dj
		test	dword ptr ds:byte_70EFC4, 200h
		lea	edi, [ebx+18h]
		jz	short loc_5B11FF
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_5B11FF
; 

loc_5B11FC:				; CODE XREF: MiFinishVadDeletion+14FB2Cj
		lea	edi, [ebx+18h]

loc_5B11FF:				; CODE XREF: MiFinishVadDeletion+14FB7Ej
					; MiFinishVadDeletion+14FB8Aj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_5B1225
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5B1225
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5B1225:				; CODE XREF: MiFinishVadDeletion+14FBA6j
					; MiFinishVadDeletion+14FBAEj
		mov	esi, [ebp+var_8]

loc_5B1228:				; CODE XREF: MiFinishVadDeletion+14FBE0j
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		dec	word ptr [esi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi+304h], 80h
		nop
		jmp	loc_461A08
; 

loc_5B124D:				; CODE XREF: MiFinishVadDeletion+14FA17j
		lea	edi, [ebx+18h]
		jmp	short loc_5B1228
; 

loc_5B1252:				; CODE XREF: MiFinishVadDeletion+39Cj
		mov	ecx, ebx
		call	_MiUnlockAndDereferenceNestedVad@4 ; MiUnlockAndDereferenceNestedVad(x)
		jmp	loc_461B9D
; 

loc_5B125E:				; CODE XREF: MiFinishVadDeletion+699j
		mov	edx, [ebp+var_4]
		push	0
		push	[ebp+arg_0]
		add	edx, 18h
		push	edx
		push	ebx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B1275:				; CODE XREF: MiFinishVadDeletion+4A4j
		mov	al, 1
		lea	esi, [ebx+222h]
		shl	al, cl
		lock or	[esi], al
		jmp	loc_461B2A
; 

loc_5B1287:				; CODE XREF: MiFinishVadDeletion+740j
		mov	edx, 1
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_461DB6
; 

loc_5B1298:				; CODE XREF: MiFinishVadDeletion+76Dj
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	esi
		lea	edx, [edx+18h]
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_461B3F
; 

loc_5B12AB:				; CODE XREF: MiFinishVadDeletion+532j
		mov	ecx, eax
		call	_MiWakeLargePageWaiters@4 ; MiWakeLargePageWaiters(x)
		mov	ecx, [ebp+var_8]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	loc_461BA8
; 

loc_5B12BF:				; CODE XREF: MiFinishVadDeletion+54Aj
		mov	eax, [ecx+78h]
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_461BC0
; END OF FUNCTION CHUNK	FOR MiFinishVadDeletion
; 
; START	OF FUNCTION CHUNK FOR UNLOCK_PAGE_TABLE_COMMITMENT

loc_5B12D1:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+17Cj
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B12E4:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+E6j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_18]
		jmp	loc_461FDC
; 

loc_5B12F9:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+1AEj
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_462094
; 

loc_5B130A:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+1DBj
		push	[ebp+var_18]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_461FF3
; 

loc_5B131C:				; CODE XREF: UNLOCK_PAGE_TABLE_COMMITMENT+16Dj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_462015
; END OF FUNCTION CHUNK	FOR UNLOCK_PAGE_TABLE_COMMITMENT
; 
; START	OF FUNCTION CHUNK FOR MiFlushSectionInternal

loc_5B1326:				; CODE XREF: MiFlushSectionInternal+80j
		or	eax, 4
		mov	[ebp+arg_C], eax
		jmp	loc_462156
; 

loc_5B1331:				; CODE XREF: MiFlushSectionInternal+AEj
		and	eax, 0FFFFFFFBh
		mov	[ebp+arg_C], eax
		jmp	loc_462184
; 

loc_5B133C:				; CODE XREF: MiFlushSectionInternal+B6j
		push	0
		push	40h
		mov	edx, 61466D4Dh
		mov	ecx, 540h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		mov	eax, [esp+150h+var_100]
		mov	[esp+150h+var_DC], ecx
		test	eax, eax
		jz	short loc_5B136E
		mov	[eax+18h], ecx
		test	ecx, ecx
		jnz	short loc_5B1376
		mov	eax, 0C000009Ah
		jmp	loc_462827
; 

loc_5B136E:				; CODE XREF: MiFlushSectionInternal+14F28Bj
		test	ecx, ecx
		jz	loc_46218C

loc_5B1376:				; CODE XREF: MiFlushSectionInternal+14F292j
		lea	eax, [ecx+2Ch]
		mov	[esp+150h+var_108], ecx
		mov	[esp+150h+var_140], eax
		lea	edi, [ecx+14h]
		lea	eax, [ecx+460h]
		mov	[esp+150h+var_FC], 8
		mov	[esp+150h+var_F8], eax

loc_5B1396:				; CODE XREF: MiFlushSectionInternal+14F312j
		push	0
		push	0
		lea	esi, [edi+4]
		push	esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [esp+150h+var_100]
		mov	[edi], eax
		mov	eax, [esp+150h+var_10C]
		mov	[edi-4], eax
		lea	eax, [edi+18h]
		mov	[edi+14h], eax
		lea	edi, [edi+8Ch]
		mov	eax, [esp+150h+var_F8]
		mov	dword ptr [edi-0A0h], 0
		mov	dword ptr [edi-98h], 0
		mov	[eax], esi
		add	eax, 4
		sub	[esp+150h+var_FC], 1
		mov	[esp+150h+var_F8], eax
		jnz	short loc_5B1396
		mov	esi, [esp+150h+var_140]
		mov	edi, [esp+150h+var_10C]
		jmp	loc_46218C
; 

loc_5B13F1:				; CODE XREF: MiFlushSectionInternal+F0j
		or	[esp+150h+var_13C], 10h
		jmp	loc_4621C6
; 

loc_5B13FB:				; CODE XREF: MiFlushSectionInternal+16Bj
		lea	eax, [edi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+150h+var_135]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+150h+var_DC]
		test	eax, eax
		jz	short loc_5B142D
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+150h+var_100]
		test	eax, eax
		jz	short loc_5B142D
		mov	dword ptr [eax+18h], 0

loc_5B142D:				; CODE XREF: MiFlushSectionInternal+14F344j
					; MiFlushSectionInternal+14F354j
		mov	ecx, [edi+20h]
		lea	esi, [edi+20h]
		mov	edi, [esp+150h+var_104]
		mov	eax, ecx
		xor	eax, edi
		cmp	eax, 7
		jnb	short loc_5B1456

loc_5B1440:				; CODE XREF: MiFlushSectionInternal+14F384j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jz	short loc_5B1461
		mov	ecx, eax
		xor	eax, edi
		cmp	eax, 7
		jb	short loc_5B1440

loc_5B1456:				; CODE XREF: MiFlushSectionInternal+14F36Ej
		push	746C6644h
		push	edi
		call	ObDereferenceObjectDeferDeleteWithTag

loc_5B1461:				; CODE XREF: MiFlushSectionInternal+14F37Bj
		mov	ecx, [esp+150h+var_EC]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, [esp+150h+var_120]
		mov	dword ptr [eax], 0
		mov	dword ptr [eax+4], 0
		xor	eax, eax
		jmp	loc_462827
; 

loc_5B1482:				; CODE XREF: MiFlushSectionInternal+A46j
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_462257
; 

loc_5B148E:				; CODE XREF: MiFlushSectionInternal+276j
					; MiFlushSectionInternal+290j
		mov	edx, [esp+150h+var_144]
		jmp	loc_46237C
; 

loc_5B1497:				; CODE XREF: MiFlushSectionInternal+2D9j
		mov	edx, [esp+150h+var_114]
		jmp	loc_4623C3
; 

loc_5B14A0:				; CODE XREF: MiFlushSectionInternal+363j
					; MiFlushSectionInternal+36Dj
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		jmp	loc_4622F0
; 

loc_5B14AD:				; CODE XREF: MiFlushSectionInternal+3B4j
		push	40h		; size_t
		lea	eax, [esp+154h+var_48]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[esp+150h+var_F4], 0
		jz	short loc_5B14E0
		lea	eax, [edi+10h]
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		mov	eax, [esp+150h+var_144]
		mov	[esp+150h+var_144], eax
		jmp	loc_462845
; 

loc_5B14E0:				; CODE XREF: MiFlushSectionInternal+14F3F6j
		lea	eax, [esp+150h+var_48]
		mov	[esp+150h+var_C4], 1
		push	eax		; void *
		push	0		; int
		push	0		; char
		xor	edx, edx
		xor	ecx, ecx
		call	_MiInitializePageFaultPacket@20	; MiInitializePageFaultPacket(x,x,x,x,x)
		mov	ecx, [esp+150h+var_130]
		mov	edx, 1
		call	_MiObtainProtoReference@8 ; MiObtainProtoReference(x,x)
		lea	eax, [esp+150h+var_C4]
		mov	edx, edi
		push	eax
		push	[esp+154h+var_134]
		lea	ecx, [esp+158h+var_48]
		push	[esp+158h+var_130]
		call	MiWaitForCollidedFaultComplete
		mov	edi, [esp+150h+var_130]
		mov	dl, 21h
		mov	byte ptr [esp+150h+var_134], dl
		jmp	loc_462618
; 

loc_5B153B:				; CODE XREF: MiFlushSectionInternal+45Cj
		mov	edx, eax
		cmp	eax, 1
		jnb	loc_462510
		jmp	loc_462ADB
; 

loc_5B154B:				; CODE XREF: MiFlushSectionInternal+489j
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_5B1567
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_5B1567:				; CODE XREF: MiFlushSectionInternal+A2Dj
					; MiFlushSectionInternal+14F48Cj
		mov	[esp+150h+var_114], 0
		jmp	loc_46259B
; 

loc_5B1574:				; CODE XREF: MiFlushSectionInternal+4C5j
		push	0
		mov	edx, 1
		mov	ecx, edi
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		test	al, 10h
		jz	loc_46259B
		mov	edx, 1Ch
		mov	ecx, edi
		call	MiClearPfnImageVerified
		jmp	loc_46259B
; 

loc_5B159B:				; CODE XREF: MiFlushSectionInternal+4DBj
		mov	edi, 3
		jmp	loc_4629DC
; 

loc_5B15A5:				; CODE XREF: MiFlushSectionInternal+515j
		cmp	ecx, 10h
		jnb	short loc_5B15BD
		mov	eax, large fs:124h
		test	byte ptr [eax+300h], 2
		jnz	loc_4625EB

loc_5B15BD:				; CODE XREF: MiFlushSectionInternal+14F4D8j
		mov	edi, 2
		jmp	loc_4629DC
; 

loc_5B15C7:				; CODE XREF: MiFlushSectionInternal+95Bj
		mov	eax, [esp+150h+var_140]
		mov	esi, edi
		mov	ecx, [esp+150h+var_144]
		mov	[esp+150h+var_144], ecx
		mov	eax, [eax+18h]
		mov	[esp+150h+var_11C], eax
		jmp	loc_462863
; 

loc_5B15E1:				; CODE XREF: MiFlushSectionInternal+976j
		add	eax, 2Ch
		cmp	ecx, eax
		jz	loc_462A54
		jmp	loc_462A4C
; 

loc_5B15F1:				; CODE XREF: MiFlushSectionInternal+98Ej
		mov	[eax+28h], esi
		jmp	loc_462A64
; 

loc_5B15F9:				; CODE XREF: MiFlushSectionInternal+7BDj
		push	[esp+150h+var_F8]
		mov	ecx, [ebp+arg_C]
		push	[esp+154h+var_C0]
		shr	ecx, 2
		and	cl, 4
		movzx	eax, cl
		mov	ecx, [esp+158h+var_104]
		push	eax
		push	edx
		mov	edx, [esp+160h+var_108]
		push	edi
		push	[esp+164h+var_100]
		push	[esp+168h+var_DC]
		call	_MiIssueAsynchronousFlush@36 ; MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)
		mov	[esp+150h+var_108], eax
		test	eax, eax
		jz	loc_5B16C2
		mov	eax, [eax+28h]
		mov	[esp+150h+var_11C], 10h
		jmp	loc_462AA7
; 

loc_5B1647:				; CODE XREF: MiFlushSectionInternal+7F2j
		mov	edx, [esp+154h+var_140]
		push	ecx
		call	_MiFlushFileOnlyMdl@16 ; MiFlushFileOnlyMdl(x,x,x,x)
		jmp	loc_4628ED
; 

loc_5B1656:				; CODE XREF: MiFlushSectionInternal+60Ej
		push	offset _Mi10Milliseconds
		jmp	short loc_5B1690
; 

loc_5B165D:				; CODE XREF: MiFlushSectionInternal+623j
		mov	eax, [esp+150h+var_FC]
		dec	eax
		mov	[esp+150h+var_FC], eax
		test	al, 1Fh
		jnz	short loc_5B168B
		cmp	[esp+150h+var_11C], 1
		jz	loc_4626F9
		cmp	edi, 1000h
		jbe	loc_4626F9
		mov	[esp+150h+var_11C], 1
		jmp	short loc_5B1699
; 

loc_5B168B:				; CODE XREF: MiFlushSectionInternal+14F598j
		push	offset _Mi30Milliseconds

loc_5B1690:				; CODE XREF: MiFlushSectionInternal+14F58Bj
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)

loc_5B1699:				; CODE XREF: MiFlushSectionInternal+14F5B9j
		mov	eax, [esp+150h+var_120]
		mov	edi, 1
		mov	dword ptr [eax], 0
		jmp	loc_4626FB
; 

loc_5B16AD:				; CODE XREF: MiFlushSectionInternal+B9Aj
		mov	ecx, [esp+150h+var_124]
		mov	edx, 7FFFFFFFh
		lock and [ecx],	edx
		or	eax, 8
		mov	[esp+150h+var_13C], eax
		jmp	short loc_5B16CF
; 

loc_5B16C2:				; CODE XREF: MiFlushSectionInternal+14F561j
		or	[esp+150h+var_13C], 1
		mov	[esp+150h+var_E0], 0

loc_5B16CF:				; CODE XREF: MiFlushSectionInternal+14F5F0j
		mov	esi, [esp+150h+var_110]
		jmp	loc_462721
; 

loc_5B16D8:				; CODE XREF: MiFlushSectionInternal+B0Fj
		mov	eax, [ecx+24h]
		mov	esi, [esp+150h+var_12C]
		and	eax, 3FFFFFFFh
		mov	ecx, [ecx+1Ch]
		sub	ecx, eax
		mov	eax, [esi+4]
		lea	eax, [eax+ecx*8]
		cmp	edx, eax
		jnz	loc_4627A4
		mov	ecx, esi
		call	_MiEndingOffset@4 ; MiEndingOffset(x)
		and	eax, 0FFFh
		jz	loc_4627A4
		add	edi, 0FFFFF000h
		add	edi, eax
		jmp	loc_4627A4
; 

loc_5B1716:				; CODE XREF: MiFlushSectionInternal+BCDj
		mov	ecx, esi
		call	_MiWaitForAsynchronousFlushes@4	; MiWaitForAsynchronousFlushes(x)
		test	eax, eax
		jns	short loc_5B1726
		or	[esp+150h+var_13C], 1

loc_5B1726:				; CODE XREF: MiFlushSectionInternal+14F64Fj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4627C3
; 

loc_5B1733:				; CODE XREF: MiFlushSectionInternal+73Cj
		push	[esp+150h+var_120]
		mov	eax, [ebp+arg_C]
		mov	edx, [esp+154h+var_E8]
		and	eax, 0FFFFFFFBh
		mov	ecx, [esp+154h+var_B8]
		push	eax
		push	[esp+158h+var_100]
		lea	edx, [edx-8]
		push	[esp+15Ch+var_D8]
		push	[esp+160h+var_BC]
		call	MiFlushSectionInternal
		jmp	loc_462827
; 

loc_5B1768:				; CODE XREF: MiFlushSectionInternal+748j
		mov	dword ptr [eax], 0C0000433h
		mov	eax, 0C0000433h
		jmp	loc_462820
; END OF FUNCTION CHUNK	FOR MiFlushSectionInternal
; 
; START	OF FUNCTION CHUNK FOR MiLockWorkingSetShared

loc_5B1778:				; CODE XREF: MiLockWorkingSetShared+26j
		mov	dl, bl
		mov	ecx, esi
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	loc_463CB1
; END OF FUNCTION CHUNK	FOR MiLockWorkingSetShared
; 
; START	OF FUNCTION CHUNK FOR MiChargeCommit

loc_5B1786:				; CODE XREF: MiChargeCommit+5Cj
		mov	ecx, eax
		cmp	esi, eax
		jbe	loc_463DD0
		mov	eax, [ebp+arg_0]
		jmp	loc_463DF0
; 

loc_5B1798:				; CODE XREF: MiChargeCommit+B5j
		mov	eax, [ebx+0F48h]
		shr	eax, 6
		cmp	eax, 40h
		jnb	loc_463E3B
		jmp	loc_463F91
; 

loc_5B17AF:				; CODE XREF: MiChargeCommit+100j
		mov	edi, [ebx+0D94h]
		cmp	eax, edi
		jb	short loc_5B17C8
		cmp	edx, edi
		jnb	short loc_5B17C8
		mov	ecx, ebx
		call	_MiPulseCommitSignal@4 ; MiPulseCommitSignal(x)
		mov	ecx, [esp+30h+var_20]

loc_5B17C8:				; CODE XREF: MiChargeCommit+14DA37j
					; MiChargeCommit+14DA3Bj
		test	cl, 4
		jnz	loc_5B18A1
		test	cl, 2
		jnz	loc_5B195D
		mov	eax, [esp+30h+var_10]
		cmp	eax, [ebx+0D84h]
		jz	short loc_5B1856
		test	cl, 1
		mov	ecx, ebx
		jnz	loc_5B18DB
		push	0FFh
		push	0
		mov	edx, esi
		call	_MiIssuePageExtendRequest@16 ; MiIssuePageExtendRequest(x,x,x,x)
		test	eax, eax
		jz	loc_5B18C9
		mov	edx, [ebx+10BCh]
		mov	ecx, [esp+30h+var_20]
		mov	[esp+30h+var_C], edx
		lea	eax, [edx+esi]
		mov	[esp+30h+var_18], eax
		cmp	eax, edx
		ja	loc_463E60

loc_5B1824:				; CODE XREF: MiChargeCommit+D4j
					; MiChargeCommit+ECj
		test	cl, 4
		jz	loc_5B193F
		mov	eax, [esp+30h+var_1C]
		test	eax, eax
		jnz	short loc_5B183B
		inc	ds:dword_6D30E4

loc_5B183B:				; CODE XREF: MiChargeCommit+14DAB3j
					; MiChargeCommit+14DB27j ...
		test	esi, esi
		jz	short loc_5B1898
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	_MiConsumeOverCommit@12	; MiConsumeOverCommit(x,x,x)
		test	eax, eax
		jnz	loc_463DE2
		jmp	loc_463D92
; 

loc_5B1856:				; CODE XREF: MiChargeCommit+14DA64j
		inc	dword ptr [ebx+1130h]
		cmp	ebx, offset _MiSystemPartition
		jnz	loc_5B195D
		mov	eax, ecx
		mov	edx, esi
		and	eax, 1
		mov	ecx, ebx
		mov	[esp+30h+var_4], eax
		push	0
		lea	eax, ds:8[eax*2]
		push	eax
		call	_MiIssuePageExtendRequest@16 ; MiIssuePageExtendRequest(x,x,x,x)
		mov	ecx, [esp+30h+var_4]
		test	ecx, ecx
		jnz	loc_5B195D
		test	eax, eax
		jz	short loc_5B18F1
		mov	ecx, [esp+30h+var_20]

loc_5B1898:				; CODE XREF: MiChargeCommit+10Bj
					; MiChargeCommit+14DABDj ...
		mov	edx, [esp+30h+var_18]
		jmp	loc_463EAA
; 

loc_5B18A1:				; CODE XREF: MiChargeCommit+14DA4Bj
		mov	eax, [esp+30h+var_1C]
		test	eax, eax
		jnz	short loc_5B183B
		inc	ds:dword_6D30E0
		jmp	short loc_5B183B
; 

loc_5B18B1:				; CODE XREF: MiChargeCommit+124j
		mov	edx, ecx
		mov	ecx, ebx
		push	edi
		call	_MiApplyCommitDelay@12 ; MiApplyCommitDelay(x,x,x)
		mov	ecx, [esp+30h+var_20]
		mov	[esp+30h+var_8], 1
		jmp	short loc_5B1898
; 

loc_5B18C9:				; CODE XREF: MiChargeCommit+14DA81j
		inc	dword ptr [ebx+112Ch]
		mov	ecx, ebx
		call	_MiCauseOverCommitPopup@4 ; MiCauseOverCommitPopup(x)
		jmp	loc_5B195D
; 

loc_5B18DB:				; CODE XREF: MiChargeCommit+14DA6Bj
		inc	dword ptr [ebx+1134h]
		mov	edx, 1000h
		push	0
		push	2
		call	_MiIssuePageExtendRequest@16 ; MiIssuePageExtendRequest(x,x,x,x)
		jmp	short loc_5B195D
; 

loc_5B18F1:				; CODE XREF: MiChargeCommit+14DB12j
		test	ecx, ecx
		jnz	short loc_5B195D
		mov	ecx, ebx
		call	_MiCauseOverCommitPopup@4 ; MiCauseOverCommitPopup(x)
		jmp	short loc_5B195D
; 

loc_5B18FE:				; CODE XREF: MiChargeCommit+156j
		cmp	edx, esi
		jb	short loc_5B190F
		jmp	loc_463EDC
; 

loc_5B1907:				; CODE XREF: MiChargeCommit+164j
		cmp	edx, esi
		jnb	loc_463EEA

loc_5B190F:				; CODE XREF: MiChargeCommit+14DB80j
		xor	edx, edx
		mov	ecx, ebx
		call	MiSyncCommitSignals
		mov	ecx, [esp+30h+var_20]
		mov	eax, [esp+30h+var_C]
		jmp	loc_463EEA
; 

loc_5B1925:				; CODE XREF: MiChargeCommit+1B4j
		cmp	ecx, [ebx+0D84h]
		jnz	loc_463F3A
		call	_MiFreeExcessSegments@0	; MiFreeExcessSegments()
		mov	ecx, [esp+34h+var_18]
		jmp	loc_463F3A
; 

loc_5B193F:				; CODE XREF: MiChargeCommit+14DAA7j
		test	cl, 2
		jnz	short loc_5B195D
		inc	dword ptr [ebx+1138h]
		test	cl, 1
		jnz	short loc_5B1956
		mov	ecx, ebx
		call	_MiCauseOverCommitPopup@4 ; MiCauseOverCommitPopup(x)

loc_5B1956:				; CODE XREF: MiChargeCommit+14DBCDj
		mov	ecx, ebx
		call	_MiPulseCommitSignal@4 ; MiPulseCommitSignal(x)

loc_5B195D:				; CODE XREF: MiChargeCommit+14DA54j
					; MiChargeCommit+14DAE2j ...
		xor	eax, eax
		jmp	loc_463DE7
; END OF FUNCTION CHUNK	FOR MiChargeCommit
; 
; START	OF FUNCTION CHUNK FOR MiChargeProcessCommitment

loc_5B1964:				; CODE XREF: MiChargeProcessCommitment+4Dj
		cmp	dword ptr [ecx+158h], 0
		jz	short loc_5B1972
		call	_PsReportProcessMemoryLimitViolation@0 ; PsReportProcessMemoryLimitViolation()

loc_5B1972:				; CODE XREF: MiChargeProcessCommitment+14D97Bj
		xor	eax, eax
		jmp	loc_464021
; END OF FUNCTION CHUNK	FOR MiChargeProcessCommitment
; 
; START	OF FUNCTION CHUNK FOR MiUnlockAndDereferenceVad

loc_5B1979:				; CODE XREF: MiUnlockAndDereferenceVad+1Bj
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5B1980:				; CODE XREF: MiUnlockAndDereferenceVad+29j
		mov	[ebp+var_18], 1
		jmp	loc_4641D6
; 

loc_5B198C:				; CODE XREF: MiUnlockAndDereferenceVad+1C2j
		push	0
		push	[ebp+var_10]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B199F:				; CODE XREF: MiUnlockAndDereferenceVad+119j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_20]
		jmp	loc_4642CF
; 

loc_5B19B4:				; CODE XREF: MiUnlockAndDereferenceVad+1FEj
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4643A4
; 

loc_5B19C5:				; CODE XREF: MiUnlockAndDereferenceVad+22Bj
		push	[ebp+var_20]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4642E6
; 

loc_5B19D7:				; CODE XREF: MiUnlockAndDereferenceVad+17Bj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_464321
; END OF FUNCTION CHUNK	FOR MiUnlockAndDereferenceVad
; 
; START	OF FUNCTION CHUNK FOR MiUnlockFaultPageTable

loc_5B19E4:				; CODE XREF: MiUnlockFaultPageTable+1Ej
		call	_MiEmptyDeferredWorkingSetEntries@4 ; MiEmptyDeferredWorkingSetEntries(x)
		mov	edx, [esi+0Ch]
		jmp	loc_464494
; 

loc_5B19F1:				; CODE XREF: MiUnlockFaultPageTable+8Ej
					; MiUnlockFaultPageTable+D8j
		cmp	al, 7
		jnz	short loc_5B19FE
		mov	[ebp+var_4], offset unk_6D2E58
		jmp	short loc_5B1A0D
; 

loc_5B19FE:				; CODE XREF: MiUnlockFaultPageTable+14D583j
		cmp	al, 5
		jnz	loc_46450C
		mov	[ebp+var_4], offset unk_6D2E54

loc_5B1A0D:				; CODE XREF: MiUnlockFaultPageTable+14D58Cj
		mov	eax, [ebp+var_4]
		mov	edi, 0C0603018h
		sub	edi, edx
		sar	edi, 3
		add	edi, edi
		jmp	loc_4644C2
; END OF FUNCTION CHUNK	FOR MiUnlockFaultPageTable
; 
; START	OF FUNCTION CHUNK FOR MiProbeAndLockPrepare

loc_5B1A21:				; CODE XREF: MiProbeAndLockPrepare+44j
					; MiProbeAndLockPrepare+4Cj
		inc	ds:dword_6D309C
		mov	eax, 0C0000005h
		jmp	loc_464A76
; 

loc_5B1A31:				; CODE XREF: MiProbeAndLockPrepare+F0j
		mov	ecx, [esi]
		lea	eax, [ebp+var_4]
		push	eax
		xor	edx, edx
		call	MiObtainReferencedVadEx
		mov	ecx, eax
		mov	[ebp+arg_8], ecx
		test	ecx, ecx
		jnz	short loc_5B1A4F
		mov	eax, [ebp+var_4]
		jmp	loc_464A76
; 

loc_5B1A4F:				; CODE XREF: MiProbeAndLockPrepare+14D1A5j
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		test	eax, eax
		jnz	loc_5B1AEF
		mov	eax, [ecx+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jnb	loc_5B1AEF
		mov	edx, [ecx+1Ch]
		mov	eax, edx
		and	al, 70h
		cmp	al, 10h
		jz	short loc_5B1AEF
		test	edx, 100000h
		jnz	short loc_5B1A8A
		and	dl, 70h
		cmp	dl, 20h
		jnz	short loc_5B1AEF

loc_5B1A8A:				; CODE XREF: MiProbeAndLockPrepare+14D1E0j
		mov	edx, [ecx+0Ch]
		mov	eax, [ebp+arg_0]
		shl	edx, 0Ch
		mov	[ebp+arg_C], edx
		cmp	eax, edx
		jb	short loc_5B1AE0
		mov	edx, [ecx+10h]
		shl	edx, 0Ch
		or	edx, 0FFFh
		cmp	eax, edx
		ja	short loc_5B1AE0
		cmp	edi, [ebp+arg_C]
		jb	short loc_5B1AE0
		cmp	edi, edx
		ja	short loc_5B1AE0
		mov	ecx, [esi+34h]
		mov	edx, ebx
		call	MiChargeFullProcessCommitment
		mov	edi, eax
		test	edi, edi
		jns	short loc_5B1AD2
		mov	ecx, [ebp+arg_8]
		call	MiUnlockAndDereferenceVad
		mov	eax, edi
		jmp	loc_464A76
; 

loc_5B1AD2:				; CODE XREF: MiProbeAndLockPrepare+14D221j
		mov	eax, [ebp+arg_8]
		mov	[esi+48h], eax
		mov	[esi+44h], ebx
		jmp	loc_464996
; 

loc_5B1AE0:				; CODE XREF: MiProbeAndLockPrepare+14D1F8j
					; MiProbeAndLockPrepare+14D208j ...
		call	MiUnlockAndDereferenceVad
		mov	eax, 0C0000018h
		jmp	loc_464A76
; 

loc_5B1AEF:				; CODE XREF: MiProbeAndLockPrepare+14D1B6j
					; MiProbeAndLockPrepare+14D1C9j ...
		call	MiUnlockAndDereferenceVad
		mov	eax, 0C0000005h
		jmp	loc_464A76
; 

loc_5B1AFE:				; CODE XREF: MiProbeAndLockPrepare+2FDj
		mov	ecx, 3
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		and	edx, 0FFFFFFF5h
		mov	[ebp+arg_C], ebx
		mov	ecx, eax
		or	edx, 5
		mov	[ebx], ecx
		mov	[edi], edx
		jmp	loc_4649ED
; 

loc_5B1B1C:				; CODE XREF: MiProbeAndLockPrepare+17Fj
		mov	dl, al
		mov	ecx, ebx
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	loc_464A3E
; 

loc_5B1B2A:				; CODE XREF: MiProbeAndLockPrepare+1A4j
		xor	eax, eax
		xchg	eax, [ebx]
		jmp	loc_464A4A
; END OF FUNCTION CHUNK	FOR MiProbeAndLockPrepare
; 
; START	OF FUNCTION CHUNK FOR MiGetPageTableLockBuffer

loc_5B1B33:				; CODE XREF: MiGetPageTableLockBuffer+58j
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	loc_465D3E

loc_5B1B43:				; CODE XREF: MiGetPageTableLockBuffer+4Cj
		cmp	cl, 7
		jnz	short loc_5B1B4F
		mov	eax, offset unk_6D2E58
		jmp	short loc_5B1B5D
; 

loc_5B1B4F:				; CODE XREF: MiGetPageTableLockBuffer+14BE66j
		cmp	cl, 5
		jnz	loc_465D3E
		mov	eax, offset unk_6D2E54

loc_5B1B5D:				; CODE XREF: MiGetPageTableLockBuffer+14BE6Dj
		mov	ecx, [ebp+arg_0]
		mov	edx, 0C0603018h
		sub	edx, ebx
		sar	edx, 3
		add	edx, edx
		mov	[ecx], edx
		jmp	loc_465D1F
; END OF FUNCTION CHUNK	FOR MiGetPageTableLockBuffer
; 
; START	OF FUNCTION CHUNK FOR MiInsertVad

loc_5B1B73:				; CODE XREF: MiInsertVad+41j
		mov	edi, offset unk_6D3C40
		jmp	loc_46631D
; 

loc_5B1B7D:				; CODE XREF: MiInsertVad+5Fj
		mov	dl, al
		mov	ecx, edi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_46635B
; 

loc_5B1B8B:				; CODE XREF: MiInsertVad+2B4j
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_46658A
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_46658C
; 

loc_5B1BA3:				; CODE XREF: MiInsertVad+34j
		mov	[ebp+var_1], 21h
		jmp	loc_466368
; 

loc_5B1BAC:				; CODE XREF: MiInsertVad+2A0j
		mov	ecx, [edi+1Ch]

loc_5B1BAF:				; CODE XREF: MiInsertVad+275j
					; MiInsertVad+28Dj
		mov	edx, [ebp+var_8]
		shr	ecx, 12h
		and	ecx, 3
		cmp	ds:_MiVadPageSizes[ecx*4], 200h
		jb	loc_46640F
		inc	dword ptr [edx+394h]
		jmp	loc_46640F
; 

loc_5B1BD4:				; CODE XREF: MiInsertVad+155j
		and	ecx, 3100000h
		cmp	ecx, 2100000h
		jz	loc_46642B
		mov	eax, [edi+24h]
		test	eax, eax
		jz	short loc_5B1BFC

loc_5B1BED:				; CODE XREF: MiInsertVad+14B92Aj
		test	dword ptr [eax+24h], 100h
		jnz	short loc_5B1BFC
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_5B1BED

loc_5B1BFC:				; CODE XREF: MiInsertVad+14B91Bj
					; MiInsertVad+14B924j
		add	eax, 4
		mov	[ebp+var_10], eax
		jmp	loc_46642B
; 

loc_5B1C07:				; CODE XREF: MiInsertVad+178j
		mov	esi, offset unk_6D3C40
		jmp	loc_466454
; 

loc_5B1C11:				; CODE XREF: MiInsertVad+1C4j
		mov	ebx, 1
		jmp	loc_46649A
; 

loc_5B1C1B:				; CODE XREF: MiInsertVad+1F4j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_4664D0
; 

loc_5B1C2A:				; CODE XREF: MiInsertVad+20Bj
					; MiInsertVad+14B968j
		mov	esi, [edi]
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_5B1C2A
		jmp	loc_4664E1
; 

loc_5B1C3F:				; CODE XREF: MiInsertVad+219j
		mov	ecx, [ebp+var_C]
		call	MiLockWorkingSetShared
		mov	dl, [ebp+var_1]
		mov	ecx, [ebp+var_C]
		call	MiUnlockWorkingSetShared
		jmp	loc_4664EF
; 

loc_5B1C57:				; CODE XREF: MiInsertVad+224j
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		call	_MiAweViewInserter@8 ; MiAweViewInserter(x,x)
		jmp	loc_4664FA
; END OF FUNCTION CHUNK	FOR MiInsertVad
; 
; START	OF FUNCTION CHUNK FOR MiInPagePageTable

loc_5B1C66:				; CODE XREF: MiInPagePageTable+97j
					; MiInPagePageTable+14B685j
		cmp	eax, 0C07FFFFFh
		ja	short loc_5B1C77
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	short loc_5B1C66

loc_5B1C77:				; CODE XREF: MiInPagePageTable+14B67Bj
		mov	[ebp+var_5C], eax
		jmp	loc_46668D
; 

loc_5B1C7F:				; CODE XREF: MiInPagePageTable+D8j
		test	eax, eax
		jz	loc_4666CE
		mov	ecx, ds:dword_6D0614
		mov	eax, 1
		mov	[ebp+var_4C], ecx
		jmp	loc_466725
; 

loc_5B1C9A:				; CODE XREF: MiInPagePageTable+A5j
		lea	eax, [ecx+40000000h]
		mov	[ebp+var_4C], ebx
		cmp	eax, offset loc_7FFFFF
		mov	eax, 4
		jbe	loc_466725
		jmp	loc_466720
; 

loc_5B1CB8:				; CODE XREF: MiInPagePageTable+149j
		cmp	[ebp+var_50], 0
		jnz	loc_5B1D87
		cmp	edx, 0C0000000h
		jb	loc_46673F
		cmp	edx, 0C07FFFFFh
		ja	loc_46673F
		cmp	dword ptr [edi+8], 0
		jz	loc_46673F
		mov	ebx, [ebp+var_58]
		mov	eax, [edi+4]
		push	6
		push	ebx
		push	eax
		push	edx
		push	50h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B1CF6:				; CODE XREF: MiInPagePageTable+302j
		push	0
		push	0
		push	edx
		push	4477h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B1D07:				; CODE XREF: MiInPagePageTable+315j
		push	0
		push	0
		push	edx
		push	4478h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B1D18:				; CODE XREF: MiInPagePageTable+345j
		mov	eax, [ebp+var_58]
		add	eax, 8
		cmp	eax, 0C0000000h
		jb	short loc_5B1D36

loc_5B1D25:				; CODE XREF: MiInPagePageTable+14B744j
		cmp	eax, 0C07FFFFFh
		ja	short loc_5B1D36
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	short loc_5B1D25

loc_5B1D36:				; CODE XREF: MiInPagePageTable+14B733j
					; MiInPagePageTable+14B73Aj
		cmp	eax, edx
		jnb	short loc_5B1D46
		inc	dword ptr [esi+0Ch]
		mov	dword ptr [esi+10h], 0
		jmp	short loc_5B1D4F
; 

loc_5B1D46:				; CODE XREF: MiInPagePageTable+14B748j
		mov	edx, eax
		mov	ecx, esi
		call	MiLeapPrefetch

loc_5B1D4F:				; CODE XREF: MiInPagePageTable+14B754j
		mov	byte ptr [esi+1], 1
		jmp	loc_466760
; 

loc_5B1D58:				; CODE XREF: MiInPagePageTable+322j
		mov	ecx, [edi+8]
		mov	edx, eax
		shr	edx, 3
		and	ecx, 0FFFFFFFEh
		cmp	edx, 3
		jnz	short loc_5B1D6C
		test	al, 7
		jnz	short loc_5B1D71

loc_5B1D6C:				; CODE XREF: MiInPagePageTable+14B776j
		cmp	edx, 1
		jnz	short loc_5B1D82

loc_5B1D71:				; CODE XREF: MiInPagePageTable+14B77Aj
		test	dword ptr [ecx+28h], 4000h
		jz	short loc_5B1D82
		mov	edx, [ebp+var_50]
		jmp	loc_46679C
; 

loc_5B1D82:				; CODE XREF: MiInPagePageTable+14B77Fj
					; MiInPagePageTable+14B788j
		call	_MiAdvanceFaultList@4 ;	MiAdvanceFaultList(x)

loc_5B1D87:				; CODE XREF: MiInPagePageTable+14B6CCj
					; MiInPagePageTable+14B7AAj ...
		mov	eax, 0C0000434h
		jmp	loc_466765
; 

loc_5B1D91:				; CODE XREF: MiInPagePageTable+1B7j
		test	edx, edx
		jz	short loc_5B1D9C
		lea	eax, [edx+1Ch]
		cmp	[eax], eax
		jnz	short loc_5B1D87

loc_5B1D9C:				; CODE XREF: MiInPagePageTable+14B7A3j
		cmp	ecx, large fs:124h
		jz	loc_4667AD
		or	dword ptr [edi+24h], 4
		mov	eax, 0C0000434h
		jmp	loc_466765
; 

loc_5B1DB7:				; CODE XREF: MiInPagePageTable+382j
		mov	edx, [ebx+10h]
		mov	ebx, [ebp+var_50]
		mov	ecx, ebx
		shl	edx, 0Ch
		or	edx, 0FFFh
		add	edx, 1000h
		call	MiLeapPrefetch
		mov	byte ptr [ebx+1], 1
		mov	eax, 0C0000434h
		jmp	loc_466765
; 

loc_5B1DE1:				; CODE XREF: MiInPagePageTable+1DFj
		mov	ecx, ebx
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		test	eax, eax
		jnz	loc_4667D5
		cmp	[ebp+var_68], 1
		jnz	loc_4667D5
		push	[ebp+var_54]
		mov	ebx, [ebp+var_58]
		mov	esi, [ebp+var_4C]
		mov	edx, esi
		push	ebx
		push	ecx
		mov	ecx, [edi]
		call	_MiInsertLargeVadMapping@20 ; MiInsertLargeVadMapping(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_5B1E44
		mov	edi, [ebp+var_74]
		mov	dl, 21h
		push	eax
		mov	ecx, edi
		call	_MiReleaseFaultState@12	; MiReleaseFaultState(x,x,x)
		push	0
		push	0
		push	esi
		push	0
		call	MmAccessFault
		mov	ecx, [ebp+var_78]
		and	byte ptr [edi+9], 0FEh
		call	MiLockWorkingSetShared
		mov	[edi+8], al
		mov	eax, 0C0000434h
		jmp	loc_466765
; 

loc_5B1E44:				; CODE XREF: MiInPagePageTable+14B820j
		cmp	ebx, 0C0600000h
		jb	short loc_5B1E54
		cmp	ebx, 0C0603FFFh
		jbe	short loc_5B1E8E

loc_5B1E54:				; CODE XREF: MiInPagePageTable+14B85Aj
		mov	eax, [ebp+var_5C]
		cmp	eax, ds:_MmHighestUserAddress
		ja	short loc_5B1E8E
		mov	eax, large fs:124h
		mov	ecx, ebx
		shr	ecx, 0Ch
		mov	edx, 1
		and	ecx, 7FFh
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		add	eax, 190h
		lea	ecx, [eax+ecx*2]
		call	_MiIncreaseUsedPtesCount@8 ; MiIncreaseUsedPtesCount(x,x)

loc_5B1E8E:				; CODE XREF: MiInPagePageTable+14B862j
					; MiInPagePageTable+14B86Dj
		mov	edx, ebx
		mov	ecx, edi
		call	_MiLargePageFault@8 ; MiLargePageFault(x,x)
		test	eax, eax
		jns	loc_5B1D87
		jmp	loc_466765
; 

loc_5B1EA4:				; CODE XREF: MiInPagePageTable+1EDj
					; MiInPagePageTable+1F8j
		mov	eax, [ebp+var_5C]
		cmp	eax, ds:_MmHighestUserAddress
		ja	loc_4667EE
		mov	eax, large fs:124h
		mov	ecx, esi
		shr	ecx, 15h
		mov	edx, 1
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		add	eax, 190h
		lea	ecx, [eax+ecx*2]
		call	_MiIncreaseUsedPtesCount@8 ; MiIncreaseUsedPtesCount(x,x)
		jmp	loc_4667EE
; 

loc_5B1EE1:				; CODE XREF: MiInPagePageTable+38Bj
		cmp	al, 3
		jz	loc_466957
		cmp	al, 5
		jnz	loc_466823
		jmp	loc_466957
; 

loc_5B1EF6:				; CODE XREF: MiInPagePageTable+290j
		mov	eax, [ebp+var_34]
		mov	[esi+14h], eax
		mov	eax, [ebp+var_30]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_28]
		mov	[esi+1Ch], edx
		mov	[esi+20h], eax
		jmp	loc_466886
; 

loc_5B1F10:				; CODE XREF: MiInPagePageTable+298j
		mov	eax, ecx
		jmp	loc_466765
; 

loc_5B1F17:				; CODE XREF: MiInPagePageTable+2A2j
		mov	ebx, [ebp+var_68]
		mov	ecx, 1
		mov	eax, [esi+ebx*4+0Ch]
		mov	edx, [eax]
		and	edx, ecx

loc_5B1F27:				; CODE XREF: MiInPagePageTable+14B94Dj
		mov	eax, edx
		or	eax, 0
		jz	loc_5B1D87
		cmp	ecx, ebx
		jz	loc_466898
		sub	ecx, 1
		jnz	short loc_5B1F27
		jmp	loc_466898
; END OF FUNCTION CHUNK	FOR MiInPagePageTable
; 
; START	OF FUNCTION CHUNK FOR MiCheckProtoAccess

loc_5B1F44:				; CODE XREF: MiCheckProtoAccess+105j
		test	esi, esi
		jnz	loc_466B98
		jmp	loc_466ABB
; 

loc_5B1F51:				; CODE XREF: MiCheckProtoAccess+180j
		mov	esi, [ecx+24h]
		test	esi, esi
		jz	loc_466AC4

loc_5B1F5C:				; CODE XREF: MiCheckProtoAccess+14B5B6j
		test	byte ptr [esi+24h], 20h
		jnz	short loc_5B1F6D
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_5B1F5C
		jmp	loc_466AC4
; 

loc_5B1F6D:				; CODE XREF: MiCheckProtoAccess+14B5B0j
		test	esi, esi
		jz	loc_466AC4
		mov	eax, large fs:124h
		cmp	[esi+4], eax
		jnz	loc_466B0A
		jmp	loc_466AC4
; 

loc_5B1F89:				; CODE XREF: MiCheckProtoAccess+120j
		and	eax, 70h
		cmp	eax, 10h
		jz	loc_466B0A
		cmp	eax, 30h
		jz	loc_466B0A
		call	_MiIsVadLargePrivate@4 ; MiIsVadLargePrivate(x)
		jmp	loc_466B0A
; 

loc_5B1FA8:				; CODE XREF: MiCheckProtoAccess+12Ej
		mov	eax, [ecx+1Ch]
		and	eax, 70h
		cmp	al, 50h
		jnz	loc_466B0A
		jmp	loc_466AE4
; END OF FUNCTION CHUNK	FOR MiCheckProtoAccess
; 
; START	OF FUNCTION CHUNK FOR MiObtainReferencedVadEx

loc_5B1FBB:				; CODE XREF: MiObtainReferencedVadEx+99j
		mov	eax, 0C000010Ah
		jmp	loc_466D53
; 

loc_5B1FC5:				; CODE XREF: MiObtainReferencedVadEx+A9j
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5B1FCC:				; CODE XREF: MiObtainReferencedVadEx+213j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_466CD3
; 

loc_5B1FD6:				; CODE XREF: MiObtainReferencedVadEx+202j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_466D0D
; 

loc_5B1FE0:				; CODE XREF: MiObtainReferencedVadEx+121j
		cmp	[ebp+var_4], 0
		jz	short loc_5B202E
		and	byte ptr [edi+305h], 0BFh
		lea	ebx, [esi+18h]
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jz	short loc_5B2007
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_5B2007:				; CODE XREF: MiObtainReferencedVadEx+14B40Ej
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		dec	word ptr [edi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [edi+304h], 80h
		nop

loc_5B202E:				; CODE XREF: MiObtainReferencedVadEx+14B3F4j
		mov	ecx, esi
		call	_MiWaitForVadDeletion@4	; MiWaitForVadDeletion(x)
		mov	ecx, esi
		call	MiUnlockAndDereferenceVad
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+0FCh]
		mov	ecx, [ebp+arg_0]
		and	al, 20h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 6Ah
		add	eax, 0C00000A0h
		mov	[ecx], eax
		jmp	loc_466D87
; 

loc_5B2060:				; CODE XREF: MiObtainReferencedVadEx+12Aj
					; MiObtainReferencedVadEx+133j
		cmp	[ebp+var_4], 0
		mov	ecx, esi
		jz	short loc_5B206F
		call	MiUnlockAndDereferenceVadShared
		jmp	short loc_5B2074
; 

loc_5B206F:				; CODE XREF: MiObtainReferencedVadEx+14B476j
		call	MiUnlockAndDereferenceVad

loc_5B2074:				; CODE XREF: MiObtainReferencedVadEx+14B47Dj
		mov	ecx, [ebp+arg_0]
		mov	dword ptr [ecx], 0C00000A0h
		jmp	loc_466D87
; 

loc_5B2082:				; CODE XREF: MiObtainReferencedVadEx+158j
		mov	eax, 0C000010Ah
		jmp	loc_466D53
; END OF FUNCTION CHUNK	FOR MiObtainReferencedVadEx
; 
; START	OF FUNCTION CHUNK FOR MmAccessFault

loc_5B208C:				; CODE XREF: MmAccessFault+3Aj
		push	edi
		push	edx
		push	esi
		push	61941h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B209B:				; CODE XREF: MmAccessFault+6EBj
		mov	ecx, esi
		call	_MiHandleEnclaveFault@4	; MiHandleEnclaveFault(x)
		jmp	loc_467118
; 

loc_5B20A7:				; CODE XREF: MmAccessFault+5F4j
		mov	ecx, 2
		jmp	loc_46740F
; 

loc_5B20B1:				; CODE XREF: MmAccessFault+618j
		lea	ecx, [esp+0C0h+var_48]
		call	_MiReleaseFaultSynchronization@4 ; MiReleaseFaultSynchronization(x)
		mov	[esp+0C0h+var_1C], 0
		mov	esi, 0C0000005h
		jmp	loc_4670CD
; 

loc_5B20CF:				; CODE XREF: MmAccessFault+625j
		mov	[esp+0C0h+var_1C], eax
		jmp	loc_46743B
; 

loc_5B20DB:				; CODE XREF: MmAccessFault+400j
		mov	eax, [eax+14h]
		mov	[esp+0C0h+var_A0], eax
		jmp	loc_467216
; 

loc_5B20E7:				; CODE XREF: MmAccessFault+3C2j
					; MmAccessFault+7D5j
		cmp	al, 7
		jnz	short loc_5B20F5
		mov	[esp+0C0h+var_B8], offset unk_6D2E58
		jmp	short loc_5B2105
; 

loc_5B20F5:				; CODE XREF: MmAccessFault+14B2D9j
		cmp	al, 5
		jnz	loc_4671E4
		mov	[esp+0C0h+var_B8], offset unk_6D2E54

loc_5B2105:				; CODE XREF: MmAccessFault+14B2E3j
		mov	eax, 0C0603018h
		sub	eax, edx
		mov	edx, eax
		mov	eax, [esp+0C0h+var_B8]
		sar	edx, 3
		add	edx, edx
		mov	[esp+0C0h+var_B0], edx
		jmp	loc_466FE7
; 

loc_5B2120:				; CODE XREF: MmAccessFault+187j
		mov	al, byte ptr [esp+0C0h+var_2C+1]
		jmp	loc_467039
; 

loc_5B212C:				; CODE XREF: MmAccessFault+236j
		call	MiUnlockWorkingSetExclusive
		jmp	loc_467051
; 

loc_5B2136:				; CODE XREF: MmAccessFault+258j
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_5B2142
		call	_MiReplenishTransitionPageHeatList@0 ; MiReplenishTransitionPageHeatList()
		jmp	short loc_5B2153
; 

loc_5B2142:				; CODE XREF: MmAccessFault+14B329j
		call	_MiProcessTransitionHeatBatch@4	; MiProcessTransitionHeatBatch(x)
		mov	ecx, [esp+0C0h+var_14]
		call	_MiFreeTransitionPageHeatList@4	; MiFreeTransitionPageHeatList(x)

loc_5B2153:				; CODE XREF: MmAccessFault+14B330j
		mov	[esp+0C0h+var_14], 0
		jmp	loc_46706E
; 

loc_5B2163:				; CODE XREF: MmAccessFault+267j
		mov	eax, [esp+0C0h+var_24]
		mov	edx, offset _MiSystemPartition
		shr	eax, 6
		not	eax
		and	eax, 1
		shl	eax, 11h
		push	eax
		push	[esp+0C4h+var_C]
		call	_MiReplenishSlabAllocator@16 ; MiReplenishSlabAllocator(x,x,x,x)
		mov	[esp+0C0h+var_10], 0
		jmp	loc_46708B
; 

loc_5B2197:				; CODE XREF: MmAccessFault+368j
		mov	ecx, [eax+18h]
		test	ecx, ecx
		jz	loc_46708B
		push	0
		push	1
		mov	edx, offset _MiSystemPartition
		call	_MiReplenishSlabAllocator@16 ; MiReplenishSlabAllocator(x,x,x,x)
		jmp	loc_46708B
; 

loc_5B21B5:				; CODE XREF: MmAccessFault+488j
		push	offset _MiShortTime
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_4670AF
; 

loc_5B21C8:				; CODE XREF: MmAccessFault+350j
		push	esi
		call	_FsRtlIsTotalDeviceFailure@4 ; FsRtlIsTotalDeviceFailure(x)
		test	al, al
		jnz	loc_4670C3
		jmp	loc_46746E
; 

loc_5B21DB:				; CODE XREF: MmAccessFault+781j
		test	byte ptr [eax+1Ch], 0Ch
		jz	loc_46749C
		mov	esi, 0C00000D8h
		jmp	loc_4670DD
; 

loc_5B21EF:				; CODE XREF: MmAccessFault+694j
					; MmAccessFault+6ABj ...
		push	offset _MiShortTime
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_4674D1
; 

loc_5B2202:				; CODE XREF: MmAccessFault+6DAj
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		jmp	loc_4674F0
; 

loc_5B2213:				; CODE XREF: MmAccessFault+2C7j
		mov	eax, [esp+0C0h+var_40]
		mov	ecx, esi
		mov	edx, [esp+0C0h+var_48]
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, [esp+0C0h+var_40]
		push	eax
		mov	eax, [esp+0C4h+var_24]
		shr	eax, 6
		and	al, 1
		movzx	eax, al
		push	eax
		call	@EtwTracePageFault@16 ;	EtwTracePageFault(x,x,x,x)
		jmp	loc_4670DD
; 

loc_5B224D:				; CODE XREF: MmAccessFault+2D5j
		mov	ecx, [esp+0C0h+var_34]
		mov	edx, 0C0000017h
		call	MiCopyOnWriteCheckConditions
		jmp	loc_4670EB
; 

loc_5B2263:				; CODE XREF: MmAccessFault+71Cj
		cmp	cl, 5
		jz	loc_467377
		cmp	cl, 6
		jz	loc_46737D
		jmp	loc_467377
; END OF FUNCTION CHUNK	FOR MmAccessFault
; 

loc_5B227A:				; CODE XREF: .text:00467664j
		mov	eax, large fs:20h
		mov	edx, 1
		push	2
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		lea	ecx, [eax+eax*4]
		shl	ecx, 7
		add	ecx, ds:dword_6D4E50
		mov	edi, [ecx+1D0h]
		mov	esi, [ecx+1D4h]
		call	_MiNodeLargeFreeZeroPages@12 ; MiNodeLargeFreeZeroPages(x,x,x)
		lea	ecx, [esi+eax]
		add	ecx, edi
		cmp	ecx, 420h
		jnb	short loc_5B22D9
		mov	eax, ecx
		shr	eax, 4
		cmp	[ebp-24h], eax
		jb	short loc_5B22D9
		mov	edi, [ebp-10h]
		mov	esi, [ebp-8]
		mov	eax, [ebp-24h]
		mov	edx, [ebp-28h]
		jmp	loc_46766A
; 

loc_5B22D9:				; CODE XREF: .text:005B22BCj
					; .text:005B22C6j
		mov	edi, [ebp-10h]
		mov	esi, [ebp-8]
		mov	eax, [ebp-24h]
		mov	edx, [ebp-28h]
		test	ecx, ecx
		jnz	loc_467670
		jmp	loc_46766A
; 

loc_5B22F2:				; CODE XREF: .text:00467676j
		cmp	eax, 4000h
		jnb	short loc_5B2304
		shr	ecx, 4
		cmp	eax, ecx
		jb	loc_46767C

loc_5B2304:				; CODE XREF: .text:005B22F7j
		xor	ecx, ecx
		mov	dword ptr [edx+348h], 0
		cmp	byte ptr [edx+68h], 9
		setnl	cl
		inc	ecx
		jmp	loc_467CBB
; 

loc_5B231D:				; CODE XREF: .text:00467690j
		cmp	al, 5
		jz	loc_467696
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		jmp	loc_4676E3
; 

loc_5B2334:				; CODE XREF: .text:00467698j
		mov	esi, offset unk_6D3C40
		jmp	loc_4676A4
; 

loc_5B233E:				; CODE XREF: .text:004676B5j
		mov	dl, bl
		mov	ecx, esi
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	loc_4676D4
; 

loc_5B234C:				; CODE XREF: .text:004676FCj
		mov	edx, offset unk_6D3C40
		jmp	loc_467708
; 

loc_5B2356:				; CODE XREF: .text:00467712j
		cmp	dword ptr [edx+14h], 0
		jz	loc_467718
		cmp	esi, ds:dword_6D07D0
		jnb	loc_467718
		mov	ecx, esi
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		test	eax, eax
		jz	short loc_5B2386
		mov	ecx, eax
		call	_MiIsVadEligibleForCommitRelease@4 ; MiIsVadEligibleForCommitRelease(x)
		test	eax, eax
		jz	loc_467718

loc_5B2386:				; CODE XREF: .text:005B2375j
		mov	dword ptr [ebp-14h], 0C0000005h

loc_5B238D:				; CODE XREF: .text:005B23B5j
		mov	dword ptr [ebp-0Ch], 2
		jmp	loc_467D20
; 

loc_5B2399:				; CODE XREF: .text:0046772Bj
		mov	ebx, [ebp-8]
		mov	edx, edi
		mov	ecx, [ebx]
		call	_MiWaitForRotateToComplete@8 ; MiWaitForRotateToComplete(x,x)
		cmp	eax, 1
		jnz	loc_467731
		mov	dword ptr [ebp-14h], 0
		jmp	short loc_5B238D
; 

loc_5B23B7:				; CODE XREF: .text:00467771j
		cmp	al, 7
		jnz	short loc_5B23C2
		mov	esi, offset unk_6D2E58
		jmp	short loc_5B23CB
; 

loc_5B23C2:				; CODE XREF: .text:005B23B9j
		cmp	al, 5
		jnz	short loc_5B23D5
		mov	esi, offset unk_6D2E54

loc_5B23CB:				; CODE XREF: .text:005B23C0j
		xor	ecx, ecx
		mov	[ebp-18h], ecx
		jmp	loc_467788
; 

loc_5B23D5:				; CODE XREF: .text:005B23C4j
		mov	esi, offset unk_6D2DD4
		jmp	loc_467788
; 

loc_5B23DF:				; CODE XREF: .text:00467779j
		lea	esi, [edx+2A0h]
		jmp	loc_467788
; 

loc_5B23EA:				; CODE XREF: .text:00467EB7j
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_467EBD
		push	edi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		mov	ecx, [ebp-18h]
		jmp	loc_467EBF
; 

loc_5B2405:				; CODE XREF: .text:004677FBj
		cmp	esi, 0C0603018h
		jz	short loc_5B2421
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	short loc_5B244D
		cmp	esi, 0C0603010h
		jnz	short loc_5B244D

loc_5B2421:				; CODE XREF: .text:005B240Bj
		cmp	al, 7
		jnz	short loc_5B242E
		mov	dword ptr [ebp-18h], offset unk_6D2E58
		jmp	short loc_5B2439
; 

loc_5B242E:				; CODE XREF: .text:005B2423j
		cmp	al, 5
		jnz	short loc_5B244D
		mov	dword ptr [ebp-18h], offset unk_6D2E54

loc_5B2439:				; CODE XREF: .text:005B242Cj
		mov	eax, [ebp-18h]
		mov	edi, 0C0603018h
		sub	edi, esi
		sar	edi, 3
		add	edi, edi
		jmp	loc_46781A
; 

loc_5B244D:				; CODE XREF: .text:005B2417j
					; .text:005B241Fj ...
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_467817
; 

loc_5B245C:				; CODE XREF: .text:00467806j
		lea	eax, [edx+120h]
		lea	eax, [eax+ecx*4]
		jmp	loc_467817
; 

loc_5B246A:				; CODE XREF: .text:00467F17j
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_467F1D
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_467F1F
; 

loc_5B2482:				; CODE XREF: .text:00467871j
		cmp	esi, 0C0603018h
		jz	short loc_5B249E
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	short loc_5B24CD
		cmp	esi, 0C0603010h
		jnz	short loc_5B24CD

loc_5B249E:				; CODE XREF: .text:005B2488j
		cmp	al, 7
		jnz	short loc_5B24AB
		mov	dword ptr [ebp-18h], offset unk_6D2E58
		jmp	short loc_5B24B6
; 

loc_5B24AB:				; CODE XREF: .text:005B24A0j
		cmp	al, 5
		jnz	short loc_5B24CD
		mov	dword ptr [ebp-18h], offset unk_6D2E54

loc_5B24B6:				; CODE XREF: .text:005B24A9j
		mov	eax, [ebp-18h]
		mov	edx, 0C0603018h
		sub	edx, esi
		sar	edx, 3
		add	edx, edx
		mov	[ebp-30h], edx
		jmp	loc_467890
; 

loc_5B24CD:				; CODE XREF: .text:005B2494j
					; .text:005B249Cj ...
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_46788D
; 

loc_5B24DC:				; CODE XREF: .text:0046787Cj
		lea	eax, [edx+120h]
		lea	eax, [eax+ecx*4]
		jmp	loc_46788D
; 

loc_5B24EA:				; CODE XREF: .text:0046792Ej
		cmp	ebx, 0C0603018h
		jz	short loc_5B2506
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	short loc_5B2535
		cmp	ebx, 0C0603010h
		jnz	short loc_5B2535

loc_5B2506:				; CODE XREF: .text:005B24F0j
		cmp	al, 7
		jnz	short loc_5B2513
		mov	dword ptr [ebp-18h], offset unk_6D2E58
		jmp	short loc_5B251E
; 

loc_5B2513:				; CODE XREF: .text:005B2508j
		cmp	al, 5
		jnz	short loc_5B2535
		mov	dword ptr [ebp-18h], offset unk_6D2E54

loc_5B251E:				; CODE XREF: .text:005B2511j
		mov	eax, [ebp-18h]
		mov	edi, 0C0603018h
		sub	edi, ebx
		sar	edi, 3
		add	edi, edi
		mov	[ebp-3Ch], edi
		jmp	loc_46794D
; 

loc_5B2535:				; CODE XREF: .text:005B24FCj
					; .text:005B2504j ...
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_46794A
; 

loc_5B2544:				; CODE XREF: .text:00467939j
		lea	eax, [edx+120h]
		lea	eax, [eax+ecx*4]
		jmp	loc_46794A
; 

loc_5B2552:				; CODE XREF: .text:00467EE7j
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_467EED
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_467EEF
; 

loc_5B256A:				; CODE XREF: .text:004679A4j
		cmp	esi, 0C0603018h
		jz	short loc_5B2586
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	short loc_5B25B2
		cmp	esi, 0C0603010h
		jnz	short loc_5B25B2

loc_5B2586:				; CODE XREF: .text:005B2570j
		cmp	al, 7
		jnz	short loc_5B2593
		mov	dword ptr [ebp-18h], offset unk_6D2E58
		jmp	short loc_5B259E
; 

loc_5B2593:				; CODE XREF: .text:005B2588j
		cmp	al, 5
		jnz	short loc_5B25B2
		mov	dword ptr [ebp-18h], offset unk_6D2E54

loc_5B259E:				; CODE XREF: .text:005B2591j
		mov	eax, [ebp-18h]
		mov	ebx, 0C0603018h
		sub	ebx, esi
		sar	ebx, 3
		add	ebx, ebx
		jmp	loc_4679C3
; 

loc_5B25B2:				; CODE XREF: .text:005B257Cj
					; .text:005B2584j ...
		shr	ecx, 5
		lea	eax, unk_6D2C54[ecx*4]
		jmp	loc_4679C0
; 

loc_5B25C1:				; CODE XREF: .text:004679AFj
		lea	eax, [edx+120h]
		lea	eax, [eax+ecx*4]
		jmp	loc_4679C0
; 

loc_5B25CF:				; CODE XREF: .text:00467E14j
		mov	ecx, edi
		call	MiUnlockFaultPageTable
		mov	dword ptr [ebp-14h], 0C0000005h
		jmp	loc_467D20
; 

loc_5B25E2:				; CODE XREF: .text:004678F5j
		mov	edx, [esi+8]
		test	dl, 1
		jz	short loc_5B25F4
		mov	eax, edx
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		jz	short loc_5B2615

loc_5B25F4:				; CODE XREF: .text:005B25E8j
		mov	ecx, [esi]
		cmp	ecx, 0C0000000h
		jb	short loc_5B2615
		cmp	ecx, 0C07FFFFFh
		ja	short loc_5B2615
		mov	eax, [esi+4]
		push	8
		push	edx
		push	eax
		push	ecx
		push	50h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B2615:				; CODE XREF: .text:005B25F2j
					; .text:005B25FCj ...
		mov	edx, ebx
		mov	ecx, esi
		call	_MiLargePageFault@8 ; MiLargePageFault(x,x)
		mov	ebx, eax
		mov	[ebp-14h], ebx
		test	ebx, ebx
		js	loc_467E31
		mov	ebx, 0C0000434h
		mov	[ebp-14h], ebx
		jmp	loc_467E31
; 

loc_5B2638:				; CODE XREF: .text:00467A1Bj
		mov	dword ptr [ebp-14h], 0
		jmp	loc_467D20
; 

loc_5B2644:				; CODE XREF: .text:00467D0Fj
		mov	eax, [esi]
		cmp	eax, ds:dword_6D07D0
		jnb	loc_467A51
		mov	eax, [ebp-4Ch]
		and	eax, 0FFFFFFFDh
		mov	[esi+4], eax
		jmp	loc_467A51
; 

loc_5B2660:				; CODE XREF: .text:00467AC5j
		cmp	byte ptr [ecx],	5
		mov	edi, ecx
		mov	[ebp-18h], edi
		jnz	loc_467FFA
		or	ebx, 8
		mov	[ebp-18h], ecx
		jmp	loc_467FF7
; 

loc_5B2679:				; CODE XREF: .text:00468012j
		mov	eax, [edi+14h]
		mov	[ebp-50h], eax
		jmp	loc_468018
; 

loc_5B2684:				; CODE XREF: .text:0046802Aj
		mov	eax, [edi+4]
		cmp	dword ptr [eax+4], 1000h
		jbe	loc_467AD9
		or	ebx, 10h
		mov	[ebp-78h], ebx
		jmp	loc_467AD9
; 

loc_5B269F:				; CODE XREF: .text:00467FC3j
		mov	edi, [ebp-3Ch]
		mov	eax, [esi+4]
		push	6
		push	edi
		push	eax
		push	ecx
		push	50h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B26B1:				; CODE XREF: .text:0046821Cj
		mov	ecx, [ebx+8]
		call	MiAllowGuardFault
		test	eax, eax
		jnz	short loc_5B26C7
		mov	edi, 0C0000005h
		jmp	loc_467DD4
; 

loc_5B26C7:				; CODE XREF: .text:005B26BBj
		mov	ecx, [ebp-30h]
		mov	edx, 1
		call	MiUpdatePageTableUseCount
		and	edi, 0FFFFFFEFh
		cmp	dword ptr [ebp-1Ch], 0
		mov	[ebp-20h], edi
		jz	short loc_5B26E9
		mov	ecx, edi
		call	_MiMakePrototypePteVadLookup@4 ; MiMakePrototypePteVadLookup(x)
		jmp	short loc_5B26FC
; 

loc_5B26E9:				; CODE XREF: .text:005B26DEj
		and	edi, 1Fh
		xor	eax, eax
		shld	eax, edi, 5
		shl	edi, 5
		push	eax
		push	edi
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)

loc_5B26FC:				; CODE XREF: .text:005B26E7j
		mov	edi, [ebp-3Ch]
		mov	byte ptr [ebp-1], 2
		mov	[edi], eax
		xor	edi, edi
		mov	eax, [ebp-4Ch]
		mov	[eax-3FFFFFFCh], edx
		jmp	loc_467DD4
; 

loc_5B2715:				; CODE XREF: .text:004681CBj
		push	dword ptr [ebp-30h]
		mov	edx, esi
		mov	ecx, edi
		call	_MiPrefetchJumpVad@12 ;	MiPrefetchJumpVad(x,x,x)
		jmp	loc_467DC0
; 

loc_5B2726:				; CODE XREF: .text:00467DEDj
		call	MiUnlockWorkingSetExclusive
		jmp	loc_467DF8
; 

loc_5B2730:				; CODE XREF: .text:00467DFCj
		mov	ecx, [ebx]
		mov	edx, 1
		call	MiCheckForUserStackOverflow
		mov	edi, eax
		jmp	loc_467E02
; 

loc_5B2743:				; CODE XREF: .text:00467CF1j
		mov	edi, [ebp-10h]
		mov	dword ptr [ebp-14h], 0C0000005h
		jmp	loc_467D20
; 

loc_5B2752:				; CODE XREF: .text:00467C63j
		test	ecx, ecx
		jz	loc_467C97
		and	edx, 0A00h
		or	edx, 0
		jnz	loc_467C97
		jmp	loc_46818A
; 

loc_5B276E:				; CODE XREF: .text:00468067j
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jnz	loc_46806D
		xor	edx, edx
		mov	ecx, ebx
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	ecx, [ebx]
		mov	esi, eax
		mov	[ebp-4Ch], ecx
		nop
		mov	eax, [ebx+4]
		mov	[ebp-44h], eax
		test	esi, esi
		jz	short loc_5B27BA
		mov	eax, [esi+8]
		mov	edx, edi
		and	edx, 0Fh
		xor	ecx, ecx
		shld	ecx, edx, 5
		and	eax, 0FFFFFC1Fh
		shl	edx, 5
		or	edx, eax
		or	[esi+0Ch], ecx
		mov	ecx, [ebp-4Ch]
		mov	[esi+8], edx

loc_5B27BA:				; CODE XREF: .text:005B2797j
		and	edi, 0Fh
		xor	eax, eax
		shld	eax, edi, 5
		and	ecx, 0FFFFFC1Fh
		or	eax, [ebp-44h]
		shl	edi, 5
		or	edi, ecx
		mov	[ebx], edi
		nop
		mov	[ebx+4], eax
		test	esi, esi
		jz	loc_46808A
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		jmp	loc_46808A
; 

loc_5B27EF:				; CODE XREF: .text:00468192j
		xor	edi, edi
		jmp	loc_4681A1
; 

loc_5B27F6:				; CODE XREF: .text:00467D2Ej
		mov	ecx, edi
		call	_MiEmptyDeferredWorkingSetEntries@4 ; MiEmptyDeferredWorkingSetEntries(x)
		mov	edx, [edi+0Ch]
		jmp	loc_467D34
; 

loc_5B2805:				; CODE XREF: .text:00467D80j
		call	MiUnlockWorkingSetExclusive
		jmp	loc_467D8B
; 
; START	OF FUNCTION CHUNK FOR MiDispatchFault

loc_5B280F:				; CODE XREF: MiDispatchFault+2C5j
		mov	eax, offset unk_6D3C40
		jmp	loc_468521
; 

loc_5B2819:				; CODE XREF: MiDispatchFault+4B0j
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	loc_468706

loc_5B2829:				; CODE XREF: MiDispatchFault+4A4j
		cmp	al, 7
		jnz	short loc_5B2834
		mov	eax, offset unk_6D2E58
		jmp	short loc_5B2841
; 

loc_5B2834:				; CODE XREF: MiDispatchFault+14A5DBj
		cmp	al, 5
		jnz	loc_468706
		mov	eax, offset unk_6D2E54

loc_5B2841:				; CODE XREF: MiDispatchFault+14A5E2j
		mov	ecx, 603018h
		sub	ecx, edx
		sar	ecx, 3
		add	ecx, ecx
		jmp	loc_468583
; 

loc_5B2852:				; CODE XREF: MiDispatchFault+3BDj
		mov	ecx, [ebp+var_40]
		mov	eax, 0C0000005h
		mov	[ebp+var_50], ecx
		jmp	loc_46873C
; 

loc_5B2862:				; CODE XREF: MiDispatchFault+3DDj
		test	[ebp+var_2B], 8
		jz	loc_468633
		mov	edx, [ebp+var_40]
		mov	eax, 0C0000005h
		mov	[ebp+var_50], edx
		jmp	loc_46836C
; 

loc_5B287C:				; CODE XREF: MiDispatchFault+407j
		mov	edx, [ebp+var_40]
		mov	[ebp+var_50], edx
		jmp	loc_46836C
; 

loc_5B2887:				; CODE XREF: MiDispatchFault+57Aj
		shrd	edx, edi, 5
		and	dl, 18h
		cmp	dl, 10h
		jnz	loc_4684B4
		mov	eax, 0C0000005h
		jmp	loc_46873C
; 

loc_5B28A1:				; CODE XREF: MiDispatchFault+491j
		sub	eax, edx
		lea	ecx, [ebp+var_48]
		mov	edx, eax
		call	MiComputeMaximumFaultCluster
		mov	cl, [ebp+var_2B]
		mov	[ebp+var_70], eax
		cmp	eax, 1
		jnz	short loc_5B28C3
		test	cl, 4
		jz	short loc_5B28C3
		and	cl, 0FBh
		mov	[ebp+var_2B], cl

loc_5B28C3:				; CODE XREF: MiDispatchFault+14A666j
					; MiDispatchFault+14A66Bj
		mov	edx, [ebp+var_40]
		mov	[ebp+var_60], 0
		mov	[ebp+var_50], edx
		jmp	loc_4683A4
; 

loc_5B28D5:				; CODE XREF: MiDispatchFault+2A1j
		mov	[ebp+var_40], eax
		jmp	loc_4683C7
; 

loc_5B28DD:				; CODE XREF: MiDispatchFault+426j
		or	dword ptr [ebx+24h], 100h
		jmp	loc_4683D6
; 

loc_5B28E9:				; CODE XREF: MiDispatchFault+1BAj
		mov	ecx, [ebx+24h]
		xor	ecx, edx
		and	ecx, 80h
		xor	[ebx+24h], ecx
		jmp	loc_468410
; END OF FUNCTION CHUNK	FOR MiDispatchFault
; 
; START	OF FUNCTION CHUNK FOR MiComputeMaximumFaultCluster

loc_5B28FC:				; CODE XREF: MiComputeMaximumFaultCluster+3Bj
		cmp	ebx, eax
		jbe	loc_468853
		jmp	loc_468851
; END OF FUNCTION CHUNK	FOR MiComputeMaximumFaultCluster
; 
; START	OF FUNCTION CHUNK FOR MiUnlockWorkingSetShared

loc_5B2909:				; CODE XREF: MiUnlockWorkingSetShared+67j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@ExpReleaseSpinLockSharedFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockSharedFromDpcLevelInstrumented(x,x)
		jmp	loc_468958
; END OF FUNCTION CHUNK	FOR MiUnlockWorkingSetShared
; 
; START	OF FUNCTION CHUNK FOR MiCheckUserVirtualAddress

loc_5B2918:				; CODE XREF: MiCheckUserVirtualAddress+2Dj
		mov	eax, ds:dword_6D0610
		mov	dword ptr [ebx], 1
		jmp	loc_469B0A
; 

loc_5B2928:				; CODE XREF: MiCheckUserVirtualAddress+39j
		test	eax, eax
		jz	loc_469A8F
		mov	eax, ds:dword_6D0614
		mov	dword ptr [ebx], 1
		jmp	loc_469B0A
; 

loc_5B2940:				; CODE XREF: MiCheckUserVirtualAddress+54j
		mov	ecx, [esi+24h]
		test	ecx, ecx
		jz	loc_469AAA

loc_5B294B:				; CODE XREF: MiCheckUserVirtualAddress+148F05j
		test	byte ptr [ecx+24h], 20h
		jnz	short loc_5B295C
		mov	ecx, [ecx]
		test	ecx, ecx
		jnz	short loc_5B294B
		jmp	loc_469AAA
; 

loc_5B295C:				; CODE XREF: MiCheckUserVirtualAddress+148EFFj
		test	ecx, ecx
		jz	loc_469AAA
		mov	eax, large fs:124h
		cmp	[ecx+4], eax
		jnz	loc_469B7C
		jmp	loc_469AAA
; 

loc_5B2978:				; CODE XREF: MiCheckUserVirtualAddress+E7j
		mov	eax, [esi+28h]
		test	eax, 1000000h
		jnz	loc_469B52
		jmp	loc_469B3D
; 

loc_5B298B:				; CODE XREF: MiCheckUserVirtualAddress+74j
		mov	eax, [esi+1Ch]
		and	eax, 70h
		cmp	al, 50h
		jnz	loc_469B7C
		jmp	loc_469ACA
; 

loc_5B299E:				; CODE XREF: MiCheckUserVirtualAddress+127j
		mov	dword ptr [ebx], 18h
		jmp	loc_469B07
; END OF FUNCTION CHUNK	FOR MiCheckUserVirtualAddress
; 
; START	OF FUNCTION CHUNK FOR MiGetProtoPteAddress

loc_5B29A9:				; CODE XREF: MiGetProtoPteAddress+206j
		mov	ecx, 200000h
		jmp	loc_469D9C
; 

loc_5B29B3:				; CODE XREF: MiGetProtoPteAddress+C3j
		test	byte ptr [edi+1Ch], 20h
		jnz	loc_469DED
		jmp	loc_469D24
; 

loc_5B29C2:				; CODE XREF: MiGetProtoPteAddress+10Cj
		test	dword ptr [edi+1Ch], 4000000h
		setnz	dl
		test	[ebp+arg_0], 2
		setz	al
		test	dl, al
		jz	loc_469CA2
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		push	esi
		mov	edx, eax
		mov	ecx, edi
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		mov	ecx, [eax+24h]
		jmp	loc_469CA2
; END OF FUNCTION CHUNK	FOR MiGetProtoPteAddress
; 
; START	OF FUNCTION CHUNK FOR MiResolveDemandZeroFault

loc_5B29FF:				; CODE XREF: MiResolveDemandZeroFault+3DBj
		or	ecx, 8
		jmp	loc_46A92B
; 

loc_5B2A07:				; CODE XREF: MiResolveDemandZeroFault+335j
		mov	eax, [edi+4]
		cmp	dword ptr [eax+4], 1000h
		jbe	loc_46A675
		or	ecx, 10h
		mov	[ebp+var_54], ecx
		jmp	loc_46A675
; 

loc_5B2A22:				; CODE XREF: MiResolveDemandZeroFault+67j
		test	byte ptr [edi+1Ch], 8
		jz	loc_46A68D
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_5B2A3A
		mov	dl, 21h
		call	MiUnlockProtoPoolPage

loc_5B2A3A:				; CODE XREF: MiResolveDemandZeroFault+148411j
		mov	eax, 0C0000017h
		jmp	loc_46A7AC
; 

loc_5B2A44:				; CODE XREF: MiResolveDemandZeroFault+347j
		mov	eax, [ecx+14h]
		mov	eax, [eax+16Ch]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	eax, [eax+338h]
		movzx	esi, word ptr [eax+8Ah]
		inc	esi
		jmp	loc_46A978
; 

loc_5B2A67:				; CODE XREF: MiResolveDemandZeroFault+13Ej
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edx, [ebp+var_10]
		mov	esi, eax
		mov	[ebp+var_8], esi
		jmp	loc_46A764
; 

loc_5B2A79:				; CODE XREF: MiResolveDemandZeroFault+1C2j
		mov	ecx, [esi+1Ch]
		test	ecx, 100000h
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+var_54]
		jnz	loc_46A7E8
		mov	esi, [ebp+var_24]
		shr	esi, 12h
		and	esi, 3
		cmp	ds:_MiVadPageSizes[esi*4], 10h
		mov	esi, [ebp+var_8]
		jnz	loc_46A7E8
		mov	ecx, [ebp+var_C]
		lea	edx, [ebp+var_18]
		push	esi
		mov	[ebp+var_1], 1
		call	MiCheckUserVirtualAddress
		mov	ecx, [ebp+var_54]
		mov	edx, eax
		mov	eax, [ebp+var_18]
		jmp	loc_46A7E8
; 

loc_5B2AC5:				; CODE XREF: MiResolveDemandZeroFault+4B0j
					; MiResolveDemandZeroFault+4BEj
		mov	ecx, [ebp+arg_0]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		xor	eax, eax
		jmp	loc_46A7AC
; 

loc_5B2AD6:				; CODE XREF: MiResolveDemandZeroFault+20Fj
		mov	ecx, esi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		lea	eax, [ecx+edx]
		mov	ecx, esi
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	MiPfnReferenceCountIsZero
		jmp	loc_46A835
; 

loc_5B2AFE:				; CODE XREF: MiResolveDemandZeroFault+25Ej
		mov	[ebp+arg_0], edi
		jmp	loc_46A884
; 

loc_5B2B06:				; CODE XREF: MiResolveDemandZeroFault+29Aj
		mov	[ebp+var_14], eax
		jmp	loc_46A8C0
; END OF FUNCTION CHUNK	FOR MiResolveDemandZeroFault
; 
; START	OF FUNCTION CHUNK FOR MiAddWorkingSetEntries

loc_5B2B0E:				; CODE XREF: MiAddWorkingSetEntries+3Aj
		mov	edx, eax
		lea	ecx, [ebp+var_24]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_46D5FD
; 

loc_5B2B1D:				; CODE XREF: MiAddWorkingSetEntries+56j
		mov	edx, edi
		mov	ecx, esi
		call	_MiAddingWorkingSetPageShortly@8 ; MiAddingWorkingSetPageShortly(x,x)
		mov	ecx, [ebp+arg_4]
		jmp	loc_46D60C
; 

loc_5B2B2E:				; CODE XREF: MiAddWorkingSetEntries+18Fj
		mov	edx, offset dword_6D3540
		lea	ecx, [ebp+var_18]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_46DA01
; 

loc_5B2B40:				; CODE XREF: MiAddWorkingSetEntries+1BFj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_46D6BB
; 

loc_5B2B50:				; CODE XREF: MiAddWorkingSetEntries+3A0j
					; MiAddWorkingSetEntries+3A8j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5B2B57:				; CODE XREF: MiAddWorkingSetEntries+F7j
		push	ecx
		push	esi
		push	ebx
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B2B66:				; CODE XREF: MiAddWorkingSetEntries+11Dj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_46D6F5
; END OF FUNCTION CHUNK	FOR MiAddWorkingSetEntries
; 
; START	OF FUNCTION CHUNK FOR MiUnlinkFreeOrZeroedPage

loc_5B2B76:				; CODE XREF: MiUnlinkFreeOrZeroedPage+9Cj
		mov	eax, [esp+60h+var_2C]
		cmp	eax, [edx+8]
		jb	loc_46E182

loc_5B2B83:				; CODE XREF: MiUnlinkFreeOrZeroedPage+76j
					; MiUnlinkFreeOrZeroedPage+94j
		mov	eax, ecx
		xor	edx, edx
		mov	ecx, [esp+60h+var_2C]
		mov	[esp+60h+var_20], edx
		mov	[esp+60h+var_1C], eax
		test	eax, eax
		js	short loc_5B2BE6

loc_5B2B97:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144B04j
		add	eax, edx
		mov	edx, ds:dword_6D06B0
		sar	eax, 1
		mov	[esp+60h+var_40], edx
		mov	[esp+60h+var_18], eax
		cmp	ecx, [edx+eax*8]
		lea	edx, [edx+eax*8]
		jnb	short loc_5B2BC0
		test	eax, eax
		jz	short loc_5B2BF7
		mov	edx, [esp+60h+var_20]
		dec	eax
		mov	[esp+60h+var_1C], eax
		jmp	short loc_5B2BE2
; 

loc_5B2BC0:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144ACFj
		mov	ecx, ds:dword_6D0688
		mov	[esp+60h+var_20], ecx
		cmp	eax, ecx
		jz	short loc_5B2C07
		mov	ecx, [esp+60h+var_2C]
		cmp	ecx, [edx+8]
		jb	short loc_5B2C07
		lea	edx, [eax+1]
		mov	eax, [esp+60h+var_1C]
		mov	[esp+60h+var_20], edx

loc_5B2BE2:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144ADEj
		cmp	eax, edx
		jge	short loc_5B2B97

loc_5B2BE6:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144AB5j
		push	0
		push	0
		push	ecx
		push	6201h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B2BF7:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144AD3j
		push	0
		push	edx
		push	ecx
		push	6200h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B2C07:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144AECj
					; MiUnlinkFreeOrZeroedPage+144AF5j
		mov	ds:dword_6D0684, eax
		jmp	loc_46E182
; 

loc_5B2C11:				; CODE XREF: MiUnlinkFreeOrZeroedPage+FEj
		mov	eax, [esp+60h+var_48]
		cmp	eax, [esi+8]
		jb	loc_46E1E4
		jmp	short loc_5B2C24
; 

loc_5B2C20:				; CODE XREF: MiUnlinkFreeOrZeroedPage+DFj
					; MiUnlinkFreeOrZeroedPage+F6j
		mov	eax, [esp+60h+var_48]

loc_5B2C24:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144B3Ej
		xor	esi, esi
		mov	[esp+60h+var_18], esi
		test	ecx, ecx
		js	short loc_5B2C87
		mov	eax, [esp+60h+var_40]

loc_5B2C32:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144BA1j
		lea	edx, [esi+ecx]
		sar	edx, 1
		mov	[esp+60h+var_44], edx
		lea	esi, [eax+edx*8]
		mov	edx, [esp+60h+var_48]
		cmp	edx, [esi]
		mov	edx, [esp+60h+var_2C]
		jnb	short loc_5B2C59
		mov	ecx, [esp+60h+var_44]
		test	ecx, ecx
		jz	short loc_5B2C98
		mov	esi, [esp+60h+var_18]
		dec	ecx
		jmp	short loc_5B2C7F
; 

loc_5B2C59:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144B68j
		mov	edi, [esp+60h+var_44]
		cmp	edi, ds:dword_6D0688
		mov	edi, [esp+60h+var_24]
		jz	short loc_5B2CAB
		mov	eax, [esp+60h+var_48]
		cmp	eax, [esi+8]
		mov	eax, [esp+60h+var_40]
		jb	short loc_5B2CAB
		mov	esi, [esp+60h+var_44]
		inc	esi
		mov	[esp+60h+var_18], esi

loc_5B2C7F:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144B77j
		cmp	ecx, esi
		jge	short loc_5B2C32
		mov	eax, [esp+60h+var_48]

loc_5B2C87:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144B4Cj
		push	0
		push	0
		push	eax
		push	6201h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B2C98:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144B70j
		push	0
		push	esi
		push	[esp+7Ch+var_5C]
		push	6200h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B2CAB:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144B87j
					; MiUnlinkFreeOrZeroedPage+144B94j
		mov	eax, [esp+88h+var_6C]
		mov	ds:dword_6D0684, eax
		jmp	loc_46E1E4
; 

loc_5B2CB9:				; CODE XREF: MiUnlinkFreeOrZeroedPage+12Bj
		mov	edx, ecx
		lea	ecx, [esp+60h+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_46E579
; 

loc_5B2CC9:				; CODE XREF: MiUnlinkFreeOrZeroedPage+158j
		mov	eax, ds:dword_6D3068
		shr	ecx, 5
		mov	[esp+60h+var_20], 1
		lea	eax, [eax+ecx*4]
		mov	ecx, [esp+60h+var_48]
		and	ecx, 1Fh
		mov	[esp+60h+var_40], eax
		mov	[esp+60h+var_18], ecx
		lea	eax, [ecx+1]
		cmp	eax, 20h
		ja	short loc_5B2CFC
		mov	eax, 1
		shl	eax, cl
		jmp	short loc_5B2D6B
; 

loc_5B2CFC:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144C11j
		test	ecx, ecx
		jz	short loc_5B2D5F
		mov	edx, 20h
		mov	eax, 1
		sub	edx, ecx
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [esp+60h+var_18]
		dec	eax
		shl	eax, cl
		mov	ecx, [esp+60h+var_40]
		lock or	[ecx], eax
		mov	eax, 1
		add	ecx, 4
		sub	eax, edx
		mov	[esp+60h+var_40], ecx
		mov	[esp+60h+var_20], eax
		cmp	eax, 20h
		jb	short loc_5B2D53
		mov	edx, eax
		shr	edx, 5

loc_5B2D3A:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144C69j
		mov	dword ptr [ecx], 0FFFFFFFFh
		sub	eax, 20h
		add	ecx, 4
		sub	edx, 1
		jnz	short loc_5B2D3A
		mov	[esp+60h+var_40], ecx
		mov	[esp+60h+var_20], eax

loc_5B2D53:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144C53j
		mov	edx, [esp+60h+var_44]
		test	eax, eax
		jz	loc_46E23E

loc_5B2D5F:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144C1Ej
		mov	ecx, [esp+60h+var_20]
		mov	eax, 1
		shl	eax, cl
		dec	eax

loc_5B2D6B:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144C1Aj
		mov	ecx, [esp+60h+var_40]
		lock or	[ecx], eax
		jmp	loc_46E23E
; 

loc_5B2D77:				; CODE XREF: MiUnlinkFreeOrZeroedPage+478j
					; MiUnlinkFreeOrZeroedPage+144CABj
		mov	edx, eax
		mov	ecx, eax
		and	edx, 0FF800000h
		or	edx, [esp+60h+var_1C]
		lock cmpxchg [edi], edx
		cmp	ecx, eax
		jnz	short loc_5B2D77
		mov	edi, [esp+60h+var_24]
		jmp	loc_46E2B5
; 

loc_5B2D96:				; CODE XREF: MiUnlinkFreeOrZeroedPage+1F4j
		mov	edx, [ebp+4]
		lea	ecx, [esp+60h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_46E300
; 

loc_5B2DA7:				; CODE XREF: MiUnlinkFreeOrZeroedPage+255j
					; MiUnlinkFreeOrZeroedPage+261j
		mov	ecx, offset _MiSystemPartition
		call	MiUpdateAvailableEvents
		jmp	loc_46E347
; 

loc_5B2DB6:				; CODE XREF: MiUnlinkFreeOrZeroedPage+270j
		mov	eax, ds:dword_6D5D40
		test	eax, eax
		jz	short loc_5B2DCA
		mov	al, [eax+2Ch]
		test	al, al
		jnz	loc_46E5A3

loc_5B2DCA:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144CDDj
		mov	ecx, offset _MiSystemPartition
		call	_MiObtainFreePages@4 ; MiObtainFreePages(x)
		lea	ecx, [esi+1]
		jmp	loc_46E5A3
; 

loc_5B2DDC:				; CODE XREF: MiUnlinkFreeOrZeroedPage+4DBj
		mov	eax, ds:dword_6D5100
		test	eax, eax
		jz	loc_46E356
		push	0
		push	0
		push	offset unk_6D50A0
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_46E356
; 

loc_5B2DFC:				; CODE XREF: MiUnlinkFreeOrZeroedPage+27Cj
		mov	ecx, [ebp+arg_0]
		test	ecx, 2000h
		jz	short loc_5B2E11
		mov	esi, 1
		jmp	loc_46E367
; 

loc_5B2E11:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144D25j
		mov	eax, large fs:124h
		mov	edx, [eax+300h]
		mov	eax, edx
		and	al, 0Ch
		cmp	al, 8
		jnz	short loc_5B2E2F
		mov	esi, 1
		jmp	loc_46E367
; 

loc_5B2E2F:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144D43j
		cmp	esi, 20h
		jnb	short loc_5B2E3B
		xor	esi, esi
		jmp	loc_46E367
; 

loc_5B2E3B:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144D52j
		test	cl, 4
		jz	short loc_5B2E4A
		mov	esi, 1
		jmp	loc_46E367
; 

loc_5B2E4A:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144D5Ej
		test	dl, 2
		jz	short loc_5B2E5E
		cmp	esi, 21h
		jb	short loc_5B2E5E
		mov	esi, 1
		jmp	loc_46E367
; 

loc_5B2E5E:				; CODE XREF: MiUnlinkFreeOrZeroedPage+144D6Dj
					; MiUnlinkFreeOrZeroedPage+144D72j
		movzx	esi, byte ptr ds:dword_6D4E44
		shr	esi, 5
		and	esi, 1
		jmp	loc_46E367
; 

loc_5B2E70:				; CODE XREF: MiUnlinkFreeOrZeroedPage+2CCj
		mov	eax, [esp+60h+var_24]
		mov	[esp+60h+var_18], eax

loc_5B2E78:				; CODE XREF: MiUnlinkFreeOrZeroedPage+2BCj
		mov	eax, [esp+60h+var_20]
		jmp	loc_46E3BA
; 

loc_5B2E81:				; CODE XREF: MiUnlinkFreeOrZeroedPage+2DDj
		xor	eax, eax
		jmp	loc_46E3C8
; 

loc_5B2E88:				; CODE XREF: MiUnlinkFreeOrZeroedPage+2FDj
		mov	edx, 1
		mov	ecx, edi
		call	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)
		jmp	loc_46E3E3
; 

loc_5B2E99:				; CODE XREF: MiUnlinkFreeOrZeroedPage+3E3j
		mov	eax, ds:dword_6D30F0
		inc	eax
		mov	ds:dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	loc_46E43D
		mov	ecx, [esp+60h+var_48]
		mov	edx, 1
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)
		jmp	loc_46E43D
; 

loc_5B2EC3:				; CODE XREF: MiUnlinkFreeOrZeroedPage+345j
		mov	ecx, 90h

loc_5B2EC8:				; CODE XREF: MiUnlinkFreeOrZeroedPage+338j
		xor	eax, eax
		jmp	loc_46E437
; 

loc_5B2ECF:				; CODE XREF: MiUnlinkFreeOrZeroedPage+318j
		and	ecx, 0FFFFFC9Fh
		mov	[edi+0Ch], edx
		or	ecx, 80h
		jmp	loc_46E43A
; END OF FUNCTION CHUNK	FOR MiUnlinkFreeOrZeroedPage
; 
; START	OF FUNCTION CHUNK FOR MiGetPage

loc_5B2EE3:				; CODE XREF: MiGetPage+92Aj
		mov	edx, [ebp+arg_0]
		mov	edi, ecx
		call	_MiPageAvailable@8 ; MiPageAvailable(x,x)
		test	eax, eax
		jnz	loc_46EBA0

loc_5B2EF5:				; CODE XREF: MiGetPage+D7j
					; MiGetPage+2A8j ...
		or	eax, 0FFFFFFFFh
		jmp	loc_46E70B
; 

loc_5B2EFD:				; CODE XREF: MiGetPage+5D6j
		mov	edx, [esp+60h+var_4C]
		jmp	loc_46E61A
; 

loc_5B2F06:				; CODE XREF: MiGetPage+5Cj
		movzx	edx, byte ptr [ecx]
		mov	eax, edi
		movzx	ecx, ds:byte_6D068D
		shl	edx, cl
		movzx	ecx, ds:byte_6D068C
		shl	eax, cl
		or	edx, eax
		mov	eax, ds:dword_6D06D0
		and	eax, [esp+60h+var_4C]
		or	edx, eax
		mov	eax, [esp+60h+var_3C]
		mov	[esp+60h+var_4C], edx
		jmp	loc_46E622
; 

loc_5B2F37:				; CODE XREF: MiGetPage+C8j
		mov	eax, ds:dword_6D30F0
		inc	eax
		mov	ds:dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	loc_46E68E
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	edx, 1
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)
		mov	ecx, [esp+60h+var_50]
		jmp	loc_46E68E
; 

loc_5B2F7A:				; CODE XREF: MiGetPage+402j
		mov	edx, 90h

loc_5B2F7F:				; CODE XREF: MiGetPage+3EEj
		xor	eax, eax
		jmp	loc_46E9D2
; 

loc_5B2F86:				; CODE XREF: MiGetPage+3CAj
		mov	eax, [esp+60h+var_34]
		and	edx, 0FFFFFC9Fh
		jmp	loc_46E9CC
; 

loc_5B2F95:				; CODE XREF: MiGetPage+6BEj
		lock bts dword ptr [ecx], 1Fh
		jb	loc_46E76B
		mov	cl, 21h
		lea	edx, [eax+10h]
		mov	[esp+60h+var_51], cl
		jmp	loc_46ECB7
; 

loc_5B2FAE:				; CODE XREF: MiGetPage+6E5j
		mov	[esp+60h+var_20], 0
		test	al, al
		jz	loc_46ECB3
		mov	esi, [esp+60h+var_44]

loc_5B2FC2:				; CODE XREF: MiGetPage+144A0Ej
					; MiGetPage+144A15j
		lea	ecx, [esp+60h+var_20]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_5B2FC2
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5B2FC2
		mov	cl, [esp+60h+var_51]
		mov	edx, [esp+60h+var_44]
		jmp	loc_46ECB3
; 

loc_5B2FE4:				; CODE XREF: MiGetPage+726j
		test	ds:byte_70EFC6,	21h
		jz	short loc_5B2FF7
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_46ECF9
; 

loc_5B2FF7:				; CODE XREF: MiGetPage+144A2Bj
		xchg	ecx, [edx]
		test	ecx, ecx
		jz	loc_46ECFD
		mov	edx, ecx
		lea	ecx, [esp+60h+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_46ECF9
; 

loc_5B3011:				; CODE XREF: MiGetPage+744j
		test	ds:byte_70EFC6,	1
		jz	short loc_5B3028
		mov	edx, [ebp+4]
		lea	ecx, [esp+60h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5B305E
; 

loc_5B3028:				; CODE XREF: MiGetPage+144A58j
		mov	eax, [esp+60h+var_C]
		test	eax, eax
		jnz	short loc_5B304B
		mov	edx, [esp+60h+var_8]
		lea	eax, [esp+60h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+60h+var_C]
		cmp	eax, ecx
		jz	short loc_5B305E
		call	KxWaitForLockChainValid

loc_5B304B:				; CODE XREF: MiGetPage+144A6Ej
		mov	[esp+60h+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5B305E:				; CODE XREF: MiGetPage+144A66j
					; MiGetPage+144A84j
		mov	eax, [esp+60h+var_44]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [esp+60h+var_51]
		cmp	cl, 21h
		jz	loc_46EE9A
		jmp	loc_46EE94
; 

loc_5B307C:				; CODE XREF: MiGetPage+756j
		test	ds:byte_70EFC6,	1
		jz	short loc_5B3093
		mov	edx, [ebp+4]
		lea	ecx, [esp+60h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5B30C9
; 

loc_5B3093:				; CODE XREF: MiGetPage+144AC3j
		mov	eax, [esp+60h+var_C]
		test	eax, eax
		jnz	short loc_5B30B6
		mov	edx, [esp+60h+var_8]
		lea	eax, [esp+60h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+60h+var_C]
		cmp	eax, ecx
		jz	short loc_5B30C9
		call	KxWaitForLockChainValid

loc_5B30B6:				; CODE XREF: MiGetPage+144AD9j
		mov	[esp+60h+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5B30C9:				; CODE XREF: MiGetPage+144AD1j
					; MiGetPage+144AEFj
		mov	ecx, [esp+60h+var_50]
		xor	edx, edx
		call	_MiReturnFreeZeroPage@8	; MiReturnFreeZeroPage(x,x)
		mov	eax, [esp+60h+var_44]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [esp+60h+var_51]
		cmp	cl, 21h
		jz	short loc_5B30EF
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5B30EF:				; CODE XREF: MiGetPage+144B27j
		mov	ecx, 1
		jmp	loc_46E76D
; 

loc_5B30F9:				; CODE XREF: MiGetPage+794j
		mov	edx, [ebp+4]
		lea	ecx, [esp+60h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_46ED80
; 

loc_5B310A:				; CODE XREF: MiGetPage+7BAj
		lea	ecx, [esp+60h+var_C]
		call	KxWaitForLockChainValid
		jmp	loc_46EEEF
; 

loc_5B3118:				; CODE XREF: MiGetPage+42Aj
		mov	eax, edx
		mov	[esp+60h+var_40], edx
		jmp	loc_46E7B0
; 

loc_5B3123:				; CODE XREF: MiGetPage+686j
		mov	eax, ds:dword_6D30F0
		inc	eax
		mov	ds:dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	loc_46E85F
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	edx, 1
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)
		mov	ecx, [esp+60h+var_50]
		jmp	loc_46E85F
; 

loc_5B3166:				; CODE XREF: MiGetPage+289j
		mov	edx, 90h

loc_5B316B:				; CODE XREF: MiGetPage+275j
		xor	eax, eax
		jmp	loc_46E859
; 

loc_5B3172:				; CODE XREF: MiGetPage+251j
		mov	eax, [esp+60h+var_2C]
		and	edx, 0FFFFFC9Fh
		jmp	loc_46E853
; 

loc_5B3181:				; CODE XREF: MiGetPage+329j
		mov	[esp+60h+var_2C], 10h
		jmp	loc_46E8F7
; 

loc_5B318E:				; CODE XREF: MiGetPage+38Dj
		mov	eax, ecx
		jmp	loc_46E929
; 

loc_5B3195:				; CODE XREF: MiGetPage+8B4j
		mov	eax, ds:dword_6D30F0
		inc	eax
		mov	ds:dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	loc_46EE60
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	edx, 1
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)
		jmp	loc_46EE5C
; 

loc_5B31D4:				; CODE XREF: MiGetPage+46Bj
		mov	eax, [ebp+arg_0]
		mov	edx, [esp+60h+var_4C]
		and	eax, 0FFFFBFFFh
		mov	ecx, [esp+60h+var_48]
		push	eax
		mov	[esp+64h+var_14], eax
		call	MiRemovePageAnyColor
		mov	ecx, eax
		mov	[esp+60h+var_50], ecx
		cmp	ecx, 1
		jz	loc_5B2EF5
		test	ecx, ecx
		jnz	loc_46EA31
		push	[esp+60h+var_14]
		mov	edx, [esp+64h+var_4C]
		mov	ecx, [esp+64h+var_48]
		call	_MiGetPageSlist@12 ; MiGetPageSlist(x,x,x)
		mov	ecx, eax
		mov	[esp+60h+var_50], eax
		jmp	loc_46EA31
; 

loc_5B3221:				; CODE XREF: MiGetPage+4F8j
		mov	[esp+60h+var_2C], 10h
		jmp	loc_46EAC6
; 

loc_5B322E:				; CODE XREF: MiGetPage+561j
		mov	ecx, eax
		jmp	loc_46EAFD
; 

loc_5B3235:				; CODE XREF: MiGetPage+8C2j
		mov	eax, ds:dword_6D30F0
		inc	eax
		mov	ds:dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	loc_46EE1D
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		mov	edx, 1
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)
		jmp	loc_46EE19
; 

loc_5B3274:				; CODE XREF: MiGetPage+59Bj
		mov	eax, [esp+60h+var_44]
		mov	ecx, [esp+60h+var_48]
		and	eax, 0FFFFBFFFh
		push	eax
		mov	[esp+64h+var_44], eax
		call	MiRemovePageAnyColor
		mov	ecx, eax
		mov	[esp+60h+var_50], ecx
		cmp	ecx, 1
		jz	loc_5B2EF5
		test	ecx, ecx
		jnz	loc_46EB61
		push	[esp+60h+var_44]
		mov	edx, [esp+64h+var_4C]
		mov	ecx, [esp+64h+var_48]
		call	_MiGetPageSlist@12 ; MiGetPageSlist(x,x,x)
		mov	ecx, eax
		mov	[esp+60h+var_50], eax
		jmp	loc_46EB61
; 

loc_5B32BE:				; CODE XREF: MiGetPage+601j
		test	dl, 10h
		jnz	loc_46EBC7
		mov	edi, ds:dword_6D0698
		imul	ecx, esi
		add	ecx, eax
		mov	eax, ds:dword_6D06D0
		and	eax, [esp+60h+var_4C]
		mov	edi, [edi+ecx*4]
		mov	edx, edi
		mov	cl, ds:byte_6D068C
		shl	edx, cl
		or	edx, eax
		mov	[esp+60h+var_4C], edx
		jmp	loc_46E5F0
; 

loc_5B32F3:				; CODE XREF: MiGetPage+11Bj
		xor	edx, edx
		jmp	loc_46E6F1
; 

loc_5B32FA:				; CODE XREF: MiGetPage+126j
		mov	edx, 2
		jmp	loc_46E6F1
; END OF FUNCTION CHUNK	FOR MiGetPage
; 
; START	OF FUNCTION CHUNK FOR MiBeginPageAccessor

loc_5B3304:				; CODE XREF: MiBeginPageAccessor+47j
		mov	edi, offset unk_6D2FA0
		jmp	loc_4702B2
; 

loc_5B330E:				; CODE XREF: MiBeginPageAccessor+59j
		or	dl, 0FFh
		mov	ecx, edi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_4702E1
; 

loc_5B331D:				; CODE XREF: MiBeginPageAccessor+7Bj
					; MiBeginPageAccessor+1430EDj
		test	edx, 40000000h
		jnz	short loc_5B3337
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5B3341

loc_5B3337:				; CODE XREF: MiBeginPageAccessor+1430C3j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]

loc_5B3341:				; CODE XREF: MiBeginPageAccessor+1430D5j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5B331D
		jmp	loc_4702E1
; 

loc_5B3354:				; CODE XREF: MiBeginPageAccessor+86j
		mov	eax, ds:dword_6D2FA4
		test	eax, eax
		jz	short loc_5B336A

loc_5B335D:				; CODE XREF: MiBeginPageAccessor+143121j
		cmp	ebx, [eax+1Ch]
		jnb	short loc_5B3374
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_5B337F
		xor	cl, cl

loc_5B336A:				; CODE XREF: MiBeginPageAccessor+1430FBj
					; MiBeginPageAccessor+14311Dj
		mov	edx, offset dword_6D2FA4
		jmp	loc_470311
; 

loc_5B3374:				; CODE XREF: MiBeginPageAccessor+143100j
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_5B337F
		mov	cl, 1
		jmp	short loc_5B336A
; 

loc_5B337F:				; CODE XREF: MiBeginPageAccessor+143106j
					; MiBeginPageAccessor+143119j
		mov	eax, ecx
		jmp	short loc_5B335D
; 

loc_5B3383:				; CODE XREF: MiBeginPageAccessor+CAj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_470336
; END OF FUNCTION CHUNK	FOR MiBeginPageAccessor
; 
; START	OF FUNCTION CHUNK FOR MiLockPageLeafPageTable

loc_5B3392:				; CODE XREF: MiLockPageLeafPageTable+3F4j
		mov	edi, offset unk_6D2E54
		jmp	loc_472E8A
; 

loc_5B339C:				; CODE XREF: MiLockPageLeafPageTable+439j
		mov	[ebp+var_8], offset unk_6D2E54
		jmp	loc_472F40
; 

loc_5B33A8:				; CODE XREF: MiLockPageLeafPageTable+454j
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	loc_472EF6
		cmp	edi, 0C0603010h
		jnz	loc_472EF6
		jmp	loc_472EEA
; 

loc_5B33C9:				; CODE XREF: MiLockPageLeafPageTable+460j
		mov	[ebp+var_8], offset unk_6D2E54
		jmp	loc_472F5B
; 

loc_5B33D5:				; CODE XREF: MiLockPageLeafPageTable+20Dj
		cmp	dword ptr [esi+38h], 1
		jnz	short loc_5B33F7
		mov	eax, ecx
		and	eax, 800h
		or	eax, 0
		jnz	short loc_5B33F7
		inc	ds:dword_6D30A8
		mov	eax, 0C0000005h
		jmp	loc_472DBA
; 

loc_5B33F7:				; CODE XREF: MiLockPageLeafPageTable+140949j
					; MiLockPageLeafPageTable+140955j
		mov	[ebp+var_1], 1
		nop
		mov	eax, [ebp+var_2C]
		mov	edx, 1
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+var_1C]
		and	ecx, 1FFFFFFh
		shr	eax, 0Ch
		mov	[ebp+var_18], ecx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], eax
		test	edi, edi
		jz	short loc_5B3449
		mov	ebx, eax

loc_5B3423:				; CODE XREF: MiLockPageLeafPageTable+1409A8j
		mov	eax, ebx
		shr	ebx, 9
		and	eax, 1FFh
		imul	eax, edx
		shl	edx, 9
		add	ecx, eax
		sub	edi, 1
		jnz	short loc_5B3423
		mov	[ebp+var_1C], ebx
		mov	ebx, [ebp+var_C]
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], ecx

loc_5B3449:				; CODE XREF: MiLockPageLeafPageTable+14098Fj
		mov	ecx, [esi]
		mov	edi, edx
		shl	edi, 0Ch
		mov	eax, ecx
		lea	edx, [edi-1]
		not	edx
		and	eax, edx
		mov	[esi+54h], eax
		lea	eax, [edi+ecx]
		mov	ecx, [ebp+var_24]
		and	eax, edx
		mov	edx, [ebp+var_10]
		dec	eax
		neg	ecx
		mov	[esi+58h], eax
		mov	eax, [ebp+var_18]
		and	ecx, eax
		or	dword ptr [esi+28h], 20h
		mov	[esi+5Ch], ecx
		mov	[esi+4Ch], eax
		jmp	loc_472CA6
; 

loc_5B3481:				; CODE XREF: MiLockPageLeafPageTable+398j
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	loc_472E2E

loc_5B3491:				; CODE XREF: MiLockPageLeafPageTable+38Cj
		cmp	al, 7
		jnz	short loc_5B349E
		mov	[ebp+var_8], offset unk_6D2E58
		jmp	short loc_5B34AD
; 

loc_5B349E:				; CODE XREF: MiLockPageLeafPageTable+140A03j
		cmp	al, 5
		jnz	loc_472E2E
		mov	[ebp+var_8], offset unk_6D2E54

loc_5B34AD:				; CODE XREF: MiLockPageLeafPageTable+140A0Cj
		mov	eax, [ebp+var_8]
		mov	edi, 0C0603018h
		sub	edi, edx
		sar	edi, 3
		add	edi, edi
		jmp	loc_472CE3
; 

loc_5B34C1:				; CODE XREF: MiLockPageLeafPageTable+584j
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_47301A
		push	eax
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_47301C
; 

loc_5B34D9:				; CODE XREF: MiLockPageLeafPageTable+3D3j
		mov	[ebp+var_8], offset unk_6D2E54
		jmp	loc_472F25
; END OF FUNCTION CHUNK	FOR MiLockPageLeafPageTable
; 
; START	OF FUNCTION CHUNK FOR MiInsertAndUnlockStandbyPages

loc_5B34E5:				; CODE XREF: MiInsertAndUnlockStandbyPages+E0j
		cmp	[ebp+var_4], 0FFFFFFh
		jz	short loc_5B353C
		test	ds:byte_70EFC6,	1
		jz	short loc_5B3504
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5B3535
; 

loc_5B3504:				; CODE XREF: MiInsertAndUnlockStandbyPages+13F505j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_5B3523
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_5B3535
		call	KxWaitForLockChainValid

loc_5B3523:				; CODE XREF: MiInsertAndUnlockStandbyPages+13F519j
		mov	[ebp+var_1C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5B3535:				; CODE XREF: MiInsertAndUnlockStandbyPages+13F512j
					; MiInsertAndUnlockStandbyPages+13F52Cj
		mov	[ebp+var_4], 0FFFFFFh

loc_5B353C:				; CODE XREF: MiInsertAndUnlockStandbyPages+13F4FCj
		mov	edx, 4
		jmp	loc_474106
; 

loc_5B3546:				; CODE XREF: MiInsertAndUnlockStandbyPages+E8j
		mov	edi, 5
		jmp	loc_4740E4
; 

loc_5B3550:				; CODE XREF: MiInsertAndUnlockStandbyPages+1E1j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_474177
; 

loc_5B3560:				; CODE XREF: MiInsertAndUnlockStandbyPages+1ADj
		mov	edx, eax
		lea	ecx, [ebp+var_1C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4740FE
; 

loc_5B356F:				; CODE XREF: MiInsertAndUnlockStandbyPages+140j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_474028
; 

loc_5B357F:				; CODE XREF: MiInsertAndUnlockStandbyPages+BDj
					; MiInsertAndUnlockStandbyPages+CCj ...
		mov	eax, [edi+14h]
		push	eax
		push	edx
		push	[ebp+var_10]
		push	6
		push	4Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5B3591:				; CODE XREF: MiWriteCompletePfn+160j
		push	0
		mov	edx, 1
		lea	ecx, [esi+8]
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	[esp+3Ch+var_28], eax
		mov	[esp+3Ch+var_2C], edx
		jmp	loc_474736
; END OF FUNCTION CHUNK	FOR MiInsertAndUnlockStandbyPages
; 
; START	OF FUNCTION CHUNK FOR MiWriteCompletePfn

loc_5B35B0:				; CODE XREF: MiWriteCompletePfn+187j
		mov	ebx, 1
		mov	[esp+18h+var_4], ebx
		jmp	loc_4746E5
; 

loc_5B35BE:				; CODE XREF: MiWriteCompletePfn+137j
		mov	eax, [esi+0Ch]
		and	dword ptr [esi+8], 0FFFFFFFDh
		mov	[esi+0Ch], eax
		jmp	loc_4745FF
; 

loc_5B35CD:				; CODE XREF: MiWriteCompletePfn+87j
		push	0
		push	ecx
		push	edi
		push	7
		push	4Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B35DA:				; CODE XREF: MiWriteCompletePfn+76j
		mov	edx, 1
		mov	ecx, esi
		call	_MiRestoreTransitionPte@8 ; MiRestoreTransitionPte(x,x)
		jmp	loc_47477A
; END OF FUNCTION CHUNK	FOR MiWriteCompletePfn
; 
; START	OF FUNCTION CHUNK FOR MiUnlockMdlWritePages

loc_5B35EB:				; CODE XREF: MiUnlockMdlWritePages+84j
		lea	edx, [ebp-28h]
		mov	ecx, offset unk_6D5BD8
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	_MiRestockOverCommit@8 ; MiRestockOverCommit(x,x)
		test	ds:byte_70EFC6,	1
		mov	esi, eax
		mov	[ebp-8], esi
		jz	short loc_5B361F
		mov	edx, [ebx+4]
		lea	ecx, [ebp-28h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5B3650
; 

loc_5B361F:				; CODE XREF: MiUnlockMdlWritePages+13EE40j
		mov	eax, [ebp-28h]
		test	eax, eax
		jnz	short loc_5B363E
		mov	edx, [ebp-24h]
		lea	eax, [ebp-28h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-28h]
		cmp	eax, ecx
		jz	short loc_5B3650
		call	KxWaitForLockChainValid

loc_5B363E:				; CODE XREF: MiUnlockMdlWritePages+13EE54j
		mov	dword ptr [ebp-28h], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5B3650:				; CODE XREF: MiUnlockMdlWritePages+13EE4Dj
					; MiUnlockMdlWritePages+13EE67j
		mov	cl, [ebp-20h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	loc_474897
		jmp	loc_47485A
; 

loc_5B3666:				; CODE XREF: MiUnlockMdlWritePages+C1j
		mov	edx, eax
		add	eax, esi
		cmp	eax, 100h
		jbe	loc_474880
		jmp	loc_474909
; 

loc_5B367A:				; CODE XREF: MiUnlockMdlWritePages+152j
		cmp	ecx, edx
		jb	short loc_5B368B
		jmp	loc_474928
; 

loc_5B3683:				; CODE XREF: MiUnlockMdlWritePages+166j
		cmp	ecx, edx
		jnb	loc_474897

loc_5B368B:				; CODE XREF: MiUnlockMdlWritePages+13EEACj
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiSyncCommitSignals
		jmp	loc_474897
; 

loc_5B369C:				; CODE XREF: MiUnlockMdlWritePages+DCj
		mov	edx, 1
		jmp	loc_47496F
; 

loc_5B36A6:				; CODE XREF: MiUnlockMdlWritePages+FBj
		mov	ecx, eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_47493B
		inc	eax
		cmp	eax, 100h
		jbe	loc_4748C0
		jmp	loc_47493B
; END OF FUNCTION CHUNK	FOR MiUnlockMdlWritePages
; 
; START	OF FUNCTION CHUNK FOR MiFreeWsleList

loc_5B36C2:				; CODE XREF: MiFreeWsleList+9Aj
		mov	eax, [ebp+arg_0]
		or	eax, 2
		jmp	loc_474A43
; END OF FUNCTION CHUNK	FOR MiFreeWsleList
; 
; START	OF FUNCTION CHUNK FOR MiGetWsleContents

loc_5B36CD:				; CODE XREF: MiGetWsleContents+21j
		push	esi
		push	ecx
		push	edi
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5B36DD:				; CODE XREF: MiLocateWsle+21j
		push	eax
		push	ecx
		push	edx
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5B36ED:				; CODE XREF: MiGetPteFromCopyList+48j
		mov	eax, 1
		mov	[esp+30h+var_20], eax
		jmp	loc_479E9E
; END OF FUNCTION CHUNK	FOR MiGetWsleContents
; 
; START	OF FUNCTION CHUNK FOR MiGetPteFromCopyList

loc_5B36FB:				; CODE XREF: MiGetPteFromCopyList+89j
		mov	ebx, 0Ch
		jmp	loc_479EE7
; 

loc_5B3705:				; CODE XREF: MiGetPteFromCopyList+B0j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5B3738
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	ecx, 1
		jnz	loc_479F08
		mov	eax, ebx
		and	eax, ecx
		or	eax, 0
		jz	loc_479F08
		or	edx, 80000000h
		jmp	loc_479F08
; 

loc_5B3738:				; CODE XREF: MiGetPteFromCopyList+1398BCj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_479F06
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	loc_479F06
		or	edx, 80000000h
		jmp	loc_479F06
; 

loc_5B376D:				; CODE XREF: MiGetPteFromCopyList+C0j
		push	edx
		push	ebx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_479F16
; 

loc_5B377B:				; CODE XREF: MiGetPteFromCopyList+E7j
		mov	edx, 9
		jmp	loc_479F41
; 

loc_5B3785:				; CODE XREF: MiGetPteFromCopyList+10Fj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5B37AF
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	ebx, 1
		jnz	loc_479F65
		mov	eax, edi
		and	eax, ebx
		or	eax, 0
		jz	loc_479F65
		jmp	short loc_5B37D9
; 

loc_5B37AF:				; CODE XREF: MiGetPteFromCopyList+13993Cj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_479F65
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	loc_479F65

loc_5B37D9:				; CODE XREF: MiGetPteFromCopyList+13995Dj
		or	edx, 80000000h
		jmp	loc_479F65
; END OF FUNCTION CHUNK	FOR MiGetPteFromCopyList
; 
; START	OF FUNCTION CHUNK FOR MiZeroPhysicalPage

loc_5B37E4:				; CODE XREF: MiZeroPhysicalPage+59j
		mov	edx, 1
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	esi, eax
		test	esi, esi
		jz	loc_47A04F
		jmp	loc_47A074
; 

loc_5B3802:				; CODE XREF: MiZeroPhysicalPage+C2j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		mov	ecx, [esp+20h+var_14]
		test	eax, eax
		jz	short loc_5B383D
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	[esp+20h+var_10], 1
		jnz	loc_47A0BC
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_47A0BC
		or	edx, 80000000h
		jmp	loc_47A0BC
; 

loc_5B383D:				; CODE XREF: MiZeroPhysicalPage+13981Dj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_47A0BC
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_47A0BC
		or	edx, 80000000h
		jmp	loc_47A0BC
; 

loc_5B3872:				; CODE XREF: MiZeroPhysicalPage+D7j
		push	edx
		push	ecx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_47A0CD
; 

loc_5B3880:				; CODE XREF: MiZeroPhysicalPage+11Fj
		test	esi, esi
		jz	loc_47A0F3
		push	0
		mov	edx, edi
		mov	ecx, ebx
		call	MiChangePageAttribute
		jmp	loc_47A0F3
; END OF FUNCTION CHUNK	FOR MiZeroPhysicalPage
; 
; START	OF FUNCTION CHUNK FOR MmUnmapLockedPages

loc_5B3898:				; CODE XREF: MmUnmapLockedPages+1Cj
		mov	ecx, esi
		call	_MiRetardMdl@4	; MiRetardMdl(x)
		mov	edi, eax
		jmp	loc_47A8F2
; 

loc_5B38A6:				; CODE XREF: MmUnmapLockedPages+73j
		mov	eax, [esp+20h+var_10]
		mov	[esi+0Ch], eax
		jmp	loc_47A949
; 

loc_5B38B2:				; CODE XREF: MmUnmapLockedPages+BDj
					; MmUnmapLockedPages+138FF2j
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		sub	ecx, 1
		jnz	short loc_5B38B2
		jmp	loc_47A993
; 

loc_5B38C9:				; CODE XREF: MmUnmapLockedPages+E5j
		push	eax
		mov	edx, ebx
		mov	ecx, esi
		call	_MiRemovePteTracker@12 ; MiRemovePteTracker(x,x,x)
		mov	eax, [esp+20h+var_14]
		jmp	loc_47A9BB
; END OF FUNCTION CHUNK	FOR MmUnmapLockedPages
; 
; START	OF FUNCTION CHUNK FOR MiDecrementAndInsertStandbyPages

loc_5B38DC:				; CODE XREF: MiDecrementAndInsertStandbyPages+89j
		mov	esi, 1Ch
		jmp	loc_47B18F
; 

loc_5B38E6:				; CODE XREF: MiDecrementAndInsertStandbyPages+77j
					; MiDecrementAndInsertStandbyPages+80j
		mov	esi, 0Ch
		jmp	loc_47B18F
; 

loc_5B38F0:				; CODE XREF: MiDecrementAndInsertStandbyPages+D8j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5B392A
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	eax, 1
		mov	[ebp+var_4], eax
		jnz	loc_47B1DE

loc_5B390E:				; CODE XREF: MiDecrementAndInsertStandbyPages+138840j
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		mov	eax, [ebp+var_4]
		jz	loc_47B1DE
		or	edx, 80000000h
		jmp	loc_47B1DE
; 

loc_5B392A:				; CODE XREF: MiDecrementAndInsertStandbyPages+1387F7j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_5B390E
		mov	eax, [ebp+var_4]
		jmp	loc_47B1DE
; 

loc_5B394A:				; CODE XREF: MiDecrementAndInsertStandbyPages+E6j
		push	edx
		push	edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_47B1EC
; END OF FUNCTION CHUNK	FOR MiDecrementAndInsertStandbyPages
; 
; START	OF FUNCTION CHUNK FOR MiMakeValidPte

loc_5B3956:				; CODE XREF: MiMakeValidPte+F7j
		and	esi, 0FFFFFFFBh
		jmp	loc_47B3ED
; END OF FUNCTION CHUNK	FOR MiMakeValidPte
; 
; START	OF FUNCTION CHUNK FOR CcMapAndCopyInToCache

loc_5B395E:				; CODE XREF: CcMapAndCopyInToCache+F9j
		mov	[ebp+var_2B], 1
		jmp	loc_47B7B2
; 

loc_5B3967:				; CODE XREF: CcMapAndCopyInToCache+175j
		mov	dl, bl
		mov	ecx, esi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_47B85E
; 

loc_5B3975:				; CODE XREF: CcMapAndCopyInToCache+1A2j
					; CcMapAndCopyInToCache+1382FBj
		test	edx, 40000000h
		jnz	short loc_5B398F
		mov	ecx, edx
		or	ecx, 40000000h
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_5B399F

loc_5B398F:				; CODE XREF: CcMapAndCopyInToCache+1382CBj
		lea	ecx, [ebp+var_B4]
		call	KeYieldProcessorEx
		mov	eax, ds:dword_6CF3C0

loc_5B399F:				; CODE XREF: CcMapAndCopyInToCache+1382DDj
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5B3975
		jmp	loc_47B858
; 

loc_5B39B2:				; CODE XREF: CcMapAndCopyInToCache+1B5j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		mov	ecx, [ebp+var_29+1]
		mov	[ebp+var_20], ecx
		jmp	loc_47B875
; 

loc_5B39C7:				; CODE XREF: CcMapAndCopyInToCache+1D7j
					; CcMapAndCopyInToCache+2C3j
		push	0
		push	0
		push	0C0000420h
		push	1314h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B39DC:				; CODE XREF: CcMapAndCopyInToCache+159j
		mov	esi, offset dword_6CF3C0
		jmp	loc_47B890
; 

loc_5B39E6:				; CODE XREF: CcMapAndCopyInToCache+1EAj
		push	0
		push	0
		push	0
		push	[ebp+arg_4]
		mov	edx, eax
		mov	ecx, edi
		call	CcCanIWriteStreamEx
		test	al, al
		jz	loc_47BE43
		jmp	loc_47B8A0
; 

loc_5B3A05:				; CODE XREF: CcMapAndCopyInToCache+7C1j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_88]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_47BEA5
; 

loc_5B3A18:				; CODE XREF: CcMapAndCopyInToCache+7EFj
		lea	ecx, [ebp+var_88]
		call	KxWaitForLockChainValid
		mov	ecx, [ebp+var_29+1]
		mov	[ebp+var_20], ecx

loc_5B3A29:				; CODE XREF: CcMapAndCopyInToCache+7CFj
		mov	[ebp+var_88], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_47BEAB
; 

loc_5B3A43:				; CODE XREF: CcMapAndCopyInToCache+764j
		xor	al, al
		jmp	loc_47BC78
; 

loc_5B3A4A:				; CODE XREF: CcMapAndCopyInToCache+25Ej
		mov	dl, bl
		mov	ecx, esi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_47B947
; 

loc_5B3A58:				; CODE XREF: CcMapAndCopyInToCache+28Bj
					; CcMapAndCopyInToCache+1383DEj
		test	edx, 40000000h
		jnz	short loc_5B3A72
		mov	ecx, edx
		or	ecx, 40000000h
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_5B3A82

loc_5B3A72:				; CODE XREF: CcMapAndCopyInToCache+1383AEj
		lea	ecx, [ebp+var_B8]
		call	KeYieldProcessorEx
		mov	eax, ds:dword_6CF3C0

loc_5B3A82:				; CODE XREF: CcMapAndCopyInToCache+1383C0j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5B3A58
		jmp	loc_47B941
; 

loc_5B3A95:				; CODE XREF: CcMapAndCopyInToCache+29Ej
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		mov	ecx, [ebp+var_29+1]
		mov	[ebp+var_20], ecx
		jmp	loc_47B95E
; 

loc_5B3AAA:				; CODE XREF: CcMapAndCopyInToCache+247j
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		jmp	loc_47B97F
; 

loc_5B3AB5:				; CODE XREF: CcMapAndCopyInToCache+82Bj
		mov	eax, [ebp+var_68]
		sub	eax, 0FFFFFF80h
		mov	[ebp+var_70], eax
		mov	[ebp+var_74], 0
		test	ds:byte_70EFC6,	21h
		jz	short loc_5B3ADA
		mov	edx, eax
		lea	ecx, [ebp+var_74]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5B3AEB
; 

loc_5B3ADA:				; CODE XREF: CcMapAndCopyInToCache+13841Cj
		lea	edx, [ebp+var_74]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_5B3AEB
		lea	ecx, [ebp+var_74]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5B3AEB:				; CODE XREF: CcMapAndCopyInToCache+138428j
					; CcMapAndCopyInToCache+138431j
		mov	edi, [ebx+160h]
		test	edi, edi
		jnz	short loc_5B3B1B
		lea	ecx, [ebp+var_74]
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		lea	ecx, [ebp+var_50]
		call	KeReleaseInStackQueuedSpinLock
		push	offset _Cc5Milliseconds
		push	edi
		push	edi
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		push	0C00000D8h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5B3B1B:				; CODE XREF: CcMapAndCopyInToCache+138443j
		mov	ecx, [edi]
		mov	eax, [edi+4]
		cmp	[ecx+4], edi
		jnz	loc_5B3BAC
		cmp	[eax], edi
		jnz	short loc_5B3BAC
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	dword ptr [edi+4], 0
		mov	dword ptr [edi], 0
		mov	dword ptr [ebx+160h], 0
		and	dword ptr [ebx+60h], 0FFFFFFDFh
		mov	[ebp+var_2C], 1
		test	ds:byte_70EFC6,	1
		jz	short loc_5B3B70
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_74]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_5B3B65:				; CODE XREF: CcMapAndCopyInToCache+1384D8j
		mov	ecx, [ebp+var_29+1]
		mov	[ebp+var_20], ecx
		jmp	loc_47BEE1
; 

loc_5B3B70:				; CODE XREF: CcMapAndCopyInToCache+1384A8j
		mov	eax, [ebp+var_74]
		test	eax, eax
		jnz	short loc_5B3B95
		mov	edx, [ebp+var_70]
		lea	eax, [ebp+var_74]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_74]
		cmp	eax, ecx
		jz	short loc_5B3B65
		call	KxWaitForLockChainValid
		mov	ecx, [ebp+var_29+1]
		mov	[ebp+var_20], ecx

loc_5B3B95:				; CODE XREF: CcMapAndCopyInToCache+1384C5j
		mov	[ebp+var_74], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_47BEE1
; 

loc_5B3BAC:				; CODE XREF: CcMapAndCopyInToCache+138473j
					; CcMapAndCopyInToCache+13847Bj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5B3BB3:				; CODE XREF: CcMapAndCopyInToCache+842j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_50]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_47BF1A
; 

loc_5B3BC3:				; CODE XREF: CcMapAndCopyInToCache+2E1j
		mov	ecx, edi
		call	_CcFreeWorkQueueEntry@4	; CcFreeWorkQueueEntry(x)
		jmp	loc_47B997
; 

loc_5B3BCF:				; CODE XREF: CcMapAndCopyInToCache+8C6j
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_47BF7C
; 

loc_5B3BDB:				; CODE XREF: CcMapAndCopyInToCache+8E6j
		mov	esi, 0C0000225h
		jmp	loc_47B9DE
; 

loc_5B3BE5:				; CODE XREF: CcMapAndCopyInToCache+377j
		xor	eax, eax
		mov	[ebp+arg_8], eax
		jmp	loc_47BA2D
; 

loc_5B3BEF:				; CODE XREF: CcMapAndCopyInToCache+465j
		test	esi, esi
		mov	eax, 1000h
		jnz	short loc_5B3BFA
		mov	eax, edi

loc_5B3BFA:				; CODE XREF: CcMapAndCopyInToCache+138546j
		sub	eax, ebx
		or	eax, ebx
		test	al, 3Fh
		jnz	short loc_5B3C1D
		or	ecx, 4
		mov	[ebp+var_20], ecx
		mov	[ebp+var_29+1],	ecx
		cmp	byte ptr [ebp+var_35], 0
		jz	loc_47BB1B
		or	ecx, 8
		mov	[ebp+var_29+1],	ecx
		jmp	short loc_5B3C27
; 

loc_5B3C1D:				; CODE XREF: CcMapAndCopyInToCache+138550j
		and	ecx, 0FFFFFFF3h
		mov	[ebp+var_29+1],	ecx
		mov	[ebp+var_19], 1

loc_5B3C27:				; CODE XREF: CcMapAndCopyInToCache+13856Bj
		mov	[ebp+var_20], ecx
		jmp	loc_47BB1B
; 

loc_5B3C2F:				; CODE XREF: CcMapAndCopyInToCache+495j
		push	0C00000E8h
		push	eax
		call	_FsRtlNormalizeNtstatus@8 ; FsRtlNormalizeNtstatus(x,x)
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5B3C40:				; CODE XREF: CcMapAndCopyInToCache+72Aj
		mov	dword ptr [eax+2F4h], 1
		jmp	loc_47BC94
; 

loc_5B3C4F:				; CODE XREF: CcMapAndCopyInToCache+623j
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5B3C55:				; CODE XREF: CcMapAndCopyInToCache+62Ej
		test	esi, esi
		mov	eax, 1000h
		jnz	short loc_5B3C61
		mov	eax, [ebp+var_78]

loc_5B3C61:				; CODE XREF: CcMapAndCopyInToCache+1385ACj
		lea	ecx, [ebp+var_CC]
		push	ecx
		push	1
		push	eax
		lea	edx, [ebp+var_8C]
		mov	ecx, [ebp+var_40]
		call	_CcLockSystemCacheBuffer@20 ; CcLockSystemCacheBuffer(x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_D4], ecx
		test	ecx, ecx
		jnz	short loc_5B3C90
		push	[ebp+var_CC]
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5B3C90:				; CODE XREF: CcMapAndCopyInToCache+1385D3j
		mov	edi, [ebp+var_8C]
		mov	dl, [ebp+var_2B]
		jmp	loc_47BCE4
; 

loc_5B3C9E:				; CODE XREF: CcMapAndCopyInToCache+658j
		mov	edx, [ebp+var_5C]
		call	_HviCopyMemory@12 ; HviCopyMemory(x,x,x)
		jmp	loc_47BD1A
; 

loc_5B3CAB:				; CODE XREF: CcMapAndCopyInToCache+685j
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	edi
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	[ebp+var_8C], 0
		jmp	loc_47BD3B
; 

loc_5B3CC6:				; CODE XREF: CcMapAndCopyInToCache+528j
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_47BBDE
; 

loc_5B3CD5:				; CODE XREF: CcMapAndCopyInToCache+56Ej
		cmp	[ebp+var_19], bl
		jz	loc_47BC24

loc_5B3CDE:				; CODE XREF: CcMapAndCopyInToCache+566j
		lea	eax, [ebp+var_94]
		push	eax
		push	[ebp+var_35]
		push	0
		mov	esi, [ebp+var_44]
		push	esi
		lea	edx, [ebp+var_58]
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax+14h]
		call	_CcFlushCachePriv@24 ; CcFlushCachePriv(x,x,x,x,x,x)
		mov	eax, [ebp+var_94]
		test	eax, eax
		jns	loc_47BC27
		push	0C00000E9h
		push	eax
		call	_FsRtlNormalizeNtstatus@8 ; FsRtlNormalizeNtstatus(x,x)
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5B3D1B:				; DATA XREF: .text:006A11F8o
		lea	edx, [ebp+var_64]
		mov	ecx, [ebp+var_14]
		call	_CcCopyReadExceptionFilter@8 ; CcCopyReadExceptionFilter(x,x)
		retn
; END OF FUNCTION CHUNK	FOR CcMapAndCopyInToCache

;  S U B	R O U T	I N E 


sub_5B3D27	proc near		; DATA XREF: .text:006A11FCo
		mov	esp, [ebp-18h]
		cmp	dword ptr [ebp-64h], 0C0000005h
		jnz	short loc_5B3D3D
		push	0C00000E8h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5B3D3D:				; CODE XREF: sub_5B3D27+Aj
		push	0C00000E9h
		mov	eax, [ebp-64h]
		push	eax
		call	_FsRtlNormalizeNtstatus@8 ; FsRtlNormalizeNtstatus(x,x)
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5B3D51:				; DATA XREF: .text:006A11F0o
		or	ebx, 0FFFFFFFFh
		mov	edx, [ebp-0D8h]
		mov	al, [ebp-2Fh]
		mov	[ebp-21h], al
		mov	eax, [ebp-0DCh]
		mov	[ebp-9Ch], eax
		mov	eax, [ebp-0E0h]
		mov	[ebp-68h], eax
		mov	edi, [ebp+20h]
		jmp	sub_47C052
sub_5B3D27	endp

; 
; START	OF FUNCTION CHUNK FOR sub_47C052

loc_5B3D7D:				; CODE XREF: sub_47C052+145j
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_47C19D
; 

loc_5B3D8C:				; CODE XREF: sub_47C052+2Bj
					; sub_47C052+35j
		mov	eax, [ebp-44h]
		mov	ebx, [ebp-3Ch]
		test	eax, eax
		jz	loc_47C090
		push	edi
		push	eax
		lea	edx, [ebp-58h]
		mov	ecx, ebx
		call	CcSetDirtyInMask
		jmp	loc_47C090
; 

loc_5B3DAB:				; CODE XREF: sub_47C052+55j
		test	cl, cl
		jnz	loc_47C0AD
		cmp	[ebx+4Ch], eax
		jb	loc_47C0AD
		mov	byte ptr [ebp-2Ch], 1
		mov	byte ptr [ebp-30h], 1
		jmp	loc_47C0AD
; 

loc_5B3DC9:				; CODE XREF: sub_47C052+77j
		xor	ecx, ecx
		jmp	loc_47C0D5
; 

loc_5B3DD0:				; CODE XREF: sub_47C052+86j
		xor	eax, eax
		jmp	loc_47C0E1
; 

loc_5B3DD7:				; CODE XREF: sub_47C052+E1j
		mov	edx, [ebp+4]
		lea	ecx, [ebp-50h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_47C153
; 

loc_5B3DE7:				; CODE XREF: sub_47C052+B6j
		cmp	dword ptr [ebp-0B0h], 0
		jnz	locret_47C0B9
		push	0C00000E9h
		push	eax
		call	_FsRtlNormalizeNtstatus@8 ; FsRtlNormalizeNtstatus(x,x)
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger
; END OF FUNCTION CHUNK	FOR sub_47C052
; START	OF FUNCTION CHUNK FOR MiUnlockProtoPoolPage

loc_5B3E06:				; CODE XREF: MiUnlockProtoPoolPage+2Fj
		mov	ecx, esi
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		lea	eax, [ecx+edx]
		mov	ecx, esi
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	MiPfnReferenceCountIsZero
		jmp	loc_47CDB5
; END OF FUNCTION CHUNK	FOR MiUnlockProtoPoolPage
; 
; START	OF FUNCTION CHUNK FOR MiPfPutPagesInTransition

loc_5B3E2E:				; CODE XREF: MiPfPutPagesInTransition+1AAj
		mov	dl, [ebp+var_1]
		call	MiUnlockProtoPoolPage
		mov	eax, edi
		jmp	loc_47D228
; 

loc_5B3E3D:				; CODE XREF: MiPfPutPagesInTransition+456j
		push	0
		push	0
		push	ebx
		push	2
		call	MmAccessFault
		jmp	loc_47D235
; 

loc_5B3E4E:				; CODE XREF: MiPfPutPagesInTransition+42Cj
		test	byte ptr ds:dword_6D4E44, 8
		jz	loc_47D023
		test	byte ptr [edi+12h], 2
		jz	short loc_5B3E6E
		mov	al, [edi+10h]
		and	al, 0Ah
		cmp	al, 8
		jz	loc_47D023

loc_5B3E6E:				; CODE XREF: MiPfPutPagesInTransition+13706Fj
		movzx	eax, word ptr [edi+10h]
		xor	edx, edx
		shr	eax, 1
		mov	ecx, offset _MiSystemPartition
		and	eax, 1Fh
		push	eax
		call	_MiGetSlabAllocator@12 ; MiGetSlabAllocator(x,x,x)
		mov	eax, [eax+1Ch]
		lea	eax, ds:18h[eax*4]
		jmp	loc_47D028
; 

loc_5B3E93:				; CODE XREF: MiPfPutPagesInTransition+1DEj
		push	ecx
		push	edx
		call	_IS_PTE_NOT_DEMAND_ZERO@8 ; IS_PTE_NOT_DEMAND_ZERO(x,x)
		test	eax, eax
		jz	loc_47D160
		cmp	[ebp+var_18], 0
		jz	loc_47D160
		mov	[ebp+var_C], 2
		xor	edi, edi
		jmp	loc_47D023
; 

loc_5B3EBA:				; CODE XREF: MiPfPutPagesInTransition+247j
		mov	edx, [ebp+var_74]
		mov	ecx, offset _MiSystemPartition
		call	_MiPrefetchNormally@8 ;	MiPrefetchNormally(x,x)
		test	eax, eax
		jz	loc_47D172
		mov	ecx, [ebp+var_78]
		test	ecx, ecx
		jz	short loc_5B3EE3
		mov	eax, [ecx]
		test	eax, eax
		jz	loc_47D172
		dec	eax
		mov	[ecx], eax

loc_5B3EE3:				; CODE XREF: MiPfPutPagesInTransition+1370E4j
		push	1
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiObtainFaultCharges
		test	eax, eax
		jz	loc_47D172
		mov	eax, [ebp+var_90]
		mov	ecx, 1
		lock xadd [eax], ecx
		inc	ecx
		mov	eax, [ebp+var_88]
		dec	ecx
		and	ecx, [ebp+var_8C]
		mov	esi, [ebp+var_24]
		or	eax, ecx
		mov	ecx, [ebp+var_14]
		add	ecx, [ebp+var_3C]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_14]
		add	eax, 14h
		cmp	ecx, eax
		mov	ecx, offset _MiSystemPartition
		jz	short loc_5B3F4C
		movzx	edx, word ptr [edi+10h]
		push	0
		push	0
		shr	edx, 1
		push	0
		and	edx, 1Fh
		call	_MiGetSlabPage@20 ; MiGetSlabPage(x,x,x,x,x)
		jmp	short loc_5B3F68
; 

loc_5B3F4C:				; CODE XREF: MiPfPutPagesInTransition+137144j
		mov	eax, [ebp+var_4C]
		mov	edx, [ebp+var_10]
		test	byte ptr [eax],	1
		jz	short loc_5B3F5E
		push	302h
		jmp	short loc_5B3F63
; 

loc_5B3F5E:				; CODE XREF: MiPfPutPagesInTransition+137165j
		push	200h

loc_5B3F63:				; CODE XREF: MiPfPutPagesInTransition+13716Cj
		call	MiGetPage

loc_5B3F68:				; CODE XREF: MiPfPutPagesInTransition+13715Aj
		mov	[ebp+var_30], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_5B4158
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_10], eax
		jmp	loc_47D062
; 

loc_5B3F8D:				; CODE XREF: MiPfPutPagesInTransition+2EAj
		mov	dl, al
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		mov	ecx, [ebp+var_C]
		jmp	loc_47D10D
; 

loc_5B3F9C:				; CODE XREF: MiPfPutPagesInTransition+331j
		mov	edx, [ebp+4]
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		mov	al, [ebp+var_2]
		mov	[ebp+var_1], al
		jmp	loc_47D12D
; 

loc_5B3FAF:				; CODE XREF: MiPfPutPagesInTransition+289j
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		push	esi
		push	[ebp+var_18]
		lea	edx, [ebp+var_30]
		or	ecx, 0FFFFFFFFh
		push	ebx
		push	1
		call	_MiInitializeReadInProgressPfn@24 ; MiInitializeReadInProgressPfn(x,x,x,x,x,x)
		mov	edi, [ebp+var_2C]
		mov	ecx, edi
		mov	eax, [ebp+var_34]
		shrd	ecx, eax, 0Ch
		and	ecx, 0Fh
		mov	[ebp+var_2C], ecx
		lea	ecx, [ebp+var_70]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		push	[ebp+var_34]
		mov	ecx, offset _MiSystemPartition
		mov	[ebp+var_C], eax
		push	edi
		call	_MiIsPteInStore@16 ; MiIsPteInStore(x,x,x,x)
		cmp	[ebp+var_60], 2
		mov	edx, [ebp+var_18]
		mov	edi, [ebp+var_2C]
		mov	[ebp+var_34], eax
		lea	ecx, [edx+0A8h]
		mov	eax, ds:dword_6D5D94[edi*4]
		mov	[ebp+var_2C], eax
		mov	[edx+98h], ecx
		jge	short loc_5B4027
		or	dword ptr [edx+78h], 80h

loc_5B4027:				; CODE XREF: MiPfPutPagesInTransition+13722Ej
		mov	dword ptr [ecx+4], 20h
		mov	eax, 4042h
		or	[edx+0AEh], ax
		mov	eax, [ebp+var_30]
		mov	dword ptr [ecx], 0
		mov	dword ptr [ecx+10h], 0
		mov	dword ptr [ecx+18h], 0
		mov	dword ptr [ecx+14h], 1000h
		mov	ecx, [ebp+var_8]
		mov	[edx+0C4h], eax
		xor	edx, edx
		call	_MiObtainProtoReference@8 ; MiObtainProtoReference(x,x)
		mov	edx, [ebp+var_18]
		mov	eax, [ebp+var_44]
		mov	ecx, [ebp+var_8]
		mov	esi, [ebp+var_44]
		mov	[edx+5Ch], ecx
		mov	eax, [eax]
		cmp	[eax+4], esi
		jnz	loc_5B4188
		mov	[edx], eax
		mov	[edx+4], esi
		mov	[eax+4], edx
		mov	eax, esi
		mov	[eax], edx
		mov	eax, [ebp+var_14]
		mov	dl, [ebp+var_1]
		inc	dword ptr [eax+40h]
		call	MiUnlockProtoPoolPage
		cmp	[ebp+var_3C], 1
		mov	esi, [ebp+var_24]
		mov	[ebp+var_8], 0
		jnz	short loc_5B40C4
		mov	eax, [ebp+var_10]
		mov	edx, 1
		mov	ecx, [ebp+var_30]
		movzx	eax, byte ptr [eax+16h]
		shr	eax, 6
		push	eax
		call	MiZeroPhysicalPage

loc_5B40C4:				; CODE XREF: MiPfPutPagesInTransition+1372BAj
		cmp	[ebp+var_34], 0
		mov	edx, [ebp+var_18]
		mov	dword ptr [edx+88h], 0
		jnz	short loc_5B40EE
		mov	ecx, [ebp+var_C]
		xor	eax, eax
		shld	eax, ecx, 0Ch
		shl	ecx, 0Ch
		mov	[edx+3Ch], eax
		mov	eax, [edx+78h]
		mov	[edx+38h], ecx
		jmp	short loc_5B410D
; 

loc_5B40EE:				; CODE XREF: MiPfPutPagesInTransition+1372E5j
		mov	eax, [ebp+var_C]
		and	eax, 0FFFFFFFh
		shl	edi, 1Ch
		or	eax, edi
		mov	dword ptr [edx+3Ch], 0
		mov	[edx+38h], eax
		mov	eax, [edx+78h]
		or	eax, 100h

loc_5B410D:				; CODE XREF: MiPfPutPagesInTransition+1372FCj
		mov	ecx, [ebp+var_2C]
		or	eax, 200000h
		mov	[edx+7Ch], ecx
		xor	ecx, ecx
		mov	[edx+78h], eax
		mov	eax, [ebp+var_10]
		mov	[edx+90h], ebx
		mov	[edx+94h], eax
		call	_MiGetInPageSupportBlock@4 ; MiGetInPageSupportBlock(x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_47D160
		push	[ebp+var_48]
		mov	edx, [ebp+var_64]
		mov	ecx, eax
		mov	dword ptr [eax+94h], 0
		call	_MiSetInPagePriority@12	; MiSetInPagePriority(x,x,x)
		jmp	loc_47D160
; 

loc_5B4158:				; CODE XREF: MiPfPutPagesInTransition+13717Ej
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_5B4174
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_5B4174:				; CODE XREF: MiPfPutPagesInTransition+137379j
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		jmp	loc_47D172
; 

loc_5B4188:				; CODE XREF: MiPfPutPagesInTransition+59Dj
					; MiPfPutPagesInTransition+5A5j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5B418F:				; CODE XREF: MiCheckProtoPtePageState+150j
		mov	cl, [ecx]
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	0
		push	[esp+0A4h+var_68]
		push	2
		call	MmAccessFault
		jmp	loc_47DBD0
; END OF FUNCTION CHUNK	FOR MiPfPutPagesInTransition
; 
; START	OF FUNCTION CHUNK FOR MiCheckProtoPtePageState

loc_5B41B3:				; CODE XREF: MiCheckProtoPtePageState+EEj
					; MiCheckProtoPtePageState+FCj
		mov	cl, [ecx]
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_47DBD0
; END OF FUNCTION CHUNK	FOR MiCheckProtoPtePageState
; 
; START	OF FUNCTION CHUNK FOR MmPurgeSection

loc_5B41C8:				; CODE XREF: MmPurgeSection+87j
					; MmPurgeSection+91j
		lea	eax, [edi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_47E2D4
; 

loc_5B41DE:				; CODE XREF: MmPurgeSection+F4j
		mov	[ebp+var_20], 1
		jmp	loc_47E011
; 

loc_5B41EA:				; CODE XREF: MmPurgeSection+147j
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_68]
		push	eax
		mov	edx, 20h
		call	_MiChangingSubsectionProtos@12 ; MiChangingSubsectionProtos(x,x,x)
		mov	al, byte ptr [ebp+var_9]
		jmp	loc_47E05D
; 

loc_5B4203:				; CODE XREF: MmPurgeSection+29Aj
		cmp	word ptr [esi+14h], 0
		jz	loc_47E1B0
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	1
		jmp	loc_47E1B0
; 

loc_5B4219:				; CODE XREF: MmPurgeSection+1A0j
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		xor	al, al
		mov	byte ptr [ebp+arg_0+3],	al
		jmp	loc_47E114
; 

loc_5B422E:				; CODE XREF: MmPurgeSection+224j
		push	ecx
		push	0
		lea	edx, [ebp+var_68]
		mov	ecx, ebx
		call	_MiSubsectionProtosCreated@16 ;	MiSubsectionProtosCreated(x,x,x,x)
		jmp	loc_47E13A
; 

loc_5B4240:				; CODE XREF: MmPurgeSection+1B9j
					; MmPurgeSection+1C5j ...
		mov	eax, [esi+4]
		push	edx
		push	eax
		push	ebx
		push	2
		push	0DEh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5B4253:				; CODE XREF: MiReservePageFileSpace+53j
		mov	ecx, ebx
		and	ecx, 0FFFFF000h
		lea	esi, [ecx+0FF8h]
		jmp	loc_47E6D1
; END OF FUNCTION CHUNK	FOR MmPurgeSection
; 
; START	OF FUNCTION CHUNK FOR MiReservePageFileSpace

loc_5B4266:				; CODE XREF: MiReservePageFileSpace+113j
		mov	edi, ebx
		sub	esi, ebx
		sub	edi, [ebp+var_8]
		sub	ecx, eax
		sar	edi, 3
		sar	esi, 3
		mov	eax, edi
		mov	[ebp+var_30], edi
		cmp	esi, ecx
		jb	short loc_5B4282
		sub	esi, ecx
		jmp	short loc_5B4288
; 

loc_5B4282:				; CODE XREF: MiReservePageFileSpace+135F7Cj
		sub	ecx, esi
		xor	esi, esi
		sub	eax, ecx

loc_5B4288:				; CODE XREF: MiReservePageFileSpace+135F80j
		mov	edi, [ebp+var_20]
		lea	esi, [ebx+esi*8]
		shl	eax, 3
		mov	ecx, ebx
		sub	ecx, eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], ecx
		jmp	loc_47E41C
; 

loc_5B42A0:				; CODE XREF: MiReservePageFileSpace+383j
		mov	eax, [ebp+var_1C]
		jmp	loc_47E69B
; 

loc_5B42A8:				; CODE XREF: MiReservePageFileSpace+213j
		mov	[ebp+var_44], 0
		mov	eax, 10h
		mov	[ebp+var_40], 0
		jmp	loc_47E51C
; 

loc_5B42C0:				; CODE XREF: MiReservePageFileSpace+4A2j
		mov	ecx, [ebp+var_24]
		sub	ecx, eax
		mov	eax, [ebp+var_28]
		cmp	eax, ecx
		jb	short loc_5B42D3
		sub	eax, ecx
		jmp	loc_47E547
; 

loc_5B42D3:				; CODE XREF: MiReservePageFileSpace+135FCAj
		sub	ecx, eax
		xor	eax, eax
		sub	[ebp+var_10], ecx
		jmp	loc_47E547
; 

loc_5B42DF:				; CODE XREF: MiReservePageFileSpace+27Aj
		xor	edx, edx
		cmp	[ebp+arg_0], edx
		push	ecx
		mov	ecx, [ebp+var_14]
		setnz	dl
		push	edi
		call	MiReleasePageFileInfo
		mov	ecx, [ebp+var_28]
		jmp	loc_47E580
; 

loc_5B42F9:				; CODE XREF: MiReservePageFileSpace+2B2j
		xor	edx, edx
		jmp	loc_47E5CC
; END OF FUNCTION CHUNK	FOR MiReservePageFileSpace
; 
; START	OF FUNCTION CHUNK FOR RtlFindSetBits

loc_5B4300:				; CODE XREF: RtlFindSetBits+34j
		and	edx, 0FFFFFFF8h
		jmp	loc_47EEB4
; 

loc_5B4308:				; CODE XREF: RtlFindSetBits+2CDj
					; RtlFindSetBits+2F8j
		mov	ecx, 20h
		jmp	loc_47F0F5
; 

loc_5B4312:				; CODE XREF: RtlFindSetBits+1ACj
		mov	edx, 20h
		jmp	loc_47EFA9
; 

loc_5B431C:				; CODE XREF: RtlFindSetBits+E3j
		mov	ecx, edi
		jmp	loc_47EED9
; END OF FUNCTION CHUNK	FOR RtlFindSetBits
; 
; START	OF FUNCTION CHUNK FOR KiFindNextTimerDueTime

loc_5B4323:				; CODE XREF: KiFindNextTimerDueTime+10Bj
		mov	[ebp+var_18], 0
		jmp	loc_47F2B4
; 

loc_5B432F:				; CODE XREF: KiFindNextTimerDueTime+251j
		cmp	ebx, 0FFFFFFFFh
		jz	loc_47F3B2
		jmp	loc_47F332
; 

loc_5B433D:				; CODE XREF: KiFindNextTimerDueTime+73j
		mov	ecx, [ebp+var_2C]
		movzx	ecx, byte ptr [ecx+eax*4+3AA8h]
		cmp	edx, ecx
		jnz	loc_5B45F0
		cmp	[ebp+var_1], 0
		jz	loc_5B448C
		mov	ebx, [ebp+var_18]
		mov	edi, edx
		or	edx, 0FFFFFFFFh
		shl	edi, 9
		mov	[ebp+var_C], edx
		xor	esi, esi

loc_5B436A:				; CODE XREF: KiFindNextTimerDueTime+1352AEj
		movzx	ecx, si
		mov	eax, ds:_KiPendingTimerBitmaps[ecx*8]
		cmp	edi, eax
		mov	[ebp+var_24], eax
		sbb	eax, eax
		and	eax, edi
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_24]
		dec	eax
		mov	[ebp+var_1C], eax
		mov	eax, ds:dword_70E644[ecx*8]
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_18]

loc_5B4397:				; CODE XREF: KiFindNextTimerDueTime+13528Bj
		sub	ecx, eax
		mov	[ebp+var_50], 0
		inc	ecx
		cmp	ecx, 1
		jnb	short loc_5B43AB
		or	ecx, 0FFFFFFFFh
		jmp	short loc_5B4412
; 

loc_5B43AB:				; CODE XREF: KiFindNextTimerDueTime+135204j
		mov	ecx, [ebp+var_1C]
		mov	edx, [ebp+var_20]
		shr	ecx, 5
		lea	ecx, [edx+ecx*4]
		mov	[ebp+var_3C], ecx
		mov	ecx, eax
		mov	eax, edx
		shr	ecx, 5
		lea	ecx, [eax+ecx*4]
		mov	eax, [ecx]
		mov	[ebp+var_8], ecx
		not	eax
		mov	edx, [ebp+var_C]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_5B43E7

loc_5B43D3:				; CODE XREF: KiFindNextTimerDueTime+135245j
		add	ecx, 4
		mov	[ebp+var_8], ecx
		cmp	ecx, [ebp+var_3C]
		ja	short loc_5B440C
		mov	eax, [ecx]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5B43D3

loc_5B43E7:				; CODE XREF: KiFindNextTimerDueTime+135231j
		not	eax
		bsf	ecx, eax
		mov	eax, [ebp+var_20]
		sub	[ebp+var_8], eax
		sar	[ebp+var_8], 2
		shl	[ebp+var_8], 5
		add	[ebp+var_8], ecx
		mov	ecx, [ebp+var_8]
		cmp	ecx, [ebp+var_1C]
		ja	short loc_5B440C
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_5B440F
		jmp	short loc_5B4435
; 

loc_5B440C:				; CODE XREF: KiFindNextTimerDueTime+13523Cj
					; KiFindNextTimerDueTime+135263j
		or	ecx, 0FFFFFFFFh

loc_5B440F:				; CODE XREF: KiFindNextTimerDueTime+135268j
		mov	eax, [ebp+var_18]

loc_5B4412:				; CODE XREF: KiFindNextTimerDueTime+135209j
		test	eax, eax
		jz	short loc_5B4430
		mov	eax, [ebp+var_24]
		lea	ecx, [edi+1]
		cmp	ecx, eax
		jbe	short loc_5B4422
		mov	ecx, eax

loc_5B4422:				; CODE XREF: KiFindNextTimerDueTime+13527Ej
		dec	ecx
		xor	eax, eax
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], eax
		jmp	loc_5B4397
; 

loc_5B4430:				; CODE XREF: KiFindNextTimerDueTime+135274j
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_5B4446

loc_5B4435:				; CODE XREF: KiFindNextTimerDueTime+13526Aj
		shr	ecx, 9
		sub	ecx, ebx
		movzx	eax, cl
		cmp	eax, edx
		jnb	short loc_5B4446
		mov	edx, eax
		mov	[ebp+var_C], edx

loc_5B4446:				; CODE XREF: KiFindNextTimerDueTime+135293j
					; KiFindNextTimerDueTime+13529Fj
		inc	esi
		cmp	si, ds:_KiActiveGroups
		jb	loc_5B436A
		mov	eax, [ebp+var_14]
		mov	esi, [ebp+var_38]
		mov	edi, [ebp+var_34]
		mov	ebx, [ebp+var_10]
		cmp	edx, 0FFFFFFFFh
		jz	loc_47F21F
		mov	ecx, [ebp+arg_0]
		mov	esi, edx
		shl	esi, 12h
		xor	edi, edi
		and	ecx, 0FFFC0000h
		add	esi, ecx
		adc	edi, [ebp+arg_4]
		add	esi, ds:_KeTimeIncrement
		adc	edi, 0
		jmp	loc_47F21F
; 

loc_5B448C:				; CODE XREF: KiFindNextTimerDueTime+1351B4j
		mov	ecx, [ebp+var_2C]
		xor	edx, edx
		mov	[ebp+var_C], edx
		mov	eax, [ecx+3C8h]
		movzx	ecx, byte ptr [ecx+3C5h]
		shl	ecx, 3
		mov	[ebp+var_44], eax
		mov	[ebp+var_30], ecx
		mov	eax, ds:dword_70E644[ecx]
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_48], eax

loc_5B44B6:				; CODE XREF: KiFindNextTimerDueTime+135439j
		mov	edx, ecx
		mov	ecx, [ebp+var_30]
		shl	edx, 9
		mov	[ebp+var_40], edx
		mov	ecx, ds:_KiPendingTimerBitmaps[ecx]
		cmp	edx, ecx
		mov	[ebp+var_20], ecx
		sbb	ecx, ecx
		and	ecx, edx
		mov	edx, [ebp+var_30]
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+var_20]
		mov	eax, ds:dword_70E644[edx]
		mov	edx, [ebp+var_C]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_14]

loc_5B44E8:				; CODE XREF: KiFindNextTimerDueTime+1353ECj
		dec	ecx
		mov	[ebp+var_54], 0
		mov	[ebp+var_24], ecx
		sub	ecx, [ebp+var_1C]
		inc	ecx
		cmp	ecx, 1
		jb	short loc_5B4569
		mov	ecx, [ebp+var_24]
		mov	ebx, [ebp+var_38]
		shr	ecx, 5
		lea	ecx, [ebx+ecx*4]
		mov	[ebp+var_3C], ecx
		mov	ecx, [ebp+var_1C]
		shr	ecx, 5
		lea	ecx, [ebx+ecx*4]
		mov	ebx, [ecx]
		not	ebx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_34], ebx
		cmp	ebx, 0FFFFFFFFh
		mov	ebx, [ebp+var_10]
		jnz	short loc_5B4540

loc_5B4526:				; CODE XREF: KiFindNextTimerDueTime+13539Ej
		add	ecx, 4
		mov	[ebp+var_8], ecx
		cmp	ecx, [ebp+var_3C]
		ja	short loc_5B4569
		mov	eax, [ecx]
		not	eax
		mov	[ebp+var_34], eax
		cmp	eax, 0FFFFFFFFh
		mov	eax, [ebp+var_14]
		jz	short loc_5B4526

loc_5B4540:				; CODE XREF: KiFindNextTimerDueTime+135384j
		mov	ecx, [ebp+var_34]
		mov	ebx, [ebp+var_38]
		not	ecx
		sub	[ebp+var_8], ebx
		sar	[ebp+var_8], 2
		shl	[ebp+var_8], 5
		mov	ebx, [ebp+var_10]
		bsf	ecx, ecx
		add	[ebp+var_8], ecx
		mov	ecx, [ebp+var_8]
		cmp	ecx, [ebp+var_24]
		jbe	short loc_5B456E
		or	ecx, 0FFFFFFFFh
		jmp	short loc_5B4573
; 

loc_5B4569:				; CODE XREF: KiFindNextTimerDueTime+13535Aj
					; KiFindNextTimerDueTime+13538Fj
		or	ecx, 0FFFFFFFFh
		jmp	short loc_5B4573
; 

loc_5B456E:				; CODE XREF: KiFindNextTimerDueTime+1353C2j
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_5B459A

loc_5B4573:				; CODE XREF: KiFindNextTimerDueTime+1353C7j
					; KiFindNextTimerDueTime+1353CCj
		cmp	[ebp+var_1C], 0
		jz	short loc_5B4591
		mov	ecx, [ebp+var_40]
		inc	ecx
		cmp	ecx, [ebp+var_20]
		jbe	short loc_5B4585
		mov	ecx, [ebp+var_20]

loc_5B4585:				; CODE XREF: KiFindNextTimerDueTime+1353E0j
		mov	[ebp+var_1C], 0
		jmp	loc_5B44E8
; 

loc_5B4591:				; CODE XREF: KiFindNextTimerDueTime+1353D7j
		cmp	ecx, 0FFFFFFFFh
		jz	loc_47F21F

loc_5B459A:				; CODE XREF: KiFindNextTimerDueTime+1353D1j
		shr	ecx, 9
		inc	edx
		mov	[ebp+var_8], ecx
		sub	ecx, [ebp+var_18]
		movzx	ecx, cl
		add	edx, ecx
		mov	[ebp+var_C], edx
		cmp	edx, 100h
		ja	loc_47F21F
		mov	ecx, [ebp+var_8]
		mov	ebx, [ebp+var_48]
		mov	eax, [ebp+var_44]
		shl	ecx, 6
		test	[ecx+ebx], eax
		mov	eax, [ebp+var_14]
		mov	ebx, [ebp+var_10]
		jnz	short loc_5B45DE
		mov	ecx, [ebp+var_8]
		inc	ecx
		movzx	ecx, cl
		mov	[ebp+var_18], ecx
		jmp	loc_5B44B6
; 

loc_5B45DE:				; CODE XREF: KiFindNextTimerDueTime+13542Dj
		mov	esi, edx
		xor	edi, edi
		shl	esi, 12h
		add	esi, [ebp+arg_0]
		adc	edi, [ebp+arg_4]
		jmp	loc_47F21F
; 

loc_5B45F0:				; CODE XREF: KiFindNextTimerDueTime+B5j
					; KiFindNextTimerDueTime+1351AAj
		xor	eax, eax
		xor	edx, edx
		jmp	loc_47F234
; END OF FUNCTION CHUNK	FOR KiFindNextTimerDueTime
; 
; START	OF FUNCTION CHUNK FOR RtlFindClearBits

loc_5B45F9:				; CODE XREF: RtlFindClearBits+34j
		and	edx, 0FFFFFFF8h
		jmp	loc_47F522
; 

loc_5B4601:				; CODE XREF: RtlFindClearBits+2AFj
					; RtlFindClearBits+2D4j
		mov	ecx, 20h
		jmp	loc_47F741
; 

loc_5B460B:				; CODE XREF: RtlFindClearBits+1AAj
		mov	edx, 20h
		jmp	loc_47F617
; END OF FUNCTION CHUNK	FOR RtlFindClearBits
; 
; START	OF FUNCTION CHUNK FOR MmMapLockedPagesSpecifyCache

loc_5B4615:				; CODE XREF: MmMapLockedPagesSpecifyCache+83j
		mov	eax, ds:dword_6D3610
		cmp	edi, eax
		jnb	short loc_5B4628
		sub	eax, edi
		cmp	ecx, eax
		jb	loc_47F879

loc_5B4628:				; CODE XREF: MmMapLockedPagesSpecifyCache+134E2Cj
		mov	eax, large fs:124h
		test	byte ptr [eax+300h], 2
		jnz	loc_47F879
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jnz	loc_47F879
		inc	ds:dword_6D35F8
		jmp	loc_47F997
; 

loc_5B4657:				; CODE XREF: MmMapLockedPagesSpecifyCache+96j
		lea	eax, [ecx+1]
		mov	[esp+20h+var_C], eax
		jmp	loc_47F88C
; 

loc_5B4663:				; CODE XREF: MmMapLockedPagesSpecifyCache+B0j
		mov	eax, 2000h
		test	[esi+6], ax
		jnz	loc_47F997
		cmp	[ebp+arg_10], 0
		jnz	short loc_5B4695
		jmp	loc_47F997
; 

loc_5B467D:				; CODE XREF: MmMapLockedPagesSpecifyCache+CEj
		mov	eax, 40000000h
		jmp	loc_47F8C7
; 

loc_5B4687:				; CODE XREF: MmMapLockedPagesSpecifyCache+109j
		test	edx, 2000h
		jnz	short loc_5B469E
		cmp	[ebp+arg_10], 0
		jz	short loc_5B469E

loc_5B4695:				; CODE XREF: MmMapLockedPagesSpecifyCache+134E86j
		mov	ecx, [esp+30h+var_20]
		call	_MiIssueNoPtesBugcheck@4 ; MiIssueNoPtesBugcheck(x)

loc_5B469E:				; CODE XREF: MmMapLockedPagesSpecifyCache+134E9Dj
					; MmMapLockedPagesSpecifyCache+134EA3j
		push	[esp+30h+var_1C]
		mov	edx, [esp+34h+var_14]
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		xor	eax, eax
		jmp	loc_47F930
; 

loc_5B46B7:				; CODE XREF: MmMapLockedPagesSpecifyCache+133j
		cmp	ds:_MmProtectFreedNonPagedPool,	1
		jnz	short loc_5B46C7
		or	eax, 2
		mov	[esp+30h+var_20], eax

loc_5B46C7:				; CODE XREF: MmMapLockedPagesSpecifyCache+134ECEj
		mov	ecx, ebx
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		push	eax
		push	[esp+34h+var_20]
		xor	edx, edx
		mov	ecx, esi
		call	_MiInsertPteTracker@16 ; MiInsertPteTracker(x,x,x,x)
		movzx	ecx, word ptr [esi+6]
		jmp	loc_47F929
; END OF FUNCTION CHUNK	FOR MmMapLockedPagesSpecifyCache
; 
; START	OF FUNCTION CHUNK FOR MiReservePtes

loc_5B46E5:				; CODE XREF: MiReservePtes+6F1j
		mov	edx, edi
		mov	ecx, eax
		call	_MiCheckPteReserve@8 ; MiCheckPteReserve(x,x)
		jmp	loc_4804F8
; 

loc_5B46F3:				; CODE XREF: MiReservePtes+140j
		mov	ecx, [esp+60h+var_54]
		xor	edx, edx
		mov	eax, [esp+60h+var_3C]
		mov	[esp+60h+var_48], edx
		jmp	loc_47FFEE
; 

loc_5B4706:				; CODE XREF: MiReservePtes+198j
		and	eax, 0FFFFFFF8h
		jmp	loc_4800DD
; 

loc_5B470E:				; CODE XREF: MiReservePtes+5A1j
					; MiReservePtes+5CBj
		mov	eax, 20h
		jmp	loc_480458
; 

loc_5B4718:				; CODE XREF: MiReservePtes+3AAj
		mov	edx, 20h
		jmp	loc_480237
; 

loc_5B4722:				; CODE XREF: MiReservePtes+240j
		or	edx, 0FFFFFFFFh
		jmp	loc_4801D2
; 

loc_5B472A:				; CODE XREF: MiReservePtes+79j
		mov	edx, edi
		call	_MiCheckPteReserve@8 ; MiCheckPteReserve(x,x)
		mov	ecx, [esp+60h+var_44]
		jmp	loc_47FEFF
; END OF FUNCTION CHUNK	FOR MiReservePtes
; 
; START	OF FUNCTION CHUNK FOR MiCheckProcessorPteCache

loc_5B473A:				; CODE XREF: MiCheckProcessorPteCache+228j
		lea	edx, [ebp+var_58]
		mov	ecx, offset unk_6D35FC
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_5B475D
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_58]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5B478E
; 

loc_5B475D:				; CODE XREF: MiCheckProcessorPteCache+1341AEj
		mov	eax, [ebp+var_58]
		test	eax, eax
		jnz	short loc_5B477C
		mov	edx, [ebp+var_54]
		lea	eax, [ebp+var_58]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_58]
		cmp	eax, ecx
		jz	short loc_5B478E
		call	KxWaitForLockChainValid

loc_5B477C:				; CODE XREF: MiCheckProcessorPteCache+1341C2j
		mov	[ebp+var_58], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5B478E:				; CODE XREF: MiCheckProcessorPteCache+1341BBj
					; MiCheckProcessorPteCache+1341D5j
		mov	cl, byte ptr [ebp+var_50]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, ds:dword_6D3608
		test	esi, esi
		jnz	loc_4807C0
		mov	edx, [ebp+var_C]
		mov	eax, [ebp+var_20]
		jmp	loc_4807F2
; 

loc_5B47B0:				; CODE XREF: MiCheckProcessorPteCache+5A5j
		mov	eax, ecx
		jmp	loc_480B4B
; 

loc_5B47B7:				; CODE XREF: MiCheckProcessorPteCache+64j
		xor	edi, edi
		jmp	loc_4806A1
; 

loc_5B47BE:				; CODE XREF: MiCheckProcessorPteCache+4C7j
		mov	[ebp+var_10], 20h
		jmp	loc_480A77
; 

loc_5B47CA:				; CODE XREF: MiCheckProcessorPteCache+502j
		mov	[ebp+var_10], 20h
		jmp	loc_480AB2
; 

loc_5B47D6:				; CODE XREF: MiCheckProcessorPteCache+1D6j
		mov	edi, 20h
		jmp	loc_480783
; 

loc_5B47E0:				; CODE XREF: MiCheckProcessorPteCache+C7j
		or	edi, 0FFFFFFFFh
		jmp	loc_4809B7
; END OF FUNCTION CHUNK	FOR MiCheckProcessorPteCache
; 
; START	OF FUNCTION CHUNK FOR RtlInterlockedSetClearRun

loc_5B47E8:				; CODE XREF: RtlInterlockedSetClearRun+14Dj
		mov	eax, [ebp+arg_0]
		sub	ecx, esi
		shr	ebx, 5
		mov	[ebp+arg_8], ecx
		mov	eax, [eax+4]
		lea	esi, [eax+ebx*4]
		lea	eax, [edi+ecx]
		cmp	eax, 20h
		jbe	short loc_5B484F
		test	edi, edi
		jz	short loc_5B4827
		mov	eax, 20h
		mov	edx, 1
		sub	eax, edi
		mov	ecx, eax
		shl	edx, cl
		mov	ecx, edi
		dec	edx
		shl	edx, cl
		not	edx
		lock and [esi],	edx
		mov	ecx, [ebp+arg_8]
		sub	ecx, eax
		add	esi, 4

loc_5B4827:				; CODE XREF: RtlInterlockedSetClearRun+133BF3j
		cmp	ecx, 20h
		jb	short loc_5B4842
		mov	eax, ecx
		shr	eax, 5

loc_5B4831:				; CODE XREF: RtlInterlockedSetClearRun+133C30j
		mov	dword ptr [esi], 0
		sub	ecx, 20h
		add	esi, 4
		sub	eax, 1
		jnz	short loc_5B4831

loc_5B4842:				; CODE XREF: RtlInterlockedSetClearRun+133C1Aj
		test	ecx, ecx
		jz	loc_480D39
		jmp	loc_5B48E5
; 

loc_5B484F:				; CODE XREF: RtlInterlockedSetClearRun+133BEFj
					; RtlInterlockedSetClearRun+133C8Aj
		cmp	ecx, 20h
		jnz	short loc_5B485F
		mov	dword ptr [esi], 0
		jmp	loc_480D39
; 

loc_5B485F:				; CODE XREF: RtlInterlockedSetClearRun+133C42j
		mov	eax, 1
		shl	eax, cl
		mov	ecx, edi
		dec	eax
		shl	eax, cl
		not	eax
		jmp	short loc_5B48EA
; 

loc_5B486F:				; CODE XREF: RtlInterlockedSetClearRun+F5j
		mov	ecx, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+arg_4], ecx
		test	[ebp+var_8], eax
		jz	loc_480CF0

loc_5B4880:				; CODE XREF: RtlInterlockedSetClearRun+D9j
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		sub	ecx, esi
		shr	ebx, 5
		mov	[ebp+arg_8], ecx
		mov	eax, [eax+4]
		lea	esi, [eax+ebx*4]
		lea	eax, [edi+ecx]
		cmp	eax, 20h
		jbe	short loc_5B484F
		test	edi, edi
		jz	short loc_5B48C2
		mov	eax, 20h
		mov	edx, 1
		sub	eax, edi
		mov	ecx, eax
		shl	edx, cl
		mov	ecx, edi
		dec	edx
		shl	edx, cl
		not	edx
		lock and [esi],	edx
		mov	ecx, [ebp+arg_8]
		sub	ecx, eax
		add	esi, 4

loc_5B48C2:				; CODE XREF: RtlInterlockedSetClearRun+133C8Ej
		cmp	ecx, 20h
		jb	short loc_5B48DD
		mov	eax, ecx
		shr	eax, 5

loc_5B48CC:				; CODE XREF: RtlInterlockedSetClearRun+133CCBj
		mov	dword ptr [esi], 0
		sub	ecx, 20h
		add	esi, 4
		sub	eax, 1
		jnz	short loc_5B48CC

loc_5B48DD:				; CODE XREF: RtlInterlockedSetClearRun+133CB5j
		test	ecx, ecx
		jz	loc_480D39

loc_5B48E5:				; CODE XREF: RtlInterlockedSetClearRun+133C3Aj
		or	eax, 0FFFFFFFFh
		shl	eax, cl

loc_5B48EA:				; CODE XREF: RtlInterlockedSetClearRun+133C5Dj
		lock and [esi],	eax
		jmp	loc_480D39
; END OF FUNCTION CHUNK	FOR RtlInterlockedSetClearRun
; 
; START	OF FUNCTION CHUNK FOR MiStoreWriteModifiedPages

loc_5B48F2:				; CODE XREF: MiStoreWriteModifiedPages+B2j
		call	_MiStoreLogFullPagefile@0 ; MiStoreLogFullPagefile()
		mov	eax, 0C000007Fh
		jmp	loc_4815D0
; 

loc_5B4901:				; CODE XREF: MiStoreWriteModifiedPages+5B3j
		push	1
		lea	edx, [ebp+var_CC]
		mov	ecx, edi
		call	_MiDerefPageFileSpaceBitmaps@12	; MiDerefPageFileSpaceBitmaps(x,x,x)
		test	eax, eax
		jz	loc_481329
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_481329
; 

loc_5B4925:				; CODE XREF: MiStoreWriteModifiedPages+162j
		xor	ebx, ebx
		jmp	loc_480EDA
; 

loc_5B492C:				; CODE XREF: MiStoreWriteModifiedPages+192j
		or	edi, 0FFFFFFFFh

loc_5B492F:				; CODE XREF: MiStoreWriteModifiedPages+5ACj
		test	ebx, ebx
		jz	loc_480F5B
		mov	edx, [ebp+var_80]
		inc	edx
		cmp	edx, ecx
		jbe	short loc_5B4941
		mov	edx, ecx

loc_5B4941:				; CODE XREF: MiStoreWriteModifiedPages+133BCDj
		dec	edx
		xor	ebx, ebx
		jmp	loc_480EF0
; 

loc_5B4949:				; CODE XREF: MiStoreWriteModifiedPages+524j
		cmp	dword ptr [eax], 5
		jbe	loc_48129A
		push	4000h
		push	2
		mov	ecx, eax
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_48129A
		mov	ecx, [ebp+var_5C]
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_28], eax
		mov	edx, offset loc_41D2FD
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_D8], esi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	4
		sub	esp, 8
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 4
		mov	[ebp+var_1C], 0
		mov	[ebp+var_DC], edi
		push	1
		sub	esp, 8
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], 0
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		jmp	loc_48129A
; 

loc_5B49D0:				; CODE XREF: MiStoreWriteModifiedPages+5A1j
		mov	[ebp+var_6C], 1
		jmp	loc_4812A7
; 

loc_5B49DC:				; CODE XREF: MiStoreWriteModifiedPages+2D0j
		mov	[ebp+var_70], 0
		cmp	esi, 3
		jb	loc_481070
		mov	[ebp+var_64], 3
		jmp	loc_481070
; 

loc_5B49F8:				; CODE XREF: MiStoreWriteModifiedPages+2EFj
					; MiStoreWriteModifiedPages+2FAj
		mov	[ebp+var_70], 0
		jmp	loc_481070
; 

loc_5B4A04:				; CODE XREF: MiStoreWriteModifiedPages+408j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_481184
; 

loc_5B4A13:				; CODE XREF: MiStoreWriteModifiedPages+4A0j
					; MiStoreWriteModifiedPages+4ACj
		mov	ebx, [ebp+var_58]
		jmp	loc_4811F1
; 

loc_5B4A1B:				; CODE XREF: MiStoreWriteModifiedPages+4BBj
		push	[ebp+var_64]
		mov	ecx, edi
		push	[ebp+var_5C]
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_481231
; 

loc_5B4A2D:				; CODE XREF: MiStoreWriteModifiedPages+37Dj
					; MiStoreWriteModifiedPages+3AAj
		mov	eax, [ebp+var_78]
		add	eax, 18h
		lock dec dword ptr [eax]
		mov	esi, [ebp+var_58]
		cmp	ecx, 0C0000476h
		jnz	short loc_5B4A79
		lea	eax, [edi+1]
		mov	[ebp+var_80], eax
		cmp	esi, [ebp+var_64]
		jnb	short loc_5B4A88
		mov	eax, [ebp+var_54]
		lea	ecx, [ebp+var_A8]
		mov	edx, edi
		mov	eax, [eax+2D0h]
		push	eax
		push	[ebp+var_70]
		push	esi
		call	_MiStoreLogWriteIssueRetry@20 ;	MiStoreLogWriteIssueRetry(x,x,x,x,x)
		mov	eax, [ebp+var_7C]
		inc	esi
		mov	edi, [ebp+var_68]
		mov	[ebp+var_58], esi
		mov	esi, [ebp+var_74]
		jmp	loc_480E8D
; 

loc_5B4A79:				; CODE XREF: MiStoreWriteModifiedPages+133CCFj
		cmp	ecx, 0C000009Ah
		jnz	short loc_5B4A88
		mov	[ebp+var_6C], 1

loc_5B4A88:				; CODE XREF: MiStoreWriteModifiedPages+133CDAj
					; MiStoreWriteModifiedPages+133D0Fj
		mov	eax, [ebp+var_54]
		lea	edx, [ebp+var_A8]
		inc	dword ptr [eax+2D0h]
		mov	eax, [eax+2D0h]
		push	eax
		push	[ebp+var_70]
		push	esi
		push	edi
		call	_MiStoreLogWriteIssueFailure@24	; MiStoreLogWriteIssueFailure(x,x,x,x,x,x)
		jmp	loc_4812A7
; 

loc_5B4AAD:				; CODE XREF: MiStoreWriteModifiedPages+5D2j
		mov	dword ptr [ebx+2CCh], 20h
		jmp	loc_481348
; 

loc_5B4ABC:				; CODE XREF: MiStoreWriteModifiedPages+87Cj
		mov	edi, esi
		jmp	loc_4815F2
; 

loc_5B4AC3:				; CODE XREF: MiStoreWriteModifiedPages+837j
		mov	edx, ebx
		call	_MiStoreFreeWriteSupport@8 ; MiStoreFreeWriteSupport(x,x)
		jmp	loc_4815AD
; 

loc_5B4ACF:				; CODE XREF: MiStoreWriteModifiedPages+858j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4815CE
; END OF FUNCTION CHUNK	FOR MiStoreWriteModifiedPages
; 
; START	OF FUNCTION CHUNK FOR MiReleasePageFileInfo

loc_5B4ADC:				; CODE XREF: MiReleasePageFileInfo+B6j
		mov	dl, cl
		lea	ecx, [ebx+88h]
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_4817C9
; 

loc_5B4AEE:				; CODE XREF: MiReleasePageFileInfo+14Aj
		mov	[ebx+3Ch], edi
		jmp	loc_481830
; 

loc_5B4AF6:				; CODE XREF: MiReleasePageFileInfo+156j
		test	byte ptr [ebx+76h], 1
		jz	loc_48183C
		mov	[esp+38h+var_10], 1
		jmp	loc_48183C
; 

loc_5B4B0D:				; CODE XREF: MiReleasePageFileInfo+1B2j
		mov	edx, [ebp+4]
		mov	ecx, [esp+3Ch+var_1C]
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_4818A2
; 

loc_5B4B1E:				; CODE XREF: MiReleasePageFileInfo+1D1j
		mov	eax, [esp+3Ch+var_10]
		push	0
		push	0
		add	eax, 210h
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4818B7
; END OF FUNCTION CHUNK	FOR MiReleasePageFileInfo
; 

loc_5B4B36:				; CODE XREF: .text:00481D09j
		cmp	ecx, 0FFFFFFFFh
		jnb	loc_481B39
		jmp	loc_481D0F
; 

loc_5B4B44:				; CODE XREF: .text:00481E11j
		test	esi, esi
		jz	short loc_5B4B4B
		mov	edx, [eax+4]

loc_5B4B4B:				; CODE XREF: .text:005B4B46j
		mov	eax, ds:dword_40BA68[ecx*4]
		not	eax
		or	eax, edx
		push	0
		push	eax
		jmp	loc_481B2F
; 

loc_5B4B5E:				; CODE XREF: .text:00481BBBj
		mov	eax, [edx+58h]
		lea	ecx, [edx+54h]
		test	al, 1
		jz	short loc_5B4B84
		cmp	eax, 1
		jnz	short loc_5B4B77
		xor	ecx, ecx
		mov	[ebp+8], ecx
		jmp	loc_481BC1
; 

loc_5B4B77:				; CODE XREF: .text:005B4B6Bj
		or	ecx, 1
		xor	ecx, eax
		mov	[ebp+8], ecx
		jmp	loc_481BC1
; 

loc_5B4B84:				; CODE XREF: .text:005B4B66j
		mov	ecx, eax
		mov	[ebp+8], eax
		jmp	loc_481BC1
; 
; START	OF FUNCTION CHUNK FOR MiFlushTbAsNeeded

loc_5B4B8E:				; CODE XREF: MiFlushTbAsNeeded+1D7j
		mov	eax, [ebp+var_AC]
		push	ecx
		sub	eax, ebx
		push	eax
		push	esi
		push	5100h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5B4BA6:				; CODE XREF: MiValidateInPage+94j
		mov	eax, 1
		jmp	loc_48214C
; END OF FUNCTION CHUNK	FOR MiFlushTbAsNeeded
; 
; START	OF FUNCTION CHUNK FOR MiValidateInPage

loc_5B4BB0:				; CODE XREF: MiValidateInPage+100j
		cmp	[ebp+var_8], 1
		jbe	loc_4821B6
		mov	eax, [ebp+var_10]
		or	eax, 1
		jmp	short loc_5B4BD6
; 

loc_5B4BC2:				; CODE XREF: MiValidateInPage+118j
		test	byte ptr [ebp+var_14], 2
		mov	[ebp+var_4], eax
		jz	loc_4821CE
		mov	[ebp+var_24], 3

loc_5B4BD6:				; CODE XREF: MiValidateInPage+132B10j
		mov	[ebp+var_4], eax
		jmp	loc_4821CE
; 

loc_5B4BDE:				; CODE XREF: MiValidateInPage+137j
		test	al, 1
		jz	loc_4821ED
		and	eax, 0FFFFFFFBh
		mov	[ebp+var_4], eax
		jmp	loc_4821ED
; 

loc_5B4BF1:				; CODE XREF: MiValidateInPage+152j
		test	byte ptr [edx+6], 1
		jz	short loc_5B4C01
		mov	eax, [edx+0Ch]
		push	edx
		push	eax
		call	MmUnmapLockedPages

loc_5B4C01:				; CODE XREF: MiValidateInPage+132B45j
		inc	ds:dword_6D06D8
		mov	edx, 2
		lea	ecx, [edx+2]
		call	KeFlushTb
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_C]
		jmp	loc_482208
; 

loc_5B4C1F:				; CODE XREF: MiValidateInPage+2B7j
		push	0C0000010h
		push	0
		push	0
		push	1
		push	0
		push	edx
		call	MmMapLockedPagesSpecifyCache
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	eax, [ebp+var_4]
		jmp	loc_482370
; 

loc_5B4C3F:				; CODE XREF: MiValidateInPage+2D0j
		mov	eax, [ebp+var_20]
		cmp	dword ptr [eax+18h], 0
		jnz	loc_482386
		mov	ecx, eax
		call	_MiGetSectionStrongImageReference@4 ; MiGetSectionStrongImageReference(x)
		test	eax, eax
		js	loc_4822EA
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_10]
		jmp	loc_482386
; 

loc_5B4C66:				; CODE XREF: MiValidateInPage+302j
		mov	[ebp+var_10], 0
		jmp	loc_482217
; 

loc_5B4C72:				; CODE XREF: MiValidateInPage+284j
		mov	eax, [ebp+var_4]
		mov	[ebp+var_30], 0C0000434h
		test	al, 1
		jz	loc_48226B
		test	ds:_MiFlags, 4000h
		jz	loc_48226B
		test	dword ptr [edi+78h], 10000h
		jz	loc_48226B
		or	eax, 8
		mov	[ebp+var_4], eax
		jmp	loc_48226B
; 

loc_5B4CAC:				; CODE XREF: MiValidateInPage+1F6j
		or	edx, 842h
		mov	[ebp+var_20], 0
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_5B4D07
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5B4CEF
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	[ebp+var_20], 1
		jnz	short loc_5B4D07

loc_5B4CDB:				; CODE XREF: MiValidateInPage+132C55j
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		mov	eax, [ebp+var_8]
		jz	short loc_5B4D0A
		or	eax, 80000000h
		jmp	short loc_5B4D0A
; 

loc_5B4CEF:				; CODE XREF: MiValidateInPage+132C19j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_5B4CDB

loc_5B4D07:				; CODE XREF: MiValidateInPage+132C10j
					; MiValidateInPage+132C29j
		mov	eax, [ebp+var_8]

loc_5B4D0A:				; CODE XREF: MiValidateInPage+132C36j
					; MiValidateInPage+132C3Dj
		mov	[ecx+4], eax
		nop
		cmp	[ebp+var_20], 0
		mov	[ecx], edx
		jz	short loc_5B4D1D
		push	eax
		push	edx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_5B4D1D:				; CODE XREF: MiValidateInPage+132C64j
		test	ds:_MiFlags, 300h
		jnz	loc_4822AC
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	KeFlushSingleTb
		jmp	loc_4822AC
; END OF FUNCTION CHUNK	FOR MiValidateInPage
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStWorker

loc_5B4D3D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+A3j
		mov	ecx, 0C000009Ah
		jmp	loc_482672
; 

loc_5B4D47:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+63Bj
		mov	ecx, [esp+70h+var_4C]
		mov	al, 1
		shl	al, cl
		mov	ecx, [esp+70h+var_5C]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [esp+70h+var_58]
		jmp	loc_482C05
; 

loc_5B4D65:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+7FBj
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+70h+var_5C]
		jmp	loc_482DB1
; 

loc_5B4D78:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+82Aj
		push	[esp+70h+var_40]
		lea	edx, [esi+10F8h]
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [esp+70h+var_5C]
		jmp	loc_482C1D
; 

loc_5B4D90:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+182j
		cmp	[esp+70h+var_44], 0
		jnz	loc_482738
		mov	edx, [esp+70h+var_5C]
		mov	ecx, esi
		mov	[esp+70h+var_50], 0C00002FEh
		call	?StStoreWorkItemCleanup@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StStoreWorkItemCleanup(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)
		jmp	loc_4828DC
; 

loc_5B4DB3:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+18Ej
		test	byte ptr [edx],	7
		jnz	loc_482744
		mov	eax, 0C00002FEh
		jmp	loc_48274B
; 

loc_5B4DC6:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+2A5j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [esp+70h+var_20]
		jmp	loc_48286B
; 

loc_5B4DDC:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+76Cj
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_482D22
; 

loc_5B4DED:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+799j
		push	[esp+70h+var_20]
		mov	edx, [esp+74h+var_4C]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_482883
; 

loc_5B4E01:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+2FDj
		nop
		add	eax, 70h
		cmp	[eax], eax
		jz	loc_4828B3
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4828B3
; 

loc_5B4E17:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+43Cj
		mov	ecx, [esp+70h+var_48]
		mov	al, 1
		shl	al, cl
		mov	ecx, [esp+70h+var_5C]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [esp+70h+var_58]
		jmp	loc_482A06
; 

loc_5B4E35:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+847j
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+70h+var_5C]
		jmp	loc_482DFD
; 

loc_5B4E48:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+876j
		push	[esp+70h+var_20]
		lea	edx, [esi+10F8h]
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [esp+70h+var_5C]
		jmp	loc_482A1E
; 

loc_5B4E60:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+7CEj
		mov	eax, [esp+70h+var_20]
		push	0
		push	[esp+74h+var_4C]
		push	eax
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B4E76:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+4A4j
		push	0
		push	[esp+88h+var_54]
		push	dword ptr [esp+2Ch]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B4E8B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+73Cj
		mov	eax, [esp+98h+var_4C]
		push	0
		push	[esp+9Ch+var_68]
		push	eax
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B4EA1:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+6F8j
					; SMKM_STORE_SM_TRAITS___SmStWorker+132906j
		lea	eax, [esp+0ACh+var_4C]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		cmp	dword ptr [esi+12BCh], 0
		jnz	short loc_5B4EA1
		jmp	loc_482CAE
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStWorker
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStWorkItemGet

loc_5B4EBD:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+2Ej
		mov	ecx, ebx
		call	@KiAcquireSpinLockInstrumented@4 ; KiAcquireSpinLockInstrumented(x)
		jmp	loc_482E9F
; 

loc_5B4EC9:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+4Dj
		mov	edi, [ecx]
		mov	eax, [edi]
		and	eax, 0FFFFFFF8h
		mov	[ecx], eax
		cmp	edi, edx
		jnz	short loc_5B4EE1
		mov	[ecx+4], ecx
		mov	dword ptr [ecx], 0
		jmp	short loc_5B4EF3
; 

loc_5B4EE1:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+132074j
		mov	ecx, [edx]
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		dec	eax
		shl	eax, 3
		or	ecx, eax
		mov	[edx], ecx

loc_5B4EF3:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+13207Fj
		mov	eax, [esi+112Ch]
		dec	eax
		mov	[esi+112Ch], eax
		mov	eax, [ebp+var_8]
		mov	dword ptr [eax], 1
		jmp	loc_482F5E
; 

loc_5B4F0E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+61j
		mov	edi, [ecx]
		mov	eax, [edi]
		and	eax, 0FFFFFFF8h
		mov	[ecx], eax
		cmp	edi, edx
		jnz	short loc_5B4F26
		mov	[ecx+4], ecx
		mov	dword ptr [ecx], 0
		jmp	short loc_5B4F38
; 

loc_5B4F26:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+1320B9j
		mov	ecx, [edx]
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		dec	eax
		shl	eax, 3
		or	ecx, eax
		mov	[edx], ecx

loc_5B4F38:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+1320C4j
		mov	eax, [esi+1128h]
		dec	eax
		mov	[esi+1128h], eax
		jmp	loc_482F5E
; 

loc_5B4F4A:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+80j
		mov	ecx, 1
		jmp	loc_482EED
; 

loc_5B4F54:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+A7j
		mov	al, [esi+10F6h]
		movzx	eax, al
		cmp	eax, 4
		jnz	short loc_5B4F6A
		mov	eax, [esi+12B8h]
		jmp	short loc_5B4F71
; 

loc_5B4F6A:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+132100j
		mov	eax, ds:?PriorityByMemoryCondition@?1??SmStGetPriorityByMemoryCondition@?$SMKM_STORE@USM_TRAITS@@@@SGJW4_SMP_MEMORY_CONDITION@@J@Z@4PAJA[eax*4]	; long * `SMKM_STORE<SM_TRAITS>::SmStGetPriorityByMemoryCondition(_SMP_MEMORY_CONDITION,long)'::`2'::PriorityByMemoryCondition

loc_5B4F71:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+132108j
		push	eax
		mov	eax, [esi+1178h]
		push	eax
		call	KeSetActualBasePriorityThread
		jmp	loc_482F0D
; 

loc_5B4F83:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+12Aj
					; SMKM_STORE_SM_TRAITS___SmStWorkItemGet+13214Cj
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, ds:dword_7186C4
		mov	[esi+113Ch], eax
		mov	eax, ds:_KeTickCount
		mov	[esi+1138h], eax
		mov	eax, ds:dword_7186C8
		cmp	[esi+113Ch], eax
		jnz	short loc_5B4F83
		jmp	loc_482F90
; 

loc_5B4FB3:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+136j
		cmp	byte ptr [esi+10F4h], 0
		jz	loc_482F9C
		mov	eax, [esi+958h]
		movzx	ecx, byte ptr [edi+4]
		shl	ecx, 0Ch
		mov	eax, [eax+10h]
		cmp	[eax], ecx
		jnb	short loc_5B4FDB

loc_5B4FD4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+132179j
		add	eax, 20h
		cmp	[eax], ecx
		jb	short loc_5B4FD4

loc_5B4FDB:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+132172j
		mov	edx, [eax+8]
		mov	eax, [eax+0Ch]
		mov	ecx, [esi+1144h]
		mov	[ebp+var_8], eax
		mov	eax, [esi+1140h]
		cmp	ecx, [ebp+var_8]
		jb	loc_482FCE
		ja	short loc_5B5003
		cmp	eax, edx
		jbe	loc_482FCE

loc_5B5003:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+132199j
		sub	eax, edx
		mov	[esi+1140h], eax
		sbb	ecx, [ebp+var_8]
		mov	[esi+1144h], ecx
		jmp	loc_482F9C
; 

loc_5B5019:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemGet+143j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_482FAE
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStWorkItemGet
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StWorkItemProcess

loc_5B5028:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess:loc_483178j
					; DATA XREF: .text:0048338Co
		lea	edx, [ecx+23Ch]
		add	ecx, 38h
		push	esi
		call	ST_STORE_SM_TRAITS___StDmPageRetrieve
		jmp	loc_48313C
; 

loc_5B503C:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess:loc_483178j
					; DATA XREF: .text:00483390o
		mov	edx, esi
		call	?StGetStats@?$ST_STORE@USM_TRAITS@@@@SGJPAU1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StGetStats(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)
		jmp	loc_48313C
; 

loc_5B5048:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+D3j
		mov	edi, 0C0000189h
		jmp	loc_48313E
; 

loc_5B5052:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+1B8j
					; DATA XREF: .text:off_4833A4o
		mov	edi, 0C000000Dh	; case 0x5
		jmp	loc_483329	; default
; 

loc_5B505C:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+166j
		mov	eax, 4C8h
		jmp	loc_483251
; 

loc_5B5066:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+EEj
		mov	esi, [esp+20h+var_14]
		lea	ecx, [esi+38h]
		call	?StDmEtaRefresh@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		mov	edi, eax
		mov	eax, [esp+20h+var_10]
		mov	[esp+20h+var_10], eax
		jmp	loc_483142
; 

loc_5B5081:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+F7j
		mov	edx, esi
		mov	esi, [esp+20h+var_14]
		mov	ecx, esi
		call	?StMetaRegionsUpdate@?$ST_STORE@USM_TRAITS@@@@SGJPAU1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)
		mov	edi, eax
		mov	[esp+20h+var_10], 0
		jmp	loc_483142
; 

loc_5B509D:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+255j
		mov	eax, 0C8h
		mov	ecx, 7D0h
		jmp	loc_483345
; 

loc_5B50AC:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+109j
		cmp	ecx, 6
		jnz	short loc_5B511B
		mov	ecx, 0FFFFFFFEh
		lea	eax, [esi+8]
		lock and [eax],	cx
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	esi, [esp+20h+var_14]
		sub	eax, [esi+10E8h]
		sbb	edx, [esi+10ECh]
		mov	[esp+20h+var_4], edx
		jnz	short loc_5B50E5
		cmp	eax, 989680h
		jb	loc_4831FF

loc_5B50E5:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+131FF8j
		lea	ecx, [esi+38h]
		mov	edx, 2
		call	ST_STORE_SM_TRAITS___StDmCheckForCompaction
		cmp	eax, 2
		jnz	loc_4831FF
		lea	ecx, [esi+38h]
		call	?StCompactionPerformEmergency@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	[esi+10E8h], eax
		mov	[esi+10ECh], edx
		jmp	loc_4831FF
; 

loc_5B511B:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+131FCFj
		mov	esi, [esp+20h+var_14]
		mov	edi, 0C000000Dh
		jmp	loc_483152
; 

loc_5B5129:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess:loc_483178j
					; DATA XREF: .text:004833A0o
		mov	eax, [esi+10h]
		mov	edx, esi
		and	al, 2
		movzx	ecx, al
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 490h
		add	ecx, 38h
		add	ecx, [esp+20h+var_14]
		call	?StDmDeviceIoCompletion@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)
		mov	eax, 103h
		jmp	loc_483171
; 

loc_5B5153:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+1E5j
		call	?StDmEtaRefresh@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		jmp	loc_4832D5
; 

loc_5B515D:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+212j
					; ST_STORE_SM_TRAITS___StWorkItemProcess+1320BEj
		mov	bl, [esi+47Ch]
		xor	edx, edx
		mov	al, bl
		mov	ecx, esi
		or	al, 3
		mov	[esi+47Ch], al
		call	ST_STORE_SM_TRAITS___StCompactionPerformInMem
		mov	cl, [esi+47Ch]
		xor	cl, bl
		and	cl, 3
		xor	[esi+47Ch], cl
		test	eax, eax
		js	loc_4832D5
		mov	edx, 1
		mov	ecx, esi
		call	ST_STORE_SM_TRAITS___StDmCheckForCompaction
		cmp	eax, 2
		jz	short loc_5B515D
		jmp	loc_4832D5
; 

loc_5B51A5:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess:loc_483178j
					; DATA XREF: .text:00483394o
		lea	eax, [esp+20h+var_8]
		mov	edx, esi
		push	eax
		call	?StChangeState@?$ST_STORE@USM_TRAITS@@@@SGJPAU1@PAU_ST_WORK_ITEM@1@PAJ@Z ; ST_STORE<SM_TRAITS>::StChangeState(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *,long *)
		mov	ebx, [esp+20h+var_8]
		jmp	loc_48313C
; 

loc_5B51BA:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+68j
		mov	ecx, [esp+20h+var_14]
		xor	edx, edx
		call	?StEmptyStore@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@K@Z ; ST_STORE<SM_TRAITS>::StEmptyStore(ST_STORE<SM_TRAITS> *,ulong)
		mov	esi, [esp+20h+var_14]
		jmp	loc_48314E
; 

loc_5B51CE:				; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+78j
		mov	ecx, [esp+20h+var_14]
		call	?StStoreWorkItemCleanup@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StStoreWorkItemCleanup(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)
		mov	esi, [esp+20h+var_14]
		mov	eax, [esp+20h+var_C]
		jmp	loc_48315E
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StWorkItemProcess
; 
; START	OF FUNCTION CHUNK FOR KiQueryUnbiasedInterruptTime

loc_5B51E4:				; CODE XREF: KiQueryUnbiasedInterruptTime+47j
		mov	esi, 0FFDF000Ch
		lea	edi, [esi-4]

loc_5B51EC:				; CODE XREF: KiQueryUnbiasedInterruptTime+131DCFj
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	edx, [esi]
		mov	eax, 0FFDF0010h
		mov	ecx, [edi]
		cmp	edx, [eax]
		jnz	short loc_5B51EC
		mov	esi, [ebp+var_4]
		mov	edi, [ebp+var_C]
		jmp	loc_48347D
; END OF FUNCTION CHUNK	FOR KiQueryUnbiasedInterruptTime
; 
; START	OF FUNCTION CHUNK FOR MiInsertPrivateVad

loc_5B520C:				; CODE XREF: MiInsertPrivateVad+14j
		mov	eax, [edx+24Ch]
		inc	dword ptr [eax+0B0h]
		jmp	loc_4834C6
; END OF FUNCTION CHUNK	FOR MiInsertPrivateVad
; 
; START	OF FUNCTION CHUNK FOR MiGatherPagefilePages

loc_5B521D:				; CODE XREF: MiGatherPagefilePages+3Fj
		mov	edx, ecx
		mov	ecx, ebx
		call	_MiPageFileNoFreeSpace@8 ; MiPageFileNoFreeSpace(x,x)
		jmp	loc_4839D3
; 

loc_5B522B:				; CODE XREF: MiGatherPagefilePages+121j
		mov	eax, [esp+60h+var_48]
		jmp	loc_483615
; 

loc_5B5234:				; CODE XREF: MiGatherPagefilePages+16Cj
		lea	eax, [edx+254h]
		xor	edi, edi
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [esp+60h+var_34]
		mov	[esp+60h+var_4D], al
		cmp	byte ptr [ecx+25Ah], 0
		jz	short loc_5B5268
		mov	byte ptr [ecx+25Ah], 0
		mov	edi, 1
		mov	byte ptr [ecx+258h], 0
		jmp	short loc_5B5279
; 

loc_5B5268:				; CODE XREF: MiGatherPagefilePages+131D81j
		mov	al, [ecx+258h]
		test	al, al
		jz	short loc_5B5279
		movzx	ebx, al
		mov	[esp+60h+var_44], ebx

loc_5B5279:				; CODE XREF: MiGatherPagefilePages+131D96j
					; MiGatherPagefilePages+131DA0j
		lea	eax, [ecx+254h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+60h+var_4D]
		call	[esp+60h+var_2C]
		test	edi, edi
		jz	short loc_5B529F
		push	offset _Mi30Milliseconds
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)

loc_5B529F:				; CODE XREF: MiGatherPagefilePages+131DBFj
		mov	eax, [esp+60h+var_48]
		jmp	loc_483642
; 

loc_5B52A8:				; CODE XREF: MiGatherPagefilePages+579j
		mov	ebx, 100h
		mov	[esp+60h+var_44], ebx
		jmp	loc_483658
; 

loc_5B52B6:				; CODE XREF: MiGatherPagefilePages+5B5j
		mov	edx, edi
		mov	ecx, ebx
		call	_MiPageFileNoFreeSpace@8 ; MiPageFileNoFreeSpace(x,x)
		jmp	loc_4839CF
; 

loc_5B52C4:				; CODE XREF: MiGatherPagefilePages+2BFj
		lea	eax, [esi+eax*4]
		mov	[esp+60h+var_10], eax
		lea	eax, [esi+edi*4]
		mov	[esp+60h+var_C], eax
		mov	esi, eax

loc_5B52D4:				; CODE XREF: MiGatherPagefilePages+131E41j
		mov	eax, [esi]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [eax+ecx*4]
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		push	1
		mov	ecx, edi
		mov	bl, al
		call	MiWriteCompletePfn
		lea	ecx, [edi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, bl
		call	[esp+60h+var_2C]
		add	esi, 4
		cmp	esi, [esp+60h+var_10]
		jb	short loc_5B52D4
		mov	edi, [esp+60h+var_24]
		mov	eax, edi
		mov	ecx, [esp+60h+var_30]
		sub	eax, ecx
		add	[esp+60h+var_20], eax
		sub	ecx, edi
		mov	edx, ecx
		mov	ecx, [esp+60h+var_34]
		push	0
		call	_MiReleaseWriteInProgressCharges@12 ; MiReleaseWriteInProgressCharges(x,x,x)
		mov	esi, [esp+60h+var_28]
		mov	ebx, [esp+60h+var_38]
		jmp	loc_483795
; 

loc_5B533F:				; CODE XREF: MiGatherPagefilePages+3B1j
		push	[esp+60h+var_14]
		mov	ecx, [esp+64h+var_8]
		push	[esp+64h+var_20]
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_483887
; 

loc_5B5355:				; CODE XREF: MiGatherPagefilePages+434j
		cmp	eax, 420h
		jnb	short loc_5B5364
		mov	ebx, 4
		dec	ecx
		jmp	short loc_5B5366
; 

loc_5B5364:				; CODE XREF: MiGatherPagefilePages+131E8Aj
		xor	ecx, ecx

loc_5B5366:				; CODE XREF: MiGatherPagefilePages+131E92j
		mov	[edx+1FCh], ecx
		jmp	loc_483920
; 

loc_5B5371:				; CODE XREF: MiGatherPagefilePages+43Fj
		mov	dword ptr [edx+1FCh], 20h
		jmp	short loc_5B5387
; 

loc_5B537D:				; CODE XREF: MiGatherPagefilePages+44Aj
		mov	dword ptr [edx+1FCh], 8

loc_5B5387:				; CODE XREF: MiGatherPagefilePages+131EABj
		mov	ebx, 4
		jmp	loc_483920
; 

loc_5B5391:				; CODE XREF: MiGatherPagefilePages+656j
		lea	esi, [ebx+8]
		mov	cl, 1
		mov	[esi], eax
		mov	dword ptr [ebx+0Ch], 0
		call	[esp+60h+var_24]
		push	0
		push	esi
		push	[esp+68h+var_40]
		mov	bl, al
		call	MiWriteComplete
		mov	cl, bl
		call	[esp+60h+var_2C]
		jmp	loc_4839CF
; 

loc_5B53BC:				; CODE XREF: MiGatherPagefilePages+611j
		mov	edi, [esp+60h+var_40]
		mov	cl, 1
		mov	dword ptr [edx], 0
		mov	eax, [esi+14h]
		mov	[edi+0Ch], eax
		call	[esp+60h+var_24]
		push	0
		lea	esi, [edi+8]
		mov	bl, al
		push	esi
		push	edi
		call	MiWriteComplete
		mov	cl, bl
		call	[esp+60h+var_2C]
		jmp	loc_4839CF
; END OF FUNCTION CHUNK	FOR MiGatherPagefilePages
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmPageAdd

loc_5B53EB:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+23j
		push	40000010h
		push	0
		push	0
		push	1
		push	0
		push	ebx
		call	MmMapLockedPagesSpecifyCache
		jmp	loc_483D4C
; 

loc_5B5403:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+39j
		shr	ebx, 0Ch
		xor	ecx, ecx
		mov	[ebp+var_8], ebx
		jmp	loc_483D68
; 

loc_5B5410:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+55j
		mov	eax, 1
		jmp	loc_483D89
; 

loc_5B541A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+B4j
		inc	[ebp+var_14]
		add	[ebp+var_18], 1000h
		mov	ecx, [ebp+var_C]
		jmp	loc_483D70
; 

loc_5B542C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+D2j
		lea	ecx, [eax+18h]
		mov	eax, [eax+18h]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], eax
		call	KeQueryInterruptTime
		mov	ecx, eax
		mov	eax, [ebp+var_10]
		cmp	edx, [eax+0Ch]
		jb	short loc_5B5459
		ja	short loc_5B544E
		cmp	ecx, [eax+8]
		jb	short loc_5B5459

loc_5B544E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+131727j
		push	edx
		push	ecx
		mov	ecx, eax
		call	_StIoCountsMovePeriod@12 ; StIoCountsMovePeriod(x,x,x)
		jmp	short loc_5B545C
; 

loc_5B5459:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+131725j
					; ST_STORE_SM_TRAITS___StDmPageAdd+13172Cj
		mov	eax, [ebp+var_C]

loc_5B545C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+131737j
		add	[eax], ebx
		jmp	loc_483DF8
; 

loc_5B5463:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+2Ej
		mov	edx, 0C000009Ah
		jmp	loc_483DFA
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmPageAdd
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmPageWrite

loc_5B546D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+8Cj
		mov	esi, 0C00002CAh
		jmp	short loc_5B54DB
; 

loc_5B5474:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+B1j
					; SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+C0j
		mov	eax, 20h
		mov	ecx, 69576D73h
		jmp	loc_48413A
; 

loc_5B5483:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+253j
		mov	esi, 0C000009Ah
		jmp	short loc_5B54DB
; 

loc_5B548A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+10Aj
		or	eax, 40000000h
		mov	[edi+4], eax
		jmp	loc_484010
; 

loc_5B5497:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+13Ej
		mov	ecx, [ecx+0Ch]
		jmp	loc_48405F
; 

loc_5B549F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+164j
		mov	esi, 0C0000088h
		jmp	short loc_5B54DB
; 

loc_5B54A6:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+1E4j
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_4840EF
; 

loc_5B54B0:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+20Ej
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_48411A
; 

loc_5B54BF:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+171j
					; SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+17Dj
		push	0
		push	edx
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	edi
		push	esi
		push	[ebp+var_10]
		call	SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate
		mov	esi, eax
		test	esi, esi
		jns	loc_484122

loc_5B54DB:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+1AAj
					; SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+131572j ...
		mov	eax, [ebp+arg_0]
		mov	ecx, ebx
		mov	edx, [eax+10F0h]
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		test	edi, edi
		jz	short loc_5B5505
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5B5505:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+1315FBj
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_5B5515
		push	[ebp+arg_4]
		push	eax
		call	MmUnmapLockedPages

loc_5B5515:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+13160Aj
		mov	ecx, [ebp+arg_C]

loc_5B5518:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+13162Ej
		xor	eax, eax
		mov	[ecx+4], eax
		mov	eax, esi
		mov	[ecx], esi
		jmp	loc_484127
; 

loc_5B5526:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+51j
					; SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+72j
		mov	ecx, [ebp+arg_C]

loc_5B5529:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageWrite+40j
		mov	esi, 0C000000Dh
		jmp	short loc_5B5518
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmPageWrite
; 
; START	OF FUNCTION CHUNK FOR MiRemoveSecureEntry

loc_5B5530:				; CODE XREF: MiRemoveSecureEntry+34j
		mov	eax, offset unk_6D3C40
		jmp	loc_4841E0
; 

loc_5B553A:				; CODE XREF: MiRemoveSecureEntry+9Cj
		push	0
		push	edi
		push	[ebp+var_8]
		push	15001h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5B554D:				; CODE XREF: MiSetVadFlags+23j
		test	dl, 2
		jnz	short loc_5B5564
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 2
		lock cmpxchg [esi], ecx
		mov	edx, eax
		jmp	loc_4842A0
; 

loc_5B5564:				; CODE XREF: MiRemoveSecureEntry+1313B0j
		mov	[ebp+var_8], 0

loc_5B556B:				; CODE XREF: MiRemoveSecureEntry+1313D8j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	edx, [esi]
		test	dl, 1
		jnz	short loc_5B556B
		jmp	loc_4842A0
; END OF FUNCTION CHUNK	FOR MiRemoveSecureEntry
; 
; START	OF FUNCTION CHUNK FOR MiSetVadFlags

loc_5B557F:				; CODE XREF: MiSetVadFlags+39j
		mov	edx, eax
		jmp	loc_4842A0
; 

loc_5B5586:				; CODE XREF: MiSetVadFlags+6Dj
		mov	eax, [ebp+arg_0]
		and	ecx, 0FFBFFFFFh
		shl	eax, 16h
		or	ecx, eax
		jmp	loc_4842F3
; 

loc_5B5599:				; CODE XREF: MiSetVadFlags+8Dj
					; MiSetVadFlags+131326j
		mov	ecx, eax
		mov	edx, eax
		and	ecx, 0FFFFFFFCh
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_5B5599
		jmp	loc_484313
; END OF FUNCTION CHUNK	FOR MiSetVadFlags
; 
; START	OF FUNCTION CHUNK FOR MiUnlockWorkingSetExclusive

loc_5B55AD:				; CODE XREF: MiUnlockWorkingSetExclusive+76j
		mov	esi, 1
		mov	[ebp+var_C], esi
		jmp	loc_4844EC
; 

loc_5B55BA:				; CODE XREF: MiUnlockWorkingSetExclusive+AEj
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_48452A
; 

loc_5B55C9:				; CODE XREF: MiUnlockWorkingSetExclusive+CAj
					; MiUnlockWorkingSetExclusive+131167j
		mov	esi, [eax]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_5B55C9
		mov	esi, [ebp+var_C]
		jmp	loc_484540
; END OF FUNCTION CHUNK	FOR MiUnlockWorkingSetExclusive
; 
; START	OF FUNCTION CHUNK FOR MiObtainReferencedSecureVad

loc_5B55E1:				; CODE XREF: MiObtainReferencedSecureVad+57j
		and	byte ptr [esi+304h], 0FDh
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jz	short loc_5B55FF
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_5B55FF:				; CODE XREF: MiObtainReferencedSecureVad+131046j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp+var_4]
		mov	dword ptr [ecx], 0C000010Ah
		jmp	short loc_5B5670
; 

loc_5B5618:				; CODE XREF: MiObtainReferencedSecureVad+6Bj
		push	0
		push	[ebp+var_10]
		push	ebx
		push	15000h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B562A:				; CODE XREF: MiObtainReferencedSecureVad+7Bj
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5B5631:				; CODE XREF: MiObtainReferencedSecureVad+D7j
		mov	ecx, edi
		call	_MiWaitForVadDeletion@4	; MiWaitForVadDeletion(x)
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx+0FCh]
		mov	ecx, [ebp+var_4]
		and	al, 20h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 6Ah
		add	eax, 0C00000A0h
		mov	[ecx], eax
		jmp	short loc_5B5670
; 

loc_5B5660:				; CODE XREF: MiObtainReferencedSecureVad+E0j
					; MiObtainReferencedSecureVad+E9j
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		mov	ecx, [ebp+var_4]
		mov	dword ptr [ecx], 0C00000A0h

loc_5B5670:				; CODE XREF: MiObtainReferencedSecureVad+131066j
					; MiObtainReferencedSecureVad+1310AEj
		xor	eax, eax
		jmp	loc_4846A1
; END OF FUNCTION CHUNK	FOR MiObtainReferencedSecureVad
; 
; START	OF FUNCTION CHUNK FOR SmKmStoreReference

loc_5B5677:				; CODE XREF: SmKmStoreReference+3Dj
		lea	ecx, [esi+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_48475B
; END OF FUNCTION CHUNK	FOR SmKmStoreReference
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete

loc_5B5684:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+F0j
		cmp	dword ptr [ebp-78h], 0
		jz	loc_484ABE
		jmp	loc_48488A
; 

loc_5B5693:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+35Bj
		lea	edx, [ebp-60h]
		call	?BTreeSearchResultDeref@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUSEARCH_RESULT@1@@Z ;	B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultDeref(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>	*,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)
		cmp	dword ptr [ebp-54h], 0FFFFFFFFh
		jnz	short loc_5B56AE
		mov	eax, [ebp-68h]
		mov	[ecx], edi
		mov	[ecx+4], eax
		jmp	loc_484AE4
; 

loc_5B56AE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+130F1Fj
		mov	eax, [edi+8]
		lea	edx, [ebp-60h]
		mov	ecx, [ebp-64h]
		push	eax
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	ecx, [ebp-54h]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_5B56D5
		test	ecx, ecx
		jz	short loc_5B56D5
		lea	ecx, ds:0FFFFFFFCh[ecx*8]
		add	ecx, [ebp-60h]
		jmp	short loc_5B56D8
; 

loc_5B56D5:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+130F43j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+130F47j
		lea	ecx, [ebp-58h]

loc_5B56D8:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+130F53j
		mov	eax, [ebp-68h]
		mov	[ecx], eax
		jmp	loc_484AE4
; 

loc_5B56E2:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+117j
		mov	edx, [ebp-68h]
		inc	esi
		jmp	loc_484830
; 

loc_5B56EB:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+2D3j
		push	0
		push	dword ptr [ebp-74h]
		push	dword ptr [ebp-6Ch]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B56FE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+210j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp-68h]
		jmp	loc_4849A6
; 

loc_5B5713:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+30Cj
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_484A92
; 

loc_5B5724:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete+339j
		push	dword ptr [ebp-74h]
		mov	edx, [ebp-6Ch]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4849BD
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue

loc_5B5736:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+6Dj
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_4]
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_484B9C
; 

loc_5B5746:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue+CBj
		mov	ecx, [edi+8]
		mov	eax, [ecx]
		push	eax
		mov	eax, [eax+0Ch]
		push	eax
		call	MmUnmapLockedPages
		mov	eax, [edi+18h]
		mov	edx, edi
		mov	ecx, [eax]
		mov	[eax], ebx
		mov	eax, [edi+18h]
		mov	dword ptr [eax+4], 0
		mov	eax, [edi+18h]
		push	eax
		push	ecx
		call	_SmIoRequestComplete@16	; SmIoRequestComplete(x,x,x,x)
		mov	eax, [edi+44h]
		mov	ecx, [ebp+var_8]
		mov	edx, [eax+10F0h]
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_484BD5
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxProcessReadyQueue
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate

loc_5B579E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+19Ej
		mov	edx, eax
		mov	ecx, esi
		call	KeAbPostReleaseEx
		jmp	loc_484EC4
; 

loc_5B57AC:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+553j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+568j
		test	byte ptr [ecx+7], 1
		jnz	loc_5B5AD0
		cmp	dword ptr [ebp-84h], 0
		mov	dword ptr [ebp-64h], 0C0000476h
		jnz	loc_5B5AC5
		test	byte ptr [ebx+18h], 1
		jz	loc_5B5AC5
		push	0
		push	0
		lea	eax, [ebp-0E0h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		cmp	dword ptr [ebp-88h], 0
		lea	ecx, [ebp-0E0h]
		mov	eax, [ebp-8Ch]
		mov	[eax+3F4h], ecx
		mov	[eax+3F0h], edi
		jz	short loc_5B582B
		mov	esi, [ebp-6Ch]
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_5B581F
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_5B581F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130AF6j
		mov	ecx, esi
		call	KeAbPostRelease
		jmp	loc_5B5A1D
; 

loc_5B582B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130AE3j
		mov	edx, [ebp-6Ch]
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5B5845
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp-6Ch]

loc_5B5845:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130B19j
		xor	esi, esi
		mov	[ebp-84h], esi
		test	edx, 7FFFFFFCh
		jz	loc_5B5A1A
		mov	eax, large fs:124h
		mov	ecx, edx
		mov	[ebp-64h], eax
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		cmp	edx, eax
		mov	[ebp-80h], eax
		mov	eax, [ebp-64h]
		jb	short loc_5B587F
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_5B588D

loc_5B587F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130B54j
		cmp	edx, [ebp-80h]
		jb	short loc_5B58A2
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_5B58A2

loc_5B588D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130B5Dj
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp-70h], eax
		mov	eax, [ebp-64h]
		jmp	short loc_5B58A8
; 

loc_5B58A2:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130B62j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130B6Bj
		or	ecx, 0FFFFFFFFh
		mov	[ebp-70h], ecx

loc_5B58A8:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130B80j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	dl, [eax+1E6h]
		mov	[ebp-65h], dl
		mov	edx, [ebp-6Ch]
		push	ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[ebp-80h], edx
		test	edx, edx
		jnz	short loc_5B58F7
		mov	ecx, [ebp-64h]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_5B5985
		push	edx
		push	dword ptr [ebp-70h]
		push	dword ptr [ebp-6Ch]
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B58F7:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130BB2j
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], esi
		jge	short loc_5B590F
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp-80h]

loc_5B590F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130BE3j
		mov	eax, [edx+2Ch]
		mov	esi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	esi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-80h], esi
		mov	[ebp-84h], esi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [ebp-64h]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	byte ptr [ebp-65h], 1
		mov	[ebp-70h], eax
		jnz	short loc_5B596F
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [ebp-70h]
		bts	eax, edx
		mov	[ecx+1E4h], al
		jmp	short loc_5B5985
; 

loc_5B596F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130C38j
		mov	ecx, [ebp-70h]
		mov	al, 1
		shl	al, cl
		mov	ecx, [ebp-64h]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp-80h]

loc_5B5985:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130BBFj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130C4Dj
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, esi
		and	eax, 1FFFFh
		mov	[ebp-70h], eax
		jz	short loc_5B59FD
		test	esi, 8000h
		jz	short loc_5B59AD
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp-64h]
		mov	eax, [ebp-70h]

loc_5B59AD:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130C7Ej
		test	byte ptr [ebp-82h], 1
		jz	short loc_5B59C6
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp-64h]
		mov	eax, [ebp-70h]

loc_5B59C6:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130C94j
		test	esi, 7FFFh
		jz	short loc_5B59E1
		and	esi, 7FFFh
		mov	edx, esi
		call	KiAbThreadUnboostCpuPriority
		mov	ecx, [ebp-64h]
		mov	eax, [ebp-70h]

loc_5B59E1:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130CACj
		test	dword ptr ds:byte_70EFC4, 200h
		mov	esi, [ebp-6Ch]
		jz	short loc_5B5A00
		push	eax
		mov	edx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [ebp-64h]
		jmp	short loc_5B5A00
; 

loc_5B59FD:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130C76j
		mov	esi, [ebp-6Ch]

loc_5B5A00:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130CCEj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130CDBj
		nop
		add	word ptr [ecx+13Eh], 1
		jnz	short loc_5B5A1D
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_5B5A1D
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_5B5A1D
; 

loc_5B5A1A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130B33j
		mov	esi, [ebp-6Ch]

loc_5B5A1D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130B06j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130CE9j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		lea	eax, [ebp-0C8h]
		mov	dword ptr [ebp-0C8h], 0FFD9DA60h
		push	eax
		push	0
		push	0
		push	1Ah
		lea	eax, [ebp-0E0h]
		mov	dword ptr [ebp-0C4h], 0FFFFFFFFh
		push	eax
		call	KeWaitForSingleObject
		cmp	dword ptr [ebp-88h], 0
		mov	[ebp-80h], eax
		jz	short loc_5B5A7C
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Eh]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		jmp	short loc_5B5A93
; 

loc_5B5A7C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130D40j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx

loc_5B5A93:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130D5Aj
		cmp	dword ptr [ebp-80h], 0
		mov	eax, [ebp-8Ch]
		mov	dword ptr [eax+3F4h], 0
		jnz	short loc_5B5ABE
		mov	eax, [ebp-0A0h]
		mov	dword ptr [ebp-84h], 1
		jmp	loc_484F00
; 

loc_5B5ABE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130D87j
		mov	dword ptr [ebp-64h], 0C0000476h

loc_5B5AC5:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130AA4j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130AAEj ...
		mov	esi, [ebp-88h]
		jmp	loc_484F7B
; 

loc_5B5AD0:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130A90j
		mov	dword ptr [ebp-64h], 0C0000435h
		jmp	short loc_5B5AC5
; 

loc_5B5AD9:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+3DDj
		test	eax, eax
		js	short loc_5B5AED
		mov	eax, 0C0000154h
		jmp	loc_485118
; 

loc_5B5AE7:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+413j
		inc	edi
		jmp	loc_4850E0
; 

loc_5B5AED:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+3FDj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+130DBBj
		mov	eax, [ebp-0ACh]
		test	eax, eax
		jz	loc_484F7B
		mov	edx, [ebp-0A4h]
		push	2
		push	ecx
		mov	ecx, [ebp-8Ch]
		push	eax
		call	SMKM_STORE_MGR_SM_TRAITS___SmFeAddComplete
		jmp	loc_484F7B
; 

loc_5B5B15:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+59Ej
		push	0
		push	dword ptr [ebp-0A4h]
		push	dword ptr [ebp-6Ch]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B5B2B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+350j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp-0B0h]
		jmp	loc_485086
; 

loc_5B5B43:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+612j
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_485338
; 

loc_5B5B54:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate+63Fj
		push	dword ptr [ebp-0A8h]
		mov	edx, [ebp-6Ch]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4850A0
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmFeAddInitiate
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey

loc_5B5B69:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+25j
		add	ebx, 4
		xor	edx, edx
		mov	[esp+20h+var_C], edx
		mov	dword ptr [ebx], 0
		jmp	loc_4853C7
; 

loc_5B5B7D:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+4Fj
		push	ebx
		push	eax
		mov	edx, 8
		call	SmArrayGrow
		test	eax, eax
		jnz	short loc_5B5B97
		mov	eax, 0C000009Ah
		jmp	loc_485439
; 

loc_5B5B97:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+13081Bj
		mov	edx, 1
		jmp	loc_4853C5
; 

loc_5B5BA1:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+152j
		mov	dword ptr [ebx], 0
		mov	dword ptr [ebx+4], 0
		jmp	loc_485434
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx

loc_5B5BB3:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+25j
		push	edi
		push	edx
		mov	edx, 8
		mov	ecx, eax
		call	SmArrayGrow
		test	eax, eax
		jnz	short loc_5B5BCF
		mov	eax, 0C000009Ah
		jmp	loc_485598
; 

loc_5B5BCF:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+1306B3j
		mov	ecx, [ebp+var_C]
		jmp	loc_48553B
; 

loc_5B5BD7:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+B5j
		mov	eax, 8
		jmp	loc_4855D0
; 

loc_5B5BE1:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+104j
		movzx	eax, word ptr [ecx]
		add	[ebp+var_4], eax
		mov	esi, [ebp+var_8]
		mov	eax, [ebp+var_4]
		jmp	short loc_5B5C08
; 

loc_5B5BEF:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+FCj
		test	eax, eax
		jns	loc_48561A
		movzx	eax, word ptr [ecx]
		mov	ecx, [ebp+var_4]
		mov	esi, [ebp+var_8]
		inc	ecx
		add	ecx, eax
		mov	[ebp+var_4], ecx
		mov	eax, ecx

loc_5B5C08:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+10Cj
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+1306DDj
		mov	ecx, [ebp+var_10]
		mov	[ebx-4], ecx
		jmp	loc_485622
; 

loc_5B5C13:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+E0j
		mov	edi, [ebp+var_14]
		cmp	eax, edi
		jle	loc_485622
		shr	edx, 18h
		sub	eax, edi
		test	dl, dl
		jnz	short loc_5B5C28
		dec	eax

loc_5B5C28:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+130715j
		mov	esi, ecx
		mov	ecx, [ebp+var_10]
		mov	[ebx-4], ecx
		jmp	loc_485622
; 

loc_5B5C35:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+12Fj
					; B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+18Fj
		mov	eax, 0C000009Ah
		jmp	loc_485597
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx
; 

loc_5B5C3F:				; CODE XREF: .text:0048571Fj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_48572A
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork

loc_5B5C4E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+182j
		mov	ecx, [esi]
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		lea	eax, ds:0FFFFFFF8h[eax*8]
		or	eax, ecx
		mov	[esi], eax
		jmp	loc_485945
; 

loc_5B5C68:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+77j
		xor	edx, edx
		jmp	loc_48584D
; 

loc_5B5C6F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+8Aj
		mov	ecx, [edi]
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		lea	eax, ds:0FFFFFFF8h[eax*8]
		or	eax, ecx
		mov	[edi], eax
		jmp	loc_48584D
; 

loc_5B5C89:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+B0j
		xor	ecx, ecx
		jmp	loc_48586F
; 

loc_5B5C90:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+5Dj
		mov	eax, [ebp-20h]
		mov	edi, [ebp-4]
		test	eax, eax
		jz	loc_485881
		push	eax
		push	0FFFFFFFFh
		lea	ecx, [edi+3ACh]
		mov	edx, 5
		call	SmFpFree
		jmp	loc_485881
; 

loc_5B5CB6:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+D9j
		mov	ecx, [ebp-28h]
		mov	[ebp-0Ch], ecx
		mov	eax, [ecx]
		and	eax, 0FFFFFFF8h
		mov	[ebp-28h], eax
		cmp	ecx, edx
		jnz	short loc_5B5CD7
		lea	eax, [ebp-28h]
		mov	dword ptr [ebp-28h], 0
		mov	[ebp-24h], eax
		jmp	short loc_5B5CEF
; 

loc_5B5CD7:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+130516j
		mov	ecx, [edx]
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		lea	eax, ds:0FFFFFFF8h[eax*8]
		or	eax, ecx
		mov	ecx, [ebp-0Ch]
		mov	[edx], eax

loc_5B5CEF:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork+130525j
		mov	edx, ecx
		mov	ecx, edi
		push	0FFFFFFFFh
		call	SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFreeResource
		jmp	loc_485881
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmIoCtxQueueWork
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue

loc_5B5CFF:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+109j
		mov	esi, [ebp-1Ch]
		mov	edx, [ebp-20h]
		mov	dword ptr [ebp-14h], 0C000009Ah
		jmp	loc_485A2A
; 

loc_5B5D11:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+69j
		mov	edx, [ebp-20h]
		jmp	loc_485A12
; 

loc_5B5D19:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+A5j
		mov	eax, [edx]
		and	eax, 0FFFFFFF8h
		mov	[ebp-20h], eax
		cmp	edx, esi
		jnz	short loc_5B5D34
		lea	eax, [ebp-20h]
		mov	dword ptr [ebp-20h], 0
		mov	[ebp-1Ch], eax
		jmp	short loc_5B5D49
; 

loc_5B5D34:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+130393j
		mov	ecx, [esi]
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		lea	eax, ds:0FFFFFFF8h[eax*8]
		or	eax, ecx
		mov	[esi], eax

loc_5B5D49:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+1303A2j
		mov	ecx, [ebp-8]
		push	edi
		call	SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFreeResource
		mov	esi, [ebp-1Ch]
		mov	edx, [ebp-20h]
		jmp	loc_485A30
; 

loc_5B5D5D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue+AFj
		mov	ecx, [ebp-8]
		mov	edx, 5
		push	dword ptr [ebp-10h]
		push	edi
		lea	ecx, [ecx+3ACh]
		call	SmFpFree
		jmp	loc_485A45
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmIoCtxPrepareToQueue
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStWorkItemQueue

loc_5B5D79:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+1E3j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_485CAE
; 

loc_5B5D88:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+46j
		mov	eax, 112Ch
		mov	[ebp+var_C], eax
		mov	eax, 1120h
		jmp	loc_485B21
; 

loc_5B5D9A:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+4Fj
		test	dword ptr [ebx+4], 1000000h
		jnz	loc_485B15
		mov	eax, 1128h
		mov	[ebp+var_C], eax
		mov	eax, 1110h
		jmp	loc_485B21
; 

loc_5B5DB9:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+D9j
		cmp	byte ptr [esi+10F4h], 0
		jz	loc_485B9F
		mov	eax, [esi+958h]
		movzx	ecx, byte ptr [ebx+4]
		shl	ecx, 0Ch
		mov	edx, [eax+10h]
		cmp	[edx], ecx
		jnb	short loc_5B5DE1

loc_5B5DDA:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+13031Fj
		add	edx, 20h
		cmp	[edx], ecx
		jb	short loc_5B5DDA

loc_5B5DE1:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+130318j
		xor	eax, eax
		mov	[edx+4], ax
		mov	eax, [edx+8]
		mov	edx, [edx+0Ch]
		add	[esi+1140h], eax
		adc	[esi+1144h], edx
		jmp	loc_485B9F
; 

loc_5B5DFE:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+E6j
		mov	edx, [ebp+4]
		lea	ecx, [esi+1108h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_485BB7
; 

loc_5B5E11:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+125j
		mov	ecx, 0Ch
		jmp	short loc_5B5E43
; 

loc_5B5E18:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+12Ej
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jnz	loc_485BF4
		cmp	dword ptr [ecx+150h], offset _KiInitialProcess
		jz	short loc_5B5E3E
		movsx	ecx, byte ptr [ecx+87h]
		jmp	short loc_5B5E43
; 

loc_5B5E3E:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+130373j
		mov	ecx, 1

loc_5B5E43:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+130356j
					; SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+13037Cj
		cmp	ecx, edx
		jg	loc_485BF6
		jmp	loc_485BF4
; 

loc_5B5E50:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkItemQueue+146j
		mov	edx, 1
		jmp	loc_485C13
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStWorkItemQueue
; 
; START	OF FUNCTION CHUNK FOR EtwTraceSiloKernelEvent

loc_5B5E5A:				; CODE XREF: EtwTraceSiloKernelEvent+7Fj
		mov	eax, [ecx+2F8h]
		mov	esi, [eax+1F0h]
		test	esi, esi
		jz	loc_485D95
		mov	edi, [esi+924h]
		bsf	ecx, edi
		jz	loc_485D95

loc_5B5E7D:				; CODE XREF: EtwTraceSiloKernelEvent+1301B1j
		lea	eax, [edi-1]
		and	edi, eax
		lea	edx, [esi+948h]
		mov	eax, ecx
		shl	eax, 5
		add	edx, eax
		jz	short loc_5B5EBE
		mov	eax, ebx
		shr	eax, 1Dh
		mov	eax, [edx+eax*4]
		and	eax, ebx
		test	eax, 1FFFFFFFh
		jz	short loc_5B5EBE
		push	[ebp+arg_C]
		movzx	eax, byte ptr [esi+ecx*2+914h]
		mov	edx, esi
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_4]
		push	[ebp+arg_0]
		push	eax
		call	EtwpLogKernelEvent

loc_5B5EBE:				; CODE XREF: EtwTraceSiloKernelEvent+13017Fj
					; EtwTraceSiloKernelEvent+130190j
		bsf	ecx, edi
		jnz	short loc_5B5E7D
		jmp	loc_485D95
; END OF FUNCTION CHUNK	FOR EtwTraceSiloKernelEvent
; 
; START	OF FUNCTION CHUNK FOR PpmPerfReadFeedback

loc_5B5EC8:				; CODE XREF: PpmPerfReadFeedback+Bj
		mov	ecx, offset @PpmPerfControlActionCallback@0 ; PpmPerfControlActionCallback()
		call	esi
		test	esi, esi
		jmp	loc_485DAF
; END OF FUNCTION CHUNK	FOR PpmPerfReadFeedback
; 
; START	OF FUNCTION CHUNK FOR PpmPerfSnapUtility

loc_5B5ED6:				; CODE XREF: PpmPerfSnapUtility+2E7j
		mov	[ebp+var_14], 64h
		jmp	loc_485F33
; 

loc_5B5EE2:				; CODE XREF: PpmPerfSnapUtility+16Ej
		mov	cl, 64h
		jmp	loc_485F94
; 

loc_5B5EE9:				; CODE XREF: PpmPerfSnapUtility+1D8j
		mov	cl, 64h
		jmp	loc_485FFE
; 

loc_5B5EF0:				; CODE XREF: PpmPerfSnapUtility+233j
		mov	cl, 64h
		jmp	loc_486059
; END OF FUNCTION CHUNK	FOR PpmPerfSnapUtility
; 
; START	OF FUNCTION CHUNK FOR PpmParkSnapNodeStatistics

loc_5B5EF7:				; CODE XREF: PpmParkSnapNodeStatistics+3Cj
		xor	ebx, ebx
		mov	[ebp+var_4], 2
		lea	edi, [esi+70h]

loc_5B5F03:				; CODE XREF: PpmParkSnapNodeStatistics+12FD7Dj
		mov	ecx, [edi]
		lea	edx, [esi+78h]
		add	edx, ebx
		call	PpmIdleSnapConcurrency
		add	ebx, 28h
		lea	edi, [edi+4]
		sub	[ebp+var_4], 1
		jnz	short loc_5B5F03
		mov	edi, [ebp+var_8]
		jmp	loc_4861DE
; END OF FUNCTION CHUNK	FOR PpmParkSnapNodeStatistics
; 
; START	OF FUNCTION CHUNK FOR PpmIdleSnapConcurrency

loc_5B5F23:				; CODE XREF: PpmIdleSnapConcurrency+8Bj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		cmp	[ebp+var_1], 0
		jz	loc_48629C
		jmp	loc_48629B
; END OF FUNCTION CHUNK	FOR PpmIdleSnapConcurrency
; 
; START	OF FUNCTION CHUNK FOR PpmParkDistributeUtility

loc_5B5F3C:				; CODE XREF: PpmParkDistributeUtility+5Bj
		xor	eax, eax
		jmp	loc_486378
; 

loc_5B5F43:				; CODE XREF: PpmParkDistributeUtility+6Fj
		inc	dl
		or	edi, [eax+3C8h]
		jmp	loc_486387
; 

loc_5B5F50:				; CODE XREF: PpmParkDistributeUtility+BFj
		mov	ecx, [ebp+var_8]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, eax
		mov	eax, [ecx+3EB4h]
		sub	eax, [ecx+3EB8h]
		cmp	ds:_PpmHeteroImplementationGeneration, 0
		jbe	short loc_5B5F7F
		mov	ecx, [ecx+3EC4h]
		test	ecx, ecx
		jz	short loc_5B5F7F
		imul	eax, ecx
		shr	eax, 10h

loc_5B5F7F:				; CODE XREF: PpmParkDistributeUtility+12FC5Dj
					; PpmParkDistributeUtility+12FC67j
		add	esi, eax
		jmp	loc_4863C0
; 

loc_5B5F86:				; CODE XREF: PpmParkDistributeUtility+C8j
		mov	bh, 1
		jmp	loc_4863DE
; 

loc_5B5F8D:				; CODE XREF: PpmParkDistributeUtility+D3j
		mov	al, bh
		mov	byte ptr [ebp+arg_4], al
		jmp	loc_4863E9
; 

loc_5B5F97:				; CODE XREF: PpmParkDistributeUtility+104j
		mov	ax, [ebp+arg_0]
		mov	[ebp+var_1C], ax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], 0

loc_5B5FAC:				; CODE XREF: PpmParkDistributeUtility+12FCE9j
					; PpmParkDistributeUtility+12FCEDj
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5B5FFF
		mov	ecx, [ebp+var_8]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	edx, [ebp+arg_4]
		xor	edi, [eax+3C8h]
		lea	esi, [eax+3EA0h]
		mov	ecx, esi
		call	_PpmHeteroNormalizedUtilityToUtility@8 ; PpmHeteroNormalizedUtilityToUtility(x,x)
		cmp	eax, [esi+14h]
		jbe	short loc_5B5FE5
		mov	[esi+14h], eax
		jmp	short loc_5B5FF7
; 

loc_5B5FE5:				; CODE XREF: PpmParkDistributeUtility+12FCCEj
		cmp	[ebp+arg_8], 0
		jz	short loc_5B5FF7
		mov	ecx, [esi+18h]
		cmp	ecx, eax
		ja	short loc_5B5FF4
		mov	ecx, eax

loc_5B5FF4:				; CODE XREF: PpmParkDistributeUtility+12FCE0j
		mov	[esi+14h], ecx

loc_5B5FF7:				; CODE XREF: PpmParkDistributeUtility+12FCD3j
					; PpmParkDistributeUtility+12FCD9j
		test	bh, bh
		jz	short loc_5B5FAC
		dec	bh
		jmp	short loc_5B5FAC
; 

loc_5B5FFF:				; CODE XREF: PpmParkDistributeUtility+12FCABj
		mov	[ebp+arg_C], edi
		jmp	loc_48641A
; 

loc_5B6007:				; CODE XREF: PpmParkDistributeUtility+130j
		xor	ecx, ecx
		jmp	loc_48644D
; 

loc_5B600E:				; CODE XREF: PpmParkDistributeUtility+220j
		mov	esi, [ecx+3EB8h]
		cmp	esi, eax
		ja	short loc_5B601A
		mov	esi, eax

loc_5B601A:				; CODE XREF: PpmParkDistributeUtility+12FD06j
		mov	[ecx+3EB4h], esi
		mov	ecx, [ebp+var_20]
		jmp	loc_486422
; 

loc_5B6028:				; CODE XREF: PpmParkDistributeUtility+1FDj
		mov	ax, [ebp+arg_0]
		xor	edi, edi
		mov	[ebp+var_1C], ax
		mov	eax, [ebp+var_18]
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], edi

loc_5B603B:				; CODE XREF: PpmParkDistributeUtility+12FD50j
					; PpmParkDistributeUtility+12FD6Aj
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5B607C
		mov	ecx, [ebp+var_8]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, [eax+3EB4h]
		cmp	ecx, 2710h
		jbe	short loc_5B603B
		mov	eax, [eax+3EC4h]
		add	ecx, 0FFFFD8F0h
		test	eax, eax
		jz	short loc_5B6078
		imul	ecx, eax
		shr	ecx, 10h

loc_5B6078:				; CODE XREF: PpmParkDistributeUtility+12FD60j
		add	edi, ecx
		jmp	short loc_5B603B
; 

loc_5B607C:				; CODE XREF: PpmParkDistributeUtility+12FD3Aj
		mov	[esi], edi
		jmp	loc_486513
; 

loc_5B6083:				; CODE XREF: PpmParkDistributeUtility+20Aj
		mov	ax, [ebp+arg_0]
		mov	[ebp+var_1C], ax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], 0

loc_5B6098:				; CODE XREF: PpmParkDistributeUtility+12FDB1j
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	loc_486520
		mov	ecx, [ebp+var_8]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, [eax+3EB8h]
		mov	[eax+3EB4h], ecx
		jmp	short loc_5B6098
; END OF FUNCTION CHUNK	FOR PpmParkDistributeUtility
; 
; START	OF FUNCTION CHUNK FOR KiIntSteerCalculateDistribution

loc_5B60C3:				; CODE XREF: KiIntSteerCalculateDistribution+CDj
		mov	ecx, esi
		call	_KiIntSteerComputeCpuSet@8 ; KiIntSteerComputeCpuSet(x,x)
		mov	edx, [ebp+var_8]
		test	eax, eax
		jns	loc_48665C
		jmp	loc_486633
; 

loc_5B60DA:				; CODE XREF: KiIntSteerCalculateDistribution+168j
		xor	edx, edx
		mov	[ebp+var_C], 1
		mov	[ebp+var_8], edx
		jmp	loc_48665C
; END OF FUNCTION CHUNK	FOR KiIntSteerCalculateDistribution
; 
; START	OF FUNCTION CHUNK FOR IopAllocateFileObjectExtension

loc_5B60EB:				; CODE XREF: IopAllocateFileObjectExtension+40j
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_48680E
; 

loc_5B60FB:				; CODE XREF: IopAllocateFileObjectExtension+9Ej
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_48686C
; 

loc_5B610B:				; CODE XREF: IopAllocateFileObjectExtension+B7j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_48687D
; END OF FUNCTION CHUNK	FOR IopAllocateFileObjectExtension
; 
; START	OF FUNCTION CHUNK FOR PpmParkSteerInterrupts

loc_5B6118:				; CODE XREF: PpmParkSteerInterrupts+79j
		xor	al, al
		jmp	loc_486951
; 

loc_5B611F:				; CODE XREF: PpmParkSteerInterrupts+14Cj
		mov	ecx, [ebp+var_8C]
		mov	dword ptr [eax+ebx*8], 0
		mov	dword ptr [eax+ebx*8+4], 0
		mov	eax, [ebp+var_90]
		jmp	loc_4869E4
; 

loc_5B613F:				; CODE XREF: PpmParkSteerInterrupts+438j
		mov	eax, ds:dword_6BF3C8
		mov	[ebp+var_9C], 0
		test	eax, eax
		jz	short loc_5B6157
		bsf	ecx, eax
		jmp	short loc_5B615A
; 

loc_5B6157:				; CODE XREF: PpmParkSteerInterrupts+12F880j
		or	ecx, 0FFFFFFFFh

loc_5B615A:				; CODE XREF: PpmParkSteerInterrupts+12F885j
		lea	eax, [ecx+1]
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		bts	esi, eax
		mov	[ebp+var_94], eax
		mov	eax, 1
		mov	[ebp+var_64], esi
		mov	[ebp+var_90], eax
		jmp	loc_486AEE
; 

loc_5B617F:				; CODE XREF: PpmParkSteerInterrupts+236j
		dec	ecx
		cmp	ecx, 5		; switch 6 cases
		ja	loc_486B0C	; default
		jmp	ds:off_5B63F8[ecx*4] ; switch jump

loc_5B6190:				; DATA XREF: .text:off_5B63F8o
		mov	eax, ds:_KeActiveProcessors ; case 0x0
		mov	ebx, ds:dword_70E328
		mov	edi, [ebp+var_8C]
		mov	[ebp+var_60], eax
		mov	eax, ds:dword_70E324
		mov	[ebp+var_5C], eax
		mov	[ebp+var_58], ebx
		jmp	loc_486C27
; 

loc_5B61B4:				; CODE XREF: PpmParkSteerInterrupts+12F8B9j
					; DATA XREF: .text:off_5B63F8o
		mov	ecx, [ebp+var_88] ; case 0x1
		mov	ebx, esi
		mov	[ebp+var_60], ecx
		mov	edi, eax
		mov	ecx, [ebp+var_68]
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], ebx
		jmp	loc_486C27
; 

loc_5B61CF:				; CODE XREF: PpmParkSteerInterrupts+12F8B9j
					; DATA XREF: .text:off_5B63F8o
		mov	eax, [ebp+var_C0] ; case 0x2
		mov	[ebp+var_5C], edi
		mov	edi, edx
		mov	[ebp+var_60], eax
		mov	[ebp+var_58], ebx
		jmp	loc_486C27
; 

loc_5B61E5:				; CODE XREF: PpmParkSteerInterrupts+12F8B9j
					; DATA XREF: .text:off_5B63F8o
		mov	eax, [ebp+var_9C] ; case 0x4
		xor	ebx, ebx
		add	eax, 0FFFFFFFBh
		mov	[ebp+var_60], 10001h
		bts	ebx, eax
		mov	[ebp+var_5C], 0
		mov	[ebp+var_58], ebx
		mov	edi, 1
		jmp	loc_486C27
; 

loc_5B620E:				; CODE XREF: PpmParkSteerInterrupts+28Ej
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_78]
		push	eax
		push	0
		push	0
		lea	eax, [ebp+var_6C]
		push	eax
		mov	eax, ds:dword_6C0464
		push	edi
		push	eax
		mov	eax, ds:_PpmCheckTime
		push	eax
		push	1
		call	ecx
		mov	ebx, [ebp+var_58]
		mov	esi, [ebp+var_64]
		mov	edi, [ebp+var_70]
		jmp	loc_486B66
; 

loc_5B623D:				; CODE XREF: PpmParkSteerInterrupts+2D5j
		xor	ebx, ebx
		mov	[ebp+var_60], 10001h
		xor	eax, eax
		mov	[ebp+var_5C], 0
		mov	[ebp+var_58], ebx
		cmp	eax, ecx
		mov	[ebp+var_98], eax
		jmp	loc_486BAB
; 

loc_5B625F:				; CODE XREF: PpmParkSteerInterrupts+335j
		cmp	esi, edi
		jnb	short loc_5B62B6
		xor	eax, eax
		mov	[ebp+var_AC], ax
		mov	eax, [ebp+var_64]
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_B4], eax

loc_5B627E:				; CODE XREF: PpmParkSteerInterrupts+12F9D4j
					; PpmParkSteerInterrupts+12F9DFj
		lea	eax, [ebp+var_B4]
		push	eax
		lea	eax, [ebp+var_94]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5B62B6
		mov	ebx, [ebp+var_58]
		mov	eax, ebx
		mov	ecx, [ebp+var_94]
		shr	eax, cl
		test	al, 1
		jnz	short loc_5B627E
		bts	ebx, ecx
		inc	esi
		mov	[ebp+var_58], ebx
		cmp	esi, edi
		jb	short loc_5B627E
		jmp	loc_486C27
; 

loc_5B62B6:				; CODE XREF: PpmParkSteerInterrupts+12F991j
					; PpmParkSteerInterrupts+12F9C3j
		mov	ebx, [ebp+var_58]
		jmp	loc_486C27
; 

loc_5B62BE:				; CODE XREF: PpmParkSteerInterrupts:loc_486BABj
		mov	edi, ecx
		jmp	loc_486C27
; 

loc_5B62C5:				; CODE XREF: PpmParkSteerInterrupts+359j
		mov	[ebp+var_58], 1
		jmp	loc_486C2F
; 

loc_5B62D1:				; CODE XREF: PpmParkSteerInterrupts+3A9j
		movzx	eax, word ptr [ebp+var_60]
		shl	eax, 2
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_54]
		push	eax
		mov	eax, ds:dword_6FBC0C
		push	5
		push	0
		push	offset _PPM_ETW_INTERRUPT_STEERING_MASK_CHANGE
		push	eax
		mov	eax, ds:_KiIntSteerEtwHandle
		push	eax
		mov	[ebp+var_54], offset _KiIntSteerLoadPercent
		mov	[ebp+var_50], 0
		mov	[ebp+var_4C], 4
		mov	[ebp+var_48], 0
		mov	[ebp+var_44], offset _KiIntTrackRootCount
		mov	[ebp+var_40], 0
		mov	[ebp+var_3C], 4
		mov	[ebp+var_38], 0
		mov	[ebp+var_34], offset _KiIntSteerMaskCount
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], 4
		mov	[ebp+var_28], 0
		mov	[ebp+var_24], offset _KiIntSteerMask
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 2
		mov	[ebp+var_18], 0
		mov	[ebp+var_14], offset dword_6C7528
		mov	[ebp+var_10], 0
		mov	[ebp+var_8], 0
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_486C7F
; 

loc_5B6383:				; CODE XREF: PpmParkSteerInterrupts+3C2j
		mov	esi, ds:_KiIntTrackRootList
		mov	[ebp+var_A0], esi
		cmp	esi, offset _KiIntTrackRootList
		jz	short loc_5B63DF

loc_5B6397:				; CODE XREF: PpmParkSteerInterrupts+12FB0Dj
		mov	eax, [esi+8Ch]
		cmp	eax, [esi+80h]
		jz	short loc_5B63CF
		mov	edi, [esi+8]
		lea	eax, [esi+8]
		mov	[ebp+var_9C], eax
		cmp	edi, eax
		jz	short loc_5B63CF
		mov	esi, eax

loc_5B63B7:				; CODE XREF: PpmParkSteerInterrupts+12FAF7j
		mov	edx, offset _PPM_ETW_INTERRUPT_STEERING_STATE_RETARGET
		mov	ecx, edi
		call	KiIntSteerLogState
		mov	edi, [edi]
		cmp	edi, esi
		jnz	short loc_5B63B7
		mov	esi, [ebp+var_A0]

loc_5B63CF:				; CODE XREF: PpmParkSteerInterrupts+12FAD3j
					; PpmParkSteerInterrupts+12FAE3j
		mov	esi, [esi]
		mov	[ebp+var_A0], esi
		cmp	esi, offset _KiIntTrackRootList
		jnz	short loc_5B6397

loc_5B63DF:				; CODE XREF: PpmParkSteerInterrupts+12FAC5j
		mov	esi, offset _KiIntTrackSpinlock
		jmp	loc_486C98
; 

loc_5B63E9:				; CODE XREF: PpmParkSteerInterrupts+3D4j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_486CAF
; END OF FUNCTION CHUNK	FOR PpmParkSteerInterrupts
; 
off_5B63F8	dd offset loc_5B6190	; DATA XREF: PpmParkSteerInterrupts+12F8B9r
		dd offset loc_5B61B4	; jump table for switch	statement
		dd offset loc_5B61CF
		dd offset loc_486B0C
		dd offset loc_5B61E5
		dd offset loc_5B61E5
; 
; START	OF FUNCTION CHUNK FOR KeQuerySystemAllowedCpuSetAffinity

loc_5B6410:				; CODE XREF: KeQuerySystemAllowedCpuSetAffinity+34j
					; KeQuerySystemAllowedCpuSetAffinity+12F676j
		pause
		mov	esi, ds:_KiCpuSetSequence
		mov	eax, esi
		mov	edi, ds:dword_70E6F4
		and	eax, 1
		or	eax, 0
		jnz	short loc_5B6410
		jmp	loc_486DEA
; 

loc_5B642D:				; CODE XREF: KeQuerySystemAllowedCpuSetAffinity+65j
		movzx	ecx, ds:_KiActiveGroups
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	loc_486E32

loc_5B6444:				; CODE XREF: KeQuerySystemAllowedCpuSetAffinity+12F6DDj
		mov	edx, ds:_KiSystemAllowedCpuSets[eax*8]
		mov	[ebp+var_4], 0
		test	edx, edx
		jz	short loc_5B6487
		mov	ebx, [ebp+var_4]

loc_5B6459:				; CODE XREF: KeQuerySystemAllowedCpuSetAffinity+12F6C0j
		mov	eax, ds:_KiCpuSetAffinities
		bsf	ecx, edx
		mov	[ebp+var_4], 0
		btr	edx, ecx
		or	ebx, [eax+ecx*4]
		test	edx, edx
		jnz	short loc_5B6459
		mov	ecx, [ebp+var_C]
		mov	eax, ebx
		mov	[ebp+var_4], ebx
		mov	ebx, [ebp+var_10]
		test	eax, eax
		jz	short loc_5B6484
		or	[ebx+8], eax

loc_5B6484:				; CODE XREF: KeQuerySystemAllowedCpuSetAffinity+12F6CFj
		mov	eax, [ebp+var_8]

loc_5B6487:				; CODE XREF: KeQuerySystemAllowedCpuSetAffinity+12F6A4j
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, ecx
		jb	short loc_5B6444
		mov	edx, [ebp+var_14]
		jmp	loc_486E32
; END OF FUNCTION CHUNK	FOR KeQuerySystemAllowedCpuSetAffinity
; 
; START	OF FUNCTION CHUNK FOR KeIntSteerSnapPerf

loc_5B6497:				; CODE XREF: KeIntSteerSnapPerf+CDj
					; KeIntSteerSnapPerf+D8j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5B649E:				; CODE XREF: KeIntSteerSnapPerf+1BAj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_487015
; END OF FUNCTION CHUNK	FOR KeIntSteerSnapPerf
; 
; START	OF FUNCTION CHUNK FOR PpmCheckStart

loc_5B64AB:				; CODE XREF: PpmCheckStart+67j
		lea	eax, [ebp+var_40]
		mov	[ebp+var_34], offset _PpmCheckTime
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	0
		push	offset _PPM_ETW_PERF_CHECK_START
		push	edi
		push	ebx
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], 8
		mov	[ebp+var_28], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 8
		mov	[ebp+var_18], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], 0
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_4870ED
; 

loc_5B6516:				; CODE XREF: PpmCheckStart+7Dj
		mov	eax, [ecx]
		mov	ds:_PpmCheckPipeline, eax
		jmp	loc_487103
; 

loc_5B6522:				; CODE XREF: PpmCheckStart+C7j
					; PpmCheckStart+CFj
		mov	eax, 1
		jmp	loc_487157
; END OF FUNCTION CHUNK	FOR PpmCheckStart

;  S U B	R O U T	I N E 


sub_5B652C	proc near		; CODE XREF: KeQueryInterruptTime+2Ej
		push	ebx
		push	esi
		mov	esi, 0FFDF000Ch
		push	edi
		lea	edi, [esi-4]
		lea	ebx, [esi+4]

loc_5B653A:				; CODE XREF: sub_5B652C+1Cj
		lea	ecx, [ebp-4]
		call	KeYieldProcessorEx
		mov	edx, [esi]
		mov	eax, [edi]
		cmp	edx, [ebx]
		jnz	short loc_5B653A
		pop	edi
		pop	esi
		pop	ebx
		jmp	loc_487444
sub_5B652C	endp

; 
; START	OF FUNCTION CHUNK FOR KiForwardTick

loc_5B6552:				; CODE XREF: KiForwardTick+8Aj
		mov	edi, ds:_KiLastForwardedHand
		xor	ecx, ecx
		mov	eax, [ebp+arg_0]
		dec	edi
		movzx	eax, al
		xor	esi, esi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_1C], 10001h
		mov	[ebp+var_18], ecx

loc_5B6573:				; CODE XREF: KiForwardTick+12F157j
		movzx	eax, cx
		mov	edx, edi
		mov	edi, [ebp+var_8]
		mov	eax, ds:dword_70E644[eax*8]
		mov	ebx, eax
		mov	[ebp+arg_8], eax

loc_5B6587:				; CODE XREF: KiForwardTick+12F147j
		lea	eax, [edx+1]
		movzx	edx, al
		mov	eax, edx
		shl	eax, 6
		or	esi, [eax+ebx]
		cmp	edx, edi
		jnz	short loc_5B6587
		mov	edi, [ebp+var_C]
		inc	ecx
		mov	[ebp+var_14], esi
		cmp	cx, ds:_KiActiveGroups
		jb	short loc_5B6573
		mov	edi, [ebp+arg_C]
		lea	eax, [ebp+var_1C]
		push	edi
		push	eax
		push	edi
		call	_KeOrAffinityEx@12 ; KeOrAffinityEx(x,x,x)
		mov	ebx, [ebp+var_4]
		jmp	loc_4874E0
; 

loc_5B65BF:				; CODE XREF: KiForwardTick+AEj
		mov	ebx, esi
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	ebx, [ebp+var_4]
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		cmp	cl, 3
		ja	loc_487525
		jmp	loc_487504
; 

loc_5B6602:				; CODE XREF: KiForwardTick+C3j
		mov	eax, ds:_KiPollSlotNext
		mov	ecx, eax
		inc	eax
		mov	ds:_KiPollSlot,	ecx
		mov	ds:_KiPollSlotNext, eax
		cmp	eax, [ebp+var_10]
		jb	short loc_5B6624
		mov	ds:_KiPollSlotNext, 0

loc_5B6624:				; CODE XREF: KiForwardTick+12F1C8j
		mov	edx, [ebx+3CCh]
		cmp	ecx, edx
		jz	loc_487519
		mov	eax, [edi+8]
		shr	eax, cl
		test	al, 1
		jnz	loc_487519
		mov	ds:_KiPollSlot,	edx
		jmp	loc_487519
; END OF FUNCTION CHUNK	FOR KiForwardTick
; 
; START	OF FUNCTION CHUNK FOR KiUpdateTimeAssist

loc_5B664A:				; CODE XREF: KiUpdateTimeAssist+C2j
					; KiUpdateTimeAssist+12F0F9j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, ds:dword_7186C4
		mov	[esi+4], eax
		mov	eax, ds:_KeTickCount
		mov	[esi], eax
		mov	eax, ds:dword_7186C8
		cmp	[esi+4], eax
		jnz	short loc_5B664A
		jmp	loc_487638
; END OF FUNCTION CHUNK	FOR KiUpdateTimeAssist
; 
; START	OF FUNCTION CHUNK FOR KiComputeNewInterruptTime

loc_5B6670:				; CODE XREF: KiComputeNewInterruptTime+97j
		mul	edi
		mov	esi, eax
		mov	eax, [ebp+arg_4]
		add	esi, eax
		mov	[ebp+var_8], esi
		mov	esi, [ebp+var_C]
		adc	edx, esi
		mov	[ebp+arg_4], edx
		mov	edx, [ebp+var_8]
		mov	[ebp+var_C], 0
		cmp	[ebp+arg_4], esi
		ja	short loc_5B66A0
		jb	short loc_5B6699
		cmp	edx, eax
		jnb	short loc_5B66A0

loc_5B6699:				; CODE XREF: KiComputeNewInterruptTime+12EF73j
		mov	[ebp+var_C], 1

loc_5B66A0:				; CODE XREF: KiComputeNewInterruptTime+12EF71j
					; KiComputeNewInterruptTime+12EF77j
		mov	eax, edi
		mul	ecx
		mov	ecx, eax
		mov	eax, ds:dword_6D4B04
		add	ecx, [ebp+arg_4]
		adc	edx, [ebp+var_C]
		add	eax, [ebp+var_8]
		mov	ds:dword_6D4B04, eax
		cmp	eax, [ebp+var_8]
		jnb	loc_4877EF
		add	ecx, 1
		adc	edx, 0
		jmp	loc_4877EF
; END OF FUNCTION CHUNK	FOR KiComputeNewInterruptTime
; 
; START	OF FUNCTION CHUNK FOR KiComputeNewSystemTime

loc_5B66CD:				; CODE XREF: KiComputeNewSystemTime+81j
		mul	edi
		mov	esi, eax
		mov	eax, [ebp+arg_4]
		add	esi, ebx
		mov	[ebp+arg_4], 0
		adc	edx, eax
		mov	[ebp+var_10], edx
		cmp	edx, eax
		ja	short loc_5B66F3
		jb	short loc_5B66EC
		cmp	esi, ebx
		jnb	short loc_5B66F3

loc_5B66EC:				; CODE XREF: KiComputeNewSystemTime+12EED6j
		mov	[ebp+arg_4], 1

loc_5B66F3:				; CODE XREF: KiComputeNewSystemTime+12EED4j
					; KiComputeNewSystemTime+12EEDAj
		mov	eax, edi
		mul	ecx
		mov	ecx, eax
		mov	eax, ds:dword_6D4B0C
		add	ecx, [ebp+var_10]
		adc	edx, [ebp+arg_4]
		add	eax, esi
		mov	ds:dword_6D4B0C, eax
		cmp	eax, esi
		jnb	loc_4878C8
		add	ecx, 1
		adc	edx, 0
		jmp	loc_4878C8
; END OF FUNCTION CHUNK	FOR KiComputeNewSystemTime
; 
; START	OF FUNCTION CHUNK FOR RtlWriteAcquireTickLock

loc_5B671E:				; CODE XREF: RtlWriteAcquireTickLock+29j
		mov	ecx, [esi]
		mov	edi, [esi+4]
		mov	[ebp+var_4], ecx

loc_5B6726:				; CODE XREF: RtlWriteAcquireTickLock+50j
		pause
		jmp	loc_4878F0
; END OF FUNCTION CHUNK	FOR RtlWriteAcquireTickLock
; 
; START	OF FUNCTION CHUNK FOR PoExecuteIdleCheck

loc_5B672D:				; CODE XREF: PoExecuteIdleCheck+36j
		mov	ecx, ds:_PpmIdleLastIdleDurationExpirationTime
		mov	eax, ds:dword_70EE34
		add	ecx, edx
		mov	edi, [ebp+arg_4]
		adc	eax, esi
		cmp	eax, edi
		ja	loc_48796E
		mov	esi, [ebp+arg_0]
		jb	short loc_5B6754
		cmp	ecx, esi
		jnb	loc_48796E

loc_5B6754:				; CODE XREF: PoExecuteIdleCheck+12EE18j
		lea	ecx, [ebp+var_1C]
		call	_PpmGetIdleConstrainedMask@4 ; PpmGetIdleConstrainedMask(x)
		test	al, al
		jz	loc_48796E
		xor	eax, eax
		mov	ds:_PpmIdleLastIdleDurationExpirationTime, esi
		inc	eax
		mov	ds:dword_70EE34, edi
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		xor	eax, eax
		mov	[ebp+var_24], ax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_2C], eax

loc_5B6793:				; CODE XREF: PoExecuteIdleCheck+12EE83j
					; PoExecuteIdleCheck+12EE8Bj ...
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5B67D9
		mov	ecx, [ebp+var_20]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, large fs:20h
		cmp	eax, ecx
		jz	short loc_5B6793
		cmp	[eax+3D94h], edi
		ja	short loc_5B6793
		jb	short loc_5B67CB
		mov	eax, [eax+3D90h]
		cmp	eax, esi
		ja	short loc_5B6793

loc_5B67CB:				; CODE XREF: PoExecuteIdleCheck+12EE8Dj
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_20]
		bts	ecx, eax
		mov	[ebp+var_8], ecx
		jmp	short loc_5B6793
; 

loc_5B67D9:				; CODE XREF: PoExecuteIdleCheck+12EE70j
		cmp	[ebp+var_8], ebx
		jz	loc_48796E
		lea	ecx, [ebp+var_10]
		call	_PpmEventIdleDurationExpiration@4 ; PpmEventIdleDurationExpiration(x)
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		call	ds:__imp__HalRequestIpi@8 ; HalRequestIpi(x,x)
		jmp	loc_48796E
; END OF FUNCTION CHUNK	FOR PoExecuteIdleCheck
; 
; START	OF FUNCTION CHUNK FOR KiUpdateTime

loc_5B67FA:				; CODE XREF: KiUpdateTime+7Cj
					; KiUpdateTime+12ED49j
		lea	ecx, [ebp+var_38]
		call	KeYieldProcessorEx
		mov	eax, ds:dword_7186C4
		mov	ecx, ds:_KeTickCount
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], ecx
		cmp	eax, ds:dword_7186C8
		jnz	short loc_5B67FA
		jmp	loc_487B52
; 

loc_5B6820:				; CODE XREF: KiUpdateTime+A9j
					; KiUpdateTime+12ED5Fj
		lea	ecx, [ebp+var_3C]
		call	KeYieldProcessorEx
		mov	eax, ds:_KiForceIdleLock
		test	eax, eax
		jnz	short loc_5B6820
		jmp	loc_487B74
; 

loc_5B6836:				; CODE XREF: KiUpdateTime+C4j
		cmp	[ebp+var_18], ecx
		jb	loc_487B9A
		ja	short loc_5B684A
		cmp	[ebp+var_1C], edx
		jb	loc_487B9A

loc_5B684A:				; CODE XREF: KiUpdateTime+12ED6Fj
		mov	eax, ds:_KiForceIdleState
		cmp	eax, 2
		jnz	loc_487B9A
		mov	ecx, ds:_KiForceIdleState
		mov	edx, edi
		mov	ds:_KiForceIdleState, edi
		call	_PoTraceForceIdleStateChange@8 ; PoTraceForceIdleStateChange(x,x)
		mov	eax, [ebp+var_2C]
		mov	ecx, [eax+3CCh]
		mov	eax, ds:dword_6CB3DC
		test	eax, eax
		jnz	short loc_5B6886
		lea	eax, [ecx+20h]
		mov	ds:word_6CB3C2,	ax

loc_5B6886:				; CODE XREF: KiUpdateTime+12EDABj
		push	0
		push	0
		push	0
		xor	edx, edx
		mov	ecx, offset _KiForceIdleStartDpc
		call	KiInsertQueueDpc
		jmp	loc_487B9A
; 

loc_5B689D:				; CODE XREF: KiUpdateTime+D2j
					; KiUpdateTime+DBj
		mov	[ebp+var_11], 1
		jmp	loc_487BB1
; END OF FUNCTION CHUNK	FOR KiUpdateTime

;  S U B	R O U T	I N E 


sub_5B68A6	proc near		; CODE XREF: KiCheckForPendingQosUpdate+19j
		push	ebx
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	edx, [esi+244h]
		mov	bl, al
		mov	ecx, [edi+4D8h]
		mov	esi, ecx
		xor	ecx, edx
		and	esi, 0FFFFFCFFh
		test	cl, cl
		jz	short loc_5B68F3
		and	edx, 3
		mov	ecx, edi
		shl	edx, 8
		or	edx, esi
		mov	[edi+4D8h], edx
		shr	edx, 8
		and	edx, 3
		call	_PoSetProcessorQoS@8 ; PoSetProcessorQoS(x,x)
		mov	esi, [edi+4D8h]
		test	al, al
		jz	short loc_5B68F9
		and	esi, 0FFFFFCFFh

loc_5B68F3:				; CODE XREF: sub_5B68A6+20j
		mov	[edi+4D8h], esi

loc_5B68F9:				; CODE XREF: sub_5B68A6+45j
		test	esi, 300h
		jnz	short loc_5B6908
		mov	ecx, edi
		call	_KeUpdatePendingQosRequest@4 ; KeUpdatePendingQosRequest(x)

loc_5B6908:				; CODE XREF: sub_5B68A6+59j
		test	bl, bl
		pop	ebx
		jz	loc_487E81
		sti
		jmp	loc_487E81
sub_5B68A6	endp

; 
; START	OF FUNCTION CHUNK FOR KiCheckForPendingQosUpdate

loc_5B6917:				; CODE XREF: KiCheckForPendingQosUpdate+29j
		mov	ecx, edi
		mov	edx, esi
		pop	edi
		pop	esi
		jmp	@KeCheckAndApplyBamQos@8 ; KeCheckAndApplyBamQos(x,x)
; END OF FUNCTION CHUNK	FOR KiCheckForPendingQosUpdate
; 
; START	OF FUNCTION CHUNK FOR KeClockInterruptNotify

loc_5B6922:				; CODE XREF: KeClockInterruptNotify+100j
		lea	ecx, [ebp+var_58]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	ecx, edx
		mov	[ebp+var_38], eax
		push	ecx
		push	eax
		mov	[ebp+var_34], ecx
		call	PoExecuteIdleCheck
		mov	eax, ds:_KiForceIdleWatchdogResetCount
		cmp	eax, 20h
		jnz	short loc_5B694D
		call	ds:off_6B13A8	; SymCryptFatalIntercept(x)
		xor	eax, eax
		jmp	short loc_5B694E
; 

loc_5B694D:				; CODE XREF: KeClockInterruptNotify+12EAB1j
		inc	eax

loc_5B694E:				; CODE XREF: KeClockInterruptNotify+12EABBj
		mov	edx, [ebp+var_38]
		mov	ecx, edx
		sub	ecx, ds:_KiForceIdleActiveLastStartTime
		mov	ds:_KiForceIdleWatchdogResetCount, eax
		mov	eax, [ebp+var_34]
		sbb	eax, ds:dword_6CB1A4
		test	eax, eax
		ja	short loc_5B69B2
		jb	short loc_5B6975
		cmp	ecx, 1312D00h
		ja	short loc_5B69B2

loc_5B6975:				; CODE XREF: KeClockInterruptNotify+12EADBj
		add	ds:dword_6CAB90, 1
		mov	bh, 1
		mov	eax, ds:_KiClockTickSkipTraceIndex
		mov	ecx, eax
		adc	ds:dword_6CAB94, 0
		inc	eax
		shl	ecx, 4
		add	ecx, offset _KiClockTickSkipTraces
		and	eax, 0Fh
		mov	ds:_KiClockTickSkipTraceIndex, eax
		mov	eax, [ebp+var_34]
		mov	[ebp+var_40], ecx
		mov	byte ptr [ecx],	0
		mov	[ecx+8], edx
		mov	[ecx+0Ch], eax
		jmp	loc_487F27
; 

loc_5B69B2:				; CODE XREF: KeClockInterruptNotify+12EAD9j
					; KeClockInterruptNotify+12EAE3j
		mov	dl, 1
		mov	ecx, 2
		call	_KiResetForceIdle@8 ; KiResetForceIdle(x,x)
		jmp	loc_487F27
; 

loc_5B69C3:				; CODE XREF: KeClockInterruptNotify+A4j
		mov	edi, ds:__imp_@KfRaiseIrql@4 ; KfRaiseIrql(x)

loc_5B69C9:				; CODE XREF: KeClockInterruptNotify+E0j
		cmp	ds:_KiClockOwnerOneShotRequestState, 1
		jnz	loc_487F76
		mov	cl, 1Fh
		call	edi
		mov	bl, al
		mov	ds:_KiClockOwnerOneShotRequestState, 2
		call	_KiSetClockIntervalToMinimumRequested@0	; KiSetClockIntervalToMinimumRequested()
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_40]
		test	eax, eax
		jz	short loc_5B69FD
		mov	byte ptr [eax],	1

loc_5B69FD:				; CODE XREF: KeClockInterruptNotify+12EB68j
		add	ds:dword_6CAB98, 1
		adc	ds:dword_6CAB9C, 0
		jmp	loc_487F76
; 

loc_5B6A10:				; CODE XREF: KeClockInterruptNotify+283j
					; KeClockInterruptNotify+12EB93j
		lea	ecx, [ebp+var_60]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		mov	edx, 0FFDF0010h
		mov	ecx, [esi]
		cmp	eax, [edx]
		jnz	short loc_5B6A10
		mov	esi, [ebp+var_38]
		mov	edi, ds:__imp_@KfRaiseIrql@4 ; KfRaiseIrql(x)
		jmp	loc_487FD5
; 

loc_5B6A33:				; CODE XREF: KeClockInterruptNotify+1ADj
		mov	esi, 0FFDF000Ch

loc_5B6A38:				; CODE XREF: KeClockInterruptNotify+12EBC6j
		lea	ecx, [ebp+var_68]
		call	KeYieldProcessorEx
		mov	edi, [esi]
		mov	eax, 0FFDF0008h
		mov	[ebp+var_34], edi
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		mov	eax, 0FFDF0010h
		cmp	edi, [eax]
		jnz	short loc_5B6A38
		mov	esi, [ebp+var_38]
		mov	edi, ds:__imp_@KfRaiseIrql@4 ; KfRaiseIrql(x)
		mov	ecx, [ebp+var_34]
		jmp	loc_488043
; 

loc_5B6A69:				; CODE XREF: KeClockInterruptNotify+22Fj
		xor	eax, eax
		mov	[ebp+var_1A], 0
		mov	[ebp+var_16], ax
		lea	ecx, [ebp+var_2C]
		mov	eax, [ebp+var_48]
		mov	edx, 1
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_44]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_50]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_4C]
		push	602h
		mov	[ebp+var_8], eax
		lea	eax, [ebp-1Ch]
		push	0F57h
		push	40100000h
		mov	[ebp+var_1C], 200h
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], 0
		mov	[ebp+var_24], 18h
		mov	[ebp+var_20], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_48804D
; END OF FUNCTION CHUNK	FOR KeClockInterruptNotify
; 
; START	OF FUNCTION CHUNK FOR PerfInfoLogInterrupt

loc_5B6AD0:				; CODE XREF: PerfInfoLogInterrupt+1Fj
		mov	eax, [ecx+0Ch]
		mov	ebx, 0F5Fh
		mov	esi, 8
		mov	[ebp+var_30], eax
		jmp	loc_488163
; END OF FUNCTION CHUNK	FOR PerfInfoLogInterrupt
; 
; START	OF FUNCTION CHUNK FOR KiRetireDpcList

loc_5B6AE5:				; CODE XREF: KiRetireDpcList+D7j
		mov	al, [edi+60h]
		mov	edx, [esi+3B40h]
		sub	edx, [esi+3B48h]
		mov	ecx, [esi+3B44h]
		sbb	ecx, [esi+3B4Ch]
		movzx	eax, al
		add	[esi+eax*8+3B50h], edx
		adc	[esi+eax*8+3B54h], ecx
		and	bl, 0EFh
		mov	dword ptr [esi+3B48h], 0
		mov	dword ptr [esi+3B4Ch], 0
		mov	[esp+138h+var_129], bl
		jmp	loc_48830D
; 

loc_5B6B31:				; CODE XREF: KiRetireDpcList+118j
		mov	edx, [eax+64h]
		jmp	loc_48835D
; 

loc_5B6B39:				; CODE XREF: KiRetireDpcList+1DFj
		mov	eax, [esp+138h+var_120]
		lea	esi, [edx+8]
		shl	eax, 4
		add	esi, eax
		mov	ecx, [esi]
		add	ecx, [esp+138h+var_128]
		mov	eax, [esi+4]
		adc	eax, [esp+138h+var_124]
		mov	[esp+138h+var_100], ecx
		mov	[esp+138h+var_118], eax

loc_5B6B5A:				; CODE XREF: KiRetireDpcList+12E946j
					; KiRetireDpcList+12E94Cj
		mov	edi, [esi]
		mov	eax, edi
		mov	edx, [esi+4]
		mov	[esp+138h+var_10C], edx
		nop
		mov	ebx, ecx
		mov	ecx, [esp+138h+var_118]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [esp+138h+var_100]
		cmp	eax, edi
		jnz	short loc_5B6B5A
		cmp	edx, [esp+138h+var_10C]
		jnz	short loc_5B6B5A
		mov	esi, [esp+138h+var_108]
		mov	edi, [esp+138h+var_11C]
		mov	edx, [esp+138h+var_FC]
		jmp	loc_488415
; 

loc_5B6B8F:				; CODE XREF: KiRetireDpcList+1FCj
		and	bl, 0BFh
		jmp	loc_488432
; 

loc_5B6B97:				; CODE XREF: KiRetireDpcList+3FBj
		cmp	byte ptr [edi+244h], 2
		jz	short loc_5B6BB1
		add	[esi+3B78h], ebx
		adc	[esi+3B7Ch], eax
		jmp	loc_488631
; 

loc_5B6BB1:				; CODE XREF: KiRetireDpcList+12E96Ej
		add	[esi+3B80h], ebx
		adc	[esi+3B84h], eax
		jmp	loc_488631
; 

loc_5B6BC2:				; CODE XREF: KiRetireDpcList+40Ej
		mov	ecx, edi
		call	_KiEndCounterAccumulation@4 ; KiEndCounterAccumulation(x)
		jmp	loc_48843B
; 

loc_5B6BCE:				; CODE XREF: KiRetireDpcList+453j
		mov	ebx, 0FFDF000Ch
		lea	esi, [ebx-4]
		lea	edi, [ebx+4]

loc_5B6BD9:				; CODE XREF: KiRetireDpcList+12E9C0j
		lea	ecx, [esp+138h+var_F4]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		mov	ecx, [esi]
		mov	[esp+138h+var_128], eax
		mov	[esp+138h+var_120], ecx
		cmp	eax, [edi]
		jnz	short loc_5B6BD9
		mov	esi, [esp+138h+var_108]
		jmp	loc_488689
; 

loc_5B6BFB:				; CODE XREF: KiRetireDpcList+6BCj
		mov	ebx, 0FFDF0018h
		lea	esi, [ebx-4]
		lea	edi, [ebx+4]

loc_5B6C06:				; CODE XREF: KiRetireDpcList+12E9F1j
		lea	ecx, [esp+138h+var_F0]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		mov	[esp+138h+var_CC], eax
		mov	eax, [esi]
		mov	[esp+138h+var_D0], eax
		mov	eax, [edi]
		cmp	[esp+138h+var_CC], eax
		jnz	short loc_5B6C06
		mov	esi, [esp+138h+var_108]
		mov	edi, [esp+138h+var_11C]
		mov	cl, [esp+138h+var_129]
		jmp	loc_4888F2
; 

loc_5B6C34:				; CODE XREF: KiRetireDpcList+53Cj
		mov	edi, 0FFDF0018h
		lea	esi, [edi-4]
		lea	ebx, [edi+4]

loc_5B6C3F:				; CODE XREF: KiRetireDpcList+12EA2Aj
		lea	ecx, [esp+138h+var_EC]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		mov	[esp+138h+var_CC], eax
		mov	eax, [esi]
		mov	[esp+138h+var_D0], eax
		mov	eax, [ebx]
		cmp	[esp+138h+var_CC], eax
		jnz	short loc_5B6C3F
		mov	esi, [esp+138h+var_108]
		mov	edi, [esp+138h+var_11C]
		mov	ebx, [esp+138h+var_128]
		jmp	loc_488772
; 

loc_5B6C6D:				; CODE XREF: KiRetireDpcList+422j
		sti
		mov	eax, 0FFDF0018h
		mov	[esp+138h+var_E8], 0
		mov	eax, [eax]
		mov	[esp+138h+var_CC], eax
		mov	eax, 0FFDF0014h
		mov	eax, [eax]
		mov	[esp+138h+var_D0], eax
		mov	eax, 0FFDF001Ch
		mov	eax, [eax]
		cmp	[esp+138h+var_CC], eax
		jz	loc_4887B0
		mov	edi, 0FFDF0018h
		lea	esi, [edi-4]
		lea	ebx, [edi+4]

loc_5B6CA8:				; CODE XREF: KiRetireDpcList+12EA93j
		lea	ecx, [esp+138h+var_E8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		mov	[esp+138h+var_CC], eax
		mov	eax, [esi]
		mov	[esp+138h+var_D0], eax
		mov	eax, [ebx]
		cmp	[esp+138h+var_CC], eax
		jnz	short loc_5B6CA8
		mov	esi, [esp+138h+var_108]
		mov	edi, [esp+138h+var_11C]
		jmp	loc_4887AC
; 

loc_5B6CD2:				; CODE XREF: KiRetireDpcList+2C2j
		mov	ecx, [ecx+64h]
		jmp	loc_488507
; 

loc_5B6CDA:				; CODE XREF: KiRetireDpcList+354j
		mov	al, [edi+60h]
		mov	[esi+3B48h], ebx
		mov	[esi+3B4Ch], ecx
		jmp	loc_48858A
; 

loc_5B6CEE:				; CODE XREF: KiRetireDpcList+35Ej
		xor	dl, dl
		mov	ecx, edi
		call	@KiBeginCounterAccumulation@8 ;	KiBeginCounterAccumulation(x,x)
		jmp	loc_488594
; END OF FUNCTION CHUNK	FOR KiRetireDpcList
; 
; START	OF FUNCTION CHUNK FOR KiExecuteAllDpcs

loc_5B6CFC:				; CODE XREF: KiExecuteAllDpcs+E7j
		call	@KiAcquireSpinLockInstrumented@4 ; KiAcquireSpinLockInstrumented(x)
		jmp	loc_488E21
; 

loc_5B6D06:				; CODE XREF: KiExecuteAllDpcs+15Fj
		test	edx, edx
		jnz	loc_488AE5
		mov	eax, [ecx+1Ch]
		dec	eax
		mov	[ecx+1Ch], eax
		jmp	loc_488AE5
; 

loc_5B6D1A:				; CODE XREF: KiExecuteAllDpcs+16Cj
		mov	edx, [ebp+4]
		lea	ecx, [edi+8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_488AFA
; 

loc_5B6D2A:				; CODE XREF: KiExecuteAllDpcs+185j
		mov	eax, [ebp+var_5C]
		lea	ecx, [ebp+var_58]
		mov	[ebp+var_B4], eax
		mov	edx, 1
		imul	eax, esi, 0C8BE1499h
		push	400A02h
		push	0F65h
		push	20040000h
		mov	[ebp+var_54], 0
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_58], eax
		mov	[ebp+var_50], 8
		mov	[ebp+var_4C], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_488B0B
; 

loc_5B6D7E:				; CODE XREF: KiExecuteAllDpcs+1FCj
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], edx
		jmp	loc_488B90
; 

loc_5B6D91:				; CODE XREF: KiExecuteAllDpcs+213j
		call	RtlGetSystemTimePrecise
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], edx
		jmp	loc_488BA7
; 

loc_5B6DA1:				; CODE XREF: KiExecuteAllDpcs+22Aj
		mov	[ebp+var_38], 0
		mov	[ebp+var_34], 0
		jmp	loc_488BB8
; 

loc_5B6DB4:				; CODE XREF: KiExecuteAllDpcs+23Bj
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_C0], 0
		push	eax
		mov	[ebp+var_BC], 0
		call	ds:off_6B1438	; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		mov	eax, [ebp+var_C0]
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_BC]
		mov	[ebp+var_2C], eax
		jmp	loc_488BCF
; 

loc_5B6DEC:				; CODE XREF: KiExecuteAllDpcs+2ADj
		mov	eax, [ebx+3B0Ch]
		cmp	eax, [ebx+3B14h]
		jge	loc_488C33
		mov	eax, ds:_KiDpcWatchdogProfileArrayLength
		shl	eax, 2
		push	eax		; size_t
		push	0		; int
		push	ecx		; void *
		mov	[ebx+4064h], ecx
		call	_memset
		add	esp, 0Ch
		jmp	loc_488C33
; 

loc_5B6E1D:				; CODE XREF: KiExecuteAllDpcs+318j
		mov	ecx, [eax+4]
		mov	[ebp+var_74], ecx
		and	ecx, 1Fh
		shr	[ebp+var_74], 5
		mov	[ebp+var_78], 0FFFFFFFFh
		shl	[ebp+var_78], cl
		mov	ecx, [ebp+var_78]
		and	ecx, [ebp+var_5C]
		mov	[ebp+var_6C], ecx
		shr	[ebp+var_6C], 18h
		mov	[ebp+var_68], ecx
		shr	[ebp+var_68], 10h
		mov	[ebp+var_64], ecx
		shr	[ebp+var_64], 8
		cmp	[ebp+var_74], 0
		mov	[ebp+var_C8], ecx
		jz	short loc_5B6EB9
		movzx	eax, cl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_D0], ecx
		imul	ecx, eax, 25h
		mov	eax, [ebp+var_64]
		movzx	eax, al
		add	ecx, eax
		mov	eax, [ebp+var_68]
		imul	ecx, 25h
		movzx	eax, al
		add	ecx, eax
		imul	eax, ecx, 25h
		mov	ecx, [ebp+var_74]
		dec	ecx
		add	eax, [ebp+var_6C]
		and	ecx, eax
		mov	eax, [ebp+var_7C]
		mov	eax, [eax+8]
		lea	ecx, [eax+ecx*4]

loc_5B6E94:				; CODE XREF: KiExecuteAllDpcs+12E52Aj
		mov	ecx, [ecx]
		test	ecx, 1
		jnz	short loc_5B6EB6
		mov	eax, [ecx+4]
		and	eax, [ebp+var_78]
		cmp	[ebp+var_C8], eax
		jnz	short loc_5B6E94
		push	edx
		push	esi
		push	ecx
		call	_KiUpdateExistingDpcRuntime@20 ; KiUpdateExistingDpcRuntime(x,x,x,x,x)
		jmp	short loc_5B6EC5
; 

loc_5B6EB6:				; CODE XREF: KiExecuteAllDpcs+12E51Cj
		mov	eax, [ebp+var_7C]

loc_5B6EB9:				; CODE XREF: KiExecuteAllDpcs+12E4D9j
		push	edx
		mov	edx, [ebp+var_5C]
		mov	ecx, eax
		push	esi
		call	_KiInsertNewDpcRuntime@16 ; KiInsertNewDpcRuntime(x,x,x,x)

loc_5B6EC5:				; CODE XREF: KiExecuteAllDpcs+12E534j
		mov	ecx, [ebp+var_80]
		jmp	loc_488C9E
; 

loc_5B6ECD:				; CODE XREF: KiExecuteAllDpcs+10Fj
		test	ds:byte_70EFC6,	1
		jz	short loc_5B6EE3
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_488DD7
; 

loc_5B6EE3:				; CODE XREF: KiExecuteAllDpcs+12E554j
		xor	eax, eax
		lock and [ecx],	eax
		jmp	loc_488DD7
; 

loc_5B6EED:				; CODE XREF: KiExecuteAllDpcs+370j
		push	eax
		push	ecx
		push	[ebp+var_5C]
		push	4
		push	0C7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5B6EFF:				; CODE XREF: EtwpLogKernelEvent+27Ej
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_48902D
; END OF FUNCTION CHUNK	FOR KiExecuteAllDpcs
; 
; START	OF FUNCTION CHUNK FOR EtwpLogKernelEvent

loc_5B6F09:				; CODE XREF: EtwpLogKernelEvent+65j
		push	[esp+48h+var_2C]
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpCloseLogger@12 ; EtwpCloseLogger(x,x,x)
		jmp	loc_48902D
; 

loc_5B6F1B:				; CODE XREF: EtwpLogKernelEvent+29Fj
		lea	edx, [ebx+18h]
		call	EtwpReserveTraceBuffer
		mov	[esp+48h+var_24], eax
		test	eax, eax
		jz	loc_489026
		mov	edx, [ebp+arg_C]
		movzx	ecx, dl
		or	ecx, 0C0030000h
		mov	[eax], ecx
		mov	ecx, [esp+48h+var_18]
		mov	[eax+10h], ecx
		mov	ecx, [esp+48h+var_14]
		mov	[eax+14h], ecx
		lea	ecx, [ebx+18h]
		mov	[eax+4], cx
		mov	ecx, [ebp+arg_8]
		mov	[eax+6], cx
		mov	eax, large fs:124h
		mov	ecx, [esp+48h+var_24]
		mov	eax, [eax+2B0h]
		mov	[ecx+8], eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+0E4h]
		mov	[ecx+0Ch], eax
		lea	eax, [ecx+18h]
		jmp	loc_488F66
; 

loc_5B6F89:				; CODE XREF: EtwpLogKernelEvent+E8j
		test	eax, 400h
		mov	eax, [ebp+arg_8]
		jz	short loc_5B6FBD
		mov	[esp+48h+var_24], 524h
		cmp	ax, word ptr [esp+48h+var_24]
		jnz	short loc_5B6FBD
		push	edx
		lea	eax, [esp+4Ch+var_18]
		mov	edx, 524h
		push	eax
		lea	eax, [esp+50h+var_C]
		push	eax
		push	ebx
		call	_EtwpReserveWithPebsIndex@24 ; EtwpReserveWithPebsIndex(x,x,x,x,x,x)
		jmp	loc_488F66
; 

loc_5B6FBD:				; CODE XREF: EtwpLogKernelEvent+12E161j
					; EtwpLogKernelEvent+12E170j
		mov	edx, eax
		call	_PMC_MONITORING_ENABLED@8 ; PMC_MONITORING_ENABLED(x,x)
		mov	edx, [ebp+arg_C]
		test	al, al
		jz	loc_488F1E
		push	edx
		mov	edx, [ebp+arg_8]
		lea	eax, [esp+4Ch+var_18]
		push	eax
		lea	eax, [esp+50h+var_C]
		push	eax
		push	ebx
		call	_EtwpReserveWithPmcCounters@24 ; EtwpReserveWithPmcCounters(x,x,x,x,x,x)
		jmp	loc_488F66
; 

loc_5B6FE8:				; CODE XREF: EtwpLogKernelEvent+159j
		mov	edx, [esp+48h+var_34]
		push	edx		; size_t
		push	0		; int
		push	[esp+50h+var_38] ; void	*
		call	_memset
		mov	esi, [esp+54h+var_30]
		add	esp, 0Ch
		mov	ecx, esi
		call	EtwpUpdateEventsLostCount
		jmp	loc_488FBD
; 

loc_5B700B:				; CODE XREF: EtwpLogKernelEvent+194j
		cmp	ds:_KdDebuggerNotPresent, 0
		jnz	short loc_5B701D
		cmp	ds:_KdPitchDebugger, 0
		jz	short loc_5B702A

loc_5B701D:				; CODE XREF: EtwpLogKernelEvent+12E1E2j
		cmp	ds:_KdEventLoggingPresent, 0
		jz	loc_488FCA

loc_5B702A:				; CODE XREF: EtwpLogKernelEvent+12E1EBj
		lea	edx, [esp+48h+var_C]
		mov	ecx, esi
		call	_EtwpSendTraceEvent@8 ;	EtwpSendTraceEvent(x,x)
		jmp	loc_488FCA
; 

loc_5B703A:				; CODE XREF: EtwpLogKernelEvent+1C0j
		mov	edx, edi
		mov	ecx, eax
		xor	edx, eax
		cmp	edx, 7
		jb	loc_488FE5
		jmp	loc_48914F
; 

loc_5B704E:				; CODE XREF: EtwpLogKernelEvent+1D1j
		mov	eax, [esi+2B4h]
		mov	ecx, edi
		and	ecx, 1FFFh
		mov	edx, ecx
		and	cl, 7
		shr	edx, 3
		mov	al, [edx+eax]
		sar	al, cl
		test	al, 1
		jz	loc_489007
		push	[ebp+arg_C]
		lea	edx, [esp+4Ch+var_18]
		mov	ecx, esi
		push	0
		call	_EtwpStackTraceDispatcher@16 ; EtwpStackTraceDispatcher(x,x,x,x)
		mov	ebx, [esi+258h]
		jmp	loc_489007
; 

loc_5B708C:				; CODE XREF: EtwpLogKernelEvent+1DDj
		mov	eax, [esi+2C0h]
		xor	ecx, ecx
		cmp	[eax+8], ecx
		jbe	loc_489013
		mov	eax, 0Ch

loc_5B70A2:				; CODE XREF: EtwpLogKernelEvent+12E285j
		mov	edx, [esi+2C0h]
		cmp	[eax+edx], di
		jz	short loc_5B70BC
		inc	ecx
		add	eax, 2
		cmp	ecx, [edx+8]
		jb	short loc_5B70A2
		jmp	loc_489013
; 

loc_5B70BC:				; CODE XREF: EtwpLogKernelEvent+12E27Cj
		mov	ebx, [ebp+arg_C]
		lea	edx, [esp+48h+var_18]
		push	ebx
		push	0
		mov	ecx, esi
		call	_EtwpTraceLastBranchRecord@16 ;	EtwpTraceLastBranchRecord(x,x,x,x)
		jmp	loc_489016
; 

loc_5B70D2:				; CODE XREF: EtwpLogKernelEvent+1F0j
		mov	eax, [esi+2C4h]
		xor	ecx, ecx
		cmp	[eax+14h], ecx
		jbe	loc_489026
		mov	eax, 18h

loc_5B70E8:				; CODE XREF: EtwpLogKernelEvent+12E2CBj
		mov	edx, [esi+2C4h]
		cmp	[eax+edx], di
		jz	short loc_5B7102
		inc	ecx
		add	eax, 2
		cmp	ecx, [edx+14h]
		jb	short loc_5B70E8
		jmp	loc_489026
; 

loc_5B7102:				; CODE XREF: EtwpLogKernelEvent+12E2C2j
		push	ebx
		push	0
		lea	edx, [esp+50h+var_18]
		mov	ecx, esi
		call	_EtwpTraceProcessorTrace@16 ; EtwpTraceProcessorTrace(x,x,x,x)
		jmp	loc_489026
; END OF FUNCTION CHUNK	FOR EtwpLogKernelEvent
; 
; START	OF FUNCTION CHUNK FOR EtwpReserveTraceBuffer

loc_5B7115:				; CODE XREF: EtwpReserveTraceBuffer+2C5j
		mov	ecx, eax
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		jbe	loc_489411
		jmp	loc_48947B
; 

loc_5B712B:				; CODE XREF: EtwpReserveTraceBuffer+2A7j
					; EtwpReserveTraceBuffer+31Fj
		mov	eax, 0FFFFFFF9h
		lea	ecx, [ebx+0Ch]
		lock xadd [ecx], eax
		jmp	loc_48921C
; 

loc_5B713C:				; CODE XREF: EtwpReserveTraceBuffer+A6j
		lea	edx, [esp+13h]
		mov	ecx, edi
		call	_EtwpLockBufferList@8 ;	EtwpLockBufferList(x,x)
		mov	esi, [esp+60h+var_4C]
		mov	ebx, [esi]
		and	ebx, 0FFFFFFF8h
		mov	[esp+60h+var_48], ebx
		jz	short loc_5B715A
		lock inc dword ptr [ebx+0Ch]

loc_5B715A:				; CODE XREF: EtwpReserveTraceBuffer+12DFF4j
		lea	edx, [esp+13h]
		mov	ecx, edi
		call	EtwpUnlockBufferList
		jmp	loc_48942B
; 

loc_5B716A:				; CODE XREF: EtwpReserveTraceBuffer+10Aj
		lea	eax, [esp+60h+var_18]
		mov	ecx, edi
		push	eax
		lea	edx, [esp+64h+var_10]
		call	_EtwpGetTimeStampAndQpcDelta@12	; EtwpGetTimeStampAndQpcDelta(x,x,x)
		test	eax, eax
		jnz	loc_4893E2
		mov	esi, [esp+60h+var_28]
		mov	eax, [esp+60h+var_34]
		shl	eax, 3
		mov	[esp+60h+var_20], eax
		mov	edi, [esi+8]
		add	edi, eax

loc_5B7196:				; CODE XREF: EtwpReserveTraceBuffer+12E054j
					; EtwpReserveTraceBuffer+12E058j
		mov	ebx, [edi]
		mov	eax, ebx
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[esp+60h+var_3C], ebx
		mov	[esp+60h+var_30], ecx
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, edx
		mov	edx, [esp+60h+var_3C]
		cmp	eax, edx
		jnz	short loc_5B7196
		cmp	ebx, ecx
		jnz	short loc_5B7196
		cmp	[esp+60h+var_18], edx
		mov	edi, [esp+60h+var_38]
		mov	edx, [esp+60h+var_44]
		jnz	short loc_5B71EE
		cmp	[esp+60h+var_14], ecx
		jnz	short loc_5B71EE
		cmp	edx, 48h
		jz	short loc_5B71EE
		mov	ecx, [ebp+arg_4]
		mov	esi, edx
		mov	eax, [esp+60h+var_10]
		mov	ebx, [esp+60h+var_48]
		mov	[ecx], eax
		mov	eax, [esp+60h+var_C]
		mov	[ecx+4], eax
		jmp	loc_489288
; 

loc_5B71EE:				; CODE XREF: EtwpReserveTraceBuffer+12E066j
					; EtwpReserveTraceBuffer+12E06Cj ...
		mov	ebx, [esp+60h+var_24]
		lea	ecx, [edx+18h]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		mov	[esp+60h+var_44], eax
		cmp	edx, eax
		jnz	loc_5B72B2
		lea	ecx, [eax+18h]
		cmp	ecx, [esp+60h+var_40]
		ja	loc_5B72E4
		mov	esi, [esi+8]
		add	esi, [esp+60h+var_20]
		mov	eax, [esp+60h+var_3C]
		mov	edx, [esp+60h+var_30]
		nop
		mov	ebx, [esp+60h+var_18]
		mov	ecx, [esp+60h+var_14]
		lock cmpxchg8b qword ptr [esi]
		cmp	[esp+60h+var_3C], eax
		jnz	short loc_5B727A
		cmp	[esp+60h+var_30], edx
		jnz	short loc_5B727A
		mov	ecx, [esp+60h+var_44]
		mov	esi, ecx
		mov	ebx, [esp+60h+var_48]
		mov	eax, [esp+60h+var_10]
		mov	[ebx+ecx+8], eax
		mov	eax, [esp+60h+var_C]
		mov	[ebx+ecx+0Ch], eax
		mov	eax, [esp+60h+var_18]
		mov	[ebx+ecx+10h], eax
		mov	eax, [esp+60h+var_14]
		mov	dword ptr [ebx+ecx+4], offset dword_510018
		mov	dword ptr [ebx+ecx], 0C0100002h
		mov	[ebx+ecx+14h], eax
		jmp	loc_4893DE
; 

loc_5B727A:				; CODE XREF: EtwpReserveTraceBuffer+12E0D4j
					; EtwpReserveTraceBuffer+12E0DAj
		mov	ecx, [esp+60h+var_44]
		mov	esi, ecx
		mov	ebx, [esp+60h+var_48]
		mov	eax, [esp+60h+var_10]
		mov	[ebx+ecx+8], eax
		mov	eax, [esp+60h+var_C]
		mov	[ebx+ecx+0Ch], eax
		xor	eax, eax
		mov	dword ptr [ebx+ecx+4], offset dword_510018
		mov	dword ptr [ebx+ecx], 0C0100001h
		mov	[ebx+ecx+10h], eax
		mov	[ebx+ecx+14h], eax
		jmp	loc_4893DE
; 

loc_5B72B2:				; CODE XREF: EtwpReserveTraceBuffer+12E0A1j
		mov	ebx, [esp+60h+var_48]
		jmp	loc_4893DC
; 

loc_5B72BB:				; CODE XREF: EtwpReserveTraceBuffer+20Dj
		sub	eax, 1
		jnz	loc_5B73BC
		mov	[esp+60h+var_8], eax
		mov	[esp+60h+var_4], eax
		lea	eax, [esp+60h+var_8]
		push	eax
		call	ds:off_6B1438	; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		mov	ecx, [esp+64h+var_C]
		mov	edx, [esp+64h+var_8]
		jmp	loc_489280
; 

loc_5B72E4:				; CODE XREF: EtwpReserveTraceBuffer+12E0AEj
		mov	ebx, [esp+60h+var_48]
		mov	[ebx+4], eax
		jmp	loc_489398
; 

loc_5B72F0:				; CODE XREF: EtwpReserveTraceBuffer+25Aj
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	esi, eax
		mov	ecx, edx
		lea	eax, [edi+340h]
		mov	[esp+64h+var_20], eax
		mov	edi, eax

loc_5B7308:				; CODE XREF: EtwpReserveTraceBuffer+12E1C4j
					; EtwpReserveTraceBuffer+12E1CCj
		mov	eax, [edi]
		mov	edx, [edi+4]
		mov	[esp+64h+var_20], eax
		mov	[esp+64h+var_24], edx
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, edx
		mov	edx, [esp+64h+var_20]
		cmp	eax, edx
		jnz	short loc_5B7308
		mov	eax, [esp+64h+var_24]
		cmp	ebx, eax
		jnz	short loc_5B7308
		mov	edi, [esp+64h+var_3C]
		sub	esi, edx
		mov	[esp+64h+var_34], esi
		sbb	ecx, eax
		mov	[esp+64h+var_48], ecx
		lea	eax, [edi+348h]
		mov	edi, eax

loc_5B7346:				; CODE XREF: EtwpReserveTraceBuffer+12E247j
					; EtwpReserveTraceBuffer+12E24Dj
		mov	edx, [edi]
		mov	eax, edx
		mov	ebx, [edi+4]
		or	eax, ebx
		mov	[esp+64h+var_40], edx
		mov	[esp+64h+var_20], ebx
		jnz	short loc_5B735F
		mov	[esp+64h+var_4C], esi
		jmp	short loc_5B7392
; 

loc_5B735F:				; CODE XREF: EtwpReserveTraceBuffer+12E1F7j
		mov	esi, edx
		mov	ecx, ebx
		mov	eax, esi
		mov	edx, ebx
		shld	ecx, eax, 1
		push	0
		add	eax, eax
		add	esi, eax
		push	4
		adc	edx, ecx
		add	esi, [esp+6Ch+var_34]
		adc	edx, [esp+6Ch+var_48]
		push	edx
		push	esi
		call	__alldiv
		mov	esi, [esp+64h+var_34]
		mov	ecx, edx
		mov	edx, [esp+64h+var_40]
		mov	[esp+64h+var_4C], eax

loc_5B7392:				; CODE XREF: EtwpReserveTraceBuffer+12E1FDj
		mov	eax, edx
		mov	edx, ebx
		nop
		mov	ebx, [esp+64h+var_4C]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [esp+64h+var_48]
		cmp	eax, [esp+64h+var_40]
		jnz	short loc_5B7346
		cmp	edx, [esp+64h+var_20]
		jnz	short loc_5B7346
		mov	edi, [esp+64h+var_3C]
		mov	esi, [esp+64h+var_28]
		jmp	loc_4893C0
; 

loc_5B73BC:				; CODE XREF: EtwpReserveTraceBuffer+12E15Ej
		mov	ecx, 3Dh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5B73C3:				; CODE XREF: KiUpdateRunTime+68j
					; EtwpReserveTraceBuffer+12E26Ej
		pause
		mov	eax, [edi+34h]
		mov	ecx, [edi+30h]
		cmp	eax, [edi+38h]
		jnz	short loc_5B73C3
		jmp	loc_48959E
; END OF FUNCTION CHUNK	FOR EtwpReserveTraceBuffer
; 
; START	OF FUNCTION CHUNK FOR PpmCheckSnapAllDeliveredPerformance

loc_5B73D5:				; CODE XREF: PpmCheckSnapAllDeliveredPerformance+5Aj
		xor	eax, eax
		jmp	loc_489697
; END OF FUNCTION CHUNK	FOR PpmCheckSnapAllDeliveredPerformance
; 
; START	OF FUNCTION CHUNK FOR PpmPerfSnapDeliveredPerformance

loc_5B73DC:				; CODE XREF: PpmPerfSnapDeliveredPerformance+CBj
					; PpmPerfSnapDeliveredPerformance+D5j
		mov	al, byte ptr [esp+0B0h+var_A0]
		test	al, al
		jz	loc_48984F

loc_5B73E8:				; CODE XREF: PpmPerfSnapDeliveredPerformance+91j
					; PpmPerfSnapDeliveredPerformance+9Bj
		xor	al, al
		jmp	loc_489A1B
; 

loc_5B73EF:				; CODE XREF: PpmPerfSnapDeliveredPerformance+336j
		mov	byte ptr [esi+3E50h], 0
		jmp	loc_489AD5
; 

loc_5B73FB:				; CODE XREF: PpmPerfSnapDeliveredPerformance+34Fj
					; PpmPerfSnapDeliveredPerformance+35Fj
		mov	ecx, [esi+3E4Ch]
		xor	edx, edx
		inc	ecx
		mov	eax, ecx
		mov	[esi+3E4Ch], ecx
		div	ds:_PopProcessorThrottleLogInterval
		test	edx, edx
		jz	short loc_5B741F
		cmp	ecx, 1
		jnz	loc_489AD5

loc_5B741F:				; CODE XREF: PpmPerfSnapDeliveredPerformance+12DCA4j
		push	[esp+0B0h+var_8C]
		movzx	ecx, large byte	ptr fs:51h
		lea	edx, [esi+3E60h]
		push	[esp+0B4h+var_90]
		call	_PopDiagTraceIllegalProcessorThrottle@16 ; PopDiagTraceIllegalProcessorThrottle(x,x,x,x)
		jmp	loc_489AD5
; 

loc_5B743F:				; CODE XREF: PpmPerfSnapDeliveredPerformance+202j
		cmp	edx, [ecx+144h]
		jz	loc_489A08
		jmp	loc_489978
; 

loc_5B7450:				; CODE XREF: PpmPerfSnapDeliveredPerformance+277j
		test	al, al
		jnz	loc_4899FE
		jmp	loc_4899ED
; 

loc_5B745D:				; CODE XREF: PpmPerfSnapDeliveredPerformance+288j
		mov	ecx, [edx+58h]
		xor	edi, edi
		mov	edx, [edx+5Ch]
		mov	eax, ecx
		and	eax, 80h
		cmp	eax, ecx
		jnz	loc_4899FE
		cmp	edi, edx
		jz	loc_489B26
		jmp	loc_4899FE
; END OF FUNCTION CHUNK	FOR PpmPerfSnapDeliveredPerformance
; 
; START	OF FUNCTION CHUNK FOR PpmSnapPerformanceAccumulation

loc_5B7481:				; CODE XREF: PpmSnapPerformanceAccumulation+C3j
		lea	edx, [esp+8Ch+var_34]
		mov	ecx, esi
		call	_HvlGetIdleGenerationCounter@8 ; HvlGetIdleGenerationCounter(x,x)
		test	al, al
		jnz	short loc_5B7498
		xor	ebx, ebx
		mov	[esp+8Ch+var_60], ebx
		jmp	short loc_5B74A4
; 

loc_5B7498:				; CODE XREF: PpmSnapPerformanceAccumulation+12D89Ej
		mov	eax, [esp+8Ch+var_30]
		mov	ebx, [esp+8Ch+var_34]
		mov	[esp+8Ch+var_60], eax

loc_5B74A4:				; CODE XREF: PpmSnapPerformanceAccumulation+12D8A6j
		mov	[esp+8Ch+var_54], ebx
		jmp	loc_489CB9
; 

loc_5B74AD:				; CODE XREF: PpmSnapPerformanceAccumulation+372j
		mov	ecx, 0DB2h
		rdmsr
		mov	[esp+8Ch+var_64], eax
		mov	[esp+8Ch+var_74], edx
		jmp	loc_489F70
; 

loc_5B74C1:				; CODE XREF: PpmSnapPerformanceAccumulation+3F7j
		mov	ecx, [esp+8Ch+var_64]
		sub	ecx, [esi+3E20h]
		mov	eax, [esp+8Ch+var_74]
		sbb	eax, [esi+3E24h]
		push	eax
		mov	eax, [esp+90h+var_58]
		push	ecx
		mov	ecx, [esp+94h+var_80]
		sub	ecx, edi
		sbb	eax, ebx
		push	eax
		mov	eax, [esp+98h+var_5C]
		push	ecx
		push	[esp+9Ch+var_78]
		push	eax
		call	PpmConvertTime
		add	[esi+3E28h], eax
		adc	[esi+3E2Ch], edx
		jmp	loc_489FED
; 

loc_5B7504:				; CODE XREF: PpmSnapPerformanceAccumulation+456j
		mov	eax, [esp+8Ch+var_64]
		mov	[esi+3E20h], eax
		mov	eax, [esp+8Ch+var_74]
		mov	[esi+3E24h], eax
		jmp	loc_48A04C
; 

loc_5B751D:				; CODE XREF: PpmSnapPerformanceAccumulation+104j
					; PpmSnapPerformanceAccumulation+12D941j
		pause
		mov	edx, [esi+3B6Ch]
		mov	eax, [esi+3B68h]
		cmp	edx, [esi+3B90h]
		jnz	short loc_5B751D
		jmp	loc_489CFA
; 

loc_5B7538:				; CODE XREF: PpmSnapPerformanceAccumulation+16Fj
		lea	ecx, [esp+8Ch+var_24]
		mov	[esp+8Ch+var_80], ecx
		jmp	loc_489D65
; 

loc_5B7545:				; CODE XREF: PpmSnapPerformanceAccumulation+199j
		mov	dl, byte ptr [esp+8Ch+var_48]
		mov	ecx, [esi+3CCh]
		push	1
		call	eax
		jmp	loc_489D8F
; 

loc_5B7558:				; CODE XREF: PpmSnapPerformanceAccumulation+1A5j
		mov	edx, [edx]
		mov	[esp+24h], edx
		mov	edx, [esp+8Ch+var_80]
		mov	eax, [edx+4]
		mov	ebx, [edx+8]
		mov	ecx, [edx+0Ch]
		mov	[esp+8Ch+var_7C], eax
		mov	eax, [edx+10h]
		mov	[esp+8Ch+var_58], eax
		mov	eax, [edx+14h]
		jmp	loc_489DD9
; 

loc_5B757E:				; CODE XREF: PpmSnapPerformanceAccumulation+483j
		mov	eax, [esi+3DF0h]
		mov	[esp+8Ch+var_78], eax
		mov	eax, [esi+3DF4h]
		jmp	loc_489E02
; 

loc_5B7593:				; CODE XREF: PpmSnapPerformanceAccumulation+223j
		mov	eax, [esi+3DF0h]
		mov	[esp+8Ch+var_78], eax
		mov	eax, [esi+3DF4h]
		mov	ebx, [esp+8Ch+var_78]
		jmp	loc_489E19
; 

loc_5B75AC:				; CODE XREF: PpmSnapPerformanceAccumulation+2AEj
		lea	edx, [esp+8Ch+var_2C]
		mov	ecx, esi
		call	_HvlGetIdleGenerationCounter@8 ; HvlGetIdleGenerationCounter(x,x)
		test	al, al
		jnz	short loc_5B75C4
		xor	edx, edx
		xor	eax, eax
		jmp	loc_489EA8
; 

loc_5B75C4:				; CODE XREF: PpmSnapPerformanceAccumulation+12D9C9j
		mov	eax, [esp+8Ch+var_28]
		mov	edx, [esp+8Ch+var_2C]
		jmp	loc_489EA8
; 

loc_5B75D1:				; CODE XREF: PpmSnapPerformanceAccumulation+2D5j
		mov	ecx, [esp+8Ch+var_64]
		jmp	loc_489EE3
; END OF FUNCTION CHUNK	FOR PpmSnapPerformanceAccumulation
; 
; START	OF FUNCTION CHUNK FOR PpmExitCoordinatedIdle

loc_5B75DA:				; CODE XREF: PpmExitCoordinatedIdle+1Fj
		cmp	[ebp+arg_0], 0
		jnz	short loc_5B762C
		cmp	[esi+4], edi
		jbe	short loc_5B762C
		xor	ebx, ebx

loc_5B75E7:				; CODE XREF: PpmExitCoordinatedIdle+12BCC4j
		mov	eax, [esi+0Ch]
		mov	eax, [eax+ebx*4]
		mov	[ebp+var_28], eax
		lea	ecx, [eax+eax*2]
		mov	eax, ds:_PpmPlatformStates
		add	eax, 88h
		shl	ecx, 6
		add	ecx, eax
		call	_PpmAbortCoordinatedIdleState@4	; PpmAbortCoordinatedIdleState(x)
		cmp	[ebp+arg_8], 0
		jz	short loc_5B7620
		mov	eax, ds:_PpmPlatformStates
		imul	ecx, [ebp+var_28], 3F0h
		mov	eax, [eax+20h]
		inc	dword ptr [ecx+eax+18h]

loc_5B7620:				; CODE XREF: PpmExitCoordinatedIdle+12BCABj
		inc	ebx
		cmp	ebx, [esi+4]
		jb	short loc_5B75E7
		mov	ecx, [ebp+var_2C]
		or	ebx, 0FFFFFFFFh

loc_5B762C:				; CODE XREF: PpmExitCoordinatedIdle+12BC7Ej
					; PpmExitCoordinatedIdle+12BC83j
		mov	eax, ds:_PpmPlatformStates
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_5B782C
		lea	edx, [eax-1]
		mov	[ebp+var_8], edx
		imul	edx, eax, 3F0h
		sub	edx, 3F0h
		mov	[ebp+var_10], edx
		lea	edx, [eax+eax*2]
		shl	edx, 6
		sub	edx, 0C0h
		mov	[ebp+var_28], edx

loc_5B7662:				; CODE XREF: PpmExitCoordinatedIdle+12BEC7j
		mov	eax, ds:_PpmPlatformStates
		mov	ecx, [ecx+3CCh]
		add	eax, 40h
		add	edx, eax
		mov	[ebp+var_1], 0
		mov	[ebp+var_C], edx
		mov	eax, [edx+38h]
		shr	eax, cl
		test	al, 1
		jz	loc_5B77FF
		lea	ecx, [edx+48h]
		lea	edx, [ebp+var_2]
		call	_PpmExitCoordinatedIdleState@8 ; PpmExitCoordinatedIdleState(x,x)
		mov	ecx, [ebp+var_8]
		test	al, al
		jz	loc_5B7802
		mov	eax, [esi+0Ch]
		mov	[eax+edi*4], ecx
		inc	edi
		cmp	edi, 1
		jnz	loc_5B7758
		mov	edx, [ebp+var_C]
		cmp	byte ptr [edx+29h], 0
		jz	loc_5B7758
		cmp	[ebp+arg_0], 0
		mov	eax, ecx
		mov	ebx, ecx
		jz	loc_5B774C
		cmp	[ebp+arg_4], 0
		mov	cl, [ebp+arg_8]
		jl	short loc_5B76F2
		test	cl, cl
		jnz	short loc_5B76F2
		cmp	eax, ds:_PpmDripsStateIndex
		jnz	short loc_5B76F2
		mov	eax, ds:_PpmPlatformStates
		cmp	[eax+24h], cl
		mov	eax, ebx
		jz	short loc_5B76F2
		cmp	[ebp+arg_1C], 7
		jz	short loc_5B76F2
		mov	[ebp+var_1], 1

loc_5B76F2:				; CODE XREF: PpmExitCoordinatedIdle+12BD6Ej
					; PpmExitCoordinatedIdle+12BD72j ...
		cmp	byte ptr [edx+28h], 0
		jz	short loc_5B7714
		mov	ecx, 1
		call	_KdCallPowerHandlers@4 ; KdCallPowerHandlers(x)
		push	1
		push	80000001h
		call	_KdPowerTransitionEx@8 ; KdPowerTransitionEx(x,x)
		mov	eax, [ebp+var_8]
		mov	cl, [ebp+arg_8]

loc_5B7714:				; CODE XREF: PpmExitCoordinatedIdle+12BD96j
		test	ds:_PopSimulate, 100h
		jz	short loc_5B774C
		cmp	[ebp+arg_4], 0
		jl	short loc_5B774C
		test	cl, cl
		jz	short loc_5B774C
		cmp	[ebp+arg_14], 0
		jz	short loc_5B774C
		cmp	eax, ds:_PpmDripsStateIndex
		jnz	short loc_5B774C
		push	0
		push	0
		push	eax
		push	257h
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B774C:				; CODE XREF: PpmExitCoordinatedIdle+12BD61j
					; PpmExitCoordinatedIdle+12BDBEj ...
		mov	eax, ds:_PpmPlatformStates
		mov	ecx, [ebp+var_8]
		mov	byte ptr [eax+24h], 0

loc_5B7758:				; CODE XREF: PpmExitCoordinatedIdle+12BD46j
					; PpmExitCoordinatedIdle+12BD53j
		cmp	[ebp+arg_8], 0
		jnz	loc_5B7802
		mov	eax, ds:_PpmPlatformStates
		mov	edx, [ebp+var_10]
		add	edx, 18h
		mov	eax, [eax+20h]
		add	eax, edx
		mov	edx, [ebp+var_C]
		mov	[ebp+var_18], eax
		mov	eax, [edx+50h]
		mov	[ebp+var_C], eax
		mov	eax, [edx+54h]
		cmp	[ebp+arg_10], eax
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_18]
		ja	short loc_5B779D
		jb	short loc_5B7796
		mov	edx, [ebp+arg_C]
		cmp	edx, [ebp+var_C]
		jnb	short loc_5B779D

loc_5B7796:				; CODE XREF: PpmExitCoordinatedIdle+12BE2Cj
		xor	edx, edx
		mov	[ebp+var_20], edx
		jmp	short loc_5B77B2
; 

loc_5B779D:				; CODE XREF: PpmExitCoordinatedIdle+12BE2Aj
					; PpmExitCoordinatedIdle+12BE34j
		mov	edx, [ebp+arg_C]
		sub	edx, [ebp+var_C]
		mov	ecx, [ebp+arg_10]
		sbb	ecx, [ebp+var_14]
		add	[eax+20h], edx
		mov	[ebp+var_20], ecx
		adc	[eax+24h], ecx

loc_5B77B2:				; CODE XREF: PpmExitCoordinatedIdle+12BE3Bj
		cmp	[ebp+var_1], 0
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_1C], edx
		jz	short loc_5B77E0
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_1C]
		mov	ecx, ebx
		push	[ebp+arg_C]
		push	[ebp+var_14]
		push	[ebp+var_C]
		push	[ebp+arg_18]
		call	_PopIdleWakeNotifyWakeSource@28	; PopIdleWakeNotifyWakeSource(x,x,x,x,x,x,x)
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_1C]

loc_5B77E0:				; CODE XREF: PpmExitCoordinatedIdle+12BE5Cj
		cmp	[ebp+arg_4], 0
		jge	short loc_5B77F1
		cmp	[ebp+var_2], 0
		jz	short loc_5B77F1
		inc	dword ptr [eax+4]
		jmp	short loc_5B7802
; 

loc_5B77F1:				; CODE XREF: PpmExitCoordinatedIdle+12BE84j
					; PpmExitCoordinatedIdle+12BE8Aj
		push	[ebp+var_20]
		inc	dword ptr [eax+8]
		mov	ecx, eax
		push	edx
		call	_PpmUpdatePlatformIdleAccounting@12 ; PpmUpdatePlatformIdleAccounting(x,x,x)

loc_5B77FF:				; CODE XREF: PpmExitCoordinatedIdle+12BD20j
		mov	ecx, [ebp+var_8]

loc_5B7802:				; CODE XREF: PpmExitCoordinatedIdle+12BD36j
					; PpmExitCoordinatedIdle+12BDFCj ...
		mov	eax, [ebp+var_24]
		dec	ecx
		mov	edx, [ebp+var_28]
		dec	eax
		sub	[ebp+var_10], 3F0h
		sub	edx, 0C0h
		mov	[ebp+var_24], eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_28], edx
		test	eax, eax
		jz	short loc_5B782C
		mov	ecx, [ebp+var_2C]
		jmp	loc_5B7662
; 

loc_5B782C:				; CODE XREF: PpmExitCoordinatedIdle+12BCD8j
					; PpmExitCoordinatedIdle+12BEC2j
		cmp	[ebp+arg_0], 0
		jz	loc_48B985
		mov	ecx, [esi+0Ch]
		mov	edx, edi
		push	ecx
		xor	cl, cl
		call	_PpmEventCoordinatedIdleTransition@12 ;	PpmEventCoordinatedIdleTransition(x,x,x)
		jmp	loc_48B985
; END OF FUNCTION CHUNK	FOR PpmExitCoordinatedIdle
; 
; START	OF FUNCTION CHUNK FOR PpmUpdatePerformanceFeedback

loc_5B7848:				; CODE XREF: PpmUpdatePerformanceFeedback+4Dj
		lea	edx, [esp+80h+var_28]
		mov	[esp+80h+var_6D], 1
		call	_HvlGetIdleGenerationCounter@8 ; HvlGetIdleGenerationCounter(x,x)
		mov	al, [esp+80h+var_6F]
		xor	edx, edx
		jmp	loc_48B9F7
; 

loc_5B7861:				; CODE XREF: PpmUpdatePerformanceFeedback+CDj
		mov	ecx, esi
		call	@KiAcquireSpinLockInstrumented@4 ; KiAcquireSpinLockInstrumented(x)
		jmp	loc_48BA7E
; 

loc_5B786D:				; CODE XREF: PpmUpdatePerformanceFeedback+D8j
		mov	ecx, esi
		call	KxWaitForSpinLockAndAcquire
		jmp	loc_48BA7E
; 

loc_5B7879:				; CODE XREF: PpmUpdatePerformanceFeedback+10Ej
		mov	ecx, [esp+80h+var_40]
		lea	eax, [esp+80h+var_20]
		push	eax
		lea	edx, [esp+84h+var_30]
		call	_PpmHvGetRuntimesForProcessor@12 ; PpmHvGetRuntimesForProcessor(x,x,x)
		mov	ecx, eax
		mov	[esp+80h+var_60], eax
		sub	ecx, [esp+80h+var_30]
		mov	edi, edx
		mov	eax, ecx
		mov	[esp+80h+var_5C], edx
		sbb	edi, [esp+80h+var_2C]
		sub	eax, [esi+68h]
		mov	edx, edi
		mov	[esp+80h+var_6C], eax
		sbb	edx, [esi+6Ch]
		mov	[esp+80h+var_68], edx
		mov	[esi+68h], ecx
		mov	[esi+6Ch], edi
		jmp	loc_48BAB8
; 

loc_5B78BC:				; CODE XREF: PpmUpdatePerformanceFeedback+167j
		lea	edx, [esp+80h+var_8]
		call	eax
		mov	ecx, [esp+80h+var_8]
		jmp	loc_48BBC6
; 

loc_5B78CB:				; CODE XREF: PpmUpdatePerformanceFeedback+2BDj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_48BC68
; 

loc_5B78DA:				; CODE XREF: PpmUpdatePerformanceFeedback+2E2j
		mov	eax, edi
		or	eax, edx
		jnz	short loc_5B78F2
		lea	eax, [esp+88h+var_28]
		mov	ecx, ebx
		push	eax
		lea	edx, [esp+8Ch+var_38]
		call	_PpmHvGetRuntimesForProcessor@12 ; PpmHvGetRuntimesForProcessor(x,x,x)
		mov	edi, eax

loc_5B78F2:				; CODE XREF: PpmUpdatePerformanceFeedback+12BF3Ej
		mov	eax, [esp+88h+var_38]
		mov	[esi+8], eax
		mov	eax, [esp+88h+var_34]
		mov	[esi+0Ch], eax
		mov	eax, [esp+88h+var_28]
		mov	[esi+10h], eax
		mov	eax, [esp+88h+var_24]
		mov	[esi+14h], eax
		mov	al, 1
		mov	[esi], edi
		mov	[esi+4], edx
		jmp	loc_48BC88
; END OF FUNCTION CHUNK	FOR PpmUpdatePerformanceFeedback
; 
; START	OF FUNCTION CHUNK FOR PpmIdlePrepare

loc_5B791A:				; CODE XREF: PpmIdlePrepare+447j
		mov	al, ds:_PopDeepSleepEvaluateWorkItemQueued
		test	al, al
		jnz	loc_48C1DD
		mov	al, 1
		jmp	loc_48C1DF
; 

loc_5B792E:				; CODE XREF: PpmIdlePrepare+60j
		test	edx, edx
		jnz	short loc_5B793C
		cmp	dword ptr [ecx+20h], 1
		jbe	loc_48BDF6

loc_5B793C:				; CODE XREF: PpmIdlePrepare+12BBA0j
		mov	[ebp+var_1], 1
		jmp	loc_48BDF6
; 

loc_5B7945:				; CODE XREF: PpmIdlePrepare+13Bj
		mov	ecx, [ebp+var_4C]
		jmp	loc_48BEDF
; 

loc_5B794D:				; CODE XREF: PpmIdlePrepare+161j
		mov	edi, [ebp+var_1C]
		mul	ecx
		mov	[ebp+var_28], 0
		add	eax, edi
		mov	[ebp+var_10], edx
		mov	edx, [ebp+var_18]
		adc	[ebp+var_10], edx
		cmp	[ebp+var_10], edx
		ja	short loc_5B7976
		jb	short loc_5B796F
		cmp	eax, edi
		jnb	short loc_5B7976

loc_5B796F:				; CODE XREF: PpmIdlePrepare+12BBD9j
		mov	[ebp+var_28], 1

loc_5B7976:				; CODE XREF: PpmIdlePrepare+12BBD7j
					; PpmIdlePrepare+12BBDDj
		mov	eax, ecx
		mul	[ebp+var_2C]
		add	eax, [ebp+var_10]
		mov	ecx, edx
		adc	ecx, [ebp+var_28]
		jmp	loc_48BF03
; 

loc_5B7988:				; CODE XREF: PpmIdlePrepare+EEj
					; PpmIdlePrepare+FBj
		mov	eax, [ebp+var_2C]
		mov	ecx, eax
		jmp	loc_48BF03
; 

loc_5B7992:				; CODE XREF: PpmIdlePrepare+416j
		mov	ecx, eax
		mov	eax, ds:dword_6D0698
		imul	ecx, edi
		add	ecx, edx
		mov	ecx, [eax+ecx*4]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_48C1AC
		mov	ecx, ds:_KeNodeBlock[ecx*4]
		mov	eax, [ecx+84h]
		cmp	[ecx+40h], eax
		jnz	loc_48BF82
		mov	eax, [ebp+var_4C]
		jmp	loc_48C1A3
; 

loc_5B79C8:				; CODE XREF: PpmIdlePrepare+1FDj
		mov	ecx, 100h
		or	[ebx+30h], cx
		mov	ecx, [ebx+1Ch]
		jmp	loc_48BF96
; 

loc_5B79D9:				; CODE XREF: PpmIdlePrepare+238j
		mov	eax, 4000h
		or	[ebx+30h], ax
		jmp	loc_48BFCE
; 

loc_5B79E7:				; CODE XREF: PpmIdlePrepare+251j
		mov	ecx, [ebp+var_14]
		cmp	byte ptr [ecx+0BCh], 0
		jnz	loc_48BFE7
		xor	eax, eax
		mov	[ecx+30h], ax
		xor	al, al
		mov	[ebp+var_1], al
		jmp	loc_48BDFE
; 

loc_5B7A07:				; CODE XREF: PpmIdlePrepare+2D4j
		mov	edx, [ebp+var_18]

loc_5B7A0A:				; CODE XREF: PpmIdlePrepare+12BCBEj
		lea	eax, [edx-1]
		xor	ecx, ecx
		xor	ecx, [ebp+var_10]
		xor	eax, edx
		movzx	ebx, ax
		mov	esi, offset _PpmPlatformIdleHint
		xor	ebx, edx
		mov	eax, edx
		mov	edx, [ebp+var_10]
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+var_18]
		mov	ebx, edx
		mov	[ebp+var_54], eax
		cmp	eax, ecx
		jnz	short loc_5B7A3E
		mov	eax, [ebp+var_10]
		cmp	ebx, eax
		jz	short loc_5B7A61
		mov	eax, [ebp+var_54]

loc_5B7A3E:				; CODE XREF: PpmIdlePrepare+12BCA2j
		mov	edx, eax
		mov	[ebp+var_10], ebx
		mov	[ebp+var_18], edx
		pause
		movzx	eax, ax
		or	eax, 0
		jnz	short loc_5B7A0A
		mov	bl, [ebp+var_1]
		mov	ecx, [ebp+var_38]
		mov	edx, [ebp+var_34]
		mov	eax, [ebp+var_50]
		jmp	loc_48C06C
; 

loc_5B7A61:				; CODE XREF: PpmIdlePrepare+12BCA9j
		mov	bl, [ebp+var_1]
		mov	edx, [ebp+var_34]
		shrd	ecx, eax, 10h
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+var_38]
		shr	eax, 10h
		jmp	loc_48C06C
; 

loc_5B7A79:				; CODE XREF: PpmIdlePrepare+36Ej
		mov	esi, eax
		mov	edi, ecx

loc_5B7A7D:				; CODE XREF: PpmIdlePrepare+12BD06j
		mov	eax, [esi+4Ch]
		lea	ecx, [eax-1]
		and	ecx, eax
		imul	eax, edx, 3E8h
		mov	[esi+4Ch], ecx
		inc	dword ptr [eax+edi+34h]
		bsf	edx, [esi+4Ch]
		jnz	short loc_5B7A7D
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_38]
		mov	eax, [ebp+var_8]
		jmp	loc_48C104
; 

loc_5B7AA6:				; CODE XREF: PpmIdlePrepare+386j
		mov	edi, [ebp+arg_C]

loc_5B7AA9:				; CODE XREF: PpmIdlePrepare+12BD48j
		cmp	byte ptr [ecx+eax*8+4],	0FFh
		lea	esi, ds:0[eax*8]
		jnz	short loc_5B7AD2
		test	bh, bh
		jnz	short loc_5B7ABD
		mov	bh, 1

loc_5B7ABD:				; CODE XREF: PpmIdlePrepare+12BD29j
		mov	eax, [ebp+var_40]
		mov	ecx, [edi+8]
		mov	eax, [esi+eax]
		bts	ecx, eax
		mov	eax, [ebp+var_3C]
		mov	[edi+8], ecx
		mov	ecx, [ebp+var_40]

loc_5B7AD2:				; CODE XREF: PpmIdlePrepare+12BD25j
		inc	eax
		mov	[ebp+var_3C], eax
		cmp	eax, edx
		jb	short loc_5B7AA9
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_38]
		mov	ecx, [ebp+var_8]
		test	bh, bh
		jz	loc_48C11F
		cmp	byte ptr [ecx+34h], 0
		jz	loc_48C11F
		mov	edx, [ecx+1Ch]
		mov	eax, [ecx+18h]
		cmp	[ebp+var_24], edx
		ja	loc_48C11F
		jb	short loc_5B7B0F
		cmp	[ebp+var_20], eax
		jnb	loc_48C11F

loc_5B7B0F:				; CODE XREF: PpmIdlePrepare+12BD74j
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], edx
		jmp	loc_48C11F
; 

loc_5B7B1A:				; CODE XREF: PpmIdlePrepare+391j
		cmp	[ebp+var_44], 0
		jz	short loc_5B7B33
		mov	eax, [ebp+var_30]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5B7B42
		cmp	eax, [ebp+var_58]
		jnb	loc_48C127
		jmp	short loc_5B7B42
; 

loc_5B7B33:				; CODE XREF: PpmIdlePrepare+12BD8Ej
		mov	eax, [ebp+var_14]
		mov	eax, [eax+20h]
		dec	eax
		cmp	edi, eax
		jz	loc_48C127

loc_5B7B42:				; CODE XREF: PpmIdlePrepare+12BD96j
					; PpmIdlePrepare+12BDA1j
		mov	ebx, [ebp+var_14]
		xor	edx, edx
		mov	ecx, [ecx]
		mov	eax, [ebx+7Ch]
		call	eax
		mov	ecx, [ebp+var_34]
		imul	eax, edi, 3E8h
		inc	dword ptr [eax+ecx+30h]
		mov	eax, [ebp+var_30]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5B7B77
		mov	edx, [ebp+var_44]
		test	edx, edx
		jz	short loc_5B7B77
		mov	ecx, [edx+20h]
		imul	eax, 3F0h
		inc	dword ptr [eax+ecx+18h]

loc_5B7B77:				; CODE XREF: PpmIdlePrepare+12BDD1j
					; PpmIdlePrepare+12BDD8j
		mov	eax, 2
		mov	[ebx+30h], ax
		xor	al, al
		mov	[ebp+var_1], al
		jmp	loc_48BDFE
; 

loc_5B7B8A:				; CODE XREF: PpmIdlePrepare+352j
					; PpmIdlePrepare+35Bj
		xor	bl, bl
		jmp	loc_48C127
; END OF FUNCTION CHUNK	FOR PpmIdlePrepare
; 
; START	OF FUNCTION CHUNK FOR KeAccumulateTicks

loc_5B7B91:				; CODE XREF: KeAccumulateTicks+244j
		cmp	ds:_KeEnableWatchdogTimeout, 0
		jz	loc_48C47A
		mov	eax, ds:_KiBugCheckActive
		test	al, 3
		jnz	loc_48C47A
		mov	esi, [esp+20h+var_8]
		mov	ecx, 1
		mov	edx, esi
		call	_HvlInvokeHypervisorDebugger@8 ; HvlInvokeHypervisorDebugger(x,x)
		movzx	eax, ds:_KiClockKeepAliveCycle
		push	esi
		push	[esp+24h+var_C]
		push	0
		push	eax
		push	101h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B7BD4:				; CODE XREF: KeAccumulateTicks+351j
		cmp	[esp+34h+var_20], 0
		jz	loc_48C587
		mov	ecx, esi
		call	_KiDpcWatchdogCaptureStack@4 ; KiDpcWatchdogCaptureStack(x)
		mov	edx, [esi+4B0h]
		mov	eax, [esi+4D0h]
		mov	[esp+34h+var_21], 1
		jmp	loc_48C587
; 

loc_5B7BFC:				; CODE XREF: KeAccumulateTicks+35Fj
		cmp	ds:_KeEnableWatchdogTimeout, 0
		jz	short loc_5B7C2D
		rdtsc
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_4], edx
		xor	edx, edx
		lea	ecx, [edx+3]
		call	_HvlInvokeHypervisorDebugger@8 ; HvlInvokeHypervisorDebugger(x,x)
		cmp	ds:_KdDebuggerEnabled, 0
		jz	short loc_5B7C43
		cmp	ds:_KdDebuggerNotPresent, 0
		jnz	short loc_5B7C43
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_5B7C2D:				; CODE XREF: KeAccumulateTicks+12B9D3j
		mov	ecx, esi
		mov	dword ptr [esi+4B0h], 0
		call	KiResetGlobalDpcWatchdogProfiler
		jmp	loc_48C2B2
; 

loc_5B7C43:				; CODE XREF: KeAccumulateTicks+12B9F0j
					; KeAccumulateTicks+12B9F9j
		mov	eax, [esi+4D0h]
		push	offset _KeDpcWatchdogProfileGlobalTriageBlock
		push	eax
		mov	eax, [esi+4B0h]
		push	eax
		push	0
		push	133h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B7C62:				; CODE XREF: KeAccumulateTicks+1D4j
		cmp	[esp+34h+var_21], 0
		jnz	loc_48C40A
		mov	ecx, esi
		call	_KiDpcWatchdogCaptureStack@4 ; KiDpcWatchdogCaptureStack(x)
		mov	edx, [esi+3B0Ch]
		mov	eax, [esi+3B08h]
		jmp	loc_48C40A
; 

loc_5B7C85:				; CODE XREF: KeAccumulateTicks+1C8j
		mov	eax, ecx
		jmp	loc_48C40A
; 

loc_5B7C8C:				; CODE XREF: KeAccumulateTicks+1E2j
		cmp	ds:_KeEnableWatchdogTimeout, 0
		jz	loc_48C4ED
		rdtsc
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_4], edx
		xor	edx, edx
		lea	ecx, [edx+2]
		call	_HvlInvokeHypervisorDebugger@8 ; HvlInvokeHypervisorDebugger(x,x)
		cmp	ds:_KdDebuggerEnabled, 0
		jz	short loc_5B7CC6
		cmp	ds:_KdDebuggerNotPresent, 0
		jnz	short loc_5B7CC6
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_48C4ED
; 

loc_5B7CC6:				; CODE XREF: KeAccumulateTicks+12BA84j
					; KeAccumulateTicks+12BA8Dj
		mov	eax, [esi+3B08h]
		push	0
		push	offset _KeDpcWatchdogProfileGlobalTriageBlock
		push	eax
		push	1
		push	133h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B7CE0:				; CODE XREF: KeAccumulateTicks+ACj
		cmp	dword ptr [esi+3B14h], 0
		jle	loc_48C2E2
		mov	eax, ds:_KiDpcWatchdogProfileArrayLength
		shl	eax, 2
		push	eax		; size_t
		push	0		; int
		push	ecx		; void *
		mov	[esi+4064h], ecx
		call	_memset
		add	esp, 0Ch
		jmp	loc_48C2E2
; 

loc_5B7D0C:				; CODE XREF: KeAccumulateTicks+168j
		call	KdCheckForDebugBreak
		jmp	loc_48C26F
; END OF FUNCTION CHUNK	FOR KeAccumulateTicks
; 
; START	OF FUNCTION CHUNK FOR KiCheckForTimerExpiration

loc_5B7D16:				; CODE XREF: KiCheckForTimerExpiration+4Cj
		mov	edi, 0FFDF000Ch
		lea	ebx, [edi-4]

loc_5B7D1E:				; CODE XREF: KiCheckForTimerExpiration+12B797j
		lea	ecx, [ebp+var_4C]
		call	KeYieldProcessorEx
		mov	esi, [edi]
		mov	eax, 0FFDF0010h
		mov	ecx, [ebx]
		mov	[ebp+var_40], esi
		mov	[ebp+var_30], ecx
		cmp	esi, [eax]
		jnz	short loc_5B7D1E
		mov	esi, [ebp+var_48]
		mov	al, [ebp+var_29]
		mov	ebx, [ebp+var_40]
		jmp	loc_48C5F2
; 

loc_5B7D47:				; CODE XREF: KiCheckForTimerExpiration+6Cj
		mov	edx, esi
		mov	[ebp+var_38], esi
		jmp	loc_48C64D
; 

loc_5B7D51:				; CODE XREF: KiCheckForTimerExpiration+273j
		mov	eax, [ebp+var_34]
		add	eax, 0FFh
		mov	[ebp+var_38], eax
		jmp	loc_48C819
; 

loc_5B7D61:				; CODE XREF: KiCheckForTimerExpiration+4A5j
					; KiCheckForTimerExpiration+12B7D5j ...
		mov	edi, eax
		mov	[ebp+var_3C], edx
		nop
		mov	ebx, esi
		mov	esi, [ebp+var_44]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_30]
		cmp	eax, edi
		jnz	short loc_5B7D61
		cmp	edx, [ebp+var_3C]
		jnz	short loc_5B7D61
		mov	esi, [ebp+var_48]
		jmp	loc_48CA2C
; 

loc_5B7D84:				; CODE XREF: KiCheckForTimerExpiration+363j
		push	1
		mov	edx, 534F5248h
		xor	ecx, ecx
		call	PoTraceSystemTimerResolutionKernel
		mov	ds:_KiClockOwnerOneShotRequest,	0
		mov	ds:dword_6CADF4, 0
		call	_KiSetClockIntervalToMinimumRequested@0	; KiSetClockIntervalToMinimumRequested()
		jmp	loc_48C909
; 

loc_5B7DB0:				; CODE XREF: KiCheckForTimerExpiration+8Dj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1Ch
		jnz	loc_48C633
		mov	eax, [ebp+var_30]
		mov	[ebp+var_18], eax
		xor	eax, eax
		mov	[ebp+var_14], ebx
		mov	word ptr [ebp+var_10], ax
		lea	edx, [eax+1]
		cmp	[esi+3D0h], al
		jz	short loc_5B7DDF
		mov	ax, dx
		mov	word ptr [ebp+var_10], ax

loc_5B7DDF:				; CODE XREF: KiCheckForTimerExpiration+12B836j
		test	byte ptr [edi],	8
		jz	short loc_5B7DEC
		or	ax, 8
		mov	word ptr [ebp+var_10], ax

loc_5B7DEC:				; CODE XREF: KiCheckForTimerExpiration+12B842j
		push	400A02h
		push	0F4Fh
		lea	eax, [ebp+var_18]
		mov	[ebp+var_24], 0
		push	40040000h
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_28], eax
		mov	[ebp+var_20], 10h
		mov	[ebp+var_1C], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_48C633
; END OF FUNCTION CHUNK	FOR KiCheckForTimerExpiration
; 
; START	OF FUNCTION CHUNK FOR KeResumeClockTimerFromIdle

loc_5B7E23:				; CODE XREF: KeResumeClockTimerFromIdle+86j
		mov	dword ptr [edi], 0FFFFFFFFh
		jmp	loc_48CAE0
; 

loc_5B7E2E:				; CODE XREF: KeResumeClockTimerFromIdle+1A1j
		test	edi, edi
		jz	short loc_5B7E65
		mov	ecx, ds:_KiClockTimerOwner
		cmp	ecx, [esi+3CCh]
		mov	ecx, [ebp+var_82+2]
		jnz	short loc_5B7E68
		cmp	edx, ds:dword_6CABA4
		jb	short loc_5B7E68
		ja	short loc_5B7E55
		cmp	ecx, ds:_KiClockTimerNextTickTime
		jb	short loc_5B7E68

loc_5B7E55:				; CODE XREF: KeResumeClockTimerFromIdle+12B3FBj
		test	bh, bh
		jz	short loc_5B7E68
		mov	eax, ecx
		sub	eax, ds:_KiClockTimerNextTickTime
		mov	[edi], eax
		jmp	short loc_5B7E68
; 

loc_5B7E65:				; CODE XREF: KeResumeClockTimerFromIdle+12B3E0j
		mov	ecx, [ebp+var_82+2]

loc_5B7E68:				; CODE XREF: KeResumeClockTimerFromIdle+12B3F1j
					; KeResumeClockTimerFromIdle+12B3F9j ...
		mov	ds:_KiClockLatencyMeasurementEnabled, 0
		jmp	loc_48CBFA
; 

loc_5B7E74:				; CODE XREF: KeResumeClockTimerFromIdle+1ACj
		mov	eax, ds:_KiClockTimerOwner
		cmp	eax, [esi+3CCh]
		jnz	loc_48CC02
		cmp	edx, ds:dword_6CABA4
		jb	loc_48CC02
		ja	short loc_5B7E9F
		cmp	ecx, ds:_KiClockTimerNextTickTime
		jb	loc_48CC02

loc_5B7E9F:				; CODE XREF: KeResumeClockTimerFromIdle+12B441j
		call	ds:off_6B1394	; KeIsCetCapable()
		test	al, al
		jz	loc_48CC02
		mov	eax, [ebp+var_82+2]
		sub	eax, ds:_KiClockTimerNextTickTime
		mov	[edi], eax
		jmp	loc_48CC02
; 

loc_5B7EBD:				; CODE XREF: KeResumeClockTimerFromIdle+20Aj
		test	bh, bh
		jz	short loc_5B7EEC
		push	ecx
		push	edi
		lea	edx, [ebp+var_82+1]
		lea	ecx, [ebp+var_82]
		call	_KiGetPastDueIRTimerInfo@16 ; KiGetPastDueIRTimerInfo(x,x,x,x)
		test	eax, eax
		jz	short loc_5B7EEC
		mov	dl, byte ptr [ebp+var_82+1]
		sub	esp, 8
		mov	cl, byte ptr [ebp+var_82]
		call	_ExRecordOneTimerExpiry@16 ; ExRecordOneTimerExpiry(x,x,x,x)

loc_5B7EEC:				; CODE XREF: KeResumeClockTimerFromIdle+12B46Fj
					; KeResumeClockTimerFromIdle+12B486j
		push	[ebp+var_7C]
		mov	ecx, esi
		push	edi
		call	_KiAdjustTimersAfterDripsExit@12 ; KiAdjustTimersAfterDripsExit(x,x,x)
		mov	ds:_KiConsiderTimerRebasing, 0
		jmp	loc_48CC60
; 

loc_5B7F03:				; CODE XREF: KeResumeClockTimerFromIdle+2BFj
		xor	eax, eax
		mov	[ebp+var_1E], edi
		mov	[ebp+var_1A], ax
		lea	ecx, [ebp+var_30]
		mov	eax, [ebp+var_98]
		mov	edx, 1
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_94]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_A0]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_9C]
		push	602h
		mov	[ebp+var_C], eax
		lea	eax, [ebp-20h]
		push	0F57h
		push	40100000h
		mov	[ebp+var_20], 100h
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], edi
		mov	[ebp+var_28], 18h
		mov	[ebp+var_24], edi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_48CD15
; 

loc_5B7F6A:				; CODE XREF: KeResumeClockTimerFromIdle+349j
		xor	eax, eax
		mov	[ebp+var_3C], 0
		mov	ecx, 6
		mov	[ebp+var_38], 18h
		lea	edi, [ebp+var_78]
		mov	[ebp+var_34], 0
		rep stosd
		mov	eax, ds:_KiClockTimerNextTickTime
		lea	ecx, [ebp+var_40]
		mov	[ebp+var_70], eax
		mov	edx, 1
		mov	eax, ds:dword_6CABA4
		push	602h
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_78]
		push	0F57h
		push	40100000h
		mov	word ptr [ebp+var_78], 102h
		mov	[ebp+var_40], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_7C]
		mov	edi, 2
		mov	edx, [ebp+var_88]
		jmp	loc_48CD9F
; 

loc_5B7FD6:				; CODE XREF: KeResumeClockTimerFromIdle+351j
		mov	ds:_KiClockTimerOwner, edx
		call	_KiSendClockInterruptToClockOwner@0 ; KiSendClockInterruptToClockOwner()
		mov	ebx, [ebp+var_82+2]
		jmp	loc_48CD15
; 

loc_5B7FE9:				; CODE XREF: KeResumeClockTimerFromIdle+2CFj
		mov	ds:_KiForceIdleReset, 0
		call	ds:off_6B1394	; KeIsCetCapable()
		xor	dl, dl
		test	al, al
		jz	short loc_5B8000
		xor	ecx, ecx
		jmp	short loc_5B8005
; 

loc_5B8000:				; CODE XREF: KeResumeClockTimerFromIdle+12B5AAj
		mov	ecx, 1

loc_5B8005:				; CODE XREF: KeResumeClockTimerFromIdle+12B5AEj
		call	_KiResetForceIdle@8 ; KiResetForceIdle(x,x)
		mov	ecx, [ebp+var_7C]
		jmp	loc_48CD25
; 

loc_5B8012:				; CODE XREF: KeResumeClockTimerFromIdle+2EBj
		push	602h
		mov	[ebp+var_48], eax
		mov	edx, 1
		push	0F58h
		mov	[ebp+var_4C], ecx
		lea	eax, [ebp+var_50]
		push	40100000h
		lea	ecx, [ebp+var_60]
		mov	[ebp+var_50], ebx
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], 0
		mov	[ebp+var_58], 10h
		mov	[ebp+var_54], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_48CD41
; 

loc_5B8057:				; CODE XREF: KeResumeClockTimerFromIdle+EEj
		mov	ecx, ds:_KiProcessorBlock[ecx*4]
		jmp	loc_48CB4B
; 

loc_5B8063:				; CODE XREF: KeResumeClockTimerFromIdle+102j
		call	ds:off_6B1388	; SymCryptFatalIntercept(x)
		mov	al, [esi+3D0h]
		jmp	loc_48CB58
; END OF FUNCTION CHUNK	FOR KeResumeClockTimerFromIdle
; 
; START	OF FUNCTION CHUNK FOR KiCheckGroupSchedulingQuantumEnd

loc_5B8074:				; CODE XREF: KiCheckGroupSchedulingQuantumEnd+34j
					; KiCheckGroupSchedulingQuantumEnd+12B28Dj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, ds:dword_7186C4
		mov	ecx, ds:_KeTickCount
		cmp	eax, ds:dword_7186C8
		jnz	short loc_5B8074
		jmp	loc_48CE3A
; 

loc_5B8094:				; CODE XREF: KiCheckGroupSchedulingQuantumEnd+A8j
		test	dl, 2
		jnz	loc_48CE9A
		mov	edx, [edi+30h]
		mov	ecx, [edi+34h]
		test	ecx, ecx
		jl	loc_48CE5B
		jg	short loc_5B80B5
		test	edx, edx
		jz	loc_48CE5B

loc_5B80B5:				; CODE XREF: KiCheckGroupSchedulingQuantumEnd+12B2ABj
		mov	ecx, [eax+4]
		cmp	ecx, [eax+1Ch]
		ja	loc_48CE5B
		jb	loc_48CE9A
		mov	ecx, [eax]
		cmp	ecx, [eax+18h]
		jnb	loc_48CE5B
		jmp	loc_48CE9A
; END OF FUNCTION CHUNK	FOR KiCheckGroupSchedulingQuantumEnd
; 
; START	OF FUNCTION CHUNK FOR KiInsertQueueDpc

loc_5B80D7:				; CODE XREF: KiInsertQueueDpc+33j
		mov	[ebp+var_1], 1
		jmp	loc_48CFAD
; 

loc_5B80E0:				; CODE XREF: KiInsertQueueDpc+50j
		push	0
		push	0
		push	edi
		push	6
		push	0C7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B80F1:				; CODE XREF: KiInsertQueueDpc+23Dj
		mov	eax, ds:_KeNumberProcessors
		push	eax
		push	ecx
		push	edi
		push	3
		push	0C7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5B8105:				; CODE XREF: KiInsertQueueDpc+B3j
		mov	ecx, eax
		call	@KiAcquireSpinLockInstrumented@4 ; KiAcquireSpinLockInstrumented(x)
		jmp	loc_48D034
; 

loc_5B8111:				; CODE XREF: KiInsertQueueDpc+103j
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_1C], eax
		mov	eax, [ebx+10h]
		mov	[ebp+var_18], eax
		jmp	loc_48D079
; 

loc_5B8122:				; CODE XREF: KiInsertQueueDpc+13Aj
		lea	eax, [esi+21E0h]
		cmp	ebx, eax
		jnz	loc_48D0B0
		mov	eax, [ecx+1Ch]
		inc	eax
		mov	[ecx+1Ch], eax
		jmp	loc_48D0B0
; 

loc_5B813C:				; CODE XREF: KiInsertQueueDpc+152j
		mov	edx, [ebp+4]
		lea	ecx, [ebx+8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_48D0D0
; 

loc_5B814C:				; CODE XREF: KiInsertQueueDpc+16Ej
		movzx	eax, byte ptr [edi+1]
		mov	edx, [edi+0Ch]
		push	eax
		push	[ebp+var_C]
		imul	ecx, edi, 0C8BE1499h
		push	[ebp+var_18]
		push	[ebp+var_1C]
		call	_EtwTraceDpcEnqueueEvent@24 ; EtwTraceDpcEnqueueEvent(x,x,x,x,x,x)
		jmp	loc_48D0E4
; END OF FUNCTION CHUNK	FOR KiInsertQueueDpc
; 
; START	OF FUNCTION CHUNK FOR KiDirectSwitchThread

loc_5B816D:				; CODE XREF: KiDirectSwitchThread+5Bj
		push	1
		push	[ebp+var_30]
		mov	dl, 1
		mov	ecx, esi
		call	_EtwTraceReadyThread@16	; EtwTraceReadyThread(x,x,x,x)
		jmp	loc_48D3F1
; 

loc_5B8180:				; CODE XREF: KiDirectSwitchThread+7D5j
		mov	[ebp+var_28], 0FFFFFFFFh
		jmp	loc_48DB8F
; 

loc_5B818C:				; CODE XREF: KiDirectSwitchThread+832j
		mov	edx, [ebp+var_4C]
		lea	eax, [ebp+var_38]
		mov	ecx, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	KiGetComparisonRanks
		jmp	loc_48D413
; 

loc_5B81A4:				; CODE XREF: KiDirectSwitchThread+BEj
		mov	[ebp+var_4], 0
		jmp	loc_48D458
; 

loc_5B81AD:				; CODE XREF: KiDirectSwitchThread+156j
		mov	al, [edi+60h]
		mov	edx, [ebx+3B40h]
		sub	edx, [ebx+3B48h]
		mov	ecx, [ebx+3B44h]
		sbb	ecx, [ebx+3B4Ch]
		movzx	eax, al
		add	[ebx+eax*8+3B50h], edx
		adc	[ebx+eax*8+3B54h], ecx
		mov	al, [ebp+var_1]
		and	al, 0EFh
		mov	dword ptr [ebx+3B48h], 0
		mov	dword ptr [ebx+3B4Ch], 0
		mov	[ebp+var_1], al
		jmp	loc_48D4EC
; 

loc_5B81FA:				; CODE XREF: KiDirectSwitchThread+195j
		mov	ecx, [eax+64h]
		jmp	loc_48D53A
; 

loc_5B8202:				; CODE XREF: KiDirectSwitchThread+183j
					; KiDirectSwitchThread+18Bj
		mov	ecx, 64h
		jmp	loc_48D53A
; 

loc_5B820C:				; CODE XREF: KiDirectSwitchThread+23Fj
		mov	eax, [ebp+var_2C]
		shl	eax, 4
		add	eax, 8
		add	eax, ebx
		mov	[ebp+var_34], eax
		mov	ecx, [eax]
		add	ecx, [ebp+var_14]
		mov	edx, [eax+4]
		adc	edx, [ebp+var_10]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_50], edx

loc_5B822B:				; CODE XREF: KiDirectSwitchThread+12AEB9j
					; KiDirectSwitchThread+12AEBEj
		mov	edi, [eax]
		mov	edx, [eax+4]
		mov	eax, edi
		mov	[ebp+var_54], edx
		nop
		mov	esi, [ebp+var_34]
		mov	ebx, ecx
		mov	ecx, [ebp+var_50]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+var_40]
		cmp	eax, edi
		mov	eax, esi
		jnz	short loc_5B822B
		cmp	edx, [ebp+var_54]
		jnz	short loc_5B822B
		mov	ebx, [ebp+var_3C]
		mov	eax, [ebp+var_C]
		jmp	loc_48D5D5
; 

loc_5B825B:				; CODE XREF: KiDirectSwitchThread+262j
		and	al, 0BFh
		jmp	loc_48D5F8
; 

loc_5B8262:				; CODE XREF: KiDirectSwitchThread+773j
		cmp	byte ptr [edi+244h], 2
		jz	short loc_5B827C
		add	[ebx+3B78h], eax
		adc	[ebx+3B7Ch], ecx
		jmp	loc_48DB09
; 

loc_5B827C:				; CODE XREF: KiDirectSwitchThread+12AED9j
		add	[ebx+3B80h], eax
		adc	[ebx+3B84h], ecx
		jmp	loc_48DB09
; 

loc_5B828D:				; CODE XREF: KiDirectSwitchThread+786j
		mov	ecx, edi
		call	_KiEndCounterAccumulation@4 ; KiEndCounterAccumulation(x)
		jmp	loc_48D600
; 

loc_5B8299:				; CODE XREF: KiDirectSwitchThread+2ECj
		mov	ecx, [ecx+64h]
		jmp	loc_48D691
; 

loc_5B82A1:				; CODE XREF: KiDirectSwitchThread+2DAj
					; KiDirectSwitchThread+2E2j
		mov	ecx, 64h
		jmp	loc_48D691
; 

loc_5B82AB:				; CODE XREF: KiDirectSwitchThread+372j
		mov	al, [edi+60h]
		mov	[ebx+3B48h], ecx
		mov	[ebx+3B4Ch], edx
		mov	al, [edi+2]
		jmp	loc_48D708
; 

loc_5B82C2:				; CODE XREF: KiDirectSwitchThread+37Aj
		xor	dl, dl
		mov	ecx, edi
		call	@KiBeginCounterAccumulation@8 ;	KiBeginCounterAccumulation(x,x)
		jmp	loc_48D710
; 

loc_5B82D0:				; CODE XREF: KiDirectSwitchThread+3B4j
					; KiDirectSwitchThread+12AF51j
		pause
		mov	edi, [esi+34h]
		mov	eax, [esi+30h]
		mov	[ebp+var_10], edi
		mov	[ebp+var_14], eax
		cmp	edi, [esi+38h]
		jnz	short loc_5B82D0
		jmp	loc_48D74A
; 

loc_5B82E8:				; CODE XREF: KiDirectSwitchThread+461j
		mov	ecx, esi
		call	_KiIsForegroundThreadWithBoost@4 ; KiIsForegroundThreadWithBoost(x)
		test	al, al
		jz	loc_48D7F7
		mov	ah, [esi+15Ch]
		or	al, 0FFh
		mov	cl, ah
		and	ah, 0Fh
		shr	cl, 4
		sub	al, cl
		add	dl, al
		mov	al, [esi+15Bh]
		add	al, ah
		cmp	dl, al
		jge	short loc_5B8319
		mov	dl, al

loc_5B8319:				; CODE XREF: KiDirectSwitchThread+12AF85j
		mov	[esi+15Ch], ah
		jmp	loc_48D824
; 

loc_5B8324:				; CODE XREF: KiDirectSwitchThread+6DDj
		mov	cl, 1
		jmp	loc_48DA75
; 

loc_5B832B:				; CODE XREF: KiDirectSwitchThread+6FAj
		mov	eax, ds:_KeTickCount
		sub	eax, [esi+138h]
		add	[esi+170h], eax
		jmp	loc_48DA90
; END OF FUNCTION CHUNK	FOR KiDirectSwitchThread
; 
; START	OF FUNCTION CHUNK FOR PpmCheckComputeEnergy

loc_5B8341:				; CODE XREF: PpmCheckComputeEnergy+7Bj
		xor	eax, eax
		jmp	loc_48E0B8
; 

loc_5B8348:				; CODE XREF: PpmCheckComputeEnergy+E9j
		mov	ecx, [ecx+64h]
		jmp	loc_48E12E
; 

loc_5B8350:				; CODE XREF: PpmCheckComputeEnergy+D7j
					; PpmCheckComputeEnergy+DFj
		mov	ecx, 64h
		jmp	loc_48E12E
; 

loc_5B835A:				; CODE XREF: PpmCheckComputeEnergy+196j
		lea	eax, [ebp+var_34]
		mov	[ebp+var_20], 0
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	0
		push	offset _PPM_ETW_COMPUTE_ENERGY
		push	ebx
		push	[ebp+var_28]
		mov	[ebp+var_1C], 4
		mov	[ebp+var_18], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 8
		mov	[ebp+var_8], 0
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_48E1CC
; END OF FUNCTION CHUNK	FOR PpmCheckComputeEnergy
; 
; START	OF FUNCTION CHUNK FOR KeFlushTb

loc_5B83AB:				; CODE XREF: KeFlushTb+24j
		test	al, 2
		jnz	short loc_5B840B
		test	eax, 800000h
		jz	short loc_5B83BF
		call	_KiIsFlushEntire@4 ; KiIsFlushEntire(x)
		test	al, al
		jnz	short loc_5B840B

loc_5B83BF:				; CODE XREF: KeFlushTb+12A194j
		cmp	ds:_KeNumberProcessors,	1
		jz	loc_48E24A
		test	esi, esi
		jnz	short loc_5B840B
		mov	[ebp+var_8], esi
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		lock or	[eax], ecx
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	edi, large fs:20h
		mov	[ebp+var_1], al
		mov	ecx, [edi+4]
		mov	ecx, [ecx+80h]
		mov	edx, [ecx+60h]
		mov	ecx, [edi+3C8h]
		not	ecx
		test	ecx, edx
		jz	short loc_5B8457
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5B840B:				; CODE XREF: KeFlushTb+12A18Dj
					; KeFlushTb+12A19Dj ...
		mov	byte ptr [ebp+var_8], 1
		cmp	ebx, 1
		jz	short loc_5B8419
		cmp	ebx, 2
		jnz	short loc_5B841D

loc_5B8419:				; CODE XREF: KeFlushTb+12A1F2j
		mov	byte ptr [ebp+var_8], 0

loc_5B841D:				; CODE XREF: KeFlushTb+12A1F7j
		lea	eax, [ebp+var_C]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_10]
		call	_KiPrepareFlushParameters@12 ; KiPrepareFlushParameters(x,x,x)
		push	[ebp+var_8]
		mov	ecx, esi
		push	[ebp+var_C]
		call	_KiFlushAffinity@4 ; KiFlushAffinity(x)
		mov	ecx, [ebp+var_10]
		mov	edx, eax
		call	_KiFlushAddressSpaceTb@16 ; KiFlushAddressSpaceTb(x,x,x,x)

loc_5B8442:				; CODE XREF: KeFlushTb+12A247j
		cmp	ebx, 4
		jnz	loc_48E251
		mov	cl, 1
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)
		jmp	loc_48E251
; 

loc_5B8457:				; CODE XREF: KeFlushTb+12A1E1j
		mov	ecx, ebx
		call	KiFlushCurrentTbOnly
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_5B8442
; 

loc_5B8469:				; CODE XREF: KeFlushTb+38j
		push	ebx
		xor	edx, edx
		xor	ecx, ecx
		call	_VmFlushTb@12	; VmFlushTb(x,x,x)
		jmp	loc_48E25E
; 

loc_5B8478:				; CODE XREF: KeFlushTb+45j
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	[ebp+var_14]
		xor	edx, edx
		xor	ecx, ecx
		mov	bl, al
		call	_ExFlushTb@12	; ExFlushTb(x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_48E26B
; END OF FUNCTION CHUNK	FOR KeFlushTb
; 
; START	OF FUNCTION CHUNK FOR KiFlushTb

loc_5B849B:				; CODE XREF: KiFlushTb+Aj
		test	ecx, ecx
		jz	loc_48E28C
		cmp	ecx, 2
		jg	loc_48E28C
		jmp	loc_48E293
; END OF FUNCTION CHUNK	FOR KiFlushTb
; 
; START	OF FUNCTION CHUNK FOR KiIpiSendRequest

loc_5B84B1:				; CODE XREF: KiIpiSendRequest+55j
		push	0
		mov	edx, 40400000h
		mov	[ebp+var_45], 1
		lea	ecx, [ebp+var_44]
		call	EtwGetKernelTraceTimestampSilo
		jmp	loc_48E3DE
; 

loc_5B84C9:				; CODE XREF: KiIpiSendRequest+303j
		lea	eax, [ebp+var_14]
		mov	[ebp+var_50], 0
		push	eax
		push	offset _KeSleepingProcessors
		push	eax
		call	_KeSubtractAffinityEx@12 ; KeSubtractAffinityEx(x,x,x)
		mov	edx, [ebp+var_C]
		jmp	loc_48E3FD
; 

loc_5B84E7:				; CODE XREF: KiIpiSendRequest+11Fj
		inc	[ebp+var_5C]
		jmp	loc_48E5CB
; 

loc_5B84EF:				; CODE XREF: KiIpiSendRequest+1D3j
		lock inc dword ptr [eax+20h]
		mov	edx, [ebp+var_7C]
		mov	edi, [ebp+arg_8]
		mov	esi, [ebp+arg_4]
		jmp	loc_48E4C0
; 

loc_5B8501:				; CODE XREF: KiIpiSendRequest+263j
		mov	edx, [ebp+var_74]
		neg	ecx
		mov	eax, ecx
		lock xadd [edx], eax
		add	eax, ecx
		jnz	loc_48E5E9
		mov	eax, [ebp+var_60]
		mov	dword ptr [eax+2120h], 0
		jmp	loc_48E61D
; 

loc_5B8526:				; CODE XREF: KiIpiSendRequest+26Fj
		cmp	[ebp+var_6C], 0
		jz	short loc_5B853E
		inc	dword ptr [ebx+40B0h]
		lea	eax, [ebp+var_20]
		push	eax
		push	0
		call	ds:__imp__HalRequestIpi@8 ; HalRequestIpi(x,x)

loc_5B853E:				; CODE XREF: KiIpiSendRequest+12A1AAj
		mov	esi, [ebp+var_50]
		jmp	loc_48E613
; 

loc_5B8546:				; CODE XREF: KiIpiSendRequest+297j
		lea	eax, [ebp+var_14]
		mov	edx, edi
		push	eax
		push	esi
		push	[ebp+var_70]
		lea	ecx, [ebp+var_44]
		call	_PerfInfoLogIpiSend@20 ; PerfInfoLogIpiSend(x,x,x,x,x)
		jmp	loc_48E61D
; END OF FUNCTION CHUNK	FOR KiIpiSendRequest
; 
; START	OF FUNCTION CHUNK FOR PpmCheckContinueExecution

loc_5B855D:				; CODE XREF: PpmCheckContinueExecution+3Ej
		lea	ecx, [ebp+var_14]
		call	_PoCopyDeepIdleMask@4 ;	PoCopyDeepIdleMask(x)
		lea	eax, [ebp+var_14]
		push	eax
		push	eax
		push	ebx
		call	_KeSubtractAffinityEx@12 ; KeSubtractAffinityEx(x,x,x)
		test	eax, eax
		jz	short loc_5B8583
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_5B858F
		bsf	ecx, eax
		jmp	loc_48E6CC
; 

loc_5B8583:				; CODE XREF: PpmCheckContinueExecution+129EEAj
		test	esi, esi
		jz	short loc_5B858F
		bsf	ecx, esi
		jmp	loc_48E6CC
; 

loc_5B858F:				; CODE XREF: PpmCheckContinueExecution+129EF1j
					; PpmCheckContinueExecution+129EFDj
		or	ecx, 0FFFFFFFFh
		jmp	loc_48E6CC
; END OF FUNCTION CHUNK	FOR PpmCheckContinueExecution
; 
; START	OF FUNCTION CHUNK FOR PpmCheckReportComplete

loc_5B8597:				; CODE XREF: PpmCheckReportComplete+7j
		push	ds:dword_6C0464
		push	ds:_PpmCheckTime
		push	ds:_PpmPerfGlobalContext
		call	eax
		jmp	loc_48E74F
; END OF FUNCTION CHUNK	FOR PpmCheckReportComplete
; 
; START	OF FUNCTION CHUNK FOR PpmEventTracePerfCheckStop

loc_5B85B0:				; CODE XREF: PpmEventTracePerfCheckStop+39j
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], offset _PpmCheckTime
		push	eax
		push	1
		xor	ecx, ecx
		mov	[ebp+var_C], 8
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_48E791
; END OF FUNCTION CHUNK	FOR PpmEventTracePerfCheckStop
; 
; START	OF FUNCTION CHUNK FOR PpmParkReportUnparkedCores

loc_5B85DA:				; CODE XREF: PpmParkReportUnparkedCores+18j
		mov	esi, offset _PpmPerfNewUnparkedMask
		push	esi
		push	offset _PpmPerfNewCoreParkingMask
		push	offset _PpmPerfChangedCoreParkingMask
		call	_KeSubtractAffinityEx@12 ; KeSubtractAffinityEx(x,x,x)
		test	eax, eax
		jz	loc_48E7E4
		push	ebx
		mov	ebx, ds:dword_6B6628
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		pop	ebx
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	eax, cl
		mov	ds:_PpmCheckCount, eax
		xor	eax, eax
		mov	[ebp+var_8], ax
		mov	eax, ds:dword_6B6628
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], esi

loc_5B8648:				; CODE XREF: PpmParkReportUnparkedCores+129EA5j
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5B866D
		mov	ecx, [ebp+var_4]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_PpmPerfQueueAction@8 ;	PpmPerfQueueAction(x,x)
		jmp	short loc_5B8648
; 

loc_5B866D:				; CODE XREF: PpmParkReportUnparkedCores+129E91j
		xor	al, al
		jmp	loc_48E7E6
; END OF FUNCTION CHUNK	FOR PpmParkReportUnparkedCores
; 
; START	OF FUNCTION CHUNK FOR PpmParkReportParkedCores

loc_5B8674:				; CODE XREF: PpmParkReportParkedCores+3Aj
		push	esi
		lea	eax, [ebp+var_1C]
		mov	ebx, offset _PpmPerfNewCoreParkingMask
		push	eax
		push	ebx
		mov	edi, offset _PpmPerfChangedCoreParkingMask
		push	edi
		call	_KeAndAffinityEx@12 ; KeAndAffinityEx(x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_40]
		push	eax
		push	edi
		push	ebx
		call	_KeSubtractAffinityEx@12 ; KeSubtractAffinityEx(x,x,x)
		lea	eax, [ebp+var_10]
		mov	edx, offset _PpmParkNewSoftParkingMask
		push	eax
		mov	ecx, offset _PpmParkSoftParkingMask
		call	_KeXorAffinityEx@12 ; KeXorAffinityEx(x,x,x)
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_KeAndAffinityEx@12 ; KeAndAffinityEx(x,x,x)
		or	eax, esi
		pop	esi
		jz	loc_48E82A
		mov	edx, [ebp+var_14]
		mov	ebx, [ebp+var_8]
		not	edx
		movzx	eax, dl
		not	ebx
		shr	edx, 8
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		mov	[ebp+var_34], edx
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	[ebp+var_1D], cl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_34]
		add	cl, dl
		movzx	edx, cl
		mov	ecx, eax
		shr	ecx, 8
		movzx	eax, al
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, [ebp+var_1D]
		movzx	eax, cl
		add	edx, eax
		xor	eax, eax
		mov	[ebp+var_28], ax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_1C]
		mov	ds:_PpmCheckCount, edx
		mov	[ebp+var_30], eax

loc_5B8754:				; CODE XREF: PpmParkReportParkedCores+129F8Dj
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5B8779
		mov	ecx, [ebp+var_24]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		push	3
		pop	edx
		mov	ecx, eax
		call	_PpmPerfQueueAction@8 ;	PpmPerfQueueAction(x,x)
		jmp	short loc_5B8754
; 

loc_5B8779:				; CODE XREF: PpmParkReportParkedCores+129F79j
		xor	eax, eax
		mov	[ebp+var_28], ax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_30], eax

loc_5B878B:				; CODE XREF: PpmParkReportParkedCores+129FC4j
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5B87B0
		mov	ecx, [ebp+var_24]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		push	4
		pop	edx
		mov	ecx, eax
		call	_PpmPerfQueueAction@8 ;	PpmPerfQueueAction(x,x)
		jmp	short loc_5B878B
; 

loc_5B87B0:				; CODE XREF: PpmParkReportParkedCores+129FB0j
		xor	al, al
		jmp	loc_48E82C
; END OF FUNCTION CHUNK	FOR PpmParkReportParkedCores
; 
; START	OF FUNCTION CHUNK FOR PpmParkUnblockIdle

loc_5B87B7:				; CODE XREF: PpmParkUnblockIdle+19j
		push	edi
		xor	eax, eax
		mov	edi, offset _PpmPerfNewUnparkedMask
		mov	[ebp+var_8], ax
		mov	eax, ds:dword_6B6628
		push	ebx
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edi
		push	esi

loc_5B87D0:				; CODE XREF: PpmParkUnblockIdle+129FC1j
					; PpmParkUnblockIdle+129FD0j
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5B880C
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		cmp	byte ptr [eax+3DA5h], 0
		jz	short loc_5B87FD
		mov	byte ptr [eax+3DA5h], 0
		jmp	short loc_5B87D0
; 

loc_5B87FD:				; CODE XREF: PpmParkUnblockIdle+129FB8j
		mov	eax, ds:dword_6B6628
		btr	eax, esi
		mov	ds:dword_6B6628, eax
		jmp	short loc_5B87D0
; 

loc_5B880C:				; CODE XREF: PpmParkUnblockIdle+129FA5j
		mov	edx, ds:dword_6B6628
		not	edx
		movzx	eax, dl
		shr	edx, 8
		pop	esi
		mov	bl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		mov	ecx, edx
		shr	ecx, 8
		add	bl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, bl
		pop	ebx
		jz	short loc_5B88A5
		movzx	eax, cl
		mov	ds:_PpmCheckCount, eax
		xor	eax, eax
		mov	[ebp+var_8], ax
		mov	eax, ds:dword_6B6628
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edi

loc_5B885F:				; CODE XREF: PpmParkUnblockIdle+12A048j
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5B8884
		mov	ecx, [ebp+var_4]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		push	5
		pop	edx
		mov	ecx, eax
		call	_PpmPerfQueueAction@8 ;	PpmPerfQueueAction(x,x)
		jmp	short loc_5B885F
; 

loc_5B8884:				; CODE XREF: PpmParkUnblockIdle+12A034j
		and	ds:dword_6B6624, 0
		xor	eax, eax
		and	ds:dword_6B6628, 0
		inc	eax
		mov	ds:_PpmPerfNewUnparkedMask, ax
		mov	ds:word_6B6622,	ax
		xor	al, al
		jmp	short loc_5B88A8
; 

loc_5B88A5:				; CODE XREF: PpmParkUnblockIdle+12A00Aj
		xor	eax, eax
		inc	eax

loc_5B88A8:				; CODE XREF: PpmParkUnblockIdle+12A069j
		pop	edi
		leave
		retn
; END OF FUNCTION CHUNK	FOR PpmParkUnblockIdle
; 
; START	OF FUNCTION CHUNK FOR PpmPerfApplyDomainStates

loc_5B88AB:				; CODE XREF: PpmPerfApplyDomainStates+18j
		mov	esi, ds:_PpmPerfDomainHead
		cmp	esi, edi
		jz	loc_48E87A
		mov	ebx, offset _PpmPerfNewCoreParkingMask

loc_5B88BE:				; CODE XREF: PpmPerfApplyDomainStates+12A085j
		cmp	byte ptr [esi+215h], 0
		jz	short loc_5B88DD
		push	ebx
		lea	eax, [esi+0Ch]
		push	eax
		call	_KeIsSubsetAffinityEx@8	; KeIsSubsetAffinityEx(x,x)
		test	eax, eax
		jnz	short loc_5B88DD
		mov	esi, ds:_PpmPerfDomainHead
		jmp	short loc_5B88FF
; 

loc_5B88DD:				; CODE XREF: PpmPerfApplyDomainStates+12A069j
					; PpmPerfApplyDomainStates+12A077j
		mov	esi, [esi]
		cmp	esi, edi
		jnz	short loc_5B88BE
		jmp	loc_48E87A
; END OF FUNCTION CHUNK	FOR PpmPerfApplyDomainStates

;  S U B	R O U T	I N E 


sub_5B88E8	proc near		; CODE XREF: PpmPerfApplyDomainStates+12A0A5j
		push	ebx
		lea	eax, [esi+0Ch]
		push	eax
		call	_KeIsSubsetAffinityEx@8	; KeIsSubsetAffinityEx(x,x)
		test	eax, eax
		jnz	short loc_5B88FD
		mov	byte ptr [esi+215h], 1

loc_5B88FD:				; CODE XREF: sub_5B88E8+Cj
		mov	esi, [esi]
sub_5B88E8	endp

; START	OF FUNCTION CHUNK FOR PpmPerfApplyDomainStates

loc_5B88FF:				; CODE XREF: PpmPerfApplyDomainStates+12A07Fj
		cmp	esi, edi
		jnz	short sub_5B88E8
		jmp	loc_48E87A
; END OF FUNCTION CHUNK	FOR PpmPerfApplyDomainStates
; 
; START	OF FUNCTION CHUNK FOR PpmParkReportMask

loc_5B8908:				; CODE XREF: PpmParkReportMask+7j
		mov	eax, ds:dword_6B5BB8
		cmp	eax, ds:dword_6B6634
		jz	loc_48E8C5
		mov	eax, large fs:20h
		push	ebx
		push	esi
		push	edi
		mov	ebx, offset _PpmPerfCoreParkingMask
		mov	edi, offset _PpmPerfReportedCoreParkingMask
		mov	esi, ebx
		movsd
		movsd
		movsd
		cmp	dword ptr [eax+3E38h], 2
		jnz	short loc_5B893F
		call	_HvlParkedVirtualProcessors@4 ;	HvlParkedVirtualProcessors(x)

loc_5B893F:				; CODE XREF: PpmParkReportMask+12A080j
		mov	eax, ds:_PpmParkMaskHandler
		test	eax, eax
		jz	short loc_5B8957
		push	ebx
		push	ds:dword_6C0464
		push	ds:_PpmCheckTime
		call	eax

loc_5B8957:				; CODE XREF: PpmParkReportMask+12A08Ej
		mov	dl, 2
		mov	ecx, ebx
		call	KeCpuSetReportParkedProcessors
		pop	edi
		pop	esi
		pop	ebx
		jmp	loc_48E8C5
; END OF FUNCTION CHUNK	FOR PpmParkReportMask
; 
; START	OF FUNCTION CHUNK FOR PpmPerfRecordUtility

loc_5B8968:				; CODE XREF: PpmPerfRecordUtility+180j
					; PpmPerfRecordUtility+18Cj
		mov	eax, edx
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_DC], eax
		jmp	loc_48EB52
; 

loc_5B897B:				; CODE XREF: PpmPerfRecordUtility+19Aj
					; PpmPerfRecordUtility+1A6j
		mov	[ebp+var_F0], ecx
		mov	[ebp+var_F8], edx
		jmp	loc_48EB6C
; 

loc_5B898C:				; CODE XREF: PpmPerfRecordUtility+1B0j
					; PpmPerfRecordUtility+1B9j
		mov	[ebp+var_E0], 1
		mov	[ebp+var_C8], 0
		jmp	loc_48EB7F
; 

loc_5B89A5:				; CODE XREF: PpmPerfRecordUtility+1C7j
		movzx	ecx, byte ptr [edx+1]
		movzx	eax, byte ptr [edx]
		imul	ecx, eax
		mov	[ebx+14h], ecx
		jmp	loc_48EDAE
; 

loc_5B89B7:				; CODE XREF: PpmPerfRecordUtility+34Dj
		test	al, al
		jnz	loc_48ED22
		jmp	loc_48ED13
; 

loc_5B89C4:				; CODE XREF: PpmPerfRecordUtility+35Cj
		mov	ecx, [edx+58h]
		mov	eax, ecx
		mov	edx, [edx+5Ch]
		and	eax, 2
		mov	[ebp+var_EC], 0
		cmp	eax, ecx
		jnz	loc_48ED22
		cmp	[ebp+var_EC], edx
		jz	short loc_5B8A07
		jmp	loc_48ED22
; 

loc_5B89EE:				; CODE XREF: PpmPerfRecordUtility+366j
		mov	ecx, [edi+14h]
		mov	dl, 5
		push	0
		push	2
		add	ecx, 40h
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	loc_48ED2C

loc_5B8A07:				; CODE XREF: PpmPerfRecordUtility+12A027j
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_B4], offset _PpmCheckTime
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_FC]
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_104]
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_100]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_114]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_108]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_34], eax
		lea	eax, [esi+149h]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_F4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_B4]
		push	eax
		mov	eax, ds:dword_6BFD04
		push	0Bh
		push	0
		push	offset _PPM_ETW_RECORDED_UTILITY
		push	eax
		push	edi
		mov	[ebp+var_B0], 0
		mov	[ebp+var_AC], 8
		mov	[ebp+var_A8], 0
		mov	[ebp+var_A0], 0
		mov	[ebp+var_9C], 8
		mov	[ebp+var_98], 0
		mov	[ebp+var_90], 0
		mov	[ebp+var_8C], 8
		mov	[ebp+var_88], 0
		mov	[ebp+var_80], 0
		mov	[ebp+var_7C], 4
		mov	[ebp+var_78], 0
		mov	[ebp+var_60], 0
		mov	[ebp+var_5C], 4
		mov	[ebp+var_58], 0
		mov	[ebp+var_50], 0
		mov	[ebp+var_4C], 2
		mov	[ebp+var_48], 0
		mov	[ebp+var_40], 0
		mov	[ebp+var_3C], 2
		mov	[ebp+var_38], 0
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], 1
		mov	[ebp+var_28], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 1
		mov	[ebp+var_18], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 8
		mov	[ebp+var_8], 0
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_48ED2C
; 

loc_5B8B79:				; CODE XREF: PpmPerfRecordUtility+377j
		mov	eax, [edx]
		mov	ebx, [ebp+var_118]
		mov	[ebp+var_C8], eax
		mov	eax, [edx+4]
		mov	[ebp+var_108], eax
		movzx	ecx, bx
		mov	[ebp+var_E4], 3
		lea	eax, [eax+eax*4]
		lea	edi, [edx+eax*2]
		movzx	eax, word ptr [edi+20h]
		sub	ecx, eax
		add	[edx+8], ecx
		movzx	eax, word ptr [edi+22h]
		mov	[edi+20h], bx
		mov	ebx, [ebp+var_10C]
		movzx	ecx, bx
		sub	ecx, eax
		mov	eax, [ebp+var_C4]
		add	[edx+0Ch], ecx
		movzx	edx, ax
		movzx	eax, word ptr [edi+24h]
		mov	ecx, edx
		sub	ecx, eax
		mov	[edi+22h], bx
		mov	eax, [ebp+var_B8]
		lea	ebx, [edi+26h]
		add	[eax+10h], ecx
		add	eax, 14h
		mov	[edi+24h], dx
		mov	edi, eax
		mov	[ebp+var_10C], eax
		lea	edx, [esi+148h]

loc_5B8BF8:				; CODE XREF: PpmPerfRecordUtility+12A25Bj
		movzx	eax, byte ptr [ebx]
		lea	edi, [edi+4]
		sub	[edi-4], eax
		lea	edx, [edx+1]
		movzx	ecx, byte ptr [edx-1]
		lea	ebx, [ebx+1]
		add	[edi-4], ecx
		sub	[ebp+var_E4], 1
		mov	al, [edx-1]
		mov	[ebx-1], al
		jnz	short loc_5B8BF8
		mov	eax, [ebp+var_108]
		mov	edi, [ebp+var_B8]
		inc	eax
		mov	ecx, eax
		mov	ebx, [ebp+var_11C]
		sub	ecx, [ebp+var_C8]
		neg	ecx
		mov	esi, [ebp+var_10C]
		sbb	ecx, ecx
		xor	edx, edx
		and	ecx, eax
		mov	eax, [edi+8]
		mov	[edi+4], ecx
		mov	ecx, [ebp+var_C8]
		div	ecx
		xor	edx, edx
		mov	[ebp+var_C0], eax
		mov	eax, [edi+0Ch]
		div	ecx
		xor	edx, edx
		mov	[ebp+var_CC], eax
		mov	eax, [edi+10h]
		div	ecx
		mov	edi, [ebp+var_C8]
		xor	ecx, ecx
		mov	[ebp+var_C4], eax

loc_5B8C7C:				; CODE XREF: PpmPerfRecordUtility+12A2D0j
		mov	eax, [esi]
		lea	esi, [esi+4]
		xor	edx, edx
		div	edi
		mov	byte ptr [ebp+ecx+var_D8], al
		inc	ecx
		cmp	ecx, 3
		jb	short loc_5B8C7C
		mov	esi, [ebp+var_120]
		jmp	loc_48ED4B
; 

loc_5B8C9D:				; CODE XREF: PpmPerfRecordUtility+393j
		mov	al, 64h
		jmp	loc_48ED59
; 

loc_5B8CA4:				; CODE XREF: PpmPerfRecordUtility+3B6j
		imul	edi, [ebp+var_CC]
		sub	eax, ecx
		mov	[ebp+var_C0], eax
		mov	eax, 51EB851Fh
		mov	[ebp+var_B9], 1
		mul	edi
		mov	eax, [ebp+var_C0]
		shr	edx, 5
		sub	[ebp+var_CC], edx
		jmp	loc_48ED7C
; 

loc_5B8CD5:				; CODE XREF: PpmPerfRecordUtility+3E8j
		mov	ecx, ebx
		call	PpmPerfResetHistory
		jmp	loc_48EDAE
; END OF FUNCTION CHUNK	FOR PpmPerfRecordUtility
; 
; START	OF FUNCTION CHUNK FOR PpmParkRecordNodeStatistics

loc_5B8CE1:				; CODE XREF: PpmParkRecordNodeStatistics+CEj
		lea	eax, [ebp+var_90]
		mov	[ebp+var_60], 0
		mov	[ebp+var_64], eax
		lea	ecx, [esi+50h]
		lea	eax, [ebp+var_94]
		mov	[ebp+var_5C], 2
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_44], eax
		mov	[ebp+var_58], 0
		mov	[ebp+var_50], 0
		mov	[ebp+var_4C], 4
		mov	[ebp+var_48], 0
		mov	[ebp+var_40], 0
		mov	[ebp+var_3C], 1
		mov	[ebp+var_38], 0
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], 4
		mov	[ebp+var_28], 0
		mov	ecx, [ecx]
		mov	eax, [esi+34h]
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], 0
		lea	eax, ds:0[ecx*8]
		mov	[ebp+var_18], 0
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		push	0
		push	offset _PPM_ETW_PARK_NODE_STATS
		push	ebx
		push	[ebp+var_74]
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 1
		mov	[ebp+var_8], 0
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_48EF34
; 

loc_5B8DA9:				; CODE XREF: PpmParkRecordNodeStatistics+DAj
		mov	edi, [ebp+var_7C]
		lea	eax, [esi+0C8h]
		mov	bl, [ebp+var_65]
		xor	bh, bh
		xor	ecx, ecx
		mov	byte ptr [ebp+var_84], bh
		mov	[ebp+var_78], eax
		mov	[ebp+var_74], ecx

loc_5B8DC5:				; CODE XREF: PpmParkRecordNodeStatistics+129FC0j
		push	eax
		push	0
		add	ecx, 78h
		mov	dl, bl
		add	ecx, esi
		push	0
		push	ecx
		push	[ebp+var_80]
		mov	[ebp+var_8C], ecx
		mov	ecx, edi
		call	PpmParkComputeSnapStatistics
		test	al, al
		jz	short loc_5B8E05
		mov	eax, [ebp+var_78]
		mov	edx, [esi+8]
		mov	cx, [esi+4]
		movzx	eax, byte ptr [eax]
		push	eax
		push	[ebp+var_8C]
		push	[ebp+var_84]
		call	_PpmEventParkNodeClassRecordedStats@20 ; PpmEventParkNodeClassRecordedStats(x,x,x,x,x)

loc_5B8E05:				; CODE XREF: PpmParkRecordNodeStatistics+129F84j
		mov	ecx, [ebp+var_74]
		inc	bh
		mov	eax, [ebp+var_78]
		add	ecx, 28h
		inc	eax
		mov	byte ptr [ebp+var_84], bh
		mov	[ebp+var_74], ecx
		mov	[ebp+var_78], eax
		cmp	bh, 2
		jb	short loc_5B8DC5
		mov	edi, [ebp+var_88]
		jmp	loc_48EF40
; END OF FUNCTION CHUNK	FOR PpmParkRecordNodeStatistics
; 
; START	OF FUNCTION CHUNK FOR PpmParkComputeSnapStatistics

loc_5B8E2D:				; CODE XREF: PpmParkComputeSnapStatistics+14Cj
		cmp	[ebp+arg_C], 0
		jnz	loc_48F0C2
		mov	edx, [ebp+var_8]
		jmp	loc_48F1B1
; 

loc_5B8E3F:				; CODE XREF: PpmParkComputeSnapStatistics+238j
		mov	ecx, [esi+8]
		mov	edx, 64h
		push	[ebp+var_8]
		mov	eax, [ecx+ebx*8+4]
		mul	edx
		mov	edi, eax
		mov	eax, [ecx+ebx*8]
		mov	ebx, [ebp+var_C]
		mov	ecx, 64h
		mul	ecx
		push	ebx
		add	edi, edx
		push	edi
		push	eax
		call	__aulldiv
		mov	edx, [ebp+arg_C]
		mov	[edx], al
		mov	edx, [ebp+var_8]
		jmp	loc_48F1B4
; END OF FUNCTION CHUNK	FOR PpmParkComputeSnapStatistics
; 
; START	OF FUNCTION CHUNK FOR PpmParkCalculateUnparkCount

loc_5B8E76:				; CODE XREF: PpmParkCalculateUnparkCount+Fj
		mov	ecx, ds:_PpmCurrentProfile
		imul	eax, ds:dword_6C2D0C, 0F0h
		cmp	ds:_PpmCheckCurrentPipelineId, 5
		mov	dl, [eax+ecx+0A1h]
		mov	[ebp+var_2], dl
		mov	dl, [eax+ecx+0A0h]
		mov	[ebp+var_3], dl
		mov	edx, [eax+ecx+0A8h]
		mov	[ebp+var_14], edx
		mov	edx, [eax+ecx+0A4h]
		mov	[ebp+var_18], edx
		mov	dh, [eax+ecx+9Eh]
		mov	[ebp+var_5], dh
		jnz	short loc_5B8EC9
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0

loc_5B8EC9:				; CODE XREF: PpmParkCalculateUnparkCount+129C89j
		push	edi
		xor	edi, edi
		mov	[ebp+var_20], edi
		cmp	ds:_PpmParkNumNodes, edi
		jz	loc_5B907B
		push	ebx
		xor	ecx, ecx
		push	esi

loc_5B8EDF:				; CODE XREF: PpmParkCalculateUnparkCount+129E3Dj
		imul	esi, ecx, 0D0h
		add	esi, ds:_PpmParkNodes
		test	byte ptr [esi+6Ah], 1
		jnz	loc_5B9066
		inc	dword ptr [esi]
		mov	eax, [esi]
		mov	edi, [ebp+var_14]
		push	2
		mov	[ebp+var_C], eax
		xor	eax, eax
		pop	ebx
		mov	[ebp+var_10], eax
		mov	[ebp+var_1C], ebx

loc_5B8F0A:				; CODE XREF: PpmParkCalculateUnparkCount+129E27j
		lea	ecx, [eax+1]
		mov	dl, [ecx+esi+57h]
		mov	[ebp+var_24], ecx
		mov	[ebp+var_1], dl
		test	dl, dl
		jz	loc_5B9052
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	[esi+6Ah], al
		jnz	loc_5B9052
		mov	al, ds:_PpmParkUnparkCores
		mov	bh, 1
		mov	[ebp+var_4], al
		test	al, al
		jnz	short loc_5B8F41
		mov	bh, ds:_PpmParkGranularity

loc_5B8F41:				; CODE XREF: PpmParkCalculateUnparkCount+129D03j
		mov	bl, [esi+64h]
		test	al, al
		jz	short loc_5B8F51
		cmp	ds:_PpmParkGranularity,	1
		jnz	short loc_5B8F5C

loc_5B8F51:				; CODE XREF: PpmParkCalculateUnparkCount+129D10j
		cmp	bl, dl
		jnb	short loc_5B8F5C
		cmp	[esi+65h], dh
		jbe	short loc_5B8F5C
		inc	bl

loc_5B8F5C:				; CODE XREF: PpmParkCalculateUnparkCount+129D19j
					; PpmParkCalculateUnparkCount+129D1Dj ...
		mov	edx, [ebp+var_10]
		mov	dl, [edx+esi+62h]
		test	al, al
		jz	short loc_5B8F77
		movzx	ecx, ds:_PpmParkGranularity
		movzx	eax, dl
		xor	edx, edx
		div	ecx
		mov	dl, al

loc_5B8F77:				; CODE XREF: PpmParkCalculateUnparkCount+129D2Fj
		mov	eax, [ebp+var_C]
		cmp	dl, bl
		jnb	short loc_5B8FCE
		cmp	dl, [ebp+var_1]
		jnb	short loc_5B8FCC
		cmp	eax, edi
		jb	short loc_5B8FCC
		movzx	eax, [ebp+var_2]
		and	dword ptr [esi], 0
		sub	eax, 0
		jz	loc_5B901F
		sub	eax, 1
		jz	short loc_5B8FC8
		sub	eax, 1
		jz	loc_5B902A
		sub	eax, 1
		jnz	short loc_5B9021
		mov	bl, [esi+69h]
		movzx	eax, dl
		movzx	ecx, bl
		add	ecx, eax
		movzx	eax, [ebp+var_1]
		cmp	ecx, eax
		mov	al, [ebp+var_1]
		jnb	short loc_5B8FC4
		add	dl, bl
		jmp	short loc_5B9024
; 

loc_5B8FC4:				; CODE XREF: PpmParkCalculateUnparkCount+129D88j
		mov	dl, al
		jmp	short loc_5B9024
; 

loc_5B8FC8:				; CODE XREF: PpmParkCalculateUnparkCount+129D64j
		add	dl, bh
		jmp	short loc_5B9021
; 

loc_5B8FCC:				; CODE XREF: PpmParkCalculateUnparkCount+129D4Bj
					; PpmParkCalculateUnparkCount+129D4Fj
		cmp	dl, bl

loc_5B8FCE:				; CODE XREF: PpmParkCalculateUnparkCount+129D46j
		jbe	short loc_5B9021
		cmp	dl, bh
		jbe	short loc_5B9021
		cmp	eax, [ebp+var_18]
		jb	short loc_5B9021
		movzx	eax, [ebp+var_3]
		and	dword ptr [esi], 0
		sub	eax, 0
		jz	short loc_5B901F
		sub	eax, 1
		jz	short loc_5B901B
		sub	eax, 1
		jz	short loc_5B9017
		sub	eax, 1
		jnz	short loc_5B9021
		mov	bl, [esi+69h]
		mov	bh, ds:_PpmParkGranularity
		movzx	eax, bh
		movzx	ecx, bl
		add	ecx, eax
		movzx	eax, dl
		cmp	eax, ecx
		mov	al, [ebp+var_1]
		jbe	short loc_5B9013
		sub	dl, bl
		jmp	short loc_5B9024
; 

loc_5B9013:				; CODE XREF: PpmParkCalculateUnparkCount+129DD7j
		mov	dl, bh
		jmp	short loc_5B9024
; 

loc_5B9017:				; CODE XREF: PpmParkCalculateUnparkCount+129DB7j
		mov	dl, bh
		jmp	short loc_5B9021
; 

loc_5B901B:				; CODE XREF: PpmParkCalculateUnparkCount+129DB2j
		sub	dl, bh
		jmp	short loc_5B9021
; 

loc_5B901F:				; CODE XREF: PpmParkCalculateUnparkCount+129D5Bj
					; PpmParkCalculateUnparkCount+129DADj
		mov	dl, bl

loc_5B9021:				; CODE XREF: PpmParkCalculateUnparkCount+129D72j
					; PpmParkCalculateUnparkCount+129D94j ...
		mov	al, [ebp+var_1]

loc_5B9024:				; CODE XREF: PpmParkCalculateUnparkCount+129D8Cj
					; PpmParkCalculateUnparkCount+129D90j ...
		cmp	dl, al
		jnb	short loc_5B902D
		jmp	short loc_5B902F
; 

loc_5B902A:				; CODE XREF: PpmParkCalculateUnparkCount+129D69j
		mov	al, [ebp+var_1]

loc_5B902D:				; CODE XREF: PpmParkCalculateUnparkCount+129DF0j
		mov	dl, al

loc_5B902F:				; CODE XREF: PpmParkCalculateUnparkCount+129DF2j
		cmp	[ebp+var_4], 0
		jz	short loc_5B9042
		movzx	eax, dl
		movzx	edx, ds:_PpmParkGranularity
		imul	edx, eax

loc_5B9042:				; CODE XREF: PpmParkCalculateUnparkCount+129DFDj
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_24]
		mov	ebx, [ebp+var_1C]
		mov	dh, [ebp+var_5]
		mov	[eax+esi+62h], dl

loc_5B9052:				; CODE XREF: PpmParkCalculateUnparkCount+129CE3j
					; PpmParkCalculateUnparkCount+129CF1j
		mov	eax, ecx
		sub	ebx, 1
		mov	[ebp+var_10], eax
		mov	[ebp+var_1C], ebx
		jnz	loc_5B8F0A
		mov	edi, [ebp+var_20]

loc_5B9066:				; CODE XREF: PpmParkCalculateUnparkCount+129CB9j
		inc	edi
		movzx	ecx, di
		mov	[ebp+var_20], edi
		cmp	ecx, ds:_PpmParkNumNodes
		jb	loc_5B8EDF
		pop	esi
		pop	ebx

loc_5B907B:				; CODE XREF: PpmParkCalculateUnparkCount+129C9Fj
		pop	edi
		jmp	loc_48F24B
; END OF FUNCTION CHUNK	FOR PpmParkCalculateUnparkCount
; 
; START	OF FUNCTION CHUNK FOR PpmParkCalculateCoreParkingMask

loc_5B9081:				; CODE XREF: PpmParkCalculateCoreParkingMask+26j
		mov	eax, ds:_PpmCurrentProfile
		imul	ecx, ds:dword_6C2D0C, 0F0h
		add	ecx, eax
		mov	[ebp+var_48], ecx
		movzx	eax, byte ptr [ecx+9Ch]
		mov	ecx, ebx
		imul	edx, eax, 64h
		mov	[ebp+var_40], ecx
		mov	[ebp+var_4C], edx
		cmp	ds:_PpmParkNumNodes, ecx
		jz	loc_5B9626
		push	esi
		mov	esi, ebx
		mov	[ebp+var_44], ebx

loc_5B90B9:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A3CDj
		mov	edi, ds:_PpmParkNodes
		add	edi, esi
		mov	[ebp+var_30], edi
		test	byte ptr [edi+6Ah], 1
		jnz	loc_5B960A
		mov	eax, [edi+14h]
		mov	bl, [edi+5Fh]
		mov	[edi+18h], eax
		mov	al, [edi+61h]
		cmp	bl, al
		jb	short loc_5B90E0
		mov	bl, al

loc_5B90E0:				; CODE XREF: PpmParkCalculateCoreParkingMask+129E8Cj
		mov	ecx, edi
		call	_PpmParkFindOverUtilizedProcessors@8 ; PpmParkFindOverUtilizedProcessors(x,x)
		xor	ecx, ecx
		movzx	edx, bl
		mov	[ebp+var_38], eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_28], edx

loc_5B90F5:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A3ABj
		mov	eax, [edi+ecx*4+0Ch]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_5B9601
		cmp	ds:_PpmParkGranularity,	1
		mov	esi, 100000h
		mov	[ebp+var_4], esi
		jbe	short loc_5B914A
		mov	ax, [edi+4]
		xor	ebx, ebx
		and	[ebp+var_58], ebx
		mov	[ebp+var_50], ax
		mov	eax, [edi+ecx*4+20h]
		mov	[ebp+var_54], eax

loc_5B9129:				; CODE XREF: PpmParkCalculateCoreParkingMask+129EF8j
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5B9150
		mov	ecx, [ebp+var_8]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		or	ebx, [eax+402Ch]
		jmp	short loc_5B9129
; 

loc_5B914A:				; CODE XREF: PpmParkCalculateCoreParkingMask+129EC3j
		mov	ebx, [edi+ecx*4+20h]
		jmp	short loc_5B9153
; 

loc_5B9150:				; CODE XREF: PpmParkCalculateCoreParkingMask+129EE8j
		mov	eax, [ebp+var_1C]

loc_5B9153:				; CODE XREF: PpmParkCalculateCoreParkingMask+129EFEj
		and	ebx, eax
		mov	[ebp+var_24], ebx
		jz	short loc_5B9162
		mov	esi, 110000h
		mov	[ebp+var_4], esi

loc_5B9162:				; CODE XREF: PpmParkCalculateCoreParkingMask+129F08j
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	eax, cl
		mov	ecx, [ebp+var_10]
		movzx	ecx, byte ptr [edi+ecx+58h]
		sub	ecx, eax
		mov	eax, [ebp+var_28]
		mov	[ebp+var_18], ecx
		cmp	ecx, eax
		jbe	short loc_5B91AC
		mov	[ebp+var_18], eax

loc_5B91AC:				; CODE XREF: PpmParkCalculateCoreParkingMask+129F57j
		xor	ebx, ebx
		and	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		cmp	ds:_KiClockTimerPerCpu,	bl
		jnz	loc_5B928E
		mov	ecx, ds:_KiClockTimerOwner
		mov	[ebp+var_8], ecx
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		movzx	edx, word ptr [edi+4]
		mov	ecx, eax
		movzx	eax, byte ptr [ecx+3C5h]
		cmp	ax, dx
		jnz	loc_5B928E
		mov	eax, [ecx+3C8h]
		test	[ebp+var_1C], eax
		jz	loc_5B928E
		and	[ebp+var_58], ebx
		mov	edi, [ebp+var_18]
		mov	[ebp+var_50], dx
		mov	[ebp+var_54], eax

loc_5B9200:				; CODE XREF: PpmParkCalculateCoreParkingMask+129FD8j
					; PpmParkCalculateCoreParkingMask+12A030j
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5B9285
		cmp	ebx, edi
		jnb	short loc_5B9285
		mov	ecx, [ebp+var_8]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, eax
		mov	eax, [ecx+3C8h]
		test	[ebp+var_24], eax
		jnz	short loc_5B9200
		cmp	ds:_PpmParkGranularity,	1
		jbe	short loc_5B9239
		mov	eax, [ecx+402Ch]

loc_5B9239:				; CODE XREF: PpmParkCalculateCoreParkingMask+129FE1j
		or	eax, [ebp+var_14]
		or	esi, 100h
		mov	ebx, eax
		mov	[ebp+var_34], eax
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_34]
		add	cl, dl
		movzx	ebx, cl
		mov	[ebp+var_14], eax
		jmp	loc_5B9200
; 

loc_5B9285:				; CODE XREF: PpmParkCalculateCoreParkingMask+129FBFj
					; PpmParkCalculateCoreParkingMask+129FC3j
		mov	edi, [ebp+var_30]
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], ebx

loc_5B928E:				; CODE XREF: PpmParkCalculateCoreParkingMask+129F6Aj
					; PpmParkCalculateCoreParkingMask+129F8Ej ...
		movzx	ecx, word ptr [edi+4]
		lea	eax, [ebp+var_20]
		mov	edx, [ebp+var_1C]
		push	eax
		call	_KeCpuSetQueryUnparkRecommendation@12 ;	KeCpuSetQueryUnparkRecommendation(x,x,x)
		movzx	ecx, al
		mov	[ebp+var_34], ecx
		test	al, al
		jz	loc_5B93BC
		cmp	ds:_PpmParkGranularity,	1
		jbe	short loc_5B9324
		mov	ax, [edi+4]
		mov	ebx, [ebp+var_20]
		and	[ebp+var_58], 0
		mov	[ebp+var_50], ax
		mov	[ebp+var_54], ebx

loc_5B92C7:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A096j
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5B92E8
		mov	ecx, [ebp+var_8]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		or	ebx, [eax+402Ch]
		jmp	short loc_5B92C7
; 

loc_5B92E8:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A086j
		mov	[ebp+var_20], ebx
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	ebx, [ebp+var_C]
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	eax, cl
		mov	[ebp+var_34], eax

loc_5B9324:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A063j
		mov	ax, [edi+4]
		and	[ebp+var_58], 0
		mov	[ebp+var_50], ax
		mov	eax, [ebp+var_20]
		mov	[ebp+var_54], eax

loc_5B9336:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A10Fj
					; PpmParkCalculateCoreParkingMask+12A167j
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5B93BC
		cmp	ebx, [ebp+var_18]
		jnb	short loc_5B93BC
		mov	ecx, [ebp+var_8]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, eax
		mov	eax, [ecx+3C8h]
		test	[ebp+var_24], eax
		jnz	short loc_5B9336
		cmp	ds:_PpmParkGranularity,	1
		jbe	short loc_5B9370
		mov	eax, [ecx+402Ch]

loc_5B9370:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A118j
		or	eax, [ebp+var_14]
		or	esi, 10h
		mov	ebx, eax
		mov	[ebp+var_14], eax
		not	ebx
		mov	[ebp+var_4], esi
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_14]
		add	cl, dl
		movzx	ebx, cl
		mov	[ebp+var_14], eax
		jmp	loc_5B9336
; 

loc_5B93BC:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A056j
					; PpmParkCalculateCoreParkingMask+12A0F5j ...
		mov	ax, [edi+4]
		mov	[ebp+var_50], ax
		mov	eax, [edi+18h]
		and	eax, [ebp+var_1C]
		and	eax, [ebp+var_38]
		and	[ebp+var_58], 0
		mov	edi, [ebp+var_18]
		mov	[ebp+var_54], eax

loc_5B93D7:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A1AFj
					; PpmParkCalculateCoreParkingMask+12A207j
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5B945C
		cmp	ebx, edi
		jnb	short loc_5B945C
		mov	ecx, [ebp+var_8]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, eax
		mov	eax, [ecx+3C8h]
		test	[ebp+var_24], eax
		jnz	short loc_5B93D7
		cmp	ds:_PpmParkGranularity,	1
		jbe	short loc_5B9410
		mov	eax, [ecx+402Ch]

loc_5B9410:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A1B8j
		or	eax, [ebp+var_14]
		or	esi, 20000h
		mov	ebx, eax
		mov	[ebp+var_14], eax
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_14]
		add	cl, dl
		movzx	ebx, cl
		mov	[ebp+var_14], eax
		jmp	loc_5B93D7
; 

loc_5B945C:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A196j
					; PpmParkCalculateCoreParkingMask+12A19Aj
		mov	edi, [ebp+var_30]
		mov	eax, ebx
		mov	edx, [ebp+var_10]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_4], esi
		movzx	ecx, byte ptr [edi+edx+5Ah]
		cmp	ebx, ecx
		mov	ebx, [ebp+var_18]
		jnb	short loc_5B9490
		cmp	eax, ebx
		jnb	short loc_5B9490
		cmp	ecx, ebx
		jnb	short loc_5B9485
		mov	eax, ecx
		mov	[ebp+var_C], eax
		jmp	short loc_5B948A
; 

loc_5B9485:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A22Cj
		mov	eax, ebx
		mov	[ebp+var_C], ebx

loc_5B948A:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A233j
		or	esi, 4
		mov	[ebp+var_4], esi

loc_5B9490:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A224j
					; PpmParkCalculateCoreParkingMask+12A228j
		movzx	ecx, byte ptr [edi+edx+5Ch]
		cmp	ebx, ecx
		jbe	short loc_5B94AB
		cmp	eax, ebx
		jnb	short loc_5B94AB
		mov	ebx, ecx
		cmp	ecx, eax
		ja	short loc_5B94A5
		mov	ebx, eax

loc_5B94A5:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A251j
		or	esi, 8
		mov	[ebp+var_4], esi

loc_5B94AB:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A247j
					; PpmParkCalculateCoreParkingMask+12A24Bj
		cmp	ds:_PpmPerfMaxOverrideEnabled, 0
		jz	short loc_5B94C1
		movzx	eax, byte ptr [edi+edx+58h]
		or	esi, 40000h
		jmp	short loc_5B94D4
; 

loc_5B94C1:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A262j
		test	edx, edx
		jnz	short loc_5B94D9
		cmp	[edi+63h], dl
		jz	short loc_5B94D9
		movzx	eax, byte ptr [edi+58h]
		or	esi, 80h

loc_5B94D4:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A26Fj
		mov	[ebp+var_4], esi
		jmp	short loc_5B9542
; 

loc_5B94D9:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A273j
					; PpmParkCalculateCoreParkingMask+12A278j
		mov	al, [edi+edx+62h]
		mov	dl, [edi+edx+58h]
		cmp	al, dl
		jb	short loc_5B94E7
		mov	al, dl

loc_5B94E7:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A293j
		cmp	ds:_PpmCheckLatencyBoostActive,	0
		movzx	eax, al
		mov	[ebp+var_18], eax
		jz	short loc_5B9522
		mov	eax, [ebp+var_48]
		mov	ecx, [ebp+var_10]
		push	64h
		movzx	ecx, byte ptr [eax+ecx+6Fh]
		movzx	eax, dl
		xor	edx, edx
		imul	eax, ecx
		pop	ecx
		add	eax, 32h
		div	ecx
		mov	edx, eax
		mov	eax, [ebp+var_18]
		cmp	edx, eax
		jbe	short loc_5B9522
		or	esi, 40h
		mov	eax, edx
		mov	[ebp+var_4], esi

loc_5B9522:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A2A4j
					; PpmParkCalculateCoreParkingMask+12A2C8j
		mov	cl, ds:_PpmParkGranularity
		cmp	cl, 1
		jbe	short loc_5B953F
		dec	eax
		movzx	ecx, cl
		add	eax, ecx
		xor	edx, edx
		mov	[ebp+var_18], eax
		div	ecx
		mov	eax, [ebp+var_18]
		sub	eax, edx

loc_5B953F:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A2DBj
		mov	edx, [ebp+var_10]

loc_5B9542:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A287j
		mov	[edi+edx+62h], al
		add	eax, [ebp+var_34]
		mov	edx, eax
		cmp	eax, ebx
		jb	short loc_5B9551
		mov	edx, ebx

loc_5B9551:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A2FDj
		mov	ecx, [ebp+var_C]
		cmp	edx, ecx
		jbe	short loc_5B9560
		cmp	eax, ebx
		jb	short loc_5B9562
		mov	eax, ebx
		jmp	short loc_5B9562
; 

loc_5B9560:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A306j
		mov	eax, ecx

loc_5B9562:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A30Aj
					; PpmParkCalculateCoreParkingMask+12A30Ej
		mov	edx, [ebp+var_28]
		mov	ecx, [ebp+var_10]
		sub	edx, ebx
		cmp	ds:_PpmParkSoftParkingEnabled, 0
		mov	[ebp+var_28], edx
		mov	dl, al
		mov	[ebp+var_34], edx
		mov	[edi+ecx+67h], dl
		jnz	short loc_5B958A
		or	esi, 200000h
		mov	ebx, eax
		mov	[ebp+var_4], esi

loc_5B958A:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A32Dj
		mov	ecx, [ebp+var_1C]
		lea	edx, [ebp+var_4]
		push	edx
		lea	edx, [ebp+var_2C]
		mov	esi, ecx
		and	esi, [ebp+var_38]
		push	edx
		lea	edx, [ebp+var_3C]
		push	edx
		push	[ebp+var_14]
		mov	edx, ecx
		push	[ebp+var_24]
		push	ebx
		push	eax
		mov	eax, [edi+18h]
		and	eax, ecx
		mov	cx, [edi+4]
		push	esi
		push	eax
		call	_PpmParkComputeUnparkMask@44 ; PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	ecx, [ebp+var_1C]
		push	[ebp+var_20]
		mov	eax, [edi+14h]
		not	ecx
		mov	edx, [ebp+var_10]
		and	eax, ecx
		or	eax, [ebp+var_2C]
		or	eax, [ebp+var_3C]
		push	esi
		push	[ebp+var_14]
		mov	[edi+14h], eax
		and	eax, ecx
		push	[ebp+var_24]
		or	eax, [ebp+var_2C]
		mov	ecx, edi
		push	[ebp+var_C]
		mov	[edi+1Ch], eax
		push	ebx
		push	[ebp+var_34]
		call	_PpmEventTraceSoftCoreParkingSelection@40 ; PpmEventTraceSoftCoreParkingSelection(x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_10]
		inc	ecx
		mov	[ebp+var_10], ecx
		cmp	ecx, 2
		jb	loc_5B90F5

loc_5B9601:				; CODE XREF: PpmParkCalculateCoreParkingMask+129EAEj
		mov	esi, [ebp+var_44]
		mov	ecx, [ebp+var_40]
		mov	edx, [ebp+var_4C]

loc_5B960A:				; CODE XREF: PpmParkCalculateCoreParkingMask+129E78j
		inc	ecx
		add	esi, 0D0h
		mov	[ebp+var_40], ecx
		mov	[ebp+var_44], esi
		cmp	ecx, ds:_PpmParkNumNodes
		jb	loc_5B90B9
		xor	ebx, ebx
		pop	esi

loc_5B9626:				; CODE XREF: PpmParkCalculateCoreParkingMask+129E5Dj
		call	_PpmParkComputeDiff@0 ;	PpmParkComputeDiff()
		xor	eax, eax
		cmp	eax, ds:_PpmParkLpiCap
		sbb	edx, edx
		neg	edx
		cmp	ds:_PpmParkLpiEngaged, edx
		jnz	short loc_5B964B
		cmp	ds:_PpmParkLpiCapChanged, eax
		jnz	short loc_5B964B
		mov	eax, ebx
		jmp	short loc_5B964E
; 

loc_5B964B:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A3EDj
					; PpmParkCalculateCoreParkingMask+12A3F5j
		xor	eax, eax
		inc	eax

loc_5B964E:				; CODE XREF: PpmParkCalculateCoreParkingMask+12A3F9j
		mov	ds:_PpmParkLpiEngaged, edx
		mov	ds:_PpmParkLpiCapChanged, ebx
		test	eax, eax
		jz	loc_48F27C
		call	_PpmEventLPICoreParking@8 ; PpmEventLPICoreParking(x,x)
		jmp	loc_48F27C
; END OF FUNCTION CHUNK	FOR PpmParkCalculateCoreParkingMask
; 
; START	OF FUNCTION CHUNK FOR PpmPerfSelectProcessorState

loc_5B966C:				; CODE XREF: PpmPerfSelectProcessorState+58j
		mov	dl, 64h
		jmp	loc_48F34E
; 

loc_5B9673:				; CODE XREF: PpmPerfSelectProcessorState+7Bj
		cmp	ds:byte_6C2D4C,	0
		jz	loc_48F371
		cmp	[ebx+149h], dl
		jnb	loc_48F371
		lea	ecx, dword_6BF8A0[ecx]
		mov	[ebp+var_58], 1000h
		mov	[ebp+var_64], ecx
		jmp	loc_48F373
; 

loc_5B96A1:				; CODE XREF: PpmPerfSelectProcessorState+8Aj
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_5B96AF
		mov	al, [eax+21h]
		jmp	loc_48F383
; 

loc_5B96AF:				; CODE XREF: PpmPerfSelectProcessorState+12A3B5j
		xor	al, al
		jmp	loc_48F38B
; 

loc_5B96B6:				; CODE XREF: PpmPerfSelectProcessorState+95j
		mov	al, 1
		jmp	loc_48F38B
; 

loc_5B96BD:				; CODE XREF: PpmPerfSelectProcessorState+11Cj
		mov	dl, [edi+2Ch]
		mov	edi, [ebx+150h]
		mov	[ebp+var_68], edi
		mov	edi, [ebp+var_78]
		mov	[ebp+var_59], dl
		test	dl, dl
		jnz	short loc_5B9701
		cmp	[ebp+var_68], eax
		jb	short loc_5B96FD
		mov	ecx, [ebp+var_64]
		xor	ah, ah
		mov	edx, [ebp+var_70]
		inc	byte ptr [edi+2Dh]
		mov	al, [edi+2Dh]
		or	[ebp+var_58], 100000h
		cmp	al, [ecx+edx+66h]
		jb	short loc_5B9734
		mov	word ptr [edi+2Ch], 1
		mov	ah, 1
		jmp	short loc_5B9734
; 

loc_5B96FD:				; CODE XREF: PpmPerfSelectProcessorState+12A3E6j
		xor	ah, ah
		jmp	short loc_5B9730
; 

loc_5B9701:				; CODE XREF: PpmPerfSelectProcessorState+12A3E1j
		cmp	[ebp+var_68], ecx
		ja	short loc_5B972E
		mov	ecx, [ebp+var_64]
		mov	edx, [ebp+var_70]
		inc	byte ptr [edi+2Dh]
		mov	al, [edi+2Dh]
		or	[ebp+var_58], 80000h
		cmp	al, [ecx+edx+64h]
		jb	short loc_5B9729
		mov	word ptr [edi+2Ch], 0
		xor	ah, ah
		jmp	short loc_5B9734
; 

loc_5B9729:				; CODE XREF: PpmPerfSelectProcessorState+12A42Dj
		mov	ah, [ebp+var_59]
		jmp	short loc_5B9734
; 

loc_5B972E:				; CODE XREF: PpmPerfSelectProcessorState+12A414j
		mov	ah, dl

loc_5B9730:				; CODE XREF: PpmPerfSelectProcessorState+12A40Fj
		mov	byte ptr [edi+2Dh], 0

loc_5B9734:				; CODE XREF: PpmPerfSelectProcessorState+12A401j
					; PpmPerfSelectProcessorState+12A40Bj ...
		mov	edx, [ebp+var_60]
		test	ah, ah
		jz	loc_48F416
		or	[ebp+var_58], 200000h
		jmp	loc_48F416
; 

loc_5B974B:				; CODE XREF: PpmPerfSelectProcessorState+13Bj
					; PpmPerfSelectProcessorState+144j ...
		mov	ecx, [edi+8]
		mov	eax, [ebp+var_74]
		jmp	loc_48F44F
; 

loc_5B9756:				; CODE XREF: PpmPerfSelectProcessorState+129j
					; PpmPerfSelectProcessorState+132j
		mov	eax, [ebp+var_74]
		mov	ecx, [eax+58h]
		jmp	loc_48F44F
; 

loc_5B9761:				; CODE XREF: PpmPerfSelectProcessorState+169j
		or	[ebp+var_58], 40000h
		mov	edi, ecx
		jmp	loc_48F558
; 

loc_5B976F:				; CODE XREF: PpmPerfSelectProcessorState+173j
		mov	al, [ebp+var_69]
		test	al, al
		jz	loc_48F469
		or	[ebp+var_58], 1
		cmp	al, 1
		jnz	short loc_5B978C
		mov	edi, 1
		jmp	loc_48F558
; 

loc_5B978C:				; CODE XREF: PpmPerfSelectProcessorState+12A490j
		mov	edi, ecx
		jmp	loc_48F558
; 

loc_5B9793:				; CODE XREF: PpmPerfSelectProcessorState+185j
		mov	cl, 64h
		mov	[ebp+var_59], cl
		jmp	loc_48F47B
; 

loc_5B979D:				; CODE XREF: PpmPerfSelectProcessorState+192j
		cmp	[ebp+var_5A], 0
		jnz	short loc_5B97A7
		mov	[ebp+var_5A], 2

loc_5B97A7:				; CODE XREF: PpmPerfSelectProcessorState+12A4B1j
		cmp	[ebp+var_5B], 0
		jnz	loc_48F488
		mov	[ebp+var_5B], 2
		jmp	loc_48F488
; 

loc_5B97BA:				; CODE XREF: PpmPerfSelectProcessorState+1ADj
		xor	edx, edx
		div	edi
		mov	edx, eax
		mov	[ebp+var_7C], edx
		jmp	loc_48F4BD
; 

loc_5B97C8:				; CODE XREF: PpmPerfSelectProcessorState+1C5j
		mov	eax, [ebp+var_78]
		mov	edx, [ebp+var_7C]
		mov	edi, [eax+38h]
		jmp	loc_48F4BD
; 

loc_5B97D6:				; CODE XREF: PpmPerfSelectProcessorState+3ABj
		sub	eax, 1
		jz	short loc_5B9814
		sub	eax, 2
		jnz	loc_48F6B7
		movzx	ecx, cl
		cmp	edx, ecx
		jb	short loc_5B97F8
		mov	eax, [ebp+var_60]
		xor	edx, edx
		div	[ebp+var_94]
		jmp	short loc_5B9808
; 

loc_5B97F8:				; CODE XREF: PpmPerfSelectProcessorState+12A4F9j
		mov	eax, [ebp+var_84]
		xor	edx, edx
		movzx	ecx, al
		mov	eax, [ebp+var_60]
		div	ecx

loc_5B9808:				; CODE XREF: PpmPerfSelectProcessorState+12A506j
		or	[ebp+var_58], 80h
		jmp	loc_48F6B5
; 

loc_5B9814:				; CODE XREF: PpmPerfSelectProcessorState+12A4E9j
		add	edi, ds:_PpmPerfSingleStepSize
		or	[ebp+var_58], 20h
		jmp	loc_48F6B7
; 

loc_5B9823:				; CODE XREF: PpmPerfSelectProcessorState+37Fj
		mov	edx, [ebp+var_58]
		sub	eax, 2
		jnz	loc_48F515

loc_5B982F:				; CODE XREF: PpmPerfSelectProcessorState+20Fj
		or	edx, 400h
		mov	edi, 1
		mov	[ebp+var_58], edx
		jmp	loc_48F515
; 

loc_5B9842:				; CODE XREF: PpmPerfSelectProcessorState+34Dj
					; PpmPerfSelectProcessorState+358j
		or	edx, 800h
		mov	edi, eax
		mov	[ebp+var_58], edx
		jmp	loc_48F538
; 

loc_5B9852:				; CODE XREF: PpmPerfSelectProcessorState+254j
		movzx	eax, al
		cmp	edi, eax
		ja	short loc_5B985B
		mov	edi, eax

loc_5B985B:				; CODE XREF: PpmPerfSelectProcessorState+12A567j
		or	edx, 10000h
		mov	byte ptr [ebx+14Bh], 0
		mov	[ebp+var_58], edx
		jmp	loc_48F54A
; 

loc_5B9870:				; CODE XREF: PpmPerfSelectProcessorState+262j
		movzx	eax, al
		cmp	edi, eax
		ja	short loc_5B9879
		mov	edi, eax

loc_5B9879:				; CODE XREF: PpmPerfSelectProcessorState+12A585j
		or	edx, 20000h
		mov	byte ptr [ebx+14Ch], 0
		mov	[ebp+var_58], edx
		jmp	loc_48F558
; 

loc_5B988E:				; CODE XREF: PpmPerfSelectProcessorState+311j
		test	cl, cl
		jnz	loc_48F616
		jmp	loc_48F607
; 

loc_5B989B:				; CODE XREF: PpmPerfSelectProcessorState+320j
		mov	ecx, [eax+58h]
		xor	edi, edi
		mov	edx, [eax+5Ch]
		mov	eax, ecx
		and	eax, 20h
		cmp	eax, ecx
		jnz	loc_48F616
		cmp	edi, edx
		jz	short loc_5B98D2
		jmp	loc_48F616
; 

loc_5B98B9:				; CODE XREF: PpmPerfSelectProcessorState+32Aj
		mov	ecx, [esi+14h]
		mov	dl, 4
		push	0
		push	20h
		add	ecx, 40h
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	loc_48F620

loc_5B98D2:				; CODE XREF: PpmPerfSelectProcessorState+12A5C2j
		lea	eax, [ebp+var_90]
		mov	[ebp+var_40], 0
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		mov	eax, ds:dword_6BFD04
		push	5
		push	0
		push	offset _PPM_ETW_PERF_SELECT_PROCESSOR_STATE
		push	eax
		push	esi
		mov	[ebp+var_3C], 4
		mov	[ebp+var_38], 0
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], 4
		mov	[ebp+var_28], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 4
		mov	[ebp+var_18], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], 0
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_48F620
; END OF FUNCTION CHUNK	FOR PpmPerfSelectProcessorState
; 
; START	OF FUNCTION CHUNK FOR PpmCheckMakeupSkippedChecks

loc_5B9965:				; CODE XREF: PpmCheckMakeupSkippedChecks+24j
					; PpmCheckMakeupSkippedChecks+31j
		call	_PpmEventTraceMakeupPerfCheck@0	; PpmEventTraceMakeupPerfCheck()
		dec	ds:_PpmCheckMakeupCount
		mov	ds:_PpmCheckPipelineIndex, 4
		jmp	loc_48F6DD
; END OF FUNCTION CHUNK	FOR PpmCheckMakeupSkippedChecks
; 
; START	OF FUNCTION CHUNK FOR PpmCheckAdjustNextPerfCheck

loc_5B997F:				; CODE XREF: PpmCheckAdjustNextPerfCheck+Fj
		mov	ecx, ds:_PpmCheckLastExecutionTime
		mov	eax, ds:dword_6C049C
		or	ecx, eax
		jz	loc_48F76F
		call	KeQueryInterruptTime
		push	ebx
		mov	ecx, eax
		mov	[ebp+var_8], edx
		push	esi
		mov	[ebp+var_4], ecx
		push	edi

loc_5B99A2:				; CODE XREF: PpmCheckAdjustNextPerfCheck+12A277j
					; PpmCheckAdjustNextPerfCheck+12A27Bj
		mov	esi, ds:_PpmCheckLastExecutionTime
		mov	eax, esi
		mov	edi, ds:dword_6C049C
		mov	edx, edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], offset _PpmCheckLastExecutionTime
		nop
		mov	edi, [ebp+var_C]
		mov	ebx, ecx
		mov	ecx, [ebp+var_8]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_10]
		mov	ecx, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_5B99A2
		cmp	edx, edi
		jnz	short loc_5B99A2
		pop	edi
		pop	esi
		pop	ebx
		jmp	loc_48F76F
; END OF FUNCTION CHUNK	FOR PpmCheckAdjustNextPerfCheck
; 
; START	OF FUNCTION CHUNK FOR KeQueryMaximumProcessorCountEx

loc_5B99DF:				; CODE XREF: KeQueryMaximumProcessorCountEx+Cj
		mov	eax, [ebp+arg_0]
		mov	ecx, 0FFFFh
		cmp	ax, cx
		jz	short loc_5B9A0C
		test	ax, ax
		jnz	short loc_5B99FB
		cmp	ds:_KiMaximumGroups, 1
		jz	short loc_5B9A0C

loc_5B99FB:				; CODE XREF: KeQueryMaximumProcessorCountEx+12A179j
		cmp	ax, ds:_KiMaximumGroups
		sbb	eax, eax
		and	eax, ds:_KiMaximumGroupSize
		jmp	short loc_5B9A11
; 

loc_5B9A0C:				; CODE XREF: KeQueryMaximumProcessorCountEx+12A174j
					; KeQueryMaximumProcessorCountEx+12A183j
		mov	eax, ds:_KeMaximumProcessors

loc_5B9A11:				; CODE XREF: KeQueryMaximumProcessorCountEx+12A194j
		pop	ebp
		retn	4
; END OF FUNCTION CHUNK	FOR KeQueryMaximumProcessorCountEx
; 
; START	OF FUNCTION CHUNK FOR KiScheduleNextForegroundBoost

loc_5B9A15:				; CODE XREF: KiScheduleNextForegroundBoost+54j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_48F8ED
; END OF FUNCTION CHUNK	FOR KiScheduleNextForegroundBoost
; 
; START	OF FUNCTION CHUNK FOR KiEvaluateGroupSchedulingPreemption

loc_5B9A24:				; CODE XREF: KiEvaluateGroupSchedulingPreemption+13Bj
		cmp	byte ptr [edi+92h], 1
		jnz	loc_48F983
		jmp	loc_48FA71
; END OF FUNCTION CHUNK	FOR KiEvaluateGroupSchedulingPreemption
; 
; START	OF FUNCTION CHUNK FOR KeReleaseSemaphoreEx

loc_5B9A36:				; CODE XREF: KeReleaseSemaphoreEx+FEj
		push	0
		mov	edx, edi
		mov	edi, [ebp+var_4]
		push	100h
		mov	ecx, edi
		call	KiTryUnwaitThread

loc_5B9A49:				; CODE XREF: KeReleaseSemaphoreEx+A1j
					; KeReleaseSemaphoreEx+ABj ...
		mov	eax, [ebp+var_1C]
		lea	ecx, [esi+8]
		cmp	eax, ecx
		jnz	loc_48FB46
		jmp	loc_48FB91
; 

loc_5B9A5C:				; CODE XREF: KeReleaseSemaphoreEx+42j
					; KeReleaseSemaphoreEx+4Aj
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0C0000047h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

loc_5B9A75:				; CODE XREF: KiRemoveBoostThread+17Aj
		mov	edx, edi
		call	KiIsThreadRankNonZero
		mov	ecx, [ebp+var_8]
		mov	dl, 1
		test	al, al
		jnz	loc_48FF86
		jmp	loc_48FF80
; END OF FUNCTION CHUNK	FOR KeReleaseSemaphoreEx
; 
; START	OF FUNCTION CHUNK FOR KiSelectReadyThreadEx

loc_5B9A8E:				; CODE XREF: KiSelectReadyThreadEx+18j
		xor	eax, eax
		jmp	loc_490008
; END OF FUNCTION CHUNK	FOR KiSelectReadyThreadEx
; 
; START	OF FUNCTION CHUNK FOR KxFlushNonGlobalTb

loc_5B9A95:				; CODE XREF: KxFlushNonGlobalTb+2Cj
		mov	edx, large fs:20h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], 0
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, [edx+4]
		mov	ecx, [eax+80h]
		mov	eax, [ecx+58h]
		mov	ebx, [ecx+60h]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+5Ch]
		mov	[ebp+var_C], eax
		mov	eax, [edx+3CCh]
		btr	ebx, eax
		mov	[ebp+var_8], ebx
		lea	edx, [ebp+var_10]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[ebx]
		mov	bl, [ebp+var_11]
		movzx	esi, cl
		xor	ecx, ecx
		jmp	loc_4900BE
; END OF FUNCTION CHUNK	FOR KxFlushNonGlobalTb
; 
; START	OF FUNCTION CHUNK FOR PpmPerfApplyDomainState

loc_5B9B0B:				; CODE XREF: PpmPerfApplyDomainState+A8j
		push	offset _PpmPerfNewCoreParkingMask
		lea	eax, [edx+0Ch]
		push	eax
		call	_KeIsSubsetAffinityEx@8	; KeIsSubsetAffinityEx(x,x)
		mov	edx, [ebp+var_38]
		xor	ecx, ecx
		test	eax, eax
		jnz	loc_4901CE
		mov	esi, ds:_PpmPerfDomainHead
		mov	edi, offset _PpmPerfDomainHead
		mov	[ebp+var_40], esi
		jmp	loc_4901D5
; 

loc_5B9B39:				; CODE XREF: PpmPerfApplyDomainState+FEj
		mov	ecx, [ebp+var_60]
		jmp	loc_4901DC
; 

loc_5B9B41:				; CODE XREF: PpmPerfApplyDomainState+C7j
		push	offset _PpmPerfNewCoreParkingMask
		lea	eax, [esi+0Ch]
		push	eax
		call	_KeIsSubsetAffinityEx@8	; KeIsSubsetAffinityEx(x,x)
		mov	edx, [ebp+var_38]
		test	eax, eax
		jnz	loc_490217
		mov	eax, [ebp+var_50]
		mov	ecx, [esi+8]
		mov	eax, [eax-3B68h]
		cmp	eax, [ecx-3B68h]
		jnz	loc_490217
		mov	al, [edx+20h]
		mov	cl, [esi+20h]
		mov	[ebp+var_32], al
		mov	[ebp+var_31], cl
		cmp	al, cl
		jz	short loc_5B9B8F
		cmp	ds:_PpmPerfQosEnabled, 0
		jz	loc_490217

loc_5B9B8F:				; CODE XREF: PpmPerfApplyDomainState+129A60j
		mov	al, [edx+21h]
		cmp	al, [esi+21h]
		jz	short loc_5B9BDF
		mov	edi, [esi+74h]
		mov	eax, edi
		mul	[ebp+var_58]
		mov	ebx, [esi+70h]
		mov	esi, eax
		mov	eax, ebx
		mul	[ebp+var_58]
		shrd	ebx, edi, 1
		mov	ecx, eax
		add	esi, edx
		shr	edi, 1
		add	ecx, ebx
		adc	esi, edi
		mov	edi, [ebp+var_38]
		mov	eax, [edi+74h]
		push	eax
		mov	eax, [edi+70h]
		push	eax
		push	esi
		push	ecx
		call	__aulldiv
		mov	esi, [ebp+var_40]
		mov	ebx, eax
		mov	eax, [ebp+var_5C]
		mov	edx, edi
		mov	cl, [ebp+var_31]
		mov	edi, [ebp+var_54]
		cmp	ebx, eax
		jbe	short loc_5B9BDF
		mov	ebx, eax

loc_5B9BDF:				; CODE XREF: PpmPerfApplyDomainState+129A75j
					; PpmPerfApplyDomainState+129ABBj
		cmp	[ebp+var_32], cl
		jz	short loc_5B9BF5
		cmp	ebx, [ebp+var_64]
		jbe	loc_490217
		mov	[ebp+var_64], ebx
		jmp	loc_490217
; 

loc_5B9BF5:				; CODE XREF: PpmPerfApplyDomainState+129AC2j
		mov	ecx, [ebp+var_60]
		jmp	loc_4901ED
; 

loc_5B9BFD:				; CODE XREF: PpmPerfApplyDomainState+DBj
		mov	[ebp+var_34], 1
		jmp	loc_490201
; 

loc_5B9C06:				; CODE XREF: PpmPerfApplyDomainState+203j
		mov	eax, [edx+60h]
		mov	esi, 1
		mov	[ebp+var_50], esi
		jmp	loc_49032C
; 

loc_5B9C16:				; CODE XREF: PpmPerfApplyDomainState+21Dj
		or	esi, 8
		cmp	ds:_PpmPerfBoostAtGuaranteed, 0
		mov	[ebp+var_50], esi
		jnz	short loc_5B9C2F
		mov	edx, 64h
		jmp	loc_490346
; 

loc_5B9C2F:				; CODE XREF: PpmPerfApplyDomainState+129B03j
		mov	edx, [ebp+var_48]
		jmp	loc_490346
; 

loc_5B9C37:				; CODE XREF: PpmPerfApplyDomainState+22Ej
		cmp	edx, ecx
		jb	loc_490354
		mov	edx, ecx
		mov	[ebp+var_4C], edx
		jmp	loc_490354
; 

loc_5B9C49:				; CODE XREF: PpmPerfApplyDomainState+258j
		movzx	ecx, byte ptr [edi+17h]
		jmp	loc_490389
; 

loc_5B9C52:				; CODE XREF: PpmPerfApplyDomainState+261j
		mov	ecx, [ebp+var_68]
		mov	esi, [ebp+var_74]
		mov	ecx, [ecx+esi*4+70h]
		jmp	loc_490389
; 

loc_5B9C61:				; CODE XREF: PpmPerfApplyDomainState+278j
		cmp	ecx, edx
		jnb	short loc_5B9C6C
		mov	esi, ecx
		jmp	loc_4903A0
; 

loc_5B9C6C:				; CODE XREF: PpmPerfApplyDomainState+129B43j
		mov	esi, edx
		jmp	loc_4903A0
; 

loc_5B9C73:				; CODE XREF: PpmPerfApplyDomainState+283j
		mov	esi, ecx
		cmp	ecx, edx
		jb	short loc_5B9C7B
		mov	esi, edx

loc_5B9C7B:				; CODE XREF: PpmPerfApplyDomainState+129B57j
		cmp	esi, eax
		jbe	short loc_5B9C91
		cmp	ecx, edx
		jnb	short loc_5B9C8A
		mov	esi, ecx
		jmp	loc_4903AC
; 

loc_5B9C8A:				; CODE XREF: PpmPerfApplyDomainState+129B61j
		mov	esi, edx
		jmp	loc_4903AC
; 

loc_5B9C91:				; CODE XREF: PpmPerfApplyDomainState+129B5Dj
		mov	esi, eax
		jmp	loc_4903AC
; 

loc_5B9C98:				; CODE XREF: PpmPerfApplyDomainState+2A1j
		cmp	ecx, edx
		jnb	short loc_5B9CA3
		mov	esi, ecx
		jmp	loc_4903C9
; 

loc_5B9CA3:				; CODE XREF: PpmPerfApplyDomainState+129B7Aj
		mov	esi, edx
		jmp	loc_4903C9
; 

loc_5B9CAA:				; CODE XREF: PpmPerfApplyDomainState+2ACj
		mov	esi, ecx
		cmp	ecx, edx
		jb	short loc_5B9CB2
		mov	esi, edx

loc_5B9CB2:				; CODE XREF: PpmPerfApplyDomainState+129B8Ej
		cmp	esi, eax
		jbe	short loc_5B9CC5
		cmp	ecx, edx
		jb	loc_4903D8
		mov	ecx, edx
		jmp	loc_4903D5
; 

loc_5B9CC5:				; CODE XREF: PpmPerfApplyDomainState+129B94j
		mov	ecx, eax
		jmp	loc_4903D5
; 

loc_5B9CCC:				; CODE XREF: PpmPerfApplyDomainState+28Fj
		mov	ecx, [ebp+var_58]
		jmp	loc_4903D5
; 

loc_5B9CD4:				; CODE XREF: PpmPerfApplyDomainState+2BAj
		mov	esi, edx
		jmp	loc_4903E2
; 

loc_5B9CDB:				; CODE XREF: PpmPerfApplyDomainState+2C5j
		cmp	edx, eax
		jbe	short loc_5B9CE6
		mov	esi, edx
		jmp	loc_4903EE
; 

loc_5B9CE6:				; CODE XREF: PpmPerfApplyDomainState+129BBDj
		mov	esi, eax
		jmp	loc_4903EE
; 

loc_5B9CED:				; CODE XREF: PpmPerfApplyDomainState+2D9j
		mov	esi, edx
		jmp	loc_490401
; 

loc_5B9CF4:				; CODE XREF: PpmPerfApplyDomainState+2E4j
		cmp	edx, eax
		ja	loc_490410
		mov	edx, eax
		jmp	loc_49040D
; 

loc_5B9D03:				; CODE XREF: PpmPerfApplyDomainState+2D1j
		mov	edx, [ebp+var_58]
		jmp	loc_49040D
; 

loc_5B9D0B:				; CODE XREF: PpmPerfApplyDomainState+2FEj
		mov	esi, [ebp+var_60]
		jmp	loc_490430
; 

loc_5B9D13:				; CODE XREF: PpmPerfApplyDomainState+315j
		cmp	[ebp+var_33], 0
		mov	[ebp+var_40], edx
		jz	loc_490442
		or	[ebp+var_50], 2
		jmp	loc_490442
; 

loc_5B9D29:				; CODE XREF: PpmPerfApplyDomainState+327j
		cmp	al, 4
		jz	loc_49044D
		cmp	al, 5
		jz	short loc_5B9D42
		cmp	al, 6
		jnz	loc_490477
		jmp	loc_49044D
; 

loc_5B9D42:				; CODE XREF: PpmPerfApplyDomainState+32Fj
					; PpmPerfApplyDomainState+337j	...
		mov	eax, [ebp+var_48]
		jmp	loc_49046F
; 

loc_5B9D4A:				; CODE XREF: PpmPerfApplyDomainState+369j
		xor	esi, esi
		jmp	loc_490491
; 

loc_5B9D51:				; CODE XREF: PpmPerfApplyDomainState+37Cj
		mov	esi, eax
		jmp	loc_4904A2
; 

loc_5B9D58:				; CODE XREF: PpmPerfApplyDomainState+3A3j
		mov	edx, [ebp+var_68]
		mov	ecx, [ebp+var_74]
		mov	edx, [edx+ecx*4+68h]
		cmp	eax, edx
		mov	[ebp+var_84], edx
		mov	edx, [ebp+var_4C]
		jb	loc_4904C9
		mov	eax, [ebp+var_84]
		mov	[ebp+var_54], eax
		jmp	loc_4904C9
; 

loc_5B9D81:				; CODE XREF: PpmPerfApplyDomainState+3B4j
		or	eax, 4
		jmp	loc_4904DA
; 

loc_5B9D89:				; CODE XREF: PpmPerfApplyDomainState+3E4j
		mov	esi, ecx
		jmp	loc_49050A
; 

loc_5B9D90:				; CODE XREF: PpmPerfApplyDomainState+3F6j
		mov	[ebp+var_C], 1
		jmp	loc_49051F
; 

loc_5B9D99:				; CODE XREF: PpmPerfApplyDomainState+43Ej
		mov	byte ptr [ebp+var_B], 1
		jmp	loc_490564
; END OF FUNCTION CHUNK	FOR PpmPerfApplyDomainState
; 
; START	OF FUNCTION CHUNK FOR PpmPerfApplyCapsAndFloors

loc_5B9DA2:				; CODE XREF: PpmPerfApplyCapsAndFloors+4Dj
		mov	ecx, [ebp+var_8]
		cmp	[ecx], eax
		jbe	loc_490663
		mov	[ebp+var_1], 1
		mov	[ecx], eax
		jmp	loc_490663
; END OF FUNCTION CHUNK	FOR PpmPerfApplyCapsAndFloors
; 
; START	OF FUNCTION CHUNK FOR PpmGetPerfPolicyClass

loc_5B9DB8:				; CODE XREF: PpmGetPerfPolicyClass+Bj
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_5B9DC6
		mov	al, [eax+21h]
		jmp	loc_4906A6
; 

loc_5B9DC6:				; CODE XREF: PpmGetPerfPolicyClass+12972Aj
		xor	al, al
		jmp	loc_4906A6
; END OF FUNCTION CHUNK	FOR PpmGetPerfPolicyClass

;  S U B	R O U T	I N E 


sub_5B9DCD	proc near		; DATA XREF: .text:006A123Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_5B9DCD	endp


;  S U B	R O U T	I N E 


sub_5B9DDD	proc near		; DATA XREF: .text:006A1240o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-1Ch]
		jmp	loc_4906F8
sub_5B9DDD	endp

; 
; START	OF FUNCTION CHUNK FOR ExpGetSystemBasicInformation

loc_5B9DE8:				; CODE XREF: ExpGetSystemBasicInformation+71j
		xor	edx, edx
		jmp	loc_49079D
; END OF FUNCTION CHUNK	FOR ExpGetSystemBasicInformation

;  S U B	R O U T	I N E 


sub_5B9DEF	proc near		; DATA XREF: .text:006A125Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_5B9DEF	endp


;  S U B	R O U T	I N E 


sub_5B9DFF	proc near		; DATA XREF: .text:006A1260o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-20h]
		jmp	loc_49080A
sub_5B9DFF	endp

; 
; START	OF FUNCTION CHUNK FOR MmQueryMemoryListInformation

loc_5B9E0A:				; CODE XREF: MmQueryMemoryListInformation+6Cj
		mov	dword ptr [ebx], 58h
		mov	eax, 0C0000004h
		jmp	loc_4908F3
; END OF FUNCTION CHUNK	FOR MmQueryMemoryListInformation

;  S U B	R O U T	I N E 


sub_5B9E1A	proc near		; DATA XREF: .text:006A127Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-88h], eax
		mov	eax, 1
		retn
sub_5B9E1A	endp


;  S U B	R O U T	I N E 


sub_5B9E2D	proc near		; DATA XREF: .text:006A1280o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-88h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-8Ch]
		jmp	loc_4908DD
sub_5B9E2D	endp

; 
; START	OF FUNCTION CHUNK FOR MmQueryMemoryListInformation

loc_5B9E48:				; CODE XREF: MmQueryMemoryListInformation+BBj
		mov	ecx, [ebp+var_90]
		mov	ecx, [ecx+64h]
		call	PsDereferencePartition
		jmp	loc_4908F1
; END OF FUNCTION CHUNK	FOR MmQueryMemoryListInformation
; 
; START	OF FUNCTION CHUNK FOR MiQueryMemoryListInformation

loc_5B9E5B:				; CODE XREF: MiQueryMemoryListInformation+ECj
		mov	[ebx], eax
		xor	eax, eax
		jmp	loc_490A15
; 

loc_5B9E64:				; CODE XREF: MiQueryMemoryListInformation+F7j
		mov	[ebx+4], eax
		xor	eax, eax
		jmp	loc_490A1F
; 

loc_5B9E6E:				; CODE XREF: MiQueryMemoryListInformation+103j
		mov	[ebx+8], eax
		xor	eax, eax
		jmp	loc_490A2D
; 

loc_5B9E78:				; CODE XREF: MiQueryMemoryListInformation+10Fj
		mov	[ebx+0Ch], eax
		xor	eax, eax
		jmp	loc_490A37
; 

loc_5B9E82:				; CODE XREF: MiQueryMemoryListInformation+119j
		mov	[ebx+10h], eax
		xor	eax, eax
		jmp	loc_490A41
; END OF FUNCTION CHUNK	FOR MiQueryMemoryListInformation
; 
; START	OF FUNCTION CHUNK FOR MiPartitionObjectToPartition

loc_5B9E8C:				; CODE XREF: MiPartitionObjectToPartition+29j
		cmp	[esi+64h], ecx
		jnz	short loc_5B9EA8
		call	PsReferencePartitionSafe
		test	al, al
		jnz	short loc_5B9EA1
		mov	esi, ebx
		jmp	loc_490AFF
; 

loc_5B9EA1:				; CODE XREF: MiPartitionObjectToPartition+1293C8j
		mov	bl, 1
		jmp	loc_490AFF
; 

loc_5B9EA8:				; CODE XREF: MiPartitionObjectToPartition+20j
					; MiPartitionObjectToPartition+1293BFj
		push	ebx
		push	esi
		push	ecx
		push	41001h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5B9EB8:				; CODE XREF: RtlUIntAdd+Cj
		mov	dword ptr [ecx], 0FFFFFFFFh
		mov	eax, 0C0000095h
		jmp	loc_490B46
; END OF FUNCTION CHUNK	FOR MiPartitionObjectToPartition
; 
; START	OF FUNCTION CHUNK FOR CcLazyWriteScan

loc_5B9EC8:				; CODE XREF: CcLazyWriteScan+FAj
		mov	eax, [esi]
		xor	edx, edx
		mov	ecx, [ecx+0FC0h]
		mov	edi, eax
		and	[esp+60h+var_3C], edx
		jmp	loc_490DD7
; 

loc_5B9EDD:				; CODE XREF: CcLazyWriteScan+7AAj
		mov	edx, [ebp+4]
		lea	ecx, [esp+60h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_491450
; 

loc_5B9EEE:				; CODE XREF: CcLazyWriteScan+7D0j
		lea	ecx, [esp+60h+var_C]
		call	KxWaitForLockChainValid

loc_5B9EF7:				; CODE XREF: CcLazyWriteScan+7B6j
		mov	[esp+60h+var_C], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_491450
; 

loc_5B9F0A:				; CODE XREF: CcLazyWriteScan+794j
		xor	edx, edx
		mov	ecx, ebx
		call	CcRescheduleLazyWriteScan
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5B9F2C
		mov	edx, [ebp+4]
		lea	ecx, [esp+60h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5B9F60
; 

loc_5B9F2C:				; CODE XREF: CcLazyWriteScan+1292A2j
		mov	eax, [esp+60h+var_C]
		test	eax, eax
		jnz	short loc_5B9F4F
		mov	edx, [esp+60h+var_8]
		lea	eax, [esp+60h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+60h+var_C]
		cmp	eax, ecx
		jz	short loc_5B9F60
		call	KxWaitForLockChainValid

loc_5B9F4F:				; CODE XREF: CcLazyWriteScan+1292B8j
		xor	ecx, ecx
		mov	[esp+60h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5B9F60:				; CODE XREF: CcLazyWriteScan+1292B0j
					; CcLazyWriteScan+1292CEj
		mov	cl, [esp+60h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5B9F6A:				; CODE XREF: CcLazyWriteScan+347j
		mov	ecx, ebx
		call	_CcPostDeferredWrites@4	; CcPostDeferredWrites(x)
		jmp	loc_490FC7
; 

loc_5B9F76:				; CODE XREF: CcLazyWriteScan+197j
		mov	edx, [eax]
		cmp	[eax+4], ecx
		jnz	loc_491477
		cmp	[edx+4], eax
		jnz	loc_491477
		mov	[ecx], edx
		lea	edi, [esp+60h+var_28]
		mov	[edx+4], ecx
		mov	edx, [esp+60h+var_24]
		cmp	[edx], edi
		jnz	loc_491477
		mov	[eax], edi
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[esp+60h+var_24], eax
		jmp	loc_490E0D
; 

loc_5B9FAF:				; CODE XREF: CcLazyWriteScan+3A9j
		mov	edx, [ebp+4]
		lea	ecx, [esp+60h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_49104D
; 

loc_5B9FC0:				; CODE XREF: CcLazyWriteScan+41Cj
		xor	ecx, ecx
		lea	edx, [ebx+94h]
		mov	eax, edi
		inc	ecx
		or	eax, ecx
		mov	[esi+160h], eax
		jmp	loc_4910B2
; 

loc_5B9FD8:				; CODE XREF: CcLazyWriteScan+48Ej
		mov	edx, [ebp+4]
		lea	ecx, [esp+60h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_491134
; 

loc_5B9FE9:				; CODE XREF: CcLazyWriteScan+3F9j
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		and	dword ptr [esi+60h], 0FFFFFFDFh
		dec	dword ptr [esi+4Ch]
		jmp	loc_490F27
; 

loc_5B9FFA:				; CODE XREF: CcLazyWriteScan+230j
		mov	edi, ecx
		jmp	loc_490F27
; 

loc_5BA001:				; CODE XREF: CcLazyWriteScan+2B7j
		xor	eax, eax
		inc	eax
		mov	[esp+60h+var_53], al
		jmp	loc_490F37
; 

loc_5BA00D:				; CODE XREF: CcLazyWriteScan+2C3j
		mov	eax, [ecx]
		lea	edx, [esp+60h+var_28]
		cmp	[ecx+4], edx
		jnz	loc_491477
		cmp	[eax+4], ecx
		jnz	loc_491477
		mov	[esp+60h+var_28], eax
		mov	[eax+4], edx
		lea	edx, [ebx+0A4h]
		mov	eax, [ecx+4Ch]
		add	eax, 0B4h
		cmp	eax, edx
		jnz	short loc_5BA045
		call	CcPostWorkQueueCachemapUninit
		jmp	short loc_5BA04A
; 

loc_5BA045:				; CODE XREF: CcLazyWriteScan+1293C2j
		call	CcPostWorkQueueRegular

loc_5BA04A:				; CODE XREF: CcLazyWriteScan+1293C9j
		mov	ecx, [esp+60h+var_28]
		jmp	loc_490F37
; 

loc_5BA053:				; CODE XREF: CcLazyWriteScan+6AFj
		xor	eax, eax
		mov	byte ptr [ebx+190h], 0
		inc	eax
		mov	[ebx+48h], al
		jmp	loc_490F66
; 

loc_5BA065:				; CODE XREF: CcLazyWriteScan+2E6j
		mov	byte ptr [ebx+48h], 0
		jmp	loc_490F66
; 

loc_5BA06E:				; CODE XREF: CcLazyWriteScan+2F2j
		mov	edx, [ebp+4]
		lea	ecx, [esp+60h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_490F98
; END OF FUNCTION CHUNK	FOR CcLazyWriteScan
; 
; START	OF FUNCTION CHUNK FOR CcShouldLazyWriteCacheMap

loc_5BA07F:				; CODE XREF: CcShouldLazyWriteCacheMap+CFj
		test	al, 0Fh
		jz	loc_49155D
		cmp	edx, 40h
		jnb	loc_49155D
		cmp	[ebp+arg_4], 10h
		jmp	loc_491582
; END OF FUNCTION CHUNK	FOR CcShouldLazyWriteCacheMap
; 
; START	OF FUNCTION CHUNK FOR KeWaitForMultipleObjects

loc_5BA099:				; CODE XREF: KeWaitForMultipleObjects+64j
					; KeWaitForMultipleObjects+5B0j
		push	0Ch
		call	_KeBugCheck@4	; KeBugCheck(x)

loc_5BA0A0:				; CODE XREF: KeWaitForMultipleObjects+106j
		mov	ebx, 0FFDF000Ch
		lea	edi, [ebx-4]

loc_5BA0A8:				; CODE XREF: KeWaitForMultipleObjects+128B30j
		lea	ecx, [esp+0ACh+var_40]
		call	KeYieldProcessorEx
		mov	esi, [ebx]
		mov	eax, 0FFDF0010h
		mov	edx, [edi]
		mov	[esp+0ACh+var_84], esi
		cmp	esi, [eax]
		jnz	short loc_5BA0A8
		mov	esi, [esp+0ACh+var_80]
		mov	edi, [esp+0ACh+var_70]
		mov	ebx, [esp+0ACh+var_84]
		mov	eax, [esp+14h]
		mov	ecx, [esp+0ACh+var_5C]
		jmp	loc_49169C
; 

loc_5BA0DB:				; CODE XREF: KeWaitForMultipleObjects+5FAj
		mov	ecx, [esp+0A8h+var_9C]
		mov	eax, 1
		xor	edx, edx
		call	__allshl
		or	[esp+0A8h+var_88], eax
		or	[esp+0A8h+var_84], edx
		mov	ecx, [esp+0A8h+var_8C]
		jmp	loc_491B90
; 

loc_5BA0FC:				; CODE XREF: KeWaitForMultipleObjects+302j
		mov	ebx, 0FFDF000Ch
		lea	esi, [ebx-4]

loc_5BA104:				; CODE XREF: KeWaitForMultipleObjects+128B8Cj
		lea	ecx, [esp+0A8h+var_30]
		call	KeYieldProcessorEx
		mov	edi, [ebx]
		mov	eax, 0FFDF0010h
		mov	edx, [esi]
		mov	[esp+0A8h+var_90], edi
		cmp	edi, [eax]
		jnz	short loc_5BA104
		mov	esi, [esp+0A8h+var_7C]
		mov	ebx, [esp+0A8h+var_80]
		mov	edi, [esp+0A8h+var_70]
		mov	ecx, [esp+0A8h+var_90]
		jmp	loc_491898
; 

loc_5BA133:				; CODE XREF: KeWaitForMultipleObjects+5C0j
		cmp	dword ptr [esi+13Ch], 0
		jnz	loc_4918D2
		cmp	byte ptr [esi+92h], 0
		jnz	loc_4918D2
		cmp	byte ptr [esi+84h], 0
		jnz	loc_4918D2
		mov	edx, [esp+0A8h+var_94]
		xor	ecx, ecx
		add	edx, edi
		adc	ecx, ebx
		jmp	loc_4918D2
; 

loc_5BA169:				; CODE XREF: KeWaitForMultipleObjects+3FAj
		mov	eax, 0FFDF0018h
		mov	[esp+0A8h+var_2C], 0
		mov	eax, [eax]
		mov	[esp+0A8h+var_90], eax
		mov	eax, 0FFDF0014h
		mov	eax, [eax]
		mov	[esp+0A8h+var_60], eax
		mov	eax, 0FFDF001Ch
		mov	eax, [eax]
		cmp	[esp+0A8h+var_90], eax
		jz	short loc_5BA1D0
		mov	edi, 0FFDF0018h
		lea	ebx, [edi-4]

loc_5BA19C:				; CODE XREF: KeWaitForMultipleObjects+128C2Aj
		lea	ecx, [esp+0A8h+var_2C]
		call	KeYieldProcessorEx
		mov	esi, [edi]
		mov	eax, [ebx]
		mov	[esp+0A8h+var_60], eax
		mov	eax, 0FFDF001Ch
		mov	[esp+0A8h+var_90], esi
		mov	eax, [eax]
		cmp	esi, eax
		jnz	short loc_5BA19C
		mov	esi, [esp+0A8h+var_7C]
		mov	ebx, [esp+0A8h+var_80]
		mov	edi, [esp+0A8h+var_70]
		mov	ecx, [esp+0A8h+var_78]
		mov	edx, [esp+0A8h+var_94]

loc_5BA1D0:				; CODE XREF: KeWaitForMultipleObjects+128C02j
		mov	eax, [ebp+arg_0]
		jmp	loc_4918D2
; 

loc_5BA1D8:				; CODE XREF: KeWaitForMultipleObjects+37Aj
		mov	ebx, [esp+0A8h+var_90]
		lea	eax, [esp+0A8h+var_C]
		mov	[esp+0A8h+var_94], eax
		mov	esi, ebx

loc_5BA1E9:				; CODE XREF: KeWaitForMultipleObjects+128CE3j
		bsf	ecx, ecx
		mov	[esp+0A8h+var_54], 0
		mov	[esp+0A8h+var_54], ecx
		jnz	short loc_5BA20A
		bsf	ecx, edx
		mov	[esp+0A8h+var_54], ecx
		jz	short loc_5BA20A
		add	ecx, 20h
		mov	[esp+0A8h+var_54], ecx

loc_5BA20A:				; CODE XREF: KeWaitForMultipleObjects+128C68j
					; KeWaitForMultipleObjects+128C71j
		mov	eax, 1
		xor	edx, edx
		call	__allshl
		mov	ecx, edx
		mov	[esp+0A8h+var_78], eax
		mov	[esp+0A8h+var_60], ecx
		not	eax
		and	[esp+0A8h+var_88], eax
		not	ecx
		and	[esp+0A8h+var_84], ecx
		xor	edx, edx
		mov	eax, [esp+0A8h+var_48]
		mov	ecx, [esp+0A8h+var_54]
		push	0
		mov	ecx, [eax+ecx*4]
		call	KeAbPreAcquire
		mov	edi, eax
		test	edi, edi
		jz	short loc_5BA279
		or	ebx, [esp+0A8h+var_78]
		mov	ecx, edi
		or	esi, [esp+0A8h+var_60]
		call	_KeAbPreWait@4	; KeAbPreWait(x)
		mov	ecx, edi
		call	_KeAbEncodeLockHandle@4	; KeAbEncodeLockHandle(x)
		mov	edx, [esp+0A8h+var_94]
		mov	ecx, [esp+0A8h+var_88]
		mov	[edx], al
		inc	edx
		mov	[esp+0A8h+var_94], edx
		mov	eax, ecx
		mov	edx, [esp+0A8h+var_84]
		or	eax, edx
		jnz	loc_5BA1E9

loc_5BA279:				; CODE XREF: KeWaitForMultipleObjects+128CB4j
		mov	edi, [esp+0A8h+var_70]
		mov	[esp+0A8h+var_9C], esi
		mov	esi, [esp+0A8h+var_7C]
		mov	[esp+0A8h+var_90], ebx
		mov	ebx, [esp+0A8h+var_80]
		jmp	loc_491910
; 

loc_5BA292:				; CODE XREF: KeWaitForMultipleObjects+3A9j
		mov	eax, ebx
		mov	[esp+0A8h+var_88], 0
		or	eax, edi
		mov	[esp+0A8h+var_84], edi
		mov	edx, ebx
		mov	[esp+0A8h+var_60], edx
		jz	loc_5BA37E

loc_5BA2AE:				; CODE XREF: KeWaitForMultipleObjects+128D7Ej
		bsf	ecx, edx
		mov	[esp+0A8h+var_50], 0
		mov	[esp+0A8h+var_50], ecx
		jnz	short loc_5BA2D3
		mov	eax, [esp+0A8h+var_84]
		bsf	ecx, eax
		mov	[esp+0A8h+var_50], ecx
		jz	short loc_5BA2D3
		add	ecx, 20h
		mov	[esp+0A8h+var_50], ecx

loc_5BA2D3:				; CODE XREF: KeWaitForMultipleObjects+128D2Dj
					; KeWaitForMultipleObjects+128D3Aj
		mov	eax, 1
		xor	edx, edx
		call	__allshl
		mov	ecx, [esp+0A8h+var_50]
		not	eax
		and	[esp+0A8h+var_60], eax
		not	edx
		mov	eax, [esp+0A8h+var_48]
		and	[esp+0A8h+var_84], edx
		mov	eax, [eax+ecx*4]
		mov	[esp+0A8h+var_78], eax
		cmp	[esp+0A8h+var_44], eax
		jz	short loc_5BA312
		mov	edx, [esp+0A8h+var_60]
		mov	eax, edx
		inc	[esp+0A8h+var_88]
		or	eax, [esp+0A8h+var_84]
		jnz	short loc_5BA2AE
		jmp	short loc_5BA37A
; 

loc_5BA312:				; CODE XREF: KeWaitForMultipleObjects+128D6Ej
		mov	eax, 1
		xor	edx, edx
		call	__allshl
		not	eax
		lea	ecx, [esp+0A8h+var_C]
		and	ebx, eax
		not	edx
		mov	eax, [esp+0A8h+var_88]
		and	edi, edx
		mov	edx, large fs:124h
		add	eax, ecx
		mov	ecx, [esp+0A8h+var_78]
		mov	[esp+0A8h+var_94], eax
		mov	[esp+0A8h+var_9C], edi
		movzx	eax, byte ptr [eax]
		shr	eax, 1
		push	0
		lea	edi, [eax+eax*2]
		shl	edi, 4
		add	edi, [edx+1E8h]
		mov	edx, edi
		call	KeAbPreAcquire
		or	byte ptr [edi+0Eh], 1
		cmp	[esp+0A8h+var_88], 6
		jnb	loc_5BA497
		mov	eax, [esp+0A8h+var_94]
		mov	edi, [esp+0A8h+var_9C]
		mov	byte ptr [eax],	0

loc_5BA37A:				; CODE XREF: KeWaitForMultipleObjects+128D80j
		mov	ecx, [esp+0A8h+var_8C]

loc_5BA37E:				; CODE XREF: KeWaitForMultipleObjects+128D18j
		mov	dword ptr [esi+248h], 0
		jmp	loc_49193F
; 

loc_5BA38D:				; CODE XREF: KeWaitForMultipleObjects+3B3j
		lea	esi, [esp+0A8h+var_C]

loc_5BA394:				; CODE XREF: KeWaitForMultipleObjects+128E8Fj
		bsf	ecx, ebx
		mov	[esp+0A8h+var_4C], 0
		mov	[esp+0A8h+var_4C], ecx
		jnz	short loc_5BA3B5
		bsf	ecx, edi
		mov	[esp+0A8h+var_4C], ecx
		jz	short loc_5BA3B5
		add	ecx, 20h
		mov	[esp+0A8h+var_4C], ecx

loc_5BA3B5:				; CODE XREF: KeWaitForMultipleObjects+128E13j
					; KeWaitForMultipleObjects+128E1Cj
		mov	eax, 1
		xor	edx, edx
		call	__allshl
		not	eax
		not	edx
		and	ebx, eax
		and	edi, edx
		mov	al, [esi]
		mov	[esp+0A8h+var_90], ebx
		mov	[esp+0A8h+var_9C], edi
		test	al, al
		jnz	short loc_5BA3DB
		mov	al, [esi+1]
		inc	esi

loc_5BA3DB:				; CODE XREF: KeWaitForMultipleObjects+128E45j
		mov	ecx, large fs:124h
		movzx	eax, al
		shr	eax, 1
		push	0
		lea	ebx, [eax+eax*2]
		mov	eax, [esp+0ACh+var_4C]
		shl	ebx, 4
		add	ebx, [ecx+1E8h]
		mov	ecx, [esp+0ACh+var_48]
		mov	edx, ebx
		lea	edi, [ecx+eax*4]
		mov	ecx, [edi]
		call	KeAbPreAcquire
		mov	ecx, [edi]
		mov	edx, ebx
		call	KeAbPostReleaseEx
		mov	ebx, [esp+0A8h+var_90]
		inc	esi
		mov	edi, [esp+0A8h+var_9C]
		mov	eax, ebx
		or	eax, edi
		jnz	loc_5BA394
		mov	esi, [esp+0A8h+var_7C]
		mov	ecx, [esp+0A8h+var_8C]
		jmp	loc_491949
; 

loc_5BA432:				; CODE XREF: KeWaitForMultipleObjects+51Fj
		mov	byte ptr [esi+56h], 0
		mov	esi, 101h
		jmp	loc_491C5F
; 

loc_5BA440:				; CODE XREF: KeWaitForMultipleObjects+507j
		mov	byte ptr [eax+esi+56h],	0
		mov	esi, 101h
		jmp	loc_491C5F
; 

loc_5BA44F:				; CODE XREF: KeWaitForMultipleObjects+635j
					; KeWaitForMultipleObjects+128ECFj
		lea	ecx, [esp+0A8h+var_28]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5BA44F
		jmp	loc_491BC0
; 

loc_5BA466:				; CODE XREF: KeWaitForMultipleObjects+611j
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	ecx, esi
		call	_KiAcquireThreadLock@4 ; KiAcquireThreadLock(x)
		mov	ecx, [esp+0A8h+var_9C]
		mov	edx, esi
		push	ecx
		push	[esp+0ACh+var_64]
		mov	ecx, [esp+0B0h+var_8C]
		push	[esp+0B0h+var_6C]
		call	_KiSatisfyThreadWait@20	; KiSatisfyThreadWait(x,x,x,x,x)
		push	0C0000191h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5BA497:				; CODE XREF: KeWaitForMultipleObjects+128DD9j
		call	___report_rangecheckfailure

loc_5BA49C:				; CODE XREF: KeWaitForMultipleObjects+4AAj
		push	1
		xor	edx, edx
		mov	dword ptr [esi+248h], 0
		call	KeAbPreAcquire
		test	eax, eax
		jz	loc_491A40
		or	byte ptr [eax+0Eh], 1
		jmp	loc_491A40
; 

loc_5BA4C0:				; CODE XREF: KeWaitForMultipleObjects+7A8j
		test	al, 8
		jz	short loc_5BA4CC
		add	esi, 5Ch
		lock bts dword ptr [esi], 0Ch

loc_5BA4CC:				; CODE XREF: KeWaitForMultipleObjects+128F32j
		mov	edi, [esp+0A8h+var_8C]
		mov	[esp+0A8h+var_40], 0
		mov	[esp+0A8h+var_1C], 0
		lea	esi, [edi+2224h]

loc_5BA4E9:				; CODE XREF: KeWaitForMultipleObjects+128F9Cj
		lock bts dword ptr [esi], 0
		jb	short loc_5BA51A
		cmp	dword ptr [edi+8], 0
		jnz	short loc_5BA501
		lea	edx, [esp+0A8h+var_40]
		mov	ecx, edi
		call	KiSelectNextThread

loc_5BA501:				; CODE XREF: KeWaitForMultipleObjects+128F64j
		xor	eax, eax
		lock and [esi],	eax
		push	[esp+0A8h+var_78]
		lea	edx, [esp+0ACh+var_40]
		mov	ecx, edi
		call	@KiProcessDeferredReadyList@12 ; KiProcessDeferredReadyList(x,x,x)
		jmp	loc_491B30
; 

loc_5BA51A:				; CODE XREF: KeWaitForMultipleObjects+128F5Ej
					; KeWaitForMultipleObjects+128F9Aj
		lea	ecx, [esp+0A8h+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5BA51A
		jmp	short loc_5BA4E9
; 

loc_5BA52E:				; CODE XREF: KeWaitForMultipleObjects+592j
		mov	ecx, [esp+0A8h+var_8C]
		call	KiCheckForThreadDispatch
		jmp	loc_491B30
; END OF FUNCTION CHUNK	FOR KeWaitForMultipleObjects
; 
; START	OF FUNCTION CHUNK FOR ObpIncrPointerCountEx

loc_5BA53C:				; CODE XREF: ObpIncrPointerCountEx+8j
		add	eax, edx
		push	eax
		push	10h
		lea	eax, [ecx+18h]
		push	eax
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BA54F:				; CODE XREF: ExFastReplenishHandleTableEntry+35j
		add	eax, 0FFFFFFE1h
		mov	[ebp-4], eax
		mov	eax, 1Fh
		jmp	loc_491E2B
; END OF FUNCTION CHUNK	FOR ObpIncrPointerCountEx
; 
; START	OF FUNCTION CHUNK FOR ExFastReplenishHandleTableEntry

loc_5BA55F:				; CODE XREF: ExFastReplenishHandleTableEntry+81j
					; ExFastReplenishHandleTableEntry+8Cj
		mov	eax, [ebp+var_8]
		mov	[esi+4], eax
		mov	eax, [ebp+var_C]
		mov	[esi], eax
		mov	eax, [ebp+arg_0]
		jmp	loc_491E5C
; END OF FUNCTION CHUNK	FOR ExFastReplenishHandleTableEntry
; 
; START	OF FUNCTION CHUNK FOR PfLogEvent

loc_5BA572:				; CODE XREF: PfLogEvent+A3j
		push	0
		call	_PfFbLogEntryComplete@12 ; PfFbLogEntryComplete(x,x,x)
		jmp	loc_492007
; END OF FUNCTION CHUNK	FOR PfLogEvent
; 
; START	OF FUNCTION CHUNK FOR PfFbLogEntryReserve

loc_5BA57E:				; CODE XREF: PfFbLogEntryReserve+63j
		lea	ecx, [esi+10h]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edx, eax
		lea	eax, [esi+8]
		test	edx, edx
		jz	loc_492076
		jmp	loc_492052
; 

loc_5BA598:				; CODE XREF: PfFbLogEntryReserve+7Cj
		lea	ecx, [esi+8]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	edi, 0C0000023h
		jmp	loc_492091
; END OF FUNCTION CHUNK	FOR PfFbLogEntryReserve
; 
; START	OF FUNCTION CHUNK FOR CcWriteBehind

loc_5BA5AA:				; CODE XREF: CcWriteBehind+120j
		mov	eax, [esp+68h+var_58]
		lea	edi, [esp+68h+var_50]
		and	[esp+68h+var_4C], 0
		and	[esp+68h+var_50], 0
		mov	[esp+68h+var_48], eax
		mov	eax, [esp+68h+var_54]
		mov	[esp+68h+var_4], esi
		mov	[esp+68h+var_8], 2
		mov	[esp+68h+var_44], eax
		mov	[esp+68h+var_30], 0
		jmp	loc_492228
; END OF FUNCTION CHUNK	FOR CcWriteBehind
; 
; START	OF FUNCTION CHUNK FOR PfLockSharedTryAcquire

loc_5BA5DB:				; CODE XREF: PfLockSharedTryAcquire+72j
		lea	ecx, [esi+222h]
		cmp	byte ptr [ecx],	0
		jz	short loc_5BA5F7
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al
		jmp	loc_492386
; 

loc_5BA5F7:				; CODE XREF: PfLockSharedTryAcquire+1282D6j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	[ebp+var_4], edi
		jz	loc_492437
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [ebp+var_8]
		mov	eax, edi
		jmp	loc_4923A4
; 

loc_5BA61B:				; CODE XREF: PfLockSharedTryAcquire+BBj
					; PfLockSharedTryAcquire+CDj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	eax, [ebp+var_4]
		jmp	loc_4923E4
; END OF FUNCTION CHUNK	FOR PfLockSharedTryAcquire
; 
; START	OF FUNCTION CHUNK FOR ExQueueWorkItemToPartition

loc_5BA630:				; CODE XREF: ExQueueWorkItemToPartition+2Dj
		push	[ebp+arg_0]
		push	esi
		push	edi
		push	5
		push	0E4h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BA642:				; CODE XREF: CcCachemapUninitWorkerThread+116j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_48]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4925EA
; END OF FUNCTION CHUNK	FOR ExQueueWorkItemToPartition
; 
; START	OF FUNCTION CHUNK FOR CcCachemapUninitWorkerThread

loc_5BA652:				; CODE XREF: CcCachemapUninitWorkerThread+65j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_48]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_492539
; END OF FUNCTION CHUNK	FOR CcCachemapUninitWorkerThread

;  S U B	R O U T	I N E 


sub_5BA662	proc near		; DATA XREF: .text:006A1AACo
		mov	eax, [ebp-14h]
		mov	[ebp-50h], eax
		mov	eax, [ebp-50h]
		mov	eax, [eax]
		push	dword ptr [eax+0Ch]
		mov	eax, [ebp-50h]
		push	dword ptr [eax+4]
		mov	eax, [ebp-50h]
		push	dword ptr [eax]
		push	5139Ch
		jmp	short loc_5BA68E
sub_5BA662	endp

; 
; START	OF FUNCTION CHUNK FOR CcCachemapUninitWorkerThread

loc_5BA682:				; CODE XREF: CcCachemapUninitWorkerThread+26j
		push	esi
		push	esi
		push	0C0000420h
		push	1A08h

loc_5BA68E:				; CODE XREF: sub_5BA662+1Ej
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; END OF FUNCTION CHUNK	FOR CcCachemapUninitWorkerThread

;  S U B	R O U T	I N E 


sub_5BA695	proc near		; DATA XREF: .text:006A1AB0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		mov	edi, [ebp-60h]
		jmp	loc_492577
sub_5BA695	endp

; 
; START	OF FUNCTION CHUNK FOR CcWorkerThread

loc_5BA6A9:				; CODE XREF: CcWorkerThread+595j
		push	0
		push	0
		push	0C0000420h
		push	174Fh
		jmp	short loc_5BA6D7
; END OF FUNCTION CHUNK	FOR CcWorkerThread

;  S U B	R O U T	I N E 


sub_5BA6B9	proc near		; DATA XREF: .text:006A1ACCo
		mov	eax, [ebp-14h]
		mov	[ebp-64h], eax
		mov	eax, [ebp-64h]
		mov	eax, [eax]
		push	dword ptr [eax+0Ch]
		mov	eax, [ebp-64h]
		push	dword ptr [eax+4]
		mov	eax, [ebp-64h]
		push	dword ptr [eax]
		push	5139Ch
sub_5BA6B9	endp

; START	OF FUNCTION CHUNK FOR CcWorkerThread

loc_5BA6D7:				; CODE XREF: CcWorkerThread+128003j
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BA6DE:				; CODE XREF: CcWorkerThread+8Bj
		mov	byte ptr [esi+0DCh], 0
		mov	[ebp+var_3E], 0
		push	dword ptr [esi+0E8h]
		mov	edx, [esi+0E4h]
		mov	ecx, esi
		call	_CcReEngageWorkerThreads@12 ; CcReEngageWorkerThreads(x,x,x)
		jmp	loc_492745
; 

loc_5BA701:				; CODE XREF: CcWorkerThread+98j
		cmp	byte ptr [edi+48h], 2
		jnz	short loc_5BA710
		mov	eax, [edi+8]
		mov	[eax+160h], edi

loc_5BA710:				; CODE XREF: CcWorkerThread+128051j
		mov	ecx, [ebp+var_48]
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_492CD5
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[ecx+4], edi
		and	[ebp+var_70], 0
		jmp	loc_492752
; 

loc_5BA731:				; CODE XREF: CcWorkerThread+4F4j
		mov	byte ptr [esi+201h], 0
		jmp	loc_49293F
; 

loc_5BA73D:				; CODE XREF: CcWorkerThread+56Aj
		mov	ecx, esi
		call	_CcOkToAddWriteBehindThread@4 ;	CcOkToAddWriteBehindThread(x)
		mov	ecx, [ebp+var_54]
		mov	[esi+1F8h], ecx
		mov	ecx, [ebp+var_50]
		mov	[esi+1FCh], ecx
		cmp	dword ptr [esi+0C4h], 0
		jbe	short loc_5BA76B
		cmp	eax, 3
		jnz	short loc_5BA76B
		mov	byte ptr [esi+201h], 1

loc_5BA76B:				; CODE XREF: CcWorkerThread+1280A9j
					; CcWorkerThread+1280AEj
		cmp	eax, 2
		jnz	loc_4927FB
		lea	eax, [esi+0BCh]
		mov	ecx, [eax]
		mov	[ebp+var_44], ecx
		mov	edx, [ecx]
		cmp	[ecx+4], eax
		jnz	loc_492CD5
		cmp	[edx+4], ecx
		jnz	loc_492CD5
		mov	[eax], edx
		mov	[edx+4], eax
		inc	dword ptr [esi+0C4h]
		xor	edx, edx
		inc	edx
		mov	eax, edx
		lock xadd [esi+28Ch], eax
		inc	eax
		cmp	eax, edx
		jg	short loc_5BA7B8
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		mov	ecx, [ebp+var_44]

loc_5BA7B8:				; CODE XREF: CcWorkerThread+1280FAj
		and	dword ptr [ecx], 0
		push	dword ptr [esi+4]
		push	0FFFFFFFFh
		xor	edx, edx
		call	ExQueueWorkItemToPartition
		mov	[ebp+var_3D], 1
		jmp	loc_4927FB
; 

loc_5BA7D0:				; CODE XREF: CcWorkerThread+3F8j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_492AB2
; 

loc_5BA7DA:				; CODE XREF: CcWorkerThread+199j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_60]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_492875
; 

loc_5BA7EA:				; CODE XREF: CcWorkerThread+48Bj
		push	2
		pop	edx
		mov	ecx, esi
		call	_CcLogExtraWBThreadAction@8 ; CcLogExtraWBThreadAction(x,x)
		jmp	loc_492B45
; 

loc_5BA7F9:				; CODE XREF: CcWorkerThread+436j
		sub	eax, 1
		jnz	loc_4928F1
		push	eax
		push	eax
		push	dword ptr [edi+8]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	edx, edx
		inc	edx
		mov	[ebp+var_3E], dl
		jmp	loc_4928F4
; END OF FUNCTION CHUNK	FOR CcWorkerThread

;  S U B	R O U T	I N E 


sub_5BA817	proc near		; DATA XREF: .text:006A1AD0o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-8Ch]
		cmp	byte ptr [edi+48h], 2
		jnz	short loc_5BA833
		mov	eax, large fs:124h
		and	dword ptr [eax+300h], 0FFFFFFFDh

loc_5BA833:				; CODE XREF: sub_5BA817+Dj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp-68h]
		mov	[ebp-48h], ecx
		mov	eax, [ebp-90h]
		mov	[ebp-6Ch], eax
		mov	esi, [ebp-94h]
		mov	eax, [ebp-98h]
		mov	[ebp-4Ch], eax
		mov	eax, [ebp-9Ch]
		mov	[ebp-7Ch], eax
		jmp	loc_4928FE
sub_5BA817	endp

; 
; START	OF FUNCTION CHUNK FOR CcWorkerThread

loc_5BA869:				; CODE XREF: CcWorkerThread+269j
		test	ds:dword_70EFD0, 20000h
		jz	loc_492721
		push	0
		push	edx
		mov	edx, edi
		call	CcPerfLogWorkItemEnqueue
		jmp	loc_492721
; 

loc_5BA888:				; CODE XREF: CcWorkerThread+2CCj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_60]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4929A8
; 

loc_5BA898:				; CODE XREF: CcWorkerThread+4E8j
		push	3
		pop	edx
		mov	ecx, esi
		call	_CcLogExtraWBThreadAction@8 ; CcLogExtraWBThreadAction(x,x)
		jmp	loc_4929C1
; END OF FUNCTION CHUNK	FOR CcWorkerThread
; 
; START	OF FUNCTION CHUNK FOR CcShouldWorkOnThisQueue

loc_5BA8A7:				; CODE XREF: CcShouldWorkOnThisQueue+33j
		mov	eax, [ecx+0F0h]
		inc	eax
		cmp	eax, [ecx+84h]
		jb	loc_492CFE
		cmp	dword ptr [ecx+0C4h], 0
		jnz	loc_492CFE
		jmp	loc_492D20
; END OF FUNCTION CHUNK	FOR CcShouldWorkOnThisQueue
; 
; START	OF FUNCTION CHUNK FOR CcWriteBehindInternal

loc_5BA8CC:				; CODE XREF: CcWriteBehindInternal+9Bj
		mov	edx, [ebp+4]
		lea	ecx, [esp+68h+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_492DEB
; 

loc_5BA8DD:				; CODE XREF: CcWriteBehindInternal+FEj
		mov	edx, [ebp+4]
		lea	ecx, [esp+68h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_492E4E
; 

loc_5BA8EE:				; CODE XREF: CcWriteBehindInternal+1A3j
		mov	edx, [ebp+4]
		lea	ecx, [esp+70h+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_492EF3
; 

loc_5BA8FF:				; CODE XREF: CcWriteBehindInternal+3BCj
		lea	ecx, [esi+44h]
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_5BA916
		mov	ecx, esi
		call	_CcSlowReferenceSharedCacheMapFileObject@4 ; CcSlowReferenceSharedCacheMapFileObject(x)
		mov	edi, eax

loc_5BA916:				; CODE XREF: CcWriteBehindInternal+127BE7j
		mov	eax, [esp+84h+var_70]
		mov	ecx, edi
		mov	edx, [eax]
		call	_CcMmLogLostDelayedWriteError@8	; CcMmLogLostDelayedWriteError(x,x)
		mov	ecx, [esi+44h]
		mov	edx, ecx
		xor	edx, edi
		cmp	edx, 7
		jnb	short loc_5BA951

loc_5BA92F:				; CODE XREF: CcWriteBehindInternal+127C2Bj
		mov	esi, [esp+84h+var_64]
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	esi, [esp+84h+var_60]
		cmp	eax, ecx
		jz	loc_492F90
		mov	ecx, eax
		xor	eax, edi
		cmp	eax, 7
		jb	short loc_5BA92F

loc_5BA951:				; CODE XREF: CcWriteBehindInternal+127C09j
		push	746C6644h
		push	edi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_492F90
; 

loc_5BA961:				; CODE XREF: CcWriteBehindInternal+45Bj
		mov	ecx, eax
		xor	eax, ebx
		cmp	eax, 7
		jb	loc_49316C
		jmp	loc_4933FE
; 

loc_5BA973:				; CODE XREF: CcWriteBehindInternal+46Ej
		cmp	edi, 0C000009Ah
		jz	loc_492FBA
		cmp	edi, 80000016h
		jz	loc_492FBA
		cmp	edi, 0C0000054h
		jz	loc_492FBA
		mov	eax, [esi+28h]
		mov	[esp+84h+var_54], eax
		mov	eax, [esi+2Ch]
		mov	[esp+84h+var_50], eax
		jmp	loc_492FBA
; 

loc_5BA9AA:				; CODE XREF: CcWriteBehindInternal+2C5j
		cmp	edi, 0C000009Ah
		jz	short loc_5BA9C6
		cmp	edi, 80000016h
		jz	short loc_5BA9C6
		cmp	edi, 0C0000054h
		jnz	loc_492FEF

loc_5BA9C6:				; CODE XREF: CcWriteBehindInternal+127C8Cj
					; CcWriteBehindInternal+127C94j
		test	dword ptr [esi+60h], 10000h
		jz	short loc_5BA9D6
		mov	ecx, esi
		call	_CcCancelMmWaitForUninitializeCacheMap@4 ; CcCancelMmWaitForUninitializeCacheMap(x)

loc_5BA9D6:				; CODE XREF: CcWriteBehindInternal+127CA9j
		cmp	dword ptr [esi+4Ch], 0
		jnz	loc_493280
		mov	ecx, esi
		call	_CcInsertIntoDirtySharedCacheMapList@4 ; CcInsertIntoDirtySharedCacheMapList(x)
		xor	ebx, ebx
		inc	ebx
		mov	dl, bl
		jmp	loc_493287
; 

loc_5BA9F1:				; CODE XREF: CcWriteBehindInternal+2D4j
		mov	edx, [ebp+4]
		lea	ecx, [esp+84h+var_40]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_493024
; 

loc_5BAA02:				; CODE XREF: CcWriteBehindInternal+4B3j
		mov	edx, [ebp+4]
		lea	ecx, [esp+84h+var_40]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_493203
; 

loc_5BAA13:				; CODE XREF: CcWriteBehindInternal+4F4j
		mov	edx, [ebp+4]
		lea	ecx, [esp+84h+var_34]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_493244
; 

loc_5BAA24:				; CODE XREF: CcWriteBehindInternal+549j
		mov	ecx, eax
		jmp	loc_493257
; 

loc_5BAA2B:				; CODE XREF: CcWriteBehindInternal+56Dj
		cmp	[esp+84h+var_5C], 0
		jnz	loc_493297
		test	ds:byte_70EFC6,	bl
		jz	short loc_5BAA4C
		mov	edx, [ebp+4]
		lea	ecx, [esp+84h+var_40]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BAA7D
; 

loc_5BAA4C:				; CODE XREF: CcWriteBehindInternal+127D18j
		mov	eax, [esp+84h+var_40]
		test	eax, eax
		jnz	short loc_5BAA6F
		mov	edx, [esp+84h+var_3C]
		lea	eax, [esp+84h+var_40]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+84h+var_40]
		cmp	eax, ecx
		jz	short loc_5BAA7D
		call	KxWaitForLockChainValid

loc_5BAA6F:				; CODE XREF: CcWriteBehindInternal+127D2Ej
		mov	[esp+84h+var_40], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_5BAA7D:				; CODE XREF: CcWriteBehindInternal+127D26j
					; CcWriteBehindInternal+127D44j
		mov	cl, byte ptr [esp+84h+var_38]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [esp+84h+var_6C]
		mov	eax, [esp+84h+var_68]
		mov	edi, [esp+2Ch]
		jmp	loc_492D9C
; 

loc_5BAA98:				; CODE XREF: CcWriteBehindInternal+594j
		mov	edx, [ebp+4]
		lea	ecx, [esp+84h+var_40]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4932E4
; 

loc_5BAAA9:				; CODE XREF: CcWriteBehindInternal+154j
		push	esi
		xor	dl, dl
		mov	ecx, ebx
		call	CcApplyLowIoPriorityToThread
		lea	edx, [esp+70h+var_2C]
		lea	ecx, [ebx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		and	dword ptr [esi+60h], 0FFFFFFDFh
		test	dword ptr [esi+60h], 10000h
		jz	short loc_5BAAD3
		mov	ecx, esi
		call	_CcCancelMmWaitForUninitializeCacheMap@4 ; CcCancelMmWaitForUninitializeCacheMap(x)

loc_5BAAD3:				; CODE XREF: CcWriteBehindInternal+127DA6j
		push	ecx
		mov	ecx, esi
		call	CcDecrementOpenCount
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jz	short loc_5BAAF4
		mov	edx, [ebp+4]
		lea	ecx, [esp+70h+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BAB25
; 

loc_5BAAF4:				; CODE XREF: CcWriteBehindInternal+127DC0j
		mov	eax, [esp+70h+var_2C]
		test	eax, eax
		jnz	short loc_5BAB17
		mov	edx, [esp+70h+var_28]
		lea	eax, [esp+70h+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+70h+var_2C]
		cmp	eax, ecx
		jz	short loc_5BAB25
		call	KxWaitForLockChainValid

loc_5BAB17:				; CODE XREF: CcWriteBehindInternal+127DD6j
		mov	[esp+70h+var_2C], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_5BAB25:				; CODE XREF: CcWriteBehindInternal+127DCEj
					; CcWriteBehindInternal+127DECj
		mov	cl, byte ptr [esp+70h+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+70h+var_5C]
		mov	dword ptr [eax], 0C0000054h
		jmp	loc_4930B1
; 

loc_5BAB3E:				; CODE XREF: CcWriteBehindInternal+61j
		push	0
		push	0
		push	0C0000420h
		push	1A99h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BAB54:				; CODE XREF: CcApplyLowIoPriorityToThread+402j
					; CcApplyLowIoPriorityToThread+415j
		mov	eax, [ebp+var_C]
		push	0
		push	[ebp+var_8]
		push	eax
		push	esi
		push	162h
		jmp	short loc_5BAB73
; END OF FUNCTION CHUNK	FOR CcWriteBehindInternal
; 
; START	OF FUNCTION CHUNK FOR CcApplyLowIoPriorityToThread

loc_5BAB65:				; CODE XREF: CcApplyLowIoPriorityToThread+2Fj
		push	ecx
		push	ecx
		push	0C0000420h
		push	48Ah
		push	34h

loc_5BAB73:				; CODE XREF: CcWriteBehindInternal+127E3Fj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BAB78:				; CODE XREF: CcApplyLowIoPriorityToThread+36Cj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_30]
		jmp	loc_493852
; 

loc_5BAB8F:				; CODE XREF: CcApplyLowIoPriorityToThread+493j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_493969
; 

loc_5BAB9E:				; CODE XREF: CcApplyLowIoPriorityToThread+1F5j
		push	[ebp+var_30]

loc_5BABA1:				; CODE XREF: CcApplyLowIoPriorityToThread+4C0j
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_493869
; 

loc_5BABB0:				; CODE XREF: CcApplyLowIoPriorityToThread+189j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_20]
		jmp	loc_49366F
; 

loc_5BABC7:				; CODE XREF: CcApplyLowIoPriorityToThread+1CBj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4936A1
; END OF FUNCTION CHUNK	FOR CcApplyLowIoPriorityToThread
; 
; START	OF FUNCTION CHUNK FOR PsSetIoPriorityThread

loc_5BABD6:				; CODE XREF: PsSetIoPriorityThread+46j
		push	0
		push	edi
		push	esi
		mov	edx, 534h
		mov	ecx, ebx
		call	_EtwTracePriority@20 ; EtwTracePriority(x,x,x,x,x)
		jmp	loc_4939E2
; END OF FUNCTION CHUNK	FOR PsSetIoPriorityThread
; 
; START	OF FUNCTION CHUNK FOR KeAbProcessBaseIoPriorityChangeInternal

loc_5BABEB:				; CODE XREF: KeAbProcessBaseIoPriorityChangeInternal+66j
		lea	eax, [esi+1ECh]
		push	eax
		lea	edx, [ebx+45E4h]
		jmp	loc_493A78
; END OF FUNCTION CHUNK	FOR KeAbProcessBaseIoPriorityChangeInternal
; 
; START	OF FUNCTION CHUNK FOR CcFindNextWorkQueueEntry

loc_5BABFD:				; CODE XREF: CcFindNextWorkQueueEntry+16j
		mov	eax, [ecx+88h]
		cmp	eax, 1
		ja	short loc_5BAC15
		cmp	dword ptr [ecx+0C4h], 1
		jbe	loc_493B37

loc_5BAC15:				; CODE XREF: CcFindNextWorkQueueEntry+1270F8j
		cmp	[ecx+0DCh], bl
		jnz	short loc_5BAC2F
		mov	[ecx+0E4h], eax
		mov	eax, [ecx+0C4h]
		mov	[ecx+0E8h], eax

loc_5BAC2F:				; CODE XREF: CcFindNextWorkQueueEntry+12710Dj
		mov	byte ptr [ecx+0DCh], 1
		mov	edi, ebx
		jmp	loc_493B4F
; END OF FUNCTION CHUNK	FOR CcFindNextWorkQueueEntry
; 
; START	OF FUNCTION CHUNK FOR CcDeleteSharedCacheMap

loc_5BAC3D:				; CODE XREF: CcDeleteSharedCacheMap+26j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_493B96
; 

loc_5BAC47:				; CODE XREF: CcDeleteSharedCacheMap+88j
		mov	eax, [ebp+var_4]
		cmp	[eax+28Ah], cl
		jnz	loc_493C07
		push	ecx
		push	ecx
		push	0C0000420h
		push	0E53h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BAC69:				; CODE XREF: CcDeleteSharedCacheMap+A7j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_493C34
; 

loc_5BAC78:				; CODE XREF: CcDeleteSharedCacheMap+E0j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_493C6D
; 

loc_5BAC87:				; CODE XREF: CcDeleteSharedCacheMap+165j
		mov	ecx, eax
		jmp	loc_493CB3
; 

loc_5BAC8E:				; CODE XREF: CcDeleteSharedCacheMap+1D5j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_493D5E
; 

loc_5BAC9D:				; CODE XREF: CcDeleteSharedCacheMap+210j
		lea	eax, [edi+0E0h]
		cmp	ecx, eax
		jz	loc_493D80
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_493D80
; 

loc_5BACB8:				; CODE XREF: CcDeleteSharedCacheMap+21Bj
		lea	eax, [edi+0E0h]
		cmp	ecx, eax
		jz	loc_493D8B
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_493D8B
; END OF FUNCTION CHUNK	FOR CcDeleteSharedCacheMap
; 
; START	OF FUNCTION CHUNK FOR CcUninitializeVolumeCacheMap

loc_5BACD3:				; CODE XREF: CcUninitializeVolumeCacheMap+A1j
		call	ObfDereferenceObject
		and	dword ptr [esi+68h], 0
		jmp	loc_493ED0
; 

loc_5BACE1:				; CODE XREF: CcUninitializeVolumeCacheMap+39j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_493EF7
; END OF FUNCTION CHUNK	FOR CcUninitializeVolumeCacheMap
; 
; START	OF FUNCTION CHUNK FOR CcDecrementVolumeUseCount

loc_5BACF1:				; CODE XREF: CcDecrementVolumeUseCount+5j
		push	0
		push	0
		push	0C0000420h
		push	599h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BAD07:				; CODE XREF: CcUnmapFileOffsetFromSystemCache+13j
		push	eax
		push	eax
		push	0C0000420h
		push	1589h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BAD1B:				; CODE XREF: CcUnmapVacbArray+5Fj
		mov	dl, al
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	short loc_5BAD61
; END OF FUNCTION CHUNK	FOR CcDecrementVolumeUseCount
; 
; START	OF FUNCTION CHUNK FOR CcUnmapVacbArray

loc_5BAD24:				; CODE XREF: CcUnmapVacbArray+86j
		mov	ebx, offset dword_6CF3C0

loc_5BAD29:				; CODE XREF: CcUnmapVacbArray+126D3Dj
		test	edx, 40000000h
		jnz	short loc_5BAD43
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_5BAD51

loc_5BAD43:				; CODE XREF: CcUnmapVacbArray+126D0Fj
		lea	ecx, [esp+58h+var_28]
		call	KeYieldProcessorEx
		mov	eax, ds:dword_6CF3C0

loc_5BAD51:				; CODE XREF: CcUnmapVacbArray+126D21j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5BAD29
		xor	ebx, ebx

loc_5BAD61:				; CODE XREF: CcDecrementVolumeUseCount+126D4Ej
		mov	ecx, offset dword_6CF3C0
		jmp	loc_4940AC
; 

loc_5BAD6B:				; CODE XREF: CcUnmapVacbArray+93j
		mov	edx, [ebp+4]
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_4940BF
; 

loc_5BAD78:				; CODE XREF: CcUnmapVacbArray+B5j
		push	0
		push	0
		push	0C0000420h
		push	1314h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BAD8D:				; CODE XREF: CcUnmapVacbArray+C2j
		mov	al, 1
		jmp	loc_49431E
; 

loc_5BAD94:				; CODE XREF: CcUnmapVacbArray+461j
		mov	eax, [esi+74h]
		mov	[esp+58h+var_8], eax
		test	eax, eax
		jnz	short loc_5BADC0
		push	eax
		push	eax
		lea	edi, [esi+0E0h]
		push	edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esi+74h]
		xchg	edi, [eax]
		mov	edi, [esp+58h+var_48]
		mov	[esp+58h+var_4B], 0
		jmp	loc_49428D
; 

loc_5BADC0:				; CODE XREF: CcUnmapVacbArray+126D7Dj
		cmp	[esp+58h+var_4B], 0
		jz	short loc_5BADE7
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	[esp+58h+var_4], 0
		lea	eax, [esp+58h+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	[esp+58h+var_4B], cl
		jmp	loc_49428D
; 

loc_5BADE7:				; CODE XREF: CcUnmapVacbArray+126DA5j
		mov	ecx, [esp+58h+var_34]
		mov	edx, esi
		call	_CcReleaseBcbLockAndVacbLock@8 ; CcReleaseBcbLockAndVacbLock(x,x)
		push	0
		push	0
		push	0
		push	0
		push	[esp+68h+var_8]
		call	KeWaitForSingleObject
		cmp	[esp+58h+var_34], 0
		mov	[esp+58h+var_4B], 1
		jz	short loc_5BAE1A
		lea	ecx, [esi+0B4h]
		call	ExAcquireFastMutex

loc_5BAE1A:				; CODE XREF: CcUnmapVacbArray+126DEDj
		xor	edx, edx
		lea	ecx, [esi+48h]
		call	ExAcquirePushLockExclusiveEx
		jmp	loc_49428D
; 

loc_5BAE29:				; CODE XREF: CcUnmapVacbArray+366j
		or	eax, 2
		jmp	loc_49438F
; 

loc_5BAE31:				; CODE XREF: CcUnmapVacbArray+39Fj
		mov	byte ptr [esp+58h+var_10], 1
		jmp	loc_4943CA
; 

loc_5BAE3B:				; CODE XREF: CcUnmapVacbArray+3CFj
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_494414
; 

loc_5BAE4A:				; CODE XREF: CcUnmapVacbArray+2ADj
		push	0
		push	0
		push	0C0000420h
		push	0C31h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BAE60:				; CODE XREF: CcDereferenceVacbArray+11j
		push	4
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al
		jmp	loc_494561
; END OF FUNCTION CHUNK	FOR CcUnmapVacbArray
; 
; START	OF FUNCTION CHUNK FOR CcDereferenceVacbArray

loc_5BAE6F:				; CODE XREF: CcDereferenceVacbArray+32j
		mov	ecx, edi
		call	_CcRemoveVacbArray@4 ; CcRemoveVacbArray(x)
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+438h]
		jz	short loc_5BAE97
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BAEC2
; 

loc_5BAE97:				; CODE XREF: CcDereferenceVacbArray+12693Fj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5BAEB3
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5BAEC2
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5BAEB3:				; CODE XREF: CcDereferenceVacbArray+126951j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5BAEC2:				; CODE XREF: CcDereferenceVacbArray+12694Bj
					; CcDereferenceVacbArray+126960j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	_CcFreeVacbArray@4 ; CcFreeVacbArray(x)
		jmp	loc_494574
; 

loc_5BAED6:				; CODE XREF: CcDereferenceVacbArray+38j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+438h]
		jz	short loc_5BAEF7
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BAF22
; 

loc_5BAEF7:				; CODE XREF: CcDereferenceVacbArray+12699Fj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5BAF13
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5BAF22
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5BAF13:				; CODE XREF: CcDereferenceVacbArray+1269B1j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5BAF22:				; CODE XREF: CcDereferenceVacbArray+1269ABj
					; CcDereferenceVacbArray+1269C0j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_494574
; 

loc_5BAF2F:				; CODE XREF: CcDereferenceVacbArray+1Cj
		push	0
		push	0
		push	0C0000420h
		push	16Eh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BAF45:				; CODE XREF: CcAdjustVacbLevelLockCount+DDj
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	_VacbLevelReference@12 ; VacbLevelReference(x,x,x)
		push	0
		push	[esp+28h+arg_8]
		and	ebx, 0FE000000h
		inc	dword ptr [eax+4]
		push	ebx
		push	0FFFFFFFEh
		pop	edx
		call	CcSetVacbLargeOffset
		jmp	loc_4946B7
; END OF FUNCTION CHUNK	FOR CcDereferenceVacbArray
; 
; START	OF FUNCTION CHUNK FOR CcSetVacbLargeOffset

loc_5BAF6D:				; CODE XREF: CcSetVacbLargeOffset+1CBj
		mov	eax, [ebp+var_5C]
		jmp	loc_4948BE
; 

loc_5BAF75:				; CODE XREF: CcSetVacbLargeOffset+FFj
		mov	edx, [ebp+var_44]
		lea	eax, [ecx+2]
		neg	eax
		mov	[ebp+var_58], 1
		sbb	eax, eax
		and	eax, ecx
		jmp	loc_4947DE
; 

loc_5BAF8D:				; CODE XREF: CcSetVacbLargeOffset+130j
		inc	dword ptr [eax+4]
		jmp	loc_4947F8
; 

loc_5BAF95:				; CODE XREF: CcSetVacbLargeOffset+168j
		dec	dword ptr [eax+4]
		jmp	loc_494830
; 

loc_5BAF9D:				; CODE XREF: CcSetVacbLargeOffset+B1j
					; CcSetVacbLargeOffset+1F2j
		xor	al, al
		jmp	loc_494808
; END OF FUNCTION CHUNK	FOR CcSetVacbLargeOffset
; 
; START	OF FUNCTION CHUNK FOR CcUpdateSharedCacheMapFlag

loc_5BAFA4:				; CODE XREF: CcUpdateSharedCacheMapFlag+41j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_494A07
; END OF FUNCTION CHUNK	FOR CcUpdateSharedCacheMapFlag
; 
; START	OF FUNCTION CHUNK FOR ExAcquireSharedStarveExclusive

loc_5BAFB4:				; CODE XREF: ExAcquireSharedStarveExclusive+21j
		test	al, 40h
		jnz	loc_494A5F
		xor	edx, edx
		push	edx
		push	edx
		push	esi
		push	0Fh
		jmp	short loc_5BAFCA
; 

loc_5BAFC5:				; CODE XREF: ExAcquireSharedStarveExclusive+1265EDj
		push	edx
		push	edx
		push	edx
		push	7

loc_5BAFCA:				; CODE XREF: ExAcquireSharedStarveExclusive+12658Bj
					; ExAcquireSharedStarveExclusive+1265A8j ...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BAFD4:				; CODE XREF: ExAcquireSharedStarveExclusive+50j
		xor	edx, edx
		movzx	ecx, bh
		push	edx
		push	ecx
		movzx	eax, bl
		push	eax
		push	edx
		jmp	short loc_5BAFCA
; 

loc_5BAFE2:				; CODE XREF: ExAcquireSharedStarveExclusive+56j
		cmp	bl, 2
		jb	short loc_5BAFFD
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jz	short loc_5BAFFD
		xor	edx, edx
		push	edx
		push	edx
		push	edx
		push	5
		jmp	short loc_5BAFCA
; 

loc_5BAFFD:				; CODE XREF: ExAcquireSharedStarveExclusive+1265ADj
					; ExAcquireSharedStarveExclusive+1265BAj
		test	byte ptr [ecx+84h], 2
		jz	short loc_5BB00F
		xor	edx, edx
		push	edx
		push	edx
		push	edx
		push	6
		jmp	short loc_5BAFCA
; 

loc_5BB00F:				; CODE XREF: ExAcquireSharedStarveExclusive+1265CCj
		cmp	bl, 1
		jnb	short loc_5BB027
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_5BB027
		xor	edx, edx
		cmp	[ecx+13Ch], edx
		jz	short loc_5BAFC5

loc_5BB027:				; CODE XREF: ExAcquireSharedStarveExclusive+1265DAj
					; ExAcquireSharedStarveExclusive+1265E3j
		movzx	eax, word ptr [esi+0Eh]
		mov	dl, [ebp+arg_4]
		jmp	loc_494A64
; END OF FUNCTION CHUNK	FOR ExAcquireSharedStarveExclusive
; 
; START	OF FUNCTION CHUNK FOR CcPinFileData

loc_5BB033:				; CODE XREF: CcPinFileData+CBj
		mov	ecx, 1
		jmp	loc_494B73
; 

loc_5BB03D:				; CODE XREF: CcPinFileData+C3j
		mov	ecx, [edx]
		and	ecx, 3FFFFh
		mov	eax, 40000h
		sub	eax, ecx
		mov	[ebp-38h], eax
		mov	eax, [edx+4]
		push	eax
		mov	eax, [edx]
		push	eax
		mov	ecx, esi
		call	_CcReferenceFileOffset@12 ; CcReferenceFileOffset(x,x,x)
		jmp	loc_494B8D
; 

loc_5BB062:				; CODE XREF: CcPinFileData+104j
		xor	edi, edi
		jmp	loc_494C86
; 

loc_5BB069:				; CODE XREF: CcPinFileData+727j
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		xor	edx, edx
		jmp	loc_494C08
; 

loc_5BB079:				; CODE XREF: CcPinFileData+17Dj
		mov	dword ptr [ebp-48h], 0
		jmp	loc_494C2D
; 

loc_5BB085:				; CODE XREF: CcPinFileData+194j
					; CcPinFileData+1A5j
		mov	ecx, [edi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_494C4E
; 

loc_5BB095:				; CODE XREF: CcPinFileData+563j
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	dword ptr [ebp-34h], 0
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5BB0AD:				; CODE XREF: CcPinFileData+579j
		call	ExAcquireResourceExclusiveLite
		test	al, al
		jnz	loc_49502C
		push	0
		push	0
		push	edi
		push	201F7h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BB0CB:				; CODE XREF: CcPinFileData+586j
		push	0
		push	0
		push	edi
		push	201FEh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BB0DC:				; CODE XREF: CcPinFileData+787j
		xor	cl, cl
		mov	[ebp-21h], cl
		mov	edx, [ebp-28h]
		jmp	loc_494EBD
; 

loc_5BB0E9:				; CODE XREF: CcPinFileData+7A0j
		push	0
		push	0
		push	edi
		push	2025Eh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BB0FA:				; CODE XREF: CcPinFileData+7C9j
		xor	cl, cl
		mov	[ebp-21h], cl
		mov	edx, [ebp-28h]
		jmp	loc_494EBD
; 

loc_5BB107:				; CODE XREF: CcPinFileData+27Cj
		mov	cl, 1
		mov	[ebx+0Ch], cl
		jmp	loc_494D25
; 

loc_5BB111:				; CODE XREF: CcPinFileData+319j
		push	1
		lea	eax, [edi+38h]
		push	eax
		call	ExAcquireResourceExclusiveLite
		jmp	loc_494DF9
; 

loc_5BB121:				; CODE XREF: CcPinFileData+331j
		test	cl, 40h
		jnz	loc_494DD7
		push	0
		push	0
		push	edx
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BB13B:				; CODE XREF: CcPinFileData+8A6j
		push	0
		push	1
		movzx	eax, cl
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BB14F:				; CODE XREF: CcPinFileData+8ACj
		movzx	eax, byte ptr [edx+84h]
		test	al, 2
		jz	short loc_5BB16C
		push	0
		push	0
		push	0
		push	6
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BB16C:				; CODE XREF: CcPinFileData+1266B8j
		cmp	cl, 1
		jnb	short loc_5BB195
		test	dword ptr [edx+58h], 400h
		jnz	short loc_5BB195
		cmp	dword ptr [edx+13Ch], 0
		jnz	short loc_5BB195
		push	0
		push	0
		push	0
		push	7
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BB195:				; CODE XREF: CcPinFileData+1266CFj
					; CcPinFileData+1266D8j ...
		mov	ecx, [ebp-50h]
		movzx	edx, word ptr [ecx+0Eh]
		mov	edi, [ebp-2Ch]
		mov	eax, [ebp-68h]
		mov	[ebp-38h], eax
		jmp	loc_494DE9
; 

loc_5BB1AA:				; CODE XREF: CcPinFileData+34Ej
		call	_ExpFastResourceLegacyAcquireSharedStarveExclusive@8 ; ExpFastResourceLegacyAcquireSharedStarveExclusive(x,x)
		jmp	loc_494DF9
; 

loc_5BB1B4:				; CODE XREF: CcPinFileData+35Dj
		mov	edx, [ebp-28h]
		jmp	loc_494EB8
; 

loc_5BB1BC:				; CODE XREF: CcPinFileData+691j
		xor	edi, edi
		mov	[ebp-2Ch], edi
		xor	cl, cl
		mov	[ebp-21h], cl
		mov	edx, [ebp-28h]
		jmp	loc_494EBD
; 

loc_5BB1CE:				; CODE XREF: CcPinFileData+6BCj
		xor	cl, cl
		mov	[ebp-21h], cl
		mov	edx, [ebp-28h]
		jmp	loc_494EBD
; 

loc_5BB1DB:				; CODE XREF: CcPinFileData+492j
		call	ExAcquireResourceExclusiveLite
		jmp	loc_494F3D
; 

loc_5BB1E5:				; CODE XREF: CcPinFileData+74Aj
		xor	edi, edi
		mov	[ebp-2Ch], edi
		xor	cl, cl
		mov	[ebp-21h], cl
		mov	edx, [ebp-28h]
		jmp	loc_494EBD
; 

loc_5BB1F7:				; CODE XREF: CcPinFileData+424j
		test	al, 2
		jz	loc_494ECA
		test	edi, edi
		jz	loc_494ECA
		cmp	dword ptr [edi+74h], 0
		jz	loc_494ECA
		mov	ecx, [edi+30h]
		mov	esi, [ecx+4]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+8], eax
		dec	eax
		movzx	eax, ax
		test	ax, ax
		jnz	short loc_5BB243
		mov	eax, [esi+74h]
		test	eax, eax
		jz	short loc_5BB23C
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	edx, [ebp-28h]

loc_5BB23C:				; CODE XREF: CcPinFileData+12678Dj
		lock dec dword ptr [esi+180h]

loc_5BB243:				; CODE XREF: CcPinFileData+126786j
		mov	dword ptr [edi+74h], 0
		mov	dword ptr [edi+30h], 0
		mov	cl, [ebp-21h]
		jmp	loc_494ECA
; END OF FUNCTION CHUNK	FOR CcPinFileData

;  S U B	R O U T	I N E 


sub_5BB259	proc near		; DATA XREF: .text:006A1B30o
		mov	ebx, [ebp-1Ch]
		mov	esi, [ebp-5Ch]
		mov	edi, [ebp-2Ch]
		mov	cl, [ebp-21h]
		mov	edx, [ebp-28h]
		jmp	sub_4952C0
sub_5BB259	endp

; 
; START	OF FUNCTION CHUNK FOR sub_4952C0

loc_5BB26D:				; CODE XREF: sub_4952C0+4j
		lea	ecx, [esi+0B4h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	cl, [ebp-21h]
		mov	edx, [ebp-28h]
		jmp	loc_4952CA
; 

loc_5BB283:				; CODE XREF: sub_4952C0+65j
		push	0
		push	0
		push	dword ptr [ebp-5Ch]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	cl, [ebp-21h]
		mov	edx, [ebp-28h]
		mov	eax, [ebp-50h]
		jmp	loc_49532B
; 

loc_5BB29D:				; CODE XREF: sub_4952C0+15j
		mov	eax, [edx+4]
		push	eax
		mov	eax, [edx]
		push	eax
		mov	ecx, esi
		call	_CcDereferenceFileOffset@12 ; CcDereferenceFileOffset(x,x,x)
		mov	cl, [ebp-21h]
		jmp	loc_4952DB
; 

loc_5BB2B3:				; CODE XREF: sub_4952C0+1Dj
		mov	eax, [ebx+1Ch]
		mov	dword ptr [eax], 0
		test	edi, edi
		jz	locret_4952F9
		push	0
		mov	dl, [ebx+0Ch]
		mov	ecx, edi
		call	CcUnpinFileDataEx
		jmp	loc_4952F6
; END OF FUNCTION CHUNK	FOR sub_4952C0
; 
; START	OF FUNCTION CHUNK FOR CcPinFileData

loc_5BB2D5:				; CODE XREF: CcPinFileData+97j
					; CcPinFileData+A0j
		push	0
		push	0
		push	0C0000420h
		push	129h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BB2EB:				; CODE XREF: CcFindBcb+83j
					; CcPinFileData+1268A6j
		mov	edi, [ebx+4]
		mov	ecx, [ebx]
		mov	[ebp-0Ch], ecx
		mov	[ebp-8], edi
		cmp	edi, [eax+1Ch]
		jg	loc_4953C0
		jl	short loc_5BB30A
		cmp	ecx, [eax+18h]
		jnb	loc_4953C0

loc_5BB30A:				; CODE XREF: CcPinFileData+12685Fj
		mov	ecx, [eax+0Ch]
		mov	edi, [eax+8]
		mov	[ebp+8], ecx
		cmp	[ebp-8], ecx
		jg	loc_4953C5
		jl	short loc_5BB327
		cmp	[ebp-0Ch], edi
		jnb	loc_4953C5

loc_5BB327:				; CODE XREF: CcPinFileData+12687Cj
		mov	ecx, [edx+4]
		cmp	ecx, [ebp+8]
		jl	short loc_5BB33D
		jg	short loc_5BB335
		cmp	[edx], edi
		jb	short loc_5BB33D

loc_5BB335:				; CODE XREF: CcPinFileData+12688Fj
		mov	ecx, [ebp+8]
		mov	[edx], edi
		mov	[edx+4], ecx

loc_5BB33D:				; CODE XREF: CcPinFileData+12688Dj
					; CcPinFileData+126893j
		mov	eax, [eax+10h]
		sub	eax, 10h
		cmp	[eax], si
		jz	short loc_5BB2EB
		jmp	loc_4953C0
; END OF FUNCTION CHUNK	FOR CcPinFileData
; 
; START	OF FUNCTION CHUNK FOR ExpAcquireSharedStarveExclusive

loc_5BB34D:				; CODE XREF: ExpAcquireSharedStarveExclusive+42j
		mov	bl, 1
		jmp	loc_4954CA
; 

loc_5BB354:				; CODE XREF: ExpAcquireSharedStarveExclusive+6Ej
		mov	edx, edi
		lea	ecx, [ebp+var_14]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_495501
; 

loc_5BB363:				; CODE XREF: ExpAcquireSharedStarveExclusive+23Ej
		mov	edi, [esi+1Ch]
		add	edi, 8
		mov	[esi+1Ch], edi
		shr	edi, 3
		test	ds:byte_70EFC6,	1
		jz	short loc_5BB385
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BB3B6
; 

loc_5BB385:				; CODE XREF: ExpAcquireSharedStarveExclusive+125EF6j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5BB3A4
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5BB3B6
		call	KxWaitForLockChainValid

loc_5BB3A4:				; CODE XREF: ExpAcquireSharedStarveExclusive+125F0Aj
		mov	[ebp+var_14], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BB3B6:				; CODE XREF: ExpAcquireSharedStarveExclusive+125F03j
					; ExpAcquireSharedStarveExclusive+125F1Dj
		mov	cl, byte ptr [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4228h
		inc	large dword ptr	fs:41E4h
		test	bl, bl
		jz	loc_495626
		mov	eax, [esi+24h]
		mov	edx, esi
		push	eax
		push	edi
		mov	ecx, 10031h
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		jmp	loc_495626
; 

loc_5BB3EB:				; CODE XREF: ExpAcquireSharedStarveExclusive+15Fj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_495607
; 

loc_5BB3FB:				; CODE XREF: ExpAcquireSharedStarveExclusive+1A0j
		mov	eax, [esi+24h]
		mov	edx, esi
		push	eax
		push	[ebp+var_8]
		mov	ecx, 10051h
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		mov	al, 1
		jmp	loc_495578
; 

loc_5BB415:				; CODE XREF: ExpAcquireSharedStarveExclusive+1D3j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_49567B
; 

loc_5BB425:				; CODE XREF: ExpAcquireSharedStarveExclusive+209j
		xor	ecx, ecx
		jmp	loc_495696
; 

loc_5BB42C:				; CODE XREF: ExpAcquireSharedStarveExclusive+236j
		mov	eax, [esi+24h]
		mov	edx, esi
		push	eax
		push	1
		mov	ecx, 10041h
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		mov	al, 1
		jmp	loc_495578
; 

loc_5BB445:				; CODE XREF: ExpAcquireSharedStarveExclusive+274j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_49571C
; 

loc_5BB455:				; CODE XREF: ExpAcquireSharedStarveExclusive+296j
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid
		jmp	loc_49585B
; 

loc_5BB462:				; CODE XREF: ExpAcquireSharedStarveExclusive+330j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4957D8
; 

loc_5BB472:				; CODE XREF: ExpAcquireSharedStarveExclusive+352j
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid

loc_5BB47A:				; CODE XREF: ExpAcquireSharedStarveExclusive+33Bj
		mov	[ebp+var_14], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4957D8
; 

loc_5BB491:				; CODE XREF: ExpAcquireSharedStarveExclusive+36Aj
		push	0
		mov	edx, esi
		mov	ecx, 10044h
		call	@PerfLogExecutiveResourceWait@12 ; PerfLogExecutiveResourceWait(x,x,x)
		jmp	loc_4957F0
; 

loc_5BB4A4:				; CODE XREF: ExpAcquireSharedStarveExclusive+AFj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_495557
; 

loc_5BB4B4:				; CODE XREF: ExpAcquireSharedStarveExclusive+F0j
		mov	ecx, [esi+24h]
		mov	edx, esi
		push	ecx
		push	1
		mov	ecx, 10041h
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		jmp	loc_495576
; END OF FUNCTION CHUNK	FOR ExpAcquireSharedStarveExclusive
; 
; START	OF FUNCTION CHUNK FOR CcGetBcbListHeadLargeOffset

loc_5BB4CB:				; CODE XREF: CcGetBcbListHeadLargeOffset+14Bj
		cmp	edi, 7
		jnb	short loc_5BB4E5
		mov	eax, [ebp+edi*4-40h]
		inc	ecx
		mov	esi, [ebp+edi*4+var_24]
		dec	edi
		mov	[ebp+var_44], ecx
		mov	[ebp+var_4C], edi
		jmp	loc_4959A0
; 

loc_5BB4E5:				; CODE XREF: CcGetBcbListHeadLargeOffset+125C4Ej
		xor	eax, eax
		jmp	loc_49597D
; END OF FUNCTION CHUNK	FOR CcGetBcbListHeadLargeOffset
; 
; START	OF FUNCTION CHUNK FOR CcIsFatalWriteError

loc_5BB4EC:				; CODE XREF: CcIsFatalWriteError+63j
		mov	ecx, eax
		xor	eax, esi
		cmp	eax, 7
		jb	loc_495B76
		jmp	loc_495B9B
; 

loc_5BB4FE:				; CODE XREF: CcIsFatalWriteError+1Bj
		push	0
		push	0
		push	0C0000420h
		push	1529h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BB514:				; CODE XREF: CcScanLogHandleList+92j
		and	[ebp+var_4], 0
		inc	ds:_CcDbgForcedLogPercentFull
		mov	edi, [esi+24h]
		jmp	loc_495D12
; END OF FUNCTION CHUNK	FOR CcIsFatalWriteError
; 
; START	OF FUNCTION CHUNK FOR CcScanLogHandleList

loc_5BB526:				; CODE XREF: CcScanLogHandleList+11Cj
		mov	ecx, [ebx]
		cmp	[ecx+4], ebx
		jnz	short loc_5BB559
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	short loc_5BB559
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	ecx, [esi+68h]
		test	ecx, ecx
		jz	short loc_5BB549
		call	ObfDereferenceObject
		and	dword ptr [esi+68h], 0

loc_5BB549:				; CODE XREF: CcScanLogHandleList+125996j
		push	6D566343h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_495CCA
; 

loc_5BB559:				; CODE XREF: CcScanLogHandleList+125983j
					; CcScanLogHandleList+12598Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5BB55E:				; CODE XREF: MiTryLockProtoPoolPageAtDpc+91j
		mov	ebx, 0C0000055h
		jmp	loc_495E18
; END OF FUNCTION CHUNK	FOR CcScanLogHandleList
; 
; START	OF FUNCTION CHUNK FOR MiDeleteControlArea

loc_5BB568:				; CODE XREF: MiDeleteControlArea+86j
		and	eax, 0C0000001h
		lea	esi, [ebx+24h]
		or	eax, 1
		push	esi
		mov	[edi+20h], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, edi
		mov	bl, al
		call	MiDecrementSubsectionViewCount
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+var_4]
		mov	eax, 0FFFEh
		and	[edi+12h], ax
		mov	esi, [ebp+var_8]
		jmp	loc_495F15
; END OF FUNCTION CHUNK	FOR MiDeleteControlArea
; 
; START	OF FUNCTION CHUNK FOR MiDecrementControlAreaCount

loc_5BB5A7:				; CODE XREF: MiDecrementControlAreaCount+44j
		mov	ecx, [edi+350h]
		mov	eax, [edi+354h]
		or	ecx, eax
		jnz	loc_495F9A
		push	ecx
		push	ecx
		push	dword ptr [edi+510h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_495F9A
; END OF FUNCTION CHUNK	FOR MiDecrementControlAreaCount
; 
; START	OF FUNCTION CHUNK FOR MiDeleteSegmentPages

loc_5BB5CD:				; CODE XREF: MiDeleteSegmentPages+5Cj
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+20h+var_D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pause
		push	edi
		call	ExAcquireSpinLockExclusive
		jmp	loc_495FF5
; 

loc_5BB5E9:				; CODE XREF: MiDeleteSegmentPages+88j
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		sub	edx, esi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	loc_49602C
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax
		jmp	loc_49602C
; END OF FUNCTION CHUNK	FOR MiDeleteSegmentPages
; 
; START	OF FUNCTION CHUNK FOR MiTryLockLeafPage

loc_5BB60D:				; CODE XREF: MiTryLockLeafPage+9Fj
		mov	edx, [esp+28h+var_18]
		mov	eax, esi
		jmp	loc_496107
; END OF FUNCTION CHUNK	FOR MiTryLockLeafPage
; 
; START	OF FUNCTION CHUNK FOR MiSoftFaultMappedView

loc_5BB618:				; CODE XREF: MiSoftFaultMappedView+13Dj
		mov	eax, offset unk_6D3C40
		jmp	loc_4967E9
; 

loc_5BB622:				; CODE XREF: MiSoftFaultMappedView+39Bj
		mov	edx, [esp+0A8h+var_6C]
		mov	ecx, 1000h
		sub	ecx, esi
		and	ecx, 0FFFFFFF8h
		add	edi, ecx
		add	ebx, ecx
		test	edx, edx
		jz	loc_496855
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	edx, eax
		jz	loc_496855
		mov	ecx, [esp+0A8h+var_90]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	[esp+0A8h+var_6C], 0
		jmp	loc_496855
; 

loc_5BB669:				; CODE XREF: MiSoftFaultMappedView+1F6j
		mov	eax, esi
		and	eax, 400h
		or	eax, 0
		jnz	loc_49684F
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jz	loc_49684F
		push	ecx
		push	esi
		call	_MiInvalidPteConforms@12 ; MiInvalidPteConforms(x,x,x)
		test	eax, eax
		jz	loc_496870
		mov	eax, ds:dword_6D0700
		mov	edx, ds:dword_6D0704
		mov	ecx, [esp+0A8h+var_84]
		mov	[esp+0A8h+var_60], eax
		or	eax, edx
		mov	[esp+0A8h+var_7C], edx
		mov	edx, esi
		mov	[esp+0A8h+var_4C], esi
		mov	[esp+0A8h+var_94], ecx
		jz	short loc_5BB6DD
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_5BB6DB
		mov	esi, [esp+0A8h+var_60]
		mov	ecx, [esp+0A8h+var_7C]
		not	esi
		not	ecx
		and	esi, edx
		and	ecx, [esp+0A8h+var_94]
		jmp	short loc_5BB6DD
; 

loc_5BB6DB:				; CODE XREF: MiSoftFaultMappedView+125025j
		mov	esi, edx

loc_5BB6DD:				; CODE XREF: MiSoftFaultMappedView+12501Bj
					; MiSoftFaultMappedView+125039j
		shrd	esi, ecx, 0Ch
		and	esi, 3FFFFFFh
		jmp	loc_4968A9
; 

loc_5BB6EC:				; CODE XREF: MiSoftFaultMappedView+253j
		mov	esi, [esp+0A8h+var_94]

loc_5BB6F0:				; CODE XREF: MiSoftFaultMappedView+12505Dj
					; MiSoftFaultMappedView+125064j
		lea	ecx, [esp+0A8h+var_7C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5BB6F0
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5BB6F0
		mov	esi, [esp+0A8h+var_60]
		mov	edx, [esp+0A8h+var_94]
		jmp	loc_4968F9
; 

loc_5BB713:				; CODE XREF: MiSoftFaultMappedView+263j
					; MiSoftFaultMappedView+26Dj
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		jmp	loc_496870
; 

loc_5BB720:				; CODE XREF: MiSoftFaultMappedView+28Bj
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		jmp	loc_49684F
; 

loc_5BB72D:				; CODE XREF: MiSoftFaultMappedView+2A0j
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		jmp	loc_49684F
; 

loc_5BB73A:				; CODE XREF: MiSoftFaultMappedView+2AAj
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		jmp	loc_49684F
; 

loc_5BB747:				; CODE XREF: MiSoftFaultMappedView+2C3j
		mov	eax, [esp+0A8h+var_84]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	loc_49684F
; END OF FUNCTION CHUNK	FOR MiSoftFaultMappedView
; 
; START	OF FUNCTION CHUNK FOR MiLockProtoPoolPage

loc_5BB758:				; CODE XREF: MiLockProtoPoolPage+15Bj
					; MiLockProtoPoolPage+124A64j ...
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_5BB758
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_5BB758
		jmp	loc_496E7C
; 

loc_5BB772:				; CODE XREF: MiLockProtoPoolPage+EEj
					; MiLockProtoPoolPage+FEj ...
		mov	edx, 7FFFFFFFh
		lea	eax, [ebx+10h]
		lock and [eax],	edx
		cmp	cl, 21h
		jz	loc_496E3E
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_496E3E
; END OF FUNCTION CHUNK	FOR MiLockProtoPoolPage
; 
; START	OF FUNCTION CHUNK FOR PsSetPagePriorityThread

loc_5BB791:				; CODE XREF: PsSetPagePriorityThread+44j
		mov	ecx, [ebp+var_4]
		mov	edx, 533h
		push	0
		push	ebx
		push	esi
		call	_EtwTracePriority@20 ; EtwTracePriority(x,x,x,x,x)
		jmp	loc_49707A
; END OF FUNCTION CHUNK	FOR PsSetPagePriorityThread
; 
; START	OF FUNCTION CHUNK FOR CcDeleteMbcb

loc_5BB7A7:				; CODE XREF: CcDeleteMbcb+6Bj
		mov	edx, [ebp+4]
		lea	ecx, [esp+28h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4971E9
; 

loc_5BB7B8:				; CODE XREF: CcDeleteMbcb+44j
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_497276
; END OF FUNCTION CHUNK	FOR CcDeleteMbcb
; 
; START	OF FUNCTION CHUNK FOR ExDeleteResourceLite

loc_5BB7C4:				; CODE XREF: ExDeleteResourceLite+10j
		push	0
		push	0
		push	esi
		push	0Eh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BB7D5:				; CODE XREF: ExDeleteResourceLite+33j
		mov	dl, bl
		mov	ecx, edi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_497363
; 

loc_5BB7E3:				; CODE XREF: ExDeleteResourceLite+5Dj
					; ExDeleteResourceLite+124516j
		test	edx, 40000000h
		jnz	short loc_5BB7FD
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5BB80A

loc_5BB7FD:				; CODE XREF: ExDeleteResourceLite+1244E9j
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	eax, ds:_ExpResourceSpinLock

loc_5BB80A:				; CODE XREF: ExDeleteResourceLite+1244FBj
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5BB7E3
		jmp	loc_497363
; 

loc_5BB81D:				; CODE XREF: ExDeleteResourceLite+85j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_497395
; 

loc_5BB82C:				; CODE XREF: ExDeleteResourceLite+B1j
		and	ebx, 0FFFFFFFCh
		jmp	loc_4973BC
; 

loc_5BB834:				; CODE XREF: ExDeleteResourceLite+D6j
					; ExDeleteResourceLite+E3j
		mov	ecx, [esi+1Ch]
		test	cl, 2
		jnz	loc_4973EC
		mov	eax, large fs:124h
		cmp	ebx, eax
		jz	loc_4973EC
		mov	eax, large fs:124h
		push	1
		push	ebx
		push	eax
		push	esi
		push	16Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BB863:				; CODE XREF: ExDeleteResourceLite+EFj
		push	0
		push	0
		mov	dl, 1
		mov	ecx, ebx
		call	PsBoostThreadIoEx
		mov	ecx, [esi+1Ch]
		jmp	loc_4973F5
; 

loc_5BB878:				; CODE XREF: ExDeleteResourceLite+FFj
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_4973C0
; 

loc_5BB888:				; CODE XREF: ExDeleteResourceLite+122j
		mov	ecx, esi
		call	_ExpResourceEnforcesOwnershipTransfer@4	; ExpResourceEnforcesOwnershipTransfer(x)
		test	al, al
		jz	short loc_5BB8B7
		test	byte ptr [ebx],	2
		jnz	short loc_5BB8B7
		mov	eax, large fs:124h
		cmp	edx, eax
		jz	short loc_5BB8B7
		mov	eax, large fs:124h
		push	2
		push	edx
		push	eax
		push	esi
		push	16Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BB8B7:				; CODE XREF: ExDeleteResourceLite+124591j
					; ExDeleteResourceLite+124596j	...
		mov	eax, [ebx]
		test	al, 1
		jz	short loc_5BB8D0
		mov	ecx, [ebp+var_4]
		mov	dl, 1
		push	0
		push	0
		call	PsBoostThreadIoEx
		mov	eax, [ebx]
		mov	edx, [ebp+var_4]

loc_5BB8D0:				; CODE XREF: ExDeleteResourceLite+1245BBj
		test	al, 4
		jz	short loc_5BB8DD
		lock dec dword ptr [edx+330h]
		mov	eax, [ebx]

loc_5BB8DD:				; CODE XREF: ExDeleteResourceLite+1245D2j
		test	al, 2
		jz	loc_497428
		push	746C6644h
		push	edx
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_497428
; 

loc_5BB8F5:				; CODE XREF: ExDeleteResourceLite+6Bj
					; ExDeleteResourceLite+73j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5BB8FC:				; CODE XREF: MiDeleteSystemPageTable+9Ej
		mov	eax, [ecx+10h]
		xor	edx, edx
		and	eax, 3FFFFFFFh
		inc	edx
		cmp	eax, edx
		jnz	loc_49770E
		cmp	[ecx+14h], dx
		jnz	loc_49770E
		push	0
		mov	eax, ebx
		shl	eax, 9
		push	1000h
		push	eax
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, 1000h
		jnz	loc_49770E
		xor	eax, eax
		inc	eax
		jmp	loc_497612
; END OF FUNCTION CHUNK	FOR ExDeleteResourceLite
; 
; START	OF FUNCTION CHUNK FOR MiDeleteSystemPageTable

loc_5BB93E:				; CODE XREF: MiDeleteSystemPageTable+2A2j
		mov	edx, [ebp+4]
		lea	ecx, [esp+40h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_49783A
; 

loc_5BB94F:				; CODE XREF: MiDeleteSystemPageTable+2C8j
		lea	ecx, [esp+40h+var_C]
		call	KxWaitForLockChainValid

loc_5BB958:				; CODE XREF: MiDeleteSystemPageTable+2AEj
		xor	ecx, ecx
		mov	[esp+40h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_49783A
; 

loc_5BB96E:				; CODE XREF: MiDeleteSystemPageTable+277j
		mov	eax, ds:_ZeroPte
		mov	[ebx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ebx+4], eax
		jmp	loc_4976CC
; 

loc_5BB983:				; CODE XREF: MiDeleteSystemPageTable+226j
		mov	edx, [ebp+4]
		lea	ecx, [esp+40h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4977BE
; 

loc_5BB994:				; CODE XREF: MiDeleteSystemPageTable+24Cj
		lea	ecx, [esp+40h+var_C]
		call	KxWaitForLockChainValid

loc_5BB99D:				; CODE XREF: MiDeleteSystemPageTable+232j
		xor	ecx, ecx
		mov	[esp+40h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4977BE
; END OF FUNCTION CHUNK	FOR MiDeleteSystemPageTable
; 
; START	OF FUNCTION CHUNK FOR MiReplicatePteChange

loc_5BB9B3:				; CODE XREF: MiReplicatePteChange+462j
		mov	ecx, ds:_PsInitialSystemProcess
		mov	edx, ebx
		push	esi
		call	_MiReplicatePteChangeToProcess@12 ; MiReplicatePteChangeToProcess(x,x,x)
		mov	edx, [esp+58h+var_34]
		jmp	loc_49790C
; 

loc_5BB9CA:				; CODE XREF: MiReplicatePteChange+17Cj
		mov	ebx, 1Ch
		jmp	loc_4979D2
; 

loc_5BB9D4:				; CODE XREF: MiReplicatePteChange+16Aj
					; MiReplicatePteChange+173j
		mov	ebx, 0Ch
		jmp	loc_4979D2
; 

loc_5BB9DE:				; CODE XREF: MiReplicatePteChange+21Ej
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5BBA07
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	edi, 1
		mov	eax, [esp+58h+var_44]
		jnz	loc_497A78
		or	eax, 80000000h
		jmp	loc_497A78
; 

loc_5BBA07:				; CODE XREF: MiReplicatePteChange+124195j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, [esp+58h+var_44]
		jz	loc_497A78
		or	eax, 80000000h
		jmp	loc_497A78
; 

loc_5BBA31:				; CODE XREF: MiReplicatePteChange+233j
		push	eax
		push	ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	edx, [esp+58h+var_38]
		mov	ecx, [esp+58h+var_4C]
		jmp	loc_497A89
; 

loc_5BBA45:				; CODE XREF: MiReplicatePteChange+28Ej
		push	edi
		push	edx
		push	1
		mov	edx, ebx
		call	MiTransformValidPteInPlace
		jmp	loc_497B07
; 

loc_5BBA55:				; CODE XREF: MiReplicatePteChange+2A3j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5BBA7B
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	eax, 1
		jnz	loc_497AF9
		or	edi, 80000000h
		jmp	loc_497AF9
; 

loc_5BBA7B:				; CODE XREF: MiReplicatePteChange+12420Cj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, [esp+58h+var_30]
		jz	loc_497AF9
		or	edi, 80000000h
		jmp	loc_497AF9
; 

loc_5BBAA6:				; CODE XREF: MiReplicatePteChange+2B1j
		push	edi
		push	edx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_497B07
; 

loc_5BBAB4:				; CODE XREF: MiReplicatePteChange+3A5j
		mov	eax, [esp+58h+var_30]
		mov	ecx, [eax+edx]
		mov	[esp+58h+var_4C], ecx
		nop
		mov	ecx, [eax+edx+4]
		mov	eax, [edx]
		mov	[esp+58h+var_44], ecx
		mov	[esp+58h+var_10], eax
		nop
		mov	eax, [edx+4]
		mov	[esp+58h+var_14], eax
		mov	eax, [esp+58h+var_10]
		cmp	[esp+58h+var_4C], eax
		jnz	short loc_5BBAEA
		cmp	ecx, [esp+58h+var_14]
		jz	loc_497BFB

loc_5BBAEA:				; CODE XREF: MiReplicatePteChange+12428Ej
		mov	eax, [edx]
		and	eax, 1
		or	eax, 0
		jz	short loc_5BBB0B
		push	ecx
		push	[esp+5Ch+var_4C]
		mov	ecx, [esp+60h+var_38]
		mov	edx, ebx
		push	1
		call	MiTransformValidPteInPlace
		jmp	loc_5BBB91
; 

loc_5BBB0B:				; CODE XREF: MiReplicatePteChange+1242A2j
		mov	ecx, edx
		mov	[esp+58h+var_28], 0
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_5BBB6F
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5BBB57
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	[esp+58h+var_28], 1
		jnz	short loc_5BBB6F

loc_5BBB38:				; CODE XREF: MiReplicatePteChange+12431Dj
		mov	eax, [esp+58h+var_4C]
		and	eax, 1
		or	eax, 0
		jz	short loc_5BBB6F
		mov	eax, [esp+58h+var_4C]
		mov	[esp+58h+var_4C], eax
		mov	eax, [esp+58h+var_44]
		or	eax, 80000000h
		jmp	short loc_5BBB73
; 

loc_5BBB57:				; CODE XREF: MiReplicatePteChange+1242D5j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_5BBB38

loc_5BBB6F:				; CODE XREF: MiReplicatePteChange+1242CCj
					; MiReplicatePteChange+1242E6j	...
		mov	eax, [esp+58h+var_44]

loc_5BBB73:				; CODE XREF: MiReplicatePteChange+124305j
		mov	[edx+4], eax
		nop
		cmp	[esp+58h+var_28], 0
		mov	ecx, [esp+58h+var_4C]
		mov	[edx], ecx
		jz	loc_497BFB
		push	eax
		push	ecx
		mov	ecx, edx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_5BBB91:				; CODE XREF: MiReplicatePteChange+1242B6j
		mov	edx, [esp+58h+var_38]
		jmp	loc_497BFB
; 

loc_5BBB9A:				; CODE XREF: MiReplicatePteChange+3E6j
		mov	edx, [ebp+4]
		lea	ecx, [esp+58h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_497C5A
; END OF FUNCTION CHUNK	FOR MiReplicatePteChange
; 
; START	OF FUNCTION CHUNK FOR MiDeletePageDirectoryPages

loc_5BBBAB:				; CODE XREF: MiDeletePageDirectoryPages+52j
		mov	dl, cl
		mov	ecx, esi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	eax, [esi+10h]
		sub	esi, ds:_MmPfnDatabase
		and	eax, 3FFFFFFFh
		push	eax
		push	1Ch
		pop	ecx
		mov	eax, esi
		cdq
		idiv	ecx
		push	eax
		push	[ebp+var_10]
		push	3454h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BBBDC:				; CODE XREF: MiOutPageSingleKernelStack+CFj
		lea	edx, [ecx-3FFFFFF8h]
		mov	ecx, offset unk_6D3A40
		push	0
		call	MiLockPageTableInternal
		jmp	loc_497FA9
; END OF FUNCTION CHUNK	FOR MiDeletePageDirectoryPages
; 
; START	OF FUNCTION CHUNK FOR MiOutPageSingleKernelStack

loc_5BBBF3:				; CODE XREF: MiOutPageSingleKernelStack+2B2j
					; MiOutPageSingleKernelStack+2C1j
		push	offset unk_6D50F0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	loc_497FCB
; 

loc_5BBC02:				; CODE XREF: MiOutPageSingleKernelStack+1C5j
					; MiOutPageSingleKernelStack+123D3Bj
		lea	ecx, [esp+50h+var_20]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_5BBC02
		jmp	loc_498094
; 

loc_5BBC16:				; CODE XREF: MiOutPageSingleKernelStack+1D2j
		mov	ecx, [esp+50h+var_24]
		push	1Fh
		pop	edx
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	[esp+50h+var_8], eax
		mov	[esp+50h+var_4], edx
		mov	[esi], eax
		nop
		mov	[esi+4], edx
		jmp	loc_4980C7
; 

loc_5BBC35:				; CODE XREF: MiOutPageSingleKernelStack+218j
					; MiOutPageSingleKernelStack+123D6Ej
		lea	ecx, [esp+50h+var_C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_5BBC35
		jmp	loc_4980E7
; 

loc_5BBC49:				; CODE XREF: MiOutPageSingleKernelStack+251j
		lea	edx, [ebx-3FFFFFF8h]
		mov	ecx, offset unk_6D3A40
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	loc_49812B
; END OF FUNCTION CHUNK	FOR MiOutPageSingleKernelStack
; 
; START	OF FUNCTION CHUNK FOR MiZeroCfgSystemWideBitmapWorker

loc_5BBC5E:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+7Cj
					; MiZeroCfgSystemWideBitmapWorker+123A77j
		cmp	eax, esi
		jz	loc_49849C
		mov	eax, [eax+8]
		mov	ecx, edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], edx
		cmp	[eax+4], edx
		jz	short loc_5BBC5E
		jmp	loc_498285
; 

loc_5BBC7E:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+8Dj
		mov	eax, [eax+1Ch]
		lea	esi, [edx+eax*8]
		mov	eax, [ebp+var_4]
		jmp	loc_498295
; 

loc_5BBC8C:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+28Aj
		xor	edi, edi
		jmp	short loc_5BBC98
; 

loc_5BBC90:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123AA1j
		cmp	eax, edx
		jz	loc_498490

loc_5BBC98:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123A8Ej
		mov	eax, [eax+8]
		mov	[ebp+var_4], eax
		cmp	[eax+4], edi
		jz	short loc_5BBC90
		mov	ebx, [eax+4]
		cmp	eax, edx
		jnz	short loc_5BBCC4
		mov	esi, [edx+4]
		add	esi, [ebp+var_44]
		mov	[ebp+var_C], esi
		cmp	[ebp+var_14], edi
		jz	loc_4982C8
		mov	[ebp+var_1C], esi
		jmp	loc_4982C8
; 

loc_5BBCC4:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123AA8j
		mov	eax, [eax+1Ch]
		lea	esi, [ebx+eax*8]
		mov	[ebp+var_C], esi
		jmp	loc_4982C8
; 

loc_5BBCD2:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+2E1j
		mov	eax, [ebp+var_4]
		and	ebx, 0FFFFF000h
		add	ebx, 1000h
		jmp	loc_4982BE
; 

loc_5BBCE6:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+316j
		push	[ebp+var_14]
		xor	eax, eax
		push	eax
		push	esi
		jmp	loc_4986EE
; 

loc_5BBCF2:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+356j
		push	edx
		push	eax
		xor	eax, eax
		lea	edx, [eax+1]
		jmp	loc_498718
; 

loc_5BBCFE:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+14Ej
		mov	edi, ecx
		mov	esi, edx
		jmp	loc_498362
; 

loc_5BBD07:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+1A0j
		mov	ecx, esi
		jmp	short loc_5BBD0D
; 

loc_5BBD0B:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+53Aj
		xor	edx, edx

loc_5BBD0D:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123B09j
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	loc_498474
; 

loc_5BBD22:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+427j
		mov	edx, eax
		lea	ecx, [ebp+var_6C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_49863A
; 

loc_5BBD31:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+44Ej
		push	[ebp+var_14]
		xor	ecx, ecx
		push	ecx
		push	eax
		jmp	loc_498666
; 

loc_5BBD3D:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+486j
		mov	ecx, edi
		mov	esi, eax
		mov	eax, ds:dword_6D3068
		and	edi, 1Fh
		shr	ecx, 5
		lea	edx, [eax+ecx*4]
		lea	eax, [edi+1]
		mov	[ebp+var_38], edx
		cmp	eax, 20h
		ja	short loc_5BBD6C
		xor	eax, eax
		mov	ecx, edi
		inc	eax
		shl	eax, cl
		lock or	[edx], eax
		mov	esi, [ebp+var_8]
		jmp	loc_49868C
; 

loc_5BBD6C:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123B58j
		test	edi, edi
		jz	short loc_5BBDB4
		push	20h
		xor	eax, eax
		pop	edx
		sub	edx, edi
		inc	eax
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, edi
		dec	eax
		shl	eax, cl
		mov	ecx, [ebp+var_38]
		lock or	[ecx], eax
		xor	edi, edi
		inc	edi
		mov	esi, edi
		sub	esi, edx
		mov	edx, ecx
		add	edx, 4
		cmp	esi, 20h
		jb	short loc_5BBDAE
		mov	eax, esi
		shr	eax, 5

loc_5BBD9D:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123BACj
		mov	dword ptr [edx], 0FFFFFFFFh
		sub	esi, 20h
		add	edx, 4
		sub	eax, 1
		jnz	short loc_5BBD9D

loc_5BBDAE:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123B96j
		test	esi, esi
		jnz	short loc_5BBDB7
		jmp	short loc_5BBDC1
; 

loc_5BBDB4:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123B6Ej
		xor	edi, edi
		inc	edi

loc_5BBDB7:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123BB0j
		mov	eax, edi
		mov	ecx, esi
		shl	eax, cl
		dec	eax
		lock or	[edx], eax

loc_5BBDC1:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+123BB2j
		mov	esi, [ebp+var_8]
		jmp	loc_49868F
; 

loc_5BBDC9:				; CODE XREF: MiZeroCfgSystemWideBitmapWorker+49Cj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_6C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4986C4
; END OF FUNCTION CHUNK	FOR MiZeroCfgSystemWideBitmapWorker
; 
; START	OF FUNCTION CHUNK FOR SmKmStoreHelperWorker

loc_5BBDD9:				; CODE XREF: SmKmStoreHelperWorker+97j
		lea	eax, [ebp+var_20]
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	SmKmStoreHelperCommandCleanup
		jmp	loc_49894F
; END OF FUNCTION CHUNK	FOR SmKmStoreHelperWorker
; 
; START	OF FUNCTION CHUNK FOR SmKmStoreHelperCommandProcess

loc_5BBDEB:				; CODE XREF: SmKmStoreHelperCommandProcess+E3j
		sub	edx, 1
		jz	short loc_5BBDFA
		mov	edi, 0C000000Dh
		jmp	loc_498A68
; 

loc_5BBDFA:				; CODE XREF: SmKmStoreHelperCommandProcess+123450j
		mov	eax, [esi]
		mov	[ebp+var_4], eax
		mov	eax, [esi+4]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	1
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	0FFFFFFFFh
		call	_ZwUnlockVirtualMemory@16 ; ZwUnlockVirtualMemory(x,x,x,x)
		jmp	loc_498A66
; 

loc_5BBE1B:				; CODE XREF: SmKmStoreHelperCommandProcess+5Aj
					; SmKmStoreHelperCommandProcess+104j
		mov	edi, 0C000009Ah
		jmp	loc_498A68
; 

loc_5BBE25:				; CODE XREF: SmKmStoreHelperCommandProcess+15Aj
		mov	ecx, [ebx+48h]
		push	1
		push	0
		push	ebx
		push	4
		pop	edx
		call	SmFpAllocate
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	1
		push	[ebp+arg_0]
		mov	[ebp+var_C], eax
		call	?SmKmProbeAndLockAddress@@YGJPAXKPAU_MDL@@K@Z ;	SmKmProbeAndLockAddress(void *,ulong,_MDL *,ulong)
		mov	ecx, [ebp+var_C]
		mov	edi, eax
		test	edi, edi
		jns	short loc_5BBE63
		push	ecx
		mov	ecx, [ebx+48h]
		push	ebx
		push	4
		pop	edx
		call	SmFpFree
		jmp	loc_498A31
; 

loc_5BBE63:				; CODE XREF: SmKmStoreHelperCommandProcess+1234B1j
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	loc_498A31
; 

loc_5BBE6D:				; CODE XREF: SmKmStoreHelperCommandProcess+BFj
		mov	edx, [ebx+48h]
		mov	edi, 0C000009Ah
		mov	ecx, [ebp+arg_0]
		push	ebx
		call	SmKmUnlockMdl
		jmp	loc_498ADA
; 

loc_5BBE83:				; CODE XREF: SmKmStoreHelperCommandProcess+137j
		mov	edx, [ebp+var_8]
		call	_SmKmVirtualLockCtxMemoryUnlocked@8 ; SmKmVirtualLockCtxMemoryUnlocked(x,x)
		jmp	loc_498A66
; 

loc_5BBE90:				; CODE XREF: SmKmStoreHelperCommandProcess+10Fj
		test	byte ptr [esi+14h], 1
		jnz	loc_498AB3
		push	[ebp+var_8]
		mov	edx, eax
		call	_SmKmVirtualLockCtxLockMemory@12 ; SmKmVirtualLockCtxLockMemory(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_5BBEB7
		mov	ecx, [ebp+var_4]
		call	_MmStoreFreeVirtualMemory@4 ; MmStoreFreeVirtualMemory(x)
		jmp	loc_498A68
; 

loc_5BBEB7:				; CODE XREF: SmKmStoreHelperCommandProcess+12350Aj
		mov	eax, [ebp+var_4]
		jmp	loc_498AB3
; END OF FUNCTION CHUNK	FOR SmKmStoreHelperCommandProcess
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict

loc_5BBEBF:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+DCj
		mov	edx, [ebp+var_4]
		push	ecx
		push	eax
		call	?SmFeSetEvictFailed@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAT_SM_PAGE_KEY@@KK@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)
		mov	edx, [ebx+10F0h]
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_498BE0
; 

loc_5BBEEC:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+E4j
		push	esi
		mov	edx, edi
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFreeResource
		jmp	loc_498BE8
; 

loc_5BBEFE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+ECj
		push	esi
		push	esi
		xor	edx, edx
		mov	ecx, offset unk_718328
		call	SmFpFree
		jmp	loc_498BF0
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict
; 
; START	OF FUNCTION CHUNK FOR SmFpAllocate

loc_5BBF11:				; CODE XREF: SmFpAllocate+24j
		xor	esi, esi

loc_5BBF13:				; CODE XREF: SmFpAllocate+A5j
		cmp	[ebp+arg_8], 0
		jz	loc_498C50
		push	[ebp+arg_0]
		mov	edx, ebx
		call	_SmpFpWaitForResource@12 ; SmpFpWaitForResource(x,x,x)
		mov	esi, eax
		cmp	ebx, 5
		jl	loc_498C50
		push	1
		push	edi
		push	6D526D73h
		push	esi
		call	MmMapLockedPagesWithReservedMapping
		jmp	loc_498C50
; END OF FUNCTION CHUNK	FOR SmFpAllocate
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate

loc_5BBF45:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+1FEj
		push	0
		push	[ebp+var_68]
		push	offset unk_7180B0
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BBF5A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+17Bj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_6C]
		jmp	loc_498E3B
; 

loc_5BBF71:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+237j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_498EE7
; 

loc_5BBF80:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+261j
		push	[ebp+var_6C]
		mov	edx, offset unk_7180B0
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_498E52
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass

loc_5BBF94:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+143j
		test	byte ptr [ebx+7], 1
		mov	esi, eax
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_8], ecx
		jnz	loc_498FF2
		jmp	loc_498FC0
; 

loc_5BBFAB:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass+BEj
		cmp	eax, 400h
		jnz	loc_49902A
		jmp	loc_498FF2
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmFeEvictUpdatePass
; 
; START	OF FUNCTION CHUNK FOR SmSetThreadPagePriority

loc_5BBFBB:				; CODE XREF: SmSetThreadPagePriority+7j
		mov	esi, large fs:124h
		mov	[ecx], esi
		jmp	loc_499131
; END OF FUNCTION CHUNK	FOR SmSetThreadPagePriority
; 
; START	OF FUNCTION CHUNK FOR SmKmAllocateMdlForLock

loc_5BBFC9:				; CODE XREF: SmKmAllocateMdlForLock+73j
		push	1
		push	3
		pop	edx
		mov	ecx, edi
		call	_SmAcquireReleaseCharges@12 ; SmAcquireReleaseCharges(x,x,x)
		jmp	loc_4991BF
; 

loc_5BBFDA:				; CODE XREF: SmKmAllocateMdlForLock+7Bj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4991C7
; END OF FUNCTION CHUNK	FOR SmKmAllocateMdlForLock
; 
; START	OF FUNCTION CHUNK FOR SmKmUnlockMdl

loc_5BBFE7:				; CODE XREF: SmKmUnlockMdl+15j
		push	dword ptr [esi+0Ch]
		call	MmUnmapLockedPages
		jmp	loc_4991F8
; 

loc_5BBFF4:				; CODE XREF: SmKmUnlockMdl+2Cj
		push	eax
		push	[ebp+arg_0]
		mov	ecx, edi
		push	4
		pop	edx
		call	SmFpFree
		and	dword ptr [esi], 0
		jmp	loc_499202
; END OF FUNCTION CHUNK	FOR SmKmUnlockMdl
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree

loc_5BC00A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+125j
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_49928B
; 

loc_5BC017:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+143j
		xor	esi, esi
		test	eax, eax
		jnz	short loc_5BC025
		mov	[edx+18h], esi
		jmp	loc_499299
; 

loc_5BC025:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+122E0Bj
		cmp	eax, 3
		jz	short loc_5BC03F
		cmp	eax, 1
		jz	short loc_5BC038
		cmp	eax, 2
		jnz	loc_499299

loc_5BC038:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+122E1Dj
		xor	ebx, ebx
		jmp	loc_49929E
; 

loc_5BC03F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+14Bj
					; SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+122E18j
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [esp+38h+var_2C]
		jmp	loc_4992C3
; 

loc_5BC050:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+90j
		mov	edi, [esp+38h+var_2C]
		jmp	loc_4992BB
; 

loc_5BC059:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+CCj
		xor	ecx, ecx
		jmp	loc_4992EB
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete

loc_5BC060:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+13j
		xor	edx, edx
		jmp	loc_49938B
; 

loc_5BC067:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+D8j
					; DATA XREF: .text:off_4994CCo
		mov	eax, [ebp+arg_4] ; case	0x2
		mov	[esi], eax
		mov	eax, [edi+8]
		mov	[esi+4], eax
		jmp	loc_4993E2	; default
; 

loc_5BC077:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+D8j
					; DATA XREF: .text:off_4994CCo
		test	byte ptr [edi+4], 7 ; case 0x3
		jz	loc_4994C3
		jmp	loc_4994B2	; case 0x4
; 

loc_5BC086:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+7Aj
		push	40000010h
		push	0
		push	0
		push	1
		push	0
		push	ebx
		call	MmMapLockedPagesSpecifyCache
		jmp	loc_4993F0
; 

loc_5BC09E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+95j
		push	eax
		mov	edx, 5
		mov	ecx, offset unk_71836C
		call	_SmpFpReleaseResource@12 ; SmpFpReleaseResource(x,x,x)
		test	eax, eax
		jz	short loc_5BC0E9
		push	ebx
		push	6D526D73h
		push	[ebp+arg_4]
		call	_MmUnmapReservedMapping@12 ; MmUnmapReservedMapping(x,x,x)
		cmp	ds:byte_71839E,	0
		jnz	loc_499412
		xor	eax, eax
		mov	ecx, offset dword_7183AC
		xchg	eax, [ecx]
		push	0
		push	0
		push	offset unk_718370
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_499412
; 

loc_5BC0E9:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+122D40j
		mov	eax, [ebp+arg_4]
		jmp	loc_49940B
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFreeResource

loc_5BC0F1:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFreeResource+2Aj
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4996B0
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFreeResource
; 
; START	OF FUNCTION CHUNK FOR SmFpFree

loc_5BC0FE:				; CODE XREF: SmFpFree+1Fj
		push	esi
		mov	ecx, ebx
		call	_SmpFpReleaseResource@12 ; SmpFpReleaseResource(x,x,x)
		test	eax, eax
		jz	loc_4996EB
		cmp	edi, 5
		jl	short loc_5BC121
		push	[ebp+var_4]
		push	6D526D73h
		push	esi
		call	_MmUnmapReservedMapping@12 ; MmUnmapReservedMapping(x,x,x)

loc_5BC121:				; CODE XREF: SmFpFree+122A4Bj
		cmp	byte ptr [ebx+32h], 0
		jnz	loc_499702
		xor	eax, eax
		lea	ecx, [ebx+40h]
		xchg	eax, [ecx]
		push	0
		push	0
		lea	eax, [ebx+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_499702
; END OF FUNCTION CHUNK	FOR SmFpFree
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete

loc_5BC144:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+DCj
		mov	eax, [eax+3F0h]
		cmp	eax, [edi]
		jnz	loc_499822
		push	0
		push	0
		push	edx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [ebp-78h]
		jmp	loc_499822
; 

loc_5BC164:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+F3j
		lea	edx, [ebp-60h]
		call	?BTreeSearchResultDeref@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUSEARCH_RESULT@1@@Z ;	B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultDeref(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>	*,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)
		cmp	dword ptr [ebp-54h], 0FFFFFFFFh
		mov	edi, [ebp-68h]
		jnz	short loc_5BC182
		mov	[eax], ecx
		mov	ecx, [ebp-74h]
		mov	[eax+4], ecx
		jmp	loc_499842
; 

loc_5BC182:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+122A33j
		mov	eax, [ecx+8]
		lea	edx, [ebp-60h]
		push	eax
		mov	ecx, edi
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	ecx, [ebp-54h]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_5BC1A7
		test	ecx, ecx
		jz	short loc_5BC1A7
		mov	eax, [ebp-60h]
		lea	eax, [eax+ecx*8]
		add	eax, 0FFFFFFFCh
		jmp	short loc_5BC1AA
; 

loc_5BC1A7:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+122A56j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+122A5Aj
		lea	eax, [ebp-58h]

loc_5BC1AA:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+122A65j
		mov	ecx, [ebp-74h]
		mov	[eax], ecx
		jmp	loc_499842
; 

loc_5BC1B4:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+2E7j
		mov	eax, [ebp-6Ch]
		push	0
		push	dword ptr [ebp-70h]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BC1C8:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+241j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp-7Ch]
		jmp	loc_499997
; 

loc_5BC1DD:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+31Fj
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_499A65
; 

loc_5BC1EE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete+34Cj
		push	dword ptr [ebp-7Ch]
		mov	edx, [ebp-6Ch]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4999AE
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmFeEvictComplete
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx

loc_5BC200:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+E9j
		cmp	byte ptr [edi+3], 0
		jnz	loc_499B1C
		mov	eax, [edx+10h]
		lea	eax, ds:0FFFFFFF8h[eax*8]
		push	eax		; size_t
		push	[ebp+var_10]	; void *
		push	ebx		; void *
		call	_memmove
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	ecx, [ebp+var_8]
		xor	esi, esi
		dec	dword ptr [eax+0Ch]
		mov	eax, [edi+4]
		push	esi
		push	edi
		mov	[ecx], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_499B1E
; 

loc_5BC23D:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+B2j
		mov	esi, 0C0000006h
		jmp	loc_499B1E
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeFindSeperatorIndexEntry

loc_5BC247:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeFindSeperatorIndexEntry+1Dj
		mov	ecx, [esi]
		movzx	eax, word ptr [ecx]
		inc	eax
		lea	eax, [ecx+eax*8]
		cmp	[esi+4], eax
		jnb	loc_499CCF
		mov	eax, ecx
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [esi+4]
		jmp	loc_499CBF
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeFindSeperatorIndexEntry
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StMapAndLockRegion

loc_5BC268:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+FDj
		mov	ebx, esi
		jmp	loc_49A095
; 

loc_5BC26F:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+A8j
		mov	eax, [ebp+arg_0]
		or	ebx, 0FFFFFFFFh
		jmp	loc_49A112
; 

loc_5BC27A:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+148j
		cmp	byte ptr [edi+1ACh], 0
		jnz	short loc_5BC293
		mov	eax, [edi+240h]
		mov	ecx, [ebp+var_10]
		movzx	esi, word ptr [ecx+eax]
		shr	esi, 0Dh

loc_5BC293:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+1222B5j
		mov	ecx, [edi+1C0h]
		shl	esi, 4
		or	esi, 4
		push	esi
		mov	esi, [ebp+var_4]
		sub	esp, 0Ch
		test	byte ptr [ecx+10F5h], 4
		mov	edx, esi
		jz	short loc_5BC2BB
		call	?SmStUnmapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ; SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)
		jmp	loc_49A11D
; 

loc_5BC2BB:				; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion+1222E3j
		call	?SmStUnmapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ;	SMKM_STORE<SM_TRAITS>::SmStUnmapPhysicalRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)
		jmp	loc_49A11D
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StMapAndLockRegion
; 
; START	OF FUNCTION CHUNK FOR MmChargeResources

loc_5BC2C5:				; CODE XREF: MmChargeResources+32j
		push	0
		mov	edx, edi
		mov	ecx, ebx
		call	MmReleaseResourceCharge
		jmp	loc_49A54C
; END OF FUNCTION CHUNK	FOR MmChargeResources
; 
; START	OF FUNCTION CHUNK FOR MmReleaseResourceCharge

loc_5BC2D5:				; CODE XREF: MmReleaseResourceCharge+31j
		sub	eax, 1
		jnz	loc_49A58E
		mov	edx, esi
		mov	ecx, edi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	loc_49A58E
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax
		jmp	loc_49A58E
; END OF FUNCTION CHUNK	FOR MmReleaseResourceCharge
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion

loc_5BC2FD:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+16j
		mov	edx, [ebp+arg_4]
		mov	esi, edx
		jmp	loc_49A673
; 

loc_5BC307:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+6Ej
		or	ecx, 1
		mov	[ebp+var_14], ecx
		jmp	loc_49A63C
; 

loc_5BC312:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion+BCj
		xor	eax, eax
		cmp	[ebx], eax
		jl	loc_49A68A
		mov	[ebp+var_18], eax
		mov	ecx, edi
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+117Ch]
		push	8
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	6
		mov	[ebp+var_20], edx
		pop	edx
		call	SMKM_STORE_SM_TRAITS___SmStHelperSendCommand
		jmp	loc_49A68A
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStLockVirtualRegion
; 
; START	OF FUNCTION CHUNK FOR MiObtainSystemCharges

loc_5BC34C:				; CODE XREF: MiObtainSystemCharges+2Dj
		mov	edx, edi
		mov	ecx, ebx
		call	MiReturnCommit
		xor	eax, eax
		jmp	loc_49A79B
; END OF FUNCTION CHUNK	FOR MiObtainSystemCharges
; 
; START	OF FUNCTION CHUNK FOR MiGetPoolPages

loc_5BC35C:				; CODE XREF: MiGetPoolPages+18Dj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_49A995
; 

loc_5BC36C:				; CODE XREF: MiGetPoolPages+1AFj
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_5BC374:				; CODE XREF: MiGetPoolPages+198j
		mov	[ebp+var_18], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_49A995
; 

loc_5BC38B:				; CODE XREF: MiGetPoolPages+47j
		test	edi, edi
		jz	short loc_5BC398
		xor	edx, edx
		mov	ecx, edi
		call	MiReturnPhysicalPoolPages

loc_5BC398:				; CODE XREF: MiGetPoolPages+121BADj
		xor	eax, eax
		jmp	loc_49A8F2
; 

loc_5BC39F:				; CODE XREF: MiGetPoolPages+C1j
		call	MiRetryNonPagedAllocation
		test	eax, eax
		jnz	loc_49A8E8

loc_5BC3AC:				; CODE XREF: MiGetPoolPages+133j
		test	ebx, ebx
		jz	loc_49A8F0
		mov	[ebp+var_38], 0
		mov	[ebp+var_34], 0
		mov	[ebp+var_2C], 0
		mov	[ebp+var_28], 0
		test	edi, edi
		jz	short loc_5BC3DF
		xor	edx, edx
		mov	ecx, edi
		call	MiReturnPhysicalPoolPages
		xor	edi, edi

loc_5BC3DF:				; CODE XREF: MiGetPoolPages+121BF2j
		xor	edx, edx
		mov	[ebp+var_3C], ebx
		lea	ecx, [ebp+var_3C]
		mov	[ebp+var_30], ebx
		call	_MiReturnPoolCharges@8 ; MiReturnPoolCharges(x,x)
		jmp	loc_49A8F0
; 

loc_5BC3F4:				; CODE XREF: MiGetPoolPages+FAj
		mov	esi, [ebp+arg_0]

loc_5BC3F7:				; CODE XREF: MiGetPoolPages+121C27j
		mov	edx, eax
		mov	ecx, eax
		and	edx, 0F87FFFFFh
		lock cmpxchg [esi], edx
		cmp	ecx, eax
		jnz	short loc_5BC3F7
		mov	esi, [ebp+var_C]
		jmp	loc_49A8E0
; END OF FUNCTION CHUNK	FOR MiGetPoolPages
; 
; START	OF FUNCTION CHUNK FOR MiRetryNonPagedAllocation

loc_5BC411:				; CODE XREF: MiRetryNonPagedAllocation+56j
		xor	edi, edi
		mov	ebx, offset _Mi30Milliseconds
		xor	ecx, ecx
		lea	esi, [ecx+1]

loc_5BC41D:				; CODE XREF: MiRetryNonPagedAllocation+121AF9j
		lea	edx, [ebp+var_C]
		mov	ecx, offset unk_6D58C0
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, 0A0h
		mov	ecx, offset _MiSystemPartition
		call	MiSufficientAvailablePages
		xor	ecx, ecx
		inc	ecx
		test	eax, eax
		jnz	loc_5BC501
		cmp	esi, ecx
		jz	short loc_5BC45B
		cmp	esi, 102h
		jz	loc_5BC4E6
		mov	ebx, offset _Mi10Milliseconds
		jmp	short loc_5BC47B
; 

loc_5BC45B:				; CODE XREF: MiRetryNonPagedAllocation+121A5Ej
		cmp	ds:byte_6CF350,	cl
		jnz	short loc_5BC47B
		mov	eax, ds:dword_6CF34C
		cmp	eax, ds:dword_6D58E8
		jz	loc_5BC512
		mov	ds:byte_6CF350,	0

loc_5BC47B:				; CODE XREF: MiRetryNonPagedAllocation+121A71j
					; MiRetryNonPagedAllocation+121A79j
		mov	esi, offset unk_6D58D8
		push	esi
		call	_KeResetEvent@4	; KeResetEvent(x)
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5BC49E
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BC4C9
; 

loc_5BC49E:				; CODE XREF: MiRetryNonPagedAllocation+121AA7j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5BC4BD
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5BC4C9
		call	KxWaitForLockChainValid

loc_5BC4BD:				; CODE XREF: MiRetryNonPagedAllocation+121ABBj
		xor	ecx, ecx
		mov	[ebp+var_C], edi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5BC4C9:				; CODE XREF: MiRetryNonPagedAllocation+121AB4j
					; MiRetryNonPagedAllocation+121ACEj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ebx
		push	0
		push	0
		push	8
		push	esi
		call	KeWaitForSingleObject
		mov	esi, eax
		jmp	loc_5BC41D
; 

loc_5BC4E6:				; CODE XREF: MiRetryNonPagedAllocation+121A66j
		cmp	ds:byte_6CF350,	0
		jnz	short loc_5BC512
		mov	eax, ds:dword_6D58E8
		mov	ds:byte_6CF350,	cl
		mov	ds:dword_6CF34C, eax
		jmp	short loc_5BC512
; 

loc_5BC501:				; CODE XREF: MiRetryNonPagedAllocation+121A56j
		cmp	ds:byte_6CF350,	cl
		jnz	short loc_5BC510
		mov	ds:byte_6CF350,	0

loc_5BC510:				; CODE XREF: MiRetryNonPagedAllocation+121B1Fj
		mov	edi, ecx

loc_5BC512:				; CODE XREF: MiRetryNonPagedAllocation+121A86j
					; MiRetryNonPagedAllocation+121B05j ...
		test	ds:byte_70EFC6,	cl
		jz	short loc_5BC527
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BC556
; 

loc_5BC527:				; CODE XREF: MiRetryNonPagedAllocation+121B30j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5BC546
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5BC556
		call	KxWaitForLockChainValid

loc_5BC546:				; CODE XREF: MiRetryNonPagedAllocation+121B44j
		lea	ecx, [eax+4]
		mov	[ebp+var_C], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax

loc_5BC556:				; CODE XREF: MiRetryNonPagedAllocation+121B3Dj
					; MiRetryNonPagedAllocation+121B57j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		jmp	loc_49AA46
; END OF FUNCTION CHUNK	FOR MiRetryNonPagedAllocation
; 
; START	OF FUNCTION CHUNK FOR MiAcquireNonPagedResources

loc_5BC566:				; CODE XREF: MiAcquireNonPagedResources+37j
		mov	edx, esi
		mov	ecx, edi
		call	MiReturnCommit
		mov	eax, 0C000009Ah
		jmp	loc_49AAD1
; END OF FUNCTION CHUNK	FOR MiAcquireNonPagedResources
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStHelperSendCommand

loc_5BC579:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+6Aj
		and	[ebp+var_14], 0
		jmp	loc_49ABFB
; 

loc_5BC582:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+23Cj
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BC595:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+195j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_34]
		jmp	loc_49ACFD
; 

loc_5BC5AC:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+27Aj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_49ADD2
; 

loc_5BC5BB:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStHelperSendCommand+2A4j
		push	[ebp+var_34]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_49AD14
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStHelperSendCommand
; 
; START	OF FUNCTION CHUNK FOR ExReinitializeResourceLite

loc_5BC5CD:				; CODE XREF: ExReinitializeResourceLite+10j
		push	0
		push	0
		push	esi
		push	0Eh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BC5DE:				; CODE XREF: ExReinitializeResourceLite+F3j
		inc	edx
		mov	ecx, esi
		mov	[ebp+arg_0], edx
		call	_ExpResourceEnforcesOwnershipTransfer@4	; ExpResourceEnforcesOwnershipTransfer(x)
		mov	ecx, [ebp+var_8]
		test	al, al
		jz	short loc_5BC617
		test	byte ptr [ecx],	2
		jnz	short loc_5BC617
		mov	eax, large fs:124h
		cmp	[ebp+var_C], eax
		jz	short loc_5BC617
		mov	eax, large fs:124h
		push	3
		push	[ebp+var_C]
		push	eax
		push	esi
		push	16Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BC617:				; CODE XREF: ExReinitializeResourceLite+12168Ej
					; ExReinitializeResourceLite+121693j ...
		mov	eax, [ecx]
		mov	[ebp+var_10], eax
		test	al, 1
		jz	short loc_5BC639
		mov	ecx, [ebp+var_C]
		mov	dl, 1
		push	0
		push	0
		call	PsBoostThreadIoEx
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+arg_0]
		mov	eax, [ecx]
		mov	[ebp+var_10], eax

loc_5BC639:				; CODE XREF: ExReinitializeResourceLite+1216BEj
		test	al, 4
		mov	eax, [ebp+var_C]
		jz	short loc_5BC64F
		lock dec dword ptr [eax+330h]
		mov	ebx, [ecx]
		mov	[ebp+var_10], ebx
		mov	ebx, [ebp+var_4]

loc_5BC64F:				; CODE XREF: ExReinitializeResourceLite+1216DEj
		test	byte ptr [ebp+var_10], 2
		jz	loc_49B05C
		push	746C6644h
		push	eax
		call	ObDereferenceObjectDeferDeleteWithTag
		mov	edx, [ebp+arg_0]
		jmp	loc_49B059
; 

loc_5BC66C:				; CODE XREF: ExReinitializeResourceLite+45j
		and	ebx, 0FFFFFFFCh
		jmp	loc_49AFB0
; 

loc_5BC674:				; CODE XREF: ExReinitializeResourceLite+58j
					; ExReinitializeResourceLite+65j
		mov	ecx, [esi+1Ch]
		test	cl, 2
		jnz	loc_49AFCE
		mov	eax, large fs:124h
		cmp	ebx, eax
		jz	short loc_5BC69F
		mov	eax, large fs:124h
		push	4
		push	ebx
		push	eax
		push	esi
		push	16Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BC69F:				; CODE XREF: ExReinitializeResourceLite+121728j
		mov	eax, [ebp+var_4]
		jmp	loc_49AFCE
; 

loc_5BC6A7:				; CODE XREF: ExReinitializeResourceLite+71j
		push	0
		push	0
		mov	dl, 1
		mov	ecx, ebx
		call	PsBoostThreadIoEx
		mov	ecx, [esi+1Ch]
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+var_4]
		jmp	loc_49AFD7
; 

loc_5BC6C2:				; CODE XREF: ExReinitializeResourceLite+83j
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+var_4]
		jmp	loc_49AFE9
; 

loc_5BC6D8:				; CODE XREF: ExReinitializeResourceLite+B9j
		push	edx
		push	eax
		mov	edx, esi
		mov	ecx, 10018h
		call	@PerfLogExecutiveResourceInitialize@16 ; PerfLogExecutiveResourceInitialize(x,x,x,x)
		jmp	loc_49B01F
; END OF FUNCTION CHUNK	FOR ExReinitializeResourceLite
; 
; START	OF FUNCTION CHUNK FOR MiObtainMdlCharges

loc_5BC6EB:				; CODE XREF: MiObtainMdlCharges+28j
		mov	edi, [ebx+10h]
		jmp	short loc_5BC6FD
; 

loc_5BC6F0:				; CODE XREF: MiObtainMdlCharges+30j
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	loc_49B284
		mov	edi, eax

loc_5BC6FD:				; CODE XREF: MiObtainMdlCharges+1214A0j
		mov	[ebp+var_4], ecx
		jmp	loc_49B284
; 

loc_5BC705:				; CODE XREF: MiObtainMdlCharges+65j
		mov	eax, [ebx]
		mov	edx, esi
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	MiReturnCommit
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_5BC72E
		mov	ecx, [ebp+var_8]
		add	ecx, 1000h
		lock xadd [ecx], eax

loc_5BC72E:				; CODE XREF: MiObtainMdlCharges+46j
					; MiObtainMdlCharges+1214D1j
		test	byte ptr [ebx+4], 4
		jnz	short loc_5BC7AC
		mov	eax, [ebx]
		mov	ecx, [eax+1000h]
		test	ecx, ecx
		jle	short loc_5BC7AC
		mov	edx, [ebx+18h]
		cmp	ecx, edx
		jbe	short loc_5BC7AC
		sub	ecx, edx
		mov	edx, [eax+10BCh]
		mov	eax, [ebx]
		mov	eax, [eax+1114h]
		cmp	edx, eax
		jnb	short loc_5BC763
		sub	eax, edx
		cmp	eax, ecx
		jnb	short loc_5BC763
		mov	ecx, eax

loc_5BC763:				; CODE XREF: MiObtainMdlCharges+12150Bj
					; MiObtainMdlCharges+121511j
		cmp	esi, ecx
		jbe	short loc_5BC76B
		mov	esi, ecx
		jmp	short loc_5BC789
; 

loc_5BC76B:				; CODE XREF: MiObtainMdlCharges+121517j
		cmp	esi, edi
		ja	short loc_5BC787
		cmp	[ebp+var_4], 1
		jz	short loc_5BC7AC
		cmp	edi, 1
		jnz	short loc_5BC77E
		jmp	short loc_5BC7AC
; 

loc_5BC77C:				; CODE XREF: MiObtainMdlCharges+121532j
		shr	edi, 1

loc_5BC77E:				; CODE XREF: MiObtainMdlCharges+12152Aj
		cmp	esi, edi
		jb	short loc_5BC77C
		test	edi, edi
		jnz	short loc_5BC787
		inc	edi

loc_5BC787:				; CODE XREF: MiObtainMdlCharges+12151Fj
					; MiObtainMdlCharges+121536j
		sub	esi, edi

loc_5BC789:				; CODE XREF: MiObtainMdlCharges+12151Bj
		mov	eax, [ebx+4]
		test	al, 40h
		jz	short loc_5BC795
		mov	eax, [ebx+10h]
		jmp	short loc_5BC7A0
; 

loc_5BC795:				; CODE XREF: MiObtainMdlCharges+121540j
		test	al, 20h
		jz	short loc_5BC7A4
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	short loc_5BC7A4

loc_5BC7A0:				; CODE XREF: MiObtainMdlCharges+121545j
		neg	eax
		and	esi, eax

loc_5BC7A4:				; CODE XREF: MiObtainMdlCharges+121549j
					; MiObtainMdlCharges+121550j
		test	esi, esi
		jnz	loc_49B284

loc_5BC7AC:				; CODE XREF: MiObtainMdlCharges+1214E4j
					; MiObtainMdlCharges+1214F0j ...
		mov	eax, 0C000009Ah
		jmp	loc_49B2FD
; END OF FUNCTION CHUNK	FOR MiObtainMdlCharges
; 
; START	OF FUNCTION CHUNK FOR MiAllocatePagesForMdl

loc_5BC7B6:				; CODE XREF: MiAllocatePagesForMdl+B3j
		mov	eax, [esp+9Ch+var_78]
		test	al, al
		jns	short loc_5BC7FF
		cmp	[esp+9Ch+var_8C], ecx
		jz	short loc_5BC7C8
		xor	edi, edi
		jmp	short loc_5BC7F1
; 

loc_5BC7C8:				; CODE XREF: MiAllocatePagesForMdl+1214B8j
		cmp	edi, 3
		ja	short loc_5BC7FF
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_5BC7FF
		test	byte ptr [esp+9Ch+var_78], 8
		jnz	short loc_5BC7FF
		push	offset _Mi10Milliseconds
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	eax, [esp+9Ch+var_78]
		inc	edi

loc_5BC7F1:				; CODE XREF: MiAllocatePagesForMdl+1214BCj
		and	eax, 0FFFEFFFFh
		mov	[esp+9Ch+var_78], eax
		jmp	loc_49B3A1
; 

loc_5BC7FF:				; CODE XREF: MiAllocatePagesForMdl+1214B2j
					; MiAllocatePagesForMdl+1214C1j ...
		lea	ecx, [esp+9Ch+var_7C]
		call	_MiReturnMdlExcess@4 ; MiReturnMdlExcess(x)
		jmp	loc_49B3C3
; 

loc_5BC80D:				; CODE XREF: MiAllocatePagesForMdl+E2j
		mov	eax, [edi+14h]
		lea	ecx, [edi+1Ch]
		shr	eax, 0Ch
		mov	edx, 278h
		push	eax
		call	_MiLogMdlRangeEvent@12 ; MiLogMdlRangeEvent(x,x,x)
		jmp	loc_49B3F2
; 

loc_5BC826:				; CODE XREF: MiAllocatePagesForMdl+F2j
		mov	ecx, edi
		call	_MiRemoveMdlPages@8 ; MiRemoveMdlPages(x,x)
		mov	[esp+9Ch+var_58], eax
		jmp	loc_49B402
; 

loc_5BC836:				; CODE XREF: MiAllocatePagesForMdl+118j
		push	[esp+9Ch+var_88]
		push	[esp+0A0h+var_84]
		push	ecx
		push	ecx
		call	_EtwpGetDurationSince@16 ; EtwpGetDurationSince(x,x,x,x)
		mov	[esp+9Ch+var_50], eax
		xor	ecx, ecx
		mov	eax, [ebp+arg_C]
		mov	[esp+9Ch+var_40], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+9Ch+var_3C], eax
		mov	eax, [ebp+arg_14]
		mov	[esp+9Ch+var_38], eax
		mov	eax, [ebp+arg_18]
		mov	[esp+9Ch+var_34], eax
		mov	eax, [ebp+arg_1C]
		mov	[esp+9Ch+var_30], eax
		mov	eax, [ebp+arg_20]
		mov	[esp+9Ch+var_2C], eax
		mov	eax, [esp+9Ch+var_80]
		mov	[esp+9Ch+var_48], eax
		lea	eax, [esp+9Ch+var_50]
		mov	[esp+9Ch+var_1C], eax
		lea	eax, [esp+9Ch+var_1C]
		push	eax
		push	1
		push	ecx
		push	ecx
		push	1
		push	ecx
		push	ecx
		push	offset _KERNEL_MEM_EVENT_MDL_ALLOCATION
		push	ds:dword_6BC304
		mov	[esp+0C0h+var_4C], edx
		push	ds:_EtwpMemoryProvRegHandle
		mov	[esp+0C4h+var_28], ebx
		mov	[esp+0C4h+var_24], esi
		mov	[esp+0C4h+var_20], edi
		mov	[esp+0C4h+var_44], ecx
		mov	[esp+0C4h+var_18], ecx
		mov	[esp+0C4h+var_14], 34h
		mov	[esp+0C4h+var_10], ecx
		call	EtwWriteEx
		jmp	loc_49B428
; END OF FUNCTION CHUNK	FOR MiAllocatePagesForMdl
; 
; START	OF FUNCTION CHUNK FOR MiInitializeMdlPages

loc_5BC8EC:				; CODE XREF: MiInitializeMdlPages+25j
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		jmp	loc_49B481
; END OF FUNCTION CHUNK	FOR MiInitializeMdlPages
; 
; START	OF FUNCTION CHUNK FOR MiFindPagesForMdl

loc_5BC8F9:				; CODE XREF: MiFindPagesForMdl+2Ej
		test	bl, 2
		jz	short loc_5BC90B
		mov	eax, [ecx]
		lea	edi, [ebp+var_4]
		mov	[ebp+var_4], eax
		jmp	loc_49B6CD
; 

loc_5BC90B:				; CODE XREF: MiFindPagesForMdl+121274j
		mov	ecx, [ecx]
		movzx	edx, ax
		mov	eax, ds:dword_6D0698
		imul	ecx, edx
		lea	edi, [eax+ecx*4]
		lea	eax, [edi+edx*4]
		mov	edx, [ebp+var_8]
		mov	[ebp+var_C], eax
		lea	ecx, [esi+1Ch]
		jmp	loc_49B6C6
; 

loc_5BC92C:				; CODE XREF: MiFindPagesForMdl+51j
		or	ebx, 4000000h
		jmp	loc_49B6DF
; 

loc_5BC937:				; CODE XREF: MiFindPagesForMdl+A5j
		cmp	ds:_InitializationPhase, 0
		jnz	loc_49B747
		jmp	loc_49B733
; 

loc_5BC949:				; CODE XREF: MiFindPagesForMdl+CDj
		test	bl, 2
		jnz	loc_49B712
		add	edi, 4
		cmp	edi, [ebp+var_C]
		jb	loc_49B717
		jmp	loc_49B712
; END OF FUNCTION CHUNK	FOR MiFindPagesForMdl
; 
; START	OF FUNCTION CHUNK FOR MiValidateMdlAllocationRequest

loc_5BC963:				; CODE XREF: MiValidateMdlAllocationRequest+20j
		cmp	eax, offset _MiSystemPartition
		jnz	loc_49B883
		jmp	loc_49B796
; 

loc_5BC973:				; CODE XREF: MiValidateMdlAllocationRequest+47j
		mov	eax, [ebp+var_4]
		cmp	esi, [eax+0F44h]
		jb	loc_49B7CD
		jmp	loc_49B7C0
; 

loc_5BC987:				; CODE XREF: MiValidateMdlAllocationRequest+78j
		test	dl, 40h
		jnz	loc_49B883
		xor	eax, eax
		mov	esi, eax
		jmp	loc_49B7F0
; 

loc_5BC999:				; CODE XREF: MiValidateMdlAllocationRequest+89j
		test	edx, 362h
		jnz	loc_49B883
		test	edx, 10001h
		jz	loc_49B883
		cmp	ecx, 1
		jz	loc_49B7FF
		cmp	ecx, 3
		jnz	loc_49B883
		jmp	loc_49B7FF
; 

loc_5BC9C8:				; CODE XREF: MiValidateMdlAllocationRequest+98j
		test	dl, 4
		jnz	loc_49B883
		mov	ecx, 0FFFFE000h
		test	dl, 60h
		jz	loc_49B80E
		test	esi, esi
		jz	loc_49B80E
		imul	ecx, esi, 0FFFFF000h
		and	ecx, 0FFFFE000h
		jmp	loc_49B80E
; 

loc_5BC9F8:				; CODE XREF: MiValidateMdlAllocationRequest+AEj
		mov	edx, [ebp+var_8]
		test	edx, edx
		jz	short loc_5BCA0B
		cmp	edx, 100000h
		jnz	loc_49B883

loc_5BCA0B:				; CODE XREF: MiValidateMdlAllocationRequest+12128Dj
		mov	edx, [ebp+arg_14]
		cmp	edx, ds:dword_6D5D84
		jb	loc_49B883

loc_5BCA1A:				; CODE XREF: MiValidateMdlAllocationRequest+1212B7j
		cmp	esi, ds:_MiLargePageSizes[eax*4]
		jz	short loc_5BCA29
		inc	eax
		cmp	eax, 2
		jb	short loc_5BCA1A

loc_5BCA29:				; CODE XREF: MiValidateMdlAllocationRequest+1212B1j
		cmp	eax, 2
		jz	loc_49B883
		xor	edx, edx
		mov	eax, ecx
		div	esi
		test	edx, edx
		mov	edx, [ebp+arg_C]
		jz	loc_49B824
		test	dl, 4
		jnz	loc_49B883
		cmp	ecx, esi
		jb	loc_49B883
		jmp	loc_49B824
; 

loc_5BCA59:				; CODE XREF: MiValidateMdlAllocationRequest+D8j
		test	dl, 4
		jnz	short loc_5BCA94
		cmp	[ebp+arg_0], 0
		mov	ecx, edi
		jz	short loc_5BCA79
		xor	edx, edx
		mov	eax, edi
		div	esi
		test	edx, edx
		jz	short loc_5BCA74
		cmp	edi, esi
		jb	short loc_5BCA94

loc_5BCA74:				; CODE XREF: MiValidateMdlAllocationRequest+1212FEj
		mov	edx, [ebp+arg_C]
		jmp	short loc_5BCA82
; 

loc_5BCA79:				; CODE XREF: MiValidateMdlAllocationRequest+1212F4j
		test	dl, 20h
		jz	short loc_5BCA88
		test	esi, esi
		jz	short loc_5BCA88

loc_5BCA82:				; CODE XREF: MiValidateMdlAllocationRequest+121307j
		mov	ecx, esi
		neg	ecx
		and	ecx, edi

loc_5BCA88:				; CODE XREF: MiValidateMdlAllocationRequest+12130Cj
					; MiValidateMdlAllocationRequest+121310j
		test	ecx, ecx
		jz	short loc_5BCA94
		cmp	ecx, esi
		jnb	loc_49B84E

loc_5BCA94:				; CODE XREF: MiValidateMdlAllocationRequest+1212ECj
					; MiValidateMdlAllocationRequest+121302j ...
		mov	eax, 0C000009Ah
		jmp	loc_49B87D
; END OF FUNCTION CHUNK	FOR MiValidateMdlAllocationRequest
; 
; START	OF FUNCTION CHUNK FOR MmAllocatePartitionNodePagesForMdlEx

loc_5BCA9E:				; CODE XREF: MmAllocatePartitionNodePagesForMdlEx+47j
		mov	eax, edi
		or	ebx, 10h
		or	eax, edx
		jz	short loc_5BCAE7
		mov	ecx, edi
		mov	eax, edx
		sub	ecx, 1
		sbb	eax, 0
		and	ecx, edi
		and	eax, edx
		or	ecx, eax
		jnz	loc_49B93A
		test	edx, edx
		jl	loc_49B93A
		jg	short loc_5BCAD3
		cmp	edi, 1000h
		jb	loc_49B93A

loc_5BCAD3:				; CODE XREF: MmAllocatePartitionNodePagesForMdlEx+121235j
		mov	eax, [ebp+arg_18]
		xor	edx, edx
		div	edi
		test	edx, edx
		jz	loc_49B8DD
		jmp	loc_49B93A
; 

loc_5BCAE7:				; CODE XREF: MmAllocatePartitionNodePagesForMdlEx+121215j
		or	ebx, 4
		jmp	loc_49B8DD
; 

loc_5BCAEF:				; CODE XREF: MmAllocatePartitionNodePagesForMdlEx+53j
		test	bl, 4
		jnz	loc_49B93A
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jnz	loc_49B93A
		jmp	loc_49B8E9
; 

loc_5BCB0B:				; CODE XREF: MmAllocatePartitionNodePagesForMdlEx+94j
		mov	ecx, [esp+18h+var_5+1]
		mov	ecx, [ecx+64h]
		call	PsDereferencePartition
		jmp	loc_49B92A
; END OF FUNCTION CHUNK	FOR MmAllocatePartitionNodePagesForMdlEx
; 
; START	OF FUNCTION CHUNK FOR RtlpHpLfhSubsegmentCreate

loc_5BCB1C:				; CODE XREF: RtlpHpLfhSubsegmentCreate+30j
		xor	eax, eax
		jmp	loc_49BDAE
; 

loc_5BCB23:				; CODE XREF: RtlpHpLfhSubsegmentCreate+C3j
		mov	[ebp+var_1], 0FFh
		jmp	loc_49BE48
; 

loc_5BCB2C:				; CODE XREF: RtlpHpLfhSubsegmentCreate+F8j
		and	[ebp+var_8], 0
		jmp	loc_49BED8
; 

loc_5BCB35:				; CODE XREF: RtlpHpLfhSubsegmentCreate+133j
		and	[ebp+var_8], 0
		jmp	loc_49BED0
; 

loc_5BCB3E:				; CODE XREF: RtlpHpLfhSubsegmentCreate+162j
		push	[ebp+arg_0]
		mov	eax, [esi+8]
		xor	eax, ds:_RtlpHpHeapGlobals
		push	edi
		push	ebx
		push	dword ptr [esi]
		xor	eax, esi
		call	eax
		jmp	loc_49BED8
; END OF FUNCTION CHUNK	FOR RtlpHpLfhSubsegmentCreate
; 
; START	OF FUNCTION CHUNK FOR RtlpHpLfhOwnerMoveSubsegment

loc_5BCB57:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+1Bj
		lea	ebx, [esi+14h]
		jmp	loc_49C03A
; 

loc_5BCB5F:				; CODE XREF: RtlpHpLfhOwnerMoveSubsegment+68j
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_49C0D2
		mov	esi, [edx]
		cmp	[esi+4], edx
		jnz	loc_49C0D2
		mov	[eax], esi
		mov	[esi+4], eax
		dec	dword ptr [ecx]
		mov	byte ptr [edx+16h], 2
		jmp	loc_49C080
; END OF FUNCTION CHUNK	FOR RtlpHpLfhOwnerMoveSubsegment
; 
; START	OF FUNCTION CHUNK FOR RtlpHpLfhSubsegmentDecBlockCounts

loc_5BCB85:				; CODE XREF: RtlpHpLfhSubsegmentDecBlockCounts+55j
		or	eax, 0FFFFFFFFh
		inc	edx
		cmp	esi, eax
		jnz	loc_49C161
		mov	esi, ecx
		sar	esi, 1
		jmp	loc_49C161
; END OF FUNCTION CHUNK	FOR RtlpHpLfhSubsegmentDecBlockCounts
; 
; START	OF FUNCTION CHUNK FOR RtlpHpLfhBucketAddSubsegment

loc_5BCB9A:				; CODE XREF: RtlpHpLfhBucketAddSubsegment+57j
		and	dword ptr [edi+8], 0
		jmp	loc_49C386
; END OF FUNCTION CHUNK	FOR RtlpHpLfhBucketAddSubsegment
; 
; START	OF FUNCTION CHUNK FOR MiInitializePfnForOtherProcess

loc_5BCBA3:				; CODE XREF: MiInitializePfnForOtherProcess+D0j
					; MiInitializePfnForOtherProcess+1205C9j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_5BCBA3
		jmp	loc_49C6AB
; END OF FUNCTION CHUNK	FOR MiInitializePfnForOtherProcess
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVsSubsegmentCreate

loc_5BCBB6:				; CODE XREF: RtlpHpVsSubsegmentCreate+7Ej
					; RtlpHpVsSubsegmentCreate+B0j
		test	ebx, ebx
		jz	loc_49C939
		push	[ebp+arg_0]
		mov	ecx, [esi+80h]
		push	[ebp+var_4]
		xor	ecx, esi
		push	ebx
		push	ecx
		mov	ecx, [esi+88h]
		xor	ecx, ds:_RtlpHpHeapGlobals
		xor	ecx, esi
		call	ecx
		jmp	loc_49C939
; END OF FUNCTION CHUNK	FOR RtlpHpVsSubsegmentCreate
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegSubAllocate

loc_5BCBE3:				; CODE XREF: RtlpHpSegSubAllocate+50j
		mov	al, [edi+9]
		and	al, 7
		cmp	al, 1
		jb	loc_49CABC
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	ecx, edi
		mov	edx, ebx
		call	_RtlpHpSegPageRangeComputeLargePageCost@12 ; RtlpHpSegPageRangeComputeLargePageCost(x,x,x)
		cmp	eax, 1
		jg	loc_49CABF
		or	dword ptr [esi], 1
		jmp	loc_49CABF
; END OF FUNCTION CHUNK	FOR RtlpHpSegSubAllocate
; 
; START	OF FUNCTION CHUNK FOR RtlpHpFreeHeap

loc_5BCC0E:				; CODE XREF: RtlpHpFreeHeap+38j
		or	ebx, esi
		jmp	loc_49CD3E
; 

loc_5BCC15:				; CODE XREF: RtlpHpFreeHeap+4Bj
		push	esi
		push	ebx
		mov	ecx, edi
		call	_RtlpHpExtrasGet@16 ; RtlpHpExtrasGet(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_5BCC67
		cmp	edx, 0FFFFFFFFh
		jz	short loc_5BCC67
		mov	al, [edx+2]
		test	al, 0Fh
		jz	short loc_5BCC67
		movzx	eax, al
		and	eax, 0Fh
		jz	short loc_5BCC5A
		xor	ecx, ecx
		dec	eax
		inc	ecx
		cmp	ax, cx
		jnb	short loc_5BCC5A
		movzx	eax, ax
		mov	ecx, ds:_RtlpInterceptorRoutines[eax*4]
		lea	eax, [edx+8]
		push	eax
		push	3
		push	[esp+18h+var_4]
		push	edi
		call	ecx
		jmp	short loc_5BCC5F
; 

loc_5BCC5A:				; CODE XREF: RtlpHpFreeHeap+11FF36j
					; RtlpHpFreeHeap+11FF3Fj
		mov	eax, 0C0000001h

loc_5BCC5F:				; CODE XREF: RtlpHpFreeHeap+11FF58j
		test	eax, eax
		js	loc_49CD80

loc_5BCC67:				; CODE XREF: RtlpHpFreeHeap+11FF22j
					; RtlpHpFreeHeap+11FF27j ...
		mov	edx, [esp+10h+var_4]
		jmp	loc_49CD51
; 

loc_5BCC70:				; CODE XREF: RtlpHpFreeHeap+58j
		push	ebx
		mov	ecx, edi
		call	_RtlpHpSizeHeap@12 ; RtlpHpSizeHeap(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	loc_49CD5E
		push	esi
		push	esi
		push	esi
		push	[esp+1Ch+var_4]
		mov	edx, edi
		push	9
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	loc_49CD80
; 

loc_5BCC97:				; CODE XREF: RtlpHpFreeHeap+6Aj
					; RtlpHpFreeHeap+AAj
		mov	edx, [esp+10h+var_4]
		mov	ecx, edi
		push	ebx
		call	RtlpHpLargeFree
		mov	esi, eax
		neg	esi
		sbb	esi, esi
		neg	esi
		jmp	loc_49CD80
; END OF FUNCTION CHUNK	FOR RtlpHpFreeHeap
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegFree

loc_5BCCB0:				; CODE XREF: RtlpHpSegFree+1Bj
		mov	edx, [esi+24h]
		xor	edi, edi
		push	edi
		push	edi
		push	edi
		push	ebx
		push	9
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	loc_49CE21
; END OF FUNCTION CHUNK	FOR RtlpHpSegFree
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVsSubsegmentCommitPages

loc_5BCCC6:				; CODE XREF: RtlpHpVsSubsegmentCommitPages+2Aj
		bsf	edi, ecx
		setnz	al
		movzx	eax, al
		test	eax, eax
		jz	short loc_5BCCDB
		add	edi, 20h
		jmp	loc_49CE89
; 

loc_5BCCDB:				; CODE XREF: RtlpHpVsSubsegmentCommitPages+11FE7Bj
		mov	edi, [ebp+var_8]
		jmp	loc_49CE89
; 

loc_5BCCE3:				; CODE XREF: RtlpHpVsSubsegmentCommitPages+3Dj
		bsr	ecx, ecx
		setnz	al
		movzx	eax, al
		test	eax, eax
		jz	short loc_5BCCF8
		lea	eax, [ecx+20h]
		jmp	loc_49CE9C
; 

loc_5BCCF8:				; CODE XREF: RtlpHpVsSubsegmentCommitPages+11FE98j
		mov	eax, [ebp+var_4]
		jmp	loc_49CE9C
; 

loc_5BCD00:				; CODE XREF: RtlpHpVsSubsegmentCommitPages+9Ej
		mov	eax, [ebx+8Ch]
		xor	eax, ds:_RtlpHpHeapGlobals
		xor	eax, ebx
		call	eax
		mov	edi, eax
		test	edi, edi
		js	loc_49CF25
		mov	eax, [ebp+var_C]
		or	[esi+8], eax
		mov	eax, [ebp+var_8]
		or	[esi+0Ch], eax
		mov	ecx, [ebp+arg_8]
		jmp	loc_49CF1C
; END OF FUNCTION CHUNK	FOR RtlpHpVsSubsegmentCommitPages
; 
; START	OF FUNCTION CHUNK FOR RtlpHpLfhContextCompact

loc_5BCD2E:				; CODE XREF: RtlpHpLfhContextCompact+18j
		mov	[ebp+var_1], 0FFh
		jmp	loc_49D3B7
; END OF FUNCTION CHUNK	FOR RtlpHpLfhContextCompact
; 
; START	OF FUNCTION CHUNK FOR RtlpHpLfhSubsegmentFreeBlock

loc_5BCD37:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+103j
		mov	eax, [ebp-0Ch]
		mov	ecx, 11h
		mov	esi, [ebx+8]
		push	0
		mov	edx, [eax]
		mov	eax, [ebp-18h]
		push	eax
		push	edi
		push	esi
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_5BCD51:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+ACj
		xor	eax, eax
		jmp	loc_49D741
; 

loc_5BCD58:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+17Ej
		dec	eax
		mov	[ebp-14h], eax
		jmp	loc_49D6A4
; 

loc_5BCD61:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+28Fj
		cmp	dword ptr [ebp-18h], 0
		jnz	loc_5BCF5D
		mov	ecx, [ebp-14h]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5BCD83
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-14h]

loc_5BCD83:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F859j
		xor	esi, esi
		mov	[ebp-34h], esi
		test	ecx, 7FFFFFFCh
		jz	loc_5BCF46
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	[ebp-8], eax
		mov	eax, ds:dword_6D07D0
		shr	edx, 15h
		cmp	ecx, eax
		mov	[ebp-30h], eax
		mov	eax, [ebp-8]
		jb	short loc_5BCDBA
		cmp	byte ptr ds:dword_6D3994[edx], 1
		jz	short loc_5BCDC8

loc_5BCDBA:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F88Fj
		cmp	ecx, [ebp-30h]
		jb	short loc_5BCDDD
		cmp	byte ptr ds:dword_6D3994[edx], 0Bh
		jnz	short loc_5BCDDD

loc_5BCDC8:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F898j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp-30h], eax
		mov	eax, [ebp-8]
		jmp	short loc_5BCDE3
; 

loc_5BCDDD:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F89Dj
					; RtlpHpLfhSubsegmentFreeBlock+11F8A6j
		or	edx, 0FFFFFFFFh
		mov	[ebp-30h], edx

loc_5BCDE3:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F8BBj
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	[ebp-2], cl
		mov	ecx, eax
		push	edx
		mov	edx, [ebp-14h]
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[ebp-40h], edx
		test	edx, edx
		jnz	short loc_5BCE32
		mov	ecx, [ebp-8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_5BCEBD
		push	edx
		push	dword ptr [ebp-30h]
		push	dword ptr [ebp-14h]
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BCE32:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F8EDj
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], esi
		jge	short loc_5BCE4A
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [ebp-40h]

loc_5BCE4A:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F91Ej
		mov	eax, [edx+2Ch]
		mov	esi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	esi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-40h], esi
		mov	[ebp-34h], esi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [ebp-8]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	byte ptr [ebp-2], 1
		mov	[ebp-30h], eax
		jnz	short loc_5BCEA7
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [ebp-30h]
		bts	eax, edx
		mov	[ecx+1E4h], al
		jmp	short loc_5BCEBD
; 

loc_5BCEA7:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F970j
		mov	ecx, [ebp-30h]
		mov	al, 1
		shl	al, cl
		mov	ecx, [ebp-8]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp-40h]

loc_5BCEBD:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F8FAj
					; RtlpHpLfhSubsegmentFreeBlock+11F985j
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, esi
		and	eax, 1FFFFh
		mov	[ebp-30h], eax
		jz	short loc_5BCF2E
		test	esi, 8000h
		jz	short loc_5BCEE5
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp-8]
		mov	eax, [ebp-30h]

loc_5BCEE5:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F9B6j
		test	byte ptr [ebp-32h], 1
		jz	short loc_5BCEFB
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp-8]
		mov	eax, [ebp-30h]

loc_5BCEFB:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F9C9j
		test	esi, 7FFFh
		jz	short loc_5BCF16
		and	esi, 7FFFh
		mov	edx, esi
		call	KiAbThreadUnboostCpuPriority
		mov	ecx, [ebp-8]
		mov	eax, [ebp-30h]

loc_5BCF16:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F9E1j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5BCF2E
		mov	edx, [ebp-14h]
		push	eax
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [ebp-8]

loc_5BCF2E:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F9AEj
					; RtlpHpLfhSubsegmentFreeBlock+11FA00j
		nop
		add	word ptr [ecx+13Eh], 1
		jnz	short loc_5BCF46
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_5BCF46
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5BCF46:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F86Ej
					; RtlpHpLfhSubsegmentFreeBlock+11FA17j	...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	esi, [ebp-50h]
		mov	ecx, [ebp-18h]
		jmp	loc_49D780
; 

loc_5BCF5D:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11F845j
		push	dword ptr [ebp-14h]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp-18h]
		jmp	loc_49D780
; 

loc_5BCF76:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+26Dj
		mov	ecx, edi
		and	ecx, 0FFFFFFFEh
		add	ecx, 2
		or	ecx, eax
		mov	eax, edi
		lock cmpxchg [esi], ecx
		cmp	eax, edi
		jz	short loc_5BCF94
		mov	ecx, [ebp-18h]
		mov	edi, eax
		jmp	loc_49D780
; 

loc_5BCF94:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+11FA68j
		xor	eax, eax
		mov	[ebp-8], eax
		jmp	loc_49D7B5
; 

loc_5BCF9E:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+67Aj
		sub	eax, 2
		mov	eax, [ebp-8]
		jnz	loc_49D866
		xor	edx, edx
		xor	esi, esi
		mov	[ebp-30h], esi
		jmp	loc_49D7E7
; 

loc_5BCFB6:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+694j
		lea	ecx, [eax+14h]
		xor	esi, esi
		jmp	loc_49D7F5
; 

loc_5BCFC0:				; CODE XREF: RtlpHpLfhSubsegmentFreeBlock+2DEj
					; RtlpHpLfhSubsegmentFreeBlock+2ECj ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5BCFC7:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+3CAj
		add	esi, eax
		jmp	loc_49DF94
; END OF FUNCTION CHUNK	FOR RtlpHpLfhSubsegmentFreeBlock
; 
; START	OF FUNCTION CHUNK FOR RtlpHpLfhSubsegmentDecommitPages

loc_5BCFCE:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+A9j
		test	dl, dl
		jnz	short loc_5BD000
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_5BCFEA
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp-10h]

loc_5BCFEA:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+11F210j
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_49DE92
; 

loc_5BD000:				; CODE XREF: RtlpHpLfhSubsegmentDecommitPages+11F200j
		push	ecx
		call	ExReleaseSpinLockSharedFromDpcLevel
		jmp	loc_49DE8D
; END OF FUNCTION CHUNK	FOR RtlpHpLfhSubsegmentDecommitPages
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVsContextFree

loc_5BD00B:				; CODE XREF: RtlpHpVsContextFree+37j
		shr	eax, 10h
		and	eax, 7FFFh
		jz	short loc_5BD03F
		shl	eax, 3
		mov	edx, edi
		sub	edx, eax
		mov	eax, [edx]
		xor	eax, ecx
		xor	eax, edx
		jl	short loc_5BD033
		shr	eax, 10h
		and	eax, 7FFFh
		jz	short loc_5BD03F
		imul	eax, -8
		add	edx, eax

loc_5BD033:				; CODE XREF: RtlpHpVsContextFree+11ECBEj
		mov	eax, [edx+4]
		xor	eax, ecx
		xor	eax, edx
		jmp	loc_49E3A8
; 

loc_5BD03F:				; CODE XREF: RtlpHpVsContextFree+11ECAFj
					; RtlpHpVsContextFree+11ECC8j
		mov	eax, esi
		jmp	loc_49E3AB
; 

loc_5BD046:				; CODE XREF: RtlpHpVsContextFree+70j
		push	esi
		push	esi
		push	esi
		push	edx
		push	12h
		jmp	short loc_5BD054
; 

loc_5BD04E:				; CODE XREF: RtlpHpVsContextFree+80j
		push	esi
		push	esi
		push	edi
		push	ecx
		push	8

loc_5BD054:				; CODE XREF: RtlpHpVsContextFree+11ECE8j
		mov	edx, [ebx+80h]
		xor	edx, ebx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	loc_49E418
; END OF FUNCTION CHUNK	FOR RtlpHpVsContextFree

;  S U B	R O U T	I N E 


sub_5BD067	proc near		; CODE XREF: ExGetHeapFromVA+41j
		push	ebx
		push	esi
		push	ebx
		push	ebx
		push	0C2h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BD076:				; CODE XREF: RtlpHpGetOwnerHeap+13j
					; RtlpHpGetOwnerHeap+54j
		push	dword ptr [ebp+0Ch]
		mov	ecx, edi
		push	dword ptr [ebp+8]
		call	_RtlpHpLargeAllocGetOwner@12 ; RtlpHpLargeAllocGetOwner(x,x,x)
		mov	ecx, eax
		jmp	loc_49E4D2
sub_5BD067	endp

; 
; START	OF FUNCTION CHUNK FOR MiRemoveFromSystemSpace

loc_5BD08A:				; CODE XREF: MiRemoveFromSystemSpace+32Dj
		push	0
		push	[esp+0D0h+var_94]
		push	[esp+0D4h+var_9C]
		push	ecx
		push	162h
		jmp	loc_49E640
; 

loc_5BD09F:				; CODE XREF: MiRemoveFromSystemSpace+20Cj
		mov	esi, [esp+0CCh+var_C0]
		mov	al, 1
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [esp+0CCh+var_A0]
		mov	eax, [esp+0CCh+var_C0]
		jmp	loc_49E794
; 

loc_5BD0BF:				; CODE XREF: MiRemoveFromSystemSpace+386j
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_49E8FA
; 

loc_5BD0CE:				; CODE XREF: MiRemoveFromSystemSpace+3AEj
		push	[esp+0CCh+var_BC]
		mov	edx, [esp+0D0h+var_9C]
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_49E922
; 

loc_5BD0E2:				; CODE XREF: MiRemoveFromSystemSpace+265j
		mov	ecx, eax
		call	ObfDereferenceObject
		jmp	loc_49E7D9
; 

loc_5BD0EE:				; CODE XREF: MiRemoveFromSystemSpace+2ACj
		mov	ecx, [esi+34h]
		push	9
		shl	edx, 0Ch
		and	ecx, 0FFFFF000h
		call	MiUnmapLargePages
		jmp	loc_49E839
; END OF FUNCTION CHUNK	FOR MiRemoveFromSystemSpace
; 
; START	OF FUNCTION CHUNK FOR MiInsertInSystemSpace

loc_5BD106:				; CODE XREF: MiInsertInSystemSpace+9Cj
		mov	eax, 0C000001Fh
		mov	ecx, 7FFFFh
		jmp	loc_5BD1A6
; 

loc_5BD115:				; CODE XREF: MiInsertInSystemSpace+BFj
		mov	eax, 0C0000017h
		mov	ecx, 7FFFFh
		jmp	loc_5BD1A6
; 

loc_5BD124:				; CODE XREF: MiInsertInSystemSpace+153j
		push	0
		push	ecx
		mov	ecx, [esp+0C8h+var_78]
		mov	edx, 9
		call	MiGetPageTablesForLargeMap
		mov	[esp+0C0h+var_88], eax
		test	eax, eax
		jnz	short loc_5BD149
		mov	eax, 0C000009Ah
		mov	ecx, 7FFFFh
		jmp	short loc_5BD1A6
; 

loc_5BD149:				; CODE XREF: MiInsertInSystemSpace+11E7FBj
		mov	esi, eax
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		mov	[esp+0C0h+var_84], esi
		jmp	loc_49EABD
; 

loc_5BD163:				; CODE XREF: MiInsertInSystemSpace+143j
		mov	ecx, 7FFFFh
		jmp	short loc_5BD1AA
; 

loc_5BD16A:				; CODE XREF: MiInsertInSystemSpace+170j
		mov	eax, 0C000009Ah
		mov	ecx, 7FFFFh
		jmp	short loc_5BD1A6
; 

loc_5BD176:				; CODE XREF: MiInsertInSystemSpace+198j
		mov	eax, 0C000009Ah
		mov	ecx, 7FFFFh
		jmp	short loc_5BD1A6
; 

loc_5BD182:				; CODE XREF: MiInsertInSystemSpace+1BBj
		or	eax, 1
		mov	[edx+24h], eax
		jmp	loc_49EB01
; 

loc_5BD18D:				; CODE XREF: MiInsertInSystemSpace+5D9j
		mov	ecx, 7FFFFh
		mov	eax, 0C0000017h
		mov	[esp+0C0h+var_98], ecx
		jmp	short loc_5BD1A6
; 

loc_5BD19D:				; CODE XREF: MiInsertInSystemSpace+520j
		mov	ecx, [esp+0C0h+var_98]
		mov	eax, 0C000012Dh

loc_5BD1A6:				; CODE XREF: MiInsertInSystemSpace+11E7D0j
					; MiInsertInSystemSpace+11E7DFj ...
		mov	[esp+0C0h+var_B8], eax

loc_5BD1AA:				; CODE XREF: MiInsertInSystemSpace+11E828j
		mov	edx, [esp+0C0h+var_7C]
		inc	dword ptr [edx+10h]
		mov	edx, [esp+0C0h+var_80]
		test	esi, esi
		jz	short loc_5BD1EF
		cmp	[esp+0C0h+var_74], 2
		jnb	short loc_5BD1D4
		mov	edx, [esp+0C0h+var_78]
		mov	ecx, [esp+0C0h+var_88]
		push	9
		shl	edx, 0Ch
		call	MiUnmapLargePages
		jmp	short loc_5BD1E3
; 

loc_5BD1D4:				; CODE XREF: MiInsertInSystemSpace+11E87Ej
		push	[esp+0C0h+var_78]
		mov	ecx, [esp+0C4h+var_94]
		mov	edx, esi
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_5BD1E3:				; CODE XREF: MiInsertInSystemSpace+11E892j
		mov	ecx, [esp+0C4h+var_9C]
		mov	eax, [esp+0C4h+var_BC]
		mov	edx, [esp+0C4h+var_84]

loc_5BD1EF:				; CODE XREF: MiInsertInSystemSpace+11E877j
		cmp	byte ptr [esp+0C4h+var_B8+3], 1
		mov	esi, [esp+0C4h+var_90]
		jnz	short loc_5BD214
		mov	edx, [ebp+arg_4]
		sub	esp, 8
		mov	ecx, esi
		push	edi
		call	_MiDereferenceDataSubsections@20 ; MiDereferenceDataSubsections(x,x,x,x,x)
		mov	edx, [esp+0C4h+var_84]
		mov	eax, [esp+0C4h+var_BC]
		mov	ecx, [esp+0C4h+var_9C]

loc_5BD214:				; CODE XREF: MiInsertInSystemSpace+11E8B8j
		cmp	ecx, 7FFFFh
		jz	short loc_5BD22D
		mov	edx, ecx
		mov	ecx, esi
		call	_MiDereferencePerSessionProtos@8 ; MiDereferencePerSessionProtos(x,x)
		mov	edx, [esp+0C4h+var_84]
		mov	eax, [esp+0C4h+var_BC]

loc_5BD22D:				; CODE XREF: MiInsertInSystemSpace+11E8DAj
		test	edx, edx
		jz	loc_49EE12
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+0C4h+var_BC]
		jmp	loc_49EE12
; 

loc_5BD246:				; CODE XREF: MiInsertInSystemSpace+262j
		mov	eax, offset unk_6D3C40
		jmp	loc_49EBAE
; 

loc_5BD250:				; CODE XREF: MiInsertInSystemSpace+5A2j
		push	0
		push	[esp+0C4h+var_B0]
		push	[esp+0C8h+var_98]
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BD265:				; CODE XREF: MiInsertInSystemSpace+415j
		mov	ecx, [esp+0D4h+var_C4]
		mov	al, 1
		shl	al, cl
		mov	ecx, [esp+0D4h+var_CC]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [esp+0D4h+var_98]
		jmp	loc_49ED6F
; 

loc_5BD283:				; CODE XREF: MiInsertInSystemSpace+60Aj
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+0C0h+var_B8]
		jmp	loc_49EF50
; 

loc_5BD296:				; CODE XREF: MiInsertInSystemSpace+639j
		push	[esp+0C0h+var_84]
		mov	edx, [esp+0C4h+var_98]
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [esp+0C0h+var_B8]
		jmp	loc_49ED87
; 

loc_5BD2AC:				; CODE XREF: MiInsertInSystemSpace+46Fj
		mov	eax, [esp+0C0h+var_8C]
		lock inc dword ptr [eax+34h]
		jmp	loc_49EDB5
; 

loc_5BD2B9:				; CODE XREF: MiInsertInSystemSpace+47Cj
		cmp	[esp+0C0h+var_78], 0
		mov	eax, [esp+0C0h+var_88]
		mov	edx, ds:_MiLargePageSizes[edi*4]
		mov	[esp+0C0h+var_90], eax
		mov	eax, [esp+0C0h+var_70]
		mov	[esp+0C0h+var_74], edx
		mov	[esp+0C0h+var_B0], 0
		mov	ecx, [eax+4]
		mov	eax, [esp+0C0h+var_60]
		lea	esi, [ecx+eax*8]
		mov	eax, [esp+0C0h+var_70]
		mov	eax, [eax+1Ch]
		lea	eax, [ecx+eax*8]
		mov	[esp+0C0h+var_84], eax
		jbe	loc_5BD383
		mov	ecx, 3
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	[esp+0C0h+var_68], eax
		mov	eax, edx
		shl	eax, 0Ch
		mov	[esp+0C0h+var_6C], eax
		lea	eax, ds:0[edx*8]
		mov	[esp+0C0h+var_94], eax

loc_5BD31D:				; CODE XREF: MiInsertInSystemSpace+11EA41j
		cmp	esi, [esp+0C0h+var_84]
		jnz	short loc_5BD33B
		mov	eax, [esp+0C0h+var_70]
		mov	eax, [eax+8]
		mov	[esp+0C0h+var_70], eax
		mov	esi, [eax+4]
		mov	eax, [eax+1Ch]
		lea	eax, [esi+eax*8]
		mov	[esp+0C0h+var_84], eax

loc_5BD33B:				; CODE XREF: MiInsertInSystemSpace+11E9E1j
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		push	1
		push	4
		shrd	ecx, eax, 0Ch
		push	edi
		push	edx
		mov	edx, [esp+0D0h+var_90]
		and	ecx, 1FFFFFFh
		push	ecx
		mov	ecx, [esp+0D4h+var_68]
		call	MiMapWithLargePages
		mov	eax, [esp+0C0h+var_90]
		add	eax, [esp+0C0h+var_6C]
		mov	edx, [esp+0C0h+var_74]
		add	esi, [esp+0C0h+var_94]
		mov	[esp+0C0h+var_90], eax
		mov	eax, [esp+0C0h+var_B0]
		add	eax, edx
		mov	[esp+0C0h+var_B0], eax
		cmp	eax, [esp+0C0h+var_78]
		jb	short loc_5BD31D

loc_5BD383:				; CODE XREF: MiInsertInSystemSpace+11E9B5j
		xor	esi, esi
		jmp	loc_49EE07
; 

loc_5BD38A:				; CODE XREF: MiInsertInSystemSpace+4C1j
		mov	eax, [esp+0C0h+var_7C]
		mov	ecx, eax
		mov	edx, [esp+0C0h+var_88]
		push	0
		inc	dword ptr [eax+10h]
		call	MiRemoveFromSystemSpace
		jmp	loc_49EE10
; END OF FUNCTION CHUNK	FOR MiInsertInSystemSpace
; 
; START	OF FUNCTION CHUNK FOR MiRemoveMappedPtes

loc_5BD3A3:				; CODE XREF: MiRemoveMappedPtes+F8j
		mov	eax, ecx
		and	eax, 800h
		or	eax, 0
		jz	short loc_5BD3D0
		mov	ecx, ebx
		call	_MiTryDeleteTransitionPte@8 ; MiTryDeleteTransitionPte(x,x)
		cmp	eax, 1
		jz	loc_4A025B
		cmp	eax, 3
		jnz	loc_4A023E
		inc	[ebp+var_C]
		jmp	loc_4A023E
; 

loc_5BD3D0:				; CODE XREF: MiRemoveMappedPtes+11D26Dj
		push	edx
		push	ecx
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		jmp	loc_4A023E
; END OF FUNCTION CHUNK	FOR MiRemoveMappedPtes
; 
; START	OF FUNCTION CHUNK FOR MI_WSLE_LOG_ACCESS

loc_5BD3E6:				; CODE XREF: MI_WSLE_LOG_ACCESS+2Cj
		push	ecx
		push	edi
		push	esi
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BD3F6:				; CODE XREF: MiUpdateWsleAge+2Aj
		mov	eax, [esi+4]
		or	dword ptr [esi], 20h
		mov	[esi+4], eax
		jmp	loc_4A0562
; END OF FUNCTION CHUNK	FOR MI_WSLE_LOG_ACCESS
; 
; START	OF FUNCTION CHUNK FOR ExProtectPoolEx

loc_5BD404:				; CODE XREF: ExProtectPoolEx+9Bj
		push	offset _ExpLargePoolTableLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4A06C2
; 

loc_5BD41C:				; CODE XREF: ExProtectPoolEx+F6j
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_C]
		add	ecx, 0FFFh
		add	eax, 0FFFh
		and	ecx, 0FFFFF000h
		and	eax, 0FFFFF000h
		cmp	eax, ecx
		jb	short loc_5BD444
		mov	ecx, [ebp+var_10]
		jmp	loc_4A064C
; 

loc_5BD444:				; CODE XREF: ExProtectPoolEx+11CEBEj
		mov	eax, [ebp+var_24]
		jmp	loc_4A0678
; 

loc_5BD44C:				; CODE XREF: ExProtectPoolEx+126j
		test	bl, 40h
		jz	loc_4A06C2
		cmp	edi, 8
		ja	loc_4A06C2
		jmp	loc_4A06A8
; END OF FUNCTION CHUNK	FOR ExProtectPoolEx
; 
; START	OF FUNCTION CHUNK FOR MmFreePoolMemory

loc_5BD463:				; CODE XREF: MmFreePoolMemory+3Bj
		push	[ebp+arg_0]
		push	ebx
		push	edi
		push	5305h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BD474:				; CODE XREF: MmFreePoolMemory+89j
		or	ebx, eax
		jmp	loc_4A12BF
; END OF FUNCTION CHUNK	FOR MmFreePoolMemory
; 
; START	OF FUNCTION CHUNK FOR MiLockNonPagedPoolPte

loc_5BD47B:				; CODE XREF: MiLockNonPagedPoolPte+52j
					; MiLockNonPagedPoolPte+5Bj
		mov	cl, [ecx]
		lea	eax, [edi+10h]
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4A1415
; 

loc_5BD493:				; CODE XREF: MiLockNonPagedPoolPte+20j
		push	0
		push	esi
		shl	esi, 9
		push	esi
		push	5307h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BD4A7:				; CODE XREF: MiClearNonPagedPtes+D7j
		call	_MiLogNonPagedPoolReleaseEvent@4 ; MiLogNonPagedPoolReleaseEvent(x)
		mov	ecx, [ebp+var_80]
		jmp	loc_4A15A1
; END OF FUNCTION CHUNK	FOR MiLockNonPagedPoolPte
; 
; START	OF FUNCTION CHUNK FOR MiReturnPhysicalPoolPages

loc_5BD4B4:				; CODE XREF: MiReturnPhysicalPoolPages+A3j
					; MiReturnPhysicalPoolPages+11BEEFj ...
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_5BD4B4
		lock bts dword ptr [edi], 1Fh
		jb	short loc_5BD4B4
		jmp	loc_4A1679
; 

loc_5BD4CD:				; CODE XREF: MiReturnPhysicalPoolPages+17Bj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_34]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A1773
; 

loc_5BD4DD:				; CODE XREF: MiReturnPhysicalPoolPages+19Dj
		lea	ecx, [ebp+var_34]
		call	KxWaitForLockChainValid

loc_5BD4E5:				; CODE XREF: MiReturnPhysicalPoolPages+186j
		mov	[ebp+var_34], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A1773
; END OF FUNCTION CHUNK	FOR MiReturnPhysicalPoolPages
; 
; START	OF FUNCTION CHUNK FOR MiGetVaAge

loc_5BD4FC:				; CODE XREF: MiGetVaAge+6j
		cmp	edx, 0C07FFFFFh
		ja	loc_4A1800
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		mov	ecx, [edx-40000000h]
		nop
		mov	eax, [edx-3FFFFFFCh]
		shrd	ecx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		mov	eax, [ecx+eax]
		shr	eax, 1
		and	al, 7
		retn
; END OF FUNCTION CHUNK	FOR MiGetVaAge
; 
; START	OF FUNCTION CHUNK FOR MiDeleteCachedKernelStack

loc_5BD538:				; CODE XREF: MiDeleteCachedKernelStack+18j
		push	eax
		push	edx
		push	ecx
		push	3472h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BD548:				; CODE XREF: MmFlushSection+D3j
		inc	[esp+14h+var_4]
		push	offset _MiShortTime
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		cmp	[esp+14h+var_4], 5
		jb	loc_4A245C
		jmp	loc_4A2499
; END OF FUNCTION CHUNK	FOR MiDeleteCachedKernelStack
; 
; START	OF FUNCTION CHUNK FOR MiEmptyDecayClusterTimers

loc_5BD56A:				; CODE XREF: MiEmptyDecayClusterTimers+B1j
		mov	edx, ebx
		lea	ecx, [esp+38h+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A2905
; 

loc_5BD57A:				; CODE XREF: MiEmptyDecayClusterTimers+136j
		mov	esi, [esp+38h+var_20]
		mov	edx, 1
		mov	ecx, esi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		mov	al, [esi+17h]
		mov	ecx, esi
		and	al, 0F7h
		mov	[esi+17h], al
		call	_MiRemoveDecayClusterTimer@4 ; MiRemoveDecayClusterTimer(x)
		test	ds:byte_70EFC6,	1
		jz	short loc_5BD5B3
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A29E1
; 

loc_5BD5B3:				; CODE XREF: MiEmptyDecayClusterTimers+11AD60j
		mov	eax, [esp+38h+var_C]
		test	eax, eax
		jnz	short loc_5BD62D
		mov	edx, [esp+38h+var_8]
		lea	eax, [esp+38h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_C]
		cmp	eax, ecx
		jz	loc_4A29E1
		jmp	short loc_5BD624
; 

loc_5BD5D7:				; CODE XREF: MiEmptyDecayClusterTimers+168j
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A29D0
; 

loc_5BD5E8:				; CODE XREF: MiEmptyDecayClusterTimers+154j
		test	ds:byte_70EFC6,	1
		jz	short loc_5BD602
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A29E1
; 

loc_5BD602:				; CODE XREF: MiEmptyDecayClusterTimers+11ADAFj
		mov	eax, [esp+38h+var_C]
		test	eax, eax
		jnz	short loc_5BD62D
		mov	edx, [esp+38h+var_8]
		lea	eax, [esp+38h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_C]
		cmp	eax, ecx
		jz	loc_4A29E1

loc_5BD624:				; CODE XREF: MiEmptyDecayClusterTimers+11AD95j
		lea	ecx, [esp+38h+var_C]
		call	KxWaitForLockChainValid

loc_5BD62D:				; CODE XREF: MiEmptyDecayClusterTimers+11AD79j
					; MiEmptyDecayClusterTimers+11ADC8j
		add	eax, 4
		mov	[esp+38h+var_C], 0
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_4A29E1
; 

loc_5BD645:				; CODE XREF: MiEmptyDecayClusterTimers+1C1j
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A2A29
; 

loc_5BD656:				; CODE XREF: MiEmptyDecayClusterTimers+1E3j
		lea	ecx, [esp+38h+var_C]
		call	KxWaitForLockChainValid
		jmp	loc_4A2A63
; END OF FUNCTION CHUNK	FOR MiEmptyDecayClusterTimers
; 
; START	OF FUNCTION CHUNK FOR MiClearPageFileHash

loc_5BD664:				; CODE XREF: MiClearPageFileHash+53j
		mov	eax, ds:dword_6D0704
		mov	ebx, ecx
		mov	edi, ds:dword_6D0700
		mov	[esp+30h+var_20], eax
		mov	eax, edi
		or	eax, [esp+30h+var_20]
		jz	short loc_5BD68F
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_5BD68F
		mov	ecx, [esp+30h+var_20]
		not	ecx
		and	ecx, ebx

loc_5BD68F:				; CODE XREF: MiClearPageFileHash+11AA0Bj
					; MiClearPageFileHash+11AA15j
		push	[esp+30h+var_18]
		dec	ecx
		push	edx
		push	0
		push	ecx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	[esp+30h+var_10], eax
		mov	[esp+30h+var_C], edx
		mov	[esi], eax
		nop
		mov	[esi+4], edx
		jmp	loc_4A2C8A
; END OF FUNCTION CHUNK	FOR MiClearPageFileHash
; 
; START	OF FUNCTION CHUNK FOR MiWriteComplete

loc_5BD6B0:				; CODE XREF: MiWriteComplete+3Dj
		mov	ecx, edi
		call	_MiRetardMdl@4	; MiRetardMdl(x)
		movzx	ecx, word ptr [edi+6]
		jmp	loc_4A2DC3
; 

loc_5BD6C0:				; CODE XREF: MiWriteComplete+7Bj
		mov	ecx, 1
		jmp	loc_4A2E03
; 

loc_5BD6CA:				; CODE XREF: MiWriteComplete+5A4j
		mov	ecx, eax
		xor	eax, edi
		cmp	eax, 7
		jb	loc_4A3304
		jmp	loc_4A3394
; 

loc_5BD6DC:				; CODE XREF: MiWriteComplete+C1j
		mov	eax, [esp+50h+var_38]
		test	eax, eax
		jnz	short loc_5BD6F7
		push	eax
		mov	eax, [esp+54h+var_3C]
		push	eax
		push	[esp+58h+var_34]
		push	20h
		push	7Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BD6F7:				; CODE XREF: MiWriteComplete+11A962j
		test	byte ptr [eax+1Ch], 10h
		jnz	loc_4A2E50
		mov	edx, [esp+64h+var_3C]
		mov	ecx, [esp+64h+var_48]
		call	_MiIsRetryIoStatus@8 ; MiIsRetryIoStatus(x,x)
		test	eax, eax
		jz	short loc_5BD727
		test	edi, edi
		jz	short loc_5BD727
		mov	eax, [esp+64h+var_50]
		add	eax, 20h
		cmp	[esp+64h+var_34], eax
		ja	loc_4A2E47

loc_5BD727:				; CODE XREF: MiWriteComplete+11A990j
					; MiWriteComplete+11A994j
		mov	esi, 1
		mov	[esp+64h+var_30], esi
		jmp	loc_4A2E50
; 

loc_5BD735:				; CODE XREF: MiWriteComplete+DEj
		mov	[eax+178h], ecx
		jmp	loc_4A2E6A
; 

loc_5BD740:				; CODE XREF: MiWriteComplete+F4j
		mov	edx, 1
		mov	ecx, edi
		call	_MiSetDeleteOnClose@8 ;	MiSetDeleteOnClose(x,x)
		jmp	loc_4A2E7A
; 

loc_5BD751:				; CODE XREF: MiWriteComplete+16Fj
		lea	esi, [ebx+10h]

loc_5BD754:				; CODE XREF: MiWriteComplete+11A9E1j
					; MiWriteComplete+11A9E8j
		lea	ecx, [esp+50h+var_14]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5BD754
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5BD754
		mov	esi, [ebp+arg_0]
		jmp	loc_4A2EF5
; 

loc_5BD772:				; CODE XREF: MiWriteComplete+1C8j
		or	eax, 4
		jmp	loc_4A2F51
; 

loc_5BD77A:				; CODE XREF: MiWriteComplete+2BCj
		push	0
		push	40h
		mov	edx, 70646D4Dh
		mov	ecx, 20h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_5BD7C2
		mov	ecx, [esp+50h+var_38]
		call	MiReferenceControlAreaFile
		push	1
		mov	[edi+10h], eax
		mov	eax, [esp+54h+var_34]
		push	edi
		mov	[edi+14h], eax
		mov	byte ptr [edi+1Ch], 1
		mov	dword ptr [edi+8], offset _MiLdwPopupWorker@4 ;	MiLdwPopupWorker(x)
		mov	[edi+0Ch], edi
		mov	dword ptr [edi], 0
		call	ExQueueWorkItem

loc_5BD7C2:				; CODE XREF: MiWriteComplete+11AA11j
		mov	edi, [esp+50h+var_40]
		jmp	loc_4A3042
; 

loc_5BD7CB:				; CODE XREF: MiWriteComplete+2F1j
		mov	ecx, [edi+160h]
		lea	eax, [edi+15Ch]
		cmp	[ecx], eax
		jz	short loc_5BD7E2
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5BD7E2:				; CODE XREF: MiWriteComplete+11AA59j
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		mov	[eax+4], ebx
		cmp	byte ptr [edi+174h], 1
		jnz	loc_4A3083
		lea	ecx, [edi+164h]
		mov	byte ptr [edi+174h], 0
		mov	edx, 1
		call	KeSignalGate
		jmp	loc_4A3083
; 

loc_5BD815:				; CODE XREF: MiWriteComplete+408j
		lea	esi, [eax+254h]
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	cl, [edi]
		mov	bl, al
		test	cl, cl
		jz	short loc_5BD88D
		cmp	byte ptr [edi+2], 0
		jz	short loc_5BD83D
		cmp	cl, 1
		jbe	short loc_5BD88D
		mov	byte ptr [edi+2], 0
		mov	byte ptr [edi],	0
		jmp	short loc_5BD88D
; 

loc_5BD83D:				; CODE XREF: MiWriteComplete+11AAADj
		sub	byte ptr [edi+1], 1
		jnz	short loc_5BD88D
		cmp	cl, 1
		jbe	short loc_5BD889
		mov	byte ptr [edi],	0
		jmp	short loc_5BD88D
; 

loc_5BD84D:				; CODE XREF: MiWriteComplete+5C3j
		test	eax, eax
		jz	loc_4A30CE
		mov	esi, [esp+50h+var_40]
		add	esi, 254h
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	cl, [edi]
		mov	bl, al
		test	cl, cl
		jnz	short loc_5BD874
		mov	word ptr [edi],	1010h
		jmp	short loc_5BD88D
; 

loc_5BD874:				; CODE XREF: MiWriteComplete+11AAEBj
		cmp	cl, 1
		jbe	short loc_5BD87D
		shr	cl, 1
		mov	[edi], cl

loc_5BD87D:				; CODE XREF: MiWriteComplete+11AAF7j
		cmp	byte ptr [edi+2], 0
		jnz	short loc_5BD88D
		sub	byte ptr [edi+1], 1
		jnz	short loc_5BD88D

loc_5BD889:				; CODE XREF: MiWriteComplete+11AAC6j
		mov	byte ptr [edi+2], 1

loc_5BD88D:				; CODE XREF: MiWriteComplete+11AAA7j
					; MiWriteComplete+11AAB2j ...
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4A30CE
; END OF FUNCTION CHUNK	FOR MiWriteComplete
; 
; START	OF FUNCTION CHUNK FOR MiWalkVaRange

loc_5BD8A0:				; CODE XREF: MiWalkVaRange+13Aj
		mov	ecx, [ebp-0B4h]
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	eax, [ebp-0A8h]
		xor	edx, edx
		mov	[ebp-0C4h], edx
		jmp	loc_4A3500
; 

loc_5BD8C4:				; CODE XREF: MiWalkVaRange+538j
					; MiWalkVaRange+542j ...
		mov	dword ptr [ebp-0C8h], 0C0000434h
		test	esi, esi
		jz	loc_4A37C1
		mov	eax, esi
		mov	[ebp-0A8h], eax
		jmp	loc_4A3539
; 

loc_5BD8E3:				; CODE XREF: MiWalkVaRange+49Aj
		push	esi
		push	edx
		call	_MI_PROTO_FORMAT_COMBINED@8 ; MI_PROTO_FORMAT_COMBINED(x,x)
		test	al, al
		jz	short loc_5BD937
		mov	edx, ds:dword_6D0700
		mov	eax, edx
		mov	ecx, ds:dword_6D0704
		or	eax, ecx
		mov	[ebp-0BCh], esi
		mov	[ebp-0B8h], ecx
		jz	loc_4A38E4
		mov	ecx, [ebp-0CCh]
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	loc_4A38E4
		mov	esi, [ebp-0B8h]
		not	esi
		and	esi, [ebp-0BCh]
		jmp	loc_4A38E4
; 

loc_5BD937:				; CODE XREF: MiWalkVaRange+11A52Cj
		mov	edx, [ebp-0CCh]
		jmp	loc_4A3860
; 

loc_5BD942:				; CODE XREF: MiWalkVaRange+4A9j
		cmp	dword ptr [ebx+0Ch], 1
		jnz	short loc_5BD957
		mov	dword ptr [ebp-0C8h], 0C0000434h
		jmp	loc_4A398C
; 

loc_5BD957:				; CODE XREF: MiWalkVaRange+11A586j
		mov	esi, [ebp-0ACh]
		test	esi, esi
		jz	short loc_5BD96E
		mov	dl, [ebp-0A1h]
		mov	ecx, esi
		call	MiUnlockProtoPoolPage

loc_5BD96E:				; CODE XREF: MiWalkVaRange+11A59Fj
		neg	esi
		lea	ecx, [ebp-0A0h]
		sbb	esi, esi
		not	esi
		and	esi, [ebp-0B0h]
		mov	[ebp-0B0h], esi
		call	MiFlushTbList
		push	dword ptr [ebp-0D4h]
		mov	ecx, [ebp-0A8h]
		mov	edx, 18h
		call	MiMakeProtoLeafValid
		mov	[ebp-0C8h], eax
		test	eax, eax
		mov	eax, [ebp-0A8h]
		jns	short loc_5BD9C8
		xor	ecx, ecx
		mov	dword ptr [ebp-0C8h], 0C0000434h
		mov	[ebp-0ACh], ecx
		jmp	loc_4A360F
; 

loc_5BD9C8:				; CODE XREF: MiWalkVaRange+11A5EFj
		sub	eax, 8
		mov	[ebp-0B0h], esi
		xor	ecx, ecx
		mov	[ebp-0ACh], ecx
		jmp	loc_4A360F
; 

loc_5BD9DE:				; CODE XREF: MiWalkVaRange+4D1j
		test	edx, edx
		jz	loc_4A3897

loc_5BD9E6:				; CODE XREF: MiWalkVaRange+4C3j
		mov	ecx, [ebp-0B4h]
		test	byte ptr [ecx+3A8h], 1
		jnz	loc_4A3897
		mov	dword ptr [ebp-0C8h], 0C0000434h
		jmp	loc_4A3609
; 

loc_5BDA08:				; CODE XREF: MiWalkVaRange+51Ej
		mov	eax, ds:dword_6D0700
		mov	edx, ds:dword_6D0704
		or	eax, edx
		mov	ecx, [ebp-0BCh]
		mov	[ebp-0B8h], ecx
		mov	[ebp-0DCh], edx
		jz	short loc_5BDA47
		mov	edx, [ebp-0CCh]
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_5BDA47
		mov	ecx, [ebp-0DCh]
		not	ecx
		and	ecx, [ebp-0B8h]

loc_5BDA47:				; CODE XREF: MiWalkVaRange+11A667j
					; MiWalkVaRange+11A677j
		cmp	esi, ecx
		jz	loc_4A38E4
		mov	eax, [ebp-0A8h]
		mov	esi, [ebp-0BCh]

loc_5BDA5B:				; CODE XREF: MiWalkVaRange+4DEj
					; MiWalkVaRange+4E8j
		mov	edx, ds:dword_6D0704
		mov	ecx, ds:dword_6D0700
		mov	[ebp-0E8h], edx
		or	ecx, edx
		mov	edx, [ebp-0CCh]
		mov	[ebp-0B8h], esi
		jz	short loc_5BDA9D
		mov	ecx, edx
		and	ecx, 10h
		or	ecx, 0
		jnz	short loc_5BDA97
		mov	esi, [ebp-0E8h]
		not	esi
		and	esi, [ebp-0B8h]
		jmp	short loc_5BDA9D
; 

loc_5BDA97:				; CODE XREF: MiWalkVaRange+11A6C5j
		mov	esi, [ebp-0B8h]

loc_5BDA9D:				; CODE XREF: MiWalkVaRange+11A6BBj
					; MiWalkVaRange+11A6D5j
		cmp	dword ptr [ebx+0Ch], 2
		jz	loc_4A38E4
		mov	dword ptr [ebp-0C8h], 0C0000434h
		jmp	loc_4A3609
; 

loc_5BDAB6:				; CODE XREF: MiWalkVaRange+1E4j
		cmp	dword ptr [ebp-0D0h], 0
		jnz	loc_4A3694
		mov	eax, [ebp-0A8h]
		mov	ecx, 1
		sub	eax, 8
		jmp	loc_4A360F
; 

loc_5BDAD6:				; CODE XREF: MiWalkVaRange+30Dj
		mov	esi, [ebp-0A8h]
		lea	ecx, [ebp-0A0h]
		push	0
		shl	esi, 9
		push	1
		mov	edx, esi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [ebp-0A0h]
		call	MiFlushTbList
		mov	edx, [ebp-0A8h]
		mov	ecx, esi
		push	0
		push	0FFFFFFFFh
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		mov	[ebp-0E4h], eax
		mov	eax, [ebp-0A8h]
		sub	eax, 8
		mov	dword ptr [ebp-0C0h], 1
		mov	[ebp-0A8h], eax
		jmp	loc_4A35F3
; 

loc_5BDB30:				; CODE XREF: MiWalkVaRange+318j
		mov	[ebp-0C8h], eax
		jmp	loc_4A35ED
; 

loc_5BDB3B:				; CODE XREF: MiWalkVaRange+3CCj
		mov	ecx, [ebp-0B4h]
		mov	edx, 0C0000434h
		lea	ecx, [ecx+240h]
		call	MiCopyOnWriteCheckConditions
		jmp	loc_4A3792
; 

loc_5BDB56:				; CODE XREF: MiWalkVaRange+414j
		mov	ecx, [ebp-0B4h]
		mov	edx, eax
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	loc_4A37DA
; END OF FUNCTION CHUNK	FOR MiWalkVaRange
; 
; START	OF FUNCTION CHUNK FOR MiReturnResavailToPrcb

loc_5BDB6E:				; CODE XREF: MiReturnResavailToPrcb+39j
		mov	edx, eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_4A4363
		add	eax, esi
		jmp	loc_4A4348
; END OF FUNCTION CHUNK	FOR MiReturnResavailToPrcb
; 
; START	OF FUNCTION CHUNK FOR MmIsWriteErrorFatal

loc_5BDB80:				; CODE XREF: MmIsWriteErrorFatal+Dj
		test	ecx, ecx
		jz	loc_4A43CD
		test	edx, edx
		jnz	loc_4A440F
		jmp	loc_4A43CD
; 

loc_5BDB95:				; CODE XREF: MmIsWriteErrorFatal+34j
		test	ecx, ecx
		jz	loc_4A440F
		test	edx, edx
		jnz	loc_4A43FF
		jmp	loc_4A440F
; 

loc_5BDBAA:				; CODE XREF: MmIsWriteErrorFatal+3Fj
		test	ecx, ecx
		jnz	loc_4A440F
		jmp	loc_4A43FF
; END OF FUNCTION CHUNK	FOR MmIsWriteErrorFatal
; 
; START	OF FUNCTION CHUNK FOR FsRtlReleaseFileForModWrite

loc_5BDBB7:				; CODE XREF: FsRtlReleaseFileForModWrite+93j
					; FsRtlReleaseFileForModWrite+A1j
		mov	al, 1
		jmp	loc_4A44F3
; 

loc_5BDBBE:				; CODE XREF: FsRtlReleaseFileForModWrite+B5j
		test	al, al
		jnz	loc_4A4501
		xor	eax, eax
		mov	[ebp+var_144], eax
		jmp	short loc_5BDBF0
; 

loc_5BDBD0:				; CODE XREF: FsRtlReleaseFileForModWrite+117j
		push	[ebp+var_128]
		call	_IoGetDeviceAttachmentBaseRef@4	; IoGetDeviceAttachmentBaseRef(x)
		mov	ebx, eax
		mov	[ebp+var_132], 1
		mov	eax, [ebx+8]
		mov	ecx, [eax+28h]
		mov	eax, [eax+18h]
		mov	edi, [eax+18h]

loc_5BDBF0:				; CODE XREF: FsRtlReleaseFileForModWrite+119788j
		mov	edx, [ebp+var_138]
		jmp	loc_4A4569
; 

loc_5BDBFB:				; CODE XREF: FsRtlReleaseFileForModWrite+FEj
		lea	ecx, [esi-126h]
		neg	ecx
		sbb	ecx, ecx
		and	esi, ecx
		jmp	loc_4A45B1
; 

loc_5BDC0C:				; CODE XREF: FsRtlReleaseFileForModWrite+F8j
					; FsRtlReleaseFileForModWrite+16Dj
		test	byte ptr [ebp+var_13C],	1
		jz	loc_4A45B9
		mov	ecx, [ebp+var_140]
		call	ExReleaseResourceLite
		xor	ecx, ecx
		mov	esi, ecx
		jmp	loc_4A45BB
; END OF FUNCTION CHUNK	FOR FsRtlReleaseFileForModWrite
; 
; START	OF FUNCTION CHUNK FOR KeYieldExecution

loc_5BDC2D:				; CODE XREF: KeYieldExecution+12j
		mov	eax, 0C000000Dh
		jmp	loc_4A4779
; 

loc_5BDC37:				; CODE XREF: KeYieldExecution+85j
					; KeYieldExecution+119503j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5BDC37
		jmp	loc_4A47C0
; 

loc_5BDC4A:				; CODE XREF: KeYieldExecution+BBj
		mov	eax, [ebp+var_4]
		cmp	byte ptr [eax+87h], 10h
		jge	loc_4A4801
		mov	edx, eax
		mov	ecx, 3
		jmp	loc_4A4801
; 

loc_5BDC66:				; CODE XREF: KeYieldExecution+109j
		mov	ebx, [ebp+var_4]
		mov	eax, [ebx+30h]
		mov	edx, [ebx+34h]
		jmp	loc_4A485F
; END OF FUNCTION CHUNK	FOR KeYieldExecution
; 
; START	OF FUNCTION CHUNK FOR FsRtlAcquireFileForModWriteEx

loc_5BDC74:				; CODE XREF: FsRtlAcquireFileForModWriteEx+8Dj
					; FsRtlAcquireFileForModWriteEx+9Bj
		mov	al, 1
		jmp	loc_4A49E3
; 

loc_5BDC7B:				; CODE XREF: FsRtlAcquireFileForModWriteEx+ABj
		test	al, al
		jnz	loc_4A49EF
		xor	eax, eax
		mov	[esp+160h+var_138], eax
		jmp	short loc_5BDCB0
; 

loc_5BDC8B:				; CODE XREF: FsRtlAcquireFileForModWriteEx+107j
		mov	ecx, [esp+160h+var_128]
		mov	edx, 746C6644h
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	ecx, eax
		mov	[esp+160h+var_13C], eax
		mov	[esp+160h+var_14D], 1
		mov	eax, [ecx+8]
		mov	ebx, [eax+28h]
		mov	eax, [eax+18h]
		mov	edi, [eax+18h]

loc_5BDCB0:				; CODE XREF: FsRtlAcquireFileForModWriteEx+11934Bj
		mov	edx, [esp+160h+var_14C]
		jmp	loc_4A4A4F
; 

loc_5BDCB9:				; CODE XREF: FsRtlAcquireFileForModWriteEx+F4j
		lea	ecx, [esi-126h]
		neg	ecx
		sbb	ecx, ecx
		and	esi, ecx
		jmp	loc_4A4A99
; 

loc_5BDCCA:				; CODE XREF: FsRtlAcquireFileForModWriteEx+155j
		mov	ecx, [esp+170h+var_14C]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		jmp	loc_4A4A99
; 

loc_5BDCDD:				; CODE XREF: FsRtlAcquireFileForModWriteEx+161j
		test	byte ptr [esp+170h+var_154], 1
		jz	loc_4A4AA5
		mov	eax, [esp+170h+var_15C]
		mov	edi, [eax+0Ch]
		mov	ecx, [edi+8]
		test	ecx, ecx
		jnz	short loc_5BDD13
		mov	eax, [esp+20h]
		mov	[eax], ecx
		jmp	short loc_5BDD0C
; 

loc_5BDCFE:				; CODE XREF: FsRtlAcquireFileForModWriteEx+11945Cj
					; FsRtlAcquireFileForModWriteEx+1194C2j
		push	esi
		call	ExConvertExclusiveToSharedLite

loc_5BDD04:				; CODE XREF: FsRtlAcquireFileForModWriteEx+119465j
					; FsRtlAcquireFileForModWriteEx+11946Fj ...
		mov	eax, [esp+20h]
		xor	ecx, ecx
		mov	[eax], esi

loc_5BDD0C:				; CODE XREF: FsRtlAcquireFileForModWriteEx+1193BEj
		mov	esi, ecx
		jmp	loc_4A4AA7
; 

loc_5BDD13:				; CODE XREF: FsRtlAcquireFileForModWriteEx+1193B6j
		mov	dl, [edi+4]
		test	dl, 8
		jnz	short loc_5BDD5A
		mov	eax, [esp+170h+var_158]
		mov	ebx, [edi+24h]
		mov	esi, [edi+20h]
		mov	eax, [eax+4]
		cmp	eax, ebx
		jl	short loc_5BDD42
		jg	short loc_5BDD38
		mov	eax, [esp+170h+var_158]
		mov	eax, [eax]
		cmp	eax, esi
		jbe	short loc_5BDD42

loc_5BDD38:				; CODE XREF: FsRtlAcquireFileForModWriteEx+1193EEj
		cmp	esi, [edi+18h]
		jnz	short loc_5BDD5A
		cmp	ebx, [edi+1Ch]
		jnz	short loc_5BDD5A

loc_5BDD42:				; CODE XREF: FsRtlAcquireFileForModWriteEx+1193ECj
					; FsRtlAcquireFileForModWriteEx+1193F8j
		test	dl, 10h
		jnz	short loc_5BDD54
		mov	esi, [edi+0Ch]
		test	esi, esi
		jz	short loc_5BDD54
		xor	eax, eax
		mov	bl, al
		jmp	short loc_5BDD60
; 

loc_5BDD54:				; CODE XREF: FsRtlAcquireFileForModWriteEx+119407j
					; FsRtlAcquireFileForModWriteEx+11940Ej
		xor	eax, eax
		mov	bl, al
		jmp	short loc_5BDD5E
; 

loc_5BDD5A:				; CODE XREF: FsRtlAcquireFileForModWriteEx+1193DBj
					; FsRtlAcquireFileForModWriteEx+1193FDj ...
		mov	bl, 1
		xor	eax, eax

loc_5BDD5E:				; CODE XREF: FsRtlAcquireFileForModWriteEx+11941Aj
		mov	esi, ecx

loc_5BDD60:				; CODE XREF: FsRtlAcquireFileForModWriteEx+119414j
					; FsRtlAcquireFileForModWriteEx+119483j
		push	eax
		push	esi
		test	bl, bl
		jz	short loc_5BDD6D
		call	ExAcquireResourceExclusiveLite
		jmp	short loc_5BDD72
; 

loc_5BDD6D:				; CODE XREF: FsRtlAcquireFileForModWriteEx+119426j
		call	ExAcquireSharedWaitForExclusive

loc_5BDD72:				; CODE XREF: FsRtlAcquireFileForModWriteEx+11942Dj
		test	al, al
		jz	short loc_5BDDEE
		mov	cl, [edi+4]
		test	cl, 8
		jnz	short loc_5BDDAB
		mov	edx, [esp+170h+var_158]
		mov	eax, [edx+4]
		cmp	eax, [edi+24h]
		jg	short loc_5BDDAB
		jl	short loc_5BDD93
		mov	eax, [edx]
		cmp	eax, [edi+20h]
		ja	short loc_5BDDAB

loc_5BDD93:				; CODE XREF: FsRtlAcquireFileForModWriteEx+11944Cj
		test	cl, 10h
		jz	short loc_5BDDC3
		test	bl, bl
		jnz	loc_5BDCFE
		cmp	esi, [edi+8]
		jz	loc_5BDD04
		jmp	short loc_5BDDB3
; 

loc_5BDDAB:				; CODE XREF: FsRtlAcquireFileForModWriteEx+11943Ej
					; FsRtlAcquireFileForModWriteEx+11944Aj ...
		test	bl, bl
		jnz	loc_5BDD04

loc_5BDDB3:				; CODE XREF: FsRtlAcquireFileForModWriteEx+11946Bj
		mov	ecx, esi
		call	ExReleaseResourceLite
		mov	esi, [edi+8]
		mov	bl, 1
		xor	eax, eax
		jmp	short loc_5BDD60
; 

loc_5BDDC3:				; CODE XREF: FsRtlAcquireFileForModWriteEx+119458j
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	short loc_5BDDF8
		cmp	esi, eax
		jz	short loc_5BDDF8
		xor	esi, esi
		push	esi
		push	eax
		call	ExAcquireSharedWaitForExclusive
		test	al, al
		jz	short loc_5BDDDE
		mov	esi, [edi+0Ch]

loc_5BDDDE:				; CODE XREF: FsRtlAcquireFileForModWriteEx+11949Bj
		mov	ecx, [edi+8]
		call	ExReleaseResourceLite
		test	esi, esi
		jnz	loc_5BDD04

loc_5BDDEE:				; CODE XREF: FsRtlAcquireFileForModWriteEx+119436j
		mov	esi, 0C00000D8h
		jmp	loc_4A4AA5
; 

loc_5BDDF8:				; CODE XREF: FsRtlAcquireFileForModWriteEx+11948Aj
					; FsRtlAcquireFileForModWriteEx+11948Ej
		test	bl, bl
		jz	loc_5BDD04
		jmp	loc_5BDCFE
; 

loc_5BDE05:				; CODE XREF: FsRtlAcquireFileForModWriteEx+187j
		lea	ecx, [esp+170h+var_140]
		call	_FsFilterFreeCompletionStack@4 ; FsFilterFreeCompletionStack(x)
		jmp	loc_4A4ACB
; END OF FUNCTION CHUNK	FOR FsRtlAcquireFileForModWriteEx
; 
; START	OF FUNCTION CHUNK FOR FsFilterPerformCallbacks

loc_5BDE13:				; CODE XREF: FsFilterPerformCallbacks+2A6j
		mov	eax, 0FFFFh
		add	[edi+2Eh], ax
		jmp	loc_4A4D47
; 

loc_5BDE21:				; CODE XREF: FsFilterPerformCallbacks+C8j
					; FsFilterPerformCallbacks+DDj
		cmp	[ebp+var_1], 0
		jnz	short loc_5BDE36
		push	0
		push	0
		push	0
		push	0
		push	22h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BDE36:				; CODE XREF: FsFilterPerformCallbacks+119205j
		mov	eax, 0C000009Ah
		jmp	loc_4A4D5A
; 

loc_5BDE40:				; CODE XREF: FsFilterPerformCallbacks+2C0j
		push	0
		push	38Ch
		push	0
		push	eax
		push	22h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BDE51:				; CODE XREF: FsFilterPerformCallbacks+178j
					; FsFilterPerformCallbacks+2D4j
		mov	ecx, 0FFFFh
		add	[edi+2Eh], cx
		jmp	loc_4A4D5A
; END OF FUNCTION CHUNK	FOR FsFilterPerformCallbacks
; 
; START	OF FUNCTION CHUNK FOR FsFilterCtrlInit

loc_5BDE5F:				; CODE XREF: FsFilterCtrlInit+4Fj
		mov	dl, [ebp+arg_C]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, esi
		call	_FsFilterAllocateCompletionStack@12 ; FsFilterAllocateCompletionStack(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_4A4F97
		mov	eax, [esi+30h]
		mov	ecx, [ebp+var_4]
		jmp	loc_4A4F89
; END OF FUNCTION CHUNK	FOR FsFilterCtrlInit
; 
; START	OF FUNCTION CHUNK FOR MI_UNLOCK_RELOCATIONS_EXCLUSIVE

loc_5BDE82:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+178j
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BDE95:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+109j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_4A5129
; 

loc_5BDEAC:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+1AAj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4A51BA
; 

loc_5BDEBB:				; CODE XREF: MI_UNLOCK_RELOCATIONS_EXCLUSIVE+1D4j
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4A513C
; END OF FUNCTION CHUNK	FOR MI_UNLOCK_RELOCATIONS_EXCLUSIVE
; 
; START	OF FUNCTION CHUNK FOR MmStoreProbeAndLockPages

loc_5BDECD:				; CODE XREF: MmStoreProbeAndLockPages+36j
		and	eax, 0FFFFFFFBh
		or	eax, 8
		jmp	loc_4A546C
; 

loc_5BDED8:				; CODE XREF: MmStoreProbeAndLockPages+A5j
		mov	ebx, eax

loc_5BDEDA:				; CODE XREF: MmStoreProbeAndLockPages+118ABDj
					; MmStoreProbeAndLockPages+118AC4j
		lea	ecx, [esp+80h+var_6C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_5BDEDA
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_5BDEDA
		mov	ebx, [esp+80h+var_68]
		mov	eax, [esp+80h+var_70]
		mov	ecx, [esp+80h+var_64]
		jmp	loc_4A54D5
; 

loc_5BDF01:				; CODE XREF: MmStoreProbeAndLockPages+7Fj
		push	edi
		push	[esp+84h+var_60]
		push	esi
		push	6001h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BDF14:				; CODE XREF: MiProbeLeafFrame+3Ej
		cmp	[ebp+var_4], 1
		jz	short loc_5BDF30
		mov	ecx, esi
		call	MiFaultInProbeAddress
		test	eax, eax
		jns	short loc_5BDF30
		inc	ds:dword_6D30A0
		jmp	loc_4A55B9
; 

loc_5BDF30:				; CODE XREF: MmStoreProbeAndLockPages+118AEEj
					; MmStoreProbeAndLockPages+118AF9j
		mov	ecx, esi
		call	MiLockPageLeafPageTable
		mov	edi, eax
		mov	eax, [esi+18h]
		cmp	eax, ds:_ZeroPte
		jnz	loc_4A5584
		mov	eax, [esi+1Ch]
		cmp	eax, ds:dword_40F9FC
		jmp	loc_4A5582
; END OF FUNCTION CHUNK	FOR MmStoreProbeAndLockPages
; 
; START	OF FUNCTION CHUNK FOR MiReferencePageForModifiedWrite

loc_5BDF56:				; CODE XREF: MiReferencePageForModifiedWrite+1Fj
		or	edx, 2
		jmp	loc_4A5875
; 

loc_5BDF5E:				; CODE XREF: MiReferencePageForModifiedWrite+7Aj
		mov	edx, 1Ch
		mov	ecx, esi
		call	MiClearPfnImageVerified
		jmp	loc_4A58D0
; END OF FUNCTION CHUNK	FOR MiReferencePageForModifiedWrite
; 
; START	OF FUNCTION CHUNK FOR MiChargeForWriteInProgressPage

loc_5BDF6F:				; CODE XREF: MiChargeForWriteInProgressPage+12j
		mov	[ebp+var_8], 4
		or	edx, 0FFFFFFFFh
		jmp	loc_4A5911
; 

loc_5BDF7E:				; CODE XREF: MiChargeForWriteInProgressPage+53j
		mov	ecx, eax
		cmp	eax, 1
		jnb	loc_4A5933
		jmp	loc_4A598B
; 

loc_5BDF8E:				; CODE XREF: MiChargeForWriteInProgressPage+7Fj
		mov	edx, 1
		mov	ecx, edi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	loc_4A5987
		lea	ecx, [edi+1000h]
		lock xadd [ecx], eax
		jmp	loc_4A5987
; END OF FUNCTION CHUNK	FOR MiChargeForWriteInProgressPage
; 
; START	OF FUNCTION CHUNK FOR MiGatherMappedPages

loc_5BDFB1:				; CODE XREF: MiGatherMappedPages+5Bj
		lea	eax, [esi+254h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_5], al
		cmp	[esi+25Dh], bl
		jz	short loc_5BDFD7
		mov	[esi+25Dh], bl
		mov	[esi+25Bh], bl
		xor	ebx, ebx
		inc	ebx

loc_5BDFD7:				; CODE XREF: MiGatherMappedPages+118422j
		lea	eax, [esi+254h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_5]
		call	[ebp+var_C]
		xor	edx, edx
		jmp	loc_4A5C05
; 

loc_5BDFF0:				; CODE XREF: MiGatherMappedPages+D5j
		mov	ebx, [ebp+var_10]
		jmp	loc_4A5C93
; 

loc_5BDFF8:				; CODE XREF: MiGatherMappedPages+F6j
		xor	edx, edx
		mov	ecx, edi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		mov	ecx, [edi+8]
		nop
		mov	eax, [edi+0Ch]
		nop
		shrd	ecx, eax, 5
		shr	eax, 5
		mov	[ebp+var_20], eax
		mov	eax, [edi+18h]
		and	eax, 70000000h
		mov	[ebp+var_14], ecx
		cmp	eax, 30000000h
		jnz	short loc_5BE067
		push	1Ch
		pop	edx
		mov	ecx, edi
		call	MiClearPfnImageVerified
		test	byte ptr ds:_MiFlags+2,	1
		mov	ecx, [ebp+var_14]
		jz	short loc_5BE067
		test	cl, 2
		jz	short loc_5BE067
		test	dword ptr [ebx+34h], 0C0000h
		jz	short loc_5BE067
		mov	edx, ds:_MiFlags
		mov	ecx, edi
		shr	edx, 11h
		not	edx
		and	edx, 1
		shl	edx, 5
		add	edx, 6
		call	_MiMarkPfnVerified@8 ; MiMarkPfnVerified(x,x)
		mov	ecx, [ebp+var_14]

loc_5BE067:				; CODE XREF: MiGatherMappedPages+11847Fj
					; MiGatherMappedPages+118495j ...
		and	ecx, 1Fh
		xor	eax, eax
		shld	eax, ecx, 5
		shl	ecx, 5
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], edx
		mov	[edi+8], eax
		nop
		push	3
		mov	[edi+0Ch], edx
		xor	edx, edx
		push	ecx
		mov	ecx, ebx
		call	MiDereferenceControlAreaPfnList
		push	8
		jmp	loc_4A5E80
; 

loc_5BE09A:				; CODE XREF: MiGatherMappedPages+114j
		mov	eax, [ebp+var_20]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	loc_4A5E75
; 

loc_5BE0A8:				; CODE XREF: MiGatherMappedPages+3F3j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_4A5CD2
; 

loc_5BE0B2:				; CODE XREF: MiGatherMappedPages+16Bj
		xor	eax, eax
		jmp	loc_4A5D22
; 

loc_5BE0B9:				; CODE XREF: MiGatherMappedPages+1F6j
		or	ecx, [ebp+var_18]
		jmp	loc_4A5DA3
; 

loc_5BE0C1:				; CODE XREF: MiGatherMappedPages+41Dj
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_4A5FD4
; 

loc_5BE0D1:				; CODE XREF: MiGatherMappedPages+213j
		add	ebx, 20h
		mov	ecx, [ebx]
		mov	eax, ecx
		jmp	short loc_5BE0E9
; 

loc_5BE0DA:				; CODE XREF: MiGatherMappedPages+11854Aj
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jz	short loc_5BE0FB
		mov	ecx, eax

loc_5BE0E9:				; CODE XREF: MiGatherMappedPages+118534j
		xor	eax, esi
		cmp	eax, 7
		jb	short loc_5BE0DA
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag

loc_5BE0FB:				; CODE XREF: MiGatherMappedPages+118541j
		mov	[ebp+var_10], 1
		mov	ecx, 0C0000098h
		jmp	loc_4A5E2C
; 

loc_5BE10C:				; CODE XREF: MiGatherMappedPages+272j
		mov	ecx, eax
		jmp	loc_4A5E00
; 

loc_5BE113:				; CODE XREF: MiGatherMappedPages+332j
		cmp	eax, 420h
		jnb	short loc_5BE120
		dec	edx
		mov	[ebp+var_1C], edx
		jmp	short loc_5BE124
; 

loc_5BE120:				; CODE XREF: MiGatherMappedPages+118574j
		and	[ebp+var_1C], 0

loc_5BE124:				; CODE XREF: MiGatherMappedPages+11857Aj
		mov	edx, [ebp+var_18]
		cmp	eax, 420h
		sbb	eax, eax
		and	eax, edx
		add	edx, eax
		mov	eax, [ebp+var_1C]
		mov	[ecx+184h], eax
		jmp	loc_4A5EEA
; 

loc_5BE140:				; CODE XREF: MiGatherMappedPages+33Dj
		cmp	eax, 0A0h
		push	4
		sbb	eax, eax
		and	eax, 18h
		add	eax, 8
		mov	[ecx+184h], eax
		pop	edx
		jmp	loc_4A5EEA
; 

loc_5BE15B:				; CODE XREF: MiGatherMappedPages+361j
		mov	edx, [ebp+var_14]
		push	ecx
		push	ecx
		call	_MiFlushFileOnlyMdl@16 ; MiFlushFileOnlyMdl(x,x,x,x)
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		lea	eax, [edi+8]
		push	0
		push	eax
		jmp	loc_4A5E43
; 

loc_5BE17A:				; CODE XREF: MiGatherMappedPages+3B9j
		mov	ecx, eax
		jmp	loc_4A5F4B
; END OF FUNCTION CHUNK	FOR MiGatherMappedPages
; 
; START	OF FUNCTION CHUNK FOR CcNotifyOfMappedWrite

loc_5BE181:				; CODE XREF: CcNotifyOfMappedWrite+87j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_34]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A609F
; 

loc_5BE191:				; CODE XREF: CcNotifyOfMappedWrite+C1j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_40]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A60D9
; 

loc_5BE1A1:				; CODE XREF: CcNotifyOfMappedWrite+15Bj
		push	0
		mov	dl, 1
		mov	ecx, ebx
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		jmp	loc_4A6151
; 

loc_5BE1B1:				; CODE XREF: CcNotifyOfMappedWrite+1F6j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_34]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A620E
; 

loc_5BE1C1:				; CODE XREF: CcNotifyOfMappedWrite+218j
		lea	ecx, [ebp+var_34]
		call	KxWaitForLockChainValid

loc_5BE1C9:				; CODE XREF: CcNotifyOfMappedWrite+201j
		mov	[ebp+var_34], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A620E
; 

loc_5BE1E0:				; CODE XREF: CcNotifyOfMappedWrite+254j
		mov	eax, edi
		lea	edx, [ebx+94h]
		or	eax, 1
		mov	[esi+160h], eax
		jmp	loc_4A6256
; 

loc_5BE1F6:				; CODE XREF: CcNotifyOfMappedWrite+272j
		call	CcPostWorkQueueCachemapUninit
		jmp	loc_4A626D
; 

loc_5BE200:				; CODE XREF: CcNotifyOfMappedWrite+235j
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		and	dword ptr [esi+60h], 0FFFFFFDFh
		mov	edi, 2
		dec	dword ptr [esi+4Ch]
		mov	[ebp+var_4], edi
		jmp	loc_4A6151
; 

loc_5BE219:				; CODE XREF: CcNotifyOfMappedWrite+3A1j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_40]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A63B9
; 

loc_5BE229:				; CODE XREF: CcNotifyOfMappedWrite+3C3j
		lea	ecx, [ebp+var_40]
		call	KxWaitForLockChainValid

loc_5BE231:				; CODE XREF: CcNotifyOfMappedWrite+3ACj
		mov	[ebp+var_40], ebx
		mov	ecx, edi
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A63B9
; 

loc_5BE241:				; CODE XREF: CcNotifyOfMappedWrite+29Dj
		lea	ecx, [ebp+var_34]
		call	KeReleaseInStackQueuedSpinLock
		push	0
		push	0
		push	0C0000420h
		push	12BAh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BE25E:				; CODE XREF: CcNotifyOfMappedWrite+2C0j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_34]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A62D8
; 

loc_5BE26E:				; CODE XREF: CcNotifyOfMappedWrite+2E2j
		lea	ecx, [ebp+var_34]
		call	KxWaitForLockChainValid

loc_5BE276:				; CODE XREF: CcNotifyOfMappedWrite+2CBj
		mov	[ebp+var_34], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A62D8
; 

loc_5BE28D:				; CODE XREF: CcNotifyOfMappedWrite+316j
		test	byte ptr [esi+60h], 4
		jz	loc_4A632F
		jmp	loc_4A630C
; 

loc_5BE29C:				; CODE XREF: CcNotifyOfMappedWrite+38Dj
		lea	ecx, [ebp+var_34]
		call	KxWaitForLockChainValid

loc_5BE2A4:				; CODE XREF: CcNotifyOfMappedWrite+370j
		mov	[ebp+var_34], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A619B
; 

loc_5BE2BB:				; CODE XREF: CcNotifyOfMappedWrite+351j
		push	0
		push	0
		push	0C0000420h
		push	12B2h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BE2D0:				; CODE XREF: CcNotifyOfMappedWrite+183j
					; CcNotifyOfMappedWrite+365j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_34]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A619B
; END OF FUNCTION CHUNK	FOR CcNotifyOfMappedWrite
; 
; START	OF FUNCTION CHUNK FOR MiReleaseSystemCacheView

loc_5BE2E0:				; CODE XREF: MiReleaseSystemCacheView+113j
		mov	[ebp+edi*4+var_25+1], esi
		inc	edi
		jmp	loc_4A65A6
; 

loc_5BE2EA:				; CODE XREF: MiReleaseSystemCacheView+80j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_38]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A651C
; 

loc_5BE2FA:				; CODE XREF: MiReleaseSystemCacheView+149j
					; MiReleaseSystemCacheView+117E8Aj
		mov	ecx, [ebp+esi*4+var_25+1]
		call	_MiWaitForSystemCacheViewFlush@4 ; MiWaitForSystemCacheViewFlush(x)
		inc	esi
		cmp	esi, edi
		jb	short loc_5BE2FA
		jmp	loc_4A65CB
; END OF FUNCTION CHUNK	FOR MiReleaseSystemCacheView
; 
; START	OF FUNCTION CHUNK FOR CcGetVacbMiss

loc_5BE30D:				; CODE XREF: CcGetVacbMiss+5Fj
		or	[ebp+var_14], 2
		jmp	loc_4A66B5
; 

loc_5BE316:				; CODE XREF: CcGetVacbMiss+84j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A66F7
; 

loc_5BE325:				; CODE XREF: CcGetVacbMiss+B2j
					; CcGetVacbMiss+117D60j
		mov	ebx, [ebp+var_18]
		mov	edx, 40h
		push	0
		push	0
		mov	ecx, [ebx+4]
		call	_CcUnmapInactiveViews@16 ; CcUnmapInactiveViews(x,x,x,x)
		test	eax, eax
		jz	short loc_5BE3BB
		mov	ecx, 4
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	dl, byte ptr [ebp+var_C]
		mov	ecx, ebx
		mov	byte ptr [ebp+arg_8+3],	al
		call	CcGetVacbFromFreeList
		mov	ecx, large fs:20h
		mov	edi, eax
		test	ds:byte_70EFC6,	1
		lea	ebx, [ecx+438h]
		jz	short loc_5BE378
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BE3A5
; 

loc_5BE378:				; CODE XREF: CcGetVacbMiss+117D1Aj
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5BE394
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jz	short loc_5BE3A5
		mov	ecx, ebx
		call	KxWaitForLockChainValid

loc_5BE394:				; CODE XREF: CcGetVacbMiss+117D2Cj
		mov	dword ptr [ebx], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BE3A5:				; CODE XREF: CcGetVacbMiss+117D26j
					; CcGetVacbMiss+117D3Bj
		mov	cl, byte ptr [ebp+arg_8+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	loc_5BE325
		jmp	loc_4A6708
; 

loc_5BE3BB:				; CODE XREF: CcGetVacbMiss+117CEBj
		test	edi, edi
		jnz	loc_4A6708
		cmp	[ebp+arg_0], 1
		jnz	short loc_5BE3CF
		inc	ds:_CcDbgNumberOfFailedHighPriorityMappingsDueToCcResources

loc_5BE3CF:				; CODE XREF: CcGetVacbMiss+117D77j
		mov	eax, 0C000009Ah

loc_5BE3D4:				; CODE XREF: CcGetVacbMiss+1C7j
					; CcGetVacbMiss+117E63j
		cmp	byte ptr [ebp+var_C], 0
		jnz	loc_5BE4DC
		cmp	[ebp+arg_0], 1
		jnz	loc_5BE4DC
		mov	edi, [ebp+var_18]
		mov	bl, 1
		mov	byte ptr [ebp+var_C], bl
		jmp	loc_4A66A0
; 

loc_5BE3F5:				; CODE XREF: CcGetVacbMiss+150j
		push	[ebp+var_14]
		mov	ebx, 0C000009Ah
		mov	edx, esi
		mov	ecx, edi
		mov	[ebp+var_8], ebx
		call	CcUnmapVacb
		jmp	short loc_5BE40E
; 

loc_5BE40B:				; CODE XREF: CcGetVacbMiss+13Cj
					; CcGetVacbMiss+15Dj
		mov	ebx, [ebp+var_8]

loc_5BE40E:				; CODE XREF: CcGetVacbMiss+117DB9j
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		call	_CcReleaseBcbLockAndVacbLock@8 ; CcReleaseBcbLockAndVacbLock(x,x)
		cmp	byte ptr [ebp+var_C], 0
		jz	short loc_5BE426
		inc	ds:_CcDbgNumberOfFailedHighPriorityMappingsDueToMmResources
		jmp	short loc_5BE42C
; 

loc_5BE426:				; CODE XREF: CcGetVacbMiss+117DCCj
		mov	dword ptr [edi], 0

loc_5BE42C:				; CODE XREF: CcGetVacbMiss+117DD4j
		mov	ecx, 4
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		push	[ebp+var_C]
		mov	ecx, [ebp+var_18]
		mov	edx, edi
		mov	byte ptr [ebp+arg_8+3],	al
		call	_CcSetVacbInFreeList@12	; CcSetVacbInFreeList(x,x,x)
		mov	ecx, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	edi, [ecx+438h]
		jz	short loc_5BE468
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BE495
; 

loc_5BE468:				; CODE XREF: CcGetVacbMiss+117E0Aj
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5BE484
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_5BE495
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_5BE484:				; CODE XREF: CcGetVacbMiss+117E1Cj
		mov	dword ptr [edi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BE495:				; CODE XREF: CcGetVacbMiss+117E16j
					; CcGetVacbMiss+117E2Bj
		mov	cl, byte ptr [ebp+arg_8+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ebx
		xor	edi, edi
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		test	al, al
		jnz	loc_4A6812
		mov	eax, 0C00000EBh
		jmp	loc_5BE3D4
; 

loc_5BE4B8:				; CODE XREF: CcGetVacbMiss+253j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A68BE
; 

loc_5BE4C7:				; CODE XREF: CcGetVacbMiss+16Fj
		push	0
		push	0
		push	0C0000420h
		push	770h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BE4DC:				; CODE XREF: CcGetVacbMiss+117D88j
					; CcGetVacbMiss+117D92j
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

loc_5BE4E3:				; CODE XREF: CcIncrementVacbActiveCount+15j
		push	0
		push	0
		push	0C0000420h
		push	9FFh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BE4F9:				; CODE XREF: MmMapViewInSystemCache+5Aj
		mov	eax, 0C0000088h
		jmp	loc_4A6BE8
; END OF FUNCTION CHUNK	FOR CcGetVacbMiss
; 
; START	OF FUNCTION CHUNK FOR MmMapViewInSystemCache

loc_5BE503:				; CODE XREF: MmMapViewInSystemCache+77j
		mov	ecx, 1
		jmp	loc_4A69BF
; 

loc_5BE50D:				; CODE XREF: MmMapViewInSystemCache+8Aj
		push	0
		push	0
		push	esi
		push	103087h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BE51E:				; CODE XREF: MmMapViewInSystemCache+DAj
		inc	ds:dword_6D3CC0
		jmp	loc_4A6BE8
; 

loc_5BE529:				; CODE XREF: MmMapViewInSystemCache+FEj
		push	[ebp+var_B8]
		mov	ecx, [ebp+var_A8]
		inc	ds:dword_6D3CC0
		push	ebx
		call	_MiRemoveSystemCacheReferences@12 ; MiRemoveSystemCacheReferences(x,x,x)
		mov	eax, 0C0000017h
		jmp	loc_4A6BE8
; 

loc_5BE54B:				; CODE XREF: MmMapViewInSystemCache+EAj
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		mov	eax, [esi+1Ch]
		push	eax
		mov	eax, [esi+18h]
		push	eax
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		cmp	eax, 2
		jnz	loc_4A6A4F
		test	edx, edx
		jnz	loc_4A6A4F
		mov	eax, [esi+14h]
		push	eax
		mov	eax, [esi+10h]
		push	eax
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		mov	edx, 0FFFFFh
		mov	ecx, eax
		call	MiCompareTbFlushTimeStamp
		test	al, al
		jz	loc_4A6A4F
		push	0
		mov	edx, esi
		mov	[ebp+var_9C], 21h
		push	40h
		shl	edx, 9
		lea	ecx, [ebp+var_A4]
		mov	[ebp+var_90], 0
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [ebp+var_A4]
		call	MiFlushTbList
		jmp	loc_4A6A4F
; 

loc_5BE5D1:				; CODE XREF: MmMapViewInSystemCache+1EEj
		mov	eax, edx
		or	eax, 1
		mov	[ecx+0Ch], eax
		jmp	loc_4A6B34
; END OF FUNCTION CHUNK	FOR MmMapViewInSystemCache
; 
; START	OF FUNCTION CHUNK FOR MiManageSubsectionView

loc_5BE5DE:				; CODE XREF: MiManageSubsectionView+225j
		mov	eax, [ebp+var_8]
		push	0
		push	[ebp+var_C]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BE5F2:				; CODE XREF: MiManageSubsectionView+173j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_4A6DBB
; 

loc_5BE609:				; CODE XREF: MiManageSubsectionView+25Aj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4A6E92
; 

loc_5BE618:				; CODE XREF: MiManageSubsectionView+284j
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4A6DD2
; END OF FUNCTION CHUNK	FOR MiManageSubsectionView
; 
; START	OF FUNCTION CHUNK FOR RemoveListHeadPte

loc_5BE62A:				; CODE XREF: RemoveListHeadPte+2Ej
					; RemoveListHeadPte+3Fj
		push	edx
		push	ecx
		push	esi
		push	3800h

loc_5BE632:				; CODE XREF: RemoveListHeadPte+C6j
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BE63A:				; CODE XREF: MiObtainSystemCacheView+C6j
		mov	edx, edi
		lea	ecx, [ebp+var_E8]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A716C
; END OF FUNCTION CHUNK	FOR RemoveListHeadPte
; 
; START	OF FUNCTION CHUNK FOR MiObtainSystemCacheView

loc_5BE64C:				; CODE XREF: MiObtainSystemCacheView+5D9j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_E8]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A769D
; 

loc_5BE65F:				; CODE XREF: MiObtainSystemCacheView+607j
		lea	ecx, [ebp+var_E8]
		call	KxWaitForLockChainValid

loc_5BE66A:				; CODE XREF: MiObtainSystemCacheView+5E7j
		mov	[ebp+var_E8], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A769D
; 

loc_5BE684:				; CODE XREF: MiObtainSystemCacheView+658j
		mov	esi, [ebp+var_DC]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5BE69E
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5BE69E:				; CODE XREF: MiObtainSystemCacheView+117605j
		xor	edi, edi
		mov	[ebp+var_FC], edi
		test	esi, 7FFFFFFCh
		jz	loc_5BE85A
		mov	ebx, large fs:124h
		cmp	esi, ds:dword_6D07D0
		jb	short loc_5BE6E1
		mov	eax, esi
		shr	eax, 15h
		mov	al, byte ptr ds:dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_5BE6D4
		cmp	al, 0Bh
		jnz	short loc_5BE6E1

loc_5BE6D4:				; CODE XREF: MiObtainSystemCacheView+11763Ej
		mov	ecx, [ebx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_5BE6E4
; 

loc_5BE6E1:				; CODE XREF: MiObtainSystemCacheView+11762Fj
					; MiObtainSystemCacheView+117642j
		or	eax, 0FFFFFFFFh

loc_5BE6E4:				; CODE XREF: MiObtainSystemCacheView+11764Fj
		dec	word ptr [ebx+13Eh]
		mov	[ebp+var_F4], eax
		nop
		inc	byte ptr [ebx+1E6h]
		nop
		mov	cl, [ebx+1E6h]
		mov	edx, esi
		mov	[ebp+var_D1], cl
		mov	ecx, ebx
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_104], ecx
		test	ecx, ecx
		jnz	short loc_5BE73C
		mov	eax, [ebx+5Ch]
		test	eax, 10000h
		jnz	loc_5BE7B5
		push	ecx
		push	[ebp+var_F4]
		push	esi
		push	ebx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BE73C:				; CODE XREF: MiObtainSystemCacheView+117689j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5BE755
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_104]

loc_5BE755:				; CODE XREF: MiObtainSystemCacheView+1176B8j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_FC], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [ebx+1E8h]
		imul	ecx
		mov	al, 1
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		shl	al, cl
		cmp	[ebp+var_D1], 1
		jnz	short loc_5BE7A6
		or	[ebx+1E4h], al
		jmp	short loc_5BE7B5
; 

loc_5BE7A6:				; CODE XREF: MiObtainSystemCacheView+11770Cj
		lea	esi, [ebx+222h]
		lock or	[esi], al
		mov	esi, [ebp+var_DC]

loc_5BE7B5:				; CODE XREF: MiObtainSystemCacheView+117693j
					; MiObtainSystemCacheView+117714j
		nop
		dec	byte ptr [ebx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_D8], eax
		jz	short loc_5BE834
		test	edi, 8000h
		jz	short loc_5BE7E2
		xor	edx, edx
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+var_D8]

loc_5BE7E2:				; CODE XREF: MiObtainSystemCacheView+117741j
		test	byte ptr [ebp+var_FC+2], 1
		jz	short loc_5BE801
		lea	eax, [ebx+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [ebx+330h]
		mov	eax, [ebp+var_D8]

loc_5BE801:				; CODE XREF: MiObtainSystemCacheView+117759j
		test	edi, 7FFFh
		jz	short loc_5BE81E
		and	edi, 7FFFh
		mov	ecx, ebx
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority
		mov	eax, [ebp+var_D8]

loc_5BE81E:				; CODE XREF: MiObtainSystemCacheView+117777j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5BE834
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5BE834:				; CODE XREF: MiObtainSystemCacheView+117739j
					; MiObtainSystemCacheView+117798j
		nop
		mov	ax, [ebx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ebx+13Eh], ax
		test	ax, ax
		jnz	short loc_5BE85A
		nop
		lea	eax, [ebx+70h]
		cmp	[eax], eax
		jz	short loc_5BE85A
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5BE85A:				; CODE XREF: MiObtainSystemCacheView+11761Cj
					; MiObtainSystemCacheView+1177BBj ...
		mov	ecx, [ebp+var_F0]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		xor	eax, eax
		jmp	loc_4A730C
; 

loc_5BE86C:				; CODE XREF: MiObtainSystemCacheView+649j
		or	eax, 0FFFFFFFFh
		lea	edx, [esi+480h]
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5BE88C
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	edx, [esi+480h]

loc_5BE88C:				; CODE XREF: MiObtainSystemCacheView+1177EDj
		xor	edi, edi
		mov	[ebp+var_F8], edi
		test	edx, 7FFFFFFCh
		jz	loc_5BEA7F
		mov	ecx, large fs:124h
		mov	[ebp+var_D8], ecx
		cmp	edx, ds:dword_6D07D0
		jb	short loc_5BE8DB
		mov	eax, edx
		shr	eax, 15h
		mov	al, byte ptr ds:dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_5BE8C8
		cmp	al, 0Bh
		jnz	short loc_5BE8DB

loc_5BE8C8:				; CODE XREF: MiObtainSystemCacheView+117832j
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_D8]
		jmp	short loc_5BE8DE
; 

loc_5BE8DB:				; CODE XREF: MiObtainSystemCacheView+117823j
					; MiObtainSystemCacheView+117836j
		or	eax, 0FFFFFFFFh

loc_5BE8DE:				; CODE XREF: MiObtainSystemCacheView+117849j
		dec	word ptr [ecx+13Eh]
		mov	[ebp+var_FC], eax
		nop
		inc	byte ptr [ecx+1E6h]
		nop
		mov	dl, [ecx+1E6h]
		mov	[ebp+var_D1], dl
		lea	edx, [esi+480h]
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_EC], ecx
		test	ecx, ecx
		jnz	short loc_5BE945
		mov	ecx, [ebp+var_D8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_5BE9CA
		mov	eax, [ebp+var_DC]
		push	0
		push	[ebp+var_FC]
		push	eax
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BE945:				; CODE XREF: MiObtainSystemCacheView+117885j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5BE95E
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_EC]

loc_5BE95E:				; CODE XREF: MiObtainSystemCacheView+1178C1j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_F8], edi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [ebp+var_D8]
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [eax+1E8h]
		mov	eax, 2AAAAAABh
		imul	ecx
		mov	al, 1
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		shl	al, cl
		cmp	[ebp+var_D1], 1
		mov	ecx, [ebp+var_D8]
		jnz	short loc_5BE9BB
		or	[ecx+1E4h], al
		jmp	short loc_5BE9CA
; 

loc_5BE9BB:				; CODE XREF: MiObtainSystemCacheView+117921j
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp+var_F4]

loc_5BE9CA:				; CODE XREF: MiObtainSystemCacheView+117895j
					; MiObtainSystemCacheView+117929j
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_DC], eax
		jz	short loc_5BEA59
		test	edi, 8000h
		jz	short loc_5BE9FB
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp+var_D8]
		mov	eax, [ebp+var_DC]

loc_5BE9FB:				; CODE XREF: MiObtainSystemCacheView+117956j
		test	byte ptr [ebp+var_F8+2], 1
		jz	short loc_5BEA1A
		lea	eax, [ecx+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [ecx+330h]
		mov	eax, [ebp+var_DC]

loc_5BEA1A:				; CODE XREF: MiObtainSystemCacheView+117972j
		test	edi, 7FFFh
		jz	short loc_5BEA3B
		and	edi, 7FFFh
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority
		mov	ecx, [ebp+var_D8]
		mov	eax, [ebp+var_DC]

loc_5BEA3B:				; CODE XREF: MiObtainSystemCacheView+117990j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5BEA59
		push	eax
		lea	edx, [esi+480h]
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [ebp+var_D8]

loc_5BEA59:				; CODE XREF: MiObtainSystemCacheView+11794Ej
					; MiObtainSystemCacheView+1179B5j
		nop
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		test	ax, ax
		jnz	short loc_5BEA7F
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_5BEA7F
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5BEA7F:				; CODE XREF: MiObtainSystemCacheView+11780Aj
					; MiObtainSystemCacheView+1179E0j ...
		mov	ecx, [ebp+var_F0]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	[ebp+var_F0], 0
		mov	edi, offset dword_6D2EA8
		jmp	loc_4A76EE
; 

loc_5BEA9E:				; CODE XREF: MiObtainSystemCacheView+683j
		mov	edx, edi
		lea	ecx, [ebp+var_E8]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A7729
; 

loc_5BEAB0:				; CODE XREF: MiObtainSystemCacheView+693j
		lea	ecx, [ebp+var_E8]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A7729
; 

loc_5BEAC0:				; CODE XREF: MiObtainSystemCacheView+3D8j
		test	ds:byte_70EFC6,	1
		jz	short loc_5BEAD9
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_E8]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BEB19
; 

loc_5BEAD9:				; CODE XREF: MiObtainSystemCacheView+117A37j
		mov	eax, [ebp+var_E8]
		test	eax, eax
		jnz	short loc_5BEB04
		mov	edx, [ebp+var_E4]
		lea	eax, [ebp+var_E8]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_E8]
		cmp	eax, ecx
		jz	short loc_5BEB19
		call	KxWaitForLockChainValid

loc_5BEB04:				; CODE XREF: MiObtainSystemCacheView+117A51j
		mov	[ebp+var_E8], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BEB19:				; CODE XREF: MiObtainSystemCacheView+117A47j
					; MiObtainSystemCacheView+117A6Dj
		mov	cl, [ebp+var_D1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_F0], 0
		jz	loc_5BED65
		lea	edx, [esi+480h]
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_EC], edx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5BEB58
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	edx, [esi+480h]

loc_5BEB58:				; CODE XREF: MiObtainSystemCacheView+117AB9j
		xor	edi, edi
		mov	[ebp+var_100], edi
		test	edx, 7FFFFFFCh
		jz	loc_5BED4B
		mov	ecx, large fs:124h
		mov	[ebp+var_D8], ecx
		cmp	edx, ds:dword_6D07D0
		jb	short loc_5BEBA7
		mov	eax, edx
		shr	eax, 15h
		mov	al, byte ptr ds:dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_5BEB94
		cmp	al, 0Bh
		jnz	short loc_5BEBA7

loc_5BEB94:				; CODE XREF: MiObtainSystemCacheView+117AFEj
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_D8]
		jmp	short loc_5BEBAA
; 

loc_5BEBA7:				; CODE XREF: MiObtainSystemCacheView+117AEFj
					; MiObtainSystemCacheView+117B02j
		or	eax, 0FFFFFFFFh

loc_5BEBAA:				; CODE XREF: MiObtainSystemCacheView+117B15j
		dec	word ptr [ecx+13Eh]
		mov	[ebp+var_F8], eax
		nop
		inc	byte ptr [ecx+1E6h]
		nop
		mov	bl, [ecx+1E6h]
		push	eax
		mov	[ebp+var_D1], bl
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		lea	ebx, [esi+450h]
		mov	[ebp+var_DC], ecx
		test	ecx, ecx
		jnz	short loc_5BEC11
		mov	ecx, [ebp+var_D8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_5BEC96
		mov	edx, [ebp+var_EC]
		push	0
		push	[ebp+var_F8]
		push	edx
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BEC11:				; CODE XREF: MiObtainSystemCacheView+117B51j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5BEC2A
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_DC]

loc_5BEC2A:				; CODE XREF: MiObtainSystemCacheView+117B8Dj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_100], edi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [ebp+var_D8]
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [eax+1E8h]
		mov	eax, 2AAAAAABh
		imul	ecx
		mov	al, 1
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		shl	al, cl
		cmp	[ebp+var_D1], 1
		mov	ecx, [ebp+var_D8]
		jnz	short loc_5BEC87
		or	[ecx+1E4h], al
		jmp	short loc_5BEC96
; 

loc_5BEC87:				; CODE XREF: MiObtainSystemCacheView+117BEDj
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp+var_F4]

loc_5BEC96:				; CODE XREF: MiObtainSystemCacheView+117B61j
					; MiObtainSystemCacheView+117BF5j
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_DC], eax
		jz	short loc_5BED25
		test	edi, 8000h
		jz	short loc_5BECC7
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp+var_D8]
		mov	eax, [ebp+var_DC]

loc_5BECC7:				; CODE XREF: MiObtainSystemCacheView+117C22j
		test	byte ptr [ebp+var_100+2], 1
		jz	short loc_5BECE6
		lea	eax, [ecx+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [ecx+330h]
		mov	eax, [ebp+var_DC]

loc_5BECE6:				; CODE XREF: MiObtainSystemCacheView+117C3Ej
		test	edi, 7FFFh
		jz	short loc_5BED07
		and	edi, 7FFFh
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority
		mov	ecx, [ebp+var_D8]
		mov	eax, [ebp+var_DC]

loc_5BED07:				; CODE XREF: MiObtainSystemCacheView+117C5Cj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5BED25
		push	eax
		lea	edx, [esi+480h]
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [ebp+var_D8]

loc_5BED25:				; CODE XREF: MiObtainSystemCacheView+117C1Aj
					; MiObtainSystemCacheView+117C81j
		nop
		mov	ax, [ecx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ecx+13Eh], ax
		test	ax, ax
		jnz	short loc_5BED4B
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_5BED4B
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5BED4B:				; CODE XREF: MiObtainSystemCacheView+117AD6j
					; MiObtainSystemCacheView+117CACj ...
		mov	ecx, [ebp+var_F0]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	[ebp+var_F0], 0
		mov	edi, offset dword_6D2EA8

loc_5BED65:				; CODE XREF: MiObtainSystemCacheView+117A9Cj
		mov	ecx, [ebp+var_114]
		test	ecx, ecx
		jz	short loc_5BED7D
		push	ecx
		push	8
		lea	edx, [ecx+200000h]
		call	_MiReturnSystemVa@16 ; MiReturnSystemVa(x,x,x,x)

loc_5BED7D:				; CODE XREF: MiObtainSystemCacheView+117CDDj
		mov	ecx, [esi+64h]
		lea	eax, [ebp+var_108]
		push	eax
		push	0
		mov	edx, 40h
		call	_CcUnmapInactiveViews@16 ; CcUnmapInactiveViews(x,x,x,x)
		cmp	eax, 1
		jnz	loc_5BEE3F
		mov	edi, [ebp+var_108]
		mov	esi, edi
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		mov	eax, [esi+1Ch]
		push	eax
		mov	eax, [esi+18h]
		push	eax
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		cmp	eax, 2
		jnz	short loc_5BEE02
		test	edx, edx
		jnz	short loc_5BEE02
		mov	eax, [esi+14h]
		push	eax
		mov	eax, [esi+10h]
		push	eax
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		mov	edx, 0FFFFFh
		mov	ecx, eax
		call	MiCompareTbFlushTimeStamp
		test	al, al
		jz	short loc_5BEE02
		push	0
		push	40h
		mov	edx, edi
		lea	ecx, [ebp+var_D0]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [ebp+var_D0]
		call	MiFlushTbList

loc_5BEE02:				; CODE XREF: MiObtainSystemCacheView+117D33j
					; MiObtainSystemCacheView+117D37j ...
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	ecx, ds:_ZeroPte
		mov	[esi+4], eax
		mov	[esi+8], ecx
		nop
		mov	ecx, ds:dword_40F9FC
		mov	[esi+0Ch], ecx
		mov	ecx, ds:_ZeroPte
		mov	[esi+10h], ecx
		nop
		mov	ecx, ds:dword_40F9FC
		mov	eax, esi
		mov	[esi+14h], ecx
		jmp	loc_4A730C
; 

loc_5BEE3F:				; CODE XREF: MiObtainSystemCacheView+117D06j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_D1], al
		mov	[ebp+var_E4], offset dword_6D2EA8
		mov	[ebp+var_E8], 0
		jz	short loc_5BEE79
		mov	edx, edi
		lea	ecx, [ebp+var_E8]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BEE90
; 

loc_5BEE79:				; CODE XREF: MiObtainSystemCacheView+117DD8j
		lea	edx, [ebp+var_E8]
		xchg	edx, [edi]
		test	edx, edx
		jz	short loc_5BEE90
		lea	ecx, [ebp+var_E8]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5BEE90:				; CODE XREF: MiObtainSystemCacheView+117DE7j
					; MiObtainSystemCacheView+117DF3j
		mov	eax, [ebx+4]
		push	eax
		mov	eax, [ebx]
		push	eax
		call	_MiGetPteLink@8	; MiGetPteLink(x,x)
		mov	ecx, [ebp+var_FC]
		sub	ecx, [esi+460h]
		sar	ecx, 3
		cmp	eax, ecx
		jnz	loc_4A71BB
		test	edx, edx
		jnz	loc_4A71BB
		test	ds:byte_70EFC6,	1
		jz	short loc_5BEED4
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_E8]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BEF14
; 

loc_5BEED4:				; CODE XREF: MiObtainSystemCacheView+117E32j
		mov	eax, [ebp+var_E8]
		test	eax, eax
		jnz	short loc_5BEEFF
		mov	edx, [ebp+var_E4]
		lea	eax, [ebp+var_E8]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_E8]
		cmp	eax, ecx
		jz	short loc_5BEF14
		call	KxWaitForLockChainValid

loc_5BEEFF:				; CODE XREF: MiObtainSystemCacheView+117E4Cj
		mov	[ebp+var_E8], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BEF14:				; CODE XREF: MiObtainSystemCacheView+117E42j
					; MiObtainSystemCacheView+117E68j
		mov	cl, [ebp+var_D1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		jmp	loc_4A730C
; 

loc_5BEF27:				; CODE XREF: MiObtainSystemCacheView+305j
		mov	edx, [ebp+var_F8]
		and	ecx, 0FFFFFFEFh
		mov	[ebp+var_10C], edx
		jmp	loc_4A739F
; 

loc_5BEF3B:				; CODE XREF: MiObtainSystemCacheView+1C5j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_E8]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A7289
; 

loc_5BEF4E:				; CODE XREF: MiObtainSystemCacheView+442j
		test	al, 4
		jnz	loc_4A74D8
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_F4]
		jmp	loc_4A74D8
; 

loc_5BEF68:				; CODE XREF: MiObtainSystemCacheView+6C8j
		push	0
		push	[ebp+var_EC]
		push	[ebp+var_F4]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BEF81:				; CODE XREF: MiObtainSystemCacheView+530j
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_F8]
		jmp	loc_4A75CC
; 

loc_5BEF95:				; CODE XREF: MiObtainSystemCacheView+56Aj
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	loc_4A7600
; 

loc_5BEFAA:				; CODE XREF: MiObtainSystemCacheView+591j
		push	[ebp+var_EC]
		mov	edx, [ebp+var_F4]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4A7627
; END OF FUNCTION CHUNK	FOR MiObtainSystemCacheView
; 
; START	OF FUNCTION CHUNK FOR CcGetVacbFromFreeList

loc_5BEFC2:				; CODE XREF: CcGetVacbFromFreeList+8j
		lea	edx, [ecx+264h]
		lea	edi, [ecx+26Ch]
		jmp	loc_4A77BE
; 

loc_5BEFD3:				; CODE XREF: CcGetVacbFromFreeList+3Fj
		push	0
		push	0
		push	0C0000420h
		push	35Dh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BEFE9:				; CODE XREF: CcReferenceVacbArray+15j
		push	0
		push	0
		push	0C0000420h
		push	13Fh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BEFFF:				; CODE XREF: CcSetFileSizesEx+7Dj
		mov	edx, offset _CcMasterLock
		lea	ecx, [esp+2Ch+arg_10]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A78E6
; END OF FUNCTION CHUNK	FOR CcGetVacbFromFreeList
; 
; START	OF FUNCTION CHUNK FOR CcSetFileSizesEx

loc_5BF012:				; CODE XREF: CcSetFileSizesEx+DDj
		mov	edx, edi
		lea	ecx, [esp+50h+var_18]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A7941
; 

loc_5BF022:				; CODE XREF: CcSetFileSizesEx+33Ej
		mov	edx, [ebp+4]
		lea	ecx, [esp+50h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A7BBA
; 

loc_5BF033:				; CODE XREF: CcSetFileSizesEx+364j
		lea	ecx, [esp+50h+var_18]
		call	KxWaitForLockChainValid
		jmp	loc_4A7DCC
; 

loc_5BF041:				; CODE XREF: CcSetFileSizesEx+377j
		mov	edx, [ebp+4]
		lea	ecx, [esp+50h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A7BF3
; 

loc_5BF052:				; CODE XREF: CcSetFileSizesEx+39Dj
		lea	ecx, [esp+50h+var_C]
		call	KxWaitForLockChainValid
		jmp	loc_4A7DE4
; 

loc_5BF060:				; CODE XREF: CcSetFileSizesEx+3E5j
		push	eax
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		test	al, al
		jnz	loc_4A7C4E
		mov	[esp+50h+var_40], 0C00000ECh
		jmp	loc_4A7C4E
; 

loc_5BF07B:				; CODE XREF: CcSetFileSizesEx+417j
		lea	ecx, [esp+50h+var_18]
		call	KeReleaseInStackQueuedSpinLock
		push	esi
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5BF08A:				; CODE XREF: CcSetFileSizesEx+42Ej
		test	ds:byte_70EFC6,	1
		jz	short loc_5BF0A1
		mov	edx, [ebp+4]
		lea	ecx, [esp+54h+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BF0D7
; 

loc_5BF0A1:				; CODE XREF: CcSetFileSizesEx+117841j
		mov	eax, [esp+54h+var_1C]
		test	eax, eax
		jnz	short loc_5BF0C4
		mov	edx, [esp+54h+var_18]
		lea	eax, [esp+54h+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+54h+var_1C]
		cmp	eax, ecx
		jz	short loc_5BF0D7
		call	KxWaitForLockChainValid

loc_5BF0C4:				; CODE XREF: CcSetFileSizesEx+117857j
		mov	[esp+54h+var_1C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BF0D7:				; CODE XREF: CcSetFileSizesEx+11784Fj
					; CcSetFileSizesEx+11786Dj
		mov	cl, byte ptr [esp+54h+var_14]
		call	ebx
		jmp	loc_4A7D9E
; 

loc_5BF0E2:				; CODE XREF: CcSetFileSizesEx+12Ej
		mov	edx, [ebp+4]
		lea	ecx, [esp+50h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A79AA
; 

loc_5BF0F3:				; CODE XREF: CcSetFileSizesEx+167j
		mov	edx, [ebp+4]
		lea	ecx, [esp+50h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A79E3
; 

loc_5BF104:				; CODE XREF: CcSetFileSizesEx+1B6j
		mov	edx, edi
		lea	ecx, [esp+50h+var_18]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A7A1A
; 

loc_5BF114:				; CODE XREF: CcSetFileSizesEx+28Dj
		mov	edx, [ebp+4]
		lea	ecx, [esp+50h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A7B09
; 

loc_5BF125:				; CODE XREF: CcSetFileSizesEx+2F6j
		mov	ecx, esi
		call	CcDeleteBcbs
		jmp	loc_4A7B4C
; 

loc_5BF131:				; CODE XREF: CcSetFileSizesEx+239j
		mov	edx, [ebp+4]
		lea	ecx, [esp+50h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A7AB5
; 

loc_5BF142:				; CODE XREF: CcSetFileSizesEx+4F4j
		mov	edx, [ebp+4]
		lea	ecx, [esp+50h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A7D70
; 

loc_5BF153:				; CODE XREF: CcSetFileSizesEx+51Aj
		lea	ecx, [esp+50h+var_C]
		call	KxWaitForLockChainValid

loc_5BF15C:				; CODE XREF: CcSetFileSizesEx+500j
		mov	[esp+50h+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A7D70
; 

loc_5BF174:				; CODE XREF: CcSetFileSizesEx+548j
		mov	eax, 0C0000435h
		jmp	loc_4A7ABF
; END OF FUNCTION CHUNK	FOR CcSetFileSizesEx
; 
; START	OF FUNCTION CHUNK FOR CcDecrementOpenCount

loc_5BF17E:				; CODE XREF: CcDecrementOpenCount+32j
		mov	edx, [ebp+4]
		mov	ecx, offset dword_6CF3C0
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_4A7E42
; 

loc_5BF190:				; CODE XREF: CcDecrementOpenCount+52j
		push	0
		push	0
		push	0C0000420h
		push	1314h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BF1A5:				; CODE XREF: CcDecrementOpenCount+7Ej
		test	eax, eax
		jnz	short loc_5BF1B0
		mov	ecx, esi
		call	_CcInsertIntoDirtySharedCacheMapList@4 ; CcInsertIntoDirtySharedCacheMapList(x)

loc_5BF1B0:				; CODE XREF: CcDecrementOpenCount+1173A7j
		push	1
		mov	dl, 1
		jmp	loc_4A7EA2
; END OF FUNCTION CHUNK	FOR CcDecrementOpenCount
; 

loc_5BF1B9:				; CODE XREF: .text:004A7F5Aj
		mov	eax, [esp+44h]
		cmp	eax, [ebx+2Ch]
		jl	loc_4A8174
		jg	loc_4A7F60
		mov	eax, [esp+3Ch]
		cmp	eax, [ebx+28h]
		jbe	loc_4A8174
		jmp	loc_4A7F60
; 

loc_5BF1DE:				; CODE XREF: .text:004A7FD8j
		mov	dl, al
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	short loc_5BF226
; 

loc_5BF1E7:				; CODE XREF: .text:004A8003j
		mov	edi, offset dword_6CF3C0

loc_5BF1EC:				; CODE XREF: .text:005BF220j
		test	edx, 40000000h
		jnz	short loc_5BF206
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5BF214

loc_5BF206:				; CODE XREF: .text:005BF1F2j
		lea	ecx, [esp+44h]
		call	KeYieldProcessorEx
		mov	eax, ds:dword_6CF3C0

loc_5BF214:				; CODE XREF: .text:005BF204j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5BF1EC
		mov	edi, [esp+14h]

loc_5BF226:				; CODE XREF: .text:005BF1E5j
		mov	ecx, offset dword_6CF3C0
		jmp	loc_4A8009
; 

loc_5BF230:				; CODE XREF: .text:004A8010j
		mov	edx, [ebp+4]
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_4A8020
; 

loc_5BF23D:				; CODE XREF: .text:004A8036j
		push	0
		push	0
		push	0C0000420h
		push	1314h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BF252:				; CODE XREF: .text:004A8043j
		lea	ecx, [ebx+0B4h]
		call	ExAcquireFastMutex
		jmp	loc_4A80FB
; 

loc_5BF262:				; CODE XREF: .text:004A822Bj
		mov	edx, [esp+20h]
		lea	ecx, [esp+5Ch]
		add	edx, 40h
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A85BE
; 

loc_5BF277:				; CODE XREF: .text:004A82E2j
		mov	edx, [ebp+4]
		lea	ecx, [esp+5Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A830E
; 

loc_5BF288:				; CODE XREF: .text:004A83D2j
		mov	edi, [esp+14h]
		jmp	loc_4A8050
; 

loc_5BF291:				; CODE XREF: .text:004A83FBj
		inc	ds:_CcDbgNumberOfFailedBitmapAllocations

loc_5BF297:				; CODE XREF: .text:004A81AAj
					; .text:004A8563j
		test	dword ptr [ebx+60h], 20000h
		jnz	loc_5BF3AF
		mov	ecx, [esp+20h]
		lea	edx, [esp+5Ch]
		lea	ecx, [ecx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		or	dword ptr [ebx+60h], 20000h
		test	ds:byte_70EFC6,	1
		jz	loc_5BF36B
		mov	edx, [ebp+4]
		lea	ecx, [esp+5Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5BF3A1
; 

loc_5BF2D9:				; CODE XREF: .text:004A8125j
		mov	esi, [esp+20h]
		lea	edx, [esp+5Ch]
		lea	ecx, [esi+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebx+60h]
		test	eax, 400h
		jnz	short loc_5BF2FB
		or	eax, 400h
		mov	[ebx+60h], eax

loc_5BF2FB:				; CODE XREF: .text:005BF2F1j
		mov	ecx, ebx
		call	_CcInsertIntoDirtySharedCacheMapList@4 ; CcInsertIntoDirtySharedCacheMapList(x)
		push	0
		xor	dl, dl
		mov	ecx, esi
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_5BF324
		mov	edx, [ebp+4]
		lea	ecx, [esp+5Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BF35A
; 

loc_5BF324:				; CODE XREF: .text:005BF314j
		mov	eax, [esp+5Ch]
		test	eax, eax
		jnz	short loc_5BF347
		mov	edx, [esp+60h]
		lea	eax, [esp+5Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+5Ch]
		cmp	eax, ecx
		jz	short loc_5BF35A
		call	KxWaitForLockChainValid

loc_5BF347:				; CODE XREF: .text:005BF32Aj
		mov	dword ptr [esp+5Ch], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_5BF35A:				; CODE XREF: .text:005BF322j
					; .text:005BF340j
		mov	cl, [esp+64h]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		jmp	loc_4A8131
; 

loc_5BF36B:				; CODE XREF: .text:005BF2C2j
		mov	eax, [esp+5Ch]
		test	eax, eax
		jnz	short loc_5BF38E
		mov	edx, [esp+60h]
		lea	eax, [esp+5Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+5Ch]
		cmp	eax, ecx
		jz	short loc_5BF3A1
		call	KxWaitForLockChainValid

loc_5BF38E:				; CODE XREF: .text:005BF371j
		mov	dword ptr [esp+5Ch], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_5BF3A1:				; CODE XREF: .text:005BF2D4j
					; .text:005BF387j
		mov	cl, [esp+64h]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		jmp	short loc_5BF3B5
; 

loc_5BF3AF:				; CODE XREF: .text:005BF29Ej
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

loc_5BF3B5:				; CODE XREF: .text:005BF3ADj
		cmp	dword ptr [esp+40h], 0
		jz	loc_4A8168
		jmp	loc_4A8131
; 

loc_5BF3C5:				; CODE XREF: .text:004A7FA0j
					; .text:004A7FAAj
		push	0
		push	0
		push	0C0000420h
		push	0C73h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BF3DA:				; CODE XREF: .text:004A7F43j
					; .text:004A7F4Dj
		push	0
		push	0
		push	0C0000420h
		push	0C53h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
; START	OF FUNCTION CHUNK FOR CcUninitializeCacheMap

loc_5BF3F0:				; CODE XREF: CcUninitializeCacheMap+4Ej
		mov	edx, offset _CcMasterLock
		lea	ecx, [ebp+var_18]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A8666
; 

loc_5BF402:				; CODE XREF: CcUninitializeCacheMap+90j
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_4A8696
; 

loc_5BF40E:				; CODE XREF: CcUninitializeCacheMap+B3j
		lea	edx, [ebx+40h]
		lea	ecx, [ebp+var_24]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A86C9
; 

loc_5BF41E:				; CODE XREF: CcUninitializeCacheMap+432j
		mov	edx, ecx
		lea	ecx, [ebp+var_30]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A8A45
; 

loc_5BF42D:				; CODE XREF: CcUninitializeCacheMap+43Fj
		mov	edx, eax
		lea	ecx, [ebp+var_30]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4A8A45
; 

loc_5BF43C:				; CODE XREF: CcUninitializeCacheMap+489j
		push	0
		push	0
		push	0C0000420h
		push	964h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BF451:				; CODE XREF: CcUninitializeCacheMap+49Fj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A86EB
; 

loc_5BF461:				; CODE XREF: CcUninitializeCacheMap+4C7j
		lea	ecx, [ebp+var_30]
		call	KxWaitForLockChainValid

loc_5BF469:				; CODE XREF: CcUninitializeCacheMap+4AAj
		mov	[ebp+var_30], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4A86EB
; 

loc_5BF480:				; CODE XREF: CcUninitializeCacheMap+F9j
					; CcUninitializeCacheMap+101j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5BF487:				; CODE XREF: CcUninitializeCacheMap+DBj
		push	0
		push	0
		push	0C0000420h
		push	943h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BF49C:				; CODE XREF: CcUninitializeCacheMap+D3j
		push	0
		push	0
		push	0C0000420h
		push	93Dh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BF4B1:				; CODE XREF: CcUninitializeCacheMap+2C0j
		lea	eax, [esi+90h]
		cmp	[eax], eax
		jz	short loc_5BF4CD
		push	0
		push	0
		lea	eax, [ecx+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4A88C6
; 

loc_5BF4CD:				; CODE XREF: CcUninitializeCacheMap+116EB9j
		mov	eax, [esi+0B0h]
		mov	[ecx], eax
		mov	[esi+0B0h], ecx
		mov	eax, [edx+4]
		test	byte ptr [eax+20h], 10h
		jz	loc_4A88C6
		mov	[ebp+var_1], 1
		jmp	loc_4A88C6
; 

loc_5BF4F1:				; CODE XREF: CcUninitializeCacheMap+2CDj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A88F5
; 

loc_5BF501:				; CODE XREF: CcUninitializeCacheMap+307j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A892F
; 

loc_5BF511:				; CODE XREF: CcUninitializeCacheMap+18Cj
		or	dword ptr [esi+60h], 10000h
		mov	dl, 1
		jmp	loc_4A879C
; 

loc_5BF51F:				; CODE XREF: CcUninitializeCacheMap+194j
		test	byte ptr [esi+60h], 20h
		jnz	loc_4A879A
		mov	dl, 1
		jmp	loc_4A879C
; 

loc_5BF530:				; CODE XREF: CcUninitializeCacheMap+1B0j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A87D8
; 

loc_5BF540:				; CODE XREF: CcUninitializeCacheMap+1EAj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A8812
; 

loc_5BF550:				; CODE XREF: CcUninitializeCacheMap+14Cj
		push	0
		push	0
		push	0C0000420h
		push	9E0h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BF565:				; CODE XREF: CcUninitializeCacheMap+375j
		test	ebx, ebx
		jnz	short loc_5BF5CF
		test	ds:byte_70EFC6,	1
		jz	short loc_5BF57F
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BF5B0
; 

loc_5BF57F:				; CODE XREF: CcUninitializeCacheMap+116F70j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_5BF59E
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	short loc_5BF5B0
		call	KxWaitForLockChainValid

loc_5BF59E:				; CODE XREF: CcUninitializeCacheMap+116F84j
		mov	[ebp+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BF5B0:				; CODE XREF: CcUninitializeCacheMap+116F7Dj
					; CcUninitializeCacheMap+116F97j
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	0
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+14h]
		push	eax
		call	CcPurgeCacheSection
		jmp	loc_4A89B6
; 

loc_5BF5CF:				; CODE XREF: CcUninitializeCacheMap+116F67j
		push	0
		push	0
		push	0C0000420h
		push	0A82h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BF5E4:				; CODE XREF: CcUninitializeCacheMap+382j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A89AA
; 

loc_5BF5F4:				; CODE XREF: CcUninitializeCacheMap+3A4j
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid
		jmp	loc_4A8B78
; 

loc_5BF601:				; CODE XREF: CcUninitializeCacheMap+227j
		mov	dl, 1
		mov	ecx, ebx
		call	CcAdjustWriteBehindThreadPoolIfNeeded
		jmp	loc_4A882D
; 

loc_5BF60F:				; CODE XREF: CcUninitializeCacheMap+4D8j
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		jmp	loc_4A8ADE
; END OF FUNCTION CHUNK	FOR CcUninitializeCacheMap
; 
; START	OF FUNCTION CHUNK FOR CcDereferencePartition

loc_5BF619:				; CODE XREF: CcDereferencePartition+11j
		jnz	short loc_5BF632
		push	0
		push	0
		lea	eax, [ecx+2A0h]
		mov	bl, 1
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4A8BA9
; 

loc_5BF632:				; CODE XREF: CcDereferencePartition:loc_5BF619j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_4A8BA7
; END OF FUNCTION CHUNK	FOR CcDereferencePartition
; 
; START	OF FUNCTION CHUNK FOR CcSetParallelFlushFile

loc_5BF63C:				; CODE XREF: CcSetParallelFlushFile+3Cj
		mov	edx, esi
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A8BFD
; 

loc_5BF64B:				; CODE XREF: CcSetParallelFlushFile+66j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A8C38
; END OF FUNCTION CHUNK	FOR CcSetParallelFlushFile
; 
; START	OF FUNCTION CHUNK FOR CcSetAdditionalCacheAttributesEx

loc_5BF65B:				; CODE XREF: CcSetAdditionalCacheAttributesEx+6Cj
		mov	edx, edi
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A8CFF
; 

loc_5BF66A:				; CODE XREF: CcSetAdditionalCacheAttributesEx+96j
		or	eax, 4000000h
		jmp	loc_4A8D2C
; 

loc_5BF674:				; CODE XREF: CcSetAdditionalCacheAttributesEx+A1j
		or	eax, 20000h
		jmp	loc_4A8D27
; 

loc_5BF67E:				; CODE XREF: CcSetAdditionalCacheAttributesEx+AFj
		and	eax, 0EFFFFFFFh
		jmp	loc_4A8D3A
; 

loc_5BF688:				; CODE XREF: CcSetAdditionalCacheAttributesEx+D5j
		or	eax, 1000h
		jmp	loc_4A8D60
; 

loc_5BF692:				; CODE XREF: CcSetAdditionalCacheAttributesEx+ECj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A8D8C
; 

loc_5BF6A2:				; CODE XREF: CcSetAdditionalCacheAttributesEx+1Fj
		push	0
		push	0
		push	0C0000420h
		push	0C6h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BF6B8:				; CODE XREF: CcSetAdditionalCacheAttributes+47j
		mov	edx, esi
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A8E34
; END OF FUNCTION CHUNK	FOR CcSetAdditionalCacheAttributesEx
; 
; START	OF FUNCTION CHUNK FOR CcSetAdditionalCacheAttributes

loc_5BF6C7:				; CODE XREF: CcSetAdditionalCacheAttributes+76j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A8E74
; 

loc_5BF6D7:				; CODE XREF: CcSetAdditionalCacheAttributes+21j
		push	ebx
		push	ebx
		push	0C0000420h
		push	5Fh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5BF6E8:				; CODE XREF: CcChargeDirtyPages+Fj
		mov	eax, ds:_PspSystemPartition
		mov	esi, [eax+4]
		jmp	loc_4A8EC8
; END OF FUNCTION CHUNK	FOR CcSetAdditionalCacheAttributes
; 
; START	OF FUNCTION CHUNK FOR CcChargeDirtyPages

loc_5BF6F5:				; CODE XREF: CcChargeDirtyPages+5Dj
		cmp	dword ptr [esi+198h], 2000h
		jb	loc_4A8F0F
		push	ebx
		mov	dl, 1
		mov	ecx, esi
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		jmp	loc_4A8F0F
; 

loc_5BF714:				; CODE XREF: CcChargeDirtyPages+66j
		push	ebx
		xor	dl, dl
		mov	ecx, esi
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		mov	[esi+48h], bl
		jmp	loc_4A8F18
; END OF FUNCTION CHUNK	FOR CcChargeDirtyPages
; 
; START	OF FUNCTION CHUNK FOR CcAdjustWriteBehindThreadPoolIfNeeded

loc_5BF726:				; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+45j
		mov	edx, edi
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A8FB8
; 

loc_5BF735:				; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+5Fj
		mov	eax, [esi+284h]
		cmp	eax, [esi+84h]
		jnb	loc_4A9011
		xor	dl, dl
		mov	ecx, esi
		mov	bh, 1
		call	CcAdjustWriteBehindThreadPool
		jmp	loc_4A9011
; 

loc_5BF757:				; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+ABj
		mov	byte ptr [esi+200h], 0
		jmp	loc_4A9011
; 

loc_5BF763:				; CODE XREF: CcAdjustWriteBehindThreadPoolIfNeeded+B8j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A9038
; END OF FUNCTION CHUNK	FOR CcAdjustWriteBehindThreadPoolIfNeeded
; 
; START	OF FUNCTION CHUNK FOR CcInitializeCacheMapEx

loc_5BF773:				; CODE XREF: CcInitializeCacheMapEx+7Cj
		and	eax, 0FFFFFFFEh
		jmp	loc_4A9132
; 

loc_5BF77B:				; CODE XREF: CcInitializeCacheMapEx+125j
		mov	edx, offset _CcMasterLock
		lea	ecx, [esp+88h+var_30]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A91EE
; 

loc_5BF78E:				; CODE XREF: CcInitializeCacheMapEx+542j
		test	ds:byte_70EFC6,	1
		jz	short loc_5BF7A5
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BF7DB
; 

loc_5BF7A5:				; CODE XREF: CcInitializeCacheMapEx+1166E5j
		mov	eax, [esp+88h+var_30]
		test	eax, eax
		jnz	short loc_5BF7C8
		mov	edx, [esp+88h+var_2C]
		lea	eax, [esp+88h+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_30]
		cmp	eax, ecx
		jz	short loc_5BF7DB
		call	KxWaitForLockChainValid

loc_5BF7C8:				; CODE XREF: CcInitializeCacheMapEx+1166FBj
		mov	[esp+88h+var_30], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BF7DB:				; CODE XREF: CcInitializeCacheMapEx+1166F3j
					; CcInitializeCacheMapEx+116711j
		mov	cl, [esp+88h+var_28]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		jmp	loc_4A96BD
; 

loc_5BF7EC:				; CODE XREF: CcInitializeCacheMapEx+648j
		or	eax, 1
		mov	[esp+88h+var_60], eax
		jmp	loc_4A96FE
; 

loc_5BF7F8:				; CODE XREF: CcInitializeCacheMapEx+6A6j
		push	0
		push	0
		push	0C0000420h
		push	5A3h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BF80D:				; CODE XREF: CcInitializeCacheMapEx+699j
					; CcInitializeCacheMapEx+6AEj
		xor	ecx, ecx
		jmp	loc_5BFF8F
; 

loc_5BF814:				; CODE XREF: CcInitializeCacheMapEx+673j
		push	eax
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		mov	edx, [esp+88h+var_74]
		xor	ecx, ecx
		test	al, al
		jnz	loc_5BFF97
		mov	[esp+88h+var_70], 0C00000EAh
		jmp	loc_5BFF97
; 

loc_5BF835:				; CODE XREF: CcInitializeCacheMapEx+66Bj
		lea	edx, [esp+88h+var_30]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, ds:_CcSectionDeletionSequencePhase3
		cmp	eax, ds:_CcSectionDeletionSequencePhase1
		jnz	short loc_5BF85D
		mov	eax, ds:dword_6FDEF4
		cmp	eax, ds:dword_6CE9BC
		jz	short loc_5BF865

loc_5BF85D:				; CODE XREF: CcInitializeCacheMapEx+11679Ej
		mov	[esp+88h+var_70], 0C000A008h

loc_5BF865:				; CODE XREF: CcInitializeCacheMapEx+1167ABj
		test	ds:byte_70EFC6,	1
		jz	short loc_5BF87C
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BF8B2
; 

loc_5BF87C:				; CODE XREF: CcInitializeCacheMapEx+1167BCj
		mov	eax, [esp+88h+var_30]
		test	eax, eax
		jnz	short loc_5BF89F
		mov	edx, [esp+88h+var_2C]
		lea	eax, [esp+88h+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_30]
		cmp	eax, ecx
		jz	short loc_5BF8B2
		call	KxWaitForLockChainValid

loc_5BF89F:				; CODE XREF: CcInitializeCacheMapEx+1167D2j
		mov	[esp+88h+var_30], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BF8B2:				; CODE XREF: CcInitializeCacheMapEx+1167CAj
					; CcInitializeCacheMapEx+1167E8j
		mov	cl, [esp+88h+var_28]
		call	edi
		mov	edx, [esp+88h+var_74]
		xor	ecx, ecx
		jmp	loc_5BFF97
; 

loc_5BF8C3:				; CODE XREF: CcInitializeCacheMapEx+625j
					; CcInitializeCacheMapEx+70Ej
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5BF8CD:				; CODE XREF: CcInitializeCacheMapEx+56Ej
		mov	edx, eax
		lea	ecx, [esp+8Ch+var_40]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A9632
; 

loc_5BF8DD:				; CODE XREF: CcInitializeCacheMapEx+5BEj
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_3C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A92B8
; 

loc_5BF8EE:				; CODE XREF: CcInitializeCacheMapEx+175j
		mov	eax, [eax]
		cmp	eax, [ecx+4]
		jz	loc_4A922B
		test	ds:byte_70EFC6,	21h
		lea	eax, [ecx+40h]
		mov	[esp+88h+var_38], eax
		mov	[esp+88h+var_3C], 0
		jz	short loc_5BF91E
		mov	edx, eax
		lea	ecx, [esp+88h+var_3C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BF931
; 

loc_5BF91E:				; CODE XREF: CcInitializeCacheMapEx+11685Fj
		lea	edx, [esp+88h+var_3C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_5BF935
		lea	ecx, [esp+88h+var_3C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5BF931:				; CODE XREF: CcInitializeCacheMapEx+11686Cj
		mov	ecx, [esp+88h+var_74]

loc_5BF935:				; CODE XREF: CcInitializeCacheMapEx+116876j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_5BF94E
		sub	eax, [esi+178h]
		jz	short loc_5BF94E
		mov	[esp+88h+var_70], 0C000060Bh
		jmp	short loc_5BF964
; 

loc_5BF94E:				; CODE XREF: CcInitializeCacheMapEx+11688Aj
					; CcInitializeCacheMapEx+116892j
		push	0
		mov	dl, 1
		mov	[esp+8Ch+var_70], 0C00000D8h
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		mov	[esp+88h+var_75], 1

loc_5BF964:				; CODE XREF: CcInitializeCacheMapEx+11689Cj
		test	ds:byte_70EFC6,	1
		jz	short loc_5BF97B
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_3C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BF9B1
; 

loc_5BF97B:				; CODE XREF: CcInitializeCacheMapEx+1168BBj
		mov	eax, [esp+88h+var_3C]
		test	eax, eax
		jnz	short loc_5BF99E
		mov	edx, [esp+88h+var_38]
		lea	eax, [esp+88h+var_3C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_3C]
		cmp	eax, ecx
		jz	short loc_5BF9B1
		call	KxWaitForLockChainValid

loc_5BF99E:				; CODE XREF: CcInitializeCacheMapEx+1168D1j
		mov	[esp+88h+var_3C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BF9B1:				; CODE XREF: CcInitializeCacheMapEx+1168C9j
					; CcInitializeCacheMapEx+1168E7j
		test	ds:byte_70EFC6,	1
		jz	short loc_5BF9C8
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BF9FE
; 

loc_5BF9C8:				; CODE XREF: CcInitializeCacheMapEx+116908j
		mov	eax, [esp+88h+var_30]
		test	eax, eax
		jnz	short loc_5BF9EB
		mov	edx, [esp+88h+var_2C]
		lea	eax, [esp+88h+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_30]
		cmp	eax, ecx
		jz	short loc_5BF9FE
		call	KxWaitForLockChainValid

loc_5BF9EB:				; CODE XREF: CcInitializeCacheMapEx+11691Ej
		mov	[esp+88h+var_30], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BF9FE:				; CODE XREF: CcInitializeCacheMapEx+116916j
					; CcInitializeCacheMapEx+116934j
		mov	cl, [esp+88h+var_28]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+88h+var_74]
		xor	ecx, ecx
		jmp	loc_5BFF97
; 

loc_5BFA13:				; CODE XREF: CcInitializeCacheMapEx+191j
		mov	edx, ecx
		lea	ecx, [esp+88h+var_3C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A9255
; 

loc_5BFA23:				; CODE XREF: CcInitializeCacheMapEx+1DCj
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_3C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A92B8
; 

loc_5BFA34:				; CODE XREF: CcInitializeCacheMapEx+233j
		mov	edx, edi
		lea	ecx, [esp+88h+var_3C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A92F7
; 

loc_5BFA44:				; CODE XREF: CcInitializeCacheMapEx+24Ej
		cmp	ds:_KdDebuggerNotPresent, 0
		jnz	loc_4A9304
		test	dword ptr [esi+60h], 80000h
		jz	loc_4A9304
		push	offset ??_C@_0ED@GKJLADHL@CC?3?5Reusing?5shared?5cache?5map?5th@FNODOBFM@
		call	_DbgPrint
		add	esp, 4
		int	3		; Trap to Debugger
		jmp	loc_4A9304
; 

loc_5BFA71:				; CODE XREF: CcInitializeCacheMapEx+7AEj
		push	0
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		jmp	loc_4A9864
; 

loc_5BFA80:				; CODE XREF: CcInitializeCacheMapEx+7BBj
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_3C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A9897
; 

loc_5BFA91:				; CODE XREF: CcInitializeCacheMapEx+7F8j
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A98D4
; 

loc_5BFAA2:				; CODE XREF: CcInitializeCacheMapEx+97Bj
		mov	edx, edi
		lea	ecx, [esp+88h+var_3C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A9A3F
; 

loc_5BFAB2:				; CODE XREF: CcInitializeCacheMapEx+99Dj
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_3C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A9A79
; 

loc_5BFAC3:				; CODE XREF: CcInitializeCacheMapEx+9D0j
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A9AAC
; 

loc_5BFAD4:				; CODE XREF: CcInitializeCacheMapEx+88Aj
		lea	edx, [esp+90h+var_38]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	ds:byte_70EFC6,	21h
		mov	[esp+90h+var_40], edi
		mov	[esp+90h+var_44], 0
		jz	short loc_5BFB04
		mov	edx, edi
		lea	ecx, [esp+90h+var_44]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BFB17
; 

loc_5BFB04:				; CODE XREF: CcInitializeCacheMapEx+116A45j
		lea	edx, [esp+90h+var_44]
		xchg	edx, [edi]
		test	edx, edx
		jz	short loc_5BFB17
		lea	ecx, [esp+90h+var_44]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5BFB17:				; CODE XREF: CcInitializeCacheMapEx+116A52j
					; CcInitializeCacheMapEx+116A5Cj
		or	dword ptr [esi+60h], 40000000h
		test	ds:byte_70EFC6,	1
		jz	short loc_5BFB35
		mov	edx, [ebp+4]
		lea	ecx, [esp+90h+var_44]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BFB6B
; 

loc_5BFB35:				; CODE XREF: CcInitializeCacheMapEx+116A75j
		mov	eax, [esp+90h+var_44]
		test	eax, eax
		jnz	short loc_5BFB58
		mov	edx, [esp+90h+var_40]
		lea	eax, [esp+90h+var_44]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+90h+var_44]
		cmp	eax, ecx
		jz	short loc_5BFB6B
		call	KxWaitForLockChainValid

loc_5BFB58:				; CODE XREF: CcInitializeCacheMapEx+116A8Bj
		mov	[esp+90h+var_44], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BFB6B:				; CODE XREF: CcInitializeCacheMapEx+116A83j
					; CcInitializeCacheMapEx+116AA1j
		test	ds:byte_70EFC6,	1
		jz	short loc_5BFB82
		mov	edx, [ebp+4]
		lea	ecx, [esp+90h+var_38]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BFBB8
; 

loc_5BFB82:				; CODE XREF: CcInitializeCacheMapEx+116AC2j
		mov	eax, [esp+90h+var_38]
		test	eax, eax
		jnz	short loc_5BFBA5
		mov	edx, [esp+90h+var_34]
		lea	eax, [esp+90h+var_38]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+90h+var_38]
		cmp	eax, ecx
		jz	short loc_5BFBB8
		call	KxWaitForLockChainValid

loc_5BFBA5:				; CODE XREF: CcInitializeCacheMapEx+116AD8j
		mov	[esp+90h+var_38], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BFBB8:				; CODE XREF: CcInitializeCacheMapEx+116AD0j
					; CcInitializeCacheMapEx+116AEEj
		mov	cl, byte ptr [esp+90h+var_30]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4A9940
; 

loc_5BFBC7:				; CODE XREF: CcInitializeCacheMapEx+8B1j
		mov	edx, edi
		lea	ecx, [esp+90h+var_44]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A9975
; 

loc_5BFBD7:				; CODE XREF: CcInitializeCacheMapEx+8D1j
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4A9987
; 

loc_5BFBE6:				; CODE XREF: CcInitializeCacheMapEx+8DEj
		mov	edx, [ebp+4]
		lea	ecx, [esp+90h+var_44]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A99BA
; 

loc_5BFBF7:				; CODE XREF: CcInitializeCacheMapEx+911j
		mov	edx, [ebp+4]
		lea	ecx, [esp+90h+var_38]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A99ED
; 

loc_5BFC08:				; CODE XREF: CcInitializeCacheMapEx+846j
		push	0
		push	0
		push	0C0000420h
		push	68Ch
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5BFC1D:				; CODE XREF: CcInitializeCacheMapEx+83Aj
		mov	[esp+9Ch+var_84], 0C000000Dh

loc_5BFC25:				; CODE XREF: CcInitializeCacheMapEx+87Fj
		mov	ebx, [esp+9Ch+var_6C]

loc_5BFC29:				; CODE XREF: CcInitializeCacheMapEx+116EF7j
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

loc_5BFC2F:				; CODE XREF: CcInitializeCacheMapEx+116DAEj
					; CcInitializeCacheMapEx+116DBCj
		lea	edx, [esp+9Ch+var_44]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [esp+9Ch+var_88]
		lea	edx, [esp+9Ch+var_50]
		lea	ecx, [ecx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	ebx, ebx
		jz	short loc_5BFC69
		mov	eax, [esi+70h]
		test	eax, eax
		jz	short loc_5BFC62
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_5BFC62:				; CODE XREF: CcInitializeCacheMapEx+116BA6j
		and	dword ptr [esi+60h], 0FFFFFEFFh

loc_5BFC69:				; CODE XREF: CcInitializeCacheMapEx+116B9Fj
		add	dword ptr [esi+4], 0FFFFFFFFh
		jnz	loc_5BFFAC
		test	byte ptr [esi+60h], 20h
		jnz	loc_5BFFAC
		cmp	dword ptr [esi+4Ch], 0
		jnz	loc_5BFFAC
		push	0
		push	0
		lea	eax, [esp+0A4h+var_50]
		mov	ecx, esi
		push	eax
		lea	edx, [esp+0A8h+var_44]
		call	CcDeleteSharedCacheMap
		jmp	loc_4A959B
; 

loc_5BFCA0:				; CODE XREF: CcInitializeCacheMapEx+271j
					; CcInitializeCacheMapEx+798j
		cmp	dword ptr [esi+70h], 0
		jnz	loc_5BFD83
		push	76456343h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+70h], eax
		test	eax, eax
		jnz	loc_5BFD79
		test	ds:byte_70EFC6,	1
		jz	short loc_5BFCDD
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_3C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BFD13
; 

loc_5BFCDD:				; CODE XREF: CcInitializeCacheMapEx+116C1Dj
		mov	eax, [esp+88h+var_3C]
		test	eax, eax
		jnz	short loc_5BFD00
		mov	edx, [esp+88h+var_38]
		lea	eax, [esp+88h+var_3C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_3C]
		cmp	eax, ecx
		jz	short loc_5BFD13
		call	KxWaitForLockChainValid

loc_5BFD00:				; CODE XREF: CcInitializeCacheMapEx+116C33j
		mov	[esp+88h+var_3C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BFD13:				; CODE XREF: CcInitializeCacheMapEx+116C2Bj
					; CcInitializeCacheMapEx+116C49j
		mov	cl, byte ptr [esp+88h+var_34]
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	ebx
		test	ds:byte_70EFC6,	1
		jz	short loc_5BFD36
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BFD6C
; 

loc_5BFD36:				; CODE XREF: CcInitializeCacheMapEx+116C76j
		mov	eax, [esp+88h+var_30]
		test	eax, eax
		jnz	short loc_5BFD59
		mov	edx, [esp+88h+var_2C]
		lea	eax, [esp+88h+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_30]
		cmp	eax, ecx
		jz	short loc_5BFD6C
		call	KxWaitForLockChainValid

loc_5BFD59:				; CODE XREF: CcInitializeCacheMapEx+116C8Cj
		mov	[esp+88h+var_30], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BFD6C:				; CODE XREF: CcInitializeCacheMapEx+116C84j
					; CcInitializeCacheMapEx+116CA2j
		mov	cl, [esp+88h+var_28]
		call	ebx
		xor	ecx, ecx
		jmp	loc_5BFF8B
; 

loc_5BFD79:				; CODE XREF: CcInitializeCacheMapEx+116C10j
		push	0
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_5BFD83:				; CODE XREF: CcInitializeCacheMapEx+116BF4j
		inc	dword ptr [esi+4]
		test	ds:byte_70EFC6,	1
		jz	short loc_5BFD9D
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_3C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BFDD3
; 

loc_5BFD9D:				; CODE XREF: CcInitializeCacheMapEx+116CDDj
		mov	eax, [esp+88h+var_3C]
		test	eax, eax
		jnz	short loc_5BFDC0
		mov	edx, [esp+88h+var_38]
		lea	eax, [esp+88h+var_3C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_3C]
		cmp	eax, ecx
		jz	short loc_5BFDD3
		call	KxWaitForLockChainValid

loc_5BFDC0:				; CODE XREF: CcInitializeCacheMapEx+116CF3j
		mov	[esp+88h+var_3C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BFDD3:				; CODE XREF: CcInitializeCacheMapEx+116CEBj
					; CcInitializeCacheMapEx+116D09j
		mov	cl, byte ptr [esp+88h+var_34]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		test	ds:byte_70EFC6,	1
		jz	short loc_5BFDF6
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BFE2C
; 

loc_5BFDF6:				; CODE XREF: CcInitializeCacheMapEx+116D36j
		mov	eax, [esp+88h+var_30]
		test	eax, eax
		jnz	short loc_5BFE19
		mov	edx, [esp+88h+var_2C]
		lea	eax, [esp+88h+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_30]
		cmp	eax, ecx
		jz	short loc_5BFE2C
		call	KxWaitForLockChainValid

loc_5BFE19:				; CODE XREF: CcInitializeCacheMapEx+116D4Cj
		mov	[esp+88h+var_30], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BFE2C:				; CODE XREF: CcInitializeCacheMapEx+116D44j
					; CcInitializeCacheMapEx+116D62j
		mov	cl, [esp+88h+var_28]
		call	edi
		mov	eax, [esi+70h]
		push	0
		push	0
		push	0
		push	0
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esi+64h]
		test	eax, eax
		jns	loc_4A93A0
		mov	ebx, eax
		push	ebx
		mov	[esp+8Ch+var_70], ebx
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		xor	ebx, ebx
		test	al, al
		jnz	loc_5BFC2F
		mov	[esp+88h+var_70], 0C00000EAh
		jmp	loc_5BFC2F
; 

loc_5BFE71:				; CODE XREF: CcInitializeCacheMapEx+281j
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_3C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A935B
; 

loc_5BFE82:				; CODE XREF: CcInitializeCacheMapEx+2BEj
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A939A
; 

loc_5BFE93:				; CODE XREF: CcInitializeCacheMapEx+2F6j
		push	63536343h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esp+88h+var_6C], 0
		jmp	loc_4A93AC
; 

loc_5BFEAB:				; CODE XREF: CcInitializeCacheMapEx+339j
		mov	edx, offset _CcMasterLock
		lea	ecx, [esp+88h+var_30]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A9402
; 

loc_5BFEBE:				; CODE XREF: CcInitializeCacheMapEx+376j
		mov	edx, [esp+88h+var_74]
		lea	ecx, [esp+88h+var_3C]
		lea	edx, [edx+40h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A9441
; 

loc_5BFED3:				; CODE XREF: CcInitializeCacheMapEx+A1Aj
		test	ds:byte_70EFC6,	1
		jz	short loc_5BFEEA
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_3C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BFF20
; 

loc_5BFEEA:				; CODE XREF: CcInitializeCacheMapEx+116E2Aj
		mov	eax, [esp+88h+var_3C]
		test	eax, eax
		jnz	short loc_5BFF0D
		mov	edx, [esp+88h+var_38]
		lea	eax, [esp+88h+var_3C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_3C]
		cmp	eax, ecx
		jz	short loc_5BFF20
		call	KxWaitForLockChainValid

loc_5BFF0D:				; CODE XREF: CcInitializeCacheMapEx+116E40j
		mov	[esp+88h+var_3C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BFF20:				; CODE XREF: CcInitializeCacheMapEx+116E38j
					; CcInitializeCacheMapEx+116E56j
		mov	cl, byte ptr [esp+88h+var_34]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ds:byte_70EFC6,	1
		jz	short loc_5BFF41
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BFF77
; 

loc_5BFF41:				; CODE XREF: CcInitializeCacheMapEx+116E81j
		mov	eax, [esp+88h+var_30]
		test	eax, eax
		jnz	short loc_5BFF64
		mov	edx, [esp+88h+var_2C]
		lea	eax, [esp+88h+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+88h+var_30]
		cmp	eax, ecx
		jz	short loc_5BFF77
		call	KxWaitForLockChainValid

loc_5BFF64:				; CODE XREF: CcInitializeCacheMapEx+116E97j
		mov	[esp+88h+var_30], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BFF77:				; CODE XREF: CcInitializeCacheMapEx+116E8Fj
					; CcInitializeCacheMapEx+116EADj
		mov	cl, [esp+88h+var_28]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4A9ADF
; 

loc_5BFF86:				; CODE XREF: CcInitializeCacheMapEx+A4Cj
		mov	ecx, 1

loc_5BFF8B:				; CODE XREF: CcInitializeCacheMapEx+116CC4j
		mov	edx, [esp+88h+var_74]

loc_5BFF8F:				; CODE XREF: CcInitializeCacheMapEx+11675Fj
		mov	[esp+88h+var_70], 0C000009Ah

loc_5BFF97:				; CODE XREF: CcInitializeCacheMapEx+116772j
					; CcInitializeCacheMapEx+116780j ...
		xor	eax, eax
		xor	ebx, ebx
		mov	[esp+88h+var_5C], eax
		test	ecx, ecx
		jz	loc_4A94BD
		jmp	loc_5BFC29
; 

loc_5BFFAC:				; CODE XREF: CcInitializeCacheMapEx+116BBDj
					; CcInitializeCacheMapEx+116BC7j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_5BFFC3
		mov	edx, [ebp+4]
		lea	ecx, [esp+9Ch+var_50]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5BFFF9
; 

loc_5BFFC3:				; CODE XREF: CcInitializeCacheMapEx+116F03j
		mov	eax, [esp+9Ch+var_50]
		test	eax, eax
		jnz	short loc_5BFFE6
		mov	edx, [esp+9Ch+var_4C]
		lea	eax, [esp+9Ch+var_50]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+9Ch+var_50]
		cmp	eax, ecx
		jz	short loc_5BFFF9
		call	KxWaitForLockChainValid

loc_5BFFE6:				; CODE XREF: CcInitializeCacheMapEx+116F19j
		mov	[esp+9Ch+var_50], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5BFFF9:				; CODE XREF: CcInitializeCacheMapEx+116F11j
					; CcInitializeCacheMapEx+116F2Fj
		mov	cl, byte ptr [esp+9Ch+var_48]
		call	edi

loc_5BFFFF:				; DATA XREF: .text:0041A67Do
					; .text:0041D868o ...
		test	ds:byte_70EFC6,	1
		jz	short loc_5C0016
		mov	edx, [ebp+4]
		lea	ecx, [esp+9Ch+var_44]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C004C
; 

loc_5C0016:				; CODE XREF: CcInitializeCacheMapEx+116F56j
		mov	eax, [esp+9Ch+var_44]
		test	eax, eax
		jnz	short loc_5C0039
		mov	edx, [esp+9Ch+var_40]
		lea	eax, [esp+9Ch+var_44]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx

loc_5C002C:				; DATA XREF: .text:??_C@_01LFCBOECM@?4@FNODOBFM@o
		lea	ecx, [esp+9Ch+var_44]
		cmp	eax, ecx
		jz	short loc_5C004C
		call	KxWaitForLockChainValid

loc_5C0039:				; CODE XREF: CcInitializeCacheMapEx+116F6Cj
					; DATA XREF: .text:004053E4o ...
		mov	[esp+9Ch+var_44], 0

loc_5C0041:				; DATA XREF: .text:005A4570o
					; .text:005A5678o
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5C004C:				; CODE XREF: CcInitializeCacheMapEx+116F64j
					; CcInitializeCacheMapEx+116F82j
		mov	cl, byte ptr [esp+9Ch+var_3C]
		call	edi
		jmp	loc_4A959B
; 

loc_5C0057:				; CODE XREF: CcInitializeCacheMapEx+3F1j
					; CcInitializeCacheMapEx+58Dj
					; DATA XREF: ...
		mov	ecx, 3

loc_5C005C:				; DATA XREF: .text:_PathPrefixWin32o
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5C005E:				; CODE XREF: CcInitializeCacheMapEx+417j
		lea	edx, [esp+88h+var_30]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, [esp+88h+var_74]
		mov	[esp+88h+var_5C], 1 ; DATA XREF: PAGE:008B846Fo
		jmp	loc_4A94CD
; 

loc_5C007D:				; CODE XREF: CcInitializeCacheMapEx+425j
		lea	ecx, [edx+40h]
		lea	edx, [esp+88h+var_3C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ebx, 1
		jmp	loc_4A94DB
; 

loc_5C0093:				; CODE XREF: CcInitializeCacheMapEx+44Dj
					; CcInitializeCacheMapEx+116FF9j
		and	eax, 0FFFFFFFEh
		push	0
		push	0
		mov	edi, [eax]
		add	eax, 4
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, edi
		test	edi, edi
		jnz	short loc_5C0093
		jmp	loc_4A9503
; 

loc_5C00B0:				; CODE XREF: CcInitializeCacheMapEx+395j
		mov	eax, [esi+4]
		cmp	eax, 1
		jbe	loc_5C013D
		dec	eax
		mov	[esi+4], eax
		jmp	loc_4A951C
; 

loc_5C00C5:				; CODE XREF: CcInitializeCacheMapEx+473j
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_3C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A954F
; 

loc_5C00D6:				; CODE XREF: CcInitializeCacheMapEx+466j
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		jmp	loc_4A955B
; 

loc_5C00E1:				; CODE XREF: CcInitializeCacheMapEx+4B9j
		mov	edx, [ebp+4]
		lea	ecx, [esp+88h+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A9595
; 

loc_5C00F2:				; CODE XREF: CcInitializeCacheMapEx+4F1j
		push	63536343h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4A95A7
; 

loc_5C0102:				; CODE XREF: CcInitializeCacheMapEx+4FDj
		push	63506343h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4A95B3
; 

loc_5C0112:				; CODE XREF: CcInitializeCacheMapEx+509j
		push	746C6644h
		push	eax
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_4A95BF
; 

loc_5C0122:				; CODE XREF: CcInitializeCacheMapEx+515j
		cmp	[esp+88h+var_75], 0
		jz	short loc_5C0137
		push	offset _Cc10Milliseconds
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)

loc_5C0137:				; CODE XREF: CcInitializeCacheMapEx+117077j
		push	esi
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5C013D:				; CODE XREF: CcInitializeCacheMapEx+117006j
		push	0
		push	0
		push	0C0000420h
		push	7DCh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C0152:				; CODE XREF: CcInitializeCacheMapEx+142j
		test	ds:byte_70EFC6,	1
		jz	short loc_5C0169
		mov	edx, [ebp+4]
		lea	ecx, [esp+0A0h+var_48]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C019F
; 

loc_5C0169:				; CODE XREF: CcInitializeCacheMapEx+1170A9j
		mov	eax, [esp+0A0h+var_48]
		test	eax, eax
		jnz	short loc_5C018C
		mov	edx, [esp+0A0h+var_44]
		lea	eax, [esp+0A0h+var_48]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+0A0h+var_48]
		cmp	eax, ecx
		jz	short loc_5C019F
		call	KxWaitForLockChainValid

loc_5C018C:				; CODE XREF: CcInitializeCacheMapEx+1170BFj
		mov	[esp+0A0h+var_48], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5C019F:				; CODE XREF: CcInitializeCacheMapEx+1170B7j
					; CcInitializeCacheMapEx+1170D5j
		mov	cl, byte ptr [esp+0A0h+var_40]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+0A0h+var_84]
		test	eax, eax
		jz	loc_4A95CB
		push	63536343h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4A95CB
; END OF FUNCTION CHUNK	FOR CcInitializeCacheMapEx
; 
; START	OF FUNCTION CHUNK FOR CcCanIWrite

loc_5C01C5:				; CODE XREF: CcCanIWrite+85j
		mov	edx, offset _CcMasterLock
		lea	ecx, [esp+90h+var_74]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A9D7E
; 

loc_5C01D8:				; CODE XREF: CcCanIWrite+CDj
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_4A9DB3
; 

loc_5C01E4:				; CODE XREF: CcCanIWrite+FCj
		mov	bl, 1
		jmp	loc_4A9DE2
; 

loc_5C01EB:				; CODE XREF: CcCanIWrite+109j
		mov	edx, [ebp+4]
		lea	ecx, [esp+90h+var_74]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4A9E15
; 

loc_5C01FC:				; CODE XREF: CcCanIWrite+4Cj
		mov	eax, ds:_PspSystemPartition
		mov	edi, [eax+4]
		mov	[esp+90h+var_68], edi
		jmp	loc_4A9E30
; 

loc_5C020D:				; CODE XREF: CcCanIWrite+16Aj
		mov	ecx, ds:_CcAzure_LargeWriteSize
		test	ecx, ecx
		jz	short loc_5C0236
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_5C0236
		cmp	eax, ecx
		jb	short loc_5C0236
		jmp	loc_4A9E50
; 

loc_5C0227:				; CODE XREF: CcCanIWrite+18Dj
					; CcCanIWrite+195j
		cmp	[esp+90h+var_64], 2
		jnz	short loc_5C0236
		test	bl, bl
		jnz	loc_4A9E7B

loc_5C0236:				; CODE XREF: CcCanIWrite+116535j
					; CcCanIWrite+11653Cj ...
		test	ds:dword_70EFD0, 20000h
		jz	short loc_5C025A
		mov	eax, [edi+1A8h]
		mov	ecx, esi
		mov	edx, [ebp+arg_4]
		push	eax
		mov	eax, [edi+198h]
		push	eax
		call	_CcPerfLogCanWriteFail@16 ; CcPerfLogCanWriteFail(x,x,x,x)

loc_5C025A:				; CODE XREF: CcCanIWrite+116560j
		mov	dl, 1
		mov	ecx, edi
		call	CcAdjustWriteBehindThreadPoolIfNeeded
		cmp	[ebp+arg_8], 0
		jnz	short loc_5C02C8
		cmp	[esp+90h+var_64], 1
		jnz	loc_4A9E7D
		test	bl, bl
		jz	short loc_5C02C1
		test	bh, bh
		jz	loc_4A9E7B
		mov	ecx, ds:_CcSoftThrottleDelay
		push	ecx		; char
		imul	eax, ecx, 0FFFFD8F0h
		push	(offset	loc_5A3880+6) ;	char *
		push	2		; int
		push	7Fh		; int
		mov	[esp+0A0h+var_5C], 0FFFFFFFFh
		mov	[esp+0A0h+var_60], eax
		call	_DbgPrintEx
		add	esp, 10h
		lea	eax, [esp+90h+var_60]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	ecx, [esp+90h+var_64]
		jmp	loc_4A9E30
; 

loc_5C02C1:				; CODE XREF: CcCanIWrite+116596j
		xor	bl, bl
		jmp	loc_4A9E7D
; 

loc_5C02C8:				; CODE XREF: CcCanIWrite+116587j
		xor	eax, eax
		mov	[esp+90h+var_4C], 0
		lea	edi, [esp+90h+var_10]
		mov	[esp+90h+var_48], 0
		stosd
		push	0
		push	0
		mov	[esp+98h+var_40], 0
		stosd
		mov	[esp+98h+var_3C], 0
		mov	[esp+98h+var_38], 0
		mov	[esp+98h+var_30], 0
		stosd
		mov	[esp+98h+var_2C], 0
		mov	[esp+98h+var_28], 0
		mov	[esp+98h+var_24], 0
		stosd
		lea	eax, [esp+98h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [ebp+arg_4]
		mov	edi, [esp+90h+var_68]
		mov	[esp+90h+var_50], eax
		lea	eax, [esp+90h+var_10]
		mov	[esp+90h+var_44], eax
		lea	eax, [esp+90h+var_28]
		push	eax
		mov	[esp+94h+var_34], edi
		mov	[esp+94h+var_58], 3802FCh
		mov	[esp+94h+var_54], esi
		call	KeQueryTickCount
		test	bl, bl
		jz	short loc_5C036B
		mov	byte ptr [esp+90h+var_30], 1
		test	bh, bh
		jnz	short loc_5C0370

loc_5C036B:				; CODE XREF: CcCanIWrite+116680j
		mov	byte ptr [esp+90h+var_30], 0

loc_5C0370:				; CODE XREF: CcCanIWrite+116689j
		cmp	[ebp+arg_C], 0
		lea	eax, [edi+240h]
		lea	ecx, [edi+204h]
		push	eax
		lea	edx, [esp+94h+var_4C]
		jz	short loc_5C038E
		call	@ExfInterlockedInsertHeadList@12 ; ExfInterlockedInsertHeadList(x,x,x)
		jmp	short loc_5C0393
; 

loc_5C038E:				; CODE XREF: CcCanIWrite+1166A5j
		call	@ExfInterlockedInsertTailList@12 ; ExfInterlockedInsertTailList(x,x,x)

loc_5C0393:				; CODE XREF: CcCanIWrite+1166ACj
		lea	edx, [esp+10h]
		lea	ecx, [edi+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	0
		mov	dl, 1
		mov	ecx, edi
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_5C03C1
		mov	edx, [ebp+4]
		lea	ecx, [esp+10h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C03F7
; 

loc_5C03C1:				; CODE XREF: CcCanIWrite+1166D1j
		mov	eax, [esp+10h]
		test	eax, eax
		jnz	short loc_5C03E4
		mov	edx, [esp+94h+var_80]
		lea	eax, [esp+10h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+10h]
		cmp	eax, ecx
		jz	short loc_5C03F7
		call	KxWaitForLockChainValid

loc_5C03E4:				; CODE XREF: CcCanIWrite+1166E7j
		mov	dword ptr [esp+10h], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx

loc_5C03F7:				; CODE XREF: CcCanIWrite+1166DFj
					; CcCanIWrite+1166FDj
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

loc_5C03FD:				; CODE XREF: CcCanIWrite+11678Fj
					; CcCanIWrite+1167ADj ...
		mov	cl, byte ptr [esp+94h+var_7C]
		call	ebx

loc_5C0403:				; CODE XREF: CcCanIWrite+116757j
		mov	ecx, edi
		call	_CcPostDeferredWrites@4	; CcPostDeferredWrites(x)
		push	offset _CcIdleDelay
		push	0
		push	0
		push	0
		lea	eax, [esp+0A4h+var_14]
		push	eax
		call	KeWaitForSingleObject
		test	eax, eax
		jz	loc_4A9E7B
		cmp	byte ptr [edi+288h], 0
		jnz	short loc_5C0439
		cmp	byte ptr [edi+48h], 0
		jz	short loc_5C0403

loc_5C0439:				; CODE XREF: CcCanIWrite+116751j
		lea	edx, [esp+10h]
		lea	ecx, [edi+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	0
		mov	dl, 1
		mov	ecx, edi
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		cmp	byte ptr [edi+48h], 0
		jz	short loc_5C045A
		mov	byte ptr [edi+48h], 0

loc_5C045A:				; CODE XREF: CcCanIWrite+116774j
		test	ds:byte_70EFC6,	1
		jz	short loc_5C0471
		mov	edx, [ebp+4]
		lea	ecx, [esp+10h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C03FD
; 

loc_5C0471:				; CODE XREF: CcCanIWrite+116781j
		mov	eax, [esp+10h]
		test	eax, eax
		jnz	short loc_5C0498
		mov	edx, [esp+94h+var_80]
		lea	eax, [esp+10h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+10h]
		cmp	eax, ecx
		jz	loc_5C03FD
		call	KxWaitForLockChainValid

loc_5C0498:				; CODE XREF: CcCanIWrite+116797j
		mov	dword ptr [esp+10h], 0
		add	eax, 4
		mov	ecx, 1
		lock xor [eax],	ecx
		jmp	loc_5C03FD
; 

loc_5C04B0:				; CODE XREF: CcCanIWrite+1B2j
		jz	short loc_5C04BE
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_4A9E98
; 

loc_5C04BE:				; CODE XREF: CcCanIWrite:loc_5C04B0j
		push	0
		push	0
		lea	eax, [edi+2A0h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4A9E98
; END OF FUNCTION CHUNK	FOR CcCanIWrite
; 
; START	OF FUNCTION CHUNK FOR CcCanIWriteStreamEx

loc_5C04D3:				; CODE XREF: CcCanIWriteStreamEx+22j
		mov	eax, 1
		jmp	loc_4A9F1A
; 

loc_5C04DD:				; CODE XREF: CcCanIWriteStreamEx+55j
		mov	eax, 1000000h
		mov	[ebp+arg_0], eax
		jmp	loc_4A9F4B
; 

loc_5C04EA:				; CODE XREF: CcCanIWriteStreamEx+96j
		mov	edx, [ebp+var_8]
		lea	ecx, [ebp+var_1C]
		lea	edx, [edx+40h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4AA0E8
; 

loc_5C04FD:				; CODE XREF: CcCanIWriteStreamEx+D8j
		mov	eax, ds:_CcAzure_LargeWriteSize
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_4A9FCE
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_4A9FCE
		cmp	eax, [ebp+var_10]
		jb	loc_4A9FCE
		mov	ecx, [ecx+1A8h]
		mov	eax, 51EB851Fh
		imul	ecx, edx
		mul	ecx
		mov	ecx, [ebp+var_8]
		shr	edx, 5
		mov	eax, [ecx+198h]
		add	eax, edi
		add	eax, esi
		cmp	eax, edx
		jb	loc_4A9FCE
		mov	eax, [ebp+arg_C]
		mov	byte ptr [eax],	1
		jmp	loc_4A9FCE
; 

loc_5C0554:				; CODE XREF: CcCanIWriteStreamEx+ECj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4AA004
; 

loc_5C0564:				; CODE XREF: CcCanIWriteStreamEx+1ABj
		mov	edi, [eax+4Ch]
		test	edi, edi
		mov	[ebp+arg_0], edi
		mov	edi, [ebp+arg_4]
		jz	loc_4AA0A1
		mov	eax, [ebp+arg_0]
		add	eax, esi
		cmp	eax, [ebp+arg_C]
		mov	eax, [ebp+arg_8]
		jbe	loc_4AA0A1
		mov	[ebp+var_2], 1
		jmp	loc_4AA0A1
; 

loc_5C058F:				; CODE XREF: CcCanIWriteStreamEx+271j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4AA189
; 

loc_5C059F:				; CODE XREF: CcCanIWriteStreamEx+293j
		lea	ecx, [ebp+var_1C]
		call	KxWaitForLockChainValid

loc_5C05A7:				; CODE XREF: CcCanIWriteStreamEx+27Cj
		mov	[ebp+var_1C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4AA189
; 

loc_5C05BE:				; CODE XREF: CcCanIWriteStreamEx+12Dj
		xor	eax, eax
		jmp	loc_4AA0CA
; 

loc_5C05C5:				; CODE XREF: CcCanIWriteStreamEx+150j
		mov	ecx, 4000h
		jmp	loc_4AA04B
; 

loc_5C05CF:				; CODE XREF: CcCanIWriteStreamEx+163j
		mov	eax, ds:dword_6D06D4
		mov	esi, offset dword_6D5794
		mov	[ebp+arg_0], eax

loc_5C05DC:				; CODE XREF: CcCanIWriteStreamEx+116728j
		mov	edi, [esi]
		mov	[ebp+arg_8], edi
		xor	edi, edi
		test	eax, eax
		jz	short loc_5C060F
		mov	eax, [ebp+arg_8]
		add	eax, 4
		mov	[ebp+arg_8], eax

loc_5C05F0:				; CODE XREF: CcCanIWriteStreamEx+11671Aj
		movzx	eax, word ptr [eax]
		add	edx, eax
		cmp	edx, ecx
		jnb	loc_4AA059
		mov	eax, [ebp+arg_8]
		inc	edi
		add	eax, 8
		mov	[ebp+arg_8], eax
		cmp	edi, [ebp+arg_0]
		jb	short loc_5C05F0
		mov	eax, [ebp+arg_0]

loc_5C060F:				; CODE XREF: CcCanIWriteStreamEx+1166F5j
		add	esi, 4
		cmp	esi, offset dword_6D5798
		jle	short loc_5C05DC
		mov	eax, ds:dword_6D5F58
		add	eax, 320h
		cmp	ds:dword_6D5F00, eax
		jnb	loc_4AA05B
		mov	edx, 50h
		mov	ecx, offset _MiSystemPartition
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	loc_4AA05B
		jmp	loc_4AA059
; END OF FUNCTION CHUNK	FOR CcCanIWriteStreamEx
; 
; START	OF FUNCTION CHUNK FOR CcGetPartition

loc_5C064C:				; CODE XREF: CcGetPartition+2Bj
		mov	dl, bl
		mov	ecx, edi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_4AA1F7
; 

loc_5C065A:				; CODE XREF: CcGetPartition+51j
					; CcGetPartition+1164EDj
		test	edx, 40000000h
		jnz	short loc_5C0674
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5C0681

loc_5C0674:				; CODE XREF: CcGetPartition+1164C0j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, ds:dword_6CF3C0

loc_5C0681:				; CODE XREF: CcGetPartition+1164D2j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5C065A
		jmp	loc_4AA1F7
; 

loc_5C0694:				; CODE XREF: CcGetPartition+5Ej
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_4AA20E
; 

loc_5C06A3:				; CODE XREF: CcGetPartition+80j
		push	0
		push	0
		push	0C0000420h
		push	1314h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C06B9:				; CODE XREF: CcInsertIntoCleanSharedCacheMapList+18j
		cmp	ds:_KdDebuggerNotPresent, 0
		jnz	loc_4AA452
		cmp	dword ptr [esi+4], 0
		jnz	loc_4AA452
		cmp	dword ptr [esi+4Ch], 0
		jnz	loc_4AA452
		push	offset ??_C@_0FA@OGCCJEAN@CC?3?5SharedCacheMap?9?$DOOpenCount?5?$DN@FNODOBFM@
		call	_DbgPrint
		pop	ecx
		int	3		; Trap to Debugger
		jmp	loc_4AA452
; END OF FUNCTION CHUNK	FOR CcGetPartition
; 
; START	OF FUNCTION CHUNK FOR MmEnoughMemoryForWrite

loc_5C06EB:				; CODE XREF: MmEnoughMemoryForWrite+4Dj
		mov	eax, ds:dword_6D5F58
		add	eax, 320h
		cmp	ds:dword_6D5F00, eax
		jnb	loc_4AA573
		push	50h
		pop	edx
		mov	ecx, edi
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	loc_4AA573
		jmp	loc_4AA571
; END OF FUNCTION CHUNK	FOR MmEnoughMemoryForWrite
; 
; START	OF FUNCTION CHUNK FOR MiReferencePfBackedSection

loc_5C0718:				; CODE XREF: MiReferencePfBackedSection:loc_4AA6B9j
					; DATA XREF: .text:004AA7B8o
		mov	eax, [ecx+10h]
		mov	edx, [ecx+14h]
		jmp	loc_4AA6C6
; 

loc_5C0723:				; CODE XREF: MiReferencePfBackedSection+ABj
		mov	ecx, ebx
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)
		jmp	loc_4AA721
; END OF FUNCTION CHUNK	FOR MiReferencePfBackedSection
; 
; START	OF FUNCTION CHUNK FOR MiUnlinkUnusedControlArea

loc_5C072F:				; CODE XREF: MiUnlinkUnusedControlArea+14j
		sub	ds:dword_6D5184, 1
		jnz	loc_4AA926
		push	offset unk_6D5230
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		mov	ds:byte_6D5258,	0
		jmp	loc_4AA926
; END OF FUNCTION CHUNK	FOR MiUnlinkUnusedControlArea
; 

loc_5C0752:				; CODE XREF: .text:004AAABDj
		test	edx, ebx
		jnz	loc_4AAAC3
		or	ecx, ebx
		mov	[esi+1Ch], ecx
		jmp	loc_4AAAC3
; 

loc_5C0764:				; CODE XREF: .text:004AAAC8j
		mov	ecx, ds:dword_6D5228
		mov	edx, offset unk_6D5224
		cmp	[ecx], edx
		jnz	loc_4AAB18
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		inc	ds:dword_6D5184
		cmp	ds:byte_6D5258,	0
		mov	ds:dword_6D5228, eax
		jnz	loc_4AAAE9
		push	ds:dword_4057CC
		xor	edx, edx
		mov	ds:byte_6D5258,	1
		push	ds:_Mi10Milliseconds
		mov	ecx, offset unk_6D5230
		push	0
		push	0
		call	KiSetTimerEx
		jmp	loc_4AAAE9
; 
; START	OF FUNCTION CHUNK FOR MiCopyDataPageToImagePage

loc_5C07BE:				; CODE XREF: MiCopyDataPageToImagePage+2E1j
		xor	edx, edx
		mov	ecx, ebx
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)

loc_5C07C7:				; CODE XREF: MiCopyDataPageToImagePage+115CB3j
					; MiCopyDataPageToImagePage+115CD8j
		mov	eax, [ebp+var_4]
		jmp	loc_4AABAC
; 

loc_5C07CF:				; CODE XREF: MiCopyDataPageToImagePage+2FDj
		cmp	[ebp+var_5], 0
		jz	short loc_5C07C7
		mov	ecx, ebx
		mov	eax, 92492493h
		sub	ecx, ds:_MmPfnDatabase
		imul	ecx
		lea	eax, [ecx+edx]
		mov	ecx, ebx
		sar	eax, 4
		mov	edx, eax
		shr	edx, 1Fh
		add	edx, eax
		call	MiPfnReferenceCountIsZero
		jmp	short loc_5C07C7
; 

loc_5C07FA:				; CODE XREF: MiCopyDataPageToImagePage+385j
		lea	esi, [edi+10h]

loc_5C07FD:				; CODE XREF: MiCopyDataPageToImagePage+115CE9j
					; MiCopyDataPageToImagePage+115CF0j
		lea	ecx, [ebp+var_30]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5C07FD
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5C07FD
		mov	ebx, [ebp+var_88]
		mov	esi, [ebp+var_3C]
		jmp	loc_4AAEAB
; 

loc_5C0820:				; CODE XREF: MiCopyDataPageToImagePage+4D6j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5C0853
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	ecx, 1
		jnz	loc_4AAFFE
		mov	eax, ebx
		and	eax, ecx
		or	eax, 0
		jz	loc_4AAFFE
		or	edx, 80000000h
		jmp	loc_4AAFFE
; 

loc_5C0853:				; CODE XREF: MiCopyDataPageToImagePage+115D07j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_4AAFFC
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	loc_4AAFFC
		or	edx, 80000000h
		jmp	loc_4AAFFC
; 

loc_5C0888:				; CODE XREF: MiCopyDataPageToImagePage+4E6j
		push	edx
		push	ebx
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_4AB00C
; 

loc_5C0896:				; CODE XREF: MiCopyDataPageToImagePage+52Aj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		mov	ecx, [ebp+arg_0]
		test	eax, eax
		jz	short loc_5C08CF
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	[ebp+arg_8], 1
		jnz	loc_4AB053
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_4AB053
		or	edx, 80000000h
		jmp	loc_4AB053
; 

loc_5C08CF:				; CODE XREF: MiCopyDataPageToImagePage+115D80j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_4AB053
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_4AB053
		or	edx, 80000000h
		jmp	loc_4AB053
; 

loc_5C0904:				; CODE XREF: MiCopyDataPageToImagePage+53Ej
		push	edx
		push	ecx
		lea	ecx, [edi+8]
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_4AB064
; 

loc_5C0913:				; CODE XREF: MiCopyDataPageToImagePage+586j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		mov	ecx, [ebp+arg_0]
		test	eax, eax
		jz	short loc_5C094C
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	[ebp+arg_8], 1
		jnz	loc_4AB0AF
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_4AB0AF
		or	edx, 80000000h
		jmp	loc_4AB0AF
; 

loc_5C094C:				; CODE XREF: MiCopyDataPageToImagePage+115DFDj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_4AB0AF
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_4AB0AF
		or	edx, 80000000h
		jmp	loc_4AB0AF
; 

loc_5C0981:				; CODE XREF: MiCopyDataPageToImagePage+59Aj
		push	edx
		push	ecx
		lea	ecx, [edi+10h]
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_4AB0C0
; 

loc_5C0990:				; CODE XREF: MiCopyDataPageToImagePage+49Cj
		mov	eax, 0C000009Ah
		jmp	loc_4AB116
; 

loc_5C099A:				; CODE XREF: MiCopyDataPageToImagePage+ADj
		add	ecx, 10h
		lock and [ecx],	edx
		jmp	loc_4AABD3
; 

loc_5C09A5:				; CODE XREF: MiCopyDataPageToImagePage+B8j
		call	_MiUnlockNestedProtoPoolPage@4 ; MiUnlockNestedProtoPoolPage(x)
		mov	eax, [ebp+var_4]
		mov	edx, 7FFFFFFFh
		jmp	loc_4AABDE
; 

loc_5C09B7:				; CODE XREF: MiCopyDataPageToImagePage+C8j
		mov	ecx, esi
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, [ebp+var_4]
		mov	edx, 7FFFFFFFh
		jmp	loc_4AABEE
; 

loc_5C09CB:				; CODE XREF: MiCopyDataPageToImagePage+E6j
		push	3
		push	ecx
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		call	MiDereferenceControlAreaPfnList
		jmp	loc_4AAC0C
; END OF FUNCTION CHUNK	FOR MiCopyDataPageToImagePage
; 
; START	OF FUNCTION CHUNK FOR MiDereferencePageRunsEx

loc_5C09DD:				; CODE XREF: MiDereferencePageRunsEx+3Aj
		mov	eax, [ebp+var_8]
		add	eax, 70h
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4AB3BA
; 

loc_5C09F7:				; CODE XREF: MiDereferencePageRunsEx+4Fj
		lea	eax, [ecx+70h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	edi
		push	offset unk_6D4EB0
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al
		jmp	loc_4AB38D
; 

loc_5C0A17:				; CODE XREF: MiDereferencePageRunsEx+7Cj
					; MiDereferencePageRunsEx+1156F0j
		mov	esi, [ebx]
		lea	ecx, [ebx+4]
		xor	edx, edx
		inc	edx
		call	KeSignalGate
		mov	ebx, esi
		test	esi, esi
		jnz	short loc_5C0A17
		mov	esi, [ebp+var_10]
		jmp	loc_4AB3BA
; 

loc_5C0A32:				; CODE XREF: MiDereferencePageRunsEx+84j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4AB3C2
; END OF FUNCTION CHUNK	FOR MiDereferencePageRunsEx
; 
; START	OF FUNCTION CHUNK FOR MiReferencePageRuns

loc_5C0A3F:				; CODE XREF: MiReferencePageRuns+25j
		lea	ecx, [edi+70h]
		push	ecx
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	eax, offset _MiSystemPartition
		jmp	loc_4AB3F7
; 

loc_5C0A52:				; CODE XREF: MiReferencePageRuns+49j
		lea	eax, [edi+70h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	loc_4AB41B
; 

loc_5C0A60:				; CODE XREF: MiReferencePageRuns+65j
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	MiReferencePageRuns
		mov	esi, eax
		jmp	loc_4AB437
; END OF FUNCTION CHUNK	FOR MiReferencePageRuns
; 
; START	OF FUNCTION CHUNK FOR MiReferenceControlArea

loc_5C0A73:				; CODE XREF: MiReferenceControlArea+5Dj
		mov	edx, [ebp+4]
		mov	ecx, offset dword_6CF3C0
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_4AB4B7
; END OF FUNCTION CHUNK	FOR MiReferenceControlArea
; 
; START	OF FUNCTION CHUNK FOR MiObtainProtoBaseFromNode

loc_5C0A85:				; CODE XREF: MiObtainProtoBaseFromNode+47j
		sub	eax, 1
		jz	short loc_5C0A91
		xor	eax, eax
		jmp	loc_4AB7D5
; 

loc_5C0A91:				; CODE XREF: MiObtainProtoBaseFromNode+1152D2j
		mov	edx, [ecx+10h]
		mov	esi, [ecx+14h]
		jmp	loc_4AB7D1
; END OF FUNCTION CHUNK	FOR MiObtainProtoBaseFromNode
; 
; START	OF FUNCTION CHUNK FOR MiConvertStaticSubsections

loc_5C0A9C:				; CODE XREF: MiConvertStaticSubsections+42j
		movzx	eax, word ptr [esi+12h]
		or	ecx, 3FFFFFFFh
		mov	[esi+20h], ecx
		jmp	loc_4AB8A0
; 

loc_5C0AAE:				; CODE XREF: MiConvertStaticSubsections+34j
		cmp	[esi+3Ch], ebx
		jnz	loc_4AB873
		push	ebx
		push	ebx
		push	esi
		push	42003h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C0AC7:				; CODE XREF: MiDecrementSubsectionViewCount+19j
					; MiDecrementSubsectionViewCount+2Ej
		push	0
		push	0
		push	ecx
		push	42001h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C0AD9:				; CODE XREF: MiLockSectionControlArea+43j
		mov	edx, [ebp+4]
		mov	ecx, offset dword_6CF3C0
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_4ABA6F
; END OF FUNCTION CHUNK	FOR MiConvertStaticSubsections
; 
; START	OF FUNCTION CHUNK FOR MiSectionCreated

loc_5C0AEB:				; CODE XREF: MiSectionCreated+13Cj
		mov	ecx, eax
		jmp	short loc_5C0AF2
; 

loc_5C0AEF:				; CODE XREF: MiSectionCreated+11506Aj
		mov	ecx, [ebp+var_C]

loc_5C0AF2:				; CODE XREF: MiSectionCreated+11501Dj
		call	_MiReturnPfnReferenceCount@4 ; MiReturnPfnReferenceCount(x)
		mov	eax, [ebp+var_8]
		or	dword ptr [eax], 0FFFFFFFFh
		jmp	loc_4ABCBC
; 

loc_5C0B02:				; CODE XREF: MiSectionCreated+14Fj
		mov	dl, cl
		mov	ecx, [ebp+var_14]
		call	MiUnlockProtoPoolPage
		jmp	loc_4ABC25
; 

loc_5C0B11:				; CODE XREF: MiSectionCreated+166j
		push	0
		push	0
		push	ebx
		push	2
		call	MmAccessFault
		jmp	loc_4ABC25
; 

loc_5C0B22:				; CODE XREF: MiSectionCreated+18Bj
		lea	ecx, [eax+10h]
		mov	edx, 7FFFFFFFh
		lock and [ecx],	edx
		jmp	short loc_5C0B32
; 

loc_5C0B2F:				; CODE XREF: MiSectionCreated+199j
		xor	eax, eax
		inc	eax

loc_5C0B32:				; CODE XREF: MiSectionCreated+11505Dj
		test	eax, eax
		jz	loc_4ABC6F
		jmp	short loc_5C0AEF
; 

loc_5C0B3C:				; CODE XREF: MiSectionCreated+1B1j
		mov	esi, [ebp+var_20]

loc_5C0B3F:				; CODE XREF: MiSectionCreated+11507Bj
					; MiSectionCreated+115082j
		lea	ecx, [ebp+var_34]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5C0B3F
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5C0B3F
		mov	esi, [ebp+var_1C]
		jmp	loc_4ABC87
; END OF FUNCTION CHUNK	FOR MiSectionCreated
; 
; START	OF FUNCTION CHUNK FOR CcDeductDirtyPages

loc_5C0B5C:				; CODE XREF: CcDeductDirtyPages+Aj
		mov	eax, ds:_PspSystemPartition
		mov	eax, [eax+4]
		jmp	loc_4ABD23
; 

loc_5C0B69:				; CODE XREF: CcDeductDirtyPages+22j
		push	0
		push	0
		push	0C0000420h
		push	1637h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C0B7F:				; DATA XREF: .text:006A1C14o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B4h], eax
		mov	[ebp-84h], eax
		mov	eax, [ebp-84h]
		push	eax
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	[ebp-88h], ecx
		mov	eax, [ebp-88h]
		retn
; END OF FUNCTION CHUNK	FOR CcDeductDirtyPages

;  S U B	R O U T	I N E 


sub_5C0BB2	proc near		; DATA XREF: .text:006A1C18o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp+14h]
		mov	eax, [ebp-94h]
		mov	[ebp-68h], eax
		mov	eax, [ebp-98h]
		mov	[ebp-64h], eax
		mov	eax, [ebp-48h]
		mov	[ebp-5Ch], eax
		mov	[ebp-40h], eax
		mov	[ebp-50h], eax
		mov	ebx, eax
		mov	esi, eax
		mov	eax, [ebp-9Ch]
		mov	[ebp-1Ch], eax
		mov	eax, [ebp-0A0h]
		mov	[ebp-24h], eax
		mov	eax, ebx
		mov	[ebp-60h], eax
		mov	eax, [ebp-0A4h]
		mov	[ebp-34h], eax
		mov	eax, [ebp-0A8h]
		mov	[ebp-28h], eax
		mov	eax, edi
		mov	[ebp-80h], eax
		jmp	loc_4ABE42
sub_5C0BB2	endp

; 
; START	OF FUNCTION CHUNK FOR CcAcquireByteRangeForWrite

loc_5C0C14:				; CODE XREF: CcAcquireByteRangeForWrite+3F4j
					; CcAcquireByteRangeForWrite+400j
		mov	ecx, [ecx+1Ch]
		mov	eax, [ebp+var_48]
		shr	eax, 5
		lea	ebx, [ecx+eax*4]
		mov	eax, [ebp+var_54]
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+var_48]
		mov	ecx, eax
		and	ecx, 0FFFFFFE0h
		xor	edi, edi
		add	ecx, [ebp+var_38]
		mov	[ebp+var_24], ecx
		adc	edi, [ebp+var_30]
		mov	[ebp+var_1C], edi
		mov	[ebp+var_60], eax
		mov	edi, dword ptr [ebp+arg_C]
		jmp	loc_4AC787
; 

loc_5C0C4D:				; CODE XREF: CcAcquireByteRangeForWrite+8B0j
		mov	[ebp+var_5C], 1
		jmp	loc_4AC176
; 

loc_5C0C59:				; CODE XREF: CcAcquireByteRangeForWrite+64Aj
		mov	eax, [ecx+8]
		mov	[ebp+var_2C], eax
		mov	eax, [ecx+0Ch]
		shrd	[ebp+var_2C], eax, 0Ch
		cmp	[ebp+var_1C], 0
		jl	loc_4ABF56
		jg	loc_4AC3C0
		mov	eax, [ebp+var_24]
		cmp	eax, [ebp+var_2C]
		jbe	loc_4ABF56
		jmp	loc_4AC3C0
; 

loc_5C0C88:				; CODE XREF: CcAcquireByteRangeForWrite+6C5j
					; CcAcquireByteRangeForWrite+6D6j
		test	dl, dl
		jz	loc_4AC81D
		inc	ds:_CcDbgLsnLargerThanHint
		jmp	loc_4AC81D
; 

loc_5C0C9B:				; CODE XREF: CcAcquireByteRangeForWrite+689j
		push	0
		mov	dl, 1
		mov	ecx, [ebp+var_28]
		call	CcUnpinFileDataEx
		mov	ecx, [ebp+var_4C]
		call	ExAcquireFastMutex
		jmp	loc_4AC2B8
; 

loc_5C0CB4:				; CODE XREF: CcAcquireByteRangeForWrite+5A7j
		push	ecx
		mov	eax, [ebx+9Ch]
		jmp	loc_4AC323
; END OF FUNCTION CHUNK	FOR CcAcquireByteRangeForWrite

;  S U B	R O U T	I N E 


sub_5C0CC0	proc near		; DATA XREF: .text:006A1C20o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B8h], eax
		mov	[ebp-8Ch], eax
		mov	eax, [ebp-8Ch]
		push	eax
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	[ebp-90h], ecx
		mov	eax, [ebp-90h]
		retn
sub_5C0CC0	endp


;  S U B	R O U T	I N E 


sub_5C0CF3	proc near		; DATA XREF: .text:006A1C24o
		mov	esp, [ebp-18h]
		xor	edx, edx
		mov	[ebp+8], edx
		mov	eax, 2FDh
		mov	edi, [ebp+18h]
		mov	ebx, [ebp+10h]

loc_5C0D06:				; CODE XREF: sub_5C0CF3+4Bj
					; sub_5C0CF3+58j
		mov	ecx, [edi]
		mov	esi, [ecx+10h]
		sub	esi, 10h
		cmp	[ecx], ax
		jnz	short loc_5C0D35
		mov	eax, [ecx+8]
		mov	[ebp+0Ch], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+8], eax
		mov	eax, [ebp-20h]
		movzx	edx, byte ptr [eax+60h]
		shr	edx, 1
		and	edx, 1
		push	0
		call	CcUnpinFileDataEx
		mov	edx, [ebp+0Ch]

loc_5C0D35:				; CODE XREF: sub_5C0CF3+1Ej
		mov	[edi], esi
		cmp	[ebx], edx
		mov	eax, 2FDh
		jnz	short loc_5C0D06
		mov	eax, [ebx+4]
		cmp	eax, [ebp+8]
		mov	eax, 2FDh
		jnz	short loc_5C0D06
		mov	edi, [ebp+14h]
		mov	dword ptr [edi], 0
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_4AC0B2
sub_5C0CF3	endp

; 
; START	OF FUNCTION CHUNK FOR CcAcquireByteRangeForWrite

loc_5C0D62:				; CODE XREF: CcAcquireByteRangeForWrite+54Cj
		mov	edx, [ebp+var_3C]
		jmp	loc_4ABF56
; 

loc_5C0D6A:				; CODE XREF: CcAcquireByteRangeForWrite+1EDj
		test	edx, edx
		jz	short loc_5C0D78
		mov	eax, [edx]
		mov	dword ptr [ebp+arg_C], eax
		mov	edx, [edx+4]
		jmp	short loc_5C0D81
; 

loc_5C0D78:				; CODE XREF: CcAcquireByteRangeForWrite+114FFCj
		mov	dword ptr [ebp+arg_C], 0
		xor	edx, edx

loc_5C0D81:				; CODE XREF: CcAcquireByteRangeForWrite+115006j
		mov	ecx, [ebp+var_40]
		mov	eax, [ecx+18h]
		push	eax
		push	ecx
		push	[ebp+var_1C]
		push	[ebp+var_24]
		push	[ebp+var_20]
		push	[ebp+arg_0]
		push	edx
		push	dword ptr [ebp+arg_C] ;	char
		push	offset ??_C@_0FB@CFMECOPH@CcAcquireByteRange?5?$CIAcceptPage?$CJ@FNODOBFM@ ; char *
		push	0		; int
		push	7Fh		; int
		call	_DbgPrintEx
		add	esp, 2Ch
		mov	edx, [ebp+var_3C]
		jmp	loc_4ABF63
; 

loc_5C0DB2:				; CODE XREF: CcAcquireByteRangeForWrite+210j
		push	0
		push	0
		push	0C0000420h
		push	11D4h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C0DC7:				; CODE XREF: CcAcquireByteRangeForWrite+2A8j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_78]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4AC040
; 

loc_5C0DD7:				; CODE XREF: CcAcquireByteRangeForWrite+24Ej
		push	0
		push	0
		push	0C0000420h
		push	1203h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C0DED:				; CODE XREF: PfSnCheckLoggingForThread+32j
		cmp	eax, ecx
		jnz	loc_4AD302
		mov	eax, [esi+130h]
		cmp	eax, [ecx+2B0h]
		jnz	loc_4AD302
		jmp	loc_4AD2F2
; END OF FUNCTION CHUNK	FOR CcAcquireByteRangeForWrite
; 
; START	OF FUNCTION CHUNK FOR RtlpHpHeapCheckCommitLimit

loc_5C0E0C:				; CODE XREF: RtlpHpHeapCheckCommitLimit+Ej
					; RtlpHpHeapCheckCommitLimit+21j
		lea	eax, [ecx+edx]
		cmp	eax, esi
		jbe	loc_4AD32D
		mov	eax, [edi+4]
		xor	esi, esi
		test	eax, eax
		jz	loc_4AD330
		push	edx
		mov	edx, [ebp+arg_0]
		push	ecx
		push	eax
		push	esi
		push	15h
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	loc_4AD330
; END OF FUNCTION CHUNK	FOR RtlpHpHeapCheckCommitLimit
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegMgrCommit

loc_5C0E38:				; CODE XREF: RtlpHpSegMgrCommit+5Ej
		mov	ebx, 0C000012Dh
		jmp	loc_4AD428
; 

loc_5C0E42:				; CODE XREF: RtlpHpSegMgrCommit+6Fj
		push	dword ptr [edi+20h]
		mov	ecx, edx
		lea	edx, [esp+2Ch+var_18]
		push	dword ptr [edi+1Ch]
		and	ecx, 0FFE00000h
		push	0
		mov	[esp+34h+var_1C], ecx
		call	_RtlpHpQueryVA@20 ; RtlpHpQueryVA(x,x,x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	eax, [esp+28h+var_18]
		shr	ecx, 9
		lea	ecx, [eax+ecx*2]
		jmp	loc_4AD3AF
; 

loc_5C0E71:				; CODE XREF: RtlpHpSegMgrCommit+9Ej
		lea	eax, [esp+28h+var_8]
		mov	edx, ecx
		push	eax
		lea	eax, [esp+2Ch+var_4]
		mov	ecx, edi
		push	eax
		push	[ebp+arg_10]
		push	ebx
		call	_RtlpHpSegMgrCommitInitiate@24 ; RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)
		cmp	eax, 0C0000100h
		jz	loc_5C0F1C
		cmp	eax, 0C0000102h
		jnz	loc_4AD3DC
		and	[esp+28h+var_1C], 0FFE00000h
		mov	[esp+28h+var_14], 200000h
		test	ebx, ebx
		jle	loc_4AD433
		or	esi, 20000000h
		jmp	loc_4AD3DC
; 

loc_5C0EC1:				; CODE XREF: RtlpHpSegMgrCommit+12Fj
		push	[ebp+arg_4]	; size_t
		push	0		; int
		push	[esp+30h+var_1C] ; void	*
		call	_memset
		add	esp, 0Ch
		jmp	loc_4AD41C
; 

loc_5C0ED7:				; CODE XREF: RtlpHpSegMgrCommit+EAj
		mov	edx, [ebp+arg_8]
		mov	ecx, 4000h
		test	[eax], cx
		jz	loc_4AD46C
		test	ebx, ebx
		js	loc_4AD46C
		movsx	eax, word ptr [edi+10h]
		xor	ecx, ecx
		test	edx, edx
		setnle	cl
		add	eax, 4
		add	eax, edi
		lea	ecx, ds:0FFFFFFFFh[ecx*2]
		lock xadd [eax], ecx
		movsx	eax, word ptr [edi+10h]
		mov	ecx, edx
		add	eax, edi
		lock xadd [eax], ecx
		jmp	loc_4AD46C
; 

loc_5C0F1C:				; CODE XREF: RtlpHpSegMgrCommit+113B55j
		movsx	eax, word ptr [edi+10h]
		add	eax, edi
		lock xadd [eax], ebx
		cmp	[esp+28h+var_10], 0
		jz	short loc_5C0F3E
		push	[ebp+arg_4]	; size_t
		push	0		; int
		push	[esp+30h+var_1C] ; void	*
		call	_memset
		add	esp, 0Ch

loc_5C0F3E:				; CODE XREF: RtlpHpSegMgrCommit+113BF3j
		xor	ebx, ebx
		jmp	loc_4AD428
; END OF FUNCTION CHUNK	FOR RtlpHpSegMgrCommit
; 
; START	OF FUNCTION CHUNK FOR RtlpHpAllocVA

loc_5C0F45:				; CODE XREF: RtlpHpAllocVA+124j
		or	edx, 0FFFFFFFFh
		jmp	loc_4AD5EA
; 

loc_5C0F4D:				; CODE XREF: RtlpHpAllocVA+166j
		lea	esi, [edi+64h]
		push	esi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		push	0
		push	0
		lea	edx, [esp+48h+var_18]
		mov	bl, al
		lea	ecx, [edi+30h]
		call	_RtlpHpVaMgrCtxAllocatorFind@16	; RtlpHpVaMgrCtxAllocatorFind(x,x,x,x)
		push	esi
		mov	edi, eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [esp+40h+var_2C]
		jmp	loc_4AD630
; 

loc_5C0F81:				; CODE XREF: RtlpHpAllocVA+187j
		mov	eax, 0C000009Ah
		jmp	loc_4AD5AF
; 

loc_5C0F8B:				; CODE XREF: RtlpHpAllocVA+9Fj
		mov	ecx, [esp+40h+var_2C]
		mov	[ecx], esi
		test	edx, 40000000h
		jz	loc_4AD5AD
		mov	eax, [esp+40h+var_30]
		push	esi		; size_t
		push	0		; int
		push	dword ptr [eax]	; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_4AD5AD
; END OF FUNCTION CHUNK	FOR RtlpHpAllocVA
; 
; START	OF FUNCTION CHUNK FOR MiInitializePoolCommitPacket

loc_5C0FB3:				; CODE XREF: MiInitializePoolCommitPacket+F1j
		cmp	eax, 1
		jz	loc_4AD6BB
		cmp	eax, 18h
		jz	loc_4AD6BB
		push	[ebp+arg_4]
		push	esi
		push	edx
		push	5300h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C0FD6:				; CODE XREF: MiInitializePoolCommitPacket+8Aj
		xor	edx, edx
		mov	ecx, ebx
		call	_MiObtainPoolCharges@8 ; MiObtainPoolCharges(x,x)
		test	eax, eax
		jz	short loc_5C100E
		push	esi
		mov	ecx, ebx
		call	_MiGetLargePageChain@12	; MiGetLargePageChain(x,x,x)
		mov	[edi+8], eax
		test	eax, eax
		jnz	short loc_5C1018
		xor	edx, edx
		mov	[ebp+var_14], eax
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_18], ebx
		call	_MiReturnPoolCharges@8 ; MiReturnPoolCharges(x,x)

loc_5C100E:				; CODE XREF: MiInitializePoolCommitPacket+9Dj
					; MiInitializePoolCommitPacket+113953j
		mov	eax, 0C000009Ah
		jmp	loc_4AD742
; 

loc_5C1018:				; CODE XREF: MiInitializePoolCommitPacket+113962j
		push	4
		pop	eax
		or	[edi+2Eh], ax
		jmp	loc_4AD731
; END OF FUNCTION CHUNK	FOR MiInitializePoolCommitPacket
; 
; START	OF FUNCTION CHUNK FOR RtlpHpEnvAllocVA

loc_5C1024:				; CODE XREF: RtlpHpEnvAllocVA+CFj
		lea	eax, [esi+ebx]
		mov	[ebp+arg_4], eax
		jmp	loc_4AD7E8
; 

loc_5C102F:				; CODE XREF: RtlpHpEnvAllocVA+F2j
		push	ebx
		lea	edx, [ebp+arg_8]
		lea	ecx, [ebp+arg_10]
		call	_RtlpHpEnvFreeVA@12 ; RtlpHpEnvFreeVA(x,x,x)
		mov	edi, [ebp+arg_8]
		mov	ecx, eax
		mov	edx, [ebp+arg_0]
		jmp	loc_4AD89F
; 

loc_5C1048:				; CODE XREF: RtlpHpEnvAllocVA+10Bj
		push	ebx
		lea	edx, [ebp+arg_8]
		lea	ecx, [ebp+arg_10]
		call	_RtlpHpEnvFreeVA@12 ; RtlpHpEnvFreeVA(x,x,x)
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		jmp	loc_4AD8B5
; END OF FUNCTION CHUNK	FOR RtlpHpEnvAllocVA
; 
; START	OF FUNCTION CHUNK FOR MmAllocatePoolMemory

loc_5C105E:				; CODE XREF: MmAllocatePoolMemory+99j
					; MmAllocatePoolMemory+ACj
		cmp	[esp+50h+var_40], 0
		jz	short loc_5C1073
		push	8000h
		mov	edx, ebx
		mov	ecx, esi
		call	MmFreePoolMemory

loc_5C1073:				; CODE XREF: MmAllocatePoolMemory+11378Dj
		and	dword ptr [esi], 0
		jmp	loc_4AD988
; 

loc_5C107B:				; CODE XREF: MmAllocatePoolMemory+2Fj
					; MmAllocatePoolMemory+3Ej
		mov	eax, 0C00000F1h
		jmp	loc_4AD998
; END OF FUNCTION CHUNK	FOR MmAllocatePoolMemory
; 
; START	OF FUNCTION CHUNK FOR MiCountSystemPool

loc_5C1085:				; CODE XREF: MiCountSystemPool+5Aj
		cmp	ecx, 0Bh
		jz	loc_4ADA4A
		xor	esi, esi
		jmp	loc_4AD9FB
; END OF FUNCTION CHUNK	FOR MiCountSystemPool
; 
; START	OF FUNCTION CHUNK FOR MiReturnExcessPoolCommit

loc_5C1095:				; CODE XREF: MiReturnExcessPoolCommit+17j
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_5C10A1
		call	_MiFreeLargePageChain@4	; MiFreeLargePageChain(x)

loc_5C10A1:				; CODE XREF: MiReturnExcessPoolCommit+11361Aj
		mov	ebx, [esi+0Ch]
		mov	edx, [esi+4]
		cmp	ebx, edx
		jz	loc_4ADAAB
		push	6
		sub	edx, ebx
		lea	edi, [ebp+var_18]
		pop	ecx
		xor	eax, eax
		rep stosd
		mov	[ebp+var_C], edx
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_18], edx
		xor	edx, edx
		call	_MiReturnPoolCharges@8 ; MiReturnPoolCharges(x,x)
		jmp	loc_4ADAAB
; END OF FUNCTION CHUNK	FOR MiReturnExcessPoolCommit
; 
; START	OF FUNCTION CHUNK FOR MiCommitPoolMemory

loc_5C10D0:				; CODE XREF: MiCommitPoolMemory+10Fj
		xor	eax, eax
		inc	eax
		or	[esi+2Eh], ax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [esi+1Ch]
		mov	[esi+2Ch], al
		call	MiLockWorkingSetShared
		xor	ebx, ebx
		jmp	loc_4ADB84
; 

loc_5C10EF:				; CODE XREF: MiCommitPoolMemory+B0j
		push	dword ptr [esi+4]
		mov	ecx, [esi]
		xor	edx, edx
		push	0Bh
		call	_MiLogPerfMemoryRangeEvent@16 ;	MiLogPerfMemoryRangeEvent(x,x,x,x)
		jmp	loc_4ADBB4
; 

loc_5C1102:				; CODE XREF: MiCommitPoolMemory+9Bj
		test	cl, 2
		jnz	short loc_5C114B
		mov	ebx, [esi]
		mov	edx, ebx
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		lea	eax, [edx-40000000h]
		cmp	edi, eax
		jz	short loc_5C114B
		sub	edi, edx
		mov	eax, ecx
		add	edi, 40000000h
		shr	eax, 2
		sar	edi, 3
		and	eax, 1
		test	ecx, 100h
		jz	short loc_5C113C
		or	eax, 2

loc_5C113C:				; CODE XREF: MiCommitPoolMemory+113639j
		push	eax
		push	4000h
		mov	edx, edi
		mov	ecx, ebx
		call	MiClearNonPagedPtes

loc_5C114B:				; CODE XREF: MiCommitPoolMemory+113607j
					; MiCommitPoolMemory+11361Ej
		mov	ebx, 0C000009Ah
		jmp	loc_4ADBC3
; END OF FUNCTION CHUNK	FOR MiCommitPoolMemory
; 
; START	OF FUNCTION CHUNK FOR MiLockPoolCommitPageTable

loc_5C1155:				; CODE XREF: MiLockPoolCommitPageTable+39j
		push	0
		push	0
		push	edi
		push	5301h
		jmp	short loc_5C1169
; 

loc_5C1161:				; CODE XREF: MiLockPoolCommitPageTable+1134B6j
		push	esi
		push	esi
		push	edi
		push	5303h

loc_5C1169:				; CODE XREF: MiLockPoolCommitPageTable+113487j
					; MiLockPoolCommitPageTable+1134AAj
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C1170:				; CODE XREF: MiLockPoolCommitPageTable+68j
		and	ecx, 80h
		or	ecx, esi
		jz	short loc_5C1184
		push	esi
		push	esi
		push	edi
		push	5302h
		jmp	short loc_5C1169
; 

loc_5C1184:				; CODE XREF: MiLockPoolCommitPageTable+1134A0j
		test	byte ptr [ebx+2Eh], 4
		jz	loc_4ADD46
		jmp	short loc_5C1161
; END OF FUNCTION CHUNK	FOR MiLockPoolCommitPageTable
; 
; START	OF FUNCTION CHUNK FOR MiIncrementSubsectionViewCount

loc_5C1190:				; CODE XREF: MiIncrementSubsectionViewCount+19j
		push	edx
		push	edx
		push	ecx
		push	42000h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C11A0:				; CODE XREF: IoPageReadEx+42j
		or	bl, 2
		jmp	loc_4AE218
; END OF FUNCTION CHUNK	FOR MiIncrementSubsectionViewCount
; 
; START	OF FUNCTION CHUNK FOR IoPageReadEx

loc_5C11A8:				; CODE XREF: IoPageReadEx+8Fj
		mov	ecx, [esp+28h+var_14]
		call	_MmIsFileObjectAPagingFile@4 ; MmIsFileObjectAPagingFile(x)
		test	eax, eax
		jz	short loc_5C11D6
		lock inc ds:_IoPageReadIrpAllocationFailure
		mov	eax, [esp+28h+var_10]
		push	0
		mov	dl, [eax+30h]
		call	_IopAllocateReserveIrp@12 ; IopAllocateReserveIrp(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_4AE265
		jmp	short loc_5C1215
; 

loc_5C11D6:				; CODE XREF: IoPageReadEx+112FE3j
		lock inc ds:_IoPageReadNonPagefileIrpAllocationFailure
		mov	ax, [edi+6]
		mov	ecx, 6
		bt	ax, cx
		setb	dl
		test	byte ptr [esp+28h+var_18], 40h
		setnz	al
		test	dl, al
		jz	short loc_5C1215
		mov	eax, [esp+28h+var_10]
		mov	ecx, [esp+28h+var_C]
		push	1
		mov	dl, [eax+30h]
		call	_IopAllocateBackpocketIrp@12 ; IopAllocateBackpocketIrp(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_4AE265

loc_5C1215:				; CODE XREF: IoPageReadEx+113004j
					; IoPageReadEx+113027j
		mov	eax, 0C000009Ah
		jmp	loc_4AE355
; 

loc_5C121F:				; CODE XREF: IoPageReadEx+EBj
		cmp	ecx, 2
		jnz	loc_4AE2C1
		mov	ecx, 3
		jmp	loc_4AE2C1
; END OF FUNCTION CHUNK	FOR IoPageReadEx
; 
; START	OF FUNCTION CHUNK FOR MiReacquireWalkLocks

loc_5C1232:				; CODE XREF: MiReacquireWalkLocks+2Fj
		mov	edx, eax
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		cmp	[ebp+arg_0], 0
		jnz	short loc_5C124C
		mov	dl, [esi+6]
		mov	ecx, [esi+10h]
		call	MiUnlockWorkingSetShared

loc_5C124C:				; CODE XREF: MiReacquireWalkLocks+112DE9j
		xor	eax, eax
		jmp	loc_4AE495
; END OF FUNCTION CHUNK	FOR MiReacquireWalkLocks
; 
; START	OF FUNCTION CHUNK FOR MiRelockFaultState

loc_5C1253:				; CODE XREF: MiRelockFaultState+3Aj
		mov	edx, esi
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		xor	esi, esi
		jmp	loc_4AE4DC
; END OF FUNCTION CHUNK	FOR MiRelockFaultState
; 
; START	OF FUNCTION CHUNK FOR MiEvictPageTableLock

loc_5C126D:				; CODE XREF: MiEvictPageTableLock+ADj
		push	0
		push	1000h
		push	esi
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, 1000h
		jnz	loc_4AE625
		mov	eax, [ebp+arg_0]
		jmp	loc_4AE603
; END OF FUNCTION CHUNK	FOR MiEvictPageTableLock
; 
; START	OF FUNCTION CHUNK FOR PfFileInfoNotify

loc_5C128D:				; CODE XREF: PfFileInfoNotify+23j
		mov	eax, 0C000000Dh
		jmp	loc_4AF2A5
; 

loc_5C1297:				; CODE XREF: PfFileInfoNotify+35Ej
					; PfFileInfoNotify+36Bj ...
		mov	eax, 0C00000BBh
		jmp	loc_4AF2A5
; 

loc_5C12A1:				; CODE XREF: PfFileInfoNotify+B73j
		mov	eax, 0C0000189h
		jmp	loc_4AF2A5
; 

loc_5C12AB:				; CODE XREF: PfFileInfoNotify+B57j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset dword_6D4930
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		or	eax, 0FFFFFFFFh
		cmp	ds:dword_6D4928, 0
		jz	loc_5C155F
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset dword_6D4934
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		or	ds:dword_6D4940, 1
		mov	eax, ds:dword_6D4938
		cmp	eax, offset dword_6D4938
		jz	short loc_5C1326
		mov	esi, eax

loc_5C1308:				; CODE XREF: PfFileInfoNotify+112591j
		or	dword ptr [esi+28h], 4
		lea	eax, [esi+3Ch]
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	esi, [esi]
		cmp	esi, offset dword_6D4938
		jnz	short loc_5C1308
		mov	esi, [ebp+arg_0]

loc_5C1326:				; CODE XREF: PfFileInfoNotify+112574j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5C133A
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5C133A:				; CODE XREF: PfFileInfoNotify+1125A1j
		xor	edi, edi
		mov	ecx, offset dword_6D4934
		mov	[esp+80h+var_60], edi
		test	ecx, 7FFFFFFCh
		jz	loc_5C152A
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	esi, ds:dword_6D07D0
		shr	edx, 15h
		cmp	esi, ecx
		mov	[esp+80h+var_50], esi
		mov	esi, [ebp+arg_0]
		mov	[esp+80h+var_70], eax
		ja	short loc_5C137A
		cmp	byte ptr ds:dword_6D3994[edx], 1
		jz	short loc_5C138D

loc_5C137A:				; CODE XREF: PfFileInfoNotify+1125DFj
		cmp	[esp+80h+var_50], offset dword_6D4934
		ja	short loc_5C13A7
		cmp	byte ptr ds:dword_6D3994[edx], 0Bh
		jnz	short loc_5C13A7

loc_5C138D:				; CODE XREF: PfFileInfoNotify+1125E8j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esp+80h+var_74], eax
		mov	ecx, offset dword_6D4934
		mov	eax, [esp+80h+var_70]
		jmp	short loc_5C13AE
; 

loc_5C13A7:				; CODE XREF: PfFileInfoNotify+1125F2j
					; PfFileInfoNotify+1125FBj
		or	edx, 0FFFFFFFFh
		mov	[esp+80h+var_74], edx

loc_5C13AE:				; CODE XREF: PfFileInfoNotify+112615j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	dl, [eax+1E6h]
		mov	[esp+80h+var_75], dl
		mov	edx, [esp+80h+var_74]
		push	edx
		mov	edx, ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[esp+80h+var_50], edx
		test	edx, edx
		jnz	short loc_5C1406
		mov	ecx, [esp+80h+var_70]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_5C1496
		push	edx
		push	[esp+84h+var_74]
		push	offset dword_6D4934
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C1406:				; CODE XREF: PfFileInfoNotify+11264Dj
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jge	short loc_5C141F
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [esp+94h+var_64]

loc_5C141F:				; CODE XREF: PfFileInfoNotify+112682j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+94h+var_74], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [esp+94h+var_84]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	[esp+94h+var_89], 1
		mov	[esp+1Ch], eax
		jnz	short loc_5C147E
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [esp+1Ch]
		bts	eax, edx
		mov	[ecx+1E4h], al
		jmp	short loc_5C1496
; 

loc_5C147E:				; CODE XREF: PfFileInfoNotify+1126D6j
		mov	ecx, [esp+1Ch]
		mov	al, 1
		shl	al, cl
		mov	ecx, [esp+94h+var_84]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp+arg_0]

loc_5C1496:				; CODE XREF: PfFileInfoNotify+11265Bj
					; PfFileInfoNotify+1126ECj
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+94h+var_88], eax
		jz	short loc_5C1512
		test	edi, 8000h
		jz	short loc_5C14C1
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+94h+var_84]
		mov	eax, [esp+94h+var_88]

loc_5C14C1:				; CODE XREF: PfFileInfoNotify+112720j
		test	byte ptr [esp+94h+var_74+2], 1
		jz	short loc_5C14DA
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+94h+var_84]
		mov	eax, [esp+94h+var_88]

loc_5C14DA:				; CODE XREF: PfFileInfoNotify+112736j
		test	edi, 7FFFh
		jz	short loc_5C14F7
		and	edi, 7FFFh
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority
		mov	ecx, [esp+94h+var_84]
		mov	eax, [esp+94h+var_88]

loc_5C14F7:				; CODE XREF: PfFileInfoNotify+112750j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5C1512
		push	eax
		mov	edx, offset dword_6D4934
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [esp+94h+var_84]

loc_5C1512:				; CODE XREF: PfFileInfoNotify+112718j
					; PfFileInfoNotify+112771j
		nop
		add	word ptr [ecx+13Eh], 1
		jnz	short loc_5C152A
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_5C152A
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5C152A:				; CODE XREF: PfFileInfoNotify+1125BBj
					; PfFileInfoNotify+11278Bj ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, offset unk_6D492C
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, offset unk_6D492C
		call	@ExRundownCompleted@4 ;	ExRundownCompleted(x)
		mov	ds:dword_6D4928, 0
		or	eax, 0FFFFFFFFh
		mov	[esp+94h+var_88], 0
		mov	edi, offset dword_6D4930
		jmp	short loc_5C1567
; 

loc_5C155F:				; CODE XREF: PfFileInfoNotify+112541j
		mov	[esp+80h+var_74], 0C0000225h

loc_5C1567:				; CODE XREF: PfFileInfoNotify+1127CDj
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5C1578
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5C1578:				; CODE XREF: PfFileInfoNotify+1127DFj
		xor	edi, edi
		mov	ecx, offset dword_6D4930
		mov	[esp+80h+var_50], edi
		test	ecx, 7FFFFFFCh
		jz	loc_5C1768
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	esi, ds:dword_6D07D0
		shr	edx, 15h
		cmp	esi, ecx
		mov	[esp+80h+var_60], esi
		mov	esi, [ebp+arg_0]
		mov	[esp+80h+var_70], eax
		ja	short loc_5C15B8
		cmp	byte ptr ds:dword_6D3994[edx], 1
		jz	short loc_5C15CB

loc_5C15B8:				; CODE XREF: PfFileInfoNotify+11281Dj
		cmp	[esp+80h+var_60], offset dword_6D4930
		ja	short loc_5C15E5
		cmp	byte ptr ds:dword_6D3994[edx], 0Bh
		jnz	short loc_5C15E5

loc_5C15CB:				; CODE XREF: PfFileInfoNotify+112826j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esp+80h+var_64], eax
		mov	ecx, offset dword_6D4930
		mov	eax, [esp+80h+var_70]
		jmp	short loc_5C15EC
; 

loc_5C15E5:				; CODE XREF: PfFileInfoNotify+112830j
					; PfFileInfoNotify+112839j
		or	edx, 0FFFFFFFFh
		mov	[esp+80h+var_64], edx

loc_5C15EC:				; CODE XREF: PfFileInfoNotify+112853j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	dl, [eax+1E6h]
		mov	[esp+80h+var_75], dl
		mov	edx, [esp+80h+var_64]
		push	edx
		mov	edx, ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[esp+80h+var_60], edx
		test	edx, edx
		jnz	short loc_5C1644
		mov	ecx, [esp+80h+var_70]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_5C16D4
		push	edx
		push	[esp+84h+var_64]
		push	offset dword_6D4930
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C1644:				; CODE XREF: PfFileInfoNotify+11288Bj
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	[edx+10h], edi
		jge	short loc_5C165D
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [esp+94h+var_74]

loc_5C165D:				; CODE XREF: PfFileInfoNotify+1128C0j
		mov	eax, [edx+2Ch]
		mov	edi, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+94h+var_64], edi
		mov	[edx+2Ch], eax
		nop
		mov	ecx, [esp+94h+var_84]
		mov	eax, 2AAAAAABh
		mov	dword ptr [edx+10h], 0
		sub	edx, [ecx+1E8h]
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	[esp+94h+var_89], 1
		mov	[esp+94h+var_74], eax
		jnz	short loc_5C16BC
		movzx	eax, byte ptr [ecx+1E4h]
		mov	edx, [esp+94h+var_74]
		bts	eax, edx
		mov	[ecx+1E4h], al
		jmp	short loc_5C16D4
; 

loc_5C16BC:				; CODE XREF: PfFileInfoNotify+112914j
		mov	ecx, [esp+94h+var_74]
		mov	al, 1
		shl	al, cl
		mov	ecx, [esp+94h+var_84]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp+arg_0]

loc_5C16D4:				; CODE XREF: PfFileInfoNotify+112899j
					; PfFileInfoNotify+11292Aj
		nop
		dec	byte ptr [ecx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+1Ch], eax
		jz	short loc_5C1750
		test	edi, 8000h
		jz	short loc_5C16FF
		xor	edx, edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+94h+var_84]
		mov	eax, [esp+1Ch]

loc_5C16FF:				; CODE XREF: PfFileInfoNotify+11295Ej
		test	byte ptr [esp+94h+var_64+2], 1
		jz	short loc_5C1718
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+94h+var_84]
		mov	eax, [esp+1Ch]

loc_5C1718:				; CODE XREF: PfFileInfoNotify+112974j
		test	edi, 7FFFh
		jz	short loc_5C1735
		and	edi, 7FFFh
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority
		mov	ecx, [esp+94h+var_84]
		mov	eax, [esp+1Ch]

loc_5C1735:				; CODE XREF: PfFileInfoNotify+11298Ej
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5C1750
		push	eax
		mov	edx, offset dword_6D4930
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [esp+94h+var_84]

loc_5C1750:				; CODE XREF: PfFileInfoNotify+112956j
					; PfFileInfoNotify+1129AFj
		nop
		add	word ptr [ecx+13Eh], 1
		jnz	short loc_5C1768
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_5C1768
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5C1768:				; CODE XREF: PfFileInfoNotify+1127F9j
					; PfFileInfoNotify+1129C9j ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_4AEFEB
; 

loc_5C1772:				; CODE XREF: PfFileInfoNotify+B96j
		push	0
		push	[esp+84h+var_64]
		push	offset dword_6D4934
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C1788:				; CODE XREF: PfFileInfoNotify+8D5j
		mov	ecx, [esp+94h+var_64]
		mov	al, 1
		shl	al, cl
		mov	ecx, [esp+94h+var_88]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp+arg_0]
		jmp	loc_4AF67F
; 

loc_5C17A5:				; CODE XREF: PfFileInfoNotify+91Bj
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+80h+var_74]
		jmp	loc_4AF6B1
; 

loc_5C17B8:				; CODE XREF: PfFileInfoNotify+944j
		push	[esp+80h+var_50]
		mov	edx, offset dword_6D4934
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [esp+80h+var_74]
		jmp	loc_4AF6DA
; 

loc_5C17CF:				; CODE XREF: PfFileInfoNotify+790j
		mov	[esp+80h+var_74], 0C0000021h
		jmp	loc_4AF71C
; 

loc_5C17DC:				; CODE XREF: PfFileInfoNotify+BB9j
		push	0
		push	[esp+88h+var_68]
		push	offset dword_6D4930
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C17F2:				; CODE XREF: PfFileInfoNotify+AA5j
		mov	ecx, [esp+98h+var_68]
		mov	al, 1
		shl	al, cl
		mov	ecx, [esp+98h+var_88]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp+arg_0]
		jmp	loc_4AF84F
; 

loc_5C180F:				; CODE XREF: PfFileInfoNotify+AEBj
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+84h+var_74]
		jmp	loc_4AF881
; 

loc_5C1822:				; CODE XREF: PfFileInfoNotify+B14j
		push	[esp+84h+var_54]
		mov	edx, offset dword_6D4930
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [esp+84h+var_74]
		jmp	loc_4AF8AA
; 

loc_5C1839:				; CODE XREF: PfFileInfoNotify+3E8j
					; PfFileInfoNotify+66Dj
		mov	ecx, [esp+80h+var_6C]
		test	ecx, ecx
		jz	loc_4AEFEB
		push	0
		call	_PfFbLogEntryComplete@12 ; PfFbLogEntryComplete(x,x,x)
		jmp	loc_4AEFEB
; 

loc_5C1851:				; CODE XREF: PfFileInfoNotify+36Bj
					; DATA XREF: .text:004AF964o
		mov	ecx, [esi+10h]
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	short loc_5C1865
		mov	eax, 0C000004Dh
		jmp	loc_4AF2A5
; 

loc_5C1865:				; CODE XREF: PfFileInfoNotify+112AC9j
		mov	[esp+80h+var_20], eax
		mov	eax, ds:dword_6FB628
		mov	[esp+80h+var_1C], eax
		mov	eax, [ecx]
		mov	[esp+80h+var_28], eax
		mov	eax, [ecx+4]
		mov	[esp+80h+var_24], eax
		lea	eax, [esp+80h+var_28]
		push	10h
		push	eax
		call	_PFP_GET_CURRENT_TIME@0	; PFP_GET_CURRENT_TIME()
		mov	ecx, 1Fh
		jmp	loc_4AF315
; 

loc_5C1895:				; CODE XREF: PfFileInfoNotify+160j
					; PfFileInfoNotify+112B23j
		lea	ecx, [esp+80h+var_3C]
		call	KeYieldProcessorEx
		mov	eax, ds:dword_7186C4
		mov	ecx, ds:_KeTickCount
		mov	[esp+80h+var_50], ecx
		cmp	eax, ds:dword_7186C8
		jnz	short loc_5C1895
		jmp	loc_4AEEF6
; 

loc_5C18BA:				; CODE XREF: PfFileInfoNotify+4E4j
		push	offset unk_6D4380
		call	ds:dword_6D43B8
		mov	[esp+0Ch], eax
		test	eax, eax
		js	short loc_5C1944
		mov	ecx, offset unk_6D4390
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_4AF260
		jmp	loc_4AEF54
; 

loc_5C18E6:				; CODE XREF: PfFileInfoNotify+1CFj
		cmp	[ecx+10h], esi
		jz	short loc_5C1930
		push	ecx
		call	ds:dword_6D43BC
		mov	ecx, offset unk_6D4380
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	loc_4AEF40

loc_5C1904:				; CODE XREF: PfFileInfoNotify+1A8j
		mov	dword ptr [esp+0Ch], 0C0000189h

loc_5C190C:				; CODE XREF: PfFileInfoNotify+1E1j
		mov	eax, 1
		mov	ecx, offset dword_6D4484
		lock xadd [ecx], eax
		test	edi, edi
		jz	loc_4AEFE8
		push	0
		mov	ecx, edi
		call	_PfFbLogEntryComplete@12 ; PfFbLogEntryComplete(x,x,x)
		jmp	loc_4AEFE8
; 

loc_5C1930:				; CODE XREF: PfFileInfoNotify+112B59j
		mov	edx, ecx
		mov	ecx, offset unk_6D4388
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	[esp+80h+var_74], 0C0000023h

loc_5C1944:				; CODE XREF: PfFileInfoNotify+112B3Bj
		inc	ds:dword_6D43C4
		add	ds:dword_6D43C8, 20h
		mov	ecx, offset unk_6D4380
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, [esp+80h+var_74]
		jmp	loc_4AEF6F
; END OF FUNCTION CHUNK	FOR PfFileInfoNotify
; 
; START	OF FUNCTION CHUNK FOR PfSnReferenceProcessTrace

loc_5C1964:				; CODE XREF: PfSnReferenceProcessTrace+C9j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4AFA54
; 

loc_5C1971:				; CODE XREF: PfSnReferenceProcessTrace+7Aj
		mov	ecx, eax
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		jbe	loc_4AF9E0

loc_5C1982:				; CODE XREF: PfSnReferenceProcessTrace+58j
					; PfSnReferenceProcessTrace+67j
		mov	edx, [ebx]
		test	dl, 1
		jnz	short loc_5C19A0

loc_5C1989:				; CODE XREF: PfSnReferenceProcessTrace+11201Ej
		lea	ecx, [edx-0Eh]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jz	loc_4AF9A1
		mov	edx, eax
		test	al, 1
		jz	short loc_5C1989

loc_5C19A0:				; CODE XREF: PfSnReferenceProcessTrace+112007j
		and	edx, 0FFFFFFFEh
		mov	eax, 0FFFFFFF9h
		lock xadd [edx], eax
		cmp	eax, 7
		jnz	loc_4AF9A1
		lea	eax, [edx+14h]
		lock btr dword ptr [eax], 0
		jb	loc_4AF9A1
		push	0
		push	0
		lea	eax, [edx+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4AF9A1
; END OF FUNCTION CHUNK	FOR PfSnReferenceProcessTrace
; 
; START	OF FUNCTION CHUNK FOR MiLockLowestValidPageTable

loc_5C19D5:				; CODE XREF: MiLockLowestValidPageTable+2C7j
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_4AFD3D
		push	edi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_4AFD3F
; 

loc_5C19ED:				; CODE XREF: MiLockLowestValidPageTable+1EFj
		mov	[esp+38h+var_28], offset unk_6D2E54
		jmp	loc_4AFCAF
; END OF FUNCTION CHUNK	FOR MiLockLowestValidPageTable
; 
; START	OF FUNCTION CHUNK FOR MiCheckSystemPageTables

loc_5C19FA:				; CODE XREF: MiCheckSystemPageTables+31j
		test	byte ptr [edi+4], 2
		jz	short loc_5C1A35
		mov	eax, ebx
		and	eax, 800h
		or	eax, 0
		jnz	short loc_5C1A35
		mov	ecx, edi
		call	_MiGenerateAccessViolation@4 ; MiGenerateAccessViolation(x)
		test	eax, eax
		jz	short loc_5C1A21
		mov	eax, 2
		jmp	loc_4B06CF
; 

loc_5C1A21:				; CODE XREF: MiCheckSystemPageTables+111385j
		mov	eax, [edi+8]
		push	10h
		push	eax
		mov	eax, [edi]
		push	ebx
		push	eax
		push	0BEh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C1A35:				; CODE XREF: MiCheckSystemPageTables+11136Ej
					; MiCheckSystemPageTables+11137Aj
		push	edx
		push	ebx
		mov	edx, 6
		mov	ecx, edi
		call	MiCheckSystemNxFault
		mov	ecx, [edi+8]
		test	cl, 1
		jz	short loc_5C1A68
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		mov	al, [eax]
		cmp	al, 1
		jz	short loc_5C1A5E
		cmp	al, 3
		jz	short loc_5C1A5E
		cmp	al, 6
		jnz	short loc_5C1A73

loc_5C1A5E:				; CODE XREF: MiCheckSystemPageTables+1113C4j
					; MiCheckSystemPageTables+1113C8j ...
		mov	eax, 1
		jmp	loc_4B06CF
; 

loc_5C1A68:				; CODE XREF: MiCheckSystemPageTables+1113B9j
		xor	edx, edx
		call	@KeInvalidAccessAllowed@8 ; KeInvalidAccessAllowed(x,x)
		cmp	al, 1
		jz	short loc_5C1A5E

loc_5C1A73:				; CODE XREF: MiCheckSystemPageTables+1113CCj
		mov	edx, [edi]
		lea	eax, [edx+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_5C1A5E
		mov	eax, [edi+4]
		push	8
		push	ecx
		push	eax
		push	edx
		push	50h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C1A91:				; CODE XREF: MiCheckSystemPageTables+20j
		mov	eax, [edi+8]
		push	0Dh
		push	eax
		mov	eax, [edi+4]
		push	eax
		mov	eax, [edi]
		push	eax
		push	50h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C1AA6:				; CODE XREF: MiSynchronizeSystemVa+52j
		or	al, 1
		mov	[edi+21h], al
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_5C1ABF
		lea	eax, [ecx+80h]

loc_5C1ABF:				; CODE XREF: MiCheckSystemPageTables+111427j
		push	eax
		mov	[esp+40h+var_18], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [esp+3Ch+var_18]
		mov	dword ptr [ecx+4], 0
		jmp	loc_4B079D
; END OF FUNCTION CHUNK	FOR MiCheckSystemPageTables
; 
; START	OF FUNCTION CHUNK FOR MiSynchronizeSystemVa

loc_5C1AD9:				; CODE XREF: MiSynchronizeSystemVa+8Bj
		mov	dl, al
		mov	ecx, esi
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	loc_4B078A
; 

loc_5C1AE7:				; CODE XREF: MiSynchronizeSystemVa+B0j
		xor	eax, eax
		xchg	eax, [esi]
		jmp	loc_4B0796
; 

loc_5C1AF0:				; CODE XREF: MiSynchronizeSystemVa+352j
		xor	eax, eax
		jmp	loc_4B0A3F
; 

loc_5C1AF7:				; CODE XREF: MiSynchronizeSystemVa+38Fj
		push	0
		push	0
		push	ebx
		push	2105h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C1B08:				; CODE XREF: MiSynchronizeSystemVa+362j
					; MiSynchronizeSystemVa+371j
		mov	[esp+5Ch+var_48], 1
		jmp	loc_4B0A75
; 

loc_5C1B15:				; CODE XREF: MiSynchronizeSystemVa+CCj
		lea	edx, [esp+48h+var_10]
		mov	ecx, ebx
		call	_MiFillPteHierarchy@8 ;	MiFillPteHierarchy(x,x)
		lea	edx, [esp+48h+var_20]
		lea	ecx, [esp+48h+var_10]
		call	_MiPageTableStillExists@8 ; MiPageTableStillExists(x,x)
		test	eax, eax
		jz	short loc_5C1B47
		mov	eax, [esp+48h+var_20]
		test	eax, eax
		jz	loc_4B097F
		test	byte ptr [edi+4], 4
		jnz	loc_5C1BF5

loc_5C1B47:				; CODE XREF: MiSynchronizeSystemVa+3A4j
					; MiSynchronizeSystemVa+11144Fj ...
		mov	ecx, edi
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)

loc_5C1B4E:				; CODE XREF: MiSynchronizeSystemVa+33j
		xor	eax, eax
		jmp	loc_4B0984
; 

loc_5C1B55:				; CODE XREF: MiSynchronizeSystemVa+15Bj
		push	edx
		push	ecx
		push	1
		mov	edx, esi
		call	MiPerformSafePdeWrite
		jmp	loc_4B0841
; 

loc_5C1B65:				; CODE XREF: MiSynchronizeSystemVa+2D3j
		mov	[esp+48h+var_34], offset unk_6D2E54
		jmp	loc_4B0B42
; 

loc_5C1B72:				; CODE XREF: MiSynchronizeSystemVa+2FEj
		mov	eax, [edx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h
		jmp	loc_4B0899
; 

loc_5C1B82:				; CODE XREF: MiSynchronizeSystemVa+3CFj
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_4B0AB5
		push	eax
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_4B0AB7
; 

loc_5C1B9A:				; CODE XREF: MiSynchronizeSystemVa+23Fj
		mov	[esp+48h+var_34], offset unk_6D2E54
		jmp	loc_4B0B21
; 

loc_5C1BA7:				; CODE XREF: MiSynchronizeSystemVa+317j
		mov	eax, [edx+0Ch]
		lea	eax, [eax+ecx*4]
		add	eax, 0D90h
		jmp	loc_4B092F
; 

loc_5C1BB7:				; CODE XREF: MiSynchronizeSystemVa+299j
		test	byte ptr [edi+4], 4
		jz	short loc_5C1B47
		mov	edx, [esi]
		nop
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	loc_5C1B47
		and	edx, 80h
		or	edx, 0
		jz	loc_5C1B47
		mov	eax, [esp+48h+var_20]

loc_5C1BE1:				; CODE XREF: MiSynchronizeSystemVa+111513j
		shr	ecx, 9
		inc	eax
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		cmp	ecx, esi
		jnz	short loc_5C1BE1

loc_5C1BF5:				; CODE XREF: MiSynchronizeSystemVa+111461j
		mov	[edi+10h], eax
		jmp	loc_4B097F
; END OF FUNCTION CHUNK	FOR MiSynchronizeSystemVa
; 
; START	OF FUNCTION CHUNK FOR MiLockPageTableInternal

loc_5C1BFD:				; CODE XREF: MiLockPageTableInternal+11Dj
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_4B0CC3
		push	eax
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_4B0CC5
; END OF FUNCTION CHUNK	FOR MiLockPageTableInternal
; 
; START	OF FUNCTION CHUNK FOR MiUnlockNestedPageTableWritePte

loc_5C1C15:				; CODE XREF: MiUnlockNestedPageTableWritePte+90j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4B0E30
; END OF FUNCTION CHUNK	FOR MiUnlockNestedPageTableWritePte
; 
; START	OF FUNCTION CHUNK FOR PfSnLogPageFaultCommon

loc_5C1C25:				; CODE XREF: PfSnLogPageFaultCommon+5Bj
		mov	ebx, 1
		jmp	loc_4B0EC7
; END OF FUNCTION CHUNK	FOR PfSnLogPageFaultCommon
; 
; START	OF FUNCTION CHUNK FOR PfSnGetFileInformation

loc_5C1C2F:				; CODE XREF: PfSnGetFileInformation+104j
		add	ebx, 150h
		test	byte ptr [ebx],	2
		jnz	short loc_5C1C43
		mov	eax, 2
		lock or	[ebx], ax

loc_5C1C43:				; CODE XREF: PfSnGetFileInformation+110CC8j
		mov	eax, 0C000009Ah
		jmp	loc_4B1015
; 

loc_5C1C4D:				; CODE XREF: PfSnGetFileInformation+1C3j
		mov	esi, 0C0000189h
		jmp	loc_4B10DD
; 

loc_5C1C57:				; CODE XREF: PfSnGetFileInformation+2E8j
		lea	ecx, [ebx+104h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_4B1013
; END OF FUNCTION CHUNK	FOR PfSnGetFileInformation
; 
; START	OF FUNCTION CHUNK FOR PfSnTraceGetLogEntry

loc_5C1C67:				; CODE XREF: PfSnTraceGetLogEntry+12Cj
		mov	edx, [ebp+4]
		lea	ecx, [edi+60h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4B141A
; 

loc_5C1C77:				; CODE XREF: PfSnTraceGetLogEntry+BFj
		mov	edx, [ebp+4]
		lea	ecx, [edi+60h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4B13AD
; 

loc_5C1C87:				; CODE XREF: PfSnTraceGetLogEntry+74j
		mov	eax, [ebp+var_10]
		neg	esi
		lock xadd [eax], esi
		mov	ebx, 0C000009Ah
		jmp	loc_4B1339
; 

loc_5C1C9A:				; CODE XREF: PfSnTraceGetLogEntry+3Fj
					; PfSnTraceGetLogEntry+EFj
		mov	eax, [ebp+var_10]
		neg	esi
		lock xadd [eax], esi
		mov	ebx, 0C0000095h
		jmp	loc_4B1339
; END OF FUNCTION CHUNK	FOR PfSnTraceGetLogEntry
; 
; START	OF FUNCTION CHUNK FOR ExReleaseSpinLockSharedFromDpcLevel

loc_5C1CAD:				; CODE XREF: ExReleaseSpinLockSharedFromDpcLevel+Dj
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	@ExpReleaseSpinLockSharedFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockSharedFromDpcLevelInstrumented(x,x)
		jmp	loc_4B1597
; END OF FUNCTION CHUNK	FOR ExReleaseSpinLockSharedFromDpcLevel
; 
; START	OF FUNCTION CHUNK FOR IoSetDiskIoAttributionFromThread

loc_5C1CBD:				; CODE XREF: IoSetDiskIoAttributionFromThread+65j
		push	offset _PspThreadWorkOnBehalfLock
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	ebx, [esi+36Ch]
		mov	[ebp+var_1], al
		test	ebx, ebx
		jz	short loc_5C1CE5
		mov	edx, 746C6644h
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag
		mov	edi, 1

loc_5C1CE5:				; CODE XREF: IoSetDiskIoAttributionFromThread+1106B2j
		push	offset _PspThreadWorkOnBehalfLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_8]
		jmp	loc_4B168B
; 

loc_5C1D00:				; CODE XREF: IoSetDiskIoAttributionFromThread+BAj
		mov	esi, 0C0000225h
		jmp	loc_4B1669
; 

loc_5C1D0A:				; CODE XREF: IoSetDiskIoAttributionFromThread+4Fj
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_4B1675
; END OF FUNCTION CHUNK	FOR IoSetDiskIoAttributionFromThread

;  S U B	R O U T	I N E 


sub_5C1D1A	proc near		; DATA XREF: .text:006A1C88o
		mov	edx, [ebp-14h]
		push	1Eh
		pop	ecx
		call	_KiFatalFilter@8 ; KiFatalFilter(x,x)

loc_5C1D25:				; DATA XREF: .text:006A1C8Co
		mov	esp, [ebp-18h]
		jmp	loc_4B3017
sub_5C1D1A	endp

; 

loc_5C1D2D:				; DATA XREF: .text:006A1C80o
		jmp	loc_4B305C
; 
; START	OF FUNCTION CHUNK FOR KeExpandKernelStackAndCalloutInternal

loc_5C1D32:				; CODE XREF: KeExpandKernelStackAndCalloutInternal+ABj
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	ecx, al
		shl	ecx, 8
		movzx	eax, bl
		or	ecx, eax
		shl	ecx, 8
		or	ecx, 2
		push	ecx
		push	0C8h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C1D5D:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+2Fj
		mov	eax, 0C00000F1h
		jmp	loc_4B3104
; END OF FUNCTION CHUNK	FOR KeExpandKernelStackAndCalloutInternal
; 
; START	OF FUNCTION CHUNK FOR KiExpandKernelStackAndCalloutSwitchStack

loc_5C1D67:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+5Dj
		push	0
		push	0
		movzx	eax, al
		push	eax
		push	2
		push	0Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C1D78:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+C2j
		mov	eax, 0C00000F2h
		jmp	loc_4B3104
; 

loc_5C1D82:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+FDj
		cmp	eax, 3000h
		jnb	loc_4B30E0
		jmp	loc_4B3173
; 

loc_5C1D92:				; CODE XREF: KiExpandKernelStackAndCalloutSwitchStack+A8j
		push	esi
		push	ecx
		call	MmGrowKernelStackEx
		test	eax, eax
		js	loc_4B30F4
		jmp	loc_4B311E
; END OF FUNCTION CHUNK	FOR KiExpandKernelStackAndCalloutSwitchStack
; 
; START	OF FUNCTION CHUNK FOR KiExpandKernelStackAndCalloutOnStackSegment

loc_5C1DA6:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+60j
		test	edx, edx
		jz	loc_4B31F6
		mov	al, 10h
		mov	[esp+30h+var_23], al
		jmp	loc_4B31F6
; 

loc_5C1DB9:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+25Bj
		cmp	byte ptr [edx+4], 0
		jz	loc_4B3212
		mov	ebx, 5
		jmp	loc_4B3212
; 

loc_5C1DCD:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+1ACj
		cmp	byte ptr [ecx+4], 0
		jnz	loc_4B3342

loc_5C1DD7:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+1A4j
					; KiExpandKernelStackAndCalloutOnStackSegment+10EC85j
		mov	eax, 0C0000017h
		jmp	loc_4B32FE
; 

loc_5C1DE1:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+1B7j
		or	al, 4
		mov	[esp+30h+var_23], al
		jmp	loc_4B334D
; 

loc_5C1DEC:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+1D5j
		movzx	eax, [esp+30h+var_23]
		shl	eax, 0Dh
		xor	eax, [edi+58h]
		and	eax, 8000h
		xor	[edi+58h], eax
		mov	eax, 0C0000708h
		jmp	loc_4B32FE
; 

loc_5C1E09:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+1E4j
		push	0
		push	0
		push	1
		push	esi
		call	KeReleaseMutant
		jmp	short loc_5C1DD7
; 

loc_5C1E17:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+212j
		or	al, 1
		mov	[esp+30h+var_20], 0E800h
		mov	ebx, 5
		mov	[esp+30h+var_23], al
		jmp	loc_4B3261
; 

loc_5C1E2F:				; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+166j
		push	0
		push	[esp+34h+var_14]
		push	[esp+38h+var_10]
		call	esi
		movzx	ecx, al
		movzx	eax, [esp+3Ch+var_21]
		shl	ecx, 8
		or	ecx, eax
		shl	ecx, 8
		or	ecx, 2
		push	ecx
		push	0C8h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C1E5A:				; CODE XREF: MiAllocateMdlPagesByLists+ADj
		mov	ecx, [ebp+var_1C]
		xor	edx, edx
		call	_MiGetEnclavePage@8 ; MiGetEnclavePage(x,x)
		jmp	loc_4B34CE
; END OF FUNCTION CHUNK	FOR KiExpandKernelStackAndCalloutOnStackSegment
; 
; START	OF FUNCTION CHUNK FOR MiAllocateMdlPagesByLists

loc_5C1E69:				; CODE XREF: MiAllocateMdlPagesByLists+129j
		mov	dword ptr [ebp-14h], 1
		jmp	loc_4B355D
; 

loc_5C1E75:				; CODE XREF: MiAllocateMdlPagesByLists+E6j
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		mov	edi, [ebp-0Ch]
		xor	edx, edx
		jmp	loc_4B3650
; END OF FUNCTION CHUNK	FOR MiAllocateMdlPagesByLists
; 
; START	OF FUNCTION CHUNK FOR MmCreateKernelStack

loc_5C1E84:				; CODE XREF: MmCreateKernelStack+22Fj
		push	eax
		push	ecx
		push	ebx
		push	3470h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C1E93:				; CODE XREF: MmCreateKernelStack+C0j
		push	eax
		push	ecx
		push	ebx
		push	3470h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C1EA2:				; CODE XREF: MmCreateKernelStack+155j
		lea	ebx, [edi+10h]

loc_5C1EA5:				; CODE XREF: MmCreateKernelStack+10E821j
					; MmCreateKernelStack+10E828j
		lea	ecx, [esp+68h+var_44]
		call	KeYieldProcessorEx
		cmp	dword ptr [ebx], 0
		jl	short loc_5C1EA5
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_5C1EA5
		mov	ebx, [esp+68h+var_50]
		jmp	loc_4B37EB
; 

loc_5C1EC3:				; CODE XREF: MmCreateKernelStack+2B6j
		mov	edx, ebx
		jmp	short loc_5C1EF6
; 

loc_5C1EC7:				; CODE XREF: MmCreateKernelStack+30Aj
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_5C1EE0
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_5C1EE0:				; CODE XREF: MmCreateKernelStack+2E3j
					; MmCreateKernelStack+10E845j
		mov	esi, [esp+40h+var_30]
		mov	edx, edi
		mov	ecx, offset unk_6D33D0
		lea	eax, [esi+1]
		push	eax
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		mov	edx, esi

loc_5C1EF6:				; CODE XREF: MmCreateKernelStack+10E835j
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit

loc_5C1F00:				; CODE XREF: MmCreateKernelStack+29Fj
		xor	eax, eax
		jmp	loc_4B3853
; 

loc_5C1F07:				; CODE XREF: MmCreateKernelStack+1BBj
		test	byte ptr [esp+40h+var_24], 8
		jz	loc_4B3851
		mov	edx, [esp+40h+var_2C]
		mov	ecx, ebx
		shl	esi, 0Ch
		push	1
		sub	ecx, esi
		call	_MiLogKernelStackEvent@12 ; MiLogKernelStackEvent(x,x,x)
		jmp	loc_4B3851
; END OF FUNCTION CHUNK	FOR MmCreateKernelStack
; 
; START	OF FUNCTION CHUNK FOR MiClearStackOwners

loc_5C1F29:				; CODE XREF: MiClearStackOwners+1Dj
		sub	edi, 78h
		mov	ecx, 0Fh
		jmp	loc_4B3CF1
; 

loc_5C1F36:				; CODE XREF: MiClearStackOwners+B0j
		mov	esi, [ebp+var_C]

loc_5C1F39:				; CODE XREF: MiClearStackOwners+10E285j
					; MiClearStackOwners+10E28Cj
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5C1F39
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5C1F39
		mov	esi, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		jmp	loc_4B3D76
; END OF FUNCTION CHUNK	FOR MiClearStackOwners
; 
; START	OF FUNCTION CHUNK FOR MiSearchNumaNodeTable

loc_5C1F59:				; CODE XREF: MiSearchNumaNodeTable+28j
		cmp	ecx, [eax+8]
		jb	loc_4B3E2E

loc_5C1F62:				; CODE XREF: MiSearchNumaNodeTable+Fj
					; MiSearchNumaNodeTable+20j
		push	edi
		xor	edi, edi
		test	esi, esi
		js	short loc_5C1F98

loc_5C1F69:				; CODE XREF: MiSearchNumaNodeTable+10E196j
		mov	eax, ds:dword_6D06B0
		lea	edx, [edi+esi]
		sar	edx, 1
		cmp	ecx, [eax+edx*8]
		lea	eax, [eax+edx*8]
		jnb	short loc_5C1F84
		test	edx, edx
		jz	short loc_5C1FA9
		lea	esi, [edx-1]
		jmp	short loc_5C1F94
; 

loc_5C1F84:				; CODE XREF: MiSearchNumaNodeTable+10E179j
		cmp	edx, ds:dword_6D0688
		jz	short loc_5C1FB9
		cmp	ecx, [eax+8]
		jb	short loc_5C1FB9
		lea	edi, [edx+1]

loc_5C1F94:				; CODE XREF: MiSearchNumaNodeTable+10E182j
		cmp	esi, edi
		jge	short loc_5C1F69

loc_5C1F98:				; CODE XREF: MiSearchNumaNodeTable+10E167j
		push	0
		push	0
		push	ecx
		push	6201h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C1FA9:				; CODE XREF: MiSearchNumaNodeTable+10E17Dj
		push	0
		push	eax
		push	ecx
		push	6200h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C1FB9:				; CODE XREF: MiSearchNumaNodeTable+10E18Aj
					; MiSearchNumaNodeTable+10E18Fj
		pop	edi
		mov	ds:dword_6D0684, edx
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR MiSearchNumaNodeTable
; 
; START	OF FUNCTION CHUNK FOR MiIncreaseAvailablePages

loc_5C1FC2:				; CODE XREF: MiIncreaseAvailablePages+23j
		mov	esi, ecx
		lock xadd [eax], esi
		inc	esi
		mov	eax, 420h
		cmp	esi, eax
		ja	loc_5C2089
		cmp	esi, 0A0h
		jnz	short loc_5C1FE5
		mov	eax, 0A98h
		jmp	short loc_5C1FFE
; 

loc_5C1FE5:				; CODE XREF: MiIncreaseAvailablePages+10E1ACj
		cmp	esi, eax
		jnz	short loc_5C1FF0
		mov	eax, 0AACh
		jmp	short loc_5C1FFE
; 

loc_5C1FF0:				; CODE XREF: MiIncreaseAvailablePages+10E1B7j
		cmp	esi, 22h
		jnz	loc_5C2089
		mov	eax, 0A84h

loc_5C1FFE:				; CODE XREF: MiIncreaseAvailablePages+10E1B3j
					; MiIncreaseAvailablePages+10E1BEj
		lea	edx, [eax+ebx]
		xor	edi, edi
		test	ds:byte_70EFC6,	21h
		lea	eax, [ebx+0A80h]
		mov	[ebp+var_8], edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], edi
		jz	short loc_5C2027
		mov	edx, eax
		lea	ecx, [ebp+var_20]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C2038
; 

loc_5C2027:				; CODE XREF: MiIncreaseAvailablePages+10E1E9j
		lea	edx, [ebp+var_20]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_5C2038
		lea	ecx, [ebp+var_20]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5C2038:				; CODE XREF: MiIncreaseAvailablePages+10E1F5j
					; MiIncreaseAvailablePages+10E1FEj
		push	edi
		push	edi
		push	[ebp+var_8]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, [ebp+var_8]
		inc	dword ptr [eax+10h]
		test	ds:byte_70EFC6,	1
		jz	short loc_5C205E
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_20]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C2089
; 

loc_5C205E:				; CODE XREF: MiIncreaseAvailablePages+10E21Fj
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_5C207D
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_20]
		cmp	eax, ecx
		jz	short loc_5C2089
		call	KxWaitForLockChainValid

loc_5C207D:				; CODE XREF: MiIncreaseAvailablePages+10E233j
		xor	ecx, ecx
		mov	[ebp+var_20], edi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5C2089:				; CODE XREF: MiIncreaseAvailablePages+10E1A0j
					; MiIncreaseAvailablePages+10E1C3j ...
		dec	esi
		cmp	esi, [ebx+0B2Ch]
		jz	loc_5C2129
		cmp	esi, [ebx+0B30h]
		jnz	loc_4B3EB3
		jmp	loc_5C2129
; 

loc_5C20A7:				; CODE XREF: MiIncreaseAvailablePages+47j
		cmp	esi, eax
		jb	loc_4B3E7D
		push	2
		pop	edx
		mov	[ebp+var_4], edx
		jmp	loc_4B3E7D
; 

loc_5C20BA:				; CODE XREF: MiIncreaseAvailablePages+50j
		cmp	esi, 22h
		jb	loc_4B3E86
		xor	eax, eax
		inc	eax
		or	edx, eax
		mov	[ebp+var_4], edx
		jmp	loc_4B3E86
; 

loc_5C20D0:				; CODE XREF: MiIncreaseAvailablePages+9Bj
		mov	edx, ecx
		lea	ecx, [ebp+var_20]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C20E6
; 

loc_5C20DC:				; CODE XREF: MiIncreaseAvailablePages+A8j
		mov	edx, eax
		lea	ecx, [ebp+var_20]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5C20E6:				; CODE XREF: MiIncreaseAvailablePages+10E2AAj
		mov	edx, [ebp+var_4]
		jmp	loc_4B3EDE
; 

loc_5C20EE:				; CODE XREF: MiIncreaseAvailablePages+DDj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_20]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4B3F35
; 

loc_5C20FE:				; CODE XREF: MiIncreaseAvailablePages+FFj
		lea	ecx, [ebp+var_20]
		call	KxWaitForLockChainValid

loc_5C2106:				; CODE XREF: MiIncreaseAvailablePages+E8j
		xor	ecx, ecx
		mov	[ebp+var_20], edi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4B3F35
; 

loc_5C2117:				; CODE XREF: MiIncreaseAvailablePages+6Fj
		cmp	esi, eax
		jbe	loc_4B3EA5
		jmp	short loc_5C2129
; 

loc_5C2121:				; CODE XREF: MiIncreaseAvailablePages+7Dj
		cmp	esi, eax
		jbe	loc_4B3EB3

loc_5C2129:				; CODE XREF: MiIncreaseAvailablePages+10E260j
					; MiIncreaseAvailablePages+10E272j ...
		mov	ecx, ebx
		call	MiUpdateAvailableEvents
		jmp	loc_4B3EB3
; END OF FUNCTION CHUNK	FOR MiIncreaseAvailablePages
; 
; START	OF FUNCTION CHUNK FOR RtlpCopyLegacyContext

loc_5C2135:				; CODE XREF: RtlpCopyLegacyContext+Dj
		test	eax, 100000h
		jz	short loc_5C214A
		push	[ebp+arg_4]
		push	eax
		call	_RtlpCopyLegacyContextAmd64@16 ; RtlpCopyLegacyContextAmd64(x,x,x,x)
		jmp	loc_4B40D8
; 

loc_5C214A:				; CODE XREF: RtlpCopyLegacyContext+10E07Ej
		test	eax, 200000h
		jz	short loc_5C215F
		push	[ebp+arg_4]
		push	eax
		call	_RtlpCopyLegacyContextArm@16 ; RtlpCopyLegacyContextArm(x,x,x,x)
		jmp	loc_4B40D8
; 

loc_5C215F:				; CODE XREF: RtlpCopyLegacyContext+10E093j
		test	eax, 400000h
		jz	loc_4B40D8
		push	[ebp+arg_4]
		push	eax
		call	_RtlpCopyLegacyContextArm64@16 ; RtlpCopyLegacyContextArm64(x,x,x,x)
		jmp	loc_4B40D8
; END OF FUNCTION CHUNK	FOR RtlpCopyLegacyContext
; 
; START	OF FUNCTION CHUNK FOR RtlpCopyLegacyContextX86

loc_5C2178:				; CODE XREF: RtlpCopyLegacyContextX86+24j
		mov	ecx, [ebx]
		and	ecx, 98000000h
		or	ecx, esi
		mov	[edx], ecx
		jmp	loc_4B410A
; END OF FUNCTION CHUNK	FOR RtlpCopyLegacyContextX86
; 
; START	OF FUNCTION CHUNK FOR RtlpSanitizeContextFlags

loc_5C2189:				; CODE XREF: RtlpSanitizeContextFlags+25j
		test	bl, bl
		jz	loc_4B42A1
		mov	eax, [esi]
		and	eax, 0D801003Fh
		or	eax, edx
		mov	[esi], eax
		xor	eax, eax
		jmp	loc_4B42A1
; END OF FUNCTION CHUNK	FOR RtlpSanitizeContextFlags
; 
; START	OF FUNCTION CHUNK FOR RtlGetExtendedContextLength2

loc_5C21A3:				; CODE XREF: RtlGetExtendedContextLength2+67j
		mov	eax, ds:0FFDF03D8h
		or	eax, ds:0FFDF0708h
		mov	ecx, ds:0FFDF03DCh
		and	edx, eax
		or	ecx, ds:0FFDF070Ch
		mov	eax, [ebp+arg_4]
		or	ecx, 80000000h
		and	eax, ecx
		jmp	loc_4B4368
; END OF FUNCTION CHUNK	FOR RtlGetExtendedContextLength2
; 
; START	OF FUNCTION CHUNK FOR RtlpGetLegacyContextLength

loc_5C21CC:				; CODE XREF: RtlpGetLegacyContextLength+10j
		test	ecx, 100000h
		jz	short loc_5C21DB
		mov	eax, 4D0h
		jmp	short loc_5C2200
; 

loc_5C21DB:				; CODE XREF: RtlpGetLegacyContextLength+10DE56j
		test	ecx, 200000h
		jz	short loc_5C21EF
		mov	eax, 1A0h
		push	8
		jmp	loc_4B4399
; 

loc_5C21EF:				; CODE XREF: RtlpGetLegacyContextLength+10DE65j
		test	ecx, 400000h
		jz	loc_4B439A
		mov	eax, 390h

loc_5C2200:				; CODE XREF: RtlpGetLegacyContextLength+10DE5Dj
		push	10h
		jmp	loc_4B4399
; END OF FUNCTION CHUNK	FOR RtlpGetLegacyContextLength
; 
; START	OF FUNCTION CHUNK FOR KiDispatchException

loc_5C2207:				; CODE XREF: KiDispatchException+D5j
		mov	eax, [ebx]
		mov	[ebp+var_F0], eax
		cmp	eax, 10000004h
		jnz	short loc_5C221C
		mov	dword ptr [ebx], 0C0000005h

loc_5C221C:				; CODE XREF: KiDispatchException+10DE04j
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_5C225D
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_5C225D
		mov	ecx, [ebp+arg_C]
		test	cl, cl
		jnz	short loc_5C2249
		cmp	dword ptr [ebx], 0C0000005h
		jnz	short loc_5C2260
		mov	eax, [ebx+18h]
		cmp	eax, ds:_MmUserProbeAddress
		ja	short loc_5C2260

loc_5C2249:				; CODE XREF: KiDispatchException+10DE24j
		push	ecx
		push	0
		push	esi
		push	edi
		push	ebx
		call	ds:dword_6BEDF0
		test	al, al
		jnz	loc_4B4998

loc_5C225D:				; CODE XREF: KiDispatchException+10DE13j
					; KiDispatchException+10DE1Dj
		mov	ecx, [ebp+arg_C]

loc_5C2260:				; CODE XREF: KiDispatchException+10DE2Cj
					; KiDispatchException+10DE37j
		mov	eax, [ebp+var_F0]
		mov	[ebx], eax
		jmp	loc_4B44EE
; 

loc_5C226D:				; CODE XREF: KiDispatchException+139j
					; KiDispatchException+18Cj
		mov	eax, [ebp+var_F8]
		jmp	loc_4B45D9
; 

loc_5C2278:				; CODE XREF: KiDispatchException+5E2j
		mov	ecx, ds:0FFDF0708h
		mov	eax, 0FFDF03D8h
		or	ecx, [eax]
		mov	eax, ds:0FFDF070Ch
		mov	ebx, 0FFDF03D8h
		or	eax, [ebx+4]
		or	eax, 80000000h
		and	edx, ecx
		and	edi, eax
		mov	ebx, [ebp+var_F4]
		jmp	loc_4B49F8
; 

loc_5C22A6:				; CODE XREF: KiDispatchException+26Ej
		mov	edx, edi
		mov	ecx, ebx
		call	_KiCheckForAtlThunk@8 ;	KiCheckForAtlThunk(x,x)
		test	al, al
		jnz	loc_4B46D0
		cmp	ds:0FFDF0280h, al
		jz	loc_4B4A3B
		cmp	dword ptr [ebx+14h], 8
		jnz	loc_4B4A3B
		mov	ecx, ds:_KeFeatureBits
		mov	eax, ecx
		and	eax, 40000000h
		or	eax, 0
		jnz	short loc_5C2303
		mov	eax, [ebp+var_FC]
		mov	al, [eax+6Bh]
		test	al, 2
		jnz	short loc_5C2303
		and	ecx, 80000000h
		or	ecx, 0
		jnz	loc_4B4A3B
		test	al, 1
		jnz	loc_4B4A3B

loc_5C2303:				; CODE XREF: KiDispatchException+10DECDj
					; KiDispatchException+10DEDAj
		mov	dword ptr [ebx+14h], 0
		jmp	loc_4B4A3B
; 

loc_5C230F:				; CODE XREF: KiDispatchException+65Cj
		cmp	eax, 5
		jz	loc_4B4A55
		jmp	loc_4B46AE
; 

loc_5C231D:				; CODE XREF: KiDispatchException+2A5j
		cmp	ds:_KdAutoEnableOnEvent, 0
		jz	short loc_5C234A
		cmp	ds:_KdPreviouslyEnabled, 0
		jz	short loc_5C234A
		cmp	ds:_KdDebuggerEnabled, 0
		jnz	short loc_5C234A
		call	_KdEnableDebugger@0 ; KdEnableDebugger()
		test	eax, eax
		js	short loc_5C234A
		cmp	ds:_KdDebuggerEnabled, 0
		jnz	short loc_5C2358

loc_5C234A:				; CODE XREF: KiDispatchException+10DF14j
					; KiDispatchException+10DF1Dj ...
		mov	edx, edi
		mov	ecx, ebx
		call	_KdpCheckTracePoint@8 ;	KdpCheckTracePoint(x,x)
		jmp	loc_4B46BD
; 

loc_5C2358:				; CODE XREF: KiDispatchException+28Cj
					; KiDispatchException+10DF38j
		push	0
		push	0
		push	edi
		push	ebx
		mov	edx, [ebp+var_E4]
		mov	ecx, [ebp+var_E8]
		call	_KdpTrap@24	; KdpTrap(x,x,x,x,x,x)
		jmp	loc_4B46BD
; 

loc_5C2374:				; CODE XREF: KiDispatchException+27Fj
					; KiDispatchException+2BAj
		push	1
		push	0
		push	edi
		push	ebx
		mov	edx, [ebp+var_E4]
		mov	esi, [ebp+var_E8]
		mov	ecx, esi
		call	_KdTrap@24	; KdTrap(x,x,x,x,x,x)
		test	al, al
		jnz	loc_4B46D0
		push	0
		push	esi
		mov	eax, [ebx+0Ch]
		push	eax
		mov	eax, [ebx]
		push	eax
		push	8Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C23A9:				; CODE XREF: KiDispatchException+344j
					; KiDispatchException+351j
		test	cl, cl
		jz	loc_4B4787
		jmp	loc_4B4767
; 

loc_5C23B6:				; CODE XREF: KiDispatchException+2E6j
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		push	0
		push	edi
		call	KiSetupForInstrumentationReturn
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4B4998
; 

loc_5C23D5:				; CODE XREF: KiDispatchException+39Bj
					; KiDispatchException+3A8j
		mov	[ebp+var_8C], 0C0000005h
		mov	[ebp+var_88], 0
		mov	[ebp+var_7C], 0
		lea	eax, [ebp+var_8C]
		push	eax
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		jmp	loc_4B47BE
; 

loc_5C2401:				; CODE XREF: KiDispatchException+462j
		mov	byte ptr [eax],	0
		jmp	loc_4B4878
; 

loc_5C2409:				; CODE XREF: KiDispatchException+47Bj
		mov	eax, [ebp+var_114]
		mov	[ebp+var_E4], eax
		jmp	loc_4B48B3
; 

loc_5C241A:				; CODE XREF: KiDispatchException+449j
					; KiDispatchException+455j
		push	4
		push	ecx
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		jmp	loc_4B48B3
; END OF FUNCTION CHUNK	FOR KiDispatchException

;  S U B	R O U T	I N E 


sub_5C2428	proc near		; DATA XREF: .text:006A1CECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	[ebp-108h], eax
		push	50h		; size_t
		push	0		; int
		lea	eax, [ebp-0DCh]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, [ebp-108h]
		mov	eax, [ecx]
		mov	[ebp-0DCh], eax
		mov	eax, [ecx+4]
		mov	[ebp-0D8h], eax
		mov	eax, [ecx+8]
		mov	[ebp-0D4h], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp-0D0h], eax
		mov	eax, [ecx+10h]
		mov	[ebp-0CCh], eax
		mov	eax, [ebp-108h]
		mov	eax, [eax+10h]
		shl	eax, 2
		push	eax		; size_t
		mov	eax, [ebp-108h]
		add	eax, 14h
		push	eax		; void *
		lea	eax, [ebp-0C8h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, 1
		retn
sub_5C2428	endp


;  S U B	R O U T	I N E 


sub_5C24A4	proc near		; DATA XREF: .text:006A1CF0o
		mov	esp, [ebp-18h]
		cmp	dword ptr [ebp-0DCh], 0C00000FDh
		jnz	short loc_5C2505
		mov	ebx, [ebp-0F4h]
		mov	eax, [ebx+0Ch]
		mov	[ebp-0D0h], eax
		mov	ecx, 14h
		lea	esi, [ebp-0DCh]
		mov	edi, ebx
		rep movsd
		mov	eax, [ebx+10h]
		add	eax, 5
		lea	ecx, [ebx+eax*4]
		mov	eax, ebx
		sub	eax, ecx
		add	eax, 50h
		push	eax		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-0F0h]
		mov	edi, [ebp-12Ch]
		jmp	loc_4B479A
; 

loc_5C2505:				; CODE XREF: sub_5C24A4+Dj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-0F4h]
		jmp	loc_4B4A71
sub_5C24A4	endp

; 
; START	OF FUNCTION CHUNK FOR RtlInitializeExtendedContext2

loc_5C2517:				; CODE XREF: RtlInitializeExtendedContext2+1Bj
		mov	eax, edx
		and	eax, 27FFFFA0h
		cmp	eax, 100000h
		jz	loc_4B4AD1
		mov	eax, edx
		and	eax, 7FFFFF0h
		cmp	eax, 200000h
		jz	loc_4B4AD1
		mov	eax, edx
		and	eax, 7FFFFE0h
		cmp	eax, 400000h
		jz	loc_4B4AD1
		mov	eax, 0C000000Dh
		jmp	loc_4B4B7B
; 

loc_5C2557:				; CODE XREF: RtlInitializeExtendedContext2+53j
		mov	eax, 0C00000BBh
		jmp	loc_4B4B7B
; 

loc_5C2561:				; CODE XREF: RtlInitializeExtendedContext2+64j
		test	edx, 100000h
		jz	short loc_5C2584
		lea	eax, [edi+0Fh]
		and	eax, 0FFFFFFF0h
		lea	esi, [eax+4D0h]
		mov	[eax+30h], edx
		mov	dword ptr [esi+0Ch], 4D0h
		jmp	loc_4B4B2F
; 

loc_5C2584:				; CODE XREF: RtlInitializeExtendedContext2+10DAB7j
		test	edx, 200000h
		jz	short loc_5C25A6
		lea	eax, [edi+7]
		and	eax, 0FFFFFFF8h
		lea	esi, [eax+1A0h]
		mov	[eax], edx
		mov	dword ptr [esi+0Ch], 1A0h
		jmp	loc_4B4B2F
; 

loc_5C25A6:				; CODE XREF: RtlInitializeExtendedContext2+10DADAj
		test	edx, 400000h
		jz	loc_4B4B2F
		lea	eax, [edi+0Fh]
		and	eax, 0FFFFFFF0h
		lea	esi, [eax+390h]
		mov	[eax], edx
		mov	dword ptr [esi+0Ch], 390h
		jmp	loc_4B4B2F
; 

loc_5C25CC:				; CODE XREF: RtlInitializeExtendedContext2+E4j
		mov	eax, ds:0FFDF03D8h
		or	eax, ds:0FFDF0708h
		mov	ecx, ds:0FFDF03DCh
		and	edx, eax
		or	ecx, ds:0FFDF070Ch
		mov	eax, [ebp+arg_8]
		or	ecx, 80000000h
		and	eax, ecx
		jmp	loc_4B4B9D
; 

loc_5C25F5:				; CODE XREF: RtlInitializeExtendedContext2+113j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		or	eax, 80000000h
		mov	[edi+8], ecx
		mov	[edi+0Ch], eax
		jmp	loc_4B4BC9
; END OF FUNCTION CHUNK	FOR RtlInitializeExtendedContext2
; 
; START	OF FUNCTION CHUNK FOR KeContextFromKframes

loc_5C260B:				; CODE XREF: KeContextFromKframes+1Cj
		mov	ch, 1Fh
		mov	[ebp+var_5], ch
		jmp	loc_4B4C1F
; 

loc_5C2615:				; CODE XREF: KeContextFromKframes+72j
		test	dword ptr [ebx+70h], 20000h
		jnz	loc_4B4C58
		movzx	eax, word ptr [ebx+0Ch]
		jmp	loc_4B4C5B
; 

loc_5C262B:				; CODE XREF: KeContextFromKframes+91j
		mov	eax, [ebx+78h]
		jmp	loc_4B4C86
; 

loc_5C2633:				; CODE XREF: KeContextFromKframes+21Dj
		mov	eax, [ebx+10h]
		jmp	loc_4B4CAA
; 

loc_5C263B:				; CODE XREF: KeContextFromKframes+E5j
		movzx	eax, word ptr [ebx+88h]
		mov	[esi+8Ch], eax
		movzx	eax, word ptr [ebx+84h]
		mov	[esi+90h], eax
		movzx	eax, word ptr [ebx+7Ch]
		mov	[esi+94h], eax
		movzx	eax, word ptr [ebx+80h]
		mov	[esi+98h], eax
		jmp	loc_4B4CFD
; 

loc_5C2671:				; CODE XREF: KeContextFromKframes+385j
		mov	eax, [edx+200h]
		mov	ebx, 0FFDF03D8h
		and	eax, [ebx]
		mov	[ebp+var_14], eax
		mov	eax, [edx+204h]
		and	eax, [ebx+4]
		and	[ebp+var_14], ecx
		and	eax, edi
		mov	ebx, [ebp+arg_0]
		not	edi
		mov	[ebp+var_18], eax
		not	ecx
		mov	eax, [ebp+var_C]
		and	edi, [eax+204h]
		and	ecx, [eax+200h]
		or	edi, [ebp+var_18]
		or	ecx, [ebp+var_14]
		mov	[eax+204h], edi
		mov	edi, eax
		mov	[eax+200h], ecx
		test	byte ptr ds:0FFDF03ECh,	2
		jz	loc_5C27F2
		mov	ecx, 0FFDF03D8h
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_C], 10h
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[edi+208h], eax
		or	ecx, 80000000h
		mov	[edi+20Ch], ecx
		mov	eax, [edx+208h]
		mov	ecx, [ebp+var_18]
		shrd	[ebp+var_14], ecx, 2
		mov	[ebp+var_20], eax
		mov	eax, [edx+20Ch]
		shrd	[ebp+var_20], eax, 2
		shr	ecx, 2
		shr	eax, 2
		mov	[ebp+var_28], eax
		mov	eax, ds:0FFDF05F8h
		mov	[ebp+var_10], eax
		mov	eax, ds:0FFDF05FCh
		shrd	[ebp+var_10], eax, 2
		mov	[ebp+var_18], ecx
		shr	eax, 2
		mov	[ebp+var_2C], eax

loc_5C2733:				; CODE XREF: KeContextFromKframes+10DC07j
		mov	eax, [ebp+var_20]
		and	eax, 1
		or	eax, 0
		jz	short loc_5C2799
		mov	eax, [ebp+var_10]
		and	eax, 1
		or	eax, 0
		jz	short loc_5C2755
		mov	eax, [ebp+var_1C]
		add	eax, 3Fh
		and	eax, 0FFFFFFC0h
		mov	[ebp+var_1C], eax

loc_5C2755:				; CODE XREF: KeContextFromKframes+10DB67j
		mov	eax, [ebp+var_14]
		and	eax, 1
		or	eax, 0
		jz	short loc_5C2787
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx-20FC0Ch]
		push	eax		; size_t
		mov	eax, [ebp+var_1C]
		add	eax, edx
		push	eax		; void *
		mov	eax, [ecx-20FC10h]
		add	eax, edi
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_24]
		add	esp, 0Ch
		mov	ecx, [ebp+var_18]

loc_5C2787:				; CODE XREF: KeContextFromKframes+10DB7Ej
		mov	ebx, [ebp+var_C]
		mov	eax, [ebp+var_1C]
		add	eax, [ebx-20FC0Ch]
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_1C], eax

loc_5C2799:				; CODE XREF: KeContextFromKframes+10DB5Cj
		mov	esi, [ebp+var_20]
		mov	eax, [ebp+var_14]
		mov	[ebp+var_20], esi
		mov	esi, [ebp+var_28]
		shrd	[ebp+var_20], esi, 1
		shrd	eax, ecx, 1
		shr	esi, 1
		mov	[ebp+var_28], esi
		mov	esi, [ebp+var_10]
		mov	[ebp+var_10], esi
		mov	esi, [ebp+var_2C]
		shrd	[ebp+var_10], esi, 1
		shr	ecx, 1
		shr	esi, 1
		mov	[ebp+var_14], eax
		or	eax, ecx
		mov	[ebp+var_2C], esi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_18], ecx
		jz	loc_4B4EAB
		mov	eax, [ebp+var_C]
		add	eax, 8
		mov	[ebp+var_C], eax
		cmp	eax, 200h
		jb	loc_5C2733
		jmp	loc_4B4EAB
; 

loc_5C27F2:				; CODE XREF: KeContextFromKframes+10DAE3j
		mov	ecx, [ebp+var_18]
		xor	ebx, ebx
		mov	esi, [ebp+var_14]

loc_5C27FA:				; CODE XREF: KeContextFromKframes+10DC5Fj
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_5C2827
		mov	ecx, [ebx-20FC10h]
		mov	eax, [ebx-20FC0Ch]
		push	eax		; size_t
		lea	eax, [ecx+edx]
		push	eax		; void *
		lea	eax, [ecx+edi]
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_24]
		add	esp, 0Ch
		mov	ecx, [ebp+var_18]

loc_5C2827:				; CODE XREF: KeContextFromKframes+10DC22j
		shrd	esi, ecx, 1
		shr	ecx, 1
		mov	eax, esi
		or	eax, ecx
		mov	[ebp+var_18], ecx
		jz	short loc_5C2841
		add	ebx, 8
		cmp	ebx, 200h
		jb	short loc_5C27FA

loc_5C2841:				; CODE XREF: KeContextFromKframes+10DC54j
		mov	ebx, [ebp+arg_0]
		mov	esi, [ebp+arg_8]
		jmp	loc_4B4EAB
; 

loc_5C284C:				; CODE XREF: KeContextFromKframes+1C4j
		mov	eax, [ebx+14h]
		mov	[esi+4], eax
		mov	eax, [ebx+18h]
		mov	[esi+8], eax
		mov	eax, [ebx+1Ch]
		mov	[esi+0Ch], eax
		mov	eax, [ebx+20h]
		mov	[esi+10h], eax
		mov	eax, [ebx+24h]
		mov	[esi+14h], eax
		mov	eax, large fs:124h
		test	byte ptr [eax+3], 10h
		jz	short loc_5C287A
		xor	eax, eax
		jmp	short loc_5C287D
; 

loc_5C287A:				; CODE XREF: KeContextFromKframes+10DC94j
		mov	eax, [ebx+28h]

loc_5C287D:				; CODE XREF: KeContextFromKframes+10DC98j
		mov	[esi+18h], eax
		jmp	loc_4B4DD4
; END OF FUNCTION CHUNK	FOR KeContextFromKframes
; 
; START	OF FUNCTION CHUNK FOR RtlUnwind

loc_5C2885:				; CODE XREF: RtlUnwind+8Ej
		push	0C0000028h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5C288F:				; CODE XREF: RtlUnwind+DEj
		xor	ecx, ecx
		jmp	loc_4B50A9
; 

loc_5C2896:				; CODE XREF: RtlUnwind+EBj
		mov	ecx, 6
		jmp	loc_4B50B6
; 

loc_5C28A0:				; CODE XREF: RtlUnwind+12Ej
		mov	eax, [esp+3B0h+var_3A4]
		mov	[esp+3B0h+var_370], eax
		lea	eax, [esp+3B0h+var_378]
		push	eax
		mov	[esp+3B4h+var_378], 0C0000029h
		mov	[esp+3B4h+var_374], 1
		mov	[esp+3B4h+var_368], 0
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		jmp	loc_4B51E1
; 

loc_5C28CF:				; CODE XREF: RtlUnwind+185j
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_4B514B

loc_5C28D8:				; CODE XREF: RtlUnwind+136j
					; RtlUnwind+141j ...
		mov	esi, [esp+3B0h+var_3A4]
		lea	eax, [esp+3B0h+var_378]
		push	eax
		mov	[esp+3B4h+var_378], 0C0000028h
		mov	[esp+3B4h+var_374], 1
		mov	[esp+3B4h+var_370], esi
		mov	[esp+3B4h+var_368], 0
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		jmp	loc_4B51B9
; 

loc_5C2907:				; CODE XREF: RtlUnwind+1EAj
		sub	eax, 2
		jz	short loc_5C2937
		lea	eax, [esp+3C4h+var_38C]
		mov	[esp+3C4h+var_38C], 0C0000026h
		push	eax
		mov	[esp+3C8h+var_388], 1
		mov	[esp+3C8h+var_384], esi
		mov	[esp+3C8h+var_37C], 0
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		jmp	loc_4B51B0
; 

loc_5C2937:				; CODE XREF: RtlUnwind+10D94Aj
		mov	ebx, [esp+3C4h+var_3A8]
		jmp	loc_4B51B0
; 

loc_5C2940:				; CODE XREF: RtlUnwind+103j
		mov	esi, [esp+3B0h+var_3A4]

loc_5C2944:				; CODE XREF: RtlUnwind+20Dj
		lea	eax, [esp+3B0h+var_2D8]
		push	0
		push	eax
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_5C295A
		call	_ZwContinue@8	; ZwContinue(x,x)
		jmp	short loc_5C2960
; 

loc_5C295A:				; CODE XREF: RtlUnwind+10D991j
		push	esi
		call	_ZwRaiseException@12 ; ZwRaiseException(x,x,x)

loc_5C2960:				; CODE XREF: RtlUnwind+10D998j
		mov	ecx, [esp+3B0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; END OF FUNCTION CHUNK	FOR RtlUnwind
; 
; START	OF FUNCTION CHUNK FOR RtlDispatchException

loc_5C2977:				; CODE XREF: RtlDispatchException+6Aj
		mov	edx, ebx
		mov	[esp+98h+var_85], 1
		mov	ecx, esi
		call	_RtlpLogExceptionDispatch@8 ; RtlpLogExceptionDispatch(x,x)
		jmp	loc_4B5260
; 

loc_5C298A:				; CODE XREF: RtlDispatchException+112j
					; RtlDispatchException+11Fj ...
		cmp	ebx, ds:_KiI386ExceptionChainTerminator
		jz	loc_4B531E

loc_5C2996:				; CODE XREF: RtlDispatchException+7Fj
					; RtlDispatchException+90j
		or	dword ptr [esi+4], 8
		jmp	loc_4B53F4
; 

loc_5C299F:				; CODE XREF: RtlDispatchException+15Fj
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_4B5355

loc_5C29A8:				; CODE XREF: RtlDispatchException+16Dj
					; RtlDispatchException+17Fj ...
		mov	edi, [esp+98h+var_84]
		mov	al, [esp+98h+var_86]
		or	dword ptr [edi+4], 8
		jmp	loc_5C2A64
; 

loc_5C29B9:				; CODE XREF: RtlDispatchException+1A2j
		mov	eax, [ebx+4]
		mov	edx, [esp+98h+var_70]
		push	eax
		push	ecx
		mov	ecx, edi
		call	_RtlpLogExceptionHandler@16 ; RtlpLogExceptionHandler(x,x,x,x)
		mov	esi, eax
		jmp	loc_4B5398
; 

loc_5C29D0:				; CODE XREF: RtlDispatchException+1CAj
		and	dword ptr [esi+4], 0FFFFFFEFh
		xor	ecx, ecx
		mov	[esp+98h+var_78], ecx
		jmp	loc_4B53C0
; 

loc_5C29DF:				; CODE XREF: RtlDispatchException+1D3j
		sub	eax, 0
		jz	short loc_5C2A2D
		sub	eax, 2
		jz	short loc_5C2A14
		lea	eax, [esp+98h+var_58]
		mov	[esp+98h+var_58], 0C0000026h
		push	eax
		mov	[esp+9Ch+var_54], 1
		mov	[esp+9Ch+var_50], esi
		mov	[esp+9Ch+var_48], 0
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		jmp	loc_4B53CF
; 

loc_5C2A14:				; CODE XREF: RtlDispatchException+10D7F7j
		or	dword ptr [esi+4], 10h
		mov	eax, [esp+98h+var_6C]
		cmp	eax, ecx
		jbe	loc_4B53CF
		mov	[esp+98h+var_78], eax
		jmp	loc_4B53CF
; 

loc_5C2A2D:				; CODE XREF: RtlDispatchException+10D7F2j
		test	byte ptr [esi+4], 1
		jz	short loc_5C2A5E
		lea	eax, [esp+98h+var_58]
		mov	[esp+98h+var_58], 0C0000025h
		push	eax
		mov	[esp+9Ch+var_54], 1
		mov	[esp+9Ch+var_50], esi
		mov	[esp+9Ch+var_48], 0
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		jmp	loc_4B53C9
; 

loc_5C2A5E:				; CODE XREF: RtlDispatchException+10D841j
		mov	al, 1
		jmp	short loc_5C2A64
; 

loc_5C2A62:				; CODE XREF: RtlDispatchException+10Aj
		mov	al, cl

loc_5C2A64:				; CODE XREF: RtlDispatchException+208j
					; RtlDispatchException+10D7C4j	...
		mov	ecx, [esp+98h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; END OF FUNCTION CHUNK	FOR RtlDispatchException
; 
; START	OF FUNCTION CHUNK FOR IoGetStackLimits

loc_5C2A7B:				; CODE XREF: IoGetStackLimits+18j
		mov	dword ptr [esi], 0
		mov	dword ptr [edi], 0
		jmp	loc_4B544E
; END OF FUNCTION CHUNK	FOR IoGetStackLimits
; 
; START	OF FUNCTION CHUNK FOR KeQueryCurrentStackInformationEx

loc_5C2A8C:				; CODE XREF: KeQueryCurrentStackInformationEx+18j
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	dword ptr [esi], 0
		mov	dword ptr [eax], 0FFFFFFFFh
		mov	eax, ds:_MmSystemRangeStart
		mov	[ecx], eax
		mov	al, 1
		jmp	loc_4B5540
; 

loc_5C2AAC:				; CODE XREF: KeQueryCurrentStackInformationEx+EDj
		mov	eax, [ebp+arg_4]
		mov	dword ptr [esi], 6
		mov	[eax], ecx
		mov	eax, [ebp+arg_0]
		mov	[eax], edx
		mov	al, 1
		jmp	loc_4B553F
; 

loc_5C2AC3:				; CODE XREF: KeQueryCurrentStackInformationEx+45j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		mov	dword ptr [eax], 5
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 0FFFFFFFFh
		mov	eax, ds:_MmSystemRangeStart
		mov	[ecx], eax
		mov	al, 1
		jmp	loc_4B553F
; END OF FUNCTION CHUNK	FOR KeQueryCurrentStackInformationEx
; 
; START	OF FUNCTION CHUNK FOR RtlpValidateContextFlags

loc_5C2AE6:				; CODE XREF: RtlpValidateContextFlags+Fj
		mov	eax, ecx
		and	eax, 27FFFFA0h
		cmp	eax, 100000h
		jz	loc_4B55E5
		mov	eax, ecx
		and	eax, 7FFFFF0h
		cmp	eax, 200000h
		jz	loc_4B55E5
		mov	eax, ecx
		and	eax, 7FFFFE0h
		cmp	eax, 400000h
		jz	loc_4B55E5
		mov	eax, 0C000000Dh
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR RtlpValidateContextFlags
; 
; START	OF FUNCTION CHUNK FOR MiVadCommitCrossPartition

loc_5C2B23:				; CODE XREF: MiVadCommitCrossPartition+27j
					; MiVadCommitCrossPartition+10CCEDj
		test	byte ptr [eax+24h], 10h
		jnz	short loc_5C2B34
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_5C2B23
		jmp	loc_4B5E5D
; 

loc_5C2B34:				; CODE XREF: MiVadCommitCrossPartition+10CCE7j
		test	eax, eax
		jz	loc_4B5E5D
		cmp	dword ptr [eax+0Ch], 0
		jz	loc_4B5E5D
		mov	eax, 1
		retn
; END OF FUNCTION CHUNK	FOR MiVadCommitCrossPartition
; 
; START	OF FUNCTION CHUNK FOR MiReturnCommit

loc_5C2B4C:				; CODE XREF: MiReturnCommit+23j
		lea	ecx, [esi+0D98h]
		lea	edx, [ebp+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, edi
		mov	ecx, esi
		call	_MiRestockOverCommit@8 ; MiRestockOverCommit(x,x)
		test	ds:byte_70EFC6,	1
		mov	edi, eax
		jz	short loc_5C2B7B
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C2BAC
; 

loc_5C2B7B:				; CODE XREF: MiReturnCommit+10CCFCj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5C2B9A
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5C2BAC
		call	KxWaitForLockChainValid

loc_5C2B9A:				; CODE XREF: MiReturnCommit+10CD10j
		mov	[ebp+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5C2BAC:				; CODE XREF: MiReturnCommit+10CD09j
					; MiReturnCommit+10CD23j
		mov	cl, byte ptr [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	loc_4B5ED2
		jmp	loc_4B5E99
; 

loc_5C2BC2:				; CODE XREF: MiReturnCommit+5Bj
		mov	edx, eax
		add	eax, edi
		cmp	eax, 100h
		jbe	loc_4B5EC0
		jmp	loc_4B5ED8
; 

loc_5C2BD6:				; CODE XREF: MiReturnCommit+82j
		cmp	eax, edx
		jb	short loc_5C2BE7
		jmp	loc_4B5EF8
; 

loc_5C2BDF:				; CODE XREF: MiReturnCommit+92j
		cmp	eax, edx
		jnb	loc_4B5ED1

loc_5C2BE7:				; CODE XREF: MiReturnCommit+10CD68j
		xor	edx, edx
		mov	ecx, esi
		call	MiSyncCommitSignals
		jmp	loc_4B5ED1
; END OF FUNCTION CHUNK	FOR MiReturnCommit
; 
; START	OF FUNCTION CHUNK FOR MiUseSlabAllocator

loc_5C2BF5:				; CODE XREF: MiUseSlabAllocator+34j
		test	al, 8
		jz	loc_4B5F5F
		test	byte ptr [edx+12h], 2
		jz	short loc_5C2C10
		mov	al, [edx+10h]
		and	al, 0Ah
		cmp	al, 8
		jz	loc_4B5F5F

loc_5C2C10:				; CODE XREF: MiUseSlabAllocator+10CCB1j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_5C2C1A
		and	dword ptr [eax], 0

loc_5C2C1A:				; CODE XREF: MiUseSlabAllocator+10CCC5j
		xor	eax, eax
		inc	eax
		jmp	loc_4B5F61
; 

loc_5C2C22:				; CODE XREF: MiUseSlabAllocator+3Ej
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	loc_4B5F5F
		xor	eax, eax
		inc	eax
		mov	[ecx], eax
		jmp	loc_4B5F61
; END OF FUNCTION CHUNK	FOR MiUseSlabAllocator
; 
; START	OF FUNCTION CHUNK FOR MiObtainFaultCharges

loc_5C2C37:				; CODE XREF: MiObtainFaultCharges+57j
		mov	edi, eax
		cmp	esi, eax
		jbe	loc_4B5FE0
		jmp	loc_4B6046
; 

loc_5C2C46:				; CODE XREF: MiObtainFaultCharges+5Fj
					; MiObtainFaultCharges+BCj
		test	[ebp+arg_0], 2
		jnz	short loc_5C2C53
		xor	eax, eax
		jmp	loc_4B6032
; 

loc_5C2C53:				; CODE XREF: MiObtainFaultCharges+10CCAAj
		mov	esi, 1
		mov	ecx, ebx
		push	0FFFFFFFFh
		mov	edx, esi
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		jmp	loc_4B6005
; 

loc_5C2C68:				; CODE XREF: MiObtainFaultCharges+82j
					; MiObtainFaultCharges+C5j
		test	[ebp+arg_0], 2
		jz	loc_4B6028
		mov	edi, 1
		mov	ecx, ebx
		push	4
		mov	edx, edi
		call	MiChargeCommit
		jmp	loc_4B6028
; 

loc_5C2C87:				; CODE XREF: MiObtainFaultCharges+8Aj
		sub	esi, edi
		mov	ecx, ebx
		mov	edx, esi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	loc_4B6030
		lea	ecx, [ebx+1000h]
		lock xadd [ecx], eax
		jmp	loc_4B6030
; END OF FUNCTION CHUNK	FOR MiObtainFaultCharges
; 
; START	OF FUNCTION CHUNK FOR MiEndingOffsetWithLock

loc_5C2CA9:				; CODE XREF: MiEndingOffsetWithLock+2Bj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@ExpReleaseSpinLockSharedFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockSharedFromDpcLevelInstrumented(x,x)
		jmp	loc_4B60AC
; END OF FUNCTION CHUNK	FOR MiEndingOffsetWithLock
; 
; START	OF FUNCTION CHUNK FOR MiStartingOffset

loc_5C2CB8:				; CODE XREF: MiStartingOffset+19j
					; MiStartingOffset+27j
		test	byte ptr [edi+12h], 2
		jz	short loc_5C2CCB
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		push	edi
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		jmp	short loc_5C2CCE
; 

loc_5C2CCB:				; CODE XREF: MiStartingOffset+10CB3Cj
		mov	eax, [edi+0Ch]

loc_5C2CCE:				; CODE XREF: MiStartingOffset+10CB49j
		sub	esi, [eax+24h]
		mov	ecx, 8
		sar	esi, 3
		mov	eax, esi
		imul	ecx
		add	eax, [edi+14h]
		adc	edx, 0
		shld	edx, eax, 9
		shl	eax, 9
		jmp	loc_4B61CA
; END OF FUNCTION CHUNK	FOR MiStartingOffset
; 
; START	OF FUNCTION CHUNK FOR MiClaimPhysicalRun

loc_5C2CEF:				; CODE XREF: MiClaimPhysicalRun+19j
		mov	dword ptr [eax], 0FFFFFFFFh
		jmp	loc_4B622F
; 

loc_5C2CFA:				; CODE XREF: MiClaimPhysicalRun+A8j
		lea	edx, [ecx-1]
		not	edx
		mov	eax, edx
		and	eax, esi
		cmp	esi, eax
		jnz	short loc_5C2D0E
		mov	eax, ecx
		jmp	loc_4B62BE
; 

loc_5C2D0E:				; CODE XREF: MiClaimPhysicalRun+10CAF5j
		lea	eax, [ecx-1]
		add	eax, esi
		and	eax, edx
		sub	eax, esi
		jmp	loc_4B62BE
; 

loc_5C2D1C:				; CODE XREF: MiClaimPhysicalRun+10Aj
		mov	ecx, [ebp+arg_1C]
		test	ecx, ecx
		jz	loc_4B6320
		mov	eax, [ebp+var_10]
		mov	[ecx], eax
		jmp	loc_4B6320
; 

loc_5C2D31:				; CODE XREF: MiClaimPhysicalRun+126j
		imul	eax, esi, 0FFFFF000h
		add	[ecx+14h], eax
		jmp	loc_4B633C
; END OF FUNCTION CHUNK	FOR MiClaimPhysicalRun
; 
; START	OF FUNCTION CHUNK FOR MiCollapseRunTopDown

loc_5C2D3F:				; CODE XREF: MiCollapseRunTopDown+67j
		mov	edx, [ebp+var_8]
		mov	eax, edi
		and	eax, edx
		cmp	eax, edi
		jz	short loc_5C2D4D
		mov	[ecx+4], eax

loc_5C2D4D:				; CODE XREF: MiCollapseRunTopDown+10BA78j
		mov	eax, esi
		and	eax, edx
		cmp	eax, esi
		jz	short loc_5C2D64
		lea	eax, [ebx-1]
		add	eax, esi
		and	eax, edx
		mov	[ecx], eax
		jz	loc_4B7344

loc_5C2D64:				; CODE XREF: MiCollapseRunTopDown+10BA83j
		mov	esi, [ecx]
		mov	edi, [ecx+4]
		mov	al, [ebp+var_1]
		cmp	esi, edi
		jb	loc_4B7300
		jmp	loc_4B7344
; END OF FUNCTION CHUNK	FOR MiCollapseRunTopDown
; 
; START	OF FUNCTION CHUNK FOR MiFreeVadRange

loc_5C2D79:				; CODE XREF: MiFreeVadRange+3Ej
		cmp	esi, [ecx+0Ch]
		jnz	short loc_5C2D97
		cmp	edi, [ecx+10h]
		jnz	short loc_5C2D97
		test	byte ptr [ecx+28h], 1
		jnz	loc_4B7E90
		mov	eax, 0C0000002h
		jmp	loc_4B7ED4
; 

loc_5C2D97:				; CODE XREF: MiFreeVadRange+10AF30j
					; MiFreeVadRange+10AF35j
		mov	eax, 0C0000018h
		jmp	loc_4B7ED4
; 

loc_5C2DA1:				; CODE XREF: MiFreeVadRange+62j
		mov	eax, [esp+18h+var_C]
		mov	eax, [eax+24h]
		jmp	short loc_5C2DB2
; 

loc_5C2DAA:				; CODE XREF: MiFreeVadRange+10AF68j
		test	byte ptr [eax+24h], 80h
		jnz	short loc_5C2DB6
		mov	eax, [eax]

loc_5C2DB2:				; CODE XREF: MiFreeVadRange+10AF5Cj
		test	eax, eax
		jnz	short loc_5C2DAA

loc_5C2DB6:				; CODE XREF: MiFreeVadRange+10AF62j
		mov	esi, [eax+4]
		mov	ecx, esi
		and	dword ptr [eax+4], 0
		call	_MiLockNestedVad@4 ; MiLockNestedVad(x)
		mov	eax, [esp+18h+var_8]
		shr	eax, 0Ch
		mov	[esi+0Ch], eax
		mov	eax, ebx
		shr	eax, 0Ch
		mov	[esi+10h], eax
		jmp	loc_4B7EB4
; 

loc_5C2DDB:				; CODE XREF: MiFreeVadRange+A3j
					; MiFreeVadRange+10AF99j
		test	byte ptr [eax+24h], 2
		jnz	short loc_5C2DE7
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_5C2DDB

loc_5C2DE7:				; CODE XREF: MiFreeVadRange+10AF93j
		test	eax, eax
		jz	loc_4B7EF5
		mov	eax, 0C0000045h
		jmp	loc_4B7ED4
; 

loc_5C2DF9:				; CODE XREF: MiFreeVadRange+ACj
		push	28h
		push	edi
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		test	eax, eax
		js	loc_4B7ED4
		mov	ecx, [esp+18h+var_8]
		mov	edx, ebx
		push	2
		call	MiAllocateVad
		mov	esi, eax
		test	esi, esi
		jnz	short loc_5C2E3E
		cmp	edi, ds:_PsInitialSystemProcess
		jz	short loc_5C2E34
		mov	ecx, [edi+188h]
		mov	edx, edi
		push	28h
		push	eax
		call	PspReturnQuota

loc_5C2E34:				; CODE XREF: MiFreeVadRange+10AFD6j
		mov	eax, 0C000009Ah
		jmp	loc_4B7ED4
; 

loc_5C2E3E:				; CODE XREF: MiFreeVadRange+10AFCEj
		mov	ecx, esi
		call	_MiLockNestedVad@4 ; MiLockNestedVad(x)
		jmp	loc_4B7EFE
; 

loc_5C2E4A:				; CODE XREF: MiFreeVadRange+CDj
		test	esi, esi
		jz	loc_4B7ED4
		mov	ecx, esi
		call	_MiUnlockNestedVad@4 ; MiUnlockNestedVad(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	edi, ds:_PsInitialSystemProcess
		jz	short loc_5C2E7A
		mov	ecx, [edi+188h]
		mov	edx, edi
		push	28h
		push	0
		call	PspReturnQuota

loc_5C2E7A:				; CODE XREF: MiFreeVadRange+10B01Bj
		mov	eax, [esp+18h+var_C]
		jmp	loc_4B7ED4
; 

loc_5C2E83:				; CODE XREF: MiFreeVadRange+80j
		sub	ebx, [esp+18h+var_8]
		mov	ecx, [esp+18h+var_8]
		push	eax
		push	edi
		lea	edx, [ebx+1]
		call	_PerfInfoLogVirtualFree@16 ; PerfInfoLogVirtualFree(x,x,x,x)
		jmp	loc_4B7ED2
; END OF FUNCTION CHUNK	FOR MiFreeVadRange
; 
; START	OF FUNCTION CHUNK FOR MiResolveMappedFileFault

loc_5C2E9A:				; CODE XREF: MiResolveMappedFileFault+68j
		mov	ecx, [ebp+arg_0]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	eax, 0C00000A1h
		jmp	loc_4B83EC
; 

loc_5C2EAE:				; CODE XREF: MiResolveMappedFileFault+4C1j
		test	byte ptr [esi+1Ch], 4
		jz	short loc_5C2EC8
		mov	ecx, [ebp+arg_0]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	eax, 0C0000017h
		jmp	loc_4B83EC
; 

loc_5C2EC8:				; CODE XREF: MiResolveMappedFileFault+10AE92j
		mov	[ebp+var_8], 0
		jmp	loc_4B80A6
; 

loc_5C2ED4:				; CODE XREF: MiResolveMappedFileFault+4DCj
		mov	ecx, [ebp+arg_0]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		xor	eax, eax
		jmp	loc_4B83EC
; 

loc_5C2EE5:				; CODE XREF: MiResolveMappedFileFault+5D2j
		mov	ecx, [ebp+var_30]
		jmp	loc_4B8607
; 

loc_5C2EED:				; CODE XREF: MiResolveMappedFileFault+D4j
		mov	ecx, [ebp+arg_0]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	eax, 0C0000006h
		jmp	loc_4B83EC
; 

loc_5C2F01:				; CODE XREF: MiResolveMappedFileFault+F2j
		test	eax, 4000000h
		jz	loc_4B8118
		mov	ecx, [ebp+var_10]
		call	_MiGetSessionIdForVa@4 ; MiGetSessionIdForVa(x)
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_24], eax
		cmp	ecx, ds:dword_6D07D0
		jb	short loc_5C2F70
		test	edx, edx
		jz	short loc_5C2F39
		mov	cl, [esi]
		cmp	cl, 1
		jz	short loc_5C2F47
		cmp	cl, 3
		jz	short loc_5C2F47
		cmp	cl, 6
		jnz	short loc_5C2F70
		jmp	short loc_5C2F47
; 

loc_5C2F39:				; CODE XREF: MiResolveMappedFileFault+10AF04j
		mov	ecx, [ebp+var_2C]
		xor	edx, edx
		call	@KeInvalidAccessAllowed@8 ; KeInvalidAccessAllowed(x,x)
		cmp	al, 1
		jnz	short loc_5C2F6D

loc_5C2F47:				; CODE XREF: MiResolveMappedFileFault+10AF0Bj
					; MiResolveMappedFileFault+10AF10j ...
		mov	eax, [ebp+var_28]
		mov	eax, [eax+8]
		test	al, 1
		jz	short loc_5C2F59
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	6
		jz	short loc_5C2F6D

loc_5C2F59:				; CODE XREF: MiResolveMappedFileFault+120j
					; MiResolveMappedFileFault+10AF2Fj
		mov	ecx, [ebp+arg_0]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	eax, 0C0000005h
		jmp	loc_4B83EC
; 

loc_5C2F6D:				; CODE XREF: MiResolveMappedFileFault+10AF25j
					; MiResolveMappedFileFault+10AF37j
		mov	eax, [ebp+var_24]

loc_5C2F70:				; CODE XREF: MiResolveMappedFileFault+10AF00j
					; MiResolveMappedFileFault+10AF15j
		push	edi
		mov	edx, eax
		mov	ecx, ebx
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		mov	edx, eax
		mov	[ebp+var_40], edx
		mov	eax, [edx+24h]
		jmp	short loc_5C2F87
; 

loc_5C2F84:				; CODE XREF: MiResolveMappedFileFault+4A0j
		mov	eax, [eax+24h]

loc_5C2F87:				; CODE XREF: MiResolveMappedFileFault+10AF62j
		mov	[ebp+var_20], eax
		jmp	loc_4B8129
; 

loc_5C2F8F:				; CODE XREF: MiResolveMappedFileFault+132j
		test	edx, edx
		jz	short loc_5C2F9A
		mov	eax, 2
		jmp	short loc_5C2FA6
; 

loc_5C2F9A:				; CODE XREF: MiResolveMappedFileFault+10AF71j
		mov	eax, 3
		mov	[ebp+var_18], 1

loc_5C2FA6:				; CODE XREF: MiResolveMappedFileFault+10AF78j
		mov	[ebp+var_14], eax
		mov	[ebp+var_34], esi
		cmp	eax, 2
		ja	loc_4B819F
		jmp	loc_4B8158
; 

loc_5C2FBA:				; CODE XREF: MiResolveMappedFileFault+156j
		mov	[ebp+var_18], 1
		jmp	loc_4B819F
; 

loc_5C2FC6:				; CODE XREF: MiResolveMappedFileFault+196j
		mov	eax, 0C000009Ah
		jmp	loc_4B8677
; 

loc_5C2FD0:				; CODE XREF: MiResolveMappedFileFault+22Fj
		mov	esi, [ebp+var_34]
		jmp	loc_4B828F
; 

loc_5C2FD8:				; CODE XREF: MiResolveMappedFileFault+2BDj
		mov	edx, [ebp+var_50]
		mov	ecx, offset _MiSystemPartition
		push	0
		push	0
		push	0
		call	_MiGetSlabPage@20 ; MiGetSlabPage(x,x,x,x,x)
		jmp	loc_4B82F4
; 

loc_5C2FF0:				; CODE XREF: MiResolveMappedFileFault+2DAj
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_5C300C
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_5C300C:				; CODE XREF: MiResolveMappedFileFault+10AFE1j
		mov	edx, 1
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		jmp	loc_4B832F
; 

loc_5C3020:				; CODE XREF: MiResolveMappedFileFault+2E6j
		push	[ebp+var_40]
		mov	ecx, ebx
		push	[ebp+arg_0]
		push	eax
		push	[ebp+var_2C]
		push	[ebp+var_C]
		call	_MiCopyFileOnlyGlobalSubsectionPage@28 ; MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)
		mov	[ebp+var_50], eax
		test	eax, eax
		jns	loc_4B84C5
		cmp	eax, 0C0000055h
		jz	short loc_5C3065
		cmp	eax, 0C0000434h
		jz	short loc_5C308F
		cmp	eax, 0C0033333h
		jnz	short loc_5C3069
		mov	eax, [ebp+var_28]
		mov	esi, 0C0000016h
		or	dword ptr [eax+24h], 100h
		jmp	short loc_5C306C
; 

loc_5C3065:				; CODE XREF: MiResolveMappedFileFault+10B024j
		xor	esi, esi
		jmp	short loc_5C306C
; 

loc_5C3069:				; CODE XREF: MiResolveMappedFileFault+10B032j
		mov	esi, [ebp+var_50]

loc_5C306C:				; CODE XREF: MiResolveMappedFileFault+10B043j
					; MiResolveMappedFileFault+10B047j
		mov	ecx, [ebp+arg_0]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	ecx, ebx
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)
		mov	eax, esi
		jmp	loc_4B83EC
; 

loc_5C3084:				; CODE XREF: MiResolveMappedFileFault+282j
		mov	esi, [ebp+var_4]
		jmp	loc_4B832F
; 

loc_5C308C:				; CODE XREF: MiResolveMappedFileFault+1D6j
		mov	esi, [ebp+var_4]

loc_5C308F:				; CODE XREF: MiResolveMappedFileFault+10B02Bj
		mov	ecx, [ebp+arg_0]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	eax, [ebp+var_1C]
		mov	[ebx+64h], eax
		mov	eax, [ebp+var_C]
		mov	[ebx+8Ch], eax
		mov	eax, [ebx+78h]
		and	eax, 0FFFBFFFFh
		mov	dword ptr [ebx+0BCh], 0
		or	eax, 1
		mov	[ebx+80h], edi
		mov	[ebx+78h], eax
		mov	eax, [ebp+arg_4]
		mov	dword ptr [ebx+70h], 0
		mov	[ebx+60h], esi
		mov	dword ptr [ebx+5Ch], 0
		mov	[eax], ebx
		mov	eax, 0C0033333h
		mov	dword ptr [ebx+98h], 0
		mov	dword ptr [ebx+30h], 0
		jmp	loc_4B83EC
; 

loc_5C30F7:				; CODE XREF: MiResolveMappedFileFault+1AAj
					; MiResolveMappedFileFault+1B5j ...
		mov	ecx, [ebp+arg_0]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	ecx, ebx
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)
		mov	eax, 0C0000434h
		jmp	loc_4B8677
; 

loc_5C3112:				; CODE XREF: MiResolveMappedFileFault+662j
		cmp	eax, 0C000009Ah
		setz	cl
		inc	cl
		mov	[edx+1], cl
		jmp	loc_4B83EC
; END OF FUNCTION CHUNK	FOR MiResolveMappedFileFault
; 
; START	OF FUNCTION CHUNK FOR MiAllocateInPageSupport

loc_5C3124:				; CODE XREF: MiAllocateInPageSupport+59j
		test	bl, 1
		jz	short loc_5C3166
		and	ebx, 0FFFFFFFEh
		mov	dword ptr [edi], 10h
		jmp	loc_4B86F1
; 

loc_5C3137:				; CODE XREF: MiAllocateInPageSupport+74j
		test	bl, 1
		jz	loc_4B871A
		mov	eax, [ebp+arg_0]
		and	ebx, 0FFFFFFFEh
		mov	ecx, ebx
		mov	dword ptr [eax], 10h
		call	_MiGetInPageSupportBlock@4 ; MiGetInPageSupportBlock(x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_4B8702
		jmp	short loc_5C3166
; 

loc_5C315F:				; CODE XREF: MiAllocateInPageSupport+8Aj
		mov	ecx, edi
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)

loc_5C3166:				; CODE XREF: MiAllocateInPageSupport+10AA9Fj
					; MiAllocateInPageSupport+10AAD5j
		xor	eax, eax
		jmp	loc_4B86C7
; END OF FUNCTION CHUNK	FOR MiAllocateInPageSupport
; 
; START	OF FUNCTION CHUNK FOR MiPickClusterForMappedFileFault

loc_5C316D:				; CODE XREF: MiPickClusterForMappedFileFault+83j
		dec	eax
		mov	ds:dword_6D348C, eax
		jmp	loc_4B8989
; END OF FUNCTION CHUNK	FOR MiPickClusterForMappedFileFault
; 
; START	OF FUNCTION CHUNK FOR MiChangePageAttributeBatch

loc_5C3178:				; CODE XREF: MiChangePageAttributeBatch+9Ej
		xor	esi, esi
		inc	esi
		cmp	edx, esi
		jz	loc_4B9150
		inc	ds:dword_6D06DC
		call	KeInvalidateAllCaches
		mov	[ebp+var_10], esi
		jmp	loc_4B912B
; END OF FUNCTION CHUNK	FOR MiChangePageAttributeBatch
; 
; START	OF FUNCTION CHUNK FOR MiAbortCombineScan

loc_5C3196:				; CODE XREF: MiAbortCombineScan+10j
		mov	ebx, offset unk_6D2F80
		push	ebx
		call	ExAcquireSpinLockSharedAtDpcLevel
		mov	esi, ds:dword_6D5C64
		jmp	short loc_5C31D9
; 

loc_5C31A9:				; CODE XREF: MiAbortCombineScan+109FBFj
		cmp	[esi+18h], edi
		jnz	short loc_5C31D7
		mov	ecx, [esi+1Ch]
		mov	eax, [ecx]
		and	eax, 1
		or	eax, 0
		jz	short loc_5C31D7
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		nop
		mov	eax, ds:dword_40F9FC
		xor	edx, edx
		mov	[ecx+4], eax
		push	1
		shl	ecx, 9
		call	KeFlushSingleTb

loc_5C31D7:				; CODE XREF: MiAbortCombineScan+109F8Cj
					; MiAbortCombineScan+109F99j
		mov	esi, [esi]

loc_5C31D9:				; CODE XREF: MiAbortCombineScan+109F87j
		cmp	esi, offset dword_6D5C64
		jnz	short loc_5C31A9
		push	ebx
		call	ExReleaseSpinLockSharedFromDpcLevel
		jmp	loc_4B9236
; END OF FUNCTION CHUNK	FOR MiAbortCombineScan
; 
; START	OF FUNCTION CHUNK FOR MiCreateSoftwareWsle

loc_5C31EC:				; CODE XREF: MiCreateSoftwareWsle+B4j
		test	ebx, ebx
		jz	short loc_5C31FD
		mov	edx, [ebp+esi*4+var_C]
		mov	ecx, [ebp+var_8]
		push	ebx
		call	_MiDeleteUnusedSoftwareWsle@12 ; MiDeleteUnusedSoftwareWsle(x,x,x)

loc_5C31FD:				; CODE XREF: MiCreateSoftwareWsle+109F1Ej
		mov	eax, 4
		jmp	loc_4B9374
; END OF FUNCTION CHUNK	FOR MiCreateSoftwareWsle
; 
; START	OF FUNCTION CHUNK FOR MiCreateSystemPageTable

loc_5C3207:				; CODE XREF: MiCreateSystemPageTable+6Aj
		cmp	ecx, 0C0000017h
		jnz	short loc_5C323F
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax],	2
		jz	short loc_5C323F
		cmp	byte ptr [eax+6], 2
		jnb	short loc_5C323F
		mov	eax, large fs:124h
		cmp	byte ptr [eax+87h], 10h
		jge	short loc_5C323F
		test	dword ptr [esi+20h], 400h
		jnz	short loc_5C323F
		mov	eax, 2
		jmp	loc_4B9529
; 

loc_5C323F:				; CODE XREF: MiCreateSystemPageTable+109E7Dj
					; MiCreateSystemPageTable+109E85j ...
		mov	[esi+0C4h], ecx
		mov	eax, 4
		jmp	loc_4B9529
; 

loc_5C324F:				; CODE XREF: MiCreateSystemPageTable+9Bj
		mov	eax, ds:dword_6D30F0
		inc	eax
		mov	ds:dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	loc_4B9431
		mov	edx, 1
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)
		mov	ecx, [esp+30h+var_1C]
		jmp	loc_4B9431
; 

loc_5C3279:				; CODE XREF: MiCreateSystemPageTable+22Dj
		mov	ecx, [esp+30h+var_10]
		call	MiFlushTbList
		jmp	loc_4B95C3
; 

loc_5C3287:				; CODE XREF: MiCreateSystemPageTable+191j
		push	edi
		mov	edx, esi
		call	_MiMakeSystemLeavesNonZero@12 ;	MiMakeSystemLeavesNonZero(x,x,x)
		jmp	loc_4B9527
; END OF FUNCTION CHUNK	FOR MiCreateSystemPageTable
; 
; START	OF FUNCTION CHUNK FOR MiInitializeSystemPageTable

loc_5C3294:				; CODE XREF: MiInitializeSystemPageTable+24Fj
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	edx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		jmp	loc_4B98AB
; 

loc_5C32B0:				; CODE XREF: MiInitializeSystemPageTable+1E6j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		mov	ecx, [ebp+var_C]
		test	eax, eax
		jz	short loc_5C32E9
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	edx, 1
		jnz	loc_4B982F

loc_5C32CE:				; CODE XREF: MiInitializeSystemPageTable+109CBFj
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		mov	eax, [ebp+var_4]
		jz	loc_4B9832
		or	eax, 80000000h
		jmp	loc_4B9832
; 

loc_5C32E9:				; CODE XREF: MiInitializeSystemPageTable+109C7Aj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_5C32CE
		jmp	loc_4B982F
; 

loc_5C3306:				; CODE XREF: MiInitializeSystemPageTable+1FAj
		push	eax
		push	ecx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_4B9840
; 

loc_5C3314:				; CODE XREF: MiInitializeSystemPageTable+326j
		mov	ecx, [ebp+arg_8]
		push	esi
		mov	esi, 1
		mov	edx, esi
		call	_MiInsertRecursiveTbFlushEntries@12 ; MiInsertRecursiveTbFlushEntries(x,x,x)
		jmp	loc_4B98D4
; 

loc_5C3329:				; CODE XREF: MiInitializeSystemPageTable+29Bj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4B98FF
; END OF FUNCTION CHUNK	FOR MiInitializeSystemPageTable
; 
; START	OF FUNCTION CHUNK FOR MiLockAndIncrementShareCount

loc_5C3339:				; CODE XREF: MiLockAndIncrementShareCount+28j
					; MiLockAndIncrementShareCount+1099BFj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5C3339
		jmp	loc_4B99A9
; END OF FUNCTION CHUNK	FOR MiLockAndIncrementShareCount
; 
; START	OF FUNCTION CHUNK FOR MiGetPageTablePages

loc_5C334C:				; CODE XREF: MiGetPageTablePages+75j
		test	byte ptr [edi+20h], 10h
		jz	short loc_5C337C
		mov	ecx, [ebp+var_4]
		push	60h
		pop	edx
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	short loc_5C337C
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_14]
		or	eax, 4
		mov	ecx, [ebp+var_4]
		push	eax
		call	MiGetPage
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4B9A6F

loc_5C337C:				; CODE XREF: MiGetPageTablePages+10995Cj
					; MiGetPageTablePages+10996Bj
		cmp	[ebp+var_10], 0
		jz	short loc_5C339C
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	MiReturnCommit
		push	dword ptr [edi+18h]
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	_MiReturnSystemCharges@12 ; MiReturnSystemCharges(x,x,x)
		sub	[edi+10h], esi

loc_5C339C:				; CODE XREF: MiGetPageTablePages+10998Cj
		test	ebx, ebx
		jz	short loc_5C33AF

loc_5C33A0:				; CODE XREF: MiGetPageTablePages+1099B9j
		mov	esi, [ebx]
		mov	ecx, ebx
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		mov	ebx, esi
		test	esi, esi
		jnz	short loc_5C33A0

loc_5C33AF:				; CODE XREF: MiGetPageTablePages+1099AAj
		mov	eax, 0C0000017h
		jmp	loc_4B9A9C
; END OF FUNCTION CHUNK	FOR MiGetPageTablePages
; 
; START	OF FUNCTION CHUNK FOR MiFillPhysicalPages

loc_5C33B9:				; CODE XREF: MiFillPhysicalPages+D6j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5C33F0
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	loc_4B9C09
		jmp	short loc_5C33D7
; 

loc_5C33D4:				; CODE XREF: MiFillPhysicalPages+1098E2j
		mov	ecx, [ebp+var_C]

loc_5C33D7:				; CODE XREF: MiFillPhysicalPages+1098A8j
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_4B9C09
		or	edx, 80000000h
		jmp	loc_4B9C09
; 

loc_5C33F0:				; CODE XREF: MiFillPhysicalPages+109896j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_4B9C06
		jmp	short loc_5C33D4
; 

loc_5C340E:				; CODE XREF: MiFillPhysicalPages+E7j
		push	edx
		push	esi
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_4B9C17
; 

loc_5C341C:				; CODE XREF: MiFillPhysicalPages+9Cj
		push	0
		push	0
		push	esi
		push	3030305h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C342E:				; CODE XREF: MiMapPageInHyperSpaceWorker+16j
		mov	ebx, 1
		jmp	loc_4B9CF1
; END OF FUNCTION CHUNK	FOR MiFillPhysicalPages
; 
; START	OF FUNCTION CHUNK FOR MiMapPageInHyperSpaceWorker

loc_5C3438:				; CODE XREF: MiMapPageInHyperSpaceWorker+44j
					; MiMapPageInHyperSpaceWorker+4Dj
		or	ebx, 8
		jmp	loc_4B9D2C
; 

loc_5C3440:				; CODE XREF: MiMapPageInHyperSpaceWorker+111j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5C345D
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	edi, 1
		jnz	loc_4B9DE7
		jmp	short loc_5C3479
; 

loc_5C345D:				; CODE XREF: MiMapPageInHyperSpaceWorker+109777j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_4B9DE7

loc_5C3479:				; CODE XREF: MiMapPageInHyperSpaceWorker+10978Bj
		or	edx, 80000000h
		jmp	loc_4B9DE7
; 

loc_5C3484:				; CODE XREF: MiMapPageInHyperSpaceWorker+109j
		test	eax, eax
		jz	short loc_5C34BF
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5C34A1
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	edi, 1
		jz	short loc_5C34B9
		jmp	short loc_5C34BF
; 

loc_5C34A1:				; CODE XREF: MiMapPageInHyperSpaceWorker+1097BFj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_5C34BF

loc_5C34B9:				; CODE XREF: MiMapPageInHyperSpaceWorker+1097CDj
		or	edx, 80000000h

loc_5C34BF:				; CODE XREF: MiMapPageInHyperSpaceWorker+1097B6j
					; MiMapPageInHyperSpaceWorker+1097CFj ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], ebx
		test	edi, edi
		jz	loc_4B9DF1
		jmp	loc_4B9E25
; END OF FUNCTION CHUNK	FOR MiMapPageInHyperSpaceWorker
; 
; START	OF FUNCTION CHUNK FOR MiGetPhysicalAddress

loc_5C34D2:				; CODE XREF: MiGetPhysicalAddress+6Aj
		xor	ecx, ecx
		jmp	loc_4B9EF0
; END OF FUNCTION CHUNK	FOR MiGetPhysicalAddress
; 

loc_5C34D9:				; CODE XREF: .text:004BA099j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_4BA0A5
; 

loc_5C34E8:				; CODE XREF: .text:004BA0E3j
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_4BA0EE
; 
; START	OF FUNCTION CHUNK FOR RtlCompressBufferXpressLz

loc_5C34F2:				; CODE XREF: RtlCompressBufferXpressLz+15j
		mov	edx, 100h
		cmp	cx, dx
		jnz	short loc_5C351B
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		push	edx		; int
		push	0		; int
		push	0		; int
		push	eax		; void *
		push	[ebp+arg_18]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		call	_RtlCompressBufferXpressLzMax@36 ; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)
		jmp	loc_4BA4E5
; 

loc_5C351B:				; CODE XREF: RtlCompressBufferXpressLz+10904Aj
		mov	eax, 0C00000BBh
		jmp	loc_4BA4E5
; END OF FUNCTION CHUNK	FOR RtlCompressBufferXpressLz
; 
; START	OF FUNCTION CHUNK FOR RtlCompressBufferXpressLzStandard

loc_5C3525:				; CODE XREF: RtlCompressBufferXpressLzStandard+5D7j
		xor	ecx, ecx
		mov	[eax], cx
		mov	[edi], edx
		add	edi, 4
		jmp	loc_4BA84E
; 

loc_5C3534:				; CODE XREF: RtlCompressBufferXpressLzStandard+5B4j
		mov	dword ptr [eax], 8
		jmp	loc_4BAAAA
; END OF FUNCTION CHUNK	FOR RtlCompressBufferXpressLzStandard
; 
; START	OF FUNCTION CHUNK FOR MmBuildMdlForNonPagedPool

loc_5C353F:				; CODE XREF: MmBuildMdlForNonPagedPool+96j
		mov	ecx, edi
		call	_MiVaToPfn@4	; MiVaToPfn(x)
		mov	ebx, 1
		mov	edi, eax
		mov	[esp+30h+var_1C], ebx
		jmp	loc_4BAC77
; 

loc_5C3556:				; CODE XREF: MmBuildMdlForNonPagedPool+A6j
		mov	[esp+30h+var_18], 0
		jmp	loc_4BAD33
; 

loc_5C3563:				; CODE XREF: MmBuildMdlForNonPagedPool+1D4j
					; MmBuildMdlForNonPagedPool+1DCj
		mov	edi, eax
		mov	ecx, edx
		and	eax, 200h
		or	eax, 0
		jz	loc_4BAD01
		jmp	loc_4BAD22
; 

loc_5C357A:				; CODE XREF: MmBuildMdlForNonPagedPool+131j
		push	edx
		push	ecx
		mov	ecx, esi
		mov	edx, 1
		shl	ecx, 9
		call	MiQueuePinDriverAddressLog
		jmp	loc_4BAC77
; 

loc_5C3590:				; CODE XREF: MmBuildMdlForNonPagedPool+117j
		push	ecx
		push	esi
		push	[ebp+arg_0]
		push	1241h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C35A1:				; CODE XREF: MmBuildMdlForNonPagedPool+D4j
		push	ecx
		push	esi
		push	[ebp+arg_0]
		push	1240h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C35B3:				; CODE XREF: KeInvalidateRangeAllCachesNoIpi+38j
		push	edi
		lea	ecx, [esi-1]
		add	ecx, edi
		neg	edi
		and	ecx, edi
		sub	ecx, eax
		push	ecx
		push	eax
		call	_KiFlushCacheLines@12 ;	KiFlushCacheLines(x,x,x)
		jmp	loc_4BAE2B
; END OF FUNCTION CHUNK	FOR MmBuildMdlForNonPagedPool
; 
; START	OF FUNCTION CHUNK FOR MiDecreaseAvailablePages

loc_5C35CB:				; CODE XREF: MiDecreaseAvailablePages+8Fj
					; MiDecreaseAvailablePages+98j
		call	MiUpdateAvailableEvents
		jmp	loc_4BB865
; 

loc_5C35D5:				; CODE XREF: MiDecreaseAvailablePages+3Bj
		mov	eax, [edi+0F00h]
		test	eax, eax
		jz	short loc_5C35E6
		mov	al, [eax+2Ch]
		test	al, al
		jnz	short loc_5C35ED

loc_5C35E6:				; CODE XREF: MiDecreaseAvailablePages+107DADj
		mov	ecx, edi
		call	_MiObtainFreePages@4 ; MiObtainFreePages(x)

loc_5C35ED:				; CODE XREF: MiDecreaseAvailablePages+107DB4j
		cmp	esi, 0A0h
		jnb	loc_4BB871
		cmp	ebx, 0A0h
		jb	loc_4BB871
		mov	eax, [edi+2C0h]
		test	eax, eax
		jz	loc_4BB871
		push	0
		push	0
		lea	eax, [edi+260h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4BB871
; END OF FUNCTION CHUNK	FOR MiDecreaseAvailablePages
; 
; START	OF FUNCTION CHUNK FOR MiPageAvailableEx

loc_5C3628:				; CODE XREF: MiPageAvailableEx+Cj
		test	[ebp+arg_0], 2000h
		jnz	loc_4BB8E4
		mov	eax, large fs:124h
		mov	ebx, [eax+300h]
		mov	eax, ebx
		and	al, 0Ch
		cmp	al, 8
		jz	loc_4BB8E4
		cmp	edx, 20h
		jnb	short loc_5C365A
		cmp	ecx, offset _MiSystemPartition
		jz	short loc_5C367C

loc_5C365A:				; CODE XREF: MiPageAvailableEx+107D7Ej
		test	byte ptr [ebp+arg_0], 4
		jnz	loc_4BB8E4
		test	bl, 2
		jz	short loc_5C3672
		cmp	edx, 21h
		jnb	loc_4BB8E4

loc_5C3672:				; CODE XREF: MiPageAvailableEx+107D95j
		test	byte ptr [ecx+4], 20h
		jnz	loc_4BB8E4

loc_5C367C:				; CODE XREF: MiPageAvailableEx+107D86j
		xor	eax, eax
		jmp	loc_4BB8E7
; END OF FUNCTION CHUNK	FOR MiPageAvailableEx

;  S U B	R O U T	I N E 


sub_5C3683	proc near		; CODE XREF: MmUnmapIoSpace+2Bj
		push	ebx
		mov	edx, edi
		xor	ecx, ecx
		call	_MiRemovePteTracker@12 ; MiRemovePteTracker(x,x,x)
		jmp	loc_4BB9E7
sub_5C3683	endp

; 
; START	OF FUNCTION CHUNK FOR MiFindActualFaultingPte

loc_5C3692:				; CODE XREF: MiFindActualFaultingPte+4Bj
		lea	edx, [ebp+var_58]
		call	_MiFillPteHierarchy@8 ;	MiFillPteHierarchy(x,x)
		mov	edx, 2

loc_5C369F:				; CODE XREF: MiFindActualFaultingPte+1075D7j
		mov	esi, [ebp+edx*4+var_5C]
		dec	edx
		mov	ecx, [esi]
		nop
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_4BC1F2
		and	ecx, 80h
		or	ecx, 0
		jnz	loc_4BC205
		cmp	edx, 1
		jnz	short loc_5C369F
		mov	esi, [ebp+var_58]
		jmp	loc_4BC16C
; END OF FUNCTION CHUNK	FOR MiFindActualFaultingPte
; 
; START	OF FUNCTION CHUNK FOR MiChangePageAttribute

loc_5C36D1:				; CODE XREF: MiChangePageAttribute+56j
		mov	ecx, esi
		call	MiAbortCombineScan
		mov	bl, [esi+16h]
		push	0FFFFFFFBh
		pop	ecx
		jmp	loc_4BC283
; END OF FUNCTION CHUNK	FOR MiChangePageAttribute
; 
; START	OF FUNCTION CHUNK FOR MiPfCompleteInPageSupport

loc_5C36E3:				; CODE XREF: MiPfCompleteInPageSupport+9Bj
		dec	eax
		sub	eax, 1
		jnz	loc_4BC52E
		push	4
		pop	ecx
		jmp	loc_4BC527
; END OF FUNCTION CHUNK	FOR MiPfCompleteInPageSupport
; 
; START	OF FUNCTION CHUNK FOR MiBuildMappedCluster

loc_5C36F5:				; CODE XREF: MiBuildMappedCluster+67j
		mov	eax, [ebp+var_14]
		jmp	loc_4BC63B
; 

loc_5C36FD:				; CODE XREF: MiBuildMappedCluster+1F7j
		mov	eax, [ebp+var_C]
		sub	eax, [ebp+var_28]
		sub	eax, 1Ch
		and	eax, 0FFFFFFFCh
		cmp	eax, 40h
		jge	loc_4BC934
		jmp	loc_4BC7B7
; 

loc_5C3717:				; CODE XREF: MiBuildMappedCluster+29Cj
		mov	esi, eax

loc_5C3719:				; CODE XREF: MiBuildMappedCluster+10716Bj
					; MiBuildMappedCluster+107172j
		lea	ecx, [ebp+var_48]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5C3719
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5C3719
		mov	ecx, [ebp+var_40]
		xor	esi, esi
		inc	esi
		jmp	loc_4BC85C
; 

loc_5C3739:				; CODE XREF: MiBuildMappedCluster+2F0j
		xor	edx, edx
		call	MiReferencePageForModifiedWrite
		mov	ecx, eax
		mov	[ebp+var_20], eax
		jmp	loc_4BC8E8
; 

loc_5C374A:				; CODE XREF: MiBuildMappedCluster+2ABj
					; MiBuildMappedCluster+2B4j
		mov	eax, [ebp+arg_0]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		sub	edi, 8
		sub	ebx, 8
		jmp	loc_4BC89A
; 

loc_5C3760:				; CODE XREF: MiBuildMappedCluster+279j
		mov	edx, [ebp+var_10]

loc_5C3763:				; CODE XREF: MiBuildMappedCluster+25Dj
		mov	eax, [ebp+var_18]
		sub	edi, 8
		sub	ebx, 8
		jmp	loc_4BC716
; 

loc_5C3771:				; CODE XREF: MiBuildMappedCluster+3A0j
		mov	ecx, [ebp+var_C]
		mov	eax, ecx
		sub	eax, [ebp+var_28]
		sub	eax, 1Ch
		sar	eax, 2
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_5C37D9
		cmp	ecx, [ebp+var_2C]
		jbe	short loc_5C37C9

loc_5C378B:				; CODE XREF: MiBuildMappedCluster+10720Aj
		sub	ecx, 4
		mov	[ebp+var_C], ecx
		imul	edi, [ecx], 1Ch
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		push	esi
		mov	ecx, edi
		mov	bl, al
		call	MiWriteCompletePfn
		lea	ecx, [edi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_C]
		cmp	ecx, [ebp+var_2C]
		ja	short loc_5C378B
		mov	eax, [ebp+arg_0]

loc_5C37C9:				; CODE XREF: MiBuildMappedCluster+1071CFj
		push	esi
		mov	edx, eax
		mov	ecx, offset _MiSystemPartition
		call	_MiReleaseWriteInProgressCharges@12 ; MiReleaseWriteInProgressCharges(x,x,x)
		mov	edx, [ebp+var_18]

loc_5C37D9:				; CODE XREF: MiBuildMappedCluster+1071CAj
		mov	eax, [ebp+var_8]
		add	eax, 8
		cmp	[ebp+var_14], eax
		jnz	short loc_5C37EF
		lea	eax, [edx+8]
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], eax
		jmp	short loc_5C37FD
; 

loc_5C37EF:				; CODE XREF: MiBuildMappedCluster+107228j
		lea	ecx, [edx+80h]
		cmp	[ebp+var_10], ecx
		jbe	short loc_5C37FD
		mov	[ebp+var_14], ecx

loc_5C37FD:				; CODE XREF: MiBuildMappedCluster+107233j
					; MiBuildMappedCluster+10723Ej
		mov	ecx, [ebp+var_38]
		mov	[ebp+var_8], edx
		lea	edx, [ebp+var_1]
		push	80000000h
		call	MiMapPageInHyperSpaceWorker
		mov	edi, [ebp+var_4C]
		mov	ecx, eax
		mov	eax, [ebp+var_18]
		and	edi, 0FFFh
		add	edi, 0FFFFFFF8h
		mov	[ebp+var_1C], ecx
		add	edi, ecx
		lea	ebx, [eax-8]
		jmp	loc_4BC89D
; 

loc_5C382E:				; CODE XREF: MiBuildMappedCluster+4D4j
		mov	eax, ebx
		sub	eax, [ebp+var_10]
		sub	eax, 1Ch
		and	eax, 0FFFFFFFCh
		cmp	eax, 40h
		jl	loc_4BCA94

loc_5C3842:				; CODE XREF: MiBuildMappedCluster+4F2j
					; MiBuildMappedCluster+503j ...
		test	ecx, ecx
		jz	short loc_5C3857
		mov	dl, byte ptr [ebp+var_1]
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		xor	eax, eax
		mov	ecx, eax

loc_5C3857:				; CODE XREF: MiBuildMappedCluster+10728Aj
		cmp	edi, [ebp+var_8]
		jnb	loc_4BCC13
		mov	eax, ebx
		sub	eax, [ebp+var_10]
		sub	eax, 1Ch
		sar	eax, 2
		mov	[ebp+var_50], eax
		test	eax, eax
		jz	short loc_5C38C2
		cmp	ebx, [ebp+var_40]
		jbe	short loc_5C38B5

loc_5C3877:				; CODE XREF: MiBuildMappedCluster+1072F6j
		sub	ebx, 4
		mov	[ebp+arg_0], ebx
		imul	edi, [ebx], 1Ch
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		push	esi
		mov	ecx, edi
		mov	bl, al
		call	MiWriteCompletePfn
		lea	ecx, [edi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+arg_0]
		cmp	ebx, [ebp+var_40]
		ja	short loc_5C3877
		mov	eax, [ebp+var_50]

loc_5C38B5:				; CODE XREF: MiBuildMappedCluster+1072BBj
		push	esi
		mov	edx, eax
		mov	ecx, offset _MiSystemPartition
		call	_MiReleaseWriteInProgressCharges@12 ; MiReleaseWriteInProgressCharges(x,x,x)

loc_5C38C2:				; CODE XREF: MiBuildMappedCluster+1072B6j
		mov	eax, [ebp+var_2C]
		lea	edx, [ebp+var_1]
		mov	edi, [ebp+var_8]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_3C]
		push	80000000h
		mov	ecx, [eax+18h]
		and	ecx, offset loc_7FFFFF
		call	MiMapPageInHyperSpaceWorker
		mov	ecx, eax
		mov	eax, edi
		mov	edx, eax
		mov	[ebp+arg_0], ecx
		and	edx, 0FFFh
		add	edx, ecx
		mov	[ebp+var_1C], edx
		jmp	loc_4BCC0A
; 

loc_5C38FD:				; CODE XREF: MiBuildMappedCluster+57Bj
		mov	esi, eax

loc_5C38FF:				; CODE XREF: MiBuildMappedCluster+107351j
					; MiBuildMappedCluster+107358j
		lea	ecx, [ebp+var_50]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5C38FF
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5C38FF
		mov	ecx, [ebp+var_34]
		jmp	loc_4BCB3B
; 

loc_5C391C:				; CODE XREF: MiBuildMappedCluster+5C0j
		mov	ecx, [ebp+var_34]
		xor	edx, edx
		call	MiReferencePageForModifiedWrite
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_28], eax
		jmp	loc_4BCBBB
; 

loc_5C3934:				; CODE XREF: MiBuildMappedCluster+603j
		mov	eax, [ebp+var_24]
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		jmp	loc_5C3842
; 

loc_5C3944:				; CODE XREF: MiBuildMappedCluster+5A9j
					; MiBuildMappedCluster+5B5j
		mov	eax, [ebp+var_24]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	ecx, [ebp+arg_0]
		jmp	loc_5C3842
; 

loc_5C3957:				; CODE XREF: MiBuildMappedCluster+593j
					; MiBuildMappedCluster+59Fj
		mov	eax, [ebp+var_24]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	loc_4BCC51
; 

loc_5C3967:				; CODE XREF: MiBuildMappedCluster+558j
		mov	edx, [ebp+var_1C]
		jmp	loc_4BCC51
; END OF FUNCTION CHUNK	FOR MiBuildMappedCluster
; 
; START	OF FUNCTION CHUNK FOR MiGetHardFaultPages

loc_5C396F:				; CODE XREF: MiGetHardFaultPages+E8j
					; MiGetHardFaultPages+106C14j
		imul	edi, ecx, 1Ch
		add	edi, edx
		mov	[ebp+var_8], edi
		mov	ecx, [edi+10h]
		and	ecx, eax
		cmp	ecx, eax
		jnz	short loc_5C396F
		mov	edi, [ebp+var_14]
		jmp	loc_4BCD94
; 

loc_5C3988:				; CODE XREF: MiGetHardFaultPages+129j
		test	eax, eax
		jz	loc_4BCE20
		mov	ebx, eax
		jmp	loc_4BCDB7
; 

loc_5C3997:				; CODE XREF: MiGetHardFaultPages+64j
		cmp	[edi+4], ebx
		jnb	loc_4BCDD4
		mov	eax, [ebp+arg_8]
		add	eax, 38h
		mov	[ebp+arg_18], eax

loc_5C39A9:				; CODE XREF: MiGetHardFaultPages+106C8Bj
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		push	0
		push	eax
		push	[ebp+var_C]
		call	_MiGetSlabPage@20 ; MiGetSlabPage(x,x,x,x,x)
		mov	[ebp+var_14], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5C39FC
		mov	edx, [ebp+var_4]
		imul	eax, 1Ch
		push	0
		add	eax, ds:_MmPfnDatabase
		mov	ecx, eax
		mov	[ebp+arg_4], eax
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		cmp	dword ptr [edi], 0
		mov	eax, [ebp+arg_4]
		jnz	short loc_5C39E4
		mov	[ebp+var_8], eax

loc_5C39E4:				; CODE XREF: MiGetHardFaultPages+106C75j
		inc	dword ptr [edi+4]
		mov	[edi], eax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_18]
		cmp	[edi+4], ebx
		jb	short loc_5C39A9
		jmp	loc_4BCDD4
; 

loc_5C39FC:				; CODE XREF: MiGetHardFaultPages+106C55j
		mov	eax, [ebp+arg_18]
		cmp	dword ptr [eax], 0
		jz	loc_4BCDD4
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_C]
		sub	ebx, [edi+4]
		mov	[eax+3Ch], ebx
		mov	ecx, [ecx+80h]
		mov	[eax+30h], ecx
		call	_MiRetainSubsection@4 ;	MiRetainSubsection(x)
		mov	ebx, [edi+4]
		jmp	loc_4BCDD4
; END OF FUNCTION CHUNK	FOR MiGetHardFaultPages
; 
; START	OF FUNCTION CHUNK FOR MiAllocateKernelStackPages

loc_5C3A2A:				; CODE XREF: MiAllocateKernelStackPages+68j
		mov	ecx, [ebp+arg_C]
		and	ecx, 2
		mov	[esp+38h+var_18], ecx

loc_5C3A34:				; CODE XREF: MiAllocateKernelStackPages+106BBFj
		test	ecx, ecx
		jnz	short loc_5C3A5E
		mov	ecx, [esp+38h+var_1C]
		xor	edx, edx
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		mov	ecx, [esp+38h+var_1C]
		mov	edx, esi
		push	0
		call	MiGetPage
		mov	ecx, [esp+38h+var_18]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5C3A34
		jmp	loc_4BCF06
; 

loc_5C3A5E:				; CODE XREF: MiAllocateKernelStackPages+106B9Ej
		test	edi, edi
		jz	short loc_5C3A71

loc_5C3A62:				; CODE XREF: MiAllocateKernelStackPages+106BD7j
		mov	esi, [edi]
		mov	ecx, edi
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_5C3A62

loc_5C3A71:				; CODE XREF: MiAllocateKernelStackPages+106BC8j
		xor	eax, eax
		jmp	loc_4BD01F
; 

loc_5C3A78:				; CODE XREF: MiAllocateKernelStackPages+12Bj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5C3AAE
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	loc_4BCFCD

loc_5C3A91:				; CODE XREF: MiAllocateKernelStackPages+106C30j
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_4BCFCD
		mov	edx, [esp+38h+var_24]
		or	edx, 80000000h
		jmp	loc_4BCFD1
; 

loc_5C3AAE:				; CODE XREF: MiAllocateKernelStackPages+106BE7j
		mov	eax, large fs:124h
		mov	ecx, [esp+38h+var_1C]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_5C3A91
		jmp	loc_4BCFCD
; 

loc_5C3ACF:				; CODE XREF: MiAllocateKernelStackPages+141j
		push	edx
		push	esi
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_4BCFDF
; END OF FUNCTION CHUNK	FOR MiAllocateKernelStackPages
; 
; START	OF FUNCTION CHUNK FOR MiMarkKernelStack

loc_5C3ADD:				; CODE XREF: MiMarkKernelStack+31j
					; MiMarkKernelStack+106A91j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_5C3ADD
		jmp	loc_4BD084
; END OF FUNCTION CHUNK	FOR MiMarkKernelStack
; 
; START	OF FUNCTION CHUNK FOR MiCreateSharedZeroPages

loc_5C3AF0:				; CODE XREF: MiCreateSharedZeroPages+1F8j
		mov	ecx, [ebp-14h]
		lea	eax, [ebp-1]
		push	eax
		mov	eax, [esi+14h]
		push	eax
		mov	eax, [esi+10h]
		push	eax
		mov	eax, [ebp-8]
		mov	byte ptr [ebp-1], 0
		mov	eax, [eax]
		push	eax
		call	_MiGetClusterPage@24 ; MiGetClusterPage(x,x,x,x,x,x)
		mov	edx, eax
		mov	eax, [ebp-8]
		test	edx, edx
		jz	short loc_5C3B64
		mov	ecx, [edx+10h]
		and	ecx, offset loc_7FFFFF
		cmp	ecx, offset loc_7FFFFF
		mov	ecx, [ebp-0Ch]
		jnz	short loc_5C3B43
		cmp	byte ptr [ebp-1], 1
		mov	dword ptr [eax], 1
		jnz	loc_4BD16E
		or	dword ptr [esi], 4
		jmp	loc_4BD16E
; 

loc_5C3B43:				; CODE XREF: MiCreateSharedZeroPages+106A39j
		mov	dword ptr [eax], 10h
		mov	eax, ecx
		shr	eax, 0Ch
		and	ecx, 0FFFF0000h
		and	eax, 0Fh
		mov	[esi+8], ecx
		neg	eax
		lea	edi, [edi+eax*8]
		jmp	loc_4BD16E
; 

loc_5C3B64:				; CODE XREF: MiCreateSharedZeroPages+106A25j
		mov	ecx, [ebp-28h]
		mov	dword ptr [eax], 1
		jmp	loc_4BD13E
; 

loc_5C3B72:				; CODE XREF: MiCreateSharedZeroPages+210j
		mov	dword ptr [ebp-10h], 40h
		jmp	loc_4BD184
; 

loc_5C3B7E:				; CODE XREF: MiCreateSharedZeroPages+F2j
		mov	eax, ds:dword_6D30F0
		inc	eax
		mov	ds:dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	loc_4BD1E8
		mov	edx, 1
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)
		jmp	loc_4BD1E8
; 

loc_5C3BA4:				; CODE XREF: MiCreateSharedZeroPages+107j
		mov	esi, 1
		jmp	loc_4BD1FD
; 

loc_5C3BAE:				; CODE XREF: MiCreateSharedZeroPages+15Dj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5C3BE1
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	ecx, 1
		jnz	loc_4BD255
		mov	eax, esi
		and	eax, ecx
		or	eax, 0
		jz	loc_4BD255
		or	edx, 80000000h
		jmp	loc_4BD255
; 

loc_5C3BE1:				; CODE XREF: MiCreateSharedZeroPages+106AC5j
		mov	eax, large fs:124h
		mov	ecx, [ebp-14h]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_4BD255
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_4BD255
		or	edx, 80000000h
		jmp	loc_4BD255
; 

loc_5C3C19:				; CODE XREF: MiCreateSharedZeroPages+16Dj
		push	edx
		push	esi
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_4BD263
; END OF FUNCTION CHUNK	FOR MiCreateSharedZeroPages
; 
; START	OF FUNCTION CHUNK FOR MiMakeSystemCachePteValid

loc_5C3C27:				; CODE XREF: MiMakeSystemCachePteValid+BBj
		shrd	esi, edi, 0Ch
		push	20000001h
		and	esi, 1FFFFFFh
		mov	ecx, eax
		mov	edx, esi
		call	MiMakeValidPte
		mov	esi, eax
		mov	edi, edx
		jmp	loc_4BD70D
; 

loc_5C3C48:				; CODE XREF: MiMakeSystemCachePteValid+AFj
		xor	eax, eax
		xor	esi, esi
		and	[ebp+var_1C], eax
		xor	edi, edi
		jmp	loc_4BD778
; 

loc_5C3C56:				; CODE XREF: MiMakeSystemCachePteValid+109j
					; MiMakeSystemCachePteValid+12Ej
		xor	edx, edx
		mov	ecx, ebx
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		jmp	loc_4BD780
; END OF FUNCTION CHUNK	FOR MiMakeSystemCachePteValid
; 
; START	OF FUNCTION CHUNK FOR MiCheckVirtualAddress

loc_5C3C6E:				; CODE XREF: MiCheckVirtualAddress+3Fj
		mov	eax, ds:dword_6D0610
		jmp	short loc_5C3C82
; 

loc_5C3C75:				; CODE XREF: MiCheckVirtualAddress+4Bj
		test	eax, eax
		jz	loc_4BD8ED
		mov	eax, ds:dword_6D0614

loc_5C3C82:				; CODE XREF: MiCheckVirtualAddress+1063D7j
		mov	dword ptr [edi], 1
		jmp	loc_4BD906
; 

loc_5C3C8D:				; CODE XREF: MiCheckVirtualAddress+18j
		lea	eax, [esi+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_5C3CA2
		mov	dword ptr [edi], 4
		jmp	short loc_5C3CA8
; 

loc_5C3CA2:				; CODE XREF: MiCheckVirtualAddress+5Aj
					; MiCheckVirtualAddress+1063FCj
		mov	dword ptr [edi], 18h

loc_5C3CA8:				; CODE XREF: MiCheckVirtualAddress+106404j
		xor	eax, eax
		jmp	loc_4BD906
; END OF FUNCTION CHUNK	FOR MiCheckVirtualAddress
; 
; START	OF FUNCTION CHUNK FOR IoBuildPartialMdl

loc_5C3CAF:				; CODE XREF: IoBuildPartialMdl+28j
					; IoBuildPartialMdl+31j
		push	edx
		push	ecx
		push	[ebp+arg_4]
		push	ebx
		push	12Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C3CC0:				; CODE XREF: MiRemovePageAnyColor+BFj
		mov	ebx, [ebp+var_C]
		mov	ecx, ebx
		and	ecx, [ebp+var_20]
		mov	[ebp+var_14], 0
		and	ecx, 0Fh
		mov	esi, [ebp+var_14]

loc_5C3CD5:				; CODE XREF: IoBuildPartialMdl+1063C7j
		mov	eax, ecx
		add	ecx, 10h
		and	eax, 1Fh
		bts	esi, eax
		cmp	ecx, 20h
		jnb	short loc_5C3CE9
		cmp	ecx, ebx
		jbe	short loc_5C3CD5

loc_5C3CE9:				; CODE XREF: IoBuildPartialMdl+1063C3j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		mov	ebx, [ebp+arg_0]
		not	eax
		and	ecx, eax
		mov	[ebp+var_14], esi
		mov	esi, [ebp+var_28]
		mov	[ebp+var_8], ecx
		jmp	loc_4BDACA
; END OF FUNCTION CHUNK	FOR IoBuildPartialMdl
; 
; START	OF FUNCTION CHUNK FOR MiRemovePageAnyColor

loc_5C3D03:				; CODE XREF: MiRemovePageAnyColor+143j
		mov	eax, 1
		jmp	loc_4BDA35
; END OF FUNCTION CHUNK	FOR MiRemovePageAnyColor
; 
; START	OF FUNCTION CHUNK FOR MiSlistGetFreePage

loc_5C3D0D:				; CODE XREF: MiSlistGetFreePage+7Cj
		mov	eax, ds:dword_6D30F0
		inc	eax
		mov	ds:dword_6D30F0, eax
		test	ds:_MmPageValidationFrequency, eax
		jnz	loc_4BDC1A
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)
		jmp	loc_4BDC1A
; END OF FUNCTION CHUNK	FOR MiSlistGetFreePage
; 
; START	OF FUNCTION CHUNK FOR MiGetPerfectColorHeadPage

loc_5C3D41:				; CODE XREF: MiGetPerfectColorHeadPage+5Cj
		lock bts dword ptr [eax], 1Fh
		jb	loc_4BDC68
		mov	ecx, [ebp+arg_8]
		mov	dl, 21h
		mov	[ebp+var_1], dl
		jmp	loc_4BDCD1
; 

loc_5C3D59:				; CODE XREF: MiGetPerfectColorHeadPage+83j
		mov	[ebp+var_14], 0
		test	al, al
		jz	loc_4BDCD1
		mov	ebx, [ebp+var_8]

loc_5C3D6B:				; CODE XREF: MiGetPerfectColorHeadPage+106136j
					; MiGetPerfectColorHeadPage+10613Dj
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		cmp	dword ptr [ebx], 0
		jl	short loc_5C3D6B
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_5C3D6B
		mov	ebx, [ebp+var_18]
		mov	ecx, [ebp+arg_8]
		mov	dl, [ebp+var_1]
		jmp	loc_4BDCD1
; 

loc_5C3D8D:				; CODE XREF: MiGetPerfectColorHeadPage+B7j
		test	ds:byte_70EFC6,	21h
		jz	short loc_5C3DA3
		lea	ecx, [ebp+var_24]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4BDD0D
; 

loc_5C3DA3:				; CODE XREF: MiGetPerfectColorHeadPage+106154j
		lea	eax, [ebp+var_24]
		xchg	eax, [edx]
		test	eax, eax
		jz	loc_4BDD10
		mov	edx, eax
		lea	ecx, [ebp+var_24]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4BDD0D
; 

loc_5C3DBF:				; CODE XREF: MiGetPerfectColorHeadPage+D3j
		test	ds:byte_70EFC6,	1
		jz	short loc_5C3DD5
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C3E06
; 

loc_5C3DD5:				; CODE XREF: MiGetPerfectColorHeadPage+106186j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_5C3DF4
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	short loc_5C3E06
		call	KxWaitForLockChainValid

loc_5C3DF4:				; CODE XREF: MiGetPerfectColorHeadPage+10619Aj
		mov	[ebp+var_24], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5C3E06:				; CODE XREF: MiGetPerfectColorHeadPage+106193j
					; MiGetPerfectColorHeadPage+1061ADj
		mov	eax, [ebp+var_8]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		cmp	cl, 21h
		jz	loc_4BDDC2
		jmp	loc_4BDDBC
; 

loc_5C3E22:				; CODE XREF: MiGetPerfectColorHeadPage+E5j
		test	ds:byte_70EFC6,	1
		jz	short loc_5C3E38
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C3E69
; 

loc_5C3E38:				; CODE XREF: MiGetPerfectColorHeadPage+1061E9j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_5C3E57
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	short loc_5C3E69
		call	KxWaitForLockChainValid

loc_5C3E57:				; CODE XREF: MiGetPerfectColorHeadPage+1061FDj
		mov	[ebp+var_24], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5C3E69:				; CODE XREF: MiGetPerfectColorHeadPage+1061F6j
					; MiGetPerfectColorHeadPage+106210j
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		call	_MiReturnFreeZeroPage@8	; MiReturnFreeZeroPage(x,x)
		mov	eax, [ebp+var_8]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		cmp	cl, 21h
		jz	short loc_5C3E8C
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5C3E8C:				; CODE XREF: MiGetPerfectColorHeadPage+106244j
		mov	eax, 1
		jmp	loc_4BDC6A
; 

loc_5C3E96:				; CODE XREF: MiGetPerfectColorHeadPage+10Cj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4BDD74
; END OF FUNCTION CHUNK	FOR MiGetPerfectColorHeadPage
; 
; START	OF FUNCTION CHUNK FOR MiPfnReferenceCountIsZero

loc_5C3EA6:				; CODE XREF: MiPfnReferenceCountIsZero+16j
		push	0
		push	eax
		push	edi
		push	7
		push	4Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C3EB4:				; CODE XREF: MiInitializeImageProtos+2Dj
		push	5
		pop	ebx
		jmp	loc_4BE04E
; END OF FUNCTION CHUNK	FOR MiPfnReferenceCountIsZero
; 
; START	OF FUNCTION CHUNK FOR MiInitializeImageProtos

loc_5C3EBC:				; CODE XREF: MiInitializeImageProtos+22Fj
		push	0
		push	0
		push	esi
		push	2
		call	MmAccessFault
		jmp	loc_4BE1FF
; 

loc_5C3ECD:				; CODE XREF: MiInitializeImageProtos+128j
		push	0C0000020h
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	1
		push	ecx
		push	eax
		call	MmMapLockedPagesSpecifyCache
		jmp	loc_4BE147
; 

loc_5C3EE4:				; CODE XREF: MiInitializeImageProtos+1B1j
		mov	ebx, [ebp+var_1C]

loc_5C3EE7:				; CODE XREF: MiInitializeImageProtos+105EDDj
					; MiInitializeImageProtos+105EE4j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_5C3EE7
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_5C3EE7
		mov	ebx, [ebp+var_14]
		jmp	loc_4BE1CD
; END OF FUNCTION CHUNK	FOR MiInitializeImageProtos
; 
; START	OF FUNCTION CHUNK FOR MiGetPageForHeader

loc_5C3F04:				; CODE XREF: MiGetPageForHeader+51j
		xor	ebx, ebx
		mov	ecx, esi
		lea	edx, [ebx+1]
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_5C3F1E
		lea	ecx, [esi+1000h]
		lock xadd [ecx], eax

loc_5C3F1E:				; CODE XREF: MiGetPageForHeader+105C7Cj
		lea	edx, [ebx+1]
		mov	ecx, esi
		call	MiReturnCommit
		or	eax, 0FFFFFFFFh
		jmp	loc_4BE350
; END OF FUNCTION CHUNK	FOR MiGetPageForHeader
; 
; START	OF FUNCTION CHUNK FOR MiGetSystemPage

loc_5C3F30:				; CODE XREF: MiGetSystemPage+28j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jz	short loc_5C3F4A
		xor	edx, edx
		mov	ecx, ebx
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		mov	ecx, ebx
		jmp	loc_4BE379
; 

loc_5C3F4A:				; CODE XREF: MiGetSystemPage+105BDCj
		xor	eax, eax
		jmp	loc_4BE3B5
; END OF FUNCTION CHUNK	FOR MiGetSystemPage
; 
; START	OF FUNCTION CHUNK FOR MiLockPagableImageSection

loc_5C3F51:				; CODE XREF: MiLockPagableImageSection+75j
		push	0
		push	[ebp+var_4]
		push	esi
		push	1012h
		jmp	short loc_5C3F69
; 

loc_5C3F5E:				; CODE XREF: MiLockPagableImageSection+ADj
		or	esi, [ebp+var_4]
		push	eax
		push	ecx
		push	esi
		push	1013h

loc_5C3F69:				; CODE XREF: MiLockPagableImageSection+105B0Cj
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C3F71:				; CODE XREF: MiStealPage+703j
		mov	eax, 2000h
		mov	ds:dword_6D2E90, eax
		jmp	loc_4BEDBF
; END OF FUNCTION CHUNK	FOR MiLockPagableImageSection
; 
; START	OF FUNCTION CHUNK FOR MiStealPage

loc_5C3F80:				; CODE XREF: MiStealPage+7A1j
		mov	eax, [ebp+var_E8]
		or	eax, 8
		test	al, 1
		jz	short loc_5C3F91
		or	eax, esi
		jmp	short loc_5C3F94
; 

loc_5C3F91:				; CODE XREF: MiStealPage+1058D5j
		or	eax, 4

loc_5C3F94:				; CODE XREF: MiStealPage+1058D9j
		mov	[ebp+var_E8], eax
		jmp	loc_4BE836
; 

loc_5C3F9F:				; CODE XREF: MiStealPage+184j
		test	al, 20h
		jnz	loc_5C40B1
		test	byte ptr [edi+16h], 10h
		jnz	loc_5C40B1
		push	2
		pop	edx
		cmp	ecx, edx
		jz	loc_5C40B1
		test	al, 8
		jnz	loc_5C40B1
		mov	eax, [ebp+var_110]
		mov	ecx, [eax]
		nop
		mov	eax, [edi+18h]
		xor	esi, esi
		and	eax, offset loc_7FFFFF
		cmp	eax, [ebp+var_FC]
		jz	loc_4BEC99
		and	ecx, 42h
		or	ecx, esi
		jnz	loc_4BEC99
		test	byte ptr [edi+17h], 8
		jnz	loc_4BEC99
		mov	edx, [ebp+var_118]
		mov	ecx, [ebp+var_128]
		call	MiLocateWsle
		mov	al, [eax]
		and	al, 0Fh
		cmp	al, 8
		jz	loc_4BEC99
		push	98h		; size_t
		lea	eax, [ebp+var_A0]
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_128]
		add	esp, 0Ch
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		and	[ebp+var_90], esi
		and	[ebp+var_8C], esi
		mov	[ebp+var_A0], eax
		mov	[ebp+var_9C], 4
		mov	[ebp+var_98], 21h
		cmp	ds:dword_6D3154, esi
		jz	short loc_5C406D
		mov	edx, [ebp+var_110]
		call	MI_WSLE_LOG_ACCESS

loc_5C406D:				; CODE XREF: MiStealPage+1059AAj
		mov	edx, [ebp+var_118]
		lea	ecx, [ebp+var_A0]
		xor	eax, eax
		push	0
		inc	eax
		push	eax
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	ecx, [ebp+var_128]
		lea	edx, [ebp+var_A0]
		xor	esi, esi
		push	esi
		call	MiFreeWsleList
		test	eax, eax
		jnz	loc_4BEC99
		push	2
		pop	eax
		mov	esi, eax
		jmp	loc_4BEC99
; 

loc_5C40AA:				; CODE XREF: MiStealPage+105A7Aj
		or	[ebp+var_120], 0FFFFFFFFh

loc_5C40B1:				; CODE XREF: MiStealPage+1058EBj
					; MiStealPage+1058F5j ...
		xor	esi, esi
		jmp	loc_4BEC99
; 

loc_5C40B8:				; CODE XREF: MiStealPage+19Bj
		mov	eax, ds:dword_6D06D0
		mov	edx, eax
		and	eax, [ebp+var_FC]
		not	edx
		and	edx, [ebx+10h]
		push	30h
		or	edx, eax
		pop	esi
		jmp	loc_4BE889
; 

loc_5C40D4:				; CODE XREF: MiStealPage+1CDj
		mov	esi, 10000h
		jmp	loc_4BE889
; 

loc_5C40DE:				; CODE XREF: MiStealPage+1DAj
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	[ebp+var_134]
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		mov	edx, [ebp+var_128]
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_150], ecx
		lea	ecx, [ebp+var_150]
		mov	eax, [eax+4]
		push	ecx
		push	[ebp+var_A4]
		inc	eax
		mov	ecx, offset _MiSystemPartition
		push	esi
		push	[ebp+var_108]
		push	eax
		call	_MiGetPageChain@28 ; MiGetPageChain(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_124], esi
		test	esi, esi
		jz	loc_5C40AA
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	[ebp+var_134]
		mov	[ebp+var_120], eax
		jmp	loc_4BE8C1
; 

loc_5C414E:				; CODE XREF: MiStealPage+22Aj
		xor	eax, eax
		mov	ecx, edi
		push	0
		lea	edx, [eax+1]
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		test	eax, eax
		jz	loc_4BE8E6
		mov	ecx, [ebp+var_E8]
		or	ecx, 2000h
		mov	[ebp+var_E8], ecx
		jmp	loc_4BE8EC
; 

loc_5C417B:				; CODE XREF: MiStealPage+AE6j
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		jmp	loc_4BEEE5
; 

loc_5C4188:				; CODE XREF: MiStealPage+AA4j
		mov	[ebp+var_11C], edx
		jmp	loc_4BEA0E
; 

loc_5C4193:				; CODE XREF: MiStealPage+379j
		mov	edx, [ebp+var_118]
		call	_MiVaIsPageFileHash@8 ;	MiVaIsPageFileHash(x,x)
		mov	[ebp+var_144], eax
		test	eax, eax
		jz	short loc_5C421C
		add	eax, 88h
		push	eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	edx, [ebp+var_118]
		mov	[ebp+var_109], al
		call	_MiVaIsPageFileHash@8 ;	MiVaIsPageFileHash(x,x)
		mov	ecx, [ebp+var_144]
		cmp	ecx, eax
		jnz	short loc_5C41ED
		mov	edx, [ebp+var_FC]
		mov	ecx, [ebp+var_118]
		call	_MiSmallVaStillMapsFrame@8 ; MiSmallVaStillMapsFrame(x,x)
		test	eax, eax
		jnz	loc_4BEA35
		mov	ecx, [ebp+var_144]

loc_5C41ED:				; CODE XREF: MiStealPage+105B16j
		lea	eax, [ecx+88h]
		push	eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_109]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_5C421C
; 

loc_5C4207:				; CODE XREF: MiStealPage+8A3j
					; MiStealPage+8AFj
		lea	ecx, [esi+8]
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		mov	al, [esi+16h]
		push	0FFFFFFFDh
		pop	ecx
		and	al, cl
		or	al, 5
		mov	[esi+16h], al

loc_5C421C:				; CODE XREF: MiStealPage+105AF0j
					; MiStealPage+105B4Fj
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		jmp	loc_4BEEDF
; 

loc_5C422C:				; CODE XREF: MiStealPage+807j
		test	dl, 4
		jz	loc_4BEAC6
		jmp	loc_4BEAA7
; 

loc_5C423A:				; CODE XREF: MiStealPage+BA5j
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax

loc_5C4242:				; CODE XREF: MiStealPage+105C81j
		mov	ecx, [ebp+var_138]

loc_5C4248:				; CODE XREF: MiStealPage+B47j
		mov	dl, [ebp+var_F2]
		call	MiUnlockProtoPoolPage

loc_5C4253:				; CODE XREF: MiStealPage+B3Aj
					; MiStealPage+105C7Bj
		lea	ecx, [esi+8]
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)

loc_5C425B:				; CODE XREF: MiStealPage+83Bj
		mov	eax, esi
		xor	esi, esi
		mov	[ebp+var_114], eax

loc_5C4265:				; CODE XREF: MiStealPage+105C9Bj
		test	eax, eax
		jz	loc_4BEC99
		mov	ecx, eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edx, [ebp+var_114]
		mov	cl, [edx+16h]
		and	cl, 0FDh
		or	cl, 5
		mov	[edx+16h], cl
		lea	ecx, [edx+10h]
		mov	edx, 7FFFFFFFh
		lock and [ecx],	edx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4BEC99
; 

loc_5C429E:				; CODE XREF: MiStealPage+B8Cj
		mov	edi, [ebp+var_108]

loc_5C42A4:				; CODE XREF: MiStealPage+105BFDj
					; MiStealPage+105C04j
		lea	ecx, [ebp+var_154]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_5C42A4
		lock bts dword ptr [edi], 1Fh
		jb	short loc_5C42A4
		mov	ecx, [ebp+var_108]
		mov	edx, [ebp+var_110]
		jmp	loc_4BF248
; 

loc_5C42CD:				; CODE XREF: MiStealPage+BF0j
		xor	eax, eax
		push	edx
		push	ecx
		mov	ecx, offset _MiSystemPartition
		lea	edx, [eax+1]
		call	MiReleasePageFileInfo
		jmp	loc_4BF2AC
; 

loc_5C42E3:				; CODE XREF: MiStealPage+C08j
					; MiStealPage+105C3Cj
		lea	ecx, [ebp+var_184]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5C42E3
		jmp	loc_4BF2B9
; 

loc_5C42F9:				; CODE XREF: MiStealPage+46Aj
		push	2
		pop	ecx
		or	eax, ecx
		mov	[ebp+var_108], eax
		jmp	loc_4BEB26
; 

loc_5C4309:				; CODE XREF: MiStealPage+CE9j
					; MiStealPage+CFFj
		and	[ebp+var_F8], 0
		mov	ecx, [ebp+var_F8]
		jmp	loc_4BF0B2
; 

loc_5C431B:				; CODE XREF: MiStealPage+9EAj
		and	[ebp+var_F8], 0
		jmp	loc_4BF0A6
; 

loc_5C4327:				; CODE XREF: MiStealPage+A1Fj
		test	[ebp+var_E8], 200h
		jz	loc_5C4253
		jmp	loc_5C4242
; 

loc_5C433C:				; CODE XREF: MiStealPage+DE9j
					; MiStealPage+E24j
		push	2
		pop	eax
		lea	ecx, [edi+8]
		mov	[ebp+var_114], edi
		mov	esi, eax
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		mov	eax, edi
		jmp	loc_5C4265
; 

loc_5C4356:				; CODE XREF: MiStealPage+51Dj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		mov	ecx, [ebp+var_F8]
		test	eax, eax
		jz	short loc_5C4394
		xor	eax, eax
		lea	edx, [eax+1]
		cmp	byte ptr ds:word_6D07B8+1, al
		jnz	loc_4BEBDF

loc_5C4376:				; CODE XREF: MiStealPage+105CFAj
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		mov	eax, [ebp+var_FC]
		jz	loc_4BEBE5
		or	eax, 80000000h
		jmp	loc_4BEBE5
; 

loc_5C4394:				; CODE XREF: MiStealPage+105CADj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_4BEBDF
		jmp	short loc_5C4376
; 

loc_5C43B2:				; CODE XREF: MiStealPage+537j
		push	eax
		push	ecx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_4BEBF3
; 

loc_5C43C0:				; CODE XREF: MiStealPage+586j
		xor	edx, edx
		cmp	cl, 21h
		mov	ecx, edi
		setnz	dl
		lea	edx, ds:8[edx*4]
		call	MiClearPfnImageVerified
		jmp	loc_4BEC42
; 

loc_5C43DB:				; CODE XREF: MiStealPage+595j
		mov	eax, [ebp+var_144]
		add	eax, 88h
		push	eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_109]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4BEC51
; 

loc_5C43FD:				; CODE XREF: MiStealPage+5F6j
		mov	ecx, eax
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		jmp	loc_4BECB2
; 

loc_5C4409:				; CODE XREF: MiStealPage+608j
		mov	al, [edi+16h]
		and	al, 7
		push	2
		cmp	al, 6
		pop	eax
		jz	short loc_5C4417
		mov	esi, eax

loc_5C4417:				; CODE XREF: MiStealPage+105D5Dj
		cmp	esi, eax
		jnz	loc_4BECD6
		mov	eax, [edi+10h]
		and	eax, 40000000h
		neg	eax
		sbb	eax, eax
		not	eax
		and	esi, eax
		jmp	loc_4BECD6
; END OF FUNCTION CHUNK	FOR MiStealPage
; 
; START	OF FUNCTION CHUNK FOR MiRemoveWsleList

loc_5C4434:				; CODE XREF: MiRemoveWsleList+DAj
		mov	edx, eax
		lea	ecx, [ebp+var_44]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4BF8FD
; 

loc_5C4443:				; CODE XREF: MiRemoveWsleList+FDj
		sub	ds:dword_6CF58C, eax
		jmp	loc_4BF663
; 

loc_5C444E:				; CODE XREF: MiRemoveWsleList+1A5j
		mov	edx, offset dword_6D3540
		lea	ecx, [ebp+var_38]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4BF995
; 

loc_5C4460:				; CODE XREF: MiRemoveWsleList+1D5j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_38]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4BF6B3
; 

loc_5C4470:				; CODE XREF: MiRemoveWsleList+3B5j
					; MiRemoveWsleList+3BDj ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5C4477:				; CODE XREF: MiRemoveWsleList+24Bj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_44]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4BF7D3
; 

loc_5C4487:				; CODE XREF: MiRemoveWsleList+410j
		cmp	eax, 0C07FFFFFh
		jbe	loc_4BF81A
		jmp	loc_4BF976
; 

loc_5C4497:				; CODE XREF: MiRemoveWsleList+2C4j
		movzx	edx, byte ptr [edi+60h]
		mov	ecx, [ebp+arg_0]
		and	edx, 7
		call	_MiLogRemoveWsleEvent@8	; MiLogRemoveWsleEvent(x,x)
		jmp	loc_4BF82A
; 

loc_5C44AB:				; CODE XREF: MiRemoveWsleList+2B1j
		push	eax
		push	edi
		push	edx
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C44BB:				; CODE XREF: KeFlushSingleTb+21j
		test	al, 2
		jnz	short loc_5C4514
		cmp	ds:_KeNumberProcessors,	1
		jz	loc_4BF9E5
		cmp	[ebp+arg_0], ecx
		jnz	short loc_5C4514
		mov	[ebp+var_10], ecx
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock or	[eax], ecx
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	esi, large fs:20h
		mov	ecx, [esi+4]
		mov	ecx, [ecx+80h]
		mov	edx, [ecx+60h]
		mov	ecx, [esi+3C8h]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		not	ecx
		test	ecx, edx
		mov	cl, al
		jz	short loc_5C450D
		call	esi
		jmp	short loc_5C451A
; 

loc_5C450D:				; CODE XREF: MiRemoveWsleList+104FA7j
		invlpg	byte ptr [edi]
		call	esi
		jmp	short loc_5C4559
; 

loc_5C4514:				; CODE XREF: MiRemoveWsleList+104F5Dj
					; MiRemoveWsleList+104F6Fj
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

loc_5C451A:				; CODE XREF: MiRemoveWsleList+104FABj
		lea	eax, [ebp+var_8]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_C]
		call	_KiPrepareFlushParameters@12 ; KiPrepareFlushParameters(x,x,x)
		mov	ecx, [ebp+arg_0]
		call	_KiFlushAffinity@4 ; KiFlushAffinity(x)
		mov	ecx, edi
		mov	edx, eax
		and	ecx, 0FFFFF000h
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_14]
		push	ecx
		push	1
		push	1
		push	ecx
		push	[ebp+var_8]
		mov	ecx, [ebp+var_C]
		call	_HvlFlushRangeListTb@28	; HvlFlushRangeListTb(x,x,x,x,x,x,x)
		test	al, al
		jz	loc_4BF9E5

loc_5C4559:				; CODE XREF: MiRemoveWsleList+104FB2j
		cmp	ebx, 4
		jnz	loc_4BF9F7
		mov	cl, 1
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)
		jmp	loc_4BF9F7
; END OF FUNCTION CHUNK	FOR MiRemoveWsleList
; 
; START	OF FUNCTION CHUNK FOR KeFlushSingleTb

loc_5C456E:				; CODE XREF: KeFlushSingleTb+46j
		xor	ecx, ecx
		mov	[ebp+var_4], edi
		push	ebx
		lea	edx, [ebp+var_4]
		inc	ecx
		call	_VmFlushTb@12	; VmFlushTb(x,x,x)
		jmp	loc_4BFA0A
; 

loc_5C4582:				; CODE XREF: KeFlushSingleTb+53j
		mov	cl, 1Fh
		mov	[ebp+var_4], edi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	[ebp+var_18]
		xor	ecx, ecx
		lea	edx, [ebp+var_4]
		inc	ecx
		mov	bl, al
		call	_ExFlushTb@12	; ExFlushTb(x,x,x)
		mov	cl, bl
		call	esi
		jmp	loc_4BFA17
; END OF FUNCTION CHUNK	FOR KeFlushSingleTb
; 
; START	OF FUNCTION CHUNK FOR MiGetTopLevelPfn

loc_5C45A6:				; CODE XREF: MiGetTopLevelPfn+78j
		push	0
		push	0
		push	[ebp+var_20]
		push	9696h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C45BA:				; CODE XREF: MiAttachThreadDone+55j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4C00E7
; END OF FUNCTION CHUNK	FOR MiGetTopLevelPfn
; 
; START	OF FUNCTION CHUNK FOR IoAllocateMdl

loc_5C45CA:				; CODE XREF: IoAllocateMdl+D0j
		mov	ecx, [ecx+4]
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_5C45DB

loc_5C45D3:				; CODE XREF: IoAllocateMdl+104469j
		mov	ecx, edx
		mov	edx, [ecx]
		test	edx, edx
		jnz	short loc_5C45D3

loc_5C45DB:				; CODE XREF: IoAllocateMdl+104461j
		mov	[ecx], eax
		jmp	loc_4C0233
; END OF FUNCTION CHUNK	FOR IoAllocateMdl
; 
; START	OF FUNCTION CHUNK FOR MiCopyHeaderIfResident

loc_5C45E2:				; CODE XREF: MiCopyHeaderIfResident+5Dj
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	edi
		mov	esi, [ebp+var_8]
		jmp	loc_4C02AF
; 

loc_5C45F3:				; CODE XREF: MiCopyHeaderIfResident+114j
		mov	edx, ecx
		mov	ecx, [ebp+var_C]
		jmp	loc_4C03C0
; 

loc_5C45FD:				; CODE XREF: MiCopyHeaderIfResident+A7j
					; MiCopyHeaderIfResident+B1j ...
		push	[ebp+var_C]

loc_5C4600:				; CODE XREF: MiCopyHeaderIfResident+1BEj
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, 2
		call	edi
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	ecx, [ebp+var_4]
		mov	dl, bl
		call	MiUnlockProtoPoolPage
		jmp	loc_4C02D9
; END OF FUNCTION CHUNK	FOR MiCopyHeaderIfResident
; 
; START	OF FUNCTION CHUNK FOR MiLegacyImageArchitecture

loc_5C4623:				; CODE XREF: MiLegacyImageArchitecture+8j
		mov	eax, 8664h
		cmp	cx, ax
		jz	loc_4C05FE
		xor	eax, eax
		retn
; END OF FUNCTION CHUNK	FOR MiLegacyImageArchitecture
; 
; START	OF FUNCTION CHUNK FOR MiTradeTransitionPage

loc_5C4634:				; CODE XREF: MiTradeTransitionPage+7Cj
		mov	ecx, ds:dword_6D06D0
		mov	edx, ecx
		not	edx
		and	ecx, eax
		and	edx, [ebx+0Ch]
		push	30h
		or	edx, ecx
		pop	eax
		jmp	loc_4C06CE
; 

loc_5C464D:				; CODE XREF: MiTradeTransitionPage+AAj
		mov	eax, 10080h
		jmp	loc_4C06CE
; 

loc_5C4657:				; CODE XREF: MiTradeTransitionPage+3Ej
		mov	al, byte ptr [ebp+var_4+3]
		mov	ecx, [ebp+var_10]
		jmp	loc_4C07B2
; END OF FUNCTION CHUNK	FOR MiTradeTransitionPage
; 
; START	OF FUNCTION CHUNK FOR MiCreatePrototypePtes

loc_5C4662:				; CODE XREF: MiCreatePrototypePtes+4Cj
		mov	eax, 0C000009Ah
		jmp	loc_4C0980
; 

loc_5C466C:				; CODE XREF: MiCreatePrototypePtes+8Aj
		mov	esi, [ebp+var_8]
		lea	ecx, [esi+24h]
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[ebp+var_10], 0C000009Ah
		jmp	loc_4C096E
; 

loc_5C468D:				; CODE XREF: MiCreatePrototypePtes+2B2j
		push	0
		push	[ebp+var_14]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C46A0:				; CODE XREF: MiCreatePrototypePtes+1E1j
		xor	eax, eax
		mov	ecx, edx
		inc	eax
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_34]
		jmp	loc_4C0A8D
; 

loc_5C46B8:				; CODE XREF: MiCreatePrototypePtes+2D9j
		xor	eax, eax
		mov	ecx, esi
		lea	edx, [eax+1]
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4C0B75
; 

loc_5C46C9:				; CODE XREF: MiCreatePrototypePtes+303j
		push	[ebp+var_34]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4C0AA4
; END OF FUNCTION CHUNK	FOR MiCreatePrototypePtes
; 
; START	OF FUNCTION CHUNK FOR MiEncodeProtoFill

loc_5C46DB:				; CODE XREF: MiEncodeProtoFill+4Aj
		mov	edx, esi
		mov	ecx, offset unk_6D3840
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	loc_4C0CDE
; END OF FUNCTION CHUNK	FOR MiEncodeProtoFill
; 
; START	OF FUNCTION CHUNK FOR MiZeroLargePage

loc_5C46EC:				; CODE XREF: MiZeroLargePage+2Fj
					; MiZeroLargePage+4Cj
		push	4
		pop	esi
		jmp	loc_4C18EA
; 

loc_5C46F4:				; CODE XREF: MiZeroLargePage+6Dj
		xor	esi, esi
		test	edi, edi
		jz	loc_4C19B5
		mov	ebx, [esp+28h+var_C]

loc_5C4702:				; CODE XREF: MiZeroLargePage+102E86j
		push	[ebp+arg_0]
		lea	ecx, [ebx+esi]
		xor	edx, edx
		call	MiZeroPhysicalPage
		inc	esi
		cmp	esi, edi
		jb	short loc_5C4702
		jmp	loc_4C19B5
; END OF FUNCTION CHUNK	FOR MiZeroLargePage
; 
; START	OF FUNCTION CHUNK FOR MiRemoveSystemImagePage

loc_5C4719:				; CODE XREF: MiRemoveSystemImagePage+38j
		cmp	edx, ds:_PsHalImageBase
		jb	loc_4C209E

loc_5C4725:				; CODE XREF: MiRemoveSystemImagePage+69j
		mov	eax, offset unk_6CF594
		jmp	loc_4C20A3
; 

loc_5C472F:				; CODE XREF: MiRemoveSystemImagePage+5Aj
					; MiRemoveSystemImagePage+1026DBj
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5C472F
		jmp	loc_4C20B5
; END OF FUNCTION CHUNK	FOR MiRemoveSystemImagePage
; 
; START	OF FUNCTION CHUNK FOR MiSetPagingOfDriver

loc_5C4742:				; CODE XREF: MiSetPagingOfDriver+110j
		push	2
		pop	edx
		cmp	ax, dx
		jnz	loc_4C248E
		test	byte ptr [ecx+16h], 8
		jz	loc_4C248E
		jmp	loc_4C2438
; 

loc_5C475D:				; CODE XREF: MiSetPagingOfDriver+1CCj
					; MiSetPagingOfDriver+1DDj
		mov	eax, offset unk_6CF594
		jmp	loc_4C2505
; END OF FUNCTION CHUNK	FOR MiSetPagingOfDriver
; 
; START	OF FUNCTION CHUNK FOR MiUnlockLoaderEntry

loc_5C4767:				; CODE XREF: MiUnlockLoaderEntry+1BAj
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C477A:				; CODE XREF: MiUnlockLoaderEntry+10Fj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_4C3539
; 

loc_5C4791:				; CODE XREF: MiUnlockLoaderEntry+1EEj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4C3608
; 

loc_5C47A0:				; CODE XREF: MiUnlockLoaderEntry+218j
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4C3550
; 

loc_5C47B2:				; CODE XREF: MiUnlockLoaderEntry+18Dj
		xor	edx, edx
		call	ExReleaseAutoExpandPushLockExclusive
		jmp	loc_4C3575
; END OF FUNCTION CHUNK	FOR MiUnlockLoaderEntry
; 
; START	OF FUNCTION CHUNK FOR KeFlushQueuedDpcs

loc_5C47BE:				; CODE XREF: KeFlushQueuedDpcs+66j
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_20]
		bts	ecx, eax
		mov	[ebp+var_8], ecx
		jmp	loc_4C36C5
; END OF FUNCTION CHUNK	FOR KeFlushQueuedDpcs
; 
; START	OF FUNCTION CHUNK FOR KeQueryLogicalProcessorRelationship

loc_5C47CF:				; CODE XREF: KeQueryLogicalProcessorRelationship+54Aj
		mov	eax, 0C000000Dh
		jmp	loc_4C3918
; 

loc_5C47D9:				; CODE XREF: KeQueryLogicalProcessorRelationship+1B0j
		mov	eax, 0C0000001h
		jmp	loc_4C3910
; END OF FUNCTION CHUNK	FOR KeQueryLogicalProcessorRelationship
; 
; START	OF FUNCTION CHUNK FOR MiObtainSessionVa

loc_5C47E3:				; CODE XREF: MiObtainSessionVa+53j
		mov	ecx, ds:dword_6D3D58
		add	ecx, esi
		cmp	ecx, edx
		jbe	loc_4C3E1B
		inc	ds:dword_6D4198
		push	offset dword_6D2E64
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_5C4868
; 

loc_5C480E:				; CODE XREF: MiObtainSessionVa+74j
					; MiObtainSessionVa+98j ...
		cmp	ds:dword_6D07C4, 0
		push	offset dword_6D2E64
		jz	short loc_5C483C
		and	ds:dword_6D07C4, 0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_C]

loc_5C4834:				; CODE XREF: MiObtainSessionVa+100A9Ej
		mov	edi, [ebp+var_10]
		jmp	loc_4C3DF8
; 

loc_5C483C:				; CODE XREF: MiObtainSessionVa+100A58j
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_C]
		xor	ecx, ecx
		push	0
		mov	edx, esi
		push	1
		shl	edx, 3
		call	_CcUnmapInactiveViews@16 ; CcUnmapInactiveViews(x,x,x,x)
		cmp	eax, 1
		jz	short loc_5C4834
		inc	ds:dword_6D4198

loc_5C4868:				; CODE XREF: MiObtainSessionVa+100A4Aj
		xor	ecx, ecx
		inc	ecx
		call	MiReclaimSystemVa
		xor	eax, eax
		jmp	loc_4C3F48
; END OF FUNCTION CHUNK	FOR MiObtainSessionVa
; 
; START	OF FUNCTION CHUNK FOR MiExpandSystemCache

loc_5C4877:				; CODE XREF: MiExpandSystemCache+C2j
		mov	eax, [ebp+var_14]
		push	esi
		mov	[eax], ebx

loc_5C487D:				; CODE XREF: MiExpandSystemCache+99j
		mov	eax, [ebp+var_4]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4C40D6
; END OF FUNCTION CHUNK	FOR MiExpandSystemCache
; 
; START	OF FUNCTION CHUNK FOR MiExpandPtes

loc_5C488B:				; CODE XREF: MiExpandPtes+17Dj
		mov	edx, [ebx+4]
		lea	ecx, [ebp+var_58]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4C42DB
; 

loc_5C489B:				; CODE XREF: MiExpandPtes+19Fj
		lea	ecx, [ebp+var_58]
		call	KxWaitForLockChainValid
		xor	ecx, ecx
		inc	ecx
		jmp	loc_4C459C
; 

loc_5C48AB:				; CODE XREF: MiExpandPtes+4E9j
		push	edi
		push	[ebp+var_38]
		push	[ebp+var_10]
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C48BD:				; CODE XREF: MiExpandPtes+3CAj
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp+var_44]
		jmp	loc_4C450C
; 

loc_5C48CE:				; CODE XREF: MiExpandPtes+4CAj
		push	[ebp+var_44]
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4C4606
; 

loc_5C48E0:				; CODE XREF: MiExpandPtes+1B5j
		mov	eax, [ebp+var_18]
		push	edi
		push	[ebp+var_C]
		lea	edx, [ecx+eax*8]
		jmp	short loc_5C48FA
; 

loc_5C48EC:				; CODE XREF: MiExpandPtes+1007DAj
		mov	eax, [ebp+var_C]

loc_5C48EF:				; CODE XREF: MiExpandPtes+1007DFj
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_24]
		push	edi
		push	eax
		lea	edx, [ecx+edx*8]

loc_5C48FA:				; CODE XREF: MiExpandPtes+1007B4j
		mov	ecx, [ebp+var_28]
		shl	edx, 9
		call	_MiReturnSystemVa@16 ; MiReturnSystemVa(x,x,x,x)

loc_5C4905:				; CODE XREF: MiExpandPtes+35j
					; MiExpandPtes+BBj
		xor	eax, eax
		jmp	loc_4C439B
; 

loc_5C490C:				; CODE XREF: MiExpandPtes+1D0j
		cmp	[ebp+var_14], 1
		jnz	short loc_5C48EC
		push	0Dh
		pop	eax
		jmp	short loc_5C48EF
; 

loc_5C4917:				; CODE XREF: MiExpandPtes+1F1j
		cmp	esi, offset dword_6D35E0
		jnz	loc_4C432D
		mov	eax, [ebp+var_30]
		lea	edx, [ebp+var_58]
		mov	ecx, [ebp+var_34]
		add	ecx, 1Ch
		lea	esi, [eax+eax]
		mov	eax, esi
		shr	eax, 3
		add	eax, ds:dword_6D3390
		mov	[ebp+var_4C], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [ebp+var_2C]
		and	esi, 7
		mov	edx, [ebp+var_4C]
		lea	eax, [esi+ecx*2]
		mov	ecx, [ebp+var_C]
		push	eax
		call	MiSplitBitmapPages
		test	eax, eax
		jnz	short loc_5C4965
		and	ds:dword_7051B4, 0FFFFFFFDh

loc_5C4965:				; CODE XREF: MiExpandPtes+100826j
		test	ds:byte_70EFC6,	1
		jz	short loc_5C497B
		mov	edx, [ebx+4]
		lea	ecx, [ebp+var_58]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C49A6
; 

loc_5C497B:				; CODE XREF: MiExpandPtes+100836j
		mov	eax, [ebp+var_58]
		test	eax, eax
		jnz	short loc_5C499A
		mov	edx, [ebp+var_54]
		lea	eax, [ebp+var_58]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_58]
		cmp	eax, ecx
		jz	short loc_5C49A6
		call	KxWaitForLockChainValid

loc_5C499A:				; CODE XREF: MiExpandPtes+10084Aj
		xor	ecx, ecx
		mov	[ebp+var_58], edi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5C49A6:				; CODE XREF: MiExpandPtes+100843j
					; MiExpandPtes+10085Dj
		mov	cl, [ebp+var_50]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4C432D
; 

loc_5C49B4:				; CODE XREF: MiExpandPtes+271j
		mov	[edx], edi
		jmp	loc_4C4398
; 

loc_5C49BB:				; CODE XREF: MiExpandPtes+25Cj
		mov	ecx, esi
		or	eax, 0FFFFFFFFh
		shl	eax, cl
		jmp	loc_4C43BC
; END OF FUNCTION CHUNK	FOR MiExpandPtes
; 
; START	OF FUNCTION CHUNK FOR MiSplitBitmapPages

loc_5C49C7:				; CODE XREF: MiSplitBitmapPages+Fj
		push	9
		pop	esi
		jmp	loc_4C465F
; END OF FUNCTION CHUNK	FOR MiSplitBitmapPages
; 
; START	OF FUNCTION CHUNK FOR MiMakeZeroedPageTablesEx

loc_5C49CF:				; CODE XREF: MiMakeZeroedPageTablesEx+50j
		mov	[esp+148h+var_BC], ecx
		mov	al, cl
		jmp	loc_4C48E5
; 

loc_5C49DD:				; CODE XREF: MiMakeZeroedPageTablesEx+295j
		mov	eax, large fs:124h
		mov	[esp+148h+var_13C], 1
		mov	esi, [eax+80h]
		add	esi, 240h
		jmp	loc_4C476F
; 

loc_5C49FC:				; CODE XREF: MiMakeZeroedPageTablesEx+1CBj
		test	[ebp+arg_0], 200h
		jnz	short loc_5C4A1E
		mov	edx, [ebp+arg_4]
		lea	eax, [esp+14Ch+var_B8]
		push	eax
		push	0
		push	[esp+154h+var_13C]
		mov	ecx, esi
		push	edi
		call	_MiDeleteSystemPageTables@24 ; MiDeleteSystemPageTables(x,x,x,x,x,x)

loc_5C4A1E:				; CODE XREF: MiMakeZeroedPageTablesEx+20Dj
					; MiMakeZeroedPageTablesEx+10033Dj
		xor	eax, eax
		jmp	loc_4C489A
; END OF FUNCTION CHUNK	FOR MiMakeZeroedPageTablesEx
; 
; START	OF FUNCTION CHUNK FOR MiObtainSystemVa

loc_5C4A25:				; CODE XREF: MiObtainSystemVa+59j
		mov	ecx, ds:dword_6D3D54[esi*4]
		add	ecx, [ebp-0Ch]
		cmp	ecx, edx
		jbe	loc_4C4B3F
		inc	ds:dword_6D4194[esi*4]
		push	offset dword_6D2E64
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_5C4AD1
; 

loc_5C4A53:				; CODE XREF: MiObtainSystemVa+71j
					; MiObtainSystemVa+84j	...
		cmp	ds:dword_6D07C4, 0
		push	offset dword_6D2E64
		jz	short loc_5C4A7E
		mov	ds:dword_6D07C4, 0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4C4B1E
; 

loc_5C4A7E:				; CODE XREF: MiObtainSystemVa+FFF7Fj
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp-8]
		cmp	esi, 6
		jz	short loc_5C4AAC
		cmp	esi, 0Ch
		jnz	short loc_5C4AA1
		cmp	dword ptr [ebp-10h], 0
		jnz	short loc_5C4AAC
		jmp	short loc_5C4ACA
; 

loc_5C4AA1:				; CODE XREF: MiObtainSystemVa+FFFB7j
		cmp	esi, 9
		jnz	short loc_5C4ACA
		cmp	dword ptr [ebp-10h], 0
		jz	short loc_5C4ACA

loc_5C4AAC:				; CODE XREF: MiObtainSystemVa+FFFB2j
					; MiObtainSystemVa+FFFBDj
		mov	eax, [ebp-0Ch]
		xor	ecx, ecx
		push	0
		push	1
		lea	edx, ds:0[eax*8]
		call	_CcUnmapInactiveViews@16 ; CcUnmapInactiveViews(x,x,x,x)
		cmp	eax, 1
		jz	loc_4C4B21

loc_5C4ACA:				; CODE XREF: MiObtainSystemVa+FFFBFj
					; MiObtainSystemVa+FFFC4j ...
		inc	ds:dword_6D4194[esi*4]

loc_5C4AD1:				; CODE XREF: MiObtainSystemVa+FFF71j
		mov	ecx, 1
		call	MiReclaimSystemVa
		xor	eax, eax
		jmp	loc_4C4C03
; END OF FUNCTION CHUNK	FOR MiObtainSystemVa
; 
; START	OF FUNCTION CHUNK FOR MiReclaimSystemVa

loc_5C4AE2:				; CODE XREF: MiReclaimSystemVa+3j
					; MiReclaimSystemVa+13j
		push	0
		push	0
		push	offset unk_6D2E94
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		retn
; END OF FUNCTION CHUNK	FOR MiReclaimSystemVa

;  S U B	R O U T	I N E 


sub_5C4AF1	proc near		; CODE XREF: KeFreezeProcess+60j
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-5]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		jmp	loc_4C4EB8
sub_5C4AF1	endp

; 
; START	OF FUNCTION CHUNK FOR PnpLockDeviceActionQueue

loc_5C4B07:				; CODE XREF: PnpLockDeviceActionQueue+2Aj
		test	ds:byte_70EFC6,	1
		jz	short loc_5C4B1C
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5C4B21
; 

loc_5C4B1C:				; CODE XREF: PnpLockDeviceActionQueue+FFB8Ej
		xor	eax, eax
		lock and [edi],	eax

loc_5C4B21:				; CODE XREF: PnpLockDeviceActionQueue+FFB9Aj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _PnpEnumerationLock
		call	KeWaitForSingleObject
		jmp	loc_4C4F8C
; 

loc_5C4B46:				; CODE XREF: PnpLockDeviceActionQueue+48j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4C4FD3
; END OF FUNCTION CHUNK	FOR PnpLockDeviceActionQueue
; 
; START	OF FUNCTION CHUNK FOR PnpUnlockDeviceActionQueue

loc_5C4B55:				; CODE XREF: PnpUnlockDeviceActionQueue+42j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4C502F
; END OF FUNCTION CHUNK	FOR PnpUnlockDeviceActionQueue
; 
; START	OF FUNCTION CHUNK FOR PopPolicyWorkerThread

loc_5C4B64:				; CODE XREF: PopPolicyWorkerThread+69j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	ebx, [ebp+arg_0]
		jmp	loc_4C50DA
; 

loc_5C4B76:				; CODE XREF: PopPolicyWorkerThread+BDj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4C512E
; END OF FUNCTION CHUNK	FOR PopPolicyWorkerThread
; 
; START	OF FUNCTION CHUNK FOR EmpEvaluateTargetRule

loc_5C4B83:				; CODE XREF: EmpEvaluateTargetRule+4Dj
		mov	eax, [ebp+var_C]
		jmp	loc_4C5199
; END OF FUNCTION CHUNK	FOR EmpEvaluateTargetRule
; 
; START	OF FUNCTION CHUNK FOR EmpEvaluateNodeLink

loc_5C4B8B:				; CODE XREF: EmpEvaluateNodeLink+E5j
		test	eax, eax
		jnz	short loc_5C4BA9
		push	dword ptr [edi+18h]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	[ebp+var_10]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	dword ptr [edi+10h]
		jmp	short loc_5C4BCD
; 

loc_5C4BA9:				; CODE XREF: EmpEvaluateNodeLink+FF877j
		push	[ebp+arg_20]
		mov	edx, [ebp+var_10]
		push	[ebp+arg_1C]
		mov	ecx, [ecx+40h]
		push	0
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	EmpEvaluateNodeLink

loc_5C4BCD:				; CODE XREF: EmpEvaluateNodeLink+FF891j
		mov	esi, eax
		jmp	loc_4C53A3
; 

loc_5C4BD4:				; CODE XREF: EmpEvaluateNodeLink+175j
					; EmpEvaluateNodeLink+18Ej
		mov	edi, [ebp+arg_20]
		jmp	loc_4C5514
; 

loc_5C4BDC:				; CODE XREF: EmpEvaluateNodeLink+13Bj
					; EmpEvaluateNodeLink+157j
		mov	ebx, [ebp+arg_1C]
		jmp	loc_4C5528
; END OF FUNCTION CHUNK	FOR EmpEvaluateNodeLink
; 
; START	OF FUNCTION CHUNK FOR EmpAllocatePool

loc_5C4BE4:				; CODE XREF: EmpAllocatePool+14j
					; EmpAllocatePool+21j
		push	76654D45h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		jmp	loc_4C5666
; END OF FUNCTION CHUNK	FOR EmpAllocatePool
; 
; START	OF FUNCTION CHUNK FOR EmpUpdateRuleState

loc_5C4BF6:				; CODE XREF: EmpUpdateRuleState+9Cj
		push	dword ptr [edi-4]
		push	esi
		push	dword ptr [esi+10h]
		call	dword ptr [edi-8]
		mov	edi, [edi]
		jmp	loc_4C5814
; END OF FUNCTION CHUNK	FOR EmpUpdateRuleState
; 
; START	OF FUNCTION CHUNK FOR PipAreDriversLoadedWorker

loc_5C4C07:				; CODE XREF: PipAreDriversLoadedWorker+14j
					; DATA XREF: .text:004C58BCo
		mov	ecx, edx
		mov	edx, 300h
		jmp	loc_4C5892
; END OF FUNCTION CHUNK	FOR PipAreDriversLoadedWorker
; 
; START	OF FUNCTION CHUNK FOR PiControlAllocateBufferForUserModeCaller

loc_5C4C13:				; CODE XREF: PiControlAllocateBufferForUserModeCaller+13j
		push	20207050h
		push	edi
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	[esi], eax
		test	eax, eax
		jnz	short loc_5C4C30
		mov	eax, 0C000009Ah
		jmp	loc_4C58F4
; 

loc_5C4C30:				; CODE XREF: PiControlAllocateBufferForUserModeCaller+FF350j
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_4C58F2
; END OF FUNCTION CHUNK	FOR PiControlAllocateBufferForUserModeCaller
; 
; START	OF FUNCTION CHUNK FOR ExGetSessionPoolTagInfo

loc_5C4C41:				; CODE XREF: ExGetSessionPoolTagInfo+34j
		mov	eax, 0C000010Ah
		jmp	loc_4C5D9D
; 

loc_5C4C4B:				; CODE XREF: ExGetSessionPoolTagInfo+7Dj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_58]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4C5C99
; 

loc_5C4C5B:				; CODE XREF: ExGetSessionPoolTagInfo+9Fj
		lea	ecx, [ebp+var_58]
		call	KxWaitForLockChainValid

loc_5C4C63:				; CODE XREF: ExGetSessionPoolTagInfo+88j
		mov	[ebp+var_58], esi
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_4C5C99
; 

loc_5C4C71:				; CODE XREF: ExGetSessionPoolTagInfo+1F3j
		xor	ecx, ecx
		call	MmAcquireSessionPoolRundown
		mov	eax, 0C000009Ah
		jmp	loc_4C5D9D
; 

loc_5C4C82:				; CODE XREF: ExGetSessionPoolTagInfo+235j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_58]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4C5E51
; 

loc_5C4C92:				; CODE XREF: ExGetSessionPoolTagInfo+257j
		lea	ecx, [ebp+var_58]
		call	KxWaitForLockChainValid

loc_5C4C9A:				; CODE XREF: ExGetSessionPoolTagInfo+240j
		mov	[ebp+var_58], esi
		add	eax, 4
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4C5E51
; 

loc_5C4CAB:				; CODE XREF: ExGetSessionPoolTagInfo+E7j
		mov	[ebp+var_20], 0C0000095h
		jmp	loc_4C5D74
; 

loc_5C4CB7:				; CODE XREF: ExGetSessionPoolTagInfo+12Fj
		mov	[edx+4], eax
		jmp	loc_4C5D29
; 

loc_5C4CBF:				; CODE XREF: ExGetSessionPoolTagInfo+13Bj
		mov	[edx+10h], eax
		jmp	loc_4C5D35
; END OF FUNCTION CHUNK	FOR ExGetSessionPoolTagInfo

;  S U B	R O U T	I N E 


sub_5C4CC7	proc near		; DATA XREF: .text:006A1EB4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5C4CC7	endp


;  S U B	R O U T	I N E 


sub_5C4CD5	proc near		; DATA XREF: .text:006A1EB8o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-48h]
		mov	[ebp-20h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		mov	edi, [ebp-3Ch]
		jmp	loc_4C5D7B
sub_5C4CD5	endp

; 
; START	OF FUNCTION CHUNK FOR MmDetachSession

loc_5C4CEF:				; CODE XREF: MmDetachSession+40j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4C6250
; 

loc_5C4CFF:				; CODE XREF: MmDetachSession+74j
		lea	ecx, [esi+40h]
		mov	edx, edi
		call	KeSignalGate
		jmp	loc_4C626A
; END OF FUNCTION CHUNK	FOR MmDetachSession
; 
; START	OF FUNCTION CHUNK FOR MmAttachSession

loc_5C4D0E:				; CODE XREF: MmAttachSession+44j
		test	ds:byte_70EFC6,	1
		jz	short loc_5C4D24
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C4D53
; 

loc_5C4D24:				; CODE XREF: MmAttachSession+FEA87j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5C4D43
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5C4D53
		call	KxWaitForLockChainValid

loc_5C4D43:				; CODE XREF: MmAttachSession+FEA9Bj
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5C4D53:				; CODE XREF: MmAttachSession+FEA94j
					; MmAttachSession+FEAAEj
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, 0C000010Ah
		jmp	loc_4C6320
; 

loc_5C4D66:				; CODE XREF: MmAttachSession+54j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4C6302
; END OF FUNCTION CHUNK	FOR MmAttachSession
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegContextCompact

loc_5C4D76:				; CODE XREF: RtlpHpSegContextCompact+276j
		mov	ecx, [ebp-0Ch]
		mov	ecx, [ecx+4]
		mov	[ebp-0Ch], ecx
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_5C4DB4
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_5C4DB4
		mov	esi, [ebp-8]
		mov	[edx], ecx
		mov	[ecx+4], edx
		lea	edx, [ebp-24h]
		mov	ecx, [ebp-20h]
		dec	dword ptr [esi+4Ch]
		cmp	[ecx], edx
		jnz	short loc_5C4DB4
		mov	[eax], edx
		mov	edx, [ebp-0Ch]
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ebp-20h], eax
		jmp	loc_4C6499
; 

loc_5C4DB4:				; CODE XREF: RtlpHpSegContextCompact+FE9A4j
					; RtlpHpSegContextCompact+FE9ABj ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5C4DBB:				; CODE XREF: RtlpHpSegContextCompact+2ADj
		push	0
		push	dword ptr [ebp-10h]
		push	dword ptr [ebp-0Ch]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C4DCE:				; CODE XREF: RtlpHpSegContextCompact+1C4j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp-1Ch]
		jmp	loc_4C65BA
; 

loc_5C4DE3:				; CODE XREF: RtlpHpSegContextCompact+2D4j
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4C66BA
; 

loc_5C4DF4:				; CODE XREF: RtlpHpSegContextCompact+301j
		push	dword ptr [ebp-1Ch]
		mov	edx, [ebp-0Ch]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4C65D1
; 

loc_5C4E06:				; CODE XREF: RtlpHpSegContextCompact+21Cj
					; RtlpHpSegContextCompact+FEA3Ej
		mov	ecx, [ebp-8]
		mov	edx, esi
		mov	esi, [esi]
		push	1
		push	7FFFFFFFh
		call	RtlpHpSegSegmentFree
		lea	eax, [ebp-24h]
		cmp	esi, eax
		jnz	short loc_5C4E06
		jmp	loc_4C6602
; END OF FUNCTION CHUNK	FOR RtlpHpSegContextCompact
; 
; START	OF FUNCTION CHUNK FOR PpMarkDeviceStackExtensionFlag

loc_5C4E25:				; CODE XREF: PpMarkDeviceStackExtensionFlag+48j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_565EDB
; 

loc_5C4E34:				; CODE XREF: PpMarkDeviceStackExtensionFlag+65j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5C4E3B:				; CODE XREF: PpMarkDeviceStackExtensionFlag+52j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_565EDB
; END OF FUNCTION CHUNK	FOR PpMarkDeviceStackExtensionFlag
; 
; START	OF FUNCTION CHUNK FOR PnpSetDeviceInstanceStartedEventFromDeviceInstance

loc_5C4E4F:				; CODE XREF: PnpSetDeviceInstanceStartedEventFromDeviceInstance+16j
		mov	eax, 0C0000189h
		jmp	loc_565F8F
; END OF FUNCTION CHUNK	FOR PnpSetDeviceInstanceStartedEventFromDeviceInstance
; 
; START	OF FUNCTION CHUNK FOR IoResolveDependency

loc_5C4E59:				; CODE XREF: IoResolveDependency+31j
		mov	eax, [ecx+18h]
		test	eax, eax
		jz	short loc_5C4E74
		cmp	eax, esi
		jz	loc_5660D8
		mov	edx, [ebp+arg_0]
		call	_PipDeleteBindingId@8 ;	PipDeleteBindingId(x,x)
		mov	ebx, eax
		mov	ecx, edi

loc_5C4E74:				; CODE XREF: IoResolveDependency+5EE58j
		test	ecx, ecx
		jz	loc_56603D
		cmp	[ecx+18h], edi
		jnz	loc_566085
		test	esi, esi
		jz	short loc_5C4E94
		mov	eax, [esi+0B0h]
		mov	eax, [eax+2Ch]
		jmp	short loc_5C4E96
; 

loc_5C4E94:				; CODE XREF: IoResolveDependency+5EE81j
		mov	eax, edi

loc_5C4E96:				; CODE XREF: IoResolveDependency+5EE8Cj
		test	eax, eax
		jnz	short loc_5C4EA8
		mov	edx, ecx
		mov	ecx, esi
		call	_PipLinkDeviceObjectAndDependencyNode@8	; PipLinkDeviceObjectAndDependencyNode(x,x)
		jmp	loc_566085
; 

loc_5C4EA8:				; CODE XREF: IoResolveDependency+5EE92j
		test	esi, esi
		jz	short loc_5C4EB5
		mov	eax, [esi+0B0h]
		mov	edi, [eax+2Ch]

loc_5C4EB5:				; CODE XREF: IoResolveDependency+5EEA4j
		mov	edx, ecx
		mov	ecx, edi
		call	_PipMergeDependencyNodes@8 ; PipMergeDependencyNodes(x,x)
		jmp	loc_566085
; 

loc_5C4EC3:				; CODE XREF: IoResolveDependency+39j
		mov	eax, edi
		jmp	loc_56604E
; 

loc_5C4ECA:				; CODE XREF: IoResolveDependency+5Ej
		mov	ebx, 0C000009Ah
		jmp	loc_5660D8
; 

loc_5C4ED4:				; CODE XREF: IoResolveDependency+72j
		mov	edx, edi
		mov	ecx, esi
		call	_PipUnlinkDeviceObjectAndDependencyNode@8 ; PipUnlinkDeviceObjectAndDependencyNode(x,x)
		mov	ecx, edi
		call	_PipDereferenceDependencyNode@4	; PipDereferenceDependencyNode(x)
		jmp	loc_5660D8
; 

loc_5C4EE9:				; CODE XREF: IoResolveDependency+8Ej
		test	dword ptr [ecx+10Ch], 20000h
		jnz	loc_56609A
		call	_PipIsProviderStarted@4	; PipIsProviderStarted(x)
		test	al, al
		jz	loc_56609A
		call	PipAttemptDependentsStart
		jmp	loc_56609A
; END OF FUNCTION CHUNK	FOR IoResolveDependency
; 
; START	OF FUNCTION CHUNK FOR IopVerifierExAllocatePool

loc_5C4F10:				; CODE XREF: IopVerifierExAllocatePool+7j
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_5C4F29
		test	byte ptr ds:dword_6FDE00, 6
		jz	loc_5660ED

loc_5C4F29:				; CODE XREF: IopVerifierExAllocatePool+5EE3Aj
		mov	eax, ds:_MmVerifierData
		and	eax, 10h
		or	eax, 40h
		shr	eax, 1
		push	eax
		push	20206F49h
		push	edx
		push	ecx
		call	ExAllocatePoolWithTagPriority
		retn
; END OF FUNCTION CHUNK	FOR IopVerifierExAllocatePool
; 
; START	OF FUNCTION CHUNK FOR RtlIoDecodeMemIoResource

loc_5C4F44:				; CODE XREF: RtlIoDecodeMemIoResource+1Cj
		movzx	eax, word ptr [edx+4]
		test	eax, 200h
		jz	short loc_5C4F6C
		mov	esi, [edx+8]
		xor	ebx, ebx
		mov	edi, [edx+0Ch]
		xor	ecx, ecx
		shld	ebx, esi, 8
		shld	ecx, edi, 8
		shl	esi, 8
		shl	edi, 8
		jmp	loc_5661E8
; 

loc_5C4F6C:				; CODE XREF: RtlIoDecodeMemIoResource+5ED8Dj
		test	eax, 400h
		jz	short loc_5C4F90
		mov	esi, [edx+8]
		xor	ebx, ebx
		mov	edi, [edx+0Ch]
		xor	ecx, ecx
		shld	ebx, esi, 10h
		shld	ecx, edi, 10h
		shl	esi, 10h
		shl	edi, 10h
		jmp	loc_5661E8
; 

loc_5C4F90:				; CODE XREF: RtlIoDecodeMemIoResource+5EDB1j
		test	eax, 800h
		jz	loc_5661E8
		mov	ebx, [edx+8]
		mov	ecx, [edx+0Ch]
		jmp	loc_5661E8
; END OF FUNCTION CHUNK	FOR RtlIoDecodeMemIoResource
; 
; START	OF FUNCTION CHUNK FOR RtlCmEncodeMemIoResource

loc_5C4FA6:				; CODE XREF: RtlCmEncodeMemIoResource+46j
					; RtlCmEncodeMemIoResource+4Fj
		cmp	edx, 0FFh
		ja	short loc_5C4FEC
		jb	short loc_5C4FB8
		cmp	esi, 0FFFFFF00h
		ja	short loc_5C4FEC

loc_5C4FB8:				; CODE XREF: RtlCmEncodeMemIoResource+5ED86j
		and	[ebp+arg_4], 0
		mov	edi, esi
		mov	eax, edx
		shrd	edi, eax, 8
		mov	eax, edi
		shld	[ebp+arg_4], eax, 8
		shl	eax, 8
		cmp	esi, eax
		jnz	short loc_5C504C
		cmp	edx, [ebp+arg_4]
		jnz	short loc_5C504C
		or	ebx, 200h
		mov	byte ptr [ecx],	7
		mov	[ecx+0Ch], edi
		mov	[ecx+2], bx
		jmp	loc_566283
; 

loc_5C4FEC:				; CODE XREF: RtlCmEncodeMemIoResource+5ED84j
					; RtlCmEncodeMemIoResource+5ED8Ej
		cmp	edx, 0FFFFh
		ja	short loc_5C503D
		jb	short loc_5C4FFE
		cmp	esi, 0FFFF0000h
		ja	short loc_5C503D

loc_5C4FFE:				; CODE XREF: RtlCmEncodeMemIoResource+5EDCCj
		and	[ebp+arg_4], 0
		mov	ebx, esi
		mov	eax, edx
		shrd	ebx, eax, 10h
		mov	eax, ebx
		shld	[ebp+arg_4], eax, 10h
		shl	eax, 10h
		cmp	esi, eax
		jnz	short loc_5C504C
		cmp	edx, [ebp+arg_4]
		jnz	short loc_5C504C
		mov	[ecx+0Ch], ebx
		or	edi, 400h
		jmp	short loc_5C5031
; 

loc_5C5028:				; CODE XREF: RtlCmEncodeMemIoResource+5EE22j
		mov	[ecx+0Ch], edx
		or	edi, 800h

loc_5C5031:				; CODE XREF: RtlCmEncodeMemIoResource+5EDFEj
		mov	byte ptr [ecx],	7
		mov	[ecx+2], di
		jmp	loc_566283
; 

loc_5C503D:				; CODE XREF: RtlCmEncodeMemIoResource+5EDCAj
					; RtlCmEncodeMemIoResource+5EDD4j
		cmp	edx, 0FFFFFFFFh
		ja	short loc_5C504C
		jb	short loc_5C5048
		test	esi, esi
		jnz	short loc_5C504C

loc_5C5048:				; CODE XREF: RtlCmEncodeMemIoResource+5EE1Aj
		test	esi, esi
		jz	short loc_5C5028

loc_5C504C:				; CODE XREF: RtlCmEncodeMemIoResource+5EDA8j
					; RtlCmEncodeMemIoResource+5EDADj ...
		mov	eax, 0C0000001h
		jmp	loc_566285
; END OF FUNCTION CHUNK	FOR RtlCmEncodeMemIoResource
; 
; START	OF FUNCTION CHUNK FOR MiInitializeNonPagedPoolThresholds

loc_5C5056:				; CODE XREF: MiInitializeNonPagedPoolThresholds+4Bj
		mov	edx, [ebx+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_56631F
; 

loc_5C5066:				; CODE XREF: MiInitializeNonPagedPoolThresholds+6Dj
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5C506E:				; CODE XREF: MiInitializeNonPagedPoolThresholds+56j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_56631F
; END OF FUNCTION CHUNK	FOR MiInitializeNonPagedPoolThresholds
; 
; START	OF FUNCTION CHUNK FOR MiSignalNonPagedPoolWatchers

loc_5C5083:				; CODE XREF: MiSignalNonPagedPoolWatchers+27j
		test	ds:byte_70EFC6,	1
		jnz	short loc_5C50EE
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5C50AF
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	loc_5663E8
		call	KxWaitForLockChainValid

loc_5C50AF:				; CODE XREF: MiSignalNonPagedPoolWatchers+5ED57j
		mov	[ebp+var_C], 0

loc_5C50B6:				; CODE XREF: MiSignalNonPagedPoolWatchers+BFj
		xor	ecx, ecx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_5663E8
; 

loc_5C50C4:				; CODE XREF: MiSignalNonPagedPoolWatchers+4Fj
		cmp	[ecx+4], ebx
		jz	loc_56639C
		push	ecx
		call	_KeResetEvent@4	; KeResetEvent(x)
		jmp	loc_56639C
; 

loc_5C50D8:				; CODE XREF: MiSignalNonPagedPoolWatchers+72j
		cmp	[ecx+4], ebx
		jnz	loc_5663BD
		push	ebx
		push	ebx
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_5663BD
; 

loc_5C50EE:				; CODE XREF: MiSignalNonPagedPoolWatchers+8Aj
					; MiSignalNonPagedPoolWatchers+5ED50j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5663E8
; 

loc_5C50FE:				; CODE XREF: MiSignalNonPagedPoolWatchers+A8j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid
		jmp	loc_5663F6
; END OF FUNCTION CHUNK	FOR MiSignalNonPagedPoolWatchers
; 
; START	OF FUNCTION CHUNK FOR MiFreeLargeInitializationCodePages

loc_5C510B:				; CODE XREF: MiFreeLargeInitializationCodePages+13j
		mov	edi, [ebp+arg_0]
		imul	eax, edi, 1Ch
		add	esi, eax
		test	edi, edi
		jz	loc_566421

loc_5C511B:				; CODE XREF: MiFreeLargeInitializationCodePages+5ED63j
		sub	esi, 1Ch
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, [esi+16h]
		mov	bl, al
		and	cl, 0FDh
		or	cl, 5
		mov	[esi+16h], cl
		lea	ecx, [esi+8]
		and	dword ptr [ecx], 0
		and	dword ptr [ecx+4], 0
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		xor	edx, edx
		mov	ecx, esi
		call	_MiReturnFreeZeroPage@8	; MiReturnFreeZeroPage(x,x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		sub	edi, 1
		jnz	short loc_5C511B
		jmp	loc_566421
; END OF FUNCTION CHUNK	FOR MiFreeLargeInitializationCodePages
; 
; START	OF FUNCTION CHUNK FOR MiFillGapPtes

loc_5C5168:				; CODE XREF: MiFillGapPtes+1Cj
		mov	esi, ecx
		jmp	loc_5666B8
; 

loc_5C516F:				; CODE XREF: MiFillGapPtes+B3j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5C51A1
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	loc_566752

loc_5C5188:				; CODE XREF: MiFillGapPtes+5EB24j
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	loc_566752
		or	edx, 80000000h
		jmp	loc_566752
; 

loc_5C51A1:				; CODE XREF: MiFillGapPtes+5EAE0j
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_8]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_5C5188
		jmp	loc_566752
; 

loc_5C51C1:				; CODE XREF: MiFillGapPtes+C4j
		push	edx
		push	edi
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_566760
; END OF FUNCTION CHUNK	FOR MiFillGapPtes
; 
; START	OF FUNCTION CHUNK FOR MiZeroNodePages

loc_5C51CF:				; CODE XREF: MiZeroNodePages+8Aj
		mov	esi, eax
		mov	[esp+80h+var_70], eax
		jmp	loc_566966
; 

loc_5C51DA:				; CODE XREF: MiZeroNodePages+C9j
		mov	ecx, [esp+80h+var_68]
		mov	esi, edi
		mov	[esp+80h+var_70], esi
		mov	byte ptr [ecx+0DFCh], 1
		jmp	loc_5669A5
; 

loc_5C51F0:				; CODE XREF: MiZeroNodePages+1BAj
		mov	esi, [esp+80h+var_70]
		mov	edi, [esp+80h+var_6C]
		sub	esi, edi
		mov	ecx, [esp+80h+var_48]
		call	_MiDeleteZeroThreadContext@4 ; MiDeleteZeroThreadContext(x)
		jmp	short loc_5C522A
; 

loc_5C5205:				; CODE XREF: MiZeroNodePages+183j
		mov	esi, [esp+80h+var_70]
		lea	ecx, [ebx+54h]
		mov	edi, [esp+80h+var_6C]
		sub	esi, edi
		mov	eax, esi
		neg	eax
		lock xadd [ecx], eax
		cmp	eax, esi
		jnz	short loc_5C522A
		xor	eax, eax
		mov	ecx, ebx
		lea	edx, [eax+1]
		call	KeSignalGate

loc_5C522A:				; CODE XREF: MiZeroNodePages+5E92Dj
					; MiZeroNodePages+5E946j
		test	esi, esi
		jz	loc_566AC5
		mov	esi, [esp+80h+var_68]
		lea	edx, [esp+80h+var_30]
		xor	eax, eax
		lea	ecx, [ebx+10h]
		inc	eax
		mov	[esi+0DFCh], al
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	eax, eax
		mov	ecx, ebx
		lea	edx, [eax+1]
		call	_MiWakeZeroingThreads@8	; MiWakeZeroingThreads(x,x)
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5C5270
		mov	edx, [ebp+4]
		lea	ecx, [esp+80h+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C52A4
; 

loc_5C5270:				; CODE XREF: MiZeroNodePages+5E98Aj
		mov	eax, [esp+80h+var_30]
		test	eax, eax
		jnz	short loc_5C5293
		mov	edx, [esp+80h+var_2C]
		lea	eax, [esp+80h+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+80h+var_30]
		cmp	eax, ecx
		jz	short loc_5C52A4
		call	KxWaitForLockChainValid

loc_5C5293:				; CODE XREF: MiZeroNodePages+5E9A0j
		xor	ecx, ecx
		mov	[esp+80h+var_30], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5C52A4:				; CODE XREF: MiZeroNodePages+5E998j
					; MiZeroNodePages+5E9B6j
		mov	cl, [esp+80h+var_28]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_566AC9
; 

loc_5C52B3:				; CODE XREF: MiZeroNodePages+F2j
		mov	esi, [esp+80h+var_68]

loc_5C52B7:				; CODE XREF: MiZeroNodePages+1F5j
		xor	edx, edx
		mov	ecx, esi
		call	MiZeroPageCalibrate
		jmp	loc_566AE6
; 

loc_5C52C5:				; CODE XREF: MiZeroNodePages+271j
		mov	eax, [esp+80h+var_58]
		test	eax, eax
		jz	short loc_5C52D4
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5C52D4:				; CODE XREF: MiZeroNodePages+5E9F5j
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_566B61
; END OF FUNCTION CHUNK	FOR MiZeroNodePages
; 
; START	OF FUNCTION CHUNK FOR MiZeroPageCalibrate

loc_5C52E0:				; CODE XREF: MiZeroPageCalibrate+2Fj
		xor	ebx, ebx
		xor	esi, esi
		jmp	loc_566DAF
; 

loc_5C52E9:				; CODE XREF: MiZeroPageCalibrate+7Bj
		mov	byte ptr [edi+0DFCh], 1
		jmp	loc_566D3E
; 

loc_5C52F5:				; CODE XREF: MiZeroPageCalibrate+ABj
		mov	esi, [ebp+var_54]
		mov	byte ptr [edi+0DFCh], 1
		jmp	loc_566D9C
; 

loc_5C5304:				; CODE XREF: MiZeroPageCalibrate+C7j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_566D81
; 

loc_5C5311:				; CODE XREF: MiZeroPageCalibrate+108j
		test	ecx, ecx
		jz	loc_566E53
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [edi+0E08h]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_566E53
; 

loc_5C5330:				; CODE XREF: MiZeroPageCalibrate+173j
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_566E2D
; END OF FUNCTION CHUNK	FOR MiZeroPageCalibrate
; 
; START	OF FUNCTION CHUNK FOR MiComputeRunTimeZeroComparisons

loc_5C533F:				; CODE XREF: MiComputeRunTimeZeroComparisons+C4j
					; MiComputeRunTimeZeroComparisons+CCj
		inc	ds:dword_6C68D8
		mov	ecx, eax
		mov	edx, edi
		jmp	loc_566F6A
; END OF FUNCTION CHUNK	FOR MiComputeRunTimeZeroComparisons
; 
; START	OF FUNCTION CHUNK FOR MiAllocateCalibrationResultsMemory

loc_5C534E:				; CODE XREF: MiAllocateCalibrationResultsMemory+41j
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_4]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_56701C
; 

loc_5C5364:				; CODE XREF: MiAllocateCalibrationResultsMemory+2Bj
		mov	dword ptr [esi+2Ch], 0C000009Ah
		mov	al, 21h
		jmp	loc_56705A
; END OF FUNCTION CHUNK	FOR MiAllocateCalibrationResultsMemory
; 
; START	OF FUNCTION CHUNK FOR MiTimeSingleLargePageZero

loc_5C5372:				; CODE XREF: MiTimeSingleLargePageZero+67j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_34], eax
		jmp	loc_5670CD
; 

loc_5C537D:				; CODE XREF: MiTimeSingleLargePageZero+DFj
					; MiTimeSingleLargePageZero+185j
		or	ecx, 0FFFFFFFFh
		jmp	loc_567148
; 

loc_5C5385:				; CODE XREF: MiTimeSingleLargePageZero+26Cj
		lea	esi, [ebx+264h]
		lea	edi, [ebp+var_4C]
		movsd
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		movsd
		movsd
		call	KeSetSystemGroupAffinityThread
		push	[ebp+var_20]
		mov	ecx, [ebp+var_38]
		call	_MiTimeSingleLargePageZeroWorker@8 ; MiTimeSingleLargePageZeroWorker(x,x)
		mov	esi, eax
		mov	edi, edx
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		mov	[ebx+258h], esi
		mov	[ebx+25Ch], edi
		jmp	loc_5672D2
; END OF FUNCTION CHUNK	FOR MiTimeSingleLargePageZero
; 
; START	OF FUNCTION CHUNK FOR MiRestrictRangeToNode

loc_5C53C7:				; CODE XREF: MiRestrictRangeToNode+1Ej
		mov	ecx, edi
		call	_MiSearchChannelTable@4	; MiSearchChannelTable(x)
		mov	ecx, [eax+0Ch]
		lea	eax, [edi+esi]
		cmp	eax, ecx
		jbe	loc_567C1C
		mov	esi, ecx
		sub	esi, edi
		jmp	loc_567C1C
; END OF FUNCTION CHUNK	FOR MiRestrictRangeToNode
; 
; START	OF FUNCTION CHUNK FOR MiInitializeSystemVaRange

loc_5C53E5:				; CODE XREF: MiInitializeSystemVaRange+13j
		push	[ebp+arg_0]
		push	edi
		push	esi
		push	3030304h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C53F7:				; CODE XREF: MiUpdatePageThresholdsDpc+2Aj
		mov	eax, [esi+4]
		mov	edx, [ebp+arg_4]
		or	eax, edi
		mov	[esi], eax
		mov	ecx, [edx+8]
		mov	eax, [edx]
		mov	[ecx+0B2Ch], eax
		mov	eax, [edx+4]
		mov	[ecx+0B30h], eax
		call	MiUpdateAvailableEvents
		mov	ecx, 80000000h

loc_5C541F:				; CODE XREF: MiUpdatePageThresholdsDpc+47j
		lock xadd [esi], ebx
		dec	ebx
		mov	edi, ebx
		not	edi
		and	edi, ecx
		test	ebx, 7FFFFFFFh
		jnz	short loc_5C5446
		mov	eax, [esi+4]
		or	eax, edi
		mov	[esi], eax

loc_5C5439:				; CODE XREF: MiInitializeSystemVaRange+135j
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_5C5446:				; CODE XREF: MiInitializeSystemVaRange+5D7D6j
		mov	eax, [esi]
		and	[ebp+arg_C], 0
		and	eax, ecx
		jmp	loc_567D8B
; END OF FUNCTION CHUNK	FOR MiInitializeSystemVaRange

;  S U B	R O U T	I N E 


sub_5C5453	proc near		; CODE XREF: MiUpdateAvailableEvents+37j
		push	ebx
		push	ebx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_567DD7
sub_5C5453	endp

; 
; START	OF FUNCTION CHUNK FOR MiUpdateAvailableEvents

loc_5C5460:				; CODE XREF: MiUpdateAvailableEvents+60j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_567E1C
; 

loc_5C5470:				; CODE XREF: MiUpdateAvailableEvents+82j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5C5478:				; CODE XREF: MiUpdateAvailableEvents+6Bj
		xor	ecx, ecx
		mov	[ebp+var_C], ebx
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_567E1C
; END OF FUNCTION CHUNK	FOR MiUpdateAvailableEvents
; 
; START	OF FUNCTION CHUNK FOR SmPerformStoreSwapOperation

loc_5C5489:				; CODE XREF: SmPerformStoreSwapOperation+6j
		mov	ecx, edx
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)
		xor	eax, eax
		pop	ecx
		retn
; END OF FUNCTION CHUNK	FOR SmPerformStoreSwapOperation
; 
; START	OF FUNCTION CHUNK FOR MiLogWsEmptyControl

loc_5C5494:				; CODE XREF: MiLogWsEmptyControl+51j
		mov	al, [edi+60h]
		lea	ecx, [esp+88h+var_38]
		mov	edx, [esp+88h+var_74]
		and	al, 7
		and	[esp+88h+var_44], 0
		xor	edi, edi
		and	[esp+88h+var_3C], 0
		inc	edi
		mov	[esp+13h], al
		lea	eax, [esp+13h]
		mov	[esp+88h+var_48], eax
		mov	[esp+88h+var_40], edi
		call	_tlgCreate1Sz_char
		mov	eax, [esp+88h+var_70]
		xor	edx, edx
		mov	[esp+88h+var_74], eax
		lea	eax, [esp+88h+var_74]
		push	4
		pop	ecx
		mov	[esp+88h+var_28], eax
		lea	eax, [esp+88h+var_6C]
		mov	[esp+88h+var_18], eax
		lea	eax, [esp+88h+var_68]
		push	eax
		push	6
		push	ecx
		push	ecx
		push	edi
		push	ecx
		mov	[esp+0A0h+var_24], edx
		mov	[esp+0A0h+var_20], ecx
		mov	[esp+0A0h+var_1C], edx
		mov	[esp+0A0h+var_14], edx
		mov	[esp+0A0h+var_10], ecx
		mov	[esp+0A0h+var_C], edx
		mov	edx, offset loc_41D487
		push	ecx
		mov	ecx, esi
		mov	[esp+0A4h+var_6C], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		jmp	loc_4C67C7
; END OF FUNCTION CHUNK	FOR MiLogWsEmptyControl
; 
; START	OF FUNCTION CHUNK FOR MiPreUnlockWorkingSetShared

loc_5C5528:				; CODE XREF: MiPreUnlockWorkingSetShared+63j
		mov	edx, eax
		lea	ecx, [ebp+var_10]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4C6852
; 

loc_5C5537:				; CODE XREF: MiPreUnlockWorkingSetShared+70j
		lea	ecx, [ebp+var_10]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4C6852
; 

loc_5C5544:				; CODE XREF: MiPreUnlockWorkingSetShared+85j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4C6889
; 

loc_5C5554:				; CODE XREF: MiPreUnlockWorkingSetShared+A7j
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid
		jmp	loc_4C6973
; 

loc_5C5561:				; CODE XREF: MiPreUnlockWorkingSetShared+E9j
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, edi
		jz	short loc_5C5572
		lea	eax, [esi+0C0h]

loc_5C5572:				; CODE XREF: MiPreUnlockWorkingSetShared+FED8Ej
		and	[ebp+var_10], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_C], eax
		jz	short loc_5C558E
		mov	edx, eax
		lea	ecx, [ebp+var_10]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C559F
; 

loc_5C558E:				; CODE XREF: MiPreUnlockWorkingSetShared+FEDA4j
		lea	edx, [ebp+var_10]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_5C559F
		lea	ecx, [ebp+var_10]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5C559F:				; CODE XREF: MiPreUnlockWorkingSetShared+FEDB0j
					; MiPreUnlockWorkingSetShared+FEDB9j
		mov	al, [esi+63h]
		and	al, 0FBh
		mov	[esi+63h], al
		test	ds:byte_70EFC6,	1
		jz	short loc_5C55BD
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C55EC
; 

loc_5C55BD:				; CODE XREF: MiPreUnlockWorkingSetShared+FEDD2j
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_5C55DC
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jz	short loc_5C55EC
		call	KxWaitForLockChainValid

loc_5C55DC:				; CODE XREF: MiPreUnlockWorkingSetShared+FEDE6j
		xor	ecx, ecx
		mov	[ebp+var_10], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5C55EC:				; CODE XREF: MiPreUnlockWorkingSetShared+FEDDFj
					; MiPreUnlockWorkingSetShared+FEDF9j
		lock bts dword ptr [ebx], 16h
		mov	eax, ds:dword_6D5D40
		mov	ecx, esi
		mov	dl, [ebp+var_1]
		movzx	eax, word ptr [eax+4BEh]
		push	eax
		push	5
		call	MiAgeWorkingSet
		mov	al, [esi+63h]
		jmp	loc_4C68CB
; 

loc_5C5612:				; CODE XREF: MiPreUnlockWorkingSetShared+122j
		mov	edx, edi
		lea	ecx, [ebp+var_10]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4C690D
; 

loc_5C5621:				; CODE XREF: MiPreUnlockWorkingSetShared+140j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4C6940
; 

loc_5C5631:				; CODE XREF: MiPreUnlockWorkingSetShared+15Ej
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid
		jmp	loc_4C6961
; END OF FUNCTION CHUNK	FOR MiPreUnlockWorkingSetShared
; 
; START	OF FUNCTION CHUNK FOR MiTrimWorkingSet

loc_5C563E:				; CODE XREF: MiTrimWorkingSet+72j
		or	edx, 20h
		mov	[ebp+var_36D+1], edx
		jmp	loc_4C6A4E
; 

loc_5C564C:				; CODE XREF: MiTrimWorkingSet+7Bj
		or	edx, 40h
		mov	[ebp+var_36D+1], edx
		jmp	loc_4C6A57
; 

loc_5C565A:				; CODE XREF: MiTrimWorkingSet+8Dj
		or	edx, 100h
		mov	[ebp+var_36D+1], edx
		jmp	loc_4C6A69
; 

loc_5C566B:				; CODE XREF: MiTrimWorkingSet+C0j
		mov	[ebp+var_374], eax
		jmp	loc_4C6A9C
; 

loc_5C5676:				; CODE XREF: MiTrimWorkingSet+C9j
		or	edx, 800h
		mov	[ebp+var_36D+1], edx
		jmp	loc_4C6AA5
; 

loc_5C5687:				; CODE XREF: MiTrimWorkingSet+122j
		lea	eax, [ebp+var_1D4]
		mov	[ebp+var_1D0], 20h
		mov	[ebp+var_2B8], eax
		jmp	loc_4C6AFE
; 

loc_5C56A2:				; CODE XREF: MiTrimWorkingSet+23Cj
		mov	al, [esi+60h]
		lea	ecx, [ebp+var_9C]
		mov	edx, [ebp+var_378]
		and	al, 7
		and	[ebp+var_A8], 0
		and	[ebp+var_A0], 0
		mov	byte ptr [ebp+var_36D],	al
		lea	eax, [ebp+var_36D]
		mov	[ebp+var_AC], eax
		mov	[ebp+var_A4], 1
		call	_tlgCreate1Sz_char
		mov	eax, [ebp+var_37C]
		xor	ecx, ecx
		mov	[ebp+var_378], eax
		lea	eax, [ebp+var_378]
		mov	[ebp+var_8C], eax
		mov	eax, [ebp+var_380]
		mov	[ebp+var_394], eax
		lea	eax, [ebp+var_394]
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+var_374]
		mov	[ebp+var_39C], eax
		lea	eax, [ebp+var_39C]
		mov	[ebp+var_6C], eax
		mov	eax, ds:dword_6D5E00
		mov	[ebp+var_3A4], eax
		lea	eax, [ebp+var_3A4]
		mov	[ebp+var_5C], eax
		mov	eax, ds:dword_6D5F00
		mov	[ebp+var_3AC], eax
		lea	eax, [ebp+var_3AC]
		mov	[ebp+var_4C], eax
		mov	eax, ds:dword_6D5F58
		mov	[ebp+var_3B4], eax
		lea	eax, [ebp+var_3B4]
		push	4
		pop	esi
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_384], eax
		lea	eax, [ebp+var_384]
		push	8
		pop	edx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_388]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_CC]
		push	eax
		push	0Ch
		push	ecx
		mov	[ebp+var_88], ecx
		mov	[ebp+var_84], esi
		mov	[ebp+var_80], ecx
		mov	[ebp+var_390], ecx
		mov	[ebp+var_78], ecx
		mov	[ebp+var_74], edx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_398], ecx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_3A0], ecx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_3A8], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3B0], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_388], ebx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], ecx
		push	ecx
		push	1
		push	ecx
		push	ecx
		mov	edx, offset loc_41CE4D
		mov	ecx, edi
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		mov	eax, [ebp+var_364]
		jmp	loc_4C6C1E
; END OF FUNCTION CHUNK	FOR MiTrimWorkingSet
; 
; START	OF FUNCTION CHUNK FOR MiInitializeWalkBounds

loc_5C581B:				; CODE XREF: MiInitializeWalkBounds+78j
					; MiInitializeWalkBounds+FEB2Bj
		mov	[edx+ecx*8], esi
		add	esi, 40000000h
		lea	eax, [esi-1]
		mov	[edx+ecx*8+4], eax
		inc	ecx
		cmp	ecx, 3
		jb	short loc_5C581B
		mov	dword ptr [edx+ecx*8], 0C0800000h
		jmp	short loc_5C585F
; 

loc_5C583A:				; CODE XREF: MiInitializeWalkBounds+12j
		mov	eax, ds:dword_6D07D0
		xor	ecx, ecx
		cmp	eax, 0C0000000h
		jz	short loc_5C5852
		mov	[edx], eax
		inc	ecx
		mov	dword ptr [edx+4], 0BFFFFFFFh

loc_5C5852:				; CODE XREF: MiInitializeWalkBounds+FEB42j
		mov	eax, ds:dword_6D2E78
		add	eax, 200000h
		mov	[edx+ecx*8], eax

loc_5C585F:				; CODE XREF: MiInitializeWalkBounds+FEB34j
		or	dword ptr [edx+ecx*8+4], 0FFFFFFFFh
		jmp	loc_4C6D73
; 

loc_5C5869:				; CODE XREF: MiInitializeWalkBounds+5Dj
		mov	esi, 2000h
		mov	ds:dword_6D2E90, esi
		jmp	loc_4C6D67
; END OF FUNCTION CHUNK	FOR MiInitializeWalkBounds
; 
; START	OF FUNCTION CHUNK FOR MiSimpleAging

loc_5C5879:				; CODE XREF: MiSimpleAging+B2j
		sub	ebx, [ebp+var_2CC]
		sub	ebx, esi
		cmp	ebx, 400h
		jnb	loc_4C6E3E
		shr	esi, 5
		cmp	esi, 8
		jnb	short loc_5C5898
		push	8
		pop	esi

loc_5C5898:				; CODE XREF: MiSimpleAging+FEB0Dj
		mov	ecx, edi
		mov	[ebp+var_2A0], esi
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		xor	ecx, ecx
		mov	[ebp+var_A0], eax
		test	[ebp+var_2C1], 7
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_9C], cx
		mov	[ebp+var_90], ecx
		mov	[ebp+var_98], 21h
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_29C], eax
		jnz	short loc_5C58FD
		cmp	[edi+1A4h], ecx
		jz	short loc_5C58FD
		lea	eax, [ebp+var_1A8]
		mov	[ebp+var_1A4], 20h
		mov	[ebp+var_200], eax

loc_5C58FD:				; CODE XREF: MiSimpleAging+FEB57j
					; MiSimpleAging+FEB5Fj
		or	[ebp+var_2C0], 4
		lea	eax, [ebp+var_2C0]
		mov	[ebp+var_1B0], eax
		lea	ecx, [ebp+var_1F8]
		mov	al, [ebp+var_2C2]
		mov	[ebp+var_1E8], edi
		mov	[ebp+var_1F2], al
		call	_MiGenerateRandomPte@4 ; MiGenerateRandomPte(x)
		or	[ebp+var_1E0], 0FFFFFFFFh
		lea	ecx, [ebp+var_1F8]
		push	6
		mov	[ebp+var_1D8], eax
		pop	eax
		mov	[ebp+var_1B8], offset _MiSimpleAgePte@12 ; MiSimpleAgePte(x,x,x)
		mov	[ebp+var_1B4], offset _MiSimpleAgeWorkingSetTail@4 ; MiSimpleAgeWorkingSetTail(x)
		mov	word ptr [ebp+var_1F8],	ax
		call	MiWalkPageTables
		jmp	loc_4C6E3E
; END OF FUNCTION CHUNK	FOR MiSimpleAging
; 
; START	OF FUNCTION CHUNK FOR MiEmptyWorkingSetPrivatePagesByVa

loc_5C5968:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+5Ej
		and	byte ptr [edi+304h], 0FDh
		xor	ecx, ecx
		push	11h
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_5C5984
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_5C5984:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+FEB2Dj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, 0C000010Ah
		jmp	loc_4C7111
; 

loc_5C599C:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+1D6j
		mov	esi, [ebp+var_8]
		mov	al, 1
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+var_8]
		jmp	loc_4C703D
; 

loc_5C59B9:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+2FEj
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4C7152
; 

loc_5C59C8:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+325j
		push	[ebp+var_30]
		lea	edx, [esi+18h]
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4C7179
; 

loc_5C59DA:				; CODE XREF: MiEmptyWorkingSetPrivatePagesByVa+284j
		mov	eax, [ebp+var_38]
		push	0
		push	[ebp+var_20]
		push	eax
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C59EF:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmSwapStore+16j
		mov	eax, 0C00000BBh
		jmp	loc_4C73EF
; END OF FUNCTION CHUNK	FOR MiEmptyWorkingSetPrivatePagesByVa
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmPerformStoreMaintenance

loc_5C59F9:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPerformStoreMaintenance+3Fj
		mov	edi, 0C000009Ah
		jmp	loc_4C755D
; 

loc_5C5A03:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPerformStoreMaintenance+A9j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4C755D
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmPerformStoreMaintenance
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmStoreRequest

loc_5C5A10:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreRequest+35j
		mov	ecx, [ebp+var_4]
		and	ebx, 3FFh
		mov	edx, ebx
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_4C75A5
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmStoreRequest
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStInSwapStore

loc_5C5A2D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStInSwapStore+3Bj
		mov	edi, 0C00000A3h

loc_5C5A32:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStInSwapStore+4Bj
		xor	eax, eax
		xchg	eax, [ebx]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	ebx, [ebp+var_4]
		xor	edx, edx
		add	ebx, 10F8h
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_5C5A6B
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_5C5A6B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStInSwapStore+FE46Ej
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4C7613
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStInSwapStore
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStOutSwapStore

loc_5C5A8B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+5Bj
		mov	esi, 0C000A003h
		jmp	loc_4C79B9
; 

loc_5C5A95:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+B4j
		mov	esi, 0C000009Ah
		jmp	loc_4C794F
; 

loc_5C5A9F:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+38Dj
		cmp	dword ptr [edx], 0
		jnz	loc_4C7860
		add	esi, 20h
		add	edx, 4
		cmp	esi, 0FFFFFFFFh
		jnb	loc_4C7871
		jmp	loc_4C7AA3
; 

loc_5C5ABC:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore:loc_4C7871j
		or	esi, 0FFFFFFFFh
		jmp	loc_4C7877
; 

loc_5C5AC4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+2EFj
		push	2
		sub	esp, 0Ch
		mov	edx, edi
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		call	?SmStUnmapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z ; SMKM_STORE<SM_TRAITS>::SmStUnmapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)
		mov	ebx, [ebp+var_8]
		mov	esi, 0C000009Ah
		mov	[ebp+var_10], esi
		jmp	loc_4C78EE
; 

loc_5C5AE5:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+41j
					; SMKM_STORE_SM_TRAITS___SmStOutSwapStore+4Aj
		mov	ebx, [ebp+var_8]
		mov	esi, 0C000A003h
		mov	[ebp+var_10], esi
		jmp	loc_4C78EB
; 

loc_5C5AF5:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStOutSwapStore+1BDj
		mov	ebx, edi
		jmp	loc_4C78EB
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStOutSwapStore
; 
; START	OF FUNCTION CHUNK FOR SmArrayGrow

loc_5C5AFC:				; CODE XREF: SmArrayGrow+26j
		lea	esi, [ecx+8]
		cmp	esi, ecx
		jb	loc_4C7B6A
		jmp	loc_4C7AF4
; END OF FUNCTION CHUNK	FOR SmArrayGrow
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling

loc_5C5B0C:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling+2Fj
		mov	esi, [eax]
		test	ebx, ebx
		jz	short loc_5C5B18
		mov	edi, esi
		mov	eax, esi
		jmp	short loc_5C5B20
; 

loc_5C5B18:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling+FDD5Aj
		movzx	eax, word ptr [esi]
		lea	edi, [esi+eax*8]
		mov	eax, edi

loc_5C5B20:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling+FDD60j
		add	edi, 8
		add	eax, 4
		jmp	loc_4C7DDD
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDescendToSibling
; 
; START	OF FUNCTION CHUNK FOR SmHpBufferAlloc

loc_5C5B2B:				; CODE XREF: SmHpBufferAlloc+102j
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4C8466
; END OF FUNCTION CHUNK	FOR SmHpBufferAlloc
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StCompactionFindEmptiest

loc_5C5B38:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionFindEmptiest+96j
		xor	edx, edx
		jmp	loc_4C864F
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StCompactionFindEmptiest
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StCompactionPickPriority

loc_5C5B3F:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPickPriority+7Fj
		xor	edx, edx
		jmp	loc_4C8771
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StCompactionPickPriority
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StCompactionPerformInMem

loc_5C5B46:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+17Fj
		mov	esi, 0C0000708h
		jmp	loc_4C8AFA
; 

loc_5C5B50:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactionPerformInMem+20Dj
		mov	edx, [ebp+var_A0]
		push	ecx
		mov	ecx, ebx
		call	?StUnlockAndUnmapRegion@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@KPAD@Z ; ST_STORE<SM_TRAITS>::StUnlockAndUnmapRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,char *)
		jmp	loc_4C8B19
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StCompactionPerformInMem
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmCombineBufferProcess

loc_5C5B63:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferProcess+9Fj
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4C8CA5
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmCombineBufferProcess
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsert

loc_5C5B6A:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsert+1Aj
		test	eax, eax
		js	loc_4C8E4F
		mov	eax, 0C0000154h
		jmp	loc_4C8E4F
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsert
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmCombinePageRecords

loc_5C5B7C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombinePageRecords+1Aj
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4C8E76
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmCombinePageRecords
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StCompactRegions

loc_5C5B83:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+510j
		xor	eax, eax
		jmp	loc_4C94A9
; 

loc_5C5B8A:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+521j
		push	ecx
		mov	edx, ecx
		mov	ecx, edi
		call	?BTreeFindLeafSibling@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGPAUNODE@?$B_TREE_HEADER@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAU23@K@Z ;	B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,ulong)
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4C9544
		or	eax, eax
		jmp	loc_4C90C1
; 

loc_5C5BA4:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+55Aj
		mov	ecx, [esp+0B0h+var_78]
		mov	eax, [esp+0B0h+var_9C]
		mov	[ecx], eax
		mov	[ecx+4], esi
		jmp	loc_4C950F
; 

loc_5C5BB6:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+367j
					; ST_STORE_SM_TRAITS___StCompactRegions+37Cj
		cmp	edi, 0C0000006h
		jz	loc_4C9519
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4C9312
; 

loc_5C5BC9:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+134j
					; ST_STORE_SM_TRAITS___StCompactRegions+4DAj
		mov	edi, 0C0000006h
		jmp	loc_4C9519
; 

loc_5C5BD3:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+34Ej
		mov	eax, [ebx+1A4h]
		lea	edx, [ebx+30h]
		push	[esp+0B0h+var_84]
		mov	eax, [eax]
		mov	[edi], eax
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey
		mov	edi, [esp+0B0h+var_A4]
		jmp	loc_4C9519
; 

loc_5C5BF2:				; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+1FEj
		mov	edi, 0C0000016h
		jmp	loc_4C9519
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StCompactRegions
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey

loc_5C5BFC:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+1D2j
		mov	eax, [ebp+var_14]
		mov	[eax], ebx
		jmp	loc_4C95EF
; 

loc_5C5C06:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+11Ej
		or	eax, 0FFFFFFFFh
		jmp	loc_4C95F7
; 

loc_5C5C0E:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+129j
		mov	ebx, [ecx+8]
		lea	eax, [ebp+var_10]
		push	eax
		mov	ecx, edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], esi
		call	?Compare@ST_REGION_ENTRY_COMPARATOR@?$ST_STORE@USM_TRAITS@@@@SGHPAXABK1@Z ; ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR::Compare(void *,ulong const	&,ulong	const &)
		test	eax, eax
		jns	short loc_5C5C32
		mov	eax, [ebp+var_14]
		mov	[eax], ebx
		xor	ebx, ebx
		jmp	loc_4C96E6
; 

loc_5C5C32:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+FC690j
		xor	ebx, ebx
		jmp	loc_4C96E7
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmPageRemove

loc_5C5C39:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+53j
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref
		mov	edx, [esp+70h+var_48]
		mov	ecx, [esp+70h+var_58]
		mov	eax, [esp+70h+var_50]
		mov	edi, [edx+14h]
		jmp	loc_4C97D9
; 

loc_5C5C52:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+6Fj
		mov	edi, [esp+70h+var_30]
		add	ecx, 24h
		mov	edx, edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	edi, [edi+14h]
		mov	ecx, [esp+70h+var_58]
		mov	edx, [esp+70h+var_48]
		mov	eax, [esp+70h+var_50]
		jmp	loc_4C97F5
; 

loc_5C5C74:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+305j
		xor	eax, eax
		jmp	loc_4C9A8E
; 

loc_5C5C7B:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+316j
		push	ecx
		mov	edx, ecx
		mov	ecx, edi
		call	?BTreeFindLeafSibling@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAU23@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSibling(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY>::NODE *,ulong)
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4C9B0B
		or	eax, eax
		jmp	loc_4C9ABB
; 

loc_5C5C95:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+186j
		mov	edx, [esp+70h+var_40]
		push	0
		push	0
		push	[esp+78h+var_58]
		mov	eax, [edx]
		mov	edx, 1
		push	eax
		push	ecx
		push	[esp+84h+var_44]
		call	_SmEtwLogStoreOp@32 ; SmEtwLogStoreOp(x,x,x,x,x,x,x,x)
		jmp	loc_4C990C
; 

loc_5C5CB8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+20Fj
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4C9995
; 

loc_5C5CBF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+254j
		cmp	eax, 0C0000006h
		jz	short loc_5C5CE9
		cmp	eax, 0C0000225h
		jnz	short loc_5C5CE7
		mov	eax, [ecx+484h]
		lea	edx, [ecx+0Ch]
		cmp	dword ptr [eax], 2
		mov	eax, [esp+70h+var_50]
		jge	loc_4C9814
		mov	eax, [esp+70h+var_54]

loc_5C5CE7:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC54Bj
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_5C5CE9:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC544j
		cmp	eax, 0C0000225h
		jnz	loc_5C5FE0
		mov	eax, [esp+70h+var_50]
		lea	edx, [ecx+0Ch]
		jmp	loc_4C9814
; 

loc_5C5D00:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+292j
		mov	ecx, [esp+70h+var_4C]
		test	ecx, ecx
		jz	loc_5C5F8A
		mov	eax, edi
		sub	eax, [esp+70h+var_3C]
		cmp	eax, ecx
		jz	loc_5C5F86
		mov	eax, [esp+70h+var_58]
		mov	ecx, [eax+1C0h]
		test	byte ptr [ecx+10F5h], 4
		jz	loc_5C5F61
		add	ecx, 10F8h
		or	eax, 0FFFFFFFFh
		mov	[esp+70h+var_40], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5C5D51
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [esp+70h+var_40]

loc_5C5D51:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC5C6j
		xor	eax, eax
		mov	[esp+70h+var_44], eax
		test	ecx, 7FFFFFFCh
		jz	loc_5C5F55
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	esi, ds:dword_6D07D0
		shr	edx, 15h
		cmp	ecx, esi
		mov	[esp+70h+var_20], esi
		mov	esi, [esp+70h+var_34]
		mov	[esp+70h+var_54], eax
		jb	short loc_5C5D8D
		cmp	byte ptr ds:dword_6D3994[edx], 1
		jz	short loc_5C5D9C

loc_5C5D8D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC602j
		cmp	ecx, [esp+70h+var_20]
		jb	short loc_5C5DB3
		cmp	byte ptr ds:dword_6D3994[edx], 0Bh
		jnz	short loc_5C5DB3

loc_5C5D9C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC60Bj
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[esp+70h+var_38], eax
		mov	eax, [esp+70h+var_54]
		jmp	short loc_5C5DBA
; 

loc_5C5DB3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC611j
					; ST_STORE_SM_TRAITS___StDmPageRemove+FC61Aj
		or	edx, 0FFFFFFFFh
		mov	[esp+70h+var_38], edx

loc_5C5DBA:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC631j
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	[esp+70h+var_59], cl
		mov	ecx, eax
		push	edx
		mov	edx, [esp+74h+var_40]
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	edx, eax
		mov	[esp+70h+var_20], edx
		test	edx, edx
		jnz	short loc_5C5E0F
		mov	ecx, [esp+70h+var_54]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_5C5EA9
		push	edx
		push	[esp+74h+var_38]
		push	[esp+78h+var_40]
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C5E0F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC667j
		mov	al, [edx+10h]
		or	al, 2
		mov	[edx+10h], al
		nop
		cmp	dword ptr [edx+10h], 0
		jge	short loc_5C5E29
		mov	ecx, edx
		call	KiAbEntryRemoveFromTree
		mov	edx, [esp+84h+var_34]

loc_5C5E29:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC69Cj
		mov	eax, [edx+2Ch]
		mov	ecx, eax
		and	byte ptr [edx+0Dh], 0FEh
		and	ecx, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+84h+var_58], ecx
		mov	[edx+2Ch], eax
		nop
		mov	eax, [esp+84h+var_68]
		mov	dword ptr [edx+10h], 0
		sub	edx, [eax+1E8h]
		mov	eax, 2AAAAAABh
		imul	edx
		sar	edx, 3
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		cmp	[esp+84h+var_6D], 1
		mov	[esp+84h+var_4C], eax
		jnz	short loc_5C5E90
		mov	edx, [esp+84h+var_68]
		mov	esi, [esp+84h+var_4C]
		movzx	eax, byte ptr [edx+1E4h]
		bts	eax, esi
		mov	esi, [esp+84h+var_48]
		mov	[edx+1E4h], al
		jmp	short loc_5C5EAD
; 

loc_5C5E90:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC6F0j
		mov	esi, [esp+84h+var_68]
		mov	al, 1
		mov	ecx, [esp+84h+var_4C]
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [esp+84h+var_48]

loc_5C5EA9:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC675j
		mov	ecx, [esp+84h+var_58]

loc_5C5EAD:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC70Ej
		nop
		mov	eax, [esp+84h+var_68]
		mov	edx, ecx
		dec	byte ptr [eax+1E6h]
		and	edx, 1FFFFh
		mov	[esp+84h+var_4C], edx
		jz	short loc_5C5F3D
		test	ecx, 8000h
		jz	short loc_5C5EE3
		xor	edx, edx
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+84h+var_58]
		mov	eax, [esp+84h+var_68]
		mov	edx, [esp+84h+var_4C]

loc_5C5EE3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC74Cj
		test	byte ptr [esp+84h+var_58+2], 1
		jz	short loc_5C5F02
		mov	edx, 1
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [esp+84h+var_58]
		mov	eax, [esp+84h+var_68]
		mov	edx, [esp+84h+var_4C]

loc_5C5F02:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC768j
		test	ecx, 7FFFh
		jz	short loc_5C5F21
		and	ecx, 7FFFh
		mov	edx, ecx
		mov	ecx, eax
		call	KiAbThreadUnboostCpuPriority
		mov	eax, [esp+84h+var_68]
		mov	edx, [esp+84h+var_4C]

loc_5C5F21:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC788j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5C5F3D
		push	edx
		mov	edx, [esp+88h+var_54]
		mov	ecx, eax
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	eax, [esp+84h+var_68]

loc_5C5F3D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC744j
					; ST_STORE_SM_TRAITS___StDmPageRemove+FC7ABj
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_5C5F55
		nop
		add	eax, 70h
		cmp	[eax], eax
		jz	short loc_5C5F55
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5C5F55:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC5DDj
					; ST_STORE_SM_TRAITS___StDmPageRemove+FC7C6j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_5C5F61:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC5ABj
		push	ecx
		push	[esp+88h+var_60]
		lea	edx, [esp+8Ch+var_50]
		call	?SmEvictKeys@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAT_SM_PAGE_KEY@@KPAU?$SMKM_STORE@USM_TRAITS@@@@@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,SMKM_STORE<SM_TRAITS> *)
		mov	eax, [esp+84h+var_6C]
		mov	ecx, [eax+1C0h]
		call	?SmStAcquireStoreLockExclusive@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@@Z ; SMKM_STORE<SM_TRAITS>::SmStAcquireStoreLockExclusive(SMKM_STORE<SM_TRAITS> *)
		mov	[esp+84h+var_60], 0

loc_5C5F86:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC594j
		mov	eax, [esp+84h+var_64]

loc_5C5F8A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC586j
		mov	ecx, [esp+84h+var_6C]
		mov	edx, [ecx+484h]
		mov	[esp+84h+var_34], edx
		mov	edx, [edx]
		test	edx, edx
		jz	short loc_5C5FBA
		cmp	edx, 3
		lea	edx, [ecx+0Ch]
		jnz	loc_4C9814
		mov	edx, [esp+84h+var_34]
		cmp	edi, [edx+4]
		lea	edx, [ecx+0Ch]
		jnb	loc_4C9814

loc_5C5FBA:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC81Cj
		mov	edx, [esp+84h+var_60]
		test	edx, edx
		jnz	short loc_5C5FC6
		mov	[esp+84h+var_50], edi

loc_5C5FC6:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC840j
		inc	edx
		mov	[esp+84h+var_60], edx
		lea	edx, [ecx+0Ch]
		jmp	loc_4C9814
; 

loc_5C5FD3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+1EEj
		cmp	eax, 0C0000006h
		jz	short loc_5C5FDC
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_5C5FDC:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+A6j
					; ST_STORE_SM_TRAITS___StDmPageRemove+26Dj ...
		mov	ecx, [esp+70h+var_58]

loc_5C5FE0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC56Ej
		mov	esi, [esp+70h+var_54]
		jmp	loc_4C9A70
; 

loc_5C5FE9:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+EEj
		mov	esi, 0C0000006h
		mov	ecx, edi
		jmp	loc_4C9A70
; 

loc_5C5FF5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+2BCj
		mov	ecx, [edi+1C0h]
		test	byte ptr [ecx+10F5h], 4
		jz	loc_5C61EB
		add	ecx, 10F8h
		or	eax, 0FFFFFFFFh
		mov	[esp+70h+var_40], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5C6028
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [esp+70h+var_40]

loc_5C6028:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC89Dj
		xor	edi, edi
		mov	[esp+70h+var_38], edi
		test	ecx, 7FFFFFFCh
		jz	loc_5C61DB
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[esp+70h+var_24], esi
		cmp	ecx, edx
		jb	short loc_5C607B
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_5C606A
		cmp	ecx, edx
		jb	short loc_5C607B
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_5C607B

loc_5C606A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC8DBj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [esp+70h+var_40]
		jmp	short loc_5C607E
; 

loc_5C607B:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC8D2j
					; ST_STORE_SM_TRAITS___StDmPageRemove+FC8DFj ...
		or	eax, 0FFFFFFFFh

loc_5C607E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC8F9j
		dec	word ptr [esi+13Eh]
		mov	[esp+70h+var_30], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[esp+70h+var_59], dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+70h+var_20], ecx
		test	ecx, ecx
		jnz	short loc_5C60D1
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_5C614C
		push	ecx
		push	[esp+74h+var_30]
		push	[esp+78h+var_40]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C60D1:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC92Dj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5C60E8
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+84h+var_34]

loc_5C60E8:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC95Dj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+84h+var_4C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	[esp+84h+var_6D], 1
		jnz	short loc_5C613B
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al
		jmp	short loc_5C614C
; 

loc_5C613B:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC9A7j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [esp+84h+var_38]

loc_5C614C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC937j
					; ST_STORE_SM_TRAITS___StDmPageRemove+FC9B9j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+84h+var_48], eax
		jz	short loc_5C61BF
		test	edi, 8000h
		jz	short loc_5C6175
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [esp+84h+var_48]

loc_5C6175:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC9E6j
		test	byte ptr [esp+84h+var_4C+2], 1
		jz	short loc_5C618C
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [esp+84h+var_48]

loc_5C618C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC9FAj
		test	edi, 7FFFh
		jz	short loc_5C61A7
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority
		mov	eax, [esp+84h+var_48]

loc_5C61A7:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FCA12j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5C61BF
		mov	edx, [esp+84h+var_54]
		mov	ecx, esi
		push	eax
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5C61BF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC9DEj
					; ST_STORE_SM_TRAITS___StDmPageRemove+FCA31j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5C61D7
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5C61D7
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5C61D7:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FCA48j
					; ST_STORE_SM_TRAITS___StDmPageRemove+FCA50j
		mov	esi, [esp+84h+var_60]

loc_5C61DB:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC8B4j
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [esp+84h+var_6C]

loc_5C61EB:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC882j
		push	ecx
		push	esi
		lea	edx, [esp+8Ch+var_50]
		call	?SmEvictKeys@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAT_SM_PAGE_KEY@@KPAU?$SMKM_STORE@USM_TRAITS@@@@@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,SMKM_STORE<SM_TRAITS> *)
		mov	ecx, [edi+1C0h]
		call	?SmStAcquireStoreLockExclusive@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@@Z ; SMKM_STORE<SM_TRAITS>::SmStAcquireStoreLockExclusive(SMKM_STORE<SM_TRAITS> *)
		jmp	loc_4C9A42
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmPageRemove
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmPageRecordRemove

loc_5C6206:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+4Fj
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4C9BA5
; 

loc_5C620D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+79j
		cmp	eax, 0C0000006h
		jz	loc_4C9C50
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4C9C50
; 

loc_5C621F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+9Aj
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4C9BF0
; 

loc_5C6226:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+B2j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4C9C08
; 

loc_5C622D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+C6j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4C9C1C
; 

loc_5C6234:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRecordRemove+86j
		mov	edi, [ebp+arg_0]
		jmp	loc_4C9C1C
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmPageRecordRemove
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmCombineRegion

loc_5C623C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+9Cj
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4C9D82
; 

loc_5C6243:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineRegion+188j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4C9E6E
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmCombineRegion
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry

loc_5C624A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+3C6j
		xor	eax, eax
		jmp	loc_4CA32F
; 

loc_5C6251:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+3DDj
		push	ecx
		call	?BTreeFindLeafSibling@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGPAUNODE@?$B_TREE_HEADER@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAU23@K@Z	; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY>::NODE *,ulong)
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4CA392
		or	ecx, eax
		jmp	loc_4CA078
; 

loc_5C6267:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+317j
		mov	bl, [ebp+var_9]
		jmp	loc_4CA215
; 

loc_5C626F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+18Dj
		xor	eax, eax
		jmp	loc_4CA0F6
; 

loc_5C6276:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+19Bj
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	loc_4CA101
		mov	edx, [ebx]
		cmp	eax, edx
		jz	loc_4CA101
		xor	eax, eax
		lea	edi, [ebp+var_50]
		mov	ecx, 6
		rep stosd
		test	edx, edx
		jnz	short loc_5C629F
		xor	edi, edi
		jmp	short loc_5C62A3
; 

loc_5C629F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FC339j
		movzx	edi, byte ptr [edx+2]

loc_5C62A3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FC33Dj
		lea	eax, ds:0[edi*8]
		call	__alloca_probe_16
		mov	edx, 2
		lea	ecx, [ebp+var_50]
		mov	esi, esp
		call	?BTreeSearchResultInit@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGXPAUSEARCH_RESULT@1@K@Z ;	B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeSearchResultInit(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_50]
		push	eax
		mov	ecx, ebx
		mov	[ebp+var_50], esi
		mov	[ebp+var_44], 0
		mov	edx, [edx+8]
		mov	[ebp+var_40], edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey
		mov	ecx, [esi+edi*8-0Ch]
		mov	edi, [esi+edi*8-10h]
		lea	eax, [edi+8]
		cmp	ecx, eax
		jbe	short loc_5C62F0
		lea	edi, [ecx-4]
		jmp	short loc_5C62F3
; 

loc_5C62F0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FC389j
		add	edi, 4

loc_5C62F3:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FC38Ej
		lea	edx, [ebp+var_50]
		mov	ecx, ebx
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	esi, [ebx+8]
		lea	ecx, [ebx+8]
		cmp	dword ptr [esi], 0FFFFFFFFh
		jz	short loc_5C630F
		mov	edx, edi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)

loc_5C630F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FC3A6j
		mov	eax, [ebp+var_8]
		jmp	loc_4CA103
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult

loc_5C6317:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+4Bj
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	loc_4CA3F9
		mov	eax, [edi]
		mov	[ebp+var_C], eax
		cmp	ecx, eax
		jz	loc_4CA3F9
		cmp	esi, 0FFFFFFFFh
		jz	short loc_5C634A
		mov	ecx, [edx-8]
		mov	esi, [edx-4]
		lea	eax, [ecx+8]
		cmp	esi, eax
		jbe	short loc_5C6345
		add	esi, 0FFFFFFFCh
		jmp	short loc_5C63C4
; 

loc_5C6345:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FBF96j
		lea	esi, [ecx+4]
		jmp	short loc_5C63C4
; 

loc_5C634A:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FBF89j
		mov	eax, [edx]
		lea	edi, [ebp+var_2C]
		mov	[ebp+var_10], eax
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5C6364
		xor	edi, edi
		jmp	short loc_5C6368
; 

loc_5C6364:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FBFB6j
		movzx	edi, byte ptr [eax+2]

loc_5C6368:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FBFBAj
		mov	eax, edi
		mov	[ebp+var_C], edi
		shl	eax, 3
		call	__alloca_probe_16
		mov	esi, esp
		lea	ecx, [ebp+var_2C]
		push	2
		pop	edx
		call	?BTreeSearchResultInit@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGXPAUSEARCH_RESULT@1@K@Z ;	B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeSearchResultInit(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_2C]
		and	[ebp+var_20], 0
		mov	[ebp+var_1C], edi
		mov	edi, [ebp+var_14]
		mov	ecx, edi
		mov	edx, [edx+8]
		push	eax
		mov	[ebp+var_2C], esi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey
		mov	eax, [ebp+var_C]
		mov	ecx, [esi+eax*8-0Ch]
		mov	esi, [esi+eax*8-10h]
		lea	eax, [esi+8]
		cmp	ecx, eax
		jbe	short loc_5C63B7
		lea	esi, [ecx-4]
		jmp	short loc_5C63BA
; 

loc_5C63B7:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FC008j
		add	esi, 4

loc_5C63BA:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FC00Dj
		lea	edx, [ebp+var_2C]
		mov	ecx, edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref

loc_5C63C4:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FBF9Bj
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FBFA0j
		lea	ecx, [edi+8]
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CA3F9
		push	3
		mov	edx, esi
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		jmp	loc_4CA3F9
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmpSinglePageAdd

loc_5C63E0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+65j
		neg	edx
		sbb	edx, edx
		and	edx, 0FFFFFFF9h
		add	edx, 7
		jmp	loc_4CA48D
; 

loc_5C63EF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+18Cj
		mov	ecx, [edi+1ACh]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_14], eax
		test	ecx, 400h
		jz	short loc_5C640D
		mov	edx, 1000h
		jmp	loc_4CA5BB
; 

loc_5C640D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FBFE1j
		test	[ebp+var_30], 8000h
		jz	short loc_5C6446
		mov	eax, [edi+41Ch]
		push	1000h		; size_t
		push	edx		; void *
		add	eax, 1000h
		push	eax		; void *
		call	_memcpy
		mov	eax, [edi+41Ch]
		add	esp, 0Ch
		add	eax, 1000h
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_38]
		mov	eax, [eax]
		mov	[ebp+var_14], eax

loc_5C6446:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FBFF4j
		xor	edx, edx
		jmp	loc_4CA5BB
; 

loc_5C644D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+1BDj
		mov	eax, [ebp+var_28]
		cmp	eax, [edi+1D0h]
		jnb	short loc_5C6463
		mov	eax, [edi+41Ch]
		mov	[ebp+var_14], eax
		jmp	short loc_5C6468
; 

loc_5C6463:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC036j
		mov	eax, ecx
		mov	[ebp+var_14], ecx

loc_5C6468:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC041j
		test	edx, edx
		jnz	short loc_5C64B0
		mov	eax, [edi+200h]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		movzx	eax, word ptr [edi+224h]
		push	1000h
		push	1000h
		push	[ebp+var_14]
		push	1000h
		push	[ebp+var_1C]
		push	eax
		call	_RtlCompressBuffer@32 ;	RtlCompressBuffer(x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_18]
		test	eax, eax
		mov	eax, [ebp+var_14]
		jns	short loc_5C64AD
		mov	edx, 1000h
		mov	[ebp+var_20], edx
		jmp	short loc_5C64B0
; 

loc_5C64AD:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC081j
		mov	edx, [ebp+var_20]

loc_5C64B0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC04Aj
					; ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC08Bj
		cmp	eax, ecx
		jz	short loc_5C64DC
		mov	eax, [edi+1D4h]
		mov	edi, [ebp+var_40]
		add	eax, 0Fh
		add	eax, edx
		shr	eax, 4
		mov	[edi], eax
		mov	edi, [ebp+var_34]
		cmp	eax, [ebp+var_28]
		jbe	short loc_5C64D9
		mov	eax, 0C000022Dh
		jmp	loc_4CA708
; 

loc_5C64D9:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC0ADj
		mov	eax, [ebp+var_14]

loc_5C64DC:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC092j
		cmp	edx, 0FF0h
		jbe	short loc_5C6505
		test	dword ptr [edi+1ACh], 200h
		jz	short loc_5C64FA
		mov	eax, 0C0000426h
		jmp	loc_4CA708
; 

loc_5C64FA:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC0CEj
		mov	eax, [ebp+var_1C]
		mov	edx, 1000h
		mov	[ebp+var_20], edx

loc_5C6505:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC0C2j
		cmp	eax, ecx
		jz	loc_4CA5F0
		push	edx
		push	eax
		jmp	loc_4CA5E7
; 

loc_5C6514:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+1FBj
		mov	eax, 0C000009Ah
		jmp	loc_4CA708
; 

loc_5C651E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+2A7j
		lea	eax, [edx+ecx]
		mov	[ebp+var_24], eax
		cmp	ecx, 10h
		jb	loc_5C65BC
		add	eax, 0FFFFFFF0h
		mov	ecx, edx
		mov	[ebp+var_48], eax
		mov	ebx, 85EBCA77h
		xor	esi, esi
		mov	edi, 61C8864Fh
		mov	edx, 24234428h

loc_5C6546:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC173j
		imul	eax, [ecx], 7A143589h
		sub	edx, eax
		imul	eax, [ecx+4], 7A143589h
		rol	edx, 0Dh
		imul	edx, 9E3779B1h
		sub	ebx, eax
		imul	eax, [ecx+8], 7A143589h
		rol	ebx, 0Dh
		imul	ebx, 9E3779B1h
		sub	esi, eax
		imul	eax, [ecx+0Ch],	7A143589h
		rol	esi, 0Dh
		add	ecx, 10h
		imul	esi, 9E3779B1h
		sub	edi, eax
		rol	edi, 0Dh
		imul	edi, 9E3779B1h
		cmp	ecx, [ebp+var_48]
		jbe	short loc_5C6546
		rol	edi, 12h
		rol	esi, 0Ch
		add	edi, esi
		rol	ebx, 7
		mov	esi, [ebp+var_44]
		add	edi, ebx
		mov	ebx, [ebp+var_28]
		rol	edx, 1
		add	edi, edx
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+var_20]
		mov	eax, edi
		mov	edx, [ebp+var_18]
		mov	[ebp+var_1C], edi
		jmp	short loc_5C65C4
; 

loc_5C65BC:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC107j
		mov	eax, 165667B1h
		mov	[ebp+var_14], edx

loc_5C65C4:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC19Aj
		add	eax, ecx
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_14]
		lea	ecx, [eax+4]
		cmp	ecx, [ebp+var_24]
		mov	[ebp+var_44], ecx
		mov	ecx, [ebp+var_1C]
		ja	short loc_5C6600
		mov	edx, [ebp+var_44]

loc_5C65DD:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC1D8j
		mov	eax, [eax]
		imul	eax, 3D4D51C3h
		sub	ecx, eax
		mov	eax, edx
		rol	ecx, 11h
		imul	ecx, 27D4EB2Fh
		lea	edx, [eax+4]
		cmp	edx, [ebp+var_24]
		jbe	short loc_5C65DD
		mov	edx, [ebp+var_18]
		mov	[ebp+var_14], eax

loc_5C6600:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC1B8j
		mov	edi, [ebp+var_24]
		mov	eax, edi
		sub	eax, [ebp+var_14]
		cmp	edi, [ebp+var_14]
		sbb	edi, edi
		not	edi
		and	edi, eax
		mov	[ebp+var_44], edi
		mov	edi, [ebp+var_34]
		jbe	short loc_5C6646
		mov	edi, [ebp+var_14]
		xor	ebx, ebx
		mov	edx, [ebp+var_44]

loc_5C6621:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC21Bj
		movzx	eax, byte ptr [edi]
		lea	edi, [edi+1]
		imul	eax, 165667B1h
		inc	ebx
		add	eax, ecx
		rol	eax, 0Bh
		imul	ecx, eax, 9E3779B1h
		cmp	ebx, edx
		jb	short loc_5C6621
		mov	ebx, [ebp+var_28]
		mov	edi, [ebp+var_34]
		mov	edx, [ebp+var_18]

loc_5C6646:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC1F7j
		mov	eax, ecx
		shr	eax, 0Fh
		xor	eax, ecx
		imul	ecx, eax, 85EBCA77h
		mov	eax, ecx
		shr	eax, 0Dh
		xor	eax, ecx
		imul	eax, 0C2B2AE3Dh
		mov	ecx, eax
		shr	ecx, 10h
		xor	ecx, eax
		mov	eax, [ebp+var_38]
		jmp	loc_4CA6D3
; 

loc_5C666F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+2C0j
		mov	ecx, [ecx+4]
		mov	edx, [ebp+var_20]
		dec	edx
		add	edx, ecx
		neg	ecx
		and	edx, ecx
		add	dword ptr [edi+238h], 1
		mov	ecx, [edi+238h]
		adc	dword ptr [edi+23Ch], 0
		mov	eax, [edi+23Ch]
		mov	[ebx+0Ch], ecx
		mov	[ebp+var_54], eax
		mov	ax, [edi+23Ch]
		mov	[ebx+6], ax
		mov	eax, [ebp+var_20]
		push	ecx
		mov	ecx, [ebp+var_3C]
		mov	[ebp+var_10], eax
		mov	eax, [ebx+0Ch]
		push	ecx
		mov	[ebp+var_C], eax
		movzx	eax, word ptr [ebx+6]
		push	ecx
		mov	ecx, [edi+234h]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	edx
		mov	edx, [ebp+var_18]
		push	edx
		call	_SmCrAuthEncrypt@32 ; SmCrAuthEncrypt(x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_5C66F2
		mov	eax, 0C000028Ah
		jmp	loc_4CA708
; 

loc_5C66E2:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+2CDj
		push	[ebp+var_20]
		push	edx
		push	0
		call	_RtlComputeCrc32@12 ; RtlComputeCrc32(x,x,x)
		mov	ecx, [ebp+var_3C]
		mov	[ecx], eax

loc_5C66F2:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC2B6j
		mov	eax, [ebp+var_38]
		jmp	loc_4CA6F3
; 

loc_5C66FA:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+2EDj
		mov	ecx, [edi+1C0h]
		call	?SmStAcquireStoreLockExclusive@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@@Z ; SMKM_STORE<SM_TRAITS>::SmStAcquireStoreLockExclusive(SMKM_STORE<SM_TRAITS> *)
		mov	eax, [ebp+var_14]
		jmp	loc_4CA713
; 

loc_5C670D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+2F6j
		mov	ecx, edi
		call	?StDmpCurrentRegionWrite@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StDmpCurrentRegionWrite(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		mov	[ebp+var_14], eax
		jmp	loc_4CA71C
; 

loc_5C671C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+2FEj
		lea	ecx, [edi+6Ch]
		mov	edx, ebx
		call	_SmHpChunkFree@8 ; SmHpChunkFree(x,x)
		mov	eax, [ebp+var_14]
		jmp	loc_4CA724
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmpSinglePageAdd
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork

loc_5C672E:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork+4Dj
		mov	esi, 0FFDF000Ch
		lea	edi, [esi-4]

loc_5C6736:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork+FBDF9j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	ebx, [esi]
		mov	eax, 0FFDF0010h
		mov	edx, [edi]
		cmp	ebx, [eax]
		jnz	short loc_5C6736
		mov	edi, [ebp+var_C]
		mov	esi, 0FFDF03B0h
		mov	ecx, [ebp+var_10]
		jmp	loc_4CA9A3
; 

loc_5C675B:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork+81j
		or	eax, 0FFFFFFFFh
		mov	[ebp+arg_4], 0FFFFFFFFh
		or	edi, 0FFFFFFFFh
		mov	[ebp+arg_0], 0FFFFFFFFh
		jmp	loc_4CAA34
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule

loc_5C6774:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+74j
					; ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+7Dj
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+arg_4]
		jmp	loc_4CAAF3
; 

loc_5C677F:				; CODE XREF: ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+88j
					; ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule+91j
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+arg_4]
		jmp	loc_4CAB07
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StLazyWorkMgrSetSchedule
; 
; START	OF FUNCTION CHUNK FOR SmHpBufferProtectEx

loc_5C678A:				; CODE XREF: SmHpBufferProtectEx+309j
		mov	[ebx+8], esi
		jmp	loc_4CAC6B
; 

loc_5C6792:				; CODE XREF: SmHpBufferProtectEx+194j
		test	dl, 4
		jz	short loc_5C679E
		xor	esi, esi
		jmp	loc_4CAC6B
; 

loc_5C679E:				; CODE XREF: SmHpBufferProtectEx+FBB65j
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_14]
		push	edi
		call	_SmPrepareForFatalHeapCorruption@20 ; SmPrepareForFatalHeapCorruption(x,x,x,x,x)
		push	[ebp+var_20]
		mov	eax, [ebx+8]
		push	eax
		mov	eax, [ebx]
		push	eax
		push	[ebp+arg_4]
		push	1C7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C67C4:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+26j
		lea	edx, [esi+0Ch]
		mov	ecx, esi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref
		mov	ecx, [esi+20h]
		mov	eax, [ebp+var_C]
		jmp	loc_4CAF7C
; END OF FUNCTION CHUNK	FOR SmHpBufferProtectEx
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmpSinglePageInsert

loc_5C67D9:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+F9j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4CB04F
; 

loc_5C67E0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+119j
		test	edi, edi
		js	short loc_5C683B
		mov	edi, 0C0000154h
		jmp	loc_4CB080
; 

loc_5C67EE:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+164j
		test	edi, edi
		js	short loc_5C683B
		mov	edi, 0C0000154h
		jmp	loc_4CB0CB
; 

loc_5C67FC:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+1B7j
		mov	eax, [ebp+var_14]
		xor	edx, edx
		mov	ecx, [eax]
		mov	eax, ecx
		shr	eax, 1Eh
		and	ecx, 7
		and	eax, 1
		add	ecx, ecx
		or	eax, ecx
		mov	ecx, 0FFFh
		push	eax
		mov	ax, [ebx+4]
		and	ax, cx
		movzx	eax, ax
		push	eax
		mov	eax, [ebx]
		push	esi
		push	eax
		push	ecx
		lea	eax, [ebp+var_20]
		mov	ecx, offset unk_718648
		push	eax
		call	_SmEtwLogStoreOp@32 ; SmEtwLogStoreOp(x,x,x,x,x,x,x,x)
		jmp	loc_4CB10D
; 

loc_5C683B:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+132j
					; ST_STORE_SM_TRAITS___StDmpSinglePageInsert+17Dj ...
		lea	ebx, [esi+0Ch]

loc_5C683E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+C7j
		mov	eax, [ebp+var_8]
		test	al, 1
		jz	short loc_5C6860
		mov	edx, ebx
		mov	ecx, esi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx
		test	eax, eax
		jns	short loc_5C685D
		cmp	eax, 0C0000006h
		jz	short loc_5C685B
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_5C685B:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB907j
		mov	edi, eax

loc_5C685D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB900j
		mov	eax, [ebp+var_8]

loc_5C6860:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB8F3j
		cmp	eax, 2
		jb	short loc_5C6882
		mov	ecx, [ebp+var_18]
		lea	edx, [esi+30h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx
		test	eax, eax
		jns	short loc_5C687F
		cmp	eax, 0C0000006h
		jz	short loc_5C687D
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_5C687D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB929j
		mov	edi, eax

loc_5C687F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB922j
		mov	eax, [ebp+var_8]

loc_5C6882:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB913j
		cmp	eax, 4
		jb	short loc_5C6898
		lea	ecx, [esi+48h]
		lea	edx, [esi+54h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx
		test	eax, eax
		jns	short loc_5C6898
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_5C6898:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB935j
					; ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB944j
		mov	eax, edi
		jmp	loc_4CB10F
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmpSinglePageInsert
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx

loc_5C689F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+C0j
		sar	eax, 3
		jmp	loc_4CB219
; 

loc_5C68A7:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+12Cj
		test	ecx, ecx
		jns	loc_4CB28A
		movzx	eax, word ptr [ebx]
		mov	esi, ebx
		inc	eax
		add	ecx, eax
		jmp	loc_4CB41F
; 

loc_5C68BC:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+199j
		dec	ecx
		jmp	loc_4CB2EF
; 

loc_5C68C2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+20Bj
		mov	eax, 0C000009Ah
		jmp	loc_4CB1FB
; 

loc_5C68CC:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+239j
		dec	ecx
		jmp	loc_4CB38F
; 

loc_5C68D2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx+14Bj
		lea	eax, [ecx+1]
		lea	eax, [esi+eax*8]
		mov	[edx+4], eax
		mov	al, [esi+3]
		mov	[ebp+var_10], eax
		mov	eax, [esi]
		jmp	loc_4CB1C0
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeInsertEx
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey

loc_5C68E8:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+1Dj
		xor	eax, eax
		jmp	loc_4CB466
; 

loc_5C68EF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+2Ej
		mov	edx, [ebx+0Ch]
		cmp	edx, 0FFFFFFFFh
		jnz	loc_5C69B0
		mov	ebx, [ebx+4]
		test	ebx, ebx
		jz	loc_5C699E
		mov	edx, [ecx]
		cmp	ebx, edx
		jz	loc_5C699E
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		mov	ecx, 6
		rep stosd
		test	edx, edx
		jnz	short loc_5C6924
		xor	edi, edi
		jmp	short loc_5C6928
; 

loc_5C6924:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB4DEj
		movzx	edi, byte ptr [edx+2]

loc_5C6928:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB4E2j
		lea	eax, ds:0[edi*8]
		mov	[ebp+var_C], edi
		call	__alloca_probe_16
		mov	edx, 2
		lea	ecx, [ebp+var_3C]
		mov	esi, esp
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		mov	edx, [ebx+8]
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_2C], edi
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		push	eax
		mov	[ebp+var_3C], esi
		mov	[ebp+var_30], 0
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		mov	eax, [ebp+var_C]
		mov	ecx, [esi+eax*8-0Ch]
		mov	esi, [esi+eax*8-10h]
		lea	eax, [esi+8]
		cmp	ecx, eax
		jbe	short loc_5C697B
		lea	esi, [ecx-4]
		jmp	short loc_5C697E
; 

loc_5C697B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB534j
		add	esi, 4

loc_5C697E:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB539j
		lea	edx, [ebp+var_3C]
		mov	ecx, edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	ecx, edi
		mov	eax, [ecx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_5C699E
		mov	edx, esi
		lea	ecx, [ecx+8]
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	ecx, edi

loc_5C699E:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB4C0j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB4CAj ...
		mov	ebx, [ebp+arg_0]
		mov	eax, [ebx+0Ch]
		mov	dword ptr [ebx+4], 0
		jmp	loc_4CB485
; 

loc_5C69B0:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB4B5j
		cmp	edx, 1
		jbe	loc_4CB480
		mov	eax, [ebx]
		mov	esi, [eax+edx*8-0Ch]
		mov	edx, [eax+edx*8-10h]
		lea	eax, [edx+8]
		cmp	esi, eax
		jbe	short loc_5C69CF
		lea	edx, [esi-4]
		jmp	short loc_5C69D2
; 

loc_5C69CF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB588j
		add	edx, 4

loc_5C69D2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB58Dj
		mov	esi, ecx
		lea	eax, [ecx+8]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	eax, [esi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CB480
		mov	ecx, esi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	ecx, [ebp+var_8]
		jmp	loc_4CB480
; 

loc_5C69F7:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+6Aj
		push	ebx
		push	eax
		mov	edx, 8
		mov	ecx, esi
		call	SmArrayGrow
		test	eax, eax
		jnz	short loc_5C6A13
		mov	eax, 0C000009Ah
		jmp	loc_4CB5FE
; 

loc_5C6A13:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB5C7j
		mov	ecx, [ebp+var_8]
		jmp	loc_4CB4B0
; 

loc_5C6A1B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+1B3j
		mov	dword ptr [eax], 0
		mov	dword ptr [eax+4], 0
		jmp	loc_4CB5F9
; 

loc_5C6A2D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+1A0j
		cmp	byte ptr [edx+2], 2
		jnz	loc_4CB5E6
		mov	eax, [ebp+arg_0]
		lea	edx, [esi+4]
		lea	ecx, [ecx+8]
		mov	eax, [eax+14h]
		and	eax, 1
		add	eax, eax
		push	eax
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		mov	edx, eax
		mov	[ebp+var_18], edx
		test	edx, edx
		jz	short loc_5C6A5F
		mov	ecx, [ebp+var_8]
		jmp	loc_4CB4C2
; 

loc_5C6A5F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey+FB615j
		mov	eax, 0C0000006h
		jmp	loc_4CB5FE
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx

loc_5C6A69:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+C0j
		sar	eax, 3
		jmp	loc_4CB709
; 

loc_5C6A71:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+252j
		test	ecx, ecx
		jns	loc_4CB89C
		movzx	eax, word ptr [ebx]
		mov	esi, ebx
		inc	eax
		add	ecx, eax
		jmp	loc_4CB914
; 

loc_5C6A86:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+231j
		dec	ecx
		jmp	loc_4CB877
; 

loc_5C6A8C:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+1D5j
		mov	eax, 0C000009Ah
		jmp	loc_4CB6EB
; 

loc_5C6A96:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+203j
		dec	ecx
		jmp	loc_4CB849
; 

loc_5C6A9C:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx+132j
		lea	eax, [ecx+1]
		lea	eax, [esi+eax*8]
		mov	[edx+4], eax
		mov	al, [esi+3]
		mov	[ebp+var_10], eax
		mov	eax, [esi]
		jmp	loc_4CB6B0
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeInsertEx
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey

loc_5C6AB2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+1Fj
		xor	eax, eax
		jmp	loc_4CB958
; 

loc_5C6AB9:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+3Cj
		mov	dword ptr [ebx+4], 0
		jmp	loc_4CB977
; 

loc_5C6AC5:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+30j
		mov	edx, [ebx+0Ch]
		cmp	edx, 0FFFFFFFFh
		jnz	loc_5C6B8C
		mov	eax, [ebx+4]
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_5C6B7D
		mov	edx, [ecx]
		cmp	eax, edx
		jz	loc_5C6B7D
		xor	eax, eax
		lea	edi, [ebp+var_38]
		mov	ecx, 6
		rep stosd
		test	edx, edx
		jnz	short loc_5C6AFD
		xor	edi, edi
		jmp	short loc_5C6B01
; 

loc_5C6AFD:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB1C7j
		movzx	edi, byte ptr [edx+2]

loc_5C6B01:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB1CBj
		lea	eax, ds:0[edi*8]
		mov	[ebp+var_18], edi
		call	__alloca_probe_16
		mov	edx, 2
		lea	ecx, [ebp+var_38]
		mov	esi, esp
		call	?BTreeSearchResultInit@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGXPAUSEARCH_RESULT@1@K@Z ;	B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeSearchResultInit(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_38]
		mov	[ebp+var_28], edi
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		push	eax
		mov	edx, [edx+8]
		mov	[ebp+var_38], esi
		mov	[ebp+var_2C], 0
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey
		mov	eax, [ebp+var_18]
		mov	ecx, [esi+eax*8-0Ch]
		mov	esi, [esi+eax*8-10h]
		lea	eax, [esi+8]
		cmp	ecx, eax
		jbe	short loc_5C6B57
		lea	esi, [ecx-4]
		jmp	short loc_5C6B5A
; 

loc_5C6B57:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB220j
		add	esi, 4

loc_5C6B5A:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB225j
		lea	edx, [ebp+var_38]
		mov	ecx, edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	ecx, edi
		mov	eax, [ecx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_5C6B7A
		mov	edx, esi
		lea	ecx, [ecx+8]
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	ecx, edi

loc_5C6B7A:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB23Cj
		mov	esi, [ebp+var_10]

loc_5C6B7D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB1A9j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB1B3j
		mov	eax, [ebx+0Ch]
		mov	dword ptr [ebx+4], 0
		jmp	loc_4CB977
; 

loc_5C6B8C:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB19Bj
		cmp	edx, 1
		jbe	loc_4CB972
		mov	eax, [ebx]
		mov	esi, [eax+edx*8-0Ch]
		mov	edx, [eax+edx*8-10h]
		lea	eax, [edx+8]
		cmp	esi, eax
		jbe	short loc_5C6BAB
		lea	edx, [esi-4]
		jmp	short loc_5C6BAE
; 

loc_5C6BAB:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB274j
		add	edx, 4

loc_5C6BAE:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB279j
		mov	esi, ecx
		lea	eax, [ecx+8]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	eax, [esi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_5C6BCA
		mov	ecx, esi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	ecx, [ebp+var_8]

loc_5C6BCA:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB28Ej
		mov	esi, [ebp+var_10]
		jmp	loc_4CB972
; 

loc_5C6BD2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+4Aj
		xor	edi, edi
		lea	edx, [ebx+4]
		mov	[ebp+var_18], edi
		jmp	loc_4CB9A7
; 

loc_5C6BDF:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+6Cj
		push	ebx
		push	eax
		mov	edx, 8
		mov	ecx, esi
		call	SmArrayGrow
		test	eax, eax
		jnz	short loc_5C6BFB
		mov	eax, 0C000009Ah
		jmp	loc_4CBA63
; 

loc_5C6BFB:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB2BFj
		mov	ecx, [ebp+var_8]
		jmp	loc_4CB9A2
; 

loc_5C6C03:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+1E8j
		mov	dword ptr [edx], 0
		mov	dword ptr [edx+4], 0
		jmp	loc_4CBA5E
; 

loc_5C6C15:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+1BAj
		cmp	byte ptr [edx+2], 2
		jnz	loc_4CBAF0
		mov	eax, [ebp+arg_0]
		lea	edx, [esi+4]
		lea	ecx, [ecx+8]
		mov	eax, [eax+14h]
		and	eax, 1
		add	eax, eax
		push	eax
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		mov	edx, eax
		mov	[ebp+var_C], edx
		test	edx, edx
		jz	short loc_5C6C4A
		mov	ecx, [ebp+var_8]
		mov	esi, [ebp+var_10]
		jmp	loc_4CB9C0
; 

loc_5C6C4A:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey+FB30Dj
		mov	eax, 0C0000006h
		jmp	loc_4CBA63
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmpUpdateRegionState

loc_5C6C54:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpUpdateRegionState+31j
		xor	eax, eax
		jmp	loc_4CBB5C
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmpUpdateRegionState
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx

loc_5C6C5B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+BCj
		mov	[ebp+var_10], 8
		jmp	loc_4CBD09
; 

loc_5C6C67:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+11Fj
		movzx	eax, word ptr [ecx]
		add	[ebp+var_4], eax
		mov	esi, [ebp+var_8]
		mov	eax, [ebp+var_4]
		jmp	short loc_5C6C8E
; 

loc_5C6C75:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+117j
		test	eax, eax
		jns	loc_4CBD65
		movzx	eax, word ptr [ecx]
		mov	ecx, [ebp+var_4]
		mov	esi, [ebp+var_8]
		inc	ecx
		add	ecx, eax
		mov	[ebp+var_4], ecx
		mov	eax, ecx

loc_5C6C8E:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+127j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+FB033j
		mov	ecx, [ebp+var_C]
		mov	edi, [ebp+var_18]
		mov	[edx-4], ecx
		jmp	loc_4CBD70
; 

loc_5C6C9C:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+FCj
		cmp	eax, edi
		jle	loc_4CBD6D
		sub	eax, edi
		cmp	byte ptr [ebp+var_10], 0
		jnz	short loc_5C6CAD
		dec	eax

loc_5C6CAD:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+FB06Aj
		mov	edi, [ebp+var_18]
		mov	esi, ecx
		mov	ecx, [ebp+var_C]
		mov	[edx-4], ecx
		jmp	loc_4CBD70
; 

loc_5C6CBD:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+1E4j
		dec	eax
		mov	[ebp+var_4], eax
		jmp	loc_4CBE2A
; 

loc_5C6CC6:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx+1D3j
		add	edi, 8
		jmp	loc_4CBD70
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeInsertEx
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey

loc_5C6CCE:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+24j
		xor	eax, eax
		jmp	loc_4CBEFD
; 

loc_5C6CD5:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+3Ej
		mov	dword ptr [esi+4], 0
		jmp	loc_4CBF19
; 

loc_5C6CE1:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+32j
		mov	ecx, [esi+0Ch]
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_5C6DA8
		mov	eax, [esi+4]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_5C6D94
		mov	edx, [edx]
		cmp	eax, edx
		jz	loc_5C6D91
		xor	eax, eax
		lea	edi, [ebp+var_30]
		mov	ecx, 6
		rep stosd
		test	edx, edx
		jnz	short loc_5C6D19
		xor	edi, edi
		jmp	short loc_5C6D1D
; 

loc_5C6D19:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAE43j
		movzx	edi, byte ptr [edx+2]

loc_5C6D1D:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAE47j
		lea	eax, ds:0[edi*8]
		call	__alloca_probe_16
		mov	edx, 2
		lea	ecx, [ebp+var_30]
		mov	esi, esp
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		mov	eax, [ebp+var_C]
		lea	edx, [ebp+var_30]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_30], esi
		mov	[ebp+var_24], 0
		mov	eax, [eax+8]
		push	eax
		mov	[ebp+var_20], edi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	ecx, [esi+edi*8-0Ch]
		mov	esi, [esi+edi*8-10h]
		lea	eax, [esi+8]
		cmp	ecx, eax
		jbe	short loc_5C6D6B
		lea	esi, [ecx-4]
		jmp	short loc_5C6D6E
; 

loc_5C6D6B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAE94j
		add	esi, 4

loc_5C6D6E:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAE99j
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_30]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref
		mov	edx, [ebp+var_8]
		mov	eax, [edx+8]
		lea	ecx, [edx+8]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_5C6DA3
		mov	edx, esi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	esi, [ebp+var_14]

loc_5C6D91:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAE2Fj
		mov	edx, [ebp+var_8]

loc_5C6D94:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAE25j
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAED6j
		mov	eax, [esi+0Ch]
		mov	dword ptr [esi+4], 0
		jmp	loc_4CBF19
; 

loc_5C6DA3:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAEB5j
		mov	esi, [ebp+var_14]
		jmp	short loc_5C6D94
; 

loc_5C6DA8:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAE17j
		cmp	ecx, 1
		jbe	loc_4CBF14
		mov	eax, [esi]
		mov	edx, [eax+ecx*8-0Ch]
		mov	ecx, [eax+ecx*8-10h]
		lea	eax, [ecx+8]
		cmp	edx, eax
		jbe	short loc_5C6DC7
		add	edx, 0FFFFFFFCh
		jmp	short loc_5C6DCA
; 

loc_5C6DC7:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAEF0j
		lea	edx, [ecx+4]

loc_5C6DCA:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAEF5j
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		add	eax, 8
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_5C6DE4
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)

loc_5C6DE4:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAF0Dj
		mov	edx, [ebp+var_8]
		jmp	loc_4CBF14
; 

loc_5C6DEC:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+4Cj
		xor	eax, eax
		lea	edi, [esi+4]
		mov	[ebp+var_C], eax
		jmp	loc_4CBF4A
; 

loc_5C6DF9:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+6Dj
		push	esi
		push	eax
		mov	edx, 8
		call	SmArrayGrow
		test	eax, eax
		jnz	short loc_5C6E13
		mov	eax, 0C000009Ah
		jmp	loc_4CBFC0
; 

loc_5C6E13:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+FAF37j
		mov	edx, [ebp+var_8]
		jmp	loc_4CBF43
; 

loc_5C6E1B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+18Aj
		mov	dword ptr [edi], 0
		mov	dword ptr [edi+4], 0
		jmp	loc_4CBFBB
; 

loc_5C6E2D:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey+158j
		cmp	byte ptr [esi+2], 2
		jnz	loc_4CC02E
		mov	eax, [ebp+var_14]
		mov	eax, [eax+14h]
		and	eax, 1
		add	eax, eax
		push	eax
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		jnz	loc_4CBF57
		mov	eax, 0C0000006h
		jmp	loc_4CBFC0
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx

loc_5C6E5F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+C4j
		cmp	byte ptr [esi+2], 2
		jnz	loc_4CC2D0
		lea	edx, [esi+4]
		mov	ecx, edi
		push	1
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		mov	[ebx], eax
		lea	ebx, [esi+4]
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CC2D5
		mov	edx, ebx
		mov	ecx, edi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CC2D5
		mov	edx, ebx
		mov	ecx, edi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CC2D5
		mov	edx, ebx
		mov	ecx, edi
		call	?NpLeafRemoveInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAX@Z ; NP_CONTEXT::NpLeafRemoveInternal(NP_CONTEXT::NP_CTX *,void	* *)
		jmp	loc_4CC2D5
; 

loc_5C6EBB:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+10Bj
		mov	eax, 0C0000006h
		jmp	loc_4CC296
; 

loc_5C6EC5:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx+1D9j
		lea	eax, [ecx+eax*8]
		jmp	loc_4CC3E8
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeDeleteEx
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx

loc_5C6ECD:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+100j
		cmp	byte ptr [esi+2], 2
		jnz	loc_4CC516
		lea	edx, [esi+4]
		mov	ecx, edi
		push	1
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		mov	[ebx], eax
		lea	ebx, [esi+4]
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CC51B
		mov	edx, ebx
		mov	ecx, edi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CC51B
		mov	edx, ebx
		mov	ecx, edi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CC51B
		mov	edx, ebx
		mov	ecx, edi
		call	?NpLeafRemoveInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAX@Z ; NP_CONTEXT::NpLeafRemoveInternal(NP_CONTEXT::NP_CTX *,void	* *)
		jmp	loc_4CC51B
; 

loc_5C6F29:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+131j
		mov	eax, 0C0000006h
		jmp	loc_4CC4B6
; 

loc_5C6F33:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx+1A8j
		lea	eax, [eax+edx*8]
		add	eax, 8
		jmp	loc_4CC5C4
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeDeleteEx
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup

loc_5C6F3E:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup+28j
		mov	eax, [ecx]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_4CC65C
		mov	edx, [edx]
		cmp	eax, edx
		jz	loc_4CC65C
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_28]
		pop	ecx
		rep stosd
		test	edx, edx
		jnz	short loc_5C6F67
		xor	edi, edi
		jmp	short loc_5C6F6B
; 

loc_5C6F67:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup+FA933j
		movzx	edi, byte ptr [edx+2]

loc_5C6F6B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup+FA937j
		mov	eax, edi
		mov	[ebp+var_8], edi
		shl	eax, 3
		call	__alloca_probe_16
		mov	esi, esp
		lea	ecx, [ebp+var_28]
		push	2
		pop	edx
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		mov	eax, [ebp+var_C]
		lea	edx, [ebp+var_28]
		and	[ebp+var_1C], 0
		mov	[ebp+var_18], edi
		mov	edi, [ebp+var_10]
		mov	ecx, edi
		mov	eax, [eax+8]
		push	eax
		mov	[ebp+var_28], esi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	eax, [ebp+var_8]
		mov	ecx, [esi+eax*8-0Ch]
		mov	esi, [esi+eax*8-10h]
		lea	eax, [esi+8]
		cmp	ecx, eax
		jbe	short loc_5C6FBA
		lea	esi, [ecx-4]
		jmp	short loc_5C6FBD
; 

loc_5C6FBA:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup+FA985j
		add	esi, 4

loc_5C6FBD:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup+FA98Aj
		lea	edx, [ebp+var_28]
		mov	ecx, edi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref
		mov	eax, [ebx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CC65C
		mov	edx, esi
		mov	ecx, ebx
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		jmp	loc_4CC65C
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult

loc_5C6FE0:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult+4Bj
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	loc_4CC6BF
		mov	eax, [edi]
		mov	[ebp+var_C], eax
		cmp	ecx, eax
		jz	loc_4CC6BF
		cmp	esi, 0FFFFFFFFh
		jz	short loc_5C7013
		mov	ecx, [edx-8]
		mov	esi, [edx-4]
		lea	eax, [ecx+8]
		cmp	esi, eax
		jbe	short loc_5C700E
		add	esi, 0FFFFFFFCh
		jmp	short loc_5C708D
; 

loc_5C700E:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult+FA999j
		lea	esi, [ecx+4]
		jmp	short loc_5C708D
; 

loc_5C7013:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult+FA98Cj
		mov	eax, [edx]
		lea	edi, [ebp+var_2C]
		mov	[ebp+var_10], eax
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5C702D
		xor	edi, edi
		jmp	short loc_5C7031
; 

loc_5C702D:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult+FA9B9j
		movzx	edi, byte ptr [eax+2]

loc_5C7031:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult+FA9BDj
		mov	eax, edi
		mov	[ebp+var_C], edi
		shl	eax, 3
		call	__alloca_probe_16
		mov	esi, esp
		lea	ecx, [ebp+var_2C]
		push	2
		pop	edx
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		mov	eax, [ebp+var_10]
		lea	edx, [ebp+var_2C]
		and	[ebp+var_20], 0
		mov	[ebp+var_1C], edi
		mov	edi, [ebp+var_14]
		mov	ecx, edi
		mov	eax, [eax+8]
		push	eax
		mov	[ebp+var_2C], esi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	eax, [ebp+var_C]
		mov	ecx, [esi+eax*8-0Ch]
		mov	esi, [esi+eax*8-10h]
		lea	eax, [esi+8]
		cmp	ecx, eax
		jbe	short loc_5C7080
		lea	esi, [ecx-4]
		jmp	short loc_5C7083
; 

loc_5C7080:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult+FAA0Bj
		add	esi, 4

loc_5C7083:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult+FAA10j
		lea	edx, [ebp+var_2C]
		mov	ecx, edi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref

loc_5C708D:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult+FA99Ej
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult+FA9A3j
		lea	ecx, [edi+8]
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CC6BF
		push	3
		mov	edx, esi
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		jmp	loc_4CC6BF
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup

loc_5C70A9:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup+28j
		mov	eax, [ecx]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_4CC70A
		mov	edx, [edx]
		cmp	eax, edx
		jz	loc_4CC70A
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_28]
		pop	ecx
		rep stosd
		test	edx, edx
		jnz	short loc_5C70D2
		xor	edi, edi
		jmp	short loc_5C70D6
; 

loc_5C70D2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup+FA9F0j
		movzx	edi, byte ptr [edx+2]

loc_5C70D6:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup+FA9F4j
		mov	eax, edi
		mov	[ebp+var_8], edi
		shl	eax, 3
		call	__alloca_probe_16
		mov	esi, esp
		lea	ecx, [ebp+var_28]
		push	2
		pop	edx
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_28]
		and	[ebp+var_1C], 0
		mov	[ebp+var_18], edi
		mov	edi, [ebp+var_10]
		mov	ecx, edi
		mov	edx, [edx+8]
		push	eax
		mov	[ebp+var_28], esi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		mov	eax, [ebp+var_8]
		mov	ecx, [esi+eax*8-0Ch]
		mov	esi, [esi+eax*8-10h]
		lea	eax, [esi+8]
		cmp	ecx, eax
		jbe	short loc_5C7125
		lea	esi, [ecx-4]
		jmp	short loc_5C7128
; 

loc_5C7125:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup+FAA42j
		add	esi, 4

loc_5C7128:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup+FAA47j
		lea	edx, [ebp+var_28]
		mov	ecx, edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	eax, [ebx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CC70A
		mov	edx, esi
		mov	ecx, ebx
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		jmp	loc_4CC70A
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmCheckForCompaction

loc_5C714B:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+3Cj
		mov	eax, [ecx+1E4h]
		mov	esi, eax
		shr	esi, 2
		mov	[ebp+var_4], esi
		cmp	ebx, 3
		jnz	short loc_5C716E
		add	eax, 0FFFFFF00h
		cmp	esi, eax
		jb	short loc_5C7180
		mov	esi, eax
		mov	[ebp+var_4], esi
		jmp	short loc_5C7180
; 

loc_5C716E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+FAA3Cj
		lea	esi, [esi+esi*2]
		add	eax, 0FFFFFF80h
		mov	[ebp+var_4], esi
		cmp	esi, eax
		jb	short loc_5C7180
		mov	esi, eax
		mov	[ebp+var_4], eax

loc_5C7180:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+FAA45j
					; ST_STORE_SM_TRAITS___StDmCheckForCompaction+FAA4Cj ...
		cmp	esi, 2
		jnb	short loc_5C718C
		mov	[ebp+var_4], 2

loc_5C718C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+FAA63j
		mov	[ebp+var_10], offset ?ThresholdShiftTableFile@?1??StDmCheckForCompaction@?$ST_STORE@USM_TRAITS@@@@SG?AW4_ST_COMPACTION_CHECK_RESULT@@PAU_ST_DATA_MGR@2@K@Z@4PAY01EA ; uchar (* `ST_STORE<SM_TRAITS>::StDmCheckForCompaction(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)'::`2'::ThresholdShiftTableFile)[2]
		jmp	loc_4CC770
; 

loc_5C7198:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+67j
		mov	[ebp+var_1C], 1
		jmp	loc_4CC794
; 

loc_5C71A4:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+A7j
		mov	ecx, [ebp+var_8]
		mov	ebx, edi
		mov	ecx, [ecx+1C8h]
		shl	ebx, cl
		jmp	loc_4CC7CF
; 

loc_5C71B6:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+FFj
		cmp	byte ptr [eax+10F6h], 0
		ja	loc_4CC92D
		mov	eax, [edx+1B4h]
		shr	eax, 0Ch
		imul	eax, ecx
		cmp	eax, [edx+4]
		jbe	loc_4CC92D
		mov	eax, 2
		jmp	loc_4CC8C1
; 

loc_5C71E2:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+199j
		mov	edx, 1
		call	SmWorkQueueGetDepth
		test	eax, eax
		jz	loc_4CC8BF
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_5C7204
		cmp	eax, 3
		jnz	loc_4CC906

loc_5C7204:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+FAAD9j
		mov	esi, edx
		jmp	loc_4CC8BF
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmCheckForCompaction
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx

loc_5C720B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+D9j
		cmp	byte ptr [esi+2], 2
		jnz	loc_4CCA17
		lea	edx, [esi+4]
		mov	ecx, edi
		push	1
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		mov	[ebx], eax
		lea	ebx, [esi+4]
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CCA1C
		mov	edx, ebx
		mov	ecx, edi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CCA1C
		mov	edx, ebx
		mov	ecx, edi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CCA1C
		mov	edx, ebx
		mov	ecx, edi
		call	?NpLeafRemoveInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAX@Z ; NP_CONTEXT::NpLeafRemoveInternal(NP_CONTEXT::NP_CTX *,void	* *)
		jmp	loc_4CCA1C
; 

loc_5C7267:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx+FFj
		mov	eax, 0C0000006h
		jmp	loc_4CC9BD
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref

loc_5C7271:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref+57j
		mov	eax, [ebx+4]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_4CCBDF
		mov	edx, [esi]
		cmp	eax, edx
		jz	loc_4CCBDF
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		pop	ecx
		rep stosd
		test	edx, edx
		jnz	short loc_5C729B
		xor	edi, edi
		jmp	short loc_5C729F
; 

loc_5C729B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA701j
		movzx	edi, byte ptr [edx+2]

loc_5C729F:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA705j
		mov	eax, edi
		mov	[ebp+var_8], edi
		shl	eax, 3
		call	__alloca_probe_16
		mov	esi, esp
		lea	ecx, [ebp+var_2C]
		push	2
		pop	edx
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_2C]
		and	[ebp+var_20], 0
		mov	[ebp+var_1C], edi
		mov	edi, [ebp+var_10]
		mov	ecx, edi
		mov	edx, [edx+8]
		push	eax
		mov	[ebp+var_2C], esi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		mov	eax, [ebp+var_8]
		mov	ecx, [esi+eax*8-0Ch]
		mov	esi, [esi+eax*8-10h]
		lea	eax, [esi+8]
		cmp	ecx, eax
		jbe	short loc_5C72EE
		lea	esi, [ecx-4]
		jmp	short loc_5C72F1
; 

loc_5C72EE:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA753j
		add	esi, 4

loc_5C72F1:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA758j
		lea	edx, [ebp+var_2C]
		mov	ecx, edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	ecx, [ebp+var_14]
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CCBDF
		mov	edx, esi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		jmp	loc_4CCBDF
; 

loc_5C7315:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref+62j
		mov	eax, [ebx]
		mov	esi, [eax+edx*8-0Ch]
		mov	edx, [eax+edx*8-10h]
		lea	eax, [edx+8]
		cmp	esi, eax
		jbe	short loc_5C732B
		lea	edx, [esi-4]
		jmp	short loc_5C732E
; 

loc_5C732B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA790j
		add	edx, 4

loc_5C732E:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA795j
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		jmp	loc_4CCBC9
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult

loc_5C7338:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+4Bj
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	loc_4CCC4D
		mov	eax, [edi]
		mov	[ebp+var_C], eax
		cmp	ecx, eax
		jz	loc_4CCC4D
		cmp	esi, 0FFFFFFFFh
		jz	short loc_5C736B
		mov	ecx, [edx-8]
		mov	esi, [edx-4]
		lea	eax, [ecx+8]
		cmp	esi, eax
		jbe	short loc_5C7366
		add	esi, 0FFFFFFFCh
		jmp	short loc_5C73E5
; 

loc_5C7366:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FA763j
		lea	esi, [ecx+4]
		jmp	short loc_5C73E5
; 

loc_5C736B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FA756j
		mov	eax, [edx]
		lea	edi, [ebp+var_2C]
		mov	[ebp+var_10], eax
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5C7385
		xor	edi, edi
		jmp	short loc_5C7389
; 

loc_5C7385:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FA783j
		movzx	edi, byte ptr [eax+2]

loc_5C7389:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FA787j
		mov	eax, edi
		mov	[ebp+var_C], edi
		shl	eax, 3
		call	__alloca_probe_16
		mov	esi, esp
		lea	ecx, [ebp+var_2C]
		push	2
		pop	edx
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_2C]
		and	[ebp+var_20], 0
		mov	[ebp+var_1C], edi
		mov	edi, [ebp+var_14]
		mov	ecx, edi
		mov	edx, [edx+8]
		push	eax
		mov	[ebp+var_2C], esi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		mov	eax, [ebp+var_C]
		mov	ecx, [esi+eax*8-0Ch]
		mov	esi, [esi+eax*8-10h]
		lea	eax, [esi+8]
		cmp	ecx, eax
		jbe	short loc_5C73D8
		lea	esi, [ecx-4]
		jmp	short loc_5C73DB
; 

loc_5C73D8:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FA7D5j
		add	esi, 4

loc_5C73DB:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FA7DAj
		lea	edx, [ebp+var_2C]
		mov	ecx, edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref

loc_5C73E5:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FA768j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult+FA76Dj
		lea	ecx, [edi+8]
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CCC4D
		push	3
		mov	edx, esi
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		jmp	loc_4CCC4D
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmCombineLazyCleanup

loc_5C7401:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+21j
		mov	esi, [edi+250h]
		lea	eax, [edi+0Ch]
		mov	ecx, [eax+14h]
		test	cl, 1
		jnz	short loc_5C7421
		mov	edx, eax
		mov	ecx, edi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref
		lea	eax, [edi+0Ch]
		mov	ecx, [eax+14h]

loc_5C7421:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+FA7A6j
		or	ecx, 1
		mov	edx, eax
		mov	[eax+14h], ecx
		mov	ecx, edi
		push	esi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		lea	eax, [edi+0Ch]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_C]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorFromSearchResult
		jmp	loc_4CCCA7
; 

loc_5C7444:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+DCj
		push	ecx
		mov	edx, ecx
		mov	ecx, edi
		call	?BTreeFindLeafSibling@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAU23@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSibling(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY>::NODE *,ulong)
		cmp	eax, 0FFFFFFFFh
		jnz	loc_4CCD4F
		or	esi, eax
		jmp	loc_4CCCD7
; 

loc_5C745E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+46j
					; ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+51j ...
		mov	al, [edi+47Dh]
		mov	ebx, 400h
		and	al, 0FDh
		or	al, 1
		mov	[edi+47Dh], al
		jmp	loc_4CCD1E
; 

loc_5C7478:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+BAj
		mov	ecx, [edi+480h]
		push	0FFFFFFFEh
		push	7530h
		push	5
		pop	edx
		call	ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork
		jmp	loc_4CCD31
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmCombineLazyCleanup
; 
; START	OF FUNCTION CHUNK FOR SmWorkQueueGetDepth

loc_5C7492:				; CODE XREF: SmWorkQueueGetDepth+11j
		mov	eax, [ecx+112Ch]
		add	esi, eax
		jmp	loc_4CCD8A
; END OF FUNCTION CHUNK	FOR SmWorkQueueGetDepth
; 
; START	OF FUNCTION CHUNK FOR SmHpUnprotectListNeighbors

loc_5C749F:				; CODE XREF: SmHpUnprotectListNeighbors+16j
		mov	eax, [ebx+4]
		mov	edx, [eax+8]
		bsr	eax, edx
		btc	edx, eax
		imul	edx, 0Ch
		jmp	loc_4CCEC5
; END OF FUNCTION CHUNK	FOR SmHpUnprotectListNeighbors
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref

loc_5C74B3:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref+51j
		mov	eax, [ebx+4]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_4CCF75
		mov	edx, [esi]
		cmp	eax, edx
		jz	loc_4CCF75
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		pop	ecx
		rep stosd
		test	edx, edx
		jnz	short loc_5C74DD
		xor	edi, edi
		jmp	short loc_5C74E1
; 

loc_5C74DD:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref+FA5C3j
		movzx	edi, byte ptr [edx+2]

loc_5C74E1:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref+FA5C7j
		mov	eax, edi
		mov	[ebp+var_8], edi
		shl	eax, 3
		call	__alloca_probe_16
		mov	esi, esp
		lea	ecx, [ebp+var_2C]
		push	2
		pop	edx
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		mov	eax, [ebp+var_C]
		lea	edx, [ebp+var_2C]
		and	[ebp+var_20], 0
		mov	[ebp+var_1C], edi
		mov	edi, [ebp+var_10]
		mov	ecx, edi
		mov	eax, [eax+8]
		push	eax
		mov	[ebp+var_2C], esi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	eax, [ebp+var_8]
		mov	ecx, [esi+eax*8-0Ch]
		mov	esi, [esi+eax*8-10h]
		lea	eax, [esi+8]
		cmp	ecx, eax
		jbe	short loc_5C7530
		lea	esi, [ecx-4]
		jmp	short loc_5C7533
; 

loc_5C7530:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref+FA615j
		add	esi, 4

loc_5C7533:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref+FA61Aj
		lea	edx, [ebp+var_2C]
		mov	ecx, edi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref
		mov	ecx, [ebp+var_14]
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CCF75
		mov	edx, esi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		jmp	loc_4CCF75
; 

loc_5C7557:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref+5Cj
		mov	eax, [ebx]
		mov	esi, [eax+edx*8-0Ch]
		mov	edx, [eax+edx*8-10h]
		lea	eax, [edx+8]
		cmp	esi, eax
		jbe	short loc_5C756D
		lea	edx, [esi-4]
		jmp	short loc_5C7570
; 

loc_5C756D:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref+FA652j
		add	edx, 4

loc_5C7570:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref+FA657j
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		jmp	loc_4CCF49
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmCurrentRegionSet

loc_5C757A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCurrentRegionSet+C0j
		mov	eax, 0C000022Dh
		jmp	loc_4CD017
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmCurrentRegionSet
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref

loc_5C7584:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref+51j
		mov	eax, [ebx+4]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_4CD113
		mov	edx, [esi]
		cmp	eax, edx
		jz	loc_4CD113
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		pop	ecx
		rep stosd
		test	edx, edx
		jnz	short loc_5C75AE
		xor	edi, edi
		jmp	short loc_5C75B2
; 

loc_5C75AE:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA4F6j
		movzx	edi, byte ptr [edx+2]

loc_5C75B2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA4FAj
		mov	eax, edi
		mov	[ebp+var_8], edi
		shl	eax, 3
		call	__alloca_probe_16
		mov	esi, esp
		lea	ecx, [ebp+var_2C]
		push	2
		pop	edx
		call	?BTreeSearchResultInit@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGXPAUSEARCH_RESULT@1@K@Z ;	B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeSearchResultInit(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_2C]
		and	[ebp+var_20], 0
		mov	[ebp+var_1C], edi
		mov	edi, [ebp+var_10]
		mov	ecx, edi
		mov	edx, [edx+8]
		push	eax
		mov	[ebp+var_2C], esi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey
		mov	eax, [ebp+var_8]
		mov	ecx, [esi+eax*8-0Ch]
		mov	esi, [esi+eax*8-10h]
		lea	eax, [esi+8]
		cmp	ecx, eax
		jbe	short loc_5C7601
		lea	esi, [ecx-4]
		jmp	short loc_5C7604
; 

loc_5C7601:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA548j
		add	esi, 4

loc_5C7604:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA54Dj
		lea	edx, [ebp+var_2C]
		mov	ecx, edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	ecx, [ebp+var_14]
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_4CD113
		mov	edx, esi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		jmp	loc_4CD113
; 

loc_5C7628:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref+5Cj
		mov	eax, [ebx]
		mov	esi, [eax+edx*8-0Ch]
		mov	edx, [eax+edx*8-10h]
		lea	eax, [edx+8]
		cmp	esi, eax
		jbe	short loc_5C763E
		lea	edx, [esi-4]
		jmp	short loc_5C7641
; 

loc_5C763E:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA585j
		add	edx, 4

loc_5C7641:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref+FA58Aj
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)
		jmp	loc_4CD0E7
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchResultDeref
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute

loc_5C764B:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+74j
		cmp	byte ptr [ebx+2], 2
		jnz	loc_4CD194
		neg	edi
		sbb	edi, edi
		and	edi, [ebp+var_1C]
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_5C7667
		mov	eax, [edx]
		jmp	short loc_5C7670
; 

loc_5C7667:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+FA547j
		push	0
		mov	ecx, edi
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)

loc_5C7670:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+FA54Bj
		mov	ecx, [ebp+var_10]
		mov	[ecx], eax
		test	eax, eax
		jnz	loc_4CD19B
		xor	esi, esi
		jmp	loc_4CD267
; 

loc_5C7684:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+FFj
		mov	ecx, [ebp+var_18]
		mov	edx, [ecx]
		mov	[ebp+var_20], edx
		cmp	esi, eax
		jnz	short loc_5C769E
		mov	eax, edx
		mov	[ebx+edi*8], eax
		mov	eax, [ebx+4]
		mov	[ebx+edi*8+4], eax
		jmp	short loc_5C76B1
; 

loc_5C769E:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+FA574j
		mov	eax, [ebp+var_8]
		add	[ebp+var_8], 8
		mov	[eax], edx
		mov	edx, [ebp+var_24]
		mov	eax, [esi+4]
		mov	[ebx+edx*8+0Ch], eax

loc_5C76B1:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+FA582j
		mov	edx, [ebp+var_C]
		cmp	esi, [ebp+var_10]
		jnz	short loc_5C76CC
		mov	eax, [edx]
		add	edx, 8
		mov	[ecx], eax
		mov	eax, [ebp+var_28]
		mov	eax, [esi+eax*8+0Ch]
		mov	[ebx+4], eax
		jmp	short loc_5C76D8
; 

loc_5C76CC:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+FA59Dj
		mov	eax, [esi+edi*8]
		mov	[ecx], eax
		mov	eax, [esi+edi*8+4]
		mov	[esi+4], eax

loc_5C76D8:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+FA5B0j
		lea	eax, ds:0FFFFFFF8h[edi*8]
		mov	[ebp+var_C], edx
		push	eax
		mov	eax, [ebp+var_8]
		push	edx
		push	eax
		jmp	loc_4CD227
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StRegionFindCompact

loc_5C76ED:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+160j
		mov	edx, [ebp+var_8]
		jmp	loc_4CD480
; 

loc_5C76F5:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+2F9j
		add	ebx, 20h
		add	eax, 4
		cmp	ebx, 0FFFFFFFFh
		jnb	loc_4CD530
		cmp	eax, edi
		jb	loc_4CD6E0
		jmp	loc_4CD511
; 

loc_5C7711:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+148j
		or	ebx, 0FFFFFFFFh
		jmp	loc_4CD53E
; 

loc_5C7719:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+190j
		xor	eax, eax
		jmp	loc_4CD58C
; 

loc_5C7720:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+1E3j
		xor	eax, eax
		mov	esi, ecx
		mov	[ebp+var_C], eax
		jmp	loc_4CD5D9
; 

loc_5C772C:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+209j
		xor	edx, edx
		jmp	loc_4CD604
; 

loc_5C7733:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+23Cj
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_4]
		cmp	edx, eax
		jnz	loc_4CD65D

loc_5C7741:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+1D5j
		xor	eax, eax
		jmp	loc_4CD67C
; 

loc_5C7748:				; CODE XREF: ST_STORE_SM_TRAITS___StRegionFindCompact+284j
		mov	dword ptr [eax+260h], 0
		jmp	loc_4CD67A
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StRegionFindCompact
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StReleaseRegion

loc_5C7757:				; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+3Aj
		mov	edi, [edi+1184h]
		xor	edx, edx
		mov	esi, [edi+esi*4]
		and	esi, 0FFFFFFF8h
		mov	ecx, esi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [esp+18h+var_4]
		and	dword ptr [edi+esi*4], 0
		xor	eax, eax
		jmp	loc_4CD741
; 

loc_5C7783:				; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+4Ej
		push	1
		mov	edx, esi
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup
		jmp	loc_4CD74C
; 

loc_5C7793:				; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+5Dj
		mov	ecx, [ebx+240h]
		mov	edx, 1FFFh
		push	0
		mov	cx, [ecx+esi*2]
		and	cx, dx
		movzx	ecx, cx
		push	ecx
		push	0
		push	esi
		push	ebx
		push	5
		pop	edx
		mov	ecx, eax
		call	_SmEtwLogRegionOp@28 ; SmEtwLogRegionOp(x,x,x,x,x,x,x)
		jmp	loc_4CD75B
; 

loc_5C77BE:				; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+27j
		mov	eax, [ebx+248h]
		mov	byte ptr [esi+eax], 0
		jmp	loc_4CD768
; 

loc_5C77CD:				; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+A7j
		push	0
		lea	edx, [esp+1Ch+var_8]
		mov	ecx, ebx
		call	?StDmGetSpaceStats@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAK1@Z	; ST_STORE<SM_TRAITS>::StDmGetSpaceStats(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *,ulong *)
		mov	eax, [ebx+1E4h]
		sub	eax, [esp+18h+var_8]
		cmp	eax, 8
		jb	loc_4CD7A5
		test	byte ptr [ebx+560h], 1
		jnz	loc_4CD7A5
		lea	edx, [ebx+548h]
		and	dword ptr [edx+0Ch], 0
		or	dword ptr [ebx+560h], 1
		mov	ecx, [ebx+1C0h]
		push	6
		call	SMKM_STORE_SM_TRAITS___SmStWorkItemQueue
		jmp	loc_4CD7A5
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StReleaseRegion
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion

loc_5C781D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion+47j
		and	eax, 0BFFFh
		mov	[esi], ax
		jmp	loc_4CD810
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStReleaseVirtualRegion
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute

loc_5C782A:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+80j
		cmp	byte ptr [ebx+2], 2
		jnz	loc_4CD9B4
		neg	edi
		sbb	edi, edi
		and	edi, [ebp+var_28]
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_5C7846
		mov	eax, [esi]
		jmp	short loc_5C7854
; 

loc_5C7846:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+F9F12j
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		push	8
		pop	edx

loc_5C7854:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+F9F16j
		mov	ecx, [ebp+var_1C]
		mov	[ecx], eax
		test	eax, eax
		jnz	loc_4CD9BB
		jmp	loc_4CDAB4
; 

loc_5C7866:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+131j
		mov	edx, [ebp+var_20]
		mov	ecx, [edx]
		mov	[ebp+var_2C], ecx
		cmp	edi, eax
		jnz	short loc_5C7881
		mov	[ebx+esi*8], ecx
		mov	eax, [ebx+4]
		mov	ecx, [ebp+var_18]
		mov	[ebx+esi*8+4], eax
		jmp	short loc_5C7898
; 

loc_5C7881:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+F9F42j
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_2C]
		mov	[ebx+ecx*8+8], eax
		mov	eax, [edi+4]
		mov	[ebx+ecx*8+0Ch], eax
		mov	ecx, [ebp+var_18]
		add	[ebp+var_10], ecx

loc_5C7898:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+F9F51j
		cmp	edi, [ebp+var_1C]
		jnz	short loc_5C78B7
		mov	eax, [ebp+var_28]
		mov	eax, [edi+eax*8+8]
		mov	[edx], eax
		mov	eax, [ebp+var_28]
		mov	edx, [ebp+var_C]
		add	edx, ecx
		mov	eax, [edi+eax*8+0Ch]
		mov	[ebx+4], eax
		jmp	short loc_5C78C6
; 

loc_5C78B7:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+F9F6Dj
		mov	eax, [edi+esi*8]
		mov	[edx], eax
		mov	eax, [edi+esi*8+4]
		mov	edx, [ebp+var_C]
		mov	[edi+4], eax

loc_5C78C6:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute+F9F87j
		lea	eax, [esi-1]
		mov	[ebp+var_C], edx
		imul	eax, ecx
		push	eax
		push	edx
		jmp	loc_4CDA6D
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeRedistribute
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute

loc_5C78D6:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+80j
		cmp	byte ptr [ebx+2], 2
		jnz	loc_4CDBAA
		neg	edi
		sbb	edi, edi
		and	edi, [ebp+var_28]
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_5C78F2
		mov	eax, [esi]
		jmp	short loc_5C7900
; 

loc_5C78F2:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+F9DC8j
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		push	8
		pop	edx

loc_5C7900:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+F9DCCj
		mov	ecx, [ebp+var_1C]
		mov	[ecx], eax
		test	eax, eax
		jnz	loc_4CDBB1
		jmp	loc_4CDCA6
; 

loc_5C7912:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+12Dj
		mov	edx, [ebp+var_20]
		mov	ecx, [edx]
		mov	[ebp+var_2C], ecx
		cmp	edi, eax
		jnz	short loc_5C792D
		mov	[ebx+esi*8], ecx
		mov	eax, [ebx+4]
		mov	ecx, [ebp+var_18]
		mov	[ebx+esi*8+4], eax
		jmp	short loc_5C7944
; 

loc_5C792D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+F9DF8j
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_2C]
		mov	[ebx+ecx*8+8], eax
		mov	eax, [edi+4]
		mov	[ebx+ecx*8+0Ch], eax
		mov	ecx, [ebp+var_18]
		add	[ebp+var_10], ecx

loc_5C7944:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+F9E07j
		cmp	edi, [ebp+var_1C]
		jnz	short loc_5C7963
		mov	eax, [ebp+var_28]
		mov	eax, [edi+eax*8+8]
		mov	[edx], eax
		mov	eax, [ebp+var_28]
		mov	edx, [ebp+var_C]
		add	edx, ecx
		mov	eax, [edi+eax*8+0Ch]
		mov	[ebx+4], eax
		jmp	short loc_5C7972
; 

loc_5C7963:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+F9E23j
		mov	eax, [edi+esi*8]
		mov	[edx], eax
		mov	eax, [edi+esi*8+4]
		mov	edx, [ebp+var_C]
		mov	[edi+4], eax

loc_5C7972:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute+F9E3Dj
		lea	eax, [esi-1]
		mov	[ebp+var_C], edx
		imul	eax, ecx
		push	eax
		push	edx
		jmp	loc_4CDC5F
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeRedistribute
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild

loc_5C7982:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+5Dj
		and	[ebp+var_C], ebx
		mov	[ebp+var_10], eax
		jmp	loc_4CDD98
; 

loc_5C798D:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+ABj
		mov	eax, 0D1Eh
		jmp	loc_4CDDCA
; 

loc_5C7997:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+92j
		dec	edx
		mov	eax, edx
		mov	[ebp+var_1C], edx
		shl	eax, 3
		push	eax		; size_t
		mov	eax, [ebp+var_10]
		add	eax, 8
		push	eax		; void *
		lea	eax, [esi+8]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_10]
		mov	eax, [eax+4]
		mov	[esi+4], eax
		jmp	loc_4CDDE1
; 

loc_5C79BF:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+144j
		movzx	eax, byte ptr [esi+3]
		lea	ecx, [edi+8]
		push	eax
		mov	edx, esi
		call	NP_CONTEXT__NpNodeFree
		jmp	loc_4CDE60
; 

loc_5C79D3:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+14Cj
		movzx	edx, byte ptr [ebx+3]
		lea	ecx, [edi+8]
		push	edx
		mov	edx, ebx
		call	NP_CONTEXT__NpNodeFree
		jmp	loc_4CDE68
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild
; 
; START	OF FUNCTION CHUNK FOR NP_CONTEXT__NpNodeAllocate

loc_5C79E7:				; CODE XREF: NP_CONTEXT__NpNodeAllocate+2Ej
		mov	edx, ebx
		mov	ecx, esi
		call	?NpiGetReservedBuffer@NP_CONTEXT@@SGPAXPAU1@PAUNP_CTX@1@@Z ; NP_CONTEXT::NpiGetReservedBuffer(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)
		mov	edi, eax
		test	edi, edi
		jz	loc_4CDF6E
		jmp	loc_4CDF60
; 

loc_5C79FF:				; CODE XREF: NP_CONTEXT__NpNodeAllocate+3Cj
		mov	edx, ebx
		mov	ecx, esi
		call	?NpiPerformPageOut@NP_CONTEXT@@SGJPAU1@PAUNP_CTX@1@@Z ;	NP_CONTEXT::NpiPerformPageOut(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)
		jmp	loc_4CDF6E
; END OF FUNCTION CHUNK	FOR NP_CONTEXT__NpNodeAllocate
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild

loc_5C7A0D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+66j
		mov	ecx, [ebp+var_14]
		lea	edx, [eax+4]
		cmp	edx, [ecx-4]
		mov	ecx, [ebp+var_18]
		jnb	loc_4CDFEC
		mov	eax, edx
		inc	ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_18], ecx
		jmp	loc_4CDFEC
; 

loc_5C7A2D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+57j
		and	[ebp+var_C], ebx
		lea	eax, [eax+ecx*8]
		mov	[ebp+var_10], eax
		jmp	loc_4CDFEF
; 

loc_5C7A3B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+98j
		mov	eax, 0D1Eh
		jmp	loc_4CE021
; 

loc_5C7A45:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+7Fj
		dec	edx
		mov	eax, edx
		mov	[ebp+var_1C], edx
		shl	eax, 3
		push	eax		; size_t
		mov	eax, [ebp+var_10]
		add	eax, 8
		push	eax		; void *
		lea	eax, [edi+8]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_10]
		mov	eax, [eax+4]
		mov	[edi+4], eax
		jmp	loc_4CE038
; 

loc_5C7A6D:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+EBj
		mov	ebx, [ebp+var_4]
		jmp	loc_4CE090
; 

loc_5C7A75:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+131j
		movzx	eax, byte ptr [edi+3]
		lea	ecx, [esi+8]
		push	eax
		mov	edx, edi
		call	NP_CONTEXT__NpNodeFree
		jmp	loc_4CE0B7
; 

loc_5C7A89:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild+139j
		movzx	edx, byte ptr [ebx+3]
		lea	ecx, [esi+8]
		push	edx
		mov	edx, ebx
		call	NP_CONTEXT__NpNodeFree
		jmp	loc_4CE0BF
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSplitChild
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes

loc_5C7A9D:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+61j
		mov	eax, 0D1Eh
		jmp	loc_4CE1AE
; 

loc_5C7AA7:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+4Bj
		mov	eax, [ebx]
		mov	[esi+edx*8+8], eax
		mov	eax, [edi+4]
		mov	[esi+edx*8+0Ch], eax
		inc	edx
		mov	[ebp+arg_0], edx
		jmp	loc_4CE1B3
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes
; 
; START	OF FUNCTION CHUNK FOR NP_CONTEXT__NpNodeFree

loc_5C7ABD:				; CODE XREF: NP_CONTEXT__NpNodeFree+18j
		inc	eax
		mov	[edx], eax
		mov	eax, [ecx+30h]
		mov	[eax], edx
		mov	[ecx+30h], edx
		jmp	loc_4CE284
; END OF FUNCTION CHUNK	FOR NP_CONTEXT__NpNodeFree
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmCleanup

loc_5C7ACD:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+1EAj
		and	dword ptr [ebx+1A4h], 0
		and	dword ptr [ebx+1A8h], 0
		jmp	loc_4CE2E8
; 

loc_5C7AE0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+4Dj
		lea	edx, [ebp+var_C]
		mov	ecx, edi	; void *
		call	_SmHpChunkHeapInitialize@8 ; SmHpChunkHeapInitialize(x,x)
		jmp	loc_4CE309
; 

loc_5C7AEF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+ABj
		xor	eax, eax
		mov	edi, ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebx+24h]
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, ecx
		stosd
		stosd
		stosd
		jmp	loc_4CE367
; 

loc_5C7B0A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+DCj
		lea	eax, [ebx+36Ch]
		mov	[ebx+8], edi
		mov	[ebx+2Ch], eax
		lea	eax, [ebx+3C4h]
		mov	[ebx+50h], eax
		jmp	loc_4CE398
; 

loc_5C7B24:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+114j
		and	eax, 1FFFh
		mov	edx, edi
		push	0
		neg	eax
		mov	ecx, ebx
		push	eax
		call	ST_STORE_SM_TRAITS___StDmpUpdateRegionState
		jmp	loc_4CE3B0
; 

loc_5C7B3C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+139j
		lea	eax, [ebx+1E8h]
		xor	edx, edx
		push	eax
		inc	edx
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StDmLazyRegionsWorker
		jmp	loc_4CE3F5
; 

loc_5C7B52:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+159j
		mov	eax, [edi]
		cmp	eax, 0FFFFFFFFh
		jz	loc_4CE41E
		mov	ebx, 4000h
		cmp	[edx+eax*2], bx
		jnb	loc_4CE426
		jmp	loc_4CE415
; 

loc_5C7B71:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+162j
		push	0
		push	dword ptr [edi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	dword ptr [edi+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]
		jmp	loc_4CE41E
; 

loc_5C7B90:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+16Aj
		and	dword ptr [edi+4], 0
		and	dword ptr [edi+8], 0
		or	dword ptr [edi], 0FFFFFFFFh
		jmp	loc_4CE426
; 

loc_5C7BA0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmCleanup+1BCj
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4CE478
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmCleanup
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes

loc_5C7BAC:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes+61j
		mov	eax, 0D1Eh
		jmp	loc_4CE68E
; 

loc_5C7BB6:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes+4Bj
		mov	eax, [ebx]
		mov	[esi+edx*8+8], eax
		mov	eax, [edi+4]
		mov	[esi+edx*8+0Ch], eax
		inc	edx
		movzx	eax, word ptr [edi]
		shl	eax, 3
		mov	[ebp+arg_0], edx
		inc	edx
		push	eax
		lea	eax, [edi+8]
		push	eax
		lea	eax, [esi+edx*8]
		jmp	loc_4CE6A4
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild

loc_5C7BDB:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+66j
		mov	ecx, [ebp+var_14]
		lea	edx, [eax+4]
		cmp	edx, [ecx-4]
		mov	ecx, [ebp+var_18]
		jnb	loc_4CE7AC
		mov	eax, edx
		inc	ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_18], ecx
		jmp	loc_4CE7AC
; 

loc_5C7BFB:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+57j
		and	[ebp+var_C], ebx
		lea	eax, [eax+ecx*8]
		mov	[ebp+var_10], eax
		jmp	loc_4CE7AF
; 

loc_5C7C09:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+98j
		mov	eax, 0D1Eh
		jmp	loc_4CE7E1
; 

loc_5C7C13:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+7Fj
		dec	edx
		mov	eax, edx
		mov	[ebp+var_1C], edx
		shl	eax, 3
		push	eax		; size_t
		mov	eax, [ebp+var_10]
		add	eax, 8
		push	eax		; void *
		lea	eax, [edi+8]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_10]
		mov	eax, [eax+4]
		mov	[edi+4], eax
		jmp	loc_4CE7F8
; 

loc_5C7C3B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+EBj
		mov	ebx, [ebp+var_4]
		jmp	loc_4CE850
; 

loc_5C7C43:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+131j
		movzx	eax, byte ptr [edi+3]
		lea	ecx, [esi+8]
		push	eax
		mov	edx, edi
		call	NP_CONTEXT__NpNodeFree
		jmp	loc_4CE877
; 

loc_5C7C57:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild+139j
		movzx	edx, byte ptr [ebx+3]
		lea	ecx, [esi+8]
		push	edx
		mov	edx, ebx
		call	NP_CONTEXT__NpNodeFree
		jmp	loc_4CE87F
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSplitChild
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes

loc_5C7C6B:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes+61j
		mov	eax, 0D1Eh
		jmp	loc_4CE9AE
; 

loc_5C7C75:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes+4Bj
		mov	eax, [ebx]
		mov	[esi+edx*8+8], eax
		mov	eax, [edi+4]
		mov	[esi+edx*8+0Ch], eax
		inc	edx
		movzx	eax, word ptr [edi]
		shl	eax, 3
		mov	[ebp+arg_0], edx
		inc	edx
		push	eax
		lea	eax, [edi+8]
		push	eax
		lea	eax, [esi+edx*8]
		jmp	loc_4CE9C4
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeMergeNodes
; 
; START	OF FUNCTION CHUNK FOR MiInitializeMdlOneNodeBatchPages

loc_5C7C9A:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+1A3j
		mov	[ebp+var_24], 7
		jmp	loc_4CED1F
; 

loc_5C7CA6:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+18Fj
		push	2
		push	edi
		push	2
		pop	edx
		mov	ecx, esi
		call	_MiZeroAndConvertPage@16 ; MiZeroAndConvertPage(x,x,x,x)
		jmp	loc_4CEBFC
; 

loc_5C7CB8:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+A3j
		push	0FFFFFFFFh
		xor	edx, edx
		mov	ecx, ebx
		push	0FFFFFFFFh
		inc	edx
		call	MiChangePageAttributeBatch
		jmp	loc_4CEC1F
; 

loc_5C7CCB:				; CODE XREF: MiInitializeMdlOneNodeBatchPages+1BDj
		push	0
		push	0
		push	3
		pop	edx
		mov	ecx, ebx
		call	MiChangePageAttributeBatch
		jmp	loc_4CED39
; END OF FUNCTION CHUNK	FOR MiInitializeMdlOneNodeBatchPages
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStStart

loc_5C7CDE:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+80j
		test	ecx, 100h
		jz	loc_4CEEEA
		mov	eax, 0C00000BBh
		jmp	loc_4CF171
; 

loc_5C7CF4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+9Dj
		test	eax, eax
		jz	loc_4CEF07

loc_5C7CFC:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+3Bj
					; SMKM_STORE_SM_TRAITS___SmStStart+45j	...
		mov	eax, 0C000000Dh
		jmp	loc_4CF171
; 

loc_5C7D06:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+B4j
		cmp	[esp+48h+var_3C], 0
		jz	short loc_5C7CFC
		jmp	loc_4CEF1E
; 

loc_5C7D12:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+1A6j
		mov	dword ptr [ebx+11D0h], offset unk_7185B4
		jmp	loc_4CF010
; 

loc_5C7D21:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+1D1j
					; SMKM_STORE_SM_TRAITS___SmStStart+1EFj ...
		mov	eax, 0C000009Ah
		jmp	loc_4CF171
; 

loc_5C7D2B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+249j
		mov	eax, [ebx+117Ch]
		lea	ecx, [ebx+1270h]
		shr	eax, 8
		lea	edx, [esp+48h+var_38]
		xor	eax, esi
		and	eax, 0FFFF0h
		xor	esi, eax
		push	1
		mov	[esp+4Ch+var_38], esi
		call	SmFpPreAllocate
		jmp	short loc_5C7D7B
; 

loc_5C7D54:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+134j
		lea	esi, [ebx+1184h]
		mov	ecx, esi
		call	_SmKmFileInfoInit@4 ; SmKmFileInfoInit(x)
		mov	eax, [edi+0Ch]
		mov	ecx, esi
		mov	[ebx+1180h], eax
		mov	eax, [edi+18h]
		mov	edx, [edi+24h]
		mov	[esp+48h+var_3C], eax
		call	_SmKmFileInfoDuplicate@8 ; SmKmFileInfoDuplicate(x,x)

loc_5C7D7B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+F8EEEj
		test	eax, eax
		js	loc_4CF171
		jmp	loc_4CF0B3
; 

loc_5C7D88:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+286j
		mov	eax, [eax+2Ch]
		mov	[esp+48h+var_8], eax
		jmp	loc_4CF0F0
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStStart

;  S U B	R O U T	I N E 


sub_5C7D94	proc near		; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorkerThreadStartThread+8Fj
		push	ebx
		push	dword ptr [ebp-4]
		call	ObCloseHandle
		jmp	loc_4CF275
sub_5C7D94	endp

; 
; START	OF FUNCTION CHUNK FOR MiGetClosestNodeWithProcessors

loc_5C7DA2:				; CODE XREF: MiGetClosestNodeWithProcessors+1Dj
		movzx	edx, ds:_KeNumberNodes
		mov	eax, ds:dword_6D0698
		mov	ecx, edx
		imul	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		lea	edi, [eax+ecx*4]
		lea	ebx, [edi+edx*4]

loc_5C7DBD:				; CODE XREF: MiGetClosestNodeWithProcessors+F8890j
		add	edi, 4
		cmp	edi, ebx
		jb	short loc_5C7DCF
		or	eax, 0FFFFFFFFh

loc_5C7DC7:				; CODE XREF: MiGetClosestNodeWithProcessors+F8894j
		pop	edi
		pop	esi
		pop	ebx
		jmp	locret_4CF578
; 

loc_5C7DCF:				; CODE XREF: MiGetClosestNodeWithProcessors+F8870j
		mov	esi, [edi]
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	esi
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		cmp	word ptr [ebp+var_4], 0
		jz	short loc_5C7DBD
		mov	eax, esi
		jmp	short loc_5C7DC7
; END OF FUNCTION CHUNK	FOR MiGetClosestNodeWithProcessors
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StStart

loc_5C7DE8:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+6Ej
		mov	esi, [ebx+10h]
		test	esi, esi
		jz	short loc_5C7E14
		lea	eax, [esi-1]
		test	eax, esi
		jnz	short loc_5C7E14
		cmp	esi, edx
		ja	short loc_5C7E14
		mov	esi, [ebx+24h]
		test	esi, esi
		jz	short loc_5C7E14
		mov	eax, [ebp+var_4]
		cmp	[esi], eax
		jmp	loc_4CF6C0
; 

loc_5C7E0B:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+76j
		cmp	eax, 2
		jb	loc_4CF6C6

loc_5C7E14:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+49j
					; ST_STORE_SM_TRAITS___StStart+54j ...
		mov	eax, 0C000000Dh
		jmp	loc_4CF8D0
; 

loc_5C7E1E:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+107j
		mov	eax, [ebx+1Ch]
		neg	eax
		sbb	eax, eax
		and	eax, 0Ch
		add	eax, 4
		mov	[edi+28h], eax
		jmp	loc_4CF745
; 

loc_5C7E33:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+128j
		mov	eax, 0C0000206h
		jmp	loc_4CF8D0
; 

loc_5C7E3D:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+168j
		mov	edi, [ebx+0Ch]
		push	74536D73h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+30h], eax
		test	eax, eax
		jz	loc_4CF8D5
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edi, [ebx+0Ch]
		add	esp, 0Ch
		push	74536D73h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+34h], eax
		test	eax, eax
		jz	loc_4CF8D5
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebx]
		add	esp, 0Ch
		jmp	loc_4CF7A6
; 

loc_5C7E98:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+1AEj
		mov	eax, ecx
		mov	[ebp+var_8], eax
		jmp	loc_4CF7EC
; 

loc_5C7EA2:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+201j
		test	ecx, ecx
		jz	short loc_5C7ED0
		mov	edx, [ebx+18h]
		push	ecx
		push	ecx
		lea	ecx, [esi+9A8h]
		call	_SmCrEncStart@16 ; SmCrEncStart(x,x,x,x)
		test	eax, eax
		js	loc_4CF8D0
		mov	ecx, [esi+9ACh]
		lea	eax, [ecx+0Fh]
		neg	ecx
		and	eax, ecx
		cmp	eax, 10h
		jnz	short loc_5C7F3D

loc_5C7ED0:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+F886Cj
		mov	eax, [ebx]
		jmp	loc_4CF847
; 

loc_5C7ED7:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+209j
		mov	eax, 0C00002F6h
		jmp	loc_4CF8D0
; 

loc_5C7EE1:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+242j
		push	dword ptr [ebx+24h]
		inc	edi
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	edx, eax
		cmp	edx, 1
		jbe	loc_5C7E14
		mov	ecx, [ebx]
		jmp	loc_4CF883
; 

loc_5C7EFC:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+255j
		test	ecx, 4000h
		jnz	loc_4CF893
		push	8
		pop	ebx
		jmp	loc_4CF895
; 

loc_5C7F10:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+290j
		mov	eax, [ebp+var_4]
		lea	edx, [esi+4C8h]
		and	eax, 0FFFFFFF6h
		push	edi
		or	eax, 16h
		push	ecx
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	ecx
		push	eax
		mov	ecx, esi
		call	ST_STORE_SM_TRAITS___StDmStart
		test	eax, eax
		js	loc_4CF8D0
		jmp	loc_4CF8CE
; 

loc_5C7F3D:				; CODE XREF: ST_STORE_SM_TRAITS___StStart+1Fj
					; ST_STORE_SM_TRAITS___StStart+2Aj ...
		mov	eax, 0C0000173h
		jmp	loc_4CF8D0
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StStart
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmStart

loc_5C7F47:				; CODE XREF: ST_STORE_SM_TRAITS___StDmStart+E2j
					; ST_STORE_SM_TRAITS___StDmStart+129j
		mov	eax, 0C000009Ah
		jmp	loc_4CFAB8
; 

loc_5C7F51:				; CODE XREF: ST_STORE_SM_TRAITS___StDmStart+BCj
		lea	ecx, [ebx+1DCh]
		jmp	loc_4CF9D8
; 

loc_5C7F5C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmStart+172j
		lea	ecx, [ebx+6Ch]
		mov	[ebp+var_48], 10h
		mov	[ebp+var_44], 4
		call	_SmHpChunkHeapCleanup@8	; SmHpChunkHeapCleanup(x,x)
		lea	edx, [ebp+var_48]
		lea	ecx, [ebx+6Ch]	; void *
		call	_SmHpChunkHeapInitialize@8 ; SmHpChunkHeapInitialize(x,x)
		xor	esi, esi
		jmp	loc_4CFA54
; 

loc_5C7F84:				; CODE XREF: ST_STORE_SM_TRAITS___StDmStart+17Ej
		push	esi
		push	38h
		lea	eax, [ebp+var_40]
		push	eax
		push	0B6h
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	loc_4CFAB8
		mov	eax, [ebp+var_40]
		mov	ecx, [ebp+var_3C]
		shrd	eax, ecx, 15h
		shr	ecx, 15h
		cmp	ecx, esi
		ja	short loc_5C7FBE
		jb	short loc_5C7FD0
		cmp	eax, 10h
		jb	short loc_5C7FD0
		cmp	ecx, esi
		ja	short loc_5C7FBE
		cmp	eax, 0FFFFFFFFh
		jbe	short loc_5C7FC1

loc_5C7FBE:				; CODE XREF: ST_STORE_SM_TRAITS___StDmStart+F86D0j
					; ST_STORE_SM_TRAITS___StDmStart+F86DBj
		or	eax, 0FFFFFFFFh

loc_5C7FC1:				; CODE XREF: ST_STORE_SM_TRAITS___StDmStart+F86E0j
					; ST_STORE_SM_TRAITS___StDmStart+F86F7j
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], 4
		jmp	loc_4CFA64
; 

loc_5C7FD0:				; CODE XREF: ST_STORE_SM_TRAITS___StDmStart+F86D2j
					; ST_STORE_SM_TRAITS___StDmStart+F86D7j
		push	10h
		pop	eax
		jmp	short loc_5C7FC1
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmStart
; 
; START	OF FUNCTION CHUNK FOR NP_CONTEXT__NpStart

loc_5C7FD5:				; CODE XREF: NP_CONTEXT__NpStart+21j
					; NP_CONTEXT__NpStart+F853Aj
		push	704E6D73h
		push	1000h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_5C800B
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx]
		inc	ecx
		mov	[edx], ecx
		mov	ecx, [ebp+var_4]
		mov	[ecx], edx
		mov	[ebp+var_4], edx
		mov	eax, [edx]
		cmp	eax, [edi+4]
		jb	short loc_5C7FD5
		jmp	loc_4CFAF1
; 

loc_5C800B:				; CODE XREF: NP_CONTEXT__NpStart+F8523j
		mov	esi, 0C000009Ah
		jmp	loc_4CFB5C
; END OF FUNCTION CHUNK	FOR NP_CONTEXT__NpStart
; 
; START	OF FUNCTION CHUNK FOR StEtaHelper__StartHelper

loc_5C8015:				; CODE XREF: StEtaHelper__StartHelper+6Aj
		lea	eax, [ebp+var_34]
		cmp	edx, edi
		jbe	short loc_5C8023

loc_5C801C:				; CODE XREF: StEtaHelper__StartHelper+F8491j
		add	eax, 8
		cmp	[eax], edx
		jb	short loc_5C801C

loc_5C8023:				; CODE XREF: StEtaHelper__StartHelper+F848Aj
		mov	[eax], esi
		lea	eax, [ebp+var_34]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		jmp	loc_4CFC09
; END OF FUNCTION CHUNK	FOR StEtaHelper__StartHelper
; 
; START	OF FUNCTION CHUNK FOR StEtaStart

loc_5C8033:				; CODE XREF: StEtaStart+2Bj
		mov	esi, 0C00000BBh
		jmp	loc_4CFD49
; 

loc_5C803D:				; CODE XREF: StEtaStart+55j
					; StEtaStart+F840Aj
		lea	ecx, [ecx+8]
		inc	ebx
		cmp	dword ptr [ecx], 0FFFFFFFFh
		jb	short loc_5C803D
		jmp	loc_4CFC95
; 

loc_5C804B:				; CODE XREF: StEtaStart+75j
		mov	esi, 0C000009Ah
		jmp	loc_4CFD49
; END OF FUNCTION CHUNK	FOR StEtaStart
; 
; START	OF FUNCTION CHUNK FOR SmFirstTimeInit

loc_5C8055:				; CODE XREF: SmFirstTimeInit+77j
		mov	[esp+58h+var_4C], 0C000025Fh
		jmp	loc_4CFE6D
; 

loc_5C8062:				; CODE XREF: SmFirstTimeInit+306j
		mov	[esp+58h+var_4C], 0C00000BBh
		jmp	loc_4CFE6D
; 

loc_5C806F:				; CODE XREF: SmFirstTimeInit+380j
		push	[esp+58h+var_40]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_4CFE6D
; 

loc_5C807D:				; CODE XREF: SmFirstTimeInit+3B6j
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	?SmReInitialize@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmReInitialize(SMKM_STORE_MGR<SM_TRAITS>	*)
		mov	ecx, ds:dword_718460
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		push	ds:dword_71845C
		call	_ZwClose@4	; ZwClose(x)
		mov	ds:dword_718460, edi
		mov	ds:dword_71845C, edi
		jmp	loc_4CFE6D
; 

loc_5C80B3:				; CODE XREF: SmFirstTimeInit+3F7j
		mov	[esp+58h+var_4C], 0C000009Ah
		jmp	loc_4CFE6D
; 

loc_5C80C0:				; CODE XREF: SmFirstTimeInit+466j
		mov	esi, offset unk_7185C0
		mov	ecx, esi
		call	SmFpCleanup
		push	44h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		push	0
		push	1
		push	offset unk_7185C4
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		jmp	loc_4CFE6D
; 

loc_5C80EC:				; CODE XREF: SmFirstTimeInit+C3j
		mov	[esp+58h+var_4C], 0C0000018h
		jmp	loc_4CFE6D
; END OF FUNCTION CHUNK	FOR SmFirstTimeInit
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback

loc_5C80F9:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback+24j
		cmp	edi, 4
		jnz	loc_4D0362
		mov	ecx, ebx
		call	?SmFeEmpty@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)
		jmp	loc_4D0360
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete

loc_5C810E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+D5j
		push	esi
		lea	edx, [ebp-60h]
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		lea	eax, [ebp-60h]
		push	eax
		lea	edx, [ebp-74h]
		call	?BTreeIteratorFromSearchResult@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUITERATOR@1@PAUSEARCH_RESULT@1@@Z ; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeIteratorFromSearchResult(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::ITERATOR *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)
		mov	edi, [ebp-74h]
		xor	eax, eax
		mov	edx, [ebp-70h]
		mov	[ebp-6Ch], eax
		jmp	loc_4D046B
; 

loc_5C8133:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+10Dj
		mov	esi, [eax]
		mov	byte ptr [eax+6], 0
		mov	ecx, [ebp-54h]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_5C814E
		test	ecx, ecx
		jz	short loc_5C814E
		mov	eax, [ebp-60h]
		dec	ecx
		lea	ecx, [eax+ecx*8]
		jmp	short loc_5C8151
; 

loc_5C814E:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7DAFj
					; SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7DB3j
		lea	ecx, [ebp-5Ch]

loc_5C8151:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7DBCj
		cmp	[ecx], edi
		jnz	short loc_5C815A
		mov	[ecx+4], edx
		jmp	short loc_5C81A1
; 

loc_5C815A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7DC3j
		lea	edx, [ebp-60h]
		call	?BTreeSearchResultDeref@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUSEARCH_RESULT@1@@Z ;	B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultDeref(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>	*,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)
		cmp	dword ptr [ebp-54h], 0FFFFFFFFh
		jnz	short loc_5C8172
		mov	eax, [ebp-70h]
		mov	[ecx], edi
		mov	[ecx+4], eax
		jmp	short loc_5C81A1
; 

loc_5C8172:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7DD6j
		mov	eax, [edi+8]
		lea	edx, [ebp-60h]
		mov	ecx, [ebp-68h]
		push	eax
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	ecx, [ebp-54h]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_5C8199
		test	ecx, ecx
		jz	short loc_5C8199
		lea	ecx, ds:0FFFFFFFCh[ecx*8]
		add	ecx, [ebp-60h]
		jmp	short loc_5C819C
; 

loc_5C8199:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7DF7j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7DFBj
		lea	ecx, [ebp-58h]

loc_5C819C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7E07j
		mov	eax, [ebp-70h]
		mov	[ecx], eax

loc_5C81A1:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7DC8j
					; SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+F7DE0j
		mov	ecx, [ebp-68h]
		lea	edx, [ebp-60h]
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx
		mov	edx, [ebp-70h]
		mov	eax, 1
		mov	ecx, [ebp-68h]
		mov	[ebp-6Ch], eax
		jmp	loc_4D0463
; 

loc_5C81BF:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+2DAj
		mov	eax, [ebp-78h]
		push	0
		push	dword ptr [ebp-6Ch]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C81D3:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+204j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp-80h]
		jmp	loc_4D05AA
; 

loc_5C81E8:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+29Aj
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4D0630
; 

loc_5C81F9:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete+2C7j
		push	dword ptr [ebp-80h]
		mov	edx, [ebp-78h]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4D05BD
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmFeStoreDelete
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStCleanup

loc_5C820B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+395j
		mov	edx, [esp+60h+var_28]
		push	0
		push	[esp+64h+var_44]
		push	edx
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C8221:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+1E3j
		mov	esi, [esp+74h+var_60]
		mov	al, 1
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [esp+74h+var_38]
		mov	eax, [esp+74h+var_60]
		jmp	loc_4D0883
; 

loc_5C8241:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+352j
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4D09DE
; 

loc_5C8250:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+37Aj
		push	[esp+60h+var_28]
		lea	edx, [esi+10F8h]
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4D0A06
; 

loc_5C8266:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+271j
		cmp	cl, 1
		jnz	loc_4D093B
		lea	ecx, [esi+1184h]
		call	_SmKmFileInfoCleanup@4 ; SmKmFileInfoCleanup(x)
		jmp	loc_4D093B
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStCleanup
; 
; START	OF FUNCTION CHUNK FOR SmFpCleanup

loc_5C827F:				; CODE XREF: SmFpCleanup+Fj
		mov	eax, [edi]
		mov	[ebx+esi*4+14h], eax
		cmp	esi, 5
		jb	short loc_5C8299
		push	6D526D73h
		push	dword ptr [edi+4]
		call	MmFreeMappingAddress
		jmp	short loc_5C82CA
; 

loc_5C8299:				; CODE XREF: SmFpCleanup+F7814j
		cmp	esi, 2
		jnz	short loc_5C82A8
		mov	ecx, [edi+4]
		call	_SmKmFreeMdlForLock@4 ;	SmKmFreeMdlForLock(x)
		jmp	short loc_5C82CA
; 

loc_5C82A8:				; CODE XREF: SmFpCleanup+F7828j
		cmp	esi, 3
		jnz	short loc_5C82C0
		movzx	ecx, word ptr [ebx+3Ah]
		xor	edx, edx
		push	1
		shl	ecx, 0Ch
		inc	edx
		call	_SmAcquireReleaseCharges@12 ; SmAcquireReleaseCharges(x,x,x)
		jmp	short loc_5C82CA
; 

loc_5C82C0:				; CODE XREF: SmFpCleanup+F7837j
		push	0
		push	dword ptr [edi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5C82CA:				; CODE XREF: SmFpCleanup+F7823j
					; SmFpCleanup+F7832j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4D0A7D
; END OF FUNCTION CHUNK	FOR SmFpCleanup
; 
; START	OF FUNCTION CHUNK FOR MmInSwapWorkingSet

loc_5C82D7:				; CODE XREF: MmInSwapWorkingSet+B3j
		mov	ecx, [ebx]
		cmp	[ecx+8], esi
		jz	loc_4D0DA1
		call	_MiReAllocateWorkingSetSwapSupport@4 ; MiReAllocateWorkingSetSwapSupport(x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	short loc_5C82F8
		mov	ecx, [ebx]
		test	byte ptr [ecx+10h], 1
		jnz	short loc_5C82F8
		mov	esi, edi

loc_5C82F8:				; CODE XREF: MmInSwapWorkingSet+F7604j
					; MmInSwapWorkingSet+F760Cj
		mov	ecx, [ebp+var_20]
		call	_VmCheckLargePageInswap@4 ; VmCheckLargePageInswap(x)
		test	eax, eax
		jz	loc_4D0DA1
		or	esi, 4
		jmp	loc_4D0DA1
; 

loc_5C8310:				; CODE XREF: MmInSwapWorkingSet+C6j
		mov	edx, [eax+8]
		mov	ecx, [eax]
		push	0
		call	_VmPrefetchVirtualAddresses@12 ; VmPrefetchVirtualAddresses(x,x,x)
		jmp	loc_4D0DB4
; 

loc_5C8321:				; CODE XREF: MmInSwapWorkingSet+DDj
		mov	ecx, [ebp+var_20]
		mov	edx, 73576D4Dh
		and	dword ptr [ebx+8], 0
		mov	dword ptr [ebx+10h], offset _MiInSwapSharedWorkingSetWorker@4 ;	MiInSwapSharedWorkingSetWorker(x)
		mov	[ebx+14h], ebx
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_20]
		lea	ecx, [ebx+8]
		mov	[ebx+18h], eax
		push	ds:dword_6D4EA4
		push	0FFFFFFFFh
		push	3
		pop	edx
		call	ExQueueWorkItemToPartition
		jmp	loc_4D0DD7
; 

loc_5C835A:				; CODE XREF: MmInSwapWorkingSet+67j
		mov	ebx, 0C0000476h
		jmp	loc_4D0E01
; 

loc_5C8364:				; CODE XREF: MmInSwapWorkingSet+51j
					; MmInSwapWorkingSet+5Fj
		mov	ebx, 0C0000225h
		jmp	loc_4D0E01
; 

loc_5C836E:				; CODE XREF: MmInSwapWorkingSet+131j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4D0E1F
; END OF FUNCTION CHUNK	FOR MmInSwapWorkingSet
; 
; START	OF FUNCTION CHUNK FOR MmOutSwapVirtualAddresses

loc_5C837B:				; CODE XREF: MmOutSwapVirtualAddresses+89j
		mov	eax, 0C0000147h
		jmp	loc_4D1263
; 

loc_5C8385:				; CODE XREF: MmOutSwapVirtualAddresses+10Aj
		cmp	[ebp+var_AC], 10h
		jnb	loc_4D10D2
		mov	eax, [ebp+var_AC]
		mov	edx, esi
		push	eax
		mov	ecx, offset _MiSystemPartition
		mov	[ebp+var_98], eax
		call	_MiExtendWorkingSetSwapPagefile@12 ; MiExtendWorkingSetSwapPagefile(x,x,x)
		mov	edi, eax
		mov	[ebp+var_A8], edi
		test	edi, edi
		jns	loc_4D0F37
		jmp	loc_4D10D2
; 

loc_5C83C0:				; CODE XREF: MmOutSwapVirtualAddresses+121j
		mov	[ebp+var_A8], 0C000009Ah
		jmp	loc_4D10D2
; 

loc_5C83CF:				; CODE XREF: MmOutSwapVirtualAddresses+4B9j
		push	0
		push	[ebp+var_A0]
		push	offset unk_6D50EC
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C83E7:				; CODE XREF: MmOutSwapVirtualAddresses+388j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_98]
		jmp	loc_4D11F0
; 

loc_5C8401:				; CODE XREF: MmOutSwapVirtualAddresses+46Aj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4D12C2
; 

loc_5C8410:				; CODE XREF: MmOutSwapVirtualAddresses+494j
		push	[ebp+var_B4]
		mov	edx, offset unk_6D50EC
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4D120A
; END OF FUNCTION CHUNK	FOR MmOutSwapVirtualAddresses
; 
; START	OF FUNCTION CHUNK FOR MmOutSwapWorkingSet

loc_5C8427:				; CODE XREF: MmOutSwapWorkingSet+9Aj
		mov	[ebp+var_18], 1
		jmp	loc_4D1476
; 

loc_5C8433:				; CODE XREF: MmOutSwapWorkingSet+FBj
		mov	[ebp+var_98], 0C0000147h
		jmp	loc_4D17FA
; 

loc_5C8442:				; CODE XREF: MmOutSwapWorkingSet+119j
		mov	[ebp+var_98], 0C000009Ah
		jmp	loc_4D17F2
; 

loc_5C8451:				; CODE XREF: MmOutSwapWorkingSet+16Dj
		cmp	ecx, 1
		jnz	short loc_5C8462
		mov	[ebp+var_98], 0C0000476h
		jmp	short loc_5C847B
; 

loc_5C8462:				; CODE XREF: MmOutSwapWorkingSet+F707Ej
		xor	eax, eax
		cmp	ecx, 2
		setnz	al
		dec	eax
		and	eax, 0E9h
		add	eax, 0C0000021h
		mov	[ebp+var_98], eax

loc_5C847B:				; CODE XREF: MmOutSwapWorkingSet+F708Aj
		push	offset unk_6D50F0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_91]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4D17EA
; 

loc_5C8496:				; CODE XREF: MmOutSwapWorkingSet+15Dj
		cmp	al, 2
		mov	eax, offset unk_6D3C50
		jz	loc_4D1549
		lea	eax, [ecx+90h]
		jmp	loc_4D1549
; 

loc_5C84AE:				; CODE XREF: MmOutSwapWorkingSet+1B4j
		push	eax
		push	[ebp+var_B4]
		lea	edx, [ebp+var_78]
		push	[ebp+var_A0]
		push	ecx
		mov	ecx, offset _MiSystemPartition
		call	_MiReserveWorkingSetSwapSpace@24 ; MiReserveWorkingSetSwapSpace(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_98], edi
		test	edi, edi
		jns	short loc_5C8514
		cmp	[ebp+var_B4], 10h
		jnb	loc_5C8620
		mov	eax, [ebp+var_B4]
		mov	ecx, offset _MiSystemPartition
		mov	edx, [ebp+var_B0]
		push	eax
		mov	[ebp+var_A0], eax
		call	_MiExtendWorkingSetSwapPagefile@12 ; MiExtendWorkingSetSwapPagefile(x,x,x)
		mov	edi, eax
		mov	[ebp+var_98], edi
		test	edi, edi
		jns	loc_4D156C
		jmp	loc_5C8620
; 

loc_5C8514:				; CODE XREF: MmOutSwapWorkingSet+F70FDj
		mov	eax, [ebp+var_B0]
		jmp	loc_4D1590
; 

loc_5C851F:				; CODE XREF: MmOutSwapWorkingSet+1CBj
					; MmOutSwapWorkingSet+F7199j
		mov	[ebp+var_98], 0C000009Ah
		jmp	loc_4D1778
; 

loc_5C852E:				; CODE XREF: MmOutSwapWorkingSet+1D5j
		or	dword ptr [eax+10h], 1
		jmp	loc_4D15B1
; 

loc_5C8537:				; CODE XREF: MmOutSwapWorkingSet+1E9j
		mov	edx, [ebp+var_A4]
		mov	eax, [edx+288h]
		mov	ecx, eax
		sub	ecx, [edx+28Ch]
		mov	[ebp+var_A0], ecx
		cmp	ecx, eax
		jbe	short loc_5C855D
		mov	ecx, eax
		mov	[ebp+var_A0], eax

loc_5C855D:				; CODE XREF: MmOutSwapWorkingSet+F717Dj
		test	ecx, ecx
		jz	loc_4D15C5
		call	_MiAllocateWorkingSetSwapSupport@4 ; MiAllocateWorkingSetSwapSupport(x)
		mov	[edi+4], eax
		test	eax, eax
		jz	short loc_5C851F
		jmp	loc_4D15C5
; 

loc_5C8576:				; CODE XREF: MmOutSwapWorkingSet+219j
		call	_VmCheckLargePageInswap@4 ; VmCheckLargePageInswap(x)
		test	eax, eax
		jz	loc_4D15F5
		mov	[ebp+var_1C], 1
		jmp	loc_4D15F5
; 

loc_5C858F:				; CODE XREF: MmOutSwapWorkingSet+25Dj
		and	byte ptr [ecx+304h], 0FDh
		xor	ecx, ecx
		mov	edx, [ebp+var_98]
		push	11h
		pop	eax
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jz	short loc_5C85B7
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, [ebp+var_98]

loc_5C85B7:				; CODE XREF: MmOutSwapWorkingSet+F71D2j
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_A8]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	[ebp+var_98], 0C000010Ah
		jmp	loc_4D1778
; 

loc_5C85D8:				; CODE XREF: MmOutSwapWorkingSet+362j
		mov	eax, [ebp+var_A0]
		cmp	[ecx+8], eax
		jnb	loc_4D173E
		call	_MiReAllocateWorkingSetSwapSupport@4 ; MiReAllocateWorkingSetSwapSupport(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_5C860B
		mov	eax, [ebp+var_9C]
		push	0
		push	dword ptr [eax+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_9C]
		mov	[eax+4], edi

loc_5C860B:				; CODE XREF: MmOutSwapWorkingSet+F721Aj
		mov	edi, [ebp+var_9C]
		jmp	loc_4D173E
; 

loc_5C8616:				; CODE XREF: MmOutSwapWorkingSet+1AAj
		mov	[ebp+var_98], 0C000002Dh

loc_5C8620:				; CODE XREF: MmOutSwapWorkingSet+F7106j
					; MmOutSwapWorkingSet+F7139j
		mov	edi, [ebp+var_9C]
		jmp	loc_4D1778
; 

loc_5C862B:				; CODE XREF: MmOutSwapWorkingSet+3DAj
		xor	eax, eax
		jmp	loc_4D17C4
; 

loc_5C8632:				; CODE XREF: MmOutSwapWorkingSet+3BCj
					; MmOutSwapWorkingSet+3CBj
		mov	[ebp+var_98], 0C000010Ah
		jmp	loc_4D17C6
; 

loc_5C8641:				; CODE XREF: MmOutSwapWorkingSet+416j
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		call	_MiFreeWorkingSetSwapContext@8 ; MiFreeWorkingSetSwapContext(x,x)
		jmp	loc_4D17F2
; 

loc_5C8652:				; CODE XREF: MmOutSwapWorkingSet+666j
		push	0
		push	[ebp+var_C0]
		mov	eax, offset unk_6D50EC
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C866B:				; CODE XREF: MmOutSwapWorkingSet+516j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_C4]
		jmp	loc_4D1902
; 

loc_5C8685:				; CODE XREF: MmOutSwapWorkingSet+629j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4D1A05
; 

loc_5C8694:				; CODE XREF: MmOutSwapWorkingSet+653j
		push	[ebp+var_B8]
		mov	edx, offset unk_6D50EC
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4D191C
; END OF FUNCTION CHUNK	FOR MmOutSwapWorkingSet
; 
; START	OF FUNCTION CHUNK FOR MiGetKernelStackSwapSupport

loc_5C86AB:				; CODE XREF: MiGetKernelStackSwapSupport+39j
		mov	ecx, ds:dword_6D5D94[edi*4]
		call	MiPageFileLargestBitmapsRun
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		call	MiPageFileLargestBitmapsRun
		cmp	eax, esi
		jbe	loc_4D1BBD
		jmp	loc_4D1BBB
; 

loc_5C86CE:				; CODE XREF: MiGetKernelStackSwapSupport+20j
					; MiGetKernelStackSwapSupport+4Aj
		mov	eax, 0C0000147h
		jmp	loc_4D1C34
; END OF FUNCTION CHUNK	FOR MiGetKernelStackSwapSupport
; 
; START	OF FUNCTION CHUNK FOR MiFindBestOutswapPagefile

loc_5C86D8:				; CODE XREF: MiFindBestOutswapPagefile+48j
		mov	ecx, [esi+edi*4+0F54h]
		call	MiPageFileLargestBitmapsRun
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		mov	ecx, [ecx]
		call	MiPageFileLargestBitmapsRun
		cmp	eax, esi
		jbe	loc_4D1C9C
		jmp	loc_4D1C9A
; END OF FUNCTION CHUNK	FOR MiFindBestOutswapPagefile
; 
; START	OF FUNCTION CHUNK FOR MiCanFlushMakeProgress

loc_5C86FD:				; CODE XREF: MiCanFlushMakeProgress+3Fj
		mov	ecx, [ebx+90h]
		and	eax, 0Fh
		imul	eax, 14h
		cmp	dword ptr [eax+ecx+740h], 0
		jnz	loc_4D1D37
		jmp	loc_4D1D3E
; END OF FUNCTION CHUNK	FOR MiCanFlushMakeProgress

;  S U B	R O U T	I N E 


sub_5C871C	proc near		; CODE XREF: MiWakeModifiedPageWriter+14j
		push	ebx
		push	ebx
		lea	eax, [esi+18Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4D1D64
sub_5C871C	endp

; 
; START	OF FUNCTION CHUNK FOR MiWakeModifiedPageWriter

loc_5C872F:				; CODE XREF: MiWakeModifiedPageWriter+21j
		lea	edi, [esi+23Ch]
		mov	ecx, edi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_4D1D71
		push	12h
		push	dword ptr [esi+238h]
		call	KeSetActualBasePriorityThread
		mov	ecx, edi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_4D1D71
; END OF FUNCTION CHUNK	FOR MiWakeModifiedPageWriter
; 
; START	OF FUNCTION CHUNK FOR MiFlushAllPagesWorker

loc_5C875D:				; CODE XREF: MiFlushAllPagesWorker+44j
		cmp	dword ptr [ebx+4], 0
		jnz	loc_551A0A
		jmp	loc_55199A
; END OF FUNCTION CHUNK	FOR MiFlushAllPagesWorker
; 
; START	OF FUNCTION CHUNK FOR IoReleaseCancelSpinLock

loc_5C876C:				; CODE XREF: IoReleaseCancelSpinLock+1Aj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D1EC5
; END OF FUNCTION CHUNK	FOR IoReleaseCancelSpinLock
; 
; START	OF FUNCTION CHUNK FOR IopDereferenceVpbAndFree

loc_5C877B:				; CODE XREF: IopDereferenceVpbAndFree+2Ej
		mov	edx, eax
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D1F2C
; 

loc_5C8787:				; CODE XREF: IopDereferenceVpbAndFree+40j
		mov	eax, [esi+0Ch]
		cmp	[eax+24h], esi
		jz	loc_4D1F36
		test	byte ptr [esi+4], 4
		jnz	loc_4D1F36
		mov	edi, esi
		jmp	loc_4D1F36
; 

loc_5C87A4:				; CODE XREF: IopDereferenceVpbAndFree+5Aj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D1F65
; 

loc_5C87B3:				; CODE XREF: IopDereferenceVpbAndFree+7Fj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4D1F75
; END OF FUNCTION CHUNK	FOR IopDereferenceVpbAndFree
; 
; START	OF FUNCTION CHUNK FOR MiDecayPfnFullyInitialized

loc_5C87C0:				; CODE XREF: MiDecayPfnFullyInitialized+46j
		mov	edx, edi
		lea	ecx, [ebp+var_14]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D1FF7
; 

loc_5C87CF:				; CODE XREF: MiDecayPfnFullyInitialized+95j
		mov	ebx, edi
		jmp	loc_4D2041
; 

loc_5C87D6:				; CODE XREF: MiDecayPfnFullyInitialized+AFj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D206D
; END OF FUNCTION CHUNK	FOR MiDecayPfnFullyInitialized
; 
; START	OF FUNCTION CHUNK FOR MiRebuildLargeZeroPage

loc_5C87E6:				; CODE XREF: MiRebuildLargeZeroPage+F3j
		mov	edx, esi
		lea	ecx, [esp+30h+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D21CF
; 

loc_5C87F6:				; CODE XREF: MiRebuildLargeZeroPage+12Aj
		mov	edx, [ebp+4]
		lea	ecx, [esp+30h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D221E
; END OF FUNCTION CHUNK	FOR MiRebuildLargeZeroPage
; 
; START	OF FUNCTION CHUNK FOR ExpWorkerFactoryCompletionPacketRoutine

loc_5C8807:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+28j
		mov	edx, esi
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D2537
; 

loc_5C8816:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+51j
		mov	edi, 1
		jmp	loc_4D255B
; 

loc_5C8820:				; CODE XREF: ExpWorkerFactoryCompletionPacketRoutine+62j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D2582
; END OF FUNCTION CHUNK	FOR ExpWorkerFactoryCompletionPacketRoutine
; 
; START	OF FUNCTION CHUNK FOR MiGetFileHashPage

loc_5C8830:				; CODE XREF: MiGetFileHashPage+3Dj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	MiReturnCommit
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	loc_4D2686
		lea	ecx, [esi+1000h]
		lock xadd [ecx], eax
		jmp	loc_4D2686
; END OF FUNCTION CHUNK	FOR MiGetFileHashPage
; 
; START	OF FUNCTION CHUNK FOR ExpExpandResourceOwnerTable

loc_5C885B:				; CODE XREF: ExpExpandResourceOwnerTable+38j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D2731
; 

loc_5C886A:				; CODE XREF: ExpExpandResourceOwnerTable+98j
		push	offset _ExShortTime
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_4D280F
; 

loc_5C887D:				; CODE XREF: ExpExpandResourceOwnerTable+100j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D27F5
; 

loc_5C888C:				; CODE XREF: ExpExpandResourceOwnerTable+1C3j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D28B4
; END OF FUNCTION CHUNK	FOR ExpExpandResourceOwnerTable
; 
; START	OF FUNCTION CHUNK FOR MiZeroPageWorkMapping

loc_5C889B:				; CODE XREF: MiZeroPageWorkMapping+83j
		cmp	edi, 0C07FFFFFh
		ja	loc_4D2989
		mov	[ebp+var_A0], 8
		jmp	loc_4D2989
; 

loc_5C88B3:				; CODE XREF: MiZeroPageWorkMapping+98j
		mov	eax, 400h
		mov	[ebp+var_A8], eax
		jmp	loc_4D29A6
; 

loc_5C88C3:				; CODE XREF: MiZeroPageWorkMapping+E9j
		test	[ebp+var_A0], 4
		jnz	loc_4D29EF
		push	offset _MiTbFlushSort ;	int __cdecl (*)(const void *,const void	*)
		push	4		; size_t
		push	edx		; size_t
		lea	eax, [ebp+var_90]
		push	eax		; void *
		call	_qsort
		add	esp, 10h
		lea	ecx, [ebp+var_A4]
		call	MiCompressTbFlushList
		mov	edx, [ebp+var_98]
		cmp	edx, [ebp+var_9C]
		jnz	loc_4D29EF
		mov	eax, 1
		test	ebx, ebx
		jz	loc_4D29F8
		mov	[ebp+var_9F], al
		mov	[ebp+var_94], edx
		jmp	loc_4D29F8
; END OF FUNCTION CHUNK	FOR MiZeroPageWorkMapping
; 
; START	OF FUNCTION CHUNK FOR MiReduceZeroingThreads

loc_5C8922:				; CODE XREF: MiReduceZeroingThreads+64j
		or	eax, 0FFFFFFFFh
		jmp	loc_4D2B28
; 

loc_5C892A:				; CODE XREF: MiReduceZeroingThreads+23Bj
		mov	eax, [ebp+var_2C]
		mov	eax, [eax+260h]
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	loc_4D2D03
		mov	ecx, [ebx+80h]
		xor	eax, eax
		xor	edi, edi
		mov	[ebp+var_20], eax
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_5C8970
		mov	[ebp+var_2C], ecx
		lea	edx, [ebx+88h]

loc_5C895A:				; CODE XREF: MiReduceZeroingThreads+F5EB0j
		add	edi, [edx]
		lea	edx, [edx+8]
		mov	eax, [edx-4]
		adc	[ebp+var_20], eax
		sub	ecx, 1
		jnz	short loc_5C895A
		mov	eax, [ebp+var_20]
		mov	edx, [ebp+var_2C]

loc_5C8970:				; CODE XREF: MiReduceZeroingThreads+F5E97j
		push	0
		push	edx
		push	eax
		push	edi
		call	__aulldiv
		push	0
		push	esi
		push	edx
		push	eax
		call	__aulldiv
		push	edx
		push	eax
		mov	eax, [ebp+var_30]
		push	dword ptr [eax+esi*8-4]
		push	dword ptr [eax+esi*8-8]
		call	__aulldiv
		cmp	eax, esi
		jb	short loc_5C899F
		lea	eax, [esi-1]
		jmp	short loc_5C89A4
; 

loc_5C899F:				; CODE XREF: MiReduceZeroingThreads+F5EE0j
		test	eax, eax
		jnz	short loc_5C89A4
		inc	eax

loc_5C89A4:				; CODE XREF: MiReduceZeroingThreads+F5EE5j
					; MiReduceZeroingThreads+F5EE9j
		mov	edi, esi
		sub	edi, eax
		jz	loc_4D2BDC
		jmp	loc_4D2D03
; END OF FUNCTION CHUNK	FOR MiReduceZeroingThreads
; 
; START	OF FUNCTION CHUNK FOR MmQuerySystemWorkingSetInformation

loc_5C89B3:				; CODE XREF: MmQuerySystemWorkingSetInformation+64j
		mov	edx, ecx
		lea	ecx, [ebp+var_10]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D2DFF
; 

loc_5C89C2:				; CODE XREF: MmQuerySystemWorkingSetInformation+99j
		or	dword ptr [esi+20h], 4
		mov	al, [edi+60h]
		jmp	loc_4D2E27
; 

loc_5C89CE:				; CODE XREF: MmQuerySystemWorkingSetInformation+A4j
		or	[esi+20h], ecx
		jmp	loc_4D2E32
; 

loc_5C89D6:				; CODE XREF: MmQuerySystemWorkingSetInformation+BBj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D2E6B
; 

loc_5C89E6:				; CODE XREF: MmQuerySystemWorkingSetInformation+DDj
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid
		xor	ecx, ecx
		inc	ecx
		jmp	loc_4D2EE1
; 

loc_5C89F6:				; CODE XREF: MmQuerySystemWorkingSetInformation+2Dj
		push	9
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		jmp	loc_4D2EA1
; END OF FUNCTION CHUNK	FOR MmQuerySystemWorkingSetInformation
; 
; START	OF FUNCTION CHUNK FOR MiUpdatePageTableUseCount

loc_5C8A04:				; CODE XREF: MiUpdatePageTableUseCount+10j
		shl	eax, 9
		inc	esi
		cmp	esi, 1
		jb	loc_4D2F30
		xor	eax, eax
		jmp	loc_4D2F63
; END OF FUNCTION CHUNK	FOR MiUpdatePageTableUseCount
; 
; START	OF FUNCTION CHUNK FOR MiStoreUpdatePagefileHash

loc_5C8A18:				; CODE XREF: MiStoreUpdatePagefileHash+AEj
		mov	[ebp+var_8], 0
		jmp	loc_4D3054
; END OF FUNCTION CHUNK	FOR MiStoreUpdatePagefileHash
; 
; START	OF FUNCTION CHUNK FOR MiMapPageFileHash

loc_5C8A24:				; CODE XREF: MiMapPageFileHash+39j
		mov	[ebp+var_1C], esi
		jmp	loc_4D31A3
; 

loc_5C8A2C:				; CODE XREF: MiMapPageFileHash+119j
		mov	ecx, [ebp+var_C]
		jmp	loc_4D3269
; 

loc_5C8A34:				; CODE XREF: MiMapPageFileHash+107j
		mov	eax, [ebp+var_18]
		jmp	loc_4D3269
; 

loc_5C8A3C:				; CODE XREF: MiMapPageFileHash+1E9j
		mov	[ebp+var_C], esi
		mov	[ebp+var_1], 21h
		jmp	loc_4D3392
; 

loc_5C8A48:				; CODE XREF: MiMapPageFileHash+267j
		push	[ebp+var_14]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		mov	eax, [ebp+var_18]
		cmp	eax, 0FFFFFFFFh
		jz	loc_5C8B63
		mov	ecx, eax
		call	_MiFreePageFileHashPfn@4 ; MiFreePageFileHashPfn(x)
		mov	eax, [ebp+var_C]
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	edi
		mov	edi, [ebp+var_8]
		xor	edx, edx
		inc	edx
		mov	eax, [edi+90h]
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		call	MiReturnCommit
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		inc	edx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_5C8AB3
		mov	ecx, [ebp+arg_0]
		add	ecx, 1000h
		lock xadd [ecx], eax

loc_5C8AB3:				; CODE XREF: MiMapPageFileHash+F5962j
		lock dec ds:dword_6D3CC4
		jmp	loc_5C8B66
; 

loc_5C8ABF:				; CODE XREF: MiMapPageFileHash+2A0j
		mov	ecx, [ebp+var_34]
		jmp	loc_4D33F0
; 

loc_5C8AC7:				; CODE XREF: MiMapPageFileHash+2BAj
		push	[ebp+var_3C]
		push	[ebp+var_20]
		push	esi
		push	edx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], edx
		mov	[edi], eax
		nop
		push	[ebp+var_14]
		mov	[edi+4], edx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4D34C0
; 

loc_5C8AF6:				; CODE XREF: MiMapPageFileHash+2E6j
		and	byte ptr [ecx+16h], 0EFh
		jmp	loc_4D342E
; 

loc_5C8AFF:				; CODE XREF: MiMapPageFileHash+316j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		mov	ecx, [ebp+var_18]
		test	eax, eax
		jz	short loc_5C8B37
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	[ebp+var_34], 1
		jnz	loc_4D3461

loc_5C8B1F:				; CODE XREF: MiMapPageFileHash+F5A11j
		mov	eax, ecx
		and	eax, 1
		or	eax, esi
		jz	loc_4D3461
		or	edx, 80000000h
		jmp	loc_4D3461
; 

loc_5C8B37:				; CODE XREF: MiMapPageFileHash+F59C7j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_4D3461
		jmp	short loc_5C8B1F
; 

loc_5C8B55:				; CODE XREF: MiMapPageFileHash+329j
		push	edx
		push	ecx
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_4D3471
; 

loc_5C8B63:				; CODE XREF: MiMapPageFileHash+F591Fj
		mov	edi, [ebp+var_8]

loc_5C8B66:				; CODE XREF: MiMapPageFileHash+F5978j
		mov	eax, [ebp+arg_8]
		jmp	loc_4D32CA
; END OF FUNCTION CHUNK	FOR MiMapPageFileHash
; 
; START	OF FUNCTION CHUNK FOR MiComputeZeroClusterMaximum

loc_5C8B6E:				; CODE XREF: MiComputeZeroClusterMaximum+65j
		mov	eax, ecx
		jmp	loc_4D3533
; 

loc_5C8B75:				; CODE XREF: MiComputeZeroClusterMaximum+78j
		mov	edx, ecx
		jmp	loc_4D3546
; 

loc_5C8B7C:				; CODE XREF: MiComputeZeroClusterMaximum+70j
		mov	edx, 2710h
		jmp	loc_4D3548
; 

loc_5C8B86:				; CODE XREF: MiComputeZeroClusterMaximum+8Ej
		xor	esi, esi
		inc	esi
		jmp	loc_4D355C
; 

loc_5C8B8E:				; CODE XREF: MiComputeZeroClusterMaximum+D1j
		test	dword ptr [edx+28h], 4000h
		jnz	loc_4D3568
		jmp	loc_4D359F
; 

loc_5C8BA0:				; CODE XREF: MiComputeZeroClusterMaximum+A7j
		xor	esi, esi
		inc	esi
		jmp	loc_4D3575
; END OF FUNCTION CHUNK	FOR MiComputeZeroClusterMaximum
; 
; START	OF FUNCTION CHUNK FOR MiComputeAgeDistribution

loc_5C8BA8:				; CODE XREF: MiComputeAgeDistribution+94j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D369A
; 

loc_5C8BB8:				; CODE XREF: MiComputeAgeDistribution+B0j
		lea	ecx, [ebp+var_30]
		call	KxWaitForLockChainValid
		jmp	loc_4D36FD
; 

loc_5C8BC5:				; CODE XREF: MiComputeAgeDistribution+EDj
		test	edi, edi
		jnz	short loc_5C8BD0
		xor	eax, eax
		jmp	loc_4D36EE
; 

loc_5C8BD0:				; CODE XREF: MiComputeAgeDistribution+F55E3j
		mov	eax, 3E8h
		jmp	loc_4D36EE
; END OF FUNCTION CHUNK	FOR MiComputeAgeDistribution
; 
; START	OF FUNCTION CHUNK FOR MiUpdateClaimDistribution

loc_5C8BDA:				; CODE XREF: MiUpdateClaimDistribution+21j
		or	eax, 0FFFFFFFFh
		jmp	loc_4D3747
; 

loc_5C8BE2:				; CODE XREF: MiUpdateClaimDistribution+35j
		or	eax, 0FFFFFFFFh
		jmp	loc_4D375B
; END OF FUNCTION CHUNK	FOR MiUpdateClaimDistribution
; 
; START	OF FUNCTION CHUNK FOR AlpcpLookasidePacketCallbackRoutine

loc_5C8BEA:				; CODE XREF: AlpcpLookasidePacketCallbackRoutine+43j
		dec	eax
		mov	[ebp+arg_4], 0FFFFFFFFh
		mov	[esi+10h], eax
		jmp	loc_4D3854
; END OF FUNCTION CHUNK	FOR AlpcpLookasidePacketCallbackRoutine
; 
; START	OF FUNCTION CHUNK FOR MiHandleInPageError

loc_5C8BFA:				; CODE XREF: MiHandleInPageError+22j
		and	ecx, 0FFFFFFF9h
		mov	[esi+0Ch], edx
		mov	[esi+8], ecx
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR MiHandleInPageError
; 
; START	OF FUNCTION CHUNK FOR KxWaitForLockChainValid

loc_5C8C05:				; CODE XREF: KxWaitForLockChainValid+Fj
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_4D39AF
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_4D39B1
; END OF FUNCTION CHUNK	FOR KxWaitForLockChainValid
; 
; START	OF FUNCTION CHUNK FOR KePulseEvent

loc_5C8C1D:				; CODE XREF: KePulseEvent+F500Bj
		mov	ecx, [eax]
		mov	esi, eax
		mov	[ebp+var_C], ecx
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	loc_5C8E04
		cmp	[eax], esi
		jnz	loc_5C8E04
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	al, [esi+8]
		cmp	al, 1
		jnz	short loc_5C8C62
		movzx	eax, word ptr [esi+0Ah]
		mov	edx, esi
		mov	ecx, [ebp+var_8]
		push	0
		push	eax
		call	KiTryUnwaitThread
		test	al, al
		jnz	loc_5C8D29
		jmp	loc_5C8D46
; 

loc_5C8C62:				; CODE XREF: KePulseEvent+F4F02j
		cmp	al, 2
		jnz	loc_5C8D35
		mov	byte ptr [esi+9], 5
		mov	edi, [esi+0Ch]
		and	dword ptr [esi], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_14], eax
		mov	eax, [eax+4]
		mov	[ebp+var_10], eax
		jz	short loc_5C8CAA
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_5C8CAA:				; CODE XREF: KePulseEvent+F4F53j
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	ecx, [edi+8]
		cmp	[ecx], ecx
		jz	short loc_5C8CE8
		mov	eax, [edi+18h]
		cmp	eax, [edi+1Ch]
		jnb	short loc_5C8CE8
		mov	edx, [ebp+var_10]
		mov	eax, [edx+0A4h]
		cmp	eax, edi
		jnz	short loc_5C8CD6
		cmp	byte ptr [edx+18Bh], 0Fh
		jz	short loc_5C8CE8

loc_5C8CD6:				; CODE XREF: KePulseEvent+F4F8Bj
		mov	ecx, [ebp+var_14]
		mov	edx, edi
		push	esi
		call	KiWakeQueueWaiter
		test	al, al
		jnz	short loc_5C8D1E
		lea	ecx, [edi+8]

loc_5C8CE8:				; CODE XREF: KePulseEvent+F4F76j
					; KePulseEvent+F4F7Ej ...
		mov	eax, [edi+4]
		mov	[ebp+var_10], eax
		inc	eax
		mov	[edi+4], eax
		lea	eax, [edi+10h]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_5C8E04
		cmp	[ebp+var_10], 0
		mov	[esi], eax
		mov	[esi+4], edx
		mov	[edx], esi
		mov	[eax+4], esi
		jnz	short loc_5C8D1E
		cmp	[ecx], ecx
		jz	short loc_5C8D1E
		mov	ecx, [ebp+var_14]
		mov	edx, edi
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)

loc_5C8D1E:				; CODE XREF: KePulseEvent+F4FA3j
					; KePulseEvent+F4FCEj ...
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	edi, [ebp+arg_0]

loc_5C8D29:				; CODE XREF: KePulseEvent+F4F17j
		sub	dword ptr [edi+4], 1
		jz	loc_4D3D97
		jmp	short loc_5C8D46
; 

loc_5C8D35:				; CODE XREF: KePulseEvent+F4F24j
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	0
		push	100h
		call	KiTryUnwaitThread

loc_5C8D46:				; CODE XREF: KePulseEvent+F4F1Dj
					; KePulseEvent+F4FF3j
		mov	eax, [ebp+var_C]

loc_5C8D49:				; CODE XREF: KePulseEvent+48j
		cmp	eax, ebx
		jnz	loc_5C8C1D
		jmp	loc_4D3D97
; 

loc_5C8D56:				; CODE XREF: KePulseEvent+B5j
		mov	byte ptr [esi+9], 5
		mov	edi, [esi+0Ch]
		and	dword ptr [esi], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_10], eax
		mov	eax, [eax+4]
		mov	[ebp+var_14], eax
		jz	loc_4D3E04
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_14]
		mov	edx, esi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)
		jmp	loc_4D3E04
; 

loc_5C8D9F:				; CODE XREF: KePulseEvent+D0j
		mov	eax, [edi+18h]
		cmp	eax, [edi+1Ch]
		jnb	short loc_5C8DC5
		mov	edx, [ebp+var_14]
		mov	eax, [edx+0A4h]
		cmp	eax, edi
		jnz	loc_4D3E1B
		cmp	byte ptr [edx+18Bh], 0Fh
		jnz	loc_4D3E1B

loc_5C8DC5:				; CODE XREF: KePulseEvent+D6j
					; KePulseEvent+F7j ...
		mov	eax, [edi+4]
		mov	[ebp+var_14], eax
		inc	eax
		mov	[edi+4], eax
		lea	eax, [edi+10h]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_5C8E04
		cmp	[ebp+var_14], 0
		mov	[esi], eax
		mov	[esi+4], edx
		mov	[edx], esi
		mov	[eax+4], esi
		jnz	loc_4D3E2A
		cmp	[ecx], ecx
		jz	loc_4D3E2A
		mov	ecx, [ebp+var_10]
		mov	edx, edi
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		jmp	loc_4D3E2A
; 

loc_5C8E04:				; CODE XREF: KePulseEvent+F4EEAj
					; KePulseEvent+F4EF2j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
; END OF FUNCTION CHUNK	FOR KePulseEvent ; AL =	character to display
; START	OF FUNCTION CHUNK FOR MiStoreUpdateMemoryConditions

loc_5C8E09:				; CODE XREF: MiStoreUpdateMemoryConditions+47j
		push	12h
		xor	esi, esi
		mov	[esp+24h+var_14], eax
		pop	edi
		jmp	loc_4D3FA3
; 

loc_5C8E17:				; CODE XREF: MiStoreUpdateMemoryConditions+58j
		push	12h
		mov	esi, eax
		pop	edi
		jmp	loc_4D3FA3
; 

loc_5C8E21:				; CODE XREF: MiStoreUpdateMemoryConditions+90j
		add	eax, edx
		cmp	ecx, eax
		sbb	esi, esi
		neg	esi
		add	esi, 2
		jmp	loc_4D3FA3
; 

loc_5C8E31:				; CODE XREF: MiStoreUpdateMemoryConditions+A6j
		push	edi
		push	dword ptr [ebx+2DCh]
		call	KeSetActualBasePriorityThread
		jmp	loc_4D3FB6
; 

loc_5C8E42:				; CODE XREF: MiStoreUpdateMemoryConditions+B1j
		push	0
		push	0
		lea	eax, [ebx+2E0h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4D3FC1
; 

loc_5C8E57:				; CODE XREF: MiStoreUpdateMemoryConditions+C9j
		mov	edx, [ebp+4]
		lea	ecx, [esp+20h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D3FFB
; 

loc_5C8E68:				; CODE XREF: MiStoreUpdateMemoryConditions+EBj
		lea	ecx, [esp+20h+var_C]
		call	KxWaitForLockChainValid
		jmp	loc_4D4014
; 

loc_5C8E76:				; CODE XREF: MiStoreUpdateMemoryConditions+FDj
		xor	edx, edx
		mov	ecx, offset unk_718320
		call	?SmDrainSList@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAT_SLIST_HEADER@@K@Z ;	SMKM_STORE_MGR<SM_TRAITS>::SmDrainSList(_SLIST_HEADER *,ulong)
		jmp	loc_4D400D
; END OF FUNCTION CHUNK	FOR MiStoreUpdateMemoryConditions
; 
; START	OF FUNCTION CHUNK FOR MiComputeSystemTrimCriteria

loc_5C8E87:				; CODE XREF: MiComputeSystemTrimCriteria+54j
		sub	edi, ebx
		jmp	loc_4D408E
; 

loc_5C8E8E:				; CODE XREF: MiComputeSystemTrimCriteria+A5j
		cmp	[esi+4C3h], al
		jz	loc_4D40D9

loc_5C8E9A:				; CODE XREF: MiComputeSystemTrimCriteria+B1j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_4], eax
		jmp	loc_4D40E5
; 

loc_5C8EA5:				; CODE XREF: MiComputeSystemTrimCriteria+E4j
		test	edx, edx
		jns	loc_4D4118
		mov	eax, ecx
		sub	eax, edx
		cmp	ebx, eax
		jnb	loc_4D4118
		jmp	short loc_5C8EBD
; 

loc_5C8EBB:				; CODE XREF: MiComputeSystemTrimCriteria+D9j
		sub	eax, edx

loc_5C8EBD:				; CODE XREF: MiComputeSystemTrimCriteria+F4E8Bj
		mov	edi, eax
		mov	eax, [esi+4D4h]
		sub	edi, ebx
		cmp	edi, eax
		jbe	short loc_5C8ECD
		mov	edi, eax

loc_5C8ECD:				; CODE XREF: MiComputeSystemTrimCriteria+F4E9Bj
		mov	byte ptr [ebp+var_8], 1
		jmp	loc_4D4118
; 

loc_5C8ED6:				; CODE XREF: MiComputeSystemTrimCriteria+300j
		mov	edi, 8000h
		mov	byte ptr [ebp+var_8], 2
		jmp	loc_4D4160
; 

loc_5C8EE4:				; CODE XREF: MiComputeSystemTrimCriteria+31Bj
		cmp	[ebp+var_4], 0
		jnz	loc_4D4160
		mov	edi, eax
		jmp	loc_4D4160
; 

loc_5C8EF5:				; CODE XREF: MiComputeSystemTrimCriteria+13Cj
		mov	edx, [esi+474h]
		mov	eax, edx
		shl	eax, 2
		cmp	eax, ecx
		jnb	short loc_5C8F1A
		mov	ecx, [esi+4D0h]
		mov	[esi+4DCh], eax
		cmp	eax, ecx
		jnb	loc_4D4183
		jmp	short loc_5C8F39
; 

loc_5C8F1A:				; CODE XREF: MiComputeSystemTrimCriteria+F4ED4j
		lea	eax, [edx+edx]
		cmp	eax, ecx
		jbe	loc_4D4183
		mov	ecx, [esi+4D4h]
		mov	[esi+4DCh], eax
		cmp	eax, ecx
		jbe	loc_4D4183

loc_5C8F39:				; CODE XREF: MiComputeSystemTrimCriteria+F4EEAj
		mov	[esi+4DCh], ecx
		jmp	loc_4D4183
; 

loc_5C8F44:				; CODE XREF: MiComputeSystemTrimCriteria+172j
		cmp	eax, [esi+4E0h]
		ja	short loc_5C8F57
		mov	[esi+4C8h], edx
		jmp	loc_4D41A6
; 

loc_5C8F57:				; CODE XREF: MiComputeSystemTrimCriteria+F4F1Cj
		mov	eax, 0FAh
		mov	bl, cl
		cmp	[esi+4BEh], ax
		jnb	loc_4D41DD
		mov	[esi+4BEh], ax
		jmp	loc_4D41DD
; 

loc_5C8F77:				; CODE XREF: MiComputeSystemTrimCriteria+21Ej
					; MiComputeSystemTrimCriteria+229j
		mov	al, 64h
		jmp	loc_4D4264
; END OF FUNCTION CHUNK	FOR MiComputeSystemTrimCriteria
; 
; START	OF FUNCTION CHUNK FOR MiCheckLogPinDriverAddresses

loc_5C8F7E:				; CODE XREF: MiCheckLogPinDriverAddresses+2Ej
		jnz	loc_4D45DB
		mov	eax, ds:dword_6C6764
		bt	dword ptr [eax], 0
		setb	dl
		neg	dl
		sbb	dl, dl
		jmp	short loc_5C8FA6
; 

loc_5C8F96:				; CODE XREF: MiCheckLogPinDriverAddresses+51j
		push	20h
		pop	ecx
		sub	ecx, edi
		or	eax, 0FFFFFFFFh
		shr	eax, cl
		and	edx, eax
		neg	edx
		sbb	dl, dl

loc_5C8FA6:				; CODE XREF: MiCheckLogPinDriverAddresses+F4A76j
		inc	dl
		jmp	loc_4D4597
; END OF FUNCTION CHUNK	FOR MiCheckLogPinDriverAddresses
; 
; START	OF FUNCTION CHUNK FOR MiScheduleZeroPageThreads

loc_5C8FAD:				; CODE XREF: MiScheduleZeroPageThreads+89j
					; MiScheduleZeroPageThreads+92j
		inc	ds:dword_6C68F0
		jmp	loc_4D493F
; 

loc_5C8FB8:				; CODE XREF: MiScheduleZeroPageThreads+F2j
					; MiScheduleZeroPageThreads+FBj
		inc	ds:dword_6C68F8
		jmp	loc_4D4A11
; 

loc_5C8FC3:				; CODE XREF: MiScheduleZeroPageThreads+12Ej
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D4A3C
; 

loc_5C8FD3:				; CODE XREF: MiScheduleZeroPageThreads+14Cj
		lea	ecx, [ebp+var_24]
		call	KxWaitForLockChainValid
		jmp	loc_4D4A55
; END OF FUNCTION CHUNK	FOR MiScheduleZeroPageThreads
; 
; START	OF FUNCTION CHUNK FOR MiSignalLargePageRebuild

loc_5C8FE0:				; CODE XREF: MiSignalLargePageRebuild+68j
		mov	edx, eax
		lea	ecx, [ebp+var_14]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D4AEB
; 

loc_5C8FEF:				; CODE XREF: MiSignalLargePageRebuild+94j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D4B2C
; END OF FUNCTION CHUNK	FOR MiSignalLargePageRebuild
; 
; START	OF FUNCTION CHUNK FOR MiCheckTrimUnusedPageFileRegions

loc_5C8FFF:				; CODE XREF: MiCheckTrimUnusedPageFileRegions+44j
					; MiCheckTrimUnusedPageFileRegions+50j
		cmp	ds:byte_6D3029,	0
		jz	short loc_5C9021
		add	eax, 510BF600h
		mov	[esi+290h], eax
		adc	edx, 0FFFFFFF8h
		mov	[esi+294h], edx
		jmp	loc_4D4C3C
; 

loc_5C9021:				; CODE XREF: MiCheckTrimUnusedPageFileRegions+F4420j
		mov	ecx, [esi+64h]
		call	PsReferencePartitionSafe
		test	al, al
		jz	loc_4D4C3C
		push	dword ptr [esi+64h]
		lea	ecx, [esi+27Ch]
		and	dword ptr [ecx], 0
		push	0FFFFFFFFh
		push	3
		pop	edx
		mov	dword ptr [ecx+8], offset _MiTrimUnusedPageFileRegionsWorker@4 ; MiTrimUnusedPageFileRegionsWorker(x)
		mov	[ecx+0Ch], esi
		call	ExQueueWorkItemToPartition
		jmp	loc_4D4C3C
; END OF FUNCTION CHUNK	FOR MiCheckTrimUnusedPageFileRegions
; 
; START	OF FUNCTION CHUNK FOR MiScanPagefiles

loc_5C9056:				; CODE XREF: MiScanPagefiles+18j
		mov	eax, [esi+0F4Ch]
		test	eax, eax
		jz	loc_4D4C8A
		push	ebx
		xor	ebx, ebx
		cmp	[esi+1118h], ebx
		jz	loc_5C90F4
		cmp	[esi+24Ch], ebx
		jnz	short loc_5C90F4
		mov	ecx, [esi+250h]
		cmp	ecx, 1Eh
		jnb	short loc_5C9091
		lea	eax, [ecx+1]
		mov	[esi+250h], eax
		jmp	short loc_5C90F4
; 

loc_5C9091:				; CODE XREF: MiScanPagefiles+F4418j
		mov	ecx, ebx
		push	edi
		test	eax, eax
		jz	short loc_5C90B3
		lea	edx, [esi+0F54h]

loc_5C909E:				; CODE XREF: MiScanPagefiles+F4445j
		mov	edi, [edx]
		test	byte ptr [edi+74h], 50h
		jnz	short loc_5C90AB
		cmp	[edi+0Ch], ebx
		jnz	short loc_5C90F3

loc_5C90AB:				; CODE XREF: MiScanPagefiles+F4438j
		inc	ecx
		add	edx, 4
		cmp	ecx, eax
		jb	short loc_5C909E

loc_5C90B3:				; CODE XREF: MiScanPagefiles+F442Aj
		cmp	byte ptr [esi+177h], 1
		jnz	short loc_5C90F3
		mov	ecx, [esi+64h]
		mov	[esi+177h], bl
		mov	[esi+250h], ebx
		call	PsReferencePartitionSafe
		test	al, al
		jz	short loc_5C90F3
		push	dword ptr [esi+64h]
		lea	ecx, [esi+240h]
		push	0FFFFFFFFh
		push	2
		pop	edx
		mov	dword ptr [ecx+8], offset _MiScanPagefileSpace@4 ; MiScanPagefileSpace(x)
		mov	[ecx+0Ch], esi
		mov	[ecx], ebx
		call	ExQueueWorkItemToPartition

loc_5C90F3:				; CODE XREF: MiScanPagefiles+F443Dj
					; MiScanPagefiles+F444Ej ...
		pop	edi

loc_5C90F4:				; CODE XREF: MiScanPagefiles+F4401j
					; MiScanPagefiles+F440Dj ...
		pop	ebx
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR MiScanPagefiles
; 
; START	OF FUNCTION CHUNK FOR MiAdjustModifiedPageLoad

loc_5C90F7:				; CODE XREF: MiAdjustModifiedPageLoad+5Dj
		mov	eax, edx
		jmp	loc_4D4DD1
; 

loc_5C90FE:				; CODE XREF: MiAdjustModifiedPageLoad+11Ej
		and	[ebp+arg_0], 0
		lea	ecx, [ebp+arg_0]
		xor	edx, edx
		lock or	[ecx], edx
		cmp	eax, 4000h
		ja	short loc_5C9134
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		sub	eax, [esi+200h]
		sbb	edx, [esi+204h]
		mov	[ebp+var_8], edx
		jnz	short loc_5C9134
		cmp	eax, 47868C00h
		jb	loc_4D4E92

loc_5C9134:				; CODE XREF: MiAdjustModifiedPageLoad+F43A1j
					; MiAdjustModifiedPageLoad+F43B9j
		mov	eax, 0FFFEh
		mov	[ebp+var_4], 1
		and	[esi+20Ch], ax
		jmp	loc_4D4E92
; 

loc_5C914C:				; CODE XREF: MiAdjustModifiedPageLoad+170j
		mov	al, [edi+77h]
		test	al, 1
		jz	loc_4D4EE4
		and	al, 0FEh
		mov	[edi+77h], al
		jmp	loc_4D4EE4
; 

loc_5C9161:				; CODE XREF: MiAdjustModifiedPageLoad+1A6j
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	MiUpdateReserveClusterInfo
		jmp	loc_4D4DF5
; END OF FUNCTION CHUNK	FOR MiAdjustModifiedPageLoad
; 
; START	OF FUNCTION CHUNK FOR IopDecrementVpbRefCount

loc_5C9171:				; CODE XREF: IopDecrementVpbRefCount+34j
		mov	edx, edi
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D4FB2
; 

loc_5C917D:				; CODE XREF: IopDecrementVpbRefCount+60j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D4FEB
; 

loc_5C918C:				; CODE XREF: IopDecrementVpbRefCount+Aj
		dec	dword ptr [esi+14h]
		mov	eax, [esi+14h]
		jmp	loc_4D4FF7
; END OF FUNCTION CHUNK	FOR IopDecrementVpbRefCount
; 
; START	OF FUNCTION CHUNK FOR MiWritePageFileHash

loc_5C9197:				; CODE XREF: MiWritePageFileHash+36j
		push	0C0000010h
		push	0
		push	0
		push	1
		push	0
		push	ebx
		call	MmMapLockedPagesSpecifyCache
		mov	esi, eax
		mov	eax, [ebp+var_54]
		jmp	loc_4D586D
; 

loc_5C91B4:				; CODE XREF: MiWritePageFileHash+2Cj
		xor	esi, esi
		jmp	loc_4D5880
; END OF FUNCTION CHUNK	FOR MiWritePageFileHash
; 
; START	OF FUNCTION CHUNK FOR MiComputePageHash

loc_5C91BB:				; CODE XREF: MiComputePageHash+1Bj
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		mov	ecx, esi
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		push	0
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		xor	edx, edx
		call	MiMapPageInHyperSpaceWorker
		mov	edi, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], edi
		jmp	loc_4D59D5
; 

loc_5C91F7:				; CODE XREF: MiComputePageHash+9Fj
		push	0
		mov	dl, 21h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4D5A55
; END OF FUNCTION CHUNK	FOR MiComputePageHash
; 
; START	OF FUNCTION CHUNK FOR MiExpandSharedZeroCluster

loc_5C920E:				; CODE XREF: MiExpandSharedZeroCluster+4Dj
		mov	ebx, [eax]
		mov	eax, [eax+4]
		add	ebx, 0FFFFFFFFh
		adc	eax, 0FFFFFFFFh
		shrd	ebx, eax, 0Ch
		mov	[ebp+var_20], ebx
		jmp	loc_4D5ACA
; 

loc_5C9225:				; CODE XREF: MiExpandSharedZeroCluster+72j
		and	edi, 0FFFF0000h
		mov	[ebp+var_3C], 10000h
		mov	eax, edi
		mov	[ebp+var_40], edi
		shr	eax, 0Ch
		cmp	eax, [edx+0Ch]
		jb	loc_4D5C87
		lea	eax, [edi+0FFFFh]
		shr	eax, 0Ch
		cmp	eax, [edx+10h]
		ja	loc_4D5C87
		lea	eax, [ebp+var_40]
		mov	word ptr [ebp+var_70], 2
		mov	[ebp+var_6C], eax
		lea	ecx, [ebp+var_70]
		mov	[ebp+var_68], 1
		mov	[ebp+var_64], 0
		mov	[ebp+var_60], 0
		mov	[ebp+var_1], 1
		jmp	loc_4D5AE8
; 

loc_5C9282:				; CODE XREF: MiExpandSharedZeroCluster+1A0j
		mov	eax, [ebp+var_24]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	edi, eax
		jbe	loc_4D5C87
		jmp	loc_4D5C16
; 

loc_5C929F:				; CODE XREF: MiExpandSharedZeroCluster+1BFj
		mov	ecx, [ebp+var_C]
		xor	eax, eax
		or	eax, 400h
		push	ecx
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		jmp	loc_4D5C3A
; END OF FUNCTION CHUNK	FOR MiExpandSharedZeroCluster
; 
; START	OF FUNCTION CHUNK FOR MiYieldPageTableWalk

loc_5C92B5:				; CODE XREF: MiYieldPageTableWalk+47j
		and	al, 0FDh
		mov	[esi+2], al
		xor	eax, eax
		jmp	loc_4D61ED
; END OF FUNCTION CHUNK	FOR MiYieldPageTableWalk
; 
; START	OF FUNCTION CHUNK FOR MiReleaseWalkLocks

loc_5C92C1:				; CODE XREF: MiReleaseWalkLocks+3Aj
		push	offset dword_6D2E64
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	loc_4D623E
; END OF FUNCTION CHUNK	FOR MiReleaseWalkLocks
; 
; START	OF FUNCTION CHUNK FOR MiTrimWorkingSetTail

loc_5C92D0:				; CODE XREF: MiTrimWorkingSetTail+2Bj
		cmp	dword ptr [edx], 0
		jz	loc_4D627B
		push	ecx
		mov	ecx, edi
		call	_MiQueryEPTAccessedState@12 ; MiQueryEPTAccessedState(x,x,x)
		test	eax, eax
		jz	loc_4D627B
		mov	edx, [esi+0B4h]
		mov	ecx, edi
		push	esi
		push	offset _MiTrimWorkingSetEPTCallback@20 ; MiTrimWorkingSetEPTCallback(x,x,x,x,x)
		call	_MiProcessVmAccessedInfo@16 ; MiProcessVmAccessedInfo(x,x,x,x)
		jmp	loc_4D625F
; 

loc_5C9301:				; CODE XREF: MiTrimWorkingSetTail+37j
		mov	edx, esi
		mov	ecx, ebx
		call	_MiTrimmedEnough@8 ; MiTrimmedEnough(x,x)
		test	eax, eax
		jz	loc_4D6287
		push	4
		pop	eax
		jmp	loc_4D6289
; END OF FUNCTION CHUNK	FOR MiTrimWorkingSetTail
; 
; START	OF FUNCTION CHUNK FOR MiTrimWorkingSetBuildup

loc_5C931A:				; CODE XREF: MiTrimWorkingSetBuildup+94j
		mov	byte ptr [ebp+var_10], 6
		jmp	loc_4D6360
; 

loc_5C9323:				; CODE XREF: MiTrimWorkingSetBuildup+A5j
		xor	edx, edx
		mov	[ebp+var_4], edx
		jmp	loc_4D6370
; 

loc_5C932D:				; CODE XREF: MiTrimWorkingSetBuildup+C2j
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_8], edx

loc_5C9333:				; CODE XREF: MiTrimWorkingSetBuildup+2C1j
		cmp	[ebp+var_4], 0
		jz	loc_4D63E1
		lea	esi, [ecx+1]
		cmp	esi, edi
		jbe	short loc_5C9346
		mov	esi, edi

loc_5C9346:				; CODE XREF: MiTrimWorkingSetBuildup+F3082j
		dec	esi
		xor	edx, edx
		mov	[ebp+var_4], edx
		jmp	loc_4D6373
; 

loc_5C9351:				; CODE XREF: MiTrimWorkingSetBuildup+239j
					; MiTrimWorkingSetBuildup+262j
		mov	ecx, [ebp+var_4]
		jmp	loc_4D6493
; 

loc_5C9359:				; CODE XREF: MiTrimWorkingSetBuildup:loc_4D6496j
		or	edi, 0FFFFFFFFh
		jmp	loc_4D649C
; 

loc_5C9361:				; CODE XREF: MiTrimWorkingSetBuildup+5Cj
		mov	eax, 1
		jmp	loc_4D6324
; END OF FUNCTION CHUNK	FOR MiTrimWorkingSetBuildup
; 
; START	OF FUNCTION CHUNK FOR MiSetVaAgeList

loc_5C936B:				; CODE XREF: MiSetVaAgeList+1E1j
		mov	[ebp+var_8], 1
		jmp	loc_4D65E2
; 

loc_5C9377:				; CODE XREF: MiSetVaAgeList+61j
		mov	edx, ecx
		lea	ecx, [ebp+var_28]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D6818
; 

loc_5C9386:				; CODE XREF: MiSetVaAgeList+224j
		test	ds:byte_70EFC6,	1
		jz	short loc_5C939C
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5C93CD
; 

loc_5C939C:				; CODE XREF: MiSetVaAgeList+F2DEDj
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	short loc_5C93BB
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jz	short loc_5C93CD
		call	KxWaitForLockChainValid

loc_5C93BB:				; CODE XREF: MiSetVaAgeList+F2E01j
		mov	[ebp+var_28], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5C93CD:				; CODE XREF: MiSetVaAgeList+F2DFAj
					; MiSetVaAgeList+F2E14j
		xor	eax, eax
		jmp	loc_4D675D
; 

loc_5C93D4:				; CODE XREF: MiSetVaAgeList+155j
		push	edx
		push	ebx
		push	[ebp+var_C]
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C93E5:				; CODE XREF: MiSetVaAgeList+C9j
		push	[ebp+arg_0]
		push	ebx
		push	edx
		push	41286h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C93F6:				; CODE XREF: MiSetVaAgeList+190j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D6758
; END OF FUNCTION CHUNK	FOR MiSetVaAgeList
; 

loc_5C9406:				; CODE XREF: .text:004D690Cj
		mov	edx, eax
		lea	ecx, [ebp-0Ch]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D691F
; 

loc_5C9415:				; CODE XREF: .text:004D6919j
		lea	ecx, [ebp-0Ch]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4D691F
; 

loc_5C9422:				; CODE XREF: .text:004D6932j
		mov	edx, [ebp+4]
		lea	ecx, [ebp-0Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D68E2
; 

loc_5C9432:				; CODE XREF: .text:004D6956j
		lea	ecx, [ebp-0Ch]
		call	KxWaitForLockChainValid

loc_5C943A:				; CODE XREF: .text:004D693Dj
		mov	dword ptr [ebp-0Ch], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_4D68E2
; 
; START	OF FUNCTION CHUNK FOR IopIncrementDeviceObjectRefCount

loc_5C944C:				; CODE XREF: IopIncrementDeviceObjectRefCount+35j
		mov	edx, esi
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D6AB3
; 

loc_5C9458:				; CODE XREF: IopIncrementDeviceObjectRefCount+61j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D6AEC
; 

loc_5C9467:				; CODE XREF: IopIncrementDeviceObjectRefCount+88j
		mov	ecx, [ebx+8]
		test	ecx, ecx
		jz	short loc_5C9487
		mov	edx, 0A8h
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_5C9487:				; CODE XREF: IopIncrementDeviceObjectRefCount+F29FCj
		mov	eax, [ebx+4]
		push	eax
		push	6
		push	ebx
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C9498:				; CODE XREF: IopIncrementVpbRefCount+19j
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	short loc_5C94CF
		mov	edx, 0B8h
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+8]
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	short loc_5C94CF
		mov	edx, 0A8h
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+8]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_5C94CF:				; CODE XREF: IopIncrementDeviceObjectRefCount+F2A2Dj
					; IopIncrementDeviceObjectRefCount+F2A41j
		push	dword ptr [esi]
		push	7
		push	edi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5C94DE:				; CODE XREF: IopInterlockedIncrementUlong+35j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D6BA8
; END OF FUNCTION CHUNK	FOR IopIncrementDeviceObjectRefCount
; 
; START	OF FUNCTION CHUNK FOR ExAllocatePoolWithTagPriority

loc_5C94ED:				; CODE XREF: ExAllocatePoolWithTagPriority+22j
		cmp	[ebp+arg_4], 0FF0h
		jbe	loc_4D6EB2
		xor	eax, eax
		jmp	loc_4D6EE0
; END OF FUNCTION CHUNK	FOR ExAllocatePoolWithTagPriority
; 
; START	OF FUNCTION CHUNK FOR MiFreePoolPagesLeft

loc_5C9501:				; CODE XREF: MiFreePoolPagesLeft+1Bj
		cmp	esi, eax
		jnb	short loc_5C950C
		sub	eax, esi
		shl	eax, 9
		jmp	short loc_5C950E
; 

loc_5C950C:				; CODE XREF: MiFreePoolPagesLeft+F2457j
		xor	eax, eax

loc_5C950E:				; CODE XREF: MiFreePoolPagesLeft+F245Ej
		cmp	eax, edx
		jnb	loc_4D70CD
		mov	edx, eax
		jmp	loc_4D70CD
; END OF FUNCTION CHUNK	FOR MiFreePoolPagesLeft
; 
; START	OF FUNCTION CHUNK FOR FsRtlCreateSectionForDataScan

loc_5C951D:				; CODE XREF: FsRtlCreateSectionForDataScan+58j
		mov	eax, 0C0000020h
		jmp	loc_4D737E
; 

loc_5C9527:				; CODE XREF: FsRtlCreateSectionForDataScan+8Aj
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, large fs:124h
		and	dword ptr [ecx+2D4h], 0
		jmp	loc_4D7387
; 

loc_5C953F:				; CODE XREF: FsRtlCreateSectionForDataScan+A9j
		mov	esi, 0C0000011h
		jmp	loc_4D731B
; 

loc_5C9549:				; CODE XREF: FsRtlCreateSectionForDataScan+DAj
		push	offset _FsRtlHalfSecond
		xor	esi, esi
		push	esi
		push	esi
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		push	esi
		push	esi
		push	[esp+30h+var_14]
		push	edi
		push	esi
		jmp	loc_4D72D4
; 

loc_5C9564:				; CODE XREF: FsRtlCreateSectionForDataScan+4Cj
		mov	eax, 0C00000F7h
		jmp	loc_4D737E
; 

loc_5C956E:				; CODE XREF: FsRtlCreateSectionForDataScan+31j
					; FsRtlCreateSectionForDataScan+39j
		mov	eax, 0C00000F6h
		jmp	loc_4D737E
; END OF FUNCTION CHUNK	FOR FsRtlCreateSectionForDataScan

;  S U B	R O U T	I N E 


sub_5C9578	proc near		; DATA XREF: .text:006A20D4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_5C9578	endp


;  S U B	R O U T	I N E 


sub_5C9586	proc near		; DATA XREF: .text:006A20D8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_4D73DC
sub_5C9586	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlInitializeBaseMcbEx

loc_5C9598:				; CODE XREF: FsRtlInitializeBaseMcbEx+31j
		test	bl, 1
		jz	short loc_5C95A7
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5C95A7:				; CODE XREF: FsRtlInitializeBaseMcbEx+F218Bj
		xor	al, al
		jmp	loc_4D744F
; END OF FUNCTION CHUNK	FOR FsRtlInitializeBaseMcbEx
; 
; START	OF FUNCTION CHUNK FOR KeCancelTimer2

loc_5C95AE:				; CODE XREF: KeCancelTimer2+50j
		mov	edx, [ebp+4]
		mov	ecx, offset _KiTimer2CollectionLock
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D7600
; 

loc_5C95C0:				; CODE XREF: KeCancelTimer2+91j
		mov	[ebp+var_8], 4
		jmp	loc_4D7600
; 

loc_5C95CC:				; CODE XREF: KeCancelTimer2+7Cj
		test	bl, bl
		jz	loc_4D7622
		mov	ecx, esi
		call	_KiTraceCancelTimer2@8 ; KiTraceCancelTimer2(x,x)
		jmp	loc_4D7622
; END OF FUNCTION CHUNK	FOR KeCancelTimer2
; 
; START	OF FUNCTION CHUNK FOR KeDisableTimer2

loc_5C95E0:				; CODE XREF: KeDisableTimer2+13Ej
		test	edi, edi
		jz	loc_4D76A7
		imul	eax, 0C8BE1499h
		mov	[esp+68h+var_38], 8
		mov	[esp+68h+var_40], edi
		mov	[esp+68h+var_3C], eax
		jmp	loc_4D76A7
; 

loc_5C9600:				; CODE XREF: KeDisableTimer2+115j
		mov	edx, [ebp+4]
		mov	ecx, offset _KiTimer2CollectionLock
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D775B
; 

loc_5C9612:				; CODE XREF: KeDisableTimer2+AFj
		mov	[esp+68h+var_4C], 24h
		jmp	loc_4D775B
; 

loc_5C961F:				; CODE XREF: KeDisableTimer2+BEj
		push	0
		mov	edx, 40020000h
		lea	ecx, [esp+6Ch+var_28]
		call	EtwGetKernelTraceTimestampSilo
		jmp	loc_4D76FA
; 

loc_5C9634:				; CODE XREF: KeDisableTimer2+158j
		and	[esp+68h+var_30], 0
		xor	eax, eax
		inc	eax
		xor	ecx, ecx
		mov	word ptr [esp+68h+var_34], ax
		mov	edx, offset _RtlEndStrongEnumerationHashTable@8	; RtlEndStrongEnumerationHashTable(x,x)
		mov	word ptr [esp+68h+var_34+2], ax
		mov	eax, ds:_KiClockTimerOwner
		bts	ecx, eax
		push	2
		mov	[esp+6Ch+var_2C], ecx
		lea	ecx, [esp+6Ch+var_34]
		push	0
		call	_KeGenericProcessorCallback@16 ; KeGenericProcessorCallback(x,x,x,x)
		jmp	loc_4D771B
; 

loc_5C966B:				; CODE XREF: KeDisableTimer2+88j
		mov	cl, [esp+68h+var_53]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [esp+68h+var_48]
		jmp	loc_4D771B
; 

loc_5C967E:				; CODE XREF: KeDisableTimer2+EBj
		cmp	[esp+68h+var_51], 0
		jnz	loc_4D7727
		test	bl, bl
		jz	short loc_5C9694
		mov	ecx, esi
		call	_KiTraceCancelTimer2@8 ; KiTraceCancelTimer2(x,x)

loc_5C9694:				; CODE XREF: KeDisableTimer2+F2055j
		imul	eax, esi, 0C8BE1499h
		cmp	[esp+68h+var_52], 0
		mov	[esp+68h+var_44], eax
		mov	al, [esp+68h+var_38]
		jz	short loc_5C96AF
		or	al, 1
		mov	[esp+68h+var_38], al

loc_5C96AF:				; CODE XREF: KeDisableTimer2+F2071j
		cmp	[ebp+arg_0], 0
		jz	short loc_5C96BB
		or	al, 2
		mov	[esp+68h+var_38], al

loc_5C96BB:				; CODE XREF: KeDisableTimer2+F207Dj
		cmp	[esp+68h+var_54], 0
		mov	edx, 40020000h
		mov	ecx, 0F6Bh
		jnz	short loc_5C96DE
		or	al, 4
		mov	[esp+68h+var_38], al
		lea	eax, [esp+68h+var_28]
		push	eax
		push	602h
		jmp	short loc_5C96E8
; 

loc_5C96DE:				; CODE XREF: KeDisableTimer2+F2094j
		lea	eax, [esp+68h+var_28]
		push	eax
		push	400E02h

loc_5C96E8:				; CODE XREF: KeDisableTimer2+F20A6j
		push	10h
		lea	eax, [esp+74h+var_44]
		push	eax
		call	_EtwTraceTimedEvent@24 ; EtwTraceTimedEvent(x,x,x,x,x,x)
		jmp	loc_4D7727
; END OF FUNCTION CHUNK	FOR KeDisableTimer2
; 
; START	OF FUNCTION CHUNK FOR KiInsertTimer2

loc_5C96F9:				; CODE XREF: KiInsertTimer2+36j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D781F
; END OF FUNCTION CHUNK	FOR KiInsertTimer2
; 
; START	OF FUNCTION CHUNK FOR ExpSetTimer2

loc_5C9708:				; CODE XREF: ExpSetTimer2+4Fj
		mov	ecx, eax
		jmp	loc_4D78A3
; 

loc_5C970F:				; CODE XREF: ExpSetTimer2+6Cj
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_5C971A
		mov	ecx, eax

loc_5C971A:				; CODE XREF: ExpSetTimer2+F1EC8j
		nop
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], ecx
		jmp	loc_4D78C0
; END OF FUNCTION CHUNK	FOR ExpSetTimer2

;  S U B	R O U T	I N E 


sub_5C972B	proc near		; DATA XREF: .text:006A214Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_5C972B	endp


;  S U B	R O U T	I N E 


sub_5C9739	proc near		; DATA XREF: .text:006A2150o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4Ch]
		jmp	loc_4D7927
sub_5C9739	endp

; 
; START	OF FUNCTION CHUNK FOR ExpSetTimerObject2

loc_5C974B:				; CODE XREF: ExpSetTimerObject2+13j
					; ExpSetTimerObject2+1Bj
		test	byte ptr [esi+51h], 2
		jz	loc_4D795F
		mov	ebx, 0C000000Dh
		jmp	loc_4D79BA
; 

loc_5C975F:				; CODE XREF: ExpSetTimerObject2+2Fj
		mov	ebx, 0C00000F1h
		jmp	loc_4D79BA
; END OF FUNCTION CHUNK	FOR ExpSetTimerObject2
; 
; START	OF FUNCTION CHUNK FOR KiExpireTimer2

loc_5C9769:				; CODE XREF: KiExpireTimer2+B4j
		mov	eax, [esi+28h]
		mov	[ebp+var_34], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_30], eax
		mov	eax, [esi+30h]
		mov	[ebp+var_2C], eax
		mov	eax, [esi+34h]
		mov	[ebp+var_28], eax
		mov	al, [esi+51h]
		mov	[ebp+var_59], 1
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_61], al
		jmp	loc_4D7A9E
; 

loc_5C9796:				; CODE XREF: KiExpireTimer2+3E9j
		test	bl, 10h
		jnz	loc_4D7B15
		jmp	short loc_5C97AA
; 

loc_5C97A1:				; CODE XREF: KiExpireTimer2+3B3j
		test	bl, 10h
		jnz	loc_4D7B15

loc_5C97AA:				; CODE XREF: KiExpireTimer2+F1DBFj
		or	bl, 10h

loc_5C97AD:				; CODE XREF: KiExpireTimer2+402j
		mov	ecx, esi
		mov	[esi+51h], bl
		call	_KiUpdateTimer2Collections@4 ; KiUpdateTimer2Collections(x)
		jmp	loc_4D7B15
; 

loc_5C97BC:				; CODE XREF: KiExpireTimer2+160j
		cmp	byte ptr [ebp+var_75], 0
		jnz	loc_4D7B4D
		mov	edi, [esi+3Ch]
		lea	ecx, [ebp+var_75]
		mov	ebx, [esi+38h]
		mov	eax, [esi+2Ch]
		push	edi
		push	ebx
		push	eax
		mov	eax, [esi+28h]
		push	eax
		call	KiTimer2ComputeDueTime
		mov	ecx, [esi+34h]
		mov	[esi+28h], eax
		mov	[esi+2Ch], edx
		mov	edx, [esi+30h]
		mov	eax, edx
		and	eax, ecx
		cmp	eax, 0FFFFFFFFh
		jz	loc_4D7B31
		push	edi
		push	ebx
		push	ecx
		push	edx
		xor	ecx, ecx
		call	KiTimer2ComputeDueTime
		mov	[esi+30h], eax
		mov	[esi+34h], edx
		jmp	loc_4D7B31
; 

loc_5C980D:				; CODE XREF: KiExpireTimer2+18Fj
		mov	ecx, [ebp+var_6C]
		mov	edx, edi
		push	0
		push	100h
		call	KiTryUnwaitThread

loc_5C981E:				; CODE XREF: KiExpireTimer2+22Ej
					; KiExpireTimer2+394j ...
		lea	eax, [esi+8]
		cmp	ebx, eax
		jnz	loc_4D7AC8
		jmp	loc_4D7C14
; 

loc_5C982E:				; CODE XREF: KiExpireTimer2+468j
					; KiExpireTimer2+F1F65j
		mov	edi, eax
		mov	eax, [eax]
		mov	[ebp+var_80], eax
		mov	al, [edi+8]
		cmp	al, 1
		jnz	short loc_5C9848
		movzx	eax, word ptr [edi+0Ah]
		push	0
		push	eax
		jmp	loc_5C9934
; 

loc_5C9848:				; CODE XREF: KiExpireTimer2+F1E5Aj
		cmp	al, 2
		jnz	loc_5C992D
		mov	byte ptr [edi+9], 5
		mov	eax, [edi+0Ch]
		mov	[ebp+var_58], eax
		add	eax, 8
		mov	dword ptr [edi], 0
		mov	[ebp+var_71+1],	eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_68], eax
		mov	eax, [eax+4]
		mov	[ebp+var_60], eax
		jz	short loc_5C989C
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_60]
		mov	edx, edi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_5C989C:				; CODE XREF: KiExpireTimer2+F1EA5j
		mov	ecx, [ebp+var_58]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [ebp+var_71+1]
		mov	ecx, [ebp+var_58]
		cmp	[edx], edx
		jz	short loc_5C98E4
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+1Ch]
		jnb	short loc_5C98E4
		mov	eax, [ebp+var_60]
		mov	eax, [eax+0A4h]
		cmp	eax, ecx
		jnz	short loc_5C98CF
		mov	eax, [ebp+var_60]
		cmp	byte ptr [eax+18Bh], 0Fh
		jz	short loc_5C98E4

loc_5C98CF:				; CODE XREF: KiExpireTimer2+F1EE1j
		mov	edx, ecx
		mov	ecx, [ebp+var_68]
		push	edi
		call	KiWakeQueueWaiter
		mov	ecx, [ebp+var_58]
		test	al, al
		jnz	short loc_5C9923
		mov	edx, [ebp+var_71+1]

loc_5C98E4:				; CODE XREF: KiExpireTimer2+F1ECCj
					; KiExpireTimer2+F1ED4j ...
		mov	eax, [ecx+4]
		mov	[ebp+var_60], eax
		inc	eax
		mov	[ecx+4], eax
		lea	eax, [ecx+10h]
		mov	ebx, [eax+4]
		mov	[ebp+var_71+1],	ebx
		cmp	[ebx], eax
		jnz	loc_4D7AD6
		cmp	[ebp+var_60], 0
		mov	[edi+4], ebx
		mov	[edi], eax
		mov	[ebx], edi
		mov	ebx, [ebp+var_6C]
		mov	[eax+4], edi
		jnz	short loc_5C9923
		cmp	[edx], edx
		jz	short loc_5C9923
		mov	edx, ecx
		mov	ecx, [ebp+var_68]
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		mov	ecx, [ebp+var_58]

loc_5C9923:				; CODE XREF: KiExpireTimer2+F1EFFj
					; KiExpireTimer2+F1F30j ...
		mov	eax, 0FFFFFF7Fh
		lock and [ecx],	eax
		jmp	short loc_5C993D
; 

loc_5C992D:				; CODE XREF: KiExpireTimer2+F1E6Aj
		push	0
		push	100h

loc_5C9934:				; CODE XREF: KiExpireTimer2+F1E63j
		mov	edx, edi
		mov	ecx, ebx
		call	KiTryUnwaitThread

loc_5C993D:				; CODE XREF: KiExpireTimer2+F1F4Bj
		mov	eax, [ebp+var_80]
		lea	ecx, [esi+8]
		cmp	eax, ecx
		jnz	loc_5C982E
		jmp	loc_4D7E4E
; 

loc_5C9950:				; CODE XREF: KiExpireTimer2+305j
		push	0
		mov	edx, 40020000h
		lea	ecx, [ebp+var_54]
		call	EtwGetKernelTraceTimestampSilo
		jmp	loc_4D7CEB
; 

loc_5C9964:				; CODE XREF: KiExpireTimer2+261j
		push	eax
		push	ecx
		push	ebx
		push	5
		push	0C7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5C9973:				; CODE XREF: KiExpireTimer2+26Bj
		mov	cl, [ebp+var_61]
		imul	eax, esi, 0C8BE1499h
		mov	[ebp+var_18], ebx
		mov	[ebp+var_1C], eax
		imul	eax, edi, 0C8BE1499h
		mov	[ebp+var_14], eax
		call	_KiTimer2TypeFlagsToEtwFlags@4 ; KiTimer2TypeFlagsToEtwFlags(x)
		mov	cl, al
		mov	byte ptr [ebp+var_10], cl
		test	ebx, ebx
		jz	short loc_5C999F
		or	cl, 1
		mov	byte ptr [ebp+var_10], cl

loc_5C999F:				; CODE XREF: KiExpireTimer2+F1FB7j
		mov	eax, [ebp+var_24]
		or	eax, [ebp+var_20]
		jz	short loc_5C99AD
		or	cl, 2
		mov	byte ptr [ebp+var_10], cl

loc_5C99AD:				; CODE XREF: KiExpireTimer2+F1FC5j
		test	ebx, ebx
		jnz	short loc_5C99BF
		push	ebx
		mov	edx, 40020000h
		lea	ecx, [ebp+var_54]
		call	EtwGetKernelTraceTimestampSilo

loc_5C99BF:				; CODE XREF: KiExpireTimer2+F1FCFj
		lea	eax, [ebp+var_54]
		mov	edx, 40020000h
		push	eax
		push	400E02h
		push	28h
		lea	eax, [ebp+var_34]
		mov	ecx, 0F69h
		push	eax
		call	_EtwTraceTimedEvent@24 ; EtwTraceTimedEvent(x,x,x,x,x,x)
		jmp	loc_4D7C51
; END OF FUNCTION CHUNK	FOR KiExpireTimer2
; 
; START	OF FUNCTION CHUNK FOR KiTimer2Expiration

loc_5C99E2:				; CODE XREF: KiTimer2Expiration+21Bj
		push	602h
		push	0F50h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], ebx
		push	40020000h
		mov	edx, 1
		mov	[ebp+var_14], edi
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_10], 1
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], 10h
		mov	[ebp+var_1C], esi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_4D8081
; 

loc_5C9A20:				; CODE XREF: KiTimer2Expiration+1D9j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5C9A27:				; CODE XREF: KiTimer2Expiration+F0j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D7F5B
; 

loc_5C9A34:				; CODE XREF: KiTimer2Expiration+26Aj
		test	byte ptr [esi+51h], 2
		jz	loc_4D7F89
		jmp	loc_4D8098
; END OF FUNCTION CHUNK	FOR KiTimer2Expiration
; 
; START	OF FUNCTION CHUNK FOR KeSetTimer2

loc_5C9A43:				; CODE XREF: KeSetTimer2+230j
					; KeSetTimer2+23Ej
		mov	[esp+40h+var_20], eax
		mov	[esp+40h+var_1C], 0
		jmp	loc_4D8126
; 

loc_5C9A54:				; CODE XREF: KeSetTimer2+24Dj
		call	RtlGetSystemTimePrecise
		mov	ecx, eax
		jmp	loc_4D8368
; 

loc_5C9A60:				; CODE XREF: KeSetTimer2+272j
		mov	esi, 0FFDF0018h
		lea	edi, [esi-4]
		lea	ebx, [esi+4]

loc_5C9A6B:				; CODE XREF: KeSetTimer2+F198Cj
		lea	ecx, [esp+40h+var_10]
		call	KeYieldProcessorEx
		mov	edx, [esi]
		mov	ecx, [edi]
		mov	eax, [ebx]
		cmp	edx, eax
		jnz	short loc_5C9A6B
		mov	esi, [ebp+arg_0]
		mov	edi, [ebp+arg_8]
		mov	ebx, [ebp+arg_4]
		jmp	loc_4D8368
; 

loc_5C9A8C:				; CODE XREF: KeSetTimer2+211j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D830C
; 

loc_5C9A99:				; CODE XREF: KeSetTimer2+2F9j
		test	dh, dh
		jnz	loc_4D8248
		jmp	loc_4D8412
; 

loc_5C9AA6:				; CODE XREF: KeSetTimer2+18Bj
		push	edi
		mov	dl, bl
		call	_KiTraceSetTimer2@12 ; KiTraceSetTimer2(x,x,x)
		jmp	loc_4D82A6
; 

loc_5C9AB3:				; CODE XREF: KeSetTimer2+1ABj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D82A6
; END OF FUNCTION CHUNK	FOR KeSetTimer2
; 
; START	OF FUNCTION CHUNK FOR KiTimer2ComputeDueTime

loc_5C9AC0:				; CODE XREF: KiTimer2ComputeDueTime+28j
					; KiTimer2ComputeDueTime+3Bj
		test	esi, esi
		jz	short loc_5C9AC7
		mov	byte ptr [esi],	1

loc_5C9AC7:				; CODE XREF: KiTimer2ComputeDueTime+F168Cj
		push	0FFFFFFFEh
		pop	eax
		or	edx, 0FFFFFFFFh
		jmp	loc_4D847B
; END OF FUNCTION CHUNK	FOR KiTimer2ComputeDueTime
; 
; START	OF FUNCTION CHUNK FOR KiAcquireTimer2CollectionLockIfInserted

loc_5C9AD2:				; CODE XREF: KiAcquireTimer2CollectionLockIfInserted+28j
		test	ds:byte_70EFC6,	1
		jz	short loc_5C9AEA
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D8578
; 

loc_5C9AEA:				; CODE XREF: KiAcquireTimer2CollectionLockIfInserted+F1591j
		xor	eax, eax
		lock and [edi],	eax
		jmp	loc_4D8578
; END OF FUNCTION CHUNK	FOR KiAcquireTimer2CollectionLockIfInserted
; 
; START	OF FUNCTION CHUNK FOR KiAcquireTimer2LockUnlessDisabled

loc_5C9AF4:				; CODE XREF: KiAcquireTimer2LockUnlessDisabled+Fj
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		mov	al, [esi+1]
		jmp	loc_4D8591
; END OF FUNCTION CHUNK	FOR KiAcquireTimer2LockUnlessDisabled
; 
; START	OF FUNCTION CHUNK FOR KiInsertTimer2WithCollectionLockHeld

loc_5C9B04:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+178j
					; KiInsertTimer2WithCollectionLockHeld+F1580j ...
		mov	esi, eax
		mov	[ebp+var_18], edx
		nop
		mov	ebx, edi
		mov	edi, [ebp+var_8]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_C]
		cmp	eax, esi
		jnz	short loc_5C9B04
		cmp	edx, [ebp+var_18]
		jnz	short loc_5C9B04
		mov	edi, [ebp+var_10]
		jmp	loc_4D86A2
; 

loc_5C9B27:				; CODE XREF: KiInsertTimer2WithCollectionLockHeld+145j
		mov	ecx, edi
		call	KiRemoveTimer2
		xor	bl, bl
		jmp	loc_4D8638
; END OF FUNCTION CHUNK	FOR KiInsertTimer2WithCollectionLockHeld
; 
; START	OF FUNCTION CHUNK FOR KiInsertTimer2IntoCollection

loc_5C9B35:				; CODE XREF: KiInsertTimer2IntoCollection+197j
					; KiInsertTimer2IntoCollection+F1424j ...
		mov	esi, eax
		mov	[ebp+arg_0], edx
		nop
		mov	ebx, [ebp+var_4]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_5C9B35
		cmp	edx, [ebp+arg_0]
		jnz	short loc_5C9B35
		jmp	loc_4D8898
; END OF FUNCTION CHUNK	FOR KiInsertTimer2IntoCollection
; 
; START	OF FUNCTION CHUNK FOR KiRemoveTimer2

loc_5C9B50:				; CODE XREF: KiRemoveTimer2+C5j
					; KiRemoveTimer2+CEj
		mov	edi, [ebp+var_8]
		mov	ecx, [ebp+var_24]

loc_5C9B56:				; CODE XREF: KiRemoveTimer2+F12A5j
					; KiRemoveTimer2+F12AAj
		mov	esi, eax
		mov	[ebp+var_24], edx
		nop
		mov	ebx, [ebp+var_28]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_5C9B56
		cmp	edx, [ebp+var_24]
		jnz	short loc_5C9B56
		jmp	short loc_5C9B86
; 

loc_5C9B6E:				; CODE XREF: KiRemoveTimer2+1EFj
					; KiRemoveTimer2+F12BFj ...
		mov	esi, eax
		mov	[ebp+var_28], edx
		nop
		or	ebx, 0FFFFFFFFh
		or	ecx, ebx
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_5C9B6E
		cmp	edx, [ebp+var_28]
		jnz	short loc_5C9B6E

loc_5C9B86:				; CODE XREF: KiRemoveTimer2+F12ACj
		mov	edi, [ebp+var_4]
		jmp	loc_4D8994
; 

loc_5C9B8E:				; CODE XREF: KiRemoveTimer2+16Aj
					; KiRemoveTimer2+173j
		mov	edi, [ebp+var_10]
		mov	ecx, [ebp+var_18]

loc_5C9B94:				; CODE XREF: KiRemoveTimer2+F12EFj
					; KiRemoveTimer2+F12F4j
		mov	esi, eax
		mov	[ebp+var_28], edx
		mov	[ebp+var_2C], offset _KiNextTimer2DueTime
		nop
		mov	ebx, edi
		mov	edi, [ebp+var_2C]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_10]
		cmp	eax, esi
		jnz	short loc_5C9B94
		cmp	edx, [ebp+var_28]
		jnz	short loc_5C9B94
		mov	edi, [ebp+var_14]
		jmp	loc_4D8A39
; END OF FUNCTION CHUNK	FOR KiRemoveTimer2
; 
; START	OF FUNCTION CHUNK FOR KiResetGlobalDpcWatchdogProfiler

loc_5C9BBE:				; CODE XREF: KiResetGlobalDpcWatchdogProfiler+10j
		mov	eax, [ecx+3B0Ch]
		cmp	eax, [ecx+3B14h]
		jge	locret_4D8B88
		mov	eax, ds:_KiDpcWatchdogProfileArrayLength
		shl	eax, 2
		push	eax		; size_t
		push	0		; int
		push	edx		; void *
		mov	[ecx+4064h], edx
		call	_memset
		add	esp, 0Ch
		retn
; END OF FUNCTION CHUNK	FOR KiResetGlobalDpcWatchdogProfiler
; 
; START	OF FUNCTION CHUNK FOR KiFinalizeTimer2Disablement

loc_5C9BEB:				; CODE XREF: KiFinalizeTimer2Disablement+5Ej
		push	0
		mov	edx, 40020000h
		lea	ecx, [ebp+var_30]
		call	EtwGetKernelTraceTimestampSilo
		jmp	loc_4D8C24
; 

loc_5C9BFF:				; CODE XREF: KiFinalizeTimer2Disablement+3Bj
		imul	eax, edx, 0C8BE1499h
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], eax
		imul	eax, ebx, 0C8BE1499h
		mov	[ebp+var_8], eax
		test	esi, esi
		jnz	short loc_5C9C26
		push	esi
		mov	edx, 40020000h
		lea	ecx, [ebp+var_30]
		call	EtwGetKernelTraceTimestampSilo

loc_5C9C26:				; CODE XREF: KiFinalizeTimer2Disablement+F1056j
		lea	eax, [ebp+var_30]
		mov	edx, 40020000h
		push	eax
		push	400E02h
		push	0Ch
		lea	eax, [ebp+var_10]
		mov	ecx, 0F6Ch
		push	eax
		call	_EtwTraceTimedEvent@24 ; EtwTraceTimedEvent(x,x,x,x,x,x)
		jmp	loc_4D8C01
; END OF FUNCTION CHUNK	FOR KiFinalizeTimer2Disablement
; 
; START	OF FUNCTION CHUNK FOR NtCancelWaitCompletionPacket

loc_5C9C49:				; CODE XREF: NtCancelWaitCompletionPacket+89j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	edi, [esp+28h+var_1C]
		jmp	loc_4D8CCA
; 

loc_5C9C5C:				; CODE XREF: NtCancelWaitCompletionPacket+16Ej
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D8DAF
; 

loc_5C9C6B:				; CODE XREF: NtCancelWaitCompletionPacket+F4j
		mov	edx, [ebp+4]
		lea	ecx, [esp+28h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4D8D52
; 

loc_5C9C7C:				; CODE XREF: NtCancelWaitCompletionPacket+116j
		lea	ecx, [esp+28h+var_C]
		call	KxWaitForLockChainValid
		jmp	loc_4D8D85
; END OF FUNCTION CHUNK	FOR NtCancelWaitCompletionPacket
; 
; START	OF FUNCTION CHUNK FOR KeShouldYieldProcessor

loc_5C9C8A:				; CODE XREF: KeShouldYieldProcessor+1Fj
		mov	edi, 1
		cmp	ebx, 7
		jbe	loc_4D8F82
		mov	al, [ecx+2239h]
		test	al, al
		jnz	loc_4D8F2D

loc_5C9CA6:				; CODE XREF: KeShouldYieldProcessor+7Dj
		test	dl, 1Eh
		jz	short loc_5C9CB5
		mov	edi, 5
		jmp	loc_4D8F2D
; 

loc_5C9CB5:				; CODE XREF: KeShouldYieldProcessor+F0DC9j
		mov	eax, [ecx+4]
		cmp	eax, [ecx+0Ch]
		jz	loc_4D8F63
		mov	edi, 6
		jmp	loc_4D8F2D
; 

loc_5C9CCB:				; CODE XREF: KeShouldYieldProcessor+57j
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceShouldYieldProcessor@12 ; EtwTraceShouldYieldProcessor(x,x,x)
		jmp	loc_4D8F3D
; END OF FUNCTION CHUNK	FOR KeShouldYieldProcessor
; 
; START	OF FUNCTION CHUNK FOR SepSidInTokenSidHash

loc_5C9CDA:				; CODE XREF: SepSidInTokenSidHash+1Cj
		test	esi, esi
		jz	loc_4D8FD0
		push	esi
		push	ds:_SeAliasAdminsSid
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	loc_4D8FE8
		jmp	loc_4D8FD0
; END OF FUNCTION CHUNK	FOR SepSidInTokenSidHash
; 
; START	OF FUNCTION CHUNK FOR RtlSidDominates

loc_5C9CFB:				; CODE XREF: RtlSidDominates+86j
					; RtlSidDominates+DDj
		mov	eax, 0C000000Dh
		jmp	loc_4D91C4
; END OF FUNCTION CHUNK	FOR RtlSidDominates
; 
; START	OF FUNCTION CHUNK FOR PsTimerResolutionActive

loc_5C9D05:				; CODE XREF: PsTimerResolutionActive+Aj
		test	dword ptr [ecx+3A8h], 4000000h
		jnz	loc_4D938C
		mov	al, 1
		retn
; END OF FUNCTION CHUNK	FOR PsTimerResolutionActive
; 
; START	OF FUNCTION CHUNK FOR PopFxActivateComponent

loc_5C9D18:				; CODE XREF: PopFxActivateComponent+E6j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D9661
; END OF FUNCTION CHUNK	FOR PopFxActivateComponent
; 
; START	OF FUNCTION CHUNK FOR PopFxActivateComponentWorker

loc_5C9D27:				; CODE XREF: PopFxActivateComponentWorker+1Bj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	esi, [edi+50h]
		mov	[esp+18h+var_6], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [edi+78h]
		xor	eax, eax
		mov	[edi+80h], ecx
		mov	[esp+18h+var_4], eax
		test	ecx, ecx
		jz	short loc_5C9DA5

loc_5C9D4E:				; CODE XREF: PopFxActivateComponentWorker+F0730j
		mov	edx, [edi+7Ch]
		push	[ebp+arg_0]
		push	2
		mov	ecx, [edx+eax*8]
		mov	eax, [ebx+240h]
		mov	esi, [eax+ecx*4]
		mov	ecx, ebx
		mov	eax, [esp+20h+var_4]
		mov	byte ptr [edx+eax*8+4],	1
		mov	edx, esi
		call	PopFxActivateComponent
		cmp	dword ptr [esi+34h], 0
		jge	short loc_5C9D8C
		mov	eax, [edi+7Ch]
		mov	ecx, [esp+18h+var_4]
		mov	byte ptr [eax+ecx*8+4],	0
		dec	dword ptr [edi+80h]

loc_5C9D8C:				; CODE XREF: PopFxActivateComponentWorker+F070Aj
		mov	eax, [esp+18h+var_4]
		mov	ecx, [edi+80h]
		inc	eax
		mov	[esp+18h+var_4], eax
		cmp	eax, [edi+78h]
		jb	short loc_5C9D4E
		lea	esi, [edi+50h]
		test	ecx, ecx

loc_5C9DA5:				; CODE XREF: PopFxActivateComponentWorker+F06DEj
		setz	[esp+18h+var_5]
		test	ds:byte_70EFC6,	1
		jz	short loc_5C9DBF
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5C9DC4
; 

loc_5C9DBF:				; CODE XREF: PopFxActivateComponentWorker+F0743j
		xor	eax, eax
		lock and [esi],	eax

loc_5C9DC4:				; CODE XREF: PopFxActivateComponentWorker+F074Fj
		mov	cl, [esp+18h+var_6]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, [esp+18h+var_5]
		jmp	loc_4D9691
; END OF FUNCTION CHUNK	FOR PopFxActivateComponentWorker
; 
; START	OF FUNCTION CHUNK FOR PopFxAddRefDevice

loc_5C9DD7:				; CODE XREF: PopFxAddRefDevice+12j
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		jnz	short loc_5C9DF0
		push	0
		push	0
		lea	eax, [esi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_5C9DF0:				; CODE XREF: PopFxAddRefDevice+F0710j
		push	0
		push	0C0000056h
		mov	edx, esi
		mov	ecx, 607h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
		int	3		; Trap to Debugger

loc_5C9E04:				; CODE XREF: IoAcquireRemoveLockEx+1Fj
		push	ebx
		push	dword ptr [edi+28h]
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_5C9E20
		lock inc dword ptr [edi+38h]
		jmp	short loc_5C9E83
; 

loc_5C9E20:				; CODE XREF: PopFxAddRefDevice+F074Aj
		mov	eax, [ebp+0Ch]
		mov	[ebx], esi
		mov	[ebx+8], esi
		mov	[ebx+0Ch], esi
		mov	[ebx+4], eax
		mov	eax, [ebp+10h]
		mov	[ebx+10h], eax
		mov	eax, [ebp+14h]
		mov	[ebx+14h], eax
		lea	eax, [ebx+8]
		push	eax
		call	KeQueryTickCount
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+34h]
		mov	[ebp+0Bh], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [edi+50h]
		mov	[ebx], edx
		mov	[edi+50h], ebx
		test	ds:byte_70EFC6,	1
		jz	short loc_5C9E72
		mov	edx, [ebp+4]
		lea	ecx, [edi+34h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5C9E7A
; 

loc_5C9E72:				; CODE XREF: PopFxAddRefDevice+F0795j
		xor	ecx, ecx
		lea	eax, [edi+34h]
		lock and [eax],	ecx

loc_5C9E7A:				; CODE XREF: PopFxAddRefDevice+F07A2j
		mov	cl, [ebp+0Bh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5C9E83:				; CODE XREF: PopFxAddRefDevice+F0750j
		pop	ebx
		jmp	loc_4D9713
; END OF FUNCTION CHUNK	FOR PopFxAddRefDevice
; 
; START	OF FUNCTION CHUNK FOR IoAcquireRemoveLockEx

loc_5C9E89:				; CODE XREF: IoAcquireRemoveLockEx+13j
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		jnz	short loc_5C9E9F
		xor	esi, esi
		lea	eax, [edi+8]
		push	esi
		push	esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_5C9E9F:				; CODE XREF: IoAcquireRemoveLockEx+F07A2j
		mov	esi, 0C0000056h
		jmp	loc_4D9713
; END OF FUNCTION CHUNK	FOR IoAcquireRemoveLockEx
; 
; START	OF FUNCTION CHUNK FOR PopFxProcessWork

loc_5C9EA9:				; CODE XREF: PopFxProcessWork+344j
		push	0
		push	0
		push	0Eh
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		jmp	loc_4D985E
; 

loc_5C9EB9:				; CODE XREF: PopFxProcessWork+11Ej
		mov	ecx, [edi+1Ch]
		xor	dl, dl
		push	0
		call	PopDiagTraceFxDevicePowerRequirement
		push	dword ptr [edi+64h]
		call	dword ptr [edi+4Ch]
		push	40h
		lea	eax, [edi+10h]
		pop	ecx
		lock or	[eax], ecx
		mov	eax, esi
		lea	ecx, [edi+18h]
		lock xadd [ecx], eax
		jz	loc_4D9840
		mov	ecx, [edi+1Ch]
		xor	edx, edx
		push	0
		push	0
		push	11h
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		jmp	loc_4D9840
; 

loc_5C9EF8:				; CODE XREF: PopFxProcessWork+12Bj
		mov	edx, [ebp+4]
		mov	ecx, [esp+48h+var_28]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D9856
; 

loc_5C9F09:				; CODE XREF: PopFxProcessWork+5Bj
					; DATA XREF: .text:004D9AE0o
		mov	ecx, [ebx+4]
		mov	edx, ebx
		call	_PopFxAcpiForwardPepWorkRequest@8 ; PopFxAcpiForwardPepWorkRequest(x,x)
		jmp	loc_4D9861
; 

loc_5C9F18:				; CODE XREF: PopFxProcessWork+2F4j
		push	0

loc_5C9F1A:				; CODE XREF: PopFxProcessWork+39Cj
					; PopFxProcessWork+F0819j
		push	ecx
		xor	edx, edx
		mov	ecx, 616h
		jmp	short loc_5C9F2E
; 

loc_5C9F24:				; CODE XREF: PopFxProcessWork+1ABj
		push	3

loc_5C9F26:				; CODE XREF: PopFxProcessWork+F086Ej
					; PopFxProcessWork+F0872j
		push	esi

loc_5C9F27:				; CODE XREF: PopFxProcessWork+F0877j
		xor	edx, edx
		mov	ecx, 615h

loc_5C9F2E:				; CODE XREF: PopFxProcessWork+F0806j
					; PopFxProcessWork+F082Ej ...
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_5C9F33:				; CODE XREF: PopFxProcessWork+302j
		push	1
		jmp	short loc_5C9F1A
; 

loc_5C9F37:				; CODE XREF: PopFxProcessWork+2DCj
		push	ecx
		push	edx
		jmp	short loc_5C9F3D
; 

loc_5C9F3B:				; CODE XREF: PopFxProcessWork+172j
		push	ebx
		push	edi

loc_5C9F3D:				; CODE XREF: PopFxProcessWork+F081Dj
		xor	edx, edx
		jmp	short loc_5C9F45
; 

loc_5C9F41:				; CODE XREF: PopFxProcessWork+F099Cj
		push	esi

loc_5C9F42:				; CODE XREF: PopFxProcessWork+F0A44j
		push	edi
		mov	edx, eax

loc_5C9F45:				; CODE XREF: PopFxProcessWork+F0823j
		mov	ecx, 611h
		jmp	short loc_5C9F2E
; 

loc_5C9F4C:				; CODE XREF: PopFxProcessWork+23j
					; PopFxProcessWork+2Cj	...
		push	0
		push	ecx
		mov	edx, eax
		jmp	short loc_5C9F58
; 

loc_5C9F53:				; CODE XREF: PopFxProcessWork+F098Dj
					; PopFxProcessWork+F09C6j
		push	0
		push	ecx
		xor	edx, edx

loc_5C9F58:				; CODE XREF: PopFxProcessWork+F0835j
		mov	ecx, 603h
		jmp	short loc_5C9F2E
; 

loc_5C9F5F:				; CODE XREF: PopFxProcessWork+F2j
					; PopFxProcessWork+FFj	...
		push	0
		push	edi
		xor	edx, edx
		mov	ecx, 610h
		jmp	short loc_5C9F2E
; 

loc_5C9F6B:				; CODE XREF: PopFxProcessWork+C7j
		push	1
		jmp	short loc_5C9F71
; 

loc_5C9F6F:				; CODE XREF: PopFxProcessWork+267j
		push	0

loc_5C9F71:				; CODE XREF: PopFxProcessWork+F0851j
		push	edi
		xor	edx, edx
		mov	ecx, 609h
		jmp	short loc_5C9F2E
; 

loc_5C9F7B:				; CODE XREF: PopFxProcessWork+1EDj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D9914
; 

loc_5C9F88:				; CODE XREF: PopFxProcessWork+1A0j
		push	2
		jmp	short loc_5C9F26
; 

loc_5C9F8C:				; CODE XREF: PopFxProcessWork+192j
		push	1
		jmp	short loc_5C9F26
; 

loc_5C9F90:				; CODE XREF: PopFxProcessWork+189j
		push	0
		push	ebx
		jmp	short loc_5C9F27
; 

loc_5C9F95:				; CODE XREF: PopFxProcessWork+5Bj
					; DATA XREF: .text:004D9ACCo
		mov	edi, [ebx+4]
		xor	ecx, ecx
		mov	edx, 0C0000002h
		cmp	[edi+50h], ecx
		jz	short loc_5CA00D
		lea	eax, [edi+80h]
		lock inc dword ptr [eax]
		cmp	[edi+7Ch], cl
		jz	short loc_5C9FCE
		lock xadd [eax], esi
		dec	esi
		jnz	short loc_5C9FC7
		push	ecx
		push	ecx
		lea	eax, [edi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_5C9FC7:				; CODE XREF: PopFxProcessWork+F089Bj
		mov	edx, 0C0000056h
		jmp	short loc_5CA00D
; 

loc_5C9FCE:				; CODE XREF: PopFxProcessWork+F0894j
		lea	eax, [esp+48h+var_20]
		push	eax
		push	dword ptr [ebx+1Ch]
		push	dword ptr [ebx+18h]
		push	dword ptr [ebx+14h]
		push	dword ptr [ebx+10h]
		push	dword ptr [ebx+8]
		push	dword ptr [edi+64h]
		call	dword ptr [edi+50h]
		mov	[esp+64h+var_40], eax
		lea	eax, [edi+80h]
		lock xadd [eax], esi
		dec	esi
		jnz	short loc_5CA009
		push	0
		push	0
		lea	ecx, [edi+84h]
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_5CA009:				; CODE XREF: PopFxProcessWork+F08DBj
		mov	edx, [esp+64h+var_40]

loc_5CA00D:				; CODE XREF: PopFxProcessWork+F0886j
					; PopFxProcessWork+F08B0j
		mov	eax, [edi+20h]
		mov	[esp+64h+var_20], edx
		mov	ecx, [eax+18h]
		mov	eax, [ecx+28h]
		mov	[esp+64h+var_30], eax
		mov	eax, [ebx+8]
		mov	[esp+64h+var_2C], eax
		mov	eax, [ebx+0Ch]
		mov	[esp+64h+var_28], eax
		mov	eax, [esp+64h+var_3C]
		mov	[esp+64h+var_24], eax
		mov	eax, [ecx+24h]
		lea	ecx, [esp+64h+var_30]
		push	ecx
		push	0Fh
		call	dword ptr [eax+40h]
		jmp	loc_4D995D
; 

loc_5CA046:				; CODE XREF: PopFxProcessWork+5Bj
					; DATA XREF: .text:004D9AD0o
		mov	esi, [ebx+4]
		call	edx
		lea	edi, [esi+0C8h]
		mov	[esp+48h+var_35], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte ptr [ebx+8], 0
		jz	short loc_5CA06D
		push	8
		lea	ecx, [esi+10h]
		pop	eax
		lock or	[ecx], eax
		jmp	short loc_5CA076
; 

loc_5CA06D:				; CODE XREF: PopFxProcessWork+F0944j
		push	0FFFFFFF7h
		pop	ecx
		lea	eax, [esi+10h]
		lock and [eax],	ecx

loc_5CA076:				; CODE XREF: PopFxProcessWork+F094Fj
		mov	ecx, esi
		call	PopFxUpdateDeviceIdleTimer
		test	ds:byte_70EFC6,	1
		jz	short loc_5CA092
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5CA097
; 

loc_5CA092:				; CODE XREF: PopFxProcessWork+F0968j
		xor	eax, eax
		lock and [edi],	eax

loc_5CA097:				; CODE XREF: PopFxProcessWork+F0974j
		mov	cl, [esp+48h+var_35]
		call	[esp+48h+var_2C]
		jmp	loc_4D995D
; 

loc_5CA0A4:				; CODE XREF: PopFxProcessWork+5Bj
					; DATA XREF: .text:004D9AD4o
		mov	edi, [ebx+4]
		test	eax, eax
		jz	loc_5C9F53
		mov	esi, [ebx+8]
		cmp	esi, [edi+23Ch]
		jnb	loc_5C9F41
		mov	ecx, [edi+1Ch]
		mov	edx, esi
		push	0
		push	1
		push	12h
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		mov	ecx, [edi+20h]
		mov	edx, esi
		call	_PopPepCompleteComponentIdleState@8 ; PopPepCompleteComponentIdleState(x,x)
		jmp	loc_4D995D
; 

loc_5CA0DD:				; CODE XREF: PopFxProcessWork+5Bj
					; DATA XREF: .text:004D9AD8o
		mov	edi, [ebx+4]
		test	eax, eax
		jz	loc_5C9F53
		mov	edx, [ebx+8]
		cmp	edx, [edi+23Ch]
		jnb	short loc_5CA15F
		lfence	eax
		mov	eax, [edi+240h]
		mov	eax, [eax+edx*4]
		mov	[esp+48h+var_1C], eax
		mov	eax, [eax+168h]
		mov	[esp+48h+var_18], eax
		add	eax, 18h
		lock xadd [eax], esi
		dec	esi
		mov	ecx, 20000000h
		lock or	[eax], ecx
		test	esi, 8000000h
		jnz	short loc_5CA133
		mov	ecx, [edi+1Ch]
		push	0
		push	1
		push	14h
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)

loc_5CA133:				; CODE XREF: PopFxProcessWork+F0A07j
		mov	ecx, [esp+48h+var_18]
		and	esi, 7
		mov	edx, esi
		call	_PopDiagTraceFxPerfRequestProgress@8 ; PopDiagTraceFxPerfRequestProgress(x,x)
		mov	edx, [esp+48h+var_1C]
		mov	ecx, edi
		movzx	eax, byte ptr [ebx+0Ch]
		push	eax
		push	dword ptr [edx+168h]
		mov	edx, [edx+10h]
		call	_PopFxCompleteComponentPerfState@16 ; PopFxCompleteComponentPerfState(x,x,x,x)
		jmp	loc_4D995D
; 

loc_5CA15F:				; CODE XREF: PopFxProcessWork+F09D5j
		push	edx
		jmp	loc_5C9F42
; 

loc_5CA165:				; CODE XREF: PopFxProcessWork+5Bj
					; DATA XREF: .text:004D9ADCo
		mov	ecx, [ebx+4]
		mov	edx, ebx
		call	_PopFxAcpiForwardPepAcpiNotifyRequest@8	; PopFxAcpiForwardPepAcpiNotifyRequest(x,x)
		jmp	loc_4D995D
; END OF FUNCTION CHUNK	FOR PopFxProcessWork
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceFxDevicePowerRequirement

loc_5CA174:				; CODE XREF: PopDiagTraceFxDevicePowerRequirement+51j
		movzx	eax, [ebp+arg_0]
		xor	ecx, ecx
		push	4
		pop	edx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	ecx
		push	ecx
		push	1
		push	ecx
		push	ecx
		push	esi
		push	edi
		push	ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		call	EtwWriteEx
		jmp	loc_4D9B3B
; END OF FUNCTION CHUNK	FOR PopDiagTraceFxDevicePowerRequirement
; 
; START	OF FUNCTION CHUNK FOR PopFxIdleWorker

loc_5CA1B7:				; CODE XREF: PopFxIdleWorker+BCj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D9CDD
; 

loc_5CA1C6:				; CODE XREF: PopFxIdleWorker+7Aj
		mov	edx, [ebp+var_8]
		mov	ecx, [esi+1Ch]
		push	ebx
		push	ebx
		push	0Dh
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		jmp	loc_4D9C98
; 

loc_5CA1DA:				; CODE XREF: PopFxIdleWorker+89j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D9CAA
; END OF FUNCTION CHUNK	FOR PopFxIdleWorker
; 
; START	OF FUNCTION CHUNK FOR PopFxIdleWorkerTail

loc_5CA1E9:				; CODE XREF: PopFxIdleWorkerTail+68j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D9D65
; 

loc_5CA1F8:				; CODE XREF: PopFxIdleWorkerTail+166j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4D9E63
; 

loc_5CA207:				; CODE XREF: PopFxIdleWorkerTail+D7j
					; PopFxIdleWorkerTail+F0527j
		mov	eax, [ebx+7Ch]
		push	2
		push	dword ptr [eax+esi*8]
		push	edi
		call	_PoFxIdleComponent@12 ;	PoFxIdleComponent(x,x,x)
		inc	esi
		cmp	esi, [ebx+78h]
		jb	short loc_5CA207
		jmp	loc_4D9DCF
; END OF FUNCTION CHUNK	FOR PopFxIdleWorkerTail
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceFxComponentLogicalCondition

loc_5CA220:				; CODE XREF: PopDiagTraceFxComponentLogicalCondition+3Fj
		movzx	eax, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_38]
		push	4
		pop	ecx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	edx
		push	1
		push	edx
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	EtwWriteEx
		jmp	loc_4D9EDF
; END OF FUNCTION CHUNK	FOR PopDiagTraceFxComponentLogicalCondition
; 
; START	OF FUNCTION CHUNK FOR PopFxCompleteComponentActivation

loc_5CA272:				; CODE XREF: PopFxCompleteComponentActivation+38j
					; PopFxCompleteComponentActivation+F0431j
		mov	eax, [esi+88h]
		mov	[esp+20h+var_12], 0
		mov	ecx, [eax+ebx*8]
		mov	eax, [eax+ebx*8+4]
		mov	[esp+20h+var_8], eax
		mov	eax, [edi+240h]
		mov	[esp+20h+var_4], ecx
		mov	eax, [eax+ecx*4]
		mov	[esp+20h+var_10], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esp+20h+var_11], al
		mov	eax, [esp+20h+var_10]
		add	eax, 50h
		mov	ecx, eax
		mov	[esp+20h+var_C], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [esp+20h+var_10]
		mov	ecx, [esp+20h+var_8]
		mov	edx, [eax+7Ch]
		cmp	byte ptr [edx+ecx*8+4],	1
		jnz	short loc_5CA2DA
		mov	byte ptr [edx+ecx*8+4],	0
		sub	dword ptr [eax+80h], 1
		jnz	short loc_5CA2DA
		mov	[esp+20h+var_12], 1

loc_5CA2DA:				; CODE XREF: PopFxCompleteComponentActivation+F03D5j
					; PopFxCompleteComponentActivation+F03E3j
		test	ds:byte_70EFC6,	1
		jz	short loc_5CA2F1
		mov	edx, [ebp+4]
		mov	ecx, [esp+20h+var_C]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5CA2FA
; 

loc_5CA2F1:				; CODE XREF: PopFxCompleteComponentActivation+F03F1j
		mov	eax, [esp+20h+var_C]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_5CA2FA:				; CODE XREF: PopFxCompleteComponentActivation+F03FFj
		mov	cl, [esp+20h+var_11]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[esp+20h+var_12], 0
		jz	short loc_5CA31A
		mov	edx, [esp+20h+var_4]
		mov	ecx, edi
		push	0
		push	1
		call	PopPluginComponentActive

loc_5CA31A:				; CODE XREF: PopFxCompleteComponentActivation+F0419j
		inc	ebx
		cmp	ebx, [esi+84h]
		jb	loc_5CA272
		jmp	loc_4D9F2E
; 

loc_5CA32C:				; CODE XREF: PopFxCompleteComponentActivation+58j
		push	0
		push	0
		lea	eax, [edi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4D9F4E
; END OF FUNCTION CHUNK	FOR PopFxCompleteComponentActivation
; 
; START	OF FUNCTION CHUNK FOR PopFxIdleComponent

loc_5CA341:				; CODE XREF: PopFxIdleComponent+3Ej
		push	2
		push	edi
		mov	edx, esi
		mov	ecx, 614h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_5CA350:				; CODE XREF: PopFxIdleComponent+79j
		lea	ecx, [esp+48h+var_10]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	ecx, edx
		mov	[esp+48h+var_34], eax
		push	ecx
		mov	[esp+4Ch+var_38], ecx
		lea	edx, [esp+4Ch+var_18]
		mov	ecx, [esp+4Ch+var_2C]
		push	eax
		call	PpmInterlockedUpdateTimeNoFence
		jmp	loc_4DA041
; 

loc_5CA377:				; CODE XREF: PopFxIdleComponent+B8j
		mov	eax, [ebx]
		mov	ecx, 608h
		mov	edx, [esp+40h+var_20]
		push	0
		push	eax
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_5CA38A:				; CODE XREF: PopFxIdleComponent+1ABj
		lea	eax, [edx+3Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [ebx]
		mov	ecx, [esp+48h+var_34]
		jmp	loc_4DA0D8
; END OF FUNCTION CHUNK	FOR PopFxIdleComponent
; 
; START	OF FUNCTION CHUNK FOR PpmInterlockedUpdateTimeNoFence

loc_5CA39C:				; CODE XREF: PpmInterlockedUpdateTimeNoFence+43j
					; PpmInterlockedUpdateTimeNoFence+4Cj
		pause
		cmp	edx, [ebp+arg_4]
		jb	loc_4DA1A1
		ja	short loc_5CA3B2
		cmp	eax, [ebp+arg_0]
		jb	loc_4DA1A1

loc_5CA3B2:				; CODE XREF: PpmInterlockedUpdateTimeNoFence+F0231j
		mov	cl, [ebp+var_1]
		jmp	loc_4DA1CA
; END OF FUNCTION CHUNK	FOR PpmInterlockedUpdateTimeNoFence
; 
; START	OF FUNCTION CHUNK FOR PopFxUpdateAccountingActiveTime

loc_5CA3BA:				; CODE XREF: PopFxUpdateAccountingActiveTime+36j
					; PopFxUpdateAccountingActiveTime+3Fj
		add	[ecx+80h], edx
		adc	[ecx+84h], esi
		jmp	loc_4DA26B
; END OF FUNCTION CHUNK	FOR PopFxUpdateAccountingActiveTime
; 
; START	OF FUNCTION CHUNK FOR PopPepWork

loc_5CA3CB:				; CODE XREF: PopPepWork+51j
		mov	ecx, [esi]
		mov	eax, esi
		lock cmpxchg [edx], ecx
		mov	esi, ds:_PopPepLastCheckedDevice
		mov	[ebp+var_3C], esi
		jmp	loc_4DA377
; 

loc_5CA3E1:				; CODE XREF: PopPepWork+80j
		mov	[ebp+var_24], ebx
		test	edi, edi
		jz	short loc_5CA3EE
		mov	eax, [edi+1Ch]
		mov	[ebp+var_24], eax

loc_5CA3EE:				; CODE XREF: PopPepWork+F00C6j
		lea	eax, [ebp+var_24]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	1
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	ebx
		push	offset _POP_ETW_EVENT_DEFAULT_PEP_WORKER_START
		push	[ebp+var_30]
		mov	[ebp+var_10], 4
		push	[ebp+var_20]
		mov	[ebp+var_C], ebx
		call	EtwWriteEx
		jmp	loc_4DA3A6
; END OF FUNCTION CHUNK	FOR PopPepWork
; 
; START	OF FUNCTION CHUNK FOR PopPluginDevicePower

loc_5CA422:				; CODE XREF: PopPluginDevicePower+19j
					; PopPluginComponentActive+2Dj	...
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	612h
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5CA437:				; CODE XREF: PopPepComponentActive+14j
		mov	ecx, [esi+18h]
		push	ebx
		call	_PopPluginNotifyActive@12 ; PopPluginNotifyActive(x,x,x)
		jmp	loc_4DA68E
; END OF FUNCTION CHUNK	FOR PopPluginDevicePower
; 
; START	OF FUNCTION CHUNK FOR PopPepReleaseActivityLink

loc_5CA445:				; CODE XREF: PopPepReleaseActivityLink+Dj
		push	edx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		lea	eax, [esi+2Ch]
		push	eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		jmp	loc_4DA84D
; END OF FUNCTION CHUNK	FOR PopPepReleaseActivityLink
; 
; START	OF FUNCTION CHUNK FOR PopPepComponentGetWork

loc_5CA459:				; CODE XREF: PopPepComponentGetWork+BDj
		mov	esi, [ebx+84h]
		mov	edx, eax
		test	esi, esi
		jz	short loc_5CA47E
		lea	ecx, [ebx+0D0h]

loc_5CA46B:				; CODE XREF: PopPepComponentGetWork+EFC02j
		cmp	[ecx], eax
		ja	loc_4DA93D
		inc	edx
		add	ecx, 0A8h
		cmp	edx, esi
		jb	short loc_5CA46B

loc_5CA47E:				; CODE XREF: PopPepComponentGetWork+EFBE9j
		push	5
		push	4
		lea	ecx, [ebx+30h]
		pop	edx
		call	_PopPepGetReadyActivityType@12 ; PopPepGetReadyActivityType(x,x,x)
		push	[ebp+arg_0]
		lea	edx, [ebx+48h]
		push	edx
		jmp	loc_4DA906
; END OF FUNCTION CHUNK	FOR PopPepComponentGetWork
; 
; START	OF FUNCTION CHUNK FOR PopPepPromoteActivities

loc_5CA497:				; CODE XREF: PopPepPromoteActivities+20j
		xor	ebx, ebx
		inc	ebx
		jmp	loc_4DA96E
; END OF FUNCTION CHUNK	FOR PopPepPromoteActivities
; 
; START	OF FUNCTION CHUNK FOR PopPepLockActivityLink

loc_5CA49F:				; CODE XREF: PopPepLockActivityLink+20j
		mov	eax, [ebp+arg_0]
		cmp	eax, 6
		jnz	short loc_5CA4B0
		cmp	ecx, eax
		jnz	short loc_5CA4C9
		jmp	loc_4DAA60
; 

loc_5CA4B0:				; CODE XREF: PopPepLockActivityLink+EFA6Bj
		test	eax, eax
		js	short loc_5CA4C9
		cmp	eax, 6
		jge	short loc_5CA4C9
		imul	eax, 7Ch
		cmp	ds:_ActivityAttributes[eax], 1
		jz	loc_4DAA60

loc_5CA4C9:				; CODE XREF: PopPepLockActivityLink+EFA6Fj
					; PopPepLockActivityLink+EFA78j ...
		cmp	ecx, 5
		ja	short loc_5CA4DE
		imul	eax, ecx, 7Ch
		cmp	ds:_ActivityAttributes[eax], 1
		jz	loc_4DAA60

loc_5CA4DE:				; CODE XREF: PopPepLockActivityLink+EFA92j
		lea	edi, [esi+2Ch]
		push	edi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		cmp	byte ptr [esi+4Dh], 1
		mov	bl, al
		mov	eax, [ebp+arg_8]
		mov	[eax], bl
		jnz	short loc_5CA507
		push	edi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4DAA60
; 

loc_5CA507:				; CODE XREF: PopPepLockActivityLink+EFAB8j
		push	[ebp+var_4]
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		jmp	loc_4DAA74
; END OF FUNCTION CHUNK	FOR PopPepLockActivityLink
; 
; START	OF FUNCTION CHUNK FOR PopPepAttemptAcitivityPromotion

loc_5CA514:				; CODE XREF: PopPepAttemptAcitivityPromotion+EFj
		lea	ecx, [eax-1]
		mov	[ebp+arg_0], ecx
		jmp	loc_4DAADF
; END OF FUNCTION CHUNK	FOR PopPepAttemptAcitivityPromotion
; 
; START	OF FUNCTION CHUNK FOR PopPepCompleteActivity

loc_5CA51F:				; CODE XREF: PopPepCompleteActivity+2Cj
		push	eax
		mov	edx, ecx
		mov	ecx, 667h
		push	esi
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
		int	3		; Trap to Debugger

loc_5CA52E:				; CODE XREF: PopPepVerifyActivities+37j
		push	ecx
		push	esi
		mov	edx, edi
		mov	ecx, 666h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
		int	3		; Trap to Debugger

loc_5CA53D:				; CODE XREF: PopPepGetComponentPreferedIdleState+5Fj
		or	eax, 4
		mov	[ecx+4], eax
		xor	eax, eax
		inc	eax
		lock xadd ds:_PopPepPoweredIdleComponentCount, eax
		inc	eax
		cmp	eax, 1
		jnz	loc_4DAE87
		xor	cl, cl
		call	_PopPepArmIdleTimer@4 ;	PopPepArmIdleTimer(x)
		jmp	loc_4DAE87
; END OF FUNCTION CHUNK	FOR PopPepCompleteActivity
; 
; START	OF FUNCTION CHUNK FOR PopPepGetComponentPreferedIdleState

loc_5CA564:				; CODE XREF: PopPepGetComponentPreferedIdleState+69j
		test	bl, bl
		jnz	loc_4DAE87
		and	eax, 0FFFFFFFBh
		mov	[ecx+4], eax
		lock dec ds:_PopPepPoweredIdleComponentCount
		jmp	loc_4DAE87
; END OF FUNCTION CHUNK	FOR PopPepGetComponentPreferedIdleState
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceFxDevicePowered

loc_5CA57E:				; CODE XREF: PopDiagTraceFxDevicePowered+47j
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	1
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	ebx
		push	offset _POP_ETW_EVENT_DEVICE_POWERED
		push	esi
		push	edi
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ebx
		call	EtwWriteEx
		jmp	loc_4DB09B
; END OF FUNCTION CHUNK	FOR PopDiagTraceFxDevicePowered
; 
; START	OF FUNCTION CHUNK FOR PopFxCompleteDevicePowerRequired

loc_5CA5AE:				; CODE XREF: PopFxCompleteDevicePowerRequired+1Bj
		push	1
		push	ebx
		mov	edx, esi
		mov	ecx, 613h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
		int	3		; Trap to Debugger

loc_5CA5BE:				; CODE XREF: PspUnlockProcessListExclusive+17Fj
		push	0
		push	[ebp+var_8]
		push	offset _PspActiveProcessLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CA5D3:				; CODE XREF: PspUnlockProcessListExclusive+10Bj
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]
		jmp	loc_4DB22D
; END OF FUNCTION CHUNK	FOR PopFxCompleteDevicePowerRequired
; 
; START	OF FUNCTION CHUNK FOR PspUnlockProcessListExclusive

loc_5CA5E4:				; CODE XREF: PspUnlockProcessListExclusive+1DEj
		push	[ebp+var_24]
		mov	edx, offset _PspActiveProcessLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4DB240
; END OF FUNCTION CHUNK	FOR PspUnlockProcessListExclusive
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepSetSecurityAttributesToken

loc_5CA5F8:				; CODE XREF: AuthzBasepSetSecurityAttributesToken+1Fj
		cmp	eax, 1
		jnz	loc_4DB3FA
		call	AuthzBasepFreeSecurityAttributesList
		xor	esi, esi
		jmp	loc_4DB3C0
; 

loc_5CA60D:				; CODE XREF: AuthzBasepSetSecurityAttributesToken+39j
		mov	ecx, edi
		call	_AuthzBasepDeleteAllSecurityAttributes@4 ; AuthzBasepDeleteAllSecurityAttributes(x)
		mov	eax, [esp+20h+var_C]
		jmp	loc_4DB369
; END OF FUNCTION CHUNK	FOR AuthzBasepSetSecurityAttributesToken
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepValidateSecurityAttributes

loc_5CA61D:				; CODE XREF: AuthzBasepValidateSecurityAttributes+19j
					; AuthzBasepValidateSecurityAttributes+28j
		mov	esi, 0C000000Dh
		jmp	loc_4DB538
; 

loc_5CA627:				; CODE XREF: AuthzBasepValidateSecurityAttributes+38j
		test	edi, edi
		jnz	short loc_5CA634
		cmp	[ecx+8], edx
		jnz	loc_4DB5C2

loc_5CA634:				; CODE XREF: AuthzBasepValidateSecurityAttributes+EF1DFj
		mov	edx, [ecx+8]
		mov	[ebp+var_C], edx
		test	edx, edx
		jnz	loc_4DB49E
		test	edi, edi
		jz	loc_4DB49E
		jmp	loc_4DB5C2
; 

loc_5CA64F:				; CODE XREF: AuthzBasepValidateSecurityAttributes+190j
		cmp	ecx, 4
		jz	short loc_5CA697
		cmp	ecx, 5
		jz	short loc_5CA665
		push	10h
		pop	ecx
		cmp	dx, cx
		jnz	loc_5CA6F2

loc_5CA665:				; CODE XREF: AuthzBasepValidateSecurityAttributes+EF20Dj
		mov	edx, [eax+10h]
		test	edx, edx
		jz	short loc_5CA675
		cmp	[eax+14h], ebx
		jz	loc_4DB5C2

loc_5CA675:				; CODE XREF: AuthzBasepValidateSecurityAttributes+EF220j
		mov	ecx, ebx
		test	edx, edx
		jz	loc_4DB524
		mov	eax, [eax+14h]

loc_5CA682:				; CODE XREF: AuthzBasepValidateSecurityAttributes+EF246j
		cmp	[eax+ecx*8+4], ebx
		jz	short loc_5CA6F2
		cmp	[eax+ecx*8], ebx
		jz	short loc_5CA6F2
		inc	ecx
		cmp	ecx, edx
		jb	short loc_5CA682
		jmp	loc_4DB524
; 

loc_5CA697:				; CODE XREF: AuthzBasepValidateSecurityAttributes+EF208j
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_5CA6A7
		cmp	[eax+14h], ebx
		jz	loc_4DB5C2

loc_5CA6A7:				; CODE XREF: AuthzBasepValidateSecurityAttributes+EF252j
		mov	edx, ebx
		test	ecx, ecx
		jz	loc_4DB524
		mov	eax, [eax+14h]
		add	eax, 0Ah

loc_5CA6B7:				; CODE XREF: AuthzBasepValidateSecurityAttributes+EF2A1j
		movzx	edi, word ptr [eax-2]
		test	di, di
		jz	loc_4DB626
		movzx	ebx, word ptr [eax]
		test	bx, bx
		jz	loc_4DB626
		cmp	di, bx
		ja	loc_4DB626
		cmp	dword ptr [eax+2], 0
		jz	loc_4DB626
		push	10h
		pop	ebx
		inc	edx
		add	eax, ebx
		cmp	edx, ecx
		jb	short loc_5CA6B7
		jmp	loc_4DB593
; 

loc_5CA6F2:				; CODE XREF: AuthzBasepValidateSecurityAttributes+C0j
					; AuthzBasepValidateSecurityAttributes+D4j ...
		mov	esi, 0C000000Dh
		jmp	loc_4DB524
; END OF FUNCTION CHUNK	FOR AuthzBasepValidateSecurityAttributes

;  S U B	R O U T	I N E 


sub_5CA6FC	proc near		; CODE XREF: AuthzBasepCommitSecurityAttributeChanges+64j
		push	ebx
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4DB66F
sub_5CA6FC	endp

; 
; START	OF FUNCTION CHUNK FOR AuthzBasepRemoveSecurityAttributeFromLists

loc_5CA708:				; CODE XREF: AuthzBasepRemoveSecurityAttributeFromLists+39j
		test	byte ptr [edx+20h], 1
		jz	loc_4DB7A3
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	loc_4DB7A8
		mov	esi, [edx+4]
		cmp	[esi], edx
		jnz	loc_4DB7A8
		mov	[esi], eax
		mov	[eax+4], esi
		and	dword ptr [edx+20h], 0FFFFFFFEh
		test	ecx, ecx
		jz	loc_4DB7A3
		dec	dword ptr [ecx]
		jmp	loc_4DB7A3
; END OF FUNCTION CHUNK	FOR AuthzBasepRemoveSecurityAttributeFromLists
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepAddSecurityAttribute

loc_5CA740:				; CODE XREF: AuthzBasepAddSecurityAttribute+1Aj
		mov	eax, 0C000000Dh
		jmp	loc_4DB886
; END OF FUNCTION CHUNK	FOR AuthzBasepAddSecurityAttribute
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepAddSecurityAttributeValues

loc_5CA74A:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+1Aj
		mov	ebx, 0C000000Dh
		jmp	loc_4DB9E3
; 

loc_5CA754:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+1B9j
		push	10h
		pop	eax
		cmp	cx, ax
		jz	loc_4DB9F0

loc_5CA760:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+5Fj
		mov	eax, 0C000000Dh
		mov	[ebp+var_8], eax
		jmp	loc_4DB929
; 

loc_5CA76D:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+1A3j
		mov	eax, [edi+14h]
		add	eax, edx
		jmp	loc_4DB9F6
; 

loc_5CA777:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+95j
		mov	eax, [esi+10h]
		test	al, 4
		jz	loc_5CA81B
		push	ecx
		mov	ecx, [ebp+var_4]
		and	eax, 0FFFFFFFBh
		push	0
		mov	edx, esi
		mov	[esi+10h], eax
		call	_AuthzBasepRemoveSecurityAttributeValueFromLists@16 ; AuthzBasepRemoveSecurityAttributeValueFromLists(x,x,x,x)
		mov	ecx, [ebp+var_4]
		dec	dword ptr [ecx+28h]
		jmp	loc_4DB9CB
; 

loc_5CA7A0:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+B8j
					; AuthzBasepAddSecurityAttributeValues+C1j
		mov	eax, [edi+14h]
		mov	ecx, [eax+ebx*8+4]
		jmp	loc_4DB965
; 

loc_5CA7AC:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+AFj
		mov	eax, [edi+14h]
		movzx	ecx, word ptr [eax+edx+8]
		jmp	loc_4DB965
; 

loc_5CA7B9:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+1E2j
		push	10h
		pop	eax
		cmp	cx, ax
		jnz	loc_4DB997

loc_5CA7C5:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+1D0j
		mov	eax, [edi+14h]
		lea	ecx, [esi+28h]
		mov	eax, [eax+ebx*8+4]
		mov	[esi+1Ch], eax
		mov	[esi+18h], ecx
		push	eax
		mov	eax, [edi+14h]
		push	dword ptr [eax+ebx*8]
		jmp	loc_4DBA23
; 

loc_5CA7E1:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+1C4j
		mov	ecx, [edi+14h]
		mov	edx, [ebp+var_C]
		mov	eax, [edx+ecx]
		mov	[esi+18h], eax
		mov	eax, [edx+ecx+4]
		lea	ecx, [esi+28h]
		mov	[esi+1Ch], eax
		mov	eax, [edi+14h]
		movzx	eax, word ptr [edx+eax+8]
		mov	[esi+20h], ax
		mov	[esi+24h], ecx
		push	eax
		mov	eax, [edi+14h]
		push	dword ptr [edx+eax+0Ch]
		jmp	loc_4DBA23
; 

loc_5CA813:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+FDj
		mov	ecx, [ebp+var_4]
		jmp	loc_4DB9CB
; 

loc_5CA81B:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+EEEDEj
		mov	ebx, 0C0000035h
		jmp	loc_4DB9E3
; 

loc_5CA825:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+111j
		push	3
		pop	eax
		mov	ecx, eax
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5CA82C:				; CODE XREF: AuthzBasepAddSecurityAttributeValues+D0j
		mov	ebx, 0C000009Ah
		jmp	loc_4DB9E3
; END OF FUNCTION CHUNK	FOR AuthzBasepAddSecurityAttributeValues
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepFindSecurityAttributeValue

loc_5CA836:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+C8j
		cmp	di, word ptr [ebp+var_14]
		jz	short loc_5CA888
		cmp	di, word ptr [ebp+var_18]
		jz	short loc_5CA85C
		cmp	di, word ptr [ebp+var_1C]
		jz	loc_4DBC0D
		push	10h
		pop	eax
		cmp	[ebp+var_4], ax
		mov	eax, [ebp+arg_0]
		jnz	loc_4DBBBF

loc_5CA85C:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+EED7Cj
		mov	edx, [ebp+arg_0]
		mov	eax, [edx+4]
		cmp	eax, [esi+1Ch]
		jnz	short loc_5CA8C6
		push	eax		; size_t
		push	dword ptr [esi+18h] ; void *
		push	dword ptr [edx]	; void *
		call	_memcmp
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		test	eax, eax
		mov	eax, [ebp+arg_0]
		jnz	loc_4DBBBC
		jmp	loc_4DBC1D
; 

loc_5CA888:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+EED76j
		mov	edx, [ebp+arg_0]
		mov	ax, [edx+8]
		mov	word ptr [ebp+var_28], ax
		mov	word ptr [ebp+var_28+2], ax
		mov	eax, [edx+0Ch]
		mov	[ebp+var_24], eax
		mov	ax, [esi+20h]
		mov	word ptr [ebp+var_30], ax
		mov	word ptr [ebp+var_30+2], ax
		mov	eax, [esi+24h]
		mov	[ebp+var_2C], eax
		mov	eax, [edx]
		cmp	eax, [esi+18h]
		jnz	short loc_5CA8C6
		mov	eax, [edx+4]
		cmp	eax, [esi+1Ch]
		jnz	short loc_5CA8C6
		lea	edx, [ebp+var_30]
		jmp	loc_4DBBA9
; 

loc_5CA8C6:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+EEDA1j
					; AuthzBasepFindSecurityAttributeValue+EEDF0j ...
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+var_8]
		jmp	loc_4DBBBF
; 

loc_5CA8D1:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+110j
		push	4
		pop	edx
		cmp	di, dx
		jz	short loc_5CA92B
		push	5
		pop	edx
		cmp	di, dx
		jz	short loc_5CA8FA
		push	6
		pop	edx
		cmp	di, dx
		jz	loc_4DBB5F
		push	10h
		pop	edx
		cmp	[ebp+var_4], dx
		jnz	loc_4DBB70

loc_5CA8FA:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+EEE1Bj
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+4]
		cmp	eax, [ebx+1Ch]
		jnz	short loc_5CA975
		push	eax		; size_t
		push	dword ptr [ebx+18h] ; void *
		push	dword ptr [esi]	; void *
		call	_memcmp
		mov	esi, [ebp+var_8]
		add	esp, 0Ch
		test	eax, eax
		mov	eax, [ebp+arg_0]
		jnz	loc_4DBC05

loc_5CA921:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+A6j
					; AuthzBasepFindSecurityAttributeValue+13Bj
		mov	cl, 1
		mov	[ebp+var_1], cl
		jmp	loc_4DBB70
; 

loc_5CA92B:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+EEE13j
		mov	esi, [ebp+arg_0]
		mov	ax, [esi+8]
		mov	word ptr [ebp+var_28], ax
		mov	word ptr [ebp+var_28+2], ax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_24], eax
		mov	ax, [ebx+20h]
		mov	word ptr [ebp+var_30], ax
		mov	word ptr [ebp+var_30+2], ax
		mov	eax, [ebx+24h]
		mov	[ebp+var_2C], eax
		mov	eax, [esi]
		cmp	eax, [ebx+18h]
		jnz	short loc_5CA975
		mov	eax, [esi+4]
		cmp	eax, [ebx+1Ch]
		jnz	short loc_5CA975
		push	ecx
		lea	edx, [ebp+var_30]
		lea	ecx, [ebp+var_28]
		call	AuthzBasepEqualUnicodeString
		mov	esi, [ebp+var_8]
		jmp	loc_4DBBFA
; 

loc_5CA975:				; CODE XREF: AuthzBasepFindSecurityAttributeValue+EEE3Fj
					; AuthzBasepFindSecurityAttributeValue+EEE93j ...
		mov	eax, [ebp+arg_0]
		mov	esi, [ebp+var_8]
		jmp	loc_4DBB70
; END OF FUNCTION CHUNK	FOR AuthzBasepFindSecurityAttributeValue
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepDeleteSecurityAttribute

loc_5CA980:				; CODE XREF: AuthzBasepDeleteSecurityAttribute+76j
		lea	eax, [ebp+var_1]
		push	eax
		call	_AuthzBasepDeleteSecurityAttributeValues@12 ; AuthzBasepDeleteSecurityAttributeValues(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_4DBCE6
		cmp	byte ptr [ebp+var_1], 0
		jz	loc_4DBD2D
		or	dword ptr [esi+20h], 4
		jmp	loc_4DBD2D
; END OF FUNCTION CHUNK	FOR AuthzBasepDeleteSecurityAttribute
; 
; START	OF FUNCTION CHUNK FOR RtlInsertEntryHashTable

loc_5CA9A6:				; CODE XREF: RtlInsertEntryHashTable+62j
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_RtlpPopulateContext@12	; RtlpPopulateContext(x,x,x)
		jmp	loc_4DBEAD
; END OF FUNCTION CHUNK	FOR RtlInsertEntryHashTable
; 
; START	OF FUNCTION CHUNK FOR RtlEnumerateEntryHashTable

loc_5CA9B5:				; CODE XREF: RtlEnumerateEntryHashTable+3Cj
		mov	eax, [ecx]
		mov	ecx, eax
		cmp	eax, edx
		jnz	loc_4DBF6E
		jmp	loc_4DBF64
; END OF FUNCTION CHUNK	FOR RtlEnumerateEntryHashTable
; 
; START	OF FUNCTION CHUNK FOR SepMandatorySubProcessToken

loc_5CA9C6:				; CODE XREF: SepMandatorySubProcessToken+BAj
		push	20206553h
		push	[ebp+var_8D+1]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_5CA9E8
		mov	esi, 0C0000017h
		jmp	loc_4DC1B1
; 

loc_5CA9E8:				; CODE XREF: SepMandatorySubProcessToken+EE948j
		push	1
		push	edi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_4DC1B1
		mov	ecx, [ebp+var_98]
		lea	eax, [ebp+var_8D+1]
		push	eax
		push	[ebp+var_8D+1]
		push	edi
		push	10h
		pop	edx
		call	_ObQuerySecurityObject@20 ; ObQuerySecurityObject(x,x,x,x,x)
		mov	esi, eax
		jmp	loc_4DC154
; 

loc_5CAA1D:				; CODE XREF: SepMandatorySubProcessToken+FDj
		mov	ecx, ebx
		call	_SepLocateTokenIntegrity@4 ; SepLocateTokenIntegrity(x)
		mov	ecx, eax
		mov	[ebp+var_94], ecx
		test	ecx, ecx
		jz	loc_4DC197
		mov	edx, [ebp+var_8D+1]
		lea	eax, [ebp+var_8D]
		mov	ecx, [ecx]
		push	eax
		lea	edx, [edx+8]
		call	RtlSidDominates
		mov	esi, eax
		test	esi, esi
		js	loc_4DC1B1
		cmp	byte ptr [ebp+var_8D], 0
		jz	loc_4DC197
		mov	ecx, [ebp+var_8D+1]
		mov	al, [ecx+9]
		test	al, al
		jnz	short loc_5CAA78
		and	[ebp+var_8D+1],	0
		jmp	short loc_5CAA85
; 

loc_5CAA78:				; CODE XREF: SepMandatorySubProcessToken+EE9D9j
		movzx	eax, al
		mov	eax, [ecx+eax*4+0Ch]
		mov	[ebp+var_8D+1],	eax

loc_5CAA85:				; CODE XREF: SepMandatorySubProcessToken+EE9E2j
		mov	edx, [ebp+var_94]
		mov	eax, [edx]
		mov	edx, [ebp+var_8D+1]
		mov	[eax+8], edx
		mov	edx, [ebp+var_94]
		mov	eax, [edx]
		mov	edx, [ebp+var_A0]
		mov	[edx], eax
		mov	al, [ecx+9]
		test	al, al
		jnz	short loc_5CAAB1
		xor	ecx, ecx
		jmp	short loc_5CAAB8
; 

loc_5CAAB1:				; CODE XREF: SepMandatorySubProcessToken+EEA17j
		movzx	eax, al
		mov	ecx, [ecx+eax*4+0Ch]

loc_5CAAB8:				; CODE XREF: SepMandatorySubProcessToken+EEA1Bj
		mov	eax, [ebx+0B0h]
		mov	edx, 2000h
		cmp	ecx, edx
		jnb	short loc_5CAACE
		and	eax, 0FFFFDFFFh
		jmp	short loc_5CAAD0
; 

loc_5CAACE:				; CODE XREF: SepMandatorySubProcessToken+EEA31j
		or	eax, edx

loc_5CAAD0:				; CODE XREF: SepMandatorySubProcessToken+EEA38j
		mov	[ebx+0B0h], eax
		jmp	loc_4DC197
; 

loc_5CAADB:				; CODE XREF: SepMandatorySubProcessToken+117j
		push	eax
		call	SeTokenIsAdmin
		test	al, al
		jnz	loc_4DC1B1
		and	dword ptr [ebx+0B0h], 0FFFFEFFFh
		mov	ecx, ebx
		call	_SepLocateTokenIntegrity@4 ; SepLocateTokenIntegrity(x)
		mov	edx, eax
		mov	[ebp+var_8D+1],	edx
		test	edx, edx
		jz	loc_4DC1B1
		mov	ecx, [ebx+0C0h]
		mov	ecx, [ecx+20h]
		test	ecx, ecx
		jnz	short loc_5CAB4A
		mov	ecx, [edx]
		mov	al, [ecx+1]
		test	al, al
		jz	loc_4DC1B1
		movzx	eax, al
		mov	ebx, 2000h
		mov	eax, [ecx+eax*4+4]
		cmp	eax, ebx
		jbe	loc_4DC1B1
		mov	[ecx+8], ebx
		mov	ecx, [ebp+var_A0]
		mov	eax, [edx]
		mov	[ecx], eax
		jmp	loc_4DC1B1
; 

loc_5CAB4A:				; CODE XREF: SepMandatorySubProcessToken+EEA81j
		call	_SepLocateTokenIntegrity@4 ; SepLocateTokenIntegrity(x)
		mov	[ebp+var_9C], eax
		test	eax, eax
		jz	loc_4DC1B1
		mov	ecx, [ebp+var_8D+1]
		mov	eax, [ecx]
		mov	[ebp+var_AC], eax
		mov	dl, [eax+1]
		test	dl, dl
		jnz	short loc_5CAB7B
		and	[ebp+var_A4], 0
		jmp	short loc_5CAB8E
; 

loc_5CAB7B:				; CODE XREF: SepMandatorySubProcessToken+EEADCj
		movzx	eax, dl
		mov	edx, [ebp+var_AC]
		mov	eax, [edx+eax*4+4]
		mov	[ebp+var_A4], eax

loc_5CAB8E:				; CODE XREF: SepMandatorySubProcessToken+EEAE5j
		mov	edx, [ebp+var_9C]
		mov	edx, [edx]
		mov	al, [edx+1]
		test	al, al
		jnz	short loc_5CABAD
		and	[ebp+var_94], 0
		and	[ebp+var_A8], 0
		jmp	short loc_5CABC0
; 

loc_5CABAD:				; CODE XREF: SepMandatorySubProcessToken+EEB07j
		movzx	ecx, al
		mov	[ebp+var_A8], ecx
		mov	ecx, [edx+ecx*4+4]
		mov	[ebp+var_94], ecx

loc_5CABC0:				; CODE XREF: SepMandatorySubProcessToken+EEB17j
		mov	ecx, [ebp+var_94]
		cmp	[ebp+var_A4], ecx
		mov	ecx, [ebp+var_8D+1]
		jbe	loc_4DC1B1
		test	al, al
		jnz	short loc_5CABE0
		xor	eax, eax
		jmp	short loc_5CABEA
; 

loc_5CABE0:				; CODE XREF: SepMandatorySubProcessToken+EEB46j
		mov	eax, [ebp+var_A8]
		mov	eax, [edx+eax*4+4]

loc_5CABEA:				; CODE XREF: SepMandatorySubProcessToken+EEB4Aj
		mov	edx, [ebp+var_AC]
		mov	[edx+8], eax
		mov	eax, [ecx]
		mov	ecx, [ebp+var_A0]
		mov	[ecx], eax
		mov	eax, [ebp+var_9C]
		mov	ecx, [eax]
		mov	al, [ecx+1]
		test	al, al
		jnz	short loc_5CAC10
		xor	ecx, ecx
		jmp	short loc_5CAC17
; 

loc_5CAC10:				; CODE XREF: SepMandatorySubProcessToken+EEB76j
		movzx	eax, al
		mov	ecx, [ecx+eax*4+4]

loc_5CAC17:				; CODE XREF: SepMandatorySubProcessToken+EEB7Aj
		mov	eax, [ebx+0B0h]
		mov	edx, 2000h
		cmp	ecx, edx
		jnb	short loc_5CAC2D
		and	eax, 0FFFFDFFFh
		jmp	short loc_5CAC2F
; 

loc_5CAC2D:				; CODE XREF: SepMandatorySubProcessToken+EEB90j
		or	eax, edx

loc_5CAC2F:				; CODE XREF: SepMandatorySubProcessToken+EEB97j
		mov	[ebx+0B0h], eax
		jmp	loc_4DC1B1
; 

loc_5CAC3A:				; CODE XREF: SepMandatorySubProcessToken+13Aj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4DC1D4
; END OF FUNCTION CHUNK	FOR SepMandatorySubProcessToken
; 
; START	OF FUNCTION CHUNK FOR RtlQueryPackageClaims

loc_5CAC47:				; CODE XREF: RtlQueryPackageClaims+AAj
					; RtlQueryPackageClaims+14Bj
		mov	eax, 0C000000Dh
		jmp	loc_4DC6C6
; 

loc_5CAC51:				; CODE XREF: RtlQueryPackageClaims+137j
		xor	eax, eax
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		mov	eax, [esp+320h+var_2F0]
		cmp	dword ptr [eax+10h], 3
		jbe	loc_4DC781
		mov	eax, [eax+14h]
		push	ecx
		add	eax, 18h
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		jmp	loc_4DC781
; END OF FUNCTION CHUNK	FOR RtlQueryPackageClaims
; 
; START	OF FUNCTION CHUNK FOR RtlpQueryPackageIdentityAttributes

loc_5CAC79:				; CODE XREF: RtlpQueryPackageIdentityAttributes+26j
		test	esi, esi
		jz	loc_4DC7C3
		jmp	loc_4DC7C0
; 

loc_5CAC86:				; CODE XREF: RtlpQueryPackageIdentityAttributes+75j
		xor	dl, dl
		jmp	loc_4DC81C
; 

loc_5CAC8D:				; CODE XREF: RtlpQueryPackageIdentityAttributes+97j
		and	dword ptr [edi], 0
		and	dword ptr [edi+4], 0
		jmp	loc_4DC841
; 

loc_5CAC99:				; CODE XREF: RtlpQueryPackageIdentityAttributes+F6j
		mov	eax, [esi+4]
		or	dword ptr [esi], 4
		mov	[esi+4], eax
		jmp	loc_4DC890
; 

loc_5CACA7:				; CODE XREF: RtlpQueryPackageIdentityAttributes+115j
		mov	eax, [esi+4]
		or	dword ptr [esi], 8
		mov	[esi+4], eax
		jmp	loc_4DC845
; END OF FUNCTION CHUNK	FOR RtlpQueryPackageIdentityAttributes
; 
; START	OF FUNCTION CHUNK FOR RtlStringCbPrintfExW

loc_5CACB5:				; CODE XREF: RtlStringCbPrintfExW+39j
		test	eax, eax
		jnz	loc_4DC8ED
		mov	eax, offset ??_C@_11LOCGONAA@@FNODOBFM@
		mov	[ebp+arg_14], eax
		jmp	loc_4DC8ED
; 

loc_5CACCA:				; CODE XREF: RtlStringCbPrintfExW+48j
		mov	esi, 0C000000Dh
		test	edi, edi
		jz	short loc_5CACD8
		xor	eax, eax
		mov	[ebx], ax

loc_5CACD8:				; CODE XREF: RtlStringCbPrintfExW+7Bj
					; RtlStringCbPrintfExW+90j ...
		test	[ebp+arg_10], 1C00h
		jz	short loc_5CAD00
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_5CAD00
		push	[ebp+arg_10]	; int
		lea	ecx, [ebp+var_4]
		mov	edx, eax	; size_t
		push	ecx		; int
		lea	ecx, [ebp+var_8]
		push	ecx		; int
		push	ecx		; int
		mov	ecx, ebx	; void *
		call	StringExHandleOtherFlagsW
		mov	edi, [ebp+var_4]

loc_5CAD00:				; CODE XREF: RtlStringCbPrintfExW+EE431j
					; RtlStringCbPrintfExW+EE438j
		test	esi, esi
		jns	loc_4DC944
		cmp	esi, 80000005h
		jnz	loc_4DC962
		jmp	loc_4DC944
; 

loc_5CAD19:				; CODE XREF: RtlStringCbPrintfExW+50j
		cmp	[eax], si
		jz	loc_4DC944
		mov	esi, ebx
		neg	esi
		sbb	esi, esi
		and	esi, 0BFFFFFF8h
		add	esi, 0C000000Dh
		jmp	loc_4DC93C
; 

loc_5CAD39:				; CODE XREF: RtlStringCbPrintfExW+88j
		mov	eax, [ebp+arg_4]
		push	[ebp+arg_10]
		and	eax, 1
		lea	edx, [eax+edi*2]
		call	RtlStringExHandleFillBehindNullW
		jmp	loc_4DC93C
; 

loc_5CAD4F:				; CODE XREF: RtlStringCbPrintfExW+23j
		test	edi, edi
		jz	loc_4DC962
		xor	eax, eax
		mov	[ebx], ax
		jmp	loc_4DC962
; END OF FUNCTION CHUNK	FOR RtlStringCbPrintfExW
; 
; START	OF FUNCTION CHUNK FOR RtlStringExValidateDestA

loc_5CAD61:				; CODE XREF: RtlStringExValidateDestA+Ej
		test	ecx, ecx
		jnz	loc_4DC9CE
		test	edx, edx
		jnz	loc_4DC9DA
		jmp	loc_4DC9CE
; END OF FUNCTION CHUNK	FOR RtlStringExValidateDestA
; 
; START	OF FUNCTION CHUNK FOR IopDeleteFileObjectExtension

loc_5CAD76:				; CODE XREF: IopDeleteFileObjectExtension+4Cj
		mov	eax, [edi]
		mov	[ebp+var_8], eax
		cmp	eax, edi
		jz	loc_4DCB9E
		mov	ebx, eax

loc_5CAD85:				; CODE XREF: IopDeleteFileObjectExtension+EE293j
		mov	eax, ebx
		mov	ebx, [ebx]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	ebx, edi
		jnz	short loc_5CAD85
		mov	ebx, [ebp+var_C]
		jmp	loc_4DCB9E
; 

loc_5CAD9D:				; CODE XREF: IopDeleteFileObjectExtension+54j
		mov	eax, [edi+4]
		test	eax, eax
		jz	loc_4DCB9E
		push	746C6644h
		push	eax
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_4DCB9E
; 

loc_5CADB8:				; CODE XREF: IopDeleteFileObjectExtension+8Dj
		mov	ebx, [ebp+var_8]
		mov	edi, [ebp+var_10]

loc_5CADBE:				; CODE XREF: IopDeleteFileObjectExtension+EE330j
		mov	eax, [ebx+0Ch]
		mov	ecx, offset dword_6CCF98
		mov	[ebp+var_8], ebx
		mov	ebx, [ebx]
		mov	[ebp+var_14], eax
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	[ebp+var_1], al
		mov	eax, [ebp+var_14]
		cmp	byte ptr [eax+8], 1
		mov	cl, [eax+0Ah]
		mov	byte ptr [ebp+var_18], cl
		jnz	short loc_5CADEB
		mov	byte ptr [eax+9], 1
		jmp	short loc_5CADF3
; 

loc_5CADEB:				; CODE XREF: IopDeleteFileObjectExtension+EE2E3j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5CADF3:				; CODE XREF: IopDeleteFileObjectExtension+EE2E9j
		mov	dl, [ebp+var_1]
		mov	ecx, offset dword_6CCF98
		call	KfReleaseSpinLock
		mov	eax, [ebp+var_8]
		cmp	dword ptr [eax+8], 0
		jz	short loc_5CAE26
		push	[ebp+var_18]
		mov	ecx, [eax+4]
		or	edx, 0FFFFFFFFh
		push	edi
		call	_PspAdjustKeepAliveCountProcess@16 ; PspAdjustKeepAliveCountProcess(x,x,x,x)
		mov	ecx, [ebp+var_8]
		mov	ecx, [ecx+4]
		call	ObfDereferenceObject
		mov	eax, [ebp+var_8]

loc_5CAE26:				; CODE XREF: IopDeleteFileObjectExtension+EE307j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jnz	short loc_5CADBE
		mov	edi, [ebp+var_1C]
		mov	ebx, [ebp+var_C]
		jmp	loc_4DCB93
; 

loc_5CAE3D:				; CODE XREF: IopDeleteFileObjectExtension+98j
		call	ObfDereferenceObject
		jmp	loc_4DCB9E
; 

loc_5CAE47:				; CODE XREF: IopDeleteFileObjectExtension+CAj
		mov	eax, [edi+14h]
		test	eax, eax
		jz	loc_4DCB9E

loc_5CAE52:				; CODE XREF: IopDeleteFileObjectExtension+EE361j
		mov	edi, [eax+14h]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		test	edi, edi
		jnz	short loc_5CAE52
		jmp	loc_4DCB9E
; 

loc_5CAE68:				; CODE XREF: IopDeleteFileObjectExtension+F0j
		mov	ecx, [edi]
		mov	edx, 6F466F49h
		jmp	loc_4DCBE4
; 

loc_5CAE74:				; CODE XREF: IopDeleteFileObjectExtension+34j
		mov	eax, [ebp+var_10]
		mov	edx, eax
		mov	ecx, [eax+4]
		mov	ecx, [ecx+8]
		call	IopCleanupNotifications
		jmp	loc_4DCB3A
; END OF FUNCTION CHUNK	FOR IopDeleteFileObjectExtension
; 
; START	OF FUNCTION CHUNK FOR KiAbCleanupThreadState

loc_5CAE89:				; CODE XREF: KiAbCleanupThreadState+20j
		cmp	eax, 1
		jnz	short loc_5CAE9A
		mov	esi, [ebx+10h]
		and	esi, 0FFFFFFFCh
		or	esi, 80000000h

loc_5CAE9A:				; CODE XREF: KiAbCleanupThreadState+EE246j
		push	esi
		push	eax
		push	ebx
		push	edx
		push	153h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5CAEA9:				; CODE XREF: IopProcessWorkItem+4Ej
		mov	esi, edi
		lea	eax, [esp+20h+var_4]
		lea	edi, [esp+20h+var_4]
		push	eax
		movsd
		movsd
		movsd
		movsd
		call	_IoSetActivityIdThread@4 ; IoSetActivityIdThread(x)
		mov	esi, [esp+20h+var_8]
		mov	[esp+20h+var_C], 1
		jmp	loc_4DCE5A
; END OF FUNCTION CHUNK	FOR KiAbCleanupThreadState
; 
; START	OF FUNCTION CHUNK FOR IopProcessWorkItem

loc_5CAECE:				; CODE XREF: IopProcessWorkItem+67j
		mov	edx, 540h
		mov	ecx, esi
		call	_EtwTraceThreadWorkItem@8 ; EtwTraceThreadWorkItem(x,x)
		jmp	loc_4DCE73
; 

loc_5CAEDF:				; CODE XREF: IopProcessWorkItem+88j
		mov	edx, 541h
		mov	ecx, esi
		call	_EtwTraceThreadWorkItem@8 ; EtwTraceThreadWorkItem(x,x)
		jmp	loc_4DCE94
; 

loc_5CAEF0:				; CODE XREF: IopProcessWorkItem+9Aj
		mov	eax, large fs:124h
		and	dword ptr [eax+35Ch], 0
		jmp	loc_4DCEA6
; 

loc_5CAF02:				; CODE XREF: IopProcessWorkItem+B1j
		mov	eax, large fs:124h
		push	0
		push	dword ptr [eax+13Ch]
		mov	eax, large fs:124h
		movzx	eax, byte ptr [eax+16Ah]
		push	eax
		push	esi
		push	1
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5CAF27:				; DATA XREF: .text:006A2554o
		xor	eax, eax
		inc	eax
		retn
; END OF FUNCTION CHUNK	FOR IopProcessWorkItem

;  S U B	R O U T	I N E 


sub_5CAF2B	proc near		; DATA XREF: .text:006A2558o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp-90h]
		jmp	loc_4DD01E
sub_5CAF2B	endp


;  S U B	R O U T	I N E 


sub_5CAF42	proc near		; DATA XREF: .text:006A2574o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_5CAF42	endp


;  S U B	R O U T	I N E 


sub_5CAF50	proc near		; DATA XREF: .text:006A2578o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-2Ch]
		mov	[ebp-30h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, [ebp+8]
		mov	esi, [ebp-34h]
		jmp	loc_4DD1EB
sub_5CAF50	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpLogSystemEventUnsafe

loc_5CAF6D:				; CODE XREF: EtwpLogSystemEventUnsafe+FBj
		push	[ebp+var_24]	; size_t
		push	ebx		; int
		push	[ebp+var_38]	; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi
		call	EtwpUpdateEventsLostCount
		jmp	loc_4DD1F3
; 

loc_5CAF88:				; CODE XREF: EtwpLogSystemEventUnsafe+108j
		cmp	ds:_KdDebuggerNotPresent, 0
		jnz	short loc_5CAF9A
		cmp	ds:_KdPitchDebugger, 0
		jz	short loc_5CAFA7

loc_5CAF9A:				; CODE XREF: EtwpLogSystemEventUnsafe+EDE9Dj
		cmp	ds:_KdEventLoggingPresent, 0
		jz	loc_4DD200

loc_5CAFA7:				; CODE XREF: EtwpLogSystemEventUnsafe+EDEA6j
		lea	edx, [ebp+var_58]
		mov	ecx, esi
		call	_EtwpSendTraceEvent@8 ;	EtwpSendTraceEvent(x,x)
		jmp	loc_4DD200
; 

loc_5CAFB6:				; CODE XREF: EtwpLogSystemEventUnsafe+11Ej
		mov	ecx, [ebp+arg_C]
		and	ecx, 1FFFh
		mov	[ebp+arg_8], eax
		mov	edx, ecx
		shr	edx, 3
		mov	eax, [esi+2B4h]
		and	cl, 7
		mov	al, [edx+eax]
		sar	al, cl
		test	al, 1
		jz	short loc_5CAFF5
		push	[ebp+arg_10]
		push	edi
		lea	edx, [ebp+var_4C]
		mov	ecx, esi
		call	_EtwpStackTraceDispatcher@16 ; EtwpStackTraceDispatcher(x,x,x,x)
		mov	eax, [ebp+var_3C]
		mov	eax, [eax+258h]
		jmp	loc_4DD216
; 

loc_5CAFF5:				; CODE XREF: EtwpLogSystemEventUnsafe+EDEE5j
		mov	eax, [ebp+arg_8]
		jmp	loc_4DD216
; 

loc_5CAFFD:				; CODE XREF: EtwpLogSystemEventUnsafe+129j
		mov	edx, ebx
		mov	eax, [esi+2C0h]
		cmp	[eax+8], ebx
		jbe	loc_4DD221
		push	0Ch
		pop	ecx

loc_5CB011:				; CODE XREF: EtwpLogSystemEventUnsafe+EDF3Cj
		mov	eax, [esi+2C0h]
		mov	[ebp+arg_8], eax
		mov	ax, [ecx+eax]
		cmp	ax, word ptr [ebp+arg_C]
		jz	short loc_5CB035
		inc	edx
		add	ecx, 2
		mov	eax, [ebp+arg_8]
		cmp	edx, [eax+8]
		jb	short loc_5CB011
		jmp	loc_4DD221
; 

loc_5CB035:				; CODE XREF: EtwpLogSystemEventUnsafe+EDF30j
		push	[ebp+arg_10]
		push	edi
		lea	edx, [ebp+var_4C]
		mov	ecx, esi
		call	_EtwpTraceLastBranchRecord@16 ;	EtwpTraceLastBranchRecord(x,x,x,x)
		jmp	loc_4DD221
; 

loc_5CB048:				; CODE XREF: EtwpLogSystemEventUnsafe+139j
		mov	eax, [esi+2C4h]
		cmp	[eax+14h], ebx
		jbe	loc_4DD231
		push	18h
		pop	ecx

loc_5CB05A:				; CODE XREF: EtwpLogSystemEventUnsafe+EDF7Fj
		mov	edx, [esi+2C4h]
		mov	ax, [ecx+edx]
		cmp	ax, word ptr [ebp+arg_C]
		jz	short loc_5CB078
		inc	ebx
		add	ecx, 2
		cmp	ebx, [edx+14h]
		jb	short loc_5CB05A
		jmp	loc_4DD231
; 

loc_5CB078:				; CODE XREF: EtwpLogSystemEventUnsafe+EDF76j
		push	[ebp+arg_10]
		push	edi
		lea	edx, [ebp+var_4C]
		mov	ecx, esi
		call	_EtwpTraceProcessorTrace@16 ; EtwpTraceProcessorTrace(x,x,x,x)
		jmp	loc_4DD231
; END OF FUNCTION CHUNK	FOR EtwpLogSystemEventUnsafe
; 
; START	OF FUNCTION CHUNK FOR KeRequestTerminationThread

loc_5CB08B:				; CODE XREF: KeRequestTerminationThread+3Aj
					; KeRequestTerminationThread+EDCF9j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5CB08B
		jmp	loc_4DD3D3
; END OF FUNCTION CHUNK	FOR KeRequestTerminationThread
; 
; START	OF FUNCTION CHUNK FOR IopCancelApcRequired

loc_5CB09E:				; CODE XREF: IopCancelApcRequired+38j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4DD483
; END OF FUNCTION CHUNK	FOR IopCancelApcRequired
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepEvaluateSetRelationship

loc_5CB0AD:				; CODE XREF: AuthzBasepEvaluateSetRelationship+3Bj
		sub	ebx, 1
		jnz	loc_4DD572
		xor	edi, edi
		mov	ebx, eax
		inc	edi

loc_5CB0BB:				; CODE XREF: AuthzBasepEvaluateSetRelationship+EDC74j
		mov	eax, [esi+8]
		lea	edx, [ebp+var_24]
		mov	ecx, esi
		mov	[ebp+arg_0], eax
		call	AuthzBasepGetNextValue
		mov	edx, eax
		cmp	edx, 8000001Ah
		jz	loc_4DD570
		test	edx, edx
		js	loc_4DD56B
		push	4
		lea	eax, [esi+1Ch]
		pop	ecx
		cmp	[eax], cx
		jnz	short loc_5CB129
		lea	edx, [ebp+var_40]
		mov	ecx, esi
		call	AuthzBasepGetNextValue
		mov	edx, eax
		test	edx, edx
		js	loc_4DD56B
		mov	al, [esi+4]
		and	[ebp+var_1C], 0
		mov	[ebp+var_20], al
		mov	ax, [esi]
		mov	word ptr [ebp+var_24], ax
		mov	eax, [esi+10h]
		mov	[ebp+var_14], eax
		mov	eax, [esi+8]
		mov	[ebp+var_10], eax
		mov	eax, [esi+18h]
		add	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		lea	eax, [esi+1Ch]

loc_5CB129:				; CODE XREF: AuthzBasepEvaluateSetRelationship+EDC1Cj
		push	edi
		push	ebx
		mov	edx, eax
		lea	ecx, [ebp+var_24]
		call	AuthzBasepValueInSet
		mov	edx, eax
		test	edx, edx
		js	loc_4DD56B
		cmp	dword ptr [ebx], 0
		jz	loc_5CB0BB
		jmp	loc_4DD567
; 

loc_5CB14D:				; CODE XREF: AuthzBasepEvaluateSetRelationship+4Cj
		mov	eax, [esi+4]
		cmp	eax, [esi+20h]
		jb	loc_4DD572
		jmp	loc_4DD520
; 

loc_5CB15E:				; CODE XREF: AuthzBasepEvaluateSetRelationship+7Cj
		lea	edx, [ebp+var_40]
		lea	ecx, [esi+1Ch]
		call	AuthzBasepGetNextValue
		mov	edx, eax
		test	edx, edx
		js	loc_4DD56B
		mov	al, [esi+20h]
		and	[ebp+var_1C], 0
		mov	[ebp+var_20], al
		mov	ax, [esi+1Ch]
		mov	word ptr [ebp+var_24], ax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_14], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_10], eax
		mov	eax, [esi+34h]
		add	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		jmp	loc_4DD550
; 

loc_5CB19F:				; CODE XREF: AuthzBasepEvaluateSetRelationship+32j
		xor	edi, edi
		inc	edi
		cmp	[esi+0Ch], edi
		jz	short loc_5CB1B8
		cmp	[esi+28h], edi
		jz	short loc_5CB1B8
		mov	eax, [esi+4]
		cmp	eax, [esi+20h]
		jnz	loc_4DD572

loc_5CB1B8:				; CODE XREF: AuthzBasepEvaluateSetRelationship+EDCD7j
					; AuthzBasepEvaluateSetRelationship+EDCDCj
		mov	ebx, [ebp+arg_0]

loc_5CB1BB:				; CODE XREF: AuthzBasepEvaluateSetRelationship+EDD73j
		mov	eax, [esi+8]
		lea	edx, [ebp+var_24]
		mov	ecx, esi
		mov	[ebp+arg_0], eax
		call	AuthzBasepGetNextValue
		mov	edx, eax
		cmp	edx, 8000001Ah
		jz	short loc_5CB24C
		test	edx, edx
		js	loc_4DD56B
		push	4
		lea	ecx, [esi+1Ch]
		pop	eax
		cmp	[ecx], ax
		jnz	short loc_5CB225
		lea	edx, [ebp+var_40]
		mov	ecx, esi
		call	AuthzBasepGetNextValue
		mov	edx, eax
		test	edx, edx
		js	loc_4DD56B
		mov	al, [esi+4]
		lea	ecx, [esi+1Ch]
		and	[ebp+var_1C], 0
		mov	[ebp+var_20], al
		mov	ax, [esi]
		mov	word ptr [ebp+var_24], ax
		mov	eax, [esi+10h]
		mov	[ebp+var_14], eax
		mov	eax, [esi+8]
		mov	[ebp+var_10], eax
		mov	eax, [esi+18h]
		add	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax

loc_5CB225:				; CODE XREF: AuthzBasepEvaluateSetRelationship+EDD18j
		inc	[ebp+var_8]
		mov	edx, ecx
		push	0
		push	ebx
		lea	ecx, [ebp+var_24]
		call	AuthzBasepValueInSet
		mov	edx, eax
		test	edx, edx
		js	loc_4DD56B
		cmp	[ebx], edi
		jz	loc_5CB1BB
		jmp	loc_4DD567
; 

loc_5CB24C:				; CODE XREF: AuthzBasepEvaluateSetRelationship+EDD05j
		mov	eax, [esi+0Ch]
		xor	edx, edx
		cmp	eax, edi
		jnz	short loc_5CB268
		cmp	[esi+4], dl
		jnz	short loc_5CB268
		cmp	[esi+28h], edi
		jz	short loc_5CB26D
		cmp	[esi+20h], edi
		jz	loc_4DD572

loc_5CB268:				; CODE XREF: AuthzBasepEvaluateSetRelationship+EDD85j
					; AuthzBasepEvaluateSetRelationship+EDD8Aj
		cmp	[esi+28h], edi
		jnz	short loc_5CB27F

loc_5CB26D:				; CODE XREF: AuthzBasepEvaluateSetRelationship+EDD8Fj
		cmp	[esi+20h], dl
		jnz	short loc_5CB27F
		cmp	eax, edi
		jz	short loc_5CB27F
		cmp	[esi+4], edi
		jz	loc_4DD572

loc_5CB27F:				; CODE XREF: AuthzBasepEvaluateSetRelationship+EDD9Dj
					; AuthzBasepEvaluateSetRelationship+EDDA2j ...
		mov	ecx, esi
		call	_AuthzBasepRestartOperandValueEnumeration@4 ; AuthzBasepRestartOperandValueEnumeration(x)

loc_5CB286:				; CODE XREF: AuthzBasepEvaluateSetRelationship+EDE43j
		mov	ecx, [esi+24h]
		lea	eax, [esi+1Ch]
		mov	[ebp+arg_0], ecx
		lea	edx, [ebp+var_24]
		mov	ecx, eax
		call	AuthzBasepGetNextValue
		mov	edx, eax
		cmp	edx, 8000001Ah
		jz	short loc_5CB316
		test	edx, edx
		js	loc_4DD56B
		push	4
		pop	eax
		cmp	[esi], ax
		jnz	short loc_5CB2EF
		lea	edx, [ebp+var_40]
		lea	ecx, [esi+1Ch]
		call	AuthzBasepGetNextValue
		mov	edx, eax
		test	edx, edx
		js	loc_4DD56B
		mov	al, [esi+20h]
		and	[ebp+var_1C], 0
		mov	[ebp+var_20], al
		mov	ax, [esi+1Ch]
		mov	word ptr [ebp+var_24], ax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_14], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_10], eax
		mov	eax, [esi+34h]
		add	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax

loc_5CB2EF:				; CODE XREF: AuthzBasepEvaluateSetRelationship+EDDE3j
		inc	[ebp+var_4]
		lea	ecx, [ebp+var_24]
		push	0
		push	ebx
		mov	edx, esi
		call	AuthzBasepValueInSet
		mov	edx, eax
		test	edx, edx
		js	loc_4DD56B
		cmp	[ebx], edi
		jnz	loc_4DD567
		jmp	loc_5CB286
; 

loc_5CB316:				; CODE XREF: AuthzBasepEvaluateSetRelationship+EDDD3j
		mov	eax, [ebp+var_4]
		xor	edx, edx
		cmp	[ebp+var_8], eax
		jz	loc_4DD572
		and	[ebx], edx
		jmp	loc_4DD567
; END OF FUNCTION CHUNK	FOR AuthzBasepEvaluateSetRelationship
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepValueInSet

loc_5CB32B:				; CODE XREF: AuthzBasepValueInSet+4Bj
		lea	edx, [ebp+var_20]
		mov	ecx, edi
		call	AuthzBasepGetNextValue
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	loc_4DD633
		test	esi, esi
		js	loc_4DD63D
		mov	al, [edi+4]
		and	[ebp+var_34], 0
		mov	[ebp+var_38], al
		mov	ax, [edi]
		mov	word ptr [ebp+arg_0+2],	ax
		mov	word ptr [ebp+var_3C], ax
		mov	eax, [edi+10h]
		mov	[ebp+var_2C], eax
		mov	eax, [edi+8]
		mov	[ebp+var_28], eax
		mov	eax, [edi+18h]
		add	eax, [ebp+var_4]
		mov	[ebp+var_24], eax
		jmp	loc_4DD5D5
; 

loc_5CB37A:				; CODE XREF: AuthzBasepValueInSet+63j
		cmp	[ebp+arg_4], 0
		jnz	loc_4DD5A2
		mov	esi, 0C00001A2h
		jmp	loc_4DD61F
; 

loc_5CB38E:				; CODE XREF: AuthzBasepValueInSet+87j
		push	4
		pop	edx
		cmp	ax, dx
		jz	short loc_5CB3B6
		cmp	eax, 5
		jz	short loc_5CB3AA
		cmp	eax, 6
		jz	short loc_5CB3C6
		cmp	cx, 10h
		jnz	loc_4DD61A

loc_5CB3AA:				; CODE XREF: AuthzBasepValueInSet+EDE1Dj
		lea	edx, [ebp+var_58]
		mov	cl, 80h
		call	_AuthzBasepCompareOctetStringOperands@8	; AuthzBasepCompareOctetStringOperands(x,x)
		jmp	short loc_5CB3D0
; 

loc_5CB3B6:				; CODE XREF: AuthzBasepValueInSet+EDE18j
		push	ebx
		lea	edx, [ebp+var_58]
		mov	cl, 80h
		call	_AuthzBasepCompareFQBNOperands@12 ; AuthzBasepCompareFQBNOperands(x,x,x)
		jmp	loc_4DD614
; 

loc_5CB3C6:				; CODE XREF: AuthzBasepValueInSet+7Ej
					; AuthzBasepValueInSet+EDE22j
		lea	edx, [ebp+var_58]
		mov	cl, 80h
		call	_AuthzBasepCompareIntegerOperands@8 ; AuthzBasepCompareIntegerOperands(x,x)

loc_5CB3D0:				; CODE XREF: AuthzBasepValueInSet+EDE38j
		mov	[ebx], eax
		jmp	loc_4DD61A
; END OF FUNCTION CHUNK	FOR AuthzBasepValueInSet
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepGetNextValue

loc_5CB3D7:				; CODE XREF: AuthzBasepGetNextValue+5Ej
		mov	edx, [ebx+14h]
		cmp	eax, edx
		jnb	loc_4DD6C7
		lea	ecx, [ebp+var_4]
		sub	edx, eax
		push	ecx
		mov	ecx, [ebx+18h]
		push	edi
		add	ecx, eax
		call	AuthzBasepGetConstantOperand
		cmp	byte ptr [edi+4], 0
		mov	edx, eax
		jz	short loc_5CB405
		mov	edx, 0C00001A2h
		jmp	loc_4DD696
; 

loc_5CB405:				; CODE XREF: AuthzBasepGetNextValue+EDDB7j
		mov	eax, [ebp+var_4]
		add	[ebx+8], eax
		jmp	loc_4DD696
; END OF FUNCTION CHUNK	FOR AuthzBasepGetNextValue
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepCompareUnicodeStringOperands

loc_5CB410:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+36j
		or	dword ptr [esi], 0FFFFFFFFh
		mov	edi, eax
		jmp	loc_4DD7DA
; 

loc_5CB41A:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+5Cj
		mov	eax, [ecx]
		mov	ecx, [eax+1Ch]
		mov	eax, [ecx]
		mov	esi, [ebp+var_28]
		mov	[esi], eax
		mov	eax, [ecx+4]
		mov	ecx, esi
		mov	[ecx+4], eax
		mov	esi, [ebp+arg_0]
		jmp	loc_4DD767
; 

loc_5CB436:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+B5j
		test	dl, dl
		jz	short loc_5CB447
		lea	edx, [ebp+var_3C]
		lea	ecx, [ebp+var_44]
		call	AuthzBasepEqualUnicodeStringCaseSensitive
		jmp	short loc_5CB456
; 

loc_5CB447:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDD56j
		push	1
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)

loc_5CB456:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDD63j
		movzx	ecx, al
		mov	[esi], ecx
		jmp	loc_4DD7CD
; 

loc_5CB460:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+C3j
		test	dl, dl
		setz	byte ptr [ebp+var_30]
		push	[ebp+var_30]
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_3C]
		jmp	loc_4DD7BB
; 

loc_5CB475:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+F2j
		xor	eax, eax
		cmp	ecx, 1
		setnz	al
		mov	[esi], eax
		jmp	loc_4DD7DA
; END OF FUNCTION CHUNK	FOR AuthzBasepCompareUnicodeStringOperands

;  S U B	R O U T	I N E 


sub_5CB484	proc near		; DATA XREF: .text:006A28B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5CB484	endp


;  S U B	R O U T	I N E 


sub_5CB492	proc near		; DATA XREF: .text:006A28B8o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-34h]
		mov	eax, [ebp+8]
		or	dword ptr [eax], 0FFFFFFFFh
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		jmp	loc_4DD7DA
sub_5CB492	endp

; 
; START	OF FUNCTION CHUNK FOR AuthzBasepCompareUnicodeStringOperands

loc_5CB4AC:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+A5j
		test	dl, dl
		jz	short loc_5CB4BD
		lea	edx, [ebp+var_3C]
		lea	ecx, [ebp+var_44]
		call	_AuthzBasepCompareUnicodeStringCaseSensitive@8 ; AuthzBasepCompareUnicodeStringCaseSensitive(x,x)
		jmp	short loc_5CB4CC
; 

loc_5CB4BD:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDDCCj
		push	1
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)

loc_5CB4CC:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDDD9j
		mov	ecx, eax
		mov	[esi], ecx
		mov	al, [ebp+var_1A]
		cmp	al, 82h
		jz	short loc_5CB4E6
		cmp	al, 83h
		jnz	short loc_5CB4F8
		xor	eax, eax
		test	ecx, ecx
		setle	al
		jmp	short loc_5CB4F4
; 

loc_5CB4E4:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDE1Ej
		not	ecx

loc_5CB4E6:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDDF3j
		shr	ecx, 1Fh
		mov	[esi], ecx
		jmp	short loc_5CB505
; 

loc_5CB4ED:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDE18j
		xor	eax, eax
		test	ecx, ecx
		setnle	al

loc_5CB4F4:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDE00j
		mov	[esi], eax
		jmp	short loc_5CB505
; 

loc_5CB4F8:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDDF7j
		cmp	al, 84h
		jz	short loc_5CB4ED
		cmp	al, 85h
		jnz	short loc_5CB505
		jmp	short loc_5CB4E4
; 

loc_5CB502:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+7Cj
		or	dword ptr [esi], 0FFFFFFFFh

loc_5CB505:				; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDE09j
					; AuthzBasepCompareUnicodeStringOperands+EDE14j ...
		mov	edi, [ebp+var_24]
		jmp	loc_4DD7DA
; END OF FUNCTION CHUNK	FOR AuthzBasepCompareUnicodeStringOperands

;  S U B	R O U T	I N E 


sub_5CB50D	proc near		; DATA XREF: .text:006A28D8o
		mov	bl, [ebp-1Dh]
		jmp	sub_4DD888
sub_5CB50D	endp

; 
; START	OF FUNCTION CHUNK FOR RtlIsNameInUnUpcasedExpression

loc_5CB515:				; CODE XREF: RtlIsNameInUnUpcasedExpression+67j
		push	ecx
		lea	ecx, [ebp+var_24]
		call	RtlpUpcaseUnicodeStringPrivate
		test	eax, eax
		jns	short loc_5CB528
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5CB528:				; CODE XREF: RtlIsNameInUnUpcasedExpression+EDC70j
		push	ecx
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_2C]
		call	RtlpUpcaseUnicodeStringPrivate
		test	eax, eax
		jns	short loc_5CB53E
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5CB53E:				; CODE XREF: RtlIsNameInUnUpcasedExpression+EDC86j
		lea	edx, [ebp+var_24]
		lea	ecx, [ebp+var_2C]
		mov	byte ptr [ebp+arg_8], 0
		jmp	loc_4DD920
; END OF FUNCTION CHUNK	FOR RtlIsNameInUnUpcasedExpression

;  S U B	R O U T	I N E 


sub_5CB54D	proc near		; DATA XREF: .text:006A28F8o
		mov	bl, [ebp-19h]
		jmp	sub_4DD952
sub_5CB54D	endp

; 
; START	OF FUNCTION CHUNK FOR sub_4DD952

loc_5CB555:				; CODE XREF: sub_4DD952+4j
		lea	eax, [ebp-24h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	loc_4DD95C
; 

loc_5CB563:				; CODE XREF: sub_4DD952+Ej
		lea	eax, [ebp-2Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	locret_4DD966
; END OF FUNCTION CHUNK	FOR sub_4DD952
; 
; START	OF FUNCTION CHUNK FOR RtlpIsNameInExpressionPrivate

loc_5CB571:				; CODE XREF: RtlpIsNameInExpressionPrivate+38Cj
		mov	eax, [ebp+var_60]
		mov	ebx, [ebp+var_70]
		push	edi		; size_t
		mov	eax, [eax+4]
		lea	eax, [eax+edx*2]
		push	eax		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jmp	loc_4DDBED
; 

loc_5CB58F:				; CODE XREF: RtlpIsNameInExpressionPrivate+15Bj
		cmp	[ebp+var_6C], 0
		jnz	loc_4DDAD1
		mov	eax, [ebp+var_80]
		movzx	eax, ax
		shr	eax, 1
		mov	[ebp+var_80], eax
		push	6E725346h
		lea	eax, ds:8[eax*8]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_6C], eax
		test	eax, eax
		jz	short loc_5CB60A
		mov	esi, [ebp+var_4C]
		mov	edi, eax
		mov	ecx, 8
		mov	[ebp+var_4C], eax
		rep movsd
		mov	ecx, [ebp+var_80]
		mov	esi, [ebp+var_50]
		lea	edx, [eax+ecx*4]
		mov	eax, [ebp+var_58]
		lea	edi, [edx+4]
		mov	ecx, 8
		rep movsd
		mov	esi, [ebp+var_84]
		lea	edi, [edx+4]
		mov	edx, [ebp+var_88]
		mov	[ebp+var_50], edi
		jmp	loc_4DDAD1
; 

loc_5CB5FE:				; CODE XREF: RtlpIsNameInExpressionPrivate+22Dj
		mov	eax, [ebp+var_4C]
		mov	[eax+ebx*2], dx
		jmp	loc_4DDAFF
; 

loc_5CB60A:				; CODE XREF: RtlpIsNameInExpressionPrivate+EDC50j
		push	0C0000017h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5CB614:				; CODE XREF: RtlpIsNameInExpressionPrivate+2FDj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4DDC73
; 

loc_5CB621:				; CODE XREF: RtlpIsNameInExpressionPrivate+274j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4DDBEA
; 

loc_5CB62E:				; CODE XREF: RtlpIsNameInExpressionPrivate+3Dj
					; RtlpIsNameInExpressionPrivate+49j
		movzx	eax, word ptr [edx]
		mov	ecx, esi
		add	ecx, eax
		jmp	loc_4DDBED
; END OF FUNCTION CHUNK	FOR RtlpIsNameInExpressionPrivate
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepEvaluateExpression

loc_5CB63A:				; CODE XREF: AuthzBasepEvaluateExpression+61j
					; DATA XREF: .text:off_4DDEC2o
		push	edi
		mov	edx, ebx
		xor	ecx, ecx
		call	AuthzBasepEvaluateSetRelationship
		mov	esi, eax
		test	esi, esi
		js	loc_4DDE7F
		cmp	[esp+18h+var_5], 81h
		jnz	loc_4DDEBB
		mov	ecx, [edi]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_4DDEBB
		xor	eax, eax
		test	ecx, ecx
		setz	al
		mov	[edi], eax
		jmp	loc_4DDEBB
; 

loc_5CB672:				; CODE XREF: AuthzBasepEvaluateExpression+61j
					; DATA XREF: .text:004DDECEo
		push	edi
		push	2
		pop	ecx
		jmp	loc_4DDEAE
; 

loc_5CB67B:				; CODE XREF: AuthzBasepEvaluateExpression+61j
					; DATA XREF: .text:004DDEC6o
		mov	edx, [esp+18h+var_4]
		movzx	eax, dx
		test	ax, ax
		jz	short loc_5CB6D1
		cmp	eax, 2
		jbe	short loc_5CB6AA
		cmp	eax, 3
		jz	short loc_5CB6C2
		cmp	eax, 4
		jz	short loc_5CB6B8
		cmp	eax, 5
		jz	short loc_5CB6A1
		cmp	dx, 10h
		jnz	short loc_5CB6D1

loc_5CB6A1:				; CODE XREF: AuthzBasepEvaluateExpression+ED857j
		mov	edx, ebx
		call	_AuthzBasepCompareOctetStringOperands@8	; AuthzBasepCompareOctetStringOperands(x,x)
		jmp	short loc_5CB6B1
; 

loc_5CB6AA:				; CODE XREF: AuthzBasepEvaluateExpression+ED848j
		mov	edx, ebx
		call	_AuthzBasepCompareIntegerOperands@8 ; AuthzBasepCompareIntegerOperands(x,x)

loc_5CB6B1:				; CODE XREF: AuthzBasepEvaluateExpression+ED866j
		mov	[edi], eax
		jmp	loc_4DDE82
; 

loc_5CB6B8:				; CODE XREF: AuthzBasepEvaluateExpression+ED852j
		push	edi
		mov	edx, ebx
		call	_AuthzBasepCompareFQBNOperands@12 ; AuthzBasepCompareFQBNOperands(x,x,x)
		jmp	short loc_5CB6CA
; 

loc_5CB6C2:				; CODE XREF: AuthzBasepEvaluateExpression+ED84Dj
		push	edi
		mov	edx, ebx
		call	AuthzBasepCompareUnicodeStringOperands

loc_5CB6CA:				; CODE XREF: AuthzBasepEvaluateExpression+ED87Ej
		mov	esi, eax
		jmp	loc_4DDEBB
; 

loc_5CB6D1:				; CODE XREF: AuthzBasepEvaluateExpression+ED843j
					; AuthzBasepEvaluateExpression+ED85Dj
		mov	esi, 0C00001A2h
		jmp	loc_4DDEBB
; END OF FUNCTION CHUNK	FOR AuthzBasepEvaluateExpression
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepOperandValueTypesCompatible

loc_5CB6DB:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+17j
		mov	ax, [ecx]
		cmp	ax, [ecx+1Ch]
		jmp	loc_4DDF55
; 

loc_5CB6E7:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+3Fj
		cmp	edx, 2
		jz	loc_4DDF57
		cmp	edx, 3

loc_5CB6F3:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+8Ej
		jnz	loc_4DDF4F
		jmp	loc_4DDF57
; 

loc_5CB6FE:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+50j
					; AuthzBasepOperandValueTypesCompatible+59j
		cmp	dx, word ptr [ebp+var_4]
		jnz	loc_4DDF45
		mov	ecx, [esi+18h]
		mov	dl, [ecx+8]
		cmp	ax, word ptr [ebp+var_4]
		jnz	short loc_5CB722
		cmp	dl, 2
		jz	loc_4DDF64
		jmp	loc_4DDF57
; 

loc_5CB722:				; CODE XREF: AuthzBasepOperandValueTypesCompatible+ED82Cj
		cmp	ax, bx
		jnz	loc_4DDF64
		cmp	dl, 2
		jz	loc_4DDF57
		cmp	dword ptr [ecx+4], 7FFFFFFFh
		ja	loc_4DDF64
		jb	loc_4DDF57
		cmp	dword ptr [ecx], 0FFFFFFFFh
		ja	loc_4DDF64
		jmp	loc_4DDF57
; END OF FUNCTION CHUNK	FOR AuthzBasepOperandValueTypesCompatible
; 
; START	OF FUNCTION CHUNK FOR KiCallInterruptServiceRoutine

loc_5CB755:				; CODE XREF: KiCallInterruptServiceRoutine+25Ej
		xor	dl, dl
		mov	ecx, 1
		call	_KiResetForceIdle@8 ; KiResetForceIdle(x,x)
		jmp	loc_4DE558
; 

loc_5CB766:				; CODE XREF: KiCallInterruptServiceRoutine+267j
					; KiCallInterruptServiceRoutine+276j
		call	KiCheckAndRearmForceIdle
		jmp	loc_4DE558
; 

loc_5CB770:				; CODE XREF: KiCallInterruptServiceRoutine+2Cj
		mov	eax, [esi+18h]
		push	eax
		mov	eax, [esi+0Ch]
		push	esi
		call	eax
		mov	bl, al
		jmp	loc_4DE695
; 

loc_5CB781:				; CODE XREF: KiCallInterruptServiceRoutine+285j
		call	@KiAcquireSpinLockInstrumented@4 ; KiAcquireSpinLockInstrumented(x)
		jmp	loc_4DE5AE
; 

loc_5CB78B:				; CODE XREF: KiCallInterruptServiceRoutine+AEj
		xor	edx, edx
		call	_KiFreezeTargetExecution@8 ; KiFreezeTargetExecution(x,x)
		mov	edx, [esp+30h+var_20]
		jmp	loc_4DE5E4
; 

loc_5CB79B:				; CODE XREF: KiCallInterruptServiceRoutine+2AAj
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4DE623
; END OF FUNCTION CHUNK	FOR KiCallInterruptServiceRoutine
; 
; START	OF FUNCTION CHUNK FOR KiIntRedirectQueueRequestOnProcessor

loc_5CB7AA:				; CODE XREF: KiIntRedirectQueueRequestOnProcessor+3Bj
		push	eax
		push	esi
		push	103h
		push	4001h
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5CB7C1:				; CODE XREF: MI_INTERLOCKED_EXCHANGE_PTE+34j
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_4DECD8
; END OF FUNCTION CHUNK	FOR KiIntRedirectQueueRequestOnProcessor
; 
; START	OF FUNCTION CHUNK FOR MiDrainSystemAccessLog

loc_5CB7D1:				; CODE XREF: MiDrainSystemAccessLog+64j
		mov	edx, eax
		lea	ecx, [ebp+var_14]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4DEDD5
; 

loc_5CB7E0:				; CODE XREF: MiDrainSystemAccessLog+71j
		lea	ecx, [ebp+var_14]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4DEDD5
; 

loc_5CB7ED:				; CODE XREF: MiDrainSystemAccessLog+8Dj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4DEE0F
; 

loc_5CB7FD:				; CODE XREF: MiDrainSystemAccessLog+ABj
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid
		jmp	loc_4DEE1D
; END OF FUNCTION CHUNK	FOR MiDrainSystemAccessLog
; 
; START	OF FUNCTION CHUNK FOR MiEmptyPageAccessLog

loc_5CB80A:				; CODE XREF: MiEmptyPageAccessLog+243j
					; MiEmptyPageAccessLog+254j
		test	byte ptr [eax+12h], 2
		jz	short loc_5CB823
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_2C]
		push	eax
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		mov	edx, [ebp+var_8]
		mov	ecx, eax
		jmp	short loc_5CB826
; 

loc_5CB823:				; CODE XREF: MiEmptyPageAccessLog+EC9DEj
		mov	ecx, [eax+0Ch]

loc_5CB826:				; CODE XREF: MiEmptyPageAccessLog+EC9F1j
		mov	eax, edx
		sub	eax, [ecx+24h]
		sar	eax, 3
		cdq
		mov	esi, edx
		mov	[ebp+var_2C], eax
		mov	edx, eax
		mov	eax, [ebp+var_C]
		jmp	loc_4DF091
; 

loc_5CB83E:				; CODE XREF: MiEmptyPageAccessLog+2DDj
		mov	edx, eax
		test	al, 7
		jnz	loc_4DF102
		jmp	loc_4DF113
; 

loc_5CB84D:				; CODE XREF: MiEmptyPageAccessLog+422j
		mov	ecx, eax
		and	eax, 7
		add	eax, 7
		mov	[ebp+var_28], ecx
		cmp	eax, 7
		jbe	loc_4DF230
		jmp	loc_4DF2BD
; 

loc_5CB866:				; CODE XREF: MiEmptyPageAccessLog+2FCj
					; MiEmptyPageAccessLog+3CDj
		add	eax, 24h
		push	eax
		mov	[ebp+var_38], eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_1], al
		mov	ebx, [ecx+20h]
		and	ebx, 0FFFFFFF8h
		mov	[ebp+var_2C], ebx
		jz	short loc_5CB88F
		mov	edx, 746C6644h
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag

loc_5CB88F:				; CODE XREF: MiEmptyPageAccessLog+ECA51j
		push	[ebp+var_38]
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4DF132
; 

loc_5CB8A5:				; CODE XREF: MiEmptyPageAccessLog+47Ej
					; MiEmptyPageAccessLog+ECA83j
		mov	esi, [esi]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_5CB8A5
		jmp	loc_4DEFC6
; END OF FUNCTION CHUNK	FOR MiEmptyPageAccessLog
; 
; START	OF FUNCTION CHUNK FOR RtlAreNamesEqual

loc_5CB8BA:				; CODE XREF: RtlAreNamesEqual+4Aj
		push	ecx
		lea	ecx, [ebp+var_C]
		call	RtlpUpcaseUnicodeStringPrivate
		test	eax, eax
		jns	short loc_5CB8CD
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5CB8CD:				; CODE XREF: RtlAreNamesEqual+EC5D5j
		mov	edx, [ebp+arg_4]
		push	ecx
		lea	ecx, [ebp+var_14]
		call	RtlpUpcaseUnicodeStringPrivate
		mov	esi, eax
		test	esi, esi
		jns	short loc_5CB8EE
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	esi
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5CB8EE:				; CODE XREF: RtlAreNamesEqual+EC5EDj
		movzx	eax, word ptr [ebp+var_C]
		lea	edx, [ebp+var_C]
		lea	ecx, [ebp+var_14]
		mov	bl, 1

loc_5CB8FA:				; CODE XREF: RtlAreNamesEqual+8Fj
		movzx	eax, ax
		push	eax		; size_t
		mov	eax, [ecx+4]
		push	eax		; void *
		mov	eax, [edx+4]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		setz	bh
		test	bl, bl
		jz	short loc_5CB929
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_5CB929:				; CODE XREF: RtlAreNamesEqual+EC625j
		mov	al, bh
		jmp	loc_4DF36F
; END OF FUNCTION CHUNK	FOR RtlAreNamesEqual
; 
; START	OF FUNCTION CHUNK FOR KiIpiServiceRoutine

loc_5CB930:				; CODE XREF: KiIpiServiceRoutine+26j
		xor	edx, edx
		mov	ecx, edi
		call	_KiFreezeTargetExecution@8 ; KiFreezeTargetExecution(x,x)
		jmp	loc_4DF3BC
; END OF FUNCTION CHUNK	FOR KiIpiServiceRoutine
; 
; START	OF FUNCTION CHUNK FOR SepMaximumAccessCheck

loc_5CB93E:				; CODE XREF: SepMaximumAccessCheck+A1j
		test	ebx, ebx
		jz	loc_4DF8D7
		mov	eax, ds:_SeAliasAdminsSid
		push	ebx
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	loc_4DFA1B
		jmp	loc_4DF8D7
; 

loc_5CB95F:				; CODE XREF: SepMaximumAccessCheck+1D7j
		mov	eax, [edi+4]
		mov	edx, ecx
		mov	ecx, [ebp+arg_14]
		push	1
		push	eax
		push	[ebp+var_4]
		push	0
		call	AuthzBasepAddAccessTypeList
		jmp	loc_4DFA1B
; 

loc_5CB979:				; CODE XREF: SepMaximumAccessCheck+429j
		mov	ecx, [edi+8]
		lea	eax, [edi+0Ch]
		mov	edx, ecx
		and	edx, 1
		mov	esi, edx
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jnz	short loc_5CBA0C
		push	dword ptr [ebp+arg_2C]
		mov	eax, dword ptr [ebp+arg_20]
		and	ecx, 2
		push	dword ptr [ebp+arg_24]
		shl	ecx, 3
		or	ecx, 0Ch
		shl	edx, 4
		add	ecx, edi
		add	edx, ecx
		movzx	ecx, al
		neg	ecx
		push	eax
		sbb	ecx, ecx
		and	ecx, 88h
		push	esi
		mov	esi, [ebp+arg_C]
		add	ecx, 0CCh
		add	ecx, [ebp+var_8]
		push	edx
		mov	edx, esi
		jmp	short loc_5CB9E0
; 

loc_5CB9C7:				; CODE XREF: SepMaximumAccessCheck+EC29Cj
		push	dword ptr [ebp+arg_2C] ; char
		mov	ecx, [ebp+var_40]
		lea	eax, [edi+0Ch]
		push	dword ptr [ebp+arg_24] ; char
		xor	edx, edx
		push	0		; char
		push	0		; char
		push	eax		; void *
		lea	ecx, [ecx+0CCh]

loc_5CB9E0:				; CODE XREF: SepMaximumAccessCheck+EC195j
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_4DFA21
		mov	ecx, [ebp+arg_10]
		cmp	ecx, 1
		jnz	loc_5CBAD1
		mov	ecx, [ebp+arg_14]
		mov	eax, [ecx+20h]
		not	eax
		and	eax, [edi+4]
		or	[ecx+1Ch], eax
		jmp	loc_4DFA21
; 

loc_5CBA0C:				; CODE XREF: SepMaximumAccessCheck+EC15Cj
		cmp	[ebp+arg_18], 0
		jz	loc_4DFA1E
		push	dword ptr [ebp+arg_2C] ; char
		mov	eax, dword ptr [ebp+arg_20]
		and	ecx, 2
		push	dword ptr [ebp+arg_24] ; char
		shl	ecx, 3
		or	ecx, 0Ch
		shl	edx, 4
		add	ecx, edi
		add	edx, ecx
		movzx	ecx, al
		neg	ecx
		push	eax		; char
		sbb	ecx, ecx
		and	ecx, 88h
		push	0		; char
		add	ecx, 0CCh
		add	ecx, [ebp+var_8]
		push	edx		; void *
		mov	edx, [ebp+arg_C]
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_4DFA1E
		mov	edx, [ebp+arg_14]
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+arg_10]
		mov	ecx, esi
		call	_AuthzBasepObjectInTypeList@16 ; AuthzBasepObjectInTypeList(x,x,x,x)
		test	al, al
		jz	loc_4DFA1E
		mov	eax, [edi+4]
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_14]
		push	1
		push	eax
		push	[ebp+var_4]
		push	[ebp+var_C]
		call	AuthzBasepAddAccessTypeList
		jmp	loc_4DFA1B
; 

loc_5CBA8E:				; CODE XREF: SepMaximumAccessCheck+431j
		push	dword ptr [ebp+arg_2C] ; char
		movzx	eax, byte ptr [edi+0Dh]
		mov	edx, esi
		push	dword ptr [ebp+arg_24] ; char
		add	eax, 5
		push	dword ptr [ebp+arg_20] ; char
		push	0		; char
		lea	eax, [edi+eax*4]
		push	eax		; void *
		mov	eax, dword ptr [ebp+arg_20]
		movzx	ecx, al
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 88h
		add	ecx, 0CCh
		add	ecx, [ebp+var_8]
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_4DFA21
		jmp	loc_5CB9C7
; 

loc_5CBAD1:				; CODE XREF: SepMaximumAccessCheck+EC1C3j
		push	1
		jmp	short loc_5CBAD7
; 

loc_5CBAD5:				; CODE XREF: SepMaximumAccessCheck+47Bj
					; SepMaximumAccessCheck+EC312j
		push	2

loc_5CBAD7:				; CODE XREF: SepMaximumAccessCheck+EC2A3j
		mov	edx, ecx
		jmp	loc_4DFE26
; 

loc_5CBADE:				; CODE XREF: SepMaximumAccessCheck+4FAj
		mov	ecx, [edi+8]
		mov	edx, esi
		mov	eax, ecx
		and	ecx, 1
		and	eax, 2
		shl	ecx, 4
		push	0		; char
		push	dword ptr [ebp+arg_24] ; char
		shl	eax, 3
		push	dword ptr [ebp+arg_20] ; char
		or	eax, 0Ch
		add	eax, edi
		add	ecx, eax
		mov	eax, dword ptr [ebp+arg_20]
		push	1		; char
		push	ecx		; void *
		movzx	ecx, al
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 88h
		add	ecx, 0CCh
		add	ecx, [ebp+var_8]
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_4DFA21
		mov	eax, [edi+8]
		lea	ecx, [edi+0Ch]
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		jnz	short loc_5CBB57
		mov	ecx, [ebp+arg_10]
		cmp	ecx, 1
		jnz	short loc_5CBAD5
		mov	ecx, [ebp+arg_14]
		mov	eax, [ecx+1Ch]
		not	eax
		and	eax, [edi+4]
		or	[ecx+20h], eax
		jmp	loc_4DFA21
; 

loc_5CBB57:				; CODE XREF: SepMaximumAccessCheck+EC30Aj
		cmp	[ebp+arg_18], 0
		jnz	short loc_5CBB70
		mov	ecx, [ebp+arg_14]
		mov	eax, [ecx+1Ch]
		not	eax
		and	eax, [edi+4]
		or	[ecx+20h], eax
		jmp	loc_4DFA21
; 

loc_5CBB70:				; CODE XREF: SepMaximumAccessCheck+EC32Bj
		mov	edx, [ebp+arg_14]
		lea	ecx, [ebp+var_C]
		push	ecx
		push	[ebp+arg_10]
		mov	ecx, eax
		call	_AuthzBasepObjectInTypeList@16 ; AuthzBasepObjectInTypeList(x,x,x,x)
		test	al, al
		jz	loc_4DFA21
		mov	eax, [edi+4]
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_14]
		push	2
		push	eax
		push	[ebp+var_4]
		push	[ebp+var_C]
		call	AuthzBasepAddAccessTypeList
		jmp	loc_4DFE74
; 

loc_5CBBA5:				; CODE XREF: SepMaximumAccessCheck+543j
		mov	ecx, [eax+12Ch]
		mov	edx, [eax+124h]
		mov	ebx, [eax+128h]
		mov	eax, [eax+120h]
		mov	[ebp+arg_0], eax
		jmp	loc_4DFD82
; 

loc_5CBBC5:				; CODE XREF: SepMaximumAccessCheck+59Aj
		test	al, al
		jz	loc_4DFDFF

loc_5CBBCD:				; CODE XREF: SepMaximumAccessCheck+5A2j
		mov	ecx, 154h
		jmp	loc_4DFE04
; END OF FUNCTION CHUNK	FOR SepMaximumAccessCheck
; 
; START	OF FUNCTION CHUNK FOR SepMatchPackage

loc_5CBBD7:				; CODE XREF: SepMatchPackage+60j
		mov	eax, [ebp+arg_14]
		or	[eax], esi
		mov	eax, [ebp+arg_18]
		jmp	loc_4DFEC0
; END OF FUNCTION CHUNK	FOR SepMatchPackage
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepInitializeResourceClaimsFromSacl

loc_5CBBE4:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+62j
		mov	esi, 0C0000017h
		jmp	loc_4E0026
; 

loc_5CBBEE:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+A6j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [ebp+var_114]
		mov	ecx, [ebp+var_110]
		jmp	loc_4DFFCA
; 

loc_5CBC07:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+BFj
		test	byte ptr [edx+1], 8
		jnz	loc_4DFFE3
		movzx	ecx, byte ptr [edx+9]
		movzx	esi, word ptr [edx+2]
		mov	eax, ecx
		shl	eax, 2
		add	edx, 10h
		sub	esi, eax
		lea	eax, [ebp+var_10C]
		push	eax		; void *
		sub	esi, 10h
		lea	eax, [ebp+var_108]
		lea	ecx, [edx+ecx*4]
		mov	[ebp+var_120], esi
		push	eax		; int
		mov	edx, esi
		call	_AuthzBasepConvertRelativeToAbsoluteTokenAttribute@16 ;	AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_5CBC8D
		mov	ecx, [ebp+var_10C]
		push	74416553h
		call	_AuthzBasepMemAlloc@12 ; AuthzBasepMemAlloc(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5CBD14
		mov	eax, [ebp+var_114]
		lea	edx, [ebp+var_10C]
		push	edx		; void *
		mov	edx, [ebp+var_120]
		push	edi		; int
		movzx	ecx, byte ptr [eax+9]
		add	eax, 10h
		lea	ecx, [eax+ecx*4]
		call	_AuthzBasepConvertRelativeToAbsoluteTokenAttribute@16 ;	AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)
		mov	esi, eax

loc_5CBC8D:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+EBD2Ej
		test	esi, esi
		js	loc_4E0004
		lea	eax, [ebp+var_118]
		mov	[ebp+var_12C], edi
		push	eax		; int
		xor	ecx, ecx
		mov	edx, edi
		inc	ecx
		push	0		; size_t
		push	0		; size_t
		mov	word ptr [ebp+var_134],	cx
		mov	[ebp+var_130], ecx
		push	ecx		; int
		mov	ecx, ebx
		call	AuthzBasepQuerySecurityAttributesToken
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_5CBCD2
		cmp	esi, 0C0000225h
		jnz	short loc_5CBCD4

loc_5CBCD2:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+EBDAAj
		xor	esi, esi

loc_5CBCD4:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+EBDB2j
		test	esi, esi
		js	loc_4E0004
		cmp	[ebp+var_118], 0Ch
		ja	short loc_5CBCFB
		lea	eax, [ebp+var_134]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_124]
		call	AuthzBasepSetSecurityAttributesToken
		mov	esi, eax

loc_5CBCFB:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+EBDC5j
		test	esi, esi
		js	loc_4E0004
		mov	edx, [ebp+var_114]
		mov	ecx, [ebp+var_110]
		jmp	loc_4DFFE3
; 

loc_5CBD14:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+EBD44j
		mov	esi, 0C0000017h
		jmp	loc_4E0004
; 

loc_5CBD1E:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+F2j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4E0016
; 

loc_5CBD2B:				; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+FAj
		mov	ecx, ebx
		call	AuthzBasepFreeSecurityAttributesList
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4E0026
; END OF FUNCTION CHUNK	FOR AuthzBasepInitializeResourceClaimsFromSacl
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepAddAccessTypeList

loc_5CBD3F:				; CODE XREF: AuthzBasepAddAccessTypeList+64j
		sub	eax, 1
		jz	short loc_5CBD7A
		sub	eax, 1
		jnz	loc_4E0092
		mov	esi, [ebp+arg_0]
		mov	edi, [ebp+arg_8]
		imul	ebx, esi, 2Ch
		add	ebx, ecx
		mov	eax, [ebx+1Ch]
		mov	ecx, eax
		and	ecx, edi
		mov	[ebx+1Ch], ecx
		cmp	eax, ecx
		jz	loc_4E00CA
		push	dword ptr [ebx+28h]
		push	[ebp+arg_4]
		call	_AuthzBasepSetAppContainerAccessReasons@16 ; AuthzBasepSetAppContainerAccessReasons(x,x,x,x)
		jmp	loc_4E0083
; 

loc_5CBD7A:				; CODE XREF: AuthzBasepAddAccessTypeList+EBD0Aj
		mov	esi, [ebp+arg_0]
		mov	edi, [ebp+arg_8]
		imul	ebx, esi, 2Ch
		add	ebx, ecx
		mov	edx, [ebx+1Ch]
		mov	ecx, [ebx+20h]
		not	edx
		mov	eax, edx
		and	eax, edi
		or	eax, ecx
		mov	[ebx+20h], eax
		cmp	ecx, eax
		jz	loc_4E00CA
		not	ecx
		and	ecx, edx
		mov	edx, 20000h
		push	0
		jmp	loc_4E0076
; 

loc_5CBDAE:				; CODE XREF: AuthzBasepAddAccessTypeList+54j
		test	al, al
		jnz	short loc_5CBDC6
		push	[ebp+arg_C]
		mov	edx, ecx
		mov	ecx, [ebp+var_C]
		push	[ebp+arg_4]
		push	esi
		call	_AuthzBasepUpdateParentTypeList@20 ; AuthzBasepUpdateParentTypeList(x,x,x,x,x)
		mov	ecx, [ebp+var_8]

loc_5CBDC6:				; CODE XREF: AuthzBasepAddAccessTypeList+EBD78j
		lea	eax, [esi+1]
		mov	[ebp+arg_0], eax
		cmp	eax, ecx
		jnb	loc_4E0092
		mov	esi, [ebp+var_C]
		imul	eax, 2Ch
		add	esi, 1Ch
		add	esi, eax

loc_5CBDDF:				; CODE XREF: AuthzBasepAddAccessTypeList+EBE49j
		mov	ax, [esi-1Ch]
		cmp	ax, [ebx]
		jbe	loc_4E0092
		mov	eax, [ebp+arg_C]
		sub	eax, 0
		jz	short loc_5CBE50
		sub	eax, 1
		jz	short loc_5CBE3B
		sub	eax, 1
		jz	short loc_5CBE1C
		sub	eax, 1
		jnz	loc_4E0092
		mov	ecx, [esi]
		and	ecx, edi
		mov	[esi], ecx
		jz	short loc_5CBE74
		push	dword ptr [esi+0Ch]
		push	[ebp+arg_4]
		call	_AuthzBasepSetAppContainerAccessReasons@16 ; AuthzBasepSetAppContainerAccessReasons(x,x,x,x)
		jmp	short loc_5CBE74
; 

loc_5CBE1C:				; CODE XREF: AuthzBasepAddAccessTypeList+EBDC4j
		mov	eax, [esi+4]
		mov	ecx, eax
		mov	edx, [esi]
		not	ecx
		not	edx
		and	ecx, edx
		and	edx, edi
		or	edx, eax
		mov	[esi+4], edx
		and	ecx, edi
		jz	short loc_5CBE74
		mov	edx, 20000h
		jmp	short loc_5CBE67
; 

loc_5CBE3B:				; CODE XREF: AuthzBasepAddAccessTypeList+EBDBFj
		mov	eax, [esi]
		mov	ecx, eax
		mov	edx, [esi+4]
		not	ecx
		not	edx
		and	ecx, edx
		and	edx, edi
		or	edx, eax
		mov	[esi], edx
		jmp	short loc_5CBE5E
; 

loc_5CBE50:				; CODE XREF: AuthzBasepAddAccessTypeList+EBDBAj
		mov	edx, [esi-4]
		mov	eax, edi
		not	eax
		mov	ecx, edx
		and	eax, edx
		mov	[esi-4], eax

loc_5CBE5E:				; CODE XREF: AuthzBasepAddAccessTypeList+EBE16j
		and	ecx, edi
		jz	short loc_5CBE74
		mov	edx, 10000h

loc_5CBE67:				; CODE XREF: AuthzBasepAddAccessTypeList+EBE01j
		push	0
		push	dword ptr [esi+0Ch]
		push	[ebp+arg_4]
		call	AuthzBasepSetAccessReasons

loc_5CBE74:				; CODE XREF: AuthzBasepAddAccessTypeList+EBDD5j
					; AuthzBasepAddAccessTypeList+EBDE2j ...
		mov	eax, [ebp+arg_0]
		add	esi, 2Ch
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, [ebp+var_8]
		jb	loc_5CBDDF
		jmp	loc_4E0092
; END OF FUNCTION CHUNK	FOR AuthzBasepAddAccessTypeList
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepSetAccessReasons

loc_5CBE8C:				; CODE XREF: AuthzBasepSetAccessReasons+1Bj
					; AuthzBasepSetAccessReasons+EBDDBj
		test	edi, edi
		jz	short loc_5CBEAB
		test	edi, ecx
		jz	short loc_5CBEA4
		test	bl, bl
		jnz	short loc_5CBE9D
		cmp	dword ptr [esi], 0
		jnz	short loc_5CBEA4

loc_5CBE9D:				; CODE XREF: AuthzBasepSetAccessReasons+EBDC8j
		mov	eax, edx
		or	eax, [ebp+arg_0]
		mov	[esi], eax

loc_5CBEA4:				; CODE XREF: AuthzBasepSetAccessReasons+EBDC4j
					; AuthzBasepSetAccessReasons+EBDCDj
		add	esi, 4
		add	edi, edi
		jmp	short loc_5CBE8C
; 

loc_5CBEAB:				; CODE XREF: AuthzBasepSetAccessReasons+EBDC0j
		pop	ebx
		jmp	loc_4E00DF
; END OF FUNCTION CHUNK	FOR AuthzBasepSetAccessReasons
; 
; START	OF FUNCTION CHUNK FOR SepIsCapabilitySid

loc_5CBEB1:				; CODE XREF: SepIsCapabilitySid+2Aj
		mov	eax, [esi+8]
		cmp	eax, [edi+8]
		jnz	loc_4E011E
		mov	al, 1
		jmp	loc_4E0120
; END OF FUNCTION CHUNK	FOR SepIsCapabilitySid
; 
; START	OF FUNCTION CHUNK FOR EtwTraceContextSwap

loc_5CBEC4:				; CODE XREF: EtwTraceContextSwap+BBj
					; EtwTraceContextSwap+EBD69j
		mov	ecx, edi
		call	_PsIsServerSilo@4 ; PsIsServerSilo(x)
		test	al, al
		jnz	loc_4E01A1
		mov	edi, [edi+244h]
		jmp	short loc_5CBEC4
; 

loc_5CBEDB:				; CODE XREF: EtwTraceContextSwap+B1j
					; EtwTraceContextSwap+EBD80j
		mov	ecx, esi
		call	_PsIsServerSilo@4 ; PsIsServerSilo(x)
		test	al, al
		jnz	loc_4E01B8
		mov	esi, [esi+244h]
		jmp	short loc_5CBEDB
; 

loc_5CBEF2:				; CODE XREF: EtwTraceContextSwap+4Aj
		mov	eax, [edi+2F8h]
		jmp	loc_4E01C5
; 

loc_5CBEFD:				; CODE XREF: EtwTraceContextSwap+9Aj
		mov	ecx, [esp+18h+var_8]
		test	ecx, ecx
		jz	short loc_5CBF0B
		mov	edx, [esp+18h+var_C]
		jmp	short loc_5CBF39
; 

loc_5CBF0B:				; CODE XREF: EtwTraceContextSwap+DBj
					; EtwTraceContextSwap+EBD93j
		test	edi, edi
		jz	loc_4E0210
		test	ecx, ecx
		jz	loc_4E0210
		mov	edx, [esp+18h+var_C]
		push	0
		call	EtwpLogContextSwapEvent
		jmp	loc_4E0210
; 

loc_5CBF2B:				; CODE XREF: EtwTraceContextSwap+A2j
		mov	ecx, [esp+18h+var_4]
		test	ecx, ecx
		jz	loc_4E0218
		xor	edx, edx

loc_5CBF39:				; CODE XREF: EtwTraceContextSwap+EBD99j
		push	ebx
		call	EtwpLogContextSwapEvent
		jmp	loc_4E0218
; END OF FUNCTION CHUNK	FOR EtwTraceContextSwap
; 
; START	OF FUNCTION CHUNK FOR EtwpLogContextSwapEvent

loc_5CBF44:				; CODE XREF: EtwpLogContextSwapEvent+6Dj
		mov	ecx, 1
		jmp	loc_4E02CF
; 

loc_5CBF4E:				; CODE XREF: EtwpLogContextSwapEvent+BAj
		sub	eax, 0
		jz	short loc_5CBF8B
		sub	eax, 2
		jz	short loc_5CBF68
		sub	eax, 1
		jnz	loc_5CC24E
		rdtsc
		jmp	loc_4E0315
; 

loc_5CBF68:				; CODE XREF: EtwpLogContextSwapEvent+EBD06j
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_2C], 0
		push	eax
		mov	[ebp+var_28], 0
		call	ds:off_6B1438	; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		mov	eax, [ebp+var_2C]
		mov	edx, [ebp+var_28]
		jmp	loc_4E0315
; 

loc_5CBF8B:				; CODE XREF: EtwpLogContextSwapEvent+EBD01j
		call	RtlGetSystemTimePrecise
		jmp	loc_4E0315
; 

loc_5CBF95:				; CODE XREF: EtwpLogContextSwapEvent+96j
		mov	eax, [ecx+258h]
		test	eax, 0C00h
		jz	short loc_5CBFEC
		mov	edx, 524h
		test	eax, 400h
		jz	short loc_5CBFC6
		push	405A04h
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		push	18h
		call	_EtwpReserveWithPebsIndex@24 ; EtwpReserveWithPebsIndex(x,x,x,x,x,x)
		mov	edx, eax
		jmp	short loc_5CC027
; 

loc_5CBFC6:				; CODE XREF: EtwpLogContextSwapEvent+EBD5Cj
		call	_PMC_MONITORING_ENABLED@8 ; PMC_MONITORING_ENABLED(x,x)
		test	al, al
		jz	short loc_5CBFEC
		push	405A04h
		lea	eax, [ebp+var_24]
		mov	edx, 524h
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		push	18h
		call	_EtwpReserveWithPmcCounters@24 ; EtwpReserveWithPmcCounters(x,x,x,x,x,x)
		mov	edx, eax
		jmp	short loc_5CC027
; 

loc_5CBFEC:				; CODE XREF: EtwpLogContextSwapEvent+EBD50j
					; EtwpLogContextSwapEvent+EBD7Dj
		push	405A04h
		lea	eax, [ebp+var_24]
		mov	edx, 28h
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		call	EtwpReserveTraceBuffer
		test	eax, eax
		jz	loc_4E036B
		mov	ecx, [ebp+var_24]
		lea	edx, [eax+10h]
		mov	[eax+8], ecx
		mov	ecx, [ebp+var_20]
		mov	[eax+0Ch], ecx
		mov	dword ptr [eax], 0C0100004h
		mov	dword ptr [eax+4], 5240028h

loc_5CC027:				; CODE XREF: EtwpLogContextSwapEvent+EBD74j
					; EtwpLogContextSwapEvent+EBD9Aj
		test	edx, edx
		jz	loc_4E036B
		xor	eax, eax
		mov	ecx, 6
		mov	edi, edx
		rep stosd
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jz	loc_5CC11E
		mov	eax, [ecx+2B0h]
		mov	[edx+4], eax
		mov	al, [ecx+87h]
		mov	[edx+9], al
		mov	al, [ecx+18Bh]
		mov	[edx+0Ch], al
		mov	al, [ecx+93h]
		xor	al, [edx+0Dh]
		and	al, 1
		mov	[ebp+var_34], 0
		xor	[edx+0Dh], al
		mov	al, [ecx+90h]
		mov	[edx+0Eh], al
		mov	al, [ecx+16Ch]
		mov	[edx+0Fh], al
		mov	al, [ecx+244h]
		add	al, al
		mov	[ebp+var_30], 0
		xor	al, [edx+0Dh]
		and	al, 0Eh
		xor	[edx+0Dh], al
		mov	edi, [ecx+34h]
		mov	eax, [ecx+30h]
		cmp	edi, [ecx+38h]
		jz	short loc_5CC0B6

loc_5CC0A9:				; CODE XREF: EtwpLogContextSwapEvent+EBE64j
		pause
		mov	edi, [ecx+34h]
		mov	eax, [ecx+30h]
		cmp	edi, [ecx+38h]
		jnz	short loc_5CC0A9

loc_5CC0B6:				; CODE XREF: EtwpLogContextSwapEvent+EBE57j
		mov	ecx, [ecx+18h]
		sub	ecx, eax
		mov	eax, [ebp+var_10]
		mov	eax, [eax+1Ch]
		sbb	eax, edi
		shrd	ecx, eax, 0Ah
		mov	eax, large fs:20h
		mov	[edx+14h], ecx
		mov	ecx, [ebp+var_10]
		cmp	ecx, [eax+0Ch]
		jnz	short loc_5CC0EA
		mov	eax, [eax+3D70h]
		test	eax, eax
		jz	short loc_5CC11E
		mov	al, [eax+14h]
		mov	[edx+0Ah], al
		jmp	short loc_5CC11E
; 

loc_5CC0EA:				; CODE XREF: EtwpLogContextSwapEvent+EBE86j
		mov	ecx, [ecx+50h]
		test	ecx, ecx
		jnz	short loc_5CC0F5
		xor	cl, cl
		jmp	short loc_5CC11B
; 

loc_5CC0F5:				; CODE XREF: EtwpLogContextSwapEvent+EBE9Fj
		mov	eax, [eax+3B34h]
		add	eax, ecx

loc_5CC0FD:				; CODE XREF: EtwpLogContextSwapEvent+EBEC4j
		mov	ecx, [eax+60h]
		cmp	ecx, 0FFh
		ja	short loc_5CC118
		test	cl, cl
		jnz	short loc_5CC11B
		mov	eax, [eax+0F4h]
		test	eax, eax
		jnz	short loc_5CC0FD
		jmp	short loc_5CC11B
; 

loc_5CC118:				; CODE XREF: EtwpLogContextSwapEvent+EBEB6j
		or	cl, 0FFh

loc_5CC11B:				; CODE XREF: EtwpLogContextSwapEvent+EBEA3j
					; EtwpLogContextSwapEvent+EBEBAj ...
		mov	[edx+0Ah], cl

loc_5CC11E:				; CODE XREF: EtwpLogContextSwapEvent+EBDEFj
					; EtwpLogContextSwapEvent+EBE90j ...
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_5CC15E
		mov	eax, [ecx+2B0h]
		mov	[edx], eax
		mov	al, [ecx+87h]
		mov	[edx+8], al
		mov	al, [ecx+15Ch]
		mov	[edx+0Bh], al
		mov	al, [ecx+244h]
		shl	al, 4
		xor	al, [edx+0Dh]
		and	al, 70h
		xor	[edx+0Dh], al
		mov	eax, ds:_KeTickCount
		sub	eax, [ecx+138h]
		mov	[edx+10h], eax

loc_5CC15E:				; CODE XREF: EtwpLogContextSwapEvent+EBED3j
		lea	ecx, [ebp+var_40]
		call	_EtwpReleaseTraceBuffer@4 ; EtwpReleaseTraceBuffer(x)
		mov	edi, [ebp+var_8]
		jmp	loc_4E0337
; 

loc_5CC16E:				; CODE XREF: EtwpLogContextSwapEvent+F6j
		mov	eax, [edi+2B4h]
		test	byte ptr [eax+0A4h], 10h
		jz	loc_4E034C
		push	405A04h
		push	edx
		lea	edx, [ebp+var_24]
		mov	ecx, edi
		call	_EtwpStackTraceDispatcher@16 ; EtwpStackTraceDispatcher(x,x,x,x)
		mov	ecx, [edi+258h]
		jmp	loc_4E034C
; 

loc_5CC19C:				; CODE XREF: EtwpLogContextSwapEvent+102j
		mov	eax, [edi+2C0h]
		xor	ecx, ecx
		cmp	[eax+8], ecx
		jbe	loc_4E0358
		mov	eax, 0Ch

loc_5CC1B2:				; CODE XREF: EtwpLogContextSwapEvent+EBF89j
		mov	edx, [edi+2C0h]
		mov	edi, 524h
		mov	[ebp+var_18], edx
		cmp	[eax+edx], di
		mov	edi, [ebp+var_8]
		mov	edx, [ebp+arg_0]
		jz	short loc_5CC1E0
		mov	edi, [ebp+var_18]
		inc	ecx
		add	eax, 2
		cmp	ecx, [edi+8]
		mov	edi, [ebp+var_8]
		jb	short loc_5CC1B2
		jmp	loc_4E0358
; 

loc_5CC1E0:				; CODE XREF: EtwpLogContextSwapEvent+EBF7Aj
		push	405A04h
		push	edx
		lea	edx, [ebp+var_24]
		mov	ecx, edi
		call	_EtwpTraceLastBranchRecord@16 ;	EtwpTraceLastBranchRecord(x,x,x,x)
		jmp	loc_4E0358
; 

loc_5CC1F5:				; CODE XREF: EtwpLogContextSwapEvent+112j
		mov	eax, [edi+2C4h]
		xor	ecx, ecx
		cmp	[eax+14h], ecx
		jbe	loc_4E0368
		mov	eax, 18h

loc_5CC20B:				; CODE XREF: EtwpLogContextSwapEvent+EBFE2j
		mov	edx, [edi+2C4h]
		mov	edi, 524h
		mov	[ebp+var_18], edx
		cmp	[eax+edx], di
		mov	edi, [ebp+var_8]
		mov	edx, [ebp+arg_0]
		jz	short loc_5CC239
		mov	edi, [ebp+var_18]
		inc	ecx
		add	eax, 2
		cmp	ecx, [edi+14h]
		mov	edi, [ebp+var_8]
		jb	short loc_5CC20B
		jmp	loc_4E0368
; 

loc_5CC239:				; CODE XREF: EtwpLogContextSwapEvent+EBFD3j
		push	405A04h
		push	edx
		lea	edx, [ebp+var_24]
		mov	ecx, edi
		call	_EtwpTraceProcessorTrace@16 ; EtwpTraceProcessorTrace(x,x,x,x)
		jmp	loc_4E0368
; 

loc_5CC24E:				; CODE XREF: EtwpLogContextSwapEvent+EBD0Bj
		mov	ecx, 3Dh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5CC255:				; CODE XREF: EtwpCCSwapTrace+229j
		mov	eax, 1FFFFh
		jmp	loc_4E05AF
; END OF FUNCTION CHUNK	FOR EtwpLogContextSwapEvent
; 
; START	OF FUNCTION CHUNK FOR MiStoreEvictPageFile

loc_5CC25F:				; CODE XREF: MiStoreEvictPageFile:loc_4E08DBj
		or	ebx, 0FFFFFFFFh
		jmp	loc_4E08E1
; 

loc_5CC267:				; CODE XREF: MiStoreEvictPageFile+1B6j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4E09CC
; END OF FUNCTION CHUNK	FOR MiStoreEvictPageFile
; 
; START	OF FUNCTION CHUNK FOR IoWithinStackLimits

loc_5CC274:				; CODE XREF: IoWithinStackLimits+23j
		mov	ecx, large fs:20h
		cmp	eax, [ecx+0Ch]
		jz	loc_4E0B89
		mov	eax, large fs:2330h
		cmp	edi, eax
		ja	loc_4E0BA5
		sub	eax, ds:_KeKernelStackSize
		cmp	edx, eax
		jb	loc_4E0BA5
		jmp	loc_4E0BB4
; END OF FUNCTION CHUNK	FOR IoWithinStackLimits
; 
; START	OF FUNCTION CHUNK FOR RtlpxLookupFunctionTable

loc_5CC2A5:				; CODE XREF: RtlpxLookupFunctionTable+37j
		or	dl, 0FFh
		mov	ecx, offset _PsLoadedModuleSpinLock
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	loc_4E0C2B
; 

loc_5CC2B7:				; CODE XREF: RtlpxLookupFunctionTable+99j
		mov	edx, [ebp+4]
		mov	ecx, offset _PsLoadedModuleSpinLock
		call	@ExpReleaseSpinLockSharedFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockSharedFromDpcLevelInstrumented(x,x)
		jmp	loc_4E0C7F
; END OF FUNCTION CHUNK	FOR RtlpxLookupFunctionTable
; 
; START	OF FUNCTION CHUNK FOR ExpWaitForSpinLockSharedAndAcquire

loc_5CC2C9:				; CODE XREF: ExpWaitForSpinLockSharedAndAcquire+32j
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_4E0CF8
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_4E0CFA
; END OF FUNCTION CHUNK	FOR ExpWaitForSpinLockSharedAndAcquire
; 
; START	OF FUNCTION CHUNK FOR ExIsResourceAcquiredExclusiveLite

loc_5CC2E1:				; CODE XREF: ExIsResourceAcquiredExclusiveLite+12j
		test	cl, 40h
		jnz	loc_4E0DA8
		push	0
		push	0
		push	esi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CC2FB:				; CODE XREF: ExIsResourceAcquiredExclusiveLite+4Bj
		push	0
		push	2
		movzx	eax, al
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5CC310:				; CODE XREF: RtlCreateAtomTableEx+83j
		mov	edi, 0C0000017h
		call	_RtlpFreeAtom@4	; RtlpFreeAtom(x)
		jmp	loc_4E0E94
; END OF FUNCTION CHUNK	FOR ExIsResourceAcquiredExclusiveLite
; 
; START	OF FUNCTION CHUNK FOR RtlpAllocateAtomTableEntry

loc_5CC31F:				; CODE XREF: RtlpAllocateAtomTableEntry+85j
		mov	ecx, esi
		call	_RtlpFreeAtom@4	; RtlpFreeAtom(x)
		jmp	loc_4E0F55
; END OF FUNCTION CHUNK	FOR RtlpAllocateAtomTableEntry
; 
; START	OF FUNCTION CHUNK FOR FsRtlLookupPerFileObjectContext

loc_5CC32B:				; CODE XREF: FsRtlLookupPerFileObjectContext+4Dj
		mov	ecx, [edx]
		cmp	ecx, edx
		jz	loc_4E10C7
		mov	ebx, [ebp+arg_4]

loc_5CC338:				; CODE XREF: FsRtlLookupPerFileObjectContext+EB2EDj
		cmp	[ecx+8], ebx
		jnz	short loc_5CC349
		cmp	[ecx+0Ch], eax
		jnz	short loc_5CC349
		mov	edi, ecx
		jmp	loc_4E10C7
; 

loc_5CC349:				; CODE XREF: FsRtlLookupPerFileObjectContext+EB2DBj
					; FsRtlLookupPerFileObjectContext+EB2E0j
		mov	ecx, [ecx]
		cmp	ecx, edx
		jnz	short loc_5CC338
		jmp	loc_4E10C7
; 

loc_5CC354:				; CODE XREF: FsRtlLookupPerFileObjectContext+92j
		cmp	word ptr [eax+13Eh], 0
		jnz	loc_4E10E1
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_4E10E1
; END OF FUNCTION CHUNK	FOR FsRtlLookupPerFileObjectContext
; 
; START	OF FUNCTION CHUNK FOR RtlFindClearRuns

loc_5CC36C:				; CODE XREF: RtlFindClearRuns+177j
		mov	edi, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		cmp	edi, [ebp+arg_8]
		jb	loc_4E11D8
		mov	eax, edi
		jmp	loc_4E11B8
; 

loc_5CC382:				; CODE XREF: RtlFindClearRuns+252j
		mov	ecx, [ebp+arg_0]
		cmp	ecx, [ebp+arg_8]
		jnb	loc_4E11B6
		jmp	loc_4E1368
; END OF FUNCTION CHUNK	FOR RtlFindClearRuns
; 
; START	OF FUNCTION CHUNK FOR FsRtlGetIoAtEof

loc_5CC393:				; CODE XREF: FsRtlGetIoAtEof+14j
		inc	word ptr [eax+16h]
		mov	eax, [ebp+arg_1C]
		mov	byte ptr [eax],	1
		xor	eax, eax
		jmp	loc_4E13F8
; END OF FUNCTION CHUNK	FOR FsRtlGetIoAtEof
; 
; START	OF FUNCTION CHUNK FOR FsRtlAcquireEofLock

loc_5CC3A4:				; CODE XREF: FsRtlAcquireEofLock+33j
		xor	esi, esi
		jmp	loc_4E1530
; 

loc_5CC3AB:				; CODE XREF: FsRtlAcquireEofLock+6Bj
		cmp	byte ptr [esi+222h], 0
		lea	ecx, [esi+222h]
		jz	short loc_5CC3CB
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al
		jmp	loc_4E14A1
; 

loc_5CC3CB:				; CODE XREF: FsRtlAcquireEofLock+EAF88j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	[ebp+var_8], 0
		jz	short loc_5CC3E7
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)

loc_5CC3E7:				; CODE XREF: FsRtlAcquireEofLock+92j
					; FsRtlAcquireEofLock+EAFACj
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_4E1502
; 

loc_5CC3F4:				; CODE XREF: FsRtlAcquireEofLock+AEj
					; FsRtlAcquireEofLock+BFj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_4E14F8
; 

loc_5CC404:				; CODE XREF: FsRtlAcquireEofLock+14Aj
		inc	word ptr [ecx+16h]
		jmp	loc_4E158A
; END OF FUNCTION CHUNK	FOR FsRtlAcquireEofLock
; 
; START	OF FUNCTION CHUNK FOR FsRtlpWaitForIoAtEof

loc_5CC40D:				; CODE XREF: FsRtlpWaitForIoAtEof+85j
		xor	edi, edi
		inc	edi
		jmp	loc_4E16B2
; 

loc_5CC415:				; CODE XREF: FsRtlpWaitForIoAtEof+A9j
		xor	eax, eax
		inc	eax
		jmp	loc_4E16D6
; 

loc_5CC41D:				; CODE XREF: FsRtlpWaitForIoAtEof+1AFj
		mov	ecx, [esp+50h+var_3C]
		push	edx
		push	edx
		xor	dl, dl
		call	PsBoostThreadIoEx
		mov	byte ptr [esi+14h], 1
		jmp	loc_4E17A2
; END OF FUNCTION CHUNK	FOR FsRtlpWaitForIoAtEof
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize

loc_5CC433:				; CODE XREF: AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+1Bj
		mov	ecx, 0C0000095h
		jmp	loc_4E1967
; 

loc_5CC43D:				; CODE XREF: AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+73j
		cmp	eax, 4
		jz	short loc_5CC484
		cmp	eax, 5
		jz	short loc_5CC459
		cmp	eax, 6
		jz	loc_4E195E
		cmp	edx, 10h
		jnz	loc_4E199A

loc_5CC459:				; CODE XREF: AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+EAB47j
		lea	edi, [esi+2Ch]
		mov	esi, [edi]
		jmp	short loc_5CC47B
; 

loc_5CC460:				; CODE XREF: AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+EAB7Fj
		mov	edx, [esi+1Ch]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_4E1967
		mov	esi, [esi]

loc_5CC47B:				; CODE XREF: AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+EAB60j
		cmp	esi, edi
		jnz	short loc_5CC460
		jmp	loc_4E195E
; 

loc_5CC484:				; CODE XREF: AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+EAB42j
		lea	edi, [esi+2Ch]
		mov	esi, [edi]
		jmp	short loc_5CC4A7
; 

loc_5CC48B:				; CODE XREF: AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+EABABj
		movzx	edx, word ptr [esi+20h]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_4E1967
		mov	esi, [esi]

loc_5CC4A7:				; CODE XREF: AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize+EAB8Bj
		cmp	esi, edi
		jnz	short loc_5CC48B
		jmp	loc_4E195E
; END OF FUNCTION CHUNK	FOR AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize
; 
; START	OF FUNCTION CHUNK FOR IoGetActivityIdIrp

loc_5CC4B0:				; CODE XREF: IoGetActivityIdIrp+1Aj
		mov	edx, [edx+68h]
		mov	ecx, [ebp+arg_4]
		mov	eax, [edx+10h]
		mov	[ecx], eax
		mov	eax, [edx+14h]
		mov	[ecx+4], eax
		mov	eax, [edx+18h]
		mov	[ecx+8], eax
		mov	eax, [edx+1Ch]
		mov	[ecx+0Ch], eax
		xor	eax, eax
		jmp	loc_4E1BD5
; END OF FUNCTION CHUNK	FOR IoGetActivityIdIrp
; 
; START	OF FUNCTION CHUNK FOR CcRemapBcb

loc_5CC4D4:				; CODE XREF: CcRemapBcb+4Ej
		push	0
		push	0
		push	0C0000420h
		push	9FFh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CC4E9:				; CODE XREF: CcRemapBcb+38j
		push	0
		push	0
		push	0C0000420h
		push	203Dh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CC4FE:				; CODE XREF: CcRemapBcb+2Aj
		push	0
		push	0
		push	0C0000420h
		push	203Ch
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5CC514:				; CODE XREF: ExReleaseAutoExpandPushLockShared+38j
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_5CC52B
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_5CC52B:				; CODE XREF: CcRemapBcb+EA942j
		mov	esi, [esi+4]
		jmp	loc_4E1CD7
; END OF FUNCTION CHUNK	FOR CcRemapBcb
; 
; START	OF FUNCTION CHUNK FOR ExReleaseAutoExpandPushLockShared

loc_5CC533:				; CODE XREF: ExReleaseAutoExpandPushLockShared+A7j
		mov	eax, edi
		and	eax, 0F0000h
		cmp	eax, 0F0000h
		jnb	loc_4E1D0D
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_4E1D0D
		mov	ecx, esi
		call	@ExpTryExpandAutoExpandPushLock@4 ; ExpTryExpandAutoExpandPushLock(x)
		jmp	loc_4E1CB2
; END OF FUNCTION CHUNK	FOR ExReleaseAutoExpandPushLockShared
; 
; START	OF FUNCTION CHUNK FOR ExfReleasePushLockSharedEx

loc_5CC55F:				; CODE XREF: ExfReleasePushLockSharedEx+24j
					; ExfReleasePushLockSharedEx+6Aj
		test	cl, 8
		jz	short loc_5CC58B
		mov	eax, ecx
		and	eax, 0FFFFFFF0h
		jmp	short loc_5CC56E
; 

loc_5CC56B:				; CODE XREF: ExfReleasePushLockSharedEx+EA7EDj
		mov	eax, [eax+10h]

loc_5CC56E:				; CODE XREF: ExfReleasePushLockSharedEx+EA7E3j
		mov	edx, [eax+14h]
		test	edx, edx
		jz	short loc_5CC56B
		or	eax, 0FFFFFFFFh
		lock xadd [edx+1Ch], eax
		dec	eax
		test	eax, eax
		jg	loc_4E1DCF
		push	0FFFFFFF7h
		pop	ebx
		jmp	short loc_5CC58E
; 

loc_5CC58B:				; CODE XREF: ExfReleasePushLockSharedEx+EA7DCj
		or	ebx, 0FFFFFFFFh

loc_5CC58E:				; CODE XREF: ExfReleasePushLockSharedEx+EA803j
					; ExfReleasePushLockSharedEx+EA831j
		mov	edi, ecx
		lea	eax, [ebx+4]
		and	edi, 6
		mov	[ebp+var_8], edi
		cmp	edi, 2
		jz	short loc_5CC5A0
		mov	eax, ebx

loc_5CC5A0:				; CODE XREF: ExfReleasePushLockSharedEx+EA816j
		mov	edi, [ebp+var_4]
		lea	edx, [eax+ecx]
		mov	esi, edx
		mov	eax, ecx
		lock cmpxchg [edi], esi
		mov	edi, [ebp+var_8]
		cmp	eax, ecx
		jz	short loc_5CC5B9
		mov	ecx, eax
		jmp	short loc_5CC58E
; 

loc_5CC5B9:				; CODE XREF: ExfReleasePushLockSharedEx+EA82Dj
		cmp	edi, 2
		jnz	loc_4E1DCF
		mov	ecx, [ebp+var_4]
		push	edx
		call	@ExpWakePushLock@8 ; ExpWakePushLock(x,x)
		jmp	loc_4E1DCF
; END OF FUNCTION CHUNK	FOR ExfReleasePushLockSharedEx
; 
; START	OF FUNCTION CHUNK FOR FsRtlPrivateFastUnlockAll

loc_5CC5D0:				; CODE XREF: FsRtlPrivateFastUnlockAll+17Fj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4E2044
; 

loc_5CC5DF:				; CODE XREF: FsRtlPrivateFastUnlockAll+64j
		mov	ebx, eax
		jmp	loc_4E1F19
; 

loc_5CC5E6:				; CODE XREF: FsRtlPrivateFastUnlockAll+1AEj
		mov	esi, [ebp+arg_4]
		cmp	[edi+1Ch], esi
		mov	esi, [esp+48h+var_24]
		jnz	loc_4E1F70
		jmp	loc_4E206E
; 

loc_5CC5FB:				; CODE XREF: FsRtlPrivateFastUnlockAll+1EFj
		xor	eax, eax
		inc	eax
		mov	[esp+48h+var_35], al
		jmp	loc_4E1FA6
; 

loc_5CC607:				; CODE XREF: FsRtlPrivateFastUnlockAll+FDj
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5CC61E
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5CC623
; 

loc_5CC61E:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA756j
		xor	eax, eax
		lock and [esi],	eax

loc_5CC623:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA762j
		mov	cl, [esp+48h+var_36]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, [esp+48h+var_18]
		lea	eax, [edi+8]
		push	eax
		mov	eax, [esp+4Ch+var_30]
		push	[ebp+arg_C]
		call	dword ptr [eax+0Ch]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	ecx, esi
		mov	[esp+50h+var_3E], bl
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, edi
		mov	byte ptr [esp+50h+var_34], bl
		mov	ecx, offset _FsRtlSharedLockLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		mov	ecx, [esi+4]
		xor	al, al
		mov	[esp+50h+var_3D], al
		test	ecx, ecx
		jz	loc_4E1FC1
		mov	eax, [ecx+4]
		test	eax, eax
		jz	loc_4E1FC1

loc_5CC67E:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA7CFj
		mov	esi, eax
		mov	[esp+50h+var_28], esi
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_5CC67E
		mov	esi, [esp+50h+var_2C]
		jmp	loc_4E1FBD
; 

loc_5CC694:				; CODE XREF: FsRtlPrivateFastUnlockAll+285j
		mov	eax, [ebp+arg_4]
		cmp	[edi+24h], eax
		jnz	loc_4E20FB
		jmp	loc_4E2145
; 

loc_5CC6A5:				; CODE XREF: FsRtlPrivateFastUnlockAll+29Cj
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5CC6BC
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5CC6C1
; 

loc_5CC6BC:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA7F4j
		xor	eax, eax
		lock and [esi],	eax

loc_5CC6C1:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA800j
		mov	cl, [esp+48h+var_36]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [edi+10h]
		push	eax
		mov	eax, [esp+4Ch+var_30]
		push	[ebp+arg_C]
		call	dword ptr [eax+0Ch]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	ecx, esi
		mov	[esp+50h+var_3E], bl
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	byte ptr [esp+50h+var_34], bl
		mov	ebx, [esi+8]
		test	ebx, ebx
		jz	loc_4E215C
		jmp	short loc_5CC6FF
; 

loc_5CC6FD:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA84Aj
		mov	ebx, eax

loc_5CC6FF:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA841j
		mov	eax, [ebx+4]
		test	eax, eax
		jnz	short loc_5CC6FD
		jmp	loc_4E215C
; 

loc_5CC70B:				; CODE XREF: FsRtlPrivateFastUnlockAll+127j
		mov	edi, [ebx+0Ch]
		mov	ecx, [esp+48h+var_1C]
		mov	eax, [edi+60h]
		mov	[esp+48h+var_18], eax
		cmp	ecx, [eax+18h]
		jnz	loc_5CC85C
		push	edi
		call	_IoGetRequestorProcess@4 ; IoGetRequestorProcess(x)
		cmp	[ebp+arg_0], eax
		jnz	loc_5CC85C
		cmp	[ebp+arg_8], 0
		jz	short loc_5CC747
		mov	eax, [esp+48h+var_18]
		mov	ecx, [ebp+arg_4]
		cmp	ecx, [eax+8]
		jnz	loc_5CC85C

loc_5CC747:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA87Bj
		push	7
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[edi+25h], al
		xor	ecx, ecx
		lea	eax, [edi+38h]
		xchg	ecx, [eax]
		cmp	byte ptr [edi+24h], 0
		mov	al, [edi+25h]
		mov	[esp+48h+var_35], al
		jz	short loc_5CC768
		xor	edi, edi

loc_5CC768:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA8AAj
		mov	eax, large fs:20h
		xor	ecx, ecx
		add	eax, 450h
		inc	ecx
		mov	[esp+48h+var_18], eax
		test	ds:byte_70EFC6,	cl
		jz	short loc_5CC78E
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5CC7BF
; 

loc_5CC78E:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA8C6j
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_5CC7B0
		mov	ecx, [eax+4]
		xor	edx, edx
		lock cmpxchg [ecx], edx
		mov	ecx, [esp+48h+var_18]
		cmp	eax, ecx
		jz	short loc_5CC7BF
		call	KxWaitForLockChainValid
		mov	ecx, eax
		mov	eax, [esp+48h+var_18]

loc_5CC7B0:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA8D8j
		mov	dword ptr [eax], 0
		lea	eax, [ecx+4]
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx

loc_5CC7BF:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA8D2j
					; FsRtlPrivateFastUnlockAll+EA8E9j
		mov	cl, [esp+48h+var_35]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	loc_5CC85C
		mov	ecx, [esp+48h+var_34]
		and	dword ptr [edi+1Ch], 0
		mov	eax, [ebx]
		mov	[ecx], eax
		cmp	ebx, [esi+10h]
		jnz	short loc_5CC7E5
		mov	[esi+10h], ecx

loc_5CC7E5:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA926j
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5CC7FC
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5CC801
; 

loc_5CC7FC:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA934j
		xor	eax, eax
		lock and [esi],	eax

loc_5CC801:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA940j
		mov	cl, [esp+48h+var_36]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebx+8]
		lea	eax, [esp+48h+var_14]
		push	0
		push	eax
		mov	eax, [esp+50h+var_30]
		push	0C000007Eh
		push	edi
		mov	ecx, [eax+8]
		call	FsRtlCompleteLockIrpReal
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[esp+48h+var_36], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	al, [esp+48h+var_36]
		lea	ecx, [esi+0Ch]
		mov	[esp+48h+var_34], ecx
		mov	edx, ebx
		mov	ecx, offset _FsRtlWaitingLockLookasideList
		mov	byte ptr [esp+48h+var_2C], al
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		mov	eax, [esp+48h+var_34]
		jmp	loc_4E1FDD
; 

loc_5CC85C:				; CODE XREF: FsRtlPrivateFastUnlockAll+EA862j
					; FsRtlPrivateFastUnlockAll+EA871j ...
		mov	eax, ebx
		jmp	loc_4E1FD9
; 

loc_5CC863:				; CODE XREF: FsRtlPrivateFastUnlockAll+14Ej
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4E2013
; END OF FUNCTION CHUNK	FOR FsRtlPrivateFastUnlockAll
; 
; START	OF FUNCTION CHUNK FOR FsRtlCompareNodeAndKey

loc_5CC872:				; CODE XREF: FsRtlCompareNodeAndKey+60j
		test	edi, edi
		jnz	short loc_5CC878
		mov	esi, ebx

loc_5CC878:				; CODE XREF: FsRtlCompareNodeAndKey+EA666j
		push	0
		push	[ebp+var_4]
		push	esi
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		jmp	loc_4E2257
; END OF FUNCTION CHUNK	FOR FsRtlCompareNodeAndKey
; 

loc_5CC888:				; CODE XREF: .text:004E22AEj
		push	ecx
		push	offset _TunnelLookasideList
		call	_ExFreeToPagedLookasideList@8 ;	ExFreeToPagedLookasideList(x,x)
		retn
; 
; START	OF FUNCTION CHUNK FOR RtlInsertElementGenericTableFull

loc_5CC894:				; CODE XREF: RtlInsertElementGenericTableFull+1Fj
					; RtlInsertElementGenericTableFull+2Ej
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_5CC89E
		mov	byte ptr [eax],	0

loc_5CC89E:				; CODE XREF: RtlInsertElementGenericTableFull+EA475j
		xor	eax, eax
		jmp	loc_4E24B1
; END OF FUNCTION CHUNK	FOR RtlInsertElementGenericTableFull
; 
; START	OF FUNCTION CHUNK FOR FsRtlPrivateInsertExclusiveLock

loc_5CC8A5:				; CODE XREF: FsRtlPrivateInsertExclusiveLock+37j
		cmp	[eax+8], ebx
		jz	loc_4E2527
		cmp	[eax+4], ebx
		jz	loc_4E252E
		push	eax
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		jmp	loc_4E252E
; END OF FUNCTION CHUNK	FOR FsRtlPrivateInsertExclusiveLock
; 
; START	OF FUNCTION CHUNK FOR FsRtlPrivateLock

loc_5CC8C2:				; CODE XREF: FsRtlPrivateLock+188j
		mov	[ebp+var_19], 0
		xor	esi, esi
		jmp	loc_4E2679
; 

loc_5CC8CD:				; CODE XREF: FsRtlPrivateLock+D9j
					; FsRtlPrivateLock+E5j
		mov	eax, [ebp+var_28]
		or	eax, [ebp+arg_0]
		jz	loc_4E262B
		mov	eax, [ebp+arg_20]
		mov	dword ptr [eax], 0C00001A1h
		jmp	loc_4E2675
; 

loc_5CC8E7:				; CODE XREF: FsRtlPrivateLock+16Ej
		cmp	[ebp+arg_24], 0
		jz	loc_5CC983
		mov	ecx, offset _FsRtlWaitingLockLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_5CC92B
		mov	ecx, [ebp+arg_24]
		mov	[edx+0Ch], ecx
		mov	eax, [ebp+arg_28]
		mov	[edx+8], eax
		mov	eax, [edi+8]
		mov	[edx+4], eax
		mov	eax, [ecx+60h]
		or	byte ptr [eax+3], 1
		mov	dword ptr [edx], 0
		cmp	dword ptr [esi+0Ch], 0
		jnz	short loc_5CC942
		mov	[esi+0Ch], edx
		jmp	short loc_5CC947
; 

loc_5CC92B:				; CODE XREF: FsRtlPrivateLock+EA3BFj
					; FsRtlPrivateLock+EA450j
		mov	dl, bh
		mov	ecx, esi
		call	KfReleaseSpinLock
		mov	[ebp+var_1A], 0
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5CC942:				; CODE XREF: FsRtlPrivateLock+EA3E4j
		mov	eax, [esi+10h]
		mov	[eax], edx

loc_5CC947:				; CODE XREF: FsRtlPrivateLock+EA3E9j
		mov	[esi+10h], edx
		mov	[ecx+1Ch], edi
		lea	edx, [ecx+38h]
		mov	eax, offset _FsRtlPrivateCancelFileLockIrp@8 ; FsRtlPrivateCancelFileLockIrp(x,x)
		xchg	eax, [edx]
		cmp	byte ptr [ecx+24h], 0
		jz	short loc_5CC975
		xor	eax, eax
		xchg	eax, [edx]
		test	eax, eax
		jz	short loc_5CC975
		mov	[ecx+25h], bh
		push	ecx
		push	0
		call	_FsRtlPrivateCancelFileLockIrp@8 ; FsRtlPrivateCancelFileLockIrp(x,x)
		xor	bl, bl
		mov	[ebp+var_1A], bl

loc_5CC975:				; CODE XREF: FsRtlPrivateLock+EA41Bj
					; FsRtlPrivateLock+EA423j
		mov	eax, [ebp+arg_20]
		mov	dword ptr [eax], 103h
		jmp	loc_4E2675
; 

loc_5CC983:				; CODE XREF: FsRtlPrivateLock+EA3ABj
					; FsRtlPrivateLock+EA452j
		mov	[ebp+var_19], 0
		jmp	loc_4E2679
; 

loc_5CC98C:				; CODE XREF: FsRtlPrivateLock+126j
		cmp	[ebp+arg_24], 0
		jnz	short loc_5CC92B
		jmp	short loc_5CC983
; END OF FUNCTION CHUNK	FOR FsRtlPrivateLock

;  S U B	R O U T	I N E 


sub_5CC994	proc near		; DATA XREF: .text:006A29D8o
		mov	bl, [ebp-1Ah]
		mov	edi, [ebp-20h]
		mov	esi, [ebp-24h]
		jmp	sub_4E26DD
sub_5CC994	endp

; 
; START	OF FUNCTION CHUNK FOR sub_4E26DD

loc_5CC9A2:				; CODE XREF: sub_4E26DD+Bj
		mov	edx, [ebp+4]
		mov	ecx, [ebp-24h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	edi, [ebp-20h]
		jmp	loc_4E26F3
; 

loc_5CC9B5:				; CODE XREF: sub_4E26DD+6Bj
		cmp	dword ptr [esi], 0
		jl	loc_4E274E
		push	1
		lea	edx, [ebp-58h]
		mov	ecx, edi
		call	_FsRtlPrivateRemoveLock@12 ; FsRtlPrivateRemoveLock(x,x,x)
		jmp	loc_4E274E
; END OF FUNCTION CHUNK	FOR sub_4E26DD
; 
; START	OF FUNCTION CHUNK FOR FsRtlPrivateInsertLock

loc_5CC9CF:				; CODE XREF: FsRtlPrivateInsertLock+47j
		mov	edx, [ebp+var_8]
		mov	ecx, offset _FsRtlSharedLockLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)

loc_5CC9DC:				; CODE XREF: FsRtlPrivateInsertLock+28j
					; FsRtlPrivateInsertLock+83j
		xor	al, al
		jmp	loc_4E27CA
; END OF FUNCTION CHUNK	FOR FsRtlPrivateInsertLock
; 
; START	OF FUNCTION CHUNK FOR FsRtlPrivateInsertSharedLock

loc_5CC9E3:				; CODE XREF: FsRtlPrivateInsertSharedLock+48j
		xor	al, al
		jmp	loc_4E2891
; 

loc_5CC9EA:				; CODE XREF: FsRtlPrivateInsertSharedLock+7Bj
		mov	[eax+8], ecx
		jmp	loc_4E2880
; 

loc_5CC9F2:				; CODE XREF: FsRtlPrivateInsertSharedLock+EA282j
		lea	edi, [ebx-10h]
		mov	ecx, [edi]
		mov	eax, [ecx+0Ch]
		cmp	eax, [esi-4]
		ja	loc_4E28FF
		jb	short loc_5CCA11
		mov	eax, [ecx+8]
		cmp	eax, [esi-8]
		ja	loc_4E28FF

loc_5CCA11:				; CODE XREF: FsRtlPrivateInsertSharedLock+EA207j
		cmp	byte ptr [esi-0Ch], 0
		jnz	short loc_5CCA2C
		cmp	byte ptr [edi+4], 0
		jz	short loc_5CCA2C
		push	0
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	FsRtlSplitLocks
		mov	ecx, [edi]

loc_5CCA2C:				; CODE XREF: FsRtlPrivateInsertSharedLock+EA219j
					; FsRtlPrivateInsertSharedLock+EA21Fj
		mov	eax, [esi+0Ch]
		mov	[eax], ecx
		mov	eax, [edi+1Ch]
		mov	[esi+0Ch], eax
		mov	eax, [edi+0Ch]
		cmp	eax, [esi-4]
		jb	short loc_5CCA5F
		ja	short loc_5CCA49
		mov	eax, [edi+8]
		cmp	eax, [esi-8]
		jbe	short loc_5CCA5F

loc_5CCA49:				; CODE XREF: FsRtlPrivateInsertSharedLock+EA243j
		cmp	byte ptr [edi+4], 0
		jz	short loc_5CCA53
		mov	byte ptr [esi-0Ch], 1

loc_5CCA53:				; CODE XREF: FsRtlPrivateInsertSharedLock+EA251j
		mov	eax, [edi+8]
		mov	[esi-8], eax
		mov	eax, [edi+0Ch]
		mov	[esi-4], eax

loc_5CCA5F:				; CODE XREF: FsRtlPrivateInsertSharedLock+EA241j
					; FsRtlPrivateInsertSharedLock+EA24Bj
		push	[ebp+var_8]
		push	ebx
		call	_RtlDeleteNoSplay@8 ; RtlDeleteNoSplay(x,x)
		mov	edx, edi
		mov	ecx, offset _FsRtlLockTreeNodeLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)

loc_5CCA74:				; CODE XREF: FsRtlPrivateInsertSharedLock+125j
		push	esi
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_5CC9F2
		jmp	loc_4E28FF
; 

loc_5CCA89:				; CODE XREF: FsRtlPrivateInsertSharedLock+109j
		push	0
		push	0
		xor	edx, edx
		lea	ecx, [esi-10h]
		call	FsRtlSplitLocks
		jmp	loc_4E288F
; END OF FUNCTION CHUNK	FOR FsRtlPrivateInsertSharedLock
; 
; START	OF FUNCTION CHUNK FOR FsRtlFastUnlockSingle

loc_5CCA9C:				; CODE XREF: FsRtlFastUnlockSingle+11j
		mov	eax, 0C000007Eh
		jmp	loc_4E29AF
; END OF FUNCTION CHUNK	FOR FsRtlFastUnlockSingle
; 
; START	OF FUNCTION CHUNK FOR FsRtlFastUnlockSingleExclusive

loc_5CCAA6:				; CODE XREF: FsRtlFastUnlockSingleExclusive+A0j
					; FsRtlFastUnlockSingleExclusive+DEj ...
		mov	ecx, [ebp+var_8]

loc_5CCAA9:				; CODE XREF: FsRtlFastUnlockSingleExclusive+AFj
					; FsRtlFastUnlockSingleExclusive+BBj ...
		mov	eax, [edi+14h]
		cmp	eax, [ebp+var_C]
		ja	loc_4E2A0A
		jb	short loc_5CCAC0
		cmp	[edi+10h], ecx
		ja	loc_4E2A0A

loc_5CCAC0:				; CODE XREF: FsRtlFastUnlockSingleExclusive+EA0EFj
		push	edi
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		jmp	loc_4E2A5A
; 

loc_5CCACB:				; CODE XREF: FsRtlFastUnlockSingleExclusive+125j
		test	ds:byte_70EFC6,	1
		jz	short loc_5CCAE0
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5CCAE5
; 

loc_5CCAE0:				; CODE XREF: FsRtlFastUnlockSingleExclusive+EA10Cj
		xor	eax, eax
		lock and [esi],	eax

loc_5CCAE5:				; CODE XREF: FsRtlFastUnlockSingleExclusive+EA118j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [edi+10h]
		push	eax
		push	[ebp+arg_10]
		call	dword ptr [ebx+0Ch]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	byte ptr [ebp+arg_0+3],	al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	al, byte ptr [ebp+arg_0+3]
		mov	byte ptr [ebp+var_10], al
		jmp	loc_4E2AF1
; 

loc_5CCB13:				; CODE XREF: FsRtlFastUnlockSingleExclusive+141j
		push	[ebp+var_10]
		mov	edx, esi
		mov	ecx, ebx
		call	FsRtlPrivateCheckWaitingLocks
		jmp	loc_4E2B0D
; 

loc_5CCB24:				; CODE XREF: FsRtlFastUnlockSingleExclusive+14Ej
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4E2B1F
; 

loc_5CCB33:				; CODE XREF: FsRtlFastUnlockSingleExclusive+4Bj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4E2A1C
; END OF FUNCTION CHUNK	FOR FsRtlFastUnlockSingleExclusive
; 
; START	OF FUNCTION CHUNK FOR FsRtlFastUnlockSingleShared

loc_5CCB42:				; CODE XREF: FsRtlFastUnlockSingleShared+264j
		mov	edx, [ebp+4]
		lea	ecx, [edi+10h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4E2DA2
; 

loc_5CCB52:				; CODE XREF: FsRtlFastUnlockSingleShared+181j
		mov	ebx, [esp+40h+var_18]
		jmp	loc_4E2CC4
; 

loc_5CCB5B:				; CODE XREF: FsRtlFastUnlockSingleShared+1AAj
		push	[esp+40h+var_14]
		mov	edx, ebx
		mov	ecx, edi
		call	FsRtlPrivateCheckWaitingLocks
		jmp	loc_4E2CE0
; 

loc_5CCB6D:				; CODE XREF: FsRtlFastUnlockSingleShared+1B7j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4E2CF2
; 

loc_5CCB7C:				; CODE XREF: FsRtlFastUnlockSingleShared+AFj
					; FsRtlFastUnlockSingleShared+219j ...
		test	ds:byte_70EFC6,	1
		jz	loc_4E2D2A

loc_5CCB89:				; CODE XREF: FsRtlFastUnlockSingleShared+1F4j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4E2D2F
; END OF FUNCTION CHUNK	FOR FsRtlFastUnlockSingleShared
; 
; START	OF FUNCTION CHUNK FOR FsRtlFindFirstOverlappingSharedNode

loc_5CCB98:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+BAj
		mov	ecx, [ebp+var_8]
		or	ecx, [ebp+var_10]
		jz	loc_4E2E70
		jmp	loc_4E2EA0
; 

loc_5CCBA9:				; CODE XREF: FsRtlFindFirstOverlappingSharedNode+10Fj
		mov	ecx, [ebx+8]
		cmp	ecx, [ebp+var_8]
		jnz	loc_4E2EF5
		mov	ecx, [ebx+0Ch]
		cmp	ecx, [ebp+var_10]
		jz	loc_4E2EAF
		jmp	loc_4E2EF5
; END OF FUNCTION CHUNK	FOR FsRtlFindFirstOverlappingSharedNode
; 
; START	OF FUNCTION CHUNK FOR FsRtlPrivateCheckForSharedLockAccess

loc_5CCBC6:				; CODE XREF: FsRtlPrivateCheckForSharedLockAccess+39j
		mov	edx, [edi]
		mov	edi, [edi+4]
		mov	[ebp+var_8], edx

loc_5CCBCE:				; CODE XREF: FsRtlPrivateCheckForSharedLockAccess+E9D03j
		cmp	[ecx+14h], edi
		ja	loc_4E2F53
		jb	short loc_5CCBE2
		cmp	[ecx+10h], edx
		ja	loc_4E2F53

loc_5CCBE2:				; CODE XREF: FsRtlPrivateCheckForSharedLockAccess+E9CC3j
		mov	eax, [ecx+28h]
		cmp	eax, [esi+18h]
		jnz	short loc_5CCBFA
		mov	eax, [ecx+2Ch]
		cmp	eax, [esi+1Ch]
		jnz	short loc_5CCBFA
		mov	eax, [ecx+24h]
		cmp	eax, [esi+14h]
		jz	short loc_5CCC0A

loc_5CCBFA:				; CODE XREF: FsRtlPrivateCheckForSharedLockAccess+E9CD4j
					; FsRtlPrivateCheckForSharedLockAccess+E9CDCj
		mov	eax, [esi+8]
		or	eax, [esi+0Ch]
		jnz	short loc_5CCC1E
		mov	eax, [ecx+18h]
		or	eax, [ecx+1Ch]
		jnz	short loc_5CCC1E

loc_5CCC0A:				; CODE XREF: FsRtlPrivateCheckForSharedLockAccess+E9CE4j
		push	ecx
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		mov	edx, [ebp+var_8]
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_5CCBCE
		jmp	loc_4E2F53
; 

loc_5CCC1E:				; CODE XREF: FsRtlPrivateCheckForSharedLockAccess+E9CECj
					; FsRtlPrivateCheckForSharedLockAccess+E9CF4j
		xor	bl, bl
		jmp	loc_4E2F53
; END OF FUNCTION CHUNK	FOR FsRtlPrivateCheckForSharedLockAccess
; 
; START	OF FUNCTION CHUNK FOR FsRtlFindFirstOverlappingExclusiveNode

loc_5CCC25:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+87j
		mov	eax, edi
		or	eax, ebx
		jz	loc_4E3343
		jmp	loc_4E32E9
; 

loc_5CCC34:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+C8j
		cmp	[ecx+10h], edi
		jnz	loc_4E332A
		cmp	[ecx+14h], ebx
		jnz	loc_4E332A
		mov	[ebp+var_4], ecx
		test	esi, esi
		jz	short loc_5CCC4F
		mov	[esi], ecx

loc_5CCC4F:				; CODE XREF: FsRtlFindFirstOverlappingExclusiveNode+E99EFj
		test	edx, edx
		jz	loc_4E334D
		mov	byte ptr [edx],	0
		jmp	loc_4E334D
; END OF FUNCTION CHUNK	FOR FsRtlFindFirstOverlappingExclusiveNode

;  S U B	R O U T	I N E 


sub_5CCC5F	proc near		; CODE XREF: FsRtlPrivateCheckForExclusiveLockAccess+7Ej
		push	ebx
		mov	edx, esi
		call	_FsRtlFindFirstOverlapInNode@12	; FsRtlFindFirstOverlapInNode(x,x,x)
		mov	ecx, eax
		jmp	loc_4E33F8
sub_5CCC5F	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlPrivateCheckForExclusiveLockAccess

loc_5CCC6E:				; CODE XREF: FsRtlPrivateCheckForExclusiveLockAccess+90j
		mov	eax, [ecx+10h]
		or	eax, [ecx+14h]
		jnz	loc_4E3408
		jmp	loc_4E339D
; 

loc_5CCC7F:				; CODE XREF: FsRtlPrivateCheckForExclusiveLockAccess+A2j
		mov	ecx, [eax+18h]
		or	ecx, [eax+1Ch]
		jz	loc_4E33D9
		jmp	loc_4E3408
; END OF FUNCTION CHUNK	FOR FsRtlPrivateCheckForExclusiveLockAccess
; 
; START	OF FUNCTION CHUNK FOR SwapSplayLinks

loc_5CCC90:				; CODE XREF: SwapSplayLinks+11j
					; SwapSplayLinks+1Dj
		mov	eax, esi
		mov	ecx, edi
		mov	esi, edx
		mov	edx, eax
		mov	eax, [ebx]
		jmp	loc_4E3493
; 

loc_5CCC9F:				; CODE XREF: SwapSplayLinks+7Cj
		mov	[eax], edx
		leave
		retn
; END OF FUNCTION CHUNK	FOR SwapSplayLinks
; 
; START	OF FUNCTION CHUNK FOR FsRtlPrivateCheckWaitingLocks

loc_5CCCA3:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+26j
		xor	eax, eax
		lea	edi, [esp+50h+var_28]
		push	0Ah
		pop	ecx
		rep stosd
		mov	edi, [ebx+0Ch]
		push	edi
		mov	[esp+54h+var_2C], edi
		mov	eax, [edi+60h]
		mov	[esp+54h+var_38], eax
		mov	edx, [eax+0Ch]
		mov	esi, [eax+10h]
		mov	[esp+54h+var_28], edx
		mov	[esp+54h+var_24], esi
		mov	eax, [eax+4]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[esp+54h+var_20], ecx
		add	ecx, edx
		mov	[esp+54h+var_1C], eax
		adc	eax, esi
		mov	esi, [esp+54h+var_38]
		xor	edx, edx
		inc	edx
		sub	ecx, edx
		mov	[esp+54h+var_8], ecx
		sbb	eax, 0
		mov	[esp+54h+var_4], eax
		mov	eax, [esi+18h]
		mov	[esp+54h+var_10], eax
		call	_IoGetRequestorProcess@4 ; IoGetRequestorProcess(x)
		mov	[esp+50h+var_C], eax
		lea	edx, [esp+50h+var_28]
		mov	eax, [esi+8]
		mov	[esp+50h+var_14], eax
		test	byte ptr [esi+2], 2
		mov	esi, [esp+50h+var_3C]
		mov	ecx, esi
		jz	short loc_5CCD28
		xor	eax, eax
		inc	eax
		mov	[esp+50h+var_18], al
		call	FsRtlPrivateCheckForExclusiveLockAccess
		jmp	short loc_5CCD32
; 

loc_5CCD28:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+E977Cj
		mov	[esp+50h+var_18], 0
		call	FsRtlPrivateCheckForSharedLockAccess

loc_5CCD32:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+E978Aj
		mov	[esp+50h+var_42], al
		test	al, al
		jz	loc_5CCE9C
		push	7
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[edi+25h], al
		xor	ecx, ecx
		lea	eax, [edi+38h]
		xchg	ecx, [eax]
		cmp	byte ptr [edi+24h], 0
		setnz	al
		dec	al
		and	al, [esp+50h+var_42]
		mov	[esp+50h+var_41], al
		mov	al, [edi+25h]
		mov	[esp+50h+var_42], al
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	edi, [eax+450h]
		jz	short loc_5CCD89
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5CCDB4
; 

loc_5CCD89:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+E97DFj
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5CCDA5
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_5CCDB4
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_5CCDA5:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+E97F1j
		xor	ecx, ecx
		mov	dword ptr [edi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5CCDB4:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+E97EBj
					; FsRtlPrivateCheckWaitingLocks+E9800j
		mov	cl, [esp+50h+var_42]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[esp+50h+var_41], 0
		jz	loc_5CCE9C
		mov	edx, [esp+50h+var_38]
		lea	eax, [esp+50h+var_28]
		mov	edi, [esp+50h+var_30]
		mov	ecx, edi
		push	eax
		mov	edx, [edx+18h]
		call	FsRtlPrivateInsertLock
		mov	edx, [esp+50h+var_40]
		mov	ecx, [ebx]
		mov	[esp+50h+var_42], al
		mov	[edx], ecx
		cmp	ebx, [esi+10h]
		jnz	short loc_5CCDF4
		mov	[esi+10h], edx

loc_5CCDF4:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+E9853j
		test	ds:byte_70EFC6,	1
		jz	short loc_5CCE09
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5CCE0E
; 

loc_5CCE09:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+E985Fj
		xor	eax, eax
		lock and [esi],	eax

loc_5CCE0E:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+E986Bj
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esp+50h+var_10]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		cmp	[esp+50h+var_42], 0
		jz	short loc_5CCE30
		xor	eax, eax
		jmp	short loc_5CCE35
; 

loc_5CCE30:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+E988Ej
		mov	eax, 0C000009Ah

loc_5CCE35:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+E9892j
		push	[esp+50h+var_10]
		mov	edx, [ebx+8]
		lea	ecx, [esp+54h+var_34]
		push	ecx
		mov	ecx, [edi+8]
		push	eax
		push	[esp+5Ch+var_2C]
		call	FsRtlCompleteLockIrpReal
		cmp	[esp+50h+var_42], 0
		jz	short loc_5CCE69
		cmp	[esp+50h+var_34], 0
		jge	short loc_5CCE69
		push	0
		lea	edx, [esp+54h+var_28]
		mov	ecx, edi
		call	_FsRtlPrivateRemoveLock@12 ; FsRtlPrivateRemoveLock(x,x,x)

loc_5CCE69:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+E98B7j
					; FsRtlPrivateCheckWaitingLocks+E98BEj
		mov	ecx, [esp+50h+var_10]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[ebp+arg_0], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		add	esi, 0Ch
		mov	edx, ebx
		mov	ecx, offset _FsRtlWaitingLockLookasideList
		mov	[esp+50h+var_40], esi
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_5CCEA2
; 

loc_5CCE9C:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+E979Cj
					; FsRtlPrivateCheckWaitingLocks+E9827j
		mov	esi, ebx
		mov	[esp+50h+var_40], ebx

loc_5CCEA2:				; CODE XREF: FsRtlPrivateCheckWaitingLocks+E98FEj
		mov	ebx, [esi]
		jmp	loc_4E35C0
; END OF FUNCTION CHUNK	FOR FsRtlPrivateCheckWaitingLocks
; 
; START	OF FUNCTION CHUNK FOR FsRtlSplitLocks

loc_5CCEA9:				; CODE XREF: FsRtlSplitLocks+1Fj
		mov	edi, [esi+8]
		mov	edx, esi
		mov	[esi+4], al
		mov	eax, [esi+0Ch]
		mov	[ebp+var_C], esi
		mov	[ebp+var_18], edi
		mov	[ebp+arg_0], eax
		jmp	loc_4E3620
; 

loc_5CCEC2:				; CODE XREF: FsRtlSplitLocks+56j
					; FsRtlSplitLocks+5Fj
		mov	[ebp+arg_4], 1
		jmp	loc_4E363B
; 

loc_5CCECE:				; CODE XREF: FsRtlSplitLocks+C3j
					; FsRtlSplitLocks+CBj
		mov	eax, [edi+10h]
		or	eax, [edi+14h]
		jnz	short loc_5CCEE7
		cmp	edx, [ebp+var_10]
		jnz	short loc_5CCEE7
		mov	eax, [ebp+var_14]
		cmp	[ebp+var_1C], eax
		jz	loc_4E36A3

loc_5CCEE7:				; CODE XREF: FsRtlSplitLocks+E9902j
					; FsRtlSplitLocks+E9907j
		mov	ecx, offset _FsRtlLockTreeNodeLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	edx, eax
		mov	[ebp+var_1C], edx
		test	edx, edx
		jnz	short loc_5CCF0F
		cmp	[esi+4], al
		jz	short loc_5CCF03
		inc	eax
		mov	[ebp+var_8], eax

loc_5CCF03:				; CODE XREF: FsRtlSplitLocks+E992Bj
		mov	ecx, [ebp+var_4]
		mov	byte ptr [esi+4], 1
		jmp	loc_4E36A3
; 

loc_5CCF0F:				; CODE XREF: FsRtlSplitLocks+E9926j
		xor	ecx, ecx
		lea	edi, [edx+10h]
		mov	[edi], edi
		lea	eax, [esi+10h]
		mov	[edi+4], ecx
		mov	[edi+8], ecx
		mov	[edx+4], cl
		cmp	[esi+18h], ecx
		jnz	short loc_5CCF2C
		mov	[eax+8], edi
		jmp	short loc_5CCF38
; 

loc_5CCF2C:				; CODE XREF: FsRtlSplitLocks+E9953j
		push	eax
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		mov	edx, [ebp+var_1C]
		mov	[eax+4], edi

loc_5CCF38:				; CODE XREF: FsRtlSplitLocks+E9958j
		mov	ecx, [ebp+var_C]
		mov	[edi], eax
		mov	edi, edx
		mov	eax, [ecx]
		mov	[edx], eax
		and	dword ptr [ecx], 0
		cmp	[ebp+var_8], 0
		mov	eax, [esi+1Ch]
		mov	[edx+1Ch], eax
		mov	eax, [esi+8]
		mov	[esi+1Ch], ecx
		mov	ecx, [ebp+var_4]
		mov	[edx+8], eax
		mov	eax, [esi+0Ch]
		mov	[edx+0Ch], eax
		mov	[esi+8], ebx
		mov	[esi+0Ch], ecx
		jnz	short loc_5CCF70
		mov	byte ptr [esi+4], 0
		jmp	short loc_5CCF75
; 

loc_5CCF70:				; CODE XREF: FsRtlSplitLocks+E9996j
		xor	eax, eax
		mov	[ebp+var_8], eax

loc_5CCF75:				; CODE XREF: FsRtlSplitLocks+E999Cj
		mov	esi, edx
		jmp	loc_4E3670
; 

loc_5CCF7C:				; CODE XREF: FsRtlSplitLocks+D5j
		mov	eax, [edi+0Ch]
		cmp	eax, [ebp+arg_0]
		ja	loc_4E3681
		jb	loc_4E36AD
		mov	eax, [edi+8]
		cmp	eax, [ebp+var_18]
		ja	loc_4E3681
		jmp	loc_4E36AD
; END OF FUNCTION CHUNK	FOR FsRtlSplitLocks
; 
; START	OF FUNCTION CHUNK FOR FsRtlPrivateInitializeFileLock

loc_5CCF9F:				; CODE XREF: FsRtlPrivateInitializeFileLock+36j
		cmp	[ebp+var_1A], 0
		jnz	loc_4E372C
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5CCFB3:				; DATA XREF: .text:006A29F8o
		mov	bl, [ebp+var_19]
		jmp	sub_4E374D
; END OF FUNCTION CHUNK	FOR FsRtlPrivateInitializeFileLock

;  S U B	R O U T	I N E 


sub_5CCFBB	proc near		; DATA XREF: .text:006A2A18o
		mov	esi, [ebp+8]
		mov	bl, [ebp-19h]
		jmp	sub_4E37BC
sub_5CCFBB	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlRemoveBaseMcbEntry

loc_5CCFC6:				; CODE XREF: FsRtlRemoveBaseMcbEntry+33Ej
		test	esi, esi
		jz	loc_4E3A3B
		jmp	loc_4E3A2B
; 

loc_5CCFD3:				; CODE XREF: FsRtlRemoveBaseMcbEntry+12Bj
		lea	eax, [esi-1]
		mov	edx, ebx
		test	eax, eax
		jz	short loc_5CCFE0
		mov	edx, [ecx+esi*8-10h]

loc_5CCFE0:				; CODE XREF: FsRtlRemoveBaseMcbEntry+E96D0j
		mov	eax, [ecx+esi*8-8]
		sub	eax, edx
		add	eax, [ebp+var_1C]
		jnz	loc_4E3A95
		jmp	loc_4E3A3B
; 

loc_5CCFF4:				; CODE XREF: FsRtlRemoveBaseMcbEntry+1E9j
					; FsRtlRemoveBaseMcbEntry+1F8j
		cmp	[ebp+var_14], 0FFFFFFFFh
		jz	short loc_5CD062
		push	2
		mov	edx, esi
		mov	ecx, edi
		call	_FsRtlAddEntry@12 ; FsRtlAddEntry(x,x,x)
		test	al, al
		jz	loc_4E3C97
		mov	ecx, [edi+0Ch]
		mov	eax, [ecx+esi*8+14h]
		mov	[ecx+esi*8+4], eax
		mov	eax, [edi+0Ch]
		mov	ecx, [ebp+var_4]
		mov	[eax+esi*8], ecx
		mov	eax, [edi+0Ch]
		add	ecx, [ebp+arg_8]
		or	dword ptr [eax+esi*8+0Ch], 0FFFFFFFFh
		mov	eax, [edi+0Ch]
		mov	[eax+esi*8+8], ecx
		mov	ecx, [edi+0Ch]
		test	esi, esi
		jnz	short loc_5CD03F
		mov	[ebp+arg_10], ebx
		jmp	short loc_5CD046
; 

loc_5CD03F:				; CODE XREF: FsRtlRemoveBaseMcbEntry+E972Ej
		mov	eax, [ecx+esi*8-8]
		mov	[ebp+arg_10], eax

loc_5CD046:				; CODE XREF: FsRtlRemoveBaseMcbEntry+E9733j
		lea	eax, [esi+1]
		mov	edx, ebx
		test	eax, eax
		jz	short loc_5CD052
		mov	edx, [ecx+esi*8]

loc_5CD052:				; CODE XREF: FsRtlRemoveBaseMcbEntry+E9743j
		mov	eax, [ecx+esi*8+8]
		sub	eax, edx
		sub	eax, [ebp+arg_10]
		add	eax, [ecx+esi*8]
		add	[ecx+esi*8+14h], eax

loc_5CD062:				; CODE XREF: FsRtlRemoveBaseMcbEntry+E96EEj
		mov	eax, [ebp+var_1C]
		mov	edx, ebx
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_C], eax
		mov	eax, ebx
		mov	[ebp+arg_8], ebx
		jmp	loc_4E3B38
; 

loc_5CD077:				; CODE XREF: FsRtlRemoveBaseMcbEntry+259j
		lea	eax, [esi-1]
		test	eax, eax
		jz	short loc_5CD082
		mov	ebx, [ecx+esi*8-10h]

loc_5CD082:				; CODE XREF: FsRtlRemoveBaseMcbEntry+E9772j
		mov	eax, [ecx+esi*8-8]
		sub	eax, ebx
		add	eax, [ebp+arg_0]
		jnz	loc_4E3BBA
		jmp	loc_4E3B69
; END OF FUNCTION CHUNK	FOR FsRtlRemoveBaseMcbEntry
; 
; START	OF FUNCTION CHUNK FOR FsRtlAddBaseMcbEntryEx

loc_5CD096:				; CODE XREF: FsRtlAddBaseMcbEntryEx+E3j
		cmp	edi, [ebp+var_4]
		jb	short loc_5CD09F
		xor	ebx, ebx
		jmp	short loc_5CD0A9
; 

loc_5CD09F:				; CODE XREF: FsRtlAddBaseMcbEntryEx+E93E9j
		lea	ebx, [edi+1]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, [ebp+arg_C]

loc_5CD0A9:				; CODE XREF: FsRtlAddBaseMcbEntryEx+E93EDj
		test	edi, edi
		jnz	short loc_5CD0B1
		xor	eax, eax
		jmp	short loc_5CD0B4
; 

loc_5CD0B1:				; CODE XREF: FsRtlAddBaseMcbEntryEx+E93FBj
		mov	eax, [ecx-8]

loc_5CD0B4:				; CODE XREF: FsRtlAddBaseMcbEntryEx+E93FFj
		mov	ecx, [ebp+arg_C]
		sub	esi, ebx
		sub	ecx, eax
		add	ecx, edx
		inc	esi
		mov	[ebp+arg_C], ecx
		mov	[ebp+arg_14], esi
		jmp	loc_4E3F41
; 

loc_5CD0C9:				; CODE XREF: FsRtlAddBaseMcbEntryEx+28Bj
		test	ecx, ecx
		jnz	short loc_5CD0D1
		xor	eax, eax
		jmp	short loc_5CD0D5
; 

loc_5CD0D1:				; CODE XREF: FsRtlAddBaseMcbEntryEx+E941Bj
		mov	eax, [esi+ecx*8-8]

loc_5CD0D5:				; CODE XREF: FsRtlAddBaseMcbEntryEx+E941Fj
		sub	eax, ebx
		lea	edx, [esi+ecx*8]
		add	eax, [ebp+arg_C]
		cmp	[edx+4], eax
		jnz	short loc_5CD0E8
		test	ecx, ecx
		jnz	short loc_5CD0F2
		jmp	short loc_5CD0F5
; 

loc_5CD0E8:				; CODE XREF: FsRtlAddBaseMcbEntryEx+D2j
					; FsRtlAddBaseMcbEntryEx+134j ...
		mov	eax, 0C0000001h
		jmp	loc_4E3D9B
; 

loc_5CD0F2:				; CODE XREF: FsRtlAddBaseMcbEntryEx+E9434j
		mov	ecx, [edx-8]

loc_5CD0F5:				; CODE XREF: FsRtlAddBaseMcbEntryEx+E9436j
		sub	ecx, ebx
		mov	[ebp+arg_14], ecx
		jmp	loc_4E3F41
; 

loc_5CD0FF:				; CODE XREF: FsRtlAddBaseMcbEntryEx+2D9j
		xor	eax, eax
		jmp	loc_4E3FA5
; 

loc_5CD106:				; CODE XREF: FsRtlAddBaseMcbEntryEx+302j
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	_FsRtlAddEntry@12 ; FsRtlAddEntry(x,x,x)
		test	al, al
		jz	short loc_5CD188
		mov	eax, [esi+0Ch]
		mov	ecx, [ebp+arg_14]
		mov	[eax+4], ebx
		mov	eax, [esi+0Ch]
		mov	[eax], ecx
		jmp	loc_4E3D99
; 

loc_5CD128:				; CODE XREF: FsRtlAddBaseMcbEntryEx+337j
		or	ecx, 0FFFFFFFFh
		jmp	loc_4E3FF0
; 

loc_5CD130:				; CODE XREF: FsRtlAddBaseMcbEntryEx+40Aj
		xor	eax, eax
		jmp	loc_4E401E
; 

loc_5CD137:				; CODE XREF: FsRtlAddBaseMcbEntryEx+4A1j
		mov	eax, [ebp+arg_C]
		xor	edx, edx
		mov	[ecx+0Ch], eax
		mov	ecx, esi
		push	1
		call	_FsRtlRemoveLargeEntry@12 ; FsRtlRemoveLargeEntry(x,x,x)
		jmp	loc_4E3D99
; 

loc_5CD14D:				; CODE XREF: FsRtlAddBaseMcbEntryEx+37Dj
		or	ebx, 0FFFFFFFFh
		jmp	loc_4E4036
; 

loc_5CD155:				; CODE XREF: FsRtlAddBaseMcbEntryEx+391j
		mov	eax, [ebp+arg_C]
		mov	ecx, esi
		mov	[edx+0Ch], eax
		mov	edx, edi
		push	1
		call	_FsRtlRemoveLargeEntry@12 ; FsRtlRemoveLargeEntry(x,x,x)
		jmp	loc_4E3D99
; 

loc_5CD16B:				; CODE XREF: FsRtlAddBaseMcbEntryEx+47Bj
		mov	eax, [ebp+var_10]
		mov	ecx, esi
		mov	[edx-8], eax
		mov	edx, edi
		push	1
		call	_FsRtlRemoveLargeEntry@12 ; FsRtlRemoveLargeEntry(x,x,x)
		jmp	loc_4E3D99
; 

loc_5CD181:				; CODE XREF: FsRtlAddBaseMcbEntryEx+230j
		xor	eax, eax
		jmp	loc_4E3EFC
; 

loc_5CD188:				; CODE XREF: FsRtlAddBaseMcbEntryEx+7Dj
					; FsRtlAddBaseMcbEntryEx+185j ...
		mov	eax, 0C000009Ah
		jmp	loc_4E3D9B
; END OF FUNCTION CHUNK	FOR FsRtlAddBaseMcbEntryEx
; 
; START	OF FUNCTION CHUNK FOR IoAsynchronousPageWrite

loc_5CD192:				; CODE XREF: IoAsynchronousPageWrite+3Bj
		mov	ecx, ebx
		call	_MmIsFileObjectAPagingFile@4 ; MmIsFileObjectAPagingFile(x)
		test	eax, eax
		jz	short loc_5CD1B0
		lock inc ds:_IoAsynchronousPageWriteIrpAllocationFailure
		mov	dl, [edi+30h]
		push	1
		call	_IopAllocateReserveIrp@12 ; IopAllocateReserveIrp(x,x,x)
		jmp	short loc_5CD1C3
; 

loc_5CD1B0:				; CODE XREF: IoAsynchronousPageWrite+E8DBDj
		lock inc ds:_IoAsynchronousPageWriteNonPagefileIrpAllocationFailure
		mov	dl, [edi+30h]
		mov	ecx, edi
		push	0
		call	_IopAllocateBackpocketIrp@12 ; IopAllocateBackpocketIrp(x,x,x)

loc_5CD1C3:				; CODE XREF: IoAsynchronousPageWrite+E8DD0j
		mov	esi, eax
		test	esi, esi
		jnz	loc_4E441F
		mov	eax, 0C000009Ah
		jmp	loc_4E44CE
; 

loc_5CD1D7:				; CODE XREF: IoAsynchronousPageWrite+D0j
		mov	dl, byte ptr [ebp+arg_10]
		mov	ecx, esi	; int
		call	_StRtlIoStorInfoSetNvCachePriority@8 ; StRtlIoStorInfoSetNvCachePriority(x,x)
		jmp	loc_4E44B4
; 

loc_5CD1E6:				; CODE XREF: IoAsynchronousPageWrite+EAj
		mov	esi, [ebp+arg_1C]
		mov	cl, 1
		and	dword ptr [esi+4], 0
		mov	[esi], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	0
		push	esi
		push	[ebp+arg_8]
		mov	bl, al
		call	[ebp+arg_4]
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, 103h
		jmp	loc_4E44CE
; END OF FUNCTION CHUNK	FOR IoAsynchronousPageWrite
; 
; START	OF FUNCTION CHUNK FOR IopQueryVpbFlagsSafe

loc_5CD214:				; CODE XREF: IopQueryVpbFlagsSafe+34j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4E455D
; 

loc_5CD223:				; CODE XREF: IopQueryVpbFlagsSafe+51j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5CD22A:				; CODE XREF: IopQueryVpbFlagsSafe+3Ej
		xor	edx, edx
		mov	dword ptr [esi], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx
		jmp	loc_4E455D
; END OF FUNCTION CHUNK	FOR IopQueryVpbFlagsSafe
; 
; START	OF FUNCTION CHUNK FOR IopWaitForLockAlertable

loc_5CD23E:				; CODE XREF: IopWaitForLockAlertable+58j
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFF2Bh
		add	eax, 0C0000120h
		jmp	loc_4E45B4
; END OF FUNCTION CHUNK	FOR IopWaitForLockAlertable
; 
; START	OF FUNCTION CHUNK FOR IoPropagateActivityIdToThread

loc_5CD256:				; CODE XREF: IoPropagateActivityIdToThread+11j
		push	esi
		mov	esi, [ebp+arg_4]
		push	esi
		push	[ebp+arg_0]
		call	IoGetActivityIdIrp
		mov	eax, large fs:124h
		mov	ecx, [eax+35Ch]
		mov	[eax+35Ch], esi
		mov	eax, [ebp+arg_8]
		pop	esi
		mov	[eax], ecx
		xor	eax, eax
		jmp	loc_4E4750
; END OF FUNCTION CHUNK	FOR IoPropagateActivityIdToThread
; 
; START	OF FUNCTION CHUNK FOR ExQueueWorkItemFromIo

loc_5CD282:				; CODE XREF: ExQueueWorkItemFromIo+2Fj
		push	0FFFFFFFFh
		push	esi
		push	edi
		push	5
		push	0E4h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5CD293:				; CODE XREF: IopQueueWorkItemProlog+1Aj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_4E47F6
		mov	eax, large fs:124h
		lea	edi, [ebx+24h]
		mov	esi, [eax+35Ch]
		test	esi, esi
		jz	loc_4E47F9
		movsd
		movsd
		movsd
		movsd
		jmp	loc_4E47FF
; END OF FUNCTION CHUNK	FOR ExQueueWorkItemFromIo
; 
; START	OF FUNCTION CHUNK FOR IoMakeAssociatedIrpPriv

loc_5CD2C1:				; CODE XREF: IoMakeAssociatedIrpPriv+1Dj
		xor	edx, edx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jnz	loc_4E48DB
		jmp	loc_4E48AB
; 

loc_5CD2D5:				; CODE XREF: IoMakeAssociatedIrpPriv+40j
					; IoMakeAssociatedIrpPriv+4Dj
		mov	cl, [ebp+arg_0]
		jmp	loc_4E48E5
; 

loc_5CD2DD:				; CODE XREF: IoMakeAssociatedIrpPriv+A2j
		and	[ebp+var_C], 0
		mov	ebx, 5A0h
		jmp	loc_4E495A
; 

loc_5CD2EB:				; CODE XREF: IoMakeAssociatedIrpPriv+ADj
		cbw
		mov	ebx, 5A8h
		mov	[ebp+var_C], 8
		jmp	loc_4E494B
; 

loc_5CD2FE:				; CODE XREF: IoMakeAssociatedIrpPriv+F0j
		mov	ebx, [ebp+var_8]
		jmp	loc_4E4999
; 

loc_5CD306:				; CODE XREF: IoMakeAssociatedIrpPriv+19Dj
		xor	edx, edx
		mov	ecx, edi
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	loc_4E4A2B
		mov	eax, [edi+68h]
		add	eax, 10h
		push	eax
		push	esi
		call	_IoSetActivityIdIrp@8 ;	IoSetActivityIdIrp(x,x)
		jmp	loc_4E4A2B
; END OF FUNCTION CHUNK	FOR IoMakeAssociatedIrpPriv
; 
; START	OF FUNCTION CHUNK FOR IoGetFsTrackOffsetState

loc_5CD329:				; CODE XREF: IoGetFsTrackOffsetState+15j
		mov	edx, [esi+68h]
		mov	eax, [ebp+arg_4]
		mov	ecx, [edx+20h]
		mov	[eax], ecx
		mov	ecx, [ebp+arg_8]
		mov	eax, [edx+24h]
		mov	[ecx], eax
		mov	eax, [edx+28h]
		mov	[ecx+4], eax
		xor	eax, eax
		jmp	loc_4E4AFE
; END OF FUNCTION CHUNK	FOR IoGetFsTrackOffsetState
; 
; START	OF FUNCTION CHUNK FOR IopIsActivityTracingEnabled

loc_5CD349:				; CODE XREF: IopIsActivityTracingEnabled+7j
		test	byte ptr ds:_IopIrpExtensionStatus, 1
		jz	loc_4E4D89
		mov	al, 1
		retn
; END OF FUNCTION CHUNK	FOR IopIsActivityTracingEnabled
; 
; START	OF FUNCTION CHUNK FOR IoSynchronousPageWriteEx

loc_5CD359:				; CODE XREF: IoSynchronousPageWriteEx+50j
		mov	ecx, ebx
		call	_MmIsFileObjectAPagingFile@4 ; MmIsFileObjectAPagingFile(x)
		test	eax, eax
		jz	short loc_5CD377
		lock inc ds:_IoSynchronousPageWriteIrpAllocationFailure
		mov	dl, [edi+30h]
		push	1
		call	_IopAllocateReserveIrp@12 ; IopAllocateReserveIrp(x,x,x)
		jmp	short loc_5CD38A
; 

loc_5CD377:				; CODE XREF: IoSynchronousPageWriteEx+E85ACj
		lock inc ds:_IoSynchronousPageWriteNonPagefileIrpAllocationFailure
		mov	dl, [edi+30h]
		mov	ecx, edi
		push	0
		call	_IopAllocateBackpocketIrp@12 ; IopAllocateBackpocketIrp(x,x,x)

loc_5CD38A:				; CODE XREF: IoSynchronousPageWriteEx+E85BFj
		mov	esi, eax
		test	esi, esi
		jnz	loc_4E4E0C
		mov	eax, 0C000009Ah
		jmp	loc_4E4EB1
; END OF FUNCTION CHUNK	FOR IoSynchronousPageWriteEx
; 
; START	OF FUNCTION CHUNK FOR IopSetDiskIoAttributionExtension

loc_5CD39E:				; CODE XREF: IopSetDiskIoAttributionExtension+43j
		mov	eax, [ecx+158h]
		cmp	dword ptr [eax+328h], 0
		jz	loc_4E4F43
		test	[ebp+arg_4], 1
		jnz	loc_4E4F43
		lea	eax, [ebp+var_4]
		mov	dl, 1
		push	eax
		call	IopReferenceIoAttributionFromProcess
		jmp	loc_4E4F43
; END OF FUNCTION CHUNK	FOR IopSetDiskIoAttributionExtension
; 
; START	OF FUNCTION CHUNK FOR IoPropagateIrpExtensionEx

loc_5CD3CB:				; CODE XREF: IoPropagateIrpExtensionEx+36j
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		call	IopAllocateIrpExtension
		mov	edx, eax
		test	edx, edx
		jz	loc_4E50CA
		mov	ecx, [edi+10h]
		mov	[edx+10h], ecx
		mov	eax, [edi+14h]
		mov	[edx+14h], eax
		mov	eax, [edi+18h]
		mov	[edx+18h], eax
		mov	eax, [edi+1Ch]
		mov	[edx+1Ch], eax
		jmp	loc_4E4FCC
; 

loc_5CD3FC:				; CODE XREF: IoPropagateIrpExtensionEx+49j
					; IoPropagateIrpExtensionEx+57j
		mov	ecx, [ebp+arg_4]
		mov	edx, 2
		call	IopAllocateIrpExtension
		mov	ecx, [edi+4]
		mov	[eax+4], ecx
		jmp	loc_4E4FED
; 

loc_5CD414:				; CODE XREF: IoPropagateIrpExtensionEx+74j
		mov	ecx, [ebp+arg_4]
		mov	edx, 5
		call	IopAllocateIrpExtension
		test	eax, eax
		jz	loc_4E50CA
		mov	edx, [edi+24h]
		add	edx, [ebp+arg_8]
		mov	ecx, [edi+28h]
		adc	ecx, [ebp+arg_C]
		mov	[eax+24h], edx
		mov	[eax+28h], ecx
		mov	ecx, [edi+20h]
		mov	[eax+20h], ecx
		mov	eax, [edi+20h]
		mov	edx, [eax+4]
		test	edx, edx
		jz	loc_4E500A
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ecx
		push	eax
		call	edx
		jmp	loc_4E500A
; 

loc_5CD45E:				; CODE XREF: IoPropagateIrpExtensionEx+B1j
		mov	ecx, [edi+28h]
		mov	eax, 1
		test	ecx, ecx
		jz	short loc_5CD474
		mov	eax, [ecx+10h]
		shl	eax, 9
		test	eax, eax
		jz	short loc_5CD4D1

loc_5CD474:				; CODE XREF: IoPropagateIrpExtensionEx+E84D8j
		push	ebx
		push	0
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	__alldvrm
		or	ecx, ebx
		pop	ebx
		nop
		mov	ebx, eax
		mov	[ebp+arg_C], edx
		jnz	short loc_5CD4D1
		mov	ecx, [ebp+arg_4]
		mov	edx, 7
		call	IopAllocateIrpExtension
		mov	edx, eax
		test	edx, edx
		jz	loc_4E50CA
		mov	edi, [ebp+arg_0]
		mov	ecx, [edi+20h]
		mov	[edx+20h], ecx
		mov	ecx, [edi+24h]
		mov	[edx+24h], ecx
		mov	eax, [edi+28h]
		mov	[edx+28h], eax
		mov	eax, [edi+2Ch]
		mov	[edx+2Ch], eax
		add	[edx+20h], ebx
		mov	eax, [ebp+arg_C]
		adc	[edx+24h], eax
		mov	ebx, [ebp+arg_10]
		jmp	loc_4E5047
; 

loc_5CD4D1:				; CODE XREF: IoPropagateIrpExtensionEx+E84E2j
					; IoPropagateIrpExtensionEx+E84FCj
		mov	eax, 0C000000Dh
		jmp	loc_4E5067
; END OF FUNCTION CHUNK	FOR IoPropagateIrpExtensionEx
; 
; START	OF FUNCTION CHUNK FOR IopAllocateIrpExtension

loc_5CD4DB:				; CODE XREF: IopAllocateIrpExtension+14j
		cmp	ebx, 2
		jz	loc_4E513C
		push	58707249h
		push	48h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_4E512D
		push	48h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		push	4
		pop	eax
		bts	ax, bx
		mov	[esi+2], ax
		mov	eax, [edi+68h]
		mov	[esi+4], eax
		mov	[edi+68h], esi
		mov	al, [edi+27h]
		and	al, 3Fh
		or	al, 40h
		mov	[edi+27h], al
		or	word ptr [esi],	1
		jmp	loc_4E512D
; END OF FUNCTION CHUNK	FOR IopAllocateIrpExtension
; 
; START	OF FUNCTION CHUNK FOR IopMountInitializeVpb

loc_5CD533:				; CODE XREF: IopMountInitializeVpb+77j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4E521A
; 

loc_5CD542:				; CODE XREF: IopMountInitializeVpb+94j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5CD549:				; CODE XREF: IopMountInitializeVpb+81j
		lea	ecx, [eax+4]
		mov	dword ptr [esi], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax
		jmp	loc_4E521A
; END OF FUNCTION CHUNK	FOR IopMountInitializeVpb
; 
; START	OF FUNCTION CHUNK FOR IoSetIoCompletionEx

loc_5CD55D:				; CODE XREF: IoSetIoCompletionEx+53j
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)
		jmp	loc_4E52B9
; END OF FUNCTION CHUNK	FOR IoSetIoCompletionEx
; 
; START	OF FUNCTION CHUNK FOR KeInsertQueueEx

loc_5CD577:				; CODE XREF: KeInsertQueueEx+2Ej
		mov	ecx, edi
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		movzx	eax, al
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)
		jmp	loc_4E53CE
; 

loc_5CD590:				; CODE XREF: KeInsertQueueEx+39j
		mov	al, [esi+1]
		and	al, 2
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	ecx, eax
		mov	[ebp+arg_0], ecx
		jmp	loc_4E53D9
; 

loc_5CD5A8:				; CODE XREF: KeInsertQueueEx+4Fj
		mov	eax, [eax+150h]
		mov	[ebp+var_1], 1
		mov	al, [eax+2A2h]
		cmp	al, 2
		jz	loc_4E53F3
		jmp	loc_4E53EF
; 

loc_5CD5C5:				; CODE XREF: KeInsertQueueEx+73j
		cmp	[ebp+var_1], 0
		jz	loc_4E545C
		jmp	loc_4E5413
; END OF FUNCTION CHUNK	FOR KeInsertQueueEx
; 
; START	OF FUNCTION CHUNK FOR MiFindPageFileWriteCluster

loc_5CD5D4:				; CODE XREF: MiFindPageFileWriteCluster+7Ej
		cmp	[ebp+arg_4], 0
		jnz	short loc_5CD639
		mov	eax, [ebx+44h]
		mov	esi, [ebx+40h]
		mov	ecx, ds:dword_7051C4
		mov	[ebp+var_C], eax
		cmp	esi, ecx
		jnb	short loc_5CD60E
		cmp	[ebx+48h], eax
		jz	short loc_5CD60E
		mov	eax, ecx
		shr	eax, 3
		cmp	esi, eax
		jnb	short loc_5CD5FF
		add	esi, esi
		jmp	short loc_5CD60B
; 

loc_5CD5FF:				; CODE XREF: MiFindPageFileWriteCluster+E815Bj
		mov	eax, esi
		shr	eax, 1
		add	esi, eax
		cmp	esi, ecx
		jb	short loc_5CD60B
		mov	esi, ecx

loc_5CD60B:				; CODE XREF: MiFindPageFileWriteCluster+E815Fj
					; MiFindPageFileWriteCluster+E8169j
		mov	[ebx+40h], esi

loc_5CD60E:				; CODE XREF: MiFindPageFileWriteCluster+E814Dj
					; MiFindPageFileWriteCluster+E8152j
		cmp	edi, esi
		jnb	short loc_5CD614
		mov	esi, edi

loc_5CD614:				; CODE XREF: MiFindPageFileWriteCluster+E8172j
		mov	eax, 800h
		test	[ebx+74h], ax
		jz	short loc_5CD622
		xor	esi, esi
		inc	esi

loc_5CD622:				; CODE XREF: MiFindPageFileWriteCluster+E817Fj
		lea	eax, [ebp+var_3C]
		mov	ecx, ebx
		mov	edx, eax
		mov	[ebp+var_14], eax
		call	_MiRefPageFileSpaceBitmaps@8 ; MiRefPageFileSpaceBitmaps(x,x)
		lea	ecx, [ebp+var_38]
		lea	eax, [ebx+3Ch]
		jmp	short loc_5CD657
; 

loc_5CD639:				; CODE XREF: MiFindPageFileWriteCluster+E813Aj
		mov	edi, [ebx+38h]
		lea	ecx, [ebp+var_28]
		mov	eax, [ebx]
		and	[ebp+var_C], 0
		mov	esi, [ebp+var_8]
		mov	[ebp+var_28], eax
		mov	eax, [edi+8]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_14], edi

loc_5CD657:				; CODE XREF: MiFindPageFileWriteCluster+E8199j
		mov	eax, [eax]
		mov	edx, esi
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_RtlFindLongestRunClearCapped@12 ; RtlFindLongestRunClearCapped(x,x,x)
		cmp	[ebp+arg_4], 0
		mov	edi, [ebp+var_4]
		mov	[ebp+var_8], eax
		jnz	short loc_5CD6A3
		test	eax, eax
		jz	short loc_5CD689
		cmp	eax, esi
		jnb	short loc_5CD684
		mov	ecx, [ebp+var_C]
		mov	[ebx+40h], eax
		mov	[ebx+48h], ecx

loc_5CD684:				; CODE XREF: MiFindPageFileWriteCluster+E81DBj
		add	eax, edi
		mov	[ebx+3Ch], eax

loc_5CD689:				; CODE XREF: MiFindPageFileWriteCluster+E81D7j
		mov	edx, [ebp+var_14]
		mov	ecx, ebx
		push	0
		call	_MiDerefPageFileSpaceBitmaps@12	; MiDerefPageFileSpaceBitmaps(x,x,x)
		test	eax, eax
		jz	short loc_5CD6AE
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_5CD6AE
; 

loc_5CD6A3:				; CODE XREF: MiFindPageFileWriteCluster+E81D3j
		push	ecx
		push	eax
		mov	edx, edi
		mov	ecx, ebx
		call	_MiSetPageFileAllocationBits@16	; MiSetPageFileAllocationBits(x,x,x,x)

loc_5CD6AE:				; CODE XREF: MiFindPageFileWriteCluster+E81F9j
					; MiFindPageFileWriteCluster+E8203j
		mov	ecx, [ebp+var_8]
		jmp	loc_4E5550
; END OF FUNCTION CHUNK	FOR MiFindPageFileWriteCluster
; 
; START	OF FUNCTION CHUNK FOR MiBitmapsCachedEntryLengthChanged

loc_5CD6B6:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+15j
		mov	edx, [edi+4]
		mov	esi, edi
		test	edx, edx
		jz	short loc_5CD6D1
		mov	ecx, [edx]
		test	ecx, ecx
		jz	short loc_5CD6E4

loc_5CD6C5:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+E816Bj
		mov	eax, [ecx]
		mov	edx, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_5CD6C5
		jmp	short loc_5CD6E4
; 

loc_5CD6D1:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+E815Bj
		mov	edx, [edi+8]
		jmp	short loc_5CD6DF
; 

loc_5CD6D6:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+E8180j
		cmp	[edx], esi
		jz	short loc_5CD6E4
		mov	esi, edx
		mov	edx, [edx+8]

loc_5CD6DF:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+E8172j
		and	edx, 0FFFFFFFCh
		jnz	short loc_5CD6D6

loc_5CD6E4:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+E8161j
					; MiBitmapsCachedEntryLengthChanged+E816Dj ...
		mov	esi, [ebp+var_4]
		jmp	loc_4E55AE
; 

loc_5CD6EC:				; CODE XREF: MiBitmapsCachedEntryLengthChanged+54j
		cmp	eax, ecx
		jbe	loc_4E55C7
		jmp	loc_4E55C0
; END OF FUNCTION CHUNK	FOR MiBitmapsCachedEntryLengthChanged
; 

loc_5CD6F9:				; CODE XREF: .text:004E56BDj
		push	esi
		lea	eax, [ebx+54h]
		push	eax
		call	RtlRbRemoveNode
		lea	eax, [esi+0Ch]
		push	eax
		lea	eax, [ebx+5Ch]
		push	eax
		call	RtlRbRemoveNode
		mov	eax, [ebx+50h]
		mov	ecx, [esi+1Ch]
		cmp	eax, ecx
		ja	short loc_5CD71C
		mov	eax, ecx

loc_5CD71C:				; CODE XREF: .text:005CD718j
		mov	[ebx+50h], eax
		jmp	loc_4E56DE
; 

loc_5CD724:				; CODE XREF: .text:004E57C7j
		lea	esi, [ebx+54h]
		mov	eax, [esi+4]
		test	al, 1
		jz	short loc_5CD744
		cmp	eax, 1
		jnz	short loc_5CD73A
		xor	esi, esi
		jmp	loc_4E57CD
; 

loc_5CD73A:				; CODE XREF: .text:005CD731j
		or	esi, 1
		xor	esi, eax
		jmp	loc_4E57CD
; 

loc_5CD744:				; CODE XREF: .text:005CD72Cj
		mov	esi, eax
		jmp	loc_4E57CD
; 

loc_5CD74B:				; CODE XREF: .text:004E56B5j
		mov	eax, [ebx+50h]
		cmp	eax, edi
		ja	short loc_5CD754
		mov	eax, edi

loc_5CD754:				; CODE XREF: .text:005CD750j
		mov	[ebx+50h], eax
		jmp	loc_4E57CD
; 
; START	OF FUNCTION CHUNK FOR RtlFindMostSignificantBit

loc_5CD75C:				; CODE XREF: RtlFindMostSignificantBit+7Dj
		and	ecx, 0FF000000h
		xor	eax, eax
		or	eax, ecx
		jz	short loc_5CD76F
		mov	bl, 38h
		jmp	loc_4E5A3D
; 

loc_5CD76F:				; CODE XREF: RtlFindMostSignificantBit+E7D56j
		mov	bl, 30h
		jmp	loc_4E5A3D
; END OF FUNCTION CHUNK	FOR RtlFindMostSignificantBit
; 
; START	OF FUNCTION CHUNK FOR MiFindFreePageFileSpace

loc_5CD776:				; CODE XREF: MiFindFreePageFileSpace+11Fj
		or	ebx, 10h
		mov	[ebp+arg_4], ebx
		jmp	loc_4E5BFB
; 

loc_5CD781:				; CODE XREF: MiFindFreePageFileSpace+59j
		test	byte ptr [esi+74h], 10h
		jnz	loc_4E5B07

loc_5CD78B:				; CODE XREF: MiFindFreePageFileSpace+E7CF2j
		mov	ecx, esi
		mov	edi, esi
		call	MiPageFileLargestBitmapsRun
		jmp	short loc_5CD7B2
; 

loc_5CD796:				; CODE XREF: MiFindFreePageFileSpace+61j
		test	byte ptr [esi+74h], 20h
		jz	short loc_5CD78B
		jmp	loc_4E5B0F
; 

loc_5CD7A1:				; CODE XREF: MiFindFreePageFileSpace+6Bj
		mov	ecx, esi
		call	MiPageFileLargestBitmapsRun
		cmp	eax, ebx
		jbe	loc_4E5B19
		mov	edi, esi

loc_5CD7B2:				; CODE XREF: MiFindFreePageFileSpace+E7CECj
		mov	ebx, eax
		jmp	loc_4E5B19
; 

loc_5CD7B9:				; CODE XREF: MiFindFreePageFileSpace+167j
		test	bl, 48h
		jnz	loc_4E5DDE
		jmp	loc_4E5B76
; 

loc_5CD7C7:				; CODE XREF: MiFindFreePageFileSpace+37Cj
					; MiFindFreePageFileSpace+385j
		test	bl, bl
		js	loc_4E5DDB
		mov	ecx, [eax]
		mov	edx, eax
		test	ecx, ecx
		jz	short loc_5CD7EA
		cmp	dword ptr [ecx+4], 0
		jz	short loc_5CD7FE

loc_5CD7DD:				; CODE XREF: MiFindFreePageFileSpace+E7D3Ej
		mov	eax, [ecx+4]
		mov	ecx, eax
		cmp	dword ptr [eax+4], 0
		jnz	short loc_5CD7DD
		jmp	short loc_5CD7FE
; 

loc_5CD7EA:				; CODE XREF: MiFindFreePageFileSpace+E7D2Dj
		mov	ecx, [eax+8]
		jmp	short loc_5CD7F9
; 

loc_5CD7EF:				; CODE XREF: MiFindFreePageFileSpace+E7D54j
		cmp	[ecx+4], edx
		jz	short loc_5CD7FE
		mov	edx, ecx
		mov	ecx, [ecx+8]

loc_5CD7F9:				; CODE XREF: MiFindFreePageFileSpace+E7D45j
		and	ecx, 0FFFFFFFCh
		jnz	short loc_5CD7EF

loc_5CD7FE:				; CODE XREF: MiFindFreePageFileSpace+E7D33j
					; MiFindFreePageFileSpace+E7D40j ...
		test	ecx, ecx
		jnz	short loc_5CD810
		cmp	esi, 20h
		jb	loc_4E5DDB
		jmp	loc_4E5E33
; 

loc_5CD810:				; CODE XREF: MiFindFreePageFileSpace+E7D58j
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_8], ecx
		cmp	esi, eax
		jbe	short loc_5CD823
		cmp	esi, 20h
		jnb	loc_4E5E33

loc_5CD823:				; CODE XREF: MiFindFreePageFileSpace+E7D70j
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_8]
		jmp	loc_4E5C3E
; 

loc_5CD82E:				; CODE XREF: MiFindFreePageFileSpace+38Fj
		lea	esi, [edi+88h]
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_14]
		xor	eax, eax
		inc	eax
		jmp	loc_4E5B3E
; END OF FUNCTION CHUNK	FOR MiFindFreePageFileSpace
; 
; START	OF FUNCTION CHUNK FOR MiPageFileLargestBitmapsRun

loc_5CD84E:				; CODE XREF: MiPageFileLargestBitmapsRun+5Aj
		mov	eax, [ecx]
		mov	edi, ecx
		jmp	loc_4E5E9F
; END OF FUNCTION CHUNK	FOR MiPageFileLargestBitmapsRun
; 
; START	OF FUNCTION CHUNK FOR MiInvalidatePageFileBitmapsCache

loc_5CD857:				; CODE XREF: MiInvalidatePageFileBitmapsCache+14Cj
		test	ecx, ecx
		jz	short loc_5CD862
		xor	ecx, edx
		jmp	loc_4E6062
; 

loc_5CD862:				; CODE XREF: MiInvalidatePageFileBitmapsCache+E7949j
		xor	ecx, ecx
		jmp	loc_4E6062
; 

loc_5CD869:				; CODE XREF: MiInvalidatePageFileBitmapsCache+182j
					; MiInvalidatePageFileBitmapsCache+18Cj
		mov	byte ptr [ebp+arg_0], 1
		jmp	loc_4E60BF
; 

loc_5CD872:				; CODE XREF: MiInvalidatePageFileBitmapsCache+19Ej
					; MiInvalidatePageFileBitmapsCache+1AAj
		mov	byte ptr [ebp+arg_0], 0
		jmp	loc_4E60BF
; 

loc_5CD87B:				; CODE XREF: MiInvalidatePageFileBitmapsCache+1C3j
		test	ecx, ecx
		jz	short loc_5CD886
		xor	ecx, edi
		jmp	loc_4E60D9
; 

loc_5CD886:				; CODE XREF: MiInvalidatePageFileBitmapsCache+E796Dj
		xor	ecx, ecx
		jmp	loc_4E60D9
; 

loc_5CD88D:				; CODE XREF: MiInvalidatePageFileBitmapsCache+10Aj
		cmp	edx, eax
		jbe	short loc_5CD89F
		mov	[esi+1Ch], edx
		mov	ecx, [edi+50h]
		cmp	ecx, eax
		ja	short loc_5CD8B1
		mov	ecx, eax
		jmp	short loc_5CD8B1
; 

loc_5CD89F:				; CODE XREF: MiInvalidatePageFileBitmapsCache+E797Fj
		mov	[esi+1Ch], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+18h], eax
		mov	ecx, [edi+50h]
		cmp	ecx, edx
		ja	short loc_5CD8B1
		mov	ecx, edx

loc_5CD8B1:				; CODE XREF: MiInvalidatePageFileBitmapsCache+E7989j
					; MiInvalidatePageFileBitmapsCache+E798Dj ...
		mov	[edi+50h], ecx
		jmp	loc_4E5F4C
; END OF FUNCTION CHUNK	FOR MiInvalidatePageFileBitmapsCache
; 
; START	OF FUNCTION CHUNK FOR RtlLengthCurrentClearRunForward

loc_5CD8B9:				; CODE XREF: RtlLengthCurrentClearRunForward+B1j
		test	esi, esi
		jz	short loc_5CD8C0
		mov	ecx, [edx+4]

loc_5CD8C0:				; CODE XREF: RtlLengthCurrentClearRunForward+E770Bj
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		or	eax, ecx
		push	0
		push	eax
		jmp	loc_4E61FE
; END OF FUNCTION CHUNK	FOR RtlLengthCurrentClearRunForward
; 

loc_5CD8D3:				; CODE XREF: .text:004E62EFj
		mov	edx, [eax+8]
		lea	ecx, [eax+8]
		mov	[ebp-4], edx
		cmp	[edx+4], ecx
		jnz	loc_4E634B
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_4E634B
		mov	ecx, [ebp-4]
		mov	[edx], ecx
		mov	[ecx+4], edx
		and	dword ptr [eax+10h], 0FFFFFFFDh
		dec	dword ptr [esi+34h]
		mov	ecx, [eax+10h]
		jmp	loc_4E62F5
; 

loc_5CD907:				; CODE XREF: .text:004E632Cj
					; .text:005CD92Cj
		test	byte ptr [eax+8], 1
		lea	edx, [eax-8]
		mov	eax, [eax]
		mov	[ebp-4], eax
		jnz	short loc_5CD92A
		push	ecx
		push	0
		mov	ecx, esi
		call	_AuthzBasepRemoveSecurityAttributeValueFromLists@16 ; AuthzBasepRemoveSecurityAttributeValueFromLists(x,x,x,x)
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp-4]

loc_5CD92A:				; CODE XREF: .text:005CD913j
		cmp	eax, edi
		jnz	short loc_5CD907
		jmp	loc_4E6332
; 
; START	OF FUNCTION CHUNK FOR RtlpOwnerAcesPresent

loc_5CD933:				; CODE XREF: RtlpOwnerAcesPresent+46j
		cmp	al, 0Ch
		jbe	short loc_5CD944
		jmp	loc_4E63BC
; 

loc_5CD93C:				; CODE XREF: RtlpOwnerAcesPresent+4Ej
		cmp	al, 10h
		ja	loc_4E63C4

loc_5CD944:				; CODE XREF: RtlpOwnerAcesPresent+106j
					; RtlpOwnerAcesPresent+E75C5j
		mov	eax, [edi+8]
		mov	ecx, eax
		and	ecx, 2
		and	eax, 1
		shl	ecx, 3
		or	ecx, 0Ch
		shl	eax, 4
		add	ecx, eax
		jmp	loc_4E63D9
; 

loc_5CD95F:				; CODE XREF: RtlpOwnerAcesPresent+56j
		mov	ecx, 0Ch
		jmp	loc_4E63D9
; 

loc_5CD969:				; CODE XREF: RtlpOwnerAcesPresent+113j
		sub	al, 0Dh
		cmp	al, 1
		ja	loc_4E63E8
		jmp	loc_4E63D4
; END OF FUNCTION CHUNK	FOR RtlpOwnerAcesPresent
; 

loc_5CD978:				; CODE XREF: .text:004E64E6j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4E64F1
; 

loc_5CD987:				; CODE XREF: .text:004E65F9j
		mov	edi, 0C0000017h
		jmp	loc_4E666D
; 

loc_5CD991:				; CODE XREF: .text:004E664Ej
		mov	edx, [ebp+4]
		mov	ecx, [ebp-8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4E665C
; 

loc_5CD9A1:				; CODE XREF: .text:004E6667j
		push	50737050h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4E666D
; 
; START	OF FUNCTION CHUNK FOR PsGetThreadProperty

loc_5CD9B1:				; CODE XREF: PsGetThreadProperty+9Aj
		mov	ecx, edi
		call	@KiAcquireSpinLockInstrumented@4 ; KiAcquireSpinLockInstrumented(x)
		jmp	loc_4E673B
; 

loc_5CD9BD:				; CODE XREF: PsGetThreadProperty+A5j
		mov	ecx, edi
		call	KxWaitForSpinLockAndAcquire
		jmp	loc_4E673B
; 

loc_5CD9C9:				; CODE XREF: PsGetThreadProperty+DFj
		push	72507350h
		push	1
		mov	dl, 1
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		mov	ecx, [esp+18h+var_4]
		jmp	loc_4E6775
; 

loc_5CD9E0:				; CODE XREF: PsGetThreadProperty+F2j
		push	eax
		push	10h
		lea	eax, [ecx+18h]
		push	eax
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CD9F0:				; CODE XREF: PsGetThreadProperty+FFj
		mov	edx, [ebp+4]
		mov	ecx, [esp+2Ch+var_1C]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4E679E
; END OF FUNCTION CHUNK	FOR PsGetThreadProperty
; 
; START	OF FUNCTION CHUNK FOR PspGetJobProperty

loc_5CDA01:				; CODE XREF: PspGetJobProperty+35j
		mov	ecx, [ebp+arg_0]
		mov	eax, [esp+18h+var_4]
		mov	[ecx], eax
		jmp	loc_4E689B
; END OF FUNCTION CHUNK	FOR PspGetJobProperty
; 
; START	OF FUNCTION CHUNK FOR PspGetProperty

loc_5CDA0F:				; CODE XREF: PspGetProperty+2Ej
		mov	ecx, [esi+0Ch]
		mov	edx, 72507350h
		call	ObfReferenceObjectWithTag
		jmp	loc_4E68E0
; 

loc_5CDA21:				; CODE XREF: PspGetProperty+3Bj
		mov	edx, [ebp+4]
		lea	ecx, [edi+8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4E68F5
; END OF FUNCTION CHUNK	FOR PspGetProperty
; 
; START	OF FUNCTION CHUNK FOR KeWaitForAlertByThreadId

loc_5CDA31:				; CODE XREF: KeWaitForAlertByThreadId+1CAj
		mov	eax, 102h
		jmp	loc_4E6A99
; 

loc_5CDA3B:				; CODE XREF: KeWaitForAlertByThreadId+1D3j
		mov	ecx, [ebx]
		mov	edi, 1
		mov	edx, [ebx+4]
		mov	[ebp+var_8], ecx
		jmp	loc_4E6B40
; 

loc_5CDA4D:				; CODE XREF: KeWaitForAlertByThreadId+B5j
		cmp	word ptr [esi+13Eh], 0
		jnz	loc_4E69FB
		cmp	dl, 1
		jnb	loc_4E69FB
		mov	cl, 1
		mov	dword ptr [ebx], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	0
		push	0
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	al, [ebp+var_1]
		mov	[esi+92h], al
		jmp	loc_4E69C0
; 

loc_5CDA91:				; CODE XREF: KeWaitForAlertByThreadId+117j
		mov	eax, edx
		or	eax, ecx
		jz	short loc_5CDAF7
		mov	eax, 0FFDF0018h
		mov	[ebp+var_30], 0
		mov	eax, [eax]
		mov	[ebp+var_10], eax
		mov	eax, 0FFDF0014h
		mov	eax, [eax]
		mov	[ebp+var_18], eax
		mov	eax, 0FFDF001Ch
		mov	eax, [eax]
		cmp	[ebp+var_10], eax
		jz	short loc_5CDAEF
		mov	esi, 0FFDF0018h
		lea	edi, [esi-4]

loc_5CDAC6:				; CODE XREF: KeWaitForAlertByThreadId+E71A1j
		lea	ecx, [ebp+var_30]
		call	KeYieldProcessorEx
		mov	ebx, [esi]
		mov	eax, [edi]
		mov	[ebp+var_18], eax
		mov	eax, 0FFDF001Ch
		mov	[ebp+var_10], ebx
		mov	eax, [eax]
		cmp	ebx, eax
		jnz	short loc_5CDAC6
		mov	esi, [ebp+var_34]
		mov	edi, [ebp+var_14]
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]

loc_5CDAEF:				; CODE XREF: KeWaitForAlertByThreadId+E717Cj
		mov	eax, [ebp+var_1C]
		jmp	loc_4E6ADF
; 

loc_5CDAF7:				; CODE XREF: KeWaitForAlertByThreadId+1A8j
					; KeWaitForAlertByThreadId+1BAj ...
		mov	edi, 102h
		jmp	loc_4E6B9C
; END OF FUNCTION CHUNK	FOR KeWaitForAlertByThreadId
; 
; START	OF FUNCTION CHUNK FOR KiGetDueTimeWithThreadTimerDelay

loc_5CDB01:				; CODE XREF: KiGetDueTimeWithThreadTimerDelay+41j
		mov	eax, [ebp+arg_0]
		add	eax, edx
		mov	edx, [ebp+arg_4]
		adc	edx, 0
		jmp	loc_4E6C21
; END OF FUNCTION CHUNK	FOR KiGetDueTimeWithThreadTimerDelay
; 
; START	OF FUNCTION CHUNK FOR MiAttachSession

loc_5CDB11:				; CODE XREF: MiAttachSession+44j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4E6D52
; END OF FUNCTION CHUNK	FOR MiAttachSession
; 
; START	OF FUNCTION CHUNK FOR MiCompareTbFlushTimeStamp

loc_5CDB21:				; CODE XREF: MiCompareTbFlushTimeStamp+44j
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		xor	ecx, ecx
		lock or	[eax], ecx
		jmp	short loc_5CDB3B
; 

loc_5CDB33:				; CODE XREF: MiCompareTbFlushTimeStamp+E6DAEj
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx

loc_5CDB3B:				; CODE XREF: MiCompareTbFlushTimeStamp+E6D9Dj
		mov	eax, ds:_KiTbFlushTimeStamp
		test	al, 1
		jnz	short loc_5CDB33
		test	esi, esi
		jz	loc_4E6DC0
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	edx, ds:_KiTbFlushTimeStamp
		mov	eax, edx
		sub	eax, edi
		and	eax, ebx
		cmp	eax, 2
		jbe	loc_4E6DCC
		jmp	loc_4E6DC0
; END OF FUNCTION CHUNK	FOR MiCompareTbFlushTimeStamp
; 
; START	OF FUNCTION CHUNK FOR MiAttachTrimmerToSession

loc_5CDB72:				; CODE XREF: MiAttachTrimmerToSession+75j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5CDB9A
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	ecx, 1
		mov	eax, [ebp+var_4]
		jnz	loc_4E6E70
		or	eax, 80000000h
		jmp	loc_4E6E70
; 

loc_5CDB9A:				; CODE XREF: MiAttachTrimmerToSession+E6D89j
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_8]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, [ebp+var_4]
		jz	loc_4E6E70
		or	eax, 80000000h
		jmp	loc_4E6E70
; 

loc_5CDBC6:				; CODE XREF: MiAttachTrimmerToSession+8Aj
		push	eax
		push	edx
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_4E6E1E
; END OF FUNCTION CHUNK	FOR MiAttachTrimmerToSession
; 
; START	OF FUNCTION CHUNK FOR ExEnterCriticalRegionAndAcquireResourceShared

loc_5CDBD4:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceShared+22j
		test	cl, 40h
		jnz	loc_4E6EE8
		push	0
		push	0
		push	esi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CDBEE:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceShared+5Aj
		push	0
		push	1
		movzx	eax, al
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CDC02:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceShared+60j
		test	byte ptr [ecx+84h], 2
		jz	short loc_5CDC1D
		push	0
		push	0
		push	0
		push	6
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CDC1D:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceShared+E6D49j
		cmp	al, 1
		jnb	short loc_5CDC45
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_5CDC45
		cmp	dword ptr [ecx+13Ch], 0
		jnz	short loc_5CDC45
		push	0
		push	0
		push	0
		push	7
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CDC45:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceShared+E6D5Fj
					; ExEnterCriticalRegionAndAcquireResourceShared+E6D68j	...
		movzx	ecx, word ptr [esi+0Eh]
		jmp	loc_4E6EED
; END OF FUNCTION CHUNK	FOR ExEnterCriticalRegionAndAcquireResourceShared

;  S U B	R O U T	I N E 


sub_5CDC4E	proc near		; CODE XREF: KiPriQueueThreadPriorityChanged+90j
		push	ebx
		xor	edx, edx
		push	ebx
		inc	edx
		call	KiProcessThreadWaitList
		jmp	loc_4E6FA6
sub_5CDC4E	endp

; 
; START	OF FUNCTION CHUNK FOR KiActivateWaiterQueueWithNoLocks

loc_5CDC5D:				; CODE XREF: KiActivateWaiterQueueWithNoLocks+A4j
					; KiActivateWaiterQueueWithNoLocks+E6BF1j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5CDC5D
		jmp	loc_4E7117
; END OF FUNCTION CHUNK	FOR KiActivateWaiterQueueWithNoLocks
; 
; START	OF FUNCTION CHUNK FOR KiActivateWaiterKQueue

loc_5CDC70:				; CODE XREF: KiActivateWaiterKQueue+52j
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	loc_4E71BB
		mov	[esi], eax
		mov	[esi+4], ebx
		mov	[eax+4], esi
		mov	[ebx], esi
		jmp	loc_4E7176
; END OF FUNCTION CHUNK	FOR KiActivateWaiterKQueue
; 
; START	OF FUNCTION CHUNK FOR KiActivateWaiterPriQueue

loc_5CDC8A:				; CODE XREF: KiActivateWaiterPriQueue+4Fj
		inc	dword ptr [esi+4]
		lea	eax, [ebx+2]
		lea	eax, [esi+eax*8]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jz	short loc_5CDC9F
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5CDC9F:				; CODE XREF: KiActivateWaiterPriQueue+E6AD8j
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[ecx+4], edi
		mov	[eax], edi
		jmp	loc_4E7215
; END OF FUNCTION CHUNK	FOR KiActivateWaiterPriQueue
; 
; START	OF FUNCTION CHUNK FOR KiAttemptFastRemovePriQueue

loc_5CDCAE:				; CODE XREF: KiAttemptFastRemovePriQueue+51j
		mov	eax, [ebx+8]
		push	eax
		mov	eax, ds:_ExWorkerQueue
		push	eax
		push	ecx
		push	ebx
		push	96h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5CDCC5:				; CODE XREF: KiAttemptFastRemovePriQueue+B3j
		mov	eax, [esi+10h]
		and	eax, 1
		or	eax, ebx
		jz	loc_4E7312
		jmp	loc_4E72D9
; END OF FUNCTION CHUNK	FOR KiAttemptFastRemovePriQueue
; 
; START	OF FUNCTION CHUNK FOR KeReleaseSemaphore

loc_5CDCD8:				; CODE XREF: KeReleaseSemaphore+15Dj
		mov	edx, [ebp+var_C]
		jmp	loc_4E74C9
; END OF FUNCTION CHUNK	FOR KeReleaseSemaphore
; 
; START	OF FUNCTION CHUNK FOR ExpTryQueueWorkItem

loc_5CDCE0:				; CODE XREF: ExpTryQueueWorkItem+2Aj
		mov	esi, ds:_ExpBuiltinPriorities[esi*4]
		mov	[ebp+arg_0], esi
		jmp	loc_4E75AE
; 

loc_5CDCEF:				; CODE XREF: ExpTryQueueWorkItem+69j
		xor	esi, esi
		jmp	loc_4E75F1
; END OF FUNCTION CHUNK	FOR ExpTryQueueWorkItem
; 
; START	OF FUNCTION CHUNK FOR KeInsertPriQueue

loc_5CDCF6:				; CODE XREF: KeInsertPriQueue+CAj
		inc	dword ptr [ebx+4]
		lea	eax, [edi+2]
		mov	ecx, [ebx+eax*8+4]
		lea	eax, [ebx+eax*8]
		cmp	[ecx], eax
		jz	short loc_5CDD0E
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5CDD0E:				; CODE XREF: KeInsertPriQueue+E6675j
		mov	edi, [ebp+var_10]
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		jmp	loc_4E771A
; END OF FUNCTION CHUNK	FOR KeInsertPriQueue
; 
; START	OF FUNCTION CHUNK FOR MmGetNextNode

loc_5CDD20:				; CODE XREF: MmGetNextNode+Dj
		imul	edx, ecx
		add	edx, eax
		mov	eax, ds:dword_6D0698
		mov	eax, [eax+edx*4]
		retn
; END OF FUNCTION CHUNK	FOR MmGetNextNode
; 
; START	OF FUNCTION CHUNK FOR MiDetachProcessFromSession

loc_5CDD2E:				; CODE XREF: MiDetachProcessFromSession+A1j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4E7915
; 

loc_5CDD3E:				; CODE XREF: MiDetachProcessFromSession+BFj
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid
		jmp	loc_4E7942
; END OF FUNCTION CHUNK	FOR MiDetachProcessFromSession
; 
; START	OF FUNCTION CHUNK FOR ExpScanGeneralLookasideList

loc_5CDD4B:				; CODE XREF: ExpScanGeneralLookasideList+81j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4E7CAC
; END OF FUNCTION CHUNK	FOR ExpScanGeneralLookasideList
; 
; START	OF FUNCTION CHUNK FOR RtlpDynamicLookasideRebalance

loc_5CDD5A:				; CODE XREF: RtlpDynamicLookasideRebalance+71j
		or	ecx, 0FFFFFFFFh
		jmp	loc_4E7F97
; 

loc_5CDD62:				; CODE XREF: RtlpDynamicLookasideRebalance+81j
		or	eax, 0FFFFFFFFh
		jmp	loc_4E7FA7
; END OF FUNCTION CHUNK	FOR RtlpDynamicLookasideRebalance
; 
; START	OF FUNCTION CHUNK FOR RtlpLookasideAdjustDepth

loc_5CDD6A:				; CODE XREF: RtlpLookasideAdjustDepth+31j
		mov	ecx, esi
		jmp	loc_4E80CD
; END OF FUNCTION CHUNK	FOR RtlpLookasideAdjustDepth
; 
; START	OF FUNCTION CHUNK FOR ExEnterPriorityRegionAndAcquireResourceShared

loc_5CDD71:				; CODE XREF: ExEnterPriorityRegionAndAcquireResourceShared+31j
		test	dl, 40h
		jnz	loc_4E8177
		push	0
		push	0
		push	edi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CDD8B:				; CODE XREF: ExEnterPriorityRegionAndAcquireResourceShared+66j
		push	0
		push	1
		movzx	eax, cl
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CDD9F:				; CODE XREF: ExEnterPriorityRegionAndAcquireResourceShared+6Cj
		test	byte ptr [eax+84h], 2
		jz	short loc_5CDDBA
		push	0
		push	0
		push	0
		push	6
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CDDBA:				; CODE XREF: ExEnterPriorityRegionAndAcquireResourceShared+E5C66j
		cmp	cl, 1
		jnb	short loc_5CDDE3
		test	dword ptr [eax+58h], 400h
		jnz	short loc_5CDDE3
		cmp	dword ptr [eax+13Ch], 0
		jnz	short loc_5CDDE3
		push	0
		push	0
		push	0
		push	7
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CDDE3:				; CODE XREF: ExEnterPriorityRegionAndAcquireResourceShared+E5C7Dj
					; ExEnterPriorityRegionAndAcquireResourceShared+E5C86j	...
		movzx	eax, word ptr [edi+0Eh]
		jmp	loc_4E817C
; END OF FUNCTION CHUNK	FOR ExEnterPriorityRegionAndAcquireResourceShared
; 
; START	OF FUNCTION CHUNK FOR KeSaveExtendedProcessorState

loc_5CDDEC:				; CODE XREF: KeSaveExtendedProcessorState+43j
		and	edi, ebx
		push	edi
		push	0
		push	131h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5CDDFC:				; CODE XREF: KeSaveExtendedAndSupervisorState+22j
		push	0
		push	0
		movzx	eax, bl
		push	eax
		push	1
		push	131h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CDE10:				; CODE XREF: KeSaveExtendedAndSupervisorState+1D1j
		mov	ecx, ds:0FFDF03D8h
		or	ecx, ds:0FFDF05F0h
		mov	eax, ds:0FFDF03DCh
		not	ecx
		or	eax, ds:0FFDF05F4h
		mov	edx, [ebp+arg_0]
		not	eax
		and	eax, [ebp+arg_4]
		and	ecx, edx
		or	ecx, eax
		jz	loc_4E8516

loc_5CDE3B:				; CODE XREF: KeSaveExtendedAndSupervisorState+60j
		mov	ecx, [ebp+arg_4]

loc_5CDE3E:				; CODE XREF: KeSaveExtendedProcessorState+E5B90j
		mov	eax, [ebp+var_14]
		push	ecx
		push	edx
		and	eax, 400000h
		push	eax
		push	0
		push	131h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CDE55:				; CODE XREF: KeSaveExtendedAndSupervisorState+38j
		mov	edx, [ebp+arg_0]
		mov	eax, edx
		mov	ecx, [ebp+arg_4]
		and	eax, 0FFFFFFFCh
		or	eax, ecx
		jnz	short loc_5CDE3E
		jmp	loc_4E83A6
; END OF FUNCTION CHUNK	FOR KeSaveExtendedProcessorState
; 
; START	OF FUNCTION CHUNK FOR KeSaveExtendedAndSupervisorState

loc_5CDE69:				; CODE XREF: KeSaveExtendedAndSupervisorState+1BFj
		push	0
		movzx	eax, bh
		push	eax
		movzx	eax, byte ptr [ebp+arg_4+3]
		push	eax
		push	2
		push	131h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CDE80:				; CODE XREF: KeSaveExtendedAndSupervisorState+ADj
		mov	dword ptr [esi+8], 0
		mov	dword ptr [esi+18h], 0
		mov	dword ptr [esi+10h], 0
		jmp	loc_4E8454
; 

loc_5CDE9A:				; CODE XREF: KeSaveExtendedAndSupervisorState+1E4j
		cmp	[eax+1Ch], bh
		jnz	loc_4E852A
		cmp	bl, 2
		jnz	loc_4E83FC
		test	ds:0FFDF03ECh, bl
		jz	loc_4E83FC
		mov	eax, ds:0FFDF0600h
		jmp	loc_4E8401
; 

loc_5CDEC2:				; CODE XREF: KeSaveExtendedAndSupervisorState+C9j
		mov	eax, 240h
		mov	[ebp+arg_4], eax
		jmp	loc_4E840F
; 

loc_5CDECF:				; CODE XREF: KeSaveExtendedAndSupervisorState+235j
		mov	ecx, [esi+10h]
		push	0
		push	0
		call	_RtlXRestore@12	; RtlXRestore(x,x,x)
		mov	eax, [esi+10h]
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		push	edx
		mov	[eax+208h], ecx
		mov	[eax+20Ch], edx
		push	ecx
		mov	ecx, [esi+10h]
		call	_RtlXSaveS@12	; RtlXSaveS(x,x,x)
		jmp	loc_4E84A1
; 

loc_5CDEFF:				; CODE XREF: KeSaveExtendedAndSupervisorState+148j
		mov	eax, [esi+10h]
		nop
		fxsave	dword ptr [eax]
		nop
		jmp	loc_4E84A1
; 

loc_5CDF0C:				; CODE XREF: KeSaveExtendedAndSupervisorState+E7j
		mov	eax, 0C0000017h
		jmp	loc_4E84E8
; END OF FUNCTION CHUNK	FOR KeSaveExtendedAndSupervisorState
; 

loc_5CDF16:				; CODE XREF: .text:004E8593j
		push	dword ptr [ebp+0Ch]
		push	dword ptr [ebp+8]
		push	edi
		call	_XSaveCHelper@12 ; XSaveCHelper(x,x,x)
		jmp	loc_4E85BB
; 
; START	OF FUNCTION CHUNK FOR IopCallDriverReference

loc_5CDF27:				; CODE XREF: IopCallDriverReference+C9j
		mov	ecx, [edi+8]
		and	ecx, 0FFF1FFFFh
		mov	[edi+8], ecx
		mov	eax, [eax+28h]
		jmp	loc_4E8637
; 

loc_5CDF3B:				; CODE XREF: IopCallDriverReference+65j
					; IopCallDriverReference+15Ej
		mov	eax, 2
		jmp	loc_4E8655
; 

loc_5CDF45:				; CODE XREF: IopCallDriverReference+178j
		inc	ds:_IoLowPriorityWriteOperationCount
		jmp	loc_4E8664
; 

loc_5CDF50:				; CODE XREF: IopCallDriverReference+169j
		inc	ds:_IoLowPriorityReadOperationCount
		jmp	loc_4E8664
; 

loc_5CDF5B:				; CODE XREF: IopCallDriverReference+94j
		mov	eax, [edx+10h]
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_18], eax
		mov	eax, [edx+14h]
		mov	[ebp+var_14], eax
		mov	eax, [edx+18h]
		mov	[ebp+var_10], eax
		mov	eax, [edx+1Ch]
		mov	edx, edi
		mov	[ebp+var_C], eax
		mov	eax, large fs:124h
		mov	esi, [eax+35Ch]
		mov	[eax+35Ch], ecx
		mov	ecx, [ebp+var_1C]
		call	IofCallDriver
		mov	edi, eax
		mov	eax, large fs:124h
		mov	[eax+35Ch], esi
		mov	esi, [ebp+var_20]
		jmp	loc_4E8686
; END OF FUNCTION CHUNK	FOR IopCallDriverReference
; 
; START	OF FUNCTION CHUNK FOR CcCopyWriteWontFlush

loc_5CDFA8:				; CODE XREF: CcCopyWriteWontFlush+4Ej
		push	0
		push	0
		push	0
		push	[ebp+arg_8]
		mov	edx, edi
		call	CcCanIWriteStreamEx
		test	al, al
		jnz	loc_4E87C4
		jmp	loc_4E87E4
; END OF FUNCTION CHUNK	FOR CcCopyWriteWontFlush
; 
; START	OF FUNCTION CHUNK FOR CcIsFileObjectDirectMapped

loc_5CDFC5:				; CODE XREF: CcIsFileObjectDirectMapped+56j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4E889C
; 

loc_5CDFD5:				; CODE XREF: CcIsFileObjectDirectMapped+74j
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid
		jmp	loc_4E88AC
; END OF FUNCTION CHUNK	FOR CcIsFileObjectDirectMapped
; 
; START	OF FUNCTION CHUNK FOR CcCopyWriteEx

loc_5CDFE2:				; CODE XREF: CcCopyWriteEx+AFj
		mov	eax, [ecx+20h]
		mov	[ebp+var_18], eax
		mov	ecx, [ecx+24h]
		mov	[ebp+var_14], ecx
		jmp	loc_4E8A16
; 

loc_5CDFF3:				; CODE XREF: CcCopyWriteEx+154j
					; CcCopyWriteEx+160j
		mov	eax, [ebp+arg_4]
		jmp	loc_4E8A43
; END OF FUNCTION CHUNK	FOR CcCopyWriteEx
; 
		align 4
		db 2 dup(0CCh)
; 
; START	OF FUNCTION CHUNK FOR MmNotifyProcessInSwapTrigger

loc_5CDFFE:				; CODE XREF: MmNotifyProcessInSwapTrigger+24j
		mov	esi, ds:dword_6D35BC
		test	esi, esi
		jz	loc_4E8CCE
		cmp	dword ptr [esi], 5
		jbe	loc_4E8CCE
		push	4000h
		push	8
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_4E8CCE
		lea	edx, [edi+1ACh]
		lea	ecx, [esp+70h+var_38]
		call	_tlgCreate1Sz_char
		mov	eax, [edi+0E4h]
		xor	ecx, ecx
		mov	[esp+70h+var_64], eax
		mov	edx, offset loc_41C8E2
		lea	eax, [esp+70h+var_64]
		mov	[esp+70h+var_24], ecx
		mov	[esp+70h+var_28], eax
		lea	eax, [esp+70h+var_60]
		mov	[esp+70h+var_18], eax
		lea	eax, [esp+70h+var_58]
		push	eax
		push	5
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	[esp+88h+var_1C], ecx
		mov	[esp+88h+var_5C], ecx
		mov	[esp+88h+var_14], ecx
		mov	[esp+88h+var_C], ecx
		push	ecx
		mov	ecx, esi
		mov	[esp+8Ch+var_20], 4
		mov	[esp+8Ch+var_60], 1000000h
		mov	[esp+8Ch+var_10], 8
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		jmp	loc_4E8CCE
; END OF FUNCTION CHUNK	FOR MmNotifyProcessInSwapTrigger
; 
; START	OF FUNCTION CHUNK FOR FsRtlFastCheckLockForWrite

loc_5CE0A0:				; CODE XREF: FsRtlFastCheckLockForWrite+93j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4E8E78
; 

loc_5CE0AF:				; CODE XREF: FsRtlFastCheckLockForWrite+BEj
					; FsRtlFastCheckLockForWrite+CFj ...
		lea	eax, [ebp+var_10]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_18]
		call	_FsRtlCheckNoSharedConflict@12 ; FsRtlCheckNoSharedConflict(x,x,x)
		mov	byte ptr [ebp+arg_14+3], al
		cmp	al, bl
		jnz	short loc_5CE0DC
		push	edi
		push	[ebp+arg_10]
		lea	eax, [ebp+var_10]
		mov	ecx, esi
		push	[ebp+arg_C]
		lea	edx, [ebp+var_18]
		push	eax
		call	_FsRtlCheckNoExclusiveConflict@24 ; FsRtlCheckNoExclusiveConflict(x,x,x,x,x,x)
		mov	byte ptr [ebp+arg_14+3], al

loc_5CE0DC:				; CODE XREF: FsRtlFastCheckLockForWrite+E52E8j
		test	ds:byte_70EFC6,	bl
		jz	short loc_5CE0F0
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5CE0F5
; 

loc_5CE0F0:				; CODE XREF: FsRtlFastCheckLockForWrite+E5308j
		xor	eax, eax
		lock and [esi],	eax

loc_5CE0F5:				; CODE XREF: FsRtlFastCheckLockForWrite+E5314j
		mov	bl, byte ptr [ebp+arg_14+3]
		jmp	loc_4E8E78
; END OF FUNCTION CHUNK	FOR FsRtlFastCheckLockForWrite
; 
; START	OF FUNCTION CHUNK FOR FsRtlFastCheckLockForRead

loc_5CE0FD:				; CODE XREF: FsRtlFastCheckLockForRead+86j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4E9013
; 

loc_5CE10C:				; CODE XREF: FsRtlFastCheckLockForRead+B1j
					; FsRtlFastCheckLockForRead+C2j ...
		push	edi
		push	[ebp+arg_10]
		lea	eax, [ebp+var_10]
		mov	ecx, esi
		push	[ebp+arg_C]
		lea	edx, [ebp+var_18]
		push	eax
		call	_FsRtlCheckNoExclusiveConflict@24 ; FsRtlCheckNoExclusiveConflict(x,x,x,x,x,x)
		mov	byte ptr [ebp+arg_14+3], al
		test	ds:byte_70EFC6,	bl
		jz	short loc_5CE13B
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	al, byte ptr [ebp+arg_14+3]
		jmp	short loc_5CE140
; 

loc_5CE13B:				; CODE XREF: FsRtlFastCheckLockForRead+E51A8j
		xor	ecx, ecx
		lock and [esi],	ecx

loc_5CE140:				; CODE XREF: FsRtlFastCheckLockForRead+E51B7j
		mov	bl, al
		jmp	loc_4E9013
; END OF FUNCTION CHUNK	FOR FsRtlFastCheckLockForRead
; 
; START	OF FUNCTION CHUNK FOR FsRtlpOplockKeysEqual

loc_5CE147:				; CODE XREF: FsRtlpOplockKeysEqual+17j
		test	esi, esi
		jz	loc_4E9B55
		mov	eax, [esi+0Ch]
		mov	edi, [eax+3Ch]
		test	edi, edi
		jz	loc_4E9B55
		cmp	dword ptr [edi+44h], 0
		jz	loc_4E9B55
		push	esi
		call	_IoGetOplockKeyContextEx@4 ; IoGetOplockKeyContextEx(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_4E9B55
		test	[ecx+2], bl
		jz	loc_4E9B55
		mov	edx, [edi+44h]
		mov	eax, [ecx+4]
		cmp	eax, [edx]
		jnz	loc_4E9B55
		mov	ax, [ecx+8]
		cmp	ax, [edx+4]
		jnz	loc_4E9B55
		mov	ax, [ecx+0Ah]
		cmp	ax, [edx+6]
		jnz	loc_4E9B55
		mov	al, [ecx+0Ch]
		cmp	al, [edx+8]
		jnz	loc_4E9B55
		mov	al, [ecx+0Dh]
		cmp	al, [edx+9]
		jnz	loc_4E9B55
		mov	al, [ecx+0Eh]
		cmp	al, [edx+0Ah]
		jnz	loc_4E9B55
		mov	al, [ecx+0Fh]
		cmp	al, [edx+0Bh]
		jnz	loc_4E9B55
		mov	al, [ecx+10h]
		cmp	al, [edx+0Ch]
		jnz	loc_4E9B55
		mov	al, [ecx+11h]
		cmp	al, [edx+0Dh]
		jnz	loc_4E9B55
		mov	al, [ecx+12h]
		cmp	al, [edx+0Eh]
		jnz	loc_4E9B55
		mov	al, [ecx+13h]
		cmp	al, [edx+0Fh]
		jnz	loc_4E9B55
		mov	edi, [ebp+var_4]
		jmp	loc_4E9B4D
; 

loc_5CE212:				; CODE XREF: FsRtlpOplockKeysEqual+46j
		test	ecx, ecx
		jz	loc_4E9B55
		test	byte ptr [ecx+2], 2
		jz	loc_4E9B55
		test	[ebp+arg_0], 10h
		movzx	eax, word ptr [esi+2]
		jnz	loc_5CE2BE
		test	al, 2
		jz	loc_4E9B55
		mov	eax, [esi+14h]
		cmp	eax, [ecx+14h]
		jnz	loc_4E9B7B
		mov	ax, [esi+18h]
		cmp	ax, [ecx+18h]
		jnz	loc_4E9B7B
		mov	ax, [esi+1Ah]
		cmp	ax, [ecx+1Ah]
		jnz	loc_4E9B7B
		mov	al, [esi+1Ch]
		cmp	al, [ecx+1Ch]
		jnz	loc_4E9B7B
		mov	al, [esi+1Dh]
		cmp	al, [ecx+1Dh]
		jnz	loc_4E9B7B
		mov	al, [esi+1Eh]
		cmp	al, [ecx+1Eh]
		jnz	loc_4E9B7B
		mov	al, [esi+1Fh]
		cmp	al, [ecx+1Fh]
		jnz	loc_4E9B7B
		mov	al, [esi+20h]
		cmp	al, [ecx+20h]
		jnz	loc_4E9B7B
		mov	al, [esi+21h]
		cmp	al, [ecx+21h]
		jnz	loc_4E9B7B
		mov	al, [esi+22h]
		cmp	al, [ecx+22h]
		jnz	loc_4E9B7B
		mov	al, [esi+23h]
		jmp	loc_5CE345
; 

loc_5CE2BE:				; CODE XREF: FsRtlpOplockKeysEqual+E46FCj
		test	al, bl
		jz	loc_4E9B55
		mov	eax, [esi+4]
		cmp	eax, [ecx+14h]
		jnz	loc_4E9B7B
		mov	ax, [esi+8]
		cmp	ax, [ecx+18h]
		jnz	loc_4E9B7B
		mov	ax, [esi+0Ah]
		cmp	ax, [ecx+1Ah]
		jnz	loc_4E9B7B
		mov	al, [esi+0Ch]
		cmp	al, [ecx+1Ch]
		jnz	loc_4E9B7B
		mov	al, [esi+0Dh]
		cmp	al, [ecx+1Dh]
		jnz	loc_4E9B7B
		mov	al, [esi+0Eh]
		cmp	al, [ecx+1Eh]
		jnz	loc_4E9B7B
		mov	al, [esi+0Fh]
		cmp	al, [ecx+1Fh]
		jnz	loc_4E9B7B
		mov	al, [esi+10h]
		cmp	al, [ecx+20h]
		jnz	loc_4E9B7B
		mov	al, [esi+11h]
		cmp	al, [ecx+21h]
		jnz	loc_4E9B7B
		mov	al, [esi+12h]
		cmp	al, [ecx+22h]
		jnz	loc_4E9B7B
		mov	al, [esi+13h]

loc_5CE345:				; CODE XREF: FsRtlpOplockKeysEqual+E4789j
		cmp	al, [ecx+23h]
		jz	loc_4E9B7D
		jmp	loc_4E9B7B
; END OF FUNCTION CHUNK	FOR FsRtlpOplockKeysEqual
; 
; START	OF FUNCTION CHUNK FOR KiGetNextTimer2ExpirationDueTime

loc_5CE353:				; CODE XREF: KiGetNextTimer2ExpirationDueTime+2Cj
		mov	esi, 4
		jmp	loc_4E9D47
; END OF FUNCTION CHUNK	FOR KiGetNextTimer2ExpirationDueTime
; 
; START	OF FUNCTION CHUNK FOR KeRestoreExtendedAndSupervisorState

loc_5CE35D:				; CODE XREF: KeRestoreExtendedAndSupervisorState+1Fj
		push	0
		push	0
		movzx	eax, bl
		push	eax
		push	1
		push	131h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CE371:				; CODE XREF: KeRestoreExtendedAndSupervisorState+3Fj
		push	0
		movzx	eax, al
		push	eax
		movzx	eax, cl
		push	eax
		push	4
		push	131h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CE387:				; CODE XREF: KeRestoreExtendedAndSupervisorState+4Aj
		push	0
		push	edi
		push	eax
		push	3
		push	131h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CE397:				; CODE XREF: KeRestoreExtendedAndSupervisorState+14Aj
		mov	ecx, ds:0FFDF03D8h
		mov	eax, ds:0FFDF03DCh
		or	ecx, ds:0FFDF05F0h
		or	eax, ds:0FFDF05F4h
		jmp	loc_4E9EA0
; 

loc_5CE3B3:				; CODE XREF: KeRestoreExtendedAndSupervisorState+86j
		mov	eax, ecx
		and	eax, 0FFFFFFFCh
		or	eax, [ebp+var_4]
		jz	loc_4E9EB5

loc_5CE3C1:				; CODE XREF: KeRestoreExtendedAndSupervisorState+AFj
		push	[ebp+var_4]
		mov	eax, [ebp+var_C]
		push	ecx
		and	eax, 400000h
		push	eax
		push	0
		push	131h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CE3DA:				; CODE XREF: KeRestoreExtendedAndSupervisorState+15Cj
		push	[ebp+var_4]
		push	ecx
		mov	ecx, [esi+10h]
		call	_RtlXRestoreS@12 ; RtlXRestoreS(x,x,x)
		jmp	loc_4E9EF2
; 

loc_5CE3EB:				; CODE XREF: KeRestoreExtendedAndSupervisorState+BFj
		mov	eax, [esi+10h]
		push	eax
		call	_KiFxstateRestore@4 ; KiFxstateRestore(x)
		jmp	loc_4E9EDA
; END OF FUNCTION CHUNK	FOR KeRestoreExtendedAndSupervisorState
; 
; START	OF FUNCTION CHUNK FOR MiCompressTbFlushList

loc_5CE3F9:				; CODE XREF: MiCompressTbFlushList+B0j
		mov	edx, 3FFh
		mov	ecx, ebx
		sub	edx, [ebp+var_10]
		sub	ecx, edx
		xor	ecx, ebx
		and	ecx, 3FFh
		xor	ecx, ebx
		mov	ebx, [ebp+var_4]
		imul	ebx, edx
		add	ecx, ebx
		mov	[edi], ecx
		or	dword ptr [eax], 3FFh
		add	eax, 4
		mov	ecx, [edi]
		mov	[eax], ecx
		jmp	loc_4EA058
; END OF FUNCTION CHUNK	FOR MiCompressTbFlushList
; 
; START	OF FUNCTION CHUNK FOR KeSetSystemAllowedCpuSets

loc_5CE42B:				; CODE XREF: KeSetSystemAllowedCpuSets+2Cj
		xor	esi, esi
		inc	esi
		jmp	loc_4EA2EA
; END OF FUNCTION CHUNK	FOR KeSetSystemAllowedCpuSets
; 
; START	OF FUNCTION CHUNK FOR KeCpuSetReportParkedProcessors

loc_5CE433:				; CODE XREF: KeCpuSetReportParkedProcessors+24j
		mov	ecx, eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		jmp	loc_4EA39E
; 

loc_5CE43F:				; CODE XREF: KeCpuSetReportParkedProcessors+49j
		test	dx, dx
		jnz	short loc_5CE449
		mov	edi, [ebx+8]
		jmp	short loc_5CE44B
; 

loc_5CE449:				; CODE XREF: KeCpuSetReportParkedProcessors+E40CEj
		xor	edi, edi

loc_5CE44B:				; CODE XREF: KeCpuSetReportParkedProcessors+E40D3j
		xor	edi, ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+eax*4+var_30], edi
		cmp	ds:_KiNonParkedCpuSets[eax*4], edi
		jz	loc_4EA40F
		jmp	loc_4EA3D1
; 

loc_5CE466:				; CODE XREF: KeCpuSetReportParkedProcessors+92j
		mov	edx, ds:dword_70E75C[eax*8]
		mov	esi, edx
		xor	esi, ecx
		test	edi, edx
		setnz	cl
		test	edi, esi
		setnz	al
		and	cl, al
		movzx	eax, cl
		neg	eax
		sbb	eax, eax
		and	eax, edx
		mov	edx, edi
		mov	[ebp+var_20], eax
		movzx	eax, cl
		neg	eax
		sbb	eax, eax
		and	eax, esi
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_C]
		mov	esi, ds:_KiSystemAllowedCpuSets[eax*8]
		mov	eax, [ebp+var_10]
		xor	esi, eax
		and	edx, esi
		test	esi, esi
		jz	short loc_5CE4FA
		test	edx, edx
		jz	short loc_5CE4FA
		and	esi, ebx
		xor	ebx, esi
		mov	[ebp+var_3C], ebx
		test	esi, esi
		jz	short loc_5CE4FA
		mov	edi, [ebp+var_20]

loc_5CE4BE:				; CODE XREF: KeCpuSetReportParkedProcessors+E417Bj
		bsf	ecx, esi
		xor	eax, eax
		mov	[ebp+var_C], edx
		inc	eax
		mov	[ebp+var_18], ecx
		shl	eax, cl
		btr	esi, ecx
		test	eax, edi
		mov	eax, edi
		jnz	short loc_5CE4D8
		mov	eax, [ebp+var_24]

loc_5CE4D8:				; CODE XREF: KeCpuSetReportParkedProcessors+E415Fj
		and	eax, edx
		jz	short loc_5CE4DF
		mov	[ebp+var_C], eax

loc_5CE4DF:				; CODE XREF: KeCpuSetReportParkedProcessors+E4166j
		mov	eax, ds:_KiCpuSetAffinitiesShadow
		mov	ebx, [ebp+var_18]
		mov	ecx, [ebp+var_C]
		mov	[eax+ebx*4], ecx
		test	esi, esi
		jnz	short loc_5CE4BE
		mov	edi, [ebp+var_1C]
		mov	ebx, [ebp+var_3C]
		mov	eax, [ebp+var_10]

loc_5CE4FA:				; CODE XREF: KeCpuSetReportParkedProcessors+E4136j
					; KeCpuSetReportParkedProcessors+E413Aj ...
		test	ebx, ebx
		jz	short loc_5CE53D
		not	edx
		and	edx, eax
		test	edi, edx
		jnz	short loc_5CE508
		mov	edx, eax

loc_5CE508:				; CODE XREF: KeCpuSetReportParkedProcessors+E4190j
					; KeCpuSetReportParkedProcessors+E41C7j
		bsf	ecx, ebx
		xor	eax, eax
		mov	esi, edx
		inc	eax
		mov	[ebp+var_28], ecx
		btr	ebx, ecx
		shl	eax, cl
		mov	ecx, [ebp+var_20]
		test	eax, ecx
		jnz	short loc_5CE522
		mov	ecx, [ebp+var_24]

loc_5CE522:				; CODE XREF: KeCpuSetReportParkedProcessors+E41A9j
		mov	eax, ecx
		and	eax, edi
		test	eax, edx
		jz	short loc_5CE52E
		mov	esi, ecx
		and	esi, edx

loc_5CE52E:				; CODE XREF: KeCpuSetReportParkedProcessors+E41B4j
		mov	eax, ds:_KiCpuSetAffinitiesShadow
		mov	ecx, [ebp+var_28]
		mov	[eax+ecx*4], esi
		test	ebx, ebx
		jnz	short loc_5CE508

loc_5CE53D:				; CODE XREF: KeCpuSetReportParkedProcessors+E4188j
		mov	edx, [ebp+var_8]
		jmp	loc_4EA40C
; 

loc_5CE545:				; CODE XREF: KeCpuSetReportParkedProcessors+126j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4EA4A5
; END OF FUNCTION CHUNK	FOR KeCpuSetReportParkedProcessors
; 
; START	OF FUNCTION CHUNK FOR KiUpdateGlobalCpuSetConfiguration

loc_5CE552:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+58j
		lea	eax, [esi+220h]
		lock inc word ptr [eax]
		xor	eax, eax
		lock and [ebx],	eax
		and	[ebp+var_14], eax
		lea	ebx, [esi+2Ch]
		mov	[ebp+var_8], ebx

loc_5CE56A:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+E40F0j
		lock bts dword ptr [ebx], 0
		jb	short loc_5CE5A8
		and	[ebp+var_18], 0
		lea	ebx, [edi+2224h]

loc_5CE57B:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+E4100j
		lock bts dword ptr [ebx], 0
		jb	short loc_5CE5B8
		lea	eax, [esi+220h]
		lock dec word ptr [eax]
		cmp	esi, [edi+4]
		jz	loc_4EA524
		xor	eax, eax
		lock and [ebx],	eax
		mov	eax, [ebp+var_8]
		mov	dword ptr [eax], 0
		jmp	loc_4EA501
; 

loc_5CE5A8:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+E40A9j
					; KiUpdateGlobalCpuSetConfiguration+E40EEj
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5CE5A8
		jmp	short loc_5CE56A
; 

loc_5CE5B8:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+E40BAj
					; KiUpdateGlobalCpuSetConfiguration+E40FEj
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5CE5B8
		jmp	short loc_5CE57B
; 

loc_5CE5C8:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+8Aj
		push	ecx
		push	ebx
		mov	edx, 546h
		mov	ecx, esi
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)
		jmp	loc_4EA556
; 

loc_5CE5DB:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+116j
		mov	esi, [edi+4]
		test	byte ptr [esi+2], 4
		jz	short loc_5CE5F3
		mov	edx, edi
		mov	ecx, esi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_5CE5F9

loc_5CE5F3:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+E411Cj
		mov	cl, [esi+87h]

loc_5CE5F9:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+E412Bj
		mov	eax, [edi+33Ch]
		mov	esi, [ebp+var_4]
		mov	edx, esi
		mov	[eax], cl
		mov	ecx, edi
		call	KiSelectNextThread
		lea	eax, [ebx+5Ch]
		lock btr dword ptr [eax], 0Ch
		mov	ecx, ebx
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	eax, [esi]
		lea	ecx, [ebx+9Ch]
		mov	[ecx], eax
		mov	[esi], ecx
		jmp	loc_4EA55D
; 

loc_5CE62D:				; CODE XREF: KiUpdateGlobalCpuSetConfiguration+A5j
		movzx	eax, large byte	ptr fs:51h
		mov	ecx, [edi+3CCh]
		cmp	eax, ecx
		jz	loc_4EA571
		mov	dl, 2
		call	_KiSendSoftwareInterrupt@8 ; KiSendSoftwareInterrupt(x,x)
		jmp	loc_4EA571
; END OF FUNCTION CHUNK	FOR KiUpdateGlobalCpuSetConfiguration
; 
; START	OF FUNCTION CHUNK FOR KiSetAffinityThread

loc_5CE64F:				; CODE XREF: KiSetAffinityThread+38j
					; KiSetAffinityThread+E3FAFj
		lea	ecx, [ebp+var_2C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5CE64F
		jmp	loc_4EA6DF
; 

loc_5CE662:				; CODE XREF: KiSetAffinityThread+FEj
		mov	ax, [esi+168h]
		lea	ebx, [ebp+var_10]
		mov	[ebp+var_C], ax
		mov	eax, [esi+164h]
		mov	[ebp+var_10], eax
		jmp	loc_4EA7CA
; 

loc_5CE67E:				; CODE XREF: KiSetAffinityThread+18Cj
		push	ecx
		push	[ebp+var_30]
		mov	edx, 546h
		mov	ecx, esi
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)
		test	ds:dword_70EFD0, edi
		jz	loc_4EA83E
		push	[ebp+var_24]
		mov	edx, 547h
		mov	ecx, esi
		push	[ebp+var_34]
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)
		jmp	loc_4EA83E
; 

loc_5CE6B1:				; CODE XREF: KiSetAffinityThread+19Cj
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwTraceThreadAffinity@8 ; EtwTraceThreadAffinity(x,x)
		jmp	loc_4EA84E
; END OF FUNCTION CHUNK	FOR KiSetAffinityThread
; 
; START	OF FUNCTION CHUNK FOR KiRescheduleThreadAfterAffinityChange

loc_5CE6BF:				; CODE XREF: KiRescheduleThreadAfterAffinityChange+4Bj
		mov	ecx, [ebp+arg_4]
		call	_KiPrcbInGroupAffinity@8 ; KiPrcbInGroupAffinity(x,x)
		test	eax, eax
		jnz	loc_4EA8C1
		mov	esi, [ebp+arg_C]
		mov	edx, esi
		call	KiSelectNextThread
		mov	ecx, edi
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	eax, [esi]
		lea	ecx, [edi+9Ch]
		mov	[ecx], eax
		mov	[esi], ecx
		jmp	loc_4EA8C1
; END OF FUNCTION CHUNK	FOR KiRescheduleThreadAfterAffinityChange
; 
; START	OF FUNCTION CHUNK FOR KeSelectNodeForAffinity

loc_5CE6F1:				; CODE XREF: KeSelectNodeForAffinity+14j
		movzx	ecx, ds:_KiProcessNodeSeed
		lea	eax, [ecx+1]
		mov	ds:_KiProcessNodeSeed, ax
		cmp	ax, dx
		jb	short loc_5CE70E
		xor	eax, eax
		mov	ds:_KiProcessNodeSeed, ax

loc_5CE70E:				; CODE XREF: KeSelectNodeForAffinity+E3E12j
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		push	esi

loc_5CE715:				; CODE XREF: KeSelectNodeForAffinity+E3E61j
		cmp	cx, dx
		sbb	eax, eax
		and	ecx, eax
		movzx	eax, cx
		mov	esi, ds:_KeNodeBlock[eax*4]
		test	byte ptr [esi+0A5h], 10h
		jnz	short loc_5CE746
		mov	ax, [esi+88h]
		cmp	ax, [ebx+4]
		jnz	short loc_5CE746
		mov	eax, [esi+84h]
		test	[ebx], eax
		jnz	short loc_5CE790

loc_5CE746:				; CODE XREF: KeSelectNodeForAffinity+E3E3Bj
					; KeSelectNodeForAffinity+E3E48j
		mov	eax, [ebp+var_4]
		inc	eax
		movzx	esi, dx
		inc	ecx
		mov	[ebp+var_4], eax
		cmp	eax, esi
		jb	short loc_5CE715
		movzx	eax, word ptr [ebx+4]
		mov	[ebp+var_4], eax

loc_5CE75C:				; CODE XREF: KeSelectNodeForAffinity+E3E98j
		cmp	cx, dx
		sbb	eax, eax
		and	ecx, eax
		movzx	eax, cx
		mov	esi, ds:_KeNodeBlock[eax*4]
		mov	eax, [ebp+var_4]
		cmp	[esi+88h], ax
		jnz	short loc_5CE783
		mov	eax, [esi+84h]
		test	[ebx], eax
		jnz	short loc_5CE790

loc_5CE783:				; CODE XREF: KeSelectNodeForAffinity+E3E85j
		inc	edi
		movzx	eax, dx
		inc	ecx
		cmp	edi, eax
		jb	short loc_5CE75C
		xor	eax, eax
		jmp	short loc_5CE792
; 

loc_5CE790:				; CODE XREF: KeSelectNodeForAffinity+E3E52j
					; KeSelectNodeForAffinity+E3E8Fj
		mov	eax, esi

loc_5CE792:				; CODE XREF: KeSelectNodeForAffinity+E3E9Cj
		pop	esi
		pop	edi
		jmp	loc_4EA911
; END OF FUNCTION CHUNK	FOR KeSelectNodeForAffinity
; 
; START	OF FUNCTION CHUNK FOR PfVolumeSupportedForPrefetch

loc_5CE799:				; CODE XREF: PfVolumeSupportedForPrefetch+5j
		cmp	eax, 8
		jz	loc_4EA9B3
		xor	eax, eax
		inc	eax
		retn
; END OF FUNCTION CHUNK	FOR PfVolumeSupportedForPrefetch
; 
; START	OF FUNCTION CHUNK FOR MiProcessWsInSwapSupport

loc_5CE7A6:				; CODE XREF: MiProcessWsInSwapSupport+5Cj
		mov	ecx, [esi]
		mov	ebx, edx
		shl	ebx, 0Ch
		add	ebx, ecx
		lea	eax, [ebx-1]
		xor	eax, ecx
		test	eax, 0FFE00000h
		jz	short loc_5CE7C6
		shr	ebx, 0Ch
		and	ebx, 1FFh
		sub	edx, ebx

loc_5CE7C6:				; CODE XREF: MiProcessWsInSwapSupport+E3DB7j
		mov	ebx, [ebp+var_8]
		jmp	loc_4EAA64
; END OF FUNCTION CHUNK	FOR MiProcessWsInSwapSupport
; 
; START	OF FUNCTION CHUNK FOR CcForEachPartition

loc_5CE7CE:				; CODE XREF: CcForEachPartition+4Bj
		cmp	[ebp+arg_0], 0
		jz	loc_4EAD12
		lea	ebx, [edi+28Ch]
		mov	edx, [ebx]
		lea	ecx, [edx+1]
		jmp	short loc_5CE7F4
; 

loc_5CE7E5:				; CODE XREF: CcForEachPartition+E3B49j
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		mov	ecx, eax
		cmp	ecx, edx
		jz	short loc_5CE80D
		mov	edx, ecx
		inc	ecx

loc_5CE7F4:				; CODE XREF: CcForEachPartition+E3B35j
		cmp	ecx, 1
		ja	short loc_5CE7E5
		cmp	ecx, 1
		jz	short loc_5CE803
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5CE803:				; CODE XREF: CcForEachPartition+E3B4Ej
		xor	bh, bh

loc_5CE805:				; CODE XREF: CcForEachPartition+E3B61j
		mov	bl, [ebp+var_1]
		jmp	loc_4EAD12
; 

loc_5CE80D:				; CODE XREF: CcForEachPartition+E3B41j
		mov	bh, 1
		jmp	short loc_5CE805
; 

loc_5CE811:				; CODE XREF: CcForEachPartition+70j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4EAD29
; 

loc_5CE81E:				; CODE XREF: CcForEachPartition+9Bj
		mov	edx, 6E457350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	loc_4EAD56
; END OF FUNCTION CHUNK	FOR CcForEachPartition
; 
; START	OF FUNCTION CHUNK FOR PsDereferencePartition

loc_5CE82F:				; CODE XREF: PsDereferencePartition+Bj
		jz	short loc_5CE837
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		retn
; 

loc_5CE837:				; CODE XREF: PsDereferencePartition:loc_5CE82Fj
		lea	eax, [ecx+20h]
		and	dword ptr [eax], 0
		push	1
		push	eax
		mov	dword ptr [eax+8], offset _PspTeardownPartition@4 ; PspTeardownPartition(x)
		mov	[eax+0Ch], ecx
		call	ExQueueWorkItem
		retn
; END OF FUNCTION CHUNK	FOR PsDereferencePartition
; 
; START	OF FUNCTION CHUNK FOR PsReferencePartitionSafe

loc_5CE850:				; CODE XREF: PsReferencePartitionSafe+Ej
		cmp	ecx, 1
		jz	short loc_5CE85A
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5CE85A:				; CODE XREF: PsReferencePartitionSafe+E3A65j
		xor	al, al
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR PsReferencePartitionSafe
; 
; START	OF FUNCTION CHUNK FOR MiUnlockDynamicMemoryExclusive

loc_5CE85E:				; CODE XREF: MiUnlockDynamicMemoryExclusive+174j
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CE871:				; CODE XREF: MiUnlockDynamicMemoryExclusive+101j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_4EAF2F
; 

loc_5CE888:				; CODE XREF: MiUnlockDynamicMemoryExclusive+1A8j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4EAFC6
; 

loc_5CE897:				; CODE XREF: MiUnlockDynamicMemoryExclusive+1D2j
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4EAF42
; END OF FUNCTION CHUNK	FOR MiUnlockDynamicMemoryExclusive
; 
; START	OF FUNCTION CHUNK FOR MiSetTrimWhileAgingState

loc_5CE8A9:				; CODE XREF: MiSetTrimWhileAgingState+20j
		lea	edi, [ebx+80h]
		jmp	loc_4EB0CA
; 

loc_5CE8B4:				; CODE XREF: MiSetTrimWhileAgingState+4Bj
		mov	dword ptr [esi+38h], 32000h
		mov	dword ptr [esi+34h], 0C800h
		jmp	loc_4EB10A
; 

loc_5CE8C7:				; CODE XREF: MiSetTrimWhileAgingState+42j
		or	dword ptr [esi+34h], 0FFFFFFFFh
		mov	dword ptr [esi+38h], 32000h
		jmp	loc_4EB10A
; END OF FUNCTION CHUNK	FOR MiSetTrimWhileAgingState
; 
; START	OF FUNCTION CHUNK FOR KiPreprocessAccessViolation

loc_5CE8D7:				; CODE XREF: KiPreprocessAccessViolation+49j
		mov	edx, offset _ExpInterlockedPopEntrySListResume
		jmp	short loc_5CE922
; 

loc_5CE8DE:				; CODE XREF: KiPreprocessAccessViolation+54j
					; KiPreprocessAccessViolation+5Fj
		mov	eax, [ecx+60h]
		test	byte ptr [eax+6Ch], 1
		jnz	short loc_5CE8F7
		test	dword ptr [eax+70h], 20000h
		jnz	short loc_5CE8F7
		xor	bh, bh
		jmp	loc_4EB2B8
; 

loc_5CE8F7:				; CODE XREF: KiPreprocessAccessViolation+E3695j
					; KiPreprocessAccessViolation+E369Ej
		mov	dword ptr [ecx+68h], offset _KiSystemServicePostCall@0 ; KiSystemServicePostCall()
		mov	bh, 1
		mov	dword ptr [ecx+40h], 0C0000005h
		jmp	loc_4EB2B8
; 

loc_5CE90C:				; CODE XREF: KiPreprocessAccessViolation+3Ej
		cmp	eax, ds:_KeUserPopEntrySListFault
		jnz	short loc_5CE967
		mov	edx, ds:_KeUserPopEntrySListResume
		test	edx, edx
		jz	loc_4EB2B5

loc_5CE922:				; CODE XREF: KiPreprocessAccessViolation+E368Cj
		mov	esi, large fs:124h
		mov	eax, [ebp+arg_8]
		cmp	eax, [esi+10h]
		jnz	short loc_5CE951
		movzx	eax, word ptr [esi+18Eh]
		push	edi
		mov	edi, 400h
		cmp	ax, di
		pop	edi
		jb	short loc_5CE94B
		xor	bh, bh
		jmp	loc_4EB2B8
; 

loc_5CE94B:				; CODE XREF: KiPreprocessAccessViolation+E36F2j
		inc	eax
		movzx	eax, ax
		jmp	short loc_5CE956
; 

loc_5CE951:				; CODE XREF: KiPreprocessAccessViolation+E36DFj
		mov	[esi+10h], eax
		xor	eax, eax

loc_5CE956:				; CODE XREF: KiPreprocessAccessViolation+E36FFj
		mov	[esi+18Eh], ax
		mov	bh, 1
		mov	[ecx+68h], edx
		jmp	loc_4EB2B8
; 

loc_5CE967:				; CODE XREF: KiPreprocessAccessViolation+E36C2j
		test	dword ptr [ecx+70h], 20000h
		jnz	short loc_5CE992
		cmp	edx, 1Bh
		jz	loc_4EB2B5
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	dword ptr [eax+0F4h], 0
		jz	loc_4EB2B5

loc_5CE992:				; CODE XREF: KiPreprocessAccessViolation+E371Ej
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		call	_VdmDispatchPageFault@12 ; VdmDispatchPageFault(x,x,x)
		mov	bh, al
		jmp	loc_4EB2B8
; END OF FUNCTION CHUNK	FOR KiPreprocessAccessViolation
; 

loc_5CE9A4:				; CODE XREF: .text:004EB302j
		lea	edx, [ebp-0Ch]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		jmp	loc_4EB324
; 

loc_5CE9B1:				; CODE XREF: .text:004EB315j
		mov	edx, ecx
		lea	ecx, [ebp-0Ch]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EB324
; 

loc_5CE9C0:				; CODE XREF: .text:004EB33Cj
		test	ds:byte_70EFC6,	1
		jz	short loc_5CE9D6
		mov	edx, [ebp+4]
		lea	ecx, [ebp-0Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5CEA07
; 

loc_5CE9D6:				; CODE XREF: .text:005CE9C7j
		mov	eax, [ebp-0Ch]
		test	eax, eax
		jnz	short loc_5CE9F5
		mov	edx, [ebp-8]
		lea	eax, [ebp-0Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-0Ch]
		cmp	eax, ecx
		jz	short loc_5CEA07
		call	KxWaitForLockChainValid

loc_5CE9F5:				; CODE XREF: .text:005CE9DBj
		mov	dword ptr [ebp-0Ch], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5CEA07:				; CODE XREF: .text:005CE9D4j
					; .text:005CE9EEj
		mov	cl, [ebp-4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4EB369
; 

loc_5CEA15:				; CODE XREF: .text:004EB349j
		mov	edx, [ebp+4]
		lea	ecx, [ebp-0Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EB369
; 
; START	OF FUNCTION CHUNK FOR KeRemoveDeviceQueue

loc_5CEA25:				; CODE XREF: KeRemoveDeviceQueue+21j
		lea	edx, [ebp+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		jmp	loc_4EB407
; 

loc_5CEA32:				; CODE XREF: KeRemoveDeviceQueue+34j
		mov	edx, ecx
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EB407
; 

loc_5CEA41:				; CODE XREF: KeRemoveDeviceQueue+5Cj
		test	ds:byte_70EFC6,	1
		jz	short loc_5CEA57
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5CEA88
; 

loc_5CEA57:				; CODE XREF: KeRemoveDeviceQueue+E3688j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5CEA76
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5CEA88
		call	KxWaitForLockChainValid

loc_5CEA76:				; CODE XREF: KeRemoveDeviceQueue+E369Cj
		mov	[ebp+var_C], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5CEA88:				; CODE XREF: KeRemoveDeviceQueue+E3695j
					; KeRemoveDeviceQueue+E36AFj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4EB449
; 

loc_5CEA96:				; CODE XREF: KeRemoveDeviceQueue+69j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EB449
; END OF FUNCTION CHUNK	FOR KeRemoveDeviceQueue
; 
; START	OF FUNCTION CHUNK FOR MiTransformValidPteInPlace

loc_5CEAA6:				; CODE XREF: MiTransformValidPteInPlace+8Aj
					; MiTransformValidPteInPlace+92j
		mov	edi, ecx
		mov	esi, edx
		mov	[ebp+var_4], edi
		cmp	ecx, [ebp+arg_4]
		jnz	loc_5A31DF
		cmp	edx, [ebp+arg_8]
		jnz	loc_5A31DF
		jmp	loc_5A325C
; 

loc_5CEAC4:				; CODE XREF: MiTransformValidPteInPlace+ACj
		push	edx
		mov	edx, [ebp+arg_0]
		push	ecx
		mov	ecx, [ebp+var_C]
		call	_MiFlushValidPteFromTb@16 ; MiFlushValidPteFromTb(x,x,x,x)
		jmp	loc_5A325C
; END OF FUNCTION CHUNK	FOR MiTransformValidPteInPlace
; 
; START	OF FUNCTION CHUNK FOR MiRealVaToFlushType

loc_5CEAD6:				; CODE XREF: MiRealVaToFlushType+10j
		mov	eax, ds:dword_6D2E90
		test	eax, eax
		jnz	short loc_5CEAE9
		mov	eax, 2000h
		mov	ds:dword_6D2E90, eax

loc_5CEAE9:				; CODE XREF: MiRealVaToFlushType+E357Bj
		add	eax, edx
		cmp	ecx, eax
		jb	loc_4EB590
		jmp	loc_4EB578
; END OF FUNCTION CHUNK	FOR MiRealVaToFlushType
; 
; START	OF FUNCTION CHUNK FOR MiDeleteNonPagedPoolPte

loc_5CEAF8:				; CODE XREF: MiDeleteNonPagedPoolPte+60j
		test	byte ptr [edi+0A4h], 1
		jz	loc_4EB72F
		mov	[esp+20h+var_10], esi
		mov	edx, esi
		cmp	esi, 0C0000000h
		jb	short loc_5CEB2A

loc_5CEB13:				; CODE XREF: MiDeleteNonPagedPoolPte+E3584j
		cmp	edx, 0C07FFFFFh
		ja	short loc_5CEB26
		shl	edx, 9
		cmp	edx, 0C0000000h
		jnb	short loc_5CEB13

loc_5CEB26:				; CODE XREF: MiDeleteNonPagedPoolPte+E3579j
		mov	[esp+20h+var_10], edx

loc_5CEB2A:				; CODE XREF: MiDeleteNonPagedPoolPte+E3571j
		mov	ecx, [ebp+arg_0]
		cmp	edx, [ecx+14h]
		jb	short loc_5CEB5A
		mov	eax, ebx
		shl	eax, 0Ch
		dec	eax
		add	eax, edx
		cmp	eax, [ecx+18h]
		ja	short loc_5CEB5A
		mov	ecx, [esp+20h+var_10]
		mov	edx, esi
		push	ebx
		call	_MiDecommitLargePoolVa@12 ; MiDecommitLargePoolVa(x,x,x)
		add	dword ptr [edi+0ACh], 200h
		jmp	loc_4EB72F
; 

loc_5CEB5A:				; CODE XREF: MiDeleteNonPagedPoolPte+E3590j
					; MiDeleteNonPagedPoolPte+E359Dj
		push	ebx
		push	edx
		push	ecx
		push	5306h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CEB69:				; CODE XREF: MiDeleteNonPagedPoolPte+DAj
		lea	esi, [ebx+10h]

loc_5CEB6C:				; CODE XREF: MiDeleteNonPagedPoolPte+E35D9j
					; MiDeleteNonPagedPoolPte+E35E0j
		lea	ecx, [esp+34h+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5CEB6C
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5CEB6C
		mov	esi, [ebp+arg_4]
		lea	edx, [ebx+10h]
		mov	ecx, [ebp+arg_8]
		jmp	loc_4EB680
; 

loc_5CEB90:				; CODE XREF: MiDeleteNonPagedPoolPte+F0j
		push	eax
		movzx	eax, byte ptr [ebx+16h]
		sub	ebx, ds:_MmPfnDatabase
		and	eax, 7
		push	eax
		mov	eax, 92492493h
		imul	ebx
		add	edx, ebx
		sar	edx, 4
		mov	eax, edx
		shr	eax, 1Fh
		add	eax, edx
		push	eax
		push	9Ah
		push	4Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5CEBC0:				; CODE XREF: MiSetPteTimeStamp+Fj
		push	esi
		mov	esi, ds:dword_6D0700
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6D0704
		or	eax, edi
		jz	short loc_5CEBE7
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_5CEBE4
		not	esi
		and	ecx, esi
		jmp	short loc_5CEBE7
; 

loc_5CEBE4:				; CODE XREF: MiDeleteNonPagedPoolPte+E363Cj
		and	ecx, 0FFFFFFEFh

loc_5CEBE7:				; CODE XREF: MiDeleteNonPagedPoolPte+E3632j
					; MiDeleteNonPagedPoolPte+E3642j
		pop	edi
		pop	esi
		jmp	loc_4EB851
; END OF FUNCTION CHUNK	FOR MiDeleteNonPagedPoolPte
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StSufficientSpaceForAdd

loc_5CEBEE:				; CODE XREF: ST_STORE_SM_TRAITS___StSufficientSpaceForAdd+30j
		mov	edx, [edi+ebx*8+434h]
		mov	ecx, [edi+ebx*8+430h]
		mov	eax, [edi+1B4h]
		shr	eax, 4
		imul	eax, ecx
		cmp	eax, edx
		jb	loc_4EB8D6
		sub	eax, edx
		shl	ecx, 8
		cmp	eax, ecx
		jnb	loc_4EB8D6
		xor	eax, eax
		jmp	loc_4EB8DB
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StSufficientSpaceForAdd
; 
; START	OF FUNCTION CHUNK FOR WmipCompleteGuidIrpWithError

loc_5CEC24:				; CODE XREF: WmipCompleteGuidIrpWithError+2Fj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EB93D
; 

loc_5CEC34:				; CODE XREF: WmipCompleteGuidIrpWithError+51j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5CEC3C:				; CODE XREF: WmipCompleteGuidIrpWithError+3Aj
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4EB93D
; END OF FUNCTION CHUNK	FOR WmipCompleteGuidIrpWithError
; 
; START	OF FUNCTION CHUNK FOR RtlCheckPortableOperatingSystem

loc_5CEC51:				; CODE XREF: RtlCheckPortableOperatingSystem+1Cj
					; RtlCheckPortableOperatingSystem+6Bj
		cmp	[ebp+var_4], 0
		mov	eax, [ebp+arg_0]
		setnz	cl
		mov	[eax], cl
		jmp	loc_4EBAED
; END OF FUNCTION CHUNK	FOR RtlCheckPortableOperatingSystem
; 
; START	OF FUNCTION CHUNK FOR WmipReceiveNotifications

loc_5CEC62:				; CODE XREF: WmipReceiveNotifications+52j
		push	70696D57h
		shl	eax, 3
		push	eax
		push	ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_4EBB50
		mov	eax, 0C000009Ah
		jmp	loc_4EBD5E
; 

loc_5CEC85:				; CODE XREF: WmipReceiveNotifications+DBj
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		mov	ecx, [esp+0D8h+var_B4]
		jmp	loc_4EBC20
; 

loc_5CEC98:				; CODE XREF: WmipReceiveNotifications+ECj
		mov	[esp+0D8h+var_C9], al
		jmp	loc_4EBBE6
; 

loc_5CECA1:				; CODE XREF: WmipReceiveNotifications+FDj
		cmp	[ecx+48h], edx
		jz	loc_4EBBF7
		mov	[esp+0D8h+var_CB], al
		jmp	loc_4EBBF7
; 

loc_5CECB3:				; CODE XREF: WmipReceiveNotifications+151j
		xor	eax, eax
		mov	[esp+0D8h+var_C4], eax
		test	edi, edi
		jz	loc_4EBC4B

loc_5CECC1:				; CODE XREF: WmipReceiveNotifications+E31E6j
		mov	ecx, [ebx+eax*8]
		cmp	dword ptr [ecx+30h], 0
		jz	short loc_5CECD3
		call	WmipCompleteGuidIrpWithError
		mov	eax, [esp+0D8h+var_C4]

loc_5CECD3:				; CODE XREF: WmipReceiveNotifications+E31D4j
		inc	eax
		mov	[esp+0D8h+var_C4], eax
		cmp	eax, edi
		jb	short loc_5CECC1
		mov	edx, [esp+0D8h+var_B8]
		jmp	loc_4EBC4B
; 

loc_5CECE5:				; CODE XREF: WmipReceiveNotifications+299j
		xor	eax, eax
		mov	edx, edi
		inc	eax
		push	eax		; char
		lea	eax, [esp+0DCh+var_AC]
		push	eax		; int
		lea	eax, [esp+0E0h+var_C0]
		push	eax		; int
		push	ecx		; int
		push	[esp+0E8h+var_C8] ; void *
		mov	ecx, ebx
		call	WmipCopyFromEventQueues
		mov	ecx, [esp+0D8h+var_C8]
		add	ecx, [esp+0D8h+var_C0]
		sub	esi, [esp+0D8h+var_C0]
		jmp	loc_4EBD97
; 

loc_5CED12:				; CODE XREF: WmipReceiveNotifications+1DFj
		mov	ecx, esi
		call	_WmipClearIrpObjectList@4 ; WmipClearIrpObjectList(x)
		mov	[esp+0D8h+var_BC], 0C0000120h
		lea	ecx, [esi+38h]
		xor	eax, eax
		xchg	eax, [ecx]
		test	eax, eax
		jz	loc_4EBCD9
		xor	eax, eax
		inc	eax
		mov	[esp+0D8h+var_CB], al
		jmp	loc_4EBCDC
; 

loc_5CED3C:				; CODE XREF: WmipReceiveNotifications+1EEj
		mov	edx, [ebp+4]
		lea	ecx, [esp+0D8h+var_A4]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EBD0E
; 

loc_5CED4D:				; CODE XREF: WmipReceiveNotifications+214j
		lea	ecx, [esp+0D8h+var_A4]
		call	KxWaitForLockChainValid

loc_5CED56:				; CODE XREF: WmipReceiveNotifications+1FAj
		xor	ecx, ecx
		mov	[esp+0D8h+var_A4], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4EBD0E
; 

loc_5CED6C:				; CODE XREF: WmipReceiveNotifications+229j
		and	dword ptr [esi+1Ch], 0
		xor	dl, dl
		mov	ecx, esi
		mov	dword ptr [esi+18h], 0C0000120h
		call	IofCompleteRequest
		jmp	loc_4EBD23
; 

loc_5CED85:				; CODE XREF: WmipReceiveNotifications+260j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4EBD5A
; END OF FUNCTION CHUNK	FOR WmipReceiveNotifications
; 
; START	OF FUNCTION CHUNK FOR IopCancelIrpsInCurrentThreadList

loc_5CED92:				; CODE XREF: IopCancelIrpsInCurrentThreadList+56j
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	short loc_5CEDA2
		cmp	[esi+64h], ecx
		jnz	loc_4EBE99

loc_5CEDA2:				; CODE XREF: IopCancelIrpsInCurrentThreadList+E2FA7j
		test	ebx, ebx
		jz	short loc_5CEDAF
		cmp	[esi+28h], ebx
		jnz	loc_4EBE99

loc_5CEDAF:				; CODE XREF: IopCancelIrpsInCurrentThreadList+E2FB4j
		mov	eax, [esi+8]
		test	eax, 402h
		jnz	loc_4EBE99
		test	al, 84h
		jnz	loc_4EBE67
		test	byte ptr [esi+27h], 2
		jz	loc_4EBE99
		jmp	loc_4EBE67
; 

loc_5CEDD4:				; CODE XREF: IopCancelIrpsInCurrentThreadList+83j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4EBE7E
; 

loc_5CEDE3:				; CODE XREF: IopCancelIrpsInCurrentThreadList+C0j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4EBEBB
; END OF FUNCTION CHUNK	FOR IopCancelIrpsInCurrentThreadList
; 
; START	OF FUNCTION CHUNK FOR IoCancelIrp

loc_5CEDF2:				; CODE XREF: IoCancelIrp+12j
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_5CEE0B
		test	byte ptr ds:dword_6FDE00, 6
		jz	loc_4EBEEA

loc_5CEE0B:				; CODE XREF: IoCancelIrp+E2F2Aj
		mov	ecx, esi
		call	_IovCancelIrp@4	; IovCancelIrp(x)
		jmp	loc_4EBEEA
; 

loc_5CEE17:				; CODE XREF: IoCancelIrp+3Fj
		push	0
		push	0
		push	edi
		push	esi
		push	48h
		jmp	short loc_5CEE2C
; 

loc_5CEE21:				; CODE XREF: IoCancelIrp+E2F94j
		push	0
		push	0
		push	edi
		push	esi
		push	11Bh

loc_5CEE2C:				; CODE XREF: IoCancelIrp+E2F4Dj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CEE31:				; CODE XREF: IoCancelIrp+4Fj
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_5CEE4A
		test	byte ptr ds:dword_6FDE00, 6
		jz	loc_4EBF27

loc_5CEE4A:				; CODE XREF: IoCancelIrp+E2F69j
		mov	ecx, [esi+60h]
		mov	edx, esi
		push	edi
		mov	ecx, [ecx+14h]
		call	@IovpCancelRoutine@12 ;	IovpCancelRoutine(x,x,x)
		jmp	loc_4EBF30
; 

loc_5CEE5D:				; CODE XREF: IoCancelIrp+66j
		cmp	bl, 2
		jz	loc_4EBF3E
		jmp	short loc_5CEE21
; 

loc_5CEE68:				; CODE XREF: IoCancelIrp+31j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+450h]
		jz	short loc_5CEE89
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5CEEB4
; 

loc_5CEE89:				; CODE XREF: IoCancelIrp+E2FA9j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5CEEA5
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5CEEB4
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5CEEA5:				; CODE XREF: IoCancelIrp+E2FBBj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5CEEB4:				; CODE XREF: IoCancelIrp+E2FB5j
					; IoCancelIrp+E2FCAj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	al, al
		jmp	loc_4EBF43
; END OF FUNCTION CHUNK	FOR IoCancelIrp
; 
; START	OF FUNCTION CHUNK FOR FsRtlpCancelOplockRHIrp

loc_5CEEC3:				; CODE XREF: FsRtlpCancelOplockRHIrp+35j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EBFB8
; 

loc_5CEED2:				; CODE XREF: FsRtlpCancelOplockRHIrp+52j
		mov	ecx, esi
		call	KxWaitForLockChainValid
		jmp	loc_4EC056
; END OF FUNCTION CHUNK	FOR FsRtlpCancelOplockRHIrp

;  S U B	R O U T	I N E 


sub_5CEEDE	proc near		; DATA XREF: .text:006A3068o
		mov	edi, [ebp-28h]
		jmp	sub_4EC068
sub_5CEEDE	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlpReleaseIrpsWaitingForRH

loc_5CEEE6:				; CODE XREF: FsRtlpReleaseIrpsWaitingForRH+21j
					; FsRtlpReleaseIrpsWaitingForRH+E2EE9j
		mov	edi, [eax]
		mov	edx, esi
		mov	[ebp+var_C], edx
		cmp	edi, eax
		jnz	short loc_5CEEFA
		test	dword ptr [ebx+48h], 10000h
		jz	short loc_5CEF4D

loc_5CEEFA:				; CODE XREF: FsRtlpReleaseIrpsWaitingForRH+E2E77j
		cmp	byte ptr [esi+1Ch], 0
		jnz	short loc_5CEF5D
		test	dword ptr [ebx+48h], 10000h
		jz	short loc_5CEF0E
		lea	eax, [ebx+3Ch]
		mov	edi, [eax]

loc_5CEF0E:				; CODE XREF: FsRtlpReleaseIrpsWaitingForRH+E2E8Fj
		mov	[ebp+var_8], eax
		cmp	edi, eax
		jz	short loc_5CEF47

loc_5CEF15:				; CODE XREF: FsRtlpReleaseIrpsWaitingForRH+E2EC1j
		test	dword ptr [ebx+48h], 10000h
		lea	edx, [edi-1Ch]
		jnz	short loc_5CEF23
		mov	edx, edi

loc_5CEF23:				; CODE XREF: FsRtlpReleaseIrpsWaitingForRH+E2EA7j
		mov	edx, [edx+0Ch]
		mov	ecx, [esi+20h]
		push	0
		call	FsRtlpOplockKeysEqual
		test	al, al
		jz	short loc_5CEF3D
		mov	edi, [edi]
		cmp	edi, [ebp+var_8]
		jnz	short loc_5CEF15
		jmp	short loc_5CEF41
; 

loc_5CEF3D:				; CODE XREF: FsRtlpReleaseIrpsWaitingForRH+E2EBAj
		mov	[ebp+var_1], 0

loc_5CEF41:				; CODE XREF: FsRtlpReleaseIrpsWaitingForRH+E2EC3j
		mov	edx, [ebp+var_C]
		lea	ecx, [ebx+2Ch]

loc_5CEF47:				; CODE XREF: FsRtlpReleaseIrpsWaitingForRH+E2E9Bj
		cmp	[ebp+var_1], 0
		jz	short loc_5CEF5A

loc_5CEF4D:				; CODE XREF: FsRtlpReleaseIrpsWaitingForRH+E2E80j
		mov	esi, [esi+4]
		mov	ecx, edx
		call	_FsRtlpRemoveAndCompleteWaitingIrp@4 ; FsRtlpRemoveAndCompleteWaitingIrp(x)
		lea	ecx, [ebx+2Ch]

loc_5CEF5A:				; CODE XREF: FsRtlpReleaseIrpsWaitingForRH+E2ED3j
		lea	eax, [ebx+24h]

loc_5CEF5D:				; CODE XREF: FsRtlpReleaseIrpsWaitingForRH+E2E86j
		mov	esi, [esi]
		cmp	esi, ecx
		jnz	short loc_5CEEE6
		pop	edi
		jmp	loc_4EC091
; END OF FUNCTION CHUNK	FOR FsRtlpReleaseIrpsWaitingForRH
; 
; START	OF FUNCTION CHUNK FOR FsRtlCancelNotify

loc_5CEF69:				; CODE XREF: FsRtlCancelNotify+43j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EC104
; 

loc_5CEF78:				; CODE XREF: FsRtlCancelNotify+60j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5CEF7F:				; CODE XREF: FsRtlCancelNotify+4Dj
		mov	[esi], edi
		xor	ebx, ebx
		inc	ebx
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_4EC107
; 

loc_5CEF8F:				; CODE XREF: FsRtlCancelNotify+E3j
		cmp	[esi+2Ch], edi
		jnz	loc_4EC187
		mov	edx, [ecx+4]
		test	edx, edx
		jz	short loc_5CEFC8
		test	byte ptr [edx+6], 5
		jz	short loc_5CEFAA
		mov	edx, [edx+0Ch]
		jmp	short loc_5CEFC1
; 

loc_5CEFAA:				; CODE XREF: FsRtlCancelNotify+E2F05j
		push	40000010h
		push	edi
		push	edi
		push	ebx
		push	edi
		push	edx
		call	MmMapLockedPagesSpecifyCache
		mov	edx, eax
		mov	eax, [esi+30h]
		mov	ecx, [ebp+arg_4]

loc_5CEFC1:				; CODE XREF: FsRtlCancelNotify+E2F0Aj
		mov	[ebp+var_48], edx
		cmp	edx, eax
		jz	short loc_5CEFD1

loc_5CEFC8:				; CODE XREF: FsRtlCancelNotify+E2EFFj
		cmp	eax, [ecx+0Ch]
		jnz	loc_4EC187

loc_5CEFD1:				; CODE XREF: FsRtlCancelNotify+E2F28j
		mov	[ebp+var_24], edi
		mov	[ebp+var_2C], edi
		mov	edx, edi
		mov	[ebp+var_24], edx
		mov	ecx, edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_2C], ecx
		lea	eax, [esi+18h]
		mov	edx, [eax]
		mov	[ebp+var_30], edx
		cmp	edx, eax
		mov	edx, edi
		jz	short loc_5CF062
		mov	eax, [ebp+var_30]
		mov	ecx, [eax+8]
		mov	[ebp+var_4C], ecx
		mov	ecx, [ecx+4]
		mov	[ebp+var_30], ecx
		cmp	ecx, [esi+3Ch]
		mov	ecx, edi
		jb	short loc_5CF072
		mov	ecx, [eax-4Ch]
		test	ecx, ecx
		jz	short loc_5CF019
		mov	edx, ecx
		mov	[ebp+var_24], edx
		mov	ecx, [ebp+var_30]
		jmp	short loc_5CF04E
; 

loc_5CF019:				; CODE XREF: FsRtlCancelNotify+E2F6Fj
		mov	eax, [eax-54h]
		mov	ecx, [ebp+var_30]
		mov	[ebp+var_20], ecx
		test	eax, eax
		jz	short loc_5CF051
		test	byte ptr [eax+6], 5
		jz	short loc_5CF034
		mov	edx, [eax+0Ch]
		mov	[ebp+var_24], edx
		jmp	short loc_5CF04E
; 

loc_5CF034:				; CODE XREF: FsRtlCancelNotify+E2F8Cj
		push	40000010h
		push	edi
		push	edi
		push	ebx
		push	edi
		push	eax
		call	MmMapLockedPagesSpecifyCache
		mov	edx, eax
		mov	[ebp+var_24], edx
		mov	ecx, [ebp+var_4C]
		mov	ecx, [ecx+4]

loc_5CF04E:				; CODE XREF: FsRtlCancelNotify+E2F79j
					; FsRtlCancelNotify+E2F94j
		mov	[ebp+var_20], ecx

loc_5CF051:				; CODE XREF: FsRtlCancelNotify+E2F86j
		mov	[ebp+var_2C], ecx
		mov	eax, [esi+34h]
		cmp	ecx, eax
		jbe	short loc_5CF072
		mov	ecx, eax
		mov	[ebp+var_2C], ecx
		jmp	short loc_5CF06F
; 

loc_5CF062:				; CODE XREF: FsRtlCancelNotify+E2F52j
		mov	eax, [esi+34h]
		cmp	eax, [esi+3Ch]
		jb	short loc_5CF072
		mov	ecx, eax
		mov	[ebp+var_2C], eax

loc_5CF06F:				; CODE XREF: FsRtlCancelNotify+E2FC2j
		mov	[ebp+var_20], ecx

loc_5CF072:				; CODE XREF: FsRtlCancelNotify+E2F68j
					; FsRtlCancelNotify+E2FBBj ...
		test	ecx, ecx
		jz	loc_5CF137
		mov	[ebp+var_3C], edi
		mov	[ebp+ms_exc.disabled], ebx
		test	edx, edx
		jnz	short loc_5CF0B3
		mov	eax, [esi+48h]
		push	ecx
		push	ebx
		push	eax
		call	_PsChargeProcessPoolQuota@12 ; PsChargeProcessPoolQuota(x,x,x)
		test	eax, eax
		jns	short loc_5CF099
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5CF099:				; CODE XREF: FsRtlCancelNotify+E2FF3j
		mov	[ebp+var_3C], ebx
		push	4E725346h
		push	[ebp+var_20]
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_24], edx
		mov	[esi+2Ch], edx

loc_5CF0B3:				; CODE XREF: FsRtlCancelNotify+E2FE4j
		push	dword ptr [esi+3Ch] ; size_t
		push	dword ptr [esi+30h] ; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_20]
		mov	[esi+38h], eax
		mov	eax, [ebp+var_24]
		mov	[esi+30h], eax
		mov	[ebp+ms_exc.disabled], edi
		jmp	short loc_5CF12E
; END OF FUNCTION CHUNK	FOR FsRtlCancelNotify

;  S U B	R O U T	I N E 


sub_5CF0D3	proc near		; DATA XREF: .text:006A3090o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-58h], eax
		mov	[ebp-38h], eax
		push	dword ptr [ebp-38h]
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	eax, ecx
		retn
sub_5CF0D3	endp


;  S U B	R O U T	I N E 


sub_5CF0F2	proc near		; DATA XREF: .text:006A3094o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-28h]
		xor	ebx, ebx
		inc	ebx
		cmp	dword ptr [ebp-3Ch], 0
		jz	short loc_5CF11E
		mov	edx, [esi+48h]
		cmp	edx, ds:_PsInitialSystemProcess
		jz	short loc_5CF11E
		mov	ecx, [edx+188h]
		push	dword ptr [ebp-2Ch]
		push	ebx
		call	PspReturnQuota
		mov	esi, [ebp-28h]

loc_5CF11E:				; CODE XREF: sub_5CF0F2+Dj
					; sub_5CF0F2+18j
		or	word ptr [esi+24h], 2
		xor	edi, edi
		mov	[ebp-4], edi
		mov	eax, [ebp-44h]
		mov	[ebp-40h], eax
sub_5CF0F2	endp

; START	OF FUNCTION CHUNK FOR FsRtlCancelNotify

loc_5CF12E:				; CODE XREF: FsRtlCancelNotify+E3033j
		mov	eax, [ebp+var_50]
		movzx	eax, word ptr [eax+24h]
		jmp	short loc_5CF146
; 

loc_5CF137:				; CODE XREF: FsRtlCancelNotify+E2FD6j
		mov	ax, [esi+24h]
		or	ax, 2
		movzx	eax, ax
		mov	[esi+24h], ax

loc_5CF146:				; CODE XREF: FsRtlCancelNotify+E3097j
		mov	ecx, [ebp+arg_4]
		test	al, 2
		jz	loc_4EC187
		mov	[esi+30h], edi
		mov	[esi+2Ch], edi
		mov	[esi+40h], edi
		mov	[esi+3Ch], edi
		mov	[esi+38h], edi
		jmp	loc_4EC187
; 

loc_5CF165:				; CODE XREF: FsRtlCancelNotify+FFj
		mov	eax, [esi+2Ch]
		test	eax, eax
		jz	short loc_5CF199
		mov	ecx, [esi+38h]
		mov	[ebp+arg_4], ecx
		mov	edx, [esi+48h]
		cmp	edx, ds:_PsInitialSystemProcess
		jz	short loc_5CF192
		mov	ecx, [edx+188h]
		push	[ebp+arg_4]
		push	ebx
		call	PspReturnQuota
		mov	eax, [esi+2Ch]
		mov	esi, [ebp+var_28]

loc_5CF192:				; CODE XREF: FsRtlCancelNotify+E30DDj
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5CF199:				; CODE XREF: FsRtlCancelNotify+E30CCj
		test	byte ptr [esi+24h], 40h
		jnz	short loc_5CF1A4
		cmp	[esi+50h], edi
		jz	short loc_5CF1AA

loc_5CF1A4:				; CODE XREF: FsRtlCancelNotify+E30FFj
		mov	eax, [esi+0Ch]
		mov	[ebp+var_34], eax

loc_5CF1AA:				; CODE XREF: FsRtlCancelNotify+E3104j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4EC1A3
; END OF FUNCTION CHUNK	FOR FsRtlCancelNotify

;  S U B	R O U T	I N E 


sub_5CF1B6	proc near		; DATA XREF: .text:006A3088o
		xor	edi, edi
		mov	eax, [ebp-44h]
		jmp	sub_4EC1C4
sub_5CF1B6	endp

; 
; START	OF FUNCTION CHUNK FOR sub_4EC1C4

loc_5CF1C0:				; CODE XREF: sub_4EC1C4+15j
		push	esi
		call	SeReleaseSubjectContext
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4EC1DF
; END OF FUNCTION CHUNK	FOR sub_4EC1C4
; 
; START	OF FUNCTION CHUNK FOR WmipNotificationIrpCancel

loc_5CF1D2:				; CODE XREF: WmipNotificationIrpCancel+22j
		mov	edx, eax
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EC227
; 

loc_5CF1E1:				; CODE XREF: WmipNotificationIrpCancel+2Fj
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4EC227
; 

loc_5CF1EE:				; CODE XREF: WmipNotificationIrpCancel+49j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EC25F
; 

loc_5CF1FE:				; CODE XREF: WmipNotificationIrpCancel+67j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid
		jmp	loc_4EC2BB
; 

loc_5CF20B:				; CODE XREF: WmipNotificationIrpCancel+83j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EC298
; 

loc_5CF21A:				; CODE XREF: WmipNotificationIrpCancel+A0j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5CF221:				; CODE XREF: WmipNotificationIrpCancel+8Dj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4EC298
; END OF FUNCTION CHUNK	FOR WmipNotificationIrpCancel
; 
; START	OF FUNCTION CHUNK FOR ExReleaseRundownProtectionCacheAware

loc_5CF235:				; CODE XREF: ExReleaseRundownProtectionCacheAware+25j
		cmp	ebx, 1
		jnz	short loc_5CF241
		mov	edx, [esi]
		jmp	loc_4EC460
; 

loc_5CF241:				; CODE XREF: ExReleaseRundownProtectionCacheAware+E2DF8j
		and	ebx, 0FFFFFFFEh
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		jnz	loc_4EC478
		push	0
		push	0
		lea	eax, [ebx+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4EC478
; END OF FUNCTION CHUNK	FOR ExReleaseRundownProtectionCacheAware
; 
; START	OF FUNCTION CHUNK FOR MiMakeProtoTransition

loc_5CF263:				; CODE XREF: MiMakeProtoTransition+57j
		mov	edi, 1Ch
		jmp	loc_4EC9FD
; 

loc_5CF26D:				; CODE XREF: MiMakeProtoTransition+45j
					; MiMakeProtoTransition+4Ej
		mov	edi, 0Ch
		jmp	loc_4EC9FD
; 

loc_5CF277:				; CODE XREF: MiMakeProtoTransition+9Fj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5CF2B1
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	eax, 1
		mov	[ebp+var_4], eax
		jnz	loc_4ECA47
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		mov	eax, [ebp+var_4]
		jz	loc_4ECA47
		or	edx, 80000000h
		jmp	loc_4ECA47
; 

loc_5CF2B1:				; CODE XREF: MiMakeProtoTransition+E28DEj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_4ECA45
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	loc_4ECA45
		or	edx, 80000000h
		jmp	loc_4ECA45
; 

loc_5CF2E6:				; CODE XREF: MiMakeProtoTransition+AFj
		push	edx
		push	ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_4ECA55
; END OF FUNCTION CHUNK	FOR MiMakeProtoTransition

;  S U B	R O U T	I N E 


sub_5CF2F2	proc near		; CODE XREF: ExpWaitForResource+9Cj
		push	ebx
		mov	edx, esi
		mov	ecx, [ebp+8]
		call	@PerfLogExecutiveResourceWait@12 ; PerfLogExecutiveResourceWait(x,x,x)
		jmp	loc_4ECBA2
sub_5CF2F2	endp

; 
; START	OF FUNCTION CHUNK FOR ExpWaitForResource

loc_5CF302:				; CODE XREF: ExpWaitForResource+C4j
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_28], eax
		push	esi		; char
		push	offset ??_C@_0EC@ECIGCEHM@Possible?5deadlock?4?5Use?5?$CBlocks?5?$CF@FNODOBFM@ ; char *
		push	eax		; int
		push	eax		; int
		call	_DbgPrintEx
		add	esp, 10h
		mov	eax, large fs:20h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		push	0
		or	eax, 80000000h
		push	eax
		push	6F546552h
		mov	edx, 20h
		mov	ecx, 200h
		call	ExpAllocatePoolWithTagFromNode
		mov	edx, eax
		test	edx, edx
		jz	short loc_5CF382
		mov	dword ptr [edx+8], offset _ExpResourceTimeoutCaptureLiveDump@4 ; ExpResourceTimeoutCaptureLiveDump(x)
		mov	[edx+0Ch], edx
		mov	dword ptr [edx], 0
		mov	ecx, large fs:124h
		mov	[edx+10h], ecx
		mov	[edx+14h], esi
		mov	eax, [esi+24h]
		mov	[edx+18h], eax
		mov	eax, ds:_ExResourceTimeoutCount
		mov	[edx+1Ch], eax
		push	1
		push	edx
		call	ExQueueWorkItem

loc_5CF382:				; CODE XREF: ExpWaitForResource+E284Dj
		mov	[ebp+var_4], 0
		int	3		; Trap to Debugger
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_4ECBCA
; END OF FUNCTION CHUNK	FOR ExpWaitForResource

;  S U B	R O U T	I N E 


sub_5CF396	proc near		; DATA XREF: .text:006A30F4o
		mov	eax, 1
		retn
sub_5CF396	endp


;  S U B	R O U T	I N E 


sub_5CF39C	proc near		; DATA XREF: .text:006A30F8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-20h]
		mov	esi, [ebp-24h]
		mov	eax, [ebp-28h]
		mov	[ebp-1Ch], eax
		mov	ebx, [ebp-2Ch]
		jmp	loc_4ECBCA
sub_5CF39C	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlRemovePerFileObjectContext

loc_5CF3BA:				; CODE XREF: FsRtlRemovePerFileObjectContext+4Aj
		lea	ecx, [edi+4]
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	loc_4ECC5E
		mov	edx, [ebp+arg_4]

loc_5CF3CA:				; CODE XREF: FsRtlRemovePerFileObjectContext+E2800j
		cmp	[eax+8], edx
		jnz	short loc_5CF3D8
		cmp	[eax+0Ch], ebx
		jz	loc_4ECC45

loc_5CF3D8:				; CODE XREF: FsRtlRemovePerFileObjectContext+E27F1j
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	short loc_5CF3CA
		jmp	loc_4ECC5E
; 

loc_5CF3E3:				; CODE XREF: FsRtlRemovePerFileObjectContext+55j
		lea	eax, [edi+4]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	loc_4ECC5E
		mov	esi, ecx
		jmp	loc_4ECC47
; END OF FUNCTION CHUNK	FOR FsRtlRemovePerFileObjectContext
; 
; START	OF FUNCTION CHUNK FOR FsRtlInsertPerFileObjectContext

loc_5CF3F7:				; CODE XREF: FsRtlInsertPerFileObjectContext+12j
		mov	eax, 0C000000Dh
		jmp	loc_4ECD40
; 

loc_5CF401:				; CODE XREF: FsRtlInsertPerFileObjectContext+63j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_IoGetFileObjectFilterContext@12 ; IoGetFileObjectFilterContext(x,x,x)
		cmp	[ebp+var_4], ebx
		jnz	loc_4ECCF7
		mov	eax, 0C0000001h
		jmp	loc_4ECD3F
; END OF FUNCTION CHUNK	FOR FsRtlInsertPerFileObjectContext
; 
; START	OF FUNCTION CHUNK FOR MiPageTableHasValidWsles

loc_5CF426:				; CODE XREF: MiPageTableHasValidWsles+2Bj
		mov	eax, offset unk_6D3C80
		jmp	loc_4ECE67
; 

loc_5CF430:				; CODE XREF: MiPageTableHasValidWsles+48j
		mov	edx, eax
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4ECE8B
; 

loc_5CF43F:				; CODE XREF: MiPageTableHasValidWsles+C3j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4ECF13
; END OF FUNCTION CHUNK	FOR MiPageTableHasValidWsles
; 
; START	OF FUNCTION CHUNK FOR CcZeroData

loc_5CF44F:				; CODE XREF: CcZeroData+88j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_4ED02A
; 

loc_5CF459:				; CODE XREF: CcZeroData+97j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_5C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4ED05B
; 

loc_5CF469:				; CODE XREF: CcZeroData+B9j
		lea	ecx, [ebp+var_5C]
		call	KxWaitForLockChainValid
		mov	ecx, [ebp+var_3C]
		mov	[ebp+var_20], ecx
		mov	ebx, [ebp+var_40]
		xor	edx, edx
		inc	edx

loc_5CF47D:				; CODE XREF: CcZeroData+A2j
		mov	[ebp+var_5C], 0
		add	eax, 4
		lock xor [eax],	edx
		mov	edi, [ebp+var_20]
		jmp	loc_4ED061
; 

loc_5CF492:				; CODE XREF: CcZeroData+104j
		test	ecx, ecx
		jl	loc_4ED0A6
		jg	loc_4ED183
		cmp	esi, 2000h
		jbe	loc_4ED0A6
		jmp	loc_4ED183
; 

loc_5CF4B1:				; CODE XREF: CcZeroData+11Ej
		xor	eax, eax
		jmp	loc_4ED0D0
; 

loc_5CF4B8:				; CODE XREF: CcZeroData+1F5j
		and	[ebp+var_50], 0
		and	[ebp+var_4C], 0
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], edi
		add	ebx, eax
		mov	[ebp+var_40], ebx
		adc	edi, 0
		mov	[ebp+var_3C], edi
		not	eax
		and	ebx, eax
		mov	[ebp+var_40], ebx
		mov	eax, ebx
		mov	ecx, [ebp+arg_4]
		sub	eax, [ecx]
		mov	[ebp+var_30], eax
		push	[ebp+arg_C]
		push	eax
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		call	CcZeroDataInCache
		test	al, al
		jz	loc_4ED159
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+14h]
		lea	eax, [ebp+var_50]
		push	eax
		push	0
		push	0
		push	[ebp+var_30]
		mov	edx, [ebp+arg_4]
		call	_CcFlushCachePriv@24 ; CcFlushCachePriv(x,x,x,x,x,x)
		cmp	[ebp+var_50], 0
		jge	loc_4ED197
		push	[ebp+var_50]
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5CF523:				; CODE XREF: CcZeroData+158j
		test	ecx, ecx
		jl	loc_4ED0FA
		jg	short loc_5CF539
		cmp	esi, 2000h
		jbe	loc_4ED0FA

loc_5CF539:				; CODE XREF: CcZeroData+E258Fj
		mov	eax, [ebp+var_20]
		test	ebx, eax
		jz	loc_4ED0FD
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], edi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], edi
		mov	esi, eax
		xor	eax, eax
		add	esi, ebx
		adc	eax, edi
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_20]
		not	eax
		and	esi, eax
		mov	[ebp+var_34], esi
		jmp	short loc_5CF5B8
; 

loc_5CF56A:				; CODE XREF: CcZeroData+167j
		test	ecx, ecx
		jl	loc_4ED11F
		jg	short loc_5CF580
		cmp	esi, 2000h
		jbe	loc_4ED109

loc_5CF580:				; CODE XREF: CcZeroData+E25D6j
		xor	esi, esi
		jmp	loc_4ED11F
; 

loc_5CF587:				; CODE XREF: CcZeroData+171j
					; CcZeroData+17Dj
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], edi
		mov	edx, ebx
		add	edx, 200000h
		mov	ecx, edi
		adc	ecx, 0
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ecx
		mov	esi, eax
		xor	eax, eax
		add	esi, edx
		adc	eax, ecx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_20]
		not	eax
		and	esi, eax
		mov	[ebp+var_2C], esi

loc_5CF5B8:				; CODE XREF: CcZeroData+E25CCj
		sub	esi, ebx
		jmp	loc_4ED11F
; END OF FUNCTION CHUNK	FOR CcZeroData

;  S U B	R O U T	I N E 

; Attributes: thunk

sub_5CF5BF	proc near		; DATA XREF: .text:006A3138o
		jmp	sub_4ED1DB
sub_5CF5BF	endp

; 
; START	OF FUNCTION CHUNK FOR CcZeroDataInCache

loc_5CF5C4:				; CODE XREF: CcZeroDataInCache+5Bj
		mov	[ebp+var_19], bl
		mov	esi, ebx
		mov	[ebp+var_20], esi
		jmp	loc_4ED31E
; 

loc_5CF5D1:				; CODE XREF: CcZeroDataInCache+80j
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5CF5DB:				; DATA XREF: .text:006A3158o
		xor	ebx, ebx
		mov	esi, [ebp+var_20]
		jmp	sub_4ED33F
; END OF FUNCTION CHUNK	FOR CcZeroDataInCache
; 
; START	OF FUNCTION CHUNK FOR sub_4ED33F

loc_5CF5E5:				; CODE XREF: sub_4ED33F+4j
		mov	ecx, large fs:124h
		mov	al, [ebp-28h]
		sub	al, 2
		mov	[ecx+309h], al
		mov	esi, [ebp-20h]
		jmp	loc_4ED349
; 

loc_5CF5FF:				; CODE XREF: sub_4ED33F+Fj
		push	ebx
		xor	dl, dl
		call	CcUnpinFileDataEx
		jmp	loc_4ED354
; END OF FUNCTION CHUNK	FOR sub_4ED33F
; 
; START	OF FUNCTION CHUNK FOR MmSetAddressRangeModifiedEx

loc_5CF60C:				; CODE XREF: MmSetAddressRangeModifiedEx+1B6j
		push	edx
		push	ecx
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo
		jmp	loc_4ED53C
; 

loc_5CF61F:				; CODE XREF: MmSetAddressRangeModifiedEx+1C1j
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jz	loc_4ED547
		nop
		mov	edx, [esp+0E8h+var_C0]
		mov	ecx, edi
		xor	ecx, [esp+0E8h+var_D6+2]
		mov	eax, edx
		xor	eax, [esp+0E8h+var_D0]
		and	ecx, 0FFFFF000h
		xor	[esp+0E8h+var_D6+2], ecx
		and	eax, 1Fh
		mov	ecx, [esp+0E8h+var_D0]
		xor	ecx, eax
		mov	[esp+0E8h+var_D0], ecx
		nop
		mov	eax, [esp+0E8h+var_D6+2]
		mov	[esi], eax
		mov	[esi+4], ecx
		test	ds:_MiFlags, 300h
		jz	short loc_5CF680
		push	ecx
		push	eax
		push	edx
		push	edi
		call	_MI_TIGHTER_PERMISSIONS@16 ; MI_TIGHTER_PERMISSIONS(x,x,x,x)
		test	eax, eax
		jnz	short loc_5CF680
		mov	eax, [esp+0E8h+var_B0]
		jmp	short loc_5CF685
; 

loc_5CF680:				; CODE XREF: MmSetAddressRangeModifiedEx+E22EBj
					; MmSetAddressRangeModifiedEx+E22F8j
		mov	eax, 1

loc_5CF685:				; CODE XREF: MmSetAddressRangeModifiedEx+E22FEj
		and	edi, 42h
		or	edi, 0
		jz	short loc_5CF692
		mov	[esp+0E8h+var_D7], 1

loc_5CF692:				; CODE XREF: MmSetAddressRangeModifiedEx+E230Bj
		test	eax, eax
		jz	loc_4ED468
		jmp	loc_4ED56F
; 

loc_5CF69F:				; CODE XREF: MmSetAddressRangeModifiedEx+E2j
		mov	eax, edi
		and	eax, 8
		or	eax, 0
		jnz	loc_4ED468
		or	edi, 8
		mov	[esp+0E8h+var_B4], ecx
		mov	[esp+0E8h+var_B8], edi
		mov	[esi], edi
		nop
		mov	[esi+4], ecx
		jmp	loc_4ED468
; END OF FUNCTION CHUNK	FOR MmSetAddressRangeModifiedEx
; 
; START	OF FUNCTION CHUNK FOR MmZeroPageWrite

loc_5CF6C3:				; CODE XREF: MmZeroPageWrite+44j
					; MmZeroPageWrite+E20C3j
		push	[ebp+arg_4]
		push	40000000h
		call	MiZeroPageWrite
		mov	esi, eax
		test	esi, esi
		js	loc_4ED66B
		mov	eax, [esp+18h+var_4]
		add	edi, 0C0000000h
		mov	edx, [esp+18h+var_C]
		mov	ecx, [esp+18h+var_8]
		adc	eax, 0FFFFFFFFh
		inc	ebx
		mov	[esp+18h+var_4], eax
		cmp	ebx, 4
		jb	short loc_5CF6C3
		jmp	loc_4ED658
; END OF FUNCTION CHUNK	FOR MmZeroPageWrite
; 
; START	OF FUNCTION CHUNK FOR MiZeroPageWrite

loc_5CF6FE:				; CODE XREF: MiZeroPageWrite+7Cj
		push	10h
		pop	ebx
		jmp	loc_4ED700
; 

loc_5CF706:				; CODE XREF: MiZeroPageWrite+164j
		mov	ecx, esi
		call	_MiRetardMdl@4	; MiRetardMdl(x)
		movzx	ecx, word ptr [esi+6]
		jmp	loc_4ED7E8
; 

loc_5CF716:				; CODE XREF: MiZeroPageWrite+17Dj
		mov	edx, [ebp+var_70]
		push	8
		pop	eax
		mov	[ebp+var_74], eax
		call	_MiIsRetryIoStatus@8 ; MiIsRetryIoStatus(x,x)
		test	eax, eax
		jz	loc_4ED82C
		cmp	edi, 1
		jz	loc_4ED82C
		mov	edx, [ebp+var_6C]
		shr	edi, 1
		jmp	loc_4ED824
; 

loc_5CF73F:				; CODE XREF: MiZeroPageWrite+19Cj
		dec	eax
		mov	[ebp+var_74], eax
		jmp	loc_4ED824
; END OF FUNCTION CHUNK	FOR MiZeroPageWrite
; 
; START	OF FUNCTION CHUNK FOR MiUpdatePrefetchPriority

loc_5CF748:				; CODE XREF: MiUpdatePrefetchPriority+A9j
		mov	ecx, ebx
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		test	eax, eax
		jz	loc_4ED91F
		mov	eax, [eax+1Ch]
		and	al, 70h
		cmp	al, 10h
		jnz	loc_4ED94F
		jmp	loc_4ED91F
; 

loc_5CF769:				; CODE XREF: MiUpdatePrefetchPriority+8Dj
		mov	eax, [eax+1Ch]
		and	al, 70h
		cmp	al, 10h
		jz	loc_4ED91F
		jmp	loc_4ED94F
; 

loc_5CF77B:				; CODE XREF: MiUpdatePrefetchPriority+BEj
					; MiUpdatePrefetchPriority+E1EE7j ...
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_5CF77B
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_5CF77B
		jmp	loc_4ED964
; 

loc_5CF795:				; CODE XREF: MiUpdatePrefetchPriority+31j
		mov	ecx, eax
		or	ecx, edx
		jz	loc_4ED91F
		mov	ecx, eax
		and	ecx, 400h
		or	ecx, 0
		jnz	loc_4ED91F
		and	eax, 800h
		or	eax, ecx
		jz	loc_4ED91F
		xor	edx, edx
		lea	ecx, [esi-40000000h]
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_4ED91F
		jmp	loc_4ED964
; END OF FUNCTION CHUNK	FOR MiUpdatePrefetchPriority
; 
; START	OF FUNCTION CHUNK FOR RtlGetNextEntryHashTable

loc_5CF7D9:				; CODE XREF: RtlGetNextEntryHashTable+3Aj
					; RtlGetNextEntryHashTable+E1E59j
		cmp	dword ptr [ebx+8], 0
		mov	edx, ebx
		jnz	short loc_5CF7EB
		mov	ecx, [ebx]
		mov	esi, ebx
		mov	ebx, ecx
		cmp	ecx, edi
		jnz	short loc_5CF7D9

loc_5CF7EB:				; CODE XREF: RtlGetNextEntryHashTable+E1E4Fj
		pop	ebx
		jmp	loc_4ED9B0
; END OF FUNCTION CHUNK	FOR RtlGetNextEntryHashTable
; 
; START	OF FUNCTION CHUNK FOR CcNotifyOfMappedWriteComplete

loc_5CF7F1:				; CODE XREF: CcNotifyOfMappedWriteComplete+38j
		mov	ecx, esi
		call	CcIsFatalWriteError
		test	al, al
		jnz	loc_4EDBD2
		xor	eax, eax
		inc	eax
		mov	byte ptr [ebp+var_4], al
		jmp	loc_4EDBD2
; 

loc_5CF80B:				; CODE XREF: CcNotifyOfMappedWriteComplete+56j
					; CcNotifyOfMappedWriteComplete+5Ej
		mov	eax, [ebp+arg_8]
		cmp	eax, [ebp+arg_0]
		jg	loc_4EDC0C
		jl	short loc_5CF822
		cmp	[ebp+arg_4], ecx
		ja	loc_4EDC0C

loc_5CF822:				; CODE XREF: CcNotifyOfMappedWriteComplete+E1C83j
		mov	ebx, ecx
		sub	ebx, [ebp+arg_4]
		jmp	loc_4EDBF8
; 

loc_5CF82C:				; CODE XREF: CcNotifyOfMappedWriteComplete+A2j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EDC5A
; 

loc_5CF83C:				; CODE XREF: CcNotifyOfMappedWriteComplete+C0j
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid
		jmp	loc_4EDC6A
; 

loc_5CF849:				; CODE XREF: CcNotifyOfMappedWriteComplete+2Dj
		push	0
		push	0
		push	0C0000420h
		push	12F9h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5CF85F:				; CODE XREF: MiTrimSharedPage+3Bj
		or	esi, 2
		jmp	loc_4EDE4B
; END OF FUNCTION CHUNK	FOR CcNotifyOfMappedWriteComplete
; 
; START	OF FUNCTION CHUNK FOR MiTrimSharedPage

loc_5CF867:				; CODE XREF: MiTrimSharedPage+46j
		or	esi, 4
		jmp	loc_4EDE56
; 

loc_5CF86F:				; CODE XREF: MiTrimSharedPage+51j
		or	esi, 8
		jmp	loc_4EDE61
; 

loc_5CF877:				; CODE XREF: MiTrimSharedPage+63j
		or	esi, 10h
		jmp	loc_4EDE73
; 

loc_5CF87F:				; CODE XREF: MiTrimSharedPage+6Ej
		or	esi, 40h
		jmp	loc_4EDE7E
; 

loc_5CF887:				; CODE XREF: MiTrimSharedPage+198j
		cmp	dword ptr [eax+1Ch], 0
		jge	loc_4EDEFC
		mov	edx, ebx
		mov	ecx, edi
		call	_MiClusterVadFull@8 ; MiClusterVadFull(x,x)
		cmp	eax, 1
		jnz	loc_4EDEF8
		mov	ecx, [esp+40h+var_2C]
		xor	edx, edx
		call	_MiDecrementModifiedWriteCount@8 ; MiDecrementModifiedWriteCount(x,x)
		test	eax, eax
		jz	loc_4EDFA7
		mov	ecx, eax
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)
		jmp	loc_4EDFA7
; END OF FUNCTION CHUNK	FOR MiTrimSharedPage
; 
; START	OF FUNCTION CHUNK FOR MiTrimSection

loc_5CF8C2:				; CODE XREF: MiTrimSection+32j
		cmp	dword ptr [esi+20h], 0
		jz	short loc_5CF8D2
		test	byte ptr [esi+1Ch], 20h
		jz	loc_4EE006

loc_5CF8D2:				; CODE XREF: MiTrimSection+E18F8j
		mov	eax, 0C0000088h
		jmp	loc_4EE14A
; 

loc_5CF8DC:				; CODE XREF: MiTrimSection+99j
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [esp+48h+var_39]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	_MiUnlockControlAreaFileObjectShared@4 ; MiUnlockControlAreaFileObjectShared(x)
		xor	eax, eax
		jmp	loc_4EE14A
; END OF FUNCTION CHUNK	FOR MiTrimSection
; 
; START	OF FUNCTION CHUNK FOR MiViewMayContainPage

loc_5CF8FD:				; CODE XREF: MiViewMayContainPage+2B8j
		test	dword ptr [edx+1Ch], 4000000h
		jnz	loc_4EE2A3
		jmp	loc_4EE4C6
; 

loc_5CF90F:				; CODE XREF: MiViewMayContainPage+164j
		shl	edi, 0Ch
		jmp	loc_4EE377
; 

loc_5CF917:				; CODE XREF: MiViewMayContainPage+13Fj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		jmp	loc_4EE34D
; END OF FUNCTION CHUNK	FOR MiViewMayContainPage
; 
; START	OF FUNCTION CHUNK FOR CcPurgeAndClearCacheSection

loc_5CF926:				; CODE XREF: CcPurgeAndClearCacheSection+35j
		test	al, 1
		jnz	short loc_5CF934
		mov	eax, 0C0000435h
		jmp	loc_4EF388
; 

loc_5CF934:				; CODE XREF: CcPurgeAndClearCacheSection+E063Aj
		xor	eax, 1
		mov	[ebp+var_20], eax
		jmp	loc_4EF329
; END OF FUNCTION CHUNK	FOR CcPurgeAndClearCacheSection

;  S U B	R O U T	I N E 


sub_5CF93F	proc near		; DATA XREF: .text:006A31ACo
		xor	eax, eax
		inc	eax
		retn
sub_5CF93F	endp


;  S U B	R O U T	I N E 


sub_5CF943	proc near		; DATA XREF: .text:006A31B0o
		mov	esp, [ebp-18h]
		xor	esi, esi
		mov	[ebp-2Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-38h]
		mov	[ebp-20h], eax
		mov	edi, [ebp-3Ch]
		mov	ebx, [ebp-28h]
		jmp	loc_4EF410
sub_5CF943	endp

; 
; START	OF FUNCTION CHUNK FOR CcPurgeAndClearCacheSection

loc_5CF963:				; CODE XREF: CcPurgeAndClearCacheSection+130j
					; CcPurgeAndClearCacheSection+13Cj
		push	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+var_34]
		call	MmSetAddressRangeModifiedEx
		push	1
		mov	edx, 20000h
		mov	ecx, edi
		call	CcUpdateSharedCacheMapFlag
		jmp	loc_4EF43E
; 

loc_5CF982:				; CODE XREF: CcPurgeAndClearCacheSection+180j
		push	esi
		push	esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	edx, [ebp+var_3C]
		jmp	loc_4EF474
; 

loc_5CF992:				; CODE XREF: CcPurgeAndClearCacheSection+D6j
					; CcPurgeAndClearCacheSection+DFj
		push	esi
		lea	eax, [ebp+var_50]
		push	eax
		push	ecx
		push	1
		lea	edx, [ebp+var_48]
		mov	ecx, [ebx+14h]
		call	MmFlushSection
		mov	eax, [ebp+var_50]
		test	eax, eax
		js	loc_4EF388
		jmp	loc_4EF461
; 

loc_5CF9B5:				; CODE XREF: CcPurgeAndClearCacheSection+88j
		mov	ecx, eax
		xor	eax, ebx
		cmp	eax, 7
		jb	loc_4EF36B
		jmp	loc_4EF39D
; 

loc_5CF9C7:				; CODE XREF: CcPurgeAndClearCacheSection+92j
		mov	esi, 0C0000435h
		jmp	loc_4EF386
; END OF FUNCTION CHUNK	FOR CcPurgeAndClearCacheSection
; 
; START	OF FUNCTION CHUNK FOR CcPurgeCacheSection

loc_5CF9D1:				; CODE XREF: CcPurgeCacheSection+6Aj
		xor	eax, eax
		inc	eax
		test	bl, al
		jnz	short loc_5CFA34
		test	ds:byte_70EFC6,	al
		jz	short loc_5CF9EE
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5CFA22
; 

loc_5CF9EE:				; CODE XREF: CcPurgeCacheSection+E055Cj
		mov	eax, [esp+38h+var_C]
		test	eax, eax
		jnz	short loc_5CFA11
		mov	edx, [esp+38h+var_8]
		lea	eax, [esp+38h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_C]
		cmp	eax, ecx
		jz	short loc_5CFA22
		call	KxWaitForLockChainValid

loc_5CFA11:				; CODE XREF: CcPurgeCacheSection+E0572j
		xor	edx, edx
		mov	[esp+38h+var_C], 0
		lea	ecx, [eax+4]
		inc	edx
		lock xor [ecx],	edx

loc_5CFA22:				; CODE XREF: CcPurgeCacheSection+E056Aj
					; CcPurgeCacheSection+E0588j
		mov	cl, [esp+38h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		inc	eax
		jmp	loc_4EF678
; 

loc_5CFA34:				; CODE XREF: CcPurgeCacheSection+E0554j
		xor	ebx, eax
		jmp	loc_4EF4F2
; 

loc_5CFA3B:				; CODE XREF: CcPurgeCacheSection+8Ej
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EF53C
; 

loc_5CFA4C:				; CODE XREF: CcPurgeCacheSection+B4j
		lea	ecx, [esp+38h+var_18]
		call	KxWaitForLockChainValid
		jmp	loc_4EF71C
; 

loc_5CFA5A:				; CODE XREF: CcPurgeCacheSection+CDj
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EF57B
; 

loc_5CFA6B:				; CODE XREF: CcPurgeCacheSection+11Dj
		lea	edi, [esi+90h]

loc_5CFA71:				; CODE XREF: CcPurgeCacheSection+E0601j
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_5CFA85
		push	0
		push	0
		push	dword ptr [eax-54h]
		call	CcUninitializeCacheMap
		jmp	short loc_5CFA71
; 

loc_5CFA85:				; CODE XREF: CcPurgeCacheSection+E05F3j
		mov	edi, [esp+38h+var_20]
		xor	eax, eax
		inc	eax
		jmp	loc_4EF5A5
; 

loc_5CFA91:				; CODE XREF: CcPurgeCacheSection+12Bj
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	_MmTrimSection@16 ; MmTrimSection(x,x,x,x)
		test	eax, eax
		jns	loc_4EF5C0
		lea	ecx, [edi+40h]
		lea	edx, [esp+38h+var_18]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	ecx
		mov	ecx, esi
		call	CcDecrementOpenCount
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jz	short loc_5CFAD1
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5CFB02
; 

loc_5CFAD1:				; CODE XREF: CcPurgeCacheSection+E063Fj
		mov	eax, [esp+38h+var_18]
		test	eax, eax
		jnz	short loc_5CFAF4
		mov	edx, [esp+38h+var_14]
		lea	eax, [esp+38h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_18]
		cmp	eax, ecx
		jz	short loc_5CFB02
		call	KxWaitForLockChainValid

loc_5CFAF4:				; CODE XREF: CcPurgeCacheSection+E0655j
		mov	[esp+38h+var_18], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_5CFB02:				; CODE XREF: CcPurgeCacheSection+E064Dj
					; CcPurgeCacheSection+E066Bj
		mov	cl, [esp+38h+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	al, al
		jmp	loc_4EF678
; 

loc_5CFB13:				; CODE XREF: CcPurgeCacheSection+111j
		push	0
		push	0
		push	0C0000420h
		push	122Bh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CFB28:				; CODE XREF: CcPurgeCacheSection+2C5j
		test	[ebp+arg_C], 2
		jnz	loc_4EF74D
		push	offset _CcCollisionDelay
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		sub	edi, 1
		jz	loc_4EF74D
		mov	ecx, [ebp+arg_0]
		lea	eax, [esp+4Ch+var_3A]
		push	eax
		push	esi
		push	0
		mov	edx, ebx
		call	MmPurgeSection
		mov	byte ptr [esp+4Ch+var_3A+1], al
		test	al, al
		jz	loc_4EF736
		jmp	loc_4EF74D
; 

loc_5CFB6C:				; CODE XREF: CcPurgeCacheSection+1BCj
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4EF66A
; 

loc_5CFB7D:				; CODE XREF: CcPurgeCacheSection+1E2j
		lea	ecx, [esp+38h+var_18]
		call	KxWaitForLockChainValid
		jmp	loc_4EF709
; END OF FUNCTION CHUNK	FOR CcPurgeCacheSection
; 
; START	OF FUNCTION CHUNK FOR CcGetFlushedValidData

loc_5CFB8B:				; CODE XREF: CcGetFlushedValidData+2Fj
		lea	edx, [esp+30h+var_C]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, [esi+4]
		mov	[esp+30h+var_20], esi
		test	esi, esi
		jnz	short loc_5CFC02
		test	ds:byte_70EFC6,	1
		jz	short loc_5CFBBB
		mov	edx, [ebp+4]
		lea	ecx, [esp+30h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5CFBEB
; 

loc_5CFBBB:				; CODE XREF: CcGetFlushedValidData+E044Fj
		mov	eax, [esp+30h+var_C]
		test	eax, eax
		jnz	short loc_5CFBDE
		mov	edx, [esp+30h+var_8]
		lea	eax, [esp+30h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+30h+var_C]
		cmp	eax, ecx
		jz	short loc_5CFBEB
		call	KxWaitForLockChainValid

loc_5CFBDE:				; CODE XREF: CcGetFlushedValidData+E0465j
		xor	ecx, ecx
		mov	[esp+30h+var_C], edi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5CFBEB:				; CODE XREF: CcGetFlushedValidData+E045Dj
					; CcGetFlushedValidData+E047Bj
		mov	cl, [esp+30h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	eax, 0FFFFFFFFh
		mov	edx, 7FFFFFFFh
		jmp	loc_4EF7CE
; 

loc_5CFC02:				; CODE XREF: CcGetFlushedValidData+E0446j
		mov	ecx, esi
		call	CcGetPartition
		lea	edx, [esp+30h+var_18]
		lea	ecx, [eax+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		inc	dword ptr [esi+4]
		inc	dword ptr [esi+178h]
		test	ds:byte_70EFC6,	1
		jz	short loc_5CFC35
		mov	edx, [ebp+4]
		lea	ecx, [esp+30h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5CFC65
; 

loc_5CFC35:				; CODE XREF: CcGetFlushedValidData+E04C9j
		mov	eax, [esp+30h+var_18]
		test	eax, eax
		jnz	short loc_5CFC58
		mov	edx, [esp+30h+var_14]
		lea	eax, [esp+30h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+30h+var_18]
		cmp	eax, ecx
		jz	short loc_5CFC65
		call	KxWaitForLockChainValid

loc_5CFC58:				; CODE XREF: CcGetFlushedValidData+E04DFj
		xor	ecx, ecx
		mov	[esp+30h+var_18], edi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5CFC65:				; CODE XREF: CcGetFlushedValidData+E04D7j
					; CcGetFlushedValidData+E04F5j
		mov	cl, [esp+30h+var_10]
		call	ebx
		test	ds:byte_70EFC6,	1
		jz	short loc_5CFC82
		mov	edx, [ebp+4]
		lea	ecx, [esp+30h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5CFCB2
; 

loc_5CFC82:				; CODE XREF: CcGetFlushedValidData+E0516j
		mov	eax, [esp+30h+var_C]
		test	eax, eax
		jnz	short loc_5CFCA5
		mov	edx, [esp+30h+var_8]
		lea	eax, [esp+30h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+30h+var_C]
		cmp	eax, ecx
		jz	short loc_5CFCB2
		call	KxWaitForLockChainValid

loc_5CFCA5:				; CODE XREF: CcGetFlushedValidData+E052Cj
		xor	ecx, ecx
		mov	[esp+30h+var_C], edi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5CFCB2:				; CODE XREF: CcGetFlushedValidData+E0524j
					; CcGetFlushedValidData+E0542j
		mov	cl, [esp+30h+var_4]
		call	ebx
		lea	ecx, [esi+0B4h]
		call	ExAcquireFastMutex
		jmp	loc_4EF798
; 

loc_5CFCC8:				; CODE XREF: CcGetFlushedValidData+AAj
					; CcGetFlushedValidData+E0586j
		mov	esi, 2FDh
		cmp	[ecx], si
		jnz	short loc_5CFCD8
		cmp	byte ptr [ecx+2], 0
		jnz	short loc_5CFCE4

loc_5CFCD8:				; CODE XREF: CcGetFlushedValidData+E0574j
		mov	ecx, [eax]
		sub	ecx, 10h
		lea	eax, [ecx+10h]
		cmp	eax, edx
		jnz	short loc_5CFCC8

loc_5CFCE4:				; CODE XREF: CcGetFlushedValidData+E057Aj
		mov	esi, [esp+30h+var_20]
		jmp	loc_4EF80C
; 

loc_5CFCED:				; CODE XREF: CcGetFlushedValidData+B7j
		mov	eax, [ecx+8]
		mov	ecx, [ecx+0Ch]
		cmp	ecx, ebx
		jg	loc_4EF7C0
		jl	short loc_5CFD05
		cmp	eax, edi
		jnb	loc_4EF7C0

loc_5CFD05:				; CODE XREF: CcGetFlushedValidData+E059Fj
		mov	edi, eax
		mov	ebx, ecx
		jmp	loc_4EF7C0
; 

loc_5CFD0E:				; CODE XREF: CcGetFlushedValidData+68j
		lea	ecx, [esi+0B4h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [esp+30h+var_1C]
		lea	edx, [esp+30h+var_18]
		add	ecx, 40h
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	ecx
		mov	ecx, esi
		call	CcDecrementOpenCount
		test	ds:byte_70EFC6,	1
		jz	short loc_5CFD48
		mov	edx, [ebp+4]
		lea	ecx, [esp+30h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5CFD7C
; 

loc_5CFD48:				; CODE XREF: CcGetFlushedValidData+E05DCj
		mov	eax, [esp+30h+var_18]
		test	eax, eax
		jnz	short loc_5CFD6B
		mov	edx, [esp+30h+var_14]
		lea	eax, [esp+30h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+30h+var_18]
		cmp	eax, ecx
		jz	short loc_5CFD7C
		call	KxWaitForLockChainValid

loc_5CFD6B:				; CODE XREF: CcGetFlushedValidData+E05F2j
		lea	ecx, [eax+4]
		mov	[esp+30h+var_18], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax

loc_5CFD7C:				; CODE XREF: CcGetFlushedValidData+E05EAj
					; CcGetFlushedValidData+E0608j
		mov	cl, [esp+30h+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4EF7CA
; 

loc_5CFD8B:				; CODE XREF: CcGetFlushedValidData+51j
		push	edi
		push	edi
		push	0C0000420h
		push	1E8Ch
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5CFD9F:				; CODE XREF: CcReleaseByteRangeFromWrite+DCj
					; CcReleaseByteRangeFromWrite+E5j
		lea	esi, [edi+0FFFFFFh]
		and	esi, 0FF000000h
		sub	esi, edi
		jmp	loc_4EF97A
; END OF FUNCTION CHUNK	FOR CcGetFlushedValidData
; 
; START	OF FUNCTION CHUNK FOR CcReleaseByteRangeFromWrite

loc_5CFDB2:				; CODE XREF: CcReleaseByteRangeFromWrite+F6j
		push	0
		push	0C0000420h
		push	14A2h
		jmp	short loc_5CFDCE
; 

loc_5CFDC0:				; CODE XREF: CcReleaseByteRangeFromWrite+2Fj
		push	0
		push	0
		push	0C0000420h
		push	14B5h

loc_5CFDCE:				; CODE XREF: CcReleaseByteRangeFromWrite+E0532j
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5CFDD5:				; CODE XREF: CcReleaseByteRangeFromWrite+69j
		push	0
		push	esi
		call	CcSetDirtyPinnedData
		jmp	loc_4EF8FB
; END OF FUNCTION CHUNK	FOR CcReleaseByteRangeFromWrite
; 
; START	OF FUNCTION CHUNK FOR MiCanFileBeTruncatedInternal

loc_5CFDE2:				; CODE XREF: MiCanFileBeTruncatedInternal+30j
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4EFB2D
; 

loc_5CFDF5:				; CODE XREF: MiCanFileBeTruncatedInternal+47j
		mov	esi, offset dword_6CF3C0
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4EFA1C
; 

loc_5CFE0D:				; CODE XREF: MiCanFileBeTruncatedInternal+73j
					; MiCanFileBeTruncatedInternal+7Cj
		test	byte ptr [esi+1Ch], 8
		jnz	loc_4EFA8A
		cmp	[ebp+arg_4], edx
		jz	loc_4EFB06
		jmp	loc_4EFA8A
; 

loc_5CFE25:				; CODE XREF: MiCanFileBeTruncatedInternal+F0j
					; MiCanFileBeTruncatedInternal+F8j
		add	eax, 0FFFh
		adc	edx, 0
		and	eax, 0FFFFF000h
		cmp	[ebp+arg_0], edx
		ja	loc_4EFA8F
		jb	short loc_5CFE45
		cmp	ecx, eax
		jnb	loc_4EFA8F

loc_5CFE45:				; CODE XREF: MiCanFileBeTruncatedInternal+E0433j
		mov	[edi], eax
		mov	[edi+4], edx
		jmp	loc_4EFA8F
; END OF FUNCTION CHUNK	FOR MiCanFileBeTruncatedInternal
; 
; START	OF FUNCTION CHUNK FOR MiUnlockControlAreaSectionExtend

loc_5CFE4F:				; CODE XREF: MiUnlockControlAreaSectionExtend+4Fj
		xor	edx, edx
		lea	ecx, [edi+0Ch]
		inc	edx
		call	KeSignalGate
		mov	eax, [ebp+var_4]
		jmp	loc_4EFBA3
; END OF FUNCTION CHUNK	FOR MiUnlockControlAreaSectionExtend
; 
; START	OF FUNCTION CHUNK FOR MiLockControlAreaSectionExtend

loc_5CFE62:				; CODE XREF: MiLockControlAreaSectionExtend+9Bj
					; MiLockControlAreaSectionExtend+E02A3j
		test	[edi+4], eax
		jnz	short loc_5CFE6D
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_5CFE62

loc_5CFE6D:				; CODE XREF: MiLockControlAreaSectionExtend+E029Dj
		test	edi, edi
		jz	loc_4EFC08
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_4EFC08
		mov	ecx, eax
		call	_KeAbPreWait@4	; KeAbPreWait(x)
		jmp	loc_4EFC08
; 

loc_5CFE97:				; CODE XREF: MiLockControlAreaSectionExtend+60j
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ecx
		push	12h
		pop	edx
		lea	ecx, [ebx+0Ch]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		mov	edi, [ebp+var_8]
		lea	eax, [esi+24h]
		test	edi, edi
		jz	loc_4EFBF4
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edx, edi
		mov	ecx, esi
		call	KeAbPostReleaseEx
		jmp	loc_4EFBF1
; END OF FUNCTION CHUNK	FOR MiLockControlAreaSectionExtend
; 
; START	OF FUNCTION CHUNK FOR MiAppendSubsectionChain

loc_5CFEDC:				; CODE XREF: MiAppendSubsectionChain+37j
					; MiAppendSubsectionChain+E0245j
		mov	eax, [esi+20h]
		test	eax, 3FFFFFFFh
		jz	short loc_5CFEEE
		or	eax, 3FFFFFFFh
		mov	[esi+20h], eax

loc_5CFEEE:				; CODE XREF: MiAppendSubsectionChain+E022Cj
		mov	ecx, esi
		mov	[esi+3Ch], edi
		call	_MiInsertUnusedSubsection@8 ; MiInsertUnusedSubsection(x,x)
		mov	esi, [esi+8]
		test	esi, esi
		jnz	short loc_5CFEDC
		mov	ecx, [ebp+var_8]
		jmp	loc_4EFCF5
; END OF FUNCTION CHUNK	FOR MiAppendSubsectionChain
; 
; START	OF FUNCTION CHUNK FOR MmFlushImageSection

loc_5CFF07:				; CODE XREF: MmFlushImageSection+32j
		mov	edi, offset dword_6CF3C0

loc_5CFF0C:				; CODE XREF: MmFlushImageSection+A0j
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4EFEE2
; END OF FUNCTION CHUNK	FOR MmFlushImageSection
; 
; START	OF FUNCTION CHUNK FOR MiForceSectionClosed

loc_5CFF20:				; CODE XREF: MiForceSectionClosed+3Ej
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_4]
		jmp	loc_4EFFEA
; END OF FUNCTION CHUNK	FOR MiForceSectionClosed
; 
; START	OF FUNCTION CHUNK FOR MiAttemptSectionDelete

loc_5CFF35:				; CODE XREF: MiAttemptSectionDelete+4Fj
		lea	eax, [ebp+var_8]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], eax
		lea	ecx, [esi+24h]
		mov	[ebp+var_8], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_1C]
		push	ecx
		mov	[ebp+var_18], 1
		mov	[ebp+var_10], 107h
		mov	byte ptr [ebp-0Eh], 4
		mov	[esi+2Ch], eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ecx
		push	13h
		pop	edx
		lea	ecx, [ebp+var_10]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		mov	al, 1
		jmp	loc_4F0091
; END OF FUNCTION CHUNK	FOR MiAttemptSectionDelete
; 
; START	OF FUNCTION CHUNK FOR IopDeleteIoCompletionInternal

loc_5CFF82:				; CODE XREF: IopDeleteIoCompletionInternal+5Ej
		mov	edx, [ebp+4]
		lea	ecx, [esp+28h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4F0174
; 

loc_5CFF93:				; CODE XREF: IopDeleteIoCompletionInternal+84j
		lea	ecx, [esp+28h+var_C]
		call	KxWaitForLockChainValid

loc_5CFF9C:				; CODE XREF: IopDeleteIoCompletionInternal+6Aj
		mov	[esp+28h+var_C], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_4F0174
; END OF FUNCTION CHUNK	FOR IopDeleteIoCompletionInternal
; 
; START	OF FUNCTION CHUNK FOR KeRundownQueueCommon

loc_5CFFAF:				; CODE XREF: KeRundownQueueCommon+6Bj
		movzx	eax, word ptr [esi+0Ah]
		push	0
		push	eax
		jmp	short loc_5CFFBF
; 

loc_5CFFB8:				; CODE XREF: KeRundownQueueCommon+73j
		push	0
		push	100h

loc_5CFFBF:				; CODE XREF: KeRundownQueueCommon+DFCF4j
		mov	edx, esi
		call	KiTryUnwaitThread
		jmp	loc_4F0410
; END OF FUNCTION CHUNK	FOR KeRundownQueueCommon
; 
; START	OF FUNCTION CHUNK FOR IopDropIrp

loc_5CFFCB:				; CODE XREF: IopDropIrp+24j
		test	ebx, ebx
		jz	loc_4F04D2
		test	byte ptr [edi+8], 4
		jnz	loc_4F04D2
		call	ObfDereferenceObject
		jmp	loc_4F04D2
; END OF FUNCTION CHUNK	FOR IopDropIrp
; 

loc_5CFFE7:				; CODE XREF: .text:004F05A1j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4F05AC
; 
; START	OF FUNCTION CHUNK FOR sub_4F0630

loc_5CFFF6:				; CODE XREF: sub_4F0630+7j
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_5D000F

loc_5D0002:				; DATA XREF: .text:0042553Co
		test	byte ptr ds:dword_6FDE00, 6
		jz	loc_4F063D

loc_5D000F:				; CODE XREF: sub_4F0630+DF9D0j
		mov	eax, ds:_MmVerifierData
		and	eax, 10h
		or	eax, 40h
		shr	eax, 1
		push	eax
		push	20206F49h
		push	edx
		push	ecx
		call	ExAllocatePoolWithTagPriority
		test	eax, eax
		jnz	locret_4F0649
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

loc_5D003C:				; CODE XREF: sub_4F0820+27j
		mov	eax, [ebp+0Ch]
		mov	ecx, esi
		mov	edx, [ebp+10h]
		push	eax
		mov	eax, [eax+8]
		mov	edx, [eax+edx*4+38h]
		call	_MmUpdateMdlTracker@12 ; MmUpdateMdlTracker(x,x,x)
		jmp	loc_4F084D
; END OF FUNCTION CHUNK	FOR sub_4F0630
; 
; START	OF FUNCTION CHUNK FOR MiAccessCheck

loc_5D0056:				; CODE XREF: MiAccessCheck+11j
		mov	eax, ds:_MmHighestUserAddress
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	edi, eax
		ja	loc_4F09B7
		cmp	edi, 0C0000000h
		jb	loc_4F09B7
		jmp	loc_4F0967
; 

loc_5D0081:				; CODE XREF: MiAccessCheck+28j
		test	edx, edx
		jz	loc_4F09AC
		mov	eax, ebx
		and	eax, 800h
		or	eax, 0
		jnz	loc_4F09AC
		and	ebx, 200h
		or	ebx, eax
		jnz	loc_4F09AC
		jmp	loc_4F09B7
; 

loc_5D00AC:				; CODE XREF: MiAccessCheck+56j
		mov	ecx, [ebp+arg_8]
		test	cl, 1
		jz	short loc_5D00C2
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		jz	loc_4F09AC

loc_5D00C2:				; CODE XREF: MiAccessCheck+DF762j
		call	MiAllowGuardFault
		test	eax, eax
		jz	loc_4F09B7
		mov	eax, ebx
		and	eax, 800h
		or	eax, 0
		jz	loc_5D01C2
		mov	eax, ebx
		and	eax, 400h
		or	eax, 0
		jnz	loc_5D01C2
		cmp	[ebp+arg_C], 1
		jnz	short loc_5D014B
		mov	eax, ds:dword_6D0700
		mov	ecx, ebx
		mov	esi, ds:dword_6D0704
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_4], eax
		or	eax, esi
		mov	[ebp+var_8], esi
		mov	esi, [ebp+arg_4]
		jz	short loc_5D012C
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_5D012C
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		not	ecx
		not	eax
		and	ecx, ebx
		and	eax, edx
		jmp	short loc_5D012E
; 

loc_5D012C:				; CODE XREF: MiAccessCheck+DF7C0j
					; MiAccessCheck+DF7CAj
		mov	eax, edx

loc_5D012E:				; CODE XREF: MiAccessCheck+DF7DAj
		shrd	ecx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	ecx, 3FFFFFFh
		mov	[ebp+arg_0], ecx
		shl	ecx, 3
		sub	ecx, [ebp+arg_0]
		lea	ecx, [eax+ecx*4]
		jmp	short loc_5D018F
; 

loc_5D014B:				; CODE XREF: MiAccessCheck+DF7A3j
		xor	edx, edx
		mov	ecx, edi
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	ebx, [edi]
		mov	ecx, eax
		mov	[ebp+arg_4], ecx
		nop
		mov	eax, [edi+4]
		mov	[ebp+arg_0], eax
		test	ecx, ecx
		jz	short loc_5D018C
		mov	eax, [ebp+arg_4]
		mov	edx, esi
		and	edx, 0Fh
		xor	ecx, ecx
		shld	ecx, edx, 5
		mov	eax, [eax+8]
		and	eax, 0FFFFFC1Fh
		shl	edx, 5
		or	edx, eax
		mov	eax, [ebp+arg_4]
		or	[eax+0Ch], ecx
		mov	ecx, eax
		mov	[eax+8], edx

loc_5D018C:				; CODE XREF: MiAccessCheck+DF814j
		mov	edx, [ebp+arg_0]

loc_5D018F:				; CODE XREF: MiAccessCheck+DF7F9j
		and	esi, 0Fh
		xor	eax, eax
		shld	eax, esi, 5
		and	ebx, 0FFFFFC1Fh
		shl	esi, 5
		or	eax, edx
		or	esi, ebx
		mov	[edi], esi
		nop
		cmp	[ebp+arg_C], 0
		mov	[edi+4], eax
		jnz	short loc_5D01DF
		test	ecx, ecx
		jz	short loc_5D01DF
		mov	edx, 7FFFFFFFh
		lea	eax, [ecx+10h]
		lock and [eax],	edx
		jmp	short loc_5D01DF
; 

loc_5D01C2:				; CODE XREF: MiAccessCheck+DF789j
					; MiAccessCheck+DF799j
		and	esi, 0Fh
		xor	eax, eax
		shld	eax, esi, 5
		and	ebx, 0FFFFFC1Fh
		shl	esi, 5
		or	esi, ebx
		or	eax, [ebp+arg_0]
		mov	[edi], esi
		nop
		mov	[edi+4], eax

loc_5D01DF:				; CODE XREF: MiAccessCheck+DF85Fj
					; MiAccessCheck+DF863j	...
		mov	eax, 80000001h
		jmp	loc_4F09AE
; END OF FUNCTION CHUNK	FOR MiAccessCheck
; 
; START	OF FUNCTION CHUNK FOR RtlIntersectBitMaps

loc_5D01E9:				; CODE XREF: RtlIntersectBitMaps+26j
		mov	edx, [esi+4]
		mov	eax, [ebx+eax]
		and	[edx+ebx], eax
		add	ebx, 4
		sub	ecx, 20h
		jnz	loc_4F09F0
		jmp	loc_4F0A0A
; END OF FUNCTION CHUNK	FOR RtlIntersectBitMaps
; 
; START	OF FUNCTION CHUNK FOR MiAddToReservationCluster

loc_5D0203:				; CODE XREF: MiAddToReservationCluster+77j
		lea	eax, [edi+10h]
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_4]
		jmp	loc_4F0C8E
; 

loc_5D021C:				; CODE XREF: MiAddToReservationCluster+149j
		mov	ecx, [ebp+var_18]
		cmp	ecx, ebx
		jb	loc_4F0CB5
		cmp	esi, 1Fh
		ja	loc_4F0CB5
		mov	eax, [ebp+var_4]
		add	eax, esi
		cmp	eax, [ebp+arg_0]
		jnb	loc_4F0CB5
		jmp	loc_4F0C21
; 

loc_5D0243:				; CODE XREF: MiAddToReservationCluster+D8j
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx]
		cmp	ebx, eax
		jnb	loc_5D02EA
		cmp	esi, 1
		ja	short loc_5D026C
		jnz	loc_5D02EA
		mov	eax, [ecx+4]
		bt	[eax], ebx
		setb	dl
		neg	dl
		sbb	dl, dl
		inc	dl
		jmp	short loc_5D02E2
; 

loc_5D026C:				; CODE XREF: MiAddToReservationCluster+DF6EDj
		sub	eax, ebx
		cmp	eax, esi
		jb	short loc_5D02EA
		mov	ecx, [ecx+4]
		lea	edx, [ebx-1]
		mov	eax, ebx
		add	edx, esi
		shr	eax, 5
		mov	[ebp+var_14], edx
		lea	edi, [ecx+eax*4]
		mov	eax, edx
		mov	edx, [edi]
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_18], eax
		cmp	edi, eax
		jnz	short loc_5D02AE
		push	20h
		or	eax, 0FFFFFFFFh
		pop	ecx
		sub	ecx, esi
		shr	eax, cl
		mov	ecx, ebx
		shl	eax, cl
		and	edx, eax
		neg	edx
		sbb	dl, dl
		inc	dl
		jmp	short loc_5D02DF
; 

loc_5D02AE:				; CODE XREF: MiAddToReservationCluster+DF72Ej
		or	eax, 0FFFFFFFFh
		mov	ecx, ebx
		shl	eax, cl
		test	edx, eax
		jnz	short loc_5D02EA
		mov	eax, [ebp+var_18]
		jmp	short loc_5D02C3
; 

loc_5D02BE:				; CODE XREF: MiAddToReservationCluster+DF762j
		cmp	dword ptr [edi], 0
		jnz	short loc_5D02EA

loc_5D02C3:				; CODE XREF: MiAddToReservationCluster+DF756j
		add	edi, 4
		cmp	edi, eax
		jnz	short loc_5D02BE
		mov	ecx, [ebp+var_14]
		or	eax, 0FFFFFFFFh
		not	ecx
		shr	eax, cl
		mov	ecx, [edi]
		and	ecx, eax
		neg	ecx
		sbb	cl, cl
		lea	edx, [ecx+1]

loc_5D02DF:				; CODE XREF: MiAddToReservationCluster+DF746j
		mov	edi, [ebp+var_8]

loc_5D02E2:				; CODE XREF: MiAddToReservationCluster+DF704j
		test	dl, dl
		jnz	loc_4F0C44

loc_5D02EA:				; CODE XREF: MiAddToReservationCluster+DF6E4j
					; MiAddToReservationCluster+DF6EFj ...
		mov	eax, [ebp+var_8]
		add	eax, 10h
		jmp	loc_4F0CB8
; 

loc_5D02F5:				; CODE XREF: MiAddToReservationCluster+10Dj
		mov	eax, [ebp+arg_C]
		add	ecx, esi
		add	ebx, esi
		add	[eax], esi
		test	esi, esi
		jz	loc_4F0C79

loc_5D0306:				; CODE XREF: MiAddToReservationCluster+DF7ADj
		mov	eax, ds:dword_6D34E4
		mov	[edi], eax
		add	edi, 4
		sub	esi, 1
		jnz	short loc_5D0306
		jmp	loc_4F0C79
; 

loc_5D031A:				; CODE XREF: MiAddToReservationCluster+D0j
		lea	ecx, [edi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		jmp	loc_4F0CC0
; END OF FUNCTION CHUNK	FOR MiAddToReservationCluster
; 
; START	OF FUNCTION CHUNK FOR MiUnlockStoreLockedPages

loc_5D032A:				; CODE XREF: MiUnlockStoreLockedPages+EAj
					; MiUnlockStoreLockedPages+DF577j ...
		lea	ecx, [esp+28h+var_10]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_5D032A
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_5D032A
		mov	ebx, [esp+28h+var_8]
		jmp	loc_4F0E42
; 

loc_5D0349:				; CODE XREF: MiUnlockStoreLockedPages+C3j
		mov	ecx, [esp+28h+var_10]
		push	edx
		push	ebx
		xor	edx, edx
		call	MiReleasePageFileInfo
		jmp	loc_4F0E89
; END OF FUNCTION CHUNK	FOR MiUnlockStoreLockedPages
; 
; START	OF FUNCTION CHUNK FOR SepConvertToOwnTokenClaims

loc_5D035B:				; CODE XREF: SepConvertToOwnTokenClaims+23j
		lea	edx, [ebp+var_4]
		call	_SepDuplicateClaimAttributes@8 ; SepDuplicateClaimAttributes(x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_4F0F8B
		mov	eax, [ebp+var_4]
		or	[esi+0B0h], edi
		mov	[esi+27Ch], eax
		mov	eax, ecx
		jmp	loc_4F0F8B
; END OF FUNCTION CHUNK	FOR SepConvertToOwnTokenClaims
; 
; START	OF FUNCTION CHUNK FOR ExpInsertPoolTrackerExpansion

loc_5D0383:				; CODE XREF: ExpInsertPoolTrackerExpansion+39j
		mov	eax, ds:_PoolTrackTableSize
		mov	edi, ds:_PoolTrackTable
		mov	ebx, ds:_PoolTrackTableExpansionSize
		mov	edx, ds:_PoolTrackTableExpansion
		mov	[esp+58h+var_34], eax
		jmp	loc_4F1006
; 

loc_5D03A3:				; CODE XREF: ExpInsertPoolTrackerExpansion+BEj
		add	[eax+8], ebx
		adc	dword ptr [eax+0Ch], 0
		add	[eax+4], esi
		jmp	loc_4F1068
; 

loc_5D03B2:				; CODE XREF: ExpInsertPoolTrackerExpansion+D4j
		mov	edx, [ebp+4]
		lea	ecx, [esp+58h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4F109A
; 

loc_5D03C3:				; CODE XREF: ExpInsertPoolTrackerExpansion+FAj
		lea	ecx, [esp+58h+var_18]
		call	KxWaitForLockChainValid

loc_5D03CC:				; CODE XREF: ExpInsertPoolTrackerExpansion+E0j
		mov	[esp+58h+var_18], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_4F109A
; 

loc_5D03DF:				; CODE XREF: ExpInsertPoolTrackerExpansion+120j
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jz	short loc_5D03F8
		mov	edx, [ebp+4]
		lea	ecx, [esp+58h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5D0429
; 

loc_5D03F8:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF44Ej
		mov	eax, [esp+58h+var_18]
		test	eax, eax
		jnz	short loc_5D041B
		mov	edx, [esp+58h+var_14]
		lea	eax, [esp+58h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+58h+var_18]
		cmp	eax, ecx
		jz	short loc_5D0429
		call	KxWaitForLockChainValid

loc_5D041B:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF464j
		mov	[esp+58h+var_18], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_5D0429:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF45Cj
					; ExpInsertPoolTrackerExpansion+DF47Aj
		mov	cl, [esp+58h+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		imul	eax, esi, 30h
		add	eax, 0FFFFFFD0h
		add	eax, edi
		xor	edi, edi
		mov	[esp+58h+var_28], eax
		test	byte ptr [ebp+arg_0], bl
		jnz	short loc_5D0480
		add	eax, 8
		inc	edi
		mov	[esp+58h+var_38], eax

loc_5D044E:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF4DAj
					; ExpInsertPoolTrackerExpansion+DF4E0j
		mov	esi, [eax]
		mov	ebx, esi
		mov	edx, [eax+4]
		add	ebx, edi
		mov	ecx, edx
		mov	[esp+58h+var_24], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		mov	edi, [esp+58h+var_38]
		lock cmpxchg8b qword ptr [edi]
		push	1
		cmp	eax, esi
		mov	eax, [esp+5Ch+var_38]
		pop	edi
		jnz	short loc_5D044E
		cmp	edx, [esp+58h+var_24]
		jnz	short loc_5D044E
		push	4
		jmp	short loc_5D04B8
; 

loc_5D0480:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF4AAj
		add	eax, 20h
		inc	edi
		mov	[esp+58h+var_38], eax

loc_5D0488:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF514j
					; ExpInsertPoolTrackerExpansion+DF51Aj
		mov	esi, [eax]
		mov	ebx, esi
		mov	edx, [eax+4]
		add	ebx, edi
		mov	ecx, edx
		mov	[esp+58h+var_24], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		mov	edi, [esp+58h+var_38]
		lock cmpxchg8b qword ptr [edi]
		push	1
		cmp	eax, esi
		mov	eax, [esp+5Ch+var_38]
		pop	edi
		jnz	short loc_5D0488
		cmp	edx, [esp+58h+var_24]
		jnz	short loc_5D0488
		push	18h

loc_5D04B8:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF4E4j
		mov	eax, [esp+5Ch+var_28]
		pop	ecx
		jmp	loc_5D07F9
; 

loc_5D04C2:				; CODE XREF: ExpInsertPoolTrackerExpansion+16Bj
		push	ebx		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_4F110B
; 

loc_5D04D2:				; CODE XREF: ExpInsertPoolTrackerExpansion+195j
		mov	ds:_PoolTrackTableExpansion, esi
		mov	ds:_PoolTrackTableExpansionSize, ecx
		jmp	loc_4F1153
; 

loc_5D04E3:				; CODE XREF: ExpInsertPoolTrackerExpansion+1D2j
		int	3		; Trap to Debugger

loc_5D04E4:				; CODE XREF: ExpInsertPoolTrackerExpansion+1D8j
		test	ds:byte_70EFC4,	41h
		jz	short loc_5D0502
		push	ebx
		push	esi
		push	[esp+60h+var_48]
		mov	edx, 200h
		mov	ecx, 0E20h
		call	_EtwTracePool@20 ; EtwTracePool(x,x,x,x,x)

loc_5D0502:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF551j
		movzx	eax, large byte	ptr fs:51h
		mov	ebx, ds:_PoolTrackTableMask
		mov	[esp+58h+var_20], ebx
		mov	edx, ds:_ExPoolTagTables[eax*4]
		mov	eax, ds:_PoolTrackTableSize
		mov	[esp+58h+var_1C], eax
		mov	eax, [esp+58h+var_48]
		movzx	ecx, al
		shl	ecx, 2
		movzx	eax, ah
		xor	ecx, eax
		mov	[esp+58h+var_34], edx
		movzx	eax, byte ptr [esp+58h+var_48+2]
		shl	ecx, 2
		xor	ecx, eax
		movzx	eax, byte ptr [esp+58h+var_48+3]
		shl	ecx, 2
		xor	ecx, eax
		imul	edi, ecx, 9E5Fh
		sar	edi, 2
		and	edi, ebx
		xor	ebx, ebx
		imul	esi, edi, 30h
		inc	ebx
		mov	[esp+58h+var_3C], edi
		jmp	loc_4F117D
; 

loc_5D0565:				; CODE XREF: ExpInsertPoolTrackerExpansion+316j
		mov	edx, [ebp+4]
		lea	ecx, [esp+58h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4F12DC
; 

loc_5D0576:				; CODE XREF: ExpInsertPoolTrackerExpansion+33Cj
		lea	ecx, [esp+58h+var_C]
		call	KxWaitForLockChainValid

loc_5D057F:				; CODE XREF: ExpInsertPoolTrackerExpansion+322j
		mov	[esp+58h+var_C], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_4F12DC
; 

loc_5D0592:				; CODE XREF: ExpInsertPoolTrackerExpansion+24Ej
		mov	edx, [ebp+4]
		lea	ecx, [esp+58h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4F1214
; 

loc_5D05A3:				; CODE XREF: ExpInsertPoolTrackerExpansion+274j
		lea	ecx, [esp+58h+var_18]
		call	KxWaitForLockChainValid

loc_5D05AC:				; CODE XREF: ExpInsertPoolTrackerExpansion+25Aj
		mov	[esp+58h+var_18], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_4F1214
; 

loc_5D05BF:				; CODE XREF: ExpInsertPoolTrackerExpansion+28Aj
		mov	eax, 6C6F6F50h
		mov	[esp+58h+var_44], eax
		cmp	ds:_PoolHitTag,	eax
		jnz	short loc_5D05D1
		int	3		; Trap to Debugger

loc_5D05D1:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF634j
		test	ds:byte_70EFC4,	41h
		mov	esi, [esp+58h+var_2C]
		jz	short loc_5D05F3
		push	esi
		push	ebx
		push	[esp+60h+var_44]
		mov	edx, 200h
		mov	ecx, 0E22h
		call	_EtwTracePool@20 ; EtwTracePool(x,x,x,x,x)

loc_5D05F3:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF642j
		movzx	eax, large byte	ptr fs:51h
		mov	edx, ds:_PoolTrackTableMask
		mov	[esp+58h+var_1C], edx
		mov	edi, ds:_ExPoolTagTables[eax*4]
		mov	eax, [esp+58h+var_44]
		movzx	ecx, al
		shl	ecx, 2
		movzx	eax, ah
		xor	ecx, eax
		mov	[esp+58h+var_34], edi
		movzx	eax, byte ptr [esp+58h+var_44+2]
		shl	ecx, 2
		xor	ecx, eax
		movzx	eax, byte ptr [esp+58h+var_44+3]
		shl	ecx, 2
		xor	ecx, eax
		imul	ecx, 9E5Fh
		sar	ecx, 2
		and	ecx, edx
		mov	[esp+58h+var_20], ecx

loc_5D0642:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF743j
					; ExpInsertPoolTrackerExpansion+DF755j
		imul	edx, ecx, 30h
		mov	[esp+58h+var_24], edx
		mov	eax, [edi+edx]
		mov	[esp+58h+var_3C], eax
		mov	eax, [esp+58h+var_44]
		cmp	[esp+58h+var_3C], eax
		jnz	short loc_5D06C7
		lea	eax, [edi+10h]
		xor	edi, edi
		add	eax, edx
		inc	edi
		mov	[esp+58h+var_30], eax

loc_5D0666:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF6F2j
					; ExpInsertPoolTrackerExpansion+DF6F8j
		mov	esi, [eax]
		mov	ebx, esi
		mov	edx, [eax+4]
		add	ebx, edi
		mov	ecx, edx
		mov	[esp+58h+var_1C], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		mov	edi, [esp+58h+var_30]
		lock cmpxchg8b qword ptr [edi]
		push	1
		cmp	eax, esi
		mov	eax, [esp+5Ch+var_30]
		pop	edi
		jnz	short loc_5D0666
		cmp	edx, [esp+58h+var_1C]
		jnz	short loc_5D0666
		mov	eax, [esp+58h+var_24]
		mov	ecx, [esp+58h+var_2C]
		add	eax, 4
		add	eax, [esp+58h+var_34]
		neg	ecx
		lock xadd [eax], ecx
		mov	ebx, [esp+58h+var_38]

loc_5D06AD:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF769j
		mov	ecx, ebx
		call	ExGetHeapFromVA
		xor	ecx, ecx
		mov	edx, ebx
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, eax
		call	RtlpHpFreeHeap
		jmp	loc_4F122A
; 

loc_5D06C7:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF6BEj
		cmp	[esp+58h+var_3C], 0
		jnz	short loc_5D06E6
		mov	eax, ds:_PoolTrackTable
		mov	eax, [edx+eax]
		test	eax, eax
		jz	short loc_5D06E2
		mov	[edi+edx], eax
		jmp	loc_5D0642
; 

loc_5D06E2:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF73Ej
		mov	eax, [esp+58h+var_44]

loc_5D06E6:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF732j
		inc	ecx
		and	ecx, [esp+58h+var_1C]
		cmp	ecx, [esp+58h+var_20]
		jnz	loc_5D0642
		push	200h
		mov	edx, esi
		mov	ecx, eax
		call	ExpRemovePoolTrackerExpansion
		jmp	short loc_5D06AD
; 

loc_5D0705:				; CODE XREF: ExpInsertPoolTrackerExpansion+15Fj
		mov	eax, [esp+58h+var_34]
		xor	ebx, ebx
		dec	eax
		inc	ebx
		imul	esi, eax, 30h
		mov	[esp+58h+var_24], esi
		mov	dword ptr [esi+edi], 6C66764Fh
		test	ds:byte_70EFC6,	bl
		jz	short loc_5D0731
		mov	edx, [ebp+4]
		lea	ecx, [esp+58h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5D0762
; 

loc_5D0731:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF787j
		mov	eax, [esp+58h+var_18]
		test	eax, eax
		jnz	short loc_5D0754
		mov	edx, [esp+58h+var_14]
		lea	eax, [esp+58h+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+58h+var_18]
		cmp	eax, ecx
		jz	short loc_5D0762
		call	KxWaitForLockChainValid

loc_5D0754:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF79Dj
		mov	[esp+58h+var_18], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_5D0762:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF795j
					; ExpInsertPoolTrackerExpansion+DF7B3j
		mov	cl, [esp+58h+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	byte ptr [ebp+arg_0], bl
		jnz	short loc_5D07B4
		lea	eax, [esi+8]
		add	eax, edi
		xor	edi, edi
		mov	[esp+58h+var_28], eax
		inc	edi

loc_5D077D:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF809j
					; ExpInsertPoolTrackerExpansion+DF80Fj
		mov	esi, [eax]
		mov	ebx, esi
		mov	edx, [eax+4]
		add	ebx, edi
		mov	ecx, edx
		mov	[esp+58h+var_1C], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		mov	edi, [esp+58h+var_28]
		lock cmpxchg8b qword ptr [edi]
		push	1
		cmp	eax, esi
		mov	eax, [esp+5Ch+var_28]
		pop	edi
		jnz	short loc_5D077D
		cmp	edx, [esp+58h+var_1C]
		jnz	short loc_5D077D
		mov	ecx, [esp+58h+var_24]
		add	ecx, 4
		jmp	short loc_5D07F5
; 

loc_5D07B4:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF7D5j
		lea	eax, [esi+20h]
		add	eax, edi
		xor	edi, edi
		mov	[esp+58h+var_28], eax
		inc	edi

loc_5D07C0:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF84Cj
					; ExpInsertPoolTrackerExpansion+DF852j
		mov	esi, [eax]
		mov	ebx, esi
		mov	edx, [eax+4]
		add	ebx, edi
		mov	ecx, edx
		mov	[esp+58h+var_1C], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		mov	edi, [esp+58h+var_28]
		lock cmpxchg8b qword ptr [edi]
		push	1
		cmp	eax, esi
		mov	eax, [esp+5Ch+var_28]
		pop	edi
		jnz	short loc_5D07C0
		cmp	edx, [esp+58h+var_1C]
		jnz	short loc_5D07C0
		mov	ecx, [esp+58h+var_24]
		add	ecx, 18h

loc_5D07F5:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF818j
		mov	eax, [esp+58h+var_3C]

loc_5D07F9:				; CODE XREF: ExpInsertPoolTrackerExpansion+DF523j
		add	eax, ecx
		mov	ecx, [esp+58h+var_40]
		lock xadd [eax], ecx
		jmp	loc_4F10A4
; END OF FUNCTION CHUNK	FOR ExpInsertPoolTrackerExpansion
; 
; START	OF FUNCTION CHUNK FOR WmipRawSMBiosTableHandler

loc_5D0808:				; CODE XREF: WmipRawSMBiosTableHandler+12j
					; WmipRawSMBiosTableHandler+22j
		mov	eax, 0C00000EFh
		jmp	loc_4F1340
; END OF FUNCTION CHUNK	FOR WmipRawSMBiosTableHandler
; 
; START	OF FUNCTION CHUNK FOR MmAllocateContiguousNodeMemory

loc_5D0812:				; CODE XREF: MmAllocateContiguousNodeMemory+2Bj
		inc	esi
		jmp	loc_4F13BB
; 

loc_5D0818:				; CODE XREF: MmAllocateContiguousNodeMemory+A8j
		test	dl, 7
		jnz	loc_4F1437
		jmp	loc_4F13E9
; END OF FUNCTION CHUNK	FOR MmAllocateContiguousNodeMemory
; 
; START	OF FUNCTION CHUNK FOR MiAllocateContiguousMemory

loc_5D0826:				; CODE XREF: MiAllocateContiguousMemory+2F3j
		and	ebx, 0FFFFFFFDh
		mov	[esp+0ACh+var_88], ebx
		jmp	loc_4F14CC
; 

loc_5D0832:				; CODE XREF: MiAllocateContiguousMemory+EAj
		mov	eax, large fs:124h
		mov	eax, [eax+16Ch]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	eax, [eax+338h]
		movzx	esi, word ptr [eax+8Ah]
		jmp	loc_4F1539
; 

loc_5D0857:				; CODE XREF: MiAllocateContiguousMemory+119j
		mov	eax, edx
		shl	eax, 2
		jmp	loc_4F155E
; 

loc_5D0861:				; CODE XREF: MiAllocateContiguousMemory+177j
		xor	eax, eax
		lea	ebx, [eax+1]
		jmp	loc_4F16D4
; 

loc_5D086B:				; CODE XREF: MiAllocateContiguousMemory+1CAj
		add	esi, 4
		cmp	esi, [esp+0ACh+var_80]
		jz	short loc_5D08B7
		and	ebx, 0F7FFFFFFh
		jmp	loc_4F15D9
; 

loc_5D087F:				; CODE XREF: MiAllocateContiguousMemory+20Dj
		cmp	[esp+0ACh+var_84], 0
		jz	short loc_5D088D
		mov	eax, 1000h
		add	esi, eax

loc_5D088D:				; CODE XREF: MiAllocateContiguousMemory+DF448j
		push	esi
		push	ebx
		call	MmUnmapIoSpace
		xor	ebx, ebx
		mov	[esp+0ACh+var_9C], ebx
		jmp	loc_4F164F
; 

loc_5D089F:				; CODE XREF: MiAllocateContiguousMemory+225j
		xor	esi, esi
		jmp	loc_4F1678
; 

loc_5D08A6:				; CODE XREF: MiAllocateContiguousMemory+290j
		push	edi
		push	0Dh
		xor	edx, edx
		mov	ecx, ebx
		call	_MiLogPerfMemoryRangeEvent@16 ;	MiLogPerfMemoryRangeEvent(x,x,x,x)
		jmp	loc_4F16D2
; 

loc_5D08B7:				; CODE XREF: MiAllocateContiguousMemory+283j
					; MiAllocateContiguousMemory+DF436j
		mov	ecx, [esp+0ACh+var_98]
		xor	ebx, ebx
		cmp	ecx, 0FFFFFFFFh
		jz	loc_4F16D4
		mov	edx, edi
		call	_MiFreeContiguousPages@8 ; MiFreeContiguousPages(x,x)
		jmp	loc_4F16D2
; 

loc_5D08D2:				; CODE XREF: MiAllocateContiguousMemory+2B4j
		or	edi, 0FFFFFFFFh
		test	esi, esi
		jz	short loc_5D08E5
		push	esi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	[esp+0ACh+var_6C], eax
		mov	edi, edx

loc_5D08E5:				; CODE XREF: MiAllocateContiguousMemory+DF49Bj
		push	[esp+0ACh+var_64]
		push	[esp+0B0h+var_60]
		push	ecx
		push	ecx
		call	_EtwpGetDurationSince@16 ; EtwpGetDurationSince(x,x,x,x)
		mov	[esp+0ACh+var_5C], eax
		mov	ecx, 1000h
		mov	eax, [esp+0ACh+var_6C]
		mov	[esp+0ACh+var_34], eax
		mov	eax, [esp+0ACh+var_94]
		mov	[esp+0ACh+var_58], edx
		mul	ecx
		mov	[esp+0ACh+var_2C], esi
		mov	[esp+0ACh+var_4C], eax
		mov	eax, [esp+0ACh+var_90]
		mov	[esp+0ACh+var_48], edx
		mul	ecx
		mov	[esp+0ACh+var_30], edi
		mov	[esp+0ACh+var_44], eax
		mov	eax, [esp+0ACh+var_8C]
		mov	[esp+0ACh+var_40], edx
		mul	ecx
		xor	ecx, ecx
		mov	[esp+0ACh+var_28], ebx
		mov	[esp+0ACh+var_3C], eax
		mov	eax, [esp+0ACh+var_88]
		mov	[esp+0ACh+var_24], eax
		mov	eax, [esp+0ACh+var_74]
		mov	[esp+0ACh+var_20], eax
		mov	eax, [esp+0ACh+var_70]
		mov	[esp+0ACh+var_54], eax
		lea	eax, [esp+0ACh+var_5C]
		mov	[esp+0ACh+var_1C], eax
		lea	eax, [esp+0ACh+var_1C]
		push	eax
		xor	eax, eax
		mov	[esp+0B0h+var_38], edx
		inc	eax
		mov	[esp+0B0h+var_50], ecx
		push	eax
		push	ecx
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	offset _KERNEL_MEM_EVENT_CONT_ALLOCATION
		push	ds:dword_6BC304
		mov	[esp+0D0h+var_18], ecx
		push	ds:_EtwpMemoryProvRegHandle
		mov	[esp+0D4h+var_14], 40h
		mov	[esp+0D4h+var_10], ecx
		call	EtwWriteEx
		jmp	loc_4F16F6
; END OF FUNCTION CHUNK	FOR MiAllocateContiguousMemory
; 
; START	OF FUNCTION CHUNK FOR ExInsertPoolTag

loc_5D09B9:				; CODE XREF: ExInsertPoolTag+22j
		lea	edi, [eax+esi]
		mov	ebx, 0FFFh
		test	edi, ebx
		jz	loc_4F176A
		lea	eax, [ebp+var_28]
		push	eax
		call	KeQueryTickCount
		mov	dl, byte ptr [ebp+var_28]
		lea	eax, [ebx+1]
		mov	ecx, edi
		or	dl, 1
		and	ecx, ebx
		mov	byte ptr [ebp+var_4], dl
		sub	eax, ecx
		movzx	eax, ax
		mov	[ebp+arg_8], eax
		movzx	eax, ax
		push	eax		; size_t
		movzx	eax, dl
		push	eax		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	ecx, [ebp+arg_8]
		jmp	loc_4F176A
; 

loc_5D0A06:				; CODE XREF: ExInsertPoolTag+6Fj
		int	3		; Trap to Debugger
		jmp	loc_4F17B7
; 

loc_5D0A0C:				; CODE XREF: ExInsertPoolTag+7Cj
		mov	edx, [ebp+arg_4]
		mov	ecx, 0E20h
		push	ebx
		push	[ebp+var_8]
		push	[ebp+arg_8]
		call	_EtwTracePool@20 ; EtwTracePool(x,x,x,x,x)
		jmp	loc_4F17C4
; 

loc_5D0A25:				; CODE XREF: ExInsertPoolTag+201j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_34]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4F196B
; 

loc_5D0A35:				; CODE XREF: ExInsertPoolTag+223j
		lea	ecx, [ebp+var_34]
		call	KxWaitForLockChainValid

loc_5D0A3D:				; CODE XREF: ExInsertPoolTag+20Cj
		xor	ecx, ecx
		mov	[ebp+var_34], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4F196B
; 

loc_5D0A52:				; CODE XREF: ExInsertPoolTag+30j
					; ExInsertPoolTag+57j
		xor	eax, eax
		jmp	loc_4F1881
; END OF FUNCTION CHUNK	FOR ExInsertPoolTag
; 
; START	OF FUNCTION CHUNK FOR MiMapContiguousMemory

loc_5D0A59:				; CODE XREF: MiMapContiguousMemory+6Ej
					; MiMapContiguousMemory+76j
		or	eax, [ebp+var_2C]
		jnz	loc_4F1BA3
		jmp	loc_4F1A92
; 

loc_5D0A67:				; CODE XREF: MiMapContiguousMemory+A4j
		and	ecx, 1FFFFFFh
		mov	[ebp+var_38], ecx
		jmp	loc_4F1AC0
; 

loc_5D0A75:				; CODE XREF: MiMapContiguousMemory+B6j
		and	ebx, 0FFFFFFFDh
		jmp	loc_4F1AD2
; 

loc_5D0A7D:				; CODE XREF: MiMapContiguousMemory+DAj
		lea	eax, [esi+1]
		mov	[ebp+var_40], eax
		jmp	loc_4F1AF6
; 

loc_5D0A88:				; CODE XREF: MiMapContiguousMemory+FCj
		or	eax, 2
		jmp	loc_4F1B18
; 

loc_5D0A90:				; CODE XREF: MiMapContiguousMemory+117j
		push	[ebp+var_40]
		mov	edx, esi
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		jmp	loc_4F1BA3
; 

loc_5D0AA4:				; CODE XREF: MiMapContiguousMemory+132j
		mov	ecx, [ebp+var_4C]
		xor	eax, eax
		mov	edx, [ebp+var_50]
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_14], eax
		mov	eax, ecx
		shrd	eax, edx, 0Ch
		and	ecx, 0FFFFF000h
		mov	[ebp+var_1C], esi
		cmp	[ebp+var_48], 0
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_44]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], eax
		jz	short loc_5D0AD9
		or	edi, 2

loc_5D0AD9:				; CODE XREF: MiMapContiguousMemory+DF0BEj
		mov	eax, [ebp+var_34]
		xor	ecx, ecx
		mov	[ebp+var_20], eax
		inc	ecx
		mov	eax, ebx
		shr	eax, 3
		cmp	eax, ecx
		jnz	short loc_5D0AEF
		xor	ecx, ecx
		jmp	short loc_5D0AFC
; 

loc_5D0AEF:				; CODE XREF: MiMapContiguousMemory+DF0D3j
		cmp	eax, 3
		jnz	short loc_5D0AFC
		test	bl, 7
		jz	short loc_5D0AFC
		push	2
		pop	ecx

loc_5D0AFC:				; CODE XREF: MiMapContiguousMemory+DF0D7j
					; MiMapContiguousMemory+DF0DCj	...
		push	ecx
		xor	edx, edx
		lea	ecx, [ebp+var_28]
		push	edi
		inc	edx
		call	_MiInsertPteTracker@16 ; MiInsertPteTracker(x,x,x,x)
		jmp	loc_4F1B4E
; END OF FUNCTION CHUNK	FOR MiMapContiguousMemory
; 
; START	OF FUNCTION CHUNK FOR ExAllocateContiguousHeapPool

loc_5D0B0E:				; CODE XREF: ExAllocateContiguousHeapPool+56j
		mov	esi, [ebp+arg_4]
		cmp	esi, [edi+18Ch]
		jnb	loc_4F1C5C
		add	esi, 0FFFh
		lea	ecx, [edi+100h]
		and	esi, 0FFFFF000h
		mov	[ebp+var_1C], esi
		cmp	esi, [edi+10Ch]
		jbe	short loc_5D0B40
		lea	ecx, [edi+180h]

loc_5D0B40:				; CODE XREF: ExAllocateContiguousHeapPool+DEF38j
		push	800000h
		push	esi
		push	esi
		mov	edx, esi
		call	RtlpHpSegAlloc
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_4F1C5C
		push	ebx
		push	ebx
		push	200h
		push	esi
		mov	edx, 746E6F43h
		mov	ecx, eax
		call	ExpAddTagForBigPages
		test	eax, eax
		jz	loc_5D0D1D
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		mov	ecx, 746E6F43h
		mov	[ebp+arg_0], ecx
		stosd
		stosd
		mov	eax, ds:_PoolHitTag
		cmp	eax, ecx
		jnz	short loc_5D0B8F
		int	3		; Trap to Debugger

loc_5D0B8F:				; CODE XREF: ExAllocateContiguousHeapPool+DEF8Cj
		test	ds:byte_70EFC4,	41h
		jz	short loc_5D0BAE
		push	esi
		push	[ebp+var_4]
		mov	edx, 200h
		mov	ecx, 0E20h
		push	[ebp+arg_0]
		call	_EtwTracePool@20 ; EtwTracePool(x,x,x,x,x)

loc_5D0BAE:				; CODE XREF: ExAllocateContiguousHeapPool+DEF96j
		movzx	eax, large byte	ptr fs:51h
		mov	edi, ds:_PoolTrackTableMask
		mov	[ebp+var_14], edi
		mov	edx, ds:_ExPoolTagTables[eax*4]
		mov	eax, ds:_PoolTrackTableSize
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		movzx	ecx, al
		shl	ecx, 2
		movzx	eax, ah
		xor	ecx, eax
		mov	[ebp+arg_4], edx
		movzx	eax, byte ptr [ebp+arg_0+2]
		shl	ecx, 2
		xor	ecx, eax
		movzx	eax, byte ptr [ebp+arg_0+3]
		shl	ecx, 2
		xor	ecx, eax
		imul	ecx, 9E5Fh
		sar	ecx, 2
		and	ecx, edi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_18], ecx

loc_5D0C02:				; CODE XREF: ExAllocateContiguousHeapPool+DF074j
					; ExAllocateContiguousHeapPool+DF0F2j ...
		imul	edi, ecx, 30h
		mov	[ebp+var_C], edi
		mov	eax, [edi+edx]
		mov	[ebp+arg_8], eax
		mov	eax, [ebp+arg_0]
		cmp	[ebp+arg_8], eax
		jnz	short loc_5D0C5C
		lea	eax, [edi+8]
		add	eax, edx
		mov	[ebp+arg_0], eax
		mov	edi, eax

loc_5D0C20:				; CODE XREF: ExAllocateContiguousHeapPool+DF03Dj
					; ExAllocateContiguousHeapPool+DF042j
		mov	esi, [edi]
		xor	eax, eax
		mov	edx, [edi+4]
		inc	eax
		mov	ebx, esi
		mov	[ebp+arg_0], edx
		add	ebx, eax
		mov	ecx, edx
		mov	eax, esi
		adc	ecx, 0
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_5D0C20
		cmp	edx, [ebp+arg_0]
		jnz	short loc_5D0C20
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_1C]
		add	eax, 4
		add	eax, [ebp+var_C]
		lock xadd [eax], ecx

loc_5D0C54:				; CODE XREF: ExAllocateContiguousHeapPool+DF118j
		mov	ebx, [ebp+var_4]
		jmp	loc_4F1C5C
; 

loc_5D0C5C:				; CODE XREF: ExAllocateContiguousHeapPool+DF014j
		cmp	[ebp+arg_8], ebx
		jnz	loc_5D0CFA
		mov	eax, ds:_PoolTrackTable
		mov	eax, [edi+eax]
		test	eax, eax
		jz	short loc_5D0C76
		mov	[edi+edx], eax
		jmp	short loc_5D0C02
; 

loc_5D0C76:				; CODE XREF: ExAllocateContiguousHeapPool+DF06Fj
		mov	eax, [ebp+var_10]
		dec	eax
		cmp	ecx, eax
		jz	short loc_5D0CF7
		lea	edx, [ebp+var_28]
		mov	ecx, offset _ExpTaggedPoolLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, ds:_PoolTrackTable
		cmp	[edi+ecx], ebx
		jnz	short loc_5D0CA2
		mov	eax, [ebp+arg_0]
		mov	[edi+ecx], eax
		mov	ecx, [ebp+arg_4]
		mov	[edi+ecx], eax

loc_5D0CA2:				; CODE XREF: ExAllocateContiguousHeapPool+DF094j
		test	ds:byte_70EFC6,	1
		jz	short loc_5D0CB8
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5D0CE3
; 

loc_5D0CB8:				; CODE XREF: ExAllocateContiguousHeapPool+DF0A9j
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	short loc_5D0CD7
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_28]
		cmp	eax, ecx
		jz	short loc_5D0CE3
		call	KxWaitForLockChainValid

loc_5D0CD7:				; CODE XREF: ExAllocateContiguousHeapPool+DF0BDj
		xor	ecx, ecx
		mov	[ebp+var_28], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5D0CE3:				; CODE XREF: ExAllocateContiguousHeapPool+DF0B6j
					; ExAllocateContiguousHeapPool+DF0D0j
		mov	cl, [ebp+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+arg_4]
		jmp	loc_5D0C02
; 

loc_5D0CF7:				; CODE XREF: ExAllocateContiguousHeapPool+DF07Cj
		mov	eax, [ebp+arg_0]

loc_5D0CFA:				; CODE XREF: ExAllocateContiguousHeapPool+DF05Fj
		inc	ecx
		and	ecx, [ebp+var_14]
		mov	[ebp+var_8], ecx
		cmp	ecx, [ebp+var_18]
		jnz	loc_5D0C02
		push	200h
		mov	edx, esi
		mov	ecx, eax
		call	ExpInsertPoolTrackerExpansion
		jmp	loc_5D0C54
; 

loc_5D0D1D:				; CODE XREF: ExAllocateContiguousHeapPool+32j
					; ExAllocateContiguousHeapPool+41j ...
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	loc_4F1C5C
		push	ecx
		push	ecx
		push	ebx
		mov	edx, eax
		mov	ecx, edi
		call	RtlpHpFreeHeap
		jmp	loc_4F1C5C
; END OF FUNCTION CHUNK	FOR ExAllocateContiguousHeapPool
; 
; START	OF FUNCTION CHUNK FOR ExGetHeapFromType

loc_5D0D39:				; CODE XREF: ExGetHeapFromType+25j
		cmp	[ebp+arg_0], 0
		jnz	short loc_5D0D47
		mov	eax, [edx+0Ch]
		jmp	loc_4F1CC5
; 

loc_5D0D47:				; CODE XREF: ExGetHeapFromType+DF0C9j
		mov	eax, ds:dword_6F9A8C
		jmp	loc_4F1CC5
; 

loc_5D0D51:				; CODE XREF: ExGetHeapFromType+32j
		cmp	[ebp+arg_0], 0
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	eax, [eax+1D8h]
		jnz	short loc_5D0D7A
		mov	eax, [eax+1C78h]
		jmp	loc_4F1CC5
; 

loc_5D0D7A:				; CODE XREF: ExGetHeapFromType+DF0F9j
		mov	eax, [eax+1C7Ch]
		jmp	loc_4F1CC5
; END OF FUNCTION CHUNK	FOR ExGetHeapFromType
; 
; START	OF FUNCTION CHUNK FOR RtlFxToFnFrame

loc_5D0D85:				; CODE XREF: RtlFxToFnFrame+7Dj
		lea	edx, [ebx+2]
		mov	esi, 7FFFh
		shl	edx, 4
		or	ecx, 2
		add	edx, [ebp+var_14]
		mov	ax, [edx+8]
		and	ax, si
		jnz	short loc_5D0DBE
		mov	eax, [edx]
		or	eax, [edx+4]
		mov	al, [ebp+var_1]
		mov	edx, [ebp+var_8]
		jnz	loc_4F1E80
		and	ecx, 0FFFDh
		or	ecx, 1
		jmp	loc_4F1E80
; 

loc_5D0DBE:				; CODE XREF: RtlFxToFnFrame+DEFA3j
		cmp	ax, si
		jz	short loc_5D0DD6
		cmp	dword ptr [edx+4], 0
		jg	short loc_5D0DD6
		jl	short loc_5D0DD0
		cmp	dword ptr [edx], 0
		jnb	short loc_5D0DD6

loc_5D0DD0:				; CODE XREF: RtlFxToFnFrame+DEFCFj
		and	ecx, 0FFFCh

loc_5D0DD6:				; CODE XREF: RtlFxToFnFrame+DEFC7j
					; RtlFxToFnFrame+DEFCDj ...
		mov	edx, [ebp+var_8]
		mov	al, [ebp+var_1]
		jmp	loc_4F1E80
; END OF FUNCTION CHUNK	FOR RtlFxToFnFrame
; 

loc_5D0DE1:				; CODE XREF: .text:004F1FDAj
		mov	byte ptr [ebp-1], 1
		cmp	ebx, [ebp-18h]
		jz	loc_4F1FE0
		mov	edx, 746C6644h
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag
		jmp	loc_4F1FE0
; 

loc_5D0DFF:				; CODE XREF: .text:004F1FF6j
					; .text:005D0F35j
		mov	edi, eax
		mov	eax, [eax]
		mov	[ebp-28h], eax
		mov	ecx, [edi+4]
		cmp	[eax+4], edi
		jnz	loc_4F202D
		cmp	[ecx], edi
		jnz	loc_4F202D
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	al, [edi+8]
		cmp	al, 1
		jnz	short loc_5D0E4B
		mov	ecx, [ebp-0Ch]
		lea	eax, [ebp-24h]
		push	eax
		movzx	eax, word ptr [edi+0Ah]
		mov	edx, edi
		push	eax
		call	KiTryUnwaitThread
		mov	edx, 0FFFFFF7Fh
		test	al, al
		jnz	loc_5D0F0F
		jmp	loc_5D0F2D
; 

loc_5D0E4B:				; CODE XREF: .text:005D0E24j
		cmp	al, 2
		jnz	loc_5D0F17
		mov	byte ptr [edi+9], 5
		mov	ebx, [edi+0Ch]
		and	dword ptr [edi], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp-14h], eax
		mov	eax, [eax+4]
		mov	[ebp-10h], eax
		jz	short loc_5D0E93
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp-10h]
		mov	edx, edi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_5D0E93:				; CODE XREF: .text:005D0E7Cj
		mov	ecx, ebx
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	ecx, [ebx+8]
		cmp	[ecx], ecx
		jz	short loc_5D0ED1
		mov	eax, [ebx+18h]
		cmp	eax, [ebx+1Ch]
		jnb	short loc_5D0ED1
		mov	edx, [ebp-10h]
		mov	eax, [edx+0A4h]
		cmp	eax, ebx
		jnz	short loc_5D0EBF
		cmp	byte ptr [edx+18Bh], 0Fh
		jz	short loc_5D0ED1

loc_5D0EBF:				; CODE XREF: .text:005D0EB4j
		mov	ecx, [ebp-14h]
		mov	edx, ebx
		push	edi
		call	KiWakeQueueWaiter
		test	al, al
		jnz	short loc_5D0F07
		lea	ecx, [ebx+8]

loc_5D0ED1:				; CODE XREF: .text:005D0E9Fj
					; .text:005D0EA7j ...
		mov	eax, [ebx+4]
		mov	[ebp-10h], eax
		inc	eax
		mov	[ebx+4], eax
		lea	eax, [ebx+10h]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_4F202D
		cmp	dword ptr [ebp-10h], 0
		mov	[edi], eax
		mov	[edi+4], edx
		mov	[edx], edi
		mov	[eax+4], edi
		jnz	short loc_5D0F07
		cmp	[ecx], ecx
		jz	short loc_5D0F07
		mov	ecx, [ebp-14h]
		mov	edx, ebx
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)

loc_5D0F07:				; CODE XREF: .text:005D0ECCj
					; .text:005D0EF7j ...
		mov	edx, 0FFFFFF7Fh
		lock and [ebx],	edx

loc_5D0F0F:				; CODE XREF: .text:005D0E40j
		sub	dword ptr [esi+4], 1
		jnz	short loc_5D0F2D
		jmp	short loc_5D0F3B
; 

loc_5D0F17:				; CODE XREF: .text:005D0E4Dj
		mov	ecx, [ebp-0Ch]
		mov	edx, edi
		push	0
		push	100h
		call	KiTryUnwaitThread
		mov	edx, 0FFFFFF7Fh

loc_5D0F2D:				; CODE XREF: .text:005D0E46j
					; .text:005D0F13j
		mov	eax, [ebp-28h]
		lea	ecx, [esi+8]
		cmp	eax, ecx
		jnz	loc_5D0DFF

loc_5D0F3B:				; CODE XREF: .text:005D0F15j
		mov	ebx, [ebp-8]
		jmp	loc_4F1FFC
; 

loc_5D0F43:				; CODE XREF: .text:004F1F7Cj
		mov	ecx, esi
		cmp	ebx, edi
		jnz	short loc_5D0F53
		call	KeAbPostRelease
		jmp	loc_4F1F82
; 

loc_5D0F53:				; CODE XREF: .text:005D0F47j
		mov	edx, ebx
		call	_KeAbCrossThreadDelete@8 ; KeAbCrossThreadDelete(x,x)
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	loc_4F1F82
; 

loc_5D0F66:				; CODE XREF: .text:004F2018j
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_4F1F8A
; 
; START	OF FUNCTION CHUNK FOR MiStoreMarkLockedPagesModified

loc_5D0F72:				; CODE XREF: MiStoreMarkLockedPagesModified+51j
					; MiStoreMarkLockedPagesModified+DEF24j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_5D0F72
		jmp	loc_4F20A6
; END OF FUNCTION CHUNK	FOR MiStoreMarkLockedPagesModified

;  S U B	R O U T	I N E 


sub_5D0F85	proc near		; DATA XREF: .text:006A334Co
		xor	eax, eax
		inc	eax
		retn
sub_5D0F85	endp


;  S U B	R O U T	I N E 


sub_5D0F89	proc near		; DATA XREF: .text:006A3350o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	eax, eax
		jmp	loc_4F22E5
sub_5D0F89	endp

; 
; START	OF FUNCTION CHUNK FOR ExfWaitForRundownProtectionRelease

loc_5D0F9A:				; CODE XREF: ExfWaitForRundownProtectionRelease+56j
					; ExfWaitForRundownProtectionRelease+DEC91j
		mov	eax, [esp+30h+var_4]
		test	al, 1
		jz	loc_4F23E5
		lea	ecx, [esp+30h+var_24]
		call	KeYieldProcessorEx
		jmp	short loc_5D0F9A
; 

loc_5D0FB1:				; CODE XREF: ExfWaitForRundownProtectionRelease+75j
		rdtsc
		mov	edi, eax
		mov	ebx, edx
		xor	eax, eax
		add	esi, edi
		adc	eax, ebx
		mov	[esp+30h+var_20], eax

loc_5D0FC1:				; CODE XREF: ExfWaitForRundownProtectionRelease+DECFCj
		lea	eax, [esp+30h+var_4]
		xor	ecx, ecx
		xor	edx, edx
		invlpg	dl
		mov	eax, [esp+30h+var_4]
		test	al, 1
		jz	loc_4F23E5
		rdtsc
		mov	[esp+30h+var_24], edi
		mov	ecx, ebx
		mov	edi, eax
		mov	eax, edx
		cmp	eax, ecx
		jb	loc_4F23BA
		ja	short loc_5D0FF8
		cmp	edi, [esp+30h+var_24]
		jbe	loc_4F23BA

loc_5D0FF8:				; CODE XREF: ExfWaitForRundownProtectionRelease+DECCEj
		cmp	eax, [esp+30h+var_20]
		ja	loc_4F23BA
		jb	short loc_5D100C
		cmp	edi, esi
		jnb	loc_4F23BA

loc_5D100C:				; CODE XREF: ExfWaitForRundownProtectionRelease+DECE4j
		mov	ebx, esi
		sub	ebx, edi
		xor	eax, eax
		push	2
		pop	ecx
		invlpg	bl
		mov	ebx, edx
		jmp	short loc_5D0FC1
; END OF FUNCTION CHUNK	FOR ExfWaitForRundownProtectionRelease
; 
; START	OF FUNCTION CHUNK FOR IoCsqInsertIrpEx

loc_5D101C:				; CODE XREF: IoCsqInsertIrpEx+58j
		xor	eax, eax
		xchg	eax, [ecx]
		test	eax, eax
		jz	loc_4F2570
		push	edi
		push	esi
		call	dword ptr [esi+8]
		test	ebx, ebx
		jz	short loc_5D1035
		and	dword ptr [ebx+4], 0

loc_5D1035:				; CODE XREF: IoCsqInsertIrpEx+DEB1Dj
		push	[ebp+var_4]
		and	dword ptr [edi+4Ch], 0
		push	esi
		call	dword ptr [esi+14h]
		push	edi
		push	esi
		call	dword ptr [esi+18h]
		jmp	loc_4F2577
; END OF FUNCTION CHUNK	FOR IoCsqInsertIrpEx
; 
; START	OF FUNCTION CHUNK FOR SeSetAuditParameter

loc_5D104A:				; CODE XREF: SeSetAuditParameter+25j
					; DATA XREF: .text:004F2684o
		mov	eax, 0C0000002h
		jmp	loc_4F2632
; 

loc_5D1054:				; CODE XREF: SeSetAuditParameter+25j
					; DATA XREF: .text:004F267Co
		mov	ecx, [ebp+arg_C]
		movzx	eax, byte ptr [ecx+1]
		lea	ebx, ds:8[eax*4]
		jmp	loc_4F2652
; 

loc_5D1067:				; CODE XREF: SeSetAuditParameter+25j
					; DATA XREF: .text:004F2688o
		mov	edx, [ebp+arg_C]
		test	edx, edx
		jz	short loc_5D107F
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_5D107C
		imul	ebx, eax, 0Ch
		add	ebx, 8
		jmp	short loc_5D107F
; 

loc_5D107C:				; CODE XREF: SeSetAuditParameter+DEA92j
		push	8
		pop	ebx

loc_5D107F:				; CODE XREF: SeSetAuditParameter+DEA8Cj
					; SeSetAuditParameter+DEA9Aj
		lea	eax, [edi+2]
		imul	eax, 14h
		mov	[eax+esi], edx
		jmp	loc_4F2622
; 

loc_5D108D:				; CODE XREF: SeSetAuditParameter+25j
					; DATA XREF: .text:004F2690o
		lea	eax, [edi+2]
		imul	ecx, eax, 14h
		mov	eax, [ebp+arg_C]
		push	10h
		mov	[ecx+esi], eax
		jmp	loc_4F2621
; 

loc_5D10A0:				; CODE XREF: SeSetAuditParameter+25j
					; DATA XREF: .text:004F2694o
		mov	ecx, [ebp+arg_C]
		movzx	eax, word ptr [ecx]
		cmp	eax, 17h
		jnz	short loc_5D10AF
		push	1Ch
		jmp	short loc_5D10B6
; 

loc_5D10AF:				; CODE XREF: SeSetAuditParameter+DEAC9j
		cmp	eax, 2
		jnz	short loc_5D10BC
		push	10h

loc_5D10B6:				; CODE XREF: SeSetAuditParameter+DEACDj
		pop	ebx
		jmp	loc_4F2652
; 

loc_5D10BC:				; CODE XREF: SeSetAuditParameter+DEAD2j
		xor	ebx, ebx
		cmp	eax, 21h
		setnz	bl
		lea	ebx, ds:0Eh[ebx*2]
		jmp	loc_4F2652
; END OF FUNCTION CHUNK	FOR SeSetAuditParameter
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVaMgrRegionAllocate

loc_5D10D0:				; CODE XREF: RtlpHpVaMgrRegionAllocate+51j
		push	8000h
		lea	edx, [ebp+var_8]
		lea	ecx, [ebp+var_4]
		call	_RtlpHpEnvFreeVA@12 ; RtlpHpEnvFreeVA(x,x,x)
		jmp	loc_4F2717
; END OF FUNCTION CHUNK	FOR RtlpHpVaMgrRegionAllocate
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegSegmentAllocate

loc_5D10E5:				; CODE XREF: RtlpHpSegSegmentAllocate+CBj
		push	[esp+28h+var_14]
		mov	ecx, esi
		push	edx
		mov	edx, ebx
		call	RtlpHpSegSegmentFree
		jmp	loc_4F27F3
; END OF FUNCTION CHUNK	FOR RtlpHpSegSegmentAllocate
; 
; START	OF FUNCTION CHUNK FOR RtlCSparseBitmapBitmaskWrite

loc_5D10F8:				; CODE XREF: RtlCSparseBitmapBitmaskWrite+2Cj
		push	2
		call	RtlCSparseBitmapBitsClear
		xor	eax, eax
		jmp	loc_4F28AB
; END OF FUNCTION CHUNK	FOR RtlCSparseBitmapBitmaskWrite
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVaMgrAlloc

loc_5D1106:				; CODE XREF: RtlpHpVaMgrAlloc+51j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4F2921
; 

loc_5D110D:				; CODE XREF: RtlpHpVaMgrAlloc+169j
		push	8000h
		lea	edx, [ebp+var_2C]
		lea	ecx, [ebp+var_28]
		call	_RtlpHpEnvFreeVA@12 ; RtlpHpEnvFreeVA(x,x,x)

loc_5D111D:				; CODE XREF: RtlpHpVaMgrAlloc+20Dj
		xor	ecx, ecx
		jmp	loc_4F2A44
; 

loc_5D1124:				; CODE XREF: RtlpHpVaMgrAlloc+B0j
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	_RtlpHpVaMgrRangeMarkAllocated@12 ; RtlpHpVaMgrRangeMarkAllocated(x,x,x)
		mov	eax, [ebp+var_30]
		sub	eax, edi
		sar	eax, 4
		push	eax
		call	_RtlpHpVaMgrRangeSplit@12 ; RtlpHpVaMgrRangeSplit(x,x,x)
		mov	edx, edi
		mov	ecx, esi
		call	_RtlpHpVaMgrFree@8 ; RtlpHpVaMgrFree(x,x)
		mov	edi, [ebp+var_30]
		jmp	loc_4F2980
; END OF FUNCTION CHUNK	FOR RtlpHpVaMgrAlloc
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVaMgrRangeFind

loc_5D114E:				; CODE XREF: RtlpHpVaMgrRangeFind+75j
		mov	edi, [ebp+var_4]
		movzx	eax, ax
		mov	[ebp+arg_0], eax
		mov	edi, [edi+0Ch]
		mov	ecx, [edi+14h]
		mov	ebx, [edi+0Ch]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], ebx

loc_5D1166:				; CODE XREF: RtlpHpVaMgrRangeFind+DE30Cj
		mov	edx, esi
		sub	edx, ecx
		mov	ecx, ebx
		shr	edx, cl
		lea	ebx, [eax-1]
		lea	ecx, [edx-1]
		add	ecx, eax
		and	ecx, ebx
		sub	eax, ecx
		movzx	ecx, word ptr [esi+0Ch]
		add	ecx, edx
		lea	ebx, [eax-1]
		mov	eax, [ebp+var_8]
		add	ebx, edx
		add	eax, ebx
		cmp	eax, ecx
		jbe	short loc_5D11CC
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jz	short loc_5D11B1
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_5D11B9

loc_5D119F:				; CODE XREF: RtlpHpVaMgrRangeFind+DE2E9j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_5D119F
		jmp	short loc_5D11B9
; 

loc_5D11AB:				; CODE XREF: RtlpHpVaMgrRangeFind+DE2F9j
		cmp	[esi], ecx
		jz	short loc_5D11B9
		mov	ecx, esi

loc_5D11B1:				; CODE XREF: RtlpHpVaMgrRangeFind+DE2D7j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_5D11AB

loc_5D11B9:				; CODE XREF: RtlpHpVaMgrRangeFind+DE2DFj
					; RtlpHpVaMgrRangeFind+DE2EBj ...
		test	esi, esi
		jz	loc_4F2F3E
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	ebx, [ebp+var_C]
		jmp	short loc_5D1166
; 

loc_5D11CC:				; CODE XREF: RtlpHpVaMgrRangeFind+DE2CEj
		mov	edx, ebx
		lea	ecx, [edi+8]
		call	_RtlSparseArrayElementAllocated@8 ; RtlSparseArrayElementAllocated(x,x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		jmp	loc_4F2F3E
; END OF FUNCTION CHUNK	FOR RtlpHpVaMgrRangeFind
; 
; START	OF FUNCTION CHUNK FOR RtlpHpLargeFree

loc_5D11E0:				; CODE XREF: RtlpHpLargeFree+2Fj
		mov	byte ptr [ebp+var_4+3],	0FFh
		jmp	loc_4F33CA
; 

loc_5D11E9:				; CODE XREF: RtlpHpLargeFree+73j
					; RtlpHpLargeFree+A6j
		cmp	[ebx+8], edi
		jnz	loc_5D13D8
		mov	eax, [ebp+var_10]
		lea	edx, [eax+40h]
		mov	[ebp+var_8], edx
		test	[eax], cl
		jnz	loc_5D13C9
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_C], eax
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5D1220
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_8]
		xor	ecx, ecx
		inc	ecx

loc_5D1220:				; CODE XREF: RtlpHpLargeFree+DDE8Fj
		mov	[ebp+var_20], edi
		test	edx, 7FFFFFFCh
		jz	loc_5D13B9
		mov	esi, large fs:124h
		mov	eax, edx
		mov	[ebp+var_14], esi
		mov	esi, ds:dword_6D07D0
		shr	eax, 15h
		cmp	edx, esi
		mov	[ebp+var_30], esi
		mov	esi, [ebp+var_14]
		jb	short loc_5D1256
		cmp	byte ptr ds:dword_6D3994[eax], cl
		jz	short loc_5D1264

loc_5D1256:				; CODE XREF: RtlpHpLargeFree+DDECAj
		cmp	edx, [ebp+var_30]
		jb	short loc_5D1277
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_5D1277

loc_5D1264:				; CODE XREF: RtlpHpLargeFree+DDED2j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, [ebp+var_8]
		mov	[ebp+var_C], eax
		jmp	short loc_5D127A
; 

loc_5D1277:				; CODE XREF: RtlpHpLargeFree+DDED7j
					; RtlpHpLargeFree+DDEE0j
		or	eax, 0FFFFFFFFh

loc_5D127A:				; CODE XREF: RtlpHpLargeFree+DDEF3j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_5D12CD
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_5D133F
		push	ecx
		push	[ebp+var_C]
		push	[ebp+var_8]
		jmp	short loc_5D12C2
; 

loc_5D12BA:				; CODE XREF: RtlpHpLargeFree+2D8j
		push	0
		push	[ebp+var_C]
		push	[ebp+var_14]

loc_5D12C2:				; CODE XREF: RtlpHpLargeFree+DDF36j
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D12CD:				; CODE XREF: RtlpHpLargeFree+DDF1Fj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5D12E3
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_5D12E3:				; CODE XREF: RtlpHpLargeFree+DDF57j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_20], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		mov	edx, eax
		xor	eax, eax
		inc	eax
		cmp	byte ptr [ebp+var_4+3],	al
		jnz	short loc_5D132F
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_5D133F
; 

loc_5D132F:				; CODE XREF: RtlpHpLargeFree+DDF99j
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_14]

loc_5D133F:				; CODE XREF: RtlpHpLargeFree+DDF29j
					; RtlpHpLargeFree+DDFABj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	short loc_5D13A1
		test	edi, 8000h
		jz	short loc_5D1363
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5D1363:				; CODE XREF: RtlpHpLargeFree+DDFD6j
		xor	eax, eax
		inc	eax
		test	byte ptr [ebp+var_20+2], al
		jz	short loc_5D1374
		mov	edx, eax
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5D1374:				; CODE XREF: RtlpHpLargeFree+DDFE7j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5D1388
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5D1388:				; CODE XREF: RtlpHpLargeFree+DDFF9j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5D13A1
		push	[ebp+var_30]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5D13A1:				; CODE XREF: RtlpHpLargeFree+DDFCEj
					; RtlpHpLargeFree+DE010j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5D13B9
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5D13B9
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5D13B9:				; CODE XREF: RtlpHpLargeFree+DDEA7j
					; RtlpHpLargeFree+DE028j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		xor	edi, edi
		jmp	short loc_5D13D8
; 

loc_5D13C9:				; CODE XREF: RtlpHpLargeFree+DDE7Bj
		push	edx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5D13D8:				; CODE XREF: RtlpHpLargeFree+DDE6Aj
					; RtlpHpLargeFree+DE045j
		mov	edx, [ebp+var_10]
		push	edi
		push	edi
		push	edi
		push	[ebp+var_18]
		push	8
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	loc_4F35FC
; 

loc_5D13EE:				; CODE XREF: RtlpHpLargeFree+1AAj
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_34]
		jmp	loc_4F3542
; 

loc_5D1403:				; CODE XREF: RtlpHpLargeFree+301j
		mov	edx, eax
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4F3689
; 

loc_5D1411:				; CODE XREF: RtlpHpLargeFree+32Bj
		push	[ebp+var_34]
		mov	edx, [ebp+var_14]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4F3559
; END OF FUNCTION CHUNK	FOR RtlpHpLargeFree
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVaMgrCtxFree

loc_5D1423:				; CODE XREF: RtlpHpVaMgrCtxFree+40j
		mov	edx, [ebp+var_10]
		lea	ecx, [edi+8]
		or	eax, 0FFFFFFFFh
		mov	edx, [edx]
		sub	edx, [edi+4]
		shr	edx, 14h
		sub	eax, edx
		push	eax
		call	_RtlSparseArrayElementFindCapped@12 ; RtlSparseArrayElementFindCapped(x,x,x)
		mov	edi, [ebx+8]
		mov	esi, eax
		mov	ecx, [ebp+var_10]
		mov	edx, edi
		push	8000h
		call	_RtlpHpEnvFreeVA@12 ; RtlpHpEnvFreeVA(x,x,x)
		mov	ecx, [edi]
		shr	ecx, 14h
		sub	[esi+0Ch], ecx
		jmp	loc_4F3780
; 

loc_5D145D:				; CODE XREF: RtlpHpVaMgrCtxFree+9Fj
		mov	[ebp+var_8], esi

loc_5D1460:				; CODE XREF: RtlpHpVaMgrCtxFree+DDD50j
		sub	esi, 10h
		test	byte ptr [esi],	2
		jnz	short loc_5D1460
		mov	ch, [edi+1Ah]
		jmp	loc_4F37FA
; 

loc_5D1470:				; CODE XREF: RtlpHpVaMgrCtxFree+B6j
		mov	edx, [esi+0Ch]
		jmp	loc_4F37D6
; 

loc_5D1478:				; CODE XREF: RtlpHpVaMgrCtxFree+C5j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4F37E1
; 

loc_5D147F:				; CODE XREF: RtlpHpVaMgrCtxFree+CDj
		mov	edx, [esi+0Ch]
		jmp	loc_4F37ED
; 

loc_5D1487:				; CODE XREF: RtlpHpVaMgrCtxFree+D9j
		shl	eax, 4
		add	eax, esi
		jmp	loc_4F37F7
; 

loc_5D1491:				; CODE XREF: RtlpHpVaMgrCtxFree+F9j
		sub	eax, esi
		mov	edx, esi
		sar	eax, 4
		mov	ecx, edi
		push	eax
		call	_RtlpHpVaMgrRangeSplit@12 ; RtlpHpVaMgrRangeSplit(x,x,x)
		jmp	loc_4F3815
; END OF FUNCTION CHUNK	FOR RtlpHpVaMgrCtxFree
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVaMgrCtxQuery

loc_5D14A5:				; CODE XREF: RtlpHpVaMgrCtxQuery+1Ej
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	16h
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	eax, 0C0000001h
		jmp	loc_4F3AC7
; END OF FUNCTION CHUNK	FOR RtlpHpVaMgrCtxQuery
; 
; START	OF FUNCTION CHUNK FOR RtlCSparseBitmapFindBitSetCapped

loc_5D14BF:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+42j
		test	eax, eax
		jns	loc_4F3B58
		mov	esi, ecx
		not	esi
		jmp	short loc_5D14D1
; 

loc_5D14CD:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+4Aj
		mov	esi, edi
		sub	esi, ecx

loc_5D14D1:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+DD9C3j
		mov	[ebp+var_28], esi
		jmp	loc_4F3B58
; 

loc_5D14D9:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+BBj
		mov	edx, [ebp+var_1C]
		lea	ecx, [ebp+var_3C]
		test	esi, esi
		jle	short loc_5D14EF
		push	0FFFFFFFFh
		call	RtlLengthCurrentClearRunForward
		jmp	loc_4F3BCB
; 

loc_5D14EF:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+DD9D9j
		mov	eax, esi
		neg	eax
		push	eax
		call	_RtlLengthCurrentClearRunBackward@12 ; RtlLengthCurrentClearRunBackward(x,x,x)
		neg	eax
		jmp	loc_4F3BCB
; END OF FUNCTION CHUNK	FOR RtlCSparseBitmapFindBitSetCapped

;  S U B	R O U T	I N E 


sub_5D1500	proc near		; DATA XREF: .text:006A3394o
		xor	eax, eax
		inc	eax
		retn
sub_5D1500	endp


;  S U B	R O U T	I N E 


sub_5D1504	proc near		; DATA XREF: .text:006A3398o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp+8]
		mov	edx, [ebp-34h]
		mov	esi, [ebp-28h]
sub_5D1504	endp

; START	OF FUNCTION CHUNK FOR RtlCSparseBitmapFindBitSetCapped

loc_5D1517:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+107j
					; RtlCSparseBitmapFindBitSetCapped+DDA35j ...
		mov	edi, 8000h

loc_5D151C:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+77j
					; RtlCSparseBitmapFindBitSetCapped+DDA48j ...
		add	edx, esi
		mov	[ebp+var_30], edx
		sub	ebx, esi
		mov	[ebp+arg_0], ebx
		jmp	loc_4F3B2A
; 

loc_5D152B:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+64j
		mov	eax, edx
		and	eax, 3FFFFFFFh
		mov	esi, ebx
		lea	ecx, [eax+ebx]
		test	ebx, ebx
		jns	short loc_5D1545
		test	ecx, ecx
		jns	short loc_5D1517
		mov	esi, eax
		not	esi
		jmp	short loc_5D1517
; 

loc_5D1545:				; CODE XREF: RtlCSparseBitmapFindBitSetCapped+DDA31j
		mov	edi, 8000h
		cmp	ecx, 40000000h
		jle	short loc_5D151C
		mov	esi, 40000000h
		sub	esi, eax
		jmp	short loc_5D151C
; END OF FUNCTION CHUNK	FOR RtlCSparseBitmapFindBitSetCapped
; 
; START	OF FUNCTION CHUNK FOR RtlCSparseBitmapBitsClear

loc_5D155B:				; CODE XREF: RtlCSparseBitmapBitsClear+3Cj
		test	edx, edx
		jns	loc_4F3D9A
		mov	esi, edi
		not	esi
		jmp	short loc_5D1570
; 

loc_5D1569:				; CODE XREF: RtlCSparseBitmapBitsClear+48j
		mov	esi, 8000h
		sub	esi, edi

loc_5D1570:				; CODE XREF: RtlCSparseBitmapBitsClear+DD81Bj
		mov	[ebp+var_20], esi
		jmp	loc_4F3D9A
; 

loc_5D1578:				; CODE XREF: RtlCSparseBitmapBitsClear+B6j
		push	20h
		pop	edx
		sub	edx, eax
		xor	eax, eax
		inc	eax
		mov	ecx, edx
		shl	eax, cl
		dec	eax
		mov	ecx, [ebp+var_24]
		shl	eax, cl
		not	eax
		mov	ecx, [ebp+var_1C]
		lock and [ecx],	eax
		mov	ecx, esi
		sub	ecx, edx
		mov	edx, [ebp+var_1C]
		add	edx, 4
		jmp	loc_4F3E15
; 

loc_5D15A1:				; CODE XREF: RtlCSparseBitmapBitsClear+E5j
		or	eax, 0FFFFFFFFh
		shl	eax, cl
		jmp	loc_4F3F02
; 

loc_5D15AB:				; CODE XREF: RtlCSparseBitmapBitsClear+F1j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_40], eax
		jmp	loc_4F3EB2
; END OF FUNCTION CHUNK	FOR RtlCSparseBitmapBitsClear

;  S U B	R O U T	I N E 


sub_5D15B6	proc near		; DATA XREF: .text:006A33B4o
		xor	eax, eax
		inc	eax
		retn
sub_5D15B6	endp


;  S U B	R O U T	I N E 


sub_5D15BA	proc near		; DATA XREF: .text:006A33B8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp-20h]
		jmp	loc_4F3ED5
sub_5D15BA	endp

; 
; START	OF FUNCTION CHUNK FOR RtlCSparseBitmapBitsClear

loc_5D15CE:				; CODE XREF: RtlCSparseBitmapBitsClear+61j
		mov	eax, [ebp+var_30]
		and	eax, 3FFFFFFFh
		mov	esi, ecx
		lea	edx, [eax+ecx]
		test	ecx, ecx
		jns	short loc_5D15F0
		test	edx, edx
		jns	loc_4F3ED8
		mov	esi, eax
		not	esi
		jmp	loc_4F3ED8
; 

loc_5D15F0:				; CODE XREF: RtlCSparseBitmapBitsClear+DD891j
		cmp	edx, 40000000h
		jle	loc_4F3ED8
		mov	esi, 40000000h
		sub	esi, eax
		jmp	loc_4F3ED8
; END OF FUNCTION CHUNK	FOR RtlCSparseBitmapBitsClear
; 
; START	OF FUNCTION CHUNK FOR RtlpCSparseBitmapPageDecommit

loc_5D1608:				; CODE XREF: RtlpCSparseBitmapPageDecommit+79j
		jnz	loc_4F3FE7
		mov	eax, [ebp+var_54]
		bt	[eax], ebx
		push	0
		pop	edx
		setnb	dl
		jmp	loc_4F3FE9
; 

loc_5D161F:				; CODE XREF: RtlpCSparseBitmapPageDecommit+AEj
		push	20h
		pop	ecx
		sub	ecx, edi
		or	eax, 0FFFFFFFFh
		shr	eax, cl
		mov	ecx, ebx
		shl	eax, cl
		jmp	loc_4F4033
; END OF FUNCTION CHUNK	FOR RtlpCSparseBitmapPageDecommit

;  S U B	R O U T	I N E 


sub_5D1632	proc near		; DATA XREF: .text:006A33D4o
		xor	eax, eax
		inc	eax
		retn
sub_5D1632	endp


;  S U B	R O U T	I N E 


sub_5D1636	proc near		; DATA XREF: .text:006A33D8o
		mov	esp, [ebp-18h]
		xor	esi, esi
		mov	edx, esi
		mov	[ebp-40h], edx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-44h]
		jmp	loc_4F3FF3
sub_5D1636	endp

; 
; START	OF FUNCTION CHUNK FOR RtlpCSparseBitmapPageDecommit

loc_5D164F:				; CODE XREF: RtlpCSparseBitmapPageDecommit+14Fj
		lea	ecx, [ebp+var_6C]
		call	RtlpCSparseBitmapUnlock
		push	edi
		push	ecx
		lea	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_3C]
		call	_RtlpCSparseBitmapWaitOnAddress@16 ; RtlpCSparseBitmapWaitOnAddress(x,x,x,x)
		mov	eax, [edi]
		mov	ecx, [ebp+var_1C]
		bt	[eax], ecx
		jnb	loc_4F3FF7
		mov	edi, [ebp+var_28]
		jmp	loc_4F3F71
; 

loc_5D167A:				; CODE XREF: RtlpCSparseBitmapPageDecommit+188j
		jnz	loc_4F3FF7
		mov	eax, [ebp+var_54]
		bt	[eax], ebx
		setb	al
		neg	al
		sbb	al, al
		jmp	loc_4F4104
; 

loc_5D1692:				; CODE XREF: RtlpCSparseBitmapPageDecommit+1BEj
		push	20h
		pop	edx
		sub	edx, ecx
		mov	ecx, edx
		shr	eax, cl
		mov	ecx, ebx
		shl	eax, cl
		and	eax, [ebp+arg_0]
		jmp	loc_4F40FA
; 

loc_5D16A7:				; CODE XREF: RtlpCSparseBitmapPageDecommit+235j
		lea	ecx, [eax+14h]
		mov	[ebp+var_4C], esi
		xor	edx, edx
		lea	eax, [ebp+var_4C]
		lock or	[eax], edx
		cmp	[ecx], esi
		jz	loc_4F4001
		push	esi
		call	ExpUnblockPushLock
		jmp	loc_4F4001
; END OF FUNCTION CHUNK	FOR RtlpCSparseBitmapPageDecommit
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVaMgrRangeCreate

loc_5D16C8:				; CODE XREF: RtlpHpVaMgrRangeCreate+B2j
		test	edi, edi
		jz	short loc_5D16F7

loc_5D16CC:				; CODE XREF: RtlpHpVaMgrRangeCreate+DD57Dj
		mov	eax, [ebp+var_8]
		mov	edx, ebx
		push	8
		mov	esi, [eax+0Ch]
		pop	eax
		mov	ecx, [esi+0Ch]
		sub	edx, [esi+14h]
		shr	edx, cl
		shl	eax, cl
		shl	edx, cl
		lea	ecx, [esi+10h]
		push	eax
		shl	edx, 3
		call	RtlCSparseBitmapBitsClear
		add	ebx, 10h
		sub	edi, 1
		jnz	short loc_5D16CC

loc_5D16F7:				; CODE XREF: RtlpHpVaMgrRangeCreate+DD552j
		xor	ebx, ebx
		jmp	loc_4F41BF
; END OF FUNCTION CHUNK	FOR RtlpHpVaMgrRangeCreate
; 
; START	OF FUNCTION CHUNK FOR RtlSparseArrayElementAllocate

loc_5D16FE:				; CODE XREF: RtlSparseArrayElementAllocate+66j
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_4F42A9
; END OF FUNCTION CHUNK	FOR RtlSparseArrayElementAllocate
; 
; START	OF FUNCTION CHUNK FOR RtlpCSparseBitmapUnlock

loc_5D170F:				; CODE XREF: RtlpCSparseBitmapUnlock+209j
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D1722:				; CODE XREF: RtlpCSparseBitmapUnlock+16Ej
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_4F443A
; 

loc_5D1739:				; CODE XREF: RtlpCSparseBitmapUnlock+1ACj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4F4468
; 

loc_5D1748:				; CODE XREF: RtlpCSparseBitmapUnlock+1D0j
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4F448C
; END OF FUNCTION CHUNK	FOR RtlpCSparseBitmapUnlock
; 
; START	OF FUNCTION CHUNK FOR RtlpCSparseBitmapPageCommit

loc_5D175A:				; CODE XREF: RtlpCSparseBitmapPageCommit+2Dj
		push	edx
		shl	eax, 0Ch
		lea	ecx, [esp+24h+var_C]
		add	eax, [esi]
		push	edx
		mov	[esp+28h+var_C], eax
		movzx	eax, byte ptr [esi+1Ah]
		push	eax
		movzx	eax, byte ptr [esi+19h]
		push	eax
		push	4
		push	40001000h
		push	edx
		lea	edx, [esp+3Ch+var_10]
		mov	[esp+3Ch+var_10], 1000h
		call	RtlpHpEnvAllocVA
		mov	edi, eax
		test	edi, edi
		js	loc_4F4532
		mov	eax, [esp+20h+var_8]
		lea	ecx, [esi+20h]
		lock bts [ecx],	eax
		jmp	loc_4F4505
; 

loc_5D17A6:				; CODE XREF: RtlpCSparseBitmapPageCommit+51j
		mov	ecx, [ebp+arg_0]
		call	RtlpCSparseBitmapUnlock
		push	esi
		push	ecx
		lea	edx, [esp+28h+var_4]
		lea	ecx, [esi+10h]
		call	_RtlpCSparseBitmapWaitOnAddress@16 ; RtlpCSparseBitmapWaitOnAddress(x,x,x,x)
		jmp	loc_4F4514
; 

loc_5D17C1:				; CODE XREF: RtlpCSparseBitmapPageCommit+A6j
		mov	ecx, [ebp+arg_0]
		call	RtlpCSparseBitmapUnlock
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		cmp	byte ptr [eax+18h], 0
		jnz	short loc_5D17E8
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_4F4532
; 

loc_5D17E8:				; CODE XREF: RtlpCSparseBitmapPageCommit+DD303j
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4F4532
; END OF FUNCTION CHUNK	FOR RtlpCSparseBitmapPageCommit
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegMgrAllocate

loc_5D17F3:				; CODE XREF: RtlpHpSegMgrAllocate+53j
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpHpSegMgrVaCtxInsert@8 ; RtlpHpSegMgrVaCtxInsert(x,x)
		jmp	loc_4F46DB
; 

loc_5D1801:				; CODE XREF: RtlpHpSegMgrAllocate+5Fj
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	RtlpHpSegMgrRelease
		jmp	loc_4F46E7
; END OF FUNCTION CHUNK	FOR RtlpHpSegMgrAllocate
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegMgrReserve

loc_5D1811:				; CODE XREF: RtlpHpSegMgrReserve+3Ej
					; RtlpHpSegMgrReserve+47j
		movzx	edx, byte ptr [esi+1Ch]
		add	esi, 58h
		and	edx, 1
		mov	[ebp+var_8], esi
		mov	ecx, esi
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	edx, [ebp+var_30]
		mov	byte ptr [ebp+var_4+3],	al
		lea	ecx, [edx+4]
		mov	eax, [ecx]
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	loc_5D1A3A
		test	byte ptr [ebp+var_14], 2
		jnz	short loc_5D1850
		mov	ecx, edx
		mov	eax, [ecx]
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	loc_5D1A3A

loc_5D1850:				; CODE XREF: RtlpHpSegMgrReserve+DD149j
		mov	eax, [ebp+var_18]
		test	byte ptr [eax+1Ch], 1
		jnz	loc_5D1A21
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_14], ecx
		mov	eax, ecx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5D1876
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5D1876:				; CODE XREF: RtlpHpSegMgrReserve+DD177j
		mov	[ebp+var_20], edi
		test	esi, 7FFFFFFCh
		jz	loc_5D1A08
		mov	eax, [ebp+var_8]
		mov	edx, eax
		mov	esi, large fs:124h
		mov	ecx, ds:dword_6D07D0
		shr	edx, 15h
		cmp	eax, ecx
		push	0FFFFFFFFh
		mov	[ebp+var_30], ecx
		mov	[ebp+var_50], esi
		pop	ecx
		jb	short loc_5D18B0
		cmp	byte ptr ds:dword_6D3994[edx], 1
		jz	short loc_5D18BE

loc_5D18B0:				; CODE XREF: RtlpHpSegMgrReserve+DD1AFj
		cmp	eax, [ebp+var_30]
		jb	short loc_5D18D1
		cmp	byte ptr ds:dword_6D3994[edx], 0Bh
		jnz	short loc_5D18D1

loc_5D18BE:				; CODE XREF: RtlpHpSegMgrReserve+DD1B8j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_8]

loc_5D18D1:				; CODE XREF: RtlpHpSegMgrReserve+DD1BDj
					; RtlpHpSegMgrReserve+DD1C6j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	dl
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_5D191D
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_5D198F

loc_5D190A:				; CODE XREF: RtlpHpSegMgrReserve+DD425j
		push	0
		push	[ebp+var_14]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D191D:				; CODE XREF: RtlpHpSegMgrReserve+DD204j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5D1933
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_5D1933:				; CODE XREF: RtlpHpSegMgrReserve+DD233j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_20], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_5D197D
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_5D198F
; 

loc_5D197D:				; CODE XREF: RtlpHpSegMgrReserve+DD273j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_50]

loc_5D198F:				; CODE XREF: RtlpHpSegMgrReserve+DD20Ej
					; RtlpHpSegMgrReserve+DD285j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_50], eax
		jz	short loc_5D19F0
		test	edi, 8000h
		jz	short loc_5D19B3
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5D19B3:				; CODE XREF: RtlpHpSegMgrReserve+DD2B2j
		test	byte ptr [ebp+var_20+2], 1
		jz	short loc_5D19C3
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5D19C3:				; CODE XREF: RtlpHpSegMgrReserve+DD2C1j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5D19D7
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5D19D7:				; CODE XREF: RtlpHpSegMgrReserve+DD2D4j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5D19F0
		push	[ebp+var_50]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5D19F0:				; CODE XREF: RtlpHpSegMgrReserve+DD2AAj
					; RtlpHpSegMgrReserve+DD2EBj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5D1A08
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5D1A08
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5D1A08:				; CODE XREF: RtlpHpSegMgrReserve+DD189j
					; RtlpHpSegMgrReserve+DD303j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	esi, [ebp+var_18]
		xor	edi, edi
		mov	[ebp+var_10], edi
		jmp	loc_4F474A
; 

loc_5D1A21:				; CODE XREF: RtlpHpSegMgrReserve+DD161j
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_18]
		mov	edx, edi
		jmp	loc_4F4743
; 

loc_5D1A3A:				; CODE XREF: RtlpHpSegMgrReserve+DD13Fj
					; RtlpHpSegMgrReserve+DD154j
		movzx	eax, word ptr [eax-2]
		bsf	edx, eax
		btc	eax, edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], edx
		mov	edx, [ebp+var_20]
		movzx	eax, ax
		mov	[edx-2], ax
		test	ax, ax
		jnz	short loc_5D1A65
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_5D1A63
		mov	eax, [eax]
		mov	[ecx], eax

loc_5D1A63:				; CODE XREF: RtlpHpSegMgrReserve+DD367j
		mov	[edx], edi

loc_5D1A65:				; CODE XREF: RtlpHpSegMgrReserve+DD361j
		mov	eax, [ebp+var_18]
		test	byte ptr [eax+1Ch], 1
		jnz	loc_5D1C21
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_14], ecx
		mov	eax, ecx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5D1A8B
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5D1A8B:				; CODE XREF: RtlpHpSegMgrReserve+DD38Cj
		mov	[ebp+var_30], edi
		test	esi, 7FFFFFFCh
		jz	loc_5D1C0B
		mov	eax, [ebp+var_8]
		mov	edx, eax
		mov	esi, large fs:124h
		mov	ecx, ds:dword_6D07D0
		shr	edx, 15h
		cmp	eax, ecx
		push	0FFFFFFFFh
		mov	[ebp+var_50], ecx
		mov	[ebp+var_54], esi
		pop	ecx
		jb	short loc_5D1AC5
		cmp	byte ptr ds:dword_6D3994[edx], 1
		jz	short loc_5D1AD3

loc_5D1AC5:				; CODE XREF: RtlpHpSegMgrReserve+DD3C4j
		cmp	eax, [ebp+var_50]
		jb	short loc_5D1AE6
		cmp	byte ptr ds:dword_6D3994[edx], 0Bh
		jnz	short loc_5D1AE6

loc_5D1AD3:				; CODE XREF: RtlpHpSegMgrReserve+DD3CDj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_8]

loc_5D1AE6:				; CODE XREF: RtlpHpSegMgrReserve+DD3D2j
					; RtlpHpSegMgrReserve+DD3DBj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	dl
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_50], ecx
		test	ecx, ecx
		jnz	short loc_5D1B20
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_5D1B92
		jmp	loc_5D190A
; 

loc_5D1B20:				; CODE XREF: RtlpHpSegMgrReserve+DD419j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5D1B36
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_50]

loc_5D1B36:				; CODE XREF: RtlpHpSegMgrReserve+DD436j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_30], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_5D1B80
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_5D1B92
; 

loc_5D1B80:				; CODE XREF: RtlpHpSegMgrReserve+DD476j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_54]

loc_5D1B92:				; CODE XREF: RtlpHpSegMgrReserve+DD423j
					; RtlpHpSegMgrReserve+DD488j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_54], eax
		jz	short loc_5D1BF3
		test	edi, 8000h
		jz	short loc_5D1BB6
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5D1BB6:				; CODE XREF: RtlpHpSegMgrReserve+DD4B5j
		test	byte ptr [ebp+var_30+2], 1
		jz	short loc_5D1BC6
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5D1BC6:				; CODE XREF: RtlpHpSegMgrReserve+DD4C4j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5D1BDA
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5D1BDA:				; CODE XREF: RtlpHpSegMgrReserve+DD4D7j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5D1BF3
		push	[ebp+var_54]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5D1BF3:				; CODE XREF: RtlpHpSegMgrReserve+DD4ADj
					; RtlpHpSegMgrReserve+DD4EEj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5D1C0B
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5D1C0B
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5D1C0B:				; CODE XREF: RtlpHpSegMgrReserve+DD39Ej
					; RtlpHpSegMgrReserve+DD506j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_34]
		xor	edi, edi
		mov	[ebp+var_30], eax
		jmp	short loc_5D1C30
; 

loc_5D1C21:				; CODE XREF: RtlpHpSegMgrReserve+DD376j
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5D1C30:				; CODE XREF: RtlpHpSegMgrReserve+DD529j
		mov	esi, [ebp+var_18]
		mov	edx, [ebp+var_20]
		add	edx, 0FFFFFFF8h
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		movzx	ecx, byte ptr [edx+1]
		imul	ecx, 1Ch
		mov	eax, [eax+ecx+78h]
		sub	edx, [eax+14h]
		mov	ecx, [eax+0Ch]
		shr	edx, cl
		mov	ecx, [ebp+var_30]
		imul	ecx, [ebp+var_1C]
		shl	edx, 14h
		add	edx, ecx
		add	edx, [eax+4]
		jmp	loc_4F4743
; 

loc_5D1C6B:				; CODE XREF: RtlpHpSegMgrReserve+5Bj
		mov	eax, 200000h
		cmp	[ebp+var_1C], eax
		jnb	loc_4F4757
		mov	[ebp+var_C], eax
		jmp	loc_4F4757
; 

loc_5D1C81:				; CODE XREF: RtlpHpSegMgrReserve+9Dj
		push	[ebp+var_C]
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		push	eax
		call	_RtlpHpSegMgrVaCtxInitialize@16	; RtlpHpSegMgrVaCtxInitialize(x,x,x,x)
		jmp	loc_4F4799
; 

loc_5D1C94:				; CODE XREF: RtlpHpSegMgrReserve+C3j
		push	dword ptr [esi+20h]
		lea	edx, [ebp+var_C]
		push	dword ptr [esi+1Ch]
		lea	ecx, [ebp+var_10]
		push	8000h
		call	_RtlpHpFreeVA@20 ; RtlpHpFreeVA(x,x,x,x,x)
		jmp	loc_4F47BF
; END OF FUNCTION CHUNK	FOR RtlpHpSegMgrReserve
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVaMgrRangeCoalesce

loc_5D1CAF:				; CODE XREF: RtlpHpVaMgrRangeCoalesce+A8j
		mov	[eax+0Eh], cx
		jmp	loc_4F48B9
; END OF FUNCTION CHUNK	FOR RtlpHpVaMgrRangeCoalesce
; 
; START	OF FUNCTION CHUNK FOR MiDeletePartialVad

loc_5D1CB8:				; CODE XREF: MiDeletePartialVad+92j
		mov	[ebp+var_6C], 8
		jmp	loc_4F4AAE
; 

loc_5D1CC4:				; CODE XREF: MiDeletePartialVad+82j
		mov	eax, [esi+2Ch]
		push	4Ch
		pop	ecx
		mov	[ebp+var_10], ecx
		mov	edx, [eax]
		mov	[ebp+var_5C], edx
		cmp	dword ptr [edx+20h], 0
		jz	loc_4F4AAE
		cmp	dword ptr [esi+44h], 0
		jge	short loc_5D1CEC
		mov	eax, 0C0000021h
		jmp	loc_4F4E57
; 

loc_5D1CEC:				; CODE XREF: MiDeletePartialVad+DD2CAj
		test	dword ptr [edx+1Ch], 420h
		jnz	loc_4F4AAE
		mov	byte ptr [ebp+var_4+3],	1
		jmp	loc_4F4AAE
; 

loc_5D1D02:				; CODE XREF: MiDeletePartialVad+9Cj
		push	0
		push	40h
		mov	edx, 46646156h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_60], edi
		test	edi, edi
		jnz	short loc_5D1D23
		mov	esi, 0C000009Ah
		jmp	loc_5D1E39
; 

loc_5D1D23:				; CODE XREF: MiDeletePartialVad+DD301j
		push	[ebp+var_10]	; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		xor	edx, edx
		mov	dword ptr [edi+8], 0FFFFFFFEh
		mov	[edi+14h], edx
		add	esp, 0Ch
		mov	[edi+24h], edx
		mov	eax, [esi+20h]
		mov	ecx, [edi+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jnz	short loc_5D1D5B
		and	ecx, 800FFFFDh
		or	ecx, eax
		jmp	short loc_5D1D61
; 

loc_5D1D5B:				; CODE XREF: MiDeletePartialVad+DD339j
		and	ecx, 80000000h

loc_5D1D61:				; CODE XREF: MiDeletePartialVad+DD343j
		mov	eax, [ebx+8]
		inc	eax
		mov	[edi+20h], ecx
		shr	eax, 0Ch
		mov	[edi+18h], edx
		sub	eax, [esi+0Ch]
		mov	[ebp+var_54], eax
		mov	eax, [edi+1Ch]
		and	al, 70h
		cmp	al, 40h
		jnz	short loc_5D1D92
		mov	ecx, edi
		call	MiCreateRotateView
		test	eax, eax
		jnz	short loc_5D1D92
		mov	esi, 0C000009Ah
		jmp	loc_5D1E23
; 

loc_5D1D92:				; CODE XREF: MiDeletePartialVad+DD365j
					; MiDeletePartialVad+DD370j
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_5D1DB7

loc_5D1D99:				; CODE XREF: MiDeletePartialVad+DD38Dj
		test	byte ptr [eax+24h], 80h
		jnz	short loc_5D1DA5
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_5D1D99

loc_5D1DA5:				; CODE XREF: MiDeletePartialVad+DD387j
		test	eax, eax
		jz	short loc_5D1DB7
		mov	ecx, edi
		call	_MiCreatePlaceholderStorage@4 ;	MiCreatePlaceholderStorage(x)
		mov	[ebp+var_24], eax
		test	eax, eax
		js	short loc_5D1E20

loc_5D1DB7:				; CODE XREF: MiDeletePartialVad+DD381j
					; MiDeletePartialVad+DD391j
		mov	ecx, edi
		call	_MiLockNestedVad@4 ; MiLockNestedVad(x)
		mov	edx, [ebp+var_54]
		mov	ecx, edi
		call	MiAdvanceVadView
		mov	ecx, edi
		call	_MiUnlockNestedVad@4 ; MiUnlockNestedVad(x)
		cmp	[ebp+var_10], 28h
		jz	short loc_5D1DFB
		and	dword ptr [edi+28h], 0FDFFFFFFh
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_5C]
		and	dword ptr [edi+44h], 0
		push	0
		call	MiInsertSharedCommitNode
		mov	[ebp+var_24], eax
		test	eax, eax
		js	short loc_5D1E20
		mov	[ebp+var_68], 1

loc_5D1DFB:				; CODE XREF: MiDeletePartialVad+DD3BDj
		mov	edx, [ebp+var_8]
		push	ecx
		mov	ecx, edi
		call	MiInsertVadCharges
		mov	[ebp+var_24], eax
		test	eax, eax
		jns	short loc_5D1E40
		cmp	[ebp+var_68], 0
		jz	short loc_5D1E20
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_5C]
		push	0
		call	MiRemoveSharedCommitNode

loc_5D1E20:				; CODE XREF: MiDeletePartialVad+DD39Fj
					; MiDeletePartialVad+DD3DCj ...
		mov	esi, [ebp+var_24]

loc_5D1E23:				; CODE XREF: MiDeletePartialVad+DD377j
		mov	ecx, edi
		call	_MiFreeRotateView@4 ; MiFreeRotateView(x)
		mov	ecx, edi
		call	MiFreePlaceholderStorage
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5D1E39:				; CODE XREF: MiDeletePartialVad+DD308j
		mov	eax, esi
		jmp	loc_4F4E57
; 

loc_5D1E40:				; CODE XREF: MiDeletePartialVad+DD3F5j
		cmp	[ebp+var_10], 28h
		mov	eax, [ebp+var_8]
		mov	ecx, [eax+24Ch]
		jnz	short loc_5D1E73
		mov	eax, [edi+1Ch]
		shr	eax, 12h
		and	eax, 3
		mov	eax, ds:_MiVadPageSizes[eax*4]
		cmp	eax, 10h
		jnz	loc_4F4AB8
		inc	dword ptr [ecx+0B0h]
		jmp	loc_4F4AB8
; 

loc_5D1E73:				; CODE XREF: MiDeletePartialVad+DD437j
		mov	eax, [edi+48h]
		test	eax, eax
		jz	short loc_5D1E88
		mov	edx, 746C6644h
		mov	ecx, eax
		call	ObfReferenceObjectWithTag
		jmp	short loc_5D1EA3
; 

loc_5D1E88:				; CODE XREF: MiDeletePartialVad+DD462j
		mov	eax, [edi+1Ch]
		shr	eax, 12h
		and	eax, 3
		mov	eax, ds:_MiVadPageSizes[eax*4]
		cmp	eax, 10h
		jnz	short loc_5D1EA3
		inc	dword ptr [ecx+0B4h]

loc_5D1EA3:				; CODE XREF: MiDeletePartialVad+DD470j
					; MiDeletePartialVad+DD485j
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	MiUpControlAreaRefs
		jmp	loc_4F4AB8
; 

loc_5D1EB2:				; CODE XREF: MiDeletePartialVad+D0j
					; MiDeletePartialVad+DCj
		mov	edx, [esi+10h]
		mov	ecx, [esi+0Ch]
		shl	edx, 0Ch
		push	0
		or	edx, 0FFFh
		shl	ecx, 0Ch
		call	_MiResidentPagesForSpan@12 ; MiResidentPagesForSpan(x,x,x)
		mov	[ebp+var_68], eax
		jmp	loc_4F4AF8
; 

loc_5D1ED3:				; CODE XREF: MiDeletePartialVad+4BCj
		mov	edi, ecx
		jmp	loc_4F4EE1
; 

loc_5D1EDA:				; CODE XREF: MiDeletePartialVad+4A8j
		mov	eax, [ebp+var_20]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	_MiCountSharedPages@12 ; MiCountSharedPages(x,x,x)
		mov	ecx, [ebp+var_20]
		sub	ecx, edi
		sar	ecx, 3
		sub	ecx, eax
		inc	ecx
		mov	[ebp+var_20], ecx
		mov	ecx, [ebp+var_28]
		mov	al, [ecx]
		mov	ecx, offset unk_6D3C40
		and	al, 7
		mov	[ebp+var_54], ecx
		cmp	al, 2
		jnz	short loc_5D1F0C
		mov	edi, ecx
		jmp	short loc_5D1F15
; 

loc_5D1F0C:				; CODE XREF: MiDeletePartialVad+DD4F0j
		mov	edi, [ebp+var_8]
		add	edi, 2C0h

loc_5D1F15:				; CODE XREF: MiDeletePartialVad+DD4F4j
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	byte ptr [ebp+var_4+2],	al
		mov	byte ptr [ebp+var_2C], al
		mov	eax, [ebp+var_28]
		mov	[ebp+var_28], eax
		jmp	loc_4F4B73
; 

loc_5D1F2C:				; CODE XREF: MiDeletePartialVad+174j
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	loc_4F4B90
		mov	edx, [esi+0Ch]
		lea	eax, [ebp+var_C]
		push	eax
		push	0
		mov	ecx, esi
		call	MiGetProtoPteAddress
		jmp	loc_4F4B90
; 

loc_5D1F4B:				; CODE XREF: MiDeletePartialVad+190j
		and	ecx, 800FFFFDh
		or	ecx, edi
		jmp	loc_4F4BB7
; 

loc_5D1F58:				; CODE XREF: MiDeletePartialVad+1BBj
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	loc_4F4BD7
		mov	edx, [esi+0Ch]
		lea	eax, [ebp+var_18]
		push	eax
		push	0
		mov	ecx, esi
		call	MiGetProtoPteAddress
		jmp	loc_4F4BD7
; 

loc_5D1F77:				; CODE XREF: MiDeletePartialVad+51Dj
		and	ecx, 800FFFFDh
		or	ecx, edi
		jmp	loc_4F4F44
; 

loc_5D1F84:				; CODE XREF: MiDeletePartialVad+53Aj
		cmp	al, 1
		jnz	loc_4F4F56
		mov	edx, [esi+10h]
		lea	eax, [ebp+var_18]
		push	eax
		push	0
		mov	ecx, esi
		call	MiGetProtoPteAddress
		mov	eax, [ebp+var_18]
		mov	eax, [eax+8]
		mov	[ebp+var_18], eax
		mov	al, byte ptr [ebp+var_4+3]
		jmp	loc_4F4F56
; 

loc_5D1FAD:				; CODE XREF: MiDeletePartialVad+54Dj
		cmp	al, 1
		jnz	loc_4F4F69
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		push	0
		call	MiGetProtoPteAddress
		mov	eax, [ebp+var_C]
		xor	edx, edx
		mov	ecx, esi
		mov	eax, [eax+8]
		mov	[ebp+var_34], eax
		mov	[ebp+var_C], eax
		call	MiAdvanceVadView
		jmp	loc_4F4F6F
; 

loc_5D1FDC:				; CODE XREF: MiDeletePartialVad+506j
		mov	edi, [ebp+var_10]
		mov	al, byte ptr [ebp+var_4+3]
		cmp	edi, 28h
		jz	short loc_5D2007
		cmp	al, 1
		jnz	short loc_5D2007
		mov	edx, [esi+10h]
		lea	eax, [ebp+var_18]
		push	eax
		push	0
		mov	ecx, esi
		call	MiGetProtoPteAddress
		mov	eax, [ebp+var_18]
		mov	eax, [eax+8]
		mov	[ebp+var_18], eax
		mov	al, byte ptr [ebp+var_4+3]

loc_5D2007:				; CODE XREF: MiDeletePartialVad+DD5CFj
					; MiDeletePartialVad+DD5D3j
		mov	edx, [ebp+var_14]
		dec	edx
		mov	[ebp+var_1C], edx
		shr	edx, 0Ch
		mov	[esi+10h], edx
		cmp	edi, 28h
		jz	short loc_5D2041
		cmp	al, 1
		jnz	short loc_5D2041
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		push	0
		call	MiGetProtoPteAddress
		mov	eax, [ebp+var_C]
		xor	edx, edx
		mov	ecx, esi
		mov	edi, [eax+8]
		mov	[ebp+var_34], edi
		mov	[ebp+var_C], edi
		call	MiAdvanceVadView
		jmp	short loc_5D2047
; 

loc_5D2041:				; CODE XREF: MiDeletePartialVad+DD601j
					; MiDeletePartialVad+DD605j
		mov	eax, [ebp+var_C]
		mov	[ebp+var_34], eax

loc_5D2047:				; CODE XREF: MiDeletePartialVad+DD629j
		mov	edi, [ebp+var_60]
		mov	ecx, [ebp+var_64]
		mov	edx, [ebp+var_8]
		inc	ecx
		push	2
		mov	eax, [edi+10h]
		sub	eax, [edi+0Ch]
		add	ecx, eax
		mov	[ebp+var_64], ecx
		mov	ecx, edi
		call	MiInsertVad
		mov	eax, [esi+20h]
		mov	ecx, 0FFFFDh
		and	eax, 7FFFFFFFh
		cmp	eax, ecx
		jnz	short loc_5D207D
		mov	edx, ecx
		jmp	loc_5D2117
; 

loc_5D207D:				; CODE XREF: MiDeletePartialVad+DD65Ej
		cmp	[ebp+var_10], 28h
		jnz	short loc_5D20A0
		mov	edx, [ebp+var_14]
		mov	ecx, [esi+0Ch]
		push	0
		push	4
		push	[ebp+var_2C]
		lea	edx, [edx-1]
		shl	ecx, 0Ch
		push	esi
		call	_MiComputePageCommitment@24 ; MiComputePageCommitment(x,x,x,x,x,x)
		mov	edx, eax
		jmp	short loc_5D2117
; 

loc_5D20A0:				; CODE XREF: MiDeletePartialVad+DD66Bj
		mov	dl, byte ptr [ebp+var_4+2]
		mov	ecx, [ebp+var_30]
		call	MiUnlockWorkingSetExclusive
		mov	eax, [esi+0Ch]
		mov	ecx, [ebp+var_58]
		and	eax, 0FFFFFh
		lea	esi, ds:0C0000000h[eax*8]
		mov	eax, [ebp+var_1C]
		shr	eax, 9
		mov	edx, esi
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		push	eax
		mov	[ebp+var_1C], eax
		call	_MiCountSharedPages@12 ; MiCountSharedPages(x,x,x)
		mov	ecx, [ebp+var_1C]
		sub	ecx, esi
		sar	ecx, 3
		sub	ecx, eax
		mov	eax, [ebp+var_28]
		inc	ecx
		mov	[ebp+var_1C], ecx
		mov	al, [eax]
		and	al, 7
		cmp	al, 2
		jnz	short loc_5D20F8
		mov	esi, offset unk_6D3C40
		jmp	short loc_5D2101
; 

loc_5D20F8:				; CODE XREF: MiDeletePartialVad+DD6D9j
		mov	esi, [ebp+var_8]
		add	esi, 2C0h

loc_5D2101:				; CODE XREF: MiDeletePartialVad+DD6E0j
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		mov	esi, [ebp+var_58]
		mov	edx, [ebp+var_1C]
		mov	byte ptr [ebp+var_4+2],	al
		mov	byte ptr [ebp+var_2C], al

loc_5D2117:				; CODE XREF: MiDeletePartialVad+DD662j
					; MiDeletePartialVad+DD688j
		mov	eax, [esi+20h]
		mov	ecx, edx
		and	eax, 80000000h
		and	ecx, 7FFFFFFFh
		or	eax, ecx
		mov	[esi+20h], eax
		mov	esi, [edi+20h]
		and	esi, 80000000h
		mov	[ebp+var_1C], esi
		mov	esi, 7FFFFFFFh
		and	eax, esi
		cmp	eax, 0FFFFDh
		jz	short loc_5D214D
		mov	ecx, [ebp+var_50]
		sub	ecx, edx
		and	ecx, esi

loc_5D214D:				; CODE XREF: MiDeletePartialVad+DD72Ej
		or	ecx, [ebp+var_1C]
		mov	esi, [ebp+var_58]
		mov	[edi+20h], ecx
		jmp	loc_4F4F71
; 

loc_5D215B:				; CODE XREF: MiDeletePartialVad+1F7j
		mov	eax, offset unk_6D3C40
		jmp	loc_4F4C1E
; 

loc_5D2165:				; CODE XREF: MiDeletePartialVad+219j
		mov	ecx, [ebp+var_30]
		call	MiDrainSystemAccessLog
		jmp	loc_4F4C35
; 

loc_5D2172:				; CODE XREF: MiDeletePartialVad+496j
		push	0
		push	[ebp+var_6C]
		push	[ebp+var_24]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D2185:				; CODE XREF: MiDeletePartialVad+37Dj
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_34]
		jmp	loc_4F4D9F
; 

loc_5D2196:				; CODE XREF: MiDeletePartialVad+619j
		push	[ebp+var_70]
		mov	edx, [ebp+var_24]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4F4DB6
; 

loc_5D21A8:				; CODE XREF: MiDeletePartialVad+2BDj
		mov	edi, [ebp+var_34]
		jmp	loc_4F4DE1
; 

loc_5D21B0:				; CODE XREF: MiDeletePartialVad+3D8j
		mov	edx, large fs:124h
		mov	ecx, eax
		push	3
		mov	edx, [edx+80h]
		call	MiInsertVad
		mov	ecx, [ebx+10h]
		call	_MiUnlockNestedVad@4 ; MiUnlockNestedVad(x)
		mov	edi, [ebp+var_C]
		jmp	loc_4F4DF4
; 

loc_5D21D6:				; CODE XREF: MiDeletePartialVad+3E3j
		test	dword ptr [ecx+1Ch], 100000h
		jnz	loc_4F4DFF
		mov	eax, [ebp+var_8]
		lea	edx, [ecx+38h]
		or	eax, 1
		mov	[ecx+40h], eax
		mov	ecx, [ecx+2Ch]
		push	3
		call	MiManageSubsectionView
		jmp	loc_4F4DFF
; 

loc_5D21FE:				; CODE XREF: MiDeletePartialVad+411j
		mov	edx, [ebp+var_8]
		cmp	edx, ds:_PsInitialSystemProcess
		jz	loc_4F4E2D
		mov	eax, [ebp+var_64]
		mov	ecx, [edx+188h]
		shl	eax, 3
		push	eax
		push	1
		call	PspReturnQuota
		mov	edi, [ebp+var_C]
		jmp	loc_4F4E2D
; 

loc_5D2229:				; CODE XREF: MiDeletePartialVad+41Bj
		mov	edx, [esi+10h]
		mov	ecx, [esi+0Ch]
		shl	edx, 0Ch
		push	0
		or	edx, 0FFFh
		shl	ecx, 0Ch
		call	_MiResidentPagesForSpan@12 ; MiResidentPagesForSpan(x,x,x)
		mov	ecx, [ebp+var_68]
		cmp	eax, ecx
		jnb	loc_4F4E37
		sub	ecx, eax
		mov	edx, ecx
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	loc_4F4E37
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax
		jmp	loc_4F4E37
; 

loc_5D2271:				; CODE XREF: MiDeletePartialVad+439j
		cmp	edi, [ebp+var_18]
		jz	loc_4F4E55
		mov	esi, [ebp+var_5C]
		add	esi, 24h
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	byte ptr [ebp+var_4+2],	al

loc_5D2289:				; CODE XREF: MiDeletePartialVad+DD883j
		push	ecx
		mov	edx, edi
		mov	ecx, edi
		call	_MiDecrementSubsections@12 ; MiDecrementSubsections(x,x,x)
		mov	edi, [edi+8]
		cmp	edi, [ebp+var_18]
		jnz	short loc_5D2289
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4F4E55
; END OF FUNCTION CHUNK	FOR MiDeletePartialVad
; 
; START	OF FUNCTION CHUNK FOR MiClearVadBits

loc_5D22AF:				; CODE XREF: MiClearVadBits+3Ej
		lea	eax, [esi-1]
		cmp	eax, esi
		ja	loc_4F50D7
		mov	esi, eax
		jmp	loc_4F508A
; END OF FUNCTION CHUNK	FOR MiClearVadBits
; 
; START	OF FUNCTION CHUNK FOR MiClearVadCellBits

loc_5D22C1:				; CODE XREF: MiClearVadCellBits+19j
		test	edx, edx
		jnz	loc_4F5101
		xor	esi, esi
		inc	esi
		jmp	loc_4F5101
; 

loc_5D22D1:				; CODE XREF: MiClearVadCellBits+4Aj
		mov	esi, edx
		jmp	loc_4F5132
; 

loc_5D22D8:				; CODE XREF: MiClearVadCellBits+5Cj
		lea	ecx, [ebx-1]
		mov	[ebp+var_8], 1
		jmp	loc_4F5144
; 

loc_5D22E7:				; CODE XREF: MiClearVadCellBits+B5j
					; MiClearVadCellBits+BEj
		mov	[ebp+arg_C], ebx
		jmp	loc_4F51A6
; 

loc_5D22EF:				; CODE XREF: MiClearVadCellBits+133j
		cmp	[ebp+arg_C], ebx
		jz	loc_4F521B
		cmp	ecx, eax
		jb	loc_4F51AB
		mov	[edi+8], eax
		jmp	loc_4F51AB
; END OF FUNCTION CHUNK	FOR MiClearVadCellBits
; 
; START	OF FUNCTION CHUNK FOR MiCaptureDeleteHierarchy

loc_5D2308:				; CODE XREF: MiCaptureDeleteHierarchy+42j
		test	edi, edi
		jz	loc_4F5282
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		push	1
		push	[ebp+arg_0]
		shl	ecx, 9
		push	0
		call	MiMakeSystemAddressValid
		jmp	loc_4F5282
; END OF FUNCTION CHUNK	FOR MiCaptureDeleteHierarchy
; 
; START	OF FUNCTION CHUNK FOR MiAdvanceVadView

loc_5D2329:				; CODE XREF: MiAdvanceVadView+1Bj
		mov	ecx, [esi+2Ch]
		mov	edx, [esi+30h]
		push	0FFFFFFFFh
		mov	eax, [ecx]
		mov	[ebp+var_4], eax
		call	MiStartingOffset
		shl	ebx, 0Ch
		mov	ecx, eax
		add	ecx, ebx
		mov	eax, ecx
		adc	edx, 0
		mov	ebx, edx
		shrd	eax, ebx, 0Ch
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_4]
		shr	ebx, 0Ch
		mov	[ebp+var_C], ebx
		cmp	dword ptr [eax+20h], 0
		jz	short loc_5D2371
		push	edx
		push	ecx
		xor	edx, edx
		mov	ecx, eax
		call	_MiLocateSubsectionNode@16 ; MiLocateSubsectionNode(x,x,x,x)
		mov	ecx, eax
		jmp	short loc_5D2387
; 

loc_5D2371:				; CODE XREF: MiAdvanceVadView+DD06Cj
		lea	ecx, [eax+50h]
		lea	edx, [ebp+var_10]
		call	_MiLocatePagefileSubsection@8 ;	MiLocatePagefileSubsection(x,x)
		mov	ebx, [ebp+var_C]
		mov	ecx, eax
		mov	eax, [ebp+var_10]
		mov	[ebp+var_8], eax

loc_5D2387:				; CODE XREF: MiAdvanceVadView+DD07Bj
		mov	ax, [ecx+10h]
		shr	ax, 6
		movzx	eax, ax
		mov	[ebp+var_4], ecx
		xor	ecx, ecx
		cdq
		mov	edx, [ebp+var_4]
		or	ecx, [edx+14h]
		mov	edx, [ebp+var_8]
		sub	edx, ecx
		mov	ecx, [esi+10h]
		sbb	ebx, eax
		mov	eax, [ebp+var_4]
		mov	[esi+2Ch], eax
		sub	ecx, edi
		mov	eax, [eax+4]
		lea	eax, [eax+edx*8]
		mov	[esi+30h], eax
		xor	eax, eax
		add	ecx, edx
		adc	eax, ebx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_4]
		call	_MiComputeContiguousSubsectionPte@12 ; MiComputeContiguousSubsectionPte(x,x,x)
		mov	[esi+34h], eax
		jmp	loc_4F5315
; END OF FUNCTION CHUNK	FOR MiAdvanceVadView
; 
; START	OF FUNCTION CHUNK FOR MiZeroAndFlushPtes

loc_5D23D1:				; CODE XREF: MiZeroAndFlushPtes+79j
		mov	ecx, eax

loc_5D23D3:				; CODE XREF: MiZeroAndFlushPtes+DCF60j
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		shl	ebx, 9
		sub	edi, 40000000h
		sub	ecx, 1
		jnz	short loc_5D23D3
		mov	[ebp+var_124], ebx
		jmp	loc_4F5507
; 

loc_5D23F5:				; CODE XREF: MiZeroAndFlushPtes+12Ej
		lea	edx, [ebp+var_140]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, ds:_ZeroPte
		mov	[edi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edi+4], eax
		test	ds:byte_70EFC6,	1
		jz	short loc_5D242E
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_140]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5D246C
; 

loc_5D242E:				; CODE XREF: MiZeroAndFlushPtes+DCF94j
		mov	eax, [ebp+var_140]
		test	eax, eax
		jnz	short loc_5D2459
		mov	edx, [ebp+var_13C]
		lea	eax, [ebp+var_140]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_140]
		cmp	eax, ecx
		jz	short loc_5D246C
		call	KxWaitForLockChainValid

loc_5D2459:				; CODE XREF: MiZeroAndFlushPtes+DCFAEj
		xor	ecx, ecx
		mov	[ebp+var_140], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5D246C:				; CODE XREF: MiZeroAndFlushPtes+DCFA4j
					; MiZeroAndFlushPtes+DCFCAj
		mov	cl, [ebp+var_138]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	short loc_5D2484
		mov	esi, edi
		mov	[ebp+var_148], esi

loc_5D2484:				; CODE XREF: MiZeroAndFlushPtes+DCFF2j
		mov	ecx, [ebp+var_134]
		mov	ebx, edi
		mov	[ebp+var_14C], ebx

loc_5D2492:				; CODE XREF: MiZeroAndFlushPtes+14Aj
		mov	edx, ecx
		lea	ecx, [ebp+var_120]
		push	edi
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)
		jmp	loc_4F55EB
; 

loc_5D24A5:				; CODE XREF: MiZeroAndFlushPtes+134j
		mov	eax, [ebp+var_150]
		mov	[edi], eax
		nop
		mov	eax, [ebp+var_154]
		jmp	loc_4F55CF
; 

loc_5D24B9:				; CODE XREF: MiZeroAndFlushPtes+245j
		lea	ecx, [ebp+var_120]
		call	MiFlushTbList
		xor	ebx, ebx
		xor	esi, esi

loc_5D24C8:				; CODE XREF: MiZeroAndFlushPtes+DD05Dj
		mov	edx, [ebp+ebx*8+var_88]
		lea	ecx, [esi+1]
		mov	eax, [ebp+ebx*8+var_84]
		sub	eax, edx
		push	eax
		call	MiDereferenceIoPages
		inc	ebx
		cmp	ebx, 10h
		jb	short loc_5D24C8
		and	[ebp+var_12C], esi
		mov	esi, [ebp+var_148]
		mov	ebx, [ebp+var_14C]
		jmp	loc_4F5629
; 

loc_5D24FE:				; CODE XREF: MiZeroAndFlushPtes+E1j
		mov	eax, [ebp+var_128]
		jmp	loc_4F5653
; 

loc_5D2509:				; CODE XREF: MiZeroAndFlushPtes+1CDj
		and	[ebp+var_134], 0
		mov	edi, eax
		xor	ecx, ecx
		shr	edi, 9
		inc	ecx
		and	edi, offset loc_7FFFF8
		mov	[ebp+var_124], ecx
		sub	edi, 40000000h
		jmp	loc_4F5552
; 

loc_5D252F:				; CODE XREF: MiZeroAndFlushPtes+1D5j
		mov	ecx, 0C07FFFFFh
		mov	eax, 0C0000000h
		jmp	short loc_5D2542
; 

loc_5D253B:				; CODE XREF: MiZeroAndFlushPtes+DD0BCj
		cmp	esi, ecx
		ja	short loc_5D2546
		shl	esi, 9

loc_5D2542:				; CODE XREF: MiZeroAndFlushPtes+DD0B1j
		cmp	esi, eax
		jnb	short loc_5D253B

loc_5D2546:				; CODE XREF: MiZeroAndFlushPtes+DD0B5j
		shr	esi, 9
		mov	edx, offset loc_7FFFF8
		and	esi, edx
		mov	edi, 40000000h
		sub	esi, edi
		jmp	short loc_5D2560
; 

loc_5D2559:				; CODE XREF: MiZeroAndFlushPtes+DD0DAj
		cmp	ebx, ecx
		ja	short loc_5D2564
		shl	ebx, 9

loc_5D2560:				; CODE XREF: MiZeroAndFlushPtes+DD0CFj
		cmp	ebx, eax
		jnb	short loc_5D2559

loc_5D2564:				; CODE XREF: MiZeroAndFlushPtes+DD0D3j
		shr	ebx, 9
		mov	ecx, esi
		and	edx, ebx
		sub	edx, edi
		call	MiReplicatePteChange
		jmp	loc_4F5663
; END OF FUNCTION CHUNK	FOR MiZeroAndFlushPtes
; 
; START	OF FUNCTION CHUNK FOR MiIoSpaceRunIsConstant

loc_5D2577:				; CODE XREF: MiIoSpaceRunIsConstant+DCEBCj
		mov	ebx, [edi]
		cmp	ebx, ds:dword_6D07B0
		ja	short loc_5D259A
		mov	eax, ds:dword_6D35B8
		mov	edx, ebx
		shr	edx, 5
		mov	ecx, ebx
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jnz	short loc_5D25B2

loc_5D259A:				; CODE XREF: MiIoSpaceRunIsConstant+DCE83j
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	MiIoSpaceIsConstant
		cmp	[ebp+var_4], eax
		jz	short loc_5D25B2
		and	[ebp+var_4], 0
		jmp	loc_4F5730
; 

loc_5D25B2:				; CODE XREF: MiIoSpaceRunIsConstant+DCE9Cj
					; MiIoSpaceRunIsConstant+DCEABj
		add	edi, 4

loc_5D25B5:				; CODE XREF: MiIoSpaceRunIsConstant+50j
		sub	esi, 1
		jnz	short loc_5D2577
		jmp	loc_4F5730
; END OF FUNCTION CHUNK	FOR MiIoSpaceRunIsConstant
; 
; START	OF FUNCTION CHUNK FOR MiDereferenceIoPages

loc_5D25BF:				; CODE XREF: MiDereferenceIoPages+E2j
		mov	eax, 400h
		jmp	loc_4F5842
; 

loc_5D25C9:				; CODE XREF: MiDereferenceIoPages+259j
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:dword_6D3454, eax
		mov	eax, [edi]
		mov	edx, [ebx+14h]
		mov	byte ptr [ebp+var_20], 0
		test	eax, eax
		jnz	loc_4F59B6

loc_5D25E6:				; CODE XREF: MiDereferenceIoPages+27Dj
					; MiDereferenceIoPages+286j
		push	esi
		push	[ebp+var_20]
		push	eax
		push	edi
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		xor	ebx, ebx
		inc	ds:dword_6D345C
		jmp	loc_4F5919
; 

loc_5D25FE:				; CODE XREF: MiDereferenceIoPages+FDj
		mov	ecx, [ebp+var_14]
		jmp	loc_4F58AE
; 

loc_5D2606:				; CODE XREF: MiDereferenceIoPages+19Bj
		push	edi
		push	edx
		push	ebx
		push	6194Bh
		jmp	short loc_5D261E
; 

loc_5D2610:				; CODE XREF: MiDereferenceIoPages+6Dj
		push	[ebp+var_8]
		push	[ebp+arg_0]
		push	[ebp+var_28]
		push	61948h

loc_5D261E:				; CODE XREF: MiDereferenceIoPages+DCEBCj
					; MiDereferenceIoPages+DCEDFj
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D2625:				; CODE XREF: MiDereferenceIoPages+116j
		push	edi
		push	[ebp+arg_0]
		push	[ebp+var_28]
		push	6194Ah
		jmp	short loc_5D261E
; END OF FUNCTION CHUNK	FOR MiDereferenceIoPages
; 
; START	OF FUNCTION CHUNK FOR MiReferenceIoPages

loc_5D2633:				; CODE XREF: MiReferenceIoPages+B8j
		mov	eax, [eax+14h]
		jmp	loc_4F5A9F
; 

loc_5D263B:				; CODE XREF: MiReferenceIoPages+315j
		mov	ecx, [esp+0B8h+var_8C]
		jmp	loc_4F5D01
; 

loc_5D2644:				; CODE XREF: MiReferenceIoPages+337j
		push	5Ch
		xor	eax, eax
		mov	dword ptr [edi+14h], 10000h
		inc	ds:dword_6D3468
		pop	ecx
		push	2
		mov	[edi], eax
		mov	[edi+10h], eax
		mov	[edi+18h], eax
		pop	eax
		push	ecx
		mov	[edi+4], cx
		mov	[edi+6], ax
		call	_MiFlushCacheMdl@12 ; MiFlushCacheMdl(x,x,x)
		test	eax, eax
		jz	short loc_5D267B
		mov	[esp+0B8h+var_90], 1

loc_5D267B:				; CODE XREF: MiReferenceIoPages+DCC93j
		xor	edi, edi
		jmp	loc_4F5BE5
; 

loc_5D2682:				; CODE XREF: MiReferenceIoPages+272j
		mov	ecx, ebx
		call	_MiClearCacheFromNode@4	; MiClearCacheFromNode(x)
		jmp	loc_4F5C56
; 

loc_5D268E:				; CODE XREF: MiReferenceIoPages+1C4j
		mov	ebx, [esp+0B8h+var_88]
		cmp	esi, ebx
		jz	short loc_5D269A
		mov	[esp+0B8h+var_78], esi

loc_5D269A:				; CODE XREF: MiReferenceIoPages+DCCB6j
		mov	[esp+0B8h+var_74], 0C000009Ah
		jmp	loc_4F5C64
; 

loc_5D26A7:				; CODE XREF: MiReferenceIoPages+120j
		push	offset unk_6D3440
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+0B8h+var_A9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+0B8h+var_88]
		sub	esi, edx
		mov	ecx, [esp+0B8h+var_9C]
		push	esi
		call	MiDereferenceIoPages
		mov	eax, 0C000009Ah
		jmp	loc_4F5C91
; 

loc_5D26D5:				; CODE XREF: MiReferenceIoPages+2A9j
		mov	ecx, [esp+0B8h+var_9C]
		sub	eax, ebx
		push	eax
		mov	edx, ebx
		call	MiDereferenceIoPages
		jmp	loc_4F5C8D
; END OF FUNCTION CHUNK	FOR MiReferenceIoPages
; 
; START	OF FUNCTION CHUNK FOR MiIoSpaceIsConstant

loc_5D26E8:				; CODE XREF: MiIoSpaceIsConstant+26j
		cmp	esi, edx
		jb	loc_4F5DC4
		cmp	edi, ecx
		jbe	loc_4F5DC4
		jmp	loc_4F5DC2
; END OF FUNCTION CHUNK	FOR MiIoSpaceIsConstant
; 
; START	OF FUNCTION CHUNK FOR MiRemoveUnmappedIoNode

loc_5D26FD:				; CODE XREF: MiRemoveUnmappedIoNode+48j
		mov	eax, [eax+10h]
		mov	ds:dword_6D3458, eax
		jmp	loc_4F5E1A
; END OF FUNCTION CHUNK	FOR MiRemoveUnmappedIoNode
; 
; START	OF FUNCTION CHUNK FOR IopPostProcessIrp

loc_5D270A:				; CODE XREF: IopPostProcessIrp+40j
		lea	ecx, [ebx+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_5D2753
		lea	eax, [ebp+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	KiStackAttachProcess
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [esi+40h]
		push	eax
		call	_IopCompleteRequest@20 ; IopCompleteRequest(x,x,x,x,x)
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		lea	ecx, [ebx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_4F65E9
; 

loc_5D2753:				; CODE XREF: IopPostProcessIrp+DC187j
		mov	edx, [edi]
		mov	ecx, esi
		call	IopDropIrp
		mov	eax, [ebp+var_24]
		and	dword ptr [eax+4], 0
		mov	dword ptr [eax], 0C0000120h
		jmp	loc_4F65E9
; END OF FUNCTION CHUNK	FOR IopPostProcessIrp
; 
; START	OF FUNCTION CHUNK FOR EtwActivityIdControl

loc_5D276E:				; CODE XREF: EtwActivityIdControl+90j
		mov	esi, ecx
		lea	edi, [ebp+var_30]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_4]
		mov	edi, ecx
		movsd
		movsd
		movsd
		movsd
		lea	esi, [ebp+var_30]
		jmp	loc_4F6691
; END OF FUNCTION CHUNK	FOR EtwActivityIdControl

;  S U B	R O U T	I N E 


sub_5D2788	proc near		; DATA XREF: .text:006A3414o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5D2788	endp


;  S U B	R O U T	I N E 


sub_5D2796	proc near		; DATA XREF: .text:006A3418o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-20h]
		mov	[ebp-1Ch], eax
		jmp	loc_4F6698
sub_5D2796	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpClearPartitionContext

loc_5D27A4:				; CODE XREF: EtwpClearPartitionContext+9j
		call	PsDereferencePartition
		and	dword ptr [esi], 0
		jmp	loc_4F67C7
; END OF FUNCTION CHUNK	FOR EtwpClearPartitionContext

;  S U B	R O U T	I N E 


sub_5D27B1	proc near		; CODE XREF: EtwpFreeTraceBuffer+1Dj
		push	ebx
		push	edi
		mov	edi, [ecx+37Ch]
		mov	[ebp-8], edi
		or	word ptr [edi+6], 3
		lea	eax, [edi+1Ch]
		mov	[edi+0Ch], esi
		mov	ebx, [ecx+4]
		shr	ebx, 0Ch
		test	ebx, ebx
		jz	short loc_5D27F0
		mov	edi, eax

loc_5D27D3:				; CODE XREF: sub_5D27B1+3Aj
		push	esi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		shrd	eax, edx, 0Ch
		add	esi, 1000h
		mov	[edi], eax
		lea	edi, [edi+4]
		sub	ebx, 1
		jnz	short loc_5D27D3
		mov	edi, [ebp-8]

loc_5D27F0:				; CODE XREF: sub_5D27B1+1Ej
		xor	edx, edx
		mov	ecx, edi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		pop	edi
		pop	ebx
		jmp	loc_4F67F7
sub_5D27B1	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpFreeCompression

loc_5D2800:				; CODE XREF: EtwpFreeCompression+37j
		lea	eax, [esi+2FCh]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, esi
		call	_EtwpRelinquishCompressionTarget@4 ; EtwpRelinquishCompressionTarget(x)
		mov	edx, [ebp+var_8]
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_10], eax
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5D2836
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_8]

loc_5D2836:				; CODE XREF: EtwpFreeCompression+DC028j
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	edx, 7FFFFFFCh
		jz	loc_5D29CC
		mov	esi, large fs:124h
		mov	ecx, edx
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], eax
		cmp	edx, eax
		jb	short loc_5D287D
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_5D2882
		mov	eax, [ebp+var_30]
		cmp	edx, eax
		jb	short loc_5D287D
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_5D2882

loc_5D287D:				; CODE XREF: EtwpFreeCompression+DC05Ej
					; EtwpFreeCompression+DC070j
		or	eax, 0FFFFFFFFh
		jmp	short loc_5D2890
; 

loc_5D2882:				; CODE XREF: EtwpFreeCompression+DC069j
					; EtwpFreeCompression+DC079j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_10], eax

loc_5D2890:				; CODE XREF: EtwpFreeCompression+DC07Ej
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_5D28D6
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_5D293C
		mov	eax, [ebp+var_8]
		push	ecx
		push	[ebp+var_10]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D28D6:				; CODE XREF: EtwpFreeCompression+DC0B5j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5D28EC
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_5D28EC:				; CODE XREF: EtwpFreeCompression+DC0E0j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_5D2930
		or	[esi+1E4h], dl
		jmp	short loc_5D293C
; 

loc_5D2930:				; CODE XREF: EtwpFreeCompression+DC124j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_34]

loc_5D293C:				; CODE XREF: EtwpFreeCompression+DC0BFj
					; EtwpFreeCompression+DC12Cj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jz	short loc_5D29A3
		test	edi, 8000h
		jz	short loc_5D2960
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5D2960:				; CODE XREF: EtwpFreeCompression+DC153j
		test	byte ptr [ebp+var_14+2], 1
		jz	short loc_5D2976
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_5D2976:				; CODE XREF: EtwpFreeCompression+DC162j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5D298A
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5D298A:				; CODE XREF: EtwpFreeCompression+DC17Bj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5D29A3
		push	[ebp+var_34]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5D29A3:				; CODE XREF: EtwpFreeCompression+DC14Bj
					; EtwpFreeCompression+DC192j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_5D29C9
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5D29C9
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5D29C9:				; CODE XREF: EtwpFreeCompression+DC1B8j
					; EtwpFreeCompression+DC1C0j
		mov	esi, [ebp+var_C]

loc_5D29CC:				; CODE XREF: EtwpFreeCompression+DC03Fj
		xor	eax, eax
		lea	ecx, [esi+308h]
		xchg	eax, [ecx]
		jmp	loc_4F683F
; 

loc_5D29DB:				; CODE XREF: EtwpFreeCompression+45j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4F684D
; END OF FUNCTION CHUNK	FOR EtwpFreeCompression
; 
; START	OF FUNCTION CHUNK FOR EtwpCancelPendingStackwalkApcs

loc_5D29E8:				; CODE XREF: EtwpCancelPendingStackwalkApcs+2Dj
					; EtwpCancelPendingStackwalkApcs+DC1B9j
		mov	ecx, [edi+298h]
		add	ecx, esi
		cmp	byte ptr [ecx],	12h
		jnz	short loc_5D2A0D
		call	KeRemoveQueueApc
		test	al, al
		jz	short loc_5D2A0D
		mov	edx, [edi+298h]
		mov	ecx, edi
		add	edx, esi
		call	_EtwpFinalizePendingApc@8 ; EtwpFinalizePendingApc(x,x)

loc_5D2A0D:				; CODE XREF: EtwpCancelPendingStackwalkApcs+DC195j
					; EtwpCancelPendingStackwalkApcs+DC19Ej
		inc	ebx
		add	esi, 30h
		cmp	ebx, [edi+29Ch]
		jb	short loc_5D29E8
		jmp	loc_4F686F
; 

loc_5D2A1E:				; CODE XREF: EtwpCancelPendingStackwalkApcs+21j
		mov	eax, [edi+2E4h]
		xor	edx, edx
		mov	esi, [edi]
		inc	edx
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+esi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		lea	eax, [edi+2A0h]
		lock btr dword ptr [eax], 1
		jmp	loc_4F6885
; END OF FUNCTION CHUNK	FOR EtwpCancelPendingStackwalkApcs
; 
; START	OF FUNCTION CHUNK FOR KeRemoveQueueDpcEx

loc_5D2A47:				; CODE XREF: KeRemoveQueueDpcEx+4Cj
		mov	ecx, [esi]
		mov	eax, ecx
		shr	eax, 10h
		mov	[ebp+var_58], ecx
		cmp	ax, 20h
		jb	short loc_5D2A5C
		add	eax, 0FFE0h

loc_5D2A5C:				; CODE XREF: KeRemoveQueueDpcEx+DC1A7j
		cmp	byte ptr [ebp+var_58], 1Ah
		movzx	eax, ax
		mov	ebx, ds:_KiProcessorBlock[eax*4]
		jnz	short loc_5D2A7A
		cmp	byte ptr [ebx+2255h], 0
		mov	eax, 21F8h
		jnz	short loc_5D2A7F

loc_5D2A7A:				; CODE XREF: KeRemoveQueueDpcEx+DC1BCj
		mov	eax, 21E0h

loc_5D2A7F:				; CODE XREF: KeRemoveQueueDpcEx+DC1CAj
		lea	edi, [ebx+eax]
		lea	ecx, [edi+8]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [esi+1Ch]
		cmp	[ebp+var_20], eax
		jnz	short loc_5D2ACB
		mov	eax, [esi]
		cmp	[ebp+var_58], eax
		jnz	short loc_5D2ACB
		xor	eax, eax
		lea	edx, [esi+4]
		inc	eax
		mov	ecx, edi
		sub	[edi+0Ch], eax
		mov	[ebp+var_18], eax
		call	_KiRemoveEntryDpcList@8	; KiRemoveEntryDpcList(x,x)
		and	dword ptr [esi+1Ch], 0
		mov	ecx, [ebx+4DCh]
		test	ecx, ecx
		jz	short loc_5D2ACB
		lea	eax, [ebx+21E0h]
		cmp	edi, eax
		jnz	short loc_5D2ACB
		mov	eax, [ecx+1Ch]
		dec	eax
		mov	[ecx+1Ch], eax

loc_5D2ACB:				; CODE XREF: KeRemoveQueueDpcEx+DC1E2j
					; KeRemoveQueueDpcEx+DC1E9j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_5D2AE1
		mov	edx, [ebp+4]
		lea	ecx, [edi+8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5D2AE9
; 

loc_5D2AE1:				; CODE XREF: KeRemoveQueueDpcEx+DC224j
		xor	ecx, ecx
		lea	eax, [edi+8]
		lock and [eax],	ecx

loc_5D2AE9:				; CODE XREF: KeRemoveQueueDpcEx+DC231j
		mov	al, [ebp+var_11]
		mov	ebx, [ebp+var_18]
		jmp	loc_4F6900
; 

loc_5D2AF4:				; CODE XREF: KeRemoveQueueDpcEx+5Bj
		cmp	dword ptr [esi+8], 0
		jz	loc_4F690F
		lea	edx, [ebp+var_10]
		lea	ecx, [ebp+var_38]
		call	_KiGetDeepIdleProcessors@8 ; KiGetDeepIdleProcessors(x,x)
		xor	eax, eax
		xor	ecx, ecx
		cmp	ax, word ptr [ebp+var_10]
		jnb	short loc_5D2B23
		mov	edx, [esi+8]

loc_5D2B16:				; CODE XREF: KeRemoveQueueDpcEx+DC273j
		and	[ebp+ecx*4+var_8], edx
		inc	ecx
		movzx	eax, word ptr [ebp+var_10]
		cmp	ecx, eax
		jb	short loc_5D2B16

loc_5D2B23:				; CODE XREF: KeRemoveQueueDpcEx+DC263j
		mov	eax, large fs:20h
		mov	eax, [eax+3C8h]
		not	eax
		and	[ebp+var_8], eax
		xor	eax, eax
		mov	[ebp+var_24], ax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_2C], eax

loc_5D2B46:				; CODE XREF: KeRemoveQueueDpcEx+DC2E0j
					; KeRemoveQueueDpcEx+DC2EDj
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5D2B9D
		cmp	byte ptr [esi],	1Ah
		mov	eax, [ebp+var_1C]
		mov	edi, ds:_KiProcessorBlock[eax*4]
		jnz	short loc_5D2B74
		cmp	byte ptr [edi+2255h], 0
		mov	eax, 21F8h
		jnz	short loc_5D2B79

loc_5D2B74:				; CODE XREF: KeRemoveQueueDpcEx+DC2B6j
		mov	eax, 21E0h

loc_5D2B79:				; CODE XREF: KeRemoveQueueDpcEx+DC2C4j
		cmp	[ebp+var_20], 0
		lea	ebx, [edi+eax]
		jnz	short loc_5D2B89
		mov	ecx, ebx
		call	_KiAcquireReleaseDpcData@4 ; KiAcquireReleaseDpcData(x)

loc_5D2B89:				; CODE XREF: KeRemoveQueueDpcEx+DC2D2j
		mov	eax, [ebx+14h]
		cmp	eax, esi
		jz	short loc_5D2B46
		mov	eax, [edi+3C8h]
		not	eax
		and	[ebp+var_8], eax
		jmp	short loc_5D2B46
; 

loc_5D2B9D:				; CODE XREF: KeRemoveQueueDpcEx+DC2A7j
		cmp	[ebp+var_8], 0
		jz	short loc_5D2BB4
		push	2
		push	0
		mov	edx, offset _RtlEndStrongEnumerationHashTable@8	; RtlEndStrongEnumerationHashTable(x,x)
		lea	ecx, [ebp+var_10]
		call	_KeGenericProcessorCallback@16 ; KeGenericProcessorCallback(x,x,x,x)

loc_5D2BB4:				; CODE XREF: KeRemoveQueueDpcEx+DC2F3j
		mov	ebx, [ebp+var_18]
		jmp	loc_4F690F
; END OF FUNCTION CHUNK	FOR KeRemoveQueueDpcEx
; 
; START	OF FUNCTION CHUNK FOR EtwpFreePlaceholderList

loc_5D2BBC:				; CODE XREF: EtwpFreePlaceholderList+Dj
		mov	eax, [edx]
		mov	[esi+318h], eax
		lea	eax, [edx-20h]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4F6927
; END OF FUNCTION CHUNK	FOR EtwpFreePlaceholderList
; 
; START	OF FUNCTION CHUNK FOR KiOutSwapKernelStacks

loc_5D2BD4:				; CODE XREF: KiOutSwapKernelStacks+55j
					; KiOutSwapKernelStacks+DBFECj
		lea	ecx, [ebp+var_28]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5D2BD4
		jmp	loc_4F6C44
; END OF FUNCTION CHUNK	FOR KiOutSwapKernelStacks
; 
; START	OF FUNCTION CHUNK FOR PspReaper

loc_5D2BE7:				; CODE XREF: PspReaper+29j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi+354h], 0
		jmp	loc_4F6DFB
; END OF FUNCTION CHUNK	FOR PspReaper
; 
; START	OF FUNCTION CHUNK FOR KeDeleteThread

loc_5D2BFB:				; CODE XREF: KeDeleteThread+68j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4F6F89
; END OF FUNCTION CHUNK	FOR KeDeleteThread
; 
; START	OF FUNCTION CHUNK FOR MiInPageSingleKernelStack

loc_5D2C08:				; CODE XREF: MiInPageSingleKernelStack+278j
					; MiInPageSingleKernelStack+28Aj
		mov	ecx, 7FFFFFFFh
		lock and [edx],	ecx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4F7256
; 

loc_5D2C1D:				; CODE XREF: MiInPageSingleKernelStack+2F2j
		push	eax
		push	esi
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo
		jmp	loc_4F732E
; 

loc_5D2C30:				; CODE XREF: MiInPageSingleKernelStack+1C8j
		xor	ecx, ecx
		push	ecx
		push	[ebp+var_90]
		push	edi
		push	3451h
		push	1Ah
		jmp	short loc_5D2C5C
; 

loc_5D2C43:				; CODE XREF: MiInPageSingleKernelStack+374j
		xor	ecx, ecx
		inc	ecx
		call	_MiFlushAllFilesystemPages@4 ; MiFlushAllFilesystemPages(x)
		mov	eax, [esi+8]
		push	eax
		push	0
		push	dword ptr [eax-4]
		push	[ebp+var_B4]
		push	77h

loc_5D2C5C:				; CODE XREF: MiInPageSingleKernelStack+DBC0Bj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D2C61:				; CODE XREF: MiInPageSingleKernelStack+35Cj
		push	1
		lea	ecx, [ebx+1000h]
		mov	edx, eax
		call	_MiLogKernelStackEvent@12 ; MiLogKernelStackEvent(x,x,x)
		jmp	loc_4F7398
; END OF FUNCTION CHUNK	FOR MiInPageSingleKernelStack
; 
; START	OF FUNCTION CHUNK FOR MiFaultInProbeAddress

loc_5D2C75:				; CODE XREF: MiFaultInProbeAddress+D2j
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		call	_MiDeliverPicoExceptionForProbedPage@8 ; MiDeliverPicoExceptionForProbedPage(x,x)
		mov	esi, eax
		jmp	loc_4F7601
; END OF FUNCTION CHUNK	FOR MiFaultInProbeAddress
; 
; START	OF FUNCTION CHUNK FOR NLS_DOWNCASE

loc_5D2C86:				; CODE XREF: NLS_DOWNCASE+21j
		movzx	edx, cx
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, word ptr [esi+eax*2]
		mov	eax, edx
		shr	eax, 4
		and	eax, 0Fh
		add	ecx, eax
		mov	eax, edx
		and	eax, 0Fh
		movzx	ecx, word ptr [esi+ecx*2]
		add	ecx, eax
		mov	ax, [esi+ecx*2]
		add	ax, dx
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR NLS_DOWNCASE
; 
; START	OF FUNCTION CHUNK FOR RtlFreeHeap

loc_5D2CB0:				; CODE XREF: RtlFreeHeap+13j
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	eax
		push	edi
		push	13h
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	loc_4F76ED
; 

loc_5D2CC5:				; CODE XREF: RtlFreeHeap+22j
		push	[ebp+arg_4]
		mov	ecx, esi
		call	_RtlpHpFreeWithExceptionProtection@12 ;	RtlpHpFreeWithExceptionProtection(x,x,x)
		jmp	loc_4F7708
; END OF FUNCTION CHUNK	FOR RtlFreeHeap
; 
; START	OF FUNCTION CHUNK FOR RtlpFreeHeapInternal

loc_5D2CD4:				; CODE XREF: RtlpFreeHeapInternal+18j
		xor	esi, esi
		test	byte ptr [ebx+48h], 1
		push	edi
		jz	short loc_5D2CE6
		call	@RtlpProbeUserBufferSafe@8 ; RtlpProbeUserBufferSafe(x,x)
		mov	edi, eax
		jmp	short loc_5D2D1A
; 

loc_5D2CE6:				; CODE XREF: RtlpFreeHeapInternal+DB5C7j
		test	al, 7
		jnz	short loc_5D2D0A
		lea	edi, [eax-8]
		cmp	byte ptr [edi+7], 5
		jnz	short loc_5D2CFC
		movzx	eax, byte ptr [edi+6]
		shl	eax, 3
		sub	edi, eax

loc_5D2CFC:				; CODE XREF: RtlpFreeHeapInternal+DB5DDj
		test	byte ptr [edi+7], 3Fh
		jnz	short loc_5D2D1A
		push	esi
		push	esi
		push	esi
		push	edi
		push	8
		jmp	short loc_5D2D10
; 

loc_5D2D0A:				; CODE XREF: RtlpFreeHeapInternal+DB5D4j
		push	esi
		push	esi
		push	esi
		push	eax
		push	9

loc_5D2D10:				; CODE XREF: RtlpFreeHeapInternal+DB5F4j
		mov	edx, ebx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	edi, esi

loc_5D2D1A:				; CODE XREF: RtlpFreeHeapInternal+DB5D0j
					; RtlpFreeHeapInternal+DB5ECj
		test	edi, edi
		jz	loc_5D2E24
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+arg_0]
		cmp	byte ptr [ecx-1], 5
		jnz	loc_5D2E13
		cmp	[ebx+4Ch], esi
		jz	short loc_5D2D6F
		mov	eax, [edi]
		mov	edx, [ebx+50h]
		xor	edx, eax
		mov	[ebp+var_10], eax
		mov	ecx, edx
		mov	eax, edx
		shr	ecx, 10h
		shr	eax, 8
		xor	cl, al
		xor	cl, dl
		shr	edx, 18h
		cmp	dl, cl
		mov	ecx, [ebp+var_4]
		jnz	short loc_5D2DD7
		cmp	[ebx+4Ch], esi
		jz	short loc_5D2D6F
		mov	eax, [edi]
		mov	edx, [ebx+4Ch]
		test	edx, eax
		jz	short loc_5D2D6A
		xor	eax, [ebx+50h]

loc_5D2D6A:				; CODE XREF: RtlpFreeHeapInternal+DB651j
		movzx	eax, ax
		jmp	short loc_5D2D74
; 

loc_5D2D6F:				; CODE XREF: RtlpFreeHeapInternal+DB621j
					; RtlpFreeHeapInternal+DB648j
		movzx	eax, word ptr [edi]
		mov	edx, esi

loc_5D2D74:				; CODE XREF: RtlpFreeHeapInternal+DB659j
		cmp	byte ptr [edi+7], 4
		movzx	eax, ax
		mov	[ebp+var_4], eax
		jnz	short loc_5D2DA3
		test	edx, edx
		jz	short loc_5D2D93
		mov	eax, [edi]
		test	[ebx+4Ch], eax
		jz	short loc_5D2D8E
		xor	eax, [ebx+50h]

loc_5D2D8E:				; CODE XREF: RtlpFreeHeapInternal+DB675j
		movzx	eax, ax
		jmp	short loc_5D2D96
; 

loc_5D2D93:				; CODE XREF: RtlpFreeHeapInternal+DB66Ej
		movzx	eax, word ptr [edi]

loc_5D2D96:				; CODE XREF: RtlpFreeHeapInternal+DB67Dj
		mov	edx, [edi-8]
		movzx	eax, ax
		sub	edx, eax
		add	edx, [ebp+var_4]
		jmp	short loc_5D2DA8
; 

loc_5D2DA3:				; CODE XREF: RtlpFreeHeapInternal+DB66Aj
		mov	edx, eax
		shl	edx, 3

loc_5D2DA8:				; CODE XREF: RtlpFreeHeapInternal+DB68Dj
		lea	eax, [edx+edi]
		cmp	eax, ecx
		jb	short loc_5D2DD7
		test	[ebp+arg_0], 3C000102h
		lea	edx, [ecx-8]
		mov	eax, [edx]
		mov	[ebp+var_8], eax
		jnz	short loc_5D2E10
		cmp	byte ptr [edx+7], 5
		jnz	short loc_5D2DE7
		movzx	eax, byte ptr [edx+6]
		shl	eax, 3
		sub	edx, eax
		mov	eax, [ebp+var_8]
		add	edx, 8
		jmp	short loc_5D2DE9
; 

loc_5D2DD7:				; CODE XREF: RtlpFreeHeapInternal+DB643j
					; RtlpFreeHeapInternal+DB699j
		push	esi
		push	esi
		push	ecx
		push	edi
		push	3
		mov	edx, ebx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	short loc_5D2E24
; 

loc_5D2DE7:				; CODE XREF: RtlpFreeHeapInternal+DB6B0j
		mov	edx, esi

loc_5D2DE9:				; CODE XREF: RtlpFreeHeapInternal+DB6C1j
		test	eax, eax
		jz	short loc_5D2E07
		dec	eax
		cmp	ax, 1
		jnb	short loc_5D2E07
		push	edx
		movzx	eax, ax
		push	3
		push	ecx
		push	ebx
		mov	eax, ds:_RtlpInterceptorRoutines[eax*4]
		call	eax
		jmp	short loc_5D2E0C
; 

loc_5D2E07:				; CODE XREF: RtlpFreeHeapInternal+DB6D7j
					; RtlpFreeHeapInternal+DB6DEj
		mov	eax, 0C0000001h

loc_5D2E0C:				; CODE XREF: RtlpFreeHeapInternal+DB6F1j
		test	eax, eax
		js	short loc_5D2E24

loc_5D2E10:				; CODE XREF: RtlpFreeHeapInternal+DB6AAj
		mov	eax, [ebp+arg_0]

loc_5D2E13:				; CODE XREF: RtlpFreeHeapInternal+DB618j
		push	ecx
		or	eax, 2
		mov	ecx, ebx
		push	edi
		mov	edx, eax
		call	@RtlpFreeHeap@16 ; RtlpFreeHeap(x,x,x,x)
		movzx	esi, al

loc_5D2E24:				; CODE XREF: RtlpFreeHeapInternal+DB608j
					; RtlpFreeHeapInternal+DB6D1j ...
		pop	edi
		jmp	loc_4F7755
; END OF FUNCTION CHUNK	FOR RtlpFreeHeapInternal
; 
; START	OF FUNCTION CHUNK FOR RtlAllocateHeap

loc_5D2E2A:				; CODE XREF: RtlAllocateHeap+Bj
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	eax
		push	eax
		push	13h
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	loc_4F7773
; 

loc_5D2E3F:				; CODE XREF: RtlAllocateHeap+1Bj
		push	[ebp+arg_4]
		mov	ecx, esi
		call	_RtlpHpAllocWithExceptionProtection@12 ; RtlpHpAllocWithExceptionProtection(x,x,x)
		jmp	loc_4F778E
; END OF FUNCTION CHUNK	FOR RtlAllocateHeap
; 
; START	OF FUNCTION CHUNK FOR RtlpAllocateHeapInternal

loc_5D2E4E:				; CODE XREF: RtlpAllocateHeapInternal+16j
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		or	eax, [ebx+44h]
		mov	ecx, edi
		mov	[ebp+arg_0], eax
		mov	[ebp+var_10], edi
		mov	[ebp+var_4], edi
		cmp	esi, 7FFFFFFFh
		ja	loc_5D2F7A
		lea	eax, [ebx+0D4h]
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	_RtlpHpCheckAllocationSizeLimit@12 ; RtlpHpCheckAllocationSizeLimit(x,x,x)
		test	eax, eax
		jnz	short loc_5D2E88
		mov	ecx, edi
		jmp	loc_5D2F77
; 

loc_5D2E88:				; CODE XREF: RtlpAllocateHeapInternal+DB6EBj
		mov	ecx, [ebx+58h]
		xor	edx, edx
		mov	eax, [ebp+arg_0]
		inc	edx
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	short loc_5D2EEE
		test	eax, 3C000102h
		jnz	short loc_5D2EEB
		dec	ecx
		cmp	cx, dx
		jnb	short loc_5D2EC2
		movzx	eax, cx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	edx
		push	edi
		mov	eax, ds:_RtlpInterceptorRoutines[eax*4]
		push	ebx
		call	eax
		xor	edx, edx
		mov	ecx, eax
		mov	eax, [ebp+arg_0]
		inc	edx
		jmp	short loc_5D2EC7
; 

loc_5D2EC2:				; CODE XREF: RtlpAllocateHeapInternal+DB70Fj
		mov	ecx, 0C0000001h

loc_5D2EC7:				; CODE XREF: RtlpAllocateHeapInternal+DB72Cj
		test	ecx, ecx
		jns	short loc_5D2ED2
		mov	ecx, edi
		jmp	loc_5D2F7A
; 

loc_5D2ED2:				; CODE XREF: RtlpAllocateHeapInternal+DB735j
		mov	ecx, [ebp+var_4]
		add	esi, 8
		add	ecx, 7
		and	ecx, 0FFFFFFF8h
		add	esi, ecx
		lea	eax, [ecx+8]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		jmp	short loc_5D2EEE
; 

loc_5D2EEB:				; CODE XREF: RtlpAllocateHeapInternal+DB709j
		mov	[ebp+var_C], edi

loc_5D2EEE:				; CODE XREF: RtlpAllocateHeapInternal+DB702j
					; RtlpAllocateHeapInternal+DB755j
		mov	ecx, esi
		test	esi, esi
		jnz	short loc_5D2EF6
		mov	ecx, edx

loc_5D2EF6:				; CODE XREF: RtlpAllocateHeapInternal+DB75Ej
		add	ecx, 0Fh
		lea	edx, [ebp+var_10]
		push	edx
		and	ecx, 0FFFFFFF8h
		mov	edx, eax
		push	ecx
		push	ecx
		mov	[ebp+var_8], ecx
		or	edx, 2
		push	esi
		mov	ecx, ebx
		call	@RtlpAllocateHeap@24 ; RtlpAllocateHeap(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_5D2F74
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	loc_4F77C4
		mov	edx, [ebp+arg_0]
		sub	esi, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		mov	[ebp+var_10], edi
		push	ecx
		push	edi
		mov	ecx, ebx
		call	@RtlpSetupExtendedBlock@24 ; RtlpSetupExtendedBlock(x,x,x,x,x,x)
		mov	ecx, [ebp+var_C]
		mov	edi, eax
		xor	eax, eax
		dec	ecx
		inc	eax
		cmp	cx, ax
		jnb	short loc_5D2F5C
		push	[ebp+var_10]
		movzx	eax, cx
		push	2
		push	edi
		push	ebx
		mov	eax, ds:_RtlpInterceptorRoutines[eax*4]
		call	eax
		jmp	short loc_5D2F61
; 

loc_5D2F5C:				; CODE XREF: RtlpAllocateHeapInternal+DB7B1j
		mov	eax, 0C0000001h

loc_5D2F61:				; CODE XREF: RtlpAllocateHeapInternal+DB7C6j
		test	eax, eax
		jns	loc_4F77C4
		push	edi
		push	0
		push	ebx
		call	RtlFreeHeap
		xor	edi, edi

loc_5D2F74:				; CODE XREF: RtlpAllocateHeapInternal+DB782j
		mov	ecx, [ebp+var_8]

loc_5D2F77:				; CODE XREF: RtlpAllocateHeapInternal+DB6EFj
		mov	eax, [ebp+arg_0]

loc_5D2F7A:				; CODE XREF: RtlpAllocateHeapInternal+DB6D3j
					; RtlpAllocateHeapInternal+DB739j
		test	al, 4
		jz	loc_4F77C4
		test	ecx, ecx
		jz	short loc_5D2F88
		mov	esi, ecx

loc_5D2F88:				; CODE XREF: RtlpAllocateHeapInternal+DB7F0j
		mov	ecx, esi
		call	_RtlpAllocateHeapRaiseException@4 ; RtlpAllocateHeapRaiseException(x)
		jmp	loc_4F77C4
; END OF FUNCTION CHUNK	FOR RtlpAllocateHeapInternal
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVsContextAllocate

loc_5D2F94:				; CODE XREF: RtlpHpVsContextAllocate+40j
		test	bl, 1
		jnz	loc_4F783A
		mov	ecx, [esi+4]
		lea	edx, [ebp+var_10]
		call	RtlpHpReleaseQueuedLockExclusive
		jmp	loc_4F783A
; END OF FUNCTION CHUNK	FOR RtlpHpVsContextAllocate
; 
; START	OF FUNCTION CHUNK FOR RtlpHpConvertFlagsToSegmentFlags

loc_5D2FAD:				; CODE XREF: RtlpHpConvertFlagsToSegmentFlags+2j
		cmp	ecx, 8
		jnz	short loc_5D2FB6
		push	2
		pop	eax
		retn
; 

loc_5D2FB6:				; CODE XREF: RtlpHpConvertFlagsToSegmentFlags+DB762j
		mov	eax, ecx
		and	eax, 1
		test	cl, 8
		jz	short loc_5D2FC3
		or	eax, 2

loc_5D2FC3:				; CODE XREF: RtlpHpConvertFlagsToSegmentFlags+DB770j
		test	cl, 4
		jz	short loc_5D2FCD
		or	eax, 80000000h

loc_5D2FCD:				; CODE XREF: RtlpHpConvertFlagsToSegmentFlags+DB778j
		mov	edx, 100h
		test	ecx, edx
		jz	short loc_5D2FD8
		or	eax, edx

loc_5D2FD8:				; CODE XREF: RtlpHpConvertFlagsToSegmentFlags+DB786j
		mov	edx, ecx
		and	edx, 0E00h
		jz	short loc_5D2FE4
		or	eax, edx

loc_5D2FE4:				; CODE XREF: RtlpHpConvertFlagsToSegmentFlags+DB792j
		test	cl, 10h
		jz	short loc_5D2FEE
		or	eax, 2000000h

loc_5D2FEE:				; CODE XREF: RtlpHpConvertFlagsToSegmentFlags+DB799j
		test	cl, 2
		jz	locret_4F7858
		or	eax, 1000000h
		retn
; END OF FUNCTION CHUNK	FOR RtlpHpConvertFlagsToSegmentFlags
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepEqualUnicodeString

loc_5D2FFD:				; CODE XREF: AuthzBasepEqualUnicodeString+10j
		mov	edx, esi
		mov	ecx, edi
		call	AuthzBasepEqualUnicodeStringCaseSensitive
		jmp	loc_4F78D7
; END OF FUNCTION CHUNK	FOR AuthzBasepEqualUnicodeString

;  S U B	R O U T	I N E 


sub_5D300B	proc near		; DATA XREF: .text:006A34ECo
		xor	eax, eax
		inc	eax
		retn
sub_5D300B	endp


;  S U B	R O U T	I N E 


sub_5D300F	proc near		; DATA XREF: .text:006A34F0o
		mov	esp, [ebp-18h]
		xor	eax, eax
		jmp	loc_4F82A6
sub_5D300F	endp

; 
; START	OF FUNCTION CHUNK FOR ExAcquireAutoExpandPushLockExclusive

loc_5D3019:				; CODE XREF: ExAcquireAutoExpandPushLockExclusive+Fj
		push	esi
		push	esi
		push	edi
		push	edx
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D3027:				; CODE XREF: ExAcquireAutoExpandPushLockExclusive+31j
		push	edi
		and	ecx, 0FFFFFFF8h
		mov	edx, esi
		call	@ExpAcquireFannedOutPushLockExclusive@12 ; ExpAcquireFannedOutPushLockExclusive(x,x,x)
		jmp	loc_4F8311
; END OF FUNCTION CHUNK	FOR ExAcquireAutoExpandPushLockExclusive
; 
; START	OF FUNCTION CHUNK FOR RtlNtStatusToDosErrorNoTeb

loc_5D3037:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+18j
		mov	eax, 3E5h
		jmp	loc_4F84F4
; 

loc_5D3041:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+32j
		mov	eax, ecx
		shr	eax, 18h
		cmp	eax, 0C0h
		jz	short loc_5D3058
		cmp	eax, 80h
		jnz	loc_4F851E

loc_5D3058:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+DAB65j
		movzx	eax, cx
		jmp	loc_4F84F4
; 

loc_5D3060:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+7Cj
		mov	eax, ecx
		and	eax, 0FFFF0000h
		cmp	eax, 0C0010000h
		jnz	short loc_5D3076
		movzx	eax, cx
		jmp	loc_4F8587
; 

loc_5D3076:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+DAB86j
		mov	eax, 13Dh
		jmp	loc_4F8587
; 

loc_5D3080:				; CODE XREF: RtlNtStatusToDosErrorNoTeb+91j
		lea	ecx, [eax+edi*2]
		movzx	eax, ds:word_40CB32[ecx*2]
		movzx	ecx, ds:_RtlpStatusTable[ecx*2]
		shl	eax, 10h
		or	eax, ecx
		jmp	loc_4F8587
; END OF FUNCTION CHUNK	FOR RtlNtStatusToDosErrorNoTeb
; 
; START	OF FUNCTION CHUNK FOR ExReleaseAutoExpandPushLockExclusive

loc_5D309D:				; CODE XREF: ExReleaseAutoExpandPushLockExclusive+12j
		push	0
		push	0
		push	esi
		push	ebx
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D30AD:				; CODE XREF: ExReleaseAutoExpandPushLockExclusive+1Ej
		and	ecx, 0FFFFFFF8h
		call	_ExpReleaseFannedOutPushLockExclusive@4	; ExpReleaseFannedOutPushLockExclusive(x)
		jmp	loc_4F85D8
; END OF FUNCTION CHUNK	FOR ExReleaseAutoExpandPushLockExclusive
; 
; START	OF FUNCTION CHUNK FOR EtwpTraceIo

loc_5D30BA:				; CODE XREF: EtwpTraceIo+4Bj
		mov	[esp+90h+var_74], edi
		jmp	loc_4F8815
; 

loc_5D30C3:				; CODE XREF: EtwpTraceIo+C3j
		or	eax, 0FFFFFFFFh
		jmp	loc_4F8889
; 

loc_5D30CB:				; CODE XREF: EtwpTraceIo+16Ej
		xor	eax, eax
		lea	edi, [esp+90h+var_14]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+90h+var_14]
		push	eax
		push	esi
		call	IoGetActivityIdIrp
		mov	ecx, [esp+90h+var_7C]
		lea	edx, [esp+90h+var_28]
		test	eax, eax
		jnz	short loc_5D30F3
		lea	eax, [esp+90h+var_14]
		push	eax
		jmp	short loc_5D30F5
; 

loc_5D30F3:				; CODE XREF: EtwpTraceIo+DA930j
		push	0

loc_5D30F5:				; CODE XREF: EtwpTraceIo+DA937j
		push	ebx
		call	_EtwpDiskProvTraceDisk@16 ; EtwpDiskProvTraceDisk(x,x,x,x)
		jmp	loc_4F892E
; END OF FUNCTION CHUNK	FOR EtwpTraceIo
; 
; START	OF FUNCTION CHUNK FOR FsRtlNotifySetCancelRoutine

loc_5D3100:				; CODE XREF: FsRtlNotifySetCancelRoutine+A4j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4F8CE5
; 

loc_5D310F:				; CODE XREF: FsRtlNotifySetCancelRoutine+C1j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5D3116:				; CODE XREF: FsRtlNotifySetCancelRoutine+AEj
		xor	ecx, ecx
		mov	[esi], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4F8CE5
; 

loc_5D3126:				; CODE XREF: FsRtlNotifySetCancelRoutine+22j
		push	esi
		push	ebx
		call	FsRtlCancelNotify
		jmp	loc_4F8C95
; 

loc_5D3132:				; CODE XREF: FsRtlNotifySetCancelRoutine+4Bj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4F8C8C
; 

loc_5D3141:				; CODE XREF: FsRtlNotifySetCancelRoutine+68j
		mov	ecx, esi
		call	KxWaitForLockChainValid
		jmp	loc_4F8CFE
; END OF FUNCTION CHUNK	FOR FsRtlNotifySetCancelRoutine
; 
; START	OF FUNCTION CHUNK FOR MiMakeProtoLeafValid

loc_5D314D:				; CODE XREF: MiMakeProtoLeafValid+A9j
		mov	ecx, [edi]
		nop
		mov	edx, [edi+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	loc_4F8E39
		or	ecx, 8
		mov	[edi], ecx
		nop
		mov	[edi+4], edx
		jmp	loc_4F8DB8
; 

loc_5D316F:				; CODE XREF: MiMakeProtoLeafValid+9Fj
		cmp	ebx, 0C0000006h
		jnz	loc_4F8DB8
		mov	eax, ebx
		jmp	loc_4F8E27
; END OF FUNCTION CHUNK	FOR MiMakeProtoLeafValid
; 
; START	OF FUNCTION CHUNK FOR CcWaitForUninitializeCacheMap

loc_5D3182:				; CODE XREF: CcWaitForUninitializeCacheMap+A4j
		mov	edx, eax
		lea	ecx, [ebp+var_4C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4F8FB9
; 

loc_5D3191:				; CODE XREF: CcWaitForUninitializeCacheMap+B1j
		lea	ecx, [ebp+var_4C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_4F8FB9
; 

loc_5D319E:				; CODE XREF: CcWaitForUninitializeCacheMap+215j
		mov	edx, edi
		lea	ecx, [ebp+var_58]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5D31B2
; 

loc_5D31AA:				; CODE XREF: CcWaitForUninitializeCacheMap+222j
		lea	ecx, [ebp+var_58]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5D31B2:				; CODE XREF: CcWaitForUninitializeCacheMap+DA2A6j
		xor	ecx, ecx
		inc	ecx
		jmp	loc_4F912A
; 

loc_5D31BA:				; CODE XREF: CcWaitForUninitializeCacheMap+25Fj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_58]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4F9189
; 

loc_5D31CA:				; CODE XREF: CcWaitForUninitializeCacheMap+281j
		lea	ecx, [ebp+var_58]
		call	KxWaitForLockChainValid
		xor	ecx, ecx
		inc	ecx

loc_5D31D5:				; CODE XREF: CcWaitForUninitializeCacheMap+26Aj
		mov	[ebp+var_58], ebx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_4F8FCD
; 

loc_5D31E3:				; CODE XREF: CcWaitForUninitializeCacheMap+D6j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_4C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4F9000
; 

loc_5D31F3:				; CODE XREF: CcWaitForUninitializeCacheMap+F8j
		lea	ecx, [ebp+var_4C]
		call	KxWaitForLockChainValid
		xor	ecx, ecx
		inc	ecx
		jmp	loc_4F9191
; 

loc_5D3203:				; CODE XREF: CcWaitForUninitializeCacheMap+105j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_64]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4F902F
; 

loc_5D3213:				; CODE XREF: CcWaitForUninitializeCacheMap+127j
		lea	ecx, [ebp+var_64]
		call	KxWaitForLockChainValid

loc_5D321B:				; CODE XREF: CcWaitForUninitializeCacheMap+110j
		mov	[ebp+var_64], ebx
		add	eax, 4
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4F902F
; END OF FUNCTION CHUNK	FOR CcWaitForUninitializeCacheMap

;  S U B	R O U T	I N E 


sub_5D322C	proc near		; DATA XREF: .text:006A3730o
		xor	ebx, ebx
		mov	edi, [ebp-20h]
		jmp	sub_4F91AB
sub_5D322C	endp

; 
; START	OF FUNCTION CHUNK FOR CcWaitForUninitializeCacheMap

loc_5D3236:				; CODE XREF: CcWaitForUninitializeCacheMap+17Dj
		mov	ecx, [ebp+var_24]
		add	ecx, 40h
		lea	edx, [ebp+var_4C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [ebp+var_28]
		mov	eax, [ecx+14h]
		mov	esi, [eax+4]
		test	esi, esi
		jz	short loc_5D32D0
		lea	edx, [esi+0B0h]
		mov	eax, [edx]
		xor	ecx, ecx
		inc	ecx
		test	eax, eax
		jz	short loc_5D327B
		lea	edi, [ebp+var_78]
		or	edi, ecx

loc_5D3265:				; CODE XREF: CcWaitForUninitializeCacheMap+DA370j
		cmp	eax, edi
		jz	short loc_5D3276
		mov	edx, eax
		and	edx, 0FFFFFFFEh
		mov	eax, [edx]
		test	eax, eax
		jnz	short loc_5D3265
		jmp	short loc_5D327B
; 

loc_5D3276:				; CODE XREF: CcWaitForUninitializeCacheMap+DA365j
		mov	eax, [ebp+var_78]
		mov	[edx], eax

loc_5D327B:				; CODE XREF: CcWaitForUninitializeCacheMap+DA35Cj
					; CcWaitForUninitializeCacheMap+DA372j
		and	dword ptr [esi+60h], 0FFFEFFFFh
		test	ds:byte_70EFC6,	cl
		jz	short loc_5D3297
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_4C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5D32C2
; 

loc_5D3297:				; CODE XREF: CcWaitForUninitializeCacheMap+DA386j
		mov	eax, [ebp+var_4C]
		test	eax, eax
		jnz	short loc_5D32B9
		mov	edx, [ebp+var_48]
		lea	eax, [ebp+var_4C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_4C]
		cmp	eax, ecx
		jz	short loc_5D32C2
		call	KxWaitForLockChainValid
		xor	ecx, ecx
		inc	ecx

loc_5D32B9:				; CODE XREF: CcWaitForUninitializeCacheMap+DA39Aj
		mov	[ebp+var_4C], ebx
		add	eax, 4
		lock xor [eax],	ecx

loc_5D32C2:				; CODE XREF: CcWaitForUninitializeCacheMap+DA393j
					; CcWaitForUninitializeCacheMap+DA3ADj
		mov	cl, [ebp+var_44]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4F8F54
; 

loc_5D32D0:				; CODE XREF: CcWaitForUninitializeCacheMap+DA34Dj
		test	ds:byte_70EFC6,	1
		jz	short loc_5D32E6
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_4C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5D3311
; 

loc_5D32E6:				; CODE XREF: CcWaitForUninitializeCacheMap+DA3D5j
		mov	eax, [ebp+var_4C]
		test	eax, eax
		jnz	short loc_5D3305
		mov	edx, [ebp+var_48]
		lea	eax, [ebp+var_4C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_4C]
		cmp	eax, ecx
		jz	short loc_5D3311
		call	KxWaitForLockChainValid

loc_5D3305:				; CODE XREF: CcWaitForUninitializeCacheMap+DA3E9j
		mov	[ebp+var_4C], ebx
		add	eax, 4
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx

loc_5D3311:				; CODE XREF: CcWaitForUninitializeCacheMap+DA3E2j
					; CcWaitForUninitializeCacheMap+DA3FCj
		mov	cl, [ebp+var_44]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_74]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_4F8F54
; END OF FUNCTION CHUNK	FOR CcWaitForUninitializeCacheMap
; 
; START	OF FUNCTION CHUNK FOR ExSetResourceOwnerPointerEx

loc_5D332C:				; CODE XREF: ExSetResourceOwnerPointerEx+Cj
		push	0
		push	0
		push	ecx
		push	0Eh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5D333E:				; CODE XREF: ExpSetResourceOwnerPointerEx+1CBj
					; ExpSetResourceOwnerPointerEx+1D8j
		mov	ecx, [ebp+var_8]
		cmp	[ebx+18h], ecx
		jz	loc_4F9525
		push	5
		push	dword ptr [ebx+8]
		jmp	short loc_5D3359
; END OF FUNCTION CHUNK	FOR ExSetResourceOwnerPointerEx
; 
; START	OF FUNCTION CHUNK FOR ExpSetResourceOwnerPointerEx

loc_5D3351:				; CODE XREF: ExpSetResourceOwnerPointerEx+81j
		mov	ecx, [ebp+var_8]
		push	4
		push	dword ptr [ebx+8]

loc_5D3359:				; CODE XREF: ExSetResourceOwnerPointerEx+DA02Dj
		push	ecx
		push	ebx
		push	0E3h
		jmp	short loc_5D336D
; 

loc_5D3362:				; CODE XREF: ExpSetResourceOwnerPointerEx+1F3j
		push	esi

loc_5D3363:				; CODE XREF: ExpSetResourceOwnerPointerEx+DA067j
					; ExpSetResourceOwnerPointerEx+DA0F3j
		push	ecx
		push	dword ptr [ebx+8]
		push	ebx
		push	132h

loc_5D336D:				; CODE XREF: ExpSetResourceOwnerPointerEx+DA01Cj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D3372:				; CODE XREF: ExpSetResourceOwnerPointerEx+1E6j
		mov	ecx, [ebx+1Ch]
		test	cl, al
		jz	short loc_5D338C
		mov	ecx, [ebx+18h]
		mov	dl, al
		push	edi
		push	edi
		call	PsBoostThreadIoEx
		and	dword ptr [ebx+1Ch], 0FFFFFFFEh
		mov	ecx, [ebx+1Ch]

loc_5D338C:				; CODE XREF: ExpSetResourceOwnerPointerEx+DA033j
		test	cl, 4
		jz	loc_4F954D
		mov	eax, [ebx+18h]
		lock dec dword ptr [eax+330h]
		and	dword ptr [ebx+1Ch], 0FFFFFFFBh
		jmp	loc_4F954D
; 

loc_5D33A8:				; CODE XREF: ExpSetResourceOwnerPointerEx+13Dj
		push	[ebp+var_C]
		jmp	short loc_5D3363
; 

loc_5D33AD:				; CODE XREF: ExpSetResourceOwnerPointerEx+148j
		mov	eax, [ebp+var_4]
		mov	ecx, [eax+4]
		test	cl, dl
		jz	short loc_5D33C2
		mov	ecx, [esi]
		push	edi
		push	edi
		call	PsBoostThreadIoEx
		jmp	short loc_5D33C7
; 

loc_5D33C2:				; CODE XREF: ExpSetResourceOwnerPointerEx+DA071j
		or	ecx, edx
		mov	[eax+4], ecx

loc_5D33C7:				; CODE XREF: ExpSetResourceOwnerPointerEx+DA07Cj
		and	dword ptr [esi+4], 0FFFFFFFEh
		mov	eax, [esi+4]
		jmp	loc_4F9492
; 

loc_5D33D3:				; CODE XREF: ExpSetResourceOwnerPointerEx+153j
		mov	eax, [ecx+4]
		test	al, 4
		jz	short loc_5D33E5
		mov	eax, [esi]
		lock dec dword ptr [eax+330h]
		jmp	short loc_5D33EB
; 

loc_5D33E5:				; CODE XREF: ExpSetResourceOwnerPointerEx+DA094j
		or	eax, 4
		mov	[ecx+4], eax

loc_5D33EB:				; CODE XREF: ExpSetResourceOwnerPointerEx+DA09Fj
		and	dword ptr [esi+4], 0FFFFFFFBh
		jmp	loc_4F949D
; 

loc_5D33F4:				; CODE XREF: ExpSetResourceOwnerPointerEx+15Dj
		mov	ecx, [esi]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		mov	ecx, [ebp+var_4]
		or	dword ptr [ecx+4], 2
		jmp	loc_4F94A7
; 

loc_5D340C:				; CODE XREF: ExpSetResourceOwnerPointerEx+231j
		mov	ecx, [esi]
		push	edi
		push	edi
		call	PsBoostThreadIoEx
		and	dword ptr [esi+4], 0FFFFFFFEh
		mov	eax, [esi+4]
		mov	[ebp+arg_0], eax
		jmp	loc_4F957B
; 

loc_5D3424:				; CODE XREF: ExpSetResourceOwnerPointerEx+23Fj
		mov	eax, [esi]
		lock dec dword ptr [eax+330h]
		and	dword ptr [esi+4], 0FFFFFFFBh
		jmp	loc_4F94A7
; 

loc_5D3436:				; CODE XREF: ExpSetResourceOwnerPointerEx+B0j
		push	eax
		jmp	loc_5D3363
; 

loc_5D343C:				; CODE XREF: ExpSetResourceOwnerPointerEx+19Aj
		mov	ecx, [esi]
		push	edi
		push	edi
		call	PsBoostThreadIoEx
		and	dword ptr [esi+4], 0FFFFFFFEh
		mov	eax, [esi+4]
		jmp	loc_4F94E4
; 

loc_5D3451:				; CODE XREF: ExpSetResourceOwnerPointerEx+1A8j
		mov	eax, [esi]
		lock dec dword ptr [eax+330h]
		and	dword ptr [esi+4], 0FFFFFFFBh
		jmp	loc_4F940B
; 

loc_5D3463:				; CODE XREF: ExpSetResourceOwnerPointerEx+E8j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4F9454
; 

loc_5D3473:				; CODE XREF: ExpSetResourceOwnerPointerEx+11Dj
		mov	edx, ebx
		mov	ecx, esi
		call	@PerfLogExecutiveResourceSetOwnerPointer@8 ; PerfLogExecutiveResourceSetOwnerPointer(x,x)
		jmp	loc_4F9467
; END OF FUNCTION CHUNK	FOR ExpSetResourceOwnerPointerEx
; 
; START	OF FUNCTION CHUNK FOR KeTestAlertThread

loc_5D3481:				; CODE XREF: KeTestAlertThread+24j
					; KeTestAlertThread+D9EF3j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5D3481
		jmp	loc_4F95B9
; END OF FUNCTION CHUNK	FOR KeTestAlertThread
; 
; START	OF FUNCTION CHUNK FOR IoReleaseRemoveLockEx

loc_5D3494:				; CODE XREF: IoReleaseRemoveLockEx+1Cj
		push	esi
		mov	byte ptr [ebp+arg_8+3],	0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+34h]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	eax, [edi+50h]
		mov	esi, [eax]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_14]
		push	eax
		mov	[ebp+var_8], esi
		call	KeQueryTickCount
		mov	eax, esi
		test	eax, eax
		jz	short loc_5D350F
		mov	edi, [ebp+var_C]
		mov	bl, byte ptr [ebp+arg_8+3]

loc_5D34CA:				; CODE XREF: IoReleaseRemoveLockEx+D9E6Cj
		test	bl, bl
		jnz	short loc_5D34FB
		mov	ecx, [ebp+arg_4]
		cmp	[esi+4], ecx
		jnz	short loc_5D34FB
		mov	ecx, [esi]
		inc	bl
		cmp	esi, [edi]
		jnz	short loc_5D34E5
		mov	[edi], ecx
		mov	[ebp+arg_8], edi
		jmp	short loc_5D34EA
; 

loc_5D34E5:				; CODE XREF: IoReleaseRemoveLockEx+D9E44j
		mov	[eax], ecx
		mov	[ebp+arg_8], eax

loc_5D34EA:				; CODE XREF: IoReleaseRemoveLockEx+D9E4Bj
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+arg_8]
		mov	eax, [ebp+var_8]
		jmp	short loc_5D3500
; 

loc_5D34FB:				; CODE XREF: IoReleaseRemoveLockEx+D9E34j
					; IoReleaseRemoveLockEx+D9E3Cj
		mov	eax, esi
		mov	[ebp+var_8], eax

loc_5D3500:				; CODE XREF: IoReleaseRemoveLockEx+D9E61j
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_5D34CA
		mov	edi, [ebp+arg_0]
		mov	byte ptr [ebp+arg_8+3],	bl
		or	ebx, 0FFFFFFFFh

loc_5D350F:				; CODE XREF: IoReleaseRemoveLockEx+D9E2Aj
		test	ds:byte_70EFC6,	1
		jz	short loc_5D3525
		mov	edx, [ebp+4]
		lea	ecx, [edi+34h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5D352D
; 

loc_5D3525:				; CODE XREF: IoReleaseRemoveLockEx+D9E7Ej
		xor	ecx, ecx
		lea	eax, [edi+34h]
		lock and [eax],	ecx

loc_5D352D:				; CODE XREF: IoReleaseRemoveLockEx+D9E8Bj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	byte ptr [ebp+arg_8+3],	0
		jnz	short loc_5D3564
		lea	esi, [edi+38h]
		mov	eax, ebx
		lock xadd [esi], eax
		jns	short loc_5D3564
		test	ds:_MmVerifierData, 800h
		jz	short loc_5D3561
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		call	_VfRemLockReportBadReleaseTag@8	; VfRemLockReportBadReleaseTag(x,x)
		test	eax, eax
		jnz	short loc_5D3564

loc_5D3561:				; CODE XREF: IoReleaseRemoveLockEx+D9EB9j
		lock inc dword ptr [esi]

loc_5D3564:				; CODE XREF: IoReleaseRemoveLockEx+D9EA2j
					; IoReleaseRemoveLockEx+D9EADj	...
		pop	esi
		jmp	loc_4F96BA
; 

loc_5D356A:				; CODE XREF: IoReleaseRemoveLockEx+28j
		push	0
		push	0
		lea	eax, [edi+8]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_4F96C6
; END OF FUNCTION CHUNK	FOR IoReleaseRemoveLockEx
; 
; START	OF FUNCTION CHUNK FOR RtlpCopyXStateChunk

loc_5D357C:				; CODE XREF: RtlpCopyXStateChunk+85j
		mov	eax, ds:0FFDF0708h
		mov	edx, 0FFDF03D8h
		mov	ecx, ds:0FFDF070Ch
		mov	byte ptr [ebp+var_14], 1
		or	eax, [edx]
		or	ecx, [edx+4]
		or	eax, 3
		mov	edx, [ebp+arg_4]
		and	eax, [edx+8]
		and	ecx, [edx+0Ch]
		mov	edx, ds:0FFDF05F8h
		or	ecx, 80000000h
		mov	[ebp+var_20], edx
		mov	edx, ds:0FFDF05FCh
		mov	[ebp+var_24], edx
		mov	edx, [ebp+arg_0]
		jmp	loc_4F979C
; 

loc_5D35C1:				; CODE XREF: RtlpCopyXStateChunk+DEj
		mov	esi, eax
		mov	ecx, edx
		and	esi, [ebp+var_18]
		and	ecx, [ebp+var_1C]
		or	esi, ecx
		jz	short loc_5D35F5
		mov	ecx, eax
		mov	ebx, edi
		and	ecx, [ebp+var_20]
		mov	eax, edx
		and	eax, [ebp+var_24]
		or	ecx, eax
		jz	short loc_5D35E5
		lea	ebx, [edi+3Fh]
		and	ebx, 0FFFFFFC0h

loc_5D35E5:				; CODE XREF: RtlpCopyXStateChunk+D9EDBj
		mov	esi, [ebp+var_10]
		mov	edi, [esi-20FC28h]
		add	edi, ebx
		jmp	loc_4F9805
; 

loc_5D35F5:				; CODE XREF: RtlpCopyXStateChunk+D9ECBj
		mov	esi, [ebp+var_10]
		jmp	loc_4F9808
; END OF FUNCTION CHUNK	FOR RtlpCopyXStateChunk
; 
; START	OF FUNCTION CHUNK FOR KeFlushIoBuffers

loc_5D35FD:				; CODE XREF: KeFlushIoBuffers+2Ej
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ebx, [ebp+arg_8]
		mov	cl, al
		mov	eax, [esi+14h]
		mov	[esp+40h+var_31], cl
		mov	[esp+40h+var_30], eax
		test	bl, bl
		jnz	short loc_5D3620
		cmp	byte ptr [ebp+arg_4], bl
		jz	loc_4F99EE

loc_5D3620:				; CODE XREF: KeFlushIoBuffers+D9C5Bj
		xor	eax, eax
		xor	edx, edx
		inc	eax
		test	byte ptr [esi+6], 5
		mov	[esp+40h+var_2C], eax
		jz	short loc_5D3634
		mov	edi, [esi+0Ch]
		jmp	short loc_5D364B
; 

loc_5D3634:				; CODE XREF: KeFlushIoBuffers+D9C73j
		push	40000020h
		push	edx
		push	edx
		push	eax
		push	edx
		push	esi
		call	MmMapLockedPagesSpecifyCache
		mov	cl, [esp+40h+var_31]
		mov	edi, eax
		xor	edx, edx

loc_5D364B:				; CODE XREF: KeFlushIoBuffers+D9C78j
		test	edi, edi
		jnz	short loc_5D3667
		cmp	cl, 1Fh
		jnz	short loc_5D3667
		push	edx
		push	edx
		push	0BADh
		push	86h
		push	55h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D3667:				; CODE XREF: KeFlushIoBuffers+D9C93j
					; KeFlushIoBuffers+D9C98j
		test	ds:dword_70EFD0, 4000000h
		jz	short loc_5D3684
		push	edx
		mov	edx, 84000000h
		lea	ecx, [esp+58h+var_3C]
		call	EtwGetKernelTraceTimestampSilo
		jmp	short loc_5D3688
; 

loc_5D3684:				; CODE XREF: KeFlushIoBuffers+D9CB7j
		mov	[esp+54h+var_40], dl

loc_5D3688:				; CODE XREF: KeFlushIoBuffers+D9CC8j
		test	edi, edi
		jnz	short loc_5D36C2
		test	bl, bl
		jz	short loc_5D3695
		call	KeInvalidateAllCaches

loc_5D3695:				; CODE XREF: KeFlushIoBuffers+D9CD4j
		mov	ebx, [esp+54h+var_44]

loc_5D3699:				; CODE XREF: KeFlushIoBuffers+D9D1Aj
		cmp	[esp+54h+var_40], 0
		jz	loc_4F99EE
		cmp	byte ptr [ebp+arg_4], 0
		mov	edx, edi
		push	ecx
		push	ecx
		setz	al
		lea	ecx, [esp+5Ch+var_3C]
		movzx	eax, al
		push	eax
		push	ebx
		call	_EtwTraceCpuCacheFlush@24 ; EtwTraceCpuCacheFlush(x,x,x,x,x,x)
		jmp	loc_4F99EE
; 

loc_5D36C2:				; CODE XREF: KeFlushIoBuffers+D9CD0j
		push	ebx
		push	[ebp+arg_4]
		mov	ebx, [esp+5Ch+var_44]
		mov	edx, edi
		push	ebx
		mov	ecx, esi
		call	_KiFlushRangeAllCaches@20 ; KiFlushRangeAllCaches(x,x,x,x,x)
		jmp	short loc_5D3699
; END OF FUNCTION CHUNK	FOR KeFlushIoBuffers
; 
; START	OF FUNCTION CHUNK FOR MiUnlinkStandbyPfn

loc_5D36D6:				; CODE XREF: MiUnlinkStandbyPfn+75j
		xor	edx, edx
		mov	ecx, esi
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)
		xor	eax, eax
		inc	eax
		jmp	loc_4F9B38
; 

loc_5D36E7:				; CODE XREF: MiUnlinkStandbyPfn+E2j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5D3702
		xor	esi, esi
		inc	esi
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	loc_4F9B2C
		jmp	short loc_5D371E
; 

loc_5D3702:				; CODE XREF: MiUnlinkStandbyPfn+D9CAAj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_4F9B2C

loc_5D371E:				; CODE XREF: MiUnlinkStandbyPfn+D9CBCj
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	loc_4F9B2C
		or	edx, 80000000h
		jmp	loc_4F9B2C
; END OF FUNCTION CHUNK	FOR MiUnlinkStandbyPfn
; 
; START	OF FUNCTION CHUNK FOR RtlpHpLfhSubsegmentIncBlockCounts

loc_5D3737:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+28j
		mov	byte ptr [ebp+var_4+3],	0FFh
		jmp	loc_4F9BA4
; 

loc_5D3740:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+88j
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+var_20]
		mov	dword ptr [ebx+14h], 1
		movzx	edx, byte ptr [eax+1Dh]
		lea	ecx, [ecx+0Ch]
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	cx, [edi]
		mov	byte ptr [ebp+var_4+3],	al
		movzx	edx, cx
		jmp	loc_4F9BE9
; 

loc_5D3767:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+7Ej
		lea	eax, [edx+1]
		movzx	ecx, ax
		mov	ax, dx
		lock cmpxchg [edi], cx
		movzx	eax, ax
		cmp	ax, dx
		jz	short loc_5D379F
		mov	edx, eax
		jmp	loc_4F9BE9
; 

loc_5D3784:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+94j
		mov	esi, [ebp+var_10]
		inc	ecx
		sar	esi, 1
		cmp	[ebp+var_C], 0FFFFFFFFh
		mov	[ebp+var_8], ecx
		jnz	loc_4F9C0C
		mov	[ebp+var_C], esi
		jmp	loc_4F9C0C
; 

loc_5D379F:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+D9C0Dj
		mov	ecx, [ebp+var_8]
		jmp	loc_4F9C12
; 

loc_5D37A7:				; CODE XREF: RtlpHpLfhSubsegmentIncBlockCounts+E8j
		mov	eax, [ebx+10h]
		sub	esi, ecx
		mov	cl, byte ptr [ebp+var_4+3]
		inc	esi
		mov	[eax], esi
		xor	eax, eax
		mov	esi, [ebx+18h]
		mov	[esi], cl
		jmp	loc_4F9C5F
; END OF FUNCTION CHUNK	FOR RtlpHpLfhSubsegmentIncBlockCounts
; 
; START	OF FUNCTION CHUNK FOR PfSnActiveTraceGetNext

loc_5D37BE:				; CODE XREF: PfSnActiveTraceGetNext+4Dj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4F9F4E
; END OF FUNCTION CHUNK	FOR PfSnActiveTraceGetNext
; 
; START	OF FUNCTION CHUNK FOR MiNoFaultFound

loc_5D37CB:				; CODE XREF: MiNoFaultFound+3Fj
		xor	edi, edi
		inc	edi
		jmp	loc_4FA0A7
; 

loc_5D37D3:				; CODE XREF: MiNoFaultFound+87j
		test	ds:_MiFlags, 300h
		jnz	loc_4FA0EF
		mov	ecx, [ebp+var_C]
		mov	ecx, [ecx+14h]
		test	ecx, ecx
		jz	short loc_5D37F4
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		mov	esi, eax

loc_5D37F4:				; CODE XREF: MiNoFaultFound+D9789j
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	KeFlushSingleTb
		jmp	loc_4FA0EF
; END OF FUNCTION CHUNK	FOR MiNoFaultFound
; 
; START	OF FUNCTION CHUNK FOR MiLockSetPfnPriority

loc_5D3806:				; CODE XREF: MiLockSetPfnPriority+19j
					; MiLockSetPfnPriority+D96F4j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5D3806
		jmp	loc_4FA132
; END OF FUNCTION CHUNK	FOR MiLockSetPfnPriority
; 
; START	OF FUNCTION CHUNK FOR sub_4FA154

loc_5D3819:				; CODE XREF: sub_4FA154+7j
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_5D3832
		test	byte ptr ds:dword_6FDE00, 6
		jz	loc_4FA161

loc_5D3832:				; CODE XREF: sub_4FA154+D96CFj
		mov	eax, ds:_MmVerifierData
		and	eax, 10h
		or	eax, 40h
		shr	eax, 1
		push	eax
		push	20206F49h
		push	edx
		push	200h
		call	ExAllocatePoolWithTagPriority
		test	eax, eax
		jnz	locret_4FA171
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

loc_5D3863:				; CODE XREF: MiUpdateLargePageBitMap+C7j
		sub	eax, esi
		cmp	eax, edi
		jb	short loc_5D38E5
		lea	edx, [ecx-1]
		mov	eax, esi
		mov	ecx, [ebx+4]
		shr	eax, 5
		mov	[ebp-10h], edx
		lea	edi, [ecx+eax*4]
		mov	eax, edx
		mov	edx, [edi]
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	[ebp+10h], eax
		cmp	edi, eax
		jnz	short loc_5D38A8
		mov	edi, [ebp+8]
		or	eax, 0FFFFFFFFh
		push	20h
		pop	ecx
		sub	ecx, edi
		shr	eax, cl
		mov	ecx, esi
		shl	eax, cl
		and	edx, eax
		cmp	edx, eax
		setz	dl
		jmp	loc_4FA21B
; 

loc_5D38A8:				; CODE XREF: sub_4FA154+D9735j
		or	eax, 0FFFFFFFFh
		mov	ecx, esi
		shl	eax, cl
		and	edx, eax
		cmp	edx, eax
		jnz	short loc_5D38BA
		mov	eax, [ebp+10h]
		jmp	short loc_5D38C6
; 

loc_5D38BA:				; CODE XREF: sub_4FA154+D975Fj
					; sub_4FA154+D9770j ...
		xor	dl, dl
		jmp	loc_5D3969
; 

loc_5D38C1:				; CODE XREF: sub_4FA154+D9777j
		cmp	dword ptr [edi], 0FFFFFFFFh
		jnz	short loc_5D38BA

loc_5D38C6:				; CODE XREF: sub_4FA154+D9764j
		add	edi, 4
		cmp	edi, eax
		jnz	short loc_5D38C1
		mov	ecx, [ebp-10h]
		or	edx, 0FFFFFFFFh
		mov	eax, [edi]
		not	ecx
		shr	edx, cl
		and	eax, edx
		cmp	eax, edx
		setz	dl
		jmp	loc_5D3969
; END OF FUNCTION CHUNK	FOR sub_4FA154
; 
; START	OF FUNCTION CHUNK FOR MiUpdateLargePageBitMap

loc_5D38E5:				; CODE XREF: MiUpdateLargePageBitMap+86j
					; MiUpdateLargePageBitMap+94j ...
		xor	dl, dl
		jmp	loc_4FA21B
; 

loc_5D38EC:				; CODE XREF: MiUpdateLargePageBitMap+8Ej
		sub	eax, esi
		cmp	eax, edi
		jb	short loc_5D38E5
		lea	edx, [ecx-1]
		mov	eax, esi
		mov	ecx, [ebx+4]
		shr	eax, 5
		mov	[ebp+var_10], edx
		lea	edi, [ecx+eax*4]
		mov	eax, edx
		mov	edx, [edi]
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	[ebp+arg_8], eax
		cmp	edi, eax
		jnz	short loc_5D3930
		mov	edi, [ebp+arg_0]
		or	eax, 0FFFFFFFFh
		push	20h
		pop	ecx
		sub	ecx, edi
		shr	eax, cl
		mov	ecx, esi
		shl	eax, cl
		and	edx, eax
		neg	edx
		sbb	dl, dl
		jmp	loc_4FA219
; 

loc_5D3930:				; CODE XREF: MiUpdateLargePageBitMap+D97A0j
		or	eax, 0FFFFFFFFh
		mov	ecx, esi
		shl	eax, cl
		test	edx, eax
		jnz	loc_5D38BA
		mov	eax, [ebp+arg_8]
		jmp	short loc_5D394D
; 

loc_5D3944:				; CODE XREF: MiUpdateLargePageBitMap+D97E0j
		cmp	dword ptr [edi], 0
		jnz	loc_5D38BA

loc_5D394D:				; CODE XREF: MiUpdateLargePageBitMap+D97D0j
		add	edi, 4
		cmp	edi, eax
		jnz	short loc_5D3944
		mov	ecx, [ebp+var_10]
		or	eax, 0FFFFFFFFh
		not	ecx
		shr	eax, cl
		mov	ecx, [edi]
		and	ecx, eax
		neg	ecx
		sbb	cl, cl
		lea	edx, [ecx+1]
; END OF FUNCTION CHUNK	FOR MiUpdateLargePageBitMap
; START	OF FUNCTION CHUNK FOR sub_4FA154

loc_5D3969:				; CODE XREF: sub_4FA154+D9768j
					; sub_4FA154+D978Cj
		mov	edi, [ebp+8]
		jmp	loc_4FA21B
; END OF FUNCTION CHUNK	FOR sub_4FA154
; 
; START	OF FUNCTION CHUNK FOR MiUpdateLargePageBitMap

loc_5D3971:				; CODE XREF: MiUpdateLargePageBitMap+10Cj
		mov	eax, ds:dword_4102F0[eax*4]
		xor	edx, edx
		div	[ebp+var_4]
		mov	edi, eax
		mov	eax, [ebp+var_18]
		dec	eax
		add	eax, edi
		lea	ecx, [edi-1]
		not	ecx
		and	eax, ecx
		and	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_10], eax
		mov	edx, eax
		inc	ecx
		sub	edx, esi
		mov	[ebp+arg_0], edx
		cmp	[ebp+arg_4], ecx
		jnz	loc_5D3ADA
		mov	eax, [ebx]
		cmp	esi, eax
		jnb	loc_5D3A45
		cmp	edi, ecx
		ja	short loc_5D39C3
		jnz	loc_5D3A45
		mov	eax, [ebx+4]
		bt	[eax], esi
		setb	al
		jmp	short loc_5D3A41
; 

loc_5D39C3:				; CODE XREF: MiUpdateLargePageBitMap+D983Ej
		sub	eax, esi
		cmp	eax, edi
		jb	short loc_5D3A45
		mov	ecx, [ebx+4]
		lea	eax, [edi-1]
		add	eax, esi
		mov	[ebp+var_1C], eax
		mov	eax, esi
		shr	eax, 5
		lea	ebx, [ecx+eax*4]
		lea	eax, [edi-1]
		add	eax, esi
		shr	eax, 5
		lea	ecx, [ecx+eax*4]
		mov	eax, [ebx]
		mov	[ebp+arg_8], eax
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_18], ecx
		cmp	ebx, ecx
		jnz	short loc_5D3A0C
		push	20h
		pop	ecx
		sub	ecx, edi
		shr	eax, cl
		mov	ecx, esi
		shl	eax, cl
		mov	ecx, [ebp+arg_8]
		and	ecx, eax
		cmp	ecx, eax
		jz	short loc_5D3A52
		jmp	short loc_5D3A45
; 

loc_5D3A0C:				; CODE XREF: MiUpdateLargePageBitMap+D9882j
		mov	ecx, esi
		shl	eax, cl
		mov	ecx, [ebp+arg_8]
		and	ecx, eax
		cmp	ecx, eax
		jnz	short loc_5D3A45
		mov	eax, [ebp+var_18]
		jmp	short loc_5D3A23
; 

loc_5D3A1E:				; CODE XREF: MiUpdateLargePageBitMap+D98B6j
		cmp	dword ptr [ebx], 0FFFFFFFFh
		jnz	short loc_5D3A45

loc_5D3A23:				; CODE XREF: MiUpdateLargePageBitMap+D98AAj
		add	ebx, 4
		cmp	ebx, eax
		jnz	short loc_5D3A1E
		mov	ecx, [ebp+var_1C]
		or	edx, 0FFFFFFFFh
		mov	eax, [ebx]
		not	ecx
		shr	edx, cl
		and	eax, edx
		cmp	eax, edx
		jz	short loc_5D3A52
		mov	edx, [ebp+arg_0]
		xor	al, al

loc_5D3A41:				; CODE XREF: MiUpdateLargePageBitMap+D984Fj
		test	al, al
		jnz	short loc_5D3A52

loc_5D3A45:				; CODE XREF: MiUpdateLargePageBitMap+D9836j
					; MiUpdateLargePageBitMap+D9840j ...
		sub	edx, edi
		mov	[ebp+arg_0], edx
		jz	loc_4FA220
		add	esi, edi

loc_5D3A52:				; CODE XREF: MiUpdateLargePageBitMap+D9896j
					; MiUpdateLargePageBitMap+D98C8j ...
		mov	eax, [ebp+var_8]
		mov	ebx, [ebp+var_14]
		mov	edx, [ebp+var_10]
		sub	edx, edi
		lea	ecx, [ebx+eax*8]
		mov	ebx, [ebp+var_10]
		mov	eax, [ecx+0B04h]
		cmp	edx, eax
		jnb	loc_5D3B32
		cmp	edi, 1
		ja	short loc_5D3A8D
		jnz	loc_5D3B32
		mov	eax, [ecx+0B08h]
		bt	[eax], edx
		setb	al
		jmp	loc_5D3B2E
; 

loc_5D3A8D:				; CODE XREF: MiUpdateLargePageBitMap+D9902j
		sub	eax, edx
		cmp	eax, edi
		jb	loc_5D3B32
		mov	ecx, [ecx+0B08h]
		lea	eax, [ebx-1]
		mov	[ebp+var_10], eax
		mov	eax, edx
		shr	eax, 5
		lea	ebx, [ecx+eax*4]
		mov	eax, [ebp+var_10]
		shr	eax, 5
		lea	ecx, [ecx+eax*4]
		mov	eax, [ebx]
		mov	[ebp+arg_8], eax
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_1C], ecx
		cmp	ebx, ecx
		jnz	short loc_5D3AFC
		push	20h
		pop	ecx
		sub	ecx, edi
		shr	eax, cl
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [ebp+arg_8]
		and	ecx, eax
		cmp	ecx, eax
		jnz	short loc_5D3B32

loc_5D3AD7:				; CODE XREF: MiUpdateLargePageBitMap+D99B8j
					; MiUpdateLargePageBitMap+D99BEj
		mov	edx, [ebp+arg_0]

loc_5D3ADA:				; CODE XREF: MiUpdateLargePageBitMap+D982Cj
					; MiUpdateLargePageBitMap+D99CBj
		imul	esi, [ebp+var_4]
		imul	edx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_10], esi
		mov	[ebp+arg_0], edx
		mov	edx, [ebp+arg_4]
		mov	edi, [ebp+arg_0]
		mov	[ebp+arg_8], edx
		jmp	loc_4FA1A3
; 

loc_5D3AFC:				; CODE XREF: MiUpdateLargePageBitMap+D994Fj
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [ebp+arg_8]
		and	ecx, eax
		cmp	ecx, eax
		jnz	short loc_5D3B32
		mov	eax, [ebp+var_1C]
		jmp	short loc_5D3B13
; 

loc_5D3B0E:				; CODE XREF: MiUpdateLargePageBitMap+D99A6j
		cmp	dword ptr [ebx], 0FFFFFFFFh
		jnz	short loc_5D3B32

loc_5D3B13:				; CODE XREF: MiUpdateLargePageBitMap+D999Aj
		add	ebx, 4
		cmp	ebx, eax
		jnz	short loc_5D3B0E
		mov	ecx, [ebp+var_10]
		or	edx, 0FFFFFFFFh
		mov	eax, [ebx]
		not	ecx
		shr	edx, cl
		and	eax, edx
		cmp	eax, edx
		jz	short loc_5D3AD7
		xor	al, al

loc_5D3B2E:				; CODE XREF: MiUpdateLargePageBitMap+D9916j
		test	al, al
		jnz	short loc_5D3AD7

loc_5D3B32:				; CODE XREF: MiUpdateLargePageBitMap+D98F9j
					; MiUpdateLargePageBitMap+D9904j ...
		mov	edx, [ebp+arg_0]
		sub	edx, edi
		jz	loc_4FA220
		jmp	short loc_5D3ADA
; 

loc_5D3B3F:				; CODE XREF: MiUpdateLargePageBitMap+118j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4FA2B2
; 

loc_5D3B4F:				; CODE XREF: MiUpdateLargePageBitMap+13Aj
		lea	ecx, [ebp+var_28]
		call	KxWaitForLockChainValid

loc_5D3B57:				; CODE XREF: MiUpdateLargePageBitMap+123j
		mov	[ebp+var_28], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_4FA2B2
; END OF FUNCTION CHUNK	FOR MiUpdateLargePageBitMap
; 
; START	OF FUNCTION CHUNK FOR CmpDoQueryKeyName

loc_5D3B69:				; CODE XREF: CmpDoQueryKeyName+B8j
		mov	edi, ebx
		mov	al, bl
		cmp	esi, 0C0000503h
		jnz	loc_4FA4A5
		xor	esi, esi
		jmp	loc_4FA4A5
; 

loc_5D3B80:				; CODE XREF: CmpDoQueryKeyName+E0j
		xor	ebx, [ebp+var_44]
		mov	[ebp+var_54], ebx
		jmp	loc_4FA3C1
; 

loc_5D3B8B:				; CODE XREF: CmpDoQueryKeyName+11Cj
		lea	edx, [ebp+var_64]
		mov	ecx, ebx
		call	_CmVirtualKCBToRealPath@8 ; CmVirtualKCBToRealPath(x,x)
		test	eax, eax
		js	short loc_5D3BA1
		lea	edi, [ebp+var_64]
		jmp	loc_4FA3F3
; 

loc_5D3BA1:				; CODE XREF: CmpDoQueryKeyName+D98CFj
		mov	edi, [ebp+var_3C]
		jmp	loc_4FA3F6
; 

loc_5D3BA9:				; CODE XREF: CmpDoQueryKeyName+133j
		mov	esi, 0C000009Ah
		jmp	loc_4FA4A5
; 

loc_5D3BB3:				; CODE XREF: CmpDoQueryKeyName+168j
		movzx	eax, word ptr [edi]
		add	eax, 0Ah
		mov	[esi], eax
		mov	esi, 0C0000004h
		jmp	short loc_5D3BF5
; END OF FUNCTION CHUNK	FOR CmpDoQueryKeyName

;  S U B	R O U T	I N E 


sub_5D3BC2	proc near		; DATA XREF: .text:006A384Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-6Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_5D3BC2	endp


;  S U B	R O U T	I N E 


sub_5D3BD0	proc near		; DATA XREF: .text:006A3850o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-6Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	al, [ebp-36h]
		mov	[ebp-35h], al
		mov	ebx, [ebp-54h]
		mov	al, [ebp-3Dh]
		mov	[ebp-44h], eax
		mov	eax, [ebp-70h]
		mov	[ebp-50h], eax
sub_5D3BD0	endp

; START	OF FUNCTION CHUNK FOR CmpDoQueryKeyName

loc_5D3BF2:				; CODE XREF: CmpDoQueryKeyName+106j
		mov	edi, [ebp+var_3C]

loc_5D3BF5:				; CODE XREF: CmpDoQueryKeyName+D98F8j
		mov	al, [ebp+var_35]
		jmp	loc_4FA4A5
; 

loc_5D3BFD:				; CODE XREF: CmpDoQueryKeyName+1DFj
		mov	ecx, ebx
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		jmp	loc_4FA4AD
; 

loc_5D3C09:				; CODE XREF: CmpDoQueryKeyName+1EAj
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		test	bl, bl
		jz	loc_4FA4B8
		lea	ecx, [ebp+var_34]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		jmp	loc_4FA4B8
; 

loc_5D3C23:				; CODE XREF: CmpDoQueryKeyName+21Dj
		lea	eax, [ebp+var_64]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	loc_4FA4FA
; END OF FUNCTION CHUNK	FOR CmpDoQueryKeyName
; 
; START	OF FUNCTION CHUNK FOR RtlpHpLfhBucketUpdateAffinityMapping

loc_5D3C31:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+47j
		jz	short loc_5D3C43
		cmp	al, 1
		jz	short loc_5D3C43
		mov	eax, [esi+18h]
		sub	eax, edx
		movzx	ecx, byte ptr [eax+ecx-1]
		jmp	short loc_5D3C45
; 

loc_5D3C43:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping:loc_5D3C31j
					; RtlpHpLfhBucketUpdateAffinityMapping+D96D7j
		xor	ecx, ecx

loc_5D3C45:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+D96E3j
		mov	[ebp+var_44], ecx
		jmp	loc_4FA5AB
; 

loc_5D3C4D:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+55Ej
		push	0
		push	[ebp+var_38]
		push	esi
		push	ecx
		jmp	short loc_5D3C5F
; 

loc_5D3C56:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+47Fj
		push	0
		push	[ebp+var_38]
		push	[ebp+var_3C]
		push	esi

loc_5D3C5F:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+D96F6j
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D3C69:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+419j
		mov	esi, [ebp+var_14]
		mov	al, 1
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_3C]
		mov	eax, [ebp+var_14]
		jmp	loc_4FA990
; 

loc_5D3C86:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+4CCj
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4FAA30
; 

loc_5D3C95:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+4F7j
		push	[ebp+var_30]
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4FAA5B
; 

loc_5D3CA6:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+202j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_40]
		jmp	loc_4FA776
; 

loc_5D3CBD:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+51Aj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4FAA7E
; 

loc_5D3CCC:				; CODE XREF: RtlpHpLfhBucketUpdateAffinityMapping+544j
		push	[ebp+var_50]
		mov	edx, [ebp+var_3C]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4FA78D
; END OF FUNCTION CHUNK	FOR RtlpHpLfhBucketUpdateAffinityMapping
; 
; START	OF FUNCTION CHUNK FOR RtlpHpLfhContextAllocate

loc_5D3CDE:				; CODE XREF: RtlpHpLfhContextAllocate+12j
		add	edx, 2
		jmp	loc_4FAB70
; 

loc_5D3CE6:				; CODE XREF: RtlpHpLfhContextAllocate+7Cj
		mov	eax, large fs:124h
		movzx	eax, byte ptr [eax+3A1h]
		add	eax, esi
		mov	al, [eax+ecx]
		jmp	loc_4FABDC
; 

loc_5D3CFD:				; CODE XREF: RtlpHpLfhContextAllocate+A7j
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_4FAB96
; END OF FUNCTION CHUNK	FOR RtlpHpLfhContextAllocate
; 
; START	OF FUNCTION CHUNK FOR RtlpLfhBucketUsageUpdate

loc_5D3D0E:				; CODE XREF: RtlpLfhBucketUsageUpdate+53j
		mov	ecx, [edi]
		mov	edx, ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], edx
		test	cl, 1
		jnz	loc_4FAC8A
		jmp	loc_4FACC3
; END OF FUNCTION CHUNK	FOR RtlpLfhBucketUsageUpdate
; 
; START	OF FUNCTION CHUNK FOR RtlpHpLfhBucketActivate

loc_5D3D26:				; CODE XREF: RtlpHpLfhBucketActivate+86j
		lea	ecx, [edx+7Fh]
		mov	[ebp+var_C], ecx
		jmp	loc_4FAD64
; END OF FUNCTION CHUNK	FOR RtlpHpLfhBucketActivate
; 
; START	OF FUNCTION CHUNK FOR RtlpHpHeapExtendContext

loc_5D3D31:				; CODE XREF: RtlpHpHeapExtendContext+63j
		mov	edi, [edx+0B8h]
		jmp	loc_4FAF30
; 

loc_5D3D3C:				; CODE XREF: RtlpHpHeapExtendContext+97j
		test	byte ptr [edi],	1
		jnz	loc_4FB12B
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5D3D59
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5D3D59:				; CODE XREF: RtlpHpHeapExtendContext+D8E62j
		xor	edi, edi
		mov	[ebp+var_24], edi
		test	esi, 7FFFFFFCh
		jz	loc_4FB0FF
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_8], eax
		cmp	esi, edx
		jb	short loc_5D3DAD
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_5D3D98
		cmp	esi, edx
		jb	short loc_5D3DAD
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_5D3DAD

loc_5D3D98:				; CODE XREF: RtlpHpHeapExtendContext+D8E9Bj
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_8]
		jmp	short loc_5D3DB3
; 

loc_5D3DAD:				; CODE XREF: RtlpHpHeapExtendContext+D8E92j
					; RtlpHpHeapExtendContext+D8E9Fj ...
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_2C], ecx

loc_5D3DB3:				; CODE XREF: RtlpHpHeapExtendContext+D8EBDj
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	dl, [eax+1E6h]
		mov	[ebp+var_1], dl
		mov	edx, esi
		push	ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_5D3DF3
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_5D3F1B
		mov	eax, ecx
		jmp	short loc_5D3E71
; 

loc_5D3DF3:				; CODE XREF: RtlpHpHeapExtendContext+D8EEEj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5D3E09
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_5D3E09:				; CODE XREF: RtlpHpHeapExtendContext+D8F11j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_24], edi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [ebp+var_8]
		mov	dword ptr [ecx+10h], 0
		push	30h
		sub	ecx, [eax+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	short loc_5D3E59
		mov	eax, [ebp+var_8]
		movzx	ecx, byte ptr [eax+1E4h]
		bts	ecx, edx
		mov	[eax+1E4h], cl
		jmp	short loc_5D3E71
; 

loc_5D3E59:				; CODE XREF: RtlpHpHeapExtendContext+D8F54j
		mov	esi, [ebp+var_8]
		mov	al, 1
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+var_8]

loc_5D3E71:				; CODE XREF: RtlpHpHeapExtendContext+D8F03j
					; RtlpHpHeapExtendContext+D8F69j
		nop
		dec	byte ptr [eax+1E6h]
		mov	ecx, edi
		and	ecx, 1FFFFh
		mov	[ebp+var_30], ecx
		jz	loc_4FB0E8
		test	edi, 8000h
		jz	short loc_5D3E9D
		xor	edx, edx
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+var_8]

loc_5D3E9D:				; CODE XREF: RtlpHpHeapExtendContext+D8FA1j
		test	byte ptr [ebp+var_24+2], 1
		jz	short loc_5D3EAD
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5D3EAD:				; CODE XREF: RtlpHpHeapExtendContext+D8FB3j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5D3EC6
		and	edi, eax
		mov	edx, edi
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority
		jmp	short loc_5D3EC9
; 

loc_5D3EC6:				; CODE XREF: RtlpHpHeapExtendContext+D8FC6j
		mov	edi, [ebp+var_8]

loc_5D3EC9:				; CODE XREF: RtlpHpHeapExtendContext+D8FD6j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_4FB19F
		push	[ebp+var_30]
		jmp	short loc_5D3EE1
; 

loc_5D3EDE:				; CODE XREF: RtlpHpHeapExtendContext+2ABj
		push	[ebp+var_30]

loc_5D3EE1:				; CODE XREF: RtlpHpHeapExtendContext+D8FEEj
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4FB19F
; 

loc_5D3EEF:				; CODE XREF: RtlpHpHeapExtendContext+1CDj
		mov	esi, [ebp+var_8]
		mov	al, 1
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+var_8]
		jmp	loc_4FB0D4
; 

loc_5D3F0C:				; CODE XREF: RtlpHpHeapExtendContext+284j
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4FB178
; 

loc_5D3F1B:				; CODE XREF: RtlpHpHeapExtendContext+2CEj
					; RtlpHpHeapExtendContext+D8EFBj
		push	0
		push	[ebp+var_2C]
		push	esi
		push	ecx
		jmp	short loc_5D3F2D
; 

loc_5D3F24:				; CODE XREF: RtlpHpHeapExtendContext+D90F6j
		push	0
		push	[ebp+var_1C]
		push	[ebp+var_C]
		push	esi

loc_5D3F2D:				; CODE XREF: RtlpHpHeapExtendContext+D9034j
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D3F37:				; CODE XREF: RtlpHpHeapExtendContext+DEj
		xor	edi, edi
		mov	[ebp+var_20], edi
		test	cl, cl
		jnz	loc_5D40E8
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5D3F58
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5D3F58:				; CODE XREF: RtlpHpHeapExtendContext+D9061j
		xor	edi, edi
		mov	[ebp+var_2C], edi
		test	esi, 7FFFFFFCh
		jz	loc_5D40D4
		mov	eax, [ebp+var_C]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		cmp	eax, edx
		jb	short loc_5D3FAC
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_5D3F9B
		cmp	eax, edx
		jb	short loc_5D3FAC
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_5D3FAC

loc_5D3F9B:				; CODE XREF: RtlpHpHeapExtendContext+D909Ej
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_C]

loc_5D3FAC:				; CODE XREF: RtlpHpHeapExtendContext+D9095j
					; RtlpHpHeapExtendContext+D90A2j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	edx, eax
		mov	[ebp+var_1], cl
		mov	ecx, [ebp+var_1C]
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_5D3FE9
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_5D405B
		jmp	loc_5D3F24
; 

loc_5D3FE9:				; CODE XREF: RtlpHpHeapExtendContext+D90EAj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5D3FFF
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_5D3FFF:				; CODE XREF: RtlpHpHeapExtendContext+D9107j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_2C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	short loc_5D4049
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_5D405B
; 

loc_5D4049:				; CODE XREF: RtlpHpHeapExtendContext+D9147j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]

loc_5D405B:				; CODE XREF: RtlpHpHeapExtendContext+D90F4j
					; RtlpHpHeapExtendContext+D9159j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	short loc_5D40BC
		test	edi, 8000h
		jz	short loc_5D407F
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5D407F:				; CODE XREF: RtlpHpHeapExtendContext+D9186j
		test	byte ptr [ebp+var_2C+2], 1
		jz	short loc_5D408F
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5D408F:				; CODE XREF: RtlpHpHeapExtendContext+D9195j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5D40A3
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5D40A3:				; CODE XREF: RtlpHpHeapExtendContext+D91A8j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5D40BC
		push	[ebp+var_30]
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5D40BC:				; CODE XREF: RtlpHpHeapExtendContext+D917Ej
					; RtlpHpHeapExtendContext+D91BFj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5D40D4
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5D40D4
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5D40D4:				; CODE XREF: RtlpHpHeapExtendContext+D9075j
					; RtlpHpHeapExtendContext+D91D7j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp+var_20]
		jmp	loc_4FAF57
; 

loc_5D40E8:				; CODE XREF: RtlpHpHeapExtendContext+D9050j
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4FAF57
; END OF FUNCTION CHUNK	FOR RtlpHpHeapExtendContext
; 
; START	OF FUNCTION CHUNK FOR RtlpHpAcquireReleaseLockExclusive

loc_5D40FC:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+4Aj
		test	al, 4
		jnz	loc_4FB22C
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_4FB22C
; 

loc_5D4110:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+1AAj
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D4123:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+119j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_4FB30B
; 

loc_5D413A:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+1C4j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4FB3A6
; 

loc_5D4149:				; CODE XREF: RtlpHpAcquireReleaseLockExclusive+1EEj
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4FB31E
; END OF FUNCTION CHUNK	FOR RtlpHpAcquireReleaseLockExclusive
; 
; START	OF FUNCTION CHUNK FOR IopVerifyDeviceObjectOnStack

loc_5D415B:				; CODE XREF: IopVerifyDeviceObjectOnStack+71j
		test	bl, bl
		jz	short loc_5D41B3
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jz	short loc_5D4180
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5D41AB
; 

loc_5D4180:				; CODE XREF: IopVerifyDeviceObjectOnStack+D8D8Cj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5D419C
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5D41AB
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5D419C:				; CODE XREF: IopVerifyDeviceObjectOnStack+D8D9Ej
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5D41AB:				; CODE XREF: IopVerifyDeviceObjectOnStack+D8D98j
					; IopVerifyDeviceObjectOnStack+D8DADj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5D41B3:				; CODE XREF: IopVerifyDeviceObjectOnStack+D8D77j
		xor	al, al
		jmp	loc_4FB449
; 

loc_5D41BA:				; CODE XREF: IopVerifyDeviceObjectOnStack+3Dj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4FB43E
; END OF FUNCTION CHUNK	FOR IopVerifyDeviceObjectOnStack
; 
; START	OF FUNCTION CHUNK FOR SeReportSecurityEventWithSubCategory

loc_5D41C9:				; CODE XREF: SeReportSecurityEventWithSubCategory+E6j
		mov	ebx, edi
		jmp	loc_4FB634
; 

loc_5D41D0:				; CODE XREF: SeReportSecurityEventWithSubCategory+ABj
		mov	al, ds:byte_6BE5F8[eax*2]
		jmp	loc_4FB5E2
; 

loc_5D41DC:				; CODE XREF: SeReportSecurityEventWithSubCategory+BAj
		mov	eax, ecx
		mov	ebx, edi
		test	edi, edi
		jnz	loc_4FB66A
		mov	ebx, ds:_SeLocalSystemSid
		jmp	loc_4FB66A
; 

loc_5D41F3:				; CODE XREF: SeReportSecurityEventWithSubCategory+1B6j
		mov	ecx, [ebp+arg_4]
		or	[esp+2D0h+var_28C], 6
		mov	[esp+2D0h+var_260], eax
		push	3
		movzx	eax, word ptr [ecx]
		mov	[esp+2D4h+var_250], ecx
		add	eax, 8
		pop	ecx
		mov	[esp+2D0h+var_25C], eax
		mov	[esp+2D0h+var_298], ecx
		jmp	loc_4FB6FB
; 

loc_5D421C:				; CODE XREF: SeReportSecurityEventWithSubCategory+37j
					; SeReportSecurityEventWithSubCategory+42j ...
		mov	eax, 0C000000Dh
		jmp	loc_4FB5F7
; END OF FUNCTION CHUNK	FOR SeReportSecurityEventWithSubCategory
; 
; START	OF FUNCTION CHUNK FOR FsRtlUninitializeOplock

loc_5D4226:				; CODE XREF: FsRtlUninitializeOplock+43j
		mov	ecx, [esi]
		cmp	[esi+4], eax
		jnz	loc_5D4374
		cmp	[ecx+4], esi
		jnz	loc_5D4374
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, [esi+8]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_5D4271
		lea	esi, [eax+25h]
		push	esi
		call	_IoAcquireCancelSpinLock@4 ; IoAcquireCancelSpinLock(x)
		xor	ecx, ecx
		mov	eax, [ebp+arg_0]
		add	eax, 38h
		xchg	ecx, [eax]
		movzx	eax, byte ptr [esi]
		push	eax
		call	IoReleaseCancelSpinLock
		mov	eax, [ebp+arg_0]
		mov	[eax+1Ch], edi
		mov	esi, [ebp+var_1C]
		mov	eax, [esi+8]

loc_5D4271:				; CODE XREF: FsRtlUninitializeOplock+D894Bj
		push	eax
		push	dword ptr [esi+10h]
		call	dword ptr [esi+0Ch]
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4FB935
; 

loc_5D4284:				; CODE XREF: FsRtlUninitializeOplock+53j
		mov	esi, [ecx+8]
		mov	[ebp+var_1C], esi
		mov	esi, [ecx]
		cmp	[ecx+4], edx
		jnz	loc_5D4374
		cmp	[esi+4], ecx
		jnz	loc_5D4374
		mov	[edx], esi
		mov	[esi+4], edx
		lea	esi, [ecx-33h]
		push	esi
		call	_IoAcquireCancelSpinLock@4 ; IoAcquireCancelSpinLock(x)
		xor	ecx, ecx
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFE0h
		xchg	ecx, [eax]
		movzx	eax, byte ptr [esi]
		push	eax
		call	IoReleaseCancelSpinLock
		mov	esi, [ebp+var_1C]
		mov	ecx, [esi+18h]
		call	ObfDereferenceObject
		cmp	dword ptr [esi+0Ch], 90240h
		mov	esi, [ebp+arg_0]
		jnz	short loc_5D4303
		add	esi, 0FFFFFFA8h
		mov	edx, [esi+0Ch]
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		inc	eax
		mov	[edx], ax
		push	18h
		pop	ecx
		mov	[edx+2], cx
		mov	eax, [ebx+48h]
		shr	eax, 0Ch
		and	eax, 7
		mov	[edx+4], eax
		mov	[esi+1Ch], ecx
		xor	edi, edi
		jmp	short loc_5D430D
; 

loc_5D4303:				; CODE XREF: FsRtlUninitializeOplock+D89D8j
		add	esi, 0FFFFFFA8h
		mov	dword ptr [esi+1Ch], 8

loc_5D430D:				; CODE XREF: FsRtlUninitializeOplock+D8A05j
		mov	[esi+18h], edi
		xor	eax, eax
		lea	edx, [eax+1]
		mov	ecx, esi
		call	IofCompleteRequest
		jmp	loc_4FB945
; 

loc_5D4321:				; CODE XREF: FsRtlUninitializeOplock+60j
		test	dword ptr [ebx+48h], 10000h
		jz	short loc_5D4379
		cmp	[esi+1Ch], edi
		jz	short loc_5D4379
		mov	ecx, esi
		call	_FsRtlpOplockDequeueRH@4 ; FsRtlpOplockDequeueRH(x)
		lea	eax, [esi+1Ch]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_5D4374
		cmp	[ecx], eax
		jnz	short loc_5D4374
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	eax, [ebx+3Ch]
		cmp	[eax], eax
		jnz	short loc_5D435A
		and	dword ptr [ebx+48h], 0FFFCFFFFh

loc_5D435A:				; CODE XREF: FsRtlUninitializeOplock+D8A55j
		cmp	[esi+14h], edi
		jz	short loc_5D4368
		mov	edx, esi
		mov	ecx, ebx
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)

loc_5D4368:				; CODE XREF: FsRtlUninitializeOplock+D8A61j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_4FB955
; 

loc_5D4374:				; CODE XREF: FsRtlUninitializeOplock+D892Fj
					; FsRtlUninitializeOplock+D8938j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5D4379:				; CODE XREF: FsRtlUninitializeOplock+D8A2Cj
					; FsRtlUninitializeOplock+D8A31j
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	_FsRtlpRemoveAndCompleteRHIrp@28 ; FsRtlpRemoveAndCompleteRHIrp(x,x,x,x,x,x,x)
		jmp	loc_4FB955
; 

loc_5D438C:				; CODE XREF: FsRtlUninitializeOplock+76j
		mov	edi, [eax+60h]
		lea	esi, [eax+25h]
		push	esi
		call	_IoAcquireCancelSpinLock@4 ; IoAcquireCancelSpinLock(x)
		xor	edx, edx
		mov	eax, [ebp+arg_0]
		add	eax, 38h
		xchg	edx, [eax]
		movzx	eax, byte ptr [esi]
		push	eax
		call	IoReleaseCancelSpinLock
		mov	esi, [ebp+arg_0]
		cmp	dword ptr [edi+0Ch], 90240h
		jnz	short loc_5D43DF
		mov	edx, [esi+0Ch]
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		inc	eax
		mov	[edx], ax
		push	18h
		pop	ecx
		mov	[edx+2], cx
		mov	eax, [ebx+48h]
		shr	eax, 0Ch
		and	eax, 7
		mov	[edx+4], eax
		mov	[esi+1Ch], ecx
		jmp	short loc_5D43E6
; 

loc_5D43DF:				; CODE XREF: FsRtlUninitializeOplock+D8AB9j
		mov	dword ptr [esi+1Ch], 8

loc_5D43E6:				; CODE XREF: FsRtlUninitializeOplock+D8AE1j
		xor	edi, edi
		mov	[esi+18h], edi
		xor	eax, eax
		lea	edx, [eax+1]
		mov	ecx, esi
		call	IofCompleteRequest
		mov	[ebx], edi
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jz	short loc_5D4405
		call	ObfDereferenceObject

loc_5D4405:				; CODE XREF: FsRtlUninitializeOplock+D8B02j
		push	edi
		xor	edx, edx
		mov	ecx, ebx
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, ebx
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		jmp	loc_4FB978
; END OF FUNCTION CHUNK	FOR FsRtlUninitializeOplock

;  S U B	R O U T	I N E 


sub_5D441D	proc near		; DATA XREF: .text:006A3930o
		xor	edi, edi
		mov	ebx, [ebp-20h]
		jmp	sub_4FB9CB
sub_5D441D	endp

; 
; START	OF FUNCTION CHUNK FOR MiMakeImageReadOnly

loc_5D4427:				; CODE XREF: MiMakeImageReadOnly+11Cj
		push	0
		push	0
		push	esi
		push	2
		call	MmAccessFault
		jmp	loc_4FBBA5
; 

loc_5D4438:				; CODE XREF: MiMakeImageReadOnly+137j
		and	ecx, 0FFFFFC3Fh
		or	ecx, 20h
		mov	[esi], ecx
		mov	[esi+4], edx
		jmp	loc_4FBB3C
; END OF FUNCTION CHUNK	FOR MiMakeImageReadOnly
; 

loc_5D444B:				; CODE XREF: .text:004FBC67j
		mov	edx, [ebp+4]
		lea	ecx, [ebp-10h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4FBC87
; 

loc_5D445B:				; CODE XREF: .text:004FBCC9j
		mov	edx, [ebp+4]
		lea	ecx, [ebp-10h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4FBCF1
; 

loc_5D446B:				; CODE XREF: .text:004FBCEBj
		lea	ecx, [ebp-10h]
		call	KxWaitForLockChainValid

loc_5D4473:				; CODE XREF: .text:004FBCD4j
		mov	dword ptr [ebp-10h], 0
		add	eax, 4
		lock xor [eax],	esi
		jmp	loc_4FBCF1
; 

loc_5D4485:				; CODE XREF: .text:004FBD13j
		mov	eax, 0C000009Ah
		jmp	loc_4FBC97
; 

loc_5D448F:				; CODE XREF: .text:004FBD51j
		inc	dword ptr [edi+4]
		test	ds:byte_70EFC6,	1
		jz	short loc_5D44A8
		mov	edx, [ebp+4]
		lea	ecx, [ebp-10h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5D44D7
; 

loc_5D44A8:				; CODE XREF: .text:005D4499j
		mov	eax, [ebp-10h]
		test	eax, eax
		jnz	short loc_5D44C7
		mov	edx, [ebp-0Ch]
		lea	eax, [ebp-10h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-10h]
		cmp	eax, ecx
		jz	short loc_5D44D7
		call	KxWaitForLockChainValid

loc_5D44C7:				; CODE XREF: .text:005D44ADj
		xor	ecx, ecx
		mov	dword ptr [ebp-10h], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5D44D7:				; CODE XREF: .text:005D44A6j
					; .text:005D44C0j
		mov	cl, [ebp-8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	6D566343h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp-4]
		mov	[eax], edi
		jmp	loc_4FBC95
; 

loc_5D44F5:				; CODE XREF: .text:004FBD80j
		mov	edx, [ebp+4]
		lea	ecx, [ebp-10h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4FBDA8
; 

loc_5D4505:				; CODE XREF: .text:004FBDA2j
		lea	ecx, [ebp-10h]
		call	KxWaitForLockChainValid

loc_5D450D:				; CODE XREF: .text:004FBD8Bj
		xor	ecx, ecx
		mov	dword ptr [ebp-10h], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_4FBDA8
; 

loc_5D4522:				; CODE XREF: .text:004FBE3Aj
		mov	edx, ecx
		lea	ecx, [esp+10h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_4FBE4E
; 

loc_5D4532:				; CODE XREF: .text:004FBEB7j
		lea	eax, [edx+0Ch]
		lock xadd [eax], ecx
		mov	eax, [ebx+60h]
		jmp	loc_4FBEBD
; 

loc_5D4541:				; CODE XREF: .text:004FBECEj
		mov	edx, [ebp+4]
		lea	ecx, [esp+10h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4FBEF6
; 

loc_5D4552:				; CODE XREF: .text:004FBEFDj
		mov	edx, [ebp+4]
		lea	ecx, [esp+1Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4FBF21
; 

loc_5D4563:				; CODE XREF: .text:004FBE14j
		push	edi
		push	edi
		push	0C0000420h
		push	325h
		jmp	short loc_5D457D
; 

loc_5D4571:				; CODE XREF: .text:004FBDFEj
		push	edi
		push	edi
		push	0C0000420h
		push	316h

loc_5D457D:				; CODE XREF: .text:005D456Fj
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
; START	OF FUNCTION CHUNK FOR ExConvertExclusiveToSharedLite

loc_5D4585:				; CODE XREF: ExConvertExclusiveToSharedLite+14j
		test	al, 40h
		jnz	loc_4FC034
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	esi
		push	0Fh
		jmp	short loc_5D459B
; 

loc_5D4596:				; CODE XREF: ExConvertExclusiveToSharedLite+D85AAj
		push	ecx
		push	ecx
		push	ecx
		push	7

loc_5D459B:				; CODE XREF: ExConvertExclusiveToSharedLite+D857Aj
					; ExConvertExclusiveToSharedLite+D8595j
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D45A5:				; CODE XREF: ExConvertExclusiveToSharedLite+3Ej
		xor	ecx, ecx
		movzx	eax, al
		push	ecx
		push	1
		push	eax
		push	ecx
		jmp	short loc_5D459B
; 

loc_5D45B1:				; CODE XREF: ExConvertExclusiveToSharedLite+44j
		jnb	short loc_5D45C6
		test	dword ptr [edx+58h], 400h
		jnz	short loc_5D45C6
		xor	ecx, ecx
		cmp	[edx+13Ch], ecx
		jz	short loc_5D4596

loc_5D45C6:				; CODE XREF: ExConvertExclusiveToSharedLite:loc_5D45B1j
					; ExConvertExclusiveToSharedLite+D85A0j
		movzx	eax, word ptr [esi+0Eh]
		jmp	loc_4FC039
; END OF FUNCTION CHUNK	FOR ExConvertExclusiveToSharedLite
; 
; START	OF FUNCTION CHUNK FOR ExpConvertExclusiveToSharedLite

loc_5D45CF:				; CODE XREF: ExpConvertExclusiveToSharedLite+47j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4FC0D1
; END OF FUNCTION CHUNK	FOR ExpConvertExclusiveToSharedLite
; 
; START	OF FUNCTION CHUNK FOR sub_4FC146

loc_5D45DF:				; CODE XREF: sub_4FC146+7j
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_5D45F8
		test	byte ptr ds:dword_6FDE00, 6
		jz	loc_4FC153

loc_5D45F8:				; CODE XREF: sub_4FC146+D84A3j
		mov	eax, ds:_MmVerifierData
		and	eax, 10h
		or	eax, 40h
		shr	eax, 1
		push	eax
		push	20206F49h
		push	edx
		push	200h
		call	ExAllocatePoolWithTagPriority
		retn
; END OF FUNCTION CHUNK	FOR sub_4FC146
; 
; START	OF FUNCTION CHUNK FOR MiPaeCheckProcessShadow

loc_5D4617:				; CODE XREF: MiPaeCheckProcessShadow+5Aj
		mov	eax, ecx
		or	eax, [ebp+var_8]
		jz	loc_4FC1E5
		test	byte ptr [ebp+var_14], 8
		jnz	short loc_5D4647
		push	ecx
		push	ecx
		push	edx
		push	3601h
		jmp	short loc_5D4640
; 

loc_5D4632:				; CODE XREF: MiPaeCheckProcessShadow+6Cj
					; MiPaeCheckProcessShadow+7Bj
		test	byte ptr [ebp+var_14], 8
		jnz	short loc_5D4647
		push	ecx
		push	eax
		push	edx
		push	3600h

loc_5D4640:				; CODE XREF: MiPaeCheckProcessShadow+D84CCj
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D4647:				; CODE XREF: MiPaeCheckProcessShadow+D84C2j
					; MiPaeCheckProcessShadow+D84D2j
		mov	eax, ebx
		jmp	loc_4FC1F4
; END OF FUNCTION CHUNK	FOR MiPaeCheckProcessShadow
; 
; START	OF FUNCTION CHUNK FOR KeFlushCurrentTbOnly

loc_5D464E:				; CODE XREF: KeFlushCurrentTbOnly+29j
		lea	eax, [ebp+var_4]
		push	eax
		lea	edx, [ebp+var_8]
		call	_KiPrepareFlushParameters@12 ; KiPrepareFlushParameters(x,x,x)
		lea	ecx, [ebp+var_14]
		call	_KiPrepareFlushCurrentAffinity@4 ; KiPrepareFlushCurrentAffinity(x)
		push	[ebp+var_4]
		mov	edx, ecx
		mov	ecx, [ebp+var_8]
		call	_HvlpSlowFlushAddressSpaceTb@12	; HvlpSlowFlushAddressSpaceTb(x,x,x)
		jmp	loc_4FC27A
; END OF FUNCTION CHUNK	FOR KeFlushCurrentTbOnly
; 
; START	OF FUNCTION CHUNK FOR KiFlushCurrentTbOnly

loc_5D4674:				; CODE XREF: KiFlushCurrentTbOnly+7j
		test	ecx, ecx
		jz	loc_4FC2A1
		cmp	ecx, 2
		jg	loc_4FC2A1
		jmp	loc_4FC290
; END OF FUNCTION CHUNK	FOR KiFlushCurrentTbOnly
; 
; START	OF FUNCTION CHUNK FOR KiHypercallForLocalFlush

loc_5D468A:				; CODE XREF: KiHypercallForLocalFlush+Aj
		test	al, 2
		jnz	short loc_5D46A5
		test	cl, cl
		jz	loc_4FC2B6
		mov	ecx, edx
		call	_KiIsFlushEntire@4 ; KiIsFlushEntire(x)
		test	al, al
		jz	loc_4FC2B6

loc_5D46A5:				; CODE XREF: KiHypercallForLocalFlush+D83E6j
		mov	al, 1
		retn
; END OF FUNCTION CHUNK	FOR KiHypercallForLocalFlush
; 
; START	OF FUNCTION CHUNK FOR CcIsThereDirtyLoggedPages

loc_5D46A8:				; CODE XREF: CcIsThereDirtyLoggedPages+92j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4FC540
; 

loc_5D46B8:				; CODE XREF: CcIsThereDirtyLoggedPages+BEj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4FC568
; END OF FUNCTION CHUNK	FOR CcIsThereDirtyLoggedPages
; 
; START	OF FUNCTION CHUNK FOR NtWorkerFactoryWorkerReady

loc_5D46C8:				; CODE XREF: NtWorkerFactoryWorkerReady+61j
		mov	edi, 0C0000001h
		jmp	loc_4FC660
; 

loc_5D46D2:				; CODE XREF: NtWorkerFactoryWorkerReady+83j
		mov	edx, [ebp+4]
		lea	ecx, [esp+20h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4FC68B
; END OF FUNCTION CHUNK	FOR NtWorkerFactoryWorkerReady
; 
; START	OF FUNCTION CHUNK FOR KiWaitForAllObjects

loc_5D46E3:				; CODE XREF: KiWaitForAllObjects+2DAj
		xor	eax, eax
		xor	edx, edx
		inc	eax
		mov	ecx, edi
		call	__allshl
		or	[esp+168h+var_148], eax
		or	[esp+168h+var_158], edx
		mov	ecx, [esp+168h+var_150]
		jmp	loc_4FC820
; 

loc_5D4700:				; CODE XREF: KiWaitForAllObjects+2F6j
		cmp	[edx+2], al
		jnz	loc_4FC9D2
		cmp	dword ptr [edx+4], 80000000h
		jnz	loc_4FC9D2
		mov	edx, ecx
		lea	ecx, [esp+168h+var_110]
		call	@KiUnlockKobjectArray@8	; KiUnlockKobjectArray(x,x)
		push	[esp+168h+var_130]
		mov	edx, ebx
		mov	ecx, edi
		call	_KiFastExitThreadWait@12 ; KiFastExitThreadWait(x,x,x)
		push	0C0000191h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5D4738:				; CODE XREF: KiWaitForAllObjects+310j
		cmp	[edx+2], al
		jnz	loc_4FC851
		jmp	loc_4FC84C
; 

loc_5D4746:				; CODE XREF: KiWaitForAllObjects+1F4j
		mov	ebx, [esp+168h+var_144]
		lea	eax, [esp+168h+var_C]
		mov	[esp+168h+var_14C], eax

loc_5D4755:				; CODE XREF: KiWaitForAllObjects+D80DAj
		bsf	ecx, ecx
		mov	[esp+168h+var_134], ecx
		jnz	loc_4FCA09
		bsf	ecx, edx
		mov	[esp+168h+var_134], ecx
		jz	loc_4FCA09
		add	ecx, 20h
		mov	[esp+168h+var_134], ecx
		jmp	loc_4FCA09
; 

loc_5D477B:				; CODE XREF: KiWaitForAllObjects+36Bj
		or	esi, [esp+168h+var_114]
		mov	ecx, edi
		mov	eax, [esp+168h+var_124]
		or	[esp+168h+var_154], eax
		mov	[esp+168h+var_138], esi
		call	_KeAbPreWait@4	; KeAbPreWait(x)
		mov	ecx, edi
		call	_KeAbEncodeLockHandle@4	; KeAbEncodeLockHandle(x)
		mov	edx, [esp+168h+var_14C]
		mov	ecx, [esp+168h+var_148]
		mov	[edx], al
		inc	edx
		mov	[esp+168h+var_14C], edx
		mov	eax, ecx
		mov	edx, [esp+168h+var_158]
		or	eax, edx
		jnz	short loc_5D4755
		jmp	loc_4FCA47
; 

loc_5D47B7:				; CODE XREF: KiWaitForAllObjects+220j
					; KiWaitForAllObjects+22Cj
		mov	[esp+168h+var_159], 1
		jmp	loc_4FC90D
; 

loc_5D47C1:				; CODE XREF: KiWaitForAllObjects+247j
		mov	ebx, [esp+168h+var_154]
		lea	eax, [esp+168h+var_C]
		mov	edi, [esp+168h+var_144]
		mov	[esp+168h+var_158], eax

loc_5D47D4:				; CODE XREF: KiWaitForAllObjects+D818Fj
		bsf	ecx, esi
		mov	[esp+168h+var_13C], ecx
		jnz	short loc_5D47ED
		bsf	ecx, ebx
		mov	[esp+168h+var_13C], ecx
		jz	short loc_5D47ED
		add	ecx, 20h
		mov	[esp+168h+var_13C], ecx

loc_5D47ED:				; CODE XREF: KiWaitForAllObjects+D8105j
					; KiWaitForAllObjects+D810Ej
		xor	eax, eax
		xor	edx, edx
		inc	eax
		call	__allshl
		mov	ecx, large fs:124h
		not	eax
		and	esi, eax
		not	edx
		mov	eax, [esp+168h+var_158]
		and	ebx, edx
		mov	[esp+168h+var_138], esi
		push	0
		movzx	eax, byte ptr [eax]
		shr	eax, 1
		imul	esi, eax, 30h
		add	esi, [ecx+1E8h]
		cmp	[esp+16Ch+var_159], 0
		mov	[esp+16Ch+var_14C], esi
		jz	short loc_5D483D
		mov	ecx, [esp+16Ch+var_13C]
		mov	edx, esi
		mov	ecx, [edi+ecx*4]
		call	KeAbPreAcquire
		or	byte ptr [esi+0Eh], 1
		jmp	short loc_5D4859
; 

loc_5D483D:				; CODE XREF: KiWaitForAllObjects+D8151j
		mov	esi, [esp+16Ch+var_13C]
		mov	edx, [esp+16Ch+var_14C]
		mov	ecx, [edi+esi*4]
		call	KeAbPreAcquire
		mov	edx, [esp+168h+var_14C]
		mov	ecx, [edi+esi*4]
		call	KeAbPostReleaseEx

loc_5D4859:				; CODE XREF: KiWaitForAllObjects+D8165j
		mov	esi, [esp+168h+var_138]
		mov	eax, esi
		inc	[esp+168h+var_158]
		or	eax, ebx
		jnz	loc_5D47D4
		mov	ebx, [esp+168h+var_140]
		mov	edi, [esp+168h+var_124]
		jmp	loc_4FC923
; 

loc_5D4878:				; CODE XREF: KiWaitForAllObjects+19Cj
		lea	ecx, [esp+168h+var_110]
		call	@KiUnlockKobjectArray@8	; KiUnlockKobjectArray(x,x)
		push	[esp+168h+var_130]
		mov	ecx, [esp+16Ch+var_154]
		mov	edx, ebx
		call	_KiFastExitThreadWait@12 ; KiFastExitThreadWait(x,x,x)
		mov	edi, 102h
		jmp	loc_4FC98D
; END OF FUNCTION CHUNK	FOR KiWaitForAllObjects
; 
; START	OF FUNCTION CHUNK FOR KiWaitSatisfyAny

loc_5D489A:				; CODE XREF: KiWaitSatisfyAny+38j
					; KiWaitSatisfyAny+D7E50j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5D489A
		jmp	loc_4FCA89
; 

loc_5D48AD:				; CODE XREF: KiWaitSatisfyAny+56j
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		test	eax, eax
		jz	loc_4FCA75
		or	byte ptr [eax+0Eh], 1
		jmp	loc_4FCA75
; END OF FUNCTION CHUNK	FOR KiWaitSatisfyAny

;  S U B	R O U T	I N E 


sub_5D48C9	proc near		; DATA XREF: .text:006A39F4o
		mov	eax, [ebp-14h]
		mov	[ebp-1Ch], eax
		mov	eax, [ebp-1Ch]
		push	dword ptr [eax+4]
		mov	eax, [ebp-1Ch]
		push	dword ptr [eax]
		mov	eax, [ebp-1Ch]
		mov	eax, [eax]
		push	dword ptr [eax+0Ch]
		mov	eax, [ebp-1Ch]
		mov	eax, [eax]
		push	dword ptr [eax]
		push	7Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D48F0:				; DATA XREF: .text:006A39F8o
		mov	esp, [ebp-18h]
		push	1Eh
		call	_KeBugCheck@4	; KeBugCheck(x)
		int	3		; Trap to Debugger
sub_5D48C9	endp

; START	OF FUNCTION CHUNK FOR KeSetIdealProcessorThreadEx

loc_5D48FB:				; CODE XREF: KeSetIdealProcessorThreadEx+3Dj
					; KeSetIdealProcessorThreadEx+D7A3Bj
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5D48FB
		jmp	loc_4FCF04
; 

loc_5D490E:				; CODE XREF: KeSetIdealProcessorThreadEx+5Dj
		test	byte ptr [esi+58h], 8
		jz	loc_4FCF2F
		mov	[ebp+var_18], ecx
		lea	edx, [esi+154h]
		mov	ecx, [ebp+var_8]
		call	_KiPrcbInGroupAffinity@8 ; KiPrcbInGroupAffinity(x,x)
		test	eax, eax
		jz	short loc_5D4938
		xor	eax, eax
		mov	[esi+88h], edi
		mov	[ebp+var_C], eax

loc_5D4938:				; CODE XREF: KeSetIdealProcessorThreadEx+D7A5Fj
		mov	edi, [ebp+var_C]
		jmp	loc_4FCF92
; 

loc_5D4940:				; CODE XREF: KeSetIdealProcessorThreadEx+76j
		mov	edi, 0C0000001h
		jmp	loc_4FCF92
; 

loc_5D494A:				; CODE XREF: KeSetIdealProcessorThreadEx+E0j
		push	ebx
		push	[ebp+var_20]
		mov	edx, 546h
		mov	ecx, esi
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)
		test	ds:dword_70EFD0, 8000000h
		mov	eax, [ebp+var_C]
		jz	loc_4FCFB2
		push	eax
		push	[ebp+var_24]
		mov	edx, 547h
		mov	ecx, esi
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)
		jmp	loc_4FCFB2
; END OF FUNCTION CHUNK	FOR KeSetIdealProcessorThreadEx
; 
; START	OF FUNCTION CHUNK FOR KeSignalGate

loc_5D4982:				; CODE XREF: KeSignalGate+68j
		cmp	al, 2
		jnz	loc_5D4A58
		mov	byte ptr [esi+9], 5
		mov	ebx, [esi+0Ch]
		and	dword ptr [esi], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_C], eax
		mov	eax, [eax+4]
		mov	[ebp+var_8], eax
		jz	short loc_5D49CA
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_5D49CA:				; CODE XREF: KeSignalGate+D79DBj
		mov	ecx, ebx
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	ecx, [ebx+8]
		cmp	[ecx], ecx
		jz	short loc_5D4A08
		mov	eax, [ebx+18h]
		cmp	eax, [ebx+1Ch]
		jnb	short loc_5D4A08
		mov	edx, [ebp+var_8]
		mov	eax, [edx+0A4h]
		cmp	eax, ebx
		jnz	short loc_5D49F6
		cmp	byte ptr [edx+18Bh], 0Fh
		jz	short loc_5D4A08

loc_5D49F6:				; CODE XREF: KeSignalGate+D7A13j
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		push	esi
		call	KiWakeQueueWaiter
		test	al, al
		jnz	short loc_5D4A3E
		lea	ecx, [ebx+8]

loc_5D4A08:				; CODE XREF: KeSignalGate+D79FEj
					; KeSignalGate+D7A06j ...
		mov	eax, [ebx+4]
		mov	[ebp+var_8], eax
		inc	eax
		mov	[ebx+4], eax
		lea	eax, [ebx+10h]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_4FD02D
		cmp	[ebp+var_8], 0
		mov	[esi], eax
		mov	[esi+4], edx
		mov	[edx], esi
		mov	[eax+4], esi
		jnz	short loc_5D4A3E
		cmp	[ecx], ecx
		jz	short loc_5D4A3E
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)

loc_5D4A3E:				; CODE XREF: KeSignalGate+D7A2Bj
					; KeSignalGate+D7A56j ...
		mov	ecx, 0FFFFFF7Fh
		lock and [ebx],	ecx
		sub	dword ptr [edi+4], 1
		jz	loc_4FD066
		mov	ebx, [ebp+var_10]
		jmp	loc_4FD080
; 

loc_5D4A58:				; CODE XREF: KeSignalGate+D79ACj
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	0
		push	100h
		call	KiTryUnwaitThread
		mov	ecx, 0FFFFFF7Fh
		jmp	loc_4FD080
; END OF FUNCTION CHUNK	FOR KeSignalGate

;  S U B	R O U T	I N E 


sub_5D4A73	proc near		; DATA XREF: .text:006A3A14o
		push	1
		mov	edx, [ebp-14h]
		mov	ecx, [ebp+8]
		call	?SmStUnhandledExceptionFilter@?$SMKM_STORE@USM_TRAITS@@@@SGJPAXPAU_EXCEPTION_POINTERS@@W4_SMST_STORE_EXCEPTION_SOURCE@1@@Z ; SMKM_STORE<SM_TRAITS>::SmStUnhandledExceptionFilter(void *,_EXCEPTION_POINTERS *,SMKM_STORE<SM_TRAITS>::_SMST_STORE_EXCEPTION_SOURCE)
		retn
sub_5D4A73	endp


;  S U B	R O U T	I N E 


sub_5D4A81	proc near		; DATA XREF: .text:006A3A18o
		mov	esp, [ebp-18h]
		jmp	loc_4FD0A7
sub_5D4A81	endp

; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStReadThread

loc_5D4A89:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStReadThread+D6j
		mov	edx, [ebp+4]
		lea	ecx, [ebx+2Ch]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4FD1A4
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStReadThread
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StAcquireReadContext

loc_5D4A99:				; CODE XREF: ST_STORE_SM_TRAITS___StAcquireReadContext+56j
		xor	ebx, ebx
		jmp	loc_4FD260
; 

loc_5D4AA0:				; CODE XREF: ST_STORE_SM_TRAITS___StAcquireReadContext+73j
		mov	[ebx+4], eax
		add	eax, [esi+994h]
		jmp	loc_4FD2BB
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StAcquireReadContext
; 
; START	OF FUNCTION CHUNK FOR MiReplenishLocalCommit

loc_5D4AAE:				; CODE XREF: MiReplenishLocalCommit+36j
		cmp	edx, eax
		jnb	loc_4FD352

loc_5D4AB6:				; CODE XREF: MiReplenishLocalCommit+87j
		xor	edx, edx
		mov	ecx, edi
		call	MiSyncCommitSignals
		mov	ecx, [ebp+arg_0]
		jmp	loc_4FD35C
; 

loc_5D4AC7:				; CODE XREF: MiReplenishLocalCommit+61j
		mov	ecx, ebx
		lea	eax, [edi+10BCh]
		neg	ecx
		lock xadd [eax], ecx
		mov	edx, [edi+0D94h]
		mov	eax, ecx
		sub	eax, ebx
		cmp	ecx, edx
		jb	short loc_5D4AE7
		cmp	eax, edx
		jb	short loc_5D4AFD

loc_5D4AE7:				; CODE XREF: MiReplenishLocalCommit+D77CBj
		mov	edx, [edi+0D90h]
		cmp	eax, edx
		jnb	loc_4FD38A
		cmp	ecx, edx
		jb	loc_4FD38A

loc_5D4AFD:				; CODE XREF: MiReplenishLocalCommit+D77CFj
		xor	edx, edx
		mov	ecx, edi
		call	MiSyncCommitSignals
		jmp	loc_4FD38A
; END OF FUNCTION CHUNK	FOR MiReplenishLocalCommit
; 
; START	OF FUNCTION CHUNK FOR SiValidateSystemPartition

loc_5D4B0B:				; CODE XREF: SiValidateSystemPartition+51j
		cmp	eax, [edi]
		jz	loc_4FD4DB
		mov	esi, 0C0000001h
		jmp	loc_4FD502
; 

loc_5D4B1D:				; CODE XREF: SiValidateSystemPartition+5Fj
		push	10h		; size_t
		lea	eax, [ebp-0ACh]
		push	offset _PARTITION_SYSTEM_GUID ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_4FD502
		jmp	loc_4FD4F5
; 

loc_5D4B40:				; CODE XREF: SiValidateSystemPartition+78j
		push	0Ah
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_C], edx
		lea	edi, [ebp+var_3C]
		mov	[ebp+var_14], edx
		rep stosd
		push	28h
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_10], edx
		push	eax
		push	ecx
		lea	eax, [ebp+var_14]
		mov	ecx, ebx
		push	eax
		call	_SiIssueSynchronousIoctl@24 ; SiIssueSynchronousIoctl(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_4FD502
		cmp	[ebp+var_32], 0
		jz	loc_4FD502
		mov	esi, 0C0000184h
		jmp	loc_4FD502
; END OF FUNCTION CHUNK	FOR SiValidateSystemPartition
; 
; START	OF FUNCTION CHUNK FOR MiDeleteNonPagedPoolTail

loc_5D4B83:				; CODE XREF: MiDeleteNonPagedPoolTail+51j
					; MiDeleteNonPagedPoolTail+D7555j
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_5D4B83
		jmp	loc_4FD686
; END OF FUNCTION CHUNK	FOR MiDeleteNonPagedPoolTail
; 
; START	OF FUNCTION CHUNK FOR MiReduceShareCount

loc_5D4B96:				; CODE XREF: MiReduceShareCount+Cj
		mov	eax, [ecx+10h]
		and	eax, 3FFFFFFFh
		push	eax
		movzx	eax, bl
		and	eax, 7
		sub	ecx, ds:_MmPfnDatabase
		push	eax
		mov	eax, ecx
		cdq
		push	1Ch
		pop	ecx
		idiv	ecx
		push	eax
		push	99h
		push	4Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5D4BC2:				; CODE XREF: SeIsSModeAdminlessEnabled+Aj
		call	_SepIsSModeEnabled@0 ; SepIsSModeEnabled()
		cmp	al, 1
		jnz	loc_4FD880
		pop	ecx
		retn
; END OF FUNCTION CHUNK	FOR MiReduceShareCount
; 
; START	OF FUNCTION CHUNK FOR RtlCompareAltitudes

loc_5D4BD1:				; CODE XREF: RtlCompareAltitudes+9Cj
		inc	eax
		add	ebx, 2
		add	ecx, 0FFFFh
		add	edi, 0FFFFh
		cmp	ax, dx
		jb	loc_4FD93B
		jmp	loc_4FD944
; 

loc_5D4BEF:				; CODE XREF: RtlCompareAltitudes+16Aj
		mov	esi, [ebp+var_4]
		mov	edx, [ebp+var_8]
		push	30h
		pop	ebx

loc_5D4BF8:				; CODE XREF: RtlCompareAltitudes+D7369j
		movzx	eax, si
		cmp	[edx+eax*2], bx
		jnz	short loc_5D4C0D
		add	esi, 0FFFFh
		dec	edi
		cmp	si, cx
		ja	short loc_5D4BF8

loc_5D4C0D:				; CODE XREF: RtlCompareAltitudes+D735Dj
		mov	edx, [ebp+var_18]
		xor	esi, esi
		mov	ebx, [ebp+var_10]
		mov	[ebp+var_14], edi
		jmp	loc_4FDA12
; 

loc_5D4C1D:				; CODE XREF: RtlCompareAltitudes+182j
		mov	esi, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	30h
		pop	edi

loc_5D4C26:				; CODE XREF: RtlCompareAltitudes+D7397j
		movzx	eax, si
		cmp	[ecx+eax*2], di
		jnz	short loc_5D4C3B
		add	esi, 0FFFFh
		dec	edx
		cmp	si, bx
		ja	short loc_5D4C26

loc_5D4C3B:				; CODE XREF: RtlCompareAltitudes+D738Bj
		mov	ecx, [ebp+var_C]
		xor	esi, esi
		mov	edi, [ebp+var_14]
		jmp	loc_4FDA2A
; 

loc_5D4C48:				; CODE XREF: RtlCompareAltitudes+1AEj
		mov	ebx, [ebp+arg_4]
		mov	ecx, esi
		movsx	eax, dx
		mov	[ebp+var_14], eax

loc_5D4C53:				; CODE XREF: RtlCompareAltitudes+D73D3j
		cmp	ecx, eax
		jge	loc_4FDA56
		mov	ax, [ebx+ecx*2]
		mov	ebx, [ebp+arg_0]
		cmp	ax, [ebx+ecx*2]
		mov	ebx, [ebp+arg_4]
		jnz	short loc_5D4C7C
		mov	eax, [ebp+var_14]
		inc	esi
		movzx	ecx, si
		cmp	ecx, [ebp+var_18]
		jl	short loc_5D4C53
		jmp	loc_4FDA56
; 

loc_5D4C7C:				; CODE XREF: RtlCompareAltitudes+D73C7j
		mov	edx, [ebp+arg_0]
		movzx	ecx, si
		mov	ax, [ebx+ecx*2]
		cmp	[edx+ecx*2], ax
		jmp	loc_4FD98A
; 

loc_5D4C8F:				; CODE XREF: RtlCompareAltitudes+1BFj
		setnle	al
		lea	eax, ds:0FFFFFFFFh[eax*2]
		jmp	loc_4FD990
; END OF FUNCTION CHUNK	FOR RtlCompareAltitudes
; 
; START	OF FUNCTION CHUNK FOR ExpAcquireSpinLockDisabled

loc_5D4C9E:				; CODE XREF: ExpAcquireSpinLockDisabled+1Aj
		test	bl, bl
		jz	short loc_5D4CA3
		sti

loc_5D4CA3:				; CODE XREF: ExpAcquireSpinLockDisabled+D7132j
					; ExpAcquireSpinLockDisabled+D7141j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5D4CA3
		cli
		jmp	loc_4FDB83
; END OF FUNCTION CHUNK	FOR ExpAcquireSpinLockDisabled
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepEvaluateAttribute

loc_5D4CB7:				; CODE XREF: AuthzBasepEvaluateAttribute+21j
		cmp	eax, 2
		jbe	loc_4FDBBB
		cmp	eax, 3
		jz	short loc_5D4CDE
		cmp	eax, 5
		jz	short loc_5D4CD3
		cmp	esi, 10h
		jnz	loc_4FDBCC

loc_5D4CD3:				; CODE XREF: AuthzBasepEvaluateAttribute+D7134j
		mov	eax, [ecx+1Ch]
		cmp	[eax+4], edx
		jmp	loc_4FDBC7
; 

loc_5D4CDE:				; CODE XREF: AuthzBasepEvaluateAttribute+D712Fj
		mov	eax, [ecx+1Ch]
		xor	ecx, ecx
		cmp	[eax], dx
		setnz	cl
		mov	edx, ecx
		jmp	loc_4FDBCC
; END OF FUNCTION CHUNK	FOR AuthzBasepEvaluateAttribute
; 
; START	OF FUNCTION CHUNK FOR MiReferenceExistingControlArea

loc_5D4CF0:				; CODE XREF: MiReferenceExistingControlArea+32j
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4FDC39
; END OF FUNCTION CHUNK	FOR MiReferenceExistingControlArea
; 
; START	OF FUNCTION CHUNK FOR FsRtlInsertPerStreamContext

loc_5D4D04:				; CODE XREF: FsRtlInsertPerStreamContext+1Bj
		mov	ecx, [esi+28h]
		call	ExAcquireFastMutex
		jmp	loc_4FDCF7
; 

loc_5D4D11:				; CODE XREF: FsRtlInsertPerStreamContext+57j
		mov	ecx, [esi+28h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_4FDD31
; END OF FUNCTION CHUNK	FOR FsRtlInsertPerStreamContext
; 
; START	OF FUNCTION CHUNK FOR CcMapDataForOverwrite

loc_5D4D1E:				; CODE XREF: CcMapDataForOverwrite+152j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_48]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_4FDEC0
; 

loc_5D4D2E:				; CODE XREF: CcMapDataForOverwrite+174j
		lea	ecx, [ebp+var_48]
		call	KxWaitForLockChainValid

loc_5D4D36:				; CODE XREF: CcMapDataForOverwrite+15Dj
		mov	[ebp+var_48], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_4FDEC0
; 

loc_5D4D48:				; CODE XREF: CcMapDataForOverwrite+D1j
		push	0
		push	4
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+arg_0]
		call	_MmCheckCachedPageStates@16 ; MmCheckCachedPageStates(x,x,x,x)
		jmp	loc_4FDE1D
; END OF FUNCTION CHUNK	FOR CcMapDataForOverwrite

;  S U B	R O U T	I N E 


sub_5D4D5C	proc near		; DATA XREF: .text:006A3AE8o
		mov	ebx, [ebp-34h]
		mov	esi, [ebp-38h]
		jmp	sub_4FDECE
sub_5D4D5C	endp

; 
; START	OF FUNCTION CHUNK FOR sub_4FDECE

loc_5D4D67:				; CODE XREF: sub_4FDECE+17j
		mov	ecx, [ebp-20h]
		test	ecx, ecx
		jz	locret_4FDEEB
		push	0
		xor	dl, dl
		call	CcUnpinFileDataEx
		retn
; END OF FUNCTION CHUNK	FOR sub_4FDECE
; 
; START	OF FUNCTION CHUNK FOR SepConstrainByMandatory

loc_5D4D7C:				; CODE XREF: SepConstrainByMandatory+59j
		mov	dword ptr [eax], 0C0000022h
		test	esi, esi
		jz	loc_4FDF14
		mov	byte ptr [esi],	0
		jmp	loc_4FDF14
; 

loc_5D4D92:				; CODE XREF: SepConstrainByMandatory+51j
		mov	dword ptr [eax], 0C0000022h
		test	esi, esi
		jz	loc_4FDF14
		cmp	dword ptr [edx], 0
		setnz	al
		mov	[esi], al
		jmp	loc_4FDF14
; 

loc_5D4DAD:				; CODE XREF: SepConstrainByMandatory+33j
		push	edi
		xor	edi, edi
		test	eax, eax
		jz	short loc_5D4E1A
		mov	ebx, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		sub	ebx, edx

loc_5D4DBC:				; CODE XREF: SepConstrainByMandatory+D6F2Cj
		mov	eax, [edx]
		mov	esi, [ecx]
		and	esi, eax
		mov	[ebp+arg_4], esi
		cmp	esi, eax
		jz	short loc_5D4E11
		mov	eax, [ebp+var_4]
		mov	[edx], esi
		mov	esi, [ebp+arg_8]
		and	eax, 2000000h
		jz	short loc_5D4DFD
		cmp	[ebp+arg_4], 0
		jnz	short loc_5D4DEF
		mov	dword ptr [ebx+edx], 0C0000022h
		test	esi, esi
		jz	short loc_5D4E11
		mov	byte ptr [edi+esi], 0
		jmp	short loc_5D4E11
; 

loc_5D4DEF:				; CODE XREF: SepConstrainByMandatory+D6EF0j
		and	dword ptr [ebx+edx], 0
		test	esi, esi
		jz	short loc_5D4E11
		mov	byte ptr [edi+esi], 1
		jmp	short loc_5D4E11
; 

loc_5D4DFD:				; CODE XREF: SepConstrainByMandatory+D6EEAj
		mov	dword ptr [ebx+edx], 0C0000022h
		test	esi, esi
		jz	short loc_5D4E11
		cmp	dword ptr [edx], 0
		setnz	al
		mov	[esi+edi], al

loc_5D4E11:				; CODE XREF: SepConstrainByMandatory+D6EDBj
					; SepConstrainByMandatory+D6EFBj ...
		inc	edi
		add	edx, 4
		cmp	edi, [ebp+arg_C]
		jb	short loc_5D4DBC

loc_5D4E1A:				; CODE XREF: SepConstrainByMandatory+D6EC6j
		pop	edi
		jmp	loc_4FDF14
; END OF FUNCTION CHUNK	FOR SepConstrainByMandatory
; 
; START	OF FUNCTION CHUNK FOR MiGetImageProtoProtection

loc_5D4E20:				; CODE XREF: MiGetImageProtoProtection+1Ej
		mov	eax, [edi]
		mov	[ebp+var_4], eax
		test	dword ptr [eax+1Ch], 4000000h
		jz	loc_4FDF7C
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		push	edi
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		mov	edx, [eax+24h]
		jmp	loc_4FDF7F
; END OF FUNCTION CHUNK	FOR MiGetImageProtoProtection
; 
; START	OF FUNCTION CHUNK FOR MiUnlockFlushMdl

loc_5D4E57:				; CODE XREF: MiUnlockFlushMdl+17j
		mov	ecx, esi
		call	_MiRetardMdl@4	; MiRetardMdl(x)
		movzx	ecx, word ptr [esi+6]
		jmp	loc_4FE017
; END OF FUNCTION CHUNK	FOR MiUnlockFlushMdl
; 
; START	OF FUNCTION CHUNK FOR MiAllowGuardFault

loc_5D4E67:				; CODE XREF: MiAllowGuardFault+1Fj
		cmp	byte ptr [esi],	1
		jz	short loc_5D4E7F
		jmp	loc_4FE0B7
; 

loc_5D4E71:				; CODE XREF: MiAllowGuardFault+27j
		mov	al, [esi]
		cmp	al, 3
		jz	short loc_5D4E7F
		cmp	al, 6
		jnz	loc_4FE0CE

loc_5D4E7F:				; CODE XREF: MiAllowGuardFault+36j
					; MiAllowGuardFault+D6DD8j ...
		test	edi, edi
		jz	loc_4FE0DB
		cmp	byte ptr [esi],	6
		jnz	loc_4FE0DB
		jmp	loc_4FE0CE
; END OF FUNCTION CHUNK	FOR MiAllowGuardFault
; 
; START	OF FUNCTION CHUNK FOR MiReadyFlushMdlToWrite

loc_5D4E95:				; CODE XREF: MiReadyFlushMdlToWrite+4Ej
		or	esi, 4000h
		mov	[ebx+6], si
		jmp	loc_4FE162
; END OF FUNCTION CHUNK	FOR MiReadyFlushMdlToWrite
; 
; START	OF FUNCTION CHUNK FOR EtwpTraceImageUnloadApc

loc_5D4EA4:				; CODE XREF: EtwpTraceImageUnloadApc+23j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_4FE203
; 

loc_5D4EAB:				; CODE XREF: EtwpTraceImageUnloadApc+36j
		mov	eax, 0C00000BBh
		jmp	loc_4FE229
; END OF FUNCTION CHUNK	FOR EtwpTraceImageUnloadApc
; 
; START	OF FUNCTION CHUNK FOR PpmEventIdleStateChange

loc_5D4EB5:				; CODE XREF: PpmEventIdleStateChange+1Cj
		mov	eax, large fs:20h
		mov	[ebp+var_18], ecx
		xor	ecx, ecx
		mov	[ebp+var_14], edx
		xor	edx, edx
		push	602h
		mov	eax, [eax+3C8h]
		inc	edx
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_18]
		push	1235h
		mov	[ebp+var_C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_1C], ecx
		lea	ecx, [ebp+var_28]
		push	80008000h
		mov	[ebp+var_28], eax
		mov	[ebp+var_20], 10h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_4FE2D2
; END OF FUNCTION CHUNK	FOR PpmEventIdleStateChange
; 
; START	OF FUNCTION CHUNK FOR MiChargePartitionResidentAvailable

loc_5D4F01:				; CODE XREF: MiChargePartitionResidentAvailable+DDj
		inc	ds:dword_6D3114
		xor	eax, eax
		jmp	loc_4FE511
; 

loc_5D4F0E:				; CODE XREF: MiChargePartitionResidentAvailable+36j
		cmp	[ebp+var_4], offset _MiSystemPartition
		jnz	loc_4FE47E
		mov	eax, ds:_KeNumberProcessors
		and	[ebp+var_8], edx
		test	eax, eax
		jz	short loc_5D4F5F
		mov	ecx, [ebp+var_8]
		mov	ebx, eax

loc_5D4F2C:				; CODE XREF: MiChargePartitionResidentAvailable+D6B12j
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		add	eax, 3D30h
		mov	[ebp+var_C], eax
		mov	eax, [eax]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5D4F51
		mov	esi, [ebp+var_C]
		or	eax, 0FFFFFFFFh
		xchg	eax, [esi]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5D4F51
		add	edx, eax

loc_5D4F51:				; CODE XREF: MiChargePartitionResidentAvailable+D6AFEj
					; MiChargePartitionResidentAvailable+D6B0Bj
		inc	ecx
		cmp	ecx, ebx
		jb	short loc_5D4F2C
		mov	esi, [ebp+var_10]
		mov	ebx, [ebp+var_14]
		mov	ecx, [ebp+arg_0]

loc_5D4F5F:				; CODE XREF: MiChargePartitionResidentAvailable+D6AE3j
		cmp	edx, esi
		jb	short loc_5D4F6D
		sub	edx, esi
		jz	short loc_5D4FAD
		lock xadd [ebx], edx
		jmp	short loc_5D4FAD
; 

loc_5D4F6D:				; CODE XREF: MiChargePartitionResidentAvailable+D6B1Fj
		sub	esi, edx
		jmp	loc_4FE47E
; 

loc_5D4F74:				; CODE XREF: MiChargePartitionResidentAvailable+49j
		cmp	ecx, 0FFFFFFFFh
		jz	loc_4FE491

loc_5D4F7D:				; CODE XREF: MiChargePartitionResidentAvailable+D6B63j
		inc	ds:dword_6D3118
		test	edx, edx
		jz	short loc_5D4F8B
		lock xadd [ebx], edx

loc_5D4F8B:				; CODE XREF: MiChargePartitionResidentAvailable+D6B43j
		xor	eax, eax
		jmp	loc_4FE50F
; 

loc_5D4F92:				; CODE XREF: MiChargePartitionResidentAvailable+5Bj
		mov	ecx, [ebp+arg_0]
		mov	edi, eax
		test	eax, eax
		lea	eax, [esi+ecx]
		jg	loc_4FE489

loc_5D4FA2:				; CODE XREF: MiChargePartitionResidentAvailable+3Ej
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_5D4F7D
		neg	esi
		lock xadd [ebx], esi

loc_5D4FAD:				; CODE XREF: MiChargePartitionResidentAvailable+D6B23j
					; MiChargePartitionResidentAvailable+D6B29j
		push	3
		pop	eax
		jmp	loc_4FE50F
; 

loc_5D4FB5:				; CODE XREF: MiChargePartitionResidentAvailable+8Fj
		cmp	edi, 800h
		jl	loc_4FE50D
		xor	ecx, ecx
		or	eax, 0FFFFFFFFh
		lock cmpxchg [edx], ecx
		xor	ecx, ecx
		jmp	loc_4FE4DC
; END OF FUNCTION CHUNK	FOR MiChargePartitionResidentAvailable
; 
; START	OF FUNCTION CHUNK FOR RtlRbReplaceNode

loc_5D4FD1:				; CODE XREF: RtlRbReplaceNode+24j
		cmp	ebx, 1
		jnz	short loc_5D4FDD
		xor	eax, eax
		jmp	loc_4FE55C
; 

loc_5D4FDD:				; CODE XREF: RtlRbReplaceNode+D6AA4j
		mov	eax, ecx
		or	eax, 1
		xor	eax, ebx
		jmp	loc_4FE55C
; 

loc_5D4FE9:				; CODE XREF: RtlRbReplaceNode+37j
		mov	eax, ecx
		xor	eax, edx
		mov	[ecx+4], eax
		or	byte ptr [ecx+4], 1
		jmp	loc_4FE570
; END OF FUNCTION CHUNK	FOR RtlRbReplaceNode
; 
; START	OF FUNCTION CHUNK FOR KiResumeClockTimer

loc_5D4FF9:				; CODE XREF: KiResumeClockTimer+71j
		mov	eax, large fs:20h
		lea	ecx, [esp+64h+var_3C]
		inc	ds:dword_6CAB44
		mov	byte ptr [eax+3D0h], 1
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	edi, edx
		lea	ecx, [esp+64h+var_4C]
		mov	esi, eax
		lea	edx, [esp+64h+var_54]
		push	edi
		push	esi
		call	KiRestoreClockTickRate
		mov	eax, [esp+64h+var_40]
		cmp	eax, 2
		jnz	loc_4FE737
		xor	eax, eax
		mov	ecx, offset _KiClockState
		xchg	eax, [ecx]
		jmp	loc_4FE737
; 

loc_5D5043:				; CODE XREF: KiResumeClockTimer+93j
		mov	[esp-4+arg_2D],	al
		xor	edx, edx
		mov	eax, [esp-4+arg_C]
		xor	ecx, ecx
		mov	[esp-4+arg_34],	eax
		mov	eax, [esp-4+arg_10]
		mov	[esp-4+arg_38],	eax
		mov	eax, [esp-4+arg_14]
		mov	[esp-4+arg_3C],	eax
		mov	eax, [esp-4+arg_18]
		push	602h
		mov	[esp+arg_40], eax
		lea	eax, [esp+34h]
		push	0F57h
		mov	[esp+4+arg_2E],	edx
		mov	[esp+4+arg_32],	cx
		lea	ecx, [esp+4+arg_44]
		mov	[esp+4+arg_2C],	dl
		mov	[esp+4+arg_48],	edx
		mov	[esp+4+arg_50],	edx
		inc	edx
		push	40100000h
		mov	[esp+8+arg_44],	eax
		mov	[esp+8+arg_4C],	18h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_4FE747
; END OF FUNCTION CHUNK	FOR KiResumeClockTimer
; 
; START	OF FUNCTION CHUNK FOR PoTraceSystemTimerResolutionKernel

loc_5D50AE:				; CODE XREF: PoTraceSystemTimerResolutionKernel+45j
		push	4
		pop	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		xor	edx, edx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	esi
		push	edi
		push	ebx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_4FE7F5
; END OF FUNCTION CHUNK	FOR PoTraceSystemTimerResolutionKernel
; 
; START	OF FUNCTION CHUNK FOR KiSetClockTickRate

loc_5D50E5:				; CODE XREF: KiSetClockTickRate+61j
		xor	ebx, ebx
		mov	eax, offset _KiClockState
		xchg	ebx, [eax]
		jmp	loc_4FE921
; 

loc_5D50F3:				; CODE XREF: KiSetClockTickRate+71j
		xor	eax, eax
		mov	[ebp+var_1B], bl
		xor	ecx, ecx
		mov	[ebp+var_16], ax
		mov	eax, [ebp+var_38]
		xor	edx, edx
		mov	[ebp+var_14], eax
		inc	edx
		mov	eax, [ebp+var_34]
		push	602h
		mov	[ebp+var_10], eax
		lea	eax, [ebp-1Ch]
		push	0F57h
		mov	[ebp+var_1A], ecx
		mov	[ebp+var_1C], cl
		mov	[ebp+var_8], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_20], ecx
		lea	ecx, [ebp+var_2C]
		push	40100000h
		mov	[ebp+var_C], esi
		mov	[ebp+var_2C], eax
		mov	[ebp+var_24], 18h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_4FE931
; 

loc_5D5148:				; CODE XREF: KiSetClockTickRate+95j
		mov	esi, 0FFDF000Ch

loc_5D514D:				; CODE XREF: KiSetClockTickRate+D68A9j
		lea	ecx, [ebp+var_3C]
		call	KeYieldProcessorEx
		mov	edi, [esi]
		mov	eax, 0FFDF0008h
		mov	ebx, [eax]
		add	eax, 8
		cmp	edi, [eax]
		jnz	short loc_5D514D
		mov	esi, [ebp+var_44]
		jmp	loc_4FE955
; 

loc_5D516D:				; CODE XREF: KiSetClockTickRate+C2j
		mov	ds:dword_6CAB70, edx
		jmp	loc_4FE982
; END OF FUNCTION CHUNK	FOR KiSetClockTickRate
; 
; START	OF FUNCTION CHUNK FOR KiRestoreClockTickRate

loc_5D5178:				; CODE XREF: KiRestoreClockTickRate+12j
		push	[ebp+arg_4]
		mov	ecx, ds:_KiClockOwnerOneShotRequest
		push	[ebp+arg_0]
		mov	eax, ds:dword_6CADF4
		push	eax
		push	ecx
		call	_KiGetClockIntervalOneShot@16 ;	KiGetClockIntervalOneShot(x,x,x,x)
		and	dword ptr [esi+4], 0
		push	edi
		push	0
		push	eax
		push	1
		jmp	loc_4FEA32
; END OF FUNCTION CHUNK	FOR KiRestoreClockTickRate
; 
; START	OF FUNCTION CHUNK FOR KiSetPendingTick

loc_5D519F:				; CODE XREF: KiSetPendingTick+Fj
		mov	eax, ds:_KiClockTimerOwner
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		mov	al, [ecx+3D1h]
		and	al, 0FEh
		or	al, bl
		mov	[ecx+3D1h], al
		pop	ebx
		retn
; END OF FUNCTION CHUNK	FOR KiSetPendingTick
; 
; START	OF FUNCTION CHUNK FOR KiEspToTrapFrame

loc_5D51BD:				; CODE XREF: KiEspToTrapFrame+Ej
		test	dword ptr [ecx+70h], 20000h
		jnz	loc_4FEB86
		cmp	edx, eax
		jnb	short loc_5D51DA
		push	0
		push	ecx
		push	eax
		push	edx
		push	30h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D51DA:				; CODE XREF: KiEspToTrapFrame+D665Aj
		test	ebx, 0FFF9h
		jz	short loc_5D51FA
		cmp	eax, edx
		jz	loc_4FEB89
		mov	ax, bx
		and	ebx, 0FFFF0006h
		mov	[ecx+0Ch], ax
		mov	[ecx+6Ch], ebx

loc_5D51FA:				; CODE XREF: KiEspToTrapFrame+D666Ej
		mov	[ecx+10h], edx
		pop	ebx
		retn
; END OF FUNCTION CHUNK	FOR KiEspToTrapFrame
; 
; START	OF FUNCTION CHUNK FOR KiEspFromTrapFrame

loc_5D51FF:				; CODE XREF: KiEspFromTrapFrame+5j
		test	dword ptr [ecx+70h], 20000h
		jnz	loc_4FEB97
		test	eax, 0FFF9h
		jnz	short loc_5D5217
		mov	eax, [ecx+10h]
		retn
; 

loc_5D5217:				; CODE XREF: KiEspFromTrapFrame+D6685j
		lea	eax, [ecx+74h]
		retn
; END OF FUNCTION CHUNK	FOR KiEspFromTrapFrame
; 
; START	OF FUNCTION CHUNK FOR ExpRemoveGeneralLookaside

loc_5D521B:				; CODE XREF: ExpRemoveGeneralLookaside+3Aj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4FECC5
; 

loc_5D522A:				; CODE XREF: ExpRemoveGeneralLookaside+85j
		cmp	edi, esi
		jnb	short loc_5D523F
		mov	eax, esi
		sub	eax, edi
		cmp	eax, 400000h
		jnb	loc_4FED0B
		cmp	edi, esi

loc_5D523F:				; CODE XREF: ExpRemoveGeneralLookaside+D65ACj
		ja	loc_4FED0B
		mov	ecx, [ebx+0D84h]
		cmp	esi, ecx
		jnb	loc_4FED0B
		cmp	edi, ecx
		jnb	loc_4FED0B
		mov	eax, 40000h
		cmp	edx, eax
		jbe	short loc_5D5266
		mov	edx, eax

loc_5D5266:				; CODE XREF: ExpRemoveGeneralLookaside+D65E2j
		mov	eax, esi
		sub	ecx, esi
		sub	eax, edi
		add	edx, eax
		cmp	edx, ecx
		jbe	short loc_5D5274
		mov	edx, ecx

loc_5D5274:				; CODE XREF: ExpRemoveGeneralLookaside+D65F0j
		push	0
		push	2
		mov	ecx, ebx
		call	_MiIssuePageExtendRequest@16 ; MiIssuePageExtendRequest(x,x,x,x)
		jmp	loc_4FED0B
; END OF FUNCTION CHUNK	FOR ExpRemoveGeneralLookaside
; 
; START	OF FUNCTION CHUNK FOR CcAmILowPriorityWriter

loc_5D5284:				; CODE XREF: CcAmILowPriorityWriter+197j
		mov	eax, [ebp+var_8]
		push	0
		push	[ebp+var_C]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D5298:				; CODE XREF: CcAmILowPriorityWriter+12Dj
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_4FEF9F
; 

loc_5D52AD:				; CODE XREF: CcAmILowPriorityWriter+1D2j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_4FF034
; 

loc_5D52BC:				; CODE XREF: CcAmILowPriorityWriter+1FCj
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_4FEFB2
; END OF FUNCTION CHUNK	FOR CcAmILowPriorityWriter
; 
; START	OF FUNCTION CHUNK FOR MiImageUnused

loc_5D52CE:				; CODE XREF: MiImageUnused+29j
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	edx, [ebp+arg_0]
		mov	bl, al
		jmp	loc_4FF08F
; 

loc_5D52DE:				; CODE XREF: MiImageUnused+43j
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4FF0A7
; END OF FUNCTION CHUNK	FOR MiImageUnused
; 
; START	OF FUNCTION CHUNK FOR KeInsertQueue

loc_5D52F1:				; CODE XREF: KeInsertQueue+35j
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)
		jmp	loc_4FF12B
; 

loc_5D530B:				; CODE XREF: KeInsertQueue+5Fj
		cmp	byte ptr [ecx+18Bh], 0Fh
		jz	loc_4FF187
		jmp	loc_4FF155
; 

loc_5D531D:				; CODE XREF: KeInsertQueue+107j
		cmp	ds:_KdAutoEnableOnEvent, 0
		jz	short loc_5D5362
		cmp	ds:_KdPreviouslyEnabled, 0
		jz	short loc_5D5362
		cmp	ds:_KdDebuggerEnabled, 0
		jnz	short loc_5D5362
		call	_KdEnableDebugger@0 ; KdEnableDebugger()
		test	eax, eax
		js	short loc_5D5362
		cmp	ds:_KdDebuggerEnabled, 0
		jz	short loc_5D5362
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	_KdpTrap@24	; KdpTrap(x,x,x,x,x,x)
		jmp	loc_4FF1FF
; 

loc_5D5362:				; CODE XREF: KeInsertQueue+D6234j
					; KeInsertQueue+D623Dj	...
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		call	_KdpCheckTracePoint@8 ;	KdpCheckTracePoint(x,x)
		jmp	loc_4FF1FF
; END OF FUNCTION CHUNK	FOR KeInsertQueue
; 
; START	OF FUNCTION CHUNK FOR RtlContractHashTable

loc_5D5371:				; CODE XREF: RtlContractHashTable+18j
		cmp	dword ptr [esi+1Ch], 0
		ja	loc_4FF2B6
		mov	eax, [esi+0Ch]
		test	eax, eax
		jnz	short loc_5D538A
		shr	dword ptr [esi+10h], 1
		mov	eax, [esi+10h]
		jmp	short loc_5D538B
; 

loc_5D538A:				; CODE XREF: RtlContractHashTable+D60E8j
		dec	eax

loc_5D538B:				; CODE XREF: RtlContractHashTable+D60F0j
		push	ebx
		push	edi
		dec	edx
		mov	[esi+0Ch], eax
		mov	ecx, esi
		call	_RtlpGetChainHead@8 ; RtlpGetChainHead(x,x)
		mov	edx, [esi+0Ch]
		mov	edi, eax
		mov	[ebp+var_8], edi
		call	_RtlpGetChainHead@8 ; RtlpGetChainHead(x,x)
		dec	dword ptr [esi+8]
		mov	ebx, eax
		cmp	[edi], edi
		jz	short loc_5D53B5
		cmp	[ebx], ebx
		jz	short loc_5D53B5
		dec	dword ptr [esi+18h]

loc_5D53B5:				; CODE XREF: RtlContractHashTable+D6114j
					; RtlContractHashTable+D6118j
		mov	edx, ebx

loc_5D53B7:				; CODE XREF: RtlContractHashTable+D616Aj
		mov	ecx, [edi]
		cmp	ecx, edi
		jz	short loc_5D5409
		cmp	[ecx+4], edi
		jnz	short loc_5D5404
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_5D5404
		mov	[edi], eax
		mov	[eax+4], edi
		mov	eax, [edx]
		mov	[ebp+var_4], eax
		cmp	eax, ebx
		jz	short loc_5D53F1
		mov	edi, [ecx+8]
		mov	esi, eax

loc_5D53DC:				; CODE XREF: RtlContractHashTable+D6151j
		cmp	[esi+8], edi
		jnb	short loc_5D53EB
		mov	eax, [esi]
		mov	edx, esi
		mov	esi, eax
		cmp	eax, ebx
		jnz	short loc_5D53DC

loc_5D53EB:				; CODE XREF: RtlContractHashTable+D6147j
		mov	esi, [ebp+arg_0]
		mov	edi, [ebp+var_8]

loc_5D53F1:				; CODE XREF: RtlContractHashTable+D613Dj
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_5D5404
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[eax+4], ecx
		mov	[edx], ecx
		jmp	short loc_5D53B7
; 

loc_5D5404:				; CODE XREF: RtlContractHashTable+D6128j
					; RtlContractHashTable+D612Fj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5D5409:				; CODE XREF: RtlContractHashTable+D6123j
		mov	eax, [esi+8]
		sub	eax, 0FFFFFF80h
		bsr	ebx, eax
		btc	eax, ebx
		test	eax, eax
		jnz	short loc_5D5441
		mov	edi, [esi+20h]
		push	eax
		push	dword ptr [edi+ebx*4-1Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi+ebx*4-1Ch], 0
		cmp	dword ptr [esi+8], 80h
		jnz	short loc_5D5441
		mov	eax, [edi]
		push	0
		push	edi
		mov	[esi+20h], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5D5441:				; CODE XREF: RtlContractHashTable+D617Fj
					; RtlContractHashTable+D619Aj
		pop	edi
		mov	al, 1
		pop	ebx
		jmp	loc_4FF2B8
; END OF FUNCTION CHUNK	FOR RtlContractHashTable
; 
; START	OF FUNCTION CHUNK FOR ExInitializeLookasideListExInternal

loc_5D544A:				; CODE XREF: ExInitializeLookasideListExInternal+111j
		mov	eax, 0FFFFh
		mov	[esi+0Ah], ax
		mov	eax, [ebp+arg_0]
		mov	[esi+8], ax
		jmp	loc_4FF40C
; 

loc_5D545F:				; CODE XREF: ExInitializeLookasideListExInternal+13Dj
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4FF432
; 

loc_5D546E:				; CODE XREF: ExInitializeLookasideListExInternal+79j
					; ExInitializeLookasideListExInternal+86j
		mov	eax, 0C00000F2h
		jmp	loc_4FF43E
; 

loc_5D5478:				; CODE XREF: ExInitializeLookasideListExInternal+55j
		mov	eax, 0C00000F3h
		jmp	loc_4FF43E
; END OF FUNCTION CHUNK	FOR ExInitializeLookasideListExInternal
; 
; START	OF FUNCTION CHUNK FOR MmGetImageFileSignatureInformation

loc_5D5482:				; CODE XREF: MmGetImageFileSignatureInformation+38j
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_4FF5F0
; END OF FUNCTION CHUNK	FOR MmGetImageFileSignatureInformation
; 
; START	OF FUNCTION CHUNK FOR MiUnlockVadCore

loc_5D5496:				; CODE XREF: MiUnlockVadCore+19j
					; MiUnlockVadCore+D5E1Fj
		mov	ecx, eax
		mov	edx, eax
		and	ecx, 0FFFFFFFCh
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5D5496
		jmp	loc_4FF6A3
; END OF FUNCTION CHUNK	FOR MiUnlockVadCore
; 
; START	OF FUNCTION CHUNK FOR ExpDeleteTimer

loc_5D54AA:				; CODE XREF: ExpDeleteTimer+2Cj
		mov	eax, [edi+90h]
		mov	[ebp+var_3C], eax
		mov	eax, large fs:124h
		mov	[ebp+var_38], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpWakeTimerLock
		mov	[ebp+var_30], edx
		mov	eax, ecx
		mov	[ebp+var_24], 0FFFFFFFFh
		and	eax, 7FFFFFFCh
		mov	[ebp+var_20], eax
		jnz	short loc_5D54E6
		mov	edi, edx
		jmp	loc_5D5619
; 

loc_5D54E6:				; CODE XREF: ExpDeleteTimer+D5E2Fj
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_5D5535
		push	edx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		mov	eax, offset _ExpWakeTimerLock
		push	eax
		push	esi
		push	192h
		jmp	short loc_5D5530
; 

loc_5D551E:				; CODE XREF: ExpDeleteTimer+D6055j
		mov	eax, [ebp+var_24]
		push	0
		push	eax
		mov	eax, offset _ExpWakeTimerLock
		push	eax
		push	esi
		push	162h

loc_5D5530:				; CODE XREF: ExpDeleteTimer+D5E6Ej
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D5535:				; CODE XREF: ExpDeleteTimer+D5E55j
		mov	[ebp+var_2C], edx
		mov	dl, [esi+1E4h]
		test	dl, dl
		jnz	short loc_5D555C
		lea	ecx, [esi+222h]
		cmp	[ecx], dl
		jz	loc_5D5708
		xor	al, al
		xchg	al, [ecx]
		mov	dl, [esi+1E4h]
		or	dl, al

loc_5D555C:				; CODE XREF: ExpDeleteTimer+D5E92j
		movzx	eax, dl
		bsf	ecx, eax
		mov	al, 1
		shl	al, cl
		imul	edi, ecx, 30h
		not	al
		and	al, dl
		mov	[ebp+var_2C], ecx
		mov	[esi+1E4h], al
		add	edi, [esi+1E8h]
		jz	loc_5D5722
		mov	edx, ds:dword_6D07D0
		mov	eax, offset _ExpWakeTimerLock
		mov	ecx, eax
		shr	ecx, 15h
		cmp	edx, eax
		ja	loc_5D572F
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_5D55BF
		mov	eax, offset _ExpWakeTimerLock
		cmp	edx, eax
		ja	loc_5D572F
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	loc_5D572F

loc_5D55BF:				; CODE XREF: ExpDeleteTimer+D5EF5j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_5D55CA:				; CODE XREF: ExpDeleteTimer+D6084j
		mov	[edi+14h], eax
		nop
		mov	eax, [ebp+var_20]
		mov	[edi+10h], eax

loc_5D55D4:				; CODE XREF: ExpDeleteTimer+D607Cj
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_30]
		push	eax
		mov	edx, offset _ExpWakeTimerLock
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_5D5611
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5D5611
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5D5611:				; CODE XREF: ExpDeleteTimer+D5F54j
					; ExpDeleteTimer+D5F5Cj
		mov	esi, [ebp+var_28]
		mov	ecx, offset _ExpWakeTimerLock

loc_5D5619:				; CODE XREF: ExpDeleteTimer+D5E33j
		lock bts dword ptr [ecx], 0
		jnb	short loc_5D5628
		push	ecx
		mov	edx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_5D5628:				; CODE XREF: ExpDeleteTimer+D5F70j
		test	edi, edi
		jz	short loc_5D5630
		or	byte ptr [edi+0Eh], 1

loc_5D5630:				; CODE XREF: ExpDeleteTimer+D5F7Cj
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	loc_5D584A
		cmp	[eax], esi
		jnz	loc_5D584A
		mov	[eax], ecx
		or	edx, 0FFFFFFFFh
		mov	[ecx+4], eax
		mov	eax, edx
		and	dword ptr [esi], 0
		mov	ecx, offset _ExpWakeTimerLock
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5D566F
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _ExpWakeTimerLock

loc_5D566F:				; CODE XREF: ExpDeleteTimer+D5FB2j
		xor	edi, edi
		mov	[ebp+var_28], edi
		cmp	[ebp+var_20], edi
		jz	loc_5D582C
		mov	esi, large fs:124h
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_34], esi
		mov	[ebp+var_20], eax
		cmp	eax, offset _ExpWakeTimerLock
		ja	short loc_5D56C7
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_5D56B7
		mov	eax, [ebp+var_20]
		cmp	eax, offset _ExpWakeTimerLock
		ja	short loc_5D56C7
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_5D56C7

loc_5D56B7:				; CODE XREF: ExpDeleteTimer+D5FF4j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_24], edx

loc_5D56C7:				; CODE XREF: ExpDeleteTimer+D5FE9j
					; ExpDeleteTimer+D5FFEj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _ExpWakeTimerLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_5D5737
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_5D579D
		jmp	loc_5D551E
; 

loc_5D5708:				; CODE XREF: ExpDeleteTimer+D5E9Cj
		xor	edi, edi
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5D5722
		mov	edx, offset _ExpWakeTimerLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)

loc_5D5722:				; CODE XREF: ExpDeleteTimer+D5ECEj
					; ExpDeleteTimer+D6066j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_5D55D4
; 

loc_5D572F:				; CODE XREF: ExpDeleteTimer+D5EE6j
					; ExpDeleteTimer+D5EFEj ...
		or	eax, 0FFFFFFFFh
		jmp	loc_5D55CA
; 

loc_5D5737:				; CODE XREF: ExpDeleteTimer+D6045j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5D574D
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_5D574D:				; CODE XREF: ExpDeleteTimer+D6095j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_28], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_5D5791
		or	[esi+1E4h], dl
		jmp	short loc_5D579D
; 

loc_5D5791:				; CODE XREF: ExpDeleteTimer+D60D9j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_34]

loc_5D579D:				; CODE XREF: ExpDeleteTimer+D604Fj
					; ExpDeleteTimer+D60E1j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jz	short loc_5D5806
		test	edi, 8000h
		jz	short loc_5D57C1
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5D57C1:				; CODE XREF: ExpDeleteTimer+D6108j
		test	byte ptr [ebp+var_28+2], 1
		jz	short loc_5D57D7
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_5D57D7:				; CODE XREF: ExpDeleteTimer+D6117j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5D57EB
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5D57EB:				; CODE XREF: ExpDeleteTimer+D6130j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5D5806
		push	[ebp+var_34]
		mov	edx, offset _ExpWakeTimerLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5D5806:				; CODE XREF: ExpDeleteTimer+D6100j
					; ExpDeleteTimer+D6147j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_5D582C
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5D582C
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5D582C:				; CODE XREF: ExpDeleteTimer+D5FC9j
					; ExpDeleteTimer+D616Fj ...
		mov	ecx, [ebp+var_38]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jz	short loc_5D5842
		mov	ecx, eax
		call	_PoDestroyReasonContext@4 ; PoDestroyReasonContext(x)

loc_5D5842:				; CODE XREF: ExpDeleteTimer+D618Bj
		mov	edi, [ebx+8]
		jmp	loc_4FF6E0
; 

loc_5D584A:				; CODE XREF: ExpDeleteTimer+D5F8Aj
					; ExpDeleteTimer+D5F92j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5D584F:				; CODE XREF: ExpDeleteTimer+57j
		mov	edx, [ebx+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_4FF710
; END OF FUNCTION CHUNK	FOR ExpDeleteTimer
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepGetConstantOperand

loc_5D585E:				; CODE XREF: AuthzBasepGetConstantOperand+41j
		cmp	cl, 18h
		jz	loc_4FF811
		lea	eax, [ecx-50h]
		cmp	al, 1
		ja	loc_4FF842
		mov	eax, [ebp+var_4]
		jmp	loc_4FF811
; 

loc_5D587A:				; CODE XREF: AuthzBasepGetConstantOperand+50j
		push	10h
		pop	eax
		mov	[esi], ax
		cmp	cl, 50h
		jnz	loc_4FF826
		mov	[esi+4], bl
		jmp	loc_4FF826
; 

loc_5D5891:				; CODE XREF: AuthzBasepGetConstantOperand+38j
		push	0Ah
		dec	eax
		pop	ecx
		cmp	eax, ecx
		jb	loc_4FF850
		push	2
		pop	eax
		mov	[esi+14h], ecx
		lea	ecx, [edi+1]
		push	0Bh
		mov	[esi], ax
		mov	[esi+18h], ecx
		pop	ebx
		jmp	loc_4FF842
; END OF FUNCTION CHUNK	FOR AuthzBasepGetConstantOperand
; 
; START	OF FUNCTION CHUNK FOR MiGetClosestImplicitNode

loc_5D58B4:				; CODE XREF: MiGetClosestImplicitNode+Aj
		mov	ecx, ds:dword_6D0698
		lea	edx, [eax-1]
		push	esi
		movzx	esi, ds:_KeNumberNodes
		imul	edx, esi
		lea	edx, [ecx+edx*4]
		lea	ecx, [edx+esi*4]
		pop	esi
		cmp	edx, ecx
		jnb	loc_4FF88E
		mov	eax, [edx]
		inc	eax
		jmp	loc_4FF88E
; END OF FUNCTION CHUNK	FOR MiGetClosestImplicitNode
; 
; START	OF FUNCTION CHUNK FOR KiAttemptFastRemoveQueue

loc_5D58DF:				; CODE XREF: KiAttemptFastRemoveQueue+1Aj
		push	dword ptr [eax+8]
		push	ds:_ExWorkerQueue
		push	ecx
		push	eax
		push	96h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
; END OF FUNCTION CHUNK	FOR KiAttemptFastRemoveQueue
; START	OF FUNCTION CHUNK FOR ObpDeferObjectDeletion

loc_5D58F5:				; CODE XREF: ObpDeferObjectDeletion+2Fj
					; ObpDeferObjectDeletion+3Dj
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	eax
		mov	ecx, offset _ObpRemoveObjectDpc
		call	KiInsertQueueDpc
		retn
; END OF FUNCTION CHUNK	FOR ObpDeferObjectDeletion
; 
; START	OF FUNCTION CHUNK FOR RtlGetElementGenericTable

loc_5D5907:				; CODE XREF: RtlGetElementGenericTable:loc_4FFC84j
		mov	eax, esi
		shr	eax, 1
		cmp	edx, eax
		jbe	short loc_5D5924
		sub	esi, edx
		jz	loc_4FFCA6

loc_5D5917:				; CODE XREF: RtlGetElementGenericTable+D5CD1j
		mov	ecx, [ecx+4]
		sub	esi, 1
		jnz	short loc_5D5917
		jmp	loc_4FFCA6
; 

loc_5D5924:				; CODE XREF: RtlGetElementGenericTable+D5CC1j
		lea	ecx, [edi+4]
		test	edx, edx
		jz	loc_4FFCA6

loc_5D592F:				; CODE XREF: RtlGetElementGenericTable+D5CE8j
		mov	ecx, [ecx]
		sub	edx, 1
		jnz	short loc_5D592F
		jmp	loc_4FFCA6
; 

loc_5D593B:				; CODE XREF: RtlGetElementGenericTable+48j
		lea	ecx, [edi+4]
		test	eax, eax
		jz	loc_4FFCA5

loc_5D5946:				; CODE XREF: RtlGetElementGenericTable+D5D00j
		mov	ecx, [ecx+4]
		sub	eax, 1
		jnz	short loc_5D5946
		jmp	loc_4FFCA5
; END OF FUNCTION CHUNK	FOR RtlGetElementGenericTable
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute

loc_5D5953:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+CBj
		mov	edx, [ebx]
		mov	[ebp+var_24], edx
		mov	edx, [ebp+var_8]
		cmp	edi, [ebp+var_10]
		jnz	short loc_5D596F
		mov	eax, [ebp+var_24]
		mov	[ecx+esi*8], eax
		mov	eax, [ecx+4]
		mov	[ecx+esi*8+4], eax
		jmp	short loc_5D5985
; 

loc_5D596F:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+D5AE0j
		mov	edx, [ebp+var_24]
		add	[ebp+var_C], 8
		mov	[eax], edx
		mov	edx, [ebp+var_14]
		mov	eax, [edi+4]
		mov	[ecx+edx*8+0Ch], eax
		mov	edx, [ebp+var_8]

loc_5D5985:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+D5AEFj
		cmp	edi, [ebp+var_10]
		jnz	short loc_5D599D
		mov	eax, [edx]
		add	edx, 8
		mov	[ebx], eax
		mov	eax, [ebp+var_18]
		mov	eax, [edi+eax*8+0Ch]
		mov	[ecx+4], eax
		jmp	short loc_5D59A9
; 

loc_5D599D:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+D5B0Aj
		mov	eax, [edi+esi*8]
		mov	[ebx], eax
		mov	eax, [edi+esi*8+4]
		mov	[edi+4], eax

loc_5D59A9:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute+D5B1Dj
		mov	eax, esi
		mov	[ebp+var_8], edx
		shl	eax, 3
		mov	[ebp+var_24], eax
		add	eax, 0FFFFFFF8h
		jmp	loc_4FFF57
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeRedistribute
; 
; START	OF FUNCTION CHUNK FOR MiCheckFatalAccessViolation

loc_5D59BC:				; CODE XREF: MiCheckFatalAccessViolation+27j
		mov	ecx, [ebp+arg_4]
		test	dword ptr [ecx+3A8h], 1000h
		jz	short loc_5D59E8
		push	0
		push	0
		push	esi
		push	4477h
		jmp	short loc_5D59E1
; 

loc_5D59D7:				; CODE XREF: MiCheckFatalAccessViolation+D59FBj
		push	0
		push	0
		push	esi
		push	4478h

loc_5D59E1:				; CODE XREF: MiCheckFatalAccessViolation+D59DBj
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D59E8:				; CODE XREF: MiCheckFatalAccessViolation+D59CFj
		call	_MiIsStoreProcess@4 ; MiIsStoreProcess(x)
		test	eax, eax
		jz	loc_50000A
		jmp	short loc_5D59D7
; END OF FUNCTION CHUNK	FOR MiCheckFatalAccessViolation
; 
; START	OF FUNCTION CHUNK FOR RtlpGetEntireXStateAreaLength

loc_5D59F7:				; CODE XREF: RtlpGetEntireXStateAreaLength+10j
		mov	eax, ds:0FFDF05F8h
		mov	esi, 240h
		push	ebx
		push	edi
		push	2
		mov	[ebp+var_8], eax
		lea	edi, [esi-0Ch]
		mov	eax, ds:0FFDF05FCh
		pop	ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], ecx

loc_5D5A17:				; CODE XREF: RtlpGetEntireXStateAreaLength+D5A31j
		xor	eax, eax
		xor	edx, edx
		inc	eax
		call	__allshl
		mov	ebx, eax
		mov	eax, edx
		and	eax, [ebp+arg_4]
		mov	ecx, ebx
		and	ecx, [ebp+arg_0]
		or	ecx, eax
		jz	short loc_5D5A47
		and	ebx, [ebp+var_8]
		and	edx, [ebp+var_C]
		or	ebx, edx
		jz	short loc_5D5A41
		add	esi, 3Fh
		and	esi, 0FFFFFFC0h

loc_5D5A41:				; CODE XREF: RtlpGetEntireXStateAreaLength+D5A13j
		add	esi, [edi-20FC28h]

loc_5D5A47:				; CODE XREF: RtlpGetEntireXStateAreaLength+D5A09j
		mov	ecx, [ebp+var_4]
		add	edi, 4
		inc	ecx
		mov	[ebp+var_4], ecx
		cmp	edi, 32Ch
		jb	short loc_5D5A17
		pop	edi
		pop	ebx
		jmp	loc_500042
; END OF FUNCTION CHUNK	FOR RtlpGetEntireXStateAreaLength
; 
; START	OF FUNCTION CHUNK FOR MiGetPageFileSectionForReservation

loc_5D5A60:				; CODE XREF: MiGetPageFileSectionForReservation+69j
		mov	ecx, esi
		call	_MiReleasePageFileSectionInfo@4	; MiReleasePageFileSectionInfo(x)
		jmp	loc_500061
; END OF FUNCTION CHUNK	FOR MiGetPageFileSectionForReservation
; 
; START	OF FUNCTION CHUNK FOR wil_details_MapReportingKind

loc_5D5A6C:				; CODE XREF: wil_details_MapReportingKind+1Cj
		sub	eax, 1
		jz	short loc_5D5AB8
		sub	eax, 1
		jz	short loc_5D5AA9
		sub	eax, 1
		jz	short loc_5D5A9A
		sub	cl, 64h
		cmp	cl, 31h
		ja	loc_500131
		neg	edx
		movzx	eax, cl
		sbb	edx, edx
		and	edx, 0FFFFFFCEh
		add	edx, 96h
		add	eax, edx
		retn
; 

loc_5D5A9A:				; CODE XREF: wil_details_MapReportingKind+D5977j
		xor	eax, eax
		test	edx, edx
		setz	al
		lea	eax, ds:9[eax*2]
		retn
; 

loc_5D5AA9:				; CODE XREF: wil_details_MapReportingKind+D5972j
		xor	eax, eax
		test	edx, edx
		setz	al
		lea	eax, ds:8[eax*2]
		retn
; 

loc_5D5AB8:				; CODE XREF: wil_details_MapReportingKind+D596Dj
		xor	eax, eax
		test	edx, edx
		setz	al
		lea	eax, ds:3[eax*4]
		retn
; 

loc_5D5AC7:				; CODE XREF: wil_details_MapReportingKind+13j
		xor	eax, eax
		test	edx, edx
		setz	al
		lea	eax, ds:1[eax*4]
		retn
; 

loc_5D5AD6:				; CODE XREF: wil_details_MapReportingKind+Aj
		neg	edx
		sbb	edx, edx
		and	edx, 0FFFFFFFCh
		lea	eax, [edx+4]
		retn
; END OF FUNCTION CHUNK	FOR wil_details_MapReportingKind
; 
; START	OF FUNCTION CHUNK FOR SepFreeTokenCapabilities

loc_5D5AE1:				; CODE XREF: SepFreeTokenCapabilities+Aj
		mov	edx, [esi+1E8h]
		mov	ecx, [esi+1E4h]
		call	_SepDeReferenceSharedSidEntries@8 ; SepDeReferenceSharedSidEntries(x,x)
		jmp	loc_500148
; END OF FUNCTION CHUNK	FOR SepFreeTokenCapabilities
; 
; START	OF FUNCTION CHUNK FOR SeLogAccessFailure

loc_5D5AF7:				; CODE XREF: SeLogAccessFailure+B2j
		push	esi
		xor	esi, esi
		test	ebx, ebx
		jnz	short loc_5D5B38
		mov	ecx, large fs:124h
		lea	eax, [ebp+var_22C]
		push	esi
		push	eax
		lea	eax, [ebp+var_208]
		push	eax
		lea	edx, [ebp+var_228]
		call	PsReferenceEffectiveToken
		mov	ebx, eax
		mov	[ebp+var_24C], eax
		test	ebx, ebx
		jz	loc_5D63ED
		mov	[ebp+var_206], 1
		jmp	short loc_5D5B50
; 

loc_5D5B38:				; CODE XREF: SeLogAccessFailure+D5980j
		mov	eax, [ebx+0A8h]
		mov	[ebp+var_228], eax
		mov	eax, [ebx+0ACh]
		mov	[ebp+var_22C], eax

loc_5D5B50:				; CODE XREF: SeLogAccessFailure+D59BAj
		mov	al, [ebp+arg_14]
		xor	ecx, ecx
		cmp	[ebp+arg_10], cl
		jnz	short loc_5D5B76
		test	al, al
		setnz	cl
		dec	ecx
		and	ecx, 0FFFFFFFAh
		add	ecx, 14h
		test	al, al
		mov	eax, offset ??_C@_1BE@DINJNKOJ@?$AAA?$AAd?$AAm?$AAi?$AAn?$AAl?$AAe?$AAs?$AAs@FNODOBFM@
		jnz	short loc_5D5B90
		mov	eax, offset ??_C@_1O@PFKKKDLL@?$AAN?$AAo?$AAr?$AAm?$AAa?$AAl@FNODOBFM@
		jmp	short loc_5D5B90
; 

loc_5D5B76:				; CODE XREF: SeLogAccessFailure+D59DCj
		test	al, al
		setnz	cl
		dec	ecx
		and	ecx, 0FFFFFFECh
		add	ecx, 2Ah
		test	al, al
		mov	eax, offset ??_C@_1CK@ICJDEGKO@?$AAA?$AAd?$AAm?$AAi?$AAn?$AAl?$AAe?$AAs?$AAs?$AA?5?$AAP?$AAe?$AAr?$AAm?$AAi@FNODOBFM@
		jnz	short loc_5D5B90
		mov	eax, offset ??_C@_1BG@LOFAHIAF@?$AAP?$AAe?$AAr?$AAm?$AAi?$AAs?$AAs?$AAi?$AAv?$AAe@FNODOBFM@

loc_5D5B90:				; CODE XREF: SeLogAccessFailure+D59F1j
					; SeLogAccessFailure+D59F8j ...
		mov	[ebp+var_1FC], ecx
		lea	ecx, [ebp-207h]
		mov	[ebp+var_1F8], esi
		mov	[ebp+var_200], esi
		mov	[ebp+var_205+1], eax
		call	_SepGetLearningModeObjectInformation@4 ; SepGetLearningModeObjectInformation(x)
		mov	ecx, eax
		mov	[ebp+var_25C], ecx
		test	ecx, ecx
		jz	short loc_5D5BDD
		mov	edx, [ecx+8]
		test	edx, edx
		jz	short loc_5D5BDD
		movzx	eax, word ptr [edx]
		movzx	esi, word ptr [edx+2]
		add	eax, 2
		cmp	eax, esi
		jb	short loc_5D5BD6
		mov	eax, esi

loc_5D5BD6:				; CODE XREF: SeLogAccessFailure+D5A56j
		mov	edx, [edx+4]
		xor	esi, esi
		jmp	short loc_5D5BE5
; 

loc_5D5BDD:				; CODE XREF: SeLogAccessFailure+D5A41j
					; SeLogAccessFailure+D5A48j
		push	2
		pop	eax
		mov	edx, offset ??_C@_11LOCGONAA@@FNODOBFM@

loc_5D5BE5:				; CODE XREF: SeLogAccessFailure+D5A5Fj
		mov	[ebp+var_1F4], edx
		mov	[ebp+var_1F0], esi
		mov	[ebp+var_1EC], eax
		mov	[ebp+var_1E8], esi
		test	ecx, ecx
		jz	short loc_5D5C36
		mov	esi, [ecx+0Ch]
		test	esi, esi
		jz	short loc_5D5C34
		cmp	dword ptr [ecx+10h], 0
		jz	short loc_5D5C24
		mov	edx, [ecx+18h]
		test	edx, edx
		jz	short loc_5D5C24
		movzx	eax, word ptr [ecx+16h]
		jmp	short loc_5D5C20
; 

loc_5D5C1B:				; CODE XREF: SeLogAccessFailure+D5AB6j
		mov	eax, ecx

loc_5D5C1D:				; CODE XREF: SeLogAccessFailure+D5AB4j
		mov	edx, [esi+4]

loc_5D5C20:				; CODE XREF: SeLogAccessFailure+D5A9Dj
		xor	esi, esi
		jmp	short loc_5D5C3E
; 

loc_5D5C24:				; CODE XREF: SeLogAccessFailure+D5A90j
					; SeLogAccessFailure+D5A97j
		movzx	eax, word ptr [esi]
		movzx	ecx, word ptr [esi+2]
		add	eax, 2
		cmp	eax, ecx
		jb	short loc_5D5C1D
		jmp	short loc_5D5C1B
; 

loc_5D5C34:				; CODE XREF: SeLogAccessFailure+D5A8Aj
		xor	esi, esi

loc_5D5C36:				; CODE XREF: SeLogAccessFailure+D5A83j
		push	2
		pop	eax
		mov	edx, offset ??_C@_11LOCGONAA@@FNODOBFM@

loc_5D5C3E:				; CODE XREF: SeLogAccessFailure+D5AA6j
		mov	[ebp+var_1DC], eax
		mov	eax, large fs:124h
		mov	[ebp+var_1D8], esi
		mov	[ebp+var_1E4], edx
		mov	[ebp+var_1E0], esi
		mov	eax, [eax+80h]
		mov	eax, [eax+1C0h]
		test	eax, eax
		jz	short loc_5D5C75
		movzx	ecx, word ptr [eax+2]
		mov	eax, [eax+4]
		jmp	short loc_5D5C7D
; 

loc_5D5C75:				; CODE XREF: SeLogAccessFailure+D5AEEj
		push	2
		pop	ecx
		mov	eax, offset ??_C@_11LOCGONAA@@FNODOBFM@

loc_5D5C7D:				; CODE XREF: SeLogAccessFailure+D5AF7j
		mov	[ebp+var_1D4], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_1B4], eax
		lea	eax, [ebp+var_228]
		mov	[ebp+var_1A4], eax
		lea	eax, [ebp+var_22C]
		mov	[ebp+var_1CC], ecx
		push	4
		pop	ecx
		mov	[ebp+var_194], eax
		lea	eax, [ebx+78h]
		mov	[ebp+var_1D0], esi
		mov	[ebp+var_1C8], esi
		mov	[ebp+var_1C4], offset ??_C@_11LOCGONAA@@FNODOBFM@
		mov	[ebp+var_1C0], esi
		mov	[ebp+var_1BC], 2
		mov	[ebp+var_1B8], esi
		mov	[ebp+var_1B0], esi
		mov	[ebp+var_1AC], ecx
		mov	[ebp+var_1A8], esi
		mov	[ebp+var_1A0], esi
		mov	[ebp+var_19C], ecx
		mov	[ebp+var_198], esi
		mov	[ebp+var_190], esi
		mov	[ebp+var_18C], ecx
		mov	[ebp+var_188], esi
		mov	[ebp+var_184], eax
		mov	[ebp+var_180], esi
		mov	[ebp+var_17C], ecx
		mov	[ebp+var_178], esi
		mov	eax, [ebx+274h]
		test	eax, eax
		jz	short loc_5D5D39
		add	eax, 14h
		jmp	short loc_5D5D3F
; 

loc_5D5D39:				; CODE XREF: SeLogAccessFailure+D5BB6j
		lea	eax, [ebp+var_214]

loc_5D5D3F:				; CODE XREF: SeLogAccessFailure+D5BBBj
		mov	[ebp+var_16C], ecx
		xor	ecx, ecx
		mov	[ebp+var_170], esi
		inc	ecx
		mov	[ebp+var_168], esi
		mov	[ebp+var_174], eax
		mov	[ebp+var_264], ecx
		mov	eax, [ebx+94h]
		push	69536553h
		mov	eax, [eax]
		movzx	eax, byte ptr [eax+1]
		lea	esi, ds:0Ch[eax*4]
		push	esi
		push	ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_248], edx
		test	edx, edx
		jz	short loc_5D5DF0
		mov	eax, [ebx+94h]
		mov	eax, [eax+4]
		mov	[edx], eax
		mov	eax, [ebx+94h]
		mov	ecx, [eax]
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [edx+4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_14C], esi
		lea	eax, [ebp+var_264]
		xor	edx, edx
		mov	[ebp+var_164], eax
		mov	eax, [ebp+var_248]
		push	4
		pop	ecx
		mov	[ebp+var_154], eax
		lea	eax, [ebp+var_144]
		mov	[ebp+var_150], edx
		mov	[ebp+var_148], edx
		push	0Dh
		jmp	short loc_5D5E09
; 

loc_5D5DF0:				; CODE XREF: SeLogAccessFailure+D5C0Dj
		push	4
		lea	eax, [ebp+var_214]
		xor	edx, edx
		pop	ecx
		mov	[ebp+var_164], eax
		lea	eax, [ebp+var_154]
		push	0Ch

loc_5D5E09:				; CODE XREF: SeLogAccessFailure+D5C72j
		mov	[ebp+var_158], edx
		mov	[ebp+var_15C], ecx
		mov	[ebp+var_160], edx
		cmp	[ebx+1E0h], edx
		pop	esi
		mov	[ebp+var_210], esi
		mov	[eax+4], edx
		mov	[eax+0Ch], edx
		jz	short loc_5D5E80
		mov	dword ptr [eax+8], 4
		lea	ecx, [ebp+var_234]
		mov	[eax], ecx
		mov	edx, esi
		mov	ecx, [ebx+1E0h]
		add	edx, edx
		push	4
		movzx	eax, byte ptr [ecx+1]
		and	[ebp+edx*8+var_200], 0
		and	[ebp+edx*8+var_1F8], 0
		inc	esi
		mov	[ebp+edx*8+var_205+1], ecx
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_210], esi
		mov	[ebp+edx*8+var_1FC], eax
		xor	edx, edx
		pop	ecx
		jmp	short loc_5D5E91
; 

loc_5D5E80:				; CODE XREF: SeLogAccessFailure+D5CB2j
		lea	edi, [ebp+var_214]
		mov	[eax+8], ecx
		mov	[eax], edi
		mov	edi, [ebp+var_20C]

loc_5D5E91:				; CODE XREF: SeLogAccessFailure+D5D02j
		cmp	[ebx+1E8h], edx
		jbe	loc_5D5FBF
		mov	edi, [ebx+1E8h]
		mov	ecx, edx
		mov	edx, [ebx+1E4h]

loc_5D5EAB:				; CODE XREF: SeLogAccessFailure+D5D41j
		mov	eax, [edx]
		lea	edx, [edx+8]
		movzx	eax, byte ptr [eax+1]
		lea	ecx, [ecx+eax*4]
		add	ecx, 0Ch
		sub	edi, 1
		jnz	short loc_5D5EAB
		push	69536553h
		push	ecx
		push	1
		mov	[ebp+var_258], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, [ebp+var_20C]
		mov	edx, eax
		mov	[ebp+var_230], edx
		test	edx, edx
		jz	loc_5D5F6D
		mov	ecx, [ebx+1E8h]
		and	[ebp+var_250], 0
		mov	[ebp+var_21C], ecx
		mov	[ebp+var_254], edx
		test	ecx, ecx
		jz	short loc_5D5F73
		mov	edi, [ebp+var_250]
		mov	esi, eax

loc_5D5F0D:				; CODE XREF: SeLogAccessFailure+D5DDBj
		mov	eax, [ebx+1E4h]
		mov	eax, [eax+edi*8+4]
		mov	[esi], eax
		mov	eax, [ebx+1E4h]
		mov	ecx, [eax+edi*8]
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [esi+4]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebx+1E4h]
		add	esp, 0Ch
		mov	ecx, [ebp+var_21C]
		mov	eax, [eax+edi*8]
		inc	edi
		movzx	eax, byte ptr [eax+1]
		lea	esi, [esi+eax*4]
		lea	esi, [esi+0Ch]
		cmp	edi, ecx
		jb	short loc_5D5F0D
		mov	esi, [ebp+var_210]
		mov	edi, [ebp+var_20C]
		mov	edx, [ebp+var_230]
		jmp	short loc_5D5F73
; 

loc_5D5F6D:				; CODE XREF: SeLogAccessFailure+D5D66j
		mov	ecx, [ebp+var_21C]

loc_5D5F73:				; CODE XREF: SeLogAccessFailure+D5D87j
					; SeLogAccessFailure+D5DEFj
		mov	eax, esi
		lea	ebx, [ebp+var_21C]
		add	eax, eax
		and	[ebp+eax*8+var_200], 0
		and	[ebp+eax*8+var_1F8], 0
		inc	esi
		mov	[ebp+eax*8+var_205+1], ebx
		lea	ebx, [ebp+var_214]
		mov	[ebp+eax*8+var_1FC], 4
		test	ecx, ecx
		jz	short loc_5D5FE8
		mov	ecx, [ebp+var_258]
		mov	eax, esi
		add	eax, eax
		mov	[ebp+eax*8+var_205+1], edx
		xor	edx, edx
		jmp	short loc_5D5FD0
; 

loc_5D5FBF:				; CODE XREF: SeLogAccessFailure+D5D1Bj
		mov	eax, esi
		lea	ebx, [ebp+var_214]
		add	eax, eax
		mov	[ebp+eax*8+var_205+1], ebx

loc_5D5FD0:				; CODE XREF: SeLogAccessFailure+D5E41j
		mov	[ebp+eax*8+var_200], edx
		inc	esi
		mov	[ebp+eax*8+var_1FC], ecx
		mov	[ebp+eax*8+var_1F8], edx
		jmp	short loc_5D5FEA
; 

loc_5D5FE8:				; CODE XREF: SeLogAccessFailure+D5E2Cj
		xor	edx, edx

loc_5D5FEA:				; CODE XREF: SeLogAccessFailure+D5E6Aj
		mov	eax, [ebp+arg_4]
		mov	ecx, esi
		add	ecx, ecx
		mov	[ebp+ecx*8+var_1FC], 4
		mov	[ebp+ecx*8+var_1F8], edx
		test	eax, eax
		jz	short loc_5D6047
		xor	ebx, ebx
		lea	edx, [ebp+var_234]
		mov	[ebp+ecx*8+var_205+1], edx
		inc	esi
		mov	[ebp+ecx*8+var_200], ebx
		mov	[ebp+ecx*8+var_1F4], eax
		movzx	eax, byte ptr [eax+1]
		mov	[ebp+ecx*8+var_1F0], ebx
		mov	[ebp+ecx*8+var_1E8], ebx
		lea	eax, ds:8[eax*4]
		mov	[ebp+ecx*8+var_1EC], eax
		jmp	short loc_5D6057
; 

loc_5D6047:				; CODE XREF: SeLogAccessFailure+D5E89j
		mov	[ebp+ecx*8+var_205+1], ebx
		xor	ebx, ebx
		mov	[ebp+ecx*8+var_200], edx

loc_5D6057:				; CODE XREF: SeLogAccessFailure+D5EC9j
		lea	ecx, [esi+1]
		add	ecx, ecx
		lea	eax, [edi+2]
		mov	[ebp+ecx*8+var_200], ebx
		mov	[ebp+ecx*8+var_1F8], ebx
		mov	[ebp+ecx*8+var_205+1], edi
		mov	[ebp+ecx*8+var_1FC], 1
		mov	[ebp+ecx*8+var_1F4], eax
		movzx	eax, word ptr [eax]
		mov	[ebp+var_210], eax
		mov	[ebp+ecx*8+var_1F0], ebx
		mov	[ebp+ecx*8+var_1E8], ebx
		lea	ebx, [esi+3]
		movzx	eax, ax
		mov	[ebp+ecx*8+var_1EC], 2
		mov	ecx, [edi+4]
		mov	edx, ecx
		test	ax, ax
		jns	short loc_5D60C1
		neg	edx
		lea	eax, [edi+ecx]
		sbb	edx, edx
		and	edx, eax

loc_5D60C1:				; CODE XREF: SeLogAccessFailure+D5F3Aj
		test	edx, edx
		jnz	short loc_5D60CB
		mov	edx, ds:_SeNullSid

loc_5D60CB:				; CODE XREF: SeLogAccessFailure+D5F47j
		movzx	eax, byte ptr [edx+1]
		mov	esi, ebx
		add	esi, esi
		lea	eax, ds:8[eax*4]
		and	[ebp+esi*8+var_200], 0
		and	[ebp+esi*8+var_1F8], 0
		mov	[ebp+esi*8+var_1FC], eax
		mov	eax, [ebp+var_210]
		mov	[ebp+esi*8+var_205+1], edx
		movzx	edx, ax
		test	dx, dx
		jns	short loc_5D610F
		lea	eax, [ecx+edi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_5D610F:				; CODE XREF: SeLogAccessFailure+D5F88j
		test	ecx, ecx
		jnz	short loc_5D6119
		mov	ecx, ds:_SeNullSid

loc_5D6119:				; CODE XREF: SeLogAccessFailure+D5F95j
		movzx	eax, byte ptr [ecx+1]
		and	[ebp+esi*8+var_1F0], 0
		and	[ebp+esi*8+var_1E8], 0
		mov	[ebp+esi*8+var_1F4], ecx
		lea	eax, ds:8[eax*4]
		mov	[ebp+esi*8+var_1EC], eax
		mov	eax, [ebp+var_210]
		test	al, 4
		jnz	short loc_5D6157
		lea	esi, [ebx+2]
		shl	esi, 4
		jmp	loc_5D6277
; 

loc_5D6157:				; CODE XREF: SeLogAccessFailure+D5FCEj
		mov	edi, [edi+10h]
		test	dx, dx
		jns	short loc_5D6173
		mov	eax, [ebp+var_20C]
		add	eax, edi
		neg	edi
		sbb	edi, edi
		and	edi, eax
		mov	eax, [ebp+var_210]

loc_5D6173:				; CODE XREF: SeLogAccessFailure+D5FE1j
		lea	esi, [ebx+2]
		shl	esi, 4
		test	edi, edi
		jz	loc_5D6271
		lea	eax, [ebp+var_238]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_23C]
		add	ebx, 4
		push	eax
		lea	edx, [ebp+var_218]
		call	_SepFlattenAcl@16 ; SepFlattenAcl(x,x,x,x)
		mov	edx, [ebp+var_218]
		mov	[ebp+var_218], edx
		mov	[ebp+esi+var_1FC], 1
		test	eax, eax
		js	short loc_5D6222
		xor	ecx, ecx
		mov	[ebp+esi+var_205+1], edi
		mov	[ebp+esi+var_200], ecx
		lea	eax, [ebp+var_238]
		mov	[ebp+esi+var_1F8], ecx
		mov	[ebp+esi+var_1F0], ecx
		mov	[ebp+esi+var_1E8], ecx
		mov	ecx, ebx
		add	ecx, ecx
		mov	[ebp+esi+var_1F4], eax
		mov	eax, [ebp+var_23C]
		mov	[ebp+esi+var_1EC], 2
		mov	[ebp+ecx*8+var_205+1], edx
		xor	edx, edx
		mov	[ebp+ecx*8+var_200], edx
		inc	ebx
		mov	[ebp+ecx*8+var_1FC], eax
		mov	[ebp+ecx*8+var_1F8], edx
		jmp	short loc_5D6265
; 

loc_5D6222:				; CODE XREF: SeLogAccessFailure+D603Cj
		lea	eax, [ebp+var_205]
		xor	edx, edx
		mov	[ebp+esi+var_205+1], eax
		lea	eax, [ebp+var_220]
		mov	[ebp+esi+var_200], edx
		mov	[ebp+esi+var_1F8], edx
		mov	[ebp+esi+var_1F4], eax
		mov	[ebp+esi+var_1F0], edx
		mov	[ebp+esi+var_1EC], 2
		mov	[ebp+esi+var_1E8], edx

loc_5D6265:				; CODE XREF: SeLogAccessFailure+D60A4j
		mov	edi, [ebp+var_20C]
		movzx	eax, word ptr [edi+2]
		jmp	short loc_5D62D7
; 

loc_5D6271:				; CODE XREF: SeLogAccessFailure+D5FFFj
		mov	edi, [ebp+var_20C]

loc_5D6277:				; CODE XREF: SeLogAccessFailure+D5FD6j
		xor	edx, edx
		mov	[ebp+esi+var_1FC], 1
		lea	ecx, [ebp+var_205]
		mov	[ebp+esi+var_200], edx
		mov	[ebp+esi+var_205+1], ecx
		add	ebx, 4
		mov	[ebp+esi+var_1F8], edx
		lea	ecx, [ebp+var_220]
		mov	[ebp+esi+var_1F4], ecx
		mov	ecx, [ebp+var_218]
		mov	[ebp+esi+var_1F0], edx
		mov	[ebp+esi+var_1EC], 2
		mov	[ebp+esi+var_1E8], edx
		movzx	eax, ax
		mov	[ebp+var_218], ecx

loc_5D62D7:				; CODE XREF: SeLogAccessFailure+D60F3j
		movzx	ecx, ax
		test	al, 10h
		jnz	loc_5D63F3
		mov	esi, ebx
		shl	esi, 4

loc_5D62E7:				; CODE XREF: SeLogAccessFailure+D6294j
		lea	eax, [ebp+var_205]
		mov	[ebp+esi+var_200], edx
		mov	[ebp+esi+var_205+1], eax
		lea	eax, [ebp+var_220]
		mov	[ebp+esi+var_1FC], 1
		mov	[ebp+esi+var_1F8], edx
		push	2
		mov	[ebp+esi+var_1F4], eax
		pop	eax
		mov	[ebp+esi+var_1EC], eax
		add	ebx, eax

loc_5D6326:				; CODE XREF: SeLogAccessFailure+D635Bj
		mov	[ebp+esi+var_1F0], edx
		mov	[ebp+esi+var_1E8], edx
		mov	esi, [ebp+var_224]

loc_5D633A:				; CODE XREF: SeLogAccessFailure+D6331j
		lea	eax, [ebp+var_205+1]
		push	eax
		push	ebx
		push	edx
		push	offset _AccessCheckLog
		push	ds:dword_6BC12C
		push	ds:_EtwKernelProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	eax, [ebp+var_248]
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_5D636C
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5D636C:				; CODE XREF: SeLogAccessFailure+D61E7j
		mov	eax, [ebp+var_230]
		test	eax, eax
		jz	short loc_5D637D
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5D637D:				; CODE XREF: SeLogAccessFailure+D61F8j
		mov	eax, [ebp+var_218]
		test	eax, eax
		jz	short loc_5D638E
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5D638E:				; CODE XREF: SeLogAccessFailure+D6209j
		test	esi, esi
		jz	short loc_5D6399
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5D6399:				; CODE XREF: SeLogAccessFailure+D6214j
		cmp	[ebp+var_206], 0
		jz	short loc_5D63AD
		mov	ecx, [ebp+var_24C]
		call	ObfDereferenceObject

loc_5D63AD:				; CODE XREF: SeLogAccessFailure+D6224j
		cmp	[ebp+var_207], 0
		jz	short loc_5D63ED
		mov	esi, [ebp+var_25C]
		push	ebx
		mov	eax, [esi+8]
		push	dword ptr [eax+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	dword ptr [esi+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+0Ch]
		push	ebx
		push	dword ptr [eax+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	dword ptr [esi+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5D63ED:				; CODE XREF: SeLogAccessFailure+D59ADj
					; SeLogAccessFailure+D6238j
		pop	esi
		jmp	loc_500234
; 

loc_5D63F3:				; CODE XREF: SeLogAccessFailure+D6160j
		mov	edi, [edi+0Ch]
		test	cx, cx
		jns	short loc_5D6409
		mov	eax, [ebp+var_20C]
		add	eax, edi
		neg	edi
		sbb	edi, edi
		and	edi, eax

loc_5D6409:				; CODE XREF: SeLogAccessFailure+D627Dj
		mov	esi, ebx
		shl	esi, 4
		test	edi, edi
		jz	loc_5D62E7
		lea	eax, [ebp+var_240]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_244]
		push	eax
		lea	edx, [ebp+var_224]
		call	_SepFlattenAcl@16 ; SepFlattenAcl(x,x,x,x)
		xor	edx, edx
		mov	[ebp+esi+var_1FC], 1
		add	ebx, 2
		mov	[ebp+esi+var_1F8], edx
		mov	[ebp+esi+var_200], edx
		test	eax, eax
		js	short loc_5D64B2
		mov	[ebp+esi+var_205+1], edi
		lea	eax, [ebp+var_240]
		mov	ecx, ebx
		mov	[ebp+esi+var_1F4], eax
		mov	eax, [ebp+var_244]
		add	ecx, ecx
		mov	[ebp+esi+var_1F0], edx
		inc	ebx
		mov	[ebp+esi+var_1EC], 2
		mov	[ebp+esi+var_1E8], edx
		mov	esi, [ebp+var_224]
		mov	[ebp+ecx*8+var_205+1], esi
		mov	[ebp+ecx*8+var_200], edx
		mov	[ebp+ecx*8+var_1FC], eax
		mov	[ebp+ecx*8+var_1F8], edx
		jmp	loc_5D633A
; 

loc_5D64B2:				; CODE XREF: SeLogAccessFailure+D62D5j
		lea	eax, [ebp+var_205]
		mov	[ebp+esi+var_205+1], eax
		lea	eax, [ebp+var_220]
		mov	[ebp+esi+var_1F4], eax
		mov	[ebp+esi+var_1EC], 2
		jmp	loc_5D6326
; END OF FUNCTION CHUNK	FOR SeLogAccessFailure
; 
; START	OF FUNCTION CHUNK FOR MiLockPageTableRange

loc_5D64DC:				; CODE XREF: MiLockPageTableRange+ADj
		mov	dl, byte ptr [ebp+var_4]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	eax, [ebp+var_10]
		add	eax, 0C0000000h
		cmp	ebx, eax
		jz	short loc_5D6500
		mov	ecx, [ebp+var_14]
		lea	edx, [ebx-8]
		shl	edx, 9
		call	_MiUnlockPageTableRange@8 ; MiUnlockPageTableRange(x,x)

loc_5D6500:				; CODE XREF: MiLockPageTableRange+D6122j
		mov	eax, 0C000009Ah
		jmp	loc_5004A0
; END OF FUNCTION CHUNK	FOR MiLockPageTableRange
; 
; START	OF FUNCTION CHUNK FOR SleepstudyHelperBlockerActiveReference

loc_5D650A:				; CODE XREF: SleepstudyHelperBlockerActiveReference+2Dj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5005D2
; END OF FUNCTION CHUNK	FOR SleepstudyHelperBlockerActiveReference
; 
; START	OF FUNCTION CHUNK FOR SleepstudyHelperBlockerActiveDereference

loc_5D6519:				; CODE XREF: SleepstudyHelperBlockerActiveDereference+2Aj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_500633
; END OF FUNCTION CHUNK	FOR SleepstudyHelperBlockerActiveDereference
; 
; START	OF FUNCTION CHUNK FOR SshpSetBlockerActive

loc_5D6528:				; CODE XREF: SshpSetBlockerActive+1Ej
		call	KeQueryInterruptTime
		push	edx
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	_SshpStopBlockerAccounting@16 ;	SshpStopBlockerAccounting(x,x,x,x)
		mov	edx, [esi+4]
		jmp	loc_500684
; END OF FUNCTION CHUNK	FOR SshpSetBlockerActive
; 
; START	OF FUNCTION CHUNK FOR MiBeginProcessClean

loc_5D6540:				; CODE XREF: MiBeginProcessClean+36j
		xor	eax, eax
		inc	eax
		jmp	loc_5008ED
; 

loc_5D6548:				; CODE XREF: MiBeginProcessClean+222j
		push	0
		push	[ebp+var_10]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D655B:				; CODE XREF: MiBeginProcessClean+195j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_34]
		jmp	loc_5008A1
; 

loc_5D6572:				; CODE XREF: MiBeginProcessClean+263j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_50095F
; 

loc_5D6581:				; CODE XREF: MiBeginProcessClean+28Dj
		push	[ebp+var_34]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_5008B8
; END OF FUNCTION CHUNK	FOR MiBeginProcessClean
; 
; START	OF FUNCTION CHUNK FOR ExReleaseResourceForThreadLite

loc_5D6593:				; CODE XREF: ExReleaseResourceForThreadLite+15j
		test	al, 40h
		jnz	loc_500A3D
		xor	esi, esi
		push	esi
		push	esi
		push	edi
		push	0Fh
		jmp	short loc_5D65A9
; 

loc_5D65A4:				; CODE XREF: ExReleaseResourceForThreadLite+D5BCCj
		push	esi
		push	eax
		push	edi
		push	11h

loc_5D65A9:				; CODE XREF: ExReleaseResourceForThreadLite+D5B80j
					; ExReleaseResourceForThreadLite+D5B9Bj ...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D65B3:				; CODE XREF: ExReleaseResourceForThreadLite+49j
		xor	esi, esi
		movzx	eax, al
		push	esi
		push	2
		push	eax
		push	esi
		jmp	short loc_5D65A9
; 

loc_5D65BF:				; CODE XREF: ExReleaseResourceForThreadLite+4Fj
		cmp	al, 1
		jnb	short loc_5D65DB
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_5D65DB
		cmp	[ecx+13Ch], esi
		jnz	short loc_5D65DB
		push	esi
		push	esi
		push	esi
		push	7
		jmp	short loc_5D65A9
; 

loc_5D65DB:				; CODE XREF: ExReleaseResourceForThreadLite+D5B9Fj
					; ExReleaseResourceForThreadLite+D5BA8j ...
		movzx	eax, word ptr [edi+0Eh]
		jmp	loc_500A44
; 

loc_5D65E4:				; CODE XREF: ExReleaseResourceForThreadLite+24j
		mov	eax, [ebp+arg_4]
		cmp	eax, large fs:124h
		jnz	short loc_5D65A4
		mov	ecx, edi
		call	_ExpFastResourceLegacyRelease@4	; ExpFastResourceLegacyRelease(x)
		jmp	loc_500A56
; END OF FUNCTION CHUNK	FOR ExReleaseResourceForThreadLite
; 
; START	OF FUNCTION CHUNK FOR MiReduceMappedFileReadBehind

loc_5D65FC:				; CODE XREF: MiReduceMappedFileReadBehind:loc_500B8Fj
		or	esi, 0FFFFFFFFh
		jmp	loc_500B95
; END OF FUNCTION CHUNK	FOR MiReduceMappedFileReadBehind
; 
; START	OF FUNCTION CHUNK FOR PspReturnResourceQuota

loc_5D6604:				; CODE XREF: PspReturnResourceQuota+35j
		lea	eax, [ebx+48h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_5D661F
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_5D661F
		mov	[ecx], edx
		mov	[edx+4], ecx
		jmp	loc_500C53
; 

loc_5D661F:				; CODE XREF: PspReturnResourceQuota+D59F4j
					; PspReturnResourceQuota+D59FBj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5D6624:				; CODE XREF: PspExpandQuota+49j
		mov	edx, edi
		mov	ecx, ebx
		call	_PspReleaseReturnedQuota@8 ; PspReleaseReturnedQuota(x,x)
		test	eax, eax
		jz	short loc_5D6644
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		push	esi
		push	ebx
		call	dword ptr [edi+0Ch]
		test	al, al
		jnz	loc_500CD3

loc_5D6644:				; CODE XREF: PspReturnResourceQuota+D5A17j
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, edi
		call	PspUnlockQuotaExpansion
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		xor	al, al
		jmp	loc_500CF4
; END OF FUNCTION CHUNK	FOR PspReturnResourceQuota
; 
; START	OF FUNCTION CHUNK FOR PspUnlockQuotaExpansion

loc_5D665A:				; CODE XREF: PspUnlockQuotaExpansion+176j
		mov	edx, [ebx+4]
		lea	ecx, [ecx+8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	al, byte ptr [ebp+var_4+3]
		jmp	loc_500F15
; 

loc_5D666D:				; CODE XREF: PspUnlockQuotaExpansion+45j
		test	al, 4
		jnz	loc_500DDF
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_8]
		jmp	loc_500DDF
; 

loc_5D6684:				; CODE XREF: PspUnlockQuotaExpansion+1ACj
		mov	eax, [ebp+var_8]
		push	0
		push	[ebp+var_C]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D6698:				; CODE XREF: PspUnlockQuotaExpansion+116j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]
		jmp	loc_500EB6
; 

loc_5D66A9:				; CODE XREF: PspUnlockQuotaExpansion+1F9j
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_500ECD
; END OF FUNCTION CHUNK	FOR PspUnlockQuotaExpansion
; 
; START	OF FUNCTION CHUNK FOR MiLockAddressSpaceToo

loc_5D66BB:				; CODE XREF: MiLockAddressSpaceToo+4Fj
		xor	edi, edi
		jmp	loc_501118
; 

loc_5D66C2:				; CODE XREF: MiLockAddressSpaceToo+EDj
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [ebp+var_10]
		jmp	loc_50108D
; 

loc_5D66D1:				; CODE XREF: MiLockAddressSpaceToo+BBj
					; MiLockAddressSpaceToo+CCj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_5010C1
; 

loc_5D66E1:				; CODE XREF: MiLockAddressSpaceToo+361j
		mov	edi, [ebp+var_8]
		push	0
		push	[ebp+var_14]
		push	edi
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D66F5:				; CODE XREF: MiLockAddressSpaceToo+270j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_28]
		jmp	loc_501272
; 

loc_5D670C:				; CODE XREF: MiLockAddressSpaceToo+2B2j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_5012A4
; 

loc_5D671B:				; CODE XREF: MiLockAddressSpaceToo+2D9j
		push	[ebp+var_28]
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_5012CB
; 

loc_5D672C:				; CODE XREF: MiLockAddressSpaceToo+1A8j
		mov	edi, [ebp+var_8]
		jmp	loc_5012D9
; END OF FUNCTION CHUNK	FOR MiLockAddressSpaceToo
; 
; START	OF FUNCTION CHUNK FOR RtlFindLastBackwardRunClear

loc_5D6734:				; CODE XREF: RtlFindLastBackwardRunClear+Fj
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		xor	eax, eax
		jmp	loc_501459
; END OF FUNCTION CHUNK	FOR RtlFindLastBackwardRunClear
; 
; START	OF FUNCTION CHUNK FOR KiChooseLowestRankedThread

loc_5D6740:				; CODE XREF: KiChooseLowestRankedThread+2Ej
		mov	byte ptr [ebp+var_8], cl
		cmp	ebx, [esi+4]
		jz	loc_5014FA
		jmp	loc_5014F6
; 

loc_5D6751:				; CODE XREF: KiChooseLowestRankedThread+10Cj
		lea	eax, [edi+0ECh]
		mov	ecx, [eax+4]
		test	cl, dl
		jz	short loc_5D676C
		cmp	ecx, edx
		jnz	short loc_5D6766
		mov	eax, ebx
		jmp	short loc_5D676E
; 

loc_5D6766:				; CODE XREF: KiChooseLowestRankedThread+D529Ej
		or	eax, edx
		xor	eax, ecx
		jmp	short loc_5D676E
; 

loc_5D676C:				; CODE XREF: KiChooseLowestRankedThread+D529Aj
		mov	eax, ecx

loc_5D676E:				; CODE XREF: KiChooseLowestRankedThread+D52A2j
					; KiChooseLowestRankedThread+D52A8j
		lea	edi, [eax-50h]
		jmp	loc_5015CA
; 

loc_5D6776:				; CODE XREF: KiChooseLowestRankedThread+A1j
		mov	[ebp+arg_0], eax
		jmp	loc_50156C
; 

loc_5D677E:				; CODE XREF: KiChooseLowestRankedThread+E2j
		lea	eax, [ebp+var_1]
		push	eax
		push	edx
		push	[ebp+arg_0]
		mov	edx, ebx
		call	_KiSelectThreadFromScbQueue@20 ; KiSelectThreadFromScbQueue(x,x,x,x,x)
		mov	cl, byte ptr [ebp+var_1]
		jmp	loc_501582
; 

loc_5D6795:				; CODE XREF: KiChooseLowestRankedThread+101j
		mov	eax, [ebp+var_8]
		lea	edi, [esi-50h]
		cmp	[edi+60h], eax
		jnz	loc_50153C
		mov	eax, [ebp+arg_0]
		jmp	loc_50156F
; END OF FUNCTION CHUNK	FOR KiChooseLowestRankedThread
; 
; START	OF FUNCTION CHUNK FOR MiMakeProtoAddressValid

loc_5D67AC:				; CODE XREF: MiMakeProtoAddressValid+BAj
					; MiMakeProtoAddressValid+CAj ...
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_5017AB
; END OF FUNCTION CHUNK	FOR MiMakeProtoAddressValid
; 
; START	OF FUNCTION CHUNK FOR IopProcessIrpStackProfiler

loc_5D67C4:				; CODE XREF: IopProcessIrpStackProfiler+70j
					; IopProcessIrpStackProfiler+78j
		mov	edi, ds:_IopLargeIrpStackLocations
		jmp	loc_501EA4
; END OF FUNCTION CHUNK	FOR IopProcessIrpStackProfiler
; 
; START	OF FUNCTION CHUNK FOR KiContextToNpxFrame

loc_5D67CF:				; CODE XREF: KiContextToNpxFrame+A4j
		mov	edi, [esi+200h]
		mov	eax, 0FFDF03D8h
		mov	esi, [esi+204h]
		and	edi, [eax]
		and	esi, [eax+4]
		and	edi, ecx
		and	esi, edx
		not	ecx
		and	ecx, [ebx+200h]
		not	edx
		and	edx, [ebx+204h]
		or	ecx, edi
		or	edx, esi
		mov	[ebx+200h], ecx
		mov	[ebx+204h], edx
		test	byte ptr ds:0FFDF03ECh,	2
		jz	loc_5D691D
		mov	eax, [eax]
		mov	ecx, 0FFDF03D8h
		shrd	edi, esi, 2
		push	10h
		shr	esi, 2
		mov	ecx, [ecx+4]
		mov	[ebx+208h], eax
		or	ecx, 80000000h
		mov	eax, [ebp+var_C]
		mov	[ebx+20Ch], ecx
		mov	ecx, 240h
		mov	[ebp+var_8], ecx
		mov	edx, [eax+208h]
		mov	eax, [eax+20Ch]
		shrd	edx, eax, 2
		shr	eax, 2
		mov	[ebp+arg_8], edx
		mov	edx, ds:0FFDF05F8h
		mov	[ebp+var_10], eax
		mov	eax, ds:0FFDF05FCh
		shrd	edx, eax, 2
		mov	[ebp+arg_4], edx
		shr	eax, 2
		pop	edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], edx

loc_5D687B:				; CODE XREF: KiContextToNpxFrame+D48B4j
		mov	eax, [ebp+arg_8]
		and	eax, 1
		or	eax, 0
		jz	short loc_5D68D0
		mov	eax, [ebp+arg_4]
		and	eax, 1
		or	eax, 0
		jz	short loc_5D689A
		add	ecx, 3Fh
		and	ecx, 0FFFFFFC0h
		mov	[ebp+var_8], ecx

loc_5D689A:				; CODE XREF: KiContextToNpxFrame+D4831j
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	short loc_5D68C7
		push	dword ptr [edx-20FC0Ch]	; size_t
		mov	eax, [ebp+var_C]
		add	eax, ecx
		push	eax		; void *
		mov	eax, [edx-20FC10h]
		add	eax, ebx
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_8]
		add	esp, 0Ch
		mov	edx, [ebp+var_18]

loc_5D68C7:				; CODE XREF: KiContextToNpxFrame+D4844j
		add	ecx, [edx-20FC0Ch]
		mov	[ebp+var_8], ecx

loc_5D68D0:				; CODE XREF: KiContextToNpxFrame+D4826j
		mov	eax, [ebp+arg_8]
		mov	[ebp+arg_8], eax
		mov	eax, [ebp+var_10]
		shrd	[ebp+arg_8], eax, 1
		shrd	edi, esi, 1
		shr	eax, 1
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_14]
		shrd	[ebp+arg_4], eax, 1
		shr	esi, 1
		shr	eax, 1
		mov	[ebp+var_14], eax
		mov	eax, edi
		or	eax, esi
		jz	loc_502108
		add	edx, 8
		mov	[ebp+var_18], edx
		cmp	edx, 200h
		jb	loc_5D687B
		jmp	loc_502108
; 

loc_5D691D:				; CODE XREF: KiContextToNpxFrame+D47B2j
		xor	edx, edx
		mov	[ebp+arg_8], edx

loc_5D6922:				; CODE XREF: KiContextToNpxFrame+D490Bj
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	short loc_5D694D
		mov	ecx, [edx-20FC10h]
		push	dword ptr [edx-20FC0Ch]	; size_t
		mov	eax, [ebp+var_C]
		add	eax, ecx
		push	eax		; void *
		lea	eax, [ecx+ebx]
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+arg_8]
		add	esp, 0Ch

loc_5D694D:				; CODE XREF: KiContextToNpxFrame+D48CCj
		shrd	edi, esi, 1
		shr	esi, 1
		mov	eax, edi
		or	eax, esi
		jz	loc_502108
		add	edx, 8
		mov	[ebp+arg_8], edx
		cmp	edx, 200h
		jb	short loc_5D6922
		jmp	loc_502108
; END OF FUNCTION CHUNK	FOR KiContextToNpxFrame
; 
; START	OF FUNCTION CHUNK FOR CcAdjustThrottle

loc_5D6970:				; CODE XREF: CcAdjustThrottle+69j
		mov	ecx, esi
		jmp	loc_502275
; 

loc_5D6977:				; CODE XREF: CcAdjustThrottle+80j
		mov	eax, [ebp+var_14]
		sub	esi, ecx
		cmp	esi, eax
		ja	loc_50229F
		mov	esi, eax
		jmp	loc_50229F
; END OF FUNCTION CHUNK	FOR CcAdjustThrottle
; 
; START	OF FUNCTION CHUNK FOR CcAdjustTopBottomThresholds

loc_5D698B:				; CODE XREF: CcAdjustTopBottomThresholds+46j
					; CcAdjustTopBottomThresholds+51j
		mov	eax, ds:_CcAzure_TopBottomDPTEqual
		test	eax, eax
		jz	short loc_5D699D
		cmp	eax, 1
		jnz	loc_50239B

loc_5D699D:				; CODE XREF: CcAdjustTopBottomThresholds+D464Ej
		mov	ecx, [esi+1D8h]
		add	ecx, [esi+1E0h]
		mov	eax, [esi+1DCh]
		adc	eax, [esi+1E4h]
		shrd	ecx, eax, 1
		mov	[edx+8], ecx
		mov	[edx+4], ecx
		jmp	loc_50239B
; END OF FUNCTION CHUNK	FOR CcAdjustTopBottomThresholds
; 
; START	OF FUNCTION CHUNK FOR PfSnTraceTimerRoutine

loc_5D69C4:				; CODE XREF: PfSnTraceTimerRoutine+31j
		mov	edx, eax
		jmp	loc_502503
; 

loc_5D69CB:				; CODE XREF: PfSnTraceTimerRoutine+3Fj
		mov	eax, edx
		jmp	loc_502511
; 

loc_5D69D2:				; CODE XREF: PfSnTraceTimerRoutine+73j
		push	0Ah
		pop	ecx
		xor	eax, eax
		lock cmpxchg [edi], ecx
		jmp	loc_5025D7
; 

loc_5D69E0:				; CODE XREF: PfSnTraceTimerRoutine+E6j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5025BD
; END OF FUNCTION CHUNK	FOR PfSnTraceTimerRoutine
; 
; START	OF FUNCTION CHUNK FOR RtlpTimeFieldsToTime

loc_5D69EF:				; CODE XREF: RtlpTimeFieldsToTime+4Cj
		lea	eax, [esi+8]
		mov	[ebp+var_8], eax

loc_5D69F5:				; CODE XREF: RtlpTimeFieldsToTime+D447Dj
		mov	esi, [eax+4]
		mov	edi, [eax]
		test	esi, esi
		jl	short loc_5D6A47
		jg	short loc_5D6A04
		test	edi, edi
		jb	short loc_5D6A47

loc_5D6A04:				; CODE XREF: RtlpTimeFieldsToTime+D43F8j
		mov	eax, edi
		add	eax, 989680h
		mov	[ebp+var_C], eax
		mov	eax, esi
		adc	eax, 0
		cmp	edx, eax
		jl	short loc_5D6A29
		jg	short loc_5D6A1E
		cmp	ecx, [ebp+var_C]
		jb	short loc_5D6A29

loc_5D6A1E:				; CODE XREF: RtlpTimeFieldsToTime+D4411j
		add	ecx, 989680h
		adc	edx, 0
		jmp	short loc_5D6A70
; 

loc_5D6A29:				; CODE XREF: RtlpTimeFieldsToTime+D440Fj
					; RtlpTimeFieldsToTime+D4416j
		cmp	edx, esi
		jl	loc_502658
		jg	short loc_5D6A3B
		cmp	ecx, edi
		jb	loc_502658

loc_5D6A3B:				; CODE XREF: RtlpTimeFieldsToTime+D442Bj
		shld	edx, ecx, 1
		add	ecx, ecx
		sub	ecx, edi
		sbb	edx, esi
		jmp	short loc_5D6A70
; 

loc_5D6A47:				; CODE XREF: RtlpTimeFieldsToTime+D43F6j
					; RtlpTimeFieldsToTime+D43FCj
		and	esi, 7FFFFFFFh
		mov	eax, edi
		add	eax, 989680h
		mov	[ebp+var_C], eax
		mov	eax, esi
		adc	eax, 0
		cmp	edx, eax
		jl	short loc_5D6A8E
		jg	short loc_5D6A67
		cmp	ecx, [ebp+var_C]
		jb	short loc_5D6A8E

loc_5D6A67:				; CODE XREF: RtlpTimeFieldsToTime+D445Aj
		sub	ecx, 989680h
		sbb	edx, 0

loc_5D6A70:				; CODE XREF: RtlpTimeFieldsToTime+D4421j
					; RtlpTimeFieldsToTime+D443Fj
		mov	esi, [ebp+var_4]
		mov	eax, [ebp+var_8]
		inc	esi
		add	eax, 8
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], eax
		cmp	esi, [ebp+var_14]
		jb	loc_5D69F5
		jmp	loc_502658
; 

loc_5D6A8E:				; CODE XREF: RtlpTimeFieldsToTime+D4458j
					; RtlpTimeFieldsToTime+D445Fj
		cmp	edx, esi
		jg	loc_502666
		jl	loc_502658
		cmp	ecx, edi
		jnb	loc_502666
		jmp	loc_502658
; END OF FUNCTION CHUNK	FOR RtlpTimeFieldsToTime
; 
; START	OF FUNCTION CHUNK FOR PoQueryWatchdogTime

loc_5D6AA9:				; CODE XREF: PoQueryWatchdogTime+22j
		xor	ebx, ebx
		jmp	loc_502855
; 

loc_5D6AB0:				; CODE XREF: PoQueryWatchdogTime+68j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5028B4
; 

loc_5D6AC0:				; CODE XREF: PoQueryWatchdogTime+8Aj
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid
		jmp	loc_502982
; 

loc_5D6ACD:				; CODE XREF: PoQueryWatchdogTime+BAj
					; PoQueryWatchdogTime+C2j
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		jmp	loc_5028C6
; END OF FUNCTION CHUNK	FOR PoQueryWatchdogTime
; 
; START	OF FUNCTION CHUNK FOR KeSetExecuteOptions

loc_5D6AD8:				; CODE XREF: KeSetExecuteOptions+12j
		mov	eax, 0C000000Dh
		jmp	loc_502AC2
; END OF FUNCTION CHUNK	FOR KeSetExecuteOptions
; 
; START	OF FUNCTION CHUNK FOR MmQueryCommitReleaseState

loc_5D6AE2:				; CODE XREF: MmQueryCommitReleaseState+57j
		mov	ebx, offset unk_6D3C54
		mov	[esp+60h+var_3C], offset unk_6D3C4C
		mov	ecx, offset unk_6D3C48
		jmp	loc_502B4D
; 

loc_5D6AF9:				; CODE XREF: MmQueryCommitReleaseState+99j
		lea	edx, [esp+60h+var_4C]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [esp+60h+var_40]
		mov	edx, esi
		call	_MiPrepareAttachThread@8 ; MiPrepareAttachThread(x,x)
		test	ds:byte_70EFC6,	1
		mov	[esp+60h+var_34], eax
		jz	short loc_5D6B2D
		mov	edx, [ebp+4]
		lea	ecx, [esp+60h+var_4C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5D6B5D
; 

loc_5D6B2D:				; CODE XREF: MmQueryCommitReleaseState+D4043j
		mov	eax, [esp+60h+var_4C]
		test	eax, eax
		jnz	short loc_5D6B50
		mov	edx, [esp+60h+var_48]
		lea	eax, [esp+60h+var_4C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+60h+var_4C]
		cmp	eax, ecx
		jz	short loc_5D6B5D
		call	KxWaitForLockChainValid

loc_5D6B50:				; CODE XREF: MmQueryCommitReleaseState+D4059j
		xor	ecx, ecx
		mov	[esp+60h+var_4C], edi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5D6B5D:				; CODE XREF: MmQueryCommitReleaseState+D4051j
					; MmQueryCommitReleaseState+D406Fj
		mov	cl, [esp+60h+var_44]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[esp+60h+var_34], edi
		jz	loc_502B79
		mov	ecx, [esp+60h+var_40]
		lea	edx, [esp+60h+var_1C]
		push	edi
		call	KeForceAttachProcess
		mov	ecx, esi
		call	MiLockWorkingSetShared
		mov	ecx, [esi+60h]
		mov	dl, al
		mov	[esp+60h+var_50], ecx
		shr	ecx, 18h
		and	cl, 60h
		cmp	cl, 40h
		jnz	short loc_5D6BA9
		mov	eax, [esp+60h+var_3C]
		mov	ecx, [ebx]
		mov	eax, [eax]
		mov	edi, [ecx+10h]
		mov	[esp+60h+var_38], eax

loc_5D6BA9:				; CODE XREF: MmQueryCommitReleaseState+D40BEj
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		xor	edx, edx
		lea	ecx, [esp+60h+var_1C]
		call	_KeForceDetachProcess@8	; KeForceDetachProcess(x,x)
		mov	ecx, esi
		call	MiAttachThreadDone
		jmp	loc_502B79
; END OF FUNCTION CHUNK	FOR MmQueryCommitReleaseState
; 
; START	OF FUNCTION CHUNK FOR IopBuildAsynchronousFsdRequest

loc_5D6BC7:				; CODE XREF: IopBuildAsynchronousFsdRequest+134j
		push	[ebp+arg_C]	; size_t
		push	[ebp+arg_8]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	30h
		jmp	loc_502DA0
; END OF FUNCTION CHUNK	FOR IopBuildAsynchronousFsdRequest

;  S U B	R O U T	I N E 


sub_5D6BDD	proc near		; DATA XREF: .text:006A3E24o
		xor	eax, eax
		inc	eax
		retn
sub_5D6BDD	endp


;  S U B	R O U T	I N E 


sub_5D6BE1	proc near		; DATA XREF: .text:006A3E28o
		mov	esp, [ebp-18h]
		mov	esi, [ebp+8]
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_5D6BF4
		push	eax
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_5D6BF4:				; CODE XREF: sub_5D6BE1+Bj
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_502DAC
sub_5D6BE1	endp

; 
; START	OF FUNCTION CHUNK FOR IopProbeAndLockPages

loc_5D6C06:				; CODE XREF: IopProbeAndLockPages+1Aj
		mov	eax, [ebp+arg_4]
		mov	ecx, esi
		mov	edx, [ebp+arg_8]
		push	eax
		mov	eax, [eax+8]
		mov	edx, [eax+edx*4+38h]
		call	_MmUpdateMdlTracker@12 ; MmUpdateMdlTracker(x,x,x)
		jmp	loc_502DD4
; END OF FUNCTION CHUNK	FOR IopProbeAndLockPages
; 
; START	OF FUNCTION CHUNK FOR IoFreeWorkItem

loc_5D6C20:				; CODE XREF: IoFreeWorkItem+Dj
		lea	eax, [ecx+10h]
		push	eax
		push	ecx
		push	2
		push	0E4h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5D6C32:				; CODE XREF: PsQueryProcessCommandLine+82j
		mov	ecx, eax
		jmp	loc_50342A
; END OF FUNCTION CHUNK	FOR IoFreeWorkItem
; 
; START	OF FUNCTION CHUNK FOR PsQueryProcessCommandLine

loc_5D6C39:				; CODE XREF: PsQueryProcessCommandLine+BCj
					; PsQueryProcessCommandLine+C4j
		mov	[eax], bl
		jmp	loc_50346C
; END OF FUNCTION CHUNK	FOR PsQueryProcessCommandLine

;  S U B	R O U T	I N E 


sub_5D6C40	proc near		; DATA XREF: .text:006A3E64o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5D6C40	endp


;  S U B	R O U T	I N E 


sub_5D6C4E	proc near		; DATA XREF: .text:006A3E68o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-54h]
		mov	[ebp-44h], esi
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		xor	ebx, ebx
		jmp	loc_503472
sub_5D6C4E	endp


;  S U B	R O U T	I N E 


sub_5D6C64	proc near		; DATA XREF: .text:006A3E70o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-64h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5D6C64	endp


;  S U B	R O U T	I N E 


sub_5D6C72	proc near		; DATA XREF: .text:006A3E74o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-64h]
		mov	[ebp-44h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_503529
sub_5D6C72	endp

; 
; START	OF FUNCTION CHUNK FOR PsQueryProcessCommandLine

loc_5D6C87:				; CODE XREF: PsQueryProcessCommandLine+E8j
					; PsQueryProcessCommandLine+F5j ...
		mov	esi, 0C0000225h
		jmp	loc_503529
; END OF FUNCTION CHUNK	FOR PsQueryProcessCommandLine
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmStoreActionNotify

loc_5D6C91:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreActionNotify+10j
		lea	eax, [ecx-3]
		cmp	eax, 1
		ja	short loc_5D6CB4
		push	[ebp+arg_4]
		xor	eax, eax
		cmp	ecx, 3
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		setnz	al
		push	eax
		call	?SmStoreTerminate@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU1@PAU?$SMKM_STORE@USM_TRAITS@@@@W4_ST_ETW_TERMINATION_REASON@@J@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmStoreTerminate(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *,_ST_ETW_TERMINATION_REASON,long)
		jmp	loc_5035C6
; 

loc_5D6CB4:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreActionNotify+D3707j
		mov	eax, 0C000000Dh
		jmp	loc_5035C6
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmStoreActionNotify
; 
; START	OF FUNCTION CHUNK FOR KiPollFreezeExecution

loc_5D6CBE:				; CODE XREF: KiPollFreezeExecution+11j
		push	0FFFFFFFCh
		mov	bl, 1
		pop	eax
		lock xadd [ecx], eax
		xor	edx, edx
		xor	ecx, ecx
		call	_KiFreezeTargetExecution@8 ; KiFreezeTargetExecution(x,x)
		jmp	loc_503899
; END OF FUNCTION CHUNK	FOR KiPollFreezeExecution
; 
; START	OF FUNCTION CHUNK FOR KiGetAllocatedXSaveArea

loc_5D6CD5:				; CODE XREF: KiGetAllocatedXSaveArea+D3420j
		mov	eax, ecx

loc_5D6CD7:				; CODE XREF: KiGetAllocatedXSaveArea+8j
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jnz	short loc_5D6CD5
		mov	eax, [eax+10h]
		retn
; END OF FUNCTION CHUNK	FOR KiGetAllocatedXSaveArea
; 
; START	OF FUNCTION CHUNK FOR MiFinalizeImageHeaderPage

loc_5D6CE2:				; CODE XREF: MiFinalizeImageHeaderPage+50j
		movzx	ebx, word ptr [ebx+10h]
		mov	ecx, edi
		shr	ebx, 1
		and	ebx, 1Fh
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jz	short loc_5D6D12
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		push	ebx
		call	_MiCheckSlabPage@12 ; MiCheckSlabPage(x,x,x)
		test	eax, eax
		jnz	loc_503A68
		cmp	[ebp+var_4], esi
		jnz	loc_503A68

loc_5D6D12:				; CODE XREF: MiFinalizeImageHeaderPage+D32E2j
		push	20000h
		push	0FFFFFFFFh
		push	[ebp+var_4]
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	_MiGetSlabPage@20 ; MiGetSlabPage(x,x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	loc_503A68
		imul	esi, eax, 1Ch
		add	esi, ds:_MmPfnDatabase
		jmp	loc_503A68
; 

loc_5D6D3F:				; CODE XREF: MiFinalizeImageHeaderPage+68j
		xor	eax, eax
		cmp	[edi+14h], ax
		jnz	loc_503A80
		push	eax
		mov	ecx, edi
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_MiReplaceTransitionPage@16 ; MiReplaceTransitionPage(x,x,x,x)
		mov	eax, ds:_ZeroPte
		lea	ecx, [edi+8]
		mov	[ecx], eax
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		mov	esi, edi
		jmp	loc_503A80
; END OF FUNCTION CHUNK	FOR MiFinalizeImageHeaderPage
; 
; START	OF FUNCTION CHUNK FOR MiMakePagefileWriterEntryAvailable

loc_5D6D7B:				; CODE XREF: MiMakePagefileWriterEntryAvailable+17j
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	loc_503BB3
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[eax+4], ecx
		mov	[edx], ecx
		retn
; END OF FUNCTION CHUNK	FOR MiMakePagefileWriterEntryAvailable
; 
; START	OF FUNCTION CHUNK FOR ExpRemovePoolTrackerExpansion

loc_5D6D91:				; CODE XREF: ExpRemovePoolTrackerExpansion+31j
		mov	ecx, ds:_PoolTrackTableExpansionSize
		mov	edx, ds:_PoolTrackTableExpansion
		jmp	loc_503C45
; 

loc_5D6DA2:				; CODE XREF: ExpRemovePoolTrackerExpansion+88j
		add	[eax+10h], edi
		adc	dword ptr [eax+14h], 0
		sub	[eax+4], esi
		jmp	loc_503C88
; 

loc_5D6DB1:				; CODE XREF: ExpRemovePoolTrackerExpansion+9Fj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_503CB7
; 

loc_5D6DC1:				; CODE XREF: ExpRemovePoolTrackerExpansion+C1j
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid

loc_5D6DC9:				; CODE XREF: ExpRemovePoolTrackerExpansion+AAj
		mov	[ebp+var_18], 0
		add	eax, 4
		lock xor [eax],	edi
		jmp	loc_503CB7
; 

loc_5D6DDB:				; CODE XREF: ExpRemovePoolTrackerExpansion+59j
					; ExpRemovePoolTrackerExpansion+77j
		xor	edi, edi
		inc	edi
		test	ds:byte_70EFC6,	1
		jz	short loc_5D6DF4
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5D6E20
; 

loc_5D6DF4:				; CODE XREF: ExpRemovePoolTrackerExpansion+D31F5j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_5D6E13
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	short loc_5D6E20
		call	KxWaitForLockChainValid

loc_5D6E13:				; CODE XREF: ExpRemovePoolTrackerExpansion+D3209j
		mov	[ebp+var_18], 0
		add	eax, 4
		lock xor [eax],	edi

loc_5D6E20:				; CODE XREF: ExpRemovePoolTrackerExpansion+D3202j
					; ExpRemovePoolTrackerExpansion+D321Cj
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jnz	short loc_5D6E44
		movzx	eax, large byte	ptr fs:51h
		mov	ecx, ds:_PoolTrackTableSize
		mov	edx, ds:_ExPoolTagTables[eax*4]
		jmp	short loc_5D6E50
; 

loc_5D6E44:				; CODE XREF: ExpRemovePoolTrackerExpansion+D323Bj
		mov	edx, ds:_ExpSessionPoolTrackTable
		mov	ecx, ds:_ExpSessionPoolTrackTableSize

loc_5D6E50:				; CODE XREF: ExpRemovePoolTrackerExpansion+D3252j
		dec	ecx
		imul	eax, ecx, 30h
		add	eax, edx
		test	byte ptr [ebp+arg_0], 1
		mov	[ebp+var_4], eax
		jnz	short loc_5D6E97
		add	eax, 10h
		mov	[ebp+arg_0], eax

loc_5D6E65:				; CODE XREF: ExpRemovePoolTrackerExpansion+D3298j
					; ExpRemovePoolTrackerExpansion+D329Dj
		mov	esi, [eax]
		mov	ebx, esi
		mov	edx, [eax+4]
		add	ebx, edi
		mov	ecx, edx
		mov	[ebp+var_C], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		mov	edi, [ebp+arg_0]
		lock cmpxchg8b qword ptr [edi]
		push	1
		cmp	eax, esi
		mov	eax, [ebp+arg_0]
		pop	edi
		jnz	short loc_5D6E65
		cmp	edx, [ebp+var_C]
		jnz	short loc_5D6E65
		mov	eax, [ebp+var_4]
		add	eax, 4
		jmp	short loc_5D6ECD
; 

loc_5D6E97:				; CODE XREF: ExpRemovePoolTrackerExpansion+D326Dj
		add	eax, 28h
		mov	[ebp+arg_0], eax

loc_5D6E9D:				; CODE XREF: ExpRemovePoolTrackerExpansion+D32D0j
					; ExpRemovePoolTrackerExpansion+D32D5j
		mov	esi, [eax]
		mov	ebx, esi
		mov	edx, [eax+4]
		add	ebx, edi
		mov	ecx, edx
		mov	[ebp+var_C], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		mov	edi, [ebp+arg_0]
		lock cmpxchg8b qword ptr [edi]
		push	1
		cmp	eax, esi
		mov	eax, [ebp+arg_0]
		pop	edi
		jnz	short loc_5D6E9D
		cmp	edx, [ebp+var_C]
		jnz	short loc_5D6E9D
		mov	eax, [ebp+var_4]
		add	eax, 18h

loc_5D6ECD:				; CODE XREF: ExpRemovePoolTrackerExpansion+D32A5j
		mov	ecx, [ebp+var_8]
		neg	ecx
		lock xadd [eax], ecx
		jmp	loc_503CC0
; END OF FUNCTION CHUNK	FOR ExpRemovePoolTrackerExpansion
; 
; START	OF FUNCTION CHUNK FOR KiGetNextClockOwner

loc_5D6EDB:				; CODE XREF: KiGetNextClockOwner+30j
		mov	eax, ds:dword_6C7528
		test	eax, eax
		jz	short loc_5D6EE9
		bsf	eax, eax
		jmp	short loc_5D6EEC
; 

loc_5D6EE9:				; CODE XREF: KiGetNextClockOwner+D3154j
		or	eax, 0FFFFFFFFh

loc_5D6EEC:				; CODE XREF: KiGetNextClockOwner+D3159j
		cmp	eax, 0FFFFFFFFh
		jnz	loc_503DC6
		jmp	loc_503DC4
; END OF FUNCTION CHUNK	FOR KiGetNextClockOwner
; 
; START	OF FUNCTION CHUNK FOR SeQuerySecurityAttributesTokenAccessInformation

loc_5D6EFA:				; CODE XREF: SeQuerySecurityAttributesTokenAccessInformation+47j
		test	esi, esi
		jnz	loc_503E8A
		jmp	loc_503E43
; END OF FUNCTION CHUNK	FOR SeQuerySecurityAttributesTokenAccessInformation
; 
; START	OF FUNCTION CHUNK FOR ExReturnPoolQuota

loc_5D6F07:				; CODE XREF: ExReturnPoolQuota+Aj
		call	ExGetHeapFromVA
		mov	ecx, eax
		call	_ExpHpIsSpecialPoolHeap@4 ; ExpHpIsSpecialPoolHeap(x)
		test	eax, eax
		jnz	loc_503F94
		jmp	loc_503F3A
; 

loc_5D6F20:				; CODE XREF: ExReturnPoolQuota+3Ej
		movzx	ecx, word ptr [esi]
		and	ecx, eax
		mov	eax, esi
		shl	ecx, 3
		sub	eax, ecx
		movzx	ecx, word ptr [eax+2]
		and	ecx, 1FFh
		jmp	loc_503F6E
; END OF FUNCTION CHUNK	FOR ExReturnPoolQuota
; 
; START	OF FUNCTION CHUNK FOR ExpGetBilledProcess

loc_5D6F3B:				; CODE XREF: ExpGetBilledProcess+28j
					; ExpGetBilledProcess+34j
		push	ecx
		push	dword ptr [edx+4]
		lea	eax, [edx+8]
		push	eax
		push	0Dh
		push	0C2h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5D6F50:				; CODE XREF: ExpGetBilledProcess+12Dj
		cmp	[ebp-28h], ecx
		jnz	loc_5041D3
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_50422D
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_50422D
		mov	[ecx], eax
		mov	[eax+4], ecx
		test	edi, edi
		jz	short loc_5D6F7D
		mov	eax, [esi+70h]
		sub	[edi], eax

loc_5D6F7D:				; CODE XREF: ExpGetBilledProcess+D2FAEj
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	MiIssueHardFaultIo
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	loc_50422D
		mov	edx, [ebp-18h]
		mov	[esi+4], eax
		mov	[esi], ebx
		mov	[eax], esi
		mov	eax, [ebp-8]
		mov	[ebx+4], esi
		jmp	loc_5040B6
; 

loc_5D6FA8:				; CODE XREF: ExpGetBilledProcess+10Fj
		cmp	[esi+4], eax
		jnz	loc_50422D
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_50422D
		mov	[eax], ecx
		xor	edx, edx
		mov	[ecx+4], eax
		mov	ecx, esi
		push	0
		call	MiIssueHardFaultIo
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	loc_50422D
		mov	[esi], ebx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ebx+4], esi
		jmp	loc_5040D0
; END OF FUNCTION CHUNK	FOR ExpGetBilledProcess
; 
; START	OF FUNCTION CHUNK FOR PsGetEffectiveContainerId

loc_5D6FE6:				; CODE XREF: PsGetEffectiveContainerId+11j
		mov	eax, 0C00000EFh
		jmp	loc_5042A0
; 

loc_5D6FF0:				; CODE XREF: PsGetEffectiveContainerId+1Dj
		mov	eax, 0C00000F0h
		jmp	loc_50429F
; 

loc_5D6FFA:				; CODE XREF: PsGetEffectiveContainerId+7Aj
		sub	esi, 1
		jz	short loc_5D7019
		sub	esi, 1
		jnz	loc_504296

loc_5D7008:				; CODE XREF: PsGetEffectiveContainerId+70j
		lea	esi, [ecx+2D8h]

loc_5D700E:				; CODE XREF: PsGetEffectiveContainerId+D2DF2j
		mov	edi, eax
		movsd
		movsd
		movsd
		movsd
		jmp	loc_504296
; 

loc_5D7019:				; CODE XREF: PsGetEffectiveContainerId+D2DC5j
		mov	esi, [ecx+188h]
		jmp	loc_5042BE
; 

loc_5D7024:				; CODE XREF: PsGetEffectiveContainerId+8Aj
		add	esi, 2D8h
		jmp	short loc_5D700E
; END OF FUNCTION CHUNK	FOR PsGetEffectiveContainerId
; 
; START	OF FUNCTION CHUNK FOR CcExtendVacbArray

loc_5D702C:				; CODE XREF: CcExtendVacbArray+1Fj
		mov	eax, 0C0000040h
		jmp	loc_5044CE
; 

loc_5D7036:				; CODE XREF: CcExtendVacbArray+A0j
		mov	edi, ebx
		jmp	loc_5043C1
; 

loc_5D703D:				; CODE XREF: CcExtendVacbArray+E3j
		lea	eax, [edi+7]
		and	eax, 0FFFFFFF8h
		add	edi, eax
		jmp	loc_5043F1
; 

loc_5D704A:				; CODE XREF: CcExtendVacbArray+110j
		lea	ecx, [esi+0B4h]
		call	ExAcquireFastMutex
		jmp	loc_50441E
; 

loc_5D705A:				; CODE XREF: CcExtendVacbArray+128j
		xor	ebx, ebx
		jmp	loc_504443
; 

loc_5D7061:				; CODE XREF: CcExtendVacbArray+162j
		and	[ebp+var_10], 0
		xor	edi, edi
		add	ecx, [ebp+var_20]
		mov	[ebp+var_8], edi
		cmp	[esi+1Ch], edi
		jl	short loc_5D70DA
		jg	short loc_5D707D
		cmp	dword ptr [esi+18h], 200000h
		jbe	short loc_5D70DA

loc_5D707D:				; CODE XREF: CcExtendVacbArray+D2D6Aj
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_5D70DA
		lea	edi, [ebx+eax]
		mov	ebx, [ebp+var_10]

loc_5D708A:				; CODE XREF: CcExtendVacbArray+D2DC9j
					; CcExtendVacbArray+D2DD0j
		mov	edx, [edi]
		mov	eax, [edi+4]
		cmp	[edx+4], edi
		jnz	loc_5D7196
		cmp	[eax], edi
		jnz	loc_5D7196
		mov	[eax], edx
		mov	[edx+4], eax
		cmp	[eax], edx
		jnz	loc_5D7196
		mov	[ecx+4], eax
		add	ebx, 80000h
		mov	[ecx], edx
		mov	[eax], ecx
		mov	eax, [ebp+var_8]
		adc	eax, 0
		mov	[edx+4], ecx
		add	edi, 8
		mov	[ebp+var_8], eax
		add	ecx, 8
		cmp	eax, [esi+1Ch]
		jg	short loc_5D7142
		jl	short loc_5D708A
		cmp	ebx, [esi+18h]
		jnb	short loc_5D7142
		jmp	short loc_5D708A
; 

loc_5D70DA:				; CODE XREF: CcExtendVacbArray+D2D68j
					; CcExtendVacbArray+D2D73j ...
		mov	eax, [esi+14h]
		lea	ebx, [esi+10h]
		cmp	eax, ebx
		jz	short loc_5D713D
		lea	edx, [esi+10h]

loc_5D70E7:				; CODE XREF: CcExtendVacbArray+D2E2Ej
		mov	ebx, [ebp+var_10]
		cmp	edi, [eax-4]
		jg	short loc_5D7131
		jl	short loc_5D70F6
		cmp	ebx, [eax-8]
		ja	short loc_5D7131

loc_5D70F6:				; CODE XREF: CcExtendVacbArray+D2DE7j
		mov	edx, [eax]

loc_5D70F8:				; CODE XREF: CcExtendVacbArray+D2E1Dj
					; CcExtendVacbArray+D2E24j
		mov	edi, ecx
		cmp	[edx+4], eax
		jnz	loc_5D7196
		mov	[ecx], edx
		add	ebx, 80000h
		mov	[ecx+4], eax
		adc	[ebp+var_8], 0
		mov	[edx+4], ecx
		mov	edx, edi
		mov	edi, [ebp+var_8]
		mov	[eax], ecx
		add	ecx, 8
		mov	[ebp+var_10], ebx
		cmp	edi, [eax-4]
		jl	short loc_5D70F8
		jg	short loc_5D712E
		cmp	ebx, [eax-8]
		jbe	short loc_5D70F8

loc_5D712E:				; CODE XREF: CcExtendVacbArray+D2E1Fj
		lea	edx, [esi+10h]

loc_5D7131:				; CODE XREF: CcExtendVacbArray+D2DE5j
					; CcExtendVacbArray+D2DECj
		mov	eax, [eax+4]
		cmp	eax, edx
		jnz	short loc_5D70E7
		mov	eax, [ebp+var_8]
		jmp	short loc_5D7142
; 

loc_5D713D:				; CODE XREF: CcExtendVacbArray+D2DDAj
		mov	ebx, [ebp+var_10]
		mov	eax, edi

loc_5D7142:				; CODE XREF: CcExtendVacbArray+D2DC7j
					; CcExtendVacbArray+D2DCEj ...
		cmp	eax, [ebp+var_1C]
		jg	loc_504470
		jl	short loc_5D7156
		cmp	ebx, [ebp+var_18]
		jnb	loc_504470

loc_5D7156:				; CODE XREF: CcExtendVacbArray+D2E43j
		lea	edx, [esi+10h]
		mov	eax, [edx]

loc_5D715B:				; CODE XREF: CcExtendVacbArray+D2E8Cj
		mov	edi, ecx
		cmp	[eax+4], edx
		jnz	short loc_5D7196
		mov	[ecx], eax
		add	ebx, 80000h
		mov	[ecx+4], edx
		mov	[eax+4], ecx
		mov	eax, [ebp+var_8]
		adc	eax, 0
		mov	[edx], ecx
		add	ecx, 8
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+var_1C]
		jg	loc_504470
		jl	short loc_5D7192
		cmp	ebx, [ebp+var_18]
		jnb	loc_504470

loc_5D7192:				; CODE XREF: CcExtendVacbArray+D2E7Fj
		mov	eax, edi
		jmp	short loc_5D715B
; 

loc_5D7196:				; CODE XREF: CcExtendVacbArray+D2D8Aj
					; CcExtendVacbArray+D2D92j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5D719B:				; CODE XREF: CcExtendVacbArray+2C8j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5045F3
; 

loc_5D71AA:				; CODE XREF: CcExtendVacbArray+2E5j
		mov	ecx, ebx
		call	KxWaitForLockChainValid

loc_5D71B1:				; CODE XREF: CcExtendVacbArray+2D2j
		xor	ecx, ecx
		mov	dword ptr [ebx], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_5045F3
; 

loc_5D71C5:				; CODE XREF: CcExtendVacbArray+106j
					; CcExtendVacbArray+308j
		mov	eax, 0C000009Ah
		jmp	loc_5044CE
; 

loc_5D71CF:				; CODE XREF: CcExtendVacbArray+312j
		lea	ecx, [esi+0B4h]
		call	ExAcquireFastMutex
		jmp	loc_504620
; 

loc_5D71DF:				; CODE XREF: CcExtendVacbArray+34Cj
		xor	eax, eax
		inc	eax
		cmp	edi, eax
		jnz	loc_50467D
		test	dword ptr [esi+60h], 200h
		jz	loc_50467D
		xor	edx, edx
		lea	ecx, [ebp+var_38]
		call	CcAllocateVacbLevel
		mov	edx, [ebp+var_28]
		mov	[esi+40h], eax
		mov	ecx, [edx+200h]
		mov	eax, [edx+3FCh]
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	ecx, offset _CcVacbLevelWithBcbListHeadsLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	loc_50467D
; END OF FUNCTION CHUNK	FOR CcExtendVacbArray
; 
; START	OF FUNCTION CHUNK FOR CcFreeUnusedVacbLevels

loc_5D7227:				; CODE XREF: CcFreeUnusedVacbLevels+16j
		mov	ecx, edi
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		and	dword ptr [esi+8], 0
		jmp	loc_5046E8
; END OF FUNCTION CHUNK	FOR CcFreeUnusedVacbLevels
; 
; START	OF FUNCTION CHUNK FOR CcAllocateVacbLevel

loc_5D7237:				; CODE XREF: CcAllocateVacbLevel+Cj
		xor	edi, edi
		push	edi
		push	edi
		push	0C0000420h
		push	13AEh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5D724D:				; CODE XREF: MiFlushDirtyBitsToPfn+FFj
		mov	esi, edi
		mov	ecx, eax

loc_5D7251:				; CODE XREF: CcAllocateVacbLevel+D2B2Dj
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		sub	ecx, 1
		jnz	short loc_5D7251
		mov	edx, 200000h
		cmp	eax, 1
		jbe	short loc_5D7287
		dec	eax

loc_5D7270:				; CODE XREF: CcAllocateVacbLevel+D2B4Fj
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		shl	edx, 9
		sub	esi, 40000000h
		sub	eax, 1
		jnz	short loc_5D7270

loc_5D7287:				; CODE XREF: CcAllocateVacbLevel+D2B37j
		and	dword ptr [ebp-0E4h], 0
		and	dword ptr [ebp-0E0h], 0
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		mov	[ebp-0ACh], eax
		mov	[ebp-0C0h], eax
		mov	eax, ecx
		and	eax, 1
		mov	[ebp-0C4h], ecx
		or	eax, 0
		jz	loc_5D7344
		mov	eax, ecx
		and	eax, 42h
		or	eax, 0
		jz	short loc_5D7344
		nop
		mov	eax, [ebp-0ACh]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	eax, ecx, 1Ch
		add	eax, ds:_MmPfnDatabase
		test	edx, edx
		jz	short loc_5D7344
		lea	ebx, [eax+10h]
		mov	ecx, 7FFFFFFFh
		lea	eax, [edx-1]
		shr	eax, 0Ch
		inc	eax
		mov	[ebp-0A8h], eax

loc_5D72F8:				; CODE XREF: CcAllocateVacbLevel+D2C06j
		and	dword ptr [ebp-0C8h], 0
		lock bts dword ptr [ebx], 1Fh
		jnb	short loc_5D7329

loc_5D7306:				; CODE XREF: CcAllocateVacbLevel+D2BDFj
					; CcAllocateVacbLevel+D2BE6j
		lea	ecx, [ebp-0C8h]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_5D7306
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_5D7306
		mov	eax, [ebp-0A8h]
		mov	ecx, 7FFFFFFFh

loc_5D7329:				; CODE XREF: CcAllocateVacbLevel+D2BCEj
		or	byte ptr [ebx+6], 10h
		lock and [ebx],	ecx
		add	ebx, 1Ch
		sub	eax, 1
		mov	[ebp-0A8h], eax
		jnz	short loc_5D72F8
		mov	ebx, [ebp-0B4h]

loc_5D7344:				; CODE XREF: CcAllocateVacbLevel+D2B7Fj
					; CcAllocateVacbLevel+D2B8Dj ...
		add	esi, 8
		mov	eax, 0C0000000h
		jmp	short loc_5D7359
; 

loc_5D734E:				; CODE XREF: CcAllocateVacbLevel+D2C25j
		cmp	esi, 0C07FFFFFh
		ja	short loc_5D735D
		shl	esi, 9

loc_5D7359:				; CODE XREF: CcAllocateVacbLevel+D2C16j
		cmp	esi, eax
		jnb	short loc_5D734E

loc_5D735D:				; CODE XREF: CcAllocateVacbLevel+D2C1Ej
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		jmp	loc_5049EF
; END OF FUNCTION CHUNK	FOR CcAllocateVacbLevel
; 
; START	OF FUNCTION CHUNK FOR MiFlushDirtyBitsToPfn

loc_5D7371:				; CODE XREF: MiFlushDirtyBitsToPfn+239j
					; MiFlushDirtyBitsToPfn+D2B08j	...
		lea	ecx, [ebp+var_CC]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_5D7371
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_5D7371
		mov	ebx, [ebp+var_B4]
		mov	edx, [ebp+var_D0]
		mov	eax, [ebp+var_B8]
		mov	ecx, [ebp+var_D8]
		jmp	loc_504A69
; END OF FUNCTION CHUNK	FOR MiFlushDirtyBitsToPfn
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker

loc_5D73A6:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker+58j
					; SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker+66j
		mov	edi, 3C00h
		jmp	loc_504B27
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmHighMemPriorityWatchdogWorker
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore

loc_5D73B0:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+34j
		mov	edi, 0C00000BBh
		jmp	loc_504C04
; 

loc_5D73BA:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+157j
					; SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+20Dj
		mov	eax, [esi+117Ch]
		xor	ecx, ecx
		mov	[ebp+var_108], ebx
		inc	ecx
		mov	[ebp+var_104], eax
		push	5
		jmp	short loc_5D7452
; 

loc_5D73D3:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+1ADj
		cmp	ebx, [ebp+var_234]
		jnb	loc_504D6B
		mov	ecx, [ebp+var_230]
		lea	edx, [ebp+var_204]
		dec	ecx
		shr	ecx, 0Ch
		inc	ecx

loc_5D73F0:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+D284Cj
		mov	eax, [edx]
		and	eax, 0FEFFFFFFh
		or	eax, 6000001h
		mov	[edx], eax
		lea	edx, [edx+8]
		sub	ecx, 1
		jnz	short loc_5D73F0
		jmp	loc_504D6B
; 

loc_5D740B:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+1FDj
		jnb	loc_504DD4
		mov	ecx, [ebp+var_228]
		mov	ecx, [ecx]
		test	ecx, ecx
		jz	loc_504DD4
		mov	eax, [eax]
		mov	[ebp+edx*8+var_108], eax
		lea	eax, [ecx-1]
		mov	ecx, [ebp+var_228]
		mov	[ebp+edx*8+var_104], 1000h
		inc	edx
		mov	[ebp+var_230], edx
		jmp	loc_504DCC
; 

loc_5D744A:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+241j
		mov	ecx, [ebp+var_230]
		push	6

loc_5D7452:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+D2819j
		lea	edx, [ebp+var_108]
		call	_MmSetPriorityVaRanges@12 ; MmSetPriorityVaRanges(x,x,x)
		jmp	loc_504DFF
; 

loc_5D7462:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+11Ej
		lea	ebx, [esi+10F8h]
		jmp	loc_504E2D
; 

loc_5D746D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+BEj
					; SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+CAj ...
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_5D7482
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_5D7482:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+D28C1j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_248]
		lock dec dword ptr [eax]
		xor	edx, edx
		lea	ecx, [ebp+var_220]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_504C04
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore
; 
; START	OF FUNCTION CHUNK FOR KeForceAttachProcess

loc_5D74B0:				; CODE XREF: KeForceAttachProcess+22j
		mov	ecx, large fs:124h
		mov	al, [ecx+16Ah]
		test	al, al
		jz	short loc_5D74D5
		push	0
		movzx	eax, al
		push	eax
		push	dword ptr [ecx+80h]
		push	esi
		push	5
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D74D5:				; CODE XREF: KeForceAttachProcess+D2607j
		lea	edx, [ebp+var_20]
		jmp	loc_504EE0
; END OF FUNCTION CHUNK	FOR KeForceAttachProcess
; 
; START	OF FUNCTION CHUNK FOR MiUnlockImageSection

loc_5D74DD:				; CODE XREF: MiUnlockImageSection+36j
					; MiUnlockImageSection+3Fj
		push	eax
		push	[ebp+arg_4]
		shl	esi, 9
		push	esi
		push	1010h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5D74F2:				; CODE XREF: PopDiagTraceFxDefaultPepWorkerEnd+2Cj
		cmp	ds:dword_6B23F8, 5
		jbe	loc_5050FB
		push	4000h
		mov	esi, offset dword_6B23F8
		push	edi
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_5050FB
		mov	eax, [ebp+arg_8]
		mov	edx, offset loc_41E94A
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_7C]
		push	eax
		mov	[ebp+var_54], 4
		push	3
		jmp	short loc_5D758A
; END OF FUNCTION CHUNK	FOR MiUnlockImageSection
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceFxDefaultPepWorkerEnd

loc_5D753F:				; CODE XREF: PopDiagTraceFxDefaultPepWorkerEnd+D7j
		mov	eax, [ebp+arg_8]
		mov	edx, offset loc_41E8FC
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_A4]
		push	4
		pop	ecx
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_8F+3]
		push	eax
		mov	[ebp+var_68], edi
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], edi
		mov	[ebp+var_A4], 1000000h
		mov	[ebp+var_A0], edi
		mov	[ebp+var_54], 8
		push	ecx

loc_5D758A:				; CODE XREF: MiUnlockImageSection+D2637j
		push	ecx
		push	ecx
		push	1
		push	ecx
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_58], edi
		mov	[ebp+var_50], edi
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		jmp	loc_5050FB
; 

loc_5D75A2:				; CODE XREF: PopDiagTraceFxDefaultPepWorkerEnd+5Aj
					; PopDiagTraceFxDefaultPepWorkerEnd+6Ej ...
		mov	eax, [ebp+var_98]
		xor	edx, edx
		inc	edx
		test	eax, eax
		jnz	short loc_5D75B3
		mov	al, 0FDh
		jmp	short loc_5D75C5
; 

loc_5D75B3:				; CODE XREF: PopDiagTraceFxDefaultPepWorkerEnd+D24E9j
		cmp	eax, edx
		jnz	short loc_5D75BB
		or	al, 0FFh
		jmp	short loc_5D75C5
; 

loc_5D75BB:				; CODE XREF: PopDiagTraceFxDefaultPepWorkerEnd+D24F1j
		cmp	eax, 3
		mov	al, 0FEh
		jz	short loc_5D75C5
		mov	al, [ebp+arg_0]

loc_5D75C5:				; CODE XREF: PopDiagTraceFxDefaultPepWorkerEnd+D24EDj
					; PopDiagTraceFxDefaultPepWorkerEnd+D24F5j ...
		mov	byte ptr [ebp+var_8F+2], al
		xor	ecx, ecx
		mov	eax, [ebp+arg_8]
		mov	byte ptr [ebp+var_8F], al
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_8F+2]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp-8Eh]
		push	offset _POP_ETW_EVENT_DEFAULT_PEP_WORKER_END
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_8F]
		push	esi
		push	edi
		mov	byte ptr [ebp+var_8F+1], bl
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], 4
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_5D7652
		lea	eax, [ebp+var_4C]
		push	eax
		push	4
		xor	eax, eax
		push	eax
		push	eax
		push	1
		push	eax
		push	eax
		push	offset _POP_ETW_EVENT_DEFAULT_PEP_WORKER_END
		push	esi
		push	edi
		call	EtwWriteEx

loc_5D7652:				; CODE XREF: PopDiagTraceFxDefaultPepWorkerEnd+D2572j
		cmp	ebx, 2
		jnz	short loc_5D7691
		mov	esi, ds:dword_6C1D74
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_DEFAULT_PEP_WORKER_DEVICE_RECOVERED
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_50514C
		lea	eax, [ebp+var_4C]
		push	eax
		push	4
		xor	eax, eax
		push	eax
		push	eax
		push	1
		push	eax
		push	eax
		push	offset _POP_ETW_EVENT_DEFAULT_PEP_WORKER_DEVICE_RECOVERED
		push	esi
		push	edi
		call	EtwWriteEx

loc_5D7691:				; CODE XREF: PopDiagTraceFxDefaultPepWorkerEnd+D2591j
		cmp	ebx, 3
		jnz	loc_50514C
		mov	esi, ds:dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_DEFAULT_PEP_WORKER_DEVICE_ORPHANED
		mov	edi, ds:_PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_50514C
		lea	eax, [ebp+var_4C]
		push	eax
		push	4
		xor	eax, eax
		push	eax
		push	eax
		push	1
		push	eax
		push	eax
		push	ebx
		push	esi
		push	edi
		call	EtwWriteEx
		jmp	loc_50514C
; END OF FUNCTION CHUNK	FOR PopDiagTraceFxDefaultPepWorkerEnd
; 
; START	OF FUNCTION CHUNK FOR MmChangeSectionBackingFile

loc_5D76D6:				; CODE XREF: MmChangeSectionBackingFile+2Bj
		mov	eax, [ebx+14h]
		cmp	eax, [esi+14h]
		jz	loc_505355
		mov	eax, 0C00000F0h
		jmp	loc_505405
; 

loc_5D76EC:				; CODE XREF: MmChangeSectionBackingFile+67j
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_4]
		jmp	loc_505358
; 

loc_5D7702:				; CODE XREF: MmChangeSectionBackingFile+7Dj
		mov	eax, [ecx]
		and	eax, 0FFFFFFF8h
		cmp	eax, ebx
		jnz	loc_5053CE
		jmp	loc_5053AE
; 

loc_5D7714:				; CODE XREF: MmChangeSectionBackingFile+51j
		push	offset dword_6CF3C0
		jmp	loc_5053F5
; 

loc_5D771E:				; CODE XREF: MmChangeSectionBackingFile+1Aj
					; MmChangeSectionBackingFile+23j
		mov	eax, 0C00000F1h
		jmp	loc_505405
; END OF FUNCTION CHUNK	FOR MmChangeSectionBackingFile
; 
; START	OF FUNCTION CHUNK FOR MiLeapPrefetch

loc_5D7728:				; CODE XREF: MiLeapPrefetch+B4j
		mov	al, [ebp+var_1]
		mov	[ebp+var_8], 1

loc_5D7732:				; CODE XREF: MiLeapPrefetch+86j
					; MiLeapPrefetch+93j
		mov	dl, al
		lea	ecx, [ebx+240h]
		call	MiUnlockWorkingSetShared
		mov	eax, [ebp+var_8]
		jmp	loc_50557C
; 

loc_5D7747:				; CODE XREF: MiLeapPrefetch+C7j
		mov	al, [ebp+var_1]
		jmp	loc_5055AE
; END OF FUNCTION CHUNK	FOR MiLeapPrefetch
; 
; START	OF FUNCTION CHUNK FOR SepSetTokenBnoIsolation

loc_5D774F:				; CODE XREF: SepSetTokenBnoIsolation+17j
		test	dword ptr [ecx+0B0h], 4000h
		jz	short loc_5D7765
		mov	esi, 0C00000BBh
		jmp	loc_50562E
; 

loc_5D7765:				; CODE XREF: SepSetTokenBnoIsolation+D2177j
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	loc_505637
		cmp	[ebp+arg_8], esi
		jz	loc_505637
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_505637
		movzx	eax, word ptr [edi]
		test	ax, ax
		jz	loc_505637
		cmp	[edi+4], esi
		jz	loc_505637
		mov	edx, 110h
		cmp	ax, dx
		jb	short loc_5D77AD
		mov	esi, 0C0000106h
		jmp	loc_50562E
; 

loc_5D77AD:				; CODE XREF: SepSetTokenBnoIsolation+D21BFj
		cmp	ebx, 0Ah
		jbe	loc_505616
		mov	esi, 0C000000Dh
		jmp	loc_50562E
; 

loc_5D77C0:				; CODE XREF: SepSetTokenBnoIsolation+2Ej
		cmp	[edi], si
		jnz	loc_505637
		cmp	[edi+4], esi
		jnz	loc_505637
		jmp	loc_505616
; 

loc_5D77D7:				; CODE XREF: SepSetTokenBnoIsolation+3Cj
		mov	ecx, [ecx+0C0h]
		call	SepDereferenceCachedHandlesEntry
		mov	ecx, [ebp+var_8]
		mov	[ecx+298h], esi
		jmp	loc_505624
; 

loc_5D77F0:				; CODE XREF: SepSetTokenBnoIsolation+46j
		mov	eax, [edi]
		lea	edx, [ebp+var_14]
		push	[ebp+arg_8]
		mov	[ebp+var_10], eax
		mov	eax, [edi+4]
		push	ebx
		mov	[ebp+var_14], 1
		mov	[ebp+var_C], eax
		call	SepSetTokenCachedHandles
		mov	esi, eax
		jmp	loc_50562E
; END OF FUNCTION CHUNK	FOR SepSetTokenBnoIsolation
; 
; START	OF FUNCTION CHUNK FOR MiDecreaseUsedPtesCount

loc_5D7815:				; CODE XREF: MiDecreaseUsedPtesCount+14j
		push	edx
		push	edi
		push	ecx
		push	41790h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5D7825:				; CODE XREF: CcUpdateTimeOnLogHandles+6Bj
		mov	edx, eax
		lea	ecx, [ebp-14h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_5056DE
; END OF FUNCTION CHUNK	FOR MiDecreaseUsedPtesCount
; 
; START	OF FUNCTION CHUNK FOR CcUpdateTimeOnLogHandles

loc_5D7834:				; CODE XREF: CcUpdateTimeOnLogHandles+9Fj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5056B6
; 

loc_5D7844:				; CODE XREF: CcUpdateTimeOnLogHandles+DAj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_20]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_50575E
; 

loc_5D7854:				; CODE XREF: CcUpdateTimeOnLogHandles+F8j
		lea	ecx, [ebp+var_20]
		call	KxWaitForLockChainValid
		jmp	loc_505779
; END OF FUNCTION CHUNK	FOR CcUpdateTimeOnLogHandles
; 
; START	OF FUNCTION CHUNK FOR sub_5057C4

loc_5D7861:				; CODE XREF: sub_5057C4+18j
		mov	eax, [ebp+arg_4]
		mov	ecx, esi
		mov	edx, [ebp+arg_8]
		push	eax
		mov	eax, [eax+8]
		mov	edx, [eax+edx*4+38h]
		call	_MmUpdateMdlTracker@12 ; MmUpdateMdlTracker(x,x,x)
		jmp	loc_5057E2
; END OF FUNCTION CHUNK	FOR sub_5057C4
; 
; START	OF FUNCTION CHUNK FOR RtlIsUntrustedObject

loc_5D787B:				; CODE XREF: RtlIsUntrustedObject+2Fj
		test	ebx, ebx
		jnz	loc_505829

loc_5D7883:				; CODE XREF: RtlIsUntrustedObject+37j
		mov	eax, 0C000000Dh
		jmp	loc_5058A0
; 

loc_5D788D:				; CODE XREF: RtlIsUntrustedObject+44j
		lea	eax, [ebp+var_74]
		push	eax
		push	68h
		lea	eax, [ebp+var_6C]
		push	eax
		push	10h
		push	ebx
		call	_ZwQuerySecurityObject@20 ; ZwQuerySecurityObject(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	loc_505854
		cmp	edi, 0C0000023h
		jnz	loc_50589F
		push	62507452h
		push	[ebp+var_74]
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_5D7933
		lea	eax, [ebp+var_74]
		mov	[ebp+var_6D], 1
		push	eax
		push	68h
		push	esi
		push	10h
		push	ebx
		call	_ZwQuerySecurityObject@20 ; ZwQuerySecurityObject(x,x,x,x,x)

loc_5D78E0:				; CODE XREF: RtlIsUntrustedObject+D2145j
		mov	edi, eax
		test	edi, edi
		jns	loc_505854

loc_5D78EA:				; CODE XREF: RtlIsUntrustedObject+ABj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_50589D
; 

loc_5D78F7:				; CODE XREF: RtlIsUntrustedObject+62j
		cmp	edi, 0C0000023h
		jnz	loc_50589F
		push	62507452h
		push	[ebp+var_74]
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_5D7933
		mov	ecx, [ebp+var_78]
		lea	eax, [ebp+var_74]
		push	eax
		push	68h
		push	esi
		push	10h
		pop	edx
		mov	[ebp+var_6D], 1
		call	_ObQuerySecurityObject@20 ; ObQuerySecurityObject(x,x,x,x,x)
		jmp	short loc_5D78E0
; 

loc_5D7933:				; CODE XREF: RtlIsUntrustedObject+D20DFj
					; RtlIsUntrustedObject+D212Dj
		mov	eax, 0C0000017h
		jmp	loc_50589F
; 

loc_5D793D:				; CODE XREF: RtlIsUntrustedObject+9Bj
		test	byte ptr [ecx+1], 8
		jnz	loc_505877
		mov	al, [ecx+9]
		test	al, al
		jz	loc_505893
		movzx	eax, al
		mov	eax, [ecx+eax*4+0Ch]
		cmp	eax, 2000h
		jb	loc_505893
		jmp	loc_50588D
; END OF FUNCTION CHUNK	FOR RtlIsUntrustedObject
; 
; START	OF FUNCTION CHUNK FOR MiCheckFreeModifiedReservations

loc_5D7969:				; CODE XREF: MiCheckFreeModifiedReservations+32j
		mov	eax, [esi+0F48h]
		shr	eax, 2
		cmp	edi, eax
		ja	short loc_5D7981
		shr	ecx, 2
		cmp	edi, ecx
		jbe	loc_5058E8

loc_5D7981:				; CODE XREF: MiCheckFreeModifiedReservations+D20C4j
		mov	ecx, [esi+1F0h]
		cmp	ecx, 40h
		jb	loc_5058E8
		mov	eax, [esi+1ECh]
		xor	edx, edx
		div	ecx
		mov	ecx, ds:dword_7051C4
		shr	ecx, 3
		cmp	eax, ecx
		jnb	loc_5058E8
		mov	eax, [esi+0F4Ch]
		shr	edi, 2
		imul	ecx, edi, 3
		mov	[ebp+var_8], eax
		push	ebx
		mov	[ebp+var_10], ecx
		test	eax, eax
		jz	short loc_5D7A35
		lea	ebx, [esi+0F54h]
		mov	esi, [ebp+var_C]

loc_5D79CB:				; CODE XREF: MiCheckFreeModifiedReservations+D2180j
		mov	edi, [ebx]
		test	byte ptr [edi+74h], 60h
		jnz	short loc_5D7A27
		cmp	esi, ecx
		jbe	short loc_5D7A18
		lea	eax, [edi+88h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	cl, [edi+77h]
		mov	[ebp+var_1], al
		test	cl, 1
		jnz	short loc_5D7A03
		or	cl, 1
		mov	[edi+77h], cl
		mov	ecx, edi
		call	MiInitializePagefileBitmapsCache
		mov	eax, ds:dword_7051C4
		mov	[edi+40h], eax

loc_5D7A03:				; CODE XREF: MiCheckFreeModifiedReservations+D213Cj
		lea	eax, [edi+88h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5D7A18:				; CODE XREF: MiCheckFreeModifiedReservations+D2125j
		xor	edx, edx
		mov	ecx, edi
		call	_MiFreeModifiedReservations@8 ;	MiFreeModifiedReservations(x,x)
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_10]

loc_5D7A27:				; CODE XREF: MiCheckFreeModifiedReservations+D2121j
		add	ebx, 4
		sub	eax, 1
		mov	[ebp+var_8], eax
		jnz	short loc_5D79CB
		mov	esi, [ebp+var_14]

loc_5D7A35:				; CODE XREF: MiCheckFreeModifiedReservations+D2110j
		inc	dword ptr [esi+1F8h]
		cmp	[ebp+var_C], ecx
		jbe	short loc_5D7A6F
		xor	ebx, ebx
		inc	ebx
		mov	cl, bl
		call	KiQueryUnbiasedInterruptTime
		and	[ebp+var_8], 0
		xor	ecx, ecx
		mov	[esi+200h], eax
		lea	eax, [ebp+var_8]
		mov	[esi+204h], edx
		lock or	[eax], ecx
		or	[esi+20Ch], bx
		inc	dword ptr [esi+1F4h]

loc_5D7A6F:				; CODE XREF: MiCheckFreeModifiedReservations+D218Ej
		and	dword ptr [esi+1F0h], 0
		and	dword ptr [esi+1ECh], 0
		pop	ebx
		jmp	loc_5058E8
; END OF FUNCTION CHUNK	FOR MiCheckFreeModifiedReservations
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStAllocateVirtualRegion

loc_5D7A83:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStAllocateVirtualRegion+6Ej
		or	eax, 80000000h
		mov	[ebx+esi*4], eax
		jmp	loc_505964
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStAllocateVirtualRegion
; 
; START	OF FUNCTION CHUNK FOR MiResetVirtualMemory

loc_5D7A90:				; CODE XREF: MiResetVirtualMemory+78j
		test	edx, 200h
		jnz	loc_505A68
		push	[ebp+arg_C]
		mov	eax, [ebp+arg_0]
		mov	edx, ebx
		sub	eax, ebx
		mov	ecx, edi
		push	4
		inc	eax
		push	eax
		call	MiCheckSecuredVad
		test	eax, eax
		js	loc_505AAC
		mov	ecx, [ebp+var_4]
		jmp	loc_505A68
; 

loc_5D7AC1:				; CODE XREF: MiResetVirtualMemory+4Aj
		mov	eax, large fs:124h
		test	dword ptr [eax+2FCh], 40000h
		jnz	loc_505A78
		push	[ebp+arg_0]
		mov	eax, large fs:124h
		mov	edx, [ebp+var_4]
		push	ebx
		push	4
		mov	ecx, [eax+80h]
		push	edi
		call	_MiAllowProtectionChange@24 ; MiAllowProtectionChange(x,x,x,x,x,x)
		test	eax, eax
		js	loc_505A94
		jmp	loc_505A78
; END OF FUNCTION CHUNK	FOR MiResetVirtualMemory
; 
; START	OF FUNCTION CHUNK FOR CcRescheduleLazyWriteScan

loc_5D7AFF:				; CODE XREF: CcRescheduleLazyWriteScan+14j
		push	0
		xor	dl, dl
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		pop	edi
		retn
; END OF FUNCTION CHUNK	FOR CcRescheduleLazyWriteScan

;  S U B	R O U T	I N E 


sub_5D7B0A	proc near		; CODE XREF: MmFreeContiguousMemory+35j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_505CA4
sub_5D7B0A	endp


;  S U B	R O U T	I N E 


sub_5D7B16	proc near		; CODE XREF: MmFreeContiguousMemory+8Cj
		push	ebx
		push	ebx
		push	esi
		push	61h
		jmp	short loc_5D7B22
; 

loc_5D7B1D:				; CODE XREF: MmFreeContiguousMemory+22j
					; MmFreeContiguousMemory+3Dj
		push	ebx
		push	ebx
		push	esi
		push	62h

loc_5D7B22:				; CODE XREF: MmFreeContiguousMemory+118j
					; sub_5D7B16+5j
		push	0C2h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D7B2C:				; CODE XREF: MmFreeContiguousMemory+CFj
		mov	edx, eax
		mov	ecx, esi
		call	_VfFreeMemoryNotification@8 ; VfFreeMemoryNotification(x,x)
		jmp	loc_505C77
sub_5D7B16	endp

; 
; START	OF FUNCTION CHUNK FOR MmFreeContiguousMemory

loc_5D7B3A:				; CODE XREF: MmFreeContiguousMemory+E3j
		push	edi
		push	0Ch
		xor	edx, edx
		mov	ecx, esi
		call	_MiLogPerfMemoryRangeEvent@16 ;	MiLogPerfMemoryRangeEvent(x,x,x,x)
		jmp	loc_505C8B
; END OF FUNCTION CHUNK	FOR MmFreeContiguousMemory
; 
; START	OF FUNCTION CHUNK FOR ExRemovePoolTag

loc_5D7B4B:				; CODE XREF: ExRemovePoolTag+1D6j
		test	esi, esi
		jz	short loc_5D7B58
		mov	edx, ebx
		mov	esi, ebx
		jmp	loc_505E0F
; 

loc_5D7B58:				; CODE XREF: ExRemovePoolTag+83j
					; ExRemovePoolTag+D1DA3j
		push	ebx
		push	[ebp+arg_4]
		push	edi
		push	22h
		push	19h
		jmp	short loc_5D7B70
; 

loc_5D7B63:				; CODE XREF: ExRemovePoolTag+D1E83j
		movzx	eax, dl
		push	eax
		push	ecx
		push	edi
		push	62h
		push	0C2h

loc_5D7B70:				; CODE XREF: ExRemovePoolTag+D1DB7j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D7B75:				; CODE XREF: ExRemovePoolTag+A2j
		mov	byte ptr [ebp+arg_0+3],	bl
		mov	[ebp+var_24], ebx
		jmp	loc_505E61
; 

loc_5D7B80:				; CODE XREF: ExRemovePoolTag+E2j
		int	3		; Trap to Debugger
		jmp	loc_505E92
; 

loc_5D7B86:				; CODE XREF: ExRemovePoolTag+EFj
		mov	edx, [ebp+arg_4]
		mov	ecx, 0E22h
		push	esi
		push	edi
		push	[ebp+var_8]
		call	_EtwTracePool@20 ; EtwTracePool(x,x,x,x,x)
		jmp	loc_505E9F
; 

loc_5D7B9D:				; CODE XREF: ExRemovePoolTag+FEj
		mov	eax, ds:_ExpSessionPoolTrackTable
		mov	edx, ds:_ExpSessionPoolTrackTableMask
		jmp	loc_505EC3
; 

loc_5D7BAD:				; CODE XREF: ExRemovePoolTag+163j
		cmp	[ebp+var_C], ebx
		jnz	short loc_5D7BD3
		cmp	[ebp+var_2C], ebx
		jnz	short loc_5D7BD3
		mov	esi, [ebp+var_14]
		mov	eax, ds:_PoolTrackTable
		mov	eax, [esi+eax]
		mov	esi, [ebp+var_18]
		test	eax, eax
		jz	short loc_5D7BD0
		mov	[edx], eax
		jmp	loc_505EF7
; 

loc_5D7BD0:				; CODE XREF: ExRemovePoolTag+D1E1Dj
		mov	eax, [ebp+var_8]

loc_5D7BD3:				; CODE XREF: ExRemovePoolTag+D1E06j
					; ExRemovePoolTag+D1E0Bj
		inc	ecx
		and	ecx, [ebp+var_1C]
		cmp	ecx, [ebp+var_30]
		jnz	loc_505EF7
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, eax
		call	ExpRemovePoolTrackerExpansion
		jmp	loc_505F59
; 

loc_5D7BF1:				; CODE XREF: ExRemovePoolTag+1DEj
					; ExRemovePoolTag+D1E62j ...
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+arg_4], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_5D7BF1
		cmp	edx, [ebp+arg_4]
		jnz	short loc_5D7BF1
		push	18h
		jmp	loc_505F3F
; 

loc_5D7C1A:				; CODE XREF: ExRemovePoolTag+1B4j
		mov	eax, [ebp+var_24]
		mov	ecx, esi
		sub	ecx, eax
		add	ecx, edi
		test	eax, eax
		jz	loc_505F64

loc_5D7C2B:				; CODE XREF: ExRemovePoolTag+D1E8Dj
		cmp	[ecx], dl
		jnz	loc_5D7B63
		inc	ecx
		inc	ebx
		cmp	ebx, eax
		jb	short loc_5D7C2B
		jmp	loc_505F64
; END OF FUNCTION CHUNK	FOR ExRemovePoolTag
; 
; START	OF FUNCTION CHUNK FOR ExpFreePoolChecks

loc_5D7C3E:				; CODE XREF: ExpFreePoolChecks+16j
		test	eax, 200h
		jz	short loc_5D7C50
		cmp	[ebp+arg_0], 0
		jnz	short loc_5D7C50
		call	_ExpCheckForLookaside@8	; ExpCheckForLookaside(x,x)

loc_5D7C50:				; CODE XREF: ExpFreePoolChecks+D1CB5j
					; ExpFreePoolChecks+D1CBBj
		test	byte ptr ds:_ExpPoolFlags, 1
		jz	short loc_5D7C62
		mov	edx, esi
		mov	ecx, edi
		call	_KeCheckForTimer@8 ; KeCheckForTimer(x,x)

loc_5D7C62:				; CODE XREF: ExpFreePoolChecks+D1CC9j
		test	byte ptr ds:_ExpPoolFlags, 4
		jz	short loc_5D7C74
		mov	edx, esi
		mov	ecx, edi
		call	_ExpCheckForResource@8 ; ExpCheckForResource(x,x)

loc_5D7C74:				; CODE XREF: ExpFreePoolChecks+D1CDBj
		test	byte ptr ds:_ExpPoolFlags, 2
		jz	loc_505FAA
		mov	edx, esi
		mov	ecx, edi
		call	_ExpCheckForWorker@8 ; ExpCheckForWorker(x,x)
		jmp	loc_505FAA
; 

loc_5D7C8F:				; CODE XREF: ExpFreePoolChecks+23j
		mov	edx, esi
		mov	ecx, edi
		call	_VfFreePoolNotification@8 ; VfFreePoolNotification(x,x)
		jmp	loc_505FB7
; END OF FUNCTION CHUNK	FOR ExpFreePoolChecks
; 
; START	OF FUNCTION CHUNK FOR RtlFindFirstRunClear

loc_5D7C9D:				; CODE XREF: RtlFindFirstRunClear+11j
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		jmp	loc_506030
; 

loc_5D7CA7:				; CODE XREF: RtlFindFirstRunClear+BBj
		push	20h
		pop	edi
		add	esi, 4
		jmp	short loc_5D7CBE
; 

loc_5D7CAF:				; CODE XREF: RtlFindFirstRunClear+D1CFCj
		cmp	dword ptr [esi], 0FFFFFFFFh
		jnz	loc_505FF6
		add	esi, 4
		add	edi, 20h

loc_5D7CBE:				; CODE XREF: RtlFindFirstRunClear+D1CE9j
		cmp	esi, eax
		jb	short loc_5D7CAF
		jmp	loc_505FF6
; 

loc_5D7CC7:				; CODE XREF: RtlFindFirstRunClear+66j
		or	edx, 0FFFFFFFFh
		jmp	loc_506030
; END OF FUNCTION CHUNK	FOR RtlFindFirstRunClear
; 
; START	OF FUNCTION CHUNK FOR MiUpdatePageAttributeStamp

loc_5D7CCF:				; CODE XREF: MiUpdatePageAttributeStamp+31j
		cmp	dword ptr [ecx+4], 3
		jnz	loc_5060E5
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, edi
		jz	loc_5060E5
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		mov	eax, [eax+4]
		imul	ecx, eax, 14h
		add	ecx, offset unk_6D56C0
		jmp	loc_5060E5
; 

loc_5D7D0F:				; CODE XREF: MiUpdatePageAttributeStamp+57j
		mov	edx, ecx
		lea	ecx, [ebp+var_10]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_506104
; 

loc_5D7D1E:				; CODE XREF: MiUpdatePageAttributeStamp+8Bj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_506147
; END OF FUNCTION CHUNK	FOR MiUpdatePageAttributeStamp
; 
; START	OF FUNCTION CHUNK FOR SepCleanSingletonEntry

loc_5D7D2E:				; CODE XREF: SepCleanSingletonEntry+24j
		call	AuthzBasepFreeSecurityAttributesList
		push	74446553h
		push	dword ptr [esi+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+10h], 0
		jmp	loc_5061D4
; END OF FUNCTION CHUNK	FOR SepCleanSingletonEntry
; 
; START	OF FUNCTION CHUNK FOR MiReassessZeroThreads

loc_5D7D49:				; CODE XREF: MiReassessZeroThreads+8Bj
		lea	ecx, [ebp+var_28]
		call	KxWaitForLockChainValid

loc_5D7D51:				; CODE XREF: MiReassessZeroThreads+74j
		mov	[ebp+var_28], 0
		jmp	loc_50656B
; 

loc_5D7D5D:				; CODE XREF: MiReassessZeroThreads+F9j
					; MiReassessZeroThreads+105j ...
		mov	eax, [ebx+0Ch]
		shr	eax, 2
		mov	[ebx+10h], eax
		test	eax, eax
		jnz	short loc_5D7D6F
		mov	[ebx+10h], esi
		mov	eax, esi

loc_5D7D6F:				; CODE XREF: MiReassessZeroThreads+D1ADCj
		cmp	edi, eax
		lea	esi, [ebx+20h]
		sbb	eax, eax
		and	eax, 5
		mov	[esi], eax
		and	dword ptr [ebx+1Ch], 0
		jmp	loc_5063B6
; 

loc_5D7D84:				; CODE XREF: MiReassessZeroThreads+69j
					; MiReassessZeroThreads+1E5j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_50631D
; 

loc_5D7D94:				; CODE XREF: MiReassessZeroThreads+20Dj
		lea	ecx, [ebp+var_28]
		call	KxWaitForLockChainValid
		jmp	loc_506568
; END OF FUNCTION CHUNK	FOR MiReassessZeroThreads
; 
; START	OF FUNCTION CHUNK FOR MiLogZeroPageDecision

loc_5D7DA1:				; CODE XREF: MiLogZeroPageDecision+27j
		mov	eax, edi
		mov	[esi+8], edi
		cmp	eax, ecx
		jnb	loc_506626
		jmp	loc_5065A7
; 

loc_5D7DB3:				; CODE XREF: MiLogZeroPageDecision+3Dj
					; MiLogZeroPageDecision+45j
		or	eax, ecx
		jmp	loc_5065C8
; END OF FUNCTION CHUNK	FOR MiLogZeroPageDecision
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStCompareRegionData

loc_5D7DBA:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCompareRegionData+46j
		cmp	eax, 0C0000120h
		jnz	loc_50676F
		mov	[esi], edi
		jmp	loc_50676F
; 

loc_5D7DCC:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCompareRegionData+15j
		push	0
		push	eax
		lea	eax, [ecx+118Ch]
		push	eax
		call	?SmStCompareRegionDataCallback@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU_SMKM_STORE_HELPER@@PAXK@Z ; SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)
		jmp	loc_50676F
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStCompareRegionData
; 
; START	OF FUNCTION CHUNK FOR CcCompleteAsyncReadWorker

loc_5D7DE0:				; CODE XREF: CcCompleteAsyncReadWorker+53j
		mov	ecx, edi
		call	CcFindNextWorkQueueEntry
		mov	[ebp+var_4], eax
		jmp	loc_5067D8
; END OF FUNCTION CHUNK	FOR CcCompleteAsyncReadWorker
; 
; START	OF FUNCTION CHUNK FOR CcCompleteAsyncRead

loc_5D7DEF:				; CODE XREF: CcCompleteAsyncRead+A9j
		mov	eax, [eax+0Ch]
		jmp	loc_5068C9
; 

loc_5D7DF7:				; CODE XREF: CcCompleteAsyncRead+C6j
		mov	dword ptr [edi], 0C000009Ah
		jmp	loc_5068F0
; END OF FUNCTION CHUNK	FOR CcCompleteAsyncRead

;  S U B	R O U T	I N E 


sub_5D7E02	proc near		; DATA XREF: .text:006A4038o
		lea	edx, [ebp-20h]
		mov	ecx, [ebp-14h]
		call	_CcCopyReadExceptionFilter@8 ; CcCopyReadExceptionFilter(x,x)
		retn
sub_5D7E02	endp


;  S U B	R O U T	I N E 


sub_5D7E0E	proc near		; DATA XREF: .text:006A403Co
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		mov	eax, [ebp-44h]
		mov	[eax], ecx
		xor	ebx, ebx
		mov	[ebp-4], ebx
		xor	esi, esi
		inc	esi
		jmp	loc_5068F3
sub_5D7E0E	endp

; 

loc_5D7E26:				; DATA XREF: .text:006A4030o
		xor	ebx, ebx
		xor	esi, esi
		inc	esi
		jmp	sub_50690F
; 
; START	OF FUNCTION CHUNK FOR sub_50690F

loc_5D7E30:				; CODE XREF: sub_50690F+Fj
		mov	eax, ds:_CcNumberAsyncReadRefaulted
		mov	ecx, ds:dword_6FDF0C
		add	eax, esi
		adc	ecx, ebx
		mov	ds:_CcNumberAsyncReadRefaulted,	eax
		mov	ds:dword_6FDF0C, ecx
		jmp	loc_506924
; 

loc_5D7E4F:				; CODE XREF: sub_50690F+7Aj
		mov	edx, [ebp+4]
		lea	ecx, [ebp-70h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5069AD
; 

loc_5D7E5F:				; CODE XREF: sub_50690F+98j
		lea	ecx, [ebp-70h]
		call	KxWaitForLockChainValid
		jmp	loc_5069C1
; 

loc_5D7E6C:				; CODE XREF: sub_50690F+5Aj
		push	ebx
		push	ebx
		push	0C0000420h
		push	643h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
; END OF FUNCTION CHUNK	FOR sub_50690F
; START	OF FUNCTION CHUNK FOR MiInitializeImageHeaderPage

loc_5D7E80:				; CODE XREF: MiInitializeImageHeaderPage+4Cj
		imul	esi, ebx, 1Ch
		add	esi, ds:_MmPfnDatabase
		and	[ebp+var_8], 0
		lea	edi, [esi+10h]
		jmp	short loc_5D7EA0
; 

loc_5D7E92:				; CODE XREF: MiInitializeImageHeaderPage+D14AAj
					; MiInitializeImageHeaderPage+D14B1j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_5D7E92

loc_5D7EA0:				; CODE XREF: MiInitializeImageHeaderPage+D149Cj
		lock bts dword ptr [edi], 1Fh
		jb	short loc_5D7E92
		or	byte ptr [esi+16h], 10h
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		jmp	loc_506A46
; END OF FUNCTION CHUNK	FOR MiInitializeImageHeaderPage
; 
; START	OF FUNCTION CHUNK FOR MmWaitMultipleForCacheManagerPrefetch

loc_5D7EB8:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+62j
		push	3
		pop	edx
		mov	[ebp+var_78], edx
		jmp	loc_506ABC
; 

loc_5D7EC3:				; CODE XREF: MmWaitMultipleForCacheManagerPrefetch+109j
		mov	edx, [ebp+var_78]
		jmp	loc_506ABC
; END OF FUNCTION CHUNK	FOR MmWaitMultipleForCacheManagerPrefetch
; 
; START	OF FUNCTION CHUNK FOR MmGrowKernelStackEx

loc_5D7ECB:				; CODE XREF: MmGrowKernelStackEx+28j
		mov	eax, 0C00000BBh
		jmp	loc_506D49
; 

loc_5D7ED5:				; CODE XREF: MmGrowKernelStackEx+77j
		inc	ds:dword_6D3404
		mov	ebx, 0C00000FDh
		jmp	loc_506D3E
; 

loc_5D7EE5:				; CODE XREF: MmGrowKernelStackEx+CAj
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_5D7EFE
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_5D7EFE:				; CODE XREF: MmGrowKernelStackEx+D128Dj
		mov	ebx, 0C000009Ah
		jmp	loc_506D3E
; END OF FUNCTION CHUNK	FOR MmGrowKernelStackEx
; 
; START	OF FUNCTION CHUNK FOR KeAttachProcess

loc_5D7F08:				; CODE XREF: KeAttachProcess+2Aj
					; KeAttachProcess+38j ...
		mov	eax, large fs:235Ch
		and	eax, ebx
		push	eax
		movzx	eax, dl
		push	eax
		push	ecx
		push	edi
		push	5
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5D7F1F:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+29j
		mov	eax, 0C000000Dh
		jmp	loc_50705E
; END OF FUNCTION CHUNK	FOR KeAttachProcess
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StGetStatsWorker

loc_5D7F29:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+33j
		sub	eax, 1
		jz	short loc_5D7FA0
		mov	edi, [ebp+arg_0]
		sub	eax, 1
		jz	short loc_5D7F88
		sub	eax, 1
		jz	short loc_5D7F43
		or	ebx, 0FFFFFFFFh
		jmp	loc_506EC7
; 

loc_5D7F43:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D10B3j
		mov	ebx, [esi+0Ch]
		lea	edx, [edi+601h]
		and	edx, 0FFFFFFFEh
		add	edx, 7
		lea	edx, [edx+ebx*4]
		and	edx, 0FFFFFFF8h
		mov	eax, [esi+1FCh]
		sub	edx, edi
		inc	eax
		mov	ecx, 200h
		cmp	eax, ecx
		ja	short loc_5D7F6C
		mov	ecx, eax

loc_5D7F6C:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D10E2j
		add	ecx, 7
		shr	ecx, 3
		imul	ecx, ebx
		lea	ebx, [edx+0Ch]
		mov	edx, [ebp+var_4]
		mov	[ebp+var_C], ecx
		add	ebx, ecx
		mov	ecx, [ebp+arg_4]
		jmp	loc_506EC7
; 

loc_5D7F88:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D10AEj
		lea	eax, [edi+601h]
		and	eax, 0FFFFFFFEh
		mov	ebx, [esi+0Ch]
		shl	ebx, 2
		sub	ebx, edi
		add	ebx, eax
		jmp	loc_506EC7
; 

loc_5D7FA0:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D10A6j
		mov	ebx, 600h
		jmp	loc_506EC4
; 

loc_5D7FAA:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+44j
		mov	[ecx], ebx
		mov	eax, 0C0000023h
		jmp	loc_50705E
; 

loc_5D7FB6:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+1CBj
		mov	edi, [ebp+arg_0]
		lea	edx, [esi+0A48h]
		lea	ecx, [edi+0BCh]
		call	?StCopyIoStats@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_IO_STATS@@PAU_ST_IO_COUNTS@@@Z ; ST_STORE<SM_TRAITS>::StCopyIoStats(_ST_IO_STATS *,_ST_IO_COUNTS *)
		push	dword ptr [esi+0F5Ch]
		lea	ecx, [edi+5C0h]
		push	dword ptr [esi+0F60h]
		call	_StLcBucketsCopy@16 ; StLcBucketsCopy(x,x,x,x)
		mov	edx, [ebp+var_4]
		cmp	edx, 1
		jz	loc_507057
		lea	eax, [edi+601h]
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_14], eax
		mov	ecx, [esi+2Ch]
		mov	[ebp+var_10], eax
		mov	eax, [esi+0Ch]
		lea	eax, [ecx+eax*2]
		cmp	ecx, eax
		jnb	short loc_5D8045
		mov	edi, [ebp+var_10]
		mov	edx, eax

loc_5D800E:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D11B7j
		mov	ax, [ecx]
		mov	[ebp+var_10], 1FFFh
		and	ax, word ptr [ebp+var_10]
		mov	[edi], ax
		cmp	byte ptr [esi+1E4h], 0
		jnz	short loc_5D8030
		movzx	eax, word ptr [ecx]
		shr	eax, 0Dh
		jmp	short loc_5D8032
; 

loc_5D8030:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D11A0j
		xor	eax, eax

loc_5D8032:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D11A8j
		mov	[edi+2], al
		add	ecx, 2
		add	edi, 4
		cmp	ecx, edx
		jb	short loc_5D800E
		mov	edi, [ebp+arg_0]
		mov	edx, [ebp+var_4]

loc_5D8045:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D1181j
		cmp	edx, 2
		jz	loc_507057
		mov	eax, [edi+14h]
		mov	edi, [ebp+var_14]
		add	edi, 7
		lea	edi, [edi+eax*4]
		and	edi, 0FFFFFFF8h
		push	[ebp+var_C]	; size_t
		lea	eax, [edi+0Ch]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	esi, [esi+8]
		add	esp, 0Ch
		shr	esi, 9
		cmp	esi, 10h
		ja	short loc_5D807C
		push	10h
		pop	esi

loc_5D807C:				; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D11F1j
		mov	ecx, [ebp+var_18]
		lea	eax, [ebp+var_28]
		push	eax
		mov	[edi+8], esi
		lea	eax, [edi+0Ch]
		shr	esi, 4
		push	eax
		mov	edx, esi
		call	?StDmGetStatsBitmap@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@KPAEPA_K@Z ; ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned __int64 *)
		test	eax, eax
		js	loc_50705E
		mov	eax, [ebp+var_28]
		mov	edx, esi
		mov	ecx, [ebp+var_1C]
		mov	[edi], eax
		mov	eax, [ebp+var_24]
		mov	[edi+4], eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [edi+0Ch]
		push	eax
		call	?StDmGetStatsBitmap@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@KPAEPA_K@Z ; ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned __int64 *)
		test	eax, eax
		js	loc_50705E
		jmp	loc_507057
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StGetStatsWorker
; 
; START	OF FUNCTION CHUNK FOR IoInitializeIrp

loc_5D80C6:				; CODE XREF: IoInitializeIrp+12j
		push	dword ptr [ebp+4]
		push	ecx
		mov	ecx, edi
		call	_IovInitializeIrp@16 ; IovInitializeIrp(x,x,x,x)
		jmp	loc_5071B0
; END OF FUNCTION CHUNK	FOR IoInitializeIrp
; 
; START	OF FUNCTION CHUNK FOR WmipBuildTraceDeviceList

loc_5D80D6:				; CODE XREF: WmipBuildTraceDeviceList+42j
		mov	esi, 0C00000C0h
		jmp	short loc_5D80E2
; 

loc_5D80DD:				; CODE XREF: WmipBuildTraceDeviceList+62j
		mov	esi, 0C000009Ah

loc_5D80E2:				; CODE XREF: WmipBuildTraceDeviceList+D0ED5j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _WmipRegistrationSpinLock
		jz	short loc_5D80FA
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5D80FF
; 

loc_5D80FA:				; CODE XREF: WmipBuildTraceDeviceList+D0EE8j
		xor	eax, eax
		lock and [ecx],	eax

loc_5D80FF:				; CODE XREF: WmipBuildTraceDeviceList+D0EF2j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		jmp	short loc_5D8127
; 

loc_5D8115:				; CODE XREF: WmipBuildTraceDeviceList+B6j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5072C7
; 

loc_5D8122:				; CODE XREF: WmipBuildTraceDeviceList+D8j
		mov	esi, 0C00000C0h

loc_5D8127:				; CODE XREF: WmipBuildTraceDeviceList+D0F0Dj
		test	edi, edi
		jz	loc_5072F0
		xor	edx, edx
		mov	ecx, edi
		call	_WmipFreeTraceDeviceList@8 ; WmipFreeTraceDeviceList(x,x)
		jmp	loc_5072F0
; END OF FUNCTION CHUNK	FOR WmipBuildTraceDeviceList
; 
; START	OF FUNCTION CHUNK FOR CcNotifyWriteBehindInternal

loc_5D813D:				; CODE XREF: CcNotifyWriteBehindInternal+15j
		push	edi
		push	edi
		lea	eax, [esi+0F4h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_507347
; 

loc_5D8150:				; CODE XREF: CcNotifyWriteBehindInternal+36j
		push	edi
		push	edi
		lea	eax, [esi+124h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_507368
; 

loc_5D8163:				; CODE XREF: CcNotifyWriteBehindInternal+3Fj
		push	edi
		push	edi
		lea	eax, [esi+134h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_507371
; END OF FUNCTION CHUNK	FOR CcNotifyWriteBehindInternal
; 
; START	OF FUNCTION CHUNK FOR FsRtlpOplockBreakToII

loc_5D8176:				; CODE XREF: FsRtlpOplockBreakToII+27j
		test	eax, 7000h
		jnz	loc_5073F9
		test	[ebp+arg_4], 8
		jnz	short loc_5D819A
		push	dword ptr [edi+4]
		push	dword ptr [edx+18h]
		call	_FsRtlOplockKeysEqual@8	; FsRtlOplockKeysEqual(x,x)
		test	al, al
		jnz	loc_5073F9

loc_5D819A:				; CODE XREF: FsRtlpOplockBreakToII+D0DB9j
		test	dword ptr [ebp+arg_4], 10010000h
		jnz	loc_5D82E1
		mov	eax, [edi+48h]
		test	eax, 1F00F80h
		jnz	loc_5D8285
		mov	eax, [edi]
		mov	[ebp+var_20], eax
		lea	esi, [eax+25h]
		push	esi
		call	_IoAcquireCancelSpinLock@4 ; IoAcquireCancelSpinLock(x)
		xor	ecx, ecx
		mov	eax, [ebp+var_20]
		add	eax, 38h
		xchg	ecx, [eax]
		movzx	eax, byte ptr [esi]
		push	eax
		call	IoReleaseCancelSpinLock
		mov	eax, [ebp+var_20]
		cmp	byte ptr [eax+24h], 0
		jz	short loc_5D8245
		mov	dword ptr [eax+1Ch], 8
		push	ebx
		xor	edx, edx
		mov	ecx, edi
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, edi
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	[edi+10h], bl
		mov	eax, [edi]
		cmp	[eax+1Ch], edi
		jnz	short loc_5D8208
		mov	[eax+1Ch], ebx
		mov	eax, [edi]

loc_5D8208:				; CODE XREF: FsRtlpOplockBreakToII+D0E35j
		mov	dword ptr [eax+18h], 0C0000120h
		mov	dl, 1
		mov	ecx, [edi]
		call	IofCompleteRequest
		mov	[edi], ebx
		mov	ecx, [edi+4]
		call	ObfDereferenceObject
		mov	[edi+4], ebx
		mov	eax, [edi+48h]
		and	eax, 20h
		or	eax, 1
		mov	[edi+48h], eax

loc_5D8231:				; CODE XREF: FsRtlpOplockBreakToII+D0E77j
		lea	eax, [edi+2Ch]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	loc_5073F9
		call	_FsRtlpRemoveAndCompleteWaitingIrp@4 ; FsRtlpRemoveAndCompleteWaitingIrp(x)
		jmp	short loc_5D8231
; 

loc_5D8245:				; CODE XREF: FsRtlpOplockBreakToII+D0E11j
		mov	eax, [edi+48h]
		test	al, 6
		jz	short loc_5D8255
		or	eax, 100h
		push	7
		jmp	short loc_5D825C
; 

loc_5D8255:				; CODE XREF: FsRtlpOplockBreakToII+D0E7Ej
		or	eax, 200h
		push	8

loc_5D825C:				; CODE XREF: FsRtlpOplockBreakToII+D0E87j
		pop	ecx
		mov	[edi+48h], eax
		mov	eax, [edi]
		mov	[eax+1Ch], ecx
		mov	eax, [edi]
		mov	[eax+18h], ebx
		mov	dl, 1
		mov	ecx, [edi]
		call	IofCompleteRequest
		mov	[edi], ebx

loc_5D8275:				; CODE XREF: FsRtlpOplockBreakToII+D0EBBj
		test	[ebp+arg_4], 1
		jz	short loc_5D829A
		mov	ebx, 108h
		jmp	loc_5073F9
; 

loc_5D8285:				; CODE XREF: FsRtlpOplockBreakToII+D0DE3j
		test	al, al
		jns	short loc_5D8275
		and	eax, 20h
		or	eax, 1
		mov	[edi+48h], eax
		mov	[edi+4], ebx
		jmp	loc_5073F9
; 

loc_5D829A:				; CODE XREF: FsRtlpOplockBreakToII+D0EADj
		push	1
		xor	edx, edx
		mov	ecx, edi
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, edi
		call	FsRtlpOplockSendModernAppTermination
		mov	eax, [ebp+arg_28]
		mov	[eax], bl
		push	[ebp+arg_2C]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	ebx
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_FsRtlpWaitOnIrp@48 ; FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		jmp	loc_5073F9
; 

loc_5D82E1:				; CODE XREF: FsRtlpOplockBreakToII+D0DD5j
		mov	ebx, 0C0000909h
		jmp	loc_5073F9
; END OF FUNCTION CHUNK	FOR FsRtlpOplockBreakToII

;  S U B	R O U T	I N E 


sub_5D82EB	proc near		; DATA XREF: .text:006A4110o
		mov	ebx, [ebp-1Ch]
		jmp	nullsub_2
sub_5D82EB	endp

; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild

loc_5D82F3:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+5Ej
		mov	eax, edx
		xor	edx, edx
		mov	[ebp+var_8], eax
		mov	eax, [eax]
		jmp	loc_50749A
; 

loc_5D8301:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+8Bj
		dec	esi
		mov	eax, esi
		shl	eax, 3
		push	eax		; size_t
		mov	eax, [ebp+var_8]
		add	eax, 8
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		mov	eax, [eax+4]
		mov	[ebx+4], eax
		jmp	loc_5074C2
; 

loc_5D8323:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+E7j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_50750B
; 

loc_5D8330:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+EFj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_507513
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild
; 
; START	OF FUNCTION CHUNK FOR RtlStringCbCopyNExW

loc_5D833D:				; CODE XREF: RtlStringCbCopyNExW+35j
		mov	esi, ecx
		test	edi, edi
		jz	loc_507676
		xor	eax, eax
		mov	[ebx], ax
		jmp	loc_507676
; 

loc_5D8351:				; CODE XREF: RtlStringCbCopyNExW+3Fj
		test	eax, eax
		jz	loc_50767E
		mov	eax, [ebp+arg_0]
		cmp	[eax], si
		jz	loc_50767E
		mov	esi, ebx
		neg	esi
		sbb	esi, esi
		and	esi, 0BFFFFFF8h
		add	esi, ecx
		jmp	loc_507676
; 

loc_5D8378:				; CODE XREF: RtlStringCbCopyNExW+5Aj
					; RtlStringCbCopyNExW+62j
		cmp	[ebp+var_4], 0
		jz	loc_50767E
		test	edi, edi
		jz	loc_50767E
		xor	eax, eax
		mov	[ebx], ax
		jmp	loc_50767E
; END OF FUNCTION CHUNK	FOR RtlStringCbCopyNExW
; 
; START	OF FUNCTION CHUNK FOR IopGetFileVolumeNameInformation

loc_5D8394:				; CODE XREF: IopGetFileVolumeNameInformation+44j
		and	[ebp+ms_exc.disabled], 0
		mov	[ebx], eax
		and	dword ptr [ebx+4], 0
		jmp	short loc_5D83BA
; END OF FUNCTION CHUNK	FOR IopGetFileVolumeNameInformation

;  S U B	R O U T	I N E 


sub_5D83A0	proc near		; DATA XREF: .text:006A412Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-224h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5D83A0	endp


;  S U B	R O U T	I N E 


sub_5D83B1	proc near		; DATA XREF: .text:006A4130o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-224h]
sub_5D83B1	endp

; START	OF FUNCTION CHUNK FOR IopGetFileVolumeNameInformation

loc_5D83BA:				; CODE XREF: IopGetFileVolumeNameInformation+D0B8Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_5078A6
; END OF FUNCTION CHUNK	FOR IopGetFileVolumeNameInformation

;  S U B	R O U T	I N E 


sub_5D83C6	proc near		; DATA XREF: .text:006A4138o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-22Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_5D83C6	endp


;  S U B	R O U T	I N E 


sub_5D83D7	proc near		; DATA XREF: .text:006A413Co
		mov	esp, [ebp-18h]
		mov	edi, [ebp-22Ch]
		jmp	loc_50789D
sub_5D83D7	endp

; 
; START	OF FUNCTION CHUNK FOR MmAdjustWorkingSetSizeEx

loc_5D83E5:				; CODE XREF: MmAdjustWorkingSetSizeEx+3Bj
		push	2
		pop	ecx
		sub	eax, ecx
		jz	short loc_5D8405
		sub	eax, 1
		jz	short loc_5D83F9
		sub	eax, 1
		jnz	short loc_5D8418
		lea	ecx, [eax+1]

loc_5D83F9:				; CODE XREF: MmAdjustWorkingSetSizeEx+D0AE9j
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	esi, eax
		jmp	loc_507953
; 

loc_5D8405:				; CODE XREF: MmAdjustWorkingSetSizeEx+D0AE4j
		cmp	byte ptr ds:dword_6D5D90, 0
		jz	short loc_5D8418
		mov	esi, offset unk_6D5E80
		jmp	loc_507953
; 

loc_5D8418:				; CODE XREF: MmAdjustWorkingSetSizeEx+D0AEEj
					; MmAdjustWorkingSetSizeEx+D0B06j
		mov	eax, 0C00000F1h
		jmp	loc_507B33
; 

loc_5D8422:				; CODE XREF: MmAdjustWorkingSetSizeEx+66j
		mov	eax, offset unk_6D3C40
		jmp	loc_507977
; 

loc_5D842C:				; CODE XREF: MmAdjustWorkingSetSizeEx+A8j
		mov	edx, eax
		lea	ecx, [ebp+var_30]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_5079C1
; 

loc_5D843B:				; CODE XREF: MmAdjustWorkingSetSizeEx+C8j
		mov	[ebp+var_8], 0C000010Ah
		jmp	loc_507AF9
; 

loc_5D8447:				; CODE XREF: MmAdjustWorkingSetSizeEx+D0j
		mov	ebx, [esi+3Ch]
		jmp	loc_5079DF
; 

loc_5D844F:				; CODE XREF: MmAdjustWorkingSetSizeEx+E1j
		mov	eax, [esi+50h]
		jmp	loc_5079F0
; 

loc_5D8457:				; CODE XREF: MmAdjustWorkingSetSizeEx+296j
		mov	[ebp+var_8], 0C0000061h
		jmp	loc_507AF9
; 

loc_5D8463:				; CODE XREF: MmAdjustWorkingSetSizeEx+2DEj
		cmp	[ebp+arg_0], 0
		jnz	short loc_5D8481
		cmp	edi, ds:_PsInitialSystemProcess
		jz	short loc_5D8481
		mov	ecx, [edi+188h]
		mov	edx, edi
		push	ebx
		push	3
		call	PspReturnQuota

loc_5D8481:				; CODE XREF: MmAdjustWorkingSetSizeEx+D0B61j
					; MmAdjustWorkingSetSizeEx+D0B69j
		mov	[ebp+var_8], 0C000009Ah
		jmp	loc_507AF9
; 

loc_5D848D:				; CODE XREF: MmAdjustWorkingSetSizeEx+132j
		mov	[ebp+var_8], 0C000004Ch
		jmp	loc_507AF9
; 

loc_5D8499:				; CODE XREF: MmAdjustWorkingSetSizeEx+23Dj
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_8], 0C000004Ch
		cmp	byte ptr [eax],	1
		jnz	loc_507AF9
		cmp	[ebp+arg_0], 0
		jnz	short loc_5D84CA
		cmp	edi, ds:_PsInitialSystemProcess
		jz	short loc_5D84CA
		mov	ecx, [edi+188h]
		mov	edx, edi
		push	ebx
		push	3
		call	PspReturnQuota

loc_5D84CA:				; CODE XREF: MmAdjustWorkingSetSizeEx+D0BAAj
					; MmAdjustWorkingSetSizeEx+D0BB2j
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	loc_507AF9
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax
		jmp	loc_507AF9
; 

loc_5D84EC:				; CODE XREF: MmAdjustWorkingSetSizeEx+151j
		cmp	[ebp+arg_0], 0
		jnz	short loc_5D8516
		cmp	edi, ds:_PsInitialSystemProcess
		jz	short loc_5D8516
		mov	ecx, [edi+188h]
		mov	edx, edi
		push	ebx
		push	3
		call	PspReturnQuota
		mov	eax, [ebp+var_C]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_10]
		mov	[ebp+arg_4], eax

loc_5D8516:				; CODE XREF: MmAdjustWorkingSetSizeEx+D0BEAj
					; MmAdjustWorkingSetSizeEx+D0BF2j
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	loc_507A5D
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax
		jmp	loc_507A5D
; 

loc_5D8538:				; CODE XREF: MmAdjustWorkingSetSizeEx+182j
		mov	edx, eax
		lea	ecx, [ebp+var_24]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_507A9B
; 

loc_5D8547:				; CODE XREF: MmAdjustWorkingSetSizeEx+18Fj
		lea	ecx, [ebp+var_24]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_507A9B
; 

loc_5D8554:				; CODE XREF: MmAdjustWorkingSetSizeEx+19Ej
		or	al, 80h
		xor	ecx, ecx
		jmp	loc_507B58
; 

loc_5D855D:				; CODE XREF: MmAdjustWorkingSetSizeEx+1CBj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_507AF9
; 

loc_5D856D:				; CODE XREF: MmAdjustWorkingSetSizeEx+1EDj
		lea	ecx, [ebp+var_24]
		call	KxWaitForLockChainValid
		xor	ecx, ecx
		inc	ecx

loc_5D8578:				; CODE XREF: MmAdjustWorkingSetSizeEx+1D6j
		mov	[ebp+var_24], 0
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_507AF9
; 

loc_5D858A:				; CODE XREF: MmAdjustWorkingSetSizeEx+1FCj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_507B26
; 

loc_5D859A:				; CODE XREF: MmAdjustWorkingSetSizeEx+21Aj
		lea	ecx, [ebp+var_30]
		call	KxWaitForLockChainValid
		jmp	loc_507B7C
; END OF FUNCTION CHUNK	FOR MmAdjustWorkingSetSizeEx
; 
; START	OF FUNCTION CHUNK FOR MiCheckWsLimits

loc_5D85A7:				; CODE XREF: MiCheckWsLimits+25j
		mov	eax, ebx
		and	eax, 1
		jz	short loc_5D861E
		mov	esi, edx
		mov	edi, ecx
		jmp	loc_507C4B
; 

loc_5D85B7:				; CODE XREF: MiCheckWsLimits+32j
		mov	esi, eax
		mov	edi, ecx
		jmp	loc_507C58
; 

loc_5D85C0:				; CODE XREF: MiCheckWsLimits+3Aj
		mov	edx, eax
		mov	edi, ecx
		jmp	loc_507C60
; 

loc_5D85C9:				; CODE XREF: MiCheckWsLimits+45j
		mov	edx, ecx
		mov	edi, 40000002h
		cmp	esi, ecx
		jnb	loc_507C6B
		mov	esi, ecx
		jmp	loc_507C6B
; 

loc_5D85DF:				; CODE XREF: MiCheckWsLimits+60j
		test	ebx, ebx
		jz	short loc_5D861E
		lea	esi, [ecx+7]
		mov	edi, 40000002h
		jmp	loc_507C86
; 

loc_5D85F0:				; CODE XREF: MiCheckWsLimits+80j
		test	ebx, ebx
		jz	short loc_5D861E
		lea	esi, [edx+7]
		mov	edi, 40000002h
		jmp	loc_507CA6
; 

loc_5D8601:				; CODE XREF: MiCheckWsLimits+90j
		mov	eax, 1000h
		cmp	esi, eax
		jnb	loc_507CB6
		test	ebx, ebx
		jz	short loc_5D861E
		mov	esi, eax
		mov	edi, 40000002h
		jmp	loc_507CB6
; 

loc_5D861E:				; CODE XREF: MiCheckWsLimits+D098Cj
					; MiCheckWsLimits+D09C1j ...
		mov	eax, 0C000004Ch
		jmp	loc_507CC2
; END OF FUNCTION CHUNK	FOR MiCheckWsLimits
; 
; START	OF FUNCTION CHUNK FOR MiCreatePteCopyList

loc_5D8628:				; CODE XREF: MiCreatePteCopyList+33j
		mov	edx, [esi+4]
		add	edx, 0FFFFFFFEh
		mov	[esi+4], edx
		jnz	loc_508086
		jmp	loc_50809B
; END OF FUNCTION CHUNK	FOR MiCreatePteCopyList
; 
; START	OF FUNCTION CHUNK FOR PoFxCompleteIdleCondition

loc_5D863C:				; CODE XREF: PoFxCompleteIdleCondition+20j
		mov	ecx, [esi+1Ch]
		mov	edx, edi
		push	0
		push	1
		push	0Dh
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	PopFxIdleWorkerTail
		jmp	loc_5081B0
; 

loc_5D865C:				; CODE XREF: PoFxCompleteIdleCondition+28j
		push	2
		push	edi
		mov	edx, esi
		mov	ecx, 613h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
		int	3		; Trap to Debugger

loc_5D866C:				; CODE XREF: KeRemoveQueueApc+22j
					; PoFxCompleteIdleCondition+D04EEj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5D866C
		jmp	loc_5081DD
; END OF FUNCTION CHUNK	FOR PoFxCompleteIdleCondition
; 
; START	OF FUNCTION CHUNK FOR KiRemoveQueueApc

loc_5D867F:				; CODE XREF: KiRemoveQueueApc+8j
		mov	ecx, [edx+8]
		mov	bh, [edx+2Dh]
		add	ecx, 70h
		push	esi
		lea	esi, [edx+0Ch]
		mov	byte ptr [edx+2Eh], 0
		mov	eax, [esi+4]
		push	edi
		mov	edi, [esi]
		cmp	[edi+4], esi
		jnz	short loc_5D86CB
		cmp	[eax], esi
		jnz	short loc_5D86CB
		mov	[eax], edi
		mov	[edi+4], eax
		cmp	eax, edi
		jnz	short loc_5D86BE
		movsx	eax, bh
		lea	eax, [ecx+eax*8]
		cmp	[esi], eax
		jnz	short loc_5D86BE
		cmp	[edx+10h], eax
		jnz	short loc_5D86BE
		test	bh, bh
		jnz	short loc_5D86C5
		mov	[ecx+15h], bh

loc_5D86BE:				; CODE XREF: KiRemoveQueueApc+D04A0j
					; KiRemoveQueueApc+D04AAj ...
		pop	edi
		pop	esi
		jmp	loc_508214
; 

loc_5D86C5:				; CODE XREF: KiRemoveQueueApc+D04B3j
		and	byte ptr [ecx+16h], 0FDh
		jmp	short loc_5D86BE
; 

loc_5D86CB:				; CODE XREF: KiRemoveQueueApc+D0493j
					; KiRemoveQueueApc+D0497j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5D86D0:				; CODE XREF: RtlEnumerateGenericTableWithoutSplaying+1Aj
		push	ecx
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		test	eax, eax
		jz	loc_50824B
		jmp	loc_508249
; END OF FUNCTION CHUNK	FOR KiRemoveQueueApc
; 
; START	OF FUNCTION CHUNK FOR PspIsProcessReadyForRemoteThread

loc_5D86E3:				; CODE XREF: PspIsProcessReadyForRemoteThread+1Ej
		mov	eax, [esi+3A8h]
		test	al, 1
		jnz	loc_50827C
		test	eax, 1000h
		jnz	loc_50827C
		mov	[ebp+var_35], 0
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [esi+17Ch]
		cmp	dword ptr [eax+0Ch], 0
		setnz	[ebp+var_35]
		jmp	short loc_5D8728
; END OF FUNCTION CHUNK	FOR PspIsProcessReadyForRemoteThread

;  S U B	R O U T	I N E 


sub_5D8721	proc near		; DATA XREF: .text:006A4174o
		xor	eax, eax
		inc	eax
		retn
sub_5D8721	endp


;  S U B	R O U T	I N E 


sub_5D8725	proc near		; DATA XREF: .text:006A4178o
		mov	esp, [ebp-18h]
sub_5D8725	endp

; START	OF FUNCTION CHUNK FOR PspIsProcessReadyForRemoteThread

loc_5D8728:				; CODE XREF: PspIsProcessReadyForRemoteThread+D04C7j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_508280
; END OF FUNCTION CHUNK	FOR PspIsProcessReadyForRemoteThread
; 
; START	OF FUNCTION CHUNK FOR ExFreeSvmAsid

loc_5D873E:				; CODE XREF: ExFreeSvmAsid+1Fj
		mov	esi, [edi+3B0h]
		mov	[ebp+var_4], esi

loc_5D8747:				; CODE XREF: ExFreeSvmAsid+D0499j
		lea	ecx, [edi+3BCh]
		mov	eax, [ecx]
		mov	[ebp+var_8], eax
		cmp	[eax+4], ecx
		jnz	short loc_5D87AA
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_5D87AA
		mov	[ecx], edx
		mov	[edx+4], ecx
		cmp	eax, ecx
		jz	short loc_5D878B
		mov	esi, [eax+8]
		mov	eax, ds:_HalIommuDispatch
		push	dword ptr [esi+3Ch]
		push	[ebp+var_4]
		call	dword ptr [eax+18h]
		mov	ecx, esi
		call	_ExpSvmDereferenceDevice@4 ; ExpSvmDereferenceDevice(x)
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_5D8747
; 

loc_5D878B:				; CODE XREF: ExFreeSvmAsid+D0475j
		mov	eax, ds:_HalIommuDispatch
		push	[ebp+var_4]
		call	dword ptr [eax+20h]
		and	dword ptr [edi+3B0h], 0
		lea	ecx, [ebx-1]
		call	_ExpFreeAsid@4	; ExpFreeAsid(x)
		jmp	loc_508315
; 

loc_5D87AA:				; CODE XREF: ExFreeSvmAsid+D0465j
					; ExFreeSvmAsid+D046Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5D87AF:				; CODE XREF: PfSnStartTraceTimer+1Dj
		mov	edi, 0C0000189h
		jmp	loc_5083B0
; END OF FUNCTION CHUNK	FOR ExFreeSvmAsid
; 
; START	OF FUNCTION CHUNK FOR PfSnStartTraceTimer

loc_5D87B9:				; CODE XREF: PfSnStartTraceTimer+79j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_50839E
; 

loc_5D87C8:				; CODE XREF: PfSnStartTraceTimer+90j
		mov	ecx, [ebp+var_8]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_5083B0
; END OF FUNCTION CHUNK	FOR PfSnStartTraceTimer
; 

loc_5D87D5:				; CODE XREF: .text:00508406j
					; .text:0050840Ej
		mov	byte ptr [eax],	0
		jmp	loc_508414
; 

loc_5D87DD:				; DATA XREF: .text:006A4194o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_5D87EB:				; DATA XREF: .text:006A4198o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_5084BF
; 

loc_5D87FD:				; DATA XREF: .text:006A41A0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_5D880D:				; DATA XREF: .text:006A41A4o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-28h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		inc	ebx
		jmp	loc_508467
; 

loc_5D8822:				; CODE XREF: .text:00508484j
		mov	edx, [ebp+4]
		lea	ecx, [ebp-34h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5084AC
; 

loc_5D8832:				; CODE XREF: .text:005084A6j
		lea	ecx, [ebp-34h]
		call	KxWaitForLockChainValid

loc_5D883A:				; CODE XREF: .text:0050848Fj
		mov	dword ptr [ebp-34h], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_5084AC
; 
; START	OF FUNCTION CHUNK FOR IopCancelIrpsInCurrentThreadListSpecialApc

loc_5D884C:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+8Bj
					; IopCancelIrpsInCurrentThreadListSpecialApc+95j
		mov	byte ptr [edx+14h], 1
		mov	bh, 1
		mov	byte ptr [edi],	1
		mov	dword ptr [esi+4Ch], 1
		jmp	loc_508589
; 

loc_5D8861:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+DAj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5085D3
; 

loc_5D8870:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+EFj
		push	0
		push	[ebp+arg_C]
		call	_KeAlertThread@8 ; KeAlertThread(x,x)
		jmp	loc_5085E3
; 

loc_5D887F:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+4Fj
		test	ds:byte_70EFC6,	1
		jz	short loc_5D8894
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5D8899
; 

loc_5D8894:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+D0398j
		xor	eax, eax
		lock and [edi],	eax

loc_5D8899:				; CODE XREF: IopCancelIrpsInCurrentThreadListSpecialApc+D03A4j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_5085E3
; END OF FUNCTION CHUNK	FOR IopCancelIrpsInCurrentThreadListSpecialApc
; 
; START	OF FUNCTION CHUNK FOR ExRemoveVirtualizedTimer

loc_5D88A6:				; CODE XREF: ExRemoveVirtualizedTimer+35j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5086A8
; END OF FUNCTION CHUNK	FOR ExRemoveVirtualizedTimer
; 
; START	OF FUNCTION CHUNK FOR PspSetProcessFreezeStateCallback

loc_5D88B5:				; CODE XREF: PspSetProcessFreezeStateCallback+D3j
		mov	edx, [ebp+4]
		lea	ecx, [esi+454h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5087A4
; END OF FUNCTION CHUNK	FOR PspSetProcessFreezeStateCallback
; 
; START	OF FUNCTION CHUNK FOR ExTimerResume

loc_5D88C8:				; CODE XREF: ExTimerResume+2Bj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_50880A
; END OF FUNCTION CHUNK	FOR ExTimerResume
; 
; START	OF FUNCTION CHUNK FOR ExpTimerResume

loc_5D88D7:				; CODE XREF: ExpTimerResume+23j
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		sub	ecx, edi
		mov	edi, ecx
		sbb	eax, edx
		mov	edx, eax
		js	loc_508839
		xor	edi, edi
		xor	edx, edx
		jmp	loc_508839
; END OF FUNCTION CHUNK	FOR ExpTimerResume
; 
; START	OF FUNCTION CHUNK FOR EtwpIsExecutingInArbitraryThreadContext

loc_5D88F4:				; CODE XREF: EtwpIsExecutingInArbitraryThreadContext+7j
					; EtwpIsExecutingInArbitraryThreadContext+15j
		mov	eax, large fs:20h
		cmp	byte ptr [eax+11h], 0
		jz	loc_5088C1
		mov	al, 1
		retn
; END OF FUNCTION CHUNK	FOR EtwpIsExecutingInArbitraryThreadContext
; 
; START	OF FUNCTION CHUNK FOR CountUnicodeToUTF8

loc_5D8907:				; CODE XREF: CountUnicodeToUTF8+2Aj
		add	eax, 0FFFF2400h
		inc	edx
		cmp	eax, 3FFh
		ja	loc_508AEC
		mov	esi, 0FFFDh
		add	ecx, 2
		jmp	loc_508AEC
; 

loc_5D8925:				; CODE XREF: CountUnicodeToUTF8+4Ej
		mov	[ebp+var_4], 107h
		mov	esi, 0FFFDh
		jmp	loc_508AFA
; 

loc_5D8936:				; CODE XREF: CountUnicodeToUTF8+57j
		cmp	esi, edi
		jbe	short loc_5D893B
		inc	edx

loc_5D893B:				; CODE XREF: CountUnicodeToUTF8+CFE92j
		inc	edx
		jmp	loc_508B03
; 

loc_5D8941:				; CODE XREF: CountUnicodeToUTF8+7Bj
		cmp	esi, edi
		jbe	short loc_5D8958
		mov	eax, esi
		and	eax, 0F800h
		cmp	eax, 0D800h
		jz	loc_5D89ED
		inc	edx

loc_5D8958:				; CODE XREF: CountUnicodeToUTF8+CFE9Dj
		inc	edx
		jmp	loc_508B27
; 

loc_5D895E:				; CODE XREF: CountUnicodeToUTF8+FBj
		cmp	esi, edi
		jbe	short loc_5D8971
		mov	eax, esi
		and	eax, 0F800h
		cmp	eax, 0D800h
		jz	short loc_5D89ED
		inc	edx

loc_5D8971:				; CODE XREF: CountUnicodeToUTF8+CFEBAj
		inc	edx
		jmp	loc_508B2C
; 

loc_5D8977:				; CODE XREF: CountUnicodeToUTF8+99j
		test	esi, 0F800F800h
		jnz	short loc_5D89D9
		mov	esi, 0FF800000h
		test	eax, esi
		jz	short loc_5D8989
		inc	edx

loc_5D8989:				; CODE XREF: CountUnicodeToUTF8+CFEE0j
		test	eax, 0FF80h
		jz	short loc_5D8991
		inc	edx

loc_5D8991:				; CODE XREF: CountUnicodeToUTF8+CFEE8j
		test	edi, esi
		jz	short loc_5D8996
		inc	edx

loc_5D8996:				; CODE XREF: CountUnicodeToUTF8+CFEEDj
		test	edi, 0FF80h
		jz	loc_508B45
		inc	edx
		jmp	loc_508B45
; 

loc_5D89A8:				; CODE XREF: CountUnicodeToUTF8+B1j
		test	esi, 0F800F800h
		jnz	short loc_5D89D9
		mov	esi, 0FF800000h
		test	eax, esi
		jz	short loc_5D89BA
		inc	edx

loc_5D89BA:				; CODE XREF: CountUnicodeToUTF8+CFF11j
		test	eax, 0FF80h
		jz	short loc_5D89C2
		inc	edx

loc_5D89C2:				; CODE XREF: CountUnicodeToUTF8+CFF19j
		test	edi, esi
		jz	short loc_5D89C7
		inc	edx

loc_5D89C7:				; CODE XREF: CountUnicodeToUTF8+CFF1Ej
		test	edi, 0FF80h
		jz	loc_508B5D
		inc	edx
		jmp	loc_508B5D
; 

loc_5D89D9:				; CODE XREF: CountUnicodeToUTF8+CFED7j
					; CountUnicodeToUTF8+CFF08j
		movzx	esi, ax
		add	ecx, 2
		mov	edi, 7FFh
		cmp	esi, 7Fh
		jbe	loc_508B14

loc_5D89ED:				; CODE XREF: CountUnicodeToUTF8+CFEABj
					; CountUnicodeToUTF8+CFEC8j
		cmp	esi, edi
		jbe	short loc_5D8A16
		lea	eax, [esi-0D800h]
		cmp	eax, edi
		ja	short loc_5D8A15
		cmp	esi, 0DBFFh
		ja	short loc_5D8A1C
		movzx	eax, word ptr [ecx]
		sub	eax, 0DC00h
		cmp	eax, 3FFh
		ja	short loc_5D8A1C
		add	ecx, 2

loc_5D8A15:				; CODE XREF: CountUnicodeToUTF8+CFF53j
		inc	edx

loc_5D8A16:				; CODE XREF: CountUnicodeToUTF8+CFF49j
		inc	edx
		jmp	loc_508B14
; 

loc_5D8A1C:				; CODE XREF: CountUnicodeToUTF8+CFF5Bj
					; CountUnicodeToUTF8+CFF6Aj
		sub	ecx, 2
		jmp	loc_508B67
; 

loc_5D8A24:				; CODE XREF: CountUnicodeToUTF8+40j
		dec	edx
		jmp	loc_508AC3
; END OF FUNCTION CHUNK	FOR CountUnicodeToUTF8
; 
; START	OF FUNCTION CHUNK FOR SepLpacCausedAccessFailure

loc_5D8A2A:				; CODE XREF: SepLpacCausedAccessFailure+4j
		mov	eax, [ecx+10h]
		push	esi
		mov	esi, [ecx+8]
		or	esi, [ecx+4]
		or	esi, 2000000h
		not	esi
		and	esi, edx
		and	eax, esi
		cmp	eax, esi
		pop	esi
		jnz	loc_508C52
		mov	al, 1
		retn
; END OF FUNCTION CHUNK	FOR SepLpacCausedAccessFailure
; 
; START	OF FUNCTION CHUNK FOR IopUnloadSafeCompletion

loc_5D8A4C:				; CODE XREF: IopUnloadSafeCompletion:loc_508C6Ej
		cmp	[ebx+24h], cl
		jz	short loc_5D8A5A
		cmp	[edi+0Eh], cl
		jnz	loc_508C74

loc_5D8A5A:				; CODE XREF: IopUnloadSafeCompletion+CFDF9j
		cmp	[ebx+21h], cl
		jz	short loc_5D8A6D
		mov	eax, [ebx+60h]
		mov	ebx, 103h
		or	byte ptr [eax+3], 1
		jmp	short loc_5D8A6F
; 

loc_5D8A6D:				; CODE XREF: IopUnloadSafeCompletion+CFE07j
		mov	ebx, ecx

loc_5D8A6F:				; CODE XREF: IopUnloadSafeCompletion+CFE15j
		push	ecx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_508CA4
; END OF FUNCTION CHUNK	FOR IopUnloadSafeCompletion
; 
; START	OF FUNCTION CHUNK FOR KiGetPendingTick

loc_5D8A7B:				; CODE XREF: KiGetPendingTick+7j
		mov	eax, ds:_KiClockTimerOwner
		mov	eax, ds:_KiProcessorBlock[eax*4]
		jmp	loc_508CC5
; END OF FUNCTION CHUNK	FOR KiGetPendingTick
; 
; START	OF FUNCTION CHUNK FOR SepAppendAceToTokenDefaultDacl

loc_5D8A8C:				; CODE XREF: SepAppendAceToTokenDefaultDacl+A6j
		mov	esi, 0C000009Ah
		jmp	loc_508E56
; END OF FUNCTION CHUNK	FOR SepAppendAceToTokenDefaultDacl
; 
; START	OF FUNCTION CHUNK FOR LZNT1DecompressChunkWorkItem

loc_5D8A96:				; CODE XREF: LZNT1DecompressChunkWorkItem+21j
		mov	ecx, [esi+28h]
		cmp	[ecx+14h], edx
		jl	loc_508E8F
		mov	[ecx+14h], eax
		jmp	loc_508E8F
; END OF FUNCTION CHUNK	FOR LZNT1DecompressChunkWorkItem
; 
; START	OF FUNCTION CHUNK FOR MiCheckSystemNxFault

loc_5D8AAA:				; CODE XREF: MiCheckSystemNxFault+26j
		or	edx, 80000000h

loc_5D8AB0:				; CODE XREF: MiCheckSystemNxFault+32j
					; MiCheckSystemNxFault+3Aj
		push	edx
		push	dword ptr [ecx+8]
		push	esi
		push	dword ptr [ecx]
		push	0FCh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5D8AC2:				; CODE XREF: SSHSupportReleasePushLockExclusive+2Dj
		test	al, 4
		jnz	loc_509183
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_8]
		jmp	loc_509183
; END OF FUNCTION CHUNK	FOR MiCheckSystemNxFault
; 
; START	OF FUNCTION CHUNK FOR SSHSupportReleasePushLockExclusive

loc_5D8AD7:				; CODE XREF: SSHSupportReleasePushLockExclusive+164j
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D8AEA:				; CODE XREF: SSHSupportReleasePushLockExclusive+FEj
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]
		jmp	loc_50925A
; 

loc_5D8AFB:				; CODE XREF: SSHSupportReleasePushLockExclusive+1A4j
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_50926D
; END OF FUNCTION CHUNK	FOR SSHSupportReleasePushLockExclusive
; 
; START	OF FUNCTION CHUNK FOR KiGetComparisonRanks

loc_5D8B0D:				; CODE XREF: KiGetComparisonRanks+3Ej
		mov	bh, byte ptr [ebp+arg_0+3]
		mov	bl, 1

loc_5D8B12:				; CODE XREF: KiGetComparisonRanks+CF7FAj
		mov	esi, [ecx+60h]
		cmp	esi, edx
		jbe	short loc_5D8B1B
		mov	edx, esi

loc_5D8B1B:				; CODE XREF: KiGetComparisonRanks+CF7EDj
		mov	ecx, [ecx+0F4h]
		cmp	[ecx+5Dh], bh
		ja	short loc_5D8B12
		jmp	loc_509373
; 

loc_5D8B2B:				; CODE XREF: KiGetComparisonRanks+79j
					; KiGetComparisonRanks+CF813j
		mov	esi, [eax+60h]
		cmp	esi, edx
		jbe	short loc_5D8B34
		mov	edx, esi

loc_5D8B34:				; CODE XREF: KiGetComparisonRanks+CF806j
		mov	eax, [eax+0F4h]
		cmp	bh, [eax+5Dh]
		jb	short loc_5D8B2B
		jmp	loc_509373
; 

loc_5D8B44:				; CODE XREF: KiGetComparisonRanks+81j
					; KiGetComparisonRanks+CF82Cj
		mov	ecx, edi
		mov	eax, esi
		mov	edi, [ecx+0F4h]
		mov	esi, [eax+0F4h]
		cmp	edi, esi
		jnz	short loc_5D8B44
		mov	esi, [ebp+arg_0]

loc_5D8B5B:				; CODE XREF: KiGetComparisonRanks+51j
		test	bl, bl
		jz	loc_509396
		jle	short loc_5D8B6C
		xor	edx, edx
		jmp	loc_50939C
; 

loc_5D8B6C:				; CODE XREF: KiGetComparisonRanks+CF839j
		xor	esi, esi
		jmp	loc_50939C
; END OF FUNCTION CHUNK	FOR KiGetComparisonRanks
; 
; START	OF FUNCTION CHUNK FOR StringCchPrintfW

loc_5D8B73:				; CODE XREF: StringCchPrintfW+17j
		test	eax, eax
		jz	loc_5093E1
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	[eax], dx
		jmp	loc_5093E1
; END OF FUNCTION CHUNK	FOR StringCchPrintfW
; 
; START	OF FUNCTION CHUNK FOR wil_details_StagingConfig_QueryFeatureState

loc_5D8B88:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+39j
		mov	eax, [ebp+var_14]
		mov	edi, [ebp+var_8]

loc_5D8B8E:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF7BAj
		mov	edx, [ebp+arg_0]
		cmp	[eax], edx
		mov	edx, [ebp+var_4]
		jnz	short loc_5D8BE0
		cmp	[ebp+arg_4], ebx
		jz	short loc_5D8BC8
		mov	edi, [ebp+var_C]
		cmp	[edi+20h], ebx
		jz	short loc_5D8BC8
		test	byte ptr [eax+4], 1
		jnz	short loc_5D8BDD
		imul	esi, ecx, 0Ch
		lea	edi, [ebp+var_20]
		add	esi, [ebp+var_14]
		movsd
		movsd
		movsd

loc_5D8BB7:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+43j
		cmp	[ebp+arg_4], ebx
		jz	short loc_5D8BED
		mov	eax, [ebp+var_C]
		cmp	[eax+20h], ebx
		jz	short loc_5D8BED
		push	0Ch
		jmp	short loc_5D8BEF
; 

loc_5D8BC8:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF76Fj
					; wil_details_StagingConfig_QueryFeatureState+CF777j
		mov	esi, eax
		lea	edi, [ebp+var_20]
		movsd
		movsd
		movsd
		xor	esi, esi
		inc	esi
		test	byte ptr [eax+4], 1
		jnz	loc_50946B

loc_5D8BDD:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF77Dj
		mov	edi, [ebp+var_8]

loc_5D8BE0:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF76Aj
		inc	ecx
		add	eax, 0Ch
		cmp	ecx, edi
		jb	short loc_5D8B8E
		jmp	loc_50946B
; 

loc_5D8BED:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF78Ej
					; wil_details_StagingConfig_QueryFeatureState+CF796j
		push	8

loc_5D8BEF:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF79Aj
		mov	ecx, [ebp+var_10]
		mov	esi, [ebp+var_1C]
		pop	eax
		mov	eax, [eax+ecx]
		test	al, 4
		jz	short loc_5D8C06
		and	esi, 0FFFFCFFFh
		mov	[ebp+var_1C], esi

loc_5D8C06:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF7CFj
		test	al, 2
		jz	short loc_5D8C13
		and	esi, 0FFFFF3FFh
		mov	[ebp+var_1C], esi

loc_5D8C13:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF7DCj
		test	al, 1
		jz	short loc_5D8C20
		and	esi, 0FFFFFCFFh
		mov	[ebp+var_1C], esi

loc_5D8C20:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF7E9j
		test	al, 8
		jz	short loc_5D8C30
		and	esi, 0C0FFFFFFh
		mov	[ebp+var_18], ebx
		mov	[ebp+var_1C], esi

loc_5D8C30:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF7F6j
		lea	ecx, [ebp+var_20]
		mov	edi, ebx
		call	_wil_details_StagingConfigFeature_HasUniqueState@4 ; wil_details_StagingConfigFeature_HasUniqueState(x)
		mov	edx, [ebp+var_4]
		test	eax, eax
		jz	loc_509475
		mov	eax, [ebp+var_18]
		mov	[edx+0Ch], eax
		mov	eax, esi
		shr	eax, 1Eh
		mov	[edx+8], eax
		mov	eax, esi
		shr	eax, 18h
		and	al, 3Fh
		mov	[edx+4], al
		mov	eax, esi
		shr	eax, 1
		and	eax, 1
		mov	[edx+14h], eax
		mov	eax, esi
		shr	eax, 0Ch
		and	eax, 3
		jnz	short loc_5D8C87
		mov	eax, esi
		shr	eax, 0Ah
		and	eax, 3
		jnz	short loc_5D8C87
		shr	esi, 8
		and	esi, 3
		jz	short loc_5D8C89
		mov	[edx], esi
		jmp	short loc_5D8C89
; 

loc_5D8C87:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF843j
					; wil_details_StagingConfig_QueryFeatureState+CF84Dj
		mov	[edx], eax

loc_5D8C89:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF855j
					; wil_details_StagingConfig_QueryFeatureState+CF859j
		xor	edi, edi
		inc	edi
		jmp	loc_509475
; 

loc_5D8C91:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+5Aj
					; wil_details_StagingConfig_QueryFeatureState+CF875j
		mov	edx, [ebp+arg_0]
		cmp	[eax], edx
		mov	edx, [ebp+var_4]
		jz	short loc_5D8CA8
		inc	ecx
		add	eax, 10h
		cmp	ecx, esi
		jb	short loc_5D8C91
		jmp	loc_50948C
; 

loc_5D8CA8:				; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF86Dj
		xor	ebx, ebx
		inc	ebx
		jmp	loc_50948C
; END OF FUNCTION CHUNK	FOR wil_details_StagingConfig_QueryFeatureState
; 
; START	OF FUNCTION CHUNK FOR RtlReleaseSwapReference

loc_5D8CB0:				; CODE XREF: RtlReleaseSwapReference+38j
		lea	eax, [ebp+var_4]
		push	eax
		call	_RtlBackoff@4	; RtlBackoff(x)
		jmp	loc_50958A
; 

loc_5D8CBE:				; CODE XREF: RtlReleaseSwapReference+1Bj
		or	eax, 0FFFFFFFFh
		lock xadd [edi+4], eax
		dec	eax
		jnz	loc_5095B6
		and	[ebp+var_8], 0
		lea	ecx, [edi+8]
		xor	edx, edx
		lea	eax, [ebp+var_8]
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	loc_5095B6
		push	edx
		call	ExpUnblockPushLock
		jmp	loc_5095B6
; END OF FUNCTION CHUNK	FOR RtlReleaseSwapReference
; 
; START	OF FUNCTION CHUNK FOR RtlAcquireSwapReference

loc_5D8CEF:				; CODE XREF: RtlAcquireSwapReference+2Ej
		lea	eax, [ebp+var_4]
		push	eax
		call	_RtlBackoff@4	; RtlBackoff(x)
		jmp	loc_509616
; END OF FUNCTION CHUNK	FOR RtlAcquireSwapReference
; 
; START	OF FUNCTION CHUNK FOR CcSetLazyWriteScanQueued

loc_5D8CFD:				; CODE XREF: CcSetLazyWriteScanQueued+17j
		sub	edx, 4
		jz	short loc_5D8D19
		sub	edx, 8
		jnz	loc_509732
		mov	al, [ebp+arg_0]
		mov	[ecx+196h], al
		jmp	loc_509732
; 

loc_5D8D19:				; CODE XREF: CcSetLazyWriteScanQueued+CF5F4j
		mov	al, [ebp+arg_0]
		mov	[ecx+192h], al
		jmp	loc_509732
; 

loc_5D8D27:				; CODE XREF: CcSetLazyWriteScanQueued+8j
		mov	al, [ebp+arg_0]
		mov	[ecx+194h], al
		jmp	loc_509732
; END OF FUNCTION CHUNK	FOR CcSetLazyWriteScanQueued
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStUpdateMemoryCondition

loc_5D8D35:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStUpdateMemoryCondition+3Fj
		cmp	edx, eax
		jz	short loc_5D8D40
		push	eax
		push	ecx
		call	KeSetActualBasePriorityThread

loc_5D8D40:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStUpdateMemoryCondition+CF5F5j
		test	ebx, ebx
		jg	loc_50978B
		lea	edx, [esi+10D0h]
		lea	ecx, [esi+38h]
		call	?StDmLazyWorkItemQueue@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StDmLazyWorkItemQueue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)
		jmp	loc_50978B
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStUpdateMemoryCondition
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes

loc_5D8D5B:				; CODE XREF: B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+4Bj
		mov	eax, [ecx]
		lea	ecx, [edi+edx*8]
		mov	[ecx+8], eax
		mov	eax, [esi+4]
		mov	[edi+edx*8+0Ch], eax
		inc	edx
		movzx	eax, word ptr [esi]
		shl	eax, 3
		push	eax
		mov	[ebp+arg_0], edx
		lea	eax, [esi+8]
		inc	edx
		push	eax
		lea	eax, [edi+edx*8]
		push	eax
		jmp	loc_50980C
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes
; 
; START	OF FUNCTION CHUNK FOR ExpTimerPause

loc_5D8D83:				; CODE XREF: ExpTimerPause+5Ej
		sub	eax, 1
		jnz	loc_509982
		mov	eax, [ebp+var_C]
		mov	[esi+0B0h], eax
		mov	eax, [ebp+var_8]
		mov	[esi+0B4h], eax
		jmp	loc_509982
; 

loc_5D8DA3:				; CODE XREF: ExpTimerPause+BEj
					; ExpTimerPause+CCj
		mov	[esi+0B0h], edi
		mov	[esi+0B4h], edi
		jmp	loc_509982
; 

loc_5D8DB4:				; CODE XREF: ExpTimerPause+9Cj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5099A1
; END OF FUNCTION CHUNK	FOR ExpTimerPause
; 
; START	OF FUNCTION CHUNK FOR OBJECT_HEADER_TO_AUDIT_INFO

loc_5D8DC3:				; CODE XREF: OBJECT_HEADER_TO_AUDIT_INFO+5j
		movzx	eax, al
		and	eax, 3Fh
		movzx	eax, ds:_ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		jmp	loc_509A57
; END OF FUNCTION CHUNK	FOR OBJECT_HEADER_TO_AUDIT_INFO
; 
; START	OF FUNCTION CHUNK FOR IopCompletePageWrite

loc_5D8DD7:				; CODE XREF: IopCompletePageWrite+Fj
		mov	eax, [edx+18h]
		mov	ecx, 0C0000000h
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_509A6F
		push	edx
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		jmp	loc_509A98
; END OF FUNCTION CHUNK	FOR IopCompletePageWrite
; 
; START	OF FUNCTION CHUNK FOR MiDeleteCloneZombies

loc_5D8DF4:				; CODE XREF: MiDeleteCloneZombies+1Bj
		lea	esi, [ecx+240h]
		test	edx, edx
		jz	short loc_5D8E02
		mov	bl, 21h
		jmp	short loc_5D8E25
; 

loc_5D8E02:				; CODE XREF: MiDeleteCloneZombies+CF360j
		mov	al, [esi+60h]
		mov	edi, offset unk_6D3C40
		and	al, 7
		cmp	al, 2
		jz	short loc_5D8E16
		lea	edi, [esi+80h]

loc_5D8E16:				; CODE XREF: MiDeleteCloneZombies+CF372j
		push	edi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [edi+4], 0
		mov	bl, al
		mov	ecx, [ebp+var_4]

loc_5D8E25:				; CODE XREF: MiDeleteCloneZombies+CF364j
		call	_MiDeleteDeferredCloneDescriptors@4 ; MiDeleteDeferredCloneDescriptors(x)
		mov	edi, eax
		cmp	bl, 21h
		jz	short loc_5D8E3A
		mov	dl, bl
		mov	ecx, esi
		call	MiUnlockWorkingSetExclusive

loc_5D8E3A:				; CODE XREF: MiDeleteCloneZombies+CF393j
		test	edi, edi
		jz	loc_509ABD

loc_5D8E42:				; CODE XREF: MiDeleteCloneZombies+CF3B4j
		mov	esi, [edi]
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_5D8E42
		jmp	loc_509ABD
; END OF FUNCTION CHUNK	FOR MiDeleteCloneZombies
; 

loc_5D8E57:				; CODE XREF: .text:00509B7Bj
		mov	cx, [ebp+20h]
		mov	eax, 0FFFFh
		mov	[esi+0Ah], ax
		mov	[esi+8], cx
		jmp	loc_509B8A
; 

loc_5D8E6D:				; CODE XREF: .text:00509BB4j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_509BBF
; 
; START	OF FUNCTION CHUNK FOR KeIsSingleGroupAffinityEx

loc_5D8E7A:				; CODE XREF: KeIsSingleGroupAffinityEx+Cj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_5D8E86
		xor	ecx, ecx
		mov	[eax], cx

loc_5D8E86:				; CODE XREF: KeIsSingleGroupAffinityEx+CF29Dj
		xor	eax, eax
		inc	eax
		jmp	loc_509BF6
; END OF FUNCTION CHUNK	FOR KeIsSingleGroupAffinityEx
; 
; START	OF FUNCTION CHUNK FOR RealPredecessor

loc_5D8E8E:				; CODE XREF: RealPredecessor+CF265j
		mov	eax, ecx

loc_5D8E90:				; CODE XREF: RealPredecessor+5j
		mov	ecx, [eax+8]
		test	ecx, ecx
		jnz	short loc_5D8E8E
		retn
; END OF FUNCTION CHUNK	FOR RealPredecessor
; 
; START	OF FUNCTION CHUNK FOR CcPerfLogLoggedStreamsStats

loc_5D8E98:				; CODE XREF: CcPerfLogLoggedStreamsStats+54j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_509F7A
; END OF FUNCTION CHUNK	FOR CcPerfLogLoggedStreamsStats
; 
; START	OF FUNCTION CHUNK FOR CcIsLazyWriteScanQueued

loc_5D8EA8:				; CODE XREF: CcIsLazyWriteScanQueued+Ej
		cmp	edx, 8
		jz	short loc_5D8EB7
		cmp	edx, 10h
		jz	loc_50A099
		retn
; 

loc_5D8EB7:				; CODE XREF: CcIsLazyWriteScanQueued+CEE37j
		mov	al, [ecx+192h]
		retn
; END OF FUNCTION CHUNK	FOR CcIsLazyWriteScanQueued
; 
; START	OF FUNCTION CHUNK FOR IoGetLowerDeviceObjectWithTag

loc_5D8EBE:				; CODE XREF: IoGetLowerDeviceObjectWithTag+28j
		test	al, 0Eh
		jnz	short loc_5D8ECB
		cmp	[ecx+18h], edi
		jnz	loc_50A0FE

loc_5D8ECB:				; CODE XREF: IoGetLowerDeviceObjectWithTag+CEDF0j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jz	short loc_5D8EEF
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_50A13F
; 

loc_5D8EEF:				; CODE XREF: IoGetLowerDeviceObjectWithTag+CEE0Ej
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5D8F0F
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	loc_50A13F
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5D8F0F:				; CODE XREF: IoGetLowerDeviceObjectWithTag+CEE23j
		xor	ecx, ecx
		mov	[esi], edi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_50A13F
; 

loc_5D8F1F:				; CODE XREF: IoGetLowerDeviceObjectWithTag+4Aj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_50A13D
; 

loc_5D8F2E:				; CODE XREF: IoGetLowerDeviceObjectWithTag+67j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5D8F35:				; CODE XREF: IoGetLowerDeviceObjectWithTag+54j
		xor	ecx, ecx
		mov	[esi], edi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_50A13D
; END OF FUNCTION CHUNK	FOR IoGetLowerDeviceObjectWithTag
; 
; START	OF FUNCTION CHUNK FOR KeQueryBootTimeValues

loc_5D8F45:				; CODE XREF: KeQueryBootTimeValues+3Aj
		mov	esi, 0FFDF0018h
		lea	ebx, [esi-4]

loc_5D8F4D:				; CODE XREF: KeQueryBootTimeValues+CEDD0j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		mov	[edi+4], eax
		mov	eax, [ebx]
		mov	[edi], eax
		mov	eax, 0FFDF001Ch
		mov	eax, [eax]
		cmp	[edi+4], eax
		jnz	short loc_5D8F4D
		mov	ebx, [ebp+var_C]
		jmp	loc_50A1D8
; END OF FUNCTION CHUNK	FOR KeQueryBootTimeValues
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepEqualUnicodeStringCaseSensitive

loc_5D8F72:				; CODE XREF: AuthzBasepEqualUnicodeStringCaseSensitive+6j
		push	eax		; size_t
		push	dword ptr [edx+4] ; void *
		push	dword ptr [ecx+4] ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		setz	al
		retn
; END OF FUNCTION CHUNK	FOR AuthzBasepEqualUnicodeStringCaseSensitive
; 
; START	OF FUNCTION CHUNK FOR ViCreateProcessCallback

loc_5D8F87:				; CODE XREF: ViCreateProcessCallback+Cj
		mov	dl, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		call	_ViCreateProcessCallbackInternal@8 ; ViCreateProcessCallbackInternal(x,x)
		jmp	loc_50A2CC
; END OF FUNCTION CHUNK	FOR ViCreateProcessCallback
; 
; START	OF FUNCTION CHUNK FOR MiSwapStackPageNoDpc

loc_5D8F97:				; CODE XREF: MiSwapStackPageNoDpc+F5j
					; MiSwapStackPageNoDpc+FFj
		mov	al, [ebx+16h]
		lea	ecx, [ebx+8]
		and	al, 0FDh
		or	al, 5
		mov	[ebx+16h], al
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		and	dword ptr [ebx+18h], 8FFFFFFFh
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		jmp	loc_50A95F
; END OF FUNCTION CHUNK	FOR MiSwapStackPageNoDpc
; 
; START	OF FUNCTION CHUNK FOR FsRtlInsertPerFileContext

loc_5D8FBD:				; CODE XREF: FsRtlInsertPerFileContext+Bj
		mov	eax, 0C0000010h
		jmp	loc_50AA09
; 

loc_5D8FC7:				; CODE XREF: FsRtlInsertPerFileContext+54j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, edi
		jmp	loc_50A9C2
; END OF FUNCTION CHUNK	FOR FsRtlInsertPerFileContext
; 
; START	OF FUNCTION CHUNK FOR WdipSemCaptureState

loc_5D8FD5:				; CODE XREF: WdipSemCaptureState+30j
		sub	eax, 1
		jz	short loc_5D8FEE
		sub	eax, 1
		jnz	loc_50AAD2
		push	2
		push	edx
		push	edx
		push	edx
		movzx	ecx, di
		push	edx
		jmp	short loc_5D9067
; 

loc_5D8FEE:				; CODE XREF: WdipSemCaptureState+CE53Cj
		mov	eax, [esi+28h]
		cmp	[eax+45h], cl
		jnz	short loc_5D903F
		mov	cl, [esi+12h]
		mov	dl, [eax+30h]
		mov	byte ptr [esp+10h+var_4], cl
		cmp	cl, dl
		ja	short loc_5D9008
		mov	byte ptr [esp+10h+var_4], dl

loc_5D9008:				; CODE XREF: WdipSemCaptureState+CE566j
		mov	edx, [eax+38h]
		xor	ebx, ebx
		mov	ecx, [eax+3Ch]
		inc	ebx
		mov	eax, [eax+40h]
		or	eax, [esi+24h]
		or	ecx, [esi+1Ch]
		or	edx, [esi+18h]
		push	ebx
		push	eax
		push	ecx
		push	edx
		push	[esp+20h+var_4]
		movzx	edi, di
		mov	edx, esi
		mov	ecx, edi
		call	_WdipSemEnableDisableTrace@28 ;	WdipSemEnableDisableTrace(x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_50AAD2
		xor	edx, edx
		jmp	short loc_5D9042
; 

loc_5D903F:				; CODE XREF: WdipSemCaptureState+CE558j
		movzx	edi, di

loc_5D9042:				; CODE XREF: WdipSemCaptureState+CE5A1j
		push	2
		push	edx
		push	edx
		push	edx
		movzx	edi, di
		push	edx
		mov	edx, esi
		mov	ecx, edi
		call	_WdipSemEnableDisableTrace@28 ;	WdipSemEnableDisableTrace(x,x,x,x,x,x,x)
		mov	ecx, eax
		test	bl, bl
		jz	loc_50AAD2
		xor	eax, eax
		mov	ecx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax

loc_5D9067:				; CODE XREF: WdipSemCaptureState+CE550j
		mov	edx, esi
		call	_WdipSemEnableDisableTrace@28 ;	WdipSemEnableDisableTrace(x,x,x,x,x,x,x)
		mov	ecx, eax
		jmp	loc_50AAD2
; END OF FUNCTION CHUNK	FOR WdipSemCaptureState
; 
; START	OF FUNCTION CHUNK FOR RtlIpv6StringToAddressExW

loc_5D9075:				; CODE XREF: RtlIpv6StringToAddressExW+51j
		mov	esi, [ebp+var_C]
		mov	eax, 80h
		mov	[ebp+arg_4], 0Ah
		cmp	word ptr [esi],	25h
		jnz	loc_5D912B
		add	esi, 2
		movzx	edi, word ptr [esi]
		cmp	di, ax
		jnb	loc_50AB3F
		push	4		; wctype_t
		push	edi		; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_50AB3F
		jmp	short loc_5D9123
; 

loc_5D90B1:				; CODE XREF: RtlIpv6StringToAddressExW+CE63Ej
		push	5Dh
		pop	eax
		cmp	di, ax
		jz	loc_5D9183
		add	eax, 23h
		cmp	di, ax
		jnb	loc_50AB3F
		push	4		; wctype_t
		push	edi		; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_50AB3F
		movzx	eax, di
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_4]
		push	0Ah
		pop	ecx
		mul	ecx
		mov	edi, eax
		mov	ecx, edx
		mov	eax, [ebp+var_C]
		cdq
		add	edi, eax
		adc	ecx, edx
		add	edi, 0FFFFFFD0h
		adc	ecx, 0FFFFFFFFh
		test	ecx, ecx
		ja	loc_50AB3F
		jb	short loc_5D910E
		cmp	edi, 0FFFFFFFFh
		ja	loc_50AB3F

loc_5D910E:				; CODE XREF: RtlIpv6StringToAddressExW+CE61Bj
		imul	eax, [ebp+var_4], arg_0+2
		mov	ecx, [ebp+var_C]
		add	ecx, 0FFFFFFD0h
		add	eax, ecx
		add	esi, 2
		mov	[ebp+var_4], eax
		movzx	edi, word ptr [esi]

loc_5D9123:				; CODE XREF: RtlIpv6StringToAddressExW+CE5C7j
		test	di, di
		jnz	short loc_5D90B1
		mov	edi, [ebp+var_8]

loc_5D912B:				; CODE XREF: RtlIpv6StringToAddressExW+CE5A0j
		push	5Dh
		pop	eax

loc_5D912E:				; CODE XREF: RtlIpv6StringToAddressExW+CE69Ej
		cmp	[esi], ax
		jnz	loc_5D926C
		push	5Bh
		pop	eax
		cmp	di, ax
		jnz	loc_50AB3F
		add	esi, 2
		xor	dl, dl
		mov	byte ptr [ebp+arg_0+3],	dl
		cmp	word ptr [esi],	3Ah
		jnz	loc_5D926F
		add	esi, 2
		push	10h
		pop	edi
		cmp	word ptr [esi],	30h
		jnz	short loc_5D9188
		lea	ecx, [esi+2]
		mov	esi, ecx
		push	8
		pop	edx
		mov	[ebp+arg_4], edx
		movzx	eax, word ptr [esi]
		cmp	eax, 78h
		jz	short loc_5D9179
		cmp	eax, 58h
		jnz	short loc_5D918B

loc_5D9179:				; CODE XREF: RtlIpv6StringToAddressExW+CE68Aj
		mov	edx, edi
		lea	esi, [ecx+2]
		mov	[ebp+arg_4], edx
		jmp	short loc_5D918B
; 

loc_5D9183:				; CODE XREF: RtlIpv6StringToAddressExW+CE5CFj
		mov	edi, [ebp+var_8]
		jmp	short loc_5D912E
; 

loc_5D9188:				; CODE XREF: RtlIpv6StringToAddressExW+CE677j
		push	0Ah
		pop	edx

loc_5D918B:				; CODE XREF: RtlIpv6StringToAddressExW+CE68Fj
					; RtlIpv6StringToAddressExW+CE699j ...
		movzx	edi, word ptr [esi]
		test	di, di
		jz	loc_5D926C
		mov	eax, 80h
		cmp	di, ax
		jnb	short loc_5D91EE
		push	4		; wctype_t
		push	edi		; wint_t
		call	_iswctype
		mov	edx, [ebp+arg_4]
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_5D91E9
		movzx	ecx, di
		movzx	eax, dx
		mov	[ebp+var_C], eax
		lea	eax, [ecx-30h]
		cmp	eax, [ebp+var_C]
		jge	short loc_5D91E9
		movzx	eax, bx
		imul	eax, [ebp+var_C]
		add	eax, 0FFFFFFD0h
		add	eax, ecx
		cmp	eax, 0FFFFh
		ja	loc_50AB3F
		mov	eax, edx
		imul	eax, ebx
		add	eax, 0FFFFFFD0h
		add	eax, edi
		movzx	ebx, ax
		jmp	short loc_5D9264
; 

loc_5D91E9:				; CODE XREF: RtlIpv6StringToAddressExW+CE6C8j
					; RtlIpv6StringToAddressExW+CE6D9j
		mov	eax, 80h

loc_5D91EE:				; CODE XREF: RtlIpv6StringToAddressExW+CE6B7j
		push	10h
		pop	ecx
		cmp	dx, cx
		jnz	loc_50AB3F
		cmp	di, ax
		jnb	loc_50AB3F
		push	eax		; wctype_t
		push	edi		; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_50AB3F
		push	2		; wctype_t
		push	edi		; wint_t
		call	_iswctype
		neg	eax
		pop	ecx
		sbb	eax, eax
		and	eax, 20h
		pop	ecx
		add	eax, 41h
		movzx	ecx, bx
		shl	ecx, 4
		sub	ecx, eax
		movzx	eax, di
		add	eax, 0Ah
		add	eax, ecx
		cmp	eax, 0FFFFh
		ja	loc_50AB3F
		push	2		; wctype_t
		push	edi		; wint_t
		shl	ebx, 4
		call	_iswctype
		mov	edx, [ebp+arg_4]
		neg	eax
		pop	ecx
		sbb	eax, eax
		add	ebx, 0Ah
		and	eax, 20h
		add	eax, 41h
		sub	edi, eax
		pop	ecx
		add	ebx, edi

loc_5D9264:				; CODE XREF: RtlIpv6StringToAddressExW+CE6FFj
		add	esi, 2
		jmp	loc_5D918B
; 

loc_5D926C:				; CODE XREF: RtlIpv6StringToAddressExW+CE649j
					; RtlIpv6StringToAddressExW+CE6A9j
		mov	dl, byte ptr [ebp+arg_0+3]

loc_5D926F:				; CODE XREF: RtlIpv6StringToAddressExW+CE667j
		xor	eax, eax
		cmp	[esi], ax
		jnz	loc_50AB3F
		test	dl, dl
		jnz	loc_50AB3F
		mov	ecx, [ebp+arg_C]
		mov	ah, bl
		mov	al, bh
		mov	[ecx], ax
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx
		xor	eax, eax
		jmp	loc_50AB44
; END OF FUNCTION CHUNK	FOR RtlIpv6StringToAddressExW
; 
; START	OF FUNCTION CHUNK FOR RtlIpv6StringToAddressW

loc_5D929B:				; CODE XREF: RtlIpv6StringToAddressW+AEj
		sub	eax, 1
		jz	loc_50AB9B
		jmp	short loc_5D9304
; 

loc_5D92A6:				; CODE XREF: RtlIpv6StringToAddressW+C6j
		mov	edx, [ebp+var_C]
		inc	edx
		mov	[ebp+var_C], edx
		jmp	loc_5D9404
; 

loc_5D92B2:				; CODE XREF: RtlIpv6StringToAddressW+DFj
		inc	edx
		mov	[ebp+var_C], edx
		test	ecx, ecx
		jnz	loc_50ABD1
		mov	[ebp+var_1], 1
		jmp	loc_5D9407
; 

loc_5D92C7:				; CODE XREF: RtlIpv6StringToAddressW+E9j
		test	ecx, ecx
		jnz	loc_50ABD1
		cmp	edi, 6
		ja	loc_50ABD1
		mov	eax, [ebp+arg_0]
		mov	esi, [ebp+var_1C]
		add	eax, 2
		cmp	[eax], si
		jnz	short loc_5D92FC
		test	ebx, ebx
		jnz	loc_50ABD1
		push	2
		mov	[ebp+arg_0], eax
		lea	ebx, [edi+1]
		pop	eax
		mov	[ebp+var_8], eax
		jmp	short loc_5D9302
; 

loc_5D92FC:				; CODE XREF: RtlIpv6StringToAddressW+CE78Ej
		xor	eax, eax
		mov	[ebp+var_8], eax
		inc	eax

loc_5D9302:				; CODE XREF: RtlIpv6StringToAddressW+CE7A4j
		add	edi, eax

loc_5D9304:				; CODE XREF: RtlIpv6StringToAddressW+CE74Ej
		mov	eax, [ebp+var_8]
		jmp	loc_50AC71
; 

loc_5D930C:				; CODE XREF: RtlIpv6StringToAddressW+F5j
		cmp	[ebp+var_1], 0
		jnz	loc_50ABD1
		cmp	ecx, 2
		ja	loc_50ABD1
		cmp	edi, 6
		ja	loc_50ABD1
		inc	ecx
		xor	eax, eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], eax
		jmp	loc_50AC90
; 

loc_5D9336:				; CODE XREF: RtlIpv6StringToAddressW+49j
		test	ecx, ecx
		jnz	loc_50ABD1
		test	edi, edi
		jnz	loc_50ABD1
		mov	eax, [ebp+arg_0]
		mov	esi, [ebp+var_1C]
		add	eax, 2
		cmp	[eax], si
		jnz	loc_50ABD1
		mov	edx, [ebp+var_14]
		xor	ebx, ebx
		mov	esi, [ebp+arg_8]
		inc	ebx
		push	2
		pop	edi
		push	edi
		mov	[esi+edx*2], cx
		inc	edx
		mov	ecx, [ebp+var_10]
		mov	[ebp+arg_0], eax
		pop	eax
		mov	[ebp+var_14], edx
		mov	edx, [ebp+var_C]
		mov	[ebp+var_8], eax

loc_5D937A:				; CODE XREF: RtlIpv6StringToAddressW+13Dj
		cmp	[ebp+var_18], 0
		jz	loc_50AC76
		test	ecx, ecx
		jnz	short loc_5D93CE
		cmp	edx, 4
		ja	loc_50ABF5
		push	10h		; int
		push	ecx		; wchar_t **
		push	[ebp+var_18]	; wchar_t *
		call	_wcstol
		mov	ch, al
		add	esp, 0Ch
		mov	cl, ah
		mov	eax, [ebp+var_14]
		mov	[esi+eax*2], cx
		inc	eax
		mov	[ebp+var_14], eax
		jmp	short loc_5D9401
; 

loc_5D93B0:				; CODE XREF: RtlIpv6StringToAddressW+66j
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_18], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1], 0
		inc	edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx
		jmp	loc_50AC76
; 

loc_5D93CE:				; CODE XREF: RtlIpv6StringToAddressW+CE830j
		cmp	edx, 3
		ja	loc_50ABF5
		push	0Ah		; int
		push	0		; wchar_t **
		push	[ebp+var_18]	; wchar_t *
		call	_wcstol
		add	esp, 0Ch
		cmp	eax, 0FFh
		ja	loc_50ABF5
		mov	esi, [ebp+var_10]
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+arg_8]
		lea	ecx, [esi+ecx*2]
		mov	[ecx+edx-1], al

loc_5D9401:				; CODE XREF: RtlIpv6StringToAddressW+CE858j
		mov	edx, [ebp+var_C]

loc_5D9404:				; CODE XREF: RtlIpv6StringToAddressW+CE757j
		mov	ecx, [ebp+var_10]

loc_5D9407:				; CODE XREF: RtlIpv6StringToAddressW+CE76Cj
		mov	eax, [ebp+var_8]
		jmp	loc_50AC76
; 

loc_5D940F:				; CODE XREF: RtlIpv6StringToAddressW+88j
		cmp	esi, 3
		jnz	loc_50ABF5
		inc	edi
		jmp	loc_50ABE4
; 

loc_5D941E:				; CODE XREF: RtlIpv6StringToAddressW+90j
					; RtlIpv6StringToAddressW+99j
		mov	eax, [ebp+var_8]
		cmp	eax, 1
		jnz	short loc_5D9488
		test	esi, esi
		jnz	short loc_5D9454
		cmp	[ebp+var_C], 4
		ja	loc_50ABF5
		push	10h		; int
		push	esi		; wchar_t **
		push	[ebp+var_18]	; wchar_t *
		call	_wcstol
		mov	edx, [ebp+var_14]
		mov	ch, al
		mov	cl, ah
		add	esp, 0Ch
		mov	eax, [ebp+arg_8]
		mov	[eax+edx*2], cx
		mov	ecx, eax
		jmp	short loc_5D949D
; 

loc_5D9454:				; CODE XREF: RtlIpv6StringToAddressW+CE8D2j
		cmp	[ebp+var_C], 3
		ja	loc_50ABF5
		push	0Ah		; int
		push	0		; wchar_t **
		push	[ebp+var_18]	; wchar_t *
		call	_wcstol
		add	esp, 0Ch
		cmp	eax, 0FFh
		ja	loc_50ABF5
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+arg_8]
		lea	ecx, [esi+ecx*2]
		mov	[ecx+edx], al
		mov	ecx, edx
		jmp	short loc_5D949D
; 

loc_5D9488:				; CODE XREF: RtlIpv6StringToAddressW+CE8CEj
		cmp	eax, 2
		jnz	loc_50ABF5
		mov	ecx, [ebp+arg_8]
		xor	edx, edx
		mov	eax, [ebp+var_14]
		mov	[ecx+eax*2], dx

loc_5D949D:				; CODE XREF: RtlIpv6StringToAddressW+CE8FCj
					; RtlIpv6StringToAddressW+CE930j
		test	ebx, ebx
		jz	short loc_5D94CD
		mov	eax, edi
		lea	esi, [ecx+ebx*2]
		sub	eax, ebx
		sub	ebx, edi
		add	eax, eax
		push	eax		; size_t
		lea	eax, [ecx+10h]
		lea	eax, [eax+ebx*2]
		push	esi		; void *
		push	eax		; void *
		call	_memmove
		push	8
		pop	eax
		sub	eax, edi
		add	eax, eax
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 18h

loc_5D94CD:				; CODE XREF: RtlIpv6StringToAddressW+CE949j
		xor	eax, eax
		jmp	loc_50ABFA
; END OF FUNCTION CHUNK	FOR RtlIpv6StringToAddressW
; 
; START	OF FUNCTION CHUNK FOR RtlCmDecodeMemIoResource

loc_5D94D4:				; CODE XREF: RtlCmDecodeMemIoResource+37j
		movzx	eax, word ptr [edi+2]
		test	eax, 200h
		jz	short loc_5D94F0
		mov	edx, [edi+0Ch]
		xor	esi, esi
		shld	esi, edx, 8
		shl	edx, 8
		jmp	loc_50ACB5
; 

loc_5D94F0:				; CODE XREF: RtlCmDecodeMemIoResource+CE83Fj
		test	eax, 400h
		jz	short loc_5D9508
		mov	edx, [edi+0Ch]
		xor	esi, esi
		shld	esi, edx, 10h
		shl	edx, 10h
		jmp	loc_50ACB5
; 

loc_5D9508:				; CODE XREF: RtlCmDecodeMemIoResource+CE857j
		test	eax, 800h
		jz	loc_50ACB5
		mov	esi, [edi+0Ch]
		jmp	loc_50ACB5
; END OF FUNCTION CHUNK	FOR RtlCmDecodeMemIoResource
; 
; START	OF FUNCTION CHUNK FOR CcPrepareMdlWrite

loc_5D951B:				; CODE XREF: CcPrepareMdlWrite+52j
					; CcPrepareMdlWrite+17Fj
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5D9525:				; CODE XREF: CcPrepareMdlWrite+28Ej
		push	ebx
		push	ebx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_50AFD4
; 

loc_5D9532:				; CODE XREF: CcPrepareMdlWrite+222j
					; CcPrepareMdlWrite+CE7FDj
		mov	[ebp+var_4C], ecx
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_5D953F
		mov	ecx, eax
		jmp	short loc_5D9532
; 

loc_5D953F:				; CODE XREF: CcPrepareMdlWrite+CE7F9j
		mov	eax, [ebp+var_1C]
		mov	[ecx], eax
		jmp	loc_50AF6D
; END OF FUNCTION CHUNK	FOR CcPrepareMdlWrite

;  S U B	R O U T	I N E 


sub_5D9549	proc near		; DATA XREF: .text:006A42D0o
		xor	ebx, ebx
		mov	edi, [ebp-50h]
		mov	ecx, [ebp-1Ch]
		mov	[ebp-3Ch], ecx
		mov	edx, [ebp-38h]
		mov	eax, [ebp-44h]
		mov	[ebp-2Ch], eax
		mov	esi, [ebp-24h]
		jmp	sub_50B00E
sub_5D9549	endp

; 
; START	OF FUNCTION CHUNK FOR sub_50B00E

loc_5D9565:				; CODE XREF: sub_50B00E+3j
		test	edx, edx
		jz	short loc_5D9584
		mov	ecx, large fs:124h
		mov	al, [ebp-38h]
		sub	al, 2
		mov	[ecx+309h], al
		mov	ecx, [ebp-1Ch]
		mov	[ebp-3Ch], ecx
		mov	esi, [ebp-24h]

loc_5D9584:				; CODE XREF: sub_50B00E+CE559j
		test	esi, esi
		jz	short loc_5D95BB
		mov	edx, [esi+4]
		mov	[ebp+8], edx
		or	eax, 0FFFFFFFFh
		lock xadd [esi+8], eax
		dec	eax
		movzx	eax, ax
		test	ax, ax
		jnz	short loc_5D95BB
		mov	eax, [edx+74h]
		test	eax, eax
		jz	short loc_5D95B4
		push	ebx
		push	ebx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [ebp-3Ch]
		mov	edx, [ebp+8]

loc_5D95B4:				; CODE XREF: sub_50B00E+CE596j
		lock dec dword ptr [edx+180h]

loc_5D95BB:				; CODE XREF: sub_50B00E+CE578j
					; sub_50B00E+CE58Fj
		test	ecx, ecx
		jz	short loc_5D95C5
		push	ecx
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_5D95C5:				; CODE XREF: sub_50B00E+CE5AFj
		mov	ecx, [ebp+0Ch]
		mov	eax, [ecx]
		mov	[ebp+0Ch], eax
		mov	[ebp-68h], eax
		mov	eax, [ecx+4]
		mov	[ebp+8], eax
		mov	[ebp-64h], eax
		mov	eax, [ebp+14h]

loc_5D95DC:				; CODE XREF: sub_50B00E+CE61Aj
		mov	eax, [eax]
		test	eax, eax
		jz	locret_50B075
		mov	esi, [eax]
		push	eax
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	ebx
		mov	eax, [ebp+14h]
		mov	eax, [eax]
		push	dword ptr [eax+14h]
		lea	edx, [ebp-68h]
		mov	ecx, edi
		call	CcSetDirtyInMask
		mov	eax, [ebp+14h]
		mov	ecx, [eax]
		mov	edx, [ebp+0Ch]
		add	edx, [ecx+14h]
		mov	[ebp+0Ch], edx
		mov	[ebp-68h], edx
		mov	eax, [ebp+8]
		adc	eax, ebx
		mov	[ebp+8], eax
		mov	[ebp-64h], eax
		push	ecx
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	eax, [ebp+14h]
		mov	[eax], esi
		jmp	short loc_5D95DC
; 

loc_5D962A:				; CODE XREF: sub_50B00E+36j
		mov	edx, [ebp+4]
		lea	ecx, [ebp-7Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_50B06C
; 

loc_5D963A:				; CODE XREF: sub_50B00E+58j
		lea	ecx, [ebp-7Ch]
		call	KxWaitForLockChainValid

loc_5D9642:				; CODE XREF: sub_50B00E+41j
		mov	[ebp-7Ch], ebx
		add	eax, 4
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_50B06C
; END OF FUNCTION CHUNK	FOR sub_50B00E
; 
; START	OF FUNCTION CHUNK FOR CcForceWriteThrough

loc_5D9653:				; CODE XREF: CcForceWriteThrough+22j
		mov	eax, ds:_PspSystemPartition
		mov	edi, [eax+4]
		jmp	loc_50B0AD
; 

loc_5D9660:				; CODE XREF: CcForceWriteThrough+41j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	edx
		mov	edx, ecx
		mov	ecx, edi
		call	CcCanIWriteStreamEx
		test	al, al
		jz	short loc_5D969C
		jmp	loc_50B0BD
; 

loc_5D9678:				; CODE XREF: CcForceWriteThrough+49j
		mov	ecx, large fs:124h
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		test	eax, eax
		jg	loc_50B0C5
		mov	eax, [ebp+var_8]
		test	dword ptr [eax+2Ch], 8000h
		jnz	loc_50B0C5

loc_5D969C:				; CODE XREF: CcForceWriteThrough+CE5FBj
		mov	[ebp+var_4], 1
		test	bl, bl
		jz	loc_50B0C5
		mov	ebx, 400h
		test	[esi+60h], ebx
		jnz	loc_50B0C5
		lea	ecx, [edi+40h]
		lea	edx, [ebp+var_18]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		or	[esi+60h], ebx
		test	ds:byte_70EFC6,	1
		jz	short loc_5D96DD
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5D970C
; 

loc_5D96DD:				; CODE XREF: CcForceWriteThrough+CE658j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_5D96FC
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	short loc_5D970C
		call	KxWaitForLockChainValid

loc_5D96FC:				; CODE XREF: CcForceWriteThrough+CE66Cj
		lea	ecx, [eax+4]
		mov	[ebp+var_18], 0
		mov	eax, [ebp+var_4]
		lock xor [ecx],	eax

loc_5D970C:				; CODE XREF: CcForceWriteThrough+CE665j
					; CcForceWriteThrough+CE67Fj
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_50B0C5
; END OF FUNCTION CHUNK	FOR CcForceWriteThrough
; 
; START	OF FUNCTION CHUNK FOR MiDeletePerSessionProtos

loc_5D971A:				; CODE XREF: MiDeletePerSessionProtos+4Aj
		mov	dl, bl
		mov	ecx, eax
		call	MiUnlockProtoPoolPage
		jmp	loc_50B22E
; 

loc_5D9728:				; CODE XREF: MiDeletePerSessionProtos+61j
		push	0
		push	0
		push	esi
		push	2
		call	MmAccessFault
		jmp	loc_50B22E
; 

loc_5D9739:				; CODE XREF: MiDeletePerSessionProtos+86j
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_5D976E
		test	ds:_MiFlags, 8000h
		jz	short loc_5D976E
		mov	eax, [edi+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jnz	short loc_5D976E
		mov	ecx, edi
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		push	4
		pop	edx
		mov	ecx, edi
		call	MiClearPfnImageVerified

loc_5D976E:				; CODE XREF: MiDeletePerSessionProtos+CE562j
					; MiDeletePerSessionProtos+CE56Ej ...
		push	1
		push	21h
		mov	edx, edi
		mov	ecx, esi
		call	MiDeleteTransitionPte
		cmp	eax, 3
		jnz	loc_50B27F
		dec	[esp+28h+var_18]
		jmp	loc_50B27F
; 

loc_5D978D:				; CODE XREF: MiDeletePerSessionProtos+9Bj
		push	0
		push	300h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [esp+28h+var_C]
		cmp	ecx, eax
		mov	eax, [esp+28h+var_10]
		jnz	short loc_5D97AD
		cmp	eax, edx
		jz	loc_50B27F

loc_5D97AD:				; CODE XREF: MiDeletePerSessionProtos+CE5C5j
		push	eax
		xor	edx, edx
		push	ecx
		inc	edx
		mov	ecx, offset _MiSystemPartition
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		jmp	loc_50B27F
; END OF FUNCTION CHUNK	FOR MiDeletePerSessionProtos
; 
; START	OF FUNCTION CHUNK FOR SleepstudyHelperCreateBlockerFromGuid

loc_5D97C1:				; CODE XREF: SleepstudyHelperCreateBlockerFromGuid+75j
					; SleepstudyHelperCreateBlockerFromGuid+97j
		test	ebx, ebx
		jz	loc_50B358
		push	ebx
		call	SleepstudyHelperDestroyBlockerBuilder
		jmp	loc_50B358
; END OF FUNCTION CHUNK	FOR SleepstudyHelperCreateBlockerFromGuid
; 
; START	OF FUNCTION CHUNK FOR SleepstudyHelperSetBlockerFriendlyName

loc_5D97D4:				; CODE XREF: SleepstudyHelperSetBlockerFriendlyName+5Aj
		mov	eax, [esi]
		push	dword ptr [eax+0Ch]
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_50B3D2
; 

loc_5D97E4:				; CODE XREF: SleepstudyHelperSetBlockerFriendlyName+81j
					; SleepstudyHelperSetBlockerFriendlyName+8Bj
		test	edi, edi
		jz	loc_50B3E0
		mov	eax, [esi]
		push	dword ptr [eax+0Ch]
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_50B3E0
; END OF FUNCTION CHUNK	FOR SleepstudyHelperSetBlockerFriendlyName
; 
; START	OF FUNCTION CHUNK FOR EtwpApplyEventIdPayloadFilter

loc_5D97FC:				; CODE XREF: EtwpApplyEventIdPayloadFilter+3Fj
					; EtwpApplyEventIdPayloadFilter+4Cj
		mov	eax, [edi+160h]
		mov	esi, [eax+ebx+28h]
		test	esi, esi
		jz	loc_50B58C
		lock inc dword ptr [esi]
		jmp	loc_50B58C
; 

loc_5D9816:				; CODE XREF: EtwpApplyEventIdPayloadFilter+18j
		mov	eax, [edi+160h]
		mov	edx, [eax+ebx+24h]
		test	edx, edx
		jz	short loc_5D9839
		mov	ecx, [ebp+arg_8]
		call	_EtwpPerfectHashFunctionSearch@8 ; EtwpPerfectHashFunctionSearch(x,x)
		cmp	[edx], al
		jz	short loc_5D9839
		mov	byte ptr [ebp+var_1], 0
		jmp	loc_50B59D
; 

loc_5D9839:				; CODE XREF: EtwpApplyEventIdPayloadFilter+CE2E8j
					; EtwpApplyEventIdPayloadFilter+CE2F4j
		mov	eax, [edi+160h]
		mov	esi, [eax+ebx+28h]
		jmp	loc_50B595
; 

loc_5D9848:				; CODE XREF: EtwpApplyEventIdPayloadFilter+5Dj
		cmp	[ebp+arg_0], 0
		lea	eax, [ebp+var_1]
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_4]
		push	eax		; int
		lea	eax, [esi+8]
		push	eax		; int
		setz	al
		movzx	eax, al
		push	eax		; int
		push	dword ptr [ebp+arg_14] ; char
		push	[ebp+arg_10]	; void *
		call	_EtwpApplyPayloadFilterInternal@28 ; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_5D9875
		mov	byte ptr [ebp+var_1], 1

loc_5D9875:				; CODE XREF: EtwpApplyEventIdPayloadFilter+CE335j
		cmp	[ebp+arg_18], 2
		jnb	loc_50B59D
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		jnz	loc_50B59D
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_50B59D
; END OF FUNCTION CHUNK	FOR EtwpApplyEventIdPayloadFilter
; 
; START	OF FUNCTION CHUNK FOR RtlGetProductInfo

loc_5D9899:				; CODE XREF: RtlGetProductInfo+E6j
		cmp	[ebp+var_DC], 3
		jnz	loc_50B6E1
		mov	eax, [ebp+var_D8]
		push	14h
		pop	ecx
		cmp	eax, ecx
		jb	loc_50B6E1
		xor	edx, edx
		div	ecx
		test	edx, edx
		jnz	loc_50B6E1
		test	eax, eax
		jz	loc_50B6D0
		lea	ecx, [ebp+var_C4]
		mov	edx, eax

loc_5D98D3:				; CODE XREF: RtlGetProductInfo+CE31Bj
		sub	esp, 10h
		lea	esi, [ecx-10h]
		mov	edi, esp
		sub	esp, 10h
		movsd
		movsd
		movsd
		movsd
		mov	edi, esp
		lea	esi, [ebp+var_F4]
		movsd
		movsd
		movsd
		movsd
		call	CompareVersions
		test	eax, eax
		jns	short loc_5D98F9
		mov	ebx, [ecx]

loc_5D98F9:				; CODE XREF: RtlGetProductInfo+CE311j
		add	ecx, 14h
		sub	edx, 1
		jnz	short loc_5D98D3
		test	ebx, ebx
		jz	loc_50B6D0
		mov	ecx, [ebp+var_E0]
		mov	[ecx], ebx
		jmp	loc_50B6DE
; END OF FUNCTION CHUNK	FOR RtlGetProductInfo
; 
; START	OF FUNCTION CHUNK FOR MiInvalidateCollidedIos

loc_5D9916:				; CODE XREF: MiInvalidateCollidedIos+126j
		mov	ecx, [ebp+var_C]
		jmp	short loc_5D9936
; 

loc_5D991B:				; CODE XREF: MiInvalidateCollidedIos+CE175j
		imul	edi, [edx], 1Ch
		add	edi, ecx
		mov	[ebp+var_1C], edi
		mov	eax, [edi+4]
		or	eax, 80000000h
		cmp	eax, ebx
		jz	loc_50B91B
		add	edx, 4

loc_5D9936:				; CODE XREF: MiInvalidateCollidedIos+138j
					; MiInvalidateCollidedIos+151j	...
		cmp	edx, [ebp+var_18]
		jbe	short loc_5D991B
		mov	edi, [ebp+var_28]
		mov	dword ptr [esi+6Ch], 1
		jmp	loc_50B994
; END OF FUNCTION CHUNK	FOR MiInvalidateCollidedIos
; 
; START	OF FUNCTION CHUNK FOR IoGetDriverObjectExtension

loc_5D994A:				; CODE XREF: IoGetDriverObjectExtension+3Aj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_50BADD
; END OF FUNCTION CHUNK	FOR IoGetDriverObjectExtension
; 
; START	OF FUNCTION CHUNK FOR RtlGetMultiTimePrecise

loc_5D9959:				; CODE XREF: RtlGetMultiTimePrecise+3Cj
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		jmp	loc_50BE5D
; 

loc_5D9963:				; CODE XREF: RtlGetMultiTimePrecise+BDj
					; RtlGetMultiTimePrecise+C5j
		push	ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	edi, eax
		mov	esi, edx
		jmp	loc_50BDA3
; 

loc_5D9973:				; CODE XREF: RtlGetMultiTimePrecise+159j
		pause
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_30]
		jmp	loc_50BCC9
; 

loc_5D9980:				; CODE XREF: RtlGetMultiTimePrecise+166j
		mov	edx, [ebp+var_8]
		jmp	loc_50BDD3
; 

loc_5D9988:				; CODE XREF: RtlGetMultiTimePrecise+18Bj
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		sub	ecx, [ebp+var_18]
		mov	eax, esi
		sbb	eax, [ebp+var_1C]
		add	ecx, [ebp+var_10]
		mov	[edx+8], ecx
		mov	ecx, edx
		mov	edx, [ebp+var_8]
		adc	eax, [ebp+var_14]
		or	edx, 2
		mov	[ebp+var_8], edx
		mov	[ecx+0Ch], eax
		jmp	loc_50BDED
; 

loc_5D99B1:				; CODE XREF: RtlGetMultiTimePrecise+1D9j
		mov	edi, [ebp+arg_4]
		mul	esi
		mov	[ebp+arg_4], ebx
		add	eax, edi
		adc	edx, [ebp+arg_0]
		mov	[ebp+var_54], edx
		cmp	edx, [ebp+arg_0]
		ja	short loc_5D99D3
		jb	short loc_5D99CC
		cmp	eax, edi
		jnb	short loc_5D99D3

loc_5D99CC:				; CODE XREF: RtlGetMultiTimePrecise+CDD6Aj
		mov	[ebp+arg_4], 1

loc_5D99D3:				; CODE XREF: RtlGetMultiTimePrecise+CDD68j
					; RtlGetMultiTimePrecise+CDD6Ej
		mov	eax, esi
		mul	[ebp+var_2C]
		add	eax, [ebp+var_54]
		mov	ebx, edx
		adc	ebx, [ebp+arg_4]
		jmp	loc_50BE45
; END OF FUNCTION CHUNK	FOR RtlGetMultiTimePrecise
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegSegmentInitialize

loc_5D99E5:				; CODE XREF: RtlpHpSegSegmentInitialize+18j
		push	dword ptr [esi+20h]
		mov	ecx, ebx
		lea	edx, [ebp+var_4]
		push	dword ptr [esi+1Ch]
		and	ecx, 0FFE00000h
		push	0
		call	_RtlpHpQueryVA@20 ; RtlpHpQueryVA(x,x,x,x,x)
		mov	eax, [ebp+var_4]
		mov	[ebx+0Ch], eax
		jmp	loc_50BEC6
; 

loc_5D9A08:				; CODE XREF: RtlpHpSegSegmentInitialize+44j
		mov	esi, ebx
		mov	ecx, edx
		mov	ebx, eax

loc_5D9A0E:				; CODE XREF: RtlpHpSegSegmentInitialize+CDB88j
		mov	[ebp+arg_0], ecx
		cmp	ecx, ebx
		jb	short loc_5D9A18
		mov	[ebp+arg_0], ebx

loc_5D9A18:				; CODE XREF: RtlpHpSegSegmentInitialize+CDB6Bj
		mov	al, [esi]
		shl	byte ptr [ebp+arg_0], 5
		and	al, 1Fh
		or	al, byte ptr [ebp+arg_0]
		mov	[esi], al
		add	esi, 10h
		movzx	eax, al
		shr	eax, 5
		sub	ecx, eax
		jnz	short loc_5D9A0E
		lea	ebx, [edi+0Ch]
		jmp	loc_50BEF2
; END OF FUNCTION CHUNK	FOR RtlpHpSegSegmentInitialize
; 
; START	OF FUNCTION CHUNK FOR MiRemoveFaultNode

loc_5D9A3A:				; CODE XREF: MiRemoveFaultNode+Bj
		mov	edi, offset unk_6D2FA0
		mov	ebx, offset dword_6D2FA4
		jmp	loc_50BF59
; END OF FUNCTION CHUNK	FOR MiRemoveFaultNode
; 
; START	OF FUNCTION CHUNK FOR MiAllocateMostlyContiguousPagesForMdl

loc_5D9A49:				; CODE XREF: MiAllocateMostlyContiguousPagesForMdl+6Bj
		mov	ecx, [edi+10h]
		test	ecx, ecx
		jz	loc_50BFE5
		lea	eax, [ecx+ebx]
		cmp	eax, ebx
		jbe	loc_50BFE5
		mov	edx, [ebp+var_14]
		cmp	eax, edx
		ja	loc_50BFE5
		mov	ebx, eax
		lea	eax, [ecx+esi]
		cmp	eax, esi
		jbe	short loc_5D9A79
		mov	esi, eax
		cmp	eax, edx
		jbe	short loc_5D9A7B

loc_5D9A79:				; CODE XREF: MiAllocateMostlyContiguousPagesForMdl+CDAFDj
		mov	esi, edx

loc_5D9A7B:				; CODE XREF: MiAllocateMostlyContiguousPagesForMdl+CDB03j
		mov	ecx, [edi]
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_4]
		mov	eax, [ebp+var_10]
		mov	edx, ebx
		push	[ebp+var_18]
		sub	eax, [ebp+var_C]
		push	80000000h
		push	[ebp+arg_0]
		push	dword ptr [edi+20h]
		push	eax
		push	0
		push	esi
		call	_MiFindContiguousPages@44 ; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+14h]
		mov	ecx, [edi+14h]
		shr	eax, 0Ch
		mov	[ebp+var_10], ecx
		cmp	eax, ecx
		jmp	loc_50BFDC
; END OF FUNCTION CHUNK	FOR MiAllocateMostlyContiguousPagesForMdl
; 
; START	OF FUNCTION CHUNK FOR PsIsThreadAttachedToSpecificSilo

loc_5D9AB9:				; CODE XREF: PsIsThreadAttachedToSpecificSilo+Bj
		test	edx, edx
		jz	short loc_5D9ABF
		mov	[edx], ecx

loc_5D9ABF:				; CODE XREF: PsIsThreadAttachedToSpecificSilo+CDA5Bj
		mov	al, 1
		retn
; END OF FUNCTION CHUNK	FOR PsIsThreadAttachedToSpecificSilo
; 
; START	OF FUNCTION CHUNK FOR CcComputeNextScanTime

loc_5D9AC2:				; CODE XREF: CcComputeNextScanTime+A4j
		or	dword ptr [esi], 0FFFFFFFFh
		and	dword ptr [edi+44h], 0
		mov	dword ptr [esi+4], 7FFFFFFFh
		jmp	loc_50C142
; END OF FUNCTION CHUNK	FOR CcComputeNextScanTime

;  S U B	R O U T	I N E 


sub_5D9AD5	proc near		; DATA XREF: .text:006A437Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5D9AD5	endp


;  S U B	R O U T	I N E 


sub_5D9AE3	proc near		; DATA XREF: .text:006A4380o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, [ebp+8]
		jmp	loc_50C1A5
sub_5D9AE3	endp

; 
; START	OF FUNCTION CHUNK FOR SepCaptureHandles

loc_5D9AF8:				; CODE XREF: SepCaptureHandles+5Dj
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_50C1AD
; END OF FUNCTION CHUNK	FOR SepCaptureHandles
; 
; START	OF FUNCTION CHUNK FOR KeBoostPriorityThread

loc_5D9B05:				; CODE XREF: KeBoostPriorityThread+4Bj
					; KeBoostPriorityThread+CD93Dj
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5D9B05
		jmp	loc_50C21A
; 

loc_5D9B18:				; CODE XREF: KeBoostPriorityThread+87j
		cmp	byte ptr [ebx+11h], 0
		jnz	short loc_5D9B35
		cli
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	_KiUpdateTotalCyclesCurrentThread@12 ; KiUpdateTotalCyclesCurrentThread(x,x,x)
		mov	ecx, eax
		sti
		mov	eax, [ebp+var_8]
		jmp	loc_50C270
; 

loc_5D9B35:				; CODE XREF: KeBoostPriorityThread+CD948j
		mov	ecx, [esi+30h]
		mov	edx, [esi+34h]
		jmp	loc_50C270
; 

loc_5D9B40:				; CODE XREF: KeBoostPriorityThread+E5j
		test	edi, edi
		jz	loc_50C2BF
		push	0
		push	edi
		push	[ebp+var_20]
		mov	edx, 530h
		mov	ecx, esi
		call	_EtwTracePriority@20 ; EtwTracePriority(x,x,x,x,x)
		jmp	loc_50C2BF
; END OF FUNCTION CHUNK	FOR KeBoostPriorityThread
; 
; START	OF FUNCTION CHUNK FOR RtlGetThreadLangIdByIndex

loc_5D9B5F:				; CODE XREF: RtlGetThreadLangIdByIndex+61j
		test	al, 3
		jnz	short loc_5D9BD0
		lea	edx, [eax+38h]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_5D9B74
		cmp	edx, eax
		jnb	short loc_5D9B76

loc_5D9B74:				; CODE XREF: RtlGetThreadLangIdByIndex+CD860j
		mov	[ecx], bl

loc_5D9B76:				; CODE XREF: RtlGetThreadLangIdByIndex+CD864j
		mov	ecx, [eax+10h]
		mov	[ebp+var_2C], ecx
		test	ecx, ecx
		jz	loc_50C375
		movzx	eax, word ptr [eax+4]
		mov	[ebp+var_24], eax
		mov	edx, [ebp+arg_4]
		cmp	edx, eax
		jnb	loc_50C375
		test	cl, 1
		jnz	short loc_5D9BD0
		imul	eax, edx, 6
		add	ecx, eax
		lea	edx, [ecx+6]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_5D9BB0
		cmp	edx, ecx
		jnb	short loc_5D9BB2

loc_5D9BB0:				; CODE XREF: RtlGetThreadLangIdByIndex+CD89Cj
		mov	[eax], bl

loc_5D9BB2:				; CODE XREF: RtlGetThreadLangIdByIndex+CD8A0j
		mov	eax, [ecx]
		mov	[ebp+var_34], eax
		mov	ax, [ecx+4]
		xor	ecx, ecx
		inc	ecx
		cmp	cx, word ptr [ebp+var_34]
		jz	short loc_5D9BD5
		mov	[ebp+var_1C], 0C00000E5h
		jmp	loc_50C375
; 

loc_5D9BD0:				; CODE XREF: RtlGetThreadLangIdByIndex+CD853j
					; RtlGetThreadLangIdByIndex+CD88Bj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_5D9BD5:				; CODE XREF: RtlGetThreadLangIdByIndex+CD8B4j
		movzx	eax, ax
		mov	[ebp+var_20], eax
		jmp	loc_50C375
; END OF FUNCTION CHUNK	FOR RtlGetThreadLangIdByIndex

;  S U B	R O U T	I N E 


sub_5D9BE0	proc near		; DATA XREF: .text:006A439Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5D9BE0	endp


;  S U B	R O U T	I N E 


sub_5D9BEE	proc near		; DATA XREF: .text:006A43A0o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-28h]
		mov	[ebp-1Ch], eax
		jmp	loc_50C382
sub_5D9BEE	endp

; 
; START	OF FUNCTION CHUNK FOR RtlGetThreadLangIdByIndex

loc_5D9BFC:				; CODE XREF: RtlGetThreadLangIdByIndex+21j
					; RtlGetThreadLangIdByIndex+2Cj
		mov	eax, 0C000000Dh
		jmp	loc_50C3A0
; END OF FUNCTION CHUNK	FOR RtlGetThreadLangIdByIndex
; 
; START	OF FUNCTION CHUNK FOR RtlIpv4StringToAddressExW

loc_5D9C06:				; CODE XREF: RtlIpv4StringToAddressExW+31j
		mov	edi, [ebp+var_4]
		movzx	eax, word ptr [edi]
		cmp	eax, 3Ah
		jnz	loc_5D9D44
		push	0Ah
		add	edi, 2
		pop	edx
		push	10h
		mov	[ebp+arg_8], edx
		cmp	word ptr [edi],	30h
		pop	esi
		jnz	short loc_5D9C47
		lea	ecx, [edi+2]
		mov	edi, ecx
		push	8
		pop	edx
		mov	[ebp+arg_8], edx
		movzx	eax, word ptr [edi]
		cmp	eax, 78h
		jz	short loc_5D9C3F
		cmp	eax, 58h
		jnz	short loc_5D9C47

loc_5D9C3F:				; CODE XREF: RtlIpv4StringToAddressExW+CD7E2j
		mov	edx, esi
		lea	edi, [ecx+2]
		mov	[ebp+arg_8], edx

loc_5D9C47:				; CODE XREF: RtlIpv4StringToAddressExW+CD7CFj
					; RtlIpv4StringToAddressExW+CD7E7j
		movzx	eax, word ptr [edi]
		mov	esi, eax
		mov	ecx, eax
		mov	[ebp+arg_0], ecx
		test	si, si
		jz	loc_5D9D3A
		mov	eax, 80h

loc_5D9C5F:				; CODE XREF: RtlIpv4StringToAddressExW+CD8DBj
		lea	edi, [edi+2]
		cmp	si, ax
		jnb	short loc_5D9CB0
		push	4		; wctype_t
		push	esi		; wint_t
		call	_iswctype
		mov	edx, [ebp+arg_8]
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_5D9CAB
		lea	eax, [esi-30h]
		cmp	ax, dx
		jnb	short loc_5D9CAB
		movzx	eax, bx
		movzx	ecx, dx
		imul	ecx, eax
		movzx	eax, si
		add	eax, 0FFFFFFD0h
		add	eax, ecx
		cmp	eax, 0FFFFh
		ja	loc_50C48D
		mov	eax, edx
		imul	eax, ebx
		add	eax, 0FFFFFFD0h
		add	eax, esi
		movzx	ebx, ax
		jmp	short loc_5D9D26
; 

loc_5D9CAB:				; CODE XREF: RtlIpv4StringToAddressExW+CD820j
					; RtlIpv4StringToAddressExW+CD828j
		mov	eax, 80h

loc_5D9CB0:				; CODE XREF: RtlIpv4StringToAddressExW+CD80Fj
		push	10h
		pop	ecx
		cmp	dx, cx
		jnz	loc_50C48D
		cmp	si, ax
		jnb	loc_50C48D
		push	eax		; wctype_t
		push	esi		; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_50C48D
		push	2		; wctype_t
		push	esi		; wint_t
		call	_iswctype
		neg	eax
		pop	ecx
		sbb	eax, eax
		and	eax, 20h
		pop	ecx
		add	eax, 41h
		movzx	ecx, bx
		shl	ecx, 4
		sub	ecx, eax
		movzx	eax, si
		add	eax, 0Ah
		add	eax, ecx
		cmp	eax, 0FFFFh
		ja	loc_50C48D
		push	2		; wctype_t
		push	esi		; wint_t
		shl	ebx, 4
		call	_iswctype
		mov	edx, [ebp+arg_8]
		neg	eax
		pop	ecx
		sbb	eax, eax
		add	ebx, 0Ah
		and	eax, 20h
		add	eax, 41h
		sub	esi, eax
		pop	ecx
		add	ebx, esi

loc_5D9D26:				; CODE XREF: RtlIpv4StringToAddressExW+CD853j
		movzx	esi, word ptr [edi]
		mov	eax, 80h
		test	si, si
		jnz	loc_5D9C5F
		mov	ecx, [ebp+arg_0]

loc_5D9D3A:				; CODE XREF: RtlIpv4StringToAddressExW+CD7FEj
		test	cx, cx
		jnz	short loc_5D9D4D
		jmp	loc_50C48D
; 

loc_5D9D44:				; CODE XREF: RtlIpv4StringToAddressExW+CD7B9j
		test	ax, ax
		jnz	loc_50C48D

loc_5D9D4D:				; CODE XREF: RtlIpv4StringToAddressExW+CD8E7j
		mov	ecx, [ebp+arg_C]
		mov	ah, bl
		mov	al, bh
		mov	[ecx], ax
		xor	eax, eax
		jmp	loc_50C492
; END OF FUNCTION CHUNK	FOR RtlIpv4StringToAddressExW
; 
; START	OF FUNCTION CHUNK FOR RtlIpv4StringToAddressW

loc_5D9D5E:				; CODE XREF: RtlIpv4StringToAddressW+3Ej
		add	edi, 2
		movzx	eax, word ptr [edi]
		cmp	ax, cx
		jnb	short loc_5D9D7B
		push	4		; wctype_t
		push	eax		; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_5D9D7B
		push	8
		jmp	short loc_5D9D96
; 

loc_5D9D7B:				; CODE XREF: RtlIpv4StringToAddressW+CD8C9j
					; RtlIpv4StringToAddressW+CD8D7j
		movzx	eax, word ptr [edi]
		cmp	eax, 78h
		jz	short loc_5D9D91
		cmp	eax, 58h
		jz	short loc_5D9D91
		mov	[ebp+var_15], 1
		jmp	loc_50C4E2
; 

loc_5D9D91:				; CODE XREF: RtlIpv4StringToAddressW+CD8E3j
					; RtlIpv4StringToAddressW+CD8E8j
		push	10h
		add	edi, 2

loc_5D9D96:				; CODE XREF: RtlIpv4StringToAddressW+CD8DBj
		pop	ebx
		mov	[ebp+var_24], ebx
		jmp	loc_50C4E2
; 

loc_5D9D9F:				; CODE XREF: RtlIpv4StringToAddressW+72j
		mov	ecx, [ebp+var_24]
		movzx	eax, bx
		mov	[ebp+var_28], eax
		add	eax, 0FFFFFFD0h
		cmp	eax, ecx
		jge	loc_50C516
		mov	edx, [ebp+var_1C]
		mov	eax, ecx
		mov	ecx, [ebp+var_28]
		imul	eax, edx
		add	ecx, 0FFFFFFD0h
		jmp	short loc_5D9E01
; 

loc_5D9DC3:				; CODE XREF: RtlIpv4StringToAddressW+81j
		cmp	bx, ax
		jnb	loc_50C525
		push	eax		; wctype_t
		push	ebx		; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_50C525
		push	2		; wctype_t
		push	ebx		; wint_t
		call	_iswctype
		mov	edx, [ebp+var_1C]
		neg	eax
		pop	ecx
		sbb	eax, eax
		pop	ecx
		and	eax, 20h
		mov	ecx, edx
		add	eax, 41h
		shl	ecx, 4
		sub	ecx, eax
		movzx	eax, bx
		add	eax, 0Ah

loc_5D9E01:				; CODE XREF: RtlIpv4StringToAddressW+CD923j
		add	eax, ecx
		cmp	eax, edx
		jb	loc_50C53C
		add	edi, 2
		mov	[ebp+var_1C], eax
		mov	cl, 1
		mov	[ebp+var_15], cl
		movzx	ebx, word ptr [edi]
		test	bx, bx
		jnz	loc_50C4FA
		jmp	loc_50C52B
; 

loc_5D9E27:				; CODE XREF: RtlIpv4StringToAddressW+56j
		mov	eax, [ebp+var_1C]
		mov	cl, [ebp+var_15]
		jmp	loc_50C52E
; 

loc_5D9E32:				; CODE XREF: RtlIpv4StringToAddressW+98j
		mov	[esi], eax
		lea	eax, [ebp+var_14]
		sub	esi, eax
		add	esi, 4
		sar	esi, 2
		test	dl, dl
		jz	short loc_5D9E4C
		cmp	esi, 4
		jnz	loc_50C53C

loc_5D9E4C:				; CODE XREF: RtlIpv4StringToAddressW+CD9A3j
		sub	esi, 1
		jz	loc_5D9F17
		sub	esi, 1
		jz	loc_5D9EEF
		sub	esi, 1
		jz	short loc_5D9EB6
		sub	esi, 1
		jnz	loc_50C53C
		mov	edx, [ebp+var_14]
		mov	eax, 0FFh
		cmp	edx, eax
		ja	loc_50C53C
		mov	ecx, [ebp+var_10]
		cmp	ecx, eax
		ja	loc_50C53C
		mov	ebx, [ebp+var_C]
		cmp	ebx, eax
		ja	loc_50C53C
		cmp	[ebp+var_8], eax
		ja	loc_50C53C
		movzx	ecx, cl
		shl	edx, 8
		or	ecx, edx
		movzx	eax, bl
		shl	ecx, 8
		or	ecx, eax
		mov	eax, [ebp+var_8]
		shl	ecx, 8
		movzx	eax, al
		jmp	short loc_5D9F13
; 

loc_5D9EB6:				; CODE XREF: RtlIpv4StringToAddressW+CD9C3j
		mov	edx, [ebp+var_14]
		mov	eax, 0FFh
		cmp	edx, eax
		ja	loc_50C53C
		mov	ecx, [ebp+var_10]
		cmp	ecx, eax
		ja	loc_50C53C
		mov	eax, [ebp+var_C]
		cmp	eax, 0FFFFh
		ja	loc_50C53C
		movzx	ecx, cl
		shl	edx, 8
		or	ecx, edx
		movzx	eax, ax
		shl	ecx, 10h
		jmp	short loc_5D9F13
; 

loc_5D9EEF:				; CODE XREF: RtlIpv4StringToAddressW+CD9BAj
		mov	ecx, [ebp+var_14]
		cmp	ecx, 0FFh
		ja	loc_50C53C
		mov	eax, [ebp+var_10]
		mov	edx, 0FFFFFFh
		cmp	eax, edx
		ja	loc_50C53C
		shl	ecx, 18h
		and	eax, edx

loc_5D9F13:				; CODE XREF: RtlIpv4StringToAddressW+CDA16j
					; RtlIpv4StringToAddressW+CDA4Fj
		or	ecx, eax
		jmp	short loc_5D9F1A
; 

loc_5D9F17:				; CODE XREF: RtlIpv4StringToAddressW+CD9B1j
		mov	ecx, [ebp+var_14]

loc_5D9F1A:				; CODE XREF: RtlIpv4StringToAddressW+CDA77j
		mov	eax, [ebp+var_20]
		bswap	ecx
		mov	[eax], edi
		mov	eax, [ebp+var_2C]
		mov	[eax], ecx
		xor	eax, eax
		jmp	loc_50C546
; END OF FUNCTION CHUNK	FOR RtlIpv4StringToAddressW

;  S U B	R O U T	I N E 


sub_5D9F2D	proc near		; CODE XREF: KeQueryActiveProcessorCount+Aj
		push	ebx
		mov	ebx, ds:dword_70E328
		mov	[eax], ebx
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		pop	ebx
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	eax, cl
		jmp	loc_50C638
sub_5D9F2D	endp

; 
; START	OF FUNCTION CHUNK FOR MiPerformSafePdeWrite

loc_5D9F6F:				; CODE XREF: MiPerformSafePdeWrite+4Aj
		mov	eax, [ebp+arg_4]
		test	edi, edi
		jz	short loc_5D9F79
		or	eax, 20h

loc_5D9F79:				; CODE XREF: MiPerformSafePdeWrite+CD898j
		test	dl, 2
		jz	short loc_5D9F84
		or	ecx, 80000000h

loc_5D9F84:				; CODE XREF: MiPerformSafePdeWrite+CD8A0j
		test	dl, 4
		jz	short loc_5D9F8C
		or	eax, 4

loc_5D9F8C:				; CODE XREF: MiPerformSafePdeWrite+CD8ABj
		nop
		mov	[esi], eax
		mov	[esi+4], ecx
		jmp	loc_50C7A1
; END OF FUNCTION CHUNK	FOR MiPerformSafePdeWrite
; 
; START	OF FUNCTION CHUNK FOR KeReleaseInterruptSpinLock

loc_5D9F97:				; CODE XREF: KeReleaseInterruptSpinLock+Cj
		push	0
		push	0
		push	eax
		push	1
		push	13Bh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5D9FA8:				; CODE XREF: KeReleaseInterruptSpinLock+1Cj
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_50C7EB
; END OF FUNCTION CHUNK	FOR KeReleaseInterruptSpinLock
; 
; START	OF FUNCTION CHUNK FOR KeAcquireInterruptSpinLock

loc_5D9FB7:				; CODE XREF: KeAcquireInterruptSpinLock+Fj
		push	0
		push	0
		push	esi
		push	1
		push	13Bh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5D9FC9:				; CODE XREF: KiTestForAlertPending+27j
		cmp	[ebp+arg_4], 0
		jz	short loc_5D9FDA
		mov	byte ptr [eax+ecx+56h],	0
		jmp	short loc_5D9FDA
; END OF FUNCTION CHUNK	FOR KeAcquireInterruptSpinLock
; 
; START	OF FUNCTION CHUNK FOR KiTestForAlertPending

loc_5D9FD6:				; CODE XREF: KiTestForAlertPending+CD77Bj
		mov	byte ptr [ecx+56h], 0
; END OF FUNCTION CHUNK	FOR KiTestForAlertPending
; START	OF FUNCTION CHUNK FOR KeAcquireInterruptSpinLock

loc_5D9FDA:				; CODE XREF: KeAcquireInterruptSpinLock+CD7CFj
					; KeAcquireInterruptSpinLock+CD7D6j ...
		mov	eax, 101h
		jmp	loc_50C896
; END OF FUNCTION CHUNK	FOR KeAcquireInterruptSpinLock
; 
; START	OF FUNCTION CHUNK FOR KiTestForAlertPending

loc_5D9FE4:				; CODE XREF: KiTestForAlertPending+36j
		cmp	[ebp+arg_4], 0
		jz	short loc_5DA005
		or	byte ptr [ecx+86h], 2
		jmp	short loc_5DA005
; 

loc_5D9FF3:				; CODE XREF: KiTestForAlertPending+42j
		cmp	[ebp+arg_4], 0
		jz	short loc_5D9FDA
		jmp	short loc_5D9FD6
; 

loc_5D9FFB:				; CODE XREF: KiTestForAlertPending+10j
		cmp	[ebp+arg_0], 0
		jz	loc_50C894

loc_5DA005:				; CODE XREF: KiTestForAlertPending+CD76Aj
					; KiTestForAlertPending+CD773j
		mov	eax, 0C0h
		jmp	loc_50C896
; END OF FUNCTION CHUNK	FOR KiTestForAlertPending
; 
; START	OF FUNCTION CHUNK FOR CcMdlWriteComplete2

loc_5DA00F:				; CODE XREF: CcMdlWriteComplete2+80j
		push	edx
		lea	edx, [esp+50h+var_18]
		push	edx
		push	ecx
		mov	ecx, [ecx+14h]
		lea	edx, [esp+58h+var_24]
		push	eax
		call	MmFlushSection
		cmp	[esp+4Ch+var_18], 0
		jge	loc_50C9D0
		mov	ebx, [esp+4Ch+var_18]
		jmp	loc_50C9D0
; 

loc_5DA037:				; CODE XREF: CcMdlWriteComplete2+F1j
		mov	edx, [ebp+4]
		lea	ecx, [esp+54h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_50CA59
; 

loc_5DA048:				; CODE XREF: CcMdlWriteComplete2+117j
		lea	ecx, [esp+54h+var_18]
		call	KxWaitForLockChainValid

loc_5DA051:				; CODE XREF: CcMdlWriteComplete2+FDj
		xor	ecx, ecx
		mov	[esp+54h+var_18], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_50CA59
; 

loc_5DA067:				; CODE XREF: CcMdlWriteComplete2+129j
		push	0C00000E9h
		push	ebx
		call	_FsRtlNormalizeNtstatus@8 ; FsRtlNormalizeNtstatus(x,x)
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

loc_5DA079:				; CODE XREF: CmpLazyFlushDpcRoutine+30j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_50CABD
; END OF FUNCTION CHUNK	FOR CcMdlWriteComplete2

;  S U B	R O U T	I N E 


sub_5DA088	proc near		; CODE XREF: RtlpHpFixedHeapCreate+36j
		push	ebx
		push	1Ch
		lea	eax, [ebp-68h]
		push	eax
		push	3
		push	esi
		push	0FFFFFFFFh
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	loc_50CC0C
		push	ebx
		push	1Ch
		lea	eax, [ebp-4Ch]
		push	eax
		push	ebx
		push	dword ptr [ebp-8]
		push	0FFFFFFFFh
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	loc_50CC0C
		mov	esi, [ebp-8]
		mov	[ebp-0Ch], esi
		cmp	[ebp-4Ch], esi
		jnz	loc_50CC0C
		cmp	dword ptr [ebp-3Ch], 10000h
		jz	loc_50CC0C
		cmp	dword ptr [ebp-3Ch], 1000h
		mov	eax, [ebp-5Ch]
		jnz	short loc_5DA0EE
		mov	ecx, [ebp-40h]
		mov	edx, [ebp-14h]
		jmp	loc_50CB26
; 

loc_5DA0EE:				; CODE XREF: sub_5DA088+59j
		mov	ecx, [ebp+0Ch]

loc_5DA0F1:				; CODE XREF: RtlpHpFixedHeapCreate+5Cj
		mov	edx, offset _RtlpHpFixedHeapCommitRoutine@12 ; RtlpHpFixedHeapCommitRoutine(x,x,x)
		mov	[ebp-14h], edx
		jmp	loc_50CB2E
sub_5DA088	endp

; 
; START	OF FUNCTION CHUNK FOR RtlpHpFixedHeapCreate

loc_5DA0FE:				; CODE XREF: RtlpHpFixedHeapCreate+8Cj
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	edx ; RtlpHpFixedHeapCommitRoutine(x,x,x) ; RtlpHpFixedHeapCommitRoutine(x,x,x)
		test	eax, eax
		js	loc_50CC0C
		mov	esi, [ebp+var_8]
		mov	[ebp+var_C], esi
		jmp	loc_50CB5E
; END OF FUNCTION CHUNK	FOR RtlpHpFixedHeapCreate
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVsContextInitialize

loc_5DA11C:				; CODE XREF: RtlpHpVsContextInitialize+84j
		xor	eax, ds:_RtlpHpHeapGlobals
		xor	eax, ebx
		mov	[edx+10h], eax
		jmp	loc_50CCAE
; END OF FUNCTION CHUNK	FOR RtlpHpVsContextInitialize
; 
; START	OF FUNCTION CHUNK FOR MiDereferenceExtendInfo

loc_5DA12C:				; CODE XREF: MiDereferenceExtendInfo+1BAj
		push	0
		push	[ebp+var_8]
		push	offset dword_6CF3C8
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DA141:				; CODE XREF: MiDereferenceExtendInfo+12Cj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_18]
		jmp	loc_50CF12
; 

loc_5DA158:				; CODE XREF: MiDereferenceExtendInfo+1D4j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_50CFAA
; 

loc_5DA167:				; CODE XREF: MiDereferenceExtendInfo+1FEj
		push	[ebp+var_18]
		mov	edx, offset dword_6CF3C8
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_50CF25
; END OF FUNCTION CHUNK	FOR MiDereferenceExtendInfo
; 
; START	OF FUNCTION CHUNK FOR FsRtlInitializeLargeMcb

loc_5DA17B:				; CODE XREF: FsRtlInitializeLargeMcb+28j
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

loc_5DA186:				; CODE XREF: PopDisksRegisteredForIdle+32j
		cmp	dword ptr [eax+8], 1
		jz	short loc_5DA193
		mov	eax, [eax]
		jmp	loc_50D06A
; 

loc_5DA193:				; CODE XREF: FsRtlInitializeLargeMcb+CD19Aj
		mov	bl, 1
		jmp	loc_50D072
; END OF FUNCTION CHUNK	FOR FsRtlInitializeLargeMcb
; 
; START	OF FUNCTION CHUNK FOR PopDisksRegisteredForIdle

loc_5DA19A:				; CODE XREF: PopDisksRegisteredForIdle+3Fj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_50D084
; END OF FUNCTION CHUNK	FOR PopDisksRegisteredForIdle
; 
; START	OF FUNCTION CHUNK FOR PpmEventTraceFailedPerfCheckStart

loc_5DA1A9:				; CODE XREF: PpmEventTraceFailedPerfCheckStart+39j
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_C], 8
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_50D0ED
; END OF FUNCTION CHUNK	FOR PpmEventTraceFailedPerfCheckStart
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition

loc_5DA1D2:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+5Ej
		cmp	edi, 8
		jg	short loc_5DA1DE
		shr	esi, 1
		jmp	loc_50D198
; 

loc_5DA1DE:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+CD0A7j
		cmp	edi, 0Ah
		jle	loc_50D195
		shr	esi, 3
		jmp	loc_50D198
; 

loc_5DA1EF:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+3Cj
		lea	eax, [ebx+2Ch]
		mov	[ebx+4Ch], edi
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	loc_50D170
		mov	ebx, ecx
		mov	esi, eax

loc_5DA203:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition+CD0E2j
		push	edi
		push	dword ptr [ebx+8]
		call	KeSetActualBasePriorityThread
		mov	ebx, [ebx]
		cmp	ebx, esi
		jnz	short loc_5DA203
		mov	esi, [ebp+var_4]
		mov	ebx, [ebp+var_10]
		jmp	loc_50D170
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmCompressContextUpdateMemoryCondition
; 
; START	OF FUNCTION CHUNK FOR KiRemoveEntryTimer

loc_5DA21D:				; CODE XREF: KiRemoveEntryTimer+42j
		movzx	ecx, byte ptr [ecx-1E9Ch]
		shl	esi, 6
		jmp	loc_50D265
; END OF FUNCTION CHUNK	FOR KiRemoveEntryTimer
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread

loc_5DA22C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread+22j
		mov	edi, 0C000009Ah
		jmp	loc_50D450
; 

loc_5DA236:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread+86j
		mov	ecx, [esi]
		add	ecx, 48h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_50D450
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThread
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThreadParams

loc_5DA24D:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThreadParams+6Fj
		mov	ecx, [ebp+var_8]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_50D4E9
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxCreateThreadParams
; 
; START	OF FUNCTION CHUNK FOR KiCheckAndRearmForceIdle

loc_5DA25A:				; CODE XREF: KiCheckAndRearmForceIdle+28j
					; KiCheckAndRearmForceIdle+CCC1Bj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, ds:_KiForceIdleLock
		test	eax, eax
		jnz	short loc_5DA25A
		jmp	loc_50D671
; 

loc_5DA270:				; CODE XREF: KiCheckAndRearmForceIdle+36j
		push	esi
		push	offset _KiForceIdleStartDpc
		call	KeRemoveQueueDpcEx
		mov	ecx, ds:_KiForceIdleState
		push	2
		pop	edx
		mov	ds:_KiForceIdleState, edx
		call	_PoTraceForceIdleStateChange@8 ; PoTraceForceIdleStateChange(x,x)

loc_5DA28F:				; CODE XREF: KiCheckAndRearmForceIdle+3Fj
		lea	ecx, [ebp+var_C]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	ecx, eax
		mov	esi, edx
		mov	eax, ds:_KiForceIdleGracePeriodInSec
		mov	edx, 989680h
		mul	edx
		add	ecx, eax
		mov	ds:_KiForceIdleStartTime, ecx
		adc	esi, edx
		mov	ds:dword_6CB38C, esi
		jmp	loc_50D693
; END OF FUNCTION CHUNK	FOR KiCheckAndRearmForceIdle
; 
; START	OF FUNCTION CHUNK FOR RtlIsSandboxedTokenHandle

loc_5DA2BC:				; CODE XREF: RtlIsSandboxedTokenHandle+4Aj
		push	2
		pop	ecx
		mov	[esp+58h+var_8], al
		lea	eax, [esp+58h+var_10]
		mov	[esp+58h+var_24], eax
		lea	eax, [esp+58h+var_48]
		push	eax
		push	ecx
		push	ebx
		lea	eax, [esp+64h+var_38]
		mov	[esp+64h+var_38], 18h
		push	eax
		push	8
		push	esi
		mov	[esp+70h+var_34], ebx
		mov	[esp+70h+var_2C], 200h
		mov	[esp+70h+var_30], ebx
		mov	[esp+70h+var_28], ebx
		mov	[esp+70h+var_10], 0Ch
		mov	[esp+70h+var_C], ecx
		mov	[esp+70h+var_7], bl
		call	_ZwDuplicateToken@24 ; ZwDuplicateToken(x,x,x,x,x,x)
		test	eax, eax
		js	loc_50D742
		mov	eax, large fs:124h
		lea	ecx, [esp+58h+var_44]
		push	ebx
		push	ecx
		push	ebx
		mov	eax, [eax+80h]
		mov	[esp+64h+var_44], ebx
		mov	eax, [eax+0E4h]
		mov	[esp+64h+var_14], eax
		mov	eax, ds:_SeTokenObjectType
		push	eax
		push	8
		push	[esp+6Ch+var_48]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, eax
		mov	eax, [esp+58h+var_44]
		mov	[esp+58h+var_18], eax
		test	ecx, ecx
		js	loc_50D742
		mov	[esp+58h+var_20], ebx
		lea	ebx, [esp+58h+var_20]
		jmp	loc_50D72C
; 

loc_5DA364:				; CODE XREF: RtlIsSandboxedTokenHandle+60j
		mov	ecx, [ebx+8]
		call	ObfDereferenceObject
		jmp	loc_50D742
; 

loc_5DA371:				; CODE XREF: RtlIsSandboxedTokenHandle+6Bj
		push	[esp+58h+var_48]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_50D74D
; END OF FUNCTION CHUNK	FOR RtlIsSandboxedTokenHandle
; 
; START	OF FUNCTION CHUNK FOR PfpMemoryRangesQuery

loc_5DA37F:				; CODE XREF: PfpMemoryRangesQuery+2Fj
		mov	esi, 0C000000Dh
		mov	[ebp+var_2C], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_50D877
; 

loc_5DA393:				; CODE XREF: PfpMemoryRangesQuery+3Dj
		mov	esi, 0C000000Dh
		mov	[ebp+var_2C], esi
		mov	[ebp+ms_exc.disabled], edx
		jmp	loc_50D877
; 

loc_5DA3A3:				; CODE XREF: PfpMemoryRangesQuery+46j
		push	3
		pop	eax
		mov	[ebp+var_3C], eax
		jmp	loc_50D7B0
; 

loc_5DA3AE:				; CODE XREF: PfpMemoryRangesQuery+5Dj
					; PfpMemoryRangesQuery+92j ...
		mov	esi, 0C000009Ah
		jmp	loc_50D877
; END OF FUNCTION CHUNK	FOR PfpMemoryRangesQuery

;  S U B	R O U T	I N E 


sub_5DA3B8	proc near		; DATA XREF: .text:006A4448o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5DA3B8	endp


;  S U B	R O U T	I N E 


sub_5DA3C6	proc near		; DATA XREF: .text:006A444Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-34h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edi, edi
		mov	ebx, [ebp-20h]
		jmp	loc_50D877
sub_5DA3C6	endp

; 

loc_5DA3DD:				; DATA XREF: .text:006A443Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_5DA3EB:				; DATA XREF: .text:006A4440o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-38h]
		mov	[ebp-2Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edi, edi
		mov	ebx, edi
		jmp	loc_50D877
; 
; START	OF FUNCTION CHUNK FOR IoUninitializeWorkItem

loc_5DA404:				; CODE XREF: IoUninitializeWorkItem+Bj
		push	0
		lea	eax, [ecx+10h]
		push	eax
		push	ecx
		push	2
		push	0E4h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5DA418:				; CODE XREF: FsRtlLookupPerFileContext+Ej
		lea	esi, [edi+4]
		cmp	[esi], esi
		jz	loc_50DA0C
		mov	eax, large fs:124h
		push	ebx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	edx, [ebp+arg_8]
		xor	ebx, ebx
		mov	eax, [esi]
		test	edx, edx
		jz	short loc_5DA45F
		cmp	eax, esi
		jz	short loc_5DA46C
		mov	ecx, [ebp+arg_4]

loc_5DA44D:				; CODE XREF: IoUninitializeWorkItem+CCB9Fj
		cmp	[eax+8], ecx
		jnz	short loc_5DA457
		cmp	[eax+0Ch], edx
		jz	short loc_5DA46A

loc_5DA457:				; CODE XREF: IoUninitializeWorkItem+CCB94j
		mov	eax, [eax]
		cmp	eax, esi
		jnz	short loc_5DA44D
		jmp	short loc_5DA46C
; 

loc_5DA45F:				; CODE XREF: IoUninitializeWorkItem+CCB88j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_5DA490
		cmp	eax, esi
		jz	short loc_5DA46C

loc_5DA46A:				; CODE XREF: IoUninitializeWorkItem+CCB99j
					; IoUninitializeWorkItem+CCBD0j
		mov	ebx, eax

loc_5DA46C:				; CODE XREF: IoUninitializeWorkItem+CCB8Cj
					; IoUninitializeWorkItem+CCBA1j ...
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, ebx
		pop	ebx
		jmp	loc_50DA0E
; 

loc_5DA489:				; CODE XREF: IoUninitializeWorkItem+CCBD6j
		cmp	[eax+8], ecx
		jz	short loc_5DA46A
		mov	eax, [eax]

loc_5DA490:				; CODE XREF: IoUninitializeWorkItem+CCBA8j
		cmp	eax, esi
		jnz	short loc_5DA489
		jmp	short loc_5DA46C
; END OF FUNCTION CHUNK	FOR IoUninitializeWorkItem
; 
; START	OF FUNCTION CHUNK FOR IoInitializeWorkItem

loc_5DA496:				; CODE XREF: IoInitializeWorkItem+3Bj
		push	0
		push	ecx
		push	[ebp+arg_4]
		push	edx
		push	0E4h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5DA4A8:				; CODE XREF: PfSnUpdatePrefetcherFlags+40j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_50DB4F
; END OF FUNCTION CHUNK	FOR IoInitializeWorkItem
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepFreeSecurityAttributeValues

loc_5DA4B5:				; CODE XREF: AuthzBasepFreeSecurityAttributeValues+2Fj
		lea	edx, [esi-8]
		mov	esi, [esi]
		test	byte ptr [edx+10h], 1
		jnz	loc_50DC4B
		push	ecx
		push	0
		mov	ecx, ebx
		call	_AuthzBasepRemoveSecurityAttributeValueFromLists@16 ; AuthzBasepRemoveSecurityAttributeValueFromLists(x,x,x,x)
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_50DC4B
; END OF FUNCTION CHUNK	FOR AuthzBasepFreeSecurityAttributeValues
; 
; START	OF FUNCTION CHUNK FOR CcBoostLowPriorityWorkerThread

loc_5DA4DB:				; CODE XREF: CcBoostLowPriorityWorkerThread+183j
		push	ecx
		push	ecx
		push	0C0000420h
		push	518h
		jmp	short loc_5DA4F5
; 

loc_5DA4E9:				; CODE XREF: CcBoostLowPriorityWorkerThread+1DAj
		push	ecx
		push	ecx
		push	0C0000420h
		push	545h

loc_5DA4F5:				; CODE XREF: CcBoostLowPriorityWorkerThread+CC827j
		push	34h
		jmp	short loc_5DA507
; 

loc_5DA4F9:				; CODE XREF: CcBoostLowPriorityWorkerThread+27Dj
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h

loc_5DA507:				; CODE XREF: CcBoostLowPriorityWorkerThread+CC837j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DA50C:				; CODE XREF: CcBoostLowPriorityWorkerThread+5Ej
		test	al, 4
		jnz	loc_50DD24
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_50DD24
; 

loc_5DA520:				; CODE XREF: CcBoostLowPriorityWorkerThread+12Dj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_50DE03
; 

loc_5DA537:				; CODE XREF: CcBoostLowPriorityWorkerThread+240j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_50DF06
; 

loc_5DA546:				; CODE XREF: CcBoostLowPriorityWorkerThread+26Aj
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_50DE1A
; END OF FUNCTION CHUNK	FOR CcBoostLowPriorityWorkerThread
; 
; START	OF FUNCTION CHUNK FOR MiGetWorkingSetInfo

loc_5DA558:				; CODE XREF: MiGetWorkingSetInfo+4Bj
		mov	eax, 0C000009Ah
		jmp	loc_50E09E
; END OF FUNCTION CHUNK	FOR MiGetWorkingSetInfo

;  S U B	R O U T	I N E 


sub_5DA562	proc near		; DATA XREF: .text:006A4484o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5DA562	endp


;  S U B	R O U T	I N E 


sub_5DA570	proc near		; DATA XREF: .text:006A4488o
		mov	esp, [ebp-18h]
		push	0
		push	dword ptr [ebp-24h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-28h]
		jmp	loc_50E09E
sub_5DA570	endp

; 
; START	OF FUNCTION CHUNK FOR MiGetWorkingSetInfoEx

loc_5DA58C:				; CODE XREF: MiGetWorkingSetInfoEx+85j
		test	eax, eax
		jns	short loc_5DA594
		mov	[ebx], edi
		jmp	short loc_5DA597
; 

loc_5DA594:				; CODE XREF: MiGetWorkingSetInfoEx+CC4C8j
		mov	[ebx+4], edi

loc_5DA597:				; CODE XREF: MiGetWorkingSetInfoEx+CC4CCj
		xor	eax, eax
		jmp	loc_50E20E
; 

loc_5DA59E:				; CODE XREF: MiGetWorkingSetInfoEx+97j
		lea	eax, [ebp+var_1C]
		xor	edx, edx
		push	eax
		call	KiStackAttachProcess
		mov	[ebp+var_88], 1
		jmp	loc_50E163
; 

loc_5DA5B8:				; CODE XREF: MiGetWorkingSetInfoEx+D2j
		mov	edi, 0C000010Ah
		jmp	loc_50E1F3
; 

loc_5DA5C2:				; CODE XREF: MiGetWorkingSetInfoEx+E3j
		mov	edx, ecx
		sub	edx, [esi+44h]
		mov	[ebp+var_74], edx
		jz	loc_50E256
		mov	eax, [ebp+arg_4]
		cmp	eax, 20h
		jb	loc_50E1E3
		add	eax, 0FFFFFFE0h
		mov	[ebp+var_84], 18h
		xor	edx, edx
		mov	[ebp+var_80], 8
		div	[ebp+var_84]
		jmp	loc_50E1CC
; 

loc_5DA5FD:				; CODE XREF: MiGetWorkingSetInfoEx+140j
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_50E20C
; END OF FUNCTION CHUNK	FOR MiGetWorkingSetInfoEx
; 
; START	OF FUNCTION CHUNK FOR KiSwitchPriQueue

loc_5DA60C:				; CODE XREF: KiSwitchPriQueue+2Cj
					; KiSwitchPriQueue+CC2F6j
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5DA60C
		jmp	loc_50E349
; 

loc_5DA61F:				; CODE XREF: KiSwitchPriQueue+13Fj
		mov	ecx, [ebp+var_18]
		mov	dl, bl
		call	MiUnlockProtoPoolPage
		jmp	loc_50E467
; 

loc_5DA62E:				; CODE XREF: KiSwitchPriQueue+154j
		xor	eax, eax
		push	eax
		push	eax
		push	esi
		push	2
		call	MmAccessFault
		jmp	loc_50E467
; 

loc_5DA63F:				; CODE XREF: KiSwitchPriQueue+17Ej
		test	byte ptr [edx+16h], 10h
		jnz	short loc_5DA661
		mov	eax, [edx+8]
		and	eax, 400h
		or	eax, ecx
		jz	short loc_5DA661
		lea	eax, [edx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	loc_50E4B5
; 

loc_5DA661:				; CODE XREF: KiSwitchPriQueue+CC321j
					; KiSwitchPriQueue+CC32Dj
		lea	eax, [edx+8]
		mov	[ebp+var_1C], eax
		mov	eax, [eax]
		and	eax, 400h
		or	eax, ecx
		jz	short loc_5DA684
		push	2
		push	ecx
		mov	ecx, [ebp+var_38]
		xor	edx, edx
		call	MiDereferenceControlAreaPfnList
		mov	edx, [ebp+var_14]
		xor	ecx, ecx

loc_5DA684:				; CODE XREF: KiSwitchPriQueue+CC34Ej
		mov	eax, [edx+18h]
		and	eax, offset loc_7FFFFF
		mov	[ebp+var_24], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_44], eax
		cmp	[edx+14h], cx
		jnz	loc_5DA723
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_5DA6CA
		push	1
		xor	edx, edx
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], edx

loc_5DA6CA:				; CODE XREF: KiSwitchPriQueue+CC397j
		mov	eax, ds:dword_6D0700
		mov	ecx, edi
		mov	edx, ds:dword_6D0704
		mov	[ebp+var_3C], eax
		or	eax, edx
		mov	[ebp+var_40], edx
		mov	edx, [ebp+var_8]
		jz	short loc_5DA704
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_5DA6FE
		mov	edi, [ebp+var_3C]
		mov	eax, [ebp+var_40]
		not	edi
		not	eax
		and	edi, ecx
		and	eax, edx
		jmp	short loc_5DA707
; 

loc_5DA6FE:				; CODE XREF: KiSwitchPriQueue+CC3CAj
		mov	edi, ecx
		mov	eax, edx
		jmp	short loc_5DA707
; 

loc_5DA704:				; CODE XREF: KiSwitchPriQueue+CC3C0j
		mov	eax, [ebp+var_8]

loc_5DA707:				; CODE XREF: KiSwitchPriQueue+CC3DAj
					; KiSwitchPriQueue+CC3E0j
		shrd	edi, eax, 0Ch
		push	2
		and	edi, 3FFFFFFh
		pop	edx
		mov	ecx, edi
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	edi, [ebp+var_14]
		add	edi, 10h
		jmp	short loc_5DA768
; 

loc_5DA723:				; CODE XREF: KiSwitchPriQueue+CC37Aj
		mov	al, [edx+16h]
		lea	edi, [edx+10h]
		or	dword ptr [edi], 40000000h
		and	al, 28h
		cmp	al, 20h
		jnz	short loc_5DA74A
		mov	ecx, [edx]
		sub	ecx, 10h
		lea	eax, [ecx+8]
		mov	edx, [eax]
		sub	edx, eax
		neg	edx
		sbb	edx, edx
		and	edx, ecx
		mov	[ebp+var_20], edx

loc_5DA74A:				; CODE XREF: KiSwitchPriQueue+CC411j
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx]
		and	eax, 400h
		or	eax, 0
		jnz	short loc_5DA768
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		push	4
		inc	edx
		call	MiChargeCommit

loc_5DA768:				; CODE XREF: KiSwitchPriQueue+CC3FFj
					; KiSwitchPriQueue+CC435j
		mov	eax, [ebp+var_C]
		mov	[esi], eax
		nop
		mov	eax, [ebp+var_10]
		mov	[esi+4], eax
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_5DA78A
		mov	ecx, eax
		call	MiInvalidateCollidedIos

loc_5DA78A:				; CODE XREF: KiSwitchPriQueue+CC45Fj
		imul	eax, [ebp+var_44], 1Ch
		and	[ebp+var_48], 0
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_44], eax
		lea	edi, [eax+10h]
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_5DA7C0

loc_5DA7A5:				; CODE XREF: KiSwitchPriQueue+CC48Fj
					; KiSwitchPriQueue+CC496j
		lea	ecx, [ebp+var_48]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_5DA7A5
		lock bts dword ptr [edi], 1Fh
		jb	short loc_5DA7A5
		mov	bl, byte ptr [ebp+var_1]
		mov	eax, [ebp+var_44]

loc_5DA7C0:				; CODE XREF: KiSwitchPriQueue+CC481j
		mov	ecx, eax
		call	MiDecrementShareCount
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	ecx, [ebp+var_24]
		mov	eax, ecx
		mov	edx, [ebp+var_28]
		or	eax, edx
		jz	loc_50E4B5
		push	edx
		xor	edx, edx
		push	ecx
		inc	edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo
		jmp	loc_50E4B5
; 

loc_5DA7F3:				; CODE XREF: KiSwitchPriQueue+18Dj
		push	ecx
		push	300h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		cmp	edi, eax
		mov	eax, [ebp+var_8]
		jnz	short loc_5DA80D
		cmp	eax, edx
		jz	loc_50E4B5

loc_5DA80D:				; CODE XREF: KiSwitchPriQueue+CC4E1j
		push	eax
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		push	edi
		inc	edx
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		mov	eax, [ebp+var_C]
		mov	[esi], eax
		mov	eax, [ebp+var_10]
		mov	[esi+4], eax
		jmp	loc_50E4B5
; END OF FUNCTION CHUNK	FOR KiSwitchPriQueue
; 
; START	OF FUNCTION CHUNK FOR RtlCompressWorkSpaceSizeXpressLz

loc_5DA82C:				; CODE XREF: RtlCompressWorkSpaceSizeXpressLz+Cj
		mov	ecx, 100h
		cmp	ax, cx
		jnz	short loc_5DA84F
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 30003h
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 0
		xor	eax, eax
		jmp	loc_50E626
; 

loc_5DA84F:				; CODE XREF: RtlCompressWorkSpaceSizeXpressLz+CC234j
		mov	eax, 0C00000BBh
		jmp	loc_50E626
; END OF FUNCTION CHUNK	FOR RtlCompressWorkSpaceSizeXpressLz
; 
; START	OF FUNCTION CHUNK FOR FsRtlUninitializeFileLock

loc_5DA859:				; CODE XREF: FsRtlUninitializeFileLock+CC1C1j
		mov	eax, [ecx]
		mov	edx, ecx
		mov	ecx, offset _FsRtlSharedLockLookasideList
		mov	[esi], eax
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)

loc_5DA869:				; CODE XREF: FsRtlUninitializeFileLock+ACj
		mov	ecx, [esi]
		test	ecx, ecx
		jnz	short loc_5DA859
		push	ebx
		lea	eax, [esi+10h]
		push	eax
		call	_RtlDeleteNoSplay@8 ; RtlDeleteNoSplay(x,x)
		mov	edx, esi
		mov	ecx, offset _FsRtlLockTreeNodeLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	loc_50E6E7
; 

loc_5DA88A:				; CODE XREF: FsRtlUninitializeFileLock+48j
		push	ebx
		push	esi
		call	_RtlDeleteNoSplay@8 ; RtlDeleteNoSplay(x,x)
		mov	edx, esi
		mov	ecx, offset _FsRtlExclusiveLockLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	loc_50E6F0
; 

loc_5DA8A2:				; CODE XREF: FsRtlUninitializeFileLock+56j
					; FsRtlUninitializeFileLock+CC365j
		mov	eax, [esi]
		mov	[edi+1Ch], eax
		mov	ebx, [esi+0Ch]
		mov	[ebp+var_8], ebx
		test	ds:byte_70EFC6,	cl
		jz	short loc_5DA8C2
		mov	edx, [ebp+4]
		lea	ecx, [edi+10h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5DA8CA
; 

loc_5DA8C2:				; CODE XREF: FsRtlUninitializeFileLock+CC207j
		xor	ecx, ecx
		lea	eax, [edi+10h]
		lock and [eax],	ecx

loc_5DA8CA:				; CODE XREF: FsRtlUninitializeFileLock+CC214j
		push	7
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[ebx+25h], al
		xor	ecx, ecx
		lea	eax, [ebx+38h]
		xchg	ecx, [eax]
		mov	al, [ebx+25h]
		cmp	byte ptr [ebx+24h], 0
		mov	[ebp+var_2], al
		mov	eax, large fs:20h
		lea	ebx, [eax+450h]
		jz	short loc_5DA951
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5DA90B
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5DA936
; 

loc_5DA90B:				; CODE XREF: FsRtlUninitializeFileLock+CC251j
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5DA927
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jz	short loc_5DA936
		mov	ecx, ebx
		call	KxWaitForLockChainValid

loc_5DA927:				; CODE XREF: FsRtlUninitializeFileLock+CC263j
		xor	ecx, ecx
		mov	dword ptr [ebx], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5DA936:				; CODE XREF: FsRtlUninitializeFileLock+CC25Dj
					; FsRtlUninitializeFileLock+CC272j
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, ds:_FsRtlFileLockCancelCollideList
		mov	[esi], eax
		mov	ds:_FsRtlFileLockCancelCollideList, esi
		jmp	loc_5DA9FF
; 

loc_5DA951:				; CODE XREF: FsRtlUninitializeFileLock+CC246j
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5DA968
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5DA993
; 

loc_5DA968:				; CODE XREF: FsRtlUninitializeFileLock+CC2AEj
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5DA984
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jz	short loc_5DA993
		mov	ecx, ebx
		call	KxWaitForLockChainValid

loc_5DA984:				; CODE XREF: FsRtlUninitializeFileLock+CC2C0j
		xor	ecx, ecx
		mov	dword ptr [ebx], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5DA993:				; CODE XREF: FsRtlUninitializeFileLock+CC2BAj
					; FsRtlUninitializeFileLock+CC2CFj
		mov	cl, [ebp+var_2]
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	ebx
		xor	eax, eax
		mov	ecx, offset _FsRtlFileLockCancelCollideLock
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5DA9B8
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5DA9BD
; 

loc_5DA9B8:				; CODE XREF: FsRtlUninitializeFileLock+CC300j
		xor	eax, eax
		lock and [ecx],	eax

loc_5DA9BD:				; CODE XREF: FsRtlUninitializeFileLock+CC30Aj
		mov	cl, [ebp+var_1]
		call	ebx
		mov	eax, [ebp+var_8]
		lea	ecx, [ebp+var_C]
		push	0
		push	ecx
		push	0C000007Eh
		and	dword ptr [eax+1Ch], 0
		mov	edx, [esi+8]
		mov	ecx, [edi+8]
		push	eax
		call	FsRtlCompleteLockIrpReal
		mov	edx, esi
		mov	ecx, offset _FsRtlWaitingLockLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _FsRtlFileLockCancelCollideLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_5DA9FF:				; CODE XREF: FsRtlUninitializeFileLock+CC2A0j
		lea	ebx, [edi+10h]
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, [edi+1Ch]
		push	1
		pop	ecx
		test	esi, esi
		jnz	loc_5DA8A2
		jmp	loc_50E70B
; 

loc_5DAA1C:				; CODE XREF: FsRtlUninitializeFileLock+65j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		xor	ecx, ecx
		inc	ecx
		jmp	loc_50E71C
; 

loc_5DAA2E:				; CODE XREF: FsRtlUninitializeFileLock+7Dj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_50E734
; END OF FUNCTION CHUNK	FOR FsRtlUninitializeFileLock
; 
; START	OF FUNCTION CHUNK FOR KeCaptureWaitChainHeadEx

loc_5DAA3B:				; CODE XREF: KeCaptureWaitChainHeadEx+17j
		mov	[ecx], eax
		mov	ecx, [edx]
		cmp	[ecx+4], edx
		jnz	short loc_5DAA55
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	short loc_5DAA55
		mov	[eax], ecx
		mov	[ecx+4], eax
		jmp	loc_50E7D3
; 

loc_5DAA55:				; CODE XREF: KeCaptureWaitChainHeadEx+CC28Ej
					; KeCaptureWaitChainHeadEx+CC295j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5DAA5A:				; CODE XREF: RtlInsertHeadCircularList+4j
		push	esi
		mov	esi, [eax+4]
		cmp	[esi], eax
		jz	short loc_5DAA67
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5DAA67:				; CODE XREF: KeCaptureWaitChainHeadEx+CC2ACj
		mov	[edx+4], esi
		mov	[edx], eax
		mov	[esi], edx
		mov	[eax+4], edx
		pop	esi
		jmp	loc_50E7FB
; END OF FUNCTION CHUNK	FOR KeCaptureWaitChainHeadEx
; 
; START	OF FUNCTION CHUNK FOR RtlpHpFixedVsAllocate

loc_5DAA77:				; CODE XREF: RtlpHpFixedVsAllocate+29j
		mov	edx, [edi+14h]
		mov	ecx, esi
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	byte ptr [ebp+var_4+3],	al
		jmp	loc_50E831
; 

loc_5DAA89:				; CODE XREF: RtlpHpFixedVsAllocate+7Aj
		cmp	dword ptr [edi+14h], 0
		jnz	loc_5DAC4A
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5DAAA6
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5DAAA6:				; CODE XREF: RtlpHpFixedVsAllocate+CC29Fj
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	esi, 7FFFFFFCh
		jz	loc_5DAC39
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], esi
		pop	edx
		jb	short loc_5DAAE2
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_5DAAF0

loc_5DAAE2:				; CODE XREF: RtlpHpFixedVsAllocate+CC2D9j
		cmp	eax, [ebp+var_30]
		jb	short loc_5DAB03
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_5DAB03

loc_5DAAF0:				; CODE XREF: RtlpHpFixedVsAllocate+CC2E2j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_C], edx

loc_5DAB03:				; CODE XREF: RtlpHpFixedVsAllocate+CC2E7j
					; RtlpHpFixedVsAllocate+CC2F0j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_5DAB4E
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_5DABC0
		push	ecx
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DAB4E:				; CODE XREF: RtlpHpFixedVsAllocate+CC32Ej
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5DAB64
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_5DAB64:				; CODE XREF: RtlpHpFixedVsAllocate+CC35Cj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_5DABAE
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_5DABC0
; 

loc_5DABAE:				; CODE XREF: RtlpHpFixedVsAllocate+CC39Cj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_34]

loc_5DABC0:				; CODE XREF: RtlpHpFixedVsAllocate+CC338j
					; RtlpHpFixedVsAllocate+CC3AEj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jz	short loc_5DAC21
		test	edi, 8000h
		jz	short loc_5DABE4
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5DABE4:				; CODE XREF: RtlpHpFixedVsAllocate+CC3DBj
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_5DABF4
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5DABF4:				; CODE XREF: RtlpHpFixedVsAllocate+CC3EAj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5DAC08
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5DAC08:				; CODE XREF: RtlpHpFixedVsAllocate+CC3FDj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5DAC21
		push	[ebp+var_34]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5DAC21:				; CODE XREF: RtlpHpFixedVsAllocate+CC3D3j
					; RtlpHpFixedVsAllocate+CC414j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5DAC39
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5DAC39
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5DAC39:				; CODE XREF: RtlpHpFixedVsAllocate+CC2B3j
					; RtlpHpFixedVsAllocate+CC42Cj	...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_50E87E
; 

loc_5DAC4A:				; CODE XREF: RtlpHpFixedVsAllocate+CC28Fj
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_50E87E
; END OF FUNCTION CHUNK	FOR RtlpHpFixedVsAllocate
; 
; START	OF FUNCTION CHUNK FOR SepDuplicateLogonSessionReference

loc_5DAC5E:				; CODE XREF: SepDuplicateLogonSessionReference+14j
		lea	ecx, [edx+18h]
		mov	edx, edi
		call	_SepReferenceLogonSession@8 ; SepReferenceLogonSession(x,x)
		test	eax, eax
		jns	loc_50E99E
		or	dword ptr [esi+0B0h], 20h
		and	dword ptr [edi], 0
		jmp	loc_50E99E
; END OF FUNCTION CHUNK	FOR SepDuplicateLogonSessionReference
; 
; START	OF FUNCTION CHUNK FOR ExQueryHandleExceptionsPermanency

loc_5DAC7F:				; CODE XREF: ExQueryHandleExceptionsPermanency+4Cj
		mov	byte ptr [edi],	1
		mov	eax, [ecx+8]
		shr	eax, 3
		and	al, 1
		jmp	loc_50EAA0
; 

loc_5DAC8F:				; CODE XREF: ExQueryHandleExceptionsPermanency+56j
		mov	byte ptr [edi],	1
		mov	al, 1
		jmp	loc_50EAA0
; 

loc_5DAC99:				; CODE XREF: ExQueryHandleExceptionsPermanency+20Dj
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DACAC:				; CODE XREF: ExQueryHandleExceptionsPermanency+144j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_50EB9A
; 

loc_5DACC3:				; CODE XREF: ExQueryHandleExceptionsPermanency+1D0j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_50EC16
; 

loc_5DACD2:				; CODE XREF: ExQueryHandleExceptionsPermanency+1FAj
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_50EBAD
; END OF FUNCTION CHUNK	FOR ExQueryHandleExceptionsPermanency
; 
; START	OF FUNCTION CHUNK FOR PiDrvDbUnloadNodeDpcRoutine

loc_5DACE4:				; CODE XREF: PiDrvDbUnloadNodeDpcRoutine+49j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_50ED1E
; END OF FUNCTION CHUNK	FOR PiDrvDbUnloadNodeDpcRoutine
; 
; START	OF FUNCTION CHUNK FOR RtlpHpFixedVsFree

loc_5DACF3:				; CODE XREF: RtlpHpFixedVsFree+39j
		mov	edx, [edi+14h]
		lea	ecx, [edi+10h]
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	ecx, [ebp+var_8]
		mov	byte ptr [ebp+var_4+3],	al
		jmp	loc_50ED67
; 

loc_5DAD09:				; CODE XREF: RtlpHpFixedVsFree+63j
		jnz	short loc_5DAD1C
		mov	eax, [ebp+var_34]
		bt	[eax], esi
		setb	al

loc_5DAD14:				; CODE XREF: RtlpHpFixedVsFree+11Dj
		test	al, al
		jnz	loc_50EE3A

loc_5DAD1C:				; CODE XREF: RtlpHpFixedVsFree+56j
					; RtlpHpFixedVsFree+6Dj ...
		push	0
		push	dword ptr [ebx+14h]
		mov	edx, edi
		push	dword ptr [ebx+10h]
		push	dword ptr [ebx+0Ch]
		push	8
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		push	32h
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5DAD36:				; CODE XREF: RtlpHpFixedVsFree+FBj
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	short loc_5DAD1C
		jmp	loc_50EE17
; 

loc_5DAD40:				; CODE XREF: RtlpHpFixedVsFree+CBj
		cmp	dword ptr [edi+14h], 0
		lea	ecx, [edi+10h]
		mov	[ebp+var_8], ecx
		jnz	loc_5DAF0B
		or	edx, 0FFFFFFFFh
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5DAD6A
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]
		or	edx, 0FFFFFFFFh

loc_5DAD6A:				; CODE XREF: RtlpHpFixedVsFree+CC039j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_5DAEFA
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	[ebp+var_14], esi
		mov	esi, ds:dword_6D07D0
		shr	eax, 15h
		cmp	ecx, esi
		mov	[ebp+var_30], esi
		mov	esi, [ebp+var_14]
		jb	short loc_5DADA3
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_5DADB1

loc_5DADA3:				; CODE XREF: RtlpHpFixedVsFree+CC074j
		cmp	ecx, [ebp+var_30]
		jb	short loc_5DADC4
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_5DADC4

loc_5DADB1:				; CODE XREF: RtlpHpFixedVsFree+CC07Dj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], edx

loc_5DADC4:				; CODE XREF: RtlpHpFixedVsFree+CC082j
					; RtlpHpFixedVsFree+CC08Bj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_5DAE0F
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_5DAE81
		push	ecx
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DAE0F:				; CODE XREF: RtlpHpFixedVsFree+CC0C9j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5DAE25
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_5DAE25:				; CODE XREF: RtlpHpFixedVsFree+CC0F7j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_5DAE6F
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_5DAE81
; 

loc_5DAE6F:				; CODE XREF: RtlpHpFixedVsFree+CC137j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_14]

loc_5DAE81:				; CODE XREF: RtlpHpFixedVsFree+CC0D3j
					; RtlpHpFixedVsFree+CC149j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	short loc_5DAEE2
		test	edi, 8000h
		jz	short loc_5DAEA5
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5DAEA5:				; CODE XREF: RtlpHpFixedVsFree+CC176j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_5DAEB5
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5DAEB5:				; CODE XREF: RtlpHpFixedVsFree+CC185j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5DAEC9
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5DAEC9:				; CODE XREF: RtlpHpFixedVsFree+CC198j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5DAEE2
		push	[ebp+var_30]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5DAEE2:				; CODE XREF: RtlpHpFixedVsFree+CC16Ej
					; RtlpHpFixedVsFree+CC1AFj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5DAEFA
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5DAEFA
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5DAEFA:				; CODE XREF: RtlpHpFixedVsFree+CC051j
					; RtlpHpFixedVsFree+CC1C7j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_50EDF5
; 

loc_5DAF0B:				; CODE XREF: RtlpHpFixedVsFree+CC026j
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_50EDF5
; END OF FUNCTION CHUNK	FOR RtlpHpFixedVsFree
; 
; START	OF FUNCTION CHUNK FOR PsBoostThreadIoQoS

loc_5DAF1F:				; CODE XREF: PsBoostThreadIoQoS+Bj
		xor	eax, eax
		inc	eax
		lock xadd [esi], eax
		inc	eax
		cmp	eax, 1
		jnz	loc_50EF18
		xor	edx, edx
		pop	esi
		jmp	_KeAbProcessEffectiveIoPriorityChange@8	; KeAbProcessEffectiveIoPriorityChange(x,x)
; END OF FUNCTION CHUNK	FOR PsBoostThreadIoQoS
; 
; START	OF FUNCTION CHUNK FOR RtlDeleteHashTable

loc_5DAF38:				; CODE XREF: RtlDeleteHashTable+15j
		test	esi, esi
		jz	loc_50EF8D
		push	ebx
		xor	ebx, ebx

loc_5DAF43:				; CODE XREF: RtlDeleteHashTable+CBFF0j
		mov	eax, [esi+ebx*4]
		test	eax, eax
		jz	short loc_5DAF58
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		inc	ebx
		cmp	ebx, 10h
		jb	short loc_5DAF43

loc_5DAF58:				; CODE XREF: RtlDeleteHashTable+CBFE2j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebx
		jmp	loc_50EF8D
; END OF FUNCTION CHUNK	FOR RtlDeleteHashTable
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorAttachEx

loc_5DAF66:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorAttachEx+22j
		cmp	byte ptr [esi+2], 2
		jnz	loc_50F008
		push	2
		lea	edx, [esi+4]
		mov	ecx, ebx
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		mov	esi, eax
		test	esi, esi
		jnz	loc_50F00B
		or	esi, 0FFFFFFFFh
		jmp	loc_50F016
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorAttachEx
; 
; START	OF FUNCTION CHUNK FOR EtwpLoggerDpc

loc_5DAF8E:				; CODE XREF: EtwpLoggerDpc+41j
		xor	dl, dl
		mov	ecx, esi
		call	EtwpRequestFlushTimer
		jmp	loc_50F105
; END OF FUNCTION CHUNK	FOR EtwpLoggerDpc
; 
; START	OF FUNCTION CHUNK FOR MiLockDownWorkingSet

loc_5DAF9C:				; CODE XREF: MiLockDownWorkingSet+8Cj
					; MiLockDownWorkingSet+98978j
		lea	ecx, [ebp+var_28]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_5DAF9C
		jmp	loc_5426B7
; END OF FUNCTION CHUNK	FOR MiLockDownWorkingSet
; 
; START	OF FUNCTION CHUNK FOR MiCloneVads

loc_5DAFAF:				; CODE XREF: MiCloneVads+C8j
		mov	esi, 1
		jmp	loc_54288E
; 

loc_5DAFB9:				; CODE XREF: MiCloneVads+183j
		mov	edi, offset unk_6D3C40
		jmp	loc_54294B
; 

loc_5DAFC3:				; CODE XREF: MiCloneVads+1B1j
		mov	ecx, [ebp+var_E0]
		call	MiUnlockWorkingSetExclusive
		mov	ecx, [ebp+var_E4]
		call	_MiUnlockAweVadsExclusive@4 ; MiUnlockAweVadsExclusive(x)
		mov	edx, [ebp+var_D0]
		mov	ecx, edi
		call	_MiFreeCloneDescriptor@8 ; MiFreeCloneDescriptor(x,x)
		mov	eax, [ebp+var_C4]
		cmp	eax, ds:_PsInitialSystemProcess
		jz	short loc_5DB004
		mov	ecx, [eax+188h]
		mov	edx, eax
		push	esi
		push	0
		call	PspReturnQuota

loc_5DB004:				; CODE XREF: MiCloneVads+98832j
		mov	edx, [ebp+var_D4]
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_542880
; 

loc_5DB017:				; CODE XREF: MiCloneVads+1F6j
		mov	esi, offset unk_6D3C40
		jmp	loc_5429C2
; 

loc_5DB021:				; CODE XREF: MiCloneVads+22Fj
		lea	ecx, [ebp+var_C0]
		call	_MiFreeForkMaps@4 ; MiFreeForkMaps(x)
		mov	edi, 0C000009Ah
		jmp	loc_542DE0
; 

loc_5DB036:				; CODE XREF: MiCloneVads+661j
		mov	esi, offset unk_6D3C40
		jmp	loc_542E2D
; 

loc_5DB040:				; CODE XREF: MiCloneVads+709j
		mov	eax, [ebp+var_11C]
		mov	dword ptr [eax], 1
		jmp	loc_542ECF
; 

loc_5DB051:				; CODE XREF: MiCloneVads+12Ej
		mov	eax, [ebp+var_C4]
		cmp	eax, ds:_PsInitialSystemProcess
		jz	short loc_5DB06F
		mov	ecx, [eax+188h]
		mov	edx, eax
		push	esi
		push	0
		call	PspReturnQuota

loc_5DB06F:				; CODE XREF: MiCloneVads+9889Dj
		mov	edx, [ebp+var_D0]
		mov	ecx, [ebp+var_CC]
		call	_MiFreeCloneDescriptor@8 ; MiFreeCloneDescriptor(x,x)

loc_5DB080:				; CODE XREF: MiCloneVads+F3j
		mov	eax, 0C000009Ah
		jmp	loc_542ED1
; 

loc_5DB08A:				; CODE XREF: MiCloneVads+10Dj
		mov	edx, [ebp+var_D0]
		mov	ecx, [ebp+var_CC]
		call	_MiFreeCloneDescriptor@8 ; MiFreeCloneDescriptor(x,x)
		mov	eax, edi
		jmp	loc_542ED1
; END OF FUNCTION CHUNK	FOR MiCloneVads
; 
; START	OF FUNCTION CHUNK FOR MiReferenceCloneProto

loc_5DB0A2:				; CODE XREF: MiReferenceCloneProto+4Fj
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		inc	ecx
		inc	dword ptr [eax+4]
		lea	eax, [edi+1124h]
		lock xadd [eax], ecx
		jmp	loc_543E68
; END OF FUNCTION CHUNK	FOR MiReferenceCloneProto
; 
; START	OF FUNCTION CHUNK FOR MiUpdateForkMaps

loc_5DB0BA:				; CODE XREF: MiUpdateForkMaps+47j
		mov	ecx, eax

loc_5DB0BC:				; CODE XREF: MiUpdateForkMaps+971BCj
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		sub	ebx, 40000000h
		sub	ecx, 1
		jnz	short loc_5DB0BC
		add	ebx, 8
		test	eax, eax
		jz	loc_543F8A

loc_5DB0DB:				; CODE XREF: MiUpdateForkMaps+971CFj
		shl	ebx, 9
		sub	eax, 1
		jnz	short loc_5DB0DB
		jmp	loc_543F8A
; 

loc_5DB0E8:				; CODE XREF: MiUpdateForkMaps+DCj
		mov	eax, edi
		and	eax, 1
		or	eax, esi
		jz	short loc_5DB101
		nop
		shrd	edi, ecx, 0Ch
		and	edi, 1FFFFFFh
		jmp	loc_544020
; 

loc_5DB101:				; CODE XREF: MiUpdateForkMaps+971DDj
		mov	eax, ds:dword_6D0700
		mov	edx, edi
		mov	esi, ds:dword_6D0704
		mov	[ebp+arg_4], eax
		or	eax, esi
		push	0
		mov	[ebp+var_C], esi
		mov	[ebp+arg_8], ecx
		pop	esi
		jz	short loc_5DB136
		mov	eax, edx
		and	eax, 10h
		or	eax, esi
		jnz	short loc_5DB136
		mov	edi, [ebp+arg_4]
		mov	ecx, [ebp+var_C]
		not	edi
		not	ecx
		and	edi, edx
		and	ecx, [ebp+arg_8]

loc_5DB136:				; CODE XREF: MiUpdateForkMaps+9720Aj
					; MiUpdateForkMaps+97213j
		shrd	edi, ecx, 0Ch
		and	edi, 3FFFFFFh
		jmp	loc_544020
; END OF FUNCTION CHUNK	FOR MiUpdateForkMaps
; 
; START	OF FUNCTION CHUNK FOR MiBuildForkPageTable

loc_5DB145:				; CODE XREF: MiBuildForkPageTable+6Ej
					; MiBuildForkPageTable+970C7j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5DB145
		jmp	loc_5440F3
; 

loc_5DB158:				; CODE XREF: MiBuildForkPageTable+84j
		push	edi
		mov	edx, edi
		mov	ecx, ebx
		call	MiChangePageAttribute
		mov	cl, [ebx+16h]
		jmp	loc_544114
; END OF FUNCTION CHUNK	FOR MiBuildForkPageTable
; 
; START	OF FUNCTION CHUNK FOR MiDoneWithThisPageGetAnother

loc_5DB16A:				; CODE XREF: MiDoneWithThisPageGetAnother+71j
					; MiDoneWithThisPageGetAnother+9704Aj
		mov	dl, bl
		mov	ecx, edi
		call	MiUnlockWorkingSetExclusive
		mov	ecx, esi
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		mov	al, [edi+60h]
		mov	esi, offset unk_6D3C40
		and	al, 7
		cmp	al, 2
		jz	short loc_5DB18E
		lea	esi, [edi+80h]

loc_5DB18E:				; CODE XREF: MiDoneWithThisPageGetAnother+9701Aj
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		mov	bl, al
		mov	edx, [ebp+var_4]
		mov	esi, offset _MiSystemPartition
		push	302h
		mov	ecx, esi
		call	MiGetPage
		mov	ecx, [ebp+var_8]
		mov	[ecx], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5DB16A
		jmp	loc_5441D3
; END OF FUNCTION CHUNK	FOR MiDoneWithThisPageGetAnother
; 
; START	OF FUNCTION CHUNK FOR MiFinishLastForkPageTable

loc_5DB1BD:				; CODE XREF: MiFinishLastForkPageTable+ADj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5DB1D8
		xor	ebx, ebx
		inc	ebx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	loc_544295
		jmp	short loc_5DB1F4
; 

loc_5DB1D8:				; CODE XREF: MiFinishLastForkPageTable+96FE2j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_544295

loc_5DB1F4:				; CODE XREF: MiFinishLastForkPageTable+96FF4j
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_544295
		or	edx, 80000000h
		jmp	loc_544295
; END OF FUNCTION CHUNK	FOR MiFinishLastForkPageTable
; 
; START	OF FUNCTION CHUNK FOR MiCloneImageVad

loc_5DB20D:				; CODE XREF: MiCloneImageVad+3Bj
		mov	ecx, edi
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	ecx, ebx
		call	MiCreatePerSessionProtos
		test	eax, eax
		jns	loc_5442F9
		cmp	esi, 1
		jnz	loc_5442FB
		mov	ecx, [edi+24Ch]
		dec	dword ptr [ecx+98h]
		jmp	loc_5442FB
; END OF FUNCTION CHUNK	FOR MiCloneImageVad
; 
; START	OF FUNCTION CHUNK FOR MiCloneCaptureVadCommit

loc_5DB23F:				; CODE XREF: MiCloneCaptureVadCommit+29j
		mov	eax, 0C000009Ah
		jmp	loc_54441B
; 

loc_5DB249:				; CODE XREF: MiCloneCaptureVadCommit+D1j
		mov	dl, byte ptr [ebp+var_8]
		mov	ecx, [ebp+var_C]
		call	MiUnlockWorkingSetExclusive
		push	esi
		push	40h
		push	48h
		mov	edx, 6356694Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jz	short loc_5DB2A4
		mov	ecx, [ebp+var_C]
		mov	[eax], edi
		mov	edi, eax
		add	eax, 4
		mov	[ebp+var_4], eax
		mov	[eax], esi
		mov	al, [ecx+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_5DB28B
		lea	eax, [ecx+80h]

loc_5DB28B:				; CODE XREF: MiCloneCaptureVadCommit+96F67j
		push	eax
		mov	[ebp+var_10], eax
		call	ExAcquireSpinLockExclusive
		mov	eax, [ebp+var_10]
		mov	[eax+4], esi
		mov	eax, [ebp+var_4]
		mov	ecx, [eax]
		jmp	loc_5443F3
; 

loc_5DB2A4:				; CODE XREF: MiCloneCaptureVadCommit+96F4Aj
		mov	esi, 0C000009Ah
		jmp	loc_54440F
; END OF FUNCTION CHUNK	FOR MiCloneCaptureVadCommit
; 
; START	OF FUNCTION CHUNK FOR MiInsertClone

loc_5DB2AE:				; CODE XREF: MiInsertClone+6Fj
		mov	ecx, edi
		call	_MiDeleteDeferredCloneDescriptors@4 ; MiDeleteDeferredCloneDescriptors(x)
		test	eax, eax
		jz	loc_544785

loc_5DB2BD:				; CODE XREF: MiInsertClone+96B59j
		mov	esi, [eax]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_5DB2BD
		jmp	loc_544785
; END OF FUNCTION CHUNK	FOR MiInsertClone
; 
; START	OF FUNCTION CHUNK FOR MiLockPagedAddress

loc_5DB2D2:				; CODE XREF: MiLockPagedAddress+6Fj
		push	eax
		mov	ecx, esi
		mov	edx, esi
		push	0FFFFFFFFh
		shl	ecx, 9
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		mov	edx, ebx
		mov	ecx, offset unk_6D3840
		mov	edi, eax
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		test	edi, edi
		jns	loc_54489E
		mov	dl, byte ptr [ebp+var_4]
		mov	ecx, offset unk_6D3840
		call	MiUnlockWorkingSetShared
		mov	edx, edi
		mov	edi, offset unk_6D3840
		mov	ecx, edi
		call	MiCopyOnWriteCheckConditions
		mov	ecx, edi
		jmp	loc_5449C9
; 

loc_5DB319:				; CODE XREF: MiLockPagedAddress+160j
		xor	ecx, ecx
		inc	ecx
		call	_MiFlushAllFilesystemPages@4 ; MiFlushAllFilesystemPages(x)
		push	[ebp+var_C]
		push	0
		push	edi
		push	2
		push	7Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DB330:				; CODE XREF: MiLockPagedAddress+97j
					; MiLockPagedAddress+96ADEj ...
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_5DB330
		lock bts dword ptr [edi], 1Fh
		jb	short loc_5DB330
		mov	ecx, [ebp+var_8]
		jmp	loc_5448FB
; 

loc_5DB34D:				; CODE XREF: MiLockPagedAddress+A8j
		xor	edx, edx
		jmp	loc_544918
; 

loc_5DB354:				; CODE XREF: MiLockPagedAddress+D6j
		push	edx
		xor	edx, edx
		push	ecx
		inc	edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo
		jmp	loc_54493A
; 

loc_5DB368:				; CODE XREF: MiLockPagedAddress+EEj
					; MiLockPagedAddress+F9j
		mov	byte ptr [ebp+var_1C], al
		mov	ecx, esi
		push	[ebp+var_1C]
		push	3
		pop	edx
		call	_MiWriteValidPteVolatile@12 ; MiWriteValidPteVolatile(x,x,x)
		jmp	loc_54495D
; END OF FUNCTION CHUNK	FOR MiLockPagedAddress
; 
; START	OF FUNCTION CHUNK FOR MiCommitPageTableRangesForVad

loc_5DB37D:				; CODE XREF: MiCommitPageTableRangesForVad+225j
		push	0
		push	[ebp+var_10]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DB390:				; CODE XREF: MiCommitPageTableRangesForVad+1A9j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_34]
		jmp	loc_544B93
; 

loc_5DB3A7:				; CODE XREF: MiCommitPageTableRangesForVad+258j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_544C32
; 

loc_5DB3B6:				; CODE XREF: MiCommitPageTableRangesForVad+282j
		push	[ebp+var_34]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_544BA6
; END OF FUNCTION CHUNK	FOR MiCommitPageTableRangesForVad
; 
; START	OF FUNCTION CHUNK FOR MiUpControlAreaRefs

loc_5DB3C8:				; CODE XREF: MiUpControlAreaRefs+8Ej
		mov	ecx, [ebp+var_C]
		call	_MiUnlockNestedVad@4 ; MiUnlockNestedVad(x)
		jmp	loc_544D01
; 

loc_5DB3D5:				; CODE XREF: MiUpControlAreaRefs+148j
		push	ecx
		mov	edx, edi
		mov	ecx, edi
		call	_MiDecrementSubsections@12 ; MiDecrementSubsections(x,x,x)
		jmp	loc_544DCC
; 

loc_5DB3E4:				; CODE XREF: MiUpControlAreaRefs+160j
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	loc_544D4A
		mov	edx, eax
		jmp	short loc_5DB3FD
; 

loc_5DB3F3:				; CODE XREF: MiUpControlAreaRefs+CEj
		test	al, 20h
		jnz	loc_544D4A
		mov	edx, edi

loc_5DB3FD:				; CODE XREF: MiUpControlAreaRefs+9678Bj
		push	ecx
		mov	ecx, edi
		call	_MiDecrementSubsections@12 ; MiDecrementSubsections(x,x,x)
		jmp	loc_544D4A
; 

loc_5DB40A:				; CODE XREF: MiUpControlAreaRefs+1C7j
		test	al, 4
		jnz	loc_544E33
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_10]
		jmp	loc_544E33
; 

loc_5DB421:				; CODE XREF: MiUpControlAreaRefs+352j
		push	0
		push	[ebp+var_38]
		push	[ebp+var_10]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DB434:				; CODE XREF: MiUpControlAreaRefs+298j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_20]
		jmp	loc_544F0A
; 

loc_5DB445:				; CODE XREF: MiUpControlAreaRefs+39Fj
		push	[ebp+var_38]
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_544F21
; 

loc_5DB457:				; CODE XREF: MiUpControlAreaRefs+113j
		cmp	[ebp+var_44], 1
		jnz	loc_544D7F
		lock dec dword ptr [esi+34h]
		jmp	loc_544D7F
; END OF FUNCTION CHUNK	FOR MiUpControlAreaRefs
; 
; START	OF FUNCTION CHUNK FOR MiCreateForkWsle

loc_5DB46A:				; CODE XREF: MiCreateForkWsle+4Fj
		mov	dl, [ebp+var_1]
		lea	eax, [ebx-1]
		mov	ecx, esi
		shl	ecx, 9
		push	eax
		lea	eax, [ecx+0FF8h]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_8]
		call	MiCreateForkWsle
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+arg_0]
		jmp	loc_545107
; END OF FUNCTION CHUNK	FOR MiCreateForkWsle
; 
; START	OF FUNCTION CHUNK FOR MiCreateCloneChain

loc_5DB491:				; CODE XREF: MiCreateCloneChain+9Fj
					; MiCreateCloneChain+D3j
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jz	loc_54523A
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	loc_5451A0
		jmp	loc_545221
; 

loc_5DB4AF:				; CODE XREF: MiCreateCloneChain+BAj
		mov	ebx, 0C000009Ah
		jmp	loc_5451A4
; 

loc_5DB4B9:				; CODE XREF: MiCreateCloneChain+75j
					; MiCreateCloneChain+84j
		test	edi, edi
		jz	short loc_5DB4CD

loc_5DB4BD:				; CODE XREF: MiCreateCloneChain+9638Fj
		mov	esi, [edi]
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_5DB4BD

loc_5DB4CD:				; CODE XREF: MiCreateCloneChain+9637Fj
		xor	edi, edi
		jmp	loc_5451C6
; END OF FUNCTION CHUNK	FOR MiCreateCloneChain
; 
; START	OF FUNCTION CHUNK FOR MiDecrementCloneHeaderCount

loc_5DB4D4:				; CODE XREF: MiDecrementCloneHeaderCount+4Dj
		mov	eax, [ebp+var_10]
		push	0
		push	0
		push	dword ptr [eax+514h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		leave
		retn
; END OF FUNCTION CHUNK	FOR MiDecrementCloneHeaderCount
; 
; START	OF FUNCTION CHUNK FOR MiUpdateOldPteWorker

loc_5DB4E8:				; CODE XREF: MiUpdateOldPteWorker+1Ej
		cmp	eax, edx
		jbe	loc_5459F4
		call	MiLockSetPfnPriority
		jmp	loc_5459F4
; END OF FUNCTION CHUNK	FOR MiUpdateOldPteWorker
; 
; START	OF FUNCTION CHUNK FOR PspHandleTableWalker

loc_5DB4FA:				; CODE XREF: PspHandleTableWalker+25j
		push	esi
		xor	edx, edx
		call	ExpUnblockPushLock
		jmp	loc_545A79
; END OF FUNCTION CHUNK	FOR PspHandleTableWalker
; 
; START	OF FUNCTION CHUNK FOR MiDecrementCloneBlockReference

loc_5DB507:				; CODE XREF: MiDecrementCloneBlockReference+1Bj
		cmp	eax, large fs:124h
		jz	loc_545ABB
		push	0
		push	edx
		push	esi
		push	61945h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DB524:				; CODE XREF: MiDecrementCloneBlockReference+58j
		mov	eax, edi
		lock xadd [edx+8], eax
		dec	eax
		test	eax, 7FFFFFFh
		jnz	short loc_5DB54A
		mov	ecx, [ebp+var_8]
		lock dec dword ptr [ecx+1124h]
		cmp	ebx, 3
		jz	short loc_5DB54A
		xor	edx, edx
		inc	edx
		call	MiReturnCommit

loc_5DB54A:				; CODE XREF: MiDecrementCloneBlockReference+95A97j
					; MiDecrementCloneBlockReference+95AA6j
		push	5
		pop	ebx
		jmp	loc_545AF8
; 

loc_5DB552:				; CODE XREF: MiDecrementCloneBlockReference+64j
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_MiDeleteCloneDescriptor@8 ; MiDeleteCloneDescriptor(x,x)
		jmp	loc_545B04
; END OF FUNCTION CHUNK	FOR MiDecrementCloneBlockReference
; 
; START	OF FUNCTION CHUNK FOR MiDeleteMergedPte

loc_5DB561:				; CODE XREF: MiDeleteMergedPte+37j
		mov	esi, [edi]
		nop
		mov	ecx, [edi+4]
		push	ecx
		mov	ecx, [ebp+var_8]
		push	esi
		call	_MiReleasePageFileSpace@16 ; MiReleasePageFileSpace(x,x,x,x)
		jmp	loc_545B79
; END OF FUNCTION CHUNK	FOR MiDeleteMergedPte
; 
; START	OF FUNCTION CHUNK FOR MiUpdateOldWorkingSetPagesTail

loc_5DB576:				; CODE XREF: MiUpdateOldWorkingSetPagesTail+20j
		cmp	dword ptr [edx], 0
		jz	loc_545BB6
		push	ecx
		mov	ecx, edi
		call	_MiQueryEPTAccessedState@12 ; MiQueryEPTAccessedState(x,x,x)
		test	eax, eax
		jz	loc_545BB6
		mov	edx, [esi+0A8h]
		mov	ecx, edi
		push	esi
		push	offset _MiUpdateOldPagesEPTCallback@20 ; MiUpdateOldPagesEPTCallback(x,x,x,x,x)
		call	_MiProcessVmAccessedInfo@16 ; MiProcessVmAccessedInfo(x,x,x,x)
		jmp	loc_545BA2
; END OF FUNCTION CHUNK	FOR MiUpdateOldWorkingSetPagesTail
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStTrimWsStore

loc_5DB5A7:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+72j
		mov	esi, 0C0000476h
		jmp	loc_545E68
; 

loc_5DB5B1:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+38Cj
		cmp	[edx], esi
		jnz	loc_545D25
		add	edi, 20h
		add	edx, 4
		cmp	edi, 0FFFFFFFFh
		jnb	loc_545D45
		jmp	loc_545F5A
; 

loc_5DB5CD:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+180j
		or	edi, 0FFFFFFFFh
		jmp	loc_545D56
; 

loc_5DB5D5:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStore+345j
		cmp	[esp+90h+var_7C], esi
		jz	loc_545E36
		jmp	loc_545E04
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStTrimWsStore
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch

loc_5DB5E4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+58j
		shr	ebx, 0Ch
		mov	eax, ebx
		mov	[ebp+var_10], ebx
		imul	eax, esi
		push	71576D73h
		shl	eax, 3
		push	eax
		push	200h
		mov	[ebp+var_18], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_5DB616
		mov	eax, [ebp+arg_C]
		mov	[eax], edi
		jmp	loc_545FFD
; 

loc_5DB616:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+95692j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		mov	[ebp+var_8], edx
		test	esi, esi
		jz	short loc_5DB659
		mov	edx, ebx

loc_5DB624:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+956DAj
		mov	eax, [ebp+var_8]
		mov	eax, [eax+edi*4]
		mov	[ebp+var_4], eax
		cmp	ecx, edx
		jnb	short loc_5DB64D
		mov	ebx, [ebp+var_C]

loc_5DB634:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+956CDj
		mov	[ebx+ecx*8], eax
		inc	ecx
		mov	eax, [ebp+var_4]
		add	eax, 1000h
		mov	[ebp+var_4], eax
		cmp	ecx, edx
		jb	short loc_5DB634
		mov	esi, [ebp+arg_4]
		mov	ebx, [ebp+var_10]

loc_5DB64D:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+956B7j
		inc	edi
		add	edx, ebx
		cmp	edi, esi
		jb	short loc_5DB624
		mov	eax, [ebp+var_C]
		xor	edi, edi

loc_5DB659:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+956A8j
		push	edi
		push	[ebp+var_18]
		push	eax
		push	4
		push	dword ptr [eax]
		push	0FFFFFFFFh
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_5DB674
		mov	eax, [ebp+arg_C]
		mov	[eax], edi
		jmp	short loc_5DB6EE
; 

loc_5DB674:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+956F3j
		mov	[ebp+var_1C], edi
		mov	edx, edi
		test	esi, esi
		jz	short loc_5DB6EE
		mov	eax, [ebp+arg_C]
		mov	[ebp+arg_0], ebx

loc_5DB683:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+95774j
		mov	ecx, edi
		mov	[ebp+var_4], ecx
		cmp	edx, [ebp+arg_0]
		jnb	short loc_5DB6D8
		mov	eax, [ebp+var_C]
		mov	esi, [ebp+arg_C]
		mov	ebx, [ebp+var_8]
		lea	eax, [eax+edx*8]
		add	eax, 4

loc_5DB69C:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+9573Aj
		test	byte ptr [eax],	1
		jz	short loc_5DB6AB
		sub	dword ptr [esi], 1
		mov	ecx, [ebx]
		mov	[ebp+var_4], ecx
		jz	short loc_5DB6B4

loc_5DB6AB:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+95727j
		inc	edx
		add	eax, 8
		cmp	edx, [ebp+arg_0]
		jb	short loc_5DB69C

loc_5DB6B4:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+95731j
		mov	esi, [ebp+arg_4]
		mov	ebx, [ebp+var_10]
		mov	[ebp+var_18], edx
		test	ecx, ecx
		jz	short loc_5DB6D5
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	0FFFFFFFFh
		call	_ZwUnlockVirtualMemory@16 ; ZwUnlockVirtualMemory(x,x,x,x)
		mov	edx, [ebp+var_18]

loc_5DB6D5:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+95747j
		mov	eax, [ebp+arg_C]

loc_5DB6D8:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+95713j
		cmp	[eax], edi
		jz	short loc_5DB6EE
		mov	ecx, [ebp+var_1C]
		add	[ebp+arg_0], ebx
		inc	ecx
		add	[ebp+var_8], 4
		mov	[ebp+var_1C], ecx
		cmp	ecx, esi
		jb	short loc_5DB683

loc_5DB6EE:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+956FAj
					; SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch+95703j ...
		push	edi
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_545FFD
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStTrimWsStoreBatch
; 
; START	OF FUNCTION CHUNK FOR MiForcedTrim

loc_5DB6FC:				; CODE XREF: MiForcedTrim+80j
		mov	eax, [ebp+var_8]
		xor	edx, edx
		mov	[ebp+var_14], 0Ah
		div	[ebp+var_14]
		shl	esi, 4
		cmp	esi, eax
		jbe	short loc_5DB714
		mov	esi, eax

loc_5DB714:				; CODE XREF: MiForcedTrim+956D2j
		mov	eax, [ebp+var_8]
		mov	edx, ecx
		cmp	ecx, eax
		jb	short loc_5DB71F
		mov	edx, eax

loc_5DB71F:				; CODE XREF: MiForcedTrim+956DDj
		imul	eax, edx, 64h
		xor	edx, edx
		div	[ebp+var_8]
		xor	edx, edx
		imul	eax, esi
		div	[ebp+var_10]
		xor	edx, edx
		mov	esi, eax
		mov	eax, ecx
		div	[ebp+var_14]
		cmp	esi, eax
		jbe	loc_5460C4
		mov	esi, eax
		jmp	loc_5460C4
; 

loc_5DB747:				; CODE XREF: MiForcedTrim+8Bj
		sub	esi, eax
		cmp	esi, 10h
		jnb	short loc_5DB751
		push	10h
		pop	esi

loc_5DB751:				; CODE XREF: MiForcedTrim+9570Ej
		push	7
		mov	edx, ebx
		lea	eax, [edi+34h]
		pop	ecx

loc_5DB759:				; CODE XREF: MiForcedTrim+95728j
		add	edx, [eax]
		cmp	edx, esi
		jnb	short loc_5DB76A
		dec	ecx
		sub	eax, 4
		cmp	ecx, 1
		jnz	short loc_5DB759
		jmp	short loc_5DB76C
; 

loc_5DB76A:				; CODE XREF: MiForcedTrim+9571Fj
		mov	edx, esi

loc_5DB76C:				; CODE XREF: MiForcedTrim+9572Aj
		test	edx, edx
		jz	loc_5460CF
		cmp	[ebp+var_1], 0
		jnz	short loc_5DB788
		mov	eax, ds:dword_6D596C
		shr	eax, 1
		cmp	[ebp+var_18], eax
		sbb	eax, eax
		and	edx, eax

loc_5DB788:				; CODE XREF: MiForcedTrim+9573Aj
		test	edx, edx
		jz	loc_5460CF
		push	79h
		push	ecx
		push	[ebp+var_24]
		mov	ecx, edi
		call	MiTrimWorkingSet
		mov	ebx, eax
		mov	eax, [ebp+var_1C]
		add	[eax+504h], ebx
		jmp	loc_5460CF
; 

loc_5DB7AD:				; CODE XREF: MiForcedTrim+97j
					; MiForcedTrim+A4j
		mov	eax, ds:dword_6D5D40
		mov	ecx, edi
		mov	dl, byte ptr [ebp+var_24]
		movzx	eax, word ptr [eax+4BEh]
		push	eax
		push	5
		call	MiAgeWorkingSet
		jmp	loc_5460E8
; END OF FUNCTION CHUNK	FOR MiForcedTrim
; 
; START	OF FUNCTION CHUNK FOR MmUpdateOldWorkingSetPages

loc_5DB7CB:				; CODE XREF: MmUpdateOldWorkingSetPages+FEj
		lea	eax, [esp+240h+var_110]
		mov	[esp+240h+var_10C], 20h
		mov	[esp+240h+var_130], eax
		jmp	loc_546314
; END OF FUNCTION CHUNK	FOR MmUpdateOldWorkingSetPages
; 
; START	OF FUNCTION CHUNK FOR EtwpFailLogging

loc_5DB7E9:				; CODE XREF: EtwpFailLogging+42j
					; EtwpFailLogging+954A5j
		mov	edi, [esi-8]
		test	dword ptr [edi+0Ch], 8000000h
		jnz	short loc_5DB838
		mov	ecx, [esi-4]
		mov	eax, [edi+1Ch]
		and	eax, [ecx]
		or	eax, [edi+18h]
		mov	[ecx], eax
		mov	ecx, edi
		call	EtwpUpdateEventsLostCount
		push	offset _ETW_EVENT_LOST_EVENT
		push	ds:dword_6BC30C
		push	ds:_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_5DB838
		mov	ecx, [ebp+var_8]
		lea	eax, [edi+5Ch]
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_14]
		push	eax
		lea	ecx, [ecx+14h]
		call	_EtwpTraceLostEvent@16 ; EtwpTraceLostEvent(x,x,x,x)

loc_5DB838:				; CODE XREF: EtwpFailLogging+9542Bj
					; EtwpFailLogging+95459j
		mov	ecx, esi
		call	_EtwpReleaseTraceBuffer@4 ; EtwpReleaseTraceBuffer(x)
		cmp	[ebp+arg_18], 0
		jz	short loc_5DB85D
		mov	eax, [edi]
		xor	edx, edx
		mov	edi, [ebp+var_C]
		inc	edx
		mov	ecx, [edi+188h]
		mov	ecx, [ecx+eax*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		jmp	short loc_5DB860
; 

loc_5DB85D:				; CODE XREF: EtwpFailLogging+9547Bj
		mov	edi, [ebp+var_C]

loc_5DB860:				; CODE XREF: EtwpFailLogging+95493j
		mov	eax, [ebp+arg_8]
		inc	ebx
		add	esi, 18h
		cmp	ebx, [eax+0C0h]
		jb	loc_5DB7E9
		jmp	loc_5DB92C
; 

loc_5DB878:				; CODE XREF: EtwpFailLogging+32j
		push	[ebp+arg_4]
		mov	al, cl
		add	esi, 3
		push	[ebp+arg_0]
		dec	al
		shl	esi, 5
		and	cl, al
		add	esi, edx
		mov	[ebp+arg_C], cl
		mov	dl, ch
		mov	ecx, esi
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	loc_5DB92C
		mov	cl, [ebp+arg_18]
		movzx	esi, word ptr [esi+6]
		test	cl, cl
		jz	short loc_5DB8C3
		mov	ecx, [edi+188h]
		xor	edx, edx
		inc	edx
		mov	ecx, [ecx+esi*4]
		call	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
		test	al, al
		jz	short loc_5DB92C
		mov	cl, [ebp+arg_18]

loc_5DB8C3:				; CODE XREF: EtwpFailLogging+954E1j
		cmp	esi, [edi+8]
		jnb	short loc_5DB8D3
		mov	eax, [edi+18Ch]
		mov	ebx, [eax+esi*4]
		jmp	short loc_5DB8D6
; 

loc_5DB8D3:				; CODE XREF: EtwpFailLogging+954FEj
		xor	ebx, ebx
		inc	ebx

loc_5DB8D6:				; CODE XREF: EtwpFailLogging+95509j
		test	bl, 1
		jz	short loc_5DB8DF
		test	cl, cl
		jmp	short loc_5DB919
; 

loc_5DB8DF:				; CODE XREF: EtwpFailLogging+95511j
		mov	ecx, ebx
		call	EtwpUpdateEventsLostCount
		push	offset _ETW_EVENT_LOST_EVENT
		push	ds:dword_6BC30C
		push	ds:_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_5DB915
		push	[ebp+arg_10]
		mov	ecx, [ebp+var_8]
		lea	eax, [ebx+5Ch]
		mov	edx, [ebp+arg_14]
		add	ecx, 14h
		push	eax
		call	_EtwpTraceLostEvent@16 ; EtwpTraceLostEvent(x,x,x,x)

loc_5DB915:				; CODE XREF: EtwpFailLogging+95536j
		cmp	[ebp+arg_18], 0

loc_5DB919:				; CODE XREF: EtwpFailLogging+95515j
		jz	short loc_5DB92C
		mov	ecx, [edi+188h]
		xor	edx, edx
		inc	edx
		mov	ecx, [ecx+esi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)

loc_5DB92C:				; CODE XREF: EtwpFailLogging+954ABj
					; EtwpFailLogging+954D2j ...
		mov	edx, [ebp+var_8]
		mov	ch, [ebp+var_1]
		jmp	loc_5463F1
; END OF FUNCTION CHUNK	FOR EtwpFailLogging
; 
; START	OF FUNCTION CHUNK FOR EtwpUpdateEventsLostCount

loc_5DB937:				; CODE XREF: EtwpUpdateEventsLostCount+10j
		mov	dword ptr [ecx+160h], 1
		retn
; END OF FUNCTION CHUNK	FOR EtwpUpdateEventsLostCount
; 
; START	OF FUNCTION CHUNK FOR PfpMemoryListQuery

loc_5DB942:				; CODE XREF: PfpMemoryListQuery+2Ej
		mov	esi, 0C0000023h
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	loc_54653A
; END OF FUNCTION CHUNK	FOR PfpMemoryListQuery

;  S U B	R O U T	I N E 


sub_5DB951	proc near		; DATA XREF: .text:006A465Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5DB951	endp


;  S U B	R O U T	I N E 


sub_5DB95F	proc near		; DATA XREF: .text:006A4660o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-28h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_54653A
sub_5DB95F	endp

; 
; START	OF FUNCTION CHUNK FOR MiStoreLogWriteDisabled

loc_5DB971:				; CODE XREF: MiStoreLogWriteDisabled+35j
		push	4
		pop	ecx
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_28], eax
		xor	edx, edx
		lea	eax, [ebp+var_50]
		mov	[ebp+var_24], edx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		mov	edx, offset loc_41D2BE
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_50], edi
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		jmp	loc_546589
; END OF FUNCTION CHUNK	FOR MiStoreLogWriteDisabled
; 
; START	OF FUNCTION CHUNK FOR MiCopyOnWriteCheckConditions

loc_5DB9B6:				; CODE XREF: MiCopyOnWriteCheckConditions+227j
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DB9C9:				; CODE XREF: MiCopyOnWriteCheckConditions+160j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_54672C
; 

loc_5DB9E0:				; CODE XREF: MiCopyOnWriteCheckConditions+1EAj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_5467A6
; 

loc_5DB9EF:				; CODE XREF: MiCopyOnWriteCheckConditions+214j
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_54673F
; 

loc_5DBA01:				; CODE XREF: MiCopyOnWriteCheckConditions+22j
		cmp	edx, 0C0000017h
		jnz	loc_54675E
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_54675E
		mov	eax, large fs:124h
		test	byte ptr [eax+300h], 0Ch
		jnz	loc_54675E
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		inc	edx
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		jmp	loc_54675E
; END OF FUNCTION CHUNK	FOR MiCopyOnWriteCheckConditions
; 
; START	OF FUNCTION CHUNK FOR MiRaisedIrqlFault

loc_5DBA40:				; CODE XREF: MiRaisedIrqlFault+2Cj
		push	0Eh
		push	ecx
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		jmp	short loc_5DBA53
; 

loc_5DBA4A:				; CODE XREF: MiRaisedIrqlFault+95364j
		push	8
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	ecx

loc_5DBA53:				; CODE XREF: MiRaisedIrqlFault+9524Ej
		push	50h
		jmp	short loc_5DBA64
; 

loc_5DBA57:				; CODE XREF: MiRaisedIrqlFault+ECj
		push	0Ah
		push	dword ptr [esi+8]
		push	edi

loc_5DBA5D:				; CODE XREF: MiRaisedIrqlFault+95340j
		push	dword ptr [esi]
		push	0BEh

loc_5DBA64:				; CODE XREF: MiRaisedIrqlFault+9525Bj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DBA69:				; CODE XREF: MiRaisedIrqlFault+39j
		cmp	byte ptr [eax],	1
		jz	loc_5DBB04
		test	edi, edi
		jz	loc_546839
		mov	al, [eax]
		cmp	al, 3
		jz	loc_5DBB04
		cmp	al, 6
		jmp	loc_546842
; 

loc_5DBA8B:				; CODE XREF: MiRaisedIrqlFault+60j
		push	offset unk_6D2F80
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	edi, ds:dword_6D2F88
		mov	[ebp+var_1], al
		test	edi, edi
		jz	short loc_5DBAD7
		mov	eax, [ebp+var_8]

loc_5DBAA5:				; CODE XREF: MiRaisedIrqlFault+952BBj
		cmp	eax, [edi+0Ch]
		ja	short loc_5DBAB0
		jnb	short loc_5DBAB7
		mov	edi, [edi]
		jmp	short loc_5DBAB3
; 

loc_5DBAB0:				; CODE XREF: MiRaisedIrqlFault+952AEj
		mov	edi, [edi+4]

loc_5DBAB3:				; CODE XREF: MiRaisedIrqlFault+952B4j
		test	edi, edi
		jnz	short loc_5DBAA5

loc_5DBAB7:				; CODE XREF: MiRaisedIrqlFault+952B0j
		test	edi, edi
		jz	short loc_5DBAD7
		mov	eax, [edi+14h]
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		sub	ebx, 40000000h
		sub	eax, ebx
		neg	eax
		sbb	eax, eax
		not	eax
		and	edi, eax

loc_5DBAD7:				; CODE XREF: MiRaisedIrqlFault+952A6j
					; MiRaisedIrqlFault+952BFj
		push	offset unk_6D2F80
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jnz	short loc_5DBB04
		mov	ebx, [esi]
		jmp	loc_546860
; 

loc_5DBAF5:				; CODE XREF: MiRaisedIrqlFault+88j
					; MiRaisedIrqlFault+CCj ...
		mov	ecx, esi
		call	_MiGenerateAccessViolation@4 ; MiGenerateAccessViolation(x)
		test	eax, eax
		jz	loc_54693B

loc_5DBB04:				; CODE XREF: MiRaisedIrqlFault+22j
					; MiRaisedIrqlFault:loc_546842j ...
		mov	eax, 0C0000005h
		jmp	loc_546936
; 

loc_5DBB0E:				; CODE XREF: MiRaisedIrqlFault+11Fj
		test	byte ptr [eax],	1
		jz	loc_54691F
		test	byte ptr [eax+17h], 8
		jz	short loc_5DBAF5
		jmp	loc_54691F
; 

loc_5DBB22:				; CODE XREF: MiRaisedIrqlFault+98j
		test	byte ptr [esi+4], 2
		jz	short loc_5DBB3F
		mov	eax, ecx
		and	eax, 800h
		or	eax, 0
		jnz	short loc_5DBB3F
		push	0Fh
		push	dword ptr [esi+8]
		push	ecx
		jmp	loc_5DBA5D
; 

loc_5DBB3F:				; CODE XREF: MiRaisedIrqlFault+9532Cj
					; MiRaisedIrqlFault+95338j
		push	ebx
		push	ecx
		push	3
		pop	edx
		mov	ecx, esi
		call	MiCheckSystemNxFault
		mov	ecx, [esi]
		lea	eax, [ecx+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	loc_546934
		jmp	loc_5DBA4A
; END OF FUNCTION CHUNK	FOR MiRaisedIrqlFault
; 
; START	OF FUNCTION CHUNK FOR PfpReturnAccessBuffer

loc_5DBB63:				; CODE XREF: PfpReturnAccessBuffer+24j
		push	64h
		pop	eax
		mov	ecx, offset unk_6D4480
		lock xadd [ecx], eax
		xor	esi, esi
		jmp	loc_546984
; END OF FUNCTION CHUNK	FOR PfpReturnAccessBuffer
; 
; START	OF FUNCTION CHUNK FOR MiMapLockedPagesInUserSpaceHelper

loc_5DBB76:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+52j
		xor	esi, esi
		jmp	loc_546A21
; 

loc_5DBB7D:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+81j
		imul	ecx, [eax], 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	edx, [ecx+8]
		mov	eax, [ecx+0Ch]
		shrd	edx, eax, 5
		mov	al, [ecx+16h]
		and	edx, 7
		shr	al, 6
		mov	[ebp+arg_10], edx
		cmp	al, 2
		jnz	short loc_5DBBA5
		or	edx, 18h
		jmp	short loc_5DBBAC
; 

loc_5DBBA5:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+951EAj
		test	al, al
		jnz	short loc_5DBBAF
		or	edx, 8

loc_5DBBAC:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+951EFj
		mov	[ebp+arg_10], edx

loc_5DBBAF:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+951F3j
		add	[ebp+arg_0], 4
		jmp	loc_546A3B
; 

loc_5DBBB8:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+115j
		mov	ecx, [ebp+arg_4]
		mov	edx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	loc_546A3F
; 

loc_5DBBC7:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+CCj
		mov	ecx, [ebp+arg_4]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_5DBBEB
		mov	edx, ebx
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jnz	short loc_5DBBEB
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	loc_546A86

loc_5DBBEB:				; CODE XREF: MiMapLockedPagesInUserSpaceHelper+9521Dj
					; MiMapLockedPagesInUserSpaceHelper+95228j
		mov	ecx, [ebp+arg_4]
		mov	edx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+arg_C]
		mov	ecx, [ebp+arg_4]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+arg_4]
		xor	ebx, ebx
		call	MiLockWorkingSetShared
		jmp	loc_546A86
; END OF FUNCTION CHUNK	FOR MiMapLockedPagesInUserSpaceHelper
; 
; START	OF FUNCTION CHUNK FOR PpmMediaBufferingWorker

loc_5DBC0F:				; CODE XREF: PpmMediaBufferingWorker+4Aj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_546B7D
; 

loc_5DBC1E:				; CODE XREF: PpmMediaBufferingWorker+85j
		xor	eax, eax
		mov	[ebp+var_C], 4
		test	bl, bl
		setnz	al
		xor	ecx, ecx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	1
		push	ecx
		push	offset _PPM_ETW_MEDIA_BUFFERING_NOTIFY
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_546BB3
; 

loc_5DBC55:				; CODE XREF: PpmMediaBufferingWorker+BBj
		mov	cl, bl
		mov	ds:_PpmPdcMediaEngaged,	bl
		call	_PpmPdcNotifyMediaBufferingUpdate@4 ; PpmPdcNotifyMediaBufferingUpdate(x)
		jmp	loc_546B42
; 

loc_5DBC67:				; CODE XREF: PpmMediaBufferingWorker+D0j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_546C03
; END OF FUNCTION CHUNK	FOR PpmMediaBufferingWorker
; 
; START	OF FUNCTION CHUNK FOR KeUpdateThreadTag

loc_5DBC76:				; CODE XREF: KeUpdateThreadTag+32j
					; KeUpdateThreadTag+95052j
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5DBC76
		jmp	loc_546C5D
; 

loc_5DBC89:				; CODE XREF: KeUpdateThreadTag+4Bj
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_8]
		call	KiAcquireThreadStateLock
		cmp	al, 2
		jz	short loc_5DBCBA
		mov	al, [esi+55h]
		test	al, al
		jnz	short loc_5DBCBA
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_5DBCB0
		lock btr dword ptr [esi], 14h
		jmp	short loc_5DBCB5
; 

loc_5DBCB0:				; CODE XREF: KeUpdateThreadTag+95077j
		lock bts dword ptr [esi], 14h

loc_5DBCB5:				; CODE XREF: KeUpdateThreadTag+9507Ej
		mov	[esi+60h], cl
		jmp	short loc_5DBD0C
; 

loc_5DBCBA:				; CODE XREF: KeUpdateThreadTag+95069j
					; KeUpdateThreadTag+95070j
		mov	ecx, [esi+148h]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_14], edi
		mov	word ptr [ebp+var_18], ax
		and	ecx, 7FFFFFFFh
		mov	word ptr [ebp+var_18+2], ax
		xor	eax, eax
		bts	eax, ecx
		mov	[ebp+var_10], eax
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		push	edi
		lea	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	eax
		push	esi
		push	offset _KiIpiUpdateThreadTag@16	; KiIpiUpdateThreadTag(x,x,x,x)
		lea	edx, [ebp+var_18]
		call	_KiIpiSendPacket@24 ; KiIpiSendPacket(x,x,x,x,x,x)
		mov	ecx, large fs:20h
		jmp	short loc_5DBD02
; 

loc_5DBD00:				; CODE XREF: KeUpdateThreadTag+950DAj
		pause

loc_5DBD02:				; CODE XREF: KeUpdateThreadTag+950CEj
		mov	eax, [ecx+2120h]
		test	eax, eax
		jnz	short loc_5DBD00

loc_5DBD0C:				; CODE XREF: KeUpdateThreadTag+95088j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_5DBD1D
		xor	ecx, ecx
		add	eax, 2224h
		lock and [eax],	ecx

loc_5DBD1D:				; CODE XREF: KeUpdateThreadTag+950E1j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	loc_546CB3
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	loc_546CB3
; END OF FUNCTION CHUNK	FOR KeUpdateThreadTag
; 
; START	OF FUNCTION CHUNK FOR ExHandleLogBadReference

loc_5DBD32:				; CODE XREF: ExHandleLogBadReference+10j
		cmp	dword ptr [esi+54h], 0
		jz	short loc_5DBD47
		mov	edx, large fs:124h
		push	3
		push	edi
		call	_ExpUpdateDebugInfo@16 ; ExpUpdateDebugInfo(x,x,x,x)

loc_5DBD47:				; CODE XREF: ExHandleLogBadReference+9506Aj
		cmp	[ebp+arg_0], 1
		jnz	short loc_5DBDAB
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		test	al, al
		jnz	loc_546CE2
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	esi, [eax+18Ch]
		jnz	loc_546CE2
		test	ds:_NtGlobalFlag, 100h
		jz	short loc_5DBD9C
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		push	edi		; char
		push	offset ??_C@_0CI@PPHKMJLE@AVRF?3?5Invalid?5handle?5?$CFp?5in?5proc@FNODOBFM@ ; char *
		push	0		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 14h

loc_5DBD9C:				; CODE XREF: ExHandleLogBadReference+950B0j
		push	0C0000008h
		call	_KeRaiseUserException@4	; KeRaiseUserException(x)
		jmp	loc_546CE2
; 

loc_5DBDAB:				; CODE XREF: ExHandleLogBadReference+9507Fj
		test	ds:_NtGlobalFlag, 40000000h
		jz	loc_546CE2
		push	1
		push	0
		push	esi
		push	edi
		push	93h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5DBDCC:				; CODE XREF: MiStoreLogWriteCompleteFailure+34j
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_3C], edi
		mov	[ebp+var_18], eax
		mov	edx, offset loc_41D454
		lea	eax, [ebp+var_38]
		mov	[ebp+var_14], ebx
		push	eax
		push	3
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	ebx
		mov	ecx, esi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		jmp	loc_546D24
; END OF FUNCTION CHUNK	FOR ExHandleLogBadReference
; 
; START	OF FUNCTION CHUNK FOR PoNotifyMediaBuffering

loc_5DBDFF:				; CODE XREF: PoNotifyMediaBuffering+40j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	cl, [ebp+var_1]
		jmp	loc_546DCD
; END OF FUNCTION CHUNK	FOR PoNotifyMediaBuffering
; 
; START	OF FUNCTION CHUNK FOR MiFaultInPagedPool

loc_5DBE11:				; CODE XREF: MiFaultInPagedPool+61j
		push	4
		push	0FFFFFFFFh
		mov	ecx, ebx
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		jmp	loc_546ED7
; END OF FUNCTION CHUNK	FOR MiFaultInPagedPool
; 
; START	OF FUNCTION CHUNK FOR KeQueryAffinityThread

loc_5DBE21:				; CODE XREF: KeQueryAffinityThread+2Cj
					; KeQueryAffinityThread+94E97j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5DBE21
		jmp	loc_546FBD
; END OF FUNCTION CHUNK	FOR KeQueryAffinityThread
; 
; START	OF FUNCTION CHUNK FOR PopGetDozeTimerSource

loc_5DBE34:				; CODE XREF: PopGetDozeTimerSource+2Ej
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_547055
; END OF FUNCTION CHUNK	FOR PopGetDozeTimerSource
; 
; START	OF FUNCTION CHUNK FOR MiIsPfnLocked

loc_5DBE43:				; CODE XREF: MiIsPfnLocked+16j
		mov	edx, [ecx+18h]
		mov	eax, edx
		and	eax, offset loc_7FFFFF
		cmp	eax, 7FFFFDh
		jz	loc_547088
		and	edx, 70000000h
		cmp	edx, 10000000h
		jz	loc_547088
		cmp	si, di
		ja	loc_547088
		test	byte ptr [ecx],	1
		jz	loc_547088
		call	_MiPfnIsNonPagedPool@4 ; MiPfnIsNonPagedPool(x)
		test	eax, eax
		jnz	loc_547088
		jmp	loc_54708A
; END OF FUNCTION CHUNK	FOR MiIsPfnLocked
; 
; START	OF FUNCTION CHUNK FOR CcIncrementWriteBehindPriority

loc_5DBE8E:				; CODE XREF: CcIncrementWriteBehindPriority+20j
		test	al, 1
		jnz	loc_5470B4
		and	[ebp+var_C], esi
		lea	eax, [edi+80h]
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_8], eax
		jz	short loc_5DBEB7
		mov	edx, eax
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5DBEC8
; 

loc_5DBEB7:				; CODE XREF: CcIncrementWriteBehindPriority+94E1Bj
		lea	edx, [ebp+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_5DBEC8
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5DBEC8:				; CODE XREF: CcIncrementWriteBehindPriority+94E27j
					; CcIncrementWriteBehindPriority+94E30j
		mov	ecx, [ebx+160h]
		test	ecx, ecx
		jnz	short loc_5DBF21
		test	ds:byte_70EFC6,	1
		jz	short loc_5DBEEB
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5470B4
; 

loc_5DBEEB:				; CODE XREF: CcIncrementWriteBehindPriority+94E4Bj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5DBF0E
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	loc_5470B4
		call	KxWaitForLockChainValid

loc_5DBF0E:				; CODE XREF: CcIncrementWriteBehindPriority+94E62j
		xor	ebx, ebx
		xor	ecx, ecx
		mov	[ebp+var_C], ebx
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_5470B4
; 

loc_5DBF21:				; CODE XREF: CcIncrementWriteBehindPriority+94E42j
		xor	edx, edx
		mov	eax, ecx
		inc	edx
		or	eax, edx
		mov	[ebx+160h], eax
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jnz	loc_5DC015
		cmp	[eax], ecx
		jnz	loc_5DC015
		mov	[eax], edx
		xor	ebx, ebx
		mov	[edx+4], eax
		lea	eax, [edi+94h]
		mov	[ecx+4], ebx
		mov	[ecx], ebx
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_5DC015
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		cmp	[edi+0DCh], bl
		jnz	short loc_5DBFB7
		lea	eax, [edi+8Ch]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_5DBFB7
		mov	esi, ecx
		mov	ecx, [esi]
		cmp	[esi+4], eax
		jnz	loc_5DC015
		cmp	[ecx+4], esi
		jnz	loc_5DC015
		mov	[eax], ecx
		mov	[ecx+4], eax
		xor	ecx, ecx
		inc	dword ptr [edi+88h]
		inc	ecx
		mov	eax, ecx
		lock xadd [edi+28Ch], eax
		inc	eax
		cmp	eax, ecx
		jg	short loc_5DBFB7
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5DBFB7:				; CODE XREF: CcIncrementWriteBehindPriority+94EE3j
					; CcIncrementWriteBehindPriority+94EEFj ...
		test	ds:byte_70EFC6,	1
		jz	short loc_5DBFCD
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5DBFF8
; 

loc_5DBFCD:				; CODE XREF: CcIncrementWriteBehindPriority+94F30j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5DBFEC
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5DBFF8
		call	KxWaitForLockChainValid

loc_5DBFEC:				; CODE XREF: CcIncrementWriteBehindPriority+94F44j
		xor	ecx, ecx
		mov	[ebp+var_C], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5DBFF8:				; CODE XREF: CcIncrementWriteBehindPriority+94F3Dj
					; CcIncrementWriteBehindPriority+94F57j
		test	esi, esi
		jz	loc_5470B4
		mov	[esi], ebx
		xor	edx, edx
		push	dword ptr [edi+4]
		mov	ecx, esi
		push	0FFFFFFFFh
		call	ExQueueWorkItemToPartition
		jmp	loc_5470B4
; 

loc_5DC015:				; CODE XREF: CcIncrementWriteBehindPriority+94EA8j
					; CcIncrementWriteBehindPriority+94EB0j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5DC01A:				; CODE XREF: MmFreePagesFromMdlEx+Fj
					; MmFreePagesFromMdlEx+1Cj
		push	dword ptr [eax+14h]
		push	[ebp+arg_4]
		push	eax
		push	1302h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5DC02E:				; CODE XREF: RtlCompressBufferXpressHuff+15j
		mov	edx, 100h
		cmp	cx, dx
		jnz	short loc_5DC057
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		push	edx		; int
		push	0		; int
		push	0		; int
		push	eax		; void *
		push	[ebp+arg_18]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		call	_RtlCompressBufferXpressHuffMax@36 ; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)
		jmp	loc_547135
; 

loc_5DC057:				; CODE XREF: CcIncrementWriteBehindPriority+94FA8j
		mov	eax, 0C00000BBh
		jmp	loc_547135
; END OF FUNCTION CHUNK	FOR CcIncrementWriteBehindPriority
; 
; START	OF FUNCTION CHUNK FOR RtlCompressBufferXpressHuffStandard

loc_5DC061:				; CODE XREF: RtlCompressBufferXpressHuffStandard+54j
		mov	ecx, [ebp+arg_18]
		cmp	ecx, edx
		jbe	loc_54719F
		jmp	loc_54719A
; 

loc_5DC071:				; CODE XREF: RtlCompressBufferXpressHuffStandard+48Aj
		mov	eax, [ebp+var_4]
		jmp	loc_5475DD
; 

loc_5DC079:				; CODE XREF: RtlCompressBufferXpressHuffStandard+4D5j
		push	esi
		mov	edx, eax
		lea	ecx, [ebp+var_54]
		call	_RtlpMakeXpressCallback@12 ; RtlpMakeXpressCallback(x,x,x)
		mov	[ebp+var_8], eax
		jmp	loc_547240
; 

loc_5DC08C:				; CODE XREF: RtlCompressBufferXpressHuffStandard+688j
		xor	eax, eax
		mov	[edi], ax
		mov	edi, ebx
		mov	eax, [ebp+arg_14]
		mov	[edi], eax
		add	edi, 4
		mov	eax, 7
		jmp	loc_5476E8
; 

loc_5DC0A5:				; CODE XREF: RtlCompressBufferXpressHuffStandard+339j
		push	esi
		mov	edx, eax
		lea	ecx, [ebp+var_54]
		call	_RtlpMakeXpressCallback@12 ; RtlpMakeXpressCallback(x,x,x)
		mov	[ebp+var_8], eax
		jmp	loc_547240
; 

loc_5DC0B8:				; CODE XREF: RtlCompressBufferXpressHuffStandard+369j
		mov	[ebp+arg_4], 0
		jmp	loc_5474BC
; END OF FUNCTION CHUNK	FOR RtlCompressBufferXpressHuffStandard
; 
; START	OF FUNCTION CHUNK FOR XpressBuildHuffmanEncodings

loc_5DC0C4:				; CODE XREF: XpressBuildHuffmanEncodings+B0j
		lea	eax, [ebx+800h]
		cmp	esi, eax
		jnz	short loc_5DC0D5
		xor	eax, eax
		jmp	loc_547B2F
; 

loc_5DC0D5:				; CODE XREF: XpressBuildHuffmanEncodings+9489Cj
		mov	esi, [ebx+808h]
		mov	edx, esi
		and	dl, 1
		mov	ecx, esi
		neg	dl
		sbb	dl, dl
		and	dl, 0Fh
		inc	dl
		shr	ecx, 1
		mov	[ecx+ebx+4A10h], dl
		mov	dword ptr [ebx+esi*4], 1
		mov	eax, [eax]
		jmp	loc_547B2F
; 

loc_5DC102:				; CODE XREF: XpressBuildHuffmanEncodings+29Dj
		mov	edi, [ebp+var_18]
		mov	ecx, edi
		mov	eax, [ebp+var_1C]
		cmp	ecx, esi
		jnb	loc_5479C2

loc_5DC112:				; CODE XREF: XpressBuildHuffmanEncodings+948F5j
		mov	eax, [ecx]
		inc	eax
		mov	dword ptr [ecx+4], 0
		shr	eax, 1
		mov	[ecx], eax
		add	ecx, 0Ch
		cmp	ecx, esi
		jb	short loc_5DC112
		mov	eax, [ebp+var_1C]
		jmp	loc_5479C2
; END OF FUNCTION CHUNK	FOR XpressBuildHuffmanEncodings
; 
; START	OF FUNCTION CHUNK FOR XpressDoHuffmanPass

loc_5DC12F:				; CODE XREF: XpressDoHuffmanPass+236j
		mov	edx, [ebp+var_4]
		movzx	ecx, byte ptr [ebx]
		mov	[edx], cl
		movzx	ecx, byte ptr [ebx+1]
		mov	[edx+1], cl
		movzx	ecx, byte ptr [ebx+2]
		mov	[edx+2], cl
		movzx	ecx, byte ptr [ebx+3]
		mov	[edx+3], cl
		add	edx, 4
		mov	[ebp+var_4], edx
		add	ebx, 4
		jmp	loc_547CD6
; END OF FUNCTION CHUNK	FOR XpressDoHuffmanPass
; 
; START	OF FUNCTION CHUNK FOR RtlDecompressBufferXpressLz

loc_5DC15A:				; CODE XREF: RtlDecompressBufferXpressLz+33Fj
		lea	ecx, [ebx+3]
		cmp	ecx, esi
		jnb	loc_54841D
		mov	ecx, [ebx]
		add	ebx, 4
		mov	[ebp+arg_8], ecx
		jmp	loc_5483C5
; 

loc_5DC172:				; CODE XREF: RtlDecompressBufferXpressLz+267j
		cmp	edx, [ebp+var_4]
		jb	loc_54841D
		jmp	loc_548387
; END OF FUNCTION CHUNK	FOR RtlDecompressBufferXpressLz
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmLazyRegionsWorker

loc_5DC180:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+23Fj
		cmp	dword ptr [edx], 0
		jnz	loc_548D72
		add	esi, 20h
		add	edx, 4
		cmp	esi, 0FFFFFFFFh
		jnb	loc_548D91
		jmp	loc_548ED3
; 

loc_5DC19D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+100j
		or	esi, 0FFFFFFFFh
		jmp	loc_548D9C
; 

loc_5DC1A5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+131j
		cmp	[ebp+arg_0], 0
		jz	loc_548DCD
		mov	ecx, [esi+1C0h]
		xor	al, al
		cmp	al, [ecx+10F6h]
		sbb	edx, edx
		inc	edx
		call	SmWorkQueueGetDepth
		test	eax, eax
		jz	loc_548DCD
		xor	ebx, ebx
		inc	ebx
		mov	edi, ebx
		mov	edx, ebx
		jmp	loc_548E9A
; 

loc_5DC1D9:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+185j
		mov	edi, [ecx+1184h]
		xor	edx, edx
		mov	esi, [edi+ebx*4]
		and	esi, 0FFFFFFF8h
		mov	ecx, esi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi+ebx*4], 0
		xor	edi, edi
		mov	esi, [ebp+var_4]
		mov	eax, edi
		jmp	loc_548E2F
; 

loc_5DC206:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+19Bj
					; ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+253j
		xor	edx, edx
		inc	edx
		mov	[ebp+var_8], edx
		jmp	loc_548E52
; 

loc_5DC211:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+1F7j
		test	byte ptr [ecx+10F5h], 4
		mov	edx, ebx
		push	8
		push	ecx
		push	edi
		jz	short loc_5DC22A
		call	?SmStMapVirtualRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapVirtualRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,ulong)
		jmp	loc_548EE0
; 

loc_5DC22A:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+93588j
		call	?SmStMapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z ; SMKM_STORE<SM_TRAITS>::SmStMapPhysicalRegion(SMKM_STORE<SM_TRAITS>	*,ulong,ulong,ulong,ulong)
		jmp	loc_548EE0
; 

loc_5DC234:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+212j
					; ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+21Aj
		test	edi, edi
		jz	short loc_5DC23C
		or	[ecx+0Ah], bx

loc_5DC23C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmLazyRegionsWorker+935A0j
		test	ax, ax
		jnz	loc_548EB6
		mov	edx, ecx
		mov	ecx, esi
		call	?StDmLazyWorkItemQueue@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StDmLazyWorkItemQueue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)
		jmp	loc_548EB6
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmLazyRegionsWorker
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup

loc_5DC253:				; CODE XREF: ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup+3Aj
		test	esi, esi
		jz	short loc_5DC294
		push	20h
		pop	edx
		sub	edx, esi
		mov	eax, edi
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, esi
		dec	eax
		shl	eax, cl
		not	eax
		lock and [ebx],	eax
		sub	edi, edx
		add	ebx, 4
		cmp	edi, 20h
		jb	short loc_5DC28C
		mov	eax, edi
		shr	eax, 5

loc_5DC27B:				; CODE XREF: ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup+9339Cj
		mov	dword ptr [ebx], 0
		sub	edi, 20h
		add	ebx, 4
		sub	eax, 1
		jnz	short loc_5DC27B

loc_5DC28C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup+93386j
		test	edi, edi
		jz	loc_548F35

loc_5DC294:				; CODE XREF: ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup+93367j
		or	eax, 0FFFFFFFFh
		mov	ecx, edi
		shl	eax, cl
		lock and [ebx],	eax
		jmp	loc_548F35
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmUpdateRegionLazyCleanup

;  S U B	R O U T	I N E 


sub_5DC2A3	proc near		; DATA XREF: .text:006A472Co
		push	3
		mov	edx, [ebp-14h]
		mov	ecx, [ebp-1Ch]
		call	?SmStUnhandledExceptionFilter@?$SMKM_STORE@USM_TRAITS@@@@SGJPAXPAU_EXCEPTION_POINTERS@@W4_SMST_STORE_EXCEPTION_SOURCE@1@@Z ; SMKM_STORE<SM_TRAITS>::SmStUnhandledExceptionFilter(void *,_EXCEPTION_POINTERS *,SMKM_STORE<SM_TRAITS>::_SMST_STORE_EXCEPTION_SOURCE)
		retn
sub_5DC2A3	endp


;  S U B	R O U T	I N E 


sub_5DC2B1	proc near		; DATA XREF: .text:006A4730o
		mov	esp, [ebp-18h]
		jmp	loc_548FC5
sub_5DC2B1	endp


;  S U B	R O U T	I N E 


sub_5DC2B9	proc near		; DATA XREF: .text:006A474Co
		push	2
		mov	edx, [ebp-14h]
		mov	ecx, [ebp-1Ch]
		call	?SmStUnhandledExceptionFilter@?$SMKM_STORE@USM_TRAITS@@@@SGJPAXPAU_EXCEPTION_POINTERS@@W4_SMST_STORE_EXCEPTION_SOURCE@1@@Z ; SMKM_STORE<SM_TRAITS>::SmStUnhandledExceptionFilter(void *,_EXCEPTION_POINTERS *,SMKM_STORE<SM_TRAITS>::_SMST_STORE_EXCEPTION_SOURCE)
		retn
sub_5DC2B9	endp


;  S U B	R O U T	I N E 


sub_5DC2C7	proc near		; DATA XREF: .text:006A4750o
		mov	esp, [ebp-18h]
		jmp	loc_549053
sub_5DC2C7	endp

; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmPageRetrieve

loc_5DC2CF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+BFj
					; ST_STORE_SM_TRAITS___StDmPageRetrieve+93228j
		lea	eax, [ebp+var_20]
		cmp	edi, eax
		jz	short loc_5DC32C
		mov	edx, [ebp+var_20]
		mov	eax, [edx]
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_20], eax
		cmp	edx, edi
		jnz	short loc_5DC2F1
		and	[ebp+var_20], 0
		lea	eax, [ebp+var_20]
		mov	[ebp+var_1C], eax
		jmp	short loc_5DC306
; 

loc_5DC2F1:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+931E1j
		mov	ecx, [edi]
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		lea	eax, ds:0FFFFFFF8h[eax*8]
		or	eax, ecx
		mov	[edi], eax

loc_5DC306:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+931EDj
		test	byte ptr [edx+10h], 1
		jnz	short loc_5DC31F
		or	dword ptr [edx+10h], 1
		mov	eax, [edx+8]
		test	eax, eax
		jz	short loc_5DC31C
		mov	[eax+4], esi
		jmp	short loc_5DC31F
; 

loc_5DC31C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+93213j
		mov	[edx+4], esi

loc_5DC31F:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+93208j
					; ST_STORE_SM_TRAITS___StDmPageRetrieve+93218j
		mov	ecx, [ebp+var_28]
		call	?StDmDeviceIoCompletion@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)
		mov	edi, [ebp+var_1C]
		jmp	short loc_5DC2CF
; 

loc_5DC32C:				; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRetrieve+931D2j
		mov	esi, 103h
		jmp	loc_5491C7
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmPageRetrieve
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve

loc_5DC336:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+29j
		mov	eax, [ebp+arg_0]
		mov	edi, [eax+8]
		jmp	loc_549233
; 

loc_5DC341:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+B8j
		mov	eax, [ebx+234h]
		cmp	dword ptr [eax+0Ch], 0
		jz	loc_5492AE
		mov	eax, [edi+0Ch]
		mov	[ecx+8], eax
		movzx	eax, word ptr [edi+6]
		mov	[ecx+0Ch], eax
		jmp	loc_5492AE
; 

loc_5DC363:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+CFj
		test	al, al
		jnz	short loc_5DC376
		mov	eax, [ebx+240h]
		movzx	ecx, word ptr [eax+edx*2]
		shr	ecx, 0Dh
		jmp	short loc_5DC378
; 

loc_5DC376:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+9317Bj
		xor	ecx, ecx

loc_5DC378:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+9318Aj
		imul	eax, ecx, 0Ch
		cmp	edx, [eax+ebx+2B4h]
		jz	loc_5492C2
		jmp	loc_5492BF
; 

loc_5DC38D:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+105j
		lea	edi, [eax-1]
		neg	edi
		sbb	edi, edi
		and	edi, 40000104h
		add	edi, 8000000Eh
		jmp	loc_549345
; 

loc_5DC3A5:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve+E1j
		imul	eax, ecx, 0Ch
		mov	eax, [eax+ebx+2BCh]
		add	eax, edi
		jmp	loc_5492F5
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmSinglePageTransfer

loc_5DC3B6:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageTransfer+2Dj
		push	40000010h
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	1
		push	ecx
		push	eax
		call	MmMapLockedPagesSpecifyCache
		mov	ecx, eax
		jmp	loc_5493DC
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmSinglePageTransfer
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmSinglePageCopy

loc_5DC3CF:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+9Cj
		mov	eax, [ebp+var_2C]
		add	eax, [ebp+var_44]
		push	eax		; size_t
		push	[ebp+var_14]	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_14], edi
		mov	ebx, edi
		jmp	loc_54958E
; 

loc_5DC3EC:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+AAj
		mov	eax, [ebp+var_2C]
		push	eax		; size_t
		push	ebx		; void *
		push	dword ptr [edx+41Ch] ; void *
		call	_memcpy
		mov	eax, [ebp+var_1C]
		add	esp, 0Ch
		mov	ebx, [eax+41Ch]
		mov	eax, [eax+234h]
		mov	[ebp+var_18], ebx
		mov	[ebp+var_30], eax
		jmp	loc_5494DA
; 

loc_5DC419:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+B3j
		mov	ecx, [ebp+var_28]
		mov	edx, ebx
		push	ecx
		push	[ebp+var_14]
		movzx	eax, word ptr [ecx+4]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_C], eax
		mov	eax, [ecx+0Ch]
		push	ecx
		mov	ecx, [ebp+var_30]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_2C]
		push	ebx
		call	_SmCrAuthDecrypt@32 ; SmCrAuthDecrypt(x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	loc_5494E3
		mov	esi, [ebp+var_18]
		mov	ebx, 0C000028Bh
		mov	ecx, [ebp+var_1C]
		mov	edx, esi
		push	ebx
		push	[ebp+var_24]
		push	[ebp+var_28]
		push	[ebp+var_20]
		call	?StDmPageError@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@PAD1PAU_ST_PAGE_LOCATION@1@PAU_STDM_READ_CONTEXT@1@J@Z ; ST_STORE<SM_TRAITS>::StDmPageError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *,long)
		mov	[ebp+var_14], edi
		jmp	loc_549591
; 

loc_5DC472:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+DAj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		jmp	loc_549532
; 

loc_5DC48E:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+142j
					; ST_STORE_SM_TRAITS___StDmSinglePageCopy+150j
		mov	edi, esi
		mov	[ebp+var_14], 1
		mov	ebx, 0C00002C4h
		and	edi, 2
		jmp	loc_54958E
; 

loc_5DC4A4:				; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+19Dj
		push	ebx
		push	eax
		push	[ebp+var_28]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+var_20]
		call	?StDmPageError@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@PAD1PAU_ST_PAGE_LOCATION@1@PAU_STDM_READ_CONTEXT@1@J@Z ; ST_STORE<SM_TRAITS>::StDmPageError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *,long)
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	ebx, eax
		jmp	loc_5495CD
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmSinglePageCopy
; 
; START	OF FUNCTION CHUNK FOR ST_STORE_SM_TRAITS___StDmpSinglePageLookup

loc_5DC4C7:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageLookup+38j
		mov	eax, 0C0000006h
		jmp	loc_549670
; 

loc_5DC4D1:				; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageLookup+40j
					; ST_STORE_SM_TRAITS___StDmpSinglePageLookup+4Ej
		mov	eax, 0C0000225h
		jmp	loc_549670
; END OF FUNCTION CHUNK	FOR ST_STORE_SM_TRAITS___StDmpSinglePageLookup
; 
; START	OF FUNCTION CHUNK FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDescendToSibling

loc_5DC4DB:				; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDescendToSibling+37j
		mov	edx, [ecx]
		lea	ecx, [edx+4]
		lea	esi, [edx+8]
		jmp	loc_5498B5
; END OF FUNCTION CHUNK	FOR B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDescendToSibling
; 
; START	OF FUNCTION CHUNK FOR MiPaeAllocatePage

loc_5DC4E8:				; CODE XREF: MiPaeAllocatePage+ADj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5499AD
; 

loc_5DC4F8:				; CODE XREF: MiPaeAllocatePage+CFj
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid

loc_5DC500:				; CODE XREF: MiPaeAllocatePage+B8j
		xor	esi, esi
		mov	[ebp+var_10], 0
		lea	ecx, [eax+4]
		inc	esi
		lock xor [ecx],	esi
		jmp	loc_5499B0
; END OF FUNCTION CHUNK	FOR MiPaeAllocatePage
; 
; START	OF FUNCTION CHUNK FOR IopLoadDriverImage

loc_5DC515:				; CODE XREF: IopLoadDriverImage+93j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_5DC51C:				; CODE XREF: IopLoadDriverImage+2Aj
		mov	eax, 0C000000Dh
		jmp	loc_549B79
; 

loc_5DC526:				; CODE XREF: IopLoadDriverImage+5Ej
		mov	eax, 0C0000061h
		jmp	loc_549B79
; 

loc_5DC530:				; CODE XREF: IopLoadDriverImage+7Bj
		mov	esi, eax
		jmp	loc_549AC1
; 

loc_5DC537:				; CODE XREF: IopLoadDriverImage+ACj
					; IopLoadDriverImage+B4j
		mov	[eax], bl
		jmp	loc_549AFA
; END OF FUNCTION CHUNK	FOR IopLoadDriverImage

;  S U B	R O U T	I N E 


sub_5DC53E	proc near		; DATA XREF: .text:006A476Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5DC53E	endp


;  S U B	R O U T	I N E 


sub_5DC54C	proc near		; DATA XREF: .text:006A4770o
		mov	esp, [ebp-18h]
		cmp	dword ptr [ebp-1Ch], 0
		jz	short loc_5DC55F
		push	0
		push	dword ptr [ebp-1Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5DC55F:				; CODE XREF: sub_5DC54C+7j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_549B79
sub_5DC54C	endp

; 
; START	OF FUNCTION CHUNK FOR sub_549BAA

loc_5DC56E:				; CODE XREF: sub_549BAA+7j
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_5DC587
		test	byte ptr ds:dword_6FDE00, 6
		jz	loc_549BB7

loc_5DC587:				; CODE XREF: sub_549BAA+929CEj
		mov	eax, ds:_MmVerifierData
		and	eax, 10h
		or	eax, 40h
		shr	eax, 1
		push	eax
		push	20206F49h
		push	edx
		push	1
		call	ExAllocatePoolWithTagPriority
		test	eax, eax
		jnz	locret_549BC4
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

loc_5DC5B5:				; CODE XREF: MiUnlockDriverMappings+1B9j
		push	0
		push	dword ptr [ebp-8]
		push	offset dword_6CF57C
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DC5CA:				; CODE XREF: MiUnlockDriverMappings+F2j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp-14h]
		jmp	loc_549CCE
; END OF FUNCTION CHUNK	FOR sub_549BAA
; 
; START	OF FUNCTION CHUNK FOR MiUnlockDriverMappings

loc_5DC5E1:				; CODE XREF: MiUnlockDriverMappings+17Cj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_549D48
; 

loc_5DC5F0:				; CODE XREF: MiUnlockDriverMappings+1A6j
		push	[ebp+var_14]
		mov	edx, offset dword_6CF57C
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_549CE1
; END OF FUNCTION CHUNK	FOR MiUnlockDriverMappings
; 
; START	OF FUNCTION CHUNK FOR IopInterlockedRemoveHeadList

loc_5DC604:				; CODE XREF: IopInterlockedRemoveHeadList+2Fj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_549E64
; 

loc_5DC613:				; CODE XREF: IopInterlockedRemoveHeadList+4Cj
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5DC61A:				; CODE XREF: IopInterlockedRemoveHeadList+39j
		xor	edx, edx
		mov	dword ptr [esi], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx
		jmp	loc_549E64
; END OF FUNCTION CHUNK	FOR IopInterlockedRemoveHeadList
; 
; START	OF FUNCTION CHUNK FOR DbgLoadImageSymbols

loc_5DC62E:				; CODE XREF: DbgLoadImageSymbols+1Cj
		and	[ebp+var_8], 0
		and	[ebp+var_C], 0
		jmp	loc_54A03E
; END OF FUNCTION CHUNK	FOR DbgLoadImageSymbols
; 
; START	OF FUNCTION CHUNK FOR DbgUnicodeStringToAnsiString

loc_5DC63B:				; CODE XREF: DbgUnicodeStringToAnsiString+46j
		push	0
		push	dword ptr [edi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_54A0A8
; END OF FUNCTION CHUNK	FOR DbgUnicodeStringToAnsiString
; 
; START	OF FUNCTION CHUNK FOR ApiSetResolveToHost

loc_5DC64A:				; CODE XREF: ApiSetResolveToHost+9Cj
		mov	ax, [edx]
		mov	edx, [edx+4]
		shr	ax, 1
		push	edi
		movzx	eax, ax
		push	eax
		call	_ApiSetpSearchForApiSetHost@16 ; ApiSetpSearchForApiSetHost(x,x,x,x)
		mov	ecx, eax
		jmp	loc_54A158
; END OF FUNCTION CHUNK	FOR ApiSetResolveToHost
; 
; START	OF FUNCTION CHUNK FOR HeadlessKernelAddLogEntry

loc_5DC664:				; CODE XREF: HeadlessKernelAddLogEntry+Aj
		cmp	dword ptr [eax+4], 0
		jz	loc_54A19A
		call	_HdlspKernelAddLogEntry@8 ; HdlspKernelAddLogEntry(x,x)
		pop	ecx
		retn
; END OF FUNCTION CHUNK	FOR HeadlessKernelAddLogEntry
; 
; START	OF FUNCTION CHUNK FOR RtlFileMapFree

loc_5DC675:				; CODE XREF: RtlFileMapFree+1Aj
		mov	eax, [edi+4]
		test	eax, eax
		jz	loc_54A1BC
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_54A1BC
; 

loc_5DC68B:				; CODE XREF: RtlFileMapFree+24j
		mov	eax, [edi+10h]
		test	eax, eax
		jz	loc_54A1C6
		push	eax
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)
		jmp	loc_54A1C6
; END OF FUNCTION CHUNK	FOR RtlFileMapFree
; 
; START	OF FUNCTION CHUNK FOR RtlStringCchCopyW

loc_5DC6A3:				; CODE XREF: RtlStringCchCopyW+15j
		test	edx, edx
		jz	loc_54A28D
		xor	edx, edx
		mov	[ecx], dx
		jmp	loc_54A28D
; END OF FUNCTION CHUNK	FOR RtlStringCchCopyW
; 
; START	OF FUNCTION CHUNK FOR KsepPoolFreeNonPaged

loc_5DC6B5:				; CODE XREF: KsepPoolFreeNonPaged+2j
		push	6245534Bh
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lock inc ds:dword_6C6FAC
		retn
; END OF FUNCTION CHUNK	FOR KsepPoolFreeNonPaged
; 
; START	OF FUNCTION CHUNK FOR VfTargetDriversAdd

loc_5DC6C8:				; CODE XREF: VfTargetDriversAdd+32j
		call	_ViTargetDriversAllocateVerifiedData@4 ; ViTargetDriversAllocateVerifiedData(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_54A515
		cmp	ds:_InitializationPhase, 0
		mov	eax, [esi+10h]
		jnz	short loc_5DC6E8
		or	eax, 2
		jmp	short loc_5DC6EB
; 

loc_5DC6E8:				; CODE XREF: VfTargetDriversAdd+92277j
		and	eax, 0FFFFFFFDh

loc_5DC6EB:				; CODE XREF: VfTargetDriversAdd+9227Cj
		mov	[esi+10h], eax
		jmp	loc_54A4A2
; 

loc_5DC6F3:				; CODE XREF: VfTargetDriversAdd+4Fj
		mov	eax, offset _ViTargetAllocationFailures
		xchg	ebx, [eax]
		xor	ebx, ebx
		test	esi, esi
		jz	loc_54A50A
		push	44566656h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_54A50A
; 

loc_5DC714:				; CODE XREF: VfTargetDriversAdd+57j
		mov	edx, esi
		mov	ecx, ebx
		call	_VfNotifyDifPlugins@8 ;	VfNotifyDifPlugins(x,x)
		mov	ecx, [esp+18h+var_C]
		jmp	loc_54A4C7
; 

loc_5DC726:				; CODE XREF: VfTargetDriversAdd+91j
		mov	cl, [ebp+arg_0]
		inc	ds:dword_6BE398
		mov	[esi+18h], cl
		jmp	loc_54A501
; END OF FUNCTION CHUNK	FOR VfTargetDriversAdd
; 
; START	OF FUNCTION CHUNK FOR VfAvlCleanupLockContext

loc_5DC737:				; CODE XREF: VfAvlCleanupLockContext+Aj
		mov	ecx, [esi]
		mov	edx, esi
		call	_ViAvlReleaseTableLockFromDpcLevel@8 ; ViAvlReleaseTableLockFromDpcLevel(x,x)
		mov	al, [esi+5]
		jmp	loc_54A52A
; END OF FUNCTION CHUNK	FOR VfAvlCleanupLockContext
; 
; START	OF FUNCTION CHUNK FOR ViAvlAcquireTableLockAtDpcLevelSafe

loc_5DC748:				; CODE XREF: ViAvlAcquireTableLockAtDpcLevelSafe+21j
		call	_ViAvlReleaseTableLockFromDpcLevel@8 ; ViAvlReleaseTableLockFromDpcLevel(x,x)
		mov	al, [esi+5]
		jmp	loc_54A5FD
; END OF FUNCTION CHUNK	FOR ViAvlAcquireTableLockAtDpcLevelSafe
; 
; START	OF FUNCTION CHUNK FOR ViAvlTableIndex

loc_5DC755:				; CODE XREF: ViAvlTableIndex+6j
		shr	edx, 0Ch
		mov	eax, edx
		xor	edx, edx
		div	ecx
		mov	eax, edx
		retn
; END OF FUNCTION CHUNK	FOR ViAvlTableIndex
; 
; START	OF FUNCTION CHUNK FOR VfAvlReserveNode

loc_5DC761:				; CODE XREF: VfAvlReserveNode+12j
		mov	ecx, offset _ViAvlNodeLookaside
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		jmp	loc_54A664
; END OF FUNCTION CHUNK	FOR VfAvlReserveNode
; 
; START	OF FUNCTION CHUNK FOR MiCreateSystemSection

loc_5DC770:				; CODE XREF: MiCreateSystemSection+39j
		cmp	esi, 0C0000054h
		jnz	loc_54A74E
		push	offset _MiHalfSecond
		push	ebx
		push	ebx
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_54A6DC
; 

loc_5DC78D:				; CODE XREF: MiCreateSystemSection+80j
		mov	ecx, eax
		xor	eax, edi
		cmp	eax, 7
		jb	loc_54A73D

loc_5DC79A:				; CODE XREF: MiCreateSystemSection+6Fj
		push	746C6644h
		push	edi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_54A74E
; END OF FUNCTION CHUNK	FOR MiCreateSystemSection
; 
; START	OF FUNCTION CHUNK FOR VfDifCaptureDriverEntry

loc_5DC7AA:				; CODE XREF: VfDifCaptureDriverEntry+10j
		call	_ViDifAllocateCallbackStorage@0	; ViDifAllocateCallbackStorage()
		test	eax, eax
		jz	loc_54A8C2
		mov	ecx, esi
		mov	[edi+20h], eax
		call	_ViDifCaptureDriverEntry@4 ; ViDifCaptureDriverEntry(x)
		mov	al, 1
		jmp	loc_54A8C4
; END OF FUNCTION CHUNK	FOR VfDifCaptureDriverEntry
; 
; START	OF FUNCTION CHUNK FOR ViDifCheckCallbackInterception

loc_5DC7C8:				; CODE XREF: ViDifCheckCallbackInterception+14j
		cmp	ds:_XdvEnabled,	0
		jz	loc_54A8E2
		push	13h
		call	_VfIsRuleClassEnabled@4	; VfIsRuleClassEnabled(x)
		test	al, al
		jnz	short loc_5DC7EF
		push	23h
		call	_VfIsRuleClassEnabled@4	; VfIsRuleClassEnabled(x)
		test	al, al
		jz	loc_54A8E2

loc_5DC7EF:				; CODE XREF: ViDifCheckCallbackInterception+91F16j
		mov	esi, [esi+18h]
		mov	ecx, offset _VfRdbssServiceName
		add	esi, 0Ch
		mov	edx, esi
		call	_VfUtilEqualUnicodeString@8 ; VfUtilEqualUnicodeString(x,x)
		test	eax, eax
		jnz	loc_54A8E2
		mov	edx, esi
		mov	ecx, offset _VfMupServiceName
		call	_VfUtilEqualUnicodeString@8 ; VfUtilEqualUnicodeString(x,x)
		test	eax, eax
		jnz	loc_54A8E2
		mov	edx, esi
		mov	ecx, (offset loc_A503F5+3)
		call	_VfUtilEqualUnicodeString@8 ; VfUtilEqualUnicodeString(x,x)
		test	eax, eax
		jnz	loc_54A8E2
		mov	edx, esi
		mov	ecx, (offset loc_A503D7+1)
		call	_VfUtilEqualUnicodeString@8 ; VfUtilEqualUnicodeString(x,x)
		test	eax, eax
		jnz	loc_54A8E2
		mov	al, 1
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR ViDifCheckCallbackInterception
; 
; START	OF FUNCTION CHUNK FOR KsepShimDbChanged

loc_5DC849:				; CODE XREF: KsepShimDbChanged+6Bj
					; KsepShimDbChanged+73j
		mov	ds:dword_6C7478, edi
		mov	[esp+40h+var_2C], esi
		jmp	loc_5680B2
; 

loc_5DC858:				; CODE XREF: KsepShimDbChanged+93j
		mov	ecx, ds:dword_6C74A0
		mov	eax, ecx
		mov	edx, ds:dword_6C74A4
		or	eax, edx
		jnz	short loc_5DC879
		mov	eax, [esp+40h+var_8]
		mov	ds:dword_6C74A0, eax
		mov	eax, [esp+40h+var_4]
		jmp	short loc_5DC897
; 

loc_5DC879:				; CODE XREF: KsepShimDbChanged+74A16j
		mov	edi, [esp+40h+var_8]
		mov	eax, [esp+40h+var_4]
		cmp	edi, ecx
		jnz	short loc_5DC88D
		cmp	eax, edx
		jz	loc_567EEB

loc_5DC88D:				; CODE XREF: KsepShimDbChanged+74A31j
		mov	ds:dword_6C74A0, edi
		mov	[esp+40h+var_2C], esi

loc_5DC897:				; CODE XREF: KsepShimDbChanged+74A25j
		mov	ds:dword_6C74A4, eax
		jmp	loc_567EEB
; 

loc_5DC8A1:				; CODE XREF: KsepShimDbChanged+278j
		push	0
		push	[esp+44h+var_28]
		push	offset _KsepShimDbLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DC8B7:				; CODE XREF: KsepShimDbChanged+18Fj
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [esp+54h+var_20]
		jmp	loc_567FED
; 

loc_5DC8C9:				; CODE XREF: KsepShimDbChanged+24Ej
		push	[esp+40h+var_C]
		mov	edx, offset _KsepShimDbLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_568001
; END OF FUNCTION CHUNK	FOR KsepShimDbChanged
; 
; START	OF FUNCTION CHUNK FOR VfAvlDeleteTreeNode

loc_5DC8DE:				; CODE XREF: VfAvlDeleteTreeNode+3Bj
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		or	byte ptr [edi+5], 1
		mov	[edi+4], al
		jmp	loc_54A951
; END OF FUNCTION CHUNK	FOR VfAvlDeleteTreeNode
; 
; START	OF FUNCTION CHUNK FOR VfAvlLookupTreeNode

loc_5DC8F2:				; CODE XREF: VfAvlLookupTreeNode+1Fj
		mov	ecx, [ebx]
		mov	[ebp+arg_4], ecx
		jmp	loc_54A9C3
; 

loc_5DC8FC:				; CODE XREF: VfAvlLookupTreeNode+46j
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], 1000h
		cmp	eax, 1
		ja	short loc_5DC90E
		mov	[ebp+var_18], ecx

loc_5DC90E:				; CODE XREF: VfAvlLookupTreeNode+91F6Bj
		lea	edx, [ebp+var_1C]
		mov	ecx, ebx
		call	_ViAvlNodeInitializeSessionId@8	; ViAvlNodeInitializeSessionId(x,x)
		mov	edx, [ebp+var_1C]
		mov	ecx, ebx
		call	ViAvlTableIndex
		test	byte ptr [esi+5], 1
		mov	[ebp+var_4], eax
		jnz	short loc_5DC93D
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		or	byte ptr [esi+5], 1
		mov	[esi+4], al
		mov	eax, [ebp+var_4]

loc_5DC93D:				; CODE XREF: VfAvlLookupTreeNode+91F8Bj
		mov	ecx, [ebx+8]
		mov	edx, esi
		shl	eax, 7
		add	ecx, eax
		mov	[ebp+var_4], eax
		call	ViAvlAcquireTableLockAtDpcLevelSafe
		lea	eax, [ebp+var_1C]
		push	eax
		mov	eax, [ebx+8]
		add	eax, [ebp+var_4]
		push	eax
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	loc_54AA5E
		mov	ecx, [ebx+8]
		mov	edx, esi
		add	ecx, [ebp+var_4]
		call	_ViAvlReleaseTableLockFromDpcLevel@8 ; ViAvlReleaseTableLockFromDpcLevel(x,x)
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+arg_4]
		dec	eax
		mov	edx, [ebp+arg_0]
		add	edi, 1000h
		mov	[ebp+var_C], eax
		jmp	loc_54A9EA
; 

loc_5DC98F:				; CODE XREF: VfAvlLookupTreeNode+BAj
		mov	ecx, [ebx+8]
		mov	edx, esi
		add	ecx, edi
		call	_ViAvlReleaseTableLockFromDpcLevel@8 ; ViAvlReleaseTableLockFromDpcLevel(x,x)
		mov	eax, [ebp+var_10]
		mov	edi, [ebp+arg_4]
		inc	eax
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_10], eax
		cmp	eax, [ebp+var_C]
		jb	loc_54A9F3
		jmp	loc_54AA6E
; END OF FUNCTION CHUNK	FOR VfAvlLookupTreeNode
; 
; START	OF FUNCTION CHUNK FOR VfTargetDriversRemove

loc_5DC9B6:				; CODE XREF: VfTargetDriversRemove+5Cj
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		call	_ViTargetRemovingCheckEtwWmi@8 ; ViTargetRemovingCheckEtwWmi(x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	_VfPoolCheckForLeaks@8 ; VfPoolCheckForLeaks(x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	_ViTargetRemovingCheckContiguousMemory@8 ; ViTargetRemovingCheckContiguousMemory(x,x)
		jmp	loc_54AAD6
; 

loc_5DC9D7:				; CODE XREF: VfTargetDriversRemove+9Ej
		push	44566656h
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_54AB18
; 

loc_5DC9E9:				; CODE XREF: VfTargetDriversRemove+ABj
		mov	edx, esi
		mov	ecx, offset _ViAvlNodeLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	loc_54AB2B
; END OF FUNCTION CHUNK	FOR VfTargetDriversRemove
; 
; START	OF FUNCTION CHUNK FOR VfPoolDelayFreeIfPossible

loc_5DC9FA:				; CODE XREF: VfPoolDelayFreeIfPossible+1Bj
		movzx	eax, word ptr [esi+4]
		mov	edx, 200h
		mov	edi, eax
		cmp	ax, dx
		jb	short loc_5DCA25
		inc	dword ptr [esi+24h]
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5DCA14:				; CODE XREF: VfPoolDelayFreeIfPossible+91EE1j
		push	ebx
		push	1
		lea	eax, [esi+8]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_54AB7E
; 

loc_5DCA25:				; CODE XREF: VfPoolDelayFreeIfPossible+91EB2j
		mov	edx, ecx
		mov	ecx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		cmp	edi, 40h
		jb	loc_54AB7E
		jmp	short loc_5DCA14
; END OF FUNCTION CHUNK	FOR VfPoolDelayFreeIfPossible
; 
; START	OF FUNCTION CHUNK FOR IopCleanupNotifications

loc_5DCA39:				; CODE XREF: IopCleanupNotifications+47j
					; IopCleanupNotifications+91EFCj
		mov	esi, edi
		mov	edi, [edi]
		mov	ecx, [esi+8]
		cmp	ecx, eax
		jnz	short loc_5DCA78
		test	ebx, ebx
		jz	short loc_5DCA4D
		cmp	[esi+14h], ebx
		jnz	short loc_5DCA78

loc_5DCA4D:				; CODE XREF: IopCleanupNotifications+91EC4j
		call	ObfDereferenceObject
		push	dword ptr [esi+10h]
		call	ExUnregisterCallback
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_5DCA85
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_5DCA85
		push	0
		mov	[eax], ecx
		push	esi
		mov	[ecx+4], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]

loc_5DCA78:				; CODE XREF: IopCleanupNotifications+91EC0j
					; IopCleanupNotifications+91EC9j
		cmp	edi, offset _IopSessionNotificationQueueHead
		jnz	short loc_5DCA39
		jmp	loc_54ABB0
; 

loc_5DCA85:				; CODE XREF: IopCleanupNotifications+91EDDj
					; IopCleanupNotifications+91EE4j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5DCA8A:				; CODE XREF: IopCheckUnloadDriver+2Ej
		mov	edi, 0C0000010h

loc_5DCA8F:				; CODE XREF: IopCheckUnloadDriver+72j
		mov	dl, bl
		push	0Ah
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	loc_54AC2E
; END OF FUNCTION CHUNK	FOR IopCleanupNotifications
; 
; START	OF FUNCTION CHUNK FOR IopCheckUnloadDriver

loc_5DCAA7:				; CODE XREF: IopCheckUnloadDriver+43j
		cmp	[esi+4], edx
		jz	loc_54AC17
		mov	[edi], dl
		mov	al, dl
		jmp	loc_54AC17
; END OF FUNCTION CHUNK	FOR IopCheckUnloadDriver
; 
; START	OF FUNCTION CHUNK FOR MiResolvePageFileFault

loc_5DCAB9:				; CODE XREF: MiResolvePageFileFault+64j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_5DCAC7
		mov	dl, 21h
		call	MiUnlockProtoPoolPage

loc_5DCAC7:				; CODE XREF: MiResolvePageFileFault+91E4Ej
		mov	eax, 0C00000A1h
		jmp	loc_54B5F2
; 

loc_5DCAD1:				; CODE XREF: MiResolvePageFileFault+B74j
		mov	ecx, [ecx+1Ch]
		test	cl, 4
		jz	short loc_5DCAF5
		test	cl, 10h
		jnz	short loc_5DCB01
		push	[ebp+var_30]
		mov	ecx, offset _MiSystemPartition
		push	[ebp+var_1C]
		call	_MiIsPteInStore@16 ; MiIsPteInStore(x,x,x,x)
		test	eax, eax
		jz	short loc_5DCB01
		mov	eax, [ebp+var_C]

loc_5DCAF5:				; CODE XREF: MiResolvePageFileFault+91E67j
		mov	[ebp+var_24], 0
		jmp	loc_54AD1F
; 

loc_5DCB01:				; CODE XREF: MiResolvePageFileFault+91E6Cj
					; MiResolvePageFileFault+91E80j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	loc_54BB3A
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		jmp	loc_54BB3A
; 

loc_5DCB18:				; CODE XREF: MiResolvePageFileFault+CE9j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_5DCB26
		mov	dl, 21h
		call	MiUnlockProtoPoolPage

loc_5DCB26:				; CODE XREF: MiResolvePageFileFault+B9Aj
					; MiResolvePageFileFault+BAAj ...
		xor	eax, eax
		jmp	loc_54B5F2
; 

loc_5DCB2D:				; CODE XREF: MiResolvePageFileFault+A4Fj
		mov	al, 30h
		mov	[ebp+var_1], al
		jmp	loc_54B6C8
; 

loc_5DCB37:				; CODE XREF: MiResolvePageFileFault+239j
		lea	ecx, [edx-1]
		mov	ds:dword_6D348C, ecx
		mov	ecx, 1
		jmp	loc_54B676
; 

loc_5DCB4A:				; CODE XREF: MiResolvePageFileFault+E76j
		mov	ecx, [ebp+var_4C]
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	cl, [ebp+var_2]
		mov	edx, [ebp+var_24]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+var_C]
		jmp	loc_54B869
; 

loc_5DCB63:				; CODE XREF: MiResolvePageFileFault+268j
		mov	[ebp+var_8], eax
		jmp	loc_54AEDE
; 

loc_5DCB6B:				; CODE XREF: MiResolvePageFileFault+290j
		mov	eax, 0C000009Ah
		jmp	loc_5DCDE7
; 

loc_5DCB75:				; CODE XREF: MiResolvePageFileFault+AC3j
					; MiResolvePageFileFault+AD0j ...
		mov	edi, [ebp+var_28]
		mov	ecx, 1
		mov	edx, ebx
		jmp	loc_54AF7D
; 

loc_5DCB84:				; CODE XREF: MiResolvePageFileFault+362j
					; MiResolvePageFileFault+36Bj
		mov	edi, 0FFFFFFFDh
		sub	edi, eax
		jmp	loc_54AFE1
; 

loc_5DCB90:				; CODE XREF: MiResolvePageFileFault+449j
					; MiResolvePageFileFault+451j
		lea	ebx, [edi-1]
		jmp	loc_54B0C7
; 

loc_5DCB98:				; CODE XREF: MiResolvePageFileFault+537j
		mov	edi, ds:dword_6D0700
		mov	eax, edi
		mov	ecx, ds:dword_6D0704
		or	eax, ecx
		mov	edx, [ebp+var_30]
		mov	[ebp+var_5C], ecx
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_6C], edx
		jz	short loc_5DCBC8
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_5DCBC8
		mov	edx, [ebp+var_5C]
		not	edx
		and	edx, [ebp+var_6C]

loc_5DCBC8:				; CODE XREF: MiResolvePageFileFault+91F44j
					; MiResolvePageFileFault+91F4Ej
		mov	eax, [ebp+var_18]
		sub	eax, [ebp+var_8]
		mov	edi, [ebp+var_10]
		mov	[ebp+var_18], eax
		lea	eax, [ebx+eax*8]
		cmp	eax, edi
		jbe	short loc_5DCBEC
		mov	eax, edi
		sub	eax, ebx
		mov	ebx, edi
		sar	eax, 3
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_18], eax
		jmp	short loc_5DCBF1
; 

loc_5DCBEC:				; CODE XREF: MiResolvePageFileFault+91F69j
		mov	ebx, eax
		mov	[ebp+var_3C], eax

loc_5DCBF1:				; CODE XREF: MiResolvePageFileFault+91F7Aj
		push	[ebp+var_30]
		xor	eax, eax
		push	ecx
		mov	ecx, [ebp+var_18]
		add	ecx, edx
		adc	eax, eax
		push	eax
		push	ecx
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	edi, [ebp+var_8]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_30], edx
		mov	[ebp+var_18], edi
		jmp	loc_54B1AD
; 

loc_5DCC16:				; CODE XREF: MiResolvePageFileFault+C7Cj
		cmp	[ebp+var_50], 0
		jnz	loc_54B1CD
		mov	eax, [ebp+var_4C]
		cmp	eax, ds:_MmHighestUserAddress
		ja	loc_54B1CD
		cmp	[ebp+arg_0], 0
		jnz	loc_54B1CD
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, 92492493h
		imul	ecx
		add	edx, ecx
		sar	edx, 4
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		call	MiSearchNumaNodeTable
		lea	ecx, [esi-1]
		cmp	[eax+4], ecx
		jnz	loc_54B1CD
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+var_44]
		mov	edi, [eax+2Ch]
		mov	[ebp+var_20], edi
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		movzx	ecx, byte ptr [edi+16h]
		shr	ecx, 6
		cmp	ecx, eax
		jnz	loc_54B1CD
		mov	edx, [ebp+var_28]
		mov	eax, edi
		xor	esi, esi
		mov	[ebp+var_2C], eax
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_5DCCCC

loc_5DCC93:				; CODE XREF: MiResolvePageFileFault+9204Ej
		mov	ecx, eax
		inc	esi
		mov	eax, [eax+10h]
		and	eax, offset loc_7FFFFF
		mov	[ebp+var_5C], ecx
		cmp	eax, offset loc_7FFFFF
		jz	short loc_5DCCC5
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_2C], eax
		cmp	esi, edx
		jb	short loc_5DCC93
		mov	ecx, [ebp+var_5C]
		jmp	short loc_5DCCCC
; 

loc_5DCCC5:				; CODE XREF: MiResolvePageFileFault+92036j
		mov	[ebp+var_2C], 0

loc_5DCCCC:				; CODE XREF: MiResolvePageFileFault+92021j
					; MiResolvePageFileFault+92053j
		push	0
		mov	edx, offset loc_7FFFFF
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_2C]
		mov	[ecx+2Ch], eax
		jmp	loc_54B1F5
; 

loc_5DCCE6:				; CODE XREF: MiResolvePageFileFault+627j
		mov	ecx, [ebp+var_30]
		jmp	loc_54B2B4
; 

loc_5DCCEE:				; CODE XREF: MiResolvePageFileFault+692j
		mov	eax, [ebp+var_C]
		jmp	loc_54BA1E
; 

loc_5DCCF6:				; CODE XREF: MiResolvePageFileFault+64Ej
					; MiResolvePageFileFault+65Dj ...
		mov	ebx, [ebp+var_3C]
		mov	edi, [ebp+var_20]
		jmp	loc_54BA1E
; 

loc_5DCD01:				; CODE XREF: MiResolvePageFileFault+DB0j
		mov	edx, [ebp+var_10]
		cmp	ebx, edx
		ja	short loc_5DCD79
		mov	ebx, [ebp+var_34]
		mov	ecx, [ebp+var_14]
		mov	esi, ecx
		test	ebx, ebx
		jz	short loc_5DCD52
		mov	edi, [ebp+var_2C]

loc_5DCD17:				; CODE XREF: MiResolvePageFileFault+920CEj
		mov	eax, [esi]
		cmp	eax, ds:dword_6D34EC
		jz	short loc_5DCD38
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [eax+ecx*4]
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		dec	edi

loc_5DCD38:				; CODE XREF: MiResolvePageFileFault+920AFj
		add	esi, 4
		sub	ebx, 1
		jnz	short loc_5DCD17
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_2C], edi
		mov	edi, [ebp+var_20]
		mov	[ebp+var_34], ebx

loc_5DCD52:				; CODE XREF: MiResolvePageFileFault+920A2j
		and	eax, 0FFFFFFFDh
		mov	[ebp+var_28], ecx
		mov	ecx, [edx]
		mov	ebx, edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_3C], edx
		mov	[ebp+var_1C], ecx
		nop
		mov	ecx, [edx+4]
		mov	esi, 1
		mov	[ebp+var_30], ecx
		mov	[ebp+var_18], esi
		jmp	loc_54B3E0
; 

loc_5DCD79:				; CODE XREF: MiResolvePageFileFault+92096j
		mov	esi, [ebp+var_34]
		mov	[ebp+var_18], esi
		jmp	loc_54B40C
; 

loc_5DCD84:				; CODE XREF: MiResolvePageFileFault+DEAj
		cmp	[ebp+var_2], 0
		lea	ebx, [ebx+eax*8]
		mov	[ebp+var_38], ebx
		jnz	loc_54BA60
		mov	ecx, [ebp+var_50]
		shl	eax, 0Ch
		add	[ecx+10h], eax
		jmp	loc_54BA60
; 

loc_5DCDA2:				; CODE XREF: MiResolvePageFileFault+A25j
		or	dword ptr [ebx+78h], 100000h
		jmp	loc_54B541
; 

loc_5DCDAE:				; CODE XREF: MiResolvePageFileFault+D84j
		mov	edx, offset dword_6D5E40
		lock xadd [edx], eax
		jmp	loc_54B9FA
; 

loc_5DCDBC:				; CODE XREF: MiResolvePageFileFault+EB2j
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax
		jmp	loc_54BB28
; 

loc_5DCDCA:				; CODE XREF: MiResolvePageFileFault+2A1j
					; MiResolvePageFileFault+2AAj ...
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_5DCDDD
		mov	dl, 21h
		mov	ecx, eax
		call	MiUnlockProtoPoolPage
		mov	ecx, [ebp+var_40]

loc_5DCDDD:				; CODE XREF: MiResolvePageFileFault+9215Fj
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)
		mov	eax, 0C0000434h

loc_5DCDE7:				; CODE XREF: MiResolvePageFileFault+91F00j
		mov	edx, [ebp+var_24]
		test	edx, edx
		jz	loc_54B5F2
		cmp	eax, 0C000009Ah
		setz	cl
		inc	cl
		mov	[edx+1], cl
		jmp	loc_54B5F2
; END OF FUNCTION CHUNK	FOR MiResolvePageFileFault
; 
; START	OF FUNCTION CHUNK FOR MiResetAccessBitsTail

loc_5DCE04:				; CODE XREF: MiResetAccessBitsTail+1Fj
		cmp	dword ptr [edx], 0
		jz	loc_54BD0B
		push	ecx
		mov	ecx, edi
		call	_MiQueryEPTAccessedState@12 ; MiQueryEPTAccessedState(x,x,x)
		test	eax, eax
		jz	loc_54BD0B
		mov	edx, [esi+8]
		mov	ecx, edi
		push	esi
		push	offset _MiResetAccessBitsEPTCallback@20	; MiResetAccessBitsEPTCallback(x,x,x,x,x)
		call	_MiProcessVmAccessedInfo@16 ; MiProcessVmAccessedInfo(x,x,x,x)
		jmp	loc_54BCF4
; END OF FUNCTION CHUNK	FOR MiResetAccessBitsTail
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmPageRead

loc_5DCE32:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+72j
		cmp	byte ptr [edi+10F4h], 0
		jnz	loc_54BD8C
		mov	edi, 0C0000021h
		jmp	short loc_5DCE4B
; 

loc_5DCE46:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+A0j
		mov	edi, 0C000009Ah

loc_5DCE4B:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+5Dj
					; SMKM_STORE_MGR_SM_TRAITS___SmPageRead+91130j
		mov	ebx, [ebp+var_8]
		jmp	loc_54BE67
; 

loc_5DCE53:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+1BDj
		and	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [ebp+arg_8]
		jmp	loc_54BDC8
; 

loc_5DCE5F:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+D1j
		mov	ebx, [ebp+var_8]
		mov	edi, 0C000009Ah
		jmp	loc_54BE64
; 

loc_5DCE6C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+101j
		or	dword ptr [esi+4], 1000000h
		jmp	loc_54BE1B
; 

loc_5DCE78:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+12Dj
		mov	eax, [ebp+arg_0]
		mov	edi, 0C000009Ah
		jmp	loc_54BE5C
; 

loc_5DCE85:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+14Aj
		push	eax
		mov	edx, esi
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFreeResource
		jmp	loc_54BE64
; 

loc_5DCE97:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+155j
		mov	edx, [ebx+10F0h]
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_54BE6F
; 

loc_5DCEBA:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+162j
		mov	edx, [ebp+var_10]
		mov	ecx, ebx
		push	1
		call	SmAcquireReleaseResAvailForRead
		jmp	loc_54BE7C
; 

loc_5DCECB:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+16Aj
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		mov	[esi], edi
		jmp	loc_54BE84
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmPageRead
; 
; START	OF FUNCTION CHUNK FOR SmAcquireReleaseResAvailForRead

loc_5DCED9:				; CODE XREF: SmAcquireReleaseResAvailForRead+42j
		cmp	ds:dword_718470, 0
		jnz	short loc_5DCEFC
		xor	ecx, ecx
		inc	ecx
		cmp	edi, ecx
		jnz	short loc_5DCEFC
		mov	edx, offset dword_718470
		xor	eax, eax
		lock cmpxchg [edx], esi
		test	eax, eax
		jz	loc_54BF17

loc_5DCEFC:				; CODE XREF: SmAcquireReleaseResAvailForRead+90FF6j
					; SmAcquireReleaseResAvailForRead+90FFDj
		xor	ecx, ecx
		jmp	loc_54BF17
; END OF FUNCTION CHUNK	FOR SmAcquireReleaseResAvailForRead
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore

loc_5DCF03:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore+44j
					; SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore+4Dj
		push	esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ebx, [edi+470h]
		xor	ecx, ecx
		add	ebx, eax
		adc	ecx, edx
		cmp	[ebp+var_14], ecx
		jb	short loc_5DCF2C
		ja	short loc_5DCF22
		cmp	[ebp+var_18], ebx
		jbe	short loc_5DCF2C

loc_5DCF22:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore+90FBDj
		mov	esi, 0C000003Dh
		jmp	loc_54BFD5
; 

loc_5DCF2C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore+90FBBj
					; SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore+90FC2j
		mov	eax, [ebp+var_4]
		mov	ebx, [ebp+arg_0]
		jmp	loc_54BFB1
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmReadPickStore
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmFeReadInitiate

loc_5DCF37:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeReadInitiate+69j
		test	al, 8
		jz	loc_54C09B
		jmp	loc_54C05D
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmFeReadInitiate
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker

loc_5DCF44:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+6Aj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_54C253
; 

loc_5DCF53:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+129j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_54C312
; 

loc_5DCF62:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+203j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_54C3EC
; 

loc_5DCF71:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker+1DAj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_54C3C3
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueWorker
; 
; START	OF FUNCTION CHUNK FOR ExpResizeBigPageTable

loc_5DCF80:				; CODE XREF: ExpResizeBigPageTable+336j
		lea	eax, [ebp+var_18]
		mov	ecx, 200h
		push	eax
		xor	eax, eax
		lea	edx, [eax+1]
		call	ExpResizeBigPageTable
		test	eax, eax
		jnz	loc_54C750
		mov	ecx, esi
		call	ExGetHeapFromVA
		xor	ecx, ecx
		mov	edx, esi
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, eax
		call	RtlpHpFreeHeap

loc_5DCFB0:				; CODE XREF: ExpResizeBigPageTable+5Fj
					; ExpResizeBigPageTable+6Bj ...
		xor	eax, eax
		jmp	loc_54C6EF
; 

loc_5DCFB7:				; CODE XREF: ExpResizeBigPageTable+1F4j
		int	3		; Trap to Debugger
		jmp	loc_54C60E
; 

loc_5DCFBD:				; CODE XREF: ExpResizeBigPageTable+201j
		push	edx
		push	esi
		push	[ebp+var_4]
		mov	edx, 200h
		mov	ecx, 0E20h
		call	_EtwTracePool@20 ; EtwTracePool(x,x,x,x,x)
		jmp	loc_54C61B
; 

loc_5DCFD6:				; CODE XREF: ExpResizeBigPageTable+3ADj
		mov	edx, [ebx+4]
		lea	ecx, [ebp+var_38]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_54C7E9
; 

loc_5DCFE6:				; CODE XREF: ExpResizeBigPageTable+3CFj
		lea	ecx, [ebp+var_38]
		call	KxWaitForLockChainValid

loc_5DCFEE:				; CODE XREF: ExpResizeBigPageTable+3B8j
		xor	ecx, ecx
		mov	[ebp+var_38], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_54C7E9
; END OF FUNCTION CHUNK	FOR ExpResizeBigPageTable
; 
; START	OF FUNCTION CHUNK FOR MiMapSinglePage

loc_5DD003:				; CODE XREF: MiMapSinglePage+5Cj
		or	ecx, 2
		jmp	loc_54C8CE
; 

loc_5DD00B:				; CODE XREF: MiMapSinglePage+8Ej
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5DD03D
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	loc_54C903

loc_5DD024:				; CODE XREF: MiMapSinglePage+907EAj
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	loc_54C903
		or	edx, 80000000h
		jmp	loc_54C903
; 

loc_5DD03D:				; CODE XREF: MiMapSinglePage+907A6j
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_5DD024
		jmp	loc_54C903
; 

loc_5DD05D:				; CODE XREF: MiMapSinglePage+9Fj
		push	edx
		push	ebx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_54C911
; END OF FUNCTION CHUNK	FOR MiMapSinglePage
; 
; START	OF FUNCTION CHUNK FOR MiDeprioritizeVad

loc_5DD06B:				; CODE XREF: MiDeprioritizeVad+32j
		mov	ecx, edi
		call	_MiDereferenceVadUnsafe@4 ; MiDereferenceVadUnsafe(x)
		cmp	eax, 1
		jnz	short loc_5DD07F
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5DD07F:				; CODE XREF: MiDeprioritizeVad+90721j
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_54CA4B
; 

loc_5DD08B:				; CODE XREF: MiDeprioritizeVad+96j
		mov	ecx, eax
		xor	eax, esi
		cmp	eax, 7
		jb	loc_54C9D9
		mov	eax, esi

loc_5DD09A:				; CODE XREF: MiDeprioritizeVad+7Fj
		push	746C6644h
		push	eax
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_54C9F0
; END OF FUNCTION CHUNK	FOR MiDeprioritizeVad
; 
; START	OF FUNCTION CHUNK FOR MiTryLockVad

loc_5DD0AA:				; CODE XREF: MiTryLockVad+42j
		mov	edi, eax
		jmp	loc_54CAFA
; 

loc_5DD0B1:				; CODE XREF: MiTryLockVad+158j
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [ebp+var_4]
		jmp	loc_54CB49
; 

loc_5DD0C0:				; CODE XREF: MiTryLockVad+A5j
		test	edi, edi
		jz	short loc_5DD0CE
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	KeAbPostReleaseEx

loc_5DD0CE:				; CODE XREF: MiTryLockVad+90668j
		xor	eax, eax
		jmp	loc_54CB18
; END OF FUNCTION CHUNK	FOR MiTryLockVad
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_SM_TRAITS___SmStDirectRead

loc_5DD0D5:				; CODE XREF: SMKM_STORE_SM_TRAITS___SmStDirectRead+BFj
		mov	ecx, ebx
		call	?StReleaseReadContext@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@PAX@Z ; ST_STORE<SM_TRAITS>::StReleaseReadContext(ST_STORE<SM_TRAITS> *,void *)
		mov	eax, [ebp+var_20]
		jmp	loc_54CFE1
; END OF FUNCTION CHUNK	FOR SMKM_STORE_SM_TRAITS___SmStDirectRead
; 
; START	OF FUNCTION CHUNK FOR MiReplacePageOfProtoPool

loc_5DD0E4:				; CODE XREF: MiReplacePageOfProtoPool+5Fj
		xor	eax, eax
		jmp	loc_54D46F
; 

loc_5DD0EB:				; CODE XREF: MiReplacePageOfProtoPool+98j
		or	esi, 0FFFFFFFFh

loc_5DD0EE:				; CODE XREF: MiReplacePageOfProtoPool+4C5j
		test	ebx, ebx
		jz	loc_54D127
		lea	edi, [ecx+1]
		cmp	edi, edx
		jbe	short loc_5DD0FF
		mov	edi, edx

loc_5DD0FF:				; CODE XREF: MiReplacePageOfProtoPool+900CBj
		dec	edi
		xor	ebx, ebx
		jmp	loc_54D0BC
; 

loc_5DD107:				; CODE XREF: MiReplacePageOfProtoPool:loc_54D1C7j
		or	ebx, 0FFFFFFFFh
		jmp	loc_54D1CD
; 

loc_5DD10F:				; CODE XREF: MiReplacePageOfProtoPool+230j
		and	[ebp+var_80], 0
		lea	edi, [esi+10h]
		lock bts dword ptr [edi], 1Fh
		jnb	loc_54D270

loc_5DD121:				; CODE XREF: MiReplacePageOfProtoPool+900FDj
					; MiReplacePageOfProtoPool+90104j
		lea	ecx, [ebp+var_80]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_5DD121
		lock bts dword ptr [edi], 1Fh
		jb	short loc_5DD121
		jmp	loc_54D26D
; 

loc_5DD13B:				; CODE XREF: MiReplacePageOfProtoPool+248j
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		jmp	short loc_5DD150
; 

loc_5DD145:				; CODE XREF: MiReplacePageOfProtoPool+259j
					; MiReplacePageOfProtoPool+26Bj
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax

loc_5DD14D:				; CODE XREF: MiReplacePageOfProtoPool+405j
		mov	ecx, [ebp+var_4C]

loc_5DD150:				; CODE XREF: MiReplacePageOfProtoPool+3DDj
					; MiReplacePageOfProtoPool+90113j
		xor	ebx, ebx
		jmp	loc_54D2C4
; 

loc_5DD157:				; CODE XREF: MiReplacePageOfProtoPool+2C4j
		or	ecx, 0FFFFFFFFh

loc_5DD15A:				; CODE XREF: MiReplacePageOfProtoPool+438j
		test	edi, edi
		jz	loc_54D356
		lea	esi, [ebx+1]
		cmp	esi, edx
		jbe	short loc_5DD16B
		mov	esi, edx

loc_5DD16B:				; CODE XREF: MiReplacePageOfProtoPool+90137j
		dec	esi
		xor	edi, edi
		jmp	loc_54D2E5
; 

loc_5DD173:				; CODE XREF: MiReplacePageOfProtoPool+373j
		mov	edx, edi
		mov	esi, ebx
		jmp	loc_54D3B7
; END OF FUNCTION CHUNK	FOR MiReplacePageOfProtoPool
; 
; START	OF FUNCTION CHUNK FOR MiGetPrototypePteRanges

loc_5DD17C:				; CODE XREF: MiGetPrototypePteRanges+9Bj
		and	[ebp+var_C], 0
		jmp	loc_54D5CA
; END OF FUNCTION CHUNK	FOR MiGetPrototypePteRanges
; 
; START	OF FUNCTION CHUNK FOR MiProcessDereferenceList

loc_5DD185:				; CODE XREF: MiProcessDereferenceList+C5j
		cmp	[eax+4], ecx
		jnz	loc_54D883
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_54D883
		mov	[ecx], edx
		lea	esi, [eax-4]
		mov	[edx+4], ecx
		lea	ecx, [ebx+23Ch]
		cmp	dword ptr [esi+10h], 0FFFFFFFFh
		jnz	short loc_5DD1FE
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_5DD1E2
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+50h+var_41]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	_MiAttemptPageFileReduction@4 ;	MiAttemptPageFileReduction(x)
		lea	ecx, [ebx+23Ch]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	[esp+50h+var_41], al

loc_5DD1E2:				; CODE XREF: MiProcessDereferenceList+8FA9Cj
		test	byte ptr [esi+2Fh], 10h
		lea	ecx, [ebx+3DCh]
		jnz	loc_54D7D9
		push	0
		push	0
		lea	eax, [esi+18h]
		jmp	loc_5DD280
; 

loc_5DD1FE:				; CODE XREF: MiProcessDereferenceList+8FA93j
		push	0Dh
		pop	ecx
		lea	edi, [esp+50h+var_34]
		rep movsd
		lea	esi, [eax-4]
		lea	eax, [esp+50h+var_34]
		mov	[esp+50h+var_4], esi
		lea	edi, [ebx+340h]
		mov	[esi+30h], eax
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+50h+var_41]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	ecx, [ebx+23Ch]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_5DD24E
		lea	ecx, [esp+50h+var_34]
		call	_MiExtendPagingFiles@4 ; MiExtendPagingFiles(x)
		lea	ecx, [ebx+23Ch]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_5DD24E:				; CODE XREF: MiProcessDereferenceList+8FB20j
		push	ebx
		mov	edx, esi
		lea	ecx, [esp+54h+var_34]
		call	_MiProcessingPageExtendComplete@12 ; MiProcessingPageExtendComplete(x,x,x)
		dec	dword ptr [ebx+488h]
		lea	ecx, [ebx+3DCh]
		mov	[esp+50h+var_41], al
		xor	eax, eax
		cmp	[ebx+484h], eax
		jz	loc_54D7D9
		push	eax
		push	eax
		lea	eax, [ebx+48Ch]

loc_5DD280:				; CODE XREF: MiProcessDereferenceList+8FAE1j
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_54D7D3
; 

loc_5DD28B:				; CODE XREF: MiProcessDereferenceList+DDj
		cmp	[eax+4], ecx
		jnz	loc_54D883
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_54D883
		mov	[ecx], edx
		lea	edi, [esp+50h+var_34]
		add	eax, 0FFFFFFFCh
		mov	[edx+4], ecx
		push	0Dh
		pop	ecx
		mov	esi, eax
		mov	[esp+50h+var_38], eax
		rep movsd
		mov	[esp+50h+var_4], eax
		lea	ecx, [esp+50h+var_34]
		mov	[eax+30h], ecx
		lea	eax, [ebx+340h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+50h+var_41]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+50h+var_24]
		mov	ecx, ebx
		call	_MiRemoveUnusedSegments@8 ; MiRemoveUnusedSegments(x,x)
		test	eax, eax
		jz	short loc_5DD2EF
		xor	eax, eax
		inc	eax
		mov	[esp+50h+var_40], eax
		jmp	short loc_5DD2F3
; 

loc_5DD2EF:				; CODE XREF: MiProcessDereferenceList+8FBCCj
		mov	eax, [esp+50h+var_40]

loc_5DD2F3:				; CODE XREF: MiProcessDereferenceList+8FBD5j
		test	eax, eax
		jz	short loc_5DD2FF
		mov	[esp+50h+var_20], 1

loc_5DD2FF:				; CODE XREF: MiProcessDereferenceList+8FBDDj
		mov	edx, [esp+50h+var_38]
		lea	ecx, [esp+50h+var_34]
		push	ebx
		call	_MiProcessingPageExtendComplete@12 ; MiProcessingPageExtendComplete(x,x,x)
		mov	[esp+50h+var_41], al
		jmp	loc_54D7EB
; 

loc_5DD316:				; CODE XREF: MiProcessDereferenceList+132j
		lea	eax, [ebx+468h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	ecx, ebx
		call	_MiFreeClonePool@4 ; MiFreeClonePool(x)
		jmp	loc_54D850
; END OF FUNCTION CHUNK	FOR MiProcessDereferenceList
; 
; START	OF FUNCTION CHUNK FOR MiValidatePagefilePageHash

loc_5DD32E:				; CODE XREF: MiValidatePagefilePageHash+25j
		mov	edx, ecx
		jmp	loc_54D8B3
; 

loc_5DD335:				; CODE XREF: MiValidatePagefilePageHash+D3j
		test	dl, 7
		jz	loc_54D961

loc_5DD33E:				; CODE XREF: MiValidatePagefilePageHash+DCj
					; MiValidatePagefilePageHash+8FAC2j ...
		mov	eax, [ebp+var_54]
		jmp	loc_54D9AC
; 

loc_5DD346:				; CODE XREF: MiValidatePagefilePageHash+104j
		and	[ebp+var_58], 0
		jmp	short loc_5DD33E
; 

loc_5DD34C:				; CODE XREF: MiValidatePagefilePageHash+11Ej
		test	dword ptr [eax], 40000000h
		jnz	loc_54D9AC
		cmp	esi, 2
		jz	loc_54D9AC
		test	esi, esi
		jnz	short loc_5DD375
		push	ecx
		mov	ecx, [ebp+var_58]
		mov	edx, ebx
		call	_MiComparePageHash@12 ;	MiComparePageHash(x,x,x)
		mov	ecx, [ebp+var_68]
		jmp	short loc_5DD387
; 

loc_5DD375:				; CODE XREF: MiValidatePagefilePageHash+8FADBj
		cmp	ds:byte_6D31C0,	1
		jz	loc_54D9AC
		mov	eax, 0C000003Fh

loc_5DD387:				; CODE XREF: MiValidatePagefilePageHash+8FAEBj
		test	eax, eax
		jns	short loc_5DD33E
		mov	eax, [ebp+var_70]
		inc	ds:dword_6D30EC
		push	esi
		push	ecx
		push	ebx
		push	3Fh
		push	1Ah
		mov	ds:dword_6D3098, eax
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5DD3A6:				; CODE XREF: TelemetryCoverageTableLocateInternal+1Dj
		sub	esi, eax
		cmp	esi, eax
		sbb	eax, eax
		and	esi, eax
		jmp	loc_54DF2B
; END OF FUNCTION CHUNK	FOR MiValidatePagefilePageHash
; 
; START	OF FUNCTION CHUNK FOR TelemetryCoverageTableLocateInternal

loc_5DD3B3:				; CODE XREF: TelemetryCoverageTableLocateInternal+39j
		add	eax, 4
		cmp	eax, esi
		jb	loc_54DF39
		jmp	loc_54DF4C
; 

loc_5DD3C3:				; CODE XREF: TelemetryCoverageTableLocateInternal+8F4D2j
		mov	edx, [eax]
		test	edx, edx
		jz	loc_54DF47
		cmp	edx, ebx
		jz	loc_54DF47
		add	eax, 4

loc_5DD3D8:				; CODE XREF: TelemetryCoverageTableLocateInternal+47j
		cmp	eax, ecx
		jb	short loc_5DD3C3
		xor	eax, eax
		jmp	loc_54DF47
; END OF FUNCTION CHUNK	FOR TelemetryCoverageTableLocateInternal
; 
; START	OF FUNCTION CHUNK FOR SeConvertStringSecurityDescriptorToSecurityDescriptor

loc_5DD3E3:				; CODE XREF: SeConvertStringSecurityDescriptorToSecurityDescriptor+15j
		mov	eax, 519h

loc_5DD3E8:				; CODE XREF: SeConvertStringSecurityDescriptorToSecurityDescriptor+2Cj
		movzx	eax, ax
		or	eax, 0C0070000h
		jmp	loc_54E112
; END OF FUNCTION CHUNK	FOR SeConvertStringSecurityDescriptorToSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR MiCaptureAndResetWorkingSetAccessBits

loc_5DD3F5:				; CODE XREF: MiCaptureAndResetWorkingSetAccessBits+9Fj
		lea	eax, [ebp+var_1AC]
		mov	[ebp+var_1A8], 20h
		mov	[ebp+var_200], eax
		jmp	loc_54E1C1
; END OF FUNCTION CHUNK	FOR MiCaptureAndResetWorkingSetAccessBits
; 
; START	OF FUNCTION CHUNK FOR MiUseSlabAllocatorForDriverPage

loc_5DD410:				; CODE XREF: MiUseSlabAllocatorForDriverPage+Cj
		test	byte ptr [ecx+4], 8
		push	ebx
		setnz	bl
		test	dl, 2
		setnz	al
		test	bl, al
		pop	ebx
		jz	loc_54E24A
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		xor	eax, eax
		inc	eax
		jmp	loc_54E256
; 

loc_5DD435:				; CODE XREF: MiUseSlabAllocatorForDriverPage+16j
		test	edx, edx
		jz	loc_54E254
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		inc	eax
		mov	[ecx], eax
		jmp	loc_54E256
; END OF FUNCTION CHUNK	FOR MiUseSlabAllocatorForDriverPage
; 
; START	OF FUNCTION CHUNK FOR MiStoreFaultComplete

loc_5DD44A:				; CODE XREF: MiStoreFaultComplete+11j
		mov	esi, 0C0000225h
		mov	eax, 10001h
		cmp	ecx, esi
		jnz	short loc_5DD47F
		imul	edx, [edi+0C4h], 1Ch
		mov	ecx, ds:_MmPfnDatabase
		test	dword ptr [edx+ecx+10h], 40000000h
		jnz	short loc_5DD491
		push	0
		push	esi
		push	edi
		push	6000h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DD47F:				; CODE XREF: MiStoreFaultComplete+8EF52j
		cmp	ecx, 0C0000021h
		jz	short loc_5DD491
		mov	eax, 10003h
		jmp	loc_54E52C
; 

loc_5DD491:				; CODE XREF: MiStoreFaultComplete+8EF69j
					; MiStoreFaultComplete+8EF81j
		mov	dword ptr [edi+30h], 0C0000017h
		jmp	loc_54E52C
; END OF FUNCTION CHUNK	FOR MiStoreFaultComplete
; 
; START	OF FUNCTION CHUNK FOR MiAllocatePfnRepurposeLogDispatch

loc_5DD49D:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+75j
		mov	edx, eax
		lea	ecx, [ebp+var_24]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_54E5BA
; 

loc_5DD4AC:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+9Dj
		test	esi, esi
		jz	loc_54E5DD
		test	dword ptr [esi+20h], 0FFFh
		jz	short loc_5DD4C4
		xor	esi, esi
		jmp	loc_54E5DD
; 

loc_5DD4C4:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+95j
					; MiAllocatePfnRepurposeLogDispatch+8EF89j
		and	ds:dword_6D3260, 0
		jmp	loc_54E5DD
; 

loc_5DD4D0:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+B4j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_54E60E
; 

loc_5DD4E0:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+DEj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_54E616
; 

loc_5DD4ED:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+10Aj
					; MiAllocatePfnRepurposeLogDispatch+116j
		and	[ebp+var_18], 0
		lea	eax, [ebp+var_18]
		and	[ebp+var_14], 0
		push	eax
		call	KeQueryTickCount
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+var_14]
		mov	ecx, [esi+20h]
		jmp	loc_54E654
; 

loc_5DD50C:				; CODE XREF: MiAllocatePfnRepurposeLogDispatch+14Cj
		push	64h
		pop	eax
		mov	ecx, offset unk_6D4480
		lock xadd [ecx], eax
		xor	ebx, ebx
		jmp	loc_54E695
; END OF FUNCTION CHUNK	FOR MiAllocatePfnRepurposeLogDispatch
; 
; START	OF FUNCTION CHUNK FOR MmStealTopLevelPage

loc_5DD51F:				; CODE XREF: MmStealTopLevelPage+CAj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5DD563
		xor	eax, eax
		inc	eax
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	[esp+28h+var_14], eax
		jnz	loc_54E8A0
		mov	eax, edi
		and	eax, 1
		or	eax, esi
		mov	eax, [esp+28h+var_14]
		jmp	short loc_5DD552
; 

loc_5DD549:				; CODE XREF: MmStealTopLevelPage+8EDB1j
		mov	eax, edi
		and	eax, 1
		or	eax, esi
		mov	eax, esi

loc_5DD552:				; CODE XREF: MmStealTopLevelPage+8ED79j
		jz	loc_54E8A0
		or	edx, 80000000h
		jmp	loc_54E8A0
; 

loc_5DD563:				; CODE XREF: MmStealTopLevelPage+8ED58j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_54E89E
		jmp	short loc_5DD549
; 

loc_5DD581:				; CODE XREF: MmStealTopLevelPage+DAj
		push	edx
		push	edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_54E8AE
; 

loc_5DD58D:				; CODE XREF: MmStealTopLevelPage+16Dj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5DD5A8
		xor	edx, edx
		inc	edx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	loc_54E941
		jmp	short loc_5DD5C4
; 

loc_5DD5A8:				; CODE XREF: MmStealTopLevelPage+8EDC6j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_54E941

loc_5DD5C4:				; CODE XREF: MmStealTopLevelPage+8EDD8j
		mov	eax, ebx
		and	eax, 1
		or	eax, esi
		jz	loc_54E941
		or	edi, 80000000h
		jmp	loc_54E941
; END OF FUNCTION CHUNK	FOR MmStealTopLevelPage
; 
; START	OF FUNCTION CHUNK FOR RtlStringCchCatExW

loc_5DD5DC:				; CODE XREF: RtlStringCchCatExW+33j
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		cmp	[eax], dx
		jz	loc_54E9EC
		mov	ecx, edi
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 0BFFFFFF8h
		add	ecx, 0C000000Dh

loc_5DD5FC:				; CODE XREF: RtlStringCchCatExW+4Cj
		test	esi, esi
		jz	loc_54E9EC
		and	esi, 7FFFFFFFh
		jbe	loc_54E9EC
		xor	eax, eax
		mov	[edi], ax
		jmp	loc_54E9EC
; END OF FUNCTION CHUNK	FOR RtlStringCchCatExW
; 
; START	OF FUNCTION CHUNK FOR MiImageProtoChargedCommit

loc_5DD61A:				; CODE XREF: MiImageProtoChargedCommit+4Fj
		test	dword ptr [edx+1Ch], 4000000h
		jz	loc_54EB71
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		push	esi
		call	_MiGetSharedProtosAtDpcLevel@12	; MiGetSharedProtosAtDpcLevel(x,x,x)
		test	eax, eax
		jz	short loc_5DD64B
		mov	ecx, [eax+24h]
		cmp	ebx, ecx
		jb	short loc_5DD64B
		mov	eax, [esi+1Ch]
		lea	eax, [ecx+eax*8]
		cmp	ebx, eax
		jb	loc_54EB90

loc_5DD64B:				; CODE XREF: MiImageProtoChargedCommit+8EB18j
					; MiImageProtoChargedCommit+8EB1Fj
		mov	edx, [ebp+var_4]
		jmp	loc_54EB84
; 

loc_5DD653:				; CODE XREF: MiImageProtoChargedCommit+62j
		mov	ecx, [eax+24h]
		cmp	ebx, ecx
		jb	loc_54EB84
		mov	eax, [esi+1Ch]
		lea	eax, [ecx+eax*8]
		cmp	ebx, eax
		jnb	loc_54EB84
		push	4
		pop	edi
		jmp	loc_54EB90
; END OF FUNCTION CHUNK	FOR MiImageProtoChargedCommit
; 
; START	OF FUNCTION CHUNK FOR PnpRequestDeviceAction

loc_5DD674:				; CODE XREF: PnpRequestDeviceAction+29j
		mov	[ebp+var_24], 0C0000189h
		jmp	loc_54ED8B
; 

loc_5DD680:				; CODE XREF: PnpRequestDeviceAction+47j
		mov	[ebp+var_24], 0C000009Ah
		jmp	loc_54ED8B
; 

loc_5DD68C:				; CODE XREF: PnpRequestDeviceAction+DEj
		lea	edi, [ebp+var_38]
		movsd
		movsd
		movsd
		movsd
		jmp	loc_54EC96
; END OF FUNCTION CHUNK	FOR PnpRequestDeviceAction

;  S U B	R O U T	I N E 


sub_5DD698	proc near		; DATA XREF: .text:006A4874o
		xor	eax, eax
		inc	eax
		retn
sub_5DD698	endp


;  S U B	R O U T	I N E 


sub_5DD69C	proc near		; DATA XREF: .text:006A4878o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-28h]
		jmp	loc_54EC93
sub_5DD69C	endp

; 
; START	OF FUNCTION CHUNK FOR PnpRequestDeviceAction

loc_5DD6AE:				; CODE XREF: PnpRequestDeviceAction+103j
		xor	eax, eax
		jmp	loc_54ECB4
; 

loc_5DD6B5:				; CODE XREF: PnpRequestDeviceAction+159j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_54ED06
; 

loc_5DD6C4:				; CODE XREF: PnpRequestDeviceAction+1AEj
		inc	dword ptr [ebx+30h]
		mov	[eax], ebx
		jmp	loc_54ED56
; 

loc_5DD6CE:				; CODE XREF: PnpRequestDeviceAction+21Fj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_54EDCC
; 

loc_5DD6DD:				; CODE XREF: PnpRequestDeviceAction+1D9j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_54ED86
; 

loc_5DD6EC:				; CODE XREF: PnpRequestDeviceAction+27Dj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_54EE2A
; END OF FUNCTION CHUNK	FOR PnpRequestDeviceAction
; 

loc_5DD6FB:				; CODE XREF: .text:0054EF67j
		lea	edi, [esp+4Ch]
		movsd
		lea	eax, [esp+4Ch]
		push	eax
		movsd
		movsd
		movsd
		call	_IoSetActivityIdThread@4 ; IoSetActivityIdThread(x)
		mov	byte ptr [esp+17h], 1
		jmp	loc_54EF6D
; 

loc_5DD717:				; CODE XREF: .text:0054EFA9j
		mov	esi, 0C0000189h
		jmp	loc_54F049
; 

loc_5DD721:				; CODE XREF: .text:0054EFB4j
		mov	esi, 0C0000120h
		jmp	loc_54F049
; 

loc_5DD72B:				; CODE XREF: .text:0054EFBFj
		xor	eax, eax
		jmp	loc_54EFCE
; 

loc_5DD732:				; CODE XREF: .text:0054EFD8j
		mov	esi, 0C0000001h
		jmp	loc_54F049
; 

loc_5DD73C:				; CODE XREF: .text:0054EFE0j
		xor	edi, edi
		jmp	loc_54EFEF
; 

loc_5DD743:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	ecx, ebx	; case 0x1
		call	_PiProcessClearDeviceProblem@4 ; PiProcessClearDeviceProblem(x)
		jmp	loc_54F029
; 

loc_5DD74F:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	ecx, ebx	; case 0x4
		call	_PiProcessHaltDevice@4 ; PiProcessHaltDevice(x)
		jmp	loc_54F029
; 

loc_5DD75B:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	ecx, ebx	; case 0x6
		call	_PnpProcessRebalance@4 ; PnpProcessRebalance(x)
		jmp	loc_54F029
; 

loc_5DD767:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	ecx, ebx	; case 0xC
		call	_PiRestartDevice@4 ; PiRestartDevice(x)
		jmp	loc_54F029
; 

loc_5DD773:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	ecx, ebx	; case 0xD
		call	_PiProcessResourceRequirementsChanged@4	; PiProcessResourceRequirementsChanged(x)
		mov	esi, eax
		test	esi, esi
		jns	loc_54F02B
		mov	byte ptr [esp+1Ch], 1
		xor	esi, esi
		jmp	loc_54F02B
; 

loc_5DD790:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	ecx, ebx	; case 0xF
		call	_PiProcessSetDeviceProblem@4 ; PiProcessSetDeviceProblem(x)
		jmp	loc_54F029
; 

loc_5DD79C:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		xor	eax, eax	; case 0x13
		lea	edi, [esp+30h]
		push	1Ch
		inc	eax
		xor	ecx, ecx
		mov	[esp+30h], ax
		mov	esi, offset _GUID_TARGET_DEVICE_TRANSPORT_RELATIONS_CHANGED
		pop	eax
		mov	[esp+2Eh], ax
		lea	eax, [esp+2Ch]
		mov	[esp+48h], ecx
		movsd
		push	ecx
		push	ecx
		push	eax
		movsd
		movsd
		movsd
		or	dword ptr [esp+50h], 0FFFFFFFFh
		mov	[esp+4Ch], ecx
		push	dword ptr [ebx+8]
		call	IoReportTargetDeviceChangeAsynchronous
		mov	ecx, [ebx+8]
		push	15h
		pop	edx
		call	PiPnpRtlPdoRaiseNtPlugPlayPropertyChangeEvent
		mov	esi, [esp+18h]
		mov	edi, [esp+20h]
		jmp	loc_54F02B
; 

loc_5DD7EF:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	ecx, [ebx+8]	; case 0x14
		push	11h
		pop	edx
		call	PiPnpRtlPdoRaiseNtPlugPlayPropertyChangeEvent
		jmp	loc_54F1E9
; 

loc_5DD7FF:				; CODE XREF: .text:0054F01Bj
					; DATA XREF: .text:off_54F280o
		mov	ecx, ebx	; case 0x15
		call	_PiConfigureDevice@4 ; PiConfigureDevice(x)
		jmp	loc_54F029
; 

loc_5DD80B:				; CODE XREF: .text:0054F015j
		mov	esi, 0C0000001h	; default
		jmp	loc_54F02B
; 

loc_5DD815:				; CODE XREF: .text:0054F0ACj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_54F0B7
; 

loc_5DD822:				; CODE XREF: .text:0054F0D4j
		mov	[eax], esi
		jmp	loc_54F0DA
; 

loc_5DD829:				; CODE XREF: .text:0054F0DFj
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_54F0E5
; 

loc_5DD838:				; CODE XREF: .text:0054F11Dj
		xor	ebx, ebx
		push	ebx
		call	_IoSetActivityIdThread@4 ; IoSetActivityIdThread(x)
		jmp	loc_54EEE7
; 
; START	OF FUNCTION CHUNK FOR PnpLogActionQueueEvent

loc_5DD845:				; CODE XREF: PnpLogActionQueueEvent+8Bj
		test	ecx, ecx
		jz	short loc_5DD84E
		mov	eax, [ecx+18h]
		jmp	short loc_5DD850
; 

loc_5DD84E:				; CODE XREF: PnpLogActionQueueEvent+8E55Fj
		xor	eax, eax

loc_5DD850:				; CODE XREF: PnpLogActionQueueEvent+8E564j
		mov	edx, offset _KMPnPEvt_ReenumerateDeviceOnly_Queue
		jmp	short loc_5DD879
; 

loc_5DD857:				; CODE XREF: PnpLogActionQueueEvent+98j
		test	ecx, ecx
		jz	short loc_5DD860
		mov	eax, [ecx+18h]
		jmp	short loc_5DD862
; 

loc_5DD860:				; CODE XREF: PnpLogActionQueueEvent+8E571j
		xor	eax, eax

loc_5DD862:				; CODE XREF: PnpLogActionQueueEvent+8E576j
		mov	edx, offset _KMPnPEvt_ReenumerateDeviceOnly_Start
		jmp	short loc_5DD879
; 

loc_5DD869:				; CODE XREF: PnpLogActionQueueEvent+64j
		test	ecx, ecx
		jz	short loc_5DD872
		mov	eax, [ecx+18h]
		jmp	short loc_5DD874
; 

loc_5DD872:				; CODE XREF: PnpLogActionQueueEvent+8E583j
		xor	eax, eax

loc_5DD874:				; CODE XREF: PnpLogActionQueueEvent+8E588j
		mov	edx, offset _KMPnPEvt_ReenumerateDeviceOnly_Stop

loc_5DD879:				; CODE XREF: PnpLogActionQueueEvent+8E56Dj
					; PnpLogActionQueueEvent+8E57Fj
		push	eax
		push	ecx
		call	_McTemplateK0z_EtwWriteTransfer@16 ; McTemplateK0z_EtwWriteTransfer(x,x,x,x)
		jmp	loc_54F310
; 

loc_5DD885:				; CODE XREF: PnpLogActionQueueEvent+71j
		test	ecx, ecx
		jz	short loc_5DD88E
		mov	eax, [ecx+18h]
		jmp	short loc_5DD890
; 

loc_5DD88E:				; CODE XREF: PnpLogActionQueueEvent+8E59Fj
		xor	eax, eax

loc_5DD890:				; CODE XREF: PnpLogActionQueueEvent+8E5A4j
		push	edx
		mov	edx, offset _KMPnPEvt_ReenumerateDeviceTree_Queue
		jmp	loc_5DD998
; 

loc_5DD89B:				; CODE XREF: PnpLogActionQueueEvent+7Ej
		test	ecx, ecx
		jz	short loc_5DD8A4
		mov	eax, [ecx+18h]
		jmp	short loc_5DD8A6
; 

loc_5DD8A4:				; CODE XREF: PnpLogActionQueueEvent+8E5B5j
		xor	eax, eax

loc_5DD8A6:				; CODE XREF: PnpLogActionQueueEvent+8E5BAj
		push	edx
		mov	edx, offset _KMPnPEvt_ReenumerateDeviceTree_Start
		jmp	loc_5DD998
; 

loc_5DD8B1:				; CODE XREF: PnpLogActionQueueEvent+46j
		test	ecx, ecx
		jz	short loc_5DD8BA
		mov	eax, [ecx+18h]
		jmp	short loc_5DD8BC
; 

loc_5DD8BA:				; CODE XREF: PnpLogActionQueueEvent+8E5CBj
		xor	eax, eax

loc_5DD8BC:				; CODE XREF: PnpLogActionQueueEvent+8E5D0j
		push	edx
		mov	edx, offset _KMPnPEvt_ReenumerateDeviceTree_Stop
		jmp	loc_5DD998
; 

loc_5DD8C7:				; CODE XREF: PnpLogActionQueueEvent+AFj
		cmp	edx, 18h
		jg	loc_54F310
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_5DD8FA
		test	ds:byte_6CD8B9,	20h
		jz	loc_54F310
		test	ecx, ecx
		jz	short loc_5DD8ED
		mov	eax, [ecx+18h]
		jmp	short loc_5DD8EF
; 

loc_5DD8ED:				; CODE XREF: PnpLogActionQueueEvent+8E5FEj
		xor	eax, eax

loc_5DD8EF:				; CODE XREF: PnpLogActionQueueEvent+8E603j
		push	edx
		mov	edx, offset _KMPnPEvt_ConfigureDevice_Queue
		jmp	loc_5DD998
; 

loc_5DD8FA:				; CODE XREF: PnpLogActionQueueEvent+8E5EDj
		cmp	eax, 1
		jnz	short loc_5DD91F
		test	ds:byte_6CD8B9,	20h
		jz	loc_54F310
		test	ecx, ecx
		jz	short loc_5DD915
		mov	eax, [ecx+18h]
		jmp	short loc_5DD917
; 

loc_5DD915:				; CODE XREF: PnpLogActionQueueEvent+8E626j
		xor	eax, eax

loc_5DD917:				; CODE XREF: PnpLogActionQueueEvent+8E62Bj
		push	edx
		mov	edx, (offset loc_42797F+1)
		jmp	short loc_5DD998
; 

loc_5DD91F:				; CODE XREF: PnpLogActionQueueEvent+8E615j
		cmp	eax, 2
		jnz	loc_54F310
		test	ds:byte_6CD8B9,	20h
		jz	loc_54F310
		test	ecx, ecx
		jz	short loc_5DD93E
		mov	eax, [ecx+18h]
		jmp	short loc_5DD940
; 

loc_5DD93E:				; CODE XREF: PnpLogActionQueueEvent+8E64Fj
		xor	eax, eax

loc_5DD940:				; CODE XREF: PnpLogActionQueueEvent+8E654j
		push	[ebp+arg_4]
		push	edx
		mov	edx, offset _KMPnPEvt_ConfigureDevice_Stop
		jmp	loc_5DD9CE
; 

loc_5DD94E:				; CODE XREF: PnpLogActionQueueEvent+22j
					; PnpLogActionQueueEvent+A0j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_5DD975
		test	ds:byte_6CD8BB,	10h
		jz	loc_54F310
		test	ecx, ecx
		jz	short loc_5DD96B
		mov	eax, [ecx+18h]
		jmp	short loc_5DD96D
; 

loc_5DD96B:				; CODE XREF: PnpLogActionQueueEvent+8E67Cj
		xor	eax, eax

loc_5DD96D:				; CODE XREF: PnpLogActionQueueEvent+8E681j
		push	edx
		mov	edx, offset _KMPnPEvt_DeviceAction_Queue
		jmp	short loc_5DD998
; 

loc_5DD975:				; CODE XREF: PnpLogActionQueueEvent+8E66Bj
		cmp	eax, 1
		jnz	short loc_5DD9A4
		test	ds:byte_6CD8BB,	10h
		jz	loc_54F310
		test	ecx, ecx
		jz	short loc_5DD990
		mov	eax, [ecx+18h]
		jmp	short loc_5DD992
; 

loc_5DD990:				; CODE XREF: PnpLogActionQueueEvent+8E6A1j
		xor	eax, eax

loc_5DD992:				; CODE XREF: PnpLogActionQueueEvent+8E6A6j
		push	edx
		mov	edx, offset _KMPnPEvt_DeviceAction_Start

loc_5DD998:				; CODE XREF: PnpLogActionQueueEvent+8E5AEj
					; PnpLogActionQueueEvent+8E5C4j ...
		push	eax
		push	ecx
		call	_McTemplateK0zd_EtwWriteTransfer@20 ; McTemplateK0zd_EtwWriteTransfer(x,x,x,x,x)
		jmp	loc_54F310
; 

loc_5DD9A4:				; CODE XREF: PnpLogActionQueueEvent+8E690j
		cmp	eax, 2
		jnz	loc_54F310
		test	ds:byte_6CD8BB,	10h
		jz	loc_54F310
		test	ecx, ecx
		jz	short loc_5DD9C3
		mov	eax, [ecx+18h]
		jmp	short loc_5DD9C5
; 

loc_5DD9C3:				; CODE XREF: PnpLogActionQueueEvent+8E6D4j
		xor	eax, eax

loc_5DD9C5:				; CODE XREF: PnpLogActionQueueEvent+8E6D9j
		push	[ebp+arg_4]
		push	edx
		mov	edx, offset _KMPnPEvt_DeviceAction_Stop

loc_5DD9CE:				; CODE XREF: PnpLogActionQueueEvent+8E661j
		push	eax
		push	ecx
		call	_McTemplateK0zdq_EtwWriteTransfer@24 ; McTemplateK0zdq_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_54F310
; END OF FUNCTION CHUNK	FOR PnpLogActionQueueEvent
; 
; START	OF FUNCTION CHUNK FOR PopDirectedDripsNotifyPnpActionQueueEvent

loc_5DD9DA:				; CODE XREF: PopDirectedDripsNotifyPnpActionQueueEvent+38j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_54F467
; END OF FUNCTION CHUNK	FOR PopDirectedDripsNotifyPnpActionQueueEvent
; 
; START	OF FUNCTION CHUNK FOR PopDirectedDripsDiagNotifyPnpActionQueueEvent

loc_5DD9E7:				; CODE XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+9Fj
		sub	eax, ds:dword_6BF6E8
		sbb	edx, ds:dword_6BF6EC
		add	ds:dword_6BF6F0[esi*8],	eax
		adc	ds:dword_6BF6F4[esi*8],	edx
		mov	ds:dword_6BF6E8, ecx
		mov	ds:dword_6BF6EC, ecx
		jmp	loc_54F551
; 

loc_5DDA12:				; CODE XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+41j
		mov	ds:dword_6BF6E8, eax
		mov	ds:dword_6BF6EC, edx
		jmp	loc_54F50B
; 

loc_5DDA22:				; CODE XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+B9j
		sub	eax, ds:dword_6BF6E0
		mov	ds:dword_6BF6E0, ecx
		sbb	edx, ds:dword_6BF6E4
		add	ds:dword_6BF6D8, eax
		mov	ds:dword_6BF6E4, ecx
		adc	ds:dword_6BF6DC, edx
		jmp	loc_54F537
; 

loc_5DDA4B:				; CODE XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+59j
		inc	ds:dword_6BF7C0[esi*4]
		cmp	ds:dword_6BF660, 1
		jnz	loc_54F50B
		mov	ds:dword_6BF6E0, eax
		mov	ds:dword_6BF6E4, edx
		jmp	loc_54F50B
; 

loc_5DDA6F:				; CODE XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+6Bj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_54F522
; END OF FUNCTION CHUNK	FOR PopDirectedDripsDiagNotifyPnpActionQueueEvent
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert

loc_5DDA7C:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert+97j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_54F6F4
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert
; 
; START	OF FUNCTION CHUNK FOR ExQueueWorkItemToPrivatePool

loc_5DDA8B:				; CODE XREF: ExQueueWorkItemToPrivatePool+Fj
					; ExQueueWorkItemToPrivatePool+19j ...
		push	0FFFFFFFFh
		lea	eax, [edi+20h]
		push	eax
		push	ebx
		push	5
		push	0E4h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5DDA9F:				; CODE XREF: CcCalculateVacbLevelLockCount+25j
		mov	eax, [edi+4]
		sub	eax, 10h
		xor	ecx, ecx

loc_5DDAA7:				; CODE XREF: ExQueueWorkItemToPrivatePool+8E34Ej
		mov	edi, 2FDh
		cmp	[eax], di
		jnz	short loc_5DDAB4
		inc	esi
		jmp	short loc_5DDAB5
; 

loc_5DDAB4:				; CODE XREF: ExQueueWorkItemToPrivatePool+8E33Fj
		inc	ecx

loc_5DDAB5:				; CODE XREF: ExQueueWorkItemToPrivatePool+8E342j
		mov	eax, [eax+14h]
		sub	eax, 10h
		cmp	ecx, 3Fh
		jbe	short loc_5DDAA7
		jmp	loc_54F7E5
; END OF FUNCTION CHUNK	FOR ExQueueWorkItemToPrivatePool
; 
; START	OF FUNCTION CHUNK FOR ExInitializeNPagedLookasideListInternal

loc_5DDAC5:				; CODE XREF: ExInitializeNPagedLookasideListInternal+7Cj
		mov	cx, [ebp+arg_18]
		mov	eax, 0FFFFh
		mov	[esi+0Ah], ax
		mov	[esi+8], cx
		jmp	loc_54FDC3
; 

loc_5DDADB:				; CODE XREF: ExInitializeNPagedLookasideListInternal+B5j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_54FDF8
; 

loc_5DDAE8:				; CODE XREF: ExInitializeNPagedLookasideListInternal+116j
		mov	[ebp+var_10], 21h
		jmp	loc_54FE5E
; 

loc_5DDAF4:				; CODE XREF: ExInitializeNPagedLookasideListInternal:loc_550002j
		push	0
		push	[ebp+var_8]
		push	offset _PfTGlobals
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DDB09:				; CODE XREF: ExInitializeNPagedLookasideListInternal+208j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_18]
		jmp	loc_54FF56
; 

loc_5DDB20:				; CODE XREF: ExInitializeNPagedLookasideListInternal+28Dj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_54FFCB
; 

loc_5DDB2F:				; CODE XREF: ExInitializeNPagedLookasideListInternal+2B7j
		push	[ebp+var_18]
		mov	edx, offset _PfTGlobals
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_54FF69
; 

loc_5DDB43:				; CODE XREF: ExInitializeNPagedLookasideListInternal+ECj
		push	20h
		pop	eax
		jmp	loc_54FF89
; END OF FUNCTION CHUNK	FOR ExInitializeNPagedLookasideListInternal
; 
; START	OF FUNCTION CHUNK FOR MiQueueWorkingSetRequest

loc_5DDB4B:				; CODE XREF: MiQueueWorkingSetRequest+50j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5500AA
; 

loc_5DDB5B:				; CODE XREF: MiQueueWorkingSetRequest+72j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5DDB63:				; CODE XREF: MiQueueWorkingSetRequest+5Bj
		xor	ecx, ecx
		mov	[ebp+var_C], edi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_5500AA
; END OF FUNCTION CHUNK	FOR MiQueueWorkingSetRequest
; 
; START	OF FUNCTION CHUNK FOR MiPfIssueCoalesceCandidates

loc_5DDB74:				; CODE XREF: MiPfIssueCoalesceCandidates+6Dj
					; MiPfIssueCoalesceCandidates+8DAE5j
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_5DDBB5
		cmp	[esi+4], edi
		jnz	loc_550140
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_550140
		mov	[edi], eax
		xor	edx, edx
		push	0
		mov	ecx, esi
		mov	[eax+4], edi
		call	MiIssueHardFaultIo
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	loc_550140
		mov	[esi], ebx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ebx+4], esi
		jmp	short loc_5DDB74
; 

loc_5DDBB5:				; CODE XREF: MiPfIssueCoalesceCandidates+8DAAAj
		mov	eax, 0C000009Ah
		jmp	loc_550111
; END OF FUNCTION CHUNK	FOR MiPfIssueCoalesceCandidates
; 

loc_5DDBBF:				; CODE XREF: .text:00550243j
		and	[esi+0AEh], ax
		jmp	loc_550249
; 

loc_5DDBCB:				; CODE XREF: .text:0055030Dj
		mov	[edi], eax
		xor	eax, eax
		push	eax
		push	eax
		push	ebx
		mov	[esi+34h], eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_550313
; 
; START	OF FUNCTION CHUNK FOR RtlVerifyVersionInfo

loc_5DDBDF:				; CODE XREF: RtlVerifyVersionInfo+1E0j
					; RtlVerifyVersionInfo+1E8j
		xor	eax, eax
		jmp	loc_550524
; 

loc_5DDBE6:				; CODE XREF: RtlVerifyVersionInfo+271j
		mov	bl, 1
		mov	byte ptr [esp+140h+var_131], bl
		jmp	loc_5504DE
; 

loc_5DDBF1:				; CODE XREF: RtlVerifyVersionInfo+7Fj
					; RtlVerifyVersionInfo+87j
		mov	ecx, esi
		mov	eax, edi
		shrd	ecx, eax, 4
		movzx	ebx, cl
		jmp	loc_5503C1
; 

loc_5DDC01:				; CODE XREF: RtlVerifyVersionInfo+B7j
		test	al, al
		jnz	loc_5503E9
		jmp	loc_550572
; 

loc_5DDC0E:				; CODE XREF: RtlVerifyVersionInfo+120j
		test	edi, edi
		jl	short loc_5DDC28
		jg	short loc_5DDC18
		test	esi, esi
		jb	short loc_5DDC28

loc_5DDC18:				; CODE XREF: RtlVerifyVersionInfo+8D8EAj
		mov	ecx, esi
		mov	eax, edi
		shrd	ecx, eax, 2
		movzx	ebx, cl
		jmp	loc_55044E
; 

loc_5DDC28:				; CODE XREF: RtlVerifyVersionInfo+8D8E8j
					; RtlVerifyVersionInfo+8D8EEj
		push	edi
		xor	ecx, ecx
		push	esi
		inc	ecx
		call	_RtlpVerGetConditionMask@12 ; RtlpVerGetConditionMask(x,x,x)
		mov	ebx, eax
		jmp	loc_55044E
; 

loc_5DDC39:				; CODE XREF: RtlVerifyVersionInfo+146j
		test	al, al
		jnz	loc_5503F3
		jmp	loc_550572
; 

loc_5DDC46:				; CODE XREF: RtlVerifyVersionInfo+CFj
		cmp	ebx, 1
		jnz	short loc_5DDC65
		test	edi, edi
		jl	short loc_5DDC59
		jg	short loc_5DDC55
		test	esi, esi
		jb	short loc_5DDC59

loc_5DDC55:				; CODE XREF: RtlVerifyVersionInfo+8D927j
		xor	ebx, ebx
		jmp	short loc_5DDC65
; 

loc_5DDC59:				; CODE XREF: RtlVerifyVersionInfo+8D925j
					; RtlVerifyVersionInfo+8D92Bj
		push	edi
		push	esi
		push	20h
		pop	ecx
		call	_RtlpVerGetConditionMask@12 ; RtlpVerGetConditionMask(x,x,x)
		mov	ebx, eax

loc_5DDC65:				; CODE XREF: RtlVerifyVersionInfo+8D921j
					; RtlVerifyVersionInfo+8D92Fj
		push	0
		lea	eax, [esp+144h+var_131]
		mov	ecx, ebx
		push	eax
		movzx	eax, [esp+148h+var_14]
		push	eax
		mov	eax, [ebp+arg_0]
		movzx	edx, word ptr [eax+114h]
		call	RtlpVerCompare
		test	al, al
		jnz	short loc_5DDC99
		cmp	byte ptr [esp+140h+var_131], al
		jnz	loc_550401
		jmp	loc_550572
; 

loc_5DDC99:				; CODE XREF: RtlVerifyVersionInfo+8D960j
		mov	al, byte ptr [esp+140h+var_131]
		jmp	loc_5503FD
; 

loc_5DDCA2:				; CODE XREF: RtlVerifyVersionInfo+DDj
		cmp	ebx, 1
		jnz	short loc_5DDCC1
		test	edi, edi
		jl	short loc_5DDCB5
		jg	short loc_5DDCB1
		test	esi, esi
		jb	short loc_5DDCB5

loc_5DDCB1:				; CODE XREF: RtlVerifyVersionInfo+8D983j
		xor	ebx, ebx
		jmp	short loc_5DDCC1
; 

loc_5DDCB5:				; CODE XREF: RtlVerifyVersionInfo+8D981j
					; RtlVerifyVersionInfo+8D987j
		push	edi
		push	esi
		push	10h
		pop	ecx
		call	_RtlpVerGetConditionMask@12 ; RtlpVerGetConditionMask(x,x,x)
		mov	ebx, eax

loc_5DDCC1:				; CODE XREF: RtlVerifyVersionInfo+8D97Dj
					; RtlVerifyVersionInfo+8D98Bj
		push	1
		lea	eax, [esp+144h+var_131]
		mov	ecx, ebx
		push	eax
		movzx	eax, [esp+148h+var_12]
		push	eax
		mov	eax, [ebp+arg_0]
		movzx	edx, word ptr [eax+116h]
		call	RtlpVerCompare
		test	al, al
		jz	loc_550572
		jmp	loc_55040B
; 

loc_5DDCEF:				; CODE XREF: RtlVerifyVersionInfo+14Fj
					; RtlVerifyVersionInfo+157j
		mov	ecx, esi
		mov	eax, edi
		shrd	ecx, eax, 10h
		movzx	eax, cl
		jmp	loc_55048F
; 

loc_5DDCFF:				; CODE XREF: RtlVerifyVersionInfo+F0j
		test	edi, edi
		jl	short loc_5DDD0D
		jg	short loc_5DDD09
		test	esi, esi
		jb	short loc_5DDD0D

loc_5DDD09:				; CODE XREF: RtlVerifyVersionInfo+8D9DBj
		xor	eax, eax
		jmp	short loc_5DDD17
; 

loc_5DDD0D:				; CODE XREF: RtlVerifyVersionInfo+8D9D9j
					; RtlVerifyVersionInfo+8D9DFj
		push	edi
		push	esi
		push	8
		pop	ecx
		call	_RtlpVerGetConditionMask@12 ; RtlpVerGetConditionMask(x,x,x)

loc_5DDD17:				; CODE XREF: RtlVerifyVersionInfo+8D9E3j
		mov	edx, [ebx+10h]
		lea	ecx, [esp+140h+var_131]
		push	0
		push	ecx
		push	[esp+148h+var_118]
		mov	ecx, eax
		call	RtlpVerCompare
		test	al, al
		jz	loc_550572
		jmp	loc_55041E
; 

loc_5DDD39:				; CODE XREF: RtlVerifyVersionInfo+2Ej
					; RtlVerifyVersionInfo+257j
		mov	eax, 0C000000Dh
		jmp	loc_55042E
; END OF FUNCTION CHUNK	FOR RtlVerifyVersionInfo
; 
; START	OF FUNCTION CHUNK FOR RtlpVerCompare

loc_5DDD43:				; CODE XREF: RtlpVerCompare+3Aj
		sub	esi, 1
		jz	short loc_5DDD5E
		sub	esi, 1
		jz	short loc_5DDD54
		xor	al, al
		jmp	loc_55060B
; 

loc_5DDD54:				; CODE XREF: RtlpVerCompare+8D785j
		cmp	ecx, edx
		setle	al
		jmp	loc_55060B
; 

loc_5DDD5E:				; CODE XREF: RtlpVerCompare+8D780j
		cmp	ecx, edx
		setl	al
		jmp	loc_55060B
; 

loc_5DDD68:				; CODE XREF: RtlpVerCompare+31j
		cmp	ecx, edx
		setnle	al
		jmp	loc_55060B
; END OF FUNCTION CHUNK	FOR RtlpVerCompare
; 
; START	OF FUNCTION CHUNK FOR RtlStringCbPrintfA

loc_5DDD72:				; CODE XREF: RtlStringCbPrintfA+17j
		test	eax, eax
		jz	loc_5506AC
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	0
		jmp	loc_5506AC
; END OF FUNCTION CHUNK	FOR RtlStringCbPrintfA
; 
; START	OF FUNCTION CHUNK FOR IopCsqCancelRoutine

loc_5DDD85:				; CODE XREF: IopCsqCancelRoutine+2Cj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5507C9
; END OF FUNCTION CHUNK	FOR IopCsqCancelRoutine
; 
; START	OF FUNCTION CHUNK FOR MiPfCompleteCoalescedIo

loc_5DDD94:				; CODE XREF: MiPfCompleteCoalescedIo+37j
		mov	ecx, edi
		call	_MiRetardMdl@4	; MiRetardMdl(x)
		movzx	ecx, word ptr [esi+0AEh]
		mov	dword ptr [esi+30h], 0C000009Ah
		mov	[esi+34h], ebx
		jmp	loc_550901
; 

loc_5DDDB1:				; CODE XREF: MiPfCompleteCoalescedIo+60j
		push	esi
		push	ecx
		push	eax
		push	5
		push	7Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5DDDBE:				; CODE XREF: ExCompareExchangeCallBack+C5j
		mov	edx, eax
		test	al, 1
		jz	loc_550A51

loc_5DDDC8:				; CODE XREF: ExCompareExchangeCallBack+AEj
		mov	eax, esi
		and	edx, 0FFFFFFFEh
		neg	eax
		lock xadd [edx], eax
		cmp	eax, esi
		jnz	loc_550A1D
		lea	eax, [edx+14h]
		lock btr dword ptr [eax], 0
		jb	loc_550A1D
		push	0
		push	0
		lea	ecx, [edx+4]
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_550A1D
; END OF FUNCTION CHUNK	FOR MiPfCompleteCoalescedIo
; 
; START	OF FUNCTION CHUNK FOR ExCompareExchangeCallBack

loc_5DDDFB:				; CODE XREF: ExCompareExchangeCallBack+55j
		mov	edx, eax
		test	al, 1
		jz	loc_5509E4

loc_5DDE05:				; CODE XREF: ExCompareExchangeCallBack+44j
		and	edx, 0FFFFFFFEh
		lock xadd [edx], ebx
		cmp	ebx, 8
		jnz	loc_5509F5
		lea	eax, [edx+14h]
		lock btr dword ptr [eax], 0
		jb	loc_5509F5
		push	0
		push	0
		lea	eax, [edx+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_5509F5
; END OF FUNCTION CHUNK	FOR ExCompareExchangeCallBack
; 
; START	OF FUNCTION CHUNK FOR MiReferenceOwningSession

loc_5DDE35:				; CODE XREF: MiReferenceOwningSession+23j
		cmp	eax, ebx
		jz	loc_550AF1
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		jmp	loc_550AF1
; 

loc_5DDE4A:				; CODE XREF: MiReferenceOwningSession+5Ej
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_550AEA
; 

loc_5DDE5A:				; CODE XREF: MiReferenceOwningSession+80j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5DDE62:				; CODE XREF: MiReferenceOwningSession+69j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_550AEA
; END OF FUNCTION CHUNK	FOR MiReferenceOwningSession
; 
; START	OF FUNCTION CHUNK FOR MiInsertPhysicalPteMapping

loc_5DDE77:				; CODE XREF: MiInsertPhysicalPteMapping+151j
		push	4
		pop	edx
		mov	ecx, edi
		call	_MiShowBadMapper@8 ; MiShowBadMapper(x,x)
		mov	ecx, [esp+18h+var_8]
		jmp	loc_550C91
; 

loc_5DDE8A:				; CODE XREF: MiInsertPhysicalPteMapping+160j
		mov	edx, [esp+18h+var_4]
		call	_MiAssignInitialPageAttribute@8	; MiAssignInitialPageAttribute(x,x)
		mov	ecx, [esp+18h+var_8]
		mov	dl, [ecx+16h]
		jmp	loc_550CA0
; 

loc_5DDE9F:				; CODE XREF: MiInsertPhysicalPteMapping+176j
		mov	edx, ecx
		mov	ecx, esi
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		mov	esi, eax
		jmp	loc_550BC2
; 

loc_5DDEAF:				; CODE XREF: MiInsertPhysicalPteMapping+4Ej
		push	0
		push	1
		push	edi
		push	61949h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DDEC0:				; CODE XREF: MiInsertPhysicalPteMapping+82j
		or	esi, 18h
		jmp	loc_550BC2
; 

loc_5DDEC8:				; CODE XREF: MiInsertPhysicalPteMapping+A5j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5DDEF9
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	loc_550BE7

loc_5DDEE1:				; CODE XREF: MiInsertPhysicalPteMapping+8D3D7j
		mov	eax, esi
		and	eax, 1
		or	eax, edi
		jz	loc_550BE7
		or	edx, 80000000h
		jmp	loc_550BE7
; 

loc_5DDEF9:				; CODE XREF: MiInsertPhysicalPteMapping+8D395j
		mov	eax, large fs:124h
		mov	ecx, edi
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_5DDEE1
		jmp	loc_550BE7
; 

loc_5DDF18:				; CODE XREF: MiInsertPhysicalPteMapping+B5j
		push	edx
		push	esi
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_550BF5
; 

loc_5DDF26:				; CODE XREF: MiInsertPhysicalPteMapping+11Dj
					; MiInsertPhysicalPteMapping+8D3F9j
		lea	ecx, [esp+18h+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5DDF26
		jmp	loc_550C52
; END OF FUNCTION CHUNK	FOR MiInsertPhysicalPteMapping
; 
; START	OF FUNCTION CHUNK FOR KeAndGroupAffinityEx

loc_5DDF3A:				; CODE XREF: KeAndGroupAffinityEx+15j
		and	dword ptr [edx+4], 0
		and	dword ptr [edx+8], 0
		mov	[edx], ecx
		jmp	loc_550D2D
; END OF FUNCTION CHUNK	FOR KeAndGroupAffinityEx
; 
; START	OF FUNCTION CHUNK FOR RtlPcToFileHeader

loc_5DDF49:				; CODE XREF: RtlPcToFileHeader+1Bj
					; RtlPcToFileHeader+42j
		push	offset _PsLoadedModuleSpinLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		cmp	cl, 1Bh
		jnb	short loc_5DDF61
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5DDF61:				; CODE XREF: RtlPcToFileHeader+8D21Bj
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		xor	eax, eax
		jmp	loc_550DA4
; END OF FUNCTION CHUNK	FOR RtlPcToFileHeader
; 
; START	OF FUNCTION CHUNK FOR ExRegisterCallback

loc_5DDF6E:				; CODE XREF: ExRegisterCallback+27j
		mov	ecx, edi
		call	ObfDereferenceObject
		xor	eax, eax
		jmp	loc_550E6F
; 

loc_5DDF7C:				; CODE XREF: ExRegisterCallback+75j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, edi
		call	ObfDereferenceObject
		xor	esi, esi
		jmp	loc_550E6D
; END OF FUNCTION CHUNK	FOR ExRegisterCallback
; 
; START	OF FUNCTION CHUNK FOR PsGetVersion

loc_5DDF92:				; CODE XREF: PsGetVersion+1Ej
		movzx	eax, word ptr ds:_NtBuildNumber
		mov	[ecx], eax
		jmp	loc_550EFA
; 

loc_5DDFA0:				; CODE XREF: PsGetVersion+29j
		mov	eax, ds:_CmCSDVersionString
		mov	[ecx], eax
		mov	eax, ds:dword_6CE76C
		mov	[ecx+4], eax
		jmp	loc_550F05
; END OF FUNCTION CHUNK	FOR PsGetVersion
; 
; START	OF FUNCTION CHUNK FOR MiCleanSection

loc_5DDFB4:				; CODE XREF: MiCleanSection+36j
		lea	eax, [esp+38h+var_8]
		mov	[esp+38h+var_14], edx
		mov	[esp+38h+var_4], eax
		mov	[esp+38h+var_8], eax
		mov	eax, [esi+2Ch]
		mov	[esp+38h+var_1C], eax
		lea	eax, [esp+38h+var_1C]
		mov	[esi+2Ch], eax
		lea	eax, [esi+24h]
		push	eax
		mov	[esp+3Ch+var_18], 4
		mov	[esp+3Ch+var_10], 7
		mov	[esp+3Ch+var_F], bl
		mov	[esp+3Ch+var_E], 4
		mov	[esp+3Ch+var_C], edx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+38h+var_29]
		call	edi
		lea	eax, [esp+38h+var_24]
		xor	edx, edx
		push	eax
		push	80000000h
		push	0
		push	0
		lea	eax, [esi+50h]
		xor	ecx, ecx
		push	eax
		call	MiFlushSectionInternal
		lea	ecx, [esi+24h]
		mov	[esp+38h+var_28], eax
		push	ecx
		call	ExAcquireSpinLockExclusive
		lea	edx, [esp+38h+var_1C]
		mov	[esp+38h+var_29], al
		mov	ecx, esi
		call	_MiRemoveWakeListEntry@8 ; MiRemoveWakeListEntry(x,x)
		cmp	[esp+38h+var_14], 0
		jz	short loc_5DE04D
		mov	eax, [esi+14h]
		cmp	eax, ebx
		jnz	short loc_5DE05A
		xor	edx, edx
		cmp	[esi+0Ch], edx
		jz	loc_550F52
		jmp	short loc_5DE05A
; 

loc_5DE04D:				; CODE XREF: MiCleanSection+8D117j
		cmp	[esp+38h+var_28], 0
		jge	short loc_5DE08D
		mov	eax, [esi+14h]
		push	2
		pop	ebx

loc_5DE05A:				; CODE XREF: MiCleanSection+8D11Ej
					; MiCleanSection+8D12Bj
		dec	eax
		cmp	[ebp+arg_0], 0
		mov	[esi+14h], eax
		jz	short loc_5DE06B
		or	dword ptr [esi+1Ch], 40000h

loc_5DE06B:				; CODE XREF: MiCleanSection+8D142j
		cmp	ebx, 2
		jnz	short loc_5DE077
		mov	ecx, esi
		call	MiInsertUnusedSegment

loc_5DE077:				; CODE XREF: MiCleanSection+8D14Ej
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+38h+var_29]
		call	edi
		xor	eax, eax
		jmp	loc_550F6D
; 

loc_5DE08D:				; CODE XREF: MiCleanSection+8D132j
		xor	edx, edx
		jmp	loc_550F5C
; END OF FUNCTION CHUNK	FOR MiCleanSection
; 
; START	OF FUNCTION CHUNK FOR MiDestroySection

loc_5DE094:				; CODE XREF: MiDestroySection+31j
		mov	ecx, [ebp+arg_0]
		call	FsRtlReleaseFileForCcFlush
		mov	ecx, [ebp+arg_0]
		call	ObfDereferenceObject
		jmp	loc_550FAD
; END OF FUNCTION CHUNK	FOR MiDestroySection
; 
; START	OF FUNCTION CHUNK FOR LdrUnloadAlternateResourceModuleEx

loc_5DE0A9:				; CODE XREF: LdrUnloadAlternateResourceModuleEx+54j
		lea	esi, [ecx-20h]
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_5DE0D4
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5DE0D4
		push	eax
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_5DE0CE
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	[esi+14h], ebx

loc_5DE0CE:				; CODE XREF: LdrUnloadAlternateResourceModuleEx+8D0DFj
		mov	[esi+10h], ebx
		mov	ecx, [ebp+var_20]

loc_5DE0D4:				; CODE XREF: LdrUnloadAlternateResourceModuleEx+8D0CDj
					; LdrUnloadAlternateResourceModuleEx+8D0D2j
		mov	eax, ds:_AlternateResourceModuleCount
		mov	[ebp+var_20], eax
		cmp	edi, eax
		jz	short loc_5DE0F3
		sub	eax, edi
		shl	eax, 5
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memmove
		add	esp, 0Ch
		mov	eax, [ebp+var_20]

loc_5DE0F3:				; CODE XREF: LdrUnloadAlternateResourceModuleEx+8D0FAj
		lea	ecx, [eax-1]
		mov	ds:_AlternateResourceModuleCount, ecx
		test	ecx, ecx
		jnz	short loc_5DE116
		push	ebx
		push	ds:_AlternateResourceModules
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ds:_AlternateResourceModules, ebx
		mov	eax, ebx
		jmp	short loc_5DE176
; 

loc_5DE116:				; CODE XREF: LdrUnloadAlternateResourceModuleEx+8D11Aj
		mov	eax, ds:_AltResMemBlockCount
		add	eax, 0FFFFFFE0h
		cmp	ecx, eax
		jnb	short loc_5DE17B
		push	69507472h
		shl	eax, 5
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_5DE143
		mov	[ebp+var_19], bl
		jmp	loc_551045
; 

loc_5DE143:				; CODE XREF: LdrUnloadAlternateResourceModuleEx+8D155j
		mov	eax, ds:_AltResMemBlockCount
		add	eax, 0FFFFFFE0h
		shl	eax, 5
		push	eax		; size_t
		mov	esi, ds:_AlternateResourceModules
		push	esi		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_20]
		mov	ds:_AlternateResourceModules, eax
		mov	eax, ds:_AltResMemBlockCount
		sub	eax, 20h

loc_5DE176:				; CODE XREF: LdrUnloadAlternateResourceModuleEx+8D130j
		mov	ds:_AltResMemBlockCount, eax

loc_5DE17B:				; CODE XREF: LdrUnloadAlternateResourceModuleEx+8D13Cj
		mov	[ebp+var_19], 1
		mov	esi, [ebp+var_24]
		jmp	loc_55103E
; END OF FUNCTION CHUNK	FOR LdrUnloadAlternateResourceModuleEx

;  S U B	R O U T	I N E 


sub_5DE187	proc near		; DATA XREF: .text:006A4908o
		xor	ebx, ebx
		jmp	sub_551064
sub_5DE187	endp

; 
; START	OF FUNCTION CHUNK FOR MiFindFreePageFileSpaceForward

loc_5DE18E:				; CODE XREF: MiFindFreePageFileSpaceForward+E4j
		cmp	esi, edi
		jnb	loc_551162
		xor	esi, esi
		xor	ebx, ebx
		jmp	loc_551162
; END OF FUNCTION CHUNK	FOR MiFindFreePageFileSpaceForward
; 
; START	OF FUNCTION CHUNK FOR MiClearPfnImageVerified

loc_5DE19F:				; CODE XREF: MiClearPfnImageVerified+26j
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	bl, al
		jmp	loc_5511A8
; 

loc_5DE1AD:				; CODE XREF: MiClearPfnImageVerified+32j
		lea	eax, [ebp+var_8]
		xor	edx, edx
		push	eax
		inc	edx
		mov	ecx, esi
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		test	eax, eax
		jz	loc_5511B2
		sub	esi, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		mov	eax, esi
		cdq
		idiv	ecx
		push	0
		push	0
		push	eax
		push	5150Bh
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DE1E2:				; CODE XREF: MiClearPfnImageVerified+42j
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_5511C2
; END OF FUNCTION CHUNK	FOR MiClearPfnImageVerified
; 
; START	OF FUNCTION CHUNK FOR CcAdjustWriteBehindThreadPool

loc_5DE1FA:				; CODE XREF: CcAdjustWriteBehindThreadPool+2j
		cmp	byte ptr [ecx+200h], 0
		mov	dword ptr [ecx+284h], 1
		jz	locret_5511E3
		mov	byte ptr [ecx+200h], 0
		retn
; 

loc_5DE219:				; CODE XREF: CcAdjustWriteBehindThreadPool+17j
		cmp	byte ptr [ecx+0DCh], 0
		jnz	locret_5511E3
		mov	edx, [ecx+84h]
		push	0
		call	_CcReEngageWorkerThreads@12 ; CcReEngageWorkerThreads(x,x,x)
		retn
; END OF FUNCTION CHUNK	FOR CcAdjustWriteBehindThreadPool
; 
; START	OF FUNCTION CHUNK FOR CmpTransEnlistUowInCmTrans

loc_5DE234:				; CODE XREF: CmpTransEnlistUowInCmTrans+12j
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		mov	eax, 0C0190002h
		jmp	loc_5512F4
; END OF FUNCTION CHUNK	FOR CmpTransEnlistUowInCmTrans
; 
; START	OF FUNCTION CHUNK FOR ExUnregisterCallback

loc_5DE243:				; CODE XREF: ExUnregisterCallback+28j
		push	offset _ExpCallbackEvent
		mov	byte ptr [esi+18h], 1
		call	_KeResetEvent@4	; KeResetEvent(x)
		test	ds:byte_70EFC6,	1
		jz	short loc_5DE266
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5DE26B
; 

loc_5DE266:				; CODE XREF: ExUnregisterCallback+8CE60j
		xor	eax, eax
		lock and [edi],	eax

loc_5DE26B:				; CODE XREF: ExUnregisterCallback+8CE6Cj
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _ExpCallbackEvent
		call	KeWaitForSingleObject
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		jmp	loc_551412
; 

loc_5DE28F:				; CODE XREF: ExUnregisterCallback+48j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_55144B
; END OF FUNCTION CHUNK	FOR ExUnregisterCallback
; 
; START	OF FUNCTION CHUNK FOR SmKmStoreHelperCommandCleanup

loc_5DE29E:				; CODE XREF: SmKmStoreHelperCommandCleanup+2Dj
		sub	edx, 1
		jnz	loc_55150E
		mov	eax, [ebp+arg_0]
		push	1
		push	dword ptr [eax+4]
		push	edi
		call	dword ptr [eax]
		jmp	loc_55150E
; 

loc_5DE2B7:				; CODE XREF: SmKmStoreHelperCommandCleanup+1Fj
		mov	ecx, [ebp+arg_0]
		cmp	[ecx+18h], esi
		jl	loc_55150E
		mov	eax, [ecx+10h]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_18], eax
		mov	eax, [ecx+14h]
		mov	ecx, edi
		xor	eax, esi
		and	eax, 1
		xor	esi, eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	3
		pop	edx
		mov	[ebp+var_14], esi
		call	SmKmStoreHelperCommandProcess
		jmp	loc_55150E
; END OF FUNCTION CHUNK	FOR SmKmStoreHelperCommandCleanup
; 
; START	OF FUNCTION CHUNK FOR ExTryConvertSharedSpinLockExclusive

loc_5DE2EF:				; CODE XREF: ExTryConvertSharedSpinLockExclusive+11j
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_ExpTryConvertSharedSpinLockExclusiveInstrumented@8 ; ExpTryConvertSharedSpinLockExclusiveInstrumented(x,x)
		jmp	loc_55155A
; 

loc_5DE2FF:				; CODE XREF: ExTryConvertSharedSpinLockExclusive+37j
		test	edx, 40000000h
		jnz	short loc_5DE319
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_5DE323

loc_5DE319:				; CODE XREF: ExTryConvertSharedSpinLockExclusive+8CDEBj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]

loc_5DE323:				; CODE XREF: ExTryConvertSharedSpinLockExclusive+8CDFDj
		mov	edx, eax
		jmp	loc_55154D
; END OF FUNCTION CHUNK	FOR ExTryConvertSharedSpinLockExclusive
; 

loc_5DE32A:				; CODE XREF: .text:00551577j
		cmp	[edx+4], ecx
		jnz	loc_5515A3
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_5515A3
		push	0
		mov	[eax], edx
		push	0
		mov	[edx+4], eax
		push	offset _PopPowerSettingCallbackReturned
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		retn
; 
; START	OF FUNCTION CHUNK FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree

loc_5DE357:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree+12j
		movzx	eax, word ptr [edi]
		lea	edx, [edi+8]
		push	ebx
		mov	ebx, edx
		lea	eax, [ebx+eax*8]
		mov	[ebp+var_4], eax
		cmp	ebx, eax
		ja	short loc_5DE3B6
		mov	ecx, esi
		lea	eax, [esi+8]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	[ebp+var_8], ecx

loc_5DE378:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree+8CD81j
		cmp	ebx, edx
		lea	edx, [ebx-4]
		ja	short loc_5DE382
		lea	edx, [edi+4]

loc_5DE382:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree+8CD4Dj
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_5DE396
		cmp	byte ptr [edi+2], 2
		jnz	short loc_5DE396
		call	?NpLeafRemoveInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAX@Z ; NP_CONTEXT::NpLeafRemoveInternal(NP_CONTEXT::NP_CTX *,void	* *)
		jmp	short loc_5DE398
; 

loc_5DE396:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree+8CD57j
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree+8CD5Dj
		mov	eax, [edx]

loc_5DE398:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree+8CD64j
		test	eax, eax
		jz	short loc_5DE3A5
		mov	edx, eax
		mov	ecx, esi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree

loc_5DE3A5:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree+8CD6Aj
		mov	ecx, [ebp+var_8]
		lea	edx, [edi+8]
		add	ebx, 8
		cmp	ebx, [ebp+var_4]
		jbe	short loc_5DE378
		mov	cl, [edi+3]

loc_5DE3B6:				; CODE XREF: B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree+8CD38j
		pop	ebx
		jmp	loc_551648
; END OF FUNCTION CHUNK	FOR B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeNodeFree
; 
; START	OF FUNCTION CHUNK FOR SepExpandSingletonArrays

loc_5DE3BC:				; CODE XREF: SepExpandSingletonArrays+63j
		push	ds:_SepSingletonGlobal
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5DE3D7:				; CODE XREF: SepExpandSingletonArrays+23j
		mov	eax, 0C0000017h
		jmp	loc_5517A1
; END OF FUNCTION CHUNK	FOR SepExpandSingletonArrays
; 
; START	OF FUNCTION CHUNK FOR MiRebuildLargePages

loc_5DE3E1:				; CODE XREF: MiRebuildLargePages+60j
		xor	eax, eax
		mov	ecx, edi
		push	2
		lea	edx, [eax+1]
		call	_MiNodeLargeFreeZeroPages@12 ; MiNodeLargeFreeZeroPages(x,x,x)
		cmp	eax, ebx
		jnb	loc_551866
		sub	ebx, eax
		xor	edx, edx
		push	0
		mov	ecx, edi
		mov	[ebp+var_10], ebx
		call	_MiNodeFreeZeroPages@12	; MiNodeFreeZeroPages(x,x,x)
		mov	cl, 2
		mov	[ebp+var_8], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	[ebp+var_1C], 0
		lea	ebx, [edi+204h]
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+arg_0+3],	al
		mov	[ebp+var_18], ebx
		jz	short loc_5DE437
		mov	edx, ebx
		lea	ecx, [ebp+var_1C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5DE448
; 

loc_5DE437:				; CODE XREF: MiRebuildLargePages+8CC29j
		lea	edx, [ebp+var_1C]
		xchg	edx, [ebx]
		test	edx, edx
		jz	short loc_5DE448
		lea	ecx, [ebp+var_1C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5DE448:				; CODE XREF: MiRebuildLargePages+8CC35j
					; MiRebuildLargePages+8CC3Ej
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		test	eax, eax
		jz	short loc_5DE45B
		or	byte ptr [eax+0Eh], 1

loc_5DE45B:				; CODE XREF: MiRebuildLargePages+8CC55j
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+var_10]
		jb	loc_5DE52C
		mov	byte ptr [edi+143h], 0
		test	ds:byte_70EFC6,	1
		jz	short loc_5DE484
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5DE4B3
; 

loc_5DE484:				; CODE XREF: MiRebuildLargePages+8CC75j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_5DE4A3
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_5DE4B3
		call	KxWaitForLockChainValid

loc_5DE4A3:				; CODE XREF: MiRebuildLargePages+8CC89j
		xor	ecx, ecx
		mov	[ebp+var_1C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5DE4B3:				; CODE XREF: MiRebuildLargePages+8CC82j
					; MiRebuildLargePages+8CC9Cj
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	[ebp+var_8]
		mov	ecx, [ebp+var_C]
		xor	eax, eax
		push	esi
		lea	edx, [eax+1]
		call	_MiRebuildLargePage@16 ; MiRebuildLargePage(x,x,x,x)
		mov	cl, 2
		mov	esi, eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	[ebp+var_1C], 0
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [ebp+arg_0+3],	al
		mov	[ebp+var_18], ebx
		jz	short loc_5DE4F6
		mov	edx, ebx
		lea	ecx, [ebp+var_1C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5DE507
; 

loc_5DE4F6:				; CODE XREF: MiRebuildLargePages+8CCE8j
		lea	edx, [ebp+var_1C]
		xchg	edx, [ebx]
		test	edx, edx
		jz	short loc_5DE507
		lea	ecx, [ebp+var_1C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5DE507:				; CODE XREF: MiRebuildLargePages+8CCF4j
					; MiRebuildLargePages+8CCFDj
		test	esi, esi
		jnz	short loc_5DE52C
		cmp	[ebp+var_1], 0
		jz	short loc_5DE51A
		xor	eax, eax
		inc	eax
		mov	[edi+143h], al

loc_5DE51A:				; CODE XREF: MiRebuildLargePages+8CD0Fj
		mov	al, [edi+142h]
		cmp	al, 80h
		jnb	short loc_5DE528
		add	al, al
		jmp	short loc_5DE52E
; 

loc_5DE528:				; CODE XREF: MiRebuildLargePages+8CD22j
		or	al, 0FFh
		jmp	short loc_5DE52E
; 

loc_5DE52C:				; CODE XREF: MiRebuildLargePages+8CC61j
					; MiRebuildLargePages+8CD09j
		mov	al, 8

loc_5DE52E:				; CODE XREF: MiRebuildLargePages+8CD26j
					; MiRebuildLargePages+8CD2Aj
		mov	[edi+142h], al
		mov	[edi+140h], al
		mov	byte ptr [edi+141h], 0
		test	ds:byte_70EFC6,	1
		jz	short loc_5DE557
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5DE586
; 

loc_5DE557:				; CODE XREF: MiRebuildLargePages+8CD48j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_5DE576
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_5DE586
		call	KxWaitForLockChainValid

loc_5DE576:				; CODE XREF: MiRebuildLargePages+8CD5Cj
		xor	ecx, ecx
		mov	[ebp+var_1C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5DE586:				; CODE XREF: MiRebuildLargePages+8CD55j
					; MiRebuildLargePages+8CD6Fj
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	KeAbPostRelease
		jmp	loc_551866
; END OF FUNCTION CHUNK	FOR MiRebuildLargePages
; 
; START	OF FUNCTION CHUNK FOR KeFlushSingleCurrentTb

loc_5DE59B:				; CODE XREF: KeFlushSingleCurrentTb+36j
		test	al, 2
		jz	loc_551A60
		lea	eax, [esp+30h+var_1C]
		mov	ecx, ebx
		push	eax
		lea	edx, [esp+34h+var_18]
		call	_KiPrepareFlushParameters@12 ; KiPrepareFlushParameters(x,x,x)
		lea	ecx, [esp+30h+var_C]
		call	_KiPrepareFlushCurrentAffinity@4 ; KiPrepareFlushCurrentAffinity(x)
		mov	eax, esi
		mov	edx, ecx
		and	eax, 0FFFFF000h
		mov	[esp+30h+var_14], eax
		lea	eax, [esp+30h+var_14]
		push	eax
		push	edi
		push	edi
		push	ecx
		push	[esp+40h+var_1C]
		mov	ecx, [esp+44h+var_18]
		call	_HvlFlushRangeListTb@28	; HvlFlushRangeListTb(x,x,x,x,x,x,x)
		test	al, al
		jnz	loc_551A63
		jmp	loc_551A60
; 

loc_5DE5EB:				; CODE XREF: KeFlushSingleCurrentTb+4Cj
		push	ebx
		lea	edx, [esp+34h+var_20]
		mov	[esp+34h+var_20], esi
		mov	ecx, edi
		call	_VmFlushTb@12	; VmFlushTb(x,x,x)
		jmp	loc_551A76
; 

loc_5DE600:				; CODE XREF: KeFlushSingleCurrentTb+59j
		mov	cl, 1Fh
		mov	[esp+30h+var_20], esi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	[esp+30h+var_10]
		lea	edx, [esp+34h+var_20]
		mov	ecx, edi
		mov	bl, al
		call	_ExFlushTb@12	; ExFlushTb(x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_551A83
; END OF FUNCTION CHUNK	FOR KeFlushSingleCurrentTb
; 
; START	OF FUNCTION CHUNK FOR PopFxNotifySystemStateTransition

loc_5DE62A:				; CODE XREF: PopFxNotifySystemStateTransition+Ej
		mov	ecx, [eax+24h]
		push	esi
		mov	esi, [eax+28h]
		test	ecx, ecx
		jz	short loc_5DE65A
		cmp	dword ptr [ecx+44h], 0
		jz	short loc_5DE65A
		mov	eax, [ebp+arg_0]
		test	dl, dl
		jz	short loc_5DE64D
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+arg_0]
		push	eax
		push	27h
		jmp	short loc_5DE656
; 

loc_5DE64D:				; CODE XREF: PopFxNotifySystemStateTransition+8CB0Aj
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	28h

loc_5DE656:				; CODE XREF: PopFxNotifySystemStateTransition+8CB15j
		push	esi
		call	dword ptr [ecx+44h]

loc_5DE65A:				; CODE XREF: PopFxNotifySystemStateTransition+8CAFDj
					; PopFxNotifySystemStateTransition+8CB03j
		pop	esi
		jmp	locret_551B4A
; END OF FUNCTION CHUNK	FOR PopFxNotifySystemStateTransition
; 
; START	OF FUNCTION CHUNK FOR KeRestoreIptStateAfterProcessorComesOnline

loc_5DE660:				; CODE XREF: KeRestoreIptStateAfterProcessorComesOnline+7j
		mov	eax, large fs:20h
		mov	ecx, [eax+4170h]
		test	ecx, ecx
		jz	locret_551B5B
		add	ecx, ds:_KeXStateLength
		jmp	_KiRestoreIptState@4 ; KiRestoreIptState(x)
; END OF FUNCTION CHUNK	FOR KeRestoreIptStateAfterProcessorComesOnline
; 
; START	OF FUNCTION CHUNK FOR RtlCompressBufferProgress

loc_5DE67F:				; CODE XREF: RtlCompressBufferProgress+26j
		mov	edx, 100h
		cmp	cx, dx
		jnz	loc_5DE713
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	1000h		; int
		push	[ebp+arg_18]	; int
		push	[ebp+arg_14]	; int
		push	eax		; void *
		push	[ebp+arg_C]	; int
		push	10000h		; int
		push	[ebp+arg_4]	; int
		call	_RtlCompressBufferXpressLzMax@36 ; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)
		jmp	loc_551D3D
; 

loc_5DE6B3:				; CODE XREF: RtlCompressBufferProgress+1Dj
		cmp	edx, 4
		jnz	short loc_5DE713
		test	cx, cx
		jnz	short loc_5DE6E3
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	1000h
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	eax
		push	[ebp+arg_C]
		push	10000h
		push	[ebp+arg_4]
		call	RtlCompressBufferXpressHuffStandard
		jmp	loc_551D3D
; 

loc_5DE6E3:				; CODE XREF: RtlCompressBufferProgress+8C9CBj
		mov	edx, 100h
		cmp	cx, dx
		jnz	short loc_5DE713
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	1000h		; int
		push	[ebp+arg_18]	; int
		push	[ebp+arg_14]	; int
		push	eax		; void *
		push	[ebp+arg_C]	; int
		push	10000h		; int
		push	[ebp+arg_4]	; int
		call	_RtlCompressBufferXpressHuffMax@36 ; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)
		jmp	loc_551D3D
; 

loc_5DE713:				; CODE XREF: RtlCompressBufferProgress+8C997j
					; RtlCompressBufferProgress+8C9C6j ...
		mov	eax, 0C000025Fh
		jmp	loc_551D3D
; END OF FUNCTION CHUNK	FOR RtlCompressBufferProgress
; 
; START	OF FUNCTION CHUNK FOR PopGetNextTable

loc_5DE71D:				; CODE XREF: PopGetNextTable+268j
		mov	esi, eax
		mov	eax, [ebp+arg_8]
		add	eax, esi
		jmp	loc_551FB7
; 

loc_5DE729:				; CODE XREF: PopGetNextTable+C7j
		mov	ecx, [ebp+var_10]
		jmp	loc_551E2D
; END OF FUNCTION CHUNK	FOR PopGetNextTable
; 
; START	OF FUNCTION CHUNK FOR RtlDecompressBufferProgress

loc_5DE731:				; CODE XREF: RtlDecompressBufferProgress+Ej
		cmp	eax, 4
		jnz	short loc_5DE75C
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	1000h
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_RtlDecompressBufferXpressHuffProgress@36 ; RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)
		jmp	loc_552062
; 

loc_5DE75C:				; CODE XREF: RtlDecompressBufferProgress+8C704j
		mov	eax, 0C000025Fh
		jmp	loc_552062
; END OF FUNCTION CHUNK	FOR RtlDecompressBufferProgress
; 
; START	OF FUNCTION CHUNK FOR RtlDecompressBufferXpressLzProgress

loc_5DE766:				; CODE XREF: RtlDecompressBufferXpressLzProgress+221j
		mov	edi, [ecx]
		add	ecx, 4
		mov	[ebp+arg_4], ecx
		jmp	loc_5522B7
; 

loc_5DE773:				; CODE XREF: RtlDecompressBufferXpressLzProgress+463j
		lea	eax, [ecx+3]
		cmp	eax, [ebp+arg_0]
		jnb	loc_55279A
		mov	edi, [ecx]
		add	ecx, 4
		mov	[ebp+arg_4], ecx
		jmp	loc_5524F9
; 

loc_5DE78C:				; CODE XREF: RtlDecompressBufferXpressLzProgress+3A9j
		cmp	esi, [ebp+var_4]
		jb	loc_55279A
		jmp	loc_5525B0
; 

loc_5DE79A:				; CODE XREF: RtlDecompressBufferXpressLzProgress+6C5j
		lea	eax, [ecx+3]
		cmp	eax, [ebp+arg_0]
		jnb	loc_55279A
		mov	edx, [ecx]
		add	ecx, 4
		mov	[ebp+arg_4], ecx
		jmp	loc_55275B
; 

loc_5DE7B3:				; CODE XREF: RtlDecompressBufferXpressLzProgress+4CFj
		cmp	esi, [ebp+var_4]
		jb	loc_55279A
		jmp	loc_55264B
; END OF FUNCTION CHUNK	FOR RtlDecompressBufferXpressLzProgress
; 
; START	OF FUNCTION CHUNK FOR MiMapMemoryDumpMdl

loc_5DE7C1:				; CODE XREF: MiMapMemoryDumpMdl+4Cj
		mov	edx, 1
		jmp	loc_552864
; 

loc_5DE7CB:				; CODE XREF: MiMapMemoryDumpMdl+114j
		mov	ecx, 1
		jmp	loc_55292C
; 

loc_5DE7D5:				; CODE XREF: MiMapMemoryDumpMdl+16Fj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		mov	ecx, [esp+0C8h+var_B8]
		test	eax, eax
		jz	short loc_5DE810
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	[esp+0C8h+var_B4], 1
		jnz	loc_552989
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_552989
		or	edx, 80000000h
		jmp	loc_552989
; 

loc_5DE810:				; CODE XREF: MiMapMemoryDumpMdl+8BFD0j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_552989
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_552989
		or	edx, 80000000h
		jmp	loc_552989
; 

loc_5DE845:				; CODE XREF: MiMapMemoryDumpMdl+184j
		push	edx
		push	ecx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_55299A
; 

loc_5DE853:				; CODE XREF: MiMapMemoryDumpMdl+12Ej
		and	word ptr [edx+6], 0FFDEh
		jmp	loc_5529B1
; END OF FUNCTION CHUNK	FOR MiMapMemoryDumpMdl
; 
; START	OF FUNCTION CHUNK FOR KdCheckForDebugBreak

loc_5DE85D:				; CODE XREF: KdCheckForDebugBreak+7j
		cmp	ds:_KdDebuggerEnabled, 0
		jz	loc_5529FF

loc_5DE86A:				; CODE XREF: KdCheckForDebugBreak+14j
		call	KdPollBreakIn
		test	al, al
		jz	locret_552A0C
		push	1
		call	_DbgBreakPointWithStatus@4 ; DbgBreakPointWithStatus(x)
		retn
; END OF FUNCTION CHUNK	FOR KdCheckForDebugBreak
; 
; START	OF FUNCTION CHUNK FOR KeSaveIptStateBeforeProcessorGoesOffline

loc_5DE87F:				; CODE XREF: KeSaveIptStateBeforeProcessorGoesOffline+7j
		mov	eax, large fs:20h
		mov	ecx, [eax+4170h]
		test	ecx, ecx
		jz	locret_552A75
		add	ecx, ds:_KeXStateLength
		jmp	_KiSaveIptState@4 ; KiSaveIptState(x)
; END OF FUNCTION CHUNK	FOR KeSaveIptStateBeforeProcessorGoesOffline
; 
; START	OF FUNCTION CHUNK FOR PopWakeDeviceList

loc_5DE89E:				; CODE XREF: PopWakeDeviceList+D6j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_552B6C
; 

loc_5DE8AE:				; CODE XREF: PopWakeDeviceList+123j
					; PopWakeDeviceList+8BE4Ej
		test	esi, esi
		jle	loc_552B9F
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_2C]
		push	eax
		call	KeWaitForSingleObject
		dec	esi
		jmp	short loc_5DE8AE
; END OF FUNCTION CHUNK	FOR PopWakeDeviceList
; 
; START	OF FUNCTION CHUNK FOR PopSleepDeviceList

loc_5DE8C6:				; CODE XREF: PopSleepDeviceList+117j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_552D27
; 

loc_5DE8D6:				; CODE XREF: PopSleepDeviceList+164j
					; PopSleepDeviceList+8BCFCj
		test	esi, esi
		jle	loc_552D5A
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_40]
		push	eax
		call	KeWaitForSingleObject
		dec	esi
		jmp	short loc_5DE8D6
; END OF FUNCTION CHUNK	FOR PopSleepDeviceList
; 
; START	OF FUNCTION CHUNK FOR PopMapInternalActionToIrpAction

loc_5DE8EE:				; CODE XREF: PopMapInternalActionToIrpAction+Aj
		cmp	[ebp+arg_0], 0
		jz	loc_552DC8
		xor	eax, eax
		cmp	edx, 5
		setz	al
		add	eax, 2
		jmp	loc_552DC8
; END OF FUNCTION CHUNK	FOR PopMapInternalActionToIrpAction
; 
; START	OF FUNCTION CHUNK FOR PopIsNotifyForDirectedPowerTransition

loc_5DE908:				; CODE XREF: PopIsNotifyForDirectedPowerTransition+Cj
		cmp	[ecx-34h], edx
		jz	loc_552DEC
		mov	eax, [ecx+188h]
		test	eax, 10000h
		jz	loc_552DEC
		mov	eax, [ecx+188h]
		test	eax, 20000h
		jnz	loc_552DEC
		mov	dl, 1
		jmp	loc_552DEC
; END OF FUNCTION CHUNK	FOR PopIsNotifyForDirectedPowerTransition
; 
; START	OF FUNCTION CHUNK FOR PopSetPowerActionWatchdogState

loc_5DE93A:				; CODE XREF: PopSetPowerActionWatchdogState+50j
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		push	esi
		call	_PopPowerActionWatchdog@16 ; PopPowerActionWatchdog(x,x,x,x)

loc_5DE945:				; CODE XREF: PopSetPowerActionWatchdogState+BBj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_552FB6
; END OF FUNCTION CHUNK	FOR PopSetPowerActionWatchdogState
; 
; START	OF FUNCTION CHUNK FOR PfpServiceMainThreadUnboost

loc_5DE954:				; CODE XREF: PfpServiceMainThreadUnboost+21j
		mov	ecx, ds:dword_6D48B4
		cmp	ecx, [edi+5Ch]
		jnz	loc_553086
		jmp	loc_553069
; 

loc_5DE968:				; CODE XREF: PfpServiceMainThreadUnboost+50j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_55309D
; 

loc_5DE975:				; CODE XREF: PfpServiceMainThreadUnboost+74j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_5530BC
; END OF FUNCTION CHUNK	FOR PfpServiceMainThreadUnboost
; 
; START	OF FUNCTION CHUNK FOR IoGetDumpHiberRanges

loc_5DE982:				; CODE XREF: IoGetDumpHiberRanges+2Aj
		lea	ebx, [ecx+18h]
		mov	edi, [ebx]
		jmp	short loc_5DE9C6
; 

loc_5DE989:				; CODE XREF: IoGetDumpHiberRanges+8B660j
		push	2
		lea	eax, [edi+30h]
		pop	edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx

loc_5DE995:				; CODE XREF: IoGetDumpHiberRanges+8B65Aj
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_5DE9B6
		push	66756263h
		push	dword ptr [edi+2Ch]
		push	ecx
		push	10000h
		push	0
		call	PoSetHiberRange
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_8]

loc_5DE9B6:				; CODE XREF: IoGetDumpHiberRanges+8B631j
		add	eax, 4
		sub	edx, 1
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx
		jnz	short loc_5DE995
		mov	edi, [edi]

loc_5DE9C6:				; CODE XREF: IoGetDumpHiberRanges+8B61Fj
		cmp	edi, ebx
		jnz	short loc_5DE989
		mov	ebx, 10000h
		jmp	loc_5533B8
; 

loc_5DE9D4:				; CODE XREF: IoGetDumpHiberRanges+4Aj
		push	66756263h
		push	dword ptr [ecx+10h]
		jmp	short loc_5DE9E6
; 

loc_5DE9DE:				; CODE XREF: IoGetDumpHiberRanges+A4j
		push	66756263h
		push	dword ptr [ecx+18h]

loc_5DE9E6:				; CODE XREF: IoGetDumpHiberRanges+8B674j
		push	eax
		push	ebx
		push	0
		call	PoSetHiberRange
		jmp	loc_5533B8
; END OF FUNCTION CHUNK	FOR IoGetDumpHiberRanges
; 
; START	OF FUNCTION CHUNK FOR PoSetHiberRange

loc_5DE9F4:				; CODE XREF: PoSetHiberRange+3Aj
		push	esi
		push	esi
		jmp	short loc_5DE9FA
; 

loc_5DE9F8:				; CODE XREF: PoSetHiberRange+17Fj
		push	esi
		push	eax

loc_5DE9FA:				; CODE XREF: PoSetHiberRange+8B592j
		push	0Ah
		push	10Bh
		jmp	short loc_5DEA0C
; 

loc_5DEA03:				; CODE XREF: PoSetHiberRange+8B5CCj
		push	esi
		push	esi
		push	0A11AAh
		push	2

loc_5DEA0C:				; CODE XREF: PoSetHiberRange+8B59Dj
					; PoSetHiberRange+8B5BBj
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DEA16:				; CODE XREF: PoSetHiberRange+61j
					; PoSetHiberRange+175j	...
		push	esi
		push	ebx
		push	0Ah
		push	10Ch
		jmp	short loc_5DEA0C
; 

loc_5DEA21:				; CODE XREF: PoSetHiberRange+19Aj
		lea	eax, [esp+28h+var_14]
		push	eax
		lea	edx, [ebp+arg_8]
		call	_MmGetSectionRange@12 ;	MmGetSectionRange(x,x,x)
		test	eax, eax
		js	short loc_5DEA03
		mov	ecx, [esp+28h+var_14]
		jmp	loc_5534DF
; 

loc_5DEA3B:				; CODE XREF: PoSetHiberRange+7Ej
		and	ebx, 0FFFFFFFBh
		or	ebx, 2
		mov	[esp+28h+var_18], ebx
		jmp	loc_5534E8
; END OF FUNCTION CHUNK	FOR PoSetHiberRange
; 
; START	OF FUNCTION CHUNK FOR PopSetRange

loc_5DEA4A:				; CODE XREF: PopSetRange+Cj
		push	0
		mov	edx, 138h
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	0
		push	esi
		push	0Ah
		push	104h
		jmp	short loc_5DEA78
; 

loc_5DEA62:				; CODE XREF: PopSetRange+25j
		push	0
		mov	edx, 138h
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	0
		push	esi
		push	0Ah
		push	105h

loc_5DEA78:				; CODE XREF: PopSetRange+8B454j
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5DEA83:				; CODE XREF: MiIterateOverPartitions+38j
		or	ecx, 0FFFFFFFFh

loc_5DEA86:				; CODE XREF: MiIterateOverPartitions+CDj
		test	edi, edi
		jz	loc_5537C7
		lea	esi, [ebx+1]
		cmp	esi, edx
		jbe	short loc_5DEA97
		mov	esi, edx

loc_5DEA97:				; CODE XREF: PopSetRange+8B487j
		mov	ecx, [ebp+var_8]
		dec	esi
		xor	edi, edi
		jmp	loc_553770
; END OF FUNCTION CHUNK	FOR PopSetRange
; 
; START	OF FUNCTION CHUNK FOR MiLockMemoryLists

loc_5DEAA2:				; CODE XREF: MiLockMemoryLists+50j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_553889
; 

loc_5DEAB1:				; CODE XREF: MiLockMemoryLists+6Dj
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5DEAB8:				; CODE XREF: MiLockMemoryLists+5Aj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_553889
; 

loc_5DEACC:				; CODE XREF: MiLockMemoryLists+ADj
		mov	edx, eax
		mov	ecx, edi
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_5538D5
; 

loc_5DEADA:				; CODE XREF: MiLockMemoryLists+B9j
		mov	ecx, edi
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_5538D5
; 

loc_5DEAE6:				; CODE XREF: MiLockMemoryLists+FFj
		mov	edx, edi
		mov	ecx, esi
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5DEAF8
; 

loc_5DEAF1:				; CODE XREF: MiLockMemoryLists+10Bj
		mov	ecx, esi
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5DEAF8:				; CODE XREF: MiLockMemoryLists+8B2D9j
		mov	ecx, [ebp+arg_4]
		jmp	loc_553927
; 

loc_5DEB00:				; CODE XREF: MiLockMemoryLists+169j
		mov	edx, edi
		mov	ecx, esi
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5DEB12
; 

loc_5DEB0B:				; CODE XREF: MiLockMemoryLists+175j
		mov	ecx, esi
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5DEB12:				; CODE XREF: MiLockMemoryLists+8B2F3j
		mov	eax, [ebp+var_8]
		jmp	loc_553991
; 

loc_5DEB1A:				; CODE XREF: MiLockMemoryLists+1A7j
		mov	edx, eax
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_5539CF
; 

loc_5DEB26:				; CODE XREF: MiLockMemoryLists+1B3j
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_5539CF
; 

loc_5DEB30:				; CODE XREF: MiLockMemoryLists+1E3j
		mov	edx, edi
		mov	ecx, esi
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5DEB42
; 

loc_5DEB3B:				; CODE XREF: MiLockMemoryLists+1EFj
		mov	ecx, esi
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5DEB42:				; CODE XREF: MiLockMemoryLists+8B323j
		mov	eax, [ebp+var_C]
		jmp	loc_553A0B
; 

loc_5DEB4A:				; CODE XREF: MiLockMemoryLists+23Bj
		mov	edx, eax
		mov	ecx, edi
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5DEB5C
; 

loc_5DEB55:				; CODE XREF: MiLockMemoryLists+247j
		mov	ecx, edi
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5DEB5C:				; CODE XREF: MiLockMemoryLists+8B33Dj
		mov	eax, [ebp+var_8]
		jmp	loc_553A63
; 

loc_5DEB64:				; CODE XREF: MiLockMemoryLists+28Bj
		mov	edx, eax
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_5538AA
; 

loc_5DEB70:				; CODE XREF: MiLockMemoryLists+29Dj
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_5538AA
; END OF FUNCTION CHUNK	FOR MiLockMemoryLists
; 
; START	OF FUNCTION CHUNK FOR MiMirrorOmitPagesFromCopy

loc_5DEB7A:				; CODE XREF: MiMirrorOmitPagesFromCopy+5Fj
		push	20h
		xor	eax, eax
		pop	edx
		sub	edx, [ebp+arg_0]
		inc	eax
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [ebp+arg_0]
		dec	eax
		shl	eax, cl
		not	eax
		lock and [esi],	eax
		mov	ecx, edi
		sub	ecx, edx
		add	esi, 4
		jmp	loc_553F7B
; 

loc_5DEB9E:				; CODE XREF: MiMirrorOmitPagesFromCopy+4Aj
		push	edi
		push	ebx
		push	offset dword_6D305C
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		jmp	loc_553F66
; 

loc_5DEBAF:				; CODE XREF: MiMirrorOmitPagesFromCopy+97j
					; MiMirrorOmitPagesFromCopy+8ACC2j
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	MiMapPageInHyperSpaceWorker
		push	0FFFFFFFEh
		mov	esi, eax
		push	1000h
		push	esi
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		push	0
		mov	dl, 21h
		mov	ecx, esi
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		inc	ebx
		sub	edi, 1
		jnz	short loc_5DEBAF
		jmp	loc_553F6C
; END OF FUNCTION CHUNK	FOR MiMirrorOmitPagesFromCopy
; 
; START	OF FUNCTION CHUNK FOR MiMirrorVerify

loc_5DEBDF:				; CODE XREF: MiMirrorVerify+1Fj
					; MiMirrorVerify+8AD3Fj
		mov	edx, ds:dword_6D305C
		cmp	esi, edx
		mov	eax, ds:dword_6D3060
		sbb	edi, edi
		mov	[ebp+var_8], edx
		and	edi, esi
		mov	[ebp+var_C], eax
		lea	ecx, [edx-1]

loc_5DEBF9:				; CODE XREF: MiMirrorVerify+8ACD3j
		and	[ebp+var_18], 0
		mov	eax, ecx
		sub	eax, edi
		mov	[ebp+var_4], ecx
		inc	eax
		mov	[ebp+var_14], edi
		cmp	eax, 1
		jnb	short loc_5DEC12
		or	edi, 0FFFFFFFFh
		jmp	short loc_5DEC73
; 

loc_5DEC12:				; CODE XREF: MiMirrorVerify+8AC59j
		mov	eax, ecx
		xor	edx, edx
		mov	ecx, [ebp+var_C]
		inc	edx
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	ecx, edi
		mov	[ebp+var_18], eax
		and	ecx, 1Fh
		shl	edx, cl
		mov	eax, edi
		mov	ecx, [ebp+var_C]
		dec	edx
		shr	eax, 5
		lea	edi, [ecx+eax*4]
		mov	eax, [edi]
		not	eax
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_5DEC57
		mov	ecx, [ebp+var_18]

loc_5DEC44:				; CODE XREF: MiMirrorVerify+8ACA0j
		add	edi, 4
		cmp	edi, ecx
		ja	short loc_5DEC8A
		mov	eax, [edi]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5DEC44
		mov	ecx, [ebp+var_C]

loc_5DEC57:				; CODE XREF: MiMirrorVerify+8AC8Dj
		not	eax
		sub	edi, ecx
		bsf	eax, eax
		sar	edi, 2
		shl	edi, 5
		add	edi, eax
		cmp	edi, [ebp+var_4]
		ja	short loc_5DEC8A
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_5DEC8F

loc_5DEC70:				; CODE XREF: MiMirrorVerify+8ACDBj
		mov	edx, [ebp+var_8]

loc_5DEC73:				; CODE XREF: MiMirrorVerify+8AC5Ej
		cmp	[ebp+var_14], 0
		jz	short loc_5DEC8F
		lea	ecx, [esi+1]
		cmp	ecx, edx
		jbe	short loc_5DEC82
		mov	ecx, edx

loc_5DEC82:				; CODE XREF: MiMirrorVerify+8ACCCj
		dec	ecx
		xor	edi, edi
		jmp	loc_5DEBF9
; 

loc_5DEC8A:				; CODE XREF: MiMirrorVerify+8AC97j
					; MiMirrorVerify+8ACB7j
		or	edi, 0FFFFFFFFh
		jmp	short loc_5DEC70
; 

loc_5DEC8F:				; CODE XREF: MiMirrorVerify+8ACBCj
					; MiMirrorVerify+8ACC5j
		cmp	edi, esi
		jb	loc_5DEE0C
		cmp	edi, 0FFFFFFFFh
		jz	loc_5DEE0C
		mov	eax, ds:dword_6D305C
		cmp	eax, edi
		ja	short loc_5DECFC
		and	[ebp+var_8], 0

loc_5DECAD:				; CODE XREF: MiMirrorVerify+8AE4Aj
		mov	eax, ds:dword_6D305C
		sub	eax, edi
		mov	[ebp+var_4], eax

loc_5DECB7:				; CODE XREF: MiMirrorVerify+8AE55j
		mov	ecx, 1000h
		mov	eax, edi
		mul	ecx
		mov	esi, eax
		mov	ecx, edx
		mov	eax, [ebp+var_4]
		mov	edx, 1000h
		mul	edx
		push	edx
		push	eax
		mov	eax, [ebp+var_1C]
		push	ecx
		push	esi
		call	dword ptr [eax+0Ch]
		mov	[ebp+var_10], eax
		test	eax, eax
		js	loc_5DEE0F
		mov	esi, [ebp+var_8]
		add	esi, edi
		add	esi, [ebp+var_4]
		cmp	esi, ds:dword_6D305C
		jb	loc_5DEBDF
		jmp	loc_5DEE0F
; 

loc_5DECFC:				; CODE XREF: MiMirrorVerify+8ACF5j
		mov	ecx, ds:dword_6D3060
		dec	eax
		shr	eax, 5
		mov	edx, edi
		mov	[ebp+var_4], edx
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_C], eax
		mov	eax, edi
		shr	eax, 5
		lea	esi, [ecx+eax*4]
		cmp	esi, [ebp+var_C]
		jz	short loc_5DED59
		mov	ecx, edi
		and	ecx, 1Fh
		mov	[ebp+var_18], ecx
		mov	ecx, ds:dword_40BA68[ecx*4]
		or	ecx, [esi]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_5DED59
		sub	edx, [ebp+var_18]
		add	esi, 4
		mov	eax, [ebp+var_C]
		add	edx, 20h
		mov	[ebp+var_4], edx
		cmp	esi, eax
		jnb	short loc_5DED59

loc_5DED47:				; CODE XREF: MiMirrorVerify+8ADA2j
		cmp	dword ptr [esi], 0FFFFFFFFh
		jnz	short loc_5DED56
		add	esi, 4
		add	edx, 20h
		cmp	esi, eax
		jb	short loc_5DED47

loc_5DED56:				; CODE XREF: MiMirrorVerify+8AD98j
		mov	[ebp+var_4], edx

loc_5DED59:				; CODE XREF: MiMirrorVerify+8AD6Aj
					; MiMirrorVerify+8AD80j ...
		mov	ecx, ds:dword_6D305C
		cmp	edx, ecx
		jnb	short loc_5DED75

loc_5DED63:				; CODE XREF: MiMirrorVerify+8ADBEj
		mov	eax, ds:dword_6D3060
		bt	[eax], edx
		jnb	short loc_5DED72
		inc	edx
		cmp	edx, ecx
		jb	short loc_5DED63

loc_5DED72:				; CODE XREF: MiMirrorVerify+8ADB9j
		mov	[ebp+var_4], edx

loc_5DED75:				; CODE XREF: MiMirrorVerify+8ADAFj
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		cmp	esi, [ebp+var_C]
		jz	short loc_5DEDC6
		mov	ecx, [esi]
		mov	eax, edx
		and	eax, 1Fh
		mov	[ebp+var_18], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		jnz	short loc_5DEDC3
		push	20h
		pop	ecx
		sub	ecx, [ebp+var_18]
		mov	[ebp+var_8], ecx
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_5DEDF2
		add	esi, 4
		jmp	short loc_5DEDBC
; 

loc_5DEDA9:				; CODE XREF: MiMirrorVerify+8AE0Dj
		cmp	dword ptr [esi], 0
		jnz	short loc_5DEDC6
		add	ecx, 20h
		add	esi, 4
		mov	[ebp+var_8], ecx
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_5DEDF2

loc_5DEDBC:				; CODE XREF: MiMirrorVerify+8ADF5j
		cmp	esi, [ebp+var_C]
		jb	short loc_5DEDA9
		jmp	short loc_5DEDC6
; 

loc_5DEDC3:				; CODE XREF: MiMirrorVerify+8ADE2j
		mov	ecx, [ebp+var_8]

loc_5DEDC6:				; CODE XREF: MiMirrorVerify+8ADCBj
					; MiMirrorVerify+8ADFAj ...
		mov	eax, ds:dword_6D305C
		lea	esi, [ecx+edx]
		cmp	esi, eax
		jnb	short loc_5DEDEF
		mov	edx, eax

loc_5DEDD4:				; CODE XREF: MiMirrorVerify+8AE35j
		mov	eax, ds:dword_6D3060
		bt	[eax], esi
		jb	short loc_5DEDE9
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_5DEDE9
		inc	esi
		inc	ecx
		cmp	esi, edx
		jb	short loc_5DEDD4

loc_5DEDE9:				; CODE XREF: MiMirrorVerify+8AE2Aj
					; MiMirrorVerify+8AE2Fj
		mov	edx, [ebp+var_4]
		mov	[ebp+var_8], ecx

loc_5DEDEF:				; CODE XREF: MiMirrorVerify+8AE1Ej
		cmp	ecx, 0FFFFFFFFh

loc_5DEDF2:				; CODE XREF: MiMirrorVerify+8ADF0j
					; MiMirrorVerify+8AE08j
		jbe	short loc_5DEDFA
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_8], ecx

loc_5DEDFA:				; CODE XREF: MiMirrorVerify:loc_5DEDF2j
		test	ecx, ecx
		jz	loc_5DECAD
		sub	edx, edi
		mov	[ebp+var_4], edx
		jmp	loc_5DECB7
; 

loc_5DEE0C:				; CODE XREF: MiMirrorVerify+8ACDFj
					; MiMirrorVerify+8ACE8j
		mov	eax, [ebp+var_10]

loc_5DEE0F:				; CODE XREF: MiMirrorVerify+8AD2Bj
					; MiMirrorVerify+8AD45j
		pop	edi
		pop	esi
		leave
		retn
; END OF FUNCTION CHUNK	FOR MiMirrorVerify
; 
; START	OF FUNCTION CHUNK FOR MiMirrorPerformBrownWrites

loc_5DEE13:				; CODE XREF: MiMirrorPerformBrownWrites+62j
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_C], esi

loc_5DEE19:				; CODE XREF: MiMirrorPerformBrownWrites+27Dj
		test	edx, edx
		jz	loc_554094
		mov	eax, [ebp+var_2C]
		lea	ecx, [edi+1]
		cmp	ecx, eax
		jbe	short loc_5DEE2D
		mov	ecx, eax

loc_5DEE2D:				; CODE XREF: MiMirrorPerformBrownWrites+8AE53j
		mov	esi, [ebp+var_24]
		dec	ecx
		xor	eax, eax
		mov	edx, eax
		jmp	loc_554027
; 

loc_5DEE3A:				; CODE XREF: MiMirrorPerformBrownWrites+D6j
		xor	eax, eax
		mov	[ebp+var_8], eax

loc_5DEE3F:				; CODE XREF: MiMirrorPerformBrownWrites+1B2j
		mov	edi, ds:dword_6D305C
		jmp	loc_55418E
; 

loc_5DEE4A:				; CODE XREF: MiMirrorPerformBrownWrites:loc_554180j
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_8], ecx
		jmp	loc_554186
; 

loc_5DEE55:				; CODE XREF: MiMirrorPerformBrownWrites+1C6j
		cmp	[ebp+var_18], 1
		jnz	loc_5DEEFB
		mov	eax, ds:dword_6D3068
		mov	ecx, esi
		shr	ecx, 5
		mov	[ebp+var_2C], edi
		lea	edx, [eax+ecx*4]
		mov	ecx, esi
		and	ecx, 1Fh
		mov	[ebp+var_14], edx
		mov	[ebp+var_24], ecx
		lea	eax, [ecx+edi]
		cmp	eax, 20h
		ja	short loc_5DEE9E
		cmp	edi, 20h
		jnz	short loc_5DEE8F
		mov	dword ptr [edx], 0FFFFFFFFh
		jmp	short loc_5DEEF1
; 

loc_5DEE8F:				; CODE XREF: MiMirrorPerformBrownWrites+8AEAFj
		xor	eax, eax
		mov	ecx, edi
		inc	eax
		shl	eax, cl
		mov	ecx, [ebp+var_24]
		dec	eax
		shl	eax, cl
		jmp	short loc_5DEEEE
; 

loc_5DEE9E:				; CODE XREF: MiMirrorPerformBrownWrites+8AEAAj
		test	ecx, ecx
		jz	short loc_5DEEC6
		push	20h
		xor	eax, eax
		pop	edx
		sub	edx, ecx
		inc	eax
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [ebp+var_24]
		dec	eax
		shl	eax, cl
		mov	ecx, [ebp+var_14]
		lock or	[ecx], eax
		mov	ecx, edi
		sub	ecx, edx
		mov	edx, [ebp+var_14]
		add	edx, 4
		jmp	short loc_5DEEC9
; 

loc_5DEEC6:				; CODE XREF: MiMirrorPerformBrownWrites+8AECAj
		mov	ecx, [ebp+var_2C]

loc_5DEEC9:				; CODE XREF: MiMirrorPerformBrownWrites+8AEEEj
		cmp	ecx, 20h
		jb	short loc_5DEEE4
		mov	eax, ecx
		shr	eax, 5

loc_5DEED3:				; CODE XREF: MiMirrorPerformBrownWrites+8AF0Cj
		mov	dword ptr [edx], 0FFFFFFFFh
		sub	ecx, 20h
		add	edx, 4
		sub	eax, 1
		jnz	short loc_5DEED3

loc_5DEEE4:				; CODE XREF: MiMirrorPerformBrownWrites+8AEF6j
		test	ecx, ecx
		jz	short loc_5DEEF1
		xor	eax, eax
		inc	eax
		shl	eax, cl
		dec	eax

loc_5DEEEE:				; CODE XREF: MiMirrorPerformBrownWrites+8AEC6j
		lock or	[edx], eax

loc_5DEEF1:				; CODE XREF: MiMirrorPerformBrownWrites+8AEB7j
					; MiMirrorPerformBrownWrites+8AF10j
		add	esi, [ebp+var_8]
		add	esi, edi
		jmp	loc_5541DE
; 

loc_5DEEFB:				; CODE XREF: MiMirrorPerformBrownWrites+8AE83j
		mov	eax, 100h
		cmp	edi, eax
		jbe	short loc_5DEF06
		mov	edi, eax

loc_5DEF06:				; CODE XREF: MiMirrorPerformBrownWrites+8AF2Cj
		or	[ebp+var_14], 0FFFFFFFFh
		xor	eax, eax
		mov	[ebp+var_8], eax
		imul	eax, esi, 1Ch
		mov	[ebp+var_10], esi
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_2C], eax
		imul	eax, edi, 1Ch
		mov	edi, [ebp+var_2C]
		add	eax, edi
		mov	[ebp+var_34], eax
		lea	eax, [edi+10h]
		mov	[ebp+var_C], eax

loc_5DEF2F:				; CODE XREF: MiMirrorPerformBrownWrites+8B084j
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+var_C]
		mov	dl, al
		xor	eax, eax
		mov	byte ptr [ebp+var_4+3],	dl
		cmp	[ecx+4], ax
		jnz	loc_5DF034
		mov	al, [ecx+6]
		and	al, 7
		sub	al, 2
		cmp	al, 2
		ja	loc_5DF034
		xor	edx, edx
		mov	ecx, edi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		xor	edx, edx
		mov	ecx, edi
		test	eax, eax
		jz	loc_5DF070
		mov	eax, [ebp+var_C]
		and	dword ptr [eax], 0C0000000h
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		test	eax, eax
		jz	loc_5DF062
		mov	eax, ds:dword_6D3068
		mov	ecx, esi
		shr	ecx, 5
		xor	edx, edx
		inc	edx
		lea	eax, [eax+ecx*4]
		mov	ecx, esi
		and	ecx, 1Fh
		mov	[ebp+var_10], eax
		mov	[ebp+var_2C], ecx
		lea	eax, [ecx+1]
		cmp	eax, 20h
		ja	short loc_5DEFB0
		xor	eax, eax
		inc	eax
		shl	eax, cl
		not	eax
		jmp	short loc_5DF00B
; 

loc_5DEFB0:				; CODE XREF: MiMirrorPerformBrownWrites+8AFCFj
		test	ecx, ecx
		jz	short loc_5DF004
		push	20h
		xor	eax, eax
		pop	edx
		sub	edx, ecx
		inc	eax
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [ebp+var_2C]
		dec	eax
		shl	eax, cl
		mov	ecx, [ebp+var_10]
		not	eax
		lock and [ecx],	eax
		xor	eax, eax
		add	ecx, 4
		inc	eax
		mov	[ebp+var_10], ecx
		sub	eax, edx
		mov	[ebp+var_24], eax
		cmp	eax, 20h
		jb	short loc_5DEFFD
		mov	edx, eax
		shr	edx, 5

loc_5DEFE6:				; CODE XREF: MiMirrorPerformBrownWrites+8B01Fj
		mov	dword ptr [ecx], 0
		sub	eax, 20h
		add	ecx, 4
		sub	edx, 1
		jnz	short loc_5DEFE6
		mov	[ebp+var_10], ecx
		mov	[ebp+var_24], eax

loc_5DEFFD:				; CODE XREF: MiMirrorPerformBrownWrites+8B009j
		test	eax, eax
		jz	short loc_5DF011
		mov	edx, [ebp+var_24]

loc_5DF004:				; CODE XREF: MiMirrorPerformBrownWrites+8AFDCj
		or	eax, 0FFFFFFFFh
		mov	ecx, edx
		shl	eax, cl

loc_5DF00B:				; CODE XREF: MiMirrorPerformBrownWrites+8AFD8j
		mov	ecx, [ebp+var_10]
		lock and [ecx],	eax

loc_5DF011:				; CODE XREF: MiMirrorPerformBrownWrites+8B029j
		mov	eax, [ebp+var_C]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_14]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_5DF04C
		mov	eax, esi
		mov	[ebp+var_14], eax
		jmp	short loc_5DF04C
; 

loc_5DF034:				; CODE XREF: MiMirrorPerformBrownWrites+8AF6Ej
					; MiMirrorPerformBrownWrites+8AF7Dj
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_14]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_5DF09C

loc_5DF04C:				; CODE XREF: MiMirrorPerformBrownWrites+8B055j
					; MiMirrorPerformBrownWrites+8B05Cj
		add	[ebp+var_C], 1Ch
		add	edi, 1Ch
		inc	esi
		mov	[ebp+var_10], esi
		cmp	edi, [ebp+var_34]
		jb	loc_5DEF2F
		jmp	short loc_5DF093
; 

loc_5DF062:				; CODE XREF: MiMirrorPerformBrownWrites+8AFA8j
		mov	edx, esi
		mov	ecx, edi
		call	MiPfnReferenceCountIsZero
		lea	eax, [edi+10h]
		jmp	short loc_5DF078
; 

loc_5DF070:				; CODE XREF: MiMirrorPerformBrownWrites+8AF92j
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)
		mov	eax, [ebp+var_C]

loc_5DF078:				; CODE XREF: MiMirrorPerformBrownWrites+8B098j
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_14]
		mov	[ebp+var_18], 1

loc_5DF093:				; CODE XREF: MiMirrorPerformBrownWrites+8B08Aj
		cmp	eax, 0FFFFFFFFh
		jz	loc_5541E1

loc_5DF09C:				; CODE XREF: MiMirrorPerformBrownWrites+8B074j
		mov	edi, [ebp+var_10]
		mov	esi, eax
		sub	edi, eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_14], edi
		jmp	loc_5541A2
; 

loc_5DF0AE:				; CODE XREF: MiMirrorPerformBrownWrites+1F6j
		imul	ecx, [ebp+var_C], 1Ch
		imul	eax, edi, 1Ch
		mov	esi, ecx
		mov	[ebp+var_3C], ecx
		add	esi, ds:_MmPfnDatabase
		add	eax, esi
		mov	[ebp+var_3C], eax
		mov	edi, eax

loc_5DF0C7:				; CODE XREF: MiMirrorPerformBrownWrites+8B11Bj
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, esi
		mov	byte ptr [ebp+var_4+3],	al
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		lea	ecx, [esi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		add	esi, 1Ch
		cmp	esi, edi
		jb	short loc_5DF0C7
		mov	edi, [ebp+var_14]
		mov	eax, [ebp+var_20]
		jmp	loc_5541D2
; END OF FUNCTION CHUNK	FOR MiMirrorPerformBrownWrites
; 
; START	OF FUNCTION CHUNK FOR MiMirrorPerformBlackWrites

loc_5DF0FE:				; CODE XREF: MiMirrorPerformBlackWrites+1Fj
		xor	esi, esi
		mov	[ebp+var_4], esi
		jmp	loc_55428A
; 

loc_5DF108:				; CODE XREF: MiMirrorPerformBlackWrites+47j
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_10], esi

loc_5DF10E:				; CODE XREF: MiMirrorPerformBlackWrites+261j
		cmp	[ebp+var_4], 0
		jz	loc_554306
		lea	edx, [edi+1]
		cmp	edx, ecx
		jbe	short loc_5DF121
		mov	edx, ecx

loc_5DF121:				; CODE XREF: MiMirrorPerformBlackWrites+8AEBDj
		dec	edx
		xor	esi, esi
		mov	[ebp+var_4], esi
		jmp	loc_554295
; 

loc_5DF12C:				; CODE XREF: MiMirrorPerformBlackWrites+BEj
		mov	[ebp+var_8], 0
		jmp	loc_5544D2
; 

loc_5DF138:				; CODE XREF: MiMirrorPerformBlackWrites+E3j
		mov	eax, edi
		jmp	loc_554368
; 

loc_5DF13F:				; CODE XREF: MiMirrorPerformBlackWrites:loc_5543D4j
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_8], edi
		jmp	loc_5543DA
; 

loc_5DF14A:				; CODE XREF: MiMirrorPerformBlackWrites+A8j
					; MiMirrorPerformBlackWrites+B1j
		mov	eax, [ebp+var_14]
		jmp	loc_554425
; END OF FUNCTION CHUNK	FOR MiMirrorPerformBlackWrites
; 
; START	OF FUNCTION CHUNK FOR MiMirrorGatherBrownPages

loc_5DF152:				; CODE XREF: MiMirrorGatherBrownPages+41j
		imul	esi, ecx, 14h
		add	esi, [edx+edi*4+540h]
		jmp	loc_554529
; 

loc_5DF161:				; CODE XREF: MiMirrorGatherBrownPages+127j
		imul	eax, ebx, 14h
		lea	esi, [edx+880h]
		add	esi, eax
		jmp	loc_55453B
; 

loc_5DF171:				; CODE XREF: MiMirrorGatherBrownPages+8Dj
		mov	ecx, [edx+ebx+8]
		mov	eax, ds:dword_6D0700
		mov	edx, [edx+ebx+0Ch]
		mov	ebx, ds:dword_6D0704
		mov	[ebp+var_18], eax
		or	eax, ebx
		jz	short loc_5DF1A0
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_5DF1A0
		mov	eax, [ebp+var_18]
		not	ebx
		not	eax
		and	ecx, eax
		and	edx, ebx

loc_5DF1A0:				; CODE XREF: MiMirrorGatherBrownPages+8ACA7j
					; MiMirrorGatherBrownPages+8ACB1j
		shrd	ecx, edx, 0Ch
		and	ecx, 3FFFFFFh
		cmp	ecx, esi
		jz	short loc_5DF1CD
		mov	edi, [ebp+var_10]

loc_5DF1B1:				; CODE XREF: MiMirrorGatherBrownPages+8ACE6j
		imul	esi, ecx, 1Ch
		xor	eax, eax
		lea	edx, [eax+1]
		add	esi, ds:_MmPfnDatabase
		call	MiMirrorAddPagesToBrownList
		mov	ecx, [esi]
		cmp	ecx, edi
		jnz	short loc_5DF1B1
		mov	edi, [ebp+arg_0]

loc_5DF1CD:				; CODE XREF: MiMirrorGatherBrownPages+8ACCAj
		mov	ebx, [ebp+var_C]
		jmp	loc_554581
; 

loc_5DF1D5:				; CODE XREF: MiMirrorGatherBrownPages+BAj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5545C4
; 

loc_5DF1E5:				; CODE XREF: MiMirrorGatherBrownPages+DCj
		lea	ecx, [ebp+var_2C]
		call	KxWaitForLockChainValid

loc_5DF1ED:				; CODE XREF: MiMirrorGatherBrownPages+C5j
		xor	ecx, ecx
		mov	[ebp+var_2C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_5545C4
; 

loc_5DF202:				; CODE XREF: MiMirrorGatherBrownPages+F0j
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_4]
		inc	ecx
		mov	[ebp+var_8], ecx
		cmp	ecx, ds:dword_6D06D4
		jnb	short loc_5DF21A
		dec	edi
		jmp	loc_554612
; 

loc_5DF21A:				; CODE XREF: MiMirrorGatherBrownPages+8AD30j
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		cmp	edi, eax
		jnz	loc_554612
		push	ecx
		mov	ecx, [ebp+var_20]
		call	_MiMirrorNodeLargePages@12 ; MiMirrorNodeLargePages(x,x,x)
		jmp	loc_5545F9
; 

loc_5DF235:				; CODE XREF: MiMirrorGatherBrownPages+105j
		xor	ecx, ecx
		lea	edi, [ecx+1]
		jmp	loc_5545ED
; 

loc_5DF23F:				; CODE XREF: MiMirrorGatherBrownPages+204j
		inc	ebx
		mov	[ebp+arg_4], ebx
		cmp	ebx, 4
		jz	loc_554612
		push	2
		pop	edi
		jmp	loc_554612
; 

loc_5DF254:				; CODE XREF: MiMirrorGatherBrownPages+17Dj
					; MiMirrorGatherBrownPages+8AD8Bj
		imul	esi, eax, 1Ch
		mov	edx, ebx
		mov	ecx, eax
		add	esi, ds:_MmPfnDatabase
		call	MiMirrorAddPagesToBrownList
		mov	eax, [esi]
		cmp	eax, offset loc_7FFFFF
		jnz	short loc_5DF254
		jmp	loc_554665
; 

loc_5DF274:				; CODE XREF: MiMirrorGatherBrownPages+18Aj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_554694
; 

loc_5DF284:				; CODE XREF: MiMirrorGatherBrownPages+1ACj
		lea	ecx, [ebp+var_2C]
		call	KxWaitForLockChainValid

loc_5DF28C:				; CODE XREF: MiMirrorGatherBrownPages+195j
		mov	[ebp+var_2C], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_554694
; END OF FUNCTION CHUNK	FOR MiMirrorGatherBrownPages
; 
; START	OF FUNCTION CHUNK FOR MiMirrorAddPagesToBrownList

loc_5DF29E:				; CODE XREF: MiMirrorAddPagesToBrownList+2Aj
		test	ebx, ebx
		jz	short loc_5DF2C2
		push	20h
		xor	eax, eax
		pop	edx
		sub	edx, ebx
		inc	eax
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, ebx
		dec	eax
		shl	eax, cl
		not	eax
		lock and [esi],	eax
		mov	ecx, edi
		sub	ecx, edx
		mov	edx, [ebp+var_4]
		add	esi, 4

loc_5DF2C2:				; CODE XREF: MiMirrorAddPagesToBrownList+8ABB4j
		cmp	ecx, 20h
		jb	short loc_5DF2DD
		mov	eax, ecx
		shr	eax, 5

loc_5DF2CC:				; CODE XREF: MiMirrorAddPagesToBrownList+8ABEFj
		mov	dword ptr [esi], 0
		sub	ecx, 20h
		add	esi, 4
		sub	eax, 1
		jnz	short loc_5DF2CC

loc_5DF2DD:				; CODE XREF: MiMirrorAddPagesToBrownList+8ABD9j
		test	ecx, ecx
		jz	loc_554730
		or	eax, 0FFFFFFFFh
		shl	eax, cl
		jmp	loc_55472D
; END OF FUNCTION CHUNK	FOR MiMirrorAddPagesToBrownList
; 
; START	OF FUNCTION CHUNK FOR MiMirrorDiscardPageContents

loc_5DF2EF:				; CODE XREF: MiMirrorDiscardPageContents+2Aj
					; MiMirrorDiscardPageContents+8ABD6j
		mov	eax, [edx+4]
		mov	esi, edx
		mov	byte ptr [edx+26h], 1
		test	eax, eax
		jz	short loc_5DF316
		mov	edx, eax
		mov	esi, [edx]
		test	esi, esi
		jz	short loc_5DF31E

loc_5DF304:				; CODE XREF: MiMirrorDiscardPageContents+8ABC2j
		mov	eax, [esi]
		mov	edx, esi
		mov	esi, eax
		test	eax, eax
		jnz	short loc_5DF304
		jmp	short loc_5DF31E
; 

loc_5DF310:				; CODE XREF: MiMirrorDiscardPageContents+8ABD2j
		cmp	[edx], esi
		jz	short loc_5DF31E
		mov	esi, edx

loc_5DF316:				; CODE XREF: MiMirrorDiscardPageContents+8ABB0j
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		jnz	short loc_5DF310

loc_5DF31E:				; CODE XREF: MiMirrorDiscardPageContents+8ABB8j
					; MiMirrorDiscardPageContents+8ABC4j ...
		test	edx, edx
		jnz	short loc_5DF2EF
		pop	esi
		jmp	loc_55475B
; 

loc_5DF328:				; CODE XREF: MiMirrorDiscardPageContents+1Cj
		mov	eax, [ecx+4]
		mov	edx, ecx
		mov	byte ptr [ecx+26h], 1
		test	eax, eax
		jz	short loc_5DF35A
		mov	ecx, eax
		mov	edx, [ecx]
		test	edx, edx
		jz	loc_554764

loc_5DF341:				; CODE XREF: MiMirrorDiscardPageContents+8ABFFj
		mov	eax, [edx]
		mov	ecx, edx
		mov	edx, eax
		test	eax, eax
		jnz	short loc_5DF341
		jmp	loc_554764
; 

loc_5DF350:				; CODE XREF: MiMirrorDiscardPageContents+8AC16j
		cmp	[ecx], edx
		jz	loc_554764
		mov	edx, ecx

loc_5DF35A:				; CODE XREF: MiMirrorDiscardPageContents+8ABE9j
		mov	ecx, [ecx+8]
		and	ecx, 0FFFFFFFCh
		jnz	short loc_5DF350
		jmp	loc_554764
; END OF FUNCTION CHUNK	FOR MiMirrorDiscardPageContents
; 
; START	OF FUNCTION CHUNK FOR IoGetDumpStackTransferSizes

loc_5DF367:				; CODE XREF: IoGetDumpStackTransferSizes+7j
					; IoGetDumpStackTransferSizes+14j
		test	ecx, ecx
		jz	short loc_5DF371
		mov	dword ptr [ecx], 1000h

loc_5DF371:				; CODE XREF: IoGetDumpStackTransferSizes+8AB9Fj
		test	edx, edx
		jz	locret_5547E8
		mov	dword ptr [edx], 10000h
		retn
; END OF FUNCTION CHUNK	FOR IoGetDumpStackTransferSizes
; 
; START	OF FUNCTION CHUNK FOR MiFlushAllPages

loc_5DF380:				; CODE XREF: MiFlushAllPages+5Cj
		mov	eax, [esi+2C0h]
		test	eax, eax
		jz	loc_55484C
		mov	esi, [esi+30Ch]
		lea	eax, [esp+38h+var_1C]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		lea	ecx, [esi+240h]
		xor	edx, edx
		call	MiEmptyWorkingSetPrivatePagesByVa
		xor	edx, edx
		lea	ecx, [esp+38h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		push	[esp+38h+var_2C]
		mov	ecx, [esp+3Ch+var_20]
		xor	edx, edx
		push	[esp+3Ch+var_28]
		push	[esp+40h+var_24]
		push	edi
		call	MiFlushAllPagesWorker
		jmp	loc_55484C
; END OF FUNCTION CHUNK	FOR MiFlushAllPages
; 
; START	OF FUNCTION CHUNK FOR BiSetFirmwareModified

loc_5DF3D7:				; CODE XREF: BiSetFirmwareModified+15j
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		push	(offset	off_5A7454+2)
		call	BiSetRegistryValue
		leave
		retn
; END OF FUNCTION CHUNK	FOR BiSetFirmwareModified
; 
; START	OF FUNCTION CHUNK FOR BiWasFirmwareModified

loc_5DF3EB:				; CODE XREF: BiWasFirmwareModified+2Cj
		mov	eax, [ebp+var_4]
		push	4B444342h
		push	eax
		mov	esi, [eax]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		setnz	bl
		jmp	loc_558FDA
; END OF FUNCTION CHUNK	FOR BiWasFirmwareModified
; 
; START	OF FUNCTION CHUNK FOR MiPurgePartitionStandby

loc_5DF405:				; CODE XREF: MiPurgePartitionStandby+3Ej
					; MiPurgePartitionStandby+8A796j
		lea	ecx, [esp+20h+var_C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5DF405
		jmp	loc_554CB5
; END OF FUNCTION CHUNK	FOR MiPurgePartitionStandby
; 
; START	OF FUNCTION CHUNK FOR MiComputeNextWalkPte

loc_5DF419:				; CODE XREF: MiComputeNextWalkPte+1Cj
		cmp	eax, 0C07FFFFFh
		ja	loc_554D30
		mov	ecx, eax
		jmp	loc_554D3B
; END OF FUNCTION CHUNK	FOR MiComputeNextWalkPte
; 
; START	OF FUNCTION CHUNK FOR PopCompleteNotifyTransitionCommon

loc_5DF42B:				; CODE XREF: PopCompleteNotifyTransitionCommon+109j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_5DF43E
		cmp	byte ptr [ebx],	3
		jnz	short loc_5DF43E
		mov	edx, esi
		call	_PopDiagTraceDriverVeto@8 ; PopDiagTraceDriverVeto(x,x)

loc_5DF43E:				; CODE XREF: PopCompleteNotifyTransitionCommon+8A696j
					; PopCompleteNotifyTransitionCommon+8A69Bj
		test	edi, edi
		jns	loc_554EA9
		cmp	byte ptr [ebx+102h], 0
		jnz	loc_554EA9
		cmp	edi, 0C00000BBh
		jnz	short loc_5DF468
		cmp	byte ptr [ebx+103h], 0
		jnz	loc_554EA9

loc_5DF468:				; CODE XREF: PopCompleteNotifyTransitionCommon+8A6BFj
		cmp	dword ptr [ebx+0F8h], 0
		jl	loc_554EA9
		mov	[ebx+0F8h], edi
		mov	eax, [esi+20h]
		mov	[ebx+0FCh], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1], al
		jmp	loc_554EA9
; 

loc_5DF48F:				; CODE XREF: PopCompleteNotifyTransitionCommon+116j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_554ED8
; 

loc_5DF49F:				; CODE XREF: PopCompleteNotifyTransitionCommon+14Bj
		push	0
		push	0
		push	dword ptr [ebx+10h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_554EF2
; END OF FUNCTION CHUNK	FOR PopCompleteNotifyTransitionCommon
; 
; START	OF FUNCTION CHUNK FOR PopPrepChildWake

loc_5DF4B0:				; CODE XREF: PopPrepChildWake+Cj
		mov	eax, [ecx+188h]
		test	eax, 30000h
		jz	loc_55510F
		jmp	loc_5550D2
; 

loc_5DF4C6:				; CODE XREF: PopPrepChildWake+68j
		mov	eax, [ecx+188h]
		test	eax, 30000h
		jz	loc_555134
		jmp	loc_55512E
; 

loc_5DF4DC:				; CODE XREF: PopPrepChildWake+CAj
		mov	eax, [ecx+188h]
		test	eax, 30000h
		jnz	loc_555190
		xor	dl, dl
		jmp	loc_5551D9
; 

loc_5DF4F4:				; CODE XREF: PopPrepChildWake+15Dj
		push	edi
		lea	esi, [ebp+var_10]
		push	1
		mov	eax, esi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, esi
		mov	ds:_PopDeviceIdleSync, eax
		jmp	loc_555223
; 

loc_5DF50E:				; CODE XREF: PopPrepChildWake+16Fj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_55523A
; 

loc_5DF51B:				; CODE XREF: PopPrepChildWake+184j
		push	edi
		push	edi
		push	edi
		push	edi
		push	esi
		call	KeWaitForSingleObject
		jmp	loc_55524A
; END OF FUNCTION CHUNK	FOR PopPrepChildWake
; 
; START	OF FUNCTION CHUNK FOR PopResumeDeviceIdle

loc_5DF52A:				; CODE XREF: PopResumeDeviceIdle+29j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_555284
; END OF FUNCTION CHUNK	FOR PopResumeDeviceIdle
; 
; START	OF FUNCTION CHUNK FOR MiSessionUnlinkProcess

loc_5DF539:				; CODE XREF: MiSessionUnlinkProcess+46j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5554DE
; 

loc_5DF549:				; CODE XREF: MiSessionUnlinkProcess+68j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5DF551:				; CODE XREF: MiSessionUnlinkProcess+51j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_5554DE
; 

loc_5DF566:				; CODE XREF: MiSessionUnlinkProcess+A1j
					; MiSessionUnlinkProcess+A8j
		test	ds:byte_70EFC4,	41h
		jz	short loc_5DF583
		push	edi
		push	esi
		push	[ebp+var_4]
		mov	edx, 200h
		mov	ecx, 0E22h
		call	_EtwTracePool@20 ; EtwTracePool(x,x,x,x,x)

loc_5DF583:				; CODE XREF: MiSessionUnlinkProcess+8A0FDj
		movzx	eax, large byte	ptr fs:51h
		mov	edx, ds:_PoolTrackTableMask
		mov	[ebp+var_10], edx
		mov	ebx, ds:_ExPoolTagTables[eax*4]
		mov	eax, [ebp+var_4]
		movzx	ecx, al
		shl	ecx, 2
		movzx	eax, ah
		xor	ecx, eax
		mov	[ebp+var_1C], ebx
		movzx	eax, byte ptr [ebp+var_4+2]
		shl	ecx, 2
		xor	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		shl	ecx, 2
		xor	ecx, eax
		imul	ecx, 9E5Fh
		sar	ecx, 2
		and	ecx, edx
		mov	[ebp+var_14], ecx
		jmp	loc_55551D
; 

loc_5DF5D1:				; CODE XREF: MiSessionUnlinkProcess+BFj
		cmp	[ebp+var_8], 0
		jnz	short loc_5DF5EE
		mov	eax, ds:_PoolTrackTable
		mov	eax, [edx+eax]
		test	eax, eax
		jz	short loc_5DF5EB
		mov	[edx+ebx], eax
		jmp	loc_55551D
; 

loc_5DF5EB:				; CODE XREF: MiSessionUnlinkProcess+8A171j
		mov	eax, [ebp+var_4]

loc_5DF5EE:				; CODE XREF: MiSessionUnlinkProcess+8A165j
		inc	ecx
		and	ecx, [ebp+var_10]
		cmp	ecx, [ebp+var_14]
		jnz	loc_55551D
		push	200h
		mov	edx, edi
		mov	ecx, eax
		call	ExpRemovePoolTrackerExpansion
		jmp	loc_555571
; END OF FUNCTION CHUNK	FOR MiSessionUnlinkProcess
; 
; START	OF FUNCTION CHUNK FOR RtlpHpHeapDestroy

loc_5DF60E:				; CODE XREF: RtlpHpHeapDestroy+21j
		test	eax, eax
		jz	short loc_5DF619
		xor	eax, esi
		jmp	loc_555637
; 

loc_5DF619:				; CODE XREF: RtlpHpHeapDestroy+8A000j
		xor	eax, eax
		jmp	loc_555637
; 

loc_5DF620:				; CODE XREF: RtlpHpHeapDestroy+6Ej
		test	edi, edi
		jz	loc_555684
		xor	edi, eax
		jmp	loc_555684
; END OF FUNCTION CHUNK	FOR RtlpHpHeapDestroy
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegSegmentFree

loc_5DF62F:				; CODE XREF: RtlpHpSegSegmentFree+4Aj
		cmp	eax, 7FFFFFFFh
		jnz	loc_5557F4
		mov	edx, ebx
		mov	ecx, edi
		call	_RtlpHpSegSegmentComputeCommit@8 ; RtlpHpSegSegmentComputeCommit(x,x)
		jmp	loc_5557F4
; END OF FUNCTION CHUNK	FOR RtlpHpSegSegmentFree
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegMgrRelease

loc_5DF648:				; CODE XREF: RtlpHpSegMgrRelease+2Bj
		cmp	edi, 200000h
		jnb	short loc_5DF68C
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jle	short loc_5DF66C
		push	0		; int
		push	4000h		; int
		neg	eax
		shr	edi, 0Ch
		push	eax		; int
		push	edi		; size_t
		push	0		; int
		call	RtlpHpSegMgrCommit

loc_5DF66C:				; CODE XREF: RtlpHpSegMgrRelease+89E4Dj
		lea	eax, [esp+20h+var_10]
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	_RtlpHpSegMgrVaCtxFree@12 ; RtlpHpSegMgrVaCtxFree(x,x,x)
		mov	ebx, eax
		mov	[esp+20h+var_8], ebx
		test	ebx, ebx
		jz	loc_555855
		mov	edi, [esp+20h+var_10]

loc_5DF68C:				; CODE XREF: RtlpHpSegMgrRelease+89E46j
		push	dword ptr [esi+20h]
		lea	edx, [esp+24h+var_C]
		mov	ecx, ebx
		push	dword ptr [esi+1Ch]
		push	0
		call	_RtlpHpQueryVA@20 ; RtlpHpQueryVA(x,x,x,x,x)
		mov	eax, [esp+20h+var_C]
		shr	edi, 15h
		lea	ecx, [eax+edi*2]
		xor	edi, edi
		mov	[esp+20h+var_4], ecx
		cmp	eax, ecx
		jmp	short loc_5DF6EE
; 

loc_5DF6B3:				; CODE XREF: RtlpHpSegMgrRelease+89EEAj
		movzx	ecx, word ptr [eax]
		test	ecx, 7FFh
		jz	short loc_5DF6E1
		push	0		; int
		and	ecx, 7FFh
		mov	edx, ebx
		push	4000h		; int
		neg	ecx
		push	ecx		; int
		push	200h		; size_t
		push	edi		; int
		mov	ecx, esi
		call	RtlpHpSegMgrCommit
		mov	eax, [esp+20h+var_C]

loc_5DF6E1:				; CODE XREF: RtlpHpSegMgrRelease+89EB4j
		add	eax, 2
		add	edi, 200h
		cmp	eax, [esp+20h+var_4]

loc_5DF6EE:				; CODE XREF: RtlpHpSegMgrRelease+89EA9j
		mov	[esp+20h+var_C], eax
		jb	short loc_5DF6B3
		jmp	loc_555839
; END OF FUNCTION CHUNK	FOR RtlpHpSegMgrRelease
; 
; START	OF FUNCTION CHUNK FOR RtlpHpLfhOwnerCleanup

loc_5DF6F9:				; CODE XREF: RtlpHpLfhOwnerCleanup+22j
		cmp	[eax+4], ecx
		jnz	loc_55594B
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_55594B
		mov	[edx], eax
		mov	[eax+4], edx
		lea	edx, [edi+0Ch]
		mov	eax, [edx]
		mov	esi, [edx+4]
		cmp	[eax+4], edx
		jnz	loc_55594B
		cmp	[esi], edx
		jnz	loc_55594B
		mov	ecx, [ecx]
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	loc_55594B
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_55594B
		mov	[esi], ecx
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		mov	eax, [ecx+4]
		mov	[eax], edx
		mov	[ecx+4], esi
		jmp	loc_5558FC
; END OF FUNCTION CHUNK	FOR RtlpHpLfhOwnerCleanup
; 
; START	OF FUNCTION CHUNK FOR MiFreeSessionSpaceMap

loc_5DF758:				; CODE XREF: MiFreeSessionSpaceMap+17j
		push	ecx
		push	ecx
		push	dword ptr [eax+7Ch]
		push	dword ptr [eax+8]
		push	0BAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5DF76B:				; CODE XREF: MiUnlinkSessionWorkingSet+36j
		mov	edx, [ebp+4]
		lea	ecx, [ebp-0Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5559CC
; END OF FUNCTION CHUNK	FOR MiFreeSessionSpaceMap
; 
; START	OF FUNCTION CHUNK FOR MiUnlinkSessionWorkingSet

loc_5DF77B:				; CODE XREF: MiUnlinkSessionWorkingSet+58j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5DF783:				; CODE XREF: MiUnlinkSessionWorkingSet+41j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_5559CC
; END OF FUNCTION CHUNK	FOR MiUnlinkSessionWorkingSet
; 
; START	OF FUNCTION CHUNK FOR MiMarkSessionDeletePending

loc_5DF798:				; CODE XREF: MiMarkSessionDeletePending+2Bj
		xor	eax, eax
		mov	byte ptr [esi+40h], 7
		inc	eax
		mov	byte ptr [esi+42h], 4
		mov	[esi+41h], al
		mov	ebx, offset unk_6D05DC
		lea	eax, [esi+48h]
		mov	[esi+44h], edi
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	ds:dword_6D05EC, edi
		jnz	short loc_5DF7C4
		push	ebx
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_5DF7C4:				; CODE XREF: MiMarkSessionDeletePending+89DE2j
		inc	ds:dword_6D05EC
		test	ds:byte_70EFC6,	1
		jz	short loc_5DF7E0
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5DF80B
; 

loc_5DF7E0:				; CODE XREF: MiMarkSessionDeletePending+89DF7j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5DF7FF
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5DF80B
		call	KxWaitForLockChainValid

loc_5DF7FF:				; CODE XREF: MiMarkSessionDeletePending+89E0Bj
		xor	ecx, ecx
		mov	[ebp+var_C], edi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5DF80B:				; CODE XREF: MiMarkSessionDeletePending+89E04j
					; MiMarkSessionDeletePending+89E1Ej
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ecx
		push	12h
		pop	edx
		lea	ecx, [esi+40h]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		sub	ds:dword_6D05EC, 1
		jnz	loc_555A43
		push	edi
		push	edi
		push	ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_555A43
; 

loc_5DF83A:				; CODE XREF: MiMarkSessionDeletePending+38j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_555A3A
; 

loc_5DF84A:				; CODE XREF: MiMarkSessionDeletePending+5Aj
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5DF852:				; CODE XREF: MiMarkSessionDeletePending+43j
		xor	ecx, ecx
		mov	[ebp+var_C], edi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_555A3A
; END OF FUNCTION CHUNK	FOR MiMarkSessionDeletePending
; 

loc_5DF863:				; CODE XREF: .text:00555B23j
		mov	ecx, [esi+48h]
		mov	edx, ecx
		mov	eax, [esi+3Ch]
		sub	edx, eax
		cmp	eax, ecx
		sbb	eax, eax
		and	eax, edx
		jmp	loc_555B4F
; 

loc_5DF878:				; CODE XREF: .text:00555B79j
		mov	ecx, esi
		call	_MiWorkingSetVeryLarge@4 ; MiWorkingSetVeryLarge(x)
		test	eax, eax
		jnz	loc_555B7F
		push	0Ah
		jmp	loc_555CCB
; 

loc_5DF88E:				; CODE XREF: .text:00555BBDj
		or	dword ptr [ebp-90h], 0FFFFFFFFh
		jmp	loc_555BC9
; 
; START	OF FUNCTION CHUNK FOR PipFindDependencyNodePath

loc_5DF89A:				; CODE XREF: PipFindDependencyNodePath+3Fj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_555D9C
; 

loc_5DF8A7:				; CODE XREF: PipFindDependencyNodePath+5Cj
		xor	ecx, ecx
		cmp	[ebp+var_4], 1
		setnz	cl
		inc	ecx
		mov	[eax], ecx
		jmp	locret_555DB7
; END OF FUNCTION CHUNK	FOR PipFindDependencyNodePath
; 
; START	OF FUNCTION CHUNK FOR PipDependencyGraphDepthFirstSearch

loc_5DF8B8:				; CODE XREF: PipDependencyGraphDepthFirstSearch+23j
		mov	ecx, esi
		mov	esi, [esi]
		push	eax
		mov	[ebp+arg_0], ecx
		push	edi
		mov	ecx, [ecx+10h]
		call	PipDependencyGraphDepthFirstSearch
		test	al, al
		jnz	short loc_5DF8D8
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_4]
		jmp	loc_555DDD
; 

loc_5DF8D8:				; CODE XREF: PipDependencyGraphDepthFirstSearch+89B0Fj
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		inc	dword ptr [edi]
		mov	eax, [eax+18h]
		mov	[ecx], eax
		mov	al, 1
		jmp	loc_555DE7
; END OF FUNCTION CHUNK	FOR PipDependencyGraphDepthFirstSearch

;  S U B	R O U T	I N E 


sub_5DF8EC	proc near		; CODE XREF: PopThermalSxExit+1Aj
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	(offset	loc_42532C+4)
		mov	ds:_PopThermalHibernateInitiated, bl
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		jmp	loc_555F38
sub_5DF8EC	endp

; 
; START	OF FUNCTION CHUNK FOR PopTraceThermalZonePassiveHistogram

loc_5DF907:				; CODE XREF: PopTraceThermalZonePassiveHistogram+2Bj
		xor	edi, edi
		jmp	loc_556030
; 

loc_5DF90E:				; CODE XREF: PopTraceThermalZonePassiveHistogram+87j
		lea	eax, [ebp+var_40]
		mov	[ebp+var_50], 2
		mov	[ebp+var_58], eax
		xor	ecx, ecx
		mov	eax, [edi+4Ch]
		mov	edx, ebx
		mov	[ebp+var_48], eax
		movzx	eax, word ptr [edi+48h]
		xor	edi, edi
		mov	[ebp+var_54], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_44], ecx
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], edi
		call	_tlgCreate1Sz_wchar_t
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_24], edi
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		push	edi
		push	edi
		push	offset loc_41E989
		push	offset dword_6B23F8
		mov	[ebp+var_20], 54h
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], offset _PopThermalTrackingThresholds
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 15h
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_556083
; END OF FUNCTION CHUNK	FOR PopTraceThermalZonePassiveHistogram
; 
; START	OF FUNCTION CHUNK FOR PopCoolingSxTransition

loc_5DF988:				; CODE XREF: PopCoolingSxTransition+6Fj
		cmp	byte ptr [esi+9], 0
		lea	ecx, [esi+18h]
		setz	dl
		call	_PopThermalUpdateActiveTimeTracking@8 ;	PopThermalUpdateActiveTimeTracking(x,x)
		mov	ecx, esi
		call	_PopTraceThermalRequestActiveActivity@4	; PopTraceThermalRequestActiveActivity(x)
		jmp	loc_556117
; END OF FUNCTION CHUNK	FOR PopCoolingSxTransition
; 
; START	OF FUNCTION CHUNK FOR PopTraceThermalRequestPassiveHistogram

loc_5DF9A3:				; CODE XREF: PopTraceThermalRequestPassiveHistogram+37j
		xor	eax, eax
		jmp	loc_55618E
; 

loc_5DF9AA:				; CODE XREF: PopTraceThermalRequestPassiveHistogram+D7j
		mov	ecx, [ebp+var_D8]
		lea	eax, [ebp+var_40]
		mov	edx, [ebp+var_D4]
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], ebx
		mov	eax, [ecx+4Ch]
		mov	[ebp+var_48], eax
		movzx	eax, word ptr [ecx+48h]
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_50], 2
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], ebx
		call	_tlgCreate1Sz_wchar_t
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_24], ebx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		push	ebx
		push	ebx
		push	offset loc_41E5D6
		push	offset dword_6B23F8
		mov	[ebp+var_20], 54h
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], offset _PopThermalTrackingThresholds
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], 15h
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_556225
; END OF FUNCTION CHUNK	FOR PopTraceThermalRequestPassiveHistogram
; 
; START	OF FUNCTION CHUNK FOR PoStoreDiagnosticContext

loc_5DFA2A:				; CODE XREF: PoStoreDiagnosticContext+34j
		test	al, al
		mov	eax, [ebp+var_8]
		jz	short loc_5DFA37
		and	dword ptr [esi+14h], 0
		mov	[esi], eax

loc_5DFA37:				; CODE XREF: PoStoreDiagnosticContext+897DBj
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		jmp	loc_5562CD
; END OF FUNCTION CHUNK	FOR PoStoreDiagnosticContext
; 
; START	OF FUNCTION CHUNK FOR PopTraceThermalZoneActiveActivity

loc_5DFA41:				; CODE XREF: PopTraceThermalZoneActiveActivity+39j
		xor	ebx, ebx
		jmp	loc_55638C
; 

loc_5DFA48:				; CODE XREF: PopTraceThermalZoneActiveActivity+76j
		cmp	ds:_PopThermalTelemetryVerbosity, 0
		jz	loc_5563F1
		jmp	loc_5563C0
; 

loc_5DFA5A:				; CODE XREF: PopTraceThermalZoneActiveActivity+A7j
		lea	eax, [ebp+var_60]
		mov	[ebp+var_70], 2
		mov	[ebp+var_78], eax
		xor	ecx, ecx
		mov	eax, [ebx+4Ch]
		mov	edx, edi
		mov	[ebp+var_68], eax
		movzx	eax, word ptr [ebx+48h]
		xor	ebx, ebx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_64], ecx
		lea	ecx, [ebp+var_58]
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], ebx
		call	_tlgCreate1Sz_wchar_t
		mov	eax, [ebp+var_C8]
		movzx	ecx, byte ptr [ebp+var_C1]
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_48], eax
		mov	eax, ecx
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_C1+1]
		mov	[ebp+var_28], eax
		mov	eax, ecx
		shl	eax, 2
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_98]
		push	eax
		push	9
		push	ebx
		push	ebx
		push	offset loc_41E655
		push	offset dword_6B23F8
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], 4
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], 2
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_D8], 1000000h
		mov	[ebp+var_D4], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_5563F1
; END OF FUNCTION CHUNK	FOR PopTraceThermalZoneActiveActivity
; 
; START	OF FUNCTION CHUNK FOR PopThermalStandbyEndTracking

loc_5DFB31:				; CODE XREF: PopThermalStandbyEndTracking+1Fj
		mov	ds:byte_6C1F95,	0
		call	KeQueryInterruptTime
		push	[ebp+var_4]
		sub	eax, ds:dword_6C1F98
		push	0
		sbb	edx, ds:dword_6C1F9C
		push	989680h
		push	edx
		push	eax
		call	__aulldiv
		mov	edx, eax
		mov	ecx, esi
		call	_PopTraceThermalStandbyComplete@12 ; PopTraceThermalStandbyComplete(x,x,x)
		jmp	loc_5564EB
; END OF FUNCTION CHUNK	FOR PopThermalStandbyEndTracking
; 
; START	OF FUNCTION CHUNK FOR MiComputeTrimAmount

loc_5DFB68:				; CODE XREF: MiComputeTrimAmount+31j
		cmp	byte ptr [edx+3], 3
		jb	loc_55661C
		test	byte ptr [edx],	7Fh
		jnz	loc_55661C
		jmp	loc_556525
; 

loc_5DFB80:				; CODE XREF: MiComputeTrimAmount+63j
					; MiComputeTrimAmount+896A2j
		cmp	edi, [ebx+3Ch]
		ja	loc_556560
		jmp	loc_55661C
; 

loc_5DFB8E:				; CODE XREF: MiComputeTrimAmount+13Bj
		test	cl, cl
		js	short loc_5DFB80
		jmp	loc_556560
; 

loc_5DFB97:				; CODE XREF: MiComputeTrimAmount+84j
		mov	eax, [ebx+3Ch]
		mov	ecx, esi
		sub	ecx, eax
		cmp	eax, esi
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_8], eax
		jmp	loc_5565B2
; 

loc_5DFBAC:				; CODE XREF: MiComputeTrimAmount+CFj
		cmp	cl, 4
		jnz	short loc_5DFBC5
		cmp	ds:dword_6D5E00, 0E0h
		jnb	short loc_5DFBC5
		sub	esi, [ebp+var_14]
		jmp	loc_5565F8
; 

loc_5DFBC5:				; CODE XREF: MiComputeTrimAmount+896C1j
					; MiComputeTrimAmount+896CDj
		mov	ecx, [ebp+var_18]
		cmp	ecx, [ebp+var_1C]
		ja	loc_55661C
		cmp	byte ptr [ebx+62h], 2
		mov	esi, eax
		jz	loc_5565F4
		mov	eax, [edx+38h]
		mov	ecx, [edx+30h]
		cmp	eax, ecx
		jbe	loc_5565F4
		xor	edx, edx
		div	ecx
		xor	edx, edx
		mov	ecx, eax
		mov	eax, [ebp+var_8]
		div	ecx
		jmp	loc_55663D
; END OF FUNCTION CHUNK	FOR MiComputeTrimAmount
; 
; START	OF FUNCTION CHUNK FOR KiDisconnectInterruptCommon

loc_5DFBFD:				; CODE XREF: KiDisconnectInterruptCommon+78j
		mov	eax, [esi+2Ch]
		mov	cl, 1Ah
		sub	eax, 100h
		imul	edi, eax, 1Ch
		add	edi, ds:_KiGlobalSecondaryIDT
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		mov	ecx, edi
		mov	[esp+48h+var_36], bl
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		jmp	loc_5566D7
; 

loc_5DFC28:				; CODE XREF: KiDisconnectInterruptCommon+A9j
		push	2
		pop	ecx
		lock or	[eax], ecx
		lea	eax, [esp+48h+var_30]
		mov	[esp+48h+var_35], 1
		mov	[esi+58h], eax
		jmp	loc_55673B
; 

loc_5DFC3F:				; CODE XREF: KiDisconnectInterruptCommon+B5j
		call	_KiDisconnectSecondaryInterruptInternal@8 ; KiDisconnectSecondaryInterruptInternal(x,x)
		mov	esi, eax

loc_5DFC46:				; CODE XREF: KiDisconnectInterruptCommon+FEj
		cmp	[esp+48h+var_34], 0
		jz	loc_556708
		test	ds:byte_70EFC6,	1
		jz	short loc_5DFC6A
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	bl, [esp+48h+var_36]
		jmp	short loc_5DFC6F
; 

loc_5DFC6A:				; CODE XREF: KiDisconnectInterruptCommon+89616j
		xor	eax, eax
		lock and [edi],	eax

loc_5DFC6F:				; CODE XREF: KiDisconnectInterruptCommon+89626j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_55671A
; 

loc_5DFC7C:				; CODE XREF: KiDisconnectInterruptCommon+DDj
		cmp	[esp+48h+var_30], 0
		jz	loc_556725
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	[esp+58h+var_30]
		call	KeWaitForSingleObject
		mov	esi, [esp+48h+var_28]
		jmp	loc_556725
; END OF FUNCTION CHUNK	FOR KiDisconnectInterruptCommon
; 
; START	OF FUNCTION CHUNK FOR KiDisconnectInterruptInternal

loc_5DFC9F:				; CODE XREF: KiDisconnectInterruptInternal+3Dj
		lea	eax, [esi+4]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_5DFCB0
		cmp	ecx, eax
		jnz	loc_556789

loc_5DFCB0:				; CODE XREF: KiDisconnectInterruptInternal+89560j
		mov	al, 1
		jmp	loc_55678C
; 

loc_5DFCB7:				; CODE XREF: KiDisconnectInterruptInternal+4Aj
		test	al, al
		jnz	loc_556796
		cmp	ebx, esi
		jnz	short loc_5DFCE2
		mov	esi, [esi+4]
		sub	esi, 4
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		push	2
		pop	edx
		mov	ecx, esi
		mov	bl, al
		call	KiConnectVectorAndInterruptObject
		test	bl, bl
		jz	short loc_5DFCDF
		sti

loc_5DFCDF:				; CODE XREF: KiDisconnectInterruptInternal+89596j
		mov	ebx, [ebp+var_8]

loc_5DFCE2:				; CODE XREF: KiDisconnectInterruptInternal+8957Bj
		lea	eax, [ebx+4]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_5DFD28
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_5DFD28
		mov	[ecx], edx
		lea	eax, [esi+4]
		mov	[edx+4], ecx
		cmp	[eax], eax
		jnz	short loc_5DFD1E
		cmp	byte ptr [esi+31h], 0
		jz	short loc_5DFD1E
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		mov	bl, al
		call	KiConnectVectorAndInterruptObject
		test	bl, bl
		jz	short loc_5DFD1B
		sti

loc_5DFD1B:				; CODE XREF: KiDisconnectInterruptInternal+895D2j
		mov	ebx, [ebp+var_8]

loc_5DFD1E:				; CODE XREF: KiDisconnectInterruptInternal+895B7j
					; KiDisconnectInterruptInternal+895BDj
		mov	eax, 128h
		jmp	loc_5567AA
; 

loc_5DFD28:				; CODE XREF: KiDisconnectInterruptInternal+895A4j
					; KiDisconnectInterruptInternal+895ABj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5DFD2D:				; CODE XREF: KiConnectVectorAndInterruptObject+2Bj
		cmp	eax, 1
		mov	eax, [ebp+var_C]
		jz	short loc_5DFD38
		mov	eax, [ebp+var_8]

loc_5DFD38:				; CODE XREF: KiDisconnectInterruptInternal+895EDj
		mov	[ebx+28h], eax
		mov	eax, large fs:20h
		mov	[eax+esi*4+41E0h], ebx
		jmp	loc_5567F3
; END OF FUNCTION CHUNK	FOR KiDisconnectInterruptInternal
; 
; START	OF FUNCTION CHUNK FOR IoReportInterruptInactive

loc_5DFD4D:				; CODE XREF: IoReportInterruptInactive+12j
		sub	eax, 1
		jz	short loc_5DFD97
		sub	eax, 1
		jz	short loc_5DFD71
		sub	eax, 1
		jz	loc_556816
		xor	esi, esi
		push	esi
		push	esi
		push	edx
		push	0Ch
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5DFD71:				; CODE XREF: IoReportInterruptInactive+89557j
		mov	ebx, [ecx+4]
		xor	esi, esi
		cmp	[ebx+4], esi
		jbe	loc_55681E
		lea	edi, [ebx+14h]

loc_5DFD82:				; CODE XREF: IoReportInterruptInactive+89592j
		mov	ecx, [edi]
		call	_IopMaskInterrupt@4 ; IopMaskInterrupt(x)
		inc	esi
		lea	edi, [edi+28h]
		cmp	esi, [ebx+4]
		jb	short loc_5DFD82
		jmp	loc_55681E
; 

loc_5DFD97:				; CODE XREF: IoReportInterruptInactive+89552j
		mov	edi, [ecx+4]
		xor	esi, esi
		cmp	[edi+0D4h], esi
		jbe	loc_55681E
		lea	ebx, [edi+0D8h]

loc_5DFDAE:				; CODE XREF: IoReportInterruptInactive+895C4j
		mov	ecx, [ebx]
		add	ecx, 60h
		call	_IopMaskInterrupt@4 ; IopMaskInterrupt(x)
		inc	esi
		lea	ebx, [ebx+4]
		cmp	esi, [edi+0D4h]
		jb	short loc_5DFDAE
		jmp	loc_55681E
; END OF FUNCTION CHUNK	FOR IoReportInterruptInactive
; 
; START	OF FUNCTION CHUNK FOR KeDisconnectInterrupt

loc_5DFDC9:				; CODE XREF: KeDisconnectInterrupt+47j
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_KiDisconnectSecondaryInterrupt@8 ; KiDisconnectSecondaryInterrupt(x,x)
		jmp	loc_5568E5
; END OF FUNCTION CHUNK	FOR KeDisconnectInterrupt
; 
; START	OF FUNCTION CHUNK FOR KiIntSteerDisable

loc_5DFDD8:				; CODE XREF: KiIntSteerDisable+BFj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5569F0
; 

loc_5DFDE5:				; CODE XREF: KiIntSteerDisable+14Bj
		mov	esi, 80000025h
		jmp	loc_556B08
; 

loc_5DFDEF:				; CODE XREF: KiIntSteerDisable+178j
		mov	eax, [ebp+var_1C]
		mov	edx, edi
		mov	ecx, [eax]
		mov	ecx, [ecx+2Ch]
		call	_KiMaskSecondaryInterruptInternal@8 ; KiMaskSecondaryInterruptInternal(x,x)
		mov	esi, eax
		jmp	loc_556B08
; 

loc_5DFE05:				; CODE XREF: KiIntSteerDisable+1DCj
		mov	eax, [ebp+var_1C]
		mov	edi, [eax]
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_5DFE47
		mov	ecx, [edi+34h]
		lea	eax, [ebp+var_11+1]
		push	eax
		lea	edx, [ebp+var_11]
		call	_KiAcquireInterruptConnectLock@12 ; KiAcquireInterruptConnectLock(x,x,x)
		mov	edx, [ebp+var_18]
		mov	ecx, [edi+2Ch]
		call	KiMaskInterruptInternal
		mov	cl, byte ptr [ebp+var_11]
		mov	esi, eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [ebp+var_11+1]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		jmp	loc_556B08
; 

loc_5DFE47:				; CODE XREF: KiIntSteerDisable+894ECj
		test	ebx, ebx
		jnz	short loc_5DFE55
		mov	esi, 0C000000Dh
		jmp	loc_556B08
; 

loc_5DFE55:				; CODE XREF: KiIntSteerDisable+89523j
		lea	eax, [ebp+var_24]
		push	eax
		push	dword ptr [edi+34h]
		call	_KeGetProcessorNumberFromIndex@8 ; KeGetProcessorNumberFromIndex(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_556B08
		push	0
		push	ebx
		call	KeRemoveQueueDpcEx
		push	0
		push	offset _KiMaskInterruptDpc@16 ;	KiMaskInterruptDpc(x,x,x,x)
		push	ebx
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		lea	eax, [ebp+var_24]
		push	eax
		push	ebx
		call	_KeSetTargetProcessorDpcEx@8 ; KeSetTargetProcessorDpcEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_556B08
		mov	edx, [edi+2Ch]
		mov	ecx, ebx
		push	0
		push	0
		push	[ebp+var_18]
		call	KiInsertQueueDpc
		jmp	loc_556B08
; END OF FUNCTION CHUNK	FOR KiIntSteerDisable
; 
; START	OF FUNCTION CHUNK FOR KiMaskInterruptInternal

loc_5DFEAA:				; CODE XREF: KiMaskInterruptInternal+27j
		mov	ecx, [ebp+var_C]
		add	ecx, 4
		mov	eax, ecx

loc_5DFEB2:				; CODE XREF: KiMaskInterruptInternal+89392j
		test	byte ptr [eax+38h], 1
		jz	short loc_5DFEC3
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	short loc_5DFEB2
		jmp	loc_556B79
; 

loc_5DFEC3:				; CODE XREF: KiMaskInterruptInternal+8938Cj
		mov	eax, 128h
		jmp	loc_556B82
; END OF FUNCTION CHUNK	FOR KiMaskInterruptInternal
; 
; START	OF FUNCTION CHUNK FOR PoFxReportDevicePoweredOn

loc_5DFECD:				; CODE XREF: PoFxReportDevicePoweredOn+7Aj
		push	0
		push	edi
		mov	edx, ebx
		mov	ecx, 602h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_5DFEDC:				; CODE XREF: PoFxReportDevicePoweredOn+FEj
					; PoFxReportDevicePoweredOn+10Cj
		lea	edx, [esi+10h]
		xor	edi, edi
		mov	eax, [edx]

loc_5DFEE3:				; CODE XREF: PoFxReportDevicePoweredOn+8929Dj
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_5DFEE3
		mov	edi, [esp+28h+var_C]
		test	eax, 400h
		jz	loc_556D60
		mov	eax, 0FFFFFBFFh
		lock and [edx],	eax
		movsx	eax, byte ptr [ebx+22h]
		add	eax, 3
		imul	eax, 24h
		push	dword ptr [eax+ebx]
		push	ebx
		push	0
		call	PopSystemIrpCompletion
		jmp	loc_556D60
; END OF FUNCTION CHUNK	FOR PoFxReportDevicePoweredOn
; 
; START	OF FUNCTION CHUNK FOR MiSessionRemoveImage

loc_5DFF1E:				; CODE XREF: MiSessionRemoveImage+75j
		push	0
		push	edi
		push	[ebp+var_8]
		push	2100h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5DFF31:				; CODE XREF: IopPowerDispatch+1Fj
		mov	ecx, [ecx+4]
		mov	eax, ds:_PoPowerSequence
		mov	[ecx], eax
		mov	[ecx+4], eax
		mov	[ecx+8], eax
		jmp	loc_556F21
; END OF FUNCTION CHUNK	FOR MiSessionRemoveImage
; 
; START	OF FUNCTION CHUNK FOR MiEmptyAccessLogs

loc_5DFF46:				; CODE XREF: MiEmptyAccessLogs+41j
		test	ds:byte_70EFC6,	1
		mov	ds:dword_6D3150, esi
		jz	short loc_5DFF63
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5DFF93
; 

loc_5DFF63:				; CODE XREF: MiEmptyAccessLogs+88FF7j
		mov	eax, [esp+38h+var_28]
		test	eax, eax
		jnz	short loc_5DFF86
		mov	edx, [esp+38h+var_24]
		lea	eax, [esp+38h+var_28]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_28]
		cmp	eax, ecx
		jz	short loc_5DFF93
		call	KxWaitForLockChainValid

loc_5DFF86:				; CODE XREF: MiEmptyAccessLogs+8900Dj
		xor	ecx, ecx
		mov	[esp+38h+var_28], esi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5DFF93:				; CODE XREF: MiEmptyAccessLogs+89005j
					; MiEmptyAccessLogs+89023j
		mov	cl, [esp+38h+var_20]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_55711B
; 

loc_5DFFA2:				; CODE XREF: MiEmptyAccessLogs+5Bj
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_556FE3
; 

loc_5DFFB3:				; CODE XREF: MiEmptyAccessLogs+81j
		lea	ecx, [esp+38h+var_28]
		call	KxWaitForLockChainValid

loc_5DFFBC:				; CODE XREF: MiEmptyAccessLogs+67j
		mov	[esp+38h+var_28], esi
		add	eax, 4
		lock xor [eax],	edi
		jmp	loc_556FE3
; 

loc_5DFFCB:				; CODE XREF: MiEmptyAccessLogs+182j
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_557106
; 

loc_5DFFDC:				; CODE XREF: MiEmptyAccessLogs+1A4j
		lea	ecx, [esp+38h+var_28]
		call	KxWaitForLockChainValid
		jmp	loc_557133
; END OF FUNCTION CHUNK	FOR MiEmptyAccessLogs
; 
; START	OF FUNCTION CHUNK FOR WmipWriteWnodeToObject

loc_5DFFEA:				; CODE XREF: WmipWriteWnodeToObject+53j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_55720F
; 

loc_5DFFFA:				; CODE XREF: WmipWriteWnodeToObject+75j
		lea	ecx, [ebp+var_18]

loc_5DFFFD:				; DATA XREF: .text:0041CCECo
		call	KxWaitForLockChainValid

loc_5E0002:				; CODE XREF: WmipWriteWnodeToObject+5Ej
		xor	ecx, ecx

loc_5E0004:				; DATA XREF: .text:00425DECo
					; .text:0042552Co
		mov	[ebp+var_18], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_55720F
; END OF FUNCTION CHUNK	FOR WmipWriteWnodeToObject
; 
; START	OF FUNCTION CHUNK FOR PopTimeoutWakeTracking

loc_5E0013:				; CODE XREF: PopTimeoutWakeTracking+67j
		mov	eax, ds:dword_6C342C
		mov	ecx, offset _PopWakeSourceWorkList
		jmp	short loc_5E0027
; 

loc_5E001F:				; CODE XREF: PopTimeoutWakeTracking+88DA1j
		cmp	[eax+0Ch], esi
		jz	short loc_5E0030
		mov	eax, [eax+4]

loc_5E0027:				; CODE XREF: PopTimeoutWakeTracking+88D95j
		cmp	eax, ecx
		jnz	short loc_5E001F
		jmp	loc_5572F5
; 

loc_5E0030:				; CODE XREF: PopTimeoutWakeTracking+88D9Aj
		lea	edi, [esp+28h+var_10]
		mov	ecx, edi
		mov	[eax+10h], ecx
		jmp	loc_5572F5
; 

loc_5E003E:				; CODE XREF: PopTimeoutWakeTracking+74j
		mov	edx, [ebp+4]
		lea	ecx, [esp+28h+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_557328
; 

loc_5E004F:				; CODE XREF: PopTimeoutWakeTracking+9Aj
		lea	ecx, [esp+28h+var_1C]
		call	KxWaitForLockChainValid

loc_5E0058:				; CODE XREF: PopTimeoutWakeTracking+80j
		xor	ecx, ecx
		mov	[esp+28h+var_1C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_557328
; 

loc_5E006E:				; CODE XREF: PopTimeoutWakeTracking+A8j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	edi
		call	KeWaitForSingleObject
		jmp	loc_557336
; 

loc_5E007F:				; CODE XREF: PopTimeoutWakeTracking+FBj
		mov	edx, [ebp+4]
		lea	ecx, [esp+28h+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5573AF
; 

loc_5E0090:				; CODE XREF: PopTimeoutWakeTracking+121j
		lea	ecx, [esp+28h+var_1C]
		call	KxWaitForLockChainValid

loc_5E0099:				; CODE XREF: PopTimeoutWakeTracking+107j
		xor	ecx, ecx
		mov	[esp+28h+var_1C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_5573AF
; 

loc_5E00AF:				; CODE XREF: PopTimeoutWakeTracking+14Dj
		mov	edx, [ebp+4]
		lea	ecx, [esp+28h+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_557401
; 

loc_5E00C0:				; CODE XREF: PopTimeoutWakeTracking+173j
		lea	ecx, [esp+28h+var_1C]
		call	KxWaitForLockChainValid

loc_5E00C9:				; CODE XREF: PopTimeoutWakeTracking+159j
		xor	ecx, ecx
		mov	[esp+28h+var_1C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_557401
; END OF FUNCTION CHUNK	FOR PopTimeoutWakeTracking
; 
; START	OF FUNCTION CHUNK FOR PopDereferenceWakeInfos

loc_5E00DF:				; CODE XREF: PopDereferenceWakeInfos+42j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_55747E
; 

loc_5E00EF:				; CODE XREF: PopDereferenceWakeInfos+64j
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid

loc_5E00F7:				; CODE XREF: PopDereferenceWakeInfos+4Dj
		xor	ecx, ecx
		mov	[ebp+var_10], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_55747E
; END OF FUNCTION CHUNK	FOR PopDereferenceWakeInfos
; 
; START	OF FUNCTION CHUNK FOR PopWakeInfoDereference

loc_5E010C:				; CODE XREF: PopWakeInfoDereference+8j
		lea	eax, [ecx+18h]
		and	dword ptr [eax], 0
		push	1
		push	eax
		mov	dword ptr [eax+8], offset _PopFreeWakeInfo@4 ; PopFreeWakeInfo(x)
		mov	[eax+0Ch], ecx
		call	ExQueueWorkItem
		retn
; END OF FUNCTION CHUNK	FOR PopWakeInfoDereference
; 
; START	OF FUNCTION CHUNK FOR PopGetCurrentWakeInfos

loc_5E0125:				; CODE XREF: PopGetCurrentWakeInfos+70j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_557540
; 

loc_5E0135:				; CODE XREF: PopGetCurrentWakeInfos+92j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5E013D:				; CODE XREF: PopGetCurrentWakeInfos+7Bj
		xor	edx, edx
		mov	[ebp+var_C], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx
		jmp	loc_557540
; END OF FUNCTION CHUNK	FOR PopGetCurrentWakeInfos
; 
; START	OF FUNCTION CHUNK FOR PopCreateDynamicIrpWorker

loc_5E0152:				; CODE XREF: PopCreateDynamicIrpWorker+17j
		mov	esi, 0C000009Ah

loc_5E0157:				; CODE XREF: PopCreateDynamicIrpWorker+2Fj
					; PopCreateDynamicIrpWorker+39j
		test	edi, edi
		jz	short loc_5E0164
		mov	edx, edi
		mov	ecx, ebx
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)

loc_5E0164:				; CODE XREF: PopCreateDynamicIrpWorker+88B7Dj
		mov	edi, offset _PopIrpWorkerMutex
		mov	ecx, edi
		call	ExAcquireFastMutex
		dec	ds:_PopIrpWorkerPendingCount
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_55761B
; END OF FUNCTION CHUNK	FOR PopCreateDynamicIrpWorker
; 
; START	OF FUNCTION CHUNK FOR PpmPerfApplyLatencyHint

loc_5E0182:				; CODE XREF: PpmPerfApplyLatencyHint+61j
		mov	edx, [ebp+var_4]
		push	0
		push	0
		push	1
		push	dword ptr [ebx+68h]
		push	dword ptr [ebx+edx*4+60h]
		mov	edx, ecx
		mov	ecx, [ebp+var_8]
		push	eax
		push	dword ptr [edi+60h]
		call	dword ptr [edi+44h]
		mov	[esi+28h], eax
		jmp	loc_557689
; END OF FUNCTION CHUNK	FOR PpmPerfApplyLatencyHint
; 
; START	OF FUNCTION CHUNK FOR ExAcquireSharedWaitForExclusive

loc_5E01A6:				; CODE XREF: ExAcquireSharedWaitForExclusive+24j
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	esi
		push	0Eh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E01B7:				; CODE XREF: ExAcquireSharedWaitForExclusive+EAj
		cmp	[esi+18h], ecx
		jz	short loc_5E0201
		test	ax, ax
		jz	loc_557792

loc_5E01C5:				; CODE XREF: ExAcquireSharedWaitForExclusive+F3j
		cmp	[ebp+arg_4], bl
		jz	loc_5E0470
		test	ax, ax
		jz	loc_5E02F9
		lea	edx, [ebp+var_14]
		mov	ecx, esi
		call	@ExpFindEmptyEntry@8 ; ExpFindEmptyEntry(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5576F7
		mov	eax, [edi+4]
		mov	ecx, [ebp+arg_0]
		and	eax, 7
		or	eax, 8
		mov	[edi], ecx
		mov	[edi+4], eax
		jmp	loc_5E02FB
; 

loc_5E0201:				; CODE XREF: ExAcquireSharedWaitForExclusive+88B18j
		mov	edi, [esi+1Ch]
		xor	ecx, ecx
		add	edi, 8
		inc	ecx
		mov	[esi+1Ch], edi
		shr	edi, 3
		test	ds:byte_70EFC6,	cl
		jz	short loc_5E0255
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_5E0223:				; CODE XREF: ExAcquireSharedWaitForExclusive+88BCBj
		xor	ebx, ebx
		inc	ebx

loc_5E0226:				; CODE XREF: ExAcquireSharedWaitForExclusive+88BDEj
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4240h
		inc	large dword ptr	fs:41E4h
		cmp	[ebp+var_4], 0
		jz	short loc_5E02A6
		push	dword ptr [esi+24h]
		mov	edx, esi
		mov	ecx, 10031h
		push	edi
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		jmp	short loc_5E02A6
; 

loc_5E0255:				; CODE XREF: ExAcquireSharedWaitForExclusive+88B74j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5E0274
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5E0223
		call	KxWaitForLockChainValid

loc_5E0274:				; CODE XREF: ExAcquireSharedWaitForExclusive+88BB8j
		mov	[ebp+var_14], ebx
		add	eax, 4
		xor	ebx, ebx
		inc	ebx
		lock xor [eax],	ebx
		jmp	short loc_5E0226
; 

loc_5E0282:				; CODE XREF: ExAcquireSharedWaitForExclusive+88E0Bj
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid

loc_5E028A:				; CODE XREF: ExAcquireSharedWaitForExclusive+88DEEj
		xor	ecx, ecx
		mov	[ebp+var_14], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5E0296:				; CODE XREF: ExAcquireSharedWaitForExclusive+88DE4j
					; ExAcquireSharedWaitForExclusive+88E05j
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4250h

loc_5E02A6:				; CODE XREF: ExAcquireSharedWaitForExclusive+88B9Fj
					; ExAcquireSharedWaitForExclusive+88BB1j
		mov	al, bl
		jmp	loc_557770
; 

loc_5E02AD:				; CODE XREF: ExAcquireSharedWaitForExclusive+128j
		add	edi, 8
		and	edi, 0FFFFFFF8h
		or	edi, eax
		mov	[ecx+4], edi
		jmp	loc_5577E8
; 

loc_5E02BD:				; CODE XREF: ExAcquireSharedWaitForExclusive+152j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_55781C
; 

loc_5E02CD:				; CODE XREF: ExAcquireSharedWaitForExclusive+174j
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid

loc_5E02D5:				; CODE XREF: ExAcquireSharedWaitForExclusive+15Dj
		xor	ecx, ecx
		mov	[ebp+var_14], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_55781C
; 

loc_5E02E6:				; CODE XREF: ExAcquireSharedWaitForExclusive+1B1j
		push	dword ptr [esi+24h]
		push	edx
		mov	edx, esi
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		xor	edx, edx
		inc	edx
		jmp	loc_557859
; 

loc_5E02F9:				; CODE XREF: ExAcquireSharedWaitForExclusive+88B2Fj
		mov	edi, ebx

loc_5E02FB:				; CODE XREF: ExAcquireSharedWaitForExclusive+88B5Aj
		inc	dword ptr [esi+28h]
		xor	eax, eax
		push	ebx
		inc	eax
		mov	[ebp+var_24], ebx
		push	eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_20], ebx
		push	eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_28], ecx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	ecx, [esi+10h]
		lea	edx, [ebp+var_30]
		call	RtlInsertHeadCircularList
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5E033E
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E0369
; 

loc_5E033E:				; CODE XREF: ExAcquireSharedWaitForExclusive+88C8Dj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5E035D
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5E0369
		call	KxWaitForLockChainValid

loc_5E035D:				; CODE XREF: ExAcquireSharedWaitForExclusive+88CA1j
		xor	ecx, ecx
		mov	[ebp+var_14], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5E0369:				; CODE XREF: ExAcquireSharedWaitForExclusive+88C9Aj
					; ExAcquireSharedWaitForExclusive+88CB4j
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:424Ch
		cmp	[ebp+var_4], ebx
		jz	short loc_5E038B
		push	ebx
		mov	edx, esi
		mov	ecx, 10044h
		call	@PerfLogExecutiveResourceWait@12 ; PerfLogExecutiveResourceWait(x,x,x)

loc_5E038B:				; CODE XREF: ExAcquireSharedWaitForExclusive+88CDAj
		mov	ecx, esi
		call	_ExpApplyPrewaitBoost@4	; ExpApplyPrewaitBoost(x)
		push	offset _ExpApplyRewaitBoost@4 ;	ExpApplyRewaitBoost(x)
		push	10244h
		lea	edx, [ebp+var_30]
		mov	ecx, esi
		call	ExpWaitForResource
		test	edi, edi
		jnz	short loc_5E0429
		lea	edx, [ebp+var_14]
		lea	ecx, [esi+34h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edi, [ebp+arg_0]

loc_5E03B8:				; CODE XREF: ExAcquireSharedWaitForExclusive+88D2Bj
		xor	eax, eax
		mov	edx, edi
		push	ebx
		inc	eax
		mov	ecx, esi
		push	eax
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	@ExpFindCurrentThread@24 ; ExpFindCurrentThread(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_5E03B8
		mov	ecx, [eax+4]
		and	ecx, 7
		mov	[eax], edi
		or	ecx, 8
		mov	[eax+4], ecx
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5E03F5
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E0420
; 

loc_5E03F5:				; CODE XREF: ExAcquireSharedWaitForExclusive+88D44j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5E0414
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5E0420
		call	KxWaitForLockChainValid

loc_5E0414:				; CODE XREF: ExAcquireSharedWaitForExclusive+88D58j
		xor	ecx, ecx
		mov	[ebp+var_14], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5E0420:				; CODE XREF: ExAcquireSharedWaitForExclusive+88D51j
					; ExAcquireSharedWaitForExclusive+88D6Bj
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5E0429:				; CODE XREF: ExAcquireSharedWaitForExclusive+88D06j
		mov	eax, [ebp+arg_0]
		test	al, 3
		jnz	short loc_5E0437
		movzx	ebx, byte ptr [eax+26Ch]

loc_5E0437:				; CODE XREF: ExAcquireSharedWaitForExclusive+88D8Cj
		push	ebx
		mov	edx, eax
		mov	ecx, esi
		call	ExpBoostIoAfterAcquire
		inc	large dword ptr	fs:4244h
		inc	large dword ptr	fs:41E4h
		cmp	[ebp+var_4], 0
		jz	short loc_5E0468
		push	dword ptr [esi+24h]
		xor	eax, eax
		mov	edx, esi
		inc	eax
		mov	ecx, 10041h
		push	eax
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)

loc_5E0468:				; CODE XREF: ExAcquireSharedWaitForExclusive+88DB1j
		xor	eax, eax
		inc	eax
		jmp	loc_557770
; 

loc_5E0470:				; CODE XREF: ExAcquireSharedWaitForExclusive+88B26j
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5E048B
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5E0296
; 

loc_5E048B:				; CODE XREF: ExAcquireSharedWaitForExclusive+88DD7j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_5E028A
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	loc_5E0296
		jmp	loc_5E0282
; 

loc_5E04B2:				; CODE XREF: ExAcquireSharedWaitForExclusive+7Fj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_557749
; 

loc_5E04C2:				; CODE XREF: ExAcquireSharedWaitForExclusive+A1j
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid

loc_5E04CA:				; CODE XREF: ExAcquireSharedWaitForExclusive+8Aj
		mov	[ebp+var_14], ebx
		add	eax, 4
		xor	ebx, ebx
		inc	ebx
		lock xor [eax],	ebx
		jmp	loc_55774C
; 

loc_5E04DB:				; CODE XREF: ExAcquireSharedWaitForExclusive+C5j
		push	dword ptr [esi+24h]
		mov	edx, esi
		mov	ecx, 10041h
		push	ebx
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		jmp	loc_55776D
; END OF FUNCTION CHUNK	FOR ExAcquireSharedWaitForExclusive
; 
; START	OF FUNCTION CHUNK FOR PoFxNotifySurprisePowerOn

loc_5E04F0:				; CODE XREF: PoFxNotifySurprisePowerOn+3Ej
		push	0
		push	0
		lea	eax, [edi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_5578D0
; END OF FUNCTION CHUNK	FOR PoFxNotifySurprisePowerOn
; 
; START	OF FUNCTION CHUNK FOR PopPepSurprisePowerOn

loc_5E0505:				; CODE XREF: PopPepSurprisePowerOn+1Ej
		cmp	[edi+58h], cl
		jnz	loc_55792E
		mov	eax, [edi+30h]
		cmp	[eax], ecx
		jnz	loc_55792E
		push	esi
		mov	esi, [edi+48h]
		push	ecx
		push	ecx
		xor	edx, edx
		mov	ecx, edi
		call	_PopPepTriggerActivity@16 ; PopPepTriggerActivity(x,x,x,x)
		push	1
		xor	edx, edx
		mov	ecx, edi
		call	PopPepPromoteActivities
		mov	edx, [edi+48h]
		mov	ecx, esi
		call	_PopPepRequestWork@8 ; PopPepRequestWork(x,x)
		pop	esi
		jmp	loc_55792E
; END OF FUNCTION CHUNK	FOR PopPepSurprisePowerOn
; 
; START	OF FUNCTION CHUNK FOR PopReleaseWakeSourceSpinLock

loc_5E0543:				; CODE XREF: PopReleaseWakeSourceSpinLock+Fj
		mov	edx, [ebp+4]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5579C0
; 

loc_5E0550:				; CODE XREF: PopReleaseWakeSourceSpinLock+2Cj
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5E0557:				; CODE XREF: PopReleaseWakeSourceSpinLock+19j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_5579C0
; END OF FUNCTION CHUNK	FOR PopReleaseWakeSourceSpinLock
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceRtcWakeInfo

loc_5E056B:				; CODE XREF: PopDiagTraceRtcWakeInfo+10Aj
		mov	eax, [ebp+var_1F0]
		mov	[ebp+var_22C], eax
		lea	eax, [ebp+var_22C]
		mov	[ebp+var_1C8], eax
		mov	al, byte ptr [ebp+arg_0]
		mov	byte ptr [ebp+var_1E9],	al
		lea	eax, [ebp+var_1E9]
		mov	[ebp+var_1B8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_230], eax
		lea	eax, [ebp+var_230]
		mov	[ebp+var_1A8], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_234], eax
		lea	eax, [ebp+var_234]
		mov	[ebp+var_198], eax
		mov	eax, [ebp+var_1F4]
		mov	[ebp+var_238], eax
		lea	eax, [ebp+var_238]
		mov	[ebp+var_188], eax
		mov	eax, [ebp+var_1F8]
		mov	[ebp+var_23C], eax
		lea	eax, [ebp+var_23C]
		mov	[ebp+var_178], eax
		mov	eax, [ebp+var_1FC]
		mov	[ebp+var_240], eax
		lea	eax, [ebp+var_240]
		mov	[ebp+var_168], eax
		mov	eax, [ebp+var_200]
		mov	[ebp+var_244], eax
		lea	eax, [ebp+var_244]
		mov	[ebp+var_158], eax
		lea	eax, [ebp+var_210]
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_218]
		mov	[ebp+var_138], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_248], eax
		lea	eax, [ebp+var_248]
		mov	[ebp+var_128], eax
		lea	eax, [ebp+var_220]
		push	8
		pop	ecx
		mov	[ebp+var_118], eax
		lea	eax, [ebp+var_228]
		mov	[ebp+var_1C4], esi
		mov	[ebp+var_1C0], edi
		mov	[ebp+var_1BC], esi
		mov	[ebp+var_1B4], esi
		mov	[ebp+var_1B0], 1
		mov	[ebp+var_1AC], esi
		mov	[ebp+var_1A4], esi
		mov	[ebp+var_1A0], edi
		mov	[ebp+var_19C], esi
		mov	[ebp+var_194], esi
		mov	[ebp+var_190], edi
		mov	[ebp+var_18C], esi
		mov	[ebp+var_184], esi
		mov	[ebp+var_180], edi
		mov	[ebp+var_17C], esi
		mov	[ebp+var_174], esi
		mov	[ebp+var_170], edi
		mov	[ebp+var_16C], esi
		mov	[ebp+var_164], esi
		mov	[ebp+var_160], edi
		mov	[ebp+var_15C], esi
		mov	[ebp+var_154], esi
		mov	[ebp+var_150], edi
		mov	[ebp+var_14C], esi
		mov	[ebp+var_144], esi
		mov	[ebp+var_140], ecx
		mov	[ebp+var_13C], esi
		mov	[ebp+var_134], esi
		mov	[ebp+var_130], ecx
		mov	[ebp+var_12C], esi
		mov	[ebp+var_124], esi
		mov	[ebp+var_120], edi
		mov	[ebp+var_11C], esi
		mov	[ebp+var_114], esi
		mov	[ebp+var_110], ecx
		mov	[ebp+var_10C], esi
		push	4
		mov	[ebp+var_108], eax
		lea	eax, [ebp+var_24C]
		mov	[ebp+var_24C], ebx
		pop	ebx
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_1E9+1]
		push	eax
		push	10h
		push	esi
		push	esi
		push	(offset	loc_41DFA2+6)
		push	offset dword_6B23F8
		mov	[ebp+var_104], esi
		mov	[ebp+var_100], ecx
		mov	[ebp+var_FC], esi
		mov	[ebp+var_F4], esi
		mov	[ebp+var_F0], ebx
		mov	[ebp+var_EC], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_557AEB
; END OF FUNCTION CHUNK	FOR PopDiagTraceRtcWakeInfo
; 
; START	OF FUNCTION CHUNK FOR IoReportInterruptActive

loc_5E079E:				; CODE XREF: IoReportInterruptActive+12j
		sub	eax, 1
		jz	short loc_5E07E8
		sub	eax, 1
		jz	short loc_5E07C2
		sub	eax, 1
		jz	loc_557DCA
		xor	esi, esi
		push	esi
		push	esi
		push	edx
		push	0Ch
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E07C2:				; CODE XREF: IoReportInterruptActive+889F4j
		mov	ebx, [ecx+4]
		xor	esi, esi
		cmp	[ebx+4], esi
		jbe	loc_557DD2
		lea	edi, [ebx+14h]

loc_5E07D3:				; CODE XREF: IoReportInterruptActive+88A2Fj
		mov	ecx, [edi]
		call	_IopUnmaskInterrupt@4 ;	IopUnmaskInterrupt(x)
		inc	esi
		lea	edi, [edi+28h]
		cmp	esi, [ebx+4]
		jb	short loc_5E07D3
		jmp	loc_557DD2
; 

loc_5E07E8:				; CODE XREF: IoReportInterruptActive+889EFj
		mov	edi, [ecx+4]
		xor	esi, esi
		cmp	[edi+0D4h], esi
		jbe	loc_557DD2
		lea	ebx, [edi+0D8h]

loc_5E07FF:				; CODE XREF: IoReportInterruptActive+88A61j
		mov	ecx, [ebx]
		add	ecx, 60h
		call	_IopUnmaskInterrupt@4 ;	IopUnmaskInterrupt(x)
		inc	esi
		lea	ebx, [ebx+4]
		cmp	esi, [edi+0D4h]
		jb	short loc_5E07FF
		jmp	loc_557DD2
; END OF FUNCTION CHUNK	FOR IoReportInterruptActive
; 
; START	OF FUNCTION CHUNK FOR KeUnmaskInterrupt

loc_5E081A:				; CODE XREF: KeUnmaskInterrupt+5Dj
		mov	ecx, [edi+2Ch]
		mov	edx, eax
		call	_KiUnmaskSecondaryInterruptInternal@8 ;	KiUnmaskSecondaryInterruptInternal(x,x)
		jmp	loc_557E92
; END OF FUNCTION CHUNK	FOR KeUnmaskInterrupt
; 
; START	OF FUNCTION CHUNK FOR PopFxUpdateDeviceAccountingEnhanced

loc_5E0829:				; CODE XREF: PopFxUpdateDeviceAccountingEnhanced+24j
					; PopFxUpdateDeviceAccountingEnhanced+2Aj
		mov	eax, [esi+8]
		cmp	eax, 5
		jz	loc_557F52
		cmp	[ebp+arg_0], 0
		jnz	short loc_5E0862
		cmp	edi, 1
		jnz	loc_557F52
		cmp	byte ptr [esi+4], 0
		jnz	loc_557F52
		call	KeQueryInterruptTime
		mov	[esi+10h], eax
		mov	[esi+14h], edx
		mov	byte ptr [esi+4], 1
		jmp	loc_557F52
; 

loc_5E0862:				; CODE XREF: PopFxUpdateDeviceAccountingEnhanced+88917j
		cmp	edi, eax
		jb	loc_557F52
		call	KeQueryInterruptTime
		push	0
		push	0
		push	edx
		push	eax
		mov	ecx, esi
		call	PopFxUpdateAccountingActiveTime
		mov	byte ptr [esi+4], 0
		jmp	loc_557F52
; 

loc_5E0885:				; CODE XREF: PopFxUpdateDeviceAccountingEnhanced+37j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_557F64
; END OF FUNCTION CHUNK	FOR PopFxUpdateDeviceAccountingEnhanced
; 
; START	OF FUNCTION CHUNK FOR wil_details_StagingConfig_Load

loc_5E0894:				; CODE XREF: wil_details_StagingConfig_Load+48j
		mov	eax, dword ptr ds:___WIL_WNF_WIL_USER_FEATURE_STORE
		mov	ecx, dword ptr ds:loc_425381+3
		jmp	loc_557FCD
; 

loc_5E08A4:				; CODE XREF: wil_details_StagingConfig_Load+89j
					; wil_details_StagingConfig_Load+96j
		mov	eax, 0C8h
		cmp	ebx, eax
		jnb	short loc_5E08AF
		mov	ebx, eax

loc_5E08AF:				; CODE XREF: wil_details_StagingConfig_Load+88937j
		cmp	ebx, [ebp+var_1C]
		jnb	short loc_5E08B7
		mov	ebx, [ebp+var_1C]

loc_5E08B7:				; CODE XREF: wil_details_StagingConfig_Load+8893Ej
		cmp	ebx, edx
		jnb	short loc_5E08BD
		mov	ebx, edx

loc_5E08BD:				; CODE XREF: wil_details_StagingConfig_Load+88945j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_5E08CF
		push	4C4957h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5E08CF:				; CODE XREF: wil_details_StagingConfig_Load+8894Ej
		push	4C4957h
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		jz	short loc_5E090C
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_1C], ebx
		push	eax
		push	esi
		lea	eax, [edi+8]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_ZwQueryWnfStateData@24	; ZwQueryWnfStateData(x,x,x,x,x,x)
		push	10h
		mov	[ebp+var_28], eax
		pop	edx
		jmp	loc_558005
; 

loc_5E090C:				; CODE XREF: wil_details_StagingConfig_Load+88972j
		mov	eax, 0C000009Ah
		jmp	loc_558086
; 

loc_5E0916:				; CODE XREF: wil_details_StagingConfig_Load+B9j
		cmp	byte ptr [edi+0Ch], 2
		jnz	loc_558033
		movzx	eax, word ptr [esi+2]
		mov	[ebp+var_28], eax
		cmp	ax, cx
		jb	loc_558033
		movzx	eax, word ptr [esi+4]
		mov	[ebp+var_2C], eax
		movzx	eax, ax
		imul	ecx, eax, 0Ch
		movzx	eax, word ptr [esi+6]
		shl	eax, 4
		add	ecx, eax
		mov	eax, [ebp+var_28]
		movzx	eax, ax
		add	ecx, eax
		cmp	edx, ecx
		jb	loc_5E09FB
		xor	eax, eax
		mov	[ebp+var_20], eax
		cmp	word ptr [ebp+var_2C], ax
		jbe	short loc_5E09A6
		mov	[ebp+var_2C], eax
		cmp	[ebp+var_30], eax
		jnz	short loc_5E0977
		mov	ecx, dword ptr ds:___WIL_WNF_WIL_MACHINE_FEATURE_STORE_MODIFIED
		mov	edx, dword ptr ds:loc_4253EA+2
		jmp	short loc_5E0983
; 

loc_5E0977:				; CODE XREF: wil_details_StagingConfig_Load+889F3j
		mov	ecx, dword ptr ds:___WIL_WNF_WIL_USER_FEATURE_STORE_MODIFIED
		mov	edx, dword ptr ds:loc_425416+2

loc_5E0983:				; CODE XREF: wil_details_StagingConfig_Load+88A01j
		mov	[ebp+var_10], ecx
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	eax
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_C], edx
		push	ecx
		push	eax
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_ZwQueryWnfStateData@24	; ZwQueryWnfStateData(x,x,x,x,x,x)
		mov	eax, [ebp+var_20]
		mov	edx, [ebp+var_1C]
		mov	[ebp+var_34], eax

loc_5E09A6:				; CODE XREF: wil_details_StagingConfig_Load+889EBj
		lea	ecx, [esi+10h]
		mov	[edi+14h], esi
		mov	[edi+18h], ecx
		movzx	eax, word ptr [esi+4]
		imul	eax, 0Ch
		add	eax, ecx
		mov	[edi+1Ch], eax
		xor	eax, eax
		cmp	[ebp+var_34], eax
		setnz	al
		mov	[edi+20h], eax
		cmp	byte ptr [esi],	2
		jnz	loc_558065
		cmp	byte ptr [esi+1], 2
		jnb	loc_558065
		movzx	eax, word ptr [esi+4]
		imul	edx, eax, 0Ch
		movzx	eax, word ptr [esi+6]
		shl	eax, 4
		add	edx, eax
		movzx	eax, word ptr [esi+2]
		add	edx, eax
		mov	dword ptr [edi+10h], 1
		jmp	loc_558065
; 

loc_5E09FB:				; CODE XREF: wil_details_StagingConfig_Load+889DCj
		push	10h
		pop	ecx
		jmp	loc_558033
; 

loc_5E0A03:				; CODE XREF: wil_details_StagingConfig_Load+9Ej
					; wil_details_StagingConfig_Load+A6j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_5E0A15
		push	4C4957h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5E0A15:				; CODE XREF: wil_details_StagingConfig_Load+88A94j
		mov	eax, [ebp+var_28]
		jmp	loc_558086
; END OF FUNCTION CHUNK	FOR wil_details_StagingConfig_Load
; 
; START	OF FUNCTION CHUNK FOR CcDeleteBcbs

loc_5E0A1D:				; CODE XREF: CcDeleteBcbs+3Dj
		xor	edx, edx
		cmp	[esi+34h], edx
		jnz	loc_5E0B34
		mov	eax, [ecx+4]
		cmp	[edi+4], ecx
		jnz	loc_5E0B2F
		cmp	[eax], ecx
		jnz	loc_5E0B2F
		mov	[eax], edi
		mov	[edi+4], eax
		cmp	[ebx+1Ch], edx
		jl	short loc_5E0A6C
		jg	short loc_5E0A51
		cmp	dword ptr [ebx+18h], 2000000h
		jbe	short loc_5E0A6C

loc_5E0A51:				; CODE XREF: CcDeleteBcbs+887A8j
		test	dword ptr [ebx+60h], 200h
		jz	short loc_5E0A6C
		push	dword ptr [esi+0Ch]
		or	edx, 0FFFFFFFFh
		mov	ecx, ebx
		push	dword ptr [esi+8]
		call	CcAdjustVacbLevelLockCount
		xor	edx, edx

loc_5E0A6C:				; CODE XREF: CcDeleteBcbs+887A6j
					; CcDeleteBcbs+887B1j ...
		cmp	[esi+74h], edx
		jz	short loc_5E0AA8
		mov	ecx, [esi+30h]
		or	eax, 0FFFFFFFFh
		mov	edx, [ecx+4]
		mov	[esp+20h+var_14], edx
		lock xadd [ecx+8], eax
		dec	eax
		movzx	eax, ax
		test	ax, ax
		jnz	short loc_5E0AA8
		mov	eax, [edx+74h]
		test	eax, eax
		jz	short loc_5E0AA1
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	edx, [esp+20h+var_14]

loc_5E0AA1:				; CODE XREF: CcDeleteBcbs+887F3j
		lock dec dword ptr [edx+180h]

loc_5E0AA8:				; CODE XREF: CcDeleteBcbs+887D1j
					; CcDeleteBcbs+887ECj
		mov	ecx, [esp+20h+var_10]
		lea	edx, [esp+20h+var_C]
		lea	ecx, [ecx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	byte ptr [esi+2], 0
		jz	short loc_5E0ACB
		mov	edx, [esi+4]
		mov	ecx, ebx
		shr	edx, 0Ch
		call	CcDeductDirtyPages

loc_5E0ACB:				; CODE XREF: CcDeleteBcbs+8881Ej
		test	ds:byte_70EFC6,	1
		jz	short loc_5E0AE2
		mov	edx, [ebp+4]
		lea	ecx, [esp+20h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E0B16
; 

loc_5E0AE2:				; CODE XREF: CcDeleteBcbs+88834j
		mov	eax, [esp+20h+var_C]
		test	eax, eax
		jnz	short loc_5E0B05
		mov	edx, [esp+20h+var_8]
		lea	eax, [esp+20h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+20h+var_C]
		cmp	eax, ecx
		jz	short loc_5E0B16
		call	KxWaitForLockChainValid

loc_5E0B05:				; CODE XREF: CcDeleteBcbs+8884Aj
		xor	ecx, ecx
		mov	[esp+20h+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5E0B16:				; CODE XREF: CcDeleteBcbs+88842j
					; CcDeleteBcbs+88860j
		mov	cl, [esp+20h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	@CcDeallocateBcb@4 ; CcDeallocateBcb(x)
		lea	eax, [ebx+10h]
		jmp	loc_5582C5
; 

loc_5E0B2F:				; CODE XREF: CcDeleteBcbs+88790j
					; CcDeleteBcbs+88798j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5E0B34:				; CODE XREF: CcDeleteBcbs+88784j
		push	edx
		push	edx
		push	0C0000420h
		push	0D7Dh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5E0B48:				; CODE XREF: RtlpHpVaMgrCtxAllocatorDereference+24j
		push	edi
		push	7
		xor	eax, eax
		lea	edi, [esi+3Ch]
		pop	ecx
		rep stosd
		and	[esi+40h], eax
		and	[esi+44h], eax
		dec	dword ptr [ebx+38h]
		pop	edi
		jmp	loc_5583D6
; END OF FUNCTION CHUNK	FOR CcDeleteBcbs
; 
; START	OF FUNCTION CHUNK FOR KiTimerExpirationDpc

loc_5E0B62:				; CODE XREF: KiTimerExpirationDpc+46j
		push	400A02h
		push	0F56h
		xor	edx, edx
		mov	[esp+110h+var_E8], esi
		push	40020000h
		inc	edx
		mov	[esp+114h+var_E4], esi
		lea	ecx, [esp+114h+var_E8]
		mov	[esp+114h+var_E0], esi
		mov	[esp+114h+var_DC], esi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_558438
; 

loc_5E0B92:				; CODE XREF: KiTimerExpirationDpc+78j
		mov	ebx, 0FFDF0014h

loc_5E0B97:				; CODE XREF: KiTimerExpirationDpc+887CBj
		lea	ecx, [esp+108h+var_F4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		mov	[esp+108h+var_CC], eax
		mov	eax, [ebx]
		mov	[esp+108h+var_D0], eax
		mov	eax, 0FFDF001Ch
		mov	eax, [eax]
		cmp	[esp+108h+var_CC], eax
		jnz	short loc_5E0B97
		mov	ebx, [esp+108h+var_F8]
		jmp	loc_55846A
; 

loc_5E0BC2:				; CODE XREF: KiTimerExpirationDpc+95j
		mov	ebx, 0FFDF000Ch

loc_5E0BC7:				; CODE XREF: KiTimerExpirationDpc+887F2j
		lea	ecx, [esp+108h+var_F0]
		call	KeYieldProcessorEx
		mov	esi, [ebx]
		mov	eax, 0FFDF0008h
		mov	edi, [eax]
		add	eax, 8
		cmp	esi, [eax]
		jnz	short loc_5E0BC7
		mov	ebx, [esp+108h+var_F8]
		jmp	loc_558487
; 

loc_5E0BE9:				; CODE XREF: KiTimerExpirationDpc+A2j
		mov	ecx, edi
		mov	eax, esi
		shrd	ecx, eax, 12h
		mov	[ebx+3AA8h], ecx
		jmp	loc_5584B1
; END OF FUNCTION CHUNK	FOR KiTimerExpirationDpc
; 
; START	OF FUNCTION CHUNK FOR PoFxPowerControl

loc_5E0BFC:				; CODE XREF: PoFxPowerControl+18j
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		jnz	short loc_5E0C15
		xor	esi, esi
		lea	eax, [edi+84h]
		push	esi
		push	esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_5E0C15:				; CODE XREF: PoFxPowerControl+886A9j
		mov	ebx, 0C0000056h
		jmp	loc_5585A4
; 

loc_5E0C1F:				; CODE XREF: PoFxPowerControl+36j
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		push	eax
		push	[ebp+arg_14]
		mov	ecx, [ecx+18h]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_PopPluginRequestPowerControl@28 ; PopPluginRequestPowerControl(x,x,x,x,x,x,x)
		mov	ebx, eax
		lea	ecx, [edi+80h]
		jmp	loc_558596
; 

loc_5E0C47:				; CODE XREF: PoFxPowerControl+44j
		push	esi
		push	esi
		lea	ecx, [edi+84h]
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_5585A4
; END OF FUNCTION CHUNK	FOR PoFxPowerControl
; 
; START	OF FUNCTION CHUNK FOR PfpServiceMainThreadBoost

loc_5E0C5A:				; CODE XREF: PfpServiceMainThreadBoost+18j
		mov	edi, 80000022h
		jmp	loc_55865C
; 

loc_5E0C64:				; CODE XREF: PfpServiceMainThreadBoost+60j
		mov	edx, [ebp+4]
		lea	ecx, [esi+40h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_558620
; END OF FUNCTION CHUNK	FOR PfpServiceMainThreadBoost
; 
; START	OF FUNCTION CHUNK FOR RtlDeleteElementGenericTableAvlEx

loc_5E0C74:				; CODE XREF: RtlDeleteElementGenericTableAvlEx+10j
		mov	ecx, edi
		call	RealPredecessor
		mov	[esi+20h], eax
		jmp	loc_55867E
; END OF FUNCTION CHUNK	FOR RtlDeleteElementGenericTableAvlEx
; 
; START	OF FUNCTION CHUNK FOR PfpPowerActionDpcRoutine

loc_5E0C83:				; CODE XREF: PfpPowerActionDpcRoutine+2Aj
		cmp	eax, [edi+5Ch]
		jnz	loc_5586DA
		lea	eax, [edi+48h]
		and	dword ptr [eax], 0
		push	1
		push	eax
		mov	dword ptr [eax+8], offset PfpServiceMainThreadUnboost
		mov	[eax+0Ch], edi
		call	ExQueueWorkItem
		xor	edi, edi
		jmp	loc_5586DA
; 

loc_5E0CAB:				; CODE XREF: PfpPowerActionDpcRoutine+37j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5586EC
; END OF FUNCTION CHUNK	FOR PfpPowerActionDpcRoutine
; 
; START	OF FUNCTION CHUNK FOR ExWakeTimersPause

loc_5E0CBA:				; CODE XREF: ExWakeTimersPause+1Dj
		push	ecx
		xor	edx, edx
		call	ExfAcquirePushLockExclusiveEx
		jmp	loc_558739
; 

loc_5E0CC7:				; CODE XREF: ExWakeTimersPause+85j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_55875C
; END OF FUNCTION CHUNK	FOR ExWakeTimersPause
; 
; START	OF FUNCTION CHUNK FOR ExWakeTimersResume

loc_5E0CD6:				; CODE XREF: ExWakeTimersResume+66j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5587DB
; 

loc_5E0CE5:				; CODE XREF: ExWakeTimersResume+8Aj
		test	al, 4
		jnz	loc_558846
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_558846
; END OF FUNCTION CHUNK	FOR ExWakeTimersResume
; 
; START	OF FUNCTION CHUNK FOR PopActionRetrieveInitialState

loc_5E0CF7:				; CODE XREF: PopActionRetrieveInitialState+33j
		mov	[edi], ecx
		xor	edx, edx
		mov	ecx, edi
		call	PopVerifySystemPowerState
		jmp	loc_55889F
; 

loc_5E0D07:				; CODE XREF: PopActionRetrieveInitialState+17j
					; PopActionRetrieveInitialState+22j ...
		mov	[esi], ebx
		mov	[edi], ebx
		jmp	loc_55889F
; 

loc_5E0D10:				; CODE XREF: PopActionRetrieveInitialState+80j
		mov	eax, [edi]
		mov	[esi], eax
		and	ds:dword_6C26CC, 0EFFFFFFFh
		jmp	loc_5588DA
; END OF FUNCTION CHUNK	FOR PopActionRetrieveInitialState
; 
; START	OF FUNCTION CHUNK FOR NtSetTimer

loc_5E0D23:				; CODE XREF: NtSetTimer+2Aj
		mov	[ebp+ms_exc.disabled], ecx
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_5E0D34
		mov	ecx, eax

loc_5E0D34:				; CODE XREF: NtSetTimer+883E2j
		nop
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], ecx
		lea	esi, [ebp+var_30]
		mov	[ebp+var_28], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, [ebp+arg_10]
		xor	ecx, ecx
		jmp	loc_558992
; END OF FUNCTION CHUNK	FOR NtSetTimer

;  S U B	R O U T	I N E 


sub_5E0D57	proc near		; DATA XREF: .text:006A4AF4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5E0D57	endp


;  S U B	R O U T	I N E 


sub_5E0D65	proc near		; DATA XREF: .text:006A4AF8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_5589E8
sub_5E0D65	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetTimer

loc_5E0D77:				; CODE XREF: NtSetTimer+50j
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	1
		push	ecx
		mov	dl, bh
		xor	ecx, ecx
		call	_PoCaptureReasonContext@24 ; PoCaptureReasonContext(x,x,x,x,x,x)
		test	eax, eax
		js	loc_5589E8
		jmp	loc_5589A4
; 

loc_5E0D98:				; CODE XREF: NtSetTimer+79j
					; NtSetTimer+85j
		cmp	[ebp+var_1C], 0
		jz	loc_5589D9
		mov	ecx, [ebp+var_1C]
		call	_PoDestroyReasonContext@4 ; PoDestroyReasonContext(x)
		jmp	loc_5589D9
; END OF FUNCTION CHUNK	FOR NtSetTimer
; 
; START	OF FUNCTION CHUNK FOR MiPulseLowAvailableEvent

loc_5E0DAF:				; CODE XREF: MiPulseLowAvailableEvent+4Bj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_558A75
; 

loc_5E0DBF:				; CODE XREF: MiPulseLowAvailableEvent+6Dj
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5E0DC7:				; CODE XREF: MiPulseLowAvailableEvent+56j
		xor	ecx, ecx
		mov	[ebp+var_C], esi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_558A75
; END OF FUNCTION CHUNK	FOR MiPulseLowAvailableEvent
; 
; START	OF FUNCTION CHUNK FOR RtlEnumerateGenericTable

loc_5E0DD8:				; CODE XREF: RtlEnumerateGenericTable+Ej
		cmp	[ebp+arg_4], 0
		jnz	short loc_5E0DEE
		push	esi
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_5E0DF5
		jmp	short loc_5E0DFD
; 

loc_5E0DEC:				; CODE XREF: RtlEnumerateGenericTable+8829Bj
		mov	esi, eax

loc_5E0DEE:				; CODE XREF: RtlEnumerateGenericTable+88284j
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_5E0DEC

loc_5E0DF5:				; CODE XREF: RtlEnumerateGenericTable+88290j
		push	esi
		call	_RtlSplay@4	; RtlSplay(x)
		mov	[edi], eax

loc_5E0DFD:				; CODE XREF: RtlEnumerateGenericTable+88292j
		lea	eax, [esi+18h]
		neg	esi
		sbb	esi, esi
		and	eax, esi
		jmp	loc_558B6E
; END OF FUNCTION CHUNK	FOR RtlEnumerateGenericTable
; 
; START	OF FUNCTION CHUNK FOR BgLibraryEnable

loc_5E0E0B:				; CODE XREF: BgLibraryEnable+7j
		or	ds:dword_6B6BB8, 0C00h
		jmp	loc_558CE3
; 

loc_5E0E1A:				; CODE XREF: BgLibraryEnable+Fj
		mov	al, byte ptr ds:dword_6B6BB8
		and	al, 2
		movzx	eax, al
		neg	eax
		pop	esi
		sbb	eax, eax
		and	eax, 3FFFFF11h
		add	eax, 0C00000EFh
		retn
; END OF FUNCTION CHUNK	FOR BgLibraryEnable
; 
; START	OF FUNCTION CHUNK FOR MiUnmapLargePages

loc_5E0E34:				; CODE XREF: MiUnmapLargePages+1Ej
		mov	eax, ebx
		shr	ecx, 9
		and	eax, 0FFFh
		and	ecx, offset loc_7FFFF8
		add	eax, 0FFFh
		push	esi
		add	eax, edx
		mov	esi, edx
		shr	eax, 0Ch
		shr	esi, 15h
		add	eax, 0F8000000h
		sub	esi, 40000h
		shl	esi, 0Ch
		add	esi, ecx
		lea	eax, [ecx+eax*8]
		cmp	esi, eax
		jnb	short loc_5E0E8F
		mov	edi, eax

loc_5E0E6D:				; CODE XREF: MiUnmapLargePages+88162j
		mov	ecx, [esi]
		nop
		or	ecx, [esi+4]
		jz	short loc_5E0E8C
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+4], eax
		add	esi, 8
		cmp	esi, edi
		jb	short loc_5E0E6D

loc_5E0E8C:				; CODE XREF: MiUnmapLargePages+8814Bj
		mov	edi, [ebp+arg_0]

loc_5E0E8F:				; CODE XREF: MiUnmapLargePages+88141j
		add	edx, 1FFFFFh
		and	edx, 0FFE00000h
		pop	esi
		jmp	loc_558D4C
; END OF FUNCTION CHUNK	FOR MiUnmapLargePages
; 
; START	OF FUNCTION CHUNK FOR PopCheckPowerSourceAfterRtcWakeCancel

loc_5E0EA1:				; CODE XREF: PopCheckPowerSourceAfterRtcWakeCancel+25j
		push	esi
		push	offset _PopCheckPowerSourceAfterRtcWakeTimer
		call	KeCancelTimer2
		push	esi
		push	esi
		test	al, al
		jnz	short loc_5E0EBF
		push	esi
		push	esi
		push	edi
		call	KeWaitForSingleObject
		jmp	loc_558DE7
; 

loc_5E0EBF:				; CODE XREF: PopCheckPowerSourceAfterRtcWakeCancel+880F4j
		push	edi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_558DE7
; END OF FUNCTION CHUNK	FOR PopCheckPowerSourceAfterRtcWakeCancel
; 
; START	OF FUNCTION CHUNK FOR MiCheckSystemTrimEndCriteria

loc_5E0ECA:				; CODE XREF: MiCheckSystemTrimEndCriteria+1Bj
		cmp	al, 2
		jz	loc_558E0D
		mov	al, [esi]
		and	al, 7Fh
		cmp	al, 4
		jnb	loc_558E20
		mov	edx, [ecx+0FC0h]
		cmp	edx, [esi+28h]
		jnb	loc_558E20
		mov	eax, [esi+34h]
		xor	ecx, ecx
		mov	[ebp+var_C], ecx
		cmp	eax, [esi+2Ch]
		jb	short loc_5E0F09
		cmp	edx, 420h
		jnb	loc_558E20
		mov	[esi+34h], ecx

loc_5E0F09:				; CODE XREF: MiCheckSystemTrimEndCriteria+8810Cj
		mov	[ebp+var_4], ecx
		lea	edx, [edi+4E4h]
		mov	eax, ecx
		lea	ebx, [esi+8]

loc_5E0F17:				; CODE XREF: MiCheckSystemTrimEndCriteria+88141j
		mov	ecx, [ebx]
		mov	[edx], ecx
		cmp	eax, 6
		jb	short loc_5E0F23
		add	[ebp+var_4], ecx

loc_5E0F23:				; CODE XREF: MiCheckSystemTrimEndCriteria+88132j
		inc	eax
		add	ebx, 4
		add	edx, 4
		cmp	eax, 8
		jb	short loc_5E0F17
		mov	eax, [ebp+var_4]
		mov	ebx, [ebp+arg_0]
		mov	[edi+4E0h], eax
		test	ds:byte_70EFC6,	1
		push	0
		pop	ecx
		jz	short loc_5E0F53
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E0F7C
; 

loc_5E0F53:				; CODE XREF: MiCheckSystemTrimEndCriteria+88159j
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5E0F71
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jz	short loc_5E0F7C
		mov	ecx, ebx
		call	KxWaitForLockChainValid
		xor	ecx, ecx

loc_5E0F71:				; CODE XREF: MiCheckSystemTrimEndCriteria+8816Bj
		mov	[ebx], ecx
		add	eax, 4
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx

loc_5E0F7C:				; CODE XREF: MiCheckSystemTrimEndCriteria+88165j
					; MiCheckSystemTrimEndCriteria+8817Aj
		mov	cl, [ebx+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_8]
		cmp	dword ptr [eax+10C0h], 420h
		jb	short loc_5E0FAD
		inc	dword ptr [edi+550h]
		xor	eax, eax
		push	offset _MiShortTime
		push	eax
		push	eax
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	eax, [ebp+var_8]
		jmp	short loc_5E0FB3
; 

loc_5E0FAD:				; CODE XREF: MiCheckSystemTrimEndCriteria+881A6j
		inc	dword ptr [edi+554h]

loc_5E0FB3:				; CODE XREF: MiCheckSystemTrimEndCriteria+881BFj
		mov	ecx, [eax+0FC0h]
		mov	eax, [esi+28h]
		cmp	ecx, eax
		jb	short loc_5E0FD1
		mov	edx, ebx
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		jmp	loc_558E20
; 

loc_5E0FD1:				; CODE XREF: MiCheckSystemTrimEndCriteria+881D2j
		sub	eax, ecx
		mov	[ebp+arg_0], eax
		movzx	eax, byte ptr [esi]
		and	eax, 7Fh
		movzx	eax, ds:_MiTrimPassToAge[eax]
		cmp	eax, 8
		jnb	short loc_5E1005
		push	8
		lea	ecx, [edi+4E4h]
		pop	edx
		lea	ecx, [ecx+eax*4]
		sub	edx, eax
		xor	eax, eax

loc_5E0FF8:				; CODE XREF: MiCheckSystemTrimEndCriteria+88214j
		add	eax, [ecx]
		lea	ecx, [ecx+4]
		sub	edx, 1
		jnz	short loc_5E0FF8
		mov	[ebp+var_C], eax

loc_5E1005:				; CODE XREF: MiCheckSystemTrimEndCriteria+881FAj
		xor	eax, eax
		lea	edi, [esi+8]
		push	8
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_0]
		add	eax, 100h
		cmp	[ebp+var_C], eax
		jb	short loc_5E1027
		mov	cl, [esi]
		test	cl, cl
		js	short loc_5E1027
		or	cl, 80h
		jmp	short loc_5E1033
; 

loc_5E1027:				; CODE XREF: MiCheckSystemTrimEndCriteria+8822Ej
					; MiCheckSystemTrimEndCriteria+88234j
		mov	al, [esi]
		lea	ecx, [eax+1]
		xor	cl, al
		and	cl, 7Fh
		xor	cl, al

loc_5E1033:				; CODE XREF: MiCheckSystemTrimEndCriteria+88239j
		mov	[esi], cl
		mov	edx, esi
		mov	ecx, [ebp+var_8]
		call	_MiLogContinueTrim@8 ; MiLogContinueTrim(x,x)
		mov	edx, ebx
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	eax, eax
		jmp	loc_558E23
; END OF FUNCTION CHUNK	FOR MiCheckSystemTrimEndCriteria
; 
; START	OF FUNCTION CHUNK FOR MiDelayFaultingThread

loc_5E1052:				; CODE XREF: MiDelayFaultingThread+6j
		mov	edx, offset _MiHalfSecond
		jmp	short loc_5E105E
; 

loc_5E1059:				; CODE XREF: MiDelayFaultingThread+Fj
		mov	edx, offset _Mi30Milliseconds

loc_5E105E:				; CODE XREF: MiDelayFaultingThread+88203j
		mov	ecx, offset _MiSystemPartition
		call	_MiWaitForAvailablePages@8 ; MiWaitForAvailablePages(x,x)
		pop	ecx
		retn
; END OF FUNCTION CHUNK	FOR MiDelayFaultingThread
; 
; START	OF FUNCTION CHUNK FOR PfpScenCtxWaiterTimedOut

loc_5E106A:				; CODE XREF: PfpScenCtxWaiterTimedOut+11j
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		retn
; END OF FUNCTION CHUNK	FOR PfpScenCtxWaiterTimedOut
; 
; START	OF FUNCTION CHUNK FOR PopIgnoreBatteryStatusChange

loc_5E1075:				; CODE XREF: PopIgnoreBatteryStatusChange+Bj
		push	offset unk_6C2590
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jnz	loc_558EC9
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset unk_6C25D8
		call	KeWaitForSingleObject
		jmp	loc_558EC9
; END OF FUNCTION CHUNK	FOR PopIgnoreBatteryStatusChange
; 
; START	OF FUNCTION CHUNK FOR BgkNotifyDisplayOwnershipChange

loc_5E109C:				; CODE XREF: BgkNotifyDisplayOwnershipChange+104j
		mov	eax, 0C0000001h
		jmp	loc_5591C5
; 

loc_5E10A6:				; CODE XREF: BgkNotifyDisplayOwnershipChange+14Ej
		push	ebx
		push	ds:dword_6FDF5C
		push	0FFC6C6C6h
		push	ebx
		call	dword ptr [eax]
		mov	eax, ds:dword_6D4C74
		jmp	loc_55924C
; 

loc_5E10BF:				; CODE XREF: BgkNotifyDisplayOwnershipChange+168j
		xor	eax, eax
		mov	ecx, offset unk_6B5B9C
		xchg	eax, [ecx]
		jmp	loc_5591C3
; 

loc_5E10CD:				; CODE XREF: BgkNotifyDisplayOwnershipChange+47j
		mov	ds:dword_6D4D54, edx
		jmp	loc_559151
; 

loc_5E10D8:				; CODE XREF: BgkNotifyDisplayOwnershipChange+88j
		call	BgkDestroy
		push	3
		pop	ecx
		call	_InbvSetFunction@4 ; InbvSetFunction(x)
		mov	esi, ebx
		jmp	loc_5591A7
; 

loc_5E10EC:				; CODE XREF: BgkNotifyDisplayOwnershipChange+C5j
		call	eax
		mov	ds:dword_6D4AAC, ebx
		jmp	loc_5591C3
; END OF FUNCTION CHUNK	FOR BgkNotifyDisplayOwnershipChange
; 
; START	OF FUNCTION CHUNK FOR BgpFwLibraryEnable

loc_5E10F9:				; CODE XREF: BgpFwLibraryEnable+1Ej
		cmp	esi, edi
		jnz	loc_55934A
		jmp	loc_5592FC
; 

loc_5E1106:				; CODE XREF: BgpFwLibraryEnable+B6j
		push	204h
		push	[esp+14h+var_4]
		push	0
		push	esi
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		mov	[ebx+18h], eax
		test	eax, eax
		jnz	loc_559394
		mov	eax, 0C000009Ah
		jmp	loc_55934C
; 

loc_5E112C:				; CODE XREF: BgpFwLibraryEnable+C7j
		cmp	byte ptr ds:dword_6B6B7C+1, 0
		jz	loc_5593A5
		mov	cl, byte ptr ds:dword_6B6B7C+2
		xor	eax, eax
		cmp	ds:dword_6B6B8C, 4
		setnz	al
		add	eax, 3
		cmp	cl, 1
		jz	short loc_5E1167
		cmp	cl, 3
		jz	short loc_5E1167
		mov	ecx, ds:dword_6B6B88
		imul	ecx, ds:dword_6B6B80
		jmp	short loc_5E1174
; 

loc_5E1167:				; CODE XREF: BgpFwLibraryEnable+87E79j
					; BgpFwLibraryEnable+87E7Ej
		mov	ecx, ds:dword_6B6B84
		imul	ecx, ds:dword_6B6B88

loc_5E1174:				; CODE XREF: BgpFwLibraryEnable+87E8Dj
		imul	eax, ecx
		push	eax
		push	ds:dword_6B6B94
		call	MmUnmapIoSpace
		jmp	loc_5593A5
; 

loc_5E1188:				; CODE XREF: BgpFwLibraryEnable+3Aj
		shr	eax, 8
		test	al, al
		jz	loc_559318
		mov	eax, [ebx+10h]
		cmp	eax, ds:dword_6B6B8C
		jnz	loc_559318
		mov	eax, [ebx+4]
		cmp	eax, ds:dword_6B6B80
		jnz	loc_559318
		mov	eax, [ebx+8]
		cmp	eax, ds:dword_6B6B84
		jnz	loc_559318
		mov	eax, [ebx+0Ch]
		cmp	eax, ds:dword_6B6B88
		jnz	loc_559318
		push	ds:dword_6B6B94
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		and	[esp+10h+var_4], 0
		cmp	[ebx+18h], eax
		jnz	loc_559318
		cmp	[esp+10h+var_4], edx
		jnz	loc_559318
		mov	byte ptr [ebx+1], 1
		mov	eax, ds:dword_6B6B94
		mov	[ebx+18h], eax
		jmp	loc_55931F
; 

loc_5E1203:				; CODE XREF: BgpFwLibraryEnable+65j
		or	ds:dword_6B6BB8, 8
		mov	ds:dword_6B6B70, 5
		jmp	loc_559343
; END OF FUNCTION CHUNK	FOR BgpFwLibraryEnable
; 
; START	OF FUNCTION CHUNK FOR BgpFwReleaseLock

loc_5E1219:				; CODE XREF: BgpFwReleaseLock+23j
		mov	edx, [ebp+4]
		mov	ecx, offset dword_6FB700
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_55948D
; END OF FUNCTION CHUNK	FOR BgpFwReleaseLock
; 
; START	OF FUNCTION CHUNK FOR BgpTxtDisplayCharacter

loc_5E122B:				; CODE XREF: BgpTxtDisplayCharacter+15Cj
		mov	eax, [esp+50h+var_3C]
		movzx	ecx, ax
		push	ecx
		push	edi		; char
		push	(offset	loc_5A795B+1) ;	char *
		push	ebx		; int
		push	65h		; int
		call	_DbgPrintEx
		mov	dl, [esp+64h+var_43]
		add	esp, 14h
		jmp	loc_5595CF
; 

loc_5E124D:				; CODE XREF: BgpTxtDisplayCharacter+168j
		mov	ecx, [esp+50h+var_38]
		lea	edx, [esp+50h+var_8]
		call	_BgpFoGetTextMetrics@8 ; BgpFoGetTextMetrics(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_5595FF
		mov	edx, [esp+50h+var_40]
		mov	eax, [esp+50h+var_4]
		mov	[esp+50h+var_24], eax
		mov	[esp+50h+var_41], 1
		mov	[edx], eax
		mov	eax, [esp+50h+var_30]
		mov	[edx+4], eax
		mov	al, [esp+50h+var_43]
		jmp	loc_55965E
; 

loc_5E1287:				; CODE XREF: BgpTxtDisplayCharacter+178j
		lea	eax, [esp+50h+var_10]
		push	eax
		mov	eax, [esp+54h+var_28]
		mov	ecx, eax
		lea	edx, [eax+8]
		call	_TxtpJustifyRectangle@12 ; TxtpJustifyRectangle(x,x,x)
		mov	edx, [esp+50h+var_40]
		lea	eax, [esp+50h+var_34]
		push	eax
		lea	eax, [esp+54h+var_10]
		mov	ecx, esi
		push	eax
		call	_BgpGxBlendRectangle@16	; BgpGxBlendRectangle(x,x,x,x)
		mov	esi, [esp+50h+var_34]
		mov	edi, eax
		mov	al, [esp+50h+var_43]
		mov	dl, al
		test	edi, edi
		js	loc_5595CF
		mov	edx, [esp+50h+var_40]
		jmp	loc_55966C
; 

loc_5E12CC:				; CODE XREF: BgpTxtDisplayCharacter+193j
		cmp	eax, [esi+8]
		jnz	loc_559685
		mov	cl, [esp+50h+var_43]
		mov	ebx, esi
		mov	[esp+50h+var_42], cl
		jmp	loc_55958B
; 

loc_5E12E4:				; CODE XREF: BgpTxtDisplayCharacter+1BCj
		mov	ecx, esi
		call	_BgpGxRectangleDestroy@4 ; BgpGxRectangleDestroy(x)
		mov	al, byte ptr [esp+48h+var_3C+1]
		jmp	loc_5596AE
; 

loc_5E12F4:				; CODE XREF: BgpTxtDisplayCharacter+ECj
		mov	ebx, [esp+50h+var_30]
		mov	[eax], ebx
		jmp	loc_5595DE
; 

loc_5E12FF:				; CODE XREF: BgpTxtDisplayCharacter+F7j
		mov	ebx, [esp+50h+var_24]
		mov	[eax], ebx
		jmp	loc_5595E9
; 

loc_5E130A:				; CODE XREF: BgpTxtDisplayCharacter+1F9j
					; BgpTxtDisplayCharacter+207j
		test	esi, esi
		jz	loc_5595F4
		mov	ecx, esi
		call	_BgpGxRectangleDestroy@4 ; BgpGxRectangleDestroy(x)
		mov	ecx, [esp+48h+var_38]
		jmp	loc_5595F4
; 

loc_5E1322:				; CODE XREF: BgpTxtDisplayCharacter+10Dj
		mov	eax, [esp+50h+var_1C]
		mov	[ecx], eax
		mov	eax, [esp+50h+var_18]
		mov	[ecx+4], eax
		jmp	loc_5595FF
; END OF FUNCTION CHUNK	FOR BgpTxtDisplayCharacter
; 
; START	OF FUNCTION CHUNK FOR BgpGxDrawRectangle

loc_5E1334:				; CODE XREF: BgpGxDrawRectangle+38j
		test	ds:dword_6B6BB8, 0C00h
		jz	short loc_5E1349
		lea	ecx, [ebp+var_48]
		xor	esi, esi
		mov	[ebp+var_4C], ecx
		inc	esi

loc_5E1349:				; CODE XREF: BgpGxDrawRectangle+87BD2j
		push	esi
		lea	ecx, [ebp+var_4C]
		mov	edx, eax
		push	ecx
		mov	ecx, edi
		call	BgpGxConvertRectangleEx
		test	eax, eax
		js	loc_5597C0
		mov	esi, [ebp+var_4C]
		mov	edi, esi
		mov	ebx, edi
		jmp	loc_5597AA
; 

loc_5E136B:				; CODE XREF: BgpGxDrawRectangle+4Cj
		lea	eax, [ebp+var_48]
		cmp	ebx, eax
		jz	loc_5597BE
		mov	ecx, esi
		call	_BgpGxRectangleDestroy@4 ; BgpGxRectangleDestroy(x)
		jmp	loc_5597BE
; END OF FUNCTION CHUNK	FOR BgpGxDrawRectangle
; 
; START	OF FUNCTION CHUNK FOR GxpWriteFrameBufferPixels

loc_5E1382:				; CODE XREF: GxpWriteFrameBufferPixels+C2j
		mov	eax, 0C0000001h
		jmp	loc_5599A3
; 

loc_5E138C:				; CODE XREF: GxpWriteFrameBufferPixels+F4j
		mov	eax, [ebx]
		xor	esi, esi
		mov	[ebp+var_B0], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_AC], eax
		mov	eax, ds:dword_6B6BB8
		mov	[ebp+var_50], esi
		test	al, 8
		jz	short loc_5E13F7
		test	eax, 0C00h
		jz	short loc_5E13BD
		lea	eax, [ebp+var_48]
		mov	[ebp+var_50], eax
		xor	eax, eax
		inc	eax
		jmp	short loc_5E13BF
; 

loc_5E13BD:				; CODE XREF: GxpWriteFrameBufferPixels+87BE0j
		xor	eax, eax

loc_5E13BF:				; CODE XREF: GxpWriteFrameBufferPixels+87BEBj
		push	eax
		lea	eax, [ebp+var_50]
		mov	ecx, ebx
		push	eax
		push	4
		pop	edx
		call	BgpGxConvertRectangleEx
		test	eax, eax
		js	loc_5599A3
		mov	esi, [ebp+var_50]
		mov	eax, [esi+0Ch]
		mov	[ebp+var_A4], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_A0], eax
		mov	[ebp+var_A8], 1
		jmp	short loc_5E1414
; 

loc_5E13F7:				; CODE XREF: GxpWriteFrameBufferPixels+87BD9j
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_A4], eax
		mov	eax, [ebx+14h]
		mov	[ebp+var_A0], eax
		mov	eax, ds:dword_6B6B70
		mov	[ebp+var_A8], eax

loc_5E1414:				; CODE XREF: GxpWriteFrameBufferPixels+87C25j
		mov	eax, ds:dword_6B6B78
		lea	ecx, [ebp+var_B0]
		push	0
		push	edi
		push	ecx
		call	eax
		mov	edi, eax
		test	esi, esi
		jz	short loc_5E1439
		lea	eax, [ebp+var_48]
		cmp	esi, eax
		jz	short loc_5E1439
		mov	ecx, esi
		call	_BgpGxRectangleDestroy@4 ; BgpGxRectangleDestroy(x)

loc_5E1439:				; CODE XREF: GxpWriteFrameBufferPixels+87C59j
					; GxpWriteFrameBufferPixels+87C60j
		test	edi, edi
		js	loc_559982
		jmp	loc_559980
; 

loc_5E1446:				; CODE XREF: GxpWriteFrameBufferPixels+13Aj
		sub	eax, 1
		jz	short loc_5E1463
		sub	eax, 1
		jz	loc_559910
		sub	eax, 1
		jz	short loc_5E1463
		mov	edi, 0C000000Dh
		jmp	loc_559982
; 

loc_5E1463:				; CODE XREF: GxpWriteFrameBufferPixels+87C79j
					; GxpWriteFrameBufferPixels+87C87j
		mov	eax, [ebx]
		mov	[ebp+var_60], eax
		imul	eax, esi
		mov	[ebp+var_58], eax
		mov	[ebp+var_84], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_5C], eax
		jmp	loc_559927
; 

loc_5E147F:				; CODE XREF: GxpWriteFrameBufferPixels+16Dj
		mov	eax, [ebp+var_5C]
		xor	edx, edx
		mov	[ebp+var_C8], eax
		mov	eax, [ebp+var_60]
		mov	[ebp+var_C4], eax
		mov	[ebp+var_58], edx
		test	eax, eax
		jz	loc_559977
		mov	edi, [ebp+var_64]

loc_5E14A1:				; CODE XREF: GxpWriteFrameBufferPixels+87D53j
		mov	eax, edx
		imul	eax, edi
		add	eax, [ebx+14h]
		mov	[ebp+var_60], eax
		xor	eax, eax
		mov	[ebp+var_5C], eax
		cmp	[ebx+4], eax
		jbe	short loc_5E151D

loc_5E14B6:				; CODE XREF: GxpWriteFrameBufferPixels+87D48j
		push	edx
		push	eax
		sub	esp, 0Ch
		lea	esi, [ebp+var_9C]
		mov	edi, esp
		lea	edx, [ebp+var_70]
		sub	esp, 0Ch
		movsd
		movsd
		movsd
		mov	edi, esp
		lea	esi, [ebp+var_C8]
		movsd
		movsd
		movsd
		call	_GxpGetRotatedPixelOffset@40 ; GxpGetRotatedPixelOffset(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_559982
		mov	esi, [ebp+var_6C]
		mov	eax, [ebp+var_70]
		mov	edi, [ebp+var_60]
		imul	eax, esi
		push	esi		; size_t
		push	edi		; void *
		add	eax, ds:dword_6B6B78
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_5C]
		add	edi, esi
		mov	ecx, [ebp+var_54]
		add	esp, 0Ch
		mov	edx, [ebp+var_58]
		inc	eax
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], eax
		cmp	eax, [ebx+4]
		jb	short loc_5E14B6
		mov	edi, [ebp+var_64]

loc_5E151D:				; CODE XREF: GxpWriteFrameBufferPixels+87CE4j
		inc	edx
		mov	[ebp+var_58], edx
		cmp	edx, [ebx]
		jb	loc_5E14A1
		jmp	loc_559977
; 

loc_5E152E:				; CODE XREF: GxpWriteFrameBufferPixels+8Ej
					; GxpWriteFrameBufferPixels+98j ...
		mov	eax, 0C000000Dh
		jmp	loc_5599A3
; END OF FUNCTION CHUNK	FOR GxpWriteFrameBufferPixels
; 
; START	OF FUNCTION CHUNK FOR GxpAdjustRectangleToFrameBuffer

loc_5E1538:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+6Cj
		test	ah, ah
		jz	loc_559ABD
		mov	[ebp+var_10], esi
		jmp	loc_559A36
; 

loc_5E1548:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+7Aj
		test	ah, ah
		jz	loc_559ABD
		mov	[ebp+var_18], esi
		jmp	loc_559A47
; 

loc_5E1558:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+85j
					; GxpAdjustRectangleToFrameBuffer+8Dj
		cmp	byte ptr ds:_BgInternal, 0
		jz	loc_559A57
		mov	esi, [ebp+var_8]
		cmp	[ebp+var_10], esi
		mov	esi, [ebp+var_18]
		jnb	short loc_5E1578
		cmp	al, 2
		jnz	short loc_5E1578
		mov	ebx, edx
		jmp	short loc_5E1585
; 

loc_5E1578:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+87BAAj
					; GxpAdjustRectangleToFrameBuffer+87BAEj
		mov	eax, [ebp+var_1C]
		sub	eax, [ebp+var_10]
		sub	eax, ebx
		mov	ebx, eax
		mov	al, [ebp+var_1]

loc_5E1585:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+87BB2j
		cmp	esi, [ebp+var_14]
		jnb	short loc_5E1595
		cmp	al, 2
		jnz	short loc_5E1595
		mov	ecx, edx
		jmp	loc_559A67
; 

loc_5E1595:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+87BC4j
					; GxpAdjustRectangleToFrameBuffer+87BC8j
		mov	eax, edi
		sub	eax, esi
		sub	eax, ecx
		mov	ecx, eax
		mov	al, [ebp+var_1]
		jmp	loc_559A57
; 

loc_5E15A5:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+95j
					; GxpAdjustRectangleToFrameBuffer+9Dj
		cmp	byte ptr ds:_BgInternal, 0
		jz	loc_559A67
		mov	ecx, [ebp+var_1C]
		cmp	al, 1
		mov	eax, [ebp+var_C]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_34], edi
		jnz	short loc_5E15DC
		mov	ebx, [ebp+var_10]
		mov	esi, [ebp+var_8]
		cmp	ebx, esi
		jnb	short loc_5E15D0
		mov	ecx, edx
		jmp	short loc_5E15D4
; 

loc_5E15D0:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+87C06j
		sub	ecx, [eax]
		sub	ecx, ebx

loc_5E15D4:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+87C0Aj
		mov	ebx, [eax+4]
		jmp	loc_559A6A
; 

loc_5E15DC:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+87BFCj
		cmp	esi, [ebp+var_14]
		jnb	short loc_5E15E5
		mov	ebx, edx
		jmp	short loc_5E15EC
; 

loc_5E15E5:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+87C1Bj
		mov	ebx, edi
		sub	ebx, [eax+4]
		sub	ebx, esi

loc_5E15EC:				; CODE XREF: GxpAdjustRectangleToFrameBuffer+87C1Fj
		mov	ecx, [eax]
		jmp	loc_559A67
; END OF FUNCTION CHUNK	FOR GxpAdjustRectangleToFrameBuffer
; 
; START	OF FUNCTION CHUNK FOR BgpRasPrintGlyph

loc_5E15F3:				; CODE XREF: BgpRasPrintGlyph+FAj
		mov	[ebp+var_4D], 1
		jmp	loc_559BE2
; 

loc_5E15FC:				; CODE XREF: BgpRasPrintGlyph+12Bj
		push	32h
		pop	ecx
		call	BgpFwAllocateMemory
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_559C19
		mov	eax, [ebp+var_64]
		mov	esi, 0C0000017h
		mov	[ebp+var_64], eax

loc_5E1619:				; CODE XREF: BgpRasPrintGlyph+121j
					; BgpRasPrintGlyph+264j ...
		mov	al, [ebp+var_4D]
		test	al, al
		jz	loc_559D53
		test	ebx, ebx
		jz	loc_559D4F
		mov	ecx, ebx
		call	_RaspDestroyCachedBitmap@4 ; RaspDestroyCachedBitmap(x)
		jmp	loc_559D4C
; 

loc_5E1638:				; CODE XREF: BgpRasPrintGlyph+1B7j
		movzx	eax, word ptr [ebx+2Ch]
		xor	esi, esi
		push	eax		; char
		push	(offset	loc_5A7987+1) ;	char *
		push	esi		; int
		push	65h		; int
		mov	[ebp+var_60], esi
		call	_DbgPrintEx
		add	esp, 10h
		jmp	loc_559CA4
; 

loc_5E1657:				; CODE XREF: BgpRasPrintGlyph+205j
		mov	[ebp+var_48], edx
		jmp	loc_559CF3
; 

loc_5E165F:				; CODE XREF: BgpRasPrintGlyph+1EBj
		push	edi
		lea	eax, [ebp+var_78]
		mov	[ebp+var_94], ecx
		push	eax
		push	20h
		mov	[ebp+var_98], edx
		lea	ecx, [ebp+var_98]
		mov	[ebp+var_90], edx
		pop	edx
		call	_RaspRectangleCreate@16	; RaspRectangleCreate(x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_58]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+var_78]
		mov	[ebp+var_54], eax
		test	esi, esi
		js	short loc_5E1619
		jmp	loc_559D12
; 

loc_5E169B:				; CODE XREF: BgpRasPrintGlyph+247j
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_54]
		mov	ecx, [ebp+var_88]
		and	[ebp+var_84], 0
		and	[ebp+var_80], 0
		mov	[ebp+var_70], eax
		mov	eax, [ebp+var_60]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_84]
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		call	_BgpGxCopyRectangle@16 ; BgpGxCopyRectangle(x,x,x,x)
		jmp	loc_559D2F
; 

loc_5E16D0:				; CODE XREF: BgpRasPrintGlyph+25Cj
		mov	edx, ebx
		mov	ecx, offset _RaspBitmapCache
		call	_RaspAddCacheEntry@8 ; RaspAddCacheEntry(x,x)
		jmp	loc_559D44
; 

loc_5E16E1:				; CODE XREF: BgpRasPrintGlyph+1D0j
					; BgpRasPrintGlyph+1E1j
		mov	esi, 80000005h
		jmp	loc_559D44
; 

loc_5E16EB:				; CODE XREF: BgpRasPrintGlyph+291j
		test	eax, eax
		jz	loc_559D79
		cmp	dword ptr [edi], 0
		jnz	loc_559D79
		mov	ecx, eax
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	loc_559D79
; END OF FUNCTION CHUNK	FOR BgpRasPrintGlyph
; 
; START	OF FUNCTION CHUNK FOR BgpGxConvertRectangleEx

loc_5E1708:				; CODE XREF: BgpGxConvertRectangleEx+1Ej
		mov	[ebp+arg_7], 1
		cmp	edx, [edi+8]
		jbe	short loc_5E171B
		mov	eax, 0C000000Dh
		jmp	loc_559E18
; 

loc_5E171B:				; CODE XREF: BgpGxConvertRectangleEx+87975j
		mov	esi, [ebp+arg_0]
		mov	eax, [edi]
		mov	esi, [esi]
		mov	[esi], eax
		mov	eax, [edi+4]
		mov	[esi+4], eax
		mov	[esi+8], edx
		mov	[esi+10h], ecx
		mov	eax, [edi+0Ch]
		mov	[esi+0Ch], eax
		mov	eax, [edi+14h]
		mov	[esi+14h], eax
		jmp	loc_559DE5
; 

loc_5E1741:				; CODE XREF: BgpGxConvertRectangleEx+87j
		xor	eax, eax
		mov	[ebp+var_10], eax
		cmp	[esi], eax
		jbe	loc_559E69
		mov	edi, ecx

loc_5E1750:				; CODE XREF: BgpGxConvertRectangleEx+879FAj
		xor	ecx, ecx
		mov	[ebp+var_C], ecx
		cmp	[esi+4], ecx
		jbe	short loc_5E1788

loc_5E175A:				; CODE XREF: BgpGxConvertRectangleEx+879E9j
		mov	ecx, [edi]
		lea	edx, [ebp+var_1]
		call	_GxpMatchPaletteColor@8	; GxpMatchPaletteColor(x,x)
		mov	ecx, [ebp+var_C]
		mov	al, byte ptr [ebp+var_1]
		test	cl, 1
		jnz	short loc_5E1776
		shl	al, 4
		mov	[ebx], al
		jmp	short loc_5E1779
; 

loc_5E1776:				; CODE XREF: BgpGxConvertRectangleEx+879D3j
		or	[ebx], al
		inc	ebx

loc_5E1779:				; CODE XREF: BgpGxConvertRectangleEx+879DAj
		add	edi, [ebp+var_8]
		inc	ecx
		mov	[ebp+var_C], ecx
		cmp	ecx, [esi+4]
		jb	short loc_5E175A
		mov	eax, [ebp+var_10]

loc_5E1788:				; CODE XREF: BgpGxConvertRectangleEx+879BEj
		test	cl, 1
		jz	short loc_5E178E
		inc	ebx

loc_5E178E:				; CODE XREF: BgpGxConvertRectangleEx+879F1j
		inc	eax
		mov	[ebp+var_10], eax
		cmp	eax, [esi]
		jb	short loc_5E1750
		jmp	loc_559E66
; END OF FUNCTION CHUNK	FOR BgpGxConvertRectangleEx
; 
; START	OF FUNCTION CHUNK FOR RaspRasterize

loc_5E179B:				; CODE XREF: RaspRasterize+7Aj
		test	ecx, ecx
		jz	loc_559FBA
		cmp	dword ptr [edi], 0
		jnz	loc_559FBA
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	loc_559FBA
; END OF FUNCTION CHUNK	FOR RaspRasterize
; 
; START	OF FUNCTION CHUNK FOR RaspGetUnscaledGlyphData

loc_5E17B6:				; CODE XREF: RaspGetUnscaledGlyphData+2Bj
		xor	ebx, ebx
		jmp	loc_55A162
; 

loc_5E17BD:				; CODE XREF: RaspGetUnscaledGlyphData+44j
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		mov	ecx, edi
		xor	ebx, ebx
		call	RaspMapGlyphIndexToLocation
		mov	edi, eax
		test	edi, edi
		js	short loc_5E17DA
		mov	edi, [ebp+var_10]
		jmp	loc_55A178
; 

loc_5E17DA:				; CODE XREF: RaspGetUnscaledGlyphData+876A2j
		mov	ebx, [ebp+arg_8]
		jmp	loc_55A1BC
; 

loc_5E17E2:				; CODE XREF: RaspGetUnscaledGlyphData+9Bj
		cmp	dword ptr [ebx], 0
		jnz	loc_55A1CF
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	loc_55A1CF
; END OF FUNCTION CHUNK	FOR RaspGetUnscaledGlyphData
; 
; START	OF FUNCTION CHUNK FOR RaspScanConvert

loc_5E17F7:				; CODE XREF: RaspScanConvert+37j
		mov	byte ptr [ebp+arg_8+3],	1
		jmp	loc_55A221
; 

loc_5E1800:				; CODE XREF: RaspScanConvert+DDj
		push	0C3Ch
		push	offset unk_B15748
		call	_BgpGxInitializeRectangle@16 ; BgpGxInitializeRectangle(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_55A412
		mov	ecx, offset unk_B15748
		jmp	loc_55A2D4
; 

loc_5E1823:				; CODE XREF: RaspScanConvert+11Dj
		cmp	edi, 68h
		jg	short loc_5E1835
		mov	ebx, offset unk_B16388
		mov	[ebp+arg_8], ebx
		jmp	loc_55A31F
; 

loc_5E1835:				; CODE XREF: RaspScanConvert+139j
					; RaspScanConvert+87646j
		mov	ecx, [ebp+var_4]
		mov	esi, 0C000009Ah

loc_5E183D:				; CODE XREF: RaspScanConvert+F9j
		test	ecx, ecx
		jz	loc_55A412
		mov	eax, [ebp+arg_14]
		cmp	dword ptr [eax], 0
		jnz	loc_55A415
		jmp	loc_55A40D
; END OF FUNCTION CHUNK	FOR RaspScanConvert
; 
; START	OF FUNCTION CHUNK FOR RaspGetSegmentDirection

loc_5E1856:				; CODE XREF: RaspGetSegmentDirection+18j
		cmp	byte ptr [ecx+0Ch], 1
		jz	loc_55AA30
		mov	eax, [ecx+4]
		mov	esi, ebx
		sub	esi, [eax+0Ch]
		sub	esi, [eax+4]
		add	esi, edi
		jmp	loc_55AA1E
; END OF FUNCTION CHUNK	FOR RaspGetSegmentDirection
; 
; START	OF FUNCTION CHUNK FOR RaspLoadBearings

loc_5E1872:				; CODE XREF: RaspLoadBearings+5Fj
		mov	eax, [edi+30h]
		mov	ecx, [ebp+var_8]
		dec	ecx
		lea	edx, [eax+ecx*4]
		mov	ecx, [edi+8]
		lea	eax, [ebp+var_4]
		push	eax		; void *
		push	4		; size_t
		mov	ecx, [ecx+8]
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		test	eax, eax
		js	loc_55ADDB
		mov	ax, word ptr [ebp+var_4]
		mov	ch, al
		mov	cl, ah
		movzx	ebx, cx
		jmp	loc_55AD61
; END OF FUNCTION CHUNK	FOR RaspLoadBearings
; 
; START	OF FUNCTION CHUNK FOR RaspMapGlyphIndexToLocation

loc_5E18A5:				; CODE XREF: RaspMapGlyphIndexToLocation+1Fj
		cmp	eax, 1
		jnz	short loc_5E18F5
		mov	eax, [esi+34h]
		mov	ecx, [esi+8]
		lea	ebx, [eax+edx*4]
		mov	ecx, [ecx+8]
		lea	eax, [ebp+var_8]
		push	eax		; void *
		mov	edx, ebx
		call	_FioFwReadUlongAtOffset@12 ; FioFwReadUlongAtOffset(x,x,x)
		test	eax, eax
		js	loc_55AEA7
		mov	edi, [ebp+arg_0]
		lea	edx, [ebx+4]
		mov	eax, [ebp+var_8]
		mov	ecx, [esi+8]
		mov	[edi], eax
		lea	eax, [ebp+var_8]
		push	eax		; void *
		mov	ecx, [ecx+8]
		call	_FioFwReadUlongAtOffset@12 ; FioFwReadUlongAtOffset(x,x,x)
		test	eax, eax
		js	loc_55AEA7
		mov	eax, [edi]
		cmp	eax, [ebp+var_8]
		jmp	loc_55AEA3
; 

loc_5E18F5:				; CODE XREF: RaspMapGlyphIndexToLocation+86A6Ej
		mov	eax, 0C000007Bh
		jmp	loc_55AEA7
; END OF FUNCTION CHUNK	FOR RaspMapGlyphIndexToLocation
; 
; START	OF FUNCTION CHUNK FOR RaspInitializeGlyphData

loc_5E18FF:				; CODE XREF: RaspInitializeGlyphData+90j
		mov	eax, 0C000000Dh
		jmp	loc_55B1CA
; 

loc_5E1909:				; CODE XREF: RaspInitializeGlyphData+96j
		mov	edx, [ebp+arg_4]
		push	2Eh
		pop	ecx
		call	RaspAllocateMemory
		mov	esi, eax
		test	esi, esi
		jz	short loc_5E195C
		movsx	edx, word ptr [ebp+var_34+2]
		xor	eax, eax
		movsx	ecx, word ptr [ebp+var_30]
		mov	[esi], ax
		movsx	eax, word ptr [ebp+var_30+2]
		mov	[esi+0Ah], eax
		movsx	eax, word ptr [ebp+var_2C]
		mov	[esi+0Eh], eax
		xor	eax, eax
		mov	[esi+16h], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+2], edx
		mov	[esi+6], ecx
		mov	[esi+12h], edx
		mov	[eax], esi
		jmp	loc_55B1C8
; 

loc_5E194D:				; CODE XREF: RaspInitializeGlyphData+1B6j
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax], 0
		jnz	short loc_5E195C
		mov	ecx, ebx
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_5E195C:				; CODE XREF: RaspInitializeGlyphData+E8j
					; RaspInitializeGlyphData+86A38j ...
		mov	eax, 0C000009Ah
		jmp	loc_55B1CA
; 

loc_5E1966:				; CODE XREF: RaspInitializeGlyphData+26j
					; RaspInitializeGlyphData+31j
		mov	eax, 0C0000001h
		jmp	loc_55B1CA
; END OF FUNCTION CHUNK	FOR RaspInitializeGlyphData
; 
; START	OF FUNCTION CHUNK FOR RaspCreateSegmentList

loc_5E1970:				; CODE XREF: RaspCreateSegmentList+14j
		mov	eax, 0C000000Dh
		jmp	loc_55B41B
; 

loc_5E197A:				; CODE XREF: RaspCreateSegmentList+93j
		mov	eax, 0C000009Ah
		jmp	loc_55B566
; 

loc_5E1984:				; CODE XREF: RaspCreateSegmentList+10Cj
		imul	eax, [ebp+var_14], arg_8+1
		mov	edx, [ebp+var_4]
		test	byte ptr [eax+edx+10h],	1
		jnz	loc_55B3FD
		jmp	loc_55B38E
; 

loc_5E199B:				; CODE XREF: RaspCreateSegmentList+121j
		imul	eax, [ebp+var_14], arg_8+1
		mov	edx, [ebp+var_4]
		test	byte ptr [eax+edx+10h],	1
		jnz	loc_55B3FD
		jmp	loc_55B3A3
; 

loc_5E19B2:				; CODE XREF: RaspCreateSegmentList+156j
					; RaspCreateSegmentList+171j ...
		push	[ebp+arg_C]
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_20]
		call	_RaspDestroySegmentList@12 ; RaspDestroySegmentList(x,x,x)
		mov	eax, esi
		mov	ecx, esi
		mov	esi, 0C000009Ah
		jmp	loc_55B40D
; END OF FUNCTION CHUNK	FOR RaspCreateSegmentList
; 
; START	OF FUNCTION CHUNK FOR RaspAllocateMemory

loc_5E19CE:				; CODE XREF: RaspAllocateMemory+16j
		mov	eax, [edi+4]
		sub	eax, esi
		cmp	ebx, eax
		ja	short loc_5E19E5
		lea	eax, [esi+ebx]
		lea	edx, [ecx+esi]
		mov	[edi+8], eax
		jmp	loc_55B609
; 

loc_5E19E5:				; CODE XREF: RaspAllocateMemory+863FBj
		xor	edx, edx
		jmp	loc_55B609
; END OF FUNCTION CHUNK	FOR RaspAllocateMemory
; 
; START	OF FUNCTION CHUNK FOR BgpFwAllocateMemory

loc_5E19EC:				; CODE XREF: BgpFwAllocateMemory+Dj
		xor	eax, eax
		leave
		retn
; 

loc_5E19F0:				; CODE XREF: BgpFwAllocateMemory+76j
		mov	eax, large fs:20h
		mov	ecx, 200h
		push	0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		mov	eax, [ebp+var_8]
		mov	edx, eax
		push	[ebp+var_C]
		mov	[ebp+var_8], eax
		call	ExpAllocatePoolWithTagFromNode
		jmp	loc_55B6CB
; 

loc_5E1A25:				; CODE XREF: BgpFwAllocateMemory+BDj
					; BgpFwAllocateMemory+103j
		test	esi, esi
		jz	loc_55B65A
		xor	edx, edx
		mov	ecx, esi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_55B65A
; END OF FUNCTION CHUNK	FOR BgpFwAllocateMemory
; 
; START	OF FUNCTION CHUNK FOR BgpFwReserveAllocate

loc_5E1A43:				; CODE XREF: BgpFwReserveAllocate+2Bj
		and	ds:dword_6D4C04, 0
		push	0
		push	esi
		push	ebx
		call	RtlFindClearBitsAndSet
		mov	edx, eax
		mov	eax, ds:dword_6D4C14
		jmp	loc_55B753
; END OF FUNCTION CHUNK	FOR BgpFwReserveAllocate
; 
; START	OF FUNCTION CHUNK FOR RaspLoadGlyphData

loc_5E1A5F:				; CODE XREF: RaspLoadGlyphData+48j
		push	[ebp+arg_0]
		call	_RaspLoadCompositeGlyphData@20 ; RaspLoadCompositeGlyphData(x,x,x,x,x)
		jmp	loc_55B865
; END OF FUNCTION CHUNK	FOR RaspLoadGlyphData
; 
; START	OF FUNCTION CHUNK FOR RaspMapCharacterCodeToGlyphIndex

loc_5E1A6C:				; CODE XREF: RaspMapCharacterCodeToGlyphIndex+43j
		mov	eax, [edi+8]
		shr	ecx, 1
		movzx	eax, word ptr [eax+esi*2]
		sub	ecx, eax
		movzx	eax, dx
		mov	edx, [ebp+var_4]
		add	ecx, esi
		add	eax, ecx
		mov	ecx, [edi+10h]
		mov	dx, [edx+eax*2]
		add	dx, [ecx+esi*2]
		movzx	eax, dx
		jmp	loc_55B8D8
; END OF FUNCTION CHUNK	FOR RaspMapCharacterCodeToGlyphIndex
; 
; START	OF FUNCTION CHUNK FOR RaspScaleCoordinates

loc_5E1A94:				; CODE XREF: RaspScaleCoordinates+18j
		mov	eax, 0C0000001h
		jmp	loc_55BA41
; END OF FUNCTION CHUNK	FOR RaspScaleCoordinates
; 
; START	OF FUNCTION CHUNK FOR BgpFwQueryBootGraphicsInformation

loc_5E1A9E:				; CODE XREF: BgpFwQueryBootGraphicsInformation+40j
					; BgpFwQueryBootGraphicsInformation+48j
		mov	ecx, [ebx+8]
		mov	eax, [ebx+0Ch]
		mov	[ebx+8], eax
		mov	[ebx+0Ch], ecx
		jmp	loc_55BD48
; 

loc_5E1AAF:				; CODE XREF: BgpFwQueryBootGraphicsInformation+62j
		mov	dword ptr [ebx], 8
		mov	eax, ds:dword_6B6C04
		add	eax, 8

loc_5E1ABD:				; CODE XREF: BgpFwQueryBootGraphicsInformation+85DD8j
		mov	[ebx], eax
		jmp	loc_55BD52
; 

loc_5E1AC4:				; CODE XREF: BgpFwQueryBootGraphicsInformation+6Bj
		cmp	ds:dword_6B6BFC, eax
		jnz	short loc_5E1AD4
		cmp	ds:dword_6B6C00, eax
		jz	short loc_5E1ABD

loc_5E1AD4:				; CODE XREF: BgpFwQueryBootGraphicsInformation+85DD0j
		mov	eax, ds:dword_6B6C00
		mov	edi, ds:dword_6B6C04
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_5E1B10
		mov	ecx, edi
		call	BgpFwAllocateMemory
		mov	esi, eax
		test	esi, esi
		jnz	short loc_5E1AFD
		mov	edx, 0C0000017h
		jmp	loc_55BD52
; 

loc_5E1AFD:				; CODE XREF: BgpFwQueryBootGraphicsInformation+85DF7j
		push	edi		; size_t
		push	ds:dword_6B6BFC	; void *
		mov	[ebp+var_C], esi
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_5E1B10:				; CODE XREF: BgpFwQueryBootGraphicsInformation+85DEAj
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		push	8
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		js	loc_5E1BAF
		call	BgpFwReleaseLock
		mov	ecx, large fs:20h
		mov	edx, [ebp+var_8]
		push	0
		mov	ecx, [ecx+338h]
		movzx	ecx, word ptr [ecx+8Ah]
		or	ecx, 80000000h
		push	ecx
		xor	ecx, ecx
		push	4B494742h
		inc	ecx
		call	ExpAllocatePoolWithTagFromNode
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_5E1B73
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		mov	edx, 0C0000017h
		mov	[ebp+var_4], edx
		jmp	short loc_5E1BAF
; 

loc_5E1B73:				; CODE XREF: BgpFwQueryBootGraphicsInformation+85E68j
		lea	ecx, [eax+8]
		xor	edx, edx
		test	ds:dword_6B6BB8, 800000h
		mov	[ebp+var_8], ecx
		mov	ecx, eax
		jz	short loc_5E1B8A
		inc	edx

loc_5E1B8A:				; CODE XREF: BgpFwQueryBootGraphicsInformation+85E8Dj
		push	edi		; size_t
		push	[ebp+var_C]	; void *
		mov	[ecx], edx
		push	[ebp+var_8]	; void *
		mov	dword ptr [eax+4], 8
		call	_memcpy
		add	esp, 0Ch
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		mov	eax, [ebp+var_10]
		mov	edx, [ebp+var_4]
		mov	[ebx], eax

loc_5E1BAF:				; CODE XREF: BgpFwQueryBootGraphicsInformation+85E2Bj
					; BgpFwQueryBootGraphicsInformation+85E77j
		test	esi, esi
		jz	loc_55BD52
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	edx, [ebp+var_4]
		jmp	loc_55BD52
; END OF FUNCTION CHUNK	FOR BgpFwQueryBootGraphicsInformation
; 
; START	OF FUNCTION CHUNK FOR PnpDeviceCompletionQueueDispatchedEntryCompleted

loc_5E1BC6:				; CODE XREF: PnpDeviceCompletionQueueDispatchedEntryCompleted+48j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_55BE93
; END OF FUNCTION CHUNK	FOR PnpDeviceCompletionQueueDispatchedEntryCompleted
; 
; START	OF FUNCTION CHUNK FOR PipSetDevNodeState

loc_5E1BD3:				; CODE XREF: PipSetDevNodeState+94j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_55BF79
; 

loc_5E1BE0:				; CODE XREF: PipSetDevNodeState+DFj
		mov	ecx, [esi+10h]
		call	_PnpRemoveDeviceActionRequests@4 ; PnpRemoveDeviceActionRequests(x)
		jmp	loc_55BFBF
; END OF FUNCTION CHUNK	FOR PipSetDevNodeState
; 
; START	OF FUNCTION CHUNK FOR PnpDeviceCompletionQueueIsEmpty

loc_5E1BED:				; CODE XREF: PnpDeviceCompletionQueueIsEmpty+3Ej
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_55C033
; END OF FUNCTION CHUNK	FOR PnpDeviceCompletionQueueIsEmpty
; 
; START	OF FUNCTION CHUNK FOR PoFxIdleDevice

loc_5E1BFC:				; CODE XREF: PoFxIdleDevice+12j
		mov	edi, esi
		jmp	loc_55C063
; END OF FUNCTION CHUNK	FOR PoFxIdleDevice
; 
; START	OF FUNCTION CHUNK FOR PnpDeviceCompletionQueueRemoveCompletedRequest

loc_5E1C03:				; CODE XREF: PnpDeviceCompletionQueueRemoveCompletedRequest+4Bj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_55C14C
; END OF FUNCTION CHUNK	FOR PnpDeviceCompletionQueueRemoveCompletedRequest
; 
; START	OF FUNCTION CHUNK FOR PopFxActivateDevice

loc_5E1C10:				; CODE XREF: PopFxActivateDevice+Fj
		xor	edi, edi
		jmp	loc_55C18C
; 

loc_5E1C17:				; CODE XREF: PopFxActivateDevice+90j
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_55C1EA
; 

loc_5E1C2B:				; CODE XREF: PopFxActivateDevice+103j
					; PopFxActivateDevice+111j
		cmp	[ebp+arg_0], dl
		jz	loc_55C285
		mov	ecx, 800h
		lea	eax, [esi+10h]
		lock or	[eax], ecx
		jmp	loc_55C285
; 

loc_5E1C44:				; CODE XREF: PopFxActivateDevice+DAj
					; PopFxActivateDevice+F2j
		push	edx
		lea	eax, [edi+34h]
		mov	edx, edi
		push	eax
		mov	ecx, 608h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_5E1C55:				; CODE XREF: PopFxActivateDevice+142j
		push	0
		push	0
		lea	eax, [esi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_55C1EA
; END OF FUNCTION CHUNK	FOR PopFxActivateDevice
; 
; START	OF FUNCTION CHUNK FOR PnpDeviceCompletionQueueAddDispatchedRequest

loc_5E1C6A:				; CODE XREF: PnpDeviceCompletionQueueAddDispatchedRequest+54j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_55C31F
; END OF FUNCTION CHUNK	FOR PnpDeviceCompletionQueueAddDispatchedRequest
; 
; START	OF FUNCTION CHUNK FOR PopRequestCompletion

loc_5E1C79:				; CODE XREF: PopRequestCompletion+116j
		mov	ecx, [esi+0Ch]
		call	_PopUpdateWakeSource@4 ; PopUpdateWakeSource(x)
		mov	eax, [ebx+18h]
		jmp	loc_55C53E
; 

loc_5E1C89:				; CODE XREF: PopRequestCompletion+10Aj
		push	0
		push	0
		lea	eax, [edi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_55C47F
; END OF FUNCTION CHUNK	FOR PopRequestCompletion
; 
; START	OF FUNCTION CHUNK FOR PopDequeueQuerySetIrp

loc_5E1C9E:				; CODE XREF: PopDequeueQuerySetIrp+49j
		mov	eax, edi
		jmp	loc_55C64C
; 

loc_5E1CA5:				; CODE XREF: PopDequeueQuerySetIrp+82j
		mov	ecx, ds:_PopInrushIrpList
		mov	ds:_PopInrushIrp, edi
		jmp	loc_5E1D48
; 

loc_5E1CB6:				; CODE XREF: PopDequeueQuerySetIrp+8575Aj
		lea	esi, [ecx-58h]
		movsx	eax, byte ptr [esi+22h]
		add	eax, 3
		imul	eax, 24h
		mov	eax, [eax+esi]
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	short loc_5E1CD8
		mov	eax, [eax+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_5E1CDA
; 

loc_5E1CD8:				; CODE XREF: PopDequeueQuerySetIrp+856D7j
		mov	edx, edi

loc_5E1CDA:				; CODE XREF: PopDequeueQuerySetIrp+856E2j
		cmp	[edx+98h], edi
		jnz	short loc_5E1D46
		cmp	[edx+9Ch], esi
		jnz	short loc_5E1D46
		mov	edi, [ecx]
		mov	eax, [ecx+4]
		cmp	[edi+4], ecx
		jnz	loc_5E1E08
		cmp	[eax], ecx
		jnz	loc_5E1E08
		mov	[eax], edi
		lea	ecx, [esi+40h]
		mov	[edi+4], eax
		mov	[edx+98h], esi
		mov	eax, [ecx]
		mov	[edx+9Ch], eax
		lea	edx, [esp+28h+var_14]
		mov	eax, [esp+28h+var_10]
		mov	ds:_PopInrushIrp, esi
		cmp	[eax], edx
		jnz	loc_5E1E08
		mov	[ecx], edx
		xor	edi, edi
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[esp+28h+var_10], ecx
		cmp	[ebx], edi
		jnz	loc_55C687
		jmp	loc_55C67C
; 

loc_5E1D46:				; CODE XREF: PopDequeueQuerySetIrp+856ECj
					; PopDequeueQuerySetIrp+856F4j
		mov	ecx, [ecx]

loc_5E1D48:				; CODE XREF: PopDequeueQuerySetIrp+856BDj
		cmp	ecx, offset _PopInrushIrpList
		jnz	loc_5E1CB6
		jmp	loc_55C67C
; 

loc_5E1D59:				; CODE XREF: PopDequeueQuerySetIrp+8Dj
		lea	ecx, [eax+58h]
		mov	edx, [ecx]
		cmp	edx, ecx
		jz	short loc_5E1D8D
		cmp	ds:_PopInrushIrp, 0
		jnz	short loc_5E1D8B
		mov	esi, [ecx+4]
		mov	ds:_PopInrushIrp, eax
		cmp	[edx+4], ecx
		jnz	loc_5E1E08
		cmp	[esi], ecx
		jnz	loc_5E1E08
		mov	[esi], edx
		mov	[edx+4], esi
		jmp	short loc_5E1D8D
; 

loc_5E1D8B:				; CODE XREF: PopDequeueQuerySetIrp+85775j
		mov	eax, edi

loc_5E1D8D:				; CODE XREF: PopDequeueQuerySetIrp+8576Cj
					; PopDequeueQuerySetIrp+85795j
		test	eax, eax
		jz	loc_55C687
		mov	[ebx], eax
		lea	ecx, [eax+40h]
		mov	eax, [ecx]
		lea	edx, [esp+28h+var_14]
		mov	[ebx+4], eax
		mov	eax, [esp+28h+var_10]
		cmp	[eax], edx
		jnz	short loc_5E1E08
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[esp+28h+var_10], ecx
		jmp	loc_55C687
; 

loc_5E1DBB:				; CODE XREF: PopDequeueQuerySetIrp+9Aj
		mov	edx, [ebp+4]
		lea	ecx, [esp+28h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_55C6B2
; 

loc_5E1DCC:				; CODE XREF: PopDequeueQuerySetIrp+D5j
		mov	eax, [edi]
		lea	ecx, [esp+28h+var_14]
		cmp	[edi+4], ecx
		jnz	short loc_5E1E08
		cmp	[eax+4], edi
		jnz	short loc_5E1E08
		add	edi, 0FFFFFFC0h
		mov	[esp+28h+var_14], eax
		mov	[eax+4], ecx
		mov	edx, edi
		mov	eax, [edi+60h]
		mov	esi, [eax-10h]
		call	PopDiagTraceIrpStart
		mov	ecx, edi
		call	_PopEnableIrpWatchdog@4	; PopEnableIrpWatchdog(x)
		mov	edx, edi
		mov	ecx, esi
		call	IofCallDriver
		jmp	loc_55C6BF
; 

loc_5E1E08:				; CODE XREF: PopDequeueQuerySetIrp+856FEj
					; PopDequeueQuerySetIrp+85706j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5E1E0D:				; CODE XREF: PopDisableIrpWatchdog+30j
		lea	edx, [ebp+var_C]
		mov	ecx, offset _PopIrpLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, esi
		call	_PopIrpWatchdogBugcheck@4 ; PopIrpWatchdogBugcheck(x)
		int	3		; Trap to Debugger

loc_5E1E22:				; CODE XREF: PopDiagTraceIrpFinishTelemetry+77j
		cmp	[ebp+var_13C], 0
		jge	short loc_5E1E50
		cmp	dword ptr [esi+6Ch], 0
		jnz	short loc_5E1E50
		push	ecx
		mov	ecx, edi
		call	_IoFindDeviceThatFailedIrp@4 ; IoFindDeviceThatFailedIrp(x)
		lea	edx, [ebp+var_88]
		mov	ecx, eax
		call	_PopDiagGetDriverName@12 ; PopDiagGetDriverName(x,x,x)
		lea	edi, [ebp+var_88]
		test	eax, eax
		jns	short loc_5E1E55

loc_5E1E50:				; CODE XREF: PopDequeueQuerySetIrp+85835j
					; PopDequeueQuerySetIrp+8583Bj
		mov	edi, offset ??_C@_11LOCGONAA@@FNODOBFM@

loc_5E1E55:				; CODE XREF: PopDequeueQuerySetIrp+8585Aj
		mov	ecx, esi
		call	_PopComputeWatchdogTimeout@4 ; PopComputeWatchdogTimeout(x)
		cmp	ds:dword_6B23F8, 5
		mov	[ebp+var_144], eax
		mov	eax, [esi+70h]
		mov	[ebp+var_148], eax
		jbe	loc_55C941
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_55C941
		lea	eax, [ebp+var_154]
		mov	[ebp+var_154], ebx
		mov	[ebp+var_118], eax
		xor	ecx, ecx
		mov	eax, [esi+18h]
		mov	edx, edi
		mov	[ebp+var_160], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_15C], eax
		lea	eax, [ebp+var_160]
		mov	[ebp+var_108], eax
		mov	eax, [ebp+var_140]
		mov	[ebp+var_168], eax
		mov	eax, [ebp+var_14C]
		push	8
		pop	ebx
		mov	[ebp+var_164], eax
		lea	eax, [ebp+var_168]
		mov	[ebp+var_114], ecx
		mov	[ebp+var_10C], ecx
		mov	[ebp+var_104], ecx
		mov	[ebp+var_FC], ecx
		mov	[ebp+var_F4], ecx
		mov	[ebp+var_EC], ecx
		lea	ecx, [ebp+var_E8]
		mov	[ebp+var_110], 4
		mov	[ebp+var_100], ebx
		mov	[ebp+var_F8], eax
		mov	[ebp+var_F0], ebx
		call	_tlgCreate1Sz_wchar_t
		mov	eax, [ebp+var_144]
		xor	edx, edx
		mov	[ebp+var_144], eax
		lea	eax, [ebp+var_144]
		mov	[ebp+var_D8], eax
		mov	eax, [esi+6Ch]
		mov	[ebp+var_140], eax
		lea	eax, [ebp+var_140]
		mov	[ebp+var_C8], eax
		mov	eax, [ebp+var_148]
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_148]
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+var_13C]
		mov	[ebp+var_13C], eax
		lea	eax, [ebp+var_13C]
		push	4
		pop	ecx
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_150]
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_138]
		push	eax
		push	0Bh
		push	edx
		push	edx
		push	offset loc_41F31D
		push	offset dword_6B23F8
		mov	[ebp+var_D4], edx
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_CC], edx
		mov	[ebp+var_C4], edx
		mov	[ebp+var_C0], ecx
		mov	[ebp+var_BC], edx
		mov	[ebp+var_B4], edx
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_AC], edx
		mov	[ebp+var_A4], edx
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_9C], edx
		mov	[ebp+var_150], 1000000h
		mov	[ebp+var_14C], edx
		mov	[ebp+var_94], edx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_55C941
; END OF FUNCTION CHUNK	FOR PopDequeueQuerySetIrp

;  S U B	R O U T	I N E 


sub_5E2028	proc near		; CODE XREF: PopFxNotifyPreDIrpCompletion+39j
		push	ebx
		xor	bl, bl
		xor	esi, esi
		mov	eax, [edx]

loc_5E202F:				; CODE XREF: sub_5E2028+Fj
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_5E202F
		test	eax, 1000h
		jz	short loc_5E2042
		inc	bl

loc_5E2042:				; CODE XREF: sub_5E2028+16j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	esi, [edi+2F0h]
		mov	bh, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [edi+300h]
		mov	ecx, [ebp+8]
		and	edx, 0FFFFFFFEh
		or	edx, 2
		mov	[edi+2FCh], ecx
		mov	[edi+300h], edx
		test	ds:byte_70EFC6,	1
		jz	short loc_5E2087
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5E208C
; 

loc_5E2087:				; CODE XREF: sub_5E2028+51j
		xor	eax, eax
		lock and [esi],	eax

loc_5E208C:				; CODE XREF: sub_5E2028+5Dj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	dl, bl
		mov	ecx, edi
		call	_PopFxDerefAndCompleteDirectedPowerTransition@8	; PopFxDerefAndCompleteDirectedPowerTransition(x,x)
		pop	ebx
		jmp	loc_55C96B
sub_5E2028	endp

; 
; START	OF FUNCTION CHUNK FOR PopFxReleasePowerIrp

loc_5E20A3:				; CODE XREF: PopFxReleasePowerIrp+5Bj
		mov	bl, 1
		xor	edi, edi
		mov	eax, [edx]

loc_5E20A9:				; CODE XREF: PopFxReleasePowerIrp+85723j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_5E20A9
		mov	edi, [ebp+var_4]
		test	eax, 100h
		jz	loc_55CA13
		mov	eax, [edi+12Ch]
		mov	esi, [edi+134h]
		mov	[ebp+var_10], eax
		mov	eax, [edi+13Ch]
		mov	[ebp+var_C], eax
		mov	eax, [edi+144h]
		mov	[ebp+var_8], eax
		jmp	loc_55CA13
; 

loc_5E20E7:				; CODE XREF: PopFxReleasePowerIrp+7Fj
		push	0
		push	0
		lea	eax, [edi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_55CA13
; 

loc_5E20FC:				; CODE XREF: PopFxReleasePowerIrp+9Bj
		mov	ecx, [ebp+var_10]
		mov	dl, 2
		push	0
		push	1
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	esi
		call	PopRequestPowerIrp
		jmp	loc_55CA2F
; END OF FUNCTION CHUNK	FOR PopFxReleasePowerIrp
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceFxDevicePowerState

loc_5E2116:				; CODE XREF: PopDiagTraceFxDevicePowerState+4Bj
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_1C], 4
		mov	[ebp+var_24], eax
		xor	edx, edx
		lea	eax, [ebp-25h]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_24]
		mov	[ebp+var_18], edx
		push	eax
		push	2
		push	edx
		push	edx
		inc	ecx
		mov	[ebp+var_10], edx
		push	ecx
		push	edx
		push	edx
		push	offset _POP_ETW_EVENT_DEVICE_POWER_STATE
		push	esi
		dec	bl
		mov	[ebp+var_C], ecx
		push	edi
		mov	[ebp+var_25], bl
		mov	[ebp+var_8], edx
		call	EtwWriteEx
		jmp	loc_55CA85
; END OF FUNCTION CHUNK	FOR PopDiagTraceFxDevicePowerState
; 
; START	OF FUNCTION CHUNK FOR PopRequestPowerIrp

loc_5E215E:				; CODE XREF: PopRequestPowerIrp+1C1j
		mov	eax, 0C00000F0h
		jmp	loc_55CBF0
; 

loc_5E2168:				; CODE XREF: PopRequestPowerIrp+92j
		mov	eax, 0C000009Ah
		jmp	loc_55CBF0
; 

loc_5E2172:				; CODE XREF: PopRequestPowerIrp+1E7j
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+80h], eax
		dec	eax
		jnz	short loc_5E2190
		push	0
		push	0
		lea	eax, [ecx+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_5E2190:				; CODE XREF: PopRequestPowerIrp+856C2j
		and	dword ptr [ebx+78h], 0
		jmp	loc_55CCB3
; 

loc_5E2199:				; CODE XREF: PopRequestPowerIrp+16Cj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [esi+2F0h]
		mov	[esp+20h+var_11], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		or	dword ptr [esi+300h], 1
		lock inc dword ptr [esi+2F4h]
		test	ds:byte_70EFC6,	1
		jz	short loc_5E21D7
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	edi, [esp+20h+var_8]
		jmp	short loc_5E21DC
; 

loc_5E21D7:				; CODE XREF: PopRequestPowerIrp+85709j
		xor	eax, eax
		lock and [ebx],	eax

loc_5E21DC:				; CODE XREF: PopRequestPowerIrp+85719j
		mov	cl, [esp+20h+var_11]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_55CBD4
; 

loc_5E21EB:				; CODE XREF: PopRequestPowerIrp+122j
		mov	ecx, [esp+20h+var_4]
		xor	edx, edx
		push	edi
		call	_PopLogNotifyDevice@12 ; PopLogNotifyDevice(x,x,x)
		jmp	loc_55CBE4
; END OF FUNCTION CHUNK	FOR PopRequestPowerIrp
; 
; START	OF FUNCTION CHUNK FOR PopAllocateIrp

loc_5E21FC:				; CODE XREF: PopAllocateIrp+4Fj
		xor	ecx, ecx
		jmp	loc_55CD2A
; 

loc_5E2203:				; CODE XREF: PopAllocateIrp+63j
		mov	eax, 0C0000010h
		mov	[ebp+arg_8], eax

loc_5E220B:				; CODE XREF: PopAllocateIrp+1E1j
					; PopAllocateIrp+8561Aj
		cmp	[ebp+arg_C], 0
		jz	loc_55CEB3
		cmp	eax, 103h
		jz	loc_55CEB3
		xor	eax, eax
		cmp	[ebp+arg_4], eax
		setnz	al
		push	eax
		push	esi
		push	6
		push	1
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E2238:				; CODE XREF: PopAllocateIrp+235j
		mov	ebx, [ebp+var_8]
		mov	edi, [ebp+var_C]
		jmp	loc_55CF50
; 

loc_5E2243:				; CODE XREF: PopAllocateIrp+26Bj
		mov	ecx, [ebp+var_4]
		mov	edx, 72496F50h
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp+arg_10]
		mov	edx, 72496F50h
		mov	ecx, [eax+38h]
		call	ObfReferenceObjectWithTag
		mov	ecx, [ebp+arg_10]
		mov	eax, [ecx+38h]
		mov	[ebp+var_4], eax
		jmp	loc_55CDBE
; 

loc_5E226E:				; CODE XREF: PopAllocateIrp+855D4j
		mov	edi, [ebp+var_1C]
		jmp	loc_55CD73
; 

loc_5E2276:				; CODE XREF: PopAllocateIrp+A9j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		ja	loc_55CD7B
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_55CD7B
; 

loc_5E2296:				; CODE XREF: PopAllocateIrp+C1j
		cmp	[ebp+arg_C], 0
		jz	short loc_5E22A2
		cmp	[ebp+var_1C], 0Ah
		jb	short loc_5E226E

loc_5E22A2:				; CODE XREF: PopAllocateIrp+855CEj
		mov	eax, [ebp+arg_8]
		jmp	loc_55CF50
; 

loc_5E22AA:				; CODE XREF: PopAllocateIrp+CBj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		ja	loc_55CD9D
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_55CD9D
; 

loc_5E22CA:				; CODE XREF: PopAllocateIrp+ECj
		cmp	[ebp+arg_C], 0
		jz	loc_55CEB3
		mov	ebx, [ebp+var_1C]
		cmp	ebx, 0Ah
		jb	loc_55CD95
		mov	eax, [ebp+arg_8]
		mov	esi, [ebp+var_4]
		jmp	loc_5E220B
; 

loc_5E22EB:				; CODE XREF: PopAllocateIrp+1E9j
		mov	edx, edi
		mov	ecx, offset _PopIrpDataLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	loc_55CEBB
; 

loc_5E22FC:				; CODE XREF: PopAllocateIrp+1F4j
		mov	edx, 72496F50h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		jmp	loc_55CEC6
; 

loc_5E230D:				; CODE XREF: PopAllocateIrp+1FFj
		mov	edx, 72496F50h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		jmp	loc_55CED1
; END OF FUNCTION CHUNK	FOR PopAllocateIrp
; 
; START	OF FUNCTION CHUNK FOR PopQueueQuerySetIrp

loc_5E231E:				; CODE XREF: PopQueueQuerySetIrp+31j
		and	[ebp+var_8], 0
		jmp	loc_55CF9B
; 

loc_5E2327:				; CODE XREF: PopQueueQuerySetIrp+15Cj
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1], al
		jmp	loc_55D0C7
; 

loc_5E2332:				; CODE XREF: PopQueueQuerySetIrp+182j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_55D0F5
; 

loc_5E2341:				; CODE XREF: PopQueueQuerySetIrp+99j
		mov	ecx, ds:dword_6C2ACC
		lea	eax, [esi+58h]
		cmp	dword ptr [ecx], offset	_PopInrushIrpList
		jnz	short loc_5E23A3
		mov	dword ptr [eax], offset	_PopInrushIrpList
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:dword_6C2ACC, eax
		jmp	loc_55CFF7
; 

loc_5E2367:				; CODE XREF: PopQueueQuerySetIrp+85416j
		mov	eax, ecx

loc_5E2369:				; CODE XREF: PopQueueQuerySetIrp+A4j
		mov	ecx, [eax+40h]
		test	ecx, ecx
		jnz	short loc_5E2367
		mov	[eax+40h], esi

loc_5E2373:				; CODE XREF: PopQueueQuerySetIrp+AFj
					; PopQueueQuerySetIrp+85428j
		mov	esi, edi
		jmp	loc_55D01A
; 

loc_5E237A:				; CODE XREF: PopQueueQuerySetIrp+B7j
		cmp	ds:_PopInrushIrp, edi
		jnz	short loc_5E2373
		lea	eax, [esi+58h]
		mov	ds:_PopInrushIrp, esi
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_5E23A3
		cmp	[ecx], eax
		jnz	short loc_5E23A3
		mov	[ecx], edx
		mov	[edx+4], ecx
		jmp	loc_55D015
; 

loc_5E23A3:				; CODE XREF: PopQueueQuerySetIrp+853F8j
					; PopQueueQuerySetIrp+8543Bj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5E23A8:				; CODE XREF: PopQueueQuerySetIrp+C9j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_55D049
; END OF FUNCTION CHUNK	FOR PopQueueQuerySetIrp
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceIrpStart

loc_5E23B8:				; CODE XREF: PopDiagTraceIrpStart+52j
		xor	ecx, ecx
		jmp	loc_55D22F
; 

loc_5E23BF:				; CODE XREF: PopDiagTraceIrpStart+7Aj
		push	offset ??_C@_11LOCGONAA@@FNODOBFM@
		lea	eax, [ebp+var_90]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+var_80]
		mov	dl, byte ptr [ebp+var_76+1]
		mov	esi, [ebp+var_7C]
		jmp	loc_55D24E
; END OF FUNCTION CHUNK	FOR PopDiagTraceIrpStart
; 
; START	OF FUNCTION CHUNK FOR PopFxAllocatePowerIrp

loc_5E23DE:				; CODE XREF: PopFxAllocatePowerIrp+6Cj
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		jnz	short loc_5E23F5
		push	ebx
		push	ebx
		lea	eax, [esi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_5E23F5:				; CODE XREF: PopFxAllocatePowerIrp+85081j
		mov	edi, 0C0000056h
		jmp	loc_55D39D
; 

loc_5E23FF:				; CODE XREF: PopFxAllocatePowerIrp+9Dj
		test	al, 20h
		jz	short loc_5E243E
		xor	edx, edx
		mov	eax, [ebx]

loc_5E2407:				; CODE XREF: PopFxAllocatePowerIrp+850ABj
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [ebx], ecx
		jnz	short loc_5E2407
		mov	edx, eax
		shr	edx, 8
		xor	esi, esi
		and	edx, 1
		mov	eax, [ebx]

loc_5E241D:				; CODE XREF: PopFxAllocatePowerIrp+850C1j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [ebx], ecx
		jnz	short loc_5E241D
		mov	esi, [ebp+var_8]
		shr	eax, 9
		and	eax, 1
		cmp	edx, eax
		jnz	short loc_5E243E
		mov	edi, 0C000009Ah
		jmp	loc_55D39D
; 

loc_5E243E:				; CODE XREF: PopFxAllocatePowerIrp+8509Dj
					; PopFxAllocatePowerIrp+850CEj
		xor	edx, edx
		mov	eax, [ebx]

loc_5E2442:				; CODE XREF: PopFxAllocatePowerIrp+850E6j
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [ebx], ecx
		jnz	short loc_5E2442
		mov	edx, eax
		push	20h
		mov	ecx, 200h
		pop	eax
		lock or	[ebx], eax
		lock xor [ebx],	ecx
		xor	eax, eax
		and	edx, ecx
		setnz	al
		xor	ecx, ecx
		test	edx, edx
		setnz	cl
		lea	eax, ds:128h[eax*4]
		mov	[eax+esi], edi
		mov	edi, 103h
		mov	eax, [ebp+arg_0]
		lea	ecx, ds:130h[ecx*4]
		mov	[ecx+esi], eax
		xor	ecx, ecx
		mov	eax, [ebp+arg_4]
		test	edx, edx
		setnz	cl
		lea	ecx, ds:138h[ecx*4]
		mov	[ecx+esi], eax
		xor	ecx, ecx
		mov	eax, [ebp+arg_8]
		test	edx, edx
		setnz	cl
		lea	ecx, ds:140h[ecx*4]
		mov	[ecx+esi], eax
		jmp	loc_55D39D
; 

loc_5E24B3:				; CODE XREF: PopFxAllocatePowerIrp+B9j
		cmp	[ebp+arg_C], dl
		jz	short loc_5E2513
		xor	eax, eax
		lock or	[ebx], eax
		mov	eax, 100h
		lock xor [ebx],	eax
		xor	edx, edx
		mov	eax, [ebx]

loc_5E24C9:				; CODE XREF: PopFxAllocatePowerIrp+8516Dj
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [ebx], ecx
		jnz	short loc_5E24C9
		mov	edx, eax
		shr	edx, 8
		xor	edi, edi
		and	edx, 1
		mov	eax, [ebx]

loc_5E24DF:				; CODE XREF: PopFxAllocatePowerIrp+85183j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [ebx], ecx
		jnz	short loc_5E24DF
		shr	eax, 9
		and	eax, 1
		cmp	edx, eax
		jnz	short loc_5E24F9
		push	0FFFFFFDFh
		pop	eax
		lock and [ebx],	eax

loc_5E24F9:				; CODE XREF: PopFxAllocatePowerIrp+8518Dj
		push	10h
		pop	eax
		lock or	[ebx], eax
		mov	ecx, [ebp+arg_10]
		xor	edi, edi
		mov	eax, [esi+8]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_14]
		mov	eax, [esi+0Ch]
		mov	[ecx], eax
		jmp	short loc_5E2518
; 

loc_5E2513:				; CODE XREF: PopFxAllocatePowerIrp+85152j
		mov	edi, 0C000009Ah

loc_5E2518:				; CODE XREF: PopFxAllocatePowerIrp+851ADj
		or	eax, 0FFFFFFFFh
		lock xadd [esi+80h], eax
		dec	eax
		jnz	loc_55D39D
		push	0
		push	0
		lea	eax, [esi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_55D39D
; END OF FUNCTION CHUNK	FOR PopFxAllocatePowerIrp
; 
; START	OF FUNCTION CHUNK FOR PopIrpWorker

loc_5E253F:				; CODE XREF: PopIrpWorker+2AFj
		cmp	ds:_PopIrpWorkerPendingCount, ebx
		jz	loc_55D772
		jmp	loc_55D715
; 

loc_5E2550:				; CODE XREF: PopIrpWorker+2FDj
		cmp	eax, 0Fh
		jnb	loc_55D59E
		cmp	ds:_PopIrpWorkerPendingCount, 0
		jnz	loc_55D59E
		cmp	ds:_PopIrpWorkerRequested, 0
		jnz	loc_55D59E
		push	0
		push	0
		push	offset _PopIrpWorkerControlEvent
		mov	ds:_PopIrpWorkerRequested, 1
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_55D59E
; 

loc_5E258D:				; CODE XREF: PopIrpWorker+20Ej
		xor	ecx, ecx
		jmp	loc_55D67D
; 

loc_5E2594:				; CODE XREF: PopIrpWorker+1F4j
		push	2
		pop	eax
		mov	cl, al
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+50h+var_41], al
		mov	[esp+50h+var_42], 1
		jmp	loc_55D5EC
; 

loc_5E25AD:				; CODE XREF: PopIrpWorker+19Cj
		mov	cl, [esp+58h+var_49]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_55D602
; 

loc_5E25BC:				; CODE XREF: PopIrpWorker+1B0j
		mov	eax, large fs:124h
		push	dword ptr [eax+13Ch]
		push	ebx
		push	edi
		push	901h
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E25D9:				; CODE XREF: PopIrpWorker+2EBj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; END OF FUNCTION CHUNK	FOR PopIrpWorker
; 
; START	OF FUNCTION CHUNK FOR PoHandleIrp

loc_5E25E2:				; CODE XREF: PoHandleIrp+6Fj
		test	dword ptr [edi], 8000h
		jz	loc_55D83B
		and	dword ptr [esi+18h], 0
		xor	dl, dl
		and	dword ptr [esi+1Ch], 0
		mov	ecx, esi
		call	IofCompleteRequest
		mov	eax, [ebp+var_8]
		and	dword ptr [eax], 0
		jmp	loc_55D825
; 

loc_5E260A:				; CODE XREF: PoHandleIrp+A6j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_55D876
; END OF FUNCTION CHUNK	FOR PoHandleIrp
; 
; START	OF FUNCTION CHUNK FOR PopDispatchQuerySetIrp

loc_5E261A:				; CODE XREF: PopDispatchQuerySetIrp+28j
		mov	edx, ds:_PopIrpWorkerList
		cmp	[edx+4], ecx
		jnz	loc_55DB09
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		mov	ds:_PopIrpWorkerList, eax
		jmp	loc_55DAF8
; END OF FUNCTION CHUNK	FOR PopDispatchQuerySetIrp
; 
; START	OF FUNCTION CHUNK FOR PopPepDeviceDState

loc_5E263B:				; CODE XREF: PopPepDeviceDState+F5j
		mov	ecx, [edi+18h]
		xor	eax, eax
		cmp	[ebp+arg_4], 1
		mov	[esp+28h+var_2], ax
		mov	[esp+28h+var_8], ebx
		setz	[esp+28h+var_3]
		mov	eax, [ecx+28h]
		mov	[esp+28h+var_C], eax
		mov	eax, [ecx+24h]
		lea	ecx, [esp+28h+var_C]
		push	ecx
		push	5
		mov	[esp+30h+var_4], dl
		call	dword ptr [eax+40h]
		jmp	loc_55DC09
; 

loc_5E266F:				; CODE XREF: PopPepDeviceDState+119j
		cmp	byte ptr [edi+81h], 0
		jnz	short loc_5E2690
		cmp	byte ptr [edi+80h], 0
		jz	short loc_5E2688
		cmp	ebx, 1
		jnz	short loc_5E2688
		mov	cl, bl

loc_5E2688:				; CODE XREF: PopPepDeviceDState+84B71j
					; PopPepDeviceDState+84B76j
		test	cl, cl
		jz	loc_55DC2D

loc_5E2690:				; CODE XREF: PopPepDeviceDState+84B68j
		xor	ecx, ecx
		mov	[esp+28h+var_14], ecx
		cmp	[edi+84h], ecx
		jbe	loc_55DC2D
		lea	esi, [edi+90h]

loc_5E26A8:				; CODE XREF: PopPepDeviceDState+84BC5j
		cmp	byte ptr [esi+90h], 0
		jz	short loc_5E26C2
		mov	edx, [esi]
		mov	ecx, [edi+18h]
		push	ebx
		push	1
		call	_PopFxUpdateComponentPerfStateNominalChange@16 ; PopFxUpdateComponentPerfStateNominalChange(x,x,x,x)
		mov	ecx, [esp+28h+var_14]

loc_5E26C2:				; CODE XREF: PopPepDeviceDState+84BA1j
		inc	ecx
		add	esi, 0A8h
		mov	[esp+28h+var_14], ecx
		cmp	ecx, [edi+84h]
		jb	short loc_5E26A8
		mov	eax, [edi+78h]
		jmp	loc_55DC2D
; END OF FUNCTION CHUNK	FOR PopPepDeviceDState
; 
; START	OF FUNCTION CHUNK FOR PopPlNotifyDeviceDState

loc_5E26DD:				; CODE XREF: PopPlNotifyDeviceDState+2Ej
		mov	edi, [ebp+arg_0]
		mov	bh, [ebp+arg_4]
		cmp	edi, edx
		jle	short loc_5E26F1
		test	bh, bh
		jz	loc_55DD60
		cmp	edi, edx

loc_5E26F1:				; CODE XREF: PopPlNotifyDeviceDState+849B9j
		jge	short loc_5E26FB
		test	bh, bh
		jnz	loc_55DD60

loc_5E26FB:				; CODE XREF: PopPlNotifyDeviceDState:loc_5E26F1j
		mov	eax, [esi+8]
		mov	[ebp+var_C0], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp+var_C0]
		mov	bl, al
		add	ecx, 8
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_C0]
		lea	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_BC]
		push	0
		push	0
		mov	[eax+0Ch], bl
		mov	esi, [esi+10h]
		call	_PopPlCalculateDevicePowerDraw@16 ; PopPlCalculateDevicePowerDraw(x,x,x,x)
		mov	ecx, eax
		sub	ecx, esi
		mov	esi, [ebp+var_C4]
		mov	[ebp+var_C8], ecx
		mov	[esi+10h], eax
		cmp	ds:dword_6B23F8, 5
		jbe	loc_5E28BB
		and	[ebp+var_94], 0
		lea	eax, [ebp+var_C4]
		and	[ebp+var_8C], 0
		lea	edx, [ebp+var_70]
		mov	[ebp+var_98], eax
		mov	eax, [ebp+var_BC]
		mov	[ebp+var_88], edx
		xor	edx, edx
		mov	[ebp+var_84], edx
		mov	[ebp+var_7C], edx
		movzx	ecx, word ptr [eax+70h]
		mov	eax, [eax+74h]
		mov	[ebp+var_74], edx
		mov	[ebp+var_6C], edx
		mov	edx, offset ??_C@_09GOOJCAKO@Beginning@FNODOBFM@
		mov	[ebp+var_C4], 1
		mov	[ebp+var_90], 2
		mov	[ebp+var_80], 2
		mov	[ebp+var_78], eax
		mov	[ebp+var_70], ecx
		test	bh, bh
		jz	short loc_5E27C8
		mov	edx, offset ??_C@_09MIJAKHKB@Completed@FNODOBFM@

loc_5E27C8:				; CODE XREF: PopPlNotifyDeviceDState+84A95j
		lea	ecx, [ebp+var_68]
		call	_tlgCreate1Sz_char
		push	4
		pop	ebx
		test	edi, edi
		jnz	short loc_5E27DE
		mov	edx, (offset loc_5A5345+5)
		jmp	short loc_5E281C
; 

loc_5E27DE:				; CODE XREF: PopPlNotifyDeviceDState+84AA9j
		cmp	edi, 1
		jnz	short loc_5E27EA
		mov	edx, (offset loc_5A535D+5)
		jmp	short loc_5E281C
; 

loc_5E27EA:				; CODE XREF: PopPlNotifyDeviceDState+84AB5j
		cmp	edi, 2
		jnz	short loc_5E27F6
		mov	edx, offset ??_C@_0O@HLLDCKDP@PowerDeviceD1@FNODOBFM@
		jmp	short loc_5E281C
; 

loc_5E27F6:				; CODE XREF: PopPlNotifyDeviceDState+84AC1j
		cmp	edi, 3
		jnz	short loc_5E2802
		mov	edx, offset ??_C@_0O@FAJOHJPM@PowerDeviceD2@FNODOBFM@
		jmp	short loc_5E281C
; 

loc_5E2802:				; CODE XREF: PopPlNotifyDeviceDState+84ACDj
		cmp	edi, ebx
		jnz	short loc_5E280D
		mov	edx, (offset loc_5A539E+2)
		jmp	short loc_5E281C
; 

loc_5E280D:				; CODE XREF: PopPlNotifyDeviceDState+84AD8j
		mov	edx, offset ??_C@_0BD@ODMBHIPK@PowerDeviceMaximum@FNODOBFM@
		cmp	edi, 5
		jz	short loc_5E281C
		mov	edx, offset ??_C@_09EEKGDCPH@?$DMunknown?$DO@FNODOBFM@

loc_5E281C:				; CODE XREF: PopPlNotifyDeviceDState+84AB0j
					; PopPlNotifyDeviceDState+84ABCj ...
		lea	ecx, [ebp+var_58]
		call	_tlgCreate1Sz_char
		mov	ecx, [ebp+var_C8]
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_48], eax
		xor	edx, edx
		mov	eax, [esi+10h]
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_28], eax
		mov	eax, [esi+8]
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_44], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_20], ebx
		mov	eax, [eax+10h]
		add	eax, ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_D4], eax
		mov	ecx, offset dword_6B23F8
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_C], edx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_B8]
		push	eax
		push	0Bh
		push	edx
		push	edx
		push	1
		push	edx
		push	edx
		mov	edx, offset loc_420CCE
		mov	[ebp+var_10], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_C8]

loc_5E28BB:				; CODE XREF: PopPlNotifyDeviceDState+84A26j
		mov	esi, [ebp+var_C0]
		mov	edx, ecx
		mov	ecx, esi
		call	_PopPlPublishSystemPowerChange@8 ; PopPlPublishSystemPowerChange(x,x)
		test	ds:byte_70EFC6,	1
		mov	bl, [esi+0Ch]
		jz	short loc_5E28E3
		mov	edx, [ebp+4]
		lea	ecx, [esi+8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5E28EB
; 

loc_5E28E3:				; CODE XREF: PopPlNotifyDeviceDState+84BA8j
		xor	ecx, ecx
		lea	eax, [esi+8]
		lock and [eax],	ecx

loc_5E28EB:				; CODE XREF: PopPlNotifyDeviceDState+84BB5j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_55DD60
; END OF FUNCTION CHUNK	FOR PopPlNotifyDeviceDState
; 
; START	OF FUNCTION CHUNK FOR PopFxLockDevice

loc_5E28F8:				; CODE XREF: PopFxLockDevice+71j
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		jnz	short loc_5E2911
		push	0
		push	0
		lea	eax, [esi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_5E2911:				; CODE XREF: PopFxLockDevice+84A05j
		xor	esi, esi
		jmp	loc_55DF46
; END OF FUNCTION CHUNK	FOR PopFxLockDevice
; 
; START	OF FUNCTION CHUNK FOR IofCallDriverSpecifyReturn

loc_5E2918:				; CODE XREF: IofCallDriverSpecifyReturn+Cj
		cmp	eax, 3
		jnz	short loc_5E2927
		call	@IopPerfCallDriver@8 ; IopPerfCallDriver(x,x)
		jmp	loc_55DF87
; 

loc_5E2927:				; CODE XREF: IofCallDriverSpecifyReturn+849ABj
		pop	ebp
		jmp	@IovCallDriver@12 ; IovCallDriver(x,x,x)
; END OF FUNCTION CHUNK	FOR IofCallDriverSpecifyReturn
; 
; START	OF FUNCTION CHUNK FOR IopfCallDriver

loc_5E292D:				; CODE XREF: IopfCallDriver+Fj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	edx
		push	35h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5E293B:				; CODE XREF: PopPepCompleteComponentIdleStateChangeActivity+28j
		cmp	[ebx+4Ch], dl
		jz	loc_55E006
		mov	eax, [edi+1Ch]
		mov	ecx, [edi+18h]
		mov	[ebp-4], eax
		mov	eax, ecx
		and	eax, 4
		or	eax, edx
		jz	short loc_5E295E
		mov	eax, [edi+90h]
		jmp	short loc_5E2983
; 

loc_5E295E:				; CODE XREF: IopfCallDriver+849C8j
		cmp	[edi+94h], edx
		jz	loc_55E006
		mov	eax, [edi+90h]
		test	eax, eax
		jnz	loc_55E006
		and	ecx, 2
		or	ecx, edx
		jz	loc_55E006

loc_5E2983:				; CODE XREF: IopfCallDriver+849D0j
		mov	ecx, [ebx+18h]
		push	eax
		push	edx
		mov	edx, [edi+8]
		call	_PopFxUpdateComponentPerfStateNominalChange@16 ; PopFxUpdateComponentPerfStateNominalChange(x,x,x,x)
		xor	edx, edx
		jmp	loc_55E006
; END OF FUNCTION CHUNK	FOR IopfCallDriver
; 
; START	OF FUNCTION CHUNK FOR PopFxUpdateComponentAccountingEnhanced

loc_5E2997:				; CODE XREF: PopFxUpdateComponentAccountingEnhanced+2Aj
					; PopFxUpdateComponentAccountingEnhanced+30j
		mov	eax, [esi+8]
		cmp	eax, 0FFFFFFFFh
		jz	loc_55E0A0
		cmp	[ebp+arg_4], 0
		jnz	short loc_5E29D1
		cmp	[ebp+arg_0], 0
		jnz	loc_55E0A0
		cmp	byte ptr [esi+4], 0
		jnz	loc_55E0A0
		call	KeQueryInterruptTime
		mov	[esi+10h], eax
		mov	[esi+14h], edx
		mov	byte ptr [esi+4], 1
		jmp	loc_55E0A0
; 

loc_5E29D1:				; CODE XREF: PopFxUpdateComponentAccountingEnhanced+8493Dj
		cmp	[ebp+arg_0], eax
		jb	loc_55E0A0
		call	KeQueryInterruptTime
		push	0
		push	0
		push	edx
		push	eax
		mov	ecx, esi
		call	PopFxUpdateAccountingActiveTime
		mov	byte ptr [esi+4], 0
		jmp	loc_55E0A0
; 

loc_5E29F5:				; CODE XREF: PopFxUpdateComponentAccountingEnhanced+3Dj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_55E0B2
; END OF FUNCTION CHUNK	FOR PopFxUpdateComponentAccountingEnhanced
; 
; START	OF FUNCTION CHUNK FOR PopPepUpdateIdleStateRefCount

loc_5E2A04:				; CODE XREF: PopPepUpdateIdleStateRefCount+6Aj
					; PopPepUpdateIdleStateRefCount+84A05j
		imul	ebx, ecx, 0C0h
		lea	eax, [edi-1]
		and	edi, eax
		add	ebx, ds:_PopPepPlatformState
		cmp	[ebp+arg_0], 0
		lea	edx, [ebx+80h]
		jnz	short loc_5E2A99
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		dec	eax
		mov	edx, 40000000h
		cmp	eax, edx
		jl	loc_5E2B39
		jnz	loc_5E2ABC
		cmp	[ebp+var_8D], 0
		jnz	short loc_5E2A5A
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_8E], al
		mov	[ebp+var_8D], 1

loc_5E2A5A:				; CODE XREF: PopPepUpdateIdleStateRefCount+84983j
		or	edx, 0FFFFFFFFh
		lea	ecx, [ebx+80h]
		mov	eax, 40000000h
		lock cmpxchg [ecx], edx
		mov	ecx, [ebp+var_98]
		cmp	eax, 40000000h
		jnz	short loc_5E2ABC
		mov	dl, 1
		call	_PopFxPlatformStateAvailable@8 ; PopFxPlatformStateAvailable(x,x)
		lea	eax, [ebx+80h]
		mov	ecx, [eax]
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_5E2B22
		mov	dword ptr [eax], 0
		jmp	short loc_5E2ABC
; 

loc_5E2A99:				; CODE XREF: PopPepUpdateIdleStateRefCount+8495Fj
		mov	eax, [edx]
		mov	[ebp+var_94], eax
		test	eax, eax
		jle	short loc_5E2AB4
		lea	ecx, [eax+1]
		lock cmpxchg [edx], ecx
		cmp	eax, [ebp+var_94]
		jz	short loc_5E2ABC

loc_5E2AB4:				; CODE XREF: PopPepUpdateIdleStateRefCount+849E3j
		mov	[ebp+esi*4+var_8C], ebx
		inc	esi

loc_5E2ABC:				; CODE XREF: PopPepUpdateIdleStateRefCount+84976j
					; PopPepUpdateIdleStateRefCount+849B7j	...
		bsf	ecx, edi
		mov	[ebp+var_98], ecx
		jnz	loc_5E2A04
		test	esi, esi
		jz	loc_5E2B99
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_8E], al

loc_5E2AE1:				; CODE XREF: PopPepUpdateIdleStateRefCount+84A5Bj
		lea	ecx, [ebp+var_9C]
		call	KeYieldProcessorEx
		xor	edi, edi

loc_5E2AEE:				; CODE XREF: PopPepUpdateIdleStateRefCount+84A57j
		mov	eax, [ebp+edi*4+var_8C]
		mov	[ebp+var_94], eax
		lea	ebx, [eax+80h]
		mov	edx, [ebx]
		test	edx, edx
		jle	short loc_5E2B5E
		lea	ecx, [edx+1]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jz	short loc_5E2B4D

loc_5E2B14:				; CODE XREF: PopPepUpdateIdleStateRefCount:loc_5E2B5Ej
					; PopPepUpdateIdleStateRefCount+84AABj
		inc	edi

loc_5E2B15:				; CODE XREF: PopPepUpdateIdleStateRefCount+84A9Cj
		cmp	edi, esi
		jb	short loc_5E2AEE
		test	esi, esi
		jnz	short loc_5E2AE1
		jmp	loc_5E2BA6
; 

loc_5E2B22:				; CODE XREF: PopPepUpdateIdleStateRefCount+849CBj
		push	0
		push	ecx
		mov	edx, ebx
		jmp	short loc_5E2B32
; 

loc_5E2B29:				; CODE XREF: PopPepUpdateIdleStateRefCount+84AD5j
		mov	edx, [ebp+var_94]
		push	0
		push	eax

loc_5E2B32:				; CODE XREF: PopPepUpdateIdleStateRefCount+84A67j
		mov	ecx, 669h
		jmp	short loc_5E2B42
; 

loc_5E2B39:				; CODE XREF: PopPepUpdateIdleStateRefCount+84970j
		push	edi
		push	eax
		mov	edx, ebx
		mov	ecx, 668h

loc_5E2B42:				; CODE XREF: PopPepUpdateIdleStateRefCount+84A77j
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_5E2B47:				; CODE XREF: PopPepUpdateIdleStateRefCount+84AD7j
		mov	dword ptr [ebx], 40000001h

loc_5E2B4D:				; CODE XREF: PopPepUpdateIdleStateRefCount+84A52j
		mov	eax, [ebp+esi*4-90h]
		dec	esi
		mov	[ebp+edi*4+var_8C], eax
		jmp	short loc_5E2B15
; 

loc_5E2B5E:				; CODE XREF: PopPepUpdateIdleStateRefCount+84A45j
		jnz	short loc_5E2B14
		or	ecx, 0FFFFFFFFh
		xor	eax, eax
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jnz	short loc_5E2B14
		mov	eax, [ebp+var_94]
		mov	ecx, 0C0h
		sub	eax, ds:_PopPepPlatformState
		cdq
		idiv	ecx
		xor	dl, dl
		mov	ecx, eax
		mov	[ebp+var_98], eax
		call	_PopFxPlatformStateAvailable@8 ; PopFxPlatformStateAvailable(x,x)
		mov	eax, [ebx]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_5E2B29
		jmp	short loc_5E2B47
; 

loc_5E2B99:				; CODE XREF: PopPepUpdateIdleStateRefCount+84A0Dj
		cmp	[ebp+var_8D], 0
		jz	loc_55E130

loc_5E2BA6:				; CODE XREF: PopPepUpdateIdleStateRefCount+84A5Dj
		mov	cl, [ebp+var_8E]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_55E130
; END OF FUNCTION CHUNK	FOR PopPepUpdateIdleStateRefCount
; 
; START	OF FUNCTION CHUNK FOR RtlUnicodeStringCopyStringEx

loc_5E2BB7:				; CODE XREF: RtlUnicodeStringCopyStringEx+5Cj
		cmp	[ebp+var_4], ebx
		jnz	loc_56815C
		mov	[ebp+var_4], offset ??_C@_11LOCGONAA@@FNODOBFM@
		jmp	loc_56815C
; 

loc_5E2BCC:				; CODE XREF: RtlUnicodeStringCopyStringEx+69j
		mov	esi, 0C000000Dh
		jmp	short loc_5E2C19
; 

loc_5E2BD3:				; CODE XREF: RtlUnicodeStringCopyStringEx+71j
		mov	ecx, [ebp+var_4]
		cmp	[ecx], bx
		mov	ecx, [ebp+var_8] ; void	*
		jz	loc_5681B2
		mov	esi, ecx
		neg	esi
		sbb	esi, esi
		and	esi, 0BFFFFFF8h
		add	esi, 0C000000Dh
		jmp	short loc_5E2C19
; 

loc_5E2BF6:				; CODE XREF: RtlUnicodeStringCopyStringEx+AFj
		test	eax, eax
		jz	loc_5681AF
		add	eax, eax
		push	eax		; size_t
		movzx	eax, cl
		push	eax		; int
		push	edx		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_5681AF
; 

loc_5E2C13:				; CODE XREF: RtlUnicodeStringCopyStringEx+A0j
		mov	edx, [ebp+var_8]
		mov	eax, [ebp+arg_4]

loc_5E2C19:				; CODE XREF: RtlUnicodeStringCopyStringEx+7AAD7j
					; RtlUnicodeStringCopyStringEx+7AAFAj
		test	eax, 1C00h
		jz	loc_5681B2
		test	edi, edi
		jz	loc_5681B2
		push	eax		; int
		lea	eax, [ebp+var_10]
		mov	edx, edi	; int
		push	eax		; int
		lea	eax, [ebp+var_14]
		push	eax		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	ecx		; int
		call	RtlUnicodeStringExHandleOtherFlags
		mov	edx, [ebp+var_10]
		mov	ebx, [ebp+var_C]
		jmp	loc_5681B2
; 

loc_5E2C4C:				; CODE XREF: RtlUnicodeStringCopyStringEx+C7j
		cmp	esi, 80000005h
		jnz	loc_5681E0
		jmp	loc_5681C7
; END OF FUNCTION CHUNK	FOR RtlUnicodeStringCopyStringEx
; 
; START	OF FUNCTION CHUNK FOR RtlWideCharArrayCopyStringWorker

loc_5E2C5D:				; CODE XREF: RtlWideCharArrayCopyStringWorker+16j
					; RtlWideCharArrayCopyStringWorker+51j
		cmp	[eax], si
		jz	loc_568229
		mov	esi, 80000005h
		jmp	loc_568229
; END OF FUNCTION CHUNK	FOR RtlWideCharArrayCopyStringWorker
; 
; START	OF FUNCTION CHUNK FOR sub_568240

loc_5E2C70:				; CODE XREF: sub_568240+9j
		test	[ebp+arg_0], 100h
		jnz	loc_56827C
		jmp	loc_56824F
; 

loc_5E2C82:				; CODE XREF: sub_568240+35j
		test	bx, bx
		jnz	loc_568280
		test	dx, dx
		jz	loc_56827B
		jmp	loc_568280
; END OF FUNCTION CHUNK	FOR sub_568240
; 
; START	OF FUNCTION CHUNK FOR RtlStringCchPrintfA

loc_5E2C99:				; CODE XREF: RtlStringCchPrintfA+17j
		test	eax, eax
		jz	loc_568453
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	0
		jmp	loc_568453
; END OF FUNCTION CHUNK	FOR RtlStringCchPrintfA
; 
; START	OF FUNCTION CHUNK FOR ExpQueryLicenseValueFromBlobHelper

loc_5E2CAC:				; CODE XREF: ExpQueryLicenseValueFromBlobHelper+4Cj
		mov	eax, [esi+5B7Ch]
		test	eax, eax
		jz	loc_568572
		jmp	loc_5684F6
; END OF FUNCTION CHUNK	FOR ExpQueryLicenseValueFromBlobHelper

;  S U B	R O U T	I N E 


sub_5E2CBF	proc near		; DATA XREF: .text:006A4B60o
		mov	esi, [ebp-20h]
		jmp	sub_568538
sub_5E2CBF	endp

; 
; START	OF FUNCTION CHUNK FOR MiSetNonPagedPoolNoSteal

loc_5E2CC7:				; CODE XREF: MiSetNonPagedPoolNoSteal+2Fj
					; MiSetNonPagedPoolNoSteal+37j
		mov	esi, eax
		mov	ecx, edx
		and	eax, 200h
		or	eax, 0
		jz	loc_55E192
		jmp	loc_55E1B3
; END OF FUNCTION CHUNK	FOR MiSetNonPagedPoolNoSteal
; 
; START	OF FUNCTION CHUNK FOR KeFlushMultipleRangeCurrentTb

loc_5E2CDE:				; CODE XREF: KeFlushMultipleRangeCurrentTb+36j
		test	al, 2
		jz	loc_55E1F2
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_C]
		call	_KiPrepareFlushParameters@12 ; KiPrepareFlushParameters(x,x,x)
		lea	ecx, [ebp+var_1C]
		call	_KiPrepareFlushCurrentAffinity@4 ; KiPrepareFlushCurrentAffinity(x)
		push	ebx
		push	esi
		push	1
		push	ecx
		push	[ebp+var_8]
		mov	edx, ecx
		mov	ecx, [ebp+var_C]
		call	_HvlFlushRangeListTb@28	; HvlFlushRangeListTb(x,x,x,x,x,x,x)
		test	al, al
		jnz	loc_55E20C
		jmp	loc_55E1F2
; 

loc_5E2D1C:				; CODE XREF: KeFlushMultipleRangeCurrentTb+5Dj
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	ecx, esi
		call	_VmFlushTb@12	; VmFlushTb(x,x,x)
		jmp	loc_55E219
; 

loc_5E2D2D:				; CODE XREF: KeFlushMultipleRangeCurrentTb+6Aj
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	[ebp+arg_0]
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		mov	bl, al
		call	_ExFlushTb@12	; ExFlushTb(x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_55E226
; END OF FUNCTION CHUNK	FOR KeFlushMultipleRangeCurrentTb
; 
; START	OF FUNCTION CHUNK FOR PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance

loc_5E2D51:				; CODE XREF: PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance+16j
		mov	eax, 0C0000189h
		jmp	loc_568615
; END OF FUNCTION CHUNK	FOR PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance
; 
; START	OF FUNCTION CHUNK FOR KeInitializeInterruptEx

loc_5E2D5B:				; CODE XREF: KeInitializeInterruptEx+60j
		mov	esi, [ebp+arg_10]
		push	1
		push	1
		push	esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[edi+50h], esi
		jmp	loc_55E310
; END OF FUNCTION CHUNK	FOR KeInitializeInterruptEx
; 
; START	OF FUNCTION CHUNK FOR KeConnectInterrupt

loc_5E2D70:				; CODE XREF: KeConnectInterrupt+36j
		call	_KiConnectSecondaryInterrupt@4 ; KiConnectSecondaryInterrupt(x)
		jmp	loc_55E451
; 

loc_5E2D7A:				; CODE XREF: KeConnectInterrupt+51j
		mov	[ebp+var_1], 1
		jmp	loc_55E467
; 

loc_5E2D83:				; CODE XREF: KeConnectInterrupt+A7j
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_10]
		call	ds:off_6B13B8	; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
		test	eax, eax
		js	short loc_5E2DBA
		cmp	[ebp+var_2], 0
		mov	ecx, [edi]
		jz	short loc_5E2DA9
		mov	edx, [ebp+var_8]
		mov	ecx, [ecx+2Ch]
		call	_KiUnmaskSecondaryInterruptInternal@8 ;	KiUnmaskSecondaryInterruptInternal(x,x)
		jmp	short loc_5E2DB4
; 

loc_5E2DA9:				; CODE XREF: KeConnectInterrupt+8498Aj
		push	0
		push	[ebp+var_8]
		call	ds:off_6B1304	; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)

loc_5E2DB4:				; CODE XREF: KeConnectInterrupt+84997j
		mov	esi, eax
		test	esi, esi
		js	short loc_5E2DC4

loc_5E2DBA:				; CODE XREF: KeConnectInterrupt+84982j
		mov	esi, 127h
		jmp	loc_55E4DA
; 

loc_5E2DC4:				; CODE XREF: KeConnectInterrupt+45j
					; KeConnectInterrupt+7Dj ...
		test	bl, bl
		jz	loc_55E4E2
		push	[ebp+arg_0]
		mov	dl, bl
		mov	ecx, edi
		call	KeDisconnectInterrupt
		jmp	loc_55E4E2
; END OF FUNCTION CHUNK	FOR KeConnectInterrupt
; 
; START	OF FUNCTION CHUNK FOR KiIntSteerConnect

loc_5E2DDD:				; CODE XREF: KiIntSteerConnect+4Aj
		mov	eax, [ebx+14h]
		or	ds:dword_6C7508, eax
		xor	eax, eax
		jmp	loc_55E7B4
; 

loc_5E2DED:				; CODE XREF: KiIntSteerConnect+6Bj
		mov	eax, 0C000009Ah
		jmp	loc_55E7B4
; 

loc_5E2DF7:				; CODE XREF: KiIntSteerConnect+283j
		cmp	dword ptr [ebx+68h], 2
		jnz	short loc_5E2E18
		mov	eax, [ebx+0A0h]
		mov	[eax+0Ch], dl
		mov	eax, [ebp+arg_0]
		mov	[ebx+68h], edx
		mov	[ebx+6Ch], dl
		mov	eax, [eax+14h]
		or	ds:dword_6C7508, eax

loc_5E2E18:				; CODE XREF: KiIntSteerConnect+84893j
		mov	esi, edx
		jmp	loc_55E768
; 

loc_5E2E1F:				; CODE XREF: KiIntSteerConnect+110j
		mov	esi, 0C000009Ah

loc_5E2E24:				; CODE XREF: KiIntSteerConnect:loc_55E762j
		mov	eax, [ebp+var_18]
		push	6B725449h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_55E792
; 

loc_5E2E37:				; CODE XREF: KiIntSteerConnect+236j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_55E7A9
; END OF FUNCTION CHUNK	FOR KiIntSteerConnect
; 
; START	OF FUNCTION CHUNK FOR KiIntSteerLogState

loc_5E2E44:				; CODE XREF: KiIntSteerLogState+21j
		mov	eax, [edi+8]
		lea	ecx, [ebp+var_78]
		or	[ebp+var_78], 0FFFFFFFFh
		add	eax, 10h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_74], eax
		push	4
		pop	edx
		lea	eax, [edi+34h]
		mov	[ebp+var_70], ebx
		mov	[ebp+var_44], eax
		mov	eax, [edi+10h]
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], ebx
		mov	eax, [eax]
		add	eax, 0Ch
		mov	[ebp+var_30], ebx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	ebx
		push	esi
		push	ds:dword_6FBC0C
		mov	[ebp+var_2C], edx
		push	ds:_KiIntSteerEtwHandle
		mov	[ebp+var_28], ebx
		mov	[ebp+var_78], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	ebx
		jmp	loc_55E837
; END OF FUNCTION CHUNK	FOR KiIntSteerLogState
; 
; START	OF FUNCTION CHUNK FOR KiIntSteerGetLineInformation

loc_5E2ED8:				; CODE XREF: KiIntSteerGetLineInformation+47j
		lea	eax, [ebp+var_4]
		xor	bl, bl
		push	eax
		push	[ebp+var_8]
		call	ds:off_6B12FC	; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
		jmp	loc_55E98B
; END OF FUNCTION CHUNK	FOR KiIntSteerGetLineInformation
; 
; START	OF FUNCTION CHUNK FOR KiIsInterruptTypeSecondary

loc_5E2EEC:				; CODE XREF: KiIsInterruptTypeSecondary+7j
		cmp	dword ptr [ecx], 1
		jnz	loc_55E9A5
		mov	eax, [ecx+38h]
		push	eax
		push	dword ptr [ecx+8]
		call	ds:off_6B1308	; xHalpIsInterruptTypeSecondary(x,x)
		retn
; END OF FUNCTION CHUNK	FOR KiIsInterruptTypeSecondary
; 
; START	OF FUNCTION CHUNK FOR KiSetSystemTimeDpc

loc_5E2F03:				; CODE XREF: KiSetSystemTimeDpc+16Aj
		mov	esi, 0FFDF0018h
		lea	ebx, [esi-4]

loc_5E2F0B:				; CODE XREF: KiSetSystemTimeDpc+844DAj
		lea	ecx, [esp+28h+var_10]
		call	KeYieldProcessorEx
		mov	ecx, [esi]
		mov	eax, [edi+0Ch]
		mov	[eax+4], ecx
		mov	ecx, [ebx]
		mov	eax, [edi+0Ch]
		mov	[eax], ecx
		mov	eax, 0FFDF001Ch
		mov	ecx, [eax]
		mov	eax, [edi+0Ch]
		cmp	[eax+4], ecx
		jnz	short loc_5E2F0B
		mov	esi, [ebp+arg_C]
		or	ebx, 0FFFFFFFFh
		jmp	loc_55EBC6
; END OF FUNCTION CHUNK	FOR KiSetSystemTimeDpc
; 
; START	OF FUNCTION CHUNK FOR KiAdjustTimerDueTimes

loc_5E2F3D:				; CODE XREF: KiAdjustTimerDueTimes+37j
					; KiAdjustTimerDueTimes+84313j
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5E2F3D
		jmp	loc_55EC68
; 

loc_5E2F50:				; CODE XREF: KiAdjustTimerDueTimes+12Dj
					; KiAdjustTimerDueTimes+135j
		or	edx, 0FFFFFFFFh
		or	edi, 0FFFFFFFFh
		jmp	loc_55ED71
; 

loc_5E2F5B:				; CODE XREF: KiAdjustTimerDueTimes+119j
					; KiAdjustTimerDueTimes+123j
		cmp	edi, ecx
		jb	loc_55ED71
		ja	short loc_5E2F6D
		cmp	edx, ebx
		jbe	loc_55ED71

loc_5E2F6D:				; CODE XREF: KiAdjustTimerDueTimes+8432Dj
		xor	edx, edx
		xor	edi, edi
		jmp	loc_55ED71
; 

loc_5E2F76:				; CODE XREF: KiAdjustTimerDueTimes+196j
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	_KiTraceSetTimer@12 ; KiTraceSetTimer(x,x,x)
		jmp	loc_55ED02
; END OF FUNCTION CHUNK	FOR KiAdjustTimerDueTimes
; 
; START	OF FUNCTION CHUNK FOR KiAdjustTimer2DueTimes

loc_5E2F86:				; CODE XREF: KiAdjustTimer2DueTimes+12Bj
					; KiAdjustTimer2DueTimes+133j
		push	ecx
		push	edx
		push	[ebp+var_C]
		lea	ecx, [edi+28h]
		push	[ebp+var_10]
		call	_RtlULongLongSub@20 ; RtlULongLongSub(x,x,x,x,x)
		test	eax, eax
		jz	short loc_5E2FA0
		mov	[edi+28h], ebx
		mov	[edi+2Ch], ebx

loc_5E2FA0:				; CODE XREF: KiAdjustTimer2DueTimes+84188j
		mov	ecx, [edi+30h]
		mov	eax, ecx
		mov	edx, [edi+34h]
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_55EF79
		mov	eax, [ebp+var_8]
		push	dword ptr [eax+14h]
		push	dword ptr [eax+10h]
		push	edx
		push	ecx
		lea	ecx, [edi+30h]
		call	_RtlULongLongSub@20 ; RtlULongLongSub(x,x,x,x,x)
		test	eax, eax
		jz	loc_55EF79
		mov	[edi+30h], ebx
		mov	[edi+34h], ebx
		jmp	loc_55EF79
; END OF FUNCTION CHUNK	FOR KiAdjustTimer2DueTimes
; 
; START	OF FUNCTION CHUNK FOR KiUpdateSystemTime

loc_5E2FD9:				; CODE XREF: KiUpdateSystemTime+8Bj
		mov	eax, [edi]
		mov	ds:0FFDF0358h, eax
		mov	eax, [edi+4]
		mov	ds:0FFDF035Ch, eax
		mov	al, [edi+8]
		mov	ds:0FFDF0368h, al
		jmp	loc_55F071
; 

loc_5E2FF5:				; CODE XREF: KiUpdateSystemTime+BBj
		add	ds:_KeBootTime,	ebx
		mov	eax, [ebp+arg_4]
		adc	ds:dword_70E2EC, eax
		add	ds:_KeBootTimeBias, ebx
		adc	ds:dword_70E73C, eax
		jmp	loc_55F0B9
; END OF FUNCTION CHUNK	FOR KiUpdateSystemTime
; 
; START	OF FUNCTION CHUNK FOR KeInvalidateAllCaches

loc_5E3015:				; CODE XREF: KeInvalidateAllCaches+CEj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_55F1A5
; END OF FUNCTION CHUNK	FOR KeInvalidateAllCaches
; 
; START	OF FUNCTION CHUNK FOR RtlHpHeapManagerStart

loc_5E3022:				; CODE XREF: RtlHpHeapManagerStart+54j
		xor	esi, esi
		add	edi, 1C50h

loc_5E302A:				; CODE XREF: RtlHpHeapManagerStart+83DD1j
		push	0
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlHpEnvContextCreate@16 ; RtlHpEnvContextCreate(x,x,x,x)
		push	edx
		push	eax
		mov	ecx, edi
		call	_RtlpHpMetadataHeapStart@12 ; RtlpHpMetadataHeapStart(x,x,x)
		test	eax, eax
		js	loc_55F2DA
		inc	esi
		add	edi, 8
		cmp	esi, 3
		jb	short loc_5E302A
		jmp	loc_55F2D8
; END OF FUNCTION CHUNK	FOR RtlHpHeapManagerStart
; 
; START	OF FUNCTION CHUNK FOR ExInitializeSessionHeapManager

loc_5E3056:				; CODE XREF: ExInitializeSessionHeapManager+42j
		mov	edi, 0C0000017h
		jmp	loc_55F471
; END OF FUNCTION CHUNK	FOR ExInitializeSessionHeapManager
; 
; START	OF FUNCTION CHUNK FOR RtlpHpHeapCreate

loc_5E3060:				; CODE XREF: RtlpHpHeapCreate+3Aj
		xor	eax, eax
		inc	eax
		mov	[esp+28h+var_1C], eax
		jmp	loc_55F5C0
; 

loc_5E306C:				; CODE XREF: RtlpHpHeapCreate+54j
		xor	edx, edx
		lea	ecx, [ebp+arg_4]
		xor	esi, esi
		call	_RtlpHpRegisterEnvironment@8 ; RtlpHpRegisterEnvironment(x,x)
		jmp	loc_55F717
; 

loc_5E307D:				; CODE XREF: RtlpHpHeapCreate+71j
		push	10h
		pop	esi
		jmp	loc_55F5F7
; 

loc_5E3085:				; CODE XREF: RtlpHpHeapCreate+7Dj
		or	esi, 4
		jmp	loc_55F603
; 

loc_5E308D:				; CODE XREF: RtlpHpHeapCreate+E3j
		call	_RtlpGetHeapInterceptorIndex@4 ; RtlpGetHeapInterceptorIndex(x)
		movzx	eax, ax
		mov	[ebx+10h], eax
		jmp	loc_55F669
; END OF FUNCTION CHUNK	FOR RtlpHpHeapCreate
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegContextReserve

loc_5E309D:				; CODE XREF: RtlpHpSegContextReserve+3Fj
					; RtlpHpSegContextReserve+83932j
		cmp	esi, edi
		jbe	short loc_5E30A8
		mov	eax, edi
		mov	[ebp+arg_0], eax
		jmp	short loc_5E30AD
; 

loc_5E30A8:				; CODE XREF: RtlpHpSegContextReserve+838D1j
		mov	eax, esi
		mov	[ebp+arg_0], esi

loc_5E30AD:				; CODE XREF: RtlpHpSegContextReserve+838D8j
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		push	ebx
		call	RtlpHpSegSegmentAllocate
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_5E3107
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		call	RtlpHpSegSegmentInitialize
		mov	eax, [ebp+var_4]
		mov	ecx, eax
		push	1
		movzx	edx, byte ptr [eax+6]
		shl	edx, 4
		add	edx, [ebp+var_8]
		call	RtlpHpSegFreeRangeInsert
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]
		call	_RtlpHpSegHeapAddSegment@8 ; RtlpHpSegHeapAddSegment(x,x)
		mov	edx, [ebp+var_C]
		mov	eax, esi
		dec	edx
		sub	eax, edi
		cmp	edi, esi
		mov	[ebp+var_C], edx
		sbb	esi, esi
		and	esi, eax
		test	edx, edx
		jnz	short loc_5E309D
		jmp	loc_55F813
; 

loc_5E3107:				; CODE XREF: RtlpHpSegContextReserve+838EFj
		mov	ebx, 0C000009Ah
		jmp	loc_55F813
; END OF FUNCTION CHUNK	FOR RtlpHpSegContextReserve
; 
; START	OF FUNCTION CHUNK FOR RtlpHpHeapAllocate

loc_5E3111:				; CODE XREF: RtlpHpHeapAllocate+12Aj
		push	[ebp+arg_4]
		or	edi, 8000h
		lea	edx, [ebp+var_4]
		push	ebx
		push	edi
		lea	ecx, [ebp+var_8]
		call	_RtlpHpFreeVA@20 ; RtlpHpFreeVA(x,x,x,x,x)
		jmp	loc_55FA48
; END OF FUNCTION CHUNK	FOR RtlpHpHeapAllocate
; 
; START	OF FUNCTION CHUNK FOR RtlCSparseBitmapStart

loc_5E312C:				; CODE XREF: RtlCSparseBitmapStart+33j
					; RtlCSparseBitmapStart+6Dj
		mov	eax, 80000005h
		jmp	loc_55FF32
; END OF FUNCTION CHUNK	FOR RtlCSparseBitmapStart
; 
; START	OF FUNCTION CHUNK FOR MmManageFaultRange

loc_5E3136:				; CODE XREF: MmManageFaultRange+161j
		mov	eax, [ebp+var_8]
		jmp	loc_55FFBD
; 

loc_5E313E:				; CODE XREF: MmManageFaultRange+6Dj
		xor	eax, eax
		jmp	loc_5600A7
; 

loc_5E3145:				; CODE XREF: MmManageFaultRange+A1j
		push	edx
		push	ebx
		push	esi
		push	5230h
		jmp	short loc_5E3157
; 

loc_5E314F:				; CODE XREF: MmManageFaultRange+1A9j
					; MmManageFaultRange+1B7j
		push	ecx
		push	ebx
		push	esi
		push	5231h

loc_5E3157:				; CODE XREF: MmManageFaultRange+831D1j
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E315E:				; CODE XREF: MmManageFaultRange+139j
		xor	esi, esi
		jmp	loc_5600C5
; END OF FUNCTION CHUNK	FOR MmManageFaultRange
; 
; START	OF FUNCTION CHUNK FOR MiMarkSessionMasterProcess

loc_5E3165:				; CODE XREF: MiMarkSessionMasterProcess+69j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_560221
; 

loc_5E3175:				; CODE XREF: MiMarkSessionMasterProcess+8Bj
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid

loc_5E317D:				; CODE XREF: MiMarkSessionMasterProcess+74j
		xor	ecx, ecx
		mov	[ebp+var_10], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_560221
; END OF FUNCTION CHUNK	FOR MiMarkSessionMasterProcess
; 
; START	OF FUNCTION CHUNK FOR MiMapContiguousMemoryLarge

loc_5E3192:				; CODE XREF: MiMapContiguousMemoryLarge+50j
		mov	eax, ds:dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		mov	[ebp+var_20], eax
		jz	loc_56028B
		imul	eax, esi, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_14], eax
		jmp	loc_560290
; 

loc_5E31C3:				; CODE XREF: MiMapContiguousMemoryLarge+7Bj
		mov	eax, ds:dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_5E3220
		test	byte ptr [ebp+arg_4], 2
		jnz	short loc_5E322B
		cmp	[ebp+var_14], 0
		jz	loc_5602CD
		mov	edx, [ebp+var_10]
		mov	cl, [edx]
		mov	al, cl
		and	al, 0C0h
		cmp	al, 0C0h
		jnz	short loc_5E3207
		lea	ecx, [edx-16h]
		mov	edx, [ebp+var_4]
		call	_MiAssignInitialPageAttribute@8	; MiAssignInitialPageAttribute(x,x)
		mov	eax, [ebp+var_10]
		mov	cl, [eax]

loc_5E3207:				; CODE XREF: MiMapContiguousMemoryLarge+82FC3j
		movzx	eax, cl
		mov	ecx, [ebp+var_4]
		shr	eax, 6
		cmp	eax, ecx
		jnz	loc_5602D0
		mov	[ebp+var_18], ecx
		jmp	loc_5603B6
; 

loc_5E3220:				; CODE XREF: MiMapContiguousMemoryLarge+82FA6j
		mov	eax, [ebp+var_14]
		mov	edx, [ebp+var_10]
		jmp	loc_5602B3
; 

loc_5E322B:				; CODE XREF: MiMapContiguousMemoryLarge+82FACj
		push	0
		push	0
		push	[ebp+var_28]
		push	1160Ch
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E323E:				; CODE XREF: MiMapContiguousMemoryLarge+17Bj
		mov	ecx, [eax+14h]
		mov	ebx, edi
		mov	[ebp+var_18], ecx
		jmp	short loc_5E324A
; 

loc_5E3248:				; CODE XREF: MiMapContiguousMemoryLarge+63j
		mov	eax, ebx

loc_5E324A:				; CODE XREF: MiMapContiguousMemoryLarge+83014j
		mov	ecx, [ebp+var_4]
		jmp	loc_5602D3
; 

loc_5E3252:				; CODE XREF: MiMapContiguousMemoryLarge+ADj
					; MiMapContiguousMemoryLarge+B5j
		mov	ebx, [ebp+var_18]
		jmp	loc_56033A
; 

loc_5E325A:				; CODE XREF: MiMapContiguousMemoryLarge+126j
		cmp	[ebp+var_20], 0
		jnz	loc_560381
		cmp	[ebp+var_8], 0
		jnz	loc_560381

loc_5E326E:				; CODE XREF: MiMapContiguousMemoryLarge+E3j
		xor	ecx, ecx
		mov	edx, esi
		push	edi
		inc	ecx
		call	MiDereferenceIoPages
		jmp	loc_5603C9
; END OF FUNCTION CHUNK	FOR MiMapContiguousMemoryLarge
; 
; START	OF FUNCTION CHUNK FOR MiMapWithLargePages

loc_5E327E:				; CODE XREF: MiMapWithLargePages+5Cj
		mov	edx, eax
		mov	ecx, eax
		mov	eax, ds:dword_6D35B8
		and	ecx, 1Fh
		shr	edx, 5
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_560430
		mov	edx, [ebp+arg_0]
		mov	eax, ds:_MmPfnDatabase
		imul	ecx, edx, 1Ch
		movzx	eax, byte ptr [ecx+eax+16h]
		shr	eax, 6
		test	eax, eax
		jnz	short loc_5E32BA
		or	esi, 8
		jmp	loc_560446
; 

loc_5E32BA:				; CODE XREF: MiMapWithLargePages+82EE2j
		cmp	eax, 2
		jnz	loc_560446
		or	esi, 18h
		jmp	loc_560446
; 

loc_5E32CB:				; CODE XREF: MiMapWithLargePages+1C5j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5E3309
		xor	ecx, ecx
		mov	eax, edi
		inc	ecx
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	[esp+30h+var_18], ecx
		jnz	loc_56059B
		and	eax, ecx
		jmp	short loc_5E32F1
; 

loc_5E32EE:				; CODE XREF: MiMapWithLargePages+82F5Aj
		and	eax, 1

loc_5E32F1:				; CODE XREF: MiMapWithLargePages+82F1Ej
		or	eax, 0
		mov	eax, edi
		jz	loc_56059B
		mov	edx, esi
		or	edx, 80000000h
		jmp	loc_56059B
; 

loc_5E3309:				; CODE XREF: MiMapWithLargePages+82F04j
		mov	eax, large fs:124h
		mov	ecx, 1000h
		mov	eax, [eax+80h]
		test	[eax+3A8h], ecx
		mov	eax, edi
		jz	loc_56059B
		jmp	short loc_5E32EE
; 

loc_5E332A:				; CODE XREF: MiMapWithLargePages+1D8j
		push	edx
		push	eax
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_5605AC
; 

loc_5E3338:				; CODE XREF: MiMapWithLargePages+F3j
		mov	ecx, [esp+30h+var_1C]
		mov	edx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	loc_560535
; END OF FUNCTION CHUNK	FOR MiMapWithLargePages
; 
; START	OF FUNCTION CHUNK FOR MiWriteTopLevelPxe

loc_5E3348:				; CODE XREF: MiWriteTopLevelPxe+3Fj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5E3363
		xor	edi, edi
		inc	edi
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	loc_56062D
		jmp	short loc_5E337F
; 

loc_5E3363:				; CODE XREF: MiWriteTopLevelPxe+82D67j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_56062D

loc_5E337F:				; CODE XREF: MiWriteTopLevelPxe+82D79j
		or	edx, 80000000h
		jmp	loc_56062D
; 

loc_5E338A:				; CODE XREF: MiWriteTopLevelPxe+59j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_560669
; 

loc_5E339A:				; CODE XREF: MiWriteTopLevelPxe+7Bj
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5E33A2:				; CODE XREF: MiWriteTopLevelPxe+64j
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	edi
		jmp	loc_560669
; END OF FUNCTION CHUNK	FOR MiWriteTopLevelPxe
; 
; START	OF FUNCTION CHUNK FOR MiGetPageTablesForLargeMap

loc_5E33B4:				; CODE XREF: MiGetPageTablesForLargeMap+15j
		mov	[ebp+var_8], edx
		jmp	loc_5606AF
; 

loc_5E33BC:				; CODE XREF: MiGetPageTablesForLargeMap+94j
		shl	esi, 15h
		mov	ecx, edi
		push	0
		push	[ebp+var_8]
		lea	edx, [edi+esi]
		call	_MiReturnSystemVa@16 ; MiReturnSystemVa(x,x,x,x)

loc_5E33CE:				; CODE XREF: MiGetPageTablesForLargeMap+44j
		xor	eax, eax
		jmp	loc_5606EA
; END OF FUNCTION CHUNK	FOR MiGetPageTablesForLargeMap
; 
; START	OF FUNCTION CHUNK FOR RtlStringCchCopyNW

loc_5E33D5:				; CODE XREF: RtlStringCchCopyNW+1Ej
		mov	eax, 0C000000Dh

loc_5E33DA:				; CODE XREF: RtlStringCchCopyNW+3Fj
		xor	edx, edx
		mov	[ecx], dx
		jmp	loc_560758
; END OF FUNCTION CHUNK	FOR RtlStringCchCopyNW
; 

loc_5E33E4:				; CODE XREF: .text:005607F7j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_560802
; 
; START	OF FUNCTION CHUNK FOR KeRegisterBugCheckReasonCallback

loc_5E33F3:				; CODE XREF: KeRegisterBugCheckReasonCallback+38j
					; KeRegisterBugCheckReasonCallback+46j
		mov	esi, offset _KeBugCheckAddRemovePagesCallbackListHead
		jmp	loc_56087E
; 

loc_5E33FD:				; CODE XREF: KeRegisterBugCheckReasonCallback+55j
		mov	esi, offset _KeBugCheckCallbackLock
		jmp	loc_5608FD
; 

loc_5E3407:				; CODE XREF: KeRegisterBugCheckReasonCallback+96j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5608D3
; END OF FUNCTION CHUNK	FOR KeRegisterBugCheckReasonCallback
; 
; START	OF FUNCTION CHUNK FOR KiIpiSignalPacketDoneAndStall

loc_5E3416:				; CODE XREF: KiIpiSignalPacketDoneAndStall+67j
		push	0FFFFFFFBh
		pop	edx
		mov	eax, [edi]

loc_5E341B:				; CODE XREF: KiIpiSignalPacketDoneAndStall+82AE7j
		mov	ecx, eax
		and	ecx, edx
		lock cmpxchg [edi], ecx
		jnz	short loc_5E341B
		test	al, 4
		jz	loc_5609A9
		mov	ecx, [esi+2128h]
		xor	edx, edx
		call	_KiFreezeTargetExecution@8 ; KiFreezeTargetExecution(x,x)
		jmp	loc_5609A9
; END OF FUNCTION CHUNK	FOR KiIpiSignalPacketDoneAndStall
; 
; START	OF FUNCTION CHUNK FOR MiFreePrivateFixupEntryForSystemImage

loc_5E343F:				; CODE XREF: MiFreePrivateFixupEntryForSystemImage+3Dj
		push	offset unk_6CF554
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		jmp	loc_560CE3
; 

loc_5E3459:				; CODE XREF: MiFreePrivateFixupEntryForSystemImage+7Ej
		push	0
		push	ebx
		push	1011h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5E3469:				; CODE XREF: PopGetPolicyWorker+2Bj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_50F6D6
; END OF FUNCTION CHUNK	FOR MiFreePrivateFixupEntryForSystemImage
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceIdleCheck

loc_5E3478:				; CODE XREF: PopDiagTraceIdleCheck+42j
		mov	eax, ds:dword_6C22A8
		cmp	eax, ds:dword_6C22AC
		push	4
		sbb	eax, eax
		mov	[ebp+var_84], ebx
		inc	eax
		mov	[ebp+var_70], ebx
		mov	[ebp+var_88], eax
		xor	eax, eax
		cmp	eax, ds:dword_6B1470
		pop	ecx
		sbb	eax, eax
		mov	[ebp+var_6C], ecx
		neg	eax
		mov	[ebp+var_68], ebx
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	ebx
		push	offset _POP_ETW_EVENT_IDLE_CHECK ; "H"
		push	esi
		push	edi
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], offset dword_6C22A8
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_50F72A
; END OF FUNCTION CHUNK	FOR PopDiagTraceIdleCheck
; 
; START	OF FUNCTION CHUNK FOR PopBatteryTraceSystemBatteryStatus

loc_5E352C:				; CODE XREF: PopBatteryTraceSystemBatteryStatus+3Dj
		xor	edx, edx
		cmp	ds:dword_6C252C, edx
		jnz	short loc_5E3540
		mov	[ebp+var_38], edx
		mov	eax, edx
		mov	[ebp+var_3C], edx
		jmp	short loc_5E3553
; 

loc_5E3540:				; CODE XREF: PopBatteryTraceSystemBatteryStatus+827C4j
		mov	eax, ds:dword_6C2544
		mov	[ebp+var_38], eax
		mov	eax, ds:dword_6C2548
		mov	[ebp+var_3C], eax
		xor	eax, eax
		inc	eax

loc_5E3553:				; CODE XREF: PopBatteryTraceSystemBatteryStatus+827CEj
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_38]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	esi
		push	edi
		push	ebx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_560DB3
; END OF FUNCTION CHUNK	FOR PopBatteryTraceSystemBatteryStatus
; 
; START	OF FUNCTION CHUNK FOR PopUpdateAcDcState

loc_5E359A:				; CODE XREF: PopUpdateAcDcState+1Dj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PopCsResiliencyStatsLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		mov	ds:dword_6C2D0C, esi
		jz	short loc_5E35C9
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5E35CE
; 

loc_5E35C9:				; CODE XREF: PopUpdateAcDcState+827CBj
		xor	eax, eax
		lock and [edi],	eax

loc_5E35CE:				; CODE XREF: PopUpdateAcDcState+827D7j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	ecx, [ebp+var_20]
		mov	bl, 1
		call	_PopCurrentPowerState@4	; PopCurrentPowerState(x)
		push	[ebp+var_18]
		mov	edx, [ebp+var_14]
		mov	ecx, esi
		call	_PopDiagTraceAcDcStateChange@12	; PopDiagTraceAcDcStateChange(x,x,x)
		jmp	loc_560E15
; END OF FUNCTION CHUNK	FOR PopUpdateAcDcState
; 
; START	OF FUNCTION CHUNK FOR RtlInterlockedClearBitRun

loc_5E35F2:				; CODE XREF: RtlInterlockedClearBitRun+25j
		test	ebx, ebx
		jz	short loc_5E3611
		push	20h
		xor	eax, eax
		pop	edx
		sub	edx, ebx
		inc	eax
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, ebx
		dec	eax
		shl	eax, cl
		not	eax
		lock and [edi],	eax
		sub	esi, edx
		add	edi, 4

loc_5E3611:				; CODE XREF: RtlInterlockedClearBitRun+827ACj
		cmp	esi, 20h
		jb	short loc_5E362C
		mov	eax, esi
		shr	eax, 5

loc_5E361B:				; CODE XREF: RtlInterlockedClearBitRun+827E2j
		mov	dword ptr [edi], 0
		sub	esi, 20h
		add	edi, 4
		sub	eax, 1
		jnz	short loc_5E361B

loc_5E362C:				; CODE XREF: RtlInterlockedClearBitRun+827CCj
		test	esi, esi
		jz	loc_560E89
		or	eax, 0FFFFFFFFh
		mov	ecx, esi
		shl	eax, cl
		jmp	loc_560E86
; END OF FUNCTION CHUNK	FOR RtlInterlockedClearBitRun
; 
; START	OF FUNCTION CHUNK FOR MiQueuePinDriverAddressLog

loc_5E3640:				; CODE XREF: MiQueuePinDriverAddressLog+87j
		or	edi, 0FFFFFFFFh

loc_5E3643:				; CODE XREF: MiQueuePinDriverAddressLog+212j
		test	esi, esi
		jz	short loc_5E365C
		mov	ebx, [ebp+var_18]
		inc	ebx
		cmp	ebx, edx
		jbe	short loc_5E3651
		mov	ebx, edx

loc_5E3651:				; CODE XREF: MiQueuePinDriverAddressLog+827B5j
		mov	edi, [ebp+var_C]
		dec	ebx
		mov	esi, ecx
		jmp	loc_560F14
; 

loc_5E365C:				; CODE XREF: MiQueuePinDriverAddressLog+827ADj
		cmp	edi, 0FFFFFFFFh
		jz	loc_560F8C
		jmp	loc_560F74
; 

loc_5E366A:				; CODE XREF: MiQueuePinDriverAddressLog+13Aj
		jnz	short loc_5E3674
		or	esi, 40h
		jmp	loc_560FD8
; 

loc_5E3674:				; CODE XREF: MiQueuePinDriverAddressLog:loc_5E366Aj
		or	esi, 80h
		jmp	loc_560FD8
; 

loc_5E367F:				; CODE XREF: MiQueuePinDriverAddressLog+147j
		cmp	ds:_KdDebuggerNotPresent, 0
		jz	short loc_5E3693
		or	esi, 400h
		jmp	loc_560FE5
; 

loc_5E3693:				; CODE XREF: MiQueuePinDriverAddressLog+827EEj
		or	esi, ebx
		jmp	loc_560FE5
; 

loc_5E369A:				; CODE XREF: MiQueuePinDriverAddressLog+53j
					; MiQueuePinDriverAddressLog+FEj
		mov	cl, [ebp+var_1]
		mov	edx, offset unk_6C6870
		push	2
		pop	ebx
		cmp	bl, cl
		sbb	eax, eax
		and	eax, 10h
		cmp	ds:_KdDebuggerEnabled, 0
		jnz	short loc_5E36BA
		mov	edx, offset unk_6C6868

loc_5E36BA:				; CODE XREF: MiQueuePinDriverAddressLog+8281Bj
		shl	esi, 5
		add	esi, edx
		add	esi, eax
		lock inc dword ptr [esi]
		jmp	loc_56106C
; END OF FUNCTION CHUNK	FOR MiQueuePinDriverAddressLog
; 
; START	OF FUNCTION CHUNK FOR KeIsBugCheckActive

loc_5E36C9:				; CODE XREF: KeIsBugCheckActive+7j
		test	ecx, ecx
		jz	short loc_5E36D2
		shr	eax, 4
		mov	[ecx], eax

loc_5E36D2:				; CODE XREF: KeIsBugCheckActive+8260Dj
		mov	al, 1
		retn
; END OF FUNCTION CHUNK	FOR KeIsBugCheckActive
; 
; START	OF FUNCTION CHUNK FOR RtlpTimeToTimeFields

loc_5E36D5:				; CODE XREF: RtlpTimeToTimeFields+53j
		xor	ecx, ecx
		lea	edx, [eax+8]
		mov	eax, [ebp+var_8]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_10], edx

loc_5E36E3:				; CODE XREF: RtlpTimeToTimeFields+8267Bj
		mov	ebx, [edx]
		mov	edx, [edx+4]
		test	edx, edx
		jl	short loc_5E3742
		jg	short loc_5E36F2
		test	ebx, ebx
		jb	short loc_5E3742

loc_5E36F2:				; CODE XREF: RtlpTimeToTimeFields+82602j
		mov	eax, ebx
		add	eax, 1312D00h
		mov	[ebp+var_14], eax
		mov	eax, edx
		adc	eax, 0
		cmp	edi, eax
		jl	short loc_5E3711
		jg	short loc_5E370C
		cmp	esi, [ebp+var_14]
		jb	short loc_5E3711

loc_5E370C:				; CODE XREF: RtlpTimeToTimeFields+8261Bj
		inc	[ebp+var_C]
		jmp	short loc_5E373D
; 

loc_5E3711:				; CODE XREF: RtlpTimeToTimeFields+82619j
					; RtlpTimeToTimeFields+82620j
		mov	eax, ebx
		add	eax, 989680h
		mov	[ebp+var_14], eax
		mov	eax, edx
		adc	eax, 0
		cmp	edi, eax
		jl	short loc_5E3730
		jg	short loc_5E372B
		cmp	esi, [ebp+var_14]
		jb	short loc_5E3730

loc_5E372B:				; CODE XREF: RtlpTimeToTimeFields+8263Aj
		or	ecx, 2
		jmp	short loc_5E373D
; 

loc_5E3730:				; CODE XREF: RtlpTimeToTimeFields+82638j
					; RtlpTimeToTimeFields+8263Fj
		cmp	edi, edx
		jl	short loc_5E376B
		jg	short loc_5E373A
		cmp	esi, ebx
		jb	short loc_5E376B

loc_5E373A:				; CODE XREF: RtlpTimeToTimeFields+8264Aj
		or	ecx, 4

loc_5E373D:				; CODE XREF: RtlpTimeToTimeFields+82625j
					; RtlpTimeToTimeFields+82644j
		mov	eax, [ebp+var_8]
		jmp	short loc_5E3755
; 

loc_5E3742:				; CODE XREF: RtlpTimeToTimeFields+82600j
					; RtlpTimeToTimeFields+82606j
		and	edx, 7FFFFFFFh
		cmp	edi, edx
		jl	short loc_5E376B
		jg	short loc_5E3752
		cmp	esi, ebx
		jb	short loc_5E376B

loc_5E3752:				; CODE XREF: RtlpTimeToTimeFields+82662j
		dec	[ebp+var_C]

loc_5E3755:				; CODE XREF: RtlpTimeToTimeFields+82656j
		mov	edx, [ebp+var_10]
		inc	eax
		add	edx, 8
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], edx
		cmp	eax, [ebp+var_18]
		jb	loc_5E36E3

loc_5E376B:				; CODE XREF: RtlpTimeToTimeFields+82648j
					; RtlpTimeToTimeFields+8264Ej ...
		mov	edx, [ebp+var_C]
		mov	[ebp+var_10], ecx
		jmp	loc_561143
; 

loc_5E3776:				; CODE XREF: RtlpTimeToTimeFields+71j
		mov	eax, 989680h
		sub	esi, eax
		mov	[ebp+var_1C], esi
		sbb	edi, 0
		mov	[ebp+var_18], edi
		jmp	loc_561161
; 

loc_5E378B:				; CODE XREF: RtlpTimeToTimeFields+8Fj
		movsx	eax, [ebp+var_24]
		cdq
		sub	eax, edx
		sar	eax, 1
		mov	[ebp+var_24], ax
		jmp	loc_561183
; 

loc_5E379D:				; CODE XREF: RtlpTimeToTimeFields+9Bj
		cwde
		cdq
		sub	eax, edx
		sar	eax, 1
		add	eax, 1F4h
		mov	[ebp+var_24], ax
		jmp	loc_56118B
; 

loc_5E37B1:				; CODE XREF: RtlpTimeToTimeFields+87j
		test	ebx, ebx
		jz	loc_56118B
		inc	[ebp+var_26]
		jmp	loc_56118B
; 

loc_5E37C2:				; CODE XREF: RtlpTimeToTimeFields+1Ej
					; RtlpTimeToTimeFields+27j
		call	_RtlpTimeToTimeFieldsNoLeapSeconds@8 ; RtlpTimeToTimeFieldsNoLeapSeconds(x,x)
		jmp	loc_561195
; END OF FUNCTION CHUNK	FOR RtlpTimeToTimeFields
; 
; START	OF FUNCTION CHUNK FOR KiConnectInterruptInternal

loc_5E37CC:				; CODE XREF: KiConnectInterruptInternal+5Cj
		test	al, al
		jnz	loc_561479
		jmp	loc_5613E4
; 

loc_5E37D9:				; CODE XREF: KiConnectInterruptInternal+A2j
		push	2
		pop	edx
		mov	ecx, esi
		call	KiConnectVectorAndInterruptObject
		jmp	loc_561437
; 

loc_5E37E8:				; CODE XREF: KiConnectInterruptInternal+101j
		cmp	byte ptr [esi+38h], 0
		jz	loc_561489
		mov	edi, [ebp+var_24]
		cmp	byte ptr [edi+38h], 0
		jz	loc_561489
		mov	eax, [edi+40h]
		cmp	eax, [esi+40h]
		jnz	loc_561489
		mov	edx, esi
		mov	[ebp+var_11], 1
		mov	ecx, edi
		mov	byte ptr [ebp+var_18], 1
		mov	byte ptr [esi+33h], 1
		call	_KiInsertInterruptObjectOrdered@8 ; KiInsertInterruptObjectOrdered(x,x)
		cmp	byte ptr [edi+31h], 0
		jz	short loc_5E3838
		cmp	ebx, 2
		jz	loc_561489
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, edi
		jmp	short loc_5E3849
; 

loc_5E3838:				; CODE XREF: KiConnectInterruptInternal+824A2j
		cmp	byte ptr [esi+31h], 0
		jz	loc_561489
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, esi

loc_5E3849:				; CODE XREF: KiConnectInterruptInternal+824B4j
		push	2
		pop	edx
		mov	bl, al
		call	KiConnectVectorAndInterruptObject
		test	bl, bl
		jz	loc_561489
		sti
		jmp	loc_561489
; END OF FUNCTION CHUNK	FOR KiConnectInterruptInternal
; 
; START	OF FUNCTION CHUNK FOR KiGetVectorInfo

loc_5E3861:				; CODE XREF: KiGetVectorInfo+Ej
		mov	ebx, ds:_IDT[edi*8]
		jmp	loc_5614A9
; END OF FUNCTION CHUNK	FOR KiGetVectorInfo
; 
; START	OF FUNCTION CHUNK FOR PoSetPowerState

loc_5E386D:				; CODE XREF: PoSetPowerState+60j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5615DB
; END OF FUNCTION CHUNK	FOR PoSetPowerState
; 
; START	OF FUNCTION CHUNK FOR PpmPerfUpdateQosDisableReasons

loc_5E387A:				; CODE XREF: PpmPerfUpdateQosDisableReasons+43j
		add	ds:dword_70ED50, esi
		adc	ds:dword_70ED54, edi
		jmp	loc_561655
; END OF FUNCTION CHUNK	FOR PpmPerfUpdateQosDisableReasons
; 
; START	OF FUNCTION CHUNK FOR PpmPerfCalculateQosClassPolicies

loc_5E388B:				; CODE XREF: PpmPerfCalculateQosClassPolicies+228j
		imul	ebx, [ebp+var_48], 0F0h
		add	ebx, offset dword_6BF8A0
		jmp	loc_561799
; 

loc_5E389D:				; CODE XREF: PpmPerfCalculateQosClassPolicies+8Fj
		imul	eax, [ebp+var_48], 0F0h
		lea	ebx, [ecx+20h]
		jmp	loc_56194D
; 

loc_5E38AC:				; CODE XREF: PpmPerfCalculateQosClassPolicies+C8j
		mov	esi, eax
		jmp	loc_5617D6
; 

loc_5E38B3:				; CODE XREF: PpmPerfCalculateQosClassPolicies+DAj
		or	esi, 100h
		mov	[ebp+var_2C], esi
		jmp	loc_5617E2
; 

loc_5E38C1:				; CODE XREF: PpmPerfCalculateQosClassPolicies+F3j
		mov	ecx, [ebp+var_4C]
		mov	eax, [ebp+var_50]
		and	ecx, 0C00h
		and	eax, 1C0h
		or	ecx, eax
		jnz	loc_561801
		mov	ecx, [ebp+var_44]
		mov	eax, edx
		and	ecx, 40C0h
		and	eax, 400h
		or	ecx, eax
		jnz	loc_561801
		or	esi, 4
		jmp	loc_5617FE
; 

loc_5E38FA:				; CODE XREF: PpmPerfCalculateQosClassPolicies+119j
		or	esi, 20h
		mov	[ebp+var_2C], esi
		jmp	loc_561821
; 

loc_5E3905:				; CODE XREF: PpmPerfCalculateQosClassPolicies+135j
		or	esi, 1
		mov	[ebp+var_2C], esi
		jmp	loc_56183D
; 

loc_5E3910:				; CODE XREF: PpmPerfCalculateQosClassPolicies+13Dj
		mov	esi, [ebp+var_34]
		jmp	loc_561971
; 

loc_5E3918:				; CODE XREF: PpmPerfCalculateQosClassPolicies+275j
		mov	ecx, 400h
		mov	[ebp+var_4C], 0C00h
		mov	[ebp+var_50], 1C0h
		mov	[ebp+var_44], 40C0h
		mov	[ebp+var_40], ecx
		jmp	loc_561980
; 

loc_5E393A:				; CODE XREF: PpmPerfCalculateQosClassPolicies+296j
		test	edx, edx
		jz	short loc_5E3954
		test	cl, 40h
		jz	loc_56199E
		mov	eax, [edx+10h]
		cmp	eax, [ebx+esi*4+40h]
		jnb	loc_56199E

loc_5E3954:				; CODE XREF: PpmPerfCalculateQosClassPolicies+8223Aj
		mov	eax, [ebx+esi*4+40h]
		mov	[ebp+var_10], eax
		jmp	loc_56199E
; 

loc_5E3960:				; CODE XREF: PpmPerfCalculateQosClassPolicies+2A1j
		test	cl, 40h
		jz	loc_5619B1
		movzx	eax, byte ptr [ebx+esi+1Ah]
		cmp	[edx+8], eax
		jbe	loc_5619B1
		jmp	loc_5619A9
; 

loc_5E397C:				; CODE XREF: PpmPerfCalculateQosClassPolicies+2B1j
		test	cl, cl
		jns	loc_5619C1
		movzx	eax, byte ptr [ebx+esi+1Ch]
		cmp	[edx], eax
		jbe	loc_5619C1
		jmp	loc_5619B9
; 

loc_5E3996:				; CODE XREF: PpmPerfCalculateQosClassPolicies+2CBj
		mov	esi, [esi+54h]
		xor	edx, edx
		imul	eax, 64h
		mov	ecx, esi
		shr	ecx, 1
		add	eax, ecx
		div	esi
		mov	edx, [ebp+var_34]
		mov	ecx, eax
		cmp	ecx, edi
		jb	loc_5619D5
		jmp	loc_5619D3
; 

loc_5E39B8:				; CODE XREF: PpmPerfCalculateQosClassPolicies+2D5j
		test	[ebp+var_40], 400h
		jz	short loc_5E39CA
		cmp	[edx+4], ecx
		ja	loc_5619DD

loc_5E39CA:				; CODE XREF: PpmPerfCalculateQosClassPolicies+822BDj
		mov	ecx, [ebp+var_1C]
		jmp	loc_5619E0
; 

loc_5E39D2:				; CODE XREF: PpmPerfCalculateQosClassPolicies+2E5j
		test	edx, edx
		jz	short loc_5E39E0
		test	byte ptr [ebp+var_50], 80h
		jz	loc_5619ED

loc_5E39E0:				; CODE XREF: PpmPerfCalculateQosClassPolicies+822D2j
		mov	eax, [ebx+48h]
		mov	[ebp+var_14], eax
		jmp	loc_5619ED
; 

loc_5E39EB:				; CODE XREF: PpmPerfCalculateQosClassPolicies+2F0j
		test	esi, 400h
		jz	loc_5619FE
		cmp	byte ptr [edx+16h], 0
		jz	loc_5619FE
		cmp	dword ptr [ebx+38h], 0
		jnz	loc_5619FE
		jmp	loc_5619F8
; 

loc_5E3A10:				; CODE XREF: PpmPerfCalculateQosClassPolicies+2FEj
		test	[ebp+var_44], 4000h
		jz	loc_561A10
		mov	edi, [ebp+var_3C]
		mov	al, [edx+17h]
		cmp	al, [ebx+edi+4Dh]
		jbe	loc_561A10
		jmp	loc_561A09
; 

loc_5E3A32:				; CODE XREF: PpmPerfCalculateQosClassPolicies+316j
					; PpmPerfCalculateQosClassPolicies+324j
		mov	al, 1
		jmp	loc_561A2E
; 

loc_5E3A39:				; CODE XREF: PpmPerfCalculateQosClassPolicies+32Ej
		test	esi, 800h
		jz	loc_561A39
		jmp	loc_561A36
; 

loc_5E3A4A:				; CODE XREF: PpmPerfCalculateQosClassPolicies+341j
		xor	al, al
		jmp	loc_561A4B
; 

loc_5E3A51:				; CODE XREF: PpmPerfCalculateQosClassPolicies+34Ej
		test	[ebp+var_50], 100h
		jz	loc_561A61
		jmp	loc_561A56
; 

loc_5E3A63:				; CODE XREF: PpmPerfCalculateQosClassPolicies+367j
		mov	ebx, esi
		mov	[ebp+Source2], ebx
		jmp	loc_561A6F
; 

loc_5E3A6D:				; CODE XREF: PpmPerfCalculateQosClassPolicies+36Fj
		mov	ecx, esi
		mov	[ebp+var_1C], ecx
		jmp	loc_561A77
; 

loc_5E3A77:				; CODE XREF: PpmPerfCalculateQosClassPolicies+37Bj
		mov	eax, ebx
		cmp	ebx, ecx
		jb	short loc_5E3A7F
		mov	eax, ecx

loc_5E3A7F:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82379j
		movzx	edx, byte ptr [edi+0FBh]
		cmp	eax, edx
		jnb	short loc_5E3A96
		cmp	ebx, ecx
		jnb	short loc_5E3A92
		mov	eax, ebx
		jmp	short loc_5E3A98
; 

loc_5E3A92:				; CODE XREF: PpmPerfCalculateQosClassPolicies+8238Aj
		mov	eax, ecx
		jmp	short loc_5E3A98
; 

loc_5E3A96:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82386j
		mov	eax, edx

loc_5E3A98:				; CODE XREF: PpmPerfCalculateQosClassPolicies+8238Ej
					; PpmPerfCalculateQosClassPolicies+82392j
		cmp	esi, eax
		ja	short loc_5E3AC2
		mov	eax, ebx
		cmp	ebx, ecx
		jb	short loc_5E3AA4
		mov	eax, ecx

loc_5E3AA4:				; CODE XREF: PpmPerfCalculateQosClassPolicies+8239Ej
		cmp	eax, edx
		jnb	short loc_5E3ABF
		mov	edx, [ebp+var_28]
		cmp	ebx, ecx
		jnb	short loc_5E3AB7
		mov	[ebp+var_18], ebx
		jmp	loc_561A83
; 

loc_5E3AB7:				; CODE XREF: PpmPerfCalculateQosClassPolicies+823ABj
		mov	[ebp+var_18], ecx
		jmp	loc_561A83
; 

loc_5E3ABF:				; CODE XREF: PpmPerfCalculateQosClassPolicies+823A4j
		mov	[ebp+var_18], edx

loc_5E3AC2:				; CODE XREF: PpmPerfCalculateQosClassPolicies+82398j
		mov	edx, [ebp+var_28]
		jmp	loc_561A83
; 

loc_5E3ACA:				; CODE XREF: PpmPerfCalculateQosClassPolicies+391j
		cmp	eax, 3
		jnz	short loc_5E3AD9
		cmp	byte ptr [edi+20h], 0
		ja	loc_561A99

loc_5E3AD9:				; CODE XREF: PpmPerfCalculateQosClassPolicies+823CBj
		cmp	eax, 2
		jnz	loc_561AF6
		cmp	byte ptr [edi+20h], 0
		jnz	loc_561AF6
		jmp	loc_561A99
; 

loc_5E3AF1:				; CODE XREF: PpmPerfCalculateQosClassPolicies+3D4j
		push	1Ch		; Length
		lea	eax, [ebp+Source2]
		push	eax		; Source2
		push	esi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		mov	edx, [ebp+var_30]
		cmp	eax, 1Ch
		jnz	loc_561ADC
		mov	ebx, [ebp+var_28]
		mov	dword ptr [edx+ebx*4+11Ch], 8
		jmp	loc_561883
; END OF FUNCTION CHUNK	FOR PpmPerfCalculateQosClassPolicies
; 
; START	OF FUNCTION CHUNK FOR PpmPerfClearBootOverrides

loc_5E3B1C:				; CODE XREF: PpmPerfClearBootOverrides+1Aj
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		xor	cl, cl
		jmp	_PpmReinitializeHeteroEngine@4 ; PpmReinitializeHeteroEngine(x)
; END OF FUNCTION CHUNK	FOR PpmPerfClearBootOverrides
; 
; START	OF FUNCTION CHUNK FOR PoLatencySensitivityHint

loc_5E3B2D:				; CODE XREF: PoLatencySensitivityHint+22j
		cmp	ds:_PpmPerfMultimediaQosSupported, bl
		jnz	loc_561C2A
		jmp	loc_561B48
; 

loc_5E3B3E:				; CODE XREF: PoLatencySensitivityHint+75j
		lea	eax, [ebp+var_30]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	1
		push	ebx
		push	offset _PPM_ETW_LATENCY_SENSITIVITY_HINT
		push	edi
		push	[ebp+var_1C]
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_561B9B
; 

loc_5E3B6B:				; CODE XREF: PoLatencySensitivityHint+B6j
		push	[ebp+var_1C]
		lea	edx, [ebp+var_2C]
		mov	ecx, offset _PpmPerfDeadlineBoostExpiration
		push	edi
		call	PpmInterlockedUpdateTimeNoFence
		test	al, al
		mov	al, 1
		jnz	loc_561BDF
		jmp	loc_561BDC
; 

loc_5E3B8B:				; CODE XREF: PoLatencySensitivityHint+EBj
		mov	ecx, ds:_PpmCheckLastExecutionTime
		mov	eax, ds:dword_6C049C
		cmp	[ebp+var_28], eax
		ja	loc_561C11
		jb	short loc_5E3BAA
		cmp	[ebp+var_2C], ecx
		ja	loc_561C11

loc_5E3BAA:				; CODE XREF: PoLatencySensitivityHint+8207Fj
		mov	bl, 1
		jmp	loc_561C11
; 

loc_5E3BB1:				; CODE XREF: PoLatencySensitivityHint+FCj
		xor	eax, eax
		mov	ecx, offset _PpmPerfLatencyBoostQueued
		inc	eax
		xchg	eax, [ecx]
		test	eax, eax
		jnz	loc_561C2A
		push	3Bh
		push	offset _PpmPerfLatencyBoostWorkItem
		call	ExQueueWorkItem
		jmp	loc_561C2A
; END OF FUNCTION CHUNK	FOR PoLatencySensitivityHint
; 
; START	OF FUNCTION CHUNK FOR MiSessionInsertImage

loc_5E3BD4:				; CODE XREF: MiSessionInsertImage+61j
		mov	eax, 0C0000017h
		jmp	loc_561D92
; 

loc_5E3BDE:				; CODE XREF: MiSessionInsertImage+80j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C000009Ah
		jmp	loc_561D92
; 

loc_5E3BF0:				; CODE XREF: MiSessionInsertImage+9Cj
		mov	esi, offset unk_6D3C40
		jmp	loc_561CDF
; 

loc_5E3BFA:				; CODE XREF: MiSessionInsertImage+C6j
		mov	ecx, [ebp+var_C]
		jmp	loc_561D97
; END OF FUNCTION CHUNK	FOR MiSessionInsertImage
; 
; START	OF FUNCTION CHUNK FOR ApiSetpSearchForApiSet

loc_5E3C02:				; CODE XREF: ApiSetpSearchForApiSet+36j
		add	edx, 20h
		jmp	loc_561E40
; END OF FUNCTION CHUNK	FOR ApiSetpSearchForApiSet
; 
; START	OF FUNCTION CHUNK FOR KiIpiGenericCallTarget

loc_5E3C0A:				; CODE XREF: KiIpiGenericCallTarget+7Fj
					; KiIpiGenericCallTarget+87j
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		xor	esi, esi
		lock or	[eax], esi
		mov	eax, [ebx]
		test	eax, eax
		jz	loc_561F5D
		push	esi
		push	edx
		push	ecx
		push	[ebp+var_18]
		push	1DBh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5E3C31:				; CODE XREF: RtlIpv6AddressToStringExW+3Ej
		cmp	dword ptr [edi], 0
		jnz	loc_562028
		jmp	loc_561FBA
; END OF FUNCTION CHUNK	FOR KiIpiGenericCallTarget
; 
; START	OF FUNCTION CHUNK FOR RtlIpv6AddressToStringExW

loc_5E3C3F:				; CODE XREF: RtlIpv6AddressToStringExW+4Dj
		push	5Bh
		pop	eax
		mov	word ptr [ebp+var_88], ax
		lea	eax, [ebp+var_88+2]
		jmp	loc_561FC9
; 

loc_5E3C54:				; CODE XREF: RtlIpv6AddressToStringExW+64j
		push	eax
		lea	ecx, [ebp-6]
		sub	ecx, esi
		push	(offset	loc_5A59BB+1)
		sar	ecx, 1
		push	ecx
		push	esi
		call	_swprintf_s
		add	esp, 10h
		lea	esi, [esi+eax*2]
		jmp	loc_561FE0
; 

loc_5E3C73:				; CODE XREF: RtlIpv6AddressToStringExW+6Dj
		mov	ah, bl
		mov	al, bh
		movzx	eax, ax
		push	eax
		lea	eax, [ebp-6]
		sub	eax, esi
		push	offset ??_C@_19EPBCBBOP@?$AA?$FN?$AA?3?$AA?$CF?$AAu@FNODOBFM@
		sar	eax, 1
		push	eax
		push	esi
		call	_swprintf_s
		add	esp, 10h
		lea	esi, [esi+eax*2]
		jmp	loc_561FE9
; END OF FUNCTION CHUNK	FOR RtlIpv6AddressToStringExW
; 
; START	OF FUNCTION CHUNK FOR RtlIpv6AddressToStringW

loc_5E3C99:				; CODE XREF: RtlIpv6AddressToStringW+15Fj
		movzx	eax, word ptr [esi+8]
		test	ax, ax
		jnz	short loc_5E3D18
		movzx	eax, word ptr [esi+0Ah]
		test	ax, ax
		jz	short loc_5E3CC0
		mov	ecx, 0FFFFh
		cmp	ax, cx
		jnz	loc_56205D
		mov	ecx, offset ??_C@_05PBFMPBMC@ffff?3@FNODOBFM@
		jmp	short loc_5E3CC5
; 

loc_5E3CC0:				; CODE XREF: RtlIpv6AddressToStringW+81C75j
		mov	ecx, offset ??_C@_00CNPNBAHC@@FNODOBFM@

loc_5E3CC5:				; CODE XREF: RtlIpv6AddressToStringW+81C8Aj
		movzx	eax, byte ptr [esi+0Fh]
		push	eax
		movzx	eax, byte ptr [esi+0Eh]
		push	eax
		movzx	eax, byte ptr [esi+0Dh]
		push	eax
		movzx	eax, byte ptr [esi+0Ch]
		push	eax
		push	ecx
		push	offset ??_C@_1CC@CLPLLKPB@?$AA?3?$AA?3?$AA?$CF?$AAh?$AAs?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF@FNODOBFM@
		push	2Eh
		push	ebx
		call	_swprintf_s
		add	esp, 20h
		jmp	short loc_5E3D10
; 

loc_5E3CEC:				; CODE XREF: RtlIpv6AddressToStringW+81CFCj
		movzx	eax, byte ptr [esi+0Fh]
		push	eax
		movzx	eax, byte ptr [esi+0Eh]
		push	eax
		movzx	eax, byte ptr [esi+0Dh]
		push	eax
		movzx	eax, byte ptr [esi+0Ch]
		push	eax
		push	(offset	loc_5A590B+1)
		push	2Eh
		push	ebx
		call	_swprintf_s
		add	esp, 1Ch

loc_5E3D10:				; CODE XREF: RtlIpv6AddressToStringW+81CB6j
		lea	eax, [ebx+eax*2]
		jmp	loc_562114
; 

loc_5E3D18:				; CODE XREF: RtlIpv6AddressToStringW+81C6Cj
		mov	ecx, 0FFFFh
		cmp	ax, cx
		jnz	loc_56205D
		cmp	[esi+0Ah], di
		jnz	loc_56205D
		jmp	short loc_5E3CEC
; 

loc_5E3D32:				; CODE XREF: RtlIpv6AddressToStringW+173j
		mov	[ebp+var_10], 6
		jmp	loc_562076
; 

loc_5E3D3E:				; CODE XREF: RtlIpv6AddressToStringW+F6j
		mov	ecx, [ebp+arg_0]
		jmp	loc_56208A
; 

loc_5E3D46:				; CODE XREF: RtlIpv6AddressToStringW+D8j
		movzx	eax, byte ptr [esi+0Fh]
		push	eax
		movzx	eax, byte ptr [esi+0Eh]
		push	eax
		movzx	eax, byte ptr [esi+0Dh]
		push	eax
		movzx	eax, byte ptr [esi+0Ch]
		push	eax
		mov	eax, [ebp+var_8]
		sub	eax, ebx
		push	offset ??_C@_1BK@ONFLBCMH@?$AA?3?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu@FNODOBFM@
		sar	eax, 1
		push	eax
		push	ebx
		call	_swprintf_s
		add	esp, 1Ch
		lea	ebx, [ebx+eax*2]
		jmp	loc_562112
; END OF FUNCTION CHUNK	FOR RtlIpv6AddressToStringW
; 
; START	OF FUNCTION CHUNK FOR PpmPerfApplyProcessorState

loc_5E3D78:				; CODE XREF: PpmPerfApplyProcessorState+75j
		mov	ecx, esi
		call	_PpmGetIdleGenerationCounter@4 ; PpmGetIdleGenerationCounter(x)
		mov	ecx, edx
		mov	[esp+2Ch+var_1C], eax
		or	eax, ecx
		mov	[esp+2Ch+var_C], ecx
		jz	loc_5623EC
		push	ebx
		push	ebx
		push	1
		xor	dl, dl
		mov	ecx, esi
		call	PpmUpdatePerformanceFeedback
		mov	bl, al
		test	bl, bl
		jz	loc_5623EC
		mov	ecx, esi
		call	_PpmGetIdleGenerationCounter@4 ; PpmGetIdleGenerationCounter(x)
		cmp	[esp+2Ch+var_1C], eax
		jnz	short loc_5E3DCC
		cmp	[esp+2Ch+var_C], edx
		jnz	short loc_5E3DCC
		mov	bl, 1
		test	bl, bl
		jz	loc_5623EC
		xor	ebx, ebx
		jmp	loc_562382
; 

loc_5E3DCC:				; CODE XREF: PpmPerfApplyProcessorState+81AB5j
					; PpmPerfApplyProcessorState+81ABBj
		xor	eax, eax
		mov	bl, al
		jmp	loc_5623EC
; 

loc_5E3DD5:				; CODE XREF: PpmPerfApplyProcessorState+93j
		mov	byte ptr [esp+2Ch+var_10], 1
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, [esp+2Ch+var_1C]
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		jmp	loc_56239D
; 

loc_5E3DEF:				; CODE XREF: PpmPerfApplyProcessorState+B5j
		test	ds:byte_70EFC6,	1
		jz	short loc_5E3E06
		mov	edx, [ebp+4]
		mov	ecx, [esp+2Ch+var_1C]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5E3E0F
; 

loc_5E3E06:				; CODE XREF: PpmPerfApplyProcessorState+81AF8j
		mov	eax, [esp+2Ch+var_1C]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_5E3E0F:				; CODE XREF: PpmPerfApplyProcessorState+81B06j
		test	bh, bh
		jz	loc_5623B9
		sti
		jmp	loc_5623B9
; 

loc_5E3E1D:				; CODE XREF: PpmPerfApplyProcessorState+116j
		push	[esp+2Ch+var_14]
		mov	ecx, [edi+18h]
		lea	edx, [edi+140h]
		push	[esp+30h+var_18]
		call	eax
		jmp	loc_5623C8
; END OF FUNCTION CHUNK	FOR PpmPerfApplyProcessorState
; 
; START	OF FUNCTION CHUNK FOR PpmPerfArbitratorApplyProcessorState

loc_5E3E35:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+39j
		mov	edi, [ebx+3F08h]
		jmp	loc_56245B
; 

loc_5E3E40:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+53j
		cmp	byte ptr [eax+7Bh], 0
		jz	short loc_5E3E57
		mov	eax, large fs:20h
		cmp	ebx, eax
		jz	short loc_5E3E57

loc_5E3E50:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81A87j
		xor	al, al
		jmp	loc_562513
; 

loc_5E3E57:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81A2Aj
					; PpmPerfArbitratorApplyProcessorState+81A34j
		movzx	edx, word ptr [ebx+3F10h]
		mov	eax, ecx
		mov	ecx, edi
		add	esi, 58h
		shl	eax, cl
		test	edx, eax
		mov	eax, [ebp+var_14]
		jz	short loc_5E3E77
		cmp	[esi], eax
		jnz	short loc_5E3E77
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_5E3E82
; 

loc_5E3E77:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81A52j
					; PpmPerfArbitratorApplyProcessorState+81A56j
		xor	ecx, ecx
		mov	[esi], eax
		inc	ecx
		mov	[ebp+var_1], cl
		mov	byte ptr [ebp+var_10], cl

loc_5E3E82:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81A5Bj
		mov	[ebx+3F0Ch], edi
		mov	[ebp+var_2], cl

loc_5E3E8B:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+5Ej
		mov	al, [ebp+var_1]
		jmp	loc_56248A
; 

loc_5E3E93:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+66j
		cmp	byte ptr [eax+7Bh], 0
		jz	short loc_5E3EA3
		mov	eax, large fs:20h
		cmp	ebx, eax
		jnz	short loc_5E3E50

loc_5E3EA3:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81A7Dj
		mov	byte ptr [ebp+var_10], cl
		jmp	loc_562486
; 

loc_5E3EAB:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+BFj
		mov	eax, [ebp+var_18]
		movzx	esi, word ptr [ebx+3F10h]
		mov	[ebp+var_8], esi
		movzx	ecx, word ptr [eax+edi*2+130h]
		mov	dx, cx
		mov	[ebp+var_14], ecx
		cmp	dx, si
		jz	loc_5624DF
		mov	[ebx+3F10h], dx
		mov	eax, [ebx+338h]
		add	eax, 0E4h
		mov	[ebp+var_18], 5
		mov	[ebp+var_20], eax
		mov	ax, si
		mov	edi, [ebp+var_20]

loc_5E3EF1:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81B19j
		and	ecx, 1
		and	esi, 1
		cmp	cx, si
		jz	short loc_5E3F16
		movzx	eax, byte ptr [ebx+3C4h]
		test	cx, cx
		jz	short loc_5E3F0E
		lock bts [edi],	eax
		jmp	short loc_5E3F12
; 

loc_5E3F0E:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81AECj
		lock btr [edi],	eax

loc_5E3F12:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81AF2j
		mov	ax, word ptr [ebp+var_8]

loc_5E3F16:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81AE0j
		shr	dx, 1
		add	edi, 4
		shr	ax, 1
		sub	[ebp+var_18], 1
		mov	word ptr [ebp+var_14], dx
		mov	word ptr [ebp+var_8], ax
		jz	short loc_5E3F35
		mov	esi, [ebp+var_8]
		mov	ecx, [ebp+var_14]
		jmp	short loc_5E3EF1
; 

loc_5E3F35:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81B11j
		mov	edi, [ebp+var_C]
		jmp	loc_5624DF
; 

loc_5E3F3D:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+CCj
		mov	eax, [ebx+338h]
		mov	ecx, edi
		mov	esi, [eax+100h]
		mov	edx, [eax+104h]
		mov	[ebp+var_14], esi
		mov	[ebp+var_C], edx
		call	_KiIsQosGroupingClass@4	; KiIsQosGroupingClass(x)
		mov	[ebp+var_1], al

loc_5E3F5F:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81BA8j
		mov	ecx, [ebx+3C8h]
		mov	edi, edx
		mov	edx, [ebx+402Ch]
		test	al, al
		jz	short loc_5E3F7F
		or	ecx, esi
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_5E3F87
		or	edi, edx
		jmp	short loc_5E3F87
; 

loc_5E3F7F:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81B55j
		not	ecx
		not	edx
		and	ecx, esi
		and	edi, edx

loc_5E3F87:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81B5Fj
					; PpmPerfArbitratorApplyProcessorState+81B63j
		mov	esi, [ebx+338h]
		mov	eax, [ebp+var_14]
		add	esi, 100h
		mov	edx, [ebp+var_C]
		nop
		mov	ebx, ecx
		mov	ecx, edi
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, [ebp+var_14]
		jnz	short loc_5E3FB4
		cmp	edx, [ebp+var_C]
		jnz	short loc_5E3FB4
		mov	ebx, [ebp+var_1C]
		jmp	loc_5624EC
; 

loc_5E3FB4:				; CODE XREF: PpmPerfArbitratorApplyProcessorState+81B8Bj
					; PpmPerfArbitratorApplyProcessorState+81B90j
		mov	ebx, [ebp+var_1C]
		mov	esi, eax
		mov	al, [ebp+var_1]
		mov	[ebp+var_14], esi
		mov	[ebp+var_C], edx
		jmp	short loc_5E3F5F
; END OF FUNCTION CHUNK	FOR PpmPerfArbitratorApplyProcessorState
; 
; START	OF FUNCTION CHUNK FOR PpmEventProcessorPerfStateChange

loc_5E3FC4:				; CODE XREF: PpmEventProcessorPerfStateChange+86j
		mov	ecx, [esi+4]
		xor	esi, esi
		push	4
		pop	edx
		mov	eax, [ecx+30h]
		mov	[ebp+var_CC], eax
		mov	eax, [ecx+3Ch]
		mov	[ebp+var_D0], eax
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_B4], eax
		lea	eax, [ecx+38h]
		mov	[ebp+var_94], eax
		lea	eax, [ecx+48h]
		mov	[ebp+var_84], eax
		lea	eax, [ecx+40h]
		mov	[ebp+var_74], eax
		lea	eax, [ecx+44h]
		mov	[ebp+var_64], eax
		lea	eax, [ecx+4Ch]
		mov	[ebp+var_54], eax
		lea	eax, [ecx+50h]
		mov	[ebp+var_44], eax
		mov	[ebp+var_C0], esi
		mov	[ebp+var_BC], edx
		mov	[ebp+var_B8], esi
		mov	[ebp+var_B0], esi
		mov	[ebp+var_AC], edx
		mov	[ebp+var_A8], esi
		mov	[ebp+var_90], esi
		mov	[ebp+var_8C], edx
		mov	[ebp+var_88], esi
		mov	[ebp+var_80], esi
		mov	[ebp+var_7C], edx
		mov	[ebp+var_78], esi
		mov	[ebp+var_70], esi
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], esi
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], esi
		movzx	eax, byte ptr [ecx+54h]
		mov	[ebp+var_D4], eax
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_C4]
		push	eax
		push	0Ch
		push	esi
		push	offset _PPM_ETW_PROCESSOR_PERF_STATE_CHANGE
		push	edi
		push	ebx
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_5625DA
; END OF FUNCTION CHUNK	FOR PpmEventProcessorPerfStateChange
; 
; START	OF FUNCTION CHUNK FOR PpmEventTraceExpectedUtility

loc_5E40DB:				; CODE XREF: PpmEventTraceExpectedUtility+6Cj
		mov	eax, [esi+4]
		mov	[ebp+var_64], offset _PpmCheckTime
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], 8
		mov	[ebp+var_58], edi
		push	ebx
		push	64h
		pop	ecx
		test	eax, eax
		jz	short loc_5E40FF
		mov	ebx, [eax+38h]
		jmp	short loc_5E4101
; 

loc_5E40FF:				; CODE XREF: PpmEventTraceExpectedUtility+81B0Cj
		mov	ebx, ecx

loc_5E4101:				; CODE XREF: PpmEventTraceExpectedUtility+81B11j
		push	edi
		push	2710h
		push	ds:dword_6C0494
		mov	[ebp+var_78], ebx
		push	ds:_PpmCheckPeriod
		call	__aulldiv
		mov	edi, eax
		xor	edx, edx
		mov	eax, [esi+14h]
		div	ebx
		push	64h
		imul	eax, edi
		xor	edx, edx
		pop	ecx
		pop	ebx
		add	eax, 32h
		div	ecx
		mov	[ebp+var_6C], eax
		cmp	eax, edi
		jbe	short loc_5E4144
		xor	edx, edx
		mov	[ebp+var_6C], edi
		mov	ecx, edx
		sub	eax, edi
		jmp	short loc_5E414C
; 

loc_5E4144:				; CODE XREF: PpmEventTraceExpectedUtility+81B4Bj
		mov	ecx, edi
		sub	ecx, eax
		xor	edx, edx
		mov	eax, edx

loc_5E414C:				; CODE XREF: PpmEventTraceExpectedUtility+81B56j
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_74]
		push	4
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_70], ecx
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		push	edx
		push	offset _PPM_ETW_EXPECTED_UTILITY
		push	[ebp+var_7C]
		mov	[ebp+var_50], edx
		push	[ebp+var_80]
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_56265E
; END OF FUNCTION CHUNK	FOR PpmEventTraceExpectedUtility
; 
; START	OF FUNCTION CHUNK FOR PpmScaleIdleStateValues

loc_5E41AD:				; CODE XREF: PpmScaleIdleStateValues+Bj
		mov	ecx, [esi+134h]
		test	ecx, ecx
		jz	loc_56267D
		mov	edx, [esi+130h]
		test	edx, edx
		jz	loc_56267D
		mov	eax, [ecx+38h]
		cmp	eax, [edx+88h]
		jb	short loc_5E41DA
		mov	al, [edx+88h]

loc_5E41DA:				; CODE XREF: PpmScaleIdleStateValues+81B66j
		movzx	edi, al
		xor	edx, edx
		movzx	eax, byte ptr [esi+32h]
		mov	ecx, edi
		imul	ecx, edi
		mov	ebx, 2710h
		imul	eax, ecx
		div	ebx
		xor	edx, edx
		mov	[esi+30h], al
		movzx	eax, byte ptr [esi+33h]
		imul	eax, ecx
		div	ebx
		mov	[esi+31h], al
		cmp	dword ptr [esi+0C8h], 3
		jnz	loc_56267D
		push	dword ptr [esi-39A4h]
		call	_HvlGetLpIndexFromProcessorIndex@4 ; HvlGetLpIndexFromProcessorIndex(x)
		mov	edx, edi
		mov	ecx, eax
		pop	edi
		pop	esi
		pop	ebx
		jmp	_HvlRegisterLogicalProcessorFrequency@8	; HvlRegisterLogicalProcessorFrequency(x,x)
; END OF FUNCTION CHUNK	FOR PpmScaleIdleStateValues
; 
; START	OF FUNCTION CHUNK FOR PpmEventLegacyProcessorPerfStateChange

loc_5E4227:				; CODE XREF: PpmEventLegacyProcessorPerfStateChange+40j
		and	[ebp+var_14], eax
		mov	ecx, [edx+38h]
		mov	eax, [edi+88h]
		cmp	ecx, eax
		jb	short loc_5E4239
		mov	ecx, eax

loc_5E4239:				; CODE XREF: PpmEventLegacyProcessorPerfStateChange+81BB3j
		xor	eax, eax
		mov	[ebp+var_28], 18h
		cmp	ecx, [edi+5Ch]
		lea	ecx, [ebp+var_30]
		mov	[ebp+var_1C], ebx
		setb	al
		xor	edi, edi
		inc	eax
		mov	[ebp+var_2C], edi
		mov	[ebp+var_20], eax
		mov	eax, [edx+5Ch]
		xor	edx, edx
		mov	[ebp+var_18], eax
		inc	edx
		mov	eax, [esi+3C8h]
		push	offset byte_401802
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_20]
		push	1233h
		push	80008000h
		mov	[ebp+var_C], edi
		mov	[ebp+var_30], eax
		mov	[ebp+var_24], edi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_34]
		jmp	loc_5626CA
; 

loc_5E4291:				; CODE XREF: PpmEventLegacyProcessorPerfStateChange+4Fj
		mov	eax, [esi+3CCh]
		mov	edx, offset _PPM_PERFSTATE_CHANGE_GUID
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_48]
		push	eax		; void *
		mov	[ebp+var_48], ecx
		lea	ecx, [esi+3E40h]
		push	14h		; size_t
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], ebx
		call	_PpmFireWmiEvent@16 ; PpmFireWmiEvent(x,x,x,x)
		jmp	loc_5626D7
; END OF FUNCTION CHUNK	FOR PpmEventLegacyProcessorPerfStateChange
; 
; START	OF FUNCTION CHUNK FOR KeIpiGenericCall

loc_5E42C1:				; CODE XREF: KeIpiGenericCall+BBj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5627E8
; END OF FUNCTION CHUNK	FOR KeIpiGenericCall
; 
; START	OF FUNCTION CHUNK FOR SepDeleteSessionLowboxEntries

loc_5E42CE:				; CODE XREF: SepDeleteSessionLowboxEntries+Fj
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _LowboxSessionMapLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, ds:_g_SessionLowboxMap
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_18], edx
		mov	edi, [eax]

loc_5E42F7:				; CODE XREF: SepDeleteSessionLowboxEntries+81F16j
		mov	[ebp+var_10], edi
		cmp	edi, ds:_g_SessionLowboxMap
		jz	loc_5E472B
		mov	eax, [edi]
		lea	esi, [edi+0Ch]
		mov	[ebp+var_28], eax
		mov	eax, large fs:124h
		mov	[ebp+var_8], esi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+4]
		and	[ebp+var_1C], 0
		mov	edx, [esi+8]
		lea	ecx, [eax-1]
		mov	[ebp+var_C], ecx
		cmp	eax, 1
		jb	loc_5E4532
		mov	eax, ecx
		mov	ecx, edx
		shr	eax, 5
		lea	eax, [edx+eax*4]
		mov	[ebp+var_14], eax
		mov	eax, [edx]
		jmp	short loc_5E4360
; 

loc_5E4352:				; CODE XREF: SepDeleteSessionLowboxEntries+81B6Fj
		add	ecx, 4
		cmp	ecx, [ebp+var_14]
		ja	loc_5E4532
		mov	eax, [ecx]

loc_5E4360:				; CODE XREF: SepDeleteSessionLowboxEntries+81B5Aj
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5E4352
		not	eax
		sub	ecx, edx
		bsf	eax, eax
		sar	ecx, 2
		shl	ecx, 5
		add	ecx, eax
		mov	[ebp+var_1C], eax
		cmp	ecx, [ebp+var_C]
		ja	loc_5E4532
		or	eax, 0FFFFFFFFh
		cmp	ecx, eax
		jz	loc_5E4532
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5E439E
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5E439E:				; CODE XREF: SepDeleteSessionLowboxEntries+81B9Fj
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	esi, 7FFFFFFCh
		jz	loc_5E4528
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_20], esi
		cmp	eax, edx
		jb	short loc_5E43F6
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_5E43E1
		cmp	eax, edx
		jb	short loc_5E43F6
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_5E43F6

loc_5E43E1:				; CODE XREF: SepDeleteSessionLowboxEntries+81BDCj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_8]
		jmp	short loc_5E43FC
; 

loc_5E43F6:				; CODE XREF: SepDeleteSessionLowboxEntries+81BD3j
					; SepDeleteSessionLowboxEntries+81BE0j	...
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_10], ecx

loc_5E43FC:				; CODE XREF: SepDeleteSessionLowboxEntries+81BFEj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp+var_1], dl
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jnz	short loc_5E443D
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_5E44AF
		push	ecx
		push	[ebp+var_10]

loc_5E4435:				; CODE XREF: SepDeleteSessionLowboxEntries+81E14j
		push	[ebp+var_8]
		jmp	loc_5E471B
; 

loc_5E443D:				; CODE XREF: SepDeleteSessionLowboxEntries+81C2Fj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5E4453
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_14]

loc_5E4453:				; CODE XREF: SepDeleteSessionLowboxEntries+81C53j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	short loc_5E449D
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_5E44AF
; 

loc_5E449D:				; CODE XREF: SepDeleteSessionLowboxEntries+81C93j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_20]

loc_5E44AF:				; CODE XREF: SepDeleteSessionLowboxEntries+81C39j
					; SepDeleteSessionLowboxEntries+81CA5j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_20], eax
		jz	short loc_5E4510
		test	edi, 8000h
		jz	short loc_5E44D3
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5E44D3:				; CODE XREF: SepDeleteSessionLowboxEntries+81CD2j
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_5E44E3
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5E44E3:				; CODE XREF: SepDeleteSessionLowboxEntries+81CE1j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5E44F7
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5E44F7:				; CODE XREF: SepDeleteSessionLowboxEntries+81CF4j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5E4510
		push	[ebp+var_20]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5E4510:				; CODE XREF: SepDeleteSessionLowboxEntries+81CCAj
					; SepDeleteSessionLowboxEntries+81D0Bj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5E4528
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5E4528
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5E4528:				; CODE XREF: SepDeleteSessionLowboxEntries+81BB3j
					; SepDeleteSessionLowboxEntries+81D23j	...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_5E4709
; 

loc_5E4532:				; CODE XREF: SepDeleteSessionLowboxEntries+81B45j
					; SepDeleteSessionLowboxEntries+81B62j	...
		push	dword ptr [esi+0Ch]
		call	RtlDeleteHashTable
		push	0
		push	dword ptr [esi+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	loc_5E4726
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	loc_5E4726
		mov	[eax], ecx
		mov	[ecx+4], eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5E4573
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5E4573:				; CODE XREF: SepDeleteSessionLowboxEntries+81D74j
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	esi, 7FFFFFFCh
		jz	loc_5E46FA
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		cmp	eax, edx
		jb	short loc_5E45CB
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_5E45B6
		cmp	eax, edx
		jb	short loc_5E45CB
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_5E45CB

loc_5E45B6:				; CODE XREF: SepDeleteSessionLowboxEntries+81DB1j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_8]
		jmp	short loc_5E45D1
; 

loc_5E45CB:				; CODE XREF: SepDeleteSessionLowboxEntries+81DA8j
					; SepDeleteSessionLowboxEntries+81DB5j	...
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_14], ecx

loc_5E45D1:				; CODE XREF: SepDeleteSessionLowboxEntries+81DD3j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp+var_1], dl
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_5E460F
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_5E4681
		push	ecx
		push	[ebp+var_14]
		jmp	loc_5E4435
; 

loc_5E460F:				; CODE XREF: SepDeleteSessionLowboxEntries+81E04j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5E4625
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_5E4625:				; CODE XREF: SepDeleteSessionLowboxEntries+81E25j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	short loc_5E466F
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_5E4681
; 

loc_5E466F:				; CODE XREF: SepDeleteSessionLowboxEntries+81E65j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]

loc_5E4681:				; CODE XREF: SepDeleteSessionLowboxEntries+81E0Ej
					; SepDeleteSessionLowboxEntries+81E77j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_5E46E2
		test	edi, 8000h
		jz	short loc_5E46A5
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5E46A5:				; CODE XREF: SepDeleteSessionLowboxEntries+81EA4j
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_5E46B5
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5E46B5:				; CODE XREF: SepDeleteSessionLowboxEntries+81EB3j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5E46C9
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5E46C9:				; CODE XREF: SepDeleteSessionLowboxEntries+81EC6j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5E46E2
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5E46E2:				; CODE XREF: SepDeleteSessionLowboxEntries+81E9Cj
					; SepDeleteSessionLowboxEntries+81EDDj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5E46FA
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5E46FA
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5E46FA:				; CODE XREF: SepDeleteSessionLowboxEntries+81D88j
					; SepDeleteSessionLowboxEntries+81EF5j	...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5E4709:				; CODE XREF: SepDeleteSessionLowboxEntries+81D37j
		mov	edi, [ebp+var_28]
		jmp	loc_5E42F7
; 

loc_5E4711:				; CODE XREF: SepDeleteSessionLowboxEntries+81FE6j
		push	0
		push	[ebp+var_18]
		push	offset _LowboxSessionMapLock

loc_5E471B:				; CODE XREF: SepDeleteSessionLowboxEntries+81C42j
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E4726:				; CODE XREF: SepDeleteSessionLowboxEntries+81D53j
					; SepDeleteSessionLowboxEntries+81D5Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5E472B:				; CODE XREF: SepDeleteSessionLowboxEntries+81B0Aj
		or	edx, 0FFFFFFFFh
		mov	esi, offset _LowboxSessionMapLock
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5E4749
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh

loc_5E4749:				; CODE XREF: SepDeleteSessionLowboxEntries+81F47j
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	esi, 7FFFFFFCh
		jz	loc_5E48CE
		mov	esi, large fs:124h
		mov	eax, offset _LowboxSessionMapLock
		mov	ecx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_24], esi
		cmp	ecx, offset _LowboxSessionMapLock
		ja	short loc_5E47A4
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_5E4794
		cmp	ecx, offset _LowboxSessionMapLock
		ja	short loc_5E47A4
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_5E47A4

loc_5E4794:				; CODE XREF: SepDeleteSessionLowboxEntries+81F8Bj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_18], eax

loc_5E47A4:				; CODE XREF: SepDeleteSessionLowboxEntries+81F82j
					; SepDeleteSessionLowboxEntries+81F93j	...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _LowboxSessionMapLock
		mov	[ebp+var_1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jnz	short loc_5E47E1
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_5E4853
		jmp	loc_5E4711
; 

loc_5E47E1:				; CODE XREF: SepDeleteSessionLowboxEntries+81FDAj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5E47F7
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_28]

loc_5E47F7:				; CODE XREF: SepDeleteSessionLowboxEntries+81FF7j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	short loc_5E4841
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_5E4853
; 

loc_5E4841:				; CODE XREF: SepDeleteSessionLowboxEntries+82037j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]

loc_5E4853:				; CODE XREF: SepDeleteSessionLowboxEntries+81FE4j
					; SepDeleteSessionLowboxEntries+82049j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_28], eax
		jz	short loc_5E48B6
		test	edi, 8000h
		jz	short loc_5E4877
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5E4877:				; CODE XREF: SepDeleteSessionLowboxEntries+82076j
		test	byte ptr [ebp+var_14+2], 1
		jz	short loc_5E4887
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5E4887:				; CODE XREF: SepDeleteSessionLowboxEntries+82085j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5E489B
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5E489B:				; CODE XREF: SepDeleteSessionLowboxEntries+82098j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5E48B6
		push	[ebp+var_28]
		mov	edx, offset _LowboxSessionMapLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5E48B6:				; CODE XREF: SepDeleteSessionLowboxEntries+8206Ej
					; SepDeleteSessionLowboxEntries+820AFj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5E48CE
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5E48CE
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5E48CE:				; CODE XREF: SepDeleteSessionLowboxEntries+81F5Ej
					; SepDeleteSessionLowboxEntries+820C9j	...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		leave
		retn
; END OF FUNCTION CHUNK	FOR SepDeleteSessionLowboxEntries
; 
; START	OF FUNCTION CHUNK FOR SepQueueWorkItem

loc_5E48D7:				; CODE XREF: SepQueueWorkItem+32j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_5E48E0
		mov	[eax], cl

loc_5E48E0:				; CODE XREF: SepQueueWorkItem+820CEj
		xor	al, al
		jmp	loc_562916
; 

loc_5E48E7:				; CODE XREF: SepQueueWorkItem+4Dj
		lea	ecx, [esi+48h]
		lea	edx, [esp+20h+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esi+6Ch]
		jmp	loc_56287F
; 

loc_5E48FB:				; CODE XREF: SepQueueWorkItem+A8j
		lea	eax, [esi+8]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_56292D
		mov	[ebx+4], ecx
		mov	[ebx], eax
		mov	[ecx], ebx
		xor	ecx, ecx
		mov	[eax+4], ebx
		inc	ecx
		jmp	loc_5628CD
; 

loc_5E491B:				; CODE XREF: SepQueueWorkItem+73j
		mov	dl, byte ptr [esp+20h+var_10+1]
		xor	eax, eax
		mov	bl, byte ptr [esp+20h+var_10+2]
		inc	eax
		test	edi, edi
		jz	loc_5628DE
		mov	[edi], al
		jmp	loc_5628DE
; 

loc_5E4935:				; CODE XREF: SepQueueWorkItem+D3j
		test	ds:byte_70EFC6,	al
		jz	short loc_5E495B
		mov	edx, [ebp+4]
		lea	ecx, [esp+24h+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_5E4949:				; CODE XREF: SepQueueWorkItem+82169j
		xor	edi, edi
		inc	edi

loc_5E494C:				; CODE XREF: SepQueueWorkItem+82181j
		mov	cl, [esp+24h+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_5628F7
; 

loc_5E495B:				; CODE XREF: SepQueueWorkItem+8212Dj
		mov	eax, [esp+24h+var_10]
		test	eax, eax
		jnz	short loc_5E497E
		mov	edx, [esp+24h+var_C]
		lea	eax, [esp+24h+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+24h+var_10]
		cmp	eax, ecx
		jz	short loc_5E4949
		call	KxWaitForLockChainValid

loc_5E497E:				; CODE XREF: SepQueueWorkItem+82153j
		xor	edi, edi
		mov	[esp+24h+var_10], 0
		add	eax, 4
		inc	edi
		lock xor [eax],	edi
		jmp	short loc_5E494C
; END OF FUNCTION CHUNK	FOR SepQueueWorkItem
; 
; START	OF FUNCTION CHUNK FOR PsGetServerSiloState

loc_5E4991:				; CODE XREF: PsGetServerSiloState+2j
		mov	eax, [ecx+2F8h]
		mov	eax, [eax+280h]
		retn
; END OF FUNCTION CHUNK	FOR PsGetServerSiloState
; 
; START	OF FUNCTION CHUNK FOR SepRmCallLsa

loc_5E499E:				; CODE XREF: SepRmCallLsa+99j
		mov	eax, [ebx+68h]
		test	eax, eax
		jz	loc_562A0B
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_562A0B
; 

loc_5E49B8:				; CODE XREF: SepRmCallLsa+D8j
		xor	esi, esi
		inc	esi

loc_5E49BB:				; CODE XREF: SepRmCallLsa+74j
		test	byte ptr [ebx+78h], 2
		jz	loc_562AB3
		lea	ecx, [ebx+48h]
		lea	edx, [esp+40h+var_2C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	edx, [ebx+8]
		mov	ecx, [edx]
		cmp	ecx, edx
		jnz	short loc_5E49ED
		mov	eax, [ebx+6Ch]
		test	eax, eax
		jz	short loc_5E4A11
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_5E4A11
; 

loc_5E49ED:				; CODE XREF: SepRmCallLsa+82090j
		mov	eax, [ebx+64h]
		inc	eax
		cmp	[ecx+28h], eax
		jnz	short loc_5E4A11
		mov	edi, ecx
		mov	eax, [ecx]
		cmp	[ecx+4], edx
		jnz	loc_562B26
		cmp	[eax+4], ecx
		jnz	loc_562B26
		mov	[edx], eax
		mov	[eax+4], edx

loc_5E4A11:				; CODE XREF: SepRmCallLsa+82097j
					; SepRmCallLsa+820A3j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_5E4A28
		mov	edx, [ebp+4]
		lea	ecx, [esp+40h+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E4A59
; 

loc_5E4A28:				; CODE XREF: SepRmCallLsa+820D0j
		mov	eax, [esp+40h+var_2C]
		test	eax, eax
		jnz	short loc_5E4A4B
		mov	edx, [esp+40h+var_28]
		lea	eax, [esp+40h+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+40h+var_2C]
		cmp	eax, ecx
		jz	short loc_5E4A59
		call	KxWaitForLockChainValid

loc_5E4A4B:				; CODE XREF: SepRmCallLsa+820E6j
		mov	[esp+40h+var_2C], 0
		add	eax, 4
		lock xor [eax],	esi

loc_5E4A59:				; CODE XREF: SepRmCallLsa+820DEj
					; SepRmCallLsa+820FCj
		mov	cl, byte ptr [esp+40h+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	loc_562AB3
		jmp	loc_562A26
; 

loc_5E4A70:				; CODE XREF: SepRmCallLsa+12Cj
		mov	ds:_SepAdtLastAuditFailStatus, eax
		lock inc ds:_SepAdtAuditFailureCount
		cmp	byte ptr [esp+40h+var_31], 0
		jnz	loc_562A7A
		push	eax
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	loc_562A7A
; 

loc_5E4A92:				; CODE XREF: SepRmCallLsa+138j
		cmp	eax, 5
		jnz	loc_562A90
		jmp	loc_562A86
; 

loc_5E4AA0:				; CODE XREF: SepRmCallLsa+15Ej
		mov	edx, 69416553h
		call	ObfDereferenceObjectWithTag
		and	dword ptr [edi+2Ch], 0
		jmp	loc_562AAC
; END OF FUNCTION CHUNK	FOR SepRmCallLsa
; 
; START	OF FUNCTION CHUNK FOR SepRmDispatchDataToLsa

loc_5E4AB3:				; CODE XREF: SepRmDispatchDataToLsa+AAj
		add	eax, 0FFFFFFFCh
		cmp	eax, 2
		ja	loc_562C60
		mov	eax, [edi+1Ch]
		mov	edx, [edi+10h]
		cmp	eax, 0E0h
		ja	short loc_5E4AEF
		push	eax		; size_t
		push	edx		; void *
		lea	eax, [ebp+var_1E8]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_20C]
		add	esp, 0Ch
		mov	[ebp+var_1EC], 1
		jmp	short loc_5E4B5F
; 

loc_5E4AEF:				; CODE XREF: SepRmDispatchDataToLsa+81F9Ej
		cmp	eax, 1000h
		ja	short loc_5E4B12
		push	eax		; size_t
		push	edx		; void *
		push	dword ptr [ebx+24h] ; void *
		call	_memcpy
		mov	eax, [ebx+20h]
		add	esp, 0Ch
		mov	[ebp+var_1EC], 2
		jmp	short loc_5E4B42
; 

loc_5E4B12:				; CODE XREF: SepRmDispatchDataToLsa+81FC8j
		lea	ecx, [ebp+var_210]
		push	ecx
		mov	ecx, [ebx]
		push	eax
		call	_SepAdtCopyToLsaSharedMemory@16	; SepAdtCopyToLsaSharedMemory(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_5E4B32
		push	esi
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	loc_562C00
; 

loc_5E4B32:				; CODE XREF: SepRmDispatchDataToLsa+81FF9j
		mov	eax, [ebp+var_210]
		mov	[ebp+var_1EC], 3

loc_5E4B42:				; CODE XREF: SepRmDispatchDataToLsa+81FE4j
		push	24h
		mov	[ebp+var_1E8], eax
		pop	eax
		mov	word ptr [ebp+var_208+2], ax
		push	0Ch
		pop	eax
		mov	word ptr [ebp+var_208],	ax
		mov	eax, [edi+8]

loc_5E4B5F:				; CODE XREF: SepRmDispatchDataToLsa+81FC1j
		cmp	eax, 4
		jz	short loc_5E4B6D
		cmp	eax, 5
		jnz	loc_562C00

loc_5E4B6D:				; CODE XREF: SepRmDispatchDataToLsa+82036j
		push	0
		push	dword ptr [edi+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_562C00
; 

loc_5E4B7C:				; CODE XREF: SepRmDispatchDataToLsa+DCj
					; SepRmDispatchDataToLsa+E6j
		lea	eax, [ebp+var_108]
		push	eax
		lea	eax, [ebp+var_208]
		push	eax
		push	dword ptr [ebx+4]
		call	_ZwRequestWaitReplyPort@12 ; ZwRequestWaitReplyPort(x,x,x)
		jmp	loc_562C27
; 

loc_5E4B97:				; CODE XREF: SepRmDispatchDataToLsa+106j
		push	dword ptr [edi+24h] ; size_t
		lea	ecx, [ebp+var_EC]
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_562C38
; 

loc_5E4BAF:				; CODE XREF: SepRmDispatchDataToLsa+119j
		and	[ebp+var_20C], 0
		lea	eax, [ebp+var_20C]
		push	8000h
		push	eax
		lea	eax, [ebp+var_1E8]
		push	eax
		push	dword ptr [ebx]
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)
		mov	esi, eax
		jmp	loc_562C4B
; END OF FUNCTION CHUNK	FOR SepRmDispatchDataToLsa
; 
; START	OF FUNCTION CHUNK FOR IoGetDeviceInstanceName

loc_5E4BD7:				; CODE XREF: IoGetDeviceInstanceName+1Ej
					; IoGetDeviceInstanceName+2Ej
		movzx	edx, word ptr [esi+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_5E4C12
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_5E4C12
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_5E4C12:				; CODE XREF: IoGetDeviceInstanceName+81F27j
					; IoGetDeviceInstanceName+81F3Bj
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_5E4CB0
		mov	edx, 1F4h
		lea	edi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[edi], bx
		jz	short loc_5E4C4A
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock

loc_5E4C4A:				; CODE XREF: IoGetDeviceInstanceName+81F75j
		mov	edx, [esi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_5E4C7E
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [esi+0B0h]

loc_5E4C7E:				; CODE XREF: IoGetDeviceInstanceName+81F9Bj
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_5E4CB0
		lea	ecx, [eax+1Ch]
		cmp	[ecx], bx
		jz	short loc_5E4CB0
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_5E4CB0:				; CODE XREF: IoGetDeviceInstanceName+Dj
					; IoGetDeviceInstanceName+81F5Fj ...
		push	ebx
		push	ebx
		push	esi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5E4CC0:				; CODE XREF: IoWMIWriteEvent+13j
		mov	eax, 0C0000001h
		jmp	loc_562EA2
; END OF FUNCTION CHUNK	FOR IoGetDeviceInstanceName
; 
; START	OF FUNCTION CHUNK FOR IoWMIWriteEvent

loc_5E4CCA:				; CODE XREF: IoWMIWriteEvent+25j
		mov	eax, [edi]
		and	esi, 20000h
		movzx	ecx, word ptr [edi+8]
		cmp	eax, 30h
		jnb	short loc_5E4CE5
		mov	eax, 0C0000023h
		jmp	loc_562EA2
; 

loc_5E4CE5:				; CODE XREF: IoWMIWriteEvent+81F01j
		test	esi, esi
		jz	short loc_5E4D13
		cmp	eax, 0FFFFh
		ja	short loc_5E4D17

loc_5E4CF0:				; CODE XREF: IoWMIWriteEvent+81F3Dj
		push	0
		push	0C00A0000h
		mov	eax, ecx
		mov	ecx, edi
		cdq
		push	edx
		push	eax
		push	30h
		pop	edx
		call	_EtwTraceEvent@24 ; EtwTraceEvent(x,x,x,x,x,x)
		test	esi, esi
		jnz	loc_562EA2
		jmp	loc_562E03
; 

loc_5E4D13:				; CODE XREF: IoWMIWriteEvent+81F0Fj
		test	eax, eax
		jns	short loc_5E4CF0

loc_5E4D17:				; CODE XREF: IoWMIWriteEvent+81F16j
		mov	eax, 80000005h
		jmp	loc_562EA2
; 

loc_5E4D21:				; CODE XREF: IoWMIWriteEvent+7Aj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_562E5D
; 

loc_5E4D2E:				; CODE XREF: IoWMIWriteEvent+40j
		mov	eax, 0C000009Ah
		jmp	loc_562EA2
; END OF FUNCTION CHUNK	FOR IoWMIWriteEvent
; 
; START	OF FUNCTION CHUNK FOR HviIsAnyHypervisorPresent

loc_5E4D38:				; CODE XREF: HviIsAnyHypervisorPresent+43j
		mov	eax, 40000001h
		lea	edi, [ebp+var_18]
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	al, 1
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		cmp	[ebp+var_18], 766E6258h
		jnz	loc_562EFC
		jmp	loc_562EF9
; END OF FUNCTION CHUNK	FOR HviIsAnyHypervisorPresent
; 
; START	OF FUNCTION CHUNK FOR PopEsUpdateState

loc_5E4D68:				; CODE XREF: PopEsUpdateState+52j
					; PopEsUpdateState+5Aj	...
		lea	ecx, [ebp+var_2C]
		call	PopEsSnapTelemetry
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PopCsResiliencyStatsLock
		mov	[ebp+var_2], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	ds:_PopCsResiliencyStats, 0
		mov	eax, [ebp+var_C]
		mov	ds:_PopEsState,	eax
		mov	ds:_PopEsReason, esi
		jz	short loc_5E4DAB
		test	bl, bl
		jnz	short loc_5E4DA5
		cmp	[ebp+var_1], bl
		jz	short loc_5E4DAB

loc_5E4DA5:				; CODE XREF: PopEsUpdateState+81E92j
		inc	ds:dword_6C2388

loc_5E4DAB:				; CODE XREF: PopEsUpdateState+81E8Ej
					; PopEsUpdateState+81E97j
		test	ds:byte_70EFC6,	1
		jz	short loc_5E4DC0
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5E4DC5
; 

loc_5E4DC0:				; CODE XREF: PopEsUpdateState+81EA6j
		xor	eax, eax
		lock and [edi],	eax

loc_5E4DC5:				; CODE XREF: PopEsUpdateState+81EB2j
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jz	short loc_5E4DD7
		call	_PopEsPublishState@0 ; PopEsPublishState()

loc_5E4DD7:				; CODE XREF: PopEsUpdateState+81EC4j
		call	_PopDiagTraceEsState@8 ; PopDiagTraceEsState(x,x)
		jmp	loc_562F74
; END OF FUNCTION CHUNK	FOR PopEsUpdateState
; 
; START	OF FUNCTION CHUNK FOR PopPepNotifyIdleState

loc_5E4DE1:				; CODE XREF: PopPepNotifyIdleState+1Dj
		mov	edx, [edi+90h]
		mov	ecx, [esi+18h]
		push	1
		push	dword ptr [edi+118h]
		call	_PopPluginNotifyIdleState@16 ; PopPluginNotifyIdleState(x,x,x,x)
		test	al, al
		jz	loc_563011
		jmp	loc_562FE1
; END OF FUNCTION CHUNK	FOR PopPepNotifyIdleState
; 
; START	OF FUNCTION CHUNK FOR PopPepStartComponentIdleStateChangeActivity

loc_5E4E04:				; CODE XREF: PopPepStartComponentIdleStateChangeActivity+3Aj
		mov	dword ptr [ebx+0Ch], 1

loc_5E4E0B:				; CODE XREF: PopPepStartComponentIdleStateChangeActivity+5Bj
		mov	edx, [edi+8]
		mov	ecx, [esi+18h]
		push	eax
		push	dword ptr [edi+90h]
		push	dword ptr [edi+94h]
		call	PopPlNotifyDeviceFState
		mov	esi, [edi+90h]
		imul	ecx, [edi+94h],	18h
		mov	eax, [edi+0A0h]
		imul	edx, esi, 18h
		push	1
		mov	ecx, [ecx+eax+10h]
		mov	edx, [edx+eax+10h]
		call	PopPepUpdateIdleStateRefCount
		mov	edx, [edi+8]
		push	0
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+18h]
		call	PopFxUpdateComponentAccountingEnhanced
		mov	edx, [edi+8]
		mov	ecx, [esi+18h]
		push	0
		push	dword ptr [edi+90h]
		call	_PopPluginNotifyIdleState@16 ; PopPluginNotifyIdleState(x,x,x,x)
		cmp	al, 1
		jnz	loc_56307B
		mov	dword ptr [ebx+0Ch], 2
		jmp	loc_56307B
; END OF FUNCTION CHUNK	FOR PopPepStartComponentIdleStateChangeActivity
; 
; START	OF FUNCTION CHUNK FOR PopPlNotifyDeviceFState

loc_5E4E80:				; CODE XREF: PopPlNotifyDeviceFState+3Aj
		mov	eax, [ebp+arg_4]
		mov	bh, [ebp+arg_8]
		cmp	eax, [ebp+arg_0]
		jbe	short loc_5E4E96
		test	bh, bh
		jz	loc_5630F6
		cmp	eax, [ebp+arg_0]

loc_5E4E96:				; CODE XREF: PopPlNotifyDeviceFState+81DD3j
		jnb	short loc_5E4EA0
		test	bh, bh
		jnz	loc_5630F6

loc_5E4EA0:				; CODE XREF: PopPlNotifyDeviceFState:loc_5E4E96j
		mov	esi, [ecx+304h]
		mov	[ebp+var_D0], esi
		mov	edi, [esi+8]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+8]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+var_D8]
		lea	eax, [ebp+var_E0]
		push	eax
		lea	eax, [ebp+arg_4]
		mov	[edi+0Ch], bl
		mov	esi, [esi+10h]
		xor	edx, edx
		push	eax
		call	_PopPlCalculateDevicePowerDraw@16 ; PopPlCalculateDevicePowerDraw(x,x,x,x)
		mov	ecx, eax
		sub	ecx, esi
		mov	esi, [ebp+var_D0]
		mov	[ebp+var_DC], ecx
		mov	[esi+10h], eax
		cmp	ds:dword_6B23F8, 5
		jbe	loc_5E5047
		xor	ecx, ecx
		mov	[ebp+var_D0], 1
		mov	[ebp+var_A8], ecx
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_AC], eax
		mov	edx, offset ??_C@_09GOOJCAKO@Beginning@FNODOBFM@
		mov	eax, [ebp+var_D4]
		mov	[ebp+var_A4], 2
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_9C], eax
		mov	[ebp+var_98], ecx
		mov	[ebp+var_94], 10h
		mov	[ebp+var_90], ecx
		test	bh, bh
		jz	short loc_5E4F5B
		mov	edx, offset ??_C@_09MIJAKHKB@Completed@FNODOBFM@

loc_5E4F5B:				; CODE XREF: PopPlNotifyDeviceFState+81E9Ej
		lea	ecx, [ebp+var_8C]
		call	_tlgCreate1Sz_char
		mov	eax, [ebp+arg_4]
		xor	ebx, ebx
		mov	ecx, [ebp+var_DC]
		mov	[ebp+var_D4], eax
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_E4]
		mov	[ebp+var_6C], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_E8], eax
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_EC]
		push	4
		pop	edx
		mov	[ebp+var_4C], eax
		mov	eax, [esi+8]
		mov	[ebp+var_74], edx
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_64], edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_EC], ecx
		mov	[ebp+var_44], edx
		mov	[ebp+var_78], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx
		mov	eax, [eax+10h]
		add	eax, ecx
		mov	[ebp+var_34], edx
		mov	[ebp+var_F0], eax
		lea	edx, [ebp+var_14]
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_2C], edx
		mov	[ebp+var_3C], eax
		mov	edx, offset loc_420D6E
		mov	eax, [ebp+var_D8]
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		movzx	ecx, word ptr [eax+70h]
		mov	eax, [eax+74h]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_CC]
		push	eax
		push	0Ch
		push	ebx
		push	ebx
		push	1
		push	ebx
		mov	[ebp+var_14], ecx
		mov	ecx, offset dword_6B23F8
		push	ebx
		mov	[ebp+var_24], 2
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_DC]

loc_5E5047:				; CODE XREF: PopPlNotifyDeviceFState+81E41j
		mov	edx, ecx
		mov	ecx, edi
		call	_PopPlPublishSystemPowerChange@8 ; PopPlPublishSystemPowerChange(x,x)
		test	ds:byte_70EFC6,	1
		mov	bl, [edi+0Ch]
		jz	short loc_5E5069
		mov	edx, [ebp+4]
		lea	ecx, [edi+8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5E5071
; 

loc_5E5069:				; CODE XREF: PopPlNotifyDeviceFState+81FA4j
		xor	ecx, ecx
		lea	eax, [edi+8]
		lock and [eax],	ecx

loc_5E5071:				; CODE XREF: PopPlNotifyDeviceFState+81FB1j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_5630F6
; END OF FUNCTION CHUNK	FOR PopPlNotifyDeviceFState
; 
; START	OF FUNCTION CHUNK FOR IoInvalidateDeviceState

loc_5E507E:				; CODE XREF: IoInvalidateDeviceState+20j
					; IoInvalidateDeviceState+30j
		movzx	edx, word ptr [edi+2]
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	short loc_5E50BB
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_5E50BB
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_5E50BB:				; CODE XREF: IoInvalidateDeviceState+81F82j
					; IoInvalidateDeviceState+81F96j
		mov	eax, [edi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_5E5159
		mov	edx, 1F4h
		lea	ebx, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[ebx], si
		jz	short loc_5E50F3
		push	2
		pop	edx
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [ebx]
		mov	ecx, [ebx+4]
		call	IoAddTriageDumpDataBlock

loc_5E50F3:				; CODE XREF: IoInvalidateDeviceState+81FD0j
		mov	edx, [edi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_5E5127
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [edi+0B0h]

loc_5E5127:				; CODE XREF: IoInvalidateDeviceState+81FF6j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_5E5159
		lea	ecx, [eax+1Ch]
		cmp	[ecx], si
		jz	short loc_5E5159
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_5E5159:				; CODE XREF: IoInvalidateDeviceState+Fj
					; IoInvalidateDeviceState+81FBAj ...
		push	esi
		push	esi
		push	edi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5E5169:				; CODE XREF: IoInvalidateDeviceRelations+68j
		sub	eax, 1
		jnz	loc_5631DE
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	13h
		jmp	loc_563200
; END OF FUNCTION CHUNK	FOR IoInvalidateDeviceState
; 
; START	OF FUNCTION CHUNK FOR IoInvalidateDeviceRelations

loc_5E517E:				; CODE XREF: IoInvalidateDeviceRelations+20j
					; IoInvalidateDeviceRelations+30j
		movzx	edx, word ptr [edi+2]
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	short loc_5E51BB
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_5E51BB
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_5E51BB:				; CODE XREF: IoInvalidateDeviceRelations+82002j
					; IoInvalidateDeviceRelations+82016j
		mov	eax, [edi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_5E5259
		mov	edx, 1F4h
		lea	ebx, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[ebx], si
		jz	short loc_5E51F3
		push	2
		pop	edx
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [ebx]
		mov	ecx, [ebx+4]
		call	IoAddTriageDumpDataBlock

loc_5E51F3:				; CODE XREF: IoInvalidateDeviceRelations+82050j
		mov	edx, [edi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_5E5227
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [edi+0B0h]

loc_5E5227:				; CODE XREF: IoInvalidateDeviceRelations+82076j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_5E5259
		lea	ecx, [eax+1Ch]
		cmp	[ecx], si
		jz	short loc_5E5259
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_5E5259:				; CODE XREF: IoInvalidateDeviceRelations+Fj
					; IoInvalidateDeviceRelations+8203Aj ...
		push	esi
		push	esi
		push	edi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5E5269:				; CODE XREF: IoStartNextPacket+15j
		movzx	edx, byte ptr [ebp+arg_4]
		call	IopStartNextPacket
		jmp	loc_5632FA
; END OF FUNCTION CHUNK	FOR IoInvalidateDeviceRelations
; 
; START	OF FUNCTION CHUNK FOR IopStartNextPacketByKeyEx

loc_5E5277:				; CODE XREF: IopStartNextPacketByKeyEx+4Cj
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	ecx
		mov	ecx, esi
		call	_IopStartNextPacketByKey@12 ; IopStartNextPacketByKey(x,x,x)
		jmp	loc_56335E
; END OF FUNCTION CHUNK	FOR IopStartNextPacketByKeyEx
; 
; START	OF FUNCTION CHUNK FOR IopStartNextPacket

loc_5E5289:				; CODE XREF: IopStartNextPacket+14j
		push	7
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al
		mov	[ebp+var_1], al
		jmp	loc_5633BE
; 

loc_5E529B:				; CODE XREF: IopStartNextPacket+40j
		mov	eax, [esi+0B0h]
		test	dword ptr [eax+24h], 200h
		jz	short loc_5E52AE
		and	dword ptr [ebx+38h], 0

loc_5E52AE:				; CODE XREF: IopStartNextPacket+81F04j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	edi, [eax+450h]
		jz	short loc_5E52CF
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E52FA
; 

loc_5E52CF:				; CODE XREF: IopStartNextPacket+81F1Dj
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5E52EB
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_5E52FA
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_5E52EB:				; CODE XREF: IopStartNextPacket+81F2Fj
		xor	ecx, ecx
		mov	dword ptr [edi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5E52FA:				; CODE XREF: IopStartNextPacket+81F29j
					; IopStartNextPacket+81F3Ej
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_5633EA
; 

loc_5E5308:				; CODE XREF: IopStartNextPacket+2Dj
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+450h]
		jz	short loc_5E5329
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E5354
; 

loc_5E5329:				; CODE XREF: IopStartNextPacket+81F77j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5E5345
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5E5354
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5E5345:				; CODE XREF: IopStartNextPacket+81F89j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5E5354:				; CODE XREF: IopStartNextPacket+81F83j
					; IopStartNextPacket+81F98j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_5633D7
; END OF FUNCTION CHUNK	FOR IopStartNextPacket
; 

loc_5E5361:				; CODE XREF: .text:005E5399j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5E5369:				; CODE XREF: .text:005634E7j
		push	0
		push	dword ptr [ebp-8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5E5373:				; CODE XREF: .text:005634CCj
		xor	eax, eax
		jmp	loc_563585
; 

loc_5E537A:				; CODE XREF: .text:00563532j
					; .text:00563543j
		test	dword ptr [edi+1Ch], 800h
		jnz	loc_563549
		mov	edx, ecx
		mov	ecx, edi
		push	esi
		call	_MiCreateSessionDriverProtos@12	; MiCreateSessionDriverProtos(x,x,x)
		test	eax, eax
		jnz	loc_563549
		jmp	short loc_5E5361
; 
; START	OF FUNCTION CHUNK FOR RtlMapSecurityErrorToNtStatus

loc_5E539B:				; CODE XREF: RtlMapSecurityErrorToNtStatus+Fj
		jz	short loc_5E53DB ; case	-0x7FF6FCFB
		lea	ecx, [eax+7FF6FD00h] ; switch 18 cases
		cmp	ecx, 11h
		ja	loc_5635C2	; default
		jmp	ds:off_5E5423[ecx*4] ; switch jump

loc_5E53B3:				; DATA XREF: .text:off_5E5423o
		mov	eax, 0C000009Ah	; case -0x7FF6FD00
		jmp	loc_5635C2	; default
; 

loc_5E53BD:				; CODE XREF: RtlMapSecurityErrorToNtStatus+81E14j
					; DATA XREF: .text:off_5E5423o
		mov	eax, 0C0000008h	; case -0x7FF6FCFF
		jmp	loc_5635C2	; default
; 

loc_5E53C7:				; CODE XREF: RtlMapSecurityErrorToNtStatus+81E14j
					; DATA XREF: .text:off_5E5423o
		mov	eax, 0C00000BEh	; case -0x7FF6FCFD
		jmp	loc_5635C2	; default
; 

loc_5E53D1:				; CODE XREF: RtlMapSecurityErrorToNtStatus+81E14j
					; DATA XREF: .text:off_5E5423o
		mov	eax, 0C00000E5h	; case -0x7FF6FCFC
		jmp	loc_5635C2	; default
; 

loc_5E53DB:				; CODE XREF: RtlMapSecurityErrorToNtStatus:loc_5E539Bj
					; RtlMapSecurityErrorToNtStatus+81E14j
					; DATA XREF: ...
		mov	eax, 0C00000FEh	; case -0x7FF6FCFB
		jmp	loc_5635C2	; default
; 

loc_5E53E5:				; CODE XREF: RtlMapSecurityErrorToNtStatus+81E14j
					; DATA XREF: .text:off_5E5423o
		mov	eax, 0C0000061h	; case -0x7FF6FCFA
		jmp	loc_5635C2	; default
; 

loc_5E53EF:				; CODE XREF: RtlMapSecurityErrorToNtStatus+81E14j
					; DATA XREF: .text:off_5E5423o
		mov	eax, 0C000010Dh	; case -0x7FF6FCF5
		jmp	loc_5635C2	; default
; 

loc_5E53F9:				; CODE XREF: RtlMapSecurityErrorToNtStatus+81E14j
					; DATA XREF: .text:off_5E5423o
		mov	eax, 0C000006Dh	; case -0x7FF6FCF4
		jmp	loc_5635C2	; default
; 

loc_5E5403:				; CODE XREF: RtlMapSecurityErrorToNtStatus+81E14j
					; DATA XREF: .text:off_5E5423o
		mov	eax, 0C000005Fh	; case -0x7FF6FCF3
		jmp	loc_5635C2	; default
; 

loc_5E540D:				; CODE XREF: RtlMapSecurityErrorToNtStatus+81E14j
					; DATA XREF: .text:off_5E5423o
		mov	eax, 0C0000022h	; case -0x7FF6FCF1
		jmp	loc_5635C2	; default
; 

loc_5E5417:				; CODE XREF: RtlMapSecurityErrorToNtStatus+81E14j
					; DATA XREF: .text:off_5E5423o
		mov	eax, 0C000005Eh	; case -0x7FF6FCEF
		jmp	loc_5635C2	; default
; END OF FUNCTION CHUNK	FOR RtlMapSecurityErrorToNtStatus
; 
		db 8Bh,	0FFh
off_5E5423	dd offset loc_5E53B3	; DATA XREF: RtlMapSecurityErrorToNtStatus+81E14r
		dd offset loc_5E53BD	; jump table for switch	statement
		dd offset loc_5635C6
		dd offset loc_5E53C7
		dd offset loc_5E53D1
		dd offset loc_5E53DB
		dd offset loc_5E53E5
		dd offset loc_5E53DB
		dd offset loc_5635CD
		dd offset loc_5635CD
		dd offset loc_5635C6
		dd offset loc_5E53EF
		dd offset loc_5E53F9
		dd offset loc_5E5403
		dd offset loc_5E5403
		dd offset loc_5E540D
		dd offset loc_5E540D
		dd offset loc_5E5417
; 
; START	OF FUNCTION CHUNK FOR PnpUnregisterPlugPlayNotification

loc_5E546B:				; CODE XREF: PnpUnregisterPlugPlayNotification+2Aj
		mov	ecx, offset _PnpDeferredRegistrationLock
		call	ExAcquireFastMutex
		mov	ebx, ds:_PnpDeferredRegistrationList
		jmp	short loc_5E54D8
; 

loc_5E547D:				; CODE XREF: PnpUnregisterPlugPlayNotification+81F02j
		lea	ecx, [ebx+8]
		mov	eax, ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ecx
		cmp	[ecx], edi
		jnz	short loc_5E54D6
		mov	[ebp+var_1], 1
		test	esi, esi
		jz	short loc_5E549D
		mov	ecx, esi
		call	ExAcquireFastMutex
		mov	eax, ebx

loc_5E549D:				; CODE XREF: PnpUnregisterPlugPlayNotification+81EB6j
		mov	edx, [ebx]
		mov	ebx, edx
		cmp	[edx+4], eax
		jnz	short loc_5E54F5
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_5E54F5
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, [ebp+var_C]
		mov	ecx, [ecx]
		call	_PnpDereferenceNotify@4	; PnpDereferenceNotify(x)
		test	esi, esi
		jz	short loc_5E54C7
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_5E54C7:				; CODE XREF: PnpUnregisterPlugPlayNotification+81EE2j
		push	37706E50h
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_5E54D8
; 

loc_5E54D6:				; CODE XREF: PnpUnregisterPlugPlayNotification+81EAEj
		mov	ebx, [ebx]

loc_5E54D8:				; CODE XREF: PnpUnregisterPlugPlayNotification+81E9Fj
					; PnpUnregisterPlugPlayNotification+81EF8j
		cmp	ebx, offset _PnpDeferredRegistrationList
		jnz	short loc_5E547D
		mov	ecx, offset _PnpDeferredRegistrationLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	bl, [ebp+var_2]
		mov	bh, [ebp+var_1]
		jmp	loc_56360C
; 

loc_5E54F5:				; CODE XREF: PnpUnregisterPlugPlayNotification+81EC8j
					; PnpUnregisterPlugPlayNotification+81ECFj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5E54FA:				; CODE XREF: PnpUnregisterPlugPlayNotification+5Aj
		test	bh, bh
		jnz	loc_56363C
		test	bl, bl
		jz	loc_56366A
		mov	ecx, [edi+28h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_563675
; END OF FUNCTION CHUNK	FOR PnpUnregisterPlugPlayNotification
; 

loc_5E5523:				; CODE XREF: .text:005636D7j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5636E2
; 
; START	OF FUNCTION CHUNK FOR IoValidateDeviceIoControlAccess

loc_5E5532:				; CODE XREF: IoValidateDeviceIoControlAccess+16j
		cmp	cl, 0Dh
		jnz	loc_5637C4
		jmp	loc_563796
; END OF FUNCTION CHUNK	FOR IoValidateDeviceIoControlAccess
; 
; START	OF FUNCTION CHUNK FOR PpmUpdateTargetProcessorPolicy

loc_5E5540:				; CODE XREF: PpmUpdateTargetProcessorPolicy+34j
		test	byte ptr [edi],	40h
		jz	loc_56382C
		mov	eax, [ebp+arg_4]
		mov	ecx, ebx
		mov	edx, [eax+38h]
		call	[ebp+arg_0]
		jmp	loc_56382C
; 

loc_5E5559:				; CODE XREF: PpmUpdateTargetProcessorPolicy+42j
		test	ds:_PpmAllowedActions, 100h
		jz	loc_56383A
		mov	eax, [ebp+arg_4]
		mov	ecx, ebx
		mov	edx, [eax+48h]
		call	[ebp+arg_0]
		jmp	loc_56383A
; 

loc_5E5579:				; CODE XREF: PpmUpdateTargetProcessorPolicy+50j
		test	byte ptr [edi],	80h
		jz	loc_563848
		mov	ecx, [ebp+arg_4]
		mov	al, [ecx+4Ch]
		mov	[esi+7Fh], al
		movzx	edx, byte ptr [ecx+4Ch]
		mov	ecx, ebx
		call	[ebp+arg_0]
		mov	eax, [ebp+var_4]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	loc_563848
		movzx	edx, byte ptr [esi+7Fh]
		call	_PpmEventAutonomousModeChange@8	; PpmEventAutonomousModeChange(x,x)
		jmp	loc_563848
; 

loc_5E55AF:				; CODE XREF: PpmUpdateTargetProcessorPolicy+5Bj
		test	dword ptr [edi], 200h
		jz	loc_563853
		mov	edx, ds:_PpmPerfTimeWindow
		mov	ecx, ebx
		call	eax
		jmp	loc_563853
; END OF FUNCTION CHUNK	FOR PpmUpdateTargetProcessorPolicy
; 
; START	OF FUNCTION CHUNK FOR FsRtlpOplockBreakToNone

loc_5E55CA:				; CODE XREF: FsRtlpOplockBreakToNone+35j
		test	eax, 1F00F90h
		jnz	loc_5E5723
		mov	edi, [esi]
		mov	[ebp+var_24], edi
		test	eax, 1000h
		jnz	loc_563895
		test	[ebp+arg_4], 10010000h
		jnz	loc_5E584D
		push	7
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[edi+25h], al
		xor	ecx, ecx
		lea	eax, [edi+38h]
		xchg	ecx, [eax]
		mov	al, [edi+25h]
		mov	[ebp+var_19], al
		mov	eax, large fs:20h
		lea	edi, [eax+450h]
		test	ds:byte_70EFC6,	1
		jz	short loc_5E562B
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E5652
; 

loc_5E562B:				; CODE XREF: FsRtlpOplockBreakToNone+81DC3j
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5E5647
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_5E5652
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_5E5647:				; CODE XREF: FsRtlpOplockBreakToNone+81DD5j
		mov	[edi], ebx
		add	eax, 4
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx

loc_5E5652:				; CODE XREF: FsRtlpOplockBreakToNone+81DCFj
					; FsRtlpOplockBreakToNone+81DE4j
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_24]
		cmp	byte ptr [eax+24h], 0
		jz	short loc_5E56CF
		mov	dword ptr [eax+1Ch], 8
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, esi
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	[esi+10h], bl
		mov	eax, [esi]
		cmp	[eax+1Ch], esi
		jnz	short loc_5E568D
		mov	[eax+1Ch], ebx
		mov	eax, [esi]

loc_5E568D:				; CODE XREF: FsRtlpOplockBreakToNone+81E2Cj
		mov	dword ptr [eax+18h], 0C0000120h
		xor	eax, eax
		lea	edx, [eax+1]
		mov	ecx, [esi]
		call	IofCompleteRequest
		mov	[esi], ebx
		mov	ecx, [esi+4]
		call	ObfDereferenceObject
		mov	[esi+4], ebx
		mov	eax, [esi+48h]
		and	eax, 20h
		xor	ecx, ecx
		inc	ecx
		or	eax, ecx
		mov	[esi+48h], eax

loc_5E56BB:				; CODE XREF: FsRtlpOplockBreakToNone+81E73j
		lea	eax, [esi+2Ch]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	loc_563895
		call	_FsRtlpRemoveAndCompleteWaitingIrp@4 ; FsRtlpRemoveAndCompleteWaitingIrp(x)
		jmp	short loc_5E56BB
; 

loc_5E56CF:				; CODE XREF: FsRtlpOplockBreakToNone+81E08j
		mov	eax, [esi]
		mov	dword ptr [eax+1Ch], 8
		mov	eax, [esi]
		mov	[eax+18h], ebx
		xor	eax, eax
		lea	edx, [eax+1]
		mov	ecx, [esi]
		call	IofCompleteRequest
		mov	[esi], ebx
		or	dword ptr [esi+48h], 200h

loc_5E56F2:				; CODE XREF: FsRtlpOplockBreakToNone+81F0Aj
					; FsRtlpOplockBreakToNone+81F0Ej
		test	byte ptr [ebp+arg_4], 8
		jnz	short loc_5E570F
		mov	edx, [esi+4]
		mov	ecx, [ebp+var_28]
		mov	ecx, [ecx+18h]
		push	ebx
		call	FsRtlpOplockKeysEqual
		test	al, al
		jnz	loc_563895

loc_5E570F:				; CODE XREF: FsRtlpOplockBreakToNone+81E9Cj
		test	byte ptr [ebp+arg_4], 1
		jz	loc_5E579C
		mov	ebx, 108h
		jmp	loc_563895
; 

loc_5E5723:				; CODE XREF: FsRtlpOplockBreakToNone+81D75j
		mov	ecx, eax
		and	ecx, 1F0FFDFh
		cmp	ecx, 10h
		jz	loc_5E57F2
		cmp	ecx, 1010h
		jz	loc_5E57F2
		test	eax, 100h
		jz	short loc_5E5766
		test	[ebp+arg_4], 10010000h
		jnz	loc_5E584D
		and	eax, 0FFFFFEFFh
		mov	[esi+48h], eax
		or	eax, 400h
		mov	[esi+48h], eax
		jmp	short loc_5E56F2
; 

loc_5E5766:				; CODE XREF: FsRtlpOplockBreakToNone+81EEBj
		test	al, al
		jns	short loc_5E56F2
		test	[ebp+arg_4], 10010000h
		jnz	loc_5E584D
		and	eax, 20h
		or	eax, edx
		mov	[esi+48h], eax
		mov	[esi+4], ebx
		cmp	[esi+0Ch], ebx
		jz	loc_563895
		xor	edx, edx
		mov	ecx, esi
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	[esi+10h], bl
		jmp	loc_563895
; 

loc_5E579C:				; CODE XREF: FsRtlpOplockBreakToNone+81EB9j
		test	[ebp+arg_4], 10010000h
		jnz	loc_5E584D
		xor	eax, eax
		inc	eax
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, esi
		call	FsRtlpOplockSendModernAppTermination
		mov	eax, [ebp+arg_28]
		mov	[eax], bl
		push	[ebp+arg_2C]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	ebx
		lea	eax, [ebp+var_38]
		push	eax
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_FsRtlpWaitOnIrp@48 ; FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		jmp	loc_563895
; 

loc_5E57F2:				; CODE XREF: FsRtlpOplockBreakToNone+81ED4j
					; FsRtlpOplockBreakToNone+81EE0j
		test	[ebp+arg_4], 10010000h
		jnz	short loc_5E584D
		lea	eax, [esi+14h]
		mov	edi, [eax]

loc_5E5800:				; CODE XREF: FsRtlpOplockBreakToNone+81FC8j
		cmp	edi, eax
		jz	short loc_5E5824
		mov	eax, [edi+8]
		cmp	dword ptr [eax+0Ch], 90240h
		jz	short loc_5E581D
		mov	edi, [edi+4]
		push	ebx
		xor	edx, edx
		mov	ecx, [edi]
		call	_FsRtlpRemoveAndCompleteReadOnlyIrp@12 ; FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)

loc_5E581D:				; CODE XREF: FsRtlpOplockBreakToNone+81FB4j
		mov	edi, [edi]
		lea	eax, [esi+14h]
		jmp	short loc_5E5800
; 

loc_5E5824:				; CODE XREF: FsRtlpOplockBreakToNone+81FA8j
		mov	eax, [esi+48h]
		mov	ecx, eax
		and	ecx, 20h
		and	eax, 1F0FFDFh
		cmp	eax, 1010h
		jnz	short loc_5E5840
		or	ecx, 1000h
		jmp	short loc_5E5845
; 

loc_5E5840:				; CODE XREF: FsRtlpOplockBreakToNone+81FDCj
		xor	eax, eax
		inc	eax
		or	ecx, eax

loc_5E5845:				; CODE XREF: FsRtlpOplockBreakToNone+81FE4j
		mov	[esi+48h], ecx
		jmp	loc_563895
; 

loc_5E584D:				; CODE XREF: FsRtlpOplockBreakToNone+81D92j
					; FsRtlpOplockBreakToNone+81EF4j ...
		mov	ebx, 0C0000909h
		jmp	loc_563895
; END OF FUNCTION CHUNK	FOR FsRtlpOplockBreakToNone

;  S U B	R O U T	I N E 


sub_5E5857	proc near		; DATA XREF: .text:006A4CE0o
		mov	ebx, [ebp-20h]
		jmp	nullsub_3
sub_5E5857	endp

; 
; START	OF FUNCTION CHUNK FOR IoStartPacket

loc_5E585F:				; CODE XREF: IoStartPacket+22j
		push	7
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	byte ptr [ebp+arg_0+3],	al
		mov	[esi+38h], ebx
		jmp	loc_5638E6
; 

loc_5E5872:				; CODE XREF: IoStartPacket+33j
		push	dword ptr [eax]
		push	ecx
		push	edx
		call	_KeInsertByKeyDeviceQueue@12 ; KeInsertByKeyDeviceQueue(x,x,x)
		jmp	loc_5638FE
; 

loc_5E5880:				; CODE XREF: IoStartPacket+49j
		mov	eax, [edi+0B0h]
		test	dword ptr [eax+24h], 200h
		jz	short loc_5E5893
		and	dword ptr [esi+38h], 0

loc_5E5893:				; CODE XREF: IoStartPacket+81FCFj
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	ebx, [eax+450h]
		jz	short loc_5E58B4
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E58DF
; 

loc_5E58B4:				; CODE XREF: IoStartPacket+81FE8j
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5E58D0
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jz	short loc_5E58DF
		mov	ecx, ebx
		call	KxWaitForLockChainValid

loc_5E58D0:				; CODE XREF: IoStartPacket+81FFAj
		xor	ecx, ecx
		mov	dword ptr [ebx], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5E58DF:				; CODE XREF: IoStartPacket+81FF4j
					; IoStartPacket+82009j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_56390D
; 

loc_5E58ED:				; CODE XREF: IoStartPacket+6Bj
		cmp	byte ptr [esi+24h], 0
		jz	short loc_5E5906
		mov	cl, byte ptr [ebp+arg_0+3]
		and	dword ptr [esi+38h], 0
		push	esi
		push	edi
		mov	[esi+25h], cl
		call	ebx
		jmp	loc_563915
; 

loc_5E5906:				; CODE XREF: IoStartPacket+82033j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+450h]
		jz	short loc_5E5927
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E5952
; 

loc_5E5927:				; CODE XREF: IoStartPacket+8205Bj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5E5943
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5E5952
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5E5943:				; CODE XREF: IoStartPacket+8206Dj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5E5952:				; CODE XREF: IoStartPacket+82067j
					; IoStartPacket+8207Cj
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_563915
; END OF FUNCTION CHUNK	FOR IoStartPacket
; 
; START	OF FUNCTION CHUNK FOR SepLinkLogonSessions

loc_5E5960:				; CODE XREF: SepLinkLogonSessions+47j
		mov	edi, 0C0000061h

loc_5E5965:				; CODE XREF: SepLinkLogonSessions+89j
					; SepLinkLogonSessions+100j ...
		mov	ecx, [esp+40h+var_2C]
		test	ecx, ecx
		jz	short loc_5E5972
		call	ObfDereferenceObject

loc_5E5972:				; CODE XREF: SepLinkLogonSessions+8203Dj
		mov	ecx, [esp+40h+var_30]
		test	ecx, ecx
		jz	short loc_5E597F
		call	ObfDereferenceObject

loc_5E597F:				; CODE XREF: SepLinkLogonSessions+8204Aj
		test	esi, esi
		jz	loc_563B0E
		mov	ecx, esi
		call	_SepDeReferenceLogonSessionDirect@4 ; SepDeReferenceLogonSessionDirect(x)
		jmp	loc_563B0E
; 

loc_5E5993:				; CODE XREF: SepLinkLogonSessions+5Aj
					; SepLinkLogonSessions+98j ...
		mov	edi, 0C000000Dh
		jmp	short loc_5E5965
; 

loc_5E599A:				; CODE XREF: SepLinkLogonSessions+AAj
		or	dword ptr [ecx+18h], 4
		mov	edi, esi
		jmp	loc_563B0E
; 

loc_5E59A5:				; CODE XREF: SepLinkLogonSessions+1BCj
		mov	ecx, [esp+40h+var_2C]
		call	_SepRemoveTokenLogonSession@4 ;	SepRemoveTokenLogonSession(x)
		mov	ecx, [esp+40h+var_30]
		call	_SepRemoveTokenLogonSession@4 ;	SepRemoveTokenLogonSession(x)
		jmp	loc_563AF0
; END OF FUNCTION CHUNK	FOR SepLinkLogonSessions
; 
; START	OF FUNCTION CHUNK FOR PopFxQueueWorkOrder

loc_5E59BC:				; CODE XREF: PopFxQueueWorkOrder+37j
		push	offset unk_6C3B24
		mov	edx, esi
		mov	ecx, offset unk_6C3B28
		call	@ExfInterlockedInsertTailList@12 ; ExfInterlockedInsertTailList(x,x,x)
		push	0
		push	1
		push	0
		push	offset unk_6C3B30
		call	KeReleaseSemaphore
		jmp	loc_563BC7
; END OF FUNCTION CHUNK	FOR PopFxQueueWorkOrder
; 
; START	OF FUNCTION CHUNK FOR PopFxComponentWork

loc_5E59E2:				; CODE XREF: PopFxComponentWork+46j
		push	0
		push	0
		add	eax, 84h
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_563C18
; END OF FUNCTION CHUNK	FOR PopFxComponentWork
; 
; START	OF FUNCTION CHUNK FOR KiLoadFastSyscallMachineSpecificRegisters

loc_5E59F6:				; CODE XREF: KiLoadFastSyscallMachineSpecificRegisters+26j
		mov	eax, offset _KiFastCallEntry
		xor	edx, edx
		wrmsr
		mov	eax, [esi+2210h]
		jmp	loc_563C88
; END OF FUNCTION CHUNK	FOR KiLoadFastSyscallMachineSpecificRegisters
; 
; START	OF FUNCTION CHUNK FOR KvfCommitFeatureStates

loc_5E5A0A:				; CODE XREF: KvfCommitFeatureStates+51j
		push	4
		push	offset _KvfFeatureStates
		push	4
		push	edi
		push	offset unk_6B317C
		and	eax, 0FFFFFFFDh
		push	esi
		mov	ds:_KvfFeatureStates, eax
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		jmp	loc_563D3B
; END OF FUNCTION CHUNK	FOR KvfCommitFeatureStates
; 
; START	OF FUNCTION CHUNK FOR RtlIpv4AddressToStringExW

loc_5E5A2C:				; CODE XREF: RtlIpv4AddressToStringExW+2Fj
		cmp	dword ptr [edi], 0
		jnz	loc_563DCE
		jmp	loc_563D83
; 

loc_5E5A3A:				; CODE XREF: RtlIpv4AddressToStringExW+44j
		mov	ch, bl
		lea	eax, [ebp+var_4]
		mov	cl, bh
		sub	eax, esi
		movzx	ecx, cx
		push	ecx
		push	(offset	loc_5A5957+1)
		sar	eax, 1
		push	eax
		push	esi
		call	_swprintf_s
		add	esp, 10h
		lea	esi, [esi+eax*2]
		jmp	loc_563D98
; END OF FUNCTION CHUNK	FOR RtlIpv4AddressToStringExW
; 
; START	OF FUNCTION CHUNK FOR PoSetUserPresent

loc_5E5A60:				; CODE XREF: PoSetUserPresent+30j
		push	offset byte_401802
		xor	eax, eax
		lea	ecx, [ebp+var_1C]
		push	1241h
		xor	edx, edx
		mov	[ebp+var_1C], eax
		push	80008000h
		inc	edx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_563E80
; END OF FUNCTION CHUNK	FOR PoSetUserPresent
; 
; START	OF FUNCTION CHUNK FOR PopSetSystemState

loc_5E5A8D:				; CODE XREF: PopSetSystemState+19j
		push	3
		pop	ecx
		call	_PopResetIdleTime@4 ; PopResetIdleTime(x)
		jmp	loc_563EC3
; END OF FUNCTION CHUNK	FOR PopSetSystemState
; 
; START	OF FUNCTION CHUNK FOR PopUserPresentSet

loc_5E5A9A:				; CODE XREF: PopUserPresentSet+13j
		mov	eax, ds:_PopFullWake
		mov	edx, ds:_PopUserPresentSetStatus ; int
		push	esi		; int
		push	esi		; int
		push	esi		; int
		push	esi		; int
		push	eax		; int
		push	edx		; int
		push	111h		; int
		push	0A0h		; int
		push	offset ??_C@_1CA@NLEIKFFC@?$AAU?$AAs?$AAe?$AAr?$AAP?$AAr?$AAe?$AAs?$AAe?$AAn?$AAc?$AAe?$AAS?$AAe?$AAt@FNODOBFM@	; int
		call	_DbgkWerCaptureLiveKernelDump@36 ; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)
		jmp	loc_563EED
; 

loc_5E5AC4:				; CODE XREF: PopUserPresentSet+20j
		xor	ecx, ecx
		mov	eax, offset _PopPendingUserPresenceDuringSystemSleep
		inc	ecx
		lock or	[eax], ecx
		mov	eax, offset _PopPendingUserPresenceMonitorOnReason
		xchg	edi, [eax]
		jmp	loc_563F50
; 

loc_5E5ADB:				; CODE XREF: PopUserPresentSet+3Fj
		test	ebx, ebx
		jnz	loc_563F50
		xor	eax, eax
		mov	ecx, offset _PopUserPresentSetStatus
		xchg	eax, [ecx]
		push	esi
		push	esi
		push	offset _PopUserPresentCompletedEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_563F50
; END OF FUNCTION CHUNK	FOR PopUserPresentSet
; 
; START	OF FUNCTION CHUNK FOR CcChangeBackingFileObject

loc_5E5AFD:				; CODE XREF: CcChangeBackingFileObject+49j
		mov	eax, [esi+14h]
		cmp	eax, [ecx+14h]
		jz	loc_56407D
		xor	esi, esi
		test	ds:byte_70EFC6,	1
		jz	short loc_5E5B21
		mov	edx, [ebx+4]
		lea	ecx, [ebp+var_50]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E5B4C
; 

loc_5E5B21:				; CODE XREF: CcChangeBackingFileObject+81AE4j
		mov	eax, [ebp+var_50]
		test	eax, eax
		jnz	short loc_5E5B40
		mov	edx, [ebp+var_4C]
		lea	eax, [ebp+var_50]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_50]
		cmp	eax, ecx
		jz	short loc_5E5B4C
		call	KxWaitForLockChainValid

loc_5E5B40:				; CODE XREF: CcChangeBackingFileObject+81AF8j
		xor	ecx, ecx
		mov	[ebp+var_50], esi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5E5B4C:				; CODE XREF: CcChangeBackingFileObject+81AF1j
					; CcChangeBackingFileObject+81B0Bj
		mov	cl, [ebp+var_48]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_8], edx
		mov	eax, edx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5E5B6E
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5E5B6E:				; CODE XREF: CcChangeBackingFileObject+81B37j
		mov	eax, offset _CcChangeSharedCacheMapFileLock
		mov	edi, esi
		mov	[ebp+var_10], edi
		test	eax, 7FFFFFFCh
		jz	loc_5E5D1A
		mov	ecx, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		cmp	edx, offset _CcChangeSharedCacheMapFileLock
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_C], ecx
		pop	edx
		ja	short loc_5E5BAD
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_5E5BBF

loc_5E5BAD:				; CODE XREF: CcChangeBackingFileObject+81B74j
		cmp	[ebp+var_30], offset _CcChangeSharedCacheMapFileLock
		ja	short loc_5E5BD2
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_5E5BD2

loc_5E5BBF:				; CODE XREF: CcChangeBackingFileObject+81B7Dj
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_C]
		mov	edx, eax
		mov	[ebp+var_8], eax

loc_5E5BD2:				; CODE XREF: CcChangeBackingFileObject+81B86j
					; CcChangeBackingFileObject+81B8Fj
		dec	word ptr [ecx+13Eh]
		nop
		inc	byte ptr [ecx+1E6h]
		nop
		mov	al, [ecx+1E6h]
		push	edx
		mov	edx, offset _CcChangeSharedCacheMapFileLock
		mov	byte ptr [ebp+var_4+2],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_5E5C24
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	short loc_5E5C0F
		mov	esi, ecx
		jmp	short loc_5E5C8B
; 

loc_5E5C0F:				; CODE XREF: CcChangeBackingFileObject+269j
					; CcChangeBackingFileObject+81BDBj ...
		push	esi
		push	[ebp+var_8]
		mov	eax, offset _CcChangeSharedCacheMapFileLock
		push	eax
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E5C24:				; CODE XREF: CcChangeBackingFileObject+81BCEj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], esi
		jge	short loc_5E5C3A
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_5E5C3A:				; CODE XREF: CcChangeBackingFileObject+81C02j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	[ecx+10h], esi
		mov	esi, [ebp+var_C]
		push	30h
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		mov	al, dl
		shl	al, cl
		cmp	byte ptr [ebp+var_4+2],	dl
		jnz	short loc_5E5C7F
		or	[esi+1E4h], al
		jmp	short loc_5E5C8B
; 

loc_5E5C7F:				; CODE XREF: CcChangeBackingFileObject+81C47j
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_C]

loc_5E5C8B:				; CODE XREF: CcChangeBackingFileObject+81BDFj
					; CcChangeBackingFileObject+81C4Fj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	short loc_5E5CF4
		test	edi, 8000h
		jz	short loc_5E5CAF
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5E5CAF:				; CODE XREF: CcChangeBackingFileObject+81C76j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_5E5CC5
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_5E5CC5:				; CODE XREF: CcChangeBackingFileObject+81C85j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5E5CD9
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5E5CD9:				; CODE XREF: CcChangeBackingFileObject+81C9Ej
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5E5CF4
		push	[ebp+var_30]
		mov	edx, offset _CcChangeSharedCacheMapFileLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5E5CF4:				; CODE XREF: CcChangeBackingFileObject+81C6Ej
					; CcChangeBackingFileObject+81CB5j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_5E5D1A
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5E5D1A
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5E5D1A:				; CODE XREF: CcChangeBackingFileObject+81B4Fj
					; CcChangeBackingFileObject+81CDDj ...
		mov	eax, 0C00000F0h
		jmp	loc_564247
; 

loc_5E5D24:				; CODE XREF: CcChangeBackingFileObject+57j
		xor	esi, esi
		test	ds:byte_70EFC6,	1
		jz	short loc_5E5D3C
		mov	edx, [ebx+4]
		lea	ecx, [ebp+var_50]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E5D67
; 

loc_5E5D3C:				; CODE XREF: CcChangeBackingFileObject+81CFFj
		mov	eax, [ebp+var_50]
		test	eax, eax
		jnz	short loc_5E5D5B
		mov	edx, [ebp+var_4C]
		lea	eax, [ebp+var_50]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_50]
		cmp	eax, ecx
		jz	short loc_5E5D67
		call	KxWaitForLockChainValid

loc_5E5D5B:				; CODE XREF: CcChangeBackingFileObject+81D13j
		xor	ecx, ecx
		mov	[ebp+var_50], esi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5E5D67:				; CODE XREF: CcChangeBackingFileObject+81D0Cj
					; CcChangeBackingFileObject+81D26j
		mov	cl, [ebp+var_48]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_8], edx
		mov	eax, edx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5E5D89
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5E5D89:				; CODE XREF: CcChangeBackingFileObject+81D52j
		mov	eax, offset _CcChangeSharedCacheMapFileLock
		mov	edi, esi
		mov	[ebp+var_10], edi
		test	eax, 7FFFFFFCh
		jz	loc_564245
		mov	ecx, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		cmp	edx, offset _CcChangeSharedCacheMapFileLock
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_C], ecx
		pop	edx
		ja	short loc_5E5DC8
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_5E5DDA

loc_5E5DC8:				; CODE XREF: CcChangeBackingFileObject+81D8Fj
		cmp	[ebp+var_20], offset _CcChangeSharedCacheMapFileLock
		ja	short loc_5E5DED
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_5E5DED

loc_5E5DDA:				; CODE XREF: CcChangeBackingFileObject+81D98j
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_C]
		mov	edx, eax
		mov	[ebp+var_8], eax

loc_5E5DED:				; CODE XREF: CcChangeBackingFileObject+81DA1j
					; CcChangeBackingFileObject+81DAAj
		dec	word ptr [ecx+13Eh]
		nop
		inc	byte ptr [ecx+1E6h]
		nop
		mov	al, [ecx+1E6h]
		push	edx
		mov	edx, offset _CcChangeSharedCacheMapFileLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_5E5E2E
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_5E5C0F
		mov	esi, ecx
		jmp	short loc_5E5E95
; 

loc_5E5E2E:				; CODE XREF: CcChangeBackingFileObject+81DE9j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], esi
		jge	short loc_5E5E44
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_5E5E44:				; CODE XREF: CcChangeBackingFileObject+81E0Cj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	[ecx+10h], esi
		mov	esi, [ebp+var_C]
		push	30h
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		mov	al, dl
		shl	al, cl
		cmp	byte ptr [ebp+var_4+3],	dl
		jnz	short loc_5E5E89
		or	[esi+1E4h], al
		jmp	short loc_5E5E95
; 

loc_5E5E89:				; CODE XREF: CcChangeBackingFileObject+81E51j
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_C]

loc_5E5E95:				; CODE XREF: CcChangeBackingFileObject+81DFEj
					; CcChangeBackingFileObject+81E59j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	loc_5E62EE
		test	edi, 8000h
		jz	short loc_5E5EBD
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5E5EBD:				; CODE XREF: CcChangeBackingFileObject+81E84j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_5E5ED3
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_5E5ED3:				; CODE XREF: CcChangeBackingFileObject+81E93j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5E5EE7
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5E5EE7:				; CODE XREF: CcChangeBackingFileObject+81EACj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_5E62EE
		push	[ebp+var_30]
		jmp	loc_5E62E2
; 

loc_5E5EFF:				; CODE XREF: CcChangeBackingFileObject+64j
		xor	esi, esi
		test	ds:byte_70EFC6,	1
		jz	short loc_5E5F17
		mov	edx, [ebx+4]
		lea	ecx, [ebp+var_50]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E5F42
; 

loc_5E5F17:				; CODE XREF: CcChangeBackingFileObject+81EDAj
		mov	eax, [ebp+var_50]
		test	eax, eax
		jnz	short loc_5E5F36
		mov	edx, [ebp+var_4C]
		lea	eax, [ebp+var_50]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_50]
		cmp	eax, ecx
		jz	short loc_5E5F42
		call	KxWaitForLockChainValid

loc_5E5F36:				; CODE XREF: CcChangeBackingFileObject+81EEEj
		xor	ecx, ecx
		mov	[ebp+var_50], esi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5E5F42:				; CODE XREF: CcChangeBackingFileObject+81EE7j
					; CcChangeBackingFileObject+81F01j
		mov	cl, [ebp+var_48]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_8], edx
		mov	eax, edx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5E5F64
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5E5F64:				; CODE XREF: CcChangeBackingFileObject+81F2Dj
		mov	eax, offset _CcChangeSharedCacheMapFileLock
		mov	edi, esi
		mov	[ebp+var_10], edi
		test	eax, 7FFFFFFCh
		jz	loc_5E60FF
		mov	ecx, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		cmp	edx, offset _CcChangeSharedCacheMapFileLock
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_C], ecx
		pop	edx
		ja	short loc_5E5FA3
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_5E5FB5

loc_5E5FA3:				; CODE XREF: CcChangeBackingFileObject+81F6Aj
		cmp	[ebp+var_20], offset _CcChangeSharedCacheMapFileLock
		ja	short loc_5E5FC8
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_5E5FC8

loc_5E5FB5:				; CODE XREF: CcChangeBackingFileObject+81F73j
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_C]
		mov	edx, eax
		mov	[ebp+var_8], eax

loc_5E5FC8:				; CODE XREF: CcChangeBackingFileObject+81F7Cj
					; CcChangeBackingFileObject+81F85j
		dec	word ptr [ecx+13Eh]
		nop
		inc	byte ptr [ecx+1E6h]
		nop
		mov	al, [ecx+1E6h]
		push	edx
		mov	edx, offset _CcChangeSharedCacheMapFileLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_5E6009
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_5E5C0F
		mov	esi, ecx
		jmp	short loc_5E6070
; 

loc_5E6009:				; CODE XREF: CcChangeBackingFileObject+81FC4j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], esi
		jge	short loc_5E601F
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_5E601F:				; CODE XREF: CcChangeBackingFileObject+81FE7j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	[ecx+10h], esi
		mov	esi, [ebp+var_C]
		push	30h
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		mov	al, dl
		shl	al, cl
		cmp	byte ptr [ebp+var_4+3],	dl
		jnz	short loc_5E6064
		or	[esi+1E4h], al
		jmp	short loc_5E6070
; 

loc_5E6064:				; CODE XREF: CcChangeBackingFileObject+8202Cj
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_C]

loc_5E6070:				; CODE XREF: CcChangeBackingFileObject+81FD9j
					; CcChangeBackingFileObject+82034j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	short loc_5E60D9
		test	edi, 8000h
		jz	short loc_5E6094
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5E6094:				; CODE XREF: CcChangeBackingFileObject+8205Bj
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_5E60AA
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_5E60AA:				; CODE XREF: CcChangeBackingFileObject+8206Aj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5E60BE
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5E60BE:				; CODE XREF: CcChangeBackingFileObject+82083j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5E60D9
		push	[ebp+var_30]
		mov	edx, offset _CcChangeSharedCacheMapFileLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5E60D9:				; CODE XREF: CcChangeBackingFileObject+82053j
					; CcChangeBackingFileObject+8209Aj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_5E60FF
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5E60FF
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5E60FF:				; CODE XREF: CcChangeBackingFileObject+81F45j
					; CcChangeBackingFileObject+820C2j ...
		mov	eax, 0C00000BBh
		jmp	loc_564247
; 

loc_5E6109:				; CODE XREF: CcChangeBackingFileObject+77j
		cmp	eax, esi
		jz	loc_5640AB
		xor	esi, esi
		test	ds:byte_70EFC6,	1
		jz	short loc_5E6129
		mov	edx, [ebx+4]
		lea	ecx, [ebp+var_50]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E6154
; 

loc_5E6129:				; CODE XREF: CcChangeBackingFileObject+820ECj
		mov	eax, [ebp+var_50]
		test	eax, eax
		jnz	short loc_5E6148
		mov	edx, [ebp+var_4C]
		lea	eax, [ebp+var_50]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_50]
		cmp	eax, ecx
		jz	short loc_5E6154
		call	KxWaitForLockChainValid

loc_5E6148:				; CODE XREF: CcChangeBackingFileObject+82100j
		xor	ecx, ecx
		mov	[ebp+var_50], esi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5E6154:				; CODE XREF: CcChangeBackingFileObject+820F9j
					; CcChangeBackingFileObject+82113j
		mov	cl, [ebp+var_48]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _CcChangeSharedCacheMapFileLock
		mov	[ebp+var_8], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5E6179
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5E6179:				; CODE XREF: CcChangeBackingFileObject+82144j
		mov	eax, offset _CcChangeSharedCacheMapFileLock
		mov	edi, esi
		mov	[ebp+var_10], edi
		test	eax, 7FFFFFFCh
		jz	loc_564245
		mov	ecx, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		cmp	edx, offset _CcChangeSharedCacheMapFileLock
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_C], ecx
		pop	edx
		ja	short loc_5E61B8
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_5E61CA

loc_5E61B8:				; CODE XREF: CcChangeBackingFileObject+8217Fj
		cmp	[ebp+var_20], offset _CcChangeSharedCacheMapFileLock
		ja	short loc_5E61DD
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_5E61DD

loc_5E61CA:				; CODE XREF: CcChangeBackingFileObject+82188j
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_C]
		mov	edx, eax
		mov	[ebp+var_8], eax

loc_5E61DD:				; CODE XREF: CcChangeBackingFileObject+82191j
					; CcChangeBackingFileObject+8219Aj
		dec	word ptr [ecx+13Eh]
		nop
		inc	byte ptr [ecx+1E6h]
		nop
		mov	al, [ecx+1E6h]
		push	edx
		mov	edx, offset _CcChangeSharedCacheMapFileLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_5E621E
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_5E5C0F
		mov	esi, ecx
		jmp	short loc_5E6285
; 

loc_5E621E:				; CODE XREF: CcChangeBackingFileObject+821D9j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], esi
		jge	short loc_5E6234
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_5E6234:				; CODE XREF: CcChangeBackingFileObject+821FCj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	[ecx+10h], esi
		mov	esi, [ebp+var_C]
		push	30h
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		mov	al, dl
		shl	al, cl
		cmp	byte ptr [ebp+var_4+3],	dl
		jnz	short loc_5E6279
		or	[esi+1E4h], al
		jmp	short loc_5E6285
; 

loc_5E6279:				; CODE XREF: CcChangeBackingFileObject+82241j
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_C]

loc_5E6285:				; CODE XREF: CcChangeBackingFileObject+821EEj
					; CcChangeBackingFileObject+82249j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	short loc_5E62EE
		test	edi, 8000h
		jz	short loc_5E62A9
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5E62A9:				; CODE XREF: CcChangeBackingFileObject+82270j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_5E62BF
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_5E62BF:				; CODE XREF: CcChangeBackingFileObject+8227Fj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5E62D3
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5E62D3:				; CODE XREF: CcChangeBackingFileObject+82298j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5E62EE
		push	[ebp+var_30]

loc_5E62E2:				; CODE XREF: CcChangeBackingFileObject+81ECCj
		mov	edx, offset _CcChangeSharedCacheMapFileLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5E62EE:				; CODE XREF: CcChangeBackingFileObject+81E78j
					; CcChangeBackingFileObject+81EC3j ...
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	loc_564245
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	loc_564245
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_564245
; 

loc_5E6321:				; CODE XREF: CcChangeBackingFileObject+8Fj
		mov	edx, [ebx+4]
		lea	ecx, [ebp+var_50]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5640E5
; 

loc_5E6331:				; CODE XREF: CcChangeBackingFileObject+B1j
		lea	ecx, [ebp+var_50]
		call	KxWaitForLockChainValid

loc_5E6339:				; CODE XREF: CcChangeBackingFileObject+9Aj
		xor	ecx, ecx
		mov	[ebp+var_50], esi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_5640E5
; 

loc_5E634A:				; CODE XREF: CcChangeBackingFileObject+D3j
		test	al, 4
		jnz	loc_564107
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_564107
; 

loc_5E635E:				; CODE XREF: CcChangeBackingFileObject+1BAj
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_C]
		jmp	loc_5641F4
; 

loc_5E636F:				; CODE XREF: CcChangeBackingFileObject+259j
		push	[ebp+var_40]
		mov	edx, offset _CcChangeSharedCacheMapFileLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_564207
; END OF FUNCTION CHUNK	FOR CcChangeBackingFileObject
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceFxComponentIdleState

loc_5E6383:				; CODE XREF: PopDiagTraceFxComponentIdleState+4Aj
		push	4
		pop	ecx
		lea	eax, [ebp+var_38]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	ebx
		push	offset _POP_ETW_EVENT_COMPONENT_IDLE_STATE
		push	esi
		push	edi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ebx
		call	EtwWriteEx
		jmp	loc_564314
; END OF FUNCTION CHUNK	FOR PopDiagTraceFxComponentIdleState
; 
; START	OF FUNCTION CHUNK FOR IopResurrectDriver

loc_5E63D0:				; CODE XREF: IopResurrectDriver+2Cj
					; IopResurrectDriver+820B9j
		mov	eax, [edi+0B0h]
		and	dword ptr [eax+10h], 0FFFFFFFEh
		mov	edi, [edi+0Ch]
		test	edi, edi
		jnz	short loc_5E63D0
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jz	short loc_5E6402
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E642D
; 

loc_5E6402:				; CODE XREF: IopResurrectDriver+820CEj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5E641E
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5E642D
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5E641E:				; CODE XREF: IopResurrectDriver+820E0j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5E642D:				; CODE XREF: IopResurrectDriver+820DAj
					; IopResurrectDriver+820EFj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		jmp	loc_56439B
; 

loc_5E643C:				; CODE XREF: IopResurrectDriver+45j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_56438E
; 

loc_5E644B:				; CODE XREF: IopResurrectDriver+62j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5E6452:				; CODE XREF: IopResurrectDriver+4Fj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_56438E
; END OF FUNCTION CHUNK	FOR IopResurrectDriver
; 
; START	OF FUNCTION CHUNK FOR MmSetAccessLogging

loc_5E6466:				; CODE XREF: MmSetAccessLogging+3Fj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_564489
; 

loc_5E6476:				; CODE XREF: MmSetAccessLogging+61j
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid

loc_5E647E:				; CODE XREF: MmSetAccessLogging+4Aj
		xor	ecx, ecx
		mov	[ebp+var_10], esi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_564489
; 

loc_5E648F:				; CODE XREF: MmSetAccessLogging+92j
		cmp	eax, 2
		jnz	loc_5644DB
		mov	ds:dword_6D3150, 3
		jmp	loc_5644DB
; 

loc_5E64A7:				; CODE XREF: MmSetAccessLogging+C0j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5644FC
; 

loc_5E64B7:				; CODE XREF: MmSetAccessLogging+CBj
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jz	loc_5644FC
		call	KxWaitForLockChainValid
		jmp	loc_5644F3
; END OF FUNCTION CHUNK	FOR MmSetAccessLogging
; 
; START	OF FUNCTION CHUNK FOR IopAllocateErrorLogEntry

loc_5E64D8:				; CODE XREF: IopAllocateErrorLogEntry+59j
		mov	edx, 746C6644h
		mov	ecx, eax
		call	ObfReferenceObjectWithTag
		jmp	loc_56459F
; 

loc_5E64E9:				; CODE XREF: IopAllocateErrorLogEntry+4Ej
		mov	ecx, offset _IopErrorLogAllocation
		jmp	loc_5645D8
; END OF FUNCTION CHUNK	FOR IopAllocateErrorLogEntry
; 
; START	OF FUNCTION CHUNK FOR PpmEndHighPerfRequest

loc_5E64F3:				; CODE XREF: PpmEndHighPerfRequest+C9j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5646E4
; END OF FUNCTION CHUNK	FOR PpmEndHighPerfRequest
; 
; START	OF FUNCTION CHUNK FOR PoFxCompleteIdleState

loc_5E6502:				; CODE XREF: PoFxCompleteIdleState+30j
		mov	ecx, [esi+1Ch]
		mov	edx, edi
		push	0
		push	1
		push	0Eh
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		mov	eax, [ebx+68h]
		mov	edx, edi
		mov	ecx, [esi+1Ch]
		push	eax
		call	PopDiagTraceFxComponentIdleState
		lea	eax, [esp+30h+var_20]
		mov	edx, edi
		push	eax
		push	ecx
		mov	ecx, esi
		call	PopPluginComponentIdleState
		test	al, al
		jz	loc_564782
		lea	edx, [esp+30h+var_20]
		xor	ecx, ecx
		call	PopFxProcessWork
		jmp	loc_564782
; END OF FUNCTION CHUNK	FOR PoFxCompleteIdleState
; 

loc_5E6547:				; CODE XREF: .text:005647A3j
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_5E6553
		call	ObfDereferenceObject

loc_5E6553:				; CODE XREF: .text:005E654Cj
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	short loc_5E655F
		call	ObfDereferenceObject

loc_5E655F:				; CODE XREF: .text:005E6558j
		movzx	eax, word ptr [esi+2]
		mov	ecx, offset _IopErrorLogAllocation
		neg	eax
		lock xadd [ecx], eax
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_564837
; 

loc_5E657B:				; CODE XREF: .text:00564822j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_56482D
; 
; START	OF FUNCTION CHUNK FOR FsRtlProcessFileLock

loc_5E658A:				; CODE XREF: FsRtlProcessFileLock+2Aj
		sub	eax, 1
		jz	short loc_5E65BE
		sub	eax, 1
		jz	short loc_5E65AE
		mov	esi, 0C0000010h
		mov	dl, 1
		mov	ecx, ebx
		mov	[ebx+18h], esi
		call	IofCompleteRequest
		mov	[esp+20h+var_10], esi
		jmp	loc_5648BD
; 

loc_5E65AE:				; CODE XREF: FsRtlProcessFileLock+81D4Cj
		mov	esi, [edi+8]
		push	ebx
		call	_IoGetRequestorProcess@4 ; IoGetRequestorProcess(x)
		push	[ebp+arg_8]
		push	1
		jmp	short loc_5E65C8
; 

loc_5E65BE:				; CODE XREF: FsRtlProcessFileLock+81D47j
		push	ebx
		call	_IoGetRequestorProcess@4 ; IoGetRequestorProcess(x)
		push	[ebp+arg_8]
		push	esi

loc_5E65C8:				; CODE XREF: FsRtlProcessFileLock+81D76j
		mov	edx, [edi+18h]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	eax
		call	FsRtlPrivateFastUnlockAll
		jmp	loc_5648A6
; END OF FUNCTION CHUNK	FOR FsRtlProcessFileLock
; 
; START	OF FUNCTION CHUNK FOR FsRtlCompleteLockIrpReal

loc_5E65DC:				; CODE XREF: FsRtlCompleteLockIrpReal+Aj
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	esi, [ebp+arg_4]
		mov	[ecx+18h], esi
		call	IofCompleteRequest
		jmp	loc_564940
; END OF FUNCTION CHUNK	FOR FsRtlCompleteLockIrpReal
; 
; START	OF FUNCTION CHUNK FOR FsRtlpOplockSendModernAppTermination

loc_5E65F1:				; CODE XREF: FsRtlpOplockSendModernAppTermination+13j
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_5649A5
		mov	[ebp+var_C], 1
		lea	esi, [ebp+var_C]
		mov	eax, [eax+0E4h]
		mov	[ebp+var_8], eax
		push	8
		jmp	short loc_5E6638
; 

loc_5E6613:				; CODE XREF: FsRtlpOplockSendModernAppTermination+2Fj
		or	[ebp+var_C], 0FFFFFFFFh
		lea	esi, [ebp+var_C]
		and	[ebp+var_8], 0
		jmp	short loc_5E6636
; 

loc_5E6620:				; CODE XREF: FsRtlpOplockSendModernAppTermination+57j
		push	0FFCh		; size_t
		lea	eax, [esi+4]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		or	dword ptr [esi], 0FFFFFFFFh

loc_5E6636:				; CODE XREF: FsRtlpOplockSendModernAppTermination+81C92j
		push	4

loc_5E6638:				; CODE XREF: FsRtlpOplockSendModernAppTermination+81C85j
		pop	edi
		jmp	loc_5649FF
; END OF FUNCTION CHUNK	FOR FsRtlpOplockSendModernAppTermination
; 
; START	OF FUNCTION CHUNK FOR FsRtlSendModernAppTermination

loc_5E663E:				; CODE XREF: FsRtlSendModernAppTermination+1Aj
					; FsRtlSendModernAppTermination+25j
		or	[ebp+var_14], 0FFFFFFFFh
		lea	edx, [ebp+var_14]
		push	4
		mov	[ebp+var_10], esi
		pop	ecx
		jmp	loc_564A4B
; 

loc_5E6650:				; CODE XREF: FsRtlSendModernAppTermination+38j
		mov	eax, dword ptr ds:_WNF_FLT_RUNDOWN_WAIT
		mov	[ebp+var_C], eax
		mov	eax, dword ptr ds:loc_4253DA+2
		jmp	loc_564A70
; END OF FUNCTION CHUNK	FOR FsRtlSendModernAppTermination
; 
; START	OF FUNCTION CHUNK FOR MmSessionSetUnloadAddress

loc_5E6662:				; CODE XREF: MmSessionSetUnloadAddress+52j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_564CAC
; 

loc_5E6672:				; CODE XREF: MmSessionSetUnloadAddress+74j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5E667A:				; CODE XREF: MmSessionSetUnloadAddress+5Dj
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_564CAC
; END OF FUNCTION CHUNK	FOR MmSessionSetUnloadAddress
; 
; START	OF FUNCTION CHUNK FOR PopThermalCoolingPowerSettingCallback

loc_5E668C:				; CODE XREF: PopThermalCoolingPowerSettingCallback+4Aj
		cmp	ds:_PopConsoleDisplayState, 0
		jnz	loc_564D80
		xor	eax, eax
		inc	eax
		jmp	loc_564D85
; 

loc_5E66A1:				; CODE XREF: PopThermalCoolingPowerSettingCallback+5Bj
		mov	ds:_PopCoolingMode, eax
		call	_PopThermalZoneUpdateCoolingPolicy@0 ; PopThermalZoneUpdateCoolingPolicy()
		jmp	loc_564D91
; END OF FUNCTION CHUNK	FOR PopThermalCoolingPowerSettingCallback
; 
; START	OF FUNCTION CHUNK FOR PopFxIdleTimeoutDpcRoutine

loc_5E66B0:				; CODE XREF: PopFxIdleTimeoutDpcRoutine+4Cj
		push	esi
		mov	edx, edi
		mov	ecx, 613h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_5E66BD:				; CODE XREF: PopFxIdleTimeoutDpcRoutine+75j
		mov	ecx, [edi+1Ch]
		xor	edx, edx
		push	esi
		push	esi
		push	11h
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		jmp	loc_564E43
; 

loc_5E66D0:				; CODE XREF: PopFxIdleTimeoutDpcRoutine+39j
		xor	edx, edx
		mov	ecx, edi
		call	_PopFxDeliverDevicePowerRequired@8 ; PopFxDeliverDevicePowerRequired(x,x)
		jmp	loc_564E43
; 

loc_5E66DE:				; CODE XREF: PopFxIdleTimeoutDpcRoutine+82j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_564E55
; END OF FUNCTION CHUNK	FOR PopFxIdleTimeoutDpcRoutine
; 
; START	OF FUNCTION CHUNK FOR FsRtlpModifyThreadPriorities

loc_5E66ED:				; CODE XREF: FsRtlpModifyThreadPriorities+25j
					; FsRtlpModifyThreadPriorities+33j
		lea	ebx, [esi+24h]
		mov	edi, [ebx]
		cmp	edi, ebx
		jz	loc_564F0A
		lea	ecx, [esi+10h]

loc_5E66FD:				; CODE XREF: FsRtlpModifyThreadPriorities+8184Fj
		push	esi
		lea	eax, [edi+18h]
		push	eax
		push	ecx
		mov	ecx, [edi+14h]
		call	FsRtlpDoBoost
		mov	edi, [edi]
		lea	ecx, [esi+10h]
		mov	edx, dword ptr [ebp+arg_0]
		cmp	edi, ebx
		jnz	short loc_5E66FD
		jmp	loc_564F0A
; 

loc_5E671C:				; CODE XREF: FsRtlpModifyThreadPriorities+4Dj
		test	byte ptr [esi+48h], 20h
		jz	loc_564F0A
		mov	ecx, [esi+0Ch]
		mov	dl, 1
		push	esi
		push	1
		call	PsBoostThreadIoEx
		and	dword ptr [esi+48h], 0FFFFFFDFh
		jmp	loc_564F0A
; 

loc_5E673C:				; CODE XREF: FsRtlpModifyThreadPriorities+59j
		mov	ecx, [edi+14h]
		mov	dl, 1
		push	esi
		push	1
		call	PsBoostThreadIoEx
		and	dword ptr [edi+18h], 0FFFFFFDFh
		jmp	loc_564F0A
; END OF FUNCTION CHUNK	FOR FsRtlpModifyThreadPriorities
; 
; START	OF FUNCTION CHUNK FOR FsRtlpDoBoost

loc_5E6752:				; CODE XREF: FsRtlpDoBoost+21j
		mov	eax, [ebp+arg_4]
		test	byte ptr [eax],	20h
		jnz	loc_564F51
		mov	bl, 1
		jmp	loc_564F51
; 

loc_5E6765:				; CODE XREF: FsRtlpDoBoost+6Bj
		push	[ebp+arg_8]
		xor	dl, dl
		mov	ecx, esi
		push	1
		call	PsBoostThreadIoEx
		mov	eax, [ebp+arg_4]
		mov	ecx, esi
		mov	edx, [ebp+var_4]
		push	0
		or	dword ptr [eax], 20h
		mov	edx, [edx+2FCh]
		shr	edx, 9
		and	edx, 7
		call	IoBoostThreadIoPriority
		jmp	loc_564F9B
; END OF FUNCTION CHUNK	FOR FsRtlpDoBoost
; 
; START	OF FUNCTION CHUNK FOR KiEnableFastSyscallReturn

loc_5E6796:				; CODE XREF: KiEnableFastSyscallReturn+12j
		cmp	ds:_KiFastCallCopyDoneOnce, 0
		jnz	loc_564FD6
		jmp	loc_564FC4
; END OF FUNCTION CHUNK	FOR KiEnableFastSyscallReturn
; 
; START	OF FUNCTION CHUNK FOR FsRtlGetNextFileLock

loc_5E67A8:				; CODE XREF: FsRtlGetNextFileLock+5Bj
		cmp	[esp+50h+var_18], 0
		lea	eax, [esp+50h+var_3E]
		push	eax
		lea	eax, [esp+54h+var_38]
		push	eax
		lea	eax, [esp+58h+var_8]
		lea	edx, [esp+58h+var_28]
		push	eax
		jz	loc_5E6881
		mov	ecx, [ebx+18h]
		call	FsRtlFindFirstOverlappingExclusiveNode
		mov	edx, eax
		test	edx, edx
		jnz	short loc_5E6800
		cmp	[esp+50h+var_3E], al
		jz	short loc_5E67E0
		mov	edx, [esp+50h+var_38]
		jmp	short loc_5E67F2
; 

loc_5E67E0:				; CODE XREF: FsRtlGetNextFileLock+81742j
		cmp	[esp+50h+var_38], 0
		jz	short loc_5E6860
		push	[esp+50h+var_38]

loc_5E67EB:				; CODE XREF: FsRtlGetNextFileLock+817AEj
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		mov	edx, eax

loc_5E67F2:				; CODE XREF: FsRtlGetNextFileLock+81748j
					; FsRtlGetNextFileLock+817B6j ...
		test	edx, edx
		jz	short loc_5E6860
		lea	esi, [edx+10h]
		mov	ebx, edx
		jmp	loc_5E6958
; 

loc_5E6800:				; CODE XREF: FsRtlGetNextFileLock+8173Cj
		mov	edi, [esp+50h+var_1C]

loc_5E6804:				; CODE XREF: FsRtlGetNextFileLock+817C8j
		mov	ecx, [esp+50h+var_20]
		cmp	esi, edx
		jnz	short loc_5E6846
		mov	eax, [esp+50h+var_28]
		cmp	eax, [edx+10h]
		jnz	short loc_5E6846
		mov	eax, [esp+50h+var_24]
		cmp	eax, [edx+14h]
		jnz	short loc_5E6846
		cmp	ecx, [edx+18h]
		jnz	short loc_5E6846
		cmp	edi, [edx+1Ch]
		jnz	short loc_5E6846
		mov	eax, [esp+50h+var_14]
		cmp	eax, [edx+24h]
		jnz	short loc_5E6846
		mov	eax, [esp+50h+var_10]
		cmp	eax, [edx+28h]
		jnz	short loc_5E6846
		mov	eax, [esp+50h+var_C]
		cmp	eax, [edx+2Ch]
		jnz	short loc_5E6846
		push	edx
		jmp	short loc_5E67EB
; 

loc_5E6846:				; CODE XREF: FsRtlGetNextFileLock+81774j
					; FsRtlGetNextFileLock+8177Dj ...
		mov	eax, [edx+18h]
		or	eax, [edx+1Ch]
		jnz	short loc_5E67F2
		mov	eax, ecx
		or	eax, edi
		jnz	short loc_5E67F2
		push	edx
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_5E6804

loc_5E6860:				; CODE XREF: FsRtlGetNextFileLock+8174Fj
					; FsRtlGetNextFileLock+8175Ej
		mov	eax, [ebx+14h]
		test	eax, eax
		jz	loc_56510D
		jmp	short loc_5E686F
; 

loc_5E686D:				; CODE XREF: FsRtlGetNextFileLock+817DEj
		mov	eax, ecx

loc_5E686F:				; CODE XREF: FsRtlGetNextFileLock+817D5j
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_5E686D

loc_5E6876:				; CODE XREF: FsRtlGetNextFileLock+818DEj
		mov	ebx, [eax-10h]

loc_5E6879:				; CODE XREF: FsRtlGetNextFileLock+8187Ej
					; FsRtlGetNextFileLock+81893j
		lea	esi, [ebx+8]
		jmp	loc_5E6958
; 

loc_5E6881:				; CODE XREF: FsRtlGetNextFileLock+8172Aj
		mov	ecx, [ebx+14h]
		call	FsRtlFindFirstOverlappingSharedNode
		test	eax, eax
		jnz	short loc_5E68B2
		mov	eax, [esp+50h+var_38]
		test	eax, eax
		jz	loc_56510D
		cmp	[esp+50h+var_3E], 0
		jnz	short loc_5E68B2
		push	eax
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		mov	ecx, eax
		test	eax, eax
		jz	loc_56510D
		jmp	short loc_5E68B4
; 

loc_5E68B2:				; CODE XREF: FsRtlGetNextFileLock+817F5j
					; FsRtlGetNextFileLock+81808j
		mov	ecx, eax

loc_5E68B4:				; CODE XREF: FsRtlGetNextFileLock+8181Aj
		lea	ebx, [ecx-10h]
		test	ebx, ebx
		jz	loc_56510D
		mov	ebx, [ebx]
		test	ebx, ebx
		jz	short loc_5E691A
		mov	ecx, [esp+50h+var_24]
		mov	edx, [esp+50h+var_28]

loc_5E68CD:				; CODE XREF: FsRtlGetNextFileLock+818B2j
		cmp	esi, ebx
		jnz	short loc_5E6938
		cmp	edx, [ebx+8]
		jnz	short loc_5E6938
		cmp	ecx, [ebx+0Ch]
		jnz	short loc_5E693B
		mov	edi, [esp+50h+var_20]
		cmp	edi, [ebx+10h]
		jnz	short loc_5E6938
		mov	edx, [esp+50h+var_1C]
		cmp	edx, [ebx+14h]
		mov	edx, [esp+50h+var_28]
		jnz	short loc_5E6938
		mov	edi, [esp+50h+var_14]
		cmp	edi, [ebx+1Ch]
		mov	edi, [esp+50h+var_C]
		jnz	short loc_5E6938
		mov	esi, [esp+50h+var_10]
		cmp	esi, [ebx+20h]
		mov	esi, [esp+50h+var_3C]
		jnz	short loc_5E6938
		cmp	edi, [ebx+24h]
		jnz	short loc_5E6938
		mov	ebx, [ebx]

loc_5E6912:				; CODE XREF: FsRtlGetNextFileLock:loc_5E693Bj
					; FsRtlGetNextFileLock+818ACj
		test	ebx, ebx
		jnz	loc_5E6879

loc_5E691A:				; CODE XREF: FsRtlGetNextFileLock+8182Dj
					; FsRtlGetNextFileLock+818B4j
		push	eax
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		test	eax, eax
		jz	short loc_5E6927
		mov	ebx, [eax-10h]

loc_5E6927:				; CODE XREF: FsRtlGetNextFileLock+8188Cj
		test	ebx, ebx
		jnz	loc_5E6879
		mov	ebx, [esp+50h+var_3C]
		jmp	loc_56510F
; 

loc_5E6938:				; CODE XREF: FsRtlGetNextFileLock+81839j
					; FsRtlGetNextFileLock+8183Ej ...
		cmp	ecx, [ebx+0Ch]

loc_5E693B:				; CODE XREF: FsRtlGetNextFileLock+81843j
		jb	short loc_5E6912
		ja	short loc_5E6944
		cmp	edx, [ebx+8]
		jb	short loc_5E6912

loc_5E6944:				; CODE XREF: FsRtlGetNextFileLock+818A7j
		mov	ebx, [ebx]
		test	ebx, ebx
		jnz	short loc_5E68CD
		jmp	short loc_5E691A
; 

loc_5E694C:				; CODE XREF: FsRtlGetNextFileLock+66j
					; FsRtlGetNextFileLock+818BDj
		mov	ebx, eax
		mov	eax, [ebx+4]
		test	eax, eax
		jnz	short loc_5E694C
		lea	esi, [ebx+10h]

loc_5E6958:				; CODE XREF: FsRtlGetNextFileLock+81765j
					; FsRtlGetNextFileLock+817E6j
		push	0Ah
		pop	ecx
		lea	edi, [esp+50h+var_28]
		mov	byte ptr [esp+50h+var_34], 1
		rep movsd
		jmp	loc_56510F
; 

loc_5E696B:				; CODE XREF: FsRtlGetNextFileLock+818DCj
		mov	eax, ecx

loc_5E696D:				; CODE XREF: FsRtlGetNextFileLock+71j
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_5E696B
		jmp	loc_5E6876
; 

loc_5E6979:				; CODE XREF: FsRtlGetNextFileLock+80j
		mov	edx, [ebp+4]
		mov	ecx, [esp+50h+var_30]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_565125
; 

loc_5E698A:				; CODE XREF: FsRtlGetNextFileLock+9Ej
		mov	eax, [esp+50h+var_2C]
		lea	esi, [esp+50h+var_28]
		push	0Ah
		pop	ecx
		mov	edi, eax
		rep movsd
		mov	ecx, [ebp+arg_0]
		mov	[ecx+38h], ebx
		jmp	loc_56513C
; END OF FUNCTION CHUNK	FOR FsRtlGetNextFileLock
; 
; START	OF FUNCTION CHUNK FOR HvlEnlightenProcessor

loc_5E69A4:				; CODE XREF: HvlEnlightenProcessor+26j
		test	cl, cl
		jz	short loc_5E69B5
		test	byte ptr ds:_HvlpFlags,	2
		jnz	loc_565190

loc_5E69B5:				; CODE XREF: HvlEnlightenProcessor+81842j
		mov	edi, large fs:20h
		test	cl, cl
		jnz	short loc_5E6A32
		lea	edx, [esp+28h+var_18]
		mov	ecx, 90003h
		call	_HvlpGetRegister64@8 ; HvlpGetRegister64(x,x)
		mov	edx, [esp+28h+var_18]
		mov	ebx, edx
		mov	eax, [edi+3CCh]
		mov	cl, dl
		shr	ebx, 6
		and	cl, 3Fh
		mov	ds:_HvlpVirtualProcessorMapping[eax*2],	bl
		mov	eax, [edi+3CCh]
		mov	ds:byte_70E231[eax*2], cl
		cmp	edx, [edi+3CCh]
		jz	short loc_5E6A08
		xor	edx, edx
		mov	ds:_HvlpVirtualProcessorsIdentityMapped, dl
		jmp	short loc_5E6A0A
; 

loc_5E6A08:				; CODE XREF: HvlEnlightenProcessor+81898j
		xor	edx, edx

loc_5E6A0A:				; CODE XREF: HvlEnlightenProcessor+818A2j
		cmp	ebx, 10h
		jnb	short loc_5E6A32
		mov	eax, ds:_HvlpFlags
		mov	ecx, eax
		shr	ecx, 8
		and	ecx, 0Fh
		cmp	ebx, ecx
		jbe	short loc_5E6A32
		shl	ebx, 8
		xor	ebx, eax
		and	ebx, 0F00h
		xor	eax, ebx
		mov	ds:_HvlpFlags, eax

loc_5E6A32:				; CODE XREF: HvlEnlightenProcessor+8185Aj
					; HvlEnlightenProcessor+818A9j	...
		mov	eax, ds:_HvlpFlags
		test	eax, 80000h
		jz	short loc_5E6AB6
		mov	[esp+28h+var_10], edx
		mov	[esp+28h+var_C], edx
		test	al, 2
		jnz	short loc_5E6A61
		push	dword ptr [edi+3FCCh]
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	esi, eax
		mov	ebx, edx
		and	esi, 0FFFFF000h
		jmp	short loc_5E6AA7
; 

loc_5E6A61:				; CODE XREF: HvlEnlightenProcessor+818E4j
		lea	edx, [esp+28h+var_10]
		mov	ecx, 90013h
		call	_HvlpGetRegister64@8 ; HvlpGetRegister64(x,x)
		mov	esi, [esp+28h+var_10]
		mov	eax, esi
		mov	ebx, [esp+28h+var_C]
		and	eax, 0FFFFF000h
		cmp	dword ptr [edi+3CCh], 0
		push	4
		jz	short loc_5E6A97
		push	1000h
		push	ebx
		push	eax
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		jmp	short loc_5E6AA1
; 

loc_5E6A97:				; CODE XREF: HvlEnlightenProcessor+81923j
		push	1
		push	ebx
		push	eax
		call	ds:dword_6B12D8

loc_5E6AA1:				; CODE XREF: HvlEnlightenProcessor+81931j
		mov	[edi+3FCCh], eax

loc_5E6AA7:				; CODE XREF: HvlEnlightenProcessor+818FBj
		or	esi, 1
		mov	ecx, 90013h
		push	ebx
		push	esi
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)

loc_5E6AB6:				; CODE XREF: HvlEnlightenProcessor+818D8j
		mov	ecx, edi
		call	_HvlpSetupSchedulerAssist@4 ; HvlpSetupSchedulerAssist(x)
		mov	eax, ds:_HvlpFlags
		xor	ecx, ecx
		mov	esi, eax
		mov	[esp+38h+var_28], ecx
		shr	esi, 1
		mov	[esp+38h+var_20], eax
		and	esi, 1
		jz	short loc_5E6AF1
		push	dword ptr [edi+3CCh]
		call	_HvlGetLpIndexFromProcessorIndex@4 ; HvlGetLpIndexFromProcessorIndex(x)
		mov	ecx, eax
		call	_HvlpGetLpcbByLpIndex@4	; HvlpGetLpcbByLpIndex(x)
		mov	ecx, eax
		mov	[esp+38h+var_28], eax
		mov	eax, [esp+38h+var_20]

loc_5E6AF1:				; CODE XREF: HvlEnlightenProcessor+8196Fj
		test	esi, esi
		jz	short loc_5E6B58
		test	al, 20h
		jz	short loc_5E6B58
		lea	edx, [esp+38h+var_18]
		mov	ecx, 0A0013h
		call	_HvlpGetRegister64@8 ; HvlpGetRegister64(x,x)
		mov	esi, [esp+38h+var_18]
		mov	eax, esi
		mov	ebx, [esp+38h+var_14]
		and	eax, 1
		or	eax, 0
		jnz	short loc_5E6B28
		or	esi, 1
		mov	ecx, 0A0013h
		push	ebx
		push	esi
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)

loc_5E6B28:				; CODE XREF: HvlEnlightenProcessor+819B3j
		and	esi, 0FFFFF000h
		cmp	dword ptr [edi+3CCh], 0
		push	4
		jnz	short loc_5E6B45
		push	1
		push	ebx
		push	esi
		call	ds:dword_6B12D8
		jmp	short loc_5E6B51
; 

loc_5E6B45:				; CODE XREF: HvlEnlightenProcessor+819D3j
		push	1000h
		push	ebx
		push	esi
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)

loc_5E6B51:				; CODE XREF: HvlEnlightenProcessor+819DFj
		mov	ecx, [esp+38h+var_28]
		mov	[ecx+20h], eax

loc_5E6B58:				; CODE XREF: HvlEnlightenProcessor+8198Fj
					; HvlEnlightenProcessor+81993j
		mov	ebx, ds:_HvlpFlags
		test	bl, 2
		jz	short loc_5E6B98
		test	bl, 20h
		jz	short loc_5E6B98
		shr	ebx, 4
		xor	esi, esi
		not	ebx
		mov	ecx, 0A0000h
		and	ebx, 1
		shld	esi, ebx, 11h
		shl	ebx, 11h
		push	esi
		or	ebx, 30h
		push	ebx
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)
		push	esi
		push	ebx
		mov	ecx, 0A0004h
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)
		mov	ecx, [esp+38h+var_28]

loc_5E6B98:				; CODE XREF: HvlEnlightenProcessor+819FDj
					; HvlEnlightenProcessor+81A02j
		test	byte ptr ds:_HvlpFlags,	2
		jz	loc_565190
		cmp	dword ptr [edi+3CCh], 0
		jz	loc_565190
		mov	edx, [ecx+8]
		lea	eax, [ecx+14h]
		push	eax
		lea	eax, [ecx+10h]
		push	eax
		call	_HvlpDiscoverTopologyLocal@16 ;	HvlpDiscoverTopologyLocal(x,x,x,x)
		jmp	loc_565190
; END OF FUNCTION CHUNK	FOR HvlEnlightenProcessor
; 
; START	OF FUNCTION CHUNK FOR PpmHighPerfRequestExpiration

loc_5E6BC7:				; CODE XREF: PpmHighPerfRequestExpiration+63j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_565206
; END OF FUNCTION CHUNK	FOR PpmHighPerfRequestExpiration
; 
; START	OF FUNCTION CHUNK FOR RtlFindLongestRunClear

loc_5E6BD6:				; CODE XREF: RtlFindLongestRunClear+1Aj
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		xor	eax, eax
		jmp	locret_565285
; END OF FUNCTION CHUNK	FOR RtlFindLongestRunClear
; 
; START	OF FUNCTION CHUNK FOR IopLoadCrashdumpDriver

loc_5E6BE3:				; CODE XREF: IopLoadCrashdumpDriver+5Cj
		mov	eax, 0C0000001h
		jmp	loc_565361
; END OF FUNCTION CHUNK	FOR IopLoadCrashdumpDriver
; 
; START	OF FUNCTION CHUNK FOR VfFailDeviceNode

loc_5E6BED:				; CODE XREF: VfFailDeviceNode+Cj
		test	ds:_MmVerifierData, 80000000h
		jnz	loc_5653D8
		mov	ecx, [ebp+arg_0]
		call	@PpvUtilIsHardwareBeingVerified@4 ; PpvUtilIsHardwareBeingVerified(x)
		test	al, al
		jz	loc_5653D8
		mov	edx, [ebp+arg_8]
		push	0
		push	0
		push	ecx
		mov	ecx, [ebp+arg_4]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)
		pop	ebp
		retn
; END OF FUNCTION CHUNK	FOR VfFailDeviceNode
; 
; START	OF FUNCTION CHUNK FOR VfIsVerificationEnabled

loc_5E6C1F:				; CODE XREF: VfIsVerificationEnabled+Cj
		mov	eax, [ebp+arg_0]
		sub	eax, 0
		jz	short loc_5E6C45
		sub	eax, 1
		jz	short loc_5E6C5E
		sub	eax, 1
		jnz	loc_5653F2
		mov	eax, ds:_MmVerifierData
		shr	eax, 1Eh
		and	eax, 1
		jmp	loc_5653F4
; 

loc_5E6C45:				; CODE XREF: VfIsVerificationEnabled+81845j
		test	ds:_MmVerifierData, 800h
		jz	short loc_5E6C5E
		push	[ebp+arg_4]
		call	_MmIsDriverVerifying@4 ; MmIsDriverVerifying(x)
		jmp	loc_5653F4
; 

loc_5E6C5E:				; CODE XREF: VfIsVerificationEnabled+8184Aj
					; VfIsVerificationEnabled+8186Fj
		test	ds:_MmVerifierData, 80000000h
		jnz	loc_5653F2
		mov	ecx, [ebp+arg_4]
		call	@PpvUtilIsHardwareBeingVerified@4 ; PpvUtilIsHardwareBeingVerified(x)
		movzx	eax, al
		jmp	loc_5653F4
; END OF FUNCTION CHUNK	FOR VfIsVerificationEnabled

;  S U B	R O U T	I N E 


sub_5E6C7E	proc near		; CODE XREF: PopIdleCancelAoAcDozeS4Timer+28j
		push	ebx
		push	offset _PopIdleAoAcDozeS4Timer
		call	KeCancelTimer2
		mov	ds:byte_6C22E4,	bl
		mov	bl, 1
		jmp	loc_565426
sub_5E6C7E	endp

; 
; START	OF FUNCTION CHUNK FOR PopIdleCancelAoAcDozeS4Timer

loc_5E6C96:				; CODE XREF: PopIdleCancelAoAcDozeS4Timer+35j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_565438
; END OF FUNCTION CHUNK	FOR PopIdleCancelAoAcDozeS4Timer
; 
; START	OF FUNCTION CHUNK FOR ExSetResourceOwnerPointer

loc_5E6CA5:				; CODE XREF: ExSetResourceOwnerPointer+Ej
		push	0
		push	ecx
		push	0Eh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5E6CB5:				; CODE XREF: PopEventCalloutDispatch+1Fj
		and	dword ptr [esp+4], 0
		lea	eax, [esp+4]
		push	eax
		push	1
		jmp	loc_565502
; END OF FUNCTION CHUNK	FOR ExSetResourceOwnerPointer
; 
; START	OF FUNCTION CHUNK FOR PpmEventDomainPerfStateChange

loc_5E6CC6:				; CODE XREF: PpmEventDomainPerfStateChange+41j
		mov	eax, [ebp+var_C0]
		mov	edx, offset _PPM_PERFSTATE_DOMAIN_CHANGE_GUID
		mov	ecx, [ebx+8]
		mov	[ebp+var_E0], eax
		sub	ecx, 60h
		mov	eax, [ebx+14h]
		mov	[ebp+var_D0], eax
		mov	eax, [ebp+var_C4]
		mov	[ebp+var_D8], eax
		lea	eax, [ebp+var_E0]
		push	eax		; void *
		push	18h		; size_t
		mov	[ebp+var_DC], edi
		mov	[ebp+var_D4], edi
		mov	[ebp+var_CC], edi
		call	_PpmFireWmiEvent@16 ; PpmFireWmiEvent(x,x,x,x)
		jmp	loc_5655BB
; 

loc_5E6D17:				; CODE XREF: PpmEventDomainPerfStateChange+68j
		mov	esi, edi
		lea	eax, [ebx+0Ch]
		mov	ecx, edi
		mov	[ebp+var_B8], esi
		mov	[ebp+var_B8], ecx
		mov	ebx, eax

loc_5E6D2C:				; CODE XREF: PpmEventDomainPerfStateChange+817FFj
		movzx	eax, si
		lea	edx, [ebp+var_B4]
		imul	eax, 0Ch
		add	edx, eax
		xor	eax, eax
		mov	edi, edx
		stosd
		stosd
		stosd
		mov	[edx+4], cx
		test	cx, cx
		jnz	short loc_5E6D51
		mov	eax, ds:dword_70E328
		jmp	short loc_5E6D53
; 

loc_5E6D51:				; CODE XREF: PpmEventDomainPerfStateChange+817D4j
		xor	eax, eax

loc_5E6D53:				; CODE XREF: PpmEventDomainPerfStateChange+817DBj
		push	edx
		push	edx
		push	ebx
		mov	[edx], eax
		call	KeAndGroupAffinityEx
		test	eax, eax
		jz	short loc_5E6D62
		inc	esi

loc_5E6D62:				; CODE XREF: PpmEventDomainPerfStateChange+817EBj
		mov	ecx, [ebp+var_B8]
		inc	ecx
		mov	[ebp+var_B8], ecx
		cmp	cx, 1
		jb	short loc_5E6D2C
		mov	ebx, [ebp+var_C8]
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_A8], eax
		xor	edx, edx
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_B8], esi
		push	4
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_B8]
		pop	ecx
		mov	[ebp+var_88], eax
		xor	eax, eax
		mov	[ebp+var_A4], edx
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_9C], edx
		mov	[ebp+var_94], edx
		mov	[ebp+var_90], ecx
		mov	[ebp+var_8C], edx
		mov	[ebp+var_84], edx
		mov	[ebp+var_80], 2
		mov	[ebp+var_7C], edx
		push	3
		pop	edi
		cmp	ax, si
		jnb	short loc_5E6E37
		movzx	esi, si
		mov	ebx, edx
		lea	edx, [ebp+var_6C]
		lea	edi, ds:3[esi*2]

loc_5E6DF7:				; CODE XREF: PpmEventDomainPerfStateChange+818B9j
		imul	eax, ebx, 0Ch
		lea	ecx, [ebp+var_B4]
		mov	dword ptr [edx-4], 2
		add	ecx, eax
		lea	eax, [ecx+4]
		mov	[edx-0Ch], eax
		xor	eax, eax
		mov	[edx-8], eax
		inc	ebx
		mov	[edx], eax
		lea	edx, [edx+20h]
		mov	[edx-1Ch], ecx
		mov	[edx-18h], eax
		mov	dword ptr [edx-14h], 4
		mov	[edx-10h], eax
		sub	esi, 1
		jnz	short loc_5E6DF7
		mov	ebx, [ebp+var_C8]
		xor	edx, edx

loc_5E6E37:				; CODE XREF: PpmEventDomainPerfStateChange+81872j
		push	4
		pop	esi
		mov	ecx, edi
		lea	eax, [ebx+148h]
		add	ecx, ecx
		mov	[ebp+ecx*8+var_A8], eax
		lea	eax, [ebx+150h]
		mov	[ebp+ecx*8+var_A4], edx
		mov	[ebp+ecx*8+var_A0], esi
		mov	[ebp+ecx*8+var_9C], edx
		lea	ecx, [edi+1]
		add	ecx, ecx
		mov	[ebp+ecx*8+var_A8], eax
		lea	eax, [ebx+154h]
		mov	[ebp+ecx*8+var_A4], edx
		mov	[ebp+ecx*8+var_A0], esi
		mov	[ebp+ecx*8+var_9C], edx
		lea	ecx, [edi+2]
		add	ecx, ecx
		mov	[ebp+ecx*8+var_A8], eax
		lea	eax, [ebx+158h]
		mov	[ebp+ecx*8+var_A4], edx
		mov	[ebp+ecx*8+var_A0], esi
		mov	[ebp+ecx*8+var_9C], edx
		lea	ecx, [edi+3]
		add	ecx, ecx
		mov	[ebp+ecx*8+var_A8], eax
		movzx	eax, byte ptr [ebx+164h]
		mov	[ebp+var_BC], eax
		lea	eax, [edi+4]
		add	eax, eax
		mov	[ebp+ecx*8+var_A4], edx
		mov	[ebp+ecx*8+var_A0], esi
		mov	[ebp+ecx*8+var_9C], edx
		lea	ecx, [ebp+var_BC]
		mov	[ebp+eax*8+var_A8], ecx
		mov	[ebp+eax*8+var_A4], edx
		mov	[ebp+eax*8+var_A0], esi
		mov	[ebp+eax*8+var_9C], edx
		lea	eax, [ebp+var_A8]
		push	eax
		lea	eax, [edi+5]
		push	eax
		push	edx
		push	offset _PPM_ETW_DOMAIN_PERF_STATE_CHANGE
		push	ds:dword_6BFD04
		push	ds:_PpmEtwHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_5655E2
; END OF FUNCTION CHUNK	FOR PpmEventDomainPerfStateChange
; 
; START	OF FUNCTION CHUNK FOR sub_565698

loc_5E6F30:				; CODE XREF: sub_565698+7j
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_5E6F49
		test	byte ptr ds:dword_6FDE00, 6
		jz	loc_5656A5

loc_5E6F49:				; CODE XREF: sub_565698+818A2j
		mov	eax, ds:_MmVerifierData
		and	eax, 10h
		or	eax, 40h
		shr	eax, 1
		push	eax
		push	20206F49h
		push	8
		push	200h
		call	ExAllocatePoolWithTagPriority
		test	eax, eax
		jnz	locret_5656B6
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

loc_5E6F7B:				; CODE XREF: IoGetRequestorSessionId+Dj
		mov	eax, [ebp+0Ch]
		or	dword ptr [eax], 0FFFFFFFFh
		mov	eax, 0C0000001h
		jmp	loc_56575C
; END OF FUNCTION CHUNK	FOR sub_565698
; 
; START	OF FUNCTION CHUNK FOR PpmPerfControlExecuteAction

loc_5E6F8B:				; CODE XREF: PpmPerfControlExecuteAction+7j
		mov	ecx, offset @PpmPerfControlActionCallback@0 ; PpmPerfControlActionCallback()
		call	esi
		test	esi, esi
		jmp	loc_565779
; END OF FUNCTION CHUNK	FOR PpmPerfControlExecuteAction
; 
; START	OF FUNCTION CHUNK FOR PoFxCompleteDevicePowerNotRequired

loc_5E6F99:				; CODE XREF: PoFxCompleteDevicePowerNotRequired+13j
		mov	ecx, [esi+1Ch]
		xor	edx, edx
		push	ebx
		push	0
		push	1
		push	11h
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [esi+0C8h]
		mov	byte ptr [ebp+arg_0+3],	al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi+14h]
		cmp	ecx, 2
		jnz	short loc_5E6FD5
		push	ecx
		push	esi
		lea	edx, [esi+0ACh]
		call	PopFxQueueWorkOrder

loc_5E6FD5:				; CODE XREF: PoFxCompleteDevicePowerNotRequired+81832j
		test	ds:byte_70EFC6,	1
		jz	short loc_5E6FEA
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5E6FEF
; 

loc_5E6FEA:				; CODE XREF: PoFxCompleteDevicePowerNotRequired+81848j
		xor	eax, eax
		lock and [ebx],	eax

loc_5E6FEF:				; CODE XREF: PoFxCompleteDevicePowerNotRequired+81854j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx
		jmp	loc_5657AD
; 

loc_5E6FFE:				; CODE XREF: PoFxCompleteDevicePowerNotRequired+1Bj
		push	0
		push	0
		mov	edx, esi
		mov	ecx, 613h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
		int	3		; Trap to Debugger

loc_5E700F:				; CODE XREF: RtlExpandHashTable+125j
		cmp	dword ptr [esi+8], 80h
		jnz	loc_50F8C2
		mov	eax, [ebx]
		push	0
		push	ebx
		mov	[esi+20h], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_50F8C2
; END OF FUNCTION CHUNK	FOR PoFxCompleteDevicePowerNotRequired
; 
; START	OF FUNCTION CHUNK FOR RtlpCreateHashTable

loc_5E702E:				; CODE XREF: RtlpCreateHashTable+5Bj
		lea	ecx, [ebx+7Fh]
		mov	[ebp+arg_4], edi
		bsr	eax, ecx
		push	62615448h
		btc	ecx, eax
		sub	eax, 7
		push	40h
		push	200h
		mov	[ebp+arg_0], ecx
		mov	[ebp+arg_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_4], ebx
		test	ebx, ebx
		jz	short loc_5E70B4
		push	40h		; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+20h], ebx

loc_5E706C:				; CODE XREF: RtlpCreateHashTable+D77C3j
		mov	ecx, edi
		call	_RtlpAllocateSecondLevelDir@4 ;	RtlpAllocateSecondLevelDir(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_5E70B4
		mov	ecx, [ebp+arg_4]
		cmp	edi, ecx
		jnb	short loc_5E708D
		xor	edx, edx
		lea	ecx, [edi+7]
		inc	edx
		shl	edx, cl
		mov	ecx, [ebp+arg_4]
		jmp	short loc_5E7091
; 

loc_5E708D:				; CODE XREF: RtlpCreateHashTable+D7794j
		mov	edx, [ebp+arg_0]
		inc	edx

loc_5E7091:				; CODE XREF: RtlpCreateHashTable+D77A1j
		test	edx, edx
		jz	short loc_5E70A4
		mov	eax, ebx

loc_5E7097:				; CODE XREF: RtlpCreateHashTable+D77B8j
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		sub	edx, 1
		jnz	short loc_5E7097

loc_5E70A4:				; CODE XREF: RtlpCreateHashTable+D77A9j
		mov	eax, [ebp+var_4]
		mov	[eax+edi*4], ebx
		inc	edi
		cmp	edi, ecx
		jbe	short loc_5E706C
		jmp	loc_50F973
; 

loc_5E70B4:				; CODE XREF: RtlpCreateHashTable+6Aj
					; RtlpCreateHashTable+D7771j ...
		push	esi
		call	RtlDeleteHashTable
		jmp	loc_50F9A0
; END OF FUNCTION CHUNK	FOR RtlpCreateHashTable
; 
; START	OF FUNCTION CHUNK FOR HvlQueryConnection

loc_5E70BF:				; CODE XREF: HvlQueryConnection+Cj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_5E70C8
		mov	[ecx], eax

loc_5E70C8:				; CODE XREF: HvlQueryConnection+D76FEj
		xor	eax, eax
		jmp	loc_50F9DD
; END OF FUNCTION CHUNK	FOR HvlQueryConnection
; 
; START	OF FUNCTION CHUNK FOR RtlRemoveEntryHashTable

loc_5E70CF:				; CODE XREF: RtlRemoveEntryHashTable+37j
		cmp	dword ptr [edx], 0
		jnz	loc_50FA37
		push	edi
		mov	ecx, esi
		call	_RtlpPopulateContext@12	; RtlpPopulateContext(x,x,x)
		jmp	loc_50FA37
; END OF FUNCTION CHUNK	FOR RtlRemoveEntryHashTable
; 
; START	OF FUNCTION CHUNK FOR KeSetSchedulingGroupWeights

loc_5E70E5:				; CODE XREF: KeSetSchedulingGroupWeights+54j
		mov	eax, [ebx+esi*4]
		xor	ecx, ecx
		xor	dl, dl
		inc	ecx
		push	dword ptr [eax+4Ch]
		call	KiAssignSchedulingGroupWeights
		jmp	loc_50FAD6
; 

loc_5E70FA:				; CODE XREF: KeSetSchedulingGroupWeights+95j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_50FB39
; 

loc_5E710A:				; CODE XREF: KeSetSchedulingGroupWeights+B7j
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid

loc_5E7112:				; CODE XREF: KeSetSchedulingGroupWeights+A0j
		mov	[ebp+var_10], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_50FB39
; END OF FUNCTION CHUNK	FOR KeSetSchedulingGroupWeights
; 

loc_5E7124:				; CODE XREF: .text:0050FC28j
		lea	eax, [ebx-5Dh]
		mov	[edi+0ECh], eax
		mov	eax, [ebx+9Bh]
		mov	[edi+0F0h], eax
		mov	al, [ebx]
		inc	al
		jmp	loc_50FC3F
; 

loc_5E7142:				; CODE XREF: .text:0050FC66j
		lea	eax, [esi+44h]
		mov	[ebx+4Ch], esi
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_50FE43
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		jmp	loc_50FC8B
; 

loc_5E7162:				; CODE XREF: .text:0050FCFBj
		or	byte ptr [edi+5Ch], 0Ch
		mov	dword ptr [edi+60h], 1
		jmp	loc_50FD01
; 

loc_5E7172:				; CODE XREF: .text:0050FD56j
		mov	edx, [esi+10h]
		test	edx, edx
		jz	short loc_5E7180
		movzx	ecx, ax
		cmp	ecx, edx
		jnb	short loc_5E7186

loc_5E7180:				; CODE XREF: .text:005E7177j
		movzx	ecx, ax
		mov	[esi+10h], ecx

loc_5E7186:				; CODE XREF: .text:005E717Ej
		add	[esi+14h], ecx
		jmp	loc_50FD79
; 

loc_5E718E:				; CODE XREF: .text:0050FDD3j
		mov	edi, [esi+0Ch]
		test	edi, edi
		jz	short loc_5E71AA
		movzx	ecx, ax
		cmp	ecx, edi
		jb	short loc_5E71AA
		shl	ecx, 7
		xor	edx, edx
		mov	eax, ecx
		div	edi
		jmp	loc_50FDF3
; 

loc_5E71AA:				; CODE XREF: .text:005E7193j
					; .text:005E719Aj
		movzx	eax, ax
		mov	[esi+0Ch], eax
		xor	eax, eax
		push	esi
		lea	ecx, [eax+1]
		jmp	loc_50FE0D
; 

loc_5E71BB:				; CODE XREF: .text:0050FD8Dj
		mov	edx, [ebp+4]
		lea	ecx, [ebp-2Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_50FDB5
; 

loc_5E71CB:				; CODE XREF: .text:0050FDAFj
		lea	ecx, [ebp-2Ch]
		call	KxWaitForLockChainValid

loc_5E71D3:				; CODE XREF: .text:0050FD98j
		xor	ecx, ecx
		mov	dword ptr [ebp-2Ch], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_50FDB5
; 
; START	OF FUNCTION CHUNK FOR ObReferenceObjectByPointer

loc_5E71E8:				; CODE XREF: ObReferenceObjectByPointer+3Ej
		push	746C6644h
		push	1
		mov	dl, 1
		mov	ecx, esi
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		jmp	loc_50FE94
; 

loc_5E71FD:				; CODE XREF: ObReferenceObjectByPointer+51j
		push	eax
		push	10h
		push	edi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5E720B:				; CODE XREF: SepReferenceCachedTokenHandles+40j
		test	esi, esi
		jz	loc_510130
		mov	ebx, [ebp+arg_0]

loc_5E7216:				; CODE XREF: ObReferenceObjectByPointer+D73D1j
		push	dword ptr [ebx+esi*4]
		call	_ZwClose@4	; ZwClose(x)
		sub	esi, 1
		jnz	short loc_5E7216
		mov	ebx, [ebp+var_C]
		jmp	loc_510130
; END OF FUNCTION CHUNK	FOR ObReferenceObjectByPointer
; 
; START	OF FUNCTION CHUNK FOR KeRemoveSchedulingGroup

loc_5E722B:				; CODE XREF: KeRemoveSchedulingGroup+DFj
		movzx	eax, word ptr [esi]
		test	edi, edi
		jz	short loc_5E723A
		sub	[edi+14h], eax
		jmp	loc_51021F
; 

loc_5E723A:				; CODE XREF: KeRemoveSchedulingGroup+D70F6j
		sub	ds:_KiGroupSchedulingTotalWeight, eax
		jmp	loc_51021F
; 

loc_5E7245:				; CODE XREF: KeRemoveSchedulingGroup+EAj
		lea	eax, [edi+44h]
		cmp	[eax], eax
		jnz	short loc_5E7257
		mov	[edi+10h], edx
		mov	[edi+0Ch], edx
		jmp	loc_510251
; 

loc_5E7257:				; CODE XREF: KeRemoveSchedulingGroup+D7110j
		mov	ecx, [esi+4]
		xor	dl, dl
		push	edi
		and	ecx, 1
		call	KiUpdateMinimumWeight
		test	al, al
		jnz	short loc_5E7273
		test	byte ptr [esi+4], 1
		jnz	loc_510251

loc_5E7273:				; CODE XREF: KeRemoveSchedulingGroup+D712Dj
		push	edi
		jmp	loc_510298
; 

loc_5E7279:				; CODE XREF: KeRemoveSchedulingGroup+FAj
		mov	ds:_KiGroupSchedulingMinimumWeight, edx
		mov	ds:_KiGroupSchedulingMinimumRate, edx
		jmp	loc_510251
; 

loc_5E728A:				; CODE XREF: KeRemoveSchedulingGroup+121j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_510283
; 

loc_5E729A:				; CODE XREF: KeRemoveSchedulingGroup+143j
		lea	ecx, [ebp+var_28]
		call	KxWaitForLockChainValid

loc_5E72A2:				; CODE XREF: KeRemoveSchedulingGroup+12Cj
		mov	[ebp+var_28], 0
		lea	ecx, [eax+4]
		lock xor [ecx],	esi
		jmp	loc_510283
; END OF FUNCTION CHUNK	FOR KeRemoveSchedulingGroup
; 
; START	OF FUNCTION CHUNK FOR KeSetSchedulingGroupCpuRates

loc_5E72B4:				; CODE XREF: KeSetSchedulingGroupCpuRates+8Dj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_510377
; 

loc_5E72C4:				; CODE XREF: KeSetSchedulingGroupCpuRates+AFj
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5E72CC:				; CODE XREF: KeSetSchedulingGroupCpuRates+98j
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_510377
; END OF FUNCTION CHUNK	FOR KeSetSchedulingGroupCpuRates
; 
; START	OF FUNCTION CHUNK FOR KiAssignSchedulingGroupWeights

loc_5E72DE:				; CODE XREF: KiAssignSchedulingGroupWeights+19j
		cmp	dword ptr [eax+14h], 0
		jz	loc_5103FB
		mov	edi, [eax+10h]
		jmp	loc_5103C1
; END OF FUNCTION CHUNK	FOR KiAssignSchedulingGroupWeights
; 
; START	OF FUNCTION CHUNK FOR KiUpdateMinimumWeight

loc_5E72F0:				; CODE XREF: KiUpdateMinimumWeight+20j
		mov	edx, [esi+0Ch]
		jmp	loc_510446
; 

loc_5E72F8:				; CODE XREF: KiUpdateMinimumWeight+D4j
		cmp	[ebp+var_1], 0
		mov	[esi+10h], ecx
		jz	loc_5104CD
		mov	[esi+14h], ebx
		jmp	loc_5104CD
; 

loc_5E730D:				; CODE XREF: KiUpdateMinimumWeight+7Cj
		and	dword ptr [esi+10h], 0
		and	dword ptr [esi+14h], 0
		jmp	loc_5104CD
; 

loc_5E731A:				; CODE XREF: KiUpdateMinimumWeight+A3j
		test	esi, esi
		jz	short loc_5E7327
		and	dword ptr [esi+0Ch], 0
		jmp	loc_5104CD
; 

loc_5E7327:				; CODE XREF: KiUpdateMinimumWeight+D6F02j
		and	ds:_KiGroupSchedulingMinimumRate, 0
		jmp	loc_5104CD
; END OF FUNCTION CHUNK	FOR KiUpdateMinimumWeight
; 
; START	OF FUNCTION CHUNK FOR KiUpdateCpuTargetByWeight

loc_5E7333:				; CODE XREF: KiUpdateCpuTargetByWeight+24j
		mov	edi, ds:_KiProcessorBlock
		add	edi, 2224h
		and	[ebp+var_1C], 0

loc_5E7343:				; CODE XREF: KiUpdateCpuTargetByWeight+D6E83j
		lock bts dword ptr [edi], 0
		jb	short loc_5E7387
		movzx	eax, word ptr [esi]
		mov	ebx, [esi+174h]
		cdq
		push	edx
		push	eax
		push	dword ptr [ebx+0Ch]
		push	dword ptr [ebx+8]
		call	__allmul
		mov	ecx, [esi+4Ch]
		push	0
		push	dword ptr [ecx+14h]
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], edx
		cmp	word ptr [ebp+var_C], cx
		jnz	short loc_5E7397
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx
		jmp	short loc_5E73A3
; 

loc_5E7387:				; CODE XREF: KiUpdateCpuTargetByWeight+D6E36j
					; KiUpdateCpuTargetByWeight+D6E81j
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5E7387
		jmp	short loc_5E7343
; 

loc_5E7397:				; CODE XREF: KiUpdateCpuTargetByWeight+D6E6Bj
		mov	eax, [ebx+10h]
		mov	[ebp+var_8], eax
		mov	eax, [ebx+14h]
		mov	[ebp+var_C], eax

loc_5E73A3:				; CODE XREF: KiUpdateCpuTargetByWeight+D6E73j
		xor	eax, eax
		lock and [edi],	eax
		mov	ebx, [ebp+var_C]
		jmp	loc_51057C
; 

loc_5E73B0:				; CODE XREF: KiUpdateCpuTargetByWeight+64j
		mov	ebx, edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ebx
		jmp	loc_51057F
; 

loc_5E73BD:				; CODE XREF: KiUpdateCpuTargetByWeight+73j
					; KiUpdateCpuTargetByWeight+7Fj
		xor	bl, bl
		jmp	loc_510599
; 

loc_5E73C4:				; CODE XREF: KiUpdateCpuTargetByWeight+D9j
		cmp	byte ptr [ebx+3D0h], 0
		mov	eax, [ebp+var_8]
		jz	loc_5105F4
		push	[ebp+var_C]
		push	eax
		push	0
		push	[ebp+var_28]
		call	__allmul
		mov	[esi+28h], eax
		mov	[esi+2Ch], edx
		mov	[esi+30h], eax
		mov	[esi+34h], edx
		jmp	loc_5105F1
; 

loc_5E73F3:				; CODE XREF: KiUpdateCpuTargetByWeight+159j
		mov	edx, ebx
		mov	ecx, edi
		call	_KiResetScb@8	; KiResetScb(x,x)
		mov	edx, edi
		mov	ecx, ebx
		call	_KiCheckForEffectivePriorityChange@8 ; KiCheckForEffectivePriorityChange(x,x)
		jmp	loc_510621
; END OF FUNCTION CHUNK	FOR KiUpdateCpuTargetByWeight
; 
; START	OF FUNCTION CHUNK FOR KiUpdateCpuTargetByRate

loc_5E740A:				; CODE XREF: KiUpdateCpuTargetByRate+17j
		mov	edi, ds:_KiProcessorBlock
		add	edi, 2224h
		and	[ebp+var_1C], 0

loc_5E741A:				; CODE XREF: KiUpdateCpuTargetByRate+D6DEEj
		lock bts dword ptr [edi], 0
		jb	short loc_5E7480
		movzx	eax, word ptr [ebx]
		mov	esi, [ebx+174h]
		cdq
		push	edx
		push	eax
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		call	__allmul
		push	0
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		push	dword ptr [esi+14h]
		mov	[ebp+var_14], eax
		push	dword ptr [esi+10h]
		movzx	eax, word ptr [ebx+2]
		mov	[ebp+var_18], edx
		cdq
		push	edx
		push	eax
		call	__allmul
		push	0
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, eax
		mov	eax, edx
		mov	[ebp+var_C], ecx
		xor	edx, edx
		mov	[ebp+var_10], eax
		lock and [edi],	edx
		jmp	loc_510710
; 

loc_5E7480:				; CODE XREF: KiUpdateCpuTargetByRate+D6D7Fj
					; KiUpdateCpuTargetByRate+D6DECj
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5E7480
		jmp	short loc_5E741A
; END OF FUNCTION CHUNK	FOR KiUpdateCpuTargetByRate
; 
; START	OF FUNCTION CHUNK FOR KeSetSchedulingGroupRankBias

loc_5E7490:				; CODE XREF: KeSetSchedulingGroupRankBias+10Fj
		mov	edx, esi
		test	ebx, ebx
		jnz	short loc_5E74A8

loc_5E7496:				; CODE XREF: KeSetSchedulingGroupRankBias+D6C36j
		mov	eax, [edx+0F4h]
		test	eax, eax
		jz	short loc_5E74A8
		mov	edx, eax
		cmp	dword ptr [edx+60h], 0
		jz	short loc_5E7496

loc_5E74A8:				; CODE XREF: KeSetSchedulingGroupRankBias+D6C24j
					; KeSetSchedulingGroupRankBias+D6C2Ej
		xor	ecx, ecx
		cmp	[edx+60h], ecx
		jz	short loc_5E74B2
		push	ecx
		jmp	short loc_5E74B8
; 

loc_5E74B2:				; CODE XREF: KeSetSchedulingGroupRankBias+D6C3Dj
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax

loc_5E74B8:				; CODE XREF: KeSetSchedulingGroupRankBias+D6C40j
		push	ecx
		mov	ecx, esi
		call	KiMoveScbThreadsToNewReadylist
		lea	ecx, [esi+0ECh]
		test	byte ptr [ecx+4], 1
		mov	eax, [ecx]
		jz	short loc_5E74D4
		test	eax, eax
		jz	short loc_5E74DC
		xor	eax, ecx

loc_5E74D4:				; CODE XREF: KeSetSchedulingGroupRankBias+D6C5Cj
		test	eax, eax
		jnz	loc_510985

loc_5E74DC:				; CODE XREF: KeSetSchedulingGroupRankBias+D6C60j
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	KiRemoveSchedulingGroupQueue
		jmp	loc_510985
; END OF FUNCTION CHUNK	FOR KeSetSchedulingGroupRankBias
; 
; START	OF FUNCTION CHUNK FOR PspJobCycleTimeNotificationDpcRoutine

loc_5E74EC:				; CODE XREF: PspJobCycleTimeNotificationDpcRoutine+28j
		mov	ecx, [ebp+arg_4]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		jmp	loc_510C76
; END OF FUNCTION CHUNK	FOR PspJobCycleTimeNotificationDpcRoutine
; 
; START	OF FUNCTION CHUNK FOR IoDiskIoAttributionQuery

loc_5E74FE:				; CODE XREF: IoDiskIoAttributionQuery+7Bj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_510E1B
; 

loc_5E750E:				; CODE XREF: IoDiskIoAttributionQuery+9Dj
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid

loc_5E7516:				; CODE XREF: IoDiskIoAttributionQuery+86j
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_510E1B
; END OF FUNCTION CHUNK	FOR IoDiskIoAttributionQuery
; 
; START	OF FUNCTION CHUNK FOR IoGetIoRateControl

loc_5E752B:				; CODE XREF: IoGetIoRateControl+A8j
		mov	ecx, eax
		mov	eax, [ecx+90h]
		jmp	loc_510ED2
; 

loc_5E7538:				; CODE XREF: IoGetIoRateControl+E2j
		mov	eax, [esp+68h+var_54]
		cmp	ebx, eax
		jz	short loc_5E754C
		cmp	[ebx+328h], eax
		jnz	loc_510F14

loc_5E754C:				; CODE XREF: IoGetIoRateControl+D6712j
		or	dword ptr [ecx], 1
		mov	esi, [esp+68h+var_58]

loc_5E7553:				; CODE XREF: IoGetIoRateControl+BBj
		mov	edi, [esp+68h+var_5C]
		jmp	loc_510F1C
; END OF FUNCTION CHUNK	FOR IoGetIoRateControl
; 
; START	OF FUNCTION CHUNK FOR IoRecordIoAttribution

loc_5E755C:				; CODE XREF: IoRecordIoAttribution+29j
		test	eax, 200h
		jnz	loc_51102B
		cmp	dword ptr [edi+90h], 0
		jz	loc_51103C
		jmp	loc_51102B
; END OF FUNCTION CHUNK	FOR IoRecordIoAttribution
; 
; START	OF FUNCTION CHUNK FOR IopRecordIoAttribution

loc_5E7579:				; CODE XREF: IopRecordIoAttribution+D9j
					; IopRecordIoAttribution+E2j
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_10]
		jmp	loc_51126B
; 

loc_5E7584:				; CODE XREF: IopRecordIoAttribution+1CDj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_38]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_511351
; END OF FUNCTION CHUNK	FOR IopRecordIoAttribution
; 
; START	OF FUNCTION CHUNK FOR PsIoRateControlReference

loc_5E7594:				; CODE XREF: PsIoRateControlReference+4Cj
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	loc_51140E
		mov	edx, eax
		mov	ecx, edi
		call	_PspJobIoRateVolumeEntryReference@8 ; PspJobIoRateVolumeEntryReference(x,x)
		test	eax, eax
		jz	loc_51140E
		mov	edx, [ebp+arg_0]
		mov	ecx, [eax+14h]
		mov	[edx+4], ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, [eax+18h]
		mov	[ebx+4], eax
		mov	[edx+4], ecx
		jmp	loc_51140E
; END OF FUNCTION CHUNK	FOR PsIoRateControlReference
; 
; START	OF FUNCTION CHUNK FOR IopSetFileObjectExtensionFlag

loc_5E75CA:				; CODE XREF: IopSetFileObjectExtensionFlag+11j
		mov	ecx, [ecx+7Ch]
		test	ecx, ecx
		jnz	loc_5114B8
		mov	eax, 0C0000225h
		jmp	loc_5114B4
; END OF FUNCTION CHUNK	FOR IopSetFileObjectExtensionFlag
; 

loc_5E75DF:				; CODE XREF: .text:005117D2j
		mov	[esp+24h], ebx
		lea	ecx, [esp+20h]
		mov	[esp+28h], ebx
		mov	[esp+2Ch], ebx
		mov	[esp+30h], ebx
		mov	[esp+38h], ebx
		mov	[esp+3Ch], ebx
		mov	dword ptr [esp+34h], 4
		mov	eax, [eax+24h]
		mov	[esp+20h], eax
		call	_PspNetRateControlDispatch@4 ; PspNetRateControlDispatch(x)
		sub	esp, 0Ch
		mov	ecx, esi
		call	_PspRemoveRateControl@20 ; PspRemoveRateControl(x,x,x,x,x)
		jmp	loc_5117D8
; 

loc_5E761E:				; CODE XREF: .text:00511635j
		lea	eax, [esp+0Ch]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	PspLockRootJobExclusive
		push	ecx
		lea	edx, [esp+10h]
		mov	ecx, esi
		call	_PspLockJobConditionally@12 ; PspLockJobConditionally(x,x,x)
		cmp	[esi+328h], ebx
		jz	short loc_5E7647
		mov	ecx, esi
		call	_PspRemoveIoAttribution@4 ; PspRemoveIoAttribution(x)

loc_5E7647:				; CODE XREF: .text:005E763Ej
		push	ecx
		lea	edx, [esp+10h]
		mov	ecx, esi
		call	_PspUnlockJobConditionally@12 ;	PspUnlockJobConditionally(x,x,x)
		mov	ecx, [esp+0Ch]
		mov	edx, edi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		jmp	loc_51163B
; 

loc_5E7663:				; CODE XREF: .text:0051168Dj
		mov	edx, 624A7350h
		call	ObfDereferenceObjectWithTag
		mov	[esi+0D4h], ebx
		jmp	loc_511693
; 

loc_5E7678:				; CODE XREF: .text:0051169Bj
		add	eax, 4
		push	eax
		call	SeReleaseSubjectContext
		push	614A7350h
		push	dword ptr [esi+0C4h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esi+0C8h]
		push	ebx
		push	14h
		pop	edx
		call	PsReturnSharedPoolQuota
		jmp	loc_5116A1
; 

loc_5E76A5:				; CODE XREF: .text:00511833j
		push	624A7350h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+258h], ebx
		jmp	loc_51174C
; 

loc_5E76BB:				; CODE XREF: .text:00511756j
		mov	ecx, esi
		call	_PspDeleteSilo@4 ; PspDeleteSilo(x)
		jmp	loc_51175C
; 
; START	OF FUNCTION CHUNK FOR KiAbProcessThreadLocks

loc_5E76C7:				; CODE XREF: KiAbProcessThreadLocks+88j
		test	al, cl
		jnz	loc_5119FB
		jmp	loc_511A32
; 

loc_5E76D4:				; CODE XREF: KiAbProcessThreadLocks+98j
		test	[esi+0Fh], cl
		jnz	loc_5119FB
		test	[esi+0Dh], cl
		mov	ecx, esi
		jnz	short loc_5E76EE
		call	_KiAbOwnerComputeCpuPriorityKey@4 ; KiAbOwnerComputeCpuPriorityKey(x)
		mov	edx, [ebp+var_8]
		jmp	short loc_5E76F3
; 

loc_5E76EE:				; CODE XREF: KiAbProcessThreadLocks+D5D3Ej
		call	_KiAbWaiterComputeCpuPriorityKey@4 ; KiAbWaiterComputeCpuPriorityKey(x)

loc_5E76F3:				; CODE XREF: KiAbProcessThreadLocks+D5D48j
		cmp	al, [esi+18h]
		jmp	loc_511A4E
; 

loc_5E76FB:				; CODE XREF: KiAbProcessThreadLocks+1E0j
		cmp	esi, edi
		jz	loc_511B8A
		mov	edx, edi
		mov	ecx, esi
		call	_KiAbEntryUpdateOwnerTreePosition@8 ; KiAbEntryUpdateOwnerTreePosition(x,x)
		jmp	loc_511B8A
; 

loc_5E7711:				; CODE XREF: KiAbProcessThreadLocks+244j
		cmp	dword ptr [esi+334h], 0
		jz	loc_511BEE
		mov	ecx, esi
		call	_IoBoostThreadOutstandingIo@4 ;	IoBoostThreadOutstandingIo(x)
		jmp	loc_511BEE
; END OF FUNCTION CHUNK	FOR KiAbProcessThreadLocks
; 
; START	OF FUNCTION CHUNK FOR KiAbSetMinimumThreadPriority

loc_5E772A:				; CODE XREF: KiAbSetMinimumThreadPriority+114j
		push	0
		push	1
		push	ecx
		push	esi
		push	157h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E773A:				; CODE XREF: KiAbSetMinimumThreadPriority+8Fj
		test	byte ptr [edi+2Eh], 1
		jnz	loc_511F2B
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		push	1
		call	KiAbThreadBoostIoPriority
		test	eax, eax
		jz	loc_511F2B
		xor	eax, eax
		inc	eax
		or	[edi+2Eh], ax
		mov	ebx, eax
		mov	byte ptr [ebp+var_20+2], al
		jmp	loc_511F2B
; 

loc_5E776C:				; CODE XREF: KiAbSetMinimumThreadPriority+AFj
		cmp	[ebp+var_20], 0
		jz	loc_511F4B
		mov	eax, [ebp+arg_C]
		mov	ecx, esi
		mov	edx, [edi+10h]
		and	edx, 0FFFFFFFCh
		or	edx, 80000000h
		push	dword ptr [eax]
		xor	eax, eax
		push	eax
		push	[ebp+var_10]
		push	[ebp+var_14]
		push	[ebp+var_18]
		push	[ebp+var_20+2]
		push	[ebp+var_20+1]
		push	[ebp+var_20]
		call	_EtwTraceAutoBoostSetFloor@40 ;	EtwTraceAutoBoostSetFloor(x,x,x,x,x,x,x,x,x,x)
		jmp	loc_511F4B
; END OF FUNCTION CHUNK	FOR KiAbSetMinimumThreadPriority
; 
; START	OF FUNCTION CHUNK FOR KiAbThreadBoostIoPriority

loc_5E77A8:				; CODE XREF: KiAbThreadBoostIoPriority+1Bj
		xor	edx, edx
		call	PsBoostThreadIoQoS
		mov	eax, 21Ch
		jmp	loc_51218B
; END OF FUNCTION CHUNK	FOR KiAbThreadBoostIoPriority
; 
; START	OF FUNCTION CHUNK FOR KiAbProcessThreadPriorityModification

loc_5E77B9:				; CODE XREF: KiAbProcessThreadPriorityModification+74j
		cmp	dword ptr [ecx+1F0h], 1
		lea	edx, [ecx+1F0h]
		jnz	loc_512221
		mov	eax, 45E0h
		jmp	loc_512243
; END OF FUNCTION CHUNK	FOR KiAbProcessThreadPriorityModification
; 
; START	OF FUNCTION CHUNK FOR IoBoostThreadIoPriority

loc_5E77D6:				; CODE XREF: IoBoostThreadIoPriority+7Aj
		mov	[ebp+var_4A], al
		jmp	loc_51234F
; 

loc_5E77DE:				; CODE XREF: IoBoostThreadIoPriority+86j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_512335
; 

loc_5E77ED:				; CODE XREF: IoBoostThreadIoPriority+B1j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_512360
; 

loc_5E77FC:				; CODE XREF: IoBoostThreadIoPriority+3F2j
		mov	edx, eax
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_5126A8
; 

loc_5E7808:				; CODE XREF: IoBoostThreadIoPriority+43Ej
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_512705
; 

loc_5E7817:				; CODE XREF: IoBoostThreadIoPriority+45Bj
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5E781E:				; CODE XREF: IoBoostThreadIoPriority+448j
		xor	ecx, ecx
		mov	[esi], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_512705
; 

loc_5E782E:				; CODE XREF: IoBoostThreadIoPriority+494j
		push	43426F49h
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_512456
		mov	ecx, [ebp+var_98]
		mov	edx, [ebp+var_50]
		mov	esi, [ebp+var_6C]
		mov	[eax+10h], ecx
		movzx	ecx, dx
		mov	[ebp+var_98], eax
		mov	[eax+14h], dx
		mov	edx, [ebp+var_84]
		mov	ecx, [ebp+ecx*4+var_28]
		mov	[eax], ecx
		mov	ecx, [ebp+var_7C]
		mov	[eax+4], ecx
		mov	[eax+8], esi
		mov	[eax+0Ch], edx
		jmp	loc_512772
; 

loc_5E7880:				; CODE XREF: IoBoostThreadIoPriority+516j
		mov	edi, [ebp+var_54]
		inc	ds:_IoBoostedThreadedIrpCount
		mov	[ebp+var_54], edi
		mov	edi, [ebp+var_58]
		mov	[ebp+var_58], edi
		mov	edi, [ebp+var_5C]
		mov	[ebp+var_5C], edi
		mov	edi, [ebp+var_70]
		mov	[ebp+var_80], eax
		mov	[ebp+var_60], esi
		mov	[ebp+var_64], ecx
		mov	[ebp+var_70], edi
		jmp	loc_512459
; 

loc_5E78AC:				; CODE XREF: IoBoostThreadIoPriority+1CCj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_51247B
; 

loc_5E78BB:				; CODE XREF: IoBoostThreadIoPriority+31Ej
		push	43426F49h
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_512630
		mov	ecx, [ebp+var_98]
		mov	[eax+10h], ecx
		mov	ecx, [ebp+var_78]
		mov	[ebp+var_98], eax
		mov	[eax], ecx
		mov	ecx, [ebp+var_60]
		mov	[eax+14h], cx
		mov	ecx, [ebp+var_6C]
		mov	[eax+8], ecx
		mov	ecx, [ebp+var_84]
		mov	[eax+4], esi
		mov	[eax+0Ch], ecx
		jmp	loc_5125F0
; 

loc_5E7906:				; CODE XREF: IoBoostThreadIoPriority+3A2j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_512669
; 

loc_5E7915:				; CODE XREF: IoBoostThreadIoPriority+227j
		mov	edi, [ebp+var_98]
		mov	eax, [edi+10h]
		mov	[ebp+var_98], eax
		jmp	loc_5124DC
; 

loc_5E7929:				; CODE XREF: IoBoostThreadIoPriority+249j
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_5124F3
; 

loc_5E7935:				; CODE XREF: IoBoostThreadIoPriority+2A2j
		mov	ecx, eax
		jmp	loc_512530
; 

loc_5E793C:				; CODE XREF: IoBoostThreadIoPriority+291j
		mov	ecx, esi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_51254C
; END OF FUNCTION CHUNK	FOR IoBoostThreadIoPriority
; 
; START	OF FUNCTION CHUNK FOR SepPotentialGlobalTableAttribute

loc_5E7948:				; CODE XREF: SepPotentialGlobalTableAttribute+16j
		movzx	eax, word ptr [esi]
		cmp	ax, [ebx]
		ja	short loc_5E7969
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		push	dword ptr [esi+4] ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		setz	al
		jmp	loc_512925
; 

loc_5E7969:				; CODE XREF: SepPotentialGlobalTableAttribute+D504Ej
		xor	al, al
		jmp	loc_512925
; END OF FUNCTION CHUNK	FOR SepPotentialGlobalTableAttribute
; 
; START	OF FUNCTION CHUNK FOR SepCaptureTokenSecurityOperations

loc_5E7970:				; CODE XREF: SepCaptureTokenSecurityOperations+1Cj
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		jmp	loc_5129EF
; 

loc_5E797A:				; CODE XREF: SepCaptureTokenSecurityOperations+28j
		push	4
		pop	eax
		mov	[ebp+var_1C], eax
		xor	esi, esi
		inc	esi
		mov	[ebp+var_20], esi
		jmp	loc_512997
; 

loc_5E798B:				; CODE XREF: SepCaptureTokenSecurityOperations+30j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		jmp	loc_5129F1
; 

loc_5E799C:				; CODE XREF: SepCaptureTokenSecurityOperations+4Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_5129F1
; END OF FUNCTION CHUNK	FOR SepCaptureTokenSecurityOperations

;  S U B	R O U T	I N E 


sub_5E79A8	proc near		; DATA XREF: .text:006A5038o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_5E79A8	endp


;  S U B	R O U T	I N E 


sub_5E79B6	proc near		; DATA XREF: .text:006A503Co
		mov	esp, [ebp-18h]
		push	0
		push	dword ptr [ebp+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2Ch]
		jmp	loc_5129F1
sub_5E79B6	endp

; 

loc_5E79D2:				; DATA XREF: .text:006A502Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_5E79E0:				; DATA XREF: .text:006A5030o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-30h]
		jmp	loc_5129F1
; 
; START	OF FUNCTION CHUNK FOR SeConvertSecurityDescriptorToStringSecurityDescriptor

loc_5E79F2:				; CODE XREF: SeConvertSecurityDescriptorToStringSecurityDescriptor+11j
					; SeConvertSecurityDescriptorToStringSecurityDescriptor+19j
		test	esi, esi
		jz	loc_512A37
		push	ecx
		push	2
		pop	ecx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	short loc_5E7A22
		xor	ecx, ecx
		mov	[eax], cx
		xor	eax, eax
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	loc_512A61
		mov	[ecx], eax
		jmp	loc_512A61
; 

loc_5E7A22:				; CODE XREF: SeConvertSecurityDescriptorToStringSecurityDescriptor+D4FEFj
		mov	eax, 0C0070008h
		jmp	loc_512A61
; 

loc_5E7A2C:				; CODE XREF: SeConvertSecurityDescriptorToStringSecurityDescriptor+2Fj
		mov	eax, 519h

loc_5E7A31:				; CODE XREF: SeConvertSecurityDescriptorToStringSecurityDescriptor+43j
		movzx	eax, ax
		or	eax, 0C0070000h
		jmp	loc_512A61
; END OF FUNCTION CHUNK	FOR SeConvertSecurityDescriptorToStringSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR RtlStringCchPrintfW

loc_5E7A3E:				; CODE XREF: RtlStringCchPrintfW+17j
		test	eax, eax
		jz	loc_512ADF
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	[eax], dx
		jmp	loc_512ADF
; END OF FUNCTION CHUNK	FOR RtlStringCchPrintfW
; 
; START	OF FUNCTION CHUNK FOR SepCreateTokenEx

loc_5E7A53:				; CODE XREF: SepCreateTokenEx+12Aj
		mov	ebx, [ebp+var_184]
		jmp	loc_512CDC
; 

loc_5E7A5E:				; CODE XREF: SepCreateTokenEx+1B9j
		test	cl, 6
		jnz	short loc_5E7ACE
		mov	ecx, 800h
		mov	[ebp+var_15C], ecx
		jmp	loc_512D1B
; 

loc_5E7A73:				; CODE XREF: SepCreateTokenEx+209j
		test	bl, 6
		jnz	short loc_5E7ACE
		or	ecx, 800h
		mov	[ebp+var_15C], ecx
		jmp	loc_512D65
; 

loc_5E7A89:				; CODE XREF: SepCreateTokenEx+8E7j
		xor	edx, edx
		jmp	loc_513454
; 

loc_5E7A90:				; CODE XREF: SepCreateTokenEx+8F8j
		mov	eax, 0C0000446h
		jmp	loc_513405
; 

loc_5E7A9A:				; CODE XREF: SepCreateTokenEx+2AFj
		mov	eax, 0C000005Bh
		jmp	loc_513405
; 

loc_5E7AA4:				; CODE XREF: SepCreateTokenEx+2B7j
					; SepCreateTokenEx+999j
		mov	eax, 0C000005Ah
		jmp	loc_513405
; 

loc_5E7AAE:				; CODE XREF: SepCreateTokenEx+34Ej
		mov	eax, 0C00001A6h
		jmp	loc_513405
; 

loc_5E7AB8:				; CODE XREF: SepCreateTokenEx+31Aj
		mov	eax, 0C0000060h
		jmp	loc_513405
; 

loc_5E7AC2:				; CODE XREF: SepCreateTokenEx+39Cj
		test	dword ptr [eax], 0FFFFFFFCh
		jz	loc_512EF8

loc_5E7ACE:				; CODE XREF: SepCreateTokenEx+307j
					; SepCreateTokenEx+90Ej ...
		mov	eax, 0C000000Dh
		jmp	loc_513405
; 

loc_5E7AD8:				; CODE XREF: SepCreateTokenEx+3DCj
		push	74416553h
		push	9Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_164], ebx
		test	ebx, ebx
		jnz	loc_512F3E
		push	eax
		push	esi
		jmp	short loc_5E7B11
; 

loc_5E7AFD:				; CODE XREF: SepCreateTokenEx+40Cj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	ds:_SeTokenLeakTracking, 0
		jz	short loc_5E7B16
		push	0
		push	ebx

loc_5E7B11:				; CODE XREF: SepCreateTokenEx+D4FA5j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5E7B16:				; CODE XREF: SepCreateTokenEx+3BAj
					; SepCreateTokenEx+D4FB6j
		mov	eax, 0C000009Ah
		jmp	loc_513405
; 

loc_5E7B20:				; CODE XREF: SepCreateTokenEx+424j
		mov	eax, [ebp+arg_24]
		add	ebx, 0Bh
		and	ebx, 0FFFFFFFCh
		mov	[ebp+var_18C], eax
		jmp	loc_512FAE
; 

loc_5E7B34:				; CODE XREF: SepCreateTokenEx+4AFj
		mov	ecx, eax
		mov	[ebp+var_16C], eax
		jmp	loc_51300B
; 

loc_5E7B41:				; CODE XREF: SepCreateTokenEx+4E3j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	ds:_SeTokenLeakTracking, ebx
		jz	short loc_5E7B5D
		mov	eax, [ebp+var_164]
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5E7B5D:				; CODE XREF: SepCreateTokenEx+D4FF8j
		mov	eax, [ebp+var_178]
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_513405
; 

loc_5E7B71:				; CODE XREF: SepCreateTokenEx+673j
		mov	eax, [eax]
		mov	[ebx+0BCh], eax
		jmp	loc_5131CF
; 

loc_5E7B7E:				; CODE XREF: SepCreateTokenEx+6D7j
		or	dword ptr [ebx+0B0h], 20h
		mov	ecx, ebx
		and	dword ptr [edi], 0
		call	ObfDereferenceObject
		mov	eax, [ebp+var_1AC]
		jmp	loc_513405
; 

loc_5E7B9A:				; CODE XREF: SepCreateTokenEx+6E4j
		mov	eax, large fs:124h
		mov	ecx, [esi]
		mov	edx, [ebp+var_154]
		mov	eax, [eax+2ACh]
		mov	[ecx], eax
		mov	eax, large fs:124h
		mov	ecx, [esi]
		mov	eax, [eax+2B0h]
		mov	[ecx+4], eax
		xor	ecx, ecx
		mov	eax, [esi]
		push	ecx
		push	1Eh
		mov	dword ptr [eax+18h], 0Ch
		mov	eax, [esi]
		mov	[eax+94h], ecx
		mov	eax, [esi]
		mov	[eax+98h], ecx
		mov	eax, large fs:124h
		mov	edi, [edx]
		add	edi, 8
		mov	esi, [eax+80h]
		add	esi, 1ACh
		movsd
		movsd
		movsd
		movsw
		movsb
		mov	esi, edx
		pop	edi
		push	edi
		mov	eax, [esi]
		add	eax, 1Ch
		push	eax
		call	RtlWalkFrameChain
		mov	ebx, eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_5E7C2A
		mov	eax, [esi]
		sub	edi, ebx
		add	eax, 1Ch
		push	1
		push	edi
		lea	eax, [eax+ebx*4]
		push	eax
		call	RtlWalkFrameChain

loc_5E7C2A:				; CODE XREF: SepCreateTokenEx+D50BFj
		mov	ebx, [ebp+var_174]
		mov	ecx, ebx
		call	_SepAddTokenLogonSession@4 ; SepAddTokenLogonSession(x)
		jmp	loc_513240
; 

loc_5E7C3C:				; CODE XREF: SepCreateTokenEx+6F7j
		push	[ebp+var_18C]	; int
		mov	edx, [ebp+var_184]
		mov	ecx, ebx
		push	[ebp+var_170]	; int
		push	edi		; void *
		call	_SepSetTokenUserAndGroups@20 ; SepSetTokenUserAndGroups(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_5132CF
		jmp	loc_5133FC
; 

loc_5E7C65:				; CODE XREF: SepCreateTokenEx+7BAj
		mov	esi, 0C0000017h
		jmp	loc_5133FC
; 

loc_5E7C6F:				; CODE XREF: SepCreateTokenEx+841j
		cmp	ds:_SepTokenLeakMethodWatch, 0Ch
		jnz	loc_51339D
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+0E4h]
		cmp	eax, ds:_SepTokenLeakProcessCid
		jnz	short loc_5E7CDB
		xor	ecx, ecx
		inc	ecx
		lock xadd ds:_SepTokenLeakMethodCount, ecx
		inc	ecx
		mov	edx, [ebp+var_154]
		mov	eax, [edx]
		mov	[eax+94h], ecx
		mov	eax, [edx]
		mov	eax, [eax+94h]
		cmp	eax, ds:_SepTokenLeakBreakCount
		jl	short loc_5E7CDB
		mov	ebx, [ebp+var_174]
		push	ebx
		push	eax
		push	offset ??_C@_0BL@PEIKBMNL@?6Token?5number?50x?$CFx?5?$DN?50x?$CFp?6@FNODOBFM@
		call	_DbgPrint
		add	esp, 0Ch
		int	3		; Trap to Debugger
		jmp	loc_51339D
; 

loc_5E7CDB:				; CODE XREF: SepCreateTokenEx+D513Ej
					; SepCreateTokenEx+D5168j
		mov	ebx, [ebp+var_174]
		jmp	loc_51339D
; 

loc_5E7CE6:				; CODE XREF: SepCreateTokenEx+A52j
		mov	eax, [ebp+var_1A4]
		mov	[eax], ecx
		jmp	loc_513403
; END OF FUNCTION CHUNK	FOR SepCreateTokenEx
; 

loc_5E7CF3:				; CODE XREF: .text:005136A8j
		push	2
		push	offset _RtlpAppPackageAuthority
		push	ebx
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	eax, [ebp-34h]
		mov	dword ptr [ebx+8], 3
		mov	[ebx+0Ch], eax
		jmp	loc_5136B9
; 
; START	OF FUNCTION CHUNK FOR IoDetachDevice

loc_5E7D12:				; CODE XREF: IoDetachDevice+20j
		mov	edx, [ebp+4]
		mov	ecx, esi	; int
		call	_IovDetachDevice@8 ; IovDetachDevice(x,x)
		jmp	loc_513B6C
; 

loc_5E7D21:				; CODE XREF: IoDetachDevice+6Ej
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_513BD7
; 

loc_5E7D30:				; CODE XREF: IoDetachDevice+8Bj
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5E7D37:				; CODE XREF: IoDetachDevice+78j
		xor	ecx, ecx
		mov	[esi], edi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_513BD7
; END OF FUNCTION CHUNK	FOR IoDetachDevice
; 
; START	OF FUNCTION CHUNK FOR PnpSendIrp

loc_5E7D47:				; CODE XREF: PnpSendIrp+4Ej
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		jmp	loc_513D14
; END OF FUNCTION CHUNK	FOR PnpSendIrp
; 
; START	OF FUNCTION CHUNK FOR PnpSetDeviceAffinityThread

loc_5E7D55:				; CODE XREF: PnpSetDeviceAffinityThread+36j
		cmp	edx, 0FFFFFFFFh
		jz	loc_513D57
		movzx	eax, ds:_KeNumberNodes
		cmp	edx, eax
		jnb	loc_513D57
		push	0
		lea	eax, [ebp+var_C]
		push	eax
		movzx	eax, dx
		push	eax
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		lea	eax, [ebp+var_C]
		push	eax
		push	eax
		push	offset _KeActiveProcessors
		call	KeAndGroupAffinityEx
		cmp	[ebp+var_C], 0
		jz	loc_513D57
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		call	KeSetSystemGroupAffinityThread
		xor	eax, eax
		inc	eax
		jmp	loc_513D59
; END OF FUNCTION CHUNK	FOR PnpSetDeviceAffinityThread
; 
; START	OF FUNCTION CHUNK FOR IopAttachDeviceToDeviceStackSafe

loc_5E7DA7:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+47j
		mov	edx, esi
		mov	ecx, edi
		call	_IovAttachDeviceToDeviceStack@8	; IovAttachDeviceToDeviceStack(x,x)
		jmp	loc_513DBF
; 

loc_5E7DB5:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+7Fj
					; IopAttachDeviceToDeviceStackSafe+8Cj
		mov	ecx, [edi+8]
		add	ecx, eax
		mov	[esp+0E0h+var_D2], 1
		call	_IopIsKnownGoodLegacyFsFilter@4	; IopIsKnownGoodLegacyFsFilter(x)
		test	al, al
		jz	short loc_5E7DD7
		mov	edx, [esp+0E0h+var_C4]
		xor	cl, cl
		mov	[esp+0E0h+var_D2], cl
		jmp	loc_513E08
; 

loc_5E7DD7:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+D4054j
		mov	ecx, [esp+0E0h+var_C4]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, [esp+0E0h+var_C4]
		jmp	loc_513E04
; 

loc_5E7DE9:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+1B7j
		mov	ecx, [ecx+10h]
		push	eax
		push	eax
		push	eax
		push	1
		push	eax
		push	8
		pop	edx
		call	PnpRequestDeviceAction
		jmp	loc_513E9B
; 

loc_5E7DFF:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+9Aj
					; IopAttachDeviceToDeviceStackSafe+AAj	...
		xor	esi, esi
		test	ebx, ebx
		jz	loc_513E9B
		and	[ebx], esi
		jmp	loc_513E9B
; 

loc_5E7E10:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+13Bj
		cmp	ds:_IopBlockLegacyFsFilters, 0
		jz	loc_5E7EAD
		push	offset _IoMgr_LegacyFsFilterBlockedByPolicy
		push	ds:dword_6CCFDC
		push	ds:_IoMgrTraceHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_5E807E
		mov	edx, [edi+8]
		push	2
		pop	ebx
		mov	ax, [edx+1Ch]
		and	[esp+0E0h+var_A4], 0
		and	[esp+0E0h+var_9C], 0
		shr	ax, 1
		movzx	eax, ax
		mov	[esp+0E0h+var_CC], eax
		lea	eax, [esp+0E0h+var_CC]
		mov	[esp+0E0h+var_A8], eax
		mov	[esp+0E0h+var_A0], ebx
		movzx	ecx, word ptr [edx+1Ch]
		mov	eax, [edx+20h]
		and	[esp+0E0h+var_94], 0
		and	[esp+0E0h+var_8C], 0
		mov	[esp+0E0h+var_98], eax
		mov	eax, ecx
		mov	[esp+0E0h+var_90], eax
		lea	eax, [esp+0E0h+var_A8]
		push	eax
		mov	eax, large fs:124h
		push	ebx
		push	dword ptr [eax+35Ch]
		push	offset _IoMgr_LegacyFsFilterBlockedByPolicy
		push	ds:dword_6CCFDC
		push	ds:_IoMgrTraceHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_5E807A
; 

loc_5E7EAD:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+D40A5j
		push	offset _IoMgr_LegacyFsFilterBlockedOnScm
		push	ds:dword_6CCFDC
		push	ds:_IoMgrTraceHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_5E807E
		mov	eax, [edi+8]
		lea	ebx, [esp+0E0h+var_48]
		and	[esp+0E0h+var_C0], 0
		push	1Ah
		pop	ecx
		mov	ax, [eax+1Ch]
		shr	ax, 1
		movzx	eax, ax
		mov	[esp+0E0h+var_B8], eax
		push	1Ch
		pop	eax
		mov	[esp+0E0h+var_AE], ax
		lea	eax, [esp+30h]
		mov	[esp+0E0h+var_CC], eax
		mov	eax, ecx
		mov	[esp+0E0h+var_B0], cx
		mov	[esp+0E0h+var_AC], offset ??_C@_1BM@GNJFGKCL@?$AA?$CI?$AAU?$AAn?$AAa?$AAv?$AAa?$AAi?$AAl?$AAa?$AAb?$AAl?$AAe?$AA?$CJ@FNODOBFM@
		mov	[esp+0E0h+var_C8], 40h
		mov	[esp+0E0h+var_D0], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_5E7FB0
		push	1Ah
		pop	eax
		mov	[esp+0E0h+var_D0], eax
		lea	eax, [esp+0E0h+var_C0]
		push	eax
		push	[esp+0E4h+var_C4]
		call	_IoGetDiskDeviceObject@8 ; IoGetDiskDeviceObject(x,x)
		test	eax, eax
		js	short loc_5E7FB0
		lea	eax, [esp+0E0h+var_C8]
		push	eax
		push	[esp+0E4h+var_C8]
		mov	eax, ebx
		push	eax
		push	[esp+0ECh+var_C0]
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		mov	[esp+0E0h+var_D0], eax
		cmp	eax, 0C0000004h
		jnz	short loc_5E7F94
		push	6E4F6F49h
		push	[esp+0E4h+var_C8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_5E7F8C
		lea	eax, [esp+0E0h+var_C8]
		push	eax
		push	[esp+0E4h+var_C8]
		push	ebx
		push	[esp+0ECh+var_C0]
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		mov	[esp+0E0h+var_D0], eax
		jmp	short loc_5E7F94
; 

loc_5E7F8C:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+D41FFj
		mov	[esp+0E0h+var_D0], 0C000009Ah

loc_5E7F94:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+D41E9j
					; IopAttachDeviceToDeviceStackSafe+D4218j
		mov	ecx, [esp+0E0h+var_C0]
		call	ObfDereferenceObject
		cmp	[esp+0E0h+var_D0], 0
		push	1Ah
		pop	eax
		jl	short loc_5E7FB4
		movzx	eax, word ptr [ebx]
		mov	[esp+0E0h+var_CC], ebx
		jmp	short loc_5E7FB4
; 

loc_5E7FB0:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+D41ACj
					; IopAttachDeviceToDeviceStackSafe+D41C9j
		mov	eax, [esp+0E0h+var_D0]

loc_5E7FB4:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+D4233j
					; IopAttachDeviceToDeviceStackSafe+D423Cj
		and	[esp+0E0h+var_84], 0
		and	[esp+0E0h+var_7C], 0
		shr	ax, 1
		movzx	eax, ax
		mov	[esp+0E0h+var_B4], eax
		lea	eax, [esp+0E0h+var_B8]
		mov	[esp+0E0h+var_88], eax
		mov	eax, [edi+8]
		push	2
		pop	edx
		mov	[esp+0E0h+var_80], edx
		movzx	ecx, word ptr [eax+1Ch]
		mov	eax, [eax+20h]
		and	[esp+0E0h+var_74], 0
		mov	[esp+0E0h+var_78], eax
		mov	eax, ecx
		mov	[esp+0E0h+var_70], eax
		xor	ecx, ecx
		lea	eax, [esp+0E0h+var_B4]
		mov	[esp+0E0h+var_6C], ecx
		mov	[esp+0E0h+var_68], eax
		mov	eax, [esp+0E0h+var_CC]
		mov	[esp+0E0h+var_64], ecx
		mov	[esp+0E0h+var_60], edx
		mov	[esp+0E0h+var_5C], ecx
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		and	[esp+0E0h+var_54], 0
		and	[esp+0E0h+var_4C], 0
		mov	[esp+0E0h+var_58], eax
		mov	eax, ecx
		mov	[esp+0E0h+var_50], eax
		lea	eax, [esp+0E0h+var_88]
		push	eax
		mov	eax, large fs:124h
		push	4
		push	dword ptr [eax+35Ch]
		push	offset _IoMgr_LegacyFsFilterBlockedOnScm
		push	ds:dword_6CCFDC
		push	ds:_IoMgrTraceHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		test	ebx, ebx
		jz	short loc_5E807A
		lea	eax, [esp+0E0h+var_48]
		cmp	ebx, eax
		jz	short loc_5E807A
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5E807A:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+D4136j
					; IopAttachDeviceToDeviceStackSafe+D42F3j ...
		mov	bl, [esp+0E0h+var_D2]

loc_5E807E:				; CODE XREF: IopAttachDeviceToDeviceStackSafe+D40C3j
					; IopAttachDeviceToDeviceStackSafe+D4153j
		test	bl, bl
		jz	loc_513EB3
		mov	ecx, [esp+0E0h+var_C4]
		call	ObfDereferenceObject
		jmp	loc_513EB3
; END OF FUNCTION CHUNK	FOR IopAttachDeviceToDeviceStackSafe
; 
; START	OF FUNCTION CHUNK FOR IoDeleteDevice

loc_5E8094:				; CODE XREF: IoDeleteDevice+42j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	_IovDeleteDevice@8 ; IovDeleteDevice(x,x)
		jmp	loc_513F92
; 

loc_5E80A3:				; CODE XREF: IoDeleteDevice+4Fj
		push	esi
		call	_IoUnregisterShutdownNotification@4 ; IoUnregisterShutdownNotification(x)
		jmp	loc_513F9F
; 

loc_5E80AE:				; CODE XREF: IoDeleteDevice+5Aj
		mov	ecx, edi
		call	_IopRemoveTimerFromTimerList@4 ; IopRemoveTimerFromTimerList(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_513FAA
; 

loc_5E80C2:				; CODE XREF: IoDeleteDevice+80j
		push	ds:_ExPageLockHandle
		call	_MmLockPagableSectionByHandle@4	; MmLockPagableSectionByHandle(x)
		mov	ecx, offset _PopVolumeLock
		call	ExAcquireFastMutex
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopDopeGlobalLock
		mov	[esp+18h+var_9], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [edi+34h]
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_5E810C
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jnz	short loc_5E8130
		cmp	[eax], ecx
		jnz	short loc_5E8130
		mov	[eax], edx
		mov	[edx+4], eax
		and	dword ptr [ecx], 0
		and	dword ptr [edi+38h], 0

loc_5E810C:				; CODE XREF: IoDeleteDevice+D41A8j
		and	dword ptr [ebx+0Ch], 0
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopDopeGlobalLock
		jz	short loc_5E8135
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5E813A
; 

loc_5E8130:				; CODE XREF: IoDeleteDevice+D41B0j
					; IoDeleteDevice+D41B4j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5E8135:				; CODE XREF: IoDeleteDevice+D41DAj
		xor	eax, eax
		lock and [ecx],	eax

loc_5E813A:				; CODE XREF: IoDeleteDevice+D41E4j
		mov	cl, [esp+18h+var_9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, offset _PopVolumeLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, ds:_ExPageLockHandle
		xor	edx, edx
		call	MiLockPagableImageSection
		jmp	loc_513FD0
; 

loc_5E8160:				; CODE XREF: IoDeleteDevice+D4j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_514041
; 

loc_5E816F:				; CODE XREF: IoDeleteDevice+F1j
		mov	ecx, esi
		call	KxWaitForLockChainValid
		jmp	loc_5140B2
; END OF FUNCTION CHUNK	FOR IoDeleteDevice
; 
; START	OF FUNCTION CHUNK FOR PoRegisterDeviceForIdleDetection

loc_5E817B:				; CODE XREF: PoRegisterDeviceForIdleDetection+42j
		lea	eax, [ecx+1Ch]
		mov	edx, [eax]
		cmp	edx, eax
		jz	loc_514114
		mov	ebx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_5E8293
		cmp	[ebx], eax
		jnz	loc_5E8293
		mov	[ebx], edx
		mov	[edx+4], ebx
		mov	bl, byte ptr [ebp+arg_4+3]
		mov	[ecx+24h], edi
		mov	[ecx+10h], edi
		mov	[ecx+14h], edi
		mov	[ecx+28h], edi
		mov	[ecx+2Ch], edi
		mov	[ecx], edi
		mov	[ecx+4], edi
		mov	[ecx+8], edi
		mov	[ecx+0Ch], edi
		mov	[ecx+3Ch], edi
		mov	[ecx+40h], edi
		mov	[eax+4], eax
		mov	[eax], eax
		jmp	loc_514114
; 

loc_5E81CE:				; CODE XREF: PoRegisterDeviceForIdleDetection+4Fj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_514126
; 

loc_5E81DD:				; CODE XREF: PoRegisterDeviceForIdleDetection+Ej
					; PoRegisterDeviceForIdleDetection+17j
		mov	eax, [ebp+arg_C]
		add	eax, 0FFFFFFFEh
		cmp	eax, 2
		ja	loc_51412E
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_4], edi
		mov	eax, [ecx+2Ch]
		cmp	eax, 7
		jz	short loc_5E81FF
		cmp	eax, 2Dh
		jnz	short loc_5E8219

loc_5E81FF:				; CODE XREF: PoRegisterDeviceForIdleDetection+D412Cj
		cmp	ds:_PopPlatformAoAc, 0
		jnz	short loc_5E8212
		test	byte ptr [ecx+20h], 1
		jnz	loc_51412E

loc_5E8212:				; CODE XREF: PoRegisterDeviceForIdleDetection+D413Aj
		mov	[ebp+var_4], 1

loc_5E8219:				; CODE XREF: PoRegisterDeviceForIdleDetection+D4131j
		call	PopGetDope
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_51412E
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopDopeGlobalLock
		mov	byte ptr [ebp+arg_0+3],	al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+arg_4]
		mov	[ebx+10h], eax
		mov	eax, [ebp+arg_8]
		mov	[ebx+14h], eax
		mov	eax, [ebp+arg_C]
		mov	[ebx+28h], eax
		mov	eax, [ebp+var_4]
		mov	[ebx+24h], eax
		lea	eax, [ebx+1Ch]
		cmp	[eax], eax
		jnz	short loc_5E827E
		mov	dword ptr [ebx+2Ch], 1
		mov	edx, offset _PopIdleDetectList
		mov	ecx, ds:dword_6C2B04
		cmp	[ecx], edx
		jnz	short loc_5E8293
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:dword_6C2B04, eax

loc_5E827E:				; CODE XREF: PoRegisterDeviceForIdleDetection+D418Ej
		test	ds:byte_70EFC6,	1
		jz	short loc_5E8298
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5E829D
; 

loc_5E8293:				; CODE XREF: PoRegisterDeviceForIdleDetection+D40C2j
					; PoRegisterDeviceForIdleDetection+D40CAj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5E8298:				; CODE XREF: PoRegisterDeviceForIdleDetection+D41B9j
		xor	eax, eax
		lock and [esi],	eax

loc_5E829D:				; CODE XREF: PoRegisterDeviceForIdleDetection+D41C5j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		call	PopCheckForWork
		mov	edi, ebx
		jmp	loc_51412E
; END OF FUNCTION CHUNK	FOR PoRegisterDeviceForIdleDetection
; 
; START	OF FUNCTION CHUNK FOR IopCompleteUnloadOrDelete

loc_5E82B2:				; CODE XREF: IopCompleteUnloadOrDelete+2Ej
		call	_IopGetDeviceAttachmentBase@4 ;	IopGetDeviceAttachmentBase(x)
		mov	edi, eax
		lea	ecx, [esp+48h+var_34]
		push	ebx
		mov	[esp+4Ch+var_34], edi
		call	_PnpIsAnyDeviceInUse@12	; PnpIsAnyDeviceInUse(x,x,x)
		mov	dl, [ebp+arg_0]
		mov	esi, eax
		push	0Ah
		pop	ecx
		call	KeReleaseQueuedSpinLock
		cmp	esi, 1
		jz	short loc_5E82E7
		mov	al, [esp+48h+var_39]
		mov	ecx, edi
		movzx	edx, al
		call	_PnpChainDereferenceComplete@8 ; PnpChainDereferenceComplete(x,x)

loc_5E82E7:				; CODE XREF: IopCompleteUnloadOrDelete+D419Fj
		xor	al, al
		jmp	loc_5141CD
; 

loc_5E82EE:				; CODE XREF: IopCompleteUnloadOrDelete+D9j
		call	_VfFastIoSnapState@0 ; VfFastIoSnapState()
		mov	[esp+48h+var_38], eax
		jmp	loc_51421B
; 

loc_5E82FC:				; CODE XREF: IopCompleteUnloadOrDelete+F2j
		mov	edx, dword ptr [esp+50h+var_3C]
		mov	ecx, eax
		call	_VfFastIoCheckState@8 ;	VfFastIoCheckState(x,x)
		jmp	loc_514230
; 

loc_5E830C:				; CODE XREF: IopCompleteUnloadOrDelete+8Dj
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		test	byte ptr [edi+8], 1
		mov	dl, al
		jz	short loc_5E8328
		mov	bl, 1
		jmp	loc_51424E
; 

loc_5E8323:				; CODE XREF: IopCompleteUnloadOrDelete+36j
		mov	dl, [ebp+arg_0]
		jmp	short loc_5E832C
; 

loc_5E8328:				; CODE XREF: IopCompleteUnloadOrDelete+D41E2j
		mov	dh, [esp+48h+var_3B]

loc_5E832C:				; CODE XREF: IopCompleteUnloadOrDelete+D41EEj
		mov	esi, [edi+4]
		mov	ecx, esi
		jmp	short loc_5E834C
; 

loc_5E8333:				; CODE XREF: IopCompleteUnloadOrDelete+D4216j
		cmp	[ecx+4], ebx
		jnz	short loc_5E8352
		cmp	[ecx+10h], ebx
		jnz	short loc_5E8352
		mov	eax, [ecx+0B0h]
		test	byte ptr [eax+10h], 6
		jnz	short loc_5E8352
		mov	ecx, [ecx+0Ch]

loc_5E834C:				; CODE XREF: IopCompleteUnloadOrDelete+D41F9j
		test	ecx, ecx
		jnz	short loc_5E8333
		jmp	short loc_5E8358
; 

loc_5E8352:				; CODE XREF: IopCompleteUnloadOrDelete+D41FEj
					; IopCompleteUnloadOrDelete+D4203j ...
		mov	dh, bl
		mov	[esp+48h+var_3B], dh

loc_5E8358:				; CODE XREF: IopCompleteUnloadOrDelete+D4218j
		mov	ecx, [edi+8]
		test	cl, cl
		jns	short loc_5E836C
		test	esi, esi
		setnz	al
		dec	al
		and	dh, al
		mov	[esp+48h+var_3B], dh

loc_5E836C:				; CODE XREF: IopCompleteUnloadOrDelete+D4225j
		test	dh, dh
		jz	short loc_5E8376
		or	ecx, 1
		mov	[edi+8], ecx

loc_5E8376:				; CODE XREF: IopCompleteUnloadOrDelete+D4236j
		push	0Ah
		pop	ecx
		call	KeReleaseQueuedSpinLock
		cmp	[esp+48h+var_3B], bl
		jz	short loc_5E83ED
		push	2Ch		; size_t
		lea	eax, [esp+4Ch+var_2C]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+48h+var_1C]
		push	ebx
		push	ebx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+48h+var_2C]
		mov	[esp+48h+var_C], edi
		cmp	[esp+48h+var_39], bl
		jz	short loc_5E83B6
		push	eax
		call	_IopLoadUnloadDriver@4 ; IopLoadUnloadDriver(x)
		jmp	short loc_5E83E0
; 

loc_5E83B6:				; CODE XREF: IopCompleteUnloadOrDelete+D4274j
		mov	[esp+48h+var_20], eax
		lea	eax, [esp+48h+var_2C]
		push	1
		push	eax
		mov	[esp+50h+var_24], offset _IopLoadUnloadDriver@4	; IopLoadUnloadDriver(x)
		mov	[esp+50h+var_2C], ebx
		call	ExQueueWorkItem
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+58h+var_1C]
		push	eax
		call	KeWaitForSingleObject

loc_5E83E0:				; CODE XREF: IopCompleteUnloadOrDelete+D427Cj
		push	edi
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)
		mov	ecx, edi
		call	ObfDereferenceObject

loc_5E83ED:				; CODE XREF: IopCompleteUnloadOrDelete+D424Aj
		mov	al, [esp+48h+var_3A]
		jmp	loc_5141CD
; END OF FUNCTION CHUNK	FOR IopCompleteUnloadOrDelete
; 
; START	OF FUNCTION CHUNK FOR KeReleaseQueuedSpinLock

loc_5E83F6:				; CODE XREF: KeReleaseQueuedSpinLock+1Fj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5142BA
; END OF FUNCTION CHUNK	FOR KeReleaseQueuedSpinLock
; 
; START	OF FUNCTION CHUNK FOR IopInsertRemoveDevice

loc_5E8405:				; CODE XREF: IopInsertRemoveDevice+38j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_514331
; END OF FUNCTION CHUNK	FOR IopInsertRemoveDevice
; 
; START	OF FUNCTION CHUNK FOR IoGetDeviceAttachmentBaseRefWithTag

loc_5E8414:				; CODE XREF: IoGetDeviceAttachmentBaseRefWithTag+3Ej
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5143E5
; END OF FUNCTION CHUNK	FOR IoGetDeviceAttachmentBaseRefWithTag
; 
; START	OF FUNCTION CHUNK FOR IopGetDevicePDO

loc_5E8423:				; CODE XREF: IopGetDevicePDO+45j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_514498
; END OF FUNCTION CHUNK	FOR IopGetDevicePDO
; 
; START	OF FUNCTION CHUNK FOR IopDecrementDeviceObjectRefCount

loc_5E8432:				; CODE XREF: IopDecrementDeviceObjectRefCount+Bj
		mov	edx, esi
		push	0Ah
		pop	ecx
		call	@IopInterlockedDecrementUlong@8	; IopInterlockedDecrementUlong(x,x)
		jmp	loc_5144F9
; 

loc_5E8441:				; CODE XREF: IopDecrementDeviceObjectRefCount+17j
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	short loc_5E8461
		mov	edx, 0A8h
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_5E8461:				; CODE XREF: IopDecrementDeviceObjectRefCount+D3F62j
		push	dword ptr [esi]
		push	6
		push	edi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5E8470:				; CODE XREF: EtwpAdjustTraceBuffers+73j
					; IopDecrementDeviceObjectRefCount+D3FD6j
		mov	ecx, large fs:124h
		mov	edi, [ecx+390h]
		mov	[ecx+390h], esi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+1F0h]
		test	ecx, ecx
		jz	short loc_5E84A1
		mov	eax, [ecx+8A4h]
		test	eax, eax
		jnz	short loc_5E84A1
		call	_EtwpAdjustSiloTraceBuffers@4 ;	EtwpAdjustSiloTraceBuffers(x)

loc_5E84A1:				; CODE XREF: IopDecrementDeviceObjectRefCount+D3FACj
					; IopDecrementDeviceObjectRefCount+D3FB6j
		mov	eax, large fs:124h
		mov	dl, 1
		mov	ecx, esi
		mov	[eax+390h], edi
		call	_PspGetNextSilo@8 ; PspGetNextSilo(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_5E8470
		pop	edi
		jmp	loc_514539
; END OF FUNCTION CHUNK	FOR IopDecrementDeviceObjectRefCount
; 
; START	OF FUNCTION CHUNK FOR EtwpAdjustTraceBuffers

loc_5E84C2:				; CODE XREF: EtwpAdjustTraceBuffers+42j
					; EtwpAdjustTraceBuffers+D3FEAj
		mov	ecx, offset _EtwpStackLookAsideList
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	loc_514558
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		or	edx, 0FFFFFFFFh
		lock xadd ds:dword_6BC44C, edx
		dec	edx
		mov	eax, ds:_KeNumberProcessors
		mov	ecx, ds:dword_6BC448
		imul	ecx, eax
		add	ecx, ecx
		cmp	edx, ecx
		jg	short loc_5E84C2
		jmp	loc_514558
; 

loc_5E8501:				; CODE XREF: EtwpAdjustTraceBuffers+60j
					; EtwpAdjustTraceBuffers+D4029j
		mov	ecx, offset _EtwpLastBranchLookAsideList
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	loc_514576
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		or	edx, 0FFFFFFFFh
		lock xadd ds:dword_6BC45C, edx
		dec	edx
		mov	eax, ds:_KeNumberProcessors
		mov	ecx, ds:dword_6BC458
		imul	ecx, eax
		add	ecx, ecx
		cmp	edx, ecx
		jg	short loc_5E8501
		jmp	loc_514576
; END OF FUNCTION CHUNK	FOR EtwpAdjustTraceBuffers
; 
; START	OF FUNCTION CHUNK FOR EtwpInitializeBufferHeader

loc_5E8540:				; CODE XREF: EtwpInitializeBufferHeader+31j
		mov	eax, 0FFFFh
		mov	[edi+2Ah], ax
		jmp	loc_5146FB
; END OF FUNCTION CHUNK	FOR EtwpInitializeBufferHeader
; 
; START	OF FUNCTION CHUNK FOR EtwpAllocateTraceBuffer

loc_5E854E:				; CODE XREF: EtwpAllocateTraceBuffer+26j
		push	65h
		push	1
		push	ebx
		push	eax
		push	200000h
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	eax
		push	eax
		mov	[esp+34h+var_4], eax
		call	_MmAllocatePagesForMdlEx@36 ; MmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_5E858A
		push	25h
		push	1
		push	ebx
		push	eax
		push	200000h
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	eax
		push	eax
		call	_MmAllocatePagesForMdlEx@36 ; MmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_5E85E1

loc_5E858A:				; CODE XREF: EtwpAllocateTraceBuffer+D3E64j
		push	offset _EtwpComparePfn ; int __cdecl (*)(const void *,const void *)
		push	4		; size_t
		shr	ebx, 0Ch
		lea	eax, [esi+1Ch]
		push	ebx		; size_t
		push	eax		; void *
		call	_qsort
		add	esp, 10h
		xor	ebx, ebx
		push	40000020h
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	esi
		call	MmMapLockedPagesSpecifyCache
		mov	[esp+10h+var_4], eax
		test	eax, eax
		jnz	short loc_5E85C6
		xor	edx, edx
		mov	ecx, esi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		jmp	short loc_5E85D6
; 

loc_5E85C6:				; CODE XREF: EtwpAllocateTraceBuffer+D3EB1j
		cmp	[edi+37Ch], ebx
		jnz	short loc_5E85D6
		mov	[edi+37Ch], esi
		mov	esi, ebx

loc_5E85D6:				; CODE XREF: EtwpAllocateTraceBuffer+D3EBCj
					; EtwpAllocateTraceBuffer+D3EC4j
		test	esi, esi
		jz	short loc_5E85E1
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5E85E1:				; CODE XREF: EtwpAllocateTraceBuffer+D3E80j
					; EtwpAllocateTraceBuffer+D3ED0j
		mov	eax, [esp+10h+var_4]
		jmp	loc_514745
; END OF FUNCTION CHUNK	FOR EtwpAllocateTraceBuffer
; 
; START	OF FUNCTION CHUNK FOR EtwpQueryUsedProcessorCount

loc_5E85EA:				; CODE XREF: EtwpQueryUsedProcessorCount+14j
		push	0
		lea	eax, [ebp+var_4]
		push	eax
		call	_HvlQueryStartedProcessors@8 ; HvlQueryStartedProcessors(x,x)
		test	eax, eax
		js	loc_51488C
		mov	eax, [ebp+var_4]
		jmp	loc_51489A
; END OF FUNCTION CHUNK	FOR EtwpQueryUsedProcessorCount
; 
; START	OF FUNCTION CHUNK FOR EtwpLockUnlockBufferList

loc_5E8605:				; CODE XREF: EtwpLockUnlockBufferList+56j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_514903
; 

loc_5E8614:				; CODE XREF: EtwpLockUnlockBufferList+39j
		mov	ecx, esi
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)
		jmp	loc_5148C5
; END OF FUNCTION CHUNK	FOR EtwpLockUnlockBufferList
; 
; START	OF FUNCTION CHUNK FOR EtwpDequeueFreeBuffer

loc_5E8620:				; CODE XREF: EtwpDequeueFreeBuffer+56j
		mov	eax, [edi+34h]
		test	eax, eax
		jz	short loc_5E8638
		mov	eax, [eax+0Ch]
		cmp	eax, 6
		jz	short loc_5E8638
		cmp	eax, 4
		jnz	loc_514B5A

loc_5E8638:				; CODE XREF: EtwpDequeueFreeBuffer+D3B27j
					; EtwpDequeueFreeBuffer+D3B2Fj
		mov	bl, 1
		jmp	loc_514B5A
; 

loc_5E863F:				; CODE XREF: EtwpDequeueFreeBuffer+68j
		mov	ecx, edi
		call	_EtwpDisableCompression@4 ; EtwpDisableCompression(x)
		jmp	loc_514B6C
; 

loc_5E864B:				; CODE XREF: EtwpDequeueFreeBuffer+86j
		mov	ebx, [esi+2Ch]
		cmp	ebx, 4
		jz	loc_514B8C
		cmp	ebx, 5
		jz	loc_514B8C
		jmp	loc_514B8A
; 

loc_5E8665:				; CODE XREF: EtwpDequeueFreeBuffer+92j
					; EtwpDequeueFreeBuffer+A6j
		mov	edx, esi
		mov	ecx, edi
		call	@EtwpEnqueueOverflowBuffer@8 ; EtwpEnqueueOverflowBuffer(x,x)
		lea	edx, [ebp+var_1]
		mov	ecx, edi
		call	_EtwpLockBufferList@8 ;	EtwpLockBufferList(x,x)
		lea	edx, [edi+30h]
		mov	ecx, edi
		call	EtwpDequeueBuffer
		lea	edx, [ebp+var_1]
		mov	ecx, edi
		mov	esi, eax
		call	EtwpUnlockBufferList
		lea	eax, [edi+9Ch]
		test	esi, esi
		jnz	loc_514B7A
		jmp	loc_514BAA
; 

loc_5E86A1:				; CODE XREF: EtwpDequeueFreeBuffer+128j
					; EtwpDequeueFreeBuffer+131j
		mov	esi, [ebp+var_8]
		mov	[ebp+var_C], ecx
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		mov	edx, [esi+14h]
		cmp	edx, eax
		mov	ebx, [esi+10h]
		mov	[ebp+var_18], edx
		mov	edx, [ebp+var_C]
		jg	loc_514C07
		jl	loc_514C35
		cmp	ebx, [ebp+var_1C]
		ja	loc_514C07
		jmp	loc_514C35
; 

loc_5E86D4:				; CODE XREF: EtwpDequeueFreeBuffer+163j
					; EtwpDequeueFreeBuffer+16Cj
		mov	esi, [edi+368h]
		add	esi, [ebp+var_10]

loc_5E86DD:				; CODE XREF: EtwpDequeueFreeBuffer+D3BFAj
					; EtwpDequeueFreeBuffer+D3BFEj
		mov	ebx, [esi]
		mov	eax, ebx
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_18], ecx
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, edx
		mov	edx, [ebp+var_C]
		cmp	eax, edx
		jnz	short loc_5E86DD
		cmp	ebx, ecx
		jnz	short loc_5E86DD
		mov	esi, [ebp+var_8]
		mov	eax, [esi+14h]
		mov	ebx, [esi+10h]
		mov	[ebp+var_14], eax
		cmp	eax, ecx
		jl	loc_514C70
		jg	short loc_5E871C
		cmp	ebx, edx
		jbe	loc_514C70

loc_5E871C:				; CODE XREF: EtwpDequeueFreeBuffer+D3C14j
					; EtwpDequeueFreeBuffer+D3C65j	...
		mov	esi, [edi+368h]
		mov	eax, edx
		add	esi, [ebp+var_10]
		mov	edx, ecx
		nop
		mov	ecx, [ebp+var_14]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, eax
		mov	eax, edx
		mov	[ebp+var_1C], ecx
		cmp	ecx, [ebp+var_C]
		jnz	short loc_5E874A
		cmp	eax, [ebp+var_18]
		jnz	short loc_5E874A
		mov	esi, [ebp+var_8]
		jmp	loc_514C70
; 

loc_5E874A:				; CODE XREF: EtwpDequeueFreeBuffer+D3C3Dj
					; EtwpDequeueFreeBuffer+D3C42j
		mov	esi, [ebp+var_8]
		mov	[ebp+var_C], ecx
		mov	ecx, eax
		mov	[ebp+var_18], ecx
		mov	edx, [esi+14h]
		cmp	edx, eax
		mov	ebx, [esi+10h]
		mov	[ebp+var_14], edx
		mov	edx, [ebp+var_C]
		jg	short loc_5E871C
		jl	loc_514C70
		cmp	ebx, [ebp+var_1C]
		ja	short loc_5E871C
		jmp	loc_514C70
; 

loc_5E8775:				; CODE XREF: EtwpDequeueFreeBuffer+182j
		push	ecx
		push	eax
		push	esi
		push	7
		push	11Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5E8785:				; CODE XREF: EtwpDequeueBuffer+1Fj
		lea	ecx, [eax+20h]
		mov	eax, [edi+318h]
		mov	[ecx], eax
		mov	[edi+318h], ecx
		jmp	loc_514CDD
; END OF FUNCTION CHUNK	FOR EtwpDequeueFreeBuffer
; 
; START	OF FUNCTION CHUNK FOR EtwpEnqueueAvailableBuffer

loc_5E879B:				; CODE XREF: EtwpEnqueueAvailableBuffer+20j
		push	edx
		push	ecx
		push	eax
		push	7
		push	11Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E87AA:				; CODE XREF: EtwpEnqueueAvailableBuffer+81j
		lea	edx, [edi+34h]
		mov	ebx, [edx]
		test	ebx, ebx
		jz	loc_514D9B
		mov	eax, [ebp+arg_0]
		cmp	eax, 4
		jz	loc_514D9B
		test	eax, eax
		jnz	short loc_5E87DE
		lea	ecx, [edi+34h]
		add	esi, 20h

loc_5E87CD:				; CODE XREF: EtwpEnqueueAvailableBuffer+D3B15j
		mov	eax, [ecx]
		mov	[esi], eax
		mov	[ecx], esi
		cmp	ecx, [edi+30h]
		jnz	loc_514DA9
		jmp	short loc_5E8832
; 

loc_5E87DE:				; CODE XREF: EtwpEnqueueAvailableBuffer+D3AB1j
		xor	esi, esi

loc_5E87E0:				; CODE XREF: EtwpEnqueueAvailableBuffer+D3B05j
		mov	eax, [ebx+0Ch]
		test	esi, esi
		jnz	short loc_5E87ED
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_5E87F4

loc_5E87ED:				; CODE XREF: EtwpEnqueueAvailableBuffer+D3AD1j
		mov	ecx, eax
		cmp	eax, 6
		jnz	short loc_5E8813

loc_5E87F4:				; CODE XREF: EtwpEnqueueAvailableBuffer+D3AD7j
		mov	esi, edx
		cmp	ecx, 6
		jnz	short loc_5E8813
		lea	ecx, [edi+30h]
		call	_EtwpBufferQueueRemoveAfter@8 ;	EtwpBufferQueueRemoveAfter(x,x)
		mov	eax, [edi+318h]
		mov	[ebx], eax
		mov	[edi+318h], ebx
		jmp	short loc_5E8815
; 

loc_5E8813:				; CODE XREF: EtwpEnqueueAvailableBuffer+D3ADEj
					; EtwpEnqueueAvailableBuffer+D3AE5j
		mov	edx, ebx

loc_5E8815:				; CODE XREF: EtwpEnqueueAvailableBuffer+D3AFDj
		mov	ebx, [edx]
		test	ebx, ebx
		jnz	short loc_5E87E0
		mov	[ebp+arg_0], esi
		mov	esi, [ebp+var_8]
		mov	ecx, [ebp+arg_0]
		add	esi, 20h
		test	ecx, ecx
		jnz	short loc_5E87CD
		and	[esi], ecx
		mov	eax, [edi+30h]
		mov	[eax], esi

loc_5E8832:				; CODE XREF: EtwpEnqueueAvailableBuffer+D3AC8j
		mov	[edi+30h], esi
		jmp	loc_514DA9
; END OF FUNCTION CHUNK	FOR EtwpEnqueueAvailableBuffer
; 
; START	OF FUNCTION CHUNK FOR EtwpUnlockBufferList

loc_5E883A:				; CODE XREF: EtwpUnlockBufferList+1Ej
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_514DEB
; END OF FUNCTION CHUNK	FOR EtwpUnlockBufferList
; 
; START	OF FUNCTION CHUNK FOR EtwpPrepareDirtyBuffer

loc_5E8849:				; CODE XREF: EtwpPrepareDirtyBuffer+17j
		push	4
		call	EtwpEnqueueAvailableBuffer
		mov	eax, [esi+308h]
		test	eax, eax
		jnz	short loc_5E8885
		mov	edx, [esi+350h]
		mov	ecx, [esi+354h]
		shld	ecx, edx, 1
		add	edx, edx
		cmp	[esi+34Ch], ecx
		jl	short loc_5E8885
		jg	short loc_5E887E
		cmp	[esi+348h], edx
		jb	short loc_5E8885

loc_5E887E:				; CODE XREF: EtwpPrepareDirtyBuffer+D39FAj
		mov	ecx, esi
		call	_EtwpReenableCompression@4 ; EtwpReenableCompression(x)

loc_5E8885:				; CODE XREF: EtwpPrepareDirtyBuffer+D39DEj
					; EtwpPrepareDirtyBuffer+D39F8j ...
		mov	eax, [esi+308h]
		test	eax, eax
		jz	loc_514E9E
		push	2
		pop	ecx
		lea	eax, [esi+2F8h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	loc_514E9E
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_5E88C9
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	short loc_5E88C9
		xor	eax, eax
		push	eax
		push	eax
		push	esi
		push	eax
		call	_EtwpCompressionDpc@16 ; EtwpCompressionDpc(x,x,x,x)
		jmp	loc_514E9E
; 

loc_5E88C9:				; CODE XREF: EtwpPrepareDirtyBuffer+D3A33j
					; EtwpPrepareDirtyBuffer+D3A3Dj
		pop	edi
		lea	ecx, [esi+31Ch]
		pop	esi
		jmp	_EtwpInsertQueueDpc@4 ;	EtwpInsertQueueDpc(x)
; END OF FUNCTION CHUNK	FOR EtwpPrepareDirtyBuffer
; 
; START	OF FUNCTION CHUNK FOR EtwpGetLoggerTimeStamp

loc_5E88D6:				; CODE XREF: EtwpGetLoggerTimeStamp+13j
		sub	eax, 1
		jz	short loc_5E88E9
		sub	eax, 1
		jz	short loc_5E88E5
		push	3Dh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5E88E5:				; CODE XREF: EtwpGetLoggerTimeStamp+D3A28j
		rdtsc
		leave
		retn
; 

loc_5E88E9:				; CODE XREF: EtwpGetLoggerTimeStamp+D3A23j
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ecx
		push	eax
		mov	[ebp+var_4], ecx
		call	ds:off_6B1438	; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_4]
		leave
		retn
; END OF FUNCTION CHUNK	FOR EtwpGetLoggerTimeStamp
; 
; START	OF FUNCTION CHUNK FOR EtwpBuffersFlushRequired

loc_5E8901:				; CODE XREF: EtwpBuffersFlushRequired+Cj
		call	EtwpQueryUsedProcessorCount
		mov	ecx, [esi+0A0h]
		sub	ecx, eax
		mov	eax, [esi+9Ch]
		sub	ecx, eax
		cmp	ecx, [esi+88h]
		pop	esi
		setnl	al
		retn
; END OF FUNCTION CHUNK	FOR EtwpBuffersFlushRequired
; 
; START	OF FUNCTION CHUNK FOR EtwpRequestFlushTimer

loc_5E8921:				; CODE XREF: EtwpRequestFlushTimer+1Cj
					; EtwpRequestFlushTimer+29j ...
		lock bts dword ptr [esi], 9
		jb	loc_515071
		lea	ecx, [edi+1B0h]
		call	_EtwpInsertQueueDpc@4 ;	EtwpInsertQueueDpc(x)
		jmp	loc_515071
; END OF FUNCTION CHUNK	FOR EtwpRequestFlushTimer
; 
; START	OF FUNCTION CHUNK FOR PfpFileCheckAttributesForPrefetch

loc_5E893C:				; CODE XREF: PfpFileCheckAttributesForPrefetch+35j
		push	edi
		push	edi
		push	edi
		push	26DEh
		push	191h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5E894F:				; CODE XREF: IopGetMountFlag+29j
		mov	edx, eax
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_515247
; END OF FUNCTION CHUNK	FOR PfpFileCheckAttributesForPrefetch
; 
; START	OF FUNCTION CHUNK FOR IopGetMountFlag

loc_5E895B:				; CODE XREF: IopGetMountFlag+5Aj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_515285
; END OF FUNCTION CHUNK	FOR IopGetMountFlag
; 
; START	OF FUNCTION CHUNK FOR sub_51531E

loc_5E896A:				; CODE XREF: sub_51531E+7j
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_5E8983
		test	byte ptr ds:dword_6FDE00, 6
		jz	loc_51532B

loc_5E8983:				; CODE XREF: sub_51531E+D3656j
		mov	eax, ds:_MmVerifierData
		and	eax, 10h
		or	eax, 40h
		shr	eax, 1
		push	eax
		push	20206F49h
		push	10h
		push	200h
		call	ExAllocatePoolWithTagPriority
		retn
; END OF FUNCTION CHUNK	FOR sub_51531E
; 
; START	OF FUNCTION CHUNK FOR IopCancelIrpsInFileObjectList

loc_5E89A3:				; CODE XREF: IopCancelIrpsInFileObjectList+E5j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	esi, [esp+30h+var_1C]
		jmp	loc_51542E
; 

loc_5E89B6:				; CODE XREF: IopCancelIrpsInFileObjectList+C8j
		mov	esi, eax
		jmp	loc_515398
; 

loc_5E89BD:				; CODE XREF: IopCancelIrpsInFileObjectList+BCj
		test	ds:byte_70EFC6,	1
		mov	eax, [ebx+4]
		mov	eax, [eax+8]
		mov	eax, [eax+2Ch]
		mov	[esp+30h+var_C], eax
		jz	short loc_5E89DF
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5E89E4
; 

loc_5E89DF:				; CODE XREF: IopCancelIrpsInFileObjectList+D3693j
		xor	eax, eax
		lock and [edi],	eax

loc_5E89E4:				; CODE XREF: IopCancelIrpsInFileObjectList+D369Fj
		mov	cl, [esp+30h+var_21]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [esp+30h+var_8]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	eax, [esp+30h+var_18]
		cmp	eax, 64h
		jge	short loc_5E8A1A
		add	eax, eax
		mov	[esp+30h+var_18], eax
		imul	eax, 0FFFFD8F0h
		cdq
		mov	[esp+30h+var_8], eax
		mov	[esp+30h+var_4], edx

loc_5E8A1A:				; CODE XREF: IopCancelIrpsInFileObjectList+D36C5j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	[esp+30h+var_21], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, [esp+30h+var_20]
		jmp	loc_515398
; 

loc_5E8A34:				; CODE XREF: IopCancelIrpsInFileObjectList+6Cj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5153B5
; END OF FUNCTION CHUNK	FOR IopCancelIrpsInFileObjectList
; 
; START	OF FUNCTION CHUNK FOR RtlStringCbCopyExW

loc_5E8A43:				; CODE XREF: RtlStringCbCopyExW+28j
		test	edi, edi
		jz	loc_51555C
		mov	esi, 0C000000Dh
		test	edi, edi
		jz	loc_5155DC
		xor	eax, eax
		mov	[ebx], ax
		jmp	loc_5155DC
; 

loc_5E8A62:				; CODE XREF: RtlStringCbCopyExW+3Fj
		mov	eax, offset ??_C@_11LOCGONAA@@FNODOBFM@
		jmp	loc_515573
; 

loc_5E8A6C:				; CODE XREF: RtlStringCbCopyExW+4Dj
		mov	esi, 0C000000Dh
		test	edi, edi
		jz	short loc_5E8A7A
		xor	eax, eax
		mov	[ebx], ax

loc_5E8A7A:				; CODE XREF: RtlStringCbCopyExW+7Fj
					; RtlStringCbCopyExW+96j ...
		mov	ecx, [ebp+arg_C]
		test	ecx, 1C00h
		jz	short loc_5E8AA2
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_5E8AA2
		push	ecx		; int
		lea	ecx, [ebp+var_4]
		mov	edx, eax	; size_t
		push	ecx		; int
		lea	ecx, [ebp+var_8]
		push	ecx		; int
		push	ecx		; int
		mov	ecx, ebx	; void *
		call	StringExHandleOtherFlagsW
		mov	edi, [ebp+var_4]

loc_5E8AA2:				; CODE XREF: RtlStringCbCopyExW+D3555j
					; RtlStringCbCopyExW+D355Cj
		test	esi, esi
		jns	loc_5155CA
		cmp	esi, 80000005h
		jnz	loc_5155DC
		jmp	loc_5155CA
; 

loc_5E8ABB:				; CODE XREF: RtlStringCbCopyExW+55j
		cmp	[eax], si
		jz	loc_5155CA
		mov	esi, ebx
		neg	esi
		sbb	esi, esi
		and	esi, 0BFFFFFF8h
		add	esi, 0C000000Dh
		jmp	loc_5155C2
; 

loc_5E8ADB:				; CODE XREF: RtlStringCbCopyExW+8Ej
		mov	eax, [ebp+var_C]
		and	eax, 1
		lea	eax, [eax+edi*2]
		cmp	eax, 2
		jbe	loc_5155C2
		add	eax, 0FFFFFFFEh
		push	eax		; size_t
		movzx	eax, cl
		push	eax		; int
		lea	eax, [edx+2]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_5155C2
; 

loc_5E8B06:				; CODE XREF: RtlStringCbCopyExW+A8j
		mov	eax, [ebp+var_C]
		and	eax, 1
		lea	eax, [eax+edi*2]
		mov	[ecx], eax
		jmp	loc_5155DC
; END OF FUNCTION CHUNK	FOR RtlStringCbCopyExW
; 
; START	OF FUNCTION CHUNK FOR RtlStringCchCopyExW

loc_5E8B16:				; CODE XREF: RtlStringCchCopyExW+25j
		test	edi, edi
		jz	loc_5157AF

loc_5E8B1E:				; CODE XREF: RtlStringCchCopyExW+31j
					; RtlStringCchCopyExW+CBj
		mov	esi, 0C000000Dh
		jmp	loc_5157BB
; 

loc_5E8B28:				; CODE XREF: RtlStringCchCopyExW+5Aj
		mov	esi, 0C000000Dh
		test	edi, edi
		jz	short loc_5E8B36
		xor	ecx, ecx
		mov	[ebx], cx

loc_5E8B36:				; CODE XREF: RtlStringCchCopyExW+DDj
					; RtlStringCchCopyExW+D33ABj ...
		test	edx, 1C00h
		jz	short loc_5E8B59
		test	edi, edi
		jz	short loc_5E8B59
		push	edx		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	ecx		; int
		lea	edx, [edi+edi]	; size_t
		mov	ecx, ebx	; void *
		call	StringExHandleOtherFlagsW
		mov	eax, [ebp+var_8]

loc_5E8B59:				; CODE XREF: RtlStringCchCopyExW+D33B8j
					; RtlStringCchCopyExW+D33BCj
		test	esi, esi
		jns	short loc_5E8B69
		cmp	esi, 80000005h
		jnz	loc_515836

loc_5E8B69:				; CODE XREF: RtlStringCchCopyExW+D33D7j
					; RtlStringCchCopyExW+D33F5j ...
		mov	edx, [ebp+var_4]
		jmp	loc_515828
; 

loc_5E8B71:				; CODE XREF: RtlStringCchCopyExW+62j
		xor	edx, edx
		cmp	[ecx], dx
		mov	edx, [ebp+arg_C]
		jz	short loc_5E8B69
		mov	esi, ebx
		neg	esi
		sbb	esi, esi
		and	esi, 0BFFFFFF8h
		add	esi, 0C000000Dh
		jmp	short loc_5E8B36
; 

loc_5E8B8F:				; CODE XREF: RtlStringCchCopyExW+9Ej
		cmp	eax, 1
		jbe	loc_515828
		lea	edi, [eax+eax]
		cmp	edi, 2
		jbe	loc_515828
		lea	eax, [edi-2]
		push	eax		; size_t
		movzx	eax, cl
		push	eax		; int
		lea	eax, [edx+2]
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		jmp	short loc_5E8B69
; 

loc_5E8BBD:				; CODE XREF: RtlStringCchCopyExW+39j
		test	edi, edi
		jz	loc_515836
		xor	eax, eax
		mov	[ebx], ax
		jmp	loc_515836
; END OF FUNCTION CHUNK	FOR RtlStringCchCopyExW
; 
; START	OF FUNCTION CHUNK FOR RtlEnumerateGenericTableLikeADirectory

loc_5E8BCF:				; CODE XREF: RtlEnumerateGenericTableLikeADirectory+95j
		mov	ecx, [ebp+var_4]
		call	_RealSuccessor@4 ; RealSuccessor(x)
		mov	esi, eax
		jmp	loc_515916
; END OF FUNCTION CHUNK	FOR RtlEnumerateGenericTableLikeADirectory
; 
; START	OF FUNCTION CHUNK FOR RtlInsertElementGenericTableFullAvl

loc_5E8BDE:				; CODE XREF: RtlInsertElementGenericTableFullAvl+1Fj
					; RtlInsertElementGenericTableFullAvl+30j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_5E8BE8
		mov	byte ptr [eax],	0

loc_5E8BE8:				; CODE XREF: RtlInsertElementGenericTableFullAvl+D3223j
		xor	eax, eax
		jmp	loc_515A7A
; END OF FUNCTION CHUNK	FOR RtlInsertElementGenericTableFullAvl
; 
; START	OF FUNCTION CHUNK FOR RtlStringCchCopyNExW

loc_5E8BEF:				; CODE XREF: RtlStringCchCopyNExW+2Aj
		test	ebx, ebx
		jnz	loc_515DE0
		test	edi, edi
		jz	loc_515DE0

loc_5E8BFF:				; CODE XREF: RtlStringCchCopyNExW+32j
					; RtlStringCchCopyNExW+3Aj
		mov	esi, eax
		jmp	loc_515DE8
; 

loc_5E8C06:				; CODE XREF: RtlStringCchCopyNExW+53j
		mov	esi, 0C000000Dh
		test	edi, edi
		jz	loc_515E66
		xor	ecx, ecx
		mov	[ebx], cx
		jmp	loc_515E66
; 

loc_5E8C1D:				; CODE XREF: RtlStringCchCopyNExW+60j
		test	ecx, ecx
		jnz	loc_515E0E
		and	[ebp+arg_4], 0
		mov	ecx, offset ??_C@_11LOCGONAA@@FNODOBFM@
		jmp	loc_515E0E
; 

loc_5E8C33:				; CODE XREF: RtlStringCchCopyNExW+6Ej
		mov	esi, 0C000000Dh
		test	edi, edi
		jz	short loc_5E8C41
		xor	ecx, ecx
		mov	[ebx], cx

loc_5E8C41:				; CODE XREF: RtlStringCchCopyNExW+A9j
					; RtlStringCchCopyNExW+C0j ...
		mov	ecx, [ebp+arg_10]
		test	ecx, 1C00h
		jz	short loc_5E8C67
		test	edi, edi
		jz	short loc_5E8C67
		push	ecx		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	ecx		; int
		lea	edx, [edi+edi]	; size_t
		mov	ecx, ebx	; void *
		call	StringExHandleOtherFlagsW
		mov	eax, [ebp+var_8]

loc_5E8C67:				; CODE XREF: RtlStringCchCopyNExW+D2EA2j
					; RtlStringCchCopyNExW+D2EA6j
		test	esi, esi
		jns	loc_515E6E
		cmp	esi, 80000005h
		jnz	loc_515E7C
		jmp	loc_515E6E
; 

loc_5E8C80:				; CODE XREF: RtlStringCchCopyNExW+76j
		cmp	[ebp+arg_4], esi
		jz	loc_515E6E
		xor	edx, edx
		cmp	[ecx], dx
		jz	loc_515E6E
		mov	esi, ebx
		neg	esi
		sbb	esi, esi
		and	esi, 0BFFFFFF8h
		add	esi, 0C000000Dh
		jmp	short loc_5E8C41
; 

loc_5E8CA8:				; CODE XREF: RtlStringCchCopyNExW+B8j
		cmp	eax, 1
		jbe	loc_515E66
		lea	ecx, [eax+eax]
		cmp	ecx, 2
		jbe	loc_515E66
		lea	eax, [ecx-2]
		push	eax		; size_t
		movzx	eax, dl
		push	eax		; int
		mov	eax, [ebp+var_4]
		add	eax, 2
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		jmp	loc_515E66
; 

loc_5E8CDC:				; CODE XREF: RtlStringCchCopyNExW+42j
		test	edi, edi
		jz	loc_515E7C
		xor	eax, eax
		mov	[ebx], ax
		jmp	loc_515E7C
; END OF FUNCTION CHUNK	FOR RtlStringCchCopyNExW
; 
; START	OF FUNCTION CHUNK FOR RtlStringCchPrintfExW

loc_5E8CEE:				; CODE XREF: RtlStringCchPrintfExW+19j
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jnz	short loc_5E8CF9
		test	esi, esi
		jnz	short loc_5E8D05

loc_5E8CF9:				; CODE XREF: RtlStringCchPrintfExW+D2B13j
		cmp	esi, 7FFFFFFFh
		jbe	loc_516216

loc_5E8D05:				; CODE XREF: RtlStringCchPrintfExW+D2B17j
		mov	edx, 0C000000Dh
		jmp	loc_516216
; 

loc_5E8D0F:				; CODE XREF: RtlStringCchPrintfExW+21j
					; RtlStringCchPrintfExW+2Dj
		mov	edx, 0C000000Dh
		jmp	loc_516213
; 

loc_5E8D19:				; CODE XREF: RtlStringCchPrintfExW+4Dj
		test	eax, eax
		jnz	loc_516233
		mov	eax, offset ??_C@_11LOCGONAA@@FNODOBFM@
		mov	[ebp+arg_14], eax
		jmp	loc_516233
; 

loc_5E8D2E:				; CODE XREF: RtlStringCchPrintfExW+5Cj
		mov	eax, [ebp+arg_0]
		mov	edi, 0C000000Dh
		test	esi, esi
		jz	short loc_5E8D87
		xor	edx, edx
		mov	[eax], dx
		mov	edx, [ebp+var_4]
		jmp	short loc_5E8D87
; 

loc_5E8D44:				; CODE XREF: RtlStringCchPrintfExW+64j
		cmp	[eax], di
		jz	loc_516298
		mov	eax, [ebp+arg_0]
		mov	edi, eax
		neg	edi
		sbb	edi, edi
		and	edi, 0BFFFFFF8h
		add	edi, 0C000000Dh
		jmp	short loc_5E8D87
; 

loc_5E8D64:				; CODE XREF: RtlStringCchPrintfExW+B2j
		cmp	ebx, 1
		jbe	loc_516298
		mov	ecx, [ebp+var_4]
		lea	edx, [ebx+ebx]
		push	eax
		call	RtlStringExHandleFillBehindNullW
		mov	edx, [ebp+var_4]
		jmp	loc_516298
; 

loc_5E8D81:				; CODE XREF: RtlStringCchPrintfExW+A4j
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+arg_0]

loc_5E8D87:				; CODE XREF: RtlStringCchPrintfExW+D2B58j
					; RtlStringCchPrintfExW+D2B62j	...
		test	ecx, 1C00h
		jz	short loc_5E8DAD
		test	esi, esi
		jz	short loc_5E8DAD
		push	ecx		; int
		lea	ecx, [ebp+var_8]
		push	ecx		; int
		lea	ecx, [ebp+var_4]
		push	ecx		; int
		push	ecx		; int
		lea	edx, [esi+esi]	; size_t
		mov	ecx, eax	; void *
		call	StringExHandleOtherFlagsW
		mov	ebx, [ebp+var_8]
		mov	edx, [ebp+var_4]

loc_5E8DAD:				; CODE XREF: RtlStringCchPrintfExW+D2BADj
					; RtlStringCchPrintfExW+D2BB1j
		test	edi, edi
		jns	loc_516298
		cmp	edi, 80000005h
		jnz	loc_5162A6
		jmp	loc_516298
; 

loc_5E8DC6:				; CODE XREF: RtlStringCchPrintfExW+38j
		test	esi, esi
		jz	short loc_5E8DCF
		xor	eax, eax
		mov	[ebx], ax

loc_5E8DCF:				; CODE XREF: RtlStringCchPrintfExW+D2BE8j
		mov	eax, edx
		jmp	loc_5162A9
; END OF FUNCTION CHUNK	FOR RtlStringCchPrintfExW
; 
; START	OF FUNCTION CHUNK FOR SeAccessCheckFromState

loc_5E8DD6:				; CODE XREF: SeAccessCheckFromState+80j
		lea	edx, [esp+578h+var_558]
		mov	ecx, ebx
		call	_SepTokenFromAccessInformation@8 ; SepTokenFromAccessInformation(x,x)
		lea	edi, [esp+578h+var_558]
		jmp	loc_51637C
; END OF FUNCTION CHUNK	FOR SeAccessCheckFromState
; 
; START	OF FUNCTION CHUNK FOR SeAccessCheckFromStateEx

loc_5E8DEA:				; CODE XREF: SeAccessCheckFromStateEx+22j
		mov	[esp+18h+var_10], eax
		mov	eax, [eax+0ACh]
		mov	[esp+18h+var_C], eax
		jmp	loc_5163EC
; END OF FUNCTION CHUNK	FOR SeAccessCheckFromStateEx

;  S U B	R O U T	I N E 


sub_5E8DFD	proc near		; CODE XREF: KeQuerySystemTime+2Ej
		push	ebx
		push	edi
		mov	edi, 0FFDF0018h
		lea	ebx, [edi-4]

loc_5E8E07:				; CODE XREF: sub_5E8DFD+25j
		lea	ecx, [ebp-4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		mov	[esi+4], eax
		mov	eax, [ebx]
		mov	[esi], eax
		mov	eax, 0FFDF001Ch
		mov	eax, [eax]
		cmp	[esi+4], eax
		jnz	short loc_5E8E07
		pop	edi
		pop	ebx
		jmp	loc_5164D4
sub_5E8DFD	endp

; 
; START	OF FUNCTION CHUNK FOR _MapCmDevicePropertyToRegValue

loc_5E8E2B:				; CODE XREF: _MapCmDevicePropertyToRegValue+15j
					; DATA XREF: .text:off_5165C4o
		mov	eax, offset ??_C@_1M@OAHBGIFG@?$AAC?$AAl?$AAa?$AAs?$AAs@FNODOBFM@ ; case 0x7
		retn
; 

loc_5E8E31:				; CODE XREF: _MapCmDevicePropertyToRegValue+38j
		mov	eax, offset ??_C@_1CG@HJGMLNKH@?$AAU?$AAI?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr?$AAD?$AAe?$AAs?$AAc?$AAF?$AAo?$AAr@FNODOBFM@
		retn
; END OF FUNCTION CHUNK	FOR _MapCmDevicePropertyToRegValue
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepIsValidExpression

loc_5E8E37:				; CODE XREF: AuthzBasepIsValidExpression+7Bj
		cmp	cl, 80h
		jz	loc_51667D
		cmp	cl, 81h
		jz	loc_51667D
		cmp	cl, 8Eh
		jz	loc_51667D
		cmp	cl, 88h
		jz	loc_51667D
		cmp	cl, 8Fh
		jz	loc_51667D
		cmp	cl, 89h
		jz	loc_51667D
		cmp	cl, 90h
		jz	loc_51667D
		cmp	cl, 8Bh
		jz	loc_51667D
		cmp	cl, 92h
		jz	loc_51667D
		cmp	cl, 0A0h
		jz	loc_51667D
		cmp	cl, 0A1h
		jz	loc_51667D
		cmp	cl, 8Ah
		jz	loc_51667D
		cmp	cl, 91h
		jz	loc_51667D
		cmp	cl, 8Ch
		jz	loc_51667D
		cmp	cl, 93h
		jz	loc_51667D
		cmp	cl, 8Dh
		jz	loc_51667D
		cmp	edi, 1
		jz	loc_51667D
		cmp	dword ptr [eax], 1
		ja	loc_5E8FD2
		jmp	loc_51667D
; 

loc_5E8EDE:				; CODE XREF: AuthzBasepIsValidExpression+8Aj
		cmp	cl, 80h
		jz	loc_516690
		cmp	cl, 81h
		jz	loc_516690
		cmp	cl, 8Eh
		jz	loc_516690
		cmp	cl, 88h
		jz	loc_516690
		cmp	cl, 8Fh
		jz	loc_516690
		cmp	cl, 89h
		jz	loc_516690
		cmp	cl, 90h
		jz	loc_516690
		cmp	cl, 8Bh
		jz	loc_516690
		cmp	cl, 92h
		jz	loc_516690
		cmp	cl, 0A0h
		jz	loc_516690
		cmp	cl, 0A1h
		jz	loc_516690
		cmp	cl, 8Ah
		jz	loc_516690
		cmp	cl, 91h
		jz	loc_516690
		cmp	cl, 8Ch
		jz	loc_516690
		cmp	cl, 93h
		jz	loc_516690
		cmp	cl, 8Dh
		jz	loc_516690
		cmp	esi, 2
		jnz	loc_516690
		movzx	eax, word ptr [edx]
		cmp	eax, 4
		jz	loc_516690
		test	ax, ax
		jz	loc_516690
		cmp	dword ptr [edx+28h], 1
		jnz	loc_516690
		cmp	[edx+20h], bl
		jnz	loc_516713
		jmp	loc_516690
; 

loc_5E8FA4:				; CODE XREF: AuthzBasepIsValidExpression+9Dj
					; AuthzBasepIsValidExpression+A8j
		cmp	dword ptr [edx+28h], 1
		jnz	loc_5166B8
		cmp	[edx+20h], bl
		jmp	loc_5166B6
; 

loc_5E8FB6:				; CODE XREF: AuthzBasepIsValidExpression+52j
					; DATA XREF: .text:00516720o
		cmp	esi, 1
		jnz	loc_516713
		cmp	[edx+0Ch], esi
		jz	loc_5166B8
		cmp	word ptr [edx],	5
		jz	loc_5166B8

loc_5E8FD2:				; CODE XREF: AuthzBasepIsValidExpression+D2883j
		mov	eax, [ebp+arg_4]
		mov	byte ptr [eax],	1
		jmp	loc_516713
; 

loc_5E8FDD:				; CODE XREF: AuthzBasepIsValidExpression+52j
					; DATA XREF: .text:00516724o
		test	esi, esi
		jz	loc_5166B8
		add	edx, 0Ch

loc_5E8FE8:				; CODE XREF: AuthzBasepIsValidExpression+D29A7j
		cmp	dword ptr [edx], 1
		jz	loc_516713
		inc	ebx
		add	edx, 1Ch
		cmp	ebx, esi
		jb	short loc_5E8FE8
		jmp	loc_5166B8
; END OF FUNCTION CHUNK	FOR AuthzBasepIsValidExpression
; 

loc_5E8FFE:				; CODE XREF: .text:005167B5j
		call	MiInitializeWorkingSetManagerParameters
		jmp	loc_5167BB
; 

loc_5E9008:				; CODE XREF: .text:00516BF8j
		nop
		mov	ecx, 0Ah
		mov	[eax+4BEh], cx
		jmp	loc_516BFE
; 

loc_5E901A:				; CODE XREF: .text:00516C1Aj
		mov	edx, [esp+24h]
		add	edx, 0F04h
		mov	byte ptr [ebx+2Eh], 0
		mov	edi, [edx]
		cmp	edi, edx
		jz	short loc_5E9072

loc_5E902E:				; CODE XREF: .text:005E9070j
		mov	ecx, edi
		mov	edi, [edi]
		mov	eax, [ecx+24h]
		cmp	eax, [ebx+30h]
		jb	short loc_5E906E
		mov	ebx, [ecx]
		mov	eax, [ecx+4]
		cmp	[ebx+4], ecx
		jnz	loc_516CC0
		cmp	[eax], ecx
		jnz	loc_516CC0
		mov	[eax], ebx
		mov	[ebx+4], eax
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	loc_516CC0
		mov	ebx, [esp+14h]
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[eax+4], ecx
		mov	[edx], ecx

loc_5E906E:				; CODE XREF: .text:005E9038j
		cmp	edi, edx
		jnz	short loc_5E902E

loc_5E9072:				; CODE XREF: .text:005E902Cj
		mov	edi, [esp+10h]
		jmp	loc_51683F
; 

loc_5E907B:				; CODE XREF: .text:00516BCEj
		cmp	dword ptr [edi+28h], 0
		jz	short loc_5E909B
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_516CC0
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	[ecx+4], ebx
		jmp	loc_516889
; 

loc_5E909B:				; CODE XREF: .text:005E907Fj
		mov	eax, [edi+50h]
		mov	[esp+0Ch], eax
		shr	eax, 8
		or	al, 6
		mov	[esp+0Dh], al
		mov	ax, [esp+0Ch]
		mov	[edi+50h], ax
		test	ds:byte_70EFC6,	1
		jz	short loc_5E90CB
		mov	edx, [ebp+4]
		lea	ecx, [esp+3Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5E9101
; 

loc_5E90CB:				; CODE XREF: .text:005E90BBj
		mov	eax, [esp+3Ch]
		test	eax, eax
		jnz	short loc_5E90EE
		mov	edx, [esp+40h]
		lea	eax, [esp+3Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+3Ch]
		cmp	eax, ecx
		jz	short loc_5E9101
		call	KxWaitForLockChainValid

loc_5E90EE:				; CODE XREF: .text:005E90D1j
		mov	dword ptr [esp+3Ch], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5E9101:				; CODE XREF: .text:005E90C9j
					; .text:005E90E7j
		mov	cl, [esp+44h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	ecx, [edi-250h]
		call	_KeRetryOutswapProcess@4 ; KeRetryOutswapProcess(x)
		lea	edx, [esp+3Ch]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [edi+50h]
		lea	ecx, [edi-10h]
		mov	[esp+0Ch], eax
		xor	edx, edx
		shr	eax, 8
		and	al, 0F9h
		mov	[esp+0Dh], al
		mov	ax, [esp+0Ch]
		mov	[edi+50h], ax
		call	MiReturnWsToExpansionList
		mov	ecx, [esp+20h]
		mov	edx, [esp+18h]
		jmp	loc_516889
; 

loc_5E9154:				; CODE XREF: .text:00516909j
		mov	eax, [edi+38h]
		mov	ecx, [edi+2Ch]
		cmp	eax, ecx
		jbe	loc_5169A3
		sub	eax, ecx
		cmp	eax, 40000h
		jb	loc_5169A3
		jmp	loc_51690F
; 

loc_5E9174:				; CODE XREF: .text:00516916j
		mov	edx, [ebp+4]
		lea	ecx, [esp+3Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_516942
; 

loc_5E9185:				; CODE XREF: .text:00516963j
		mov	eax, [esp+10h]
		mov	byte ptr [eax+4], 2
		jmp	loc_516969
; 

loc_5E9192:				; CODE XREF: .text:0051698Aj
		mov	edx, offset dword_6D3540
		lea	ecx, [esp+3Ch]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_5169A3
; 

loc_5E91A5:				; CODE XREF: .text:005169A8j
		mov	ecx, [esp+14h]
		xor	edx, edx
		mov	eax, [edi+24h]
		cmp	eax, [ecx+30h]
		jb	loc_5169AE
		cmp	[edi+28h], edx
		jz	loc_5169B3
		jmp	loc_5169AE
; 

loc_5E91C5:				; CODE XREF: .text:005169C1j
		or	cl, 6
		mov	[edi+4], esi
		mov	[esp+0Dh], cl
		lea	esi, [edi+4]
		mov	ax, [esp+0Ch]
		mov	[edi+50h], ax
		jmp	loc_516A06
; 

loc_5E91E0:				; CODE XREF: .text:00516CA4j
		mov	eax, [ecx+4Ch]
		add	ecx, 0FFFFFFECh
		mov	esi, [esi]
		mov	edx, 1
		mov	[esp+0Ch], eax
		shr	eax, 8
		and	al, 0F9h
		mov	[esp+0Dh], al
		mov	ax, [esp+0Ch]
		mov	[ecx+60h], ax
		call	MiReturnWsToExpansionList
		jmp	loc_516CA0
; 

loc_5E920D:				; CODE XREF: .text:00516BB5j
		mov	byte ptr [ebx+2Ch], 1
		jmp	loc_516BBB
; 

loc_5E9216:				; CODE XREF: .text:00516A61j
		mov	eax, [esp+14h]
		mov	byte ptr [eax+2Dh], 0
		test	dl, 5
		jz	short loc_5E9227
		mov	byte ptr [eax+2Ch], 0

loc_5E9227:				; CODE XREF: .text:005E9221j
		test	ds:byte_70EFC6,	1
		jnz	short loc_5E9264
		mov	eax, [esp+3Ch]
		test	eax, eax
		jnz	loc_516B94
		mov	edx, [esp+40h]
		lea	eax, [esp+3Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+3Ch]
		cmp	eax, ecx
		jz	loc_516B22

loc_5E9256:				; CODE XREF: .text:00516B1Cj
		lea	ecx, [esp+3Ch]
		call	KxWaitForLockChainValid
		jmp	loc_516B94
; 

loc_5E9264:				; CODE XREF: .text:00516AF6j
					; .text:005E922Ej
		mov	edx, [ebp+4]
		lea	ecx, [esp+3Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_516B22
; 
; START	OF FUNCTION CHUNK FOR MiTrimOrAgeWorkingSet

loc_5E9275:				; CODE XREF: MiTrimOrAgeWorkingSet+7Bj
		push	0
		movzx	eax, al
		push	eax
		mov	eax, [edx+80h]
		push	eax
		push	ecx
		push	5
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E928A:				; CODE XREF: MiTrimOrAgeWorkingSet+96j
		push	0FFFFFFFFh
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	_MiEmptyWorkingSetInitiate@16 ;	MiEmptyWorkingSetInitiate(x,x,x,x)
		jmp	loc_516D6C
; 

loc_5E929C:				; CODE XREF: MiTrimOrAgeWorkingSet+A3j
		cmp	al, 5
		jz	loc_516D79
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+48h+var_39], al
		jmp	loc_516DCD
; 

loc_5E92B5:				; CODE XREF: MiTrimOrAgeWorkingSet+CAj
		mov	dl, al
		mov	ecx, edi
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	loc_516DB9
; 

loc_5E92C3:				; CODE XREF: MiTrimOrAgeWorkingSet+104j
		test	byte ptr [esi+60h], 7
		jnz	loc_516DDA
		mov	edx, [esi+48h]
		mov	ecx, esi
		push	2
		push	0
		push	[esp+50h+var_38]
		call	MiTrimWorkingSet
		mov	al, [esp+48h+var_39]
		jmp	loc_516DDA
; 

loc_5E92E8:				; CODE XREF: MiTrimOrAgeWorkingSet+110j
		mov	edx, [esi+48h]
		mov	ecx, esi
		push	4
		push	0
		push	[esp+50h+var_38]
		call	MiTrimWorkingSet
		mov	al, [esp+48h+var_39]
		jmp	loc_516DE6
; 

loc_5E9303:				; CODE XREF: MiTrimOrAgeWorkingSet+37Dj
		push	ecx
		push	1
		jmp	loc_51705E
; 

loc_5E930B:				; CODE XREF: MiTrimOrAgeWorkingSet+232j
		cmp	al, 5
		jnz	loc_516F5E
		jmp	loc_516F08
; 

loc_5E9318:				; CODE XREF: MiTrimOrAgeWorkingSet+243j
					; MiTrimOrAgeWorkingSet+24Cj
		mov	dl, [esp+48h+var_39]
		mov	ecx, esi
		call	MiPreUnlockWorkingSetShared
		mov	al, [esi+60h]
		jmp	loc_516F22
; 

loc_5E932B:				; CODE XREF: MiTrimOrAgeWorkingSet+279j
		mov	edx, [ebp+4]
		mov	ecx, [esp+48h+var_34]
		call	@ExpReleaseSpinLockSharedFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockSharedFromDpcLevelInstrumented(x,x)
		jmp	loc_516F5E
; END OF FUNCTION CHUNK	FOR MiTrimOrAgeWorkingSet
; 
; START	OF FUNCTION CHUNK FOR MiAgeWorkingSet

loc_5E933C:				; CODE XREF: MiAgeWorkingSet+9Ej
		mov	ebx, 0Ah
		jmp	loc_5171F4
; 

loc_5E9346:				; CODE XREF: MiAgeWorkingSet+EAj
		mov	edx, eax
		lea	ecx, [ebp+var_380]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_51762A
; 

loc_5E9358:				; CODE XREF: MiAgeWorkingSet+12Aj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_380]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5172AE
; 

loc_5E936B:				; CODE XREF: MiAgeWorkingSet+B0j
					; MiAgeWorkingSet+169j
		xor	ecx, ecx
		jmp	loc_5172BF
; 

loc_5E9372:				; CODE XREF: MiAgeWorkingSet+3DEj
		mov	[ebp+var_358], 3
		jmp	loc_51753E
; 

loc_5E9381:				; CODE XREF: MiAgeWorkingSet+1EDj
		lea	esi, [ebp+var_140]
		mov	ecx, 21h
		jmp	loc_51734B
; 

loc_5E9391:				; CODE XREF: MiAgeWorkingSet+238j
		lea	eax, [ebp+var_248]
		mov	[ebp+var_244], 20h
		mov	[ebp+var_2A0], eax
		jmp	loc_51738E
; 

loc_5E93AC:				; CODE XREF: MiAgeWorkingSet+2E5j
		lea	ecx, [ebp+var_298]
		call	_MiGenerateRandomPte@4 ; MiGenerateRandomPte(x)
		jmp	loc_51744D
; 

loc_5E93BC:				; CODE XREF: MiAgeWorkingSet+338j
		inc	dword ptr [ebx+558h]
		jmp	loc_51748E
; 

loc_5E93C7:				; CODE XREF: MiAgeWorkingSet+376j
		mov	ecx, [esi+10h]
		mov	eax, [esi+14h]
		mov	[ebp+var_370], eax
		mov	eax, ecx
		and	eax, 1
		mov	[ebp+var_374], 0
		cmp	eax, ecx
		mov	ecx, [ebp+var_364]
		jnz	loc_5174CC
		mov	eax, [ebp+var_374]
		cmp	eax, [ebp+var_370]
		jnz	loc_5174CC
		mov	al, 1
		jmp	loc_5174CE
; 

loc_5E9409:				; CODE XREF: MiAgeWorkingSet+380j
		lea	eax, [ebp-36Ah]
		mov	[ebp+var_36A], bl
		mov	edx, ecx
		mov	[ebp+var_88], eax
		lea	ecx, [ebp+var_78]
		mov	[ebp+var_84], 0
		mov	[ebp+var_80], 1
		mov	[ebp+var_7C], 0
		call	_tlgCreate1Sz_char
		lea	eax, [ebp+var_370]
		mov	[ebp+var_370], edi
		mov	[ebp+var_68], eax
		mov	edx, offset loc_41CEF3
		mov	eax, [ebp+var_344]
		mov	ecx, esi
		mov	[ebp+var_390], eax
		lea	eax, [ebp+var_390]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+var_350]
		mov	[ebp+var_398], eax
		lea	eax, [ebp+var_398]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_348]
		mov	[ebp+var_3A0], eax
		lea	eax, [ebp+var_3A0]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_34C]
		mov	[ebp+var_3A8], eax
		lea	eax, [ebp+var_3A8]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_384], eax
		lea	eax, [ebp+var_384]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	0Ah
		push	0
		push	0
		push	1
		push	0
		push	0
		mov	[ebp+var_64], 0
		mov	[ebp+var_60], 4
		mov	[ebp+var_5C], 0
		mov	[ebp+var_38C], 0
		mov	[ebp+var_54], 0
		mov	[ebp+var_50], 8
		mov	[ebp+var_4C], 0
		mov	[ebp+var_394], 0
		mov	[ebp+var_44], 0
		mov	[ebp+var_40], 8
		mov	[ebp+var_3C], 0
		mov	[ebp+var_39C], 0
		mov	[ebp+var_34], 0
		mov	[ebp+var_30], 8
		mov	[ebp+var_2C], 0
		mov	[ebp+var_3A4], 0
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 8
		mov	[ebp+var_1C], 0
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], 0
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		mov	edx, [ebp+var_368]
		jmp	loc_5174D6
; 

loc_5E9582:				; CODE XREF: MiAgeWorkingSet+389j
		mov	eax, 1
		jmp	loc_5174E1
; END OF FUNCTION CHUNK	FOR MiAgeWorkingSet
; 
; START	OF FUNCTION CHUNK FOR MiCheckProcessShadow

loc_5E958C:				; CODE XREF: MiCheckProcessShadow+4Aj
		mov	eax, [esi-144h]
		test	eax, 4000000h
		jmp	loc_5176CC
; 

loc_5E959C:				; CODE XREF: MiCheckProcessShadow+60j
		mov	edx, 0C0603018h
		test	ecx, ecx
		jz	short loc_5E95B7
		mov	edi, ebx
		and	edi, 1
		jz	short loc_5E95DC
		push	0
		mov	ecx, esi
		call	MiLockPageTableInternal
		jmp	short loc_5E95DC
; 

loc_5E95B7:				; CODE XREF: MiCheckProcessShadow+D1F29j
		mov	ecx, esi
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	loc_5176B4
		mov	edi, ebx
		and	edi, 1
		jz	short loc_5E95DC
		push	1
		call	MiLockPageTableInternal
		test	eax, eax
		jz	loc_5176B4

loc_5E95DC:				; CODE XREF: MiCheckProcessShadow+D1F30j
					; MiCheckProcessShadow+D1F3Bj ...
		mov	ecx, ebx
		call	MiPaeCheckProcessShadow
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_5E95F9
		mov	edx, 0C0603018h
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	eax, [ebp+var_4]

loc_5E95F9:				; CODE XREF: MiCheckProcessShadow+D1F6Ej
		cmp	eax, 0FFFFFFFFh
		jnz	loc_5176B7
		test	bl, 10h
		jz	loc_5176B7
		call	_MiCheckRelevantKernelShadows@4	; MiCheckRelevantKernelShadows(x)
		jmp	loc_5176B7
; END OF FUNCTION CHUNK	FOR MiCheckProcessShadow
; 
; START	OF FUNCTION CHUNK FOR MiDrainOldAccessBuffers

loc_5E9615:				; CODE XREF: MiDrainOldAccessBuffers+4Ej
		mov	edx, eax
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_517741
; 

loc_5E9624:				; CODE XREF: MiDrainOldAccessBuffers+97j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_517797
; END OF FUNCTION CHUNK	FOR MiDrainOldAccessBuffers
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepQuerySecurityAttributesToken

loc_5E9634:				; CODE XREF: AuthzBasepQuerySecurityAttributesToken+1Fj
		push	0Ch
		pop	edx
		cmp	[ebp+arg_8], edx
		jnb	short loc_5E9643
		mov	eax, 0C0000023h
		jmp	short loc_5E9655
; 

loc_5E9643:				; CODE XREF: AuthzBasepQuerySecurityAttributesToken+D1AF2j
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		mov	edi, ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		mov	[ecx], ax
		mov	eax, esi

loc_5E9655:				; CODE XREF: AuthzBasepQuerySecurityAttributesToken+D1AF9j
		mov	[ebx], edx
		jmp	loc_517B99
; 

loc_5E965C:				; CODE XREF: AuthzBasepQuerySecurityAttributesToken+7Fj
					; AuthzBasepQuerySecurityAttributesToken+D1B46j
		movzx	edx, word ptr [eax-4]
		test	dx, dx
		jz	loc_517BCC
		movzx	esi, word ptr [eax-2]
		test	si, si
		jz	loc_517BCC
		cmp	dx, si
		ja	loc_517BCC
		cmp	dword ptr [eax], 0
		jz	loc_517BCC
		inc	ecx
		add	eax, 8
		cmp	ecx, edi
		jb	short loc_5E965C
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_8]
		jmp	loc_517B76
; END OF FUNCTION CHUNK	FOR AuthzBasepQuerySecurityAttributesToken
; 

loc_5E969B:				; CODE XREF: .text:00517D07j
		mov	byte ptr [ebp-48Ah], 1
		jmp	loc_517D14
; 

loc_5E96A7:				; CODE XREF: .text:00517D1Aj
		mov	eax, [ebp-490h]
		mov	ebx, 8000002Fh
		mov	dword ptr [eax], 1
		jmp	loc_51800B
; 

loc_5E96BD:				; CODE XREF: .text:00517D26j
		mov	eax, [ebp-490h]
		mov	ebx, 8000002Fh
		mov	dword ptr [eax], 1
		jmp	loc_51800B
; 

loc_5E96D3:				; CODE XREF: .text:00518118j
		cmp	dword ptr [ebp-4D8h], 1
		jz	loc_5E9D53
		mov	esi, [ebp-4D4h]
		mov	ecx, esi
		call	AuthzBasepEvaluateAttribute
		push	eax
		lea	edx, [ebp-488h]
		mov	[ebp-478h], eax
		lea	ecx, [ebp-468h]
		call	_AuthzBasepPushResult@12 ; AuthzBasepPushResult(x,x,x)
		mov	[ebp-474h], eax
		test	eax, eax
		js	loc_518005
		cmp	byte ptr [ebp-470h], 0
		jz	short loc_5E9727
		mov	eax, [esi+0Ch]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5E9727:				; CODE XREF: .text:005E971Aj
		mov	ecx, 0Ch
		lea	esi, [ebp-38h]
		lea	edi, [ebp-68h]
		rep movsd
		lea	eax, [ebp-68h]
		mov	ecx, 7
		lea	esi, [ebp-4C8h]
		lea	edi, [ebp-4E4h]
		rep movsd
		mov	[ebp-4D4h], eax
		lea	edi, [ebp-4C8h]
		mov	al, [ebp-46Fh]
		mov	ecx, 7
		mov	[ebp-470h], al
		xor	eax, eax
		push	30h
		push	eax
		rep stosd
		lea	eax, [ebp-38h]
		mov	byte ptr [ebp-46Fh], 0
		push	eax
		call	_memset
		mov	edi, [ebp+20h]
		mov	edx, 1
		add	esp, 0Ch
		mov	[ebp-480h], edx
		jmp	loc_51811E
; 

loc_5E9794:				; CODE XREF: .text:00518063j
					; DATA XREF: .text:00518278o
		lea	eax, [ebp-469h]
		inc	ebx
		push	eax
		push	edx
		lea	edx, [ebp-4E4h]
		call	AuthzBasepIsValidExpression
		test	al, al
		jz	loc_5E9D53
		mov	eax, [ebp-480h]
		cmp	eax, 2
		jnz	short loc_5E97E3
		mov	ecx, [ebp-4D4h]
		call	AuthzBasepEvaluateAttribute
		mov	ecx, [ebp-4B8h]
		mov	esi, eax
		mov	[ebp-498h], esi
		call	AuthzBasepEvaluateAttribute
		mov	ecx, eax
		mov	[ebp-4A4h], ecx
		jmp	short loc_5E9855
; 

loc_5E97E3:				; CODE XREF: .text:005E97B9j
		cmp	eax, 1
		jnz	short loc_5E97FD
		mov	ecx, [ebp-4D4h]
		call	AuthzBasepEvaluateAttribute
		mov	esi, eax
		mov	[ebp-498h], esi
		jmp	short loc_5E9829
; 

loc_5E97FD:				; CODE XREF: .text:005E97E6j
		lea	eax, [ebp-498h]
		push	eax
		lea	edx, [ebp-488h]
		lea	ecx, [ebp-468h]
		call	_AuthzBasepPopResult@12	; AuthzBasepPopResult(x,x,x)
		mov	[ebp-474h], eax
		test	eax, eax
		js	loc_518005
		mov	esi, [ebp-498h]

loc_5E9829:				; CODE XREF: .text:005E97FBj
		lea	eax, [ebp-4A4h]
		push	eax
		lea	edx, [ebp-488h]
		lea	ecx, [ebp-468h]
		call	_AuthzBasepPopResult@12	; AuthzBasepPopResult(x,x,x)
		mov	[ebp-474h], eax
		test	eax, eax
		js	loc_518005
		mov	ecx, [ebp-4A4h]

loc_5E9855:				; CODE XREF: .text:005E97E1j
		cmp	byte ptr [ebp-479h], 0A0h
		jnz	short loc_5E9875
		test	esi, esi
		jz	short loc_5E9889
		test	ecx, ecx
		jz	short loc_5E9889
		cmp	esi, 0FFFFFFFFh
		jz	short loc_5E9870
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_5E988D

loc_5E9870:				; CODE XREF: .text:005E9869j
					; .text:005E9882j ...
		or	eax, 0FFFFFFFFh
		jmp	short loc_5E989B
; 

loc_5E9875:				; CODE XREF: .text:005E985Cj
		cmp	esi, 1
		jz	short loc_5E988D
		cmp	ecx, 1
		jz	short loc_5E988D
		cmp	esi, 0FFFFFFFFh
		jz	short loc_5E9870
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_5E9870

loc_5E9889:				; CODE XREF: .text:005E9860j
					; .text:005E9864j
		xor	eax, eax
		jmp	short loc_5E989B
; 

loc_5E988D:				; CODE XREF: .text:005E986Ej
					; .text:005E9878j ...
		mov	eax, 1
		jmp	short loc_5E989B
; 

loc_5E9894:				; CODE XREF: .text:005E9A61j
		xor	eax, eax
		test	edx, edx
		setz	al

loc_5E989B:				; CODE XREF: .text:005E9873j
					; .text:005E988Bj ...
		mov	[ebp-478h], eax

loc_5E98A1:				; CODE XREF: .text:loc_5E9A52j
					; .text:005E9A5Bj
		push	eax
		jmp	loc_5180DC
; 

loc_5E98A7:				; CODE XREF: .text:0051809Aj
		cmp	byte ptr [ebp-469h], 0
		mov	eax, 0C00001A2h
		jnz	short loc_5E98D6

loc_5E98B5:				; CODE XREF: .text:005E9908j
					; .text:005E99B7j ...
		mov	ebx, eax
		jmp	loc_51800B
; 

loc_5E98BC:				; CODE XREF: .text:005180C7j
					; .text:005180CFj
		mov	ecx, [ebp-478h]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_5180DB
		xor	eax, eax
		test	ecx, ecx
		setz	al
		mov	ecx, eax
		jmp	short loc_5E98D9
; 

loc_5E98D6:				; CODE XREF: .text:005180A7j
					; .text:005E98B3j
		or	ecx, 0FFFFFFFFh

loc_5E98D9:				; CODE XREF: .text:005E98D4j
		mov	[ebp-478h], ecx
		jmp	loc_5180DB
; 

loc_5E98E4:				; CODE XREF: .text:00518063j
					; DATA XREF: .text:0051827Co
		lea	eax, [ebp-469h]
		inc	ebx
		push	eax
		push	edx
		lea	edx, [ebp-4E4h]
		call	AuthzBasepIsValidExpression
		test	al, al
		jnz	short loc_5E9951
		cmp	byte ptr [ebp-469h], 0
		mov	eax, 0C00001A2h
		jz	short loc_5E98B5

loc_5E990A:				; CODE XREF: .text:005E9958j
					; .text:005E997Fj
		or	eax, 0FFFFFFFFh

loc_5E990D:				; CODE XREF: .text:005E998Aj
					; .text:005E998Ej
		push	eax
		lea	edx, [ebp-488h]
		mov	[ebp-478h], eax
		lea	ecx, [ebp-468h]
		call	_AuthzBasepPushResult@12 ; AuthzBasepPushResult(x,x,x)
		mov	esi, eax
		mov	[ebp-474h], esi
		test	esi, esi
		js	loc_518005
		lea	edx, [ebp-470h]
		lea	ecx, [ebp-4E4h]
		call	_AuthzBasepResetOperands@8 ; AuthzBasepResetOperands(x,x)
		mov	edx, [ebp-480h]
		jmp	loc_517FE0
; 

loc_5E9951:				; CODE XREF: .text:005E98FAj
		cmp	byte ptr [ebp-469h], 0
		jnz	short loc_5E990A
		lea	eax, [ebp-500h]
		push	eax
		lea	edx, [ebp-4E4h]
		call	_AuthzBasepComputeExpression@12	; AuthzBasepComputeExpression(x,x,x)
		mov	ecx, [ebp-500h]
		mov	eax, ecx
		mov	edx, [ebp-4FCh]
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5E990A
		or	ecx, edx
		jz	short loc_5E998C
		mov	eax, 1
		jmp	short loc_5E990D
; 

loc_5E998C:				; CODE XREF: .text:005E9983j
		xor	eax, eax
		jmp	loc_5E990D
; 

loc_5E9993:				; CODE XREF: .text:00518063j
					; DATA XREF: .text:00518270o
		lea	eax, [ebp-469h]
		inc	ebx
		push	eax
		push	edx
		lea	edx, [ebp-4E4h]
		call	AuthzBasepIsValidExpression
		test	al, al
		jnz	short loc_5E99C6
		cmp	byte ptr [ebp-469h], 0
		mov	eax, 0C00001A2h
		jz	loc_5E98B5

loc_5E99BD:				; CODE XREF: .text:005E9A2Cj
		mov	eax, 0FFFFFFFFh
		or	edx, eax
		jmp	short loc_5E9A3F
; 

loc_5E99C6:				; CODE XREF: .text:005E99A9j
		cmp	byte ptr [ebp-469h], 0
		jnz	short loc_5E9A24
		cmp	cl, 89h
		jz	short loc_5E99E0
		mov	byte ptr [ebp-4ECh], 0
		cmp	cl, 90h
		jnz	short loc_5E99E7

loc_5E99E0:				; CODE XREF: .text:005E99D2j
		mov	byte ptr [ebp-4ECh], 1

loc_5E99E7:				; CODE XREF: .text:005E99DEj
		mov	edx, [ebp-494h]
		lea	eax, [ebp-47Ah]
		push	eax
		push	dword ptr [ebp-4ECh]
		lea	ecx, [ebp-4E4h]
		push	dword ptr [ebp-4A0h]
		push	dword ptr [ebp+24h]
		call	_AuthzBasepMemberOf@24 ; AuthzBasepMemberOf(x,x,x,x,x,x)
		mov	cl, [ebp-479h]
		mov	esi, eax
		mov	al, [ebp-47Ah]
		mov	[ebp-47Bh], al
		jmp	short loc_5E9A2A
; 

loc_5E9A24:				; CODE XREF: .text:005E99CDj
		mov	al, [ebp-47Bh]

loc_5E9A2A:				; CODE XREF: .text:005E9A22j
		test	esi, esi
		js	short loc_5E99BD
		test	al, al
		jz	short loc_5E9A3B
		mov	eax, 1
		mov	edx, eax
		jmp	short loc_5E9A3F
; 

loc_5E9A3B:				; CODE XREF: .text:005E9A30j
		xor	eax, eax
		xor	edx, edx

loc_5E9A3F:				; CODE XREF: .text:005E99C4j
					; .text:005E9A39j
		mov	[ebp-478h], eax
		cmp	cl, 90h
		jz	short loc_5E9A58
		cmp	cl, 92h
		jmp	short loc_5E9A52
; 

loc_5E9A4F:				; CODE XREF: .text:005E9B21j
		cmp	cl, 93h

loc_5E9A52:				; CODE XREF: .text:005E9A4Dj
		jnz	loc_5E98A1

loc_5E9A58:				; CODE XREF: .text:005E9A48j
					; .text:005E9B1Bj
		cmp	edx, 0FFFFFFFFh
		jz	loc_5E98A1
		jmp	loc_5E9894
; 

loc_5E9A66:				; CODE XREF: .text:00518063j
					; DATA XREF: .text:00518274o
		lea	eax, [ebp-469h]
		inc	ebx
		push	eax
		push	edx
		lea	edx, [ebp-4E4h]
		call	AuthzBasepIsValidExpression
		test	al, al
		jnz	short loc_5E9A99
		cmp	byte ptr [ebp-469h], 0
		mov	eax, 0C00001A2h
		jz	loc_5E98B5

loc_5E9A90:				; CODE XREF: .text:005E9AFFj
		mov	eax, 0FFFFFFFFh
		or	edx, eax
		jmp	short loc_5E9B12
; 

loc_5E9A99:				; CODE XREF: .text:005E9A7Cj
		cmp	byte ptr [ebp-469h], 0
		jnz	short loc_5E9AF7
		cmp	cl, 8Ah
		jz	short loc_5E9AB3
		mov	byte ptr [ebp-4F0h], 0
		cmp	cl, 91h
		jnz	short loc_5E9ABA

loc_5E9AB3:				; CODE XREF: .text:005E9AA5j
		mov	byte ptr [ebp-4F0h], 1

loc_5E9ABA:				; CODE XREF: .text:005E9AB1j
		mov	edx, [ebp-494h]
		lea	eax, [ebp-47Ah]
		push	eax
		push	dword ptr [ebp-4F0h]
		lea	ecx, [ebp-4E4h]
		push	dword ptr [ebp-4A0h]
		push	dword ptr [ebp+24h]
		call	_AuthzBasepDeviceMemberOf@24 ; AuthzBasepDeviceMemberOf(x,x,x,x,x,x)
		mov	cl, [ebp-479h]
		mov	esi, eax
		mov	al, [ebp-47Ah]
		mov	[ebp-47Bh], al
		jmp	short loc_5E9AFD
; 

loc_5E9AF7:				; CODE XREF: .text:005E9AA0j
		mov	al, [ebp-47Bh]

loc_5E9AFD:				; CODE XREF: .text:005E9AF5j
		test	esi, esi
		js	short loc_5E9A90
		test	al, al
		jz	short loc_5E9B0E
		mov	eax, 1
		mov	edx, eax
		jmp	short loc_5E9B12
; 

loc_5E9B0E:				; CODE XREF: .text:005E9B03j
		xor	eax, eax
		xor	edx, edx

loc_5E9B12:				; CODE XREF: .text:005E9A97j
					; .text:005E9B0Cj
		mov	[ebp-478h], eax
		cmp	cl, 91h
		jz	loc_5E9A58
		jmp	loc_5E9A4F
; 

loc_5E9B26:				; CODE XREF: .text:0051824Dj
		xor	eax, eax
		test	edx, edx
		setz	al
		mov	edx, eax
		mov	[ebp-478h], edx
		jmp	loc_518253
; 

loc_5E9B3A:				; CODE XREF: .text:00518176j
		cmp	ebx, edi
		jmp	loc_518079
; 

loc_5E9B41:				; CODE XREF: .text:00517DABj
		lea	eax, [ebp-478h]
		push	eax
		lea	edx, [ebp-488h]
		lea	ecx, [ebp-468h]
		call	_AuthzBasepPopResult@12	; AuthzBasepPopResult(x,x,x)
		mov	[ebp-474h], eax
		test	eax, eax
		js	loc_518005
		mov	esi, [ebp-478h]
		jmp	loc_517DD5
; 

loc_5E9B72:				; CODE XREF: .text:00517DD8j
		or	eax, 0FFFFFFFFh
		jmp	loc_517DE8
; 

loc_5E9B7A:				; CODE XREF: .text:00517DE0j
		mov	eax, 1
		jmp	loc_517DE8
; 

loc_5E9B84:				; CODE XREF: .text:00517E26j
		cmp	dword ptr [ebp-4D8h], 1
		jz	loc_5E9D53
		mov	esi, [ebp-4D4h]
		mov	ecx, esi
		call	AuthzBasepEvaluateAttribute
		push	eax
		lea	edx, [ebp-488h]
		mov	[ebp-478h], eax
		lea	ecx, [ebp-468h]
		call	_AuthzBasepPushResult@12 ; AuthzBasepPushResult(x,x,x)
		mov	[ebp-474h], eax
		test	eax, eax
		js	loc_518005
		cmp	byte ptr [ebp-470h], 0
		jz	short loc_5E9BD8
		mov	eax, [esi+0Ch]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5E9BD8:				; CODE XREF: .text:005E9BCBj
		mov	ecx, 0Ch
		lea	esi, [ebp-38h]
		lea	edi, [ebp-68h]
		rep movsd
		lea	eax, [ebp-68h]
		mov	ecx, 7
		lea	esi, [ebp-4C8h]
		lea	edi, [ebp-4E4h]
		rep movsd
		mov	[ebp-4D4h], eax
		lea	edi, [ebp-4C8h]
		mov	al, [ebp-46Fh]
		mov	ecx, 7
		mov	[ebp-470h], al
		xor	eax, eax
		push	30h
		push	eax
		rep stosd
		lea	eax, [ebp-38h]
		mov	byte ptr [ebp-46Fh], 0
		push	eax
		call	_memset
		mov	edi, [ebp+20h]
		mov	edx, 1
		add	esp, 0Ch
		mov	[ebp-480h], edx
		jmp	loc_517E2C
; 

loc_5E9C45:				; CODE XREF: .text:00517EB5j
		cmp	byte ptr [ebp-4A0h], 0
		mov	dword ptr [edi], 3
		jz	short loc_5E9C5C
		mov	eax, [ebp+10h]
		jmp	loc_517EDF
; 

loc_5E9C5C:				; CODE XREF: .text:005E9C52j
		mov	eax, [ebp+0Ch]
		jmp	loc_517EDF
; 

loc_5E9C64:				; CODE XREF: .text:00517EBDj
		cmp	byte ptr [ebp-4A0h], 0
		mov	dword ptr [edi], 5
		jz	short loc_5E9C7B
		mov	eax, [ebp+18h]
		jmp	loc_517EDF
; 

loc_5E9C7B:				; CODE XREF: .text:005E9C71j
		mov	eax, [ebp+14h]
		jmp	loc_517EDF
; 

loc_5E9C83:				; CODE XREF: .text:00517EC5j
		mov	eax, [ebp-504h]
		mov	dword ptr [edi], 4
		jmp	loc_517EDF
; 

loc_5E9C94:				; CODE XREF: .text:00517ECDj
		mov	eax, [ebp-494h]
		mov	dword ptr [edi], 6
		jmp	loc_517EDF
; 

loc_5E9CA5:				; CODE XREF: .text:00517F28j
		mov	eax, [ebp-494h]
		test	dword ptr [eax+0B0h], 20000h
		jnz	loc_517F2E
		lea	ecx, [ebp-60h]
		add	ecx, esi
		call	SepPotentialGlobalTableAttribute
		test	al, al
		jz	loc_517F2E
		cmp	byte ptr [ebp-489h], 0
		jnz	loc_517F2E
		cmp	byte ptr [ebp-481h], 0
		jnz	short loc_5E9D07
		mov	ecx, [ebp-4A8h]
		lea	edx, [ebp-4ACh]
		call	_SepValidateAndCopyGlobalEntry@8 ; SepValidateAndCopyGlobalEntry(x,x)
		mov	edx, eax
		mov	[ebp-474h], edx
		test	edx, edx
		js	short loc_5E9D3B
		mov	byte ptr [ebp-481h], 1

loc_5E9D07:				; CODE XREF: .text:005E9CE1j
		mov	eax, [ebp-4ACh]
		mov	ecx, edi
		mov	[ebp+esi-64h], eax
		call	AuthzBasepQuerySecurityAttributeAndValues
		mov	edx, eax
		mov	[ebp-474h], edx
		cmp	edx, 0C0000225h
		jnz	loc_517F61
		mov	eax, [ebp-4A8h]
		mov	[ebp+esi-64h], eax
		jmp	loc_517F2E
; 

loc_5E9D3B:				; CODE XREF: .text:005E9CFEj
		mov	byte ptr [ebp-489h], 1
		cmp	edx, 0C0000225h
		jz	loc_517F2E
		jmp	loc_517F61
; 

loc_5E9D53:				; CODE XREF: .text:00517D9Ej
					; .text:00517E33j ...
		mov	ebx, 0C00001A2h
		jmp	loc_51800B
; 

loc_5E9D5D:				; CODE XREF: .text:00517E5Dj
		mov	ebx, 0C0000106h
		jmp	loc_51800B
; 

loc_5E9D67:				; CODE XREF: .text:00517CF1j
					; .text:00517CF9j
		mov	ebx, 0C000000Dh
		jmp	loc_51800B
; 

loc_5E9D71:				; CODE XREF: .text:00517D4Cj
		xor	ebx, ebx
		jmp	loc_51800B
; 

loc_5E9D78:				; CODE XREF: .text:0051802Ej
		mov	esi, [ebp-4ACh]
		test	esi, esi
		jz	loc_518034
		mov	ecx, esi
		call	AuthzBasepFreeSecurityAttributesList
		push	74416553h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_518034
; 

loc_5E9D9D:				; CODE XREF: .text:00518036j
		mov	eax, [ebp-490h]
		mov	dword ptr [eax], 0FFFFFFFFh
		jmp	loc_51803C
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepCopyoutSecurityAttributes

loc_5E9DAE:				; CODE XREF: AuthzBasepCopyoutSecurityAttributes+1Bj
					; AuthzBasepCopyoutSecurityAttributes+23j ...
		mov	edx, 0C000000Dh

loc_5E9DB3:				; CODE XREF: AuthzBasepCopyoutSecurityAttributes+24Cj
		cmp	eax, 0Ch
		jb	loc_518554
		mov	edi, ebx
		xor	eax, eax
		stosd
		stosd
		stosd
		jmp	loc_518554
; 

loc_5E9DC8:				; CODE XREF: AuthzBasepCopyoutSecurityAttributes+4Fj
		mov	edx, 0C0000023h
		jmp	loc_518629
; 

loc_5E9DD2:				; CODE XREF: AuthzBasepCopyoutSecurityAttributes+8Bj
					; AuthzBasepCopyoutSecurityAttributes+108j ...
		mov	edx, 80000005h
		jmp	loc_518629
; 

loc_5E9DDC:				; CODE XREF: AuthzBasepCopyoutSecurityAttributes+D1j
		mov	edx, 0C0000225h
		jmp	loc_518629
; END OF FUNCTION CHUNK	FOR AuthzBasepCopyoutSecurityAttributes
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepCopyoutSecurityAttributeValues

loc_5E9DE6:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+1Cj
		mov	eax, 80000005h
		jmp	loc_5186C9
; 

loc_5E9DF0:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+144j
					; DATA XREF: .text:005187A0o
		mov	eax, [edx+24h]
		shl	eax, 4
		mov	[ebp+arg_4], eax
		lea	eax, [esi+7]
		mov	ecx, eax
		and	ecx, 0FFFFFFF8h
		add	ecx, [ebp+arg_4]
		cmp	ecx, ebx
		ja	loc_51878B
		mov	ecx, [ebp+var_4]
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_8], eax
		mov	[ecx+14h], eax
		lea	ecx, [edx+2Ch]
		mov	edx, [ecx]
		add	eax, [ebp+arg_4]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_4], edx
		cmp	edx, ecx
		jz	loc_5186C2
		mov	ecx, [ebp+var_8]
		add	ecx, 0Ah
		mov	[ebp+arg_4], ecx

loc_5E9E37:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+D1856j
		movzx	ecx, word ptr [edx+20h]
		mov	edi, ecx
		mov	[ebp+var_C], ecx
		add	ecx, eax
		mov	[ebp+var_8], edi
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_10], ecx
		cmp	ecx, ebx
		ja	loc_51878B
		mov	esi, [ebp+arg_4]
		mov	ecx, [edx+18h]
		push	[ebp+var_C]	; size_t
		mov	[esi-0Ah], ecx
		mov	ecx, [edx+1Ch]
		mov	[esi-6], ecx
		mov	ecx, esi
		mov	esi, [ebp+var_8]
		mov	[ecx-2], si
		mov	[ecx], si
		mov	[ecx+2], eax
		mov	ecx, [edx+24h]
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_4]
		add	esp, 0Ch
		add	[ebp+arg_4], 10h
		mov	eax, [ebp+var_10]
		mov	esi, [ebp+arg_0]
		mov	edx, [edx]
		mov	[ebp+var_4], edx
		cmp	edx, [ebp+var_14]
		jnz	short loc_5E9E37
		jmp	loc_5186C2
; 

loc_5E9E9D:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+144j
					; DATA XREF: .text:005187A4o
		mov	eax, [edx+24h]
		shl	eax, 3
		mov	[ebp+var_8], eax
		lea	eax, [esi+3]
		mov	ecx, eax
		and	ecx, 0FFFFFFFCh
		add	ecx, [ebp+var_8]
		cmp	ecx, ebx
		ja	loc_51878B
		mov	ecx, [ebp+var_4]
		add	edx, 2Ch
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_10], edx
		mov	[ebp+arg_4], eax
		mov	[ecx+14h], eax
		add	eax, [ebp+var_8]
		mov	ecx, [edx]
		mov	[ebp+var_8], ecx
		cmp	ecx, edx
		jz	loc_5186C2

loc_5E9EDB:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+D18DAj
		mov	edx, [ecx+1Ch]
		lea	edi, [eax+edx]
		mov	[ebp+var_14], edi
		cmp	edi, ebx
		mov	edi, [ebp+arg_8]
		ja	loc_51878B
		mov	esi, [ebp+arg_4]
		push	edx		; size_t
		mov	[esi], eax
		mov	[esi+4], edx
		mov	ecx, [ecx+18h]
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_8]
		add	esp, 0Ch
		add	[ebp+arg_4], 8
		mov	eax, [ebp+var_14]
		mov	esi, [ebp+arg_0]
		mov	ecx, [ecx]
		mov	[ebp+var_8], ecx
		cmp	ecx, [ebp+var_10]
		jnz	short loc_5E9EDB
		jmp	loc_5186C2
; 

loc_5E9F21:				; CODE XREF: AuthzBasepCopyoutSecurityAttributeValues+137j
					; AuthzBasepCopyoutSecurityAttributeValues+144j
					; DATA XREF: ...
		mov	eax, 0C000000Dh
		jmp	loc_5186C8
; END OF FUNCTION CHUNK	FOR AuthzBasepCopyoutSecurityAttributeValues
; 
; START	OF FUNCTION CHUNK FOR CcGetDirtyPagesHelper

loc_5E9F2B:				; CODE XREF: CcGetDirtyPagesHelper+BEj
		cmp	[ebx+98h], edi
		jz	loc_5188A0
		jmp	loc_518884
; 

loc_5E9F3C:				; CODE XREF: CcGetDirtyPagesHelper+F3j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_70]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5188D9
; 

loc_5E9F4C:				; CODE XREF: CcGetDirtyPagesHelper+26Bj
		mov	ecx, eax
		jmp	loc_518A13
; 

loc_5E9F53:				; CODE XREF: CcGetDirtyPagesHelper+B3j
		push	0
		push	0
		push	0C0000420h
		push	408h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E9F68:				; CODE XREF: CcGetDirtyPagesHelper+2CEj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_70]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_518AB6
; END OF FUNCTION CHUNK	FOR CcGetDirtyPagesHelper

;  S U B	R O U T	I N E 

; Attributes: thunk

sub_5E9F78	proc near		; DATA XREF: .text:006A5510o
		jmp	sub_518B5F
sub_5E9F78	endp

; 
; START	OF FUNCTION CHUNK FOR sub_518B5F

loc_5E9F7D:				; CODE XREF: sub_518B5F+4j
		mov	ecx, [ebp-28h]
		test	ecx, ecx
		jz	locret_518B69
		push	0
		mov	dl, 1
		call	CcUnpinFileDataEx
		jmp	locret_518B69
; END OF FUNCTION CHUNK	FOR sub_518B5F
; 
; START	OF FUNCTION CHUNK FOR SepCanTokenMatchAllPackageSid

loc_5E9F96:				; CODE XREF: SepCanTokenMatchAllPackageSid+AFj
		test	cl, 40h
		jnz	loc_518C25
		push	0
		push	0
		push	esi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E9FB0:				; CODE XREF: SepCanTokenMatchAllPackageSid+136j
		push	0
		push	1
		movzx	eax, al
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E9FC4:				; CODE XREF: SepCanTokenMatchAllPackageSid+13Cj
		test	byte ptr [ecx+84h], 2
		jz	short loc_5E9FDF
		push	0
		push	0
		push	0
		push	6
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5E9FDF:				; CODE XREF: SepCanTokenMatchAllPackageSid+D145Bj
		cmp	al, 1
		jnb	short loc_5E9FF5
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_5E9FF5
		cmp	dword ptr [ecx+13Ch], 0
		jz	short loc_5EA065

loc_5E9FF5:				; CODE XREF: SepCanTokenMatchAllPackageSid+D1471j
					; SepCanTokenMatchAllPackageSid+D147Aj
		movzx	ecx, word ptr [esi+0Eh]
		jmp	loc_518C2A
; 

loc_5E9FFE:				; CODE XREF: SepCanTokenMatchAllPackageSid+C0j
		call	_ExpFastResourceLegacyAcquireShared@8 ;	ExpFastResourceLegacyAcquireShared(x,x)
		jmp	loc_518C3B
; 

loc_5EA008:				; CODE XREF: SepCanTokenMatchAllPackageSid+D8j
		mov	eax, [esp+50h+var_1C]
		mov	ecx, [eax]
		or	ecx, [eax+4]
		jnz	short loc_5EA01A
		mov	bh, 1
		jmp	loc_518C4E
; 

loc_5EA01A:				; CODE XREF: SepCanTokenMatchAllPackageSid+D14A1j
		xor	bh, bh
		jmp	loc_518C4E
; 

loc_5EA021:				; CODE XREF: SepCanTokenMatchAllPackageSid+F0j
		test	cl, 40h
		jnz	loc_518C66
		push	0
		push	0
		push	esi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA03B:				; CODE XREF: SepCanTokenMatchAllPackageSid+150j
		push	0
		push	2
		movzx	eax, al
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA04F:				; CODE XREF: SepCanTokenMatchAllPackageSid+156j
		cmp	al, 1
		jnb	short loc_5EA077
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_5EA077
		cmp	dword ptr [ecx+13Ch], 0
		jnz	short loc_5EA077

loc_5EA065:				; CODE XREF: SepCanTokenMatchAllPackageSid+D1483j
		push	0
		push	0
		push	0
		push	7
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA077:				; CODE XREF: SepCanTokenMatchAllPackageSid+D14E1j
					; SepCanTokenMatchAllPackageSid+D14EAj	...
		movzx	ecx, word ptr [esi+0Eh]
		jmp	loc_518C6B
; END OF FUNCTION CHUNK	FOR SepCanTokenMatchAllPackageSid
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepQuerySecurityAttributeAndValues

loc_5EA080:				; CODE XREF: AuthzBasepQuerySecurityAttributeAndValues+Aj
		pop	esi
		jmp	_AuthzBasepQueryTokenAttributeAndValues@4 ; AuthzBasepQueryTokenAttributeAndValues(x)
; END OF FUNCTION CHUNK	FOR AuthzBasepQuerySecurityAttributeAndValues
; 
; START	OF FUNCTION CHUNK FOR SeSecurityAttributePresent

loc_5EA086:				; CODE XREF: SeSecurityAttributePresent+36j
		test	cl, 40h
		jnz	loc_518DAC
		push	0
		push	0
		push	edi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA0A0:				; CODE XREF: SeSecurityAttributePresent+BBj
		push	0
		push	1
		movzx	eax, al
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA0B4:				; CODE XREF: SeSecurityAttributePresent+C1j
		test	byte ptr [ecx+84h], 2
		jz	short loc_5EA0CF
		push	0
		push	0
		push	0
		push	6
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA0CF:				; CODE XREF: SeSecurityAttributePresent+D134Bj
		cmp	al, 1
		jnb	short loc_5EA0E5
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_5EA0E5
		cmp	dword ptr [ecx+13Ch], 0
		jz	short loc_5EA13C

loc_5EA0E5:				; CODE XREF: SeSecurityAttributePresent+D1361j
					; SeSecurityAttributePresent+D136Aj
		movzx	ecx, word ptr [edi+0Eh]
		jmp	loc_518DB1
; 

loc_5EA0EE:				; CODE XREF: SeSecurityAttributePresent+47j
		call	_ExpFastResourceLegacyAcquireShared@8 ;	ExpFastResourceLegacyAcquireShared(x,x)
		jmp	loc_518DC2
; 

loc_5EA0F8:				; CODE XREF: SeSecurityAttributePresent+7Fj
		test	cl, 40h
		jnz	loc_518DF5
		push	0
		push	0
		push	esi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA112:				; CODE XREF: SeSecurityAttributePresent+D1j
		push	0
		push	2
		movzx	eax, al
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA126:				; CODE XREF: SeSecurityAttributePresent+D7j
		cmp	al, 1
		jnb	short loc_5EA14E
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_5EA14E
		cmp	dword ptr [ecx+13Ch], 0
		jnz	short loc_5EA14E

loc_5EA13C:				; CODE XREF: SeSecurityAttributePresent+D1373j
		push	0
		push	0
		push	0
		push	7
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA14E:				; CODE XREF: SeSecurityAttributePresent+D13B8j
					; SeSecurityAttributePresent+D13C1j ...
		movzx	ecx, word ptr [esi+0Eh]
		jmp	loc_518DFA
; END OF FUNCTION CHUNK	FOR SeSecurityAttributePresent
; 
; START	OF FUNCTION CHUNK FOR CcUnpinFileDataEx

loc_5EA157:				; CODE XREF: CcUnpinFileDataEx+4Cj
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_518EB2
; 

loc_5EA166:				; CODE XREF: CcUnpinFileDataEx+93j
		mov	dl, bh
		mov	ecx, offset dword_6CF3C0
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_518F29
; 

loc_5EA177:				; CODE XREF: CcUnpinFileDataEx+C3j
		mov	edi, offset dword_6CF3C0

loc_5EA17C:				; CODE XREF: CcUnpinFileDataEx+D1350j
		test	edx, 40000000h
		jnz	short loc_5EA196
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5EA1A4

loc_5EA196:				; CODE XREF: CcUnpinFileDataEx+D1322j
		lea	ecx, [esp+40h+var_1C]
		call	KeYieldProcessorEx
		mov	eax, ds:dword_6CF3C0

loc_5EA1A4:				; CODE XREF: CcUnpinFileDataEx+D1334j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5EA17C
		mov	edi, [esp+40h+var_28]
		jmp	loc_518F29
; 

loc_5EA1BB:				; CODE XREF: CcUnpinFileDataEx+D0j
		mov	edx, [ebp+4]
		mov	ecx, offset dword_6CF3C0
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_518F40
; 

loc_5EA1CD:				; CODE XREF: CcUnpinFileDataEx+F2j
		push	0
		push	0
		push	0C0000420h
		push	1314h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA1E2:				; CODE XREF: CcUnpinFileDataEx+128j
		mov	[esp+54h+var_40], 0
		jmp	loc_51906A
; 

loc_5EA1EF:				; CODE XREF: CcUnpinFileDataEx+554j
		mov	ecx, [esp+40h+var_30]
		mov	edx, edi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [esp+40h+var_30]
		jmp	loc_5193BA
; 

loc_5EA203:				; CODE XREF: CcUnpinFileDataEx+1AEj
					; CcUnpinFileDataEx+1B6j
		mov	ecx, [edx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [esp+40h+var_2C]
		jmp	loc_51901F
; 

loc_5EA217:				; CODE XREF: CcUnpinFileDataEx+339j
		push	0
		push	0
		push	eax
		push	2047Bh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA228:				; CODE XREF: CcUnpinFileDataEx+3B1j
		mov	edx, [ebp+4]
		lea	ecx, [esp+68h+var_34]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51923D
; 

loc_5EA239:				; CODE XREF: CcUnpinFileDataEx+28Aj
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	edx, [esp+40h+var_10]
		jmp	loc_5190F0
; 

loc_5EA24C:				; CODE XREF: CcUnpinFileDataEx+2B7j
		test	cl, 40h
		jnz	loc_51911D
		push	0
		push	0
		push	esi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA266:				; CODE XREF: CcUnpinFileDataEx+587j
		push	0
		push	2
		movzx	eax, al
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA27A:				; CODE XREF: CcUnpinFileDataEx+58Dj
		cmp	al, 1
		jnb	short loc_5EA2A2
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_5EA2A2
		cmp	dword ptr [ecx+13Ch], 0
		jnz	short loc_5EA2A2
		push	0
		push	0
		push	0
		push	7
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA2A2:				; CODE XREF: CcUnpinFileDataEx+D141Cj
					; CcUnpinFileDataEx+D1425j ...
		movzx	ecx, word ptr [esi+0Eh]
		jmp	loc_519126
; 

loc_5EA2AB:				; CODE XREF: CcUnpinFileDataEx+2CBj
		call	_ExpFastResourceLegacyRelease@4	; ExpFastResourceLegacyRelease(x)
		jmp	loc_51913D
; 

loc_5EA2B5:				; CODE XREF: CcUnpinFileDataEx+4C9j
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_51932F
; 

loc_5EA2C4:				; CODE XREF: CcUnpinFileDataEx+42Aj
					; CcUnpinFileDataEx+432j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EA2CB:				; CODE XREF: CcUnpinFileDataEx+24Aj
		push	0
		push	0
		push	0C0000420h
		push	444h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5EA2E1:				; CODE XREF: ExpReleaseResourceForThreadLite+2Dj
		mov	edx, edi
		lea	ecx, [ebp+var_28]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_519440
; END OF FUNCTION CHUNK	FOR CcUnpinFileDataEx
; 
; START	OF FUNCTION CHUNK FOR ExpReleaseResourceForThreadLite

loc_5EA2F0:				; CODE XREF: ExpReleaseResourceForThreadLite+4Ej
					; ExpReleaseResourceForThreadLite+5Bj
		mov	eax, ebx
		and	eax, 3
		cmp	al, 3
		jz	loc_519461
		cmp	ebx, edx
		jz	loc_519461
		push	0
		push	ebx
		push	edx
		push	esi
		push	16Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA314:				; CODE XREF: ExpReleaseResourceForThreadLite+7Aj
		mov	[ebp+var_1], 1
		jmp	loc_519484
; 

loc_5EA31D:				; CODE XREF: ExpReleaseResourceForThreadLite+233j
					; ExpReleaseResourceForThreadLite+24Aj	...
		push	2
		push	[ebp+var_10]
		push	ebx
		push	esi
		push	0E3h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EA32E:				; CODE XREF: ExpReleaseResourceForThreadLite+1BAj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5195E2
; 

loc_5EA33E:				; CODE XREF: ExpReleaseResourceForThreadLite+EBj
		mov	eax, [esi+10h]
		mov	dword ptr [esi+10h], 0
		mov	[ebp+var_C], eax
		mov	eax, [esi+28h]
		mov	dword ptr [esi+28h], 0
		jmp	loc_5194F3
; 

loc_5EA35A:				; CODE XREF: ExpReleaseResourceForThreadLite+103j
		mov	al, 1
		jmp	loc_51950B
; 

loc_5EA361:				; CODE XREF: ExpReleaseResourceForThreadLite+134j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51955C
; 

loc_5EA371:				; CODE XREF: ExpReleaseResourceForThreadLite+198j
		push	[ebp+var_10]
		mov	edx, esi
		mov	ecx, ebx
		push	edi
		call	@PerfLogExecutiveResourceRelease@16 ; PerfLogExecutiveResourceRelease(x,x,x,x)
		jmp	loc_51959E
; END OF FUNCTION CHUNK	FOR ExpReleaseResourceForThreadLite
; 
; START	OF FUNCTION CHUNK FOR KeWakeWaitChain

loc_5EA383:				; CODE XREF: KeWakeWaitChain+8Bj
		cmp	al, 2
		jnz	loc_5EA47E
		mov	byte ptr [ecx+9], 5
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_4], eax
		add	eax, 8
		mov	dword ptr [ecx], 0
		mov	[ebp+var_20], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_18], eax
		mov	eax, [eax+4]
		mov	[ebp+var_C], eax
		jz	short loc_5EA3D8
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_5EA3D8:				; CODE XREF: KeWakeWaitChain+D0C80j
		mov	ecx, [ebp+var_4]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_4]
		cmp	[edx], edx
		jz	short loc_5EA41F
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+1Ch]
		jnb	short loc_5EA41F
		mov	eax, [ebp+var_C]
		mov	eax, [eax+0A4h]
		cmp	eax, ecx
		jnz	short loc_5EA40B
		mov	eax, [ebp+var_C]
		cmp	byte ptr [eax+18Bh], 0Fh
		jz	short loc_5EA41F

loc_5EA40B:				; CODE XREF: KeWakeWaitChain+D0CBDj
		push	[ebp+var_10]
		mov	edx, ecx
		mov	ecx, [ebp+var_18]
		call	KiWakeQueueWaiter
		mov	ecx, [ebp+var_4]
		test	al, al
		jnz	short loc_5EA467

loc_5EA41F:				; CODE XREF: KeWakeWaitChain+D0CA8j
					; KeWakeWaitChain+D0CB0j ...
		mov	eax, [ecx+4]
		mov	[ebp+var_C], eax
		inc	eax
		mov	[ecx+4], eax
		lea	eax, [ecx+10h]
		mov	edx, [eax+4]
		mov	[ebp+var_20], edx
		cmp	[edx], eax
		jnz	loc_5197B6
		cmp	[ebp+var_C], 0
		lea	edx, [ecx+10h]
		mov	eax, [ebp+var_10]
		mov	[eax], edx
		mov	edx, [ebp+var_20]
		mov	[eax+4], edx
		mov	[edx], eax
		lea	edx, [ecx+8]
		mov	[ecx+14h], eax
		jnz	short loc_5EA467
		cmp	[edx], edx
		jz	short loc_5EA467
		mov	edx, ecx
		mov	ecx, [ebp+var_18]
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		mov	ecx, [ebp+var_4]

loc_5EA467:				; CODE XREF: KeWakeWaitChain+D0CDDj
					; KeWakeWaitChain+D0D14j ...
		mov	eax, 0FFFFFF7Fh
		lock and [ecx],	eax
		mov	eax, [ebp+var_14]
		add	dword ptr [eax+10h], 0FFFFFFFFh
		jz	loc_5197F7
		jmp	short loc_5EA48F
; 

loc_5EA47E:				; CODE XREF: KeWakeWaitChain+D0C45j
		push	0
		mov	edx, ecx
		mov	ecx, [ebp+var_8]
		push	100h
		call	KiTryUnwaitThread

loc_5EA48F:				; CODE XREF: KeWakeWaitChain+A4j
					; KeWakeWaitChain+B1j ...
		mov	eax, [ebp+var_24]
		cmp	eax, [ebp+var_28]
		jnz	loc_5197A4
		jmp	loc_5197F7
; END OF FUNCTION CHUNK	FOR KeWakeWaitChain

;  S U B	R O U T	I N E 


sub_5EA4A0	proc near		; DATA XREF: .text:006A5530o
		mov	al, [ebp-1Ch]
		mov	ebx, [ebp-28h]
		mov	esi, [ebp-2Ch]
		jmp	sub_519976
sub_5EA4A0	endp

; 
; START	OF FUNCTION CHUNK FOR sub_519976

loc_5EA4AE:				; CODE XREF: sub_519976+4j
		test	al, al
		jz	locret_519980
		push	0
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+4], 0
		retn
; END OF FUNCTION CHUNK	FOR sub_519976
; 
; START	OF FUNCTION CHUNK FOR SepInternalQuerySecurityAttributesTokenEx

loc_5EA4C5:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+39j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_5199CF
		mov	[ebp+arg_4], ebx
		test	edi, edi
		jz	short loc_5EA513
		mov	[ebp+arg_8], eax

loc_5EA4DA:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+D0B81j
		mov	ecx, eax
		call	SepPotentialGlobalTableAttribute
		test	al, al
		jz	loc_5199CF
		mov	ecx, [esi+1DCh]
		mov	edx, [ebp+arg_8]
		call	_AuthzBasepFindSecurityAttribute@8 ; AuthzBasepFindSecurityAttribute(x,x)
		test	eax, eax
		jnz	loc_5199CF
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_8]
		inc	ecx
		add	eax, 8
		mov	[ebp+arg_4], ecx
		mov	[ebp+arg_8], eax
		cmp	ecx, edi
		jb	short loc_5EA4DA

loc_5EA513:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+2Aj
					; SepInternalQuerySecurityAttributesTokenEx+D0B45j
		lea	eax, [ebp+var_10]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_4]
		xor	cl, cl
		push	eax
		call	_SepGetProcUniqueLuidAndIndexFromTokenEx@16 ; SepGetProcUniqueLuidAndIndexFromTokenEx(x,x,x,x)
		test	eax, eax
		js	short loc_5EA562
		mov	ecx, [ebp+var_4]
		call	_SepGetSingletonEntryFromIndexNumber@4 ; SepGetSingletonEntryFromIndexNumber(x)
		mov	esi, eax
		mov	[ebp+arg_4], esi
		test	esi, esi
		jz	short loc_5EA562
		push	esi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	byte ptr [ebp+arg_8+3],	al
		cmp	[esi+10h], ebx
		jz	short loc_5EA57C
		call	_AuthzBasepAllocateSecurityAttributesList@0 ; AuthzBasepAllocateSecurityAttributesList()
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_5EA575
		mov	ecx, [esi+10h]
		mov	edx, ebx
		push	0
		call	AuthzBasepDuplicateSecurityAttributes
		mov	esi, eax
		jmp	short loc_5EA581
; 

loc_5EA562:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+D0B96j
					; SepInternalQuerySecurityAttributesTokenEx+D0BA7j ...
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		call	_SepInternalFillNoAttribs@12 ; SepInternalFillNoAttribs(x,x,x)
		jmp	loc_519A4A
; 

loc_5EA575:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+D0BC0j
		mov	esi, 0C0000017h
		jmp	short loc_5EA581
; 

loc_5EA57C:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+D0BB5j
		mov	esi, 0C0000225h

loc_5EA581:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+D0BD0j
					; SepInternalQuerySecurityAttributesTokenEx+D0BEAj
		push	[ebp+arg_4]
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [ebp+arg_8+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	esi, 0C0000225h
		jz	short loc_5EA562
		test	esi, esi
		js	short loc_5EA5B8
		test	ebx, ebx
		jz	short loc_5EA5CB
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		push	[ebp+arg_10]	; size_t
		push	[ebp+arg_C]	; size_t
		push	edi		; int
		call	AuthzBasepQuerySecurityAttributesToken
		mov	esi, eax

loc_5EA5B8:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+D0C0Cj
		test	ebx, ebx
		jz	short loc_5EA5CB
		mov	ecx, ebx
		call	AuthzBasepFreeSecurityAttributesList
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5EA5CB:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+D0C10j
					; SepInternalQuerySecurityAttributesTokenEx+D0C2Aj
		mov	eax, esi
		jmp	loc_519A4A
; 

loc_5EA5D2:				; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+77j
					; SepInternalQuerySecurityAttributesTokenEx+84j ...
		mov	eax, 0C000000Dh
		jmp	loc_519A4A
; END OF FUNCTION CHUNK	FOR SepInternalQuerySecurityAttributesTokenEx
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepUnicodeStringFromOperandValue

loc_5EA5DC:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+68j
		mov	eax, 200h
		jmp	loc_519C93
; 

loc_5EA5E6:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+88j
		mov	eax, 0C0000017h
		jmp	loc_519CD5
; 

loc_5EA5F0:				; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+3Aj
					; AuthzBasepUnicodeStringFromOperandValue+42j
		mov	eax, 0C00001A2h
		jmp	loc_519CD5
; END OF FUNCTION CHUNK	FOR AuthzBasepUnicodeStringFromOperandValue
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepGetSecurityAttributeValueCopyoutBufferSize

loc_5EA5FA:				; CODE XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+C3j
					; DATA XREF: .text:00519F58o
		lea	ebx, [ecx+7]
		and	ebx, 0FFFFFFF8h
		cmp	ebx, ecx
		jb	loc_519F4A
		mov	eax, [edi+24h]
		mov	ecx, 10h
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_519ED4
		mov	eax, [ebp+var_4]
		add	eax, ebx
		cmp	eax, ebx
		jb	loc_519F4A
		mov	edx, [edi+2Ch]
		add	edi, 2Ch
		cmp	edx, edi
		jz	loc_519ED0

loc_5EA63F:				; CODE XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+D07D3j
		movzx	ecx, word ptr [edx+20h]
		add	ecx, eax
		cmp	ecx, eax
		jb	loc_519F4A
		mov	edx, [edx]
		mov	eax, ecx
		cmp	edx, edi
		jnz	short loc_5EA63F
		jmp	loc_519ED0
; 

loc_5EA65A:				; CODE XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+C3j
					; DATA XREF: .text:00519F5Co
		lea	ebx, [ecx+3]
		and	ebx, 0FFFFFFFCh
		cmp	ebx, ecx
		jb	loc_519F4A
		mov	eax, [edi+24h]
		mov	ecx, 8
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_519ED4
		mov	eax, [ebp+var_4]
		add	eax, ebx
		cmp	eax, ebx
		jb	loc_519F4A
		mov	edx, [edi+2Ch]
		add	edi, 2Ch
		cmp	edx, edi
		jz	loc_519ED0

loc_5EA69F:				; CODE XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+D0832j
		mov	ecx, [edx+1Ch]
		add	ecx, eax
		cmp	ecx, eax
		jb	loc_519F4A
		mov	edx, [edx]
		mov	eax, ecx
		cmp	edx, edi
		jnz	short loc_5EA69F
		jmp	loc_519ED0
; 

loc_5EA6B9:				; CODE XREF: AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+B6j
					; AuthzBasepGetSecurityAttributeValueCopyoutBufferSize+C3j
					; DATA XREF: ...
		mov	eax, 0C000000Dh
		jmp	loc_519ED4
; END OF FUNCTION CHUNK	FOR AuthzBasepGetSecurityAttributeValueCopyoutBufferSize
; 
; START	OF FUNCTION CHUNK FOR KeStackAttachProcess

loc_5EA6C3:				; CODE XREF: KeStackAttachProcess+1Dj
					; KeStackAttachProcess+2Aj
		mov	eax, large fs:235Ch
		and	eax, 10001h
		push	eax
		movzx	eax, byte ptr [edi+16Ah]
		push	eax
		mov	eax, [edi+80h]
		push	eax
		push	esi
		push	5
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5EA6E7:				; CODE XREF: MiFlushTbList+88j
		test	al, 2
		jnz	loc_51A350
		cmp	ds:_KeNumberProcessors,	1
		jz	loc_51A19E
		test	ebx, ebx
		jnz	loc_51A350
		mov	[ebp+var_2C], ebx
		lea	eax, [ebp+var_2C]
		xor	edx, edx
		lock or	[eax], edx
		call	ecx
		mov	esi, large fs:20h
		mov	[ebp+var_11], al
		mov	ecx, [esi+4]
		mov	ecx, [ecx+80h]
		mov	edx, [ecx+60h]
		mov	ecx, [esi+3C8h]
		not	ecx
		test	ecx, edx
		jz	short loc_5EA743
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_1C]
		jmp	loc_51A350
; 

loc_5EA743:				; CODE XREF: KeStackAttachProcess+D07B1j
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jz	short loc_5EA762
		lea	esi, [edi+14h]
		mov	ebx, ecx

loc_5EA74F:				; CODE XREF: KeStackAttachProcess+D07DDj
		mov	eax, [esi]
		push	eax
		call	_KiFlushRangeTb@8 ; KiFlushRangeTb(x,x)
		lea	esi, [esi+4]
		sub	ebx, 1
		jnz	short loc_5EA74F
		mov	al, [ebp+var_11]

loc_5EA762:				; CODE XREF: KeStackAttachProcess+D07C8j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_18]

loc_5EA76D:				; CODE XREF: KeStackAttachProcess+3FFj
		mov	eax, [ebp+var_1C]
		cmp	eax, 4
		jnz	loc_51A284
		mov	cl, 1
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)
		jmp	loc_51A281
; END OF FUNCTION CHUNK	FOR KeStackAttachProcess
; 
; START	OF FUNCTION CHUNK FOR MiFlushTbList

loc_5EA785:				; CODE XREF: MiFlushTbList+17Bj
		push	eax
		lea	edx, [edi+14h]
		mov	ecx, esi
		call	_VmFlushTb@12	; VmFlushTb(x,x,x)
		jmp	loc_51A291
; 

loc_5EA795:				; CODE XREF: MiFlushTbList+188j
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		lea	edx, [edi+14h]
		mov	eax, [ebp+var_1C]
		mov	ecx, esi
		push	eax
		call	_ExFlushTb@12	; ExFlushTb(x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_51A29E
; END OF FUNCTION CHUNK	FOR MiFlushTbList
; 
; START	OF FUNCTION CHUNK FOR MiMoveDirtyBitsToPfns

loc_5EA7BA:				; CODE XREF: MiMoveDirtyBitsToPfns+B6j
		mov	eax, [eax]
		test	eax, eax
		jnz	loc_51A452
		jmp	loc_51A45C
; 

loc_5EA7C9:				; CODE XREF: MiMoveDirtyBitsToPfns+A1j
		mov	[esp+160h+var_130], 0
		jmp	loc_51A463
; 

loc_5EA7D6:				; CODE XREF: MiMoveDirtyBitsToPfns+100j
		cmp	al, 5
		jz	loc_51A4A6
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+160h+var_14D], al
		jmp	loc_51A4F3
; 

loc_5EA7EF:				; CODE XREF: MiMoveDirtyBitsToPfns+108j
		mov	edi, offset unk_6D3C40
		jmp	loc_51A4B1
; 

loc_5EA7F9:				; CODE XREF: MiMoveDirtyBitsToPfns+124j
		mov	dl, al
		mov	ecx, edi
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	loc_51A4E3
; 

loc_5EA807:				; CODE XREF: MiMoveDirtyBitsToPfns+149j
		xor	eax, eax
		xchg	eax, [edi]
		jmp	loc_51A4EF
; 

loc_5EA810:				; CODE XREF: MiMoveDirtyBitsToPfns+17Aj
		mov	esi, [esp+160h+var_10C]
		add	esi, 0F90h

loc_5EA81A:				; CODE XREF: MiMoveDirtyBitsToPfns+D0496j
					; MiMoveDirtyBitsToPfns+D049Cj
		mov	edi, [esi]
		mov	ebx, edi
		mov	edx, [esi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[esp+160h+var_14C], edx
		adc	ecx, 0
		mov	eax, edi
		nop
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		jnz	short loc_5EA81A
		cmp	edx, [esp+160h+var_14C]
		jnz	short loc_5EA81A
		mov	esi, [esp+160h+var_148]
		mov	ebx, [esp+160h+var_128]
		jmp	loc_51A520
; 

loc_5EA84B:				; CODE XREF: MiMoveDirtyBitsToPfns+1B8j
					; MiMoveDirtyBitsToPfns+D04BEj
		cmp	eax, 0C07FFFFFh
		ja	loc_51A55E
		shl	eax, 9
		cmp	eax, 0C0000000h
		jnb	short loc_5EA84B
		jmp	loc_51A55E
; 

loc_5EA865:				; CODE XREF: MiMoveDirtyBitsToPfns+1C4j
		cmp	eax, ds:dword_6D2E88
		jb	short loc_5EA879
		cmp	eax, ds:dword_6D2E8C
		jbe	loc_51A56A

loc_5EA879:				; CODE XREF: MiMoveDirtyBitsToPfns+D04CBj
		mov	ecx, 1
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	ecx, eax
		jmp	loc_51A57C
; 

loc_5EA88A:				; CODE XREF: MiMoveDirtyBitsToPfns+25Fj
		shr	ebx, 9
		mov	edi, edx
		and	ebx, offset loc_7FFFF8
		sub	ebx, 40000000h
		cmp	eax, 1
		jbe	short loc_5EA8C4
		dec	eax

loc_5EA8A1:				; CODE XREF: MiMoveDirtyBitsToPfns+D0522j
		shr	edi, 9
		shr	ebx, 9
		and	edi, offset loc_7FFFF8
		and	ebx, offset loc_7FFFF8
		sub	edi, 40000000h
		sub	ebx, 40000000h
		sub	eax, 1
		jnz	short loc_5EA8A1

loc_5EA8C4:				; CODE XREF: MiMoveDirtyBitsToPfns+D04FEj
		mov	eax, edi
		lea	edx, [edi+8]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[esp+160h+var_140], eax
		test	edx, 0FFFh
		jz	short loc_5EA90E

loc_5EA8E2:				; CODE XREF: MiMoveDirtyBitsToPfns+D056Cj
		cmp	edx, ebx
		ja	short loc_5EA90E
		mov	eax, [edx]
		mov	[esp+160h+var_14C], eax
		nop
		and	eax, 1
		or	eax, 0
		jz	short loc_5EA90E
		mov	eax, [esp+160h+var_14C]
		and	eax, 80h
		or	eax, 0
		jz	short loc_5EA90E
		add	edx, 8
		test	edx, 0FFFh
		jnz	short loc_5EA8E2

loc_5EA90E:				; CODE XREF: MiMoveDirtyBitsToPfns+D0540j
					; MiMoveDirtyBitsToPfns+D0544j	...
		sub	edx, 8
		mov	[esp+160h+var_14C], edx
		jmp	loc_51A61D
; 

loc_5EA91A:				; CODE XREF: MiMoveDirtyBitsToPfns+2D0j
					; MiMoveDirtyBitsToPfns+2DCj
		mov	ecx, ebx
		jmp	loc_51A687
; 

loc_5EA921:				; CODE XREF: MiMoveDirtyBitsToPfns+373j
		test	dl, 2
		jnz	short loc_5EA938
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 2
		lock cmpxchg [ebx], ecx
		mov	edx, eax
		jmp	loc_51A710
; 

loc_5EA938:				; CODE XREF: MiMoveDirtyBitsToPfns+D0584j
		mov	[esp+160h+var_134], 0

loc_5EA940:				; CODE XREF: MiMoveDirtyBitsToPfns+D05AEj
		lea	ecx, [esp+160h+var_134]
		call	KeYieldProcessorEx
		mov	edx, [ebx]
		test	dl, 1
		jnz	short loc_5EA940
		jmp	loc_51A710
; 

loc_5EA955:				; CODE XREF: MiMoveDirtyBitsToPfns+389j
		mov	edx, eax
		jmp	loc_51A710
; 

loc_5EA95C:				; CODE XREF: MiMoveDirtyBitsToPfns+55Cj
		cmp	[ebp+arg_4], 0
		jz	short loc_5EA972
		and	edx, 80000000h
		xor	eax, eax
		or	eax, edx
		jnz	loc_51A778

loc_5EA972:				; CODE XREF: MiMoveDirtyBitsToPfns+D05C0j
		mov	edx, edi
		cmp	edi, 0C0000000h
		jb	short loc_5EA98F

loc_5EA97C:				; CODE XREF: MiMoveDirtyBitsToPfns+D05EDj
		cmp	edx, 0C07FFFFFh
		ja	short loc_5EA98F
		shl	edx, 9
		cmp	edx, 0C0000000h
		jnb	short loc_5EA97C

loc_5EA98F:				; CODE XREF: MiMoveDirtyBitsToPfns+D05DAj
					; MiMoveDirtyBitsToPfns+D05E2j
		mov	ecx, [esp+160h+var_13C]
		call	MiLocateWsle
		mov	al, [eax]
		and	al, 0Fh
		cmp	al, 9
		jz	loc_51A778
		jmp	loc_51A902
; 

loc_5EA9A9:				; CODE XREF: MiMoveDirtyBitsToPfns+580j
					; MiMoveDirtyBitsToPfns+D061Bj
		cmp	edx, 0C07FFFFFh
		ja	short loc_5EA9BD
		shl	edx, 9
		inc	eax
		cmp	edx, 0C0000000h
		jnb	short loc_5EA9A9

loc_5EA9BD:				; CODE XREF: MiMoveDirtyBitsToPfns+D060Fj
		mov	[esp+160h+var_148], eax
		test	eax, eax
		jz	loc_51A926
		mov	eax, large fs:124h
		mov	edx, edi
		push	0
		mov	esi, [eax+80h]
		lea	ecx, [esi+240h]
		call	MiLockPageTableInternal
		mov	eax, [esp+160h+var_FC]
		lea	ecx, [esi+240h]
		mov	ebx, [esp+160h+var_100]
		mov	edx, edi
		push	eax
		push	ebx
		push	0
		mov	[esp+16Ch+var_118], eax
		call	MiUnlockNestedPageTableWritePte
		mov	edx, [esp+160h+var_148]
		lea	ecx, [esp+160h+var_A0]
		push	edi
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)
		mov	esi, [esp+160h+var_118]
		jmp	loc_51A93C
; 

loc_5EAA1B:				; CODE XREF: MiMoveDirtyBitsToPfns+5D0j
					; MiMoveDirtyBitsToPfns+D0687j	...
		lea	ecx, [esp+160h+var_104]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_5EAA1B
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5EAA1B
		jmp	loc_51A976
; 

loc_5EAA35:				; CODE XREF: MiMoveDirtyBitsToPfns+5E0j
		mov	eax, [ebx+8]
		mov	ch, cl
		and	eax, 400h
		or	eax, 0
		jnz	short loc_5EAA5A
		test	cl, 8
		jnz	short loc_5EAA5A
		push	eax
		lea	edx, [eax+1]
		lea	ecx, [ebx+8]
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	ch, [ebx+16h]
		mov	esi, eax

loc_5EAA5A:				; CODE XREF: MiMoveDirtyBitsToPfns+D06A2j
					; MiMoveDirtyBitsToPfns+D06A7j
		or	ch, 10h
		mov	eax, esi
		or	eax, edx
		mov	[ebx+16h], ch
		jz	loc_51A986
		mov	ecx, offset _MiSystemPartition
		mov	[esp+160h+var_148], ecx
		jmp	loc_51A986
; 

loc_5EAA78:				; CODE XREF: MiMoveDirtyBitsToPfns+5FFj
		push	edx
		push	esi
		mov	edx, 1
		call	MiReleasePageFileInfo
		jmp	loc_51A778
; 

loc_5EAA89:				; CODE XREF: MiMoveDirtyBitsToPfns+402j
					; MiMoveDirtyBitsToPfns+D06F6j
		mov	ecx, eax
		mov	edx, eax
		and	ecx, 0FFFFFFFCh
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_5EAA89
		jmp	loc_51A7A8
; 

loc_5EAA9D:				; CODE XREF: MiMoveDirtyBitsToPfns+4C1j
		cmp	al, 5
		jnz	loc_51A8D8
		jmp	loc_51A867
; 

loc_5EAAAA:				; CODE XREF: MiMoveDirtyBitsToPfns+4D2j
					; MiMoveDirtyBitsToPfns+4DBj
		mov	dl, [esp+160h+var_14D]
		mov	ecx, ebx
		call	MiPreUnlockWorkingSetShared
		mov	al, [ebx+60h]
		jmp	loc_51A881
; 

loc_5EAABD:				; CODE XREF: MiMoveDirtyBitsToPfns+4E5j
		mov	esi, offset unk_6D3C40
		jmp	loc_51A891
; 

loc_5EAAC7:				; CODE XREF: MiMoveDirtyBitsToPfns+527j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@ExpReleaseSpinLockSharedFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockSharedFromDpcLevelInstrumented(x,x)
		jmp	loc_51A8D8
; END OF FUNCTION CHUNK	FOR MiMoveDirtyBitsToPfns
; 
; START	OF FUNCTION CHUNK FOR CmpDrainDelayDerefContext

loc_5EAAD6:				; CODE XREF: CmpDrainDelayDerefContext+83j
					; CmpDrainDelayDerefContext+90j
		mov	ecx, [ebp+var_C]
		push	esi
		call	_CmpUnlockHashEntry@8 ;	CmpUnlockHashEntry(x,x)
		jmp	loc_51ACD7
; 

loc_5EAAE4:				; CODE XREF: CmpDrainDelayDerefContext+20j
					; CmpDrainDelayDerefContext+2Bj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EAAEB:				; CODE XREF: KeReleaseMutant+5Cj
		or	byte ptr [esi+1Ch], 1
		mov	eax, 1
		mov	dword ptr [esi+4], 1
		jmp	loc_51AE33
; END OF FUNCTION CHUNK	FOR CmpDrainDelayDerefContext
; 
; START	OF FUNCTION CHUNK FOR KeReleaseMutant

loc_5EAB00:				; CODE XREF: KeReleaseMutant+1F2j
		mov	byte ptr [edx+9], 5
		mov	eax, [edx+0Ch]
		mov	[ebp+arg_8], eax
		add	eax, 8
		mov	dword ptr [edx], 0
		mov	[ebp+var_18], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_1C], eax
		mov	eax, [eax+4]
		mov	[ebp+var_C], eax
		jz	short loc_5EAB4D
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_5EAB4D:				; CODE XREF: KeReleaseMutant+CFD85j
		mov	ecx, [ebp+arg_8]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+arg_8]
		cmp	[edx], edx
		jz	short loc_5EAB94
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+1Ch]
		jnb	short loc_5EAB94
		mov	eax, [ebp+var_C]
		mov	eax, [eax+0A4h]
		cmp	eax, ecx
		jnz	short loc_5EAB80
		mov	eax, [ebp+var_C]
		cmp	byte ptr [eax+18Bh], 0Fh
		jz	short loc_5EAB94

loc_5EAB80:				; CODE XREF: KeReleaseMutant+CFDC2j
		push	[ebp+var_10]
		mov	edx, ecx
		mov	ecx, [ebp+var_1C]
		call	KiWakeQueueWaiter
		mov	ecx, [ebp+arg_8]
		test	al, al
		jnz	short loc_5EABDF

loc_5EAB94:				; CODE XREF: KeReleaseMutant+CFDADj
					; KeReleaseMutant+CFDB5j ...
		mov	eax, [ecx+4]
		mov	[ebp+var_C], eax
		inc	eax
		mov	[ecx+4], eax
		lea	eax, [ecx+10h]
		mov	esi, [eax+4]
		mov	[ebp+var_18], esi
		cmp	[esi], eax
		jnz	loc_51AF42
		cmp	[ebp+var_C], 0
		lea	esi, [ecx+10h]
		mov	eax, [ebp+var_10]
		mov	edx, [ebp+var_18]
		mov	[eax], esi
		mov	esi, [ebp+arg_0]
		mov	[eax+4], edx
		mov	[edx], eax
		lea	edx, [ecx+8]
		mov	[ecx+14h], eax
		jnz	short loc_5EABDF
		cmp	[edx], edx
		jz	short loc_5EABDF
		mov	edx, ecx
		mov	ecx, [ebp+var_1C]
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		mov	ecx, [ebp+arg_8]

loc_5EABDF:				; CODE XREF: KeReleaseMutant+CFDE2j
					; KeReleaseMutant+CFE1Cj ...
		mov	edx, 0FFFFFF7Fh
		lock and [ecx],	edx
		add	dword ptr [esi+4], 0FFFFFFFFh
		jz	loc_51AEC0
		jmp	loc_51AFBC
; 

loc_5EABF6:				; CODE XREF: KeReleaseMutant+114j
		mov	bh, 1
		jmp	loc_51AECA
; 

loc_5EABFD:				; CODE XREF: KeReleaseMutant+11Fj
		mov	ecx, esi
		call	_KiAcquireReleaseObjectRundownLockExclusive@4 ;	KiAcquireReleaseObjectRundownLockExclusive(x)
		jmp	loc_51AED5
; 

loc_5EAC09:				; CODE XREF: KeReleaseMutant+12Aj
		mov	edx, [ebp+var_20]
		test	edx, edx
		jz	loc_51AEE0
		mov	ecx, [eax+3B1Ch]
		test	ecx, ecx
		jz	loc_51AEE0
		lea	eax, [ecx-9Ch]
		cmp	edx, eax
		jnz	loc_51AF26
		mov	eax, [ebp+var_8]
		mov	ecx, esi
		movsx	eax, byte ptr [eax+87h]
		mov	[ebp+arg_8], eax
		call	KiAbFindWakeupLockEntry
		test	eax, eax
		jz	loc_51AF26
		mov	ecx, [ebp+arg_8]
		mov	edx, eax
		push	1
		call	KiAbApplyWakeupBoost
		jmp	loc_51AF26
; 

loc_5EAC5D:				; CODE XREF: KeReleaseMutant+134j
		mov	edx, 3
		jmp	loc_51AEEC
; 

loc_5EAC67:				; CODE XREF: KeReleaseMutant+150j
		cmp	[ebp+var_14], ebx
		jnz	short loc_5EAC78
		mov	ecx, esi
		call	KeAbPostRelease
		jmp	loc_51AF06
; 

loc_5EAC78:				; CODE XREF: KeReleaseMutant+CFEBAj
		mov	ecx, [ebx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		push	1
		push	eax
		push	esi
		push	ebx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5EAC93:				; CODE XREF: PsIsProcessLoggingEnabled+2Fj
		sub	edx, 7E0h
		jnz	loc_51B107
		mov	esi, 80000h
		lea	eax, [ecx+3A8h]
		jmp	loc_51B107
; END OF FUNCTION CHUNK	FOR KeReleaseMutant
; 
; START	OF FUNCTION CHUNK FOR PsIsProcessLoggingEnabled

loc_5EACAF:				; CODE XREF: PsIsProcessLoggingEnabled+26j
		mov	esi, 100000h
		lea	eax, [ecx+3A8h]
		jmp	loc_51B107
; END OF FUNCTION CHUNK	FOR PsIsProcessLoggingEnabled
; 
; START	OF FUNCTION CHUNK FOR SepNormalAccessCheck

loc_5EACBF:				; CODE XREF: SepNormalAccessCheck+41Cj
		or	[ecx+10h], esi
		mov	byte ptr [ecx+18h], 1
		jmp	loc_51B569
; 

loc_5EACCB:				; CODE XREF: SepNormalAccessCheck+5CFj
		mov	ecx, [ebp+arg_28]
		jmp	loc_51B569
; 

loc_5EACD3:				; CODE XREF: SepNormalAccessCheck+EAj
		test	esi, esi
		jz	loc_51B230
		mov	eax, ds:_SeAliasAdminsSid
		push	esi
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	loc_51B36F
		mov	edx, [ebp+var_18]
		jmp	loc_51B230
; 

loc_5EACF7:				; CODE XREF: SepNormalAccessCheck+221j
					; SepNormalAccessCheck+CFC36j ...
		push	0
		push	eax
		push	[ebp+var_14]
		mov	edx, ecx
		mov	ecx, ebx
		push	0
		call	AuthzBasepAddAccessTypeList
		jmp	loc_51B36F
; 

loc_5EAD0D:				; CODE XREF: SepNormalAccessCheck+501j
		mov	eax, [ebp+var_8]
		mov	ecx, [eax+8]
		mov	edx, ecx
		and	edx, 1
		add	eax, 0Ch
		mov	esi, edx
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jnz	short loc_5EAD86
		push	dword ptr [ebp+arg_2C] ; char
		mov	ebx, [ebp+var_8]
		and	ecx, 2
		mov	eax, dword ptr [ebp+arg_20]
		push	dword ptr [ebp+arg_24] ; char
		shl	ecx, 3
		or	ecx, 0Ch
		shl	edx, 4
		add	ecx, ebx
		add	edx, ecx
		movzx	ecx, al
		neg	ecx
		push	eax		; char
		sbb	ecx, ecx
		and	ecx, 88h
		push	esi		; char
		add	ecx, 0CCh
		add	ecx, [ebp+var_C]
		push	edx		; void *
		mov	edx, [ebp+arg_10]
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_51B3B0
		mov	ecx, [ebp+arg_14]
		mov	eax, [ebx+4]
		mov	ebx, [ebp+arg_18]
		cmp	ecx, 1
		jnz	loc_5EACF7
		not	eax
		and	[ebx+18h], eax
		jmp	loc_51B36F
; 

loc_5EAD86:				; CODE XREF: SepNormalAccessCheck+CFBE3j
		cmp	[ebp+arg_1C], 0
		jz	loc_51B36F
		push	dword ptr [ebp+arg_2C] ; char
		mov	ebx, [ebp+var_8]
		and	ecx, 2
		mov	eax, dword ptr [ebp+arg_20]
		push	dword ptr [ebp+arg_24] ; char
		shl	ecx, 3
		or	ecx, 0Ch
		shl	edx, 4
		add	ecx, ebx
		add	edx, ecx
		movzx	ecx, al
		neg	ecx
		push	eax		; char
		sbb	ecx, ecx
		and	ecx, 88h
		push	0		; char
		add	ecx, 0CCh
		add	ecx, [ebp+var_C]
		push	edx		; void *
		mov	edx, [ebp+arg_10]
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_51B3B0
		mov	edi, [ebp+arg_14]
		lea	eax, [ebp+var_24]
		mov	edx, [ebp+arg_18]
		mov	ecx, esi
		push	eax
		push	edi
		call	_AuthzBasepObjectInTypeList@16 ; AuthzBasepObjectInTypeList(x,x,x,x)
		test	al, al
		jz	loc_5EAF79
		mov	eax, [ebx+4]
		mov	edx, edi
		mov	ebx, [ebp+arg_18]
		mov	ecx, ebx
		push	0
		push	eax
		push	[ebp+var_14]
		push	[ebp+var_24]
		call	AuthzBasepAddAccessTypeList
		jmp	loc_51B36F
; 

loc_5EAE0D:				; CODE XREF: SepNormalAccessCheck+509j
		push	dword ptr [ebp+arg_2C] ; char
		mov	eax, dword ptr [ebp+arg_20]
		push	dword ptr [ebp+arg_24] ; char
		mov	ecx, [ebp+var_C]
		movzx	esi, al
		push	eax		; char
		movzx	eax, byte ptr [edi+0Dh]
		neg	esi
		push	0		; char
		sbb	esi, esi
		add	eax, 5
		and	esi, 88h
		add	esi, 0CCh
		lea	eax, [edi+eax*4]
		push	eax		; void *
		lea	ecx, [esi+ecx]
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_51B36F
		push	dword ptr [ebp+arg_2C] ; char
		mov	ecx, [ebp+arg_0]
		lea	eax, [edi+0Ch]
		push	dword ptr [ebp+arg_24] ; char
		xor	edx, edx
		push	dword ptr [ebp+arg_20] ; char
		lea	ecx, [esi+ecx]
		push	0		; char
		push	eax		; void *
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_51B36F
		mov	ecx, [ebp+arg_14]
		mov	eax, [edi+4]
		cmp	ecx, 1
		jnz	loc_5EACF7
		not	eax
		and	[ebx+18h], eax
		jmp	loc_51B36F
; 

loc_5EAE87:				; CODE XREF: SepNormalAccessCheck+519j
		mov	ecx, [edi+8]
		mov	eax, ecx
		mov	edx, dword ptr [ebp+arg_20]
		and	eax, 2
		and	ecx, 1
		shl	eax, 3
		push	0		; char
		push	dword ptr [ebp+arg_24] ; char
		shl	ecx, 4
		or	eax, 0Ch
		push	edx		; char
		add	eax, edi
		add	ecx, eax
		push	1		; char
		push	ecx		; void *
		movzx	ecx, dl
		mov	edx, [ebp+arg_10]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 88h
		add	ecx, 0CCh
		add	ecx, [ebp+var_C]
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_51B36F
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+8]
		add	ecx, 0Ch
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		jz	short loc_5EAF1E
		cmp	[ebp+arg_1C], 0
		jz	short loc_5EAF1E
		lea	ecx, [ebp+var_24]
		mov	edx, ebx
		push	ecx
		push	[ebp+arg_14]
		mov	ecx, eax
		call	_AuthzBasepObjectInTypeList@16 ; AuthzBasepObjectInTypeList(x,x,x,x)
		test	al, al
		jz	loc_51B36F
		imul	eax, [ebp+var_24], arg_24
		mov	ecx, [ebp+var_8]
		mov	eax, [eax+ebx+18h]
		test	[ecx+4], eax
		jnz	loc_51B39C
		jmp	loc_51B36F
; 

loc_5EAF1E:				; CODE XREF: SepNormalAccessCheck+CFDA5j
					; SepNormalAccessCheck+CFDABj
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+4]
		test	[ebx+18h], eax
		jnz	loc_51B39C
		jmp	loc_51B36F
; 

loc_5EAF32:				; CODE XREF: SepNormalAccessCheck+560j
		mov	ecx, [eax+12Ch]
		mov	edx, [eax+124h]
		mov	edi, [eax+128h]
		mov	ebx, [eax+120h]
		jmp	loc_51B6AE
; 

loc_5EAF4F:				; CODE XREF: SepNormalAccessCheck+6DAj
		mov	eax, [ebp+arg_28]
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_C]
		lea	esi, [eax+8]
		add	eax, 16h
		push	esi		; int
		push	eax		; int
		mov	eax, [ebx+4]
		push	eax		; int
		push	edi		; void *
		call	_SepMatchCapability@24 ; SepMatchCapability(x,x,x,x,x,x)
		jmp	loc_51B909
; 

loc_5EAF6F:				; CODE XREF: SepNormalAccessCheck+6F5j
		mov	ecx, 154h
		jmp	loc_51B840
; 

loc_5EAF79:				; CODE XREF: SepNormalAccessCheck+CFCAAj
		mov	ebx, edx
		jmp	loc_51B36F
; 

loc_5EAF80:				; CODE XREF: SepNormalAccessCheck+6EDj
		mov	ebx, eax
		jmp	loc_51B372
; END OF FUNCTION CHUNK	FOR SepNormalAccessCheck
; 
; START	OF FUNCTION CHUNK FOR SeAccessCheckWithHintWithAdminlessChecks

loc_5EAF87:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+C02j
		mov	ecx, [ebp+var_30]
		jmp	loc_51C80A
; 

loc_5EAF8F:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+215j
		cmp	[ebp+var_94], 0
		mov	dword ptr [edx], 0C0000022h
		jnz	short loc_5EAFBA
		mov	eax, [ebp+var_38]
		xor	edx, edx
		or	eax, [ebp+var_40]
		mov	ecx, [ebp+var_3C]
		push	0
		push	0
		push	eax
		push	[ebp+var_60]
		push	0
		push	0
		call	SeLogAccessFailure

loc_5EAFBA:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF2FCj
		cmp	[ebp+arg_4], 0
		jnz	loc_51C51C
		mov	esi, [ebp+var_30]
		push	esi
		jmp	loc_51C8FB
; 

loc_5EAFCD:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+241j
		test	byte ptr [eax+0B0h], 20h
		jnz	loc_51BEE7
		mov	ecx, [eax+0C0h]
		test	ecx, ecx
		jz	short loc_5EB00C
		test	byte ptr [ecx+18h], 20h
		jz	short loc_5EB00C
		cmp	[ebp+arg_4], 0
		mov	eax, [ebp+var_28]
		mov	dword ptr [eax], 0
		mov	dword ptr [edx], 0C0000022h
		jnz	loc_51C51C
		mov	esi, [ebp+var_30]
		push	esi
		jmp	loc_51C8FB
; 

loc_5EB00C:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF342j
					; SeAccessCheckWithHintWithAdminlessChecks+CF348j
		mov	cl, [ebp+var_31]
		jmp	loc_51BEE7
; 

loc_5EB014:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+2B8j
		test	byte ptr [edi+2], 10h
		jz	loc_51BF5E
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_5EB07C
		movzx	eax, word ptr [edi+2]
		mov	ecx, eax
		test	al, 10h
		jnz	short loc_5EB03E
		mov	[ebp+var_84], 0
		jmp	short loc_5EB07C
; 

loc_5EB03E:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF390j
		test	cx, cx
		mov	ecx, [edi+0Ch]
		jns	short loc_5EB04F
		lea	eax, [ecx+edi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_5EB04F:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF3A4j
		mov	[ebp+var_84], ecx
		test	ecx, ecx
		jz	short loc_5EB07C
		call	_SepGetScopedPolicySid@4 ; SepGetScopedPolicySid(x)
		test	eax, eax
		jz	short loc_5EB07C
		lea	edx, [ebp+var_7C]
		mov	ecx, eax
		call	_SepRmReferenceFindCap@8 ; SepRmReferenceFindCap(x,x)
		test	eax, eax
		jns	short loc_5EB078
		mov	eax, ds:_SepRmDefaultCap
		mov	[ebp+var_7C], eax

loc_5EB078:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF3CEj
		mov	[ebp+var_22], 1

loc_5EB07C:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF386j
					; SeAccessCheckWithHintWithAdminlessChecks+CF39Cj ...
		mov	ecx, [ebp+var_3C]
		mov	eax, [ebp+var_38]
		mov	edx, [ebp+var_2C]
		jmp	loc_51BF5E
; 

loc_5EB08A:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+2E6j
		test	ebx, ebx
		jz	loc_51BF8C
		mov	eax, ds:_SeAliasAdminsSid
		push	ebx
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	loc_51BF8C
		xor	al, al
		jmp	loc_51C229
; 

loc_5EB0AD:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+69Dj
		xor	ecx, ecx
		jmp	loc_51C260
; 

loc_5EB0B4:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+692j
		mov	ecx, [ebx+10h]
		jmp	loc_51C260
; 

loc_5EB0BC:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+6D4j
		cmp	al, 0Ch
		jbe	short loc_5EB0CD
		jmp	loc_51C37A
; 

loc_5EB0C5:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+6DCj
		cmp	al, 10h
		ja	loc_51C382

loc_5EB0CD:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+B11j
					; SeAccessCheckWithHintWithAdminlessChecks+CF41Ej
		mov	eax, [ebx+8]
		mov	ecx, eax
		and	ecx, 2
		and	eax, 1
		shl	ecx, 3
		or	ecx, 0Ch
		shl	eax, 4
		add	ecx, eax
		jmp	loc_51C397
; 

loc_5EB0E8:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+6E4j
		mov	ecx, 0Ch
		jmp	loc_51C397
; 

loc_5EB0F2:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+B1Ej
		sub	al, 0Dh
		cmp	al, 1
		ja	loc_51C3A6
		jmp	loc_51C392
; 

loc_5EB101:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+3DFj
		mov	eax, [ebp+var_2C]
		mov	eax, [eax]
		mov	[ebp+var_7C], eax
		test	eax, eax
		js	loc_51C085
		cmp	[ebp+var_22], 0
		jz	loc_51C085
		cmp	dword ptr [edx+20h], 0
		mov	ecx, [ebp+var_28]
		mov	[ebp+var_23], 0
		mov	[ebp+var_24], 0
		mov	[ebp+var_80], 0
		mov	ecx, [ecx]
		mov	[ebp+var_4C], ecx
		jbe	loc_5EB3EA
		lea	ecx, [edx+24h]
		mov	[ebp+var_54], ecx

loc_5EB142:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF6CCj
		mov	ecx, [ecx]
		mov	[ebp+var_64], ecx
		cmp	dword ptr [ecx+0Ch], 0
		jz	loc_5EB28E
		cmp	[ebp+var_5C], 0
		jnz	short loc_5EB170
		mov	ecx, [ebp+var_84]
		lea	edx, [ebp+var_5C]
		call	AuthzBasepInitializeResourceClaimsFromSacl
		mov	ecx, [ebp+var_64]
		test	eax, eax
		jns	short loc_5EB170
		mov	[ebp+var_24], 1

loc_5EB170:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF4B5j
					; SeAccessCheckWithHintWithAdminlessChecks+CF4CAj
		mov	eax, [ebx+27Ch]
		test	eax, eax
		jz	short loc_5EB1A0
		mov	edi, [eax+124h]
		mov	edx, [eax+12Ch]
		mov	[ebp+var_50], edi
		mov	edi, [eax+128h]
		mov	eax, [eax+120h]
		mov	[ebp+var_78], edi
		mov	edi, [ebp+var_6C]
		mov	[ebp+var_74], eax
		jmp	short loc_5EB1AB
; 

loc_5EB1A0:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF4D8j
		xor	edx, edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_78], edx
		mov	[ebp+var_74], edx

loc_5EB1AB:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF4FEj
		lea	eax, [ebp+var_88]
		push	eax
		mov	eax, [ecx+8]
		push	0
		push	1
		push	eax
		mov	eax, [ecx+0Ch]
		mov	ecx, ebx
		push	eax
		push	edx
		push	[ebp+var_50]
		mov	edx, [ebx+1DCh]
		push	[ebp+var_78]
		push	[ebp+var_74]
		push	[ebp+var_5C]
		call	AuthzBasepEvaluateAceCondition
		mov	ecx, eax
		mov	eax, [ebp+var_88]
		mov	[ebp+var_68], ecx
		cmp	eax, 1
		jz	loc_5EB28B
		test	ecx, ecx
		js	loc_5EB3DA
		test	byte ptr [ebx+0B0h], 10h
		jz	short loc_5EB278
		mov	eax, [ebx+27Ch]
		test	eax, eax
		jz	short loc_5EB22A
		mov	ecx, [eax+124h]
		mov	edx, [eax+12Ch]
		mov	[ebp+var_50], ecx
		mov	ecx, [eax+128h]
		mov	eax, [eax+120h]
		mov	[ebp+var_78], ecx
		mov	[ebp+var_74], eax
		jmp	short loc_5EB235
; 

loc_5EB22A:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF565j
		xor	edx, edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_78], edx
		mov	[ebp+var_74], edx

loc_5EB235:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF588j
		mov	ecx, [ebp+var_64]
		lea	eax, [ebp+var_88]
		push	eax
		push	1
		push	1
		mov	eax, [ecx+8]
		push	eax
		mov	eax, [ecx+0Ch]
		mov	ecx, ebx
		push	eax
		push	edx
		push	[ebp+var_50]
		mov	edx, [ebx+1DCh]
		push	[ebp+var_78]
		push	[ebp+var_74]
		push	[ebp+var_5C]
		call	AuthzBasepEvaluateAceCondition
		mov	ecx, eax
		mov	[ebp+var_68], ecx
		test	ecx, ecx
		js	loc_5EB374
		mov	eax, [ebp+var_88]

loc_5EB278:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF55Bj
		cmp	[ebp+var_24], 0
		jnz	short loc_5EB28B
		cmp	eax, 1
		jz	short loc_5EB28B
		mov	eax, [ebp+var_7C]
		jmp	loc_5EB353
; 

loc_5EB28B:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF546j
					; SeAccessCheckWithHintWithAdminlessChecks+CF5DCj ...
		mov	ecx, [ebp+var_64]

loc_5EB28E:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF4ABj
		mov	edx, [ecx+10h]
		lea	ecx, [ebp+var_C8]
		push	[ebp+var_84]
		call	_SepBuildCapeSecurityDescriptor@12 ; SepBuildCapeSecurityDescriptor(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_68], ecx
		test	ecx, ecx
		js	loc_5EB3DA
		mov	ecx, [ebp+var_64]
		mov	eax, [ebp+var_38]
		test	byte ptr [ecx+18h], 1
		jz	short loc_5EB2C9
		test	eax, 2000000h
		jnz	short loc_5EB2C5
		or	eax, [ebp+var_40]

loc_5EB2C5:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF620j
		xor	ecx, ecx
		jmp	short loc_5EB2CC
; 

loc_5EB2C9:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF619j
		mov	ecx, [ebp+var_40]

loc_5EB2CC:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF627j
		push	dword ptr [ebp+var_70]
		lea	edx, [ebp+var_21]
		push	0
		push	edx
		lea	edx, [ebp+var_5C]
		push	edx
		lea	edx, [ebp+var_21+1]
		push	edx
		push	edi
		push	0
		lea	edx, [ebp+var_AC]
		push	edx
		push	0
		lea	edx, [ebp+var_90]
		push	edx
		push	[ebp+var_A8]
		xor	edx, edx
		push	ecx
		push	[ebp+var_8C]
		mov	ecx, [ebp+var_30]
		push	0
		push	0
		push	eax
		mov	eax, [ecx]
		push	eax
		mov	eax, [ecx+8]
		lea	ecx, [ebp+var_C8]
		push	eax
		call	SepAccessCheck
		cmp	[ebp+var_23], 0
		mov	[ebp+var_55], al
		jnz	short loc_5EB32A
		mov	eax, [ebp+var_90]
		jmp	short loc_5EB333
; 

loc_5EB32A:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF680j
		mov	eax, [ebp+var_4C]
		and	eax, [ebp+var_90]

loc_5EB333:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF688j
		mov	[ebp+var_4C], eax
		test	eax, eax
		jz	loc_5EB3E2
		mov	eax, [ebp+var_AC]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_23], 1
		test	eax, eax
		js	loc_5EB3E7

loc_5EB353:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF5E6j
		mov	ebx, [ebp+var_44]
		mov	edx, [ebp+var_80]
		mov	ecx, [ebp+var_54]
		inc	edx
		add	ecx, 4
		mov	[ebp+var_80], edx
		cmp	edx, [ebx+20h]
		mov	ebx, [ebp+var_3C]
		mov	[ebp+var_54], ecx
		jb	loc_5EB142
		jmp	short loc_5EB3E7
; 

loc_5EB374:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF5CCj
		cmp	[ebp+arg_4], 0
		jnz	short loc_5EB383

loc_5EB37A:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF740j
		mov	esi, [ebp+var_30]
		push	esi
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)

loc_5EB383:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF6D8j
					; SeAccessCheckWithHintWithAdminlessChecks+CF73Ej
		mov	eax, [ebp+var_44]
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_5EB3AA
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+24h], eax
		dec	eax
		test	eax, eax
		jg	short loc_5EB3AA
		jz	short loc_5EB3A5
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_5EB3AA
; 

loc_5EB3A5:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF6FAj
		call	_SepRmDestroyCapTable@4	; SepRmDestroyCapTable(x)

loc_5EB3AA:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF6EBj
					; SeAccessCheckWithHintWithAdminlessChecks+CF6F8j ...
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+var_2C]
		mov	esi, [ebp+var_5C]
		mov	dword ptr [eax], 0
		mov	eax, [ebp+var_68]
		mov	[ecx], eax
		test	esi, esi
		jz	loc_51C51C
		mov	ecx, esi
		call	AuthzBasepFreeSecurityAttributesList
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_51C51C
; 

loc_5EB3DA:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF54Ej
					; SeAccessCheckWithHintWithAdminlessChecks+CF609j
		cmp	[ebp+arg_4], 0
		jnz	short loc_5EB383
		jmp	short loc_5EB37A
; 

loc_5EB3E2:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF698j
		mov	eax, 0C0000022h

loc_5EB3E7:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF6ADj
					; SeAccessCheckWithHintWithAdminlessChecks+CF6D2j
		mov	ecx, [ebp+var_4C]

loc_5EB3EA:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF496j
		mov	edi, [ebp+var_2C]
		mov	[edi], eax
		mov	eax, [ebp+var_28]
		and	[eax], ecx
		cmp	dword ptr [edi], 0
		setl	al
		dec	al
		and	byte ptr [ebp+var_21], al
		jmp	loc_51C088
; 

loc_5EB404:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+9A1j
		mov	dword ptr [edi], 0C0000022h
		mov	byte ptr [ebp+var_21], 0
		jmp	loc_51C0AA
; 

loc_5EB413:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+90Cj
		mov	eax, [eax]
		mov	ecx, eax
		and	ecx, esi
		cmp	ecx, eax
		mov	eax, [ebp+var_28]
		jz	loc_51C5B2
		mov	[ebp+var_45], 1
		mov	[eax], ecx
		test	ecx, ecx
		jnz	short loc_5EB43C
		mov	dword ptr [edi], 0C0000022h
		mov	byte ptr [ebp+var_21], cl
		jmp	loc_51C5B2
; 

loc_5EB43C:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF78Cj
		mov	dword ptr [edi], 0
		mov	byte ptr [ebp+var_21], 1
		jmp	loc_51C5B2
; 

loc_5EB44B:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+925j
		mov	eax, [eax]
		mov	esi, eax
		and	esi, ecx
		cmp	esi, eax
		jz	loc_51C0B6
		mov	eax, [ebp+var_28]
		mov	cl, 1
		mov	[eax], esi
		test	esi, esi
		jnz	short loc_5EB473
		mov	dword ptr [edi], 0C0000022h
		mov	byte ptr [ebp+var_21], 0
		jmp	loc_51C0B9
; 

loc_5EB473:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF7C2j
		mov	dword ptr [edi], 0
		mov	byte ptr [ebp+var_21], cl
		jmp	loc_51C0B9
; 

loc_5EB481:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+7DDj
		mov	byte ptr [ebp+var_54], 1
		jmp	loc_51C487
; 

loc_5EB48A:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+8A7j
		mov	ecx, [ebp+var_18]
		or	ecx, [ebp+var_1C]
		mov	eax, [ebp+var_10]
		or	ecx, 2000000h
		not	ecx
		and	ecx, edx
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_51C0F5
		call	_SepLogLpacAccessFailure@4 ; SepLogLpacAccessFailure(x)
		jmp	loc_51C0F5
; 

loc_5EB4B1:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+41Bj
		mov	esi, [ebp+var_30]
		jmp	loc_51C0F5
; 

loc_5EB4B9:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+459j
		mov	eax, [ebp+var_44]
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	loc_51C0FF
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+24h], eax
		dec	eax
		test	eax, eax
		jg	loc_51C0FF
		jz	short loc_5EB4E6
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_51C0FF
; 

loc_5EB4E6:				; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF838j
		call	_SepRmDestroyCapTable@4	; SepRmDestroyCapTable(x)
		jmp	loc_51C0FF
; END OF FUNCTION CHUNK	FOR SeAccessCheckWithHintWithAdminlessChecks
; 
; START	OF FUNCTION CHUNK FOR SepMandatoryIntegrityCheck

loc_5EB4F0:				; CODE XREF: SepMandatoryIntegrityCheck+47Ej
		test	cl, 40h
		jnz	loc_51CDC4
		push	0
		push	0
		push	esi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EB50A:				; CODE XREF: SepMandatoryIntegrityCheck+5FFj
		push	0
		push	1
		movzx	eax, cl
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EB51E:				; CODE XREF: SepMandatoryIntegrityCheck+605j
		movzx	eax, byte ptr [edx+84h]
		test	al, 2
		jz	short loc_5EB53B
		push	0
		push	0
		push	0
		push	6
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EB53B:				; CODE XREF: SepMandatoryIntegrityCheck+CEBE7j
		cmp	cl, 1
		jnb	short loc_5EB551
		test	dword ptr [edx+58h], 400h
		jnz	short loc_5EB551
		cmp	[edx+13Ch], edi
		jz	short loc_5EB5B4

loc_5EB551:				; CODE XREF: SepMandatoryIntegrityCheck+CEBFEj
					; SepMandatoryIntegrityCheck+CEC07j
		movzx	ecx, word ptr [esi+0Eh]
		jmp	loc_51CDCD
; 

loc_5EB55A:				; CODE XREF: SepMandatoryIntegrityCheck+493j
		call	_ExpFastResourceLegacyAcquireShared@8 ;	ExpFastResourceLegacyAcquireShared(x,x)
		jmp	loc_51C9FA
; 

loc_5EB564:				; CODE XREF: SepMandatoryIntegrityCheck+E6j
		mov	eax, ds:_SepDefaultMandatorySid
		mov	[ebp+var_14], eax
		jmp	loc_51CA2C
; 

loc_5EB571:				; CODE XREF: SepMandatoryIntegrityCheck+4B1j
		test	cl, 40h
		jnz	loc_51CDF7
		push	0
		push	0
		push	esi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EB58B:				; CODE XREF: SepMandatoryIntegrityCheck+619j
		push	0
		push	2
		movzx	eax, al
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EB59F:				; CODE XREF: SepMandatoryIntegrityCheck+61Fj
		cmp	al, 1
		jnb	short loc_5EB5C6
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_5EB5C6
		cmp	[ecx+13Ch], edi
		jnz	short loc_5EB5C6

loc_5EB5B4:				; CODE XREF: SepMandatoryIntegrityCheck+CEC0Fj
		push	0
		push	0
		push	0
		push	7
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EB5C6:				; CODE XREF: SepMandatoryIntegrityCheck+CEC61j
					; SepMandatoryIntegrityCheck+CEC6Aj ...
		movzx	ecx, word ptr [esi+0Eh]
		jmp	loc_51CE00
; 

loc_5EB5CF:				; CODE XREF: SepMandatoryIntegrityCheck+4C3j
		mov	ecx, esi
		call	_ExpFastResourceLegacyRelease@4	; ExpFastResourceLegacyRelease(x)
		jmp	loc_51CE83
; 

loc_5EB5DB:				; CODE XREF: SepMandatoryIntegrityCheck+4EEj
		mov	edx, edi
		lea	ecx, [ebp+var_38]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_51CE41
; 

loc_5EB5EA:				; CODE XREF: SepMandatoryIntegrityCheck+50Fj
					; SepMandatoryIntegrityCheck+51Cj
		mov	eax, ebx
		and	eax, 3
		cmp	al, 3
		jz	loc_51CE62
		cmp	ebx, edx
		jz	loc_51CE62
		push	0
		push	ebx
		push	edx
		push	esi
		push	16Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EB60E:				; CODE XREF: SepMandatoryIntegrityCheck+524j
		mov	al, 1
		jmp	loc_51CE6C
; 

loc_5EB615:				; CODE XREF: SepMandatoryIntegrityCheck+536j
		call	ExpReleaseResourceExclusiveForThreadLite
		jmp	loc_51CE81
; 

loc_5EB61F:				; CODE XREF: SepMandatoryIntegrityCheck+FCj
		xor	eax, eax
		jmp	loc_51CA49
; 

loc_5EB626:				; CODE XREF: SepMandatoryIntegrityCheck+140j
		mov	ebx, eax
		jmp	loc_51CAF5
; 

loc_5EB62D:				; CODE XREF: SepMandatoryIntegrityCheck+218j
					; SepMandatoryIntegrityCheck+272j
		mov	bl, [ebp+var_E]
		mov	edx, 0C000000Dh
		mov	bh, bl
		jmp	loc_51CCBE
; 

loc_5EB63C:				; CODE XREF: SepMandatoryIntegrityCheck+323j
		mov	al, [ebp+var_D]
		jmp	loc_51CC9E
; 

loc_5EB644:				; CODE XREF: SepMandatoryIntegrityCheck+3EFj
		xor	bh, bh
		jmp	loc_51CD35
; 

loc_5EB64B:				; CODE XREF: SepMandatoryIntegrityCheck+410j
		mov	esi, [ecx+4]
		or	esi, 10D0000h
		jmp	loc_51CD56
; 

loc_5EB659:				; CODE XREF: SepMandatoryIntegrityCheck+444j
		xor	ecx, ecx
		test	dl, dl
		jz	short loc_5EB668
		mov	ecx, [esi+4]
		or	ecx, 10D0000h

loc_5EB668:				; CODE XREF: SepMandatoryIntegrityCheck+CED1Dj
		mov	edx, [esi]
		test	bl, bl
		jz	short loc_5EB677
		mov	eax, edx
		or	eax, 20000h
		or	ecx, eax

loc_5EB677:				; CODE XREF: SepMandatoryIntegrityCheck+CED2Cj
		mov	eax, [esi+8]
		not	edx
		mov	edi, [ebp+var_1C]
		and	eax, edx
		mov	dl, [ebp+var_D]
		or	eax, 100000h
		not	ecx
		and	eax, ecx
		not	eax
		and	edi, eax
		jmp	loc_51CD8D
; END OF FUNCTION CHUNK	FOR SepMandatoryIntegrityCheck
; 
; START	OF FUNCTION CHUNK FOR SepFilterCheck

loc_5EB696:				; CODE XREF: SepFilterCheck+DAj
		movzx	eax, byte ptr [edi+9]
		lea	edx, ds:8[eax*4]
		movzx	eax, word ptr [edi+2]
		sub	eax, edx
		mov	[ebp+var_18], edx
		sub	eax, 8
		test	eax, eax
		jle	loc_5EB871
		mov	eax, [edi+4]
		mov	[ebp+var_28], eax
		test	eax, 0FF000000h
		jnz	loc_5EB871
		cmp	[ebp+arg_4], 0
		jz	short loc_5EB6F5
		cmp	[ebp+var_2], 0
		jnz	short loc_5EB6F5
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [ebp+arg_0]
		push	1
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_2], 1

loc_5EB6F5:				; CODE XREF: SepFilterCheck+CE75Aj
					; SepFilterCheck+CE760j
		cmp	dword ptr [ecx], 0
		jnz	short loc_5EB713
		mov	edx, ecx
		mov	ecx, esi
		call	AuthzBasepInitializeResourceClaimsFromSacl
		mov	edx, eax
		mov	[ebp+var_C], edx
		test	edx, edx
		js	loc_51CFF9
		mov	ecx, [ebp+var_8]

loc_5EB713:				; CODE XREF: SepFilterCheck+CE788j
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_10], 0FFFFFFFFh
		mov	eax, [eax+27Ch]
		test	eax, eax
		jz	short loc_5EB74D
		mov	ecx, [eax+124h]
		mov	edx, [eax+12Ch]
		mov	[ebp+var_C], ecx
		mov	ecx, [eax+128h]
		mov	eax, [eax+120h]
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_20], eax
		jmp	short loc_5EB758
; 

loc_5EB74D:				; CODE XREF: SepFilterCheck+CE7B5j
		xor	edx, edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], edx

loc_5EB758:				; CODE XREF: SepFilterCheck+CE7DBj
		mov	eax, [ebp+var_18]
		add	eax, 8
		add	eax, edi
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_10]
		push	eax
		movzx	eax, word ptr [edi+2]
		sub	eax, [ebp+var_18]
		push	0
		push	1
		sub	eax, 8
		push	eax
		push	[ebp+var_24]
		mov	eax, [ecx]
		push	edx
		push	[ebp+var_C]
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	eax
		mov	eax, [ebp+arg_0]
		mov	ecx, eax
		mov	edx, [eax+1DCh]
		call	AuthzBasepEvaluateAceCondition
		mov	edx, eax
		mov	[ebp+var_C], edx
		test	edx, edx
		js	loc_51CFF9
		cmp	[ebp+var_10], 1
		jz	short loc_5EB7BE
		test	byte ptr [edi+1], 40h
		jz	short loc_5EB7B3
		mov	[ebp+var_1], 1

loc_5EB7B3:				; CODE XREF: SepFilterCheck+CE83Dj
		mov	eax, [ebp+var_28]
		or	eax, 1000000h
		and	[ebp+var_14], eax

loc_5EB7BE:				; CODE XREF: SepFilterCheck+CE837j
		mov	ecx, [ebp+arg_0]
		test	byte ptr [ecx+0B0h], 10h
		jz	loc_5EB869
		mov	eax, [ecx+27Ch]
		mov	[ebp+var_10], 0FFFFFFFFh
		test	eax, eax
		jz	short loc_5EB805
		mov	ecx, [eax+124h]
		mov	edx, [eax+12Ch]
		mov	[ebp+var_20], ecx
		mov	ecx, [eax+128h]
		mov	eax, [eax+120h]
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_C], eax
		jmp	short loc_5EB810
; 

loc_5EB805:				; CODE XREF: SepFilterCheck+CE86Dj
		xor	edx, edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_C], edx

loc_5EB810:				; CODE XREF: SepFilterCheck+CE893j
		lea	eax, [ebp+var_10]
		push	eax
		movzx	eax, word ptr [edi+2]
		sub	eax, [ebp+var_18]
		push	1
		push	1
		sub	eax, 8
		push	eax
		push	[ebp+var_24]
		mov	eax, [ebp+var_8]
		push	edx
		push	[ebp+var_20]
		mov	edx, [ecx+1DCh]
		push	[ebp+var_1C]
		mov	eax, [eax]
		push	[ebp+var_C]
		push	eax
		call	AuthzBasepEvaluateAceCondition
		mov	edx, eax
		mov	[ebp+var_C], edx
		test	edx, edx
		js	loc_51CFF9
		cmp	[ebp+var_10], 1
		jz	short loc_5EB869
		test	byte ptr [edi+1], 40h
		jz	short loc_5EB85E
		mov	[ebp+var_1], 1

loc_5EB85E:				; CODE XREF: SepFilterCheck+CE8E8j
		mov	eax, [ebp+var_28]
		or	eax, 1000000h
		and	[ebp+var_14], eax

loc_5EB869:				; CODE XREF: SepFilterCheck+CE858j
					; SepFilterCheck+CE8E2j
		mov	ecx, [ebp+var_8]
		jmp	loc_51CFF4
; 

loc_5EB871:				; CODE XREF: SepFilterCheck+CE73Fj
					; SepFilterCheck+CE750j
		mov	edx, 0C0000077h
		mov	[ebp+var_C], edx
		jmp	loc_51CFF9
; 

loc_5EB87E:				; CODE XREF: SepFilterCheck+8Fj
		mov	eax, [ebp+arg_8]
		mov	bl, [ebp+var_1]
		mov	[eax], ecx
		mov	[eax+4], bl
		jmp	loc_51D005
; 

loc_5EB88E:				; CODE XREF: SepFilterCheck+99j
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edx, [ebp+var_C]
		jmp	loc_51D00F
; 

loc_5EB8A6:				; CODE XREF: SepFilterCheck+A4j
		mov	ecx, esi
		call	AuthzBasepFreeSecurityAttributesList
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_C]
		jmp	loc_51D01C
; END OF FUNCTION CHUNK	FOR SepFilterCheck
; 
; START	OF FUNCTION CHUNK FOR SepAccessCheck

loc_5EB8BD:				; CODE XREF: SepAccessCheck+627j
		mov	edi, [ebp+arg_18]
		mov	eax, esi
		and	eax, 0FEFFFFFFh
		mov	[esp+0A8h+var_68], 1
		or	edi, 1000000h
		mov	[esp+0A8h+var_84], eax
		mov	[esp+0A8h+var_8D], 1
		test	eax, eax
		jz	loc_51D264
		jmp	loc_51D111
; 

loc_5EB8EB:				; CODE XREF: SepAccessCheck+498j
		inc	[esp+0A8h+var_68]
		and	edx, 0FFF7FFFFh
		or	edi, 80000h
		mov	[esp+0A8h+var_84], edx
		mov	byte ptr [esp+0A8h+var_54], 1
		test	edx, edx
		jz	loc_51D264
		jmp	loc_51D473
; 

loc_5EB911:				; CODE XREF: SepAccessCheck+149j
		mov	esi, [esp+0A8h+var_94]
		mov	eax, [esp+0A8h+var_8C]
		mov	[esi+0Ch], edx
		mov	ecx, [eax+0B0h]
		test	ecx, 4000h
		jz	short loc_5EB930
		mov	eax, [esi]
		not	eax
		and	edi, eax

loc_5EB930:				; CODE XREF: SepAccessCheck+CE8D8j
		cmp	edx, 2000000h
		jnz	short loc_5EB941
		test	edi, edi
		jz	short loc_5EB959
		jmp	loc_51D264
; 

loc_5EB941:				; CODE XREF: SepAccessCheck+CE8E6j
		test	edx, edx
		jnz	short loc_5EB959
		cmp	[esi], edx
		jz	short loc_5EB959
		test	edi, edi
		jz	short loc_5EB959
		test	ecx, 6000h
		jz	loc_51D264

loc_5EB959:				; CODE XREF: SepAccessCheck+CE8EAj
					; SepAccessCheck+CE8F3j ...
		xor	edi, edi
		jmp	loc_51D305
; 

loc_5EB960:				; CODE XREF: SepAccessCheck+154j
		mov	edx, [esp+0A8h+var_78]
		mov	ecx, eax
		mov	[esp+0A8h+var_7C], eax
		jmp	loc_51D1C6
; 

loc_5EB96F:				; CODE XREF: SepAccessCheck+63Dj
		mov	ecx, [eax]
		mov	eax, [eax+4]
		or	ecx, edx
		not	eax
		jmp	loc_51D3F8
; 

loc_5EB97D:				; CODE XREF: SepAccessCheck+369j
		xor	cl, cl
		or	esi, edi
		cmp	[esp+0A8h+var_44], 0
		mov	[esp+0A8h+var_95], cl
		mov	[esp+0A8h+var_96], cl
		jz	short loc_5EB9A0
		mov	[esp+0A8h+var_64], 0FDFFFFFFh
		and	esi, 0FDFFFFFFh
		jmp	short loc_5EB9A4
; 

loc_5EB9A0:				; CODE XREF: SepAccessCheck+CE93Ej
		mov	[esp+0A8h+var_64], esi

loc_5EB9A4:				; CODE XREF: SepAccessCheck+CE94Ej
		cmp	[esp+0A8h+var_7C], 0
		mov	[esp+0A8h+var_6C], 0
		jz	loc_5EBA3F
		mov	ebx, [esp+0A8h+var_60]
		mov	ecx, [esp+0A8h+var_5C]
		sub	ecx, ebx
		mov	[esp+0A8h+var_70], ebx
		mov	[esp+0A8h+var_44], ecx

loc_5EB9C9:				; CODE XREF: SepAccessCheck+CE9E9j
		mov	ecx, [edx]
		mov	eax, [esp+0A8h+var_44]
		or	ecx, edi
		and	ecx, [esp+0A8h+var_64]
		mov	[eax+ebx], ecx
		mov	eax, [esp+0A8h+var_7C]
		jnz	short loc_5EB9EB
		mov	dword ptr [ebx], 0C0000022h
		mov	[esp+0A8h+var_96], 1
		jmp	short loc_5EBA24
; 

loc_5EB9EB:				; CODE XREF: SepAccessCheck+CE98Cj
		mov	ebx, [esp+0A8h+var_60]
		not	ecx
		mov	eax, [esp+0A8h+var_6C]
		test	ecx, esi
		lea	eax, [ebx+eax*4]
		mov	ebx, [esp+0A8h+var_70]
		mov	[esp+0A8h+var_74], eax
		mov	eax, [esp+0A8h+var_7C]
		mov	ecx, [esp+0A8h+var_74]
		jz	short loc_5EBA19
		mov	dword ptr [ecx], 0C0000022h
		mov	[esp+0A8h+var_96], 1
		jmp	short loc_5EBA24
; 

loc_5EBA19:				; CODE XREF: SepAccessCheck+CE9BAj
		mov	dword ptr [ecx], 0
		mov	[esp+0A8h+var_95], 1

loc_5EBA24:				; CODE XREF: SepAccessCheck+CE999j
					; SepAccessCheck+CE9C7j
		mov	ecx, [esp+0A8h+var_6C]
		add	ebx, 4
		inc	ecx
		mov	[esp+0A8h+var_70], ebx
		add	edx, 2Ch
		mov	[esp+0A8h+var_6C], ecx
		cmp	ecx, eax
		jb	short loc_5EB9C9
		mov	ebx, [esp+0A8h+var_58]

loc_5EBA3F:				; CODE XREF: SepAccessCheck+CE961j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	cl, [esp+0A8h+var_95]
		cmp	al, 2
		jnb	short loc_5EBAAE
		test	cl, cl
		jz	short loc_5EBAAE
		mov	eax, [esp+0A8h+var_68]
		test	eax, eax
		jz	short loc_5EBAAE
		mov	esi, [esp+0A8h+var_4C]
		mov	ecx, eax
		mov	dl, [esp+0A8h+var_8D]
		push	esi
		push	[esp+0ACh+var_54]
		push	[esp+0B0h+var_50]
		call	SepAssemblePrivileges
		test	esi, esi
		jz	short loc_5EBAAA
		cmp	dword ptr [esi], 0
		jnz	short loc_5EBAAA
		mov	eax, [esp+0A8h+var_7C]
		xor	dh, dh
		xor	cl, cl
		mov	dl, 1
		test	eax, eax
		jz	short loc_5EBAB6
		mov	edi, [esp+0A8h+var_60]
		mov	esi, [esp+0A8h+var_5C]
		sub	edi, esi

loc_5EBA92:				; CODE XREF: SepAccessCheck+CEA56j
		mov	dword ptr [edi+esi], 0C0000017h
		lea	esi, [esi+4]
		mov	dword ptr [esi-4], 0
		sub	eax, 1
		jnz	short loc_5EBA92
		jmp	short loc_5EBAB6
; 

loc_5EBAAA:				; CODE XREF: SepAccessCheck+CEA23j
					; SepAccessCheck+CEA28j
		mov	cl, [esp+0A8h+var_95]

loc_5EBAAE:				; CODE XREF: SepAccessCheck+CE9FBj
					; SepAccessCheck+CE9FFj ...
		mov	dl, [esp+0A8h+var_96]
		mov	dh, [esp+0A8h+var_97]

loc_5EBAB6:				; CODE XREF: SepAccessCheck+CEA36j
					; SepAccessCheck+CEA58j
		test	ebx, ebx
		jz	short loc_5EBABC
		mov	[ebx], cl

loc_5EBABC:				; CODE XREF: SepAccessCheck+CEA68j
		mov	ecx, [esp+0A8h+var_48]
		test	ecx, ecx
		jz	loc_51D2B9
		mov	[ecx], dl
		jmp	loc_51D2B9
; 

loc_5EBACF:				; CODE XREF: SepAccessCheck+45Aj
		xor	dh, dh
		mov	esi, 0C0000017h
		xor	edi, edi
		jmp	loc_51D288
; 

loc_5EBADD:				; CODE XREF: SepAccessCheck+23Cj
		cmp	[ebp+arg_10], 0
		jbe	loc_51D29E
		mov	ecx, [esp+0A8h+var_60]
		mov	eax, [esp+0A8h+var_5C]
		sub	ecx, eax

loc_5EBAF1:				; CODE XREF: SepAccessCheck+CEAAFj
		sub	[ebp+arg_10], 1
		lea	eax, [eax+4]
		mov	[eax+ecx-4], esi
		mov	[eax-4], edi
		jnz	short loc_5EBAF1
		jmp	loc_51D29E
; END OF FUNCTION CHUNK	FOR SepAccessCheck
; 
; START	OF FUNCTION CHUNK FOR ExReleaseResourceAndLeaveCriticalRegion

loc_5EBB06:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+16j
		test	cl, 40h
		jnz	loc_51D6BC
		push	0
		push	0
		push	esi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EBB20:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+C4j
		push	0
		push	2
		movzx	eax, al
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EBB34:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+CAj
		cmp	al, 1
		jnb	short loc_5EBB5C
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_5EBB5C
		cmp	dword ptr [ecx+13Ch], 0
		jnz	short loc_5EBB5C
		push	0
		push	0
		push	0
		push	7
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EBB5C:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+CE496j
					; ExReleaseResourceAndLeaveCriticalRegion+CE49Fj ...
		movzx	ecx, word ptr [esi+0Eh]
		jmp	loc_51D6C5
; 

loc_5EBB65:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+28j
		mov	ecx, esi
		call	_ExpFastResourceLegacyRelease@4	; ExpFastResourceLegacyRelease(x)
		jmp	loc_51D71F
; 

loc_5EBB71:				; CODE XREF: ExReleaseResourceAndLeaveCriticalRegion+5Aj
					; ExReleaseResourceAndLeaveCriticalRegion+67j
		mov	eax, edi
		and	eax, 3
		cmp	al, 3
		jz	loc_51D70D
		cmp	edi, edx
		jz	loc_51D70D
		push	0
		push	edi
		push	edx
		push	esi
		push	16Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5EBB96:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+17j
		mov	byte ptr [ebp+var_4], 1
		jmp	loc_51D791
; END OF FUNCTION CHUNK	FOR ExReleaseResourceAndLeaveCriticalRegion
; 
; START	OF FUNCTION CHUNK FOR ExpReleaseResourceExclusiveForThreadLite

loc_5EBB9F:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+25j
					; ExpReleaseResourceExclusiveForThreadLite+32j
		cmp	[edi+18h], edx
		jz	loc_51D7A8
		mov	eax, [edi+8]
		push	1
		push	eax
		push	edx
		push	edi
		push	0E3h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EBBBA:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+16Ej
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51D905
; 

loc_5EBBCA:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+62j
		and	ebx, 0FFFFFFFCh
		jmp	loc_51D7DD
; 

loc_5EBBD2:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+227j
		xor	ecx, ecx
		jmp	loc_51D9BA
; 

loc_5EBBD9:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+D0j
		mov	al, 1
		jmp	loc_51D848
; 

loc_5EBBE0:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+103j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51D896
; 

loc_5EBBEF:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+283j
		cmp	al, 2
		jnz	loc_5EBCF0
		mov	byte ptr [ecx+9], 5
		mov	eax, [ecx+0Ch]
		mov	[ebp+arg_0], eax
		add	eax, 8
		mov	dword ptr [ecx], 0
		mov	[ebp+var_28], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_2C], eax
		mov	eax, [eax+4]
		mov	[ebp+var_14], eax
		jz	short loc_5EBC44
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_14]
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_5EBC44:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CE4BCj
		mov	ecx, [ebp+arg_0]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [ebp+var_28]
		mov	ecx, [ebp+arg_0]
		cmp	[edx], edx
		jz	short loc_5EBC8B
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+1Ch]
		jnb	short loc_5EBC8B
		mov	eax, [ebp+var_14]
		mov	eax, [eax+0A4h]
		cmp	eax, ecx
		jnz	short loc_5EBC77
		mov	eax, [ebp+var_14]
		cmp	byte ptr [eax+18Bh], 0Fh
		jz	short loc_5EBC8B

loc_5EBC77:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CE4F9j
		push	[ebp+var_18]
		mov	edx, ecx
		mov	ecx, [ebp+var_2C]
		call	KiWakeQueueWaiter
		mov	ecx, [ebp+arg_0]
		test	al, al
		jnz	short loc_5EBCD6

loc_5EBC8B:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CE4E4j
					; ExpReleaseResourceExclusiveForThreadLite+CE4ECj ...
		mov	eax, [ecx+4]
		mov	[ebp+var_14], eax
		inc	eax
		mov	[ecx+4], eax
		lea	eax, [ecx+10h]
		mov	esi, [eax+4]
		mov	[ebp+var_28], esi
		cmp	[esi], eax
		jnz	loc_51D978
		cmp	[ebp+var_14], 0
		lea	esi, [ecx+10h]
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+var_28]
		mov	[eax], esi
		mov	esi, [ebp+var_C]
		mov	[eax+4], edx
		mov	[edx], eax
		lea	edx, [ecx+8]
		mov	[ecx+14h], eax
		jnz	short loc_5EBCD6
		cmp	[edx], edx
		jz	short loc_5EBCD6
		mov	edx, ecx
		mov	ecx, [ebp+var_2C]
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		mov	ecx, [ebp+arg_0]

loc_5EBCD6:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CE519j
					; ExpReleaseResourceExclusiveForThreadLite+CE553j ...
		mov	eax, 0FFFFFF7Fh
		lock and [ecx],	eax
		mov	eax, [ebp+var_1C]
		add	dword ptr [eax+10h], 0FFFFFFFFh
		jz	loc_51DA1E
		jmp	loc_51DD3D
; 

loc_5EBCF0:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CE481j
		push	0
		mov	edx, ecx
		mov	ecx, esi
		push	100h
		call	KiTryUnwaitThread
		jmp	loc_51DD3D
; 

loc_5EBD05:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+55Bj
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_14]
		call	KiIsThreadRankNonZero
		test	al, al
		jz	short loc_5EBD1C
		mov	[ebp+var_1], bl
		jmp	loc_51DCDA
; 

loc_5EBD1C:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+CE5A2j
		mov	edx, [ebp+var_14]
		jmp	loc_51DCD1
; 

loc_5EBD24:				; CODE XREF: ExpReleaseResourceExclusiveForThreadLite+14Dj
		push	[ebp+var_34]
		mov	edx, edi
		mov	ecx, ebx
		push	esi
		call	@PerfLogExecutiveResourceRelease@16 ; PerfLogExecutiveResourceRelease(x,x,x,x)
		jmp	loc_51D8C3
; END OF FUNCTION CHUNK	FOR ExpReleaseResourceExclusiveForThreadLite
; 
; START	OF FUNCTION CHUNK FOR ExpAcquireResourceExclusiveLite

loc_5EBD36:				; CODE XREF: ExpAcquireResourceExclusiveLite+30j
		mov	bl, 1
		jmp	loc_51DDC8
; 

loc_5EBD3D:				; CODE XREF: ExpAcquireResourceExclusiveLite+5Cj
		mov	edx, edi
		lea	ecx, [ebp+var_18]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_51DDFF
; 

loc_5EBD4C:				; CODE XREF: ExpAcquireResourceExclusiveLite+A4j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51DE5C
; 

loc_5EBD5C:				; CODE XREF: ExpAcquireResourceExclusiveLite+E5j
		mov	eax, [esi+24h]
		mov	edx, esi
		push	eax
		push	1
		mov	ecx, 10021h
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		jmp	loc_51DE7B
; 

loc_5EBD73:				; CODE XREF: ExpAcquireResourceExclusiveLite+112j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51DECA
; 

loc_5EBD83:				; CODE XREF: ExpAcquireResourceExclusiveLite+153j
		mov	eax, [esi+24h]
		mov	ecx, 10031h
		push	eax
		push	edi
		jmp	loc_5EBE25
; 

loc_5EBD92:				; CODE XREF: ExpAcquireResourceExclusiveLite+15Fj
		test	ds:byte_70EFC6,	1
		jz	short loc_5EBDA8
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5EBDD9
; 

loc_5EBDA8:				; CODE XREF: ExpAcquireResourceExclusiveLite+CE009j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_5EBDC7
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	short loc_5EBDD9
		call	KxWaitForLockChainValid

loc_5EBDC7:				; CODE XREF: ExpAcquireResourceExclusiveLite+CE01Dj
		mov	[ebp+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx

loc_5EBDD9:				; CODE XREF: ExpAcquireResourceExclusiveLite+CE016j
					; ExpAcquireResourceExclusiveLite+CE030j
		mov	cl, byte ptr [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	large dword ptr	fs:4208h
		xor	bh, bh
		jmp	loc_51DE7B
; 

loc_5EBDF0:				; CODE XREF: ExpAcquireResourceExclusiveLite+2D0j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EBDF7:				; CODE XREF: ExpAcquireResourceExclusiveLite+1AEj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51DF66
; 

loc_5EBE07:				; CODE XREF: ExpAcquireResourceExclusiveLite+1E8j
		push	0
		mov	edx, esi
		mov	ecx, 10024h
		call	@PerfLogExecutiveResourceWait@12 ; PerfLogExecutiveResourceWait(x,x,x)
		jmp	loc_51DF7E
; 

loc_5EBE1A:				; CODE XREF: ExpAcquireResourceExclusiveLite+2BFj
		mov	eax, [esi+24h]
		mov	ecx, 10021h
		push	eax
		push	1

loc_5EBE25:				; CODE XREF: ExpAcquireResourceExclusiveLite+CDFFDj
		mov	edx, esi
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		jmp	loc_51DEE9
; END OF FUNCTION CHUNK	FOR ExpAcquireResourceExclusiveLite
; 
; START	OF FUNCTION CHUNK FOR ExEnterCriticalRegionAndAcquireResourceExclusive

loc_5EBE31:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceExclusive+26j
		test	cl, 40h
		jnz	loc_51E13C
		push	0
		push	0
		push	esi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EBE4B:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceExclusive+60j
		push	0
		push	1
		movzx	eax, al
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EBE5F:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceExclusive+66j
		test	byte ptr [ecx+84h], 2
		jz	short loc_5EBE7A
		push	0
		push	0
		push	0
		push	6
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EBE7A:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceExclusive+CDD56j
		cmp	al, 1
		jnb	short loc_5EBEA2
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_5EBEA2
		cmp	dword ptr [ecx+13Ch], 0
		jnz	short loc_5EBEA2
		push	0
		push	0
		push	0
		push	7
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EBEA2:				; CODE XREF: ExEnterCriticalRegionAndAcquireResourceExclusive+CDD6Cj
					; ExEnterCriticalRegionAndAcquireResourceExclusive+CDD75j ...
		movzx	ecx, word ptr [esi+0Eh]
		jmp	loc_51E141
; END OF FUNCTION CHUNK	FOR ExEnterCriticalRegionAndAcquireResourceExclusive
; 
; START	OF FUNCTION CHUNK FOR ExAcquireResourceExclusiveLite

loc_5EBEAB:				; CODE XREF: ExAcquireResourceExclusiveLite+26j
		test	cl, 40h
		jnz	loc_51E1BC
		push	0
		push	0
		push	esi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EBEC5:				; CODE XREF: ExAcquireResourceExclusiveLite+365j
		push	0
		movzx	ecx, bl
		push	ecx
		movzx	eax, dl
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EBEDB:				; CODE XREF: ExAcquireResourceExclusiveLite+36Bj
		cmp	dl, 2
		jb	short loc_5EBEFF
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jz	short loc_5EBEFF
		push	0
		push	0
		push	0
		push	5
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EBEFF:				; CODE XREF: ExAcquireResourceExclusiveLite+CDD4Ej
					; ExAcquireResourceExclusiveLite+CDD5Bj
		movzx	eax, byte ptr [ecx+84h]
		test	al, 2
		jz	short loc_5EBF1C
		push	0
		push	0
		push	0
		push	6
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EBF1C:				; CODE XREF: ExAcquireResourceExclusiveLite+CDD78j
		cmp	dl, 1
		jnb	short loc_5EBF45
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_5EBF45
		cmp	dword ptr [ecx+13Ch], 0
		jnz	short loc_5EBF45
		push	0
		push	0
		push	0
		push	7
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EBF45:				; CODE XREF: ExAcquireResourceExclusiveLite+CDD8Fj
					; ExAcquireResourceExclusiveLite+CDD98j ...
		movzx	ecx, word ptr [esi+0Eh]
		jmp	loc_51E1C5
; 

loc_5EBF4E:				; CODE XREF: ExAcquireResourceExclusiveLite+38j
		mov	dl, bh
		mov	ecx, esi
		call	_ExpFastResourceLegacyAcquireExclusive@8 ; ExpFastResourceLegacyAcquireExclusive(x,x)
		jmp	loc_51E289
; 

loc_5EBF5C:				; CODE XREF: ExAcquireResourceExclusiveLite+6Dj
		mov	bh, 1
		jmp	loc_51E205
; 

loc_5EBF63:				; CODE XREF: ExAcquireResourceExclusiveLite+ABj
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51E267
; 

loc_5EBF74:				; CODE XREF: ExAcquireResourceExclusiveLite+F1j
		mov	eax, [esi+24h]
		mov	edx, esi
		push	eax
		push	1
		mov	ecx, 10021h
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		jmp	loc_51E287
; 

loc_5EBF8B:				; CODE XREF: ExAcquireResourceExclusiveLite+120j
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51E2DC
; 

loc_5EBF9C:				; CODE XREF: ExAcquireResourceExclusiveLite+166j
		mov	eax, [esi+24h]
		mov	ecx, 10031h
		push	eax
		push	edi
		jmp	short loc_5EBFEF
; 

loc_5EBFA8:				; CODE XREF: ExAcquireResourceExclusiveLite+291j
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51E445
; 

loc_5EBFB9:				; CODE XREF: ExAcquireResourceExclusiveLite+26Cj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EBFC0:				; CODE XREF: ExAcquireResourceExclusiveLite+1E0j
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51E39C
; 

loc_5EBFD1:				; CODE XREF: ExAcquireResourceExclusiveLite+21Fj
		push	0
		mov	edx, esi
		mov	ecx, 10024h
		call	@PerfLogExecutiveResourceWait@12 ; PerfLogExecutiveResourceWait(x,x,x)
		jmp	loc_51E3B5
; 

loc_5EBFE4:				; CODE XREF: ExAcquireResourceExclusiveLite+262j
		mov	eax, [esi+24h]
		mov	ecx, 10021h
		push	eax
		push	1

loc_5EBFEF:				; CODE XREF: ExAcquireResourceExclusiveLite+CDE16j
		mov	edx, esi
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		jmp	loc_51E2FC
; END OF FUNCTION CHUNK	FOR ExAcquireResourceExclusiveLite
; 
; START	OF FUNCTION CHUNK FOR ExAcquireResourceSharedLite

loc_5EBFFB:				; CODE XREF: ExAcquireResourceSharedLite+1Fj
		test	cl, 40h
		jnz	loc_51E535
		push	0
		push	0
		push	esi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC015:				; CODE XREF: ExAcquireResourceSharedLite+4Fj
		push	0
		movzx	ecx, bh
		push	ecx
		movzx	eax, dl
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC02B:				; CODE XREF: ExAcquireResourceSharedLite+55j
		cmp	dl, 2
		jb	short loc_5EC04F
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jz	short loc_5EC04F
		push	0
		push	0
		push	0
		push	5
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC04F:				; CODE XREF: ExAcquireResourceSharedLite+CDB1Ej
					; ExAcquireResourceSharedLite+CDB2Bj
		test	byte ptr [ecx+84h], 2
		jz	short loc_5EC06A
		push	0
		push	0
		push	0
		push	6
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC06A:				; CODE XREF: ExAcquireResourceSharedLite+CDB46j
		cmp	dl, 1
		jnb	short loc_5EC093
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_5EC093
		cmp	dword ptr [ecx+13Ch], 0
		jnz	short loc_5EC093
		push	0
		push	0
		push	0
		push	7
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC093:				; CODE XREF: ExAcquireResourceSharedLite+CDB5Dj
					; ExAcquireResourceSharedLite+CDB66j ...
		movzx	ecx, word ptr [esi+0Eh]
		jmp	loc_51E53A
; END OF FUNCTION CHUNK	FOR ExAcquireResourceSharedLite
; 
; START	OF FUNCTION CHUNK FOR ExpAcquireResourceSharedLite

loc_5EC09C:				; CODE XREF: ExpAcquireResourceSharedLite+42j
		mov	bh, 1
		jmp	loc_51E5CA
; 

loc_5EC0A3:				; CODE XREF: ExpAcquireResourceSharedLite+6Ej
		mov	edx, edi
		lea	ecx, [ebp+var_2C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_51E601
; 

loc_5EC0B2:				; CODE XREF: ExpAcquireResourceSharedLite+360j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51E908
; 

loc_5EC0C2:				; CODE XREF: ExpAcquireResourceSharedLite+3A7j
		mov	eax, [esi+24h]
		mov	edx, esi
		push	eax
		push	edi
		mov	ecx, 10031h
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		jmp	loc_51E7F4
; 

loc_5EC0D8:				; CODE XREF: ExpAcquireResourceSharedLite+2DCj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51E884
; 

loc_5EC0E8:				; CODE XREF: ExpAcquireResourceSharedLite+323j
		mov	eax, [esi+24h]
		mov	edx, esi
		push	eax
		push	[ebp+var_20]
		mov	ecx, 10051h
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		mov	bl, 1
		jmp	loc_51E678
; 

loc_5EC102:				; CODE XREF: ExpAcquireResourceSharedLite+612j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51EBB2
; 

loc_5EC112:				; CODE XREF: ExpAcquireResourceSharedLite+57Ej
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EC119:				; CODE XREF: ExpAcquireResourceSharedLite+427j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51E9CF
; 

loc_5EC129:				; CODE XREF: ExpAcquireResourceSharedLite+461j
		push	0
		mov	edx, esi
		mov	ecx, 10044h
		call	@PerfLogExecutiveResourceWait@12 ; PerfLogExecutiveResourceWait(x,x,x)
		jmp	loc_51E9E7
; 

loc_5EC13C:				; CODE XREF: ExpAcquireResourceSharedLite+4DAj
		xor	ecx, ecx
		jmp	loc_51EA67
; 

loc_5EC143:				; CODE XREF: ExpAcquireResourceSharedLite+22Dj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51E7D5
; 

loc_5EC153:				; CODE XREF: ExpAcquireResourceSharedLite+26Ej
		mov	eax, [esi+24h]
		mov	edx, esi
		push	eax
		push	1
		mov	ecx, 10041h
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		mov	bl, 1
		jmp	loc_51E678
; 

loc_5EC16C:				; CODE XREF: ExpAcquireResourceSharedLite+B1j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51E659
; 

loc_5EC17C:				; CODE XREF: ExpAcquireResourceSharedLite+F2j
		mov	ecx, [esi+24h]
		mov	edx, esi
		push	ecx
		push	1
		mov	ecx, 10041h
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)
		jmp	loc_51E678
; END OF FUNCTION CHUNK	FOR ExpAcquireResourceSharedLite
; 
; START	OF FUNCTION CHUNK FOR ExReleaseResourceLite

loc_5EC193:				; CODE XREF: ExReleaseResourceLite+18j
		test	cl, 40h
		jnz	loc_51EE8E
		push	0
		push	0
		push	esi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC1AD:				; CODE XREF: ExReleaseResourceLite+C2j
		push	0
		push	2
		movzx	eax, al
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC1C1:				; CODE XREF: ExReleaseResourceLite+C8j
		cmp	al, 1
		jnb	short loc_5EC1E9
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_5EC1E9
		cmp	dword ptr [ecx+13Ch], 0
		jnz	short loc_5EC1E9
		push	0
		push	0
		push	0
		push	7
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC1E9:				; CODE XREF: ExReleaseResourceLite+CD353j
					; ExReleaseResourceLite+CD35Cj	...
		movzx	ecx, word ptr [esi+0Eh]
		jmp	loc_51EE97
; 

loc_5EC1F2:				; CODE XREF: ExReleaseResourceLite+2Aj
		mov	ecx, esi
		call	_ExpFastResourceLegacyRelease@4	; ExpFastResourceLegacyRelease(x)
		jmp	loc_51EF06
; 

loc_5EC1FE:				; CODE XREF: ExReleaseResourceLite+55j
		mov	edx, edi
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_51EED4
; 

loc_5EC20D:				; CODE XREF: ExReleaseResourceLite+72j
					; ExReleaseResourceLite+7Fj
		mov	eax, ebx
		and	eax, 3
		cmp	al, 3
		jz	loc_51EEF5
		cmp	ebx, edx
		jz	loc_51EEF5
		push	0
		push	ebx
		push	edx
		push	esi
		push	16Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5EC232:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+1Ej
		mov	byte ptr [ebp+var_4+3],	1
		jmp	loc_51EF68
; END OF FUNCTION CHUNK	FOR ExReleaseResourceLite
; 
; START	OF FUNCTION CHUNK FOR ExpReleaseResourceSharedForThreadLite

loc_5EC23B:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+2Bj
		xor	eax, eax
		jmp	loc_51EF78
; 

loc_5EC242:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+1AAj
					; ExpReleaseResourceSharedForThreadLite+1C4j ...
		push	2
		push	[ebp+var_20]
		push	ebx
		push	edi
		push	0E3h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC253:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+22Fj
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51F196
; 

loc_5EC263:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+6Ej
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_20], ecx
		jmp	loc_51EFBC
; 

loc_5EC26E:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+95j
		push	746C6644h
		push	ecx
		call	ObDereferenceObjectDeferDeleteWithTag
		mov	edx, [ebp+var_C]
		and	dword ptr [edx+4], 0FFFFFFFDh
		jmp	loc_51EFDB
; 

loc_5EC285:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+29Aj
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_51F266
		mov	[ecx], esi
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[esi+4], ecx
		jmp	loc_51F1E5
; 

loc_5EC29F:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+27Fj
		xor	edx, edx
		mov	[ebp+var_20], edx
		jmp	loc_51F1ED
; 

loc_5EC2A9:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+C0j
		mov	esi, [edi+10h]
		mov	[edi+10h], edx
		mov	ecx, [edi+28h]
		mov	[ebp+var_8], esi
		mov	[edi+28h], edx
		jmp	loc_51F008
; 

loc_5EC2BD:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+109j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51F06C
; 

loc_5EC2CC:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+356j
		cmp	dl, 2
		jnz	loc_5EC3CB
		mov	byte ptr [eax+9], 5
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_C], ecx
		add	ecx, 8
		mov	dword ptr [eax], 0
		mov	[ebp+var_24], ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_28], eax
		mov	eax, [eax+4]
		mov	[ebp+var_18], eax
		jz	short loc_5EC322
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_18]
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_5EC322:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+CD3CAj
		mov	ecx, [ebp+var_C]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_C]
		cmp	[edx], edx
		jz	short loc_5EC369
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+1Ch]
		jnb	short loc_5EC369
		mov	eax, [ebp+var_18]
		mov	eax, [eax+0A4h]
		cmp	eax, ecx
		jnz	short loc_5EC355
		mov	eax, [ebp+var_18]
		cmp	byte ptr [eax+18Bh], 0Fh
		jz	short loc_5EC369

loc_5EC355:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+CD407j
		push	[ebp+var_10]
		mov	edx, ecx
		mov	ecx, [ebp+var_28]
		call	KiWakeQueueWaiter
		mov	ecx, [ebp+var_C]
		test	al, al
		jnz	short loc_5EC3B4

loc_5EC369:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+CD3F2j
					; ExpReleaseResourceSharedForThreadLite+CD3FAj	...
		mov	eax, [ecx+4]
		mov	[ebp+var_18], eax
		inc	eax
		mov	[ecx+4], eax
		lea	eax, [ecx+10h]
		mov	esi, [eax+4]
		mov	[ebp+var_24], esi
		cmp	[esi], eax
		jnz	loc_51F266
		cmp	[ebp+var_18], 0
		lea	esi, [ecx+10h]
		mov	eax, [ebp+var_10]
		mov	edx, [ebp+var_24]
		mov	[eax], esi
		mov	esi, [ebp+arg_0]
		mov	[eax+4], edx
		mov	[edx], eax
		lea	edx, [ecx+8]
		mov	[ecx+14h], eax
		jnz	short loc_5EC3B4
		cmp	[edx], edx
		jz	short loc_5EC3B4
		mov	edx, ecx
		mov	ecx, [ebp+var_28]
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		mov	ecx, [ebp+var_C]

loc_5EC3B4:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+CD427j
					; ExpReleaseResourceSharedForThreadLite+CD461j	...
		mov	eax, 0FFFFFF7Fh
		lock and [ecx],	eax
		mov	eax, [ebp+var_1C]
		add	dword ptr [eax+10h], 0FFFFFFFFh
		jz	loc_51F2C0
		jmp	short loc_5EC3D9
; 

loc_5EC3CB:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+CD38Fj
		push	0
		push	100h
		mov	edx, eax
		call	KiTryUnwaitThread

loc_5EC3D9:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+36Dj
					; ExpReleaseResourceSharedForThreadLite+37Aj ...
		mov	edx, [ebp+var_38]
		mov	ecx, [ebp+var_14]
		cmp	edx, [ebp+var_3C]
		jnz	loc_51F251
		jmp	loc_51F2C0
; 

loc_5EC3ED:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+38Ej
		mov	ecx, [ebp+var_14]
		jmp	loc_51F220
; 

loc_5EC3F5:				; CODE XREF: ExpReleaseResourceSharedForThreadLite+157j
		push	[ebp+var_30]
		mov	edx, edi
		mov	ecx, esi
		push	ebx
		call	@PerfLogExecutiveResourceRelease@16 ; PerfLogExecutiveResourceRelease(x,x,x,x)
		jmp	loc_51F09D
; END OF FUNCTION CHUNK	FOR ExpReleaseResourceSharedForThreadLite
; 
; START	OF FUNCTION CHUNK FOR ExIsResourceAcquiredSharedLite

loc_5EC407:				; CODE XREF: ExIsResourceAcquiredSharedLite+15j
		test	cl, 40h
		jnz	loc_51F82B
		push	0
		push	0
		push	esi
		push	0Fh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC421:				; CODE XREF: ExIsResourceAcquiredSharedLite+150j
		push	0
		push	2
		movzx	eax, al
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC435:				; CODE XREF: ExIsResourceAcquiredSharedLite+2Aj
		mov	ecx, esi
		call	_ExpFastResourceLegacyIsAcquiredShared@4 ; ExpFastResourceLegacyIsAcquiredShared(x)
		jmp	loc_51F856
; 

loc_5EC441:				; CODE XREF: ExIsResourceAcquiredSharedLite+8Bj
		lea	edx, [esi+34h]
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_51F8AD
; 

loc_5EC451:				; CODE XREF: ExIsResourceAcquiredSharedLite+D4j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_51F904
; END OF FUNCTION CHUNK	FOR ExIsResourceAcquiredSharedLite
; 
; START	OF FUNCTION CHUNK FOR ExAcquireFastMutex

loc_5EC461:				; CODE XREF: ExAcquireFastMutex+17Aj
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	loc_51FAF0
; 

loc_5EC46F:				; CODE XREF: ExAcquireFastMutex+ABj
					; ExAcquireFastMutex+BCj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_51FA35
; END OF FUNCTION CHUNK	FOR ExAcquireFastMutex
; 
; START	OF FUNCTION CHUNK FOR FsRtlLookupPerStreamContextInternal

loc_5EC47F:				; CODE XREF: FsRtlLookupPerStreamContextInternal+11j
		mov	ecx, [esi+28h]
		call	ExAcquireFastMutex
		jmp	loc_51FB4F
; 

loc_5EC48C:				; CODE XREF: FsRtlLookupPerStreamContextInternal+3Aj
		mov	ecx, [edx]
		cmp	ecx, edx
		jz	loc_51FB77
		mov	ebx, [ebp+arg_4]

loc_5EC499:				; CODE XREF: FsRtlLookupPerStreamContextInternal+CC98Ej
		cmp	[ecx+8], ebx
		jnz	short loc_5EC4AA
		cmp	[ecx+0Ch], eax
		jnz	short loc_5EC4AA
		mov	edi, ecx
		jmp	loc_51FB77
; 

loc_5EC4AA:				; CODE XREF: FsRtlLookupPerStreamContextInternal+CC97Cj
					; FsRtlLookupPerStreamContextInternal+CC981j
		mov	ecx, [ecx]
		cmp	ecx, edx
		jnz	short loc_5EC499
		jmp	loc_51FB77
; 

loc_5EC4B5:				; CODE XREF: FsRtlLookupPerStreamContextInternal+5Fj
		mov	ecx, [esi+28h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_51FBA0
; END OF FUNCTION CHUNK	FOR FsRtlLookupPerStreamContextInternal
; 
; START	OF FUNCTION CHUNK FOR ExReleaseCacheAwarePushLockSharedEx

loc_5EC4C2:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+15j
		push	0
		push	0
		push	esi
		push	eax
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC4D2:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+16Ej
		push	0
		push	[ebp+var_8]
		push	esi
		push	edi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC4E3:				; CODE XREF: ExReleaseCacheAwarePushLockSharedEx+FFj
		mov	al, 1
		lea	esi, [edi+222h]
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_14]
		jmp	loc_51FEC5
; END OF FUNCTION CHUNK	FOR ExReleaseCacheAwarePushLockSharedEx
; 
; START	OF FUNCTION CHUNK FOR ExAcquireCacheAwarePushLockSharedEx

loc_5EC4F8:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+14j
		push	0
		push	0
		push	edx
		push	eax
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC508:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx+172j
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [ebp+var_4]
		jmp	loc_5200D8
; 

loc_5EC517:				; CODE XREF: ExAcquireCacheAwarePushLockSharedEx:loc_52004Cj
		nop
		add	esi, 70h
		cmp	[esi], esi
		jz	loc_520052
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_520052
; END OF FUNCTION CHUNK	FOR ExAcquireCacheAwarePushLockSharedEx
; 
; START	OF FUNCTION CHUNK FOR ObfDereferenceObjectWithTag

loc_5EC52D:				; CODE XREF: ObfDereferenceObjectWithTag+18j
		push	edx
		push	1
		xor	dl, dl
		mov	ecx, edi
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		jmp	loc_5215FE
; 

loc_5EC53E:				; CODE XREF: ObfDereferenceObjectWithTag+38j
		push	eax
		mov	eax, edi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		push	1
		xor	ecx, eax
		push	ebx
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		push	eax
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EC568:				; CODE XREF: ObfDereferenceObjectWithTag+40j
		push	esi
		push	2
		push	ebx
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5EC576:				; CODE XREF: IopReferenceFileObject+3Bj
		mov	ecx, [edi]
		call	ObfDereferenceObject
		mov	eax, 0C0000910h
		jmp	loc_5216E3
; END OF FUNCTION CHUNK	FOR ObfDereferenceObjectWithTag
; 
; START	OF FUNCTION CHUNK FOR IopFileObjectRevoked

loc_5EC587:				; CODE XREF: IopFileObjectRevoked+13j
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		call	_PsIsProcessAppContainer@4 ; PsIsProcessAppContainer(x)
		test	al, al
		jz	loc_52172A
		mov	al, 1
		pop	ecx
		retn
; END OF FUNCTION CHUNK	FOR IopFileObjectRevoked
; 
; START	OF FUNCTION CHUNK FOR SeClearLearningModeObjectInformation

loc_5EC5A4:				; CODE XREF: SeClearLearningModeObjectInformation+27j
		mov	eax, 1

loc_5EC5A9:				; CODE XREF: SeClearLearningModeObjectInformation+CABFFj
		mov	ecx, [edi+360h]
		test	ecx, ecx
		jz	loc_521A2D

loc_5EC5B7:				; CODE XREF: SeClearLearningModeObjectInformation+37j
		cmp	[ecx+4], eax
		jnz	loc_521A2D
		mov	eax, [ecx]
		mov	[edi+360h], eax
		cmp	dword ptr [ecx+10h], 0
		jz	loc_521A2D
		cmp	dword ptr [ecx+18h], 0
		jz	loc_521A2D
		lea	eax, [ecx+14h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	loc_521A2D
; 

loc_5EC5EA:				; CODE XREF: SeClearLearningModeObjectInformation+1Aj
		mov	eax, 2
		jmp	short loc_5EC5A9
; END OF FUNCTION CHUNK	FOR SeClearLearningModeObjectInformation
; 
; START	OF FUNCTION CHUNK FOR SepDeleteAccessState

loc_5EC5F1:				; CODE XREF: SepDeleteAccessState+Dj
		mov	eax, [edi]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_521A83
; 

loc_5EC600:				; CODE XREF: SepDeleteAccessState+18j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_521A8E
; 

loc_5EC60D:				; CODE XREF: SepDeleteAccessState+23j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_521A99
; 

loc_5EC61A:				; CODE XREF: SepDeleteAccessState+3Bj
		mov	ecx, [edi+3Ch]
		test	ecx, ecx
		jz	loc_521AB1
		mov	edx, [edi+30h]
		test	edx, edx
		jz	short loc_5EC630
		push	edx
		push	ecx
		call	eax

loc_5EC630:				; CODE XREF: SepDeleteAccessState+CABBAj
		mov	eax, [edi+34h]
		test	eax, eax
		jz	loc_521AB1
		push	eax
		mov	eax, [edi+3Ch]
		push	eax
		mov	eax, [edi+38h]
		call	eax
		jmp	loc_521AB1
; END OF FUNCTION CHUNK	FOR SepDeleteAccessState

;  S U B	R O U T	I N E 


sub_5EC64A	proc near		; CODE XREF: SeSetLearningModeObjectInformation+19j
		push	ebx
		xor	eax, eax
		lea	ebx, [esi+14h]
		mov	[ebx], eax
		mov	[ebx+4], eax
		mov	ecx, [esi+10h]
		push	edi
		test	ecx, ecx
		jz	loc_5EC78F
		mov	eax, large fs:124h
		push	0
		mov	dword ptr [ebp-14h], 0
		mov	al, [eax+15Ah]
		mov	[ebp-10h], al
		lea	eax, [ebp-14h]
		push	eax
		push	dword ptr [ebp-10h]
		push	0
		push	0
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [ebp-14h]
		mov	[ebp-10h], ecx
		test	eax, eax
		js	loc_5EC78F
		push	4F526553h
		push	208h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5EC787
		lea	eax, [ebp-4]
		push	eax
		push	208h
		push	edi
		push	dword ptr [ebp-10h]
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		cmp	eax, 0C0000004h
		jnz	short loc_5EC6FD
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	4F526553h
		push	dword ptr [ebp-4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5EC787
		lea	eax, [ebp-4]
		push	eax
		push	dword ptr [ebp-4]
		push	edi
		push	dword ptr [ebp-10h]
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)

loc_5EC6FD:				; CODE XREF: sub_5EC64A+80j
		test	eax, eax
		js	short loc_5EC77F
		cmp	dword ptr [edi+4], 0
		jz	short loc_5EC77F
		mov	eax, [esi+0Ch]
		push	4F526553h
		movzx	ecx, word ptr [eax+2]
		movzx	eax, word ptr [edi+2]
		add	ecx, 2
		add	eax, ecx
		push	eax
		push	1
		mov	[ebp-8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp-0Ch], eax
		test	eax, eax
		jz	short loc_5EC77F
		push	dword ptr [ebp-8] ; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [edi+4]
		add	esp, 0Ch
		mov	edx, [ebp-8]
		push	ecx
		mov	ecx, [ebp-0Ch]
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		mov	eax, [esi+0Ch]
		cmp	dword ptr [eax+4], 0
		jz	short loc_5EC776
		mov	edx, [ebp-8]
		mov	ecx, [ebp-0Ch]
		push	(offset	loc_5A53CA+2)
		call	_RtlStringCbCatW@12 ; RtlStringCbCatW(x,x,x)
		mov	eax, [esi+0Ch]
		mov	edx, [ebp-8]
		mov	ecx, [ebp-0Ch]
		mov	eax, [eax+4]
		push	eax
		call	_RtlStringCbCatW@12 ; RtlStringCbCatW(x,x,x)

loc_5EC776:				; CODE XREF: sub_5EC64A+108j
		push	dword ptr [ebp-0Ch]
		push	ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_5EC77F:				; CODE XREF: sub_5EC64A+B5j
					; sub_5EC64A+BBj ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5EC787:				; CODE XREF: sub_5EC64A+63j
					; sub_5EC64A+9Dj
		mov	ecx, [ebp-10h]
		call	ObfDereferenceObject

loc_5EC78F:				; CODE XREF: sub_5EC64A+11j
					; sub_5EC64A+48j
		mov	edi, large fs:124h
		call	_SepGetCurrentLogLevel@0 ; SepGetCurrentLogLevel()
		mov	[esi+4], eax
		mov	eax, [edi+360h]
		mov	[esi], eax
		mov	[edi+360h], esi
		pop	edi
		pop	ebx
		jmp	loc_521D3F
sub_5EC64A	endp

; 
; START	OF FUNCTION CHUNK FOR IoGetRelatedDeviceObject

loc_5EC7B3:				; CODE XREF: IoGetRelatedDeviceObject+42j
		mov	eax, [eax+8]
		test	eax, eax
		jnz	loc_5228F6
		jmp	loc_522928
; END OF FUNCTION CHUNK	FOR IoGetRelatedDeviceObject
; 
; START	OF FUNCTION CHUNK FOR KiExitDispatcher

loc_5EC7C3:				; CODE XREF: KiExitDispatcher+D8j
		push	0
		mov	dl, cl
		mov	ecx, [esp+2Ch+var_1C]
		push	eax
		call	_EtwTraceReadyThread@16	; EtwTraceReadyThread(x,x,x,x)
		mov	edx, [esp+28h+var_1C]
		jmp	loc_52334E
; 

loc_5EC7DA:				; CODE XREF: KiExitDispatcher+22Dj
		mov	eax, ds:_KeTickCount
		sub	eax, [ecx+138h]
		add	[ecx+170h], eax
		jmp	loc_5234A3
; END OF FUNCTION CHUNK	FOR KiExitDispatcher
; 
; START	OF FUNCTION CHUNK FOR KiDeferredReadySingleThread

loc_5EC7F0:				; CODE XREF: KiDeferredReadySingleThread+36j
					; KiDeferredReadySingleThread+C91EEj
		pause
		mov	edi, [esi+34h]
		mov	eax, [esi+30h]
		mov	[ebp+var_8], eax
		cmp	edi, [esi+38h]
		jnz	short loc_5EC7F0
		jmp	loc_52364C
; 

loc_5EC805:				; CODE XREF: KiDeferredReadySingleThread+410j
		mov	ecx, esi
		call	_KiIsForegroundThreadWithBoost@4 ; KiIsForegroundThreadWithBoost(x)
		test	al, al
		jz	loc_523A26
		mov	ah, [esi+15Ch]
		or	al, 0FFh
		mov	cl, ah
		and	ah, 0Fh
		shr	cl, 4
		sub	al, cl
		add	dl, al
		mov	al, [esi+15Bh]
		add	al, ah
		cmp	dl, al
		jge	short loc_5EC836
		mov	dl, al

loc_5EC836:				; CODE XREF: KiDeferredReadySingleThread+C9222j
		mov	[esi+15Ch], ah
		jmp	loc_523A53
; 

loc_5EC841:				; CODE XREF: KiDeferredReadySingleThread+1DAj
		mov	ebx, [esi+148h]
		lea	edx, [ebp+var_4C]
		and	ebx, 7FFFFFFFh
		mov	edi, ds:_KiProcessorBlock[ebx*4]
		mov	ecx, edi
		call	_KiPrcbInGroupAffinity@8 ; KiPrcbInGroupAffinity(x,x)
		test	eax, eax
		jnz	short loc_5EC873
		bsr	ebx, [ebp+var_4C]
		mov	[ebp+var_30], eax
		mov	[ebp+var_30], ebx
		mov	edi, ds:_KiProcessorBlock[ebx*4]

loc_5EC873:				; CODE XREF: KiDeferredReadySingleThread+C9250j
		lea	esi, [edi+2224h]
		mov	[ebp+var_34], 0

loc_5EC880:				; CODE XREF: KiDeferredReadySingleThread+C92A3j
		lock bts dword ptr [esi], 0
		jb	short loc_5EC8A5
		mov	esi, [ebp+var_1C]
		mov	[esi+148h], ebx
		mov	edx, [esi+50h]
		test	edx, edx
		jz	short loc_5EC89D
		add	edx, [edi+3B34h]

loc_5EC89D:				; CODE XREF: KiDeferredReadySingleThread+C9285j
		mov	[ebp+var_C], edx
		jmp	loc_523D0B
; 

loc_5EC8A5:				; CODE XREF: KiDeferredReadySingleThread+C9275j
					; KiDeferredReadySingleThread+C92A1j
		lea	ecx, [ebp+var_34]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5EC8A5
		jmp	short loc_5EC880
; 

loc_5EC8B5:				; CODE XREF: KiDeferredReadySingleThread+202j
		mov	edx, edi
		mov	ecx, esi
		call	_KiIsThreadRankBiased@8	; KiIsThreadRankBiased(x,x)
		test	al, al
		jz	loc_523818
		cmp	[ebp+var_1], 0
		jnz	loc_523818
		mov	bl, 1
		jmp	loc_52381A
; 

loc_5EC8D7:				; CODE XREF: KiDeferredReadySingleThread+1F2j
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_4C]
		mov	edx, esi
		push	eax
		call	_KiHeteroChooseTargetProcessor@16 ; KiHeteroChooseTargetProcessor(x,x,x,x)
		mov	edi, eax
		jmp	loc_523833
; 

loc_5EC8F0:				; CODE XREF: KiDeferredReadySingleThread+6B4j
		cmp	[ebp+var_1], 0
		jz	loc_523D0B
		jmp	loc_523858
; 

loc_5EC8FF:				; CODE XREF: KiDeferredReadySingleThread+84Cj
		mov	ecx, 1Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EC906:				; CODE XREF: KiDeferredReadySingleThread+288j
		mov	cl, 1
		jmp	loc_5238A0
; 

loc_5EC90D:				; CODE XREF: KiDeferredReadySingleThread+2D1j
		mov	ecx, 21h
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EC914:				; CODE XREF: KiDeferredReadySingleThread+383j
		push	ebx
		jmp	short loc_5EC929
; 

loc_5EC917:				; CODE XREF: KiDeferredReadySingleThread+8BEj
		mov	dl, 1
		jmp	loc_523ED6
; 

loc_5EC91E:				; CODE XREF: KiDeferredReadySingleThread+578j
		mov	cl, 1
		jmp	loc_523B90
; 

loc_5EC925:				; CODE XREF: KiDeferredReadySingleThread+5FFj
		push	ebx
		jmp	short loc_5EC929
; 

loc_5EC928:				; CODE XREF: KiDeferredReadySingleThread+731j
					; KiDeferredReadySingleThread+92Dj
		push	ecx

loc_5EC929:				; CODE XREF: KiDeferredReadySingleThread+C9305j
					; KiDeferredReadySingleThread+C9316j
		push	[ebp+var_8]
		mov	edx, 546h
		mov	ecx, esi
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)
		jmp	loc_523999
; END OF FUNCTION CHUNK	FOR KiDeferredReadySingleThread
; 
; START	OF FUNCTION CHUNK FOR KiChooseTargetProcessor

loc_5EC93D:				; CODE XREF: KiChooseTargetProcessor+B3j
		test	eax, eax
		jnz	loc_5240A1
		mov	eax, [edi+0Ch]
		mov	ecx, [edi+4Ch]
		and	ecx, eax
		mov	eax, ecx
		mov	[ebp+var_28], ecx
		and	eax, edx
		mov	[ebp+var_3C], eax
		mov	ecx, eax
		jmp	loc_524099
; 

loc_5EC95E:				; CODE XREF: KiChooseTargetProcessor+CFj
		mov	ecx, [ebp+var_34]
		lea	edx, [ebp+var_3C]
		call	@KiFindRankBiasedIdleSmtSet@8 ;	KiFindRankBiasedIdleSmtSet(x,x)
		test	al, al
		jz	short loc_5EC975
		mov	eax, [ebp+var_3C]
		jmp	loc_5240CD
; 

loc_5EC975:				; CODE XREF: KiChooseTargetProcessor+C898Bj
		mov	ch, [ebp+var_2B]
		jmp	loc_5240B5
; 

loc_5EC97D:				; CODE XREF: KiChooseTargetProcessor+E5j
		mov	eax, [ebp+var_28]
		not	eax
		mov	[ebp+var_28], eax
		movzx	eax, al
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_28]
		shr	eax, 8
		mov	[ebp+var_28], eax
		movzx	eax, al
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_28]
		shr	eax, 8
		mov	[ebp+var_28], eax
		movzx	eax, al
		add	cl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_28]
		shr	eax, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		cmp	eax, ds:_KiPerfIsoEnabled
		jb	loc_5241AA
		jmp	loc_5240CB
; 

loc_5EC9D2:				; CODE XREF: KiChooseTargetProcessor+12Dj
		test	esi, esi
		jz	loc_524115
		mov	ecx, [esi+4034h]
		and	ecx, eax
		jz	loc_524115
		jmp	loc_524113
; 

loc_5EC9ED:				; CODE XREF: KiChooseTargetProcessor+1DFj
		test	edx, edx
		jz	loc_5241C5
		push	[ebp+var_44]
		mov	edx, [ebp+var_4C]
		push	[ebp+var_48]
		push	ebx
		push	ecx
		mov	ecx, esi
		call	@KiSelectIdleProcessor@24 ; KiSelectIdleProcessor(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_52413C
		mov	ecx, [ebp+var_30]
		mov	esi, [ebp+var_40]
		mov	edx, [ebp+var_28]
		jmp	loc_5241C5
; 

loc_5ECA1F:				; CODE XREF: KiChooseTargetProcessor+200j
		cmp	ebx, ecx
		jz	loc_5241E6
		test	edx, edx
		jz	loc_5241E6
		push	[ebp+var_44]
		mov	edx, eax
		mov	ecx, esi
		push	[ebp+var_48]
		push	eax
		push	ebx
		call	@KiSelectIdleProcessor@24 ; KiSelectIdleProcessor(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_52413C
		mov	esi, [ebp+var_40]
		mov	edx, [ebp+var_28]
		jmp	loc_5241E6
; 

loc_5ECA55:				; CODE XREF: KiChooseTargetProcessor+252j
		movzx	ecx, word ptr [edi+8Ah]
		lea	edx, [ebp+var_70]
		call	MmGetNextNode
		mov	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	loc_524238
		mov	edx, 1
		shl	edx, cl
		test	edx, ebx
		mov	edx, [ebp+var_28]
		jz	loc_524230
		push	[ebp+var_44]
		mov	eax, ds:_KeNodeBlock[ecx*4]
		mov	ecx, esi
		push	[ebp+var_48]
		mov	edx, [ebp+var_4C]
		push	0
		push	eax
		mov	[ebp+var_38], eax
		call	@KiSelectIdleProcessor@24 ; KiSelectIdleProcessor(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_52413C
		mov	eax, [ebp+var_38]
		mov	edx, [ebp+var_28]
		mov	esi, [ebp+var_40]
		mov	eax, [eax+84h]
		not	eax
		and	edx, eax
		jmp	loc_524226
; 

loc_5ECAC0:				; CODE XREF: KiChooseTargetProcessor+3F8j
		cmp	al, 6
		jz	loc_524169
		jmp	loc_5243DE
; 

loc_5ECACD:				; CODE XREF: KiChooseTargetProcessor+26Aj
		mov	ecx, [ebp+var_34]
		lea	eax, [ebp+var_64]
		push	eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_6C], 0
		push	eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_68], 0
		push	eax
		lea	edx, [ebp+var_58]
		mov	[ebp+var_64], 0
		mov	[ebp+var_60], 0
		call	_KeQueryReadyQueueStatsProcessor@20 ; KeQueryReadyQueueStatsProcessor(x,x,x,x,x)
		mov	ecx, [ebp+var_64]
		add	ecx, [ebp+var_6C]
		mov	eax, [ebp+var_60]
		adc	eax, [ebp+var_68]
		mov	edx, ds:_KeSoftParkedQueueThreshold
		test	eax, eax
		jb	loc_524250
		ja	short loc_5ECB24
		cmp	ecx, edx
		jbe	loc_524250

loc_5ECB24:				; CODE XREF: KiChooseTargetProcessor+C8B3Aj
		mov	bl, 1
		mov	[ebp+var_29], bl
		jmp	loc_524250
; 

loc_5ECB2E:				; CODE XREF: KiChooseTargetProcessor+275j
		mov	edi, [ebp+var_50]
		jmp	loc_52401F
; 

loc_5ECB36:				; CODE XREF: KiChooseTargetProcessor+294j
		mov	edi, [ebp+var_50]
		jmp	loc_52433F
; 

loc_5ECB3E:				; CODE XREF: KiChooseTargetProcessor+2F8j
		test	al, 2
		jz	loc_5242F7

loc_5ECB46:				; CODE XREF: KiChooseTargetProcessor+311j
		mov	esi, [ebp+var_30]
		test	[ebp+var_3C], esi
		jz	loc_5242FA
		movzx	eax, byte ptr [edi+244h]
		cmp	eax, 2
		jz	short loc_5ECB67
		cmp	eax, 1
		jz	short loc_5ECB67
		xor	al, al
		jmp	short loc_5ECB69
; 

loc_5ECB67:				; CODE XREF: KiChooseTargetProcessor+C8B7Cj
					; KiChooseTargetProcessor+C8B81j
		mov	al, 1

loc_5ECB69:				; CODE XREF: KiChooseTargetProcessor+C8B85j
		test	al, al
		jz	loc_5242FA
		mov	[ebp+var_58], ebx
		cmp	ebx, ecx
		jnb	loc_5242FA
		mov	bl, [ebp+var_2A]
		mov	edi, [ebp+var_38]
		mov	ecx, [ebp+var_58]

loc_5ECB85:				; CODE XREF: KiChooseTargetProcessor+C8BCCj
		mov	eax, [ebp+var_3C]
		mov	edx, 1
		shl	edx, cl
		and	eax, edx
		test	eax, esi
		jz	short loc_5ECBA6
		mov	al, byte ptr [ebp+ecx+var_24]
		cmp	al, bl
		jge	short loc_5ECBA6
		mov	bl, al
		mov	eax, ecx
		mov	[ebp+var_28], eax
		jmp	short loc_5ECBA9
; 

loc_5ECBA6:				; CODE XREF: KiChooseTargetProcessor+C8BB3j
					; KiChooseTargetProcessor+C8BBBj
		mov	eax, [ebp+var_28]

loc_5ECBA9:				; CODE XREF: KiChooseTargetProcessor+C8BC4j
		inc	ecx
		cmp	ecx, edi
		jb	short loc_5ECB85
		mov	edi, [ebp+var_50]
		mov	[ebp+var_2A], bl
		mov	ebx, [ebp+var_78]
		test	eax, eax
		jns	loc_52432F
		mov	edx, [ebp+var_34]
		mov	ecx, [ebp+var_38]
		jmp	loc_5242FD
; 

loc_5ECBCA:				; CODE XREF: KiChooseTargetProcessor+392j
		mov	eax, [edx+0Ch]
		mov	ecx, [edx+4Ch]
		and	ecx, eax
		jmp	loc_52437A
; 

loc_5ECBD7:				; CODE XREF: KiChooseTargetProcessor+3BCj
		mov	eax, [ebp+var_30]
		xor	ecx, ecx
		lock and [eax],	ecx
		mov	ecx, [ebp+var_34]
		mov	edx, edi
		push	0FFFFFFFFh
		call	@KiSelectCandidateProcessor@12 ; KiSelectCandidateProcessor(x,x,x)
		mov	edx, eax
		test	bl, bl
		jnz	loc_5243A2
		test	byte ptr [edx+2238h], 1
		jnz	loc_5243A2
		mov	dword ptr [esi], 1
		jmp	loc_5243A2
; END OF FUNCTION CHUNK	FOR KiChooseTargetProcessor
; 
; START	OF FUNCTION CHUNK FOR KiTryLocalThreadSchedule

loc_5ECC0D:				; CODE XREF: KiTryLocalThreadSchedule+56j
		test	edx, edx
		jnz	loc_524480
		mov	eax, [ecx+0Ch]
		mov	edx, [ecx+4Ch]
		and	edx, eax
		mov	[ebp+var_4], edx
		and	edx, [ebp+arg_4]
		mov	[ebp+arg_0], edx
		mov	ebx, edx
		jmp	loc_52447C
; 

loc_5ECC2D:				; CODE XREF: KiTryLocalThreadSchedule+7Dj
		lea	edx, [ebp+arg_0]
		mov	ecx, esi
		call	@KiFindRankBiasedIdleSmtSet@8 ;	KiFindRankBiasedIdleSmtSet(x,x)
		test	al, al
		jnz	loc_524526
		mov	ecx, [ebp+var_8]
		jmp	loc_5244A3
; 

loc_5ECC47:				; CODE XREF: KiTryLocalThreadSchedule+8Dj
		mov	ebx, [ebp+var_4]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[ebx]
		movzx	eax, cl
		cmp	eax, ds:_KiPerfIsoEnabled
		jb	loc_524438
		jmp	loc_5244B3
; END OF FUNCTION CHUNK	FOR KiTryLocalThreadSchedule
; 
; START	OF FUNCTION CHUNK FOR IofCompleteRequest

loc_5ECC8A:				; CODE XREF: IofCompleteRequest+Fj
		cmp	eax, 3
		jnz	short loc_5ECC99
		call	@IopPerfCompleteRequest@8 ; IopPerfCompleteRequest(x,x)
		jmp	loc_52454A
; 

loc_5ECC99:				; CODE XREF: IofCompleteRequest+C875Dj
		call	@IovCompleteRequest@8 ;	IovCompleteRequest(x,x)
		jmp	loc_52454A
; END OF FUNCTION CHUNK	FOR IofCompleteRequest
; 
; START	OF FUNCTION CHUNK FOR IopDecrementDeviceObjectRef

loc_5ECCA3:				; CODE XREF: IopDecrementDeviceObjectRef+32j
		mov	edx, eax
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_525220
; 

loc_5ECCAF:				; CODE XREF: IopDecrementDeviceObjectRef+49j
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_5ECCD2
		mov	edx, 0A8h
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+4]

loc_5ECCD2:				; CODE XREF: IopDecrementDeviceObjectRef+C7AD4j
		push	eax
		push	6
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5ECCDF:				; CODE XREF: IopDecrementDeviceObjectRef+67j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_525262
; END OF FUNCTION CHUNK	FOR IopDecrementDeviceObjectRef
; 
; START	OF FUNCTION CHUNK FOR ExAllocatePoolWithQuotaTag

loc_5ECCEE:				; CODE XREF: ExAllocatePoolWithQuotaTag+70j
		mov	ecx, esi
		call	ExGetHeapFromVA
		mov	ecx, eax
		call	_ExpHpIsSpecialPoolHeap@4 ; ExpHpIsSpecialPoolHeap(x)
		test	eax, eax
		jnz	loc_525693
		jmp	loc_525566
; 

loc_5ECD09:				; CODE XREF: ExAllocatePoolWithQuotaTag+117j
					; ExAllocatePoolWithQuotaTag+278j ...
		mov	ebx, ds:dword_70EF4C[ebx*8]
		test	ebx, ebx
		jns	loc_525668
		mov	edx, [ebp+arg_8]
		push	edx
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+var_24], 0
		jnz	short loc_5ECD30
		push	ebx
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5ECD30:				; CODE XREF: ExAllocatePoolWithQuotaTag+C7838j
		xor	eax, eax
		jmp	loc_525695
; 

loc_5ECD37:				; CODE XREF: ExAllocatePoolWithQuotaTag+22Ej
		cmp	[ebp+var_24], 0
		jnz	loc_525693
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

loc_5ECD4C:				; CODE XREF: PspReturnQuota+72j
		mov	[ebp+arg_4], esi
		xor	edx, edx
		jmp	loc_5258FF
; END OF FUNCTION CHUNK	FOR ExAllocatePoolWithQuotaTag
; 
; START	OF FUNCTION CHUNK FOR PspReturnQuota

loc_5ECD56:				; CODE XREF: PspReturnQuota+90j
		cmp	[ebp+var_C], offset _PspSystemQuotaBlock
		jz	short loc_5ECD7A
		mov	eax, [ebp+var_18]
		mov	esi, ds:_PspSystemQuotaBlock[eax]
		lea	edi, _PspSystemQuotaBlock[eax]
		mov	[ebp+var_C], offset _PspSystemQuotaBlock
		jmp	loc_5258F0
; 

loc_5ECD7A:				; CODE XREF: PspReturnQuota+C74DDj
		push	ecx
		mov	ecx, [ebp+var_10]
		push	ebx
		push	[ebp+arg_0]
		push	ecx
		push	21h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5ECD8B:				; CODE XREF: ExFreeHeapPool+92j
		push	0
		push	edi
		push	0
		push	0
		push	0C2h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5ECD9C:				; CODE XREF: ExFreeHeapPool+9Fj
		mov	ecx, esi
		call	_ExpHpIsSpecialPoolHeap@4 ; ExpHpIsSpecialPoolHeap(x)
		test	eax, eax
		jz	loc_525A45
		or	eax, 0FFFFFFFFh
		lock xadd ds:_ExpSpecialAllocations, eax
		jnz	short loc_5ECDBF
		lock dec ds:dword_6D35AC

loc_5ECDBF:				; CODE XREF: PspReturnQuota+C7536j
		mov	edx, edi
		mov	ecx, esi
		call	_ExpFreeHeapSpecialPool@8 ; ExpFreeHeapSpecialPool(x,x)
		jmp	loc_525CEB
; END OF FUNCTION CHUNK	FOR PspReturnQuota
; 
; START	OF FUNCTION CHUNK FOR ExFreeHeapPool

loc_5ECDCD:				; CODE XREF: ExFreeHeapPool+550j
		mov	[esp+48h+var_34], 0
		jmp	loc_525EF6
; 

loc_5ECDDA:				; CODE XREF: ExFreeHeapPool+569j
		mov	dl, al
		mov	ecx, offset _ExpLargePoolTableLock
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	loc_525F35
; 

loc_5ECDEB:				; CODE XREF: ExFreeHeapPool+816j
		mov	eax, [esp+48h+var_2C]

loc_5ECDEF:				; CODE XREF: ExFreeHeapPool+83Aj
		test	byte ptr [esp+48h+var_34], 21h
		jnz	short loc_5ECE4A
		cmp	eax, ds:_PoolBigPageTable
		jnz	short loc_5ECE4A
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5ECE4A
		mov	eax, ds:dword_6D05D4
		mov	ecx, [eax+242Ch]
		mov	esi, [eax+2430h]
		add	eax, 23E4h
		mov	[esp+48h+var_30], esi
		mov	esi, [esp+48h+var_24]
		mov	[esp+48h+var_2C], ecx
		mov	[esp+48h+var_38], eax
		test	ecx, ecx
		jz	short loc_5ECE4A
		cmp	[esp+48h+var_30], 0
		jnz	loc_525F61

loc_5ECE4A:				; CODE XREF: ExFreeHeapPool+C7454j
					; ExFreeHeapPool+C745Cj ...
		push	0
		push	[esp+4Ch+var_34]
		push	edi
		push	22h
		push	19h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5ECE5A:				; CODE XREF: ExFreeHeapPool+86Ej
		mov	edx, [ebp+4]
		mov	ecx, offset _ExpLargePoolTableLock
		call	@ExpReleaseSpinLockSharedFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockSharedFromDpcLevelInstrumented(x,x)
		jmp	loc_526224
; 

loc_5ECE6C:				; CODE XREF: ExFreeHeapPool+4E2j
		push	ecx
		mov	ecx, [esp+4Ch+var_20]
		xor	dl, dl
		push	1
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		mov	eax, [esp+48h+var_34]
		mov	edx, [esp+48h+var_20]
		jmp	loc_525E88
; 

loc_5ECE87:				; CODE XREF: ExFreeHeapPool+505j
		push	[esp+48h+var_20]
		push	3
		push	eax
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edx+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		push	eax
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5ECEB4:				; CODE XREF: ExFreeHeapPool+50Dj
		push	ecx
		push	4
		push	eax
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5ECEC1:				; CODE XREF: ExFreeHeapPool+498j
		mov	eax, [esp+70h+var_5C]

loc_5ECEC5:				; CODE XREF: ExFreeHeapPool+48Cj
		push	eax
		push	ecx
		push	[esp+78h+var_54]
		push	0Dh
		push	0C2h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5ECED7:				; CODE XREF: ExFreeHeapPool+112j
		test	eax, 200h
		jz	short loc_5ECEF6
		cmp	[esp+84h+var_6C], 0
		jnz	short loc_5ECEF6
		mov	edx, ecx
		mov	ecx, edi
		call	_ExpCheckForLookaside@8	; ExpCheckForLookaside(x,x)
		mov	ecx, [esp+84h+var_70]
		mov	edx, [esp+84h+var_68]

loc_5ECEF6:				; CODE XREF: ExFreeHeapPool+C753Cj
					; ExFreeHeapPool+C7543j
		test	byte ptr ds:_ExpPoolFlags, 1
		jz	short loc_5ECF10
		mov	edx, ecx
		mov	ecx, edi
		call	_KeCheckForTimer@8 ; KeCheckForTimer(x,x)
		mov	ecx, [esp+84h+var_70]
		mov	edx, [esp+84h+var_68]

loc_5ECF10:				; CODE XREF: ExFreeHeapPool+C755Dj
		test	byte ptr ds:_ExpPoolFlags, 4
		jz	short loc_5ECF2A
		mov	edx, ecx
		mov	ecx, edi
		call	_ExpCheckForResource@8 ; ExpCheckForResource(x,x)
		mov	ecx, [esp+84h+var_70]
		mov	edx, [esp+84h+var_68]

loc_5ECF2A:				; CODE XREF: ExFreeHeapPool+C7577j
		test	byte ptr ds:_ExpPoolFlags, 2
		jz	loc_525AB8
		mov	edx, ecx
		mov	ecx, edi
		call	_ExpCheckForWorker@8 ; ExpCheckForWorker(x,x)
		mov	ecx, [esp+84h+var_70]
		mov	edx, [esp+84h+var_68]
		jmp	loc_525AB8
; 

loc_5ECF4D:				; CODE XREF: ExFreeHeapPool+11Fj
		mov	edx, ecx
		mov	ecx, edi
		call	_VfFreePoolNotification@8 ; VfFreePoolNotification(x,x)
		mov	ecx, [esp+48h+var_34]
		mov	edx, [esp+48h+var_2C]
		jmp	loc_525AC5
; 

loc_5ECF63:				; CODE XREF: ExFreeHeapPool+133j
		int	3		; Trap to Debugger
		jmp	loc_525AD9
; 

loc_5ECF69:				; CODE XREF: ExFreeHeapPool+140j
		push	ecx
		push	edx
		push	[esp+50h+var_28]
		mov	edx, [esp+54h+var_30]
		mov	ecx, 0E22h
		call	_EtwTracePool@20 ; EtwTracePool(x,x,x,x,x)
		jmp	loc_525AE6
; 

loc_5ECF82:				; CODE XREF: ExFreeHeapPool+225j
		mov	ecx, [esp+48h+var_18]
		push	0
		push	eax
		call	_VerifierFreeTrackedPool@16 ; VerifierFreeTrackedPool(x,x,x,x)
		mov	edx, [esp+48h+var_34]
		jmp	loc_525BCB
; 

loc_5ECF97:				; CODE XREF: ExFreeHeapPool+25Dj
		or	edi, 1
		mov	[esp+48h+var_2C], edi
		jmp	loc_525C03
; 

loc_5ECFA3:				; CODE XREF: ExFreeHeapPool+26Fj
		mov	edx, [esp+48h+var_38]
		mov	ecx, esi
		push	0
		push	edi
		call	_RtlpHpExtrasGet@16 ; RtlpHpExtrasGet(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_525C15
		cmp	edx, 0FFFFFFFFh
		jz	loc_525C15
		mov	al, [edx+2]
		test	al, 0Fh
		jz	loc_525C15
		movzx	eax, al
		and	eax, 0Fh
		jz	loc_525CEB
		dec	eax
		cmp	ax, 1
		jnb	loc_525CEB
		jmp	loc_526243
; 

loc_5ECFEB:				; CODE XREF: ExFreeHeapPool+27Cj
		mov	edx, [esp+48h+var_38]
		mov	ecx, esi
		push	edi
		call	_RtlpHpSizeHeap@12 ; RtlpHpSizeHeap(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	loc_525C22
		push	0
		push	0
		push	0
		push	[esp+54h+var_38]
		mov	edx, esi
		jmp	loc_525D00
; 

loc_5ED011:				; CODE XREF: ExFreeHeapPool+627j
		mov	eax, [edx]
		mov	esi, edx
		xor	eax, edx
		mov	edx, [esp+48h+var_1C]
		xor	eax, edx
		jge	short loc_5ED031
		mov	eax, [esp+48h+var_24]
		mov	eax, [eax+4]
		xor	eax, [esp+48h+var_24]
		xor	eax, edx
		movzx	eax, al
		jmp	short loc_5ED069
; 

loc_5ED031:				; CODE XREF: ExFreeHeapPool+C767Dj
		shr	eax, 10h
		and	eax, 7FFFh
		jz	short loc_5ED067
		mov	esi, [esp+48h+var_24]
		shl	eax, 3
		sub	esi, eax
		mov	eax, [esi]
		xor	eax, esi
		xor	eax, edx
		jl	short loc_5ED05B
		shr	eax, 10h
		and	eax, 7FFFh
		jz	short loc_5ED067
		neg	eax
		lea	esi, [esi+eax*8]

loc_5ED05B:				; CODE XREF: ExFreeHeapPool+C76AAj
		mov	eax, [esi+4]
		xor	eax, esi
		xor	eax, edx
		movzx	eax, al
		jmp	short loc_5ED069
; 

loc_5ED067:				; CODE XREF: ExFreeHeapPool+C7699j
					; ExFreeHeapPool+C76B4j
		xor	eax, eax

loc_5ED069:				; CODE XREF: ExFreeHeapPool+C768Fj
					; ExFreeHeapPool+C76C5j
		shl	eax, 0Ch
		sub	esi, eax
		and	esi, 0FFFFF000h
		jmp	loc_525FD1
; 

loc_5ED079:				; CODE XREF: ExFreeHeapPool+652j
		mov	ecx, [esp+48h+var_28]
		push	0
		push	0
		push	0
		mov	edx, [ecx+80h]
		xor	edx, ecx
		mov	ecx, 12h
		push	esi
		jmp	loc_525D05
; 

loc_5ED096:				; CODE XREF: ExFreeHeapPool+662j
		push	0
		push	0
		push	esi
		push	ecx
		mov	ecx, [esp+58h+var_28]
		mov	edx, [ecx+80h]
		xor	edx, ecx
		mov	ecx, 8
		jmp	loc_525D05
; END OF FUNCTION CHUNK	FOR ExFreeHeapPool
; 
; START	OF FUNCTION CHUNK FOR IopCheckDeviceAndDriver

loc_5ED0B2:				; CODE XREF: IopCheckDeviceAndDriver+30j
		mov	edx, edi
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_5262AE
; 

loc_5ED0BE:				; CODE XREF: IopCheckDeviceAndDriver+D4j
		mov	eax, [ebp+var_4]
		cmp	dword ptr [eax+14h], 0
		jnz	loc_5262CD
		test	dword ptr [eax+38h], 400h
		jnz	loc_5262CD
		mov	edi, 0C0000022h
		jmp	loc_5262DE
; 

loc_5ED0E2:				; CODE XREF: IopCheckDeviceAndDriver+66j
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_5ED105
		mov	edx, 0A8h
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+4]

loc_5ED105:				; CODE XREF: IopCheckDeviceAndDriver+C6E77j
		push	eax
		push	6
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5ED112:				; CODE XREF: IopCheckDeviceAndDriver+81j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_52630C
; END OF FUNCTION CHUNK	FOR IopCheckDeviceAndDriver
; 
; START	OF FUNCTION CHUNK FOR IopAllocateIrpMustSucceed

loc_5ED121:				; CODE XREF: IopAllocateIrpMustSucceed+18j
					; IopAllocateIrpMustSucceed+C6BA3j
		push	3
		mov	dl, bl
		call	_IopAllocateReserveIrp@12 ; IopAllocateReserveIrp(x,x,x)
		test	eax, eax
		jnz	loc_5265BE
		mov	eax, [ebp+4]
		mov	dl, bl
		push	eax
		push	0
		mov	ecx, esi
		call	IopAllocateIrpExReturn
		test	eax, eax
		jz	short loc_5ED121
		jmp	loc_5265BE
; END OF FUNCTION CHUNK	FOR IopAllocateIrpMustSucceed
; 
; START	OF FUNCTION CHUNK FOR IopAllocateIrpExReturn

loc_5ED14A:				; CODE XREF: IopAllocateIrpExReturn+Cj
		cmp	eax, 2
		jnz	short loc_5ED155
		pop	ebp
		jmp	_IopAllocateIrpWithExtension@16	; IopAllocateIrpWithExtension(x,x,x,x)
; 

loc_5ED155:				; CODE XREF: IopAllocateIrpExReturn+C6B7Dj
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	_IovAllocateIrp@16 ; IovAllocateIrp(x,x,x,x)
		jmp	loc_5265EF
; END OF FUNCTION CHUNK	FOR IopAllocateIrpExReturn
; 
; START	OF FUNCTION CHUNK FOR IopAllocateIrpPrivate

loc_5ED167:				; CODE XREF: IopAllocateIrpPrivate+2D7j
		xor	eax, eax
		jmp	loc_5267FD
; 

loc_5ED16E:				; CODE XREF: IopAllocateIrpPrivate+29Cj
		mov	byte ptr [ebp+arg_4+3],	8
		lock dec dword ptr [edi+3CE4h]
		jmp	loc_52676A
; 

loc_5ED17E:				; CODE XREF: IopAllocateIrpPrivate+1EBj
		test	byte ptr ds:_IopIrpExtensionStatus, 1
		jz	loc_5267F1
		mov	al, 1
		jmp	loc_5267F3
; 

loc_5ED192:				; CODE XREF: IopAllocateIrpPrivate+1F5j
		mov	ecx, esi
		call	_IopInitActivityIdIrp@4	; IopInitActivityIdIrp(x)
		jmp	loc_5267FB
; END OF FUNCTION CHUNK	FOR IopAllocateIrpPrivate
; 
; START	OF FUNCTION CHUNK FOR IopDequeueIrpFromThread

loc_5ED19E:				; CODE XREF: IopDequeueIrpFromThread+5Ej
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5269A9
; END OF FUNCTION CHUNK	FOR IopDequeueIrpFromThread
; 
; START	OF FUNCTION CHUNK FOR IoCallDriverWithTracing

loc_5ED1AD:				; CODE XREF: IoCallDriverWithTracing+24j
		mov	eax, [esi+10h]
		lea	edi, [ebp+var_14]
		mov	[ebp+var_14], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_10], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_C], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_8], eax
		mov	eax, large fs:124h
		mov	esi, [eax+35Ch]
		mov	[eax+35Ch], edi
		call	IofCallDriver
		mov	ecx, large fs:124h
		mov	[ecx+35Ch], esi
		jmp	loc_5269FF
; END OF FUNCTION CHUNK	FOR IoCallDriverWithTracing
; 
; START	OF FUNCTION CHUNK FOR IofCallDriver

loc_5ED1F1:				; CODE XREF: IofCallDriver+21j
		push	0
		push	0
		push	0
		push	edx
		push	35h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5ED1FF:				; CODE XREF: IofCallDriver+13j
		cmp	eax, 3
		jnz	short loc_5ED20E
		call	@IopPerfCallDriver@8 ; IopPerfCallDriver(x,x)
		jmp	loc_526A68
; 

loc_5ED20E:				; CODE XREF: IofCallDriver+C67E2j
		mov	eax, [ebp+4]
		push	eax
		call	@IovCallDriver@12 ; IovCallDriver(x,x,x)
		jmp	loc_526A68
; END OF FUNCTION CHUNK	FOR IofCallDriver
; 

loc_5ED21C:				; CODE XREF: .text:00526ADCj
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_526AE7
; 

loc_5ED22B:				; CODE XREF: .text:00526B9Cj
		mov	ebx, 200h
		jmp	loc_526BA2
; 

loc_5ED235:				; CODE XREF: .text:00526BECj
		mov	eax, [ebp-18h]
		movzx	ebx, ax
		jmp	loc_526BF2
; 

loc_5ED240:				; CODE XREF: .text:00526C0Ej
		mov	eax, [ebp-14h]
		shr	ebx, 1
		xor	ecx, ecx
		mov	[eax+ebx*2], cx
		jmp	loc_526C14
; 

loc_5ED250:				; CODE XREF: .text:00526E5Ej
					; DATA XREF: .text:00526F34o
		mov	ebx, [edi+2Ch]
		lea	eax, [edi+2Ch]
		cmp	ebx, eax
		jz	loc_526D18

loc_5ED25E:				; CODE XREF: .text:005ED2B1j
		movzx	ecx, word ptr [ebx+20h]
		call	_AuthzBasepAllocateSecurityAttributeValue@4 ; AuthzBasepAllocateSecurityAttributeValue(x)
		mov	edx, eax
		mov	[ebp-1Ch], edx
		test	edx, edx
		jz	loc_526F14
		mov	eax, [ebx+18h]
		lea	ecx, [edx+28h]
		mov	[edx+18h], eax
		mov	eax, [ebx+1Ch]
		mov	[edx+1Ch], eax
		movzx	eax, word ptr [ebx+20h]
		push	eax
		mov	[edx+20h], ax
		mov	[edx+24h], ecx
		mov	eax, [ebx+24h]
		push	eax
		push	ecx
		call	_memcpy
		mov	edx, [ebp-1Ch]
		add	esp, 0Ch
		mov	ecx, esi
		push	1
		push	0
		call	_AuthzBasepAddSecurityAttributeValueToLists@16 ; AuthzBasepAddSecurityAttributeValueToLists(x,x,x,x)
		mov	ebx, [ebx]
		lea	eax, [edi+2Ch]
		cmp	ebx, eax
		jnz	short loc_5ED25E
		jmp	loc_526D18
; 

loc_5ED2B8:				; CODE XREF: .text:00526E5Ej
					; DATA XREF: .text:00526F38o
		mov	ebx, [edi+2Ch]
		lea	eax, [edi+2Ch]
		cmp	ebx, eax
		jz	loc_526D18

loc_5ED2C6:				; CODE XREF: .text:005ED30Dj
		mov	ecx, [ebx+1Ch]
		call	_AuthzBasepAllocateSecurityAttributeValue@4 ; AuthzBasepAllocateSecurityAttributeValue(x)
		mov	edx, eax
		mov	[ebp-1Ch], edx
		test	edx, edx
		jz	loc_526F14
		lea	ecx, [edx+28h]
		mov	[edx+18h], ecx
		mov	eax, [ebx+1Ch]
		mov	[edx+1Ch], eax
		mov	eax, [ebx+1Ch]
		push	eax
		mov	eax, [ebx+18h]
		push	eax
		push	ecx
		call	_memcpy
		mov	edx, [ebp-1Ch]
		add	esp, 0Ch
		mov	ecx, esi
		push	1
		push	0
		call	_AuthzBasepAddSecurityAttributeValueToLists@16 ; AuthzBasepAddSecurityAttributeValueToLists(x,x,x,x)
		mov	ebx, [ebx]
		lea	eax, [edi+2Ch]
		cmp	ebx, eax
		jnz	short loc_5ED2C6
		jmp	loc_526D18
; 

loc_5ED314:				; CODE XREF: .text:00526C90j
		mov	eax, 200h
		jmp	loc_526C9B
; 

loc_5ED31E:				; CODE XREF: .text:00526E51j
					; .text:00526E5Ej
					; DATA XREF: ...
		mov	dword ptr [ebp-0Ch], 0C000000Dh
		jmp	loc_526F1B
; 

loc_5ED32A:				; CODE XREF: .text:00526D84j
		push	0
		push	1
		mov	edx, esi
		mov	ecx, ebx
		call	AuthzBasepRemoveSecurityAttributeFromLists
		xor	dl, dl
		mov	ecx, esi
		call	AuthzBasepFreeSecurityAttributeValues
		mov	dl, 1
		jmp	loc_526E2E
; 

loc_5ED347:				; CODE XREF: .text:00526DBFj
		mov	byte ptr [ebp-1], 1
		jmp	loc_526DC9
; 

loc_5ED350:				; CODE XREF: .text:00526E00j
		test	edx, edx
		jz	short loc_5ED37F
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	loc_526F25
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_526F25
		mov	[edx], eax
		mov	[eax+4], edx
		and	dword ptr [ecx+10h], 0FFFFFFFEh
		dec	dword ptr [esi+24h]
		test	byte ptr [ecx+10h], 4
		jz	short loc_5ED37F
		dec	dword ptr [esi+28h]

loc_5ED37F:				; CODE XREF: .text:005ED352j
					; .text:005ED37Aj
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_526DB0
; 

loc_5ED38C:				; CODE XREF: .text:00526D42j
		mov	edx, esi
		mov	ecx, ebx
		call	_AuthzBasepRollbackSecurityAttributeChanges@8 ;	AuthzBasepRollbackSecurityAttributeChanges(x,x)
		mov	dl, al
		jmp	loc_526E2E
; 

loc_5ED39C:				; CODE XREF: .text:00526E3Cj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dl, [ebp+0Bh]
		jmp	loc_526D30
; 
; START	OF FUNCTION CHUNK FOR IopCheckVpbMounted

loc_5ED3AC:				; CODE XREF: IopCheckVpbMounted+40j
		mov	edx, eax
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_526FD2
; 

loc_5ED3B8:				; CODE XREF: IopCheckVpbMounted+103j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5270A6
; 

loc_5ED3C7:				; CODE XREF: IopCheckVpbMounted+120j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5ED3CE:				; CODE XREF: IopCheckVpbMounted+10Dj
		mov	dword ptr [esi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_5270A6
; 

loc_5ED3E4:				; CODE XREF: IopCheckVpbMounted+167j
					; IopCheckVpbMounted+172j ...
		push	0
		xor	dl, dl
		mov	ecx, edi
		call	IopDecrementDeviceObjectRef
		xor	eax, eax
		cmp	[esi], eax
		jl	loc_52703B
		mov	dword ptr [esi], 0C0000012h
		jmp	loc_52703B
; 

loc_5ED404:				; CODE XREF: IopCheckVpbMounted+69j
		mov	eax, [ebp+arg_4]
		xor	esi, esi
		mov	dword ptr [eax], 0C0000022h
		jmp	loc_526FFD
; 

loc_5ED414:				; CODE XREF: IopCheckVpbMounted+77j
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_5ED44B
		mov	edx, 0B8h
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+8]
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	short loc_5ED44B
		mov	edx, 0A8h
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+8]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_5ED44B:				; CODE XREF: IopCheckVpbMounted+C6499j
					; IopCheckVpbMounted+C64ADj
		mov	eax, [esi+14h]
		push	eax
		push	7
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5ED45B:				; CODE XREF: IopCheckVpbMounted+90j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_52702B
; 

loc_5ED46A:				; CODE XREF: IopCheckVpbMounted+B3j
		mov	ecx, [esp+20h+var_4]
		xor	dl, dl
		push	0
		call	IopDecrementDeviceObjectRef
		jmp	loc_527039
; END OF FUNCTION CHUNK	FOR IopCheckVpbMounted
; 
; START	OF FUNCTION CHUNK FOR FsRtlCheckOplockEx2

loc_5ED47C:				; CODE XREF: FsRtlCheckOplockEx2+8Bj
		mov	eax, 0C000000Dh
		jmp	loc_527330
; 

loc_5ED486:				; CODE XREF: FsRtlCheckOplockEx2+5CBj
		mov	esi, 0C000000Dh
		mov	edi, [ebp-3Ch]
		jmp	loc_527785
; 

loc_5ED493:				; CODE XREF: FsRtlCheckOplockEx2+5DBj
		lea	eax, [ebp-60h]
		push	eax
		mov	edx, [edi+18h]
		mov	edi, [ebp-3Ch]
		mov	ecx, edi
		call	_FsRtlpCallerIsAtomicRequestor@12 ; FsRtlpCallerIsAtomicRequestor(x,x,x)
		test	al, al
		jz	loc_527783
		mov	esi, [ebp-60h]
		mov	ecx, esi
		call	_FsRtlpOplockDequeueRH@4 ; FsRtlpOplockDequeueRH(x)
		lea	eax, [esi+1Ch]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_5ED504
		cmp	[ecx], eax
		jnz	short loc_5ED504
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	eax, [edi+3Ch]
		cmp	[eax], eax
		jnz	short loc_5ED4DA
		and	dword ptr [edi+48h], 0FFFCFFFFh

loc_5ED4DA:				; CODE XREF: FsRtlCheckOplockEx2+C6331j
		cmp	dword ptr [esi+14h], 0
		jz	short loc_5ED4E9
		mov	edx, esi
		mov	ecx, edi
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)

loc_5ED4E9:				; CODE XREF: FsRtlCheckOplockEx2+C633Ej
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, edi
		call	FsRtlpComputeShareableOplockState
		mov	ecx, edi
		call	FsRtlpReleaseIrpsWaitingForRH
		jmp	loc_527783
; 

loc_5ED504:				; CODE XREF: FsRtlCheckOplockEx2+C6321j
					; FsRtlCheckOplockEx2+C6325j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5ED50B:				; CODE XREF: FsRtlCheckOplockEx2+490j
		test	byte ptr [eax+2], 3
		jnz	loc_527304
		jmp	loc_527268
; 

loc_5ED51A:				; CODE XREF: FsRtlCheckOplockEx2+11Fj
		mov	eax, 2
		jmp	short loc_5ED526
; 

loc_5ED521:				; CODE XREF: FsRtlCheckOplockEx2+159j
		mov	eax, 1

loc_5ED526:				; CODE XREF: FsRtlCheckOplockEx2+C637Fj
		mov	[ebp-60h], eax
		push	eax
		mov	edx, [ebp-58h]
		mov	ecx, [edi+18h]
		call	_IoSetOplockKeyContext@12 ; IoSetOplockKeyContext(x,x,x)
		mov	[ebp-4Ch], eax
		mov	ecx, [ebp-60h]
		cmp	cx, 1
		jnz	short loc_5ED54C
		mov	ecx, [ebp-58h]
		push	ecx
		call	_FsRtlFreeExtraCreateParameter@4 ; FsRtlFreeExtraCreateParameter(x)
		jmp	short loc_5ED55B
; 

loc_5ED54C:				; CODE XREF: FsRtlCheckOplockEx2+C639Fj
		cmp	cx, 2
		jnz	short loc_5ED55E
		mov	ecx, [ebp-58h]
		push	ecx
		call	_FsRtlAcknowledgeEcp@4 ; FsRtlAcknowledgeEcp(x)

loc_5ED55B:				; CODE XREF: FsRtlCheckOplockEx2+C63AAj
		mov	eax, [ebp-4Ch]

loc_5ED55E:				; CODE XREF: FsRtlCheckOplockEx2+C63B0j
		lea	edx, [eax+3FFFFFFFh]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		jmp	loc_527301
; 

loc_5ED56F:				; CODE XREF: FsRtlCheckOplockEx2+17Bj
		mov	esi, eax
		mov	[ebp-3Ch], esi
		mov	[ebp-88h], esi
		jmp	loc_527321
; 

loc_5ED57F:				; CODE XREF: FsRtlCheckOplockEx2+26Dj
		xor	esi, esi
		jmp	loc_52751D
; 

loc_5ED586:				; CODE XREF: FsRtlCheckOplockEx2+2B6j
		lea	edx, [esi+222h]
		cmp	byte ptr [edx],	0
		jnz	short loc_5ED597
		xor	eax, eax
		xor	dl, dl
		jmp	short loc_5ED5AC
; 

loc_5ED597:				; CODE XREF: FsRtlCheckOplockEx2+C63EFj
		xor	al, al
		xchg	al, [edx]
		or	[esi+1E4h], al
		mov	dl, [esi+1E4h]
		mov	eax, 1

loc_5ED5AC:				; CODE XREF: FsRtlCheckOplockEx2+C63F5j
		mov	[ebp-8Ch], eax
		test	eax, eax
		jnz	loc_52745C
		xor	edx, edx
		mov	[ebp-5Ch], edx
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_527486
		mov	edx, ecx
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [ebp-5Ch]
		jmp	loc_527483
; 

loc_5ED5E0:				; CODE XREF: FsRtlCheckOplockEx2+2EBj
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_5274E9
; 

loc_5ED5ED:				; CODE XREF: FsRtlCheckOplockEx2+304j
		mov	dword ptr [ebp-4Ch], 0
		mov	dword ptr [ebp-4Ch], 0
		jmp	loc_5274B4
; 

loc_5ED600:				; CODE XREF: FsRtlCheckOplockEx2+31Ej
					; FsRtlCheckOplockEx2+333j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp-50h]
		jmp	loc_5274DC
; 

loc_5ED613:				; CODE XREF: FsRtlCheckOplockEx2+382j
		mov	edx, esi
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		mov	ecx, [ebp-50h]
		jmp	loc_527528
; 

loc_5ED622:				; CODE XREF: FsRtlCheckOplockEx2+3FEj
		mov	esi, 5000h
		mov	[ebp-44h], esi
		jmp	loc_5275D5
; 

loc_5ED62F:				; CODE XREF: FsRtlCheckOplockEx2+4E1j
		mov	eax, [edi+4]
		test	dword ptr [eax+8], 0FFEDFE56h
		jnz	loc_527687
		test	byte ptr [edi+0Eh], 1
		jnz	loc_5275CF
		jmp	loc_527687
; 

loc_5ED64E:				; CODE XREF: FsRtlCheckOplockEx2+4BBj
					; DATA XREF: .text:005278B4o
		mov	eax, [edi+18h]
		test	dword ptr [eax+2Ch], 4000h
		jz	loc_5275B6
		jmp	loc_5275CF
; 

loc_5ED663:				; CODE XREF: FsRtlCheckOplockEx2+4BBj
					; DATA XREF: .text:005278CCo
		test	cl, 8
		jmp	short loc_5ED66C
; 

loc_5ED668:				; CODE XREF: FsRtlCheckOplockEx2+C64EDj
					; DATA XREF: .text:005ED78Co
		cmp	byte ptr [edi+11h], 0

loc_5ED66C:				; CODE XREF: FsRtlCheckOplockEx2+C64C6j
					; FsRtlCheckOplockEx2+C65B3j
		jnz	loc_5275CF
		jmp	loc_52779E
; 

loc_5ED677:				; CODE XREF: FsRtlCheckOplockEx2+4BBj
					; DATA XREF: .text:005278C0o
		mov	eax, [edi+8]
		add	eax, 0FFFFFFF6h
		cmp	eax, 37h
		ja	loc_5275CF
		movzx	eax, ds:byte_5ED798[eax]
		jmp	ds:off_5ED780[eax*4]

loc_5ED694:				; DATA XREF: .text:005ED784o
		mov	eax, [edx+0Ch]
		cmp	byte ptr [eax],	0
		jz	loc_5275CF

loc_5ED6A0:				; CODE XREF: FsRtlCheckOplockEx2+429j
					; FsRtlCheckOplockEx2+4BBj ...
		mov	esi, 2000h
		mov	[ebp-44h], esi
		jmp	loc_5275CF
; 

loc_5ED6AD:				; CODE XREF: FsRtlCheckOplockEx2+C64EDj
					; DATA XREF: .text:005ED790o
		mov	eax, [edx+0Ch]
		test	byte ptr [eax],	1
		jz	loc_5275CF
		jmp	short loc_5ED6A0
; 

loc_5ED6BB:				; CODE XREF: FsRtlCheckOplockEx2+4BBj
					; DATA XREF: .text:005278C8o
		mov	eax, [edi+0Ch]
		cmp	eax, 98268h
		ja	short loc_5ED738
		jz	loc_52779E
		cmp	eax, 980C8h
		ja	short loc_5ED728
		jz	loc_52779E
		cmp	eax, 900FCh
		jz	short loc_5ED6EF
		cmp	eax, 94264h
		jnz	loc_5275CF
		jmp	loc_52785F
; 

loc_5ED6EF:				; CODE XREF: FsRtlCheckOplockEx2+C653Dj
		mov	eax, [edx+60h]
		cmp	dword ptr [eax+8], 0Ch
		jnb	short loc_5ED6FC
		xor	eax, eax
		jmp	short loc_5ED702
; 

loc_5ED6FC:				; CODE XREF: FsRtlCheckOplockEx2+C6556j
		mov	eax, [edx+0Ch]
		mov	eax, [eax+8]

loc_5ED702:				; CODE XREF: FsRtlCheckOplockEx2+C655Aj
		test	eax, 4000h
		jz	loc_5275CF

loc_5ED70D:				; CODE XREF: FsRtlCheckOplockEx2+C64EDj
					; DATA XREF: .text:off_5ED780o
		mov	esi, 2000h
		mov	[ebp-44h], esi
		test	cl, 0Ch
		jz	loc_5275CF
		mov	al, 1
		mov	[ebp-36h], al
		jmp	loc_5277AB
; 

loc_5ED728:				; CODE XREF: FsRtlCheckOplockEx2+C6530j
		cmp	eax, 98208h
		jz	loc_52779E
		jmp	loc_5275CF
; 

loc_5ED738:				; CODE XREF: FsRtlCheckOplockEx2+C6523j
		cmp	eax, 98344h
		jz	loc_52779E
		cmp	eax, 983E8h
		jz	loc_52779E
		cmp	eax, 9C2B4h
		jmp	loc_5ED66C
; END OF FUNCTION CHUNK	FOR FsRtlCheckOplockEx2

;  S U B	R O U T	I N E 


sub_5ED758	proc near		; DATA XREF: .text:006A5C48o
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-88h]
		mov	[ebp-3Ch], eax
		mov	edi, [ebp-0B0h]
		mov	ecx, [ebx+10h]
		jmp	sub_527876
sub_5ED758	endp

; 
; START	OF FUNCTION CHUNK FOR sub_527876

loc_5ED772:				; CODE XREF: sub_527876+25j
		mov	edx, eax
		mov	ecx, esi
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	loc_5278A1
; END OF FUNCTION CHUNK	FOR sub_527876
; 
off_5ED780	dd offset loc_5ED70D	; DATA XREF: FsRtlCheckOplockEx2+C64EDr
		dd offset loc_5ED694
		dd offset loc_52779E
		dd offset loc_5ED668
		dd offset loc_5ED6AD
		dd offset loc_5275CF
byte_5ED798	db 0			; DATA XREF: FsRtlCheckOplockEx2+C64E6r
		align 2
		dw 105h
; 
		add	eax, 5050505h
		add	al, [ebx]
		add	eax, 5050505h
		add	eax, 5050505h
		add	eax, 5050505h
		add	eax, 20505h
		add	eax, 5050505h
		add	eax, 5050505h
		add	eax, 5050505h
		add	eax, 5050505h
		add	eax, 40505h
; START	OF FUNCTION CHUNK FOR FsRtlpOplockStoreKeyForDeleteOperation

loc_5ED7D0:				; CODE XREF: FsRtlpOplockStoreKeyForDeleteOperation+A6j
		test	byte ptr [edx+2], 1
		jz	loc_52799C
		mov	esi, [ebp+var_20]
		test	esi, esi
		jnz	short loc_5ED7F3
		call	FsRtlpAllocateOplock
		mov	esi, eax
		mov	[ebp+var_20], esi
		mov	[ebp+var_28], esi
		mov	[edi], esi
		mov	edx, [ebp+var_24]

loc_5ED7F3:				; CODE XREF: FsRtlpOplockStoreKeyForDeleteOperation+C5EEFj
		test	[ebp+arg_0], 20000000h
		jnz	short loc_5ED807
		mov	ecx, [esi+4Ch]
		call	ExAcquireFastMutexUnsafe
		mov	edx, [ebp+var_24]

loc_5ED807:				; CODE XREF: FsRtlpOplockStoreKeyForDeleteOperation+C5F0Aj
		mov	bl, 1
		mov	[ebp+var_19], bl
		mov	edi, [esi+44h]
		test	edi, edi
		jnz	short loc_5ED829
		push	6F725346h
		push	10h
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esi+44h], edi
		mov	edx, [ebp+var_24]

loc_5ED829:				; CODE XREF: FsRtlpOplockStoreKeyForDeleteOperation+C5F21j
		mov	ecx, [edx+4]
		mov	[edi], ecx
		mov	ecx, [edx+8]
		mov	[edi+4], ecx
		mov	eax, [edx+0Ch]
		mov	[edi+8], eax
		mov	eax, [edx+10h]
		mov	[edi+0Ch], eax
		jmp	loc_52799C
; END OF FUNCTION CHUNK	FOR FsRtlpOplockStoreKeyForDeleteOperation

;  S U B	R O U T	I N E 


sub_5ED845	proc near		; DATA XREF: .text:006A5C68o
		mov	ecx, [ebp-28h]
		mov	bl, [ebp-19h]
		jmp	sub_5279AE
sub_5ED845	endp

; 
; START	OF FUNCTION CHUNK FOR sub_5279AE

loc_5ED850:				; CODE XREF: sub_5279AE+2j
		test	dword ptr [ebp+8], 20000000h
		jnz	locret_5279B6
		mov	ecx, [ecx+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		jmp	locret_5279B6
; END OF FUNCTION CHUNK	FOR sub_5279AE
; 
; START	OF FUNCTION CHUNK FOR IoAllocateIrpEx

loc_5ED86A:				; CODE XREF: IoAllocateIrpEx+Dj
		cmp	eax, 2
		mov	eax, [ebp+4]
		push	eax
		push	[ebp+arg_8]
		jnz	short loc_5ED883
		mov	dl, byte ptr [ebp+arg_4]
		call	_IopAllocateIrpWithExtension@16	; IopAllocateIrpWithExtension(x,x,x,x)
		jmp	loc_5279E5
; 

loc_5ED883:				; CODE XREF: IoAllocateIrpEx+C5EB4j
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_IovAllocateIrp@16 ; IovAllocateIrp(x,x,x,x)
		jmp	loc_5279E5
; END OF FUNCTION CHUNK	FOR IoAllocateIrpEx
; 
; START	OF FUNCTION CHUNK FOR EtwWriteEx

loc_5ED893:				; CODE XREF: EtwWriteEx+B1j
		test	cl, cl
		jnz	loc_527D39
		jmp	loc_527CE7
; 

loc_5ED8A0:				; CODE XREF: EtwWriteEx+126j
		xor	eax, eax
		lea	edi, [esp+0A8h+var_64]
		mov	ecx, 8
		rep stosd
		mov	al, [ebx+36h]
		mov	edi, [esp+0A8h+var_74]
		mov	[esp+0A8h+var_95], al
		test	al, al
		jz	short loc_5ED929
		mov	eax, [esp+0A8h+var_94]
		mov	dl, [edi+4]
		mov	ecx, [eax+168h]
		mov	eax, [edi+0Ch]
		push	eax
		mov	eax, [edi+8]
		mov	[esp+0ACh+var_94], ecx
		add	ecx, 40h
		push	eax
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	short loc_5ED925
		lea	eax, [esp+0A8h+var_70]
		mov	dl, [esp+0A8h+var_95]
		push	eax
		movzx	eax, word ptr [ebx+32h]
		push	esi
		push	eax
		push	0
		mov	ecx, [esp+0B8h+var_94]
		lea	eax, [esp+0B8h+var_64]
		push	eax
		push	0
		push	[esp+0C0h+var_88]
		push	[ebp+arg_20]
		push	[esp+0C8h+var_84]
		push	[esp+0CCh+var_80]
		push	0
		push	0
		push	edi
		push	[ebp+arg_14]
		push	0
		push	0
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		mov	[esp+0E8h+var_D0], edx
		jmp	short loc_5ED929
; 

loc_5ED925:				; CODE XREF: EtwWriteEx+C5CAFj
		mov	edx, [esp+0A8h+var_90]

loc_5ED929:				; CODE XREF: EtwWriteEx+C5C8Aj
					; EtwWriteEx+C5CF3j
		mov	al, [ebx+37h]
		mov	[esp+0A8h+var_95], al
		test	al, al
		jz	loc_527D5C
		mov	eax, [ebx+14h]
		mov	dl, [edi+4]
		mov	ecx, [eax+168h]
		mov	eax, [edi+0Ch]
		push	eax
		mov	eax, [edi+8]
		mov	[esp+0ACh+var_94], ecx
		add	ecx, 40h
		push	eax
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	short loc_5ED9A6
		lea	eax, [esp+0A8h+var_70]
		mov	ecx, [ebx+10h]
		push	eax
		movzx	eax, word ptr [ebx+32h]
		push	esi
		push	eax
		push	[esp+0B4h+var_94]
		mov	dl, [esp+0B8h+var_95]
		lea	eax, [esp+0B8h+var_64]
		push	eax
		push	0
		push	[esp+0C0h+var_88]
		mov	ecx, [ecx+168h]
		push	[ebp+arg_20]
		push	[esp+0C8h+var_84]
		push	[esp+0CCh+var_80]
		push	0
		push	0
		push	edi
		push	[ebp+arg_14]
		push	0
		push	0
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		jmp	loc_527D5C
; 

loc_5ED9A6:				; CODE XREF: EtwWriteEx+C5D2Aj
		mov	edx, [esp+0A8h+var_90]
		jmp	loc_527D5C
; END OF FUNCTION CHUNK	FOR EtwWriteEx
; 
; START	OF FUNCTION CHUNK FOR ObReferenceObjectByPointerWithTag

loc_5ED9AF:				; CODE XREF: ObReferenceObjectByPointerWithTag+3Ej
		push	[ebp+arg_10]
		mov	dl, 1
		mov	ecx, esi
		push	1
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		jmp	loc_5297C4
; 

loc_5ED9C2:				; CODE XREF: ObReferenceObjectByPointerWithTag+51j
		push	eax
		push	10h
		push	edi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5ED9D0:				; CODE XREF: KeAlertThreadByThreadId+9Fj
		movzx	eax, byte ptr [esi+14Ch]
		mov	[esi+14Ch], eax
		lock inc dword ptr [ecx+eax*4+110h]
		jmp	loc_529899
; END OF FUNCTION CHUNK	FOR ObReferenceObjectByPointerWithTag
; 
; START	OF FUNCTION CHUNK FOR KeAlertThreadByThreadId

loc_5ED9EA:				; CODE XREF: KeAlertThreadByThreadId+E7j
					; KeAlertThreadByThreadId+EFj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5ED9F1:				; CODE XREF: KeAlertThreadByThreadId+114j
		or	dword ptr [esi+58h], 2
		jmp	loc_529933
; 

loc_5ED9FA:				; CODE XREF: KeAlertThreadByThreadId+130j
		add	[esi+250h], eax
		adc	dword ptr [esi+254h], 0
		jmp	loc_529933
; 

loc_5EDA0C:				; CODE XREF: KeAlertThreadByThreadId+3Fj
		mov	[ebp+var_1], 0
		jmp	loc_529970
; END OF FUNCTION CHUNK	FOR KeAlertThreadByThreadId
; 
; START	OF FUNCTION CHUNK FOR PsIsThreadInSilo

loc_5EDA15:				; CODE XREF: PsIsThreadInSilo+10j
		mov	ecx, eax
		call	PspIsSiloInSilo
		test	al, al
		setnz	al
		retn
; END OF FUNCTION CHUNK	FOR PsIsThreadInSilo
; 
; START	OF FUNCTION CHUNK FOR SepSidFromProcessProtection

loc_5EDA22:				; CODE XREF: SepSidFromProcessProtection+1Aj
					; DATA XREF: .text:00529C58o
		mov	eax, ds:_SeProcTrustLiteAppSid
		retn
; 

loc_5EDA28:				; CODE XREF: SepSidFromProcessProtection+1Aj
					; DATA XREF: .text:off_529C40o
		mov	eax, ds:_SeProcTrustAuthenticodeSid
		retn
; END OF FUNCTION CHUNK	FOR SepSidFromProcessProtection
; 
; START	OF FUNCTION CHUNK FOR SepReferenceTokenByHandle

loc_5EDA2E:				; CODE XREF: SepReferenceTokenByHandle+61j
		mov	eax, 0C0000022h
		jmp	loc_529DB2
; END OF FUNCTION CHUNK	FOR SepReferenceTokenByHandle
; 
; START	OF FUNCTION CHUNK FOR MiUnlockAndDereferenceVadShared

loc_5EDA38:				; CODE XREF: MiUnlockAndDereferenceVadShared+11j
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EDA3F:				; CODE XREF: MI_GET_GRAPHICS_PROTECTION_FROM_VAD+11j
		mov	ecx, eax
		mov	edx, 800h
		shr	ecx, 1Bh
		and	ecx, 7
		shl	edx, cl
		test	eax, 2000000h
		jz	short loc_5EDA5B
		or	edx, 20000h

loc_5EDA5B:				; CODE XREF: MiUnlockAndDereferenceVadShared+C3AB3j
		test	eax, 4000000h
		jz	short loc_5EDA68
		or	edx, 40000h

loc_5EDA68:				; CODE XREF: MiUnlockAndDereferenceVadShared+C3AC0j
		mov	eax, edx
		retn
; END OF FUNCTION CHUNK	FOR MiUnlockAndDereferenceVadShared
; 

loc_5EDA6B:				; CODE XREF: .text:0052A93Cj
		mov	ecx, eax
		jmp	loc_52A942
; 

loc_5EDA72:				; CODE XREF: .text:0052A95Aj
					; .text:0052A962j
		mov	byte ptr [ecx],	0
		jmp	loc_52A968
; 

loc_5EDA7A:				; DATA XREF: .text:006A617Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0ACh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_5EDA8D:				; DATA XREF: .text:006A6180o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0ACh]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-0B0h]
		mov	ebx, [ebp-0B4h]
		mov	al, [ebp-6Ch]
		mov	[ebp-5Dh], al
		jmp	loc_52A995
; 

loc_5EDAB4:				; CODE XREF: .text:0052A997j
		mov	dword ptr [ebp-78h], 0
		jmp	loc_52AAE7
; 

loc_5EDAC0:				; CODE XREF: .text:0052A919j
		mov	eax, [ebx]
		mov	[ebp-84h], eax
		mov	eax, [ebx+4]
		mov	[ebp-80h], eax
		mov	eax, [ebx+8]
		mov	[ebp-7Ch], eax
		mov	eax, [ebx+0Ch]
		mov	[ebp-78h], eax
		mov	ebx, edi
		mov	ecx, [ebp-94h]
		jmp	loc_52A99D
; 

loc_5EDAE7:				; CODE XREF: .text:0052A9DAj
		push	656E6F4Eh
		lea	eax, ds:0[ebx*4]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp-68h], esi
		test	esi, esi
		jnz	loc_52A9E0
		lea	ebx, [eax+10h]
		lea	eax, [ebp-5Ch]
		mov	[ebp-68h], eax
		jmp	loc_52A9E0
; 

loc_5EDB19:				; CODE XREF: .text:0052A9F5j
		lea	ecx, [ebp-0A8h]
		call	KeReleaseInStackQueuedSpinLock
		mov	esi, 80h
		jmp	loc_52AAE7
; 

loc_5EDB2E:				; CODE XREF: .text:0052AA16j
					; .text:0052AA23j
		mov	esi, 102h
		jmp	loc_52AA90
; 

loc_5EDB38:				; DATA XREF: .text:006A6188o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0BCh], eax
		mov	eax, 1
		retn
; 

loc_5EDB4B:				; DATA XREF: .text:006A618Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0BCh]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_52AAE7
; 

loc_5EDB60:				; CODE XREF: .text:0052AACBj
		mov	eax, [ebp-74h]
		mov	ecx, [ebp-64h]
		mov	[ecx], eax
		jmp	loc_52AAE7
; 

loc_5EDB6D:				; CODE XREF: .text:0052A905j
					; .text:0052A911j
		mov	esi, 0C000000Dh
		jmp	loc_52AAE7
; 

loc_5EDB77:				; CODE XREF: .text:0052AAEFj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_52AAF5
; 

loc_5EDB84:				; CODE XREF: .text:0052AB08j
		push	0
		push	0
		push	0
		push	0
		push	0
		push	dword ptr [ebp-84h]
		push	dword ptr [ebp-7Ch]
		push	dword ptr [ebp-80h]
		call	NtAlpcSendWaitReceivePort
		jmp	loc_52AB0E
; 

loc_5EDBA4:				; DATA XREF: .text:006A61A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	eax, 1
		retn
; 

loc_5EDBB4:				; DATA XREF: .text:006A61A8o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-30h]
		mov	[ebp-24h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1Ch]
		jmp	loc_52ADEB
; 
; START	OF FUNCTION CHUNK FOR KeRemoveQueueEx

loc_5EDBCC:				; CODE XREF: KeRemoveQueueEx+63Bj
		mov	eax, ds:_KeTickCount
		sub	eax, [ecx+138h]
		add	[ecx+170h], eax
		jmp	loc_52B551
; 

loc_5EDBE2:				; CODE XREF: KeRemoveQueueEx+346j
		mov	cl, 1
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+58h+var_40]
		and	dword ptr [eax+58h], 0FFFFFFBFh
		jmp	loc_52B714
; 

loc_5EDBF7:				; CODE XREF: KeRemoveQueueEx+32Bj
		cmp	dword ptr [edi+8], 0
		jz	loc_52B267
		mov	al, [edi+223Ah]
		test	al, al
		jnz	loc_52B267
		mov	cl, 2
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		jmp	loc_52B264
; 

loc_5EDC1C:				; CODE XREF: KeRemoveQueueEx+367j
		push	ebx
		mov	ecx, esi
		call	_EtwTraceDequeueWork@12	; EtwTraceDequeueWork(x,x,x)
		jmp	loc_52B165
; 

loc_5EDC29:				; CODE XREF: KeRemoveQueueEx+2C7j
		mov	eax, [ecx+8]
		push	eax
		mov	eax, ds:_ExWorkerQueue
		push	eax
		push	edi
		push	ecx
		push	96h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EDC3F:				; CODE XREF: KeRemoveQueueEx+386j
		lea	edi, [esi+2Ch]
		mov	[esp+6Ch+var_3C], 0

loc_5EDC4A:				; CODE XREF: KeRemoveQueueEx+C2D6Cj
		lock bts dword ptr [edi], 0
		jb	short loc_5EDC6D
		mov	cl, [ebp+arg_4]
		movsx	eax, cl
		cmp	byte ptr [eax+esi+56h],	0
		jz	short loc_5EDC7E
		mov	byte ptr [eax+esi+56h],	0
		mov	eax, 101h
		jmp	loc_52B2AE
; 

loc_5EDC6D:				; CODE XREF: KeRemoveQueueEx+C2D3Fj
					; KeRemoveQueueEx+C2D6Aj
		lea	ecx, [esp+6Ch+var_3C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5EDC6D
		jmp	short loc_5EDC4A
; 

loc_5EDC7E:				; CODE XREF: KeRemoveQueueEx+C2D4Cj
		test	cl, cl
		jz	short loc_5EDC9A
		lea	eax, [esi+78h]
		cmp	[eax], eax
		jz	short loc_5EDC9A
		or	byte ptr [esi+86h], 2
		mov	eax, 0C0h
		jmp	loc_52B2AE
; 

loc_5EDC9A:				; CODE XREF: KeRemoveQueueEx+C2D70j
					; KeRemoveQueueEx+C2D77j
		cmp	byte ptr [esi+56h], 0
		jz	loc_52B2A9
		mov	byte ptr [esi+56h], 0
		mov	eax, 101h
		jmp	loc_52B2AE
; 

loc_5EDCB2:				; CODE XREF: KeRemoveQueueEx+393j
		cmp	[ebp+arg_4], 0
		jz	loc_52B2A9
		mov	ecx, [ebp+arg_10]
		mov	dword ptr [ecx], 0C0h
		jmp	loc_52B2BB
; 

loc_5EDCCA:				; CODE XREF: KeRemoveQueueEx+3A5j
		mov	dword ptr [esi+2Ch], 0
		jmp	loc_52B2BB
; 

loc_5EDCD6:				; CODE XREF: KeRemoveQueueEx+77Dj
		mov	eax, ds:_KeTickCount
		sub	eax, [ecx+138h]
		add	[ecx+170h], eax
		jmp	loc_52B693
; 

loc_5EDCEC:				; CODE XREF: KeRemoveQueueEx+3E4j
					; KeRemoveQueueEx+7C3j
		mov	cl, 1
		call	edi
		mov	eax, [esp+58h+var_44]
		push	0
		push	0
		push	0
		and	dword ptr [eax+58h], 0FFFFFFBFh
		call	_KiDeliverApc@12 ; KiDeliverApc(x,x,x)
		jmp	loc_52B2FA
; 

loc_5EDD08:				; CODE XREF: KeRemoveQueueEx+3C3j
		cmp	dword ptr [edi+8], 0
		jz	loc_52B2FE
		mov	al, [edi+223Ah]
		test	al, al
		jnz	loc_52B2FE
		mov	cl, 2
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)
		jmp	loc_52B2FE
; 

loc_5EDD2D:				; CODE XREF: KeRemoveQueueEx+3F8j
		mov	edx, [ebp+arg_10]
		jmp	loc_5EDDBB
; 

loc_5EDD35:				; CODE XREF: KeRemoveQueueEx+692j
		mov	eax, 0FFDF0018h
		mov	[esp+58h+var_14], 0
		mov	eax, [eax]
		mov	[esp+58h+var_3C], eax
		mov	eax, 0FFDF0014h
		mov	eax, [eax]
		mov	[esp+58h+var_38], eax
		mov	eax, 0FFDF001Ch
		mov	eax, [eax]
		cmp	[esp+58h+var_3C], eax
		jz	short loc_5EDD93
		mov	edi, 0FFDF0018h
		lea	esi, [edi-4]

loc_5EDD68:				; CODE XREF: KeRemoveQueueEx+C2E76j
		lea	ecx, [esp+58h+var_14]
		call	KeYieldProcessorEx
		mov	ebx, [edi]
		mov	eax, [esi]
		mov	[esp+58h+var_38], eax
		mov	eax, 0FFDF001Ch
		mov	[esp+58h+var_3C], ebx
		mov	eax, [eax]
		cmp	ebx, eax
		jnz	short loc_5EDD68
		mov	esi, [esp+58h+var_10]
		mov	edi, [ebp+arg_0]
		mov	edx, [esp+58h+var_C]

loc_5EDD93:				; CODE XREF: KeRemoveQueueEx+C2E4Ej
		mov	eax, [esp+58h+var_34]
		jmp	loc_52B494
; 

loc_5EDD9C:				; CODE XREF: KeRemoveQueueEx+FCj
		mov	byte ptr [esi+56h], 0
		mov	edi, 101h
		jmp	loc_52B3E1
; 

loc_5EDDAA:				; CODE XREF: KeRemoveQueueEx+E3j
		mov	byte ptr [eax+esi+56h],	0
		mov	edi, 101h
		jmp	loc_52B3E1
; 

loc_5EDDB9:				; CODE XREF: KeRemoveQueueEx+4F9j
		mov	edx, eax

loc_5EDDBB:				; CODE XREF: KeRemoveQueueEx+C2E20j
		push	1
		mov	ecx, esi
		call	_EtwTraceDequeueWork@12	; EtwTraceDequeueWork(x,x,x)
		jmp	loc_52B30E
; 

loc_5EDDC9:				; CODE XREF: KeRemoveQueueEx+58Aj
					; KeRemoveQueueEx+594j	...
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	ebx, [ebp+arg_10]
		mov	dword ptr [ebx], 102h
		jmp	loc_52B724
; 

loc_5EDDDF:				; CODE XREF: KeRemoveQueueEx+24Fj
		mov	edx, ecx
		mov	ecx, esi
		push	ebx
		call	_EtwTraceDequeueWork@12	; EtwTraceDequeueWork(x,x,x)
		mov	eax, ebx
		jmp	loc_52B167
; 

loc_5EDDF0:				; CODE XREF: KeRemoveQueueEx+171j
		mov	eax, [esi+0A4h]
		test	eax, eax
		jz	short loc_5EDE21
		mov	edx, [esi+140h]
		lea	eax, [esi+140h]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_5EDE37
		cmp	[ecx], eax
		jnz	short loc_5EDE37
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	dword ptr [esi+0A4h], 0

loc_5EDE21:				; CODE XREF: KeRemoveQueueEx+C2EE8j
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	ebx, [ebp+arg_10]
		mov	dword ptr [ebx], 80h
		jmp	loc_52B724
; 

loc_5EDE37:				; CODE XREF: KeRemoveQueueEx+1C6j
					; KeRemoveQueueEx+2D3j	...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EDE3E:				; CODE XREF: KeRemoveQueueEx+488j
		push	2
		push	0
		mov	edx, 1
		mov	ecx, edi
		call	KiProcessThreadWaitList
		jmp	loc_52B39E
; 

loc_5EDE53:				; CODE XREF: KeRemoveQueueEx+4A7j
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwTraceDequeueWork@12	; EtwTraceDequeueWork(x,x,x)
		jmp	loc_52B3BD
; END OF FUNCTION CHUNK	FOR KeRemoveQueueEx
; 
; START	OF FUNCTION CHUNK FOR KeWaitForSingleObject

loc_5EDE62:				; CODE XREF: KeWaitForSingleObject+458j
		mov	ebx, 0FFDF000Ch
		lea	esi, [ebx-4]

loc_5EDE6A:				; CODE XREF: KeWaitForSingleObject+C2746j
		lea	ecx, [esp+0A0h+var_4C]
		call	KeYieldProcessorEx
		mov	edi, [ebx]
		mov	eax, [esi]
		mov	[esp+0A0h+var_8C], eax
		mov	eax, 0FFDF0010h
		mov	[esp+0A0h+var_88], edi
		cmp	edi, [eax]
		jnz	short loc_5EDE6A
		mov	esi, [esp+0A0h+var_68]
		mov	edi, [ebp+arg_10]
		mov	dl, [esp+0A0h+var_8F]
		mov	ebx, [esp+0A0h+var_6C]
		mov	eax, [esp+0A0h+var_80]
		mov	ecx, [esp+0A0h+var_88]
		jmp	loc_52BB9E
; 

loc_5EDEA4:				; CODE XREF: KeWaitForSingleObject+4FAj
		mov	esi, 0FFDF000Ch
		lea	ebx, [esi-4]
		lea	edi, [esi+4]

loc_5EDEAF:				; CODE XREF: KeWaitForSingleObject+C277Ej
		lea	ecx, [esp+0A0h+var_40]
		call	KeYieldProcessorEx
		mov	ecx, [esi]
		mov	eax, [ebx]
		cmp	ecx, [edi]
		jnz	short loc_5EDEAF
		mov	esi, [esp+0A0h+var_68]
		mov	edi, [esp+0A0h+var_80]
		jmp	loc_52BC40
; 

loc_5EDECD:				; CODE XREF: KeWaitForSingleObject+573j
		cmp	dword ptr [esi+13Ch], 0
		jnz	loc_52BC70
		cmp	byte ptr [esi+92h], 0
		jnz	loc_52BC70
		cmp	byte ptr [esi+84h], 0
		jnz	loc_52BC70
		mov	edx, [esp+0A0h+var_80]
		xor	edi, edi
		add	edx, [esp+0A0h+var_8C]
		adc	edi, [esp+0A0h+var_88]
		jmp	loc_52BC70
; 

loc_5EDF07:				; CODE XREF: KeWaitForSingleObject+243j
		mov	ecx, 0FFDF0018h
		mov	[esp+0A0h+var_3C], 0
		mov	eax, 0FFDF0014h
		mov	ecx, [ecx]
		mov	eax, [eax]
		mov	[esp+0A0h+var_80], eax
		mov	eax, 0FFDF001Ch
		mov	eax, [eax]
		cmp	ecx, eax
		jz	short loc_5EDF5D
		mov	ebx, 0FFDF0018h
		lea	esi, [ebx-4]
		lea	edi, [ebx+4]

loc_5EDF37:				; CODE XREF: KeWaitForSingleObject+C280Cj
		lea	ecx, [esp+0A0h+var_3C]
		call	KeYieldProcessorEx
		mov	ecx, [ebx]
		mov	eax, [esi]
		mov	[esp+0A0h+var_80], eax
		mov	eax, [edi]
		cmp	ecx, eax
		jnz	short loc_5EDF37
		mov	esi, [esp+0A0h+var_68]
		mov	ebx, [ebp+arg_0]
		mov	edi, [esp+0A0h+var_64]
		mov	edx, [esp+0A0h+var_38]

loc_5EDF5D:				; CODE XREF: KeWaitForSingleObject+C27EAj
		mov	eax, [esp+0A0h+var_80]
		jmp	loc_52BC70
; 

loc_5EDF66:				; CODE XREF: KeWaitForSingleObject+1D3j
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	[esp+0A0h+var_70], eax
		jmp	loc_52B91D
; 

loc_5EDF7A:				; CODE XREF: KeWaitForSingleObject+1DFj
		mov	ecx, eax
		call	_KeAbPreWait@4	; KeAbPreWait(x)
		jmp	loc_52B925
; 

loc_5EDF86:				; CODE XREF: KeWaitForSingleObject+207j
		test	edi, edi
		jz	short loc_5EDFB3
		cmp	edi, 80h
		jz	short loc_5EDFB3
		push	0
		mov	edx, eax
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	edx, eax
		mov	ecx, ebx
		call	KeAbPostReleaseEx
		mov	[esp+0A0h+var_70], 0
		jmp	loc_52B94D
; 

loc_5EDFB3:				; CODE XREF: KeWaitForSingleObject+C2848j
					; KeWaitForSingleObject+C2850j
		push	0
		mov	edx, eax
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	[esp+0A0h+var_70], eax
		or	byte ptr [eax+0Eh], 1
		jmp	loc_52B94D
; 

loc_5EDFCB:				; CODE XREF: KeWaitForSingleObject+4B1j
		mov	byte ptr [esi+56h], 0
		mov	edi, 101h
		jmp	loc_52BCFB
; 

loc_5EDFD9:				; CODE XREF: KeWaitForSingleObject+499j
		mov	byte ptr [eax+esi+56h],	0
		mov	edi, 101h
		jmp	loc_52BCFB
; 

loc_5EDFE8:				; CODE XREF: KeWaitForSingleObject+353j
		xor	cl, cl
		jmp	loc_52BA9F
; 

loc_5EDFEF:				; CODE XREF: KeWaitForSingleObject+39Fj
		mov	[esi+248h], ebx
		jmp	loc_52BAEF
; 

loc_5EDFFA:				; CODE XREF: KeWaitForSingleObject+3F5j
		push	1
		xor	edx, edx
		mov	dword ptr [eax+248h], 0
		call	KeAbPreAcquire
		test	eax, eax
		jz	loc_52BB3B
		or	byte ptr [eax+0Eh], 1
		jmp	loc_52BB3B
; 

loc_5EE01E:				; CODE XREF: KeWaitForSingleObject+410j
		test	al, 18h
		jz	loc_52BDE3
		test	al, 8
		jz	short loc_5EE032
		add	esi, 5Ch
		lock bts dword ptr [esi], 0Ch

loc_5EE032:				; CODE XREF: KeWaitForSingleObject+C28E8j
		mov	ebx, [esp+0A0h+var_84]
		mov	[esp+0A0h+var_54], 0
		mov	[esp+0A0h+var_28], 0
		lea	esi, [ebx+2224h]

loc_5EE04C:				; CODE XREF: KeWaitForSingleObject+C294Cj
		lock bts dword ptr [esi], 0
		jb	short loc_5EE07D
		cmp	dword ptr [ebx+8], 0
		jnz	short loc_5EE064
		lea	edx, [esp+0A0h+var_54]
		mov	ecx, ebx
		call	KiSelectNextThread

loc_5EE064:				; CODE XREF: KeWaitForSingleObject+C2917j
		xor	eax, eax
		lock and [esi],	eax
		push	[esp+0A0h+var_60]
		lea	edx, [esp+0A4h+var_54]
		mov	ecx, ebx
		call	@KiProcessDeferredReadyList@12 ; KiProcessDeferredReadyList(x,x,x)
		jmp	loc_52B9E4
; 

loc_5EE07D:				; CODE XREF: KeWaitForSingleObject+C2911j
					; KeWaitForSingleObject+C294Aj
		lea	ecx, [esp+0A0h+var_28]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5EE07D
		jmp	short loc_5EE04C
; 

loc_5EE08E:				; CODE XREF: KeWaitForSingleObject+315j
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		push	[esp+0A0h+var_6C]
		mov	edx, esi
		call	_KiFastExitThreadWait@12 ; KiFastExitThreadWait(x,x,x)
		push	0C0000191h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5EE0AB:				; CODE XREF: KeWaitForSingleObject+1A9j
					; KeWaitForSingleObject+3C0j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EE0B2:				; CODE XREF: KeWaitForSingleObject+69Dj
		test	al, 8
		jz	short loc_5EE0BE
		add	esi, 5Ch
		lock bts dword ptr [esi], 0Ch

loc_5EE0BE:				; CODE XREF: KeWaitForSingleObject+C2974j
		mov	ebx, [esp+0A4h+var_88]
		mov	[esp+0A4h+var_54], 0
		mov	[esp+0A4h+var_20], 0
		lea	esi, [ebx+2224h]

loc_5EE0DB:				; CODE XREF: KeWaitForSingleObject+C29DEj
		lock bts dword ptr [esi], 0
		jb	short loc_5EE10C
		cmp	dword ptr [ebx+8], 0
		jnz	short loc_5EE0F3
		lea	edx, [esp+0A4h+var_54]
		mov	ecx, ebx
		call	KiSelectNextThread

loc_5EE0F3:				; CODE XREF: KeWaitForSingleObject+C29A6j
		xor	eax, eax
		lock and [esi],	eax
		push	[esp+0A4h+var_64]
		lea	edx, [esp+0A8h+var_54]
		mov	ecx, ebx
		call	@KiProcessDeferredReadyList@12 ; KiProcessDeferredReadyList(x,x,x)
		jmp	loc_52B9E4
; 

loc_5EE10C:				; CODE XREF: KeWaitForSingleObject+C29A0j
					; KeWaitForSingleObject+C29DCj
		lea	ecx, [esp+0A4h+var_20]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5EE10C
		jmp	short loc_5EE0DB
; END OF FUNCTION CHUNK	FOR KeWaitForSingleObject
; 
; START	OF FUNCTION CHUNK FOR KiCommitThreadWait

loc_5EE120:				; CODE XREF: KiCommitThreadWait+10Fj
		lock btr dword ptr [edx], 0Ch
		mov	ecx, [edx]
		jmp	loc_52BF25
; 

loc_5EE12C:				; CODE XREF: KiCommitThreadWait+265j
		xor	eax, eax
		add	ebx, ecx
		mov	[esp+48h+var_28], ebx
		adc	eax, edx
		mov	[esp+48h+var_2C], eax
		jmp	loc_52BF58
; 

loc_5EE13F:				; CODE XREF: KiCommitThreadWait+350j
		mov	edx, [ebx+10h]
		lea	eax, [ebx+10h]
		cmp	[edx+4], eax
		jnz	loc_52C269
		mov	ecx, [esp+48h+var_18]
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[edx+4], ecx
		mov	[eax], ecx
		jmp	loc_52C00B
; 

loc_5EE161:				; CODE XREF: KiCommitThreadWait+273j
		push	[esp+48h+var_2C]
		lea	eax, [esp+4Ch+var_34]
		xor	dl, dl
		push	[esp+4Ch+var_28]
		mov	ecx, ebx
		push	eax
		call	KiComputeDueTime
		test	eax, eax
		jz	short loc_5EE194
		mov	ecx, [esp+48h+var_34]
		jmp	loc_52C0DC
; 

loc_5EE184:				; CODE XREF: KiCommitThreadWait+2F0j
		push	1
		xor	edx, edx
		mov	ecx, ebx
		call	_KiTraceSetTimer@12 ; KiTraceSetTimer(x,x,x)
		jmp	loc_52BF90
; 

loc_5EE194:				; CODE XREF: KiCommitThreadWait+C2369j
		mov	edi, [esp+48h+var_30]
		jmp	loc_52C3A0
; 

loc_5EE19D:				; CODE XREF: KiCommitThreadWait+505j
					; KiCommitThreadWait+C239Aj
		lea	ecx, [esp+48h+var_14]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5EE19D
		jmp	loc_52C310
; 

loc_5EE1B1:				; CODE XREF: KiCommitThreadWait+51Bj
		mov	cl, [esp+48h+var_35]
		movsx	eax, cl
		cmp	byte ptr [eax+esi+56h],	0
		jz	short loc_5EE1C9
		mov	byte ptr [eax+esi+56h],	0
		jmp	loc_52C339
; 

loc_5EE1C9:				; CODE XREF: KiCommitThreadWait+C23ADj
		test	cl, cl
		jz	loc_52C339
		mov	byte ptr [esi+56h], 0
		jmp	loc_52C339
; 

loc_5EE1DA:				; CODE XREF: KiCommitThreadWait+499j
		push	0
		push	0
		mov	edx, 1
		mov	ecx, ebx
		call	KiProcessThreadWaitList
		jmp	loc_52C2AF
; END OF FUNCTION CHUNK	FOR KiCommitThreadWait
; 
; START	OF FUNCTION CHUNK FOR KiSwapThread

loc_5EE1EF:				; CODE XREF: KiSwapThread+CCj
		mov	al, [ebx+60h]
		mov	edx, [esi+3B40h]
		sub	edx, [esi+3B48h]
		mov	ecx, [esi+3B44h]
		sbb	ecx, [esi+3B4Ch]
		movzx	eax, al
		add	[esi+eax*8+3B50h], edx
		adc	[esi+eax*8+3B54h], ecx
		mov	al, [esp+0A0h+var_92]
		and	al, 0EFh
		mov	dword ptr [esi+3B48h], 0
		mov	dword ptr [esi+3B4Ch], 0
		mov	[esp+0A0h+var_92], al
		jmp	loc_52C4B2
; 

loc_5EE23E:				; CODE XREF: KiSwapThread+10Cj
		mov	edx, [eax+64h]
		jmp	loc_52C501
; 

loc_5EE246:				; CODE XREF: KiSwapThread+1C5j
		mov	eax, [esp+0A0h+var_78]
		shl	eax, 4
		add	eax, 8
		add	eax, edi
		mov	[esp+0A0h+var_88], eax
		mov	ecx, [eax]
		add	ecx, [esp+0A0h+var_8C]
		mov	edx, [eax+4]
		adc	edx, [esp+0A0h+var_90]
		mov	[esp+0A0h+var_60], ecx
		mov	[esp+0A0h+var_64], edx

loc_5EE26B:				; CODE XREF: KiSwapThread+C1EADj
					; KiSwapThread+C1EB3j
		mov	edi, [eax]
		mov	edx, [eax+4]
		mov	eax, edi
		mov	[esp+0A0h+var_70], edx
		nop
		mov	esi, [esp+0A0h+var_88]
		mov	ebx, ecx
		mov	ecx, [esp+0A0h+var_64]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [esp+0A0h+var_60]
		cmp	eax, edi
		mov	eax, esi
		jnz	short loc_5EE26B
		cmp	edx, [esp+0A0h+var_70]
		jnz	short loc_5EE26B
		mov	ebx, [esp+0A0h+var_7C]
		mov	edi, [esp+0A0h+var_74]
		jmp	loc_52C5AB
; 

loc_5EE2A2:				; CODE XREF: KiSwapThread+1E4j
		and	al, 0BFh
		jmp	loc_52C5CA
; 

loc_5EE2A9:				; CODE XREF: KiSwapThread+8E1j
		cmp	byte ptr [ebx+244h], 2
		jz	short loc_5EE2C3
		add	[esi+3B78h], edi
		adc	[esi+3B7Ch], eax
		jmp	loc_52CCC7
; 

loc_5EE2C3:				; CODE XREF: KiSwapThread+C1ED0j
		add	[esi+3B80h], edi
		adc	[esi+3B84h], eax
		jmp	loc_52CCC7
; 

loc_5EE2D4:				; CODE XREF: KiSwapThread+8F4j
		mov	ecx, ebx
		call	_KiEndCounterAccumulation@4 ; KiEndCounterAccumulation(x)
		jmp	loc_52C5D2
; 

loc_5EE2E0:				; CODE XREF: KiSwapThread+AFDj
		test	byte ptr [edi+5Ch], 1
		jz	loc_52CD07
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	KiRemoveSchedulingGroupQueue
		jmp	loc_52CD07
; 

loc_5EE2FA:				; CODE XREF: KiSwapThread+93Aj
		mov	ebx, edi
		sub	ebx, [esi+3B34h]
		jmp	loc_52CCF3
; 

loc_5EE307:				; CODE XREF: KiSwapThread+26Cj
		mov	eax, [esi+338h]
		mov	edx, [eax]
		not	edx
		movzx	eax, dl
		shr	edx, 8
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[edx]
		movzx	eax, cl
		cmp	eax, ds:_KiPerfIsoEnabled
		jb	loc_52C67B
		mov	ecx, [esi+3C8h]
		mov	eax, [esi+402Ch]
		cmp	ecx, eax
		jz	loc_52C652
		not	ecx
		and	ecx, eax
		mov	eax, [esi+338h]
		mov	eax, [eax+0Ch]
		test	eax, ecx
		jnz	loc_52C652
		bsf	eax, ecx
		mov	[esp+0A0h+var_4C], 0
		mov	[esp+0A0h+var_4C], eax
		mov	eax, ds:_KiProcessorBlock[eax*4]
		test	dword ptr [eax+4D8h], 400h
		jz	loc_52C67B
		jmp	loc_52C652
; 

loc_5EE39E:				; CODE XREF: KiSwapThread+966j
		mov	eax, [esp+0A0h+var_70]
		add	eax, 0ECh
		mov	ecx, [eax+4]
		test	cl, 1
		jz	short loc_5EE3BF
		cmp	ecx, 1
		jz	loc_52C67B
		or	eax, 1
		xor	eax, ecx
		jmp	short loc_5EE3C1
; 

loc_5EE3BF:				; CODE XREF: KiSwapThread+C1FCDj
		mov	eax, ecx

loc_5EE3C1:				; CODE XREF: KiSwapThread+C1FDDj
		test	eax, eax
		jnz	loc_52CD30
		jmp	loc_52C673
; 

loc_5EE3CE:				; CODE XREF: KiSwapThread+C65j
					; KiSwapThread+C1FFBj
		lea	ecx, [esp+0A0h+var_44]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5EE3CE
		jmp	loc_52D040
; 

loc_5EE3E2:				; CODE XREF: KiSwapThread+2B6j
		mov	[esp+0A0h+var_84], 1
		jmp	loc_52C6A0
; 

loc_5EE3EF:				; CODE XREF: KiSwapThread+2D1j
		mov	byte ptr [ecx+10h], 1
		jmp	loc_52C6B7
; 

loc_5EE3F8:				; CODE XREF: KiSwapThread+333j
		mov	edx, esi
		mov	ecx, edi
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	loc_52C71F
		jmp	loc_52C719
; 

loc_5EE410:				; CODE XREF: KiSwapThread+34Ej
		mov	eax, 1
		jmp	loc_52C736
; 

loc_5EE41A:				; CODE XREF: KiSwapThread+363j
		cmp	[esp+0A0h+var_84], ecx
		jz	loc_52C8DC
		jmp	loc_52C749
; 

loc_5EE429:				; CODE XREF: KiSwapThread+D18j
		mov	edx, 1
		shl	edx, cl
		test	edx, edi
		jz	loc_52D0E0
		mov	edx, ds:_KeNodeBlock[ecx*4]
		jmp	loc_52C764
; 

loc_5EE444:				; CODE XREF: KiSwapThread+524j
		cmp	ds:_KeHeteroSystemVirtual, 0
		jnz	loc_52C90A
		xor	eax, eax
		lea	ebx, [esi+2224h]
		lock and [ebx],	eax
		mov	ecx, esi
		call	_KiSendHeteroRescheduleIntRequest@4 ; KiSendHeteroRescheduleIntRequest(x)
		mov	[esp+0A0h+var_30], 0

loc_5EE46B:				; CODE XREF: KiSwapThread+C20B7j
		lock bts dword ptr [ebx], 0
		jb	short loc_5EE488
		mov	eax, [esi+8]
		mov	ebx, [esp+0A0h+var_7C]
		test	eax, eax
		jz	loc_52C90A
		mov	edi, eax
		jmp	loc_52CE20
; 

loc_5EE488:				; CODE XREF: KiSwapThread+C2090j
					; KiSwapThread+C20B5j
		lea	ecx, [esp+0A0h+var_30]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5EE488
		jmp	short loc_5EE46B
; 

loc_5EE499:				; CODE XREF: KiSwapThread+54Dj
		mov	eax, ds:_KeTickCount
		sub	eax, [edi+138h]
		add	[edi+170h], eax
		jmp	loc_52C933
; 

loc_5EE4AF:				; CODE XREF: KiSwapThread+636j
		mov	cl, 1
		jmp	loc_52CA1E
; 

loc_5EE4B6:				; CODE XREF: KiSwapThread+653j
		mov	eax, ds:_KeTickCount
		sub	eax, [edi+138h]
		add	[edi+170h], eax
		jmp	loc_52CA39
; 

loc_5EE4CC:				; CODE XREF: KiSwapThread+66Ej
		mov	eax, ds:_KeTickCount
		sub	eax, [edi+138h]
		add	[edi+170h], eax
		jmp	loc_52CA54
; 

loc_5EE4E2:				; CODE XREF: KiSwapThread+58Bj
		mov	al, [ebx+90h]
		cmp	al, 5
		jnz	loc_52C971
		cmp	[ebx+1E5h], cl
		jbe	loc_52C971
		lea	esi, [ebx+2Ch]
		mov	[esp+0A0h+var_2C], ecx

loc_5EE503:				; CODE XREF: KiSwapThread+C2153j
		lock bts dword ptr [esi], 0
		jb	short loc_5EE524
		test	dword ptr [ebx+5Ch], 400000h
		jz	short loc_5EE519
		mov	al, [ebx+90h]

loc_5EE519:				; CODE XREF: KiSwapThread+C2131j
		mov	dword ptr [esi], 0
		jmp	loc_52C971
; 

loc_5EE524:				; CODE XREF: KiSwapThread+C2128j
					; KiSwapThread+C2151j
		lea	ecx, [esp+0A0h+var_2C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5EE524
		jmp	short loc_5EE503
; 

loc_5EE535:				; CODE XREF: KiSwapThread+6BEj
					; KiSwapThread+C2162j ...
		lea	ecx, [esp+0A0h+var_28]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	al, al
		js	short loc_5EE535
		lock bts dword ptr [esi], 7
		jb	short loc_5EE535
		jmp	loc_52CAA4
; 

loc_5EE550:				; CODE XREF: KiSwapThread+9E0j
		movzx	ecx, byte ptr [ecx-1E9Ch]
		shl	edx, 6
		jmp	loc_52CDD1
; 

loc_5EE55F:				; CODE XREF: KiSwapThread+747j
					; KiSwapThread+759j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EE566:				; CODE XREF: KiSwapThread+78Dj
		test	al, al
		jz	loc_52CE8E
		push	602h
		push	0F55h
		lea	eax, [esp+0A8h+var_54]
		mov	[esp+0A8h+var_54], esi
		push	40020000h
		mov	edx, 1
		mov	[esp+0ACh+var_18], eax
		lea	ecx, [esp+0ACh+var_18]
		mov	[esp+0ACh+var_14], 0
		mov	[esp+0ACh+var_10], 4
		mov	[esp+0ACh+var_C], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	al, [esp+0A0h+var_91]
		jmp	loc_52CB73
; END OF FUNCTION CHUNK	FOR KiSwapThread
; 
; START	OF FUNCTION CHUNK FOR KiSearchForNewThreadOnProcessor

loc_5EE5C7:				; CODE XREF: KiSearchForNewThreadOnProcessor+138j
		mov	eax, [edi+338h]
		mov	edx, [eax]
		not	edx
		movzx	eax, dl
		shr	edx, 8
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[edx]
		movzx	eax, cl
		cmp	eax, ds:_KiPerfIsoEnabled
		jb	short loc_5EE653
		mov	ecx, [edi+3C8h]
		mov	eax, [edi+402Ch]
		cmp	ecx, eax
		jz	loc_52D23E
		not	ecx
		and	ecx, eax
		mov	eax, [edi+338h]
		mov	eax, [eax+0Ch]
		test	eax, ecx
		jnz	loc_52D23E
		bsf	eax, ecx
		mov	[ebp+var_20], 0
		mov	[ebp+var_20], eax
		mov	eax, ds:_KiProcessorBlock[eax*4]
		test	dword ptr [eax+4D8h], 400h
		jnz	loc_52D23E

loc_5EE653:				; CODE XREF: KiSearchForNewThreadOnProcessor+C1504j
		mov	ecx, [ebp+var_8]
		jmp	loc_52D253
; 

loc_5EE65B:				; CODE XREF: KiSearchForNewThreadOnProcessor+32Aj
		xor	ecx, ecx
		lea	eax, [edi+2224h]
		lock and [eax],	ecx
		jmp	loc_52D112
; 

loc_5EE66B:				; CODE XREF: KiSearchForNewThreadOnProcessor+23Ej
		mov	byte ptr [eax+10h], 1
		jmp	loc_52D344
; 

loc_5EE674:				; CODE XREF: KiSearchForNewThreadOnProcessor+1CBj
		mov	ecx, 21h
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EE67B:				; CODE XREF: KiSelectReadyThread+3Fj
		test	[ebx+4020h], esi
		jz	loc_52D565
		xor	eax, eax
		cmp	[ebp+var_1], 7
		setnz	al
		dec	eax
		and	ecx, eax
		mov	[ebp+var_C], ecx
		jmp	loc_52D565
; END OF FUNCTION CHUNK	FOR KiSearchForNewThreadOnProcessor
; 
; START	OF FUNCTION CHUNK FOR KiSelectReadyThread

loc_5EE69B:				; CODE XREF: KiSelectReadyThread+11Dj
		push	edx
		mov	ecx, esi
		call	_KiConvertDynamicHeteroPolicy@12 ; KiConvertDynamicHeteroPolicy(x,x,x)
		mov	edx, [ebp+var_8]
		jmp	loc_52D643
; 

loc_5EE6AB:				; CODE XREF: KiSelectReadyThread+128j
		mov	ecx, [edx+338h]
		lea	eax, [eax+eax*2]
		mov	ecx, [ecx+eax*4+0B0h]
		jmp	loc_52D64E
; 

loc_5EE6C0:				; CODE XREF: KiSelectReadyThread+134j
		mov	eax, [edx+4020h]
		and	eax, ecx
		test	[ebp+var_28], eax
		jz	loc_52D65A
		mov	ecx, [ebp+var_1C]
		mov	ecx, [ecx]
		mov	[ebp+var_1C], ecx
		cmp	ecx, [ebp+var_2C]
		jnz	loc_52D630
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_30]
		jmp	loc_52D600
; 

loc_5EE6ED:				; CODE XREF: KiSelectReadyThread+14Cj
					; KiSelectReadyThread+154j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EE6F4:				; CODE XREF: KiAbProcessContextSwitch+244j
		movzx	eax, byte ptr [esi+0Ch]
		mov	edx, 746C6644h
		shl	eax, 3
		sub	esi, eax
		mov	ecx, esi
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	loc_52D8C2
		test	bl, 1
		jz	short loc_5EE727
		push	80000000h
		mov	edx, 2
		mov	ecx, esi
		call	IoBoostThreadIoPriority

loc_5EE727:				; CODE XREF: KiSelectReadyThread+C11F4j
		test	byte ptr [ebp+var_1C], 2
		jz	short loc_5EE73D
		cmp	dword ptr [esi+334h], 0
		jz	short loc_5EE73D
		mov	ecx, esi
		call	_IoBoostThreadOutstandingIo@4 ;	IoBoostThreadOutstandingIo(x)

loc_5EE73D:				; CODE XREF: KiSelectReadyThread+C120Bj
					; KiSelectReadyThread+C1214j
		push	746C6644h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_52D8C2
; END OF FUNCTION CHUNK	FOR KiSelectReadyThread
; 
; START	OF FUNCTION CHUNK FOR KiInsertTimerTable

loc_5EE74D:				; CODE XREF: KiInsertTimerTable+45j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_5EE765
		movzx	edx, word ptr [eax+2]
		cmp	edx, 20h
		jb	short loc_5EE765
		lea	ebx, [edx-20h]
		jmp	loc_52DB5B
; 

loc_5EE765:				; CODE XREF: KiInsertTimerTable+C0C42j
					; KiInsertTimerTable+C0C4Bj
		test	byte ptr [ecx+2238h], 2
		mov	ebx, [ecx+3CCh]
		jz	loc_52DB5B
		mov	eax, [ecx+338h]
		mov	edx, [eax+84h]
		and	edx, [eax+48h]
		jz	loc_52DB5B
		movzx	ecx, byte ptr [ecx+3C4h]
		ror	edx, cl
		bsf	eax, edx
		mov	[ebp+var_10], 0
		mov	[ebp+var_10], eax
		lea	ebx, [eax+ecx]
		and	ebx, 1Fh
		jmp	loc_52DB5B
; 

loc_5EE7AE:				; CODE XREF: KiInsertTimerTable+FCj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EE7B5:				; CODE XREF: KiInsertTimerTable+155j
		mov	edi, [ebp+arg_4]
		movzx	edx, byte ptr [edx-1E9Ch]
		shl	edi, 6
		mov	[ebp+var_10], edi
		mov	edi, [ebp+arg_8]
		jmp	loc_52DC7F
; 

loc_5EE7CD:				; CODE XREF: KiInsertTimerTable+18Fj
		mov	edi, 0FFDF000Ch
		lea	ebx, [edi-4]
		lea	esi, [edi+4]

loc_5EE7D8:				; CODE XREF: KiInsertTimerTable+C0CD6j
		lea	ecx, [ebp+var_24]
		call	KeYieldProcessorEx
		mov	ecx, [edi]
		mov	edx, [ebx]
		cmp	ecx, [esi]
		jnz	short loc_5EE7D8
		mov	eax, [ebp+var_C]
		mov	esi, [ebp+var_2C]
		mov	edi, [ebp+arg_8]
		mov	ebx, [ebp+var_8]
		jmp	loc_52DCA5
; 

loc_5EE7F9:				; CODE XREF: KiInsertTimerTable+1B8j
		mov	[edi], bl
		jmp	loc_52DCCE
; END OF FUNCTION CHUNK	FOR KiInsertTimerTable
; 
; START	OF FUNCTION CHUNK FOR KiAbEntryGetLockedHeadEntry

loc_5EE800:				; CODE XREF: KiAbEntryGetLockedHeadEntry+219j
		call	ExReleaseSpinLockSharedFromDpcLevel
		jmp	loc_52E5B4
; 

loc_5EE80A:				; CODE XREF: KiAbEntryGetLockedHeadEntry+471j
		cmp	[esp+50h+var_34], 0
		push	[esp+50h+var_3C]
		jnz	short loc_5EE81F
		call	ExReleaseSpinLockSharedFromDpcLevel
		jmp	loc_52E965
; 

loc_5EE81F:				; CODE XREF: KiAbEntryGetLockedHeadEntry+C0483j
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	loc_52E965
; 

loc_5EE829:				; CODE XREF: KiAbEntryGetLockedHeadEntry+4A5j
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	loc_52E840
; 

loc_5EE833:				; CODE XREF: KiAbEntryGetLockedHeadEntry+511j
		test	ds:byte_70EFC6,	1
		jz	short loc_5EE84C
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_52E965
; 

loc_5EE84C:				; CODE XREF: KiAbEntryGetLockedHeadEntry+C04AAj
		mov	esi, [ebp+arg_0]
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5EE86F
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	loc_52E965
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5EE86F:				; CODE XREF: KiAbEntryGetLockedHeadEntry+C04C3j
		mov	dword ptr [esi], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_52E965
; END OF FUNCTION CHUNK	FOR KiAbEntryGetLockedHeadEntry
; 
; START	OF FUNCTION CHUNK FOR RtlRbInsertNodeEx

loc_5EE885:				; CODE XREF: RtlRbInsertNodeEx+4A1j
		xor	edi, edi
		jmp	loc_52EC28
; 

loc_5EE88C:				; CODE XREF: RtlRbInsertNodeEx+43Fj
		mov	[ebp+arg_8], 0
		jmp	loc_52EB26
; 

loc_5EE898:				; CODE XREF: RtlRbInsertNodeEx+44Ej
		xor	ecx, ecx
		jmp	loc_52EC08
; 

loc_5EE89F:				; CODE XREF: RtlRbInsertNodeEx+153j
					; RtlRbInsertNodeEx+170j ...
		mov	ecx, 1Dh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EE8A6:				; CODE XREF: RtlpHpVsChunkSplit+8A8j
		mov	eax, [ebp+var_8]
		bsf	edi, eax
		setnz	al
		movzx	eax, al
		test	eax, eax
		jz	loc_52FF14
		lea	edx, [edi+20h]
		jmp	loc_52FF11
; END OF FUNCTION CHUNK	FOR RtlRbInsertNodeEx
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVsChunkSplit

loc_5EE8C2:				; CODE XREF: RtlpHpVsChunkSplit+8BCj
		bsr	esi, eax
		setnz	al
		movzx	eax, al
		test	eax, eax
		jz	loc_52FF25
		lea	ecx, [esi+20h]
		jmp	loc_52FF25
; 

loc_5EE8DB:				; CODE XREF: RtlpHpVsChunkSplit+955j
		mov	edx, [ebp+arg_4]
		add	edx, ecx
		mov	[ebp+arg_4], 0
		mov	[ebp+var_18], edx
		jmp	loc_52FFBB
; 

loc_5EE8EF:				; CODE XREF: RtlpHpVsChunkSplit+223j
		mov	eax, [edi]
		xor	eax, ds:_RtlpHpHeapGlobals
		xor	eax, edi
		and	eax, 7FFF0000h
		jmp	loc_52F88E
; 

loc_5EE903:				; CODE XREF: RtlpHpVsChunkSplit+2E2j
		push	ecx
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	_RtlpHpVsFreeChunkRemove@12 ; RtlpHpVsFreeChunkRemove(x,x,x)
		mov	edx, [ebp+arg_0]
		mov	edi, [ebp+var_28]
		shr	esi, 1
		and	esi, 7FFFh
		mov	[ebp+var_14], edi
		add	edx, esi
		mov	[ebp+arg_0], edx
		jmp	loc_52F94B
; 

loc_5EE929:				; CODE XREF: RtlpHpVsChunkSplit+33Cj
		push	eax
		mov	edx, ebx
		call	_RtlpHpVsFreeChunkRemove@12 ; RtlpHpVsFreeChunkRemove(x,x,x)
		mov	edx, [ebp+arg_0]
		shr	esi, 1
		and	esi, 7FFFh
		add	edx, esi
		mov	[ebp+arg_0], edx
		jmp	loc_52F9A2
; 

loc_5EE946:				; CODE XREF: RtlpHpVsChunkSplit+7D9j
		push	[ebp+arg_C]
		mov	edx, [esi+4]
		mov	ecx, esi
		call	RtlpHpAcquireQueuedLockExclusive
		jmp	loc_52FE3F
; END OF FUNCTION CHUNK	FOR RtlpHpVsChunkSplit
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVsContextAllocateInternal

loc_5EE958:				; CODE XREF: RtlpHpVsContextAllocateInternal+18j
		add	eax, 2
		mov	[ebp+arg_0], eax
		jmp	loc_5300EE
; 

loc_5EE963:				; CODE XREF: RtlpHpVsContextAllocateInternal+E4j
		mov	eax, [esi]
		xor	eax, ecx
		xor	eax, edi
		movzx	eax, al
		jmp	loc_5301F2
; 

loc_5EE971:				; CODE XREF: RtlpHpVsContextAllocateInternal+145j
		push	0
		push	0
		push	edi
		mov	edi, [ebp+var_4]
		mov	ecx, 12h
		push	edx
		mov	edx, [edi+80h]
		xor	edx, edi
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	loc_530369
; END OF FUNCTION CHUNK	FOR RtlpHpVsContextAllocateInternal
; 
; START	OF FUNCTION CHUNK FOR RtlpHpVsContextFreeList

loc_5EE991:				; CODE XREF: RtlpHpVsContextFreeList+58j
		mov	eax, ecx
		shr	eax, 10h
		and	eax, 7FFFh
		jz	short loc_5EE9CA
		shl	eax, 3
		mov	esi, edi
		sub	esi, eax
		mov	eax, [esi]
		xor	eax, edx
		xor	eax, esi
		jl	short loc_5EE9BB
		shr	eax, 10h
		and	eax, 7FFFh
		jz	short loc_5EE9CA
		neg	eax
		lea	esi, [esi+eax*8]

loc_5EE9BB:				; CODE XREF: RtlpHpVsContextFreeList+BE63Aj
		mov	eax, [esi+4]
		xor	eax, edx
		xor	eax, esi
		movzx	eax, al
		jmp	loc_5303D8
; 

loc_5EE9CA:				; CODE XREF: RtlpHpVsContextFreeList+BE62Bj
					; RtlpHpVsContextFreeList+BE644j
		xor	eax, eax
		jmp	loc_5303D8
; 

loc_5EE9D1:				; CODE XREF: RtlpHpVsContextFreeList+8Bj
		mov	edx, [ebx+80h]
		mov	ecx, 12h
		push	0
		push	0
		push	0
		push	esi
		xor	edx, ebx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	loc_5305BD
; 

loc_5EE9EF:				; CODE XREF: RtlpHpVsContextFreeList+93j
		mov	edx, [ebx+80h]
		mov	ecx, 8
		push	0
		push	0
		push	0
		push	edi
		xor	edx, ebx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	loc_5305BD
; END OF FUNCTION CHUNK	FOR RtlpHpVsContextFreeList
; 
; START	OF FUNCTION CHUNK FOR RtlRbRemoveNode

loc_5EEA0D:				; CODE XREF: RtlRbRemoveNode+AACj
		xor	ecx, esi

loc_5EEA0F:				; CODE XREF: RtlRbRemoveNode+AA4j
		test	ecx, ecx
		jz	loc_5314A2

loc_5EEA17:				; CODE XREF: RtlRbRemoveNode+7Cj
					; RtlRbRemoveNode+13Ej	...
		mov	ecx, 1Dh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EEA1E:				; CODE XREF: RtlRbRemoveNode+BE4j
		xor	edx, edx
		jmp	loc_5313EF
; 

loc_5EEA25:				; CODE XREF: RtlRbRemoveNode+C0Dj
		xor	esi, esi
		jmp	loc_530B2C
; 

loc_5EEA2C:				; CODE XREF: RtlRbRemoveNode+A8Dj
		xor	ecx, ecx
		jmp	loc_530A8A
; 

loc_5EEA33:				; CODE XREF: RtlRbRemoveNode+C57j
		xor	eax, eax
		jmp	loc_531065
; 

loc_5EEA3A:				; CODE XREF: RtlRbRemoveNode+B17j
		mov	[ebp+var_10], 0
		jmp	loc_530E1B
; 

loc_5EEA46:				; CODE XREF: RtlRbRemoveNode+B26j
		xor	eax, eax
		jmp	loc_530F10
; END OF FUNCTION CHUNK	FOR RtlRbRemoveNode
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegAlloc

loc_5EEA4D:				; CODE XREF: RtlpHpSegAlloc+4Bj
		mov	eax, [edi]
		not	eax
		inc	eax
		cmp	eax, 200000h
		ja	loc_531D26
		jmp	loc_531C31
; 

loc_5EEA62:				; CODE XREF: RtlpHpSegAlloc+A1j
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_RtlpHpSegPageRangeFree@12 ; RtlpHpSegPageRangeFree(x,x,x)
		jmp	loc_531D26
; 

loc_5EEA71:				; CODE XREF: RtlpHpSegAlloc+10Ej
		push	[esp+28h+var_18]
		mov	edx, esi
		mov	ecx, edi
		call	_RtlpHpSegPageRangeComputeLargePageCost@12 ; RtlpHpSegPageRangeComputeLargePageCost(x,x,x)
		cmp	eax, 2
		jg	loc_531CCB
		jmp	loc_531CBC
; END OF FUNCTION CHUNK	FOR RtlpHpSegAlloc
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegPageRangeAllocate

loc_5EEA8C:				; CODE XREF: RtlpHpSegPageRangeAllocate+5Dj
		mov	dl, bl
		mov	ecx, edi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_531DB9
; 

loc_5EEA9A:				; CODE XREF: RtlpHpSegPageRangeAllocate+83j
					; RtlpHpSegPageRangeAllocate+BCD9Aj
		test	edx, 40000000h
		jnz	short loc_5EEAB4
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5EEABE

loc_5EEAB4:				; CODE XREF: RtlpHpSegPageRangeAllocate+BCD70j
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [edi]

loc_5EEABE:				; CODE XREF: RtlpHpSegPageRangeAllocate+BCD82j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5EEA9A
		jmp	loc_531DB9
; 

loc_5EEAD1:				; CODE XREF: RtlpHpSegPageRangeAllocate+E6j
		push	1
		push	[ebp+var_C]
		mov	edx, ebx
		mov	ecx, edi
		call	_RtlpHpSegLargeRangeAllocate@16	; RtlpHpSegLargeRangeAllocate(x,x,x,x)
		mov	ebx, eax
		jmp	loc_531E54
; 

loc_5EEAE6:				; CODE XREF: RtlpHpSegPageRangeAllocate+6CBj
		push	0
		push	[ebp+var_14]
		push	[ebp+var_8]
		push	ebx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EEAF9:				; CODE XREF: RtlpHpSegPageRangeAllocate+574j
		lea	esi, [ebx+222h]
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_5322B0
; 

loc_5EEB0A:				; CODE XREF: RtlpHpSegPageRangeAllocate+6E5j
		mov	edx, 1
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_53241B
; 

loc_5EEB1B:				; CODE XREF: RtlpHpSegPageRangeAllocate+712j
		push	[ebp+var_28]
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_5322C7
; 

loc_5EEB2D:				; CODE XREF: RtlpHpSegPageRangeAllocate+5D8j
		mov	ecx, 2
		jmp	loc_53230E
; 

loc_5EEB37:				; CODE XREF: RtlpHpSegPageRangeAllocate+5EDj
		xor	ebx, ebx
		jmp	loc_531ED0
; 

loc_5EEB3E:				; CODE XREF: RtlpHpSegPageRangeAllocate+63Cj
		push	0
		push	[ebp+var_C]
		mov	edx, ebx
		mov	ecx, edi
		call	_RtlpHpSegLargeRangeAllocate@16	; RtlpHpSegLargeRangeAllocate(x,x,x,x)
		mov	ebx, eax
		jmp	loc_531E5C
; 

loc_5EEB53:				; CODE XREF: RtlpHpSegPageRangeAllocate+36Dj
		mov	ecx, edx
		jmp	loc_5320E1
; 

loc_5EEB5A:				; CODE XREF: RtlpHpSegPageRangeAllocate+467j
		push	0
		push	[ebp+var_24]
		push	[ebp+var_14]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EEB6D:				; CODE XREF: RtlpHpSegPageRangeAllocate+2C5j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_18]
		jmp	loc_53200B
; 

loc_5EEB82:				; CODE XREF: RtlpHpSegPageRangeAllocate+67Ej
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_5323B4
; 

loc_5EEB93:				; CODE XREF: RtlpHpSegPageRangeAllocate+6ABj
		push	[ebp+arg_0]
		mov	edx, [ebp+var_14]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_532022
; 

loc_5EEBA5:				; CODE XREF: RtlpHpSegPageRangeAllocate+17Ej
		mov	edx, [ebp+4]
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_531EBA
; END OF FUNCTION CHUNK	FOR RtlpHpSegPageRangeAllocate
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegPageRangeShrink

loc_5EEBB2:				; CODE XREF: RtlpHpSegPageRangeShrink+56j
		mov	dl, bl
		mov	ecx, edi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_5324F2
; 

loc_5EEBC0:				; CODE XREF: RtlpHpSegPageRangeShrink+7Cj
					; RtlpHpSegPageRangeShrink+BC780j
		test	edx, 40000000h
		jnz	short loc_5EEBDA
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5EEBE4

loc_5EEBDA:				; CODE XREF: RtlpHpSegPageRangeShrink+BC756j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [edi]

loc_5EEBE4:				; CODE XREF: RtlpHpSegPageRangeShrink+BC768j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5EEBC0
		jmp	loc_5324F2
; 

loc_5EEBF7:				; CODE XREF: RtlpHpSegPageRangeShrink+95j
		mov	byte ptr [esi+0Fh], 0
		or	dword ptr [esi+0Ch], 0FFFF00h
		jmp	loc_53250B
; 

loc_5EEC07:				; CODE XREF: RtlpHpSegPageRangeShrink+E4j
		movzx	ecx, byte ptr [edi+6]
		mov	edx, 100h
		sub	edx, ecx
		movzx	ecx, byte ptr [eax+0Fh]
		cmp	ecx, edx
		jnz	loc_53255A
		mov	esi, [edi]
		and	esi, eax
		mov	dword ptr [eax], 0CCDDCCFFh
		mov	[ebp+var_18], esi
		jz	loc_5325DF
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_5EEC4C
		cmp	[eax], esi
		jnz	short loc_5EEC4C
		mov	[eax], ecx
		mov	[ecx+4], eax
		dec	dword ptr [edi+4Ch]
		jmp	loc_5325DF
; 

loc_5EEC4C:				; CODE XREF: RtlpHpSegPageRangeShrink+BC7C9j
					; RtlpHpSegPageRangeShrink+BC7CDj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EEC53:				; CODE XREF: RtlpHpSegPageRangeShrink+34Cj
		push	0
		push	[ebp+var_10]
		push	ebx
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EEC64:				; CODE XREF: RtlpHpSegPageRangeShrink+29Dj
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_20]
		jmp	loc_532723
; 

loc_5EEC79:				; CODE XREF: RtlpHpSegPageRangeShrink+380j
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_5327F6
; 

loc_5EEC8A:				; CODE XREF: RtlpHpSegPageRangeShrink+3ADj
		push	[ebp+arg_4]
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_53273A
; 

loc_5EEC9B:				; CODE XREF: RtlpHpSegPageRangeShrink+185j
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_532601
; 

loc_5EECAA:				; CODE XREF: RtlpHpSegPageRangeShrink+19Cj
		push	1
		push	7FFFFFFFh
		mov	edx, esi
		mov	ecx, edi
		call	RtlpHpSegSegmentFree
		jmp	loc_532612
; END OF FUNCTION CHUNK	FOR RtlpHpSegPageRangeShrink
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegPageRangeCommit

loc_5EECBF:				; CODE XREF: RtlpHpSegPageRangeCommit+26j
		mov	[ebp+var_14], 2
		jmp	loc_53285C
; 

loc_5EECCB:				; CODE XREF: RtlpHpSegPageRangeCommit+33j
		mov	[ebp+var_10], 1FFh
		jmp	loc_532870
; 

loc_5EECD7:				; CODE XREF: RtlpHpSegPageRangeCommit+BDj
		mov	ecx, [ebp+var_28]
		jmp	loc_5328A6
; END OF FUNCTION CHUNK	FOR RtlpHpSegPageRangeCommit
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegPageRangeHandleCommit

loc_5EECDF:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+67j
		cmp	eax, esi
		jnz	short loc_5EECEC
		mov	ebx, [ebp+var_14]
		inc	ebx
		mov	[ebp+var_18], ebx
		jmp	short loc_5EECF2
; 

loc_5EECEC:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+BC311j
		mov	esi, [ebp+var_8]
		mov	[ebp+var_18], esi

loc_5EECF2:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+BC31Aj
		movzx	esi, byte ptr [eax+0Ch]
		xor	ebx, ebx
		shr	esi, 5
		mov	[ebp+var_10], esi
		mov	esi, [ebp+var_8]
		cmp	ecx, 1
		jg	short loc_5EED1B
		mov	esi, [ebp+var_18]
		cmp	[ebp+var_10], esi
		mov	esi, [ebp+var_8]
		jnb	short loc_5EED1B
		mov	ebx, [ebp+var_18]
		mov	edx, [ebp+var_10]
		sub	ebx, edx
		jmp	short loc_5EED30
; 

loc_5EED1B:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+BC334j
					; RtlpHpSegPageRangeHandleCommit+BC33Fj
		cmp	ecx, 2
		jnz	short loc_5EED7A
		cmp	[ebp+var_10], edx
		jbe	short loc_5EED7A
		mov	esi, [ebp+var_10]
		mov	ebx, edx
		sub	ebx, [ebp+var_10]
		mov	[ebp+var_18], esi

loc_5EED30:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+BC349j
		mov	esi, [ebp+var_18]
		add	edx, edi
		add	esi, edi
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], esi
		mov	[ebp+var_C], esi
		mov	esi, [ebp+var_8]
		mov	[ebp+var_4], edx
		test	ebx, ebx
		jz	short loc_5EED7A
		mov	[ebp+var_4], edx
		mov	edx, [ebp+var_18]
		mov	[ebp+var_C], edx
		cmp	ecx, 1
		jl	short loc_5EED7A
		mov	cl, [eax+0Ch]
		mov	edx, [ebp+var_10]
		and	cl, 1Fh
		add	dl, bl
		shl	dl, 5
		or	dl, cl
		mov	ecx, [ebp+var_20]
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_8]
		mov	[eax+0Ch], dl

loc_5EED7A:				; CODE XREF: RtlpHpSegPageRangeHandleCommit+BC34Ej
					; RtlpHpSegPageRangeHandleCommit+BC353j ...
		add	eax, 10h
		add	edi, esi
		jmp	loc_532A40
; END OF FUNCTION CHUNK	FOR RtlpHpSegPageRangeHandleCommit
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegPageRangeCoalesce

loc_5EED84:				; CODE XREF: RtlpHpSegPageRangeCoalesce+3A6j
		mov	ecx, [ebp-30h]
		mov	al, 1
		shl	al, cl
		mov	ecx, [ebp-8]
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp-14h]
		jmp	loc_532F7F
; 

loc_5EED9F:				; CODE XREF: RtlpHpSegPageRangeCoalesce+46Dj
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp-8]
		jmp	loc_533033
; 

loc_5EEDB1:				; CODE XREF: RtlpHpSegPageRangeCoalesce+49Bj
		push	dword ptr [ebp-38h]
		mov	edx, [ebp-10h]
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [ebp-8]
		jmp	loc_532F96
; 

loc_5EEDC4:				; CODE XREF: RtlpHpSegPageRangeCoalesce+422j
		push	0
		push	dword ptr [ebp-30h]
		push	dword ptr [ebp-10h]
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5EEDD8:				; CODE XREF: ExAllocatePoolMm+C0j
		mov	esi, 80000001h
		jmp	loc_53309A
; END OF FUNCTION CHUNK	FOR RtlpHpSegPageRangeCoalesce
; 
; START	OF FUNCTION CHUNK FOR ExAllocatePoolMm

loc_5EEDE2:				; CODE XREF: ExAllocatePoolMm+42j
		or	esi, 20h
		jmp	loc_5330A8
; 

loc_5EEDEA:				; CODE XREF: ExAllocatePoolMm+6Bj
		mov	ecx, eax
		and	ecx, 8
		or	ecx, 0
		jz	short loc_5EEDF7
		or	esi, 4

loc_5EEDF7:				; CODE XREF: ExAllocatePoolMm+BBD92j
		mov	ecx, eax
		and	ecx, 200h
		or	ecx, 0
		jz	short loc_5EEE0A
		or	esi, 80h

loc_5EEE0A:				; CODE XREF: ExAllocatePoolMm+BBDA2j
		mov	ecx, eax
		and	ecx, 400h
		or	ecx, 0
		jz	short loc_5EEE1A
		or	esi, 40h

loc_5EEE1A:				; CODE XREF: ExAllocatePoolMm+BBDB5j
		mov	ecx, eax
		and	eax, 1
		and	ecx, 20h
		or	eax, 0
		jz	short loc_5EEE3A
		or	ecx, 0
		mov	bl, 1
		jnz	loc_533125
		or	esi, 8
		jmp	loc_533125
; 

loc_5EEE3A:				; CODE XREF: ExAllocatePoolMm+BBDC5j
		or	ecx, 0
		jz	loc_533125
		or	esi, 10h
		jmp	loc_533125
; 

loc_5EEE4B:				; CODE XREF: ExAllocatePoolMm+7Aj
		push	[ebp+var_4]
		push	[ebp+var_8]
		push	esi
		call	ExAllocatePoolWithQuotaTag
		jmp	loc_5330F1
; END OF FUNCTION CHUNK	FOR ExAllocatePoolMm
; 
; START	OF FUNCTION CHUNK FOR ExpAllocatePoolWithTagFromNode

loc_5EEE5C:				; CODE XREF: ExpAllocatePoolWithTagFromNode+56j
		sub	[esp+20h+var_10], 1
		jz	short loc_5EEE77
		lea	edx, [esp+20h+var_4]
		mov	ecx, esi
		call	MmGetNextNode
		cmp	eax, 0FFFFFFFFh
		jnz	loc_533184

loc_5EEE77:				; CODE XREF: ExpAllocatePoolWithTagFromNode+BBD21j
		inc	ds:_ExPoolFailures
		test	bl, 2
		jz	short loc_5EEEA5
		lea	eax, [esp+20h+var_C]
		mov	edx, ebx
		push	eax
		lea	eax, [esp+24h+var_8]
		push	eax
		call	_ExpHeapQueryPoolPages@16 ; ExpHeapQueryPoolPages(x,x,x,x)
		push	0
		push	[esp+24h+var_C]
		push	[esp+28h+var_8]
		push	edi
		push	41h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EEEA5:				; CODE XREF: ExpAllocatePoolWithTagFromNode+BBD40j
		test	bl, 10h
		jz	short loc_5EEEB4
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5EEEB4:				; CODE XREF: ExpAllocatePoolWithTagFromNode+BBD68j
		xor	eax, eax
		jmp	loc_53319C
; END OF FUNCTION CHUNK	FOR ExpAllocatePoolWithTagFromNode
; 
; START	OF FUNCTION CHUNK FOR ExAllocateHeapPool

loc_5EEEBB:				; CODE XREF: ExAllocateHeapPool+2Dj
		and	ebx, 0FFFFFFFBh
		mov	[esp+80h+var_6C], ebx
		jmp	loc_5331E3
; 

loc_5EEEC7:				; CODE XREF: ExAllocateHeapPool+BD7j
		mov	eax, [ebp+4]
		push	eax
		push	20h
		push	[ebp+arg_0]
		push	edi
		push	ebx
		call	_VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		jmp	loc_5335D0
; 

loc_5EEEDC:				; CODE XREF: ExAllocateHeapPool+BDDj
		and	ebx, 0FFFFFF7Fh
		mov	[esp+80h+var_6C], ebx
		jge	loc_53320E
		test	byte ptr ds:_MmVerifierData, 1
		jz	loc_53320E
		mov	[esp+80h+var_48], 1
		jmp	loc_533215
; 

loc_5EEF06:				; CODE XREF: ExAllocateHeapPool+71j
		mov	eax, 30646142h
		mov	[esp+80h+var_60], eax
		jmp	loc_533227
; 

loc_5EEF14:				; CODE XREF: ExAllocateHeapPool+87j
		test	edi, edi
		jz	loc_53323D
		mov	ecx, eax
		call	_ExCheckSingleFilter@8 ; ExCheckSingleFilter(x,x)
		test	eax, eax
		jnz	short loc_5EEF47
		lea	eax, [edi+8]
		cmp	edx, eax
		jb	short loc_5EEF3E
		lea	eax, [edi+10h]
		cmp	edx, eax
		mov	eax, [esp+80h+var_60]
		jb	short loc_5EEF4B
		jmp	loc_53323D
; 

loc_5EEF3E:				; CODE XREF: ExAllocateHeapPool+BBD7Cj
		mov	eax, [esp+80h+var_60]
		jmp	loc_53323D
; 

loc_5EEF47:				; CODE XREF: ExAllocateHeapPool+BBD75j
		mov	eax, [esp+80h+var_60]

loc_5EEF4B:				; CODE XREF: ExAllocateHeapPool+92j
					; ExAllocateHeapPool+BBD87j
		push	eax
		mov	edx, edi
		mov	ecx, ebx
		call	_ExAllocateHeapSpecialPool@12 ;	ExAllocateHeapSpecialPool(x,x,x)
		mov	[esp+80h+var_50], eax
		test	eax, eax
		jz	loc_533248
		mov	ecx, 1
		lock xadd ds:_ExpSpecialAllocations, ecx
		inc	ecx
		cmp	ecx, 1
		jnz	loc_5335C8
		lock inc ds:dword_6D35AC
		jmp	loc_5335C8
; 

loc_5EEF84:				; CODE XREF: ExAllocateHeapPool+9Aj
		mov	edi, 1
		jmp	loc_533250
; 

loc_5EEF8E:				; CODE XREF: ExAllocateHeapPool+B8j
		mov	esi, [esp+80h+var_60]
		and	ebx, 0FFFFFF7Fh
		push	esi
		push	ebx
		push	ecx
		push	0Eh
		push	0C2h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EEFA7:				; CODE XREF: ExAllocateHeapPool+A9j
					; ExAllocateHeapPool+C4j
		mov	eax, large fs:20h
		mov	eax, [eax+338h]
		movzx	ecx, word ptr [eax+8Ah]
		jmp	loc_53327A
; 

loc_5EEFBF:				; CODE XREF: ExAllocateHeapPool+D0j
		xor	ecx, ecx
		jmp	loc_533286
; 

loc_5EEFC6:				; CODE XREF: ExAllocateHeapPool+6BCj
		sub	ecx, 0FFFFFF80h
		jmp	loc_533872
; 

loc_5EEFCE:				; CODE XREF: ExAllocateHeapPool+70Ej
		int	3		; Trap to Debugger
		jmp	loc_5338C4
; 

loc_5EEFD4:				; CODE XREF: ExAllocateHeapPool+71Bj
		push	edi
		push	[esp+84h+var_50]
		mov	edx, ebx
		mov	ecx, 0E20h
		push	[esp+88h+var_68]
		call	_EtwTracePool@20 ; EtwTracePool(x,x,x,x,x)
		jmp	loc_5338D1
; 

loc_5EEFEE:				; CODE XREF: ExAllocateHeapPool+B83j
		mov	edx, [ebp+4]
		lea	ecx, [esp+80h+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_533D5F
; 

loc_5EEFFF:				; CODE XREF: ExAllocateHeapPool+BA9j
		lea	ecx, [esp+80h+var_24]
		call	KxWaitForLockChainValid

loc_5EF008:				; CODE XREF: ExAllocateHeapPool+B8Fj
		mov	[esp+80h+var_24], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_533D5F
; 

loc_5EF020:				; CODE XREF: ExAllocateHeapPool+A1Cj
		xor	edi, edi
		mov	[esp+80h+var_70], edi
		jmp	loc_5336EE
; 

loc_5EF02B:				; CODE XREF: ExAllocateHeapPool+14Cj
					; ExAllocateHeapPool+159j
		cmp	ebx, eax
		jbe	loc_53330F
		mov	eax, [ecx+24h]
		test	eax, eax
		jz	loc_533DBB
		push	edx
		push	ebx
		push	eax
		mov	edx, ecx
		mov	ecx, 14h
		push	0
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	loc_533DBB
; 

loc_5EF054:				; CODE XREF: ExAllocateHeapPool+17Aj
		dec	edx
		or	edi, 8
		cmp	dx, 1
		jnb	loc_533DBB
		movzx	eax, dx
		lea	edx, [esp+80h+var_48]
		push	edx
		push	1
		push	0
		mov	eax, ds:_RtlpInterceptorRoutines[eax*4]
		push	ecx
		call	eax
		test	eax, eax
		js	loc_533DBB
		mov	eax, [esp+90h+var_58]
		mov	ecx, [esp+90h+var_74]
		jmp	loc_533330
; 

loc_5EF08D:				; CODE XREF: ExAllocateHeapPool+18Dj
		add	esi, 8
		mov	[esp+80h+var_58], esi
		jmp	loc_533343
; 

loc_5EF099:				; CODE XREF: ExAllocateHeapPool+199j
		add	esi, 7
		and	esi, 0FFFFFFF8h
		add	esi, 8
		mov	[esp+80h+var_58], esi
		jmp	loc_53334F
; 

loc_5EF0AB:				; CODE XREF: ExAllocateHeapPool+1A1j
		mov	esi, 1
		mov	[esp+80h+var_58], esi
		jmp	loc_533357
; 

loc_5EF0B9:				; CODE XREF: ExAllocateHeapPool+1E7j
		lea	edx, [esi+2]
		jmp	loc_53339D
; 

loc_5EF0C1:				; CODE XREF: ExAllocateHeapPool+876j
		cmp	esi, [ecx+18Ch]
		ja	short loc_5EF0F4
		lea	eax, [ecx+100h]
		cmp	esi, [ecx+10Ch]
		jbe	short loc_5EF0DD
		lea	eax, [ecx+180h]

loc_5EF0DD:				; CODE XREF: ExAllocateHeapPool+BBF25j
		push	edx
		push	esi
		push	esi
		mov	edx, ebx
		mov	ecx, eax
		call	RtlpHpSegAlloc
		mov	esi, eax
		mov	[esp+80h+var_70], esi
		jmp	loc_533446
; 

loc_5EF0F4:				; CODE XREF: ExAllocateHeapPool+BBF17j
		push	edx
		push	esi
		mov	edx, ebx
		call	_RtlpHpLargeAlloc@16 ; RtlpHpLargeAlloc(x,x,x,x)
		mov	esi, eax
		mov	[esp+80h+var_70], esi
		jmp	loc_533446
; 

loc_5EF108:				; CODE XREF: ExAllocateHeapPool+2A0j
		push	0
		push	edi
		push	[esp+88h+var_48]
		mov	edx, esi
		mov	esi, [esp+8Ch+var_64]
		push	ecx
		push	ebx
		mov	ecx, esi
		call	_RtlpHpExtrasAppend@28 ; RtlpHpExtrasAppend(x,x,x,x,x,x,x)
		mov	edx, [esp+80h+var_40]
		mov	[esp+80h+var_30], eax
		test	edx, edx
		jz	loc_533456
		mov	cl, [eax+2]
		xor	cl, dl
		dec	edx
		and	cl, 0Fh
		xor	[eax+2], cl
		cmp	dx, 1
		jnb	short loc_5EF163
		movzx	eax, dx
		mov	ecx, ds:_RtlpInterceptorRoutines[eax*4]
		mov	eax, [esp+80h+var_30]
		add	eax, 8
		push	eax
		push	2
		push	[esp+88h+var_70]
		push	esi
		call	ecx
		test	eax, eax
		jns	loc_533456

loc_5EF163:				; CODE XREF: ExAllocateHeapPool+BBF8Ej
		mov	edx, [esp+90h+var_80]
		mov	ecx, esi
		push	0
		push	0
		push	edi
		call	RtlpHpFreeHeap
		jmp	loc_533DBB
; 

loc_5EF178:				; CODE XREF: ExAllocateHeapPool+30Aj
		int	3		; Trap to Debugger
		jmp	loc_5334C0
; 

loc_5EF17E:				; CODE XREF: ExAllocateHeapPool+317j
		push	ebx
		lea	eax, [edi+8]
		mov	ecx, 0E20h
		push	eax
		push	[esp+88h+var_5C]
		call	_EtwTracePool@20 ; EtwTracePool(x,x,x,x,x)
		mov	edx, [esp+80h+var_64]
		jmp	loc_5334CD
; 

loc_5EF19A:				; CODE XREF: ExAllocateHeapPool+A95j
		mov	edx, [ebp+4]
		lea	ecx, [esp+80h+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_533C71
; 

loc_5EF1AB:				; CODE XREF: ExAllocateHeapPool+ABBj
		lea	ecx, [esp+80h+var_18]
		call	KxWaitForLockChainValid

loc_5EF1B4:				; CODE XREF: ExAllocateHeapPool+AA1j
		mov	[esp+80h+var_18], 0
		mov	ecx, 1
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_533C71
; 

loc_5EF1CC:				; CODE XREF: ExAllocateHeapPool+BC6j
		push	0
		push	0
		mov	edx, ecx
		mov	ecx, [esp+88h+var_64]
		push	0
		call	RtlpHpFreeHeap

loc_5EF1DD:				; CODE XREF: ExAllocateHeapPool+6D0j
		xor	eax, eax

loc_5EF1DF:				; CODE XREF: ExAllocateHeapPool+41Aj
					; ExAllocateHeapPool+BCCj
		test	bl, 10h
		jz	loc_5335D0
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

loc_5EF1F3:				; CODE XREF: RtlpHpLfhSlotAllocate+45j
		mov	edi, [ebx+8]
		test	edx, edx
		jnz	loc_5340E6
		movzx	edx, byte ptr [ecx+1Dh]
		lea	ecx, [edi+8]
		mov	[ebp+var_14], 1
		call	_RtlpHpAcquireLockShared@8 ; RtlpHpAcquireLockShared(x,x)
		mov	byte ptr [ebp+var_4+3],	al
		mov	edx, 1
		jmp	loc_5340E3
; END OF FUNCTION CHUNK	FOR ExAllocateHeapPool
; 
; START	OF FUNCTION CHUNK FOR RtlpHpLfhSlotAllocate

loc_5EF21E:				; CODE XREF: RtlpHpLfhSlotAllocate+328j
		mov	dword ptr [ebp-3Ch], 1
		jmp	loc_534105
; 

loc_5EF22A:				; CODE XREF: RtlpHpLfhSlotAllocate+366j
		movzx	eax, ax
		mov	[ebp-28h], eax
		jmp	loc_53414B
; 

loc_5EF235:				; CODE XREF: RtlpHpLfhSlotAllocate+163Bj
		mov	edx, [ebp-14h]
		mov	dword ptr [ebp-2Ch], 1
		jmp	loc_534130
; 

loc_5EF244:				; CODE XREF: RtlpHpLfhSlotAllocate+375j
		mov	edi, [edi]
		mov	[ebp-10h], edi
		cmp	edi, [ebp-20h]
		jnz	loc_534120

loc_5EF252:				; CODE XREF: RtlpHpLfhSlotAllocate+342j
		mov	ecx, [ebx+8]
		xor	edi, edi
		mov	[ebp-10h], edi
		jmp	loc_534224
; 

loc_5EF25F:				; CODE XREF: RtlpHpLfhSlotAllocate+3BDj
		sub	eax, 1
		jz	short loc_5EF27A
		sub	eax, 1
		jnz	loc_5353A1
		mov	edx, [ebp-24h]
		xor	ecx, ecx
		mov	[ebp-20h], eax
		jmp	loc_534198
; 

loc_5EF27A:				; CODE XREF: RtlpHpLfhSlotAllocate+BB492j
		mov	eax, [ebx+8]
		mov	edx, [ebp-24h]
		add	eax, 14h
		mov	[ebp-20h], eax
		xor	ecx, ecx
		jmp	loc_534198
; 

loc_5EF28D:				; CODE XREF: RtlpHpLfhSlotAllocate+42Cj
		mov	esi, [eax]
		cmp	[esi+4], eax
		jnz	loc_5EF810
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_5EF810
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, [ebp-50h]
		mov	ecx, [ebx+8]
		dec	dword ptr [eax]
		mov	byte ptr [esi+16h], 2
		jmp	loc_534202
; 

loc_5EF2B9:				; CODE XREF: RtlpHpLfhSlotAllocate+434j
		cmp	byte ptr [esi+16h], 2
		jnz	loc_53420A
		mov	dword ptr [esi+8], 0
		jmp	loc_53420A
; 

loc_5EF2CF:				; CODE XREF: RtlpHpLfhSlotAllocate+463j
		test	al, al
		jnz	short loc_5EF302
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_5EF2EA
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_5EF2EA:				; CODE XREF: RtlpHpLfhSlotAllocate+BB511j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_534250
; 

loc_5EF302:				; CODE XREF: RtlpHpLfhSlotAllocate+BB501j
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		jmp	loc_534247
; 

loc_5EF30D:				; CODE XREF: RtlpHpLfhSlotAllocate+482j
		mov	eax, [ebp-8]
		mov	ecx, esi
		mov	dword ptr [ebp-14h], 2
		movzx	edx, byte ptr [eax+1Dh]
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	ecx, [ebp-8]
		mov	edx, 2
		mov	[ebp-1], al
		mov	eax, [ebp-1Ch]
		jmp	loc_533E13
; 

loc_5EF335:				; CODE XREF: RtlpHpLfhSlotAllocate+C6Aj
		test	al, al
		jnz	short loc_5EF368
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_5EF350
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_5EF350:				; CODE XREF: RtlpHpLfhSlotAllocate+BB577j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_534CA0
; 

loc_5EF368:				; CODE XREF: RtlpHpLfhSlotAllocate+BB567j
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		jmp	loc_534A4E
; 

loc_5EF373:				; CODE XREF: RtlpHpLfhSlotAllocate+E4Bj
		test	al, al
		jnz	short loc_5EF3A5
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_5EF38F
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp-24h]

loc_5EF38F:				; CODE XREF: RtlpHpLfhSlotAllocate+BB5B5j
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_534C38
; 

loc_5EF3A5:				; CODE XREF: RtlpHpLfhSlotAllocate+BB5A5j
		push	ecx
		call	ExReleaseSpinLockSharedFromDpcLevel
		jmp	loc_534C2F
; 

loc_5EF3B0:				; CODE XREF: RtlpHpLfhSlotAllocate+D5j
		xor	edx, edx
		jmp	loc_533EBA
; 

loc_5EF3B7:				; CODE XREF: RtlpHpLfhSlotAllocate+B9Bj
		push	ecx
		push	dword ptr [ebp-44h]
		push	esi
		mov	esi, [ebp-8]
		mov	ecx, esi
		call	RtlpHpLfhSubsegmentDecBlockCounts
		cmp	byte ptr [esi+1Dh], 0
		lea	ecx, [edi+0Ch]
		mov	[ebp-24h], ecx
		jnz	loc_5EF58D
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5EF3EB
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-24h]

loc_5EF3EB:				; CODE XREF: RtlpHpLfhSlotAllocate+BB611j
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, ds:dword_6D07D0
		xor	edi, edi
		shr	eax, 15h
		mov	[ebp-38h], edi
		mov	[ebp-50h], esi
		cmp	ecx, edx
		jb	short loc_5EF42F
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_5EF41F
		cmp	ecx, edx
		jb	short loc_5EF42F
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_5EF42F

loc_5EF41F:				; CODE XREF: RtlpHpLfhSlotAllocate+BB640j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp-24h]
		jmp	short loc_5EF432
; 

loc_5EF42F:				; CODE XREF: RtlpHpLfhSlotAllocate+BB637j
					; RtlpHpLfhSlotAllocate+BB644j	...
		or	eax, 0FFFFFFFFh

loc_5EF432:				; CODE XREF: RtlpHpLfhSlotAllocate+BB65Dj
		dec	word ptr [esi+13Eh]
		mov	[ebp-44h], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp-2], dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp-70h], ecx
		test	ecx, ecx
		jnz	short loc_5EF480
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_5EF4F7
		push	ecx
		push	dword ptr [ebp-44h]
		push	dword ptr [ebp-24h]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EF480:				; CODE XREF: RtlpHpLfhSlotAllocate+BB68Ej
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5EF496
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp-70h]

loc_5EF496:				; CODE XREF: RtlpHpLfhSlotAllocate+BB6BCj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-38h], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp-2], 1
		jnz	short loc_5EF4E7
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al
		jmp	short loc_5EF4F7
; 

loc_5EF4E7:				; CODE XREF: RtlpHpLfhSlotAllocate+BB703j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp-50h]

loc_5EF4F7:				; CODE XREF: RtlpHpLfhSlotAllocate+BB698j
					; RtlpHpLfhSlotAllocate+BB715j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-34h], eax
		jz	short loc_5EF564
		test	edi, 8000h
		jz	short loc_5EF51E
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp-34h]

loc_5EF51E:				; CODE XREF: RtlpHpLfhSlotAllocate+BB740j
		test	byte ptr [ebp-36h], 1
		jz	short loc_5EF533
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp-34h]

loc_5EF533:				; CODE XREF: RtlpHpLfhSlotAllocate+BB752j
		test	edi, 7FFFh
		jz	short loc_5EF54D
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority
		mov	eax, [ebp-34h]

loc_5EF54D:				; CODE XREF: RtlpHpLfhSlotAllocate+BB769j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5EF564
		mov	edx, [ebp-24h]
		mov	ecx, esi
		push	eax
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5EF564:				; CODE XREF: RtlpHpLfhSlotAllocate+BB738j
					; RtlpHpLfhSlotAllocate+BB787j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5EF57C
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5EF57C
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5EF57C:				; CODE XREF: RtlpHpLfhSlotAllocate+BB79Dj
					; RtlpHpLfhSlotAllocate+BB7A5j
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp-3Ch]
		jmp	short loc_5EF59C
; 

loc_5EF58D:				; CODE XREF: RtlpHpLfhSlotAllocate+BB600j
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5EF59C:				; CODE XREF: RtlpHpLfhSlotAllocate+BB7BBj
		xor	esi, esi
		mov	[ebp-10h], esi
		mov	ecx, [ebp-18h]
		mov	edx, 3
		lea	eax, [ecx+ecx]
		mov	ecx, eax
		shr	eax, 5
		add	eax, 8
		and	ecx, 1Fh
		shl	edx, cl
		not	edx
		lea	eax, [edi+eax*4]
		lock and [eax],	edx
		xor	edx, edx
		jmp	loc_534093
; 

loc_5EF5C8:				; CODE XREF: RtlpHpLfhSlotAllocate+74Aj
		mov	esi, 8000h
		jmp	loc_534526
; 

loc_5EF5D2:				; CODE XREF: RtlpHpLfhSlotAllocate+2C8j
		push	dword ptr [ebx+10h]
		mov	edx, edi
		mov	ecx, esi
		push	0
		call	RtlpHpLfhSubsegmentFreeBlock
		jmp	loc_53409E
; 

loc_5EF5E5:				; CODE XREF: RtlpHpLfhSlotAllocate+2D3j
		mov	ecx, [ebx+8]
		mov	dl, [esi+1Dh]
		add	ecx, 8
		mov	[ebp-24h], ecx
		cmp	eax, 2
		jnz	loc_5EF7D9
		test	dl, dl
		jnz	loc_5EF7C5
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5EF617
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-24h]

loc_5EF617:				; CODE XREF: RtlpHpLfhSlotAllocate+BB83Dj
		xor	edi, edi
		mov	[ebp-44h], edi
		test	ecx, 7FFFFFFCh
		jz	loc_5EF7B4
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp-70h], esi
		cmp	ecx, edx
		jb	short loc_5EF667
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_5EF657
		cmp	ecx, edx
		jb	short loc_5EF667
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_5EF667

loc_5EF657:				; CODE XREF: RtlpHpLfhSlotAllocate+BB878j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp-24h]
		jmp	short loc_5EF66A
; 

loc_5EF667:				; CODE XREF: RtlpHpLfhSlotAllocate+BB86Fj
					; RtlpHpLfhSlotAllocate+BB87Cj	...
		or	eax, 0FFFFFFFFh

loc_5EF66A:				; CODE XREF: RtlpHpLfhSlotAllocate+BB895j
		dec	word ptr [esi+13Eh]
		mov	[ebp-48h], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp-2], dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp-80h], ecx
		test	ecx, ecx
		jnz	short loc_5EF6B8
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_5EF72F
		push	ecx
		push	dword ptr [ebp-48h]
		push	dword ptr [ebp-24h]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EF6B8:				; CODE XREF: RtlpHpLfhSlotAllocate+BB8C6j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5EF6CE
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp-80h]

loc_5EF6CE:				; CODE XREF: RtlpHpLfhSlotAllocate+BB8F4j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-44h], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp-2], 1
		jnz	short loc_5EF71F
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al
		jmp	short loc_5EF72F
; 

loc_5EF71F:				; CODE XREF: RtlpHpLfhSlotAllocate+BB93Bj
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp-70h]

loc_5EF72F:				; CODE XREF: RtlpHpLfhSlotAllocate+BB8D0j
					; RtlpHpLfhSlotAllocate+BB94Dj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-3Ch], eax
		jz	short loc_5EF79C
		test	edi, 8000h
		jz	short loc_5EF756
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp-3Ch]

loc_5EF756:				; CODE XREF: RtlpHpLfhSlotAllocate+BB978j
		test	byte ptr [ebp-42h], 1
		jz	short loc_5EF76B
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp-3Ch]

loc_5EF76B:				; CODE XREF: RtlpHpLfhSlotAllocate+BB98Aj
		test	edi, 7FFFh
		jz	short loc_5EF785
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority
		mov	eax, [ebp-3Ch]

loc_5EF785:				; CODE XREF: RtlpHpLfhSlotAllocate+BB9A1j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5EF79C
		mov	edx, [ebp-24h]
		mov	ecx, esi
		push	eax
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5EF79C:				; CODE XREF: RtlpHpLfhSlotAllocate+BB970j
					; RtlpHpLfhSlotAllocate+BB9BFj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5EF7B4
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5EF7B4
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5EF7B4:				; CODE XREF: RtlpHpLfhSlotAllocate+BB852j
					; RtlpHpLfhSlotAllocate+BB9D5j	...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_5340A9
; 

loc_5EF7C5:				; CODE XREF: RtlpHpLfhSlotAllocate+BB82Cj
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_5340A9
; 

loc_5EF7D9:				; CODE XREF: RtlpHpLfhSlotAllocate+BB824j
		test	dl, dl
		jnz	short loc_5EF7FC
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_5EF7F5
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp-24h]

loc_5EF7F5:				; CODE XREF: RtlpHpLfhSlotAllocate+BBA1Bj
		call	KeAbPostRelease
		jmp	short loc_5EF7B4
; 

loc_5EF7FC:				; CODE XREF: RtlpHpLfhSlotAllocate+BBA0Bj
		push	ecx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_5340A9
; 

loc_5EF810:				; CODE XREF: RtlpHpLfhSlotAllocate+3E0j
					; RtlpHpLfhSlotAllocate+3EBj ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5EF817:				; CODE XREF: RtlpHpLfhSlotAllocate+4DDj
		mov	dword ptr [ebp-20h], 0
		jmp	loc_5342C8
; 

loc_5EF823:				; CODE XREF: RtlpHpLfhSlotAllocate+169Cj
		mov	ecx, [ebp-20h]
		mov	edx, eax
		mov	[ebp-24h], edx
		jmp	loc_534330
; 

loc_5EF830:				; CODE XREF: RtlpHpLfhSlotAllocate+10D5j
		push	ecx
		push	dword ptr [ebp-44h]
		push	esi
		mov	esi, [ebp-8]
		mov	ecx, esi
		call	RtlpHpLfhSubsegmentDecBlockCounts
		cmp	byte ptr [esi+1Dh], 0
		lea	ecx, [edi+0Ch]
		mov	[ebp-28h], ecx
		jnz	loc_5EFA12
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5EF864
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-28h]

loc_5EF864:				; CODE XREF: RtlpHpLfhSlotAllocate+BBA8Aj
		xor	edi, edi
		mov	[ebp-44h], edi
		test	ecx, 7FFFFFFCh
		jz	loc_5EFA01
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp-70h], esi
		cmp	ecx, edx
		jb	short loc_5EF8B4
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_5EF8A4
		cmp	ecx, edx
		jb	short loc_5EF8B4
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_5EF8B4

loc_5EF8A4:				; CODE XREF: RtlpHpLfhSlotAllocate+BBAC5j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp-28h]
		jmp	short loc_5EF8B7
; 

loc_5EF8B4:				; CODE XREF: RtlpHpLfhSlotAllocate+BBABCj
					; RtlpHpLfhSlotAllocate+BBAC9j	...
		or	eax, 0FFFFFFFFh

loc_5EF8B7:				; CODE XREF: RtlpHpLfhSlotAllocate+BBAE2j
		dec	word ptr [esi+13Eh]
		mov	[ebp-48h], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp-2], dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp-80h], ecx
		test	ecx, ecx
		jnz	short loc_5EF905
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_5EF97C
		push	ecx
		push	dword ptr [ebp-48h]
		push	dword ptr [ebp-28h]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EF905:				; CODE XREF: RtlpHpLfhSlotAllocate+BBB13j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5EF91B
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp-80h]

loc_5EF91B:				; CODE XREF: RtlpHpLfhSlotAllocate+BBB41j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-44h], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [esi+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp-2], 1
		jnz	short loc_5EF96C
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al
		jmp	short loc_5EF97C
; 

loc_5EF96C:				; CODE XREF: RtlpHpLfhSlotAllocate+BBB88j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp-70h]

loc_5EF97C:				; CODE XREF: RtlpHpLfhSlotAllocate+BBB1Dj
					; RtlpHpLfhSlotAllocate+BBB9Aj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-3Ch], eax
		jz	short loc_5EF9E9
		test	edi, 8000h
		jz	short loc_5EF9A3
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp-3Ch]

loc_5EF9A3:				; CODE XREF: RtlpHpLfhSlotAllocate+BBBC5j
		test	byte ptr [ebp-42h], 1
		jz	short loc_5EF9B8
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp-3Ch]

loc_5EF9B8:				; CODE XREF: RtlpHpLfhSlotAllocate+BBBD7j
		test	edi, 7FFFh
		jz	short loc_5EF9D2
		and	edi, 7FFFh
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority
		mov	eax, [ebp-3Ch]

loc_5EF9D2:				; CODE XREF: RtlpHpLfhSlotAllocate+BBBEEj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5EF9E9
		mov	edx, [ebp-28h]
		mov	ecx, esi
		push	eax
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5EF9E9:				; CODE XREF: RtlpHpLfhSlotAllocate+BBBBDj
					; RtlpHpLfhSlotAllocate+BBC0Cj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_5EFA01
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_5EFA01
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5EFA01:				; CODE XREF: RtlpHpLfhSlotAllocate+BBA9Fj
					; RtlpHpLfhSlotAllocate+BBC22j	...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp-10h]
		jmp	short loc_5EFA21
; 

loc_5EFA12:				; CODE XREF: RtlpHpLfhSlotAllocate+BBA79j
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5EFA21:				; CODE XREF: RtlpHpLfhSlotAllocate+BBC40j
		xor	esi, esi
		mov	[ebp-10h], esi
		mov	ecx, [ebp-18h]
		mov	edx, 3
		lea	eax, [ecx+ecx]
		mov	ecx, eax
		shr	eax, 5
		add	eax, 8
		and	ecx, 1Fh
		shl	edx, cl
		not	edx
		lea	eax, [edi+eax*4]
		lock and [eax],	edx
		xor	edx, edx
		jmp	loc_534499
; 

loc_5EFA4D:				; CODE XREF: RtlpHpLfhSlotAllocate+91Aj
		mov	esi, 8000h
		jmp	loc_5346F6
; 

loc_5EFA57:				; CODE XREF: RtlpHpLfhSlotAllocate+6D1j
		push	dword ptr [ebx+10h]
		mov	edx, edi
		mov	edi, [ebp-8]
		push	0
		mov	ecx, edi
		call	RtlpHpLfhSubsegmentFreeBlock
		jmp	loc_5340AC
; 

loc_5EFA6D:				; CODE XREF: RtlpHpLfhSlotAllocate+EF9j
		mov	edi, [ebp-8]
		xor	esi, esi
		jmp	loc_5340B2
; END OF FUNCTION CHUNK	FOR RtlpHpLfhSlotAllocate
; 
; START	OF FUNCTION CHUNK FOR ExpAddTagForBigPages

loc_5EFA77:				; CODE XREF: ExpAddTagForBigPages+7Aj
		mov	dl, al
		mov	ecx, offset _ExpLargePoolTableLock
		call	@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)
		jmp	loc_535535
; 

loc_5EFA88:				; CODE XREF: ExpAddTagForBigPages+15Dj
		mov	ecx, [ebp-18h]
		mov	eax, [ebp-30h]
		jmp	loc_53557C
; 

loc_5EFA93:				; CODE XREF: ExpAddTagForBigPages+10Dj
		push	offset _ExpLargePoolTableLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp-0Ch]
		mov	eax, [ebp-10h]
		jmp	loc_5354E4
; 

loc_5EFAB1:				; CODE XREF: ExpAddTagForBigPages+14Dj
					; ExpAddTagForBigPages+BA62Fj
		mov	eax, esi
		mov	esi, [esi]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jnz	short loc_5EFAB1
		mov	ecx, [ebp-0Ch]
		mov	eax, [ebp-10h]
		mov	[ebp-8], esi
		jmp	loc_5354E4
; 

loc_5EFACF:				; CODE XREF: ExpAddTagForBigPages+20Fj
		push	offset _ExpLargePoolTableLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		jmp	loc_53564D
; 

loc_5EFADE:				; CODE XREF: ExpAddTagForBigPages+1ACj
		mov	edx, [ebx+4]
		call	@ExpReleaseSpinLockSharedFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockSharedFromDpcLevelInstrumented(x,x)
		jmp	loc_53564D
; 

loc_5EFAEB:				; CODE XREF: ExpAddTagForBigPages+136j
		inc	ds:_ExpBigTableExpansionFailed
		xor	eax, eax
		jmp	loc_53565B
; END OF FUNCTION CHUNK	FOR ExpAddTagForBigPages
; 
; START	OF FUNCTION CHUNK FOR RtlpHpSegFreeRangeInsert

loc_5EFAF8:				; CODE XREF: RtlpHpSegFreeRangeInsert+19j
		movzx	eax, byte ptr [ebx+6]
		mov	edx, 100h
		sub	edx, eax
		movzx	eax, byte ptr [esi+0Fh]
		cmp	eax, edx
		jnz	loc_53571F
		mov	eax, [ebx]
		and	eax, esi
		mov	dword ptr [esi], 0CCDDCCFFh
		jmp	loc_5357A1
; END OF FUNCTION CHUNK	FOR RtlpHpSegFreeRangeInsert
; 
; START	OF FUNCTION CHUNK FOR RtlpHpAllocateHeap

loc_5EFB1E:				; CODE XREF: RtlpHpAllocateHeap+36j
					; RtlpHpAllocateHeap+43j
		cmp	edx, eax
		jbe	loc_535899
		mov	eax, [ecx+24h]
		test	eax, eax
		jz	loc_5359CA
		push	edi
		push	edx
		push	eax
		mov	edx, ecx
		mov	ecx, 14h
		push	0
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	loc_5359CA
; 

loc_5EFB47:				; CODE XREF: RtlpHpAllocateHeap+64j
		dec	ebx
		or	esi, 8
		cmp	bx, 1
		jnb	loc_5359CA
		lea	edx, [esp+38h+var_28]
		movzx	eax, bx
		push	edx
		push	1
		push	0
		mov	eax, ds:_RtlpInterceptorRoutines[eax*4]
		push	ecx
		call	eax
		test	eax, eax
		js	loc_5359CA
		mov	eax, [esp+48h+var_38]
		mov	edx, [esp+48h+var_34]
		mov	ecx, [esp+48h+var_30]
		jmp	loc_5358BA
; 

loc_5EFB84:				; CODE XREF: RtlpHpAllocateHeap+73j
		add	edi, 8
		jmp	loc_5358C9
; 

loc_5EFB8C:				; CODE XREF: RtlpHpAllocateHeap+7Fj
		add	edi, 7
		and	edi, 0FFFFFFF8h
		add	edi, 8
		jmp	loc_5358D5
; 

loc_5EFB9A:				; CODE XREF: RtlpHpAllocateHeap+87j
		mov	edi, 1
		jmp	loc_5358DD
; 

loc_5EFBA4:				; CODE XREF: RtlpHpAllocateHeap+167j
		lea	eax, [ecx+100h]
		cmp	edi, [ecx+10Ch]
		jbe	short loc_5EFBB8
		lea	eax, [ecx+180h]

loc_5EFBB8:				; CODE XREF: RtlpHpAllocateHeap+BA360j
		push	ebx
		push	edi
		push	edi
		mov	ecx, eax
		call	RtlpHpSegAlloc
		jmp	loc_5359C4
; 

loc_5EFBC7:				; CODE XREF: RtlpHpAllocateHeap+124j
		mov	edi, [esp+38h+var_20]
		mov	edx, eax
		push	0
		push	esi
		push	[esp+40h+var_28]
		push	ecx
		push	[esp+48h+var_24]
		mov	ecx, edi
		call	_RtlpHpExtrasAppend@28 ; RtlpHpExtrasAppend(x,x,x,x,x,x,x)
		mov	edx, [esp+38h+var_18]
		mov	ebx, eax
		test	edx, edx
		jz	short loc_5EFC36
		mov	cl, [ebx+2]
		xor	cl, dl
		dec	edx
		and	cl, 0Fh
		xor	[ebx+2], cl
		cmp	dx, 1
		jnb	short loc_5EFC1F
		lea	ecx, [ebx+8]
		movzx	eax, dx
		mov	ebx, [esp+38h+var_2C]
		push	ecx
		push	2
		mov	edx, ds:_RtlpInterceptorRoutines[eax*4]
		push	ebx
		push	edi
		call	edx
		test	eax, eax
		js	short loc_5EFC23
		mov	eax, ebx
		jmp	loc_53597A
; 

loc_5EFC1F:				; CODE XREF: RtlpHpAllocateHeap+BA3AAj
		mov	ebx, [esp+38h+var_2C]

loc_5EFC23:				; CODE XREF: RtlpHpAllocateHeap+BA3C6j
		push	0
		push	0
		push	esi
		mov	edx, ebx
		mov	ecx, edi
		call	RtlpHpFreeHeap
		jmp	loc_5359CA
; 

loc_5EFC36:				; CODE XREF: RtlpHpAllocateHeap+BA398j
		mov	eax, [esp+38h+var_2C]
		jmp	loc_53597A
; END OF FUNCTION CHUNK	FOR RtlpHpAllocateHeap
; 
; START	OF FUNCTION CHUNK FOR MiAllocateAccessLog

loc_5EFC3F:				; CODE XREF: MiAllocateAccessLog+46j
		cmp	eax, edx
		jnb	short loc_5EFC4A
		sub	edx, eax
		shl	edx, 9
		jmp	short loc_5EFC4C
; 

loc_5EFC4A:				; CODE XREF: MiAllocateAccessLog+BA271j
		xor	edx, edx

loc_5EFC4C:				; CODE XREF: MiAllocateAccessLog+BA278j
		cmp	edx, ecx
		jnb	loc_535A1C
		mov	ecx, edx
		jmp	loc_535A1C
; 

loc_5EFC5B:				; CODE XREF: MiAllocateAccessLog+5Dj
		mov	ecx, esi
		jmp	loc_535A33
; 

loc_5EFC62:				; CODE XREF: MiAllocateAccessLog+6Bj
		mov	ecx, esi
		jmp	loc_535A41
; 

loc_5EFC69:				; CODE XREF: MiAllocateAccessLog+73j
		xor	eax, eax
		jmp	loc_535A4B
; 

loc_5EFC70:				; CODE XREF: MiAllocateAccessLog+1Ej
					; MiAllocateAccessLog+2Aj ...
		mov	ecx, 200h
		jmp	loc_535A5D
; 

loc_5EFC7A:				; CODE XREF: MiAllocateAccessLog+F8j
		mov	eax, 1
		jmp	loc_535ACE
; 

loc_5EFC84:				; CODE XREF: MiAllocateAccessLog+102j
		push	63416D4Dh
		push	[ebp+var_8]
		push	[ebp+var_C]
		call	ExAllocatePoolWithQuotaTag
		jmp	loc_535AF0
; 

loc_5EFC99:				; CODE XREF: MiAllocateAccessLog+EDj
					; MiAllocateAccessLog+124j
		mov	esi, [ebp+var_10]
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_5EFCAB
		call	MiEmptyPageAccessLog
		xor	ebx, ebx
		mov	[esi], ebx

loc_5EFCAB:				; CODE XREF: MiAllocateAccessLog+BA2D0j
		mov	eax, [ebp+var_8]
		shr	eax, 1
		mov	[ebp+var_8], eax
		cmp	eax, 200h
		jnb	loc_535A80
		xor	eax, eax
		jmp	loc_535B6D
; END OF FUNCTION CHUNK	FOR MiAllocateAccessLog
; 
; START	OF FUNCTION CHUNK FOR MiSufficientAvailablePages

loc_5EFCC5:				; CODE XREF: MiSufficientAvailablePages+13j
		mov	ebx, ds:dword_6D06D4
		lea	edi, [ecx+954h]
		mov	[ebp+var_4], ebx
		xor	esi, esi
		mov	ecx, ebx

loc_5EFCD8:				; CODE XREF: MiSufficientAvailablePages+BA142j
		mov	ebx, [edi]
		mov	[ebp+var_8], ebx
		xor	ebx, ebx
		test	ecx, ecx
		jz	short loc_5EFD0B
		mov	ecx, [ebp+var_8]
		add	ecx, 4
		mov	[ebp+var_8], ecx

loc_5EFCEC:				; CODE XREF: MiSufficientAvailablePages+BA136j
		movzx	ecx, word ptr [ecx]
		add	eax, ecx
		cmp	eax, edx
		jnb	loc_535BE9
		mov	ecx, [ebp+var_8]
		inc	ebx
		add	ecx, 8
		mov	[ebp+var_8], ecx
		cmp	ebx, [ebp+var_4]
		jb	short loc_5EFCEC
		mov	ecx, [ebp+var_4]

loc_5EFD0B:				; CODE XREF: MiSufficientAvailablePages+BA111j
		inc	esi
		add	edi, 4
		cmp	esi, 1
		jle	short loc_5EFCD8
		xor	eax, eax
		jmp	loc_535BEE
; END OF FUNCTION CHUNK	FOR MiSufficientAvailablePages
; 
; START	OF FUNCTION CHUNK FOR MiPrefetchVirtualMemory

loc_5EFD1B:				; CODE XREF: MiPrefetchVirtualMemory+A3j
					; MiPrefetchVirtualMemory+3DEj
		mov	eax, 0C000000Dh
		jmp	loc_535FC3
; 

loc_5EFD25:				; CODE XREF: MiPrefetchVirtualMemory+317j
		cmp	eax, 8
		jz	loc_535D59

loc_5EFD2E:				; CODE XREF: MiPrefetchVirtualMemory+118j
					; MiPrefetchVirtualMemory+162j	...
		lea	ecx, [esp+68h+var_30]
		call	_MiAdvanceFaultList@4 ;	MiAdvanceFaultList(x)
		jmp	loc_535E8F
; 

loc_5EFD3C:				; CODE XREF: MiPrefetchVirtualMemory+1F1j
		push	edi
		push	[esp+6Ch+var_4C]
		lea	edx, [esp+70h+var_30]
		push	ecx
		push	offset _MiSystemPartition
		lea	ecx, [esp+78h+var_48]
		call	_MiPrefetchPreallocatePages@24 ; MiPrefetchPreallocatePages(x,x,x,x,x,x)
		jmp	loc_535DF7
; 

loc_5EFD59:				; CODE XREF: MiPrefetchVirtualMemory+2CAj
		mov	[esp+68h+var_24], edx
		jmp	loc_535E6B
; 

loc_5EFD62:				; CODE XREF: MiPrefetchVirtualMemory+339j
					; MiPrefetchVirtualMemory+494j
		push	[ebp+arg_0]
		lea	edx, [esp+6Ch+var_14]
		lea	ecx, [esp+6Ch+var_1C]
		call	_MiPfCompletePrefetchIos@12 ; MiPfCompletePrefetchIos(x,x,x)
		test	eax, eax
		jns	short loc_5EFD81
		cmp	[esp+68h+var_60], 0
		jl	short loc_5EFD81
		mov	[esp+68h+var_60], eax

loc_5EFD81:				; CODE XREF: MiPrefetchVirtualMemory+BA174j
					; MiPrefetchVirtualMemory+BA17Bj
		mov	[esp+68h+var_C], 0
		jmp	loc_535E8F
; 

loc_5EFD8E:				; CODE XREF: MiPrefetchVirtualMemory+2DDj
		mov	edi, 0C000004Bh
		mov	[esp+68h+var_60], edi
		jmp	loc_535F7A
; 

loc_5EFD9C:				; CODE XREF: MiPrefetchVirtualMemory+120j
		mov	eax, [esp+68h+var_28]
		mov	[esp+68h+var_24], eax
		mov	[esp+68h+var_20], 0
		jmp	loc_535F76
; 

loc_5EFDB1:				; CODE XREF: MiPrefetchVirtualMemory+D2j
		xor	edi, edi
		jmp	loc_535F7A
; 

loc_5EFDB8:				; CODE XREF: MiPrefetchVirtualMemory+380j
		push	1
		push	offset _MiSystemPartition
		lea	edx, [esp+70h+var_30]
		lea	ecx, [esp+70h+var_48]
		call	_MiPrefetchReleasePreallocatedPages@16 ; MiPrefetchReleasePreallocatedPages(x,x,x,x)
		jmp	loc_535F86
; 

loc_5EFDD1:				; CODE XREF: MiPrefetchVirtualMemory+398j
		test	edi, edi
		js	loc_535FAE
		mov	edi, eax
		mov	[esp+68h+var_60], edi
		jmp	loc_535F9E
; 

loc_5EFDE4:				; CODE XREF: MiPrefetchVirtualMemory+482j
		mov	[esp+68h+var_60], eax
		jmp	loc_535FAE
; END OF FUNCTION CHUNK	FOR MiPrefetchVirtualMemory
; 
; START	OF FUNCTION CHUNK FOR MiAddViewsForSection

loc_5EFDED:				; CODE XREF: MiAddViewsForSection+78j
		mov	dl, al
		mov	ecx, edi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_5361E4
; 

loc_5EFDFB:				; CODE XREF: MiAddViewsForSection+4A8j
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp+var_28]
		jmp	loc_5365F4
; 

loc_5EFE0C:				; CODE XREF: MiAddViewsForSection+63Cj
		mov	edx, 1
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	ecx, [ebp+var_4]
		jmp	loc_536782
; 

loc_5EFE1E:				; CODE XREF: MiAddViewsForSection+66Aj
		push	[ebp+arg_4]
		mov	edx, [ebp+var_24]
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [ebp+var_4]
		jmp	loc_53660B
; 

loc_5EFE31:				; CODE XREF: MiAddViewsForSection+5F0j
		mov	eax, [ebp+var_14]
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		add	ecx, 1Ch
		call	ExAcquirePushLockExclusiveEx
		jmp	loc_536736
; 

loc_5EFE4E:				; CODE XREF: MiAddViewsForSection+612j
		push	0
		push	[ebp+var_38]
		push	[ebp+var_24]
		push	ecx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EFE61:				; CODE XREF: MiAddViewsForSection+33Bj
		mov	eax, 0C0000189h
		jmp	loc_5363CA
; 

loc_5EFE6B:				; CODE XREF: MiAddViewsForSection+693j
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_20]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		cmp	[ebp+var_8], 0
		jnz	loc_5F0050
		mov	ecx, [ebp+var_C]
		or	eax, 0FFFFFFFFh
		add	ecx, 1Ch
		mov	[ebp+var_24], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5EFEA4
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_24]

loc_5EFEA4:				; CODE XREF: MiAddViewsForSection+B9D5Aj
		xor	edi, edi
		mov	[ebp+var_34], edi
		test	ecx, 7FFFFFFCh
		jz	loc_5F0045
		mov	ebx, large fs:124h
		cmp	ecx, ds:dword_6D07D0
		jb	short loc_5EFEE7
		mov	eax, ecx
		shr	eax, 15h
		mov	al, byte ptr ds:dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_5EFED7
		cmp	al, 0Bh
		jnz	short loc_5EFEE7

loc_5EFED7:				; CODE XREF: MiAddViewsForSection+B9D91j
		mov	ecx, [ebx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_24]
		jmp	short loc_5EFEEA
; 

loc_5EFEE7:				; CODE XREF: MiAddViewsForSection+B9D82j
					; MiAddViewsForSection+B9D95j
		or	eax, 0FFFFFFFFh

loc_5EFEEA:				; CODE XREF: MiAddViewsForSection+B9DA5j
		dec	word ptr [ebx+13Eh]
		mov	[ebp+var_38], eax
		nop
		inc	byte ptr [ebx+1E6h]
		nop
		mov	dl, [ebx+1E6h]
		mov	byte ptr [ebp+arg_4+3],	dl
		mov	edx, ecx
		push	eax
		mov	ecx, ebx
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_4C], ecx
		test	ecx, ecx
		jnz	short loc_5EFF38
		mov	eax, [ebx+5Ch]
		test	eax, 10000h
		jnz	loc_5EFFB2
		push	ecx
		push	[ebp+var_38]
		push	[ebp+var_24]
		push	ebx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5EFF38:				; CODE XREF: MiAddViewsForSection+B9DD6j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5EFF4E
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_4C]

loc_5EFF4E:				; CODE XREF: MiAddViewsForSection+B9E04j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_34], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		mov	eax, 2AAAAAABh
		sub	ecx, [ebx+1E8h]
		imul	ecx
		sar	edx, 3
		mov	ecx, edx
		shr	ecx, 1Fh
		add	ecx, edx
		cmp	byte ptr [ebp+arg_4+3],	1
		jnz	short loc_5EFF9F
		movzx	eax, byte ptr [ebx+1E4h]
		bts	eax, ecx
		mov	[ebx+1E4h], al
		jmp	short loc_5EFFB2
; 

loc_5EFF9F:				; CODE XREF: MiAddViewsForSection+B9E4Bj
		mov	al, 1
		lea	esi, [ebx+222h]
		shl	al, cl
		lock or	[esi], al
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

loc_5EFFB2:				; CODE XREF: MiAddViewsForSection+B9DE0j
					; MiAddViewsForSection+B9E5Dj
		nop
		dec	byte ptr [ebx+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+arg_4], eax
		jz	short loc_5F001F
		test	edi, 8000h
		jz	short loc_5EFFD9
		xor	edx, edx
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+arg_4]

loc_5EFFD9:				; CODE XREF: MiAddViewsForSection+B9E8Bj
		test	byte ptr [ebp+var_34+2], 1
		jz	short loc_5EFFEE
		mov	edx, 1
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+arg_4]

loc_5EFFEE:				; CODE XREF: MiAddViewsForSection+B9E9Dj
		test	edi, 7FFFh
		jz	short loc_5F0008
		and	edi, 7FFFh
		mov	ecx, ebx
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority
		mov	eax, [ebp+arg_4]

loc_5F0008:				; CODE XREF: MiAddViewsForSection+B9EB4j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5F001F
		mov	edx, [ebp+var_24]
		mov	ecx, ebx
		push	eax
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5F001F:				; CODE XREF: MiAddViewsForSection+B9E83j
					; MiAddViewsForSection+B9ED2j
		nop
		mov	ax, [ebx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[ebx+13Eh], ax
		test	ax, ax
		jnz	short loc_5F0045
		nop
		lea	eax, [ebx+70h]
		cmp	[eax], eax
		jz	short loc_5F0045
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5F0045:				; CODE XREF: MiAddViewsForSection+B9D6Fj
					; MiAddViewsForSection+B9EF6j ...
		mov	ecx, [ebp+var_14]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp+var_3C]

loc_5F0050:				; CODE XREF: MiAddViewsForSection+B9D40j
		mov	eax, [ebp+var_4]

loc_5F0053:				; CODE XREF: MiAddViewsForSection+B9F68j
		cmp	[ebp+var_18], 0
		jz	short loc_5F007A
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	edx, [ebp+var_18]
		mov	bl, al
		push	ecx
		mov	ecx, [ebp+var_50]
		call	_MiDecrementSubsections@12 ; MiDecrementSubsections(x,x,x)
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	esi
		mov	eax, [ebp+var_4]

loc_5F007A:				; CODE XREF: MiAddViewsForSection+B9F17j
		test	byte ptr [ebp+var_1C], 1
		jz	loc_5363CA
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_54]
		mov	dl, al
		dec	dword ptr [ecx+14h]
		dec	dword ptr [ecx+30h]
		call	MiCheckControlArea
		mov	eax, [ebp+var_4]
		jmp	loc_5363CA
; 

loc_5F00A2:				; CODE XREF: MiAddViewsForSection+2EDj
					; MiAddViewsForSection+5E6j
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		jmp	short loc_5F0053
; 

loc_5F00AA:				; CODE XREF: MiAddViewsForSection+11Ej
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_53626A
; 

loc_5F00B9:				; CODE XREF: MiAddViewsForSection+3A4j
		mov	edx, [ebp+var_C]
		push	0
		push	[ebp+var_3C]
		add	edx, 1Ch
		push	edx
		push	ebx
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F00D0:				; CODE XREF: MiAddViewsForSection+210j
		mov	al, 1
		lea	esi, [ebx+222h]
		shl	al, cl
		lock or	[esi], al
		jmp	loc_536366
; 

loc_5F00E2:				; CODE XREF: MiAddViewsForSection+5AFj
		mov	edx, 1
		mov	ecx, ebx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_5366F5
; 

loc_5F00F3:				; CODE XREF: MiAddViewsForSection+5DCj
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		push	esi
		lea	edx, [edx+1Ch]
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_53637B
; END OF FUNCTION CHUNK	FOR MiAddViewsForSection
; 
; START	OF FUNCTION CHUNK FOR MiReferenceActiveSubsection

loc_5F0106:				; CODE XREF: MiReferenceActiveSubsection+23j
		lea	eax, [edx+24h]
		mov	edi, 1
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	edx, [ebp+var_8]
		mov	[ebp+arg_0], al
		jmp	loc_536820
; 

loc_5F011F:				; CODE XREF: MiReferenceActiveSubsection+36j
		test	bl, 20h
		jnz	loc_5F01E3
		mov	eax, [ecx+1Ch]
		test	al, 20h
		jz	short loc_5F0134
		mov	ecx, [ecx+48h]
		jmp	short loc_5F0151
; 

loc_5F0134:				; CODE XREF: MiReferenceActiveSubsection+B993Dj
		test	al, al
		js	short loc_5F0144
		call	_MiGetCommittedPages@4 ; MiGetCommittedPages(x)
		mov	ecx, eax
		mov	[ebp+var_4], eax
		jmp	short loc_5F0154
; 

loc_5F0144:				; CODE XREF: MiReferenceActiveSubsection+B9946j
		mov	eax, [esi+24h]
		mov	ecx, [esi+1Ch]
		and	eax, 3FFFFFFFh
		sub	ecx, eax

loc_5F0151:				; CODE XREF: MiReferenceActiveSubsection+B9942j
		mov	[ebp+var_4], ecx

loc_5F0154:				; CODE XREF: MiReferenceActiveSubsection+B9952j
		or	ebx, 20h
		test	ecx, ecx
		jz	loc_536820
		lea	eax, [edx+24h]
		push	eax
		mov	[ebp+var_C], eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	[ebp+var_C]
		call	ExAcquireSpinLockExclusive
		mov	edx, [ebp+var_8]
		test	byte ptr [edx+1Ch], 20h
		jnz	loc_536820
		cmp	[ebp+var_10], 0
		jnz	short loc_5F01A0
		mov	ecx, edx
		call	_MiGetCommittedPages@4 ; MiGetCommittedPages(x)
		cmp	[ebp+var_4], eax
		jnz	short loc_5F01BD
		jmp	loc_536820
; 

loc_5F01A0:				; CODE XREF: MiReferenceActiveSubsection+B999Dj
		cmp	dword ptr [esi+4], 0
		jz	short loc_5F01BD
		mov	ecx, [esi+24h]
		mov	eax, [esi+1Ch]
		and	ecx, 3FFFFFFFh
		sub	eax, ecx
		cmp	[ebp+var_4], eax
		jz	loc_536820

loc_5F01BD:				; CODE XREF: MiReferenceActiveSubsection+B99A9j
					; MiReferenceActiveSubsection+B99B4j
		mov	ebx, [ebp+var_C]
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jnz	short loc_5F01D9
		push	ebx
		call	ExAcquireSpinLockExclusive

loc_5F01D9:				; CODE XREF: MiReferenceActiveSubsection+B99E1j
		mov	eax, 0C000020Ah
		jmp	loc_53684C
; 

loc_5F01E3:				; CODE XREF: MiReferenceActiveSubsection+B9932j
		lea	esi, [edx+24h]
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jnz	short loc_5F01FF
		push	esi
		call	ExAcquireSpinLockExclusive

loc_5F01FF:				; CODE XREF: MiReferenceActiveSubsection+B9A07j
		mov	eax, 0C000012Dh
		jmp	loc_53684C
; 

loc_5F0209:				; CODE XREF: MiReferenceActiveSubsection+6Fj
		push	0
		push	0
		push	esi
		push	42000h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F021A:				; CODE XREF: MiReferenceActiveSubsection+4Cj
		cmp	[ebp+var_4], 0
		jz	loc_536842
		lea	esi, [edx+24h]
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jnz	loc_53684A
		push	esi
		call	ExAcquireSpinLockExclusive
		jmp	loc_53684A
; 

loc_5F0249:				; CODE XREF: MiReferenceActiveSubsection+54j
		lea	eax, [edx+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_53684A
; END OF FUNCTION CHUNK	FOR MiReferenceActiveSubsection
; 
; START	OF FUNCTION CHUNK FOR MiCheckPurgeAndUpMapCount

loc_5F0260:				; CODE XREF: MiCheckPurgeAndUpMapCount+38j
		mov	dl, al
		mov	ecx, edi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_53698C
; 

loc_5F026E:				; CODE XREF: MiCheckPurgeAndUpMapCount+60j
					; MiCheckPurgeAndUpMapCount+B9995j
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], 2
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_24]
		push	edi
		mov	word ptr [ebp+var_18], 107h
		mov	byte ptr [ebp+var_18+2], 4
		mov	[ebp+var_14], 0
		mov	[esi+2Ch], eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ecx
		mov	edx, 12h
		lea	ecx, [ebp+var_18]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		push	edi
		call	ExAcquireSpinLockExclusive
		test	byte ptr [esi+1Ch], 4
		mov	[ebp+var_1], al
		jnz	short loc_5F026E
		jmp	loc_536999
; 

loc_5F02CC:				; CODE XREF: MiCheckPurgeAndUpMapCount+76j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		mov	al, [ebp+var_1]
		jmp	loc_5369B2
; END OF FUNCTION CHUNK	FOR MiCheckPurgeAndUpMapCount
; 
; START	OF FUNCTION CHUNK FOR MiGetWsAndInsertVad

loc_5F02DE:				; CODE XREF: MiGetWsAndInsertVad+84j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5F02E5:				; CODE XREF: MiGetWsAndInsertVad+1FEj
		push	0
		push	dword ptr [ebp-0Ch]
		push	dword ptr [ebp-8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F02F8:				; CODE XREF: MiGetWsAndInsertVad+16Ej
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp-1Ch]
		jmp	loc_536BB4
; 

loc_5F030D:				; CODE XREF: MiGetWsAndInsertVad+232j
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_536C68
; 

loc_5F031E:				; CODE XREF: MiGetWsAndInsertVad+25Fj
		push	dword ptr [ebp-1Ch]
		mov	edx, [ebp-8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_536BCB
; 

loc_5F0330:				; CODE XREF: MiGetWsAndInsertVad+27Bj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_536BF0
; END OF FUNCTION CHUNK	FOR MiGetWsAndInsertVad
; 
; START	OF FUNCTION CHUNK FOR UNLOCK_ADDRESS_SPACE

loc_5F033A:				; CODE XREF: UNLOCK_ADDRESS_SPACE+17Aj
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F034D:				; CODE XREF: UNLOCK_ADDRESS_SPACE+E9j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_1C]
		jmp	loc_536E0F
; 

loc_5F0362:				; CODE XREF: UNLOCK_ADDRESS_SPACE+1B8j
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_536ECE
; 

loc_5F0373:				; CODE XREF: UNLOCK_ADDRESS_SPACE+1E5j
		push	[ebp+var_1C]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_536E26
; END OF FUNCTION CHUNK	FOR UNLOCK_ADDRESS_SPACE
; 
; START	OF FUNCTION CHUNK FOR MiUnlockVad

loc_5F0385:				; CODE XREF: MiUnlockVad+186j
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F0398:				; CODE XREF: MiUnlockVad+EAj
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_18]
		jmp	loc_537010
; 

loc_5F03AD:				; CODE XREF: MiUnlockVad+1BBj
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_5370D1
; 

loc_5F03BE:				; CODE XREF: MiUnlockVad+1E8j
		push	[ebp+var_18]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_537027
; END OF FUNCTION CHUNK	FOR MiUnlockVad
; 
; START	OF FUNCTION CHUNK FOR MiCheckControlArea

loc_5F03D0:				; CODE XREF: MiCheckControlArea+CFj
		mov	eax, 1
		mov	[esp+28h+var_1C], eax
		jmp	loc_5374F2
; 

loc_5F03DE:				; CODE XREF: MiCheckControlArea+14Fj
		or	dword ptr [esi+1Ch], 1
		mov	ecx, esi
		mov	[esp+24h+var_18], 2
		call	_MiClearFilePointer@4 ;	MiClearFilePointer(x)
		mov	eax, 2
		jmp	loc_53756F
; 

loc_5F03FB:				; CODE XREF: MiCheckControlArea+13Bj
					; MiCheckControlArea+145j
		mov	eax, 4
		jmp	loc_53756B
; 

loc_5F0405:				; CODE XREF: MiCheckControlArea+17Cj
		push	0
		mov	dl, bl
		mov	dword ptr [esi+14h], 1
		mov	ecx, esi
		call	MiCleanSection
		jmp	loc_53749C
; 

loc_5F041C:				; CODE XREF: MiCheckControlArea+62j
		mov	edx, [ebp+4]
		lea	ecx, [esi+24h]
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_53746B
; 

loc_5F042C:				; CODE XREF: MiCheckControlArea+96j
		call	_MiShouldTrimUnusedSegments@0 ;	MiShouldTrimUnusedSegments()
		test	eax, eax
		jz	loc_53749C
		xor	ecx, ecx
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_53749C

loc_5F044A:				; CODE XREF: MiCheckControlArea+B906Fj
		mov	eax, [esi]
		cmp	dword ptr [eax+420h], 0
		jz	short loc_5F0464
		push	0
		push	0
		add	eax, 370h
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_5F0464:				; CODE XREF: MiCheckControlArea+B9053j
		mov	ecx, esi
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_5F044A
		jmp	loc_53749C
; END OF FUNCTION CHUNK	FOR MiCheckControlArea
; 
; START	OF FUNCTION CHUNK FOR MmGetSessionObjectById

loc_5F0476:				; CODE XREF: MmGetSessionObjectById+49j
		mov	edx, offset dword_6D3540
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_53783D
; 

loc_5F0488:				; CODE XREF: MmGetSessionObjectById+77j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_537877
; END OF FUNCTION CHUNK	FOR MmGetSessionObjectById
; 
; START	OF FUNCTION CHUNK FOR MiSelectSessionAttachProcess

loc_5F0498:				; CODE XREF: MiSelectSessionAttachProcess+6Cj
		mov	[ebp+var_4], ecx
		mov	eax, ecx
		test	ecx, ecx
		jnz	loc_537A70
		jmp	loc_537AA4
; END OF FUNCTION CHUNK	FOR MiSelectSessionAttachProcess
; 
; START	OF FUNCTION CHUNK FOR IopQueueIrpToFileObject

loc_5F04AA:				; CODE XREF: IopQueueIrpToFileObject+29j
		test	ds:byte_70EFC6,	1
		jz	short loc_5F04BF
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5F04C4
; 

loc_5F04BF:				; CODE XREF: IopQueueIrpToFileObject+B8A01j
		xor	eax, eax
		lock and [edi],	eax

loc_5F04C4:				; CODE XREF: IopQueueIrpToFileObject+B8A0Dj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	al, al
		jmp	loc_537B6C
; 

loc_5F04D4:				; CODE XREF: IopQueueIrpToFileObject+3Bj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5F04DB:				; CODE XREF: IopQueueIrpToFileObject+A6j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_537B61
; END OF FUNCTION CHUNK	FOR IopQueueIrpToFileObject
; 
; START	OF FUNCTION CHUNK FOR IoGetAttachedDeviceReference

loc_5F04EA:				; CODE XREF: IoGetAttachedDeviceReference+2Aj
		mov	edx, esi
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_537BB8
; 

loc_5F04F6:				; CODE XREF: IoGetAttachedDeviceReference+61j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_537BFC
; END OF FUNCTION CHUNK	FOR IoGetAttachedDeviceReference
; 
; START	OF FUNCTION CHUNK FOR RtlSidHashInitialize

loc_5F0505:				; CODE XREF: RtlSidHashInitialize+Bj
		mov	eax, 0C000000Dh
		jmp	loc_537CEE
; END OF FUNCTION CHUNK	FOR RtlSidHashInitialize
; 
; START	OF FUNCTION CHUNK FOR ExInitializeResourceLite

loc_5F050F:				; CODE XREF: ExInitializeResourceLite+64j
		call	_RtlLogStackBackTraceEx@4 ; RtlLogStackBackTraceEx(x)
		movzx	eax, ax
		jmp	loc_537D6A
; 

loc_5F051C:				; CODE XREF: ExInitializeResourceLite+83j
		mov	dl, bl
		mov	ecx, edi
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_537DAF
; 

loc_5F052A:				; CODE XREF: ExInitializeResourceLite+A9j
					; ExInitializeResourceLite+B885Dj
		test	edx, 40000000h
		jnz	short loc_5F0544
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5F0551

loc_5F0544:				; CODE XREF: ExInitializeResourceLite+B8830j
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	eax, ds:_ExpResourceSpinLock

loc_5F0551:				; CODE XREF: ExInitializeResourceLite+B8842j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5F052A
		jmp	loc_537DAF
; 

loc_5F0564:				; CODE XREF: ExInitializeResourceLite+D4j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_537DE4
; 

loc_5F0573:				; CODE XREF: ExInitializeResourceLite+FDj
		push	0
		push	0
		mov	edx, esi
		mov	ecx, 10008h
		call	@PerfLogExecutiveResourceInitialize@16 ; PerfLogExecutiveResourceInitialize(x,x,x,x)
		jmp	loc_537E03
; END OF FUNCTION CHUNK	FOR ExInitializeResourceLite
; 
; START	OF FUNCTION CHUNK FOR SeComputeAutoInheritByObjectTypeEx

loc_5F0588:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+91j
		mov	eax, ds:dword_6BE790[eax*4]
		mov	[ebp+var_8], eax
		mov	[ebp+var_1], 1
		jmp	loc_537F37
; 

loc_5F059B:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+11Aj
		or	[edx+4], ecx
		xor	ebx, ebx
		jmp	loc_537F6A
; 

loc_5F05A5:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+CEj
		test	esi, esi
		jz	short loc_5F05F7
		mov	[ebp+arg_8], 0

loc_5F05B0:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+B8755j
		movzx	eax, word ptr [esi+2]
		mov	ecx, eax
		test	al, 10h
		jnz	short loc_5F05BE
		xor	ecx, ecx
		jmp	short loc_5F05CF
; 

loc_5F05BE:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+B8718j
		test	cx, cx
		mov	ecx, [esi+0Ch]
		jns	short loc_5F05CF
		lea	eax, [ecx+esi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_5F05CF:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+B871Cj
					; SeComputeAutoInheritByObjectTypeEx+B8724j
		lea	eax, [ebp+arg_8]
		push	eax
		push	11h
		push	ecx
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		test	eax, eax
		jz	short loc_5F05F0
		test	byte ptr [eax+1], 8
		jnz	short loc_5F05F0
		mov	ecx, [ebp+var_8]
		and	[eax+4], ecx
		jmp	loc_537F74
; 

loc_5F05F0:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+B873Dj
					; SeComputeAutoInheritByObjectTypeEx+B8743j
		inc	[ebp+arg_8]
		test	eax, eax
		jnz	short loc_5F05B0

loc_5F05F7:				; CODE XREF: SeComputeAutoInheritByObjectTypeEx+B8707j
		test	edi, edi
		jz	loc_537F74
		mov	ecx, [ebp+var_8]
		or	ebx, 800h
		mov	[edi+4], ecx
		jmp	loc_537F74
; END OF FUNCTION CHUNK	FOR SeComputeAutoInheritByObjectTypeEx
; 
; START	OF FUNCTION CHUNK FOR SeAccessCheckByTypeWithAdminlessChecks

loc_5F0610:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+208j
		mov	dword ptr [ecx], 0
		mov	eax, [ebp+arg_4]
		mov	edi, [ebp+var_7C]
		mov	[edi], eax
		xor	eax, eax
		jmp	loc_5388B4
; 

loc_5F0625:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+21Dj
		mov	edx, [ebp+var_64]
		test	edx, edx
		jnz	short loc_5F0639
		mov	eax, 0C000000Dh
		mov	[ebp+var_6C], eax
		jmp	loc_538411
; 

loc_5F0639:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B84CAj
		mov	eax, ds:_MmSystemRangeStart
		neg	eax
		shr	eax, 3
		cmp	edx, eax
		jb	short loc_5F0654
		mov	eax, 0C000000Dh
		mov	[ebp+var_6C], eax
		jmp	loc_538411
; 

loc_5F0654:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B84E5j
		lea	esi, ds:0[edx*4]
		push	4
		push	esi
		push	[ebp+var_88]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	4
		push	esi
		push	[ebp+var_7C]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	esi, [ebp+var_A8]
		jmp	loc_5383AE
; 

loc_5F067F:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+230j
		mov	ecx, eax
		jmp	loc_538396
; 

loc_5F0686:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+244j
		mov	ecx, eax
		jmp	loc_5383AA
; 

loc_5F068D:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+257j
		mov	ecx, eax
		jmp	loc_5383BD
; 

loc_5F0694:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+28Ej
		mov	ecx, eax
		jmp	loc_5383F4
; END OF FUNCTION CHUNK	FOR SeAccessCheckByTypeWithAdminlessChecks

;  S U B	R O U T	I N E 


sub_5F069B	proc near		; DATA XREF: .text:006A62FCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-124h], eax
		mov	eax, 1
		retn
sub_5F069B	endp


;  S U B	R O U T	I N E 


sub_5F06AE	proc near		; DATA XREF: .text:006A6300o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-124h]
		mov	[ebp-6Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-134h]
		mov	[ebp-0BCh], ecx
		mov	[ebp-94h], ecx
		mov	[ebp-49h], cl
		mov	ecx, [ebp-100h]
		mov	[ebp-0C4h], ecx
		mov	[ebp-52h], cl
		mov	[ebp-51h], cl
		mov	ecx, [ebp-104h]
		mov	[ebp-78h], ecx
		mov	ecx, [ebp-108h]
		mov	[ebp-0B8h], ecx
		mov	ebx, [ebp-10Ch]
		mov	ecx, [ebp+30h]
		mov	[ebp-58h], ecx
		jmp	loc_53841E
sub_5F06AE	endp

; 
; START	OF FUNCTION CHUNK FOR SeAccessCheckByTypeWithAdminlessChecks

loc_5F070E:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+2CFj
		mov	edi, 0C00000E6h
		mov	ebx, [ebp+var_5C]
		jmp	loc_538803
; 

loc_5F071B:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+332j
		mov	edi, 0C00000A5h
		jmp	loc_538803
; 

loc_5F0725:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+391j
		mov	eax, [ebp+var_68]
		mov	eax, [eax+4]
		jmp	loc_538504
; 

loc_5F0730:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+3B2j
		mov	eax, [eax+8]
		jmp	loc_538525
; 

loc_5F0738:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+40Bj
		mov	[ebp+var_53], 1
		jmp	short loc_5F0742
; 

loc_5F073E:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+442j
		mov	[ebp+var_54], 1

loc_5F0742:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B85DCj
		test	eax, eax
		jns	loc_5385A8
		mov	cl, [ebp+var_49]
		jmp	loc_538625
; 

loc_5F0752:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+4BFj
		cmp	[ebp+var_80], 0
		jz	loc_538625
		mov	[ebp+var_51], 1
		jmp	loc_538625
; 

loc_5F0765:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B12j
					; SeAccessCheckByTypeWithAdminlessChecks+B861Fj
		mov	[ebp+var_A4], ecx
		cmp	ecx, [ebp+var_64]
		jnb	loc_538C54
		mov	[edx+ecx*4], eax
		mov	dword ptr [edi+ecx*4], 0
		inc	ecx
		jmp	short loc_5F0765
; END OF FUNCTION CHUNK	FOR SeAccessCheckByTypeWithAdminlessChecks

;  S U B	R O U T	I N E 


sub_5F0781	proc near		; DATA XREF: .text:006A6308o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-110h], eax
		mov	eax, 1
		retn
sub_5F0781	endp


;  S U B	R O U T	I N E 


sub_5F0794	proc near		; DATA XREF: .text:006A630Co

; FUNCTION CHUNK AT 005F08A0 SIZE 00000018 BYTES

		mov	esp, [ebp-18h]
		mov	edi, [ebp-110h]
		mov	[ebp-6Ch], edi
		jmp	loc_5F08A0
sub_5F0794	endp

; 
; START	OF FUNCTION CHUNK FOR SeAccessCheckByTypeWithAdminlessChecks

loc_5F07A5:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+4D5j
		mov	ecx, [edi]
		lea	eax, [ecx+ecx*2]
		shl	eax, 2
		test	ecx, ecx
		lea	edx, [eax+8]
		jnz	short loc_5F07B9
		mov	edx, 8

loc_5F07B9:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8652j
		cmp	edx, [ebp+arg_18]
		jbe	short loc_5F0830
		mov	[ebp+var_4], 2
		test	ecx, ecx
		jz	short loc_5F07CE
		add	eax, 8
		jmp	short loc_5F07D3
; 

loc_5F07CE:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8667j
		mov	eax, 8

loc_5F07D3:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B866Cj
		mov	ecx, [ebp+var_90]
		mov	[ecx], eax
		mov	edi, 0C0000023h
		mov	[ebp+var_6C], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_5F081E
; END OF FUNCTION CHUNK	FOR SeAccessCheckByTypeWithAdminlessChecks

;  S U B	R O U T	I N E 


sub_5F07EC	proc near		; DATA XREF: .text:006A6314o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-114h], eax
		mov	eax, 1
		retn
sub_5F07EC	endp


;  S U B	R O U T	I N E 


sub_5F07FF	proc near		; DATA XREF: .text:006A6318o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-114h]
		mov	[ebp-6Ch], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp+0Ch]
		mov	ebx, [ebp-5Ch]
		mov	eax, [ebp+30h]
		mov	[ebp-58h], eax
sub_5F07FF	endp

; START	OF FUNCTION CHUNK FOR SeAccessCheckByTypeWithAdminlessChecks

loc_5F081E:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B868Aj
		push	0
		push	[ebp+var_9C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_538803
; 

loc_5F0830:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B865Cj
		mov	[ebp+var_4], 3
		test	ecx, ecx
		jz	short loc_5F0840
		add	eax, 8
		jmp	short loc_5F0845
; 

loc_5F0840:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B86D9j
		mov	eax, 8

loc_5F0845:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B86DEj
		push	eax		; size_t
		push	edi		; void *
		push	[ebp+var_A8]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_53865E
; END OF FUNCTION CHUNK	FOR SeAccessCheckByTypeWithAdminlessChecks

;  S U B	R O U T	I N E 


sub_5F0869	proc near		; DATA XREF: .text:006A6320o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-118h], eax
		mov	eax, 1
		retn
sub_5F0869	endp


;  S U B	R O U T	I N E 


sub_5F087C	proc near		; DATA XREF: .text:006A6324o
		mov	esp, [ebp-18h]
		push	0
		push	dword ptr [ebp-9Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [ebp-118h]
		jmp	short loc_5F08A0
sub_5F087C	endp


;  S U B	R O U T	I N E 


sub_5F0894	proc near		; DATA XREF: .text:006A6360o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-160h]
		mov	[ebp-6Ch], edi
sub_5F0894	endp

; START	OF FUNCTION CHUNK FOR sub_5F0794

loc_5F08A0:				; CODE XREF: sub_5F0794+Cj
					; sub_5F087C+16j ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp+0Ch]
		mov	ebx, [ebp-5Ch]
		mov	eax, [ebp+30h]
		mov	[ebp-58h], eax
		jmp	loc_538803
; END OF FUNCTION CHUNK	FOR sub_5F0794

;  S U B	R O U T	I N E 


sub_5F08B8	proc near		; DATA XREF: .text:006A632Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-11Ch], eax
		mov	eax, 1
		retn
sub_5F08B8	endp


;  S U B	R O U T	I N E 


sub_5F08CB	proc near		; DATA XREF: .text:006A6330o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-11Ch]
		mov	[ebp-6Ch], edi
		jmp	short loc_5F08A0
sub_5F08CB	endp

; 
; START	OF FUNCTION CHUNK FOR SeAccessCheckByTypeWithAdminlessChecks

loc_5F08D9:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+95Bj
		mov	[ebp+var_C8], 0
		jmp	loc_538803
; 

loc_5F08E8:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+54Bj
		test	byte ptr [ebx+0B0h], 20h
		jnz	loc_5386B1
		mov	ecx, [ebx+0C0h]
		test	ecx, ecx
		jz	loc_5386B1
		test	byte ptr [ecx+18h], 20h
		jz	loc_5386B1
		mov	[ebp+var_4], 6
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_5F0943
		xor	eax, eax
		mov	edx, [ebp+var_88]
		mov	edi, [ebp+var_7C]
		mov	ecx, [ebp+var_64]

loc_5F0928:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B87E1j
		mov	[ebp+var_A4], eax
		cmp	eax, ecx
		jnb	short loc_5F0958
		mov	dword ptr [edx+eax*4], 0C0000022h
		mov	dword ptr [edi+eax*4], 0
		inc	eax
		jmp	short loc_5F0928
; 

loc_5F0943:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B87B8j
		mov	eax, [ebp+var_88]
		mov	dword ptr [eax], 0C0000022h
		mov	eax, [ebp+var_7C]
		mov	dword ptr [eax], 0

loc_5F0958:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B87D0j
		mov	[ebp+var_8C], 0C0000022h
		xor	edi, edi
		mov	[ebp+var_6C], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_538BC4
; END OF FUNCTION CHUNK	FOR SeAccessCheckByTypeWithAdminlessChecks

;  S U B	R O U T	I N E 


sub_5F0973	proc near		; DATA XREF: .text:006A6344o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-120h], eax
		mov	eax, 1
		retn
sub_5F0973	endp


;  S U B	R O U T	I N E 


sub_5F0986	proc near		; DATA XREF: .text:006A6348o
		mov	edi, [ebp-120h]
		jmp	short loc_5F0994
; 

loc_5F098E:				; DATA XREF: .text:006A6354o
		mov	edi, [ebp-128h]

loc_5F0994:				; CODE XREF: sub_5F0986+6j
		mov	esp, [ebp-18h]
		mov	[ebp-6Ch], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp+0Ch]
		mov	ebx, [ebp-5Ch]
		mov	eax, [ebp+30h]
		mov	[ebp-58h], eax
		jmp	loc_538BC4
sub_5F0986	endp

; 
; START	OF FUNCTION CHUNK FOR SeAccessCheckByTypeWithAdminlessChecks

loc_5F09B2:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+558j
		mov	ecx, [ebp+var_68]
		test	byte ptr [ecx+2], 10h
		jz	loc_5386C1
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_5F0A41
		mov	ecx, [ebp+var_68]
		movzx	eax, word ptr [ecx+2]
		test	al, 10h
		jnz	short loc_5F09E7
		xor	edx, edx
		mov	[ebp+var_C4], edx

loc_5F09DC:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B88B4j
		mov	al, byte ptr [ebp+var_90]
		jmp	loc_5386C1
; 

loc_5F09E7:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8872j
		test	ax, ax
		jns	short loc_5F0A09
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jnz	short loc_5F0A04
		mov	[ebp+var_C4], eax
		mov	al, byte ptr [ebp+var_90]
		jmp	loc_5386C1
; 

loc_5F0A04:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8891j
		lea	edx, [eax+ecx]
		jmp	short loc_5F0A0C
; 

loc_5F0A09:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B888Aj
		mov	edx, [ecx+0Ch]

loc_5F0A0C:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B88A7j
		mov	[ebp+var_C4], edx
		test	edx, edx
		jz	short loc_5F09DC
		mov	ecx, edx
		call	_SepGetScopedPolicySid@4 ; SepGetScopedPolicySid(x)
		test	eax, eax
		jz	short loc_5F0A41
		lea	edx, [ebp+var_CC]
		mov	ecx, eax
		call	_SepRmReferenceFindCap@8 ; SepRmReferenceFindCap(x,x)
		test	eax, eax
		jns	short loc_5F0A3D
		mov	eax, ds:_SepRmDefaultCap
		mov	[ebp+var_CC], eax

loc_5F0A3D:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B88D0j
		mov	[ebp+var_5D], 1

loc_5F0A41:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8867j
					; SeAccessCheckByTypeWithAdminlessChecks+B88BFj
		mov	al, byte ptr [ebp+var_90]
		jmp	loc_5386BE
; 

loc_5F0A4C:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+7D9j
		xor	edx, edx
		jmp	loc_538956
; 

loc_5F0A53:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+7EDj
		xor	edx, edx
		jmp	loc_538956
; 

loc_5F0A5A:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+7E2j
		mov	edx, [ecx+10h]
		jmp	loc_538956
; 

loc_5F0A62:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+A06j
		cmp	[ebp+var_51], 0
		jz	loc_5386D8
		jmp	loc_538B6C
; 

loc_5F0A71:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+A19j
		cmp	[ebp+var_94], 0
		jnz	loc_5386DB
		jmp	loc_538B7F
; 

loc_5F0A83:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+A2Aj
		xor	ecx, ecx
		mov	eax, [ebp+var_64]
		mov	edx, [ebp+var_140]
		mov	edi, [ebp+var_D0]

loc_5F0A94:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B897Dj
		mov	[ebp+var_A4], ecx
		cmp	ecx, eax
		jnb	loc_538BB8
		cmp	[ebp+var_80], 0
		jnz	short loc_5F0AC2
		mov	dword ptr [edi+ecx*4], 0C0000022h
		mov	[ebp+var_8C], 0C0000022h
		mov	dword ptr [edx+ecx*4], 0
		jmp	short loc_5F0ADC
; 

loc_5F0AC2:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8946j
		mov	dword ptr [edi+ecx*4], 0
		mov	[ebp+var_8C], 0
		mov	eax, [ebp+var_80]
		mov	[edx+ecx*4], eax
		mov	eax, [ebp+var_64]

loc_5F0ADC:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8960j
		inc	ecx
		jmp	short loc_5F0A94
; 

loc_5F0ADF:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+A3Aj
		mov	dword ptr [eax], 0C0000022h
		mov	[ebp+var_8C], 0C0000022h
		mov	eax, [ebp+var_7C]
		mov	dword ptr [eax], 0
		jmp	loc_538BB8
; END OF FUNCTION CHUNK	FOR SeAccessCheckByTypeWithAdminlessChecks

;  S U B	R O U T	I N E 


sub_5F0AFD	proc near		; DATA XREF: .text:006A6350o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-128h], eax
		mov	eax, 1
		retn
sub_5F0AFD	endp

; 
; START	OF FUNCTION CHUNK FOR SeAccessCheckByTypeWithAdminlessChecks

loc_5F0B10:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+588j
		push	61476553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_50], ecx
		test	ecx, ecx
		jnz	short loc_5F0B48
		mov	ecx, [edi]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		lea	eax, [ebp+var_F4]
		push	eax
		call	SeReleaseSubjectContext
		mov	edi, 0C000009Ah
		jmp	loc_538803
; 

loc_5F0B48:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B89C4j
		mov	eax, [ebp+var_64]
		shl	eax, 2
		lea	edi, [eax+ecx]
		jmp	loc_538706
; 

loc_5F0B56:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+60Aj
		mov	ecx, [edi]
		mov	[ebp+var_9C], ecx
		test	ecx, ecx
		js	loc_538770
		cmp	[ebp+var_5D], 0
		jz	loc_538770
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_5F0BDF
		push	61476553h
		mov	ecx, [ebp+var_B0]
		lea	eax, ds:0[ecx*8]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_71+1],	esi
		test	esi, esi
		jnz	short loc_5F0BC7
		mov	ecx, [ebp+var_A8]
		mov	ecx, [ecx]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		lea	eax, [ebp+var_F4]
		push	eax
		call	SeReleaseSubjectContext
		mov	edi, 0C000009Ah
		mov	esi, [ebp+arg_4]
		mov	ebx, [ebp+var_5C]
		jmp	loc_538803
; 

loc_5F0BC7:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8A37j
		mov	ebx, [ebp+var_B8]
		add	ebx, esi
		mov	[ebp+var_BC], ebx
		mov	ecx, [edi]
		mov	[ebp+var_9C], ecx
		jmp	short loc_5F0BF4
; 

loc_5F0BDF:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8A14j
		lea	eax, [ebp+var_138]
		mov	[ebp+var_71+1],	eax
		lea	eax, [ebp+var_13C]
		mov	[ebp+var_BC], eax

loc_5F0BF4:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8A7Dj
		mov	eax, [ebp+var_50]
		mov	edx, [eax]
		mov	[ebp+var_94], edx
		mov	[ebp+var_51], 0
		mov	eax, [ebp+var_64]
		test	eax, eax
		jz	short loc_5F0C35
		lea	ecx, [ebp+var_E0]
		push	ecx
		mov	edx, eax
		mov	ecx, [ebp+var_D8]
		call	_SepCopyObjectTypeList@12 ; SepCopyObjectTypeList(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_5F0C2F
		mov	esi, [ebp+arg_4]
		mov	ebx, [ebp+var_5C]
		jmp	loc_538803
; 

loc_5F0C2F:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8AC2j
		mov	edx, [ebp+var_94]

loc_5F0C35:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8AA8j
		xor	eax, eax
		mov	edi, [ebp+var_CC]
		add	edi, 24h
		mov	esi, [ebp+arg_4]
		mov	ebx, [ebp+var_5C]

loc_5F0C46:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8DABj
		mov	[ebp+var_84], edi
		mov	[ebp+var_B8], eax
		mov	ecx, [ebp+var_CC]
		cmp	eax, [ecx+20h]
		mov	ecx, [ebp+var_9C]
		jnb	loc_5F0F1D
		mov	edx, [edi]
		mov	[ebp+var_98], edx
		cmp	dword ptr [edx+0Ch], 0
		jz	loc_5F0DFB
		cmp	[ebp+var_B4], 0
		jnz	short loc_5F0C9B
		lea	edx, [ebp+var_B4]
		mov	ecx, [ebp+var_C4]
		call	AuthzBasepInitializeResourceClaimsFromSacl
		test	eax, eax
		jns	short loc_5F0C9B
		mov	[ebp+var_51], 1

loc_5F0C9B:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8B20j
					; SeAccessCheckByTypeWithAdminlessChecks+B8B35j
		mov	eax, [ebx+27Ch]
		test	eax, eax
		jz	short loc_5F0CB3
		mov	ecx, [eax+12Ch]
		mov	[ebp+var_B0], ecx
		jmp	short loc_5F0CBD
; 

loc_5F0CB3:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8B43j
		mov	[ebp+var_B0], 0

loc_5F0CBD:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8B51j
		test	eax, eax
		jz	short loc_5F0CC9
		mov	edi, [eax+124h]
		jmp	short loc_5F0CCB
; 

loc_5F0CC9:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8B5Fj
		xor	edi, edi

loc_5F0CCB:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8B67j
		test	eax, eax
		jz	short loc_5F0CD7
		mov	edx, [eax+128h]
		jmp	short loc_5F0CD9
; 

loc_5F0CD7:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8B6Dj
		xor	edx, edx

loc_5F0CD9:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8B75j
		test	eax, eax
		jz	short loc_5F0CE5
		mov	ecx, [eax+120h]
		jmp	short loc_5F0CE7
; 

loc_5F0CE5:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8B7Bj
		xor	ecx, ecx

loc_5F0CE7:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8B83j
		lea	eax, [ebp+var_DC]
		push	eax
		push	0
		push	1
		mov	eax, [ebp+var_98]
		mov	eax, [eax+8]
		push	eax
		mov	eax, [ebp+var_98]
		mov	eax, [eax+0Ch]
		push	eax
		push	[ebp+var_B0]
		push	edi
		push	edx
		push	ecx
		push	[ebp+var_B4]
		mov	edx, [ebx+1DCh]
		mov	ecx, ebx
		call	AuthzBasepEvaluateAceCondition
		mov	edi, eax
		mov	eax, [ebp+var_DC]
		cmp	eax, 1
		jz	loc_5F0DF5
		test	edi, edi
		js	loc_5F0F10
		test	byte ptr [ebx+0B0h], 10h
		jz	loc_5F0DDF
		mov	eax, [ebx+27Ch]
		test	eax, eax
		jz	short loc_5F0D60
		mov	ecx, [eax+12Ch]
		mov	[ebp+var_B0], ecx
		jmp	short loc_5F0D6A
; 

loc_5F0D60:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8BF0j
		mov	[ebp+var_B0], 0

loc_5F0D6A:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8BFEj
		test	eax, eax
		jz	short loc_5F0D76
		mov	edi, [eax+124h]
		jmp	short loc_5F0D78
; 

loc_5F0D76:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8C0Cj
		xor	edi, edi

loc_5F0D78:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8C14j
		test	eax, eax
		jz	short loc_5F0D84
		mov	edx, [eax+128h]
		jmp	short loc_5F0D86
; 

loc_5F0D84:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8C1Aj
		xor	edx, edx

loc_5F0D86:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8C22j
		test	eax, eax
		jz	short loc_5F0D92
		mov	ecx, [eax+120h]
		jmp	short loc_5F0D94
; 

loc_5F0D92:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8C28j
		xor	ecx, ecx

loc_5F0D94:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8C30j
		lea	eax, [ebp+var_DC]
		push	eax
		push	1
		push	1
		mov	eax, [ebp+var_98]
		mov	eax, [eax+8]
		push	eax
		mov	eax, [ebp+var_98]
		mov	eax, [eax+0Ch]
		push	eax
		push	[ebp+var_B0]
		push	edi
		push	edx
		push	ecx
		push	[ebp+var_B4]
		mov	edx, [ebx+1DCh]
		mov	ecx, ebx
		call	AuthzBasepEvaluateAceCondition
		mov	edi, eax
		test	edi, edi
		js	loc_5F0F10
		mov	eax, [ebp+var_DC]

loc_5F0DDF:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8BE2j
		cmp	[ebp+var_51], 0
		jnz	short loc_5F0DF5
		cmp	eax, 1
		jz	short loc_5F0DF5
		mov	edx, [ebp+var_94]
		jmp	loc_5F0EFB
; 

loc_5F0DF5:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8BCDj
					; SeAccessCheckByTypeWithAdminlessChecks+B8C83j ...
		mov	edx, [ebp+var_98]

loc_5F0DFB:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8B13j
		push	[ebp+var_C4]
		mov	edx, [edx+10h]
		lea	ecx, [ebp+var_174]
		call	_SepBuildCapeSecurityDescriptor@12 ; SepBuildCapeSecurityDescriptor(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_5F0F10
		mov	eax, [ebp+var_98]
		test	byte ptr [eax+18h], 1
		jz	short loc_5F0E3A
		test	esi, 2000000h
		jz	short loc_5F0E31
		mov	eax, esi
		jmp	short loc_5F0E36
; 

loc_5F0E31:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8CCBj
		mov	eax, [ebp+var_80]
		or	eax, esi

loc_5F0E36:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8CCFj
		xor	ecx, ecx
		jmp	short loc_5F0E3F
; 

loc_5F0E3A:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8CC3j
		mov	eax, esi
		mov	ecx, [ebp+var_80]

loc_5F0E3F:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8CD8j
		push	[ebp+arg_2C]
		push	0
		push	0
		lea	edx, [ebp+var_B4]
		push	edx
		lea	edx, [ebp+var_48]
		push	edx
		push	[ebp+var_90]
		push	[ebp+var_58]
		push	[ebp+var_BC]
		push	0
		push	[ebp+var_71+1]
		push	dword ptr [ebp+var_AC]
		push	ecx
		lea	ecx, [ebp+var_2C]
		push	ecx
		mov	edi, [ebp+var_64]
		push	edi
		push	[ebp+var_E0]
		push	eax
		push	ebx
		push	[ebp+var_EC]
		mov	edx, [ebp+var_C8]
		lea	ecx, [ebp+var_174]
		call	SepAccessCheck
		mov	ecx, [ebp+var_71+1]
		mov	eax, [ecx]
		cmp	[ebp+var_52], 0
		jnz	short loc_5F0EA8
		mov	edx, eax
		mov	[ebp+var_94], eax
		jmp	short loc_5F0EB6
; 

loc_5F0EA8:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8D3Cj
		mov	edx, [ebp+var_94]
		and	edx, eax
		mov	[ebp+var_94], edx

loc_5F0EB6:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8D46j
		test	edx, edx
		jnz	short loc_5F0EC1
		mov	ecx, 0C0000022h
		jmp	short loc_5F0EC9
; 

loc_5F0EC1:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8D58j
		mov	eax, [ebp+var_BC]
		mov	ecx, [eax]

loc_5F0EC9:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8D5Fj
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_52], 1
		mov	eax, [ebp+var_E0]
		test	eax, eax
		jz	short loc_5F0EF7
		push	edi
		mov	edx, eax
		mov	ecx, [ebp+var_D8]
		call	_SepMergeObjectTypeListAccesses@12 ; SepMergeObjectTypeListAccesses(x,x,x)
		mov	ecx, [ebp+var_9C]
		mov	edx, [ebp+var_94]

loc_5F0EF7:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8D7Bj
		test	ecx, ecx
		js	short loc_5F0F1D

loc_5F0EFB:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8C90j
		mov	eax, [ebp+var_B8]
		inc	eax
		mov	edi, [ebp+var_84]
		add	edi, 4
		jmp	loc_5F0C46
; 

loc_5F0F10:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8BD5j
					; SeAccessCheckByTypeWithAdminlessChecks+B8C73j ...
		mov	ecx, [ebp+var_A8]
		mov	ecx, [ecx]
		jmp	loc_538BC7
; 

loc_5F0F1D:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8B01j
					; SeAccessCheckByTypeWithAdminlessChecks+B8D99j
		mov	eax, [ebp+var_78]
		mov	[eax], ecx
		mov	eax, [ebp+var_50]
		and	[eax], edx
		jmp	loc_538776
; 

loc_5F0F2C:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+842j
		mov	eax, [ebp+var_64]
		jmp	loc_5389AA
; 

loc_5F0F34:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+9B7j
		xor	eax, eax
		mov	edx, [ebp+var_88]
		mov	edi, [ebp+var_7C]
		mov	ecx, [ebp+var_64]

loc_5F0F42:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8DFFj
		mov	[ebp+var_A4], eax
		cmp	eax, ecx
		jnb	loc_538B32
		mov	dword ptr [edx+eax*4], 0C0000022h
		mov	dword ptr [edi+eax*4], 0
		inc	eax
		jmp	short loc_5F0F42
; END OF FUNCTION CHUNK	FOR SeAccessCheckByTypeWithAdminlessChecks

;  S U B	R O U T	I N E 


sub_5F0F61	proc near		; DATA XREF: .text:006A635Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-160h], eax
		mov	eax, 1
		retn
sub_5F0F61	endp

; 
; START	OF FUNCTION CHUNK FOR SeAccessCheckByTypeWithAdminlessChecks

loc_5F0F74:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+86Dj
		mov	edx, eax
		jmp	loc_5389D5
; 

loc_5F0F7B:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+882j
		test	edx, edx
		jnz	short loc_5F0FB0
		mov	edi, [ebp+var_50]
		mov	eax, [edi]
		mov	edx, eax
		and	edx, ecx
		cmp	edx, eax
		mov	eax, [ebp+var_64]
		jz	loc_5389EB
		mov	[ebp+var_53], 1
		mov	[edi], edx
		neg	edx
		sbb	edx, edx
		and	edx, 3FFFFFDEh
		add	edx, 0C0000022h
		mov	[ebx], edx
		jmp	loc_5389EB
; 

loc_5F0FB0:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8E1Dj
		mov	eax, [ebp+var_50]
		mov	[ebp+var_A0], eax
		mov	edi, ebx
		sub	edi, eax
		mov	[ebp+var_D4], edi

loc_5F0FC3:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8ECCj
		mov	eax, [eax]
		mov	edi, eax
		and	edi, ecx
		cmp	edi, eax
		jz	short loc_5F101A
		mov	[ebp+var_53], 1
		mov	eax, esi
		and	eax, 2000000h
		mov	[ebp+var_D0], eax
		mov	ebx, [ebp+var_A0]
		mov	[ebx], edi
		mov	eax, [ebp+var_D4]
		add	eax, ebx
		mov	[ebp+var_84], eax
		cmp	[ebp+var_D0], 0
		mov	ebx, [ebp+var_78]
		jz	short loc_5F1014
		neg	edi
		sbb	edi, edi
		and	edi, 3FFFFFDEh
		add	edi, 0C0000022h
		mov	[eax], edi
		jmp	short loc_5F101A
; 

loc_5F1014:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8E9Ej
		mov	dword ptr [eax], 0C0000022h

loc_5F101A:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8E6Bj
					; SeAccessCheckByTypeWithAdminlessChecks+B8EB2j
		mov	eax, [ebp+var_A0]
		add	eax, 4
		mov	[ebp+var_A0], eax
		sub	edx, 1
		jnz	short loc_5F0FC3
		mov	eax, [ebp+var_64]
		jmp	loc_5389E8
; 

loc_5F1036:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+88Fj
		mov	edx, eax
		jmp	loc_5389F7
; 

loc_5F103D:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+8AAj
		test	edx, edx
		jnz	short loc_5F1080
		mov	edx, [ebp+var_50]
		mov	eax, [edx]
		and	ecx, eax
		cmp	ecx, eax
		jz	loc_5387BA
		mov	[ebp+var_54], 1
		and	esi, 2000000h
		mov	[edx], ecx
		jz	short loc_5F1075
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 3FFFFFDEh
		add	ecx, 0C0000022h
		mov	[ebx], ecx
		jmp	loc_5387BA
; 

loc_5F1075:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8EFCj
		mov	dword ptr [ebx], 0C0000022h
		jmp	loc_5387BA
; 

loc_5F1080:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8EDFj
		mov	eax, edi
		mov	[ebp+var_A0], eax
		mov	edi, ebx
		sub	edi, [ebp+var_50]
		mov	[ebp+var_D4], edi

loc_5F1093:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8F9Cj
		mov	eax, [eax]
		mov	edi, eax
		and	edi, ecx
		cmp	edi, eax
		jz	short loc_5F10EA
		mov	[ebp+var_54], 1
		mov	eax, esi
		and	eax, 2000000h
		mov	[ebp+var_D0], eax
		mov	ebx, [ebp+var_A0]
		mov	[ebx], edi
		mov	eax, [ebp+var_D4]
		add	eax, ebx
		mov	[ebp+var_84], eax
		cmp	[ebp+var_D0], 0
		mov	ebx, [ebp+var_78]
		jz	short loc_5F10E4
		neg	edi
		sbb	edi, edi
		and	edi, 3FFFFFDEh
		add	edi, 0C0000022h
		mov	[eax], edi
		jmp	short loc_5F10EA
; 

loc_5F10E4:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8F6Ej
		mov	dword ptr [eax], 0C0000022h

loc_5F10EA:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8F3Bj
					; SeAccessCheckByTypeWithAdminlessChecks+B8F82j
		mov	eax, [ebp+var_A0]
		add	eax, 4
		mov	[ebp+var_A0], eax
		sub	edx, 1
		jnz	short loc_5F1093
		jmp	loc_5387B7
; 

loc_5F1103:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+681j
		cmp	[ebp+var_52], 0
		jz	loc_5387E7
		cmp	dword ptr [ebx], 0
		jl	loc_5387E7
		mov	ecx, [ebp+var_BC]
		mov	eax, [ecx]
		mov	[esi], eax
		mov	eax, [ebp+var_71+1]
		mov	eax, [eax]
		and	[edi], eax
		mov	eax, [ecx]
		mov	[ebp+var_8C], eax
		jmp	loc_5387E7
; 

loc_5F1134:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+68Bj
		mov	eax, 1

loc_5F1139:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B902Cj
		mov	[ebp+var_A4], eax
		cmp	eax, [ebp+var_64]
		jnb	loc_5387F1
		lea	ecx, ds:0[eax*4]
		mov	eax, [ecx+ebx]
		mov	[ecx+esi], eax
		mov	eax, [ecx+edx]
		mov	[ecx+edi], eax
		cmp	ds:_SepRmEnforceCap, 0
		jz	short loc_5F1185
		cmp	[ebp+var_52], 0
		jz	short loc_5F1185
		cmp	dword ptr [ecx+ebx], 0
		jl	short loc_5F1185
		mov	eax, [ebp+var_BC]
		mov	eax, [ecx+eax]
		mov	[ecx+esi], eax
		mov	eax, [ebp+var_71+1]
		mov	eax, [ecx+eax]
		and	[ecx+edi], eax

loc_5F1185:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B9002j
					; SeAccessCheckByTypeWithAdminlessChecks+B9008j ...
		mov	eax, [ebp+var_A4]
		inc	eax
		jmp	short loc_5F1139
; END OF FUNCTION CHUNK	FOR SeAccessCheckByTypeWithAdminlessChecks

;  S U B	R O U T	I N E 


sub_5F118E	proc near		; DATA XREF: .text:006A6368o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-144h], eax
		mov	eax, 1
		retn
sub_5F118E	endp


;  S U B	R O U T	I N E 


sub_5F11A1	proc near		; DATA XREF: .text:006A636Co
		mov	esp, [ebp-18h]
		mov	edi, [ebp-144h]
		mov	[ebp-6Ch], edi
		jmp	loc_5F08A0
sub_5F11A1	endp

; 

loc_5F11B2:				; DATA XREF: .text:006A6338o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-148h], eax
		mov	eax, 1
		retn
; 

loc_5F11C5:				; DATA XREF: .text:006A633Co
		mov	esp, [ebp-18h]
		mov	edi, [ebp-148h]
		jmp	loc_5F08A0
; 
; START	OF FUNCTION CHUNK FOR SeAccessCheckByTypeWithAdminlessChecks

loc_5F11D3:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+8E1j
		mov	byte ptr [ebp+var_84], 1
		jmp	loc_538A4E
; 

loc_5F11DF:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+8F2j
		mov	ecx, [ebp+var_E4]
		jmp	loc_538A5E
; 

loc_5F11EA:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+79Cj
		call	_SepLogLpacAccessFailure@4 ; SepLogLpacAccessFailure(x)
		jmp	loc_538849
; 

loc_5F11F4:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+6EDj
		mov	eax, [ebp+var_50]
		test	eax, eax
		jz	short loc_5F1203
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5F1203:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B9099j
		mov	eax, [ebp+var_71+1]
		test	eax, eax
		jz	loc_538853
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_538853
; 

loc_5F121B:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+706j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_53886C
; 

loc_5F1228:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+733j
		mov	ecx, [ebp+var_CC]
		call	_SepRmDereferenceCap@4 ; SepRmDereferenceCap(x)
		jmp	loc_538899
; 

loc_5F1238:				; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+741j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_5388A7
; END OF FUNCTION CHUNK	FOR SeAccessCheckByTypeWithAdminlessChecks
; 
; START	OF FUNCTION CHUNK FOR SeCaptureObjectTypeList

loc_5F1245:				; CODE XREF: SeCaptureObjectTypeList+5Dj
		test	ecx, ecx
		jz	loc_5F13ED
		mov	ecx, ds:_MmSystemRangeStart
		neg	ecx
		mov	eax, 0BA2E8BA3h
		mul	ecx
		shr	edx, 5
		mov	eax, [ebp+var_44]
		cmp	eax, edx
		jnb	loc_5F13ED
		lea	edx, ds:0[eax*8]
		test	edx, edx
		jz	short loc_5F1296
		mov	ecx, [ebp+var_40]
		test	cl, 3
		jz	short loc_5F1282
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_5F1282:				; CODE XREF: SeCaptureObjectTypeList+B85DBj
		lea	ebx, [edx+ecx]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ebx, edx
		ja	short loc_5F1293
		cmp	ebx, ecx
		jnb	short loc_5F1296

loc_5F1293:				; CODE XREF: SeCaptureObjectTypeList+B85EDj
		mov	byte ptr [edx],	0

loc_5F1296:				; CODE XREF: SeCaptureObjectTypeList+B85D3j
					; SeCaptureObjectTypeList+B85F1j
		push	744F6553h
		imul	eax, 2Ch
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_38], ebx
		mov	[ebp+var_54], ebx
		test	ebx, ebx
		jnz	short loc_5F12BC
		mov	edi, 0C000009Ah
		jmp	loc_5F13F2
; 

loc_5F12BC:				; CODE XREF: SeCaptureObjectTypeList+B8610j
		xor	eax, eax
		mov	[ebp+var_48], eax
		mov	ecx, [ebp+var_44]
		mov	edx, [ebp+var_40]

loc_5F12C7:				; CODE XREF: SeCaptureObjectTypeList+B8748j
		cmp	eax, ecx
		jnb	loc_538D03
		movzx	edi, word ptr [edx+eax*8]
		cmp	edi, 4
		ja	loc_5F13ED
		imul	ecx, eax, 2Ch
		mov	[ebp+var_50], ecx
		add	ebx, ecx
		mov	[ebx], di
		xor	ecx, ecx
		mov	[ebx+2], cx
		mov	eax, [edx+eax*8+4]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_4C], eax
		test	al, 3
		mov	ecx, [ebp+var_44]
		jz	short loc_5F1303
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_5F1303:				; CODE XREF: SeCaptureObjectTypeList+B865Cj
		mov	edx, ds:_MmUserProbeAddress
		mov	[ebp+var_58], edx
		cmp	eax, edx
		mov	edx, [ebp+var_40]
		mov	eax, [ebp+var_58]
		jnb	short loc_5F1319
		mov	eax, [ebp+var_4C]

loc_5F1319:				; CODE XREF: SeCaptureObjectTypeList+B8674j
		nop
		mov	al, [eax]
		mov	eax, [ebp+var_3C]
		mov	eax, [eax]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_3C]
		mov	eax, [eax+4]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_3C]
		mov	eax, [eax+8]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_3C]
		mov	eax, [eax+0Ch]
		mov	[ebx+10h], eax
		mov	dword ptr [ebx+18h], 0
		mov	dword ptr [ebx+1Ch], 0
		mov	dword ptr [ebx+20h], 0
		mov	dword ptr [ebx+28h], 0
		mov	eax, [ebp+var_48]
		test	eax, eax
		jnz	short loc_5F137B
		test	di, di
		jz	short loc_5F1377
		mov	edi, 0C000000Dh
		mov	[ebp+var_34], edi
		mov	ebx, [ebp+var_38]
		jmp	loc_538D03
; 

loc_5F1377:				; CODE XREF: SeCaptureObjectTypeList+B86C5j
		xor	ebx, ebx
		jmp	short loc_5F13B1
; 

loc_5F137B:				; CODE XREF: SeCaptureObjectTypeList+B86C0j
		mov	[ebp+var_4C], edi
		movzx	eax, word ptr [ebx-2Ch]
		inc	eax
		mov	ebx, edi
		cmp	ebx, eax
		jbe	short loc_5F1399
		mov	edi, 0C000000Dh
		mov	[ebp+var_34], edi
		mov	ebx, [ebp+var_38]
		jmp	loc_538D03
; 

loc_5F1399:				; CODE XREF: SeCaptureObjectTypeList+B86E7j
		test	di, di
		jnz	short loc_5F13AE
		mov	edi, 0C000000Dh
		mov	[ebp+var_34], edi
		mov	ebx, [ebp+var_38]
		jmp	loc_538D03
; 

loc_5F13AE:				; CODE XREF: SeCaptureObjectTypeList+B86FCj
		mov	eax, [ebp+var_48]

loc_5F13B1:				; CODE XREF: SeCaptureObjectTypeList+B86D9j
		test	di, di
		mov	edi, [ebp+var_50]
		jnz	short loc_5F13C9
		mov	edx, [ebp+var_54]
		mov	dword ptr [edi+edx+14h], 0FFFFFFFFh
		mov	edx, [ebp+var_40]
		jmp	short loc_5F13DA
; 

loc_5F13C9:				; CODE XREF: SeCaptureObjectTypeList+B8717j
		mov	eax, [ebp+ebx*4+var_34]
		mov	ecx, [ebp+var_54]
		mov	[edi+ecx+14h], eax
		mov	ecx, [ebp+var_44]
		mov	eax, [ebp+var_48]

loc_5F13DA:				; CODE XREF: SeCaptureObjectTypeList+B8727j
		mov	[ebp+ebx*4+var_30], eax
		inc	eax
		mov	[ebp+var_48], eax
		mov	edi, [ebp+var_34]
		mov	ebx, [ebp+var_38]
		jmp	loc_5F12C7
; 

loc_5F13ED:				; CODE XREF: SeCaptureObjectTypeList+B85A7j
					; SeCaptureObjectTypeList+B85C4j ...
		mov	edi, 0C000000Dh

loc_5F13F2:				; CODE XREF: SeCaptureObjectTypeList+B8617j
		mov	[ebp+var_34], edi
		jmp	loc_538D03
; END OF FUNCTION CHUNK	FOR SeCaptureObjectTypeList

;  S U B	R O U T	I N E 


sub_5F13FA	proc near		; DATA XREF: .text:006A640Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5Ch], eax
		mov	eax, 1
		retn
sub_5F13FA	endp


;  S U B	R O U T	I N E 


sub_5F140A	proc near		; DATA XREF: .text:006A6410o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-5Ch]
		mov	[ebp-34h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-38h]
		mov	esi, [ebp-60h]
		jmp	loc_538D0A
sub_5F140A	endp

; 
; START	OF FUNCTION CHUNK FOR SeCaptureObjectTypeList

loc_5F1425:				; CODE XREF: SeCaptureObjectTypeList+6Cj
		test	ebx, ebx
		jz	loc_538D14
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_538D14
; END OF FUNCTION CHUNK	FOR SeCaptureObjectTypeList
; 
; START	OF FUNCTION CHUNK FOR SepTrustLevelCheck

loc_5F143A:				; CODE XREF: SepTrustLevelCheck+7Ej
		test	byte ptr [edx+1], 8
		mov	esi, ecx
		jnz	loc_538D9B
		test	edx, edx
		jz	loc_538DA0
		mov	eax, [edx+4]
		lea	ecx, [edx+8]
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	loc_538DA0
		cmp	[ebp+arg_C], 0
		mov	esi, [ebp+arg_4]
		jz	short loc_5F149A
		test	esi, esi
		jz	short loc_5F148D
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [esi+30h]
		push	1
		push	eax
		call	ExAcquireResourceSharedLite
		mov	edi, [ebp+arg_0]
		jmp	short loc_5F1496
; 

loc_5F148D:				; CODE XREF: SepTrustLevelCheck+B86FDj
		mov	edi, [ebp+arg_0]
		push	edi
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)

loc_5F1496:				; CODE XREF: SepTrustLevelCheck+B871Bj
		mov	bl, 1
		jmp	short loc_5F14A0
; 

loc_5F149A:				; CODE XREF: SepTrustLevelCheck+B86F9j
		mov	bl, [ebp+var_3]
		mov	edi, [ebp+arg_0]

loc_5F14A0:				; CODE XREF: SepTrustLevelCheck+B8728j
		test	esi, esi
		jz	short loc_5F14A9
		mov	ecx, [ebp+arg_8]
		jmp	short loc_5F14E9
; 

loc_5F14A9:				; CODE XREF: SepTrustLevelCheck+B8732j
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_5F14E0
		mov	eax, [eax+280h]
		lea	ecx, [ebp+var_2+1]
		push	ecx
		mov	ecx, [edi+8]
		mov	edx, eax
		mov	[ebp+arg_8], eax
		mov	ecx, [ecx+280h]
		call	_RtlSidDominatesForTrust@12 ; RtlSidDominatesForTrust(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_5F1517
		cmp	byte ptr [ebp+var_2+1],	0
		jz	short loc_5F14DD
		mov	ecx, [ebp+arg_8]
		jmp	short loc_5F14E9
; 

loc_5F14DD:				; CODE XREF: SepTrustLevelCheck+B8766j
		mov	edi, [ebp+arg_0]

loc_5F14E0:				; CODE XREF: SepTrustLevelCheck+B873Dj
		mov	eax, [edi+8]
		mov	ecx, [eax+280h]

loc_5F14E9:				; CODE XREF: SepTrustLevelCheck+B8737j
					; SepTrustLevelCheck+B876Bj
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_2]
		push	eax
		call	_RtlSidDominatesForTrust@12 ; RtlSidDominatesForTrust(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_5F1517
		cmp	byte ptr [ebp+var_2], 0
		mov	eax, [ebp+arg_10]
		jz	short loc_5F150C
		mov	dword ptr [eax], 0FFFFFFFFh
		jmp	short loc_5F1517
; 

loc_5F150C:				; CODE XREF: SepTrustLevelCheck+B8792j
		mov	ecx, [ebp+var_8]
		or	ecx, 1000000h
		mov	[eax], ecx

loc_5F1517:				; CODE XREF: SepTrustLevelCheck+B8760j
					; SepTrustLevelCheck+B8789j ...
		test	bl, bl
		jz	short loc_5F152C
		test	esi, esi
		jz	short loc_5F1533
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_5F152C:				; CODE XREF: SepTrustLevelCheck+B87A9j
		mov	eax, edi
		jmp	loc_538DAB
; 

loc_5F1533:				; CODE XREF: SepTrustLevelCheck+B87ADj
		push	[ebp+arg_0]
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		mov	eax, edi
		jmp	loc_538DAB
; END OF FUNCTION CHUNK	FOR SepTrustLevelCheck
; 
; START	OF FUNCTION CHUNK FOR SePrivilegePolicyCheck

loc_5F1542:				; CODE XREF: SePrivilegePolicyCheck+74j
		mov	ebx, [eax+8]
		jmp	loc_538E48
; 

loc_5F154A:				; CODE XREF: SePrivilegePolicyCheck+3Fj
		push	[ebp+arg_C]
		mov	eax, ds:_SeSecurityPrivilege
		lea	edx, [ebp+var_10]
		push	1
		mov	[ebp+var_10], eax
		mov	ecx, ebx
		mov	eax, ds:dword_A94A3C
		push	1
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], esi
		call	_SepPrivilegeCheck@20 ;	SepPrivilegeCheck(x,x,x,x,x)
		test	al, al
		jnz	short loc_5F157C
		mov	eax, 0C0000061h
		jmp	loc_538E6B
; 

loc_5F157C:				; CODE XREF: SePrivilegePolicyCheck+B8760j
		mov	eax, [ebp+var_18]
		mov	esi, 1
		and	dword ptr [edi], 0FEFFFFFFh
		mov	[ebp+var_13], 1
		or	dword ptr [eax], 1000000h
		mov	eax, [edi]
		jmp	loc_538E55
; 

loc_5F159B:				; CODE XREF: SePrivilegePolicyCheck+D5j
		mov	eax, [ebp+var_18]
		inc	esi
		and	dword ptr [edi], 0FFF7FFFFh
		mov	bl, 1
		mov	bh, [ebp+var_12]
		or	dword ptr [eax], 80000h
		jmp	loc_538E61
; 

loc_5F15B5:				; CODE XREF: SePrivilegePolicyCheck+112j
		mov	eax, 0C000009Ah
		jmp	loc_538E6B
; 

loc_5F15BF:				; CODE XREF: SePrivilegePolicyCheck+14Bj
		mov	ecx, [edi]
		lea	edx, [esi+esi*2]
		mov	eax, ds:_SeSecurityPrivilege
		inc	esi
		mov	[ecx+edx*4+8], eax
		mov	eax, ds:dword_A94A3C
		mov	[ecx+edx*4+0Ch], eax
		mov	eax, [edi]
		mov	dword ptr [eax+edx*4+10h], 80000000h
		jmp	loc_538F61
; 

loc_5F15E6:				; CODE XREF: SePrivilegePolicyCheck+159j
		mov	ecx, [edi]
		lea	edx, [esi+esi*2]
		mov	eax, ds:_SeRelabelPrivilege
		mov	[ecx+edx*4+8], eax
		mov	eax, ds:dword_A94A4C
		mov	[ecx+edx*4+0Ch], eax
		mov	eax, [edi]
		mov	dword ptr [eax+edx*4+10h], 80000000h
		jmp	loc_538E69
; END OF FUNCTION CHUNK	FOR SePrivilegePolicyCheck
; 
; START	OF FUNCTION CHUNK FOR SepTokenIsOwner

loc_5F160C:				; CODE XREF: SepTokenIsOwner+28j
		test	esi, esi
		jz	loc_538FAE
		mov	eax, ds:_SeAliasAdminsSid
		push	esi
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	loc_538FC4
		jmp	loc_538FAE
; END OF FUNCTION CHUNK	FOR SepTokenIsOwner
; 
; START	OF FUNCTION CHUNK FOR SepConstrainByConstraintMask

loc_5F162D:				; CODE XREF: SepConstrainByConstraintMask+1Cj
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	short loc_5F169F
		mov	edx, [ebp+arg_0]
		mov	eax, [edx]
		mov	ecx, eax
		and	ecx, ebx
		cmp	ecx, eax
		jz	loc_5391E4
		mov	eax, [ebp+arg_10]
		mov	byte ptr [eax],	1
		mov	eax, [ebp+arg_4]
		mov	[edx], ecx
		and	edi, 2000000h
		jz	short loc_5F1684
		test	ecx, ecx
		jnz	short loc_5F1671
		mov	dword ptr [eax], 0C0000022h
		test	esi, esi
		jz	loc_5391E4
		mov	[esi], cl
		jmp	loc_5391E4
; 

loc_5F1671:				; CODE XREF: SepConstrainByConstraintMask+B8498j
		and	dword ptr [eax], 0
		test	esi, esi
		jz	loc_5391E4
		mov	byte ptr [esi],	1
		jmp	loc_5391E4
; 

loc_5F1684:				; CODE XREF: SepConstrainByConstraintMask+B8494j
		mov	dword ptr [eax], 0C0000022h
		test	esi, esi
		jz	loc_5391E4
		cmp	dword ptr [edx], 0
		setnz	al
		mov	[esi], al
		jmp	loc_5391E4
; 

loc_5F169F:				; CODE XREF: SepConstrainByConstraintMask+B8470j
		xor	edx, edx
		test	eax, eax
		jz	loc_5391E4
		mov	ebx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		sub	ebx, ecx

loc_5F16B1:				; CODE XREF: SepConstrainByConstraintMask+B8551j
		mov	eax, [ecx]
		mov	esi, eax
		and	esi, [ebp+var_4]
		mov	[ebp+arg_4], esi
		cmp	esi, eax
		jz	short loc_5F170C
		mov	eax, [ebp+arg_10]
		mov	byte ptr [eax],	1
		mov	eax, edi
		mov	[ecx], esi
		mov	esi, [ebp+arg_8]
		and	eax, 2000000h
		jz	short loc_5F16F8
		cmp	[ebp+arg_4], 0
		jnz	short loc_5F16EA
		mov	dword ptr [ebx+ecx], 0C0000022h
		test	esi, esi
		jz	short loc_5F170C
		mov	byte ptr [edx+esi], 0
		jmp	short loc_5F170C
; 

loc_5F16EA:				; CODE XREF: SepConstrainByConstraintMask+B8515j
		and	dword ptr [ebx+ecx], 0
		test	esi, esi
		jz	short loc_5F170C
		mov	byte ptr [edx+esi], 1
		jmp	short loc_5F170C
; 

loc_5F16F8:				; CODE XREF: SepConstrainByConstraintMask+B850Fj
		mov	dword ptr [ebx+ecx], 0C0000022h
		test	esi, esi
		jz	short loc_5F170C
		cmp	dword ptr [ecx], 0
		setnz	al
		mov	[esi+edx], al

loc_5F170C:				; CODE XREF: SepConstrainByConstraintMask+B84FBj
					; SepConstrainByConstraintMask+B8520j ...
		inc	edx
		add	ecx, 4
		cmp	edx, [ebp+arg_C]
		jb	short loc_5F16B1
		jmp	loc_5391E4
; END OF FUNCTION CHUNK	FOR SepConstrainByConstraintMask
; 
; START	OF FUNCTION CHUNK FOR AlpcpSignal

loc_5F171A:				; CODE XREF: AlpcpSignal+64j
					; AlpcpSignal+B8536j ...
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	al, al
		js	short loc_5F171A
		lock bts dword ptr [esi], 7
		jb	short loc_5F171A
		mov	dl, byte ptr [ebp+var_14]
		jmp	loc_53925A
; 

loc_5F1737:				; CODE XREF: AlpcpSignal+B6j
		cmp	al, 2
		jnz	loc_5F1829
		mov	byte ptr [edi+9], 5
		mov	eax, [edi+0Ch]
		mov	dword ptr [ebp+arg_0], eax
		add	eax, 8
		mov	dword ptr [edi], 0
		mov	[ebp+var_1C], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+var_C], eax
		mov	eax, [eax+4]
		mov	[ebp+var_8], eax
		jz	short loc_5F178B
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_5F178B:				; CODE XREF: AlpcpSignal+B8584j
		mov	ecx, dword ptr [ebp+arg_0]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	edx, [ebp+var_1C]
		mov	ecx, dword ptr [ebp+arg_0]
		cmp	[edx], edx
		jz	short loc_5F17D0
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+1Ch]
		jnb	short loc_5F17D0
		mov	eax, [ebp+var_8]
		mov	eax, [eax+0A4h]
		cmp	eax, ecx
		jnz	short loc_5F17BE
		mov	eax, [ebp+var_8]
		cmp	byte ptr [eax+18Bh], 0Fh
		jz	short loc_5F17D0

loc_5F17BE:				; CODE XREF: AlpcpSignal+B85C0j
		mov	edx, ecx
		mov	ecx, [ebp+var_C]
		push	edi
		call	KiWakeQueueWaiter
		mov	ecx, dword ptr [ebp+arg_0]
		test	al, al
		jnz	short loc_5F1815

loc_5F17D0:				; CODE XREF: AlpcpSignal+B85ABj
					; AlpcpSignal+B85B3j ...
		mov	eax, [ecx+4]
		mov	[ebp+var_8], eax
		inc	eax
		mov	[ecx+4], eax
		lea	eax, [ecx+10h]
		mov	edx, [eax+4]
		mov	[ebp+var_1C], edx
		cmp	[edx], eax
		lea	edx, [ecx+8]
		jnz	loc_539291
		cmp	[ebp+var_8], 0
		mov	ecx, [ebp+var_1C]
		mov	[edi+4], ecx
		mov	[edi], eax
		mov	[ecx], edi
		mov	ecx, dword ptr [ebp+arg_0]
		mov	[eax+4], edi
		jnz	short loc_5F1815
		cmp	[edx], edx
		jz	short loc_5F1815
		mov	edx, ecx
		mov	ecx, [ebp+var_C]
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)
		mov	ecx, dword ptr [ebp+arg_0]

loc_5F1815:				; CODE XREF: AlpcpSignal+B85DEj
					; AlpcpSignal+B8612j ...
		mov	eax, 0FFFFFF7Fh
		lock and [ecx],	eax
		add	dword ptr [esi+4], 0FFFFFFFFh
		jz	loc_5392CF
		jmp	short loc_5F183A
; 

loc_5F1829:				; CODE XREF: AlpcpSignal+B8549j
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	0
		push	100h
		call	KiTryUnwaitThread

loc_5F183A:				; CODE XREF: AlpcpSignal+CFj
					; AlpcpSignal+D9j ...
		lea	eax, [esi+8]
		cmp	ebx, eax
		jnz	loc_539283
		jmp	loc_5392CF
; 

loc_5F184A:				; CODE XREF: AlpcpSignal+F4j
		mov	edx, 3
		jmp	loc_5392EA
; 

loc_5F1854:				; CODE XREF: AlpcpSignal+73j
					; AlpcpSignal+7Bj
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0C0000047h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

loc_5F186F:				; CODE XREF: KiIntSteerLogProc+31j
		push	ebx
		xor	eax, eax
		mov	[ebp+var_2C], ax
		mov	eax, ds:dword_70E328
		push	4
		mov	[ebp+var_30], eax
		mov	[ebp+var_34], offset _KeActiveProcessors
		pop	ebx

loc_5F1888:				; CODE XREF: AlpcpSignal+B86ECj
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5F18DE
		lea	eax, [ebp+var_28]
		mov	[ebp+var_20], edi
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_28]
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	eax, ds:_KiProcessorBlock[eax*4]
		add	eax, 21D8h
		mov	[ebp+var_C], ebx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edi
		push	esi
		push	ds:dword_6FBC0C
		mov	[ebp+var_8], edi
		push	ds:_KiIntSteerEtwHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	short loc_5F1888
; 

loc_5F18DE:				; CODE XREF: AlpcpSignal+B86A7j
		pop	ebx
		jmp	loc_5393B3
; END OF FUNCTION CHUNK	FOR AlpcpSignal
; 
; START	OF FUNCTION CHUNK FOR KiIntSteerLogMask

loc_5F18E4:				; CODE XREF: KiIntSteerLogMask+25j
		push	4
		pop	eax
		mov	[ebp+var_4C], eax
		xor	ecx, ecx
		mov	[ebp+var_3C], eax
		mov	[ebp+var_2C], eax
		movzx	eax, word ptr ds:_KiIntSteerMask
		shl	eax, 2
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	ecx
		push	esi
		push	ds:dword_6FBC0C
		mov	[ebp+var_54], offset _KiIntSteerLoadPercent
		push	ds:_KiIntSteerEtwHandle
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], offset _KiIntTrackRootCount
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], offset _KiIntSteerMaskCount
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], offset _KiIntSteerMask
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], 2
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], offset dword_6C7528
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_5393F3
; END OF FUNCTION CHUNK	FOR KiIntSteerLogMask
; 
; START	OF FUNCTION CHUNK FOR KeQueryTotalCycleTimeThread

loc_5F1965:				; CODE XREF: KeQueryTotalCycleTimeThread+27j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_0+3],	al
		lea	ebx, [esi+2Ch]
		mov	[ebp+var_C], 0

loc_5F1978:				; CODE XREF: KeQueryTotalCycleTimeThread+B8625j
		lock bts dword ptr [ebx], 0
		jb	loc_5F1A37
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_4]
		call	KiAcquireThreadStateLock
		cmp	al, 2
		jnz	loc_5F1A59
		mov	ecx, [esi+148h]
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_5F19B0
		xor	edx, edx
		add	eax, 2224h
		lock and [eax],	edx

loc_5F19B0:				; CODE XREF: KeQueryTotalCycleTimeThread+B8584j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_5F19BC
		xor	edx, edx
		lock and [eax],	edx

loc_5F19BC:				; CODE XREF: KeQueryTotalCycleTimeThread+B8595j
		xor	eax, eax
		mov	dword ptr [ebx], 0
		bts	eax, ecx
		mov	[ebp+var_20], 10001h
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], eax
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		push	0
		push	0
		push	0
		push	offset _KiFlushWriteBuffersTarget@16 ; KiFlushWriteBuffersTarget(x,x,x,x)
		lea	edx, [ebp+var_20]
		xor	ecx, ecx
		call	_KiIpiSendPacket@24 ; KiIpiSendPacket(x,x,x,x,x,x)
		mov	ecx, large fs:20h
		mov	eax, [ecx+2120h]
		test	eax, eax
		jz	short loc_5F1A10

loc_5F1A04:				; CODE XREF: KeQueryTotalCycleTimeThread+B85EEj
		pause
		mov	eax, [ecx+2120h]
		test	eax, eax
		jnz	short loc_5F1A04

loc_5F1A10:				; CODE XREF: KeQueryTotalCycleTimeThread+B85E2j
		mov	ecx, [ebp+arg_4]
		rdtsc
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 0
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	edi, [esi+34h]
		mov	eax, [esi+30h]
		cmp	edi, [esi+38h]
		jnz	short loc_5F1A4A
		mov	ebx, eax
		jmp	short loc_5F1AA0
; 

loc_5F1A37:				; CODE XREF: KeQueryTotalCycleTimeThread+B855Dj
					; KeQueryTotalCycleTimeThread+B8623j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5F1A37
		jmp	loc_5F1978
; 

loc_5F1A4A:				; CODE XREF: KeQueryTotalCycleTimeThread+B8611j
					; KeQueryTotalCycleTimeThread+B8635j
		pause
		mov	edi, [esi+34h]
		mov	ebx, [esi+30h]
		cmp	edi, [esi+38h]
		jnz	short loc_5F1A4A
		jmp	short loc_5F1AA0
; 

loc_5F1A59:				; CODE XREF: KeQueryTotalCycleTimeThread+B8573j
		mov	al, [esi+55h]
		test	al, al
		jz	short loc_5F1A67
		mov	cl, 1
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)

loc_5F1A67:				; CODE XREF: KeQueryTotalCycleTimeThread+B863Ej
		mov	ecx, [ebp+arg_4]
		rdtsc
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	eax, [esi+30h]
		mov	edi, [esi+34h]
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_5F1A8B
		xor	ecx, ecx
		add	eax, 2224h
		lock and [eax],	ecx

loc_5F1A8B:				; CODE XREF: KeQueryTotalCycleTimeThread+B865Fj
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_5F1A97
		xor	eax, eax
		lock and [ecx],	eax

loc_5F1A97:				; CODE XREF: KeQueryTotalCycleTimeThread+B8670j
		mov	dword ptr [ebx], 0
		mov	ebx, [ebp+arg_4]

loc_5F1AA0:				; CODE XREF: KeQueryTotalCycleTimeThread+B8615j
					; KeQueryTotalCycleTimeThread+B8637j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, ebx
		mov	edx, edi
		jmp	loc_539477
; END OF FUNCTION CHUNK	FOR KeQueryTotalCycleTimeThread
; 
; START	OF FUNCTION CHUNK FOR KiSetPriorityThread

loc_5F1AB2:				; CODE XREF: KiSetPriorityThread+261j
		test	byte ptr [ebx+2], 4
		jz	short loc_5F1AC7
		mov	edx, edi
		mov	ecx, ebx
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_5F1ACD

loc_5F1AC7:				; CODE XREF: KiSetPriorityThread+B8126j
		mov	cl, [ebx+87h]

loc_5F1ACD:				; CODE XREF: KiSetPriorityThread+B8135j
		mov	eax, [edi+33Ch]
		mov	[eax], cl
		cmp	ebx, [edi+0Ch]
		mov	eax, [edi+4DCh]
		setz	cl
		mov	[edi+8], ebx
		test	eax, eax
		jz	short loc_5F1AEB
		mov	[eax+10h], cl

loc_5F1AEB:				; CODE XREF: KiSetPriorityThread+B8156j
		mov	al, [ebx+90h]
		cmp	al, 1
		jnz	short loc_5F1B06
		mov	eax, ds:_KeTickCount
		sub	eax, [ebx+138h]
		add	[ebx+170h], eax

loc_5F1B06:				; CODE XREF: KiSetPriorityThread+B8163j
		mov	ecx, esi
		mov	byte ptr [ebx+90h], 3
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	edx, [ebp+var_10]
		lea	ecx, [esi+9Ch]
		mov	edi, [ebp+var_4]
		mov	eax, [edx]
		mov	[ecx], eax
		mov	[edx], ecx
		jmp	loc_539A64
; 

loc_5F1B2B:				; CODE XREF: KiSetPriorityThread+284j
		or	byte ptr [esi+54h], 10h
		jmp	loc_539A67
; END OF FUNCTION CHUNK	FOR KiSetPriorityThread
; 
; START	OF FUNCTION CHUNK FOR KiAcquireThreadStateLock

loc_5F1B34:				; CODE XREF: KiAcquireThreadStateLock+EBj
		mov	eax, [edi+148h]
		cmp	eax, [ebp+var_C]
		jnz	loc_539D11
		mov	ecx, 1Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5F1B4A:				; CODE XREF: KeSetActualBasePriorityThread+16j
		mov	eax, 1
		jmp	loc_53A01F
; END OF FUNCTION CHUNK	FOR KiAcquireThreadStateLock
; 
; START	OF FUNCTION CHUNK FOR KeSetActualBasePriorityThread

loc_5F1B54:				; CODE XREF: KeSetActualBasePriorityThread+A2j
		mov	eax, [esi+30h]
		mov	edx, [esi+34h]
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_8], ebx
		jmp	loc_539EE5
; 

loc_5F1B65:				; CODE XREF: KeSetActualBasePriorityThread+3A5j
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	KiSelectReadyThreadEx
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	loc_539FC1
		test	byte ptr [ecx+2], 4
		jz	short loc_5F1B93
		mov	edx, ebx
		call	KiIsThreadRankNonZero
		mov	ecx, [ebp+var_C]
		mov	dl, 1
		test	al, al
		jnz	short loc_5F1B99

loc_5F1B93:				; CODE XREF: KeSetActualBasePriorityThread+B7D51j
		mov	dl, [ecx+87h]

loc_5F1B99:				; CODE XREF: KeSetActualBasePriorityThread+B7D61j
		mov	eax, [ebx+33Ch]
		mov	[eax], dl
		cmp	ecx, [ebx+0Ch]
		mov	eax, [ebx+4DCh]
		setz	dl
		mov	[ebx+8], ecx
		test	eax, eax
		jz	short loc_5F1BB7
		mov	[eax+10h], dl

loc_5F1BB7:				; CODE XREF: KeSetActualBasePriorityThread+B7D82j
		mov	al, [ecx+90h]
		cmp	al, 1
		jnz	short loc_5F1BD2
		mov	eax, ds:_KeTickCount
		sub	eax, [ecx+138h]
		add	[ecx+170h], eax

loc_5F1BD2:				; CODE XREF: KeSetActualBasePriorityThread+B7D8Fj
		mov	byte ptr [ecx+90h], 3
		mov	ecx, esi
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	eax, [ebp+var_10]
		lea	ecx, [esi+9Ch]
		mov	[ecx], eax
		mov	[ebp+var_10], ecx
		jmp	loc_53A03B
; 

loc_5F1BF3:				; CODE XREF: KeSetActualBasePriorityThread+173j
		mov	eax, [ebx+3B20h]
		inc	ecx
		shr	eax, cl
		test	eax, eax
		jz	loc_539FC1
		or	byte ptr [esi+54h], 10h
		jmp	loc_539FC1
; 

loc_5F1C0D:				; CODE XREF: KeSetActualBasePriorityThread+2BCj
		mov	dl, 2
		mov	ecx, eax
		call	_KiSendSoftwareInterrupt@8 ; KiSendSoftwareInterrupt(x,x)
		jmp	loc_539FEA
; 

loc_5F1C1B:				; CODE XREF: KeSetActualBasePriorityThread+1E5j
		lea	eax, [ebp+arg_4]
		mov	edx, 531h
		push	eax
		push	[ebp+arg_4]
		mov	ecx, esi
		push	edi
		call	_EtwTracePriority@20 ; EtwTracePriority(x,x,x,x,x)
		jmp	loc_53A01B
; END OF FUNCTION CHUNK	FOR KeSetActualBasePriorityThread
; 
; START	OF FUNCTION CHUNK FOR PspUnlockThreadSecurityExclusive

loc_5F1C34:				; CODE XREF: PspUnlockThreadSecurityExclusive+1Ej
		test	cl, 4
		jnz	loc_53A214
		mov	ecx, eax
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_14]
		jmp	loc_53A214
; 

loc_5F1C4F:				; CODE XREF: PspUnlockThreadSecurityExclusive+177j
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F1C62:				; CODE XREF: PspUnlockThreadSecurityExclusive+E2j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_1C]
		jmp	loc_53A2E8
; 

loc_5F1C77:				; CODE XREF: PspUnlockThreadSecurityExclusive+19Cj
		mov	edx, 1
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_53A392
; 

loc_5F1C88:				; CODE XREF: PspUnlockThreadSecurityExclusive+1C9j
		push	[ebp+var_1C]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_53A2FF
; END OF FUNCTION CHUNK	FOR PspUnlockThreadSecurityExclusive
; 
; START	OF FUNCTION CHUNK FOR AlpcpSignalAndWait

loc_5F1C9A:				; CODE XREF: AlpcpSignalAndWait+1C0j
		cmp	eax, 4
		jb	short loc_5F1CBC
		push	1
		push	0
		and	eax, 0FFFFFFFCh
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [esi+14h]
		test	cl, 2
		jz	short loc_5F1CBC
		and	ecx, 0FFFFFFFCh
		call	ObfDereferenceObject

loc_5F1CBC:				; CODE XREF: AlpcpSignalAndWait+B77FDj
					; AlpcpSignalAndWait+B7812j
		mov	dword ptr [esi+14h], 0
		jmp	loc_53A57C
; 

loc_5F1CC8:				; CODE XREF: AlpcpSignalAndWait+10Dj
		mov	ecx, edi
		call	_AlpcpLogUnwait@4 ; AlpcpLogUnwait(x)
		jmp	loc_53A5B3
; END OF FUNCTION CHUNK	FOR AlpcpSignalAndWait
; 
; START	OF FUNCTION CHUNK FOR EtwTraceThreadWorkOnBehalfUpdate

loc_5F1CD4:				; CODE XREF: EtwTraceThreadWorkOnBehalfUpdate+34j
		test	ebx, ebx
		jz	short loc_5F1CE0
		mov	eax, [ebx+2B0h]
		jmp	short loc_5F1CE2
; 

loc_5F1CE0:				; CODE XREF: EtwTraceThreadWorkOnBehalfUpdate+B7646j
		xor	eax, eax

loc_5F1CE2:				; CODE XREF: EtwTraceThreadWorkOnBehalfUpdate+B764Ej
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 4
		mov	[ebp+var_18], 0
		test	eax, eax
		jz	short loc_5F1D0F
		mov	eax, [eax+2B0h]
		jmp	short loc_5F1D11
; 

loc_5F1D0F:				; CODE XREF: EtwTraceThreadWorkOnBehalfUpdate+B7675j
		xor	eax, eax

loc_5F1D11:				; CODE XREF: EtwTraceThreadWorkOnBehalfUpdate+B767Dj
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	0
		push	0
		push	1
		push	0
		push	0
		push	offset _ThreadWorkOnBehalfUpdate
		push	edi
		push	esi
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], 0
		call	EtwWriteEx
		jmp	loc_53A6CA
; END OF FUNCTION CHUNK	FOR EtwTraceThreadWorkOnBehalfUpdate
; 
; START	OF FUNCTION CHUNK FOR PsImpersonateContainerOfThread

loc_5F1D50:				; CODE XREF: PsImpersonateContainerOfThread+44j
		mov	dl, al
		mov	ecx, offset _PspThreadWorkOnBehalfLock
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_53A759
; 

loc_5F1D61:				; CODE XREF: PsImpersonateContainerOfThread+73j
					; PsImpersonateContainerOfThread+B76B4j
		test	edx, 40000000h
		jnz	short loc_5F1D7B
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_5F1D88

loc_5F1D7B:				; CODE XREF: PsImpersonateContainerOfThread+B7687j
		lea	ecx, [ebp+var_34]
		call	KeYieldProcessorEx
		mov	eax, ds:_PspThreadWorkOnBehalfLock

loc_5F1D88:				; CODE XREF: PsImpersonateContainerOfThread+B7699j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5F1D61
		jmp	loc_53A759
; 

loc_5F1D9B:				; CODE XREF: PsImpersonateContainerOfThread+D0j
		push	0
		push	1
		push	ecx
		push	esi
		push	157h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F1DAB:				; CODE XREF: PsImpersonateContainerOfThread+10Dj
					; PsImpersonateContainerOfThread+B76E6j
		mov	eax, [ecx]
		lea	edx, [ecx-9Ch]
		mov	[ebp+var_30], eax
		mov	ecx, ebx
		lea	eax, [ebp+var_30]
		push	eax
		call	KiDeferredReadySingleThread
		mov	ecx, [ebp+var_30]
		test	ecx, ecx
		jnz	short loc_5F1DAB
		jmp	loc_53A7F3
; 

loc_5F1DCD:				; CODE XREF: PsImpersonateContainerOfThread+12Bj
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		movzx	ecx, byte ptr [edi+244h]
		movzx	edx, byte ptr [esi+244h]
		mov	[ebp+var_29], al
		call	_KiQosResponseRequired@8 ; KiQosResponseRequired(x,x)
		test	al, al
		jz	short loc_5F1E15
		mov	edx, ecx
		mov	ecx, esi
		call	_KeSetThreadBamQosLevel@8 ; KeSetThreadBamQosLevel(x,x)
		movzx	edx, byte ptr [ebx+4D8h]
		movzx	ecx, byte ptr [esi+244h]
		call	_KiQosResponseRequired@8 ; KiQosResponseRequired(x,x)
		test	al, al
		jz	short loc_5F1E15
		mov	edx, esi
		mov	ecx, ebx
		call	@KeCheckAndApplyBamQos@8 ; KeCheckAndApplyBamQos(x,x)

loc_5F1E15:				; CODE XREF: PsImpersonateContainerOfThread+B770Aj
					; PsImpersonateContainerOfThread+B772Aj
		cmp	[ebp+var_29], 0
		jz	loc_53A811
		sti
		jmp	loc_53A811
; 

loc_5F1E25:				; CODE XREF: PsImpersonateContainerOfThread+138j
		mov	edx, [ebp+4]
		mov	ecx, offset _PspThreadWorkOnBehalfLock
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_53A828
; 

loc_5F1E37:				; CODE XREF: PsImpersonateContainerOfThread+18Cj
		lea	eax, [ebp+var_40]
		mov	[ebp+var_40], 0
		mov	[ebp+var_28], eax
		mov	eax, [edi+2B0h]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		push	0
		push	0
		push	1
		push	0
		push	0
		push	offset _ThreadWorkOnBehalfUpdate
		push	esi
		push	ebx
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 4
		mov	[ebp+var_1C], 0
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], 0
		call	EtwWriteEx
		jmp	loc_53A872
; END OF FUNCTION CHUNK	FOR PsImpersonateContainerOfThread
; 
; START	OF FUNCTION CHUNK FOR EtwEventEnabled

loc_5F1E9E:				; CODE XREF: EtwEventEnabled+31j
		test	cl, cl
		jnz	loc_53A925
		jmp	loc_53A907
; END OF FUNCTION CHUNK	FOR EtwEventEnabled
; 
; START	OF FUNCTION CHUNK FOR PspRevertContainerImpersonation

loc_5F1EAB:				; CODE XREF: PspRevertContainerImpersonation+4Cj
		mov	dl, cl
		mov	ecx, offset _PspThreadWorkOnBehalfLock
		call	@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 ; ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)
		jmp	loc_53AA01
; 

loc_5F1EBC:				; CODE XREF: PspRevertContainerImpersonation+7Bj
		mov	edi, offset _PspThreadWorkOnBehalfLock

loc_5F1EC1:				; CODE XREF: PspRevertContainerImpersonation+B7574j
		test	edx, 40000000h
		jnz	short loc_5F1EDB
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 40000000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5F1EE8

loc_5F1EDB:				; CODE XREF: PspRevertContainerImpersonation+B7547j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, ds:_PspThreadWorkOnBehalfLock

loc_5F1EE8:				; CODE XREF: PspRevertContainerImpersonation+B7559j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000000h
		jnz	short loc_5F1EC1
		mov	edi, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		jmp	loc_53AA01
; 

loc_5F1F01:				; CODE XREF: PspRevertContainerImpersonation+BCj
		push	0
		push	2
		push	ecx
		push	esi
		push	157h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F1F11:				; CODE XREF: PspRevertContainerImpersonation+132j
		mov	edx, [ebp+4]
		mov	ecx, offset _PspThreadWorkOnBehalfLock
		call	@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 ; ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x,x)
		jmp	loc_53AAC2
; END OF FUNCTION CHUNK	FOR PspRevertContainerImpersonation
; 
; START	OF FUNCTION CHUNK FOR ExpApplyPriorityBoost

loc_5F1F23:				; CODE XREF: ExpApplyPriorityBoost+99j
		lea	edx, [esi+34h]
		lea	ecx, [ebp+var_28]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_53AF8F
; 

loc_5F1F33:				; CODE XREF: ExpApplyPriorityBoost+1CCj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_53B0D4
; 

loc_5F1F43:				; CODE XREF: ExpApplyPriorityBoost+24Cj
		mov	edx, ebx
		lea	ecx, [ebp+var_28]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_53B13F
; 

loc_5F1F52:				; CODE XREF: ExpApplyPriorityBoost+3ACj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_53B2B4
; 

loc_5F1F62:				; CODE XREF: ExpApplyPriorityBoost+433j
		lea	edx, [esi+34h]
		lea	ecx, [ebp+var_28]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_53B329
; 

loc_5F1F72:				; CODE XREF: ExpApplyPriorityBoost+26Fj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_28]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_53B177
; END OF FUNCTION CHUNK	FOR ExpApplyPriorityBoost
; 
; START	OF FUNCTION CHUNK FOR KeSetThreadChargeOnlySchedulingGroup

loc_5F1F82:				; CODE XREF: KeSetThreadChargeOnlySchedulingGroup+16j
		test	ebx, ebx
		jz	loc_53B54F
		jmp	loc_53B547
; 

loc_5F1F8F:				; CODE XREF: KeSetThreadChargeOnlySchedulingGroup+6Aj
		lock btr dword ptr [esi], 12h
		mov	dword ptr [esi+50h], 0
		lea	eax, [esi+5Ch]
		lock btr dword ptr [eax], 9
		jmp	loc_53B5A0
; END OF FUNCTION CHUNK	FOR KeSetThreadChargeOnlySchedulingGroup
; 
; START	OF FUNCTION CHUNK FOR ExpBoostIoAfterAcquire

loc_5F1FA8:				; CODE XREF: ExpBoostIoAfterAcquire+89j
		lea	edx, [esi+34h]
		lea	ecx, [ebp+var_10]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_53B66F
; 

loc_5F1FB8:				; CODE XREF: ExpBoostIoAfterAcquire+E3j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_0+3],	al
		lea	edx, [edi+1ECh]
		mov	eax, large fs:20h
		mov	ecx, edi
		push	edx
		mov	[ebp+var_4], eax
		lea	edx, [eax+45E4h]
		call	_KiAbThreadInsertList@12 ; KiAbThreadInsertList(x,x,x)
		test	eax, eax
		jz	short loc_5F1FEA
		mov	ecx, [ebp+var_4]
		call	_KiAbQueueAutoBoostDpc@4 ; KiAbQueueAutoBoostDpc(x)

loc_5F1FEA:				; CODE XREF: ExpBoostIoAfterAcquire+B6A10j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_53B6B9
; 

loc_5F1FF8:				; CODE XREF: ExpBoostIoAfterAcquire+F4j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_53B6E4
; END OF FUNCTION CHUNK	FOR ExpBoostIoAfterAcquire
; 
; START	OF FUNCTION CHUNK FOR KeSetPriorityBoost

loc_5F2008:				; CODE XREF: KeSetPriorityBoost+76j
					; KeSetPriorityBoost+B67A9j
		pause
		mov	ebx, [esi+34h]
		mov	eax, [esi+30h]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], eax
		cmp	ebx, [esi+38h]
		jnz	short loc_5F2008
		mov	ebx, [ebp+var_1C]
		jmp	loc_53B8EC
; 

loc_5F2023:				; CODE XREF: KeSetPriorityBoost+1ECj
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	KiSelectReadyThreadEx
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_53BA62
		test	byte ptr [ebx+2], 4
		jz	short loc_5F204D
		mov	edx, edi
		mov	ecx, ebx
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_5F2053

loc_5F204D:				; CODE XREF: KeSetPriorityBoost+B67CCj
		mov	cl, [ebx+87h]

loc_5F2053:				; CODE XREF: KeSetPriorityBoost+B67DBj
		mov	eax, [edi+33Ch]
		mov	[eax], cl
		cmp	ebx, [edi+0Ch]
		mov	eax, [edi+4DCh]
		setz	cl
		mov	[edi+8], ebx
		test	eax, eax
		jz	short loc_5F2071
		mov	[eax+10h], cl

loc_5F2071:				; CODE XREF: KeSetPriorityBoost+B67FCj
		mov	al, [ebx+90h]
		cmp	al, 1
		jnz	short loc_5F208C
		mov	eax, ds:_KeTickCount
		sub	eax, [ebx+138h]
		add	[ebx+170h], eax

loc_5F208C:				; CODE XREF: KeSetPriorityBoost+B6809j
		mov	ecx, esi
		mov	byte ptr [ebx+90h], 3
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	eax, [ebp+var_C]
		lea	ecx, [esi+9Ch]
		mov	[ecx], eax
		mov	[ebp+var_C], ecx
		jmp	loc_53BADA
; 

loc_5F20AD:				; CODE XREF: KeSetPriorityBoost+14Aj
		test	eax, eax
		jnz	loc_5F215D
		mov	al, [esi+90h]
		mov	edi, [ebp+var_8]
		cmp	al, 2
		jnz	short loc_5F213E
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	KiSelectReadyThreadEx
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_53BA62
		test	byte ptr [ebx+2], 4
		jz	short loc_5F20EC
		mov	edx, edi
		mov	ecx, ebx
		call	KiIsThreadRankNonZero
		mov	cl, 1
		test	al, al
		jnz	short loc_5F20F2

loc_5F20EC:				; CODE XREF: KeSetPriorityBoost+B686Bj
		mov	cl, [ebx+87h]

loc_5F20F2:				; CODE XREF: KeSetPriorityBoost+B687Aj
		mov	eax, [edi+33Ch]
		mov	[eax], cl
		mov	eax, [ebp+var_34]
		cmp	ebx, [edi+0Ch]
		setz	cl
		mov	[eax], ebx
		mov	eax, [edi+4DCh]
		test	eax, eax
		jz	short loc_5F2112
		mov	[eax+10h], cl

loc_5F2112:				; CODE XREF: KeSetPriorityBoost+B689Dj
		mov	al, [ebx+90h]
		cmp	al, 1
		jnz	short loc_5F212D
		mov	eax, ds:_KeTickCount
		sub	eax, [ebx+138h]
		add	[ebx+170h], eax

loc_5F212D:				; CODE XREF: KeSetPriorityBoost+B68AAj
		mov	edi, [ebp+var_8]
		mov	byte ptr [ebx+90h], 3
		mov	bl, 1
		jmp	loc_53B9D6
; 

loc_5F213E:				; CODE XREF: KeSetPriorityBoost+B6850j
		mov	eax, [edi+3B20h]
		lea	ecx, [ebx+1]
		mov	bl, [ebp+var_1]
		shr	eax, cl
		test	eax, eax
		jz	loc_53B9D6
		or	byte ptr [esi+54h], 10h
		jmp	loc_53B9D6
; 

loc_5F215D:				; CODE XREF: KeSetPriorityBoost+B683Fj
		cmp	ebx, ecx
		jmp	loc_53B9C0
; 

loc_5F2164:				; CODE XREF: KeSetPriorityBoost+187j
		mov	al, large fs:51h
		movzx	edx, al
		mov	eax, [ebp+var_8]
		mov	ecx, [eax+3CCh]
		cmp	edx, ecx
		jz	loc_53B9FD
		mov	dl, 2
		call	_KiSendSoftwareInterrupt@8 ; KiSendSoftwareInterrupt(x,x)
		jmp	loc_53B9FD
; END OF FUNCTION CHUNK	FOR KeSetPriorityBoost
; 
; START	OF FUNCTION CHUNK FOR FsRtlpComputeShareableOplockState

loc_5F218A:				; CODE XREF: FsRtlpComputeShareableOplockState+1Ej
					; FsRtlpComputeShareableOplockState+2Dj
		lea	ecx, [edx+1Ch]
		cmp	[ecx], ecx
		jnz	short loc_5F21CD
		lea	ecx, [edx+24h]
		cmp	[ecx], ecx
		jnz	short loc_5F21CD
		cmp	ebx, edi
		jz	loc_53C5C3

loc_5F21A0:				; CODE XREF: FsRtlpComputeShareableOplockState+69j
		mov	[ebp+var_2], 0
		mov	[ebp+var_1], 0

loc_5F21A8:				; CODE XREF: FsRtlpComputeShareableOplockState+B5C5Aj
		mov	ecx, [ebx+8]
		cmp	dword ptr [ecx+0Ch], 90240h
		jnz	short loc_5F21DA
		mov	ch, [ebp+var_1]
		mov	cl, 1
		mov	[ebp+var_2], cl
		test	ch, ch
		jz	short loc_5F21E6

loc_5F21C0:				; CODE XREF: FsRtlpComputeShareableOplockState+B5C54j
					; FsRtlpComputeShareableOplockState+B5C62j
		and	eax, 20h
		or	eax, 1010h
		jmp	loc_53C5D2
; 

loc_5F21CD:				; CODE XREF: FsRtlpComputeShareableOplockState+B5BFFj
					; FsRtlpComputeShareableOplockState+B5C06j
		and	eax, 20h
		or	eax, 0B000h
		jmp	loc_53C5D2
; 

loc_5F21DA:				; CODE XREF: FsRtlpComputeShareableOplockState+B5C22j
		mov	cl, [ebp+var_2]
		mov	ch, 1
		mov	[ebp+var_1], ch
		test	cl, cl
		jnz	short loc_5F21C0

loc_5F21E6:				; CODE XREF: FsRtlpComputeShareableOplockState+B5C2Ej
		mov	ebx, [ebx]
		cmp	ebx, edi
		jnz	short loc_5F21A8
		test	cl, cl
		jz	short loc_5F21F4
		test	ch, ch
		jnz	short loc_5F21C0

loc_5F21F4:				; CODE XREF: FsRtlpComputeShareableOplockState+B5C5Ej
		and	eax, 20h
		test	cl, cl
		jz	short loc_5F2205
		or	eax, 1000h
		jmp	loc_53C5D2
; 

loc_5F2205:				; CODE XREF: FsRtlpComputeShareableOplockState+B5C69j
		or	eax, 10h
		jmp	loc_53C5D2
; 

loc_5F220D:				; CODE XREF: FsRtlpComputeShareableOplockState+88j
		mov	ecx, [ebx+18h]
		and	ecx, 0F00000h
		cmp	ecx, edi
		jnz	loc_53C5CA
		lea	ecx, [edx+24h]
		jmp	loc_53C61E
; END OF FUNCTION CHUNK	FOR FsRtlpComputeShareableOplockState
; 
; START	OF FUNCTION CHUNK FOR IoSetOplockPrivateFoExt

loc_5F2226:				; CODE XREF: IoSetOplockPrivateFoExt+45j
		mov	eax, 0C000009Ah
		jmp	loc_53C6F6
; 

loc_5F2230:				; CODE XREF: IoSetOplockPrivateFoExt+ACj
		mov	ecx, offset _IopOplockFoExtLookasideList
		mov	esi, 0C0000001h
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	loc_53C6F4
; END OF FUNCTION CHUNK	FOR IoSetOplockPrivateFoExt
; 
; START	OF FUNCTION CHUNK FOR ExAcquireFastMutexUnsafe

loc_5F2244:				; CODE XREF: ExAcquireFastMutexUnsafe+16Aj
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	loc_53C960
; 

loc_5F2252:				; CODE XREF: ExAcquireFastMutexUnsafe+B4j
					; ExAcquireFastMutexUnsafe+C5j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	loc_53C8BE
; END OF FUNCTION CHUNK	FOR ExAcquireFastMutexUnsafe
; 
; START	OF FUNCTION CHUNK FOR FsRtlpAttachOplockKey

loc_5F2262:				; CODE XREF: FsRtlpAttachOplockKey+66j
		xor	ebx, ebx
		mov	esi, ecx
		inc	ebx
		jmp	short loc_5F226E
; 

loc_5F2269:				; CODE XREF: FsRtlpAttachOplockKey+8Bj
		xor	ebx, ebx
		inc	ebx
		mov	esi, ebx

loc_5F226E:				; CODE XREF: FsRtlpAttachOplockKey+B5861j
		mov	ecx, [ebp+var_20]
		mov	edx, [ebp+var_18]
		push	esi
		mov	ecx, [ecx+18h]
		call	_IoSetOplockKeyContext@12 ; IoSetOplockKeyContext(x,x,x)
		mov	edi, eax
		cmp	si, bx
		jnz	short loc_5F228E
		push	[ebp+var_18]
		call	_FsRtlFreeExtraCreateParameter@4 ; FsRtlFreeExtraCreateParameter(x)
		jmp	short loc_5F229E
; 

loc_5F228E:				; CODE XREF: FsRtlpAttachOplockKey+B587Cj
		push	2
		pop	eax
		cmp	si, ax
		jnz	short loc_5F229E
		push	[ebp+var_18]
		call	_FsRtlAcknowledgeEcp@4 ; FsRtlAcknowledgeEcp(x)

loc_5F229E:				; CODE XREF: FsRtlpAttachOplockKey+B5886j
					; FsRtlpAttachOplockKey+B588Ej
		lea	ebx, [edi+3FFFFFFFh]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, edi
		jmp	loc_53CA97
; END OF FUNCTION CHUNK	FOR FsRtlpAttachOplockKey
; 
; START	OF FUNCTION CHUNK FOR FsRtlpOplockCleanup

loc_5F22AF:				; CODE XREF: FsRtlpOplockCleanup+36j
		lea	ecx, [ebx+34h]
		mov	esi, [ecx]

loc_5F22B4:				; CODE XREF: FsRtlpOplockCleanup+B578Cj
		cmp	esi, ecx
		jz	short loc_5F2304
		mov	eax, [edx+18h]
		cmp	eax, [esi+8]
		jz	short loc_5F22C4
		mov	esi, [esi]
		jmp	short loc_5F22B4
; 

loc_5F22C4:				; CODE XREF: FsRtlpOplockCleanup+B5788j
					; FsRtlpOplockCleanup+B579Cj
		lea	eax, [ebx+2Ch]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_5F22D4
		call	_FsRtlpRemoveAndCompleteWaitingIrp@4 ; FsRtlpRemoveAndCompleteWaitingIrp(x)
		jmp	short loc_5F22C4
; 

loc_5F22D4:				; CODE XREF: FsRtlpOplockCleanup+B5795j
		mov	eax, [esi+4]
		mov	eax, [eax]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_53CC90
		cmp	[ecx], eax
		jnz	loc_53CC90
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, [esi+8]
		call	ObfDereferenceObject
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5F2304:				; CODE XREF: FsRtlpOplockCleanup+B5780j
		and	dword ptr [ebx+48h], 0FEFFFFFFh
		lea	eax, [ebx+34h]
		cmp	[eax], eax
		jz	loc_53CB72
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1B], al
		jmp	loc_53CB72
; 

loc_5F2321:				; CODE XREF: FsRtlpOplockCleanup+C6j
					; FsRtlpOplockCleanup+B5829j
		cmp	esi, edi
		jz	short loc_5F2361
		mov	ecx, [esi+8]
		mov	eax, [ebp+var_20]
		mov	eax, [eax+18h]
		cmp	eax, [ecx+18h]
		jnz	short loc_5F235D
		mov	esi, [esi+4]
		cmp	dword ptr [ecx+0Ch], 90240h
		jnz	short loc_5F2347
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1A], al
		jmp	short loc_5F2349
; 

loc_5F2347:				; CODE XREF: FsRtlpOplockCleanup+B5807j
		xor	edx, edx

loc_5F2349:				; CODE XREF: FsRtlpOplockCleanup+B580Fj
		push	0
		mov	ecx, [esi]
		call	_FsRtlpRemoveAndCompleteReadOnlyIrp@12 ; FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)
		cmp	[ebp+var_1A], 0
		jnz	short loc_5F2361
		mov	edx, 216h

loc_5F235D:				; CODE XREF: FsRtlpOplockCleanup+B57FBj
		mov	esi, [esi]
		jmp	short loc_5F2321
; 

loc_5F2361:				; CODE XREF: FsRtlpOplockCleanup+B57EDj
					; FsRtlpOplockCleanup+B5820j
		mov	ecx, ebx
		call	FsRtlpComputeShareableOplockState
		jmp	loc_53CB7B
; 

loc_5F236D:				; CODE XREF: FsRtlpOplockCleanup+FEj
		mov	edx, esi
		mov	ecx, ebx
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		jmp	loc_53CC3A
; 

loc_5F237B:				; CODE XREF: FsRtlpOplockCleanup+9Bj
		mov	eax, [ebx+48h]
		test	eax, 1F00F80h
		jnz	short loc_5F2402
		mov	eax, [ebx]
		mov	[ebp+var_20], eax
		mov	edi, [eax+60h]
		lea	esi, [eax+25h]
		push	esi
		call	_IoAcquireCancelSpinLock@4 ; IoAcquireCancelSpinLock(x)
		xor	ecx, ecx
		mov	eax, [ebp+var_20]
		add	eax, 38h
		xchg	ecx, [eax]
		movzx	eax, byte ptr [esi]
		push	eax
		call	IoReleaseCancelSpinLock
		cmp	dword ptr [edi+0Ch], 90240h
		jnz	short loc_5F23E2
		mov	esi, [ebp+var_20]
		mov	edx, [esi+0Ch]
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		inc	eax
		mov	[edx], ax
		push	18h
		pop	ecx
		mov	[edx+2], cx
		mov	eax, [ebx+48h]
		shr	eax, 0Ch
		and	eax, 7
		mov	[edx+4], eax
		mov	[esi+1Ch], ecx
		mov	ecx, 216h
		jmp	short loc_5F23EE
; 

loc_5F23E2:				; CODE XREF: FsRtlpOplockCleanup+B587Aj
		mov	eax, [ebp+var_20]
		mov	dword ptr [eax+1Ch], 8
		xor	ecx, ecx

loc_5F23EE:				; CODE XREF: FsRtlpOplockCleanup+B58AAj
		mov	eax, [ebx]
		mov	[eax+18h], ecx
		xor	eax, eax
		lea	edx, [eax+1]
		mov	ecx, [ebx]
		call	IofCompleteRequest
		mov	eax, [ebx+48h]

loc_5F2402:				; CODE XREF: FsRtlpOplockCleanup+B584Dj
		test	al, al
		js	short loc_5F240E
		mov	ecx, [ebx+4]
		call	ObfDereferenceObject

loc_5F240E:				; CODE XREF: FsRtlpOplockCleanup+B58CEj
		xor	eax, eax
		mov	[ebx+4], eax
		mov	[ebx], eax
		cmp	[ebx+0Ch], eax
		jz	short loc_5F2431
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, ebx
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	byte ptr [ebx+10h], 0

loc_5F2431:				; CODE XREF: FsRtlpOplockCleanup+B58E2j
		mov	eax, [ebx+48h]
		and	eax, 20h
		or	eax, 1
		mov	[ebx+48h], eax

loc_5F243D:				; CODE XREF: FsRtlpOplockCleanup+B5919j
		lea	eax, [ebx+2Ch]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	loc_53CBD7
		call	_FsRtlpRemoveAndCompleteWaitingIrp@4 ; FsRtlpRemoveAndCompleteWaitingIrp(x)
		jmp	short loc_5F243D
; END OF FUNCTION CHUNK	FOR FsRtlpOplockCleanup

;  S U B	R O U T	I N E 


sub_5F2451	proc near		; DATA XREF: .text:006A6868o
		mov	ebx, [ebp-28h]
		jmp	sub_53CC89
sub_5F2451	endp

; 
; START	OF FUNCTION CHUNK FOR RtlFindAceBySid

loc_5F2459:				; CODE XREF: RtlFindAceBySid+34j
		cmp	al, 9
		jb	short loc_5F2465
		cmp	al, 0Ah
		jbe	loc_53CDAA

loc_5F2465:				; CODE XREF: RtlFindAceBySid+B56EBj
		cmp	al, 0Dh
		jb	short loc_5F2471
		cmp	al, 0Eh
		jbe	loc_53CDAA

loc_5F2471:				; CODE XREF: RtlFindAceBySid+B56F7j
		cmp	al, 11h
		jz	loc_53CDAA
		cmp	al, 14h
		jz	loc_53CDAA
		cmp	al, 15h
		jz	loc_53CDAA
		cmp	al, 12h
		jz	loc_53CDAA
		cmp	al, 13h
		jz	loc_53CDAA
		cmp	al, 4
		jnz	short loc_5F24A7
		mov	ecx, 0Ch
		jmp	loc_53CDAF
; 

loc_5F24A7:				; CODE XREF: RtlFindAceBySid+B572Bj
		cmp	al, 5
		jb	short loc_5F24AF
		cmp	al, 8
		jbe	short loc_5F24C1

loc_5F24AF:				; CODE XREF: RtlFindAceBySid+B5739j
		cmp	al, 0Bh
		jb	short loc_5F24B7
		cmp	al, 0Ch
		jbe	short loc_5F24C1

loc_5F24B7:				; CODE XREF: RtlFindAceBySid+B5741j
		sub	al, 0Fh
		cmp	al, 1
		ja	loc_53CDBF

loc_5F24C1:				; CODE XREF: RtlFindAceBySid+B573Dj
					; RtlFindAceBySid+B5745j
		mov	eax, [esi+8]
		mov	ecx, eax
		and	ecx, 2
		and	eax, 1
		shl	ecx, 3
		or	ecx, 0Ch
		shl	eax, 4
		add	ecx, eax
		jmp	loc_53CDAF
; END OF FUNCTION CHUNK	FOR RtlFindAceBySid
; 
; START	OF FUNCTION CHUNK FOR IopCloseWaitCompletionPacket

loc_5F24DC:				; CODE XREF: IopCloseWaitCompletionPacket+60j
					; IopCloseWaitCompletionPacket+8Fj
		mov	dl, al
		mov	ecx, edi
		call	KfReleaseSpinLock
		jmp	loc_53D0EC
; END OF FUNCTION CHUNK	FOR IopCloseWaitCompletionPacket
; 

loc_5F24EA:				; CODE XREF: .text:0053D16Aj
		test	al, al
		jz	loc_53D170
		and	dword ptr [ebp-4], 0
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jb	short loc_5F2503
		mov	ecx, eax

loc_5F2503:				; CODE XREF: .text:005F24FFj
		mov	al, [ecx]
		mov	[ecx], al
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_53D170
; 

loc_5F2513:				; DATA XREF: .text:006A69F4o
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-68h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_5F2524:				; DATA XREF: .text:006A69F8o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-68h]
		jmp	loc_53D252
; 

loc_5F2539:				; CODE XREF: .text:0053D1BFj
		mov	ecx, esi
		test	edi, edi
		jz	short loc_5F254E
		call	ObfDereferenceObject
		mov	eax, 0C000000Dh
		jmp	loc_53D252
; 

loc_5F254E:				; CODE XREF: .text:005F253Dj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		xor	edx, edx
		call	ExpSetTimerObject2
		jmp	loc_53D252
; 

loc_5F255F:				; CODE XREF: .text:0053D1CBj
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, 0C0000024h
		jmp	loc_53D252
; 

loc_5F2570:				; CODE XREF: .text:0053D3F5j
		mov	[ebp-44h], eax
		or	ecx, 0FFFFFFFFh
		mov	[ebp-40h], ecx
		jmp	loc_53D4DD
; 

loc_5F257E:				; CODE XREF: .text:0053D429j
		lea	ecx, [esi+222h]
		cmp	[ecx], al
		jz	short loc_5F2599
		xor	al, al
		xchg	al, [ecx]
		mov	dl, [esi+1E4h]
		or	dl, al
		jmp	loc_53D42F
; 

loc_5F2599:				; CODE XREF: .text:005F2586j
		mov	edx, eax
		mov	[ebp-44h], edx
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_53D452
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [ebp-44h]
		jmp	loc_53D452
; 

loc_5F25BF:				; CODE XREF: .text:0053D5F8j
		push	esi
		mov	ecx, [ebp-40h]
		push	ecx
		push	offset _ExpWakeTimerLock
		push	edi
		push	162h
		jmp	loc_53D53D
; 

loc_5F25D4:				; CODE XREF: .text:0053D36Aj
		lea	esi, [edi+222h]
		lock or	[esi], dl
		jmp	loc_53D376
; 

loc_5F25E2:				; CODE XREF: .text:0053D58Ej
		lea	eax, [edi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [edi+330h]
		jmp	loc_53D594
; 

loc_5F25F7:				; CODE XREF: .text:0053D5B9j
		push	esi
		mov	edx, offset _ExpWakeTimerLock
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_53D38E
; 

loc_5F2609:				; CODE XREF: .text:0053D23Ej
		cmp	byte ptr [ebp-23h], 0
		jz	short loc_5F2636
		mov	dword ptr [ebp-4], 1
		mov	ecx, [ebp-64h]
		mov	[eax], cl
		jmp	short loc_5F2623
; 

loc_5F261D:				; DATA XREF: .text:006A6A04o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]

loc_5F2623:				; CODE XREF: .text:005F261Bj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_53D244
; 

loc_5F262F:				; DATA XREF: .text:006A6A00o
		mov	ebx, [ebp-1Ch]
		xor	eax, eax
		inc	eax
		retn
; 

loc_5F2636:				; CODE XREF: .text:005F260Dj
		mov	ecx, [ebp-64h]
		mov	[eax], cl
		jmp	loc_53D244
; 
; START	OF FUNCTION CHUNK FOR NtAssociateWaitCompletionPacket

loc_5F2640:				; CODE XREF: NtAssociateWaitCompletionPacket+92j
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	loc_53D784
; 

loc_5F264F:				; CODE XREF: NtAssociateWaitCompletionPacket+BCj
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_28]
		jmp	short loc_5F26A2
; 

loc_5F265C:				; CODE XREF: NtAssociateWaitCompletionPacket+104j
		mov	dl, al
		mov	ecx, [ebp+arg_4]
		call	KfReleaseSpinLock
		mov	esi, 0C00000EFh
		mov	ebx, [ebp+var_24]
		jmp	short loc_5F2690
; END OF FUNCTION CHUNK	FOR NtAssociateWaitCompletionPacket

;  S U B	R O U T	I N E 


sub_5F2670	proc near		; DATA XREF: .text:006A6A1Co
		xor	eax, eax
		cmp	[ebp-2Ch], al
		setnz	al
		retn
sub_5F2670	endp


;  S U B	R O U T	I N E 


sub_5F2679	proc near		; DATA XREF: .text:006A6A20o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp+10h]
		jmp	loc_53D782
sub_5F2679	endp

; 
; START	OF FUNCTION CHUNK FOR NtAssociateWaitCompletionPacket

loc_5F268B:				; CODE XREF: NtAssociateWaitCompletionPacket+D0j
					; NtAssociateWaitCompletionPacket+DEj ...
		mov	esi, 0C00000F1h

loc_5F2690:				; CODE XREF: NtAssociateWaitCompletionPacket+B503Ej
		mov	ecx, [ebp+var_28]
		call	ObfDereferenceObject
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_20]

loc_5F26A2:				; CODE XREF: NtAssociateWaitCompletionPacket+B502Aj
		call	ObfDereferenceObject
		jmp	loc_53D782
; END OF FUNCTION CHUNK	FOR NtAssociateWaitCompletionPacket
; 
; START	OF FUNCTION CHUNK FOR KeRegisterObjectNotification

loc_5F26AC:				; CODE XREF: KeRegisterObjectNotification+AAj
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)
		jmp	loc_53D8B0
; END OF FUNCTION CHUNK	FOR KeRegisterObjectNotification
; 
; START	OF FUNCTION CHUNK FOR ObpGetWaitObject

loc_5F26C6:				; CODE XREF: ObpGetWaitObject+52j
		movzx	eax, word ptr [edi+7Eh]
		mov	eax, [eax+esi+18h]
		jmp	loc_53DA03
; END OF FUNCTION CHUNK	FOR ObpGetWaitObject
; 
; START	OF FUNCTION CHUNK FOR IopBuildDeviceIoControlRequest

loc_5F26D3:				; CODE XREF: IopBuildDeviceIoControlRequest+213j
		xor	ecx, ecx
		jmp	loc_53DCB7
; 

loc_5F26DA:				; CODE XREF: IopBuildDeviceIoControlRequest+26Bj
		cmp	[ebp+arg_8], 0
		jz	short loc_5F26EB
		push	0
		mov	eax, [esi+0Ch]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5F26EB:				; CODE XREF: IopBuildDeviceIoControlRequest+B7j
					; IopBuildDeviceIoControlRequest+22Aj ...
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		jmp	loc_53DD52
; END OF FUNCTION CHUNK	FOR IopBuildDeviceIoControlRequest

;  S U B	R O U T	I N E 


sub_5F26F6	proc near		; DATA XREF: .text:006A6A74o
		mov	eax, 1
		retn
sub_5F26F6	endp


;  S U B	R O U T	I N E 


sub_5F26FC	proc near		; DATA XREF: .text:006A6A78o
		mov	esp, [ebp-18h]
		mov	esi, [ebp+2Ch]
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_5F270F
		push	eax
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_5F270F:				; CODE XREF: sub_5F26FC+Bj
		cmp	dword ptr [ebp+10h], 0
		jz	short loc_5F2720
		push	0
		mov	eax, [esi+0Ch]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5F2720:				; CODE XREF: sub_5F26FC+17j
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	eax, eax
		jmp	loc_53DC08
sub_5F26FC	endp

; 
; START	OF FUNCTION CHUNK FOR IopBuildDeviceIoControlRequest

loc_5F2734:				; CODE XREF: IopBuildDeviceIoControlRequest+2A5j
		test	byte ptr ds:dword_6FDE00, 6
		jz	loc_53DB12
		jmp	loc_53DD1B
; 

loc_5F2746:				; CODE XREF: IopBuildDeviceIoControlRequest+119j
		call	@KiAcquireSpinLockInstrumented@4 ; KiAcquireSpinLockInstrumented(x)
		jmp	short loc_5F2752
; 

loc_5F274D:				; CODE XREF: IopBuildDeviceIoControlRequest+124j
		call	KxWaitForSpinLockAndAcquire

loc_5F2752:				; CODE XREF: IopBuildDeviceIoControlRequest+B4CDBj
		mov	ecx, [ebp+arg_8]
		jmp	loc_53DB9A
; 

loc_5F275A:				; CODE XREF: IopBuildDeviceIoControlRequest+12Fj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5F2761:				; CODE XREF: IopBuildDeviceIoControlRequest+146j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_53DBC1
; END OF FUNCTION CHUNK	FOR IopBuildDeviceIoControlRequest
; 
; START	OF FUNCTION CHUNK FOR IopSetLockOperationProcess

loc_5F276E:				; CODE XREF: IopSetLockOperationProcess+1Fj
		mov	eax, 0C000000Dh
		jmp	loc_53DE86
; 

loc_5F2778:				; CODE XREF: IopSetLockOperationProcess+93j
		mov	ecx, [ecx]
		test	ecx, ecx
		jnz	loc_53DE40
		jmp	loc_53DEA9
; 

loc_5F2787:				; CODE XREF: IopSetLockOperationProcess+FFj
		mov	esi, 0C000009Ah
		jmp	loc_53DE4E
; 

loc_5F2791:				; CODE XREF: IopSetLockOperationProcess+A5j
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_14]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_53DE63
; 

loc_5F27A1:				; CODE XREF: IopSetLockOperationProcess+CEj
		cmp	[ebp+var_1], 0
		jz	loc_53DEA2
		test	bh, bh
		jz	loc_53DEA2
		xor	eax, eax
		jmp	loc_53DE86
; END OF FUNCTION CHUNK	FOR IopSetLockOperationProcess
; 
; START	OF FUNCTION CHUNK FOR IopGetSetSpecificExtension

loc_5F27BA:				; CODE XREF: IopGetSetSpecificExtension+2Fj
		xor	esi, esi
		xor	edi, edi
		jmp	loc_53DF03
; 

loc_5F27C3:				; CODE XREF: IopGetSetSpecificExtension+8Fj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	0
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		mov	esi, eax
		jmp	loc_53DF07
; END OF FUNCTION CHUNK	FOR IopGetSetSpecificExtension
; 
; START	OF FUNCTION CHUNK FOR NtSetTimerEx

loc_5F27DE:				; CODE XREF: NtSetTimerEx+83j
					; NtSetTimerEx+8Bj
		mov	byte ptr [esi],	0
		jmp	loc_53E001
; END OF FUNCTION CHUNK	FOR NtSetTimerEx

;  S U B	R O U T	I N E 


sub_5F27E6	proc near		; DATA XREF: .text:006A6ACCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		mov	eax, 1
		retn
sub_5F27E6	endp


;  S U B	R O U T	I N E 


sub_5F27F6	proc near		; DATA XREF: .text:006A6AD0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-28h]
		jmp	loc_53E083
sub_5F27F6	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetTimerEx

loc_5F2808:				; CODE XREF: NtSetTimerEx+58j
		mov	eax, [ebp+arg_C]
		mov	ebx, [ebp+arg_8]
		jmp	loc_53E008
; 

loc_5F2813:				; CODE XREF: NtSetTimerEx+9Cj
		mov	eax, 0C0000003h
		jmp	loc_53E083
; 

loc_5F281D:				; CODE XREF: NtSetTimerEx+A5j
		mov	eax, 0C0000004h
		jmp	loc_53E083
; END OF FUNCTION CHUNK	FOR NtSetTimerEx

;  S U B	R O U T	I N E 


sub_5F2827	proc near		; DATA XREF: .text:006A6AD8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		mov	eax, 1
		retn
sub_5F2827	endp


;  S U B	R O U T	I N E 


sub_5F2837	proc near		; DATA XREF: .text:006A6ADCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2Ch]
		jmp	loc_53E083
sub_5F2837	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetTimerEx

loc_5F2849:				; CODE XREF: NtSetTimerEx+D5j
		mov	eax, 0C00000F1h
		jmp	loc_53E083
; END OF FUNCTION CHUNK	FOR NtSetTimerEx
; 
; START	OF FUNCTION CHUNK FOR ExpSetTimer

loc_5F2853:				; CODE XREF: ExpSetTimer+4Bj
		cmp	[ebp+arg_4], edi
		jnz	short loc_5F2888
		cmp	[ebp+arg_8], edi
		jnz	short loc_5F2888
		cmp	[ebp+arg_C], edi
		jnz	short loc_5F2888
		cmp	[ebp+arg_18], edi
		jnz	short loc_5F2888
		cmp	[ebp+arg_1C], edi
		jnz	short loc_5F2888
		mov	eax, [ebp+arg_14]
		mov	ecx, 2710h
		mul	ecx
		push	edi
		push	edx
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	eax
		call	ExpSetTimerObject2
		jmp	loc_53E146
; 

loc_5F2888:				; CODE XREF: ExpSetTimer+B478Ej
					; ExpSetTimer+B4793j ...
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, 0C000000Dh
		jmp	loc_53E146
; 

loc_5F2899:				; CODE XREF: ExpSetTimer+59j
		call	ObfDereferenceObject
		mov	eax, 0C0000024h
		jmp	loc_53E146
; END OF FUNCTION CHUNK	FOR ExpSetTimer
; 

loc_5F28A8:				; CODE XREF: .text:0053E4D3j
		call	_ExpCheckTestsigningEnabled@0 ;	ExpCheckTestsigningEnabled()
		test	al, al
		jnz	loc_53E4D9
		mov	eax, large fs:124h
		mov	cl, [eax+15Ah]
		call	_ExpCheckWakeTimerAccess@4 ; ExpCheckWakeTimerAccess(x)
		mov	[ebp-20h], eax
		test	eax, eax
		jz	loc_53E4D9
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	loc_53E2E9
; 

loc_5F28DD:				; CODE XREF: .text:0053E4E0j
		cmp	ds:byte_6C2E33,	0
		jnz	loc_53E4E6
		mov	eax, 40000025h
		mov	[ebp-20h], eax
		xor	edi, edi
		mov	[ebp-2Ch], edi
		jmp	loc_53E1A6
; 

loc_5F28FC:				; CODE XREF: .text:0053E50Fj
		xor	eax, eax
		mov	[ebp+14h], eax
		jmp	loc_53E60F
; 

loc_5F2906:				; CODE XREF: .text:0053E54Dj
		lea	ecx, [edx+222h]
		cmp	byte ptr [ecx],	0
		jz	short loc_5F2925
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [edx+1E4h]
		or	cl, al
		mov	[ebp+17h], cl
		jmp	loc_53E553
; 

loc_5F2925:				; CODE XREF: .text:005F290Fj
		xor	eax, eax
		mov	[ebp+14h], eax
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_53E57A
		mov	edx, offset _ExpWakeTimerLock
		mov	ecx, [ebp-28h]
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [ebp-28h]
		xor	eax, eax
		jmp	loc_53E57A
; 

loc_5F2951:				; CODE XREF: .text:0053E1F1j
		lea	ecx, [esi+28h]
		call	@KefReleaseSpinLockFromDpcLevel@4 ; KefReleaseSpinLockFromDpcLevel(x)
		cmp	byte ptr [ebp+17h], 0
		jz	short loc_5F296D
		mov	ecx, [ebp-28h]
		add	ecx, 454h
		call	@KefReleaseSpinLockFromDpcLevel@4 ; KefReleaseSpinLockFromDpcLevel(x)

loc_5F296D:				; CODE XREF: .text:005F295Dj
		mov	cl, [ebp-1Ah]
		mov	eax, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[ebp-44h], eax
		call	eax
		mov	byte ptr [ebp-19h], 1
		mov	eax, large fs:124h
		mov	[ebp-38h], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	dword ptr [ebp-5Ch], 0
		mov	eax, offset _ExpWakeTimerLock
		and	eax, 7FFFFFFCh
		mov	[ebp-58h], eax
		jnz	short loc_5F29AF
		xor	eax, eax
		mov	[ebp-30h], eax
		jmp	loc_5F2B02
; 

loc_5F29AF:				; CODE XREF: .text:005F29A3j
		mov	ecx, large fs:124h
		mov	[ebp-24h], ecx
		dec	word ptr [ecx+13Eh]
		nop
		inc	byte ptr [ecx+1E6h]
		nop
		cmp	byte ptr [ecx+1E6h], 1
		jz	short loc_5F29F0
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	offset _ExpWakeTimerLock
		mov	edx, [ebp-24h]
		push	edx
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F29F0:				; CODE XREF: .text:005F29CFj
		mov	dword ptr [ebp-54h], 0
		mov	dl, [ecx+1E4h]
		test	dl, dl
		jnz	short loc_5F2A18
		lea	edx, [ecx+222h]
		cmp	byte ptr [edx],	0
		jz	short loc_5F2A52
		xor	al, al
		xchg	al, [edx]
		mov	dl, [ecx+1E4h]
		or	dl, al

loc_5F2A18:				; CODE XREF: .text:005F29FFj
		movzx	eax, dl
		bsf	ecx, eax
		mov	[ebp-54h], ecx
		mov	al, 1
		shl	al, cl
		not	al
		and	al, dl
		mov	edx, [ebp-24h]
		mov	[edx+1E4h], al
		lea	edx, [ecx+ecx*2]
		shl	edx, 4
		mov	ecx, [ebp-24h]
		add	edx, [ecx+1E8h]
		mov	[ebp-30h], edx

loc_5F2A44:				; CODE XREF: .text:005F2A61j
					; .text:005F2A72j
		test	edx, edx
		jnz	short loc_5F2A74
		lea	eax, [ecx+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_5F2AC1
; 

loc_5F2A52:				; CODE XREF: .text:005F2A0Aj
		xor	edx, edx
		mov	[ebp-30h], edx
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5F2A44
		mov	edx, offset _ExpWakeTimerLock
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	ecx, [ebp-24h]
		xor	edx, edx
		jmp	short loc_5F2A44
; 

loc_5F2A74:				; CODE XREF: .text:005F2A46j
		mov	eax, offset _ExpWakeTimerLock
		shr	eax, 15h
		mov	edi, ds:dword_6D07D0
		cmp	edi, offset _ExpWakeTimerLock
		ja	short loc_5F2AA4
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_5F2AA9
		cmp	edi, offset _ExpWakeTimerLock
		ja	short loc_5F2AA4
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jz	short loc_5F2AA9

loc_5F2AA4:				; CODE XREF: .text:005F2A88j
					; .text:005F2A99j
		or	eax, 0FFFFFFFFh
		jmp	short loc_5F2AB7
; 

loc_5F2AA9:				; CODE XREF: .text:005F2A91j
					; .text:005F2AA2j
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp-24h]

loc_5F2AB7:				; CODE XREF: .text:005F2AA7j
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp-58h]
		mov	[edx+10h], eax

loc_5F2AC1:				; CODE XREF: .text:005F2A50j
		nop
		dec	byte ptr [ecx+1E6h]
		lea	eax, [ebp-5Ch]
		push	eax
		mov	edx, offset _ExpWakeTimerLock
		call	KiAbThreadRemoveBoosts
		nop
		mov	edx, [ebp-24h]
		mov	ax, [edx+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[edx+13Eh], ax
		test	ax, ax
		jnz	short loc_5F2AFF
		nop
		lea	eax, [edx+70h]
		cmp	[eax], eax
		jz	short loc_5F2AFF
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5F2AFF:				; CODE XREF: .text:005F2AF0j
					; .text:005F2AF8j
		mov	eax, [ebp-30h]

loc_5F2B02:				; CODE XREF: .text:005F29AAj
		mov	ecx, offset _ExpWakeTimerLock
		lock bts dword ptr [ecx], 0
		jnb	short loc_5F2B19
		push	ecx
		mov	edx, eax
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp-30h]

loc_5F2B19:				; CODE XREF: .text:005F2B0Cj
		test	eax, eax
		jz	short loc_5F2B21
		or	byte ptr [eax+0Eh], 1

loc_5F2B21:				; CODE XREF: .text:005F2B1Bj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp-1Ah], al
		cmp	byte ptr [ebp+17h], 0
		jz	short loc_5F2B3E
		mov	ecx, [ebp-28h]
		lea	ecx, [ecx+454h]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_5F2B3E:				; CODE XREF: .text:005F2B2Ej
		lea	ecx, [esi+28h]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		jmp	loc_53E1FF
; 

loc_5F2B4B:				; CODE XREF: .text:0053E31Bj
		mov	ecx, [ebp-58h]
		test	ecx, ecx
		jz	short loc_5F2B6F
		test	dword ptr [ecx+310h], 40000h
		jz	short loc_5F2B6B
		cmp	dword ptr [ecx+194h], 0
		mov	byte ptr [ebp+0Ch], 1
		jnz	short loc_5F2B6F

loc_5F2B6B:				; CODE XREF: .text:005F2B5Cj
		mov	byte ptr [ebp+0Ch], 0

loc_5F2B6F:				; CODE XREF: .text:005F2B50j
					; .text:005F2B69j
		lea	ecx, [esi+9Ch]
		push	ecx
		push	dword ptr [ebp+0Ch]
		push	0
		lea	edx, [esi+0A0h]
		mov	ecx, eax
		call	PsInsertVirtualizedTimer
		mov	eax, [ebp-28h]
		mov	ecx, [ebp+1Ch]
		mov	edx, [ebp+20h]
		jmp	loc_53E321
; 

loc_5F2B96:				; CODE XREF: .text:0053E343j
		mov	[ebp-64h], eax
		mov	edx, eax
		mov	ecx, [ebp+8]
		call	_ExpCalcDueTimeWithDelay@8 ; ExpCalcDueTimeWithDelay(x,x)
		mov	[ebp+10h], eax
		mov	[ebp-30h], edx
		mov	eax, 0D1B71759h
		mul	dword ptr [ebp+0Ch]
		shr	edx, 0Dh
		mov	ecx, [ebp+1Ch]
		test	ecx, ecx
		jz	short loc_5F2BCC
		lea	eax, [edx+ecx]
		cmp	eax, ecx
		jbe	short loc_5F2BCC
		mov	ecx, eax
		add	[esi+84h], edx
		jmp	short loc_5F2BEC
; 

loc_5F2BCC:				; CODE XREF: .text:005F2BB9j
					; .text:005F2BC0j
		mov	eax, [esi+84h]
		test	eax, eax
		jz	short loc_5F2BF2
		lea	edi, [eax+edx]
		mov	[ebp+1Ch], edi
		cmp	edi, eax
		mov	edi, [ebp-2Ch]
		jbe	short loc_5F2BF2
		mov	eax, [ebp+1Ch]
		mov	[esi+84h], eax

loc_5F2BEC:				; CODE XREF: .text:005F2BCAj
		mov	[esi+88h], edx

loc_5F2BF2:				; CODE XREF: .text:005F2BD4j
					; .text:005F2BE1j
		mov	edx, [ebp+20h]
		jmp	loc_53E262
; 

loc_5F2BFA:				; CODE XREF: .text:0053E269j
		mov	eax, [ebp+10h]
		mov	[esi+0B0h], eax
		mov	eax, [ebp-30h]
		mov	[esi+0B4h], eax
		test	eax, eax
		jns	short loc_5F2C22
		test	edi, edi
		setnz	al
		add	al, 2
		mov	[esi+8Ch], al
		jmp	loc_53E288
; 

loc_5F2C22:				; CODE XREF: .text:005F2C0Ej
		mov	byte ptr [esi+8Ch], 1
		jmp	loc_53E288
; 

loc_5F2C2E:				; CODE XREF: .text:0053E367j
		lea	eax, [esi+94h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_53E7DC
		cmp	[ecx], eax
		jnz	loc_53E7DC
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	dword ptr [eax], 0
		jmp	loc_53E36D
; 

loc_5F2C5A:				; CODE XREF: .text:0053E7B2j
		push	0
		push	dword ptr [ebp+1Ch]
		push	offset _ExpWakeTimerLock
		push	edi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F2C6F:				; CODE XREF: .text:0053E469j
		lea	esi, [ecx+222h]
		lock or	[esi], al
		mov	esi, [ebp-60h]
		jmp	loc_53E475
; 

loc_5F2C80:				; CODE XREF: .text:0053E6D7j
		lea	eax, [ecx+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [ecx+330h]
		jmp	loc_53E6DD
; 

loc_5F2C95:				; CODE XREF: .text:0053E705j
		push	dword ptr [ebp+18h]
		mov	edx, offset _ExpWakeTimerLock
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		mov	ecx, [ebp+20h]
		jmp	loc_53E48C
; 

loc_5F2CAA:				; CODE XREF: .text:0053E2E3j
		cmp	byte ptr [ebp-3Ch], 0
		jz	short loc_5F2CEE
		mov	dword ptr [ebp-4], 0
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_5F2CC4
		mov	edx, eax

loc_5F2CC4:				; CODE XREF: .text:005F2CC0j
		mov	al, [edx]
		mov	[edx], al
		mov	eax, [ebp-48h]
		mov	[ecx], al
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_53E2E9
; 

loc_5F2CD9:				; DATA XREF: .text:006A6AF4o
		mov	eax, 1
		retn
; 

loc_5F2CDF:				; DATA XREF: .text:006A6AF8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_53E2E9
; 

loc_5F2CEE:				; CODE XREF: .text:005F2CAEj
		mov	eax, [ebp-48h]
		mov	[ecx], al
		jmp	loc_53E2E9
; 
; START	OF FUNCTION CHUNK FOR ExpCancelTimer

loc_5F2CF8:				; CODE XREF: ExpCancelTimer+13j
		mov	ebx, [esi+34h]
		add	ebx, 2A0h
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [esi+7Ch]
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jnz	short loc_5F2D83
		cmp	[eax], ecx
		jnz	short loc_5F2D83
		mov	[eax], edx
		mov	[edx+4], eax
		test	ds:byte_70EFC6,	1
		jz	short loc_5F2D33
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5F2D38
; 

loc_5F2D33:				; CODE XREF: ExpCancelTimer+B4439j
		xor	eax, eax
		lock and [ebx],	eax

loc_5F2D38:				; CODE XREF: ExpCancelTimer+B4445j
		and	byte ptr [esi+0A8h], 0FEh
		test	byte ptr [esi+0A8h], 2
		jz	short loc_5F2D51
		cmp	byte ptr [esi+8Ch], 0
		jnz	short loc_5F2D6A

loc_5F2D51:				; CODE XREF: ExpCancelTimer+B445Aj
		push	esi
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jnz	short loc_5F2D6A
		push	0
		lea	eax, [esi+5Ch]
		push	eax
		call	KeRemoveQueueDpcEx
		test	al, al
		jz	short loc_5F2D6D

loc_5F2D6A:				; CODE XREF: ExpCancelTimer+B4463j
					; ExpCancelTimer+B446Dj
		xor	edi, edi
		inc	edi

loc_5F2D6D:				; CODE XREF: ExpCancelTimer+B447Cj
		lea	ecx, [esi+2Ch]
		call	KeRemoveQueueApc
		test	al, al
		jz	loc_53E91E
		inc	edi
		jmp	loc_53E91E
; 

loc_5F2D83:				; CODE XREF: ExpCancelTimer+B4427j
					; ExpCancelTimer+B442Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5F2D88:				; CODE XREF: KiSetTimerEx+7Aj
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	_KiTraceSetTimer@12 ; KiTraceSetTimer(x,x,x)
		jmp	loc_53E9B8
; END OF FUNCTION CHUNK	FOR ExpCancelTimer
; 
; START	OF FUNCTION CHUNK FOR KiComputeDueTime

loc_5F2D98:				; CODE XREF: KiComputeDueTime+D7j
		mov	edi, 0FFDF0018h
		lea	esi, [edi-4]
		lea	ebx, [edi+4]

loc_5F2DA3:				; CODE XREF: KiComputeDueTime+B43C3j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	edx, [edi]
		mov	ecx, [esi]
		mov	eax, [ebx]
		cmp	edx, eax
		jnz	short loc_5F2DA3
		mov	esi, [ebp+var_4]
		mov	ebx, [ebp+arg_8]
		jmp	loc_53EACD
; 

loc_5F2DC0:				; CODE XREF: KiComputeDueTime+69j
		mov	esi, 0FFDF000Ch
		lea	ebx, [esi-4]
		lea	edi, [esi+4]

loc_5F2DCB:				; CODE XREF: KiComputeDueTime+B43E9j
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		mov	ecx, [ebx]
		cmp	eax, [edi]
		jnz	short loc_5F2DCB
		mov	esi, [ebp+var_4]
		mov	edi, [ebp+arg_8]
		mov	ebx, [ebp+var_8]
		jmp	loc_53EA5F
; END OF FUNCTION CHUNK	FOR KiComputeDueTime
; 
; START	OF FUNCTION CHUNK FOR KiCancelTimer

loc_5F2DE9:				; CODE XREF: KiCancelTimer+136j
		movzx	ecx, byte ptr [ecx-1E9Ch]
		shl	edi, 6
		jmp	loc_53EC57
; 

loc_5F2DF8:				; CODE XREF: KiCancelTimer+CFj
					; KiCancelTimer+D7j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5F2DFF:				; CODE XREF: KiCancelTimer+4Ej
		test	bl, bl
		jz	loc_53EB64
		push	602h
		push	0F55h
		lea	eax, [ebp+var_24]
		mov	[ebp+var_24], esi
		push	40020000h
		mov	edx, 1
		mov	[ebp+var_14], eax
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_53EB64
; END OF FUNCTION CHUNK	FOR KiCancelTimer
; 
; START	OF FUNCTION CHUNK FOR ObDereferenceObjectExWithTag

loc_5F2E46:				; CODE XREF: ObDereferenceObjectExWithTag+11j
		push	746C6644h
		push	edi
		xor	dl, dl
		mov	ecx, eax
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		lea	eax, [ebx-18h]
		jmp	loc_53ED47
; 

loc_5F2E5D:				; CODE XREF: ObDereferenceObjectExWithTag+32j
		push	ecx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [ebx-0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		push	6
		xor	ecx, eax
		push	ebx
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		push	eax
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F2E85:				; CODE XREF: ObDereferenceObjectExWithTag+3Aj
		push	esi
		push	5
		push	ebx
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5F2E93:				; CODE XREF: KxWaitForSpinLockAndAcquire+17j
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	loc_53ED9D
		push	esi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	loc_53ED9F
; END OF FUNCTION CHUNK	FOR ObDereferenceObjectExWithTag
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceThermalZoneRundown

loc_5F2EAB:				; CODE XREF: PopDiagTraceThermalZoneRundown+56j
		mov	edx, 67446F50h
		mov	ecx, esi
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_5F2EC8
		mov	ecx, [esi+0B0h]
		mov	edx, [ecx+14h]
		jmp	short loc_5F2ECA
; 

loc_5F2EC8:				; CODE XREF: PopDiagTraceThermalZoneRundown+B4013j
		mov	edx, ebx

loc_5F2ECA:				; CODE XREF: PopDiagTraceThermalZoneRundown+B401Ej
		test	edx, edx
		jz	loc_5F3003
		mov	cx, [edx+48h]
		and	[ebp+var_98], 0
		shr	cx, 1
		push	2
		movzx	eax, cx
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_A4], eax
		mov	[ebp+var_A0], ebx
		pop	ebx
		mov	[ebp+var_9C], ebx
		mov	eax, [edx+4Ch]
		xor	edx, edx
		mov	[ebp+var_94], eax
		movzx	eax, cx
		add	eax, eax
		mov	[ebp+var_90], edx
		mov	[ebp+var_8C], eax
		xor	eax, eax
		cmp	[ebp+arg_0], al
		push	4
		setnz	al
		mov	[ebp+var_88], edx
		movzx	eax, ax
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_84], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_74], eax
		xor	eax, eax
		cmp	[ebp+arg_8], al
		pop	ecx
		setnz	al
		mov	[ebp+var_6C], ecx
		movzx	eax, ax
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_14]
		mov	[ebp+var_34], eax
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_2C], ecx
		movzx	ecx, word ptr [edi]
		mov	ax, cx
		mov	[ebp+var_80], edx
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_24], eax
		mov	eax, [edi+4]
		mov	[ebp+var_14], eax
		mov	eax, ecx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_A4]
		push	eax
		push	0Ah
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_78], edx
		mov	[ebp+var_70], edx
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		push	edx
		push	offset _POP_ETW_EVENT_THERMAL_ZONE_RUNDOWN
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_5F3003:				; CODE XREF: PopDiagTraceThermalZoneRundown+B4024j
		test	esi, esi
		jz	loc_53EF04
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	loc_53EF04
; END OF FUNCTION CHUNK	FOR PopDiagTraceThermalZoneRundown
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceFxRundown

loc_5F301C:				; CODE XREF: PopDiagTraceFxRundown+2Cj
		push	dword ptr [esi+14h]
		mov	dl, 1
		mov	ecx, esi
		push	dword ptr [esi+10h]
		call	_PopDiagTraceFxPluginRegistration@16 ; PopDiagTraceFxPluginRegistration(x,x,x,x)
		mov	esi, [esi]
		jmp	loc_53EF40
; END OF FUNCTION CHUNK	FOR PopDiagTraceFxRundown
; 
; START	OF FUNCTION CHUNK FOR PopPepGetDevicePlatformStateDependents

loc_5F3032:				; CODE XREF: PopPepGetDevicePlatformStateDependents+27j
		push	3
		lea	ecx, [esi+60h]
		pop	edx

loc_5F3038:				; CODE XREF: PopPepGetDevicePlatformStateDependents+B407Cj
		mov	eax, [ecx]
		lea	ecx, [ecx+4]
		or	[edi], eax
		sub	edx, 1
		jnz	short loc_5F3038
		cmp	[esi+84h], edx
		jbe	loc_53EFF3
		lea	ecx, [esi+124h]
		push	ebx

loc_5F3057:				; CODE XREF: PopPepGetDevicePlatformStateDependents+B40BAj
		xor	ebx, ebx
		cmp	[ecx], ebx
		jbe	short loc_5F3073
		xor	esi, esi

loc_5F305F:				; CODE XREF: PopPepGetDevicePlatformStateDependents+B40A8j
		mov	eax, [ecx+4]
		lea	esi, [esi+18h]
		mov	eax, [esi+eax-8]
		or	[edi], eax
		inc	ebx
		cmp	ebx, [ecx]
		jb	short loc_5F305F
		mov	esi, [ebp+var_8]

loc_5F3073:				; CODE XREF: PopPepGetDevicePlatformStateDependents+B4095j
		inc	edx
		add	ecx, 0A8h
		cmp	edx, [esi+84h]
		jb	short loc_5F3057
		pop	ebx
		jmp	loc_53EFF3
; END OF FUNCTION CHUNK	FOR PopPepGetDevicePlatformStateDependents

;  S U B	R O U T	I N E 


sub_5F3088	proc near		; CODE XREF: PopDiagTraceDeepSleepConstraintRundown+39j
		push	ebx
		push	esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopDeepSleepDisengageReasonLock
		mov	[ebp-0DDh], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, ds:_PopDeepSleepDisengageReasonMask
		mov	edx, esi
		and	[ebp-0D8h], edi
		not	edx
		and	[ebp-0D0h], edi
		movzx	ecx, dl
		shr	edx, 8
		movzx	eax, dl
		shr	edx, 8
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		mov	dword ptr [ebp-0D4h], 2
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[edx]
		movzx	ecx, cl
		mov	eax, ecx
		mov	[ebp-0E4h], eax
		lea	eax, [ebp-0E4h]
		mov	[ebp-0DCh], eax
		bsf	eax, esi
		lea	ebx, [ecx+1]
		mov	[ebp-2Ch], eax
		jz	short loc_5F314B
		xor	ecx, ecx
		lea	edx, [ebp-2Ch]

loc_5F3111:				; CODE XREF: sub_5F3088+C1j
		add	ecx, ecx
		lea	eax, [esi-1]
		and	esi, eax
		and	dword ptr [ebp+ecx*8-0C8h], 0
		and	dword ptr [ebp+ecx*8-0C0h], 0
		inc	edi
		bsf	eax, esi
		mov	[ebp+ecx*8-0CCh], edx
		lea	edx, [ebp-2Ch]
		mov	dword ptr [ebp+ecx*8-0C4h], 4
		movzx	ecx, di
		lea	edx, [edx+ecx*4]
		mov	[edx], eax
		jnz	short loc_5F3111

loc_5F314B:				; CODE XREF: sub_5F3088+82j
		lea	eax, [ebp-0DCh]
		push	eax
		push	ebx
		push	0
		push	offset _POP_ETW_DEEP_SLEEP_CONSTRAINT_RUNDOWN
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopDeepSleepDisengageReasonLock
		pop	esi
		pop	ebx
		jz	short loc_5F3185
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5F318A
; 

loc_5F3185:				; CODE XREF: sub_5F3088+F1j
		xor	eax, eax
		lock and [ecx],	eax

loc_5F318A:				; CODE XREF: sub_5F3088+FBj
		mov	cl, [ebp-0DDh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_53F083
sub_5F3088	endp

; 
; START	OF FUNCTION CHUNK FOR ExSetHandleAttributes

loc_5F319B:				; CODE XREF: ExSetHandleAttributes+1Fj
		mov	eax, [ecx+4]
		test	dl, 8
		jz	short loc_5F31AA
		or	eax, 4000000h
		jmp	short loc_5F31AF
; 

loc_5F31AA:				; CODE XREF: ExSetHandleAttributes+B4111j
		and	eax, 0FBFFFFFFh

loc_5F31AF:				; CODE XREF: ExSetHandleAttributes+B4118j
		mov	[ecx+4], eax
		jmp	loc_53F0B5
; END OF FUNCTION CHUNK	FOR ExSetHandleAttributes
; 
; START	OF FUNCTION CHUNK FOR vDbgPrintExWithPrefixInternal

loc_5F31B7:				; CODE XREF: vDbgPrintExWithPrefixInternal+7Bj
		mov	edi, eax
		jmp	loc_53F23B
; 

loc_5F31BE:				; CODE XREF: vDbgPrintExWithPrefixInternal+ACj
		cmp	eax, 80000005h
		mov	edi, [ebp+var_24]
		jz	loc_53F202

loc_5F31CC:				; CODE XREF: vDbgPrintExWithPrefixInternal+4Ej
		test	eax, eax
		jns	loc_53F26C
		cmp	eax, 80000005h
		jnz	loc_53F26C
		mov	word ptr [esi+ebx-2], 0Ah
		lea	ecx, [esi-1]
		jmp	loc_53F27A
; END OF FUNCTION CHUNK	FOR vDbgPrintExWithPrefixInternal

;  S U B	R O U T	I N E 


sub_5F31EE	proc near		; DATA XREF: .text:006A6F64o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5F31EE	endp


;  S U B	R O U T	I N E 


sub_5F31FC	proc near		; DATA XREF: .text:006A6F68o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-34h]
		jmp	loc_53F1E7
sub_5F31FC	endp

; 
; START	OF FUNCTION CHUNK FOR vDbgPrintExWithPrefixInternal

loc_5F320E:				; CODE XREF: vDbgPrintExWithPrefixInternal+D7j
		xor	edi, edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 1Bh
		jnb	short loc_5F3225
		mov	cl, 1Bh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_5F3225:				; CODE XREF: vDbgPrintExWithPrefixInternal+B4061j
		push	offset _RtlpDebugPrintCallbackLock
		call	ExAcquireSpinLockSharedAtDpcLevel
		mov	esi, ds:_RtlpDebugPrintCallbackList
		jmp	short loc_5F3282
; 

loc_5F3237:				; CODE XREF: vDbgPrintExWithPrefixInternal+B40CEj
		lea	ecx, [esi-8]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_5F3280
		push	offset _RtlpDebugPrintCallbackLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		lea	eax, [esi-0Ch]
		mov	ecx, [eax+8]
		mov	[ebp+var_24], ecx
		test	edi, edi
		jz	short loc_5F3268
		lea	ecx, [edi+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		lea	eax, [esi-0Ch]
		mov	ecx, [ebp+var_24]

loc_5F3268:				; CODE XREF: vDbgPrintExWithPrefixInternal+B409Ej
		mov	edi, eax
		push	[ebp+arg_0]
		push	[ebp+var_28]
		lea	eax, [ebp+var_30]
		push	eax
		call	ecx
		push	offset _RtlpDebugPrintCallbackLock
		call	ExAcquireSpinLockSharedAtDpcLevel

loc_5F3280:				; CODE XREF: vDbgPrintExWithPrefixInternal+B4087j
		mov	esi, [esi]

loc_5F3282:				; CODE XREF: vDbgPrintExWithPrefixInternal+B407Bj
		cmp	esi, offset _RtlpDebugPrintCallbackList
		jnz	short loc_5F3237
		push	offset _RtlpDebugPrintCallbackLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		test	edi, edi
		jz	short loc_5F32A0
		lea	ecx, [edi+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_5F32A0:				; CODE XREF: vDbgPrintExWithPrefixInternal+B40DCj
		cmp	bl, 1Bh
		jnb	loc_53F297
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_53F297
; 

loc_5F32B6:				; CODE XREF: vDbgPrintExWithPrefixInternal+F6j
		cmp	[ebp+arg_C], 1
		jnz	loc_53F1E7
		push	1
		call	_DbgBreakPointWithStatus@4 ; DbgBreakPointWithStatus(x)
		jmp	loc_53F1E5
; END OF FUNCTION CHUNK	FOR vDbgPrintExWithPrefixInternal
; 
; START	OF FUNCTION CHUNK FOR PoClearPowerRequest

loc_5F32CC:				; CODE XREF: PoClearPowerRequest+11j
		sub	eax, 1
		jz	short loc_5F32E4
		sub	eax, 1
		jz	short loc_5F32E0
		mov	eax, 0C00000BBh
		jmp	loc_53F33E
; 

loc_5F32E0:				; CODE XREF: PoClearPowerRequest+B3FB6j
		push	3
		jmp	short loc_5F32E6
; 

loc_5F32E4:				; CODE XREF: PoClearPowerRequest+B3FB1j
		push	2

loc_5F32E6:				; CODE XREF: PoClearPowerRequest+B3FC4j
		pop	edx
		jmp	loc_53F336
; END OF FUNCTION CHUNK	FOR PoClearPowerRequest
; 
; START	OF FUNCTION CHUNK FOR PopApplyLegacyPowerRequestFlags

loc_5F32EC:				; CODE XREF: PopApplyLegacyPowerRequestFlags+28j
		push	2
		push	esi
		test	bl, 40h
		jz	short loc_5F32FE
		call	PoSetPowerRequest
		jmp	loc_53F3BE
; 

loc_5F32FE:				; CODE XREF: PopApplyLegacyPowerRequestFlags+B3F62j
		call	PoClearPowerRequest
		jmp	loc_53F3BE
; END OF FUNCTION CHUNK	FOR PopApplyLegacyPowerRequestFlags
; 
; START	OF FUNCTION CHUNK FOR PoSetPowerRequest

loc_5F3308:				; CODE XREF: PoSetPowerRequest+11j
		sub	eax, 1
		jz	short loc_5F3320
		sub	eax, 1
		jz	short loc_5F331C
		mov	eax, 0C00000BBh
		jmp	loc_53F406
; 

loc_5F331C:				; CODE XREF: PoSetPowerRequest+B3F2Aj
		push	3
		jmp	short loc_5F3322
; 

loc_5F3320:				; CODE XREF: PoSetPowerRequest+B3F25j
		push	2

loc_5F3322:				; CODE XREF: PoSetPowerRequest+B3F38j
		pop	edx
		jmp	loc_53F3FE
; END OF FUNCTION CHUNK	FOR PoSetPowerRequest
; 
; START	OF FUNCTION CHUNK FOR PoClearPowerRequestInternal

loc_5F3328:				; CODE XREF: PoClearPowerRequestInternal+19Fj
		cmp	esi, 2
		jnz	loc_53F662
		jmp	loc_53F534
; 

loc_5F3336:				; CODE XREF: PoClearPowerRequestInternal+11Bj
		mov	eax, [edi+54h]
		test	eax, eax
		jz	loc_53F5DF
		cmp	[ebp+var_4], 2
		jnb	loc_53F5DF
		mov	edx, 72506F50h
		mov	[ebp+var_8], eax
		mov	ecx, eax
		call	ObfReferenceObjectWithTag
		mov	[ebp+var_C], 2
		jmp	loc_53F5DF
; 

loc_5F3366:				; CODE XREF: PoClearPowerRequestInternal+131j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_20]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_53F617
; 

loc_5F3376:				; CODE XREF: PoClearPowerRequestInternal+153j
		lea	ecx, [ebp+var_20]
		call	KxWaitForLockChainValid
		jmp	loc_53F695
; 

loc_5F3383:				; CODE XREF: PoClearPowerRequestInternal+165j
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_PopNotifyUserPowerRequestAction@12 ; PopNotifyUserPowerRequestAction(x,x,x)
		jmp	loc_53F629
; 

loc_5F3392:				; CODE XREF: PoClearPowerRequestInternal+18Aj
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_PopProcessDisplayRequiredChange@8 ; PopProcessDisplayRequiredChange(x,x)
		mov	edx, 72506F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	loc_53F64E
; 

loc_5F33AD:				; CODE XREF: PoClearPowerRequestInternal+38j
					; PoClearPowerRequestInternal+50j ...
		mov	ebx, 0C00000BBh
		jmp	loc_53F64E
; END OF FUNCTION CHUNK	FOR PoClearPowerRequestInternal
; 
; START	OF FUNCTION CHUNK FOR PopUmpoSendPowerMessage

loc_5F33B7:				; CODE XREF: PopUmpoSendPowerMessage+32j
		mov	esi, 0C000009Ah
		jmp	loc_53FC94
; 

loc_5F33C1:				; CODE XREF: PopUmpoSendPowerMessage+4Ej
		mov	esi, 80000005h
		jmp	loc_53FC87
; END OF FUNCTION CHUNK	FOR PopUmpoSendPowerMessage
; 
; START	OF FUNCTION CHUNK FOR PopProcessPowerRequestOverrideQueryResponse

loc_5F33CB:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+78j
		bsf	esi, edx
		mov	ebx, eax
		mov	ecx, esi
		mov	[ebp+var_38], esi
		shl	ebx, cl
		cmp	dword ptr [edi+esi*4+18h], 0
		jbe	loc_5F348F
		cmp	dword ptr [edi+44h], 0
		jz	short loc_5F3406
		cmp	ds:_PopPowerRequestNotificationsEnabled, 0
		jz	short loc_5F3406
		test	esi, esi
		jz	short loc_5F3403
		cmp	esi, 3
		jz	short loc_5F3403
		cmp	esi, eax
		jz	short loc_5F3403
		cmp	esi, 2
		jnz	short loc_5F3406

loc_5F3403:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+B36A7j
					; PopProcessPowerRequestOverrideQueryResponse+B36ACj ...
		mov	[ebp+var_15], al

loc_5F3406:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+B369Aj
					; PopProcessPowerRequestOverrideQueryResponse+B36A3j ...
		test	esi, esi
		jnz	short loc_5F3423
		mov	eax, [edi+54h]
		test	eax, eax
		jz	short loc_5F3423
		mov	edx, 72506F50h
		mov	[ebp+var_1C], eax
		mov	ecx, eax
		call	ObfReferenceObjectWithTag
		mov	edx, [ebp+var_34]

loc_5F3423:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+B36BCj
					; PopProcessPowerRequestOverrideQueryResponse+B36C3j
		mov	eax, ds:_PopPowerRequestAttributes[esi*8]
		test	[ebp+var_30], ebx
		jz	short loc_5F345E
		dec	eax
		mov	[ebp+var_20], 2
		mov	ds:_PopPowerRequestAttributes[esi*8], eax
		test	esi, esi
		jz	short loc_5F344B
		cmp	esi, 3
		jz	short loc_5F344B
		test	eax, eax
		jnz	short loc_5F344F

loc_5F344B:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+B36F4j
					; PopProcessPowerRequestOverrideQueryResponse+B36F9j
		dec	byte ptr [esi+edi+38h]

loc_5F344F:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+B36FDj
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_15], 0
		jz	short loc_5F348F
		mov	byte ptr [ebp+esi+var_14], al
		jmp	short loc_5F348F
; 

loc_5F345E:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+B36E1j
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_20], ecx
		cmp	eax, 0FFFFFFFFh
		jnb	short loc_5F3482
		inc	eax
		mov	ds:_PopPowerRequestAttributes[esi*8], eax
		test	esi, esi
		jz	short loc_5F347E
		cmp	esi, 3
		jz	short loc_5F347E
		cmp	eax, ecx
		jnz	short loc_5F3482

loc_5F347E:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+B3727j
					; PopProcessPowerRequestOverrideQueryResponse+B372Cj
		inc	byte ptr [esi+edi+38h]

loc_5F3482:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+B371Bj
					; PopProcessPowerRequestOverrideQueryResponse+B3730j
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_15], 0
		jz	short loc_5F348F
		mov	byte ptr [ebp+esi+var_C], al

loc_5F348F:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+B3690j
					; PopProcessPowerRequestOverrideQueryResponse+B370Aj ...
		not	ebx
		and	edx, ebx
		jmp	loc_53FDC1
; 

loc_5F3498:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+90j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_53FE00
; 

loc_5F34A8:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+AEj
		lea	ecx, [ebp+var_2C]
		call	KxWaitForLockChainValid
		jmp	loc_53FE54
; 

loc_5F34B5:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+C7j
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_PopNotifyUserPowerRequestAction@12 ; PopNotifyUserPowerRequestAction(x,x,x)
		jmp	loc_53FE19
; 

loc_5F34C4:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+DDj
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	_PopNotifyUserPowerRequestAction@12 ; PopNotifyUserPowerRequestAction(x,x,x)
		jmp	loc_53FE2F
; 

loc_5F34D4:				; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+F3j
		mov	edx, edi
		mov	ecx, ebx
		call	_PopProcessDisplayRequiredChange@8 ; PopProcessDisplayRequiredChange(x,x)
		mov	edx, 72506F50h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		jmp	loc_53FE45
; END OF FUNCTION CHUNK	FOR PopProcessPowerRequestOverrideQueryResponse
; 
; START	OF FUNCTION CHUNK FOR PoSetPowerRequestInternal

loc_5F34EE:				; CODE XREF: PoSetPowerRequestInternal+1F5j
		cmp	esi, 2
		jnz	loc_54007D
		jmp	loc_53FECC
; 

loc_5F34FC:				; CODE XREF: PoSetPowerRequestInternal+A9j
		mov	edi, 0C0000095h
		jmp	loc_53FF7D
; 

loc_5F3506:				; CODE XREF: PoSetPowerRequestInternal+D2j
		and	dword ptr [ebx+esi*4+18h], 0
		mov	edi, 0C0000095h
		jmp	loc_53FF80
; 

loc_5F3515:				; CODE XREF: PoSetPowerRequestInternal+B7j
					; PoSetPowerRequestInternal+236j
		mov	[ebp+var_1], 0
		jmp	loc_53FF74
; 

loc_5F351E:				; CODE XREF: PoSetPowerRequestInternal+120j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_53FFAE
; 

loc_5F352E:				; CODE XREF: PoSetPowerRequestInternal+142j
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid
		xor	ecx, ecx
		inc	ecx

loc_5F3539:				; CODE XREF: PoSetPowerRequestInternal+12Bj
		mov	[ebp+var_18], 0
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_53FFAE
; 

loc_5F354B:				; CODE XREF: PoSetPowerRequestInternal+159j
		xor	eax, eax
		mov	edx, esi
		inc	eax
		mov	ecx, ebx
		push	eax
		call	_PopNotifyUserPowerRequestAction@12 ; PopNotifyUserPowerRequestAction(x,x,x)
		jmp	loc_53FFC5
; 

loc_5F355D:				; CODE XREF: PoSetPowerRequestInternal+39j
					; PoSetPowerRequestInternal+4Bj ...
		mov	edi, 0C00000BBh
		jmp	loc_53FFEE
; END OF FUNCTION CHUNK	FOR PoSetPowerRequestInternal
; 
; START	OF FUNCTION CHUNK FOR _tlgCreate1Sz_char

loc_5F3567:				; CODE XREF: _tlgCreate1Sz_char+5j
		xor	esi, esi
		mov	edx, offset ??_C@_00CNPNBAHC@@FNODOBFM@
		inc	esi
		jmp	loc_540306
; END OF FUNCTION CHUNK	FOR _tlgCreate1Sz_char
; 
; START	OF FUNCTION CHUNK FOR SessionIsInteractive

loc_5F3574:				; CODE XREF: SessionIsInteractive+40j
		mov	eax, [ecx+2F8h]
		mov	eax, [eax+28Ch]
		mov	eax, [eax+4]
		jmp	loc_5403A1
; END OF FUNCTION CHUNK	FOR SessionIsInteractive
; 
; START	OF FUNCTION CHUNK FOR RtlStringCbCopyUnicodeString

loc_5F3588:				; CODE XREF: RtlStringCbCopyUnicodeString+42j
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		mov	[ecx], dx
		jmp	loc_540991
; END OF FUNCTION CHUNK	FOR RtlStringCbCopyUnicodeString
; 
; START	OF FUNCTION CHUNK FOR PoQueryStopWatch

loc_5F3595:				; CODE XREF: PoQueryStopWatch+2Dj
		call	KeQueryInterruptTime
		mov	ebx, [esi]
		mov	ecx, [esi+4]
		mov	esi, ecx
		mov	[ebp+var_10], ebx
		sub	ebx, [edi+10h]
		push	0
		sbb	esi, [edi+14h]
		add	ebx, eax
		mov	eax, esi
		mov	[ebp+var_8], ebx
		mov	esi, [ebp+var_C]
		adc	eax, edx
		mov	[ebp+var_4], eax
		pop	ebx
		cmp	eax, ecx
		jb	short loc_5F35D7
		mov	eax, [ebp+var_8]
		ja	short loc_5F35CA
		cmp	eax, [ebp+var_10]
		jb	short loc_5F35D7

loc_5F35CA:				; CODE XREF: PoQueryStopWatch+B2B4Fj
		mov	[esi], eax
		mov	eax, [ebp+var_4]
		mov	[esi+4], eax
		jmp	loc_540AA7
; 

loc_5F35D7:				; CODE XREF: PoQueryStopWatch+B2B4Aj
					; PoQueryStopWatch+B2B54j
		or	dword ptr [esi], 0FFFFFFFFh
		or	dword ptr [esi+4], 0FFFFFFFFh
		jmp	loc_540AA7
; 

loc_5F35E3:				; CODE XREF: PoQueryStopWatch+38j
		mov	eax, [edi+10h]
		or	eax, [edi+14h]
		mov	al, 1
		jnz	short loc_5F35EF
		mov	al, bl

loc_5F35EF:				; CODE XREF: PoQueryStopWatch+B2B77j
		mov	[ecx], al
		jmp	loc_540AB2
; END OF FUNCTION CHUNK	FOR PoQueryStopWatch
; 
; START	OF FUNCTION CHUNK FOR LdrpResSearchResourceMappedFile

loc_5F35F6:				; CODE XREF: LdrpResSearchResourceMappedFile+515j
		xor	edx, edx
		inc	edx
		mov	al, dl
		jmp	loc_540C2E
; END OF FUNCTION CHUNK	FOR LdrpResSearchResourceMappedFile

;  S U B	R O U T	I N E 


sub_5F3600	proc near		; DATA XREF: .text:006A704Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-338h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5F3600	endp


;  S U B	R O U T	I N E 


sub_5F3611	proc near		; DATA XREF: .text:006A7050o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-338h]
		jmp	short loc_5F3647
sub_5F3611	endp

; 
; START	OF FUNCTION CHUNK FOR LdrpResSearchResourceMappedFile

loc_5F361C:				; CODE XREF: LdrpResSearchResourceMappedFile+B2CA4j
		lea	esi, [ebx+ebx]
		push	esi		; size_t
		lea	ecx, [ebp+var_D0]
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebx+1]
		mov	ecx, [ebp+var_30C]
		mov	[ecx], eax
		xor	ecx, ecx
		mov	eax, [ebp+var_32C]
		mov	[esi+eax], cx

loc_5F3647:				; CODE XREF: sub_5F3611+9j
					; LdrpResSearchResourceMappedFile+B2CC5j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_540E35
; 

loc_5F3653:				; CODE XREF: LdrpResSearchResourceMappedFile+ABj
		xor	edx, edx
		inc	edx
		jmp	loc_540C3E
; 

loc_5F365B:				; CODE XREF: LdrpResSearchResourceMappedFile+420j
		mov	edx, ebx
		jmp	loc_540F88
; 

loc_5F3662:				; CODE XREF: LdrpResSearchResourceMappedFile+444j
		mov	eax, 400h
		cmp	dx, ax
		jz	loc_540FA8
		mov	eax, 800h
		cmp	dx, ax
		jnz	loc_541000
		jmp	loc_540FA8
; 

loc_5F3683:				; CODE XREF: LdrpResSearchResourceMappedFile+4BDj
		cmp	edi, 0C000008Ah
		jnz	loc_540E35
		mov	esi, [ebp+var_2E0]
		or	esi, 80000h
		jmp	loc_541038
; 

loc_5F36A0:				; CODE XREF: LdrpResSearchResourceMappedFile+F6j
		mov	edi, 0C000008Ah
		jmp	loc_540E35
; 

loc_5F36AA:				; CODE XREF: LdrpResSearchResourceMappedFile+3DFj
		or	esi, 4
		jmp	loc_540F43
; 

loc_5F36B2:				; CODE XREF: LdrpResSearchResourceMappedFile+400j
		mov	edx, [ebp+arg_0]
		test	edx, 1000h
		jz	loc_540CAA
		jmp	loc_540E37
; 

loc_5F36C6:				; CODE XREF: LdrpResSearchResourceMappedFile+2EEj
		or	edx, 20h
		mov	[ebp+arg_0], edx
		jmp	loc_540F21
; 

loc_5F36D1:				; CODE XREF: LdrpResSearchResourceMappedFile+1CAj
		mov	dl, [ebp+var_2D9]
		jmp	loc_540E91
; 

loc_5F36DC:				; CODE XREF: LdrpResSearchResourceMappedFile+366j
		cmp	edi, 0C0000034h
		jz	short loc_5F36F0
		cmp	edi, 0C000003Ah
		jnz	loc_540F18

loc_5F36F0:				; CODE XREF: LdrpResSearchResourceMappedFile+B2B84j
		mov	edi, 0C00B0001h
		jmp	loc_540F18
; 

loc_5F36FA:				; CODE XREF: LdrpResSearchResourceMappedFile+374j
		push	ecx
		push	200h
		lea	edx, [ebp+var_2E8]
		mov	ecx, [ebp+var_2EC]
		call	_LdrpResGetMappingSize@16 ; LdrpResGetMappingSize(x,x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_2E8]
		jmp	loc_540ED8
; 

loc_5F371E:				; CODE XREF: LdrpResSearchResourceMappedFile+22Cj
		lea	eax, [ebp+var_304]
		jmp	loc_540D90
; 

loc_5F3729:				; CODE XREF: LdrpResSearchResourceMappedFile+2BBj
		test	edi, edi
		js	loc_540F18
		mov	edx, [ebp+var_308]
		test	edx, edx
		jz	loc_540E1F
		cmp	[ebp+var_2D9], 0
		jz	loc_540E1F
		mov	eax, [ebp+var_328]
		test	eax, eax
		jz	short loc_5F375A
		mov	eax, [eax]
		jmp	short loc_5F3760
; 

loc_5F375A:				; CODE XREF: LdrpResSearchResourceMappedFile+B2BF6j
		mov	eax, [ebp+var_304]

loc_5F3760:				; CODE XREF: LdrpResSearchResourceMappedFile+B2BFAj
		push	1
		mov	ecx, [ebp+var_2E4]
		push	dword ptr [ecx+0Ch]
		push	eax
		mov	edx, [edx]
		mov	ecx, [ebp+var_2EC]
		call	LdrpFindMessageInAlternateModule
		mov	edi, eax
		test	edi, edi
		jns	loc_540E27
		mov	eax, [ebp+var_308]
		mov	[eax], ebx
		cmp	edi, 0C000007Bh
		jz	loc_540E35
		jmp	loc_540E1F
; 

loc_5F379C:				; CODE XREF: LdrpResSearchResourceMappedFile+2D1j
		mov	ecx, [ebp+var_2F0]
		test	cx, cx
		jnz	short loc_5F37B2
		xor	eax, eax
		mov	word ptr [ebp+var_D0], ax
		jmp	short loc_5F37EF
; 

loc_5F37B2:				; CODE XREF: LdrpResSearchResourceMappedFile+B2C47j
		push	2
		push	56h
		lea	edx, [ebp+var_D0]
		call	DownLevelLangIDToLanguageName
		test	eax, eax
		jnz	short loc_5F37CF
		mov	edi, 0C0000001h
		jmp	loc_540E35
; 

loc_5F37CF:				; CODE XREF: LdrpResSearchResourceMappedFile+B2C65j
		lea	ecx, [ebp+var_D0]
		lea	edx, [ecx+2]

loc_5F37D8:				; CODE XREF: LdrpResSearchResourceMappedFile+B2C83j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_5F37D8
		mov	ebx, ecx
		sub	ebx, edx
		sar	ebx, 1
		mov	edx, [ebp+var_30C]

loc_5F37EF:				; CODE XREF: LdrpResSearchResourceMappedFile+B2C52j
		mov	[ebp+ms_exc.disabled], 1
		cmp	ebx, [edx]
		jnb	short loc_5F3808
		mov	eax, [ebp+var_32C]
		test	eax, eax
		jnz	loc_5F361C

loc_5F3808:				; CODE XREF: LdrpResSearchResourceMappedFile+B2C9Aj
		lea	eax, [ebx+1]
		mov	[edx], eax
		mov	edi, 0C0000023h
		jmp	short loc_5F381D
; END OF FUNCTION CHUNK	FOR LdrpResSearchResourceMappedFile

;  S U B	R O U T	I N E 


sub_5F3814	proc near		; DATA XREF: .text:006A705Co
		mov	esp, [ebp-18h]
		mov	edi, [ebp-340h]
sub_5F3814	endp

; START	OF FUNCTION CHUNK FOR LdrpResSearchResourceMappedFile

loc_5F381D:				; CODE XREF: LdrpResSearchResourceMappedFile+B2CB4j
		mov	[ebp+var_344], edi
		jmp	loc_5F3647
; END OF FUNCTION CHUNK	FOR LdrpResSearchResourceMappedFile

;  S U B	R O U T	I N E 


sub_5F3828	proc near		; DATA XREF: .text:006A7058o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-340h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5F3828	endp

; 
; START	OF FUNCTION CHUNK FOR LdrpFindMessageInAlternateModule

loc_5F3839:				; CODE XREF: LdrpFindMessageInAlternateModule+34j
		imul	eax, ecx, 0Ch
		add	eax, 4
		cmp	eax, [ebp+arg_0]
		jbe	loc_5410B2
		mov	eax, 0C000007Bh
		jmp	loc_5410D3
; END OF FUNCTION CHUNK	FOR LdrpFindMessageInAlternateModule
; 
; START	OF FUNCTION CHUNK FOR LdrpGetAlternateResourceModuleHandleEx

loc_5F3852:				; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+7Cj
					; LdrpGetAlternateResourceModuleHandleEx+B2j
		mov	edi, ds:_AlternateResourceModuleCount
		mov	[ebp+var_24], edi
		jmp	loc_541198
; 

loc_5F3860:				; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+C4j
		mov	eax, [ebp+var_20]
		and	eax, 0FFFFFFFCh
		push	eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	loc_5411AA
		movzx	ecx, word ptr [eax+18h]
		mov	edx, 10Bh
		cmp	cx, dx
		jz	short loc_5F3894
		mov	edx, 20Bh
		cmp	cx, dx
		jz	short loc_5F3894
		mov	[ebp+var_1C], esi
		jmp	loc_5411AA
; 

loc_5F3894:				; CODE XREF: LdrpGetAlternateResourceModuleHandleEx+B27A0j
					; LdrpGetAlternateResourceModuleHandleEx+B27AAj
		mov	eax, [eax+50h]
		mov	[ebp+var_1C], eax
		jmp	loc_5411AA
; END OF FUNCTION CHUNK	FOR LdrpGetAlternateResourceModuleHandleEx

;  S U B	R O U T	I N E 


sub_5F389F	proc near		; DATA XREF: .text:006A70C0o
		xor	esi, esi
		jmp	sub_5411D3
sub_5F389F	endp

; 
; START	OF FUNCTION CHUNK FOR LdrpGetMappingFromCacheEntry

loc_5F38A6:				; CODE XREF: LdrpGetMappingFromCacheEntry+3Dj
		mov	eax, esi
		and	eax, 0FFFFFFFCh
		push	eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	loc_541250
		movzx	ecx, word ptr [eax+18h]
		mov	edx, 10Bh
		cmp	cx, dx
		jz	short loc_5F38D5
		mov	edx, 20Bh
		cmp	cx, dx
		jz	short loc_5F38D5
		xor	ecx, ecx
		jmp	short loc_5F38D8
; 

loc_5F38D5:				; CODE XREF: LdrpGetMappingFromCacheEntry+B26D7j
					; LdrpGetMappingFromCacheEntry+B26E1j
		mov	ecx, [eax+50h]

loc_5F38D8:				; CODE XREF: LdrpGetMappingFromCacheEntry+B26E5j
		test	ecx, ecx
		jz	loc_541250
		jmp	loc_541231
; END OF FUNCTION CHUNK	FOR LdrpGetMappingFromCacheEntry
; 
; START	OF FUNCTION CHUNK FOR LdrpGetImageSize

loc_5F38E5:				; CODE XREF: LdrpGetImageSize+49j
		mov	edx, 20Bh
		cmp	cx, dx
		jnz	loc_541307
		jmp	loc_5412FD
; END OF FUNCTION CHUNK	FOR LdrpGetImageSize
; 
; START	OF FUNCTION CHUNK FOR RtlSectionTableFromVirtualAddress

loc_5F38F8:				; CODE XREF: RtlSectionTableFromVirtualAddress+1Fj
		cmp	edx, edi
		ja	loc_5413F9
		imul	eax, esi, 28h
		add	eax, edx
		cmp	eax, edx
		jb	loc_5413F9
		cmp	eax, edi
		jnb	loc_5413F9
		jmp	loc_5413D9
; END OF FUNCTION CHUNK	FOR RtlSectionTableFromVirtualAddress
; 
; START	OF FUNCTION CHUNK FOR LdrRscIsTypeExist

loc_5F391A:				; CODE XREF: LdrRscIsTypeExist+30j
		mov	edx, [esi+58h]
		shr	edx, 1
		mov	[ebp+var_24], edx
		mov	ecx, [esi+54h]
		add	ecx, esi
		mov	[ebp+var_20], ecx
		cmp	ecx, 10000h
		jbe	short loc_5F397C

loc_5F3932:				; CODE XREF: LdrRscIsTypeExist+B250Fj
		test	edx, edx
		jle	short loc_5F397C
		cmp	[ecx], bx
		jz	short loc_5F3987
		push	ecx		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_20]
		test	eax, eax
		jz	short loc_5F3979
		mov	edx, ecx
		lea	eax, [edx+2]
		mov	[ebp+arg_4], eax

loc_5F3953:				; CODE XREF: LdrRscIsTypeExist+B24F4j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, bx
		jnz	short loc_5F3953
		sub	edx, [ebp+arg_4]
		sar	edx, 1
		lea	eax, [edx+1]
		lea	ecx, [ecx+eax*2]
		mov	[ebp+var_20], ecx
		mov	edx, [ebp+var_24]
		sub	edx, eax
		mov	[ebp+var_24], edx
		mov	eax, [ebp+var_1C]
		jmp	short loc_5F3932
; 

loc_5F3979:				; CODE XREF: LdrRscIsTypeExist+B24E1j
		mov	edx, [ebp+var_24]

loc_5F397C:				; CODE XREF: LdrRscIsTypeExist+B24C8j
					; LdrRscIsTypeExist+B24CCj
		cmp	[ecx], bx
		jz	short loc_5F3987
		test	edx, edx
		mov	al, 1
		jg	short loc_5F3989

loc_5F3987:				; CODE XREF: LdrRscIsTypeExist+B24D1j
					; LdrRscIsTypeExist+B2517j
		mov	al, bl

loc_5F3989:				; CODE XREF: LdrRscIsTypeExist+B251Dj
		test	al, al
		jnz	short loc_5F3993
		or	dword ptr [edi], 40000h

loc_5F3993:				; CODE XREF: LdrRscIsTypeExist+B2523j
		mov	edx, [esi+68h]
		shr	edx, 1
		mov	[ebp+var_2C], edx
		mov	ecx, [esi+64h]
		add	ecx, esi
		mov	[ebp+var_28], ecx
		cmp	ecx, 10000h
		jbe	short loc_5F39F5
		mov	esi, [ebp+var_1C]

loc_5F39AE:				; CODE XREF: LdrRscIsTypeExist+B2588j
		test	edx, edx
		jle	short loc_5F39F5
		cmp	[ecx], bx
		jz	short loc_5F3A03
		push	ecx		; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_28]
		test	eax, eax
		jz	short loc_5F39F2
		mov	edx, ecx
		lea	eax, [edx+2]
		mov	[ebp+arg_4], eax

loc_5F39CF:				; CODE XREF: LdrRscIsTypeExist+B2570j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, bx
		jnz	short loc_5F39CF
		sub	edx, [ebp+arg_4]
		sar	edx, 1
		lea	eax, [edx+1]
		lea	ecx, [ecx+eax*2]
		mov	[ebp+var_28], ecx
		mov	edx, [ebp+var_2C]
		sub	edx, eax
		mov	[ebp+var_2C], edx
		jmp	short loc_5F39AE
; 

loc_5F39F2:				; CODE XREF: LdrRscIsTypeExist+B255Dj
		mov	edx, [ebp+var_2C]

loc_5F39F5:				; CODE XREF: LdrRscIsTypeExist+B2541j
					; LdrRscIsTypeExist+B2548j
		cmp	[ecx], bx
		jz	short loc_5F3A03
		test	edx, edx
		jle	short loc_5F3A03
		xor	eax, eax
		inc	eax
		jmp	short loc_5F3A05
; 

loc_5F3A03:				; CODE XREF: LdrRscIsTypeExist+B254Dj
					; LdrRscIsTypeExist+B2590j ...
		mov	al, bl

loc_5F3A05:				; CODE XREF: LdrRscIsTypeExist+B2599j
		test	al, al
		jnz	loc_5414F3
		jmp	loc_54151B
; END OF FUNCTION CHUNK	FOR LdrRscIsTypeExist

;  S U B	R O U T	I N E 


sub_5F3A12	proc near		; DATA XREF: .text:006A70FCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5F3A12	endp


;  S U B	R O U T	I N E 


sub_5F3A20	proc near		; DATA XREF: .text:006A7100o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-40h]
		jmp	loc_5414F3
sub_5F3A20	endp

; 
; START	OF FUNCTION CHUNK FOR LdrRscIsTypeExist

loc_5F3A2B:				; CODE XREF: LdrRscIsTypeExist+17j
					; LdrRscIsTypeExist+22j
		mov	eax, 0C000000Dh
		jmp	loc_5414FC
; END OF FUNCTION CHUNK	FOR LdrRscIsTypeExist
; 
; START	OF FUNCTION CHUNK FOR LdrpGetRcConfig

loc_5F3A35:				; CODE XREF: LdrpGetRcConfig+3Aj
		xor	eax, eax
		jmp	loc_54156A
; 

loc_5F3A3C:				; CODE XREF: LdrpGetRcConfig+A1j
		mov	eax, 0C000007Bh
		jmp	loc_5415EF
; END OF FUNCTION CHUNK	FOR LdrpGetRcConfig
; 
; START	OF FUNCTION CHUNK FOR LdrpLoadResourceFromAlternativeModule

loc_5F3A46:				; CODE XREF: LdrpLoadResourceFromAlternativeModule+13j
		cmp	[ebp+arg_0], 3
		jz	loc_54160D
		mov	eax, 0C00000F1h
		jmp	loc_541648
; END OF FUNCTION CHUNK	FOR LdrpLoadResourceFromAlternativeModule

;  S U B	R O U T	I N E 


sub_5F3A5A	proc near		; DATA XREF: .text:006A713Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2FCh], eax
		xor	eax, eax
		inc	eax
		retn
sub_5F3A5A	endp


;  S U B	R O U T	I N E 


sub_5F3A6B	proc near		; DATA XREF: .text:006A7140o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-2FCh]
		jmp	loc_541752
sub_5F3A6B	endp

; 
; START	OF FUNCTION CHUNK FOR LdrLoadAlternateResourceModuleEx

loc_5F3A79:				; CODE XREF: LdrLoadAlternateResourceModuleEx+1DBj
		push	[ebp+var_2E4]
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		push	[ebp+var_2DC]
		call	_ZwClose@4	; ZwClose(x)
		mov	[ebp+var_2DC], esi
		mov	edi, esi
		mov	[ebp+var_2D4], edi
		mov	ebx, 0C00B0002h
		jmp	loc_541873
; END OF FUNCTION CHUNK	FOR LdrLoadAlternateResourceModuleEx

;  S U B	R O U T	I N E 


sub_5F3AA7	proc near		; DATA XREF: .text:006A7148o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_5F3AA7	endp


;  S U B	R O U T	I N E 


sub_5F3AB8	proc near		; DATA XREF: .text:006A714Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		jmp	loc_5418E3
sub_5F3AB8	endp

; 
; START	OF FUNCTION CHUNK FOR LdrLoadAlternateResourceModuleEx

loc_5F3AC9:				; CODE XREF: LdrLoadAlternateResourceModuleEx+69j
					; LdrLoadAlternateResourceModuleEx+78j	...
		mov	eax, 0C000000Dh
		jmp	loc_541761
; END OF FUNCTION CHUNK	FOR LdrLoadAlternateResourceModuleEx
; 
; START	OF FUNCTION CHUNK FOR LdrpGetFromMUIMemCache

loc_5F3AD3:				; CODE XREF: LdrpGetFromMUIMemCache+ACj
		mov	al, 1
		mov	[ebp+var_19], al
		mov	[ebp+var_1A], al
		jmp	loc_5419E7
; 

loc_5F3AE0:				; CODE XREF: LdrpGetFromMUIMemCache+131j
		mov	al, 1
		mov	[ebp+var_19], al
		mov	[ebp+var_1A], al
		mov	esi, ebx
		mov	[ebp+var_20], esi
		jmp	loc_5419E7
; END OF FUNCTION CHUNK	FOR LdrpGetFromMUIMemCache

;  S U B	R O U T	I N E 


sub_5F3AF2	proc near		; DATA XREF: .text:006A7168o
		xor	ebx, ebx
		mov	edi, [ebp-24h]
		mov	esi, [ebp-20h]
		mov	al, [ebp-1Ah]
		mov	[ebp-19h], al
		jmp	sub_541A3C
sub_5F3AF2	endp

; 
; START	OF FUNCTION CHUNK FOR LdrpInitMuiCrits

loc_5F3B05:				; CODE XREF: LdrpInitMuiCrits+2Fj
		lea	eax, [esp+8+var_8]
		push	eax
		push	0
		call	NtDelayExecution
		jmp	loc_541A8D
; END OF FUNCTION CHUNK	FOR LdrpInitMuiCrits
; 
; START	OF FUNCTION CHUNK FOR KiInitializeMutant

loc_5F3B15:				; CODE XREF: KiInitializeMutant+69j
					; KiInitializeMutant+B200Dj
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5F3B15
		jmp	loc_541B78
; 

loc_5F3B28:				; CODE XREF: KiInitializeMutant+3Dj
		or	byte ptr [esi+1Ch], 2
		test	dl, dl
		jz	loc_541B57
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		test	eax, eax
		jz	loc_541B57
		or	byte ptr [eax+0Eh], 1
		jmp	loc_541B57
; END OF FUNCTION CHUNK	FOR KiInitializeMutant
; 
; START	OF FUNCTION CHUNK FOR PopThermalUpdateTelemetryClientCount

loc_5F3B50:				; CODE XREF: PopThermalUpdateTelemetryClientCount+3Bj
		sub	ds:_PopThermalTelemetryClientCount, 1
		jnz	loc_568673
		push	esi
		push	offset _PopThermalTelemetryTimer
		call	KeCancelTimer2
		jmp	loc_568673
; END OF FUNCTION CHUNK	FOR PopThermalUpdateTelemetryClientCount
; 
; START	OF FUNCTION CHUNK FOR PopGetDope

loc_5F3B6D:				; CODE XREF: PopGetDope+6Ej
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_56873F
; 

loc_5F3B7A:				; CODE XREF: PopGetDope+83j
		push	45504F44h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_56874F
; END OF FUNCTION CHUNK	FOR PopGetDope
; 
; START	OF FUNCTION CHUNK FOR EmpQueueRuleUpdateState

loc_5F3B8A:				; CODE XREF: EmpQueueRuleUpdateState+257j
		push	0
		push	[ebp+var_8]
		push	offset _EmpEvaluationQueueLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F3B9F:				; CODE XREF: EmpQueueRuleUpdateState+16Bj
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_568B07
; 

loc_5F3BB0:				; CODE XREF: EmpQueueRuleUpdateState+244j
		push	[ebp+var_24]
		mov	edx, offset _EmpEvaluationQueueLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_568B1A
; END OF FUNCTION CHUNK	FOR EmpQueueRuleUpdateState
; 
; START	OF FUNCTION CHUNK FOR RtlStringCbCopyNA

loc_5F3BC4:				; CODE XREF: RtlStringCbCopyNA+1Ej
		mov	eax, 0C000000Dh
		mov	byte ptr [ecx],	0
		jmp	loc_568C46
; END OF FUNCTION CHUNK	FOR RtlStringCbCopyNA
; 
; START	OF FUNCTION CHUNK FOR IopAddBootDiskInformation

loc_5F3BD1:				; CODE XREF: IopAddBootDiskInformation+2Ej
		mov	edx, [ebp+var_4]
		inc	edi
		add	ebx, 1Ch
		cmp	edi, esi
		jb	loc_568CD2
		jmp	loc_568CE6
; END OF FUNCTION CHUNK	FOR IopAddBootDiskInformation
; 
; START	OF FUNCTION CHUNK FOR PpmIdleSelectStates

loc_5F3BE5:				; CODE XREF: PpmIdleSelectStates+142j
		mov	ecx, [esi+88h]
		lea	edx, [esi+90h]
		call	eax
		mov	[ebp+var_68], eax
		jmp	loc_568E58
; 

loc_5F3BFB:				; CODE XREF: PpmIdleSelectStates+152j
		mov	[ebp+var_68], 0
		jmp	loc_568E68
; 

loc_5F3C07:				; CODE XREF: PpmIdleSelectStates+15Aj
		lea	ecx, [esi+0D8h]
		call	_PoCopyDeepIdleMask@4 ;	PoCopyDeepIdleMask(x)
		mov	eax, [ebp+var_40]
		mov	ecx, [esi+0E0h]
		mov	eax, [eax+3CCh]
		bts	ecx, eax
		mov	[esi+0E0h], ecx
		mov	eax, [edi+20h]
		mov	ecx, [esi+0E8h]
		mov	[ebp+var_C0], eax
		mov	eax, [edi]
		mov	[ebp+var_54], ecx
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		mov	edi, [ebp+var_3C]
		add	esp, 0Ch
		cmp	dword ptr [esi+0F4h], 0
		mov	[ebp+var_5C], 0
		jbe	loc_5F3E47
		mov	bh, [ebp+var_46]
		xor	ecx, ecx
		mov	eax, 8
		mov	[ebp+var_60], ecx
		mov	[ebp+var_4C], eax
		mov	bl, cl

loc_5F3C7A:				; CODE XREF: PpmIdleSelectStates+8B128j
		cmp	ds:_PpmIdleVetoBias, 0
		jnz	loc_5F3E0E
		mov	eax, [esi+0F8h]
		cmp	byte ptr [eax+ecx+1], 0
		jz	loc_5F3E0B
		mov	edi, [eax+ecx+4]
		mov	eax, ds:_PpmDripsStateIndex
		mov	ecx, [ebp+var_40]
		mov	[ebp+var_44], edi
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5F3CC3
		cmp	edi, eax
		jb	short loc_5F3CC3
		call	_PpmCheckPreConditionsForDeepSleep@4 ; PpmCheckPreConditionsForDeepSleep(x)
		test	al, al
		jz	short loc_5F3CC3
		test	bl, bl
		jnz	short loc_5F3CBF
		mov	bh, 1

loc_5F3CBF:				; CODE XREF: PpmIdleSelectStates+8AFABj
		mov	bl, 1
		jmp	short loc_5F3CCC
; 

loc_5F3CC3:				; CODE XREF: PpmIdleSelectStates+8AF9Aj
					; PpmIdleSelectStates+8AF9Ej ...
		cmp	bl, 1
		jnz	short loc_5F3CCA
		mov	bh, bl

loc_5F3CCA:				; CODE XREF: PpmIdleSelectStates+8AFB6j
		xor	bl, bl

loc_5F3CCC:				; CODE XREF: PpmIdleSelectStates+8AFB1j
		mov	byte ptr [ebp+var_98], bl
		test	bh, bh
		jz	short loc_5F3D0F
		mov	edx, [ebp+var_80]
		lea	eax, [ebp+var_8C]
		push	eax
		lea	eax, [ebp+var_94]
		xor	bh, bh
		push	eax
		lea	eax, [ebp+var_A0]
		push	eax
		lea	eax, [ebp+var_78]
		push	eax
		mov	eax, [edx+4]
		push	0
		push	0
		push	eax
		mov	eax, [edx]
		mov	dl, bl
		push	eax
		push	[ebp+var_98]
		call	_PpmEstimateIdleDuration@44 ; PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_40]

loc_5F3D0F:				; CODE XREF: PpmIdleSelectStates+8AFC4j
		mov	edx, [ebp+var_68]
		lea	eax, [esi+0FCh]
		push	eax
		mov	dword ptr [eax+4], 0
		lea	eax, [ebp+var_3C]
		push	eax
		push	edi
		push	edi
		push	[ebp+var_74]
		mov	[ebp+var_3C], 0FFFFFFFFh
		push	[ebp+var_78]
		push	[ebp+var_A4]
		call	_PpmIdleCheckCoordinatedStateEligibility@36 ; PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)
		mov	edi, [ebp+var_3C]
		mov	ecx, eax
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_50], ecx
		mov	[ebp+var_64], edx
		cmp	byte ptr [eax+0Ch], 0
		jnz	short loc_5F3D78
		or	ecx, edx
		jnz	short loc_5F3D78
		mov	eax, [eax+10h]
		test	eax, eax
		jz	short loc_5F3D78
		push	[ebp+var_44]
		mov	ecx, [esi+88h]
		mov	edx, edi
		call	eax
		mov	edx, eax
		mov	[ebp+var_64], 0
		mov	[ebp+var_50], edx
		jmp	short loc_5F3D7B
; 

loc_5F3D78:				; CODE XREF: PpmIdleSelectStates+8B040j
					; PpmIdleSelectStates+8B044j ...
		mov	edx, [ebp+var_50]

loc_5F3D7B:				; CODE XREF: PpmIdleSelectStates+8B066j
		imul	eax, [ebp+var_44], 3F0h
		push	[ebp+var_64]
		mov	ecx, [ebp+var_C0]
		push	edx
		add	eax, 48h
		add	ecx, eax
		call	PpmIdleUpdateSelectionStatistics
		mov	eax, [ebp+var_44]
		mov	ecx, [ebp+var_6C]
		add	ecx, 40h
		lea	eax, [eax+eax*2]
		shl	eax, 6
		add	eax, ecx
		mov	ecx, [ebp+var_50]
		mov	[ebp+var_3C], eax
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_5F3DB9
		mov	edx, [ebp+var_64]
		test	edx, edx
		jz	short loc_5F3DCA

loc_5F3DB9:				; CODE XREF: PpmIdleSelectStates+8B0A0j
		mov	edx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_88], edx
		mov	edx, [ebp+var_64]
		mov	[ebp+var_7C], eax

loc_5F3DCA:				; CODE XREF: PpmIdleSelectStates+8B0A7j
		mov	eax, ecx
		or	eax, edx
		jz	loc_5F3E68
		cmp	ecx, 80000003h
		jnz	short loc_5F3DE6
		test	edx, edx
		jnz	short loc_5F3DE6
		mov	[ebp+var_35], 1
		jmp	short loc_5F3DF6
; 

loc_5F3DE6:				; CODE XREF: PpmIdleSelectStates+8B0CAj
					; PpmIdleSelectStates+8B0CEj
		cmp	ecx, 80000008h
		jnz	short loc_5F3DF6
		test	edx, edx
		jnz	short loc_5F3DF6
		mov	[ebp+var_36], 1

loc_5F3DF6:				; CODE XREF: PpmIdleSelectStates+8B0D4j
					; PpmIdleSelectStates+8B0DCj ...
		xor	edx, edx
		lea	ecx, [esi+0FCh]
		call	_PpmIdleRollbackCoordinatedSelection@8 ; PpmIdleRollbackCoordinatedSelection(x,x)
		mov	edx, [ebp+var_50]
		mov	eax, [ebp+var_4C]
		jmp	short loc_5F3E13
; 

loc_5F3E0B:				; CODE XREF: PpmIdleSelectStates+8AF82j
		mov	eax, [ebp+var_4C]

loc_5F3E0E:				; CODE XREF: PpmIdleSelectStates+8AF71j
		mov	edx, 0FFFFFFFEh

loc_5F3E13:				; CODE XREF: PpmIdleSelectStates+8B0F9j
		mov	ecx, [ebp+var_54]
		inc	[ebp+var_58]
		mov	[ecx+eax], edx
		add	eax, 4
		mov	edx, [ebp+var_5C]
		mov	ecx, [ebp+var_60]
		inc	edx
		add	ecx, 10h
		mov	[ebp+var_5C], edx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_4C], eax
		cmp	edx, [esi+0F4h]
		jb	loc_5F3C7A
		mov	eax, [ebp+var_58]
		lea	ebx, [esi+54h]
		mov	[ebp+var_58], eax

loc_5F3E47:				; CODE XREF: PpmIdleSelectStates+8AF52j
		mov	eax, [ebp+var_54]
		mov	edx, ebx
		mov	dword ptr [esi+100h], 0
		mov	ecx, ebx
		mov	dword ptr [eax], 0FFFFFFFFh
		call	_PpmUnlockProcessors@8 ; PpmUnlockProcessors(x,x)
		jmp	loc_568E73
; 

loc_5F3E68:				; CODE XREF: PpmIdleSelectStates+8B0BEj
		mov	ecx, [ebp+var_84]
		mov	eax, [ebp+var_44]
		mov	byte ptr [ecx],	1
		mov	ecx, [ebp+var_54]
		mov	[ecx], eax
		mov	ecx, [ebp+var_3C]
		cmp	byte ptr [ecx+29h], 0
		jz	short loc_5F3E88
		mov	[ebp+var_A8], eax

loc_5F3E88:				; CODE XREF: PpmIdleSelectStates+8B170j
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ecx+30h]
		push	eax
		lea	eax, [esi+54h]
		push	eax
		call	_KeSubtractAffinityEx@12 ; KeSubtractAffinityEx(x,x,x)
		test	eax, eax
		jz	short loc_5F3EA8
		lea	edx, [ebp+var_34]
		lea	ecx, [esi+54h]
		call	_PpmUnlockProcessors@8 ; PpmUnlockProcessors(x,x)

loc_5F3EA8:				; CODE XREF: PpmIdleSelectStates+1A3j
					; PpmIdleSelectStates+8B18Bj ...
		xor	edx, edx
		jmp	loc_568FAA
; 

loc_5F3EAF:				; CODE XREF: PpmIdleSelectStates+1E2j
		call	_PpmCheckPreConditionsForDeepSleep@4 ; PpmCheckPreConditionsForDeepSleep(x)
		test	al, al
		jz	loc_568EF8
		test	bl, bl
		jnz	short loc_5F3EC2
		mov	bh, 1

loc_5F3EC2:				; CODE XREF: PpmIdleSelectStates+8B1AEj
		mov	bl, 1
		jmp	loc_568F03
; 

loc_5F3EC9:				; CODE XREF: PpmIdleSelectStates+1EBj
		mov	bh, 1
		jmp	loc_568F01
; 

loc_5F3ED0:				; CODE XREF: PpmIdleSelectStates+22Bj
		mov	edx, [ebp+var_68]
		mov	ecx, [ebp+var_40]
		push	0
		push	edi
		push	[ebp+var_74]
		push	[ebp+var_78]
		push	[ebp+var_A4]
		call	_PpmIdleCheckProcessorStateEligibility@28 ; PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_3C], eax
		or	ecx, edx
		mov	[ebp+var_44], edx
		jnz	short loc_5F3F1A
		mov	eax, [esi+70h]
		test	eax, eax
		jz	short loc_5F3F1A
		mov	ecx, [esi+88h]
		mov	edx, edi
		push	0FFFFFFFFh
		call	eax
		mov	edx, eax
		mov	[ebp+var_44], 0
		mov	[ebp+var_3C], edx
		jmp	loc_568F49
; 

loc_5F3F1A:				; CODE XREF: PpmIdleSelectStates+8B1E4j
					; PpmIdleSelectStates+8B1EBj
		mov	edx, [ebp+var_3C]
		jmp	loc_568F49
; 

loc_5F3F22:				; CODE XREF: PpmIdleSelectStates+25Dj
		cmp	ecx, 80000003h
		jnz	short loc_5F3F34
		test	edx, edx
		jnz	short loc_5F3F34
		mov	[ebp+var_35], 1
		jmp	short loc_5F3F44
; 

loc_5F3F34:				; CODE XREF: PpmIdleSelectStates+8B218j
					; PpmIdleSelectStates+8B21Cj
		cmp	ecx, 80000008h
		jnz	short loc_5F3F44
		test	edx, edx
		jnz	short loc_5F3F44
		mov	[ebp+var_36], 1

loc_5F3F44:				; CODE XREF: PpmIdleSelectStates+8B222j
					; PpmIdleSelectStates+8B22Aj ...
		mov	edx, [ebp+var_60]
		mov	eax, [ebp+var_4C]
		inc	eax
		mov	[ebp+var_4C], eax
		mov	[edx], ecx
		add	edx, 4
		mov	ecx, [ebp+var_5C]
		add	ecx, 10h
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		cmp	eax, [esi+0ECh]
		jb	loc_568ED0
		jmp	loc_5F3EA8
; 

loc_5F3F70:				; CODE XREF: PpmIdleSelectStates+28Aj
		cmp	byte ptr [esi+eax*4+14Dh], 0
		jz	short loc_5F3F82
		test	edi, edi
		jz	loc_568FA0

loc_5F3F82:				; CODE XREF: PpmIdleSelectStates+280j
					; PpmIdleSelectStates+8B268j
		mov	al, 1
		jmp	loc_568FA2
; 

loc_5F3F89:				; CODE XREF: PpmIdleSelectStates+2A3j
		mov	ecx, [ebp+var_40]
		mov	dl, 1
		lea	ecx, [ecx+3DA8h]
		call	_PpmIdleSetSynchronizationState@8 ; PpmIdleSetSynchronizationState(x,x)
		mov	edx, [ebp+var_90]
		jmp	loc_568FB9
; 

loc_5F3FA4:				; CODE XREF: PpmIdleSelectStates+2B3j
		mov	eax, [ebp+var_54]
		test	eax, eax
		jz	short loc_5F3FEE
		mov	ecx, [ebp+var_58]
		mov	edx, 1
		push	602h
		mov	[eax+4], ecx
		mov	[ebp+var_28], eax
		lea	eax, ds:8[ecx*4]
		mov	[ebp+var_24], 0
		push	123Eh
		push	40200000h
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	edx, [ebp+var_90]

loc_5F3FEE:				; CODE XREF: PpmIdleSelectStates+8B299j
		mov	eax, [ebp+var_70]
		test	eax, eax
		jz	loc_568FC9
		push	602h
		mov	[eax+4], edx
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_18], eax
		lea	eax, ds:8[edx*4]
		push	123Dh
		push	40200000h
		mov	edx, 1
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_568FC9
; END OF FUNCTION CHUNK	FOR PpmIdleSelectStates
; 
; START	OF FUNCTION CHUNK FOR PpmIdleUpdateSelectionStatistics

loc_5F4038:				; CODE XREF: PpmIdleUpdateSelectionStatistics+12j
		mov	eax, ecx
		and	eax, 80000000h
		or	eax, 0
		jnz	short loc_5F4076
		and	edx, 1
		or	eax, edx
		jz	short loc_5F406E
		mov	eax, [esi+78h]
		push	2
		pop	edx
		test	eax, eax
		jz	loc_569076
		mov	eax, [eax+14h]
		imul	ecx, 38h
		add	dword ptr [ecx+eax-28h], 1
		adc	dword ptr [ecx+eax-24h], 0
		jmp	loc_569076
; 

loc_5F406E:				; CODE XREF: PpmIdleUpdateSelectionStatistics+8AFEDj
		xor	edx, edx
		inc	edx
		jmp	loc_569076
; 

loc_5F4076:				; CODE XREF: PpmIdleUpdateSelectionStatistics+8AFE6j
		cmp	ecx, 8000000Ch
		ja	loc_56907F
		lea	edx, [ecx-7FFFFFFEh]
		jmp	loc_569076
; END OF FUNCTION CHUNK	FOR PpmIdleUpdateSelectionStatistics
; 
; START	OF FUNCTION CHUNK FOR PpmComputeIdleDurationHint

loc_5F408D:				; CODE XREF: PpmComputeIdleDurationHint+62j
					; PpmComputeIdleDurationHint+8B04Fj
		lea	eax, [edx-1]
		xor	ecx, ecx
		xor	ecx, [ebp+var_8]
		xor	eax, edx
		movzx	ebx, ax
		mov	edi, offset _PpmPlatformIdleHint
		xor	ebx, edx
		mov	eax, edx
		mov	edx, [ebp+var_8]
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+var_C]
		mov	ebx, edx
		mov	[ebp+var_24], eax
		mov	edi, esi
		cmp	eax, ecx
		jnz	short loc_5F40C3
		mov	eax, [ebp+var_8]
		cmp	ebx, eax
		jz	short loc_5F40D7
		mov	eax, [ebp+var_24]

loc_5F40C3:				; CODE XREF: PpmComputeIdleDurationHint+8B033j
		mov	edx, eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], edx
		pause
		movzx	eax, ax
		or	eax, 0
		jnz	short loc_5F408D
		jmp	short loc_5F40E2
; 

loc_5F40D7:				; CODE XREF: PpmComputeIdleDurationHint+8B03Aj
		mov	edi, ecx
		mov	esi, eax
		shrd	edi, esi, 10h
		shr	esi, 10h

loc_5F40E2:				; CODE XREF: PpmComputeIdleDurationHint+8B051j
		mov	ecx, [ebp+var_14]
		mov	ebx, [ebp+var_10]
		jmp	loc_5690EC
; END OF FUNCTION CHUNK	FOR PpmComputeIdleDurationHint
; 
; START	OF FUNCTION CHUNK FOR PpmIdleEvaluateConstraints

loc_5F40ED:				; CODE XREF: PpmIdleEvaluateConstraints+EFj
		mov	eax, 80h
		mov	byte ptr [ebx+0BCh], 1
		or	[ebx+30h], ax
		jmp	loc_5691EC
; 

loc_5F4102:				; CODE XREF: PpmIdleEvaluateConstraints+9Ej
		mov	eax, 100h
		or	[ebx+30h], ax
		mov	eax, [ebx+1Ch]
		jmp	loc_5691F9
; 

loc_5F4113:				; CODE XREF: PpmIdleEvaluateConstraints+D5j
		mov	eax, 4000h
		or	[ebx+30h], ax
		jmp	loc_56922D
; END OF FUNCTION CHUNK	FOR PpmIdleEvaluateConstraints
; 
; START	OF FUNCTION CHUNK FOR PoAllProcessorsDeepIdle

loc_5F4121:				; CODE XREF: PoAllProcessorsDeepIdle+3Ej
					; PoAllProcessorsDeepIdle+8AEF0j
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	MmGetNextNode
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5F4147
		mov	ecx, ds:_KeNodeBlock[eax*4]
		mov	eax, [ecx+84h]
		cmp	[ecx+40h], eax
		jz	short loc_5F4121
		jmp	loc_569294
; 

loc_5F4147:				; CODE XREF: PoAllProcessorsDeepIdle+8AEDEj
		mov	al, 1
		jmp	loc_569296
; END OF FUNCTION CHUNK	FOR PoAllProcessorsDeepIdle
; 
; START	OF FUNCTION CHUNK FOR MiZeroLargePageThread

loc_5F414E:				; CODE XREF: MiZeroLargePageThread+96j
		mov	edx, [ebp+var_4]
		lea	ecx, [ebp+var_18]
		lea	edx, [edx+10h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_56934F
; 

loc_5F4161:				; CODE XREF: MiZeroLargePageThread+104j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5693C4
; 

loc_5F4171:				; CODE XREF: MiZeroLargePageThread+68j
		mov	ecx, [ebp+arg_0]
		call	_MiDeleteZeroThreadContext@4 ; MiDeleteZeroThreadContext(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; END OF FUNCTION CHUNK	FOR MiZeroLargePageThread
; 
; START	OF FUNCTION CHUNK FOR RtlpComputeCrcInternal

loc_5F4182:				; CODE XREF: RtlpComputeCrcInternal+39j
		cmp	ecx, eax
		jbe	short loc_5F4188
		mov	ecx, eax

loc_5F4188:				; CODE XREF: RtlpComputeCrcInternal+8ACF4j
		xor	esi, esi
		test	ecx, ecx
		jz	short loc_5F41C2
		mov	eax, [ebp+arg_8]
		mov	eax, [eax+4]
		mov	[ebp+arg_4], eax

loc_5F4197:				; CODE XREF: RtlpComputeCrcInternal+8AD27j
		movzx	eax, byte ptr [esi+edx]
		inc	esi
		mov	edx, [ebp+arg_4]
		xor	eax, ebx
		shrd	ebx, edi, 8
		movzx	eax, al
		shr	edi, 8
		xor	ebx, [edx+eax*8]
		xor	edi, [edx+eax*8+4]
		mov	edx, [ebp+var_34]
		cmp	esi, ecx
		jb	short loc_5F4197
		mov	eax, [ebp+var_38]
		mov	[ebp+var_4], ebx
		mov	[ebp+arg_4], edi

loc_5F41C2:				; CODE XREF: RtlpComputeCrcInternal+8ACFCj
		mov	esi, [ebp+var_40]
		sub	eax, ecx
		add	edx, ecx
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], edx
		jmp	loc_5694CF
; 

loc_5F41D4:				; CODE XREF: RtlpComputeCrcInternal+78Ej
		mov	eax, [ebp+arg_8]
		mov	esi, [eax+4]

loc_5F41DA:				; CODE XREF: RtlpComputeCrcInternal+8AD65j
		movzx	eax, byte ptr [ecx+edx]
		inc	ecx
		xor	eax, ebx
		shrd	ebx, edi, 8
		movzx	eax, al
		shr	edi, 8
		xor	ebx, [esi+eax*8]
		xor	edi, [esi+eax*8+4]
		cmp	ecx, [ebp+var_38]
		jb	short loc_5F41DA
		mov	esi, [ebp+var_40]
		jmp	loc_569C24
; END OF FUNCTION CHUNK	FOR RtlpComputeCrcInternal
; 
; START	OF FUNCTION CHUNK FOR HvlStartBootLogicalProcessors

loc_5F41FF:				; CODE XREF: HvlStartBootLogicalProcessors+27j
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_8], ebx
		push	eax
		push	20h
		push	0Bh
		call	ds:off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_5F4242
		cmp	[ebp+var_8], 20h
		jnz	short loc_5F4242
		mov	eax, [ebp+var_30]
		mov	ds:_HvlpQueryProcessorNode, eax
		mov	eax, [ebp+var_20]
		mov	ds:_HvlpQueryProximityId, eax
		mov	eax, [ebp+var_28]
		mov	ds:_HvlpQueryProximityNode, eax
		mov	eax, [ebp+var_18]
		mov	ds:_HvlpQueryNodeDistance, eax
		jmp	short loc_5F425A
; 

loc_5F4242:				; CODE XREF: HvlStartBootLogicalProcessors+8A5E2j
					; HvlStartBootLogicalProcessors+8A5E8j
		mov	ds:_HvlpQueryProcessorNode, ebx
		mov	ds:_HvlpQueryProximityId, ebx
		mov	ds:_HvlpQueryProximityNode, ebx
		mov	ds:_HvlpQueryNodeDistance, ebx

loc_5F425A:				; CODE XREF: HvlStartBootLogicalProcessors+8A60Aj
		call	ds:__imp__HalQueryMaximumProcessorCount@0 ; HalQueryMaximumProcessorCount()
		mov	edi, eax
		or	edx, 0FFFFFFFFh
		imul	esi, edi, 28h
		mov	ecx, esi
		mov	[ebp+var_14], esi
		call	_MmAllocateIndependentPages@8 ;	MmAllocateIndependentPages(x,x)
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jnz	short loc_5F4285
		mov	esi, 0C000009Ah
		jmp	loc_5F4476
; 

loc_5F4285:				; CODE XREF: HvlStartBootLogicalProcessors+8A643j
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, large fs:20h
		add	esp, 0Ch
		and	ds:dword_706024, 0
		mov	edx, offset dword_706028
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		push	offset word_70602C
		call	HvlpQueryApicIdAndNumaNode
		mov	esi, eax
		test	esi, esi
		js	loc_5F446B
		movzx	eax, ds:word_70602C
		mov	ecx, [ebp+var_4]
		mov	edx, ds:dword_706028
		push	offset unk_706034
		mov	eax, ds:_KeNodeBlock[eax*4]
		push	offset unk_706030
		mov	ax, [eax+8Ch]
		mov	ds:word_70602E,	ax
		mov	eax, [ecx+3FD0h]
		mov	ds:dword_70603C, eax
		mov	eax, [ecx+3CCh]
		mov	ds:dword_706038, eax
		mov	al, [ecx+3BEh]
		mov	ds:_HvlpCpuVendor, al
		call	_HvlpDiscoverTopologyLocal@16 ;	HvlpDiscoverTopologyLocal(x,x,x,x)
		xor	eax, eax
		mov	edx, ebx
		inc	eax
		push	ecx
		mov	ds:_HvlpLogicalProcessorCount, eax
		mov	ecx, edi
		mov	ds:_HvlpLogicalProcessorRegions, eax
		call	_HvlpSelectLpSet@12 ; HvlpSelectLpSet(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_5F446B
		xor	eax, eax
		inc	eax
		mov	[ebp+var_4], eax
		cmp	edi, eax
		jbe	short loc_5F436B
		lea	esi, [ebx+30h]

loc_5F433E:				; CODE XREF: HvlStartBootLogicalProcessors+8A733j
		cmp	byte ptr [esi-7], 0
		jz	short loc_5F4360
		mov	dx, [esi]
		mov	ecx, [esi-4]
		call	HvlpEnableNextLogicalProcessor
		test	eax, eax
		js	short loc_5F436B
		inc	ds:_HvlpLogicalProcessorCount
		mov	eax, [ebp+var_4]
		mov	byte ptr [esi-6], 1

loc_5F4360:				; CODE XREF: HvlStartBootLogicalProcessors+8A70Cj
		inc	eax
		add	esi, 28h
		mov	[ebp+var_4], eax
		cmp	eax, edi
		jb	short loc_5F433E

loc_5F436B:				; CODE XREF: HvlStartBootLogicalProcessors+8A703j
					; HvlStartBootLogicalProcessors+8A71Bj
		push	[ebp+var_10]
		mov	edx, ebx
		mov	ecx, edi
		call	_HvlpSelectVpSet@12 ; HvlpSelectVpSet(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_5F446B
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		test	edi, edi
		jz	short loc_5F43CA
		lea	esi, [ebx+1]

loc_5F438D:				; CODE XREF: HvlStartBootLogicalProcessors+8A792j
		mov	bl, [esi]
		test	bl, bl
		jnz	short loc_5F4398
		cmp	[esi+2], bl
		jz	short loc_5F43C2

loc_5F4398:				; CODE XREF: HvlStartBootLogicalProcessors+8A75Bj
		mov	ecx, [esi+3]
		call	HvlpGetLpcbByApicId
		mov	ecx, [ebp+var_4]
		test	bl, bl
		jz	short loc_5F43B2
		inc	ecx
		mov	dword ptr [eax+24h], 1
		mov	[ebp+var_4], ecx

loc_5F43B2:				; CODE XREF: HvlStartBootLogicalProcessors+8A76Fj
		cmp	byte ptr [esi+2], 0
		jz	short loc_5F43C2
		inc	ds:_HvlpActiveProcessorCount
		mov	byte ptr [eax+60h], 1

loc_5F43C2:				; CODE XREF: HvlStartBootLogicalProcessors+8A760j
					; HvlStartBootLogicalProcessors+8A780j
		add	esi, 28h
		sub	edi, 1
		jnz	short loc_5F438D

loc_5F43CA:				; CODE XREF: HvlStartBootLogicalProcessors+8A752j
		mov	eax, ds:_HvlpLogicalProcessorCount
		cmp	ecx, eax
		jnz	short loc_5F43E1
		test	ds:_HvlpRootFlags, 800h
		jz	short loc_5F445B
		jmp	short loc_5F4450
; 

loc_5F43E1:				; CODE XREF: HvlStartBootLogicalProcessors+8A79Bj
		push	offset _HvlpCompareActiveLpcbs ; int __cdecl (*)(const void *,const void *)
		push	68h		; size_t
		push	eax		; size_t
		push	offset _HvlpLogicalProcessorRegions ; void *
		call	_qsort
		xor	edi, edi
		add	esp, 10h
		cmp	ds:_HvlpLogicalProcessorCount, edi
		jz	short loc_5F4450
		mov	ebx, offset dword_706024

loc_5F4405:				; CODE XREF: HvlStartBootLogicalProcessors+8A818j
		push	0CB8h		; size_t
		lea	eax, [ebp+var_CF0]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebx]
		add	esp, 0Ch
		xor	esi, esi
		cmp	ecx, edi
		jz	short loc_5F4440
		lea	eax, [ebp+var_CF0]
		mov	[ebp+var_CF0], edi
		push	eax
		push	6
		pop	edx
		call	_HvlpSetLogicalProcessorProperty@12 ; HvlpSetLogicalProcessorProperty(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_5F446B
		mov	[ebx], edi

loc_5F4440:				; CODE XREF: HvlStartBootLogicalProcessors+8A7EBj
		test	esi, esi
		js	short loc_5F446B
		inc	edi
		add	ebx, 68h
		cmp	edi, ds:_HvlpLogicalProcessorCount
		jb	short loc_5F4405

loc_5F4450:				; CODE XREF: HvlStartBootLogicalProcessors+8A7A9j
					; HvlStartBootLogicalProcessors+8A7C8j
		call	_HvlpCommitLpIndices@0 ; HvlpCommitLpIndices()
		mov	esi, eax
		test	esi, esi
		js	short loc_5F446B

loc_5F445B:				; CODE XREF: HvlStartBootLogicalProcessors+8A7A7j
		xor	esi, esi
		cmp	ds:_KeDynamicPartitioningSupported, 0
		jnz	short loc_5F446B
		call	_HvlNotifyAllProcessorsStarted@0 ; HvlNotifyAllProcessorsStarted()

loc_5F446B:				; CODE XREF: HvlStartBootLogicalProcessors+8A680j
					; HvlStartBootLogicalProcessors+8A6F5j	...
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_C]
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)

loc_5F4476:				; CODE XREF: HvlStartBootLogicalProcessors+8A64Aj
		mov	eax, esi
		jmp	loc_569C63
; END OF FUNCTION CHUNK	FOR HvlStartBootLogicalProcessors
; 
; START	OF FUNCTION CHUNK FOR KiConfigureCpuSetSchedulingInformation

loc_5F447D:				; CODE XREF: KiConfigureCpuSetSchedulingInformation+D4j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_569D47
; END OF FUNCTION CHUNK	FOR KiConfigureCpuSetSchedulingInformation
; 
; START	OF FUNCTION CHUNK FOR KeAllocateProcessorProfileStructures

loc_5F448A:				; CODE XREF: KeAllocateProcessorProfileStructures+9Bj
		mov	ebx, 0C0000017h
		jmp	loc_569F87
; 

loc_5F4494:				; CODE XREF: KeAllocateProcessorProfileStructures+BFj
		mov	ebx, 0C000009Ah
		jmp	loc_569F87
; 

loc_5F449E:				; CODE XREF: KeAllocateProcessorProfileStructures+F9j
		mov	ecx, [ebp+arg_8]
		mov	ebx, 0C000020Ah
		mov	[ecx], eax
		jmp	loc_569F87
; 

loc_5F44AD:				; CODE XREF: KeAllocateProcessorProfileStructures+143j
		cmp	[esp+20h+var_D], 0
		jz	short loc_5F44BD
		mov	edx, edi
		mov	ecx, esi
		call	_MmDeleteShadowMapping@8 ; MmDeleteShadowMapping(x,x)

loc_5F44BD:				; CODE XREF: KeAllocateProcessorProfileStructures+8A662j
		mov	edx, edi
		mov	ecx, esi
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)
		jmp	loc_569F99
; END OF FUNCTION CHUNK	FOR KeAllocateProcessorProfileStructures
; 
; START	OF FUNCTION CHUNK FOR KiAddProcessorToGroupDatabase

loc_5F44CB:				; CODE XREF: KiAddProcessorToGroupDatabase+58j
		cmp	dword ptr [edi+3CCh], 0FFh
		mov	al, [edi+3CCh]
		mov	esi, [ebp+var_4]
		mov	[edi+10h], al
		jbe	loc_56A102
		mov	byte ptr [edi+10h], 0FFh
		jmp	loc_56A102
; 

loc_5F44F0:				; CODE XREF: KiAddProcessorToGroupDatabase+65j
		push	0
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	esi, [ebp+var_4]
		mov	ecx, eax
		xor	edx, edx
		mov	eax, esi
		div	ecx
		mov	[edi+10h], dl
		mov	edx, [ebp+var_8]
		jmp	loc_56A102
; END OF FUNCTION CHUNK	FOR KiAddProcessorToGroupDatabase
; 
; START	OF FUNCTION CHUNK FOR MiReadWriteAnyLevelShadowPte

loc_5F450D:				; CODE XREF: MiReadWriteAnyLevelShadowPte+94j
		lea	edi, [edi+ecx*8]
		add	edi, 0FFFFF000h
		jmp	loc_56A1FE
; 

loc_5F451B:				; CODE XREF: MiReadWriteAnyLevelShadowPte+162j
		mov	ecx, [ebp+var_14]
		mov	dl, al
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	edx, [ebp+var_8]
		jmp	loc_56A2C4
; 

loc_5F4532:				; CODE XREF: MiReadWriteAnyLevelShadowPte+142j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5F456E
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	[ebp+var_18], 1
		jnz	loc_56A2A4
		mov	ecx, [ebp+var_10]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_56A2A4
		mov	edx, [ebp+var_C]
		or	edx, 80000000h
		jmp	loc_56A2A7
; 

loc_5F456E:				; CODE XREF: MiReadWriteAnyLevelShadowPte+8A3DDj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_5F459F
		mov	ecx, [ebp+var_10]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_5F459F
		mov	edx, [ebp+var_C]
		mov	[ebp+arg_8], ecx
		or	edx, 80000000h

loc_5F459F:				; CODE XREF: MiReadWriteAnyLevelShadowPte+8A428j
					; MiReadWriteAnyLevelShadowPte+8A435j
		mov	al, [ebp+var_2]
		mov	ecx, [ebp+var_24]
		mov	ebx, [ebp+var_28]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_1], al
		jmp	loc_56A2A4
; 

loc_5F45B3:				; CODE XREF: MiReadWriteAnyLevelShadowPte+155j
		push	edx
		push	ecx
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_56A2B7
; 

loc_5F45C1:				; CODE XREF: MiReadWriteAnyLevelShadowPte+117j
		mov	[edi], ecx
		nop
		mov	eax, [ebp+var_C]
		mov	[edi+4], eax
		jmp	loc_56A23C
; 

loc_5F45CF:				; CODE XREF: MiReadWriteAnyLevelShadowPte+DAj
		push	ebx
		push	0
		push	ecx
		push	3606h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5F45E0:				; CODE XREF: MmSetPageProtection+74j
		test	byte ptr ds:_MiFlags+2,	1
		jnz	loc_56A57B
		jmp	loc_56A3DA
; END OF FUNCTION CHUNK	FOR MiReadWriteAnyLevelShadowPte
; 
; START	OF FUNCTION CHUNK FOR MmSetPageProtection

loc_5F45F2:				; CODE XREF: MmSetPageProtection+173j
		mov	edi, eax
		mov	ecx, edx
		jmp	loc_56A50F
; END OF FUNCTION CHUNK	FOR MmSetPageProtection
; 
; START	OF FUNCTION CHUNK FOR MiMarkPxeAsShadowed

loc_5F45FB:				; CODE XREF: MiMarkPxeAsShadowed+4Dj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_56A5F5
; 

loc_5F460B:				; CODE XREF: MiMarkPxeAsShadowed+6Fj
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5F4613:				; CODE XREF: MiMarkPxeAsShadowed+58j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_56A5F5
; END OF FUNCTION CHUNK	FOR MiMarkPxeAsShadowed
; 
; START	OF FUNCTION CHUNK FOR KiQueryProcessorNode

loc_5F4628:				; CODE XREF: KiQueryProcessorNode+12j
		lfence	eax
		mov	eax, ds:_KiProcessorBlock[ebx*4]
		mov	eax, [eax+338h]
		mov	cx, [eax+8Ah]
		mov	eax, [ebp+arg_0]
		mov	[eax], cx
		xor	eax, eax
		jmp	loc_56A686
; 

loc_5F464C:				; CODE XREF: KiQueryProcessorNode+39j
		cmp	esi, 0C0000225h
		jnz	loc_56A652
		mov	eax, [ebp+arg_0]
		mov	ecx, 0FFFFh
		cmp	ax, cx
		jz	loc_56A682
		movzx	ecx, ax
		mov	ecx, ds:_KeNodeBlock[ecx*4]
		call	_KiIsNodeFull@4	; KiIsNodeFull(x)
		test	al, al
		jnz	loc_56A682
		mov	eax, [ebp+arg_0]
		jmp	short loc_5F468F
; 

loc_5F4685:				; CODE XREF: KiQueryProcessorNode+2Aj
		cmp	ebx, ds:_KiMaximumGroupSize
		jnb	short loc_5F46BF
		xor	eax, eax

loc_5F468F:				; CODE XREF: KiQueryProcessorNode+8A083j
		xor	esi, esi
		mov	[edi], ax
		jmp	loc_56A652
; 

loc_5F4699:				; CODE XREF: KiQueryProcessorNode+6Fj
		mov	edx, eax
		mov	ecx, ebx
		call	_HvlGetApicIdFromLpIndex@8 ; HvlGetApicIdFromLpIndex(x,x)
		mov	eax, [ebp+var_4]
		jmp	loc_56A675
; 

loc_5F46AA:				; CODE XREF: KiQueryProcessorNode+7Cj
		mov	ecx, [eax]
		call	HvlpGetLpcbByApicId
		test	eax, eax
		jz	short loc_5F46BF
		cmp	dword ptr [eax+24h], 0
		jnz	loc_56A682

loc_5F46BF:				; CODE XREF: KiQueryProcessorNode+8A08Bj
					; KiQueryProcessorNode+8A0B3j
		mov	esi, 0C0000225h
		jmp	loc_56A682
; END OF FUNCTION CHUNK	FOR KiQueryProcessorNode
; 
; START	OF FUNCTION CHUNK FOR KiCommitNodeAssignment

loc_5F46C9:				; CODE XREF: KiCommitNodeAssignment+7Bj
		test	bl, 2
		jz	loc_56A7A5
		cmp	[ecx+88h], ax
		jnz	loc_56A7A5
		mov	ebx, [ebp+var_4]
		mov	[ecx+88h], bx
		jmp	loc_56A7A5
; END OF FUNCTION CHUNK	FOR KiCommitNodeAssignment
; 
; START	OF FUNCTION CHUNK FOR MiDeleteBootRange

loc_5F46EE:				; CODE XREF: MiDeleteBootRange+9Aj
					; MiDeleteBootRange+89DFCj ...
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5F46EE
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5F46EE
		mov	eax, [ebp+var_1C]
		jmp	loc_56A99E
; 

loc_5F470B:				; CODE XREF: MiDeleteBootRange+10Ej
		mov	ebx, offset unk_6D3C40
		jmp	loc_56AA12
; 

loc_5F4715:				; CODE XREF: MiDeleteBootRange+154j
					; MiDeleteBootRange+89E23j ...
		lea	ecx, [ebp+var_28]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_5F4715
		lock bts dword ptr [esi], 1Fh
		jb	short loc_5F4715
		mov	eax, [ebp+var_20]
		jmp	loc_56AA58
; 

loc_5F4732:				; CODE XREF: MiDeleteBootRange+205j
		cmp	edx, 300h
		jnz	loc_56AB10
		jmp	loc_56AB09
; 

loc_5F4743:				; CODE XREF: MiDeleteBootRange+23Cj
		mov	eax, ds:dword_6CF51C
		add	eax, 0FFFh
		and	eax, 0FFFFF000h
		dec	eax
		add	eax, [ecx+20h]
		add	eax, edx
		shr	eax, 12h
		and	eax, 3FF8h
		sub	eax, 3FA00000h
		cmp	edi, eax
		ja	loc_56AB40
		xor	ecx, ecx
		jmp	loc_56AB4A
; END OF FUNCTION CHUNK	FOR MiDeleteBootRange
; 
; START	OF FUNCTION CHUNK FOR KiRegisterForDisableFgBoostDecayRegistryNotification

loc_5F4774:				; CODE XREF: KiRegisterForDisableFgBoostDecayRegistryNotification+4Cj
		push	ds:_KiDisableFgBoostDecayRegistryHandle
		call	_ZwClose@4	; ZwClose(x)
		mov	ds:_KiDisableFgBoostDecayRegistryHandle, esi
		jmp	loc_56ABF8
; END OF FUNCTION CHUNK	FOR KiRegisterForDisableFgBoostDecayRegistryNotification
; 
; START	OF FUNCTION CHUNK FOR PopQueryPowerButtonBugcheckConfiguration

loc_5F478A:				; CODE XREF: PopQueryPowerButtonBugcheckConfiguration+6Dj
		cmp	[ebp+var_14], edi
		jnz	loc_56AD39
		cmp	[ebp+var_10], edi
		jnz	loc_56AD39
		cmp	[ebp+var_C], 0
		jz	short loc_5F47B7
		mov	dword ptr [esi], 1
		mov	ds:dword_6BFDB0, 2
		jmp	loc_56AD77
; 

loc_5F47B7:				; CODE XREF: PopQueryPowerButtonBugcheckConfiguration+89ADAj
		mov	ds:dword_6BFDB0, 1
		jmp	loc_56AD77
; 

loc_5F47C6:				; CODE XREF: PopQueryPowerButtonBugcheckConfiguration+9Bj
		mov	ds:dword_6BFDB4, 1
		jmp	loc_56AD77
; END OF FUNCTION CHUNK	FOR PopQueryPowerButtonBugcheckConfiguration
; 
; START	OF FUNCTION CHUNK FOR HvlpTryConfigureInterface

loc_5F47D5:				; CODE XREF: HvlpTryConfigureInterface+52j
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax
		call	HviGetHypervisorFeatures
		mov	eax, [ebp+var_18]
		and	eax, 20h
		or	eax, 0
		jz	loc_56AE3E
		test	ebx, ebx
		jz	short loc_5F480B
		mov	eax, [ebx+84h]
		mov	ebx, [eax+54h]
		shr	ebx, 9
		and	bl, 1
		jmp	short loc_5F480D
; 

loc_5F480B:				; CODE XREF: HvlpTryConfigureInterface+89A12j
		xor	bl, bl

loc_5F480D:				; CODE XREF: HvlpTryConfigureInterface+89A23j
		movzx	eax, byte ptr ds:_CmNtCSDVersion+1
		mov	ecx, 40000000h
		cdq
		mov	esi, eax
		mov	edi, edx
		movzx	eax, word ptr ds:_NtBuildNumber
		or	esi, 40A0000h
		or	edi, 1
		cdq
		shld	edi, esi, 10h
		shl	esi, 10h
		or	edx, edi
		or	eax, esi
		wrmsr
		inc	ecx
		rdmsr
		mov	esi, eax
		or	esi, 1
		cmp	[ebp+var_19], 0
		jnz	short loc_5F48B6
		test	bl, bl
		jnz	short loc_5F48B6
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jz	short loc_5F4872
		push	20h
		lea	ecx, [ebp+var_28]
		push	ecx
		push	1
		push	eax
		call	ds:dword_6B12D4
		mov	edi, eax
		test	edi, edi
		jz	short loc_5F48D7
		mov	edx, [ebp+var_24]
		mov	eax, [ebp+var_28]
		jmp	short loc_5F4889
; 

loc_5F4872:				; CODE XREF: HvlpTryConfigureInterface+89A6Dj
		push	ds:_HvlpHypercallCodeVa
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	edi, ds:_HvlpHypercallCodeVa
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], edx

loc_5F4889:				; CODE XREF: HvlpTryConfigureInterface+89A8Aj
		xor	esi, eax
		xor	ebx, ebx
		and	esi, 0FFFh
		xor	esi, eax
		xor	ebx, edx

loc_5F4897:				; CODE XREF: HvlpTryConfigureInterface+89AEFj
		mov	eax, esi
		mov	ecx, 40000001h
		mov	edx, ebx
		wrmsr
		mov	ds:_HvcallCodeVa, edi
		mov	eax, offset _HvlpHypercallCodeVa
		xchg	edi, [eax]
		xor	eax, eax
		jmp	loc_56AE4A
; 

loc_5F48B6:				; CODE XREF: HvlpTryConfigureInterface+89A62j
					; HvlpTryConfigureInterface+89A66j
		push	20h
		mov	ebx, edx
		mov	eax, esi
		push	1
		and	eax, 0FFFFF000h
		mov	[ebp+var_24], ebx
		push	ebx
		push	eax
		mov	[ebp+var_28], eax
		call	ds:dword_6B12D8
		mov	edi, eax
		test	edi, edi
		jnz	short loc_5F4897

loc_5F48D7:				; CODE XREF: HvlpTryConfigureInterface+89A82j
		mov	eax, 0C000009Ah
		jmp	loc_56AE4A
; END OF FUNCTION CHUNK	FOR HvlpTryConfigureInterface
; 
; START	OF FUNCTION CHUNK FOR InbvDisplayString

loc_5F48E1:				; CODE XREF: InbvDisplayString+Cj
		mov	eax, ds:dword_6D4D50
		test	eax, eax
		jz	short loc_5F48F0
		lea	ecx, [ebp+arg_0]
		push	ecx
		call	eax

loc_5F48F0:				; CODE XREF: InbvDisplayString+89A8Aj
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	loc_56AE70
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_56AE70
		push	[ebp+arg_0]
		call	eax
		jmp	loc_56AE72
; END OF FUNCTION CHUNK	FOR InbvDisplayString
; 
; START	OF FUNCTION CHUNK FOR PopComputeCounterShifts

loc_5F4912:				; CODE XREF: PopComputeCounterShifts+13j
		lea	eax, [ecx+12h]
		mov	[esi], eax
		lea	eax, [ecx+0Dh]
		jmp	loc_56AEA7
; END OF FUNCTION CHUNK	FOR PopComputeCounterShifts
; 
; START	OF FUNCTION CHUNK FOR PopPowerSourceChangeCallback

loc_5F491F:				; CODE XREF: PopPowerSourceChangeCallback+3Cj
		push	edi		; size_t
		push	esi		; void *
		push	offset _GUID_BATTERY_COUNT ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_56AF30

loc_5F4936:				; CODE XREF: PopPowerSourceChangeCallback+46j
					; PopPowerSourceChangeCallback+4Ej
		mov	eax, 0C000000Dh
		jmp	loc_56AFD9
; 

loc_5F4940:				; CODE XREF: PopPowerSourceChangeCallback+5Fj
		cmp	ds:_PopConsoleExternalDisplayConnected,	bl
		jnz	loc_56AF53
		mov	bl, 1
		mov	[ebp+var_19], bl
		jmp	loc_56AF53
; 

loc_5F4956:				; CODE XREF: PopPowerSourceChangeCallback+7Ej
		mov	ecx, [ebp+var_20]
		xor	eax, eax
		inc	eax
		cmp	[ecx], eax
		jnz	short loc_5F4965
		mov	bl, al
		mov	[ebp+var_19], bl

loc_5F4965:				; CODE XREF: PopPowerSourceChangeCallback+89A70j
		cmp	ds:_PopDisableDisplayBurstOnPowerSourceChange, 0
		jz	loc_56AF72
		mov	bl, al
		mov	[ebp+var_19], bl
		jmp	loc_56AF72
; 

loc_5F497C:				; CODE XREF: PopPowerSourceChangeCallback+96j
		test	bl, bl
		jnz	short loc_5F4987
		lea	edi, [ebp+var_18]
		movsd
		movsd
		movsd
		movsd

loc_5F4987:				; CODE XREF: PopPowerSourceChangeCallback+89A90j
		mov	cl, [ebp+var_19]
		setz	dl
		xor	ebx, ebx
		test	cl, cl
		setnz	bl
		xor	eax, eax
		dec	ebx
		and	ebx, 0FFFFFFE2h
		add	ebx, 2Eh
		test	cl, cl
		setnz	al
		dec	eax
		and	eax, 0FFFFFFDFh
		add	eax, 31h
		mov	[ebp+var_24], eax
		mov	esi, eax
		jmp	loc_56AFA6
; 

loc_5F49B3:				; CODE XREF: PopPowerSourceChangeCallback+A1j
		mov	esi, offset _GUID_ACDC_DISPLAY_BURST_SUPPRESS
		push	2Bh
		pop	ebx
		push	1Ch
		movsd
		movsd
		movsd
		movsd
		pop	esi
		jmp	loc_56AFAA
; 

loc_5F49C7:				; CODE XREF: PopPowerSourceChangeCallback+E3j
		call	_PopGetSessionId@0 ; PopGetSessionId()
		mov	edx, esi
		mov	ecx, eax
		call	_TtmNotifySessionDisplayBurst@8	; TtmNotifySessionDisplayBurst(x,x)
		jmp	loc_56AFD7
; 

loc_5F49DA:				; CODE XREF: PopPowerSourceChangeCallback+D6j
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	ecx, ebx
		call	_PopPowerAggregatorForceSessionSwitch@4	; PopPowerAggregatorForceSessionSwitch(x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		jmp	loc_56AFD7
; END OF FUNCTION CHUNK	FOR PopPowerSourceChangeCallback
; 
; START	OF FUNCTION CHUNK FOR PopInitilizeAcDcSettings

loc_5F49F0:				; CODE XREF: PopInitilizeAcDcSettings+6Dj
		mov	ecx, 80h
		call	_PopSetNotificationWork@4 ; PopSetNotificationWork(x)
		jmp	loc_56B05D
; END OF FUNCTION CHUNK	FOR PopInitilizeAcDcSettings
; 
; START	OF FUNCTION CHUNK FOR HviGetHypervisorFeatures

loc_5F49FF:				; CODE XREF: HviGetHypervisorFeatures+11j
		mov	eax, 40000003h
		push	ebx
		cpuid
		mov	edi, ebx
		pop	ebx
		nop
		mov	esi, [ebp+arg_0]
		mov	[esi], eax
		mov	[esi+4], edi
		mov	[esi+8], ecx
		mov	[esi+0Ch], edx
		jmp	loc_56B09D
; END OF FUNCTION CHUNK	FOR HviGetHypervisorFeatures
; 
; START	OF FUNCTION CHUNK FOR HviGetEnlightenmentInformation

loc_5F4A1E:				; CODE XREF: HviGetEnlightenmentInformation+11j
		mov	eax, 40000004h
		push	ebx
		cpuid
		mov	edi, ebx
		pop	ebx
		nop
		mov	esi, [ebp+arg_0]
		mov	[esi], eax
		mov	[esi+4], edi
		mov	[esi+8], ecx
		mov	[esi+0Ch], edx
		jmp	loc_56B6ED
; END OF FUNCTION CHUNK	FOR HviGetEnlightenmentInformation
; 
; START	OF FUNCTION CHUNK FOR HviGetHypervisorInterface

loc_5F4A3D:				; CODE XREF: HviGetHypervisorInterface+11j
		mov	eax, 40000001h
		push	ebx
		cpuid
		mov	edi, ebx
		pop	ebx
		nop
		mov	esi, [ebp+arg_0]
		mov	[esi], eax
		mov	[esi+4], edi
		mov	[esi+8], ecx
		mov	[esi+0Ch], edx
		jmp	loc_56B761
; END OF FUNCTION CHUNK	FOR HviGetHypervisorInterface
; 
; START	OF FUNCTION CHUNK FOR KiGetIptInfo

loc_5F4A5C:				; CODE XREF: KiGetIptInfo+59j
		push	7
		pop	eax
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [ebp+var_14]
		mov	[ebx], eax
		lea	eax, [ebp+var_10]
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		bt	dword ptr [eax], 19h
		jb	short loc_5F4A94
		lea	ecx, [ebp+var_24]
		call	_HviGetIptFeatures@4 ; HviGetIptFeatures(x)
		test	[ebp+var_24], 0FFFFF000h
		jz	loc_56B7C7

loc_5F4A94:				; CODE XREF: KiGetIptInfo+89315j
		push	14h
		pop	eax
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [ebp+var_14]
		mov	[ebx], eax
		mov	eax, [ebp+var_28]
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		push	10h
		pop	ecx
		mov	[edi], ecx
		or	dword ptr [eax], 9
		mov	[ebx+0Ch], edx
		test	[ebp+var_C], 5
		jz	short loc_5F4AC4
		add	[edi], ecx
		or	dword ptr [eax], 6

loc_5F4AC4:				; CODE XREF: KiGetIptInfo+89355j
		test	byte ptr [ebp+var_10], 1
		jz	short loc_5F4ACF
		add	dword ptr [edi], 8
		or	[eax], ecx

loc_5F4ACF:				; CODE XREF: KiGetIptInfo+89360j
		test	byte ptr [ebp+var_10], 4
		jz	short loc_5F4B1C
		cmp	[ebp+var_14], 0
		jbe	short loc_5F4B1C
		push	14h
		pop	eax
		xor	ecx, ecx
		inc	ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [ebp+var_14]
		mov	[ebx], eax
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		mov	ecx, [ebp+var_14]
		mov	eax, ecx
		and	al, 7
		cmp	al, 4
		jbe	short loc_5F4B04
		push	0FFFFFFFCh
		pop	ecx

loc_5F4B04:				; CODE XREF: KiGetIptInfo+89397j
		mov	edx, [ebp+var_28]
		and	ecx, 7
		mov	eax, ecx
		shl	eax, 4
		add	[edi], eax
		xor	eax, eax
		inc	eax
		shl	eax, cl
		dec	eax
		shl	eax, 5
		or	[edx], eax

loc_5F4B1C:				; CODE XREF: KiGetIptInfo+8936Bj
					; KiGetIptInfo+89371j
		mov	eax, [edi]
		add	eax, 3Fh
		and	eax, 0FFFFFFC0h
		mov	[edi], eax
		jmp	loc_56B7C7
; END OF FUNCTION CHUNK	FOR KiGetIptInfo
; 
; START	OF FUNCTION CHUNK FOR KiGetXSaveSupportedFeatures

loc_5F4B2B:				; CODE XREF: KiGetXSaveSupportedFeatures+DDj
		mov	edx, [ebp+var_8]
		xor	ecx, ecx
		or	ecx, [ebp+var_C]
		or	edx, eax
		jmp	loc_56B8BD
; 

loc_5F4B3A:				; CODE XREF: KiGetXSaveSupportedFeatures+1B8j
		mov	eax, [ebp+var_30]
		or	[ebx+220h], eax
		mov	eax, [ebp+var_34]
		or	[ebx+224h], eax
		jmp	loc_56B917
; 

loc_5F4B51:				; CODE XREF: KiGetXSaveSupportedFeatures+15Aj
		mov	edi, 22Ch
		mov	[ebp+var_1C], edi

loc_5F4B59:				; CODE XREF: KiGetXSaveSupportedFeatures+8940Fj
		mov	ecx, [ebp+var_20]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		call	__allshl
		mov	esi, [ebx+218h]
		mov	ecx, [ebx+21Ch]
		and	esi, eax
		and	ecx, edx
		mov	[ebp+var_34], eax
		or	esi, ecx
		mov	[ebp+var_30], edx
		jz	short loc_5F4BCA
		mov	ecx, [ebp+var_20]
		lea	edi, [ebp+var_14]
		xor	eax, eax
		stosd
		push	0Dh
		stosd
		stosd
		stosd
		pop	eax
		push	ebx
		cpuid
		mov	esi, ebx
		lea	edi, [ebp+var_14]
		pop	ebx
		nop
		mov	ebx, [ebp+var_18]
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	byte ptr [ebp+var_C], 2
		mov	edi, [ebp+var_1C]
		mov	eax, [ebp+var_14]
		mov	[edi+ebx], eax
		jz	short loc_5F4BD2
		mov	eax, [ebp+var_34]
		or	[ebx+220h], eax
		mov	eax, [ebp+var_30]
		or	[ebx+224h], eax
		jmp	short loc_5F4BD2
; 

loc_5F4BCA:				; CODE XREF: KiGetXSaveSupportedFeatures+893A8j
		mov	eax, [ebp+var_2C]
		mov	eax, [eax]
		mov	[edi+ebx], eax

loc_5F4BD2:				; CODE XREF: KiGetXSaveSupportedFeatures+893DEj
					; KiGetXSaveSupportedFeatures+893F2j
		inc	[ebp+var_20]
		add	edi, 4
		add	[ebp+var_2C], 8
		mov	[ebp+var_1C], edi
		cmp	edi, 32Ch
		jb	loc_5F4B59
		jmp	loc_56B936
; 

loc_5F4BF0:				; CODE XREF: KiGetXSaveSupportedFeatures+47j
		mov	edx, [ebp+var_18]

loc_5F4BF3:				; CODE XREF: KiGetXSaveSupportedFeatures+8Aj
		mov	[edx], ebx
		mov	[edx+4], ebx
		mov	[edx+10h], ebx
		jmp	loc_56B936
; END OF FUNCTION CHUNK	FOR KiGetXSaveSupportedFeatures
; 
; START	OF FUNCTION CHUNK FOR PpmHvUseNativeAlgorithms

loc_5F4C00:				; CODE XREF: PpmHvUseNativeAlgorithms+7j
		test	byte ptr ds:_HvlpFlags,	2
		jnz	short loc_5F4C0C
		xor	al, al
		retn
; 

loc_5F4C0C:				; CODE XREF: PpmHvUseNativeAlgorithms+89273j
		mov	eax, ds:_HvlEnlightenments
		and	eax, 408h
		neg	eax
		sbb	al, al
		inc	al
		retn
; END OF FUNCTION CHUNK	FOR PpmHvUseNativeAlgorithms
; 
; START	OF FUNCTION CHUNK FOR ExInitializeProcessor

loc_5F4C1D:				; CODE XREF: ExInitializeProcessor+48j
		mov	edx, [edi+338h]
		mov	cx, [edx+8Ah]
		call	_KeIsNodeInitialized@4 ; KeIsNodeInitialized(x)
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		xor	eax, eax
		and	esi, edx
		mov	edx, esi
		lea	ecx, [esi+14Ch]
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	short loc_5F4C58
		push	1
		lea	eax, [esi+140h]
		push	eax
		call	ExQueueWorkItem

loc_5F4C58:				; CODE XREF: ExInitializeProcessor+89292j
		mov	ecx, [edi+3CCh]
		mov	eax, ds:_ExSaPageArrays
		mov	eax, [eax+ecx*4]
		mov	[edi+47B4h], eax
		jmp	loc_56BA04
; END OF FUNCTION CHUNK	FOR ExInitializeProcessor
; 
; START	OF FUNCTION CHUNK FOR SeRegisterObjectTypeMandatoryPolicy

loc_5F4C71:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+54j
		mov	al, 1
		jmp	loc_56BA6F
; 

loc_5F4C78:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+68j
		mov	[ebp+var_10], 0C0000001h
		jmp	loc_56BAD8
; 

loc_5F4C84:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+C4j
		or	ds:dword_6BE78C[eax], 400h
		jmp	loc_56BAD4
; 

loc_5F4C93:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+DCj
		test	al, 4
		jnz	loc_56BAEC
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		jmp	loc_56BAEC
; 

loc_5F4CAA:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+278j
		push	0
		push	[ebp+var_8]
		push	offset _SepMandatoryObjectTypePolicyLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F4CBF:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+1B9j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]
		jmp	loc_56BBCF
; 

loc_5F4CD0:				; CODE XREF: SeRegisterObjectTypeMandatoryPolicy+265j
		push	[ebp+var_24]
		mov	edx, offset _SepMandatoryObjectTypePolicyLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_56BBE2
; END OF FUNCTION CHUNK	FOR SeRegisterObjectTypeMandatoryPolicy
; 
; START	OF FUNCTION CHUNK FOR HeadlessDispatch

loc_5F4CE4:				; CODE XREF: HeadlessDispatch+Dj
		cmp	dword ptr [eax+4], 0
		jz	loc_56BEF5
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_HdlspDispatch@20 ; HdlspDispatch(x,x,x,x,x)
		jmp	loc_56BF02
; 

loc_5F4D07:				; CODE XREF: HeadlessDispatch+28j
		cmp	eax, 1
		jz	loc_56BEFD
		cmp	eax, 0Ch
		jz	loc_56BF10
		cmp	eax, 0Dh
		jz	loc_56BF10
		cmp	eax, 2
		jz	loc_56BF10
		cmp	eax, 0Bh
		jnz	loc_56BF2C
		jmp	loc_56BF10
; END OF FUNCTION CHUNK	FOR HeadlessDispatch
; 
; START	OF FUNCTION CHUNK FOR PiDmaGuardInitialize

loc_5F4D39:				; CODE XREF: PiDmaGuardInitialize+26j
		mov	ds:_PipCslUnlockCallback, offset _PipDmgConsoleUnlockCallback@0	; PipDmgConsoleUnlockCallback()
		jmp	loc_56BF64
; END OF FUNCTION CHUNK	FOR PiDmaGuardInitialize
; 
; START	OF FUNCTION CHUNK FOR PiDrvDbUnloadNodeReset

loc_5F4D48:				; CODE XREF: PiDrvDbUnloadNodeReset+2Dj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_541D38
; END OF FUNCTION CHUNK	FOR PiDrvDbUnloadNodeReset
; 
; START	OF FUNCTION CHUNK FOR PiDmaGuardInitialize

loc_5F4D57:				; CODE XREF: PiDmaGuardInitialize+70j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_56BFCB
; 

loc_5F4D66:				; CODE XREF: PiDmaGuardInitialize+8Dj
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5F4D6D:				; CODE XREF: PiDmaGuardInitialize+7Aj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_56BFCB
; END OF FUNCTION CHUNK	FOR PiDmaGuardInitialize
; 
; START	OF FUNCTION CHUNK FOR WmipAllocRegEntry

loc_5F4D81:				; CODE XREF: WmipAllocRegEntry+8Dj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_56C074
; 

loc_5F4D8E:				; CODE XREF: WmipAllocRegEntry+E5j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_56C0E4
; 

loc_5F4D9D:				; CODE XREF: WmipAllocRegEntry+102j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5F4DA4:				; CODE XREF: WmipAllocRegEntry+EFj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_56C0E4
; END OF FUNCTION CHUNK	FOR WmipAllocRegEntry
; 
; START	OF FUNCTION CHUNK FOR CmSiProcessTupleStartFromHandle

loc_5F4DB8:				; CODE XREF: CmSiProcessTupleStartFromHandle+2Bj
		mov	ecx, [esp+10h+var_4]
		test	ecx, ecx
		jz	loc_56C168
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		jmp	loc_56C168
; END OF FUNCTION CHUNK	FOR CmSiProcessTupleStartFromHandle
; 
; START	OF FUNCTION CHUNK FOR CmpInitializeLoadOptions

loc_5F4DD3:				; CODE XREF: CmpInitializeLoadOptions+56j
		push	esi
		push	1
		push	3
		push	74h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5F4DE0:				; CODE XREF: MiMappedPageWriter+1A4j
		mov	eax, [esi+154h]
		test	eax, eax
		jnz	short loc_5F4E15
		mov	ecx, esi
		call	_MiDeleteMappedMdls@4 ;	MiDeleteMappedMdls(x)
		push	[esp+24h+var_10]
		push	[esp+28h+var_14]
		call	KeSetActualBasePriorityThread
		mov	ecx, [esp+24h+arg_98]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_5F4E15:				; CODE XREF: CmpInitializeLoadOptions+88C74j
					; CmpInitializeLoadOptions+88CB7j
		push	offset _MiShortTime
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	eax, [esi+154h]
		test	eax, eax
		jnz	short loc_5F4E15
		jmp	short loc_5F4E3E
; END OF FUNCTION CHUNK	FOR CmpInitializeLoadOptions
; 
; START	OF FUNCTION CHUNK FOR MiMappedPageWriter

loc_5F4E2F:				; CODE XREF: MiMappedPageWriter+117j
		push	ecx
		push	13h
		lea	ecx, [esi+164h]
		pop	edx
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)

loc_5F4E3E:				; CODE XREF: CmpInitializeLoadOptions+88CB9j
		mov	edx, [esp+0C8h+var_BC]
		jmp	loc_56C4A0
; 

loc_5F4E47:				; CODE XREF: MiMappedPageWriter+E0j
		xor	edi, edi
		jmp	loc_56C4E4
; 

loc_5F4E4E:				; CODE XREF: MiMappedPageWriter+F6j
		mov	edx, [esp+0C8h+var_B8]
		dec	word ptr [edx+13Eh]
		nop
		lea	eax, [esi+15Ch]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_5F4E7B
		mov	edi, ecx
		cmp	[edi+4], eax
		jnz	short loc_5F4EBD
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	short loc_5F4EBD
		mov	[eax], ecx
		mov	[ecx+4], eax
		jmp	short loc_5F4E82
; 

loc_5F4E7B:				; CODE XREF: MiMappedPageWriter+88A74j
		mov	byte ptr [esi+174h], 1

loc_5F4E82:				; CODE XREF: MiMappedPageWriter+88A89j
		mov	ecx, edx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_56C505
; 

loc_5F4E8E:				; CODE XREF: MiMappedPageWriter+150j
		mov	ebx, [esp+0C8h+var_B8]
		dec	word ptr [ebx+13Eh]
		nop
		lea	eax, [esi+15Ch]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_5F4EBD
		mov	[edi+4], ecx
		mov	[edi], eax
		mov	[ecx], edi
		mov	ecx, ebx
		mov	[eax+4], edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_56C550
; 

loc_5F4EBD:				; CODE XREF: MiMappedPageWriter+88A7Bj
					; MiMappedPageWriter+88A82j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5F4EC2:				; CODE XREF: ExpWorkerFactoryManagerThread+E6j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_56C6CC
; END OF FUNCTION CHUNK	FOR MiMappedPageWriter
; 
; START	OF FUNCTION CHUNK FOR ExpWorkerFactoryManagerThread

loc_5F4ED2:				; CODE XREF: ExpWorkerFactoryManagerThread+108j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid
		jmp	loc_56C751
; 

loc_5F4EDF:				; CODE XREF: ExpWorkerFactoryManagerThread+5Fj
		xor	eax, eax
		lea	ebx, [eax+1]
		jmp	loc_56C637
; 

loc_5F4EE9:				; CODE XREF: ExpWorkerFactoryManagerThread+80j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_56C666
; 

loc_5F4EF9:				; CODE XREF: ExpWorkerFactoryManagerThread+BCj
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	loc_56C5D1
; END OF FUNCTION CHUNK	FOR ExpWorkerFactoryManagerThread
; 
; START	OF FUNCTION CHUNK FOR MiModifiedPageWriter

loc_5F4F05:				; CODE XREF: MiModifiedPageWriter+15Bj
		lea	eax, [esi+18Ch]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		cmp	dword ptr [esi+188h], 0
		jz	loc_56C8C3
		push	0
		push	2
		pop	edx
		mov	ecx, edi
		call	IoBoostThreadIoPriority
		jmp	loc_56C8C3
; 

loc_5F4F2F:				; CODE XREF: MiModifiedPageWriter+175j
		lea	eax, [esi+260h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	ecx, esi
		call	MiStoreUpdateMemoryConditions
		jmp	loc_56C8DD
; 

loc_5F4F47:				; CODE XREF: MiModifiedPageWriter+264j
		push	0
		push	2
		pop	edx
		mov	ecx, edi
		call	IoBoostThreadIoPriority
		jmp	loc_56C9CC
; 

loc_5F4F58:				; CODE XREF: MiModifiedPageWriter+235j
		xor	eax, eax
		inc	eax
		jmp	loc_56C9A4
; 

loc_5F4F60:				; CODE XREF: MiModifiedPageWriter+D3j
					; MiModifiedPageWriter+DDj ...
		cmp	dword ptr [esi+188h], 0
		jz	short loc_5F4F75
		push	0
		push	2
		pop	edx
		mov	ecx, edi
		call	IoBoostThreadIoPriority

loc_5F4F75:				; CODE XREF: MiModifiedPageWriter+88805j
		lea	ecx, [esi+23Ch]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	eax, [esi+0F4Ch]
		mov	[ebp+var_9C], eax
		test	eax, eax
		jz	loc_5F5041
		lea	ebx, [esi+0F54h]
		mov	[ebp+var_98], ebx

loc_5F4FA0:				; CODE XREF: MiModifiedPageWriter+888D9j
		cmp	dword ptr [ebx], 0
		jz	loc_5F5029
		dec	word ptr [edi+13Eh]
		nop
		mov	eax, [ebx]
		xor	ecx, ecx
		mov	[ebp+var_94], ecx
		cmp	[eax+24h], ecx
		jbe	short loc_5F501C

loc_5F4FC0:				; CODE XREF: MiModifiedPageWriter+888B8j
		mov	eax, [eax+20h]
		mov	eax, [eax+ecx*4]
		mov	[ebp+var_A0], eax
		test	eax, eax
		jz	short loc_5F500E
		mov	ebx, eax

loc_5F4FD2:				; CODE XREF: MiModifiedPageWriter+8889Ej
		cmp	dword ptr [ebx], 61h
		jnz	short loc_5F5002
		mov	ecx, edi
		mov	byte ptr [esi+175h], 1
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	13h
		lea	eax, [esi+228h]
		push	eax
		call	KeWaitForSingleObject
		dec	word ptr [edi+13Eh]
		nop
		jmp	short loc_5F4FD2
; 

loc_5F5002:				; CODE XREF: MiModifiedPageWriter+88873j
		mov	ebx, [ebp+var_98]
		mov	ecx, [ebp+var_94]

loc_5F500E:				; CODE XREF: MiModifiedPageWriter+8886Cj
		mov	eax, [ebx]
		inc	ecx
		mov	[ebp+var_94], ecx
		cmp	ecx, [eax+24h]
		jb	short loc_5F4FC0

loc_5F501C:				; CODE XREF: MiModifiedPageWriter+8885Cj
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_9C]

loc_5F5029:				; CODE XREF: MiModifiedPageWriter+88841j
		add	ebx, 4
		sub	eax, 1
		mov	[ebp+var_98], ebx
		mov	[ebp+var_9C], eax
		jnz	loc_5F4FA0

loc_5F5041:				; CODE XREF: MiModifiedPageWriter+8882Cj
		push	[ebp+var_A8]
		push	edi
		call	KeSetActualBasePriorityThread
		push	0
		push	0
		lea	eax, [esi+1B4h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; END OF FUNCTION CHUNK	FOR MiModifiedPageWriter
; 
; START	OF FUNCTION CHUNK FOR MiZeroPageCalibrateIsr

loc_5F506E:				; CODE XREF: MiZeroPageCalibrateIsr+42j
					; MiZeroPageCalibrateIsr+50j
		inc	eax
		add	edx, 280h
		cmp	eax, esi
		jb	loc_56CB70
		jmp	loc_56CB88
; 

loc_5F5082:				; CODE XREF: MiZeroPageCalibrateIsr+128j
		xor	eax, eax
		jmp	loc_56CC6E
; END OF FUNCTION CHUNK	FOR MiZeroPageCalibrateIsr
; 
; START	OF FUNCTION CHUNK FOR MiComputeOptimalWriteProcessors

loc_5F5089:				; CODE XREF: MiComputeOptimalWriteProcessors+D5j
		mov	esi, [ebp+var_4]
		jmp	loc_56D07E
; END OF FUNCTION CHUNK	FOR MiComputeOptimalWriteProcessors
; 
; START	OF FUNCTION CHUNK FOR RtlpMuiRegAddAlternateCodePage

loc_5F5091:				; CODE XREF: RtlpMuiRegAddAlternateCodePage+61j
		mov	ecx, [esp+30h+var_20]
		test	ecx, ecx
		jz	loc_56D27D
		cmp	eax, 80000005h
		jnz	loc_56D27D
		add	ecx, 2
		mov	[esp+30h+var_20], ecx
		lea	esi, [ecx+3]
		and	esi, 0FFFFFFFCh
		jz	short loc_5F50F7
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	edi
		mov	edx, esi
		inc	ecx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	72746C6Dh
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jz	loc_56D27D
		push	esi		; size_t
		xor	eax, eax
		push	eax		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_5F50F7:				; CODE XREF: RtlpMuiRegAddAlternateCodePage+87E9Fj
		test	edi, edi
		jz	loc_56D27D
		push	ecx		; int
		lea	eax, [esp+34h+var_20]
		mov	ecx, ebx
		push	eax		; int
		push	edi		; void *
		lea	eax, [esp+3Ch+var_1C]
		push	eax		; int
		lea	edx, [esp+40h+var_8]
		call	LdrpQueryValueKey
		test	eax, eax
		jnz	loc_5F51EC
		cmp	[esp+30h+var_1C], 1
		jz	short loc_5F5130
		cmp	[esp+30h+var_1C], 7
		jnz	loc_5F51EC

loc_5F5130:				; CODE XREF: RtlpMuiRegAddAlternateCodePage+87F0Dj
		mov	eax, [esp+30h+var_20]
		mov	esi, edi
		push	0
		shr	eax, 1
		pop	ecx
		mov	[esp+30h+var_20], eax
		mov	[esp+30h+var_1C], ecx
		jz	loc_5F51EC
		mov	ebx, [esp+30h+var_10]
		add	ebx, 14h

loc_5F5150:				; CODE XREF: RtlpMuiRegAddAlternateCodePage+87FC3j
		test	esi, esi
		jz	loc_5F51EC
		cmp	[esi], cx
		jz	loc_5F51EC
		push	offset ??_C@_13BBDEGPLJ@?$AA?$CK@FNODOBFM@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_5F51E1
		push	esi
		lea	eax, [esp+34h+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+30h+var_18]
		push	eax
		push	0Ah
		lea	eax, [esp+38h+var_8]
		push	eax
		call	RtlUnicodeStringToInteger
		test	eax, eax
		jnz	short loc_5F51AB
		mov	ax, word ptr [esp+30h+var_18]
		mov	[ebx], ax
		add	ebx, 2
		mov	eax, [esp+30h+var_14]
		inc	eax
		mov	[esp+30h+var_14], eax
		cmp	eax, 4
		jge	short loc_5F51EC

loc_5F51AB:				; CODE XREF: RtlpMuiRegAddAlternateCodePage+87F7Aj
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_5F51B0:				; CODE XREF: RtlpMuiRegAddAlternateCodePage+87FA5j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+30h+var_C]
		jnz	short loc_5F51B0
		sub	ecx, edx
		mov	edx, [esp+30h+var_1C]
		sar	ecx, 1
		inc	edx
		add	edx, ecx
		push	0
		mov	[esp+34h+var_1C], edx
		lea	esi, [esi+ecx*2]
		add	esi, 2
		pop	ecx
		cmp	edx, [esp+30h+var_20]
		jb	loc_5F5150
		jmp	short loc_5F51EC
; 

loc_5F51E1:				; CODE XREF: RtlpMuiRegAddAlternateCodePage+87F5Aj
		mov	eax, [esp+30h+var_10]
		or	ecx, 0FFFFFFFFh
		mov	[eax+14h], cx

loc_5F51EC:				; CODE XREF: RtlpMuiRegAddAlternateCodePage+87F02j
					; RtlpMuiRegAddAlternateCodePage+87F14j ...
		mov	ecx, edi
		call	ExFreeHeapPool
		jmp	loc_56D27D
; END OF FUNCTION CHUNK	FOR RtlpMuiRegAddAlternateCodePage
; 
; START	OF FUNCTION CHUNK FOR _RtlpRemovePendingDeleteLanguages

loc_5F51F8:				; CODE XREF: _RtlpRemovePendingDeleteLanguages+81j
					; _RtlpRemovePendingDeleteLanguages+88024j
		lea	eax, [ebp+var_234]
		push	eax
		push	200h
		lea	eax, [ebp+var_220]
		push	eax
		push	0
		push	esi
		push	[ebp+var_228]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	[ebp+var_224], eax
		test	eax, eax
		js	short loc_5F52A2
		mov	edx, [ebp+var_214]
		lea	ecx, [edx+18h]
		cmp	ecx, 1FEh
		jnb	short loc_5F52A2
		shr	edx, 1
		xor	eax, eax
		mov	word ptr [ebp+edx*2+var_210], ax
		lea	eax, [ebp+var_230]
		push	eax
		push	ecx
		lea	edx, [ebp+var_210]
		mov	ecx, edi
		call	_RtlpMuiRegGetInstalledLanguageIndexByName@16 ;	RtlpMuiRegGetInstalledLanguageIndexByName(x,x,x,x)
		test	eax, eax
		js	short loc_5F529C
		mov	eax, [ebp+var_230]
		or	ecx, 0FFFFFFFFh
		cmp	cx, ax
		jz	short loc_5F529C
		cmp	ax, [ebp+var_22A]
		jz	short loc_5F529C
		cwde
		mov	edx, 0FFDFh
		imul	ecx, eax, 1Ch
		mov	eax, [edi+14h]
		mov	eax, [eax+0Ch]
		and	[ecx+eax], dx
		mov	edx, 8000h
		movsx	eax, word ptr [ebp+var_230]
		imul	ecx, eax, 1Ch
		mov	eax, [edi+14h]
		mov	eax, [eax+0Ch]
		or	[ecx+eax], dx

loc_5F529C:				; CODE XREF: _RtlpRemovePendingDeleteLanguages+87FD3j
					; _RtlpRemovePendingDeleteLanguages+87FE1j ...
		mov	eax, [ebp+var_224]

loc_5F52A2:				; CODE XREF: _RtlpRemovePendingDeleteLanguages+87F9Dj
					; _RtlpRemovePendingDeleteLanguages+87FAEj
		inc	esi
		cmp	eax, 8000001Ah
		jnz	loc_5F51F8
		cmp	[ebp+var_228], 0
		jz	loc_56D30B
		push	[ebp+var_228]
		call	NtClose
		jmp	loc_56D30B
; END OF FUNCTION CHUNK	FOR _RtlpRemovePendingDeleteLanguages
; 
; START	OF FUNCTION CHUNK FOR _IsMachineLanguageListInMutableLocation

loc_5F52CB:				; CODE XREF: _IsMachineLanguageListInMutableLocation+33j
		push	offset aMachinelanguag ; "MachineLanguageListMigrationState"
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20], ebx
		push	eax
		mov	[ebp+var_1C], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		pop	eax
		mov	[ebp+var_10], eax
		lea	edx, [ebp+var_20]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_C]
		push	ecx		; int
		mov	ecx, [ebp+var_4]
		push	eax		; int
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	eax		; void *
		lea	eax, [ebp+var_10]
		push	eax		; int
		call	LdrpQueryValueKey
		test	eax, eax
		js	loc_56D361
		cmp	[ebp+var_8], 1
		jnz	loc_56D361
		mov	bl, 1
		jmp	loc_56D361
; 

loc_5F531C:				; CODE XREF: _IsMachineLanguageListInMutableLocation+3Dj
		push	[ebp+var_4]
		call	NtClose
		jmp	loc_56D36B
; END OF FUNCTION CHUNK	FOR _IsMachineLanguageListInMutableLocation
; 
; START	OF FUNCTION CHUNK FOR _RtlpMuiRegLoadInstalledFromKey

loc_5F5329:				; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+1C4j
					; _RtlpMuiRegLoadInstalledFromKey+1D4j
		and	esi, 0FFFFFEFFh
		or	esi, 80h
		mov	[ebp+var_230], esi
		mov	edx, esi
		jmp	loc_56D54A
; END OF FUNCTION CHUNK	FOR _RtlpMuiRegLoadInstalledFromKey
; 
; START	OF FUNCTION CHUNK FOR RtlpGetNameFromLangInfoNode

loc_5F5342:				; CODE XREF: RtlpGetNameFromLangInfoNode+22j
		movzx	eax, word ptr [edx+4]
		mov	ecx, 1000h
		cmp	ax, cx
		jz	loc_56D637
		mov	ecx, 1400h
		cmp	ax, cx
		jz	loc_56D637
		push	edi
		push	eax
		call	_RtlLCIDToCultureName@8	; RtlLCIDToCultureName(x,x)
		test	al, al
		jnz	loc_56D62F
		jmp	loc_56D637
; END OF FUNCTION CHUNK	FOR RtlpGetNameFromLangInfoNode
; 
; START	OF FUNCTION CHUNK FOR RtlpMuiRegCreateKernelRegistryInfo

loc_5F5376:				; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+52j
		mov	esi, 0C0000017h
		jmp	loc_56D7C8
; 

loc_5F5380:				; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+1Dj
					; RtlpMuiRegCreateKernelRegistryInfo+25j ...
		mov	esi, 0C000000Dh

loc_5F5385:				; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+157j
		test	edi, edi
		jz	loc_56D7B0
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_56D7B0
; END OF FUNCTION CHUNK	FOR RtlpMuiRegCreateKernelRegistryInfo
; 
; START	OF FUNCTION CHUNK FOR LdrpGetParentLangId

loc_5F539A:				; CODE XREF: LdrpGetParentLangId+2Dj
		push	ecx		; int
		push	ecx		; int
		lea	edx, [ebp+var_15C] ; int
		lea	ecx, [ebp+var_B0] ; void *
		call	_DownLevelGetParentLanguageName@16 ; DownLevelGetParentLanguageName(x,x,x,x)
		cmp	eax, 2
		jge	short loc_5F53B6
		xor	eax, eax
		jmp	short loc_5F53C7
; 

loc_5F53B6:				; CODE XREF: LdrpGetParentLangId+8FBC2j
		push	2
		pop	edx
		lea	ecx, [ebp+var_15C] ; void *
		call	_DownLevelLanguageNameToLangID@8 ; DownLevelLanguageNameToLangID(x,x)
		movzx	eax, ax

loc_5F53C7:				; CODE XREF: LdrpGetParentLangId+8FBC6j
		mov	[esi], ax
		xor	eax, eax
		jmp	loc_565826
; END OF FUNCTION CHUNK	FOR LdrpGetParentLangId
; 
; START	OF FUNCTION CHUNK FOR DownLevelLangIDToLanguageName

loc_5F53D1:				; CODE XREF: DownLevelLangIDToLanguageName+18j
		test	esi, esi
		jnz	loc_5658C2
		jmp	loc_565852
; END OF FUNCTION CHUNK	FOR DownLevelLangIDToLanguageName
; 
; START	OF FUNCTION CHUNK FOR RtlpMuiRegLoadLicInformation

loc_5F53DE:				; CODE XREF: RtlpMuiRegLoadLicInformation+53j
		mov	esi, 0C000000Dh
		mov	eax, ebx
		jmp	loc_56DC3A
; 

loc_5F53EA:				; CODE XREF: RtlpMuiRegLoadLicInformation+73j
		mov	ecx, [esp+58h+var_4C]
		mov	[esp+58h+var_1C], 1
		test	ecx, ecx
		jz	short loc_5F53FF
		call	ExFreeHeapPool

loc_5F53FF:				; CODE XREF: RtlpMuiRegLoadLicInformation+87C1Cj
		mov	[esp+58h+var_4C], esi
		jmp	loc_56D855
; 

loc_5F5408:				; CODE XREF: RtlpMuiRegLoadLicInformation+D5j
		xor	edx, edx
		mov	eax, edx
		mov	[esp+58h+var_44], edx
		jmp	loc_56D8FF
; 

loc_5F5415:				; CODE XREF: RtlpMuiRegLoadLicInformation+129j
		mov	[esp+58h+var_24], edx
		jmp	short loc_5F541F
; 

loc_5F541B:				; CODE XREF: RtlpMuiRegLoadLicInformation+367j
		mov	[esp+58h+var_20], edx

loc_5F541F:				; CODE XREF: RtlpMuiRegLoadLicInformation+87C3Dj
					; RtlpMuiRegLoadLicInformation+87CB7j
		mov	esi, 0C0000017h
		jmp	loc_56DC22
; 

loc_5F5429:				; CODE XREF: RtlpMuiRegLoadLicInformation+15Aj
		mov	ebx, [esp+58h+var_24]
		mov	edi, [esp+58h+var_2C]

loc_5F5431:				; CODE XREF: RtlpMuiRegLoadLicInformation+87C8Fj
		xor	eax, eax
		mov	[ebx], ax
		add	ebx, 2
		push	edi
		lea	eax, [esp+5Ch+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+58h+var_3C]
		push	eax
		lea	eax, [esp+5Ch+var_8]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jz	short loc_5F5458
		inc	esi

loc_5F5458:				; CODE XREF: RtlpMuiRegLoadLicInformation+87C79j
		push	offset ??_C@_13PJJBFPED@?$AA?$DL@FNODOBFM@ ; wchar_t *
		push	ebx		; wchar_t *
		mov	edi, ebx
		call	_wcspbrk
		mov	ebx, eax
		pop	ecx
		pop	ecx
		test	ebx, ebx
		jnz	short loc_5F5431
		mov	[esp+58h+var_2C], edi
		mov	edi, [esp+58h+var_34]
		mov	ebx, edi
		jmp	loc_56D93C
; 

loc_5F547C:				; CODE XREF: RtlpMuiRegLoadLicInformation+187j
		inc	esi
		jmp	loc_56D969
; 

loc_5F5482:				; CODE XREF: RtlpMuiRegLoadLicInformation+1F7j
		xor	edx, edx
		mov	ebx, edx
		mov	[esp+58h+var_40], edx
		jmp	loc_56DA1F
; 

loc_5F548F:				; CODE XREF: RtlpMuiRegLoadLicInformation+249j
		mov	[esp+58h+var_30], edx
		jmp	short loc_5F541F
; 

loc_5F5495:				; CODE XREF: RtlpMuiRegLoadLicInformation+278j
		mov	edi, [esp+58h+var_10]
		mov	ebx, [esp+58h+var_2C]

loc_5F549D:				; CODE XREF: RtlpMuiRegLoadLicInformation+87CFBj
		xor	eax, eax
		mov	[edi], ax
		add	edi, 2
		push	ebx
		lea	eax, [esp+5Ch+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+58h+var_3C]
		push	eax
		lea	eax, [esp+5Ch+var_8]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jz	short loc_5F54C4
		inc	esi

loc_5F54C4:				; CODE XREF: RtlpMuiRegLoadLicInformation+87CE5j
		push	offset ??_C@_13PJJBFPED@?$AA?$DL@FNODOBFM@ ; wchar_t *
		push	edi		; wchar_t *
		mov	ebx, edi
		call	_wcspbrk
		mov	edi, eax
		pop	ecx
		pop	ecx
		test	edi, edi
		jnz	short loc_5F549D
		mov	edi, [esp+58h+var_34]
		mov	[esp+58h+var_2C], ebx
		mov	ebx, [esp+58h+var_40]
		jmp	loc_56DA5A
; 

loc_5F54EA:				; CODE XREF: RtlpMuiRegLoadLicInformation+2A5j
		inc	esi
		jmp	loc_56DA87
; 

loc_5F54F0:				; CODE XREF: RtlpMuiRegLoadLicInformation+315j
		xor	edx, edx
		mov	edi, edx
		mov	[esp+58h+var_34], edx
		jmp	loc_56DB3D
; 

loc_5F54FD:				; CODE XREF: RtlpMuiRegLoadLicInformation+412j
		mov	ecx, edi
		call	ExFreeHeapPool
		jmp	loc_56DBF4
; 

loc_5F5509:				; CODE XREF: RtlpMuiRegLoadLicInformation+454j
		test	ebx, ebx
		jz	loc_56DC36
		mov	ecx, ebx
		call	ExFreeHeapPool
		xor	eax, eax
		mov	ebx, eax
		mov	[esp+58h+var_30], eax
		mov	eax, [esp+58h+var_44]
		jmp	loc_56DC36
; END OF FUNCTION CHUNK	FOR RtlpMuiRegLoadLicInformation
; 
; START	OF FUNCTION CHUNK FOR StringCchCopyNW

loc_5F5529:				; CODE XREF: StringCchCopyNW+1Ej
		mov	eax, 80070057h

loc_5F552E:				; CODE XREF: StringCchCopyNW+3Fj
		xor	edx, edx
		mov	[ecx], dx
		jmp	loc_5658F6
; END OF FUNCTION CHUNK	FOR StringCchCopyNW
; 
; START	OF FUNCTION CHUNK FOR IsNeutralLanguageItem

loc_5F5538:				; CODE XREF: IsNeutralLanguageItem+4j
		cmp	word ptr [ecx+4], 7Fh
		jz	loc_565964
		xor	eax, eax
		inc	eax
		retn
; END OF FUNCTION CHUNK	FOR IsNeutralLanguageItem
; 
; START	OF FUNCTION CHUNK FOR OpenGlobalizationUserSettingsKey

loc_5F5547:				; CODE XREF: OpenGlobalizationUserSettingsKey+15j
		sub	eax, 1
		jz	short loc_5F556E
		sub	eax, 1
		jz	short loc_5F555B
		mov	eax, 0C00000E5h
		jmp	loc_56598B
; 

loc_5F555B:				; CODE XREF: OpenGlobalizationUserSettingsKey+8FBE7j
		and	[ebp+arg_0], 0
		lea	eax, [ebp+arg_0]
		push	eax
		push	esi
		call	OpenGlobalizationUserSettingsKey_ForMua
		jmp	loc_56598B
; 

loc_5F556E:				; CODE XREF: OpenGlobalizationUserSettingsKey+8FBE2j
		mov	edx, esi
		call	OpenGlobalizationUserSettingsKey_ForSingleUserModel
		jmp	loc_56598B
; END OF FUNCTION CHUNK	FOR OpenGlobalizationUserSettingsKey
; 
; START	OF FUNCTION CHUNK FOR GetGlobalizationUserModelType

loc_5F557A:				; CODE XREF: GetGlobalizationUserModelType+14j
		call	_RtlIsMultiUsersInSessionSku@0 ; RtlIsMultiUsersInSessionSku()
		xor	ecx, ecx
		test	al, al
		setnz	cl
		add	ecx, 2
		jmp	loc_5659B5
; END OF FUNCTION CHUNK	FOR GetGlobalizationUserModelType
; 
; START	OF FUNCTION CHUNK FOR RaspGetXExtent

loc_5F558E:				; CODE XREF: RaspGetXExtent+E1j
		mov	esi, 0C0000017h

loc_5F5593:				; CODE XREF: RaspGetXExtent+C6j
		mov	ebx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		jmp	loc_56DD5F
; 

loc_5F559E:				; CODE XREF: RaspGetXExtent+8Aj
					; RaspGetXExtent+92j
		test	ebx, ebx
		jz	loc_56DD76
		cmp	dword ptr [edi], 0
		jnz	loc_56DD76
		mov	ecx, ebx
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	loc_56DD76
; END OF FUNCTION CHUNK	FOR RaspGetXExtent
; 
; START	OF FUNCTION CHUNK FOR KiProcessorStart

loc_5F55BB:				; CODE XREF: KiProcessorStart+41j
		sub	eax, 1
		jz	short loc_5F55CF
		mov	ds:_KiProcessorStartControl, 0FFh
		jmp	loc_5A3295
; 

loc_5F55CF:				; CODE XREF: KiProcessorStart+52342j
		mov	ds:_KiProcessorStartControl, 1
		call	_KiSetHaltedNmiandDoubleFaultHandler@0 ; KiSetHaltedNmiandDoubleFaultHandler()
		cli

loc_5F55DF:				; CODE XREF: KiProcessorStart+52364j
		hlt
		jmp	short loc_5F55DF
; END OF FUNCTION CHUNK	FOR KiProcessorStart
; 
; START	OF FUNCTION CHUNK FOR KeBalanceSetManager

loc_5F55E2:				; CODE XREF: KeBalanceSetManager+6Cj
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	esi, eax
		cmp	esi, 1
		jbe	loc_56DFF6
		mov	edx, edi
		mov	eax, edi

loc_5F55FB:				; CODE XREF: KeBalanceSetManager+87687j
		mov	ecx, ds:_KiProcessorBlock[edx*4]
		add	eax, [ecx+3CE4h]
		inc	edx
		cmp	edx, esi
		jb	short loc_5F55FB
		cdq
		idiv	esi
		dec	esi
		xor	edx, edx
		mov	ebx, eax
		mov	[ebp+var_C], ebx

loc_5F5618:				; CODE XREF: KeBalanceSetManager+876BAj
		mov	eax, ds:_KiProcessorBlock[edi*4]
		mov	ecx, ebx
		add	eax, 3CE4h
		mov	[ebp+var_8], eax
		sub	ecx, [eax]
		jz	short loc_5F563B
		mov	ebx, [ebp+var_8]
		mov	eax, ecx
		lock xadd [ebx], eax
		mov	ebx, [ebp+var_C]
		add	edx, ecx

loc_5F563B:				; CODE XREF: KeBalanceSetManager+876A7j
		inc	edi
		cmp	edi, esi
		jb	short loc_5F5618
		mov	ebx, [ebp+var_4]
		test	edx, edx
		jz	short loc_5F5659
		mov	eax, ds:_KiProcessorBlock[edi*4]
		neg	edx
		add	eax, 3CE4h
		lock xadd [eax], edx

loc_5F5659:				; CODE XREF: KeBalanceSetManager+876C1j
		xor	edi, edi
		jmp	loc_56DFF6
; 

loc_5F5660:				; CODE XREF: KeBalanceSetManager+B5j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		jmp	loc_56E025
; END OF FUNCTION CHUNK	FOR KeBalanceSetManager
; 
; START	OF FUNCTION CHUNK FOR CcQueueLazyWriteScanThread

loc_5F566D:				; CODE XREF: CcQueueLazyWriteScanThread+B2j
		sub	eax, 1
		jz	short loc_5F5688
		sub	eax, 1
		jz	short loc_5F5681
		sub	eax, 1
		jnz	short loc_5F569A
		jmp	loc_5F5767
; 

loc_5F5681:				; CODE XREF: CcQueueLazyWriteScanThread+875A3j
		push	10h
		jmp	loc_56E29B
; 

loc_5F5688:				; CODE XREF: CcQueueLazyWriteScanThread+8759Ej
		push	8
		jmp	loc_56E29B
; 

loc_5F568F:				; CODE XREF: CcQueueLazyWriteScanThread+A0j
		xor	ecx, ecx
		inc	ecx
		mov	esi, ecx
		mov	[ebp+var_AD], cl

loc_5F569A:				; CODE XREF: CcQueueLazyWriteScanThread+875A8j
		test	esi, esi
		jz	loc_5F5767
		jmp	loc_56E18D
; 

loc_5F56A7:				; CODE XREF: CcQueueLazyWriteScanThread+DBj
		mov	edx, ecx
		inc	ecx
		jmp	loc_56E198
; 

loc_5F56AF:				; CODE XREF: CcQueueLazyWriteScanThread+F1j
		cmp	ds:_CcExternalCacheList, offset	_CcExternalCacheList
		jz	loc_56E1C9
		mov	eax, ds:_PspSystemPartition
		cmp	ebx, [eax+4]
		jnz	loc_56E1C9
		mov	ecx, esi
		call	_CcNotifyExternalCaches@4 ; CcNotifyExternalCaches(x)
		jmp	loc_56E1C9
; 

loc_5F56D9:				; CODE XREF: CcQueueLazyWriteScanThread+204j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_BC]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_56E30A
; 

loc_5F56EC:				; CODE XREF: CcQueueLazyWriteScanThread+232j
		lea	ecx, [ebp+var_BC]
		call	KxWaitForLockChainValid

loc_5F56F7:				; CODE XREF: CcQueueLazyWriteScanThread+212j
		xor	ecx, ecx
		mov	[ebp+var_BC], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_56E30A
; 

loc_5F570F:				; CODE XREF: CcQueueLazyWriteScanThread+135j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_BC]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_56E237
; 

loc_5F5722:				; CODE XREF: CcQueueLazyWriteScanThread+180j
		inc	ds:_CcDbgNumberOfFailedWorkQueueEntryAllocations
		lea	edx, [ebp+var_BC]
		lea	ecx, [ebx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	0
		mov	edx, esi
		mov	byte ptr [ebx+190h], 0
		mov	ecx, ebx
		call	CcSetLazyWriteScanQueued
		jmp	loc_56E2CD
; 

loc_5F574D:				; CODE XREF: CcQueueLazyWriteScanThread+CBj
		cmp	ecx, eax
		jz	short loc_5F5756
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5F5756:				; CODE XREF: CcQueueLazyWriteScanThread+8767Dj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	[ebp+var_C4]
		call	KeWaitForSingleObject

loc_5F5767:				; CODE XREF: CcQueueLazyWriteScanThread+875AAj
					; CcQueueLazyWriteScanThread+875CAj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; END OF FUNCTION CHUNK	FOR CcQueueLazyWriteScanThread
; 
; START	OF FUNCTION CHUNK FOR KiSetupTimeIncrement

loc_5F5778:				; CODE XREF: KiSetupTimeIncrement+1Fj
		mov	ecx, eax
		jmp	loc_56E3A1
; 

loc_5F577F:				; CODE XREF: KiSetupTimeIncrement+3Aj
					; KiSetupTimeIncrement+42j
		mov	esi, edx
		jmp	loc_56E3C4
; 

loc_5F5786:				; CODE XREF: KiSetupTimeIncrement+56j
		mov	ecx, eax
		mov	ds:_KiMinDynamicTickDuration, ecx
		jmp	loc_56E3D8
; 

loc_5F5793:				; CODE XREF: KiSetupTimeIncrement+80j
					; KiSetupTimeIncrement+8Cj
		mov	ds:_KiMaxDynamicTickDuration, ecx
		mov	ds:dword_70505C, ebx
		jmp	loc_56E40E
; END OF FUNCTION CHUNK	FOR KiSetupTimeIncrement

;  S U B	R O U T	I N E 


sub_5F57A4	proc near		; CODE XREF: RtlGenerateQpcToIncrementConstants+24j
		push	ebx
		movsx	ebx, cl
		xor	esi, esi
		mov	ecx, ebx
		inc	esi
		push	edi
		not	ecx
		shl	esi, cl
		add	esi, eax
		push	0
		pop	edi
		adc	edi, edx
		cmp	edi, edx
		jb	short loc_5F57C7
		ja	short loc_5F57C3
		cmp	esi, eax
		jb	short loc_5F57C7

loc_5F57C3:				; CODE XREF: sub_5F57A4+19j
		mov	eax, esi
		mov	edx, edi

loc_5F57C7:				; CODE XREF: sub_5F57A4+17j
					; sub_5F57A4+1Dj
		neg	ebx
		mov	ecx, ebx
		call	__aullshr
		pop	edi
		xor	cl, cl
		pop	ebx
		jmp	loc_56E506
sub_5F57A4	endp

; 
; START	OF FUNCTION CHUNK FOR RtlpComputeFraction

loc_5F57D9:				; CODE XREF: RtlpComputeFraction+1Dj
		mov	al, 20h
		jmp	loc_56E535
; 

loc_5F57E0:				; CODE XREF: RtlpComputeFraction+ABj
					; RtlpComputeFraction+B4j
		mov	eax, ebx
		mov	ecx, edx
		add	eax, 1
		adc	ecx, 0
		cmp	ecx, edx
		jb	loc_56E5C8
		ja	short loc_5F57FC
		cmp	eax, ebx
		jbe	loc_56E5C8

loc_5F57FC:				; CODE XREF: RtlpComputeFraction+872E4j
		mov	ebx, eax
		mov	edx, ecx
		jmp	loc_56E5C8
; END OF FUNCTION CHUNK	FOR RtlpComputeFraction
; 
; START	OF FUNCTION CHUNK FOR RtlpCountLeadingZeroes64

loc_5F5805:				; CODE XREF: RtlpCountLeadingZeroes64+16j
		bsr	ecx, [ebp+arg_0]
		jz	short loc_5F580F
		sub	al, cl
		jmp	short loc_5F5811
; 

loc_5F580F:				; CODE XREF: RtlpCountLeadingZeroes64+8722Dj
		mov	al, 20h

loc_5F5811:				; CODE XREF: RtlpCountLeadingZeroes64+87231j
		add	al, 20h
		jmp	locret_56E5FA
; END OF FUNCTION CHUNK	FOR RtlpCountLeadingZeroes64
; 
; START	OF FUNCTION CHUNK FOR PspRegisterResource

loc_5F5818:				; CODE XREF: PspRegisterResource+19j
		mov	eax, ds:_PspDefaultResourceLimits[ecx*4]
		and	eax, 0FFFFFFE4h
		or	eax, 64h
		jmp	loc_56E624
; END OF FUNCTION CHUNK	FOR PspRegisterResource
; 
; START	OF FUNCTION CHUNK FOR KvfInitFeatureStates

loc_5F582A:				; CODE XREF: KvfInitFeatureStates+9j
		xor	edx, edx
		mov	ds:_KvfFeatureStates, edx
		jmp	loc_56E63F
; 

loc_5F5837:				; CODE XREF: KvfInitFeatureStates+19j
		test	dl, 2
		jz	locret_56E64F
		mov	eax, edx
		and	edx, 0FFFFFFFEh
		not	eax
		and	eax, 1
		or	eax, edx
		or	eax, 4
		mov	ds:_KvfFeatureStates, eax
		retn
; END OF FUNCTION CHUNK	FOR KvfInitFeatureStates
; 
; START	OF FUNCTION CHUNK FOR ExInitializePoolHeapManagement

loc_5F5855:				; CODE XREF: ExInitializePoolHeapManagement+5Dj
		mov	ecx, 4000000h
		jmp	loc_56E6B3
; 

loc_5F585F:				; CODE XREF: ExInitializePoolHeapManagement+84j
		lea	edi, [ecx+0A0h]
		lea	esi, [ebp+var_20]
		movsd
		movsd
		movsd
		mov	al, [ecx+109h]
		and	al, 0F9h
		or	al, 1
		mov	[ecx+109h], al
		mov	al, [ecx+189h]
		and	al, 0F9h
		or	al, 1
		mov	[ecx+189h], al
		jmp	loc_56E6DA
; END OF FUNCTION CHUNK	FOR ExInitializePoolHeapManagement
; 
; START	OF FUNCTION CHUNK FOR InbvDetermineFunction

loc_5F5890:				; CODE XREF: InbvDetermineFunction+4Bj
		test	bl, bl
		jz	loc_56EA87
		push	2
		mov	ds:dword_6D4D4C, offset	off_6B2C80
		pop	edx
		jmp	loc_56EA81
; END OF FUNCTION CHUNK	FOR InbvDetermineFunction
; 
; START	OF FUNCTION CHUNK FOR HvlPhase1Initialize

loc_5F58AA:				; CODE XREF: HvlPhase1Initialize+18j
		test	byte ptr ds:_HvlpRootFlags, 4
		jnz	loc_56ED16
		push	offset _HvlpComponentName
		push	2
		push	offset _HvlpHvIdentityInfoCallback@16 ;	HvlpHvIdentityInfoCallback(x,x,x,x)
		push	offset _HvlpHvIdentityInfoCallbackRecord
		mov	ds:byte_706018,	0
		call	KeRegisterBugCheckReasonCallback
		jmp	loc_56ED16
; 

loc_5F58D9:				; CODE XREF: HvlPhase1Initialize+25j
		mov	ecx, large fs:20h
		call	_HvlpSetupCachedHypercallPages@4 ; HvlpSetupCachedHypercallPages(x)
		call	_HvlpInitializePowerStatistics@0 ; HvlpInitializePowerStatistics()
		test	byte ptr ds:_HvlpRootFlags, 10h
		jz	short loc_5F5926
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		lea	edx, [ebp+var_18]
		xor	ecx, ecx
		inc	ecx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_8]
		push	eax
		call	_HvlpMapStatisticsPage@12 ; HvlpMapStatisticsPage(x,x,x)
		test	eax, eax
		js	short loc_5F5926
		push	2
		push	1000h
		push	[ebp+var_4]
		push	[ebp+var_8]
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		mov	ds:_HvlpHypervisorStatsPage, eax

loc_5F5926:				; CODE XREF: HvlPhase1Initialize+86BF9j
					; HvlPhase1Initialize+86C15j
		mov	cl, 1
		call	_HvlConfigureMemoryZeroingOnReset@4 ; HvlConfigureMemoryZeroingOnReset(x)
		or	ds:_HvlpFlags, 8
		jmp	loc_56ED23
; END OF FUNCTION CHUNK	FOR HvlPhase1Initialize
; 
; START	OF FUNCTION CHUNK FOR RtlStringExValidateSrcA

loc_5F5939:				; CODE XREF: RtlStringExValidateSrcA+Cj
		cmp	dword ptr [ecx], 0
		jnz	loc_56EDAE
		mov	dword ptr [ecx], offset	??_C@_00CNPNBAHC@@FNODOBFM@
		jmp	loc_56EDAE
; END OF FUNCTION CHUNK	FOR RtlStringExValidateSrcA
; 
; START	OF FUNCTION CHUNK FOR SepInitProcessAuditSd

loc_5F594D:				; CODE XREF: SepInitProcessAuditSd+12j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	ds:_SepProcessAuditSd, esi
		jmp	loc_56EE3A
; 

loc_5F5960:				; CODE XREF: SepInitProcessAuditSd+1Ej
		mov	eax, ds:_SeWorldSid
		push	64536553h
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:18h[eax*4]
		mov	[ebp+var_4], eax
		add	eax, 14h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_5F5ABA
		push	2		; int
		push	[ebp+var_4]	; size_t
		lea	edi, [ebx+14h]
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		test	eax, eax
		js	loc_5F5ABF
		sub	esp, 0Ch
		mov	ecx, edi
		push	ds:_SepProcessAccessesToAudit
		call	_RtlAddAuditAccessAce@24 ; RtlAddAuditAccessAce(x,x,x,x,x,x)
		test	eax, eax
		js	loc_5F5ABF
		push	1
		push	ebx
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		js	loc_5F5ABF
		push	0
		push	edi
		push	1
		push	ebx
		call	_RtlSetSaclSecurityDescriptor@16 ; RtlSetSaclSecurityDescriptor(x,x,x,x)
		test	eax, eax
		js	loc_5F5ABF
		mov	eax, ds:_SeIUserSid
		push	64536553h
		mov	ds:_SepProcessAuditSd, ebx
		movzx	ecx, byte ptr [eax+1]
		mov	eax, ds:_SeNetworkServiceSid
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		mov	eax, ds:_SeLocalServiceSid
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		mov	eax, ds:_SeLocalSystemSid
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		lea	eax, ds:48h[ecx*4]
		mov	[ebp+var_4], eax
		add	eax, 14h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_5F5ABA
		push	2		; int
		push	[ebp+var_4]	; size_t
		lea	edi, [esi+14h]
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		test	eax, eax
		js	short loc_5F5ABF
		push	ds:_SeLocalSystemSid
		push	1
		push	2
		push	edi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		test	eax, eax
		js	short loc_5F5ABF
		push	ds:_SeLocalServiceSid
		push	1
		push	2
		push	edi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		test	eax, eax
		js	short loc_5F5ABF
		push	ds:_SeNetworkServiceSid
		push	1
		push	2
		push	edi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		test	eax, eax
		js	short loc_5F5ABF
		push	ds:_SeIUserSid
		push	1
		push	2
		push	edi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		test	eax, eax
		js	short loc_5F5ABF
		push	1
		push	esi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		js	short loc_5F5ABF
		push	0
		push	edi
		push	1
		push	esi
		call	RtlSetDaclSecurityDescriptor
		test	eax, eax
		js	short loc_5F5ABF
		mov	ds:_SepImportantProcessSd, esi
		jmp	loc_56EE46
; 

loc_5F5ABA:				; CODE XREF: SepInitProcessAuditSd+86B65j
					; SepInitProcessAuditSd+86C0Aj
		mov	eax, 0C000009Ah

loc_5F5ABF:				; CODE XREF: SepInitProcessAuditSd+86B7Bj
					; SepInitProcessAuditSd+86B93j	...
		push	eax
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		test	ebx, ebx
		jz	short loc_5F5AD8
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	ds:_SepProcessAuditSd, 0

loc_5F5AD8:				; CODE XREF: SepInitProcessAuditSd+86CA5j
		test	esi, esi
		jz	loc_56EE46
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	ds:_SepImportantProcessSd, 0
		jmp	loc_56EE46
; END OF FUNCTION CHUNK	FOR SepInitProcessAuditSd
; 
; START	OF FUNCTION CHUNK FOR MiDereferenceSegmentThread

loc_5F5AF4:				; CODE XREF: MiDereferenceSegmentThread+B7j
					; DATA XREF: .text:off_56EF6Co
		mov	ecx, edi	; case 0x5
		call	_MiDeleteControlAreaList@4 ; MiDeleteControlAreaList(x)
		jmp	loc_56EF01	; default
; 

loc_5F5B00:				; CODE XREF: MiDereferenceSegmentThread+B7j
					; DATA XREF: .text:off_56EF6Co
		lea	eax, [edi+370h]	; case 0x3
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		xor	edx, edx
		mov	ecx, edi
		call	_MiRemoveUnusedSegments@8 ; MiRemoveUnusedSegments(x,x)
		jmp	loc_56EF01	; default
; 

loc_5F5B1A:				; CODE XREF: MiDereferenceSegmentThread+B7j
					; DATA XREF: .text:off_56EF6Co
		push	offset unk_6D2E94 ; case 0x7
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_5F5B24:				; CODE XREF: MiDereferenceSegmentThread+86CCCj
		push	0
		push	1
		push	40h
		pop	edx
		xor	ecx, ecx
		call	_CcUnmapInactiveViews@16 ; CcUnmapInactiveViews(x,x,x,x)
		test	eax, eax
		jz	loc_56EF01	; default
		cmp	ds:dword_6D4254, 8000000h
		jbe	short loc_5F5B24
		jmp	loc_56EF01	; default
; 

loc_5F5B4B:				; CODE XREF: MiDereferenceSegmentThread+B7j
					; DATA XREF: .text:off_56EF6Co
		mov	ecx, edi	; case 0x4
		call	_MiProcessDeleteOnClose@4 ; MiProcessDeleteOnClose(x)
		jmp	loc_56EF01	; default
; 

loc_5F5B57:				; CODE XREF: MiDereferenceSegmentThread+B7j
					; DATA XREF: .text:off_56EF6Co
		cmp	edi, offset _MiSystemPartition ; case 0x0
		jnz	short loc_5F5B89
		lea	esi, [edi+424h]

loc_5F5B65:				; CODE XREF: MiDereferenceSegmentThread+86CFAj
		cmp	[esi], esi
		jz	short loc_5F5B74
		mov	ecx, edi
		call	_MiDeleteCachedSegment@4 ; MiDeleteCachedSegment(x)
		test	eax, eax
		jnz	short loc_5F5B65

loc_5F5B74:				; CODE XREF: MiDereferenceSegmentThread+86CEFj
		mov	ecx, edi
		mov	byte ptr [edi+418h], 1
		call	_MiProcessDeleteOnClose@4 ; MiProcessDeleteOnClose(x)
		mov	ecx, edi
		call	_MiDeleteControlAreaList@4 ; MiDeleteControlAreaList(x)

loc_5F5B89:				; CODE XREF: MiDereferenceSegmentThread+86CE5j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; END OF FUNCTION CHUNK	FOR MiDereferenceSegmentThread
; 
; START	OF FUNCTION CHUNK FOR MiInitializeCommitment

loc_5F5B9A:				; CODE XREF: MiInitializeCommitment+29j
		mov	[esi+0D9Ch], ecx
		jmp	loc_56EFD7
; END OF FUNCTION CHUNK	FOR MiInitializeCommitment
; 
; START	OF FUNCTION CHUNK FOR MiIncreaseCommitLimits

loc_5F5BA5:				; CODE XREF: MiIncreaseCommitLimits+47j
		mov	ecx, ebx
		jmp	short loc_5F5BBC
; 

loc_5F5BA9:				; CODE XREF: MiIncreaseCommitLimits+54j
		mov	edx, ebx
		mov	ecx, esi
		call	_MiRestockOverCommit@8 ; MiRestockOverCommit(x,x)
		mov	ecx, ebx
		sub	ecx, eax
		jz	loc_56F11C

loc_5F5BBC:				; CODE XREF: MiIncreaseCommitLimits+86AE5j
		lea	eax, [esi+10BCh]
		lock xadd [eax], ecx
		jmp	loc_56F11C
; 

loc_5F5BCB:				; CODE XREF: MiIncreaseCommitLimits+ADj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_56F197
; 

loc_5F5BDB:				; CODE XREF: MiIncreaseCommitLimits+CFj
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid

loc_5F5BE3:				; CODE XREF: MiIncreaseCommitLimits+B8j
		lea	ecx, [eax+4]
		mov	[ebp+var_10], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax
		jmp	loc_56F197
; END OF FUNCTION CHUNK	FOR MiIncreaseCommitLimits
; 
; START	OF FUNCTION CHUNK FOR MiSyncCommitSignals

loc_5F5BF8:				; CODE XREF: MiSyncCommitSignals+19j
		lea	ecx, [esi+0D98h]
		lea	edx, [ebp+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		jmp	loc_56F21D
; 

loc_5F5C0B:				; CODE XREF: MiSyncCommitSignals+31j
		mov	ecx, [esi+0ACh]
		cmp	eax, [esi+0D94h]
		jb	short loc_5F5C48
		cmp	[ecx+4], edx
		jnz	short loc_5F5C28
		push	edx
		push	edx
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	edx, edx

loc_5F5C28:				; CODE XREF: MiSyncCommitSignals+86A22j
		mov	eax, [esi+1114h]
		cmp	eax, [esi+0D84h]
		jnz	short loc_5F5C43
		push	edx
		push	edx
		push	dword ptr [esi+0B0h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_5F5C43:				; CODE XREF: MiSyncCommitSignals+86A3Aj
		xor	edi, edi
		inc	edi
		jmp	short loc_5F5C61
; 

loc_5F5C48:				; CODE XREF: MiSyncCommitSignals+86A1Dj
		xor	edi, edi
		inc	edi
		cmp	[ecx+4], edi
		jnz	short loc_5F5C61
		push	ecx
		call	_KeResetEvent@4	; KeResetEvent(x)
		push	dword ptr [esi+0B0h]
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_5F5C61:				; CODE XREF: MiSyncCommitSignals+86A4Cj
					; MiSyncCommitSignals+86A54j
		mov	ecx, [esi+0A8h]
		cmp	[ecx+4], edi
		jnz	loc_56F263
		push	ecx
		jmp	loc_56F25E
; 

loc_5F5C76:				; CODE XREF: MiSyncCommitSignals+6Bj
		test	ds:byte_70EFC6,	1
		jz	short loc_5F5C8C
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5F5CB8
; 

loc_5F5C8C:				; CODE XREF: MiSyncCommitSignals+86A83j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5F5CAB
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5F5CB8
		call	KxWaitForLockChainValid

loc_5F5CAB:				; CODE XREF: MiSyncCommitSignals+86A97j
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	edi

loc_5F5CB8:				; CODE XREF: MiSyncCommitSignals+86A90j
					; MiSyncCommitSignals+86AAAj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_56F26B
; END OF FUNCTION CHUNK	FOR MiSyncCommitSignals
; 
; START	OF FUNCTION CHUNK FOR MiUpdateReserveClusterInfo

loc_5F5CC6:				; CODE XREF: MiUpdateReserveClusterInfo+Ej
		mov	eax, [edx]
		mov	ecx, eax
		xor	ecx, [ebp+arg_0]
		and	ecx, 3FFh
		xor	ecx, eax
		lock cmpxchg [esi], ecx
		jmp	loc_56F311
; END OF FUNCTION CHUNK	FOR MiUpdateReserveClusterInfo
; 
; START	OF FUNCTION CHUNK FOR MiUpdatePageFileList

loc_5F5CDE:				; CODE XREF: MiUpdatePageFileList+29j
		push	edi
		push	offset dword_6D3480
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		jmp	loc_56F36E
; END OF FUNCTION CHUNK	FOR MiUpdatePageFileList
; 
; START	OF FUNCTION CHUNK FOR MiInitializePagefileBitmapsCache

loc_5F5CEE:				; CODE XREF: MiInitializePagefileBitmapsCache+79j
		test	eax, eax
		jz	short loc_5F5CF9
		xor	eax, ebx
		jmp	loc_56F427
; 

loc_5F5CF9:				; CODE XREF: MiInitializePagefileBitmapsCache+86948j
		xor	eax, eax
		jmp	loc_56F427
; 

loc_5F5D00:				; CODE XREF: MiInitializePagefileBitmapsCache+97j
					; MiInitializePagefileBitmapsCache+A1j
		mov	byte ptr [ebp+var_4], 1
		jmp	loc_56F453
; 

loc_5F5D09:				; CODE XREF: MiInitializePagefileBitmapsCache+C2j
		test	ecx, ecx
		jz	short loc_5F5D14
		xor	ecx, ebx
		jmp	loc_56F470
; 

loc_5F5D14:				; CODE XREF: MiInitializePagefileBitmapsCache+86963j
		xor	ecx, ecx
		jmp	loc_56F470
; END OF FUNCTION CHUNK	FOR MiInitializePagefileBitmapsCache
; 
; START	OF FUNCTION CHUNK FOR MiCheckPageFileMapping

loc_5F5D1B:				; CODE XREF: MiCheckPageFileMapping+24j
					; MiCheckPageFileMapping+2Ej
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, 0C000004Dh
		jmp	loc_56F570
; END OF FUNCTION CHUNK	FOR MiCheckPageFileMapping
; 
; START	OF FUNCTION CHUNK FOR IoConfigureCrashDump

loc_5F5D33:				; CODE XREF: IoConfigureCrashDump+5Ej
		sub	ebx, 1
		jz	short loc_5F5D42
		mov	esi, 0C0000010h
		jmp	loc_56F600
; 

loc_5F5D42:				; CODE XREF: IoConfigureCrashDump+867BEj
		cmp	ds:_ForceDumpDisabled, 0
		jz	short loc_5F5D55
		mov	esi, 0C00000BBh
		jmp	loc_56F600
; 

loc_5F5D55:				; CODE XREF: IoConfigureCrashDump+867D1j
		call	_MmGetPageFileForCrashDump@0 ; MmGetPageFileForCrashDump()
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_5F5D6A
		mov	esi, 0C0000034h
		jmp	loc_56F600
; 

loc_5F5D6A:				; CODE XREF: IoConfigureCrashDump+867E6j
		push	1
		mov	edi, offset _IopCrashDumpLock
		push	edi
		call	ExAcquireResourceExclusiveLite
		call	_IopDisableCrashDump@0 ; IopDisableCrashDump()
		mov	esi, eax
		test	esi, esi
		js	loc_56F5F9
		lea	eax, [esp+60h+var_48]
		push	eax
		lea	eax, [esp+64h+var_54]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		call	_RtlGetHostNtSystemRoot@0 ; RtlGetHostNtSystemRoot()
		mov	eax, [eax+4]
		mov	cx, [eax]
		mov	eax, [esp+60h+var_50]
		mov	[eax], cx
		mov	ecx, ebx
		push	[esp+60h+var_50]
		push	[esp+64h+var_54]
		call	IopInitializeCrashDump
		test	al, al
		jz	short loc_5F5DC6
		call	_IopRemoveDumpCapsuleSupport@0 ; IopRemoveDumpCapsuleSupport()
		xor	esi, esi
		jmp	loc_56F5F9
; 

loc_5F5DC6:				; CODE XREF: IoConfigureCrashDump+86840j
		cmp	ds:_CapsuleDumpAllowed,	0
		jz	short loc_5F5DD4
		call	_IopInitDumpCapsuleSupport@0 ; IopInitDumpCapsuleSupport()

loc_5F5DD4:				; CODE XREF: IoConfigureCrashDump+86855j
		mov	esi, 0C0000001h
		jmp	loc_56F5F9
; END OF FUNCTION CHUNK	FOR IoConfigureCrashDump
; 
; START	OF FUNCTION CHUNK FOR SecureDump_GetSecureDumpSettings

loc_5F5DDE:				; CODE XREF: SecureDump_GetSecureDumpSettings+Bj
		push	edi
		mov	edi, ecx
		xor	eax, eax
		stosd
		stosd
		stosd
		pop	edi
		jmp	loc_56F6B9
; END OF FUNCTION CHUNK	FOR SecureDump_GetSecureDumpSettings
; 
; START	OF FUNCTION CHUNK FOR CcInitializePartition

loc_5F5DEC:				; CODE XREF: CcInitializePartition+187j
		mov	eax, ds:_CcAzure_TopBottomDPTEqual
		test	eax, eax
		jz	short loc_5F5E1A
		cmp	eax, 1
		jz	short loc_5F5E1A
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	_MmGetNumberOfPhysicalPagesForPartitionObject@4	; MmGetNumberOfPhysicalPagesForPartitionObject(x)
		mov	edx, eax
		mov	ecx, esi
		shr	edx, 1
		mov	[ebx+1ACh], edx
		call	_MmGetNumberOfPhysicalPagesForPartitionObject@4	; MmGetNumberOfPhysicalPagesForPartitionObject(x)
		shr	eax, 3
		jmp	short loc_5F5E37
; 

loc_5F5E1A:				; CODE XREF: CcInitializePartition+86681j
					; CcInitializePartition+86686j
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	_MmGetNumberOfPhysicalPagesForPartitionObject@4	; MmGetNumberOfPhysicalPagesForPartitionObject(x)
		mov	edx, eax
		mov	ecx, esi
		shr	edx, 1
		mov	[ebx+1ACh], edx
		call	_MmGetNumberOfPhysicalPagesForPartitionObject@4	; MmGetNumberOfPhysicalPagesForPartitionObject(x)
		shr	eax, 1

loc_5F5E37:				; CODE XREF: CcInitializePartition+866A6j
		mov	[ebx+1B0h], eax
		mov	[ebx+1A8h], edx
		mov	eax, ds:_ExCriticalWorkerThreads
		dec	eax
		jmp	loc_56F921
; 

loc_5F5E4E:				; CODE XREF: CcInitializePartition+20Fj
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		imul	eax, ds:_CcAzure_LazyWriterPercentageOfNumProcs
		xor	edx, edx
		push	64h
		pop	ecx
		div	ecx
		xor	edx, edx
		cmp	[ebx+84h], eax
		jnb	loc_56F987
		mov	[ebx+84h], eax
		jmp	loc_56F987
; END OF FUNCTION CHUNK	FOR CcInitializePartition
; 
; START	OF FUNCTION CHUNK FOR CcInitializeAsyncRead

loc_5F5E7F:				; CODE XREF: CcInitializeAsyncRead+2EDj
		push	71576343h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, esi
		call	CcDereferencePartition
		jmp	loc_56FF28
; END OF FUNCTION CHUNK	FOR CcInitializeAsyncRead
; 
; START	OF FUNCTION CHUNK FOR CcInitializePartitionVacbs

loc_5F5E96:				; CODE XREF: CcInitializePartitionVacbs+4Ej
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_56FFAD
; 

loc_5F5EA5:				; CODE XREF: CcInitializePartitionVacbs+6Bj
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5F5EAC:				; CODE XREF: CcInitializePartitionVacbs+58j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_56FFAD
; 

loc_5F5EC0:				; CODE XREF: CcInitializePartitionVacbs+12Cj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_57008B
; 

loc_5F5ECF:				; CODE XREF: CcInitializePartitionVacbs+149j
		mov	ecx, esi
		call	KxWaitForLockChainValid
		xor	ecx, ecx
		inc	ecx

loc_5F5ED9:				; CODE XREF: CcInitializePartitionVacbs+136j
		mov	dword ptr [esi], 0
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_57008B
; 

loc_5F5EEA:				; CODE XREF: CcInitializePartitionVacbs+BDj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_57001C
; 

loc_5F5EF9:				; CODE XREF: CcInitializePartitionVacbs+DAj
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5F5F00:				; CODE XREF: CcInitializePartitionVacbs:loc_570003j
		mov	dword ptr [esi], 0
		add	eax, 4
		lock xor [eax],	ebx
		jmp	loc_57001C
; 

loc_5F5F11:				; CODE XREF: CcInitializePartitionVacbs+8Dj
		mov	[ebp+var_1], 0
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		push	0
		mov	edx, ebx
		mov	[ebp+var_2], al
		mov	ecx, edi
		call	_CcSetVacbInFreeList@12	; CcSetVacbInFreeList(x,x,x)
		mov	eax, large fs:20h
		xor	ebx, ebx
		inc	ebx
		lea	esi, [eax+438h]
		test	ds:byte_70EFC6,	bl
		jz	short loc_5F5F4B
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5F5F73
; 

loc_5F5F4B:				; CODE XREF: CcInitializePartitionVacbs+86001j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5F5F67
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5F5F73
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5F5F67:				; CODE XREF: CcInitializePartitionVacbs+86013j
		mov	dword ptr [esi], 0
		lea	ecx, [eax+4]
		lock xor [ecx],	ebx

loc_5F5F73:				; CODE XREF: CcInitializePartitionVacbs+8600Dj
					; CcInitializePartitionVacbs+86022j
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_57008F
; END OF FUNCTION CHUNK	FOR CcInitializePartitionVacbs
; 
; START	OF FUNCTION CHUNK FOR CcInsertVacbArray

loc_5F5F81:				; CODE XREF: CcInsertVacbArray+41j
		lea	edx, [ebx+264h]
		mov	edi, [edx+4]
		cmp	[edi], edx
		jnz	loc_570128
		mov	[ecx], edx
		mov	[ecx+4], edi
		mov	[edi], ecx
		mov	[edx+4], ecx
		inc	dword ptr [ebx+26Ch]
		jmp	loc_570108
; 

loc_5F5FA7:				; CODE XREF: CcInsertVacbArray+33j
		push	eax
		push	eax
		push	0C0000420h
		push	1D0h
		jmp	short loc_5F5FC1
; 

loc_5F5FB5:				; CODE XREF: CcInsertVacbArray+10j
		push	eax
		push	eax
		push	0C0000420h
		push	1B3h

loc_5F5FC1:				; CODE XREF: CcInsertVacbArray+85F17j
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5F5FC9:				; CODE XREF: CcAllocateInitializeVacbArray+1Ej
		mov	ecx, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [ecx+438h]
		jz	short loc_5F5FEB
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5F6013
; 

loc_5F5FEB:				; CODE XREF: CcInsertVacbArray+85F41j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5F6007
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5F6013
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5F6007:				; CODE XREF: CcInsertVacbArray+85F53j
		mov	dword ptr [esi], 0
		add	eax, 4
		lock xor [eax],	edi

loc_5F6013:				; CODE XREF: CcInsertVacbArray+85F4Dj
					; CcInsertVacbArray+85F62j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		jmp	loc_5701D8
; END OF FUNCTION CHUNK	FOR CcInsertVacbArray
; 
; START	OF FUNCTION CHUNK FOR CcAllocateInitializeVacbArray

loc_5F6022:				; CODE XREF: CcAllocateInitializeVacbArray+3Ej
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_57018F
; 

loc_5F6031:				; CODE XREF: CcAllocateInitializeVacbArray+5Bj
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5F6038:				; CODE XREF: CcAllocateInitializeVacbArray+48j
		mov	dword ptr [esi], 0
		add	eax, 4
		lock xor [eax],	edi
		jmp	loc_57018F
; 

loc_5F6049:				; CODE XREF: CcAllocateInitializeVacbArray+84j
		push	4
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, large fs:20h
		dec	ds:_CcVacbArraysAllocated
		test	ds:byte_70EFC6,	1
		mov	[ebp+var_1], al
		lea	edi, [ecx+438h]
		jz	short loc_5F607C
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5F60A7
; 

loc_5F607C:				; CODE XREF: CcAllocateInitializeVacbArray+85F40j
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_5F6098
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_5F60A7
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_5F6098:				; CODE XREF: CcAllocateInitializeVacbArray+85F52j
		xor	ecx, ecx
		mov	dword ptr [edi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5F60A7:				; CODE XREF: CcAllocateInitializeVacbArray+85F4Cj
					; CcAllocateInitializeVacbArray+85F61j
		mov	cl, [ebp+var_1]
		call	ebx
		jmp	loc_5701D6
; END OF FUNCTION CHUNK	FOR CcAllocateInitializeVacbArray
; 
; START	OF FUNCTION CHUNK FOR IoSetGenericIrpExtension

loc_5F60B1:				; CODE XREF: IoSetGenericIrpExtension+14j
		mov	ecx, [ebp+arg_0]
		push	2
		pop	edx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	loc_5701FC
		mov	eax, 0C0000021h
		jmp	loc_570222
; END OF FUNCTION CHUNK	FOR IoSetGenericIrpExtension
; 
; START	OF FUNCTION CHUNK FOR MiFreeUnusedPfnPagesDpc

loc_5F60CE:				; CODE XREF: MiFreeUnusedPfnPagesDpc+6Aj
		xor	eax, eax
		cmp	[edi], eax
		jnz	short loc_5F6102
		push	1
		push	offset dword_6D4E60
		mov	ds:dword_6D4E68, offset	MiFreeUnusedPfnPages
		mov	ds:dword_6D4E6C, offset	_MiSystemPartition
		mov	ds:dword_6D4E60, eax
		call	ExQueueWorkItem
		mov	ds:byte_6D4EB4,	1
		jmp	short loc_5F6127
; 

loc_5F6102:				; CODE XREF: MiFreeUnusedPfnPagesDpc+85E9Cj
		mov	ecx, [edi+4]
		mov	[ecx+8], eax
		lea	eax, [ecx+0Ch]
		mov	word ptr [ecx+4], 107h
		mov	byte ptr [ecx+6], 4
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, ds:dword_6D4E74
		mov	[ecx], eax
		mov	ds:dword_6D4E74, ecx

loc_5F6127:				; CODE XREF: MiFreeUnusedPfnPagesDpc+85ECAj
		mov	eax, 103h

loc_5F612C:				; CODE XREF: MiFreeUnusedPfnPagesDpc+79j
		push	offset unk_6D4EB0
		mov	[edi+8], eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, 2
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	dl, byte ptr [ebp+arg_C+3]
		mov	ecx, offset unk_6D3740
		call	MiUnlockWorkingSetExclusive
		mov	ecx, 80000000h

loc_5F6153:				; CODE XREF: MiFreeUnusedPfnPagesDpc+93j
		lock xadd [esi], ebx
		dec	ebx
		mov	edi, ebx
		not	edi
		and	edi, ecx
		test	ebx, 7FFFFFFFh
		jnz	short loc_5F617A
		mov	eax, [esi+4]
		or	eax, edi
		mov	[esi], eax

loc_5F616D:				; CODE XREF: MiFreeUnusedPfnPagesDpc+ABj
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_5F617A:				; CODE XREF: MiFreeUnusedPfnPagesDpc+85F2Ej
		mov	eax, [esi]
		and	[ebp+var_8], 0
		and	eax, ecx
		jmp	loc_5702DD
; END OF FUNCTION CHUNK	FOR MiFreeUnusedPfnPagesDpc
; 
; START	OF FUNCTION CHUNK FOR MiFreedUnusedPfnPagesWorker

loc_5F6187:				; CODE XREF: MiFreedUnusedPfnPagesWorker+34j
		lea	edx, [eax+8]
		mov	eax, [eax]
		lea	ebx, [edx+eax*8]
		jmp	short loc_5F61BC
; 

loc_5F6191:				; CODE XREF: MiFreedUnusedPfnPagesWorker+85ED8j
		mov	edi, [edx]
		cmp	esi, edi
		jnb	short loc_5F61AE
		mov	ecx, edi
		sub	ecx, esi
		cmp	ecx, 92h
		jnb	loc_570323
		mov	esi, [edx+4]
		add	esi, edi
		jmp	short loc_5F61B9
; 

loc_5F61AE:				; CODE XREF: MiFreedUnusedPfnPagesWorker+85EAFj
		mov	eax, [edx+4]
		add	eax, edi
		cmp	esi, eax
		jnb	short loc_5F61B9
		mov	esi, eax

loc_5F61B9:				; CODE XREF: MiFreedUnusedPfnPagesWorker+85EC6j
					; MiFreedUnusedPfnPagesWorker+85ECFj
		add	edx, 8

loc_5F61BC:				; CODE XREF: MiFreedUnusedPfnPagesWorker+85EA9j
		cmp	edx, ebx
		jb	short loc_5F6191
		mov	ecx, ds:dword_6D07B0
		jmp	loc_570320
; 

loc_5F61CB:				; CODE XREF: MiFreedUnusedPfnPagesWorker+13Fj
					; MiFreedUnusedPfnPagesWorker+153j
		lea	eax, [edi+1000h]
		mov	[esp+28h+var_18], eax
		jmp	loc_57043F
; END OF FUNCTION CHUNK	FOR MiFreedUnusedPfnPagesWorker
; 
; START	OF FUNCTION CHUNK FOR MiGetNextNonGapPfnPage

loc_5F61DA:				; CODE XREF: MiGetNextNonGapPfnPage+25j
		mov	edi, ds:_MmPfnDatabase
		shr	edi, 9
		and	edi, ecx
		sub	edi, edx
		jmp	loc_5704DF
; 

loc_5F61EC:				; CODE XREF: MiGetNextNonGapPfnPage+2Fj
		mov	eax, ds:dword_6D07B0
		inc	eax
		imul	eax, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	ebx, eax
		mov	[ebp+var_14], eax
		shr	ebx, 9
		and	ebx, ecx
		sub	ebx, edx
		test	ebx, 0FFFh
		jnz	loc_5704FA
		jmp	loc_5704F7
; 

loc_5F6218:				; CODE XREF: MiGetNextNonGapPfnPage+7Bj
		mov	eax, edi
		mov	[ebp+var_4], edi

loc_5F621D:				; CODE XREF: MiGetNextNonGapPfnPage+85D86j
		mov	ecx, eax
		call	_MiPfnDatabaseVaIsUnique@4 ; MiPfnDatabaseVaIsUnique(x)
		test	eax, eax
		mov	eax, [ebp+var_4]
		jnz	short loc_5F624B
		add	eax, 8
		mov	[ebp+var_4], eax
		cmp	eax, ebx
		ja	short loc_5F623C
		test	eax, 0FFFh
		jnz	short loc_5F621D

loc_5F623C:				; CODE XREF: MiGetNextNonGapPfnPage+85D7Fj
					; MiGetNextNonGapPfnPage+85D9Cj
		mov	edi, eax
		cmp	eax, ebx
		jbe	loc_57050D
		jmp	loc_5705AA
; 

loc_5F624B:				; CODE XREF: MiGetNextNonGapPfnPage+85D75j
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_5F623C
		add	eax, 8
		mov	esi, 1000h
		mov	[ebp+var_4], eax
		cmp	eax, ebx
		ja	loc_5705AA

loc_5F6265:				; CODE XREF: MiGetNextNonGapPfnPage+85DDCj
		test	eax, 0FFFh
		jz	loc_5705AA
		mov	ecx, eax
		call	_MiPfnDatabaseVaIsUnique@4 ; MiPfnDatabaseVaIsUnique(x)
		test	eax, eax
		jz	loc_5705AA
		mov	eax, [ebp+var_4]
		add	esi, 1000h
		add	eax, 8
		mov	[ebp+var_4], eax
		cmp	eax, ebx
		jbe	short loc_5F6265
		jmp	loc_57059F
; 

loc_5F6297:				; CODE XREF: MiGetNextNonGapPfnPage+94j
		shr	eax, 9
		and	eax, ecx
		sub	eax, 40000000h
		jmp	loc_57054E
; 

loc_5F62A6:				; CODE XREF: MiGetNextNonGapPfnPage+F0j
		mov	edx, eax
		mov	ecx, offset unk_6D3740
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	loc_5705AA
; END OF FUNCTION CHUNK	FOR MiGetNextNonGapPfnPage
; 
; START	OF FUNCTION CHUNK FOR MiPfnRangeIsZero

loc_5F62B7:				; CODE XREF: MiPfnRangeIsZero+28j
		mov	edx, eax
		mov	[ebp+var_4], eax
		jmp	loc_57061C
; 

loc_5F62C1:				; CODE XREF: MiPfnRangeIsZero+22Ej
					; MiPfnRangeIsZero+85CE1j
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, ebx
		sub	eax, 1
		jnz	short loc_5F62C1
		jmp	loc_5707AE
; 

loc_5F62D6:				; CODE XREF: MiPfnRangeIsZero+BCj
		and	eax, 20h
		or	eax, 0
		jz	loc_5706B0
		xor	edx, edx
		mov	ecx, esi
		push	0
		inc	edx
		call	MiClearSystemAccessBits
		jmp	loc_5706B0
; 

loc_5F62F3:				; CODE XREF: MiPfnRangeIsZero+FDj
		cmp	[ebp+var_10], 0
		jnz	short loc_5F62FC
		mov	[ebp+var_10], esi

loc_5F62FC:				; CODE XREF: MiPfnRangeIsZero+85D09j
		mov	[ebp+var_18], esi
		jmp	loc_5706F1
; 

loc_5F6304:				; CODE XREF: MiPfnRangeIsZero+12Cj
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		mov	[ebp+var_C], ebx
		push	2
		sub	esi, 40000000h
		inc	edi
		pop	ebx
		cmp	edi, ebx
		jge	loc_570723
		mov	edx, [ebp+var_20]
		jmp	loc_57069C
; 

loc_5F632A:				; CODE XREF: MiPfnRangeIsZero+227j
					; MiPfnRangeIsZero+85D51j
		cmp	ebx, 0C07FFFFFh
		ja	loc_570738
		shl	ebx, 9
		cmp	ebx, 0C0000000h
		jnb	short loc_5F632A
		jmp	loc_570738
; 

loc_5F6346:				; CODE XREF: MiPfnRangeIsZero+158j
		mov	edx, [ebp+var_18]
		mov	ecx, eax
		call	_MiReplicatePfnDatabaseMappings@8 ; MiReplicatePfnDatabaseMappings(x,x)
		jmp	loc_57074C
; 

loc_5F6355:				; CODE XREF: MiPfnRangeIsZero+193j
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax
		jmp	loc_570787
; END OF FUNCTION CHUNK	FOR MiPfnRangeIsZero
; 
; START	OF FUNCTION CHUNK FOR MiReplacePfnWithGapMapping

loc_5F6363:				; CODE XREF: MiReplacePfnWithGapMapping+58j
		and	ecx, 80h
		or	ecx, 0
		jz	loc_570880
		push	esi
		mov	edx, edi
		lea	ecx, [ebp+var_A0]
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)
		jmp	loc_57088E
; 

loc_5F6385:				; CODE XREF: MiReplacePfnWithGapMapping+26j
		mov	edx, ds:dword_6D3518[edi*4]
		mov	eax, edi
		neg	eax
		sbb	eax, eax
		and	eax, 88000003h
		add	eax, 20000001h
		push	eax
		call	MiMakeValidPte
		push	edx
		push	eax
		push	edi
		mov	edx, esi
		mov	ecx, esi
		call	MiTransformValidPteInPlace
		jmp	loc_5708A9
; END OF FUNCTION CHUNK	FOR MiReplacePfnWithGapMapping
; 
; START	OF FUNCTION CHUNK FOR MiClearSystemAccessBits

loc_5F63B3:				; CODE XREF: MiClearSystemAccessBits+A2j
		imul	eax, edi, -8
		add	esi, eax
		test	edi, edi
		jz	loc_570A2E

loc_5F63C0:				; CODE XREF: MiClearSystemAccessBits+85A5Fj
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_A4]
		push	esi
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)
		add	esi, 8
		sub	edi, 1
		jnz	short loc_5F63C0
		jmp	loc_570A2E
; END OF FUNCTION CHUNK	FOR MiClearSystemAccessBits
; 
; START	OF FUNCTION CHUNK FOR IoGetGenericIrpExtension

loc_5F63DC:				; CODE XREF: IoGetGenericIrpExtension+26j
		cmp	byte ptr [esi+27h], 0
		jge	short loc_5F63E7
		add	esi, 64h
		jmp	short loc_5F63EA
; 

loc_5F63E7:				; CODE XREF: IoGetGenericIrpExtension+8543Aj
		mov	esi, [esi+68h]

loc_5F63EA:				; CODE XREF: IoGetGenericIrpExtension+8543Fj
		movzx	eax, bx
		push	eax		; size_t
		lea	eax, [esi+4]
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch
		xor	edi, edi
		jmp	loc_570FD2
; END OF FUNCTION CHUNK	FOR IoGetGenericIrpExtension
; 
; START	OF FUNCTION CHUNK FOR CcAsyncReadWorker

loc_5F6404:				; CODE XREF: CcAsyncReadWorker+2B3j
		cmp	edi, 1
		jnz	short loc_5F6411
		push	2
		pop	edx
		jmp	loc_5710C9
; 

loc_5F6411:				; CODE XREF: CcAsyncReadWorker+85425j
		mov	edx, [ebp+var_20C]
		jmp	loc_5710CF
; 

loc_5F641C:				; CODE XREF: CcAsyncReadWorker+1B6j
		mov	ecx, [esi+258h]
		add	ecx, [ebp+var_230]
		mov	[ebp+var_208], ecx
		jmp	loc_57119E
; 

loc_5F6433:				; CODE XREF: CcAsyncReadWorker+227j
		push	73416343h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+8]
		and	dword ptr [esi+20h], 0
		mov	byte ptr [esi+48h], 6
		cmp	dword ptr [eax+170h], 1
		jnz	short loc_5F645B
		cmp	dword ptr [esi+1Ch], 20000h
		jbe	short loc_5F6469

loc_5F645B:				; CODE XREF: CcAsyncReadWorker+8546Ej
		xor	edx, edx
		mov	ecx, esi
		call	CcPostWorkQueueAsyncRead
		jmp	loc_571239
; 

loc_5F6469:				; CODE XREF: CcAsyncReadWorker+21Aj
					; CcAsyncReadWorker+85477j
		mov	ecx, esi
		call	CcCompleteAsyncRead
		mov	ecx, esi
		call	_CcFreeWorkQueueEntry@4	; CcFreeWorkQueueEntry(x)
		jmp	loc_571239
; 

loc_5F647C:				; CODE XREF: CcAsyncReadWorker+1F9j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		push	[ebp+var_214]
		lea	edx, [ebp+var_224]
		mov	ecx, esi
		call	CcShouldSpinAsyncReadWorkerThread
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	edi, [ebp+var_224]
		mov	[ebp+var_220], edi
		jmp	loc_571253
; 

loc_5F64B2:				; CODE XREF: CcAsyncReadWorker+280j
		mov	eax, [edi+18h]
		xor	edx, edx
		mov	ecx, [ebp+var_21C]
		and	dword ptr [ecx+eax*4], 0
		mov	ecx, edi
		and	dword ptr [edi], 0
		push	dword ptr [esi+4]
		push	0FFFFFFFFh
		call	ExQueueWorkItemToPartition
		mov	edx, [ebp+var_20C]
		xor	eax, eax
		mov	[ebp+var_220], eax
		mov	[ebp+var_224], eax

loc_5F64E4:				; CODE XREF: CcAsyncReadWorker+101j
		cmp	edx, 2
		jnz	loc_571268
		cmp	[ebp+var_218], 0
		jnz	short loc_5F6522
		push	71576343h
		push	[ebp+var_234]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, esi
		call	CcDereferencePartition
		jmp	short loc_5F6522
; 

loc_5F650F:				; CODE XREF: CcAsyncReadWorker+125j
					; CcAsyncReadWorker+130j
		mov	esi, [ebp+var_210]
		jmp	loc_57119E
; 

loc_5F651A:				; CODE XREF: CcAsyncReadWorker+1CFj
		test	ebx, ebx
		jnz	loc_571095

loc_5F6522:				; CODE XREF: CcAsyncReadWorker+85512j
					; CcAsyncReadWorker+8552Bj
		pop	edi
		pop	esi

loc_5F6524:				; CODE XREF: CcAsyncReadWorker+3Bj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; END OF FUNCTION CHUNK	FOR CcAsyncReadWorker
; 
; START	OF FUNCTION CHUNK FOR PoFxSetComponentLatency

loc_5F6533:				; CODE XREF: PoFxSetComponentLatency+45j
		mov	eax, ds:dword_6C1D74
		push	offset _POP_ETW_EVENT_COMPONENT_LATENCY
		push	eax
		mov	[ebp+var_40], eax
		mov	eax, ds:_PopDiagHandle
		push	eax
		mov	[ebp+var_44], eax
		call	EtwEventEnabled
		test	al, al
		jz	loc_57135F
		push	4
		pop	ecx
		lea	eax, [ebp+var_38]
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_34], eax
		xor	edx, edx
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_30], edx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	edx
		push	1
		push	edx
		push	edx
		push	offset _POP_ETW_EVENT_COMPONENT_LATENCY
		push	[ebp+var_40]
		mov	[ebp+var_28], edx
		push	[ebp+var_44]
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], 8
		mov	[ebp+var_8], edx
		call	EtwWriteEx
		jmp	loc_57135F
; END OF FUNCTION CHUNK	FOR PoFxSetComponentLatency
; 
; START	OF FUNCTION CHUNK FOR PopPepComponentSetLatency

loc_5F65AE:				; CODE XREF: PopPepComponentSetLatency+56j
		push	2
		mov	edx, ebx
		mov	[ebx+7Ch], eax
		mov	ecx, edi
		call	_PopPepCountReadyActivities@12 ; PopPepCountReadyActivities(x,x,x)
		push	1
		mov	edx, ebx
		mov	ecx, edi
		mov	esi, eax
		call	_PopPepUpdateIdleState@12 ; PopPepUpdateIdleState(x,x,x)
		push	2
		mov	edx, ebx
		mov	ecx, edi
		call	PopPepPromoteActivities
		push	2
		mov	edx, ebx
		mov	ecx, edi
		call	_PopPepCountReadyActivities@12 ; PopPepCountReadyActivities(x,x,x)
		mov	edx, eax
		mov	ecx, esi
		call	_PopPepRequestWork@8 ; PopPepRequestWork(x,x)
		jmp	loc_5713DC
; END OF FUNCTION CHUNK	FOR PopPepComponentSetLatency
; 
; START	OF FUNCTION CHUNK FOR PopFxInsertDevice

loc_5F65ED:				; CODE XREF: PopFxInsertDevice+68j
		test	al, 4
		jnz	loc_571460
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		jmp	loc_571460
; 

loc_5F6604:				; CODE XREF: PopFxInsertDevice+202j
		push	0
		push	[ebp+var_8]
		push	offset _PopFxDeviceListLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F6619:				; CODE XREF: PopFxInsertDevice+144j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]
		jmp	loc_571542
; 

loc_5F662A:				; CODE XREF: PopFxInsertDevice+1EFj
		push	[ebp+var_24]
		mov	edx, offset _PopFxDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_571555
; END OF FUNCTION CHUNK	FOR PopFxInsertDevice
; 
; START	OF FUNCTION CHUNK FOR PopPlRegisterComponent

loc_5F663E:				; CODE XREF: PopPlRegisterComponent+21j
		mov	eax, [esi+30h]
		mov	ecx, [eax+304h]
		test	ecx, ecx
		jz	loc_5716B7
		mov	edx, esi
		call	_PopPlLookupComponentPowerProfile@8 ; PopPlLookupComponentPowerProfile(x,x)
		test	eax, eax
		jz	loc_5716B7
		mov	[esi+16Ch], eax
		jmp	loc_5716B7
; END OF FUNCTION CHUNK	FOR PopPlRegisterComponent
; 
; START	OF FUNCTION CHUNK FOR PopPlRegisterDevice

loc_5F6669:				; CODE XREF: PopPlRegisterDevice+21j
		lea	edx, [esi+70h]
		call	_PopPlLookupDevicePowerProfile@8 ; PopPlLookupDevicePowerProfile(x,x)
		test	eax, eax
		jz	loc_5717B3
		mov	[eax+0Ch], esi
		mov	[esi+304h], eax
		jmp	loc_5717B3
; END OF FUNCTION CHUNK	FOR PopPlRegisterDevice
; 
; START	OF FUNCTION CHUNK FOR PopFxRegisterDeviceWithPep

loc_5F6687:				; CODE XREF: PopFxRegisterDeviceWithPep+1Cj
		mov	edi, [ebp+arg_0]
		lea	ecx, [ebp+var_4]
		push	ecx
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, ebx
		push	edi
		call	_PopPluginRegisterDevice@24 ; PopPluginRegisterDevice(x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_5718E6
; 

loc_5F66A1:				; CODE XREF: PopFxRegisterDeviceWithPep+4Bj
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, ebx
		mov	[ebp+var_8], ebx
		push	edi
		call	_PopPluginRegisterDevice@24 ; PopPluginRegisterDevice(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_5718BD
		mov	ebx, [ebx]
		jmp	loc_5718B1
; 

loc_5F66C8:				; CODE XREF: PopFxRegisterDeviceWithPep+7Cj
		mov	eax, [ebp+var_4]
		push	2
		mov	[edi+24h], ebx
		mov	[edi+28h], eax
		pop	esi
		jmp	loc_5718EE
; END OF FUNCTION CHUNK	FOR PopFxRegisterDeviceWithPep
; 
; START	OF FUNCTION CHUNK FOR PopPepInsertDevice

loc_5F66D9:				; CODE XREF: PopPepInsertDevice+7Fj
		test	al, 4
		jnz	loc_571995
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		jmp	loc_571995
; 

loc_5F66F0:				; CODE XREF: PopPepInsertDevice+241j
		push	0
		push	[ebp+var_8]
		push	offset _PopPepDeviceListLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F6705:				; CODE XREF: PopPepInsertDevice+15Cj
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]
		jmp	loc_571A78
; 

loc_5F6716:				; CODE XREF: PopPepInsertDevice+223j
		push	[ebp+var_24]
		mov	edx, offset _PopPepDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_571A8B
; END OF FUNCTION CHUNK	FOR PopPepInsertDevice
; 
; START	OF FUNCTION CHUNK FOR IoInitializeRemoveLockEx

loc_5F672A:				; CODE XREF: IoInitializeRemoveLockEx+14j
		cmp	[ebp+arg_10], 58h
		jnz	loc_571D5D
		mov	eax, [ebp+arg_C]
		mov	[esi+1Ch], eax
		mov	eax, ds:_KeMaximumIncrement
		mul	[ebp+arg_8]
		push	ebx
		push	23C34600h
		push	edx
		push	eax
		mov	dword ptr [esi+18h], 434F4C52h
		call	__allmul
		mov	[esi+20h], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+24h], edx
		mov	[esi+28h], eax
		mov	[esi+34h], ebx
		mov	[esi+38h], ebx
		mov	[esi+50h], ebx
		jmp	loc_571D4A
; END OF FUNCTION CHUNK	FOR IoInitializeRemoveLockEx
; 
; START	OF FUNCTION CHUNK FOR PopFxFindAcpiDeviceByUniqueId

loc_5F6770:				; CODE XREF: PopFxFindAcpiDeviceByUniqueId+46j
		lea	esi, [ebx-68h]
		cmp	dword ptr [esi+74h], 0
		jz	short loc_5F67C6
		push	0
		push	[ebp+var_8]
		lea	eax, [esi+70h]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jnz	short loc_5F67C6
		mov	bl, [ebp+var_1]
		test	bl, bl
		jz	short loc_5F67CD
		lea	ecx, [esi+98h]
		lock inc dword ptr [ecx]
		cmp	[esi+94h], al
		jz	short loc_5F67CD
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		jnz	short loc_5F67BC
		push	0
		push	0
		lea	eax, [esi+9Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_5F67BC:				; CODE XREF: PopFxFindAcpiDeviceByUniqueId+8477Cj
		mov	edi, 0C0000056h
		jmp	loc_57207D
; 

loc_5F67C6:				; CODE XREF: PopFxFindAcpiDeviceByUniqueId+84749j
					; PopFxFindAcpiDeviceByUniqueId+8475Bj
		mov	ebx, [ebx]
		jmp	loc_57206E
; 

loc_5F67CD:				; CODE XREF: PopFxFindAcpiDeviceByUniqueId+84762j
					; PopFxFindAcpiDeviceByUniqueId+84773j
		xor	edi, edi
		jmp	loc_57207D
; 

loc_5F67D4:				; CODE XREF: PopFxFindAcpiDeviceByUniqueId+75j
		test	bl, bl
		jz	loc_5720A9
		mov	eax, [ebp+var_C]
		mov	[eax], esi
		jmp	loc_5720A9
; END OF FUNCTION CHUNK	FOR PopFxFindAcpiDeviceByUniqueId
; 
; START	OF FUNCTION CHUNK FOR MiStoreEvictThread

loc_5F67E6:				; CODE XREF: MiStoreEvictThread+55j
		mov	ecx, [esp+0C8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; END OF FUNCTION CHUNK	FOR MiStoreEvictThread
; 

loc_5F67FD:				; CODE XREF: .text:00572408j
		xor	edi, edi
		jmp	loc_572417
; 

loc_5F6804:				; CODE XREF: .text:0057241Fj
					; .text:00572433j
		mov	esi, 0C0000001h
		jmp	loc_572506

;  S U B	R O U T	I N E 


sub_5F680E	proc near		; CODE XREF: BapdWriteEtwEvents+26Cj
		push	ebx
		push	edi
		call	EtwUnregister
		and	dword ptr [ebp-58h], 0
		and	dword ptr [ebp-54h], 0
		jmp	loc_565C30
sub_5F680E	endp

; 
; START	OF FUNCTION CHUNK FOR BapdWriteEtwEvents

loc_5F6822:				; CODE XREF: BapdWriteEtwEvents+2C8j
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WNF_BOOT_DIRTY_SHUTDOWN
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		jmp	loc_565AF1
; 

loc_5F6837:				; CODE XREF: BapdWriteEtwEvents+112j
					; BapdWriteEtwEvents+124j
		mov	eax, [esi+44h]
		mov	ds:_ExBootAppFailureStatus, eax
		jmp	loc_565AF1
; 

loc_5F6844:				; CODE XREF: BapdWriteEtwEvents+1BCj
		push	offset ??_C@_1CK@CHAEGJLO@?$AAB?$AAo?$AAo?$AAt?$AAm?$AAg?$AAr?$AAU?$AAs?$AAe?$AAr?$AAI?$AAn?$AAp?$AAu@FNODOBFM@	; "BootmgrUserInputTime"
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_50]
		push	eax
		lea	ecx, [ebp+var_78]
		call	_BapdpWriteEventDataToRegistry@12 ; BapdpWriteEventDataToRegistry(x,x,x)
		push	offset ??_C@_1BC@PIAIECI@?$AAP?$AAO?$AAS?$AAT?$AAT?$AAi?$AAm?$AAe@FNODOBFM@
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_50]
		push	eax
		lea	ecx, [ebp+var_78]
		call	_BapdpWriteEventDataToRegistry@12 ; BapdpWriteEventDataToRegistry(x,x,x)
		jmp	loc_565B80
; END OF FUNCTION CHUNK	FOR BapdWriteEtwEvents
; 
; START	OF FUNCTION CHUNK FOR SeConvertStringSidToSid

loc_5F687D:				; CODE XREF: SeConvertStringSidToSid+35j
		mov	ecx, esi
		xor	edi, edi
		lea	edx, [ecx+2]

loc_5F6884:				; CODE XREF: SeConvertStringSidToSid+842F1j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_5F6884
		mov	eax, [ebp+var_8]
		sub	ecx, edx
		sub	eax, esi
		sar	ecx, 1
		sar	eax, 1
		cmp	eax, ecx
		jz	loc_5725FE
		mov	ecx, [ebx]
		mov	edi, 0C0000078h
		call	_SddlpFree@4	; SddlpFree(x)
		xor	eax, eax
		mov	[ebx], eax
		jmp	loc_5725FE
; 

loc_5F68B7:				; CODE XREF: SeConvertStringSidToSid+55j
		mov	edx, [ecx+10h]
		test	edx, edx
		jz	loc_5725F7
		lea	edi, [esi+2]

loc_5F68C5:				; CODE XREF: SeConvertStringSidToSid+84333j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, word ptr [ebp+var_C]
		jnz	short loc_5F68C5
		sub	esi, edi
		sar	esi, 1
		cmp	esi, [ecx+0Ch]
		jz	short loc_5F68F6
		mov	edi, 0C0000078h

loc_5F68DF:				; CODE XREF: SeConvertStringSidToSid+8437Aj
					; SeConvertStringSidToSid+8438Dj ...
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	loc_5725FE
		mov	ecx, eax
		call	_SddlpFree@4	; SddlpFree(x)
		jmp	loc_5725FE
; 

loc_5F68F6:				; CODE XREF: SeConvertStringSidToSid+8433Cj
		movzx	eax, byte ptr [edx+1]
		push	ecx
		lea	esi, ds:8[eax*4]
		mov	ecx, esi
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, eax
		mov	[ebx], ecx
		test	ecx, ecx
		jnz	short loc_5F6918
		mov	edi, 0C0000017h
		jmp	short loc_5F68DF
; 

loc_5F6918:				; CODE XREF: SeConvertStringSidToSid+84373j
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+10h] ; void *
		push	ecx		; void *
		push	esi		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_5F68DF
		mov	ecx, [ebx]
		call	_SddlpFree@4	; SddlpFree(x)
		xor	eax, eax
		mov	[ebx], eax
		jmp	short loc_5F68DF
; 

loc_5F6938:				; CODE XREF: SeConvertStringSidToSid+6Ej
					; SeConvertStringSidToSid+843A6j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, word ptr [ebp+var_C]
		jnz	short loc_5F6938
		sub	esi, edx
		sar	esi, 1
		cmp	esi, 2
		jnz	short loc_5F68DF
		xor	eax, eax
		mov	[ebx], ecx
		mov	edi, eax
		jmp	loc_5725FE
; END OF FUNCTION CHUNK	FOR SeConvertStringSidToSid
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare

loc_5F6958:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare+68j
					; SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare+842D9j
		test	ecx, ecx
		jnz	short loc_5F6964
		lea	eax, [ebp+var_8]
		lea	edx, [ebp+0]
		jmp	short loc_5F696A
; 

loc_5F6964:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare+842B8j
		lea	eax, [ebp+var_10]
		lea	edx, [ebp+var_8]

loc_5F696A:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare+842C0j
					; SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare+842D3j
		and	dword ptr [eax], 0F00FFFFFh
		add	eax, 4
		cmp	eax, edx
		jb	short loc_5F696A
		inc	ecx
		cmp	ecx, 2
		jb	short loc_5F6958
		jmp	loc_5726DB
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmStorePrepare
; 
; START	OF FUNCTION CHUNK FOR SmFpPreAllocate

loc_5F6982:				; CODE XREF: SmFpPreAllocate+85j
					; SmFpPreAllocate+CCj ...
		lea	ecx, [ebp+var_50]
		call	SmFpCleanup
		mov	esi, 0C000009Ah
		test	edi, edi
		jz	loc_572847
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_572847
; END OF FUNCTION CHUNK	FOR SmFpPreAllocate
; 
; START	OF FUNCTION CHUNK FOR MmMapLockedPagesWithReservedMapping

loc_5F69A4:				; CODE XREF: MmMapLockedPagesWithReservedMapping+88j
		push	eax
		push	[ebp+arg_4]
		push	edi
		push	104h
		jmp	short loc_5F69BB
; 

loc_5F69B0:				; CODE XREF: MmMapLockedPagesWithReservedMapping+4Aj
					; MmMapLockedPagesWithReservedMapping+69j
		push	1
		push	[ebp+arg_4]
		push	edi
		push	106h

loc_5F69BB:				; CODE XREF: MmMapLockedPagesWithReservedMapping+8410Cj
					; MmMapLockedPagesWithReservedMapping+8414Bj
		push	0DAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F69C5:				; CODE XREF: MmMapLockedPagesWithReservedMapping+92j
		test	edi, 0FFFh
		jnz	loc_5729D8
		mov	ecx, [esi+10h]
		mov	eax, edi
		sub	eax, [esi+0Ch]
		mov	esi, ebx
		shr	eax, 0Ch
		sub	ecx, eax
		jmp	loc_572942
; 

loc_5F69E5:				; CODE XREF: MmMapLockedPagesWithReservedMapping+C9j
		push	esi
		push	edx
		push	edi
		push	107h
		jmp	short loc_5F69BB
; END OF FUNCTION CHUNK	FOR MmMapLockedPagesWithReservedMapping
; 
; START	OF FUNCTION CHUNK FOR MiRemoveMappingNode

loc_5F69EF:				; CODE XREF: MiRemoveMappingNode+30j
					; MiRemoveMappingNode+50j
		push	0
		push	[ebp+var_8]
		push	ebx
		push	106h
		push	0DAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5F6A05:				; CODE XREF: MiMapMdlCommon+8Ej
		cmp	ds:dword_6D3034, eax
		jnz	loc_572B5A
		push	5
		pop	edx
		mov	ecx, edi
		call	_MiShowBadMapper@8 ; MiShowBadMapper(x,x)
		jmp	loc_572B5A
; END OF FUNCTION CHUNK	FOR MiRemoveMappingNode
; 
; START	OF FUNCTION CHUNK FOR MiMapMdlCommon

loc_5F6A20:				; CODE XREF: MiMapMdlCommon+9Bj
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_MiAssignInitialPageAttribute@8	; MiAssignInitialPageAttribute(x,x)
		jmp	loc_572B67
; 

loc_5F6A2F:				; CODE XREF: MiMapMdlCommon+5Cj
					; MiMapMdlCommon+79j
		cmp	[ebp+arg_8], 0
		jnz	short loc_5F6A39
		push	0Ch
		jmp	short loc_5F6A45
; 

loc_5F6A39:				; CODE XREF: MiMapMdlCommon+83F6Dj
		cmp	[ebp+arg_8], 2
		jnz	loc_572B73
		push	1Ch

loc_5F6A45:				; CODE XREF: MiMapMdlCommon+83F71j
		pop	esi
		jmp	loc_572B73
; 

loc_5F6A4B:				; CODE XREF: MiMapMdlCommon+D2j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_5F6A7E
		xor	eax, eax
		lea	ecx, [eax+1]
		cmp	byte ptr ds:word_6D07B8+1, al
		jnz	loc_572BA2

loc_5F6A65:				; CODE XREF: MiMapMdlCommon+83FD2j
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_572BA2
		or	edx, 80000000h
		jmp	loc_572BA2
; 

loc_5F6A7E:				; CODE XREF: MiMapMdlCommon+83F8Cj
		mov	eax, large fs:124h
		mov	ecx, [esp+28h+var_1C]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_5F6A65
		jmp	loc_572BA2
; 

loc_5F6A9F:				; CODE XREF: MiMapMdlCommon+E4j
		push	edx
		push	esi
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_572BB0
; END OF FUNCTION CHUNK	FOR MiMapMdlCommon
; 
; START	OF FUNCTION CHUNK FOR AdtpPackageParameters

loc_5F6AAD:				; CODE XREF: AdtpPackageParameters+2Aj
					; AdtpPackageParameters+53j ...
		mov	esi, 0C000000Dh	; default
		jmp	loc_572DB4
; 

loc_5F6AB7:				; CODE XREF: AdtpPackageParameters+22j
		test	edx, edx
		jz	short loc_5F6AAD ; default
		mov	ecx, [edx+0Ch]
		lea	edi, [edx+1Ch]
		mov	[esp+40h+var_10], ecx
		jmp	loc_572CF4
; 

loc_5F6ACA:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		movzx	ecx, bx		; case 0x0
		shl	ecx, 4
		add	ecx, [ebp+arg_C]
		call	_AdtpEtwBuildDashString@4 ; AdtpEtwBuildDashString(x)
		jmp	loc_572DA0
; 

loc_5F6ADD:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	eax, [ebp+arg_14] ; case 0x3
		xor	edx, edx
		movzx	ecx, bx
		add	eax, ecx
		shl	ecx, 4
		add	ecx, [ebp+arg_C]
		push	eax
		lea	eax, [esp+44h+var_20]
		push	eax
		push	[ebp+arg_4]
		push	ecx
		mov	ecx, [esi+edi+8]
		call	_AdtpBuildUlongString@24 ; AdtpBuildUlongString(x,x,x,x,x,x)
		jmp	loc_572D90
; 

loc_5F6B05:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		movzx	ecx, bx		; case 0xC
		lea	eax, [edi+8]
		shl	ecx, 4
		add	eax, esi
		add	ecx, [ebp+arg_C]
		mov	[ecx], eax
		and	dword ptr [ecx+4], 0
		mov	dword ptr [ecx+8], 8
		jmp	loc_572D54
; 

loc_5F6B25:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	eax, [esi+edi+0Ch] ; case 0x7
		cmp	eax, [esp+40h+var_24]
		jnb	loc_5F6AAD	; default
		imul	edx, eax, 14h
		cmp	dword ptr [edx+edi], 1
		jnz	loc_5F6AAD	; default
		mov	eax, [ebp+arg_14]
		mov	esi, [esi+edi+8]
		mov	edx, [edx+edi+10h]
		movzx	ecx, bx
		add	eax, ecx
		shl	ecx, 4
		add	ecx, [ebp+arg_C]
		push	eax
		lea	eax, [esp+44h+var_20]
		push	eax
		push	[ebp+arg_4]
		push	ecx
		mov	ecx, [edi+24h]
		push	0
		push	0
		push	esi
		call	_AdtpBuildAccessesString@36 ; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)
		jmp	loc_572D90
; 

loc_5F6B72:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	eax, [esi+edi+0Ch] ; case 0x9
		cmp	eax, [esp+40h+var_24]
		jnb	loc_5F6AAD	; default
		imul	eax, 14h
		mov	[esp+40h+var_C], eax
		cmp	dword ptr [eax+edi], 1
		jnz	loc_5F6AAD	; default
		mov	eax, [esp+40h+var_2E+2]
		xor	edx, edx
		mov	ecx, [ebp+arg_8]
		movzx	eax, ax
		movzx	edi, bx
		mov	[esp+40h+var_14], 18h
		lea	esi, [ecx+eax*8]
		mov	eax, [ebp+arg_14]
		mov	ecx, [esp+40h+var_1C]
		add	eax, edi
		push	eax		; int
		mov	eax, [esp+44h+var_18]
		push	esi		; int
		mov	eax, [eax+ecx+4]
		div	[esp+48h+var_14]
		mov	edx, [esp+48h+var_C]
		push	eax		; size_t
		mov	eax, [esp+4Ch+var_18]
		mov	edx, [edx+ecx+10h]
		push	dword ptr [eax+ecx+10h]	; void *
		mov	ecx, [ecx+24h]
		call	_AdtpBuildObjectTypeStrings@24 ; AdtpBuildObjectTypeStrings(x,x,x,x,x,x)
		movzx	ecx, word ptr [esi]
		mov	eax, [esi+4]
		add	ecx, 2
		shl	edi, 4
		add	edi, [ebp+arg_C]
		and	dword ptr [edi+4], 0
		and	dword ptr [edi+0Ch], 0
		mov	[edi], eax
		mov	[edi+8], ecx
		mov	edi, [esp+40h+var_1C]
		jmp	short loc_5F6C53
; 

loc_5F6BFD:				; CODE XREF: AdtpPackageParameters+84185j
		movzx	ecx, word ptr [esi]
		mov	eax, esi
		mov	edx, [esp+40h+var_C]
		add	ecx, 2
		mov	esi, [ebp+arg_8]
		shl	edx, 4
		add	edx, [ebp+arg_C]
		mov	eax, [eax+4]
		and	dword ptr [edx+4], 0
		and	dword ptr [edx+0Ch], 0
		inc	ebx
		mov	[edx], eax
		mov	eax, [esp+40h+var_2E+2]
		mov	[edx+8], ecx
		inc	eax
		mov	ecx, [ebp+arg_8]
		mov	[esp+40h+var_2E+2], eax
		movzx	eax, ax
		movzx	edx, word ptr [ecx+eax*8]
		mov	eax, [esi+eax*8+4]
		add	edx, 2
		movzx	ecx, bx
		shl	ecx, 4
		add	ecx, [ebp+arg_C]
		and	dword ptr [ecx+4], 0
		and	dword ptr [ecx+0Ch], 0
		mov	[ecx], eax
		mov	[ecx+8], edx

loc_5F6C53:				; CODE XREF: AdtpPackageParameters+83F43j
		mov	eax, [esp+40h+var_2E+2]
		mov	edx, [esp+40h+var_24]
		inc	eax
		mov	[esp+40h+var_2E+2], eax
		jmp	loc_572DA0
; 

loc_5F6C65:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	ecx, [esi+edi+10h] ; case 0xD
		test	ecx, ecx
		jnz	short loc_5F6C72
		mov	ecx, offset _AdtpNullGuid

loc_5F6C72:				; CODE XREF: AdtpPackageParameters+83FB3j
		movzx	eax, bx
		shl	eax, 4
		add	eax, [ebp+arg_C]
		and	dword ptr [eax+4], 0
		mov	[eax], ecx
		mov	dword ptr [eax+8], 10h
		jmp	loc_572F9B
; 

loc_5F6C8D:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	eax, [ebp+arg_14] ; case 0x10
		mov	ecx, [esi+edi+10h]
		movzx	edx, bx
		add	eax, edx
		shl	edx, 4
		add	edx, [ebp+arg_C]
		push	eax
		lea	eax, [esp+44h+var_20]
		push	eax
		push	[ebp+arg_4]
		push	edx
		call	_AdtpBuildStringListString@24 ;	AdtpBuildStringListString(x,x,x,x,x,x)
		jmp	loc_572D90
; 

loc_5F6CB3:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	eax, [ebp+arg_14] ; case 0x11
		mov	ecx, [esi+edi+10h]
		movzx	edx, bx
		add	eax, edx
		shl	edx, 4
		add	edx, [ebp+arg_C]
		push	eax
		lea	eax, [esp+44h+var_20]
		push	eax
		push	[ebp+arg_4]
		push	edx
		call	_AdtpBuildSidListString@24 ; AdtpBuildSidListString(x,x,x,x,x,x)
		jmp	loc_572D90
; 

loc_5F6CD9:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	eax, [esp+40h+var_2E+2]	; case 0x13
		mov	ecx, [ebp+arg_8]
		movzx	eax, ax
		movzx	edx, bx
		add	edx, [ebp+arg_14]
		lea	ecx, [ecx+eax*8]
		lea	eax, [edx+2]
		push	eax
		lea	eax, [ecx+10h]
		push	eax
		lea	eax, [edx+1]
		push	eax
		lea	eax, [ecx+8]
		push	eax
		push	edx
		mov	edx, [esi+edi+0Ch]
		push	ecx
		mov	ecx, [esi+edi+8]
		call	_AdtpBuildUserAccountControlString@32 ;	AdtpBuildUserAccountControlString(x,x,x,x,x,x,x,x)
		mov	[esp+40h+var_28], eax
		test	eax, eax
		js	loc_572DB0
		mov	esi, [ebp+arg_C]
		mov	eax, [esp+40h+var_2E+2]
		push	3
		pop	edi

loc_5F6D21:				; CODE XREF: AdtpPackageParameters+840A2j
		mov	ecx, [ebp+arg_8]
		movzx	eax, ax
		movzx	edx, word ptr [ecx+eax*8]
		movzx	ecx, bx
		add	edx, 2
		shl	ecx, 4
		add	ecx, esi
		mov	esi, [ebp+arg_8]
		mov	eax, [esi+eax*8+4]
		and	dword ptr [ecx+4], 0
		and	dword ptr [ecx+0Ch], 0
		mov	esi, [ebp+arg_C]
		mov	[ecx], eax
		mov	eax, [esp+40h+var_2E+2]
		inc	eax
		mov	[ecx+8], edx
		inc	ebx
		mov	[esp+40h+var_2E+2], eax
		sub	edi, 1
		jnz	short loc_5F6D21
		mov	edi, [esp+40h+var_1C]
		jmp	short loc_5F6D8C
; 

loc_5F6D62:				; CODE XREF: AdtpPackageParameters+84147j
		mov	eax, [esp+40h+var_C]
		shl	esi, 4
		add	esi, [ebp+arg_C]
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		add	ecx, 2
		and	dword ptr [esi+4], 0
		and	dword ptr [esi+0Ch], 0
		inc	ebx
		mov	[esi], eax
		mov	eax, [esp+40h+var_2E+2]
		inc	eax
		mov	[esi+8], ecx
		mov	[esp+40h+var_2E+2], eax

loc_5F6D8C:				; CODE XREF: AdtpPackageParameters+840A8j
		mov	edx, [esp+40h+var_24]
		jmp	loc_572DA1
; 

loc_5F6D95:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	esi, [ebp+arg_C] ; case	0x14
		push	3
		pop	eax

loc_5F6D9B:				; CODE XREF: AdtpPackageParameters+840F4j
		movzx	ecx, bx
		shl	ecx, 4
		add	ecx, esi
		call	_AdtpEtwBuildDashString@4 ; AdtpEtwBuildDashString(x)
		inc	ebx
		sub	eax, 1
		jnz	short loc_5F6D9B
		jmp	short loc_5F6DB3
; 

loc_5F6DB0:				; CODE XREF: AdtpPackageParameters+84262j
		add	ebx, 2

loc_5F6DB3:				; CODE XREF: AdtpPackageParameters+840F6j
		mov	eax, [esp+40h+var_2E+2]
		jmp	loc_572DA1
; 

loc_5F6DBC:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		movzx	eax, bx		; case 0x12
		lea	ecx, [esp+40h+var_8]
		shl	eax, 4
		add	eax, [ebp+arg_C]
		mov	[eax], ecx
		jmp	loc_572F90
; 

loc_5F6DD0:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	edx, [ebp+arg_8] ; case	0x1C
		mov	ecx, [esi+edi+10h]
		movzx	eax, ax
		push	0
		movzx	esi, bx
		push	0
		lea	edx, [edx+eax*8]
		mov	eax, [ebp+arg_14]
		add	eax, esi
		mov	[esp+48h+var_C], edx
		push	eax
		call	_AdtpBuildSockAddrString@20 ; AdtpBuildSockAddrString(x,x,x,x,x)
		mov	[esp+40h+var_28], eax
		test	eax, eax
		js	loc_572DB0
		jmp	loc_5F6D62
; 

loc_5F6E04:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	edx, [ebp+arg_14] ; case 0x17
		mov	ecx, [esi+edi+10h]
		mov	esi, [ebp+arg_8]
		movzx	eax, bx
		add	edx, eax
		mov	[esp+40h+var_C], eax
		mov	eax, [esp+40h+var_2E+2]
		movzx	eax, ax
		lea	esi, [esi+eax*8]
		lea	eax, [edx+1]
		push	eax
		lea	eax, [esi+8]
		push	eax
		push	edx
		mov	edx, esi
		call	_AdtpBuildSockAddrString@20 ; AdtpBuildSockAddrString(x,x,x,x,x)
		mov	[esp+40h+var_28], eax
		test	eax, eax
		js	loc_572DB0
		jmp	loc_5F6BFD
; 

loc_5F6E42:				; CODE XREF: AdtpPackageParameters+389j
		cmp	[esp+40h+var_14], 21h
		jnz	short loc_5F6E56
		mov	esi, [esi+edi+10h]
		movzx	eax, byte ptr [esi+1]
		jmp	loc_572E7D
; 

loc_5F6E56:				; CODE XREF: AdtpPackageParameters+8418Fj
		test	dl, dl
		jz	loc_572EA7
		test	ecx, ecx
		jz	loc_572EA7
		call	ExFreeHeapPool
		jmp	loc_572EA7
; 

loc_5F6E70:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	eax, [esi+edi+10h] ; case 0x8
		mov	[esp+40h+var_8], eax
		test	eax, eax
		jz	loc_5F6AAD	; default
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_5F6E8E
		imul	ecx, eax, 0Ch
		add	ecx, 8
		jmp	short loc_5F6E91
; 

loc_5F6E8E:				; CODE XREF: AdtpPackageParameters+841CCj
		push	8
		pop	ecx

loc_5F6E91:				; CODE XREF: AdtpPackageParameters+841D4j
		cmp	[esi+edi+4], ecx
		jb	loc_5F6AAD	; default
		test	eax, eax
		jz	short loc_5F6EA8
		cmp	eax, 42h
		ja	loc_5F6AAD	; default

loc_5F6EA8:				; CODE XREF: AdtpPackageParameters+841E5j
		mov	eax, [ebp+arg_14]
		mov	ecx, [esp+40h+var_8]
		movzx	edx, bx
		add	eax, edx
		shl	edx, 4
		add	edx, [ebp+arg_C]
		push	eax
		lea	eax, [esp+44h+var_20]
		push	eax
		push	[ebp+arg_4]
		push	edx
		xor	edx, edx
		call	_AdtpBuildPrivilegeAuditString@24 ; AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)
		jmp	loc_572D90
; 

loc_5F6ED0:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	ecx, [esi+edi+8] ; case	0x18
		mov	esi, [ebp+arg_14]
		mov	edx, [ebp+arg_C]
		movzx	eax, bx
		add	esi, eax
		shl	eax, 4
		add	edx, eax
		lea	eax, [esp+40h+var_20]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [esi+1]
		push	eax
		lea	eax, [edx+10h]
		push	eax
		mov	eax, [esp+50h+var_18]
		push	ecx
		push	esi
		push	edx
		mov	edx, [eax+edi+10h]
		push	ecx
		push	dword ptr [eax+edi+24h]
		call	_AdtpBuildSecurityDescriptorChangeString@44 ; AdtpBuildSecurityDescriptorChangeString(x,x,x,x,x,x,x,x,x,x,x)
		mov	edx, [esp+40h+var_24]
		inc	edx
		mov	[esp+40h+var_28], eax
		test	eax, eax
		js	loc_572DB0
		jmp	loc_5F6DB0
; 

loc_5F6F1F:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		cmp	dword ptr [esi+edi+8], 20h ; case 0x1F
		jnz	loc_5F6AAD	; default
		cmp	dword ptr [esi+edi+0Ch], 0
		jnz	loc_5F6AAD	; default
		mov	eax, [ebp+arg_14]
		mov	edx, [esi+edi+10h]
		movzx	ecx, bx
		add	eax, ecx
		shl	ecx, 4
		add	ecx, [ebp+arg_C]
		push	eax
		lea	eax, [esp+44h+var_20]
		push	eax
		push	[ebp+arg_4]
		push	ecx
		push	0
		push	20h
		pop	ecx
		call	_AdtpBuildSecurityDescriptorUnicodeString@28 ; AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)
		jmp	loc_572D90
; 

loc_5F6F60:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		cmp	dword ptr [esi+edi+8], 0 ; case	0x1E
		jnz	loc_5F6AAD	; default
		cmp	dword ptr [esi+edi+0Ch], 0
		jnz	loc_5F6AAD	; default

loc_5F6F76:				; CODE XREF: AdtpPackageParameters+7Aj
					; DATA XREF: .text:off_57305Co
		mov	esi, [esi+edi+10h] ; case 0x1D
		mov	eax, [esi+84h]
		cmp	eax, [esp+40h+var_24]
		jnb	loc_5F6AAD	; default
		imul	edx, eax, 14h
		cmp	dword ptr [edx+edi], 1
		jnz	loc_5F6AAD	; default
		mov	eax, [ebp+arg_14]
		mov	edx, [edx+edi+10h]
		movzx	ecx, bx
		add	eax, ecx
		shl	ecx, 4
		add	ecx, [ebp+arg_C]
		cmp	[esp+40h+var_14], 1Eh
		push	eax
		lea	eax, [esp+44h+var_20]
		push	eax
		push	[ebp+arg_4]
		setz	al
		push	ecx
		push	ecx
		mov	ecx, [edi+24h]
		movzx	eax, al
		push	eax
		push	esi
		call	_AdtpBuildAccessReasonAuditString@36 ; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)
		jmp	loc_572D90
; 

loc_5F6FCE:				; CODE XREF: AdtpPackageParameters+307j
					; AdtpPackageParameters+315j
		mov	esi, 0C0000078h
		jmp	loc_572DB4
; END OF FUNCTION CHUNK	FOR AdtpPackageParameters
; 
; START	OF FUNCTION CHUNK FOR AdtpBuildMultiSzStringListString

loc_5F6FD8:				; CODE XREF: AdtpBuildMultiSzStringListString+41j
					; AdtpBuildMultiSzStringListString+83F09j
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		xor	eax, eax
		cmp	[edi], ax
		setz	dl
		dec	edx
		and	edx, 0FFFFFFFDh
		add	edx, 4
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_57316E
		mov	eax, [ebp+var_10]
		add	edi, 2
		mov	ecx, [ebp+var_4]
		inc	eax
		mov	[ebp+var_10], eax
		cmp	eax, ebx
		jb	short loc_5F6FD8
		jmp	loc_573147
; 

loc_5F7010:				; CODE XREF: AdtpBuildMultiSzStringListString+4Cj
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_57316E
		mov	ecx, [ebp+var_4]
		xor	ebx, ebx
		inc	ebx
		jmp	loc_573155
; 

loc_5F702F:				; CODE XREF: AdtpBuildMultiSzStringListString+68j
		cmp	[ebp+var_C], 0FFFFh
		jbe	loc_573175
		mov	eax, 0C000000Dh
		jmp	loc_57316E
; 

loc_5F7046:				; CODE XREF: AdtpBuildMultiSzStringListString+AEj
		mov	eax, dword ptr ds:??_C@_13IMODFHAA@?$AA?9@FNODOBFM@+4
		push	4
		mov	[edi], eax
		mov	eax, dword ptr ds:loc_5A73EB+1
		pop	ecx
		mov	[edi+4], eax
		mov	[ebp+var_8], ecx
		jmp	loc_5731B7
; 

loc_5F7060:				; CODE XREF: AdtpBuildMultiSzStringListString+BEj
					; AdtpBuildMultiSzStringListString+83FA5j
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+4]
		movzx	eax, word ptr [eax+ebx*2]
		test	ax, ax
		jnz	short loc_5F7099
		mov	eax, dword ptr ds:??_C@_13IMODFHAA@?$AA?9@FNODOBFM@+4
		mov	[edi+ecx*2], eax
		mov	eax, dword ptr ds:loc_5A73EB+1
		mov	[edi+ecx*2+4], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_57316E
		mov	ecx, [ebp+var_8]
		jmp	short loc_5F70A1
; 

loc_5F7099:				; CODE XREF: AdtpBuildMultiSzStringListString+83F6Dj
		mov	[edi+ecx*2], ax
		inc	ecx
		mov	[ebp+var_8], ecx

loc_5F70A1:				; CODE XREF: AdtpBuildMultiSzStringListString+83F97j
		inc	ebx
		cmp	ebx, [ebp+var_14]
		jb	short loc_5F7060
		jmp	loc_5731C4
; 

loc_5F70AC:				; CODE XREF: AdtpBuildMultiSzStringListString+1Fj
					; AdtpBuildMultiSzStringListString+2Aj
		test	esi, esi
		jz	loc_5731DC
		mov	ecx, esi
		call	_AdtpEtwBuildDashString@4 ; AdtpEtwBuildDashString(x)
		jmp	loc_5731DC
; END OF FUNCTION CHUNK	FOR AdtpBuildMultiSzStringListString
; 
; START	OF FUNCTION CHUNK FOR PpDevNodeInsertIntoTree

loc_5F70C0:				; CODE XREF: PpDevNodeInsertIntoTree+52j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_573245
; END OF FUNCTION CHUNK	FOR PpDevNodeInsertIntoTree
; 
; START	OF FUNCTION CHUNK FOR RtlpFindRegTziForCurrentYear

loc_5F70CD:				; CODE XREF: RtlpFindRegTziForCurrentYear+F6j
					; RtlpFindRegTziForCurrentYear+FFj
		mov	esi, 0C000003Eh
		jmp	loc_57335B
; END OF FUNCTION CHUNK	FOR RtlpFindRegTziForCurrentYear
; 
; START	OF FUNCTION CHUNK FOR PpmInstallFeedbackCounters

loc_5F70D7:				; CODE XREF: PpmInstallFeedbackCounters+91j
		mov	byte ptr [edi+81h], 1
		mov	eax, [edx+esi*4]
		jmp	loc_5734B3
; 

loc_5F70E6:				; CODE XREF: PpmInstallFeedbackCounters+F1j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_573518
; END OF FUNCTION CHUNK	FOR PpmInstallFeedbackCounters
; 
; START	OF FUNCTION CHUNK FOR PpmPerfFeedbackCounterRead

loc_5F70F5:				; CODE XREF: PpmPerfFeedbackCounterRead+47j
					; PpmPerfFeedbackCounterRead+4Fj
		mov	edi, [ebp+var_28]
		sub	ecx, ebx
		mov	ebx, [esi+8]
		sbb	eax, edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], eax
		sub	edi, ebx
		mov	eax, [esi+0Ch]
		mov	esi, [ebp+var_24]
		sbb	esi, eax
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_8]
		push	esi
		push	edi
		mov	[ebp+var_18], ebx
		movzx	eax, byte ptr [eax+23h]
		cdq
		push	edx
		push	eax
		call	__allmul
		push	[ebp+var_C]
		push	[ebp+var_4]
		push	edx
		push	eax
		call	__aulldiv
		mov	edx, [ebp+var_10]
		mov	ecx, eax
		add	[ebp+var_4], edx
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_C]
		adc	edx, [ebp+var_14]
		add	edi, [ebp+var_18]
		mov	ebx, [ebp+var_4]
		adc	esi, [ebp+var_1C]
		mov	[eax+18h], ecx
		mov	[eax+10h], ebx
		mov	[eax+14h], edx
		mov	[eax+8], edi
		mov	[eax+0Ch], esi
		jmp	loc_5735A2
; END OF FUNCTION CHUNK	FOR PpmPerfFeedbackCounterRead
; 
; START	OF FUNCTION CHUNK FOR PpmParkRegisterParking

loc_5F7161:				; CODE XREF: PpmParkRegisterParking+A5j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_57366C
; 

loc_5F716E:				; CODE XREF: PpmParkRegisterParking+C6j
		and	[esp+70h+var_C], 0
		lea	ecx, [esp+70h+var_10]
		xor	eax, eax
		mov	edx, offset _PpmIdleRemoveConcurrency@12 ; PpmIdleRemoveConcurrency(x,x,x)
		inc	eax
		push	0
		mov	word ptr [esp+74h+var_10], ax
		mov	word ptr [esp+74h+var_10+2], ax
		mov	eax, [esi-62h]
		push	0
		mov	[esp+78h+var_8], eax
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		jmp	loc_57368A
; 

loc_5F719E:				; CODE XREF: PpmParkRegisterParking+1EDj
		mov	ds:_PpmParkCoreMask, 0
		jmp	loc_573743
; 

loc_5F71AA:				; CODE XREF: PpmParkRegisterParking+24Cj
		xor	eax, eax
		jmp	loc_573815
; 

loc_5F71B1:				; CODE XREF: PpmParkRegisterParking+2FCj
		mov	[ecx], al
		mov	eax, [esi+10h]
		and	dword ptr [esi+10h], 0
		mov	[esi+0Ch], eax
		xor	al, al
		mov	byte ptr [edx+59h], 0
		jmp	loc_5738C0
; 

loc_5F71C8:				; CODE XREF: PpmParkRegisterParking+379j
		lea	ecx, [esi+70h]
		xor	edi, edi
		mov	[esp+70h+var_54], ecx

loc_5F71D1:				; CODE XREF: PpmParkRegisterParking+83C8Aj
		mov	al, [esi+edi+58h]
		test	al, al
		jz	short loc_5F723D
		mov	edx, [esp+70h+var_4C]
		and	[esp+70h+var_8], 0
		add	edx, 3
		and	[esp+70h+var_C], 0
		movzx	eax, al
		imul	eax, 3
		add	edx, eax
		xor	eax, eax
		inc	eax
		mov	[esp+70h+var_4C], edx
		mov	word ptr [esp+70h+var_10], ax
		mov	word ptr [esp+70h+var_10+2], ax
		mov	eax, [ecx-64h]
		mov	[esp+70h+var_8], eax
		mov	eax, [esp+70h+var_50]
		cmp	[esp+70h+var_58], eax
		jnb	short loc_5F7223
		mov	eax, [esp+70h+var_64]
		mov	edx, [esp+70h+var_48]
		add	eax, edi
		lea	eax, [edx+eax*4]
		jmp	short loc_5F7225
; 

loc_5F7223:				; CODE XREF: PpmParkRegisterParking+83C54j
		xor	eax, eax

loc_5F7225:				; CODE XREF: PpmParkRegisterParking+83C63j
		mov	edx, ecx
		lea	ecx, [esp+70h+var_10]
		push	eax
		call	_PpmIdleInitializeConcurrency@12 ; PpmIdleInitializeConcurrency(x,x,x)
		test	eax, eax
		js	loc_5F7310
		mov	ecx, [esp+70h+var_54]

loc_5F723D:				; CODE XREF: PpmParkRegisterParking+83C19j
		inc	edi
		add	ecx, 4
		mov	[esp+70h+var_54], ecx
		cmp	edi, 2
		jb	short loc_5F71D1
		jmp	loc_57393D
; 

loc_5F724F:				; CODE XREF: PpmParkRegisterParking+3ACj
		mov	[esi+69h], cl
		jmp	loc_573970
; 

loc_5F7257:				; CODE XREF: PpmParkRegisterParking+493j
		lea	eax, [esi+20h]
		mov	[esp+70h+var_64], eax
		lea	ebx, [esi+48h]
		mov	esi, [esp+70h+var_64]
		push	2
		pop	eax
		mov	[esp+70h+var_54], eax

loc_5F726C:				; CODE XREF: PpmParkRegisterParking+83D30j
		mov	dl, [ecx]
		mov	[esp+70h+var_64], edi
		test	dl, dl
		jz	short loc_5F72DC
		movzx	eax, dl
		inc	eax
		mov	[ebx-20h], edi
		mov	[ebx], eax
		shl	eax, 3
		add	edi, eax
		mov	[ebx-1Ch], edi
		add	edi, eax
		push	eax		; size_t
		mov	[ebx-18h], edi
		add	edi, eax
		mov	eax, [esi]
		add	eax, 20h
		push	eax		; void *
		push	[esp+78h+var_64] ; void	*
		call	_memcpy
		mov	eax, [ebx]
		add	esp, 0Ch
		shl	eax, 3
		push	eax		; size_t
		mov	eax, [esi]
		add	eax, 20h
		push	eax		; void *
		push	dword ptr [ebx-1Ch] ; void *
		call	_memcpy
		mov	ecx, [esi]
		add	esp, 0Ch
		mov	eax, [ecx+18h]
		mov	[ebx-10h], eax
		mov	eax, [ecx+1Ch]
		mov	[ebx-0Ch], eax
		mov	ecx, [esi]
		mov	eax, [ecx+18h]
		mov	[ebx-8], eax
		mov	eax, [ecx+1Ch]
		mov	ecx, [esp+70h+var_3C]
		mov	[ebx-4], eax
		mov	eax, [esp+70h+var_54]

loc_5F72DC:				; CODE XREF: PpmParkRegisterParking+83CB6j
		add	ebx, 28h
		add	esi, 4
		inc	ecx
		sub	eax, 1
		mov	[esp+70h+var_3C], ecx
		mov	[esp+70h+var_54], eax
		jnz	loc_5F726C
		mov	esi, [esp+70h+var_40]
		mov	ebx, [esp+70h+var_44]
		jmp	loc_573A57
; 

loc_5F7301:				; CODE XREF: PpmParkRegisterParking+4E8j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_573AB1
; 

loc_5F7310:				; CODE XREF: PpmParkRegisterParking+36Dj
					; PpmParkRegisterParking+3F6j ...
		mov	edi, [esp+70h+var_5C]
		mov	eax, [esp+70h+var_60]
		jmp	loc_573AC5
; 

loc_5F731D:				; CODE XREF: PpmParkRegisterParking+509j
		test	edi, edi
		jz	short loc_5F7365
		lea	esi, [eax+28h]

loc_5F7324:				; CODE XREF: PpmParkRegisterParking+83DA1j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_5F7335
		push	704D5050h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5F7335:				; CODE XREF: PpmParkRegisterParking+83D6Aj
		push	2
		lea	edi, [esi+48h]
		pop	ebx

loc_5F733B:				; CODE XREF: PpmParkRegisterParking+83D94j
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_5F734C
		push	704D5050h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5F734C:				; CODE XREF: PpmParkRegisterParking+83D81j
		add	edi, 4
		sub	ebx, 1
		jnz	short loc_5F733B
		add	esi, 0D0h
		sub	[esp+70h+var_5C], 1
		jnz	short loc_5F7324
		mov	eax, [esp+70h+var_60]

loc_5F7365:				; CODE XREF: PpmParkRegisterParking+83D61j
		push	704D5050h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_573ACD
; 

loc_5F7375:				; CODE XREF: PpmParkRegisterParking+515j
		push	704D5050h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_573AD9
; 

loc_5F7385:				; CODE XREF: PpmParkRegisterParking+531j
		push	704D5050h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_573AF5
; 

loc_5F7395:				; CODE XREF: PpmParkRegisterParking+541j
		push	704D5050h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_573B05
; END OF FUNCTION CHUNK	FOR PpmParkRegisterParking
; 
; START	OF FUNCTION CHUNK FOR PpmCheckArmPeriod

loc_5F73A5:				; CODE XREF: PpmCheckArmPeriod+35j
					; PpmCheckArmPeriod+41j
		mov	edi, ds:_PpmCheckMinimumPeriod
		mov	[ebp+var_4], edi
		jmp	loc_573BC0
; END OF FUNCTION CHUNK	FOR PpmCheckArmPeriod
; 
; START	OF FUNCTION CHUNK FOR PpmPerfCheckRequired

loc_5F73B3:				; CODE XREF: PpmPerfCheckRequired+83703j
		cmp	dword ptr [eax+58h], 64h
		ja	loc_573D05
		mov	eax, [eax]

loc_5F73BF:				; CODE XREF: PpmPerfCheckRequired+42j
		cmp	eax, ebx
		jnz	short loc_5F73B3
		jmp	loc_573CEF
; END OF FUNCTION CHUNK	FOR PpmPerfCheckRequired
; 
; START	OF FUNCTION CHUNK FOR PpmParkApplyPolicy

loc_5F73C8:				; CODE XREF: PpmParkApplyPolicy+DDj
		mov	cl, ch
		sub	cl, [ebp+var_3]
		jmp	loc_573DED
; 

loc_5F73D2:				; CODE XREF: PpmParkApplyPolicy+F8j
		mov	cl, ch
		sub	cl, [ebp+var_3]
		jmp	loc_573E08
; 

loc_5F73DC:				; CODE XREF: PpmParkApplyPolicy+189j
		mov	edx, [ebp+var_1C]
		cmp	cl, dl
		jb	loc_573E99
		mov	cl, dl
		mov	[ebp+var_1], cl
		jmp	loc_573E99
; 

loc_5F73F1:				; CODE XREF: PpmParkApplyPolicy+198j
		mov	al, dl
		mov	[ebp+var_2], dl
		jmp	loc_573EA8
; 

loc_5F73FB:				; CODE XREF: PpmParkApplyPolicy+1A0j
		mov	[ebp+var_1], al
		jmp	loc_573EB0
; 

loc_5F7403:				; CODE XREF: PpmParkApplyPolicy+1E0j
		or	esi, [eax+3C8h]
		jmp	loc_573EC8
; 

loc_5F740E:				; CODE XREF: PpmParkApplyPolicy+223j
		mov	edx, [ebx+8]
		mov	cx, [ebx+4]
		push	eax
		call	_PpmEventParkNodeParkHintChanged@12 ; PpmEventParkNodeParkHintChanged(x,x,x)
		jmp	loc_573F33
; 

loc_5F7420:				; CODE XREF: PpmParkApplyPolicy+22Dj
		mov	al, ds:_PpmParkGranularity
		mov	cl, [ebx+5Ch]
		mov	[ebx+5Ah], al
		cmp	al, cl
		ja	short loc_5F7431
		mov	al, cl

loc_5F7431:				; CODE XREF: PpmParkApplyPolicy+83723j
		mov	[ebx+5Ch], al
		jmp	loc_573F3D
; 

loc_5F7439:				; CODE XREF: PpmParkApplyPolicy+23Dj
		mov	al, [ebx+5Ah]
		mov	[ebx+63h], dl
		cmp	al, 1
		ja	short loc_5F7445
		mov	al, 1

loc_5F7445:				; CODE XREF: PpmParkApplyPolicy+83737j
		mov	[ebx+5Ah], al
		mov	al, [ebx+5Ch]
		cmp	al, 1
		ja	short loc_5F7451
		mov	al, 1

loc_5F7451:				; CODE XREF: PpmParkApplyPolicy+83743j
		mov	[ebx+5Ch], al
		mov	[ebx+5Bh], dl
		or	byte ptr [ebx+6Ah], 4
		mov	[ebx+5Dh], dl
		jmp	loc_573F56
; 

loc_5F7463:				; CODE XREF: PpmParkApplyPolicy+246j
		cmp	byte ptr [ebx+59h], 0
		jz	loc_573F56
		mov	al, [ebx+5Bh]
		mov	[ebx+62h], dl
		mov	[ebx+5Ah], dl
		mov	[ebx+5Ch], dl
		cmp	al, 1
		ja	short loc_5F747F
		mov	al, 1

loc_5F747F:				; CODE XREF: PpmParkApplyPolicy+83771j
		mov	[ebx+5Bh], al
		mov	al, [ebx+5Dh]
		cmp	al, 1
		ja	short loc_5F748B
		mov	al, 1

loc_5F748B:				; CODE XREF: PpmParkApplyPolicy+8377Dj
		or	byte ptr [ebx+6Ah], 2
		mov	[ebx+5Dh], al
		jmp	loc_573F56
; 

loc_5F7497:				; CODE XREF: PpmParkApplyPolicy+26Cj
		mov	ecx, edx
		test	esi, esi
		jz	loc_573F74

loc_5F74A1:				; CODE XREF: PpmParkApplyPolicy+837E9j
		test	edi, edi
		jz	loc_573F7C
		movzx	eax, cx
		imul	eax, 0D0h
		add	eax, ds:_PpmParkNodes
		mov	bl, [eax+6]
		mov	[ebp+var_4], bl
		test	bl, bl
		mov	ebx, [ebp+var_10]
		jz	short loc_5F74ED
		mov	bh, ds:_PpmParkGranularity
		mov	bl, [eax+5Eh]
		add	bl, bh
		mov	[ebp+var_2], bh
		cmp	bl, [ebp+var_4]
		mov	[ebp+var_3], bl
		mov	ebx, [ebp+var_10]
		jnb	short loc_5F74ED
		mov	bl, [ebp+var_3]
		mov	[eax+5Eh], bl
		movzx	eax, [ebp+var_2]
		mov	ebx, [ebp+var_10]
		sub	edi, eax

loc_5F74ED:				; CODE XREF: PpmParkApplyPolicy+837B9j
					; PpmParkApplyPolicy+837D2j
		inc	ecx
		movzx	eax, cx
		cmp	eax, esi
		jb	short loc_5F74A1
		jmp	loc_573F74
; 

loc_5F74FA:				; CODE XREF: PpmParkApplyPolicy+274j
		mov	ecx, edx
		test	esi, esi
		jz	loc_573F7C

loc_5F7504:				; CODE XREF: PpmParkApplyPolicy+8384Bj
		test	ebx, ebx
		jz	loc_573F84
		movzx	eax, cx
		imul	eax, 0D0h
		push	0
		add	eax, ds:_PpmParkNodes
		mov	dl, [eax+6]
		mov	[ebp+var_4], dl
		test	dl, dl
		pop	edx
		jz	short loc_5F754F
		mov	dh, ds:_PpmParkGranularity
		mov	dl, [eax+60h]
		add	dl, dh
		mov	[ebp+var_2], dh
		cmp	dl, [ebp+var_4]
		push	0
		mov	[ebp+var_3], dl
		pop	edx
		jnb	short loc_5F754F
		mov	dl, [ebp+var_3]
		mov	[eax+60h], dl
		movzx	eax, [ebp+var_2]
		sub	ebx, eax
		xor	edx, edx

loc_5F754F:				; CODE XREF: PpmParkApplyPolicy+8381Cj
					; PpmParkApplyPolicy+83835j
		inc	ecx
		movzx	eax, cx
		cmp	eax, esi
		jb	short loc_5F7504
		jmp	loc_573F7C
; 

loc_5F755C:				; CODE XREF: PpmParkApplyPolicy+2A0j
					; PpmParkApplyPolicy+2B2j
		movzx	eax, byte ptr [esi+60h]
		mov	edx, [esi+8]
		mov	cx, [esi+4]
		push	eax
		push	ebx
		call	_PpmEventParkNodeCapChange@16 ;	PpmEventParkNodeCapChange(x,x,x,x)
		mov	cl, [esi+6]
		mov	al, cl
		sub	al, [esi+5Eh]
		sub	cl, [esi+60h]
		mov	[esi+5Fh], al
		mov	[esi+61h], cl
		jmp	loc_573FC2
; 

loc_5F7584:				; CODE XREF: PpmParkApplyPolicy+2D3j
		mov	ecx, large fs:20h
		push	edx
		push	eax
		push	edx
		push	0F4240h
		xor	dl, dl
		mov	ds:_PpmParkSoftParkingEnabled, 1
		call	_KeQueryCycleCounterFrequency@8	; KeQueryCycleCounterFrequency(x,x)
		push	edx
		push	eax
		call	PpmConvertTime
		mov	edx, eax
		jmp	loc_573FE9
; END OF FUNCTION CHUNK	FOR PpmParkApplyPolicy
; 
; START	OF FUNCTION CHUNK FOR PpmPerfResetHistory

loc_5F75AF:				; CODE XREF: PpmPerfResetHistory+Cj
		mov	edx, [esi]
		xor	eax, eax
		push	ebx
		movzx	ebx, word ptr [ecx+14h]
		mov	[esi+4], eax
		mov	[esi+0Ch], eax
		mov	eax, ebx
		imul	eax, edx
		push	edi
		lea	edi, [esi+14h]
		mov	[esi+8], eax
		movzx	eax, word ptr [ecx+22h]
		mov	ecx, eax
		imul	eax, edx
		mov	[ebp+var_4], ecx
		mov	[esi+10h], eax
		xor	eax, eax
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	ecx, eax
		cmp	[esi], eax
		jbe	short loc_5F760D
		mov	edx, [ebp+var_4]
		lea	eax, [esi+20h]

loc_5F75EC:				; CODE XREF: PpmPerfResetHistory+835D7j
		mov	[eax+4], dx
		xor	edi, edi
		xor	edx, edx
		mov	[eax+2], di
		mov	[eax], bx
		inc	ecx
		mov	[eax+6], dx
		lea	eax, [eax+0Ah]
		mov	[eax-2], dl
		mov	edx, [ebp+var_4]
		cmp	ecx, [esi]
		jb	short loc_5F75EC

loc_5F760D:				; CODE XREF: PpmPerfResetHistory+835B0j
		pop	edi
		pop	ebx
		jmp	loc_574046
; END OF FUNCTION CHUNK	FOR PpmPerfResetHistory
; 
; START	OF FUNCTION CHUNK FOR PpmResetPerformanceAccumulation

loc_5F7614:				; CODE XREF: PpmResetPerformanceAccumulation+12j
		mov	ecx, 0DB2h
		rdmsr
		mov	[esi+3E20h], eax
		mov	[esi+3E24h], edx
		jmp	loc_5740EA
; END OF FUNCTION CHUNK	FOR PpmResetPerformanceAccumulation
; 
; START	OF FUNCTION CHUNK FOR PpmHeteroDetectHgsCores

loc_5F762C:				; CODE XREF: PpmHeteroDetectHgsCores+1Dj
		cmp	ds:_PpmHeteroHgsHeteroCoreTypes, al
		jz	loc_574199
		xor	eax, eax
		mov	[ebp+var_C], 1
		push	esi
		mov	[ebp+var_10], ax
		mov	esi, offset _PpmCheckRegistered
		mov	eax, ds:dword_6B5BAC
		mov	[ebp+var_1], 0FFh
		mov	[ebp+var_4], bl
		mov	[ebp+var_2], bl
		mov	[ebp+var_3], bl
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], esi

loc_5F7663:				; CODE XREF: PpmHeteroDetectHgsCores+83539j
					; PpmHeteroDetectHgsCores+83541j
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5F76B9
		mov	ecx, [ebp+var_8]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, eax
		mov	al, [ecx+3F17h]
		cmp	al, bl
		jbe	short loc_5F768A
		mov	bl, al

loc_5F768A:				; CODE XREF: PpmHeteroDetectHgsCores+83510j
		cmp	al, [ebp+var_1]
		jnb	short loc_5F7692
		mov	[ebp+var_1], al

loc_5F7692:				; CODE XREF: PpmHeteroDetectHgsCores+83517j
		mov	al, [ecx+3F16h]
		cmp	al, [ebp+var_2]
		jbe	short loc_5F76A0
		mov	[ebp+var_2], al

loc_5F76A0:				; CODE XREF: PpmHeteroDetectHgsCores+83525j
		cmp	al, [ebp+var_3]
		jbe	short loc_5F76A8
		mov	[ebp+var_3], al

loc_5F76A8:				; CODE XREF: PpmHeteroDetectHgsCores+8352Dj
		cmp	byte ptr [ecx+3F14h], 0
		jz	short loc_5F7663
		mov	al, byte ptr [ebp+var_C]
		mov	[ebp+var_4], al
		jmp	short loc_5F7663
; 

loc_5F76B9:				; CODE XREF: PpmHeteroDetectHgsCores+834FCj
		cmp	ds:_PpmHeteroHgsPopulated, 0
		jnz	short loc_5F7728
		mov	eax, [ebp+var_C]
		cmp	bl, [ebp+var_1]
		jz	loc_5F77B1
		mov	bl, [ebp+var_1]
		mov	[edi+4], al
		mov	[edi+5], al
		xor	eax, eax
		mov	[ebp+var_10], ax
		mov	eax, ds:dword_6B5BAC
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], esi

loc_5F76E8:				; CODE XREF: PpmHeteroDetectHgsCores+835B0j
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	loc_5F77AE
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, eax
		lea	eax, [esi+2]
		imul	edx, eax, 3
		cmp	[ecx+3F17h], bl
		setnz	cl
		setz	al
		mov	[edx+edi], cl
		mov	[edx+edi+2], cl
		mov	[edx+edi+1], al
		jmp	short loc_5F76E8
; 

loc_5F7728:				; CODE XREF: PpmHeteroDetectHgsCores+8354Aj
		cmp	[ebp+var_4], 0
		mov	cl, [ebp+var_2]
		setnz	al
		inc	al
		mov	[edi+4], al
		mov	[edi+5], al
		mov	al, [edi+4]
		cmp	al, cl
		jb	short loc_5F7743
		mov	al, cl

loc_5F7743:				; CODE XREF: PpmHeteroDetectHgsCores+835C9j
		mov	cl, [ebp+var_3]
		mov	[edi+4], al
		mov	al, [edi+5]
		cmp	al, cl
		jb	short loc_5F7752
		mov	al, cl

loc_5F7752:				; CODE XREF: PpmHeteroDetectHgsCores+835D8j
		mov	[edi+5], al
		xor	eax, eax
		mov	[ebp+var_10], ax
		mov	eax, ds:dword_6B5BAC
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], esi

loc_5F7766:				; CODE XREF: PpmHeteroDetectHgsCores+83636j
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5F77AE
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, eax
		lea	eax, [esi+2]
		imul	edx, eax, 3
		mov	al, [ecx+3F15h]
		mov	[edx+edi+2], al
		mov	al, [ecx+3F16h]
		mov	[edx+edi+1], al
		mov	al, [ebp+var_1]
		cmp	[ecx+3F17h], al
		setnz	al
		mov	[edx+edi], al
		jmp	short loc_5F7766
; 

loc_5F77AE:				; CODE XREF: PpmHeteroDetectHgsCores+83581j
					; PpmHeteroDetectHgsCores+835FFj
		mov	eax, [ebp+var_C]

loc_5F77B1:				; CODE XREF: PpmHeteroDetectHgsCores+83552j
		pop	esi
		jmp	loc_574199
; END OF FUNCTION CHUNK	FOR PpmHeteroDetectHgsCores
; 
; START	OF FUNCTION CHUNK FOR PpmHeteroUpdateHgsConfiguration

loc_5F77B7:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+27j
		cmp	ds:dword_6B5BAC, eax
		jz	loc_5741CB
		mov	ecx, 1B1h
		rdmsr
		mov	[ebp+var_38], edx
		test	eax, 4000000h
		jz	loc_5741CB
		xor	eax, eax
		xor	ecx, ecx
		inc	eax
		mov	[ebp+var_18], ecx
		mov	ds:_PpmHeteroHgsPopulated, al
		mov	word ptr [ebp+var_1C], ax
		mov	word ptr [ebp+var_1C+2], ax
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		xor	eax, eax
		push	esi
		mov	[ebp+var_28], ax
		mov	esi, offset _PpmCheckRegistered
		mov	eax, ds:dword_6B5BAC
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_2C], eax
		mov	[ebp+var_30], esi

loc_5F7812:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+836B2j
		mov	[ebp+var_8], ecx

loc_5F7815:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+836C0j
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5F7860
		mov	ecx, [ebp+var_24]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, ds:_PpmHeteroHgsInterface
		movzx	eax, word ptr [eax+3F12h]
		cmp	[ecx+eax*8+10h], bl
		jz	short loc_5F7852
		cmp	[ecx+eax*8+11h], bl
		jz	short loc_5F7852
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_24]
		bts	ecx, eax
		jmp	short loc_5F7812
; 

loc_5F7852:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+836A1j
					; PpmHeteroUpdateHgsConfiguration+836A7j
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_24]
		bts	ecx, eax
		mov	[ebp+var_14], ecx
		jmp	short loc_5F7815
; 

loc_5F7860:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+83686j
		cmp	[ebp+var_8], 0
		jnz	short loc_5F78CC
		xor	eax, eax
		mov	[ebp+var_28], ax
		mov	eax, ds:dword_6B5BAC
		mov	[ebp+var_2C], eax
		mov	[ebp+var_30], esi

loc_5F7877:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+83721j
					; PpmHeteroUpdateHgsConfiguration+8372Cj
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	loc_5F7B8F
		mov	ecx, [ebp+var_24]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		cmp	byte ptr [eax+3F16h], 0
		jz	short loc_5F78A6
		mov	bl, 1
		mov	byte ptr [eax+3F16h], 0

loc_5F78A6:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+836FDj
		cmp	byte ptr [eax+3F15h], 0
		jz	short loc_5F78B8
		mov	bl, 1
		mov	byte ptr [eax+3F15h], 0

loc_5F78B8:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+8370Fj
		cmp	byte ptr [eax+3F14h], 0
		jz	short loc_5F7877
		mov	bl, 1
		mov	byte ptr [eax+3F14h], 0
		jmp	short loc_5F7877
; 

loc_5F78CC:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+836C6j
		cmp	[ebp+var_14], 0
		setnz	[ebp+var_1E]
		xor	eax, eax
		mov	[ebp+var_28], ax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_30], eax

loc_5F78E6:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+8378Cj
					; PpmHeteroUpdateHgsConfiguration+83799j
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5F7939
		mov	ecx, [ebp+var_24]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		cmp	[eax+3F16h], bl
		jz	short loc_5F7911
		mov	[ebp+var_1D], 1
		mov	[eax+3F16h], bl

loc_5F7911:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+83767j
		cmp	[eax+3F15h], bl
		jz	short loc_5F7923
		mov	[ebp+var_1D], 1
		mov	[eax+3F15h], bl

loc_5F7923:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+83779j
		cmp	byte ptr [eax+3F14h], 1
		jz	short loc_5F78E6
		mov	[ebp+var_1D], 1
		mov	byte ptr [eax+3F14h], 1
		jmp	short loc_5F78E6
; 

loc_5F7939:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+83757j
		mov	ebx, [ebp+var_8]
		or	[ebp+var_38], 0FFFFFFFFh
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		push	edi
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	esi, cl
		mov	[ebp+var_34], esi
		jz	loc_5F7A8B
		mov	bl, [ebp+var_1E]

loc_5F7980:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+838E7j
		xor	eax, eax
		mov	[ebp+var_28], ax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_30], eax

loc_5F7992:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+83814j
					; PpmHeteroUpdateHgsConfiguration+83821j
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5F79C1
		mov	ecx, [ebp+var_24]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		cmp	byte ptr [eax+3F14h], 0
		jz	short loc_5F7992
		mov	[ebp+var_1D], 1
		mov	byte ptr [eax+3F14h], 0
		jmp	short loc_5F7992
; 

loc_5F79C1:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+83803j
		mov	esi, [ebp+var_38]
		or	edi, 0FFFFFFFFh
		xor	eax, eax
		mov	[ebp+var_28], ax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_30], eax

loc_5F79D9:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+8386Dj
					; PpmHeteroUpdateHgsConfiguration+83876j ...
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5F7A1D
		mov	ecx, [ebp+var_24]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	edx, ds:_PpmHeteroHgsInterface
		movzx	ecx, word ptr [eax+3F12h]
		cmp	esi, 0FFFFFFFFh
		jz	short loc_5F7A0D
		movzx	eax, byte ptr [edx+ecx*8+10h]
		cmp	eax, esi
		jbe	short loc_5F79D9

loc_5F7A0D:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+83864j
		movzx	eax, byte ptr [edx+ecx*8+10h]
		cmp	edi, eax
		jb	short loc_5F79D9
		movzx	edi, byte ptr [edx+ecx*8+10h]
		jmp	short loc_5F79D9
; 

loc_5F7A1D:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+8384Aj
		xor	eax, eax
		mov	[ebp+var_28], ax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_30], eax

loc_5F7A2F:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+838C3j
		mov	esi, [ebp+var_34]

loc_5F7A32:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+838DEj
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5F7A7E
		mov	ecx, [ebp+var_24]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, ds:_PpmHeteroHgsInterface
		mov	esi, eax
		movzx	edx, word ptr [esi+3F12h]
		movzx	eax, byte ptr [ecx+edx*8+10h]
		cmp	eax, edi
		jnz	short loc_5F7A2F
		cmp	[esi+3F15h], bl
		jz	short loc_5F7A75
		mov	[ebp+var_1D], 1
		mov	[esi+3F15h], bl

loc_5F7A75:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+838CBj
		mov	esi, [ebp+var_34]
		dec	esi
		mov	[ebp+var_34], esi
		jmp	short loc_5F7A32
; 

loc_5F7A7E:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+838A3j
		inc	bl
		mov	[ebp+var_38], edi
		test	esi, esi
		jnz	loc_5F7980

loc_5F7A8B:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+837D9j
		mov	ebx, [ebp+var_8]
		or	edi, 0FFFFFFFFh
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	ebx, cl
		jz	loc_5F7B8B

loc_5F7ACA:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+839E7j
		or	esi, 0FFFFFFFFh
		xor	eax, eax
		mov	[ebp+var_28], ax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_30], eax

loc_5F7ADF:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+83973j
					; PpmHeteroUpdateHgsConfiguration+8397Cj ...
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5F7B23
		mov	ecx, [ebp+var_24]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	edx, ds:_PpmHeteroHgsInterface
		movzx	ecx, word ptr [eax+3F12h]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_5F7B13
		movzx	eax, byte ptr [edx+ecx*8+11h]
		cmp	eax, edi
		jbe	short loc_5F7ADF

loc_5F7B13:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+8396Aj
		movzx	eax, byte ptr [edx+ecx*8+11h]
		cmp	esi, eax
		jb	short loc_5F7ADF
		movzx	esi, byte ptr [edx+ecx*8+11h]
		jmp	short loc_5F7ADF
; 

loc_5F7B23:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+83950j
		xor	eax, eax
		mov	[ebp+var_28], ax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_30], eax

loc_5F7B35:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+839C6j
					; PpmHeteroUpdateHgsConfiguration+839DEj
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_5F7B7E
		mov	ecx, [ebp+var_24]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, ds:_PpmHeteroHgsInterface
		mov	edi, eax
		movzx	edx, word ptr [edi+3F12h]
		movzx	eax, byte ptr [ecx+edx*8+11h]
		cmp	eax, esi
		jnz	short loc_5F7B35
		mov	al, [ebp+var_1E]
		cmp	[edi+3F16h], al
		jz	short loc_5F7B7B
		mov	[ebp+var_1D], 1
		mov	[edi+3F16h], al

loc_5F7B7B:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+839D1j
		dec	ebx
		jmp	short loc_5F7B35
; 

loc_5F7B7E:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+839A6j
		inc	[ebp+var_1E]
		mov	edi, esi
		test	ebx, ebx
		jnz	loc_5F7ACA

loc_5F7B8B:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+83926j
		mov	bl, [ebp+var_1D]
		pop	edi

loc_5F7B8F:				; CODE XREF: PpmHeteroUpdateHgsConfiguration+836E8j
		mov	ecx, 1B1h
		rdmsr
		and	eax, 0FBFFFFFFh
		wrmsr
		pop	esi
		jmp	loc_5741CB
; END OF FUNCTION CHUNK	FOR PpmHeteroUpdateHgsConfiguration
; 
; START	OF FUNCTION CHUNK FOR CmpLazyWriteWorker

loc_5F7BA3:				; CODE XREF: CmpLazyWriteWorker+51j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_574256
; 

loc_5F7BB2:				; CODE XREF: CmpLazyWriteWorker+9Cj
		cmp	byte ptr [esp+0Fh], 0
		jnz	short loc_5F7BC5
		mov	ds:_CmpCannotWriteConfiguration, 0
		jmp	loc_574276
; 

loc_5F7BC5:				; CODE XREF: CmpLazyWriteWorker+839BDj
		call	_CmpDiskFullWarning@0 ;	CmpDiskFullWarning()
		jmp	loc_574276
; END OF FUNCTION CHUNK	FOR CmpLazyWriteWorker
; 
; START	OF FUNCTION CHUNK FOR SepAdtMarshallAuditRecord

loc_5F7BCF:				; CODE XREF: SepAdtMarshallAuditRecord+2Fj
		mov	eax, [edx+10h]
		mov	ecx, [eax+4]
		mov	eax, [eax]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], eax
		lea	ecx, ds:8[eax*8]
		test	eax, eax
		jz	loc_574570
		mov	esi, [ebp+var_1C]
		mov	edi, eax
		add	esi, 4

loc_5F7BF4:				; CODE XREF: SepAdtMarshallAuditRecord+836DAj
		mov	eax, [esi]
		lea	esi, [esi+8]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	ecx, eax
		sub	edi, 1
		jnz	short loc_5F7BF4
		mov	edi, [ebp+var_8]
		xor	esi, esi
		jmp	loc_574570
; 

loc_5F7C18:				; CODE XREF: SepAdtMarshallAuditRecord+43j
		mov	esi, 0C000000Dh
		jmp	loc_57468F
; 

loc_5F7C22:				; CODE XREF: SepAdtMarshallAuditRecord+79j
		mov	[eax], esi
		mov	esi, 0C000009Ah
		jmp	loc_57468F
; 

loc_5F7C2E:				; CODE XREF: SepAdtMarshallAuditRecord+E6j
					; DATA XREF: .text:005746D2o
		mov	eax, [edi]
		or	dword ptr [eax+14h], 2
		jmp	loc_57466D
; 

loc_5F7C39:				; CODE XREF: SepAdtMarshallAuditRecord+E6j
					; DATA XREF: .text:005746D6o
		mov	eax, [edi]
		or	dword ptr [eax+14h], 2
		jmp	loc_574698
; 

loc_5F7C44:				; CODE XREF: SepAdtMarshallAuditRecord+E6j
					; DATA XREF: .text:005746CEo
		mov	eax, [ebp+var_4]
		mov	[ebp+var_10], ebx
		mov	ecx, [eax+10h]
		mov	[ebp+var_1C], ecx
		mov	eax, [ecx]
		mov	[ebx], eax
		mov	eax, [ecx+4]
		mov	[ebx+4], eax
		mov	eax, ebx
		sub	eax, [edi]
		add	ebx, 8
		mov	[edx], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_14], eax
		mov	eax, [ecx]
		mov	[ebp+var_20], ebx
		test	eax, eax
		jz	short loc_5F7C99
		shl	eax, 3
		push	eax		; size_t
		push	[ebp+var_14]	; void *
		push	ebx		; void *
		call	_memcpy
		mov	ecx, [ebp+var_10]
		mov	eax, ebx
		mov	edx, [ebp+arg_4]
		add	esp, 0Ch
		sub	eax, [edi]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_1C]
		mov	eax, [eax]
		lea	ebx, [ebx+eax*8]
		jmp	short loc_5F7CA1
; 

loc_5F7C99:				; CODE XREF: SepAdtMarshallAuditRecord+8373Ej
		mov	eax, [ebp+var_10]
		mov	[eax+4], esi
		mov	eax, [ecx]

loc_5F7CA1:				; CODE XREF: SepAdtMarshallAuditRecord+83765j
		mov	[ebp+var_10], esi
		test	eax, eax
		jz	loc_57466A
		mov	edx, [ebp+var_14]
		mov	esi, [ebp+var_20]
		add	edx, 4
		add	esi, 4
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], esi

loc_5F7CBE:				; CODE XREF: SepAdtMarshallAuditRecord+837CAj
		mov	eax, ebx
		sub	eax, [edi]
		mov	[esi], eax
		mov	ecx, [edx]
		movzx	eax, byte ptr [ecx+1]
		lea	esi, ds:8[eax*4]
		push	esi		; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memcpy
		mov	ecx, [ebp+var_10]
		add	ebx, esi
		mov	eax, [ebp+var_1C]
		add	esp, 0Ch
		mov	esi, [ebp+var_14]
		inc	ecx
		mov	edx, [ebp+var_18]
		add	esi, 8
		add	edx, 8
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], esi
		mov	[ebp+var_18], edx
		cmp	ecx, [eax]
		jb	short loc_5F7CBE
		jmp	loc_574665
; END OF FUNCTION CHUNK	FOR SepAdtMarshallAuditRecord
; 
; START	OF FUNCTION CHUNK FOR PpmInstallNewIdleStates

loc_5F7D03:				; CODE XREF: PpmInstallNewIdleStates+5Aj
		mov	ebx, 0C000000Dh
		jmp	loc_574B09
; 

loc_5F7D0D:				; CODE XREF: PpmInstallNewIdleStates+DCj
		mov	eax, [eax]
		imul	eax, edi
		imul	eax, 38h
		add	ecx, eax
		mov	[ebp+var_18], ecx
		jmp	loc_574804
; 

loc_5F7D1F:				; CODE XREF: PpmInstallNewIdleStates+F9j
		mov	ebx, 0C000009Ah
		jmp	loc_574B09
; 

loc_5F7D29:				; CODE XREF: PpmInstallNewIdleStates+426j
		mov	dword ptr [ecx+18h], 80000000h
		jmp	loc_5749AD
; 

loc_5F7D35:				; CODE XREF: PpmInstallNewIdleStates+295j
		mov	eax, [eax]
		mov	[ecx+28h], eax
		mov	eax, [ebp+var_18]
		mov	[ecx+2Ch], eax
		mov	eax, [ebp+var_24]
		imul	eax, [eax], 38h
		add	[ebp+var_18], eax
		jmp	loc_5749BD
; 

loc_5F7D4E:				; CODE XREF: PpmInstallNewIdleStates+2D9j
		test	eax, eax
		jz	loc_574A01
		lea	ecx, [edi+0C8h]
		lea	edx, [esi+130h]

loc_5F7D62:				; CODE XREF: PpmInstallNewIdleStates+8364Ej
		mov	[ecx], edx
		add	edx, 44h
		lea	ecx, [ecx+3E8h]
		sub	eax, 1
		jnz	short loc_5F7D62
		jmp	loc_574A01
; 

loc_5F7D77:				; CODE XREF: PpmInstallNewIdleStates+2FCj
		mov	edx, [ebp+4]
		mov	ecx, offset _PpmIdleVetoLock
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	ecx, [ebp+var_18]
		jmp	loc_574A2E
; 

loc_5F7D8C:				; CODE XREF: PpmInstallNewIdleStates+312j
		mov	eax, [ecx+1Ch]
		mov	[esi+1Ch], eax
		jmp	loc_574A3A
; 

loc_5F7D97:				; CODE XREF: PpmInstallNewIdleStates+3CFj
		imul	eax, ds:_PpmIdleDurationExpirationTimeoutMs, 2710h
		mov	ds:dword_70EE3C, ebx
		mov	ds:_PpmIdleDurationExpirationTimeout, eax
		jmp	loc_574AF7
; END OF FUNCTION CHUNK	FOR PpmInstallNewIdleStates
; 
; START	OF FUNCTION CHUNK FOR PpmUpdateProcessorIdleAccounting

loc_5F7DB1:				; CODE XREF: PpmUpdateProcessorIdleAccounting+9Cj
					; PpmUpdateProcessorIdleAccounting+A9j
		mov	[ecx+eax+0D8h],	edx
		mov	[ecx+eax+0DCh],	esi
		jmp	loc_574DA3
; 

loc_5F7DC4:				; CODE XREF: PpmUpdateProcessorIdleAccounting+B8j
					; PpmUpdateProcessorIdleAccounting+C5j
		mov	[ecx+eax+0E0h],	edx
		mov	[ecx+eax+0E4h],	esi
		jmp	loc_574DBF
; END OF FUNCTION CHUNK	FOR PpmUpdateProcessorIdleAccounting
; 
; START	OF FUNCTION CHUNK FOR BgfxGrowDirtyRect

loc_5F7DD7:				; CODE XREF: BgfxGrowDirtyRect+89j
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_574E9E
; END OF FUNCTION CHUNK	FOR BgfxGrowDirtyRect
; 
; START	OF FUNCTION CHUNK FOR SepBuildCapPolicyTable

loc_5F7DE6:				; CODE XREF: SepBuildCapPolicyTable+9Bj
		push	70536553h
		push	30h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+28h+var_C], edi
		test	edi, edi
		jnz	short loc_5F7E08
		mov	edi, 0C000009Ah
		jmp	loc_5751E0
; 

loc_5F7E08:				; CODE XREF: SepBuildCapPolicyTable+82CFAj
		push	30h		; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		mov	eax, [esp+34h+var_1C]
		lea	ecx, [esp+34h+var_C]
		add	esp, 0Ch
		mov	[edi+28h], ebx
		mov	edx, 80h
		mov	[edi+2Ch], eax
		push	esi
		push	esi
		call	RtlpCreateHashTable
		mov	ebx, [esp+28h+var_C]
		test	al, al
		jnz	short loc_5F7E62
		mov	edi, 0C000009Ah

loc_5F7E3B:				; CODE XREF: SepBuildCapPolicyTable+82D72j
		test	ebx, ebx
		jz	loc_5751A3
		mov	ecx, ebx
		call	_SepRmDestroyCapTable@4	; SepRmDestroyCapTable(x)

loc_5F7E4A:				; CODE XREF: SepBuildCapPolicyTable+E2j
		test	esi, esi
		jz	loc_5751A3
		push	70536553h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_5751A3
; 

loc_5F7E62:				; CODE XREF: SepBuildCapPolicyTable+82D32j
		mov	edx, [esp+28h+var_8]
		mov	ecx, [esp+28h+var_18]
		push	ebx
		call	_SepReadAndInsertCaps@12 ; SepReadAndInsertCaps(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_5F7E3B
		mov	eax, [esp+28h+var_4]
		mov	[eax], ebx
		jmp	loc_5751A3
; END OF FUNCTION CHUNK	FOR SepBuildCapPolicyTable
; 
; START	OF FUNCTION CHUNK FOR EtwpQueryPartitionRegistryInformation

loc_5F7E81:				; CODE XREF: EtwpQueryPartitionRegistryInformation+1D1j
		cmp	[esp+0F0h+var_E4], 0FFFFh
		jnb	loc_5754E5
		mov	edi, 61777445h
		push	edi
		push	[esp+0F4h+var_E4]
		push	204h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jz	loc_5754E5
		movzx	ecx, word ptr [esp+0F0h+var_DC]
		push	ecx
		push	[esp+0F4h+var_D8]
		lea	ecx, [esp+0F8h+var_E4]
		push	ecx
		push	[esp+0FCh+var_E4]
		push	eax
		call	RtlUnicodeToUTF8N
		test	eax, eax
		jz	short loc_5F7EE0
		cmp	eax, 107h
		jz	short loc_5F7EE0
		push	edi
		push	dword ptr [ebx]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebx], esi
		jmp	loc_5754E5
; 

loc_5F7EE0:				; CODE XREF: EtwpQueryPartitionRegistryInformation+82BBAj
					; EtwpQueryPartitionRegistryInformation+82BC1j
		mov	ecx, [esp+0F0h+var_C0]
		mov	ax, word ptr [esp+0F0h+var_E4]
		mov	[ecx], ax
		jmp	loc_5754E5
; END OF FUNCTION CHUNK	FOR EtwpQueryPartitionRegistryInformation
; 
; START	OF FUNCTION CHUNK FOR StringToGuidNoBrackets

loc_5F7EF1:				; CODE XREF: StringToGuidNoBrackets+17j
		movzx	eax, word ptr [ecx]
		shr	eax, 1
		cmp	eax, 24h
		jnz	loc_57555F
		xor	eax, eax
		mov	edi, esi
		push	5
		xor	edx, edx
		stosd
		stosd
		stosd
		stosd
		pop	edi

loc_5F7F0C:				; CODE XREF: StringToGuidNoBrackets+82AA0j
		cmp	edx, 8
		jz	loc_5F7FD3
		cmp	edx, 0Dh
		jz	loc_5F7FD3
		cmp	edx, 12h
		jz	loc_5F7FD3
		cmp	edx, 17h
		jz	loc_5F7FD3
		movzx	ecx, word ptr [ebx+edx*2]
		lea	eax, [ecx-30h]
		cmp	ax, 9
		ja	short loc_5F7F42
		lea	ebx, [ecx-30h]
		jmp	short loc_5F7F5E
; 

loc_5F7F42:				; CODE XREF: StringToGuidNoBrackets+829F9j
		lea	eax, [ecx-61h]
		cmp	ax, di
		ja	short loc_5F7F4F
		lea	ebx, [ecx-57h]
		jmp	short loc_5F7F5E
; 

loc_5F7F4F:				; CODE XREF: StringToGuidNoBrackets+82A06j
		lea	eax, [ecx-41h]
		cmp	ax, di
		ja	loc_57555F
		lea	ebx, [ecx-37h]

loc_5F7F5E:				; CODE XREF: StringToGuidNoBrackets+829FEj
					; StringToGuidNoBrackets+82A0Bj
		cmp	edx, 8
		jnb	short loc_5F7F6E
		mov	eax, [esi]
		shl	eax, 4
		add	eax, ebx
		mov	[esi], eax
		jmp	short loc_5F7FCE
; 

loc_5F7F6E:				; CODE XREF: StringToGuidNoBrackets+82A1Fj
		cmp	edx, 0Dh
		jnb	short loc_5F7F84
		mov	ax, [esi+4]
		shl	ax, 4
		add	ax, bx
		mov	[esi+4], ax
		jmp	short loc_5F7FCE
; 

loc_5F7F84:				; CODE XREF: StringToGuidNoBrackets+82A2Fj
		cmp	edx, 12h
		jnb	short loc_5F7F9A
		mov	ax, [esi+6]
		shl	ax, 4
		add	ax, bx
		mov	[esi+6], ax
		jmp	short loc_5F7FCE
; 

loc_5F7F9A:				; CODE XREF: StringToGuidNoBrackets+82A45j
		cmp	edx, 17h
		jnb	short loc_5F7FB3
		lea	ecx, [edx-13h]
		shr	ecx, 1
		mov	al, [ecx+esi+8]
		shl	al, 4
		add	al, bl
		mov	[ecx+esi+8], al
		jmp	short loc_5F7FCE
; 

loc_5F7FB3:				; CODE XREF: StringToGuidNoBrackets+82A5Bj
		cmp	edx, 24h
		jnb	loc_57555F
		lea	ecx, [edx-18h]
		shr	ecx, 1
		mov	al, [ecx+esi+0Ah]
		shl	al, 4
		add	al, bl
		mov	[ecx+esi+0Ah], al

loc_5F7FCE:				; CODE XREF: StringToGuidNoBrackets+82A2Aj
					; StringToGuidNoBrackets+82A40j ...
		mov	ebx, [ebp+var_4]
		jmp	short loc_5F7FDE
; 

loc_5F7FD3:				; CODE XREF: StringToGuidNoBrackets+829CDj
					; StringToGuidNoBrackets+829D6j ...
		cmp	word ptr [ebx+edx*2], 2Dh
		jnz	loc_57555F

loc_5F7FDE:				; CODE XREF: StringToGuidNoBrackets+82A8Fj
		inc	edx
		cmp	edx, 24h
		jb	loc_5F7F0C
		xor	eax, eax
		jmp	loc_575564
; END OF FUNCTION CHUNK	FOR StringToGuidNoBrackets
; 
; START	OF FUNCTION CHUNK FOR BapdpProcessEtwEvents

loc_5F7FEF:				; CODE XREF: BapdpProcessEtwEvents+5Cj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_5756D2
; END OF FUNCTION CHUNK	FOR BapdpProcessEtwEvents
; 
; START	OF FUNCTION CHUNK FOR BapdpMarshallBootDataToRegistry

loc_5F7FFC:				; CODE XREF: BapdpMarshallBootDataToRegistry+85j
		push	64506142h
		mov	eax, ebx
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_A8], esi
		test	esi, esi
		jz	loc_5F8301
		cmp	edi, offset dword_6FD470
		jz	short loc_5F8078
		mov	[ebp+var_98], esi

loc_5F802C:				; CODE XREF: BapdpMarshallBootDataToRegistry+8294Aj
		mov	eax, [edi+8]
		mov	edi, [edi]
		mov	[ebp+var_94], eax
		mov	ecx, [eax+20h]
		test	ecx, ecx
		jz	short loc_5F8070
		cmp	ecx, 2
		ja	short loc_5F8070
		push	10h		; size_t
		lea	ecx, [ebp+var_80]
		add	eax, 10h
		push	ecx		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_5F8070
		mov	eax, [ebp+var_98]
		mov	ecx, [ebp+var_94]
		mov	[eax], ecx
		add	eax, 4
		mov	[ebp+var_98], eax

loc_5F8070:				; CODE XREF: BapdpMarshallBootDataToRegistry+82910j
					; BapdpMarshallBootDataToRegistry+82915j ...
		cmp	edi, offset dword_6FD470
		jnz	short loc_5F802C

loc_5F8078:				; CODE XREF: BapdpMarshallBootDataToRegistry+828F8j
		push	offset ??_C@_1GG@IBGAEKLO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@FNODOBFM@
		lea	eax, [ebp+var_78]
		xor	edi, edi
		push	eax
		mov	[ebp+var_78], edi
		mov	[ebp+var_74], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	eax
		mov	[ebp+var_C0], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_C0]
		push	eax
		push	20019h
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_BC], edi
		push	eax
		mov	[ebp+var_B4], 240h
		mov	[ebp+var_B0], edi
		mov	[ebp+var_AC], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	short loc_5F80E3
		mov	[ebp+var_A0], edi
		jmp	loc_5F8315
; 

loc_5F80E3:				; CODE XREF: BapdpMarshallBootDataToRegistry+829AAj
		push	offset ??_C@_1DM@KEPNEABC@?$AAB?$AAo?$AAo?$AAt?$AAA?$AAp?$AAp?$AAl?$AAi?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn@FNODOBFM@
		lea	eax, [ebp+var_78]
		mov	[ebp+var_78], edi
		push	eax
		mov	[ebp+var_74], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	eax
		push	edi
		mov	[ebp+var_C0], eax
		mov	eax, [ebp+var_A0]
		push	1
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_78]
		push	edi
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_C0]
		push	edi
		push	eax
		push	6001Fh
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_B4], 240h
		push	eax
		mov	[ebp+var_B0], edi
		mov	[ebp+var_AC], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_5F8157
		mov	[ebp+var_A4], edi
		jmp	loc_5F8301
; 

loc_5F8157:				; CODE XREF: BapdpMarshallBootDataToRegistry+82A1Ej
		mov	[ebp+var_94], edi
		test	ebx, ebx
		jz	loc_5F8301

loc_5F8165:				; CODE XREF: BapdpMarshallBootDataToRegistry+82BCFj
		and	[ebp+var_98], 0
		mov	eax, [esi+edi*4]
		test	eax, eax
		jz	loc_5F82F2
		mov	esi, eax
		lea	edi, [ebp+var_90]
		push	6
		pop	ecx
		xor	eax, eax
		lea	edx, [ebp+var_C8]
		movsd
		push	4Eh
		mov	word ptr [ebp+var_C8], ax
		movsd
		movsd
		movsd
		lea	edi, [ebp+var_C0]
		xor	esi, esi
		rep stosd
		pop	eax
		mov	word ptr [ebp+var_C8+2], ax
		lea	ecx, [ebp+var_90]
		lea	eax, [ebp+var_70]
		push	esi
		mov	[ebp+var_C4], eax
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		test	eax, eax
		js	loc_5F82E6
		push	18h
		pop	eax
		push	esi
		mov	[ebp+var_C0], eax
		mov	eax, [ebp+var_A4]
		push	1
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_C8]
		push	esi
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_C0]
		push	esi
		push	eax
		push	6001Fh
		lea	eax, [ebp+var_98]
		mov	[ebp+var_B4], 240h
		push	eax
		mov	[ebp+var_B0], esi
		mov	[ebp+var_AC], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	edi, [ebp+var_94]
		test	eax, eax
		js	loc_5F82EC
		mov	[ebp+var_CC], esi
		mov	eax, edi
		mov	esi, [ebp+var_A8]
		mov	[ebp+var_9C], edi
		cmp	edi, ebx
		jnb	loc_5F82D9
		mov	edi, [ebp+var_CC]

loc_5F824A:				; CODE XREF: BapdpMarshallBootDataToRegistry+82BA1j
		xor	ecx, ecx
		mov	word ptr [ebp+var_78], cx
		push	18h
		pop	ecx
		mov	word ptr [ebp+var_78+2], cx
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_74], ecx
		mov	ecx, [esi+eax*4]
		test	ecx, ecx
		jz	short loc_5F82C4
		push	10h		; size_t
		lea	eax, [ebp+var_90]
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_5F82BE
		lea	ecx, [ebp+var_78]
		mov	eax, edi
		push	ecx
		push	0Ah
		push	eax
		inc	edi
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		test	eax, eax
		js	short loc_5F82BE
		mov	ecx, [ebp+var_9C]
		mov	ecx, [esi+ecx*4]
		push	dword ptr [ecx+24h]
		mov	eax, [ecx+28h]
		add	eax, ecx
		push	eax
		push	3
		push	0
		lea	eax, [ebp+var_78]
		push	eax
		push	[ebp+var_98]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	eax, [ebp+var_9C]
		and	dword ptr [esi+eax*4], 0
		jmp	short loc_5F82C4
; 

loc_5F82BE:				; CODE XREF: BapdpMarshallBootDataToRegistry+82B4Cj
					; BapdpMarshallBootDataToRegistry+82B5Fj
		mov	eax, [ebp+var_9C]

loc_5F82C4:				; CODE XREF: BapdpMarshallBootDataToRegistry+82B36j
					; BapdpMarshallBootDataToRegistry+82B90j
		inc	eax
		mov	[ebp+var_9C], eax
		cmp	eax, ebx
		jb	loc_5F824A
		mov	edi, [ebp+var_94]

loc_5F82D9:				; CODE XREF: BapdpMarshallBootDataToRegistry+82B12j
		push	[ebp+var_98]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_5F82F2
; 

loc_5F82E6:				; CODE XREF: BapdpMarshallBootDataToRegistry+82A94j
		mov	edi, [ebp+var_94]

loc_5F82EC:				; CODE XREF: BapdpMarshallBootDataToRegistry+82AF6j
		mov	esi, [ebp+var_A8]

loc_5F82F2:				; CODE XREF: BapdpMarshallBootDataToRegistry+82A45j
					; BapdpMarshallBootDataToRegistry+82BB8j
		inc	edi
		mov	[ebp+var_94], edi
		cmp	edi, ebx
		jb	loc_5F8165

loc_5F8301:				; CODE XREF: BapdpMarshallBootDataToRegistry+828ECj
					; BapdpMarshallBootDataToRegistry+82A26j ...
		cmp	[ebp+var_A0], 0
		jz	short loc_5F8315
		push	[ebp+var_A0]
		call	_ZwClose@4	; ZwClose(x)

loc_5F8315:				; CODE XREF: BapdpMarshallBootDataToRegistry+829B2j
					; BapdpMarshallBootDataToRegistry+82BDCj
		cmp	[ebp+var_A4], 0
		jz	short loc_5F8329
		push	[ebp+var_A4]
		call	_ZwClose@4	; ZwClose(x)

loc_5F8329:				; CODE XREF: BapdpMarshallBootDataToRegistry+82BF0j
		test	esi, esi
		jz	loc_5757B7
		push	64506142h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_5757B7
; END OF FUNCTION CHUNK	FOR BapdpMarshallBootDataToRegistry
; 
; START	OF FUNCTION CHUNK FOR PnpTraceStartDevice

loc_5F8341:				; CODE XREF: PnpTraceStartDevice+17j
		push	dword ptr [eax+0Ch]
		lea	edi, [eax+1Ch]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		movzx	esi, word ptr [eax+44h]
		movzx	eax, word ptr [eax+46h]
		shl	esi, 10h
		or	esi, eax
		jmp	loc_57580F
; END OF FUNCTION CHUNK	FOR PnpTraceStartDevice
; 
; START	OF FUNCTION CHUNK FOR PnpDiagnosticTraceDeviceOperation

loc_5F835E:				; CODE XREF: PnpDiagnosticTraceDeviceOperation+63j
		mov	ax, [edx]
		shr	ax, 1
		movzx	ecx, ax
		jmp	loc_575897
; END OF FUNCTION CHUNK	FOR PnpDiagnosticTraceDeviceOperation
; 
; START	OF FUNCTION CHUNK FOR PpvUtilCallAddDevice

loc_5F836C:				; CODE XREF: PpvUtilCallAddDevice+14j
		test	ds:_MmVerifierData, 200h
		jz	loc_575914
		push	[ebp+arg_4]
		push	ecx
		call	_VfDevObjPreAddDevice@16 ; VfDevObjPreAddDevice(x,x,x,x)
		push	ebx
		push	edi
		call	[ebp+arg_0]
		mov	esi, eax
		mov	edx, edi
		push	esi
		push	[ebp+arg_4]
		push	ecx
		mov	ecx, ebx
		call	_VfDevObjPostAddDevice@20 ; VfDevObjPostAddDevice(x,x,x,x,x)
		mov	eax, esi
		jmp	loc_575919
; END OF FUNCTION CHUNK	FOR PpvUtilCallAddDevice
; 
; START	OF FUNCTION CHUNK FOR PoFxStartDevicePowerManagement

loc_5F83A1:				; CODE XREF: PoFxStartDevicePowerManagement+21j
		mov	eax, [edi+28h]
		mov	[esp+18h+var_4], eax
		lea	eax, [esp+18h+var_4]
		push	eax
		push	12h
		call	dword ptr [ecx+40h]
		jmp	loc_57594D
; 

loc_5F83B7:				; CODE XREF: PoFxStartDevicePowerManagement+4Aj
		test	eax, eax
		jz	loc_5759AB
		mov	eax, ebx
		mov	[esp+18h+var_8], ebx
		mov	[esi+40h], ebx
		jmp	loc_575976
; 

loc_5F83CD:				; CODE XREF: PoFxStartDevicePowerManagement+F7j
		mov	esi, [esi+10h]
		xor	dl, dl
		push	ebx
		mov	ecx, esi
		call	PopFxActivateDevice
		mov	ecx, esi
		call	_PopFxIncrementDeviceSleepCount@4 ; PopFxIncrementDeviceSleepCount(x)
		jmp	loc_575A23
; END OF FUNCTION CHUNK	FOR PoFxStartDevicePowerManagement
; 
; START	OF FUNCTION CHUNK FOR PopPepDeviceStarted

loc_5F83E6:				; CODE XREF: PopPepDeviceStarted+4Aj
		mov	edx, ds:_PpmPlatformStates
		mov	ecx, edi
		mov	edx, [edx]
		call	_PopPepInitializeVetoMasks@8 ; PopPepInitializeVetoMasks(x,x)
		jmp	loc_575AA2
; END OF FUNCTION CHUNK	FOR PopPepDeviceStarted
; 
; START	OF FUNCTION CHUNK FOR PfFbBufferListAllocate

loc_5F83FA:				; CODE XREF: PfFbBufferListAllocate+1Fj
		mov	eax, 0C000012Dh
		jmp	short loc_5F8409
; 

loc_5F8401:				; CODE XREF: PfFbBufferListAllocate+44j
		mov	ecx, [ebp+var_8]
		mov	eax, 0C000009Ah

loc_5F8409:				; CODE XREF: PfFbBufferListAllocate+8292Fj
		neg	edi
		lock xadd [ecx], edi
		jmp	loc_575B6C
; END OF FUNCTION CHUNK	FOR PfFbBufferListAllocate
; 
; START	OF FUNCTION CHUNK FOR RtlIoEncodeMemIoResource

loc_5F8414:				; CODE XREF: RtlIoEncodeMemIoResource+A1j
		cmp	al, 7
		jz	loc_575B9F
		jmp	loc_575C37
; 

loc_5F8421:				; CODE XREF: RtlIoEncodeMemIoResource+6Aj
					; RtlIoEncodeMemIoResource+73j	...
		cmp	ebx, 0FFh
		ja	loc_5F84FF
		jb	short loc_5F843B
		cmp	edi, 0FFFFFF00h
		ja	loc_5F84FF

loc_5F843B:				; CODE XREF: RtlIoEncodeMemIoResource+828B5j
		and	[ebp+arg_0], 0
		mov	eax, ebx
		mov	[ebp+arg_4], edi
		shrd	[ebp+arg_4], eax, 8
		mov	eax, [ebp+arg_4]
		shld	[ebp+arg_0], eax, 8
		shl	eax, 8
		cmp	edi, eax
		jnz	loc_5F861D
		cmp	ebx, [ebp+arg_0]
		jnz	loc_5F861D
		cmp	edx, 0FFh
		ja	loc_5F861D
		jb	short loc_5F847F
		cmp	ecx, 0FFFFFF00h
		ja	loc_5F861D

loc_5F847F:				; CODE XREF: RtlIoEncodeMemIoResource+828F9j
		and	[ebp+arg_0], 0
		mov	edi, ecx
		mov	eax, edx
		shrd	edi, eax, 8
		mov	eax, [ebp+arg_24]
		movzx	ebx, ax
		mov	eax, edi
		shld	[ebp+arg_0], eax, 8
		shl	eax, 8
		cmp	ecx, eax
		jnz	short loc_5F84A4
		cmp	edx, [ebp+arg_0]
		jz	short loc_5F84DF

loc_5F84A4:				; CODE XREF: RtlIoEncodeMemIoResource+82925j
					; RtlIoEncodeMemIoResource+82960j ...
		mov	edi, ecx
		mov	eax, edx
		shld	edx, ecx, 1
		add	ecx, ecx
		cmp	edx, eax
		jb	loc_5F861D
		ja	short loc_5F84C0
		cmp	ecx, edi
		jb	loc_5F861D

loc_5F84C0:				; CODE XREF: RtlIoEncodeMemIoResource+8293Ej
		and	[ebp+arg_0], 0
		mov	edi, ecx
		mov	eax, edx
		shrd	edi, eax, 8
		mov	eax, edi
		shld	[ebp+arg_0], eax, 8
		shl	eax, 8
		cmp	ecx, eax
		jnz	short loc_5F84A4
		cmp	edx, [ebp+arg_0]
		jnz	short loc_5F84A4

loc_5F84DF:				; CODE XREF: RtlIoEncodeMemIoResource+8292Aj
		or	ebx, 200h
		jmp	short loc_5F84ED
; 

loc_5F84E7:				; CODE XREF: RtlIoEncodeMemIoResource+82A08j
					; RtlIoEncodeMemIoResource+82A45j
		or	ebx, 400h

loc_5F84ED:				; CODE XREF: RtlIoEncodeMemIoResource+8296Dj
		mov	eax, [ebp+arg_4]
		mov	[esi+0Ch], edi
		mov	[esi+8], eax
		mov	[esi+4], bx
		jmp	loc_5F8614
; 

loc_5F84FF:				; CODE XREF: RtlIoEncodeMemIoResource+828AFj
					; RtlIoEncodeMemIoResource+828BDj
		cmp	ebx, 0FFFFh
		ja	loc_5F85C2
		jb	short loc_5F8519
		cmp	edi, 0FFFF0000h
		ja	loc_5F85C2

loc_5F8519:				; CODE XREF: RtlIoEncodeMemIoResource+82993j
		and	[ebp+arg_0], 0
		mov	eax, ebx
		mov	[ebp+arg_4], edi
		shrd	[ebp+arg_4], eax, 10h
		mov	eax, [ebp+arg_4]
		shld	[ebp+arg_0], eax, 10h
		shl	eax, 10h
		cmp	edi, eax
		jnz	loc_5F861D
		cmp	ebx, [ebp+arg_0]
		jnz	loc_5F861D
		cmp	edx, 0FFFFh
		ja	loc_5F861D
		jb	short loc_5F855D
		cmp	ecx, 0FFFF0000h
		ja	loc_5F861D

loc_5F855D:				; CODE XREF: RtlIoEncodeMemIoResource+829D7j
		and	[ebp+arg_0], 0
		mov	edi, ecx
		mov	eax, edx
		shrd	edi, eax, 10h
		mov	eax, [ebp+arg_24]
		movzx	ebx, ax
		mov	eax, edi
		shld	[ebp+arg_0], eax, 10h
		shl	eax, 10h
		cmp	ecx, eax
		jnz	short loc_5F8586
		cmp	edx, [ebp+arg_0]
		jz	loc_5F84E7

loc_5F8586:				; CODE XREF: RtlIoEncodeMemIoResource+82A03j
					; RtlIoEncodeMemIoResource+82A3Ej ...
		mov	edi, ecx
		mov	eax, edx
		shld	edx, ecx, 1
		add	ecx, ecx
		cmp	edx, eax
		jb	loc_5F861D
		ja	short loc_5F859E
		cmp	ecx, edi
		jb	short loc_5F861D

loc_5F859E:				; CODE XREF: RtlIoEncodeMemIoResource+82A20j
		and	[ebp+arg_0], 0
		mov	edi, ecx
		mov	eax, edx
		shrd	edi, eax, 10h
		mov	eax, edi
		shld	[ebp+arg_0], eax, 10h
		shl	eax, 10h
		cmp	ecx, eax
		jnz	short loc_5F8586
		cmp	edx, [ebp+arg_0]
		jnz	short loc_5F8586
		jmp	loc_5F84E7
; 

loc_5F85C2:				; CODE XREF: RtlIoEncodeMemIoResource+8298Dj
					; RtlIoEncodeMemIoResource+8299Bj
		cmp	ebx, 0FFFFFFFFh
		ja	short loc_5F861D
		jb	short loc_5F85CD
		test	edi, edi
		jnz	short loc_5F861D

loc_5F85CD:				; CODE XREF: RtlIoEncodeMemIoResource+82A4Fj
		test	edi, edi
		jnz	short loc_5F861D
		cmp	edx, 0FFFFFFFFh
		ja	short loc_5F861D
		jb	short loc_5F85DC
		test	ecx, ecx
		jnz	short loc_5F861D

loc_5F85DC:				; CODE XREF: RtlIoEncodeMemIoResource+82A5Ej
		mov	edi, [ebp+arg_24]
		movzx	edi, di
		jmp	short loc_5F85FA
; 

loc_5F85E4:				; CODE XREF: RtlIoEncodeMemIoResource+82A86j
					; RtlIoEncodeMemIoResource+82A8Aj
		mov	[ebp+arg_4], ecx
		mov	eax, edx
		shld	edx, ecx, 1
		add	ecx, ecx
		cmp	edx, eax
		jb	short loc_5F861D
		ja	short loc_5F85FA
		cmp	ecx, [ebp+arg_4]
		jb	short loc_5F861D

loc_5F85FA:				; CODE XREF: RtlIoEncodeMemIoResource+82A6Aj
					; RtlIoEncodeMemIoResource+82A7Bj
		mov	eax, edx
		test	ecx, ecx
		jnz	short loc_5F85E4
		cmp	edx, eax
		jnz	short loc_5F85E4
		or	edi, 800h
		mov	[esi+8], ebx
		mov	[esi+0Ch], eax
		mov	[esi+4], di

loc_5F8614:				; CODE XREF: RtlIoEncodeMemIoResource+82982j
		mov	byte ptr [esi+1], 7
		jmp	loc_575C0E
; 

loc_5F861D:				; CODE XREF: RtlIoEncodeMemIoResource+828DEj
					; RtlIoEncodeMemIoResource+828E7j ...
		mov	eax, 0C0000001h
		jmp	loc_575C10
; END OF FUNCTION CHUNK	FOR RtlIoEncodeMemIoResource
; 
; START	OF FUNCTION CHUNK FOR PopCheckAndHandleThermalConditions

loc_5F8627:				; CODE XREF: PopCheckAndHandleThermalConditions+23j
		cmp	byte ptr [esi+27h], 0
		jnz	loc_575CC3
		mov	bl, 1
		call	_PopSqmThermalCriticalShutdown@4 ; PopSqmThermalCriticalShutdown(x)
		lea	ecx, [esi+50h]
		mov	edx, edi
		call	_PopDiagTraceZoneCriticalTripPointExceeded@8 ; PopDiagTraceZoneCriticalTripPointExceeded(x,x)
		mov	[esi+27h], bl
		jmp	loc_575CC3
; 

loc_5F864A:				; CODE XREF: PopCheckAndHandleThermalConditions+30j
		lea	ecx, [esi+50h]
		mov	edx, edi
		mov	bh, 1
		call	_PopDiagTraceZoneS4TripPointExceeded@8 ; PopDiagTraceZoneS4TripPointExceeded(x,x)
		mov	ecx, esi
		call	_PopSqmThermalHibernate@4 ; PopSqmThermalHibernate(x)

loc_5F865D:				; CODE XREF: PopCheckAndHandleThermalConditions+38j
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		test	bh, bh
		jz	short loc_5F86D0
		mov	ecx, offset _PopCapabilities
		call	_PopIsHibernateSupported@4 ; PopIsHibernateSupported(x)
		test	al, al
		jz	short loc_5F86CE
		mov	ecx, offset _PopSystemThermalInfo
		mov	ds:_PopThermalHibernateInitiated, 1
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		push	2
		pop	ecx
		call	PopThermalStandbyEndTracking
		mov	ecx, offset _PopSystemThermalInfo
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)
		xor	eax, eax
		mov	[ebp+var_C], 3
		mov	[ebp+var_4], eax
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_14], eax
		xor	edx, edx
		mov	[ebp+var_10], eax
		inc	eax
		push	eax
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_C]
		push	5
		push	eax
		mov	[ebp+var_8], 0C0000004h
		mov	[ebp+var_18], 80h
		call	PopExecutePowerAction
		jmp	short loc_5F86D0
; 

loc_5F86CE:				; CODE XREF: PopCheckAndHandleThermalConditions+829D8j
		mov	bl, 1

loc_5F86D0:				; CODE XREF: PopCheckAndHandleThermalConditions+829CAj
					; PopCheckAndHandleThermalConditions+82A32j
		test	bl, bl
		jz	loc_5F875E
		mov	edx, 6D546F50h
		mov	ecx, edi
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	edi, eax
		test	edi, edi
		jz	short loc_5F86F5
		mov	ecx, [edi+0B0h]
		mov	ecx, [ecx+14h]
		jmp	short loc_5F86F7
; 

loc_5F86F5:				; CODE XREF: PopCheckAndHandleThermalConditions+82A4Ej
		xor	ecx, ecx

loc_5F86F7:				; CODE XREF: PopCheckAndHandleThermalConditions+82A59j
		lea	eax, [ecx+48h]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		cmp	byte ptr [esi+0C4h], 0
		jnz	short loc_5F870E
		lea	edx, [esi+60h]
		jmp	short loc_5F8710
; 

loc_5F870E:				; CODE XREF: PopCheckAndHandleThermalConditions+82A6Dj
		xor	edx, edx

loc_5F8710:				; CODE XREF: PopCheckAndHandleThermalConditions+82A72j
		call	_PopThermalWriteShutdownToRegistry@8 ; PopThermalWriteShutdownToRegistry(x,x)
		test	edi, edi
		jz	short loc_5F8725
		mov	edx, 6D546F50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_5F8725:				; CODE XREF: PopCheckAndHandleThermalConditions+82A7Dj
		cmp	ds:_PopThermalCriticalShutdownInitiated, 0
		jnz	short loc_5F875E
		mov	edi, offset _PopSystemThermalInfo
		mov	ecx, edi
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		push	3
		pop	ecx
		call	PopThermalStandbyEndTracking
		mov	ecx, edi
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)
		cmp	ds:_PopThermalCriticalShutdownEnabled, 0
		mov	ds:_PopThermalCriticalShutdownInitiated, 1
		jz	short loc_5F875E
		call	_PopCriticalShutdown@4 ; PopCriticalShutdown(x)

loc_5F875E:				; CODE XREF: PopCheckAndHandleThermalConditions+82A38j
					; PopCheckAndHandleThermalConditions+82A92j ...
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		jmp	loc_575CD8
; 

loc_5F8768:				; CODE XREF: PopCheckAndHandleThermalConditions+4Bj
		mov	ecx, esi
		mov	[esi+29h], dl
		call	_PopUpdateOverThrottledCount@8 ; PopUpdateOverThrottledCount(x,x)
		jmp	loc_575CEB
; 

loc_5F8777:				; CODE XREF: PopCheckAndHandleThermalConditions+5Aj
		mov	ecx, [esi+18h]
		push	offset _POP_ETW_EVENT_THERMAL_ZONE_THERMAL_STANDBY_UPDATE
		movzx	edx, al
		call	_PopDiagTraceThermalStateChange@12 ; PopDiagTraceThermalStateChange(x,x,x)
		mov	edi, offset _PopSystemThermalInfo
		mov	ecx, edi
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		mov	al, [esi+0B3h]
		mov	[esi+28h], al
		test	al, al
		jz	short loc_5F87D6
		mov	eax, ds:dword_6C1F8C
		inc	eax
		mov	ds:dword_6C1F8C, eax
		cmp	eax, 1
		jnz	short loc_5F87C7
		mov	ecx, ds:dword_6C1F90
		inc	ecx
		mov	ds:byte_6C1F94,	al
		mov	ds:dword_6C1F90, ecx
		call	_PopTraceCr3Tripped@4 ;	PopTraceCr3Tripped(x)

loc_5F87C7:				; CODE XREF: PopCheckAndHandleThermalConditions+82B14j
		mov	ecx, ds:dword_6C1F90
		mov	edx, esi
		call	_PopTraceZoneCr3Tripped@8 ; PopTraceZoneCr3Tripped(x,x)
		jmp	short loc_5F87E9
; 

loc_5F87D6:				; CODE XREF: PopCheckAndHandleThermalConditions+82B04j
		mov	ecx, ds:dword_6C1F90
		mov	edx, esi
		call	_PopTraceZoneCr3Mitigated@8 ; PopTraceZoneCr3Mitigated(x,x)
		dec	ds:dword_6C1F8C

loc_5F87E9:				; CODE XREF: PopCheckAndHandleThermalConditions+82B3Aj
		cmp	ds:dword_6C1F8C, 0
		jbe	short loc_5F8828
		mov	bl, 1

loc_5F87F4:				; CODE XREF: PopCheckAndHandleThermalConditions+82BA8j
		test	bh, bh
		jnz	short loc_5F881C
		test	bl, bl
		jz	short loc_5F881C
		cmp	byte ptr ds:word_6C1F88, bh
		jz	short loc_5F881C
		cmp	byte ptr ds:word_6C1F88+1, bh
		jnz	short loc_5F881C
		mov	cl, 1
		call	_PopThermalStandbyNotify@4 ; PopThermalStandbyNotify(x)
		mov	ds:word_6C1F88,	100h

loc_5F881C:				; CODE XREF: PopCheckAndHandleThermalConditions+82B5Cj
					; PopCheckAndHandleThermalConditions+82B60j ...
		mov	ecx, edi
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)
		jmp	loc_575CFA
; 

loc_5F8828:				; CODE XREF: PopCheckAndHandleThermalConditions+82B56j
		xor	ecx, ecx
		xor	bl, bl
		call	PopThermalStandbyEndTracking
		mov	ecx, ds:dword_6C1F90
		call	_PopTraceCr3Mitigated@4	; PopTraceCr3Mitigated(x)
		cmp	byte ptr ds:word_6C1F88+1, bl
		jz	short loc_5F87F4
		xor	cl, cl
		call	_PopThermalStandbyNotify@4 ; PopThermalStandbyNotify(x)
		mov	byte ptr ds:word_6C1F88+1, bl
		jmp	short loc_5F881C
; END OF FUNCTION CHUNK	FOR PopCheckAndHandleThermalConditions
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceThermalZoneEnumeration

loc_5F8853:				; CODE XREF: PopDiagTraceThermalZoneEnumeration+51j
		mov	edx, 67446F50h
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	edi, eax
		mov	[ebp+var_1E0], edi
		test	edi, edi
		jz	short loc_5F8874
		mov	ecx, [edi+0B0h]
		mov	eax, [ecx+14h]
		jmp	short loc_5F8876
; 

loc_5F8874:				; CODE XREF: PopDiagTraceThermalZoneEnumeration+82B67j
		xor	eax, eax

loc_5F8876:				; CODE XREF: PopDiagTraceThermalZoneEnumeration+82B72j
		test	eax, eax
		jz	loc_5F8B1E
		add	eax, 48h
		xor	edx, edx
		mov	[ebp+var_1D0], eax
		push	0Ah
		mov	ax, [eax]
		shr	ax, 1
		movzx	ecx, ax
		movzx	eax, ax
		mov	[ebp+var_1C8], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_1C4], ecx
		pop	ecx
		div	ecx
		xor	edx, edx
		mov	[ebp+var_1D4], ecx
		mov	[ebp+var_1C0], eax
		mov	eax, [esi+1Ch]
		div	ecx
		xor	edx, edx
		mov	[ebp+var_1BC], eax
		mov	eax, [esi+4Ch]
		div	ecx
		xor	edx, edx
		mov	[ebp+var_1B8], eax
		mov	eax, [esi+18h]
		div	ecx
		push	offset _POP_ETW_EVENT_THERMAL_ZONE_ENUMERATED
		push	ds:dword_6C1D74
		mov	[ebp+var_1E4], eax
		push	ds:_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_5F8ADA
		xor	ecx, ecx
		mov	[ebp+var_184], 2
		lea	eax, [ebp+var_1C8]
		mov	[ebp+var_188], ecx
		mov	[ebp+var_18C], eax
		lea	edi, [ebp+var_1B4]
		mov	eax, [ebp+var_1D0]
		mov	ebx, ecx
		mov	[ebp+var_180], ecx
		push	4
		pop	edx
		mov	eax, [eax+4]
		mov	[ebp+var_17C], eax
		mov	eax, [ebp+var_1C4]
		movzx	eax, ax
		add	eax, eax
		mov	[ebp+var_178], ecx
		mov	[ebp+var_174], eax
		lea	eax, [ebp+var_1C0]
		mov	[ebp+var_16C], eax
		lea	eax, [esi+4]
		mov	[ebp+var_15C], eax
		lea	eax, [esi+8]
		mov	[ebp+var_14C], eax
		lea	eax, [esi+0Ch]
		mov	[ebp+var_13C], eax
		lea	eax, [esi+24h]
		mov	[ebp+var_170], ecx
		mov	esi, eax
		mov	[ebp+var_168], ecx
		mov	[ebp+var_160], ecx
		mov	[ebp+var_158], ecx
		mov	[ebp+var_150], ecx
		mov	[ebp+var_148], ecx
		mov	[ebp+var_140], ecx
		mov	[ebp+var_138], ecx
		mov	[ebp+var_130], ecx
		lea	ecx, [ebp+var_120]
		mov	[ebp+var_164], edx
		mov	[ebp+var_154], edx
		mov	[ebp+var_144], edx
		mov	[ebp+var_134], edx

loc_5F89CF:				; CODE XREF: PopDiagTraceThermalZoneEnumeration+82D01j
		mov	eax, [esi]
		xor	edx, edx
		div	[ebp+var_1D4]
		push	4
		mov	[edi], eax
		xor	edx, edx
		lea	eax, [ebp+var_1B4]
		mov	[ecx-8], edx
		lea	eax, [eax+ebx*4]
		mov	[ecx], edx
		mov	[ecx-0Ch], eax
		lea	ecx, [ecx+10h]
		pop	eax
		add	esi, eax
		mov	[ecx-14h], eax
		add	edi, eax
		inc	ebx
		push	0Ah
		pop	eax
		cmp	ebx, eax
		jb	short loc_5F89CF
		mov	esi, [ebp+var_1D8]
		lea	eax, [ebp+var_1BC]
		mov	ebx, [ebp+var_1DC]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_1B8]
		mov	[ebp+var_7C], eax
		lea	eax, [esi+50h]
		mov	[ebp+var_88], edx
		movzx	ecx, word ptr [ebx]
		mov	[ebp+var_6C], eax
		lea	eax, [esi+18h]
		mov	[ebp+var_5C], eax
		lea	eax, [esi+54h]
		mov	[ebp+var_4C], eax
		mov	ax, cx
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_1CC], eax
		lea	eax, [ebp+var_1CC]
		mov	[ebp+var_3C], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_2C], eax
		mov	eax, ecx
		push	4
		pop	edi
		mov	[ebp+var_24], eax
		lea	eax, [esi+58h]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_18C]
		push	eax
		push	18h
		push	edx
		push	offset _POP_ETW_EVENT_THERMAL_ZONE_ENUMERATED
		push	ds:dword_6C1D74
		mov	[ebp+var_84], edi
		push	ds:_PopDiagHandle
		mov	[ebp+var_80], edx
		mov	[ebp+var_78], edx
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], edx
		mov	[ebp+var_68], edx
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], 2
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	edi, [ebp+var_1E0]

loc_5F8ADA:				; CODE XREF: PopDiagTraceThermalZoneEnumeration+82BF4j
		push	dword ptr [esi+58h]
		mov	eax, [esi+28h]
		xor	edx, edx
		push	[ebp+var_1E4]
		push	[ebp+var_1B8]
		push	[ebp+var_1BC]
		push	0Ah
		pop	ecx
		div	ecx
		xor	edx, edx
		push	eax
		mov	eax, [esi+24h]
		div	ecx
		mov	ecx, [ebp+var_1D0]
		mov	edx, ebx
		push	eax
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	[ebp+var_1C0]
		call	_PopSqmThermalZoneEnumeration@48 ; PopSqmThermalZoneEnumeration(x,x,x,x,x,x,x,x,x,x,x,x)

loc_5F8B1E:				; CODE XREF: PopDiagTraceThermalZoneEnumeration+82B78j
		test	edi, edi
		jz	loc_575D57
		mov	edx, 67446F50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		jmp	loc_575D57
; END OF FUNCTION CHUNK	FOR PopDiagTraceThermalZoneEnumeration
; 
; START	OF FUNCTION CHUNK FOR EmpEvaluateUpdateRuleEvalState

loc_5F8B37:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+77j
					; EmpEvaluateUpdateRuleEvalState+82E1Aj
		mov	eax, [ecx+edx*4]
		add	eax, 24h
		mov	ebx, [eax]
		cmp	ebx, eax
		mov	[ebp+var_8], ebx
		mov	ebx, [ebp+var_14]
		jz	short loc_5F8B72
		mov	edi, [ebp+var_10]
		mov	ebx, [ebp+var_8]

loc_5F8B4F:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+82E00j
		mov	eax, [esi+2Ch]
		push	dword ptr [ebx-4]
		push	dword ptr [eax+edi*4]
		call	dword ptr [ebx-8]
		mov	ecx, [esi+2Ch]
		mov	ebx, [ebx]
		mov	eax, [ecx+edi*4]
		add	eax, 24h
		cmp	ebx, eax
		jnz	short loc_5F8B4F
		mov	ebx, [ebp+var_14]
		xor	edi, edi
		mov	edx, [ebp+var_10]

loc_5F8B72:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+82DDFj
		mov	eax, [ecx+edx*4]
		add	eax, 1Ch
		cmp	[eax], eax
		jz	short loc_5F8BDA
		inc	edx
		mov	[ebp+var_10], edx
		cmp	edx, ebx
		jb	short loc_5F8B37
		push	76654D45h
		mov	eax, ebx
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	loc_575DC9
		test	ebx, ebx
		jz	loc_575D99
		mov	edx, edi
		cmp	[esi+28h], edi
		jbe	loc_575D99
		mov	ecx, [ebp+var_C]

loc_5F8BB9:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+82E6Ej
		mov	eax, [esi+2Ch]
		mov	eax, [eax+edx*4]
		mov	[ebp+var_14], eax
		cmp	eax, ecx
		jz	short loc_5F8BD2
		mov	ecx, [ebp+var_14]
		mov	eax, [eax+1Ch]
		mov	[ecx+18h], eax
		mov	ecx, [ebp+var_C]

loc_5F8BD2:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+82E5Cj
		inc	edx
		cmp	edx, [esi+28h]
		jb	short loc_5F8BB9
		jmp	short loc_5F8BE5
; 

loc_5F8BDA:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+82E12j
		mov	[esi+10h], edi
		jmp	loc_575DC9
; 

loc_5F8BE2:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+82EDFj
		mov	[edx+18h], eax

loc_5F8BE5:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+82E70j
					; EmpEvaluateUpdateRuleEvalState+82EF0j
		mov	ecx, [ebp+var_8]
		jmp	loc_575D99
; 

loc_5F8BED:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+35j
					; EmpEvaluateUpdateRuleEvalState+82E97j
		mov	eax, [esi+2Ch]
		mov	eax, [eax+edx*4]
		mov	eax, [eax+18h]
		sub	eax, 8
		mov	[ecx+edx*4], eax
		inc	edx
		cmp	edx, ebx
		jb	short loc_5F8BED
		jmp	loc_575DA3
; 

loc_5F8C06:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+4Dj
		mov	eax, [esi+2Ch]
		lea	ecx, [ebx-1]
		mov	edx, [eax+ecx*4]
		mov	[ebp+var_14], edx
		test	ecx, ecx
		jnz	short loc_5F8C1A
		mov	al, 1
		jmp	short loc_5F8C2A
; 

loc_5F8C1A:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+82EACj
		push	edi
		push	[ebp+var_C]
		mov	edx, ecx
		mov	ecx, esi
		call	EmpEvaluatePermuteRuleEntries
		mov	edx, [ebp+var_14]

loc_5F8C2A:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+82EB0j
		mov	[ebp+var_1], al
		cmp	edx, [ebp+var_C]
		jz	short loc_5F8C4E
		mov	ecx, [ebp+var_8]
		test	al, al
		jz	loc_575D99
		mov	eax, [edx+18h]
		lea	ecx, [edx+1Ch]
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	short loc_5F8BE2
		mov	eax, [ecx]
		mov	[edx+18h], eax

loc_5F8C4E:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+82EC8j
		cmp	[ebp+var_1], 0
		jnz	loc_575DBB
		jmp	short loc_5F8BE5
; 

loc_5F8C5A:				; CODE XREF: EmpEvaluateUpdateRuleEvalState+5Bj
		push	76654D45h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_575DC9
; END OF FUNCTION CHUNK	FOR EmpEvaluateUpdateRuleEvalState
; 
; START	OF FUNCTION CHUNK FOR EmpEvaluatePermuteRuleEntries

loc_5F8C6A:				; CODE XREF: EmpEvaluatePermuteRuleEntries+Cj
		xor	ebx, ebx
		cmp	[ebp+arg_4], bl
		jz	short loc_5F8C98
		mov	ecx, ebx
		cmp	[edi+28h], ebx
		jbe	loc_575DF8

loc_5F8C7C:				; CODE XREF: EmpEvaluatePermuteRuleEntries+82EADj
		mov	eax, [edi+2Ch]
		mov	edx, [eax+ecx*4]
		cmp	edx, [ebp+arg_0]
		jz	short loc_5F8C8D
		mov	eax, [edx+1Ch]
		mov	[edx+18h], eax

loc_5F8C8D:				; CODE XREF: EmpEvaluatePermuteRuleEntries+82EA1j
		inc	ecx
		cmp	ecx, [edi+28h]
		jb	short loc_5F8C7C
		jmp	loc_575DF8
; 

loc_5F8C98:				; CODE XREF: EmpEvaluatePermuteRuleEntries+82E8Bj
		mov	eax, [edi+2Ch]
		sub	edx, 1
		mov	esi, [eax+edx*4]
		jnz	short loc_5F8CA7
		mov	cl, 1
		jmp	short loc_5F8CB2
; 

loc_5F8CA7:				; CODE XREF: EmpEvaluatePermuteRuleEntries+82EBDj
		push	ebx
		push	[ebp+arg_0]
		call	EmpEvaluatePermuteRuleEntries
		mov	cl, al

loc_5F8CB2:				; CODE XREF: EmpEvaluatePermuteRuleEntries+82EC1j
		cmp	esi, [ebp+arg_0]
		jz	short loc_5F8CD0
		test	cl, cl
		jz	loc_575DF8
		mov	eax, [esi+18h]
		lea	edx, [esi+1Ch]
		mov	eax, [eax]
		cmp	eax, edx
		jnz	short loc_5F8CDD
		mov	eax, [edx]
		mov	[esi+18h], eax

loc_5F8CD0:				; CODE XREF: EmpEvaluatePermuteRuleEntries+82ED1j
		test	cl, cl
		jz	loc_575DF8
		jmp	loc_575DF6
; 

loc_5F8CDD:				; CODE XREF: EmpEvaluatePermuteRuleEntries+82EE5j
		mov	[esi+18h], eax
		jmp	loc_575DF8
; END OF FUNCTION CHUNK	FOR EmpEvaluatePermuteRuleEntries
; 
; START	OF FUNCTION CHUNK FOR AdtpNormalizeAuditInfoHelper

loc_5F8CE5:				; CODE XREF: AdtpNormalizeAuditInfoHelper+14j
		test	edx, edx
		jz	loc_576D82
		test	byte ptr [edx+18h], 1
		jz	loc_576D82
		mov	ebx, [edx+0Ch]
		lea	ecx, [edx+2Ch]
		jmp	loc_576D43
; 

loc_5F8D02:				; CODE XREF: AdtpNormalizeAuditInfoHelper+46j
					; DATA XREF: .text:00576D8Co
		add	[ecx], edx
		mov	eax, [ecx]
		mov	edi, [eax]
		test	edi, edi
		jz	short loc_5F8D7C
		add	[eax+4], edx
		mov	esi, [eax+4]
		and	[ebp+var_10], 0
		mov	[ebp+var_C], esi
		mov	esi, [ebp+var_8]
		test	edi, edi
		jz	loc_576D79
		mov	edi, [ebp+var_C]
		mov	esi, [ebp+var_10]
		add	edi, 8

loc_5F8D2D:				; CODE XREF: AdtpNormalizeAuditInfoHelper+82021j
		add	[edi], edx
		inc	esi
		lea	edi, [edi+0Ch]
		cmp	esi, [eax]
		jb	short loc_5F8D2D
		mov	esi, [ebp+var_8]
		jmp	loc_576D79
; 

loc_5F8D3F:				; CODE XREF: AdtpNormalizeAuditInfoHelper+46j
					; DATA XREF: .text:00576D90o
		add	[ecx], esi
		mov	eax, [ecx]
		mov	edi, [eax]
		test	edi, edi
		jz	short loc_5F8D7C
		add	[eax+4], esi
		mov	edx, [eax+4]
		and	[ebp+var_C], 0
		mov	[ebp+var_10], edx
		mov	edx, [ebp+var_4]
		test	edi, edi
		jz	loc_576D79
		mov	edi, [ebp+var_10]
		mov	edx, [ebp+var_C]
		add	edi, 4

loc_5F8D6A:				; CODE XREF: AdtpNormalizeAuditInfoHelper+8205Ej
		add	[edi], esi
		inc	edx
		lea	edi, [edi+8]
		cmp	edx, [eax]
		jb	short loc_5F8D6A
		mov	edx, [ebp+var_4]
		jmp	loc_576D79
; 

loc_5F8D7C:				; CODE XREF: AdtpNormalizeAuditInfoHelper+81FF6j
					; AdtpNormalizeAuditInfoHelper+82033j
		and	dword ptr [eax+4], 0
		jmp	loc_576D79
; END OF FUNCTION CHUNK	FOR AdtpNormalizeAuditInfoHelper
; 
; START	OF FUNCTION CHUNK FOR McGenControlCallbackV2

loc_5F8D85:				; CODE XREF: McGenControlCallbackV2+65j
		test	cl, cl
		jnz	loc_576EB7
		jmp	loc_576E25
; 

loc_5F8D92:				; CODE XREF: McGenControlCallbackV2+1Ej
		movzx	eax, word ptr [esi+2Ah]
		mov	[esi+24h], ecx
		mov	[esi+28h], cl
		mov	[esi+10h], ecx
		mov	[esi+14h], ecx
		mov	[esi+18h], ecx
		mov	[esi+1Ch], ecx
		test	ax, ax
		jz	loc_576EAE
		dec	eax
		push	20h
		pop	ecx
		cdq
		idiv	ecx
		lea	eax, ds:4[eax*4]
		push	eax		; size_t
		push	0		; int
		push	dword ptr [esi+2Ch] ; void *
		call	_memset
		add	esp, 0Ch

loc_5F8DCD:				; CODE XREF: McGenControlCallbackV2+27j
		cmp	[ebp+arg_4], 1
		jnz	loc_576EAE
		jmp	loc_576E87
; 

loc_5F8DDC:				; CODE XREF: McGenControlCallbackV2+E7j
		test	ds:_Microsoft_Windows_Storage_Tiering_IoHeatEnableBits,	1
		jz	short loc_5F8DF3
		push	dword ptr [esi+1Ch]
		lea	eax, [esi+0Ch]
		push	eax
		push	0
		call	_McTemplateK0jq_EtwWriteTransfer@20 ; McTemplateK0jq_EtwWriteTransfer(x,x,x,x,x)

loc_5F8DF3:				; CODE XREF: McGenControlCallbackV2+82029j
		mov	esi, [esi]
		jmp	loc_576E9F
; END OF FUNCTION CHUNK	FOR McGenControlCallbackV2
; 
; START	OF FUNCTION CHUNK FOR KiUpdateThreadCpuSetAffinitiesFromDpcLevel

loc_5F8DFA:				; CODE XREF: KiUpdateThreadCpuSetAffinitiesFromDpcLevel+1Aj
					; KiUpdateThreadCpuSetAffinitiesFromDpcLevel+81E38j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_5F8DFA
		jmp	loc_576FE3
; 

loc_5F8E0D:				; CODE XREF: KiUpdateThreadCpuSetAffinitiesFromDpcLevel+4Aj
		push	eax
		push	[ebp+var_8]
		mov	edx, 546h
		mov	ecx, esi
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)
		jmp	loc_57701E
; 

loc_5F8E22:				; CODE XREF: KiUpdateThreadCpuSetAffinitiesFromDpcLevel+52j
		movzx	eax, large byte	ptr fs:51h
		mov	ecx, [edi+3CCh]
		cmp	eax, ecx
		jz	loc_577026
		mov	dl, 2
		call	_KiSendSoftwareInterrupt@8 ; KiSendSoftwareInterrupt(x,x)
		jmp	loc_577026
; END OF FUNCTION CHUNK	FOR KiUpdateThreadCpuSetAffinitiesFromDpcLevel
; 
; START	OF FUNCTION CHUNK FOR IoAllocateDriverObjectExtension

loc_5F8E44:				; CODE XREF: IoAllocateDriverObjectExtension+6Dj
					; IoAllocateDriverObjectExtension+81C51j
		cmp	[ecx+4], edi
		jz	short loc_5F8E4F
		mov	ecx, [ecx]
		test	ecx, ecx
		jnz	short loc_5F8E44

loc_5F8E4F:				; CODE XREF: IoAllocateDriverObjectExtension+81C4Bj
		test	ecx, ecx
		jnz	loc_57727D
		jmp	loc_57726F
; 

loc_5F8E5C:				; CODE XREF: IoAllocateDriverObjectExtension+94j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5772B3
; 

loc_5F8E6B:				; CODE XREF: IoAllocateDriverObjectExtension+B1j
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_5F8E72:				; CODE XREF: IoAllocateDriverObjectExtension+9Ej
		mov	ecx, [ebp+arg_8]
		add	eax, 4
		mov	dword ptr [edi], 0
		lock xor [eax],	ecx
		jmp	loc_5772B3
; 

loc_5F8E86:				; CODE XREF: IoAllocateDriverObjectExtension+C4j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C0000035h
		jmp	loc_5772CD
; 

loc_5F8E98:				; CODE XREF: IoAllocateDriverObjectExtension+19j
					; IoAllocateDriverObjectExtension+36j
		mov	eax, 0C000009Ah
		jmp	loc_5772CD
; END OF FUNCTION CHUNK	FOR IoAllocateDriverObjectExtension
; 
; START	OF FUNCTION CHUNK FOR PipUpdateDeviceProducts

loc_5F8EA2:				; CODE XREF: PipUpdateDeviceProducts+27Ej
		test	esi, esi
		jz	short loc_5F8EB0
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi

loc_5F8EB0:				; CODE XREF: PipUpdateDeviceProducts+81BD0j
		mov	edx, [esp+0A8h+var_90]
		lea	eax, [esp+0A8h+var_98]
		and	[esp+0A8h+var_98], 0
		push	eax
		push	esi
		lea	eax, [esp+0B0h+var_78]
		push	eax
		push	offset ??_C@_1BA@LIACFDLB@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@FNODOBFM@
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_5F8F09
		mov	edi, [esp+0A8h+var_98]
		push	6E697050h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_5F8F36
		mov	edx, [esp+0A8h+var_90]
		lea	eax, [esp+0A8h+var_98]
		push	eax
		push	esi
		lea	eax, [esp+0B0h+var_78]
		push	eax
		push	offset ??_C@_1BA@LIACFDLB@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@FNODOBFM@
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		mov	edi, [esp+0A8h+var_80]

loc_5F8F09:				; CODE XREF: PipUpdateDeviceProducts+81BFFj
		cmp	eax, 0C0000034h
		jz	loc_577558
		mov	edi, [esp+0A8h+var_98]
		test	eax, eax
		js	short loc_5F8F28
		cmp	[esp+0A8h+var_78], 1
		jnz	short loc_5F8F28
		cmp	edi, 2
		jnb	short loc_5F8F36

loc_5F8F28:				; CODE XREF: PipUpdateDeviceProducts+81C46j
					; PipUpdateDeviceProducts+81C4Dj
		test	esi, esi
		jz	short loc_5F8F36
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi

loc_5F8F36:				; CODE XREF: PipUpdateDeviceProducts+81C16j
					; PipUpdateDeviceProducts+81C52j ...
		mov	edx, [esp+0A8h+var_90]
		lea	eax, [esp+0A8h+var_60]
		push	8
		push	eax
		push	3
		push	offset ??_C@_1CC@IAPJKJMA@?$AAD?$AAe?$AAa?$AAc?$AAt?$AAi?$AAv?$AAa?$AAt?$AAi?$AAo?$AAn?$AAT?$AAi?$AAm@FNODOBFM@
		call	__PnpCtxRegSetValue@24 ; _PnpCtxRegSetValue(x,x,x,x,x,x)
		test	esi, esi
		jz	short loc_5F8F63
		mov	edx, [esp+0A8h+var_90]
		push	edi
		push	esi
		push	1
		push	offset ??_C@_1CI@GCBCBALN@?$AAD?$AAe?$AAa?$AAc?$AAt?$AAi?$AAv?$AAa?$AAt?$AAi?$AAo?$AAn?$AAV?$AAe?$AAr@FNODOBFM@
		call	__PnpCtxRegSetValue@24 ; _PnpCtxRegSetValue(x,x,x,x,x,x)

loc_5F8F63:				; CODE XREF: PipUpdateDeviceProducts+81C7Bj
		mov	edx, [esp+0A8h+var_90]
		push	offset ??_C@_1BA@LIACFDLB@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@FNODOBFM@
		call	__PnpCtxRegDeleteValue@12 ; _PnpCtxRegDeleteValue(x,x,x)
		mov	edi, [esp+0A8h+var_80]
		jmp	loc_577558
; 

loc_5F8F7A:				; CODE XREF: PipUpdateDeviceProducts+35Dj
		mov	edx, [esp+0A8h+var_8C]
		lea	eax, [esp+0A8h+var_60]
		push	8
		push	eax
		push	3
		push	offset ??_C@_1BK@KBOGDDLN@?$AAC?$AAr?$AAe?$AAa?$AAt?$AAi?$AAo?$AAn?$AAT?$AAi?$AAm?$AAe@FNODOBFM@
		call	__PnpCtxRegSetValue@24 ; _PnpCtxRegSetValue(x,x,x,x,x,x)
		jmp	loc_577637
; 

loc_5F8F96:				; CODE XREF: PipUpdateDeviceProducts+383j
		mov	edx, [esp+0A8h+var_8C]
		push	10h
		push	offset ??_C@_1BA@OJFOBGOM@?$AA0?$AA?4?$AA0?$AA?4?$AA0?$AA?4?$AA0@FNODOBFM@
		push	1
		push	offset ??_C@_1BA@LIACFDLB@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@FNODOBFM@
		call	__PnpCtxRegSetValue@24 ; _PnpCtxRegSetValue(x,x,x,x,x,x)
		test	eax, eax
		js	loc_57765D
		mov	edx, [esp+0A8h+var_8C]
		lea	eax, [esp+0A8h+var_60]
		push	8
		push	eax
		push	3
		push	offset ??_C@_1BO@OLACNIPJ@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAa?$AAt?$AAi?$AAo?$AAn?$AAT?$AAi?$AAm?$AAe@FNODOBFM@
		call	__PnpCtxRegSetValue@24 ; _PnpCtxRegSetValue(x,x,x,x,x,x)
		mov	edx, [esp+0A8h+var_8C]
		push	0Eh
		push	offset ??_C@_1O@FAMJMIMO@?$AAS?$AAM?$AAB?$AAI?$AAO?$AAS@FNODOBFM@
		push	1
		push	offset ??_C@_1O@FDGFDJPD@?$AAS?$AAo?$AAu?$AAr?$AAc?$AAe@FNODOBFM@
		call	__PnpCtxRegSetValue@24 ; _PnpCtxRegSetValue(x,x,x,x,x,x)
		jmp	loc_57765D
; 

loc_5F8FE8:				; CODE XREF: PipUpdateDeviceProducts+FEj
					; PipUpdateDeviceProducts+121j	...
		mov	edi, esi
		jmp	loc_577672
; 

loc_5F8FEF:				; CODE XREF: PipUpdateDeviceProducts+8Fj
					; PipUpdateDeviceProducts+B5j ...
		mov	edi, ebx
		jmp	loc_577672
; 

loc_5F8FF6:				; CODE XREF: PipUpdateDeviceProducts+3F0j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_5776CA
; END OF FUNCTION CHUNK	FOR PipUpdateDeviceProducts
; 
; START	OF FUNCTION CHUNK FOR PpmInitIllegalThrottleLogging

loc_5F9003:				; CODE XREF: PpmInitIllegalThrottleLogging+69j
		cmp	[ebp+var_14], 4
		jnz	loc_5777CB
		cmp	[ebp+var_10], 4
		jnz	loc_5777CB
		mov	eax, [ebp+var_C]
		mov	ecx, 2710h
		mov	ds:_PopProcessorThrottleLogInterval, eax
		cmp	eax, ecx
		jbe	loc_5777CB
		mov	ds:_PopProcessorThrottleLogInterval, ecx
		jmp	loc_5777CB
; END OF FUNCTION CHUNK	FOR PpmInitIllegalThrottleLogging
; 
; START	OF FUNCTION CHUNK FOR MiInsertViewOfPhysicalSection

loc_5F9037:				; CODE XREF: MiInsertViewOfPhysicalSection+BFj
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	loc_577A25
; 

loc_5F9045:				; CODE XREF: MiInsertViewOfPhysicalSection+286j
					; MiInsertViewOfPhysicalSection+295j ...
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+var_10]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	ecx, esi
		xor	edi, edi
		call	MiLockWorkingSetShared
		jmp	loc_577A88
; 

loc_5F9066:				; CODE XREF: MiInsertViewOfPhysicalSection+327j
		mov	eax, [ebp+var_C]
		push	0
		push	[ebp+var_1C]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F907A:				; CODE XREF: MiInsertViewOfPhysicalSection+1EEj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_10]
		jmp	loc_5779E4
; 

loc_5F9091:				; CODE XREF: MiInsertViewOfPhysicalSection+2EAj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_577AD0
; 

loc_5F90A0:				; CODE XREF: MiInsertViewOfPhysicalSection+314j
		push	[ebp+var_30]
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_5779FB
; END OF FUNCTION CHUNK	FOR MiInsertViewOfPhysicalSection
; 
; START	OF FUNCTION CHUNK FOR EmpRuleUpdateWorkerThread

loc_5F90B2:				; CODE XREF: EmpRuleUpdateWorkerThread+4Cj
		test	al, 4
		jnz	loc_577B8C
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_577B8C
; 

loc_5F90C6:				; CODE XREF: EmpRuleUpdateWorkerThread+126j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_1C]
		jmp	loc_577C6C
; 

loc_5F90D7:				; CODE XREF: EmpRuleUpdateWorkerThread+470j
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	loc_577FB0
; 

loc_5F90EC:				; CODE XREF: EmpRuleUpdateWorkerThread+49Aj
		push	[ebp+var_1C]
		mov	edx, offset _EmpEvaluationQueueLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_577C83
; 

loc_5F9100:				; CODE XREF: EmpRuleUpdateWorkerThread+198j
		test	al, 4
		jnz	loc_577CD8
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_577CD8
; 

loc_5F9114:				; CODE XREF: EmpRuleUpdateWorkerThread+276j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_18]
		jmp	loc_577DBC
; 

loc_5F9125:				; CODE XREF: EmpRuleUpdateWorkerThread+4B4j
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	loc_577FF4
; 

loc_5F913A:				; CODE XREF: EmpRuleUpdateWorkerThread+4DEj
		push	[ebp+var_1C]
		mov	edx, offset _EmpDatabaseLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_577DD3
; 

loc_5F914E:				; CODE XREF: EmpRuleUpdateWorkerThread+535j
		push	0
		push	[ebp+var_14]
		push	offset _EmpEvaluationQueueLock
		jmp	short loc_5F9165
; 

loc_5F915A:				; CODE XREF: EmpRuleUpdateWorkerThread+589j
		push	0
		push	[ebp+var_8]
		mov	eax, offset _EmpEvaluationQueueLock
		push	eax

loc_5F9165:				; CODE XREF: EmpRuleUpdateWorkerThread+8161Ej
					; EmpRuleUpdateWorkerThread+81640j
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F9170:				; CODE XREF: EmpRuleUpdateWorkerThread+55Fj
		push	0
		push	[ebp+var_14]
		push	offset _EmpDatabaseLock
		jmp	short loc_5F9165
; 

loc_5F917C:				; CODE XREF: EmpRuleUpdateWorkerThread+318j
		test	al, 4
		jnz	loc_577E58
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_577E58
; 

loc_5F9190:				; CODE XREF: EmpRuleUpdateWorkerThread+3F1j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_1C]
		jmp	loc_577F37
; 

loc_5F91A1:				; CODE XREF: EmpRuleUpdateWorkerThread+4F8j
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	loc_578038
; 

loc_5F91B6:				; CODE XREF: EmpRuleUpdateWorkerThread+522j
		push	[ebp+var_20]
		mov	edx, offset _EmpEvaluationQueueLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_577F4E
; END OF FUNCTION CHUNK	FOR EmpRuleUpdateWorkerThread
; 
; START	OF FUNCTION CHUNK FOR SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxBalancerThread

loc_5F91CA:				; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxBalancerThread+4Ej
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+10h+var_1]
		call	ebx
		mov	ecx, [edi]
		add	ecx, 48h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; END OF FUNCTION CHUNK	FOR SMKM_STORE_MGR_SM_TRAITS___SmCompressCtxBalancerThread
; 

loc_5F91F1:				; CODE XREF: .text:005781C1j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_5781CC
; 
; START	OF FUNCTION CHUNK FOR FsRtlGetVirtualDiskNestingLevel

loc_5F9200:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+4Bj
		cmp	eax, 2
		jz	loc_578237
		cmp	eax, 24h
		jz	loc_578237
		cmp	eax, 8
		jz	loc_578237
		cmp	eax, 3
		jz	loc_578237
		mov	eax, 0C0000010h
		jmp	loc_5782D9
; 

loc_5F922E:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+BAj
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [esp+68h+var_28]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+58h+var_44]
		jmp	loc_5782A6
; 

loc_5F9245:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+C2j
		cmp	[esp+58h+var_40], 14h
		jb	loc_5782AE
		cmp	[esp+58h+var_18], ebx
		jnz	loc_5782AE
		mov	eax, ds:_FsRtlVirtualDiskMaxTreeDepth
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_5F926E
		call	_FsRtlpGetMaxVirtualDiskNestingLevel@0 ; FsRtlpGetMaxVirtualDiskNestingLevel()
		mov	ds:_FsRtlVirtualDiskMaxTreeDepth, eax

loc_5F926E:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+8107Cj
		mov	ecx, [esp+58h+var_8]
		cmp	ecx, eax
		ja	short loc_5F9280
		test	ecx, ecx
		jz	short loc_5F9293
		mov	[esp+58h+var_48], ecx
		jmp	short loc_5F9293
; 

loc_5F9280:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+8108Ej
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_5F928F
		call	_FsRtlpGetMaxVirtualDiskNestingLevel@0 ; FsRtlpGetMaxVirtualDiskNestingLevel()
		mov	ds:_FsRtlVirtualDiskMaxTreeDepth, eax

loc_5F928F:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+8109Dj
		mov	[esp+58h+var_48], eax

loc_5F9293:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+81092j
					; FsRtlGetVirtualDiskNestingLevel+81098j
		cmp	[esp+58h+var_14], 0
		jz	short loc_5F929C
		mov	ebx, edi

loc_5F929C:				; CODE XREF: FsRtlGetVirtualDiskNestingLevel+810B2j
		test	[esp+58h+var_C], 2
		jz	loc_5782BC
		or	ebx, 2
		jmp	loc_5782BC
; END OF FUNCTION CHUNK	FOR FsRtlGetVirtualDiskNestingLevel
; 
; START	OF FUNCTION CHUNK FOR WheaLogInternalEvent

loc_5F92AF:				; CODE XREF: WheaLogInternalEvent+29j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_578455
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset _WheapDeferredInternalLogsEventLock
		call	KeWaitForSingleObject
		mov	ecx, ds:_WheapDeferredEventTotalBytes
		mov	eax, [edi+1Ch]
		lea	edx, [ecx+28h]
		add	edx, eax
		mov	[esp+90h+var_80], edx
		cmp	edx, 1000h
		jnb	short loc_5F9327
		add	eax, 20h
		lea	ebx, _WheapDeferredEventBuffer[ecx]
		push	eax		; size_t
		lea	eax, [ebx+8]
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [esp+9Ch+var_80]
		mov	ecx, offset _WheapDeferredInternalLogs
		mov	ds:_WheapDeferredEventTotalBytes, eax
		add	esp, 0Ch
		mov	eax, ds:dword_6BB3C4
		cmp	[eax], ecx
		jz	short loc_5F931A
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5F931A:				; CODE XREF: WheaLogInternalEvent+80FAFj
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	ds:dword_6BB3C4, ebx

loc_5F9327:				; CODE XREF: WheaLogInternalEvent+80F81j
		push	esi
		push	esi
		push	offset _WheapDeferredInternalLogsEventLock
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_578455
; 

loc_5F9338:				; CODE XREF: WheaLogInternalEvent+E7j
		mov	eax, [edi+8]
		push	esi
		push	esi
		mov	[esp+98h+var_78], eax
		lea	eax, [esp+98h+var_7C]
		push	14h
		push	eax
		push	5Eh
		mov	[esp+0A4h+var_74], esi
		mov	[esp+0A4h+var_6C], esi
		mov	[esp+0A4h+var_70], 0Fh
		mov	[esp+0A4h+var_7C], edi
		call	NtPowerInformation
		mov	eax, [edi+18h]
		jmp	loc_578451
; END OF FUNCTION CHUNK	FOR WheaLogInternalEvent
; 
; START	OF FUNCTION CHUNK FOR WheapIsNonHestErrorSource

loc_5F936B:				; CODE XREF: WheapIsNonHestErrorSource+3j
		cmp	ecx, 5
		jz	loc_57847F
		cmp	ecx, 8
		jz	loc_57847F
		cmp	ecx, 0Ch
		jz	loc_57847F
		cmp	ecx, 0Dh
		jz	loc_57847F
		cmp	ecx, 4
		jz	loc_57847F
		xor	al, al
		retn
; END OF FUNCTION CHUNK	FOR WheapIsNonHestErrorSource
; 
; START	OF FUNCTION CHUNK FOR ExpLegacyWorkerInitialization

loc_5F939B:				; CODE XREF: ExpLegacyWorkerInitialization+Aj
		mov	eax, edx
		mov	ds:_ExpAdditionalCriticalWorkerThreads,	eax
		jmp	loc_5784CA
; 

loc_5F93A7:				; CODE XREF: ExpLegacyWorkerInitialization+18j
		mov	ecx, edx
		mov	ds:_ExpAdditionalDelayedWorkerThreads, ecx
		jmp	loc_5784D8
; END OF FUNCTION CHUNK	FOR ExpLegacyWorkerInitialization
; 
; START	OF FUNCTION CHUNK FOR KeInitializePriQueue

loc_5F93B4:				; CODE XREF: KeInitializePriQueue+47j
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	edx, eax
		jmp	loc_578599
; END OF FUNCTION CHUNK	FOR KeInitializePriQueue
; 
; START	OF FUNCTION CHUNK FOR PipUpdatePostStartCharacteristics

loc_5F93C5:				; CODE XREF: PipUpdatePostStartCharacteristics+1Cj
					; PipUpdatePostStartCharacteristics+80E2Bj
		or	[ecx+20h], edx
		mov	ecx, [ecx+10h]
		test	ecx, ecx
		jnz	short loc_5F93C5
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR PipUpdatePostStartCharacteristics
; 
; START	OF FUNCTION CHUNK FOR ExDisableResourceBoostLite

loc_5F93D1:				; CODE XREF: ExDisableResourceBoostLite+19j
		push	0
		push	0
		push	esi
		push	0Eh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5F93E2:				; CODE XREF: ExDisableResourceBoostLite+38j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_57862C
; 

loc_5F93F2:				; CODE XREF: ExDisableResourceBoostLite+5Aj
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid

loc_5F93FA:				; CODE XREF: ExDisableResourceBoostLite+43j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_57862C
; END OF FUNCTION CHUNK	FOR ExDisableResourceBoostLite
; 
; START	OF FUNCTION CHUNK FOR PoFxPlatformRequestHandler

loc_5F940F:				; CODE XREF: PoFxPlatformRequestHandler+Ej
		lea	ecx, [edx+8]
		call	_PopFxAcpiDispatchNotification@4 ; PopFxAcpiDispatchNotification(x)
		mov	ecx, eax
		jmp	loc_578666
; END OF FUNCTION CHUNK	FOR PoFxPlatformRequestHandler
; 
; START	OF FUNCTION CHUNK FOR LdrpSetAlternateResourceModuleHandle

loc_5F941E:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+D9j
		cmp	[esi+ecx+8], edi
		jnz	loc_578847
		jmp	loc_578753
; 

loc_5F942D:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+FAj
		mov	ebx, [ebp+var_24]
		mov	eax, [ebx]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5F944B
		push	eax
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_5F944B
		push	dword ptr [ecx]
		call	_ZwClose@4	; ZwClose(x)

loc_5F944B:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+80DC1j
					; LdrpSetAlternateResourceModuleHandle+80DCEj
		mov	edx, ds:_AlternateResourceModules
		mov	eax, [esi+edx+10h]
		mov	[ebx], eax
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	loc_578847
		mov	eax, [esi+edx+14h]
		mov	[ecx], eax
		jmp	loc_578847
; 

loc_5F946D:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+ABj
		push	69507472h
		add	eax, 20h
		shl	eax, 5
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_578847
		mov	esi, ds:_AltResMemBlockCount
		lea	eax, [esi+20h]
		shl	eax, 5
		push	eax		; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		shl	esi, 5
		push	esi		; size_t
		mov	esi, ds:_AlternateResourceModules
		push	esi		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ds:_AlternateResourceModules, ebx
		mov	eax, ds:_AltResMemBlockCount
		add	eax, 20h
		mov	ds:_AltResMemBlockCount, eax
		jmp	loc_578725
; 

loc_5F94D4:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+103j
		cmp	[ecx+ebx+8], edi
		jnz	loc_57877D
		mov	eax, [ebp+arg_4]
		mov	[ecx+ebx+8], eax
		mov	eax, [ebp+arg_10]
		mov	[ecx+ebx+1Ch], eax
		jmp	loc_578847
; 

loc_5F94F1:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+132j
		mov	eax, edi
		jmp	loc_5787AE
; 

loc_5F94F8:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+192j
		mov	eax, edi
		jmp	loc_57880E
; 

loc_5F94FF:				; CODE XREF: LdrpSetAlternateResourceModuleHandle+1A3j
		mov	eax, edi
		jmp	loc_57881F
; END OF FUNCTION CHUNK	FOR LdrpSetAlternateResourceModuleHandle

;  S U B	R O U T	I N E 


sub_5F9506	proc near		; DATA XREF: .text:006A73E0o
		xor	edi, edi
		jmp	sub_5788B1
sub_5F9506	endp

; 
; START	OF FUNCTION CHUNK FOR IovUtilMarkStack

loc_5F950D:				; CODE XREF: IovUtilMarkStack+15j
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_IovpUtilMarkDeviceObject@8 ; IovpUtilMarkDeviceObject(x,x)
		jmp	loc_5788DB
; 

loc_5F951C:				; CODE XREF: IovUtilMarkStack+2Dj
		lea	ecx, [ebp+arg_0]
		call	_VfDevObjAdjustFdoForVerifierFilters@4 ; VfDevObjAdjustFdoForVerifierFilters(x)
		mov	ecx, [ebp+arg_0]
		jmp	loc_5788F3
; 

loc_5F952C:				; CODE XREF: IovUtilMarkStack+49j
		cmp	[ebp+arg_4], 0
		jz	loc_5788FB
		push	2
		pop	edx
		mov	ecx, esi
		call	_IovpUtilMarkDeviceObject@8 ; IovpUtilMarkDeviceObject(x,x)
		push	3

loc_5F9542:				; CODE XREF: IovUtilMarkStack+50j
		pop	edx
		call	_IovpUtilMarkDeviceObject@8 ; IovpUtilMarkDeviceObject(x,x)
		jmp	loc_5788FB
; END OF FUNCTION CHUNK	FOR IovUtilMarkStack
; 
; START	OF FUNCTION CHUNK FOR EtwTraceJobServerSiloMonitorCallback

loc_5F954D:				; CODE XREF: EtwTraceJobServerSiloMonitorCallback+3Aj
		sub	eax, 1
		jz	short loc_5F955C
		mov	esi, offset _ServerSiloTerminateCallbackStop
		jmp	loc_57895B
; 

loc_5F955C:				; CODE XREF: EtwTraceJobServerSiloMonitorCallback+80C3Aj
		mov	esi, offset _ServerSiloTerminateCallbackStart
		jmp	loc_57895B
; 

loc_5F9566:				; CODE XREF: EtwTraceJobServerSiloMonitorCallback+5Ej
		mov	edx, [esp+88h+var_74]
		lea	ecx, [esp+88h+var_68]
		call	_EtwpCopyJobGuidSafe@8 ; EtwpCopyJobGuidSafe(x,x)
		mov	eax, ecx
		mov	[esp+88h+var_54], edi
		lea	ecx, [esp+88h+var_78]
		mov	[esp+88h+var_58], eax
		mov	[esp+88h+var_50], 10h
		mov	[esp+88h+var_4C], edi
		call	_EtwpCopyJobIdSafe@8 ; EtwpCopyJobIdSafe(x,x)
		cmp	[esp+88h+var_70], 1
		mov	eax, ecx
		push	4
		pop	ecx
		push	2
		mov	[esp+8Ch+var_44], edi
		mov	[esp+8Ch+var_3C], edi
		mov	[esp+8Ch+var_48], eax
		mov	[esp+8Ch+var_40], ecx
		pop	edi
		jnz	short loc_5F95C9
		and	[esp+88h+var_34], 0
		lea	eax, [ebp+arg_4]
		and	[esp+88h+var_2C], 0
		push	3
		mov	[esp+8Ch+var_38], eax
		mov	[esp+8Ch+var_30], ecx
		pop	edi

loc_5F95C9:				; CODE XREF: EtwTraceJobServerSiloMonitorCallback+80C99j
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		add	edx, edx
		mov	eax, [ecx+4]
		and	[esp+edx*8+88h+var_54],	0
		mov	[esp+edx*8+88h+var_58],	eax
		movzx	eax, word ptr [ecx]
		xor	ecx, ecx
		mov	[esp+edx*8+88h+var_50],	eax
		lea	eax, [edi+1]
		add	eax, eax
		mov	[esp+edx*8+88h+var_4C],	ecx
		mov	[esp+eax*8+88h+var_58],	offset _EtwpNull
		mov	[esp+eax*8+88h+var_54],	ecx
		mov	[esp+eax*8+88h+var_50],	2
		mov	[esp+eax*8+88h+var_4C],	ecx
		lea	eax, [esp+88h+var_58]
		push	eax
		lea	eax, [edi+2]
		push	eax
		push	ecx
		push	esi
		push	ebx
		push	[esp+9Ch+var_6C]
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_57897A
; END OF FUNCTION CHUNK	FOR EtwTraceJobServerSiloMonitorCallback
; 
; START	OF FUNCTION CHUNK FOR RtlpGetBootStatusPathFromRegistry

loc_5F9620:				; CODE XREF: RtlpGetBootStatusPathFromRegistry+8Cj
		mov	ebx, 66647362h
		push	ebx
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_5F9640
		mov	esi, 0C0000017h
		jmp	loc_578A62
; 

loc_5F9640:				; CODE XREF: RtlpGetBootStatusPathFromRegistry+80C68j
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_4]
		lea	eax, [ebp+var_18]
		push	edi
		push	2
		push	eax
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_5F9689
		push	ebx
		push	dword ptr [edi+8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_5F9674
		mov	esi, 0C0000017h
		jmp	short loc_5F9689
; 

loc_5F9674:				; CODE XREF: RtlpGetBootStatusPathFromRegistry+80C9Fj
		push	dword ptr [edi+8] ; size_t
		lea	eax, [edi+0Ch]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		mov	[eax], ebx

loc_5F9689:				; CODE XREF: RtlpGetBootStatusPathFromRegistry+80C8Ej
					; RtlpGetBootStatusPathFromRegistry+80CA6j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_578A62
; END OF FUNCTION CHUNK	FOR RtlpGetBootStatusPathFromRegistry
; 
; START	OF FUNCTION CHUNK FOR IoEnumerateDeviceObjectList

loc_5F9696:				; CODE XREF: IoEnumerateDeviceObjectList+7Bj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_578B14
; 

loc_5F96A5:				; CODE XREF: IoEnumerateDeviceObjectList+98j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5F96AC:				; CODE XREF: IoEnumerateDeviceObjectList+85j
		xor	edx, edx
		mov	dword ptr [esi], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx
		jmp	loc_578B14
; END OF FUNCTION CHUNK	FOR IoEnumerateDeviceObjectList
; 
; START	OF FUNCTION CHUNK FOR PoFxSetDeviceIdleTimeout

loc_5F96C0:				; CODE XREF: PoFxSetDeviceIdleTimeout+54j
		mov	edx, [ebp+4]
		lea	ecx, [esi+0C8h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_578C39
; END OF FUNCTION CHUNK	FOR PoFxSetDeviceIdleTimeout
; 
; START	OF FUNCTION CHUNK FOR PopFxUpdateDeviceIdleTimer

loc_5F96D3:				; CODE XREF: PopFxUpdateDeviceIdleTimer+3Fj
		mov	ecx, [esi+1Ch]
		xor	dl, dl
		push	0
		call	PopDiagTraceFxDevicePowerRequirement
		push	dword ptr [esi+64h]
		call	dword ptr [esi+4Ch]
		push	40h
		pop	eax
		lock or	[edi], eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi+18h], eax
		jz	loc_578C69
		mov	ecx, [esi+1Ch]
		xor	edx, edx
		push	0
		push	0
		push	11h
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		jmp	loc_578C69
; END OF FUNCTION CHUNK	FOR PopFxUpdateDeviceIdleTimer
; 
; START	OF FUNCTION CHUNK FOR CcRegistryChangeCallback

loc_5F970E:				; CODE XREF: CcRegistryChangeCallback+8Fj
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_28], 18h
		push	ecx
		push	10h
		push	eax
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	loc_578D27
		push	edi
		push	eax		; char
		push	offset ??_C@_0EC@FIJIBDCC@CcRegistryChangeCallback?3?5Faile@FNODOBFM@ ;	char *
		push	ebx		; int
		push	7Fh		; int
		call	_DbgPrintEx
		add	esp, 14h
		push	52576343h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, ebx
		jmp	loc_578D27
; 

loc_5F9760:				; CODE XREF: CcRegistryChangeCallback+C1j
		test	ebx, ebx
		jns	short loc_5F978C
		push	dword ptr [esi+10h]
		call	_ZwClose@4	; ZwClose(x)
		push	edi
		push	ebx		; char
		xor	eax, eax
		mov	byte ptr [esi+28h], 1
		push	offset ??_C@_0EF@NMKLEGFE@CcRegistryChangeCallback?3?5Faile@FNODOBFM@ ;	char *
		push	eax		; int
		push	7Fh		; int
		mov	[esi+10h], eax
		call	_DbgPrintEx
		add	esp, 14h
		jmp	loc_578D6B
; 

loc_5F978C:				; CODE XREF: CcRegistryChangeCallback+80AD0j
		push	edi
		push	offset ??_C@_0EJ@MPHFDGKA@CcRegistryChangeCallback?3?5Watch@FNODOBFM@
		jmp	loc_578D5F
; 

loc_5F9797:				; CODE XREF: CcRegistryChangeCallback+E0j
		test	esi, esi
		jz	loc_578D78
		cmp	byte ptr [esi+28h], 0
		jnz	loc_578D78
		mov	ds:_CcRegistryWatchInitComplete, 1
		jmp	loc_578D78
; END OF FUNCTION CHUNK	FOR CcRegistryChangeCallback
; 
; START	OF FUNCTION CHUNK FOR CcUpdateDynamicRegistrySettings

loc_5F97B8:				; CODE XREF: CcUpdateDynamicRegistrySettings+BDj
		mov	ecx, [esp+0F0h+var_D8]
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	dword ptr [esp+0F0h+var_BC], eax
		cmp	eax, 3
		jnb	loc_578E43
		mov	[esp+0F0h+var_DC], 1
		jmp	loc_578E43
; 

loc_5F97D9:				; CODE XREF: CcUpdateDynamicRegistrySettings+F9j
		mov	ecx, [esp+0F0h+var_D8]
		mov	[esp+0F0h+var_D2], 1
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	[esp+0F0h+var_AC], eax
		jmp	loc_578E7F
; 

loc_5F97F1:				; CODE XREF: CcUpdateDynamicRegistrySettings+135j
		mov	ecx, [esp+0F0h+var_D8]
		mov	[esp+0F0h+var_DB], 1
		mov	eax, [ecx+8]
		mov	ebx, [ecx+eax]
		jmp	loc_578EBB
; 

loc_5F9805:				; CODE XREF: CcUpdateDynamicRegistrySettings+171j
		mov	ecx, [esp+0F0h+var_D8]
		mov	[esp+0F0h+var_DA], 1
		mov	eax, [ecx+8]
		mov	edi, [ecx+eax]
		jmp	loc_578EF7
; 

loc_5F9819:				; CODE XREF: CcUpdateDynamicRegistrySettings+1ADj
		mov	ecx, [esp+0F0h+var_D8]
		mov	[esp+0F0h+var_D9], 1
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	[esp+0F0h+var_B8], eax
		jmp	loc_578F33
; 

loc_5F9831:				; CODE XREF: CcUpdateDynamicRegistrySettings+1F3j
		mov	edx, [esp+0F0h+var_D8]
		mov	[esp+0F0h+var_D1], 1
		mov	[esp+0F0h+var_C8], ecx
		mov	eax, [edx+8]
		mov	esi, [edx+eax]
		mov	edx, offset ??_C@_09GNNAFPDF@not?5found@FNODOBFM@ ; "not found"
		jmp	loc_578F7D
; 

loc_5F984E:				; CODE XREF: CcUpdateDynamicRegistrySettings+220j
		mov	edx, ecx
		jmp	loc_578FA6
; 

loc_5F9855:				; CODE XREF: CcUpdateDynamicRegistrySettings+274j
		push	78666343h
		push	[esp+0F4h+var_D8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_578FFA
; 

loc_5F9868:				; CODE XREF: CcUpdateDynamicRegistrySettings+27Fj
		mov	eax, dword ptr [esp+0F0h+var_BC]
		mov	ds:_CcAzure_TopBottomDPTEqual, eax
		jmp	loc_579005
; 

loc_5F9876:				; CODE XREF: CcUpdateDynamicRegistrySettings+28Aj
		test	ebx, ebx
		jz	short loc_5F988D
		mov	eax, ebx
		shl	eax, 0Ah
		cmp	eax, ebx
		jbe	short loc_5F988D
		mov	ds:_CcAzure_LargeWriteSize, eax
		jmp	loc_579010
; 

loc_5F988D:				; CODE XREF: CcUpdateDynamicRegistrySettings+80AF8j
					; CcUpdateDynamicRegistrySettings+80B01j
		and	ds:_CcAzure_LargeWriteSize, 0
		jmp	loc_579010
; 

loc_5F9899:				; CODE XREF: CcUpdateDynamicRegistrySettings+295j
		test	edi, edi
		jz	short loc_5F98AD
		cmp	edi, 64h
		ja	short loc_5F98AD
		mov	ds:_CcAzure_SoftThrottleLargeWriteAtPct, edi
		jmp	loc_57901B
; 

loc_5F98AD:				; CODE XREF: CcUpdateDynamicRegistrySettings+80B1Bj
					; CcUpdateDynamicRegistrySettings+80B20j
		and	ds:_CcAzure_SoftThrottleLargeWriteAtPct, 0
		jmp	loc_57901B
; 

loc_5F98B9:				; CODE XREF: CcUpdateDynamicRegistrySettings+2A0j
		mov	eax, [esp+0F0h+var_B8]
		test	eax, eax
		jz	loc_579026
		mov	ds:_CcSoftThrottleDelay, eax
		jmp	loc_579026
; 

loc_5F98CF:				; CODE XREF: CcUpdateDynamicRegistrySettings+2ABj
		test	esi, esi
		jz	loc_579031
		cmp	esi, 8000h
		ja	loc_579031
		mov	ds:_CcMaxLazyWritePages, esi
		jmp	loc_579031
; END OF FUNCTION CHUNK	FOR CcUpdateDynamicRegistrySettings
; 
; START	OF FUNCTION CHUNK FOR CcQueryRegKeyValue

loc_5F98EE:				; CODE XREF: CcQueryRegKeyValue+4Aj
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		xor	eax, eax
		jmp	loc_5790E1
; 

loc_5F98FD:				; CODE XREF: CcQueryRegKeyValue+75j
					; CcQueryRegKeyValue+81j
		mov	eax, [ebp+arg_0]
		cmp	edi, [eax]
		jnz	loc_5790CF
		mov	edi, [ebp+var_C]
		cmp	edi, 40000h
		ja	short loc_5F994C
		push	78666343h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_5F994C
		mov	eax, [ebp+arg_8]
		cmp	byte ptr [eax],	0
		jz	short loc_5F993A
		push	78666343h
		push	dword ptr [ebx]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5F993A:				; CODE XREF: CcQueryRegKeyValue+808E4j
		mov	eax, [ebp+arg_0]
		mov	[ebx], esi
		mov	[eax], edi
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	1
		jmp	loc_5790A2
; 

loc_5F994C:				; CODE XREF: CcQueryRegKeyValue+808C9j
					; CcQueryRegKeyValue+808DCj
		mov	esi, 0C000009Ah
		jmp	loc_5790CF
; 

loc_5F9956:				; CODE XREF: CcQueryRegKeyValue+91j
		mov	eax, [ebx]
		cmp	dword ptr [eax+0Ch], 0
		jnz	loc_5790DF
		mov	esi, 0C0000034h
		jmp	loc_5790DF
; END OF FUNCTION CHUNK	FOR CcQueryRegKeyValue
; 
; START	OF FUNCTION CHUNK FOR PfFbBufferListAllocateTemporary

loc_5F996C:				; CODE XREF: PfFbBufferListAllocateTemporary+17j
		push	dword ptr [edi+24h]
		push	esi
		push	dword ptr [edi+28h]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_5F9986
		mov	eax, 0C000009Ah
		jmp	loc_57912A
; 

loc_5F9986:				; CODE XREF: PfFbBufferListAllocateTemporary+80872j
		push	0
		push	1
		push	esi
		mov	edx, eax
		mov	ecx, edi
		call	PfFbBufferListInsertInFree
		xor	eax, eax
		jmp	loc_579130
; END OF FUNCTION CHUNK	FOR PfFbBufferListAllocateTemporary
; 
; START	OF FUNCTION CHUNK FOR ExAllocateCacheAwarePushLock

loc_5F999B:				; CODE XREF: ExAllocateCacheAwarePushLock+71j
		push	80h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		inc	eax
		cmp	ds:_KeNumberNodes, ax
		jz	loc_5791F9
		mov	eax, ds:_KeNumberProcessors
		xor	edi, edi
		mov	[ebp+var_1C], eax

loc_5F99C5:				; CODE XREF: ExAllocateCacheAwarePushLock+808FCj
		cmp	edi, eax
		jnb	short loc_5F99D2
		mov	ecx, edi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		jmp	short loc_5F99D8
; 

loc_5F99D2:				; CODE XREF: ExAllocateCacheAwarePushLock+80849j
		mov	eax, large fs:20h

loc_5F99D8:				; CODE XREF: ExAllocateCacheAwarePushLock+80852j
		cmp	[ebp+arg_0], 0
		mov	eax, [eax+338h]
		push	0
		movzx	eax, word ptr [eax+8Ah]
		jz	short loc_5F99F7
		movzx	eax, ax
		mov	ecx, 200h
		jmp	short loc_5F9A42
; 

loc_5F99F7:				; CODE XREF: ExAllocateCacheAwarePushLock+8086Dj
		lea	ecx, [ebp+var_28]
		push	ecx
		push	eax
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		test	bl, bl
		jnz	short loc_5F9A1A
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	KeSetSystemGroupAffinityThread
		xor	eax, eax
		inc	eax
		mov	[ebp+var_11], al
		jmp	short loc_5F9A25
; 

loc_5F9A1A:				; CODE XREF: ExAllocateCacheAwarePushLock+80885j
		push	0
		lea	eax, [ebp+var_28]
		push	eax
		call	KeSetSystemGroupAffinityThread

loc_5F9A25:				; CODE XREF: ExAllocateCacheAwarePushLock+8089Aj
		mov	eax, large fs:20h
		mov	ecx, [ebp+var_18]
		push	0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h

loc_5F9A42:				; CODE XREF: ExAllocateCacheAwarePushLock+80877j
		push	eax
		push	6C636C50h
		mov	edx, 80h
		call	ExpAllocatePoolWithTagFromNode
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_5F9A85
		push	80h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebx+8], esi
		mov	[esi+edi*4], ebx
		inc	edi
		cmp	edi, 20h
		jnb	short loc_5F9A7F
		mov	bl, [ebp+var_11]
		mov	eax, [ebp+var_1C]
		jmp	loc_5F99C5
; 

loc_5F9A7F:				; CODE XREF: ExAllocateCacheAwarePushLock+808F4j
		mov	edi, esi
		xor	esi, esi
		jmp	short loc_5F9A87
; 

loc_5F9A85:				; CODE XREF: ExAllocateCacheAwarePushLock+808D8j
		xor	edi, edi

loc_5F9A87:				; CODE XREF: ExAllocateCacheAwarePushLock+80905j
		cmp	[ebp+var_11], 0
		jz	short loc_5F9A96
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread

loc_5F9A96:				; CODE XREF: ExAllocateCacheAwarePushLock+EBj
					; ExAllocateCacheAwarePushLock+8090Dj
		test	esi, esi
		jz	loc_579254
		push	esi
		call	_ExFreeCacheAwarePushLock@4 ; ExFreeCacheAwarePushLock(x)
		jmp	loc_579254
; END OF FUNCTION CHUNK	FOR ExAllocateCacheAwarePushLock
; 
; START	OF FUNCTION CHUNK FOR IopInterlockedInsertTailList

loc_5F9AA9:				; CODE XREF: IopInterlockedInsertTailList+3Aj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_5792CB
; 

loc_5F9AB8:				; CODE XREF: IopInterlockedInsertTailList+57j
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5F9ABF:				; CODE XREF: IopInterlockedInsertTailList+44j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_5792CB
; END OF FUNCTION CHUNK	FOR IopInterlockedInsertTailList
; 
; START	OF FUNCTION CHUNK FOR WmiQueryTraceProviderCount

loc_5F9AD3:				; CODE XREF: WmiQueryTraceProviderCount+6Aj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_579377
; END OF FUNCTION CHUNK	FOR WmiQueryTraceProviderCount
; 
; START	OF FUNCTION CHUNK FOR FsFilterInit

loc_5F9AE0:				; CODE XREF: FsFilterInit+3Bj
		push	edi
		push	ds:_AcquireOpsReservePool
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, 0C000009Ah
		jmp	loc_57956F
; END OF FUNCTION CHUNK	FOR FsFilterInit
; 
; START	OF FUNCTION CHUNK FOR LdrpMapResourceFile

loc_5F9AF6:				; CODE XREF: LdrpMapResourceFile+65j
		mov	edi, 0C000007Bh
		jmp	loc_579651
; 

loc_5F9B00:				; CODE XREF: LdrpMapResourceFile+188j
		test	esi, esi
		jz	loc_579651
		push	esi
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		jmp	loc_579651
; 

loc_5F9B13:				; CODE XREF: LdrpMapResourceFile+C0j
		push	[esp+48h+var_3C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_57965C
; 

loc_5F9B21:				; CODE XREF: LdrpMapResourceFile+43j
					; LdrpMapResourceFile+4Bj ...
		mov	eax, 0C000000Dh
		jmp	loc_57965E
; END OF FUNCTION CHUNK	FOR LdrpMapResourceFile
; 
; START	OF FUNCTION CHUNK FOR LdrpGetResourceFileName

loc_5F9B2B:				; CODE XREF: LdrpGetResourceFileName+CDj
					; LdrpGetResourceFileName+EEj
		mov	eax, 0C000008Ah
		jmp	loc_5798AC
; 

loc_5F9B35:				; CODE XREF: LdrpGetResourceFileName+5Fj
					; LdrpGetResourceFileName+68j
		mov	eax, 0C00B0001h
		jmp	loc_5798AC
; 

loc_5F9B3F:				; CODE XREF: LdrpGetResourceFileName+36j
					; LdrpGetResourceFileName+3Ej ...
		mov	eax, 0C000000Dh
		jmp	loc_5798AD
; END OF FUNCTION CHUNK	FOR LdrpGetResourceFileName
; 
; START	OF FUNCTION CHUNK FOR DisplayBootBitmap

loc_5F9B49:				; CODE XREF: DisplayBootBitmap+17j
		call	_InbvAcquireLock@0 ; InbvAcquireLock()
		and	ds:_RotBarSelection, esi
		call	_InbvReleaseLock@0 ; InbvReleaseLock()
		jmp	loc_57A171
; 

loc_5F9B5E:				; CODE XREF: DisplayBootBitmap+26j
		push	0Fh
		call	_InbvSetTextColor@4 ; InbvSetTextColor(x)
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	short loc_5F9BA3
		mov	ecx, [eax+10h]
		xor	ebx, ebx
		mov	esi, 1DFh
		mov	edi, 27Fh
		test	ecx, ecx
		jz	short loc_5F9B8D
		push	ebx
		push	esi
		push	edi
		push	ebx
		push	ebx
		call	ecx
		mov	eax, ds:dword_6D4D4C

loc_5F9B8D:				; CODE XREF: DisplayBootBitmap+7FA2Bj
		test	eax, eax
		jz	short loc_5F9BA3
		mov	eax, [eax+10h]
		test	eax, eax
		jz	short loc_5F9BA3
		push	ebx
		push	esi
		push	edi
		push	1A5h
		push	ebx
		call	eax

loc_5F9BA3:				; CODE XREF: DisplayBootBitmap+7FA18j
					; DisplayBootBitmap+7FA3Bj ...
		push	6
		pop	ecx
		call	_InbvGetResourceAddress@4 ; InbvGetResourceAddress(x)
		push	7
		pop	ecx
		mov	edi, eax
		call	_InbvGetResourceAddress@4 ; InbvGetResourceAddress(x)
		mov	ecx, ds:dword_6D4D4C
		xor	esi, esi
		mov	ebx, eax
		test	ecx, ecx
		jz	short loc_5F9BDA
		mov	ecx, [ecx+24h]
		test	ecx, ecx
		jz	short loc_5F9BDA
		push	190h
		push	277h
		push	50h
		push	20h
		call	ecx

loc_5F9BDA:				; CODE XREF: DisplayBootBitmap+7FA6Dj
					; DisplayBootBitmap+7FA74j
		test	ebx, ebx
		jz	short loc_5F9BEA
		push	1A3h
		mov	ecx, ebx
		call	_InbvBitBlt@12	; InbvBitBlt(x,x,x)

loc_5F9BEA:				; CODE XREF: DisplayBootBitmap+7FA88j
		test	edi, edi
		jz	short loc_5F9C6A
		push	0
		mov	ecx, edi
		call	_InbvBitBlt@12	; InbvBitBlt(x,x,x)
		jmp	short loc_5F9C6A
; 

loc_5F9BF9:				; CODE XREF: DisplayBootBitmap+33j
		xor	ecx, ecx
		mov	ds:dword_6D4D50, offset	_DisplayFilter@4 ; DisplayFilter(x)
		inc	ecx
		call	_InbvGetResourceAddress@4 ; InbvGetResourceAddress(x)
		push	4
		pop	ecx
		mov	ebx, eax
		call	_InbvGetResourceAddress@4 ; InbvGetResourceAddress(x)
		mov	edi, eax
		test	ebx, ebx
		jz	short loc_5F9C27
		xor	esi, esi
		mov	ecx, ebx
		push	0
		inc	esi
		call	_InbvBitBlt@12	; InbvBitBlt(x,x,x)

loc_5F9C27:				; CODE XREF: DisplayBootBitmap+7FAC5j
		xor	ebx, ebx
		test	edi, edi
		jz	short loc_5F9C35
		push	ebx
		mov	ecx, edi
		call	_InbvBitBlt@12	; InbvBitBlt(x,x,x)

loc_5F9C35:				; CODE XREF: DisplayBootBitmap+7FAD7j
		cmp	ds:byte_6FDE48,	0
		jnz	short loc_5F9C77
		push	ebx
		push	offset _InbvRotateGuiBootDisplay@4 ; InbvRotateGuiBootDisplay(x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+28h+var_4]
		mov	[esp+28h+var_4], ebx
		push	eax
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_5F9C6A
		push	[esp+10h+var_4]
		call	_ZwClose@4	; ZwClose(x)
		mov	ds:byte_6FDE48,	1

loc_5F9C6A:				; CODE XREF: DisplayBootBitmap+7FA98j
					; DisplayBootBitmap+7FAA3j ...
		cmp	ds:byte_6FDE48,	0
		jz	loc_57A192

loc_5F9C77:				; CODE XREF: DisplayBootBitmap+7FAE8j
		call	_InbvAcquireLock@0 ; InbvAcquireLock()
		mov	ds:_RotBarSelection, esi
		sub	esi, 1
		jnz	short loc_5F9C8C
		call	_RotBarInit@0	; RotBarInit()

loc_5F9C8C:				; CODE XREF: DisplayBootBitmap+7FB31j
		call	_InbvReleaseLock@0 ; InbvReleaseLock()
		jmp	loc_57A192
; END OF FUNCTION CHUNK	FOR DisplayBootBitmap
; 
; START	OF FUNCTION CHUNK FOR BvgaReleaseResources

loc_5F9C96:				; CODE XREF: BvgaReleaseResources+19j
		mov	eax, esi
		sub	eax, 3
		jz	loc_57A1E8
		dec	eax
		sub	eax, 1
		jz	loc_57A1E8
		jmp	loc_57A1CD
; END OF FUNCTION CHUNK	FOR BvgaReleaseResources
; 
; START	OF FUNCTION CHUNK FOR ExpSaInitialize

loc_5F9CB0:				; CODE XREF: ExpSaInitialize+D2j
		mov	eax, large fs:20h
		jmp	loc_57A3A7
; END OF FUNCTION CHUNK	FOR ExpSaInitialize
; 
; START	OF FUNCTION CHUNK FOR CcSetLoggedDataThreshold

loc_5F9CBB:				; CODE XREF: CcSetLoggedDataThreshold+64j
		mov	edx, eax
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_57A609
; 

loc_5F9CCA:				; CODE XREF: CcSetLoggedDataThreshold+71j
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_57A609
; 

loc_5F9CD7:				; CODE XREF: CcSetLoggedDataThreshold+84j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_57A63A
; 

loc_5F9CE7:				; CODE XREF: CcSetLoggedDataThreshold+A2j
		lea	ecx, [ebp+var_C]
		call	KxWaitForLockChainValid
		jmp	loc_57A675
; 

loc_5F9CF4:				; CODE XREF: CcSetLoggedDataThreshold+AFj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_57A665
; 

loc_5F9D04:				; CODE XREF: CcSetLoggedDataThreshold+CDj
		lea	ecx, [ebp+var_18]
		call	KxWaitForLockChainValid
		jmp	loc_57A680
; END OF FUNCTION CHUNK	FOR CcSetLoggedDataThreshold
; 
; START	OF FUNCTION CHUNK FOR KeAddTriageDumpDataBlock

loc_5F9D11:				; CODE XREF: KeAddTriageDumpDataBlock+40j
		lea	eax, [esi+24h]
		mov	[ebp+arg_8], eax

loc_5F9D17:				; CODE XREF: KeAddTriageDumpDataBlock+7F6B9j
		mov	edx, [eax-4]
		mov	eax, [eax]
		add	eax, edx
		cmp	ebx, eax
		jnb	short loc_5F9D3C
		cmp	ecx, edx
		jbe	short loc_5F9D3C
		cmp	ebx, edx
		jb	short loc_5F9D36
		cmp	ecx, eax
		jbe	loc_57A6F5
		mov	ebx, eax
		jmp	short loc_5F9D3C
; 

loc_5F9D36:				; CODE XREF: KeAddTriageDumpDataBlock+7F698j
		cmp	ecx, eax
		ja	short loc_5F9D3C
		mov	ecx, edx

loc_5F9D3C:				; CODE XREF: KeAddTriageDumpDataBlock+7F690j
					; KeAddTriageDumpDataBlock+7F694j ...
		mov	eax, [ebp+arg_8]
		inc	edi
		add	eax, 8
		mov	[ebp+arg_8], eax
		cmp	edi, [ebp+arg_0]
		jb	short loc_5F9D17
		mov	eax, [ebp+arg_0]
		jmp	loc_57A6D6
; END OF FUNCTION CHUNK	FOR KeAddTriageDumpDataBlock
; 
; START	OF FUNCTION CHUNK FOR KiValidateTriageDumpDataArray

loc_5F9D53:				; CODE XREF: KiValidateTriageDumpDataArray+95j
		cmp	[esi+14h], eax
		ja	loc_57A7D5
		jmp	loc_57A7AF
; 

loc_5F9D61:				; CODE XREF: KiValidateTriageDumpDataArray+A8j
		lea	eax, [esi+24h]
		mov	[ebp+var_4], eax

loc_5F9D67:				; CODE XREF: KiValidateTriageDumpDataArray+7F678j
		mov	edx, [eax]
		lea	ecx, [ebp+arg_0]
		push	ecx
		mov	ecx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_57A7D5
		mov	eax, [ebp+var_4]
		inc	ebx
		mov	edi, [ebp+arg_0]
		add	eax, 8
		mov	[ebp+var_4], eax
		cmp	ebx, [ebp+var_8]
		jb	short loc_5F9D67
		jmp	loc_57A7C2
; END OF FUNCTION CHUNK	FOR KiValidateTriageDumpDataArray
; 
; START	OF FUNCTION CHUNK FOR PopVideoBrightnessSettingsCallback

loc_5F9D93:				; CODE XREF: PopVideoBrightnessSettingsCallback+24j
		cmp	[ebp+arg_8], 4
		jnz	loc_57AA3C
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_57AA3C
		xor	esi, esi
		cmp	[eax], esi
		jz	loc_57AA3C
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	ds:byte_6C2E2A,	1
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		jmp	loc_57AA3C
; END OF FUNCTION CHUNK	FOR PopVideoBrightnessSettingsCallback
; 
; START	OF FUNCTION CHUNK FOR MmDbgMarkPfnModifiedWorker

loc_5F9DC8:				; CODE XREF: MmDbgMarkPfnModifiedWorker+1Bj
		xor	ecx, ecx
		lock and [esi],	ecx
		dec	eax
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edi, [ebp+var_8]
		mov	bl, al
		mov	ecx, edi
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	ecx, edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, 7FFFFFFFh
		lea	ecx, [edi+10h]
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_8]
		mov	eax, ecx
		mov	edx, [ebp+var_C]
		or	eax, edx
		jz	loc_57AAB7
		push	edx
		push	ecx
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo
		jmp	loc_57AAB7
; END OF FUNCTION CHUNK	FOR MmDbgMarkPfnModifiedWorker
; 
; START	OF FUNCTION CHUNK FOR MiAddZeroingThreads

loc_5F9E27:				; CODE XREF: MiAddZeroingThreads+24j
		mov	eax, ecx
		sub	eax, esi
		jnz	short loc_5F9E3A
		inc	ds:_MiZeroThreadStats
		push	4
		jmp	loc_57AAF8
; 

loc_5F9E3A:				; CODE XREF: MiAddZeroingThreads+7F365j
		push	ebx
		mov	ebx, ds:dword_6D06C4
		mov	eax, ecx
		mov	[ebp+var_8], ebx
		xor	ebx, ebx
		mov	[ebp+var_4], eax
		test	ecx, ecx
		jz	loc_5F9EE5
		xor	esi, esi
		mov	[ebp+var_C], esi

loc_5F9E58:				; CODE XREF: MiAddZeroingThreads+7F40Cj
		mov	eax, [edx+64h]
		mov	al, [esi+eax+4]
		test	al, 1
		jz	short loc_5F9EC6
		mov	eax, [edx+64h]
		lea	edi, [ebp+var_24]
		and	[ebp+var_10], 0
		mov	esi, [esi+eax+8]
		lea	esi, [esi+58h]
		movsd
		movsd
		movsd
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_5F9E83
		or	eax, 0FFFFFFFFh
		jmp	short loc_5F9E89
; 

loc_5F9E83:				; CODE XREF: MiAddZeroingThreads+7F3B6j
		bsf	eax, eax
		mov	[ebp+var_10], eax

loc_5F9E89:				; CODE XREF: MiAddZeroingThreads+7F3BBj
		xor	esi, esi
		cmp	esi, [ebp+var_8]
		jnb	short loc_5F9EB6
		mov	edx, [ebp+var_8]
		lea	edi, _KiProcessorBlock[eax*4]

loc_5F9E9A:				; CODE XREF: MiAddZeroingThreads+7F3E5j
		mov	ecx, [edi]
		mov	eax, [ecx+4]
		cmp	eax, [ecx+0Ch]
		jnz	short loc_5F9EA5
		inc	esi

loc_5F9EA5:				; CODE XREF: MiAddZeroingThreads+7F3DCj
		add	edi, 4
		sub	edx, 1
		jnz	short loc_5F9E9A
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_18]
		cmp	esi, [ebp+var_8]

loc_5F9EB6:				; CODE XREF: MiAddZeroingThreads+7F3C8j
		jz	short loc_5F9ED6
		test	esi, esi
		mov	esi, [ebp+var_C]
		jz	short loc_5F9EC6
		mov	eax, ebx
		mov	[ebp+var_4], eax
		jmp	short loc_5F9EC9
; 

loc_5F9EC6:				; CODE XREF: MiAddZeroingThreads+7F39Bj
					; MiAddZeroingThreads+7F3F7j
		mov	eax, [ebp+var_4]

loc_5F9EC9:				; CODE XREF: MiAddZeroingThreads+7F3FEj
		inc	ebx
		add	esi, 1Ch
		mov	[ebp+var_C], esi
		cmp	ebx, ecx
		jb	short loc_5F9E58
		jmp	short loc_5F9EE5
; 

loc_5F9ED6:				; CODE XREF: MiAddZeroingThreads:loc_5F9EB6j
		cmp	ebx, ecx
		jz	short loc_5F9EE2
		inc	dword ptr [edx+0E4h]
		jmp	short loc_5F9EFC
; 

loc_5F9EE2:				; CODE XREF: MiAddZeroingThreads+7F412j
		mov	eax, [ebp+var_4]

loc_5F9EE5:				; CODE XREF: MiAddZeroingThreads+7F387j
					; MiAddZeroingThreads+7F40Ej
		mov	ebx, eax
		cmp	eax, ecx
		jnz	short loc_5F9EF6
		inc	dword ptr [edx+0ECh]
		push	2
		pop	eax
		jmp	short loc_5F9F1B
; 

loc_5F9EF6:				; CODE XREF: MiAddZeroingThreads+7F423j
		inc	dword ptr [edx+0E8h]

loc_5F9EFC:				; CODE XREF: MiAddZeroingThreads+7F41Aj
		imul	ecx, ebx, 1Ch
		push	0
		push	0
		add	ecx, [edx+64h]
		mov	al, [ecx+4]
		inc	dword ptr [edx+74h]
		lea	eax, [ecx+0Ch]
		and	byte ptr [ecx+4], 0FEh
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	eax, eax

loc_5F9F1B:				; CODE XREF: MiAddZeroingThreads+7F42Ej
		pop	ebx
		jmp	loc_57AAF9
; END OF FUNCTION CHUNK	FOR MiAddZeroingThreads
; 
; START	OF FUNCTION CHUNK FOR KiEnableGroupScheduling

loc_5F9F21:				; CODE XREF: KiEnableGroupScheduling+60j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		jmp	loc_57AC12
; 

loc_5F9F2E:				; CODE XREF: KiEnableGroupScheduling+D7j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_57ACC3
; 

loc_5F9F3E:				; CODE XREF: KiEnableGroupScheduling+F9j
		lea	ecx, [ebp+var_14]
		call	KxWaitForLockChainValid

loc_5F9F46:				; CODE XREF: KiEnableGroupScheduling+E2j
		xor	ecx, ecx
		mov	[ebp+var_14], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_57ACC3
; END OF FUNCTION CHUNK	FOR KiEnableGroupScheduling
; 
; START	OF FUNCTION CHUNK FOR KeUpdateGroupSchedulingConstants

loc_5F9F57:				; CODE XREF: KeUpdateGroupSchedulingConstants+18j
		lea	edx, [ebp+var_10]
		mov	ecx, offset _KiSchedulingGroupLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		jmp	loc_57ACEE
; 

loc_5F9F69:				; CODE XREF: KeUpdateGroupSchedulingConstants+E5j
		test	ds:byte_70EFC6,	1
		jz	short loc_5F9F7F
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5F9FA7
; 

loc_5F9F7F:				; CODE XREF: KeUpdateGroupSchedulingConstants+7F2A0j
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_5F9F9E
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jz	short loc_5F9FA7
		call	KxWaitForLockChainValid

loc_5F9F9E:				; CODE XREF: KeUpdateGroupSchedulingConstants+7F2B4j
		mov	[ebp+var_10], edi
		add	eax, 4
		lock xor [eax],	ebx

loc_5F9FA7:				; CODE XREF: KeUpdateGroupSchedulingConstants+7F2ADj
					; KeUpdateGroupSchedulingConstants+7F2C7j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_57ADBB
; END OF FUNCTION CHUNK	FOR KeUpdateGroupSchedulingConstants
; 
; START	OF FUNCTION CHUNK FOR MiZeroPageThread

loc_5F9FB5:				; CODE XREF: MiZeroPageThread+17j
					; MiZeroPageThread+26j
		mov	eax, [edi+0E18h]
		xor	esi, esi
		mov	[esp+28h+var_18], eax
		push	esi
		mov	[esp+2Ch+var_14], esi
		or	dword ptr [eax+50h], 0FFFFFFFFh
		add	eax, 40h
		mov	ecx, eax
		mov	[esp+2Ch+var_C], eax
		call	_MiInitializeColorTable@8 ; MiInitializeColorTable(x,x)
		mov	ebx, large fs:124h
		mov	ecx, edi
		and	[esp+28h+var_10], esi
		mov	edx, ebx
		push	esi
		mov	[esp+2Ch+var_4], ebx
		or	dword ptr [ebx+300h], 400h
		call	_MiSetZeroPageThreadPriority@12	; MiSetZeroPageThreadPriority(x,x,x)
		mov	ebx, [esp+28h+var_18]
		mov	[esp+28h+var_8], eax

loc_5FA003:				; CODE XREF: MiZeroPageThread+7F28Dj
					; MiZeroPageThread+7F298j
		push	esi
		lea	edx, [esp+2Ch+var_10]
		mov	ecx, edi
		call	_MiWaitForFreePagesToZero@12 ; MiWaitForFreePagesToZero(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5FA05A
		cmp	esi, eax
		jz	short loc_5FA028
		mov	ecx, [esp+28h+var_C]
		mov	esi, eax
		push	eax
		mov	[esp+2Ch+var_14], esi
		call	_MiInitializeColorTable@8 ; MiInitializeColorTable(x,x)

loc_5FA028:				; CODE XREF: MiZeroPageThread+7F256j
		mov	esi, [esp+28h+var_18]
		xor	ebx, ebx

loc_5FA02E:				; CODE XREF: MiZeroPageThread+7F280j
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_MiGetPagesToZero@12 ; MiGetPagesToZero(x,x,x)
		test	eax, eax
		jnz	short loc_5FA042
		inc	ebx
		cmp	ebx, 2
		jbe	short loc_5FA02E

loc_5FA042:				; CODE XREF: MiZeroPageThread+7F27Aj
		mov	esi, [esp+28h+var_14]
		cmp	ebx, 2
		mov	ebx, [esp+28h+var_18]
		ja	short loc_5FA003
		mov	edx, edi
		mov	ecx, ebx
		call	_MiZeroPage@8	; MiZeroPage(x,x)
		jmp	short loc_5FA003
; 

loc_5FA05A:				; CODE XREF: MiZeroPageThread+7F252j
		push	[esp+28h+var_8]
		mov	esi, [esp+2Ch+var_4]
		mov	ecx, edi
		mov	edx, esi
		call	_MiSetZeroPageThreadPriority@12	; MiSetZeroPageThreadPriority(x,x,x)
		and	dword ptr [esi+300h], 0FFFFFBFFh
		mov	ecx, ebx
		call	_MiDeleteZeroThreadContext@4 ; MiDeleteZeroThreadContext(x)
		and	dword ptr [edi+0E18h], 0
		jmp	loc_57ADEC
; END OF FUNCTION CHUNK	FOR MiZeroPageThread
; 
; START	OF FUNCTION CHUNK FOR MiZeroBootLargePages

loc_5FA088:				; CODE XREF: MiZeroBootLargePages+3Cj
		mov	eax, 0C0000001h
		jmp	loc_57AFC4
; 

loc_5FA092:				; CODE XREF: MiZeroBootLargePages+C3j
		mov	ebx, [ebp+var_18]
		mov	esi, 0C000009Ah
		mov	eax, [ebp+var_24]
		mov	byte ptr [edi+0DFCh], 1
		jmp	loc_57AF04
; 

loc_5FA0A9:				; CODE XREF: MiZeroBootLargePages+8Cj
		mov	esi, eax
		jmp	loc_57AF04
; 

loc_5FA0B0:				; CODE XREF: MiZeroBootLargePages+151j
		xor	edi, edi
		mov	eax, edi
		mov	[ebp+var_28], eax
		jmp	loc_57AF8E
; 

loc_5FA0BC:				; CODE XREF: MiZeroBootLargePages+19Aj
		mov	edi, [ebp+var_1C]
		or	eax, 0FFFFFFFFh
		mov	byte ptr [edi+0DFCh], 1
		lock xadd [ecx], eax
		dec	eax
		jnz	short loc_5FA0DE
		xor	edx, edx
		lea	ecx, [edi+0DD4h]
		inc	edx
		call	KeSignalGate

loc_5FA0DE:				; CODE XREF: MiZeroBootLargePages+7F2D8j
		xor	edx, edx
		mov	ecx, edi
		call	MiZeroPageCalibrate
		mov	eax, [ebx+0FCh]
		test	eax, eax
		jz	short loc_5FA0F9
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5FA0F9:				; CODE XREF: MiZeroBootLargePages+7F2F9j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_18]
		lea	ecx, [edi+0DCCh]
		jmp	loc_57AF15
; END OF FUNCTION CHUNK	FOR MiZeroBootLargePages
; 
; START	OF FUNCTION CHUNK FOR SepAdtDetermineInsertQueue

loc_5FA10F:				; CODE XREF: SepAdtDetermineInsertQueue+2Cj
		mov	eax, ds:dword_6D717C
		cmp	eax, ds:_SepAdtMinListLength
		jnb	short loc_5FA18E
		mov	ds:_SepAdtDiscardingAudits, bl
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_5FA14C
		push	6
		xor	eax, eax
		lea	edi, [esp+24h+var_18]
		pop	ecx
		rep stosd
		mov	eax, ds:_SepAdtCountEventsDiscarded
		mov	[esp+20h+var_8], eax
		lea	eax, [esp+20h+var_18]
		push	eax
		call	_SepAdtGenerateDiscardAudit@4 ;	SepAdtGenerateDiscardAudit(x)
		jmp	short loc_5FA183
; 

loc_5FA14C:				; CODE XREF: SepAdtDetermineInsertQueue+7F0A0j
		push	20206553h
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_5FA183
		mov	eax, ds:_SepAdtCountEventsDiscarded
		push	1
		push	ecx
		mov	dword ptr [ecx+8], offset _SepAdtGenerateDiscardAudit@4	; SepAdtGenerateDiscardAudit(x)
		mov	[ecx+0Ch], ecx
		mov	[ecx], ebx
		mov	[ecx+10h], eax
		mov	byte ptr [ecx+14h], 1
		call	ExQueueWorkItem

loc_5FA183:				; CODE XREF: SepAdtDetermineInsertQueue+7F0C0j
					; SepAdtDetermineInsertQueue+7F0D7j
		mov	ds:_SepAdtCountEventsDiscarded,	ebx
		jmp	loc_57B0BC
; 

loc_5FA18E:				; CODE XREF: SepAdtDetermineInsertQueue+7F090j
		inc	ds:_SepAdtCountEventsDiscarded
		jmp	loc_57B0CF
; 

loc_5FA199:				; CODE XREF: SepAdtDetermineInsertQueue+3Dj
		mov	ds:_SepAdtDiscardingAudits, 1
		mov	ds:_SepAdtCountEventsDiscarded,	1
		jmp	loc_57B0CF
; END OF FUNCTION CHUNK	FOR SepAdtDetermineInsertQueue
; 
; START	OF FUNCTION CHUNK FOR WmipFirmwareTableHandler

loc_5FA1AF:				; CODE XREF: WmipFirmwareTableHandler+13j
					; WmipFirmwareTableHandler+27j	...
		mov	eax, 0C00000EFh
		jmp	loc_57B344
; END OF FUNCTION CHUNK	FOR WmipFirmwareTableHandler
; 
; START	OF FUNCTION CHUNK FOR PopNetEvaluationWorkerCallback

loc_5FA1B9:				; CODE XREF: PopNetEvaluationWorkerCallback+54j
		mov	[esp+20h+var_13], 1
		jmp	loc_57B42D
; 

loc_5FA1C3:				; CODE XREF: PopNetEvaluationWorkerCallback+68j
		cmp	ds:dword_6D6FD0, 0
		mov	bl, 1
		jz	loc_57B43C
		mov	cl, bl
		mov	[esp+20h+var_12], bl
		call	_PopNetSetResiliencyPhaseBias@4	; PopNetSetResiliencyPhaseBias(x)
		jmp	loc_57B43C
; 

loc_5FA1E2:				; CODE XREF: PopNetEvaluationWorkerCallback+9Cj
		cmp	ds:dword_6C238C, 0
		jnz	loc_57B470
		mov	ds:dword_6C238C, esi
		jmp	loc_57B470
; 

loc_5FA1FA:				; CODE XREF: PopNetEvaluationWorkerCallback+AEj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	esi, [esp+20h+var_10]
		mov	edi, [esp+20h+var_C]
		jmp	loc_57B487
; 

loc_5FA20F:				; CODE XREF: PopNetEvaluationWorkerCallback+F7j
		mov	ds:_PopNetDeferLogRequest, 1
		jmp	loc_57B3EB
; END OF FUNCTION CHUNK	FOR PopNetEvaluationWorkerCallback
; 
; START	OF FUNCTION CHUNK FOR PopReadUlongPowerKey

loc_5FA21B:				; CODE XREF: PopReadUlongPowerKey+1Aj
		mov	eax, [esi]
		cmp	eax, 64h
		jz	loc_57B520
		xor	edx, edx
		inc	edx
		cmp	eax, edx
		jb	short loc_5FA238
		push	0Ah
		pop	edx
		cmp	eax, edx
		jbe	loc_57B520

loc_5FA238:				; CODE XREF: PopReadUlongPowerKey+7ED31j
		mov	ecx, 0C0000232h
		mov	[esi], edx
		jmp	loc_57B520
; END OF FUNCTION CHUNK	FOR PopReadUlongPowerKey
; 
; START	OF FUNCTION CHUNK FOR PopReadRegKeyValue

loc_5FA244:				; CODE XREF: PopReadRegKeyValue+81j
		push	50455654h
		push	[ebp+var_C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_5FA263
		mov	edi, 0C0000017h
		jmp	loc_57B5B5
; 

loc_5FA263:				; CODE XREF: PopReadRegKeyValue+7ED31j
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_C]
		lea	eax, [ebp+var_14]
		push	esi
		push	2
		push	eax
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		jmp	loc_57B5AD
; 

loc_5FA280:				; CODE XREF: PopReadRegKeyValue+89j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_5FA296
		cmp	[esi+4], eax
		jz	short loc_5FA296
		mov	edi, 0C0000024h
		jmp	loc_57B5B5
; 

loc_5FA296:				; CODE XREF: PopReadRegKeyValue+7ED5Fj
					; PopReadRegKeyValue+7ED64j
		mov	eax, [ebp+arg_0]
		cmp	[esi+8], eax
		jnz	short loc_5FA2B3
		push	eax		; size_t
		lea	eax, [esi+0Ch]
		push	eax		; void *
		push	[ebp+arg_8]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_57B5B5
; 

loc_5FA2B3:				; CODE XREF: PopReadRegKeyValue+7ED76j
		mov	edi, ebx
		jmp	loc_57B5B5
; 

loc_5FA2BA:				; CODE XREF: PopReadRegKeyValue+9Fj
		push	50455654h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_57B5CB
; END OF FUNCTION CHUNK	FOR PopReadRegKeyValue
; 
; START	OF FUNCTION CHUNK FOR KeSetAffinityProcess

loc_5FA2CA:				; CODE XREF: KeSetAffinityProcess+47j
		test	dl, 1
		jnz	loc_57B621
		mov	[ebp+var_1D], al
		jmp	loc_57B621
; 

loc_5FA2DB:				; CODE XREF: KeSetAffinityProcess+82j
		movzx	eax, word ptr [ecx+40h]
		xor	edx, edx
		mov	[ebp+var_40], eax
		mov	esi, ebx
		cmp	dx, ax
		jnb	loc_57B6DD
		mov	eax, [ebp+var_2C]
		lea	edi, [ecx+48h]
		mov	[ebp+var_28], edi
		lea	ecx, [eax+8]

loc_5FA2FB:				; CODE XREF: KeSetAffinityProcess+7ED52j
		mov	edx, [edi]
		test	edx, edx
		jz	short loc_5FA318
		cmp	si, [eax]
		jnb	short loc_5FA315
		mov	edi, [ecx]
		or	edi, edx
		cmp	edi, edx
		jz	short loc_5FA312
		mov	edx, edi
		mov	bl, 1

loc_5FA312:				; CODE XREF: KeSetAffinityProcess+7ED38j
		mov	edi, [ebp+var_28]

loc_5FA315:				; CODE XREF: KeSetAffinityProcess+7ED30j
		or	[ebp+var_34], edx

loc_5FA318:				; CODE XREF: KeSetAffinityProcess+7ED2Bj
		inc	esi
		add	edi, 4
		add	ecx, 4
		mov	[ebp+var_28], edi
		cmp	si, word ptr [ebp+var_40]
		jb	short loc_5FA2FB
		mov	ecx, [ebp+var_24]
		test	bl, bl
		jz	loc_57B6DD
		lea	esi, [ebp+var_3C]
		lea	edi, [ecx+40h]
		movsd
		movsd
		movsd
		jmp	loc_57B6A3
; END OF FUNCTION CHUNK	FOR KeSetAffinityProcess
; 
; START	OF FUNCTION CHUNK FOR LdrpVerifyAlternateResourceModuleEx

loc_5FA341:				; CODE XREF: LdrpVerifyAlternateResourceModuleEx+1Dj
		push	eax
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		call	LdrResGetRCConfig
		test	eax, eax
		jns	short loc_5FA36E
		cmp	eax, 0C000008Ah
		jnz	loc_57B7EA

loc_5FA35C:				; CODE XREF: LdrpVerifyAlternateResourceModuleEx+2Dj
		test	[ebp+arg_8], 1000000h
		jz	loc_57B7EA
		jmp	loc_57B7E2
; 

loc_5FA36E:				; CODE XREF: LdrpVerifyAlternateResourceModuleEx+7EBE9j
		push	ebx
		push	1000h
		lea	eax, [ebp+var_8]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	LdrResGetRCConfig
		test	eax, eax
		js	loc_57B7EA
		mov	ebx, [ebp+var_4]
		mov	esi, [ebp+var_8]
		jmp	loc_57B7AA
; END OF FUNCTION CHUNK	FOR LdrpVerifyAlternateResourceModuleEx
; 
; START	OF FUNCTION CHUNK FOR RtlpHpMetadataCommit

loc_5FA394:				; CODE XREF: RtlpHpMetadataCommit+1Ej
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		mov	edx, ebx
		push	ecx
		sub	edx, [eax+4]
		lea	ecx, [eax+8]
		shr	edx, 14h
		add	edx, edx
		call	RtlCSparseBitmapBitmaskRead
		test	eax, eax
		jnz	short loc_5FA3BE
		push	2
		pop	eax
		jmp	loc_57B858
; 

loc_5FA3BE:				; CODE XREF: RtlpHpMetadataCommit+7EB82j
		dec	eax
		jmp	loc_57B858
; END OF FUNCTION CHUNK	FOR RtlpHpMetadataCommit
; 
; START	OF FUNCTION CHUNK FOR MiInitializeWorkingSetManagerParameters

loc_5FA3C4:				; CODE XREF: MiInitializeWorkingSetManagerParameters+1Ej
		and	[ebp+var_4], 0
		jmp	loc_57B900
; 

loc_5FA3CD:				; CODE XREF: MiInitializeWorkingSetManagerParameters+A2j
		mov	edi, eax
		jmp	loc_57B93E
; 

loc_5FA3D4:				; CODE XREF: MiInitializeWorkingSetManagerParameters+AEj
		lea	eax, [edi-200000h]
		shr	eax, 7
		add	eax, 10000h
		jmp	loc_57B94F
; 

loc_5FA3E7:				; CODE XREF: MiInitializeWorkingSetManagerParameters+C0j
		mov	eax, ecx
		jmp	loc_57B95C
; 

loc_5FA3EE:				; CODE XREF: MiInitializeWorkingSetManagerParameters+D5j
		mov	ecx, edi
		shr	ecx, 5
		jmp	loc_57B980
; 

loc_5FA3F8:				; CODE XREF: MiInitializeWorkingSetManagerParameters+F1j
		mov	ecx, edx
		jmp	loc_57B98D
; 

loc_5FA3FF:				; CODE XREF: MiInitializeWorkingSetManagerParameters+108j
		mov	eax, edx
		jmp	loc_57B9A4
; 

loc_5FA406:				; CODE XREF: MiInitializeWorkingSetManagerParameters+138j
		push	64h
		pop	eax
		jmp	loc_57B9DF
; 

loc_5FA40E:				; CODE XREF: MiInitializeWorkingSetManagerParameters+14Bj
		mov	eax, edi
		shr	eax, 1
		jnz	loc_57B9E7
		xor	eax, eax
		inc	eax
		jmp	loc_57B9E7
; 

loc_5FA420:				; CODE XREF: MiInitializeWorkingSetManagerParameters+19Bj
		test	edi, edi
		jz	short loc_5FA433
		mov	ecx, edi
		sub	ecx, eax
		shr	ecx, 1
		jz	short loc_5FA433
		add	eax, ecx
		jmp	loc_57BA39
; 

loc_5FA433:				; CODE XREF: MiInitializeWorkingSetManagerParameters+7EB8Cj
					; MiInitializeWorkingSetManagerParameters+7EB94j
		xor	eax, eax
		inc	eax
		jmp	loc_57BA39
; 

loc_5FA43B:				; CODE XREF: MiInitializeWorkingSetManagerParameters+1BFj
		mov	ecx, edi
		sub	ecx, eax
		shr	ecx, 1
		add	ecx, eax
		jmp	loc_57BA5B
; END OF FUNCTION CHUNK	FOR MiInitializeWorkingSetManagerParameters
; 
; START	OF FUNCTION CHUNK FOR PoFxRegisterDripsWatchdogCallback

loc_5FA448:				; CODE XREF: PoFxRegisterDripsWatchdogCallback+1Ej
		push	eax
		push	eax
		mov	edx, esi
		mov	ecx, 622h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
		int	3		; Trap to Debugger

loc_5FA457:				; CODE XREF: MiAllocateMappedWriterMdls+3Dj
		cmp	[ebp+var_4], edi
		jnz	loc_57BB6A
		mov	edi, 0C000009Ah
		jmp	loc_57BB6A
; END OF FUNCTION CHUNK	FOR PoFxRegisterDripsWatchdogCallback
; 
; START	OF FUNCTION CHUNK FOR MiAllocateMappedWriterMdls

loc_5FA46A:				; CODE XREF: MiAllocateMappedWriterMdls+B7j
		movsx	eax, bh
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	KiSetPriorityThread
		jmp	loc_57BBBC
; END OF FUNCTION CHUNK	FOR MiAllocateMappedWriterMdls
; 
; START	OF FUNCTION CHUNK FOR RtlPcToFileName

loc_5FA47C:				; CODE XREF: RtlPcToFileName+1Dj
					; RtlPcToFileName+2Aj
		push	offset _PsLoadedModuleSpinLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		cmp	cl, 1Bh
		jnb	short loc_5FA494
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5FA494:				; CODE XREF: RtlPcToFileName+7E8B8j
		mov	eax, 0C0000225h
		jmp	loc_57BC40
; END OF FUNCTION CHUNK	FOR RtlPcToFileName
; 
; START	OF FUNCTION CHUNK FOR PpmHeteroHgsBackupInit

loc_5FA49E:				; CODE XREF: PpmHeteroHgsBackupInit+26j
		push	0
		push	0
		mov	edx, offset _PpmHeteroHgsBackupProcessorInit@12	; PpmHeteroHgsBackupProcessorInit(x,x,x)
		mov	ecx, offset _PpmCheckRegistered
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		mov	cl, 1
		call	_PpmReinitializeHeteroEngine@4 ; PpmReinitializeHeteroEngine(x)
		jmp	loc_57BC79
; END OF FUNCTION CHUNK	FOR PpmHeteroHgsBackupInit
; 
; START	OF FUNCTION CHUNK FOR PpmHeteroInitializeHgsSupport

loc_5FA4BD:				; CODE XREF: PpmHeteroInitializeHgsSupport+74j
		mov	eax, [ebp+var_8]
		test	al, 1
		jz	loc_5FA58B
		test	al, 2
		jz	loc_5FA58B
		push	24h
		shr	eax, 8
		xor	edi, edi
		push	1
		and	eax, 0Fh
		inc	eax
		shl	eax, 0Ch
		push	eax
		push	edi
		push	edi
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	edi
		push	edi
		call	_MmAllocatePagesForMdlEx@36 ; MmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_5FA4FE
		mov	esi, 0C000009Ah
		jmp	loc_57BCFD
; 

loc_5FA4FE:				; CODE XREF: PpmHeteroInitializeHgsSupport+7E874j
		test	byte ptr [ebx+6], 5
		jz	short loc_5FA509
		mov	esi, [ebx+0Ch]
		jmp	short loc_5FA51B
; 

loc_5FA509:				; CODE XREF: PpmHeteroInitializeHgsSupport+7E884j
		push	40000000h
		push	edi
		push	edi
		push	1
		push	edi
		push	ebx
		call	MmMapLockedPagesSpecifyCache
		mov	esi, eax

loc_5FA51B:				; CODE XREF: PpmHeteroInitializeHgsSupport+7E889j
		test	esi, esi
		jnz	short loc_5FA526
		mov	esi, 0C000009Ah
		jmp	short loc_5FA595
; 

loc_5FA526:				; CODE XREF: PpmHeteroInitializeHgsSupport+7E89Fj
		mov	eax, [ebx+1Ch]
		xor	edx, edx
		shld	edx, eax, 0Ch
		mov	ecx, 17D0h
		shl	eax, 0Ch
		or	eax, 1
		wrmsr
		push	edi
		xor	eax, eax
		inc	ecx
		push	offset _PpmHeteroHgsUpdateDpcRoutine@16	; PpmHeteroHgsUpdateDpcRoutine(x,x,x,x)
		inc	eax
		mov	edx, edi
		push	offset _PpmHeteroHgsUpdateDpc
		wrmsr
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	ds:_PpmHeteroHgsInterface, esi
		mov	esi, edi
		mov	ds:byte_70EE81,	3
		mov	ds:dword_70EE78, offset	_PpmHeteroHgsUpdateWorker@4 ; PpmHeteroHgsUpdateWorker(x)
		mov	ds:dword_70EE7C, edi
		mov	ds:_PpmHeteroHgsUpdateWorkItem,	edi
		mov	ds:_PpmHeteroHgsTableMdl, ebx
		mov	ds:_PpmHeteroHgsEnabled, 1
		jmp	loc_57BCFD
; 

loc_5FA58B:				; CODE XREF: PpmHeteroInitializeHgsSupport+7E844j
					; PpmHeteroInitializeHgsSupport+7E84Cj
		mov	ebx, [ebp+var_1C]
		mov	esi, 0C00000BBh
		xor	edi, edi

loc_5FA595:				; CODE XREF: PpmHeteroInitializeHgsSupport+7E8A6j
		test	ebx, ebx
		jz	loc_57BCFD
		xor	edx, edx
		mov	ecx, ebx
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_57BCFD
; END OF FUNCTION CHUNK	FOR PpmHeteroInitializeHgsSupport
; 
; START	OF FUNCTION CHUNK FOR PopOpenThermalLoggingKey

loc_5FA5B2:				; CODE XREF: PopOpenThermalLoggingKey+30j
		xor	esi, esi
		mov	eax, offset _PopThermalLoggingVolatileRegKey
		inc	esi
		jmp	loc_57BD76
; END OF FUNCTION CHUNK	FOR PopOpenThermalLoggingKey
; 
; START	OF FUNCTION CHUNK FOR SecureDump_PrepareForInit

loc_5FA5BF:				; CODE XREF: SecureDump_PrepareForInit+7Dj
		mov	ecx, [ebp+var_4]
		push	0
		push	ecx
		mov	eax, [ecx]
		mov	ds:dword_6CF2C8, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_4], 0
		cmp	ds:dword_6CF2C8, 0
		jz	loc_57BEA3
		jmp	loc_57BECD
; 

loc_5FA5E7:				; CODE XREF: SecureDump_PrepareForInit+A0j
		mov	ecx, [ebp+var_4]
		push	0
		push	ecx
		mov	eax, [ecx]
		mov	ds:dword_6CF2CC, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	ds:dword_6CF2CC, 0
		jz	short loc_5FA647
		push	offset dword_6CF2D4
		push	offset dword_6CF2D0
		push	3
		mov	edx, offset ??_C@_1BE@KFJNGKKA@?$AAP?$AAu?$AAb?$AAl?$AAi?$AAc?$AAK?$AAe?$AAy@FNODOBFM@
		mov	byte ptr [ebx],	1
		lea	ecx, [ebp+var_10]
		call	SecureDump_ReadRegistry
		test	eax, eax
		js	loc_57BECF
		push	offset dword_6CF2D8
		push	offset dword_6CF2DC
		push	1
		mov	edx, offset ??_C@_1BG@GFMKNFOD@?$AAT?$AAh?$AAu?$AAm?$AAb?$AAp?$AAr?$AAi?$AAn?$AAt@FNODOBFM@
		lea	ecx, [ebp+var_10]
		call	SecureDump_ReadRegistry
		test	eax, eax
		js	loc_57BECF

loc_5FA647:				; CODE XREF: SecureDump_PrepareForInit+7E7E4j
		mov	ds:_ForceDumpDisabled, 0
		jmp	loc_57BEDC
; 

loc_5FA653:				; CODE XREF: SecureDump_PrepareForInit+BAj
		mov	eax, ds:dword_6CF2D0
		test	eax, eax
		jz	short loc_5FA66B
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	ds:dword_6CF2D0, 0

loc_5FA66B:				; CODE XREF: SecureDump_PrepareForInit+7E83Ej
		test	esi, esi
		jz	loc_57BEE6
		mov	ecx, esi
		mov	ds:_SecureDmpEncryptionContext,	3
		call	_SecureDump_LogErrorEvent@4 ; SecureDump_LogErrorEvent(x)
		jmp	loc_57BEE6
; END OF FUNCTION CHUNK	FOR SecureDump_PrepareForInit
; 
; START	OF FUNCTION CHUNK FOR SecureDump_ReadRegistry

loc_5FA689:				; CODE XREF: SecureDump_ReadRegistry+48j
		mov	esi, [ebp+var_8]
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_5FA6DC
		mov	eax, [ebp+arg_0]
		cmp	eax, [esi+4]
		jnz	short loc_5FA6D5
		push	706D6453h
		push	ecx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jz	short loc_5FA6CE
		mov	ecx, [ebp+arg_8]
		mov	eax, [esi+0Ch]
		mov	[ecx], eax
		push	dword ptr [esi+0Ch] ; size_t
		mov	eax, [esi+8]
		add	eax, esi
		push	eax		; void *
		push	dword ptr [ebx]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_5FA6E1
; 

loc_5FA6CE:				; CODE XREF: SecureDump_ReadRegistry+7E7C3j
		mov	edi, 0C000009Ah
		jmp	short loc_5FA6E1
; 

loc_5FA6D5:				; CODE XREF: SecureDump_ReadRegistry+7E7ADj
		mov	edi, 0C0000024h
		jmp	short loc_5FA6E1
; 

loc_5FA6DC:				; CODE XREF: SecureDump_ReadRegistry+7E7A5j
		mov	edi, 0C0000004h

loc_5FA6E1:				; CODE XREF: SecureDump_ReadRegistry+7E7E0j
					; SecureDump_ReadRegistry+7E7E7j ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_57BF3A
; END OF FUNCTION CHUNK	FOR SecureDump_ReadRegistry
; 
; START	OF FUNCTION CHUNK FOR BgkSetVirtualFrameBuffer

loc_5FA6EE:				; CODE XREF: BgkSetVirtualFrameBuffer+15j
		cmp	ds:dword_6D4D54, 0
		jnz	loc_57BF9C
		mov	eax, 0C00000F0h
		jmp	locret_57C0AD
; 

loc_5FA705:				; CODE XREF: BgkSetVirtualFrameBuffer+5Fj
		mov	ecx, eax
		jmp	loc_57BFEE
; 

loc_5FA70C:				; CODE XREF: BgkSetVirtualFrameBuffer+7Bj
		xor	dl, dl
		jmp	loc_57C010
; 

loc_5FA713:				; CODE XREF: BgkSetVirtualFrameBuffer+A4j
		mov	eax, 0C0000001h
		jmp	loc_57C0AA
; 

loc_5FA71D:				; CODE XREF: BgkSetVirtualFrameBuffer+B8j
		push	[ebp+var_8]
		push	esi
		push	eax
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		mov	[ebp+var_1], 1
		jmp	loc_57C046
; 

loc_5FA730:				; CODE XREF: BgkSetVirtualFrameBuffer+AEj
		call	_BgAcquireSpinLock@0 ; BgAcquireSpinLock()
		push	esi		; size_t
		push	dword ptr [edi+18h] ; void *
		push	dword ptr [ebx]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_1], 1
		jmp	loc_57C04B
; 

loc_5FA74C:				; CODE XREF: BgkSetVirtualFrameBuffer+D6j
		xor	edx, edx
		mov	[eax+4], edx
		mov	eax, [ebx+8]
		mov	[eax+0Ch], edx
		mov	ecx, [ebx+8]
		mov	eax, [edi+8]
		mov	[ecx+8], eax
		mov	ecx, [ebx+8]
		mov	eax, [edi+4]
		mov	[ecx+10h], eax
		jmp	loc_57C071
; 

loc_5FA76E:				; CODE XREF: BgkSetVirtualFrameBuffer+43j
					; BgkSetVirtualFrameBuffer+4Dj
		mov	eax, 0C0000002h
		jmp	loc_57C0AA
; END OF FUNCTION CHUNK	FOR BgkSetVirtualFrameBuffer
; 
; START	OF FUNCTION CHUNK FOR IoAddTriageDumpDataBlock

loc_5FA778:				; CODE XREF: IoAddTriageDumpDataBlock+48j
		push	esi
		push	edi
		push	ecx
		call	KeAddTriageDumpDataBlock
		jmp	loc_57C440
; END OF FUNCTION CHUNK	FOR IoAddTriageDumpDataBlock
; 
; START	OF FUNCTION CHUNK FOR IopAddTriageDumpDataBlock

loc_5FA785:				; CODE XREF: IopAddTriageDumpDataBlock+52j
					; IopAddTriageDumpDataBlock+7E378j
		mov	eax, [edx+4]
		cmp	edi, eax
		jnb	short loc_5FA7B3
		mov	esi, [edx]
		cmp	ecx, esi
		mov	[ebp+arg_4], esi
		mov	esi, [ebp+var_C]
		jbe	short loc_5FA7B3
		cmp	edi, [ebp+arg_4]
		jb	short loc_5FA7A9
		cmp	ecx, eax
		jbe	loc_57C4CB
		mov	edi, eax
		jmp	short loc_5FA7B3
; 

loc_5FA7A9:				; CODE XREF: IopAddTriageDumpDataBlock+7E353j
		cmp	ecx, eax
		ja	short loc_5FA7B3
		mov	ecx, [ebp+arg_4]
		mov	[ebp+arg_8], ecx

loc_5FA7B3:				; CODE XREF: IopAddTriageDumpDataBlock+7E342j
					; IopAddTriageDumpDataBlock+7E34Ej ...
		mov	eax, [ebp+var_4]
		add	edx, 8
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, [ebp+var_10]
		jb	short loc_5FA785
		mov	eax, [ebp+var_8]
		jmp	loc_57C4A0
; END OF FUNCTION CHUNK	FOR IopAddTriageDumpDataBlock
; 
; START	OF FUNCTION CHUNK FOR WheaWmiDispatch

loc_5FA7CA:				; CODE XREF: WheaWmiDispatch+22j
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+arg_8] ; int
		push	[ebp+arg_C]	; int
		mov	ecx, [ebp+arg_4] ; void	*
		call	_WheapWmiExecuteMethod@16 ; WheapWmiExecuteMethod(x,x,x,x)
		jmp	loc_57C50B
; 

loc_5FA7E0:				; CODE XREF: WheaWmiDispatch+14j
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_8]
		push	[ebp+arg_C]
		call	WheapWmiGetSingleInstance
		jmp	loc_57C50B
; 

loc_5FA7F3:				; CODE XREF: WheaWmiDispatch+Bj
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_8]
		push	[ebp+arg_C]
		call	WheapWmiGetAllData
		jmp	loc_57C50B
; END OF FUNCTION CHUNK	FOR WheaWmiDispatch
; 
; START	OF FUNCTION CHUNK FOR WheapWmiRegisterInfo

loc_5FA806:				; CODE XREF: WheapWmiRegisterInfo+Dj
		cmp	edx, 4
		jb	short loc_5FA813
		mov	eax, [ebp+arg_0]
		push	4
		mov	[eax], ebx
		pop	ebx

loc_5FA813:				; CODE XREF: WheapWmiRegisterInfo+7E2E9j
		mov	eax, 0C0000023h
		jmp	loc_57C5A4
; END OF FUNCTION CHUNK	FOR WheapWmiRegisterInfo
; 
; START	OF FUNCTION CHUNK FOR IopInitializeOfflineCrashDump

loc_5FA81D:				; CODE XREF: IopInitializeOfflineCrashDump+65j
		mov	ds:dword_6D4D88, 0C0000225h
		jmp	loc_57C63D
; 

loc_5FA82C:				; CODE XREF: IopInitializeOfflineCrashDump+75j
		cmp	eax, 2
		ja	loc_57C629
		push	8
		pop	ecx
		push	0
		mov	edi, offset _PoOffCrashConfigTable
		lea	eax, [ebp+var_2C]
		rep movsd
		push	20019h
		push	eax
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	IopOpenRegistryKey
		test	eax, eax
		jns	short loc_5FA862
		mov	ds:dword_6D4D88, eax
		jmp	loc_57C633
; 

loc_5FA862:				; CODE XREF: IopInitializeOfflineCrashDump+7E2A8j
		mov	ecx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		push	eax
		xor	esi, esi
		mov	edx, offset ??_C@_1CG@ICFLECDK@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAO?$AAf?$AAf?$AAl?$AAi?$AAn?$AAe?$AAD?$AAu@FNODOBFM@
		push	esi
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_5FA8A1
		mov	ecx, [ebp+var_20]
		cmp	[ecx+0Ch], esi
		jz	short loc_5FA888
		mov	eax, [ecx+8]
		mov	ebx, [ecx+eax]

loc_5FA888:				; CODE XREF: IopInitializeOfflineCrashDump+7E2D2j
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	ebx, 1
		jnz	short loc_5FA8A1
		mov	ds:_OfflineDumpEnabled,	bl
		mov	byte ptr [ebp+var_15], bl
		xor	ebx, ebx
		jmp	short loc_5FA8BF
; 

loc_5FA8A1:				; CODE XREF: IopInitializeOfflineCrashDump+7E2CAj
					; IopInitializeOfflineCrashDump+7E2E4j
		xor	ebx, ebx
		cmp	ds:_PoOffCrashConfigTable, 2
		mov	ds:_OfflineDumpEnabled,	bl
		jb	short loc_5FA8BF
		test	byte ptr ds:dword_6C3DA8, 4
		jz	short loc_5FA8BF
		mov	byte ptr [ebp+var_15], 4

loc_5FA8BF:				; CODE XREF: IopInitializeOfflineCrashDump+7E2F1j
					; IopInitializeOfflineCrashDump+7E302j	...
		push	ebx
		lea	eax, [ebp+var_24]
		mov	esi, offset ??_C@_1DO@NFBBLGPP@?$AAO?$AAf?$AAf?$AAl?$AAi?$AAn?$AAe?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAD?$AAu@FNODOBFM@
		push	eax
		lea	eax, [ebp+var_16]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_15+1]
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		test	eax, eax
		js	short loc_5FA8E3
		mov	al, [ebp+var_16]
		cmp	al, byte ptr [ebp+var_15]
		jz	short loc_5FA8F5

loc_5FA8E3:				; CODE XREF: IopInitializeOfflineCrashDump+7E32Bj
		push	7
		push	1
		lea	eax, [ebp+var_15]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_15+1]
		call	_IoSetEnvironmentVariableEx@20 ; IoSetEnvironmentVariableEx(x,x,x,x,x)

loc_5FA8F5:				; CODE XREF: IopInitializeOfflineCrashDump+7E333j
		cmp	ds:_OfflineDumpEnabled,	0
		jz	loc_57C633
		lea	ecx, [ebp+var_1C]
		call	_IopCachePreviousBootData@4 ; IopCachePreviousBootData(x)
		call	_IopInitializeInMemoryDumpData@0 ; IopInitializeInMemoryDumpData()
		call	_IopConstructInMemoryDumpHeader@0 ; IopConstructInMemoryDumpHeader()
		mov	ecx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		mov	edx, offset ??_C@_1BO@PCHGCCLM@?$AAA?$AAt?$AAt?$AAe?$AAm?$AAp?$AAt?$AAO?$AAf?$AAf?$AAl?$AAi?$AAn?$AAe@FNODOBFM@
		call	IopGetRegistryValue
		test	eax, eax
		js	loc_57C633
		mov	ecx, [ebp+var_20]
		cmp	[ecx+0Ch], ebx
		jz	short loc_5FA941
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	ds:_DumpPolicyAttemptOffline, eax

loc_5FA941:				; CODE XREF: IopInitializeOfflineCrashDump+7E386j
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_57C633
; 

loc_5FA94D:				; CODE XREF: IopInitializeOfflineCrashDump+89j
		push	0
		push	[ebp+var_1C]
		call	ObCloseHandle
		jmp	loc_57C63D
; END OF FUNCTION CHUNK	FOR IopInitializeOfflineCrashDump
; 
; START	OF FUNCTION CHUNK FOR SecureDump_Init

loc_5FA95C:				; CODE XREF: SecureDump_Init+17j
		mov	ds:byte_6CF2C4,	1
		call	_SecureDump_SymmetricEncryptionSetup@0 ; SecureDump_SymmetricEncryptionSetup()
		mov	esi, eax
		test	esi, esi
		js	loc_57C679
		call	_SecureDump_EncryptSymmetricKeyWithPublicKey@0 ; SecureDump_EncryptSymmetricKeyWithPublicKey()
		mov	esi, eax
		test	esi, esi
		js	loc_57C679
		mov	eax, ds:dword_6CF2D8
		add	eax, 1FA7h
		add	eax, ds:dword_6CF2E4
		and	eax, 0FFFFF000h
		mov	ds:dword_6CF2FC, eax
		jmp	loc_57C66F
; 

loc_5FA9A0:				; CODE XREF: SecureDump_Init+35j
		mov	esi, 0C0000001h
		jmp	loc_5FAA38
; 

loc_5FA9AA:				; CODE XREF: SecureDump_Init+3Ej
		test	eax, eax
		jnz	short loc_5FA9B8
		mov	eax, 0C0000010h
		jmp	loc_57C692
; 

loc_5FA9B8:				; CODE XREF: SecureDump_Init+7E360j
		test	esi, esi
		jns	short loc_5FAA38
		mov	ecx, ds:dword_6CF2EC
		mov	ds:byte_6CF2C4,	bl
		test	ecx, ecx
		jz	short loc_5FA9D7
		call	_BCryptCloseAlgorithmProvider@8	; BCryptCloseAlgorithmProvider(x,x)
		mov	ds:dword_6CF2EC, ebx

loc_5FA9D7:				; CODE XREF: SecureDump_Init+7E37Ej
		mov	ecx, ds:dword_6CF2F0
		test	ecx, ecx
		jz	short loc_5FA9EC
		call	_BCryptDestroyKey@4 ; BCryptDestroyKey(x)
		mov	ds:dword_6CF2F0, ebx

loc_5FA9EC:				; CODE XREF: SecureDump_Init+7E393j
		mov	eax, ds:dword_6CF2E0
		test	eax, eax
		jz	short loc_5FAA02
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ds:dword_6CF2E0, ebx

loc_5FAA02:				; CODE XREF: SecureDump_Init+7E3A7j
		mov	eax, ds:dword_6CF2DC
		test	eax, eax
		jz	short loc_5FAA18
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ds:dword_6CF2DC, ebx

loc_5FAA18:				; CODE XREF: SecureDump_Init+7E3BDj
		mov	eax, ds:dword_6CF2D0
		test	eax, eax
		jz	short loc_5FAA2E
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ds:dword_6CF2D0, ebx

loc_5FAA2E:				; CODE XREF: SecureDump_Init+7E3D3j
		mov	ds:_SecureDmpEncryptionContext,	3

loc_5FAA38:				; CODE XREF: SecureDump_Init+7E359j
					; SecureDump_Init+7E36Ej
		mov	eax, esi
		jmp	loc_57C692
; END OF FUNCTION CHUNK	FOR SecureDump_Init
; 
; START	OF FUNCTION CHUNK FOR PopFxLowPowerEpochCallback

loc_5FAA3F:				; CODE XREF: PopFxLowPowerEpochCallback+61j
		mov	ecx, [esi+40h]
		mov	byte ptr [ebp+arg_0+3],	bl
		test	ecx, ecx
		jz	short loc_5FAA59
		mov	al, ds:_PopFxLowPowerEpoch
		mov	byte ptr [ebp+arg_0+3],	al
		lea	eax, [ebp+arg_0+3]
		push	eax
		push	18h
		call	ecx

loc_5FAA59:				; CODE XREF: PopFxLowPowerEpochCallback+7E32Dj
		mov	esi, [esi]
		jmp	loc_57C775
; END OF FUNCTION CHUNK	FOR PopFxLowPowerEpochCallback
; 
; START	OF FUNCTION CHUNK FOR CcSetupWatchForRegistryChanges

loc_5FAA60:				; CODE XREF: CcSetupWatchForRegistryChanges+35j
		mov	edi, 0C000009Ah
		mov	[ebp+var_1C], edi
		jmp	loc_57C8DB
; 

loc_5FAA6D:				; CODE XREF: CcSetupWatchForRegistryChanges+A5j
		lea	eax, [ebx+20h]
		push	eax
		push	edi
		push	offset ??_C@_0EJ@PDDMCIBN@CcSetupWatchForRegistryChanges?3@FNODOBFM@
		jmp	short loc_5FAA8B
; 

loc_5FAA79:				; CODE XREF: CcSetupWatchForRegistryChanges+CEj
		test	edi, edi
		jns	loc_57C8D1
		lea	eax, [ebx+20h]
		push	eax
		push	edi		; char
		push	offset ??_C@_0EB@FFFDFNCH@CcSetupWatchForRegistryChanges?3@FNODOBFM@ ; char *

loc_5FAA8B:				; CODE XREF: CcSetupWatchForRegistryChanges+7E28Fj
		push	esi		; int
		push	7Fh		; int
		call	_DbgPrintEx
		add	esp, 14h
		jmp	loc_57C8DB
; END OF FUNCTION CHUNK	FOR CcSetupWatchForRegistryChanges

;  S U B	R O U T	I N E 


sub_5FAA9B	proc near		; DATA XREF: .text:006A7608o
		xor	esi, esi
		mov	edi, [ebp-1Ch]
		mov	ebx, [ebp-20h]
		jmp	sub_57C8F7
sub_5FAA9B	endp

; 
; START	OF FUNCTION CHUNK FOR sub_57C8F7

loc_5FAAA8:				; CODE XREF: sub_57C8F7+2j
		push	offset ??_C@_0EF@LAELPHAK@CcSetupWatchForRegistryChanges?3@FNODOBFM@ ; char *
		push	esi		; int
		push	7Fh		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		jmp	locret_57C907
; 

loc_5FAABD:				; CODE XREF: sub_57C8F7+Aj
		push	dword ptr [ebx+24h]
		push	dword ptr [ebx+20h]
		push	edi		; char
		push	offset ??_C@_0FA@MMLONJKN@CcSetupWatchForRegistryChanges?3@FNODOBFM@ ; char *
		push	2		; int
		push	7Fh		; int
		call	_DbgPrintEx
		add	esp, 18h
		mov	byte ptr [ebx+28h], 1
		push	1
		push	ebx
		call	ExQueueWorkItem
		jmp	locret_57C907
; END OF FUNCTION CHUNK	FOR sub_57C8F7
; 
; START	OF FUNCTION CHUNK FOR PpmHeteroHgsProcessorInit

loc_5FAAE6:				; CODE XREF: PpmHeteroHgsProcessorInit+24j
		xor	eax, eax
		lea	edi, [esp+38h+var_14]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		cpuid
		mov	esi, ebx
		lea	edi, [esp+3Ch+var_14]
		pop	ebx
		nop
		mov	[edi], eax
		xor	eax, eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		xor	ecx, ecx
		mov	[edi+0Ch], edx
		lea	edi, [esp+38h+var_24]
		stosd
		push	6
		stosd
		stosd
		stosd
		pop	eax
		push	ebx
		cpuid
		mov	esi, ebx
		lea	edi, [esp+3Ch+var_24]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	ecx, [esp+38h+var_28]
		mov	[edi+0Ch], edx
		mov	eax, [esp+38h+var_18]
		shr	eax, 10h
		cmp	[esp+38h+var_14], 7
		mov	[ecx+3F12h], ax
		jb	loc_57C9CA
		xor	eax, eax
		lea	edi, [esp+38h+var_24]
		stosd
		xor	ecx, ecx
		push	7
		stosd
		stosd
		stosd
		pop	eax
		push	ebx
		cpuid
		mov	esi, ebx
		lea	edi, [esp+3Ch+var_24]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	[esp+38h+var_18], 8000h
		jz	loc_57C9CA
		cmp	[esp+38h+var_14], 1Ah
		mov	ds:_PpmHeteroHgsHeteroCoreTypes, 1
		jb	loc_57C9CA
		xor	eax, eax
		lea	edi, [esp+38h+var_24]
		stosd
		xor	ecx, ecx
		push	1Ah
		stosd
		stosd
		stosd
		pop	eax
		push	ebx
		cpuid
		mov	esi, ebx
		lea	edi, [esp+3Ch+var_24]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	ecx, [esp+38h+var_28]
		mov	[edi+0Ch], edx
		mov	eax, [esp+38h+var_24]
		shr	eax, 18h
		mov	[ecx+3F17h], al
		jmp	loc_57C9CA
; END OF FUNCTION CHUNK	FOR PpmHeteroHgsProcessorInit
; 
; START	OF FUNCTION CHUNK FOR PoFxProcessorNotification

loc_5FABCC:				; CODE XREF: PoFxProcessorNotification+Dj
		mov	edx, [eax+44h]
		test	edx, edx
		jz	loc_57C9F5
		push	[ebp+arg_8]
		mov	eax, [ecx+28h]
		push	[ebp+arg_4]
		push	eax
		call	edx
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFF45h
		add	eax, 0C00000BBh
		jmp	loc_57C9FA
; END OF FUNCTION CHUNK	FOR PoFxProcessorNotification
; 
; START	OF FUNCTION CHUNK FOR ExInitializeFastResource

loc_5FABF9:				; CODE XREF: ExInitializeFastResource+Dj
		push	0
		push	1
		movzx	eax, al
		push	eax
		push	0
		jmp	short loc_5FAC0F
; 

loc_5FAC05:				; CODE XREF: ExInitializeFastResource+1Aj
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	10h

loc_5FAC0F:				; CODE XREF: ExInitializeFastResource+7E131j
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5FAC1A:				; CODE XREF: ExpInitializeResource+2Cj
		call	_RtlLogStackBackTraceEx@4 ; RtlLogStackBackTraceEx(x)
		movzx	edi, ax
		jmp	loc_57CBA8
; END OF FUNCTION CHUNK	FOR ExInitializeFastResource
; 
; START	OF FUNCTION CHUNK FOR PopProcessorSetPep

loc_5FAC27:				; CODE XREF: PopProcessorSetPep+Fj
		xor	esi, esi
		cmp	[eax+44h], esi
		jz	loc_57CBC3
		mov	ecx, [ebp+arg_0]
		mov	ds:_PopFxProcessorPlugin, eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	[eax+3EF0h], edi
		jmp	loc_57CBC8
; END OF FUNCTION CHUNK	FOR PopProcessorSetPep
; 
; START	OF FUNCTION CHUNK FOR PoFxSetComponentResidency

loc_5FAC4A:				; CODE XREF: PoFxSetComponentResidency+45j
		mov	eax, ds:dword_6C1D74
		push	offset _POP_ETW_EVENT_COMPONENT_RESIDENCY
		push	eax
		mov	[ebp+var_40], eax
		mov	eax, ds:_PopDiagHandle
		push	eax
		mov	[ebp+var_44], eax
		call	EtwEventEnabled
		test	al, al
		jz	loc_57CC21
		push	4
		pop	ecx
		lea	eax, [ebp+var_38]
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_34], eax
		xor	edx, edx
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_30], edx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	edx
		push	1
		push	edx
		push	edx
		push	offset _POP_ETW_EVENT_COMPONENT_RESIDENCY
		push	[ebp+var_40]
		mov	[ebp+var_28], edx
		push	[ebp+var_44]
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], 8
		mov	[ebp+var_8], edx
		call	EtwWriteEx
		jmp	loc_57CC21
; END OF FUNCTION CHUNK	FOR PoFxSetComponentResidency
; 
; START	OF FUNCTION CHUNK FOR PopPepComponentSetResidency

loc_5FACC5:				; CODE XREF: PopPepComponentSetResidency+70j
		push	2
		mov	edx, edi
		mov	[edi+80h], eax
		mov	ecx, ebx
		call	_PopPepCountReadyActivities@12 ; PopPepCountReadyActivities(x,x,x)
		push	1
		mov	edx, edi
		mov	ecx, ebx
		mov	esi, eax
		call	_PopPepUpdateIdleState@12 ; PopPepUpdateIdleState(x,x,x)
		push	2
		mov	edx, edi
		mov	ecx, ebx
		call	PopPepPromoteActivities
		push	2
		mov	edx, edi
		mov	ecx, ebx
		call	_PopPepCountReadyActivities@12 ; PopPepCountReadyActivities(x,x,x)
		mov	edx, eax
		mov	ecx, esi
		call	_PopPepRequestWork@8 ; PopPepRequestWork(x,x)
		jmp	loc_57CCB8
; END OF FUNCTION CHUNK	FOR PopPepComponentSetResidency
; 
; START	OF FUNCTION CHUNK FOR MiFreeUnusedPfnPages

loc_5FAD07:				; CODE XREF: MiFreeUnusedPfnPages+84j
		mov	eax, edi
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5FAD1A
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5FAD1A:				; CODE XREF: MiFreeUnusedPfnPages+7E043j
		xor	edi, edi
		mov	[ebp+var_1C], edi
		test	esi, 7FFFFFFCh
		jz	loc_5FAEB9
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_8], eax
		cmp	esi, edx
		jb	short loc_5FAD6E
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_5FAD59
		cmp	esi, edx
		jb	short loc_5FAD6E
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_5FAD6E

loc_5FAD59:				; CODE XREF: MiFreeUnusedPfnPages+7E07Cj
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_8]
		jmp	short loc_5FAD74
; 

loc_5FAD6E:				; CODE XREF: MiFreeUnusedPfnPages+7E073j
					; MiFreeUnusedPfnPages+7E080j ...
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_20], ecx

loc_5FAD74:				; CODE XREF: MiFreeUnusedPfnPages+7E09Ej
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	dl, [eax+1E6h]
		mov	[ebp+var_1], dl
		mov	edx, esi
		push	ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jnz	short loc_5FADB4
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_5FAF90
		mov	eax, ecx
		jmp	short loc_5FAE32
; 

loc_5FADB4:				; CODE XREF: MiFreeUnusedPfnPages+7E0CFj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5FADCA
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_24]

loc_5FADCA:				; CODE XREF: MiFreeUnusedPfnPages+7E0F2j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_1C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [ebp+var_8]
		mov	dword ptr [ecx+10h], 0
		push	30h
		sub	ecx, [eax+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	short loc_5FAE1A
		mov	eax, [ebp+var_8]
		movzx	ecx, byte ptr [eax+1E4h]
		bts	ecx, edx
		mov	[eax+1E4h], cl
		jmp	short loc_5FAE32
; 

loc_5FAE1A:				; CODE XREF: MiFreeUnusedPfnPages+7E135j
		mov	esi, [ebp+var_8]
		mov	al, 1
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+var_8]

loc_5FAE32:				; CODE XREF: MiFreeUnusedPfnPages+7E0E4j
					; MiFreeUnusedPfnPages+7E14Aj
		nop
		dec	byte ptr [eax+1E6h]
		mov	ecx, edi
		and	ecx, 1FFFFh
		mov	[ebp+var_24], ecx
		jz	short loc_5FAEA1
		test	edi, 8000h
		jz	short loc_5FAE5A
		xor	edx, edx
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+var_8]

loc_5FAE5A:				; CODE XREF: MiFreeUnusedPfnPages+7E17Ej
		test	byte ptr [ebp+var_1C+2], 1
		jz	short loc_5FAE6A
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5FAE6A:				; CODE XREF: MiFreeUnusedPfnPages+7E190j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5FAE83
		and	edi, eax
		mov	edx, edi
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority
		jmp	short loc_5FAE86
; 

loc_5FAE83:				; CODE XREF: MiFreeUnusedPfnPages+7E1A3j
		mov	edi, [ebp+var_8]

loc_5FAE86:				; CODE XREF: MiFreeUnusedPfnPages+7E1B3j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_5FAE9E
		push	[ebp+var_24]
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_5FAE9E:				; CODE XREF: MiFreeUnusedPfnPages+7E1C2j
		mov	eax, [ebp+var_8]

loc_5FAEA1:				; CODE XREF: MiFreeUnusedPfnPages+7E176j
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_5FAEB9
		nop
		add	eax, 70h
		cmp	[eax], eax
		jz	short loc_5FAEB9
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_5FAEB9:				; CODE XREF: MiFreeUnusedPfnPages+7E057j
					; MiFreeUnusedPfnPages+7E1DCj ...
		mov	ecx, [ebp+var_18]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	[ebp+var_30], 0
		jz	loc_57CEBF
		push	ecx
		push	12h
		pop	edx
		lea	ecx, [ebp+var_40]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		mov	ecx, [ebp+var_18]
		or	edi, 0FFFFFFFFh
		jmp	loc_57CD19
; 

loc_5FAEE2:				; CODE XREF: MiFreeUnusedPfnPages+69j
		mov	eax, edi
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_5FAEF5
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_5FAEF5:				; CODE XREF: MiFreeUnusedPfnPages+7E21Ej
		xor	edi, edi
		mov	[ebp+var_1C], edi
		test	esi, 7FFFFFFCh
		jz	loc_57CEB7
		mov	eax, [ebp+var_C]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_20], esi
		cmp	eax, edx
		jb	short loc_5FAF49
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_5FAF38
		cmp	eax, edx
		jb	short loc_5FAF49
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_5FAF49

loc_5FAF38:				; CODE XREF: MiFreeUnusedPfnPages+7E25Bj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_C]

loc_5FAF49:				; CODE XREF: MiFreeUnusedPfnPages+7E252j
					; MiFreeUnusedPfnPages+7E25Fj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	edx, eax
		mov	byte ptr [ebp+arg_0+3],	cl
		mov	ecx, [ebp+var_10]
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jnz	short loc_5FAFA1
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_5FB013

loc_5FAF85:				; CODE XREF: MiFreeUnusedPfnPages+210j
		push	0
		push	[ebp+var_10]
		push	[ebp+var_C]
		push	esi
		jmp	short loc_5FAF97
; 

loc_5FAF90:				; CODE XREF: MiFreeUnusedPfnPages+7E0DCj
		push	0
		push	[ebp+var_20]
		push	esi
		push	ecx

loc_5FAF97:				; CODE XREF: MiFreeUnusedPfnPages+7E2C0j
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5FAFA1:				; CODE XREF: MiFreeUnusedPfnPages+7E2A7j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_5FAFB7
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_24]

loc_5FAFB7:				; CODE XREF: MiFreeUnusedPfnPages+7E2DFj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_1C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+arg_0+3],	1
		mov	edx, eax
		jnz	short loc_5FB001
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_5FB013
; 

loc_5FB001:				; CODE XREF: MiFreeUnusedPfnPages+7E31Fj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_20]

loc_5FB013:				; CODE XREF: MiFreeUnusedPfnPages+7E2B1j
					; MiFreeUnusedPfnPages+7E331j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+arg_0], eax
		jz	loc_57CEAC
		test	edi, 8000h
		jz	short loc_5FB03B
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5FB03B:				; CODE XREF: MiFreeUnusedPfnPages+7E362j
		test	byte ptr [ebp+var_1C+2], 1
		jz	short loc_5FB04B
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_5FB04B:				; CODE XREF: MiFreeUnusedPfnPages+7E371j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_5FB05F
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_5FB05F:				; CODE XREF: MiFreeUnusedPfnPages+7E384j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_57CEAC
		push	[ebp+arg_0]

loc_5FB072:				; CODE XREF: MiFreeUnusedPfnPages+218j
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_57CEAC
; 

loc_5FB081:				; CODE XREF: MiFreeUnusedPfnPages+17Aj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_1C]
		jmp	loc_57CE5E
; 

loc_5FB098:				; CODE XREF: MiFreeUnusedPfnPages+1B8j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_57CE8C
; END OF FUNCTION CHUNK	FOR MiFreeUnusedPfnPages
; 
; START	OF FUNCTION CHUNK FOR KeRegisterBugCheckCallback

loc_5FB0A7:				; CODE XREF: KeRegisterBugCheckCallback+8Aj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_57CF85
; END OF FUNCTION CHUNK	FOR KeRegisterBugCheckCallback
; 
; START	OF FUNCTION CHUNK FOR IopInitializeSystemVariableService

loc_5FB0B6:				; CODE XREF: IopInitializeSystemVariableService+97j
		cmp	[ebp+var_10], 4
		jnz	loc_57D0D5
		cmp	[ebp+var_C], 4
		jnz	loc_57D0D5
		mov	eax, [ebp+var_8]
		mov	ds:_IopSysEnvOverrideFlags, eax
		jmp	loc_57D0D5
; END OF FUNCTION CHUNK	FOR IopInitializeSystemVariableService
; 
; START	OF FUNCTION CHUNK FOR WheapCheckForAndReportErrorsFromPreviousSession

loc_5FB0D7:				; CODE XREF: WheapCheckForAndReportErrorsFromPreviousSession+5Cj
		mov	ecx, [esp+40h+var_38]
		test	ecx, ecx
		jz	short loc_5FB12E
		cmp	dword ptr [ecx], 52455043h
		jnz	short loc_5FB125
		mov	eax, [ecx+14h]
		cmp	eax, [esp+40h+var_30]
		ja	short loc_5FB125
		call	_WheapReportPersistedErrorRecord@4 ; WheapReportPersistedErrorRecord(x)
		cmp	al, 1
		jnz	short loc_5FB11A
		mov	edx, [esp+40h+var_38]
		mov	cl, 28h
		push	dword ptr [edx+64h]
		mov	eax, [edx+6Ch]
		push	dword ptr [edx+60h]
		mov	edx, [edx+70h]
		call	__aullshr
		movzx	eax, ax
		push	eax
		call	ds:__imp__PshedClearErrorRecord@12 ; PshedClearErrorRecord(x,x,x)

loc_5FB11A:				; CODE XREF: WheapCheckForAndReportErrorsFromPreviousSession+7DFD5j
		mov	ecx, [esp+4Ch+var_44]
		call	ExFreeHeapPool
		jmp	short loc_5FB12E
; 

loc_5FB125:				; CODE XREF: WheapCheckForAndReportErrorsFromPreviousSession+7DFC3j
					; WheapCheckForAndReportErrorsFromPreviousSession+7DFCCj
		call	ExFreeHeapPool
		mov	[esp+40h+var_38], esi

loc_5FB12E:				; CODE XREF: WheapCheckForAndReportErrorsFromPreviousSession+7DFBBj
					; WheapCheckForAndReportErrorsFromPreviousSession+7E001j
		mov	ecx, [esp+40h+var_28]
		mov	eax, ecx
		mov	edx, [esp+40h+var_24]
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jnz	loc_57D164
		jmp	loc_57D184
; 

loc_5FB148:				; CODE XREF: WheapCheckForAndReportErrorsFromPreviousSession+68j
		call	_WheapReportBootError@4	; WheapReportBootError(x)
		mov	ecx, [esp+40h+var_34]
		call	ExFreeHeapPool
		mov	[esp+40h+var_34], esi
		jmp	loc_57D190
; END OF FUNCTION CHUNK	FOR WheapCheckForAndReportErrorsFromPreviousSession
; 
; START	OF FUNCTION CHUNK FOR WheapProcessEfiBadMemoryPage

loc_5FB15F:				; CODE XREF: WheapProcessEfiBadMemoryPage+38j
		mov	ecx, [ebp+var_8]
		call	_WheaPersistBadPageToBcd@4 ; WheaPersistBadPageToBcd(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_5FB17D
		push	7
		push	edi
		push	edi
		push	ebx
		push	offset ??_C@_1DC@FLHAMKMH@?$AAU?$AAn?$AAc?$AAo?$AAr?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAB?$AAa?$AAd?$AAM@FNODOBFM@
		call	ds:__imp__HalSetEnvironmentVariableEx@20 ; HalSetEnvironmentVariableEx(x,x,x,x,x)

loc_5FB17D:				; CODE XREF: WheapProcessEfiBadMemoryPage+7DFD1j
		mov	eax, esi
		jmp	loc_57D1D8
; END OF FUNCTION CHUNK	FOR WheapProcessEfiBadMemoryPage
; 
; START	OF FUNCTION CHUNK FOR PopWnfAirplaneModeCallback

loc_5FB184:				; CODE XREF: PopWnfAirplaneModeCallback+69j
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_57D278
; END OF FUNCTION CHUNK	FOR PopWnfAirplaneModeCallback
; 
; START	OF FUNCTION CHUNK FOR FsRtlWorkerThread

loc_5FB193:				; CODE XREF: FsRtlWorkerThread+3Fj
		push	esi
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		shl	eax, 10h
		or	eax, 2
		push	eax
		push	0C8h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_5FB1B5:				; CODE XREF: IoRegisterPriorityCallback+59j
		mov	eax, [ebp+arg_0]
		add	ebx, 4
		add	eax, 4
		mov	[ebp+arg_0], eax
		cmp	ebx, 20h
		jb	loc_57D448
		mov	ecx, esi
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)
		mov	eax, 0C000000Dh
		jmp	loc_57D46B
; END OF FUNCTION CHUNK	FOR FsRtlWorkerThread
; 
; START	OF FUNCTION CHUNK FOR PopThermalPollingPowerSettingCallback

loc_5FB1DB:				; CODE XREF: PopThermalPollingPowerSettingCallback+31j
		cmp	ds:dword_6C2D0C, eax
		jnz	loc_57D4DD
		mov	al, bl
		jmp	loc_57D4DD
; 

loc_5FB1EE:				; CODE XREF: PopThermalPollingPowerSettingCallback+3Dj
		cmp	ds:_PopThermalPollingWakesAllowed, al
		jz	loc_57D4E9
		mov	ds:_PopThermalPollingWakesAllowed, al
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExAcquirePushLockSharedEx
		mov	esi, ds:_PopThermal
		cmp	esi, offset _PopThermal
		jz	short loc_5FB28B
		push	edi

loc_5FB229:				; CODE XREF: PopThermalPollingPowerSettingCallback+7DDE2j
		mov	eax, large fs:124h
		lea	edi, [esi+150h]
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+4], eax
		cmp	[esi+0C8h], ebx
		jnz	short loc_5FB262
		test	byte ptr [esi+21h], 1
		jz	short loc_5FB26A
		cmp	[esi+48h], ebx
		jz	short loc_5FB26A

loc_5FB262:				; CODE XREF: PopThermalPollingPowerSettingCallback+7DDAFj
		push	dword ptr [esi+1Ch]
		call	IoCancelIrp

loc_5FB26A:				; CODE XREF: PopThermalPollingPowerSettingCallback+7DDB5j
					; PopThermalPollingPowerSettingCallback+7DDBAj
		cmp	[edi+4], ebx
		jz	short loc_5FB272
		mov	[edi+4], ebx

loc_5FB272:				; CODE XREF: PopThermalPollingPowerSettingCallback+7DDC7j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	esi, [esi]
		cmp	esi, offset _PopThermal
		jnz	short loc_5FB229
		pop	edi

loc_5FB28B:				; CODE XREF: PopThermalPollingPowerSettingCallback+7DD80j
		pop	esi
		cmp	ds:dword_6C2044, ebx
		jz	short loc_5FB29A
		mov	ds:dword_6C2044, ebx

loc_5FB29A:				; CODE XREF: PopThermalPollingPowerSettingCallback+7DDECj
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_57D4E9
; END OF FUNCTION CHUNK	FOR PopThermalPollingPowerSettingCallback
; 
; START	OF FUNCTION CHUNK FOR HvlPhase2Initialize

loc_5FB2B0:				; CODE XREF: HvlPhase2Initialize+70j
		call	_HvlpEtwRegister@0 ; HvlpEtwRegister()
		sub	esp, 28h
		lea	esi, [ebp+var_28]
		push	0Ah
		pop	ecx
		mov	edi, esp
		rep movsd
		call	_HvlpLogHypervisorLaunchError@40 ; HvlpLogHypervisorLaunchError(x,x,x,x,x,x,x,x,x,x)
		push	ds:dword_6CE9FC
		push	ds:_HvlGlobalSystemEventsHandle
		call	EtwUnregister
		mov	ds:_HvlGlobalSystemEventsHandle, ebx
		mov	ds:dword_6CE9FC, ebx
		jmp	loc_57D5A2
; 

loc_5FB2E9:				; CODE XREF: HvlPhase2Initialize+7Dj
		test	byte ptr ds:_HvlpFlags,	2
		jz	short loc_5FB2F7
		call	_HvlpDiscoverTopologyComplete@0	; HvlpDiscoverTopologyComplete()

loc_5FB2F7:				; CODE XREF: HvlPhase2Initialize+7DDC4j
		call	_HvlpInitializeHvCrashdumpPhase2@0 ; HvlpInitializeHvCrashdumpPhase2()
		test	byte ptr ds:_HvlpRootFlags, 1
		jz	short loc_5FB369
		call	_HvlpEtwRegister@0 ; HvlpEtwRegister()
		push	ebx
		xor	edx, edx
		mov	ecx, offset _HV_EVENTLOG_START_SUCCEEDED
		call	HvlpWriteEventLog
		call	_HvlpLogHypervisorSchedulerType@0 ; HvlpLogHypervisorSchedulerType()
		call	_HvlpLogIommuInitStatus@0 ; HvlpLogIommuInitStatus()
		call	_HvlpLogGuestStateScrubbingStatus@0 ; HvlpLogGuestStateScrubbingStatus()
		mov	eax, ds:_HvlpLogicalProcessorCount
		cmp	eax, 140h
		jnb	short loc_5FB353
		imul	ecx, eax, 68h
		add	ecx, offset _HvlpLogicalProcessorRegions
		cmp	[ecx], ebx
		jnz	short loc_5FB353
		lea	eax, [ecx+28h]
		movzx	edx, word ptr [eax]
		test	dx, dx
		jz	short loc_5FB353
		mov	ecx, [ecx+8]
		push	eax
		call	_HvlpLogProcessorStartupFailure@12 ; HvlpLogProcessorStartupFailure(x,x,x)

loc_5FB353:				; CODE XREF: HvlPhase2Initialize+7DE04j
					; HvlPhase2Initialize+7DE11j ...
		cmp	ds:_HvlpMinrootConfigurationError, 0
		jz	short loc_5FB369
		push	ebx
		xor	edx, edx
		mov	ecx, offset _HV_EVENTLOG_CORE_SCHEDULER_PROCESSOR_CONFIGURATION_WARNING
		call	HvlpWriteEventLog

loc_5FB369:				; CODE XREF: HvlPhase2Initialize+7DDD7j
					; HvlPhase2Initialize+7DE2Ej
		mov	ecx, ds:_ExCbEnlightenmentState
		test	ecx, ecx
		jz	short loc_5FB37C
		push	ebx
		push	ebx
		xor	edx, edx
		call	ExNotifyWithProcessing

loc_5FB37C:				; CODE XREF: HvlPhase2Initialize+7DE45j
		call	_HvlpRegisterPowerPolicyCallbacks@0 ; HvlpRegisterPowerPolicyCallbacks()
		jmp	loc_57D5AF
; END OF FUNCTION CHUNK	FOR HvlPhase2Initialize
; 
; START	OF FUNCTION CHUNK FOR SeEtwEnableCallback

loc_5FB386:				; CODE XREF: SeEtwEnableCallback+15j
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	loc_57D70F
		cmp	[eax+0Ch], ecx
		jnz	loc_57D70F
		cmp	dword ptr [eax+8], 4
		jnz	loc_57D70F
		mov	ds:byte_6D7060,	cl
		mov	eax, [eax]
		mov	eax, [eax]
		mov	ds:_SepLearningModeSettings, eax
		jmp	loc_57D71B
; END OF FUNCTION CHUNK	FOR SeEtwEnableCallback
; 
; START	OF FUNCTION CHUNK FOR IoSetStartIoAttributes

loc_5FB3B8:				; CODE XREF: IoSetStartIoAttributes+1Fj
		mov	eax, [ecx+0B0h]
		or	dword ptr [eax+24h], 200h
		jmp	loc_57D75F
; END OF FUNCTION CHUNK	FOR IoSetStartIoAttributes
; 
; START	OF FUNCTION CHUNK FOR MiUnlockPartitionSystemThreads

loc_5FB3CA:				; CODE XREF: MiUnlockPartitionSystemThreads+34j
		test	cl, 4
		jnz	loc_57D79E
		mov	ecx, eax
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	eax, [ebp+var_8]
		jmp	loc_57D79E
; 

loc_5FB3E2:				; CODE XREF: MiUnlockPartitionSystemThreads+1ADj
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5FB3F5:				; CODE XREF: MiUnlockPartitionSystemThreads+10Ej
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_57D888
; 

loc_5FB40C:				; CODE XREF: MiUnlockPartitionSystemThreads+14Cj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_57D8B6
; 

loc_5FB41B:				; CODE XREF: MiUnlockPartitionSystemThreads+170j
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_57D8DA
; END OF FUNCTION CHUNK	FOR MiUnlockPartitionSystemThreads
; 
; START	OF FUNCTION CHUNK FOR PpmCheckMaintainArtificialDomain

loc_5FB42D:				; CODE XREF: PpmCheckMaintainArtificialDomain+7j
		mov	ecx, ds:_PpmCheckPipelines
		and	ds:_PpmCheckPipelineIndex, 0
		mov	ds:_PpmCheckCurrentPipelineId, 1
		mov	ecx, [ecx+4]
		mov	ds:_PpmCheckPipeline, ecx
		jmp	loc_57D931
; END OF FUNCTION CHUNK	FOR PpmCheckMaintainArtificialDomain
; 
; START	OF FUNCTION CHUNK FOR PopIrpWorkerControl

loc_5FB452:				; CODE XREF: PopIrpWorkerControl+36j
		inc	ds:_PopIrpWorkerPendingCount
		mov	bl, 1

loc_5FB45A:				; CODE XREF: PopIrpWorkerControl+3Cj
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	bl, bl
		jz	loc_57D96F
		xor	ecx, ecx
		call	PopCreateDynamicIrpWorker
		jmp	loc_57D96F
; END OF FUNCTION CHUNK	FOR PopIrpWorkerControl
; 
; START	OF FUNCTION CHUNK FOR HvlDebuggerSupportInitialize

loc_5FB475:				; CODE XREF: HvlDebuggerSupportInitialize+2Fj
		test	edi, edi
		jz	loc_57D9D7
		mov	eax, [edi+78h]
		test	eax, eax
		jz	loc_57D9D7
		push	(offset	loc_5A4347+3) ;	char *
		push	eax		; char *
		call	_strstr
		push	offset ??_C@_0BF@NAPPFGF@HYPERVISORDBGDEVICE?$DN@FNODOBFM@ ; char *
		push	dword ptr [edi+78h] ; char *
		mov	ebx, eax
		call	_strstr
		push	offset ??_C@_0BH@KEIMNFIN@HYPERVISORDBGACPIPATH?$DN@FNODOBFM@ ;	char *
		push	dword ptr [edi+78h] ; char *
		mov	esi, eax
		call	_strstr
		add	esp, 18h
		test	eax, eax
		jz	loc_5FB594
		push	offset ??_C@_01KICIPPFI@?2@FNODOBFM@ ; char *
		push	eax		; char *
		call	_strstr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jz	loc_57D9D7
		push	0A8h		; size_t
		lea	eax, [ebp+var_B0]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_20], 1
		mov	eax, 8000h
		test	ebx, ebx
		jnz	short loc_5FB4FC
		add	eax, 3

loc_5FB4FC:				; CODE XREF: HvlDebuggerSupportInitialize+7DB55j
		push	offset ??_C@_01CLKCMJKC@?5@FNODOBFM@ ; char *
		push	esi		; char *
		mov	[ebp+var_2C], ax
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_5FB524
		mov	ecx, esi
		lea	edx, [ecx+1]

loc_5FB516:				; CODE XREF: HvlDebuggerSupportInitialize+7DB79j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_5FB516
		sub	ecx, edx
		movzx	eax, cx
		jmp	short loc_5FB529
; 

loc_5FB524:				; CODE XREF: HvlDebuggerSupportInitialize+7DB6Dj
		sub	eax, esi
		movzx	eax, ax

loc_5FB529:				; CODE XREF: HvlDebuggerSupportInitialize+7DB80j
		mov	word ptr [ebp+var_B8], ax
		mov	word ptr [ebp+var_B8+2], ax
		lea	eax, [ebp+var_B8]
		push	1
		push	eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_B4], esi
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	loc_57D9D7
		mov	eax, [ebp+var_BC]
		mov	[ebp+var_1C], eax
		movzx	eax, word ptr [ebp+var_C0]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_B0]
		push	eax
		push	0
		mov	[ebp+var_9D], 1
		call	ds:off_6B12C8	; xHalIommuUnblockDevice(x,x)
		lea	eax, [ebp+var_C0]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	loc_57D9D7
; 

loc_5FB594:				; CODE XREF: HvlDebuggerSupportInitialize+7DB14j
		test	ebx, ebx
		jz	short loc_5FB60F
		push	(offset	loc_5A435B+3) ;	char *
		push	ebx		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_57D9D7
		add	eax, 3
		push	eax		; char *
		call	_atol
		pop	ecx
		sub	eax, 1
		jz	short loc_5FB5FF
		sub	eax, 1
		jz	short loc_5FB5EF
		sub	eax, 1
		jz	short loc_5FB5DF
		sub	eax, 1
		jnz	loc_57D9D7
		mov	eax, ds:_KdHvComPortInUse
		mov	dword ptr [eax], 2E8h
		jmp	loc_57D9D7
; 

loc_5FB5DF:				; CODE XREF: HvlDebuggerSupportInitialize+7DC22j
		mov	eax, ds:_KdHvComPortInUse
		mov	dword ptr [eax], 3E8h
		jmp	loc_57D9D7
; 

loc_5FB5EF:				; CODE XREF: HvlDebuggerSupportInitialize+7DC1Dj
		mov	eax, ds:_KdHvComPortInUse
		mov	dword ptr [eax], 2F8h
		jmp	loc_57D9D7
; 

loc_5FB5FF:				; CODE XREF: HvlDebuggerSupportInitialize+7DC18j
		mov	eax, ds:_KdHvComPortInUse
		mov	dword ptr [eax], 3F8h
		jmp	loc_57D9D7
; 

loc_5FB60F:				; CODE XREF: HvlDebuggerSupportInitialize+7DBF4j
		test	esi, esi
		jz	loc_57D9D7
		push	offset ??_C@_01NEMOKFLO@?$DN@FNODOBFM@ ; "="
		push	esi		; char *
		call	_strstr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jz	loc_57D9D7
		lea	ecx, [esi+1]
		push	ecx		; char *
		call	_atol
		mov	[esp+0D4h+var_D4], offset ??_C@_01LFCBOECM@?4@FNODOBFM@
		push	esi		; char *
		mov	[ebp+var_B4], eax
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_57D9D7
		lea	esi, [eax+1]
		push	esi		; char *
		call	_atol
		mov	[esp+0D4h+var_D4], offset ??_C@_01LFCBOECM@?4@FNODOBFM@
		mov	ebx, eax
		push	esi		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_57D9D7
		lea	ecx, [eax+1]
		push	ecx		; char *
		call	_atol
		mov	esi, eax
		mov	[esp+0D4h+var_D4], (offset loc_5A436B+1)
		push	dword ptr [edi+78h] ; char *
		and	esi, 7
		and	ebx, 1Fh
		shl	esi, 5
		or	esi, ebx
		call	_strstr
		mov	edi, eax
		pop	ecx
		pop	ecx
		test	edi, edi
		jz	loc_57D9D7
		push	4		; size_t
		add	edi, 12h
		push	(offset	loc_5A437D+3) ;	char *
		push	edi		; char *
		call	_strncmp
		add	esp, 0Ch
		mov	ecx, 8001h
		test	eax, eax
		jnz	short loc_5FB6C7
		mov	edi, ecx
		jmp	short loc_5FB6E4
; 

loc_5FB6C7:				; CODE XREF: HvlDebuggerSupportInitialize+7DD1Fj
		push	3		; size_t
		push	offset ??_C@_03NPGNIJG@NET@FNODOBFM@ ; char *
		push	edi		; char *
		call	_strncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_57D9D7
		mov	edi, 8003h

loc_5FB6E4:				; CODE XREF: HvlDebuggerSupportInitialize+7DD23j
		push	0A8h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_B0]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, 0FFFFh
		mov	[ebp+var_9D], 1
		mov	[ebp+var_A4], ax
		add	esp, 0Ch
		mov	eax, [ebp+var_B4]
		mov	[ebp+var_B0], eax
		mov	eax, 8001h
		mov	[ebp+var_A8], 0FFFFFFFFh
		mov	[ebp+var_AC], esi
		cmp	di, ax
		jz	short loc_5FB746
		mov	[ebp+var_A2], 2
		mov	[ebp+var_A0], 0FFh
		jmp	short loc_5FB756
; 

loc_5FB746:				; CODE XREF: HvlDebuggerSupportInitialize+7DD90j
		mov	[ebp+var_A2], 0Ch
		mov	[ebp+var_A0], 10h

loc_5FB756:				; CODE XREF: HvlDebuggerSupportInitialize+7DDA2j
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_3C], ebx
		push	eax
		push	ebx
		call	ds:off_6B1244	; xHalIommuUnblockDevice(x,x)
		jmp	loc_57D9D7
; END OF FUNCTION CHUNK	FOR HvlDebuggerSupportInitialize
; 
; START	OF FUNCTION CHUNK FOR MiSetSlabAllocatorPolicy

loc_5FB76C:				; CODE XREF: MiSetSlabAllocatorPolicy+2Aj
		cmp	dword ptr [esi+0F48h], 0ED800h
		jnb	short loc_5FB781
		cmp	eax, 2
		jnz	loc_57DA16

loc_5FB781:				; CODE XREF: MiSetSlabAllocatorPolicy+7DD90j
		lea	edx, [ebp+var_C]
		mov	ecx, offset dword_6D2FF0
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		or	dword ptr [esi+4], 8
		test	ds:byte_70EFC6,	1
		jz	short loc_5FB7A8
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FB7D4
; 

loc_5FB7A8:				; CODE XREF: MiSetSlabAllocatorPolicy+7DDB3j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5FB7C7
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5FB7D4
		call	KxWaitForLockChainValid

loc_5FB7C7:				; CODE XREF: MiSetSlabAllocatorPolicy+7DDC7j
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	edi

loc_5FB7D4:				; CODE XREF: MiSetSlabAllocatorPolicy+7DDC0j
					; MiSetSlabAllocatorPolicy+7DDDAj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_57DA16
; END OF FUNCTION CHUNK	FOR MiSetSlabAllocatorPolicy
; 
; START	OF FUNCTION CHUNK FOR PopCheckForAbnormalReset

loc_5FB7E2:				; CODE XREF: PopCheckForAbnormalReset+16j
		cmp	eax, 2
		ja	locret_57DB18
		cmp	ds:dword_6C3DA4, 0
		jz	locret_57DB18

loc_5FB7F8:				; CODE XREF: PopCheckForAbnormalReset+8j
		mov	ecx, ds:dword_6C3DA4
		jmp	_PopDiagTraceAbnormalReset@4 ; PopDiagTraceAbnormalReset(x)
; END OF FUNCTION CHUNK	FOR PopCheckForAbnormalReset
; 
; START	OF FUNCTION CHUNK FOR MiEmptyKernelStackCache

loc_5FB803:				; CODE XREF: MiEmptyKernelStackCache+15j
		xor	esi, esi
		mov	edi, esi
		mov	[ebp+var_4], esi
		cmp	ds:_KeNumberProcessors,	esi
		jbe	short loc_5FB838

loc_5FB812:				; CODE XREF: MiEmptyKernelStackCache+7DCFAj
		mov	ecx, edi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		add	eax, 4C4h
		cmp	[eax], esi
		jz	short loc_5FB82F
		xor	ecx, ecx
		xchg	ecx, [eax]
		test	ecx, ecx
		jz	short loc_5FB82F
		call	MiDeleteCachedKernelStack

loc_5FB82F:				; CODE XREF: MiEmptyKernelStackCache+7DCE4j
					; MiEmptyKernelStackCache+7DCECj
		inc	edi
		cmp	edi, ds:_KeNumberProcessors
		jb	short loc_5FB812

loc_5FB838:				; CODE XREF: MiEmptyKernelStackCache+7DCD4j
		xor	eax, eax
		cmp	ax, ds:_KeNumberNodes
		jnb	loc_57DB57
		mov	edi, esi
		mov	[ebp+var_8], esi

loc_5FB84C:				; CODE XREF: MiEmptyKernelStackCache+7DD60j
		push	2
		mov	ebx, edi
		pop	esi

loc_5FB851:				; CODE XREF: MiEmptyKernelStackCache+7DD45j
		mov	eax, ds:dword_6D069C
		add	eax, ebx
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	short loc_5FB87B
		mov	edi, [ebp+var_C]

loc_5FB869:				; CODE XREF: MiEmptyKernelStackCache+7DD3Dj
		mov	ecx, eax
		call	MiDeleteCachedKernelStack
		mov	ecx, edi
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jnz	short loc_5FB869

loc_5FB87B:				; CODE XREF: MiEmptyKernelStackCache+7DD28j
		add	ebx, 18h
		sub	esi, 1
		jnz	short loc_5FB851
		mov	esi, [ebp+var_4]
		mov	edi, [ebp+var_8]
		inc	esi
		movzx	eax, ds:_KeNumberNodes
		add	edi, 48h
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], edi
		cmp	esi, eax
		jb	short loc_5FB84C
		jmp	loc_57DB57
; END OF FUNCTION CHUNK	FOR MiEmptyKernelStackCache

;  S U B	R O U T	I N E 


sub_5FB8A3	proc near		; CODE XREF: KdPollBreakIn+Dj
					; KdPollBreakIn+1Aj
		push	ebx
		xor	bl, bl
		cmp	ds:_KdDebuggerEnabled, bl
		jnz	short loc_5FB8BA
		cmp	ds:_KdEventLoggingEnabled, bl
		jz	loc_5FB9CB

loc_5FB8BA:				; CODE XREF: sub_5FB8A3+9j
		push	esi
		push	edi
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		movzx	edi, large byte	ptr fs:51h
		mov	bh, al
		mov	edx, ds:_KdLogBuffer[edi*4]
		test	edx, edx
		jz	short loc_5FB8FB
		mov	ecx, [edx]
		lea	ecx, [ecx+1]
		shl	ecx, 4
		add	ecx, edx
		rdtsc
		mov	[ecx], eax
		mov	[ecx+4], edx
		movzx	eax, ds:_KdDebuggerNotPresent
		and	eax, 1
		shl	eax, 2
		and	dword ptr [ecx+0Ch], 0
		mov	[ecx+8], eax

loc_5FB8FB:				; CODE XREF: sub_5FB8A3+31j
		cmp	ds:byte_6CB514,	0
		jz	short loc_5FB90F
		mov	bl, 1
		mov	ds:byte_6CB514,	0
		jmp	short loc_5FB965
; 

loc_5FB90F:				; CODE XREF: sub_5FB8A3+5Fj
		test	ds:byte_70EFC6,	21h
		mov	esi, offset _KdDebuggerLock
		jz	short loc_5FB926
		mov	ecx, esi
		call	@KiTryToAcquireSpinLockInstrumented@4 ;	KiTryToAcquireSpinLockInstrumented(x)
		jmp	short loc_5FB931
; 

loc_5FB926:				; CODE XREF: sub_5FB8A3+78j
		lock bts dword ptr [esi], 0
		jnb	short loc_5FB935
		xor	al, al
		pause

loc_5FB931:				; CODE XREF: sub_5FB8A3+81j
		test	al, al
		jz	short loc_5FB965

loc_5FB935:				; CODE XREF: sub_5FB8A3+88j
		push	0
		push	0
		push	0
		push	0
		push	8
		call	ds:__imp__KdReceivePacket@20 ; KdReceivePacket(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_5FB94B
		mov	bl, 1

loc_5FB94B:				; CODE XREF: sub_5FB8A3+A4j
		test	ds:byte_70EFC6,	1
		jz	short loc_5FB960
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5FB965
; 

loc_5FB960:				; CODE XREF: sub_5FB8A3+AFj
		xor	eax, eax
		lock and [esi],	eax

loc_5FB965:				; CODE XREF: sub_5FB8A3+6Aj
					; sub_5FB8A3+90j ...
		and	bl, ds:_KdDebuggerEnabled
		or	ds:_KdpControlCPressed,	bl
		mov	edi, ds:_KdLogBuffer[edi*4]
		test	edi, edi
		jz	short loc_5FB9C4
		mov	eax, [edi]
		mov	[ebp-4], eax
		lea	esi, [eax+1]
		shl	esi, 4
		add	esi, edi
		rdtsc
		mov	ecx, eax
		movzx	eax, ds:_KdDebuggerNotPresent
		sub	ecx, [esi]
		sbb	edx, [esi+4]
		and	eax, 1
		and	ecx, 0FFFFFFF0h
		mov	[esi+0Ch], edx
		add	eax, eax
		or	ecx, eax
		mov	eax, [esi+8]
		and	eax, 4
		or	ecx, eax
		mov	[esi+8], ecx
		mov	ecx, [ebp-4]
		cmp	ecx, 0FEh
		jnz	short loc_5FB9C1
		and	dword ptr [edi], 0
		jmp	short loc_5FB9C4
; 

loc_5FB9C1:				; CODE XREF: sub_5FB8A3+117j
		inc	ecx
		mov	[edi], ecx

loc_5FB9C4:				; CODE XREF: sub_5FB8A3+D7j
					; sub_5FB8A3+11Cj
		pop	edi
		pop	esi
		test	bh, bh
		jz	short loc_5FB9CB
		sti

loc_5FB9CB:				; CODE XREF: sub_5FB8A3+11j
					; sub_5FB8A3+125j
		mov	al, bl
		pop	ebx
		leave
		retn
sub_5FB8A3	endp

; 
; START	OF FUNCTION CHUNK FOR KdRefreshDebuggerNotPresent

loc_5FB9D0:				; CODE XREF: KdRefreshDebuggerNotPresent+18j
		cmp	ds:_KdDebuggerEnabled, 0
		jz	loc_57DBAA
		mov	ecx, offset ??_C@_0CE@NALIHKD@KDTARGET?3?5Refreshing?5KD?5connect@FNODOBFM@
		mov	[ebp+var_4], ecx
		lea	edx, [ecx+1]

loc_5FB9E8:				; CODE XREF: KdRefreshDebuggerNotPresent+7DE61j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_5FB9E8
		sub	ecx, edx
		xor	edx, edx
		mov	word ptr [ebp+var_8], cx
		xor	ecx, ecx
		call	_KdEnterDebugger@8 ; KdEnterDebugger(x,x)
		lea	ecx, [ebp+var_8]
		mov	bh, al
		call	_KdpPrintString@4 ; KdpPrintString(x)
		mov	bl, ds:_KdDebuggerNotPresent
		mov	cl, bh
		call	_KdExitDebugger@4 ; KdExitDebugger(x)
		mov	al, bl
		jmp	loc_57DBAC
; END OF FUNCTION CHUNK	FOR KdRefreshDebuggerNotPresent
; 
; START	OF FUNCTION CHUNK FOR PsQueryCpuQuotaInformation

loc_5FBA1C:				; CODE XREF: PsQueryCpuQuotaInformation+18j
		cmp	[ebp+arg_0], 0
		jz	short loc_5FBA44
		push	dword ptr [ebp+arg_0]
		push	ds:dword_A94A1C
		push	ds:_SeIncreaseQuotaPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_5FBA44
		mov	eax, 0C0000061h
		jmp	loc_57DBE5
; 

loc_5FBA44:				; CODE XREF: PsQueryCpuQuotaInformation+7DE5Ej
					; PsQueryCpuQuotaInformation+7DE76j
		test	edi, edi
		jz	short loc_5FBA9D
		lea	ebx, [edi-4]
		test	bl, 7
		jnz	short loc_5FBA93
		cmp	edi, 4
		jb	short loc_5FBA93
		shr	ebx, 3
		xor	esi, esi
		cmp	[ebp+arg_0], 1
		jnz	short loc_5FBA8E
		mov	[ebp+ms_exc.disabled], esi
		push	4
		push	edi
		mov	edi, [ebp+var_1C]
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_5FBAA3
; END OF FUNCTION CHUNK	FOR PsQueryCpuQuotaInformation

;  S U B	R O U T	I N E 


sub_5FBA78	proc near		; DATA XREF: .text:006A77BCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_5FBA78	endp


;  S U B	R O U T	I N E 


sub_5FBA86	proc near		; DATA XREF: .text:006A77C0o

; FUNCTION CHUNK AT 005FBB56 SIZE 0000000F BYTES

		mov	eax, [ebp-20h]
		jmp	loc_5FBB56
sub_5FBA86	endp

; 
; START	OF FUNCTION CHUNK FOR PsQueryCpuQuotaInformation

loc_5FBA8E:				; CODE XREF: PsQueryCpuQuotaInformation+7DE9Cj
		mov	edi, [ebp+var_1C]
		jmp	short loc_5FBAA3
; 

loc_5FBA93:				; CODE XREF: PsQueryCpuQuotaInformation+7DE8Cj
					; PsQueryCpuQuotaInformation+7DE91j
		mov	eax, 0C0000004h
		jmp	loc_57DBE5
; 

loc_5FBA9D:				; CODE XREF: PsQueryCpuQuotaInformation+7DE84j
		xor	esi, esi
		mov	ebx, esi
		mov	edi, esi

loc_5FBAA3:				; CODE XREF: PsQueryCpuQuotaInformation+7DEB4j
					; PsQueryCpuQuotaInformation+7DECFj
		xor	ecx, ecx
		call	_MiGetNextSession@8 ; MiGetNextSession(x,x)
		mov	ecx, eax
		mov	[ebp+var_1C], ecx

loc_5FBAAF:				; CODE XREF: PsQueryCpuQuotaInformation+7DF29j
		test	ecx, ecx
		jz	short loc_5FBB11
		call	_MmGetSessionSchedulingGroupByProcess@4	; MmGetSessionSchedulingGroupByProcess(x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_5FBAE1
		cmp	esi, ebx
		jnb	short loc_5FBAE0
		mov	[ebp+ms_exc.disabled], 1
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[edi+esi*8+4], eax
		movzx	eax, word ptr [edx]
		mov	[edi+esi*8+8], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_5FBAE0:				; CODE XREF: PsQueryCpuQuotaInformation+7DEFEj
		inc	esi

loc_5FBAE1:				; CODE XREF: PsQueryCpuQuotaInformation+7DEFAj
		call	_MiGetNextSession@8 ; MiGetNextSession(x,x)
		mov	ecx, eax
		mov	[ebp+var_1C], eax
		jmp	short loc_5FBAAF
; END OF FUNCTION CHUNK	FOR PsQueryCpuQuotaInformation

;  S U B	R O U T	I N E 


sub_5FBAED	proc near		; DATA XREF: .text:006A77C8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		cmp	byte ptr [ebp+8], 1
		setz	al
		retn
sub_5FBAED	endp


;  S U B	R O U T	I N E 


sub_5FBB01	proc near		; DATA XREF: .text:006A77CCo
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-1Ch]
		call	_MmQuitNextSession@4 ; MmQuitNextSession(x)
		mov	eax, [ebp-24h]
		jmp	short loc_5FBB59
sub_5FBB01	endp

; 
; START	OF FUNCTION CHUNK FOR PsQueryCpuQuotaInformation

loc_5FBB11:				; CODE XREF: PsQueryCpuQuotaInformation+7DEEFj
		test	edi, edi
		jz	short loc_5FBB25
		mov	[ebp+ms_exc.disabled], 2
		mov	[edi], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_5FBB25:				; CODE XREF: PsQueryCpuQuotaInformation+7DF51j
		lea	ecx, ds:4[esi*8]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		cmp	ebx, esi
		sbb	eax, eax
		and	eax, 0C0000023h
		jmp	loc_57DBE5
; END OF FUNCTION CHUNK	FOR PsQueryCpuQuotaInformation

;  S U B	R O U T	I N E 


sub_5FBB3F	proc near		; DATA XREF: .text:006A77D4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		cmp	byte ptr [ebp+8], 1
		setz	al
		retn
sub_5FBB3F	endp


;  S U B	R O U T	I N E 


sub_5FBB53	proc near		; DATA XREF: .text:006A77D8o
		mov	eax, [ebp-28h]
sub_5FBB53	endp

; START	OF FUNCTION CHUNK FOR sub_5FBA86

loc_5FBB56:				; CODE XREF: sub_5FBA86+3j
		mov	esp, [ebp-18h]

loc_5FBB59:				; CODE XREF: sub_5FBB01+Ej
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_57DBE5
; END OF FUNCTION CHUNK	FOR sub_5FBA86
; 
; START	OF FUNCTION CHUNK FOR PfLockExclusiveRelease

loc_5FBB65:				; CODE XREF: PfLockExclusiveRelease+1AAj
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5FBB78:				; CODE XREF: PfLockExclusiveRelease+10Ej
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]
		jmp	loc_57DD48
; 

loc_5FBB8F:				; CODE XREF: PfLockExclusiveRelease+14Cj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		jmp	loc_57DD76
; 

loc_5FBB9E:				; CODE XREF: PfLockExclusiveRelease+170j
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_57DD9A
; END OF FUNCTION CHUNK	FOR PfLockExclusiveRelease

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DisplayFilter(x)
_DisplayFilter@4 proc near		; DATA XREF: DisplayBootBitmap+7FAA7o
					; Phase1InitializationDiscard(x)+28Bo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:byte_6FDED4,	0
		jnz	short loc_5FBBF2
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		push	esi
		push	edi
		mov	edi, offset ??_C@_01LFCBOECM@?4@FNODOBFM@
		mov	esi, [edx]

loc_5FBBCC:				; CODE XREF: DisplayFilter(x)+29j
		movzx	eax, byte ptr [esi+ecx]
		cmp	al, [edi+ecx]
		jnz	short loc_5FBBDF
		inc	ecx
		cmp	ecx, 2
		jnz	short loc_5FBBCC
		xor	eax, eax
		jmp	short loc_5FBBE4
; 

loc_5FBBDF:				; CODE XREF: DisplayFilter(x)+23j
		sbb	eax, eax
		or	eax, 1

loc_5FBBE4:				; CODE XREF: DisplayFilter(x)+2Dj
		pop	edi
		pop	esi
		test	eax, eax
		jnz	short loc_5FBBF2
		mov	dword ptr [edx], offset	byte_4253F8
		jmp	short loc_5FBC07
; 

loc_5FBBF2:				; CODE XREF: DisplayFilter(x)+Cj
					; DisplayFilter(x)+38j
		and	ds:dword_6D4D50, 0
		mov	cl, 1
		mov	ds:byte_6FDED4,	1
		call	DisplayBootBitmap

loc_5FBC07:				; CODE XREF: DisplayFilter(x)+40j
		pop	ebp
		retn	4
_DisplayFilter@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringCbCatExA(x, x, x, x, x, x)
_RtlStringCbCatExA@24 proc near		; CODE XREF: INIT:00ACD776p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		push	edi
		push	eax
		mov	edi, ecx
		mov	[ebp+var_4], offset ??_C@_02KEGNLNML@?0?5@PBOPGDP@
		call	RtlStringLengthWorkerA
		mov	edx, eax
		test	edx, edx
		js	loc_5FBCB3
		mov	eax, [ebp+var_8]
		push	ebx
		push	esi
		push	0
		push	ecx
		mov	esi, 100h
		lea	ecx, [ebp+var_4]
		lea	ebx, [eax+edi]
		sub	esi, eax
		call	RtlStringExValidateSrcA
		mov	edx, eax
		test	edx, edx
		js	short loc_5FBC97
		cmp	esi, 1
		ja	short loc_5FBC72
		mov	ecx, [ebp+var_4]
		cmp	byte ptr [ecx],	0
		jz	short loc_5FBC93
		test	edi, edi
		jnz	short loc_5FBC6B
		mov	edx, 0C000000Dh
		jmp	short loc_5FBCB1
; 

loc_5FBC6B:				; CODE XREF: RtlStringCbCatExA(x,x,x,x,x,x)+57j
		mov	edx, 80000005h
		jmp	short loc_5FBC93
; 

loc_5FBC72:				; CODE XREF: RtlStringCbCatExA(x,x,x,x,x,x)+4Bj
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		push	ecx
		push	[ebp+var_4]
		mov	edx, esi
		mov	ecx, ebx
		push	eax
		call	RtlStringCopyWorkerA
		add	ebx, [ebp+var_8]
		mov	edx, eax
		sub	esi, [ebp+var_8]
		test	edx, edx
		js	short loc_5FBC97

loc_5FBC93:				; CODE XREF: RtlStringCbCatExA(x,x,x,x,x,x)+53j
					; RtlStringCbCatExA(x,x,x,x,x,x)+65j
		test	edx, edx
		jns	short loc_5FBC9F

loc_5FBC97:				; CODE XREF: RtlStringCbCatExA(x,x,x,x,x,x)+46j
					; RtlStringCbCatExA(x,x,x,x,x,x)+86j
		cmp	edx, 80000005h
		jnz	short loc_5FBCB1

loc_5FBC9F:				; CODE XREF: RtlStringCbCatExA(x,x,x,x,x,x)+8Aj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_5FBCA8
		mov	[eax], ebx

loc_5FBCA8:				; CODE XREF: RtlStringCbCatExA(x,x,x,x,x,x)+99j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_5FBCB1
		mov	[eax], esi

loc_5FBCB1:				; CODE XREF: RtlStringCbCatExA(x,x,x,x,x,x)+5Ej
					; RtlStringCbCatExA(x,x,x,x,x,x)+92j ...
		pop	esi
		pop	ebx

loc_5FBCB3:				; CODE XREF: RtlStringCbCatExA(x,x,x,x,x,x)+22j
		mov	eax, edx
		pop	edi
		leave
		retn	10h
_RtlStringCbCatExA@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl RtlStringCbPrintfExA(int,int,int,int,int,char *,char)
_RtlStringCbPrintfExA proc near		; CODE XREF: KiDisplayBlueScreen(x)+104p
					; Phase1InitializationDiscard(x)+33Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	[ebp+arg_10]
		mov	edi, [ebp+arg_4]
		mov	edx, edi
		push	ecx
		mov	ecx, ebx
		call	RtlStringExValidateDestA
		mov	esi, eax
		test	esi, esi
		js	loc_5FBDCD
		push	[ebp+arg_10]
		mov	[ebp+var_4], ebx
		push	ecx
		lea	ecx, [ebp+arg_14]
		mov	[ebp+arg_4], edx
		call	RtlStringExValidateSrcA
		mov	esi, eax
		xor	eax, eax
		test	esi, esi
		js	short loc_5FBD7A
		test	[ebp+arg_10], 0FFFFE000h
		jz	short loc_5FBD11
		mov	esi, 0C000000Dh
		test	edi, edi
		jz	short loc_5FBD84
		mov	[ebx], al
		jmp	short loc_5FBD84
; 

loc_5FBD11:				; CODE XREF: _RtlStringCbPrintfExA+48j
		test	edi, edi
		jnz	short loc_5FBD31
		mov	eax, [ebp+arg_14]
		cmp	byte ptr [eax],	0
		jz	short loc_5FBD80
		mov	esi, ebx
		neg	esi
		sbb	esi, esi
		and	esi, 0BFFFFFF8h
		add	esi, 0C000000Dh
		jmp	short loc_5FBD80
; 

loc_5FBD31:				; CODE XREF: _RtlStringCbPrintfExA+59j
		mov	[ebp+arg_4], eax
		mov	ecx, ebx	; char *
		lea	eax, [ebp+arg_18]
		push	eax		; va_list
		push	[ebp+arg_14]	; char *
		lea	eax, [ebp+arg_4]
		push	eax		; int
		call	RtlStringVPrintfWorkerA
		mov	esi, eax
		mov	edx, edi
		mov	eax, [ebp+arg_4]
		sub	edx, eax
		mov	[ebp+var_8], edx
		mov	[ebp+arg_4], edx
		lea	ecx, [eax+ebx]
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	short loc_5FBD84
		test	[ebp+arg_10], 200h
		jz	short loc_5FBD80
		cmp	edx, 1
		jbe	short loc_5FBD80
		push	[ebp+arg_10]
		call	RtlStringExHandleFillBehindNullA
		mov	edx, [ebp+var_8]
		jmp	short loc_5FBD80
; 

loc_5FBD7A:				; CODE XREF: _RtlStringCbPrintfExA+3Fj
		test	edi, edi
		jz	short loc_5FBD80
		mov	[ebx], al

loc_5FBD80:				; CODE XREF: _RtlStringCbPrintfExA+61j
					; _RtlStringCbPrintfExA+75j ...
		test	esi, esi
		jns	short loc_5FBDB6

loc_5FBD84:				; CODE XREF: _RtlStringCbPrintfExA+51j
					; _RtlStringCbPrintfExA+55j ...
		test	[ebp+arg_10], 1C00h
		jz	short loc_5FBDAA
		test	edi, edi
		jz	short loc_5FBDAA
		push	[ebp+arg_10]	; int
		lea	eax, [ebp+arg_4]
		mov	edx, edi	; size_t
		push	eax		; int
		lea	eax, [ebp+var_4]
		mov	ecx, ebx	; void *
		push	eax		; int
		push	0		; int
		call	RtlStringExHandleOtherFlagsA
		mov	edx, [ebp+arg_4]

loc_5FBDAA:				; CODE XREF: _RtlStringCbPrintfExA+D1j
					; _RtlStringCbPrintfExA+D5j
		test	esi, esi
		jns	short loc_5FBDB6
		cmp	esi, 80000005h
		jnz	short loc_5FBDD4

loc_5FBDB6:				; CODE XREF: _RtlStringCbPrintfExA+C8j
					; _RtlStringCbPrintfExA+F2j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_5FBDC2
		mov	eax, [ebp+var_4]
		mov	[ecx], eax

loc_5FBDC2:				; CODE XREF: _RtlStringCbPrintfExA+101j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_5FBDD4
		mov	[eax], edx
		jmp	short loc_5FBDD4
; 

loc_5FBDCD:				; CODE XREF: _RtlStringCbPrintfExA+21j
		test	edi, edi
		jz	short loc_5FBDD4
		mov	byte ptr [ebx],	0

loc_5FBDD4:				; CODE XREF: _RtlStringCbPrintfExA+FAj
					; _RtlStringCbPrintfExA+10Dj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_RtlStringCbPrintfExA endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringExHandleFillBehindNullA proc near ; CODE XREF:	_RtlStringCbPrintfExA+B6p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	edx, 1
		jbe	short loc_5FBDFA
		lea	eax, [edx-1]
		push	eax		; size_t
		movzx	eax, [ebp+arg_0]
		push	eax		; int
		lea	eax, [ecx+1]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_5FBDFA:				; CODE XREF: RtlStringExHandleFillBehindNullA+8j
		xor	eax, eax
		pop	ebp
		retn	4
RtlStringExHandleFillBehindNullA endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlStringExHandleOtherFlagsA(void *,size_t,int,int,int,int)
RtlStringExHandleOtherFlagsA proc near	; CODE XREF: _RtlStringCbPrintfExA+E8p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	ebx
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		test	edi, edi
		jz	short loc_5FBE33
		test	eax, 1000h
		jz	short loc_5FBE33
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		lea	edx, [ebx+ecx]
		mov	[eax], edx
		mov	eax, edi
		sub	eax, ecx
		mov	byte ptr [edx],	0
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		mov	eax, [ebp+arg_C]

loc_5FBE33:				; CODE XREF: RtlStringExHandleOtherFlagsA+10j
					; RtlStringExHandleOtherFlagsA+17j
		test	eax, 400h
		jz	short loc_5FBE79
		push	esi
		movzx	esi, al
		push	edi		; size_t
		push	esi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		pop	esi
		jnz	short loc_5FBE5D
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		mov	[edx], ebx
		mov	[ecx], edi

loc_5FBE58:				; CODE XREF: RtlStringExHandleOtherFlagsA+77j
		mov	eax, [ebp+arg_C]
		jmp	short loc_5FBE7F
; 

loc_5FBE5D:				; CODE XREF: RtlStringExHandleOtherFlagsA+4Cj
		test	edi, edi
		jz	short loc_5FBE91
		mov	edx, [ebp+arg_4]
		lea	eax, [edi-1]
		mov	ecx, [ebp+arg_8]
		add	eax, ebx
		mov	[edx], eax
		mov	dword ptr [ecx], 1
		mov	byte ptr [eax],	0
		jmp	short loc_5FBE58
; 

loc_5FBE79:				; CODE XREF: RtlStringExHandleOtherFlagsA+38j
		mov	ecx, [ebp+arg_8]
		mov	edx, [ebp+arg_4]

loc_5FBE7F:				; CODE XREF: RtlStringExHandleOtherFlagsA+5Bj
		test	edi, edi
		jz	short loc_5FBE91
		test	eax, 800h
		jz	short loc_5FBE91
		mov	[edx], ebx
		mov	[ecx], edi
		mov	byte ptr [ebx],	0

loc_5FBE91:				; CODE XREF: RtlStringExHandleOtherFlagsA+5Fj
					; RtlStringExHandleOtherFlagsA+81j ...
		pop	edi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	10h
RtlStringExHandleOtherFlagsA endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringLengthWorkerA proc near	; CODE XREF: RtlStringCbCatExA(x,x,x,x,x,x)+19p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, 100h
		mov	edx, esi

loc_5FBEA7:				; CODE XREF: RtlStringLengthWorkerA+17j
		cmp	byte ptr [ecx],	0
		jz	short loc_5FBEB2
		inc	ecx
		sub	edx, 1
		jnz	short loc_5FBEA7

loc_5FBEB2:				; CODE XREF: RtlStringLengthWorkerA+11j
		mov	ecx, [ebp+arg_0]
		mov	eax, edx
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFF3h
		add	eax, 0C000000Dh
		test	ecx, ecx
		jz	short loc_5FBED6
		test	edx, edx
		jz	short loc_5FBED3
		sub	esi, edx
		mov	[ecx], esi
		jmp	short loc_5FBED6
; 

loc_5FBED3:				; CODE XREF: RtlStringLengthWorkerA+32j
		and	dword ptr [ecx], 0

loc_5FBED6:				; CODE XREF: RtlStringLengthWorkerA+2Ej
					; RtlStringLengthWorkerA+38j
		pop	esi
		leave
		retn	4
RtlStringLengthWorkerA endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSIZETMult(x, x, x)
_RtlSIZETMult@12 proc near		; CODE XREF: PopBootStatCheckIntegrity(x)+44p
					; INIT:00ACD1CBp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ecx
		mov	ecx, [ebp+arg_0]
		mul	edx
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		pop	ebp
		retn	4
_RtlSIZETMult@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

___report_rangecheckfailure proc near	; CODE XREF: .text:loc_518259p
					; LdrpGetResourceFileName:loc_5798C6p ...

arg_4		= dword	ptr  8

		push	0
		push	ds:___security_cookie_complement
		push	ds:___security_cookie
		push	8
		push	0F7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall CcCoalescingCallBack(x, x, x)
_CcCoalescingCallBack@12:		; DATA XREF: INIT:00AC34F1o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		lea	edx, [ebp+arg_4]
		push	0
		mov	ecx, offset _CcCoalescingCallBackHelper@8 ; CcCoalescingCallBackHelper(x,x)
		mov	[ebp+arg_4], eax
		call	CcForEachPartition
		pop	ebp
		retn	0Ch
___report_rangecheckfailure endp ; sp =	-14h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcCoalescingCallBackHelper(x, x)
_CcCoalescingCallBackHelper@8 proc near	; DATA XREF: ___report_rangecheckfailure+28o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		sub	eax, 1
		jz	loc_5FBFDA
		sub	eax, 1
		jz	short loc_5FBFAF
		sub	eax, 1
		jnz	loc_5FC05F
		mov	esi, [ebp+arg_0]
		lea	edx, [ebp+var_C]
		lea	ecx, [esi+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	ecx, ecx
		push	0
		lea	edx, [ecx+1]
		mov	ecx, esi
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		jmp	short loc_5FBFCD
; 

loc_5FBF77:				; CODE XREF: CcCoalescingCallBackHelper(x,x)+ABj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5FBF9A
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	loc_5FC056
		call	KxWaitForLockChainValid

loc_5FBF9A:				; CODE XREF: CcCoalescingCallBackHelper(x,x)+51j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_5FC056
; 

loc_5FBFAF:				; CODE XREF: CcCoalescingCallBackHelper(x,x)+23j
		mov	esi, [ebp+arg_0]
		lea	edx, [ebp+var_C]
		lea	ecx, [esi+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	edx, edx
		mov	byte ptr [esi+288h], 0
		mov	ecx, esi
		call	CcRescheduleLazyWriteScan

loc_5FBFCD:				; CODE XREF: CcCoalescingCallBackHelper(x,x)+4Aj
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5FBF77
		jmp	short loc_5FC01A
; 

loc_5FBFDA:				; CODE XREF: CcCoalescingCallBackHelper(x,x)+1Aj
		mov	esi, [ebp+arg_0]
		lea	edx, [ebp+var_C]
		lea	ecx, [esi+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	eax, eax
		mov	byte ptr [esi+190h], 0
		inc	eax
		cmp	dword ptr [esi+198h], 2000h
		mov	[esi+288h], al
		jb	short loc_5FC012
		push	0
		mov	dl, al
		mov	ecx, esi
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		xor	eax, eax
		inc	eax

loc_5FC012:				; CODE XREF: CcCoalescingCallBackHelper(x,x)+D7j
		test	ds:byte_70EFC6,	al
		jz	short loc_5FC027

loc_5FC01A:				; CODE XREF: CcCoalescingCallBackHelper(x,x)+ADj
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FC056
; 

loc_5FC027:				; CODE XREF: CcCoalescingCallBackHelper(x,x)+EDj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5FC046
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5FC056
		call	KxWaitForLockChainValid

loc_5FC046:				; CODE XREF: CcCoalescingCallBackHelper(x,x)+101j
		lea	ecx, [eax+4]
		mov	[ebp+var_C], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax

loc_5FC056:				; CODE XREF: CcCoalescingCallBackHelper(x,x)+64j
					; CcCoalescingCallBackHelper(x,x)+7Fj ...
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5FC05F:				; CODE XREF: CcCoalescingCallBackHelper(x,x)+28j
		xor	eax, eax
		pop	edi
		inc	eax
		pop	esi
		leave
		retn	8
_CcCoalescingCallBackHelper@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcCrossPartitionDrainSectionDeletion()
_CcCrossPartitionDrainSectionDeletion@0	proc near ; CODE XREF: CcErrorCallbackRoutine(x)+11p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		mov	esi, ds:_CcSectionDeletionSequencePhase1
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		mov	edi, ds:dword_6CE9BC
		cmp	ds:dword_6CE9AC, edi
		ja	short loc_5FC0B0
		jnb	short loc_5FC0A8

loc_5FC090:				; CODE XREF: CcCrossPartitionDrainSectionDeletion()+3Cj
					; CcCrossPartitionDrainSectionDeletion()+46j
		push	offset _Cc10Milliseconds
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		cmp	ds:dword_6CE9AC, edi
		jb	short loc_5FC090
		ja	short loc_5FC0B0

loc_5FC0A8:				; CODE XREF: CcCrossPartitionDrainSectionDeletion()+26j
		cmp	ds:_CcSectionDeletionSequencePhase2, esi
		jb	short loc_5FC090

loc_5FC0B0:				; CODE XREF: CcCrossPartitionDrainSectionDeletion()+24j
					; CcCrossPartitionDrainSectionDeletion()+3Ej
		lea	edx, [ebp+var_C]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	ds:dword_6FDEF4, edi
		ja	short loc_5FC0DB
		jb	short loc_5FC0CF
		cmp	ds:_CcSectionDeletionSequencePhase3, esi
		jnb	short loc_5FC0DB

loc_5FC0CF:				; CODE XREF: CcCrossPartitionDrainSectionDeletion()+5Dj
		mov	ds:_CcSectionDeletionSequencePhase3, esi
		mov	ds:dword_6FDEF4, edi

loc_5FC0DB:				; CODE XREF: CcCrossPartitionDrainSectionDeletion()+5Bj
					; CcCrossPartitionDrainSectionDeletion()+65j
		test	ds:byte_70EFC6,	1
		pop	edi
		pop	esi
		jz	short loc_5FC0F3
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FC122
; 

loc_5FC0F3:				; CODE XREF: CcCrossPartitionDrainSectionDeletion()+7Cj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5FC112
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5FC122
		call	KxWaitForLockChainValid

loc_5FC112:				; CODE XREF: CcCrossPartitionDrainSectionDeletion()+90j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5FC122:				; CODE XREF: CcCrossPartitionDrainSectionDeletion()+89j
					; CcCrossPartitionDrainSectionDeletion()+A3j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn
_CcCrossPartitionDrainSectionDeletion@0	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 201. CcGetFileObjectFromBcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcGetFileObjectFromBcb(x)
		public _CcGetFileObjectFromBcb@4
_CcGetFileObjectFromBcb@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+70h]
		mov	eax, [eax+44h]
		and	eax, 0FFFFFFF8h
		pop	ebp
		retn	4
_CcGetFileObjectFromBcb@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 202. CcGetFileObjectFromSectionPtrs

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcGetFileObjectFromSectionPtrs(x)
		public _CcGetFileObjectFromSectionPtrs@4
_CcGetFileObjectFromSectionPtrs@4 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		mov	ecx, offset _CcMasterLock
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		xor	esi, esi
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_5FC184
		mov	esi, [eax+44h]
		and	esi, 0FFFFFFF8h
		or	dword ptr [eax+60h], 100000h

loc_5FC184:				; CODE XREF: CcGetFileObjectFromSectionPtrs(x)+29j
		test	ds:byte_70EFC6,	1
		jz	short loc_5FC19A
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FC1C9
; 

loc_5FC19A:				; CODE XREF: CcGetFileObjectFromSectionPtrs(x)+3Fj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5FC1B9
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5FC1C9
		call	KxWaitForLockChainValid

loc_5FC1B9:				; CODE XREF: CcGetFileObjectFromSectionPtrs(x)+53j
		xor	edx, edx
		mov	[ebp+var_C], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx

loc_5FC1C9:				; CODE XREF: CcGetFileObjectFromSectionPtrs(x)+4Cj
					; CcGetFileObjectFromSectionPtrs(x)+66j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
_CcGetFileObjectFromSectionPtrs@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 203. CcGetFileObjectFromSectionPtrsRef

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcGetFileObjectFromSectionPtrsRef(x)
		public _CcGetFileObjectFromSectionPtrsRef@4
_CcGetFileObjectFromSectionPtrsRef@4 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		mov	ecx, offset _CcMasterLock
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		xor	esi, esi
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_5FC21C
		mov	esi, [eax+44h]
		mov	edx, 746C6644h
		and	esi, 0FFFFFFF8h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag

loc_5FC21C:				; CODE XREF: CcGetFileObjectFromSectionPtrsRef(x)+29j
		test	ds:byte_70EFC6,	1
		jz	short loc_5FC232
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FC261
; 

loc_5FC232:				; CODE XREF: CcGetFileObjectFromSectionPtrsRef(x)+44j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5FC251
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5FC261
		call	KxWaitForLockChainValid

loc_5FC251:				; CODE XREF: CcGetFileObjectFromSectionPtrsRef(x)+58j
		xor	edx, edx
		mov	[ebp+var_C], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx

loc_5FC261:				; CODE XREF: CcGetFileObjectFromSectionPtrsRef(x)+51j
					; CcGetFileObjectFromSectionPtrsRef(x)+6Bj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
_CcGetFileObjectFromSectionPtrsRef@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 231. CcSetDirtyPageThreshold

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcSetDirtyPageThreshold(x, x)
		public _CcSetDirtyPageThreshold@8
_CcSetDirtyPageThreshold@8 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [edx+14h]
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_5FC292
		mov	eax, [ebp+arg_4]
		mov	[ecx+0A8h], eax

loc_5FC292:				; CODE XREF: CcSetDirtyPageThreshold(x,x)+10j
		mov	ecx, [edx+0Ch]
		mov	al, [ecx+4]
		test	al, 4
		jnz	short loc_5FC2A1
		or	al, 4
		mov	[ecx+4], al

loc_5FC2A1:				; CODE XREF: CcSetDirtyPageThreshold(x,x)+23j
		pop	ebp
		retn	8
_CcSetDirtyPageThreshold@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 182. CcAddDirtyPagesToExternalCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcAddDirtyPagesToExternalCache(x, x)
		public _CcAddDirtyPagesToExternalCache@8
_CcAddDirtyPagesToExternalCache@8 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		mov	eax, ds:_PspSystemPartition
		mov	ebx, [eax+4]
		test	esi, esi
		jz	loc_5FC351
		mov	edi, [ebp+arg_0]
		lea	ecx, [ebx+40h]
		lea	edx, [ebp+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [edi+4]
		test	eax, eax
		jnz	short loc_5FC2F2
		push	eax
		xor	dl, dl
		mov	ecx, ebx
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		mov	eax, [edi+4]

loc_5FC2F2:				; CODE XREF: CcAddDirtyPagesToExternalCache(x,x)+39j
		push	esi
		add	eax, esi
		xor	edx, edx
		push	0
		xor	ecx, ecx
		mov	[edi+4], eax
		call	CcChargeDirtyPages
		test	ds:byte_70EFC6,	1
		jz	short loc_5FC319
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FC348
; 

loc_5FC319:				; CODE XREF: CcAddDirtyPagesToExternalCache(x,x)+60j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5FC338
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5FC348
		call	KxWaitForLockChainValid

loc_5FC338:				; CODE XREF: CcAddDirtyPagesToExternalCache(x,x)+74j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5FC348:				; CODE XREF: CcAddDirtyPagesToExternalCache(x,x)+6Dj
					; CcAddDirtyPagesToExternalCache(x,x)+87j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5FC351:				; CODE XREF: CcAddDirtyPagesToExternalCache(x,x)+20j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_CcAddDirtyPagesToExternalCache@8 endp

; 

; __stdcall CcAddExternalCache(x)
_CcAddExternalCache@4:			; CODE XREF: CcRegisterExternalCache(x,x)+40p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _CcExternalCacheListLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:dword_6CE714
		mov	eax, offset _CcExternalCacheList
		add	esi, 10h
		cmp	[ecx], eax
		jz	short loc_5FC38D
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5FC38D:				; CODE XREF: .text:005FC386j
		mov	[esi], eax
		mov	eax, ds:_CcNumberOfExternalCaches
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	ds:dword_6CE714, esi
		lea	edx, [eax+1]
		cmp	edx, eax
		jbe	short loc_5FC3D2
		test	ds:byte_70EFC6,	1
		mov	ds:_CcNumberOfExternalCaches, edx
		jz	short loc_5FC3C1
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5FC3C6
; 

loc_5FC3C1:				; CODE XREF: .text:005FC3B3j
		xor	eax, eax
		lock and [edi],	eax

loc_5FC3C6:				; CODE XREF: .text:005FC3BFj
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_5FC3D2:				; CODE XREF: .text:005FC3A4j
		push	0
		push	0
		push	0C0000420h
		push	137Eh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 0CCh
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 191. CcDeductDirtyPagesFromExternalCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcDeductDirtyPagesFromExternalCache(x, x)
		public _CcDeductDirtyPagesFromExternalCache@8
_CcDeductDirtyPagesFromExternalCache@8 proc near
					; CODE XREF: CcUnregisterExternalCache(x)+14p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		mov	eax, ds:_PspSystemPartition
		mov	edi, [eax+4]
		test	esi, esi
		jz	short loc_5FC488
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	ecx, [edi+40h]
		lea	edx, [ebp+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebx+4]
		cmp	eax, esi
		jnb	short loc_5FC426
		mov	esi, eax

loc_5FC426:				; CODE XREF: CcDeductDirtyPagesFromExternalCache(x,x)+35j
		sub	eax, esi
		mov	[ebx+4], eax
		mov	eax, ds:_PspSystemPartition
		pop	ebx
		mov	eax, [eax+4]
		sub	[eax+198h], esi
		test	ds:byte_70EFC6,	1
		jz	short loc_5FC450
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FC47F
; 

loc_5FC450:				; CODE XREF: CcDeductDirtyPagesFromExternalCache(x,x)+54j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5FC46F
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5FC47F
		call	KxWaitForLockChainValid

loc_5FC46F:				; CODE XREF: CcDeductDirtyPagesFromExternalCache(x,x)+68j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5FC47F:				; CODE XREF: CcDeductDirtyPagesFromExternalCache(x,x)+61j
					; CcDeductDirtyPagesFromExternalCache(x,x)+7Bj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5FC488:				; CODE XREF: CcDeductDirtyPagesFromExternalCache(x,x)+1Fj
		lea	eax, [edi+204h]
		cmp	[eax], eax
		jz	short loc_5FC499
		mov	ecx, edi
		call	_CcPostDeferredWrites@4	; CcPostDeferredWrites(x)

loc_5FC499:				; CODE XREF: CcDeductDirtyPagesFromExternalCache(x,x)+A3j
		pop	edi
		pop	esi
		leave
		retn	8
_CcDeductDirtyPagesFromExternalCache@8 endp


;  S U B	R O U T	I N E 


; __stdcall CcExceptionFilter(x)
_CcExceptionFilter@4 proc near		; CODE XREF: sub_5AA9AA+Dp
		mov	edi, edi
		push	ecx
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	eax, ecx
		retn
_CcExceptionFilter@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcLogExtraWBThreadAction(x,	x)
_CcLogExtraWBThreadAction@8 proc near	; CODE XREF: CcWorkerThread+12813Bp
					; CcWorkerThread+1281E9p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	esi, ecx
		mov	ebx, edx
		lea	edx, [ebp+var_14]
		stosd
		lea	ecx, [esi+40h]
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	ds:byte_70EFC6,	1
		mov	eax, [esi+1A8h]
		mov	edi, [esi+198h]
		mov	[ebp+var_4], eax
		mov	eax, [esi+0C4h]
		mov	[ebp+var_8], eax
		jz	short loc_5FC501
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FC530
; 

loc_5FC501:				; CODE XREF: CcLogExtraWBThreadAction(x,x)+41j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5FC520
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5FC530
		call	KxWaitForLockChainValid

loc_5FC520:				; CODE XREF: CcLogExtraWBThreadAction(x,x)+55j
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5FC530:				; CODE XREF: CcLogExtraWBThreadAction(x,x)+4Ej
					; CcLogExtraWBThreadAction(x,x)+68j
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esi+4]
		mov	ecx, ebx
		mov	edx, [ebp+var_8]
		mov	eax, [eax]
		push	dword ptr [eax+0FC0h]
		push	[ebp+var_4]
		push	edi
		call	_CcPerfLogExtraWBThreadAction@20 ; CcPerfLogExtraWBThreadAction(x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CcLogExtraWBThreadAction@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcNotifyExternalCaches(x)
_CcNotifyExternalCaches@4 proc near	; CODE XREF: CcQueueLazyWriteScanThread+875FDp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:_PspSystemPartition
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	esi, [eax+4]
		mov	[ebp+var_4], ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _CcExternalCacheListLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		and	[ebp+var_14], 0
		lea	ecx, [esi+40h]
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_10], ecx
		jz	short loc_5FC5A1
		mov	edx, ecx
		lea	ecx, [ebp+var_14]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FC5B2
; 

loc_5FC5A1:				; CODE XREF: CcNotifyExternalCaches(x)+3Cj
		lea	edx, [ebp+var_14]
		xchg	edx, [ecx]
		test	edx, edx
		jz	short loc_5FC5B2
		lea	ecx, [ebp+var_14]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5FC5B2:				; CODE XREF: CcNotifyExternalCaches(x)+48j
					; CcNotifyExternalCaches(x)+51j
		mov	edx, [ebp+var_4]
		lea	eax, [esi+1A8h]
		push	edi
		push	0
		push	eax
		lea	edi, [esi+198h]
		mov	ecx, esi
		push	edi
		call	_CcCalculatePagesToWrite@20 ; CcCalculatePagesToWrite(x,x,x,x,x)
		push	64h
		pop	ecx
		mov	[ebp+var_8], ecx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_5FC5DC
		mov	edi, ecx
		jmp	short loc_5FC5EF
; 

loc_5FC5DC:				; CODE XREF: CcNotifyExternalCaches(x)+7Fj
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_5FC5ED
		imul	eax, 64h
		xor	edx, edx
		div	ecx
		mov	edi, eax
		jmp	short loc_5FC5EF
; 

loc_5FC5ED:				; CODE XREF: CcNotifyExternalCaches(x)+89j
		xor	edi, edi

loc_5FC5EF:				; CODE XREF: CcNotifyExternalCaches(x)+83j
					; CcNotifyExternalCaches(x)+94j
		test	ds:byte_70EFC6,	1
		jz	short loc_5FC605
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FC634
; 

loc_5FC605:				; CODE XREF: CcNotifyExternalCaches(x)+9Fj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5FC624
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5FC634
		call	KxWaitForLockChainValid

loc_5FC624:				; CODE XREF: CcNotifyExternalCaches(x)+B3j
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5FC634:				; CODE XREF: CcNotifyExternalCaches(x)+ACj
					; CcNotifyExternalCaches(x)+C6j
		test	edi, edi
		jz	short loc_5FC663
		mov	esi, ds:_CcExternalCacheList
		jmp	short loc_5FC65B
; 

loc_5FC640:				; CODE XREF: CcNotifyExternalCaches(x)+10Aj
		lea	ecx, [esi-10h]
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_5FC659
		imul	eax, edi
		xor	edx, edx
		push	[ebp+var_4]
		div	[ebp+var_8]
		push	eax
		push	ecx
		call	dword ptr [ecx]

loc_5FC659:				; CODE XREF: CcNotifyExternalCaches(x)+F1j
		mov	esi, [esi]

loc_5FC65B:				; CODE XREF: CcNotifyExternalCaches(x)+E7j
		cmp	esi, offset _CcExternalCacheList
		jnz	short loc_5FC640

loc_5FC663:				; CODE XREF: CcNotifyExternalCaches(x)+DFj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _CcExternalCacheListLock
		pop	edi
		jz	short loc_5FC67C
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5FC681
; 

loc_5FC67C:				; CODE XREF: CcNotifyExternalCaches(x)+119j
		xor	eax, eax
		lock and [ecx],	eax

loc_5FC681:				; CODE XREF: CcNotifyExternalCaches(x)+123j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebx
		leave
		retn
_CcNotifyExternalCaches@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcOkToAddWriteBehindThread(x)
_CcOkToAddWriteBehindThread@4 proc near	; CODE XREF: CcWorkerThread+12808Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	esi, [ebx+1D0h]
		mov	edi, [ebx+0C4h]
		mov	edx, [ebx+144h]
		mov	eax, [esi+edi*8]
		mov	ecx, eax
		sub	ecx, edx
		mov	[esi+edi*8], edx
		cmp	eax, edx
		mov	edx, [ebx+1D0h]
		sbb	eax, eax
		xor	esi, esi
		not	eax
		inc	esi
		and	eax, ecx
		mov	ecx, [ebx+0C4h]
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jz	short loc_5FC6DD
		mov	edi, [edx+ecx*8-4]
		jmp	short loc_5FC6E0
; 

loc_5FC6DD:				; CODE XREF: CcOkToAddWriteBehindThread(x)+48j
		mov	edi, [ebp+var_4]

loc_5FC6E0:				; CODE XREF: CcOkToAddWriteBehindThread(x)+4Ej
		mov	[edx+ecx*8+4], eax
		test	eax, eax
		jz	loc_5FC76F
		mov	eax, [ebx+1D4h]
		cmp	[ebp+var_8], edi
		jb	short loc_5FC700
		test	eax, eax
		jns	short loc_5FC6FD
		xor	eax, eax

loc_5FC6FD:				; CODE XREF: CcOkToAddWriteBehindThread(x)+6Cj
		inc	eax
		jmp	short loc_5FC707
; 

loc_5FC700:				; CODE XREF: CcOkToAddWriteBehindThread(x)+68j
		test	eax, eax
		jle	short loc_5FC706
		xor	eax, eax

loc_5FC706:				; CODE XREF: CcOkToAddWriteBehindThread(x)+75j
		dec	eax

loc_5FC707:				; CODE XREF: CcOkToAddWriteBehindThread(x)+71j
		mov	[ebx+1D4h], eax
		cmp	eax, 3
		jnz	short loc_5FC741
		and	dword ptr [ebx+1D4h], 0
		mov	ecx, [ebx+0C4h]
		push	2
		pop	esi
		cmp	ecx, [ebx+0C8h]
		jnb	short loc_5FC76F
		mov	eax, [ebx+144h]
		mov	[edx+ecx*8+8], eax
		mov	eax, [ebx+0C4h]
		and	dword ptr [edx+eax*8+0Ch], 0
		jmp	short loc_5FC76F
; 

loc_5FC741:				; CODE XREF: CcOkToAddWriteBehindThread(x)+83j
		cmp	eax, 0FFFFFFFDh
		jnz	short loc_5FC76F
		and	dword ptr [ebx+1D4h], 0
		mov	eax, [ebx+0C4h]
		push	3
		pop	esi
		test	eax, eax
		jz	short loc_5FC76F
		mov	ecx, [ebx+144h]
		mov	[edx+eax*8-8], ecx
		mov	ecx, [ebx+0C4h]
		and	dword ptr [edx+ecx*8-4], 0

loc_5FC76F:				; CODE XREF: CcOkToAddWriteBehindThread(x)+59j
					; CcOkToAddWriteBehindThread(x)+9Bj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CcOkToAddWriteBehindThread@4 endp

; 

; __stdcall CcReEngageWorkerThreads(x, x, x)
_CcReEngageWorkerThreads@12:		; CODE XREF: CcWorkerThread+128043p
					; CcAdjustWriteBehindThreadPool+8D068p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	dword ptr [ebp-4], 0
		mov	eax, edx
		mov	[ebp-8], eax
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	eax, eax
		jz	short loc_5FC7ED
		lea	ebx, [esi+8Ch]

loc_5FC795:				; CODE XREF: .text:005FC7EBj
		mov	edi, [ebx]
		cmp	edi, ebx
		jz	short loc_5FC7ED
		cmp	[edi+4], ebx
		jnz	loc_5FC854
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	loc_5FC854
		mov	[ebx], eax
		mov	[eax+4], ebx
		xor	eax, eax
		inc	dword ptr [esi+88h]
		inc	eax
		lock xadd [esi+28Ch], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_5FC7D0
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5FC7D0:				; CODE XREF: .text:005FC7C9j
		and	dword ptr [edi], 0
		xor	edx, edx
		push	dword ptr [esi+4]
		mov	ecx, edi
		push	0FFFFFFFFh
		call	ExQueueWorkItemToPartition
		mov	eax, [ebp-4]
		inc	eax
		mov	[ebp-4], eax
		cmp	eax, [ebp-8]
		jb	short loc_5FC795

loc_5FC7ED:				; CODE XREF: .text:005FC78Dj
					; .text:005FC799j
		and	dword ptr [ebp-4], 0
		cmp	dword ptr [ebp+8], 0
		jbe	short loc_5FC84D
		lea	ebx, [esi+0BCh]

loc_5FC7FD:				; CODE XREF: .text:005FC84Bj
		mov	edi, [ebx]
		cmp	edi, ebx
		jz	short loc_5FC84D
		cmp	[edi+4], ebx
		jnz	short loc_5FC854
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_5FC854
		mov	[ebx], eax
		mov	[eax+4], ebx
		xor	eax, eax
		inc	dword ptr [esi+0C4h]
		inc	eax
		lock xadd [esi+28Ch], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_5FC830
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5FC830:				; CODE XREF: .text:005FC829j
		and	dword ptr [edi], 0
		xor	edx, edx
		push	dword ptr [esi+4]
		mov	ecx, edi
		push	0FFFFFFFFh
		call	ExQueueWorkItemToPartition
		mov	eax, [ebp-4]
		inc	eax
		mov	[ebp-4], eax
		cmp	eax, [ebp+8]
		jb	short loc_5FC7FD

loc_5FC84D:				; CODE XREF: .text:005FC7F5j
					; .text:005FC801j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_5FC854:				; CODE XREF: .text:005FC79Ej
					; .text:005FC7A9j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 223. CcRegisterExternalCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcRegisterExternalCache(x, x)
		public _CcRegisterExternalCache@8
_CcRegisterExternalCache@8 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	esi, esi
		cmp	ds:_CcInitializationComplete, esi
		jz	short loc_5FC8B1
		push	43456343h
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_5FC88D
		mov	esi, 0C000009Ah
		jmp	short loc_5FC8A9
; 

loc_5FC88D:				; CODE XREF: CcRegisterExternalCache(x,x)+26j
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, ebx
		rep stosd
		mov	ecx, [ebp+arg_0]
		mov	[ebx], ecx
		mov	ecx, ebx
		call	_CcAddExternalCache@4 ;	CcAddExternalCache(x)
		mov	ecx, [ebp+arg_4]
		pop	edi
		mov	[ecx], ebx

loc_5FC8A9:				; CODE XREF: CcRegisterExternalCache(x,x)+2Dj
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_5FC8B1:				; CODE XREF: CcRegisterExternalCache(x,x)+Fj
		push	esi
		push	esi
		push	0C0000420h
		push	1AEFh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_CcRegisterExternalCache@8 endp


; __stdcall CcRemoveExternalCache(x)
_CcRemoveExternalCache@4:		; CODE XREF: CcUnregisterExternalCache(x)+Bp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _CcExternalCacheListLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi+14h]
		add	esi, 10h
		mov	edx, [esi]
		cmp	[edx+4], esi
		jnz	short loc_5FC946
		cmp	[ecx], esi
		jnz	short loc_5FC946
		mov	eax, ds:_CcNumberOfExternalCaches
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	edx, [eax-1]
		cmp	edx, eax
		jnb	short loc_5FC931
		test	ds:byte_70EFC6,	1
		mov	ds:_CcNumberOfExternalCaches, edx
		jz	short loc_5FC920
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5FC925
; 

loc_5FC920:				; CODE XREF: .text:005FC912j
		xor	eax, eax
		lock and [edi],	eax

loc_5FC925:				; CODE XREF: .text:005FC91Ej
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_5FC931:				; CODE XREF: .text:005FC903j
		push	0
		push	0
		push	0C0000420h
		push	138Dh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5FC946:				; CODE XREF: .text:005FC8EEj
					; .text:005FC8F2j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 10h
; Exported entry 247. CcUnregisterExternalCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcUnregisterExternalCache(x)
		public _CcUnregisterExternalCache@4
_CcUnregisterExternalCache@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	_CcRemoveExternalCache@4 ; CcRemoveExternalCache(x)
		push	dword ptr [esi+4]
		push	esi
		call	_CcDeductDirtyPagesFromExternalCache@8 ; CcDeductDirtyPagesFromExternalCache(x,x)
		push	43456343h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebp
		retn	4
_CcUnregisterExternalCache@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 248. CcWaitForCurrentLazyWriterActivity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcWaitForCurrentLazyWriterActivity()
		public _CcWaitForCurrentLazyWriterActivity@0
_CcWaitForCurrentLazyWriterActivity@0 proc near	; CODE XREF: PopGracefulShutdown(x)+1DFp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	edx, [ebp+var_4]
		push	0
		mov	ecx, offset _CcWaitForCurrentLazyWriterActivityHelper@8	; CcWaitForCurrentLazyWriterActivityHelper(x,x)
		call	CcForEachPartition
		mov	eax, [ebp+var_4]
		leave
		retn
_CcWaitForCurrentLazyWriterActivity@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcWaitForCurrentLazyWriterActivityHelper(x,	x)
_CcWaitForCurrentLazyWriterActivityHelper@8 proc near
					; DATA XREF: CcWaitForCurrentLazyWriterActivity()+10o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_CcWaitForCurrentLazyWriterActivityInternal@4 ;	CcWaitForCurrentLazyWriterActivityInternal(x)
		mov	ecx, [ebp+arg_4]
		cmp	dword ptr [ecx], 0
		jl	short loc_5FC9B8
		test	eax, eax
		jns	short loc_5FC9B8
		mov	[ecx], eax

loc_5FC9B8:				; CODE XREF: CcWaitForCurrentLazyWriterActivityHelper(x,x)+13j
					; CcWaitForCurrentLazyWriterActivityHelper(x,x)+17j
		mov	al, 1
		pop	ebp
		retn	8
_CcWaitForCurrentLazyWriterActivityHelper@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcWaitForCurrentLazyWriterActivityInternal(x)
_CcWaitForCurrentLazyWriterActivityInternal@4 proc near
					; CODE XREF: CcWaitForCurrentLazyWriterActivityHelper(x,x)+8p
					; CcExitPartition(x,x)+35p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		xor	eax, eax
		lea	edx, [esp+2Ch+var_2C]
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+38h+var_10]
		xor	ebx, ebx
		stosd
		mov	esi, ecx
		mov	[esp+38h+var_2C], ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+38h+var_1C]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+38h+var_28]
		stosd
		stosd
		stosd
		call	_CcAllocateWorkQueueEntry@8 ; CcAllocateWorkQueueEntry(x,x)
		test	eax, eax
		js	loc_5FCACD
		mov	edi, [esp+38h+var_2C]
		lea	eax, [esp+38h+var_10]
		push	ebx
		push	ebx
		push	eax
		mov	byte ptr [edi+48h], 4
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+38h+var_10]
		mov	[edi+8], eax
		test	ds:dword_70EFD0, 20000h
		jz	short loc_5FCA36
		push	ebx
		push	ebx
		lea	ecx, [esi+0ACh]
		mov	edx, edi
		call	CcPerfLogWorkItemEnqueue

loc_5FCA36:				; CODE XREF: CcWaitForCurrentLazyWriterActivityInternal(x)+67j
		lea	ecx, [esi+40h]
		lea	edx, [esp+38h+var_1C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	eax, [esi+0ACh]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jz	short loc_5FCA54
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5FCA54:				; CODE XREF: CcWaitForCurrentLazyWriterActivityInternal(x)+8Fj
		mov	[edi], eax
		lea	ebx, [esi+0E0h]
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		mov	byte ptr [esi+191h], 1
		lock inc dword ptr [ebx]
		push	1
		mov	dl, 1
		mov	ecx, esi
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		lea	ecx, [esp+38h+var_1C]
		call	KeReleaseInStackQueuedSpinLock
		lea	edi, [esi+80h]
		jmp	short loc_5FCA9D
; 

loc_5FCA8A:				; CODE XREF: CcWaitForCurrentLazyWriterActivityInternal(x)+F5j
		call	KeReleaseInStackQueuedSpinLock
		push	offset _Cc5MicroSeconds
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)

loc_5FCA9D:				; CODE XREF: CcWaitForCurrentLazyWriterActivityInternal(x)+CAj
		lea	edx, [esp+38h+var_28]
		mov	ecx, edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	dword ptr [esi+0D4h], 0
		lea	ecx, [esp+38h+var_28]
		jnz	short loc_5FCA8A
		call	KeReleaseInStackQueuedSpinLock
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+48h+var_10]
		push	eax
		call	KeWaitForSingleObject
		lock dec dword ptr [ebx]

loc_5FCACD:				; CODE XREF: CcWaitForCurrentLazyWriterActivityInternal(x)+3Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_CcWaitForCurrentLazyWriterActivityInternal@4 endp


;  S U B	R O U T	I N E 


; __stdcall CcCopyReadExceptionFilter(x, x)
_CcCopyReadExceptionFilter@8 proc near	; CODE XREF: sub_5B0E49+6p
					; CcMapAndCopyInToCache+138671p ...
		mov	eax, [ecx]
		mov	eax, [eax]
		mov	[edx], eax
		cmp	eax, 0C0000006h
		jnz	short loc_5FCAEE
		mov	eax, [ecx]
		cmp	dword ptr [eax+10h], 3
		jb	short loc_5FCAEE
		mov	eax, [eax+1Ch]
		mov	[edx], eax

loc_5FCAEE:				; CODE XREF: CcCopyReadExceptionFilter(x,x)+Bj
					; CcCopyReadExceptionFilter(x,x)+13j
		xor	eax, eax
		inc	eax
		retn
_CcCopyReadExceptionFilter@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 188. CcCopyWrite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcCopyWrite(x, x, x, x, x)
		public _CcCopyWrite@20
_CcCopyWrite@20	proc near		; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+32Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	CcCopyWriteEx
		pop	ebp
		retn	14h
_CcCopyWrite@20	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 192. CcDeferWrite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcDeferWrite(x, x, x, x, x,	x)
		public _CcDeferWrite@24
_CcDeferWrite@24 proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		push	77446343h
		push	38h
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		pop	eax
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_5FCB5B
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	[ebp+arg_4]
		jmp	loc_5FCCC9
; 

loc_5FCB5B:				; CODE XREF: CcDeferWrite(x,x,x,x,x,x)+30j
		push	ebx
		push	esi
		lea	edx, [ebp+var_C]
		mov	ecx, offset _CcMasterLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [ebp+arg_0]
		call	_CcGetPartitionFromFileObject@4	; CcGetPartitionFromFileObject(x)
		mov	esi, eax
		xor	ebx, ebx
		inc	ebx
		mov	ecx, ebx
		lea	eax, [esi+28Ch]
		lock xadd [eax], ecx
		inc	ecx
		cmp	ecx, ebx
		jg	short loc_5FCB8D
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5FCB8D:				; CODE XREF: CcDeferWrite(x,x,x,x,x,x)+6Bj
		test	ds:byte_70EFC6,	1
		jz	short loc_5FCBA3
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FCBCF
; 

loc_5FCBA3:				; CODE XREF: CcDeferWrite(x,x,x,x,x,x)+79j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5FCBC2
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5FCBCF
		call	KxWaitForLockChainValid

loc_5FCBC2:				; CODE XREF: CcDeferWrite(x,x,x,x,x,x)+8Dj
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_5FCBCF:				; CODE XREF: CcDeferWrite(x,x,x,x,x,x)+86j
					; CcDeferWrite(x,x,x,x,x,x)+A0j
		mov	cl, [ebp+var_4]
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	ebx
		xor	ecx, ecx
		lea	edx, [esi+28Ch]
		inc	ecx
		mov	eax, ecx
		lock xadd [edx], eax
		inc	eax
		cmp	eax, ecx
		jg	short loc_5FCBF3
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5FCBF3:				; CODE XREF: CcDeferWrite(x,x,x,x,x,x)+D1j
		and	dword ptr [edi+14h], 0
		mov	eax, 2FCh
		mov	[edi], ax
		push	38h
		pop	eax
		mov	[edi+2], ax
		mov	eax, [ebp+arg_0]
		mov	[edi+4], eax
		mov	eax, [ebp+arg_10]
		mov	[edi+8], eax
		mov	eax, [ebp+arg_4]
		mov	[edi+18h], eax
		mov	eax, [ebp+arg_8]
		mov	[edi+1Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[edi+20h], eax
		lea	eax, [edi+30h]
		push	eax
		mov	[edi+24h], esi
		call	KeQueryTickCount
		cmp	[ebp+arg_14], 0
		lea	eax, [esi+240h]
		mov	byte ptr [edi+28h], 0
		lea	edx, [edi+0Ch]
		lea	ecx, [esi+204h]
		push	eax
		jz	short loc_5FCC51
		call	@ExfInterlockedInsertHeadList@12 ; ExfInterlockedInsertHeadList(x,x,x)
		jmp	short loc_5FCC56
; 

loc_5FCC51:				; CODE XREF: CcDeferWrite(x,x,x,x,x,x)+12Dj
		call	@ExfInterlockedInsertTailList@12 ; ExfInterlockedInsertTailList(x,x,x)

loc_5FCC56:				; CODE XREF: CcDeferWrite(x,x,x,x,x,x)+134j
		mov	ecx, esi
		call	_CcPostDeferredWrites@4	; CcPostDeferredWrites(x)
		lea	ecx, [esi+40h]
		lea	edx, [ebp+var_18]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	eax, eax
		mov	ecx, esi
		push	0
		lea	edx, [eax+1]
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_5FCC8C
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FCCBB
; 

loc_5FCC8C:				; CODE XREF: CcDeferWrite(x,x,x,x,x,x)+162j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_5FCCAB
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	short loc_5FCCBB
		call	KxWaitForLockChainValid

loc_5FCCAB:				; CODE XREF: CcDeferWrite(x,x,x,x,x,x)+176j
		xor	ecx, ecx
		mov	[ebp+var_18], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5FCCBB:				; CODE XREF: CcDeferWrite(x,x,x,x,x,x)+16Fj
					; CcDeferWrite(x,x,x,x,x,x)+189j
		mov	cl, [ebp+var_10]
		call	ebx
		mov	ecx, esi
		call	CcDereferencePartition
		pop	esi
		pop	ebx

loc_5FCCC9:				; CODE XREF: CcDeferWrite(x,x,x,x,x,x)+3Bj
		pop	edi
		leave
		retn	18h
_CcDeferWrite@24 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 193. CcErrorCallbackRoutine

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcErrorCallbackRoutine(x)
		public _CcErrorCallbackRoutine@4
_CcErrorCallbackRoutine@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+4], 0C000A008h
		jnz	short loc_5FCCE9
		call	_CcCrossPartitionDrainSectionDeletion@0	; CcCrossPartitionDrainSectionDeletion()

loc_5FCCE9:				; CODE XREF: CcErrorCallbackRoutine(x)+Fj
		xor	eax, eax
		pop	ebp
		retn	4
_CcErrorCallbackRoutine@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 195. CcFastCopyWrite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcFastCopyWrite(x, x, x, x)
		public _CcFastCopyWrite@16
_CcFastCopyWrite@16 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_4]
		and	[ebp+var_4], 0
		push	0
		push	[ebp+arg_C]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	1
		push	[ebp+arg_8]
		push	eax
		push	[ebp+arg_0]
		call	CcCopyWriteEx
		leave
		retn	10h
_CcFastCopyWrite@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcHasTimeInMsElapsed(x, x)
_CcHasTimeInMsElapsed@8	proc near	; CODE XREF: CcPostDeferredWrites(x)+68p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ds:_CcSoftThrottleDelay
		lea	eax, [ebp+var_8]
		push	edi
		xor	ebx, ebx
		mov	edi, ecx
		push	eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	KeQueryTickCount
		push	ebx
		push	ds:_KeMaximumIncrement
		imul	eax, esi, 2710h
		push	ebx
		push	eax
		call	__aulldiv
		add	eax, [edi+30h]
		adc	edx, [edi+34h]
		pop	edi
		pop	esi
		pop	ebx
		cmp	[ebp+var_4], edx
		jl	short loc_5FCD6F
		jg	short loc_5FCD6B
		cmp	[ebp+var_8], eax
		jb	short loc_5FCD6F

loc_5FCD6B:				; CODE XREF: CcHasTimeInMsElapsed(x,x)+45j
		mov	al, 1
		leave
		retn
; 

loc_5FCD6F:				; CODE XREF: CcHasTimeInMsElapsed(x,x)+43j
					; CcHasTimeInMsElapsed(x,x)+4Aj
		xor	al, al
		leave
		retn
_CcHasTimeInMsElapsed@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcPostDeferredWrites(x)
_CcPostDeferredWrites@4	proc near	; CODE XREF: .text:004AD12Ep
					; .text:004AD230p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		push	edi
		mov	[ebp+var_8], esi
		lea	edi, [ebx+240h]

loc_5FCD8B:				; CODE XREF: CcPostDeferredWrites(x)+DBj
					; CcPostDeferredWrites(x)+FDj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	eax, [ebx+204h]
		mov	edi, [eax]
		jmp	short loc_5FCDEE
; 

loc_5FCDA5:				; CODE XREF: CcPostDeferredWrites(x)+7Dj
		cmp	byte ptr [ebx+28Ah], 1
		lea	esi, [edi-0Ch]
		ja	short loc_5FCDFA
		mov	eax, [esi+8]
		mov	ecx, [ebp+var_8]
		mov	edx, [esi+4]
		add	ecx, eax
		mov	[ebp+var_C], ecx
		xor	ecx, ecx
		push	ecx
		push	2
		push	[ebp+var_8]
		mov	ecx, ebx
		push	eax
		call	CcCanIWriteStreamEx
		test	al, al
		jz	short loc_5FCDE4
		cmp	byte ptr [esi+28h], 0
		jz	short loc_5FCDF4
		mov	ecx, esi
		call	_CcHasTimeInMsElapsed@8	; CcHasTimeInMsElapsed(x,x)
		test	al, al
		jnz	short loc_5FCDF4

loc_5FCDE4:				; CODE XREF: CcPostDeferredWrites(x)+5Ej
		mov	edi, [edi]
		lea	eax, [ebx+204h]
		xor	esi, esi

loc_5FCDEE:				; CODE XREF: CcPostDeferredWrites(x)+30j
		cmp	edi, eax
		jnz	short loc_5FCDA5
		jmp	short loc_5FCE10
; 

loc_5FCDF4:				; CODE XREF: CcPostDeferredWrites(x)+64j
					; CcPostDeferredWrites(x)+6Fj
		mov	eax, [ebp+var_C]
		mov	[ebp+var_8], eax

loc_5FCDFA:				; CODE XREF: CcPostDeferredWrites(x)+3Cj
		lea	eax, [esi+0Ch]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_5FCE75
		cmp	[ecx], eax
		jnz	short loc_5FCE75
		mov	[ecx], edx
		mov	[edx+4], ecx

loc_5FCE10:				; CODE XREF: CcPostDeferredWrites(x)+7Fj
		test	ds:byte_70EFC6,	1
		lea	edi, [ebx+240h]
		jz	short loc_5FCE2B
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5FCE30
; 

loc_5FCE2B:				; CODE XREF: CcPostDeferredWrites(x)+AAj
		xor	eax, eax
		lock and [edi],	eax

loc_5FCE30:				; CODE XREF: CcPostDeferredWrites(x)+B6j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_5FCE7A
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_5FCE53
		xor	esi, esi
		push	esi
		push	esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_5FCD8B
; 

loc_5FCE53:				; CODE XREF: CcPostDeferredWrites(x)+CFj
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		call	dword ptr [esi+18h]
		push	77446343h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, ebx
		call	CcDereferencePartition
		xor	esi, esi
		jmp	loc_5FCD8B
; 

loc_5FCE75:				; CODE XREF: CcPostDeferredWrites(x)+92j
					; CcPostDeferredWrites(x)+96j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5FCE7A:				; CODE XREF: CcPostDeferredWrites(x)+C8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CcPostDeferredWrites@4	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 198. CcFlushCacheToLsn

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcFlushCacheToLsn(x, x, x)
		public _CcFlushCacheToLsn@12
_CcFlushCacheToLsn@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	0
		push	[ebp+arg_4]
		push	0
		call	_CcFlushCachePriv@24 ; CcFlushCachePriv(x,x,x,x,x,x)
		pop	ebp
		retn	0Ch
_CcFlushCacheToLsn@12 endp ; sp	= -10h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcLockSystemCacheBuffer(x, x, x, x,	x)
_CcLockSystemCacheBuffer@20 proc near	; CODE XREF: CcGetVirtualAddress+153331p
					; CcMapAndCopyInToCache+1385C4p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	14h
		push	offset dword_6A77E0
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	ebx, [ebp+arg_8]
		mov	[ebx], edi
		push	edi
		push	edi
		push	edi
		push	[ebp+arg_0]
		push	ecx
		call	IoAllocateMdl
		mov	esi, eax
		mov	[ebp+arg_0], esi
		test	esi, esi
		jnz	short loc_5FCEDA
		mov	dword ptr [ebx], 0C000009Ah
		jmp	loc_5FCF5A
; 

loc_5FCEDA:				; CODE XREF: CcLockSystemCacheBuffer(x,x,x,x,x)+2Cj
		mov	[ebp+ms_exc.disabled], edi
		push	[ebp+arg_4]
		push	edi
		push	esi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		jmp	short loc_5FCF1E
; 

loc_5FCEE9:				; DATA XREF: .text:006A77F4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_5FCEF7:				; DATA XREF: .text:006A77F8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_20]
		mov	ebx, [ebp+arg_8]
		mov	[ebx], eax
		push	eax
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		test	al, al
		jnz	short loc_5FCF12
		mov	dword ptr [ebx], 0C00000E8h

loc_5FCF12:				; CODE XREF: CcLockSystemCacheBuffer(x,x,x,x,x)+69j
		push	[ebp+arg_0]
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		xor	edi, edi
		mov	esi, edi

loc_5FCF1E:				; CODE XREF: CcLockSystemCacheBuffer(x,x,x,x,x)+46j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebx]
		test	ecx, ecx
		js	short loc_5FCF5A
		test	byte ptr [esi+6], 5
		jz	short loc_5FCF36
		mov	eax, [esi+0Ch]
		jmp	short loc_5FCF48
; 

loc_5FCF36:				; CODE XREF: CcLockSystemCacheBuffer(x,x,x,x,x)+8Ej
		push	40000000h
		push	edi
		push	edi
		push	1
		push	edi
		push	esi
		call	MmMapLockedPagesSpecifyCache
		mov	ecx, [ebx]

loc_5FCF48:				; CODE XREF: CcLockSystemCacheBuffer(x,x,x,x,x)+93j
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_5FCF56
		mov	ecx, 0C000009Ah
		mov	[ebx], ecx

loc_5FCF56:				; CODE XREF: CcLockSystemCacheBuffer(x,x,x,x,x)+ACj
		test	ecx, ecx
		jns	short loc_5FCF6C

loc_5FCF5A:				; CODE XREF: CcLockSystemCacheBuffer(x,x,x,x,x)+34j
					; CcLockSystemCacheBuffer(x,x,x,x,x)+88j
		test	esi, esi
		jz	short loc_5FCF6C
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	esi
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	esi, edi

loc_5FCF6C:				; CODE XREF: CcLockSystemCacheBuffer(x,x,x,x,x)+B7j
					; CcLockSystemCacheBuffer(x,x,x,x,x)+BBj
		mov	eax, [ebp+var_24]
		mov	[eax], esi
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_CcLockSystemCacheBuffer@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcMmLogLostDelayedWriteError(x, x)
_CcMmLogLostDelayedWriteError@8	proc near ; CODE XREF: CcWriteBehindInternal+127BFAp
					; MiLdwPopupWorker(x)+2Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		push	ebx
		xor	eax, eax
		mov	[esp+0Ch+var_4], edx
		push	esi
		mov	[esp+10h+var_8], eax
		mov	esi, ecx
		lea	eax, [esp+10h+var_8]
		xor	ebx, ebx
		push	eax
		push	esi
		inc	ebx
		call	_IoQueryFileDosDeviceName@8 ; IoQueryFileDosDeviceName(x,x)
		mov	ecx, [esp+10h+var_8]
		test	eax, eax
		jz	short loc_5FCFB7
		lea	ecx, [esi+30h]

loc_5FCFB7:				; CODE XREF: CcMmLogLostDelayedWriteError(x,x)+2Cj
		xor	eax, eax
		cmp	[ecx], ax
		jz	short loc_5FCFCF
		cmp	[ecx+2], ax
		jz	short loc_5FCFCF
		mov	eax, [ecx+4]
		neg	eax
		sbb	eax, eax
		not	eax
		and	ebx, eax

loc_5FCFCF:				; CODE XREF: CcMmLogLostDelayedWriteError(x,x)+36j
					; CcMmLogLostDelayedWriteError(x,x)+3Cj
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_5FCFDB
		mov	eax, [eax+8]
		jmp	short loc_5FCFDE
; 

loc_5FCFDB:				; CODE XREF: CcMmLogLostDelayedWriteError(x,x)+4Ej
		mov	eax, [esi+4]

loc_5FCFDE:				; CODE XREF: CcMmLogLostDelayedWriteError(x,x)+53j
		push	ebx		; char
		push	[esp+14h+var_4]	; int
		push	dword ptr [esi+14h] ; int
		push	eax		; int
		push	ecx		; size_t
		call	_FsRtlLogCcFlushError@20 ; FsRtlLogCcFlushError(x,x,x,x,x)
		cmp	[esp+10h+var_8], 0
		mov	esi, eax
		jz	short loc_5FD001
		push	0
		push	[esp+14h+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_5FD001:				; CODE XREF: CcMmLogLostDelayedWriteError(x,x)+6Ej
		test	esi, esi
		pop	esi
		setz	al
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_CcMmLogLostDelayedWriteError@8	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; 
; Exported entry 225. CcRepinBcb

; __stdcall CcRepinBcb(x)
		public _CcRepinBcb@4
_CcRepinBcb@4:
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+8]
		mov	eax, 2FDh
		push	edi
		cmp	[esi], ax
		jnz	short loc_5FD047
		mov	ecx, [esi+70h]
		mov	edi, 0B4h
		add	ecx, edi
		call	ExAcquireFastMutex
		mov	ecx, [esi+70h]
		inc	dword ptr [esi+34h]
		add	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_5FD047:				; CODE XREF: .text:005FD023j
		push	0
		push	0
		push	0C0000420h
		push	2073h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 226. CcScheduleReadAhead

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcScheduleReadAhead(x, x, x)
		public _CcScheduleReadAhead@12
_CcScheduleReadAhead@12	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	CcScheduleReadAheadEx
		pop	ebp
		retn	0Ch
_CcScheduleReadAhead@12	endp

; 
		align 10h
; Exported entry 246. CcUnpinRepinnedBcb

; __stdcall CcUnpinRepinnedBcb(x, x, x)
		public _CcUnpinRepinnedBcb@12
_CcUnpinRepinnedBcb@12:
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+8]
		mov	eax, 2FDh
		push	edi
		cmp	[esi], ax
		jnz	loc_5FD1CE
		mov	ebx, [esi+70h]
		mov	ecx, ebx
		call	CcGetPartition
		mov	ecx, [ebp+10h]
		xor	edi, edi
		cmp	byte ptr [ebp+0Ch], 0
		mov	[ebp-8], eax
		mov	[ecx], edi
		jz	loc_5FD1BD
		test	dword ptr [ebx+60h], 200h
		jz	short loc_5FD0CD
		push	1
		lea	eax, [esi+38h]
		push	eax
		call	ExAcquireResourceExclusiveLite

loc_5FD0CD:				; CODE XREF: .text:005FD0C0j
		cmp	byte ptr [esi+2], 0
		jz	loc_5FD1B1
		mov	edx, [esi+4]
		push	ecx
		mov	ecx, [esi+74h]
		call	MmSetAddressRangeModifiedEx
		push	2
		mov	dl, 1
		mov	ecx, esi
		call	CcUnpinFileDataEx
		lea	eax, [ebx+44h]
		mov	ecx, eax
		mov	[ebp-4], eax
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	[ebp+0Ch], eax
		test	eax, eax
		jnz	short loc_5FD10C
		mov	ecx, ebx
		call	_CcSlowReferenceSharedCacheMapFileObject@4 ; CcSlowReferenceSharedCacheMapFileObject(x)
		mov	[ebp+0Ch], eax

loc_5FD10C:				; CODE XREF: .text:005FD100j
		test	ds:dword_70EFD0, 20000h
		jz	short loc_5FD12A
		push	1
		push	dword ptr [esi+4]
		lea	eax, [esi+8]
		mov	edx, ebx
		push	eax
		xor	ecx, ecx
		call	CcPerfLogFlushSection

loc_5FD12A:				; CODE XREF: .text:005FD116j
		mov	ebx, [ebp+10h]
		lea	edx, [esi+8]
		mov	eax, [ebp+0Ch]
		push	1
		push	ebx
		push	ecx
		push	dword ptr [esi+4]
		mov	ecx, [eax+14h]
		call	MmFlushSection
		mov	eax, [ebp-4]
		mov	ecx, [eax]
		mov	eax, ecx
		jmp	short loc_5FD160
; 

loc_5FD14B:				; CODE XREF: .text:005FD166j
		mov	esi, [ebp-4]
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	esi, [ebp+8]
		cmp	eax, ecx
		jz	short loc_5FD175
		mov	ecx, eax

loc_5FD160:				; CODE XREF: .text:005FD149j
		xor	eax, [ebp+0Ch]
		cmp	eax, 7
		jb	short loc_5FD14B
		push	746C6644h
		push	dword ptr [ebp+0Ch]
		call	ObDereferenceObjectDeferDeleteWithTag

loc_5FD175:				; CODE XREF: .text:005FD15Cj
		mov	edx, [ebx]
		test	edx, edx
		jns	short loc_5FD18E
		mov	ecx, [esi+70h]
		call	CcIsFatalWriteError
		test	al, al
		jnz	short loc_5FD18E
		push	edi
		push	esi
		call	CcSetDirtyPinnedData

loc_5FD18E:				; CODE XREF: .text:005FD179j
					; .text:005FD185j
		push	edi
		xor	dl, dl
		mov	ecx, esi
		call	CcUnpinFileDataEx
		mov	ecx, [ebp-8]
		lea	eax, [ecx+204h]
		cmp	[eax], eax
		jz	short loc_5FD1AA
		call	_CcPostDeferredWrites@4	; CcPostDeferredWrites(x)

loc_5FD1AA:				; CODE XREF: .text:005FD1A3j
					; .text:005FD1BBj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_5FD1B1:				; CODE XREF: .text:005FD0D1j
		push	edi
		xor	dl, dl
		mov	ecx, esi
		call	CcUnpinFileDataEx
		jmp	short loc_5FD1AA
; 

loc_5FD1BD:				; CODE XREF: .text:005FD0B3j
		push	edi
		mov	dl, 1
		mov	ecx, esi
		call	CcUnpinFileDataEx
		mov	eax, [ebp+10h]
		mov	[eax], edi
		jmp	short loc_5FD1AA
; 

loc_5FD1CE:				; CODE XREF: .text:005FD095j
		xor	edi, edi
		push	edi
		push	edi
		push	0C0000420h
		push	20B5h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 0CCh
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 199. CcGetCachedDirtyPageCountForFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcGetCachedDirtyPageCountForFile(x)
		public _CcGetCachedDirtyPageCountForFile@4
_CcGetCachedDirtyPageCountForFile@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		or	eax, 0FFFFFFFFh
		test	ecx, ecx
		jz	short loc_5FD202
		mov	ecx, [ecx+4]
		test	ecx, ecx
		jz	short loc_5FD202
		mov	eax, [ecx+4Ch]

loc_5FD202:				; CODE XREF: CcGetCachedDirtyPageCountForFile(x)+Dj
					; CcGetCachedDirtyPageCountForFile(x)+14j
		pop	ebp
		retn	4
_CcGetCachedDirtyPageCountForFile@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 205. CcGetLsnForFileObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcGetLsnForFileObject(x, x)
		public _CcGetLsnForFileObject@8
_CcGetLsnForFileObject@8 proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	esi, esi
		mov	eax, [eax+14h]
		push	edi
		mov	edi, esi
		mov	[ebp+arg_0], esi
		mov	[ebp+var_8], esi
		mov	ebx, [eax+4]
		test	ebx, ebx
		jnz	short loc_5FD236
		mov	eax, esi
		mov	edx, edi
		jmp	loc_5FD2E0
; 

loc_5FD236:				; CODE XREF: CcGetLsnForFileObject(x,x)+20j
		lea	eax, [ebx+0B4h]
		mov	ecx, eax
		mov	[ebp+var_18], eax
		call	ExAcquireFastMutex
		lea	ecx, [ebx+10h]
		mov	ebx, [ebp+arg_0]
		mov	eax, [ecx]

loc_5FD24E:				; CODE XREF: CcGetLsnForFileObject(x,x)+BAj
		lea	edx, [eax-10h]
		cmp	eax, ecx
		jz	short loc_5FD2C7
		mov	eax, 2FDh
		cmp	[edx], ax
		jnz	short loc_5FD2C2
		cmp	byte ptr [edx+2], 0
		jz	short loc_5FD2C2
		mov	eax, [edx+20h]
		mov	ebx, [edx+24h]
		mov	[ebp+var_4], eax
		mov	eax, [edx+28h]
		mov	[ebp+var_10], eax
		mov	eax, [edx+2Ch]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_4]
		mov	[ebp+var_C], ebx
		or	eax, ebx
		mov	ebx, [ebp+arg_0]
		jz	short loc_5FD2C2
		mov	eax, esi
		or	eax, edi
		jz	short loc_5FD29D
		cmp	[ebp+var_C], edi
		jg	short loc_5FD2A5
		mov	eax, [ebp+var_4]
		jl	short loc_5FD2A0
		cmp	eax, esi
		jnb	short loc_5FD2A5
		jmp	short loc_5FD2A0
; 

loc_5FD29D:				; CODE XREF: CcGetLsnForFileObject(x,x)+80j
		mov	eax, [ebp+var_4]

loc_5FD2A0:				; CODE XREF: CcGetLsnForFileObject(x,x)+8Aj
					; CcGetLsnForFileObject(x,x)+90j
		mov	edi, [ebp+var_C]
		mov	esi, eax

loc_5FD2A5:				; CODE XREF: CcGetLsnForFileObject(x,x)+85j
					; CcGetLsnForFileObject(x,x)+8Ej
		mov	eax, [ebp+var_14]
		cmp	eax, [ebp+var_8]
		jl	short loc_5FD2C2
		mov	eax, [ebp+var_10]
		jg	short loc_5FD2B6
		cmp	eax, ebx
		jbe	short loc_5FD2C2

loc_5FD2B6:				; CODE XREF: CcGetLsnForFileObject(x,x)+A5j
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_14]
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_8], eax

loc_5FD2C2:				; CODE XREF: CcGetLsnForFileObject(x,x)+52j
					; CcGetLsnForFileObject(x,x)+58j ...
		mov	eax, [edx+10h]
		jmp	short loc_5FD24E
; 

loc_5FD2C7:				; CODE XREF: CcGetLsnForFileObject(x,x)+48j
		mov	ecx, [ebp+var_18]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_5FD2DB
		mov	[ecx], esi
		mov	[ecx+4], edi

loc_5FD2DB:				; CODE XREF: CcGetLsnForFileObject(x,x)+C9j
		mov	edx, [ebp+var_8]
		mov	eax, ebx

loc_5FD2E0:				; CODE XREF: CcGetLsnForFileObject(x,x)+26j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_CcGetLsnForFileObject@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 210. CcIsThereDirtyData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcIsThereDirtyData(x)
		public _CcIsThereDirtyData@4
_CcIsThereDirtyData@4 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		lea	edx, [ebp+var_8]
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ecx
		mov	byte ptr [ebp+var_4], cl
		mov	ecx, offset _CcIsThereDirtyDataHelper@8	; CcIsThereDirtyDataHelper(x,x)
		push	1
		call	CcForEachPartition
		mov	al, byte ptr [ebp+var_4]
		leave
		retn	4
_CcIsThereDirtyData@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 211. CcIsThereDirtyDataEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcIsThereDirtyDataEx(x, x)
		public _CcIsThereDirtyDataEx@8
_CcIsThereDirtyDataEx@8	proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		lea	edx, [ebp+var_18]
		xor	eax, eax
		mov	ecx, offset _CcMasterLock
		push	ebx
		push	edi
		lea	edi, [ebp+var_18]
		xor	bl, bl
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, ds:_CcVolumeCacheMapList
		mov	edx, offset _CcVolumeCacheMapList
		cmp	ecx, edx
		jz	loc_5FD41A
		mov	eax, [ebp+arg_0]
		push	esi
		mov	eax, [eax+8]

loc_5FD35F:				; CODE XREF: CcIsThereDirtyDataEx(x,x)+51j
		lea	esi, [ecx-0Ch]
		cmp	[esi+8], eax
		jz	short loc_5FD36F
		mov	ecx, [ecx]
		xor	esi, esi
		cmp	ecx, edx
		jnz	short loc_5FD35F

loc_5FD36F:				; CODE XREF: CcIsThereDirtyDataEx(x,x)+49j
		test	esi, esi
		jz	loc_5FD419
		mov	eax, ds:_PspSystemPartition
		mov	eax, [eax+4]
		and	[ebp+var_C], 0
		add	eax, 40h
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_8], eax
		jz	short loc_5FD39E
		mov	edx, eax
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FD3AF
; 

loc_5FD39E:				; CODE XREF: CcIsThereDirtyDataEx(x,x)+74j
		lea	edx, [ebp+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_5FD3AF
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5FD3AF:				; CODE XREF: CcIsThereDirtyDataEx(x,x)+80j
					; CcIsThereDirtyDataEx(x,x)+89j
		mov	edx, [esi+14h]
		test	edx, edx
		jnz	short loc_5FD3BE
		cmp	[esi+84h], edx
		jz	short loc_5FD3D4

loc_5FD3BE:				; CODE XREF: CcIsThereDirtyDataEx(x,x)+98j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_5FD3CF
		mov	eax, [esi+84h]
		add	eax, edx
		mov	[ecx], eax

loc_5FD3CF:				; CODE XREF: CcIsThereDirtyDataEx(x,x)+A7j
		xor	eax, eax
		lea	ebx, [eax+1]

loc_5FD3D4:				; CODE XREF: CcIsThereDirtyDataEx(x,x)+A0j
		test	ds:byte_70EFC6,	1
		jz	short loc_5FD3EA
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FD419
; 

loc_5FD3EA:				; CODE XREF: CcIsThereDirtyDataEx(x,x)+BFj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5FD409
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5FD419
		call	KxWaitForLockChainValid

loc_5FD409:				; CODE XREF: CcIsThereDirtyDataEx(x,x)+D3j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5FD419:				; CODE XREF: CcIsThereDirtyDataEx(x,x)+55j
					; CcIsThereDirtyDataEx(x,x)+CCj ...
		pop	esi

loc_5FD41A:				; CODE XREF: CcIsThereDirtyDataEx(x,x)+36j
		test	ds:byte_70EFC6,	1
		jz	short loc_5FD430
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FD45F
; 

loc_5FD430:				; CODE XREF: CcIsThereDirtyDataEx(x,x)+105j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_5FD44F
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	short loc_5FD45F
		call	KxWaitForLockChainValid

loc_5FD44F:				; CODE XREF: CcIsThereDirtyDataEx(x,x)+119j
		lea	ecx, [eax+4]
		mov	[ebp+var_18], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax

loc_5FD45F:				; CODE XREF: CcIsThereDirtyDataEx(x,x)+112j
					; CcIsThereDirtyDataEx(x,x)+12Cj
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	al, bl
		pop	ebx
		leave
		retn	8
_CcIsThereDirtyDataEx@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcIsThereDirtyDataHelper(x,	x)
_CcIsThereDirtyDataHelper@8 proc near	; DATA XREF: CcIsThereDirtyData(x)+18o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	edx, [ebp+var_14]
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		xor	ebx, ebx
		stosd
		stosd
		lea	eax, [esi+40h]
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		lea	ecx, [esi+18h]
		mov	esi, [ecx]
		sub	esi, 58h
		mov	[ebp+var_8], ecx
		lea	eax, [esi+58h]
		cmp	eax, ecx
		jmp	loc_5FD56A
; 

loc_5FD4B3:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+FDj
		mov	ecx, [esi+44h]
		mov	edx, [esi+60h]
		and	ecx, 0FFFFFFF8h
		test	edx, 800h
		jnz	short loc_5FD4E7
		mov	edi, [ebp+arg_4]
		mov	eax, [ecx+8]
		cmp	eax, [edi]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		jnz	short loc_5FD4E7
		cmp	dword ptr [esi+4Ch], 0
		jz	short loc_5FD4E7
		test	dword ptr [ecx+2Ch], 8000h
		jz	loc_5FD58B

loc_5FD4E7:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+52j
					; CcIsThereDirtyDataHelper(x,x)+62j ...
		inc	ebx
		cmp	ebx, 14h
		jb	short loc_5FD55C
		test	edx, 820h
		jnz	short loc_5FD55C
		or	dword ptr [esi+60h], 20h
		xor	ebx, ebx
		inc	ebx
		add	[esi+4Ch], ebx
		test	ds:byte_70EFC6,	bl
		jz	short loc_5FD514
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FD540
; 

loc_5FD514:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+95j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5FD533
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5FD540
		call	KxWaitForLockChainValid

loc_5FD533:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+A9j
		mov	[ebp+var_14], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_5FD540:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+A2j
					; CcIsThereDirtyDataHelper(x,x)+BCj
		mov	cl, [ebp+var_C]
		call	edi
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_14]
		xor	ebx, ebx
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		and	dword ptr [esi+60h], 0FFFFFFDFh
		xor	edx, edx
		inc	edx
		sub	[esi+4Ch], edx

loc_5FD55C:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+7Bj
					; CcIsThereDirtyDataHelper(x,x)+83j
		mov	esi, [ebp+arg_0]
		mov	esi, [esi]
		sub	esi, 58h
		lea	eax, [esi+58h]
		cmp	eax, [ebp+var_8]

loc_5FD56A:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+3Ej
		mov	[ebp+arg_0], eax
		jnz	loc_5FD4B3
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jz	short loc_5FD5DE
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FD60A
; 

loc_5FD58B:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+71j
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jz	short loc_5FD5A3
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FD5CF
; 

loc_5FD5A3:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+124j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5FD5C2
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5FD5CF
		call	KxWaitForLockChainValid

loc_5FD5C2:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+138j
		mov	[ebp+var_14], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_5FD5CF:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+131j
					; CcIsThereDirtyDataHelper(x,x)+14Bj
		mov	cl, [ebp+var_C]
		call	edi
		mov	eax, [ebp+arg_4]
		mov	[eax+4], bl
		xor	al, al
		jmp	short loc_5FD611
; 

loc_5FD5DE:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+10Cj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5FD5FD
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5FD60A
		call	KxWaitForLockChainValid

loc_5FD5FD:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+173j
		mov	[ebp+var_14], 0
		lea	ecx, [eax+4]
		lock xor [ecx],	ebx

loc_5FD60A:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+119j
					; CcIsThereDirtyDataHelper(x,x)+186j
		mov	cl, [ebp+var_C]
		call	edi
		mov	al, bl

loc_5FD611:				; CODE XREF: CcIsThereDirtyDataHelper(x,x)+16Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_CcIsThereDirtyDataHelper@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 235. CcSetLogHandleForFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcSetLogHandleForFile(x, x,	x)
		public _CcSetLogHandleForFile@12
_CcSetLogHandleForFile@12 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		mov	eax, [eax+14h]
		mov	esi, [eax+4]
		cmp	[esi+4], edi
		jz	loc_5FD72F
		test	dword ptr [esi+60h], 1000000h
		jnz	loc_5FD71C
		mov	ecx, esi
		call	CcGetPartition
		mov	ebx, eax
		lea	edx, [ebp+var_C]
		lea	ecx, [ebx+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [ebp+arg_8]
		mov	[esi+9Ch], ecx
		cmp	[esi+98h], edi
		jz	short loc_5FD68C
		lea	eax, [esi+50h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_5FD6DB
		cmp	[ecx], eax
		jnz	short loc_5FD6DB
		mov	[ecx], edx
		mov	[edx+4], ecx

loc_5FD68C:				; CODE XREF: CcSetLogHandleForFile(x,x,x)+57j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_5FD6B7
		or	dword ptr [esi+60h], 2000000h
		lea	eax, [esi+50h]
		cmp	dword ptr [esi+4Ch], 0
		jz	short loc_5FD6D6
		lea	ecx, [ebx+30h]

loc_5FD6A6:				; CODE XREF: CcSetLogHandleForFile(x,x,x)+BCj
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_5FD6DB
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax

loc_5FD6B7:				; CODE XREF: CcSetLogHandleForFile(x,x,x)+74j
		mov	[esi+98h], edi
		test	ds:byte_70EFC6,	1
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_5FD6E0
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FD70F
; 

loc_5FD6D6:				; CODE XREF: CcSetLogHandleForFile(x,x,x)+84j
		lea	ecx, [ebx+10h]
		jmp	short loc_5FD6A6
; 

loc_5FD6DB:				; CODE XREF: CcSetLogHandleForFile(x,x,x)+64j
					; CcSetLogHandleForFile(x,x,x)+68j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5FD6E0:				; CODE XREF: CcSetLogHandleForFile(x,x,x)+AAj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5FD6FF
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5FD70F
		call	KxWaitForLockChainValid

loc_5FD6FF:				; CODE XREF: CcSetLogHandleForFile(x,x,x)+C8j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5FD70F:				; CODE XREF: CcSetLogHandleForFile(x,x,x)+B7j
					; CcSetLogHandleForFile(x,x,x)+DBj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn	0Ch
; 

loc_5FD71C:				; CODE XREF: CcSetLogHandleForFile(x,x,x)+2Ej
		push	edi
		push	edi
		push	0C0000420h
		push	281h

loc_5FD728:				; CODE XREF: CcSetLogHandleForFile(x,x,x)+11Ej
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5FD72F:				; CODE XREF: CcSetLogHandleForFile(x,x,x)+21j
		push	edi
		push	edi
		push	0C0000420h
		push	27Bh
		jmp	short loc_5FD728
_CcSetLogHandleForFile@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcBuildUpHighPriorityMappings(x, x)
_CcBuildUpHighPriorityMappings@8 proc near ; CODE XREF:	CcGetVirtualAddress+153267p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ds:_CcMinimumFreeHighPriorityVacbs
		push	ebx
		push	esi
		mov	esi, [ecx+26Ch]
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		push	edi
		cmp	esi, eax
		jnb	short loc_5FD79A
		mov	edi, eax
		lea	edx, [ebx+10h]
		sub	edi, esi
		mov	[ebp+var_4], edx
		cmp	edi, eax
		ja	short loc_5FD79A
		xor	esi, esi
		test	edi, edi
		jz	short loc_5FD79A

loc_5FD770:				; CODE XREF: CcBuildUpHighPriorityMappings(x,x)+5Bj
		cmp	esi, 1554h
		jnb	short loc_5FD79A
		mov	ecx, [ecx+4]
		call	MmReserveViewInSystemCache
		mov	ecx, [ebp+var_4]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_5FD79A
		inc	dword ptr [ebx+4]
		add	ecx, 18h
		inc	esi
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+var_8]
		cmp	esi, edi
		jb	short loc_5FD770

loc_5FD79A:				; CODE XREF: CcBuildUpHighPriorityMappings(x,x)+1Dj
					; CcBuildUpHighPriorityMappings(x,x)+2Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CcBuildUpHighPriorityMappings@8 endp


;  S U B	R O U T	I N E 


; __stdcall CcCanReuseVacb(x, x)
_CcCanReuseVacb@8 proc near		; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+F7p
					; CcUnmapInactiveViewsInternal(x,x,x,x)+176p ...
		mov	eax, ecx
		xor	ecx, ecx
		push	esi
		mov	esi, [eax+4]
		test	esi, esi
		jz	short loc_5FD7D2
		cmp	esi, 0FFFFFFFFh
		jz	short loc_5FD7D2
		cmp	[eax+8], cx
		jnz	short loc_5FD7D2
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_5FD7D2
		test	edx, edx
		jz	short loc_5FD7D0
		xor	eax, edx
		and	eax, 0FFE00000h
		neg	eax
		sbb	al, al
		lea	ecx, [eax+1]
		jmp	short loc_5FD7D2
; 

loc_5FD7D0:				; CODE XREF: CcCanReuseVacb(x,x)+1Fj
		mov	cl, 1

loc_5FD7D2:				; CODE XREF: CcCanReuseVacb(x,x)+Aj
					; CcCanReuseVacb(x,x)+Fj ...
		mov	al, cl
		pop	esi
		retn
_CcCanReuseVacb@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcDereferenceFileOffset(x, x, x)
_CcDereferenceFileOffset@12 proc near	; CODE XREF: sub_4952C0+125FE6p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+1Ch], 0
		jl	short loc_5FD824
		jg	short loc_5FD7F3
		cmp	dword ptr [esi+18h], 2000000h
		jbe	short loc_5FD824

loc_5FD7F3:				; CODE XREF: CcDereferenceFileOffset(x,x,x)+12j
		lea	ecx, [esi+0B4h]
		call	ExAcquireFastMutex
		lea	ecx, [esi+48h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		push	[ebp+arg_4]
		mov	ecx, esi
		push	[ebp+arg_0]
		push	0
		push	0FFFFFFFEh
		pop	edx
		call	_SetVacb@20	; SetVacb(x,x,x,x,x)
		xor	ecx, ecx
		mov	edx, esi
		inc	ecx
		call	_CcReleaseBcbLockAndVacbLock@8 ; CcReleaseBcbLockAndVacbLock(x,x)

loc_5FD824:				; CODE XREF: CcDereferenceFileOffset(x,x,x)+10j
					; CcDereferenceFileOffset(x,x,x)+1Bj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
_CcDereferenceFileOffset@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcGetFirstVacbArrayWithReference(x)
_CcGetFirstVacbArrayWithReference@4 proc near
					; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+9Dp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	4
		mov	esi, ecx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al

loc_5FD840:				; CODE XREF: CcGetFirstVacbArrayWithReference(x)+26j
		mov	ecx, esi
		call	CcReferenceVacbArray
		mov	edi, eax
		test	edi, edi
		jnz	short loc_5FD894
		inc	esi
		inc	eax
		cmp	esi, eax
		jb	short loc_5FD840
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+438h]
		jz	short loc_5FD874

loc_5FD868:				; CODE XREF: CcGetFirstVacbArrayWithReference(x)+83j
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FD8DB
; 

loc_5FD874:				; CODE XREF: CcGetFirstVacbArrayWithReference(x)+3Bj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5FD890
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5FD8DB
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5FD890:				; CODE XREF: CcGetFirstVacbArrayWithReference(x)+4Dj
		mov	[esi], edi
		jmp	short loc_5FD8D2
; 

loc_5FD894:				; CODE XREF: CcGetFirstVacbArrayWithReference(x)+20j
		mov	ecx, edi
		call	_CcRecalculateVacbArrayHighwaterMark@4 ; CcRecalculateVacbArrayHighwaterMark(x)
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+438h]
		jnz	short loc_5FD868
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5FD8CC
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5FD8DB
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5FD8CC:				; CODE XREF: CcGetFirstVacbArrayWithReference(x)+89j
		mov	dword ptr [esi], 0

loc_5FD8D2:				; CODE XREF: CcGetFirstVacbArrayWithReference(x)+67j
		xor	ecx, ecx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5FD8DB:				; CODE XREF: CcGetFirstVacbArrayWithReference(x)+47j
					; CcGetFirstVacbArrayWithReference(x)+5Cj ...
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
_CcGetFirstVacbArrayWithReference@4 endp

; 
		align 10h
; Exported entry 206. CcGetNumberOfMappedPages

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcGetNumberOfMappedPages(x,	x, x)
		public _CcGetNumberOfMappedPages@12
_CcGetNumberOfMappedPages@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	edi
		mov	eax, [eax+4]
		mov	edi, [ebp+arg_4]
		mov	[ebp+arg_0], eax
		mov	[edi], ecx
		mov	[edi+4], ecx
		mov	[ebx], ecx
		mov	[ebx+4], ecx
		test	eax, eax
		jz	short loc_5FD958
		push	esi
		lea	esi, [eax+48h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	eax, [ecx+17Ch]
		shld	edx, eax, 6
		shl	eax, 6
		mov	[edi+4], edx
		xor	edx, edx
		mov	[edi], eax
		mov	eax, [ecx+180h]
		mov	ecx, esi
		shld	edx, eax, 6
		shl	eax, 6
		mov	[ebx+4], edx
		xor	edx, edx
		mov	[ebx], eax
		call	ExReleasePushLockEx
		pop	esi

loc_5FD958:				; CODE XREF: CcGetNumberOfMappedPages(x,x,x)+24j
		pop	edi
		pop	ebx
		pop	ebp
		retn	0Ch
_CcGetNumberOfMappedPages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcGetRandomVacbArrayWithReference()
_CcGetRandomVacbArrayWithReference@0 proc near
					; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x):loc_5FDE6Fp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi

loc_5FD967:				; CODE XREF: CcGetRandomVacbArrayWithReference()+29j
					; CcGetRandomVacbArrayWithReference()+97j
		push	offset _CcRandomSeed
		call	_RtlRandom@4	; RtlRandom(x)
		mov	ecx, ds:_CcVacbArraysHighestUsedIndex
		xor	edx, edx
		inc	ecx
		div	ecx
		mov	eax, ds:_CcVacbArrays
		mov	esi, edx
		cmp	dword ptr [eax+esi*4], 0
		jz	short loc_5FD967
		push	4
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, esi
		mov	bl, al
		call	CcReferenceVacbArray
		mov	edi, eax
		test	edi, edi
		jnz	short loc_5FD9FA
		mov	ecx, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [ecx+438h]
		jz	short loc_5FD9C2
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FD9ED
; 

loc_5FD9C2:				; CODE XREF: CcGetRandomVacbArrayWithReference()+56j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5FD9DE
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5FD9ED
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5FD9DE:				; CODE XREF: CcGetRandomVacbArrayWithReference()+68j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5FD9ED:				; CODE XREF: CcGetRandomVacbArrayWithReference()+62j
					; CcGetRandomVacbArrayWithReference()+77j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_5FD967
; 

loc_5FD9FA:				; CODE XREF: CcGetRandomVacbArrayWithReference()+40j
		mov	ecx, edi
		call	_CcRecalculateVacbArrayHighwaterMark@4 ; CcRecalculateVacbArrayHighwaterMark(x)
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+438h]
		jz	short loc_5FDA22
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FDA4D
; 

loc_5FDA22:				; CODE XREF: CcGetRandomVacbArrayWithReference()+B6j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5FDA3E
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5FDA4D
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5FDA3E:				; CODE XREF: CcGetRandomVacbArrayWithReference()+C8j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5FDA4D:				; CODE XREF: CcGetRandomVacbArrayWithReference()+C2j
					; CcGetRandomVacbArrayWithReference()+D7j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
_CcGetRandomVacbArrayWithReference@0 endp


;  S U B	R O U T	I N E 


; __stdcall CcRecalculateVacbArrayHighwaterMark(x)
_CcRecalculateVacbArrayHighwaterMark@4 proc near
					; CODE XREF: CcGetFirstVacbArrayWithReference(x)+6Bp
					; CcGetRandomVacbArrayWithReference()+9Ep
		mov	edx, [ecx+8]
		add	edx, 1
		jz	short locret_5FDA7D
		imul	eax, edx, 18h
		add	eax, 0FFFFFFFCh
		add	eax, ecx

loc_5FDA6D:				; CODE XREF: CcRecalculateVacbArrayHighwaterMark(x)+1Ej
		cmp	dword ptr [eax], 0
		jnz	short locret_5FDA7D
		dec	edx
		sub	eax, 18h
		mov	[ecx+8], edx
		test	edx, edx
		jnz	short loc_5FDA6D

locret_5FDA7D:				; CODE XREF: CcRecalculateVacbArrayHighwaterMark(x)+6j
					; CcRecalculateVacbArrayHighwaterMark(x)+13j
		retn
_CcRecalculateVacbArrayHighwaterMark@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcReferenceFileOffset(x, x,	x)
_CcReferenceFileOffset@12 proc near	; CODE XREF: CcPinFileData+1265B8p

var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		cmp	[esi+1Ch], ecx
		jl	loc_5FDB19
		jg	short loc_5FDAA2
		cmp	dword ptr [esi+18h], 2000000h
		jbe	short loc_5FDB19

loc_5FDAA2:				; CODE XREF: CcReferenceFileOffset(x,x,x)+19j
		mov	edx, [esi+60h]
		lea	eax, [esp+18h+var_10]
		mov	[esp+18h+var_8], ecx
		mov	[esp+18h+var_4], ecx
		mov	ecx, ds:_CcMaxVacbLevelsSeen
		shr	edx, 9
		push	eax
		and	dl, 1
		mov	[esp+1Ch+var_C], eax
		lea	ecx, [ecx-1]
		mov	[esp+1Ch+var_10], eax
		call	_CcAllocateVacbLevels@12 ; CcAllocateVacbLevels(x,x,x)
		test	al, al
		jnz	short loc_5FDADC
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_5FDADC:				; CODE XREF: CcReferenceFileOffset(x,x,x)+52j
		lea	ecx, [esi+0B4h]
		call	ExAcquireFastMutex
		lea	ecx, [esi+48h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		push	[ebp+arg_4]
		lea	eax, [esp+24h+var_18]
		or	edx, 0FFFFFFFFh
		push	[ebp+arg_0]
		mov	ecx, esi
		push	eax
		call	_SetVacb@20	; SetVacb(x,x,x,x,x)
		xor	ecx, ecx
		mov	edx, esi
		inc	ecx
		call	_CcReleaseBcbLockAndVacbLock@8 ; CcReleaseBcbLockAndVacbLock(x,x)
		lea	ecx, [esp+20h+var_18]
		call	CcFreeUnusedVacbLevels

loc_5FDB19:				; CODE XREF: CcReferenceFileOffset(x,x,x)+13j
					; CcReferenceFileOffset(x,x,x)+22j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
_CcReferenceFileOffset@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcReferenceSharedCacheMapByVacb(x)
_CcReferenceSharedCacheMapByVacb@4 proc	near
					; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+1B5p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		mov	ecx, [esi+4]
		call	CcGetPartition
		add	eax, 40h
		mov	[ebp+var_C], ebx
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_8], eax
		jz	short loc_5FDB57
		mov	edx, eax
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FDB68
; 

loc_5FDB57:				; CODE XREF: CcReferenceSharedCacheMapByVacb(x)+29j
		lea	edx, [ebp+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_5FDB68
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_5FDB68:				; CODE XREF: CcReferenceSharedCacheMapByVacb(x)+35j
					; CcReferenceSharedCacheMapByVacb(x)+3Ej
		mov	ecx, [esi+4]
		mov	eax, [ecx+44h]
		and	eax, 0FFFFFFF8h
		mov	eax, [eax+14h]
		cmp	[eax+4], ecx
		jnz	short loc_5FDBC8
		inc	dword ptr [ecx+4]
		inc	dword ptr [ecx+178h]
		test	ds:byte_70EFC6,	1
		jz	short loc_5FDB9B
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_5FDB96:				; CODE XREF: CcReferenceSharedCacheMapByVacb(x)+93j
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_5FDC09
; 

loc_5FDB9B:				; CODE XREF: CcReferenceSharedCacheMapByVacb(x)+69j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5FDBBA
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5FDB96
		call	KxWaitForLockChainValid

loc_5FDBBA:				; CODE XREF: CcReferenceSharedCacheMapByVacb(x)+80j
		mov	[ebp+var_C], ebx
		add	eax, 4
		xor	ebx, ebx
		inc	ebx
		lock xor [eax],	ebx
		jmp	short loc_5FDC09
; 

loc_5FDBC8:				; CODE XREF: CcReferenceSharedCacheMapByVacb(x)+57j
		test	ds:byte_70EFC6,	1
		jz	short loc_5FDBDE
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FDC09
; 

loc_5FDBDE:				; CODE XREF: CcReferenceSharedCacheMapByVacb(x)+AFj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_5FDBFD
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_5FDC09
		call	KxWaitForLockChainValid

loc_5FDBFD:				; CODE XREF: CcReferenceSharedCacheMapByVacb(x)+C3j
		xor	edx, edx
		mov	[ebp+var_C], ebx
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx

loc_5FDC09:				; CODE XREF: CcReferenceSharedCacheMapByVacb(x)+79j
					; CcReferenceSharedCacheMapByVacb(x)+A6j ...
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_CcReferenceSharedCacheMapByVacb@4 endp


;  S U B	R O U T	I N E 


; __stdcall CcRemoveVacbArray(x)
_CcRemoveVacbArray@4 proc near		; CODE XREF: CcDereferenceVacbArray+126927p
		mov	edx, ecx
		xor	eax, eax
		cmp	[edx+4], eax
		jnz	loc_5FDCB2
		push	esi
		mov	esi, ds:_CcVacbArrays
		push	edi
		mov	edi, [edx]
		cmp	[esi+edi*4], edx
		jnz	short loc_5FDCA4
		mov	ecx, ds:_CcVacbArraysHighestUsedIndex
		cmp	edi, ecx
		jnz	short loc_5FDC4B
		test	ecx, ecx
		jz	short loc_5FDC4B

loc_5FDC39:				; CODE XREF: CcRemoveVacbArray(x)+32j
		cmp	[esi+ecx*4], eax
		jnz	short loc_5FDC45
		sub	ecx, 1
		jnz	short loc_5FDC39
		jmp	short loc_5FDC4B
; 

loc_5FDC45:				; CODE XREF: CcRemoveVacbArray(x)+2Dj
		mov	ds:_CcVacbArraysHighestUsedIndex, ecx

loc_5FDC4B:				; CODE XREF: CcRemoveVacbArray(x)+24j
					; CcRemoveVacbArray(x)+28j ...
		mov	ecx, ds:_CcVacbArraysAllocated
		mov	[esi+edi*4], eax
		cmp	ecx, 1
		jb	short loc_5FDC91
		dec	ecx
		mov	edi, 1554h
		mov	ds:_CcVacbArraysAllocated, ecx
		lea	ecx, [edx+18h]

loc_5FDC68:				; CODE XREF: CcRemoveVacbArray(x)+72j
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_5FDC8C
		mov	esi, [ecx+4]
		cmp	[esi], ecx
		jnz	short loc_5FDC8C
		inc	eax
		mov	[esi], edx
		add	ecx, 18h
		mov	[edx+4], esi
		cmp	eax, edi
		jb	short loc_5FDC68
		sub	ds:_CcNumberOfFreeVacbs, edi
		pop	edi
		pop	esi
		retn
; 

loc_5FDC8C:				; CODE XREF: CcRemoveVacbArray(x)+5Ej
					; CcRemoveVacbArray(x)+65j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5FDC91:				; CODE XREF: CcRemoveVacbArray(x)+48j
		push	eax
		push	eax
		push	0C0000420h
		push	22Fh

loc_5FDC9D:				; CODE XREF: CcRemoveVacbArray(x)+A1j
					; CcRemoveVacbArray(x)+AFj
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5FDCA4:				; CODE XREF: CcRemoveVacbArray(x)+1Aj
		push	eax
		push	eax
		push	0C0000420h
		push	213h
		jmp	short loc_5FDC9D
; 

loc_5FDCB2:				; CODE XREF: CcRemoveVacbArray(x)+7j
		push	eax
		push	eax
		push	0C0000420h
		push	20Dh
		jmp	short loc_5FDC9D
_CcRemoveVacbArray@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcUnmapInactiveViews(x, x, x, x)
_CcUnmapInactiveViews@16 proc near	; CODE XREF: CcGetVacbMiss+117CE4p
					; MiObtainSystemCacheView+117CFEp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		xor	bl, bl
		cmp	ds:_CcInitializationComplete, 0
		push	edi
		mov	[ebp+var_4], eax
		jz	loc_5FDDB0
		cmp	ds:_CcNumberOfMappedVacbs, 0
		jz	loc_5FDDB0
		test	ecx, ecx
		jnz	loc_5FDD9C
		call	_PsGetNextPartitionUnsafe@4 ; PsGetNextPartitionUnsafe(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_5FDD97
		mov	esi, offset _CcGlobalPartitionLock

loc_5FDD06:				; CODE XREF: CcUnmapInactiveViews(x,x,x,x)+D1j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, [edi+4]
		test	esi, esi
		jz	short loc_5FDD3D
		cmp	byte ptr [esi+28Ah], 2
		jnb	short loc_5FDD3D
		xor	eax, eax
		inc	eax
		lock xadd [esi+28Ch], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_5FDD3F
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_5FDD3F
; 

loc_5FDD3D:				; CODE XREF: CcUnmapInactiveViews(x,x,x,x)+5Aj
					; CcUnmapInactiveViews(x,x,x,x)+63j
		xor	esi, esi

loc_5FDD3F:				; CODE XREF: CcUnmapInactiveViews(x,x,x,x)+74j
					; CcUnmapInactiveViews(x,x,x,x)+7Bj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _CcGlobalPartitionLock
		jz	short loc_5FDD57
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5FDD5C
; 

loc_5FDD57:				; CODE XREF: CcUnmapInactiveViews(x,x,x,x)+8Bj
		xor	eax, eax
		lock and [ecx],	eax

loc_5FDD5C:				; CODE XREF: CcUnmapInactiveViews(x,x,x,x)+95j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_5FDD81
		push	[ebp+arg_4]
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	[ebp+arg_0]
		call	_CcUnmapInactiveViewsInternal@16 ; CcUnmapInactiveViewsInternal(x,x,x,x)
		mov	ecx, esi
		or	bl, al
		call	CcDereferencePartition

loc_5FDD81:				; CODE XREF: CcUnmapInactiveViews(x,x,x,x)+A6j
		mov	ecx, edi
		call	_PsGetNextPartitionUnsafe@4 ; PsGetNextPartitionUnsafe(x)
		mov	edi, eax
		mov	esi, offset _CcGlobalPartitionLock
		test	edi, edi
		jnz	loc_5FDD06

loc_5FDD97:				; CODE XREF: CcUnmapInactiveViews(x,x,x,x)+3Bj
		movzx	eax, bl
		jmp	short loc_5FDDB2
; 

loc_5FDD9C:				; CODE XREF: CcUnmapInactiveViews(x,x,x,x)+2Cj
		mov	ecx, [ecx+4]
		test	ecx, ecx
		jz	short loc_5FDDB0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_CcUnmapInactiveViewsInternal@16 ; CcUnmapInactiveViewsInternal(x,x,x,x)
		jmp	short loc_5FDDB2
; 

loc_5FDDB0:				; CODE XREF: CcUnmapInactiveViews(x,x,x,x)+17j
					; CcUnmapInactiveViews(x,x,x,x)+24j ...
		xor	eax, eax

loc_5FDDB2:				; CODE XREF: CcUnmapInactiveViews(x,x,x,x)+DAj
					; CcUnmapInactiveViews(x,x,x,x)+EEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_CcUnmapInactiveViews@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcUnmapInactiveViewsInternal(x, x, x, x)
_CcUnmapInactiveViewsInternal@16 proc near ; CODE XREF:	CcUnmapInactiveViews(x,x,x,x)+B3p
					; CcUnmapInactiveViews(x,x,x,x)+E9p

var_4E		= byte ptr -4Eh
var_4C		= dword	ptr -4Ch
var_46		= byte ptr -46h
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		or	eax, 0FFFFFFFFh
		mov	[esp+4Ch+var_10], ecx
		push	ebx
		push	esi
		push	edi
		mov	[esp+58h+var_34], eax
		lea	edi, [esp+58h+var_C]
		xor	eax, eax
		mov	[esp+58h+var_1C], edx
		stosd
		xor	ecx, ecx
		mov	edx, ecx
		mov	[esp+58h+var_14], ecx
		mov	ebx, ecx
		mov	[esp+58h+var_40], edx
		mov	esi, ecx
		mov	[esp+58h+var_44], ebx
		stosd
		mov	[esp+58h+var_18], ecx
		mov	[esp+58h+var_2C], ecx
		mov	[esp+58h+var_30], ecx
		stosd
		mov	eax, [ebp+arg_4]
		mov	[esp+58h+var_38], ecx
		mov	[esp+58h+var_3C], esi
		test	eax, eax
		jz	short loc_5FDE17
		mov	[eax], ecx
		xor	eax, eax
		inc	eax
		mov	[esp+58h+var_2C], eax

loc_5FDE17:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+53j
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		inc	ecx
		and	eax, ecx
		mov	cl, al
		mov	[ebp+arg_0], eax
		xor	eax, eax
		inc	eax
		xor	cl, al
		mov	[esp+58h+var_46], cl

loc_5FDE2D:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+144j
					; CcUnmapInactiveViewsInternal(x,x,x,x)+4E3j ...
		mov	eax, [esp+58h+var_1C]
		cmp	edx, eax
		jnb	loc_5FE2A1
		cmp	esi, ds:_CcVacbArraysHighestUsedIndex
		ja	loc_5FE2A1
		test	ebx, ebx
		jnz	short loc_5FDE8A
		or	eax, 0FFFFFFFFh
		mov	[esp+58h+var_34], eax
		test	cl, cl
		jnz	short loc_5FDE6F
		mov	ecx, esi
		call	_CcGetFirstVacbArrayWithReference@4 ; CcGetFirstVacbArrayWithReference(x)
		mov	ebx, eax
		inc	esi
		mov	[esp+58h+var_44], ebx
		mov	[esp+58h+var_3C], esi
		test	ebx, ebx
		jnz	short loc_5FDE7A
		jmp	loc_5FDEF5
; 

loc_5FDE6F:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+99j
		call	_CcGetRandomVacbArrayWithReference@0 ; CcGetRandomVacbArrayWithReference()
		mov	ebx, eax
		mov	[esp+58h+var_44], eax

loc_5FDE7A:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+AFj
		xor	eax, eax
		inc	eax
		cmp	[ebx+4], eax
		jnz	short loc_5FDE86
		mov	ecx, ebx
		jmp	short loc_5FDEE6
; 

loc_5FDE86:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+C7j
		mov	cl, [esp+58h+var_46]

loc_5FDE8A:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+8Ej
		test	cl, cl
		jz	short loc_5FDF02
		xor	eax, eax
		mov	edi, eax

loc_5FDE92:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+117j
		push	offset _CcRandomSeed
		call	_RtlRandom@4	; RtlRandom(x)
		mov	ecx, [ebx+8]
		xor	edx, edx
		inc	ecx
		add	ebx, 10h
		div	ecx
		imul	eax, edx, 18h
		xor	edx, edx
		add	ebx, eax
		mov	ecx, ebx
		call	_CcCanReuseVacb@8 ; CcCanReuseVacb(x,x)
		test	al, al
		jnz	short loc_5FDEBA
		inc	edi

loc_5FDEBA:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+FEj
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, ebx
		jnz	loc_5FDF4B
		mov	ebx, [esp+58h+var_44]
		cmp	edi, 10h
		jbe	short loc_5FDE92
		xor	eax, eax
		inc	ds:_CcDbgRandomFailed
		mov	[esp+58h+var_46], al

loc_5FDEDE:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+190j
		mov	esi, [esp+58h+var_3C]

loc_5FDEE2:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+15Cj
		mov	ecx, [esp+58h+var_44]

loc_5FDEE6:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+CBj
		xor	dl, dl
		call	CcDereferenceVacbArray
		xor	eax, eax
		mov	ebx, eax
		mov	[esp+58h+var_44], ebx

loc_5FDEF5:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+B1j
		mov	cl, [esp+58h+var_46]
		mov	edx, [esp+58h+var_40]
		jmp	loc_5FDE2D
; 

loc_5FDF02:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+D3j
		mov	edx, [esp+58h+var_34]
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_5FDF13
		mov	edx, [ebx+8]
		inc	edx
		mov	[esp+58h+var_34], edx

loc_5FDF13:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+150j
		test	edx, edx
		jz	short loc_5FDEE2
		imul	eax, edx, 18h
		lea	esi, [ebx-8]
		add	esi, eax

loc_5FDF1F:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+185j
		dec	edx
		mov	ecx, esi
		mov	edi, esi
		mov	[esp+58h+var_34], edx
		mov	edx, [esp+58h+var_38]
		sub	esi, 18h
		call	_CcCanReuseVacb@8 ; CcCanReuseVacb(x,x)
		test	al, al
		jnz	short loc_5FDF40
		mov	edx, [esp+58h+var_34]
		test	edx, edx
		jnz	short loc_5FDF1F

loc_5FDF40:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+17Dj
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, edi
		jz	short loc_5FDEDE

loc_5FDF4B:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+10Aj
		push	4
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	edx, [esp+58h+var_38]
		mov	bl, al
		mov	ecx, esi
		mov	[esp+58h+var_45], bl
		call	_CcCanReuseVacb@8 ; CcCanReuseVacb(x,x)
		test	al, al
		jz	loc_5FE234
		mov	ecx, esi
		call	_CcReferenceSharedCacheMapByVacb@4 ; CcReferenceSharedCacheMapByVacb(x)
		test	al, al
		jz	loc_5FE234
		mov	edi, [esi+4]
		mov	eax, [esi+0Ch]
		mov	ebx, [esi+8]
		mov	[esp+58h+var_20], eax
		mov	eax, [edi+60h]
		and	eax, 200h
		mov	[esp+58h+var_28], eax
		mov	eax, large fs:20h
		lea	esi, [eax+438h]
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5FDFB7
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FDFDE
; 

loc_5FDFB7:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+1F0j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5FDFD3
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5FDFDE
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5FDFD3:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+202j
		xor	ecx, ecx
		add	eax, 4
		mov	[esi], ecx
		inc	ecx
		lock xor [eax],	ecx

loc_5FDFDE:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+1FCj
					; CcUnmapInactiveViewsInternal(x,x,x,x)+211j
		mov	cl, [esp+58h+var_45]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[esp+58h+var_28], 0
		jz	short loc_5FDFFA
		lea	ecx, [edi+0B4h]
		call	ExAcquireFastMutex

loc_5FDFFA:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+234j
		lea	ecx, [edi+48h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, edi
		call	CcGetPartition
		mov	esi, eax
		mov	[esp+58h+var_24], esi
		cmp	[esp+58h+var_10], esi
		jnz	loc_5FE21F
		mov	edx, [esp+58h+var_20]
		xor	eax, eax
		cmp	edx, eax
		jl	loc_5FE21F
		jg	short loc_5FE033
		cmp	ebx, eax
		jb	loc_5FE21F

loc_5FE033:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+270j
		mov	eax, [edi+1Ch]
		mov	ecx, [edi+18h]
		cmp	edx, eax
		jg	loc_5FE21F
		jl	short loc_5FE04B
		cmp	ebx, ecx
		jnb	loc_5FE21F

loc_5FE04B:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+288j
		test	eax, eax
		jl	short loc_5FE06A
		jg	short loc_5FE059
		cmp	ecx, 2000000h
		jbe	short loc_5FE06A

loc_5FE059:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+296j
		push	edx
		push	ebx
		mov	ecx, edi
		call	_CcGetVacbLargeOffset@12 ; CcGetVacbLargeOffset(x,x,x)
		mov	edx, [esp+58h+var_20]
		mov	esi, eax
		jmp	short loc_5FE075
; 

loc_5FE06A:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+294j
					; CcUnmapInactiveViewsInternal(x,x,x,x)+29Ej
		mov	eax, [edi+40h]
		mov	ecx, ebx
		shr	ecx, 12h
		mov	esi, [eax+ecx*4]

loc_5FE075:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+2AFj
		test	esi, esi
		jz	loc_5FE1A9
		xor	eax, eax
		cmp	[esi+8], ax
		jnz	loc_5FE1A9
		push	edx
		push	ebx
		push	eax
		xor	edx, edx
		mov	ecx, edi
		call	_SetVacb@20	; SetVacb(x,x,x,x,x)
		mov	edx, [esp+58h+var_24]
		mov	eax, [edx+26Ch]
		cmp	eax, ds:_CcMinimumFreeHighPriorityVacbs
		jnb	loc_5FE140
		xor	eax, eax
		lea	ebx, [eax+1]

loc_5FE0B0:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+38Fj
		mov	ecx, [esp+58h+var_30]
		or	ecx, 2
		mov	[esp+58h+var_30], ecx

loc_5FE0BB:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+3B5j
		mov	[esp+58h+var_38], eax

loc_5FE0BF:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+3A4j
					; CcUnmapInactiveViewsInternal(x,x,x,x)+3ADj
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	CcUnmapVacb
		xor	ecx, ecx
		mov	edx, edi
		cmp	[esp+58h+var_28], ecx
		setnz	cl
		call	_CcReleaseBcbLockAndVacbLock@8 ; CcReleaseBcbLockAndVacbLock(x,x)
		test	ebx, ebx
		jnz	short loc_5FE0FD
		xor	eax, eax
		inc	eax
		inc	[esp+58h+var_40]
		mov	[esp+58h+var_14], eax
		cmp	[esp+58h+var_2C], ebx
		jz	short loc_5FE0FD
		mov	ecx, [ebp+arg_4]
		mov	eax, [esi]
		mov	[ecx], eax
		xor	eax, eax
		mov	[esi], eax
		mov	[esp+58h+var_2C], eax

loc_5FE0FD:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+322j
					; CcUnmapInactiveViewsInternal(x,x,x,x)+333j
		push	4
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[esp+58h+var_45], al
		mov	edx, esi
		push	ebx
		mov	ebx, [esp+5Ch+var_24]
		xor	eax, eax
		mov	ecx, ebx
		mov	[esi+4], eax
		call	_CcSetVacbInFreeList@12	; CcSetVacbInFreeList(x,x,x)
		mov	ecx, large fs:20h
		xor	eax, eax
		inc	eax
		lea	esi, [ecx+438h]
		test	ds:byte_70EFC6,	al
		jz	short loc_5FE173
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FE19A
; 

loc_5FE140:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+2ECj
		xor	eax, eax
		mov	ebx, eax
		cmp	[esp+58h+var_2C], eax
		jnz	loc_5FE0B0
		mov	ecx, [esp+58h+var_30]
		and	ecx, 0FFFFFFFDh
		mov	[esp+58h+var_30], ecx
		cmp	[esp+58h+var_38], eax
		jnz	loc_5FE0BF
		cmp	[ebp+arg_0], eax
		jz	loc_5FE0BF
		mov	eax, [esi]
		jmp	loc_5FE0BB
; 

loc_5FE173:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+379j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5FE18F
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5FE19A
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5FE18F:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+3BEj
		xor	ecx, ecx
		add	eax, 4
		mov	[esi], ecx
		inc	ecx
		lock xor [eax],	ecx

loc_5FE19A:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+385j
					; CcUnmapInactiveViewsInternal(x,x,x,x)+3CDj
		mov	cl, [esp+58h+var_45]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	ecx, [ebx+40h]
		jmp	short loc_5FE1C0
; 

loc_5FE1A9:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+2BEj
					; CcUnmapInactiveViewsInternal(x,x,x,x)+2CAj
		xor	ecx, ecx
		mov	edx, edi
		cmp	[esp+58h+var_28], ecx
		setnz	cl
		call	_CcReleaseBcbLockAndVacbLock@8 ; CcReleaseBcbLockAndVacbLock(x,x)
		mov	ecx, [esp+58h+var_24]
		add	ecx, 40h

loc_5FE1C0:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+3EEj
					; CcUnmapInactiveViewsInternal(x,x,x,x)+479j
		lea	edx, [esp+58h+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	ecx
		mov	ecx, edi
		call	CcDecrementOpenCount
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jz	short loc_5FE1EA
		mov	edx, [ebp+4]
		lea	ecx, [esp+58h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FE219
; 

loc_5FE1EA:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+421j
		mov	eax, [esp+58h+var_C]
		test	eax, eax
		jnz	short loc_5FE20D
		mov	edx, [esp+58h+var_8]
		lea	eax, [esp+58h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+58h+var_C]
		cmp	eax, ecx
		jz	short loc_5FE219
		call	KxWaitForLockChainValid

loc_5FE20D:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+437j
		xor	ecx, ecx
		add	eax, 4
		mov	[esp+58h+var_C], ecx
		lock xor [eax],	ebx

loc_5FE219:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+42Fj
					; CcUnmapInactiveViewsInternal(x,x,x,x)+44Dj
		mov	cl, [esp+58h+var_4]
		jmp	short loc_5FE286
; 

loc_5FE21F:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+25Cj
					; CcUnmapInactiveViewsInternal(x,x,x,x)+26Aj ...
		xor	ecx, ecx
		mov	edx, edi
		cmp	[esp+58h+var_28], ecx
		setnz	cl
		call	_CcReleaseBcbLockAndVacbLock@8 ; CcReleaseBcbLockAndVacbLock(x,x)
		lea	ecx, [esi+40h]
		jmp	short loc_5FE1C0
; 

loc_5FE234:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+1ADj
					; CcUnmapInactiveViewsInternal(x,x,x,x)+1BCj
		xor	eax, eax
		mov	[esp+58h+var_38], eax
		mov	eax, large fs:20h
		lea	esi, [eax+438h]
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5FE25D
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FE284
; 

loc_5FE25D:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+496j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5FE279
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5FE284
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5FE279:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+4A8j
		xor	ecx, ecx
		add	eax, 4
		mov	[esi], ecx
		inc	ecx
		lock xor [eax],	ecx

loc_5FE284:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+4A2j
					; CcUnmapInactiveViewsInternal(x,x,x,x)+4B7j
		mov	cl, bl

loc_5FE286:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+464j
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [esp+58h+var_44]
		mov	cl, [esp+58h+var_46]
		mov	edx, [esp+58h+var_40]
		mov	esi, [esp+58h+var_3C]
		jmp	loc_5FDE2D
; 

loc_5FE2A1:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+7Aj
					; CcUnmapInactiveViewsInternal(x,x,x,x)+86j
		test	ebx, ebx
		jz	short loc_5FE2BE
		xor	dl, dl
		mov	ecx, ebx
		call	CcDereferenceVacbArray
		mov	edx, [esp+58h+var_40]
		xor	ebx, ebx
		mov	eax, [esp+58h+var_1C]
		mov	[esp+58h+var_44], ebx
		jmp	short loc_5FE2C0
; 

loc_5FE2BE:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+4EAj
		xor	ebx, ebx

loc_5FE2C0:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+503j
		cmp	[esp+58h+var_18], 0
		jnz	short loc_5FE32A
		cmp	edx, eax
		jnb	short loc_5FE32A
		xor	ecx, ecx
		mov	esi, eax
		inc	ecx
		sub	esi, edx
		mov	[esp+58h+var_18], ecx
		mov	ecx, offset _CcBcbTrimNotificationListLock
		shl	esi, 12h
		call	ExAcquireFastMutex
		mov	edi, ds:_CcBcbTrimNotificationList
		jmp	short loc_5FE300
; 

loc_5FE2EB:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+557j
		xor	eax, eax
		push	eax
		push	esi
		call	dword ptr [edi+8]
		mov	ecx, offset _CcBcbTrimNotificationListLock
		or	ebx, eax
		call	ExAcquireFastMutex
		mov	edi, [edi]

loc_5FE300:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+530j
		mov	ecx, offset _CcBcbTrimNotificationListLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	edi, offset _CcBcbTrimNotificationList
		jnz	short loc_5FE2EB
		mov	cl, [esp+60h+var_4E]
		test	ebx, ebx
		mov	ebx, [esp+60h+var_4C]
		mov	edx, [esp+18h]
		mov	esi, [esp+60h+var_44]
		jnz	loc_5FDE2D

loc_5FE32A:				; CODE XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+50Cj
					; CcUnmapInactiveViewsInternal(x,x,x,x)+510j
		lock inc ds:_CcDbgNumberOfCcUnmapInactiveViews
		mov	eax, [esp+60h+var_1C]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_CcUnmapInactiveViewsInternal@16 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 216. CcMdlWriteAbort

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcMdlWriteAbort(x, x)
		public _CcMdlWriteAbort@8
_CcMdlWriteAbort@8 proc	near

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		lea	edi, [esp+20h+var_C]
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+14h]
		mov	eax, [eax+4]
		mov	[esp+20h+var_10], eax
		mov	ax, [esi+6]
		and	ax, 2
		movzx	ebx, ax

loc_5FE375:				; CODE XREF: CcMdlWriteAbort(x,x)+49j
		mov	edi, [esi]
		test	bx, bx
		jz	short loc_5FE382
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_5FE382:				; CODE XREF: CcMdlWriteAbort(x,x)+37j
		push	esi
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	esi, edi
		test	edi, edi
		jnz	short loc_5FE375
		test	bx, bx
		jz	short loc_5FE407
		mov	ecx, [esp+24h+var_14]
		call	CcGetPartition
		lea	edx, [esp+24h+var_10]
		lea	ecx, [eax+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	ecx
		mov	ecx, [esp+28h+var_14]
		call	CcDecrementOpenCount
		test	ds:byte_70EFC6,	1
		jz	short loc_5FE3C9
		mov	edx, [ebp+4]
		lea	ecx, [esp+24h+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FE3FD
; 

loc_5FE3C9:				; CODE XREF: CcMdlWriteAbort(x,x)+76j
		mov	eax, [esp+24h+var_10]
		test	eax, eax
		jnz	short loc_5FE3EC
		mov	edx, [esp+24h+var_C]
		lea	eax, [esp+24h+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+24h+var_10]
		cmp	eax, ecx
		jz	short loc_5FE3FD
		call	KxWaitForLockChainValid

loc_5FE3EC:				; CODE XREF: CcMdlWriteAbort(x,x)+8Cj
		xor	ecx, ecx
		mov	[esp+24h+var_10], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_5FE3FD:				; CODE XREF: CcMdlWriteAbort(x,x)+84j
					; CcMdlWriteAbort(x,x)+A2j
		mov	cl, [esp+24h+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_5FE407:				; CODE XREF: CcMdlWriteAbort(x,x)+4Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_CcMdlWriteAbort@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcDeletePartition(x)
_CcDeletePartition@4 proc near		; CODE XREF: CcExitPartition(x,x)+1B5p
					; INIT:00AC3276p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	ebx, ebx
		push	ebx
		push	ebx
		lea	eax, [esi+290h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, esi
		call	CcDereferencePartition
		mov	eax, [esi+2B0h]
		test	eax, eax
		jz	short loc_5FE455
		push	ebx
		push	ebx
		push	eax
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		push	dword ptr [esi+2B0h]
		call	_ZwClose@4	; ZwClose(x)
		mov	[esi+2B0h], ebx

loc_5FE455:				; CODE XREF: CcDeletePartition(x)+2Aj
		lea	eax, [esi+168h]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jnz	short loc_5FE46A
		call	KeFlushQueuedDpcs

loc_5FE46A:				; CODE XREF: CcDeletePartition(x)+53j
		cmp	[esi+289h], bl
		jz	short loc_5FE4BD
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _CcGlobalPartitionLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [esi+4]
		mov	eax, 0FFFFh
		add	ds:_CcPartitionCount, ax
		and	dword ptr [edx+4], 0
		test	ds:byte_70EFC6,	1
		jz	short loc_5FE4AE
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5FE4B3
; 

loc_5FE4AE:				; CODE XREF: CcDeletePartition(x)+90j
		xor	eax, eax
		lock and [edi],	eax

loc_5FE4B3:				; CODE XREF: CcDeletePartition(x)+9Cj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	ebx, ebx

loc_5FE4BD:				; CODE XREF: CcDeletePartition(x)+60j
		lea	edi, [esi+8Ch]

loc_5FE4C3:				; CODE XREF: CcDeletePartition(x)+D5j
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_5FE4E7
		mov	ecx, [eax]
		cmp	[eax+4], edi
		jnz	short loc_5FE53B
		cmp	[ecx+4], eax
		jnz	short loc_5FE53B
		push	71576343h
		mov	[edi], ecx
		push	eax
		mov	[ecx+4], edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_5FE4C3
; 

loc_5FE4E7:				; CODE XREF: CcDeletePartition(x)+B7j
		lea	edi, [esi+0BCh]

loc_5FE4ED:				; CODE XREF: CcDeletePartition(x)+FFj
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_5FE511
		mov	ecx, [eax]
		cmp	[eax+4], edi
		jnz	short loc_5FE53B
		cmp	[ecx+4], eax
		jnz	short loc_5FE53B
		push	71576343h
		mov	[edi], ecx
		push	eax
		mov	[ecx+4], edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_5FE4ED
; 

loc_5FE511:				; CODE XREF: CcDeletePartition(x)+E1j
		lea	edi, [esi+0CCh]

loc_5FE517:				; CODE XREF: CcDeletePartition(x)+129j
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_5FE540
		mov	ecx, [eax]
		cmp	[eax+4], edi
		jnz	short loc_5FE53B
		cmp	[ecx+4], eax
		jnz	short loc_5FE53B
		push	71576343h
		mov	[edi], ecx
		push	eax
		mov	[ecx+4], edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_5FE517
; 

loc_5FE53B:				; CODE XREF: CcDeletePartition(x)+BEj
					; CcDeletePartition(x)+C3j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5FE540:				; CODE XREF: CcDeletePartition(x)+10Bj
		mov	eax, [esi+1D0h]
		test	eax, eax
		jz	short loc_5FE55B
		push	70546343h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+1D0h], ebx

loc_5FE55B:				; CODE XREF: CcDeletePartition(x)+138j
		mov	ecx, esi
		call	_CcUninitializePartitionVacbs@4	; CcUninitializePartitionVacbs(x)
		mov	ecx, esi
		call	_CcUninitializeAsyncRead@4 ; CcUninitializeAsyncRead(x)
		push	dword ptr [esi+4]
		push	esi		; char
		push	offset ??_C@_0DO@GPPKKMBF@CcDeletePartition?3?5Partition?5De@FNODOBFM@ ; char *
		push	2		; int
		push	7Fh		; int
		call	_DbgPrintEx
		add	esp, 14h
		push	72506343h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
_CcDeletePartition@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcDeleteSectionsForPartition(x, x)
_CcDeleteSectionsForPartition@8	proc near ; CODE XREF: CcExitPartition(x,x)+F3p
					; CcExitPartition(x,x)+FCp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_8], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [edx+40h]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[ebp+var_4], eax

loc_5FE5BD:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+CFj
		lea	edx, [ebp+var_14]
		mov	ecx, eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebx]

loc_5FE5C9:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+50j
		cmp	eax, ebx
		jz	loc_5FE73D
		lea	esi, [eax-58h]
		test	dword ptr [esi+60h], 800h
		jz	short loc_5FE5E1
		mov	eax, [eax]
		jmp	short loc_5FE5C9
; 

loc_5FE5E1:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+4Cj
		call	_MmGetControlAreaPartition@4 ; MmGetControlAreaPartition(x)
		mov	ecx, [ebp+var_8]
		cmp	eax, [ecx+4]
		jnz	loc_5FE728
		lea	eax, [esi+90h]
		cmp	[eax], eax
		jnz	short loc_5FE60E
		mov	eax, [esi+60h]
		test	eax, 8000h
		jz	short loc_5FE670
		and	eax, 0FFFF7FFFh
		mov	[esi+60h], eax

loc_5FE60E:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+6Bj
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jnz	short loc_5FE663
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5FE638
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5FE648
		call	KxWaitForLockChainValid

loc_5FE638:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+8Fj
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5FE648:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+A2j
					; CcDeleteSectionsForPartition(x,x)+DFj
		mov	cl, [ebp+var_C]
		call	edi
		push	offset _Cc5Milliseconds
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)

loc_5FE65B:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+100j
					; CcDeleteSectionsForPartition(x,x)+194j
		mov	eax, [ebp+var_4]
		jmp	loc_5FE5BD
; 

loc_5FE663:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+88j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FE648
; 

loc_5FE670:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+75j
		xor	ecx, ecx
		test	al, 20h
		jnz	short loc_5FE691
		cmp	[esi+4], ecx
		jnz	short loc_5FE691
		cmp	[esi+4Ch], ecx
		jnz	short loc_5FE691
		push	ecx
		push	ecx
		lea	eax, [ebp+var_14]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	CcDeleteSharedCacheMap
		jmp	short loc_5FE65B
; 

loc_5FE691:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+E5j
					; CcDeleteSectionsForPartition(x,x)+EAj ...
		or	eax, 10000h
		push	ecx
		mov	[esi+60h], eax
		lea	eax, [ebp+var_24]
		push	ecx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [esi+0B0h]
		xor	ecx, ecx
		mov	[ebp+var_28], eax
		inc	ecx
		lea	eax, [ebp+var_28]
		mov	dl, cl
		or	eax, ecx
		push	ecx
		mov	ecx, [ebp+var_8]
		mov	[esi+0B0h], eax
		call	_CcScheduleLazyWriteScan@12 ; CcScheduleLazyWriteScan(x,x,x)
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_5FE6DE
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FE70D
; 

loc_5FE6DE:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+140j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5FE6FD
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5FE70D
		call	KxWaitForLockChainValid

loc_5FE6FD:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+154j
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5FE70D:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+14Dj
					; CcDeleteSectionsForPartition(x,x)+167j
		mov	cl, [ebp+var_C]
		call	edi
		push	0
		push	0
		push	0
		push	0
		lea	eax, [ebp+var_24]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_5FE65B
; 

loc_5FE728:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+5Dj
		push	0
		push	0
		push	0C0000420h
		push	320h
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5FE73D:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+3Cj
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jz	short loc_5FE755
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FE781
; 

loc_5FE755:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+1B7j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5FE774
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5FE781
		call	KxWaitForLockChainValid

loc_5FE774:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+1CBj
		mov	[ebp+var_14], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_5FE781:				; CODE XREF: CcDeleteSectionsForPartition(x,x)+1C4j
					; CcDeleteSectionsForPartition(x,x)+1DEj
		mov	cl, [ebp+var_C]
		call	edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CcDeleteSectionsForPartition@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcExitPartition(x, x)
_CcExitPartition@8 proc	near		; CODE XREF: MiDeletePartitionResources(x)+29p
					; MiDrainCrossPartitionUsage(x)+DAp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ecx+4]
		xor	eax, eax
		mov	[ebp+var_8], ecx
		push	edi
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		test	esi, esi
		jz	loc_5FE945
		test	edx, edx
		jnz	loc_5FE88E
		push	2
		pop	edx
		mov	ecx, esi
		call	CcNotifyWriteBehindInternal
		mov	ecx, esi
		call	_CcWaitForCurrentLazyWriterActivityInternal@4 ;	CcWaitForCurrentLazyWriterActivityInternal(x)
		lea	edx, [ebp+var_14]
		lea	ecx, [esi+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _CcGlobalPartitionLock
		mov	[ebp+var_1], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	ebx, ebx
		inc	ebx
		mov	[esi+28Ah], bl
		test	ds:byte_70EFC6,	bl
		jz	short loc_5FE802
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5FE807
; 

loc_5FE802:				; CODE XREF: CcExitPartition(x,x)+69j
		xor	eax, eax
		lock and [edi],	eax

loc_5FE807:				; CODE XREF: CcExitPartition(x,x)+75j
		mov	cl, [ebp+var_1]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		test	ds:byte_70EFC6,	bl
		jz	short loc_5FE827
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FE853
; 

loc_5FE827:				; CODE XREF: CcExitPartition(x,x)+8Dj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5FE846
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5FE853
		call	KxWaitForLockChainValid

loc_5FE846:				; CODE XREF: CcExitPartition(x,x)+A1j
		mov	[ebp+var_14], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_5FE853:				; CODE XREF: CcExitPartition(x,x)+9Aj
					; CcExitPartition(x,x)+B4j
		mov	cl, [ebp+var_C]
		call	edi
		lea	edi, [esi+8]

loc_5FE85B:				; CODE XREF: CcExitPartition(x,x)+101j
		lea	ecx, [esi+18h]
		cmp	[edi], edi
		jnz	short loc_5FE87C
		lea	eax, [esi+24h]
		cmp	[ecx], eax
		jnz	short loc_5FE872
		cmp	[esi+1Ch], eax
		jnz	short loc_5FE872
		mov	al, bl
		jmp	short loc_5FE874
; 

loc_5FE872:				; CODE XREF: CcExitPartition(x,x)+DCj
					; CcExitPartition(x,x)+E1j
		xor	al, al

loc_5FE874:				; CODE XREF: CcExitPartition(x,x)+E5j
		test	al, al
		jnz	loc_5FE945

loc_5FE87C:				; CODE XREF: CcExitPartition(x,x)+D5j
		mov	edx, esi
		call	_CcDeleteSectionsForPartition@8	; CcDeleteSectionsForPartition(x,x)
		mov	edx, esi
		mov	ecx, edi
		call	_CcDeleteSectionsForPartition@8	; CcDeleteSectionsForPartition(x,x)
		jmp	short loc_5FE85B
; 

loc_5FE88E:				; CODE XREF: CcExitPartition(x,x)+23j
		lea	edx, [ebp+var_14]
		lea	ecx, [esi+40h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _CcGlobalPartitionLock
		mov	[ebp+var_1], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	ebx, ebx
		mov	byte ptr [esi+28Ah], 2
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jz	short loc_5FE8CC
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_5FE8D1
; 

loc_5FE8CC:				; CODE XREF: CcExitPartition(x,x)+133j
		xor	eax, eax
		lock and [edi],	eax

loc_5FE8D1:				; CODE XREF: CcExitPartition(x,x)+13Fj
		mov	cl, [ebp+var_1]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		test	ds:byte_70EFC6,	bl
		jz	short loc_5FE8F1
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FE91D
; 

loc_5FE8F1:				; CODE XREF: CcExitPartition(x,x)+157j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_5FE910
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_5FE91D
		call	KxWaitForLockChainValid

loc_5FE910:				; CODE XREF: CcExitPartition(x,x)+16Bj
		mov	[ebp+var_14], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_5FE91D:				; CODE XREF: CcExitPartition(x,x)+164j
					; CcExitPartition(x,x)+17Ej
		mov	cl, [ebp+var_C]
		call	edi
		mov	ecx, esi
		call	_CcPostDeferredWrites@4	; CcPostDeferredWrites(x)
		push	[ebp+var_8]
		push	esi		; char
		push	offset ??_C@_0FC@KAGCNAGF@CcExitPartition?3?5Partition?5Exit@FNODOBFM@ ; char *
		push	2		; int
		push	7Fh		; int
		call	_DbgPrintEx
		add	esp, 14h
		mov	ecx, esi
		call	_CcDeletePartition@4 ; CcDeletePartition(x)

loc_5FE945:				; CODE XREF: CcExitPartition(x,x)+1Bj
					; CcExitPartition(x,x)+EBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CcExitPartition@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcUninitializePartitionVacbs(x)
_CcUninitializePartitionVacbs@4	proc near ; CODE XREF: CcDeletePartition(x)+14Dp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	ebx, [edi+264h]

loc_5FE95B:				; CODE XREF: CcUninitializePartitionVacbs(x)+C6j
		mov	eax, [ebx]
		cmp	eax, ebx
		jz	loc_5FEA2F
		lea	esi, [eax-8]
		lea	eax, [esi+8]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_5FEA2A
		cmp	[ecx], eax
		jnz	loc_5FEA2A
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, [esi]
		call	_MmFreeSystemCacheReserveView@4	; MmFreeSystemCacheReserveView(x)
		and	dword ptr [esi], 0
		push	4
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		push	0
		mov	edx, esi
		mov	[ebp+var_1], al
		mov	ecx, edi
		call	_CcSetVacbInFreeList@12	; CcSetVacbInFreeList(x,x,x)
		mov	ecx, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [ecx+438h]
		jz	short loc_5FE9C8
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_5FE9F3
; 

loc_5FE9C8:				; CODE XREF: CcUninitializePartitionVacbs(x)+70j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_5FE9E4
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_5FE9F3
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_5FE9E4:				; CODE XREF: CcUninitializePartitionVacbs(x)+82j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_5FE9F3:				; CODE XREF: CcUninitializePartitionVacbs(x)+7Cj
					; CcUninitializePartitionVacbs(x)+91j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [edi+26Ch]
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jb	short loc_5FEA15
		dec	eax
		mov	[edi+26Ch], eax
		jmp	loc_5FE95B
; 

loc_5FEA15:				; CODE XREF: CcUninitializePartitionVacbs(x)+BDj
		push	0
		push	0
		push	0C0000420h
		push	6A1h

loc_5FEA23:				; CODE XREF: CcUninitializePartitionVacbs(x)+FBj
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_5FEA2A:				; CODE XREF: CcUninitializePartitionVacbs(x)+29j
					; CcUninitializePartitionVacbs(x)+31j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5FEA2F:				; CODE XREF: CcUninitializePartitionVacbs(x)+15j
		xor	ecx, ecx
		cmp	[edi+26Ch], ecx
		jz	short loc_5FEA47
		push	ecx
		push	ecx
		push	0C0000420h
		push	6A9h
		jmp	short loc_5FEA23
; 

loc_5FEA47:				; CODE XREF: CcUninitializePartitionVacbs(x)+EDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CcUninitializePartitionVacbs@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcPerfLogCanWriteFail(x, x,	x, x)
_CcPerfLogCanWriteFail@16 proc near	; CODE XREF: CcCanIWrite+116575p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		test	ecx, ecx
		jz	short loc_5FEA6A
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_14], eax
		jmp	short loc_5FEA6E
; 

loc_5FEA6A:				; CODE XREF: CcPerfLogCanWriteFail(x,x,x,x)+14j
		and	[ebp+var_14], 0

loc_5FEA6E:				; CODE XREF: CcPerfLogCanWriteFail(x,x,x,x)+1Cj
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_28]
		and	[ebp+var_24], 0
		and	[ebp+var_1C], 0
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_4]
		push	(offset	off_401900+2)
		mov	[ebp+var_8], edx
		xor	edx, edx
		mov	[ebp+var_C], eax
		inc	edx
		push	1606h
		lea	eax, [ebp+var_14]
		mov	[ebp+var_20], 10h
		push	80020000h
		mov	[ebp+var_28], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_CcPerfLogCanWriteFail@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcPerfLogExtraWBThreadAction(x, x, x, x, x)
_CcPerfLogExtraWBThreadAction@20 proc near ; CODE XREF:	CcLogExtraWBThreadAction(x,x)+9Cp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	2
		pop	eax
		cmp	ecx, eax
		jnz	short loc_5FEADC
		mov	[ebp+var_18], 1
		jmp	short loc_5FEAE4
; 

loc_5FEADC:				; CODE XREF: CcPerfLogExtraWBThreadAction(x,x,x,x,x)+17j
		cmp	ecx, 3
		jnz	short loc_5FEB28
		mov	[ebp+var_18], eax

loc_5FEAE4:				; CODE XREF: CcPerfLogExtraWBThreadAction(x,x,x,x,x)+20j
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_28]
		and	[ebp+var_24], 0
		and	[ebp+var_1C], 0
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_8]
		push	(offset	off_401900+2)
		mov	[ebp+var_14], edx
		xor	edx, edx
		mov	[ebp+var_8], eax
		inc	edx
		push	160Eh
		lea	eax, [ebp+var_18]
		mov	[ebp+var_20], 14h
		push	80020000h
		mov	[ebp+var_28], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_5FEB28:				; CODE XREF: CcPerfLogExtraWBThreadAction(x,x,x,x,x)+25j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_CcPerfLogExtraWBThreadAction@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcAsyncReadWorkerThread(x)
_CcAsyncReadWorkerThread@4 proc	near	; DATA XREF: CcInitializeAsyncRead+201o
					; CcInitializeAsyncRead+2A5o

var_280		= dword	ptr -280h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 280h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	edi
		push	3
		pop	edi
		mov	ecx, [ebx+20h]
		mov	edx, [ebx+14h]
		mov	[ebp+var_240], ecx
		mov	[ebp+var_248], edx
		mov	eax, [ecx+244h]
		lea	eax, [eax+edx*8]
		mov	[ebp+var_244], eax
		cmp	[ebx+10h], edi
		jnz	loc_5FF010
		mov	eax, [ebx+18h]
		imul	edx, 194h
		push	esi
		mov	[ebp+var_214], edi
		xor	esi, esi
		push	40h
		lea	edi, [ebp+var_204]
		mov	[ebp+var_20C], esi
		add	edx, [ecx+25Ch]
		pop	ecx
		push	40h
		mov	[ebp+var_23C], edx
		and	dword ptr [edx+eax*4], 0
		xor	edx, edx
		mov	eax, [ebx+18h]
		mov	[ebp+var_220], eax
		mov	eax, [ebx+20h]
		mov	[ebp+var_210], eax
		xor	eax, eax
		rep stosd
		pop	ecx
		lea	edi, [ebp+var_104]
		mov	[ebp+var_218], edx
		rep stosd
		mov	edi, [ebp+var_210]
		mov	[ebp+var_228], edx
		mov	edx, [ebx+14h]
		mov	eax, edx
		shl	eax, 4
		mov	ecx, [edi+258h]
		add	ecx, eax
		mov	[ebp+var_238], eax
		imul	eax, edx, 194h
		mov	[ebp+var_21C], edx
		mov	[ebp+var_208], ecx
		mov	[ebp+var_250], ecx
		add	eax, [edi+25Ch]
		mov	[ebp+var_224], eax
		lea	eax, [edi+290h]
		mov	[ebp+var_24C], eax

loc_5FEC29:				; CODE XREF: CcAsyncReadWorkerThread(x)+442j
					; CcAsyncReadWorkerThread(x)+44Cj
		cmp	esi, 3Fh
		jnb	short loc_5FEC48
		mov	eax, [edi+250h]
		lea	eax, [eax+edx*8]
		cmp	[eax], eax
		jz	short loc_5FEC48
		xor	edx, edx
		lea	edi, [esi+1]
		mov	[ebp+var_214], edx
		jmp	short loc_5FECA8
; 

loc_5FEC48:				; CODE XREF: CcAsyncReadWorkerThread(x)+F6j
					; CcAsyncReadWorkerThread(x)+103j
		test	esi, esi
		jnz	short loc_5FEC84
		lea	eax, [ebp+var_280]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	8
		push	1
		lea	eax, [ebp+var_250]
		push	eax
		push	2
		call	KeWaitForMultipleObjects
		mov	edi, eax
		test	edi, edi
		jnz	short loc_5FEC7A
		xor	edx, edx

loc_5FEC72:				; CODE XREF: CcAsyncReadWorkerThread(x)+14Cj
					; CcAsyncReadWorkerThread(x)+164j
		mov	[ebp+var_214], edx
		jmp	short loc_5FECA2
; 

loc_5FEC7A:				; CODE XREF: CcAsyncReadWorkerThread(x)+138j
		cmp	edi, 1
		jnz	short loc_5FEC9C
		push	2
		pop	edx
		jmp	short loc_5FEC72
; 

loc_5FEC84:				; CODE XREF: CcAsyncReadWorkerThread(x)+114j
		push	ecx
		mov	edx, esi
		lea	ecx, [ebp+var_104]
		call	MmWaitMultipleForCacheManagerPrefetch
		mov	edi, eax
		cmp	edi, esi
		sbb	edx, edx
		neg	edx
		jmp	short loc_5FEC72
; 

loc_5FEC9C:				; CODE XREF: CcAsyncReadWorkerThread(x)+147j
		mov	edx, [ebp+var_214]

loc_5FECA2:				; CODE XREF: CcAsyncReadWorkerThread(x)+142j
		mov	ecx, [ebp+var_208]

loc_5FECA8:				; CODE XREF: CcAsyncReadWorkerThread(x)+110j
		mov	eax, edx
		sub	eax, 0
		jz	loc_5FEDEC
		sub	eax, 1
		jnz	loc_5FEF5A
		cmp	edi, esi
		jnb	loc_5FEF8F
		lea	eax, [ebp+var_204]
		lea	eax, [eax+edi*4]
		lfence	eax
		mov	ecx, [eax]
		mov	[ebp+var_230], eax
		mov	[ebp+var_22C], ecx
		test	ecx, ecx
		jz	loc_5FEF87
		mov	eax, [ecx+20h]
		test	eax, eax
		jz	loc_5FEF87
		push	73416343h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_22C]
		lea	eax, [ebp+var_104]
		lea	eax, [eax+edi*4]
		xor	edx, edx
		mov	[ebp+var_234], eax
		mov	[eax], edx
		lea	eax, [ebp+var_204]
		lea	eax, [eax+edi*4]
		mov	byte ptr [ecx+48h], 6
		mov	[eax], edx
		mov	eax, [ecx+8]
		mov	[ecx+20h], edx
		cmp	dword ptr [eax+170h], 1
		jnz	short loc_5FED4E
		cmp	dword ptr [ecx+1Ch], 20000h
		ja	short loc_5FED4E
		call	CcCompleteAsyncRead
		mov	ecx, [ebp+var_22C]
		call	_CcFreeWorkQueueEntry@4	; CcFreeWorkQueueEntry(x)
		jmp	short loc_5FED55
; 

loc_5FED4E:				; CODE XREF: CcAsyncReadWorkerThread(x)+1FBj
					; CcAsyncReadWorkerThread(x)+204j
		xor	edx, edx
		call	CcPostWorkQueueAsyncRead

loc_5FED55:				; CODE XREF: CcAsyncReadWorkerThread(x)+216j
		dec	esi
		mov	[ebp+var_20C], esi
		cmp	edi, esi
		jnb	short loc_5FEDA1
		mov	eax, [ebp+var_20C]
		lea	esi, [ebp+var_200]
		sub	eax, edi
		lea	esi, [esi+edi*4]
		shl	eax, 2
		lea	edx, [ebp+var_100]
		lea	edx, [edx+edi*4]
		mov	ecx, eax
		mov	edi, [ebp+var_230]
		shr	ecx, 2
		rep movsd
		mov	edi, [ebp+var_234]
		mov	esi, edx
		shr	eax, 2
		mov	ecx, eax
		rep movsd
		mov	esi, [ebp+var_20C]
		mov	edi, esi

loc_5FEDA1:				; CODE XREF: CcAsyncReadWorkerThread(x)+228j
		and	[ebp+edi*4+var_104], 0
		and	[ebp+edi*4+var_204], 0
		mov	ecx, [ebp+var_220]
		mov	eax, [ebp+var_224]
		lock dec dword ptr [eax+ecx*4]
		mov	ecx, [ebp+var_208]
		mov	edi, [ebp+var_210]
		test	ecx, ecx
		jnz	loc_5FEF6B
		mov	ecx, [edi+258h]
		add	ecx, [ebp+var_238]
		mov	[ebp+var_208], ecx
		jmp	loc_5FEF6B
; 

loc_5FEDEC:				; CODE XREF: CcAsyncReadWorkerThread(x)+177j
		mov	edi, [ebp+var_210]

loc_5FEDF2:				; CODE XREF: CcAsyncReadWorkerThread(x)+34Bj
					; CcAsyncReadWorkerThread(x)+397j
		xor	edx, edx
		lea	ecx, [edi+260h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+250h]
		mov	ecx, [ebp+var_21C]
		lea	edx, [eax+ecx*8]
		cmp	[edx], edx
		jz	loc_5FEF0B
		cmp	esi, 3Fh
		jnb	loc_5FEED2
		mov	ecx, edi
		call	CcFindNextWorkQueueEntry
		xor	edx, edx
		lea	ecx, [edi+260h]
		mov	esi, eax
		call	ExReleasePushLockEx
		mov	ecx, esi
		call	CcAsyncReadPrefetch
		test	al, al
		jz	short loc_5FEEB9
		mov	eax, [esi+20h]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_5FEE86
		mov	eax, [ebp+var_20C]
		mov	[ebp+eax*4+var_204], esi
		mov	esi, eax
		mov	[ebp+eax*4+var_104], ecx
		inc	esi
		mov	eax, [ebp+var_220]
		mov	ecx, [ebp+var_224]
		mov	[ebp+var_20C], esi
		lock inc dword ptr [ecx+eax*4]
		cmp	esi, 3Fh
		sbb	eax, eax
		and	[ebp+var_208], eax
		jmp	loc_5FEDF2
; 

loc_5FEE86:				; CODE XREF: CcAsyncReadWorkerThread(x)+311j
		push	73416343h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+8]
		and	dword ptr [esi+20h], 0
		mov	byte ptr [esi+48h], 6
		cmp	dword ptr [eax+170h], 1
		jnz	short loc_5FEEAE
		cmp	dword ptr [esi+1Ch], 20000h
		jbe	short loc_5FEEB9

loc_5FEEAE:				; CODE XREF: CcAsyncReadWorkerThread(x)+36Dj
		xor	edx, edx
		mov	ecx, esi
		call	CcPostWorkQueueAsyncRead
		jmp	short loc_5FEEC7
; 

loc_5FEEB9:				; CODE XREF: CcAsyncReadWorkerThread(x)+308j
					; CcAsyncReadWorkerThread(x)+376j
		mov	ecx, esi
		call	CcCompleteAsyncRead
		mov	ecx, esi
		call	_CcFreeWorkQueueEntry@4	; CcFreeWorkQueueEntry(x)

loc_5FEEC7:				; CODE XREF: CcAsyncReadWorkerThread(x)+381j
		mov	esi, [ebp+var_20C]
		jmp	loc_5FEDF2
; 

loc_5FEED2:				; CODE XREF: CcAsyncReadWorkerThread(x)+2E3j
		xor	edx, edx
		lea	ecx, [edi+260h]
		call	ExReleasePushLockEx
		push	[ebp+var_21C]
		lea	edx, [ebp+var_228]
		mov	ecx, edi
		call	CcShouldSpinAsyncReadWorkerThread
		xor	edx, edx
		lea	ecx, [edi+260h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_228]
		mov	[ebp+var_218], eax

loc_5FEF0B:				; CODE XREF: CcAsyncReadWorkerThread(x)+2DAj
		xor	edx, edx
		lea	ecx, [edi+260h]
		call	ExReleasePushLockEx
		mov	edx, [ebp+var_218]
		test	edx, edx
		jz	short loc_5FEF65
		mov	eax, [edx+18h]
		mov	ecx, [ebp+var_224]
		and	dword ptr [ecx+eax*4], 0
		and	dword ptr [edx], 0
		xor	edx, edx
		push	dword ptr [edi+4]
		mov	ecx, [ebp+var_218]
		push	0FFFFFFFFh
		call	ExQueueWorkItemToPartition
		mov	edx, [ebp+var_214]
		xor	eax, eax
		mov	[ebp+var_218], eax
		mov	[ebp+var_228], eax
		jmp	short loc_5FEF60
; 

loc_5FEF5A:				; CODE XREF: CcAsyncReadWorkerThread(x)+180j
		mov	edi, [ebp+var_210]

loc_5FEF60:				; CODE XREF: CcAsyncReadWorkerThread(x)+422j
		cmp	edx, 2
		jz	short loc_5FEF97

loc_5FEF65:				; CODE XREF: CcAsyncReadWorkerThread(x)+3EAj
					; CcAsyncReadWorkerThread(x)+457j
		mov	ecx, [ebp+var_208]

loc_5FEF6B:				; CODE XREF: CcAsyncReadWorkerThread(x)+299j
					; CcAsyncReadWorkerThread(x)+2B1j ...
		cmp	[ebp+var_220], 0
		mov	edx, [ebp+var_21C]
		jz	loc_5FEC29
		test	esi, esi
		jz	short loc_5FEFB2
		jmp	loc_5FEC29
; 

loc_5FEF87:				; CODE XREF: CcAsyncReadWorkerThread(x)+1AAj
					; CcAsyncReadWorkerThread(x)+1B5j
		mov	edi, [ebp+var_210]
		jmp	short loc_5FEF65
; 

loc_5FEF8F:				; CODE XREF: CcAsyncReadWorkerThread(x)+188j
		mov	edi, [ebp+var_210]
		jmp	short loc_5FEF6B
; 

loc_5FEF97:				; CODE XREF: CcAsyncReadWorkerThread(x)+42Dj
		cmp	[ebp+var_220], 0
		jnz	short loc_5FEFB2
		push	71576343h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, edi
		call	CcDereferencePartition

loc_5FEFB2:				; CODE XREF: CcAsyncReadWorkerThread(x)+44Aj
					; CcAsyncReadWorkerThread(x)+468j
		mov	eax, [ebx+18h]
		xor	edx, edx
		mov	ecx, [ebp+var_23C]
		mov	edi, [ebp+var_240]
		or	dword ptr [ecx+eax*4], 0FFFFFFFFh
		lea	esi, [edi+260h]
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_244]
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jz	short loc_5FEFE6
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_5FEFE6:				; CODE XREF: CcAsyncReadWorkerThread(x)+4A9j
		mov	edx, [ebp+var_248]
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	[ecx+4], ebx
		mov	ecx, esi
		mov	eax, [edi+248h]
		dec	dword ptr [eax+edx*4]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, edi
		call	CcDereferencePartition
		pop	esi

loc_5FF010:				; CODE XREF: CcAsyncReadWorkerThread(x)+41j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CcAsyncReadWorkerThread@4 endp


;  S U B	R O U T	I N E 


; __stdcall CcUninitializeAsyncRead(x)
_CcUninitializeAsyncRead@4 proc	near	; CODE XREF: CcDeletePartition(x)+154p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, 71576343h
		cmp	[esi+244h], ebx
		jz	short loc_5FF07B
		mov	edi, ebx

loc_5FF038:				; CODE XREF: CcUninitializeAsyncRead(x)+4Bj
					; CcUninitializeAsyncRead(x)+54j
		mov	eax, [esi+244h]
		lea	ecx, [eax+edi*8]
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	short loc_5FF06D
		cmp	[eax+4], ecx
		jnz	loc_5FF109
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_5FF109
		push	71576343h
		mov	[ecx], edx
		push	eax
		mov	[edx+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_5FF038
; 

loc_5FF06D:				; CODE XREF: CcUninitializeAsyncRead(x)+25j
		inc	edi
		cmp	edi, ds:_CcMaxNestingLevel
		jbe	short loc_5FF038
		mov	edi, 71576343h

loc_5FF07B:				; CODE XREF: CcUninitializeAsyncRead(x)+14j
		mov	eax, [esi+250h]
		test	eax, eax
		jz	short loc_5FF092
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+250h], ebx

loc_5FF092:				; CODE XREF: CcUninitializeAsyncRead(x)+63j
		mov	eax, [esi+254h]
		test	eax, eax
		jz	short loc_5FF0A9
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+254h], ebx

loc_5FF0A9:				; CODE XREF: CcUninitializeAsyncRead(x)+7Aj
		mov	eax, [esi+25Ch]
		test	eax, eax
		jz	short loc_5FF0C0
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+25Ch], ebx

loc_5FF0C0:				; CODE XREF: CcUninitializeAsyncRead(x)+91j
		mov	eax, [esi+258h]
		test	eax, eax
		jz	short loc_5FF0D7
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+258h], ebx

loc_5FF0D7:				; CODE XREF: CcUninitializeAsyncRead(x)+A8j
		mov	eax, [esi+248h]
		test	eax, eax
		jz	short loc_5FF0EE
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+248h], ebx

loc_5FF0EE:				; CODE XREF: CcUninitializeAsyncRead(x)+BFj
		mov	eax, [esi+24Ch]
		test	eax, eax
		jz	short loc_5FF105
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+24Ch], ebx

loc_5FF105:				; CODE XREF: CcUninitializeAsyncRead(x)+D6j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_5FF109:				; CODE XREF: CcUninitializeAsyncRead(x)+2Aj
					; CcUninitializeAsyncRead(x)+35j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall CmpHKeyNodeSize(x)
_CmpHKeyNodeSize@4:			; CODE XREF: CmRenameKey(x,x,x,x)+8EBp
		call	_CmpNameSize@4	; CmpNameSize(x)
		movzx	eax, ax
		add	eax, 4Ch
		retn
_CcUninitializeAsyncRead@4 endp	; sp = -0Ch


;  S U B	R O U T	I N E 


; __stdcall RtlUnicodeStringInit(x, x)
_RtlUnicodeStringInit@8	proc near	; CODE XREF: PAGE:00888DA3p
		mov	edi, edi
		push	ecx
		push	ecx
		call	RtlUnicodeStringInitWorker
		retn
_RtlUnicodeStringInit@8	endp


;  S U B	R O U T	I N E 


; __stdcall CmpHKeyNameLen(x)
_CmpHKeyNameLen@4 proc near		; CODE XREF: CmpLoadHiveVolatile(x,x)+218p
					; CmpLoadHiveVolatile(x,x)+2D5p ...
		test	byte ptr [ecx+2], 20h
		movzx	eax, word ptr [ecx+48h]
		jz	short locret_5FF130
		add	eax, eax

locret_5FF130:				; CODE XREF: CmpHKeyNameLen(x)+8j
		retn
_CmpHKeyNameLen@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpFreeCallbackContext(x)
_CmpFreeCallbackContext@4 proc near	; CODE XREF: CmpCallCallBacksEx:loc_91DCD2p
		mov	edx, ds:_KeNumberProcessors
		imul	edx, ds:_CmpCallBackCount
		cmp	edx, 40h
		jbe	short loc_5FF146
		push	40h
		pop	edx

loc_5FF146:				; CODE XREF: CmpFreeCallbackContext(x)+10j
		movzx	eax, word ptr ds:dword_6CE36C
		cmp	eax, edx
		jnb	short loc_5FF15D
		mov	edx, ecx
		mov	ecx, offset _CmpCallbackContextSList
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
; 

loc_5FF15D:				; CODE XREF: CmpFreeCallbackContext(x)+1Ej
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
_CmpFreeCallbackContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCheckHivePrimaryFileReadWriteAccess(x)
_CmpCheckHivePrimaryFileReadWriteAccess@4 proc near
					; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+557p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+28h+var_10]
		stosd
		xor	ebx, ebx
		mov	[esp+28h+var_1C], ebx
		mov	esi, ecx
		mov	[esp+28h+var_18], ebx
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+28h+var_14], al
		lea	eax, [esp+28h+var_10]
		push	eax
		call	SeCaptureSubjectContext
		call	_IoGetFileObjectGenericMapping@0 ; IoGetFileObjectGenericMapping()
		push	ebx
		lea	ecx, [esp+2Ch+var_1C]
		xor	edx, edx
		push	ecx
		lea	ecx, [esp+30h+var_18]
		push	ecx
		push	[esp+34h+var_14]
		mov	ecx, esi
		push	eax
		push	ebx
		push	ebx
		push	3
		push	ebx
		lea	eax, [esp+4Ch+var_10]
		push	eax
		call	SeAccessCheckWithHintWithAdminlessChecks
		mov	bl, al
		lea	eax, [esp+28h+var_10]
		push	eax
		call	SeReleaseSubjectContext
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_CmpCheckHivePrimaryFileReadWriteAccess@4 endp


;  S U B	R O U T	I N E 


CmpMarkCachedFullKCBNameStale proc near	; CODE XREF: CmRenameKey(x,x,x,x)+CC8p
		add	ecx, 0A0h
		mov	eax, [ecx]
		test	eax, eax
		jz	short locret_5FF1F3
		xor	eax, eax
		inc	eax
		lock or	[ecx], eax

locret_5FF1F3:				; CODE XREF: CmpMarkCachedFullKCBNameStale+Aj
		retn
CmpMarkCachedFullKCBNameStale endp


;  S U B	R O U T	I N E 


KCBNeedsVirtualImage proc near		; CODE XREF: CmQueryLayeredKey+177B0Ep
					; CmQueryLayeredKey+177B30p ...
		cmp	ds:_CmpVEEnabled, 0
		jz	short loc_5FF22A
		test	dword ptr [ecx+68h], 2000000h
		jnz	short loc_5FF22A
		call	_CmpIsKcbInsideVirtualizedHive@4 ; CmpIsKcbInsideVirtualizedHive(x)
		test	al, al
		jz	short loc_5FF22A
		mov	eax, large fs:124h
		push	0
		mov	cl, [eax+15Ah]
		call	CmpIsSystemEntity
		neg	al
		sbb	al, al
		inc	al
		jmp	short locret_5FF22C
; 

loc_5FF22A:				; CODE XREF: KCBNeedsVirtualImage+7j
					; KCBNeedsVirtualImage+10j ...
		xor	al, al

locret_5FF22C:				; CODE XREF: KCBNeedsVirtualImage+34j
		retn	4
KCBNeedsVirtualImage endp


;  S U B	R O U T	I N E 


; __stdcall CmpIsRegistryLockContended()
_CmpIsRegistryLockContended@0 proc near	; CODE XREF: CmpEnumerateLayeredKey:loc_8CB468p
		mov	edi, edi
		push	esi
		mov	esi, offset _CmpRegistryLock
		push	esi
		call	_ExGetSharedWaiterCount@4 ; ExGetSharedWaiterCount(x)
		test	eax, eax
		jnz	short loc_5FF24F
		push	esi
		call	_ExGetExclusiveWaiterCount@4 ; ExGetExclusiveWaiterCount(x)
		test	eax, eax
		jnz	short loc_5FF24F
		xor	al, al
		pop	esi
		retn
; 

loc_5FF24F:				; CODE XREF: CmpIsRegistryLockContended()+10j
					; CmpIsRegistryLockContended()+1Aj
		mov	al, 1
		pop	esi
		retn
_CmpIsRegistryLockContended@0 endp


;  S U B	R O U T	I N E 


; __stdcall CmpLockKcbStackFlusherLocksExclusive(x)
_CmpLockKcbStackFlusherLocksExclusive@4	proc near ; CODE XREF: CmSaveKey(x,x,x,x)+12Ap
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		movsx	edi, word ptr [ebx+2]
		inc	edi
		xor	ecx, ecx
		jmp	short loc_5FF28B
; 

loc_5FF263:				; CODE XREF: CmpLockKcbStackFlusherLocksExclusive(x)+41j
		movzx	edx, word ptr [ebx+2]
		jmp	short loc_5FF278
; 

loc_5FF269:				; CODE XREF: CmpLockKcbStackFlusherLocksExclusive(x)+28j
		mov	ecx, ebx
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		mov	ecx, [eax+10h]
		cmp	ecx, esi
		jz	short loc_5FF27F
		dec	edx

loc_5FF278:				; CODE XREF: CmpLockKcbStackFlusherLocksExclusive(x)+14j
		test	dx, dx
		jns	short loc_5FF269
		jmp	short loc_5FF285
; 

loc_5FF27F:				; CODE XREF: CmpLockKcbStackFlusherLocksExclusive(x)+22j
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		dec	edi

loc_5FF285:				; CODE XREF: CmpLockKcbStackFlusherLocksExclusive(x)+2Aj
		mov	ecx, esi
		test	edi, edi
		jz	short loc_5FF29A

loc_5FF28B:				; CODE XREF: CmpLockKcbStackFlusherLocksExclusive(x)+Ej
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_5FF263
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_5FF29A:				; CODE XREF: CmpLockKcbStackFlusherLocksExclusive(x)+36j
		pop	edi
		pop	esi
		pop	ebx
		jmp	_CmpQuitNextActiveHive@4 ; CmpQuitNextActiveHive(x)
_CmpLockKcbStackFlusherLocksExclusive@4	endp


;  S U B	R O U T	I N E 


; __stdcall CmpUnlockKcbStackFlusherLocksExclusive(x)
_CmpUnlockKcbStackFlusherLocksExclusive@4 proc near ; CODE XREF: CmSaveKey(x,x,x,x)+19Ap
					; CmSaveKey(x,x,x,x)+22Ep ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		movzx	esi, word ptr [edi+2]
		jmp	short loc_5FF2C0
; 

loc_5FF2AE:				; CODE XREF: CmpUnlockKcbStackFlusherLocksExclusive(x)+21j
		mov	edx, esi
		mov	ecx, edi
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		mov	ecx, [eax+10h]
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		dec	esi

loc_5FF2C0:				; CODE XREF: CmpUnlockKcbStackFlusherLocksExclusive(x)+Aj
		test	si, si
		jns	short loc_5FF2AE
		pop	edi
		pop	esi
		retn
_CmpUnlockKcbStackFlusherLocksExclusive@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpFreezeThawDpcRoutine(x, x, x, x)
_CmpFreezeThawDpcRoutine@16 proc near	; DATA XREF: CmpCmdInit+77o
		xor	ecx, ecx
		mov	edx, offset _CmpFreezeThawPending
		inc	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short locret_5FF2E6
		push	1
		push	offset _CmpFreezeThawWorkItem
		call	ExQueueWorkItem

locret_5FF2E6:				; CODE XREF: CmpFreezeThawDpcRoutine(x,x,x,x)+10j
		retn	10h
_CmpFreezeThawDpcRoutine@16 endp


;  S U B	R O U T	I N E 


; __stdcall CmpLazyCommitDpcRoutine(x, x, x, x)
_CmpLazyCommitDpcRoutine@16 proc near	; DATA XREF: CmpInitializeTransactions()+60o
		cmp	ds:_CmpLazyCommitWorkItemActive, 0
		jz	short locret_5FF2FE
		push	1
		push	offset _CmpLazyCommitWorkItem
		call	ExQueueWorkItem

locret_5FF2FE:				; CODE XREF: CmpLazyCommitDpcRoutine(x,x,x,x)+7j
		retn	10h
_CmpLazyCommitDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTransIsTransActive(x)
_CmpTransIsTransActive@4 proc near	; CODE XREF: CmpReportNotifyHelper+18133Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	_CmpTransGetTransPtr@4 ; CmpTransGetTransPtr(x)
		test	byte ptr [ebp+arg_0], 1
		jz	short loc_5FF31F
		xor	ecx, ecx
		cmp	[eax], ecx
		setz	cl
		mov	eax, ecx
		jmp	short loc_5FF329
; 

loc_5FF31F:				; CODE XREF: CmpTransIsTransActive(x)+11j
		push	eax
		call	ds:__imp__TmIsTransactionActive@4 ; TmIsTransactionActive(x)
		movzx	eax, al

loc_5FF329:				; CODE XREF: CmpTransIsTransActive(x)+1Cj
		pop	ebp
		retn	4
_CmpTransIsTransActive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAllocatePoolWithQuotaTag(x, x, x)
_CmpAllocatePoolWithQuotaTag@12	proc near
					; CODE XREF: CmUpdateFeatureConfiguration(x,x,x)+9Dp
					; CmUpdateFeatureUsageSubscription(x,x,x)+99p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		or	ecx, 8
		push	edx
		push	ecx
		call	ExAllocatePoolWithQuotaTag
		pop	ebp
		retn	4
_CmpAllocatePoolWithQuotaTag@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCoalescingCallback(x, x,	x)
_CmpCoalescingCallback@12 proc near	; DATA XREF: CmpCmdInit+B6o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	eax, 1
		jz	short loc_5FF385
		sub	eax, 1
		jz	short loc_5FF37B
		sub	eax, 1
		jnz	short loc_5FF390
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		call	_CmpForceFlushForCoalescing@0 ;	CmpForceFlushForCoalescing()
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	short loc_5FF390
; 

loc_5FF37B:				; CODE XREF: CmpCoalescingCallback(x,x,x)+10j
		push	8
		pop	ecx
		call	_CmpEnableLazyFlush@4 ;	CmpEnableLazyFlush(x)
		jmp	short loc_5FF390
; 

loc_5FF385:				; CODE XREF: CmpCoalescingCallback(x,x,x)+Bj
		push	8
		pop	ecx
		mov	eax, offset _CmpHoldLazyFlush
		lock or	[eax], ecx

loc_5FF390:				; CODE XREF: CmpCoalescingCallback(x,x,x)+15j
					; CmpCoalescingCallback(x,x,x)+36j ...
		pop	ebp
		retn	0Ch
_CmpCoalescingCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetValueCountForKeyNodeStack(x, x)
_CmpGetValueCountForKeyNodeStack@8 proc	near
					; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+270p

var_7E		= byte ptr -7Eh
var_7D		= byte ptr -7Dh
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_40		= dword	ptr -40h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+84h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	34h		; size_t
		lea	eax, [esp+94h+var_74]
		mov	ebx, edx
		mov	esi, ecx
		mov	[esp+94h+var_78], ebx
		push	0		; int
		push	eax		; void *
		mov	[esp+9Ch+var_7C], esi
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+90h+var_40]
		push	3Ch		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esp+90h+var_74]
		call	_CmpSortedValueEnumStackInitialize@4 ; CmpSortedValueEnumStackInitialize(x)
		lea	ecx, [esp+90h+var_40] ;	void *
		call	_CmpValueEnumStackInitialize@4 ; CmpValueEnumStackInitialize(x)
		movzx	esi, word ptr [esi]
		xor	al, al
		xor	edi, edi
		mov	[esp+90h+var_7D], al
		test	si, si
		js	loc_5FF507
		mov	ebx, [esp+90h+var_7C]

loc_5FF40B:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+A7j
		mov	edx, esi
		mov	ecx, ebx
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	edx, [eax+8]
		test	edx, edx
		jz	short loc_5FF437
		cmp	dword ptr [edx+24h], 0
		jz	short loc_5FF42C
		test	si, si
		jz	short loc_5FF42B
		mov	[esp+90h+var_7D], 1

loc_5FF42B:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+90j
		inc	edi

loc_5FF42C:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+8Bj
		mov	ecx, [eax]
		call	_CmpGetEffectiveKeyNodeSemantics@8 ; CmpGetEffectiveKeyNodeSemantics(x,x)
		test	eax, eax
		jnz	short loc_5FF43D

loc_5FF437:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+85j
		dec	esi
		test	si, si
		jns	short loc_5FF40B

loc_5FF43D:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+A1j
		mov	ebx, [esp+90h+var_78]
		test	di, di
		jz	loc_5FF507
		cmp	[esp+90h+var_7D], 0
		jnz	short loc_5FF469
		mov	ecx, [esp+90h+var_7C]
		xor	edx, edx
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	eax, [eax+8]
		mov	eax, [eax+24h]
		mov	[ebx], eax
		jmp	loc_5FF50A
; 

loc_5FF469:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+BBj
		xor	eax, eax
		inc	eax
		cmp	di, ax
		jle	short loc_5FF4CC
		mov	edx, [esp+90h+var_7C]
		lea	ecx, [esp+90h+var_74]
		call	_CmpSortedValueEnumStackStartFromKeyNodeStack@8	; CmpSortedValueEnumStackStartFromKeyNodeStack(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_5FF4B2
		lea	ecx, [esp+90h+var_74]
		xor	ebx, ebx
		call	_CmpSortedValueEnumStackAdvance@4 ; CmpSortedValueEnumStackAdvance(x)
		mov	edi, 8000001Ah
		jmp	short loc_5FF4A4
; 

loc_5FF496:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+114j
		test	esi, esi
		js	short loc_5FF50C
		lea	ecx, [esp+90h+var_74]
		inc	ebx
		call	_CmpSortedValueEnumStackAdvance@4 ; CmpSortedValueEnumStackAdvance(x)

loc_5FF4A4:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+100j
		mov	esi, eax
		cmp	esi, edi
		jnz	short loc_5FF496

loc_5FF4AA:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+171j
		mov	eax, [esp+90h+var_78]
		mov	[eax], ebx
		jmp	short loc_5FF50A
; 

loc_5FF4B2:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+EEj
		cmp	esi, 0C000009Ah
		jnz	short loc_5FF50C
		lea	ecx, [esp+90h+var_74]
		call	_CmpSortedValueEnumStackCleanup@4 ; CmpSortedValueEnumStackCleanup(x)
		lea	ecx, [esp+90h+var_74]
		call	_CmpSortedValueEnumStackInitialize@4 ; CmpSortedValueEnumStackInitialize(x)

loc_5FF4CC:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+DBj
		mov	edx, [esp+90h+var_7C]
		lea	ecx, [esp+90h+var_40]
		call	_CmpValueEnumStackStartFromKeyNodeStack@8 ; CmpValueEnumStackStartFromKeyNodeStack(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_5FF50C
		lea	ecx, [esp+90h+var_40]
		xor	ebx, ebx
		call	_CmpValueEnumStackAdvance@4 ; CmpValueEnumStackAdvance(x)
		mov	edi, 8000001Ah
		jmp	short loc_5FF4FF
; 

loc_5FF4F1:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+16Fj
		test	esi, esi
		js	short loc_5FF50C
		lea	ecx, [esp+90h+var_40]
		inc	ebx
		call	_CmpValueEnumStackAdvance@4 ; CmpValueEnumStackAdvance(x)

loc_5FF4FF:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+15Bj
		mov	esi, eax
		cmp	esi, edi
		jnz	short loc_5FF4F1
		jmp	short loc_5FF4AA
; 

loc_5FF507:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+6Dj
					; CmpGetValueCountForKeyNodeStack(x,x)+B0j
		and	dword ptr [ebx], 0

loc_5FF50A:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+D0j
					; CmpGetValueCountForKeyNodeStack(x,x)+11Cj
		xor	esi, esi

loc_5FF50C:				; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+104j
					; CmpGetValueCountForKeyNodeStack(x,x)+124j ...
		lea	ecx, [esp+90h+var_40]
		call	_CmpValueEnumStackCleanup@4 ; CmpValueEnumStackCleanup(x)
		lea	ecx, [esp+90h+var_74]
		call	_CmpSortedValueEnumStackCleanup@4 ; CmpSortedValueEnumStackCleanup(x)
		mov	ecx, [esp+90h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_CmpGetValueCountForKeyNodeStack@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpValueEnumStackEntryCleanup(x)
_CmpValueEnumStackEntryCleanup@4 proc near ; CODE XREF:	CmpValueEnumStackCleanup(x)+1Bp
		cmp	dword ptr [ecx+4], 0
		jz	short locret_5FF545
		mov	edx, [ecx]
		lea	eax, [ecx+8]
		push	eax
		push	edx
		call	dword ptr [edx+8]

locret_5FF545:				; CODE XREF: .text:0042CA20j
					; CmpValueEnumStackEntryCleanup(x)+4j
		retn
_CmpValueEnumStackEntryCleanup@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpValueEnumStackEntryInitialize(x)
_CmpValueEnumStackEntryInitialize@4 proc near
					; CODE XREF: CmpValueEnumStackStartFromKeyNodeStack(x,x)+59p
					; CmpValueEnumStackInitialize(x)+1Ep
		mov	edi, edi
		push	edi
		xor	eax, eax
		mov	edi, ecx
		add	ecx, 8
		stosd
		stosd
		stosd
		stosd
		stosd
		pop	edi
		jmp	_HvpGetCellContextInitialize@4 ; HvpGetCellContextInitialize(x)
_CmpValueEnumStackEntryInitialize@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpValueEnumStackGetCurrentValueHive(x)
_CmpValueEnumStackGetCurrentValueHive@4	proc near
					; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+133p
		mov	dx, [ecx+6]
		call	_CmpValueEnumStackGetEntryAtLayerHeight@8 ; CmpValueEnumStackGetEntryAtLayerHeight(x,x)
		mov	eax, [eax]
		retn
_CmpValueEnumStackGetCurrentValueHive@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpValueEnumStackStartFromKeyNodeStack(x, x)
_CmpValueEnumStackStartFromKeyNodeStack@8 proc near
					; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+140p
					; CmpValueEnumStackStartFromKcbStack(x,x,x)+48p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, edx
		push	ebx
		push	esi
		mov	[ebp+var_C], eax
		mov	esi, ecx
		movzx	eax, word ptr [eax]
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], esi
		cmp	ax, 2
		jl	short loc_5FF5D2
		dec	eax
		movzx	ebx, ax
		movsx	eax, bx
		imul	eax, 14h
		push	30374D43h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+38h], eax
		test	eax, eax
		jnz	short loc_5FF5AF
		mov	edi, 0C000009Ah
		jmp	loc_5FF673
; 

loc_5FF5AF:				; CODE XREF: CmpValueEnumStackStartFromKeyNodeStack(x,x)+3Cj
		xor	eax, eax
		cmp	ax, bx
		jge	short loc_5FF5D2
		mov	esi, edi
		mov	edi, [ebp+var_4]

loc_5FF5BB:				; CODE XREF: CmpValueEnumStackStartFromKeyNodeStack(x,x)+64j
		mov	ecx, [edi+38h]
		add	ecx, esi
		call	_CmpValueEnumStackEntryInitialize@4 ; CmpValueEnumStackEntryInitialize(x)
		add	esi, 14h
		sub	ebx, 1
		jnz	short loc_5FF5BB
		mov	esi, [ebp+var_4]
		xor	edi, edi

loc_5FF5D2:				; CODE XREF: CmpValueEnumStackStartFromKeyNodeStack(x,x)+1Ej
					; CmpValueEnumStackStartFromKeyNodeStack(x,x)+4Dj
		mov	eax, [ebp+var_C]
		movzx	eax, word ptr [eax]
		mov	[esi+0Ch], ax
		mov	esi, eax
		test	si, si
		js	loc_5FF673
		mov	ebx, [ebp+var_4]

loc_5FF5EA:				; CODE XREF: CmpValueEnumStackStartFromKeyNodeStack(x,x)+106j
		mov	edx, esi
		mov	ecx, ebx
		call	_CmpValueEnumStackGetEntryAtLayerHeight@8 ; CmpValueEnumStackGetEntryAtLayerHeight(x,x)
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_4], eax
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	[ebp+var_14], eax
		mov	edx, [eax+8]
		test	edx, edx
		jz	short loc_5FF669
		mov	ecx, [eax]
		mov	[ebp+var_10], ecx
		call	_CmpGetEffectiveKeyNodeSemantics@8 ; CmpGetEffectiveKeyNodeSemantics(x,x)
		cmp	eax, 1
		jz	short loc_5FF673
		test	byte ptr [edx+2], 40h
		mov	eax, edx
		mov	[ebp+var_8], ecx
		jnz	short loc_5FF65B
		mov	[ebp+var_8], ecx
		cmp	[edx+24h], edi
		jz	short loc_5FF65B
		mov	eax, [ebp+var_4]
		mov	[eax], ecx
		mov	ecx, [ebp+var_4]
		mov	eax, [edx+24h]
		mov	[ecx+10h], eax
		mov	eax, [ebp+var_4]
		mov	ecx, [edx+28h]
		add	eax, 8
		push	eax
		mov	eax, [ebp+var_10]
		push	ecx
		push	eax
		call	dword ptr [eax+4]
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_14]
		mov	[ecx+4], eax
		mov	eax, [edx+8]
		mov	edx, [edx]
		mov	[ebp+var_8], edx

loc_5FF65B:				; CODE XREF: CmpValueEnumStackStartFromKeyNodeStack(x,x)+B9j
					; CmpValueEnumStackStartFromKeyNodeStack(x,x)+C1j
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		call	_CmpGetEffectiveKeyNodeSemantics@8 ; CmpGetEffectiveKeyNodeSemantics(x,x)
		test	eax, eax
		jnz	short loc_5FF673

loc_5FF669:				; CODE XREF: CmpValueEnumStackStartFromKeyNodeStack(x,x)+9Fj
		dec	esi
		test	si, si
		jns	loc_5FF5EA

loc_5FF673:				; CODE XREF: CmpValueEnumStackStartFromKeyNodeStack(x,x)+43j
					; CmpValueEnumStackStartFromKeyNodeStack(x,x)+7Aj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpValueEnumStackStartFromKeyNodeStack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmDeleteLayeredKey(x, x, x)
_CmDeleteLayeredKey@12 proc near	; CODE XREF: CmDeleteKey+182299p

var_64		= dword	ptr -64h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		xor	eax, eax
		mov	[ebp+var_1C], edx
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_44]
		xor	ebx, ebx
		stosd
		mov	edx, ecx
		lea	ecx, [ebp+var_44]
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_2C], ebx
		stosd
		mov	[ebp+var_28], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_24], ebx
		stosd
		mov	[ebp+var_20], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_54]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_64]
		stosd
		stosd
		stosd
		stosd
		call	_CmpInitializeKcbStack@4 ; CmpInitializeKcbStack(x)
		lea	ecx, [ebp+var_54]
		call	_CmpInitializeKcbStack@4 ; CmpInitializeKcbStack(x)
		mov	edi, [edx+8]
		lea	ecx, [ebp+var_34]
		mov	eax, [edi+24h]
		mov	[ebp+var_14], eax
		call	_HvpGetCellContextInitialize@4 ; HvpGetCellContextInitialize(x)
		lea	ecx, [ebp+var_2C]
		call	_HvpGetCellContextInitialize@4 ; HvpGetCellContextInitialize(x)
		lea	ecx, [ebp+var_64]
		call	_CmpInitializeDiscardReplaceContext@4 ;	CmpInitializeDiscardReplaceContext(x)
		xor	bh, bh
		test	dword ptr [edi+68h], 80000h
		mov	[ebp+var_5], bh
		jz	short loc_5FF70B
		mov	esi, 0C0000121h
		jmp	loc_5FF84A
; 

loc_5FF70B:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+85j
		mov	edx, edi
		lea	ecx, [ebp+var_44]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_5FF84A
		mov	edx, [ebp+var_14]
		lea	ecx, [ebp+var_54]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_5FF84A
		jmp	loc_5FF895
; 

loc_5FF739:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+23Ej
		lea	eax, [ebp+var_10]
		push	eax
		lea	ecx, [ebp+var_44]
		call	_CmpGetSubKeyCountForKcbStack@12 ; CmpGetSubKeyCountForKcbStack(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_5FF833
		cmp	[ebp+var_10], 0
		jnz	loc_5FFA86
		mov	eax, [edi+6Ch]
		test	eax, eax
		jz	short loc_5FF78E
		add	eax, 10h
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_5FF78E
		test	bl, bl
		jz	loc_5FF872
		cmp	ecx, eax
		jz	short loc_5FF78E
		mov	bh, 1
		lea	edx, [ebp+var_64]
		mov	ecx, edi
		mov	[ebp+var_5], bh
		call	_CmpPrepareDiscardAndReplaceKcbAndUnbackedHigherLayers@8 ; CmpPrepareDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_5FF833

loc_5FF78E:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+E4j
					; CmDeleteLayeredKey(x,x,x)+EDj ...
		mov	ecx, [edi+14h]
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_5FF86E
		mov	eax, [ebp+var_14]
		cmp	[eax+14h], ecx
		jnz	short loc_5FF7E0
		lea	ecx, [ebp+var_44]
		call	CmpUnlockKcbStack
		lea	ecx, [ebp+var_54]
		call	CmpUnlockKcbStack
		push	1
		xor	dl, dl
		lea	ecx, [ebp+var_54]
		call	_CmpPromoteKey@12 ; CmpPromoteKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C000017Ch
		jz	loc_5FF8C3
		test	esi, esi
		js	short loc_5FF843
		lea	ecx, [ebp+var_44]
		call	_CmpLockKcbStackExclusive@4 ; CmpLockKcbStackExclusive(x)
		test	bl, bl
		jz	loc_5FF8AC

loc_5FF7E0:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+126j
		lea	edx, [ebp+var_44]
		call	_CmpCreateTombstone@8 ;	CmpCreateTombstone(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_5FF833
		push	[ebp+var_1C]
		xor	edx, edx
		lea	ecx, [ebp+var_54]
		push	1
		call	_CmpReportNotifyForKcbStack@16 ; CmpReportNotifyForKcbStack(x,x,x,x)
		push	0
		push	[ebp+arg_0]
		mov	ecx, edi
		call	_CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs@16 ; CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs(x,x,x,x)
		push	0
		push	[ebp+arg_0]
		mov	ecx, edi
		push	8
		pop	edx
		call	CmpFlushNotifiesOnKeyBodyList
		mov	ecx, edi
		test	bh, bh
		jnz	loc_5FF8CA
		mov	edx, [ebp+arg_0]
		call	_CmpMarkKeyUnbacked@8 ;	CmpMarkKeyUnbacked(x,x)
		mov	ecx, edi
		call	_CmpDiscardKcb@4 ; CmpDiscardKcb(x)

loc_5FF831:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+244j
					; CmDeleteLayeredKey(x,x,x)+25Bj
		xor	esi, esi

loc_5FF833:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+CFj
					; CmDeleteLayeredKey(x,x,x)+10Ej ...
		lea	ecx, [ebp+var_44]
		call	CmpUnlockKcbStack
		lea	ecx, [ebp+var_54]
		call	CmpUnlockKcbStack

loc_5FF843:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+154j
					; CmDeleteLayeredKey(x,x,x)+24Bj
		mov	ecx, edi
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)

loc_5FF84A:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+8Cj
					; CmDeleteLayeredKey(x,x,x)+9Fj ...
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_64]
		call	CmpCleanupDiscardReplaceContext
		lea	ecx, [ebp+var_44]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		lea	ecx, [ebp+var_54]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_5FF86E:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+11Aj
		test	bl, bl
		jnz	short loc_5FF8DA

loc_5FF872:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+F1j
		lea	ecx, [ebp+var_44]
		call	CmpUnlockKcbStack
		lea	ecx, [ebp+var_54]
		call	CmpUnlockKcbStack
		mov	ecx, edi
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	bl, 1

loc_5FF895:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+BAj
		mov	ecx, edi
		call	CmpLockHashEntryExclusiveByKcb
		lea	ecx, [ebp+var_54]
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		lea	ecx, [ebp+var_44]
		call	_CmpLockKcbStackExclusive@4 ; CmpLockKcbStackExclusive(x)

loc_5FF8AC:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+160j
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jz	loc_5FF739
		jmp	loc_5FF831
; 

loc_5FF8C3:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+14Cj
		xor	esi, esi
		jmp	loc_5FF843
; 

loc_5FF8CA:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+1A2j
		push	[ebp+arg_0]
		lea	edx, [ebp+var_64]
		call	_CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers@12 ; CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x,x)
		jmp	loc_5FF831
; 

loc_5FF8DA:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+1F6j
		mov	eax, [edi+10h]
		lea	edx, [ebp+var_34]
		push	edx
		push	ecx
		push	eax
		call	dword ptr [eax+4]
		mov	ebx, eax
		xor	edx, edx
		mov	[ebp+var_18], edx
		mov	ecx, [ebx+14h]
		add	ecx, [ebx+18h]
		jz	short loc_5FF931

loc_5FF8F5:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+2B5j
		mov	ecx, [edi+10h]
		lea	eax, [ebp+var_C]
		push	eax
		push	edx
		mov	edx, ebx
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_5FFA76
		mov	edx, [ebp+var_C]
		push	ecx
		mov	ecx, [edi+10h]
		push	1
		call	CmpMarkKeyDirty
		test	al, al
		jz	short loc_5FF943
		mov	edx, [ebp+var_18]
		mov	eax, [ebx+14h]
		inc	edx
		add	eax, [ebx+18h]
		mov	[ebp+var_18], edx
		cmp	edx, eax
		jb	short loc_5FF8F5

loc_5FF931:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+279j
		mov	edx, [edi+14h]
		push	ecx
		mov	ecx, [edi+10h]
		push	1
		call	CmpMarkKeyDirty
		test	al, al
		jnz	short loc_5FF9BD

loc_5FF943:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+2A4j
		mov	esi, 0C000009Ah
		jmp	loc_5FFA76
; 

loc_5FF94D:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+359j
		mov	eax, [edi+10h]
		lea	edx, [ebp+var_2C]
		push	edx
		push	ecx
		push	eax
		call	dword ptr [eax+4]
		test	byte ptr [eax+2], 20h
		lea	ecx, [eax+4Ch]
		movzx	edx, word ptr [eax+48h]
		jz	short loc_5FF96D
		call	_CmpHashCompressedComponent@8 ;	CmpHashCompressedComponent(x,x)
		jmp	short loc_5FF980
; 

loc_5FF96D:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+2EAj
		mov	[ebp+var_20], ecx
		lea	ecx, [ebp+var_24]
		mov	word ptr [ebp+var_24], dx
		mov	word ptr [ebp+var_24+2], dx
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)

loc_5FF980:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+2F1j
		mov	esi, eax
		lea	ecx, [ebp+var_2C]
		mov	eax, [edi+10h]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		imul	eax, [edi+8], 25h
		mov	ecx, [edi+10h]
		mov	[ebp+var_18], ecx
		add	eax, esi
		mov	esi, [ebp+var_C]
		push	eax
		mov	edx, esi
		call	_CmpFindKcbInHashEntryByCellIndex@12 ; CmpFindKcbInHashEntryByCellIndex(x,x,x)
		test	eax, eax
		jz	short loc_5FF9B1
		or	dword ptr [eax+14h], 0FFFFFFFFh
		mov	ecx, [edi+10h]
		jmp	short loc_5FF9B4
; 

loc_5FF9B1:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+32Cj
		mov	ecx, [ebp+var_18]

loc_5FF9B4:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+335j
		push	1
		mov	edx, esi
		call	CmpFreeKeyByCell

loc_5FF9BD:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+2C7j
		mov	ecx, [edi+10h]
		lea	eax, [ebp+var_C]
		push	eax
		push	0
		mov	edx, ebx
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		mov	ecx, [ebp+var_C]
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_5FF94D
		mov	edx, [edi+14h]
		mov	ecx, [edi+10h]
		push	ebx
		call	_CmpFreeKeyValues@12 ; CmpFreeKeyValues(x,x,x)
		mov	al, [ebx+0Dh]
		mov	ecx, edi
		and	word ptr [ebx+2], 20h
		and	al, 0FDh
		or	al, 1
		mov	[ebx+0Dh], al
		xor	eax, eax
		mov	[ebx+37h], al
		and	dword ptr [ebx+34h], 0FF00FFFFh
		mov	[ebx+4], eax
		mov	[ebx+8], eax
		mov	[ebx+38h], eax
		mov	[ebx+3Ch], eax
		mov	[ebx+40h], eax
		mov	[ebx+34h], ax
		call	_CmpIncrementKcbSequenceNumber@4 ; CmpIncrementKcbSequenceNumber(x)
		push	1
		push	[ebp+arg_0]
		mov	edx, ebx
		call	_CmpRebuildKcbCacheFromNode@16 ; CmpRebuildKcbCacheFromNode(x,x,x,x)
		push	[ebp+var_1C]
		xor	edx, edx
		lea	ecx, [ebp+var_54]
		push	1
		call	_CmpReportNotifyForKcbStack@16 ; CmpReportNotifyForKcbStack(x,x,x,x)
		push	1
		push	[ebp+arg_0]
		mov	ecx, edi
		call	_CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs@16 ; CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs(x,x,x,x)
		push	1
		push	[ebp+arg_0]
		mov	ecx, edi
		push	8
		pop	edx
		call	CmpFlushNotifiesOnKeyBodyList
		cmp	[ebp+var_5], 0
		mov	ecx, edi
		jnz	short loc_5FFA69
		mov	edx, [ebp+arg_0]
		call	_CmpMarkKeyUnbacked@8 ;	CmpMarkKeyUnbacked(x,x)
		mov	ecx, edi
		call	_CmpDiscardKcb@4 ; CmpDiscardKcb(x)
		jmp	short loc_5FFA74
; 

loc_5FFA69:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+3DCj
		push	[ebp+arg_0]
		lea	edx, [ebp+var_64]
		call	_CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers@12 ; CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x,x)

loc_5FFA74:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+3EDj
		xor	esi, esi

loc_5FFA76:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+28Ej
					; CmDeleteLayeredKey(x,x,x)+2CEj
		mov	eax, [edi+10h]
		lea	ecx, [ebp+var_34]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		jmp	loc_5FF833
; 

loc_5FFA86:				; CODE XREF: CmDeleteLayeredKey(x,x,x)+D9j
		mov	esi, 0C0000121h
		jmp	loc_5FF833
_CmDeleteLayeredKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCreateTombstone(x, x)
_CmpCreateTombstone@8 proc near		; CODE XREF: CmDeleteLayeredKey(x,x,x)+169p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		xor	eax, eax
		lea	ecx, [ebp+var_24]
		push	edi
		mov	edi, edx
		mov	[ebp+var_24], eax
		mov	[ebp+var_10], edi
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_8], eax
		call	_HvpGetCellContextInitialize@4 ; HvpGetCellContextInitialize(x)
		lea	ecx, [ebp+var_1C]
		call	_HvpGetCellContextInitialize@4 ; HvpGetCellContextInitialize(x)
		mov	dx, [edi+2]
		mov	ecx, edi
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		mov	ebx, eax
		xor	eax, eax
		mov	esi, [ebx+24h]
		movzx	edx, word ptr [ebx+22h]
		mov	[ebp+var_14], esi
		jmp	short loc_5FFAEA
; 

loc_5FFADC:				; CODE XREF: CmpCreateTombstone(x,x)+5Dj
		mov	ecx, edi
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		cmp	dword ptr [eax+14h], 0FFFFFFFFh
		jnz	short loc_5FFAEF
		dec	edx

loc_5FFAEA:				; CODE XREF: CmpCreateTombstone(x,x)+4Aj
		test	dx, dx
		jns	short loc_5FFADC

loc_5FFAEF:				; CODE XREF: CmpCreateTombstone(x,x)+57j
		mov	edi, [eax+14h]
		shr	edi, 1Fh
		cmp	dword ptr [esi+14h], 0
		jge	short loc_5FFAFE
		xor	edi, edi
		inc	edi

loc_5FFAFE:				; CODE XREF: CmpCreateTombstone(x,x)+69j
		mov	ecx, [ebx+10h]
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	eax, [ebx+28h]
		lea	ecx, [ebp+var_24]
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		movzx	eax, word ptr [eax+0Ch]
		mov	ecx, [ebx+10h]
		add	eax, 4Ch
		push	edi
		mov	edx, eax
		mov	[ebp+var_C], eax
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	edi, [ebp+var_8]
		mov	[ebp+var_4], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_5FFB3B

loc_5FFB31:				; CODE XREF: CmpCreateTombstone(x,x)+198j
		mov	esi, 0C000009Ah
		jmp	loc_5FFCB7
; 

loc_5FFB3B:				; CODE XREF: CmpCreateTombstone(x,x)+9Fj
		push	[ebp+var_C]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [edi], 6B6Eh
		call	_CmpGetPhaseAccessBit@0	; CmpGetPhaseAccessBit()
		mov	[edi+0Ch], al
		mov	al, [edi+0Dh]
		and	al, 0FDh
		or	al, 1
		mov	[edi+0Dh], al
		mov	eax, [ebx+28h]
		test	byte ptr [eax],	1
		jz	short loc_5FFB70
		push	20h
		pop	eax
		mov	[edi+2], ax

loc_5FFB70:				; CODE XREF: CmpCreateTombstone(x,x)+D7j
		xor	ecx, ecx
		mov	[edi+4], ecx
		mov	[edi+8], ecx
		mov	eax, [esi+14h]
		mov	[edi+10h], eax
		or	eax, 0FFFFFFFFh
		mov	[edi+1Ch], eax
		mov	[edi+20h], eax
		mov	[edi+28h], eax
		mov	[edi+2Ch], eax
		mov	[edi+30h], eax
		xor	eax, eax
		mov	[edi+4Ah], ax
		and	dword ptr [edi+34h], 0FFF0FFFFh
		mov	[edi+37h], cl
		and	dword ptr [edi+34h], 0FF0FFFFFh
		mov	eax, [ebx+28h]
		movzx	eax, word ptr [eax+0Ch]
		push	eax		; size_t
		mov	[edi+48h], ax
		mov	eax, [ebx+28h]
		add	eax, 0Eh
		push	eax		; void *
		lea	eax, [edi+4Ch]
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_10]
		add	esp, 0Ch
		xor	edx, edx
		call	_CmpGetSecurityDescriptorForKcbStack@8 ; CmpGetSecurityDescriptorForKcbStack(x,x)
		mov	ecx, [ebx+10h]
		mov	esi, eax
		call	_CmLockHiveSecurityExclusive@4 ; CmLockHiveSecurityExclusive(x)
		mov	edx, [ebp+var_4]
		push	ecx		; int
		mov	ecx, [ebx+10h]
		push	esi		; void *
		push	edi		; int
		call	_CmpAssignSecurityDescriptor@20	; CmpAssignSecurityDescriptor(x,x,x,x,x)
		mov	ecx, [ebx+10h]
		mov	esi, eax
		call	_CmUnlockHiveSecurity@4	; CmUnlockHiveSecurity(x)
		test	esi, esi
		js	loc_5FFCB7
		mov	esi, [ebp+var_14]
		push	0
		mov	edx, [esi+14h]
		mov	ecx, [esi+10h]
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_5FFC18
		mov	esi, 0C000017Dh
		jmp	loc_5FFCB7
; 

loc_5FFC18:				; CODE XREF: CmpCreateTombstone(x,x)+17Cj
		push	[ebp+var_4]
		mov	edx, [esi+14h]
		mov	ecx, [esi+10h]
		call	_CmpAddSubKey@12 ; CmpAddSubKey(x,x,x)
		test	al, al
		jz	loc_5FFB31
		mov	ecx, ebx
		call	_CmpIncrementKcbSequenceNumber@4 ; CmpIncrementKcbSequenceNumber(x)
		mov	eax, [ebp+var_4]
		mov	edx, edi
		or	[ebp+var_4], 0FFFFFFFFh
		push	0
		push	0
		mov	[ebx+14h], eax
		call	_CmpRebuildKcbCacheFromNode@16 ; CmpRebuildKcbCacheFromNode(x,x,x,x)
		mov	eax, [esi+14h]
		lea	edx, [ebp+var_1C]
		mov	ecx, [esi+10h]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		push	dword ptr [esi+14h]
		mov	ecx, [esi+10h]
		mov	edx, eax
		mov	[ebp+var_8], eax
		call	_CmpUpdateKeyNodeAccessBits@12 ; CmpUpdateKeyNodeAccessBits(x,x,x)
		test	byte ptr [edi+2], 20h
		movzx	eax, word ptr [edi+48h]
		jz	short loc_5FFC7B
		lea	ecx, [eax+eax]
		movzx	edx, cx
		jmp	short loc_5FFC7D
; 

loc_5FFC7B:				; CODE XREF: CmpCreateTombstone(x,x)+1E1j
		mov	edx, eax

loc_5FFC7D:				; CODE XREF: CmpCreateTombstone(x,x)+1E9j
		mov	eax, [ebp+var_8]
		movzx	ecx, word ptr [eax+34h]
		movzx	eax, dx
		cmp	ecx, eax
		mov	eax, [ebp+var_8]
		jnb	short loc_5FFC92
		mov	[eax+34h], dx

loc_5FFC92:				; CODE XREF: CmpCreateTombstone(x,x)+1FCj
		mov	ecx, esi
		call	_CmpIncrementKcbSequenceNumber@4 ; CmpIncrementKcbSequenceNumber(x)
		mov	ax, [eax+34h]
		lea	ecx, [ebp+var_1C]
		mov	[esi+60h], ax
		mov	eax, [esi+10h]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		mov	dl, 1
		mov	ecx, esi
		call	CmpCleanUpSubKeyInfo
		xor	esi, esi

loc_5FFCB7:				; CODE XREF: CmpCreateTombstone(x,x)+A6j
					; CmpCreateTombstone(x,x)+164j	...
		test	edi, edi
		jz	short loc_5FFCC6
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_24]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_5FFCC6:				; CODE XREF: CmpCreateTombstone(x,x)+229j
		mov	eax, [ebp+var_4]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_5FFCDA
		mov	ecx, [ebx+10h]
		mov	edx, eax
		push	0
		call	CmpFreeKeyByCell

loc_5FFCDA:				; CODE XREF: CmpCreateTombstone(x,x)+23Cj
		mov	ecx, [ebx+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmpCreateTombstone@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmFcManagerNotifyFeatureUsage(x, x)
_CmFcManagerNotifyFeatureUsage@8 proc near ; CODE XREF:	RtlNotifyFeatureUsage(x)+8p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		xor	bh, bh
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jnz	short loc_5FFCFF
		mov	bl, 1Fh
		jmp	short loc_5FFD1D
; 

loc_5FFCFF:				; CODE XREF: CmFcManagerNotifyFeatureUsage(x,x)+10j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 2
		jnb	short loc_5FFD1D
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		mov	bh, 1

loc_5FFD1D:				; CODE XREF: CmFcManagerNotifyFeatureUsage(x,x)+14j
					; CmFcManagerNotifyFeatureUsage(x,x)+21j
		mov	ecx, offset unk_6CE1EC
		call	RtlAcquireSwapReference
		mov	edi, eax
		mov	ecx, ds:dword_6CE204[edi*4]
		test	ecx, ecx
		jnz	short loc_5FFD3B
		mov	esi, 0C000009Ah
		jmp	short loc_5FFD81
; 

loc_5FFD3B:				; CODE XREF: CmFcManagerNotifyFeatureUsage(x,x)+49j
		mov	edx, esi
		call	_RtlpFcAddDelayedUsageReportToBuffer@8 ; RtlpFcAddDelayedUsageReportToBuffer(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_5FFD81
		mov	edx, edi
		mov	ecx, offset unk_6CE1EC
		call	RtlReleaseSwapReference
		mov	al, ds:byte_6CE1FC
		or	edi, 0FFFFFFFFh
		test	al, al
		jz	short loc_5FFD7F
		cmp	bl, 2
		jnb	short loc_5FFD71
		mov	ecx, offset unk_6CE22C
		call	_CmFcpWorkItemQueueWork@4 ; CmFcpWorkItemQueueWork(x)
		jmp	short loc_5FFD7F
; 

loc_5FFD71:				; CODE XREF: CmFcManagerNotifyFeatureUsage(x,x)+7Aj
		push	0
		push	0
		push	offset unk_6CE20C
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)

loc_5FFD7F:				; CODE XREF: CmFcManagerNotifyFeatureUsage(x,x)+75j
					; CmFcManagerNotifyFeatureUsage(x,x)+86j
		xor	esi, esi

loc_5FFD81:				; CODE XREF: CmFcManagerNotifyFeatureUsage(x,x)+50j
					; CmFcManagerNotifyFeatureUsage(x,x)+5Dj
		cmp	edi, 0FFFFFFFFh
		jz	short loc_5FFD92
		mov	edx, edi
		mov	ecx, offset unk_6CE1EC
		call	RtlReleaseSwapReference

loc_5FFD92:				; CODE XREF: CmFcManagerNotifyFeatureUsage(x,x)+9Bj
		test	bh, bh
		jz	short loc_5FFD9B
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_5FFD9B:				; CODE XREF: CmFcManagerNotifyFeatureUsage(x,x)+ABj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_CmFcManagerNotifyFeatureUsage@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcpManagerArmFeatureUsageRetryTimer(x)
_CmFcpManagerArmFeatureUsageRetryTimer@4 proc near
					; CODE XREF: CmFcpManagerDrainUsageNotifications+ACp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+0DDh], 0
		jnz	short loc_5FFDEE
		or	[ebp+var_10], 0FFFFFFFFh
		lea	eax, [ebp+var_18]
		or	[ebp+var_C], 0FFFFFFFFh
		xor	ecx, ecx
		push	eax
		push	ecx
		push	ecx
		push	0FFFFFFFFh
		push	0DC3CBA00h
		push	dword ptr [esi+130h]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		call	ExSetTimer
		mov	byte ptr [esi+0DDh], 1

loc_5FFDEE:				; CODE XREF: CmFcpManagerArmFeatureUsageRetryTimer(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmFcpManagerArmFeatureUsageRetryTimer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcpManagerDrainUsageNotificationsDpc(x, x, x, x)
_CmFcpManagerDrainUsageNotificationsDpc@16 proc	near
					; DATA XREF: CmFcManagerInitialize(x)+83o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		lea	ecx, [ecx+10Ch]
		call	_CmFcpWorkItemQueueWork@4 ; CmFcpWorkItemQueueWork(x)
		pop	ebp
		retn	10h
_CmFcpManagerDrainUsageNotificationsDpc@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcpManagerRetryUsageNotificationsTimerRoutine(x, x)
_CmFcpManagerRetryUsageNotificationsTimerRoutine@8 proc	near
					; DATA XREF: CmFcManagerStartRuntimePhase(x)+277o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		lea	ecx, [ecx+134h]
		call	_CmFcpWorkItemQueueWork@4 ; CmFcpWorkItemQueueWork(x)
		pop	ebp
		retn	8
_CmFcpManagerRetryUsageNotificationsTimerRoutine@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmFcpWorkItemQueueWork(x)
_CmFcpWorkItemQueueWork@4 proc near	; CODE XREF: CmFcManagerNotifyFeatureUsage(x,x)+81p
					; CmFcpManagerDrainUsageNotificationsDpc(x,x,x,x)+Ep ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	3
		pop	eax
		lea	edx, [esi+14h]
		xchg	eax, [edx]
		test	al, 1
		jnz	short loc_5FFE4B
		lea	ecx, [esi+10h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		push	dword ptr [esi+18h]
		push	esi
		call	ExQueueWorkItem

loc_5FFE4B:				; CODE XREF: CmFcpWorkItemQueueWork(x)+Fj
		pop	esi
		retn
_CmFcpWorkItemQueueWork@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcpWorkItemWrapper(x)
_CmFcpWorkItemWrapper@4	proc near	; DATA XREF: CmFcpWorkItemInitialize(x,x,x,x)+1Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [esi+14h]

loc_5FFE5A:				; CODE XREF: CmFcpWorkItemWrapper(x)+20j
					; CmFcpWorkItemWrapper(x)+2Fj
		mov	edx, [edi]
		test	dl, 2
		jz	short loc_5FFE6F
		lock btr dword ptr [edi], 1
		push	dword ptr [esi+20h]
		push	esi
		call	dword ptr [esi+1Ch]
		jmp	short loc_5FFE5A
; 

loc_5FFE6F:				; CODE XREF: CmFcpWorkItemWrapper(x)+12j
		mov	ecx, edx
		mov	eax, edx
		and	ecx, 0FFFFFFFEh
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_5FFE5A
		lea	ecx, [esi+10h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_CmFcpWorkItemWrapper@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpQueryKeyDataFromKeyNodeStack(x, x, x, x,	x)
_CmpQueryKeyDataFromKeyNodeStack@20 proc near ;	CODE XREF: CmQueryLayeredKey+177D1Cp
					; CmpEnumerateLayeredKey+18CDBEp

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	94h
		push	offset dword_6A7A18
		call	__SEH_prolog4
		mov	[ebp+var_5C], edx
		mov	[ebp+var_2C], ecx
		xor	ebx, ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_58], ebx
		push	30h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_94]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_1D], bl
		mov	[ebp+var_48], ebx
		or	[ebp+var_4C], 0FFFFFFFFh
		lea	ecx, [ebp+var_64]
		call	_HvpGetCellContextInitialize@4 ; HvpGetCellContextInitialize(x)
		xor	esi, esi
		xor	edi, edi
		mov	[ebp+var_50], edi
		mov	ecx, [ebp+var_2C]
		movzx	edx, word ptr [ecx]
		jmp	short loc_5FFEF2
; 

loc_5FFEE2:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+69j
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	ecx, [eax+8]
		test	ecx, ecx
		jnz	short loc_5FFEF9
		dec	edx
		mov	ecx, [ebp+var_2C]

loc_5FFEF2:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+54j
		test	dx, dx
		jns	short loc_5FFEE2
		jmp	short loc_5FFF03
; 

loc_5FFEF9:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+60j
		mov	esi, [eax]
		mov	edi, ecx
		mov	[ebp+var_50], ecx
		mov	ecx, [ebp+var_2C]

loc_5FFF03:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+6Bj
		mov	eax, [edi+4]
		mov	[ebp+var_24], eax
		mov	eax, [edi+8]
		mov	[ebp+var_34], eax
		movzx	eax, word ptr [edi+34h]
		mov	[ebp+var_40], eax
		mov	eax, [edi+38h]
		mov	[ebp+var_44], eax
		mov	eax, [edi+3Ch]
		mov	[ebp+var_38], eax
		mov	eax, [edi+40h]
		mov	[ebp+var_3C], eax
		cmp	[edi+0Dh], bl
		jl	short loc_5FFF3E
		mov	[ebp+var_1D], 1
		mov	[ebp+var_48], esi
		mov	eax, [edi+30h]
		mov	[ebp+var_4C], eax
		movzx	ebx, word ptr [edi+4Ah]

loc_5FFF3E:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+9Fj
		dec	edx
		test	dx, dx
		js	loc_600005
		mov	edi, [ebp+var_24]
		mov	esi, [ebp+var_40]

loc_5FFF4E:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+16Dj
		movzx	eax, dx
		mov	[ebp+var_24], eax
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	edx, [eax+8]
		test	edx, edx
		jz	loc_5FFFED
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		mov	ecx, eax
		call	_CmpGetEffectiveKeyNodeSemantics@8 ; CmpGetEffectiveKeyNodeSemantics(x,x)
		cmp	eax, 1
		jz	loc_5FFFFF
		mov	eax, [edx+4]
		mov	ecx, [edx+8]
		cmp	[ebp+var_34], ecx
		jg	short loc_5FFF8F
		jl	short loc_5FFF8A
		cmp	edi, eax
		jnb	short loc_5FFF8F

loc_5FFF8A:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+F8j
		mov	edi, eax
		mov	[ebp+var_34], ecx

loc_5FFF8F:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+F6j
					; CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+FCj
		mov	eax, [edx+34h]
		and	eax, 0FFFFh
		cmp	esi, eax
		jnb	short loc_5FFFA0
		mov	[ebp+var_40], eax
		mov	esi, eax

loc_5FFFA0:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+10Dj
		mov	eax, [edx+38h]
		cmp	[ebp+var_44], eax
		jnb	short loc_5FFFAB
		mov	[ebp+var_44], eax

loc_5FFFAB:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+11Aj
		mov	eax, [edx+3Ch]
		cmp	[ebp+var_38], eax
		jnb	short loc_5FFFB6
		mov	[ebp+var_38], eax

loc_5FFFB6:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+125j
		mov	eax, [edx+40h]
		cmp	[ebp+var_3C], eax
		jnb	short loc_5FFFC1
		mov	[ebp+var_3C], eax

loc_5FFFC1:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+130j
		mov	ecx, [ebp+var_28]
		cmp	[ebp+var_1D], 0
		jnz	short loc_5FFFE1
		cmp	byte ptr [edx+0Dh], 0
		jl	short loc_5FFFE1
		mov	[ebp+var_1D], 1
		mov	[ebp+var_48], ecx
		mov	eax, [edx+30h]
		mov	[ebp+var_4C], eax
		movzx	ebx, word ptr [edx+4Ah]

loc_5FFFE1:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+13Cj
					; CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+142j
		call	_CmpGetEffectiveKeyNodeSemantics@8 ; CmpGetEffectiveKeyNodeSemantics(x,x)
		test	eax, eax
		jnz	short loc_5FFFFF
		mov	ecx, [ebp+var_2C]

loc_5FFFED:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+D2j
		mov	eax, [ebp+var_24]
		dec	eax
		movzx	eax, ax
		mov	edx, eax
		test	ax, ax
		jns	loc_5FFF4E

loc_5FFFFF:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+E7j
					; CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+15Cj
					; DATA XREF: ...
		mov	[ebp+var_24], edi
		mov	edi, [ebp+var_50]

loc_600005:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+B6j
		cmp	[ebp+var_1D], 0
		jz	short loc_600022
		test	ebx, ebx
		jz	short loc_600022
		lea	eax, [ebp+var_64]
		push	eax
		push	[ebp+var_4C]
		mov	eax, [ebp+var_48]
		push	eax
		call	dword ptr [eax+4]
		mov	[ebp+var_28], eax
		jmp	short loc_600028
; 

loc_600022:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+17Dj
					; CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+181j
		and	[ebp+var_28], 0
		xor	ebx, ebx

loc_600028:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+194j
		mov	eax, [ebp+var_5C]
		test	eax, eax
		jnz	short loc_600088
		mov	edx, [ebp+var_24]
		mov	[ebp+var_94], edx
		mov	eax, [ebp+var_34]
		mov	[ebp+var_90], eax
		and	[ebp+ms_exc.disabled], 0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		mov	edx, edi
		lea	ecx, [ebp+var_94]
		call	_CmpPopulateKeyBasicInformation@20 ; CmpPopulateKeyBasicInformation(x,x,x,x,x)

loc_60005B:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+234j
					; CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+306j ...
		mov	esi, eax

loc_60005D:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+1FAj
					; CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+250j ...
		mov	[ebp+var_30], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_600230
; 

loc_60006C:				; DATA XREF: .text:006A7A2Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_98], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_60007D:				; DATA XREF: .text:006A7A30o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_98]
		jmp	short loc_60005D
; 

loc_600088:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+1A1j
		cmp	eax, 1
		jnz	short loc_6000E1
		mov	edx, [ebp+var_24]
		mov	[ebp+var_94], edx
		mov	eax, [ebp+var_34]
		mov	[ebp+var_90], eax
		mov	[ebp+ms_exc.disabled], 1
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		push	ebx		; size_t
		push	[ebp+var_28]	; void *
		mov	edx, edi
		lea	ecx, [ebp+var_94]
		call	CmpPopulateKeyNodeInformation
		jmp	short loc_60005B
; 

loc_6000C2:				; DATA XREF: .text:006A7A38o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_9C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_6000D3:				; DATA XREF: .text:006A7A3Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_9C]
		jmp	loc_60005D
; 

loc_6000E1:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+1FFj
		lea	edx, [ebp+var_54]
		mov	ecx, [ebp+var_2C]
		call	_CmpGetSubKeyCountForKeyNodeStack@8 ; CmpGetSubKeyCountForKeyNodeStack(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_600230
		lea	edx, [ebp+var_58]
		mov	ecx, [ebp+var_2C]
		call	_CmpGetValueCountForKeyNodeStack@8 ; CmpGetValueCountForKeyNodeStack(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_600230
		mov	ecx, [ebp+var_54]
		test	ecx, ecx
		jnz	short loc_600119
		xor	esi, esi
		and	[ebp+var_44], esi
		jmp	short loc_60011C
; 

loc_600119:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+284j
		mov	esi, [ebp+var_40]

loc_60011C:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+28Bj
		mov	eax, [ebp+var_58]
		test	eax, eax
		jnz	short loc_600129
		and	[ebp+var_38], eax
		and	[ebp+var_3C], eax

loc_600129:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+295j
		mov	edx, [ebp+var_5C]
		cmp	edx, 4
		jnz	loc_6001B6
		mov	edx, [ebp+var_24]
		mov	[ebp+var_94], edx
		mov	edx, [ebp+var_34]
		mov	[ebp+var_90], edx
		mov	[ebp+var_88], ecx
		mov	[ebp+var_84], esi
		mov	[ebp+var_80], eax
		mov	eax, [ebp+var_38]
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_78], eax
		movzx	eax, word ptr [edi+48h]
		test	byte ptr [edi+2], 20h
		jz	short loc_600171
		add	eax, eax
		movzx	eax, ax

loc_600171:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+2DEj
		movzx	eax, ax
		mov	[ebp+var_74], eax
		mov	[ebp+ms_exc.disabled], 2
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_94]
		call	_CmpPopulateKeyCachedInformation@16 ; CmpPopulateKeyCachedInformation(x,x,x,x)
		jmp	loc_60005B
; 

loc_600197:				; DATA XREF: .text:006A7A44o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_A0], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_6001A8:				; DATA XREF: .text:006A7A48o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_A0]
		jmp	loc_60005D
; 

loc_6001B6:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+2A3j
		cmp	edx, 2
		jnz	short loc_60022B
		mov	edx, [ebp+var_24]
		mov	[ebp+var_94], edx
		mov	edx, [ebp+var_34]
		mov	[ebp+var_90], edx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], esi
		mov	ecx, [ebp+var_44]
		mov	[ebp+var_78], ecx
		mov	[ebp+var_74], eax
		mov	eax, [ebp+var_38]
		mov	[ebp+var_70], eax
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_6C], eax
		mov	[ebp+ms_exc.disabled], 3
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ebx
		mov	edx, [ebp+var_28]
		lea	ecx, [ebp+var_94]
		call	_CmpPopulateKeyFullInformation@24 ; CmpPopulateKeyFullInformation(x,x,x,x,x,x)
		jmp	loc_60005B
; 

loc_60020C:				; DATA XREF: .text:006A7A50o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_A4], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_60021D:				; DATA XREF: .text:006A7A54o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_A4]
		jmp	loc_60005D
; 

loc_60022B:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+32Dj
		mov	esi, 0C000000Dh

loc_600230:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+1DBj
					; CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+264j ...
		cmp	[ebp+var_28], 0
		jz	short loc_600241
		lea	eax, [ebp+var_64]
		push	eax
		mov	eax, [ebp+var_48]
		push	eax
		call	dword ptr [eax+8]

loc_600241:				; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+3A8j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_CmpQueryKeyDataFromKeyNodeStack@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSiBugCheck(x, x, x, x)
_CmSiBugCheck@16 proc near		; CODE XREF: CmpInitializeValueNameString(x,x,x)+60p
					; HvpAllExceptionsFatalFilter(x)+Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	ecx
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_CmSiBugCheck@16 endp


;  S U B	R O U T	I N E 


; __stdcall CmpFreeBootRegistry()
_CmpFreeBootRegistry@0 proc near	; CODE XREF: HvHiveCleanup:loc_8CD490p
		mov	edi, edi
		push	ecx
		call	_MmFreeBootRegistry@0 ;	MmFreeBootRegistry()
		pop	ecx
		retn
_CmpFreeBootRegistry@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkPostModuleMessage(x, x,	x, x, x, x)
_DbgkPostModuleMessage@24 proc near	; CODE XREF: DbgkpPostModuleMessages(x,x,x)+A3p

var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0E4h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+0E4h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_C]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	6
		mov	[esp+0F4h+var_E0], ecx
		lea	edi, [esp+0F4h+var_C8]
		pop	ecx
		mov	[esp+0F0h+var_D4], edx
		xor	edx, edx
		push	0A8h		; size_t
		rep stosd
		push	edx		; int
		lea	eax, [esp+0F8h+var_B0]
		mov	[esp+0F8h+var_D0], edx
		push	eax		; void *
		mov	[esp+0FCh+var_CC], edx
		mov	[esp+0FCh+var_DC], edx
		mov	[esp+0FCh+var_D8], edx
		call	_memset
		mov	eax, [ebp+arg_4]
		lea	edx, [esp+0FCh+var_DC]
		add	esp, 0Ch
		mov	[esp+0F0h+var_88], eax
		mov	eax, [ebp+arg_8]
		mov	ecx, esi
		mov	[esp+0F0h+var_98], 5
		mov	[esp+0F0h+var_8C], esi
		mov	[esp+0F0h+var_84], eax
		call	_MmGetFileNameForAddress@8 ; MmGetFileNameForAddress(x,x)
		xor	esi, esi
		test	eax, eax
		js	short loc_60034F
		push	20h
		lea	eax, [esp+0F4h+var_DC]
		mov	[esp+0F4h+var_C8], 18h
		mov	[esp+0F4h+var_C0], eax
		lea	eax, [esp+0F4h+var_D0]
		push	7
		push	eax
		lea	eax, [esp+0FCh+var_C8]
		mov	[esp+0FCh+var_C4], esi
		push	eax
		push	80100000h
		lea	eax, [esp+104h+var_90]
		mov	[esp+104h+var_BC], 640h
		push	eax
		mov	[esp+108h+var_B8], esi
		mov	[esp+108h+var_B4], esi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_600345
		mov	[esp+0F0h+var_90], esi

loc_600345:				; CODE XREF: DbgkPostModuleMessage(x,x,x,x,x,x)+CBj
		push	esi
		push	[esp+0F4h+var_D8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_60034F:				; CODE XREF: DbgkPostModuleMessage(x,x,x,x,x,x)+86j
		mov	ecx, [esp+0F0h+var_E0]
		lea	eax, [esp+0F0h+var_B0]
		test	ebx, ebx
		jz	short loc_60036A
		mov	edx, [esp+0F0h+var_D4]
		push	ebx
		push	2
		push	eax
		call	_DbgkpQueueMessage@20 ;	DbgkpQueueMessage(x,x,x,x,x)
		jmp	short loc_600378
; 

loc_60036A:				; CODE XREF: DbgkPostModuleMessage(x,x,x,x,x,x)+E5j
		push	eax
		push	3
		pop	edx
		call	_DbgkpSendApiMessage@12	; DbgkpSendApiMessage(x,x,x)
		mov	eax, 0C0000001h

loc_600378:				; CODE XREF: DbgkPostModuleMessage(x,x,x,x,x,x)+F4j
		test	eax, eax
		jns	short loc_60038D
		cmp	[esp+0F0h+var_90], 0
		jz	short loc_60038D
		push	esi
		push	[esp+0F4h+var_90]
		call	ObCloseHandle

loc_60038D:				; CODE XREF: DbgkPostModuleMessage(x,x,x,x,x,x)+106j
					; DbgkPostModuleMessage(x,x,x,x,x,x)+10Dj
		mov	ecx, [esp+0F0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_DbgkPostModuleMessage@24 endp


;  S U B	R O U T	I N E 


; __stdcall DbgkpDereferenceErrorPort(x)
_DbgkpDereferenceErrorPort@4 proc near	; CODE XREF: DbgkFlushErrorPort+16BA70p
					; DbgkpRemoveErrorPort(x,x,x)+83p
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		jz	@DbgkpDeleteErrorPort@4	; DbgkpDeleteErrorPort(x)
		retn
_DbgkpDereferenceErrorPort@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdSnapData(x, x, x)
_DbgkpLkmdSnapData@12 proc near		; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+333p
					; DbgkCaptureLiveDump(x,x,x,x)+346p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_8]
		lea	eax, [ecx+80h]
		push	[ebp+arg_4]
		push	eax
		call	dword ptr [ecx+0A8h]
		pop	ebp
		retn	0Ch
_DbgkpLkmdSnapData@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdSnapDataEx(x, x, x, x, x, x)
_DbgkpLkmdSnapDataEx@24	proc near	; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+26Ap
					; DbgkCaptureLiveDump(x,x,x,x)+35Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		lea	eax, [ecx+80h]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	eax
		call	dword ptr [ecx+0A8h]
		pop	ebp
		retn	10h
_DbgkpLkmdSnapDataEx@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdSnapGlobals(x)
_DbgkpLkmdSnapGlobals@4	proc near	; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+131p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, ecx
		push	0FFFFh
		mov	[ebp+var_4], esi
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		push	esi
		mov	ebx, eax
		lea	eax, [edi+80h]
		push	esi
		push	esi
		mov	ecx, ebx
		shl	ecx, 2
		push	ecx
		push	offset _KiProcessorBlock
		push	eax
		call	dword ptr [edi+0A8h]
		test	ebx, ebx
		jz	short loc_600475

loc_600434:				; CODE XREF: DbgkpLkmdSnapGlobals(x)+7Aj
		mov	ecx, esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		lea	ecx, [ebp+var_4]
		push	ecx
		push	0
		push	2
		push	5F00h
		push	eax
		lea	eax, [edi+80h]
		push	eax
		call	dword ptr [edi+0A8h]
		test	eax, eax
		js	short loc_600467
		mov	eax, [ebp+var_4]
		and	dword ptr [eax+4], 0
		mov	eax, [ebp+var_4]
		mov	[edi+esi*4], eax

loc_600467:				; CODE XREF: DbgkpLkmdSnapGlobals(x)+5Fj
		push	ecx
		push	edi
		mov	ecx, esi
		call	_KeEnumerateProcessorDpcs@16 ; KeEnumerateProcessorDpcs(x,x,x,x)
		inc	esi
		cmp	esi, ebx
		jb	short loc_600434

loc_600475:				; CODE XREF: DbgkpLkmdSnapGlobals(x)+39j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_DbgkpLkmdSnapGlobals@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdSnapKernelStack(x,	x, x, x, x, x)
_DbgkpLkmdSnapKernelStack@24 proc near	; CODE XREF: DbgkpLkmdSnapThreadInContext(x,x,x)+B5p

var_314		= dword	ptr -314h
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= byte ptr -2F0h
var_2EC		= dword	ptr -2ECh
var_2E8		= dword	ptr -2E8h
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_224		= dword	ptr -224h
var_214		= dword	ptr -214h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 30Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+30Ch+var_4], eax
		mov	eax, [ebp+arg_C]
		and	[esp+30Ch+var_2E4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	[esp+318h+var_304], eax
		lea	edi, [esp+318h+var_2F8]
		xor	eax, eax
		mov	[esp+318h+var_308], ecx
		mov	ecx, [ebp+arg_0]
		stosd
		mov	[esp+318h+var_300], edx
		mov	[esp+318h+var_2FC], ecx
		stosd
		stosd
		stosd
		test	esi, esi
		jz	short loc_6004CD
		mov	edi, [esi+0C4h]
		jmp	short loc_6004D0
; 

loc_6004CD:				; CODE XREF: DbgkpLkmdSnapKernelStack(x,x,x,x,x,x)+49j
		mov	edi, [ecx+48h]

loc_6004D0:				; CODE XREF: DbgkpLkmdSnapKernelStack(x,x,x,x,x,x)+51j
		mov	bl, [ebp+arg_4]
		test	esi, esi
		jnz	short loc_6004FD
		test	bl, bl
		jz	short loc_6004FD
		push	2CCh		; size_t
		lea	eax, [esp+31Ch+var_2D8]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+318h+var_214], edi
		mov	[esp+318h+var_224], edi

loc_6004FD:				; CODE XREF: DbgkpLkmdSnapKernelStack(x,x,x,x,x,x)+5Bj
					; DbgkpLkmdSnapKernelStack(x,x,x,x,x,x)+5Fj
		mov	eax, [esp+318h+var_308]
		mov	edx, offset _DbgkpLkmdSnapKernelStackSegmentCallback@12	; DbgkpLkmdSnapKernelStackSegmentCallback(x,x,x)
		mov	ecx, [esp+318h+var_300]
		mov	[esp+318h+var_2F8], eax
		mov	eax, [esp+318h+var_304]
		mov	[esp+318h+var_2EC], eax
		lea	eax, [esp+318h+var_2F8]
		push	eax
		mov	[esp+31Ch+var_2F4], edi
		mov	[esp+31Ch+var_2F0], bl
		call	_KeEnumerateKernelStackSegments@12 ; KeEnumerateKernelStackSegments(x,x,x)
		test	bl, bl
		jz	short loc_60057B
		test	esi, esi
		jnz	short loc_600534
		lea	esi, [esp+318h+var_2D8]

loc_600534:				; CODE XREF: DbgkpLkmdSnapKernelStack(x,x,x,x,x,x)+B4j
		mov	eax, [esi+0B8h]
		mov	ecx, [esp+318h+var_308]
		and	[esp+318h+var_2E8], 0
		mov	[esp+318h+var_2E0], eax
		mov	eax, [esi+0B4h]
		lea	esi, [edi-10h]
		push	0
		push	esi
		push	5
		mov	[esp+324h+var_2DC], eax
		lea	eax, [esp+324h+var_2E8]
		push	10h
		push	eax
		lea	eax, [ecx+80h]
		push	eax
		call	dword ptr [ecx+0A8h]
		mov	eax, [esp+330h+var_314]
		mov	[eax+48h], esi
		mov	byte ptr [eax+90h], 0FFh

loc_60057B:				; CODE XREF: DbgkpLkmdSnapKernelStack(x,x,x,x,x,x)+B0j
		mov	ecx, [esp+330h+var_1C]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_DbgkpLkmdSnapKernelStack@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdSnapKernelStackSegmentCallback(x, x, x)
_DbgkpLkmdSnapKernelStackSegmentCallback@12 proc near
					; DATA XREF: DbgkpLkmdSnapKernelStack(x,x,x,x,x,x)+87o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edx, [eax+4]
		xor	edi, edi
		mov	ecx, [esi+4]
		cmp	ecx, edx
		jb	short loc_6005BA
		cmp	ecx, [eax]
		jnb	short loc_6005BA
		cmp	byte ptr [esi+8], 0
		jnz	short loc_6005BA
		push	5
		pop	edi

loc_6005BA:				; CODE XREF: DbgkpLkmdSnapKernelStackSegmentCallback(x,x,x)+17j
					; DbgkpLkmdSnapKernelStackSegmentCallback(x,x,x)+1Bj ...
		mov	eax, [eax]
		mov	ecx, [esi]
		sub	eax, edx
		push	0
		push	0
		push	edi
		push	eax
		push	edx
		lea	eax, [ecx+80h]
		push	eax
		call	dword ptr [ecx+0A8h]
		test	eax, eax
		js	short loc_6005DF
		mov	eax, [esi+0Ch]
		or	dword ptr [eax+4], 2

loc_6005DF:				; CODE XREF: DbgkpLkmdSnapKernelStackSegmentCallback(x,x,x)+42j
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_DbgkpLkmdSnapKernelStackSegmentCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdSnapObject(x, x, x)
_DbgkpLkmdSnapObject@12	proc near	; CODE XREF: DbgkpLkmdSnapPendingIrps(x,x,x)+A4p
					; DbgkpLkmdSnapPendingIrps(x,x,x)+B7p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		mov	[ebp+var_4], eax
		xor	ebx, ebx
		push	3
		mov	eax, esi
		mov	[ebp+var_8], ecx
		pop	edi
		mov	[ebp+arg_0], 4
		sub	eax, edi
		jz	short loc_600635
		sub	eax, 1
		jz	short loc_600623
		sub	eax, 1
		jnz	short loc_60063A
		cmp	word ptr [edx],	5
		mov	ebx, edx
		jnz	short loc_60063A
		lea	eax, [edi+7Dh]
		jmp	short loc_600645
; 

loc_600623:				; CODE XREF: DbgkpLkmdSnapObject(x,x,x)+2Aj
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], edx
		cmp	[edx], ax
		jnz	short loc_60063A
		mov	eax, 0A8h
		jmp	short loc_600645
; 

loc_600635:				; CODE XREF: DbgkpLkmdSnapObject(x,x,x)+25j
		cmp	[edx], di
		jz	short loc_600641

loc_60063A:				; CODE XREF: DbgkpLkmdSnapObject(x,x,x)+2Fj
					; DbgkpLkmdSnapObject(x,x,x)+37j ...
		mov	eax, 0C0000005h
		jmp	short loc_60068C
; 

loc_600641:				; CODE XREF: DbgkpLkmdSnapObject(x,x,x)+53j
		movzx	eax, word ptr [edx+2]

loc_600645:				; CODE XREF: DbgkpLkmdSnapObject(x,x,x)+3Cj
					; DbgkpLkmdSnapObject(x,x,x)+4Ej
		push	0
		push	0
		push	0
		push	eax
		lea	edi, [ecx+80h]
		push	edx
		push	edi
		call	dword ptr [ecx+0A8h]
		test	eax, eax
		js	short loc_60068C
		sub	esi, [ebp+arg_0]
		jz	short loc_600671
		sub	esi, 1
		jnz	short loc_60068C
		movzx	ecx, word ptr [ebx+32h]
		mov	eax, [ebx+34h]
		jmp	short loc_60067B
; 

loc_600671:				; CODE XREF: DbgkpLkmdSnapObject(x,x,x)+7Cj
		mov	eax, [ebp+var_4]
		movzx	ecx, word ptr [eax+1Eh]
		mov	eax, [eax+20h]

loc_60067B:				; CODE XREF: DbgkpLkmdSnapObject(x,x,x)+8Aj
		xor	edx, edx
		push	edx
		push	edx
		push	edx
		push	ecx
		push	eax
		mov	eax, [ebp+var_8]
		push	edi
		call	dword ptr [eax+0A8h]

loc_60068C:				; CODE XREF: DbgkpLkmdSnapObject(x,x,x)+5Aj
					; DbgkpLkmdSnapObject(x,x,x)+77j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_DbgkpLkmdSnapObject@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdSnapThread(x, x, x, x)
_DbgkpLkmdSnapThread@16	proc near	; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+282p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	edi
		call	_KeEnumerateQueueApc@16	; KeEnumerateQueueApc(x,x,x,x)
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+arg_0]
		call	_DbgkpLkmdLaunchSnapApc@16 ; DbgkpLkmdLaunchSnapApc(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_DbgkpLkmdSnapThread@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdSqmIncrementDword(x, x, x,	x)
_DbgkpLkmdSqmIncrementDword@16 proc near ; CODE	XREF: DbgkCaptureLiveDump(x,x,x,x)+CDp
					; DbgkpLkmdSqmStatus(x,x,x)+1Ep ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_50], ecx
		mov	[ebp+var_44], eax
		xor	edx, edx
		push	4
		pop	ecx
		lea	eax, [ebp+var_50]
		mov	[ebp+var_48], 1
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	edx
		push	offset _SQM_INCREMENT_DWORD
		push	[ebp+arg_4]
		mov	[ebp+var_4C], 6
		push	[ebp+arg_0]
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], offset dword_4270C8
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], 10h
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_DbgkpLkmdSqmIncrementDword@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkCaptureLiveKernelDump(x)
_DbgkCaptureLiveKernelDump@4 proc near	; CODE XREF: NtSystemDebugControl+8362Ap

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	esi, esi
		push	edi		; char
		mov	edi, ecx
		mov	[ebp+var_14], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_10], bl
		test	edi, edi
		jnz	short loc_60077F
		mov	eax, 0C000000Dh
		jmp	loc_600A19
; 

loc_60077F:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+29j
		call	_DbgkpWerIsFullLiveDumpDisabled@0 ; DbgkpWerIsFullLiveDumpDisabled()
		test	al, al
		jz	short loc_6007A3
		push	offset ??_C@_0DN@OGIPNPDE@DBGK?3?5Full?5Live?5Kernel?5Dumps?5ar@FNODOBFM@ ; char *
		push	1		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		mov	eax, 0C0000804h
		jmp	loc_600A19
; 

loc_6007A3:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+3Cj
		cmp	bl, 1
		jnz	short loc_6007CA
		test	byte ptr [edi+20h], 4
		jz	short loc_6007CA
		cmp	ds:_KdPitchDebugger, 0
		jz	short loc_6007CA
		cmp	ds:_KdLocalDebugEnabled, 0
		jnz	short loc_6007CA
		mov	eax, 0C0000354h
		jmp	loc_600A19
; 

loc_6007CA:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+5Cj
					; DbgkCaptureLiveKernelDump(x)+62j ...
		mov	eax, large fs:124h
		mov	[ebp+var_C], esi
		mov	dword ptr [ebp+var_8], esi
		mov	[ebp+var_4], esi
		dec	word ptr [eax+13Ch]
		nop
		xor	eax, eax
		mov	ecx, offset _DbgkpBusy
		inc	eax
		xchg	eax, [ecx]
		cmp	eax, 1
		jnz	short loc_6007FA
		mov	esi, 0C000022Dh
		jmp	loc_600A0B
; 

loc_6007FA:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+A4j
		push	24h
		pop	ecx
		call	_DbgkpWerAllocatePool@4	; DbgkpWerAllocatePool(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_600822
		push	offset ??_C@_0CM@EDLMNNDN@DBGK?3?5Could?5not?5allocate?5IoLive@FNODOBFM@ ; char	*
		push	esi		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		mov	esi, 0C0000017h
		jmp	loc_600A02
; 

loc_600822:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+BCj
		mov	[ebx+8], esi
		mov	[ebx+0Ch], esi
		mov	[ebx+10h], esi
		mov	[ebx+14h], esi
		mov	[ebx+18h], esi
		mov	[ebx+1Ch], esi
		mov	[ebx+20h], esi
		mov	dword ptr [ebx], 1
		mov	dword ptr [ebx+4], 24h
		mov	eax, [edi+1Ch]
		test	eax, eax
		jz	short loc_60088B
		push	esi
		lea	ecx, [ebp+var_C]
		push	ecx
		push	57676244h
		push	[ebp+var_10]
		push	ds:_ExEventObjectType
		push	100001h
		push	eax
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_600889
		push	esi
		push	dword ptr [edi+1Ch] ; char
		push	offset ??_C@_0CM@IKAHHJHK@DBGK?3?5Invalid?5event?5handle?5?$CFp?0?5@FNODOBFM@ ;	char *

loc_600878:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+17Cj
		push	1		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 14h
		jmp	loc_6009D7
; 

loc_600889:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+123j
		xor	esi, esi

loc_60088B:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+FFj
		mov	eax, [edi+18h]
		test	eax, eax
		jnz	short loc_60089C
		mov	esi, 0C000000Dh
		jmp	loc_6009D7
; 

loc_60089C:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+146j
		push	esi
		lea	ecx, [ebp+var_8]
		push	ecx
		push	57676244h
		push	[ebp+var_10]
		push	ds:_IoFileObjectType
		push	2
		push	eax
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_6008C8
		push	esi
		push	dword ptr [edi+18h]
		push	offset ??_C@_0FE@HEDMKDPP@DBGK?3?5Invalid?5file?5handle?5?$CFp?0?5O@FNODOBFM@
		jmp	short loc_600878
; 

loc_6008C8:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+171j
		lea	eax, [ebp+var_4]
		push	eax
		push	57676244h
		push	0
		push	ds:_IoFileObjectType
		push	2
		push	0
		push	200h
		push	dword ptr [ebp+var_8]
		call	_ObOpenObjectByPointerWithTag@32 ; ObOpenObjectByPointerWithTag(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_60090A
		push	esi
		push	dword ptr [ebp+var_8] ;	char
		push	offset ??_C@_0EE@OHIJFJCN@DBGK?3?5ObOpenObjectByPointerWith@FNODOBFM@ ;	char *
		push	1		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 14h
		jmp	loc_6009CA
; 

loc_60090A:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+1A4j
		push	10h
		push	4
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_4]
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_600931
		push	esi
		push	offset ??_C@_0EA@KCADKKLJ@DBGK?3?5ZwQueryInformationFile?5fa@FNODOBFM@

loc_60092A:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+1F4j
		push	1
		jmp	loc_6009C0
; 

loc_600931:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+1D8j
		mov	esi, [ebp+var_1C]
		test	esi, esi
		jns	short loc_600940
		push	esi
		push	offset ??_C@_0EL@LPLJPMHP@DBGK?3?5ZwQueryInformationFile?5Io@FNODOBFM@
		jmp	short loc_60092A
; 

loc_600940:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+1ECj
		test	byte ptr [ebp+var_14], 30h
		jnz	short loc_60095E
		push	offset ??_C@_0DD@FJINFOOO@DBGK?3?5File?5was?5not?5opened?5for?5s@FNODOBFM@ ; char *
		push	1		; int
		push	5		; int
		mov	esi, 0C000000Dh
		call	_DbgPrintEx
		add	esp, 0Ch
		jmp	short loc_6009CA
; 

loc_60095E:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+1FAj
		mov	eax, [ebp+var_4]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_C]
		mov	[ebx+0Ch], eax
		mov	eax, [edi+20h]
		test	al, 4
		jz	short loc_600978
		or	dword ptr [ebx+10h], 4
		mov	eax, [edi+20h]

loc_600978:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+225j
		test	al, 8
		jz	short loc_600980
		or	dword ptr [ebx+10h], 10h

loc_600980:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+230j
		test	byte ptr [edi+24h], 1
		jz	short loc_60098A
		or	dword ptr [ebx+14h], 1

loc_60098A:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+23Aj
		push	offset ??_C@_0CB@CNBNBKEO@DBGK?3?5Calling?5IoCaptureLiveDump@FNODOBFM@ ; char *
		push	3		; int
		push	5		; int
		call	_DbgPrintEx
		mov	edx, [edi+8]
		add	esp, 0Ch
		mov	ecx, [edi+4]
		push	0
		push	ebx
		push	dword ptr [edi+14h]
		push	dword ptr [edi+10h]
		push	dword ptr [edi+0Ch]
		call	_IoCaptureLiveDump@28 ;	IoCaptureLiveDump(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_6009CA
		push	esi		; char
		push	offset ??_C@_0CN@OIDMEGEJ@DBGK?3?5IoCaptureLiveDump?5failed?0@FNODOBFM@	; char *
		push	0		; int

loc_6009C0:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+1E2j
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_6009CA:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+1BBj
					; DbgkCaptureLiveKernelDump(x)+212j ...
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_6009D7
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_6009D7:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+13Aj
					; DbgkCaptureLiveKernelDump(x)+14Dj ...
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	short loc_6009E8
		mov	edx, 57676244h
		call	ObfDereferenceObjectWithTag

loc_6009E8:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+292j
		mov	eax, dword ptr [ebp+var_8]
		test	eax, eax
		jz	short loc_6009FB
		mov	edx, 57676244h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_6009FB:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+2A3j
		mov	ecx, ebx
		call	_DbgkpWerFreePool@4 ; DbgkpWerFreePool(x)

loc_600A02:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+D3j
		xor	eax, eax
		mov	ecx, offset _DbgkpBusy
		xchg	eax, [ecx]

loc_600A0B:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+ABj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi

loc_600A19:				; CODE XREF: DbgkCaptureLiveKernelDump(x)+30j
					; DbgkCaptureLiveKernelDump(x)+54j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_DbgkCaptureLiveKernelDump@4 endp


;  S U B	R O U T	I N E 


; __stdcall DbgkpWerAllocateNonpagedPool(x)
_DbgkpWerAllocateNonpagedPool@4	proc near
					; CODE XREF: DbgkpWerInitializeDeferredLiveDump(x)+C6p
		push	57676244h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
_DbgkpWerAllocateNonpagedPool@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpTriageDumpCheckPresentHashTable(x, x, x, x)
_DbgkpTriageDumpCheckPresentHashTable@16 proc near
					; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+81p
					; DbgkpTriageDumpIsMemoryBlockPresent(x,x,x)+27p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, edx
		push	edi
		test	esi, esi
		jz	short loc_600A46
		or	dword ptr [esi], 0FFFFFFFFh

loc_600A46:				; CODE XREF: DbgkpTriageDumpCheckPresentHashTable(x,x,x,x)+11j
		mov	eax, ebx
		mov	ecx, [ecx+18h]
		shr	eax, 4
		xor	edx, edx
		mov	edi, 0DF3h
		mov	[ebp+var_4], ecx
		div	edi
		mov	edi, edx
		cmp	dword ptr [ecx+edi*4], 0
		jz	short loc_600AAA
		mov	eax, ebx
		mov	ebx, [ebp+arg_0]
		cdq
		mov	[ebp+var_8], eax
		mov	[ebp+arg_4], edx

loc_600A6E:				; CODE XREF: DbgkpTriageDumpCheckPresentHashTable(x,x,x,x)+6Ej
		mov	edx, [ecx+edi*4]
		cmp	[edx], eax
		jnz	short loc_600A86
		mov	eax, [edx+4]
		cmp	eax, [ebp+arg_4]
		jnz	short loc_600A86
		test	ebx, ebx
		jz	short loc_600AA0
		cmp	[edx+0Ch], ebx
		jz	short loc_600AA0

loc_600A86:				; CODE XREF: DbgkpTriageDumpCheckPresentHashTable(x,x,x,x)+43j
					; DbgkpTriageDumpCheckPresentHashTable(x,x,x,x)+4Bj
		mov	ecx, [ebp+var_4]
		lea	eax, [edi+1]
		cmp	eax, 0DF3h
		sbb	edi, edi
		and	edi, eax
		cmp	dword ptr [ecx+edi*4], 0
		jz	short loc_600AAA
		mov	eax, [ebp+var_8]
		jmp	short loc_600A6E
; 

loc_600AA0:				; CODE XREF: DbgkpTriageDumpCheckPresentHashTable(x,x,x,x)+4Fj
					; DbgkpTriageDumpCheckPresentHashTable(x,x,x,x)+54j
		test	esi, esi
		jz	short loc_600AA6
		mov	[esi], edi

loc_600AA6:				; CODE XREF: DbgkpTriageDumpCheckPresentHashTable(x,x,x,x)+72j
		mov	al, 1
		jmp	short loc_600AB2
; 

loc_600AAA:				; CODE XREF: DbgkpTriageDumpCheckPresentHashTable(x,x,x,x)+30j
					; DbgkpTriageDumpCheckPresentHashTable(x,x,x,x)+69j
		test	esi, esi
		jz	short loc_600AB0
		mov	[esi], edi

loc_600AB0:				; CODE XREF: DbgkpTriageDumpCheckPresentHashTable(x,x,x,x)+7Cj
		xor	al, al

loc_600AB2:				; CODE XREF: DbgkpTriageDumpCheckPresentHashTable(x,x,x,x)+78j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_DbgkpTriageDumpCheckPresentHashTable@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	DbgkpTriageDumpSnapData(int,void *,size_t,int,int,int)
_DbgkpTriageDumpSnapData@24 proc near	; DATA XREF: DbgkpTriageDumpInitialize(x,x,x,x)+56o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_14]
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		or	[ebp+arg_0], 0FFFFFFFFh
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	esi, [edi]
		test	ebx, ebx
		jz	short loc_600ADD
		mov	[ebx], eax

loc_600ADD:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+20j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_600CC6
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	loc_600CC6
		cmp	[ebp+arg_C], 1
		jnz	short loc_600B27
		cmp	[ebp+arg_10], 0
		jnz	short loc_600B27
		test	byte ptr [esi+0F8Ch], 1
		jnz	short loc_600B27
		push	ecx		; size_t
		push	eax		; void *
		lea	eax, [esi+320h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		or	dword ptr [esi+0F8Ch], 1

loc_600B20:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+8Cj
					; DbgkpTriageDumpSnapData(x,x,x,x,x,x)+9Ej ...
		xor	eax, eax
		jmp	loc_600CCB
; 

loc_600B27:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+3Ej
					; DbgkpTriageDumpSnapData(x,x,x,x,x,x)+44j ...
		mov	edx, [edi+18h]
		mov	[ebp+arg_14], edx
		test	edx, edx
		jz	short loc_600B5C
		lea	edx, [ebp+arg_0]
		push	edx
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	_DbgkpTriageDumpCheckPresentHashTable@16 ; DbgkpTriageDumpCheckPresentHashTable(x,x,x,x)
		test	al, al
		jz	short loc_600B59
		test	ebx, ebx
		jz	short loc_600B20
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_14]
		mov	eax, [ecx+eax*4]
		mov	eax, [eax+8]
		add	eax, [edi]

loc_600B55:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+201j
		mov	[ebx], eax
		jmp	short loc_600B20
; 

loc_600B59:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+88j
		mov	ecx, [ebp+arg_8]

loc_600B5C:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+76j
		lea	eax, [ecx+7]
		lea	ecx, [ebp+var_4]
		and	eax, 0FFFFFFF8h
		push	ecx
		push	10h
		pop	edx
		mov	ecx, eax
		mov	[ebp+arg_14], eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_600CBF
		mov	ecx, [esi+1060h]
		lea	eax, [ebp+var_8]
		mov	edx, [edi+14h]
		push	eax
		call	_RtlULongPtrSub@12 ; RtlULongPtrSub(x,x,x)
		test	eax, eax
		js	loc_600CBF
		mov	eax, [ebp+var_4]
		cmp	eax, [ebp+var_8]
		ja	loc_600CBF
		push	[ebp+arg_8]	; size_t
		lea	eax, [edx+esi]
		push	[ebp+arg_4]	; void *
		push	eax		; void *
		call	_memcpy
		or	dword ptr [esi+0F8Ch], 800h
		add	esp, 0Ch
		add	dword ptr [esi+1060h], 0FFFFFFF0h
		mov	ecx, [esi+1060h]
		inc	dword ptr [esi+1064h]
		add	ecx, esi
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jnz	short loc_600BDC
		mov	eax, [ebp+arg_4]

loc_600BDC:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+11Ej
		cdq
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	eax, [edi+14h]
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+arg_14]
		add	[edi+14h], eax
		mov	eax, [ebp+arg_C]
		dec	eax
		sub	eax, 1
		jz	short loc_600C7B
		sub	eax, 1
		jz	short loc_600C60
		sub	eax, 1
		jz	short loc_600C3C
		sub	eax, 1
		jnz	loc_600C94
		cmp	[esi+1028h], eax
		jnz	short loc_600C94
		mov	eax, [ecx+8]
		mov	[esi+1028h], eax
		mov	eax, [ecx+0Ch]
		mov	[esi+102Ch], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+1048h], eax
		or	dword ptr [esi+0F8Ch], 20h
		jmp	short loc_600C94
; 

loc_600C3C:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+14Cj
		cmp	dword ptr [esi+1020h], 0
		jnz	short loc_600C94
		mov	eax, [ecx+8]
		mov	[esi+1020h], eax
		mov	eax, [ebp+arg_4]
		or	dword ptr [esi+0F8Ch], 8
		mov	eax, [eax+18h]
		mov	[esi+10h], eax
		jmp	short loc_600C94
; 

loc_600C60:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+147j
		cmp	dword ptr [esi+1024h], 0
		jnz	short loc_600C94
		mov	eax, [ecx+8]
		mov	[esi+1024h], eax
		or	dword ptr [esi+0F8Ch], 10h
		jmp	short loc_600C94
; 

loc_600C7B:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+142j
		cmp	dword ptr [esi+101Ch], 0
		jnz	short loc_600C94
		mov	eax, [ecx+8]
		mov	[esi+101Ch], eax
		or	dword ptr [esi+0F8Ch], 4

loc_600C94:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+151j
					; DbgkpTriageDumpSnapData(x,x,x,x,x,x)+15Dj ...
		mov	eax, [edi+18h]
		test	eax, eax
		jz	short loc_600CAD
		cmp	dword ptr [edi+1Ch], 6F9h
		jnb	short loc_600CAD
		mov	edx, [ebp+arg_0]
		mov	[eax+edx*4], ecx
		inc	dword ptr [edi+1Ch]

loc_600CAD:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+1E0j
					; DbgkpTriageDumpSnapData(x,x,x,x,x,x)+1E9j
		test	ebx, ebx
		jz	loc_600B20
		mov	eax, [edi]
		add	eax, [ecx+8]
		jmp	loc_600B55
; 

loc_600CBF:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+BCj
					; DbgkpTriageDumpSnapData(x,x,x,x,x,x)+D6j ...
		mov	eax, 0C000009Ah
		jmp	short loc_600CCB
; 

loc_600CC6:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+29j
					; DbgkpTriageDumpSnapData(x,x,x,x,x,x)+34j
		mov	eax, 0C000000Dh

loc_600CCB:				; CODE XREF: DbgkpTriageDumpSnapData(x,x,x,x,x,x)+69j
					; DbgkpTriageDumpSnapData(x,x,x,x,x,x)+20Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_DbgkpTriageDumpSnapData@24 endp


;  S U B	R O U T	I N E 


; __stdcall EmpProviderDeregisterEntry(x)
_EmpProviderDeregisterEntry@4 proc near	; CODE XREF: PAGE:009578EBp
					; EmProviderDeregisterEntry(x)+17p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_600D2B
		lea	eax, [esi+0Ch]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_600D2D
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_600D2D
		mov	[ecx], edx
		lea	eax, [esi+14h]
		mov	[edx+4], ecx
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_600D2D
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_600D2D
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	eax, [esi]
		push	edi
		mov	edi, [eax+2Ch]
		jmp	short loc_600D1B
; 

loc_600D0F:				; CODE XREF: EmpProviderDeregisterEntry(x)+4Bj
		mov	ecx, [edi-4]
		xor	edx, edx
		call	EmpQueueRuleUpdateState
		mov	edi, [edi]

loc_600D1B:				; CODE XREF: EmpProviderDeregisterEntry(x)+3Bj
		test	edi, edi
		jnz	short loc_600D0F
		push	72704D45h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi

loc_600D2B:				; CODE XREF: EmpProviderDeregisterEntry(x)+7j
		pop	esi
		retn
; 

loc_600D2D:				; CODE XREF: EmpProviderDeregisterEntry(x)+11j
					; EmpProviderDeregisterEntry(x)+18j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_EmpProviderDeregisterEntry@4 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlGetFileExtents(x, x, x, x, x, x, x)
_FsRtlGetFileExtents@28	proc near	; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+1FCp
					; MiComputeIdealFirstSubsection(x)+36p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_2C], 0
		and	[ebp+var_28], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		push	ebx
		call	IoGetRelatedDeviceObject
		mov	esi, eax
		push	0
		movzx	ecx, byte ptr [esi+30h]
		push	ecx
		push	esi
		call	IoAllocateIrpEx
		mov	edi, eax
		test	edi, edi
		jnz	short loc_600D73
		mov	eax, 0C000009Ah
		jmp	short loc_600DEB
; 

loc_600D73:				; CODE XREF: FsRtlGetFileExtents(x,x,x,x,x,x,x)+38j
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	edx, [ebp+arg_10]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	[edi+28h], eax
		mov	eax, large fs:124h
		mov	[edi+20h], cl
		mov	[edi+2Ch], ecx
		mov	ecx, [edi+60h]
		mov	[edi+50h], eax
		mov	[edi+3Ch], edx
		push	edi
		mov	word ptr [ecx-24h], 40Dh
		mov	[ecx-0Ch], ebx
		mov	dword ptr [ecx-18h], 9039Bh
		mov	dword ptr [ecx-1Ch], 18h
		mov	eax, [edx]
		push	esi
		lea	eax, ds:8[eax*8]
		mov	[ecx-20h], eax
		lea	eax, [ebp+var_24]
		mov	[ecx-14h], eax
		call	_IoSynchronousCallDriver@8 ; IoSynchronousCallDriver(x,x)
		push	edi
		mov	esi, eax
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		mov	eax, esi

loc_600DEB:				; CODE XREF: FsRtlGetFileExtents(x,x,x,x,x,x,x)+3Fj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_FsRtlGetFileExtents@28	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 540. FsRtlIncrementCcFastMdlReadWait

;  S U B	R O U T	I N E 


; __stdcall FsRtlIncrementCcFastMdlReadWait()
		public _FsRtlIncrementCcFastMdlReadWait@0
_FsRtlIncrementCcFastMdlReadWait@0 proc	near
		inc	large dword ptr	fs:644h
		retn
_FsRtlIncrementCcFastMdlReadWait@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 541. FsRtlIncrementCcFastReadNoWait

;  S U B	R O U T	I N E 


; __stdcall FsRtlIncrementCcFastReadNoWait()
		public _FsRtlIncrementCcFastReadNoWait@0
_FsRtlIncrementCcFastReadNoWait@0 proc near
		inc	large dword ptr	fs:600h
		retn
_FsRtlIncrementCcFastReadNoWait@0 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 543. FsRtlIncrementCcFastReadResourceMiss

;  S U B	R O U T	I N E 


; __stdcall FsRtlIncrementCcFastReadResourceMiss()
		public _FsRtlIncrementCcFastReadResourceMiss@0
_FsRtlIncrementCcFastReadResourceMiss@0	proc near
		inc	large dword ptr	fs:680h
		retn
_FsRtlIncrementCcFastReadResourceMiss@0	endp

; 
		align 8
; Exported entry 561. FsRtlIsDaxVolume

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlIsDaxVolume(x)
		public _FsRtlIsDaxVolume@4
_FsRtlIsDaxVolume@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_600E4B
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_600E4B
		test	dword ptr [eax+1Ch], 10000000h
		jz	short loc_600E4B
		mov	al, 1
		jmp	short loc_600E4D
; 

loc_600E4B:				; CODE XREF: FsRtlIsDaxVolume(x)+Dj
					; FsRtlIsDaxVolume(x)+14j ...
		xor	al, al

loc_600E4D:				; CODE XREF: FsRtlIsDaxVolume(x)+21j
		pop	ebp
		retn	4
_FsRtlIsDaxVolume@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 592. FsRtlMdlReadComplete

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlMdlReadComplete(x, x)
		public _FsRtlMdlReadComplete@8
_FsRtlMdlReadComplete@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	IoGetRelatedDeviceObject
		mov	ecx, [eax+8]
		mov	ecx, [ecx+28h]
		test	ecx, ecx
		jz	short loc_600E84
		cmp	dword ptr [ecx], 44h
		jbe	short loc_600E84
		mov	ecx, [ecx+44h]
		test	ecx, ecx
		jz	short loc_600E84
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ecx
		jmp	short loc_600E86
; 

loc_600E84:				; CODE XREF: FsRtlMdlReadComplete(x,x)+15j
					; FsRtlMdlReadComplete(x,x)+1Aj ...
		xor	al, al

loc_600E86:				; CODE XREF: FsRtlMdlReadComplete(x,x)+2Cj
		pop	ebp
		retn	8
_FsRtlMdlReadComplete@8	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 469. FsRtlAddMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAddMcbEntry(x,	x, x, x)
		public _FsRtlAddMcbEntry@16
_FsRtlAddMcbEntry@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	eax
		push	[ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	FsRtlAddLargeMcbEntry
		pop	ebp
		retn	10h
_FsRtlAddMcbEntry@16 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 531. FsRtlGetNextLargeMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlGetNextLargeMcbEntry(x, x, x, x, x)
		public _FsRtlGetNextLargeMcbEntry@20
_FsRtlGetNextLargeMcbEntry@20 proc near	; CODE XREF: FsRtlGetNextMcbEntry(x,x,x,x,x)+2Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi]
		call	ExAcquireFastMutex
		push	[ebp+arg_10]
		lea	eax, [esi+4]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	eax
		call	_FsRtlGetNextBaseMcbEntry@20 ; FsRtlGetNextBaseMcbEntry(x,x,x,x,x)
		mov	ecx, [esi]
		mov	bl, al
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	14h
_FsRtlGetNextLargeMcbEntry@20 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 532. FsRtlGetNextMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlGetNextMcbEntry(x, x, x, x, x)
		public _FsRtlGetNextMcbEntry@20
_FsRtlGetNextMcbEntry@20 proc near

var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		push	ebx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_FsRtlGetNextLargeMcbEntry@20 ;	FsRtlGetNextLargeMcbEntry(x,x,x,x,x)
		mov	bl, al
		test	bl, bl
		jz	short loc_600F46
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+arg_C]
		mov	[edx], ecx
		mov	ecx, [ebp+var_8]
		inc	ecx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, [ebp+var_8]
		mov	[eax], ecx
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+var_18]
		mov	[ecx], eax

loc_600F46:				; CODE XREF: FsRtlGetNextMcbEntry(x,x,x,x,x)+35j
		mov	al, bl
		pop	ebx
		leave
		retn	14h
_FsRtlGetNextMcbEntry@20 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 581. FsRtlLookupLargeMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlLookupLargeMcbEntry(x,	x, x, x, x, x, x, x)
		public _FsRtlLookupLargeMcbEntry@32
_FsRtlLookupLargeMcbEntry@32 proc near	; CODE XREF: FsRtlLookupMcbEntry(x,x,x,x,x)+30p

var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		push	0Ch
		push	offset dword_6A7CD0
		call	__SEH_prolog4
		mov	[ebp+var_19], 0
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi]
		call	ExAcquireFastMutex
		and	[ebp+ms_exc.disabled], 0
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		lea	eax, [esi+4]
		push	eax
		call	_FsRtlLookupBaseMcbEntry@32 ; FsRtlLookupBaseMcbEntry(x,x,x,x,x,x,x,x)
		mov	bl, al
		mov	[ebp+var_19], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_600FB9
		mov	al, bl
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
_FsRtlLookupLargeMcbEntry@32 endp


;  S U B	R O U T	I N E 


sub_600FB3	proc near		; DATA XREF: .text:006A7CE8o
		mov	esi, [ebp+8]
		mov	bl, [ebp-19h]
sub_600FB3	endp


;  S U B	R O U T	I N E 


sub_600FB9	proc near		; CODE XREF: FsRtlLookupLargeMcbEntry(x,x,x,x,x,x,x,x)+48p
		mov	ecx, [esi]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		retn
sub_600FB9	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 584. FsRtlLookupLastLargeMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlLookupLastLargeMcbEntry(x, x, x)
		public _FsRtlLookupLastLargeMcbEntry@12
_FsRtlLookupLastLargeMcbEntry@12 proc near ; CODE XREF:	FsRtlLookupLastMcbEntry(x,x,x)+1Cp

var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	0Ch
		push	offset dword_6A7CB0
		call	__SEH_prolog4
		mov	[ebp+var_19], 0
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi]
		call	ExAcquireFastMutex
		and	[ebp+ms_exc.disabled], 0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		lea	eax, [esi+4]
		push	eax
		call	_FsRtlLookupLastBaseMcbEntry@12	; FsRtlLookupLastBaseMcbEntry(x,x,x)
		mov	bl, al
		mov	[ebp+var_19], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_60101E
		mov	al, bl
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_FsRtlLookupLastLargeMcbEntry@12 endp


;  S U B	R O U T	I N E 


sub_601018	proc near		; DATA XREF: .text:006A7CC8o
		mov	esi, [ebp+8]
		mov	bl, [ebp-19h]
sub_601018	endp


;  S U B	R O U T	I N E 


sub_60101E	proc near		; CODE XREF: FsRtlLookupLastLargeMcbEntry(x,x,x)+39p
		mov	ecx, [esi]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		retn
sub_60101E	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 585. FsRtlLookupLastLargeMcbEntryAndIndex

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlLookupLastLargeMcbEntryAndIndex(x, x, x, x)
		public _FsRtlLookupLastLargeMcbEntryAndIndex@16
_FsRtlLookupLastLargeMcbEntryAndIndex@16 proc near

var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	0Ch
		push	offset dword_6A7C90
		call	__SEH_prolog4
		mov	[ebp+var_19], 0
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi]
		call	ExAcquireFastMutex
		and	[ebp+ms_exc.disabled], 0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		lea	eax, [esi+4]
		push	eax
		call	_FsRtlLookupLastBaseMcbEntryAndIndex@16	; FsRtlLookupLastBaseMcbEntryAndIndex(x,x,x,x)
		mov	bl, al
		mov	[ebp+var_19], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_601086
		mov	al, bl
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_FsRtlLookupLastLargeMcbEntryAndIndex@16 endp


;  S U B	R O U T	I N E 


sub_601080	proc near		; DATA XREF: .text:006A7CA8o
		mov	esi, [ebp+8]
		mov	bl, [ebp-19h]
sub_601080	endp


;  S U B	R O U T	I N E 


sub_601086	proc near		; CODE XREF: FsRtlLookupLastLargeMcbEntryAndIndex(x,x,x,x)+3Cp
		mov	ecx, [esi]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		retn
sub_601086	endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 586. FsRtlLookupLastMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlLookupLastMcbEntry(x, x, x)
		public _FsRtlLookupLastMcbEntry@12
_FsRtlLookupLastMcbEntry@12 proc near

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	ebx
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+arg_0]
		call	_FsRtlLookupLastLargeMcbEntry@12 ; FsRtlLookupLastLargeMcbEntry(x,x,x)
		mov	bl, al
		test	bl, bl
		jz	short loc_6010D2
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+arg_8]
		mov	[edx], ecx
		mov	ecx, [ebp+var_8]
		inc	ecx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, [ebp+var_8]
		mov	[eax], ecx

loc_6010D2:				; CODE XREF: FsRtlLookupLastMcbEntry(x,x,x)+25j
		mov	al, bl
		pop	ebx
		leave
		retn	0Ch
_FsRtlLookupLastMcbEntry@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 587. FsRtlLookupMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlLookupMcbEntry(x, x, x, x, x)
		public _FsRtlLookupMcbEntry@20
_FsRtlLookupMcbEntry@20	proc near

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	[ebp+arg_10]
		mov	esi, [ebp+arg_C]
		lea	ecx, [ebp+var_10]
		xor	edx, edx
		mov	eax, esi
		push	edx
		neg	eax
		mov	[ebp+var_8], edx
		push	edx
		sbb	eax, eax
		mov	[ebp+var_10], edx
		and	eax, ecx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	edx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_FsRtlLookupLargeMcbEntry@32 ; FsRtlLookupLargeMcbEntry(x,x,x,x,x,x,x,x)
		mov	dl, al
		test	dl, dl
		jz	short loc_601132
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+arg_8]
		inc	ecx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, [ebp+var_8]
		mov	[eax], ecx
		test	esi, esi
		jz	short loc_601132
		mov	eax, [ebp+var_10]
		mov	[esi], eax

loc_601132:				; CODE XREF: FsRtlLookupMcbEntry(x,x,x,x,x)+39j
					; FsRtlLookupMcbEntry(x,x,x,x,x)+4Dj
		mov	al, dl
		pop	esi
		leave
		retn	14h
_FsRtlLookupMcbEntry@20	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 617. FsRtlNumberOfRunsInLargeMcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNumberOfRunsInLargeMcb(x)
		public _FsRtlNumberOfRunsInLargeMcb@4
_FsRtlNumberOfRunsInLargeMcb@4 proc near ; CODE	XREF: FsRtlNumberOfRunsInMcb(x)+6j

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, [edi]
		call	ExAcquireFastMutex
		mov	ecx, [edi]
		mov	esi, [edi+8]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_FsRtlNumberOfRunsInLargeMcb@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 618. FsRtlNumberOfRunsInMcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNumberOfRunsInMcb(x)
		public _FsRtlNumberOfRunsInMcb@4
_FsRtlNumberOfRunsInMcb@4 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_FsRtlNumberOfRunsInLargeMcb@4 ; FsRtlNumberOfRunsInLargeMcb(x)
_FsRtlNumberOfRunsInMcb@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 653. FsRtlRemoveLargeMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlRemoveLargeMcbEntry(x,	x, x, x, x)
		public _FsRtlRemoveLargeMcbEntry@20
_FsRtlRemoveLargeMcbEntry@20 proc near	; CODE XREF: FsRtlRemoveMcbEntry(x,x,x)+12p

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		push	8
		push	offset dword_6A7CF0
		call	__SEH_prolog4
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi]
		call	ExAcquireFastMutex
		xor	eax, eax
		mov	[ebp+ms_exc.disabled], eax
		push	eax
		push	[ebp+arg_C]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [esi+4]
		push	eax
		call	FsRtlRemoveBaseMcbEntry
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_6011C3
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_FsRtlRemoveLargeMcbEntry@20 endp


;  S U B	R O U T	I N E 


sub_6011C0	proc near		; DATA XREF: .text:006A7D08o
		mov	esi, [ebp+8]
sub_6011C0	endp


;  S U B	R O U T	I N E 


sub_6011C3	proc near		; CODE XREF: FsRtlRemoveLargeMcbEntry(x,x,x,x,x)+33p
		mov	ecx, [esi]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		retn
sub_6011C3	endp

; 
		align 10h
; Exported entry 654. FsRtlRemoveMcbEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlRemoveMcbEntry(x, x, x)
		public _FsRtlRemoveMcbEntry@12
_FsRtlRemoveMcbEntry@12	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_FsRtlRemoveLargeMcbEntry@20 ; FsRtlRemoveLargeMcbEntry(x,x,x,x,x)
		pop	ebp
		retn	0Ch
_FsRtlRemoveMcbEntry@12	endp

; 
		align 10h
; Exported entry 659. FsRtlResetLargeMcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlResetLargeMcb(x, x)
		public _FsRtlResetLargeMcb@8
_FsRtlResetLargeMcb@8 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	esi
		mov	esi, [ebp+arg_0]
		jz	short loc_601205
		and	dword ptr [esi+8], 0
		jmp	short loc_601217
; 

loc_601205:				; CODE XREF: FsRtlResetLargeMcb(x,x)+Dj
		mov	ecx, [esi]
		call	ExAcquireFastMutex
		mov	ecx, [esi]
		and	dword ptr [esi+8], 0
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_601217:				; CODE XREF: FsRtlResetLargeMcb(x,x)+13j
		pop	esi
		pop	ebp
		retn	8
_FsRtlResetLargeMcb@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 664. FsRtlSplitBaseMcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlSplitBaseMcb(x, x, x, x, x)
		public _FsRtlSplitBaseMcb@20
_FsRtlSplitBaseMcb@20 proc near		; CODE XREF: FsRtlSplitLargeMcb(x,x,x,x,x)+2Ep

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		push	eax
		mov	ecx, edi
		mov	[ebp+var_4], ebx
		call	_FsRtlFindLargeIndex@12	; FsRtlFindLargeIndex(x,x,x)
		test	al, al
		jz	loc_601338
		mov	esi, [ebp+var_4]
		mov	ecx, [edi+0Ch]
		cmp	dword ptr [ecx+esi*8+4], 0FFFFFFFFh
		jz	short loc_60128F
		mov	edx, ebx
		test	esi, esi
		jz	short loc_60125F
		mov	edx, [ecx+esi*8-8]

loc_60125F:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+38j
		mov	eax, [ebp+arg_4]
		cmp	edx, eax
		jnz	short loc_60129A
		test	esi, esi
		jz	short loc_60129E
		mov	eax, [ecx+esi*8-4]
		mov	[ebp+arg_0], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_60128E
		lea	eax, [esi-1]
		mov	edx, ebx
		test	eax, eax
		jz	short loc_601283
		mov	edx, [ecx+esi*8-10h]

loc_601283:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+5Cj
		mov	eax, [ecx+esi*8-8]
		sub	eax, edx
		add	eax, [ebp+arg_0]
		jnz	short loc_601297

loc_60128E:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+53j
		dec	esi

loc_60128F:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+32j
		mov	edx, [ebp+arg_C]
		jmp	loc_601331
; 

loc_601297:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+6Bj
		mov	eax, [ebp+arg_4]

loc_60129A:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+43j
		test	esi, esi
		jnz	short loc_6012A2

loc_60129E:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+47j
		mov	ecx, ebx
		jmp	short loc_6012A6
; 

loc_6012A2:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+7Bj
		mov	ecx, [ecx+esi*8-8]

loc_6012A6:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+7Fj
		cmp	ecx, eax
		mov	edx, esi
		mov	ecx, edi
		jnz	short loc_6012D1
		push	1
		call	_FsRtlAddEntry@12 ; FsRtlAddEntry(x,x,x)
		test	al, al
		jz	short loc_6012DC
		mov	eax, [edi+0Ch]
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_C]
		or	dword ptr [eax+esi*8+4], 0FFFFFFFFh
		add	ecx, edx
		mov	eax, [edi+0Ch]
		mov	[eax+esi*8], ecx
		jmp	short loc_601330
; 

loc_6012D1:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+8Bj
		push	2
		call	_FsRtlAddEntry@12 ; FsRtlAddEntry(x,x,x)
		test	al, al
		jnz	short loc_6012E0

loc_6012DC:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+96j
		xor	al, al
		jmp	short loc_60133A
; 

loc_6012E0:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+B9j
		mov	ecx, [edi+0Ch]
		mov	edx, [ebp+arg_C]
		mov	eax, [ecx+esi*8+14h]
		mov	[ecx+esi*8+4], eax
		mov	eax, [edi+0Ch]
		mov	ecx, [ebp+arg_4]
		mov	[eax+esi*8], ecx
		add	ecx, edx
		mov	eax, [edi+0Ch]
		or	dword ptr [eax+esi*8+0Ch], 0FFFFFFFFh
		mov	eax, [edi+0Ch]
		mov	[eax+esi*8+8], ecx
		lea	eax, [esi+1]
		mov	ecx, [edi+0Ch]
		test	eax, eax
		mov	eax, ebx
		jz	short loc_601317
		mov	eax, [ecx+esi*8]

loc_601317:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+F1j
		test	esi, esi
		jz	short loc_60131F
		mov	ebx, [ecx+esi*8-8]

loc_60131F:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+F8j
		sub	eax, ebx
		add	[ecx+esi*8+14h], eax
		add	esi, 2
		jmp	short loc_601331
; 

loc_60132A:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+113j
		mov	eax, [edi+0Ch]
		add	[eax+esi*8], edx

loc_601330:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+AEj
		inc	esi

loc_601331:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+71j
					; FsRtlSplitBaseMcb(x,x,x,x,x)+107j
		cmp	esi, [edi+4]
		jb	short loc_60132A
		mov	bl, 1

loc_601338:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+21j
		mov	al, bl

loc_60133A:				; CODE XREF: FsRtlSplitBaseMcb(x,x,x,x,x)+BDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_FsRtlSplitBaseMcb@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 665. FsRtlSplitLargeMcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlSplitLargeMcb(x, x, x,	x, x)
		public _FsRtlSplitLargeMcb@20
_FsRtlSplitLargeMcb@20 proc near

var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	0Ch
		push	offset dword_6A7C70
		call	__SEH_prolog4
		mov	[ebp+var_19], 0
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi]
		call	ExAcquireFastMutex
		and	[ebp+ms_exc.disabled], 0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		lea	eax, [esi+4]
		push	eax
		call	_FsRtlSplitBaseMcb@20 ;	FsRtlSplitBaseMcb(x,x,x,x,x)
		mov	bl, al
		mov	[ebp+var_19], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_6013A4
		mov	al, bl
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_FsRtlSplitLargeMcb@20 endp


;  S U B	R O U T	I N E 


sub_60139E	proc near		; DATA XREF: .text:006A7C88o
		mov	esi, [ebp+8]
		mov	bl, [ebp-19h]
sub_60139E	endp


;  S U B	R O U T	I N E 


sub_6013A4	proc near		; CODE XREF: FsRtlSplitLargeMcb(x,x,x,x,x)+3Fp
		mov	ecx, [esi]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		retn
sub_6013A4	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 671. FsRtlTruncateMcb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlTruncateMcb(x,	x)
		public _FsRtlTruncateMcb@8
_FsRtlTruncateMcb@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_FsRtlTruncateLargeMcb@12 ; FsRtlTruncateLargeMcb(x,x,x)
		pop	ebp
		retn	8
_FsRtlTruncateMcb@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 482. FsRtlAreThereCurrentOrInProgressFileLocks

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAreThereCurrentOrInProgressFileLocks(x)
		public _FsRtlAreThereCurrentOrInProgressFileLocks@4
_FsRtlAreThereCurrentOrInProgressFileLocks@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		mov	ecx, [edx+0Ch]
		test	ecx, ecx
		jz	short loc_6013E7
		cmp	[ecx+14h], eax
		jnz	short loc_6013EC
		cmp	[ecx+18h], eax
		jnz	short loc_6013EC

loc_6013E7:				; CODE XREF: FsRtlAreThereCurrentOrInProgressFileLocks(x)+Fj
		cmp	[edx+3Ch], eax
		jz	short loc_6013EE

loc_6013EC:				; CODE XREF: FsRtlAreThereCurrentOrInProgressFileLocks(x)+14j
					; FsRtlAreThereCurrentOrInProgressFileLocks(x)+19j
		mov	al, 1

loc_6013EE:				; CODE XREF: FsRtlAreThereCurrentOrInProgressFileLocks(x)+1Ej
		pop	ebp
		retn	4
_FsRtlAreThereCurrentOrInProgressFileLocks@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 483. FsRtlAreThereWaitingFileLocks

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAreThereWaitingFileLocks(x)
		public _FsRtlAreThereWaitingFileLocks@4
_FsRtlAreThereWaitingFileLocks@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		test	ecx, ecx
		jz	short loc_601412
		mov	ecx, [ecx+0Ch]
		test	ecx, ecx
		jz	short loc_601412
		cmp	[ecx+1Ch], eax
		setnz	al

loc_601412:				; CODE XREF: FsRtlAreThereWaitingFileLocks(x)+Cj
					; FsRtlAreThereWaitingFileLocks(x)+13j
		pop	ebp
		retn	4
_FsRtlAreThereWaitingFileLocks@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 489. FsRtlCheckLockForOplockRequest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlCheckLockForOplockRequest(x, x)
		public _FsRtlCheckLockForOplockRequest@8
_FsRtlCheckLockForOplockRequest@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+0Ch]
		test	edi, edi
		jz	loc_6014D2
		xor	ebx, ebx
		cmp	[edi+14h], ebx
		jnz	short loc_601441
		cmp	[edi+18h], ebx
		jz	loc_6014D2

loc_601441:				; CODE XREF: FsRtlCheckLockForOplockRequest(x,x)+1Bj
		mov	esi, [ebp+arg_4]
		mov	eax, [esi]
		or	eax, [esi+4]
		jz	loc_6014D2
		cmp	[ecx+3Ch], ebx
		jz	short loc_601458
		xor	al, al
		jmp	short loc_6014D4
; 

loc_601458:				; CODE XREF: FsRtlCheckLockForOplockRequest(x,x)+37j
		mov	eax, [esi]
		mov	esi, [esi+4]
		add	eax, 0FFFFFFFFh
		mov	[ebp+arg_4], eax
		adc	esi, 0FFFFFFFFh
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+10h]
		mov	byte ptr [ebp+arg_0+3],	al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	esi, [edi+4]
		ja	short loc_6014A7
		jb	short loc_601485
		mov	eax, [ebp+arg_4]
		cmp	eax, [edi]
		jnb	short loc_6014A7

loc_601485:				; CODE XREF: FsRtlCheckLockForOplockRequest(x,x)+61j
		test	ds:byte_70EFC6,	1
		jz	short loc_60149B
		mov	edx, [ebp+4]
		lea	ecx, [edi+10h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6014A3
; 

loc_60149B:				; CODE XREF: FsRtlCheckLockForOplockRequest(x,x)+71j
		xor	ecx, ecx
		lea	eax, [edi+10h]
		lock and [eax],	ecx

loc_6014A3:				; CODE XREF: FsRtlCheckLockForOplockRequest(x,x)+7Ej
		mov	bl, 1
		jmp	short loc_6014C5
; 

loc_6014A7:				; CODE XREF: FsRtlCheckLockForOplockRequest(x,x)+5Fj
					; FsRtlCheckLockForOplockRequest(x,x)+68j
		test	ds:byte_70EFC6,	1
		jz	short loc_6014BD
		mov	edx, [ebp+4]
		lea	ecx, [edi+10h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6014C5
; 

loc_6014BD:				; CODE XREF: FsRtlCheckLockForOplockRequest(x,x)+93j
		xor	ecx, ecx
		lea	eax, [edi+10h]
		lock and [eax],	ecx

loc_6014C5:				; CODE XREF: FsRtlCheckLockForOplockRequest(x,x)+8Aj
					; FsRtlCheckLockForOplockRequest(x,x)+A0j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, bl
		jmp	short loc_6014D4
; 

loc_6014D2:				; CODE XREF: FsRtlCheckLockForOplockRequest(x,x)+10j
					; FsRtlCheckLockForOplockRequest(x,x)+20j ...
		mov	al, 1

loc_6014D4:				; CODE XREF: FsRtlCheckLockForOplockRequest(x,x)+3Bj
					; FsRtlCheckLockForOplockRequest(x,x)+B5j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_FsRtlCheckLockForOplockRequest@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlCheckNoExclusiveConflict(x, x,	x, x, x, x)
_FsRtlCheckNoExclusiveConflict@24 proc near ; CODE XREF: FsRtlFastCheckLockForWrite+E52FAp
					; FsRtlFastCheckLockForRead+E519Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		mov	eax, ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	ecx, [ebp+var_4]
		push	edi
		push	0
		push	ecx
		mov	ecx, [eax+8]
		mov	edi, edx
		push	esi
		mov	[ebp+var_C], eax
		mov	bl, 1

loc_601500:				; DATA XREF: KiTraceSetTimer(x,x,x)+D5o
		call	FsRtlFindFirstOverlappingExclusiveNode
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_601561
		mov	edx, [esi]
		mov	eax, [esi+4]
		mov	esi, [ebp+arg_C]
		mov	[ebp+var_8], edx
		mov	[ebp+arg_0], eax

loc_601519:				; CODE XREF: FsRtlCheckNoExclusiveConflict(x,x,x,x,x,x)+82j
		cmp	eax, [ecx+14h]
		jb	short loc_601561
		ja	short loc_601525
		cmp	edx, [ecx+10h]
		jb	short loc_601561

loc_601525:				; CODE XREF: FsRtlCheckNoExclusiveConflict(x,x,x,x,x,x)+43j
		mov	eax, [edi+4]
		cmp	eax, [ecx+34h]
		ja	short loc_60154B
		jb	short loc_601536
		mov	eax, [edi]
		cmp	eax, [ecx+30h]
		ja	short loc_60154B

loc_601536:				; CODE XREF: FsRtlCheckNoExclusiveConflict(x,x,x,x,x,x)+52j
		mov	eax, [ebp+arg_8]
		cmp	[ecx+28h], eax
		jnz	short loc_60155F
		cmp	[ecx+2Ch], esi
		jnz	short loc_60155F
		mov	eax, [ebp+arg_4]
		cmp	[ecx+24h], eax
		jnz	short loc_60155F

loc_60154B:				; CODE XREF: FsRtlCheckNoExclusiveConflict(x,x,x,x,x,x)+50j
					; FsRtlCheckNoExclusiveConflict(x,x,x,x,x,x)+59j
		push	ecx
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_601561
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+var_8]
		jmp	short loc_601519
; 

loc_60155F:				; CODE XREF: FsRtlCheckNoExclusiveConflict(x,x,x,x,x,x)+61j
					; FsRtlCheckNoExclusiveConflict(x,x,x,x,x,x)+66j ...
		xor	bl, bl

loc_601561:				; CODE XREF: FsRtlCheckNoExclusiveConflict(x,x,x,x,x,x)+2Ej
					; FsRtlCheckNoExclusiveConflict(x,x,x,x,x,x)+41j ...
		cmp	[ebp+var_4], 0
		jz	short loc_601575
		push	[ebp+var_4]
		call	_RtlSplay@4	; RtlSplay(x)
		mov	ecx, [ebp+var_C]
		mov	[ecx+8], eax

loc_601575:				; CODE XREF: FsRtlCheckNoExclusiveConflict(x,x,x,x,x,x)+8Aj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	10h
_FsRtlCheckNoExclusiveConflict@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlCheckNoSharedConflict(x, x, x)
_FsRtlCheckNoSharedConflict@12 proc near ; CODE	XREF: FsRtlFastCheckLockForWrite+E52DEp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		push	0
		mov	edi, ecx
		mov	ebx, edx
		push	eax
		push	[ebp+arg_0]
		mov	ecx, [edi+4]
		call	FsRtlFindFirstOverlappingSharedNode
		cmp	[ebp+var_4], 0
		mov	esi, eax
		jz	short loc_6015B3
		push	[ebp+var_4]
		call	_RtlSplay@4	; RtlSplay(x)
		mov	[edi+4], eax

loc_6015B3:				; CODE XREF: FsRtlCheckNoSharedConflict(x,x,x)+28j
		test	esi, esi
		jz	short loc_6015D6
		lea	ecx, [esi-10h]
		cmp	byte ptr [ecx+4], 0
		jz	short loc_6015D2
		push	[ebp+arg_0]
		mov	edx, ebx
		call	_FsRtlFindFirstOverlapInNode@12	; FsRtlFindFirstOverlapInNode(x,x,x)
		neg	eax
		sbb	al, al
		inc	al
		jmp	short loc_6015D8
; 

loc_6015D2:				; CODE XREF: FsRtlCheckNoSharedConflict(x,x,x)+40j
		xor	al, al
		jmp	short loc_6015D8
; 

loc_6015D6:				; CODE XREF: FsRtlCheckNoSharedConflict(x,x,x)+37j
		mov	al, 1

loc_6015D8:				; CODE XREF: FsRtlCheckNoSharedConflict(x,x,x)+52j
					; FsRtlCheckNoSharedConflict(x,x,x)+56j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_FsRtlCheckNoSharedConflict@12 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 515. FsRtlFastUnlockAllByKey

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlFastUnlockAllByKey(x, x, x, x,	x)
		public _FsRtlFastUnlockAllByKey@20
_FsRtlFastUnlockAllByKey@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	FsRtlPrivateFastUnlockAll
		pop	ebp
		retn	14h
_FsRtlFastUnlockAllByKey@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlFindFirstOverlapInNode(x, x, x)
_FsRtlFindFirstOverlapInNode@12	proc near ; CODE XREF: sub_5CCC5F+3p
					; FsRtlCheckNoSharedConflict(x,x,x)+47p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ecx]
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_601665
		mov	ebx, [edx+4]
		mov	edi, [edx]
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_4], ebx

loc_60161E:				; CODE XREF: FsRtlFindFirstOverlapInNode(x,x,x)+60j
		mov	eax, [ecx+2Ch]
		mov	esi, [ecx+28h]
		mov	[ebp+arg_0], eax
		cmp	eax, ebx
		jb	short loc_60164C
		ja	short loc_601631
		cmp	esi, edi
		jb	short loc_60164C

loc_601631:				; CODE XREF: FsRtlFindFirstOverlapInNode(x,x,x)+28j
		mov	eax, [ecx+8]
		mov	ebx, [ecx+0Ch]
		mov	[ebp+var_8], eax
		or	eax, ebx
		jnz	short loc_60166E
		mov	eax, [ecx+10h]
		or	eax, [ecx+14h]
		jnz	short loc_60166E
		mov	ebx, [ebp+var_4]
		mov	eax, [ebp+arg_0]

loc_60164C:				; CODE XREF: FsRtlFindFirstOverlapInNode(x,x,x)+26j
					; FsRtlFindFirstOverlapInNode(x,x,x)+2Cj
		cmp	esi, [edx]
		jnz	short loc_60165F
		cmp	eax, [edx+4]
		jnz	short loc_60165F
		cmp	[ecx+8], edi
		jnz	short loc_60165F
		cmp	[ecx+0Ch], ebx
		jz	short loc_60167C

loc_60165F:				; CODE XREF: FsRtlFindFirstOverlapInNode(x,x,x)+4Bj
					; FsRtlFindFirstOverlapInNode(x,x,x)+50j ...
		mov	ecx, [ecx]
		test	ecx, ecx
		jnz	short loc_60161E

loc_601665:				; CODE XREF: FsRtlFindFirstOverlapInNode(x,x,x)+Ej
					; FsRtlFindFirstOverlapInNode(x,x,x)+6Ej ...
		xor	eax, eax

loc_601667:				; CODE XREF: FsRtlFindFirstOverlapInNode(x,x,x)+7Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_60166E:				; CODE XREF: FsRtlFindFirstOverlapInNode(x,x,x)+39j
					; FsRtlFindFirstOverlapInNode(x,x,x)+41j
		cmp	ebx, [edx+4]
		ja	short loc_601665
		jb	short loc_60167C
		mov	eax, [ebp+var_8]
		cmp	eax, [edx]
		ja	short loc_601665

loc_60167C:				; CODE XREF: FsRtlFindFirstOverlapInNode(x,x,x)+5Aj
					; FsRtlFindFirstOverlapInNode(x,x,x)+70j
		mov	eax, ecx
		jmp	short loc_601667
_FsRtlFindFirstOverlapInNode@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlPrivateCancelFileLockIrp(x, x)
_FsRtlPrivateCancelFileLockIrp@8 proc near ; CODE XREF:	FsRtlPrivateLock+EA42Bp
					; DATA XREF: FsRtlPrivateLock+EA410o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		xor	ecx, ecx
		and	[ebp+var_4], 0
		inc	ecx
		push	ebx
		push	esi
		mov	bh, [edx+25h]
		xor	bl, bl
		push	edi
		mov	edi, [edx+1Ch]
		add	edi, 10h
		cmp	[ebp+arg_0], 0
		jz	short loc_601712
		mov	eax, large fs:20h
		lea	esi, [eax+450h]
		test	ds:byte_70EFC6,	cl
		jz	short loc_6016C4
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6016EF
; 

loc_6016C4:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+36j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_6016E3
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_6016EF
		mov	ecx, esi
		call	KxWaitForLockChainValid
		xor	ecx, ecx
		inc	ecx

loc_6016E3:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+48j
		mov	dword ptr [esi], 0
		add	eax, 4
		lock xor [eax],	ecx

loc_6016EF:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+42j
					; FsRtlPrivateCancelFileLockIrp(x,x)+57j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _FsRtlFileLockCancelCollideLock
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	bl, 1
		mov	eax, offset _FsRtlFileLockCancelCollideList
		jmp	short loc_601759
; 

loc_601712:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+22j
		lea	eax, [edi+0Ch]

loc_601715:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+DCj
		mov	esi, [eax]
		jmp	short loc_601724
; 

loc_601719:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+A6j
		mov	ecx, [esi]
		cmp	[esi+0Ch], edx
		jz	short loc_60175E
		mov	eax, esi
		mov	esi, ecx

loc_601724:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+97j
		test	esi, esi
		jnz	short loc_601719
		test	bl, bl
		jz	loc_6017D2
		mov	ecx, edi
		xor	bl, bl
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _FsRtlFileLockCancelCollideLock
		jz	short loc_601751
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_601756
; 

loc_601751:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+C5j
		xor	eax, eax
		lock and [ecx],	eax

loc_601756:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+CFj
		lea	eax, [edi+0Ch]

loc_601759:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+90j
		mov	edx, [ebp+arg_4]
		jmp	short loc_601715
; 

loc_60175E:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+9Ej
		mov	[eax], ecx
		test	bl, bl
		jnz	short loc_60176C
		cmp	esi, [edi+10h]
		jnz	short loc_60176C
		mov	[edi+10h], eax

loc_60176C:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+E2j
					; FsRtlPrivateCancelFileLockIrp(x,x)+E7j
		and	dword ptr [edx+1Ch], 0
		test	bl, bl
		jz	short loc_601789
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _FsRtlFileLockCancelCollideLock
		jnz	short loc_601794
		xor	eax, eax
		lock and [ecx],	eax
		jmp	short loc_6017A3
; 

loc_601789:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+F2j
		test	ds:byte_70EFC6,	1
		jz	short loc_60179E
		mov	ecx, edi

loc_601794:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+100j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6017A3
; 

loc_60179E:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+110j
		xor	eax, eax
		lock and [edi],	eax

loc_6017A3:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+107j
					; FsRtlPrivateCancelFileLockIrp(x,x)+11Cj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esi+8]
		lea	eax, [ebp+var_4]
		mov	ecx, [esi+4]
		push	0
		push	eax
		push	0C0000120h
		push	[ebp+arg_4]
		call	FsRtlCompleteLockIrpReal
		mov	edx, esi
		mov	ecx, offset _FsRtlWaitingLockLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_6017F4
; 

loc_6017D2:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+AAj
		test	ds:byte_70EFC6,	1
		jz	short loc_6017E7
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6017EC
; 

loc_6017E7:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+159j
		xor	eax, eax
		lock and [edi],	eax

loc_6017EC:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+165j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_6017F4:				; CODE XREF: FsRtlPrivateCancelFileLockIrp(x,x)+150j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_FsRtlPrivateCancelFileLockIrp@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlPrivateRemoveLock(x, x, x)
_FsRtlPrivateRemoveLock@12 proc	near	; CODE XREF: sub_4E26DD+EA2E8p
					; FsRtlPrivateCheckWaitingLocks+E98C8p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	byte ptr [edx+10h], 0
		lea	eax, [edx+8]
		push	ebx
		mov	ebx, [edx+18h]
		push	esi
		mov	esi, [edx+14h]
		push	edi
		push	[ebp+arg_0]
		mov	edi, [edx+1Ch]
		push	1
		push	0
		push	esi
		push	edi
		push	eax
		push	edx
		mov	edx, ebx
		jz	short loc_60182D
		call	FsRtlFastUnlockSingleExclusive
		jmp	short loc_601832
; 

loc_60182D:				; CODE XREF: FsRtlPrivateRemoveLock(x,x,x)+29j
		call	FsRtlFastUnlockSingleShared

loc_601832:				; CODE XREF: FsRtlPrivateRemoveLock(x,x,x)+30j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_FsRtlPrivateRemoveLock@12 endp

; 
		align 10h
; Exported entry 476. FsRtlAllocatePool

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAllocatePool(x, x)
		public _FsRtlAllocatePool@8
_FsRtlAllocatePool@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	74725346h
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_601863
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_601863:				; CODE XREF: FsRtlAllocatePool(x,x)+17j
		pop	ebp
		retn	8
_FsRtlAllocatePool@8 endp ; sp = -4

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 477. FsRtlAllocatePoolWithQuota

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAllocatePoolWithQuota(x, x)
		public _FsRtlAllocatePoolWithQuota@8
_FsRtlAllocatePoolWithQuota@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	74725346h
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ExAllocatePoolWithQuotaTag
		test	eax, eax
		jnz	short loc_60188F
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_60188F:				; CODE XREF: FsRtlAllocatePoolWithQuota(x,x)+17j
		pop	ebp
		retn	8
_FsRtlAllocatePoolWithQuota@8 endp ; sp	= -4

; 
		align 8
; Exported entry 478. FsRtlAllocatePoolWithQuotaTag

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAllocatePoolWithQuotaTag(x, x,	x)
		public _FsRtlAllocatePoolWithQuotaTag@12
_FsRtlAllocatePoolWithQuotaTag@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ExAllocatePoolWithQuotaTag
		test	eax, eax
		jnz	short loc_6018B9
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_6018B9:				; CODE XREF: FsRtlAllocatePoolWithQuotaTag(x,x,x)+15j
		pop	ebp
		retn	0Ch
_FsRtlAllocatePoolWithQuotaTag@12 endp ; sp = -4

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 479. FsRtlAllocatePoolWithTag

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAllocatePoolWithTag(x,	x, x)
		public _FsRtlAllocatePoolWithTag@12
_FsRtlAllocatePoolWithTag@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_6018E3
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_6018E3:				; CODE XREF: FsRtlAllocatePoolWithTag(x,x,x)+15j
		pop	ebp
		retn	0Ch
_FsRtlAllocatePoolWithTag@12 endp ; sp = -4

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 600. FsRtlNormalizeNtstatus

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNormalizeNtstatus(x, x)
		public _FsRtlNormalizeNtstatus@8
_FsRtlNormalizeNtstatus@8 proc near	; CODE XREF: CcMapAndCopyInToCache+138585p
					; CcMapAndCopyInToCache+138660p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		test	al, al
		jnz	short loc_601902
		mov	esi, [ebp+arg_4]

loc_601902:				; CODE XREF: FsRtlNormalizeNtstatus(x,x)+11j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_FsRtlNormalizeNtstatus@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 501. FsRtlCurrentOplock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlCurrentOplock(x)
		public _FsRtlCurrentOplock@4
_FsRtlCurrentOplock@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	cl, cl
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_601929
		test	dword ptr [eax+48h], 701Eh
		jz	short loc_601929
		inc	cl

loc_601929:				; CODE XREF: FsRtlCurrentOplock(x)+Ej
					; FsRtlCurrentOplock(x)+17j
		mov	al, cl
		pop	ebp
		retn	4
_FsRtlCurrentOplock@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 620. FsRtlOplockBreakToNone

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlOplockBreakToNone(x, x, x, x, x, x)
		public _FsRtlOplockBreakToNone@24
_FsRtlOplockBreakToNone@24 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		cmp	[edx], ecx
		jnz	short loc_601946
		xor	eax, eax
		jmp	short loc_601976
; 

loc_601946:				; CODE XREF: FsRtlOplockBreakToNone(x,x,x,x,x,x)+Cj
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_601954
		mov	eax, [esi+60h]

loc_601954:				; CODE XREF: FsRtlOplockBreakToNone(x,x,x,x,x,x)+1Bj
		cmp	[eax], cl
		jnz	short loc_601964
		test	dword ptr [eax+8], 100h
		jz	short loc_601964
		xor	ecx, ecx
		inc	ecx

loc_601964:				; CODE XREF: FsRtlOplockBreakToNone(x,x,x,x,x,x)+22j
					; FsRtlOplockBreakToNone(x,x,x,x,x,x)+2Bj
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ecx
		push	esi
		push	edx
		call	_FsRtlOplockBreakToNoneEx@24 ; FsRtlOplockBreakToNoneEx(x,x,x,x,x,x)
		pop	esi

loc_601976:				; CODE XREF: FsRtlOplockBreakToNone(x,x,x,x,x,x)+10j
		pop	ebp
		retn	18h
_FsRtlOplockBreakToNone@24 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 621. FsRtlOplockBreakToNoneEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlOplockBreakToNoneEx(x,	x, x, x, x, x)
		public _FsRtlOplockBreakToNoneEx@24
_FsRtlOplockBreakToNoneEx@24 proc near	; CODE XREF: FsRtlOplockBreakToNone(x,x,x,x,x,x)+3Cp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		push	14h
		push	offset dword_6A7E10
		call	__SEH_prolog4
		mov	eax, [ebp+arg_0]
		mov	edi, [eax]
		mov	[ebp+var_24], edi
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	byte ptr [ebp+arg_0+3],	al
		mov	[ebp+var_19], al
		mov	[ebp+ms_exc.disabled], eax
		mov	ebx, [ebp+arg_8]
		test	bl, 10h
		jz	short loc_6019B6
		mov	esi, 0C000000Dh
		mov	[ebp+var_20], esi
		jmp	loc_601A38
; 

loc_6019B6:				; CODE XREF: FsRtlOplockBreakToNoneEx(x,x,x,x,x,x)+28j
		or	ebx, 8

loc_6019B9:				; CODE XREF: FsRtlOplockBreakToNoneEx(x,x,x,x,x,x)+B7j
		mov	[ebp+var_19], al
		cmp	byte ptr [ebp+arg_0+3],	0
		jnz	short loc_6019CE
		mov	ecx, [edi+4Ch]
		call	ExAcquireFastMutexUnsafe
		mov	byte ptr [ebp+arg_0+3],	1

loc_6019CE:				; CODE XREF: FsRtlOplockBreakToNoneEx(x,x,x,x,x,x)+41j
		mov	eax, [ebp+arg_4]
		mov	edx, [eax+60h]
		lea	ecx, [ebp+var_19]
		push	ecx
		lea	ecx, [ebp+arg_0+3]
		push	ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ecx
		push	ebx
		push	eax
		mov	ecx, edi
		call	FsRtlpOplockBreakToNone
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jnz	short loc_601A2F
		mov	eax, [ebp+arg_4]
		mov	edx, [eax+60h]
		lea	ecx, [ebp+var_19]
		push	ecx
		lea	ecx, [ebp+arg_0+3]
		push	ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	7000h
		push	ecx
		push	ebx
		push	eax
		mov	ecx, edi
		call	_FsRtlpOplockBreakByCacheFlags@60 ; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi

loc_601A2F:				; CODE XREF: FsRtlOplockBreakToNoneEx(x,x,x,x,x,x)+7Dj
		cmp	[ebp+var_19], 0
		push	0
		pop	eax
		jnz	short loc_6019B9

loc_601A38:				; CODE XREF: FsRtlOplockBreakToNoneEx(x,x,x,x,x,x)+32j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_601A5E
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_FsRtlOplockBreakToNoneEx@24 endp


;  S U B	R O U T	I N E 


sub_601A58	proc near		; DATA XREF: .text:006A7E28o
		mov	edi, [ebp-24h]
		mov	esi, [ebp-20h]
sub_601A58	endp


;  S U B	R O U T	I N E 


sub_601A5E	proc near		; CODE XREF: FsRtlOplockBreakToNoneEx(x,x,x,x,x,x)+C0p
		cmp	byte ptr [ebp+0Bh], 0
		jz	short locret_601A6C
		mov	ecx, [edi+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

locret_601A6C:				; CODE XREF: sub_601A5E+4j
		retn
sub_601A5E	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 624. FsRtlOplockGetAnyBreakOwnerProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlOplockGetAnyBreakOwnerProcess(x)
		public _FsRtlOplockGetAnyBreakOwnerProcess@4
_FsRtlOplockGetAnyBreakOwnerProcess@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_601ABE
		mov	esi, [esi]
		test	esi, esi
		jz	short loc_601ABE
		mov	ecx, [esi+4Ch]
		push	edi
		call	ExAcquireFastMutexUnsafe
		mov	edi, [esi+8]
		test	edi, edi
		jnz	short loc_601AA5
		lea	eax, [esi+24h]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_601AB1
		mov	edi, [ecx+10h]
		test	edi, edi
		jz	short loc_601AB1

loc_601AA5:				; CODE XREF: FsRtlOplockGetAnyBreakOwnerProcess(x)+21j
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag

loc_601AB1:				; CODE XREF: FsRtlOplockGetAnyBreakOwnerProcess(x)+2Aj
					; FsRtlOplockGetAnyBreakOwnerProcess(x)+31j
		mov	ecx, [esi+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	eax, edi
		pop	edi
		jmp	short loc_601AC0
; 

loc_601ABE:				; CODE XREF: FsRtlOplockGetAnyBreakOwnerProcess(x)+Bj
					; FsRtlOplockGetAnyBreakOwnerProcess(x)+11j
		xor	eax, eax

loc_601AC0:				; CODE XREF: FsRtlOplockGetAnyBreakOwnerProcess(x)+4Aj
		pop	esi
		pop	ebp
		retn	4
_FsRtlOplockGetAnyBreakOwnerProcess@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 627. FsRtlOplockKeysEqual

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlOplockKeysEqual(x, x)
		public _FsRtlOplockKeysEqual@8
_FsRtlOplockKeysEqual@8	proc near	; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1FAp
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+689p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	FsRtlpOplockKeysEqual
		pop	ebp
		retn	8
_FsRtlOplockKeysEqual@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpAcknowledgeOplockBreak(x, x, x, x, x)
_FsRtlpAcknowledgeOplockBreak@20 proc near ; CODE XREF:	FsRtlpOplockFsctrlInternal+F0369p
					; sub_9241A5+Ap

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_7		= byte ptr  0Fh
arg_8		= dword	ptr  10h

		push	1Ch
		push	offset dword_6A7DF0
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	esi, ecx
		mov	[ebp+var_28], esi
		mov	edi, [ebp+arg_0]
		mov	ebx, 0C00000E3h
		mov	[ebp+var_20], ebx
		test	esi, esi

loc_601B01:				; DATA XREF: KiTraceSetTimer2(x,x,x)+D2o
		jnz	short loc_601B23
		mov	[edi+18h], ebx
		mov	dl, 1
		mov	ecx, edi
		call	IofCompleteRequest

loc_601B0F:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+211j
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_601B23:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x):loc_601B01j
		mov	ecx, [esi+4Ch]
		call	ExAcquireFastMutexUnsafe
		xor	ebx, ebx
		inc	ebx
		mov	byte ptr [ebp+arg_0+3],	bl
		and	[ebp+ms_exc.disabled], 0
		mov	[ebp+var_19], bl
		mov	eax, [esi+4]
		mov	ecx, [ebp+var_24]
		cmp	eax, [ecx+18h]
		jnz	loc_601CCC
		mov	edx, [ebp+arg_8]
		push	10h
		pop	eax
		mov	[ebp+arg_8], eax
		mov	ecx, eax
		call	FsRtlpOplockUpperLowerCompatible
		test	al, al
		jnz	short loc_601B75
		mov	eax, [esi+48h]
		test	eax, 100h
		jz	short loc_601B75
		and	eax, 0FFFFFEFFh
		mov	[esi+48h], eax
		or	eax, 400h
		mov	[esi+48h], eax

loc_601B75:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+79j
					; FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+83j
		cmp	[ebp+arg_4], 0
		jz	loc_601C52
		test	dword ptr [esi+48h], 100h
		jz	loc_601C52
		mov	eax, [edi+60h]
		mov	[ebp+var_2C], eax
		or	[eax+3], bl
		and	dword ptr [edi+18h], 0
		lea	ecx, [edi+58h]
		lea	eax, [esi+14h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jz	short loc_601BAB
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_601BAB:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+C4j
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[edx+4], ecx
		mov	[eax], ecx
		mov	[edi+1Ch], esi
		mov	[ebp+var_19], 0
		push	10h
		pop	eax
		mov	[ebp+var_24], eax
		push	7
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[edi+25h], al
		cmp	byte ptr [edi+24h], 0
		jz	short loc_601BDE
		mov	dl, bl
		mov	ecx, edi
		call	_FsRtlpCancelReadOnlyOplockIrp@8 ; FsRtlpCancelReadOnlyOplockIrp(x,x)
		jmp	short loc_601C45
; 

loc_601BDE:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+F1j
		mov	ecx, offset _FsRtlpReadOnlyOplockIrpCancelRoutine@8 ; FsRtlpReadOnlyOplockIrpCancelRoutine(x,x)
		lea	eax, [edi+38h]
		xchg	ecx, [eax]
		mov	al, [edi+25h]
		mov	[ebp+arg_7], al
		mov	eax, large fs:20h
		lea	edi, [eax+450h]
		test	ds:byte_70EFC6,	bl
		jz	short loc_601C0E
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_601C36
; 

loc_601C0E:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+120j
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_601C2A
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_601C36
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_601C2A:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+132j
		mov	dword ptr [edi], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_601C36:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+12Cj
					; FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+141j
		mov	cl, [ebp+arg_7]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_24]
		mov	[ebp+arg_8], eax

loc_601C45:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+FCj
		mov	ebx, 103h
		mov	[ebp+var_20], ebx
		mov	edi, [ebp+arg_8]
		jmp	short loc_601C85
; 

loc_601C52:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+99j
					; FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+A6j
		mov	eax, [esi+48h]
		test	eax, 300h
		jz	short loc_601C63
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		jmp	short loc_601C76
; 

loc_601C63:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+17Aj
		test	eax, 400h
		jz	short loc_601CCC
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	dword ptr [edi+1Ch], 8

loc_601C76:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+181j
		and	[edi+18h], ebx
		mov	dl, 1
		mov	ecx, edi
		call	IofCompleteRequest
		xor	edi, edi
		inc	edi

loc_601C85:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+170j
					; FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+1B3j
		lea	eax, [esi+2Ch]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_601C95
		call	_FsRtlpRemoveAndCompleteWaitingIrp@4 ; FsRtlpRemoveAndCompleteWaitingIrp(x)
		jmp	short loc_601C85
; 

loc_601C95:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+1ACj
		cmp	[ebp+var_19], 0
		jz	short loc_601CA3
		mov	ecx, [esi+4]
		call	ObfDereferenceObject

loc_601CA3:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+1B9j
		and	dword ptr [esi+4], 0
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, esi
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	byte ptr [esi+10h], 0
		mov	eax, [esi+48h]
		and	eax, 20h
		or	eax, edi
		mov	[esi+48h], eax
		jmp	short loc_601CE2
; 

loc_601CCC:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+61j
					; FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+188j
		mov	eax, 0C00000E3h
		mov	ebx, eax
		mov	[ebp+var_20], ebx
		mov	[edi+18h], eax
		mov	dl, 1
		mov	ecx, edi
		call	IofCompleteRequest

loc_601CE2:				; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+1EAj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		inc	eax
		call	sub_601CFF
		jmp	loc_601B0F
_FsRtlpAcknowledgeOplockBreak@20 endp


;  S U B	R O U T	I N E 


sub_601CF6	proc near		; DATA XREF: .text:006A7E08o
		mov	esi, [ebp-28h]
		mov	ebx, [ebp-20h]
		mov	al, [ebp+0Bh]
sub_601CF6	endp


;  S U B	R O U T	I N E 


sub_601CFF	proc near		; CODE XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+20Cp
		test	al, al
		jz	short locret_601D0B
		mov	ecx, [esi+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

locret_601D0B:				; CODE XREF: sub_601CFF+2j
		retn
sub_601CFF	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpAcknowledgeOplockBreakByCacheFlags(x,	x, x, x, x, x)
_FsRtlpAcknowledgeOplockBreakByCacheFlags@24 proc near
					; CODE XREF: FsRtlpOplockFsctrlInternal+F0662p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1F		= byte ptr -1Fh
var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= byte ptr -1Ch
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	2Ch
		push	offset dword_6A7DD0
		call	__SEH_prolog4
		mov	[ebp+var_30], edx
		mov	[ebp+var_24], ecx
		xor	eax, eax
		mov	[ebp+var_2C], eax
		mov	edi, eax
		mov	[ebp+var_28], edi
		mov	dl, al
		mov	[ebp+var_19], dl
		mov	[ebp+var_1A], dl
		mov	[ebp+var_1D], al
		mov	[ebp+var_1B], al
		mov	[ebp+var_1F], al
		mov	[ebp+var_1E], al
		test	ecx, ecx
		jnz	short loc_601D59
		mov	esi, 0C00000E3h
		mov	ecx, [ebp+arg_0]
		mov	[ecx+18h], esi
		mov	dl, 1
		call	IofCompleteRequest
		mov	eax, esi
		jmp	loc_602401
; 

loc_601D59:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+32j
		mov	ecx, [ecx+4Ch]
		call	ExAcquireFastMutexUnsafe
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_20], bl
		and	[ebp+ms_exc.disabled], edi
		mov	eax, [ebp+var_24]
		mov	eax, [eax+48h]
		mov	esi, 0B000h
		test	eax, 0F00000h
		jnz	short loc_601D90
		mov	ecx, eax
		and	ecx, 1F0FFDFh
		cmp	ecx, esi
		jz	short loc_601D90
		cmp	ecx, 3000h
		jnz	short loc_601DAA

loc_601D90:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+6Ej
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+7Aj
		and	eax, 1F0FFDFh
		cmp	eax, esi
		jz	short loc_601DA0
		cmp	eax, 3000h
		jnz	short loc_601DC7

loc_601DA0:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+8Bj
		mov	eax, [ebp+var_24]
		add	eax, 24h
		cmp	[eax], eax
		jnz	short loc_601DC7

loc_601DAA:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+82j
		mov	esi, 0C00000E3h
		mov	[ebp+var_2C], esi
		mov	ecx, [ebp+arg_0]
		mov	[ecx+18h], esi
		mov	dl, bl
		call	IofCompleteRequest
		mov	edi, [ebp+var_28]
		jmp	loc_6023F2
; 

loc_601DC7:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+92j
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+9Cj
		mov	ebx, [ebp+arg_0]
		mov	eax, [ebx+0Ch]
		mov	edx, [eax+8]
		and	edx, 4
		mov	[ebp+arg_0], edx
		setnz	al
		mov	byte ptr [ebp+var_38], al
		test	edx, edx
		jz	short loc_601DFE
		push	6F725346h
		push	0Ch
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_28], edi
		xor	eax, eax
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_28]
		mov	edx, [ebp+arg_0]

loc_601DFE:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+D2j
		mov	ecx, [ebp+var_24]
		mov	eax, [ecx+48h]
		and	eax, 1F0FFDFh
		mov	ecx, 307040h
		cmp	eax, ecx
		ja	loc_601EE9
		jz	short loc_601E48
		cmp	eax, 3000h
		jz	loc_601F2E
		cmp	eax, esi
		jz	loc_601F2E
		cmp	eax, 103000h
		jz	loc_601F2E
		cmp	eax, 105040h
		jz	short loc_601E48
		cmp	eax, 107040h
		jnz	loc_601F11

loc_601E48:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+10Aj
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+12Fj ...
		mov	esi, [ebp+var_30]
		test	edx, edx
		jz	short loc_601E7B
		mov	eax, [ebp+var_24]
		mov	eax, [eax+4]
		mov	ecx, [esi+18h]
		cmp	eax, ecx
		jz	loc_601F11
		push	eax
		push	ecx
		call	_FsRtlOplockKeysEqual@8	; FsRtlOplockKeysEqual(x,x)
		test	al, al
		jz	loc_601F11
		mov	edx, [ebp+arg_0]
		mov	ecx, 307040h
		test	edx, edx
		jnz	short loc_601E92

loc_601E7B:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+141j
		mov	eax, [ebp+var_24]
		mov	eax, [eax+4]
		cmp	eax, [esi+18h]
		jnz	loc_601F11
		test	edx, edx
		jz	loc_60229A

loc_601E92:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+16Dj
		cmp	[ebp+arg_4], 0
		jnz	loc_60229A
		push	0
		xor	edx, edx
		mov	ecx, [ebp+var_24]
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, [ebp+var_24]
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	eax, [ebp+var_24]
		mov	byte ptr [eax+10h], 0
		mov	ecx, [ebp+var_24]
		mov	eax, [ecx+48h]
		and	eax, 20h
		xor	edx, edx
		inc	edx
		or	eax, edx
		mov	[ecx+48h], eax
		mov	eax, [ebp+var_24]
		mov	eax, [eax+4]
		mov	[edi+8], eax
		mov	eax, [ebp+var_24]
		add	eax, 34h
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jz	loc_60226C

loc_601EE4:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+3A7j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_601EE9:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+104j
		cmp	eax, 507040h
		jz	loc_601E48
		cmp	eax, offset loc_803000
		jz	short loc_601F2E
		cmp	eax, 805040h
		jz	loc_601E48
		cmp	eax, offset loc_807040
		jz	loc_601E48

loc_601F11:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+136j
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+14Ej ...
		mov	esi, 0C00000E3h
		mov	[ebp+var_2C], esi
		mov	[ebx+18h], esi
		xor	edx, edx
		inc	edx
		mov	ecx, ebx
		call	IofCompleteRequest

loc_601F26:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+665j
		mov	edi, [ebp+var_28]
		jmp	loc_6023EF
; 

loc_601F2E:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+111j
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+119j ...
		mov	eax, [ebp+var_24]
		mov	esi, [eax+24h]

loc_601F34:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+53Ej
		mov	[ebp+var_34], esi
		mov	eax, [ebp+var_24]
		add	eax, 24h
		cmp	esi, eax
		jz	loc_602011
		mov	ecx, [ebp+var_30]
		add	ecx, 18h
		mov	[ebp+var_3C], ecx
		test	edx, edx
		jnz	short loc_601F61
		mov	eax, [esi+0Ch]
		cmp	eax, [ecx]
		jz	short loc_601F80
		test	edx, edx
		jz	loc_602248

loc_601F61:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+244j
		mov	eax, [esi+0Ch]
		mov	edx, [ecx]
		cmp	eax, edx
		jz	loc_602245
		mov	[ebp+var_3C], ecx
		push	eax
		push	edx
		call	_FsRtlOplockKeysEqual@8	; FsRtlOplockKeysEqual(x,x)
		test	al, al
		jz	loc_602245

loc_601F80:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+24Bj
		xor	edx, edx
		inc	edx
		mov	al, dl
		mov	[ebp+var_19], al
		mov	[ebp+var_1C], al
		mov	eax, [esi+18h]
		and	eax, 0F00000h
		cmp	eax, 800000h
		jnz	loc_602037
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_602095
		mov	eax, [ebp+var_24]
		add	eax, 2Ch
		cmp	[eax], eax
		jnz	short loc_601FC3
		mov	edx, [ebp+arg_C]
		call	FsRtlpOplockUpperLowerCompatible
		test	al, al
		jnz	loc_602095

loc_601FC3:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+2A5j
		mov	edx, [ebx+0Ch]
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		mov	dword ptr [edx+4], 3
		mov	eax, [ebp+var_24]
		add	eax, 2Ch
		mov	ecx, [eax]
		sub	ecx, eax
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, [ebp+arg_C]
		mov	[edx+8], ecx
		xor	eax, eax
		inc	eax
		or	[edx+0Ch], eax
		mov	dl, al

loc_601FF4:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+384j
		mov	dword ptr [ebx+1Ch], 18h
		mov	esi, 8000002Eh
		mov	[ebx+18h], esi
		mov	ecx, ebx
		call	IofCompleteRequest
		mov	[ebp+var_2C], esi
		mov	[ebp+var_1A], 1

loc_602011:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+233j
		mov	edi, [ebp+var_28]

loc_602014:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+534j
		cmp	[ebp+var_19], 0
		jnz	loc_60224F
		mov	esi, 0C00000E3h
		mov	[ebp+var_2C], esi
		mov	[ebx+18h], esi
		mov	dl, 1
		mov	ecx, ebx
		call	IofCompleteRequest
		jmp	loc_6023EF
; 

loc_602037:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+28Cj
		cmp	eax, 100000h
		jnz	short loc_602095
		mov	ecx, [ebp+arg_4]
		mov	eax, ecx
		and	eax, 7000h
		cmp	eax, 3000h
		jbe	short loc_602095
		mov	eax, [ebp+var_24]
		add	eax, 2Ch
		cmp	[eax], eax
		jnz	short loc_602068
		mov	edx, [ebp+arg_C]
		call	FsRtlpOplockUpperLowerCompatible
		test	al, al
		jnz	short loc_602095
		xor	edx, edx
		inc	edx

loc_602068:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+34Bj
		mov	esi, [ebx+0Ch]
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		mov	dword ptr [esi+4], 3
		mov	eax, [ebp+var_24]
		add	eax, 2Ch
		cmp	[eax], eax
		mov	eax, [ebp+arg_C]
		jz	short loc_60208A
		mov	eax, edx

loc_60208A:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+37Aj
		mov	[esi+8], eax
		or	[esi+0Ch], edx
		jmp	loc_601FF4
; 

loc_602095:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+297j
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+2B1j ...
		mov	ecx, esi
		call	_FsRtlpOplockDequeueRH@4 ; FsRtlpOplockDequeueRH(x)
		cmp	[ebp+arg_0], 0
		jz	short loc_6020CD
		mov	eax, [esi+0Ch]
		mov	[edi+8], eax
		mov	eax, [ebp+var_24]
		add	eax, 34h
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_601EE4
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[ecx+4], edi
		mov	[eax], edi
		xor	edi, edi
		mov	[ebp+var_28], edi
		mov	edx, [ebp+arg_4]
		jmp	short loc_6020E6
; 

loc_6020CD:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+394j
		mov	[ebp+var_1D], 1
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jnz	short loc_6020E3
		mov	ecx, [esi+0Ch]
		call	ObfDereferenceObject
		mov	edx, [ebp+arg_4]

loc_6020E3:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+3CAj
		mov	edi, [ebp+var_28]

loc_6020E6:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+3BFj
		test	edx, edx
		jnz	short loc_602109
		mov	ecx, [ebp+var_24]
		call	FsRtlpComputeShareableOplockState
		and	[ebp+var_2C], 0
		and	dword ptr [ebx+18h], 0
		xor	edx, edx
		inc	edx
		mov	ecx, ebx
		call	IofCompleteRequest
		jmp	loc_602200
; 

loc_602109:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+3DCj
		mov	ecx, edx
		and	ecx, 4040h
		neg	ecx
		sbb	cl, cl
		inc	cl
		test	edx, 3010h
		setnz	al
		test	cl, al
		jz	short loc_602144
		push	[ebp+arg_C]
		push	1
		push	[ebp+var_38]
		push	[ebp+arg_8]
		push	edx
		push	ebx
		mov	edx, [ebp+var_30]
		lea	ecx, [ebp+var_24]
		call	_FsRtlpRequestShareableOplock@32 ; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)
		mov	[ebp+var_2C], eax
		jmp	loc_602200
; 

loc_602144:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+416j
		mov	eax, [ebp+var_24]
		mov	[eax], ebx
		mov	eax, [ebx+60h]
		or	byte ptr [eax+3], 1
		mov	[ebp+var_2C], 103h
		mov	eax, [ebp+var_24]
		mov	[ebx+1Ch], eax
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	eax, [ebp+var_24]
		mov	[eax+8], ecx
		mov	ecx, large fs:124h
		mov	eax, [ebp+var_24]
		mov	[eax+0Ch], ecx
		mov	ecx, [ebp+var_24]
		mov	ecx, [ecx+0Ch]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebp+var_24]
		mov	byte ptr [eax+10h], 0
		cmp	[ebp+arg_0], 0
		jz	short loc_6021A2
		mov	esi, [ebp+var_3C]
		mov	ecx, [esi]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [esi]
		jmp	short loc_6021A5
; 

loc_6021A2:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+486j
		mov	ecx, [esi+0Ch]

loc_6021A5:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+494j
		mov	eax, [ebp+var_24]
		mov	[eax+4], ecx
		mov	ecx, [ebp+var_24]
		mov	eax, [ecx+48h]
		and	eax, 20h
		or	eax, [ebp+arg_4]
		or	eax, 40h
		mov	[ecx+48h], eax
		lea	esi, [ebx+25h]
		push	esi
		call	_IoAcquireCancelSpinLock@4 ; IoAcquireCancelSpinLock(x)
		cmp	byte ptr [ebx+24h], 0
		jz	short loc_6021E1
		xor	edx, edx
		inc	edx
		mov	eax, [ebp+var_38]
		xor	al, dl
		movzx	eax, al
		push	eax
		mov	ecx, ebx
		call	_FsRtlpCancelExclusiveIrp@12 ; FsRtlpCancelExclusiveIrp(x,x,x)
		jmp	short loc_6021F4
; 

loc_6021E1:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+4BEj
		mov	ecx, offset _FsRtlpExclusiveIrpCancelRoutine@8 ; FsRtlpExclusiveIrpCancelRoutine(x,x)
		lea	eax, [ebx+38h]
		xchg	ecx, [eax]
		movzx	eax, byte ptr [esi]
		push	eax
		call	IoReleaseCancelSpinLock

loc_6021F4:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+4D3j
		mov	al, [ebp+var_1C]
		mov	edi, [ebp+var_28]
		mov	[ebp+var_19], al
		mov	esi, [ebp+var_34]

loc_602200:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+3F8j
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+433j
		push	0
		mov	edx, esi
		mov	ecx, [ebp+var_24]
		call	FsRtlpModifyThreadPriorities
		mov	edx, esi
		mov	ecx, [ebp+var_24]
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	ecx, [ebp+var_24]
		lea	eax, [ecx+24h]
		cmp	[eax], eax
		jnz	short loc_602224
		mov	byte ptr [ecx+10h], 0

loc_602224:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+512j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+arg_0], 0
		jz	short loc_60223C
		mov	eax, [ebp+var_24]
		or	dword ptr [eax+48h], 1000000h

loc_60223C:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+524j
		mov	[ebp+var_1A], 1
		jmp	loc_602014
; 

loc_602245:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+25Cj
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+26Ej
		mov	edx, [ebp+arg_0]

loc_602248:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+24Fj
		mov	esi, [esi]
		jmp	loc_601F34
; 

loc_60224F:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+30Cj
		cmp	[ebp+var_1D], 0
		jz	short loc_60225D
		mov	ecx, [ebp+var_24]
		call	FsRtlpReleaseIrpsWaitingForRH

loc_60225D:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+547j
		cmp	[ebp+var_1A], 0
		jnz	loc_6023EF
		jmp	loc_6023BE
; 

loc_60226C:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+1D2j
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[ecx+4], edi
		mov	[eax], edi
		xor	edi, edi
		mov	[ebp+var_28], edi
		mov	eax, [ebp+var_24]
		and	[eax+4], edi
		mov	eax, [ebp+var_24]
		or	dword ptr [eax+48h], 1000000h
		and	[ebx+18h], edi
		mov	ecx, ebx
		call	IofCompleteRequest
		jmp	loc_6023BE
; 

loc_60229A:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+180j
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+18Aj
		mov	eax, [ebp+var_24]
		mov	edx, [eax+48h]
		mov	eax, edx
		and	eax, 1F0FFDFh
		cmp	eax, 105040h
		jz	short loc_6022CE
		cmp	eax, 107040h
		jz	short loc_6022CE
		cmp	eax, ecx
		jz	short loc_6022CE
		cmp	eax, 507040h
		jz	short loc_6022CE
		cmp	eax, 805040h
		jz	short loc_6022CE
		cmp	eax, offset loc_807040
		jnz	short loc_602308

loc_6022CE:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+5A0j
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+5A7j ...
		mov	ecx, edx
		shr	ecx, 1
		mov	esi, 200000h
		and	ecx, esi
		mov	eax, edx
		and	eax, 100000h
		or	ecx, eax
		shr	ecx, 1
		and	edx, esi
		or	ecx, edx
		shr	ecx, 7
		mov	eax, [ebp+arg_4]
		and	eax, 7000h
		cmp	eax, ecx
		jbe	short loc_602308
		mov	eax, [ebp+var_24]
		add	eax, 2Ch
		cmp	[eax], eax
		jz	short loc_602308
		xor	edx, edx
		inc	edx
		mov	al, dl
		jmp	short loc_60230B
; 

loc_602308:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+5C0j
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+5E9j ...
		mov	al, [ebp+var_1B]

loc_60230B:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+5FAj
		test	al, al
		jz	short loc_602376
		mov	esi, [ebx+0Ch]
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		mov	eax, [ebp+var_24]
		mov	eax, [eax+48h]
		shr	eax, 0Ch
		and	eax, 7
		mov	[esi+4], eax
		mov	eax, [ebp+var_24]
		mov	ecx, [eax+48h]
		mov	edx, ecx
		shr	edx, 1
		mov	edi, 200000h
		and	edx, edi
		mov	eax, ecx
		and	eax, 100000h
		or	edx, eax
		shr	edx, 1
		and	ecx, edi
		or	edx, ecx
		shr	edx, 13h
		mov	[esi+8], edx
		xor	eax, eax
		inc	eax
		or	[esi+0Ch], eax
		mov	dword ptr [ebx+1Ch], 18h
		mov	esi, 8000002Eh
		mov	[ebx+18h], esi
		mov	dl, al
		mov	ecx, ebx
		call	IofCompleteRequest
		mov	[ebp+var_2C], esi
		jmp	loc_601F26
; 

loc_602376:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+601j
		push	0
		xor	edx, edx
		mov	ecx, [ebp+var_24]
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, [ebp+var_24]
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	eax, [ebp+var_24]
		mov	byte ptr [eax+10h], 0
		push	[ebp+arg_C]
		lea	eax, [ebp+var_1F]
		push	eax
		lea	eax, [ebp-1Eh]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_38]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+var_30]
		mov	edx, ebx
		mov	ecx, [ebp+var_24]
		call	_FsRtlpGrantAnyOplockFromExclusive@40 ;	FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_2C], eax
		mov	edi, [ebp+var_28]

loc_6023BE:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+55Bj
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+589j
		cmp	[ebp+var_1E], 0
		jz	short loc_6023D7

loc_6023C4:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+6C9j
		mov	eax, [ebp+var_24]
		add	eax, 2Ch
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_6023D7
		call	_FsRtlpRemoveAndCompleteWaitingIrp@4 ; FsRtlpRemoveAndCompleteWaitingIrp(x)
		jmp	short loc_6023C4
; 

loc_6023D7:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+6B6j
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+6C2j
		cmp	[ebp+var_1F], 0
		jz	short loc_6023EF
		mov	ecx, [ebp+var_24]
		mov	ecx, [ecx+4]
		call	ObfDereferenceObject
		mov	eax, [ebp+var_24]
		and	dword ptr [eax+4], 0

loc_6023EF:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+21Dj
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+326j ...
		xor	ebx, ebx
		inc	ebx

loc_6023F2:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+B6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_602419
		mov	eax, [ebp+var_2C]

loc_602401:				; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+48j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_FsRtlpAcknowledgeOplockBreakByCacheFlags@24 endp


;  S U B	R O U T	I N E 


sub_602413	proc near		; DATA XREF: .text:006A7DE8o
		mov	bl, [ebp-20h]
		mov	edi, [ebp-28h]
sub_602413	endp


;  S U B	R O U T	I N E 


sub_602419	proc near		; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+6EDp
		test	edi, edi
		jz	short loc_602425
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_602425:				; CODE XREF: sub_602419+2j
		test	bl, bl
		jz	short locret_602434
		mov	ecx, [ebp-24h]
		mov	ecx, [ecx+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

locret_602434:				; CODE XREF: sub_602419+Ej
		retn
sub_602419	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpCallerIsAtomicRequestor(x, x,	x)
_FsRtlpCallerIsAtomicRequestor@12 proc near ; CODE XREF: LdrpGetResourceFileName+214p
					; FsRtlCheckOplockEx2+C62FFp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		xor	bl, bl
		add	ecx, 3Ch
		push	esi
		mov	esi, edx
		mov	eax, [ecx]
		jmp	short loc_602451
; 

loc_602447:				; CODE XREF: FsRtlpCallerIsAtomicRequestor(x,x,x)+1Ej
		lea	edx, [eax-1Ch]
		cmp	esi, [edx+0Ch]
		jz	short loc_602457
		mov	eax, [eax]

loc_602451:				; CODE XREF: FsRtlpCallerIsAtomicRequestor(x,x,x)+10j
		cmp	eax, ecx
		jnz	short loc_602447
		jmp	short loc_602462
; 

loc_602457:				; CODE XREF: FsRtlpCallerIsAtomicRequestor(x,x,x)+18j
		mov	ecx, [ebp+arg_0]
		mov	bl, 1
		test	ecx, ecx
		jz	short loc_602462
		mov	[ecx], edx

loc_602462:				; CODE XREF: FsRtlpCallerIsAtomicRequestor(x,x,x)+20j
					; FsRtlpCallerIsAtomicRequestor(x,x,x)+29j
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
_FsRtlpCallerIsAtomicRequestor@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpCancelExclusiveIrp(x,	x, x)
_FsRtlpCancelExclusiveIrp@12 proc near	; CODE XREF: LdrpGetResourceFileName+7DEp
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+4CEp ...

var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= byte ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

		push	14h
		push	offset dword_6A7D10
		call	__SEH_prolog4
		mov	[ebp+var_1C], dl
		mov	edi, [ecx+1Ch]
		mov	[ebp+var_24], edi
		xor	esi, esi
		lea	eax, [ecx+38h]
		xchg	esi, [eax]
		mov	al, [ecx+25h]
		mov	[ebp+var_1D], al
		mov	eax, large fs:20h
		lea	esi, [eax+450h]
		test	ds:byte_70EFC6,	1
		jz	short loc_6024AD
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6024D8
; 

loc_6024AD:				; CODE XREF: FsRtlpCancelExclusiveIrp(x,x,x)+35j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_6024C9
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_6024D8
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_6024C9:				; CODE XREF: FsRtlpCancelExclusiveIrp(x,x,x)+47j
		mov	dword ptr [esi], 0
		xor	ecx, ecx
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_6024D8:				; CODE XREF: FsRtlpCancelExclusiveIrp(x,x,x)+41j
					; FsRtlpCancelExclusiveIrp(x,x,x)+56j
		mov	cl, [ebp+var_1D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_1C], 0
		jnz	short loc_6024EF
		mov	ecx, [edi+4Ch]
		call	ExAcquireFastMutex

loc_6024EF:				; CODE XREF: FsRtlpCancelExclusiveIrp(x,x,x)+7Bj
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_602565
		cmp	byte ptr [eax+24h], 0
		jz	short loc_602565
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, edi
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	byte ptr [edi+10h], 0
		mov	eax, [edi]
		cmp	[eax+1Ch], edi
		jnz	short loc_602524
		and	dword ptr [eax+1Ch], 0
		mov	eax, [edi]

loc_602524:				; CODE XREF: FsRtlpCancelExclusiveIrp(x,x,x)+B2j
		mov	dword ptr [eax+18h], 0C0000120h
		mov	dl, 1
		mov	ecx, [edi]
		call	IofCompleteRequest
		and	dword ptr [edi], 0
		mov	ecx, [edi+4]
		call	ObfDereferenceObject
		and	dword ptr [edi+4], 0
		mov	eax, [edi+48h]
		and	eax, 20h
		or	eax, 1
		mov	[edi+48h], eax
		cmp	[ebp+arg_0], 0
		jz	short loc_602565

loc_602555:				; CODE XREF: FsRtlpCancelExclusiveIrp(x,x,x)+F9j
		lea	eax, [edi+2Ch]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_602565
		call	_FsRtlpRemoveAndCompleteWaitingIrp@4 ; FsRtlpRemoveAndCompleteWaitingIrp(x)
		jmp	short loc_602555
; 

loc_602565:				; CODE XREF: FsRtlpCancelExclusiveIrp(x,x,x)+8Dj
					; FsRtlpCancelExclusiveIrp(x,x,x)+93j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_602586
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_FsRtlpCancelExclusiveIrp@12 endp


;  S U B	R O U T	I N E 


sub_602583	proc near		; DATA XREF: .text:006A7D28o
		mov	edi, [ebp-24h]
sub_602583	endp


;  S U B	R O U T	I N E 


sub_602586	proc near		; CODE XREF: FsRtlpCancelExclusiveIrp(x,x,x)+102p
		cmp	byte ptr [ebp-1Ch], 0
		jnz	short locret_602594
		mov	ecx, [edi+4Ch]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

locret_602594:				; CODE XREF: sub_602586+4j
		retn
sub_602586	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpCancelReadOnlyOplockIrp(x, x)
_FsRtlpCancelReadOnlyOplockIrp@8 proc near
					; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+5F3p
					; FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+F7p ...

var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= byte ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	18h
		push	offset dword_6A7D30
		call	__SEH_prolog4
		mov	bl, dl
		mov	[ebp+var_1C], bl
		mov	edi, [ecx+1Ch]
		mov	[ebp+var_24], edi
		xor	esi, esi
		lea	eax, [ecx+38h]
		xchg	esi, [eax]
		mov	bh, [ecx+25h]
		mov	eax, large fs:20h
		lea	esi, [eax+450h]
		test	ds:byte_70EFC6,	1
		jz	short loc_6025D7
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_602602
; 

loc_6025D7:				; CODE XREF: FsRtlpCancelReadOnlyOplockIrp(x,x)+34j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_6025F3
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_602602
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_6025F3:				; CODE XREF: FsRtlpCancelReadOnlyOplockIrp(x,x)+46j
		mov	dword ptr [esi], 0
		xor	ecx, ecx
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_602602:				; CODE XREF: FsRtlpCancelReadOnlyOplockIrp(x,x)+40j
					; FsRtlpCancelReadOnlyOplockIrp(x,x)+55j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	bh, bh
		test	bl, bl
		jnz	short loc_602618
		mov	ecx, [edi+4Ch]
		call	ExAcquireFastMutex

loc_602618:				; CODE XREF: FsRtlpCancelReadOnlyOplockIrp(x,x)+79j
		and	[ebp+ms_exc.disabled], 0
		lea	eax, [edi+14h]
		mov	esi, [eax]

loc_602621:				; CODE XREF: FsRtlpCancelReadOnlyOplockIrp(x,x)+B1j
		cmp	esi, eax
		jz	short loc_602648
		cmp	byte ptr [esi-34h], 0
		jz	short loc_602644
		mov	esi, [esi+4]
		push	0
		mov	edx, 0C0000120h
		mov	ecx, [esi]
		call	_FsRtlpRemoveAndCompleteReadOnlyIrp@12 ; FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)
		mov	bh, 1
		mov	[ebp+var_1D], bh
		lea	eax, [edi+14h]

loc_602644:				; CODE XREF: FsRtlpCancelReadOnlyOplockIrp(x,x)+94j
		mov	esi, [esi]
		jmp	short loc_602621
; 

loc_602648:				; CODE XREF: FsRtlpCancelReadOnlyOplockIrp(x,x)+8Ej
		test	bh, bh
		jz	short loc_602653
		mov	ecx, edi
		call	FsRtlpComputeShareableOplockState

loc_602653:				; CODE XREF: FsRtlpCancelReadOnlyOplockIrp(x,x)+B5j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_602675
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_FsRtlpCancelReadOnlyOplockIrp@8 endp


;  S U B	R O U T	I N E 


sub_60266F	proc near		; DATA XREF: .text:006A7D48o
		mov	bl, [ebp-1Ch]
		mov	edi, [ebp-24h]
sub_60266F	endp


;  S U B	R O U T	I N E 


sub_602675	proc near		; CODE XREF: FsRtlpCancelReadOnlyOplockIrp(x,x)+C5p
		test	bl, bl
		jnz	short locret_602681
		mov	ecx, [edi+4Ch]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

locret_602681:				; CODE XREF: sub_602675+2j
		retn
sub_602675	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpCancelWaitingIrp(x, x)
_FsRtlpCancelWaitingIrp@8 proc near	; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+11Ep
					; FsRtlpWaitingIrpCancelRoutine(x,x)+Ap

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	18h
		push	offset dword_6A7D50
		call	__SEH_prolog4
		mov	bl, dl
		mov	[ebp+var_1C], bl
		mov	edi, [ecx+1Ch]
		mov	[ebp+var_24], edi
		xor	esi, esi
		lea	eax, [ecx+38h]
		xchg	esi, [eax]
		mov	bh, [ecx+25h]
		mov	eax, large fs:20h
		lea	esi, [eax+450h]
		test	ds:byte_70EFC6,	1
		jz	short loc_6026C4
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6026EF
; 

loc_6026C4:				; CODE XREF: FsRtlpCancelWaitingIrp(x,x)+34j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_6026E0
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_6026EF
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_6026E0:				; CODE XREF: FsRtlpCancelWaitingIrp(x,x)+46j
		mov	dword ptr [esi], 0
		xor	ecx, ecx
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_6026EF:				; CODE XREF: FsRtlpCancelWaitingIrp(x,x)+40j
					; FsRtlpCancelWaitingIrp(x,x)+55j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jnz	short loc_602703
		mov	ecx, [edi+4Ch]
		call	ExAcquireFastMutex

loc_602703:				; CODE XREF: FsRtlpCancelWaitingIrp(x,x)+77j
		and	[ebp+ms_exc.disabled], 0
		lea	eax, [edi+2Ch]
		mov	esi, [eax]

loc_60270C:				; CODE XREF: FsRtlpCancelWaitingIrp(x,x)+B0j
		mov	[ebp+var_20], esi
		cmp	esi, eax
		jz	short loc_602734
		mov	ecx, esi
		mov	edx, [esi+8]
		test	edx, edx
		jz	short loc_602730
		cmp	byte ptr [edx+24h], 0
		jz	short loc_602730
		mov	esi, [esi+4]
		mov	[ebp+var_20], esi
		call	_FsRtlpRemoveAndCompleteWaitingIrp@4 ; FsRtlpRemoveAndCompleteWaitingIrp(x)
		lea	eax, [edi+2Ch]

loc_602730:				; CODE XREF: FsRtlpCancelWaitingIrp(x,x)+98j
					; FsRtlpCancelWaitingIrp(x,x)+9Ej
		mov	esi, [esi]
		jmp	short loc_60270C
; 

loc_602734:				; CODE XREF: FsRtlpCancelWaitingIrp(x,x)+8Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_602756
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_FsRtlpCancelWaitingIrp@8 endp


;  S U B	R O U T	I N E 


sub_602750	proc near		; DATA XREF: .text:006A7D68o
		mov	bl, [ebp-1Ch]
		mov	edi, [ebp-24h]
sub_602750	endp


;  S U B	R O U T	I N E 


sub_602756	proc near		; CODE XREF: FsRtlpCancelWaitingIrp(x,x)+B9p
		test	bl, bl
		jnz	short locret_602762
		mov	ecx, [edi+4Ch]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

locret_602762:				; CODE XREF: sub_602756+2j
		retn
sub_602756	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpExclusiveIrpCancelRoutine(x, x)
_FsRtlpExclusiveIrpCancelRoutine@8 proc	near
					; DATA XREF: LdrpGetResourceFileName:loc_57A07Do
					; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x):loc_6021E1o ...

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	dl, dl
		push	1
		call	_FsRtlpCancelExclusiveIrp@12 ; FsRtlpCancelExclusiveIrp(x,x,x)
		pop	ebp
		retn	8
_FsRtlpExclusiveIrpCancelRoutine@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpGrantAnyOplockFromExclusive(x, x, x, x, x, x,	x, x, x, x)
_FsRtlpGrantAnyOplockFromExclusive@40 proc near
					; CODE XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+6A7p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	eax, [eax+18h]
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edi
		cmp	byte ptr [eax+25h], 0
		jz	short loc_6027E9
		test	ebx, 2000h
		jz	short loc_6027E9
		mov	esi, [esi+0Ch]
		xor	eax, eax
		push	6
		pop	ecx
		mov	edi, esi
		shr	ebx, 0Ch
		rep stosd
		mov	eax, [ebp+var_4]
		and	ebx, 5
		mov	ecx, edx
		mov	eax, [eax+48h]
		mov	[esi+8], ebx
		xor	ebx, ebx
		shr	eax, 0Ch
		inc	ebx
		or	[esi+0Ch], ebx
		and	eax, 7
		mov	[esi+4], eax
		mov	dl, bl
		mov	esi, 8000002Eh
		mov	dword ptr [ecx+1Ch], 18h
		mov	[ecx+18h], esi
		call	IofCompleteRequest
		mov	eax, esi
		jmp	loc_6029D2
; 

loc_6027E9:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+1Ej
					; FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+26j
		xor	edx, edx
		inc	edx
		cmp	byte ptr [ebp+arg_C], 0
		jz	short loc_602837
		mov	ecx, [ebp+arg_10]
		mov	eax, [edi+4]
		mov	ecx, [ecx]
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_10]
		mov	ecx, [eax]
		mov	eax, [ebp+var_4]
		add	eax, 34h
		mov	edi, [eax]
		cmp	[edi+4], eax
		jz	short loc_602814
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_602814:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+95j
		mov	[ecx+4], eax
		mov	[ecx], edi
		mov	[edi+4], ecx
		mov	[eax], ecx
		mov	ecx, ebx
		mov	eax, [ebp+arg_10]
		and	dword ptr [eax], 0
		mov	eax, [ebp+var_4]
		and	dword ptr [eax+4], 0
		and	ecx, 3010h
		mov	eax, ecx
		jmp	short loc_60285C
; 

loc_602837:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+78j
		mov	eax, [ebp+arg_14]
		mov	[eax], dl
		test	ebx, ebx
		jnz	short loc_602847
		mov	eax, [ebp+arg_18]
		mov	[eax], dl
		jmp	short loc_602863
; 

loc_602847:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+C6j
		mov	eax, ebx
		and	eax, 3010h
		jz	short loc_60285F
		test	ebx, 4040h
		jnz	short loc_60285F
		and	dword ptr [edi+4], 0

loc_60285C:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+BDj
		mov	edi, [ebp+var_4]

loc_60285F:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+D6j
					; FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+DEj
		test	ebx, ebx
		jnz	short loc_60287F

loc_602863:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+CDj
		mov	eax, [edi+48h]
		mov	ecx, esi
		and	eax, 20h
		or	eax, edx
		mov	[edi+48h], eax
		xor	edi, edi
		and	[esi+18h], edi
		call	IofCompleteRequest
		jmp	loc_6029C0
; 

loc_60287F:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+E9j
		mov	ecx, ebx
		and	ecx, 4040h
		neg	ecx
		sbb	cl, cl
		inc	cl
		test	eax, eax
		setnz	al
		test	cl, al
		jz	short loc_6028B4
		push	[ebp+arg_1C]
		lea	ecx, [ebp+var_4]
		push	edx
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_8]
		push	ebx
		push	esi
		call	_FsRtlpRequestShareableOplock@32 ; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)
		mov	edi, eax
		jmp	loc_6029C0
; 

loc_6028B4:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+11Cj
		mov	[edi], esi
		mov	edi, 103h
		mov	eax, [esi+60h]
		or	[eax+3], dl
		mov	edx, 746C6644h
		mov	eax, [ebp+var_4]
		mov	[esi+1Ch], eax
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	eax, [ebp+var_4]
		mov	[eax+8], ecx
		mov	ecx, large fs:124h
		mov	eax, [ebp+var_4]
		mov	[eax+0Ch], ecx
		mov	eax, [ebp+var_4]
		mov	ecx, [eax+0Ch]
		call	ObfReferenceObjectWithTag
		cmp	byte ptr [ebp+arg_C], 0
		mov	eax, [ebp+var_4]
		mov	byte ptr [eax+10h], 0
		jz	short loc_602921
		mov	edi, [ebp+arg_0]
		mov	edx, 746C6644h
		mov	ecx, [edi+18h]
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_4]
		mov	ecx, [edi+18h]
		mov	edi, 103h
		mov	[eax+4], ecx

loc_602921:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+189j
		mov	ecx, [ebp+var_4]
		push	7
		mov	eax, [ecx+48h]
		and	eax, 20h
		or	eax, ebx
		or	eax, 40h
		mov	[ecx+48h], eax
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		cmp	byte ptr [esi+24h], 0
		mov	[esi+25h], al
		jz	short loc_60295C
		cmp	byte ptr [ebp+arg_C], 0
		mov	ecx, esi
		setz	al
		xor	ebx, ebx
		movzx	eax, al
		push	eax
		lea	edx, [ebx+1]
		call	_FsRtlpCancelExclusiveIrp@12 ; FsRtlpCancelExclusiveIrp(x,x,x)
		jmp	short loc_6029C0
; 

loc_60295C:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+1C9j
		mov	ecx, offset _FsRtlpExclusiveIrpCancelRoutine@8 ; FsRtlpExclusiveIrpCancelRoutine(x,x)
		lea	eax, [esi+38h]
		xchg	ecx, [eax]
		mov	al, [esi+25h]
		xor	ebx, ebx
		mov	byte ptr [ebp+arg_10+3], al
		inc	ebx
		mov	eax, large fs:20h
		lea	esi, [eax+450h]
		test	ds:byte_70EFC6,	bl
		jz	short loc_60298F
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6029B7
; 

loc_60298F:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+209j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_6029AB
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_6029B7
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_6029AB:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+21Bj
		mov	dword ptr [esi], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_6029B7:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+215j
					; FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+22Aj
		mov	cl, byte ptr [ebp+arg_10+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_6029C0:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+102j
					; FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+137j ...
		cmp	byte ptr [ebp+arg_C], 0
		jz	short loc_6029D0
		mov	eax, [ebp+var_4]
		or	dword ptr [eax+48h], 1000000h

loc_6029D0:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+24Cj
		mov	eax, edi

loc_6029D2:				; CODE XREF: FsRtlpGrantAnyOplockFromExclusive(x,x,x,x,x,x,x,x,x,x)+6Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
_FsRtlpGrantAnyOplockFromExclusive@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpReadOnlyOplockIrpCancelRoutine(x, x)
_FsRtlpReadOnlyOplockIrpCancelRoutine@8	proc near
					; DATA XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x):loc_53C13Ao
					; FsRtlpAcknowledgeOplockBreak(x,x,x,x,x):loc_601BDEo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	dl, dl
		call	_FsRtlpCancelReadOnlyOplockIrp@8 ; FsRtlpCancelReadOnlyOplockIrp(x,x)
		pop	ebp
		retn	8
_FsRtlpReadOnlyOplockIrpCancelRoutine@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpRemoveAndCompleteReadOnlyIrp(x, x, x)
_FsRtlpRemoveAndCompleteReadOnlyIrp@12 proc near
					; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+644p
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+575p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	eax, [edi+8]
		mov	[ebp+var_4], eax
		mov	ecx, [eax+18h]
		call	ObfDereferenceObject
		lea	esi, [edi-33h]
		push	esi
		call	_IoAcquireCancelSpinLock@4 ; IoAcquireCancelSpinLock(x)
		xor	ecx, ecx
		lea	eax, [edi-20h]
		xchg	ecx, [eax]
		movzx	eax, byte ptr [esi]
		push	eax
		call	IoReleaseCancelSpinLock
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	short loc_602AA2
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_602AA2
		mov	[eax], ecx
		xor	edx, edx
		mov	[ecx+4], eax
		inc	edx
		mov	ecx, [ebp+var_4]
		mov	al, [edi-34h]
		cmp	dword ptr [ecx+0Ch], 90240h
		jnz	short loc_602A7F
		test	al, al
		jnz	short loc_602A76
		mov	ecx, [edi-4Ch]
		xor	eax, eax
		push	18h
		mov	[ecx+0Ch], eax
		mov	[ecx+10h], eax
		mov	[ecx+14h], eax
		mov	eax, [ebp+arg_0]
		shr	eax, 0Ch
		mov	[ecx], dx
		and	eax, 7
		pop	edx
		mov	[ecx+2], dx
		mov	dword ptr [ecx+4], 1
		mov	[ecx+8], eax
		jmp	short loc_602A8B
; 

loc_602A76:				; CODE XREF: FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)+5Bj
		mov	ebx, 0C0000120h
		xor	edx, edx
		jmp	short loc_602A8B
; 

loc_602A7F:				; CODE XREF: FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)+57j
		test	al, al
		jz	short loc_602A88
		mov	ebx, 0C0000120h

loc_602A88:				; CODE XREF: FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)+95j
		push	8
		pop	edx

loc_602A8B:				; CODE XREF: FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)+88j
					; FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)+91j
		mov	[edi-3Ch], edx
		lea	ecx, [edi-58h]
		mov	dl, 1
		mov	[edi-40h], ebx
		call	IofCompleteRequest
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_602AA2:				; CODE XREF: FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)+39j
					; FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)+40j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_FsRtlpRemoveAndCompleteReadOnlyIrp@12 endp ; AL = character to	display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpRemoveAndCompleteWaitingIrp(x)
_FsRtlpRemoveAndCompleteWaitingIrp@4 proc near
					; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+583p
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+1A7p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	loc_602B6F
		cmp	[eax], esi
		jnz	loc_602B6F
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	edi, [esi+8]
		test	edi, edi
		jz	loc_602B5C
		push	ebx
		push	7
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[edi+25h], al
		xor	ecx, ecx
		lea	eax, [edi+38h]
		xchg	ecx, [eax]
		mov	al, [edi+25h]
		mov	[ebp+var_1], al
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	ebx, [eax+450h]
		jz	short loc_602B11
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_602B3C
; 

loc_602B11:				; CODE XREF: FsRtlpRemoveAndCompleteWaitingIrp(x)+5Cj
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_602B2D
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jz	short loc_602B3C
		mov	ecx, ebx
		call	KxWaitForLockChainValid

loc_602B2D:				; CODE XREF: FsRtlpRemoveAndCompleteWaitingIrp(x)+6Ej
		xor	ecx, ecx
		mov	dword ptr [ebx], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_602B3C:				; CODE XREF: FsRtlpRemoveAndCompleteWaitingIrp(x)+68j
					; FsRtlpRemoveAndCompleteWaitingIrp(x)+7Dj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esi+18h]
		mov	[edi+1Ch], eax
		movzx	eax, byte ptr [edi+24h]
		neg	eax
		pop	ebx
		sbb	eax, eax
		and	eax, 0C0000120h
		mov	[edi+18h], eax

loc_602B5C:				; CODE XREF: FsRtlpRemoveAndCompleteWaitingIrp(x)+2Aj
		push	edi
		push	dword ptr [esi+10h]
		call	dword ptr [esi+0Ch]
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		leave
		retn
; 

loc_602B6F:				; CODE XREF: FsRtlpRemoveAndCompleteWaitingIrp(x)+12j
					; FsRtlpRemoveAndCompleteWaitingIrp(x)+1Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_FsRtlpRemoveAndCompleteWaitingIrp@4 endp ; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpWaitOnIrp(x, x, x, x,	x, x, x, x, x, x, x, x)
_FsRtlpWaitOnIrp@48 proc near		; CODE XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9F1p
					; FsRtlpOplockBreakToII+D0F09p	...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_13		= byte ptr  1Bh
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		push	28h
		push	offset dword_6A7D70
		call	__SEH_prolog4
		mov	esi, edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_24], 0C000009Ah
		xor	ecx, ecx
		mov	[ebp+var_1A], cl
		xor	eax, eax
		inc	eax
		mov	[ebp+var_19], al
		mov	eax, [ebp+arg_24]
		test	eax, eax
		jnz	short loc_602BA4
		lea	eax, [ebp+var_1A]
		mov	[ebp+arg_24], eax

loc_602BA4:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+28j
		mov	[eax], cl
		mov	[ebp+ms_exc.disabled], ecx
		push	6F725346h
		push	24h
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_28], ebx
		push	9
		pop	ecx
		xor	eax, eax
		mov	edi, ebx
		rep stosd
		test	esi, esi
		jz	short loc_602BF3
		mov	ecx, [esi+60h]
		mov	[ebx+8], esi
		mov	eax, [esi+1Ch]
		mov	[ebx+18h], eax
		cmp	byte ptr [ecx],	0Dh
		jnz	short loc_602BE8
		cmp	dword ptr [ecx+0Ch], 90014h
		jnz	short loc_602BE8
		xor	eax, eax
		inc	eax
		jmp	short loc_602BEA
; 

loc_602BE8:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+64j
					; FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+6Dj
		xor	al, al

loc_602BEA:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+72j
		mov	[ebx+1Dh], al
		mov	eax, [ecx+18h]
		mov	[ebx+20h], eax

loc_602BF3:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+53j
		mov	al, [ebp+arg_10]
		mov	[ebx+1Ch], al
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_602C0B
		mov	[ebx+0Ch], edi
		mov	eax, [ebp+arg_0]
		mov	[ebx+10h], eax
		jmp	short loc_602C25
; 

loc_602C0B:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+8Aj
		mov	dword ptr [ebx+0Ch], offset _FsRtlpOplockWaitCompleteRoutine@8 ; FsRtlpOplockWaitCompleteRoutine(x,x)
		mov	eax, [ebp+arg_C]
		mov	[ebx+10h], eax
		push	0
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [ebp+arg_0]

loc_602C25:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+95j
		cmp	[ebp+arg_8], 0
		jz	short loc_602C30
		push	esi
		push	eax
		call	[ebp+arg_8]

loc_602C30:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+B5j
		mov	ecx, [ebp+var_20]
		lea	eax, [ecx+2Ch]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jz	short loc_602C42
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_602C42:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+C7j
		mov	[ebx], eax
		mov	[ebx+4], edx
		mov	[edx], ebx
		mov	[eax+4], ebx
		test	esi, esi
		jz	loc_602D08
		and	dword ptr [esi+18h], 0
		push	7
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[esi+25h], al
		mov	ebx, [ebp+var_20]
		mov	[esi+1Ch], ebx
		cmp	byte ptr [esi+24h], 0
		jz	short loc_602C9C
		test	edi, edi
		jz	short loc_602C83
		mov	eax, [esi+60h]
		xor	ecx, ecx
		inc	ecx
		or	[eax+3], cl
		mov	edi, 103h
		jmp	short loc_602C88
; 

loc_602C83:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+FDj
		mov	edi, 0C0000120h

loc_602C88:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+10Dj
		mov	[ebp+var_24], edi
		xor	eax, eax
		lea	edx, [eax+1]
		mov	ecx, esi
		call	_FsRtlpCancelWaitingIrp@8 ; FsRtlpCancelWaitingIrp(x,x)
		jmp	loc_602E43
; 

loc_602C9C:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+F9j
		mov	ecx, offset _FsRtlpWaitingIrpCancelRoutine@8 ; FsRtlpWaitingIrpCancelRoutine(x,x)
		lea	eax, [esi+38h]
		xchg	ecx, [eax]
		mov	bl, [esi+25h]
		mov	eax, large fs:20h
		lea	edi, [eax+450h]
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_602CCC
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_602CF7
; 

loc_602CCC:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+14Aj
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_602CE8
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_602CF7
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_602CE8:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+15Cj
		mov	dword ptr [edi], 0
		add	eax, 4
		xor	ecx, ecx
		inc	ecx
		lock xor [eax],	ecx

loc_602CF7:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+156j
					; FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+16Bj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+var_28]
		mov	ecx, [ebp+var_20]
		mov	edi, [ebp+arg_4]

loc_602D08:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+DAj
		test	edi, edi
		jnz	loc_602E2B
		mov	eax, [ebp+arg_14]
		or	eax, [ebp+arg_18]
		jz	short loc_602D25
		cmp	[ebp+arg_20], edi
		jz	short loc_602D25
		xor	eax, eax
		inc	eax
		mov	[ebp+arg_13], al
		jmp	short loc_602D29
; 

loc_602D25:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+1A2j
					; FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+1A7j
		mov	[ebp+arg_13], 0

loc_602D29:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+1AFj
		xor	al, al
		mov	byte ptr [ebp+arg_0+3],	al
		xor	eax, eax
		lea	edi, [ebp+var_38]
		stosd
		stosd
		stosd
		stosd
		mov	ecx, [ecx+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	[ebp+var_19], 0

loc_602D43:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+224j
		push	esi
		movzx	eax, [ebp+arg_13]
		neg	eax
		sbb	eax, eax
		lea	ecx, [ebp+arg_14]
		and	eax, ecx
		push	eax
		push	[ebp+arg_C]
		call	_FsRtlCancellableWaitForSingleObject@12	; FsRtlCancellableWaitForSingleObject(x,x,x)
		mov	edi, eax
		mov	[ebp+var_24], edi
		cmp	[ebp+arg_13], 0
		jz	short loc_602D9A
		mov	ecx, 102h
		cmp	edi, ecx
		jnz	short loc_602D9A
		mov	[ebp+arg_13], 0
		xor	eax, eax
		lea	edi, [ebp+var_38]
		stosd
		stosd
		stosd
		stosd
		and	[ebp+var_38], 0
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], ecx
		lea	eax, [ebp+var_38]
		push	eax
		call	[ebp+arg_20]
		xor	eax, eax
		inc	eax
		mov	byte ptr [ebp+arg_0+3],	al
		jmp	short loc_602D43
; 

loc_602D9A:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+1EFj
					; FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+1F8j
		cmp	byte ptr [ebp+arg_0+3],	0
		jz	short loc_602DB0
		xor	eax, eax
		inc	eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_2C], edi
		lea	eax, [ebp+var_38]
		push	eax
		call	[ebp+arg_20]

loc_602DB0:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+22Aj
		cmp	edi, 0C000004Bh
		jz	short loc_602DD4
		cmp	edi, 0C0000120h
		jz	short loc_602DD4
		test	esi, esi
		jz	short loc_602DCA
		mov	edi, [esi+18h]
		mov	[ebp+var_24], edi

loc_602DCA:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+24Ej
		mov	eax, [ebp+arg_24]
		xor	ecx, ecx
		inc	ecx
		mov	[eax], cl
		jmp	short loc_602E40
; 

loc_602DD4:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+242j
					; FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+24Aj
		test	esi, esi
		jz	short loc_602DE2
		push	esi
		call	IoCancelIrp
		xor	ebx, ebx
		jmp	short loc_602E14
; 

loc_602DE2:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+262j
		mov	esi, [ebp+var_20]
		mov	ecx, [esi+4Ch]
		call	ExAcquireFastMutex
		xor	eax, eax
		inc	eax
		mov	[ebp+var_19], al
		lea	ecx, [esi+2Ch]
		mov	eax, [ecx]

loc_602DF8:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+2B5j
		cmp	eax, ecx
		jz	short loc_602E07
		cmp	ebx, eax
		jnz	short loc_602E27
		mov	ecx, eax
		call	_FsRtlpRemoveAndCompleteWaitingIrp@4 ; FsRtlpRemoveAndCompleteWaitingIrp(x)

loc_602E07:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+286j
		mov	ecx, [esi+4Ch]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		xor	ebx, ebx
		mov	[ebp+var_19], bl

loc_602E14:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+26Cj
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+arg_C]
		call	KeWaitForSingleObject
		mov	eax, [ebp+arg_24]
		mov	[eax], bl
		jmp	short loc_602E40
; 

loc_602E27:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+28Aj
		mov	eax, [eax]
		jmp	short loc_602DF8
; 

loc_602E2B:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+196j
		test	esi, esi
		jz	short loc_602E38
		mov	eax, [esi+60h]
		xor	ecx, ecx
		inc	ecx
		or	[eax+3], cl

loc_602E38:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+2B9j
		mov	edi, 103h
		mov	[ebp+var_24], edi

loc_602E40:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+25Ej
					; FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+2B1j
		mov	ebx, [ebp+var_20]

loc_602E43:				; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+123j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_602E69
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	28h
_FsRtlpWaitOnIrp@48 endp


;  S U B	R O U T	I N E 


sub_602E63	proc near		; DATA XREF: .text:006A7D88o
		mov	edi, [ebp-24h]
		mov	ebx, [ebp-20h]
sub_602E63	endp


;  S U B	R O U T	I N E 


sub_602E69	proc near		; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+2D6p
		cmp	byte ptr [ebp-19h], 0
		jz	short locret_602E77
		mov	ecx, [ebx+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

locret_602E77:				; CODE XREF: sub_602E69+4j
		retn
sub_602E69	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpWaitingIrpCancelRoutine(x, x)
_FsRtlpWaitingIrpCancelRoutine@8 proc near
					; DATA XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x):loc_602C9Co

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	dl, dl
		call	_FsRtlpCancelWaitingIrp@8 ; FsRtlpCancelWaitingIrp(x,x)
		pop	ebp
		retn	8
_FsRtlpWaitingIrpCancelRoutine@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsFilterAllocateCompletionStack(x, x, x)
_FsFilterAllocateCompletionStack@12 proc near ;	CODE XREF: FsFilterCtrlInit+118F48p

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		push	676D5346h
		xor	ebx, ebx
		and	[ebp+var_8], ebx
		movzx	esi, word ptr [edi+2Ch]
		shl	esi, 4
		push	esi
		push	200h
		mov	[eax], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_602F27
		cmp	[ebp+var_1], bl
		jz	short loc_602ECB
		mov	eax, 0C000009Ah
		jmp	short loc_602F30
; 

loc_602ECB:				; CODE XREF: FsFilterAllocateCompletionStack(x,x,x)+37j
		movzx	eax, byte ptr [edi+4]
		sub	eax, 0FAh
		jz	short loc_602EFC
		sub	eax, 1
		jz	short loc_602EEF
		sub	eax, 1
		jz	short loc_602EFC
		sub	eax, 1
		jz	short loc_602EEF
		sub	eax, 1
		jz	short loc_602EFC
		sub	eax, 1
		jnz	short loc_602F09

loc_602EEF:				; CODE XREF: FsFilterAllocateCompletionStack(x,x,x)+4Ej
					; FsFilterAllocateCompletionStack(x,x,x)+58j
		mov	ebx, ds:_AcquireOpsReservePool
		mov	eax, offset _AcquireOpsEvent
		jmp	short loc_602F0C
; 

loc_602EFC:				; CODE XREF: FsFilterAllocateCompletionStack(x,x,x)+49j
					; FsFilterAllocateCompletionStack(x,x,x)+53j ...
		mov	ebx, ds:_ReleaseOpsReservePool
		mov	eax, offset _ReleaseOpsEvent
		jmp	short loc_602F0C
; 

loc_602F09:				; CODE XREF: FsFilterAllocateCompletionStack(x,x,x)+62j
		mov	eax, [ebp+var_8]

loc_602F0C:				; CODE XREF: FsFilterAllocateCompletionStack(x,x,x)+6Fj
					; FsFilterAllocateCompletionStack(x,x,x)+7Cj
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	eax
		call	KeWaitForSingleObject
		mov	eax, large fs:124h
		mov	[ebx], eax
		lea	eax, [ebx+4]
		or	dword ptr [edi+24h], 2

loc_602F27:				; CODE XREF: FsFilterAllocateCompletionStack(x,x,x)+32j
		or	dword ptr [edi+24h], 1
		mov	[edi+30h], eax
		xor	eax, eax

loc_602F30:				; CODE XREF: FsFilterAllocateCompletionStack(x,x,x)+3Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_FsFilterAllocateCompletionStack@12 endp


;  S U B	R O U T	I N E 


; __stdcall FsFilterFreeCompletionStack(x)
_FsFilterFreeCompletionStack@4 proc near ; CODE	XREF: FsFilterCtrlFree(x)+4j
					; FsRtlAcquireFileForModWriteEx+1194CBp
		xor	edx, edx
		test	byte ptr [ecx+24h], 2
		jnz	short loc_602F4D
		push	676D5346h
		push	dword ptr [ecx+30h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
; 

loc_602F4D:				; CODE XREF: FsFilterFreeCompletionStack(x)+6j
		movzx	eax, byte ptr [ecx+4]
		sub	eax, 0FAh
		jz	short loc_602F78
		sub	eax, 1
		jz	short loc_602F71
		sub	eax, 1
		jz	short loc_602F78
		sub	eax, 1
		jz	short loc_602F71
		sub	eax, 1
		jz	short loc_602F78
		sub	eax, 1
		jnz	short loc_602F7D

loc_602F71:				; CODE XREF: FsFilterFreeCompletionStack(x)+24j
					; FsFilterFreeCompletionStack(x)+2Ej
		mov	edx, offset _AcquireOpsEvent
		jmp	short loc_602F7D
; 

loc_602F78:				; CODE XREF: FsFilterFreeCompletionStack(x)+1Fj
					; FsFilterFreeCompletionStack(x)+29j ...
		mov	edx, offset _ReleaseOpsEvent

loc_602F7D:				; CODE XREF: FsFilterFreeCompletionStack(x)+38j
					; FsFilterFreeCompletionStack(x)+3Fj
		mov	eax, [ecx+30h]
		push	0
		push	0
		push	edx
		and	dword ptr [eax-4], 0
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		retn
_FsFilterFreeCompletionStack@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McGenEventWrite_EtwWriteTransfer(x,	x, x, x, x)
_McGenEventWrite_EtwWriteTransfer@20 proc near
					; CODE XREF: McTemplateK0jq_EtwWriteTransfer(x,x,x,x,x)+4Ep
					; McTemplateK0xxxqq_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+76p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		xor	edx, edx
		mov	eax, [edi+8]
		mov	[esi+4], edx
		test	eax, eax
		jnz	short loc_602FB2
		mov	[esi], edx
		mov	ecx, edx
		mov	eax, edx
		jmp	short loc_602FBA
; 

loc_602FB2:				; CODE XREF: McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)+19j
		push	2
		mov	[esi], eax
		movzx	eax, word ptr [eax]
		pop	ecx

loc_602FBA:				; CODE XREF: McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)+21j
		push	esi
		push	[ebp+arg_4]
		mov	[esi+8], eax
		push	edx
		push	[ebp+arg_0]
		mov	[esi+0Ch], ecx
		mov	eax, [edi+4]
		mov	ecx, [edi]
		push	edx
		push	edx
		push	edx
		push	ebx
		push	eax
		push	ecx
		call	EtwWriteEx
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_McGenEventWrite_EtwWriteTransfer@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0jq_EtwWriteTransfer(x, x, x, x,	x)
_McTemplateK0jq_EtwWriteTransfer@20 proc near ;	CODE XREF: McGenControlCallbackV2+82034p
					; FsRtlpHeatRegisterVolume(x,x,x)+126p

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx

loc_60300E:				; DATA XREF: .text:00459CDCo
					; MiDispatchFault+4AAo	...
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx

loc_603014:				; DATA XREF: MiGetNextPageTablePte:loc_458589o
					; .text:00459CC9o ...
		mov	edx, offset _TieredStorage_NewVolume
		push	ecx
		mov	ecx, offset _MS_StorageTiering_Provider_Context
		mov	[ebp+var_1C], 10h
		mov	[ebp+var_C], 4
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_McTemplateK0jq_EtwWriteTransfer@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0xxxqq_EtwWriteTransfer(x, x, x,	x, x, x, x, x, x, x, x)
_McTemplateK0xxxqq_EtwWriteTransfer@44 proc near ; CODE	XREF: FsRtlHeatLogIo(x,x,x,x,x)+A9p

var_64		= dword	ptr -64h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+arg_4]
		mov	[ebp+var_54], ecx
		lea	ecx, [ebp+arg_C]
		push	esi
		push	edi
		mov	[ebp+var_44], ecx
		xor	edi, edi
		push	8
		pop	esi
		lea	ecx, [ebp+arg_14]
		mov	[ebp+var_4C], esi
		mov	[ebp+var_34], ecx
		lea	ecx, [ebp+arg_1C]
		mov	[ebp+var_24], ecx
		lea	ecx, [ebp+arg_20]
		push	4
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_64]
		mov	[ebp+var_3C], esi
		mov	[ebp+var_2C], esi
		pop	esi
		push	ecx
		push	6
		push	eax
		mov	ecx, offset _MS_StorageTiering_Provider_Context
		mov	[ebp+var_50], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], edi
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	24h
_McTemplateK0xxxqq_EtwWriteTransfer@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0xxxqqqq_EtwWriteTransfer(x, x, x, x, x,	x, x, x, x, x, x, x, x)
_McTemplateK0xxxqqqq_EtwWriteTransfer@52 proc near
					; CODE XREF: FsRtlHeatLogTierMove(x,x,x,x,x,x,x,x)+33p

var_84		= dword	ptr -84h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+arg_4]
		mov	[ebp+var_74], ecx
		lea	ecx, [ebp+arg_C]
		mov	[ebp+var_64], ecx
		lea	ecx, [ebp+arg_14]
		push	esi
		mov	[ebp+var_54], ecx
		xor	esi, esi
		push	edi
		lea	ecx, [ebp+arg_1C]
		mov	[ebp+var_70], esi
		mov	[ebp+var_44], ecx
		lea	ecx, [ebp+arg_20]
		push	8
		pop	edi
		mov	[ebp+var_34], ecx
		lea	ecx, [ebp+arg_24]
		mov	[ebp+var_24], ecx
		lea	ecx, [ebp+arg_28]
		push	4
		pop	edx
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_84]
		push	ecx
		push	edi
		mov	[ebp+var_3C], edx
		mov	ecx, offset _MS_StorageTiering_Provider_Context
		mov	[ebp+var_2C], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_C], edx
		mov	edx, offset _TieredStorage_TierMove
		push	eax
		mov	[ebp+var_6C], edi
		mov	[ebp+var_68], esi
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], edi
		mov	[ebp+var_58], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	2Ch
_McTemplateK0xxxqqqq_EtwWriteTransfer@52 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 574. FsRtlIsSystemPagingFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlIsSystemPagingFile(x)
		public _FsRtlIsSystemPagingFile@4
_FsRtlIsSystemPagingFile@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_MmIsFileObjectAPagingFile@4 ; MmIsFileObjectAPagingFile(x)
		pop	ebp
		retn	4
_FsRtlIsSystemPagingFile@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 655. FsRtlRemovePerFileContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlRemovePerFileContext(x, x, x)
		public _FsRtlRemovePerFileContext@12
_FsRtlRemovePerFileContext@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	ebx
		push	esi
		xor	eax, eax
		lock cmpxchg [ecx], edx
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_60324D
		lea	esi, [ebx+4]
		cmp	[esi], esi
		jz	loc_60324D
		mov	ecx, large fs:124h
		push	edi
		dec	word ptr [ecx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+arg_8]
		xor	edi, edi
		mov	eax, [esi]
		test	edx, edx
		jz	short loc_603215
		cmp	eax, esi
		jz	short loc_6031FB
		mov	ecx, [ebp+arg_4]

loc_6031EB:				; CODE XREF: FsRtlRemovePerFileContext(x,x,x)+60j
		cmp	[eax+8], ecx
		jnz	short loc_6031F5
		cmp	[eax+0Ch], edx
		jz	short loc_603220

loc_6031F5:				; CODE XREF: FsRtlRemovePerFileContext(x,x,x)+55j
		mov	eax, [eax]
		cmp	eax, esi
		jnz	short loc_6031EB

loc_6031FB:				; CODE XREF: FsRtlRemovePerFileContext(x,x,x)+4Dj
					; FsRtlRemovePerFileContext(x,x,x)+85j	...
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		jmp	short loc_60324F
; 

loc_603215:				; CODE XREF: FsRtlRemovePerFileContext(x,x,x)+49j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_603242
		cmp	eax, esi
		jz	short loc_6031FB

loc_603220:				; CODE XREF: FsRtlRemovePerFileContext(x,x,x)+5Aj
					; FsRtlRemovePerFileContext(x,x,x)+A5j
		mov	edi, eax
		test	edi, edi
		jz	short loc_6031FB
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_603248
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_603248
		mov	[ecx], eax
		mov	[eax+4], ecx
		jmp	short loc_6031FB
; 

loc_60323B:				; CODE XREF: FsRtlRemovePerFileContext(x,x,x)+ABj
		cmp	[eax+8], ecx
		jz	short loc_603220
		mov	eax, [eax]

loc_603242:				; CODE XREF: FsRtlRemovePerFileContext(x,x,x)+81j
		cmp	eax, esi
		jnz	short loc_60323B
		jmp	short loc_6031FB
; 

loc_603248:				; CODE XREF: FsRtlRemovePerFileContext(x,x,x)+92j
					; FsRtlRemovePerFileContext(x,x,x)+99j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_60324D:				; CODE XREF: FsRtlRemovePerFileContext(x,x,x)+16j
					; FsRtlRemovePerFileContext(x,x,x)+21j
		xor	eax, eax

loc_60324F:				; CODE XREF: FsRtlRemovePerFileContext(x,x,x)+7Aj
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_FsRtlRemovePerFileContext@12 endp ; sp	= -4

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 657. FsRtlRemovePerStreamContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlRemovePerStreamContext(x, x, x)
		public _FsRtlRemovePerStreamContext@12
_FsRtlRemovePerStreamContext@12	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	loc_60332E
		test	byte ptr [esi+6], 2
		jz	loc_60332E
		mov	al, [esi+7]
		and	al, 0F0h
		cmp	al, 10h
		jb	short loc_603298
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+34h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		jmp	short loc_6032A0
; 

loc_603298:				; CODE XREF: FsRtlRemovePerStreamContext(x,x,x)+22j
		mov	ecx, [esi+28h]
		call	ExAcquireFastMutex

loc_6032A0:				; CODE XREF: FsRtlRemovePerStreamContext(x,x,x)+3Cj
		mov	edx, [ebp+arg_8]
		lea	eax, [esi+2Ch]
		mov	ecx, [eax]
		push	ebx
		push	edi
		xor	edi, edi
		test	edx, edx
		jz	short loc_6032E8
		cmp	ecx, eax
		jz	short loc_6032C7
		mov	ebx, [ebp+arg_4]

loc_6032B7:				; CODE XREF: FsRtlRemovePerStreamContext(x,x,x)+6Bj
		cmp	[ecx+8], ebx
		jnz	short loc_6032C1
		cmp	[ecx+0Ch], edx
		jz	short loc_6032F3

loc_6032C1:				; CODE XREF: FsRtlRemovePerStreamContext(x,x,x)+60j
		mov	ecx, [ecx]
		cmp	ecx, eax
		jnz	short loc_6032B7

loc_6032C7:				; CODE XREF: FsRtlRemovePerStreamContext(x,x,x)+58j
					; FsRtlRemovePerStreamContext(x,x,x)+97j ...
		mov	al, [esi+7]
		and	al, 0F0h
		cmp	al, 10h
		jb	short loc_603320
		lea	ecx, [esi+34h]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	short loc_603328
; 

loc_6032E8:				; CODE XREF: FsRtlRemovePerStreamContext(x,x,x)+54j
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jnz	short loc_603315
		cmp	ecx, eax
		jz	short loc_6032C7

loc_6032F3:				; CODE XREF: FsRtlRemovePerStreamContext(x,x,x)+65j
					; FsRtlRemovePerStreamContext(x,x,x)+B7j
		mov	edi, ecx
		test	edi, edi
		jz	short loc_6032C7
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_60331B
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_60331B
		mov	[ecx], eax
		mov	[eax+4], ecx
		jmp	short loc_6032C7
; 

loc_60330E:				; CODE XREF: FsRtlRemovePerStreamContext(x,x,x)+BDj
		cmp	[ecx+8], edx
		jz	short loc_6032F3
		mov	ecx, [ecx]

loc_603315:				; CODE XREF: FsRtlRemovePerStreamContext(x,x,x)+93j
		cmp	ecx, eax
		jnz	short loc_60330E
		jmp	short loc_6032C7
; 

loc_60331B:				; CODE XREF: FsRtlRemovePerStreamContext(x,x,x)+A4j
					; FsRtlRemovePerStreamContext(x,x,x)+ABj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_603320:				; CODE XREF: FsRtlRemovePerStreamContext(x,x,x)+74j
		mov	ecx, [esi+28h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_603328:				; CODE XREF: FsRtlRemovePerStreamContext(x,x,x)+8Cj
		mov	eax, edi
		pop	edi
		pop	ebx
		jmp	short loc_603330
; 

loc_60332E:				; CODE XREF: FsRtlRemovePerStreamContext(x,x,x)+Bj
					; FsRtlRemovePerStreamContext(x,x,x)+15j
		xor	eax, eax

loc_603330:				; CODE XREF: FsRtlRemovePerStreamContext(x,x,x)+D2j
		pop	esi
		pop	ebp
		retn	0Ch
_FsRtlRemovePerStreamContext@12	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 628. FsRtlPostPagingFileStackOverflow

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlPostPagingFileStackOverflow(x,	x, x)
		public _FsRtlPostPagingFileStackOverflow@12
_FsRtlPostPagingFileStackOverflow@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1
		push	[ebp+arg_8]
		call	_FsRtlpPostStackOverflow@16 ; FsRtlpPostStackOverflow(x,x,x,x)
		pop	ebp
		retn	0Ch
_FsRtlPostPagingFileStackOverflow@12 endp

; 
		align 8
; Exported entry 629. FsRtlPostStackOverflow

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlPostStackOverflow(x, x, x)
		public _FsRtlPostStackOverflow@12
_FsRtlPostStackOverflow@12 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_8]
		call	_FsRtlpPostStackOverflow@16 ; FsRtlpPostStackOverflow(x,x,x,x)
		pop	ebp
		retn	0Ch
_FsRtlPostStackOverflow@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlStackOverflowRead(x)
_FsRtlStackOverflowRead@4 proc near	; DATA XREF: FsRtlpPostStackOverflow(x,x,x,x)+64o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		mov	esi, [ebp+arg_0]
		mov	dword ptr [eax+2D4h], 1
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]
		call	dword ptr [esi+10h]
		push	0
		cmp	esi, offset _StackOverflowFallback
		jnz	short loc_6033AB
		push	0
		push	offset _StackOverflowFallbackSerialEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_6033B1
; 

loc_6033AB:				; CODE XREF: FsRtlStackOverflowRead(x)+2Aj
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6033B1:				; CODE XREF: FsRtlStackOverflowRead(x)+38j
		mov	eax, large fs:124h
		pop	esi
		and	dword ptr [eax+2D4h], 0
		pop	ebp
		retn	4
_FsRtlStackOverflowRead@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpPostStackOverflow(x, x, x, x)
_FsRtlpPostStackOverflow@16 proc near	; CODE XREF: FsRtlPostPagingFileStackOverflow(x,x,x)+10p
					; FsRtlPostStackOverflow(x,x,x)+10p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	73725346h
		push	1Ch
		push	200h
		mov	edi, edx
		mov	[ebp+var_4], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	bl, [ebp+arg_4]
		mov	esi, eax
		xor	eax, eax
		test	esi, esi
		jnz	short loc_60340E
		test	bl, bl
		jnz	short loc_6033FB
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_6033FB:				; CODE XREF: FsRtlpPostStackOverflow(x,x,x,x)+2Cj
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _StackOverflowFallbackSerialEvent
		call	KeWaitForSingleObject
		mov	esi, offset _StackOverflowFallback

loc_60340E:				; CODE XREF: FsRtlpPostStackOverflow(x,x,x,x)+28j
		mov	eax, [ebp+var_4]
		and	dword ptr [esi], 0
		mov	[esi+14h], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+10h], eax
		movzx	eax, bl
		imul	eax, 28h
		push	esi
		mov	[esi+18h], edi
		mov	dword ptr [esi+8], offset _FsRtlStackOverflowRead@4 ; FsRtlStackOverflowRead(x)
		mov	[esi+0Ch], esi
		add	eax, offset _FsRtlWorkerQueues
		push	eax
		call	KeInsertQueue
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_FsRtlpPostStackOverflow@16 endp


;  S U B	R O U T	I N E 


; __stdcall xHalTranslateBusAddress(x, x, x, x,	x, x)
_xHalTranslateBusAddress@24 proc near	; DATA XREF: .data:006B122Co
					; .data:006B1230o
		push	7
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	5Ch
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_xHalTranslateBusAddress@24 endp


;  S U B	R O U T	I N E 


; __stdcall xHalTscSynchronization(x, x)
_xHalTscSynchronization@8 proc near	; CODE XREF: PnprWakeProcessors()+41p
					; KiInitializeDynamicProcessorDpc(x,x,x,x)+C1p	...
		push	0
		push	0
		mov	cl, 1
		call	_KeAdjustInterruptTime@12 ; KeAdjustInterruptTime(x,x,x)
		retn	8
_xHalTscSynchronization@8 endp


;  S U B	R O U T	I N E 


; __stdcall HvlConfigureMemoryZeroingOnReset(x)
_HvlConfigureMemoryZeroingOnReset@4 proc near ;	CODE XREF: HvlPhase1Initialize+86C30p
					; PopSaveHiberContext+BBE4p ...
		test	ds:_HvlpFlags, 40000h
		jz	short locret_603480
		xor	eax, eax
		test	cl, cl
		push	0
		setnz	al
		mov	ecx, 270h
		push	eax
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)

locret_603480:				; CODE XREF: HvlConfigureMemoryZeroingOnReset(x)+Aj
		retn
_HvlConfigureMemoryZeroingOnReset@4 endp


;  S U B	R O U T	I N E 


; __stdcall HvlDisableEnlightenment(x)
_HvlDisableEnlightenment@4 proc	near	; CODE XREF: PopSaveHiberContext+B8F9p
		test	ecx, ecx
		jz	short loc_603496
		dec	ecx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 0FFFFE000h
		add	ecx, 2000h

loc_603496:				; CODE XREF: HvlDisableEnlightenment(x)+2j
		and	ds:_HvlEnlightenments, ecx
		retn
_HvlDisableEnlightenment@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlInvokeHypervisorDebugger(x, x)
_HvlInvokeHypervisorDebugger@8 proc near ; CODE	XREF: KeAccumulateTicks+12B986p
					; KeAccumulateTicks+12B9E4p ...

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		test	byte ptr ds:_HvlpFlags,	2
		jz	short loc_6034B6
		test	byte ptr ds:_HvlpRootFlags, 1
		jz	short locret_6034D7

loc_6034B6:				; CODE XREF: HvlInvokeHypervisorDebugger(x,x)+Ej
		cmp	ds:_HvlHypervisorConnected, 0
		jz	short locret_6034D7
		xor	eax, eax
		mov	[ebp+var_8], 0Ah
		push	eax
		push	edx
		push	eax
		push	ecx
		push	eax
		push	1000Ah
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)

locret_6034D7:				; CODE XREF: HvlInvokeHypervisorDebugger(x,x)+17j
					; HvlInvokeHypervisorDebugger(x,x)+20j
		leave
		retn
_HvlInvokeHypervisorDebugger@8 endp


;  S U B	R O U T	I N E 


; __stdcall HvlIsCoreSharingPossible()
_HvlIsCoreSharingPossible@0 proc near	; CODE XREF: KeOptimizeSpecCtrlSettings(x)+6Ep
					; KeOptimizeSpecCtrlSettings(x)+2F8p ...
		mov	eax, ds:_HvlpFlags
		test	eax, 400000h
		jz	short loc_603510
		test	al, 2
		jz	short loc_60350D
		mov	eax, ds:_HvlpSchedulerType
		dec	eax
		sub	eax, 1
		jz	short loc_603510
		dec	eax
		sub	eax, 1
		jnz	short loc_60350D
		mov	eax, large fs:20h
		mov	ecx, [eax+402Ch]
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	short loc_603510

loc_60350D:				; CODE XREF: HvlIsCoreSharingPossible()+Ej
					; HvlIsCoreSharingPossible()+1Fj
		xor	al, al
		retn
; 

loc_603510:				; CODE XREF: HvlIsCoreSharingPossible()+Aj
					; HvlIsCoreSharingPossible()+19j ...
		mov	al, 1
		retn
_HvlIsCoreSharingPossible@0 endp


;  S U B	R O U T	I N E 


; __stdcall HvlIsNestedRootPartition()
_HvlIsNestedRootPartition@0 proc near	; CODE XREF: KiIntSteerDetermineSteeringEnabled+2568Bp
		test	byte ptr ds:_HvlpFlags,	2
		jz	short loc_60352C
		test	ds:_HvlpRootFlags, 400h
		jz	short loc_60352C
		xor	eax, eax
		inc	eax
		retn
; 

loc_60352C:				; CODE XREF: HvlIsNestedRootPartition()+7j
					; HvlIsNestedRootPartition()+13j
		xor	eax, eax
		retn
_HvlIsNestedRootPartition@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlLogGuestCrashInformation(x, x, x, x, x)
_HvlLogGuestCrashInformation@20	proc near ; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+490p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, edx
		test	ds:_HvlEnlightenments, 2000h
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		jz	short loc_6035BF
		lea	edx, [ebp+var_8]
		mov	ecx, 215h
		call	_HvlpGetRegister64@8 ; HvlpGetRegister64(x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		and	ecx, 80000000h
		or	eax, ecx
		jz	short loc_6035BF
		push	ebx
		push	edi
		mov	ecx, 210h
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)
		push	ebx
		push	esi
		mov	ecx, 211h
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)
		push	ebx
		push	[ebp+arg_0]
		mov	ecx, 212h
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)
		push	ebx
		push	[ebp+arg_4]
		mov	ecx, 213h
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)
		push	ebx
		push	[ebp+arg_8]
		mov	ecx, 214h
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)
		push	80000000h
		push	ebx
		mov	ecx, 215h
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)

loc_6035BF:				; CODE XREF: HvlLogGuestCrashInformation(x,x,x,x,x)+20j
					; HvlLogGuestCrashInformation(x,x,x,x,x)+3Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_HvlLogGuestCrashInformation@20	endp


;  S U B	R O U T	I N E 


; __stdcall HvlQueryL1tfMitigationInformation(x)
_HvlQueryL1tfMitigationInformation@4 proc near
					; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+369p
		test	byte ptr ds:_HvlpRootFlags, 1
		jnz	short loc_6035D5
		mov	eax, 0C00000BBh
		retn
; 

loc_6035D5:				; CODE XREF: HvlQueryL1tfMitigationInformation(x)+7j
		or	dword ptr [ecx], 60000h
		xor	eax, eax
		retn
_HvlQueryL1tfMitigationInformation@4 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 712. HvlRegisterInterruptCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlRegisterInterruptCallback(x, x, x)
		public _HvlRegisterInterruptCallback@12
_HvlRegisterInterruptCallback@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	esi, 4
		ja	short loc_603633
		cmp	ds:_HvlHypervisorConnected, 0
		jnz	short loc_603601
		mov	eax, 0C00000BBh
		jmp	short loc_603638
; 

loc_603601:				; CODE XREF: HvlRegisterInterruptCallback(x,x,x)+15j
		mov	edx, [ebp+arg_4]
		lea	ecx, _HvlpInterruptCallback[esi*4]
		push	edi
		mov	edi, offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		pop	edi
		jnz	short loc_60362C
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_603628
		lea	eax, [esi+30h]
		mov	[ecx], eax

loc_603628:				; CODE XREF: HvlRegisterInterruptCallback(x,x,x)+3Ej
		xor	eax, eax
		jmp	short loc_603638
; 

loc_60362C:				; CODE XREF: HvlRegisterInterruptCallback(x,x,x)+37j
		mov	eax, 0C0000001h
		jmp	short loc_603638
; 

loc_603633:				; CODE XREF: HvlRegisterInterruptCallback(x,x,x)+Cj
		mov	eax, 0C000000Dh

loc_603638:				; CODE XREF: HvlRegisterInterruptCallback(x,x,x)+1Cj
					; HvlRegisterInterruptCallback(x,x,x)+47j ...
		pop	esi
		pop	ebp
		retn	0Ch
_HvlRegisterInterruptCallback@12 endp


;  S U B	R O U T	I N E 


; __stdcall HvlRestoreEnlightenment(x)
_HvlRestoreEnlightenment@4 proc	near	; CODE XREF: PopHiberCheckResume:loc_72A096p
		mov	edi, edi
		push	ecx
		test	byte ptr ds:_HvlpFlags,	2
		mov	eax, ds:_HvlpEnlightenments
		mov	ds:_HvlEnlightenments, eax
		jnz	short loc_60367B
		xor	ecx, ecx
		call	HvlpTryConfigureInterface
		xor	ecx, ecx
		test	eax, eax
		jns	short loc_60366E

loc_603660:				; CODE XREF: HvlRestoreEnlightenment(x)+3Cj
		push	ecx
		push	ecx
		push	ecx
		push	eax
		push	20001h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_60366E:				; CODE XREF: HvlRestoreEnlightenment(x)+21j
		call	_HvlpPhase0Enlightenments@4 ; HvlpPhase0Enlightenments(x)
		test	eax, eax
		jns	short loc_60367B
		xor	ecx, ecx
		jmp	short loc_603660
; 

loc_60367B:				; CODE XREF: HvlRestoreEnlightenment(x)+14j
					; HvlRestoreEnlightenment(x)+38j
		pop	ecx
		retn
_HvlRestoreEnlightenment@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 714. HvlUnregisterInterruptCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlUnregisterInterruptCallback(x, x)
		public _HvlUnregisterInterruptCallback@8
_HvlUnregisterInterruptCallback@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	eax, 4
		ja	short loc_6036A2
		lea	ecx, _HvlpInterruptCallback[eax*4]
		mov	edx, offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)
		mov	eax, [ebp+arg_4]
		lock cmpxchg [ecx], edx

loc_6036A2:				; CODE XREF: HvlUnregisterInterruptCallback(x,x)+Bj
		pop	ebp
		retn	8
_HvlUnregisterInterruptCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpHvIdentityInfoCallback(x, x, x,	x)
_HvlpHvIdentityInfoCallback@16 proc near ; DATA	XREF: HvlPhase1Initialize+86BC6o

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	esi, offset _HvlpSecondaryDumpDataGuid
		mov	eax, [ebx+1Ch]
		lea	edi, [ebx+0Ch]
		push	44h
		movsd
		movsd
		movsd
		movsd
		pop	edi
		test	eax, eax
		jz	short loc_60370D
		cmp	[ebx+4], edi
		jb	short loc_603717
		mov	esi, [ebx]
		lea	eax, [esi+8]
		mov	dword ptr [esi], 48564944h
		push	eax
		mov	[esi+4], edi
		call	_HviGetHypervisorVendorAndMaxFunction@4	; HviGetHypervisorVendorAndMaxFunction(x)
		lea	eax, [esi+18h]
		push	eax
		call	HviGetHypervisorInterface
		lea	eax, [esi+28h]
		push	eax
		call	_HviGetHypervisorVersion@4 ; HviGetHypervisorVersion(x)
		mov	eax, ds:_HvlpFlags
		mov	[esi+38h], eax
		mov	eax, ds:_HvlpRootFlags
		mov	[esi+3Ch], eax
		mov	eax, ds:_HvlpEnlightenments
		mov	[esi+40h], eax
		mov	[ebx+1Ch], esi

loc_60370D:				; CODE XREF: HvlpHvIdentityInfoCallback(x,x,x,x)+1Fj
					; HvlpHvIdentityInfoCallback(x,x,x,x)+73j
		mov	[ebx+20h], edi

loc_603710:				; CODE XREF: HvlpHvIdentityInfoCallback(x,x,x,x)+7Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_603717:				; CODE XREF: HvlpHvIdentityInfoCallback(x,x,x,x)+24j
		test	eax, eax
		jz	short loc_60370D
		mov	eax, [ebx]
		and	dword ptr [ebx+20h], 0
		mov	[ebx+1Ch], eax
		jmp	short loc_603710
_HvlpHvIdentityInfoCallback@16 endp


;  S U B	R O U T	I N E 


; __stdcall HvlGetApicIdFromLpIndex(x, x)
_HvlGetApicIdFromLpIndex@8 proc	near	; CODE XREF: KiQueryProcessorNode+8A09Dp
		mov	edi, edi
		push	esi
		mov	esi, edx
		or	dword ptr [esi], 0FFFFFFFFh
		test	byte ptr ds:_HvlpFlags,	2
		jz	short loc_603745
		call	_HvlpGetLpcbByLpIndex@4	; HvlpGetLpcbByLpIndex(x)
		test	eax, eax
		jz	short loc_603745
		mov	eax, [eax+8]
		mov	[esi], eax

loc_603745:				; CODE XREF: HvlGetApicIdFromLpIndex(x,x)+Fj
					; HvlGetApicIdFromLpIndex(x,x)+18j
		pop	esi
		retn
_HvlGetApicIdFromLpIndex@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 698. HvlGetLpIndexFromApicId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlGetLpIndexFromApicId(x)
		public _HvlGetLpIndexFromApicId@4
_HvlGetLpIndexFromApicId@4 proc	near	; CODE XREF: PpmIdleUpdateHvStates(x)+1Fp
					; PpmPerfRegisterHvCap(x)+1Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr ds:_HvlpFlags,	2
		jz	short loc_60376B
		mov	ecx, [ebp+arg_0]
		call	HvlpGetLpcbByApicId
		test	eax, eax
		jz	short loc_60376B
		mov	eax, [eax+4]
		jmp	short loc_60376E
; 

loc_60376B:				; CODE XREF: HvlGetLpIndexFromApicId(x)+Cj
					; HvlGetLpIndexFromApicId(x)+18j
		or	eax, 0FFFFFFFFh

loc_60376E:				; CODE XREF: HvlGetLpIndexFromApicId(x)+1Dj
		pop	ebp
		retn	4
_HvlGetLpIndexFromApicId@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 699. HvlGetLpIndexFromProcessorIndex

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlGetLpIndexFromProcessorIndex(x)
		public _HvlGetLpIndexFromProcessorIndex@4
_HvlGetLpIndexFromProcessorIndex@4 proc	near ; CODE XREF: PpmScaleIdleStateValues+81BAAp
					; HvlEnlightenProcessor+81977p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:byte_6B64F0,	0
		jz	short loc_60378A
		mov	eax, [ebp+arg_0]
		jmp	short loc_6037B0
; 

loc_60378A:				; CODE XREF: HvlGetLpIndexFromProcessorIndex(x)+Cj
		mov	edx, ds:_HvlpLogicalProcessorCount
		xor	ecx, ecx
		mov	eax, offset _HvlpLogicalProcessorRegions
		push	esi
		test	edx, edx
		jz	short loc_6037AC
		mov	esi, [ebp+arg_0]

loc_60379F:				; CODE XREF: HvlGetLpIndexFromProcessorIndex(x)+33j
		cmp	[eax+18h], esi
		jz	short loc_6037B4
		inc	ecx
		add	eax, 68h
		cmp	ecx, edx
		jb	short loc_60379F

loc_6037AC:				; CODE XREF: HvlGetLpIndexFromProcessorIndex(x)+23j
		or	eax, 0FFFFFFFFh

loc_6037AF:				; CODE XREF: HvlGetLpIndexFromProcessorIndex(x)+40j
		pop	esi

loc_6037B0:				; CODE XREF: HvlGetLpIndexFromProcessorIndex(x)+11j
		pop	ebp
		retn	4
; 

loc_6037B4:				; CODE XREF: HvlGetLpIndexFromProcessorIndex(x)+2Bj
		mov	eax, [eax+4]
		jmp	short loc_6037AF
_HvlGetLpIndexFromProcessorIndex@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlNotifyLongSpinWait(x)
_HvlNotifyLongSpinWait@4 proc near	; CODE XREF: .text:00453213p
					; MiWalkPageTablesRecursively(x,x,x)+5C3p ...

var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		xor	eax, eax
		mov	[ebp+var_8], 8
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_0]
		push	eax
		push	10008h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		leave
		retn	4
_HvlNotifyLongSpinWait@4 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 701. HvlQueryActiveHypervisorProcessorCount

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlQueryActiveHypervisorProcessorCount(x)
		public _HvlQueryActiveHypervisorProcessorCount@4
_HvlQueryActiveHypervisorProcessorCount@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr ds:_HvlpFlags,	2
		jnz	short loc_6037F8
		mov	eax, 0C0000001h
		jmp	short loc_603804
; 

loc_6037F8:				; CODE XREF: HvlQueryActiveHypervisorProcessorCount(x)+Cj
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_HvlpActiveProcessorCount
		mov	[ecx], eax
		xor	eax, eax

loc_603804:				; CODE XREF: HvlQueryActiveHypervisorProcessorCount(x)+13j
		pop	ebp
		retn	4
_HvlQueryActiveHypervisorProcessorCount@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 702. HvlQueryActiveProcessors

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlQueryActiveProcessors(x,	x)
		public _HvlQueryActiveProcessors@8
_HvlQueryActiveProcessors@8 proc near	; CODE XREF: PAGE:00781683p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr ds:_HvlpFlags,	2
		jnz	short loc_603822
		mov	eax, 0C0000022h
		jmp	short loc_60387C
; 

loc_603822:				; CODE XREF: HvlQueryActiveProcessors(x,x)+Cj
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_603830
		mov	eax, 0C000000Dh
		jmp	short loc_60387C
; 

loc_603830:				; CODE XREF: HvlQueryActiveProcessors(x,x)+1Aj
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jnz	short loc_60383C
		xor	eax, eax
		jmp	short loc_603873
; 

loc_60383C:				; CODE XREF: HvlQueryActiveProcessors(x,x)+29j
		mov	eax, [edx]
		mov	ecx, ds:_HvlpActiveProcessorCount
		cmp	ecx, eax
		jb	short loc_60384A
		mov	ecx, eax

loc_60384A:				; CODE XREF: HvlQueryActiveProcessors(x,x)+39j
		test	ecx, ecx
		jz	short loc_603866
		push	edi
		mov	edi, offset dword_706024

loc_603854:				; CODE XREF: HvlQueryActiveProcessors(x,x)+54j
		mov	eax, [edi]
		lea	edi, [edi+68h]
		mov	[esi], eax
		lea	esi, [esi+4]
		sub	ecx, 1
		jnz	short loc_603854
		mov	eax, [edx]
		pop	edi

loc_603866:				; CODE XREF: HvlQueryActiveProcessors(x,x)+3Fj
		cmp	eax, ds:_HvlpActiveProcessorCount
		sbb	eax, eax
		and	eax, 0C0000023h

loc_603873:				; CODE XREF: HvlQueryActiveProcessors(x,x)+2Dj
		mov	ecx, ds:_HvlpActiveProcessorCount
		mov	[edx], ecx
		pop	esi

loc_60387C:				; CODE XREF: HvlQueryActiveProcessors(x,x)+13j
					; HvlQueryActiveProcessors(x,x)+21j
		pop	ebp
		retn	8
_HvlQueryActiveProcessors@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 704. HvlQueryHypervisorProcessorNodeNumber

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlQueryHypervisorProcessorNodeNumber(x, x)
		public _HvlQueryHypervisorProcessorNodeNumber@8
_HvlQueryHypervisorProcessorNodeNumber@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr ds:_HvlpFlags,	2
		jz	short loc_6038B5
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 140h
		jnb	short loc_6038B5
		call	_HvlpGetLpcbByLpIndex@4	; HvlpGetLpcbByLpIndex(x)
		test	eax, eax
		jz	short loc_6038B5
		mov	cx, [eax+0Eh]
		mov	eax, [ebp+arg_4]
		mov	[eax], cx
		xor	eax, eax
		jmp	short loc_6038BA
; 

loc_6038B5:				; CODE XREF: HvlQueryHypervisorProcessorNodeNumber(x,x)+Cj
					; HvlQueryHypervisorProcessorNodeNumber(x,x)+17j ...
		mov	eax, 0C0000001h

loc_6038BA:				; CODE XREF: HvlQueryHypervisorProcessorNodeNumber(x,x)+2Ej
		pop	ebp
		retn	8
_HvlQueryHypervisorProcessorNodeNumber@8 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 705. HvlQueryNumaDistance

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlQueryNumaDistance(x, x, x)
		public _HvlQueryNumaDistance@12
_HvlQueryNumaDistance@12 proc near	; CODE XREF: KiComputeNumaCosts+2529Ap

var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= word ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 30h
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+38h+var_18]
		rep stosd
		push	6
		pop	ecx
		lea	edi, [esp+38h+var_30]
		xor	edx, edx
		rep stosd
		push	8
		push	eax
		inc	edx
		lea	ecx, [esp+40h+var_18]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	8
		push	0
		push	2
		pop	edx
		lea	ecx, [esp+40h+var_30]
		mov	esi, eax
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		movzx	ecx, [ebp+arg_0]
		mov	edi, eax
		push	[esp+38h+var_1C]
		push	[esp+3Ch+var_20]
		mov	ecx, ds:_KeNodeBlock[ecx*4]
		push	[esp+40h+var_4]
		push	[esp+44h+var_8]
		movzx	ecx, word ptr [ecx+8Ch]
		push	0
		push	78h
		mov	ecx, ds:_KeNodeBlock[ecx*4]
		mov	ecx, [ecx+98h]
		mov	[esi], ecx
		movzx	ecx, [ebp+arg_4]
		mov	ecx, ds:_KeNodeBlock[ecx*4]
		movzx	ecx, word ptr [ecx+8Ch]
		mov	eax, ds:_KeNodeBlock[ecx*4]
		mov	eax, [eax+98h]
		mov	[esi+4], eax
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		test	ax, ax
		jz	short loc_60396F
		or	edx, 0FFFFFFFFh
		mov	edi, edx
		jmp	short loc_603974
; 

loc_60396F:				; CODE XREF: HvlQueryNumaDistance(x,x,x)+A3j
		mov	edx, [edi]
		mov	edi, [edi+4]

loc_603974:				; CODE XREF: HvlQueryNumaDistance(x,x,x)+AAj
		mov	ecx, [ebp+arg_8]
		movzx	esi, ax
		neg	esi
		mov	[ecx], edx
		sbb	esi, esi
		mov	[ecx+4], edi
		and	esi, 0C0000001h
		lea	ecx, [esp+38h+var_30]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		lea	ecx, [esp+38h+var_18]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_HvlQueryNumaDistance@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 706. HvlQueryProcessorTopology

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlQueryProcessorTopology(x, x, x, x)
		public _HvlQueryProcessorTopology@16
_HvlQueryProcessorTopology@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_HvlQueryProcessorTopologyEx@20	; HvlQueryProcessorTopologyEx(x,x,x,x,x)
		pop	ebp
		retn	10h
_HvlQueryProcessorTopology@16 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 707. HvlQueryProcessorTopologyCount

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlQueryProcessorTopologyCount(x, x)
		public _HvlQueryProcessorTopologyCount@8
_HvlQueryProcessorTopologyCount@8 proc near ; CODE XREF: PAGE:0078169Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr ds:_HvlpFlags,	2
		jnz	short loc_6039E0
		mov	eax, 0C0000022h
		jmp	short loc_6039FE
; 

loc_6039E0:				; CODE XREF: HvlQueryProcessorTopologyCount(x,x)+Cj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_6039EE
		mov	eax, ds:_HvlpPackageCount
		mov	[ecx], eax

loc_6039EE:				; CODE XREF: HvlQueryProcessorTopologyCount(x,x)+1Aj
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_6039FC
		mov	eax, ds:_HvlpCoreCount
		mov	[ecx], eax

loc_6039FC:				; CODE XREF: HvlQueryProcessorTopologyCount(x,x)+28j
		xor	eax, eax

loc_6039FE:				; CODE XREF: HvlQueryProcessorTopologyCount(x,x)+13j
		pop	ebp
		retn	8
_HvlQueryProcessorTopologyCount@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 708. HvlQueryProcessorTopologyEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlQueryProcessorTopologyEx(x, x, x, x, x)
		public _HvlQueryProcessorTopologyEx@20
_HvlQueryProcessorTopologyEx@20	proc near
					; CODE XREF: HvlQueryProcessorTopology(x,x,x,x)+13p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr ds:_HvlpFlags,	2
		jnz	short loc_603A1C
		mov	eax, 0C0000022h
		jmp	short loc_603A77
; 

loc_603A1C:				; CODE XREF: HvlQueryProcessorTopologyEx(x,x,x,x,x)+Cj
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 140h
		jnb	short loc_603A72
		call	_HvlpGetLpcbByLpIndex@4	; HvlpGetLpcbByLpIndex(x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_603A72
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_603A40
		mov	cx, [edx+0Eh]
		mov	[eax], cx

loc_603A40:				; CODE XREF: HvlQueryProcessorTopologyEx(x,x,x,x,x)+30j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_603A4C
		mov	eax, [edx+10h]
		mov	[ecx], eax

loc_603A4C:				; CODE XREF: HvlQueryProcessorTopologyEx(x,x,x,x,x)+3Ej
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_603A58
		mov	eax, [edx+14h]
		mov	[ecx], eax

loc_603A58:				; CODE XREF: HvlQueryProcessorTopologyEx(x,x,x,x,x)+4Aj
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_603A6E
		mov	ecx, [edx+18h]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_603A6B
		mov	[eax], ecx
		jmp	short loc_603A6E
; 

loc_603A6B:				; CODE XREF: HvlQueryProcessorTopologyEx(x,x,x,x,x)+5Ej
		or	dword ptr [eax], 0FFFFFFFFh

loc_603A6E:				; CODE XREF: HvlQueryProcessorTopologyEx(x,x,x,x,x)+56j
					; HvlQueryProcessorTopologyEx(x,x,x,x,x)+62j
		xor	eax, eax
		jmp	short loc_603A77
; 

loc_603A72:				; CODE XREF: HvlQueryProcessorTopologyEx(x,x,x,x,x)+1Ej
					; HvlQueryProcessorTopologyEx(x,x,x,x,x)+29j
		mov	eax, 0C000000Dh

loc_603A77:				; CODE XREF: HvlQueryProcessorTopologyEx(x,x,x,x,x)+13j
					; HvlQueryProcessorTopologyEx(x,x,x,x,x)+69j
		pop	ebp
		retn	14h
_HvlQueryProcessorTopologyEx@20	endp

; 
		align 10h
; Exported entry 709. HvlQueryProcessorTopologyHighestId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlQueryProcessorTopologyHighestId(x, x)
		public _HvlQueryProcessorTopologyHighestId@8
_HvlQueryProcessorTopologyHighestId@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr ds:_HvlpFlags,	2
		jnz	short loc_603A95
		mov	eax, 0C0000022h
		jmp	short loc_603AB3
; 

loc_603A95:				; CODE XREF: HvlQueryProcessorTopologyHighestId(x,x)+Cj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_603AA3
		mov	eax, ds:dword_6FE154
		mov	[ecx], eax

loc_603AA3:				; CODE XREF: HvlQueryProcessorTopologyHighestId(x,x)+1Aj
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_603AB1
		mov	eax, ds:dword_6FE158
		mov	[ecx], eax

loc_603AB1:				; CODE XREF: HvlQueryProcessorTopologyHighestId(x,x)+28j
		xor	eax, eax

loc_603AB3:				; CODE XREF: HvlQueryProcessorTopologyHighestId(x,x)+13j
		pop	ebp
		retn	8
_HvlQueryProcessorTopologyHighestId@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 710. HvlQueryStartedProcessors

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlQueryStartedProcessors(x, x)
		public _HvlQueryStartedProcessors@8
_HvlQueryStartedProcessors@8 proc near	; CODE XREF: EtwpQueryUsedProcessorCount+D3D7Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr ds:_HvlpFlags,	2
		jnz	short loc_603AD1
		mov	eax, 0C0000022h
		jmp	short loc_603B2B
; 

loc_603AD1:				; CODE XREF: HvlQueryStartedProcessors(x,x)+Cj
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_603ADF
		mov	eax, 0C000000Dh
		jmp	short loc_603B2B
; 

loc_603ADF:				; CODE XREF: HvlQueryStartedProcessors(x,x)+1Aj
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jnz	short loc_603AEB
		xor	eax, eax
		jmp	short loc_603B22
; 

loc_603AEB:				; CODE XREF: HvlQueryStartedProcessors(x,x)+29j
		mov	eax, [edx]
		mov	ecx, ds:_HvlpLogicalProcessorCount
		cmp	ecx, eax
		jb	short loc_603AF9
		mov	ecx, eax

loc_603AF9:				; CODE XREF: HvlQueryStartedProcessors(x,x)+39j
		test	ecx, ecx
		jz	short loc_603B15
		push	edi
		mov	edi, offset dword_706024

loc_603B03:				; CODE XREF: HvlQueryStartedProcessors(x,x)+54j
		mov	eax, [edi]
		lea	edi, [edi+68h]
		mov	[esi], eax
		lea	esi, [esi+4]
		sub	ecx, 1
		jnz	short loc_603B03
		mov	eax, [edx]
		pop	edi

loc_603B15:				; CODE XREF: HvlQueryStartedProcessors(x,x)+3Fj
		cmp	eax, ds:_HvlpLogicalProcessorCount
		sbb	eax, eax
		and	eax, 0C0000023h

loc_603B22:				; CODE XREF: HvlQueryStartedProcessors(x,x)+2Dj
		mov	ecx, ds:_HvlpLogicalProcessorCount
		mov	[edx], ecx
		pop	esi

loc_603B2B:				; CODE XREF: HvlQueryStartedProcessors(x,x)+13j
					; HvlQueryStartedProcessors(x,x)+21j
		pop	ebp
		retn	8
_HvlQueryStartedProcessors@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpAcquireHypercallPage(x,	x, x, x)
_HvlpAcquireHypercallPage@16 proc near	; CODE XREF: HvlQueryNumaDistance(x,x,x)+2Bp
					; HvlQueryNumaDistance(x,x,x)+3Dp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, edx
		test	byte ptr ds:_HvlpFlags,	8
		push	edi
		mov	edi, ecx
		jnz	short loc_603B8D
		mov	dword ptr [edi], 4
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	[edi+4], al
		mov	eax, large fs:20h
		mov	[edi+8], ebx
		test	bl, 1
		jz	short loc_603B6B
		mov	esi, [eax+3FC8h]
		jmp	short loc_603B7C
; 

loc_603B6B:				; CODE XREF: HvlpAcquireHypercallPage(x,x,x,x)+32j
		test	bl, 2
		jz	short loc_603B7C
		mov	esi, [eax+3FC8h]
		add	esi, 1000h

loc_603B7C:				; CODE XREF: HvlpAcquireHypercallPage(x,x,x,x)+3Aj
					; HvlpAcquireHypercallPage(x,x,x,x)+3Fj
		mov	ecx, [esi+8]
		mov	[edi+10h], ecx
		mov	ecx, [esi+0Ch]
		mov	[edi+14h], ecx
		jmp	loc_603C5A
; 

loc_603B8D:				; CODE XREF: HvlpAcquireHypercallPage(x,x,x,x)+16j
		mov	eax, large fs:20h
		mov	[ebp+var_4], eax
		lea	ecx, [eax+3FC0h]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_603BC7
		mov	eax, [ebp+var_4]
		mov	[edi+4], eax
		mov	eax, [esi+8]
		mov	[edi+10h], eax
		mov	eax, [esi+0Ch]
		mov	dword ptr [edi], 1
		mov	[edi+8], esi
		mov	[edi+14h], eax
		jmp	loc_603C5A
; 

loc_603BC7:				; CODE XREF: HvlpAcquireHypercallPage(x,x,x,x)+76j
		test	bl, 4
		jz	short loc_603BD3
		xor	eax, eax
		jmp	loc_603C5C
; 

loc_603BD3:				; CODE XREF: HvlpAcquireHypercallPage(x,x,x,x)+9Bj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_603C19
		mov	ecx, [ebp+arg_4]
		lea	esi, [eax+7]
		and	esi, 0FFFFFFF8h
		mov	edx, 0FFFFF000h
		lea	eax, [ecx-1]
		add	eax, esi
		xor	eax, esi
		test	eax, edx
		jz	short loc_603BF8
		dec	esi
		add	esi, ecx
		and	esi, edx

loc_603BF8:				; CODE XREF: HvlpAcquireHypercallPage(x,x,x,x)+C2j
		mov	dword ptr [edi], 2
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[edi+4], al
		cmp	al, 2
		jnb	short loc_603C11
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()

loc_603C11:				; CODE XREF: HvlpAcquireHypercallPage(x,x,x,x)+DAj
		push	esi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		jmp	short loc_603C54
; 

loc_603C19:				; CODE XREF: HvlpAcquireHypercallPage(x,x,x,x)+A9j
		mov	dword ptr [edi], 4
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	[edi+4], al
		mov	eax, large fs:20h
		mov	[edi+8], ebx
		test	bl, 1
		jz	short loc_603C3D
		mov	esi, [eax+3FC8h]
		jmp	short loc_603C4E
; 

loc_603C3D:				; CODE XREF: HvlpAcquireHypercallPage(x,x,x,x)+104j
		test	bl, 2
		jz	short loc_603C4E
		mov	esi, [eax+3FC8h]
		add	esi, 1000h

loc_603C4E:				; CODE XREF: HvlpAcquireHypercallPage(x,x,x,x)+10Cj
					; HvlpAcquireHypercallPage(x,x,x,x)+111j
		mov	eax, [esi+8]
		mov	edx, [esi+0Ch]

loc_603C54:				; CODE XREF: HvlpAcquireHypercallPage(x,x,x,x)+E8j
		mov	[edi+10h], eax
		mov	[edi+14h], edx

loc_603C5A:				; CODE XREF: HvlpAcquireHypercallPage(x,x,x,x)+59j
					; HvlpAcquireHypercallPage(x,x,x,x)+93j
		mov	eax, esi

loc_603C5C:				; CODE XREF: HvlpAcquireHypercallPage(x,x,x,x)+9Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_HvlpAcquireHypercallPage@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpCommitLpIndices()
_HvlpCommitLpIndices@0 proc near	; CODE XREF: HvlStartBootLogicalProcessors:loc_5F4450p

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_18]
		rep stosd
		push	8
		xor	edx, edx
		lea	ecx, [ebp+var_18]
		xor	esi, esi
		inc	edx
		push	esi
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	ecx, ds:_HvlpActiveProcessorCount
		push	esi
		push	esi
		push	[ebp+var_4]
		mov	dword ptr [eax], 5
		push	[ebp+var_8]
		mov	[eax+4], ecx
		push	esi
		push	87h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		movzx	esi, ax
		lea	ecx, [ebp+var_18]
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000001h
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_HvlpCommitLpIndices@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl HvlpCompareActiveLpcbs(const void	*,const	void *)
_HvlpCompareActiveLpcbs	proc near	; DATA XREF: HvlStartBootLogicalProcessors:loc_5F43E1o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	dl, [eax+60h]
		cmp	dl, [ecx+60h]
		jz	short loc_603CE7
		xor	eax, eax
		test	dl, dl

loc_603CDB:				; CODE XREF: _HvlpCompareActiveLpcbs+2Fj
		setz	al
		lea	eax, ds:0FFFFFFFFh[eax*2]
		pop	ebp
		retn
; 

loc_603CE7:				; CODE XREF: _HvlpCompareActiveLpcbs+11j
		mov	edx, [eax+24h]
		cmp	edx, [ecx+24h]
		jz	short loc_603CF5
		xor	eax, eax
		test	edx, edx
		jmp	short loc_603CDB
; 

loc_603CF5:				; CODE XREF: _HvlpCompareActiveLpcbs+29j
		mov	eax, [eax+4]
		mov	ecx, [ecx+4]
		cmp	ecx, eax
		jbe	short loc_603D04
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
; 

loc_603D04:				; CODE XREF: _HvlpCompareActiveLpcbs+39j
		sbb	eax, eax
		neg	eax
		pop	ebp
		retn
_HvlpCompareActiveLpcbs	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpComputeLpComparisonMetrics(x, x, x)
_HvlpComputeLpComparisonMetrics@12 proc	near ; CODE XREF: HvlpSelectLpSet(x,x,x)+2DCp
					; HvlpSelectVpSet(x,x,x)+430p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		imul	esi, [ebp+arg_0], 28h
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		mov	ecx, large fs:20h
		mov	eax, large fs:20h
		push	edi
		add	esi, edx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_20], esi
		or	dword ptr [esi+14h], 0FFFFFFFFh
		mov	[esi+10h], ebx
		mov	[esi+18h], ebx
		mov	[esi+1Ch], ebx
		mov	[esi+20h], ebx
		mov	[esi+24h], ebx
		mov	edi, [eax+340h]
		imul	edi, [ecx+344h]
		mov	eax, large fs:20h
		mov	ecx, [eax+344h]
		dec	edi
		mov	eax, [esi+4]
		not	edi
		mov	[ebp+var_8], eax
		dec	ecx
		and	[ebp+var_8], edi
		not	ecx
		mov	[ebp+var_10], edi
		mov	edi, eax
		shr	eax, 4
		and	edi, ecx
		movzx	eax, ax
		mov	[ebp+var_14], ecx
		mov	[ebp+var_18], edi
		mov	[ebp+var_1C], eax
		cmp	[ebp+var_4], ebx
		jbe	loc_603E40
		mov	ecx, [ebp+arg_0]
		lea	edi, [edx+4]
		mov	eax, [ebp+var_4]

loc_603D96:				; CODE XREF: HvlpComputeLpComparisonMetrics(x,x,x)+130j
		cmp	ebx, ecx
		jz	loc_603E34
		mov	ax, [edi+4]
		cmp	ax, [esi+8]
		jnz	short loc_603DAF
		cmp	ebx, ecx
		jnb	short loc_603DAF
		inc	dword ptr [esi+24h]

loc_603DAF:				; CODE XREF: HvlpComputeLpComparisonMetrics(x,x,x)+9Cj
					; HvlpComputeLpComparisonMetrics(x,x,x)+A0j
		cmp	byte ptr [edi-3], 0
		jz	short loc_603E31
		mov	ax, [edi+8]
		cmp	ax, [esi+0Ch]
		jnz	short loc_603DC2
		inc	dword ptr [esi+10h]

loc_603DC2:				; CODE XREF: HvlpComputeLpComparisonMetrics(x,x,x)+B3j
		mov	ecx, [edi]
		mov	eax, ecx
		and	eax, [ebp+var_10]
		cmp	eax, [ebp+var_8]
		jnz	short loc_603DD3
		inc	dword ptr [esi+18h]
		mov	ecx, [edi]

loc_603DD3:				; CODE XREF: HvlpComputeLpComparisonMetrics(x,x,x)+C2j
		mov	eax, ecx
		and	eax, [ebp+var_14]
		cmp	eax, [ebp+var_18]
		jnz	short loc_603DE2
		inc	dword ptr [esi+1Ch]
		mov	ecx, [edi]

loc_603DE2:				; CODE XREF: HvlpComputeLpComparisonMetrics(x,x,x)+D1j
		shr	ecx, 4
		movzx	eax, cx
		cmp	eax, [ebp+var_1C]
		jnz	short loc_603DF0
		inc	dword ptr [esi+20h]

loc_603DF0:				; CODE XREF: HvlpComputeLpComparisonMetrics(x,x,x)+E1j
		movzx	eax, word ptr [edi+6]
		movzx	ecx, word ptr [esi+0Ah]
		cmp	ax, cx
		jz	short loc_603E2E
		mov	edx, eax
		mov	eax, ds:_HvlpQueryNodeDistance
		test	eax, eax
		jz	short loc_603E15
		lea	esi, [ebp+var_C]
		push	esi
		push	edx
		push	ecx
		call	eax
		mov	esi, [ebp+var_20]
		jmp	short loc_603E1A
; 

loc_603E15:				; CODE XREF: HvlpComputeLpComparisonMetrics(x,x,x)+FCj
		mov	eax, 0C0000225h

loc_603E1A:				; CODE XREF: HvlpComputeLpComparisonMetrics(x,x,x)+109j
		mov	ecx, [ebp+arg_0]
		test	eax, eax
		js	short loc_603E31
		mov	eax, [ebp+var_C]
		cmp	eax, [esi+14h]
		jnb	short loc_603E31
		mov	[esi+14h], eax
		jmp	short loc_603E31
; 

loc_603E2E:				; CODE XREF: HvlpComputeLpComparisonMetrics(x,x,x)+F1j
		mov	ecx, [ebp+arg_0]

loc_603E31:				; CODE XREF: HvlpComputeLpComparisonMetrics(x,x,x)+A9j
					; HvlpComputeLpComparisonMetrics(x,x,x)+115j ...
		mov	eax, [ebp+var_4]

loc_603E34:				; CODE XREF: HvlpComputeLpComparisonMetrics(x,x,x)+8Ej
		inc	ebx
		add	edi, 28h
		cmp	ebx, eax
		jb	loc_603D96

loc_603E40:				; CODE XREF: HvlpComputeLpComparisonMetrics(x,x,x)+7Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_HvlpComputeLpComparisonMetrics@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpDepositPages(x,	x, x)
_HvlpDepositPages@12 proc near		; CODE XREF: HvlpStartLogicalProcessor+51p
					; HvlMapDeviceInterrupt(x,x,x,x,x)+22Cp ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		mov	edx, ecx
		mov	[esp+48h+var_3C], 80h
		push	6
		xor	eax, eax
		lea	edi, [esp+4Ch+var_18]
		pop	ecx
		rep stosd
		movzx	eax, dx
		mov	ecx, 200000h
		push	71h
		pop	ebx
		mov	eax, ds:_KeNodeBlock[eax*4]
		lea	edi, [ebx+0Fh]
		movzx	eax, word ptr [eax+8Ch]
		mov	[esp+48h+var_24], eax

loc_603E8A:				; CODE XREF: HvlpDepositPages(x,x,x)+1BAj
		xor	edx, edx
		mov	[esp+48h+var_2C], ecx
		mov	[esp+48h+var_28], edx

loc_603E94:				; CODE XREF: HvlpDepositPages(x,x,x)+1ADj
		mov	esi, ebx
		mov	[esp+48h+var_38], ebx
		and	esi, 20h
		jz	short loc_603EAC
		lea	eax, [edi+1FFh]
		and	eax, 0FFFFFE00h
		jmp	short loc_603EAE
; 

loc_603EAC:				; CODE XREF: HvlpDepositPages(x,x,x)+56j
		mov	eax, edi

loc_603EAE:				; CODE XREF: HvlpDepositPages(x,x,x)+63j
		push	0
		push	ebx
		push	[esp+50h+var_24]
		shl	eax, 0Ch
		push	1
		push	eax
		push	edx
		push	ecx
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	0
		push	0
		call	MmAllocatePartitionNodePagesForMdlEx
		mov	[esp+48h+var_30], eax
		test	eax, eax
		jnz	short loc_603EF2
		test	esi, esi
		jz	short loc_603EE8
		cmp	[ebp+arg_0], al
		jz	loc_603FE0
		test	bl, 40h
		jnz	loc_603FE0

loc_603EE8:				; CODE XREF: HvlpDepositPages(x,x,x)+8Dj
		mov	eax, 0C0000017h
		jmp	loc_604008
; 

loc_603EF2:				; CODE XREF: HvlpDepositPages(x,x,x)+89j
		mov	eax, [eax+14h]
		mov	edi, eax
		and	edi, 0FFFh
		neg	edi
		push	8
		sbb	edi, edi
		shr	eax, 0Ch
		neg	edi
		add	edi, eax
		mov	eax, [esp+4Ch+var_3C]
		sub	eax, edi
		cmp	[esp+4Ch+var_3C], edi
		push	0
		sbb	ecx, ecx
		xor	edx, edx
		not	ecx
		inc	edx
		and	ecx, eax
		mov	[esp+50h+var_3C], ecx
		lea	ecx, [esp+50h+var_18]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	ecx, ds:_HvlPartitionId
		mov	edx, eax
		mov	eax, [esp+48h+var_30]
		xor	esi, esi
		add	eax, 1Ch
		mov	[esp+48h+var_20], eax
		mov	[edx], ecx
		mov	ecx, ds:dword_70E274
		mov	[edx+4], ecx
		xor	ecx, ecx
		mov	[esp+48h+var_34], ecx
		test	edi, edi
		jz	short loc_603FC8
		add	edx, 8
		mov	ebx, eax
		mov	[esp+48h+var_1C], edx

loc_603F5F:				; CODE XREF: HvlpDepositPages(x,x,x)+17Bj
		mov	eax, edi
		sub	eax, ecx
		mov	ecx, 1FFh
		cmp	eax, ecx
		jb	short loc_603F76
		and	esi, 0FFFFF1FFh
		or	esi, ecx
		jmp	short loc_603F7F
; 

loc_603F76:				; CODE XREF: HvlpDepositPages(x,x,x)+123j
		xor	eax, esi
		and	eax, 0FFFh
		xor	esi, eax

loc_603F7F:				; CODE XREF: HvlpDepositPages(x,x,x)+12Dj
		mov	eax, esi
		and	eax, 0FFFh
		shl	eax, 2
		push	eax		; size_t
		push	ebx		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	0
		push	[esp+50h+var_4]
		push	[esp+54h+var_8]
		push	esi
		push	48h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		mov	ecx, [esp+48h+var_34]
		add	ebx, 7FCh
		mov	edx, [esp+48h+var_1C]
		add	ecx, 1FFh
		mov	[esp+48h+var_34], ecx
		cmp	ecx, edi
		jb	short loc_603F5F
		mov	ebx, [esp+48h+var_38]

loc_603FC8:				; CODE XREF: HvlpDepositPages(x,x,x)+10Dj
		lea	ecx, [esp+48h+var_18]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		push	0
		push	[esp+4Ch+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [esp+48h+var_3C]

loc_603FE0:				; CODE XREF: HvlpDepositPages(x,x,x)+92j
					; HvlpDepositPages(x,x,x)+9Bj
		test	edi, edi
		jz	short loc_604006
		test	bl, 40h
		jz	short loc_603FF9
		mov	ecx, [esp+48h+var_2C]
		and	ebx, 0FFFFFFBFh
		mov	edx, [esp+48h+var_28]
		jmp	loc_603E94
; 

loc_603FF9:				; CODE XREF: HvlpDepositPages(x,x,x)+1A0j
		and	ebx, 0FFFFFFDFh
		or	ebx, 4
		xor	ecx, ecx
		jmp	loc_603E8A
; 

loc_604006:				; CODE XREF: HvlpDepositPages(x,x,x)+19Bj
		xor	eax, eax

loc_604008:				; CODE XREF: HvlpDepositPages(x,x,x)+A6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_HvlpDepositPages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlpEnableNextLogicalProcessor proc near ; CODE	XREF: HvlStartBootLogicalProcessors+8A714p

var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		mov	ebx, ds:_HvlpLogicalProcessorCount
		xor	eax, eax
		push	esi
		imul	esi, ebx, 68h
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], eax
		add	esi, offset _HvlpLogicalProcessorRegions
		mov	[ebp+var_18], eax
		test	byte ptr ds:_HvlpRootFlags, 20h
		mov	[ebp+var_14], eax
		jz	short loc_604062
		lea	eax, [esi+28h]
		mov	[ebp+var_4], ebx
		push	eax		; void *
		mov	edx, ecx
		mov	ecx, ebx
		push	edi		; int
		call	HvlpStartLogicalProcessor
		test	eax, eax
		js	loc_6040EA
		jmp	short loc_604071
; 

loc_604062:				; CODE XREF: HvlpEnableNextLogicalProcessor+34j
		lea	edx, [ebp+var_4]
		call	_HvlpGetVpIndexFromApicId@8 ; HvlpGetVpIndexFromApicId(x,x)
		test	eax, eax
		js	short loc_6040EA
		mov	ebx, [ebp+var_4]

loc_604071:				; CODE XREF: HvlpEnableNextLogicalProcessor+4Fj
		test	byte ptr ds:_HvlpRootFlags, 10h
		jz	short loc_6040BC
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		lea	edx, [ebp+var_28]
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		pop	ecx
		mov	[ebp+var_28], ebx
		call	_HvlpMapStatisticsPage@12 ; HvlpMapStatisticsPage(x,x,x)
		test	eax, eax
		js	short loc_6040EA
		push	2
		push	1000h
		push	[ebp+var_14]
		push	[ebp+var_18]
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		test	eax, eax
		jnz	short loc_6040B6
		mov	eax, 0C000009Ah
		jmp	short loc_6040EA
; 

loc_6040B6:				; CODE XREF: HvlpEnableNextLogicalProcessor+9Cj
		mov	edi, [ebp+var_8]
		mov	[esi+1Ch], eax

loc_6040BC:				; CODE XREF: HvlpEnableNextLogicalProcessor+67j
		mov	eax, [ebp+var_C]
		mov	[esi+8], eax
		movzx	eax, di
		mov	[esi+4], ebx
		mov	[esi+0Ch], di
		mov	eax, ds:_KeNodeBlock[eax*4]
		mov	ax, [eax+8Ch]
		or	dword ptr [esi+18h], 0FFFFFFFFh
		mov	[esi+0Eh], ax
		xor	eax, eax
		mov	dword ptr [esi], 1

loc_6040EA:				; CODE XREF: HvlpEnableNextLogicalProcessor+49j
					; HvlpEnableNextLogicalProcessor+5Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
HvlpEnableNextLogicalProcessor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpGetLogicalProcessorProperty(x, x, x)
_HvlpGetLogicalProcessorProperty@12 proc near
					; CODE XREF: HvlLpGetMachineCheckContext(x,x,x,x)+29p

var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, ecx
		lea	edi, [ebp+var_3C]
		pop	ecx
		xor	eax, eax
		xor	edx, edx
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_24]
		inc	edx
		rep stosd
		push	8
		xor	edi, edi
		lea	ecx, [ebp+var_3C]
		push	edi
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	0CB8h
		push	edi
		push	2
		pop	edx
		lea	ecx, [ebp+var_24]
		mov	esi, eax
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	[ebp+var_10]
		mov	[ebp+var_8], eax
		push	[ebp+var_14]
		mov	[esi], ebx
		push	[ebp+var_28]
		mov	dword ptr [esi+4], 4
		push	[ebp+var_2C]
		push	edi
		push	7Ah
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		test	ax, ax
		jz	short loc_60415D
		mov	esi, 0C0000001h
		jmp	short loc_60416C
; 

loc_60415D:				; CODE XREF: HvlpGetLogicalProcessorProperty(x,x,x)+65j
		mov	esi, [ebp+var_8]
		mov	ecx, 32Eh
		mov	edi, [ebp+arg_0]
		rep movsd
		xor	esi, esi

loc_60416C:				; CODE XREF: HvlpGetLogicalProcessorProperty(x,x,x)+6Cj
		lea	ecx, [ebp+var_24]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		lea	ecx, [ebp+var_3C]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_HvlpGetLogicalProcessorProperty@12 endp


;  S U B	R O U T	I N E 


HvlpGetLpcbByApicId proc near		; CODE XREF: HvlStartBootLogicalProcessors+8A765p
					; KiQueryProcessorNode+8A0ACp ...
		mov	edi, edi
		push	esi
		mov	esi, ds:_HvlpLogicalProcessorCount
		xor	edx, edx
		mov	eax, offset _HvlpLogicalProcessorRegions
		test	esi, esi
		jz	short loc_6041A6

loc_604199:				; CODE XREF: HvlpGetLpcbByApicId+1Fj
		cmp	[eax+8], ecx
		jz	short loc_6041A8
		inc	edx
		add	eax, 68h
		cmp	edx, esi
		jb	short loc_604199

loc_6041A6:				; CODE XREF: HvlpGetLpcbByApicId+12j
		xor	eax, eax

loc_6041A8:				; CODE XREF: HvlpGetLpcbByApicId+17j
		pop	esi
		retn
HvlpGetLpcbByApicId endp


;  S U B	R O U T	I N E 


; __stdcall HvlpGetLpcbByLpIndex(x)
_HvlpGetLpcbByLpIndex@4	proc near	; CODE XREF: HvlEnlightenProcessor+8197Ep
					; HvlGetApicIdFromLpIndex(x,x)+11p ...
		mov	edi, edi
		push	esi
		mov	esi, ds:_HvlpLogicalProcessorCount
		mov	eax, offset _HvlpLogicalProcessorRegions
		cmp	ecx, esi
		jnb	short loc_6041CA
		imul	edx, ecx, 68h
		add	edx, eax
		cmp	[edx+4], ecx
		jnz	short loc_6041CA
		mov	eax, edx
		pop	esi
		retn
; 

loc_6041CA:				; CODE XREF: HvlpGetLpcbByLpIndex(x)+10j
					; HvlpGetLpcbByLpIndex(x)+1Aj
		xor	edx, edx
		test	esi, esi
		jz	short loc_6041DD

loc_6041D0:				; CODE XREF: HvlpGetLpcbByLpIndex(x)+31j
		cmp	[eax+4], ecx
		jz	short loc_6041E5
		inc	edx
		add	eax, 68h
		cmp	edx, esi
		jb	short loc_6041D0

loc_6041DD:				; CODE XREF: HvlpGetLpcbByLpIndex(x)+24j
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	eax, ecx

loc_6041E5:				; CODE XREF: HvlpGetLpcbByLpIndex(x)+29j
		pop	esi
		retn
_HvlpGetLpcbByLpIndex@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpGetVpIndexFromApicId(x,	x)
_HvlpGetVpIndexFromApicId@8 proc near	; CODE XREF: HvlpEnableNextLogicalProcessor+54p
					; HvlHalGetVpIndexFromApicId(x,x)+10p

var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, ecx
		mov	[esp+4Ch+var_3C], edx
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+48h+var_18]
		rep stosd
		push	6
		pop	ecx
		lea	edi, [esp+48h+var_30]
		xor	edx, edx
		rep stosd
		push	10h
		push	eax
		inc	edx
		lea	ecx, [esp+50h+var_18]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	4
		mov	esi, eax
		lea	ecx, [esp+4Ch+var_30]
		xor	eax, eax
		push	eax
		push	2
		pop	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	[esp+48h+var_1C]
		or	dword ptr [esi], 0FFFFFFFFh
		mov	edi, eax
		push	[esp+4Ch+var_20]
		or	dword ptr [esi+4], 0FFFFFFFFh
		xor	eax, eax
		push	[esp+50h+var_4]
		mov	[esi+8], eax
		push	[esp+54h+var_8]
		mov	[esi+0Ch], eax
		push	1
		push	9Ah
		mov	[esi+10h], ebx
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		mov	cx, ax
		test	cx, cx
		jz	short loc_60426D
		xor	eax, eax
		jmp	short loc_60426F
; 

loc_60426D:				; CODE XREF: HvlpGetVpIndexFromApicId(x,x)+80j
		mov	eax, [edi]

loc_60426F:				; CODE XREF: HvlpGetVpIndexFromApicId(x,x)+84j
		movzx	esi, cx
		mov	ecx, [esp+48h+var_3C]
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000001h
		mov	[ecx], eax
		lea	ecx, [esp+48h+var_30]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		lea	ecx, [esp+48h+var_18]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_HvlpGetVpIndexFromApicId@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpInitializeBootProcessor(x)
_HvlpInitializeBootProcessor@4 proc near ; CODE	XREF: HvlPhase0Initialize+9F5A6p

var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		cmp	ds:_HvlHypervisorConnected, 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		jz	loc_60437A
		mov	ebx, large fs:20h
		lea	eax, [ebp+var_4]
		xor	esi, esi
		xor	ecx, ecx
		mov	[ebp+var_4], esi
		lock or	[eax], ecx
		mov	eax, ds:_HvlpFlags
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		test	eax, 80000h
		jz	short loc_60430D
		test	al, 2
		jnz	short loc_60430D
		push	4
		lea	eax, [ebp+var_18]
		push	eax
		push	1
		push	edi
		call	ds:dword_6B12D4
		test	eax, eax
		jnz	short loc_604307
		mov	eax, 0C000009Ah
		jmp	short loc_60437C
; 

loc_604307:				; CODE XREF: HvlpInitializeBootProcessor(x)+61j
		mov	[ebx+3FCCh], eax

loc_60430D:				; CODE XREF: HvlpInitializeBootProcessor(x)+4Aj
					; HvlpInitializeBootProcessor(x)+4Ej
		mov	eax, ds:_HvlpFlags
		test	al, 2
		jnz	short loc_604336
		test	eax, 8000h
		jz	short loc_604336
		push	4
		lea	eax, [ebp+var_20]
		push	eax
		push	1
		push	edi
		call	ds:dword_6B12D4
		test	eax, eax
		jz	short loc_604336
		mov	[ebx+4DCh], eax

loc_604336:				; CODE XREF: HvlpInitializeBootProcessor(x)+77j
					; HvlpInitializeBootProcessor(x)+7Ej ...
		test	byte ptr ds:_HvlpRootFlags, 10h
		jz	short loc_604373
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		lea	edx, [ebp+var_30]
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_10]
		push	eax
		push	2
		pop	ecx
		call	_HvlpMapStatisticsPage@12 ; HvlpMapStatisticsPage(x,x,x)
		test	eax, eax
		js	short loc_60436D
		push	4
		push	1
		push	[ebp+var_C]
		push	[ebp+var_10]
		call	ds:dword_6B12D8
		mov	esi, eax

loc_60436D:				; CODE XREF: HvlpInitializeBootProcessor(x)+BCj
		mov	[ebx+3FD0h], esi

loc_604373:				; CODE XREF: HvlpInitializeBootProcessor(x)+A0j
		xor	cl, cl
		call	HvlEnlightenProcessor

loc_60437A:				; CODE XREF: HvlpInitializeBootProcessor(x)+14j
		xor	eax, eax

loc_60437C:				; CODE XREF: HvlpInitializeBootProcessor(x)+68j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_HvlpInitializeBootProcessor@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpLpComparison(x,	x, x, x)
_HvlpLpComparison@16 proc near		; CODE XREF: HvlpSelectLpSet(x,x,x)+31Bp
					; HvlpSelectVpSet(x,x,x)+47Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		imul	eax, esi, 28h
		imul	ecx, edi, 28h
		add	eax, edx
		add	ecx, edx
		mov	edx, [eax+10h]
		cmp	edx, [ecx+10h]
		jb	short loc_6043DC
		ja	short loc_6043D7
		mov	edx, [eax+14h]
		cmp	edx, [ecx+14h]
		jb	short loc_6043DC
		ja	short loc_6043D7
		mov	edx, [eax+18h]
		cmp	edx, [ecx+18h]
		ja	short loc_6043DC
		jb	short loc_6043D7
		mov	edx, [eax+1Ch]
		cmp	edx, [ecx+1Ch]
		ja	short loc_6043DC
		jb	short loc_6043D7
		mov	eax, [eax+20h]
		mov	ecx, [ecx+20h]
		cmp	eax, ecx
		ja	short loc_6043DC
		jb	short loc_6043D7
		cmp	esi, edi
		jb	short loc_6043DC
		ja	short loc_6043D7
		xor	eax, eax
		jmp	short loc_6043DF
; 

loc_6043D7:				; CODE XREF: HvlpLpComparison(x,x,x,x)+20j
					; HvlpLpComparison(x,x,x,x)+2Aj ...
		xor	eax, eax
		inc	eax
		jmp	short loc_6043DF
; 

loc_6043DC:				; CODE XREF: HvlpLpComparison(x,x,x,x)+1Ej
					; HvlpLpComparison(x,x,x,x)+28j ...
		or	eax, 0FFFFFFFFh

loc_6043DF:				; CODE XREF: HvlpLpComparison(x,x,x,x)+54j
					; HvlpLpComparison(x,x,x,x)+59j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_HvlpLpComparison@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpMapStatisticsPage(x, x,	x)
_HvlpMapStatisticsPage@12 proc near	; CODE XREF: HvlPhase1Initialize+86C0Ep
					; HvlpEnableNextLogicalProcessor+7Fp ...

var_88		= dword	ptr -88h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebx+8]
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		mov	[ebp+var_50], eax
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_54], edx
		push	6
		lea	edi, [ebp+var_88]
		xor	edx, edx
		rep stosd
		pop	ecx
		lea	edi, [ebp+var_70]
		inc	edx
		rep stosd
		push	18h
		lea	eax, [ebp+var_48]
		push	eax
		lea	ecx, [ebp+var_88]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	8
		mov	edi, eax
		lea	ecx, [ebp+var_70]
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		pop	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	[ebp+var_5C]
		mov	[edi], esi
		add	edi, 8
		mov	esi, [ebp+var_54]
		push	[ebp+var_60]
		mov	[ebp+var_4C], eax
		push	[ebp+var_74]
		movsd
		push	[ebp+var_78]
		push	0
		movsd
		push	6Ch
		movsd
		movsd
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_4C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	eax, [ebp+var_50]
		shld	edx, ecx, 0Ch
		shl	ecx, 0Ch
		mov	[eax], ecx
		lea	ecx, [ebp+var_70]
		mov	[eax+4], edx
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		lea	ecx, [ebp+var_88]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	ecx, [ebp+var_4]
		movzx	eax, si
		neg	eax
		pop	edi
		sbb	eax, eax
		xor	ecx, ebp
		and	eax, 0C0000001h
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
_HvlpMapStatisticsPage@12 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlpQueryApicIdAndNumaNode proc	near	; CODE XREF: HvlStartBootLogicalProcessors+8A677p
					; HvlpSelectLpSet(x,x,x)+108p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		or	dword ptr [edx], 0FFFFFFFFh
		mov	eax, ds:_HvlpQueryProcessorNode
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, 0FFFFh
		mov	[esi], di
		test	eax, eax
		jz	short loc_6044EC
		push	esi
		push	edx
		push	ecx
		call	eax
		jmp	short loc_6044F6
; 

loc_6044EC:				; CODE XREF: HvlpQueryApicIdAndNumaNode+1Cj
		push	0
		push	edx
		push	ecx
		call	ds:off_6B132C	; LpcReplyWaitReplyPort(x,x,x)

loc_6044F6:				; CODE XREF: HvlpQueryApicIdAndNumaNode+23j
		cmp	[esi], di
		jnz	short loc_604500
		xor	ecx, ecx
		mov	[esi], cx

loc_604500:				; CODE XREF: HvlpQueryApicIdAndNumaNode+32j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
HvlpQueryApicIdAndNumaNode endp


;  S U B	R O U T	I N E 


; __stdcall HvlpReleaseHypercallPage(x)
_HvlpReleaseHypercallPage@4 proc near	; CODE XREF: HvlQueryNumaDistance(x,x,x)+CAp
					; HvlQueryNumaDistance(x,x,x)+D3p ...
		mov	eax, [ecx]
		xor	edx, edx
		test	al, 1
		jz	short loc_60452B
		mov	edx, [ecx+8]
		mov	eax, [ecx+10h]
		mov	[edx+8], eax
		mov	eax, [ecx+14h]
		mov	ecx, [ecx+4]
		mov	[edx+0Ch], eax
		add	ecx, 3FC0h
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
; 

loc_60452B:				; CODE XREF: HvlpReleaseHypercallPage(x)+6j
		test	al, 2
		jz	short loc_60453D
		mov	cl, [ecx+4]
		cmp	cl, 2
		jnb	short locret_604579
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_60453D:				; CODE XREF: HvlpReleaseHypercallPage(x)+27j
		mov	eax, large fs:20h
		push	ebx
		mov	ebx, [ecx+8]
		test	bl, 1
		jz	short loc_604554
		mov	edx, [eax+3FC8h]
		jmp	short loc_604565
; 

loc_604554:				; CODE XREF: HvlpReleaseHypercallPage(x)+44j
		test	bl, 2
		jz	short loc_604565
		mov	edx, [eax+3FC8h]
		add	edx, 1000h

loc_604565:				; CODE XREF: HvlpReleaseHypercallPage(x)+4Cj
					; HvlpReleaseHypercallPage(x)+51j
		cmp	byte ptr [ecx+4], 0
		mov	eax, [ecx+10h]
		mov	[edx+8], eax
		mov	eax, [ecx+14h]
		mov	[edx+0Ch], eax
		pop	ebx
		jz	short locret_604579
		sti

locret_604579:				; CODE XREF: HvlpReleaseHypercallPage(x)+2Fj
					; HvlpReleaseHypercallPage(x)+70j
		retn
_HvlpReleaseHypercallPage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpSelectLpSet(x, x, x)
_HvlpSelectLpSet@12 proc near		; CODE XREF: HvlStartBootLogicalProcessors+8A6ECp

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		mov	ebx, ecx
		xor	ecx, ecx
		mov	esi, edx
		mov	[ebp+var_20], esi
		mov	[ebp+var_28], ecx
		stosd
		mov	[ebp+var_40], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_4C], ecx
		stosd
		mov	[ebp+var_3C], ecx
		stosd
		mov	eax, ds:_HvlpRootFlags
		test	al, 1
		jnz	short loc_6045DD
		mov	ds:_KeHypervisorNumprocSpecified, ecx
		mov	ds:_KeRootProcSpecified, ecx
		mov	ds:_KeRootProcNumaNodesSpecified, ecx
		mov	ds:_KeRootProcPerNodeSpecified,	ecx
		mov	ds:_KeRootProcPerCoreSpecified,	ecx
		mov	ds:_KeRootProcNumaNodeLpsSpecified, cl

loc_6045DD:				; CODE XREF: HvlpSelectLpSet(x,x,x)+3Dj
		test	eax, 800h
		jz	short loc_604606
		mov	ds:_KeRootProcSpecified, ecx
		mov	ds:_KeRootProcNumaNodesSpecified, ecx
		mov	ds:_KeRootProcPerNodeSpecified,	ecx
		mov	ds:_KeRootProcPerCoreSpecified,	1
		mov	ds:_KeRootProcNumaNodeLpsSpecified, cl

loc_604606:				; CODE XREF: HvlpSelectLpSet(x,x,x)+68j
		lea	eax, [ebp+var_18]
		push	eax
		call	_HviGetImplementationLimits@4 ;	HviGetImplementationLimits(x)
		mov	ecx, large fs:20h
		mov	eax, large fs:20h
		push	40h
		mov	eax, [eax+340h]
		imul	eax, [ecx+344h]
		pop	ecx
		mov	[ebp+var_30], ecx
		dec	eax
		not	eax
		mov	[ebp+var_2C], eax
		cmp	[ebp+var_18], ecx
		jnb	short loc_604640
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_30], ecx

loc_604640:				; CODE XREF: HvlpSelectLpSet(x,x,x)+BEj
		mov	eax, ds:_KeRootProcSpecified
		test	eax, eax
		jz	short loc_604659
		cmp	eax, ecx
		jnb	short loc_604659
		cmp	ds:_KeRootProcNumaNodesSpecified, 0
		jnz	short loc_604659
		mov	[ebp+var_30], eax

loc_604659:				; CODE XREF: HvlpSelectLpSet(x,x,x)+CDj
					; HvlpSelectLpSet(x,x,x)+D1j ...
		push	ds:_KeRegisteredProcessors
		call	ds:__imp__HalEnumerateProcessors@4 ; HalEnumerateProcessors(x)
		xor	edi, edi
		mov	[ebp+var_50], eax
		test	ebx, ebx
		jz	loc_604709
		add	esi, 0Ah

loc_604675:				; CODE XREF: HvlpSelectLpSet(x,x,x)+189j
		lea	eax, [ebp+var_28]
		mov	byte ptr [esi-0Ah], 1
		push	eax
		lea	edx, [esi-6]
		mov	ecx, edi
		call	HvlpQueryApicIdAndNumaNode
		mov	[ebp+var_3C], eax
		cmp	eax, 0C0000225h
		jnz	short loc_60469B
		xor	eax, eax
		mov	[ebp+var_3C], eax
		mov	[esi-0Ah], al
		jmp	short loc_6046FD
; 

loc_60469B:				; CODE XREF: HvlpSelectLpSet(x,x,x)+115j
		test	eax, eax
		js	loc_604947
		mov	ecx, ds:_HvlpQueryProximityId
		mov	eax, [ebp+var_28]
		mov	[esi-2], ax
		test	ecx, ecx
		jz	short loc_6046C6
		lea	edx, [ebp+var_40]
		push	edx
		lea	edx, [ebp+var_4C]
		push	edx
		push	eax
		call	ecx
		mov	ecx, eax
		mov	eax, [ebp+var_28]
		jmp	short loc_6046CB
; 

loc_6046C6:				; CODE XREF: HvlpSelectLpSet(x,x,x)+138j
		mov	ecx, 0C0000225h

loc_6046CB:				; CODE XREF: HvlpSelectLpSet(x,x,x)+14Aj
		test	ecx, ecx
		js	short loc_6046F6
		mov	ecx, ds:_HvlpQueryProximityNode
		test	ecx, ecx
		jz	short loc_6046E9
		lea	eax, [ebp+var_44]
		push	eax
		push	[ebp+var_40]
		call	ecx
		mov	ecx, eax
		mov	eax, [ebp+var_28]
		jmp	short loc_6046EE
; 

loc_6046E9:				; CODE XREF: HvlpSelectLpSet(x,x,x)+15Dj
		mov	ecx, 0C0000225h

loc_6046EE:				; CODE XREF: HvlpSelectLpSet(x,x,x)+16Dj
		test	ecx, ecx
		js	short loc_6046F6
		mov	ax, word ptr [ebp+var_44]

loc_6046F6:				; CODE XREF: HvlpSelectLpSet(x,x,x)+153j
					; HvlpSelectLpSet(x,x,x)+176j
		mov	[esi], ax
		mov	[esi+2], ax

loc_6046FD:				; CODE XREF: HvlpSelectLpSet(x,x,x)+11Fj
		inc	edi
		add	esi, 28h
		cmp	edi, ebx
		jb	loc_604675

loc_604709:				; CODE XREF: HvlpSelectLpSet(x,x,x)+F2j
		mov	edx, [ebp+var_20]
		xor	ecx, ecx
		inc	ecx
		mov	esi, ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_24], esi
		lea	eax, [edx+1]
		mov	[ebp+var_38], ecx
		mov	[ebp+var_48], eax
		mov	[eax], cl

loc_604722:				; CODE XREF: HvlpSelectLpSet(x,x,x)+3BCj
					; HvlpSelectLpSet(x,x,x)+3C5j
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx
		test	ebx, ebx
		jz	loc_604829
		mov	edi, edx

loc_604731:				; CODE XREF: HvlpSelectLpSet(x,x,x)+2A6j
		cmp	byte ptr [edi],	0
		jz	loc_604814
		cmp	byte ptr [edi+1], 0
		jnz	loc_604811
		movzx	edx, word ptr [edi+8]
		cmp	dx, ds:_KeNumberNodes
		jnb	loc_604811
		mov	eax, ds:_KeNodeBlock[edx*4]
		test	byte ptr [eax+0A5h], 2
		jz	loc_604811
		cmp	esi, 140h
		jz	loc_604811
		cmp	esi, [ebp+var_50]
		jz	loc_604811
		mov	eax, ds:_KeMaximumProcessors
		test	eax, eax
		jz	short loc_60478F
		cmp	esi, eax
		jz	loc_604811

loc_60478F:				; CODE XREF: HvlpSelectLpSet(x,x,x)+20Bj
		mov	eax, ds:_KeBootprocSpecified
		test	eax, eax
		jz	short loc_60479C
		cmp	esi, eax
		jz	short loc_604811

loc_60479C:				; CODE XREF: HvlpSelectLpSet(x,x,x)+21Cj
		mov	eax, ds:_KeNumprocSpecified
		test	eax, eax
		jz	short loc_6047A9
		cmp	ecx, eax
		jnb	short loc_604811

loc_6047A9:				; CODE XREF: HvlpSelectLpSet(x,x,x)+229j
		mov	eax, ds:_KeHypervisorNumprocSpecified
		test	eax, eax
		jz	short loc_6047B6
		cmp	esi, eax
		jz	short loc_604811

loc_6047B6:				; CODE XREF: HvlpSelectLpSet(x,x,x)+236j
		mov	eax, [ebp+var_38]
		cmp	eax, [ebp+var_30]
		jnz	short loc_6047DD
		mov	eax, [ebp+var_48]
		xor	ecx, ecx

loc_6047C3:				; CODE XREF: HvlpSelectLpSet(x,x,x)+25Aj
		cmp	[eax+7], dx
		jnz	short loc_6047CE
		cmp	byte ptr [eax],	0
		jnz	short loc_6047D6

loc_6047CE:				; CODE XREF: HvlpSelectLpSet(x,x,x)+24Dj
		inc	ecx
		add	eax, 28h
		cmp	ecx, ebx
		jb	short loc_6047C3

loc_6047D6:				; CODE XREF: HvlpSelectLpSet(x,x,x)+252j
		cmp	ecx, ebx
		mov	ecx, [ebp+var_1C]
		jz	short loc_604811

loc_6047DD:				; CODE XREF: HvlpSelectLpSet(x,x,x)+242j
		mov	eax, [ebp+var_34]
		cmp	eax, ds:_KeRegisteredProcessors
		jnz	short loc_604814
		mov	esi, [edi+4]
		and	esi, [ebp+var_2C]
		xor	edx, edx
		mov	ecx, [ebp+var_48]

loc_6047F3:				; CODE XREF: HvlpSelectLpSet(x,x,x)+28Ej
		mov	eax, [ecx+3]
		and	eax, [ebp+var_2C]
		cmp	esi, eax
		jnz	short loc_604802
		cmp	byte ptr [ecx],	0
		jnz	short loc_60480A

loc_604802:				; CODE XREF: HvlpSelectLpSet(x,x,x)+281j
		inc	edx
		add	ecx, 28h
		cmp	edx, ebx
		jb	short loc_6047F3

loc_60480A:				; CODE XREF: HvlpSelectLpSet(x,x,x)+286j
		mov	ecx, [ebp+var_1C]
		cmp	edx, ebx
		jnz	short loc_604814

loc_604811:				; CODE XREF: HvlpSelectLpSet(x,x,x)+1C4j
					; HvlpSelectLpSet(x,x,x)+1D5j ...
		mov	byte ptr [edi],	0

loc_604814:				; CODE XREF: HvlpSelectLpSet(x,x,x)+1BAj
					; HvlpSelectLpSet(x,x,x)+26Cj ...
		mov	esi, [ebp+var_24]
		inc	ecx
		add	edi, 28h
		mov	[ebp+var_1C], ecx
		cmp	ecx, ebx
		jb	loc_604731
		mov	edx, [ebp+var_20]

loc_604829:				; CODE XREF: HvlpSelectLpSet(x,x,x)+1AFj
		xor	eax, eax
		test	ebx, ebx
		jz	short loc_60483E
		mov	ecx, edx

loc_604831:				; CODE XREF: HvlpSelectLpSet(x,x,x)+2C2j
		cmp	byte ptr [ecx],	0
		jnz	short loc_60483E
		inc	eax
		add	ecx, 28h
		cmp	eax, ebx
		jb	short loc_604831

loc_60483E:				; CODE XREF: HvlpSelectLpSet(x,x,x)+2B3j
					; HvlpSelectLpSet(x,x,x)+2BAj
		cmp	eax, ebx
		jz	loc_604944
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_604866
		mov	edi, edx

loc_60484E:				; CODE XREF: HvlpSelectLpSet(x,x,x)+2EAj
		cmp	byte ptr [edi],	0
		jz	short loc_60485E
		push	esi
		mov	ecx, ebx
		call	_HvlpComputeLpComparisonMetrics@12 ; HvlpComputeLpComparisonMetrics(x,x,x)
		mov	edx, [ebp+var_20]

loc_60485E:				; CODE XREF: HvlpSelectLpSet(x,x,x)+2D7j
		inc	esi
		add	edi, 28h
		cmp	esi, ebx
		jb	short loc_60484E

loc_604866:				; CODE XREF: HvlpSelectLpSet(x,x,x)+2D0j
		or	[ebp+var_1C], 0FFFFFFFFh
		xor	eax, eax
		test	ebx, ebx
		jz	short loc_60487F
		mov	ecx, edx

loc_604872:				; CODE XREF: HvlpSelectLpSet(x,x,x)+303j
		cmp	byte ptr [ecx],	0
		jnz	short loc_6048A9
		inc	eax
		add	ecx, 28h
		cmp	eax, ebx
		jb	short loc_604872

loc_60487F:				; CODE XREF: HvlpSelectLpSet(x,x,x)+2F4j
		mov	eax, [ebp+var_1C]

loc_604882:				; CODE XREF: HvlpSelectLpSet(x,x,x)+332j
		lea	esi, [eax+1]
		cmp	esi, ebx
		jnb	short loc_6048B9
		imul	edi, esi, 28h
		add	edi, edx

loc_60488E:				; CODE XREF: HvlpSelectLpSet(x,x,x)+33Dj
		cmp	byte ptr [edi],	0
		jz	short loc_6048B1
		push	eax
		push	esi
		call	_HvlpLpComparison@16 ; HvlpLpComparison(x,x,x,x)
		mov	edx, [ebp+var_20]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_6048AE
		mov	eax, esi
		mov	[ebp+var_1C], eax
		jmp	short loc_6048B1
; 

loc_6048A9:				; CODE XREF: HvlpSelectLpSet(x,x,x)+2FBj
		mov	[ebp+var_1C], eax
		jmp	short loc_604882
; 

loc_6048AE:				; CODE XREF: HvlpSelectLpSet(x,x,x)+326j
		mov	eax, [ebp+var_1C]

loc_6048B1:				; CODE XREF: HvlpSelectLpSet(x,x,x)+317j
					; HvlpSelectLpSet(x,x,x)+32Dj
		inc	esi
		add	edi, 28h
		cmp	esi, ebx
		jb	short loc_60488E

loc_6048B9:				; CODE XREF: HvlpSelectLpSet(x,x,x)+30Dj
		imul	edi, eax, 28h
		xor	ecx, ecx
		add	edi, edx
		inc	[ebp+var_24]
		mov	[ebp+var_54], edi
		mov	esi, [edi+4]
		and	esi, [ebp+var_2C]
		mov	byte ptr [edi+1], 1
		test	ebx, ebx
		jz	short loc_604900
		mov	edi, [ebp+var_2C]
		add	edx, 4

loc_6048DA:				; CODE XREF: HvlpSelectLpSet(x,x,x)+37Bj
		cmp	ecx, eax
		jz	short loc_6048EF
		cmp	byte ptr [edx-3], 0
		jz	short loc_6048EF
		mov	eax, edi
		and	eax, [edx]
		cmp	eax, esi
		jz	short loc_6048F7
		mov	eax, [ebp+var_1C]

loc_6048EF:				; CODE XREF: HvlpSelectLpSet(x,x,x)+362j
					; HvlpSelectLpSet(x,x,x)+368j
		inc	ecx
		add	edx, 28h
		cmp	ecx, ebx
		jb	short loc_6048DA

loc_6048F7:				; CODE XREF: HvlpSelectLpSet(x,x,x)+370j
		mov	eax, [ebp+var_1C]
		mov	edi, [ebp+var_54]
		mov	edx, [ebp+var_20]

loc_604900:				; CODE XREF: HvlpSelectLpSet(x,x,x)+358j
		cmp	ecx, ebx
		jnz	short loc_604907
		inc	[ebp+var_34]

loc_604907:				; CODE XREF: HvlpSelectLpSet(x,x,x)+388j
		xor	ecx, ecx
		test	ebx, ebx
		jz	short loc_60492E
		add	edx, 8

loc_604910:				; CODE XREF: HvlpSelectLpSet(x,x,x)+3B2j
		cmp	ecx, eax
		jz	short loc_604926
		cmp	byte ptr [edx-7], 0
		jz	short loc_604926
		mov	ax, [edx]
		cmp	ax, [edi+8]
		jz	short loc_60492E
		mov	eax, [ebp+var_1C]

loc_604926:				; CODE XREF: HvlpSelectLpSet(x,x,x)+398j
					; HvlpSelectLpSet(x,x,x)+39Ej
		inc	ecx
		add	edx, 28h
		cmp	ecx, ebx
		jb	short loc_604910

loc_60492E:				; CODE XREF: HvlpSelectLpSet(x,x,x)+391j
					; HvlpSelectLpSet(x,x,x)+3A7j
		mov	edx, [ebp+var_20]
		mov	esi, [ebp+var_24]
		cmp	ecx, ebx
		jnz	loc_604722
		inc	[ebp+var_38]
		jmp	loc_604722
; 

loc_604944:				; CODE XREF: HvlpSelectLpSet(x,x,x)+2C6j
		mov	eax, [ebp+var_3C]

loc_604947:				; CODE XREF: HvlpSelectLpSet(x,x,x)+123j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_HvlpSelectLpSet@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpSelectVpSet(x, x, x)
_HvlpSelectVpSet@12 proc near		; CODE XREF: HvlStartBootLogicalProcessors+8A73Cp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		mov	ebx, edx
		mov	[ebp+var_44], ebx
		mov	esi, ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_31], al
		mov	ds:_HvlpMinrootConfigurationError, al
		mov	[ebp+var_32], al
		lea	eax, [ebp+var_28]
		push	eax
		call	_HviGetImplementationLimits@4 ;	HviGetImplementationLimits(x)
		mov	edi, 800h
		test	esi, esi
		jz	short loc_6049C8
		lea	ecx, [ebx+8]
		mov	edx, esi

loc_6049A1:				; CODE XREF: HvlpSelectVpSet(x,x,x)+6Ej
		mov	ax, [ecx]
		mov	word ptr [ecx-8], 1
		mov	[ecx+4], ax
		test	ds:_HvlpRootFlags, edi
		jz	short loc_6049BA
		xor	al, al
		jmp	short loc_6049BD
; 

loc_6049BA:				; CODE XREF: HvlpSelectVpSet(x,x,x)+5Cj
		mov	al, [ecx-6]

loc_6049BD:				; CODE XREF: HvlpSelectVpSet(x,x,x)+60j
		mov	[ecx-5], al
		add	ecx, 28h
		sub	edx, 1
		jnz	short loc_6049A1

loc_6049C8:				; CODE XREF: HvlpSelectVpSet(x,x,x)+42j
		test	ds:_HvlpFlags, 800000h
		jz	loc_604BFD
		test	ds:_HvlpRootFlags, edi
		jnz	loc_604BFD
		xor	ecx, ecx
		test	esi, esi
		jz	loc_604BFD
		lea	eax, [ebx+1Ch]

loc_6049F1:				; CODE XREF: HvlpSelectVpSet(x,x,x)+AAj
		cmp	byte ptr [eax-1Ah], 0
		jz	short loc_6049FC
		cmp	dword ptr [eax], 0
		ja	short loc_604A09

loc_6049FC:				; CODE XREF: HvlpSelectVpSet(x,x,x)+9Dj
		inc	ecx
		add	eax, 28h
		cmp	ecx, esi
		jb	short loc_6049F1
		jmp	loc_604BFD
; 

loc_604A09:				; CODE XREF: HvlpSelectVpSet(x,x,x)+A2j
		mov	eax, ds:_KeRootProcPerNodeSpecified
		mov	[ebp+var_31], 1
		test	al, 1
		jz	short loc_604A24
		xor	eax, eax
		mov	ds:_HvlpMinrootConfigurationError, 1
		mov	ds:_KeRootProcPerNodeSpecified,	eax

loc_604A24:				; CODE XREF: HvlpSelectVpSet(x,x,x)+BCj
		mov	eax, ds:_KeRootProcPerCoreSpecified
		test	al, 1
		jz	short loc_604A3B
		xor	eax, eax
		mov	ds:_HvlpMinrootConfigurationError, 1
		mov	ds:_KeRootProcPerCoreSpecified,	eax

loc_604A3B:				; CODE XREF: HvlpSelectVpSet(x,x,x)+D3j
		mov	eax, ds:_KeRootProcSpecified
		test	al, 1
		jz	short loc_604A52
		xor	eax, eax
		mov	ds:_HvlpMinrootConfigurationError, 1
		mov	ds:_KeRootProcSpecified, eax

loc_604A52:				; CODE XREF: HvlpSelectVpSet(x,x,x)+EAj
		mov	ecx, ds:_KeRootProcNumaNodesSpecified
		test	ecx, ecx
		jz	short loc_604A88
		xor	eax, eax
		test	ecx, ecx
		jz	short loc_604A75
		movzx	edx, word ptr [ebx+8]

loc_604A66:				; CODE XREF: HvlpSelectVpSet(x,x,x)+11Bj
		cmp	ds:_KeRootProcNumaNodes[eax*2],	dx
		jz	short loc_604A75
		inc	eax
		cmp	eax, ecx
		jb	short loc_604A66

loc_604A75:				; CODE XREF: HvlpSelectVpSet(x,x,x)+108j
					; HvlpSelectVpSet(x,x,x)+116j
		cmp	eax, ecx
		jnz	short loc_604A88
		xor	ecx, ecx
		mov	ds:_HvlpMinrootConfigurationError, 1
		mov	ds:_KeRootProcNumaNodesSpecified, ecx

loc_604A88:				; CODE XREF: HvlpSelectVpSet(x,x,x)+102j
					; HvlpSelectVpSet(x,x,x)+11Fj
		cmp	ds:_KeRootProcSpecified, 0
		jz	loc_604B43
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_30], eax
		test	ecx, ecx
		jnz	short loc_604AAE
		movzx	ecx, ds:_KeNumberNodes

loc_604AAE:				; CODE XREF: HvlpSelectVpSet(x,x,x)+14Dj
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_604B12

loc_604AB4:				; CODE XREF: HvlpSelectVpSet(x,x,x)+1B4j
		cmp	ds:_KeRootProcNumaNodesSpecified, 0
		jz	short loc_604AD8
		movzx	edi, ds:_KeRootProcNumaNodes[edx*2]
		cmp	edi, 10h
		jnb	short loc_604B09
		cmp	byte ptr [ebp+edi+var_18], 0
		jnz	short loc_604B09
		mov	byte ptr [ebp+edi+var_18], 1
		jmp	short loc_604ADA
; 

loc_604AD8:				; CODE XREF: HvlpSelectVpSet(x,x,x)+163j
		mov	edi, edx

loc_604ADA:				; CODE XREF: HvlpSelectVpSet(x,x,x)+17Ej
		and	[ebp+var_38], 0
		lea	eax, [ebx+8]
		mov	[ebp+var_2C], eax

loc_604AE4:				; CODE XREF: HvlpSelectVpSet(x,x,x)+1ACj
		cmp	byte ptr [eax-6], 0
		jz	short loc_604AF8
		movzx	eax, word ptr [eax]
		cmp	eax, edi
		jz	loc_604BE3
		mov	eax, [ebp+var_2C]

loc_604AF8:				; CODE XREF: HvlpSelectVpSet(x,x,x)+190j
		inc	[ebp+var_38]
		add	eax, 28h
		mov	[ebp+var_2C], eax
		cmp	[ebp+var_38], esi
		jb	short loc_604AE4
		mov	eax, [ebp+var_30]

loc_604B09:				; CODE XREF: HvlpSelectVpSet(x,x,x)+170j
					; HvlpSelectVpSet(x,x,x)+177j ...
		inc	edx
		cmp	edx, ecx
		jb	short loc_604AB4
		test	eax, eax
		jnz	short loc_604B2D

loc_604B12:				; CODE XREF: HvlpSelectVpSet(x,x,x)+15Aj
		cmp	ds:_KeRootProcNumaNodesSpecified, 0
		jz	short loc_604B43
		and	ds:_KeRootProcNumaNodesSpecified, 0
		mov	ds:_HvlpMinrootConfigurationError, 1
		test	eax, eax
		jz	short loc_604B43

loc_604B2D:				; CODE XREF: HvlpSelectVpSet(x,x,x)+1B8j
		cmp	ds:_KeRootProcSpecified, eax
		ja	short loc_604B43
		and	ds:_KeRootProcSpecified, 0
		mov	ds:_HvlpMinrootConfigurationError, 1

loc_604B43:				; CODE XREF: HvlpSelectVpSet(x,x,x)+137j
					; HvlpSelectVpSet(x,x,x)+1C1j ...
		mov	cl, ds:_KeRootProcNumaNodeLpsSpecified
		test	cl, cl
		jz	loc_604BFD
		movzx	eax, word ptr [ebx+8]
		mov	edx, ds:_KeRootProcNumaNodeLps[eax*8]
		mov	eax, ds:dword_70E3C4[eax*8]
		mov	[ebp+var_40], eax
		mov	eax, edx
		and	eax, 1
		mov	[ebp+var_3C], edx
		or	eax, 0
		jnz	short loc_604B82
		xor	cl, cl
		mov	ds:_HvlpMinrootConfigurationError, 1
		mov	ds:_KeRootProcNumaNodeLpsSpecified, cl

loc_604B82:				; CODE XREF: HvlpSelectVpSet(x,x,x)+219j
		test	cl, cl
		jz	short loc_604BFD
		mov	eax, large fs:20h
		xor	edx, edx
		inc	edx
		mov	[ebp+var_2C], edx
		mov	edi, [eax+344h]
		mov	eax, [ebx+4]
		dec	edi
		not	edi
		and	eax, edi
		mov	[ebp+var_30], eax
		cmp	esi, edx
		jbe	short loc_604BFD
		lea	ecx, [ebx+4Ch]
		mov	[ebp+var_38], ecx

loc_604BAD:				; CODE XREF: HvlpSelectVpSet(x,x,x)+287j
		mov	eax, [ecx-20h]
		and	eax, edi
		cmp	eax, [ebp+var_30]
		jnz	short loc_604BD3
		mov	ecx, [ecx]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		call	__allshl
		and	eax, [ebp+var_3C]
		and	edx, [ebp+var_40]
		or	eax, edx
		jz	short loc_604BEF
		mov	ecx, [ebp+var_38]
		mov	edx, [ebp+var_2C]

loc_604BD3:				; CODE XREF: HvlpSelectVpSet(x,x,x)+25Dj
		inc	edx
		add	ecx, 28h
		mov	[ebp+var_2C], edx
		mov	[ebp+var_38], ecx
		cmp	edx, esi
		jb	short loc_604BAD
		jmp	short loc_604BFD
; 

loc_604BE3:				; CODE XREF: HvlpSelectVpSet(x,x,x)+197j
		mov	eax, [ebp+var_30]
		inc	eax
		mov	[ebp+var_30], eax
		jmp	loc_604B09
; 

loc_604BEF:				; CODE XREF: HvlpSelectVpSet(x,x,x)+273j
		mov	ds:_KeRootProcNumaNodeLpsSpecified, 0
		mov	ds:_HvlpMinrootConfigurationError, 1

loc_604BFD:				; CODE XREF: HvlpSelectVpSet(x,x,x)+7Aj
					; HvlpSelectVpSet(x,x,x)+86j ...
		lea	eax, [ebx+1]
		mov	byte ptr [ebx+3], 1
		xor	ecx, ecx
		mov	[ebp+var_48], eax
		mov	byte ptr [eax],	1
		inc	ecx

loc_604C0D:				; CODE XREF: HvlpSelectVpSet(x,x,x)+4B0j
		mov	[ebp+var_38], ecx
		test	esi, esi
		jz	loc_604D56
		mov	edi, ebx
		mov	[ebp+var_30], esi
		mov	eax, esi

loc_604C1F:				; CODE XREF: HvlpSelectVpSet(x,x,x)+3F8j
		cmp	byte ptr [edi],	0
		jz	loc_604D44
		cmp	byte ptr [edi+1], 0
		jnz	loc_604D3C
		cmp	byte ptr [edi+2], 0
		jz	loc_604D3C
		cmp	ecx, [ebp+var_28]
		jz	loc_604D3C
		cmp	ds:_KeRootProcPerNodeSpecified,	0
		jz	short loc_604C82
		xor	edx, edx
		mov	[ebp+var_2C], esi
		lea	ecx, [ebx+8]
		mov	eax, esi

loc_604C58:				; CODE XREF: HvlpSelectVpSet(x,x,x)+31Cj
		cmp	byte ptr [ecx-7], 0
		jz	short loc_604C6B
		mov	ax, [ecx]
		cmp	ax, [edi+8]
		mov	eax, [ebp+var_2C]
		jnz	short loc_604C6B
		inc	edx

loc_604C6B:				; CODE XREF: HvlpSelectVpSet(x,x,x)+304j
					; HvlpSelectVpSet(x,x,x)+310j
		add	ecx, 28h
		sub	eax, 1
		mov	[ebp+var_2C], eax
		jnz	short loc_604C58
		cmp	edx, ds:_KeRootProcPerNodeSpecified
		jz	loc_604D39

loc_604C82:				; CODE XREF: HvlpSelectVpSet(x,x,x)+2F4j
		cmp	ds:_KeRootProcPerCoreSpecified,	0
		jz	short loc_604CDA
		mov	eax, large fs:20h
		lea	ecx, [ebx+4]
		and	[ebp+var_40], 0
		mov	ebx, [ebp+var_40]
		mov	edx, [eax+344h]
		mov	eax, [edi+4]
		dec	edx
		not	edx
		and	eax, edx
		mov	[ebp+var_3C], eax
		mov	eax, esi
		mov	[ebp+var_2C], eax

loc_604CB1:				; CODE XREF: HvlpSelectVpSet(x,x,x)+375j
		cmp	byte ptr [ecx-3], 0
		jz	short loc_604CC4
		mov	eax, edx
		and	eax, [ecx]
		cmp	eax, [ebp+var_3C]
		mov	eax, [ebp+var_2C]
		jnz	short loc_604CC4
		inc	ebx

loc_604CC4:				; CODE XREF: HvlpSelectVpSet(x,x,x)+35Dj
					; HvlpSelectVpSet(x,x,x)+369j
		add	ecx, 28h
		sub	eax, 1
		mov	[ebp+var_2C], eax
		jnz	short loc_604CB1
		cmp	ebx, ds:_KeRootProcPerCoreSpecified
		mov	ebx, [ebp+var_44]
		jz	short loc_604D39

loc_604CDA:				; CODE XREF: HvlpSelectVpSet(x,x,x)+331j
		mov	ecx, ds:_KeRootProcNumaNodesSpecified
		test	ecx, ecx
		jz	short loc_604CFF
		xor	eax, eax
		test	ecx, ecx
		jz	short loc_604D39
		movzx	edx, word ptr [edi+0Ch]

loc_604CEE:				; CODE XREF: HvlpSelectVpSet(x,x,x)+3A3j
		cmp	ds:_KeRootProcNumaNodes[eax*2],	dx
		jz	short loc_604CFF
		inc	eax
		cmp	eax, ecx
		jb	short loc_604CEE
		jmp	short loc_604D39
; 

loc_604CFF:				; CODE XREF: HvlpSelectVpSet(x,x,x)+38Aj
					; HvlpSelectVpSet(x,x,x)+39Ej
		mov	eax, ds:_KeRootProcSpecified
		test	eax, eax
		jz	short loc_604D0D
		cmp	[ebp+var_38], eax
		jz	short loc_604D39

loc_604D0D:				; CODE XREF: HvlpSelectVpSet(x,x,x)+3AEj
		cmp	ds:_KeRootProcNumaNodeLpsSpecified, 0
		jz	short loc_604D41
		mov	ecx, [edi+24h]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		call	__allshl
		movzx	ecx, word ptr [edi+8]
		and	eax, ds:_KeRootProcNumaNodeLps[ecx*8]
		and	edx, ds:dword_70E3C4[ecx*8]
		or	eax, edx
		jnz	short loc_604D41

loc_604D39:				; CODE XREF: HvlpSelectVpSet(x,x,x)+324j
					; HvlpSelectVpSet(x,x,x)+380j ...
		mov	eax, [ebp+var_30]

loc_604D3C:				; CODE XREF: HvlpSelectVpSet(x,x,x)+2D4j
					; HvlpSelectVpSet(x,x,x)+2DEj ...
		mov	byte ptr [edi],	0
		jmp	short loc_604D44
; 

loc_604D41:				; CODE XREF: HvlpSelectVpSet(x,x,x)+3BCj
					; HvlpSelectVpSet(x,x,x)+3DFj
		mov	eax, [ebp+var_30]

loc_604D44:				; CODE XREF: HvlpSelectVpSet(x,x,x)+2CAj
					; HvlpSelectVpSet(x,x,x)+3E7j
		mov	ecx, [ebp+var_38]
		add	edi, 28h
		sub	eax, 1
		mov	[ebp+var_30], eax
		jnz	loc_604C1F

loc_604D56:				; CODE XREF: HvlpSelectVpSet(x,x,x)+2BAj
		xor	eax, eax
		test	esi, esi
		jz	short loc_604D6B
		mov	ecx, ebx

loc_604D5E:				; CODE XREF: HvlpSelectVpSet(x,x,x)+411j
		cmp	byte ptr [ecx],	0
		jnz	short loc_604D6B
		inc	eax
		add	ecx, 28h
		cmp	eax, esi
		jb	short loc_604D5E

loc_604D6B:				; CODE XREF: HvlpSelectVpSet(x,x,x)+402j
					; HvlpSelectVpSet(x,x,x)+409j
		cmp	eax, esi
		jz	loc_604E0D
		xor	edi, edi
		test	esi, esi
		jz	short loc_604D9B
		mov	eax, ebx
		mov	[ebp+var_2C], ebx

loc_604D7E:				; CODE XREF: HvlpSelectVpSet(x,x,x)+441j
		cmp	byte ptr [eax],	0
		jz	short loc_604D90
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	_HvlpComputeLpComparisonMetrics@12 ; HvlpComputeLpComparisonMetrics(x,x,x)
		mov	eax, [ebp+var_2C]

loc_604D90:				; CODE XREF: HvlpSelectVpSet(x,x,x)+429j
		inc	edi
		add	eax, 28h
		mov	[ebp+var_2C], eax
		cmp	edi, esi
		jb	short loc_604D7E

loc_604D9B:				; CODE XREF: HvlpSelectVpSet(x,x,x)+41Fj
		or	ecx, 0FFFFFFFFh
		xor	eax, eax
		mov	[ebp+var_2C], ecx
		test	esi, esi
		jz	short loc_604DBD
		mov	edx, ebx

loc_604DA9:				; CODE XREF: HvlpSelectVpSet(x,x,x)+45Cj
		cmp	byte ptr [edx],	0
		jnz	short loc_604DB8
		inc	eax
		add	edx, 28h
		cmp	eax, esi
		jb	short loc_604DA9
		jmp	short loc_604DBD
; 

loc_604DB8:				; CODE XREF: HvlpSelectVpSet(x,x,x)+454j
		mov	ecx, eax
		mov	[ebp+var_2C], eax

loc_604DBD:				; CODE XREF: HvlpSelectVpSet(x,x,x)+44Dj
					; HvlpSelectVpSet(x,x,x)+45Ej
		lea	edi, [ecx+1]
		cmp	edi, esi
		jnb	short loc_604DF7
		imul	eax, edi, 28h
		add	eax, ebx
		mov	[ebp+var_30], eax

loc_604DCC:				; CODE XREF: HvlpSelectVpSet(x,x,x)+49Dj
		cmp	byte ptr [eax],	0
		jz	short loc_604DEC
		push	ecx
		push	edi
		mov	edx, ebx
		call	_HvlpLpComparison@16 ; HvlpLpComparison(x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		mov	eax, [ebp+var_30]
		jnz	short loc_604DE9
		mov	ecx, edi
		mov	[ebp+var_2C], ecx
		jmp	short loc_604DEC
; 

loc_604DE9:				; CODE XREF: HvlpSelectVpSet(x,x,x)+488j
		mov	ecx, [ebp+var_2C]

loc_604DEC:				; CODE XREF: HvlpSelectVpSet(x,x,x)+477j
					; HvlpSelectVpSet(x,x,x)+48Fj
		inc	edi
		add	eax, 28h
		mov	[ebp+var_30], eax
		cmp	edi, esi
		jb	short loc_604DCC

loc_604DF7:				; CODE XREF: HvlpSelectVpSet(x,x,x)+46Aj
		imul	eax, ecx, 28h
		mov	ecx, [ebp+var_38]
		inc	ecx
		mov	byte ptr [eax+ebx+1], 1
		mov	byte ptr [eax+ebx+3], 1
		jmp	loc_604C0D
; 

loc_604E0D:				; CODE XREF: HvlpSelectVpSet(x,x,x)+415j
		cmp	[ebp+var_31], 0
		jz	short loc_604E66
		xor	eax, eax
		mov	[ebp+var_2C], eax
		test	esi, esi
		jz	short loc_604E66
		lea	edi, [ebx+1]

loc_604E1F:				; CODE XREF: HvlpSelectVpSet(x,x,x)+50Cj
		cmp	byte ptr [edi],	0
		jz	short loc_604E5B
		push	eax
		mov	edx, ebx
		mov	ecx, esi
		call	_HvlpComputeLpComparisonMetrics@12 ; HvlpComputeLpComparisonMetrics(x,x,x)
		cmp	dword ptr [edi+1Bh], 0
		jnz	short loc_604E58
		mov	byte ptr [edi],	0
		test	ds:_HvlpRootFlags, 800h
		jz	short loc_604E47
		xor	al, al
		jmp	short loc_604E4A
; 

loc_604E47:				; CODE XREF: HvlpSelectVpSet(x,x,x)+4E9j
		mov	al, [edi+1]

loc_604E4A:				; CODE XREF: HvlpSelectVpSet(x,x,x)+4EDj
		mov	[edi+2], al
		mov	ds:_HvlpMinrootConfigurationError, 1
		mov	[ebp+var_32], 1

loc_604E58:				; CODE XREF: HvlpSelectVpSet(x,x,x)+4DAj
		mov	eax, [ebp+var_2C]

loc_604E5B:				; CODE XREF: HvlpSelectVpSet(x,x,x)+4CAj
		inc	eax
		add	edi, 28h
		mov	[ebp+var_2C], eax
		cmp	eax, esi
		jb	short loc_604E1F

loc_604E66:				; CODE XREF: HvlpSelectVpSet(x,x,x)+4B9j
					; HvlpSelectVpSet(x,x,x)+4C2j
		cmp	ds:_KeRootProcNumaNodesSpecified, 0
		jnz	short loc_604EB4
		cmp	ds:_KeRootProcNumaNodeLpsSpecified, 0
		jnz	short loc_604EB4
		cmp	[ebp+var_32], 0
		jnz	short loc_604EB4
		xor	edx, edx
		test	esi, esi
		jz	short loc_604EB4
		add	ebx, 8

loc_604E87:				; CODE XREF: HvlpSelectVpSet(x,x,x)+55Aj
		cmp	byte ptr [ebx-6], 0
		jz	short loc_604EAC
		movzx	edi, word ptr [ebx]
		xor	ecx, ecx
		mov	eax, [ebp+var_48]

loc_604E95:				; CODE XREF: HvlpSelectVpSet(x,x,x)+54Ej
		cmp	[eax+7], di
		jnz	short loc_604EA0
		cmp	byte ptr [eax],	0
		jnz	short loc_604EA8

loc_604EA0:				; CODE XREF: HvlpSelectVpSet(x,x,x)+541j
		inc	ecx
		add	eax, 28h
		cmp	ecx, esi
		jb	short loc_604E95

loc_604EA8:				; CODE XREF: HvlpSelectVpSet(x,x,x)+546j
		cmp	ecx, esi
		jz	short loc_604EC7

loc_604EAC:				; CODE XREF: HvlpSelectVpSet(x,x,x)+533j
		inc	edx
		add	ebx, 28h
		cmp	edx, esi
		jb	short loc_604E87

loc_604EB4:				; CODE XREF: HvlpSelectVpSet(x,x,x)+515j
					; HvlpSelectVpSet(x,x,x)+51Ej ...
		xor	eax, eax

loc_604EB6:				; CODE XREF: HvlpSelectVpSet(x,x,x)+574j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_604EC7:				; CODE XREF: HvlpSelectVpSet(x,x,x)+552j
		mov	eax, 0C0000001h
		jmp	short loc_604EB6
_HvlpSelectVpSet@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpSetLogicalProcessorProperty(x, x, x)
_HvlpSetLogicalProcessorProperty@12 proc near
					; CODE XREF: HvlStartBootLogicalProcessors+8A7FDp
					; HvlConfigurePcc(x,x)+3Fp ...

var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [ebp+var_1C]
		pop	ecx
		xor	eax, eax
		mov	ebx, edx
		rep stosd
		push	0CC0h
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		push	eax
		inc	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	ecx, 32Eh
		mov	[eax], esi
		lea	edi, [eax+8]
		mov	esi, [ebp+arg_0]
		mov	[eax+4], ebx
		xor	eax, eax
		push	eax
		push	eax
		push	[ebp+var_8]
		rep movsd
		push	[ebp+var_C]
		push	eax
		push	79h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		movzx	esi, ax
		lea	ecx, [ebp+var_1C]
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000001h
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_HvlpSetLogicalProcessorProperty@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpSetupBootProcessorEarlyHypercallPages(x)
_HvlpSetupBootProcessorEarlyHypercallPages@4 proc near
					; CODE XREF: HvlPhase0Initialize+9F547p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		mov	esi, large fs:20h
		push	4
		push	eax
		push	6
		push	ecx
		call	ds:dword_6B12D4
		test	eax, eax
		jnz	short loc_604F6B
		mov	eax, 0C000009Ah
		jmp	short loc_604F9C
; 

loc_604F6B:				; CODE XREF: HvlpSetupBootProcessorEarlyHypercallPages(x)+28j
		mov	[esi+3FC8h], eax
		lea	ecx, [eax+8]
		mov	eax, [ebp+var_8]
		mov	esi, 1000h
		push	2
		pop	edx

loc_604F7F:				; CODE XREF: HvlpSetupBootProcessorEarlyHypercallPages(x)+5Ej
		mov	[ecx], eax
		mov	eax, [ebp+var_4]
		mov	[ecx+4], eax
		add	ecx, esi
		mov	eax, [ebp+var_8]
		add	eax, esi
		mov	[ebp+var_8], eax
		adc	[ebp+var_4], 0
		sub	edx, 1
		jnz	short loc_604F7F
		xor	eax, eax

loc_604F9C:				; CODE XREF: HvlpSetupBootProcessorEarlyHypercallPages(x)+2Fj
		pop	esi
		leave
		retn
_HvlpSetupBootProcessorEarlyHypercallPages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpSetupCachedHypercallPages(x)
_HvlpSetupCachedHypercallPages@4 proc near ; CODE XREF:	HvlPhase1Initialize+86BE8p
					; HvlInitializeProcessor+A0426p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+3FC8h]
		lea	eax, [ecx+3FC0h]
		and	dword ptr [eax], 0
		add	edi, 2000h
		and	dword ptr [eax+4], 0
		mov	ebx, edi
		push	3
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], eax
		pop	edi

loc_604FCD:				; CODE XREF: HvlpSetupCachedHypercallPages(x)+4Dj
		push	ebx
		lea	esi, [ebx+1000h]
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	[ebx], esi
		mov	ebx, esi
		mov	[esi-0FF8h], eax
		mov	[esi-0FF4h], edx
		sub	edi, 1
		jnz	short loc_604FCD
		mov	edi, [ebp+var_4]
		lea	esi, [edi+3000h]
		push	esi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	ecx, [ebp+var_8]
		and	dword ptr [esi], 0
		push	4
		mov	[edi+300Ch], edx
		mov	edx, edi
		push	esi
		mov	[edi+3008h], eax
		call	@InterlockedPushListSList@16 ; InterlockedPushListSList(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_HvlpSetupCachedHypercallPages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpSetupSchedulerAssist(x)
_HvlpSetupSchedulerAssist@4 proc near	; CODE XREF: HvlEnlightenProcessor+81954p

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		mov	edx, ecx
		xor	eax, eax
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+20h+var_18]
		rep stosd
		mov	edi, [edx+4DCh]
		test	edi, edi
		jz	short loc_605095
		push	10h
		xor	edx, edx
		mov	dword ptr [edi], 808h
		push	eax
		inc	edx
		mov	[edi+4], eax
		lea	ecx, [esp+28h+var_18]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	esi, eax
		push	edi
		mov	dword ptr [esi], 4
		mov	dword ptr [esi+4], 1
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	[esi+8], eax
		xor	eax, eax
		push	eax
		push	eax
		push	[esp+28h+var_4]
		mov	[esi+0Ch], edx
		push	[esp+2Ch+var_8]
		push	eax
		push	8005h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		lea	ecx, [esp+20h+var_18]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)

loc_605095:				; CODE XREF: HvlpSetupSchedulerAssist(x)+22j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_HvlpSetupSchedulerAssist@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	HvlpStartLogicalProcessor(int,void *)
HvlpStartLogicalProcessor proc near	; CODE XREF: HvlpEnableNextLogicalProcessor+42p

var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		push	6
		mov	[ebp+var_8], ecx
		lea	edi, [ebp+var_48]
		pop	ecx
		xor	eax, eax
		mov	ebx, edx
		rep stosd
		push	6
		pop	ecx
		push	38h		; size_t
		push	eax		; int
		push	[ebp+arg_4]	; void *
		lea	edi, [ebp+var_30]
		mov	[ebp+var_4], ebx
		rep stosd
		call	_memset
		movzx	eax, word ptr [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, ds:_KeNodeBlock[eax*4]
		movzx	edi, word ptr [eax+8Ch]
		mov	[ebp+var_C], edi
		jmp	short loc_6050E8
; 

loc_6050E5:				; CODE XREF: HvlpStartLogicalProcessor+F2j
		mov	ebx, [ebp+var_4]

loc_6050E8:				; CODE XREF: HvlpStartLogicalProcessor+48j
		push	0
		mov	ecx, edi
		call	_HvlpDepositPages@12 ; HvlpDepositPages(x,x,x)
		test	eax, eax
		jnz	loc_60519F
		push	18h
		xor	edx, edx
		lea	ecx, [ebp+var_48]
		push	eax
		inc	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	38h
		push	0
		push	2
		pop	edx
		lea	ecx, [ebp+var_30]
		mov	esi, eax
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	[ebp+var_1C]
		and	dword ptr [esi+10h], 0
		push	[ebp+var_20]
		and	dword ptr [esi+14h], 0
		push	[ebp+var_34]
		movzx	ecx, di
		push	[ebp+var_38]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_8]
		mov	ecx, ds:_KeNodeBlock[ecx*4]
		push	0
		mov	[esi], eax
		mov	[esi+4], ebx
		mov	ecx, [ecx+98h]
		push	76h
		mov	[esi+8], ecx
		mov	dword ptr [esi+0Ch], 80000001h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		mov	ebx, eax
		push	0Bh
		pop	eax
		cmp	bx, ax
		jz	short loc_605177
		mov	eax, [ebp+arg_4]
		mov	edi, eax
		mov	esi, [ebp+arg_0]
		push	0Eh
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_C]
		mov	[eax], bx

loc_605177:				; CODE XREF: HvlpStartLogicalProcessor+C7j
		lea	ecx, [ebp+var_30]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		lea	ecx, [ebp+var_48]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		push	0Bh
		pop	eax
		cmp	bx, ax
		jz	loc_6050E5
		movzx	eax, bx
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000001h

loc_60519F:				; CODE XREF: HvlpStartLogicalProcessor+58j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
HvlpStartLogicalProcessor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpStartVirtualProcessor(x, x)
_HvlpStartVirtualProcessor@8 proc near	; CODE XREF: HvlHalStartVirtualProcessor(x,x)+Bp

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [ebp+var_18]
		pop	ecx
		xor	eax, eax
		mov	ebx, edx
		rep stosd
		push	0F0h
		xor	edx, edx
		lea	ecx, [ebp+var_18]
		push	eax
		inc	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	38h
		pop	ecx
		xor	edx, edx
		or	dword ptr [eax], 0FFFFFFFFh
		lea	edi, [eax+10h]
		or	dword ptr [eax+4], 0FFFFFFFFh
		push	edx
		push	edx
		push	[ebp+var_4]
		mov	[eax+8], esi
		mov	esi, ebx
		push	[ebp+var_8]
		mov	[eax+0Ch], edx
		push	edx
		rep movsd
		push	99h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		movzx	esi, ax
		lea	ecx, [ebp+var_18]
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000001h
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_HvlpStartVirtualProcessor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlConfigureIdleStates(x, x)
_HvlConfigureIdleStates@8 proc near	; CODE XREF: PpmIdleUpdateHvStates(x)+35p

var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 198h
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+1A0h+var_190], ecx
		push	62h
		pop	ecx
		mov	esi, edx
		mov	[esp+1A0h+var_194], eax
		mov	[esp+1A0h+var_18C], eax
		lea	edi, [esp+1A0h+var_188]
		mov	[esp+1A0h+var_198], eax
		rep movsd
		lea	ecx, [esp+1A0h+var_198]
		call	_HvlpSetPowerProperty@4	; HvlpSetPowerProperty(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_HvlConfigureIdleStates@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlConfigurePcc(x, x)
_HvlConfigurePcc@8 proc	near		; CODE XREF: PpmPerfRegisterHvStates(x)+4Ap

var_CB8		= dword	ptr -0CB8h
var_C70		= dword	ptr -0C70h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CBCh
		lea	eax, [ebp+var_C70]
		push	ebx
		push	esi
		push	edi
		push	0C70h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, edx
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_CB8]
		lea	edi, [ebp+var_CB8]
		push	12h
		pop	ecx
		push	eax
		rep movsd
		push	2
		pop	edx
		mov	ecx, ebx
		call	_HvlpSetLogicalProcessorProperty@12 ; HvlpSetLogicalProcessorProperty(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_HvlConfigurePcc@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlConfigurePerfStateCap(x,	x)
_HvlConfigurePerfStateCap@8 proc near	; CODE XREF: PpmPerfRegisterHvCap(x)+47p

var_CB8		= dword	ptr -0CB8h
var_CAC		= dword	ptr -0CACh

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0CBCh
		lea	eax, [esp+0CBCh+var_CAC]
		push	ebx
		push	esi
		push	edi
		push	0CACh		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, edx
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		lea	edi, [esp+0CC8h+var_CB8]
		movsd
		lea	eax, [esp+0CC8h+var_CB8]
		mov	ecx, ebx
		push	eax
		movsd
		push	3
		pop	edx
		movsd
		call	_HvlpSetLogicalProcessorProperty@12 ; HvlpSetLogicalProcessorProperty(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_HvlConfigurePerfStateCap@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlConfigurePerfStates(x, x)
_HvlConfigurePerfStates@8 proc near	; CODE XREF: PpmPerfRegisterHvStates(x)+5Bp

var_CB8		= dword	ptr -0CB8h
var_90		= dword	ptr -90h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CBCh
		lea	eax, [ebp+var_90]
		push	ebx
		push	esi
		push	edi
		push	90h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, edx
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		lea	edi, [ebp+var_CB8]
		mov	ecx, 30Ah
		lea	eax, [ebp+var_CB8]
		rep movsd
		xor	edx, edx
		mov	ecx, ebx
		push	eax
		call	_HvlpSetLogicalProcessorProperty@12 ; HvlpSetLogicalProcessorProperty(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_HvlConfigurePerfStates@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlConfigureThrottleStates(x, x)
_HvlConfigureThrottleStates@8 proc near	; CODE XREF: PpmPerfRegisterHvStates(x)+6Ep

var_CB8		= dword	ptr -0CB8h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CB8h
		mov	eax, ecx
		mov	ecx, 32Eh
		push	esi
		push	edi
		mov	esi, edx
		lea	edi, [ebp+var_CB8]
		rep movsd
		lea	ecx, [ebp+var_CB8]
		xor	edx, edx
		push	ecx
		inc	edx
		mov	ecx, eax
		call	_HvlpSetLogicalProcessorProperty@12 ; HvlpSetLogicalProcessorProperty(x,x,x)
		pop	edi
		pop	esi
		leave
		retn
_HvlConfigureThrottleStates@8 endp


;  S U B	R O U T	I N E 


; __stdcall HvlGetDisabledSleepStates()
_HvlGetDisabledSleepStates@0 proc near	; CODE XREF: PopInitPlatformSettings:loc_AE9788p
		mov	eax, ds:_HvlpEnlightenments
		and	eax, 10000h
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFF1h
		add	eax, 1Fh
		test	ds:_HvlpRootFlags, 400h
		jz	short locret_605392
		test	ds:_HvlEnlightenments, 20000000h
		push	1Fh
		pop	eax
		jz	short locret_605392
		push	17h
		pop	eax

locret_605392:				; CODE XREF: HvlGetDisabledSleepStates()+1Ej
					; HvlGetDisabledSleepStates()+2Dj
		retn
_HvlGetDisabledSleepStates@0 endp


;  S U B	R O U T	I N E 


; __stdcall HvlGetIdleGenerationCounter(x, x)
_HvlGetIdleGenerationCounter@8 proc near ; CODE	XREF: PpmSnapPerformanceAccumulation+12D897p
					; PpmSnapPerformanceAccumulation+12D9C2p ...
		mov	ecx, [ecx+3FD0h]
		mov	eax, ds:dword_6FE164
		push	esi
		mov	esi, [ecx+eax*8]
		mov	ecx, [ecx+eax*8+4]
		mov	eax, esi
		shrd	eax, ecx, 1
		mov	[edx], eax
		xor	eax, eax
		inc	eax
		shr	ecx, 1
		and	esi, eax
		mov	[edx+4], ecx
		or	esi, 0
		pop	esi
		jnz	short locret_6053C0
		xor	al, al

locret_6053C0:				; CODE XREF: HvlGetIdleGenerationCounter(x,x)+29j
		retn
_HvlGetIdleGenerationCounter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlGetLogicalProcessorRunTime(x, x,	x)
_HvlGetLogicalProcessorRunTime@12 proc near ; CODE XREF: PpmIdleGuestPreselect(x,x)+34p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ecx+3FD0h]
		mov	ebx, edx
		mov	ecx, ds:dword_6FE160
		mov	edx, [ebp+arg_0]
		push	edi
		mov	edi, ds:dword_6FE15C
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ecx
		jmp	short loc_6053ED
; 

loc_6053EA:				; CODE XREF: HvlGetLogicalProcessorRunTime(x,x,x)+50j
		mov	ebx, [ebp+var_4]

loc_6053ED:				; CODE XREF: HvlGetLogicalProcessorRunTime(x,x,x)+27j
					; HvlGetLogicalProcessorRunTime(x,x,x)+58j
		mov	eax, [esi+edi*8]
		mov	[edx], eax
		mov	eax, [esi+edi*8+4]
		mov	[edx+4], eax
		mov	eax, [esi+ecx*8]
		mov	[ebx], eax
		mov	eax, [esi+ecx*8+4]
		mov	ecx, [esi+edi*8]
		cmp	[edx], ecx
		mov	ecx, [ebp+var_8]
		mov	[ebx+4], eax
		mov	ebx, [esi+edi*8+4]
		jnz	short loc_6053EA
		cmp	[edx+4], ebx
		mov	ebx, [ebp+var_4]
		jnz	short loc_6053ED
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	4
_HvlGetLogicalProcessorRunTime@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlGetPpmStatsForProcessor(x, x, x)
_HvlGetPpmStatsForProcessor@12 proc near
					; CODE XREF: PpmHvGetRuntimesForProcessor(x,x,x)+1Fp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:20h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_4], edi
		cmp	edi, eax
		jnz	loc_6054D7
		mov	ecx, ds:dword_6FE168
		mov	ebx, [edi+3FD0h]
		mov	[ebp+var_8], ecx

loc_605456:				; CODE XREF: HvlGetPpmStatsForProcessor(x,x,x)+68j
					; HvlGetPpmStatsForProcessor(x,x,x)+6Dj
		mov	esi, [ebx+ecx*8]
		mov	eax, [ebx+ecx*8+4]
		mov	edx, [edi+3FD0h]
		mov	ecx, ds:dword_6FE16C
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_C], eax
		mov	eax, [edx+ecx*8]
		mov	[edi], eax
		mov	eax, [edx+ecx*8+4]
		mov	ecx, edi
		mov	edi, [ebp+var_4]
		mov	[ecx+4], eax
		mov	ecx, [ebp+var_8]
		mov	eax, [ebx+ecx*8]
		mov	edx, [ebx+ecx*8+4]
		cmp	esi, eax
		jnz	short loc_605456
		cmp	[ebp+var_C], edx
		jnz	short loc_605456
		mov	edx, ds:dword_6FE170
		mov	edi, [edi+3FD0h]
		mov	ebx, [ebp+var_10]
		mov	[ebp+arg_0], edx

loc_6054A5:				; CODE XREF: HvlGetPpmStatsForProcessor(x,x,x)+A7j
					; HvlGetPpmStatsForProcessor(x,x,x)+AFj
		mov	eax, [edi+edx*8]
		mov	[ebx], eax
		mov	eax, [edi+edx*8+4]
		mov	[ebx+4], eax
		call	_HvlGetReferenceTime@0 ; HvlGetReferenceTime()
		mov	[ebp+var_4], edx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_8], eax
		mov	esi, [edi+edx*8]
		mov	eax, [edi+edx*8+4]
		mov	[ebp+var_10], eax
		cmp	[ebx], esi
		jnz	short loc_6054A5
		mov	eax, [ebx+4]
		cmp	eax, [ebp+var_10]
		jnz	short loc_6054A5
		jmp	short loc_60551D
; 

loc_6054D7:				; CODE XREF: HvlGetPpmStatsForProcessor(x,x,x)+1Dj
		call	_HvlGetReferenceTime@0 ; HvlGetReferenceTime()
		mov	esi, [edi+3FD0h]
		mov	ecx, eax
		mov	eax, ds:dword_6FE160
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		mov	edx, [esi+eax*8]
		sub	ecx, edx
		mov	esi, [esi+eax*8+4]
		mov	eax, [ebp+var_4]
		mov	edx, ds:dword_6FE16C
		sbb	eax, esi
		mov	esi, [edi+3FD0h]
		mov	[ebx], ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebx+4], eax
		mov	eax, [esi+edx*8]
		mov	[ecx], eax
		mov	eax, [esi+edx*8+4]
		mov	[ecx+4], eax

loc_60551D:				; CODE XREF: HvlGetPpmStatsForProcessor(x,x,x)+B1j
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_HvlGetPpmStatsForProcessor@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlParkedVirtualProcessors(x)
_HvlParkedVirtualProcessors@4 proc near	; CODE XREF: PpmParkReportMask+12A082p

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		test	byte ptr ds:_HvlpEnlightenments, 8
		jz	short locret_605579
		test	byte ptr ds:_HvlpFlags,	80h
		jz	short loc_60554D
		cmp	ds:_KiActiveGroups, 1
		ja	short locret_605579

loc_60554D:				; CODE XREF: HvlParkedVirtualProcessors(x)+17j
		mov	ecx, ds:dword_6B5BB8
		xor	eax, eax
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_605560
		call	_HvlpAffinityToVirtualAffinity@4 ; HvlpAffinityToVirtualAffinity(x)

loc_605560:				; CODE XREF: HvlParkedVirtualProcessors(x)+2Fj
		push	0
		push	0
		push	edx
		push	eax
		push	0
		push	10009h
		mov	[ebp+var_8], 9
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)

locret_605579:				; CODE XREF: HvlParkedVirtualProcessors(x)+Ej
					; HvlParkedVirtualProcessors(x)+21j
		leave
		retn
_HvlParkedVirtualProcessors@4 endp

; 
		align 10h
; Exported entry 711. HvlReadPerformanceStateCounters

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlReadPerformanceStateCounters(x, x, x, x)
		public _HvlReadPerformanceStateCounters@16
_HvlReadPerformanceStateCounters@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_4]
		cmp	ebx, 2
		jnb	short loc_6055D2
		mov	ecx, [ebp+arg_0]
		call	_HvlpGetLpcbByLpIndex@4	; HvlpGetLpcbByLpIndex(x)
		test	eax, eax
		jz	short loc_6055D2
		mov	ecx, [ebp+arg_8]
		lfence	eax
		mov	edx, ds:dword_6FE174[ebx*8]
		push	esi
		mov	esi, ds:dword_6FE178[ebx*8]
		push	edi
		mov	edi, [eax+1Ch]
		mov	eax, [edi+edx*8]
		mov	[ecx], eax
		mov	eax, [edi+edx*8+4]
		mov	[ecx+4], eax
		mov	ecx, [ebp+arg_C]
		mov	eax, [edi+esi*8]
		mov	[ecx], eax
		mov	eax, [edi+esi*8+4]
		pop	edi
		mov	[ecx+4], eax
		pop	esi
		jmp	short loc_6055E4
; 

loc_6055D2:				; CODE XREF: HvlReadPerformanceStateCounters(x,x,x,x)+Cj
					; HvlReadPerformanceStateCounters(x,x,x,x)+18j
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	[eax+4], ecx

loc_6055E4:				; CODE XREF: HvlReadPerformanceStateCounters(x,x,x,x)+50j
		pop	ebx
		pop	ebp
		retn	10h
_HvlReadPerformanceStateCounters@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlRegisterLogicalProcessorFrequency(x, x)
_HvlRegisterLogicalProcessorFrequency@8	proc near
					; CODE XREF: PpmScaleIdleStateValues+81BB6j

var_198		= dword	ptr -198h
var_190		= dword	ptr -190h
var_188		= dword	ptr -188h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 198h
		push	esi
		push	edi
		push	198h		; size_t
		lea	eax, [esp+1A4h+var_198]
		mov	edi, edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		mov	[esp+1A0h+var_198], 2
		lea	ecx, [esp+1A0h+var_198]
		mov	[esp+1A0h+var_190], esi
		mov	[esp+1A0h+var_188], edi
		call	_HvlpSetPowerProperty@4	; HvlpSetPowerProperty(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_HvlRegisterLogicalProcessorFrequency@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlRegisterPerfFeedbackCounters(x, x)
_HvlRegisterPerfFeedbackCounters@8 proc	near
					; CODE XREF: PpmPerfRegisterHvPerfStateCounters(x)+9Cp

var_198		= dword	ptr -198h
var_190		= dword	ptr -190h
var_188		= dword	ptr -188h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 198h
		push	esi
		push	edi
		push	198h		; size_t
		lea	eax, [ebp+var_198]
		mov	edi, edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_190], esi
		mov	esi, edi
		mov	[ebp+var_198], 1
		lea	edi, [ebp+var_188]
		push	1Ah
		pop	ecx
		rep movsd
		lea	ecx, [ebp+var_198]
		call	_HvlpSetPowerProperty@4	; HvlpSetPowerProperty(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_HvlRegisterPerfFeedbackCounters@8 endp	; sp =	4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlSetPlatformIdleState(x)
_HvlSetPlatformIdleState@4 proc	near	; CODE XREF: PpmIdleGuestComplete(x,x,x,x,x)+38p
					; PpmIdleGuestPreExecute(x,x,x,x,x)+4Ap

var_198		= dword	ptr -198h
var_190		= dword	ptr -190h
var_188		= dword	ptr -188h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 19Ch
		push	esi
		push	198h		; size_t
		lea	eax, [esp+1A4h+var_198]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		movzx	eax, large byte	ptr fs:51h
		add	esp, 0Ch
		mov	[esp+1A0h+var_198], 3
		push	eax
		call	_HvlGetLpIndexFromProcessorIndex@4 ; HvlGetLpIndexFromProcessorIndex(x)
		lea	ecx, [esp+1A0h+var_198]
		mov	[esp+1A0h+var_190], eax
		mov	[esp+1A0h+var_188], esi
		call	_HvlpSetPowerProperty@4	; HvlpSetPowerProperty(x)
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_HvlSetPlatformIdleState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpConfigureLegacyPowerPolicySetting(x)
_HvlpConfigureLegacyPowerPolicySetting@4 proc near
					; CODE XREF: HvlpLegacyPowerPolicySettingCallback(x,x,x,x)+22p

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [ebp+var_18]
		pop	ecx
		xor	eax, eax
		xor	edx, edx
		rep stosd
		push	28h
		xor	edi, edi
		lea	ecx, [ebp+var_18]
		push	edi
		inc	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	ecx, [esi]
		push	edi
		push	edi
		push	[ebp+var_4]
		mov	[eax+8], ecx
		push	[ebp+var_8]
		mov	ecx, [esi+4]
		push	edi
		push	6Fh
		mov	dword ptr [eax], 2
		mov	[eax+0Ch], ecx
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		movzx	esi, ax
		lea	ecx, [ebp+var_18]
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000001h
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_HvlpConfigureLegacyPowerPolicySetting@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpInitializePowerStatistics()
_HvlpInitializePowerStatistics@0 proc near ; CODE XREF:	HvlPhase1Initialize+86BEDp

var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [ebp+var_30]
		xor	ebx, ebx
		test	ds:_HvlEnlightenments, 408h
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_18]
		rep stosd
		jz	short loc_6057E5
		push	8
		xor	edx, edx
		lea	ecx, [ebp+var_30]
		push	ebx
		inc	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	188h
		push	ebx
		push	2
		pop	edx
		lea	ecx, [ebp+var_18]
		mov	esi, eax
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	[ebp+var_4]
		mov	[esi+4], ebx
		mov	edi, eax
		push	[ebp+var_8]
		mov	dword ptr [esi], 4
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	ebx
		push	9Bh
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		test	ax, ax
		jz	short loc_6057C7
		mov	ebx, 0C0000001h
		jmp	short loc_6057D3
; 

loc_6057C7:				; CODE XREF: HvlpInitializePowerStatistics()+71j
		push	0Eh
		mov	esi, edi
		mov	edi, offset dword_6FE15C
		pop	ecx
		rep movsd

loc_6057D3:				; CODE XREF: HvlpInitializePowerStatistics()+78j
		lea	ecx, [ebp+var_18]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		lea	ecx, [ebp+var_30]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	eax, ebx

loc_6057E5:				; CODE XREF: HvlpInitializePowerStatistics()+29j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_HvlpInitializePowerStatistics@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpLegacyPowerPolicySettingCallback(x, x, x, x)
_HvlpLegacyPowerPolicySettingCallback@16 proc near
					; DATA XREF: HvlpRegisterPowerPolicyCallbacks()+18o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	[ebp+arg_8], 4
		jnz	short loc_605813
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_605813
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_8], eax
		mov	eax, [ecx]
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_4], eax
		call	_HvlpConfigureLegacyPowerPolicySetting@4 ; HvlpConfigureLegacyPowerPolicySetting(x)
		jmp	short locret_605818
; 

loc_605813:				; CODE XREF: HvlpLegacyPowerPolicySettingCallback(x,x,x,x)+Bj
					; HvlpLegacyPowerPolicySettingCallback(x,x,x,x)+12j
		mov	eax, 0C000000Dh

locret_605818:				; CODE XREF: HvlpLegacyPowerPolicySettingCallback(x,x,x,x)+27j
		leave
		retn	10h
_HvlpLegacyPowerPolicySettingCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpMarkHvlPagesForHibernation()
_HvlpMarkHvlPagesForHibernation@0 proc near ; CODE XREF: HvlMarkHiberPhase()+7j

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		test	byte ptr ds:_HvlpFlags,	2
		push	edi
		mov	edi, 10000h
		jz	short loc_605842
		push	636C7648h
		push	esi
		push	offset _HvlGetReferenceTimeUsingTscPage@4 ; HvlGetReferenceTimeUsingTscPage(x)
		jmp	short loc_605866
; 

loc_605842:				; CODE XREF: HvlpMarkHvlPagesForHibernation()+17j
		push	646C7648h
		mov	ebx, 1000h
		push	ebx
		push	ds:_HvlpReferenceTscPage
		push	edi
		push	esi
		call	PoSetHiberRange
		push	636C7648h
		push	ebx
		push	ds:_HvlpHypercallCodeVa

loc_605866:				; CODE XREF: HvlpMarkHvlPagesForHibernation()+24j
		push	edi
		push	esi
		call	PoSetHiberRange
		push	646C7648h
		push	esi
		push	offset _HvlpFlags
		push	edi
		push	esi
		call	PoSetHiberRange
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	[ebp+var_4], eax
		mov	ebx, esi
		test	eax, eax
		jz	short loc_6058B6

loc_605892:				; CODE XREF: HvlpMarkHvlPagesForHibernation()+98j
		mov	ecx, ebx
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		push	646C7648h
		push	6000h
		push	dword ptr [eax+3FC8h]
		push	edi
		push	esi
		call	PoSetHiberRange
		inc	ebx
		cmp	ebx, [ebp+var_4]
		jb	short loc_605892

loc_6058B6:				; CODE XREF: HvlpMarkHvlPagesForHibernation()+74j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_HvlpMarkHvlPagesForHibernation@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpPowerPolicySettingCallback(x, x, x, x)
_HvlpPowerPolicySettingCallback@16 proc	near
					; DATA XREF: HvlpRegisterPowerPolicyCallbacks()+46o

var_198		= dword	ptr -198h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 198h
		cmp	[ebp+arg_8], 4
		push	esi
		push	edi
		jnz	short loc_60590C
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_60590C
		mov	esi, [ebp+arg_C]
		lea	eax, [esp+1A0h+var_198]
		mov	edi, [edi]
		push	198h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+1A0h+var_198], 5
		lea	ecx, [esp+1A0h+var_198]
		mov	[esp+1A0h+var_190], esi
		mov	[esp+1A0h+var_18C], edi
		call	_HvlpSetPowerProperty@4	; HvlpSetPowerProperty(x)
		jmp	short loc_605911
; 

loc_60590C:				; CODE XREF: HvlpPowerPolicySettingCallback(x,x,x,x)+14j
					; HvlpPowerPolicySettingCallback(x,x,x,x)+1Bj
		mov	eax, 0C000000Dh

loc_605911:				; CODE XREF: HvlpPowerPolicySettingCallback(x,x,x,x)+4Fj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
_HvlpPowerPolicySettingCallback@16 endp


;  S U B	R O U T	I N E 


; __stdcall HvlpRegisterPowerPolicyCallbacks()
_HvlpRegisterPowerPolicyCallbacks@0 proc near ;	CODE XREF: HvlPhase2Initialize:loc_5FB37Cp
		mov	edi, edi
		push	esi
		push	edi
		xor	edi, edi
		test	byte ptr ds:_HvlpEnlightenments, 8
		jz	short loc_60594A
		mov	esi, edi

loc_60592A:				; CODE XREF: HvlpRegisterPowerPolicyCallbacks()+2Fj
		push	edi		; int
		push	dword ptr ds:(loc_AF6723+1)[esi] ; int
		push	offset _HvlpLegacyPowerPolicySettingCallback@16	; int
		push	dword ptr ds:(loc_AF671F+1)[esi] ; void	*
		push	edi		; int
		call	PoRegisterPowerSettingCallback
		add	esi, 8
		cmp	esi, 78h
		jb	short loc_60592A

loc_60594A:				; CODE XREF: HvlpRegisterPowerPolicyCallbacks()+Dj
		test	ds:_HvlpEnlightenments,	408h
		jz	short loc_605978
		mov	esi, edi

loc_605958:				; CODE XREF: HvlpRegisterPowerPolicyCallbacks()+5Dj
		push	edi		; int
		push	dword ptr ds:(_HvlpPowerSettingList+4)[esi] ; int
		push	offset _HvlpPowerPolicySettingCallback@16 ; int
		push	dword ptr ds:_HvlpPowerSettingList[esi]	; void *
		push	edi		; int
		call	PoRegisterPowerSettingCallback
		add	esi, 8
		cmp	esi, 28h
		jb	short loc_605958

loc_605978:				; CODE XREF: HvlpRegisterPowerPolicyCallbacks()+3Bj
		pop	edi
		pop	esi
		retn
_HvlpRegisterPowerPolicyCallbacks@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpSetPowerProperty(x)
_HvlpSetPowerProperty@4	proc near	; CODE XREF: HvlConfigureIdleStates(x,x)+31p
					; HvlRegisterLogicalProcessorFrequency(x,x)+3Cp ...

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [ebp+var_18]
		pop	ecx
		xor	eax, eax
		xor	edx, edx
		rep stosd
		push	198h
		xor	ebx, ebx
		lea	ecx, [ebp+var_18]
		push	ebx
		inc	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	66h
		pop	ecx
		push	ebx
		push	ebx
		push	[ebp+var_4]
		mov	edi, eax
		push	[ebp+var_8]
		rep movsd
		push	ebx
		push	9Ch
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		movzx	esi, ax
		lea	ecx, [ebp+var_18]
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000001h
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_HvlpSetPowerProperty@4	endp


;  S U B	R O U T	I N E 


; __stdcall HvlEndSystemInterrupt()
_HvlEndSystemInterrupt@0 proc near	; DATA XREF: HvlGetEnlightenmentInfo(x)+B6o
		mov	eax, large fs:20h
		mov	eax, [eax+3FCCh]
		btr	dword ptr [eax], 0
		jb	short locret_6059F8
		xor	eax, eax
		mov	ecx, 40000070h
		xor	edx, edx
		wrmsr

locret_6059F8:				; CODE XREF: HvlEndSystemInterrupt()+10j
		retn
_HvlEndSystemInterrupt@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlEnterSleepState(x)
_HvlEnterSleepState@4 proc near		; DATA XREF: HvlGetEnlightenmentInfo(x)+7Eo

var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+38h+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+40h+var_38]
		rep stosd
		push	8
		lea	eax, [esp+44h+var_18]
		xor	edx, edx
		push	eax
		inc	edx
		lea	ecx, [esp+48h+var_38]
		xor	esi, esi
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	ecx, [ebp+arg_0]
		push	esi
		push	esi
		push	[esp+48h+var_24]
		mov	[eax], ecx
		push	[esp+4Ch+var_28]
		push	esi
		push	84h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		lea	ecx, [esp+40h+var_38]
		mov	esi, eax
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	ecx, [esp+40h+var_4]
		movzx	eax, si
		neg	eax
		pop	edi
		sbb	eax, eax
		pop	esi
		xor	ecx, esp
		and	eax, 0C0000001h
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_HvlEnterSleepState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	HvlGetEnlightenmentInfo(void *)
_HvlGetEnlightenmentInfo@4 proc	near	; DATA XREF: HvlpDetermineEnlightenments()+46Fo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, 100h
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, ds:_HvlEnlightenments
		add	esp, 0Ch
		mov	[esi], eax
		xor	eax, eax
		cmp	ds:_HvlHypervisorConnected, al
		setnz	al
		mov	[esi+4], eax
		mov	eax, ds:_HvlLongSpinCountMask
		mov	[esi+14h], eax
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_605ABD
		mov	dword ptr [esi+18h], offset _HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)

loc_605ABD:				; CODE XREF: HvlGetEnlightenmentInfo(x)+3Fj
		test	ds:_HvlEnlightenments, edi
		jz	short loc_605ACC
		mov	dword ptr [esi+1Ch], offset _HvlGetReferenceTimeUsingTscPage@4 ; HvlGetReferenceTimeUsingTscPage(x)

loc_605ACC:				; CODE XREF: HvlGetEnlightenmentInfo(x)+4Ej
		mov	ecx, 4000h
		test	ds:_HvlEnlightenments, ecx
		jz	short loc_605AE0
		mov	dword ptr [esi+6Ch], offset _HvlSendSyntheticClusterIpi@8 ; HvlSendSyntheticClusterIpi(x,x)

loc_605AE0:				; CODE XREF: HvlGetEnlightenmentInfo(x)+62j
		test	ds:_HvlEnlightenments, 10000h
		jz	short loc_605B01
		mov	dword ptr [esi+20h], offset _HvlSetSystemSleepProperty@12 ; HvlSetSystemSleepProperty(x,x,x)
		mov	dword ptr [esi+24h], offset _HvlEnterSleepState@4 ; HvlEnterSleepState(x)
		mov	dword ptr [esi+28h], offset _HvlNotifyDebugDeviceAvailable@0 ; HvlNotifyDebugDeviceAvailable()

loc_605B01:				; CODE XREF: HvlGetEnlightenmentInfo(x)+75j
		mov	dword ptr [esi+70h], offset _HvlHalVpStartEnabled@0 ; HvlHalVpStartEnabled()
		test	ds:_HvlEnlightenments, 8000h
		jz	short loc_605B22
		mov	dword ptr [esi+74h], offset _HvlHalStartVirtualProcessor@8 ; HvlHalStartVirtualProcessor(x,x)
		mov	dword ptr [esi+78h], offset _HvlHalGetVpIndexFromApicId@8 ; HvlHalGetVpIndexFromApicId(x,x)

loc_605B22:				; CODE XREF: HvlGetEnlightenmentInfo(x)+9Dj
		test	byte ptr ds:_HvlEnlightenments,	10h
		jz	short loc_605B39
		mov	dword ptr [esi+8], offset _HvlEndSystemInterrupt@0 ; HvlEndSystemInterrupt()
		mov	dword ptr [esi+0Ch], offset _HvlWriteApicCommandRegister@8 ; HvlWriteApicCommandRegister(x,x)

loc_605B39:				; CODE XREF: HvlGetEnlightenmentInfo(x)+B4j
		test	byte ptr ds:_HvlpRootFlags, 80h
		jz	short loc_605B8F
		mov	dword ptr [esi+40h], offset _HvlQueryAssociatedProcessors@12 ; HvlQueryAssociatedProcessors(x,x,x)
		mov	dword ptr [esi+54h], offset _HvlLpGetMachineCheckContext@16 ; HvlLpGetMachineCheckContext(x,x,x,x)
		mov	dword ptr [esi+58h], offset _HvlSuspendPartition@8 ; HvlSuspendPartition(x,x)
		mov	dword ptr [esi+5Ch], offset _HvlResumePartition@8 ; HvlResumePartition(x,x)
		mov	dword ptr [esi+60h], offset _HvlSetSystemMachineCheckProperty@4	; HvlSetSystemMachineCheckProperty(x)
		mov	dword ptr [esi+64h], offset _HvlInvokeWheaErrorNotificationCallback@12 ; HvlInvokeWheaErrorNotificationCallback(x,x,x)
		mov	dword ptr [esi+68h], offset _HvlGetProcessorIndexFromVpIndex@4 ; HvlGetProcessorIndexFromVpIndex(x)
		mov	dword ptr [esi+44h], offset _HvlLpReadMultipleMsr@16 ; HvlLpReadMultipleMsr(x,x,x,x)
		mov	dword ptr [esi+48h], offset _HvlLpWriteMultipleMsr@16 ;	HvlLpWriteMultipleMsr(x,x,x,x)
		mov	dword ptr [esi+4Ch], offset _HvlLpReadCpuid@24 ; HvlLpReadCpuid(x,x,x,x,x,x)
		mov	dword ptr [esi+50h], offset _HvlLpWritebackInvalidate@4	; HvlLpWritebackInvalidate(x)

loc_605B8F:				; CODE XREF: HvlGetEnlightenmentInfo(x)+CBj
		test	ds:_HvlpRootFlags, edi
		jz	short loc_605BAC
		mov	dword ptr [esi+2Ch], offset _HvlMapDeviceInterrupt@20 ;	HvlMapDeviceInterrupt(x,x,x,x,x)
		mov	dword ptr [esi+30h], offset _HvlUnmapDeviceInterrupt@12	; HvlUnmapDeviceInterrupt(x,x,x)
		mov	dword ptr [esi+34h], offset _HvlRetargetDeviceInterrupt@24 ; HvlRetargetDeviceInterrupt(x,x,x,x,x,x)

loc_605BAC:				; CODE XREF: HvlGetEnlightenmentInfo(x)+120j
		mov	eax, ds:_HvlpRootFlags
		test	al, 1
		jz	short loc_605BC6
		test	eax, 200h
		jz	short loc_605BC6
		mov	dword ptr [esi+0C0h], offset _HvlSetQpcBias@8 ;	HvlSetQpcBias(x,x)

loc_605BC6:				; CODE XREF: HvlGetEnlightenmentInfo(x)+13Ej
					; HvlGetEnlightenmentInfo(x)+145j
		test	ds:_HvlpFlags, ecx
		jz	short loc_605BD8
		mov	dword ptr [esi+0C4h], offset _HvlGetQpcBias@0 ;	HvlGetQpcBias()

loc_605BD8:				; CODE XREF: HvlGetEnlightenmentInfo(x)+157j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_HvlGetEnlightenmentInfo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlGetReferenceTime()
_HvlGetReferenceTime@0 proc near	; CODE XREF: HvlGetPpmStatsForProcessor(x,x,x)+8Dp
					; HvlGetPpmStatsForProcessor(x,x,x):loc_6054D7p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		xor	eax, eax
		test	ds:_HvlEnlightenments, 100h
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		jz	short loc_605C01
		push	eax
		call	_HvlGetReferenceTimeUsingTscPage@4 ; HvlGetReferenceTimeUsingTscPage(x)
		leave
		retn
; 

loc_605C01:				; CODE XREF: HvlGetReferenceTime()+19j
		lea	edx, [ebp+var_8]
		mov	ecx, 90004h
		call	_HvlpGetRegister64@8 ; HvlpGetRegister64(x,x)
		mov	edx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		leave
		retn
_HvlGetReferenceTime@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlHalGetVpIndexFromApicId(x, x)
_HvlHalGetVpIndexFromApicId@8 proc near	; DATA XREF: HvlGetEnlightenmentInfo(x)+A6o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], 0
		call	_HvlpGetVpIndexFromApicId@8 ; HvlpGetVpIndexFromApicId(x,x)
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		mov	[edx], ecx
		leave
		retn	8
_HvlHalGetVpIndexFromApicId@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlHalStartVirtualProcessor(x, x)
_HvlHalStartVirtualProcessor@8 proc near ; DATA	XREF: HvlGetEnlightenmentInfo(x)+9Fo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_HvlpStartVirtualProcessor@8 ; HvlpStartVirtualProcessor(x,x)
		pop	ebp
		retn	8
_HvlHalStartVirtualProcessor@8 endp


;  S U B	R O U T	I N E 


; __stdcall HvlHalVpStartEnabled()
_HvlHalVpStartEnabled@0	proc near	; DATA XREF: HvlGetEnlightenmentInfo(x):loc_605B01o
		cmp	ds:_HvlVpStartDisabled,	0
		jnz	short loc_605C63
		test	ds:_HvlEnlightenments, 8000h
		jz	short loc_605C63
		mov	al, 1
		retn
; 

loc_605C63:				; CODE XREF: HvlHalVpStartEnabled()+7j
					; HvlHalVpStartEnabled()+13j
		xor	al, al
		retn
_HvlHalVpStartEnabled@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlInvokeWheaErrorNotificationCallback(x, x, x)
_HvlInvokeWheaErrorNotificationCallback@12 proc	near
					; DATA XREF: HvlGetEnlightenmentInfo(x)+F0o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, ds:_HvlpWheaErrorNotificationCallback
		mov	eax, 0C0000001h
		test	ecx, ecx
		jz	short loc_605C7D
		pop	ebp
		jmp	ecx
; 

loc_605C7D:				; CODE XREF: HvlInvokeWheaErrorNotificationCallback(x,x,x)+12j
		pop	ebp
		retn	0Ch
_HvlInvokeWheaErrorNotificationCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlLpGetMachineCheckContext(x, x, x, x)
_HvlLpGetMachineCheckContext@16	proc near ; DATA XREF: HvlGetEnlightenmentInfo(x)+D4o

var_CB8		= dword	ptr -0CB8h
var_CB0		= dword	ptr -0CB0h
var_CAC		= dword	ptr -0CACh
var_CA8		= dword	ptr -0CA8h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0CB8h
		lea	eax, [esp+0CB8h+var_CB8]
		push	0CB8h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		lea	eax, [esp+0CC4h+var_CB8]
		add	esp, 0Ch
		push	eax
		call	_HvlpGetLogicalProcessorProperty@12 ; HvlpGetLogicalProcessorProperty(x,x,x)
		test	eax, eax
		jns	short loc_605CBA
		mov	eax, 0C0000001h
		jmp	short loc_605CDD
; 

loc_605CBA:				; CODE XREF: HvlLpGetMachineCheckContext(x,x,x,x)+30j
		mov	ecx, [ebp+arg_4]
		mov	eax, [esp+0CB8h+var_CB8]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		mov	eax, [esp+0CB8h+var_CB0]
		mov	[ecx], eax
		mov	eax, [esp+0CB8h+var_CAC]
		mov	[ecx+4], eax
		mov	ecx, [ebp+arg_C]
		mov	eax, [esp+0CB8h+var_CA8]
		mov	[ecx], eax
		xor	eax, eax

loc_605CDD:				; CODE XREF: HvlLpGetMachineCheckContext(x,x,x,x)+37j
		mov	esp, ebp
		pop	ebp
		retn	10h
_HvlLpGetMachineCheckContext@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlLpReadCpuid(x, x, x, x, x, x)
_HvlLpReadCpuid@24 proc	near		; DATA XREF: HvlGetEnlightenmentInfo(x)+10Co

var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_38]
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_20]
		xor	edx, edx
		rep stosd
		push	10h
		xor	ebx, ebx
		lea	ecx, [ebp+var_38]
		push	ebx
		inc	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	10h
		push	ebx
		push	2
		pop	edx
		lea	ecx, [ebp+var_20]
		mov	esi, eax
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	[ebp+var_C]
		mov	ecx, [ebp+arg_0]
		mov	edi, eax
		push	[ebp+var_10]
		mov	[esi], ecx
		push	[ebp+var_24]
		mov	ecx, [ebp+arg_4]
		push	[ebp+var_28]
		mov	dword ptr [esi+4], 10000h
		push	1
		push	88h
		mov	[esi+8], ecx
		mov	[esi+0Ch], ebx
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		mov	ecx, [edi]
		movzx	esi, ax
		mov	eax, [ebp+arg_8]
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000001h
		mov	[eax], ecx
		mov	eax, [ebp+arg_C]
		mov	ecx, [edi+4]
		mov	[eax], ecx
		mov	ecx, [ebp+arg_10]
		mov	edx, [edi+8]
		mov	[ecx], edx
		mov	ecx, [ebp+arg_14]
		mov	edx, [edi+0Ch]
		mov	[ecx], edx
		lea	ecx, [ebp+var_20]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		lea	ecx, [ebp+var_38]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
_HvlLpReadCpuid@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlLpReadMultipleMsr(x, x, x, x)
_HvlLpReadMultipleMsr@16 proc near	; DATA XREF: HvlGetEnlightenmentInfo(x)+FEo

var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [ebp+var_3C]
		mov	esi, ebx
		rep stosd
		push	6
		shl	esi, 4
		lea	edi, [ebp+var_24]
		pop	ecx
		rep stosd
		cmp	esi, 1000h
		ja	loc_605E77
		xor	edi, edi
		lea	ecx, [ebp+var_3C]
		mov	eax, ebx
		mov	[ebp+var_8], edi
		push	esi
		xor	edx, edx
		and	eax, 0FFFh
		push	edi
		inc	edx
		mov	[ebp+var_4], eax
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	esi
		push	edi
		push	2
		pop	edx
		lea	ecx, [ebp+var_24]
		mov	[ebp+arg_4], eax
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	[ebp+var_8], eax
		mov	edx, edi
		test	ebx, ebx
		jz	short loc_605E1F
		mov	ecx, [ebp+arg_4]
		mov	esi, [ebp+arg_8]
		add	ecx, 8
		mov	edi, [ebp+arg_0]

loc_605E06:				; CODE XREF: HvlLpReadMultipleMsr(x,x,x,x)+87j
		mov	[ecx-8], edi
		mov	dword ptr [ecx-4], 10001h
		mov	eax, [esi+edx*4]
		inc	edx
		mov	[ecx], eax
		lea	ecx, [ecx+10h]
		cmp	edx, ebx
		jb	short loc_605E06
		xor	edi, edi

loc_605E1F:				; CODE XREF: HvlLpReadMultipleMsr(x,x,x,x)+64j
		push	[ebp+var_10]
		push	[ebp+var_14]
		push	[ebp+var_28]
		push	[ebp+var_2C]
		push	[ebp+var_4]
		push	88h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		movzx	esi, ax
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000001h
		test	ebx, ebx
		jz	short loc_605E63
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+var_8]

loc_605E4F:				; CODE XREF: HvlLpReadMultipleMsr(x,x,x,x)+CDj
		mov	eax, [ecx]
		lea	ecx, [ecx+10h]
		mov	[edx+edi*8], eax
		mov	eax, [ecx-0Ch]
		mov	[edx+edi*8+4], eax
		inc	edi
		cmp	edi, ebx
		jb	short loc_605E4F

loc_605E63:				; CODE XREF: HvlLpReadMultipleMsr(x,x,x,x)+B3j
		lea	ecx, [ebp+var_24]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		lea	ecx, [ebp+var_3C]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	eax, esi
		jmp	short loc_605E7C
; 

loc_605E77:				; CODE XREF: HvlLpReadMultipleMsr(x,x,x,x)+2Bj
		mov	eax, 0C000000Dh

loc_605E7C:				; CODE XREF: HvlLpReadMultipleMsr(x,x,x,x)+E1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_HvlLpReadMultipleMsr@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlLpWriteMultipleMsr(x, x,	x, x)
_HvlLpWriteMultipleMsr@16 proc near	; DATA XREF: HvlGetEnlightenmentInfo(x)+105o

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		push	6
		pop	ecx
		lea	edi, [ebp+var_20]
		rep stosd
		mov	eax, esi
		shl	eax, 5
		cmp	eax, 1000h
		jbe	short loc_605EB0
		mov	eax, 0C000000Dh
		jmp	loc_605F30
; 

loc_605EB0:				; CODE XREF: HvlLpWriteMultipleMsr(x,x,x,x)+21j
		mov	edi, esi
		lea	ecx, [ebp+var_20]
		push	eax
		xor	edx, edx
		and	edi, 0FFFh
		push	0
		inc	edx
		mov	[ebp+arg_4], edi
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		xor	edx, edx
		test	esi, esi
		jz	short loc_605F04
		mov	edi, [ebp+arg_8]
		lea	ecx, [eax+8]
		push	ebx
		mov	ebx, [ebp+arg_C]

loc_605ED9:				; CODE XREF: HvlLpWriteMultipleMsr(x,x,x,x)+7Bj
		mov	eax, [ebp+arg_0]
		mov	[ecx-8], eax
		mov	dword ptr [ecx-4], 10001h
		mov	eax, [edi+edx*4]
		mov	[ecx], eax
		lea	ecx, [ecx+20h]
		mov	eax, [ebx+edx*8]
		mov	[ecx-18h], eax
		mov	eax, [ebx+edx*8+4]
		inc	edx
		mov	[ecx-14h], eax
		cmp	edx, esi
		jb	short loc_605ED9
		mov	edi, [ebp+arg_4]
		pop	ebx

loc_605F04:				; CODE XREF: HvlLpWriteMultipleMsr(x,x,x,x)+4Aj
		push	0
		push	0
		push	[ebp+var_C]
		push	[ebp+var_10]
		push	edi
		push	89h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		movzx	esi, ax
		lea	ecx, [ebp+var_20]
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000001h
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	eax, esi

loc_605F30:				; CODE XREF: HvlLpWriteMultipleMsr(x,x,x,x)+28j
		pop	edi
		pop	esi
		leave
		retn	10h
_HvlLpWriteMultipleMsr@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlLpWritebackInvalidate(x)
_HvlLpWritebackInvalidate@4 proc near	; DATA XREF: HvlGetEnlightenmentInfo(x)+113o

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_20]
		rep stosd
		push	20h
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		xor	esi, esi
		inc	edx
		push	esi
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+arg_0]
		push	esi
		push	esi
		mov	[ecx+8], esi
		mov	[ecx+0Ch], esi
		mov	[ecx+10h], esi
		mov	[ecx+14h], esi
		mov	[ecx+18h], esi
		mov	[ecx+1Ch], esi
		push	[ebp+var_C]
		mov	[ecx], eax
		push	[ebp+var_10]
		mov	dword ptr [ecx+4], 10002h
		push	1
		push	89h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		movzx	esi, ax
		lea	ecx, [ebp+var_20]
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000001h
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
_HvlLpWritebackInvalidate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlMapDeviceInterrupt(x, x,	x, x, x)
_HvlMapDeviceInterrupt@20 proc near	; DATA XREF: HvlGetEnlightenmentInfo(x)+122o

var_222		= byte ptr -222h
var_221		= byte ptr -221h
var_220		= dword	ptr -220h
var_218		= dword	ptr -218h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_198		= dword	ptr -198h
var_128		= dword	ptr -128h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 228h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+228h+var_4], eax
		mov	eax, [ebp+arg_10]
		push	esi
		push	edi
		push	0Ah
		mov	[esp+234h+var_208], eax
		lea	edi, [esp+234h+var_1C0]
		xor	eax, eax
		pop	ecx
		rep stosd
		push	6
		pop	ecx
		lea	edi, [esp+230h+var_200]
		rep stosd
		push	6
		pop	ecx
		lea	edi, [esp+230h+var_1E8]
		rep stosd
		lea	edi, [esp+230h+var_1CC]
		xor	ecx, ecx
		stosd
		inc	ecx
		stosd
		stosd
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_606013
		mov	eax, [eax]
		and	[esp+230h+var_1C8], 0
		mov	word ptr [esp+230h+var_1CC], cx
		mov	word ptr [esp+230h+var_1CC+2], cx
		mov	[esp+230h+var_1C4], eax

loc_606013:				; CODE XREF: HvlMapDeviceInterrupt(x,x,x,x,x)+51j
		mov	[esp+230h+var_221], 0

loc_606018:				; CODE XREF: HvlMapDeviceInterrupt(x,x,x,x,x)+241j
		push	48h
		pop	esi

loc_60601B:				; CODE XREF: HvlMapDeviceInterrupt(x,x,x,x,x)+236j
		and	[esp+230h+var_218], 0
		lea	eax, [esp+230h+var_198]
		push	38h
		push	eax
		push	2
		pop	edx
		lea	ecx, [esp+238h+var_1E8]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	[esp+230h+var_20C], eax
		lea	ecx, [esp+230h+var_200]
		push	90h
		lea	eax, [esp+234h+var_128]
		xor	edx, edx
		push	eax
		inc	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		mov	[esp+23Ch+var_220], eax
		call	_memset
		mov	edx, [esp+23Ch+var_220]
		add	esp, 0Ch
		cmp	[ebp+arg_C], 0
		mov	esi, [ebp+arg_8]
		push	8
		lea	edi, [edx+28h]
		pop	ecx
		rep movsd
		jz	loc_60610B
		mov	eax, [esp+230h+var_200]
		lea	ecx, [esp+230h+var_1CC]
		and	al, 2
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		add	edx, 40h
		and	eax, 0FFFFF090h
		add	eax, 0FB0h
		push	eax
		call	_HvlpAffinityToHvProcessorSet@12 ; HvlpAffinityToHvProcessorSet(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_6060F2
		lea	ecx, [esp+230h+var_200]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		xor	edi, edi
		lea	ecx, [esp+230h+var_200]
		push	edi
		xor	edx, edx
		push	edi
		inc	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	48h
		mov	esi, eax
		pop	eax
		push	eax		; size_t
		push	edi		; int
		push	esi		; void *
		mov	[esp+23Ch+var_220], esi
		call	_memset
		mov	edx, [esp+23Ch+var_220]
		lea	edi, [esi+28h]
		mov	esi, [ebp+arg_8]
		add	esp, 0Ch
		lea	edx, [edx+40h]
		push	8
		pop	ecx
		rep movsd
		push	0FB0h
		lea	ecx, [esp+234h+var_1CC]
		call	_HvlpAffinityToHvProcessorSet@12 ; HvlpAffinityToHvProcessorSet(x,x,x)

loc_6060F2:				; CODE XREF: HvlMapDeviceInterrupt(x,x,x,x,x)+F8j
		mov	edx, [esp+230h+var_220]
		lea	ecx, [eax+50h]
		push	48h
		pop	esi
		lea	eax, [ecx-48h]
		or	dword ptr [edx+3Ch], 2
		cmp	esi, ecx
		sbb	ecx, ecx
		and	ecx, eax
		jmp	short loc_606118
; 

loc_60610B:				; CODE XREF: HvlMapDeviceInterrupt(x,x,x,x,x)+CBj
		mov	ecx, [esp+230h+var_218]
		lea	edi, [edx+38h]
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd

loc_606118:				; CODE XREF: HvlMapDeviceInterrupt(x,x,x,x,x)+15Ej
		mov	eax, [ebp+arg_0]
		xor	esi, esi
		or	dword ptr [edx], 0FFFFFFFFh
		or	dword ptr [edx+4], 0FFFFFFFFh
		cmp	[esp+230h+var_221], 0
		mov	[edx+8], eax
		mov	eax, [ebp+arg_4]
		mov	[edx+0Ch], eax
		mov	dword ptr [edx+10h], 1
		mov	[edx+14h], esi
		jz	short loc_606148
		mov	dword ptr [edx+10h], 3
		mov	[edx+14h], esi

loc_606148:				; CODE XREF: HvlMapDeviceInterrupt(x,x,x,x,x)+191j
		push	7Ch
		pop	edx
		push	[esp+230h+var_1D4]
		lea	eax, [ecx+7]
		mov	[esp+234h+var_218], edx
		push	[esp+234h+var_1D8]
		shl	eax, 0Eh
		push	[esp+238h+var_1EC]
		and	eax, 3FE0000h
		push	[esp+23Ch+var_1F0]
		or	eax, edx
		push	esi
		push	eax
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		mov	edi, eax
		mov	[esp+230h+var_218], edi
		test	di, di
		jnz	short loc_6061A0
		mov	eax, [esp+230h+var_20C]
		mov	esi, eax
		mov	edi, [esp+230h+var_208]
		push	0Ah
		pop	ecx
		movsd
		movsd
		movsd
		movsd
		lea	esi, [eax+10h]
		lea	edi, [esp+230h+var_1C0]
		rep movsd
		mov	edi, [esp+230h+var_218]
		xor	esi, esi
		jmp	short loc_6061A9
; 

loc_6061A0:				; CODE XREF: HvlMapDeviceInterrupt(x,x,x,x,x)+1D1j
		mov	ecx, edi
		call	_HvlpHvToNtStatus@4 ; HvlpHvToNtStatus(x)
		mov	esi, eax

loc_6061A9:				; CODE XREF: HvlMapDeviceInterrupt(x,x,x,x,x)+1F3j
		lea	ecx, [esp+230h+var_200]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		lea	ecx, [esp+230h+var_1E8]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		push	75h
		pop	eax
		cmp	di, 0Bh
		jz	short loc_6061C9
		cmp	di, ax
		jnz	short loc_6061F1

loc_6061C9:				; CODE XREF: HvlMapDeviceInterrupt(x,x,x,x,x)+217j
		cmp	di, ax
		setz	byte ptr [esp+230h+var_204]
		xor	ecx, ecx
		push	[esp+230h+var_204]
		call	_HvlpDepositPages@12 ; HvlpDepositPages(x,x,x)
		push	48h
		pop	esi
		test	eax, eax
		jns	loc_60601B
		mov	[esp+230h+var_221], 1
		jmp	loc_606018
; 

loc_6061F1:				; CODE XREF: HvlMapDeviceInterrupt(x,x,x,x,x)+21Cj
		test	esi, esi
		js	short loc_6061FE
		lea	ecx, [esp+230h+var_1C0]
		call	_HvlpLogIommuEvent@4 ; HvlpLogIommuEvent(x)

loc_6061FE:				; CODE XREF: HvlMapDeviceInterrupt(x,x,x,x,x)+248j
		mov	ecx, [esp+230h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
_HvlMapDeviceInterrupt@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlNotifyAllProcessorsStarted()
_HvlNotifyAllProcessorsStarted@0 proc near ; CODE XREF:	HvlStartBootLogicalProcessors+8A830p

var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_30]
		rep stosd
		push	8
		lea	eax, [ebp+var_18]
		xor	edx, edx
		push	eax
		inc	edx
		lea	ecx, [ebp+var_30]
		xor	esi, esi
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	esi
		push	esi
		push	[ebp+var_1C]
		mov	dword ptr [eax], 4
		push	[ebp+var_20]
		push	esi
		push	87h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		lea	ecx, [ebp+var_30]
		mov	esi, eax
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	ecx, esi
		call	_HvlpHvToNtStatus@4 ; HvlpHvToNtStatus(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_HvlNotifyAllProcessorsStarted@0 endp ;	sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlNotifyDebugDeviceAvailable()
_HvlNotifyDebugDeviceAvailable@0 proc near ; DATA XREF:	HvlGetEnlightenmentInfo(x)+85o

var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+38h+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+40h+var_38]
		rep stosd
		xor	esi, esi
		lea	eax, [esp+40h+var_18]
		push	8
		inc	esi
		lea	ecx, [esp+44h+var_38]
		push	eax
		mov	edx, esi
		xor	edi, edi
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	edi
		push	edi
		push	[esp+48h+var_24]
		mov	[eax], esi
		push	[esp+4Ch+var_28]
		push	edi
		push	87h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		lea	ecx, [esp+40h+var_38]
		mov	esi, eax
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	ecx, [esp+40h+var_4]
		movzx	eax, si
		neg	eax
		pop	edi
		sbb	eax, eax
		pop	esi
		xor	ecx, esp
		and	eax, 0C0000001h
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_HvlNotifyDebugDeviceAvailable@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlQueryAssociatedProcessors(x, x, x)
_HvlQueryAssociatedProcessors@12 proc near ; DATA XREF:	HvlGetEnlightenmentInfo(x)+CDo

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		test	byte ptr ds:_HvlpFlags,	2
		push	edi
		push	6
		pop	ecx
		lea	edi, [ebp+var_34]
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_1C]
		rep stosd
		jnz	short loc_60633D
		mov	eax, 0C0000022h
		jmp	loc_6063E1
; 

loc_60633D:				; CODE XREF: HvlQueryAssociatedProcessors(x,x,x)+22j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_60634E
		mov	eax, 0C000000Dh
		jmp	loc_6063E1
; 

loc_60634E:				; CODE XREF: HvlQueryAssociatedProcessors(x,x,x)+33j
		push	ebx
		push	esi
		push	8
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		xor	ebx, ebx
		inc	edx
		push	ebx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	288h
		push	ebx
		push	2
		pop	edx
		lea	ecx, [ebp+var_1C]
		mov	esi, eax
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	[ebp+var_8]
		mov	ecx, [ebp+arg_0]
		push	[ebp+var_C]
		mov	[ebp+var_4], eax
		push	[ebp+var_20]
		mov	[esi], ecx
		push	[ebp+var_24]
		push	ebx
		push	8Ah
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		test	ax, ax
		jz	short loc_60639E
		mov	ebx, 0C0000001h
		jmp	short loc_6063CD
; 

loc_60639E:				; CODE XREF: HvlQueryAssociatedProcessors(x,x,x)+86j
		mov	eax, [ebp+var_4]
		mov	ecx, [eax]
		cmp	[edi], ecx
		jb	short loc_6063C6
		mov	edx, ebx
		test	ecx, ecx
		jz	short loc_6063CB
		mov	edi, [ebp+arg_8]
		lea	esi, [eax+4]

loc_6063B3:				; CODE XREF: HvlQueryAssociatedProcessors(x,x,x)+B0j
		movzx	eax, word ptr [esi]
		lea	esi, [esi+2]
		mov	[edi+edx*4], eax
		inc	edx
		cmp	edx, ecx
		jb	short loc_6063B3
		mov	edi, [ebp+arg_4]
		jmp	short loc_6063CB
; 

loc_6063C6:				; CODE XREF: HvlQueryAssociatedProcessors(x,x,x)+96j
		mov	ebx, 0C0000023h

loc_6063CB:				; CODE XREF: HvlQueryAssociatedProcessors(x,x,x)+9Cj
					; HvlQueryAssociatedProcessors(x,x,x)+B5j
		mov	[edi], ecx

loc_6063CD:				; CODE XREF: HvlQueryAssociatedProcessors(x,x,x)+8Dj
		lea	ecx, [ebp+var_1C]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		lea	ecx, [ebp+var_34]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		pop	esi
		mov	eax, ebx
		pop	ebx

loc_6063E1:				; CODE XREF: HvlQueryAssociatedProcessors(x,x,x)+29j
					; HvlQueryAssociatedProcessors(x,x,x)+3Aj
		pop	edi
		leave
		retn	0Ch
_HvlQueryAssociatedProcessors@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlResumePartition(x, x)
_HvlResumePartition@8 proc near		; DATA XREF: HvlGetEnlightenmentInfo(x)+E2o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_HvlSetPartitionProperty@20 ; HvlSetPartitionProperty(x,x,x,x,x)
		pop	ebp
		retn	8
_HvlResumePartition@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlRetargetDeviceInterrupt(x, x, x,	x, x, x)
_HvlRetargetDeviceInterrupt@24 proc near ; DATA	XREF: HvlGetEnlightenmentInfo(x)+130o

var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_150		= dword	ptr -150h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_108		= dword	ptr -108h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 190h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+190h+var_4], eax
		mov	eax, [ebp+arg_14]
		push	esi
		push	edi
		push	6
		pop	ecx
		mov	[esp+198h+var_17C], eax
		lea	edi, [esp+198h+var_170]
		xor	eax, eax
		xor	esi, esi
		rep stosd
		push	6
		pop	ecx
		lea	edi, [esp+198h+var_150]
		mov	[esp+198h+var_178], esi
		rep stosd
		push	80h
		lea	eax, [esp+19Ch+var_108]
		mov	[esp+19Ch+var_180], esi
		push	eax
		xor	eax, eax
		lea	ecx, [esp+1A0h+var_170]
		lea	edx, [eax+1]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	38h
		mov	edi, eax
		pop	eax
		push	eax		; size_t
		push	esi		; int
		push	edi		; void *
		mov	[esp+1A4h+var_18C], edi
		mov	[esp+1A4h+var_174], eax
		call	_memset
		mov	esi, [ebp+arg_C]
		lea	ecx, [esp+1A4h+var_134]
		mov	eax, [ebp+arg_10]
		add	edi, 28h
		mov	edx, [esp+1A4h+var_18C]
		add	esp, 0Ch
		movsd
		movsd
		movsd
		movsd
		mov	eax, [eax]
		xor	edi, edi
		mov	[esp+198h+var_12C], eax
		inc	edi
		mov	eax, [esp+198h+var_170]
		xor	esi, esi
		and	al, 2
		mov	word ptr [esp+198h+var_134], di
		movzx	eax, al
		neg	eax
		mov	word ptr [esp+198h+var_134+2], di
		mov	[esp+198h+var_130], esi
		sbb	eax, eax
		add	edx, 30h
		and	eax, 0FFFFF080h
		add	eax, 0FC0h
		push	eax
		call	_HvlpAffinityToHvProcessorSet@12 ; HvlpAffinityToHvProcessorSet(x,x,x)
		mov	[esp+198h+var_188], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_606518
		lea	ecx, [esp+198h+var_170]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		push	esi
		push	esi
		mov	edx, edi
		lea	ecx, [esp+1A0h+var_170]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	38h
		mov	edi, eax
		pop	eax
		push	eax		; size_t
		push	esi		; int
		push	edi		; void *
		mov	[esp+1A4h+var_18C], edi
		call	_memset
		mov	esi, [ebp+arg_C]
		lea	ecx, [esp+1A4h+var_134]
		mov	edx, [esp+1A4h+var_18C]
		add	edi, 28h
		add	esp, 0Ch
		add	edx, 30h
		movsd
		push	0FC0h
		movsd
		movsd
		movsd
		call	_HvlpAffinityToHvProcessorSet@12 ; HvlpAffinityToHvProcessorSet(x,x,x)
		mov	[esp+198h+var_188], eax

loc_606518:				; CODE XREF: HvlRetargetDeviceInterrupt(x,x,x,x,x,x)+CBj
		mov	ecx, [esp+198h+var_18C]
		mov	eax, [ebp+arg_0]
		mov	esi, [ebp+arg_8]
		push	2
		or	dword ptr [ecx], 0FFFFFFFFh
		lea	edi, [ecx+10h]
		or	dword ptr [ecx+4], 0FFFFFFFFh
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+0Ch], eax
		pop	edx
		or	[ecx+2Ch], edx
		movsd
		movsd
		movsd
		movsd
		mov	edi, [esp+198h+var_17C]
		test	edi, edi
		jz	short loc_60656C
		push	10h
		lea	eax, [esp+19Ch+var_128]
		push	eax
		lea	ecx, [esp+1A0h+var_150]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	esi, [esp+198h+var_140]
		and	[esp+198h+var_184], 0
		mov	[esp+198h+var_180], eax
		mov	eax, [esp+198h+var_13C]
		push	7Fh
		jmp	short loc_606576
; 

loc_60656C:				; CODE XREF: HvlRetargetDeviceInterrupt(x,x,x,x,x,x)+147j
		xor	eax, eax
		mov	esi, eax
		mov	[esp+198h+var_184], eax
		push	7Eh

loc_606576:				; CODE XREF: HvlRetargetDeviceInterrupt(x,x,x,x,x,x)+16Cj
		mov	ecx, [esp+19Ch+var_188]
		add	ecx, 40h
		mov	[esp+19Ch+var_18C], eax
		mov	eax, ecx
		pop	edx
		push	[esp+198h+var_18C]
		shl	eax, 0Eh
		sub	eax, 0E0000h
		cmp	[esp+19Ch+var_174], ecx
		push	esi
		push	[esp+1A0h+var_15C]
		sbb	ecx, ecx
		push	[esp+1A4h+var_160]
		and	ecx, eax
		push	[esp+1A8h+var_184]
		add	ecx, 1C000h
		and	ecx, 3FE0000h
		or	ecx, edx
		push	ecx
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		test	ax, ax
		jnz	short loc_6065D0
		test	edi, edi
		jz	short loc_6065E8
		mov	esi, [esp+198h+var_180]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [esp+198h+var_17C]
		jmp	short loc_6065DB
; 

loc_6065D0:				; CODE XREF: HvlRetargetDeviceInterrupt(x,x,x,x,x,x)+1BEj
		mov	ecx, eax
		call	_HvlpHvToNtStatus@4 ; HvlpHvToNtStatus(x)
		mov	[esp+198h+var_178], eax

loc_6065DB:				; CODE XREF: HvlRetargetDeviceInterrupt(x,x,x,x,x,x)+1D0j
		test	edi, edi
		jz	short loc_6065E8
		lea	ecx, [esp+198h+var_150]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)

loc_6065E8:				; CODE XREF: HvlRetargetDeviceInterrupt(x,x,x,x,x,x)+1C2j
					; HvlRetargetDeviceInterrupt(x,x,x,x,x,x)+1DFj
		lea	ecx, [esp+198h+var_170]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	ecx, [esp+198h+var_4]
		mov	eax, [esp+198h+var_178]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
_HvlRetargetDeviceInterrupt@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlSendSyntheticClusterIpi(x, x)
_HvlSendSyntheticClusterIpi@8 proc near	; DATA XREF: HvlGetEnlightenmentInfo(x)+64o

var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_8], 0Bh
		mov	ecx, [ecx+8]
		call	_HvlpAffinityToVirtualAffinity@4 ; HvlpAffinityToVirtualAffinity(x)
		push	edx
		push	eax
		push	0
		push	[ebp+arg_4]
		push	0
		push	1000Bh
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		movzx	eax, ax
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000001h
		leave
		retn	8
_HvlSendSyntheticClusterIpi@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlSetPartitionProperty(x, x, x, x,	x)
_HvlSetPartitionProperty@20 proc near	; CODE XREF: HvlResumePartition(x,x)+Fp
					; HvlSuspendPartition(x,x)+Fp

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		test	byte ptr ds:_HvlpFlags,	2
		push	edi
		push	6
		pop	ecx
		lea	edi, [ebp+var_18]
		rep stosd
		pop	edi
		jnz	short loc_60666B
		mov	eax, 0C0000022h
		jmp	short locret_6066C1
; 

loc_60666B:				; CODE XREF: HvlSetPartitionProperty(x,x,x,x,x)+1Bj
		push	esi
		push	18h
		xor	edx, edx
		lea	ecx, [ebp+var_18]
		xor	esi, esi
		inc	edx
		push	esi
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	ecx, [ebp+arg_0]
		push	esi
		push	esi
		push	[ebp+var_4]
		mov	[eax], ecx
		push	[ebp+var_8]
		mov	ecx, [ebp+arg_4]
		mov	[eax+4], ecx
		mov	ecx, [ebp+arg_8]
		push	esi
		mov	[eax+10h], ecx
		mov	ecx, [ebp+arg_C]
		push	45h
		mov	dword ptr [eax+8], 20000h
		mov	[eax+14h], ecx
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		lea	ecx, [ebp+var_18]
		mov	esi, eax
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		movzx	eax, si
		neg	eax
		pop	esi
		sbb	eax, eax
		and	eax, 0C0000001h

locret_6066C1:				; CODE XREF: HvlSetPartitionProperty(x,x,x,x,x)+22j
		leave
		retn	10h
_HvlSetPartitionProperty@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlSetQpcBias(x, x)
_HvlSetQpcBias@8 proc near		; DATA XREF: HvlGetEnlightenmentInfo(x)+147o

var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 78h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+78h+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+80h+var_78]
		rep stosd
		push	28h
		lea	eax, [esp+84h+var_58]
		xor	edx, edx
		push	eax
		inc	edx
		lea	ecx, [esp+88h+var_78]
		xor	esi, esi
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	ecx, [ebp+arg_0]
		push	esi
		push	esi
		push	[esp+88h+var_64]
		mov	[eax+8], ecx
		push	[esp+8Ch+var_68]
		mov	ecx, [ebp+arg_4]
		push	esi
		push	6Fh
		mov	dword ptr [eax], 12h
		mov	[eax+0Ch], ecx
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		lea	ecx, [esp+80h+var_78]
		mov	esi, eax
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	ecx, [esp+80h+var_4]
		movzx	eax, si
		neg	eax
		pop	edi
		sbb	eax, eax
		pop	esi
		xor	ecx, esp
		and	eax, 0C0000001h
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_HvlSetQpcBias@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlSetSystemMachineCheckProperty(x)
_HvlSetSystemMachineCheckProperty@4 proc near ;	DATA XREF: HvlGetEnlightenmentInfo(x)+E9o

var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 78h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+78h+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+80h+var_78]
		rep stosd
		push	28h
		lea	eax, [esp+84h+var_58]
		xor	edx, edx
		push	eax
		inc	edx
		lea	ecx, [esp+88h+var_78]
		xor	esi, esi
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	edx, [ebp+arg_0]
		push	esi
		push	esi
		push	[esp+88h+var_64]
		mov	dword ptr [eax], 4
		push	[esp+8Ch+var_68]
		mov	ecx, [edx]
		push	esi
		mov	[eax+8], ecx
		mov	ecx, [edx+4]
		push	6Fh
		mov	[eax+0Ch], ecx
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		lea	ecx, [esp+80h+var_78]
		mov	esi, eax
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	ecx, [esp+80h+var_4]
		movzx	eax, si
		neg	eax
		pop	edi
		sbb	eax, eax
		pop	esi
		xor	ecx, esp
		and	eax, 0C0000001h
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_HvlSetSystemMachineCheckProperty@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlSetSystemSleepProperty(x, x, x)
_HvlSetSystemSleepProperty@12 proc near	; DATA XREF: HvlGetEnlightenmentInfo(x)+77o

var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 78h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+78h+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+80h+var_78]
		rep stosd
		push	28h
		lea	eax, [esp+84h+var_58]
		xor	edx, edx
		push	eax
		inc	edx
		lea	ecx, [esp+88h+var_78]
		xor	esi, esi
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	ecx, [ebp+arg_0]
		push	esi
		push	esi
		push	[esp+88h+var_64]
		mov	[eax+8], ecx
		push	[esp+8Ch+var_68]
		mov	cl, [ebp+arg_4]
		mov	[eax+0Ch], cl
		mov	cl, [ebp+arg_8]
		push	esi
		push	6Fh
		mov	dword ptr [eax], 3
		mov	[eax+0Dh], cl
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		lea	ecx, [esp+80h+var_78]
		mov	esi, eax
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	ecx, [esp+80h+var_4]
		movzx	eax, si
		neg	eax
		pop	edi
		sbb	eax, eax
		pop	esi
		xor	ecx, esp
		and	eax, 0C0000001h
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_HvlSetSystemSleepProperty@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlSuspendPartition(x, x)
_HvlSuspendPartition@8 proc near	; DATA XREF: HvlGetEnlightenmentInfo(x)+DBo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	1
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_HvlSetPartitionProperty@20 ; HvlSetPartitionProperty(x,x,x,x,x)
		pop	ebp
		retn	8
_HvlSuspendPartition@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlUnmapDeviceInterrupt(x, x, x)
_HvlUnmapDeviceInterrupt@12 proc near	; DATA XREF: HvlGetEnlightenmentInfo(x)+129o

var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 78h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+78h+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+80h+var_78]
		rep stosd
		push	28h
		lea	eax, [esp+84h+var_58]
		xor	edx, edx
		push	eax
		inc	edx
		lea	ecx, [esp+88h+var_78]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	esi, [ebp+arg_8]
		or	dword ptr [eax], 0FFFFFFFFh
		lea	edi, [eax+10h]
		or	dword ptr [eax+4], 0FFFFFFFFh
		mov	[eax+8], ecx
		mov	ecx, [ebp+arg_4]
		mov	[eax+0Ch], ecx
		xor	ecx, ecx
		movsd
		push	ecx
		push	ecx
		push	[esp+88h+var_64]
		movsd
		push	[esp+8Ch+var_68]
		push	ecx
		movsd
		push	7Dh
		movsd
		mov	[eax+20h], ecx
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		lea	ecx, [esp+80h+var_78]
		mov	esi, eax
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	ecx, esi
		call	_HvlpHvToNtStatus@4 ; HvlpHvToNtStatus(x)
		mov	ecx, [esp+80h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_HvlUnmapDeviceInterrupt@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlGetEncryptedData(x, x, x, x, x)
_HvlGetEncryptedData@20	proc near	; DATA XREF: IopLoadCrashdumpDriver+A1o

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 0
		jz	short loc_606927
		test	[ebp+arg_8], 0FFFh
		jnz	short loc_606927
		mov	eax, [ebp+arg_C]
		and	dword ptr [eax], 0
		mov	eax, 0C0000225h
		jmp	short loc_60692C
; 

loc_606927:				; CODE XREF: HvlGetEncryptedData(x,x,x,x,x)+9j
					; HvlGetEncryptedData(x,x,x,x,x)+12j
		mov	eax, 0C000000Dh

loc_60692C:				; CODE XREF: HvlGetEncryptedData(x,x,x,x,x)+1Fj
		pop	ebp
		retn	14h
_HvlGetEncryptedData@20	endp


;  S U B	R O U T	I N E 


; __stdcall HvlpInitializeHvCrashdumpPhase2()
_HvlpInitializeHvCrashdumpPhase2@0 proc	near ; CODE XREF: HvlPhase2Initialize:loc_5FB2F7p
		push	4
		pop	edx
		mov	ecx, offset _HvlpFlags
		call	IoAddTriageDumpDataBlock
		push	4
		pop	edx
		mov	ecx, offset _HvlpRootFlags
		call	IoAddTriageDumpDataBlock
		push	4
		pop	edx
		mov	ecx, offset _HvlpEnlightenments
		jmp	IoAddTriageDumpDataBlock
_HvlpInitializeHvCrashdumpPhase2@0 endp


;  S U B	R O U T	I N E 


; __stdcall HvlpEtwRegister()
_HvlpEtwRegister@0 proc	near		; CODE XREF: HvlPhase2Initialize:loc_5FB2B0p
					; HvlPhase2Initialize+7DDD9p
		mov	edi, edi
		push	ecx
		push	offset _HvlGlobalSystemEventsHandle
		push	0
		push	0
		push	offset _HvlGlobalSystemEventsGuid
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		movzx	eax, word ptr ds:?Traits@?1??EnableManifestedProviderForMicrosoftTelemetry@@9@9	; `EnableManifestedProviderForMicrosoftTelemetry'::`2'::Traits
		push	eax
		push	offset ?Traits@?1??EnableManifestedProviderForMicrosoftTelemetry@@9@9 ;	`EnableManifestedProviderForMicrosoftTelemetry'::`2'::Traits
		push	2
		push	ds:dword_6CE9FC
		push	ds:_HvlGlobalSystemEventsHandle
		call	EtwSetInformation
		pop	ecx
		retn
_HvlpEtwRegister@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpLogGuestStateScrubbingStatus()
_HvlpLogGuestStateScrubbingStatus@0 proc near ;	CODE XREF: HvlPhase2Initialize+7DDF5p

var_948		= dword	ptr -948h
var_938		= dword	ptr -938h
var_934		= dword	ptr -934h
var_930		= dword	ptr -930h
var_920		= dword	ptr -920h
var_91C		= dword	ptr -91Ch
var_914		= dword	ptr -914h
var_910		= dword	ptr -910h
var_90C		= dword	ptr -90Ch
var_908		= dword	ptr -908h
var_904		= dword	ptr -904h
var_900		= dword	ptr -900h
var_8FC		= dword	ptr -8FCh
var_8F8		= dword	ptr -8F8h
var_8F4		= dword	ptr -8F4h
var_8F0		= dword	ptr -8F0h
var_8EC		= dword	ptr -8ECh
var_8E8		= dword	ptr -8E8h
var_8E4		= dword	ptr -8E4h
var_8E0		= dword	ptr -8E0h
var_8DC		= dword	ptr -8DCh
var_8D8		= dword	ptr -8D8h
var_8D4		= dword	ptr -8D4h
var_8D0		= dword	ptr -8D0h
var_8CC		= dword	ptr -8CCh
var_8C8		= dword	ptr -8C8h
var_8C4		= dword	ptr -8C4h
var_8C0		= dword	ptr -8C0h
var_8BC		= dword	ptr -8BCh
var_8B8		= dword	ptr -8B8h
var_8B4		= dword	ptr -8B4h
var_8B0		= dword	ptr -8B0h
var_8AC		= dword	ptr -8ACh
var_8A8		= dword	ptr -8A8h
var_8A4		= dword	ptr -8A4h
var_8A0		= dword	ptr -8A0h
var_89C		= dword	ptr -89Ch
var_898		= dword	ptr -898h
var_894		= dword	ptr -894h
var_890		= dword	ptr -890h
var_88C		= dword	ptr -88Ch
var_888		= dword	ptr -888h
var_884		= dword	ptr -884h
var_880		= dword	ptr -880h
var_87C		= dword	ptr -87Ch
var_878		= dword	ptr -878h
var_874		= dword	ptr -874h
var_870		= dword	ptr -870h
var_86C		= dword	ptr -86Ch
var_868		= dword	ptr -868h
var_864		= dword	ptr -864h
var_860		= dword	ptr -860h
var_85C		= dword	ptr -85Ch
var_858		= dword	ptr -858h
var_854		= dword	ptr -854h
var_850		= dword	ptr -850h
var_84C		= dword	ptr -84Ch
var_848		= dword	ptr -848h
var_844		= dword	ptr -844h
var_840		= dword	ptr -840h
var_83C		= dword	ptr -83Ch
var_838		= dword	ptr -838h
var_834		= dword	ptr -834h
var_830		= dword	ptr -830h
var_82C		= dword	ptr -82Ch
var_828		= dword	ptr -828h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 948h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_948]
		and	ds:_HvlpGuestStateScrubbingStatus, eax
		xor	edx, edx
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_930]
		inc	edx
		rep stosd
		push	8
		lea	eax, [ebp+var_18]
		push	eax
		lea	ecx, [ebp+var_948]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	408h
		mov	esi, eax
		lea	ecx, [ebp+var_930]
		lea	eax, [ebp+var_828]
		push	eax
		push	2
		pop	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	[ebp+var_91C]
		mov	edi, eax
		mov	dword ptr [esi], 19h
		push	[ebp+var_920]
		push	[ebp+var_934]
		push	[ebp+var_938]
		push	0
		push	7Bh
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		test	ax, ax
		jnz	short loc_606A3B
		mov	eax, [edi]
		mov	ds:_HvlpGuestStateScrubbingStatus, eax

loc_606A3B:				; CODE XREF: HvlpLogGuestStateScrubbingStatus()+A3j
		lea	ecx, [ebp+var_930]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		lea	ecx, [ebp+var_948]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	ecx, ds:_HvlpGuestStateScrubbingStatus
		test	ecx, ecx
		jz	loc_606CAB
		mov	eax, ecx
		lea	esi, [ebp+var_8EC]
		and	eax, 1
		mov	[ebp+var_8D8], esi
		mov	[ebp+var_8F0], eax
		xor	edx, edx
		lea	eax, [ebp+var_8F0]
		mov	[ebp+var_8E4], edx
		mov	[ebp+var_8E8], eax
		mov	eax, ecx
		shr	eax, 1
		and	eax, 1
		mov	[ebp+var_8DC], edx
		mov	[ebp+var_8EC], eax
		mov	eax, ecx
		shr	eax, 2
		and	eax, 1
		mov	[ebp+var_8D4], edx
		mov	[ebp+var_8F4], eax
		lea	eax, [ebp+var_8F4]
		mov	[ebp+var_8C8], eax
		mov	eax, ecx
		shr	eax, 3
		and	eax, 1
		mov	[ebp+var_8CC], edx
		mov	[ebp+var_8F8], eax
		lea	eax, [ebp+var_8F8]
		mov	[ebp+var_8B8], eax
		mov	eax, ecx
		shr	eax, 4
		and	eax, 1
		mov	[ebp+var_8C4], edx
		mov	[ebp+var_8FC], eax
		lea	eax, [ebp+var_8FC]
		mov	[ebp+var_8A8], eax
		mov	eax, ecx
		shr	eax, 5
		and	eax, 1
		mov	[ebp+var_8BC], edx
		mov	[ebp+var_900], eax
		lea	eax, [ebp+var_900]
		mov	[ebp+var_898], eax
		mov	eax, ecx
		shr	eax, 7
		and	eax, 1
		shr	ecx, 8
		mov	[ebp+var_904], eax
		and	ecx, 1
		lea	eax, [ebp+var_904]
		mov	[ebp+var_8B4], edx
		push	4
		pop	edi
		mov	[ebp+var_888], eax
		lea	eax, [ebp+var_908]
		mov	[ebp+var_878], eax
		lea	eax, [ebp+var_8E8]
		push	eax
		push	8
		mov	[ebp+var_8AC], edx
		mov	[ebp+var_8A4], edx
		mov	[ebp+var_89C], edx
		mov	[ebp+var_894], edx
		mov	[ebp+var_88C], edx
		mov	[ebp+var_884], edx
		mov	[ebp+var_87C], edx
		mov	[ebp+var_908], ecx
		mov	ecx, offset _HV_EVENTLOG_GUEST_STATE_SCRUBBING
		mov	[ebp+var_874], edx
		mov	[ebp+var_86C], edx
		pop	edx
		mov	[ebp+var_8E0], edi
		mov	[ebp+var_8D0], edi
		mov	[ebp+var_8C0], edi
		mov	[ebp+var_8B0], edi
		mov	[ebp+var_8A0], edi
		mov	[ebp+var_890], edi
		mov	[ebp+var_880], edi
		mov	[ebp+var_870], edi
		call	HvlpWriteEventLog
		mov	ecx, ds:_HvlpGuestStateScrubbingStatus
		mov	eax, ecx
		shr	eax, 0Bh
		xor	edx, edx
		and	eax, 1
		mov	[ebp+var_864], edx
		mov	[ebp+var_90C], eax
		lea	eax, [ebp+var_90C]
		mov	[ebp+var_868], eax
		mov	eax, ecx
		shr	eax, 1
		and	eax, 1
		mov	[ebp+var_85C], edx
		mov	[ebp+var_8EC], eax
		mov	eax, ecx
		shr	eax, 9
		and	eax, 1
		shr	ecx, 0Ah
		mov	[ebp+var_910], eax
		and	ecx, 1
		lea	eax, [ebp+var_910]
		mov	[ebp+var_854], edx
		mov	[ebp+var_848], eax
		lea	eax, [ebp+var_914]
		mov	[ebp+var_838], eax
		lea	eax, [ebp+var_868]
		mov	[ebp+var_84C], edx
		mov	[ebp+var_844], edx
		mov	[ebp+var_83C], edx
		mov	[ebp+var_914], ecx
		mov	ecx, offset _HV_EVENTLOG_MDS_MITIGATION_STATUS
		mov	[ebp+var_834], edx
		mov	[ebp+var_82C], edx
		mov	edx, edi
		push	eax
		mov	[ebp+var_860], edi
		mov	[ebp+var_858], esi
		mov	[ebp+var_850], edi
		mov	[ebp+var_840], edi
		mov	[ebp+var_830], edi
		call	HvlpWriteEventLog
		test	byte ptr ds:_HvlpGuestStateScrubbingStatus, 40h
		jz	short loc_606CAB
		push	0
		xor	edx, edx
		mov	ecx, offset _HV_EVENTLOG_GUEST_STATE_SCRUBBING_DISABLED_CORE_SCHEDULER
		call	HvlpWriteEventLog

loc_606CAB:				; CODE XREF: HvlpLogGuestStateScrubbingStatus()+CAj
					; HvlpLogGuestStateScrubbingStatus()+30Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_HvlpLogGuestStateScrubbingStatus@0 endp ; sp =	 4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpLogHypervisorLaunchError(x, x, x, x, x,	x, x, x, x, x)
_HvlpLogHypervisorLaunchError@40 proc near ; CODE XREF:	HvlPhase2Initialize+7DD96p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	0Ah
		pop	ecx
		lea	esi, [ebp+arg_0]
		lea	edi, [ebp+var_70]
		rep movsd
		mov	eax, [ebp+var_6C]
		xor	ecx, ecx
		cmp	[ebp+var_70], 23h
		jnz	short loc_606D0D
		cmp	eax, ecx
		jnz	short loc_606D0D
		lea	eax, [ebp+var_68]
		mov	[ebp+var_44], ecx
		mov	[ebp+var_48], eax
		xor	edx, edx
		lea	eax, [ebp+var_48]
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_40], 4
		inc	edx
		push	eax
		mov	ecx, offset _HV_EVENTLOG_BAL_HYPERVISOR_INIT_FAILED
		jmp	short loc_606D1F
; 

loc_606D0D:				; CODE XREF: HvlpLogHypervisorLaunchError(x,x,x,x,x,x,x,x,x,x)+28j
					; HvlpLogHypervisorLaunchError(x,x,x,x,x,x,x,x,x,x)+2Cj
		cmp	[ebp+var_70], 26h
		jnz	short loc_606D24
		cmp	eax, ecx
		jnz	short loc_606D24
		push	ecx
		xor	edx, edx
		mov	ecx, offset _HV_EVENTLOG_BAL_TOO_MANY_RS_MEMORY_RANGES

loc_606D1F:				; CODE XREF: HvlpLogHypervisorLaunchError(x,x,x,x,x,x,x,x,x,x)+4Dj
		call	HvlpWriteEventLog

loc_606D24:				; CODE XREF: HvlpLogHypervisorLaunchError(x,x,x,x,x,x,x,x,x,x)+53j
					; HvlpLogHypervisorLaunchError(x,x,x,x,x,x,x,x,x,x)+57j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	28h
_HvlpLogHypervisorLaunchError@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpLogHypervisorSchedulerType()
_HvlpLogHypervisorSchedulerType@0 proc near ; CODE XREF: HvlPhase2Initialize+7DDEBp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_14]
		and	[ebp+var_8], 0
		xor	edx, edx
		push	eax
		inc	edx
		mov	[ebp+var_14], offset _HvlpSchedulerType
		mov	ecx, offset _HV_EVENTLOG_SCHEDULER_TYPE
		mov	[ebp+var_C], 4
		call	HvlpWriteEventLog
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_HvlpLogHypervisorSchedulerType@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpLogIommuEvent(x)
_HvlpLogIommuEvent@4 proc near		; CODE XREF: HvlMapDeviceInterrupt(x,x,x,x,x)+24Ep

var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		test	byte ptr ds:_HvlpRootFlags, 1
		push	edi
		mov	edi, ecx
		jz	loc_606E3A
		cmp	byte ptr [edi],	0
		jz	loc_606E3A
		movzx	eax, word ptr [edi+2]
		sub	eax, 1
		jz	short loc_606DF8
		sub	eax, 1
		jz	short loc_606DF1
		sub	eax, 1
		jz	short loc_606DEA
		sub	eax, 1
		jz	short loc_606DDD
		sub	eax, 1
		jz	short loc_606DCD
		sub	eax, 1
		jnz	short loc_606E3A
		mov	ecx, offset _HV_EVENTLOG_IOMMU_FAILED_RESERVED_DEVICE
		jmp	short loc_606DFD
; 

loc_606DCD:				; CODE XREF: HvlpLogIommuEvent(x)+46j
		push	3
		pop	edx
		push	8
		pop	eax
		mov	ecx, offset _HV_EVENTLOG_IOMMU_FAILED_NO_DEVICE_ASSIGNMENT
		mov	[ebp+var_8], eax
		jmp	short loc_606E03
; 

loc_606DDD:				; CODE XREF: HvlpLogIommuEvent(x)+41j
		mov	ecx, offset _HV_EVENTLOG_IOMMU_FAILED_INVALID_IOAPIC
		xor	edx, edx
		inc	edx
		mov	[ebp+var_10], edx
		jmp	short loc_606E09
; 

loc_606DEA:				; CODE XREF: HvlpLogIommuEvent(x)+3Cj
		mov	ecx, offset _HV_EVENTLOG_IOMMU_FAILED_NO_RESOURCES
		jmp	short loc_606DFD
; 

loc_606DF1:				; CODE XREF: HvlpLogIommuEvent(x)+37j
		mov	ecx, offset _HV_EVENTLOG_IOMMU_FAILED_RID_CONFLICT
		jmp	short loc_606DFD
; 

loc_606DF8:				; CODE XREF: HvlpLogIommuEvent(x)+32j
		mov	ecx, offset _HV_EVENTLOG_IOMMU_WARNING_SCOPE_CONFLICT

loc_606DFD:				; CODE XREF: HvlpLogIommuEvent(x)+52j
					; HvlpLogIommuEvent(x)+76j ...
		push	2
		pop	edx
		push	8
		pop	eax

loc_606E03:				; CODE XREF: HvlpLogIommuEvent(x)+62j
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], eax

loc_606E09:				; CODE XREF: HvlpLogIommuEvent(x)+6Fj
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	esi, [ebp+var_34]

loc_606E10:				; CODE XREF: HvlpLogIommuEvent(x)+B4j
		and	dword ptr [esi-8], 0
		lea	eax, [edi+8]
		and	dword ptr [esi], 0
		lea	eax, [eax+ebx*8]
		mov	[esi-0Ch], eax
		lea	esi, [esi+10h]
		mov	eax, [ebp+ebx*4+var_10]
		inc	ebx
		mov	[esi-14h], eax
		cmp	ebx, edx
		jb	short loc_606E10
		lea	eax, [ebp+var_40]
		push	eax
		call	HvlpWriteEventLog
		pop	esi
		pop	ebx

loc_606E3A:				; CODE XREF: HvlpLogIommuEvent(x)+1Cj
					; HvlpLogIommuEvent(x)+25j ...
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_HvlpLogIommuEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpLogIommuInitStatus()
_HvlpLogIommuInitStatus@0 proc near	; CODE XREF: HvlPhase2Initialize+7DDF0p

var_900		= dword	ptr -900h
var_8F0		= dword	ptr -8F0h
var_8EC		= dword	ptr -8ECh
var_8E8		= dword	ptr -8E8h
var_8D8		= dword	ptr -8D8h
var_8D4		= dword	ptr -8D4h
var_8D0		= dword	ptr -8D0h
var_8CC		= dword	ptr -8CCh
var_8C8		= dword	ptr -8C8h
var_8C0		= dword	ptr -8C0h
var_8BC		= dword	ptr -8BCh
var_8B8		= dword	ptr -8B8h
var_8B0		= dword	ptr -8B0h
var_8A8		= dword	ptr -8A8h
var_8A4		= dword	ptr -8A4h
var_8A0		= dword	ptr -8A0h
var_898		= dword	ptr -898h
var_894		= dword	ptr -894h
var_890		= dword	ptr -890h
var_88C		= dword	ptr -88Ch
var_888		= dword	ptr -888h
var_884		= dword	ptr -884h
var_880		= dword	ptr -880h
var_87C		= dword	ptr -87Ch
var_878		= dword	ptr -878h
var_874		= dword	ptr -874h
var_870		= dword	ptr -870h
var_86C		= dword	ptr -86Ch
var_868		= dword	ptr -868h
var_864		= dword	ptr -864h
var_860		= dword	ptr -860h
var_85C		= dword	ptr -85Ch
var_858		= dword	ptr -858h
var_854		= dword	ptr -854h
var_850		= dword	ptr -850h
var_84C		= dword	ptr -84Ch
var_848		= dword	ptr -848h
var_844		= dword	ptr -844h
var_840		= dword	ptr -840h
var_83C		= dword	ptr -83Ch
var_838		= dword	ptr -838h
var_834		= dword	ptr -834h
var_830		= dword	ptr -830h
var_82C		= dword	ptr -82Ch
var_828		= dword	ptr -828h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 900h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_900]
		rep stosd
		push	6
		pop	ecx
		push	30h		; size_t
		lea	edi, [ebp+var_8E8]
		push	eax		; int
		rep stosd
		lea	eax, [ebp+var_8C8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_18]
		xor	edx, edx
		lea	ecx, [ebp+var_900]
		inc	edx
		push	8
		push	eax
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	408h
		mov	esi, eax
		lea	ecx, [ebp+var_8E8]
		lea	eax, [ebp+var_828]
		push	eax
		push	2
		pop	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	[ebp+var_8D4]
		mov	dword ptr [esi], 5
		mov	edi, eax
		push	[ebp+var_8D8]
		xor	esi, esi
		push	[ebp+var_8EC]
		push	[ebp+var_8F0]
		push	esi
		push	7Bh
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		test	ax, ax
		jnz	short loc_606F08
		push	0Ch
		mov	esi, edi
		lea	edi, [ebp+var_8C8]
		pop	ecx
		rep movsd
		xor	esi, esi

loc_606F08:				; CODE XREF: HvlpLogIommuInitStatus()+B0j
		lea	ecx, [ebp+var_8E8]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		lea	ecx, [ebp+var_900]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		movzx	eax, byte ptr [ebp+var_8C8]
		mov	[ebp+var_8CC], eax
		lea	eax, [ebp+var_8CC]
		mov	[ebp+var_898], eax
		movzx	eax, byte ptr [ebp+var_8C8+1]
		mov	[ebp+var_8D0], eax
		lea	eax, [ebp+var_8D0]
		mov	[ebp+var_888], eax
		lea	eax, [ebp+var_8C0]
		mov	[ebp+var_878], eax
		lea	eax, [ebp+var_8B8]
		mov	[ebp+var_868], eax
		lea	eax, [ebp+var_8B0]
		push	4
		pop	ecx
		mov	[ebp+var_858], eax
		lea	eax, [ebp+var_8A8]
		push	8
		mov	[ebp+var_848], eax
		lea	eax, [ebp+var_8A0]
		mov	[ebp+var_890], ecx
		mov	[ebp+var_880], ecx
		pop	ecx
		mov	[ebp+var_838], eax
		lea	eax, [ebp+var_898]
		push	eax
		push	7
		mov	[ebp+var_870], ecx
		mov	[ebp+var_860], ecx
		mov	[ebp+var_850], ecx
		mov	[ebp+var_840], ecx
		mov	[ebp+var_830], ecx
		mov	ecx, offset _HV_EVENTLOG_IOMMU_INIT
		pop	edx
		mov	[ebp+var_894], esi
		mov	[ebp+var_88C], esi
		mov	[ebp+var_884], esi
		mov	[ebp+var_87C], esi
		mov	[ebp+var_874], esi
		mov	[ebp+var_86C], esi
		mov	[ebp+var_864], esi
		mov	[ebp+var_85C], esi
		mov	[ebp+var_854], esi
		mov	[ebp+var_84C], esi
		mov	[ebp+var_844], esi
		mov	[ebp+var_83C], esi
		mov	[ebp+var_834], esi
		mov	[ebp+var_82C], esi
		call	HvlpWriteEventLog
		cmp	byte ptr [ebp+var_8C8+1], 0
		jz	short loc_607059
		cmp	[ebp+var_8C0], 1
		jnz	short loc_607059
		cmp	[ebp+var_8BC], esi
		jnz	short loc_607059
		mov	eax, [ebp+var_8A8]
		or	eax, [ebp+var_8A4]
		jz	short loc_607059
		push	esi
		xor	edx, edx
		mov	ecx, offset _HV_EVENTLOG_IOMMU_INIT_POLICY_ENABLE
		call	HvlpWriteEventLog

loc_607059:				; CODE XREF: HvlpLogIommuInitStatus()+1E4j
					; HvlpLogIommuInitStatus()+1EDj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_HvlpLogIommuInitStatus@0 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpLogProcessorStartupFailure(x, x, x)
_HvlpLogProcessorStartupFailure@12 proc	near ; CODE XREF: HvlPhase2Initialize+7DE22p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], ecx
		lea	eax, [ebp+var_68]
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], esi
		mov	[ebp+var_58], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_48], esi
		cmp	edx, 3Ch
		jz	short loc_6070B6
		push	4
		pop	ecx
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_4C], ecx
		mov	ecx, offset _HV_EVENTLOG_PROCESSOR_STARTUP_FAILED
		mov	[ebp+var_54], eax
		push	2
		jmp	short loc_607100
; 

loc_6070B6:				; CODE XREF: HvlpLogProcessorStartupFailure(x,x,x)+30j
		mov	ecx, [ebp+arg_0]
		push	8
		pop	edx
		mov	[ebp+var_5C], 4
		lea	eax, [ecx+8]
		mov	[ebp+var_4C], edx
		mov	[ebp+var_54], eax
		lea	eax, [ecx+10h]
		mov	[ebp+var_44], eax
		lea	eax, [ecx+18h]
		mov	[ebp+var_34], eax
		lea	eax, [ecx+20h]
		mov	[ebp+var_40], esi
		mov	ecx, offset _HV_EVENTLOG_PROCESSOR_CPUID_VALIDATION_ERROR
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], esi
		push	5

loc_607100:				; CODE XREF: HvlpLogProcessorStartupFailure(x,x,x)+48j
		pop	edx
		lea	eax, [ebp+var_64]
		push	eax
		call	HvlpWriteEventLog
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_HvlpLogProcessorStartupFailure@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlpWriteEventLog proc near		; CODE XREF: HvlPhase2Initialize+7DDE6p
					; HvlPhase2Initialize+7DE38p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_HvlGlobalSystemEventsHandle
		test	eax, eax
		jnz	short loc_60712F
		cmp	ds:dword_6CE9FC, eax
		jz	short loc_607142

loc_60712F:				; CODE XREF: HvlpWriteEventLog+Cj
		push	[ebp+arg_0]
		push	edx
		push	0
		push	ecx
		push	ds:dword_6CE9FC
		push	eax
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_607142:				; CODE XREF: HvlpWriteEventLog+14j
		pop	ebp
		retn	4
HvlpWriteEventLog endp


;  S U B	R O U T	I N E 


; __stdcall HvlpGetRegister64(x, x)
_HvlpGetRegister64@8 proc near		; CODE XREF: HvlGetReferenceTimeUsingTscPage(x)+87p
					; HvlEnlightenProcessor+81865p	...
		mov	eax, 90004h
		push	esi
		mov	esi, edx
		cmp	ecx, eax
		jg	short loc_6071B6
		jz	short loc_6071AF
		cmp	ecx, 210h
		jl	loc_6071F5
		cmp	ecx, 214h
		jle	short loc_6071A7
		cmp	ecx, 215h
		jz	short loc_6071A0
		cmp	ecx, 270h
		jz	short loc_607199
		cmp	ecx, 90002h
		jz	short loc_607192
		cmp	ecx, 90003h
		jnz	short loc_6071F5
		mov	ecx, 40000002h
		jmp	loc_607214
; 

loc_607192:				; CODE XREF: HvlpGetRegister64(x,x)+38j
		mov	ecx, 40000000h
		jmp	short loc_607214
; 

loc_607199:				; CODE XREF: HvlpGetRegister64(x,x)+30j
		mov	ecx, 40000116h
		jmp	short loc_607214
; 

loc_6071A0:				; CODE XREF: HvlpGetRegister64(x,x)+28j
		mov	ecx, 40000105h
		jmp	short loc_607214
; 

loc_6071A7:				; CODE XREF: HvlpGetRegister64(x,x)+20j
		add	ecx, 3FFFFEF0h
		jmp	short loc_607214
; 

loc_6071AF:				; CODE XREF: HvlpGetRegister64(x,x)+Cj
		mov	ecx, 40000020h
		jmp	short loc_607214
; 

loc_6071B6:				; CODE XREF: HvlpGetRegister64(x,x)+Aj
		cmp	ecx, 90007h
		jz	short loc_60720F
		cmp	ecx, 90013h
		jz	short loc_607208
		cmp	ecx, 90017h
		jz	short loc_607201
		cmp	ecx, 9FFFFh
		jle	short loc_6071F5
		cmp	ecx, 0A000Fh
		jle	short loc_6071ED
		cmp	ecx, 0A0013h
		jnz	short loc_6071F5
		mov	ecx, 40000083h
		jmp	short loc_607214
; 

loc_6071ED:				; CODE XREF: HvlpGetRegister64(x,x)+96j
		add	ecx, 3FF60090h
		jmp	short loc_607214
; 

loc_6071F5:				; CODE XREF: HvlpGetRegister64(x,x)+14j
					; HvlpGetRegister64(x,x)+40j ...
		push	offset unk_6B64F8
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		pop	esi
		retn
; 

loc_607201:				; CODE XREF: HvlpGetRegister64(x,x)+86j
		mov	ecx, 40000021h
		jmp	short loc_607214
; 

loc_607208:				; CODE XREF: HvlpGetRegister64(x,x)+7Ej
		mov	ecx, 40000073h
		jmp	short loc_607214
; 

loc_60720F:				; CODE XREF: HvlpGetRegister64(x,x)+76j
		mov	ecx, 40000004h

loc_607214:				; CODE XREF: HvlpGetRegister64(x,x)+47j
					; HvlpGetRegister64(x,x)+51j ...
		rdmsr
		mov	[esi], eax
		mov	[esi+4], edx
		pop	esi
		retn
_HvlpGetRegister64@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpSetRegister64(x, x, x)
_HvlpSetRegister64@12 proc near		; CODE XREF: HvlEnlightenProcessor+8194Dp
					; HvlEnlightenProcessor+819BFp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, 90007h
		cmp	ecx, eax
		jg	short loc_607279
		jz	short loc_607272
		cmp	ecx, 210h
		jl	short loc_6072B0
		cmp	ecx, 214h
		jle	short loc_60726A
		cmp	ecx, 215h
		jz	short loc_607263
		cmp	ecx, 270h
		jz	short loc_60725C
		cmp	ecx, 90002h
		jnz	short loc_6072B0
		mov	ecx, 40000000h
		jmp	short loc_6072C8
; 

loc_60725C:				; CODE XREF: HvlpSetRegister64(x,x,x)+2Ej
		mov	ecx, 40000116h
		jmp	short loc_6072C8
; 

loc_607263:				; CODE XREF: HvlpSetRegister64(x,x,x)+26j
		mov	ecx, 40000105h
		jmp	short loc_6072C8
; 

loc_60726A:				; CODE XREF: HvlpSetRegister64(x,x,x)+1Ej
		add	ecx, 3FFFFEF0h
		jmp	short loc_6072C8
; 

loc_607272:				; CODE XREF: HvlpSetRegister64(x,x,x)+Ej
		mov	ecx, 40000004h
		jmp	short loc_6072C8
; 

loc_607279:				; CODE XREF: HvlpSetRegister64(x,x,x)+Cj
		cmp	ecx, 90013h
		jz	short loc_6072C3
		cmp	ecx, 90017h
		jz	short loc_6072BC
		cmp	ecx, 9FFFFh
		jle	short loc_6072B0
		cmp	ecx, 0A000Fh
		jle	short loc_6072A8
		cmp	ecx, 0A0013h
		jnz	short loc_6072B0
		mov	ecx, 40000083h
		jmp	short loc_6072C8
; 

loc_6072A8:				; CODE XREF: HvlpSetRegister64(x,x,x)+7Aj
		add	ecx, 3FF60090h
		jmp	short loc_6072C8
; 

loc_6072B0:				; CODE XREF: HvlpSetRegister64(x,x,x)+16j
					; HvlpSetRegister64(x,x,x)+36j	...
		push	offset unk_6B64F8
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		jmp	short loc_6072D0
; 

loc_6072BC:				; CODE XREF: HvlpSetRegister64(x,x,x)+6Aj
		mov	ecx, 40000021h
		jmp	short loc_6072C8
; 

loc_6072C3:				; CODE XREF: HvlpSetRegister64(x,x,x)+62j
		mov	ecx, 40000073h

loc_6072C8:				; CODE XREF: HvlpSetRegister64(x,x,x)+3Dj
					; HvlpSetRegister64(x,x,x)+44j	...
		mov	edx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		wrmsr

loc_6072D0:				; CODE XREF: HvlpSetRegister64(x,x,x)+9Dj
		pop	ebp
		retn	8
_HvlpSetRegister64@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpDetermineEnlightenments()
_HvlpDetermineEnlightenments@0 proc near ; CODE	XREF: HvlPhase0Initialize+9F55Bp

var_90		= dword	ptr -90h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= byte ptr -54h
var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		xor	edx, edx
		push	esi
		push	edi
		lea	edi, [ebp+var_58]
		mov	[ebp+var_78], edx
		stosd
		push	6
		pop	ecx
		mov	[ebp+var_74], edx
		stosd
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], edx
		mov	ds:_HvlEnableIdleYield,	dl
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_48]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_68]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_90]
		rep stosd
		lea	eax, [ebp+var_28]
		push	eax
		call	HviGetEnlightenmentInformation
		xor	eax, eax
		lea	edi, [ebp+var_38]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_38]
		push	eax
		call	HviGetHypervisorFeatures
		lea	eax, [ebp+var_48]
		push	eax
		call	HviGetHypervisorFeatures
		lea	eax, [ebp+var_68]
		push	eax
		call	_HviGetHardwareFeatures@4 ; HviGetHardwareFeatures(x)
		mov	eax, [ebp+var_28]
		test	al, 1
		jz	short loc_60737D
		mov	edi, 800007h
		jmp	short loc_6073B1
; 

loc_60737D:				; CODE XREF: HvlpDetermineEnlightenments()+A0j
		test	al, 2
		jz	short loc_607388
		mov	edi, 800006h
		jmp	short loc_6073B1
; 

loc_607388:				; CODE XREF: HvlpDetermineEnlightenments()+ABj
		test	al, 4
		jz	short loc_6073AE
		test	eax, 20000h
		jnz	short loc_6073A9
		mov	eax, large fs:20h
		cmp	byte ptr [eax+3BEh], 1
		jz	short loc_6073A9
		mov	edi, offset loc_800004
		jmp	short loc_6073B1
; 

loc_6073A9:				; CODE XREF: HvlpDetermineEnlightenments()+BDj
					; HvlpDetermineEnlightenments()+CCj
		push	4
		pop	edi
		jmp	short loc_6073B1
; 

loc_6073AE:				; CODE XREF: HvlpDetermineEnlightenments()+B6j
		mov	edi, [ebp+var_6C]

loc_6073B1:				; CODE XREF: HvlpDetermineEnlightenments()+A7j
					; HvlpDetermineEnlightenments()+B2j ...
		mov	esi, [ebp+var_38]
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jz	short loc_6073C8
		or	ds:_HvlpFlags, 80000h

loc_6073C8:				; CODE XREF: HvlpDetermineEnlightenments()+E8j
		mov	edx, [ebp+var_28]
		test	dl, 8
		jz	short loc_6073DA
		or	edi, 10h
		or	ds:_HvlpFlags, 1

loc_6073DA:				; CODE XREF: HvlpDetermineEnlightenments()+FAj
		test	edx, 200h
		jz	short loc_6073EF
		or	edi, 1000h
		or	ds:_HvlpFlags, 10h

loc_6073EF:				; CODE XREF: HvlpDetermineEnlightenments()+10Cj
		test	[ebp+var_3C], 40000h
		jz	short loc_607406
		call	_HvlpLockHypercallMsr@0	; HvlpLockHypercallMsr()
		mov	edx, [ebp+var_28]
		or	edi, 100000h

loc_607406:				; CODE XREF: HvlpDetermineEnlightenments()+122j
		test	edx, 40000h
		jz	short loc_607418
		or	ds:_HvlpFlags, 400000h

loc_607418:				; CODE XREF: HvlpDetermineEnlightenments()+138j
		test	edx, 10000h
		jz	short loc_60742A
		or	ds:_HvlpFlags, 800000h

loc_60742A:				; CODE XREF: HvlpDetermineEnlightenments()+14Aj
		test	edx, 100000h
		jz	short loc_607438
		or	edi, 20000000h

loc_607438:				; CODE XREF: HvlpDetermineEnlightenments()+15Cj
		test	edx, 800h
		jz	short loc_60744A
		or	ds:_HvlpFlags, 80h

loc_60744A:				; CODE XREF: HvlpDetermineEnlightenments()+16Aj
		test	dl, 20h
		jz	short loc_607452
		or	edi, 20h

loc_607452:				; CODE XREF: HvlpDetermineEnlightenments()+179j
		test	edx, 400h
		jz	short loc_607460
		or	edi, 4000h

loc_607460:				; CODE XREF: HvlpDetermineEnlightenments()+184j
		test	byte ptr [ebp+var_3C], 20h
		jz	short loc_60746C
		or	edi, 200h

loc_60746C:				; CODE XREF: HvlpDetermineEnlightenments()+190j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jle	short loc_607487
		bsr	ecx, eax
		xor	eax, eax
		or	edi, 40h
		inc	eax
		shl	eax, cl
		dec	eax
		or	eax, [ebp+var_24]
		mov	ds:_HvlLongSpinCountMask, eax

loc_607487:				; CODE XREF: HvlpDetermineEnlightenments()+19Dj
		mov	ecx, [ebp+var_34]
		xor	eax, eax
		and	ecx, 1000h
		or	eax, ecx
		jz	short loc_6074A9
		call	_HvlpTryToLockCpuManagementVersion@4 ; HvlpTryToLockCpuManagementVersion(x)
		mov	edx, [ebp+var_28]
		test	al, al
		jz	short loc_6074A9
		or	ds:_HvlpFlags, 2

loc_6074A9:				; CODE XREF: HvlpDetermineEnlightenments()+1C0j
					; HvlpDetermineEnlightenments()+1CCj
		test	[ebp+var_3C], 10000000h
		jz	short loc_6074B8
		or	edi, 4000000h

loc_6074B8:				; CODE XREF: HvlpDetermineEnlightenments()+1DCj
		mov	eax, ds:_HvlpFlags
		mov	[ebp+var_6C], eax
		test	al, 2
		jz	loc_60758F
		mov	eax, 40000007h
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	[ebp+var_70], ebx
		pop	ebx
		nop
		lea	esi, [ebp+var_58]
		mov	[esi], eax
		lea	eax, [ebp+var_58]
		mov	esi, [ebp+var_70]
		mov	[eax+4], esi
		mov	[eax+8], ecx
		mov	[eax+0Ch], edx
		test	[ebp+var_54], 1
		jz	short loc_6074F7
		or	edi, 400h

loc_6074F7:				; CODE XREF: HvlpDetermineEnlightenments()+21Bj
		test	[ebp+var_54], 2
		jz	short loc_607503
		or	edi, 20000h

loc_607503:				; CODE XREF: HvlpDetermineEnlightenments()+227j
		test	[ebp+var_54], 4
		jz	short loc_60750F
		or	edi, 40000h

loc_60750F:				; CODE XREF: HvlpDetermineEnlightenments()+233j
		mov	ecx, [ebp+var_58]
		test	cl, 1
		jz	short loc_60751E
		or	ds:_HvlpRootFlags, 20h

loc_60751E:				; CODE XREF: HvlpDetermineEnlightenments()+241j
		test	cl, 2
		jz	short loc_60752A
		or	ds:_HvlpRootFlags, 40h

loc_60752A:				; CODE XREF: HvlpDetermineEnlightenments()+24Dj
		test	ecx, ecx
		jns	short loc_607545
		or	edi, 10008h
		mov	ds:_HvlHyperVRootPartition, 1
		or	ds:_HvlpRootFlags, 187h

loc_607545:				; CODE XREF: HvlpDetermineEnlightenments()+258j
		mov	eax, ds:_HvlpRootFlags
		test	al, 1
		jz	short loc_60755D
		test	cl, 4
		jz	short loc_60755D
		or	eax, 200h
		mov	ds:_HvlpRootFlags, eax

loc_60755D:				; CODE XREF: HvlpDetermineEnlightenments()+278j
					; HvlpDetermineEnlightenments()+27Dj
		mov	edx, [ebp+var_34]
		xor	ecx, ecx
		and	edx, 100h
		or	ecx, edx
		jz	short loc_607574
		or	eax, 10h
		mov	ds:_HvlpRootFlags, eax

loc_607574:				; CODE XREF: HvlpDetermineEnlightenments()+296j
		mov	edx, [ebp+var_28]
		mov	esi, [ebp+var_38]
		test	edx, 1000h
		jz	short loc_60758C
		or	eax, 400h
		mov	ds:_HvlpRootFlags, eax

loc_60758C:				; CODE XREF: HvlpDetermineEnlightenments()+2ACj
		mov	eax, [ebp+var_6C]

loc_60758F:				; CODE XREF: HvlpDetermineEnlightenments()+1EEj
		test	byte ptr [ebp+var_3C], 80h
		jz	short loc_60759B
		or	edi, 800h

loc_60759B:				; CODE XREF: HvlpDetermineEnlightenments()+2BFj
		test	byte ptr [ebp+var_3C], 8
		jnz	short loc_6075A9
		or	eax, 4
		mov	ds:_HvlpFlags, eax

loc_6075A9:				; CODE XREF: HvlpDetermineEnlightenments()+2CBj
		mov	eax, esi
		and	eax, 2
		or	eax, 0
		jz	short loc_6075C5
		mov	eax, esi
		and	eax, 200h
		or	eax, 0
		jz	short loc_6075C5
		or	edi, 100h

loc_6075C5:				; CODE XREF: HvlpDetermineEnlightenments()+2DDj
					; HvlpDetermineEnlightenments()+2E9j
		mov	ecx, [ebp+var_34]
		xor	eax, eax
		and	ecx, 2
		or	eax, ecx
		jz	short loc_607619
		push	8
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		pop	edx
		lea	ecx, [ebp+var_90]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	[ebp+var_7C]
		mov	esi, eax
		xor	eax, eax
		push	[ebp+var_80]
		push	eax
		push	eax
		push	eax
		push	46h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		lea	ecx, [ebp+var_90]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	eax, [esi]
		mov	edx, [ebp+var_28]
		mov	ds:_HvlPartitionId, eax
		mov	eax, [esi+4]
		mov	esi, [ebp+var_38]
		mov	ds:dword_70E274, eax

loc_607619:				; CODE XREF: HvlpDetermineEnlightenments()+2FBj
		test	[ebp+var_3C], 400h
		mov	eax, 2000h
		jz	short loc_607629
		or	edi, eax

loc_607629:				; CODE XREF: HvlpDetermineEnlightenments()+351j
		and	esi, 4
		or	esi, 0
		jz	short loc_607638
		or	ds:_HvlpFlags, 20h

loc_607638:				; CODE XREF: HvlpDetermineEnlightenments()+35Bj
		test	[ebp+var_3C], 4000h
		jnz	short loc_607647
		or	ds:_HvlpFlags, eax

loc_607647:				; CODE XREF: HvlpDetermineEnlightenments()+36Bj
		mov	esi, [ebp+var_34]
		xor	eax, eax
		mov	ecx, esi
		and	ecx, 10000h
		or	eax, ecx
		jz	short loc_60765F
		or	ds:_HvlpFlags, 40h

loc_60765F:				; CODE XREF: HvlpDetermineEnlightenments()+382j
		and	esi, 200000h
		xor	eax, eax
		or	eax, esi
		mov	esi, 8000h
		jz	short loc_607672
		or	edi, esi

loc_607672:				; CODE XREF: HvlpDetermineEnlightenments()+39Aj
		test	[ebp+var_68], 800000h
		jz	short loc_607685
		or	ds:_HvlpFlags, 1000000h

loc_607685:				; CODE XREF: HvlpDetermineEnlightenments()+3A5j
		test	edx, esi
		jz	short loc_60769B
		test	edi, 100h
		jz	short loc_60769B
		or	ds:_HvlpFlags, 4000h

loc_60769B:				; CODE XREF: HvlpDetermineEnlightenments()+3B3j
					; HvlpDetermineEnlightenments()+3BBj
		test	[ebp+var_68], 10000h
		jz	short loc_6076AE
		or	ds:_HvlpFlags, 40000h

loc_6076AE:				; CODE XREF: HvlpDetermineEnlightenments()+3CEj
		lea	ecx, [ebp+var_78]
		call	_HvlpQueryExtendedCapabilities@4 ; HvlpQueryExtendedCapabilities(x)
		xor	edx, edx
		mov	ecx, edx
		test	al, al
		jz	short loc_6076C1
		mov	ecx, [ebp+var_78]

loc_6076C1:				; CODE XREF: HvlpDetermineEnlightenments()+3E8j
		mov	eax, ecx
		and	eax, 10h
		or	eax, edx
		jz	short loc_6076D0
		or	ds:_HvlpFlags, esi

loc_6076D0:				; CODE XREF: HvlpDetermineEnlightenments()+3F4j
		mov	eax, ecx
		and	eax, 20h
		or	eax, edx
		jz	short loc_6076E3
		or	ds:_HvlpFlags, 10000h

loc_6076E3:				; CODE XREF: HvlpDetermineEnlightenments()+403j
		mov	eax, ecx
		and	eax, 8
		or	eax, edx
		jz	short loc_6076F6
		or	ds:_HvlpFlags, 100000h

loc_6076F6:				; CODE XREF: HvlpDetermineEnlightenments()+416j
		mov	eax, ecx
		and	eax, 40h
		or	eax, edx
		jz	short loc_607709
		or	ds:_HvlpFlags, 200000h

loc_607709:				; CODE XREF: HvlpDetermineEnlightenments()+429j
		mov	eax, ecx
		and	eax, 2
		or	eax, edx
		jz	short loc_607718
		or	edi, 200000h

loc_607718:				; CODE XREF: HvlpDetermineEnlightenments()+43Cj
		mov	eax, ecx
		and	eax, 4
		or	eax, edx
		jz	short loc_607737
		and	ecx, 80h
		or	edi, 400000h
		or	ecx, edx
		jz	short loc_607737
		or	edi, 8000000h

loc_607737:				; CODE XREF: HvlpDetermineEnlightenments()+44Bj
					; HvlpDetermineEnlightenments()+45Bj
		mov	eax, ds:_HvlpRescindedEnlightenments
		mov	ecx, [ebp+var_4]
		not	eax
		and	edi, eax
		mov	ds:dword_6B12D0, offset	_HvlGetEnlightenmentInfo@4 ; HvlGetEnlightenmentInfo(x)
		mov	ds:_HvlpEnlightenments,	edi
		xor	ecx, ebp
		mov	ds:_HvlEnlightenments, edi
		pop	edi
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_HvlpDetermineEnlightenments@0 endp ; sp =  4


;  S U B	R O U T	I N E 


; __stdcall HvlpEnlightenSwapContext()
_HvlpEnlightenSwapContext@0 proc near	; CODE XREF: HvlpPhase0Enlightenments(x)+25p
		mov	edx, offset _SwapContext@0 ; SwapContext()
		mov	eax, offset EnlightenedSwapContext
		mov	ecx, edx
		sub	eax, edx
		mov	[ecx-4], eax
		mov	eax, 0F9EBh
		mov	byte ptr [ecx-5], 0E9h
		mov	[ecx], ax
		retn
_HvlpEnlightenSwapContext@0 endp


;  S U B	R O U T	I N E 


; __stdcall HvlpLockHypercallMsr()
_HvlpLockHypercallMsr@0	proc near	; CODE XREF: HvlpDetermineEnlightenments()+124p
		mov	edi, edi
		push	esi
		mov	ecx, 40000001h
		rdmsr
		mov	esi, eax
		and	esi, 2
		or	esi, 0
		pop	esi
		jnz	short locret_6077A1
		or	eax, 2
		wrmsr

locret_6077A1:				; CODE XREF: HvlpLockHypercallMsr()+13j
		retn
_HvlpLockHypercallMsr@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpPhase0Enlightenments(x)
_HvlpPhase0Enlightenments@4 proc near	; CODE XREF: HvlRestoreEnlightenment(x):loc_60366Ep
					; HvlPhase0Initialize+9F597p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], ecx
		test	byte ptr ds:_HvlEnlightenments,	1
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		jz	short loc_6077CC
		call	_HvlpEnlightenSwapContext@0 ; HvlpEnlightenSwapContext()

loc_6077CC:				; CODE XREF: HvlpPhase0Enlightenments(x)+23j
		test	ds:_HvlEnlightenments, 100h
		jz	short loc_60783C
		lea	edx, [ebp+var_14]
		mov	ecx, 90017h
		call	_HvlpGetRegister64@8 ; HvlpGetRegister64(x,x)
		mov	esi, [ebp+var_14]
		mov	ebx, [ebp+var_10]
		or	esi, 1
		test	byte ptr ds:_HvlpFlags,	2
		mov	[ebp+var_10], ebx
		jnz	short loc_60786B
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	short loc_607843
		push	ds:_HvlpReferenceTscPage
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	ebx, edx
		and	esi, 0FFFh
		shrd	eax, ebx, 0Ch
		sar	ebx, 0Ch
		shld	ebx, eax, 0Ch
		shl	eax, 0Ch
		or	esi, eax
		or	ebx, edi

loc_607826:				; CODE XREF: HvlpPhase0Enlightenments(x)+C7j
					; HvlpPhase0Enlightenments(x)+E6j
		push	ebx
		push	esi
		mov	ecx, 90017h
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)
		test	edi, edi
		jz	short loc_60783C
		mov	ds:_HvlpReferenceTscPage, edi

loc_60783C:				; CODE XREF: HvlpPhase0Enlightenments(x)+34j
					; HvlpPhase0Enlightenments(x)+92j
		xor	eax, eax

loc_60783E:				; CODE XREF: HvlpPhase0Enlightenments(x)+EDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_607843:				; CODE XREF: HvlpPhase0Enlightenments(x)+5Dj
		push	4
		lea	ecx, [ebp+var_C]
		push	ecx
		push	1
		push	eax
		call	ds:dword_6B12D4
		mov	edi, eax
		test	edi, edi
		jz	short loc_60788A
		xor	esi, [ebp+var_C]
		xor	ebx, ebx
		and	esi, 0FFFh
		xor	esi, [ebp+var_C]
		xor	ebx, [ebp+var_8]
		jmp	short loc_607826
; 

loc_60786B:				; CODE XREF: HvlpPhase0Enlightenments(x)+56j
		push	4
		push	1
		mov	eax, esi
		mov	[ebp+var_8], ebx
		and	eax, 0FFFFF000h
		push	ebx
		push	eax
		mov	[ebp+var_C], eax
		call	ds:dword_6B12D8
		mov	edi, eax
		test	edi, edi
		jnz	short loc_607826

loc_60788A:				; CODE XREF: HvlpPhase0Enlightenments(x)+B4j
		mov	eax, 0C000009Ah
		jmp	short loc_60783E
_HvlpPhase0Enlightenments@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpQueryExtendedCapabilities(x)
_HvlpQueryExtendedCapabilities@4 proc near ; CODE XREF:	HvlpDetermineEnlightenments()+3DDp

var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	6
		mov	[ebp+var_1C], ecx
		lea	edi, [ebp+var_38]
		pop	ecx
		xor	eax, eax
		xor	esi, esi
		rep stosd
		push	8
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		pop	edx
		lea	ecx, [ebp+var_38]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	[ebp+var_24]
		mov	edi, eax
		push	[ebp+var_28]
		push	esi
		push	esi
		push	esi
		push	8001h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		lea	ecx, [ebp+var_38]
		mov	esi, eax
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		test	si, si
		jnz	short loc_60790C
		mov	ecx, [ebp+var_1C]
		mov	eax, [edi]
		mov	[ecx], eax
		mov	eax, [edi+4]
		mov	[ecx+4], eax
		mov	al, 1
		jmp	short loc_60790E
; 

loc_60790C:				; CODE XREF: HvlpQueryExtendedCapabilities(x)+68j
		xor	al, al

loc_60790E:				; CODE XREF: HvlpQueryExtendedCapabilities(x)+79j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_HvlpQueryExtendedCapabilities@4 endp ;	sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpTryToLockCpuManagementVersion(x)
_HvlpTryToLockCpuManagementVersion@4 proc near
					; CODE XREF: HvlpDetermineEnlightenments()+1C2p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		xor	eax, eax
		inc	eax
		mov	[ebp+var_4], ebx
		push	ebx
		mov	esi, 90007h
		mov	[ebp+var_8], eax
		push	eax
		mov	ecx, esi
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	_HvlpGetRegister64@8 ; HvlpGetRegister64(x,x)
		mov	edx, [ebp+var_4]
		mov	eax, ebx
		and	edx, 40000000h
		or	eax, edx
		jz	short loc_60796C
		push	80000000h
		push	1
		mov	ecx, esi
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)
		mov	bl, 1

loc_60796C:				; CODE XREF: HvlpTryToLockCpuManagementVersion(x)+39j
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_HvlpTryToLockCpuManagementVersion@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlGetProcessorIndexFromVpIndex(x)
_HvlGetProcessorIndexFromVpIndex@4 proc	near ; DATA XREF: HvlGetEnlightenmentInfo(x)+F7o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_HvlpVirtualProcessorsIdentityMapped, 0
		jz	short loc_607985
		mov	eax, [ebp+arg_0]
		jmp	short loc_6079C3
; 

loc_607985:				; CODE XREF: HvlGetProcessorIndexFromVpIndex(x)+Cj
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		shr	eax, 6
		and	bl, 3Fh
		push	0FFFFh
		mov	[ebp+arg_0], eax
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	edx, eax
		xor	eax, eax
		test	edx, edx
		jz	short loc_6079C0
		mov	ecx, [ebp+arg_0]

loc_6079A9:				; CODE XREF: HvlGetProcessorIndexFromVpIndex(x)+4Cj
		cmp	ds:_HvlpVirtualProcessorMapping[eax*2],	cl
		jnz	short loc_6079BB
		cmp	ds:byte_70E231[eax*2], bl
		jz	short loc_6079C2

loc_6079BB:				; CODE XREF: HvlGetProcessorIndexFromVpIndex(x)+3Ej
		inc	eax
		cmp	eax, edx
		jb	short loc_6079A9

loc_6079C0:				; CODE XREF: HvlGetProcessorIndexFromVpIndex(x)+32j
		xor	eax, eax

loc_6079C2:				; CODE XREF: HvlGetProcessorIndexFromVpIndex(x)+47j
		pop	ebx

loc_6079C3:				; CODE XREF: HvlGetProcessorIndexFromVpIndex(x)+11j
		pop	ebp
		retn	4
_HvlGetProcessorIndexFromVpIndex@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpAffinityToHvProcessorSet(x, x, x)
_HvlpAffinityToHvProcessorSet@12 proc near ; CODE XREF:	HvlMapDeviceInterrupt(x,x,x,x,x)+F0p
					; HvlMapDeviceInterrupt(x,x,x,x,x)+142p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_A		= word ptr -0Ah
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		mov	[ebp+var_A], ax
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, edx
		mov	[esi+8], eax
		mov	[esi+0Ch], eax
		mov	[esi+4], eax
		test	ecx, ecx
		jnz	short loc_6079F3
		mov	dword ptr [esi], 1
		jmp	loc_607AA7
; 

loc_6079F3:				; CODE XREF: HvlpAffinityToHvProcessorSet(x,x,x)+1Fj
		push	edi
		mov	[esi], eax
		mov	edi, eax
		xor	eax, eax
		mov	[ebp+var_C], ax
		mov	eax, [ecx+8]
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], ecx
		push	ebx

loc_607A08:				; CODE XREF: HvlpAffinityToHvProcessorSet(x,x,x)+ADj
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_607A7B
		mov	eax, [ebp+var_4]
		movzx	ebx, ds:_HvlpVirtualProcessorMapping[eax*2]
		movzx	eax, ds:byte_70E231[eax*2]
		mov	[ebp+var_8], eax
		cmp	ebx, edi
		jb	short loc_607A5F
		lea	eax, ds:8[ebx*8]
		cmp	eax, [ebp+arg_0]
		ja	short loc_607A76
		mov	eax, ebx
		sub	eax, edi
		add	edi, 2
		lea	eax, ds:8[eax*8]
		push	eax		; size_t
		lea	eax, [esi+edi*8]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [ebx+1]

loc_607A5F:				; CODE XREF: HvlpAffinityToHvProcessorSet(x,x,x)+6Aj
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		call	__allshl
		or	[esi+ebx*8+10h], eax
		or	[esi+ebx*8+14h], edx
		jmp	short loc_607A08
; 

loc_607A76:				; CODE XREF: HvlpAffinityToHvProcessorSet(x,x,x)+76j
		or	eax, 0FFFFFFFFh
		jmp	short loc_607AA5
; 

loc_607A7B:				; CODE XREF: HvlpAffinityToHvProcessorSet(x,x,x)+50j
		cmp	edi, 40h
		jz	short loc_607A94
		xor	eax, eax
		xor	edx, edx
		inc	eax
		mov	ecx, edi
		call	__allshl
		add	eax, 0FFFFFFFFh
		adc	edx, 0FFFFFFFFh
		jmp	short loc_607A9A
; 

loc_607A94:				; CODE XREF: HvlpAffinityToHvProcessorSet(x,x,x)+B7j
		or	eax, 0FFFFFFFFh
		or	edx, 0FFFFFFFFh

loc_607A9A:				; CODE XREF: HvlpAffinityToHvProcessorSet(x,x,x)+CBj
		mov	[esi+8], eax
		mov	eax, edi
		mov	[esi+0Ch], edx
		shl	eax, 3

loc_607AA5:				; CODE XREF: HvlpAffinityToHvProcessorSet(x,x,x)+B2j
		pop	ebx
		pop	edi

loc_607AA7:				; CODE XREF: HvlpAffinityToHvProcessorSet(x,x,x)+27j
		pop	esi
		leave
		retn	4
_HvlpAffinityToHvProcessorSet@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpAffinityToVirtualAffinity(x)
_HvlpAffinityToVirtualAffinity@4 proc near ; CODE XREF:	HvlParkedVirtualProcessors(x)+31p
					; HvlSendSyntheticClusterIpi(x,x)+14p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_HvlpVirtualProcessorsIdentityMapped, 0
		push	ebx
		mov	ebx, ecx
		jz	short loc_607AC4
		mov	eax, ebx
		xor	edx, edx
		jmp	short loc_607B1E
; 

loc_607AC4:				; CODE XREF: HvlpAffinityToVirtualAffinity(x)+10j
		push	esi
		xor	esi, esi
		mov	ecx, esi
		push	edi
		mov	[ebp+var_4], ecx
		mov	edi, offset unk_70E233

loc_607AD2:				; CODE XREF: HvlpAffinityToVirtualAffinity(x)+6Aj
		test	bl, 1
		jz	short loc_607AEF
		movzx	ecx, byte ptr [edi-2]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		call	__allshl
		mov	ecx, [ebp+var_4]
		or	esi, eax
		or	ecx, edx
		mov	[ebp+var_4], ecx

loc_607AEF:				; CODE XREF: HvlpAffinityToVirtualAffinity(x)+29j
		shr	ebx, 1
		jz	short loc_607B18
		test	bl, 1
		jz	short loc_607B0F
		movzx	ecx, byte ptr [edi]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		call	__allshl
		mov	ecx, [ebp+var_4]
		or	esi, eax
		or	ecx, edx
		mov	[ebp+var_4], ecx

loc_607B0F:				; CODE XREF: HvlpAffinityToVirtualAffinity(x)+4Aj
		shr	ebx, 1
		jz	short loc_607B18
		add	edi, 4
		jmp	short loc_607AD2
; 

loc_607B18:				; CODE XREF: HvlpAffinityToVirtualAffinity(x)+45j
					; HvlpAffinityToVirtualAffinity(x)+65j
		pop	edi
		mov	eax, esi
		mov	edx, ecx
		pop	esi

loc_607B1E:				; CODE XREF: HvlpAffinityToVirtualAffinity(x)+16j
		pop	ebx
		leave
		retn
_HvlpAffinityToVirtualAffinity@4 endp


;  S U B	R O U T	I N E 


; __stdcall HvlpAllocateOverlayPages(x)
_HvlpAllocateOverlayPages@4 proc near	; CODE XREF: HvlInitializeProcessor+A03A9p
					; HvlInitializeProcessor+A03D4p
		mov	edi, edi
		push	ebx
		xor	edx, edx
		push	esi
		push	edi
		mov	ecx, edx
		mov	esi, edx
		mov	edi, edx
		mov	ebx, edx

loc_607B30:				; CODE XREF: HvlpAllocateOverlayPages(x)+46j
		mov	eax, esi
		inc	esi
		cmp	eax, 4
		jnb	short loc_607B69
		push	80000000h
		push	4
		add	edi, 40000000h
		push	edx
		adc	ebx, edx
		mov	ecx, edi
		sub	ecx, 1
		mov	eax, ebx
		push	edx
		sbb	eax, edx
		push	eax
		push	ecx
		push	edx
		push	edx
		push	1000h
		call	MmAllocateContiguousNodeMemory
		mov	ecx, eax
		push	0
		pop	edx
		test	ecx, ecx
		jz	short loc_607B30

loc_607B69:				; CODE XREF: HvlpAllocateOverlayPages(x)+15j
		test	ecx, ecx
		jnz	short loc_607B88
		push	80000000h
		push	4
		push	edx
		push	edx
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	edx
		push	edx
		push	1000h
		call	MmAllocateContiguousNodeMemory
		mov	ecx, eax

loc_607B88:				; CODE XREF: HvlpAllocateOverlayPages(x)+4Aj
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		retn
_HvlpAllocateOverlayPages@4 endp


;  S U B	R O U T	I N E 


; __stdcall HvlpFreeOverlayPages(x)
_HvlpFreeOverlayPages@4	proc near	; CODE XREF: HvlInitializeProcessor+A0439p
					; HvlInitializeProcessor+A044Bp ...
		mov	edi, edi
		push	ecx
		push	ecx
		call	MmFreeContiguousMemory
		pop	ecx
		retn
_HvlpFreeOverlayPages@4	endp


;  S U B	R O U T	I N E 


; __stdcall HvlpHvToNtStatus(x)
_HvlpHvToNtStatus@4 proc near		; CODE XREF: HvlMapDeviceInterrupt(x,x,x,x,x)+1F7p
					; HvlNotifyAllProcessorsStarted()+68p ...
		movzx	eax, cx
		test	eax, eax
		jz	short loc_607BC1
		cmp	eax, 0Bh
		jz	short loc_607BBB
		cmp	eax, 1Dh
		jz	short loc_607BBB
		cmp	eax, 59h
		jz	short loc_607BB5
		or	eax, 0C0350000h
		retn
; 

loc_607BB5:				; CODE XREF: HvlpHvToNtStatus(x)+14j
		mov	eax, 350059h
		retn
; 

loc_607BBB:				; CODE XREF: HvlpHvToNtStatus(x)+Aj
					; HvlpHvToNtStatus(x)+Fj
		mov	eax, 0C000009Ah
		retn
; 

loc_607BC1:				; CODE XREF: HvlpHvToNtStatus(x)+5j
		xor	eax, eax
		retn
_HvlpHvToNtStatus@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2593. VslCreateSecureSection

;  S U B	R O U T	I N E 


; __stdcall VslCreateSecureSection(x, x, x, x, x)
		public _VslCreateSecureSection@20
_VslCreateSecureSection@20 proc	near
		mov	eax, 0C000009Dh
		retn	14h
_VslCreateSecureSection@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VslDebugReadWriteSecureProcess(x, x, x, x, x, x)
_VslDebugReadWriteSecureProcess@24 proc	near ; CODE XREF: MmCopyVirtualMemory+10ED28p
					; MmCopyVirtualMemory+10EDB9p

arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		and	dword ptr [eax], 0
		mov	eax, 0C000000Dh
		pop	ebp
		retn	10h
_VslDebugReadWriteSecureProcess@24 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2594. VslDeleteSecureSection
; Exported entry 2595. VslExchangeEntropy

;  S U B	R O U T	I N E 


; __stdcall VslDeleteSecureSection(x)
		public _VslDeleteSecureSection@4
_VslDeleteSecureSection@4 proc near
		mov	eax, 0C000009Dh	; VslDeleteSecureSection
		retn	4
_VslDeleteSecureSection@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2596. VslGetSecurePciDeviceAlternateFunctionNumberForVtl0Dma

;  S U B	R O U T	I N E 


; __stdcall VslGetSecurePciDeviceAlternateFunctionNumberForVtl0Dma(x, x, x, x)
		public _VslGetSecurePciDeviceAlternateFunctionNumberForVtl0Dma@16
_VslGetSecurePciDeviceAlternateFunctionNumberForVtl0Dma@16 proc	near
		or	al, 0FFh
		retn	10h
_VslGetSecurePciDeviceAlternateFunctionNumberForVtl0Dma@16 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2599. VslRetrieveMailbox

;  S U B	R O U T	I N E 


; __stdcall VslRetrieveMailbox(x, x, x,	x, x, x)
		public _VslRetrieveMailbox@24
_VslRetrieveMailbox@24 proc near
		mov	eax, 0C000009Dh
		retn	18h
_VslRetrieveMailbox@24 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry   5.
; Exported entry 2532. SkIsSecureKernel

;  S U B	R O U T	I N E 


; __stdcall VslTestRoutine()
		public _VslTestRoutine@0
_VslTestRoutine@0 proc near
		mov	eax, 0C0000002h	; ntoskrnl_5
		retn
_VslTestRoutine@0 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 717. InbvAcquireDisplayOwnership

;  S U B	R O U T	I N E 


; __stdcall InbvAcquireDisplayOwnership()
		public _InbvAcquireDisplayOwnership@0
_InbvAcquireDisplayOwnership@0 proc near ; CODE	XREF: KiDisplayBlueScreen(x)+141p
					; PopShutdownHandler(x,x,x,x,x)+12p
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	short locret_607C2B
		mov	eax, [eax+4]
		test	eax, eax
		jz	short locret_607C2B
		jmp	eax
; 

locret_607C2B:				; CODE XREF: InbvAcquireDisplayOwnership()+7j
					; InbvAcquireDisplayOwnership()+Ej
		retn
_InbvAcquireDisplayOwnership@0 endp


;  S U B	R O U T	I N E 


; __stdcall InbvAcquireLock()
_InbvAcquireLock@0 proc	near		; CODE XREF: DisplayBootBitmap:loc_5F9B49p
					; DisplayBootBitmap:loc_5F9C77p ...
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	short locret_607C3E
		mov	eax, [eax+4Ch]
		test	eax, eax
		jz	short locret_607C3E
		jmp	eax
; 

locret_607C3E:				; CODE XREF: InbvAcquireLock()+7j
					; InbvAcquireLock()+Ej
		retn
_InbvAcquireLock@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InbvBitBlt(x, x, x)
_InbvBitBlt@12	proc near		; CODE XREF: DisplayBootBitmap+7FA91p
					; DisplayBootBitmap+7FA9Ep ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	short loc_607C5C
		mov	eax, [eax+30h]
		test	eax, eax
		jz	short loc_607C5C
		push	[ebp+arg_0]
		push	0
		push	ecx
		call	eax

loc_607C5C:				; CODE XREF: InbvBitBlt(x,x,x)+Cj
					; InbvBitBlt(x,x,x)+13j
		pop	ebp
		retn	4
_InbvBitBlt@12	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 718. InbvCheckDisplayOwnership

;  S U B	R O U T	I N E 


; __stdcall InbvCheckDisplayOwnership()
		public _InbvCheckDisplayOwnership@0
_InbvCheckDisplayOwnership@0 proc near	; CODE XREF: InbvRotateGuiBootDisplay(x)+45p
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	short loc_607C77
		mov	eax, [eax+20h]
		test	eax, eax
		jz	short loc_607C77
		jmp	eax
; 

loc_607C77:				; CODE XREF: InbvCheckDisplayOwnership()+7j
					; InbvCheckDisplayOwnership()+Ej
		xor	al, al
		retn
_InbvCheckDisplayOwnership@0 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 720. InbvEnableBootDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InbvEnableBootDriver(x)
		public _InbvEnableBootDriver@4
_InbvEnableBootDriver@4	proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	short loc_607C97
		mov	eax, [eax+18h]
		test	eax, eax
		jz	short loc_607C97
		pop	ebp
		jmp	eax
; 

loc_607C97:				; CODE XREF: InbvEnableBootDriver(x)+Cj
					; InbvEnableBootDriver(x)+13j
		pop	ebp
		retn	4
_InbvEnableBootDriver@4	endp


;  S U B	R O U T	I N E 


; __stdcall InbvGetDisplayState()
_InbvGetDisplayState@0 proc near	; CODE XREF: FinalizeBootLogo()+5p
					; InbvRotateGuiBootDisplay(x)+28p ...
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	short loc_607CAD
		mov	eax, [eax+48h]
		test	eax, eax
		jz	short loc_607CAD
		jmp	eax
; 

loc_607CAD:				; CODE XREF: InbvGetDisplayState()+7j
					; InbvGetDisplayState()+Ej
		push	2
		pop	eax
		retn
_InbvGetDisplayState@0 endp


;  S U B	R O U T	I N E 


; __stdcall InbvGetResourceAddress(x)
_InbvGetResourceAddress@4 proc near	; CODE XREF: DisplayBootBitmap+7FA52p
					; DisplayBootBitmap+7FA5Cp ...
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	short loc_607CC5
		mov	eax, [eax+40h]
		test	eax, eax
		jz	short loc_607CC5
		push	ecx
		call	eax
		retn
; 

loc_607CC5:				; CODE XREF: InbvGetResourceAddress(x)+7j
					; InbvGetResourceAddress(x)+Ej
		xor	eax, eax
		retn
_InbvGetResourceAddress@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 725. InbvNotifyDisplayOwnershipLost

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InbvNotifyDisplayOwnershipLost(x)
		public _InbvNotifyDisplayOwnershipLost@4
_InbvNotifyDisplayOwnershipLost@4 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	short loc_607CE4
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_607CE4
		pop	ebp
		jmp	eax
; 

loc_607CE4:				; CODE XREF: InbvNotifyDisplayOwnershipLost(x)+Cj
					; InbvNotifyDisplayOwnershipLost(x)+12j
		pop	ebp
		retn	4
_InbvNotifyDisplayOwnershipLost@4 endp


;  S U B	R O U T	I N E 


; __stdcall InbvReleaseLock()
_InbvReleaseLock@0 proc	near		; CODE XREF: DisplayBootBitmap+7FA00p
					; DisplayBootBitmap:loc_5F9C8Cp ...
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	short locret_607CFA
		mov	eax, [eax+50h]
		test	eax, eax
		jz	short locret_607CFA
		jmp	eax
; 

locret_607CFA:				; CODE XREF: InbvReleaseLock()+7j
					; InbvReleaseLock()+Ej
		retn
_InbvReleaseLock@0 endp

; 
		align 10h
; Exported entry 726. InbvResetDisplay

;  S U B	R O U T	I N E 


; __stdcall InbvResetDisplay()
		public _InbvResetDisplay@0
_InbvResetDisplay@0 proc near
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	short loc_607D12
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	short loc_607D12
		jmp	eax
; 

loc_607D12:				; CODE XREF: InbvResetDisplay()+7j
					; InbvResetDisplay()+Ej
		xor	al, al
		retn
_InbvResetDisplay@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 727. InbvSetScrollRegion

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InbvSetScrollRegion(x, x, x, x)
		public _InbvSetScrollRegion@16
_InbvSetScrollRegion@16	proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	short loc_607D32
		mov	eax, [eax+24h]
		test	eax, eax
		jz	short loc_607D32
		pop	ebp
		jmp	eax
; 

loc_607D32:				; CODE XREF: InbvSetScrollRegion(x,x,x,x)+Cj
					; InbvSetScrollRegion(x,x,x,x)+13j
		pop	ebp
		retn	10h
_InbvSetScrollRegion@16	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 728. InbvSetTextColor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InbvSetTextColor(x)
		public _InbvSetTextColor@4
_InbvSetTextColor@4 proc near		; CODE XREF: DisplayBootBitmap+7FA0Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	short loc_607D53
		mov	eax, [eax+28h]
		test	eax, eax
		jz	short loc_607D53
		pop	ebp
		jmp	eax
; 

loc_607D53:				; CODE XREF: InbvSetTextColor(x)+Cj
					; InbvSetTextColor(x)+13j
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn	4
_InbvSetTextColor@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 730. InbvSolidColorFill

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InbvSolidColorFill(x, x, x,	x, x)
		public _InbvSolidColorFill@20
_InbvSolidColorFill@20 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:dword_6D4D4C
		test	eax, eax
		jz	short loc_607D77
		mov	eax, [eax+10h]
		test	eax, eax
		jz	short loc_607D77
		pop	ebp
		jmp	eax
; 

loc_607D77:				; CODE XREF: InbvSolidColorFill(x,x,x,x,x)+Cj
					; InbvSolidColorFill(x,x,x,x,x)+13j
		pop	ebp
		retn	14h
_InbvSolidColorFill@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FadePalette(x)
_FadePalette@4	proc near		; CODE XREF: RotBarUpdate()+1B1p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_PalettePtr
		push	ebx
		push	esi
		movzx	ebx, cl
		mov	ecx, offset _MainPalette
		push	edi
		mov	edi, offset unk_6B6549
		mov	[ebp+var_4], 14h
		lea	esi, [eax+2]
		sub	ecx, eax

loc_607DA2:				; CODE XREF: FadePalette(x)+62j
		movzx	eax, byte ptr [edi-1]
		xor	edx, edx
		imul	eax, ebx
		div	[ebp+var_4]
		xor	edx, edx
		mov	[esi-2], al
		movzx	eax, byte ptr [edi]
		add	edi, 4
		imul	eax, ebx
		div	[ebp+var_4]
		xor	edx, edx
		mov	[esi-1], al
		movzx	eax, byte ptr [ecx+esi]
		imul	eax, ebx
		mov	byte ptr [esi+1], 0
		div	[ebp+var_4]
		mov	[esi], al
		lea	esi, [esi+4]
		cmp	edi, (offset _BvgaTerminalBkgdColor+1)
		jl	short loc_607DA2
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_FadePalette@4	endp


;  S U B	R O U T	I N E 


; __stdcall FinalizeBootLogo()
_FinalizeBootLogo@0 proc near		; CODE XREF: StartFirstUserProcess:loc_AD579Dp
		call	_InbvAcquireLock@0 ; InbvAcquireLock()
		call	_InbvGetDisplayState@0 ; InbvGetDisplayState()
		test	eax, eax
		jnz	short loc_607E05
		push	eax
		push	1DFh
		push	27Fh
		push	eax
		push	eax
		call	ds:__imp__VidSolidColorFill@20 ; VidSolidColorFill(x,x,x,x,x)

loc_607E05:				; CODE XREF: FinalizeBootLogo()+Cj
		mov	ds:_PltRotBarStatus, 3
		jmp	_InbvReleaseLock@0 ; InbvReleaseLock()
_FinalizeBootLogo@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InbvRotateGuiBootDisplay(x)
_InbvRotateGuiBootDisplay@4 proc near	; DATA XREF: DisplayBootBitmap+7FAEBo

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		or	[esp+8+var_4], 0FFFFFFFFh
		mov	[esp+8+var_8], 0FFF3CB00h

loc_607E2A:				; CODE XREF: InbvRotateGuiBootDisplay(x)+4Cj
		lea	eax, [esp+8+var_8]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		call	_InbvAcquireLock@0 ; InbvAcquireLock()
		call	_InbvGetDisplayState@0 ; InbvGetDisplayState()
		test	eax, eax
		jnz	short loc_607E54
		mov	eax, ds:_RotBarSelection
		sub	eax, 1
		jnz	short loc_607E54
		call	_RotBarUpdate@0	; RotBarUpdate()

loc_607E54:				; CODE XREF: InbvRotateGuiBootDisplay(x)+2Fj
					; InbvRotateGuiBootDisplay(x)+39j
		call	_InbvReleaseLock@0 ; InbvReleaseLock()
		call	_InbvCheckDisplayOwnership@0 ; InbvCheckDisplayOwnership()
		test	al, al
		jnz	short loc_607E2A
		call	_InbvReleaseResources@0	; InbvReleaseResources()
		push	0
		call	PsTerminateSystemThread
		mov	esp, ebp
		pop	ebp
		retn	4
_InbvRotateGuiBootDisplay@4 endp


;  S U B	R O U T	I N E 


; __stdcall RotBarInit()
_RotBarInit@0	proc near		; CODE XREF: DisplayBootBitmap+7FB33p
		mov	eax, ds:_pbih
		xor	edx, edx
		push	ebx
		push	esi
		push	4
		pop	ebx
		push	ebx
		xor	esi, esi
		mov	dword ptr [eax], 28h
		push	9
		push	6
		push	esi
		inc	edx
		mov	[eax+10h], esi
		push	esi
		mov	ecx, 0B12h
		mov	[eax+20h], esi
		mov	[eax+24h], esi
		mov	ds:_PaletteNum,	esi
		mov	ds:_AnimBarPos,	esi
		mov	esi, ds:__imp__VidScreenToBufferBlt@24 ; VidScreenToBufferBlt(x,x,x,x,x,x)
		push	offset _Square1
		mov	[eax+4], edx
		mov	[eax+8], edx
		mov	[eax+0Ch], dx
		mov	[eax+0Eh], bx
		mov	[eax+14h], ebx
		mov	[eax+18h], ecx
		mov	[eax+1Ch], ecx
		mov	ds:_PltRotBarStatus, edx
		call	esi
		push	ebx
		push	9
		push	6
		push	0
		push	8
		push	offset _Square2
		call	esi
		push	ebx
		push	9
		push	6
		xor	ebx, ebx
		push	ebx
		push	10h
		push	offset _Square3
		call	esi
		push	ebx
		push	9
		push	16h
		push	ebx
		push	ebx
		call	ds:__imp__VidSolidColorFill@20 ; VidSolidColorFill(x,x,x,x,x)
		pop	esi
		pop	ebx
		retn
_RotBarInit@0	endp

; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 


; __stdcall RotBarUpdate()
_RotBarUpdate@0	proc near		; CODE XREF: InbvRotateGuiBootDisplay(x)+3Bp
		mov	eax, ds:_PltRotBarStatus
		push	ebx
		xor	ebx, ebx
		sub	eax, ebx
		jz	loc_608103
		sub	eax, 1
		jz	loc_6080B0
		sub	eax, 1
		jz	short loc_607F33
		sub	eax, 1
		jz	loc_608103
		jmp	loc_6080E9
; 

loc_607F33:				; CODE XREF: RotBarUpdate()+1Cj
		mov	ecx, ds:_AnimBarPos
		mov	eax, ecx
		push	esi
		push	edi
		sub	eax, ebx
		jz	loc_60807B
		push	4
		push	9
		push	6
		sub	eax, 1
		jz	loc_608064
		mov	edi, 162h
		push	edi
		sub	eax, 1
		jz	loc_608035
		sub	eax, 0Eh
		jz	loc_608006
		sub	eax, 1
		jz	short loc_607FEF
		mov	esi, ds:__imp__VidBufferToScreenBlt@24 ; VidBufferToScreenBlt(x,x,x,x,x,x)
		lea	eax, ds:0EBh[ecx*8]
		push	eax
		push	offset _Square1
		call	esi
		mov	eax, ds:_AnimBarPos
		push	4
		push	9
		push	6
		push	edi
		lea	eax, ds:0F3h[eax*8]
		push	eax
		push	offset _Square2
		call	esi
		mov	eax, ds:_AnimBarPos
		push	4
		push	9
		push	6
		push	edi
		lea	eax, ds:0FBh[eax*8]
		push	eax
		push	offset _Square3
		call	esi
		mov	eax, ds:_AnimBarPos
		cmp	eax, 3
		jle	loc_608096

loc_607FCA:				; CODE XREF: RotBarUpdate()+FDj
		push	12h
		add	eax, 10h
		pop	ecx
		cdq
		idiv	ecx
		push	ebx
		push	16Ah
		lea	eax, ds:0F8h[edx*8]
		push	eax
		push	edi
		lea	eax, ds:0F3h[edx*8]
		push	eax
		jmp	loc_608090
; 

loc_607FEF:				; CODE XREF: RotBarUpdate()+68j
		push	173h
		push	offset _Square1
		call	ds:__imp__VidBufferToScreenBlt@24 ; VidBufferToScreenBlt(x,x,x,x,x,x)

loc_607FFF:				; CODE XREF: RotBarUpdate()+12Cj
					; DATA XREF: PspGetJobLimitInformationValidFlags(x,x)+13o
		mov	eax, ds:_AnimBarPos
		jmp	short loc_607FCA
; 

loc_608006:				; CODE XREF: RotBarUpdate()+5Fj
		mov	esi, ds:__imp__VidBufferToScreenBlt@24 ; VidBufferToScreenBlt(x,x,x,x,x,x)
		push	16Bh
		push	offset _Square1
		call	esi
		mov	eax, ds:_AnimBarPos
		push	4
		push	9
		push	6
		push	edi
		lea	eax, ds:0F3h[eax*8]
		push	eax
		push	offset _Square2
		call	esi
		jmp	short loc_607FFF
; 

loc_608035:				; CODE XREF: RotBarUpdate()+56j
		mov	esi, ds:__imp__VidBufferToScreenBlt@24 ; VidBufferToScreenBlt(x,x,x,x,x,x)
		push	103h
		push	offset _Square2
		call	esi
		mov	eax, ds:_AnimBarPos
		push	4
		push	9
		push	6
		push	edi
		lea	eax, ds:0FBh[eax*8]
		push	eax
		push	offset _Square3
		call	esi
		jmp	short loc_608096
; 

loc_608064:				; CODE XREF: RotBarUpdate()+47j
		push	162h
		push	103h
		push	offset _Square3
		call	ds:__imp__VidBufferToScreenBlt@24 ; VidBufferToScreenBlt(x,x,x,x,x,x)
		jmp	short loc_608096
; 

loc_60807B:				; CODE XREF: RotBarUpdate()+38j
		push	ebx
		push	16Ah
		push	178h
		push	162h
		push	173h

loc_608090:				; CODE XREF: RotBarUpdate()+E3j
		call	ds:__imp__VidSolidColorFill@20 ; VidSolidColorFill(x,x,x,x,x)

loc_608096:				; CODE XREF: RotBarUpdate()+BDj
					; RotBarUpdate()+15Bj ...
		mov	eax, ds:_AnimBarPos
		inc	eax
		mov	ds:_AnimBarPos,	eax
		pop	edi
		pop	esi
		cmp	eax, 11h
		jle	short loc_6080E9
		mov	ds:_AnimBarPos,	ebx
		jmp	short loc_6080E9
; 

loc_6080B0:				; CODE XREF: RotBarUpdate()+13j
		mov	ebx, ds:_PaletteNum
		mov	cl, bl
		call	_FadePalette@4	; FadePalette(x)
		mov	eax, ds:_PalettePtr
		xor	ecx, ecx
		inc	ebx
		mov	ds:_PaletteNum,	ebx
		mov	[eax+4], ecx
		cmp	ebx, 14h
		jl	short loc_6080E7
		mov	ds:_PltRotBarStatus, 2
		mov	ds:_PaletteNum,	1

loc_6080E7:				; CODE XREF: RotBarUpdate()+1CAj
		xor	ebx, ebx

loc_6080E9:				; CODE XREF: RotBarUpdate()+27j
					; RotBarUpdate()+19Fj ...
		call	_InbvGetDisplayState@0 ; InbvGetDisplayState()
		test	eax, eax
		jnz	short loc_608103
		push	1E0h
		push	ebx
		push	offset _PaletteBmp
		call	ds:__imp__VidBitBlt@12 ; VidBitBlt(x,x,x)

loc_608103:				; CODE XREF: RotBarUpdate()+Aj
					; RotBarUpdate()+21j ...
		pop	ebx
		retn
_RotBarUpdate@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgkAcquireDisplayOwnership()
_BgkAcquireDisplayOwnership@0 proc near	; DATA XREF: .data:006B2C24o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		push	7
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_20]
		rep stosd
		pop	edi
		cmp	ds:byte_6D4C7B,	al
		jz	short loc_60813E
		cmp	ds:byte_6D4C78,	al
		jnz	short loc_60813E
		mov	dl, 1
		xor	ecx, ecx
		call	BgLibraryEnable
		jmp	short loc_608177
; 

loc_60813E:				; CODE XREF: BgkAcquireDisplayOwnership()+24j
					; BgkAcquireDisplayOwnership()+2Cj
		mov	eax, ds:dword_6D4D54
		test	eax, eax
		jz	short loc_608177
		and	[ebp+var_24], 0
		lea	ecx, [ebp+var_24]
		push	ecx
		lea	ecx, [ebp+var_20]
		push	ecx
		push	1
		call	eax
		test	eax, eax
		js	short loc_608177
		mov	dl, 1
		lea	ecx, [ebp+var_20]
		call	BgLibraryEnable
		test	eax, eax
		js	short loc_608170
		mov	ds:byte_6D4C7B,	1

loc_608170:				; CODE XREF: BgkAcquireDisplayOwnership()+62j
		and	ds:dword_6D4C74, 0

loc_608177:				; CODE XREF: BgkAcquireDisplayOwnership()+37j
					; BgkAcquireDisplayOwnership()+40j ...
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_BgkAcquireDisplayOwnership@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgkDisplayString(x)
_BgkDisplayString@4 proc near		; DATA XREF: .data:006B2C34o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_6081FE
		cmp	byte ptr [edi],	0
		jnz	short loc_60819A
		mov	al, 1
		jmp	short loc_608200
; 

loc_60819A:				; CODE XREF: BgkDisplayString(x)+11j
		mov	esi, edi
		lea	ecx, [esi+1]

loc_60819F:				; CODE XREF: BgkDisplayString(x)+21j
		mov	al, [esi]
		inc	esi
		test	al, al
		jnz	short loc_60819F
		sub	esi, ecx
		push	4B494742h
		lea	eax, ds:2[esi*2]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+arg_0], edx
		test	edx, edx
		jz	short loc_6081FE
		xor	ecx, ecx
		test	esi, esi
		jz	short loc_6081DC

loc_6081CE:				; CODE XREF: BgkDisplayString(x)+57j
		movsx	ax, byte ptr [ecx+edi]
		mov	[edx+ecx*2], ax
		inc	ecx
		cmp	ecx, esi
		jb	short loc_6081CE

loc_6081DC:				; CODE XREF: BgkDisplayString(x)+49j
		xor	eax, eax
		mov	[edx+ecx*2], ax
		mov	ecx, edx
		push	ebx
		call	_BgkDisplayStringEx@4 ;	BgkDisplayStringEx(x)
		push	4B494742h
		push	[ebp+arg_0]
		mov	bl, al
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, bl
		pop	ebx
		jmp	short loc_608200
; 

loc_6081FE:				; CODE XREF: BgkDisplayString(x)+Cj
					; BgkDisplayString(x)+43j
		xor	al, al

loc_608200:				; CODE XREF: BgkDisplayString(x)+15j
					; BgkDisplayString(x)+79j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_BgkDisplayString@4 endp


;  S U B	R O U T	I N E 


; __stdcall BgkDisplayStringEx(x)
_BgkDisplayStringEx@4 proc near		; CODE XREF: BgkDisplayString(x)+62p
					; NtDisplayString(x)+1AEp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_608287
		xor	ebx, ebx
		cmp	[esi], bx
		jnz	short loc_60821B
		mov	al, 1
		jmp	short loc_608289
; 

loc_60821B:				; CODE XREF: BgkDisplayStringEx(x)+Fj
		call	_BgkpAcquireConsole@0 ;	BgkpAcquireConsole()
		test	al, al
		jz	short loc_608287
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_608229:				; CODE XREF: BgkDisplayStringEx(x)+2Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_608229
		sub	ecx, edx
		sar	ecx, 1
		push	ebx		; int
		push	ebx		; void *
		lea	eax, ds:2[ecx*2]
		push	eax		; int
		push	esi		; int
		push	17h		; int
		call	HeadlessDispatch
		cmp	ds:byte_6D4C7A,	bl
		jnz	short loc_60825A
		cmp	ds:byte_6D4C79,	bl
		jz	short loc_60826B

loc_60825A:				; CODE XREF: BgkDisplayStringEx(x)+4Aj
		mov	ds:byte_6D4C7A,	bl
		mov	ds:byte_6D4C79,	bl
		call	_BgDisplayFade@0 ; BgDisplayFade()

loc_60826B:				; CODE XREF: BgkDisplayStringEx(x)+52j
		mov	eax, ds:dword_6D4C74
		push	esi
		call	dword ptr [eax+0Ch]
		test	eax, eax
		mov	ecx, offset unk_6B5B9C
		setns	bl
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	al, bl
		jmp	short loc_608289
; 

loc_608287:				; CODE XREF: BgkDisplayStringEx(x)+8j
					; BgkDisplayStringEx(x)+1Cj
		xor	al, al

loc_608289:				; CODE XREF: BgkDisplayStringEx(x)+13j
					; BgkDisplayStringEx(x)+7Fj
		pop	esi
		pop	ebx
		retn
_BgkDisplayStringEx@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgkNotifyDisplayOwnershipLost(x)
_BgkNotifyDisplayOwnershipLost@4 proc near ; DATA XREF:	.data:off_6B2C20o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_60829D
		mov	ds:dword_6FDF58, eax

loc_60829D:				; CODE XREF: BgkNotifyDisplayOwnershipLost(x)+Aj
		push	offset _BgkpResetDisplay@12 ; BgkpResetDisplay(x,x,x)
		push	0
		call	BgkNotifyDisplayOwnershipChange
		cmp	ds:dword_6FD1C0, 2
		jz	short loc_6082C8
		push	204h
		push	20000h
		push	0
		push	0A0000h
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)

loc_6082C8:				; CODE XREF: BgkNotifyDisplayOwnershipLost(x)+24j
		pop	ebp
		retn	4
_BgkNotifyDisplayOwnershipLost@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgkSetTextColor(x)
_BgkSetTextColor@4 proc	near		; DATA XREF: .data:006B2C48o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	esi, 10h
		jnb	short loc_6082FF
		call	_BgkpAcquireConsole@0 ;	BgkpAcquireConsole()
		test	al, al
		jz	short loc_6082FF
		push	0
		lea	eax, _Palette[esi*4]
		push	eax
		mov	eax, ds:dword_6D4C74
		call	dword ptr [eax+8]
		mov	ecx, offset unk_6B5B9C
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_6082FF:				; CODE XREF: BgkSetTextColor(x)+Cj
					; BgkSetTextColor(x)+15j
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
_BgkSetTextColor@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgkSolidColorFill(x, x, x, x, x)
_BgkSolidColorFill@20 proc near		; DATA XREF: .data:006B2C30o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_608360
		cmp	[ebp+arg_4], 0
		jnz	short loc_608360
		cmp	[ebp+arg_8], 27Fh
		jnz	short loc_608360
		cmp	[ebp+arg_C], 1DFh
		jnz	short loc_608360
		push	esi
		mov	esi, [ebp+arg_10]
		cmp	esi, 10h
		jnb	short loc_60835F
		call	_BgkpAcquireConsole@0 ;	BgkpAcquireConsole()
		test	al, al
		jz	short loc_60835F
		lea	eax, _Palette[esi*4]
		push	eax
		mov	eax, ds:dword_6D4C74
		push	0
		call	dword ptr [eax+8]
		mov	eax, ds:dword_6D4C74
		call	dword ptr [eax+4]
		mov	ecx, offset unk_6B5B9C
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_60835F:				; CODE XREF: BgkSolidColorFill(x,x,x,x,x)+2Aj
					; BgkSolidColorFill(x,x,x,x,x)+33j
		pop	esi

loc_608360:				; CODE XREF: BgkSolidColorFill(x,x,x,x,x)+9j
					; BgkSolidColorFill(x,x,x,x,x)+Fj ...
		pop	ebp
		retn	14h
_BgkSolidColorFill@20 endp


;  S U B	R O U T	I N E 


; __stdcall BgkpAcquireConsole()
_BgkpAcquireConsole@0 proc near		; CODE XREF: BgkDisplayStringEx(x):loc_60821Bp
					; BgkSetTextColor(x)+Ep ...
		mov	ecx, offset unk_6B5B9C
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		setnz	al
		retn
_BgkpAcquireConsole@0 endp


;  S U B	R O U T	I N E 


; __stdcall BgkpDisableConsole()
_BgkpDisableConsole@0 proc near		; CODE XREF: TxtpAddCacheEntry:loc_A7882Ep
		mov	edi, edi
		push	esi
		mov	esi, offset unk_6B5B9C
		mov	ecx, esi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, esi
		pop	esi
		jmp	@ExRundownCompleted@4 ;	ExRundownCompleted(x)
_BgkpDisableConsole@0 endp


;  S U B	R O U T	I N E 


; __stdcall BgkpReleaseConsole()
_BgkpReleaseConsole@0 proc near		; CODE XREF: BgkDisplayCharacter(x,x,x,x,x)+54p
					; BgkGetConsoleState(x)+23p ...
		mov	ecx, offset unk_6B5B9C
		jmp	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
_BgkpReleaseConsole@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgkpResetDisplay(x,	x, x)
_BgkpResetDisplay@12 proc near		; DATA XREF: BgkNotifyDisplayOwnershipLost(x):loc_60829Do

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[eax], ebx
		cmp	[ebp+arg_0], bl
		jz	short loc_608404
		cmp	ds:dword_6FD1C0, 2
		jz	short loc_608404
		mov	eax, ds:dword_6FDF58
		test	eax, eax
		jnz	short loc_6083C4
		mov	eax, 0C0000001h
		jmp	short loc_608409
; 

loc_6083C4:				; CODE XREF: BgkpResetDisplay(x,x,x)+26j
		push	32h
		push	50h
		call	eax
		push	1
		call	ds:__imp__VidResetDisplay@4 ; VidResetDisplay(x)
		xor	eax, eax
		mov	[esi+1], ax
		mov	eax, 280h
		mov	[esi+3], bl
		mov	[esi+14h], ebx
		mov	[esi+8], eax
		mov	[esi+0Ch], eax
		xor	eax, eax
		mov	[esi], bl
		mov	dword ptr [esi+4], 1E0h
		mov	dword ptr [esi+10h], 1
		mov	dword ptr [esi+18h], offset _BgkpVgaBltRoutine@12 ; BgkpVgaBltRoutine(x,x,x)
		jmp	short loc_608409
; 

loc_608404:				; CODE XREF: BgkpResetDisplay(x,x,x)+14j
					; BgkpResetDisplay(x,x,x)+1Dj
		mov	eax, 0C00000BBh

loc_608409:				; CODE XREF: BgkpResetDisplay(x,x,x)+2Dj
					; BgkpResetDisplay(x,x,x)+6Dj
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_BgkpResetDisplay@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgkpVgaBltRoutine(x, x, x)
_BgkpVgaBltRoutine@12 proc near		; DATA XREF: BgkpResetDisplay(x,x,x)+66o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 0
		mov	eax, [ebp+arg_0]
		jz	short loc_608434
		push	dword ptr [eax+0Ch] ; size_t
		push	0		; int
		push	dword ptr [eax+10h] ; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, 0C0000001h
		jmp	short loc_60844C
; 

loc_608434:				; CODE XREF: BgkpVgaBltRoutine(x,x,x)+Cj
		push	dword ptr [eax+10h]
		push	dword ptr [eax]
		push	dword ptr [eax+4]
		mov	eax, [ebp+arg_4]
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		call	ds:__imp__VidBitBltEx@20 ; VidBitBltEx(x,x,x,x,x)
		xor	eax, eax

loc_60844C:				; CODE XREF: BgkpVgaBltRoutine(x,x,x)+23j
		pop	ebp
		retn	0Ch
_BgkpVgaBltRoutine@12 endp


;  S U B	R O U T	I N E 


; __stdcall BvgaAcquireDisplayOwnership()
_BvgaAcquireDisplayOwnership@0 proc near
					; CODE XREF: BvgaNotifyDisplayOwnershipChange(x,x)+14p
					; DATA XREF: .data:006B2C84o
		mov	eax, ds:_BvgaResetDisplayParameters
		test	eax, eax
		jz	short loc_608468
		cmp	ds:_BvgaDisplayState, 2
		jnz	short loc_608468
		push	32h
		push	50h
		call	eax

loc_608468:				; CODE XREF: BvgaAcquireDisplayOwnership()+7j
					; BvgaAcquireDisplayOwnership()+10j
		and	ds:_BvgaDisplayState, 0
		retn
_BvgaAcquireDisplayOwnership@0 endp


;  S U B	R O U T	I N E 


; __stdcall BvgaAcquireLock()
_BvgaAcquireLock@0 proc	near		; CODE XREF: BvgaBitBlt(x,x,x)+17p
					; BvgaDisplayString(x)+Ep ...
		mov	edi, edi
		push	ebx
		push	esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		mov	esi, offset _BootDriverLock
		cmp	bl, 2
		ja	short loc_60849B

loc_608486:				; CODE XREF: BvgaAcquireLock()+1Fj
		mov	ecx, esi
		call	@KeTestSpinLock@4 ; KeTestSpinLock(x)
		test	al, al
		jz	short loc_608486
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al

loc_60849B:				; CODE XREF: BvgaAcquireLock()+14j
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		pop	esi
		mov	ds:_BvgaOldIrql, bl
		pop	ebx
		retn
_BvgaAcquireLock@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BvgaBitBlt(x, x, x)
_BvgaBitBlt@12	proc near		; DATA XREF: .data:006B2CB0o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_BvgaBootDriverInstalled, 0
		jz	short loc_6084DB
		cmp	ds:_BvgaDisplayState, 0
		jnz	short loc_6084DB
		call	_BvgaAcquireLock@0 ; BvgaAcquireLock()
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:__imp__VidBitBlt@12 ; VidBitBlt(x,x,x)
		call	_BvgaReleaseLock@0 ; BvgaReleaseLock()

loc_6084DB:				; CODE XREF: BvgaBitBlt(x,x,x)+Cj
					; BvgaBitBlt(x,x,x)+15j
		pop	ebp
		retn	0Ch
_BvgaBitBlt@12	endp


;  S U B	R O U T	I N E 


; __stdcall BvgaCheckDisplayOwnership()
_BvgaCheckDisplayOwnership@0 proc near	; DATA XREF: .data:006B2CA0o
		cmp	ds:_BvgaDisplayState, 2
		setnz	al
		retn
_BvgaCheckDisplayOwnership@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BvgaDisplayString(x)
_BvgaDisplayString@4 proc near		; DATA XREF: .data:006B2C94o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_BvgaDisplayState, 0
		jnz	short loc_608539
		call	_BvgaAcquireLock@0 ; BvgaAcquireLock()
		cmp	ds:_BvgaBootDriverInstalled, 0
		jz	short loc_60850F
		push	[ebp+arg_0]
		call	ds:__imp__VidDisplayString@4 ; VidDisplayString(x)

loc_60850F:				; CODE XREF: BvgaDisplayString(x)+1Aj
		mov	ecx, [ebp+arg_0]
		lea	edx, [ecx+1]

loc_608515:				; CODE XREF: BvgaDisplayString(x)+30j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_608515
		sub	ecx, edx
		push	0		; int
		push	0		; void *
		lea	eax, [ecx+1]
		push	eax		; int
		push	[ebp+arg_0]	; int
		push	3		; int
		call	HeadlessDispatch
		call	_BvgaReleaseLock@0 ; BvgaReleaseLock()
		mov	al, 1
		jmp	short loc_60853B
; 

loc_608539:				; CODE XREF: BvgaDisplayString(x)+Cj
		xor	al, al

loc_60853B:				; CODE XREF: BvgaDisplayString(x)+4Dj
		pop	ebp
		retn	4
_BvgaDisplayString@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BvgaEnableBootDriver(x)
_BvgaEnableBootDriver@4	proc near	; DATA XREF: .data:006B2C98o

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_BvgaBootDriverFullyInitialized, 0
		jz	short loc_60857E
		cmp	ds:_BvgaDisplayState, 2
		jge	short loc_60858B
		call	_BvgaAcquireLock@0 ; BvgaAcquireLock()
		cmp	ds:_BvgaDisplayState, 0
		jnz	short loc_60856A
		call	ds:__imp__VidCleanUp@0 ; VidCleanUp()

loc_60856A:				; CODE XREF: BvgaEnableBootDriver(x)+23j
		xor	eax, eax
		cmp	[ebp+arg_0], al
		setz	al
		mov	ds:_BvgaDisplayState, eax
		call	_BvgaReleaseLock@0 ; BvgaReleaseLock()
		jmp	short loc_60858B
; 

loc_60857E:				; CODE XREF: BvgaEnableBootDriver(x)+Cj
		xor	eax, eax
		cmp	[ebp+arg_0], al
		setz	al
		mov	ds:_BvgaDisplayState, eax

loc_60858B:				; CODE XREF: BvgaEnableBootDriver(x)+15j
					; BvgaEnableBootDriver(x)+3Dj
		pop	ebp
		retn	4
_BvgaEnableBootDriver@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BvgaGetResourceAddress(x)
_BvgaGetResourceAddress@4 proc near	; DATA XREF: .data:006B2CC0o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	eax, ds:_ResourceCount
		ja	short loc_6085A8
		mov	eax, ds:dword_6CD8DC[eax*4]
		jmp	short loc_6085AA
; 

loc_6085A8:				; CODE XREF: BvgaGetResourceAddress(x)+Ej
		xor	eax, eax

loc_6085AA:				; CODE XREF: BvgaGetResourceAddress(x)+17j
		pop	ebp
		retn	4
_BvgaGetResourceAddress@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BvgaNotifyDisplayOwnershipChange(x,	x)
_BvgaNotifyDisplayOwnershipChange@8 proc near ;	DATA XREF: .data:006B2C88o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte ptr [ebp+arg_0], 0
		jz	short loc_6085C9
		cmp	ds:_BvgaDisplayState, 0
		jz	short loc_6085D9
		call	_BvgaAcquireDisplayOwnership@0 ; BvgaAcquireDisplayOwnership()
		jmp	short loc_6085D9
; 

loc_6085C9:				; CODE XREF: BvgaNotifyDisplayOwnershipChange(x,x)+9j
		cmp	ds:_BvgaDisplayState, 2
		jz	short loc_6085D9
		push	0
		call	_BvgaNotifyDisplayOwnershipLost@4 ; BvgaNotifyDisplayOwnershipLost(x)

loc_6085D9:				; CODE XREF: BvgaNotifyDisplayOwnershipChange(x,x)+12j
					; BvgaNotifyDisplayOwnershipChange(x,x)+19j ...
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	BgkNotifyDisplayOwnershipChange
		xor	eax, eax
		pop	ebp
		retn	8
_BvgaNotifyDisplayOwnershipChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BvgaNotifyDisplayOwnershipLost(x)
_BvgaNotifyDisplayOwnershipLost@4 proc near
					; CODE XREF: BvgaNotifyDisplayOwnershipChange(x,x)+26p
					; DATA XREF: .data:off_6B2C80o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_BvgaBootDriverInstalled, 0
		jz	short loc_608625
		call	_BvgaAcquireLock@0 ; BvgaAcquireLock()
		cmp	ds:_BvgaDisplayState, 2
		jz	short loc_60860C
		call	ds:__imp__VidCleanUp@0 ; VidCleanUp()

loc_60860C:				; CODE XREF: BvgaNotifyDisplayOwnershipLost(x)+1Aj
		mov	eax, [ebp+arg_0]
		mov	ds:_BvgaDisplayState, 2
		mov	ds:_BvgaResetDisplayParameters,	eax
		call	_BvgaReleaseLock@0 ; BvgaReleaseLock()
		jmp	short loc_608637
; 

loc_608625:				; CODE XREF: BvgaNotifyDisplayOwnershipLost(x)+Cj
		mov	eax, [ebp+arg_0]
		mov	ds:_BvgaDisplayState, 2
		mov	ds:_BvgaResetDisplayParameters,	eax

loc_608637:				; CODE XREF: BvgaNotifyDisplayOwnershipLost(x)+39j
		pop	ebp
		retn	4
_BvgaNotifyDisplayOwnershipLost@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BvgaReleaseLock()
_BvgaReleaseLock@0 proc	near		; CODE XREF: BvgaBitBlt(x,x,x)+2Bp
					; BvgaDisplayString(x)+46p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ds:byte_70EFC6,	1
		push	ebx
		mov	bl, ds:_BvgaOldIrql
		jz	short loc_60865F
		mov	edx, [ebp+4]
		mov	ecx, offset _BootDriverLock
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_608669
; 

loc_60865F:				; CODE XREF: BvgaReleaseLock()+13j
		xor	ecx, ecx
		mov	eax, offset _BootDriverLock
		lock and [eax],	ecx

loc_608669:				; CODE XREF: BvgaReleaseLock()+22j
		cmp	bl, 2
		ja	short loc_608678
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_608678:				; CODE XREF: BvgaReleaseLock()+31j
		pop	ebx
		pop	ebp
		retn
_BvgaReleaseLock@0 endp


;  S U B	R O U T	I N E 


; __stdcall BvgaResetDisplay()
_BvgaResetDisplay@0 proc near		; DATA XREF: .data:006B2C8Co
		cmp	ds:_BvgaBootDriverInstalled, 0
		jz	short loc_608698
		cmp	ds:_BvgaDisplayState, 0
		jnz	short loc_608698
		push	1
		call	ds:__imp__VidResetDisplay@4 ; VidResetDisplay(x)
		mov	al, 1
		retn
; 

loc_608698:				; CODE XREF: BvgaResetDisplay()+7j
					; BvgaResetDisplay()+10j
		xor	al, al
		retn
_BvgaResetDisplay@0 endp


;  S U B	R O U T	I N E 


; __stdcall BvgaSetScrollRegion(x, x, x, x)
_BvgaSetScrollRegion@16	proc near	; DATA XREF: .data:006B2CA4o
		jmp	ds:__imp__VidSetScrollRegion@16	; VidSetScrollRegion(x,x,x,x)
_BvgaSetScrollRegion@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BvgaSetTextColor(x)
_BvgaSetTextColor@4 proc near		; DATA XREF: .data:006B2CA8o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	25h
		pop	eax
		push	0		; int
		push	0		; void *
		mov	ds:_BvgaTerminalTextColor, eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	8		; int
		push	eax		; int
		push	9		; int
		mov	[ebp+var_4], 28h
		call	HeadlessDispatch
		push	[ebp+arg_0]
		call	ds:__imp__VidSetTextColor@4 ; VidSetTextColor(x)
		leave
		retn	4
_BvgaSetTextColor@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BvgaSolidColorFill(x, x, x,	x, x)
_BvgaSolidColorFill@20 proc near	; DATA XREF: .data:006B2C90o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	ds:_BvgaDisplayState, 0
		jnz	short locret_608740
		call	_BvgaAcquireLock@0 ; BvgaAcquireLock()
		cmp	ds:_BvgaBootDriverInstalled, 0
		jz	short loc_60870B
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:__imp__VidSolidColorFill@20 ; VidSolidColorFill(x,x,x,x,x)

loc_60870B:				; CODE XREF: BvgaSolidColorFill(x,x,x,x,x)+1Cj
		push	esi
		push	28h
		pop	eax
		xor	esi, esi
		mov	ds:_BvgaTerminalBkgdColor, eax
		push	esi		; int
		push	esi		; void *
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	8		; int
		push	eax		; int
		push	9		; int
		mov	[ebp+var_8], 25h
		call	HeadlessDispatch
		push	esi		; int
		push	esi		; void *
		push	esi		; int
		push	esi		; int
		push	4		; int
		call	HeadlessDispatch
		call	_BvgaReleaseLock@0 ; BvgaReleaseLock()
		pop	esi

locret_608740:				; CODE XREF: BvgaSolidColorFill(x,x,x,x,x)+Ej
		leave
		retn	14h
_BvgaSolidColorFill@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BvgaUpdateProgressBar(x)
_BvgaUpdateProgressBar@4 proc near	; CODE XREF: BvgaIndicateProgress()+2Cp
					; DATA XREF: .data:006B2CB4o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ShowProgressBar, 0
		jz	short loc_6087BC
		cmp	ds:_BvgaBootDriverInstalled, 0
		jz	short loc_6087BC
		cmp	ds:_BvgaDisplayState, 0
		jnz	short loc_6087BC
		mov	eax, ds:dword_6CD918
		mov	ecx, 2710h
		imul	eax, [ebp+arg_0]
		push	edi
		add	eax, ds:_BvgaProgressState
		imul	eax, 12h
		cdq
		idiv	ecx
		mov	edi, eax
		test	edi, edi
		jle	short loc_6087BB
		push	esi
		xor	esi, esi

loc_608788:				; CODE XREF: BvgaUpdateProgressBar(x)+74j
		call	_BvgaAcquireLock@0 ; BvgaAcquireLock()
		mov	ecx, ds:_ProgressBarTop
		mov	edx, ds:_ProgressBarLeft
		add	edx, esi
		push	0Bh
		lea	eax, [ecx+7]
		push	eax
		lea	eax, [edx+7]
		push	eax
		push	ecx
		push	edx
		call	ds:__imp__VidSolidColorFill@20 ; VidSolidColorFill(x,x,x,x,x)
		call	_BvgaReleaseLock@0 ; BvgaReleaseLock()
		add	esi, 9
		sub	edi, 1
		jnz	short loc_608788
		pop	esi

loc_6087BB:				; CODE XREF: BvgaUpdateProgressBar(x)+3Fj
		pop	edi

loc_6087BC:				; CODE XREF: BvgaUpdateProgressBar(x)+Cj
					; BvgaUpdateProgressBar(x)+15j	...
		pop	ebp
		retn	4
_BvgaUpdateProgressBar@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 737. IoAdjustStackSizeForRedirection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAdjustStackSizeForRedirection(x, x, x)
		public _IoAdjustStackSizeForRedirection@12
_IoAdjustStackSizeForRedirection@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	0Ah
		pop	ecx
		xor	edi, edi
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	esi, [ebp+arg_0]
		mov	bh, al
		mov	eax, [ebp+arg_4]
		mov	cl, [esi+30h]
		mov	bl, [eax+30h]
		cmp	cl, bl
		jl	short loc_6087ED
		xor	bl, bl
		jmp	short loc_60882F
; 

loc_6087ED:				; CODE XREF: IoAdjustStackSizeForRedirection(x,x,x)+22j
		mov	eax, [esi+10h]
		sub	bl, cl
		mov	edx, esi
		jmp	short loc_6087FB
; 

loc_6087F6:				; CODE XREF: IoAdjustStackSizeForRedirection(x,x,x)+38j
		mov	edx, eax
		mov	eax, [edx+10h]

loc_6087FB:				; CODE XREF: IoAdjustStackSizeForRedirection(x,x,x)+2Fj
		test	eax, eax
		jnz	short loc_6087F6
		movsx	ax, byte ptr [edx+30h]
		movzx	ecx, ax
		movsx	ax, bl
		movzx	eax, ax
		add	ecx, eax
		cmp	ecx, 7Dh
		jb	short loc_608828
		mov	edi, 0C000000Dh
		jmp	short loc_60882F
; 

loc_60881C:				; CODE XREF: IoAdjustStackSizeForRedirection(x,x,x)+65j
		mov	eax, [edx+0B0h]
		add	[edx+30h], bl
		mov	edx, [eax+18h]

loc_608828:				; CODE XREF: IoAdjustStackSizeForRedirection(x,x,x)+4Ej
		cmp	edx, esi
		jnz	short loc_60881C
		add	[esi+30h], bl

loc_60882F:				; CODE XREF: IoAdjustStackSizeForRedirection(x,x,x)+26j
					; IoAdjustStackSizeForRedirection(x,x,x)+55j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jz	short loc_608850
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_60887B
; 

loc_608850:				; CODE XREF: IoAdjustStackSizeForRedirection(x,x,x)+7Dj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_60886C
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_60887B
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_60886C:				; CODE XREF: IoAdjustStackSizeForRedirection(x,x,x)+8Fj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_60887B:				; CODE XREF: IoAdjustStackSizeForRedirection(x,x,x)+89j
					; IoAdjustStackSizeForRedirection(x,x,x)+9Ej
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		js	short loc_608890
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_608890
		mov	[ecx], bl

loc_608890:				; CODE XREF: IoAdjustStackSizeForRedirection(x,x,x)+C0j
					; IoAdjustStackSizeForRedirection(x,x,x)+C7j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_IoAdjustStackSizeForRedirection@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 738. IoAllocateAdapterChannel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAllocateAdapterChannel(x,	x, x, x, x)
		public _IoAllocateAdapterChannel@20
_IoAllocateAdapterChannel@20 proc near	; DATA XREF: PAGEVRFD:00AA8080o
					; PAGEVRFD:_pXdvIoAllocateAdapterChannelo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		lea	ecx, [eax+34h]
		mov	[ecx+1Ch], eax
		mov	eax, [eax+14h]
		push	ecx
		push	[ebp+arg_0]
		mov	[ecx+20h], eax
		mov	eax, [ebp+arg_10]
		mov	[ecx+14h], eax
		call	ds:__imp__HalAllocateAdapterChannel@16 ; HalAllocateAdapterChannel(x,x,x,x)
		pop	ebp
		retn	14h
_IoAllocateAdapterChannel@20 endp


;  S U B	R O U T	I N E 


; __stdcall IoAllocateGenericErrorLogEntry(x)
_IoAllocateGenericErrorLogEntry@4 proc near ; CODE XREF: PnpLogEvent(x,x,x,x,x)+40p
					; MiLogFailedDriverLoad(x,x,x,x)+16Dp ...
		mov	edi, edi
		push	ecx
		xor	edx, edx
		xor	ecx, ecx
		call	IopAllocateErrorLogEntry
		retn
_IoAllocateGenericErrorLogEntry@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 746. IoAllocateSfioStreamIdentifier

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAllocateSfioStreamIdentifier(x, x, x, x)
		public _IoAllocateSfioStreamIdentifier@16
_IoAllocateSfioStreamIdentifier@16 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_6088F1
		mov	eax, 0C00000EFh
		jmp	short loc_60891E
; 

loc_6088F1:				; CODE XREF: IoAllocateSfioStreamIdentifier(x,x,x,x)+Aj
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_608919
		cmp	edx, 0FFFFFFEFh
		ja	short loc_608919
		cmp	[ebp+arg_8], 0
		jnz	short loc_60890A
		mov	eax, 0C00000F1h
		jmp	short loc_60891E
; 

loc_60890A:				; CODE XREF: IoAllocateSfioStreamIdentifier(x,x,x,x)+23j
		push	1
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_IopGetSetStreamIdentifier@20 ;	IopGetSetStreamIdentifier(x,x,x,x,x)
		jmp	short loc_60891E
; 

loc_608919:				; CODE XREF: IoAllocateSfioStreamIdentifier(x,x,x,x)+18j
					; IoAllocateSfioStreamIdentifier(x,x,x,x)+1Dj
		mov	eax, 0C00000F0h

loc_60891E:				; CODE XREF: IoAllocateSfioStreamIdentifier(x,x,x,x)+11j
					; IoAllocateSfioStreamIdentifier(x,x,x,x)+2Aj ...
		pop	ebp
		retn	10h
_IoAllocateSfioStreamIdentifier@16 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 751. IoAttachDeviceByPointer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAttachDeviceByPointer(x, x)
		public _IoAttachDeviceByPointer@8
_IoAttachDeviceByPointer@8 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	IopAttachDeviceToDeviceStackSafe
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFF2h
		add	eax, 0C000000Eh
		pop	ebp
		retn	8
_IoAttachDeviceByPointer@8 endp

; 
		align 10h
; Exported entry 778. IoClearIrpExtraCreateParameter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoClearIrpExtraCreateParameter(x)
		public _IoClearIrpExtraCreateParameter@4
_IoClearIrpExtraCreateParameter@4 proc near ; CODE XREF: IopSymlinkAllocateAndAddECP+12519Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+8], 80h
		jz	short loc_608962
		and	dword ptr [eax+3Ch], 0

loc_608962:				; CODE XREF: IoClearIrpExtraCreateParameter(x)+Cj
		pop	ebp
		retn	4
_IoClearIrpExtraCreateParameter@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 779. IoCompleteRequest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCompleteRequest(x, x)
		public _IoCompleteRequest@8
_IoCompleteRequest@8 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	IofCompleteRequest
		pop	ebp
		retn	8
_IoCompleteRequest@8 endp


;  S U B	R O U T	I N E 


; __stdcall IoDiskIoAttributionReference(x)
_IoDiskIoAttributionReference@4	proc near ; CODE XREF: IoDiskIoAttributionAllocate+12745Fp
		xor	eax, eax
		inc	eax
		lock xadd [ecx+10h], eax
		inc	eax
		cmp	eax, 1
		jg	short locret_608992
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

locret_608992:				; CODE XREF: IoDiskIoAttributionReference(x)+Cj
		retn
_IoDiskIoAttributionReference@4	endp

; 
		align 8
; Exported entry 831. IoFreeErrorLogEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoFreeErrorLogEntry(x)
		public _IoFreeErrorLogEntry@4
_IoFreeErrorLogEntry@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		add	esi, 0FFFFFFE0h
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_6089B0
		call	ObfDereferenceObject

loc_6089B0:				; CODE XREF: IoFreeErrorLogEntry(x)+11j
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	short loc_6089BC
		call	ObfDereferenceObject

loc_6089BC:				; CODE XREF: IoFreeErrorLogEntry(x)+1Dj
		movzx	eax, word ptr [esi+2]
		mov	ecx, offset _IopErrorLogAllocation
		neg	eax
		lock xadd [ecx], eax
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebp
		retn	4
_IoFreeErrorLogEntry@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 836. IoFreeSfioStreamIdentifier

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoFreeSfioStreamIdentifier(x, x)
		public _IoFreeSfioStreamIdentifier@8
_IoFreeSfioStreamIdentifier@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		push	0
		push	4
		pop	edx
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		mov	esi, eax
		mov	ebx, 0C0000225h
		test	esi, esi
		jz	short loc_608A6D
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	edi, 70h
		mov	byte ptr [ebp+arg_0+3],	al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi]
		cmp	ecx, esi
		jz	short loc_608A28
		mov	edx, [ebp+arg_4]

loc_608A1B:				; CODE XREF: IoFreeSfioStreamIdentifier(x,x)+49j
		mov	eax, [ecx]
		cmp	[ecx+0Ch], edx
		jz	short loc_608A3D
		mov	ecx, eax
		cmp	ecx, esi
		jnz	short loc_608A1B

loc_608A28:				; CODE XREF: IoFreeSfioStreamIdentifier(x,x)+39j
					; IoFreeSfioStreamIdentifier(x,x)+7Bj
		test	ds:byte_70EFC6,	1
		jz	short loc_608A5F
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_608A64
; 

loc_608A3D:				; CODE XREF: IoFreeSfioStreamIdentifier(x,x)+43j
		mov	edx, [ecx+4]
		cmp	[eax+4], ecx
		jnz	short loc_608A5A
		cmp	[edx], ecx
		jnz	short loc_608A5A
		push	0
		mov	[edx], eax
		push	ecx
		mov	[eax+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx
		jmp	short loc_608A28
; 

loc_608A5A:				; CODE XREF: IoFreeSfioStreamIdentifier(x,x)+66j
					; IoFreeSfioStreamIdentifier(x,x)+6Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_608A5F:				; CODE XREF: IoFreeSfioStreamIdentifier(x,x)+52j
		xor	eax, eax
		lock and [edi],	eax

loc_608A64:				; CODE XREF: IoFreeSfioStreamIdentifier(x,x)+5Ej
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_608A6D:				; CODE XREF: IoFreeSfioStreamIdentifier(x,x)+20j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	8
_IoFreeSfioStreamIdentifier@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 860. IoGetDeviceToVerify

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetDeviceToVerify(x)
		public _IoGetDeviceToVerify@4
_IoGetDeviceToVerify@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+2D8h]
		pop	ebp
		retn	4
_IoGetDeviceToVerify@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 861. IoGetDiskDeviceObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetDiskDeviceObject(x, x)
		public _IoGetDiskDeviceObject@8
_IoGetDiskDeviceObject@8 proc near	; CODE XREF: IopAttachDeviceToDeviceStackSafe+D41C2p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		cmp	[edi+24h], esi
		jz	short loc_608AAD
		mov	eax, 0C000000Dh
		jmp	loc_608BCF
; 

loc_608AAD:				; CODE XREF: IoGetDiskDeviceObject(x,x)+Fj
		push	ebx
		push	9
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, [edi+0B0h]
		xor	ebx, ebx
		inc	ebx
		mov	byte ptr [ebp+arg_0+3],	al
		mov	ecx, [ecx+28h]
		test	ecx, ecx
		jnz	short loc_608B18
		mov	ecx, large fs:20h
		lea	edi, [ecx+460h]
		test	ds:byte_70EFC6,	bl
		jz	short loc_608AEA
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_608B0E
; 

loc_608AEA:				; CODE XREF: IoGetDiskDeviceObject(x,x)+4Aj
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_608B06
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_608B0E
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_608B06:				; CODE XREF: IoGetDiskDeviceObject(x,x)+5Cj
		mov	[edi], esi
		add	eax, 4
		lock xor [eax],	ebx

loc_608B0E:				; CODE XREF: IoGetDiskDeviceObject(x,x)+56j
					; IoGetDiskDeviceObject(x,x)+6Bj
		mov	esi, 0C000000Dh
		jmp	loc_608BC3
; 

loc_608B18:				; CODE XREF: IoGetDiskDeviceObject(x,x)+35j
		cmp	[ecx+14h], esi
		jz	short loc_608B22
		test	[ecx+4], bl
		jnz	short loc_608B6D

loc_608B22:				; CODE XREF: IoGetDiskDeviceObject(x,x)+89j
		mov	eax, large fs:20h
		lea	edi, [eax+460h]
		test	ds:byte_70EFC6,	bl
		jz	short loc_608B42
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_608B66
; 

loc_608B42:				; CODE XREF: IoGetDiskDeviceObject(x,x)+A2j
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_608B5E
		mov	ecx, [edi+4]
		mov	eax, edi
		xor	edx, edx
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_608B66
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_608B5E:				; CODE XREF: IoGetDiskDeviceObject(x,x)+B4j
		add	eax, 4
		mov	[edi], esi
		lock xor [eax],	ebx

loc_608B66:				; CODE XREF: IoGetDiskDeviceObject(x,x)+AEj
					; IoGetDiskDeviceObject(x,x)+C3j
		mov	esi, 0C000026Eh
		jmp	short loc_608BC3
; 

loc_608B6D:				; CODE XREF: IoGetDiskDeviceObject(x,x)+8Ej
		mov	eax, [ebp+arg_4]
		mov	edx, 746C6644h
		mov	ecx, [ecx+0Ch]
		mov	[eax], ecx
		call	ObfReferenceObjectWithTag
		mov	eax, large fs:20h
		lea	edi, [eax+460h]
		test	ds:byte_70EFC6,	bl
		jz	short loc_608B9F
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_608BC3
; 

loc_608B9F:				; CODE XREF: IoGetDiskDeviceObject(x,x)+FFj
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_608BBB
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_608BC3
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_608BBB:				; CODE XREF: IoGetDiskDeviceObject(x,x)+111j
		mov	[edi], esi
		lea	ecx, [eax+4]
		lock xor [ecx],	ebx

loc_608BC3:				; CODE XREF: IoGetDiskDeviceObject(x,x)+81j
					; IoGetDiskDeviceObject(x,x)+D9j ...
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		pop	ebx

loc_608BCF:				; CODE XREF: IoGetDiskDeviceObject(x,x)+16j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_IoGetDiskDeviceObject@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 870. IoGetInitiatorProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetInitiatorProcess(x)
		public _IoGetInitiatorProcess@4
_IoGetInitiatorProcess@4 proc near	; CODE XREF: IopCheckInitiatorHint(x,x)+C0p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		cmp	dword ptr [ecx+7Ch], 0
		jz	short loc_608BFB
		xor	edx, edx
		push	0
		inc	edx
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		test	eax, eax
		jz	short loc_608BFB
		mov	eax, [eax+4]
		jmp	short loc_608BFD
; 

loc_608BFB:				; CODE XREF: IoGetInitiatorProcess(x)+Cj
					; IoGetInitiatorProcess(x)+1Aj
		xor	eax, eax

loc_608BFD:				; CODE XREF: IoGetInitiatorProcess(x)+1Fj
		pop	ebp
		retn	4
_IoGetInitiatorProcess@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 876. IoGetOplockKeyContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetOplockKeyContext(x)
		public _IoGetOplockKeyContext@4
_IoGetOplockKeyContext@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		push	esi
		push	6
		pop	edx
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		test	eax, eax
		jz	short loc_608C27
		test	byte ptr [eax+2], 2
		jz	short loc_608C27
		lea	esi, [eax+14h]

loc_608C27:				; CODE XREF: IoGetOplockKeyContext(x)+16j
					; IoGetOplockKeyContext(x)+1Cj
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_IoGetOplockKeyContext@4 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 882. IoGetSfioStreamIdentifier

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetSfioStreamIdentifier(x, x)
		public _IoGetSfioStreamIdentifier@8
_IoGetSfioStreamIdentifier@8 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_608C5F
		cmp	[ebp+arg_4], 0
		jz	short loc_608C5F
		push	0
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		push	[ebp+arg_4]
		call	_IopGetSetStreamIdentifier@20 ;	IopGetSetStreamIdentifier(x,x,x,x,x)
		mov	eax, [ebp+var_4]
		jmp	short locret_608C61
; 

loc_608C5F:				; CODE XREF: IoGetSfioStreamIdentifier(x,x)+Fj
					; IoGetSfioStreamIdentifier(x,x)+15j
		xor	eax, eax

locret_608C61:				; CODE XREF: IoGetSfioStreamIdentifier(x,x)+2Aj
		leave
		retn	8
_IoGetSfioStreamIdentifier@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 891. IoInitializeIrpEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IoInitializeIrpEx(void *,int,__int16,char)
		public _IoInitializeIrpEx@16
_IoInitializeIrpEx@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	dword ptr [ebp+arg_C] ;	char
		mov	esi, [ebp+arg_0]
		push	dword ptr [ebp+arg_8] ;	__int16
		push	esi		; void *
		call	IoInitializeIrp
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_608C9A
		cmp	eax, 0FFFFFFFFh
		jz	short loc_608C94
		test	dword ptr [eax+1Ch], 8000000h
		jz	short loc_608C9A

loc_608C94:				; CODE XREF: IoInitializeIrpEx(x,x,x,x)+1Fj
		mov	eax, [esi+60h]
		mov	[esi+68h], eax

loc_608C9A:				; CODE XREF: IoInitializeIrpEx(x,x,x,x)+1Aj
					; IoInitializeIrpEx(x,x,x,x)+28j
		pop	esi
		pop	ebp
		retn	10h
_IoInitializeIrpEx@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 901. IoIsFileOriginRemote

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoIsFileOriginRemote(x)
		public _IoIsFileOriginRemote@4
_IoIsFileOriginRemote@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	al, [eax+2Fh]
		and	al, 1
		pop	ebp
		retn	4
_IoIsFileOriginRemote@4	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 907. IoMakeAssociatedIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoMakeAssociatedIrp(x, x)
		public _IoMakeAssociatedIrp@8
_IoMakeAssociatedIrp@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	IoMakeAssociatedIrpPriv
		pop	ebp
		retn	8
_IoMakeAssociatedIrp@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 912. IoPageRead

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoPageRead(x, x, x,	x, x)
		public _IoPageRead@20
_IoPageRead@20	proc near		; CODE XREF: PopReadPagesFromHiberFile(x,x,x)+191p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		test	cl, 3
		jz	short loc_608CF0
		mov	eax, ecx
		and	ecx, 0FFFFFFFCh
		and	eax, 1
		xor	eax, 1
		inc	eax

loc_608CF0:				; CODE XREF: IoPageRead(x,x,x,x,x)+Dj
		mov	edx, [ebp+arg_4]
		test	dl, 1
		jz	short loc_608CFE
		or	eax, 4
		and	edx, 0FFFFFFFEh

loc_608CFE:				; CODE XREF: IoPageRead(x,x,x,x,x)+21j
		test	dl, 2
		jz	short loc_608D09
		or	eax, 8
		and	edx, 0FFFFFFFDh

loc_608D09:				; CODE XREF: IoPageRead(x,x,x,x,x)+2Cj
		push	0
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	IoPageReadEx
		pop	ebp
		retn	14h
_IoPageRead@20	endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 928. IoRaiseHardError

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRaiseHardError(x,	x, x)
		public _IoRaiseHardError@12
_IoRaiseHardError@12 proc near

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	34h
		push	offset dword_6A7EB0
		call	__SEH_prolog4_GS
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_40], ebx
		mov	[ebp+var_35], 0
		mov	edi, [ebx+50h]
		mov	[ebp+var_3C], edi
		test	byte ptr [edi+2FCh], 10h
		jnz	loc_608EE2
		mov	ecx, [edi+150h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	esi, eax
		mov	ecx, edi
		call	_IopGetThreadActiveConsoleId@4 ; IopGetThreadActiveConsoleId(x)
		lea	ecx, [esi+1]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, esi
		cmp	ecx, eax
		jnz	loc_608EE2
		mov	ecx, [ebx+60h]
		mov	eax, [ebx+8]
		and	eax, 3FF1FFFFh
		cmp	eax, 43h
		jz	short loc_608DE7
		cmp	byte ptr [ecx],	12h
		jz	short loc_608DE7
		mov	eax, large fs:124h
		mov	eax, [eax+13Ch]
		test	eax, eax
		setnz	cl
		test	eax, eax
		jnz	short loc_608DEA
		push	4350414Bh
		push	30h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_608EEC
		push	ebx
		push	0
		push	offset _IopRaiseHardError@12 ; IopRaiseHardError(x,x,x)
		push	offset _IopAbortRequest@4 ; IopAbortRequest(x)
		push	offset _IopDeallocateApc@20 ; IopDeallocateApc(x,x,x,x,x)
		movsx	ecx, byte ptr [ebx+26h]
		push	ecx
		push	edi
		push	esi
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	KeInsertQueueApc
		jmp	loc_608EF5
; 

loc_608DE7:				; CODE XREF: IoRaiseHardError(x,x,x)+5Cj
					; IoRaiseHardError(x,x,x)+61j
		mov	cl, [ebp+var_35]

loc_608DEA:				; CODE XREF: IoRaiseHardError(x,x,x)+76j
		test	cl, cl
		jz	loc_608EA5
		test	dword ptr [edi+58h], 400h
		jnz	loc_608EA5
		mov	[ebp+var_36], 1
		lea	ecx, [edi+2ECh]
		mov	[ebp+var_44], ecx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_608E9F
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		mov	eax, [ebp+var_3C]
		mov	esi, [eax+0A8h]
		mov	ecx, [eax+150h]
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	ecx, eax
		jz	short loc_608E53
		mov	[ebp+var_35], 1
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		jmp	short loc_608E57
; 

loc_608E53:				; CODE XREF: IoRaiseHardError(x,x,x)+11Dj
		mov	[ebp+var_35], 0

loc_608E57:				; CODE XREF: IoRaiseHardError(x,x,x)+12Ej
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [esi+0F28h]
		and	al, 10h
		neg	al
		sbb	al, al
		and	al, [ebp+var_36]
		mov	[ebp+var_36], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_608E87
; 

loc_608E76:				; DATA XREF: .text:006A7EC4o
		xor	eax, eax
		inc	eax
		retn
; 

loc_608E7A:				; DATA XREF: .text:006A7EC8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_40]

loc_608E87:				; CODE XREF: IoRaiseHardError(x,x,x)+151j
		cmp	[ebp+var_35], 0
		jz	short loc_608E97
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_608E97:				; CODE XREF: IoRaiseHardError(x,x,x)+168j
		mov	ecx, [ebp+var_44]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_608E9F:				; CODE XREF: IoRaiseHardError(x,x,x)+F0j
		cmp	[ebp+var_36], 0
		jnz	short loc_608EE8

loc_608EA5:				; CODE XREF: IoRaiseHardError(x,x,x)+C9j
					; IoRaiseHardError(x,x,x)+D6j
		push	72456F49h
		push	1Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_608EEC
		mov	dword ptr [edx+8], offset _IopStartApcHardError@4 ; IopStartApcHardError(x)
		mov	[edx+0Ch], edx
		and	dword ptr [edx], 0
		mov	[edx+10h], ebx
		mov	ecx, [ebp+arg_4]
		mov	[edx+14h], ecx
		mov	eax, [ebp+arg_8]
		mov	[edx+18h], eax
		push	0
		push	edx
		call	ExQueueWorkItem
		jmp	short loc_608EF5
; 

loc_608EE2:				; CODE XREF: IoRaiseHardError(x,x,x)+23j
					; IoRaiseHardError(x,x,x)+48j
		test	byte ptr [ebx+8], 40h
		jz	short loc_608EEC

loc_608EE8:				; CODE XREF: IoRaiseHardError(x,x,x)+180j
		and	dword ptr [ebx+1Ch], 0

loc_608EEC:				; CODE XREF: IoRaiseHardError(x,x,x)+8Dj
					; IoRaiseHardError(x,x,x)+197j	...
		mov	dl, 1
		mov	ecx, ebx
		call	IofCompleteRequest

loc_608EF5:				; CODE XREF: IoRaiseHardError(x,x,x)+BFj
					; IoRaiseHardError(x,x,x)+1BDj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_IoRaiseHardError@12 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 929. IoRaiseInformationalHardError

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRaiseInformationalHardError(x, x,	x)
		public _IoRaiseInformationalHardError@12
_IoRaiseInformationalHardError@12 proc near ; CODE XREF: MiCauseOverCommitPopup(x)+4Dp
					; PAGELK:0071F989p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_IopInitSystemCompletedEnoughForReInitRoutines, 0
		push	ebx
		push	esi
		push	edi
		jz	short loc_608F2D
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	short loc_608F36
		test	byte ptr [edi+2FCh], 10h
		jz	short loc_608F45

loc_608F2D:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+Fj
					; IoRaiseInformationalHardError(x,x,x)+37j ...
		xor	al, al

loc_608F2F:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+298j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_608F36:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+16j
		mov	eax, large fs:124h
		test	byte ptr [eax+2FCh], 10h
		jnz	short loc_608F2D

loc_608F45:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+1Fj
		mov	ebx, [ebp+arg_0]
		cmp	ebx, 0C000021Dh
		jz	short loc_608F2D
		cmp	ebx, 0C0000144h
		jz	short loc_608F2D
		cmp	ebx, 40000018h
		jz	short loc_608F2D
		test	edi, edi
		jnz	short loc_608F6D
		cmp	ds:dword_6CCF60, 19h
		jge	short loc_608F2D

loc_608F6D:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+56j
		cmp	ds:dword_6CCF74, 19h
		jg	short loc_608F2D
		push	72456F49h
		push	14h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_608F2D
		xor	eax, eax
		mov	[esi], eax
		mov	[esi+4], eax
		mov	[esi+0Ch], eax
		mov	[esi+10h], eax
		mov	[esi+8], ebx
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_608FE7
		movzx	eax, word ptr [ebx]
		test	ax, ax
		jz	short loc_608FE7
		push	72456F49h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_609132
		mov	cx, [ebx]
		mov	[esi+0Ch], cx
		mov	cx, [ebx]
		mov	[esi+0Eh], cx
		mov	[esi+10h], edx
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_608FE7:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+96j
					; IoRaiseInformationalHardError(x,x,x)+9Ej
		test	edi, edi
		jz	short loc_609032
		push	4350414Bh
		push	30h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_609123
		lock inc ds:dword_6CCF74
		push	esi
		xor	esi, esi
		push	esi
		push	offset _IopRaiseInformationalHardError@12 ; IopRaiseInformationalHardError(x,x,x)
		push	esi
		push	offset _IopDeallocateApc@20 ; IopDeallocateApc(x,x,x,x,x)
		push	esi
		push	edi
		push	ebx
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	esi
		push	esi
		push	esi
		push	ebx
		call	KeInsertQueueApc
		jmp	loc_6091A2
; 

loc_609032:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+DDj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset dword_6CCF58
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	ds:dword_6CCF60, 19h
		jl	short loc_609063

loc_60904F:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+173j
					; IoRaiseInformationalHardError(x,x,x)+18Ej
		test	ds:byte_70EFC6,	1
		jz	loc_609116
		mov	ecx, edi
		jmp	loc_609107
; 

loc_609063:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+141j
		mov	ecx, ds:_IopCurrentHardError
		test	ecx, ecx
		jz	short loc_60909C
		mov	eax, [esi+8]
		cmp	eax, [ecx+8]
		jnz	short loc_60909C
		mov	edx, [esi+10h]
		test	edx, edx
		jnz	short loc_609081
		cmp	[ecx+10h], edx
		jz	short loc_60904F

loc_609081:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+16Ej
		movzx	eax, word ptr [esi+0Ch]
		cmp	ax, [ecx+0Ch]
		jnz	short loc_60909C
		push	eax		; size_t
		push	dword ptr [ecx+10h] ; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_60904F

loc_60909C:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+15Fj
					; IoRaiseInformationalHardError(x,x,x)+167j ...
		mov	edi, ds:dword_6CCF50
		mov	edx, offset dword_6CCF50
		cmp	edi, edx
		jz	short loc_6090EB
		mov	eax, [esi+8]
		mov	[ebp+arg_8], eax

loc_6090B1:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+1DDj
		cmp	eax, [edi+8]
		jnz	short loc_6090E5
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jnz	short loc_6090C2
		cmp	[edi+10h], ecx
		jz	short loc_6090F9

loc_6090C2:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+1AFj
		movzx	eax, word ptr [esi+0Ch]
		cmp	ax, [edi+0Ch]
		jnz	short loc_6090E2
		push	eax		; size_t
		push	dword ptr [edi+10h] ; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_6090F9
		mov	edx, offset dword_6CCF50

loc_6090E2:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+1BEj
		mov	eax, [ebp+arg_8]

loc_6090E5:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+1A8j
		mov	edi, [edi]
		cmp	edi, edx
		jnz	short loc_6090B1

loc_6090EB:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+19Dj
		mov	eax, ds:dword_6CCF54
		cmp	[eax], edx
		jz	short loc_60913F
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_6090F9:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+1B4j
					; IoRaiseInformationalHardError(x,x,x)+1CFj
		test	ds:byte_70EFC6,	1
		jz	short loc_609111
		mov	ecx, offset dword_6CCF58

loc_609107:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+152j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_60911B
; 

loc_609111:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+1F4j
		mov	edi, offset dword_6CCF58

loc_609116:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+14Aj
		xor	eax, eax
		lock and [edi],	eax

loc_60911B:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+203j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_609123:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+F4j
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_609132
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_609132:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+B4j
					; IoRaiseInformationalHardError(x,x,x)+21Cj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_608F2D
; 

loc_60913F:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+1E6j
		push	0
		push	1
		mov	[esi], edx
		mov	[esi+4], eax
		push	0
		mov	[eax], esi
		push	offset unk_6CCF5C
		mov	ds:dword_6CCF54, esi
		call	KeReleaseSemaphore
		cmp	ds:byte_6CCF70,	0
		jnz	short loc_609178
		push	1
		push	offset _IopHardError
		mov	ds:byte_6CCF70,	1
		call	ExQueueWorkItem

loc_609178:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+257j
		test	ds:byte_70EFC6,	1
		jz	short loc_609190
		mov	edx, [ebp+4]
		mov	ecx, offset dword_6CCF58
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_60919A
; 

loc_609190:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+273j
		xor	ecx, ecx
		mov	edi, offset dword_6CCF58
		lock and [edi],	ecx

loc_60919A:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+282j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_6091A2:				; CODE XREF: IoRaiseInformationalHardError(x,x,x)+121j
		mov	al, 1
		jmp	loc_608F2F
_IoRaiseInformationalHardError@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 974. IoSetActivityIdIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetActivityIdIrp(x, x)
		public _IoSetActivityIdIrp@8
_IoSetActivityIdIrp@8 proc near		; CODE XREF: IoReuseIrp(x,x)+170p
					; IoReuseIrp(x,x)+1F4p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		mov	ecx, esi
		xor	ebx, ebx
		call	IopAllocateIrpExtension
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_6091D0
		mov	eax, 0C000009Ah
		jmp	short loc_609213
; 

loc_6091D0:				; CODE XREF: IoSetActivityIdIrp(x,x)+19j
		cmp	[ebp+arg_4], ebx
		jz	short loc_6091E3
		mov	esi, [ebp+arg_4]
		push	edi
		lea	edi, [ecx+10h]
		movsd
		movsd
		movsd
		movsd
		pop	edi
		jmp	short loc_609211
; 

loc_6091E3:				; CODE XREF: IoSetActivityIdIrp(x,x)+25j
		mov	eax, large fs:124h
		cmp	eax, [esi+50h]
		jnz	short loc_6091FD
		lea	eax, [ecx+10h]
		push	eax
		push	1
		call	EtwActivityIdControl
		mov	ebx, eax
		jmp	short loc_609202
; 

loc_6091FD:				; CODE XREF: IoSetActivityIdIrp(x,x)+3Ej
		mov	ebx, 0C00000BBh

loc_609202:				; CODE XREF: IoSetActivityIdIrp(x,x)+4Dj
		test	ebx, ebx
		jns	short loc_609211
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	_IopFreeIrpExtension@12	; IopFreeIrpExtension(x,x,x)

loc_609211:				; CODE XREF: IoSetActivityIdIrp(x,x)+33j
					; IoSetActivityIdIrp(x,x)+56j
		mov	eax, ebx

loc_609213:				; CODE XREF: IoSetActivityIdIrp(x,x)+20j
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_IoSetActivityIdIrp@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 982. IoSetDeviceToVerify

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetDeviceToVerify(x, x)
		public _IoSetDeviceToVerify@8
_IoSetDeviceToVerify@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[eax+2D8h], ecx
		pop	ebp
		retn	8
_IoSetDeviceToVerify@8 endp

; 
		align 8
; Exported entry 984. IoSetFileOrigin

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetFileOrigin(x, x)
		public _IoSetFileOrigin@8
_IoSetFileOrigin@8 proc	near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, 0C0000030h
		push	edi
		mov	edi, 1000000h
		mov	eax, [esi+2Ch]
		mov	ecx, eax
		and	ecx, edi
		cmp	[ebp+arg_4], 0
		jz	short loc_609261
		test	ecx, ecx
		jnz	short loc_60926F
		or	eax, edi
		jmp	short loc_60926A
; 

loc_609261:				; CODE XREF: IoSetFileOrigin(x,x)+1Fj
		test	ecx, ecx
		jz	short loc_60926F
		and	eax, 0FEFFFFFFh

loc_60926A:				; CODE XREF: IoSetFileOrigin(x,x)+27j
		xor	edx, edx
		mov	[esi+2Ch], eax

loc_60926F:				; CODE XREF: IoSetFileOrigin(x,x)+23j
					; IoSetFileOrigin(x,x)+2Bj
		pop	edi
		mov	eax, edx
		pop	esi
		pop	ebp
		retn	8
_IoSetFileOrigin@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 989. IoSetHardErrorOrVerifyDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetHardErrorOrVerifyDevice(x, x)
		public _IoSetHardErrorOrVerifyDevice@8
_IoSetHardErrorOrVerifyDevice@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+50h]
		test	ecx, ecx
		jz	short loc_609294
		mov	eax, [ebp+arg_4]
		mov	[ecx+2D8h], eax

loc_609294:				; CODE XREF: IoSetHardErrorOrVerifyDevice(x,x)+Dj
		pop	ebp
		retn	8
_IoSetHardErrorOrVerifyDevice@8	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 991. IoSetIoAttributionIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetIoAttributionIrp(x, x,	x)
		public _IoSetIoAttributionIrp@12
_IoSetIoAttributionIrp@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_6092D2
		test	eax, 0FFFFFFFCh
		jnz	short loc_6092D2
		test	al, 1
		jz	short loc_6092C5
		test	al, 2
		jnz	short loc_6092D2
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	IoSetDiskIoAttributionFromThread
		jmp	short loc_6092D7
; 

loc_6092C5:				; CODE XREF: IoSetIoAttributionIrp(x,x,x)+15j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	IopSetDiskIoAttributionFromProcess
		jmp	short loc_6092D7
; 

loc_6092D2:				; CODE XREF: IoSetIoAttributionIrp(x,x,x)+Aj
					; IoSetIoAttributionIrp(x,x,x)+11j ...
		mov	eax, 0C000000Dh

loc_6092D7:				; CODE XREF: IoSetIoAttributionIrp(x,x,x)+26j
					; IoSetIoAttributionIrp(x,x,x)+33j
		pop	ebp
		retn	0Ch
_IoSetIoAttributionIrp@12 endp

; 
		align 10h
; Exported entry 995. IoSetIoPriorityHintIntoFileObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetIoPriorityHintIntoFileObject(x, x)
		public _IoSetIoPriorityHintIntoFileObject@8
_IoSetIoPriorityHintIntoFileObject@8 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, [ebp+arg_4]
		cmp	esi, 5
		jb	short loc_6092FA
		mov	eax, 0C000000Dh
		jmp	short loc_609312
; 

loc_6092FA:				; CODE XREF: IoSetIoPriorityHintIntoFileObject(x,x)+11j
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_4]
		call	IopAllocateFileObjectExtension
		test	eax, eax
		js	short loc_609312
		mov	ecx, [ebp+var_4]
		lea	edx, [esi+1]
		mov	[ecx+28h], edx

loc_609312:				; CODE XREF: IoSetIoPriorityHintIntoFileObject(x,x)+18j
					; IoSetIoPriorityHintIntoFileObject(x,x)+27j
		pop	esi
		leave
		retn	8
_IoSetIoPriorityHintIntoFileObject@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetOplockKeyContext(x, x,	x)
_IoSetOplockKeyContext@12 proc near	; CODE XREF: FsRtlCheckOplockEx2+C6390p
					; FsRtlpAttachOplockKey+B5872p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	si, [ebp+arg_0]
		mov	[ebp+var_8], edx
		xor	edx, edx
		push	edi
		xor	edi, edi
		inc	edx
		mov	[ebp+var_4], edi
		push	2
		pop	eax
		cmp	si, dx
		jz	short loc_609346
		cmp	si, ax
		jz	short loc_609346
		mov	eax, 0C000000Dh
		jmp	loc_6093F6
; 

loc_609346:				; CODE XREF: IoSetOplockKeyContext(x,x,x)+1Ej
					; IoSetOplockKeyContext(x,x,x)+23j
		cmp	[ecx+7Ch], edi
		jnz	short loc_60935C
		lea	edx, [ebp+var_4]
		call	IopAllocateFileObjectExtension
		test	eax, eax
		jns	short loc_609368
		jmp	loc_6093F6
; 

loc_60935C:				; CODE XREF: IoSetOplockKeyContext(x,x,x)+32j
		lea	eax, [ebp+var_4]
		push	eax
		push	6
		pop	edx
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)

loc_609368:				; CODE XREF: IoSetOplockKeyContext(x,x,x)+3Ej
		push	ebx
		mov	ecx, offset _IopOplockFoExtLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_609380
		mov	eax, 0C000009Ah
		jmp	short loc_6093F5
; 

loc_609380:				; CODE XREF: IoSetOplockKeyContext(x,x,x)+60j
		push	2Ch		; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		movzx	eax, si
		add	esp, 0Ch
		mov	[ebx], si
		sub	eax, 1
		jz	short loc_6093C0
		sub	eax, 1
		jnz	short loc_6093D1
		mov	eax, [ebp+var_8]
		cmp	byte ptr [eax+20h], 0
		jz	short loc_6093B5
		mov	esi, eax
		lea	edi, [ebx+4]
		xor	ecx, ecx
		inc	ecx
		movsd
		movsd
		movsd
		movsd
		or	[ebx+2], cx

loc_6093B5:				; CODE XREF: IoSetOplockKeyContext(x,x,x)+8Cj
		cmp	byte ptr [eax+21h], 0
		jz	short loc_6093D1
		lea	esi, [eax+10h]
		jmp	short loc_6093C3
; 

loc_6093C0:				; CODE XREF: IoSetOplockKeyContext(x,x,x)+7Ej
		mov	esi, [ebp+var_8]

loc_6093C3:				; CODE XREF: IoSetOplockKeyContext(x,x,x)+A7j
		lea	edi, [ebx+14h]
		movsd
		push	2
		pop	eax
		movsd
		movsd
		movsd
		or	[ebx+2], ax

loc_6093D1:				; CODE XREF: IoSetOplockKeyContext(x,x,x)+83j
					; IoSetOplockKeyContext(x,x,x)+A2j
		mov	ecx, [ebp+var_4]
		push	ebx
		push	6
		pop	edx
		call	_IopSetTypeSpecificFoExtension@12 ; IopSetTypeSpecificFoExtension(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000001h
		jnz	short loc_6093F3
		mov	edx, ebx
		mov	ecx, offset _IopOplockFoExtLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)

loc_6093F3:				; CODE XREF: IoSetOplockKeyContext(x,x,x)+CEj
		mov	eax, esi

loc_6093F5:				; CODE XREF: IoSetOplockKeyContext(x,x,x)+67j
		pop	ebx

loc_6093F6:				; CODE XREF: IoSetOplockKeyContext(x,x,x)+2Aj
					; IoSetOplockKeyContext(x,x,x)+40j
		pop	edi
		pop	esi
		leave
		retn	4
_IoSetOplockKeyContext@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1007. IoSizeOfIrpEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSizeOfIrpEx(x, x)
		public _IoSizeOfIrpEx@8
_IoSizeOfIrpEx@8 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_609422
		cmp	eax, 0FFFFFFFFh
		jz	short loc_60941B
		test	dword ptr [eax+1Ch], 8000000h
		jz	short loc_609422

loc_60941B:				; CODE XREF: IoSizeOfIrpEx(x,x)+Fj
		mov	al, [ebp+arg_4]
		add	al, 2
		jmp	short loc_609425
; 

loc_609422:				; CODE XREF: IoSizeOfIrpEx(x,x)+Aj
					; IoSizeOfIrpEx(x,x)+18j
		mov	al, [ebp+arg_4]

loc_609425:				; CODE XREF: IoSizeOfIrpEx(x,x)+1Fj
		cbw
		movzx	eax, ax
		imul	eax, 24h
		add	ax, 70h
		pop	ebp
		retn	8
_IoSizeOfIrpEx@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1011. IoStartNextPacketByKey

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoStartNextPacketByKey(x, x, x)
		public _IoStartNextPacketByKey@12
_IoStartNextPacketByKey@12 proc	near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+0B0h]
		test	dword ptr [eax+24h], 100h
		jz	short loc_60946D
		mov	edx, [ebp+arg_8]
		xor	eax, eax
		cmp	[ebp+arg_4], al
		setnz	al
		dec	eax
		and	eax, 0FFFFFF80h
		add	eax, 0C0h
		push	eax
		call	IopStartNextPacketByKeyEx
		jmp	short loc_609479
; 

loc_60946D:				; CODE XREF: IoStartNextPacketByKey(x,x,x)+15j
		push	[ebp+arg_8]
		movzx	edx, [ebp+arg_4]
		call	_IopStartNextPacketByKey@12 ; IopStartNextPacketByKey(x,x,x)

loc_609479:				; CODE XREF: IoStartNextPacketByKey(x,x,x)+31j
		pop	ebp
		retn	0Ch
_IoStartNextPacketByKey@12 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1013. IoStartTimer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoStartTimer(x)
		public _IoStartTimer@4
_IoStartTimer@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+0B0h]
		test	byte ptr [eax+10h], 0Fh
		jnz	short loc_60949E
		mov	ecx, [ecx+18h]
		call	_IopEnableTimer@4 ; IopEnableTimer(x)

loc_60949E:				; CODE XREF: IoStartTimer(x)+12j
		pop	ebp
		retn	4
_IoStartTimer@4	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1016. IoStopTimer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoStopTimer(x)
		public _IoStopTimer@4
_IoStopTimer@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+18h]
		call	_IopDisableTimer@4 ; IopDisableTimer(x)
		pop	ebp
		retn	4
_IoStopTimer@4	endp

; 
		align 10h
; Exported entry 1021. IoTransferActivityId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoTransferActivityId(x, x)
		public _IoTransferActivityId@8
_IoTransferActivityId@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, offset _IoTrace_ActivityIdTransfer
		mov	ecx, esi
		call	_IopIsActivityTracingEventEnabled@4 ; IopIsActivityTracingEventEnabled(x)
		test	al, al
		jz	short loc_6094F5
		xor	eax, eax
		push	eax
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	eax
		push	eax
		push	eax
		push	esi
		push	ds:dword_6CCFD4
		push	ds:_IoTraceHandle
		call	EtwWriteEx

loc_6094F5:				; CODE XREF: IoTransferActivityId(x,x)+14j
		pop	esi
		pop	ebp
		retn	8
_IoTransferActivityId@8	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1032. IoUnregisterPriorityCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoUnregisterPriorityCallback(x)
		public _IoUnregisterPriorityCallback@4
_IoUnregisterPriorityCallback@4	proc near ; CODE XREF: IopDeleteDriver+87p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		test	dword ptr [ebx+8], 200h
		jz	loc_6095A6
		mov	eax, large fs:124h
		push	edi
		mov	[ebp+var_4], eax
		dec	word ptr [eax+13Ch]
		nop
		xor	eax, eax
		mov	edi, offset _IopUpdatePriorityCallbackRoutine
		mov	[ebp+arg_0], eax
		push	esi

loc_609533:				; CODE XREF: IoUnregisterPriorityCallback(x)+9Bj
		mov	ecx, edi
		call	ExReferenceCallBackBlock
		mov	esi, eax
		test	esi, esi
		jz	short loc_60958D
		cmp	[esi+10h], ebx
		jnz	short loc_60956A
		push	esi
		xor	edx, edx
		mov	ecx, edi
		call	ExCompareExchangeCallBack
		test	al, al
		jz	short loc_60958D
		lock dec ds:_IopUpdatePriorityCallbackRoutineCount
		mov	eax, [ebp+arg_0]
		lea	edi, _IopUpdatePriorityCallbackRoutine[eax*4]
		mov	ecx, [edi]
		mov	eax, ecx
		jmp	short loc_6095BA
; 

loc_60956A:				; CODE XREF: IoUnregisterPriorityCallback(x)+44j
		mov	ecx, [edi]
		mov	eax, ecx
		jmp	short loc_60957F
; 

loc_609570:				; CODE XREF: IoUnregisterPriorityCallback(x)+85j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_60958D
		mov	ecx, eax

loc_60957F:				; CODE XREF: IoUnregisterPriorityCallback(x)+6Fj
		xor	eax, esi
		cmp	eax, 7
		jb	short loc_609570
		mov	ecx, esi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_60958D:				; CODE XREF: IoUnregisterPriorityCallback(x)+3Fj
					; IoUnregisterPriorityCallback(x)+52j ...
		mov	eax, [ebp+arg_0]
		add	edi, 4
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, 8
		jb	short loc_609533
		mov	ecx, [ebp+var_4]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_6095A4:				; CODE XREF: IoUnregisterPriorityCallback(x)+E6j
		pop	esi
		pop	edi

loc_6095A6:				; CODE XREF: IoUnregisterPriorityCallback(x)+11j
		pop	ebx
		leave
		retn	4
; 

loc_6095AB:				; CODE XREF: IoUnregisterPriorityCallback(x)+C0j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_6095C8
		mov	ecx, eax

loc_6095BA:				; CODE XREF: IoUnregisterPriorityCallback(x)+69j
		xor	eax, esi
		cmp	eax, 7
		jb	short loc_6095AB
		mov	ecx, esi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_6095C8:				; CODE XREF: IoUnregisterPriorityCallback(x)+B7j
		mov	ecx, [ebp+var_4]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, esi
		call	_ExWaitForCallBacks@4 ;	ExWaitForCallBacks(x)
		mov	ecx, esi
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)
		and	dword ptr [ebx+8], 0FFFFFDFFh
		jmp	short loc_6095A4
_IoUnregisterPriorityCallback@4	endp


;  S U B	R O U T	I N E 


; __stdcall IopCheckFileObjectExtensionFlag(x, x)
_IopCheckFileObjectExtensionFlag@8 proc	near
					; CODE XREF: IoCheckFileObjectOpenedAsCopyDestination(x)+Bp
					; IoCheckFileObjectOpenedAsCopySource(x)+Bp
		mov	eax, [ecx+7Ch]
		test	eax, eax
		jz	short loc_6095F5
		test	[eax], edx
		jz	short loc_6095F5
		mov	al, 1
		retn
; 

loc_6095F5:				; CODE XREF: IopCheckFileObjectExtensionFlag(x,x)+5j
					; IopCheckFileObjectExtensionFlag(x,x)+9j
		xor	al, al
		retn
_IopCheckFileObjectExtensionFlag@8 endp


;  S U B	R O U T	I N E 


; __stdcall IopCheckSessionDeviceAccess(x)
_IopCheckSessionDeviceAccess@4 proc near
					; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+260p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		lea	esi, [eax+1]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		call	_KeIsExecutingInArbitraryThreadContext@0 ; KeIsExecutingInArbitraryThreadContext()
		test	eax, eax
		jnz	short loc_60963A
		mov	eax, large fs:124h
		push	eax
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		test	eax, eax
		jz	short loc_60963A
		mov	eax, [eax+2F8h]
		jmp	short loc_60963F
; 

loc_60963A:				; CODE XREF: IopCheckSessionDeviceAccess(x)+28j
					; IopCheckSessionDeviceAccess(x)+38j
		mov	eax, offset _PspHostSiloGlobals

loc_60963F:				; CODE XREF: IopCheckSessionDeviceAccess(x)+40j
		mov	eax, [eax+28Ch]
		cmp	esi, [eax]
		jnz	short loc_609652
		cmp	ds:_IopSessionZeroAccessCheckEnabled, 0
		jz	short loc_609666

loc_609652:				; CODE XREF: IopCheckSessionDeviceAccess(x)+4Fj
		mov	ecx, edi
		call	_IopGetSessionIdFromPDO@4 ; IopGetSessionIdFromPDO(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_609666
		cmp	esi, eax
		jz	short loc_609666
		xor	al, al
		jmp	short loc_609668
; 

loc_609666:				; CODE XREF: IopCheckSessionDeviceAccess(x)+58j
					; IopCheckSessionDeviceAccess(x)+64j ...
		mov	al, 1

loc_609668:				; CODE XREF: IopCheckSessionDeviceAccess(x)+6Cj
		pop	edi
		pop	esi
		retn
_IopCheckSessionDeviceAccess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGetFsRegistrationInProgress()
_IopGetFsRegistrationInProgress@0 proc near
					; CODE XREF: IoEnumerateRegisteredFiltersList:loc_8F9E44p
					; IoRegisterFsRegistrationChangeMountAware:loc_935FF9p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, large fs:20h
		mov	bl, al
		test	ds:byte_70EFC6,	1
		mov	bh, ds:_IopFsRegistrationInProgress
		lea	esi, [ecx+468h]
		jz	short loc_6096A4
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6096CF
; 

loc_6096A4:				; CODE XREF: IopGetFsRegistrationInProgress()+2Bj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_6096C0
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_6096CF
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_6096C0:				; CODE XREF: IopGetFsRegistrationInProgress()+3Dj
		xor	edx, edx
		mov	dword ptr [esi], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx

loc_6096CF:				; CODE XREF: IopGetFsRegistrationInProgress()+37j
					; IopGetFsRegistrationInProgress()+4Cj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		mov	al, bh
		pop	ebx
		pop	ebp
		retn
_IopGetFsRegistrationInProgress@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGetSetStreamIdentifier(x, x, x, x, x)
_IopGetSetStreamIdentifier@20 proc near	; CODE XREF: IoAllocateSfioStreamIdentifier(x,x,x,x)+34p
					; IoGetSfioStreamIdentifier(x,x)+22p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_10]
		mov	[ebp+var_C], edx
		push	eax		; int
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax		; int
		push	dword ptr [ebp+arg_8] ;	char
		mov	edi, ecx
		mov	[ebp+var_8], ebx
		push	8		; size_t
		push	4
		pop	edx
		call	IopGetSetSpecificExtension
		mov	ecx, eax
		test	ecx, ecx
		js	loc_60985C
		mov	esi, [ebp+var_8]
		test	esi, esi
		jz	loc_60985A
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	edi, 70h
		mov	[ebp+var_1], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi]
		test	ecx, ecx
		jnz	short loc_60973C
		mov	[esi+4], esi
		mov	ecx, esi
		mov	[esi], esi

loc_60973C:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+56j
		cmp	ecx, esi
		jz	short loc_60974E
		mov	eax, [ebp+arg_0]

loc_609743:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+6Fj
		cmp	[ecx+0Ch], eax
		jz	short loc_609766
		mov	ecx, [ecx]
		cmp	ecx, esi
		jnz	short loc_609743

loc_60974E:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+61j
		test	ds:byte_70EFC6,	1
		jz	short loc_6097C0
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	esi, [ebp+var_8]
		jmp	short loc_6097C5
; 

loc_609766:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+69j
		mov	eax, [ebp+arg_4]
		cmp	[ebp+arg_8], bl
		jz	short loc_609791
		mov	[eax], ebx
		test	ds:byte_70EFC6,	1
		jz	short loc_609785
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_60978A
; 

loc_609785:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+9Aj
		xor	eax, eax
		lock and [edi],	eax

loc_60978A:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+A6j
		mov	ebx, 0C0000021h
		jmp	short loc_6097B0
; 

loc_609791:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+8Fj
		mov	ecx, [ecx+8]
		mov	[eax], ecx
		test	ds:byte_70EFC6,	1
		jz	short loc_6097AB
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6097B0
; 

loc_6097AB:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+C0j
		xor	eax, eax
		lock and [edi],	eax

loc_6097B0:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+B2j
					; IopGetSetStreamIdentifier(x,x,x,x,x)+CCj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, ebx
		jmp	loc_609863
; 

loc_6097C0:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+78j
		xor	eax, eax
		lock and [edi],	eax

loc_6097C5:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+87j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+arg_8], bl
		jz	loc_60985A
		mov	eax, [ebp+var_C]
		push	74536F49h
		add	eax, 10h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	dword ptr [ebp+arg_8], eax
		test	eax, eax
		jnz	short loc_6097FB
		mov	ecx, 0C000009Ah
		jmp	short loc_60985C
; 

loc_6097FB:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+115j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jz	short loc_609816
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_609816:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+132j
		mov	eax, dword ptr [ebp+arg_8]
		mov	[eax+4], ecx
		lea	edx, [eax+10h]
		mov	[eax], esi
		mov	[ecx], eax
		mov	ecx, [ebp+arg_0]
		mov	[esi+4], eax
		mov	[eax+8], edx
		mov	[eax+0Ch], ecx
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		test	ds:byte_70EFC6,	1
		jz	short loc_609849
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_60984E
; 

loc_609849:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+15Ej
		xor	eax, eax
		lock and [edi],	eax

loc_60984E:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+16Aj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		jmp	short loc_609863
; 

loc_60985A:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+39j
					; IopGetSetStreamIdentifier(x,x,x,x,x)+F4j
		mov	ecx, ebx

loc_60985C:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+2Ej
					; IopGetSetStreamIdentifier(x,x,x,x,x)+11Cj
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		mov	eax, ecx

loc_609863:				; CODE XREF: IopGetSetStreamIdentifier(x,x,x,x,x)+DEj
					; IopGetSetStreamIdentifier(x,x,x,x,x)+17Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_IopGetSetStreamIdentifier@20 endp


;  S U B	R O U T	I N E 


; __stdcall IopIsActivityTracingEventEnabled(x)
_IopIsActivityTracingEventEnabled@4 proc near ;	CODE XREF: IoReuseIrp(x,x)+190p
					; IoReuseIrp(x,x)+1BCp	...
		mov	edx, ds:_IoTraceHandle
		mov	eax, edx
		push	esi
		mov	esi, ds:dword_6CCFD4
		or	eax, esi
		jz	short loc_60988D
		push	ecx
		push	esi
		push	edx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_60988D
		mov	al, 1
		pop	esi
		retn
; 

loc_60988D:				; CODE XREF: IopIsActivityTracingEventEnabled(x)+11j
					; IopIsActivityTracingEventEnabled(x)+1Dj
		xor	al, al
		pop	esi
		retn
_IopIsActivityTracingEventEnabled@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopIsKnownGoodLegacyFsFilter(x)
_IopIsKnownGoodLegacyFsFilter@4	proc near
					; CODE XREF: IopAttachDeviceToDeviceStackSafe+D404Dp
					; IoRegisterFsRegistrationChangeMountAware+85F2Ap
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		movzx	ebx, word ptr [edi]

loc_60989D:				; CODE XREF: IopIsKnownGoodLegacyFsFilter(x)+34j
		movzx	eax, ds:word_404CA0[esi*8]
		cmp	ax, bx
		jnz	short loc_6098C1
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		push	ds:off_404CA4[esi*8] ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_6098C7

loc_6098C1:				; CODE XREF: IopIsKnownGoodLegacyFsFilter(x)+17j
		inc	esi
		cmp	esi, 3
		jb	short loc_60989D

loc_6098C7:				; CODE XREF: IopIsKnownGoodLegacyFsFilter(x)+2Ej
		pop	edi
		cmp	esi, 3
		pop	esi
		setb	al
		pop	ebx
		retn
_IopIsKnownGoodLegacyFsFilter@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopRemoveTimerFromTimerList(x)
_IopRemoveTimerFromTimerList@4 proc near ; CODE	XREF: IoDeleteDevice+D4166p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _IopTimerLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	esi, [edi+4]
		mov	edx, [esi]
		mov	ecx, [esi+4]
		cmp	[edx+4], esi
		jnz	short loc_609939
		cmp	[ecx], esi
		jnz	short loc_609939
		mov	[ecx], edx
		mov	[edx+4], ecx
		cmp	word ptr [edi+2], 0
		jz	short loc_609910
		dec	ds:_IopTimerCount

loc_609910:				; CODE XREF: IopRemoveTimerFromTimerList(x)+37j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _IopTimerLock
		jz	short loc_609928
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_60992D
; 

loc_609928:				; CODE XREF: IopRemoveTimerFromTimerList(x)+4Bj
		xor	eax, eax
		lock and [ecx],	eax

loc_60992D:				; CODE XREF: IopRemoveTimerFromTimerList(x)+55j
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_609939:				; CODE XREF: IopRemoveTimerFromTimerList(x)+27j
					; IopRemoveTimerFromTimerList(x)+2Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_IopRemoveTimerFromTimerList@4 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopStartNextPacketByKey(x, x, x)
_IopStartNextPacketByKey@12 proc near	; CODE XREF: IopStartNextPacketByKeyEx+81F81p
					; IoStartNextPacketByKey(x,x,x)+3Ap

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	bl, bl
		mov	[ebp+var_1], bl
		mov	esi, ecx
		test	edi, edi
		jz	short loc_609961
		push	7
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al
		mov	[ebp+var_1], al

loc_609961:				; CODE XREF: IopStartNextPacketByKey(x,x,x)+14j
		push	[ebp+arg_0]
		and	dword ptr [esi+14h], 0
		lea	ecx, [esi+60h]
		push	ecx
		call	_KeRemoveByKeyDeviceQueue@8 ; KeRemoveByKeyDeviceQueue(x,x)
		test	eax, eax
		jz	short loc_6099F1
		lea	ebx, [eax-40h]
		mov	[esi+14h], ebx
		test	edi, edi
		jz	short loc_6099E7
		mov	eax, [esi+0B0h]
		test	dword ptr [eax+24h], 200h
		jz	short loc_609992
		and	dword ptr [ebx+38h], 0

loc_609992:				; CODE XREF: IopStartNextPacketByKey(x,x,x)+4Ej
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	edi, [eax+450h]
		jz	short loc_6099B3
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6099DE
; 

loc_6099B3:				; CODE XREF: IopStartNextPacketByKey(x,x,x)+67j
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_6099CF
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_6099DE
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_6099CF:				; CODE XREF: IopStartNextPacketByKey(x,x,x)+79j
		xor	ecx, ecx
		mov	dword ptr [edi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_6099DE:				; CODE XREF: IopStartNextPacketByKey(x,x,x)+73j
					; IopStartNextPacketByKey(x,x,x)+88j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_6099E7:				; CODE XREF: IopStartNextPacketByKey(x,x,x)+3Fj
		mov	eax, [esi+8]
		push	ebx
		push	esi
		call	dword ptr [eax+30h]
		jmp	short loc_609A49
; 

loc_6099F1:				; CODE XREF: IopStartNextPacketByKey(x,x,x)+35j
		test	edi, edi
		jz	short loc_609A49
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+450h]
		jz	short loc_609A16
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_609A41
; 

loc_609A16:				; CODE XREF: IopStartNextPacketByKey(x,x,x)+CAj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_609A32
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_609A41
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_609A32:				; CODE XREF: IopStartNextPacketByKey(x,x,x)+DCj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_609A41:				; CODE XREF: IopStartNextPacketByKey(x,x,x)+D6j
					; IopStartNextPacketByKey(x,x,x)+EBj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_609A49:				; CODE XREF: IopStartNextPacketByKey(x,x,x)+B1j
					; IopStartNextPacketByKey(x,x,x)+B5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_IopStartNextPacketByKey@12 endp


;  S U B	R O U T	I N E 


IopVerifierExAllocatePoolWithQuota proc	near ; CODE XREF: IoQueryInformationByName+18C5DEp
		cmp	ds:_ViVerifierEnabled, 0
		jz	short loc_609A9A
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_609A6E
		test	byte ptr ds:dword_6FDE00, 6
		jz	short loc_609A9A

loc_609A6E:				; CODE XREF: IopVerifierExAllocatePoolWithQuota+13j
		mov	eax, ds:_MmVerifierData
		and	eax, 10h
		or	eax, 40h
		shr	eax, 1
		push	eax
		push	20206F49h
		push	edx
		push	200h
		call	ExAllocatePoolWithTagPriority
		test	eax, eax
		jnz	short locret_609AAA
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_609A9A:				; CODE XREF: IopVerifierExAllocatePoolWithQuota+7j
					; IopVerifierExAllocatePoolWithQuota+1Cj
		push	20206F49h
		push	edx
		push	200h
		call	ExAllocatePoolWithQuotaTag

locret_609AAA:				; CODE XREF: IopVerifierExAllocatePoolWithQuota+3Ej
		retn
IopVerifierExAllocatePoolWithQuota endp	; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall IopInterlockedDecrementUlong(x, x)
@IopInterlockedDecrementUlong@8	proc near
					; CODE XREF: IopDecrementDeviceObjectRefCount+D3F53p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al
		xor	eax, eax
		inc	eax
		sub	[esi], eax
		mov	eax, [esi]
		mov	edx, large fs:20h
		test	ds:byte_70EFC6,	1
		mov	[ebp+var_4], eax
		lea	esi, [edx+418h]
		lea	esi, [esi+edi*8]
		jz	short loc_609AEE
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_609B19
; 

loc_609AEE:				; CODE XREF: IopInterlockedDecrementUlong(x,x)+35j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_609B0A
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_609B19
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_609B0A:				; CODE XREF: IopInterlockedDecrementUlong(x,x)+47j
		lea	ecx, [eax+4]
		mov	dword ptr [esi], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax

loc_609B19:				; CODE XREF: IopInterlockedDecrementUlong(x,x)+41j
					; IopInterlockedDecrementUlong(x,x)+56j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@IopInterlockedDecrementUlong@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAllocateBackpocketIrp(x,	x, x)
_IopAllocateBackpocketIrp@12 proc near	; CODE XREF: IoPageReadEx+113036p
					; IoAsynchronousPageWrite+E8DE0p ...

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		mov	bl, dl
		mov	[esp+18h+var_14], ecx
		push	esi
		push	edi
		cmp	bl, ds:byte_6CCE64
		jg	loc_609D68
		cmp	[ebp+arg_0], 0
		jz	loc_609C5D
		mov	eax, ds:dword_6CCE30
		cmp	eax, large fs:124h
		jz	loc_609C09
		or	[esp+20h+var_C], 0FFFFFFFFh
		xor	edi, edi
		inc	edi
		mov	[esp+20h+var_10], 0EE1E5D00h
		mov	eax, edi
		mov	ecx, offset dword_6CCE2C
		xchg	eax, [ecx]
		cmp	eax, edi
		jnz	short loc_609BC1
		xor	esi, esi

loc_609B84:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+96j
		lea	eax, [esp+20h+var_10]
		push	eax
		push	esi
		push	esi
		push	esi
		push	offset unk_6CCE34
		call	KeWaitForSingleObject
		cmp	eax, 102h
		jnz	short loc_609BB4
		push	dword ptr [ebp+4]
		mov	ecx, [esp+24h+var_14]
		mov	dl, bl
		push	esi
		call	IopAllocateIrpExReturn
		test	eax, eax
		jnz	loc_609D6A

loc_609BB4:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+72j
		mov	eax, edi
		mov	ecx, offset dword_6CCE2C
		xchg	eax, [ecx]
		cmp	eax, edi
		jz	short loc_609B84

loc_609BC1:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+57j
		mov	esi, ds:dword_6CCE28
		mov	al, bl
		add	al, 2
		mov	ecx, 0B8h
		movzx	eax, al
		push	eax		; char
		movsx	ax, bl
		movzx	eax, ax
		imul	eax, 24h
		add	ax, cx
		movzx	eax, ax
		push	eax		; __int16
		push	esi		; void *
		call	IoInitializeIrp
		mov	eax, large fs:124h
		mov	byte ptr [esi+27h], 21h
		mov	ds:dword_6CCE30, eax

loc_609BFA:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+1DBj
		add	dword ptr [esi+60h], 0FFFFFFB8h
		mov	eax, [esi+60h]
		mov	[esi+68h], eax
		jmp	loc_609D4C
; 

loc_609C09:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+36j
		mov	esi, ds:dword_6CCE60
		test	esi, esi
		jz	short loc_609C4D
		mov	eax, [esi]
		mov	ecx, 0B8h
		mov	ds:dword_6CCE60, eax
		mov	al, bl
		add	al, 2
		movzx	eax, al
		push	eax		; char
		movsx	ax, bl
		movzx	eax, ax
		imul	eax, 24h
		add	ax, cx
		movzx	eax, ax
		push	eax		; __int16
		push	esi		; void *
		call	IoInitializeIrp
		add	dword ptr [esi+60h], 0FFFFFFB8h
		mov	eax, [esi+60h]
		mov	[esi+68h], eax
		jmp	loc_609D48
; 

loc_609C4D:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+E8j
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	11Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_609C5D:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+24j
		mov	eax, ds:dword_6CCE4C
		cmp	eax, large fs:124h
		jz	loc_609D09
		or	[esp+34h+var_18], 0FFFFFFFFh
		xor	edi, edi
		inc	edi
		mov	[esp+34h+var_1C], 0EE1E5D00h
		mov	eax, edi
		mov	ecx, offset dword_6CCE48
		xchg	eax, [ecx]
		cmp	eax, edi
		jnz	short loc_609CCB
		xor	esi, esi

loc_609C8E:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+1A0j
		lea	eax, [esp+34h+var_1C]
		push	eax
		push	esi
		push	esi
		push	esi
		push	offset unk_6CCE50
		call	KeWaitForSingleObject
		cmp	eax, 102h
		jnz	short loc_609CBE
		push	dword ptr [ebp+4]
		mov	ecx, [esp+38h+var_28]
		mov	dl, bl
		push	esi
		call	IopAllocateIrpExReturn
		test	eax, eax
		jnz	loc_609D6A

loc_609CBE:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+17Cj
		mov	eax, edi
		mov	ecx, offset dword_6CCE48
		xchg	eax, [ecx]
		cmp	eax, edi
		jz	short loc_609C8E

loc_609CCB:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+161j
		mov	esi, ds:dword_6CCE44
		mov	al, bl
		add	al, 2
		mov	ecx, 0B8h
		movzx	eax, al
		push	eax		; char
		movsx	ax, bl
		movzx	eax, ax
		imul	eax, 24h
		add	ax, cx
		movzx	eax, ax
		push	eax		; __int16
		push	esi		; void *
		call	IoInitializeIrp
		mov	eax, large fs:124h
		mov	byte ptr [esi+27h], 21h
		mov	ds:dword_6CCE4C, eax
		jmp	loc_609BFA
; 

loc_609D09:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+140j
		mov	esi, ds:dword_6CCE60
		test	esi, esi
		jz	short loc_609D68
		mov	eax, [esi]
		mov	ecx, 0B8h
		mov	ds:dword_6CCE60, eax
		mov	al, bl
		add	al, 2
		movzx	eax, al
		push	eax		; char
		movsx	ax, bl
		movzx	eax, ax
		imul	eax, 24h
		add	ax, cx
		movzx	eax, ax
		push	eax		; __int16
		push	esi		; void *
		call	IoInitializeIrp
		add	dword ptr [esi+60h], 0FFFFFFB8h
		mov	ecx, [esi+60h]
		mov	[esi+68h], ecx

loc_609D48:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+11Fj
		mov	byte ptr [esi+27h], 21h

loc_609D4C:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+DBj
		add	byte ptr [esi+22h], 0FEh
		add	byte ptr [esi+23h], 0FEh
		call	IopIsActivityTracingEnabled
		test	al, al
		jz	short loc_609D64
		mov	ecx, esi
		call	_IopInitActivityIdIrp@4	; IopInitActivityIdIrp(x)

loc_609D64:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+232j
		mov	eax, esi
		jmp	short loc_609D6A
; 

loc_609D68:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+1Aj
					; IopAllocateBackpocketIrp(x,x,x)+1E8j
		xor	eax, eax

loc_609D6A:				; CODE XREF: IopAllocateBackpocketIrp(x,x,x)+85j
					; IopAllocateBackpocketIrp(x,x,x)+18Fj	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_IopAllocateBackpocketIrp@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAllocateReserveIrp(x, x,	x)
_IopAllocateReserveIrp@12 proc near	; CODE XREF: IoPageReadEx+112FF5p
					; IoAsynchronousPageWrite+E8DCBp ...

var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		mov	bl, dl
		mov	dword ptr [esp+10h+var_C], edx
		push	esi
		push	edi
		cmp	bl, ds:byte_6CCE64
		jg	loc_609F74
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		add	bl, 2
		inc	edi
		mov	byte ptr [esp+18h+var_8], bl
		mov	[esp+18h+var_C], bl
		test	eax, eax
		jnz	loc_609E38
		mov	eax, edi
		mov	ecx, offset dword_6CCDE4
		xchg	eax, [ecx]
		cmp	eax, edi
		jnz	short loc_609DD6
		xor	esi, esi

loc_609DBB:				; CODE XREF: IopAllocateReserveIrp(x,x,x)+61j
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset unk_6CCDE8
		call	KeWaitForSingleObject
		mov	eax, edi
		mov	ecx, offset dword_6CCDE4
		xchg	eax, [ecx]
		cmp	eax, edi
		jz	short loc_609DBB

loc_609DD6:				; CODE XREF: IopAllocateReserveIrp(x,x,x)+44j
		mov	eax, [esp+18h+var_8]
		push	dword ptr [esp+18h+var_C] ; char
		cbw
		movzx	eax, ax
		imul	eax, 24h
		add	ax, 70h
		movzx	eax, ax
		push	eax		; __int16
		push	ds:_IopReserveIrps ; void *
		call	IoInitializeIrp
		mov	eax, ds:_IopReserveIrps
		mov	byte ptr [eax+27h], 21h
		mov	ecx, ds:_IopReserveIrps
		add	dword ptr [ecx+60h], 0FFFFFFB8h
		mov	eax, [ecx+60h]
		add	byte ptr [ecx+23h], 0FEh
		add	byte ptr [ecx+22h], 0FEh
		mov	[ecx+68h], eax
		call	IopIsActivityTracingEnabled
		test	al, al
		jz	short loc_609E2E
		mov	ecx, ds:_IopReserveIrps
		call	_IopInitActivityIdIrp@4	; IopInitActivityIdIrp(x)

loc_609E2E:				; CODE XREF: IopAllocateReserveIrp(x,x,x)+AEj
		mov	eax, ds:_IopReserveIrps
		jmp	loc_609F76
; 

loc_609E38:				; CODE XREF: IopAllocateReserveIrp(x,x,x)+33j
		cmp	eax, edi
		jnz	loc_609ECA
		mov	eax, edi
		mov	ecx, offset dword_6CCDFC
		xchg	eax, [ecx]
		cmp	eax, edi
		jnz	short loc_609E6A
		xor	esi, esi

loc_609E4F:				; CODE XREF: IopAllocateReserveIrp(x,x,x)+F5j
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset unk_6CCE00
		call	KeWaitForSingleObject
		mov	eax, edi
		mov	ecx, offset dword_6CCDFC
		xchg	eax, [ecx]
		cmp	eax, edi
		jz	short loc_609E4F

loc_609E6A:				; CODE XREF: IopAllocateReserveIrp(x,x,x)+D8j
		push	dword ptr [esp+18h+var_C] ; char
		movsx	ax, bl
		movzx	eax, ax
		imul	eax, 24h
		add	ax, 70h
		movzx	eax, ax
		push	eax		; __int16
		push	ds:dword_6CCDF8	; void *
		call	IoInitializeIrp
		mov	eax, ds:dword_6CCDF8
		mov	byte ptr [eax+27h], 21h
		mov	ecx, ds:dword_6CCDF8
		add	dword ptr [ecx+60h], 0FFFFFFB8h
		mov	eax, [ecx+60h]
		add	byte ptr [ecx+23h], 0FEh
		add	byte ptr [ecx+22h], 0FEh
		mov	[ecx+68h], eax
		call	IopIsActivityTracingEnabled
		test	al, al
		jz	short loc_609EC0
		mov	ecx, ds:dword_6CCDF8
		call	_IopInitActivityIdIrp@4	; IopInitActivityIdIrp(x)

loc_609EC0:				; CODE XREF: IopAllocateReserveIrp(x,x,x)+140j
		mov	eax, ds:dword_6CCDF8
		jmp	loc_609F76
; 

loc_609ECA:				; CODE XREF: IopAllocateReserveIrp(x,x,x)+C7j
		cmp	eax, 3
		jnz	loc_609F74
		xor	esi, esi
		mov	ecx, offset dword_6CCE14
		mov	[esp+18h+var_8], esi
		mov	[esp+18h+var_4], esi
		jmp	short loc_609F0F
; 

loc_609EE4:				; CODE XREF: IopAllocateReserveIrp(x,x,x)+1A2j
		or	[esp+18h+var_4], 0FFFFFFFFh
		lea	eax, [esp+18h+var_8]
		push	eax
		push	esi
		push	esi
		push	esi
		push	offset unk_6CCE18
		mov	[esp+2Ch+var_8], 0FD050F80h
		call	KeWaitForSingleObject
		cmp	eax, 102h
		jz	short loc_609F74
		mov	ecx, offset dword_6CCE14

loc_609F0F:				; CODE XREF: IopAllocateReserveIrp(x,x,x)+16Fj
		mov	eax, edi
		xchg	eax, [ecx]
		cmp	eax, edi
		jz	short loc_609EE4
		push	dword ptr [esp+18h+var_C] ; char
		movsx	ax, bl
		movzx	eax, ax
		imul	eax, 24h
		add	ax, 70h
		movzx	eax, ax
		push	eax		; __int16
		push	ds:dword_6CCE10	; void *
		call	IoInitializeIrp
		mov	eax, ds:dword_6CCE10
		mov	byte ptr [eax+27h], 21h
		mov	ecx, ds:dword_6CCE10
		add	dword ptr [ecx+60h], 0FFFFFFB8h
		mov	eax, [ecx+60h]
		add	byte ptr [ecx+23h], 0FEh
		add	byte ptr [ecx+22h], 0FEh
		mov	[ecx+68h], eax
		call	IopIsActivityTracingEnabled
		test	al, al
		jz	short loc_609F6D
		mov	ecx, ds:dword_6CCE10
		call	_IopInitActivityIdIrp@4	; IopInitActivityIdIrp(x)

loc_609F6D:				; CODE XREF: IopAllocateReserveIrp(x,x,x)+1EDj
		mov	eax, ds:dword_6CCE10
		jmp	short loc_609F76
; 

loc_609F74:				; CODE XREF: IopAllocateReserveIrp(x,x,x)+1Aj
					; IopAllocateReserveIrp(x,x,x)+15Aj ...
		xor	eax, eax

loc_609F76:				; CODE XREF: IopAllocateReserveIrp(x,x,x)+C0j
					; IopAllocateReserveIrp(x,x,x)+152j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_IopAllocateReserveIrp@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCheckHardErrorEmpty()
_IopCheckHardErrorEmpty@0 proc near	; CODE XREF: IopHardErrorThread(x):loc_95CCC6p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	bl, 1
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset dword_6CCF58
		mov	bh, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		and	ds:_IopCurrentHardError, 0
		cmp	ds:dword_6CCF50, offset	dword_6CCF50
		jnz	short loc_609FB8
		mov	ds:byte_6CCF70,	0
		xor	bl, bl

loc_609FB8:				; CODE XREF: IopCheckHardErrorEmpty()+2Ej
		test	ds:byte_70EFC6,	1
		jz	short loc_609FCD
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_609FD2
; 

loc_609FCD:				; CODE XREF: IopCheckHardErrorEmpty()+40j
		xor	eax, eax
		lock and [esi],	eax

loc_609FD2:				; CODE XREF: IopCheckHardErrorEmpty()+4Cj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn
_IopCheckHardErrorEmpty@0 endp


;  S U B	R O U T	I N E 


; __stdcall IopDecrementDeviceObjectHandleCount(x)
_IopDecrementDeviceObjectHandleCount@4 proc near
					; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+19Fp
					; IopRemoveDevice(x,x)+116p ...
		push	0
		xor	dl, dl
		call	IopDecrementDeviceObjectRef
		retn
_IopDecrementDeviceObjectHandleCount@4 endp

; 
		align 4
		db 0CCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDisableTimer(x)
_IopDisableTimer@4 proc	near		; CODE XREF: IoStopTimer(x)+Bp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _IopTimerLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	[esi+2], di
		jz	short loc_60A021
		xor	eax, eax
		mov	[esi+2], ax
		sub	ds:_IopTimerCount, 1
		jnz	short loc_60A021
		inc	edi

loc_60A021:				; CODE XREF: IopDisableTimer(x)+22j
					; IopDisableTimer(x)+31j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _IopTimerLock
		jz	short loc_60A039
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_60A03E
; 

loc_60A039:				; CODE XREF: IopDisableTimer(x)+40j
		xor	eax, eax
		lock and [ecx],	eax

loc_60A03E:				; CODE XREF: IopDisableTimer(x)+4Aj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ds:dword_70EFC8, (offset loc_7FFFFF+1)
		jz	short loc_60A062
		push	dword ptr [esi+0Ch]
		mov	edx, [esi+14h]
		mov	ecx, 0F5Eh
		call	_EtwTraceIoTimerEvent@12 ; EtwTraceIoTimerEvent(x,x,x)

loc_60A062:				; CODE XREF: IopDisableTimer(x)+63j
		test	edi, edi
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_60A073
		push	offset _IopTimer
		call	_KeCancelTimer@4 ; KeCancelTimer(x)

loc_60A073:				; CODE XREF: IopDisableTimer(x)+7Aj
		pop	ebp
		retn
_IopDisableTimer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDisassociateThreadIrp()
_IopDisassociateThreadIrp@0 proc near	; CODE XREF: IoCancelThreadIo+167F3Fp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		lea	ecx, [eax+1]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, large fs:124h
		mov	bl, al
		lea	edi, [ecx+2CCh]
		cmp	[edi], edi
		jnz	short loc_60A0AA
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_60A0A4:				; CODE XREF: IopDisassociateThreadIrp()+AAj
					; IopDisassociateThreadIrp()+17Ej ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
; 

loc_60A0AA:				; CODE XREF: IopDisassociateThreadIrp()+25j
		push	0Bh
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	esi, [edi]
		mov	bh, al
		movsx	edx, byte ptr [esi+12h]
		movsx	ecx, byte ptr [esi+13h]
		add	edx, 2
		cmp	ecx, edx
		jnz	short loc_60A121
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+470h]
		jz	short loc_60A0E6
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_60A111
; 

loc_60A0E6:				; CODE XREF: IopDisassociateThreadIrp()+63j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_60A102
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_60A111
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_60A102:				; CODE XREF: IopDisassociateThreadIrp()+75j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_60A111:				; CODE XREF: IopDisassociateThreadIrp()+6Fj
					; IopDisassociateThreadIrp()+84j
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	cl, bh
		call	esi
		mov	cl, bl
		call	esi
		jmp	short loc_60A0A4
; 

loc_60A121:				; CODE XREF: IopDisassociateThreadIrp()+4Ej
		mov	ecx, [esi+40h]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		mov	eax, [edi]
		mov	ecx, [eax]
		cmp	[eax+4], edi
		jnz	loc_60A21E
		cmp	[ecx+4], eax
		jnz	loc_60A21E
		mov	[edi], ecx
		mov	edx, offset _IopDeadIrps
		mov	[ecx+4], edi
		mov	[esi+4], esi
		mov	[esi], esi
		mov	ecx, ds:dword_6CCECC
		cmp	[ecx], edx
		jnz	loc_60A21E
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:dword_6CCECC, eax
		mov	al, [esi+13h]
		mov	edi, [esi+50h]
		cmp	al, [esi+12h]
		jg	short loc_60A195
		mov	eax, [esi+54h]
		test	eax, eax
		jz	short loc_60A195
		mov	edi, [edi+14h]
		cmp	[eax+4], edi
		jnz	short loc_60A195
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		jmp	short loc_60A197
; 

loc_60A195:				; CODE XREF: IopDisassociateThreadIrp()+101j
					; IopDisassociateThreadIrp()+108j ...
		xor	edi, edi

loc_60A197:				; CODE XREF: IopDisassociateThreadIrp()+11Ej
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+470h]
		jz	short loc_60A1B8
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_60A1E3
; 

loc_60A1B8:				; CODE XREF: IopDisassociateThreadIrp()+135j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_60A1D4
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_60A1E3
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_60A1D4:				; CODE XREF: IopDisassociateThreadIrp()+147j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_60A1E3:				; CODE XREF: IopDisassociateThreadIrp()+141j
					; IopDisassociateThreadIrp()+156j
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	cl, bh
		call	esi
		mov	cl, bl
		call	esi
		test	edi, edi
		jz	loc_60A0A4
		push	30h
		push	edi
		call	_IoAllocateErrorLogEntry@8 ; IoAllocateErrorLogEntry(x,x)
		test	eax, eax
		jz	short loc_60A212
		push	eax
		mov	dword ptr [eax+0Ch], 80040036h
		call	IoWriteErrorLogEntry

loc_60A212:				; CODE XREF: IopDisassociateThreadIrp()+18Ej
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	loc_60A0A4
; 

loc_60A21E:				; CODE XREF: IopDisassociateThreadIrp()+C0j
					; IopDisassociateThreadIrp()+C9j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_IopDisassociateThreadIrp@0 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopEnableTimer(x)
_IopEnableTimer@4 proc near		; CODE XREF: IoStartTimer(x)+17p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _IopTimerLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	word ptr [esi+2], 0
		jnz	short loc_60A27B
		cmp	ds:_IopTimerCount, 0
		jnz	short loc_60A26E
		push	offset _IopTimerDpc
		push	23h
		push	3E8h
		push	0FFFFFFFFh
		push	0FF676980h
		push	offset _IopTimer
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)

loc_60A26E:				; CODE XREF: IopEnableTimer(x)+2Cj
		inc	ds:_IopTimerCount
		xor	eax, eax
		inc	eax
		mov	[esi+2], ax

loc_60A27B:				; CODE XREF: IopEnableTimer(x)+23j
		test	ds:byte_70EFC6,	1
		jz	short loc_60A290
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_60A295
; 

loc_60A290:				; CODE XREF: IopEnableTimer(x)+5Fj
		xor	eax, eax
		lock and [edi],	eax

loc_60A295:				; CODE XREF: IopEnableTimer(x)+6Bj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ds:dword_70EFC8, 800000h
		jz	short loc_60A2B9
		push	dword ptr [esi+0Ch]
		mov	edx, [esi+14h]
		mov	ecx, 0F5Dh
		call	_EtwTraceIoTimerEvent@12 ; EtwTraceIoTimerEvent(x,x,x)

loc_60A2B9:				; CODE XREF: IopEnableTimer(x)+84j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_IopEnableTimer@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopExceptionFilter(x, x)
_IopExceptionFilter@8 proc near		; CODE XREF: .text:00522B66p
					; IopProcessBufferedIoCompletion(x,x)+66p ...
		mov	eax, [ecx]
		mov	eax, [eax]
		mov	[edx], eax
		cmp	eax, 0C0000006h
		jnz	short loc_60A2D8
		mov	ecx, [ecx]
		cmp	dword ptr [ecx+10h], 3
		jb	short loc_60A2D8
		mov	eax, [ecx+1Ch]
		mov	[edx], eax

loc_60A2D8:				; CODE XREF: IopExceptionFilter(x,x)+Bj
					; IopExceptionFilter(x,x)+13j
		cmp	eax, 80000002h
		jnz	short loc_60A2E5
		mov	dword ptr [edx], 0C00002C5h

loc_60A2E5:				; CODE XREF: IopExceptionFilter(x,x)+1Fj
		xor	eax, eax
		inc	eax
		retn
_IopExceptionFilter@8 endp


;  S U B	R O U T	I N E 


; __stdcall IopExceptionFilterMode(x)
_IopExceptionFilterMode@4 proc near	; CODE XREF: sub_925E4E+Dp
					; sub_925EA4+Dp
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
_IopExceptionFilterMode@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopFreeBackpocketIrp(x, x)
_IopFreeBackpocketIrp@8	proc near	; CODE XREF: IopFreeReserveIrp(x,x)+5Ej
		cmp	ecx, ds:dword_6CCE28
		jnz	short loc_60A317
		and	ds:dword_6CCE30, 0
		nop
		xor	eax, eax
		mov	ecx, offset dword_6CCE2C
		xchg	eax, [ecx]
		push	0
		movsx	eax, dl
		push	eax
		push	offset unk_6CCE34
		jmp	short loc_60A33B
; 

loc_60A317:				; CODE XREF: IopFreeBackpocketIrp(x,x)+6j
		cmp	ecx, ds:dword_6CCE44
		jnz	short loc_60A341
		and	ds:dword_6CCE4C, 0
		nop
		xor	eax, eax
		mov	ecx, offset dword_6CCE48
		xchg	eax, [ecx]
		push	0
		movsx	eax, dl
		push	eax
		push	offset unk_6CCE50

loc_60A33B:				; CODE XREF: IopFreeBackpocketIrp(x,x)+24j
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		retn
; 

loc_60A341:				; CODE XREF: IopFreeBackpocketIrp(x,x)+2Cj
		mov	eax, ds:dword_6CCE60
		mov	[ecx], eax
		mov	ds:dword_6CCE60, ecx
		retn
_IopFreeBackpocketIrp@8	endp


;  S U B	R O U T	I N E 


; __stdcall IopFreeReserveIrp(x, x)
_IopFreeReserveIrp@8 proc near		; CODE XREF: IopFreeIrp+82378p
		and	byte ptr [ecx+27h], 0DEh
		cmp	ecx, ds:_IopReserveIrps
		jnz	short loc_60A36F
		xor	eax, eax
		mov	ecx, offset dword_6CCDE4
		xchg	eax, [ecx]
		push	0
		push	1
		push	offset unk_6CCDE8
		jmp	short loc_60A3A5
; 

loc_60A36F:				; CODE XREF: IopFreeReserveIrp(x,x)+Aj
		cmp	ecx, ds:dword_6CCDF8
		jnz	short loc_60A38B
		xor	eax, eax
		mov	ecx, offset dword_6CCDFC
		xchg	eax, [ecx]
		push	0
		push	1
		push	offset unk_6CCE00
		jmp	short loc_60A3A5
; 

loc_60A38B:				; CODE XREF: IopFreeReserveIrp(x,x)+26j
		cmp	ecx, ds:dword_6CCE10
		jnz	short loc_60A3AB
		xor	eax, eax
		mov	ecx, offset dword_6CCE14
		xchg	eax, [ecx]
		push	0
		push	1
		push	offset unk_6CCE18

loc_60A3A5:				; CODE XREF: IopFreeReserveIrp(x,x)+1Ej
					; IopFreeReserveIrp(x,x)+3Aj
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		retn
; 

loc_60A3AB:				; CODE XREF: IopFreeReserveIrp(x,x)+42j
		mov	dl, 1
		jmp	_IopFreeBackpocketIrp@8	; IopFreeBackpocketIrp(x,x)
_IopFreeReserveIrp@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGetDriverPathInformation(x, x, x)
_IopGetDriverPathInformation@12	proc near ; CODE XREF: PAGE:007F755Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, edx
		add	eax, 0FFFFFFF8h
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		cmp	eax, [esi+4]
		jnb	short loc_60A3DB
		mov	eax, 0C000000Dh
		jmp	loc_60A4A2
; 

loc_60A3DB:				; CODE XREF: IopGetDriverPathInformation(x,x,x)+1Dj
		lea	eax, [esi+8]
		mov	[ebp+var_8], eax
		movzx	eax, word ptr [esi+4]
		mov	word ptr [ebp+var_C], ax
		mov	word ptr [ebp+var_C+2],	ax
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	ecx
		push	ds:_IoDriverObjectType
		lea	eax, [ebp+var_C]
		push	ecx
		push	ecx
		push	40h
		push	eax
		call	ObReferenceObjectByName
		test	eax, eax
		js	loc_60A4A2
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, [edi+8]
		mov	bl, al
		test	ecx, ecx
		jz	short loc_60A437
		mov	ecx, [ecx+8]
		test	ecx, ecx
		jz	short loc_60A437
		mov	edx, [ebp+var_4]
		call	_IopVerifyDriverObjectOnStack@8	; IopVerifyDriverObjectOnStack(x,x)
		test	al, al
		jz	short loc_60A437
		xor	eax, eax
		inc	eax
		jmp	short loc_60A442
; 

loc_60A437:				; CODE XREF: IopGetDriverPathInformation(x,x,x)+6Bj
					; IopGetDriverPathInformation(x,x,x)+72j ...
		mov	edx, [ebp+var_4]
		mov	ecx, [edi+4]
		call	_IopVerifyDriverObjectOnStack@8	; IopVerifyDriverObjectOnStack(x,x)

loc_60A442:				; CODE XREF: IopGetDriverPathInformation(x,x,x)+83j
		mov	[esi], al
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+468h]
		jz	short loc_60A465
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_60A490
; 

loc_60A465:				; CODE XREF: IopGetDriverPathInformation(x,x,x)+A5j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_60A481
		mov	ecx, [esi+4]
		mov	eax, esi
		xor	edx, edx
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_60A490
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_60A481:				; CODE XREF: IopGetDriverPathInformation(x,x,x)+B7j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_60A490:				; CODE XREF: IopGetDriverPathInformation(x,x,x)+B1j
					; IopGetDriverPathInformation(x,x,x)+C6j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject
		xor	eax, eax

loc_60A4A2:				; CODE XREF: IopGetDriverPathInformation(x,x,x)+24j
					; IopGetDriverPathInformation(x,x,x)+56j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_IopGetDriverPathInformation@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopInitActivityIdIrp(x)
_IopInitActivityIdIrp@4	proc near	; CODE XREF: IopAllocateIrpWithExtension(x,x,x,x)+46p
					; IopAllocateIrpPrivate+C6B94p	...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_42		= byte ptr -42h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_30		= dword	ptr -30h
ms_exc		= CPPEH_RECORD ptr -18h

		push	40h
		push	offset dword_6A7F90
		call	__SEH_prolog4_GS
		mov	[ebp+var_50], ecx
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_40]
		stosd
		stosd
		stosd
		stosd
		xor	ebx, ebx
		mov	[ebp+var_41], bl
		mov	[ebp+var_48], ebx
		mov	[ebp+var_4C], ebx
		mov	esi, large fs:124h
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jnz	loc_60A5B9
		mov	esi, [esi+35Ch]
		test	esi, esi
		jz	short loc_60A516
		mov	edi, offset _IoTrace_KernelIo_AllocateIrp
		mov	ecx, edi
		call	_IopIsActivityTracingEventEnabled@4 ; IopIsActivityTracingEventEnabled(x)
		test	al, al
		jz	loc_60A5AE
		mov	[ebp+var_48], esi
		mov	[ebp+var_4C], edi
		jmp	loc_60A5B9
; 

loc_60A516:				; CODE XREF: IopInitActivityIdIrp(x)+4Cj
		call	_PnpIsSafeToExamineUserModeTeb@0 ; PnpIsSafeToExamineUserModeTeb()
		test	al, al
		jz	loc_60A5B9
		mov	eax, [ebp+var_50]
		mov	al, [eax+27h]
		and	al, 21h
		cmp	al, 21h
		jz	loc_60A5B9
		mov	[ebp+var_42], bl
		mov	[ebp+ms_exc.disabled], ebx
		cmp	large fs:18h, ebx
		jz	short loc_60A55A
		mov	esi, large fs:18h
		add	esi, 0F50h
		lea	edi, [ebp+var_40]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+var_42], 1

loc_60A55A:				; CODE XREF: IopInitActivityIdIrp(x)+97j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_60A573
; 

loc_60A563:				; DATA XREF: .text:006A7FA4o
		xor	eax, eax
		inc	eax
		retn
; 

loc_60A567:				; DATA XREF: .text:006A7FA8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx

loc_60A573:				; CODE XREF: IopInitActivityIdIrp(x)+B8j
		cmp	[ebp+var_42], 0
		jz	short loc_60A5B9
		push	10h		; size_t
		lea	eax, [ebp+var_40]
		push	eax		; void *
		push	offset _GUID_NULL ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_60A5B9
		mov	esi, offset _IoTrace_UserInitiatedIo
		mov	ecx, esi
		call	_IopIsActivityTracingEventEnabled@4 ; IopIsActivityTracingEventEnabled(x)
		test	al, al
		jz	short loc_60A5AB
		lea	eax, [ebp+var_40]
		mov	[ebp+var_48], eax
		mov	[ebp+var_4C], esi
		jmp	short loc_60A5B9
; 

loc_60A5AB:				; CODE XREF: IopInitActivityIdIrp(x)+F5j
		lea	esi, [ebp+var_40]

loc_60A5AE:				; CODE XREF: IopInitActivityIdIrp(x)+5Cj
		lea	edi, [ebp+var_30]
		movsd
		movsd
		movsd
		mov	[ebp+var_41], 1
		movsd

loc_60A5B9:				; CODE XREF: IopInitActivityIdIrp(x)+3Ej
					; IopInitActivityIdIrp(x)+68j ...
		cmp	[ebp+var_41], 0
		jnz	short loc_60A5CA
		lea	eax, [ebp+var_30]
		push	eax
		push	3
		call	EtwActivityIdControl

loc_60A5CA:				; CODE XREF: IopInitActivityIdIrp(x)+114j
		lea	eax, [ebp+var_30]
		push	eax
		mov	esi, [ebp+var_50]
		push	esi
		call	_IoSetActivityIdIrp@8 ;	IoSetActivityIdIrp(x,x)
		test	eax, eax
		js	short loc_60A608
		mov	eax, [esi+68h]
		or	word ptr [eax],	2
		cmp	[ebp+var_48], 0
		jz	short loc_60A608
		push	ebx
		push	ebx
		push	[ebp+var_48]
		lea	eax, [ebp+var_30]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_4C]
		push	ds:dword_6CCFD4
		push	ds:_IoTraceHandle
		call	EtwWriteEx

loc_60A608:				; CODE XREF: IopInitActivityIdIrp(x)+130j
					; IopInitActivityIdIrp(x)+13Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopInitActivityIdIrp@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopIrpExtensionControl(x, x)
_IopIrpExtensionControl@8 proc near	; CODE XREF: IopEtwEnableCallback(x,x,x,x,x,x,x,x,x):loc_95CB51p
					; IoRegisterIoTracking(x,x)+A8p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, edx
		stosd
		lea	edx, [ebp+var_C]
		mov	ebx, ecx
		mov	ecx, offset _IopFunctionPointerLock
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	edx, edx
		inc	edx
		cmp	esi, edx
		jnz	short loc_60A673
		mov	eax, ds:_IopIrpExtensionStatus
		xor	cl, cl
		test	eax, eax
		jnz	short loc_60A650
		mov	cl, dl

loc_60A650:				; CODE XREF: IopIrpExtensionControl(x,x)+34j
		or	eax, ebx
		mov	ds:_IopIrpExtensionStatus, eax
		test	bl, dl
		jz	short loc_60A661
		inc	ds:dword_6FDA3C

loc_60A661:				; CODE XREF: IopIrpExtensionControl(x,x)+41j
		test	bl, 2
		jz	short loc_60A66C
		inc	ds:dword_6FDA40

loc_60A66C:				; CODE XREF: IopIrpExtensionControl(x,x)+4Cj
		cmp	cl, dl
		jnz	short loc_60A6B3
		push	edx
		jmp	short loc_60A6A8
; 

loc_60A673:				; CODE XREF: IopIrpExtensionControl(x,x)+29j
		test	bl, dl
		jz	short loc_60A687
		sub	ds:dword_6FDA3C, 1
		jnz	short loc_60A687
		and	ds:_IopIrpExtensionStatus, 0FFFFFFFEh

loc_60A687:				; CODE XREF: IopIrpExtensionControl(x,x)+5Dj
					; IopIrpExtensionControl(x,x)+66j
		test	bl, 2
		jz	short loc_60A69C
		sub	ds:dword_6FDA40, 1
		jnz	short loc_60A69C
		and	ds:_IopIrpExtensionStatus, 0FFFFFFFDh

loc_60A69C:				; CODE XREF: IopIrpExtensionControl(x,x)+72j
					; IopIrpExtensionControl(x,x)+7Bj
		cmp	ds:_IopIrpExtensionStatus, 0
		jnz	short loc_60A6B3
		push	edx
		xor	dl, dl

loc_60A6A8:				; CODE XREF: IopIrpExtensionControl(x,x)+59j
		push	4
		pop	ecx
		call	_IopUpdateFunctionPointers@12 ;	IopUpdateFunctionPointers(x,x,x)
		xor	edx, edx
		inc	edx

loc_60A6B3:				; CODE XREF: IopIrpExtensionControl(x,x)+56j
					; IopIrpExtensionControl(x,x)+8Bj
		pop	edi
		pop	esi
		pop	ebx
		test	ds:byte_70EFC6,	dl
		jz	short loc_60A6CB
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_60A6FA
; 

loc_60A6CB:				; CODE XREF: IopIrpExtensionControl(x,x)+A4j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_60A6ED
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_60A6FA
		call	KxWaitForLockChainValid
		xor	edx, edx
		inc	edx

loc_60A6ED:				; CODE XREF: IopIrpExtensionControl(x,x)+B8j
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	edx

loc_60A6FA:				; CODE XREF: IopIrpExtensionControl(x,x)+B1j
					; IopIrpExtensionControl(x,x)+CBj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn
_IopIrpExtensionControl@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLogEventIoMgrMountBegin(x, x, x)
_IopLogEventIoMgrMountBegin@12 proc near ; CODE	XREF: IopMountVolume+13C994p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_38], edx
		mov	[ebp+var_44], ecx
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_40], eax
		shr	ax, 1
		cmp	byte ptr ds:dword_7051D4, 0
		movzx	eax, ax
		mov	[ebp+var_3C], eax
		jz	short loc_60A7AB
		push	esi
		mov	esi, ds:dword_6CCFDC
		push	edi
		mov	edi, ds:_IoMgrTraceHandle
		push	offset _IoMgr_MountBegin
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_60A7A9
		mov	eax, [ebp+var_38]
		xor	ecx, ecx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_24], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_40]
		movzx	eax, ax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	[ebp+var_44]
		mov	[ebp+var_30], ecx
		push	offset _IoMgr_MountBegin
		push	esi
		push	edi
		mov	[ebp+var_2C], 10h
		mov	[ebp+var_28], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], 2
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_60A7A9:				; CODE XREF: IopLogEventIoMgrMountBegin(x,x,x)+50j
		pop	edi
		pop	esi

loc_60A7AB:				; CODE XREF: IopLogEventIoMgrMountBegin(x,x,x)+32j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_IopLogEventIoMgrMountBegin@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLogEventIoMgrMountFailed(x, x, x, x)
_IopLogEventIoMgrMountFailed@16	proc near ; CODE XREF: IopMountVolume+13CB2Fp

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_48], edx
		mov	[ebp+var_54], ecx
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_50], eax
		shr	ax, 1
		cmp	byte ptr ds:dword_7051D4, 0
		movzx	eax, ax
		mov	[ebp+var_4C], eax
		jz	loc_60A875
		push	esi
		mov	esi, ds:dword_6CCFDC
		push	edi
		mov	edi, ds:_IoMgrTraceHandle
		push	offset _IoMgr_MountFailed
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_60A873
		mov	eax, [ebp+var_48]
		xor	edx, edx
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_34], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_50]
		movzx	eax, ax
		push	4
		pop	ecx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	[ebp+var_54]
		mov	[ebp+var_40], edx
		push	offset _IoMgr_MountFailed
		push	esi
		push	edi
		mov	[ebp+var_3C], 10h
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], 2
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_60A873:				; CODE XREF: IopLogEventIoMgrMountFailed(x,x,x,x)+54j
		pop	edi
		pop	esi

loc_60A875:				; CODE XREF: IopLogEventIoMgrMountFailed(x,x,x,x)+32j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_IopLogEventIoMgrMountFailed@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLogEventIoMgrMountSucceeded(x, x, x)
_IopLogEventIoMgrMountSucceeded@12 proc	near ; CODE XREF: IopMountVolume+13CB26p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_38], edx
		mov	[ebp+var_44], ecx
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_40], eax
		shr	ax, 1
		cmp	byte ptr ds:dword_7051D4, 0
		movzx	eax, ax
		mov	[ebp+var_3C], eax
		jz	short loc_60A92A
		push	esi
		mov	esi, ds:dword_6CCFDC
		push	edi
		mov	edi, ds:_IoMgrTraceHandle
		push	offset _IoMgr_MountSucceeded
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_60A928
		mov	eax, [ebp+var_38]
		xor	ecx, ecx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_24], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_40]
		movzx	eax, ax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	[ebp+var_44]
		mov	[ebp+var_30], ecx
		push	offset _IoMgr_MountSucceeded
		push	esi
		push	edi
		mov	[ebp+var_2C], 10h
		mov	[ebp+var_28], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], 2
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_60A928:				; CODE XREF: IopLogEventIoMgrMountSucceeded(x,x,x)+50j
		pop	edi
		pop	esi

loc_60A92A:				; CODE XREF: IopLogEventIoMgrMountSucceeded(x,x,x)+32j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_IopLogEventIoMgrMountSucceeded@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopReferenceVerifyVpb(x, x,	x)
_IopReferenceVerifyVpb@12 proc near	; CODE XREF: IoVerifyVolume(x,x)+5Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	9
		mov	esi, ecx
		mov	edi, edx
		pop	ecx
		xor	bl, bl
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	edx, [ebp+arg_0]
		mov	bh, al
		and	dword ptr [edi], 0
		mov	ecx, [esi+24h]
		and	dword ptr [edx], 0
		test	ecx, ecx
		jz	short loc_60A977
		test	byte ptr [ecx+4], 1
		jz	short loc_60A977
		mov	eax, [ecx+8]
		inc	bl
		mov	[edx], eax
		xor	dl, dl
		mov	[edi], ecx
		call	IopIncrementVpbRefCount

loc_60A977:				; CODE XREF: IopReferenceVerifyVpb(x,x,x)+26j
					; IopReferenceVerifyVpb(x,x,x)+2Cj
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+460h]
		jz	short loc_60A998
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_60A9C3
; 

loc_60A998:				; CODE XREF: IopReferenceVerifyVpb(x,x,x)+51j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_60A9B4
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_60A9C3
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_60A9B4:				; CODE XREF: IopReferenceVerifyVpb(x,x,x)+63j
		lea	ecx, [eax+4]
		mov	dword ptr [esi], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax

loc_60A9C3:				; CODE XREF: IopReferenceVerifyVpb(x,x,x)+5Dj
					; IopReferenceVerifyVpb(x,x,x)+72j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
_IopReferenceVerifyVpb@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopRemoveHardErrorPacket()
_IopRemoveHardErrorPacket@0 proc near	; CODE XREF: IopHardErrorThread(x)+22p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset dword_6CCF58
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, ds:dword_6CCF50
		mov	eax, offset dword_6CCF50
		mov	edx, [esi]
		cmp	[esi+4], eax
		jnz	short loc_60AA3F
		cmp	[edx+4], esi
		jnz	short loc_60AA3F
		mov	ds:dword_6CCF50, edx
		mov	[edx+4], eax
		test	ds:byte_70EFC6,	1
		mov	ds:_IopCurrentHardError, esi
		jz	short loc_60AA2B
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_60AA30
; 

loc_60AA2B:				; CODE XREF: IopRemoveHardErrorPacket()+49j
		xor	eax, eax
		lock and [edi],	eax

loc_60AA30:				; CODE XREF: IopRemoveHardErrorPacket()+55j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_60AA3F:				; CODE XREF: IopRemoveHardErrorPacket()+2Cj
					; IopRemoveHardErrorPacket()+31j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_IopRemoveHardErrorPacket@0 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopTimerDispatch(x,	x, x, x)
_IopTimerDispatch@16 proc near		; DATA XREF: INIT:00AC2A94o

var_36		= byte ptr -36h
var_34		= dword	ptr -34h
var_2E		= byte ptr -2Eh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		mov	ebx, ds:dword_70EFC8
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_4]
		and	ebx, (offset loc_7FFFFF+1)
		push	edi
		cmp	[esi], eax
		jz	loc_60AB3A
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _IopTimerLock
		mov	[esp+13h], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [esi]
		mov	esi, ds:_IopTimerQueueHead
		mov	[esp+40h+var_2C], eax
		cmp	esi, offset _IopTimerQueueHead
		jz	short loc_60AB16

loc_60AAA0:				; CODE XREF: IopTimerDispatch(x,x,x,x)+CBj
		test	eax, eax
		jz	short loc_60AB11
		xor	edx, edx
		cmp	[esi-2], dx
		jz	short loc_60AB07
		lea	eax, [esi+8]
		test	ebx, ebx
		jz	short loc_60AAF6
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+40h+var_28]
		rep stosd
		push	edx
		mov	edx, 40800000h
		lea	ecx, [esp+44h+var_28]
		call	EtwGetKernelTraceTimestampSilo
		push	dword ptr [esi+0Ch]
		lea	edi, [esi+8]
		push	dword ptr [esi+10h]
		call	dword ptr [edi]
		lea	eax, [esp+18h]
		mov	edx, 40800000h
		push	eax
		push	400A02h
		push	4
		push	edi
		mov	ecx, 0F46h
		call	_EtwTraceTimedEvent@24 ; EtwTraceTimedEvent(x,x,x,x,x,x)
		jmp	short loc_60AAFE
; 

loc_60AAF6:				; CODE XREF: IopTimerDispatch(x,x,x,x)+6Dj
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+10h]
		call	dword ptr [eax]

loc_60AAFE:				; CODE XREF: IopTimerDispatch(x,x,x,x)+B0j
		mov	eax, [esp+48h+var_34]
		dec	eax
		mov	[esp+48h+var_34], eax

loc_60AB07:				; CODE XREF: IopTimerDispatch(x,x,x,x)+66j
		mov	esi, [esi]
		cmp	esi, offset _IopTimerQueueHead
		jnz	short loc_60AAA0

loc_60AB11:				; CODE XREF: IopTimerDispatch(x,x,x,x)+5Ej
		mov	edi, offset _IopTimerLock

loc_60AB16:				; CODE XREF: IopTimerDispatch(x,x,x,x)+5Aj
		test	ds:byte_70EFC6,	1
		jz	short loc_60AB2B
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_60AB30
; 

loc_60AB2B:				; CODE XREF: IopTimerDispatch(x,x,x,x)+D9j
		xor	eax, eax
		lock and [edi],	eax

loc_60AB30:				; CODE XREF: IopTimerDispatch(x,x,x,x)+E5j
		mov	cl, [esp+13h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_60AB3A:				; CODE XREF: IopTimerDispatch(x,x,x,x)+2Cj
		mov	ecx, [esp+48h+var_C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_IopTimerDispatch@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopUpdateFunctionPointers(x, x, x)
_IopUpdateFunctionPointers@12 proc near	; CODE XREF: IopIrpExtensionControl(x,x)+93p
					; IoPerfInit(x)+5Cp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		mov	bh, [ebp+arg_0]
		mov	bl, dl
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		test	bh, bh
		jnz	short loc_60AB79
		lea	edx, [ebp+var_C]
		mov	ecx, offset _IopFunctionPointerLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)

loc_60AB79:				; CODE XREF: IopUpdateFunctionPointers(x,x,x)+1Cj
		test	bl, bl
		jz	short loc_60AB86
		mov	eax, ds:_IopFunctionPointerMask
		or	eax, esi
		jmp	short loc_60AB90
; 

loc_60AB86:				; CODE XREF: IopUpdateFunctionPointers(x,x,x)+2Dj
		mov	eax, esi
		not	eax
		and	eax, ds:_IopFunctionPointerMask

loc_60AB90:				; CODE XREF: IopUpdateFunctionPointers(x,x,x)+36j
		xor	esi, esi
		mov	ds:_IopFunctionPointerMask, eax
		inc	esi
		test	al, 1
		jz	short loc_60ABC0
		mov	eax, esi
		mov	ecx, offset _IopDispatchAllocateIrp
		xchg	eax, [ecx]
		mov	eax, esi
		mov	ecx, offset _IopDispatchCallDriver
		xchg	eax, [ecx]
		mov	eax, esi
		mov	ecx, offset _IopDispatchCompleteRequest
		xchg	eax, [ecx]
		mov	ecx, offset _IopDispatchFreeIrp
		mov	eax, esi
		jmp	short loc_60ABFF
; 

loc_60ABC0:				; CODE XREF: IopUpdateFunctionPointers(x,x,x)+4Cj
		xor	eax, eax
		mov	ecx, offset _IopDispatchFreeIrp
		xchg	eax, [ecx]
		mov	eax, ds:_IopFunctionPointerMask
		mov	edx, offset _IopDispatchCallDriver
		and	al, 2
		movzx	ecx, al
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 3
		mov	eax, ecx
		xchg	eax, [edx]
		mov	eax, offset _IopDispatchCompleteRequest
		xchg	ecx, [eax]
		test	byte ptr ds:_IopFunctionPointerMask, 4
		mov	ecx, offset _IopDispatchAllocateIrp
		jz	short loc_60ABFD
		push	2
		pop	eax
		jmp	short loc_60ABFF
; 

loc_60ABFD:				; CODE XREF: IopUpdateFunctionPointers(x,x,x)+A8j
		xor	eax, eax

loc_60ABFF:				; CODE XREF: IopUpdateFunctionPointers(x,x,x)+70j
					; IopUpdateFunctionPointers(x,x,x)+ADj
		xchg	eax, [ecx]
		test	bh, bh
		jnz	short loc_60AC50
		test	ds:byte_70EFC6,	1
		jz	short loc_60AC1B
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_60AC47
; 

loc_60AC1B:				; CODE XREF: IopUpdateFunctionPointers(x,x,x)+BEj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_60AC3A
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_60AC47
		call	KxWaitForLockChainValid

loc_60AC3A:				; CODE XREF: IopUpdateFunctionPointers(x,x,x)+D2j
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	esi

loc_60AC47:				; CODE XREF: IopUpdateFunctionPointers(x,x,x)+CBj
					; IopUpdateFunctionPointers(x,x,x)+E5j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_60AC50:				; CODE XREF: IopUpdateFunctionPointers(x,x,x)+B5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_IopUpdateFunctionPointers@12 endp


;  S U B	R O U T	I N E 


; __stdcall IopVerifyDriverObjectOnStack(x, x)
_IopVerifyDriverObjectOnStack@8	proc near
					; CODE XREF: IopGetDriverPathInformation(x,x,x)+77p
					; IopGetDriverPathInformation(x,x,x)+8Bp
		mov	edi, edi
		push	esi
		mov	esi, edx
		call	_IopGetDeviceAttachmentBase@4 ;	IopGetDeviceAttachmentBase(x)
		jmp	short loc_60AC6B
; 

loc_60AC63:				; CODE XREF: IopVerifyDriverObjectOnStack(x,x)+16j
		cmp	[eax+8], esi
		jz	short loc_60AC73
		mov	eax, [eax+10h]

loc_60AC6B:				; CODE XREF: IopVerifyDriverObjectOnStack(x,x)+Aj
		test	eax, eax
		jnz	short loc_60AC63
		xor	al, al
		pop	esi
		retn
; 

loc_60AC73:				; CODE XREF: IopVerifyDriverObjectOnStack(x,x)+Fj
		mov	al, 1
		pop	esi
		retn
_IopVerifyDriverObjectOnStack@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoBugCheckTriageDumpDataCallback(x,	x, x, x)
_IoBugCheckTriageDumpDataCallback@16 proc near ; DATA XREF: IopInitializeTriageDumpData+ACo

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, ds:_IopTriageDumpDataArray
		test	ecx, ecx
		jz	short loc_60AC8B
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx

loc_60AC8B:				; CODE XREF: IoBugCheckTriageDumpDataCallback(x,x,x,x)+Dj
		pop	ebp
		retn	10h
_IoBugCheckTriageDumpDataCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoFillDumpHeader(x,	x, x, x, x, x, x, x)
_IoFillDumpHeader@32 proc near		; CODE XREF: IopConstructInMemoryDumpHeader()+63p
					; IopWriteCapsuleTriageDumpToFirmware(x,x,x,x,x,x,x,x)+A3p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	45474150h
		mov	esi, ecx
		mov	edi, edx
		push	1000h
		push	esi
		mov	[ebp+var_4], esi
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		mov	eax, [ebp+arg_0]
		mov	[esi+28h], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+2Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+30h], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+34h], eax
		mov	eax, [ebp+arg_10]
		mov	[esi+38h], eax
		mov	eax, [ebp+arg_14]
		mov	dword ptr [esi+4], 504D5544h
		test	eax, eax
		jz	short loc_60ACE6
		mov	eax, [eax+80h]
		mov	eax, [eax+18h]
		jmp	short loc_60ACE9
; 

loc_60ACE6:				; CODE XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+4Aj
		mov	eax, cr3

loc_60ACE9:				; CODE XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+55j
		mov	[esi+10h], eax
		mov	byte ptr [esi+5Ch], 1
		mov	dword ptr [esi+20h], 14Ch
		mov	[esi+0F88h], edi
		mov	eax, ds:_MmPfnDatabase
		push	0FFFFh
		mov	[esi+14h], eax
		mov	dword ptr [esi+18h], offset _PsLoadedModuleList
		mov	dword ptr [esi+1Ch], offset _PsActiveProcessHead
		mov	dword ptr [esi+60h], offset _KdDebuggerDataBlock
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	[esi+24h], eax
		xor	ebx, ebx
		mov	eax, ds:_NtBuildNumber
		shr	eax, 1Ch
		mov	[esi+8], eax
		movzx	eax, word ptr ds:_NtBuildNumber
		mov	[esi+0Ch], eax
		cmp	edi, 6
		jz	loc_60AE2A
		cmp	edi, 5
		jz	loc_60AE2A
		cmp	ds:_MmPhysicalMemoryBlock, ebx
		jz	loc_60AE2A
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		jbe	short loc_60AD90
		mov	ecx, ds:_MmPhysicalMemoryBlock
		mov	edx, 2BCh
		mov	eax, [ecx]
		lea	eax, ds:8[eax*8]
		cmp	eax, edx
		jbe	short loc_60AD80
		mov	eax, edx

loc_60AD80:				; CODE XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+EDj
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [esi+64h]
		push	eax		; void *
		call	_memcpy
		jmp	loc_60AE39
; 

loc_60AD90:				; CODE XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+D5j
		call	_MmGetPhysicalMemoryRanges@0 ; MmGetPhysicalMemoryRanges()
		mov	edi, eax
		test	edi, edi
		jz	loc_60AE2A
		mov	ecx, [edi+8]
		mov	edx, ebx
		mov	[ebp+arg_0], ebx
		mov	eax, ecx
		mov	ebx, [edi+0Ch]
		or	eax, ebx
		jz	short loc_60ADD1
		mov	esi, edx

loc_60ADB2:				; CODE XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+13Aj
		shrd	ecx, ebx, 0Ch
		add	esi, ecx
		inc	edx
		mov	eax, edx
		add	eax, eax
		mov	ecx, [edi+eax*8+8]
		mov	ebx, [edi+eax*8+0Ch]
		mov	eax, ecx
		or	eax, ebx
		jnz	short loc_60ADB2
		mov	[ebp+arg_0], esi
		mov	esi, [ebp+var_4]

loc_60ADD1:				; CODE XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+11Fj
		lea	eax, ds:8[edx*8]
		cmp	eax, 2BCh
		jbe	short loc_60ADE2
		push	56h
		pop	edx

loc_60ADE2:				; CODE XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+14Ej
		mov	eax, [ebp+arg_0]
		mov	[esi+64h], edx
		mov	[esi+68h], eax
		test	edx, edx
		jz	short loc_60AE1F
		lea	eax, [esi+70h]
		mov	ebx, edi
		mov	[ebp+arg_0], eax
		mov	esi, eax

loc_60ADF9:				; CODE XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+18Bj
		mov	ecx, [ebx]
		lea	ebx, [ebx+10h]
		mov	eax, [ebx-0Ch]
		shrd	ecx, eax, 0Ch
		mov	[esi-4], ecx
		mov	ecx, [ebx-8]
		mov	eax, [ebx-4]
		shrd	ecx, eax, 0Ch
		mov	[esi], ecx
		lea	esi, [esi+8]
		sub	edx, 1
		jnz	short loc_60ADF9
		mov	esi, [ebp+var_4]

loc_60AE1F:				; CODE XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+15Ej
		xor	ebx, ebx
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_60AE3C
; 

loc_60AE2A:				; CODE XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+B2j
					; IoFillDumpHeader(x,x,x,x,x,x,x,x)+BBj ...
		push	2BCh		; size_t
		lea	eax, [esi+64h]
		push	ebx		; int
		push	eax		; void *
		call	_memset

loc_60AE39:				; CODE XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+FCj
		add	esp, 0Ch

loc_60AE3C:				; CODE XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+199j
		push	4B0h		; size_t
		lea	eax, [esi+320h]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	dword ptr [esi+7D0h], 80000003h
		add	esp, 0Ch
		mov	[esi+7D8h], ebx
		mov	[esi+7E0h], ebx
		mov	dword ptr [esi+7D4h], 1
		mov	[esi+7DCh], ebx
		mov	eax, ds:0FFDF0014h
		mov	[esi+0FC0h], eax
		mov	eax, ds:0FFDF0018h
		mov	[esi+0FC4h], eax
		mov	eax, ds:0FFDF0008h
		mov	[esi+0FB8h], eax
		mov	eax, ds:0FFDF000Ch
		mov	[esi+0FBCh], eax
		lea	eax, [esi+0F94h]
		push	eax
		call	_RtlGetNtProductType@4 ; RtlGetNtProductType(x)
		mov	eax, ds:0FFDF02D0h
		mov	[esi+0F98h], eax
		mov	eax, ds:0FFDF02C4h
		pop	edi
		mov	[esi+8A0h], ebx
		mov	[esi+8A4h], eax
		pop	esi
		pop	ebx
		leave
		retn	18h
_IoFillDumpHeader@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall IoFillTriageDumpBuffer(int,void *,char,int,int,int,int,int,int,int,int,int,int)
_IoFillTriageDumpBuffer@52 proc	near	; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+2A7p
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+4BBp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:_CmNtCSDVersion
		push	ebx
		push	esi
		mov	esi, [ebp+arg_18]
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+arg_18], eax
		mov	eax, [ebp+arg_28]
		xor	ecx, ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], ecx
		test	eax, eax
		jz	short loc_60AF00
		mov	[eax], ecx

loc_60AF00:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+2Aj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_60AF09
		mov	[eax], ecx

loc_60AF09:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+33j
		cmp	edi, 6Ch
		jnb	short loc_60AF18
		mov	eax, 0C0000017h
		jmp	loc_60B370
; 

loc_60AF18:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+3Aj
		push	68h		; size_t
		push	ecx		; int
		push	ebx		; void *
		call	_memset
		mov	ecx, edi
		xor	edx, edx
		add	esp, 0Ch
		mov	edi, 1068h
		mov	[ebp+var_4], edi
		lea	eax, [ecx+1000h]
		sub	ecx, 4
		mov	[ebx+4], eax
		add	eax, 0FFFFFFFCh
		mov	[ebx+8], eax
		mov	eax, [ebp+arg_18]
		and	dword ptr [ecx+ebx], 0
		and	dword ptr [ebx+40h], 0
		cmp	[ebp+arg_C], edx
		mov	[ebp+var_8], ecx
		setnz	dl
		mov	dword ptr [ebx+0Ch], 320h
		add	edx, 82h
		mov	dword ptr [ebx+10h], 7D0h
		test	[ebp+arg_4], 100h
		mov	[ebx], eax
		mov	[ebx+44h], esi
		mov	[ebp+arg_18], edx
		jz	short loc_60AF9E
		lea	eax, [edi+38h]
		cmp	ecx, eax
		jbe	short loc_60AF92
		mov	[ebx+14h], edi
		or	edx, 100h
		mov	edi, eax
		mov	[ebp+var_4], edi
		jmp	short loc_60AF9B
; 

loc_60AF92:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+AEj
		or	esi, 100h
		mov	[ebx+44h], esi

loc_60AF9B:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+BEj
		mov	[ebp+arg_18], edx

loc_60AF9E:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+A7j
		test	byte ptr [ebp+arg_4], 4
		jz	short loc_60AFC7
		lea	eax, [edi+5F00h]
		cmp	eax, ecx
		jnb	short loc_60AFBE
		mov	[ebx+1Ch], edi
		or	edx, 4
		mov	edi, eax
		mov	[ebp+arg_18], edx
		mov	[ebp+var_4], edi
		jmp	short loc_60AFC7
; 

loc_60AFBE:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+DAj
		or	esi, 100h
		mov	[ebx+44h], esi

loc_60AFC7:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+D0j
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+EAj
		test	byte ptr [ebp+arg_4], 8
		jz	short loc_60AFF0
		lea	eax, [edi+500h]
		cmp	eax, ecx
		jnb	short loc_60AFE7
		mov	[ebx+20h], edi
		or	edx, 8
		mov	edi, eax
		mov	[ebp+arg_18], edx
		mov	[ebp+var_4], edi
		jmp	short loc_60AFF0
; 

loc_60AFE7:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+103j
		or	esi, 100h
		mov	[ebx+44h], esi

loc_60AFF0:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+F9j
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+113j
		test	byte ptr [ebp+arg_4], 10h
		jz	short loc_60B019
		lea	eax, [edi+4E0h]
		cmp	eax, ecx
		jnb	short loc_60B010
		mov	[ebx+24h], edi
		or	edx, 10h
		mov	edi, eax
		mov	[ebp+arg_18], edx
		mov	[ebp+var_4], edi
		jmp	short loc_60B019
; 

loc_60B010:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+12Cj
		or	esi, 100h
		mov	[ebx+44h], esi

loc_60B019:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+122j
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+13Cj
		test	byte ptr [ebp+arg_4], 20h
		jz	short loc_60B091
		mov	eax, [ebp+arg_10]
		test	dword ptr [eax+5Ch], 20000h
		jz	short loc_60B091
		mov	esi, [ebp+arg_C]
		mov	edx, [eax+28h]
		mov	eax, [eax+24h]
		mov	esi, [esi+0C4h]
		cmp	eax, esi
		ja	short loc_60B042
		cmp	esi, edx
		jb	short loc_60B048

loc_60B042:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+16Aj
		mov	esi, [ebp+arg_10]
		mov	esi, [esi+24h]

loc_60B048:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+16Ej
		sub	edx, esi
		mov	eax, 3FFFh
		cmp	edx, eax
		jb	short loc_60B055
		mov	edx, eax

loc_60B055:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+17Fj
		mov	ecx, esi
		call	_IopGetMaxValidMemorySize@8 ; IopGetMaxValidMemorySize(x,x)
		mov	ecx, [ebp+var_8]
		test	eax, eax
		jz	short loc_60B08E
		lea	edx, [edi+eax]
		cmp	edx, ecx
		jnb	short loc_60B087
		mov	[ebx+28h], edi
		lea	edi, [edx+7]
		mov	edx, [ebp+arg_18]
		and	edi, 0FFFFFFF8h
		or	edx, 20h
		mov	[ebx+2Ch], eax
		mov	[ebx+48h], esi
		mov	[ebp+var_4], edi
		mov	[ebp+arg_18], edx
		jmp	short loc_60B091
; 

loc_60B087:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+196j
		or	dword ptr [ebx+44h], 100h

loc_60B08E:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+18Fj
		mov	edx, [ebp+arg_18]

loc_60B091:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+14Bj
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+157j ...
		mov	esi, 400h
		test	[ebp+arg_4], esi
		jz	short loc_60B0C9
		lea	eax, [edi+380h]
		cmp	eax, ecx
		jnb	short loc_60B0C2
		mov	[ebx+58h], edi
		add	edi, 387h
		and	edi, 0FFFFFFF8h
		mov	dword ptr [ebx+5Ch], 380h
		or	edx, esi
		mov	[ebp+var_4], edi
		mov	[ebp+arg_18], edx
		jmp	short loc_60B0C9
; 

loc_60B0C2:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+1D1j
		or	dword ptr [ebx+44h], 100h

loc_60B0C9:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+1C7j
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+1EEj
		cmp	[ebp+arg_0], 0
		lea	ecx, [ebx-1000h]
		jnz	short loc_60B0F5
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceSharedLite
		lea	ecx, [ebx-1000h]

loc_60B0F5:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+201j
		mov	eax, ds:_MmUnloadedDrivers
		mov	esi, [ebp+var_8]
		neg	eax
		sbb	eax, eax
		and	eax, 7D0h
		add	eax, 8
		add	eax, edi
		cmp	eax, esi
		jnb	short loc_60B124
		or	[ebp+arg_18], 40h
		add	ecx, edi
		mov	[ebx+18h], edi
		mov	edi, eax
		mov	[ebp+var_4], edi
		call	_MmWriteUnloadedDriverInformation@4 ; MmWriteUnloadedDriverInformation(x)
		jmp	short loc_60B12B
; 

loc_60B124:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+23Bj
		or	dword ptr [ebx+44h], 100h

loc_60B12B:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+250j
		test	byte ptr [ebp+arg_4], 40h
		jz	short loc_60B176
		mov	cl, [ebp+arg_0]
		lea	eax, [ebp+var_14]
		push	eax
		lea	edx, [ebp+var_C]
		call	_IoGetLoadedDriverInfo@12 ; IoGetLoadedDriverInfo(x,x,x)
		mov	edx, eax
		mov	[ebp+var_10], edx
		test	edx, edx
		js	short loc_60B176
		mov	edx, [ebp+var_C]
		imul	ecx, edx, 4Ch
		add	ecx, 7
		and	ecx, 0FFFFFFF8h
		jz	short loc_60B176
		lea	eax, [edi+ecx]
		cmp	eax, esi
		jnb	short loc_60B16F
		or	[ebp+arg_18], 40h
		mov	[ebx+30h], edi
		mov	edi, eax
		mov	[ebx+34h], edx
		mov	[ebp+var_4], edi
		jmp	short loc_60B176
; 

loc_60B16F:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+28Aj
		or	dword ptr [ebx+44h], 100h

loc_60B176:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+25Dj
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+275j ...
		imul	ecx, [ebp+var_C], 6
		mov	eax, [ebp+var_14]
		add	eax, 7
		add	eax, ecx
		and	eax, 0FFFFFFF8h
		jz	short loc_60B1A2
		lea	ecx, [edi+eax]
		cmp	ecx, esi
		jnb	short loc_60B19B
		mov	[ebx+38h], edi
		mov	edi, ecx
		mov	[ebx+3Ch], eax
		mov	[ebp+var_4], edi
		jmp	short loc_60B1A2
; 

loc_60B19B:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+2BAj
		or	dword ptr [ebx+44h], 100h

loc_60B1A2:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+2B3j
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+2C7j
		mov	ecx, [ebx+30h]
		test	ecx, ecx
		jz	short loc_60B1CB
		mov	eax, [ebx+38h]
		test	eax, eax
		jz	short loc_60B1CB
		mov	dl, [ebp+arg_0]
		push	eax
		push	ecx
		lea	ecx, [ebx-1000h]
		call	_IopWriteDriverList@16 ; IopWriteDriverList(x,x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jns	short loc_60B1CB
		and	dword ptr [ebx+30h], 0

loc_60B1CB:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+2D5j
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+2DCj ...
		cmp	[ebp+arg_0], 0
		jnz	short loc_60B1E7
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_60B1E7:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+2FDj
		test	[ebp+arg_4], 800h
		jz	short loc_60B230
		mov	ecx, [ebx+48h]
		mov	eax, [ebx+2Ch]
		mov	edx, [ebp+arg_20]
		add	eax, ecx
		push	eax
		push	ecx
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_1C]
		push	[ebp+arg_24]
		call	_IopAddRunTimeTriageDataBlocks@24 ; IopAddRunTimeTriageDataBlocks(x,x,x,x,x,x)
		mov	edx, [ebp+arg_1C]
		mov	ecx, ebx
		push	esi
		push	edi
		push	[ebp+arg_20]
		call	_IopSizeTriageDumpDataBlocks@20	; IopSizeTriageDumpDataBlocks(x,x,x,x,x)
		add	eax, 7
		and	eax, 0FFFFFFF8h
		cmp	dword ptr [ebx+64h], 0
		mov	[ebp+var_4], eax
		jz	short loc_60B230
		or	[ebp+arg_18], 800h

loc_60B230:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+31Cj
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+355j
		mov	eax, [ebx+14h]
		lea	edi, [ebx-1000h]
		test	eax, eax
		jz	short loc_60B245
		lea	ecx, [eax+edi]
		call	_MmWriteTriageInformation@4 ; MmWriteTriageInformation(x)

loc_60B245:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+369j
		mov	ecx, [ebx+1Ch]
		test	ecx, ecx
		jz	short loc_60B26D
		lea	eax, [ecx+5F00h]
		cmp	eax, esi
		ja	short loc_60B26D
		mov	eax, large fs:20h
		add	ecx, edi
		push	5F00h		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_60B26D:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+378j
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+382j
		mov	ecx, [ebx+20h]
		mov	edx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_60B293
		lea	eax, [ecx+500h]
		cmp	eax, esi
		ja	short loc_60B293
		mov	esi, [edx+80h]
		add	edi, ecx
		mov	ecx, 140h
		rep movsd
		mov	esi, [ebp+var_8]

loc_60B293:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+3A3j
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+3ADj
		mov	ecx, [ebx+24h]
		test	ecx, ecx
		jz	short loc_60B2B5
		lea	eax, [ecx+4E0h]
		cmp	eax, esi
		ja	short loc_60B2B5
		lea	edi, [ebx-1000h]
		mov	esi, edx
		add	edi, ecx
		mov	ecx, 138h
		rep movsd

loc_60B2B5:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+3C6j
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+3D0j
		mov	ecx, [ebx+28h]
		mov	edi, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_60B2E2
		mov	edx, [ebx+2Ch]
		mov	esi, [ebx+48h]
		lea	eax, [edx+ecx]
		cmp	eax, edi
		ja	short loc_60B2E2
		push	edx		; size_t
		push	esi		; void *
		lea	esi, [ebx-1000h]
		lea	eax, [ecx+esi]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_60B2E8
; 

loc_60B2E2:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+3EBj
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+3F8j
		lea	esi, [ebx-1000h]

loc_60B2E8:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+40Ej
		mov	ecx, [ebx+58h]
		test	ecx, ecx
		jz	short loc_60B300
		lea	eax, [ecx+380h]
		cmp	eax, edi
		ja	short loc_60B300
		add	ecx, esi
		call	_KdCopyDataBlock@4 ; KdCopyDataBlock(x)

loc_60B300:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+41Bj
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+425j
		cmp	[ebp+arg_1C], 0
		jz	short loc_60B314
		mov	edx, [ebp+arg_1C]
		mov	ecx, ebx
		push	esi
		push	[ebp+arg_20]
		call	_IopFillTriageDumpDataBlocks@16	; IopFillTriageDumpDataBlocks(x,x,x,x)

loc_60B314:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+432j
		mov	edx, [ebp+arg_28]
		cmp	edi, 1EFFCh
		jnz	short loc_60B32A
		test	edx, edx
		jnz	short loc_60B32A
		mov	ecx, 20000h
		jmp	short loc_60B33C
; 

loc_60B32A:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+44Bj
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+44Fj
		mov	ecx, [ebp+var_4]
		add	ecx, 4
		test	edx, edx
		jz	short loc_60B33C
		lea	eax, [ecx-1000h]
		mov	[edx], eax

loc_60B33C:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+456j
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+460j
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jz	short loc_60B348
		mov	eax, [ebp+arg_18]
		mov	[edx], eax

loc_60B348:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+46Fj
		mov	[ebx+4], ecx
		add	ecx, 0FFFFFFFCh
		mov	[ebx+8], ecx
		lea	eax, [ecx-1000h]
		cmp	eax, edi
		ja	short loc_60B36B
		mov	eax, [ebp+var_10]
		mov	dword ptr [ecx+ebx-1000h], 44475254h
		jmp	short loc_60B370
; 

loc_60B36B:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+487j
		mov	eax, 0C000009Ah

loc_60B370:				; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+41j
					; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+497j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	2Ch
_IoFillTriageDumpBuffer@52 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoFreeDumpRange(x, x, x, x)
_IoFreeDumpRange@16 proc near		; CODE XREF: IopRemovePageDumpRange(x,x)+91p
					; IopLiveDumpCallRemovePagesCallbacks(x)+1F0p
					; DATA XREF: ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 1
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		jnz	short loc_60B3A5
		push	ebx
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	esi, [ebp+arg_0]
		mov	cl, [esi+14h]
		and	cl, 1
		movzx	ecx, cl
		push	ecx
		push	[ebp+arg_8]
		shrd	eax, edx, 0Ch
		push	eax
		jmp	short loc_60B3BB
; 

loc_60B3A5:				; CODE XREF: IoFreeDumpRange(x,x,x,x)+Fj
		cmp	[ebp+arg_C], 2
		jnz	short loc_60B3CA
		mov	esi, [ebp+arg_0]
		mov	al, [esi+14h]
		and	al, 1
		movzx	eax, al
		push	eax
		push	[ebp+arg_8]
		push	ebx

loc_60B3BB:				; CODE XREF: IoFreeDumpRange(x,x,x,x)+2Cj
		mov	edx, [esi+10h]
		mov	ecx, [esi+8]
		call	_IopRemovePageFromPageMap@20 ; IopRemovePageFromPageMap(x,x,x,x,x)
		mov	edi, eax
		jmp	short loc_60B418
; 

loc_60B3CA:				; CODE XREF: IoFreeDumpRange(x,x,x,x)+32j
		mov	eax, [ebp+arg_8]
		xor	edi, edi
		mov	[ebp+arg_8], eax
		test	eax, eax
		jz	short loc_60B430
		mov	esi, [ebp+arg_0]

loc_60B3D9:				; CODE XREF: IoFreeDumpRange(x,x,x,x)+9Fj
		mov	ecx, ebx
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_60B40C
		push	ebx
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	cl, [esi+14h]
		and	cl, 1
		movzx	ecx, cl
		push	ecx
		mov	ecx, [esi+8]
		shrd	eax, edx, 0Ch
		mov	edx, [esi+10h]
		push	1
		push	eax
		call	_IopRemovePageFromPageMap@20 ; IopRemovePageFromPageMap(x,x,x,x,x)
		test	eax, eax
		jns	short loc_60B40C
		mov	edi, eax

loc_60B40C:				; CODE XREF: IoFreeDumpRange(x,x,x,x)+6Bj
					; IoFreeDumpRange(x,x,x,x)+91j
		add	ebx, 1000h
		sub	[ebp+arg_8], 1
		jnz	short loc_60B3D9

loc_60B418:				; CODE XREF: IoFreeDumpRange(x,x,x,x)+51j
		cmp	edi, 0C0000141h
		jnz	short loc_60B430
		mov	al, [esi+14h]
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	edi, eax

loc_60B430:				; CODE XREF: IoFreeDumpRange(x,x,x,x)+5Dj
					; IoFreeDumpRange(x,x,x,x)+A7j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_IoFreeDumpRange@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetLoadedDriverInfo(x, x,	x)
_IoGetLoadedDriverInfo@12 proc near	; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+269p
					; KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+3C6p

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ds:_PsLoadedModuleList
		mov	eax, edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_1], cl
		mov	ebx, edi
		cmp	esi, offset _PsLoadedModuleList
		jz	short loc_60B499

loc_60B45D:				; CODE XREF: IoGetLoadedDriverInfo(x,x,x)+5Bj
		test	cl, cl
		jz	short loc_60B482
		push	5Ch
		pop	edx
		mov	ecx, esi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_60B4A9
		movzx	edx, word ptr [esi+2Ch]
		mov	ecx, [esi+30h]
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_60B4A9
		mov	cl, [ebp+var_1]

loc_60B482:				; CODE XREF: IoGetLoadedDriverInfo(x,x,x)+26j
		movzx	eax, word ptr [esi+2Ch]
		add	ebx, 9
		mov	esi, [esi]
		inc	edi
		add	ebx, eax
		cmp	esi, offset _PsLoadedModuleList
		jnz	short loc_60B45D
		mov	eax, [ebp+var_8]

loc_60B499:				; CODE XREF: IoGetLoadedDriverInfo(x,x,x)+22j
		mov	[eax], edi
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx
		xor	eax, eax

loc_60B4A2:				; CODE XREF: IoGetLoadedDriverInfo(x,x,x)+75j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_60B4A9:				; CODE XREF: IoGetLoadedDriverInfo(x,x,x)+34j
					; IoGetLoadedDriverInfo(x,x,x)+44j
		mov	eax, 0C0000001h
		jmp	short loc_60B4A2
_IoGetLoadedDriverInfo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoInitializeBugCheckProgress(x, x)
_IoInitializeBugCheckProgress@8	proc near ; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+808p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], 8
		call	_KeFrozenProcessorCount@0 ; KeFrozenProcessorCount()
		mov	ecx, ds:_KeNumberProcessors
		xor	ebx, ebx
		sub	ecx, eax
		inc	ebx
		cmp	ecx, ebx
		ja	loc_60B5E8
		call	ds:off_6B13E8	; KeIsCetCapable()
		cmp	al, bl
		jz	loc_60B5E2
		cmp	edi, 109h
		jz	loc_60B5E2
		cmp	ds:_BugCheckProgressEFICalled, esi
		jnz	loc_60B5E8
		mov	ecx, ds:_CrashdmpDumpBlock
		mov	ds:_BugCheckProgressEFICalled, ebx
		test	ecx, ecx
		jz	short loc_60B561
		mov	[ebp+var_14], edi
		mov	esi, (offset loc_425347+1)
		mov	ax, ds:0FFDF02C4h
		mov	word ptr [ebp+var_10], ax
		mov	ax, [ecx+33Ch]
		push	ebx
		inc	ax
		push	8
		mov	word ptr [ebp+var_10+2], ax
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		push	offset ??_C@_1BK@IKLNJPGD@?$AAB?$AAu?$AAg?$AAC?$AAh?$AAe?$AAc?$AAk?$AAC?$AAo?$AAd?$AAe@FNODOBFM@
		call	ds:_IopReportBugCheckProgress
		push	ebx
		push	4
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		push	offset ??_C@_1CG@CMLGNBH@?$AAB?$AAu?$AAg?$AAC?$AAh?$AAe?$AAc?$AAk?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt@FNODOBFM@
		jmp	short loc_60B5D3
; 

loc_60B561:				; CODE XREF: IoInitializeBugCheckProgress(x,x)+6Ej
		push	esi
		lea	eax, [ebp+var_C]
		mov	esi, (offset loc_425347+1)
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		push	offset ??_C@_1BK@IKLNJPGD@?$AAB?$AAu?$AAg?$AAC?$AAh?$AAe?$AAc?$AAk?$AAC?$AAo?$AAd?$AAe@FNODOBFM@
		call	ds:__imp__HalGetEnvironmentVariableEx@20 ; HalGetEnvironmentVariableEx(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_60B5D9
		mov	[ebp+var_14], edi
		mov	ax, ds:0FFDF02C4h
		inc	word ptr [ebp+var_10+2]
		mov	word ptr [ebp+var_10], ax
		mov	eax, [ebp+var_4]
		and	eax, 0FFFFFE4Fh
		push	ebx
		or	eax, 4004Fh
		push	8
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		push	offset ??_C@_1BK@IKLNJPGD@?$AAB?$AAu?$AAg?$AAC?$AAh?$AAe?$AAc?$AAk?$AAC?$AAo?$AAd?$AAe@FNODOBFM@
		call	ds:_IopReportBugCheckProgress
		push	ebx
		push	4
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		push	offset ??_C@_1CG@CMLGNBH@?$AAB?$AAu?$AAg?$AAC?$AAh?$AAe?$AAc?$AAk?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt@FNODOBFM@
		call	ds:_IopReportBugCheckProgress
		push	ebx
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	offset ??_C@_1CC@MCGNKLN@?$AAB?$AAu?$AAg?$AAC?$AAh?$AAe?$AAc?$AAk?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs@FNODOBFM@ ; "BugCheckProgress"

loc_60B5D3:				; CODE XREF: IoInitializeBugCheckProgress(x,x)+AFj
		call	ds:_IopReportBugCheckProgress

loc_60B5D9:				; CODE XREF: IoInitializeBugCheckProgress(x,x)+CDj
		and	ds:_BugCheckProgressEFICalled, 0
		jmp	short loc_60B5E8
; 

loc_60B5E2:				; CODE XREF: IoInitializeBugCheckProgress(x,x)+42j
					; IoInitializeBugCheckProgress(x,x)+4Ej
		mov	ds:_BugCheckProgressEFICalled, ebx

loc_60B5E8:				; CODE XREF: IoInitializeBugCheckProgress(x,x)+34j
					; IoInitializeBugCheckProgress(x,x)+5Aj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IoInitializeBugCheckProgress@8	endp


;  S U B	R O U T	I N E 


; __stdcall IoIsPartialDumpRetry()
_IoIsPartialDumpRetry@0	proc near	; CODE XREF: KeValidateBugCheckCallbackRecord(x,x,x)+5Bp
		mov	eax, ds:_CrashdmpDumpBlock
		test	eax, eax
		jz	short loc_60B602
		mov	eax, [eax+314h]
		shr	eax, 3
		and	al, 1
		retn
; 

loc_60B602:				; CODE XREF: IoIsPartialDumpRetry()+7j
		xor	al, al
		retn
_IoIsPartialDumpRetry@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSaveBugCheckProgress(x)
_IoSaveBugCheckProgress@4 proc near	; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+10Dp
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+381p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, ds:_CrashdmpDumpBlock
		push	esi
		push	edi
		mov	edi, ecx
		test	edx, edx
		jz	loc_60B6B3
		mov	esi, [edx+338h]
		test	esi, 60000h
		jnz	short loc_60B64D
		mov	eax, esi
		xor	eax, edi
		and	eax, 1FFh
		xor	eax, esi
		mov	[edx+338h], eax
		call	_IoUpdateBugCheckProgressEnvVariable@0 ; IoUpdateBugCheckProgressEnvVariable()

loc_60B64D:				; CODE XREF: IoSaveBugCheckProgress(x)+30j
		cmp	edi, 4
		jnz	short loc_60B6B3
		mov	edx, ds:_CrashdmpDumpBlock
		xor	eax, eax
		mov	ecx, [edx+304h]
		and	[ebp+var_20], 0
		cmp	ecx, edi
		mov	[ebp+var_2C], 674C6857h
		setz	al
		mov	[ebp+var_28], 1
		add	eax, 2300h
		mov	[ebp+var_24], 28h
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], 80000023h
		mov	[ebp+var_14], 18h
		mov	[ebp+var_10], 8
		mov	eax, [edx+338h]
		mov	[ebp+var_8], eax
		mov	eax, [edx+10h]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	WheaLogInternalEvent

loc_60B6B3:				; CODE XREF: IoSaveBugCheckProgress(x)+1Ej
					; IoSaveBugCheckProgress(x)+4Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IoSaveBugCheckProgress@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetBugCheckProgressAndFlag(x, x)
_IoSetBugCheckProgressAndFlag@8	proc near
					; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+54Ap

var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_4		= dword	ptr  8
arg_8		= dword	ptr  0Ch
arg_C		= dword	ptr  10h
arg_10		= dword	ptr  14h

		mov	ecx, ds:_CrashdmpDumpBlock
		test	ecx, ecx
		jz	short locret_60B6FA
		mov	eax, [ecx+338h]
		test	eax, 60000h
		jnz	short loc_60B6E6
		and	eax, 0FFFFFE25h
		or	eax, 25h
		mov	[ecx+338h], eax

loc_60B6E6:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+15j
		mov	eax, ds:_CrashdmpDumpBlock
		or	dword ptr [eax+338h], 800h
		jmp	_IoUpdateBugCheckProgressEnvVariable@0 ; IoUpdateBugCheckProgressEnvVariable()
; 

locret_60B6FA:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+8j
		retn
; 

; __stdcall IoSetDumpRange(x, x, x, x)
_IoSetDumpRange@16:			; CODE XREF: IopAddPageDumpRange(x,x)+C0p
					; IoSetDumpRangeForPartialKernelDump(x,x,x,x)+6j
					; DATA XREF: ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, [ebp+arg_10]
		sub	esp, 14h
		and	eax, 0Fh
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	eax, 1
		jnz	short loc_60B73D
		push	esi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	cl, [edi+14h]
		push	0
		and	cl, 1
		movzx	ecx, cl
		push	ecx
		push	ebx
		shrd	eax, edx, 0Ch
		push	eax
		push	dword ptr [edi+10h]
		jmp	loc_60B81A
; 

loc_60B73D:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+5Aj
		cmp	eax, 2
		jnz	loc_60B829
		mov	eax, ds:_MmPhysicalMemoryBlock
		xor	edx, edx
		mov	ecx, 0C0000141h
		mov	[esp+24h+var_14], edx
		mov	ebx, [eax]
		mov	[esp+24h+var_8], ebx
		test	ebx, ebx
		jz	short loc_60B7A6
		add	eax, 0Ch
		mov	[esp+24h+var_10], eax

loc_60B767:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+DBj
		mov	edi, [eax-4]
		cmp	edi, esi
		mov	[esp+24h+var_C], edi
		mov	edi, [ebp+arg_4]
		ja	short loc_60B7A6
		mov	eax, [eax]
		add	eax, [esp+24h+var_C]
		mov	ebx, [ebp+arg_C]
		cmp	eax, esi
		ja	short loc_60B7A0
		mov	eax, [esp+24h+var_10]
		inc	[esp+24h+var_14]
		add	eax, 8
		mov	edi, [esp+24h+var_8]
		cmp	[esp+24h+var_14], edi
		mov	edi, [ebp+arg_4]
		mov	[esp+24h+var_10], eax
		jb	short loc_60B767
		jmp	short loc_60B7A6
; 

loc_60B7A0:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+BFj
		sub	eax, esi
		cmp	ebx, eax
		jbe	short loc_60B80B

loc_60B7A6:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+9Dj
					; IoSetBugCheckProgressAndFlag(x,x)+B2j ...
		mov	eax, ds:_SpecialMemoryRanges
		test	eax, eax
		jz	loc_60B8A4
		mov	edi, [eax]
		test	edi, edi
		mov	[esp+24h+var_C], edi
		mov	edi, [ebp+arg_4]
		jz	loc_60B8A4
		add	eax, 0Ch
		mov	[esp+24h+var_10], eax

loc_60B7CB:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+139j
		mov	edi, [eax-4]
		cmp	edi, esi
		mov	[esp+24h+var_8], edi
		mov	edi, [ebp+arg_4]
		ja	loc_60B8A4
		mov	eax, [eax]
		add	eax, [esp+24h+var_8]
		mov	ebx, [ebp+arg_C]
		cmp	eax, esi
		ja	short loc_60B801
		mov	eax, [esp+24h+var_10]
		inc	edx
		add	eax, 8
		mov	[esp+24h+var_10], eax
		cmp	edx, [esp+24h+var_C]
		jb	short loc_60B7CB
		jmp	loc_60B8A4
; 

loc_60B801:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+127j
		sub	eax, esi
		cmp	ebx, eax
		ja	loc_60B8A4

loc_60B80B:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+E3j
		push	[ebp+arg_10]
		mov	al, [edi+14h]
		mov	ecx, [edi+10h]
		and	al, 1
		push	eax
		push	ebx
		push	esi
		push	ecx

loc_60B81A:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+77j
		mov	edx, [edi+8]
		mov	ecx, [edi+0Ch]
		call	_IopAddPageToPageMap@28	; IopAddPageToPageMap(x,x,x,x,x,x,x)
		mov	ecx, eax
		jmp	short loc_60B89C
; 

loc_60B829:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+7Fj
		xor	eax, eax
		mov	[esp+24h+var_15], 1
		test	ebx, ebx
		jz	loc_60B8B8

loc_60B838:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+1D0j
		mov	ecx, esi
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_60B884
		push	esi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	cl, [edi+14h]
		push	0
		and	cl, 1
		movzx	ecx, cl
		push	ecx
		mov	ecx, [edi+0Ch]
		shrd	eax, edx, 0Ch
		mov	edx, [edi+8]
		push	1
		push	eax
		push	dword ptr [edi+10h]
		call	_IopAddPageToPageMap@28	; IopAddPageToPageMap(x,x,x,x,x,x,x)
		mov	ecx, 0C0000023h
		cmp	eax, ecx
		jz	short loc_60B8BA
		test	eax, eax
		sets	al
		dec	al
		and	al, [esp+24h+var_15]
		mov	[esp+24h+var_15], al
		jmp	short loc_60B888
; 

loc_60B884:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+180j
		mov	al, [esp+24h+var_15]

loc_60B888:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+1C1j
		add	esi, 1000h
		sub	ebx, 1
		jnz	short loc_60B838
		cmp	al, 1
		jz	short loc_60B8B6
		mov	ecx, 0C0000141h

loc_60B89C:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+166j
		cmp	ecx, 0C0000141h
		jnz	short loc_60B8BA

loc_60B8A4:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+ECj
					; IoSetBugCheckProgressAndFlag(x,x)+FDj ...
		mov	al, [edi+14h]
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	ecx, eax
		jmp	short loc_60B8BA
; 

loc_60B8B6:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+1D4j
		xor	eax, eax

loc_60B8B8:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+171j
		mov	ecx, eax

loc_60B8BA:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+1B0j
					; IoSetBugCheckProgressAndFlag(x,x)+1E1j ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

; __stdcall IoUpdateBugCheckProgressEnvVariable()
_IoUpdateBugCheckProgressEnvVariable@0:	; CODE XREF: IoSaveBugCheckProgress(x)+43p
					; IoSetBugCheckProgressAndFlag(x,x)+34j ...
		call	_KeFrozenProcessorCount@0 ; KeFrozenProcessorCount()
		mov	ecx, ds:_KeNumberProcessors
		sub	ecx, eax
		xor	eax, eax
		inc	eax
		cmp	ecx, eax
		ja	short locret_60B90C
		cmp	ds:_BugCheckProgressEFICalled, 0
		jnz	short locret_60B90C
		push	eax
		mov	ds:_BugCheckProgressEFICalled, eax
		mov	eax, ds:_CrashdmpDumpBlock
		push	4
		add	eax, 338h
		push	eax
		push	(offset	loc_425347+1)
		push	offset ??_C@_1CC@MCGNKLN@?$AAB?$AAu?$AAg?$AAC?$AAh?$AAe?$AAc?$AAk?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs@FNODOBFM@ ; "BugCheckProgress"
		call	ds:_IopReportBugCheckProgress
		and	ds:_BugCheckProgressEFICalled, 0

locret_60B90C:				; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+216j
					; IoSetBugCheckProgressAndFlag(x,x)+21Fj
		retn
_IoSetBugCheckProgressAndFlag@8	endp


;  S U B	R O U T	I N E 


; __stdcall IoUpdateDumpPhysicalRanges()
_IoUpdateDumpPhysicalRanges@0 proc near	; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+4E7p
					; MiRemovePhysicalMemory(x,x,x)+300p
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, large fs:124h
		push	edi
		dec	word ptr [esi+13Ch]
		nop
		cmp	ds:_CrashdmpImageEntry,	0
		jz	short loc_60B95B
		cmp	ds:_CrashdmpInitialized, 1
		jnz	short loc_60B95B
		push	1
		mov	edi, offset _IopCrashDumpLock
		push	edi
		call	ExAcquireResourceExclusiveLite
		test	al, al
		jz	short loc_60B95B
		call	_IopGetPhysicalMemoryBlock@0 ; IopGetPhysicalMemoryBlock()
		test	eax, eax
		jz	short loc_60B954
		push	eax
		call	ds:dword_6D4AE0

loc_60B954:				; CODE XREF: IoUpdateDumpPhysicalRanges()+3Ej
		mov	ecx, edi
		call	ExReleaseResourceLite

loc_60B95B:				; CODE XREF: IoUpdateDumpPhysicalRanges()+1Bj
					; IoUpdateDumpPhysicalRanges()+24j ...
		cmp	ds:_OfflineDumpEnabled,	0
		jz	short loc_60B969
		call	_IopConstructInMemoryDumpHeader@0 ; IopConstructInMemoryDumpHeader()

loc_60B969:				; CODE XREF: IoUpdateDumpPhysicalRanges()+55j
		mov	ecx, esi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		pop	esi
		pop	ecx
		retn
_IoUpdateDumpPhysicalRanges@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoWriteCrashDump(x,	x, x, x, x, x, x, x, x,	x)
_IoWriteCrashDump@40 proc near		; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+91Dp

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		xor	ebx, ebx
		mov	[ebp+var_30], eax
		mov	eax, [ebp+arg_10]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], edi
		mov	[ebp+var_34], esi
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], 0DFFh
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		call	KdCheckForDebugBreak
		cmp	ds:_CapsuleTriageDumpBlockInitialized, 1
		jnz	short loc_60B9E5
		push	[ebp+var_2C]
		mov	edx, [ebp+var_20]
		mov	ecx, edi
		push	[ebp+var_1C]
		push	esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_IopWriteCapsuleTriageDumpToFirmware@32	; IopWriteCapsuleTriageDumpToFirmware(x,x,x,x,x,x,x,x)
		jmp	loc_60BEF6
; 

loc_60B9E5:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+50j
		mov	eax, [ebp+var_20]
		lea	edx, [ebp+var_14]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_4]
		push	ecx
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_8]
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_8], eax
		call	_MmSnapTriageDumpInformation@16	; MmSnapTriageDumpInformation(x,x,x,x)
		mov	eax, ds:_CrashdmpDumpBlock
		test	eax, eax
		jz	loc_60BEF4
		test	byte ptr [eax+314h], 1
		jz	short loc_60BA49
		cmp	dword ptr [eax+304h], 6
		jnz	short loc_60BA49
		mov	edx, ebx
		lea	ecx, [eax+318h]

loc_60BA30:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+C7j
		cmp	[ecx], edi
		jz	short loc_60BA3F
		inc	edx
		add	ecx, 4
		cmp	edx, 8
		jb	short loc_60BA30
		jmp	short loc_60BA49
; 

loc_60BA3F:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+BEj
		mov	dword ptr [eax+304h], 5

loc_60BA49:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+A9j
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+B2j ...
		cmp	[ebp+var_30], ebx
		jnz	short loc_60BA62
		mov	eax, ds:_CrashdmpDumpBlock
		mov	[ebp+var_28], 0CF7h
		mov	[eax+8], ebx
		xor	eax, eax
		inc	eax
		jmp	short loc_60BA64
; 

loc_60BA62:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+D8j
		mov	eax, ebx

loc_60BA64:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+ECj
		push	eax
		push	ebx
		push	1
		call	ds:dword_6D4AD8
		call	_VfDisableHalVerifier@0	; VfDisableHalVerifier()
		push	1
		call	ds:dword_6D4AF0
		push	20h
		pop	ecx
		mov	[ebp+var_15], al
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		mov	eax, ds:_CrashdmpDumpBlock
		mov	ecx, [ebp+var_20]
		mov	edx, [ebp+var_1C]
		mov	[eax+10h], edi
		mov	eax, ds:_CrashdmpDumpBlock
		mov	[eax+14h], ecx
		mov	eax, ds:_CrashdmpDumpBlock
		mov	ecx, [ebp+arg_0]
		mov	[eax+18h], ecx
		mov	eax, ds:_CrashdmpDumpBlock
		mov	ecx, [ebp+arg_4]
		mov	[eax+1Ch], ecx
		mov	eax, ds:_CrashdmpDumpBlock
		mov	ecx, [ebp+arg_8]
		mov	[eax+20h], ecx
		mov	ecx, 0B3h
		mov	edi, ds:_CrashdmpDumpBlock
		add	edi, 24h
		rep movsd
		mov	eax, ds:_CrashdmpDumpBlock
		mov	esi, [ebp+var_30]
		mov	dword ptr [eax+2F0h], offset _KdDebuggerDataBlock
		mov	eax, ds:_CrashdmpDumpBlock
		mov	dword ptr [eax+2F4h], offset _PsActiveProcessHead
		mov	eax, ds:_CrashdmpDumpBlock
		mov	dword ptr [eax+2F8h], offset _PsLoadedModuleList
		mov	ecx, ds:_CrashdmpDumpBlock
		mov	eax, ds:_MmPfnDatabase
		mov	[ecx+2FCh], eax
		mov	eax, ds:_CrashdmpDumpBlock
		mov	dword ptr [eax+0Ch], offset _KeBugCheckReasonCallbackListHead
		mov	eax, ds:_CrashdmpDumpBlock
		mov	dword ptr [eax+340h], offset _KeBugCheckTriageDumpDataArrayListHead
		test	esi, esi
		jz	short loc_60BB38
		mov	eax, [edx+80h]
		mov	ecx, [eax+18h]
		jmp	short loc_60BB3B
; 

loc_60BB38:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+1B7j
		mov	ecx, cr3

loc_60BB3B:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+1C2j
		mov	eax, ds:_CrashdmpDumpBlock
		mov	[eax+308h], ecx
		mov	eax, ds:_CrashdmpDumpBlock
		cmp	[eax+300h], ebx
		jnz	short loc_60BB61
		cmp	[ebp+var_15], 1
		jnz	short loc_60BB61
		test	esi, esi
		jnz	loc_60BC2C

loc_60BB61:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+1DDj
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+1E3j
		push	[ebp+var_2C]
		mov	edi, [ebp+var_34]
		mov	ecx, [ebp+var_24]
		push	edx
		mov	edx, [ebp+var_20]
		push	edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_IopUpdateMinidumpContext@32 ; IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)
		push	ecx
		push	ecx
		lea	edx, [ebp+var_14]
		mov	ecx, edi
		call	_MmSnapTriageDumpInformation@16	; MmSnapTriageDumpInformation(x,x,x,x)
		cmp	[ebp+var_15], 1
		mov	eax, ds:_IopNumTriageDumpDataBlocks
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], 100h
		mov	[ebp+var_38], offset _IopTriageDumpDataBlocks
		jz	short loc_60BBCA
		mov	ecx, ds:_CrashdmpDumpBlock
		mov	eax, [ecx+310h]
		test	eax, eax
		jz	short loc_60BBCA
		add	eax, 201Ch
		mov	[ecx+300h], eax
		mov	eax, ds:_CrashdmpDumpBlock
		mov	[eax+8], ebx
		jmp	short loc_60BBED
; 

loc_60BBCA:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+22Fj
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+23Fj
		mov	ecx, ds:_CrashdmpDumpBlock
		cmp	[ecx+300h], ebx
		jnz	short loc_60BBED
		test	esi, esi
		jnz	short loc_60BBED
		mov	eax, [ecx+310h]
		add	eax, 1000h
		mov	[ecx+300h], eax

loc_60BBED:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+254j
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+262j ...
		mov	edx, ds:_CrashdmpDumpBlock
		lea	eax, [ebp+var_48]
		push	eax		; int
		lea	eax, [ebp+var_40]
		mov	ecx, 1F000h	; int
		push	eax		; int
		mov	edx, [edx+300h]	; void *
		push	eax		; int
		push	1		; int
		push	41h		; int
		push	ds:_CmNtCSDVersion ; int
		push	[ebp+var_1C]	; int
		push	edi		; int
		push	ebx		; int
		push	[ebp+var_28]	; int
		push	1		; char
		call	_IoFillTriageDumpBuffer@52 ; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_60BEF4
		jmp	short loc_60BC31
; 

loc_60BC2C:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+1E7j
		mov	edi, [ebp+var_34]
		mov	esi, ebx

loc_60BC31:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+2B6j
		mov	ecx, ds:_CrashdmpDumpBlock
		mov	eax, [ecx+314h]
		mov	edx, eax
		and	edx, 2
		mov	[ebp+var_34], edx
		jz	short loc_60BC80
		cmp	dword ptr [ecx+304h], 6
		jnz	short loc_60BC80
		cmp	[ecx+8], ebx
		jz	short loc_60BC80
		push	[ebp+var_2C]
		mov	edx, [ebp+var_20]
		or	eax, 4
		push	[ebp+var_1C]
		mov	[ecx+314h], eax
		mov	ecx, [ebp+var_24]
		push	edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_IoAddPagesForPartialKernelDump@32 ; IoAddPagesForPartialKernelDump(x,x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_60BD2A
; 

loc_60BC80:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+2D1j
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+2DAj ...
		mov	edx, [ecx+8]
		mov	[ebp+var_4C], edx
		test	edx, edx
		jz	loc_60BD2A
		mov	[ebp+var_50], ebx
		mov	eax, [edx+30h]
		mov	[ebp+var_3C], eax
		lea	eax, [edx+38h]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_5C], eax
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_64], offset _IoSetDumpRange@16	; IoSetDumpRange(x,x,x,x)
		mov	[ebp+var_60], offset _IoFreeDumpRange@16 ; IoFreeDumpRange(x,x,x,x)
		mov	eax, [ecx+304h]
		mov	[ebp+var_28], 1
		cmp	eax, 6
		jnz	short loc_60BCD6
		xor	eax, eax
		cmp	[ebp+arg_18], al
		setnz	al
		mov	[ebp+var_44], eax
		jmp	short loc_60BCE7
; 

loc_60BCD6:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+353j
		cmp	eax, 5
		jnz	short loc_60BCEA
		cmp	[ebp+var_34], ebx
		jz	short loc_60BCEA
		mov	[ebp+var_44], 2

loc_60BCE7:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+360j
		mov	[ebp+var_28], ebx

loc_60BCEA:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+365j
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+36Aj
		mov	ecx, [ebp+var_24]
		call	_IopDumpCallAddPagesCallbacks@4	; IopDumpCallAddPagesCallbacks(x)
		push	21h
		pop	ecx
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		push	[ebp+var_44]
		mov	edx, [ebp+var_28]
		lea	ecx, [ebp+var_64]
		call	_MmGetDumpRange@12 ; MmGetDumpRange(x,x,x)
		mov	ecx, [ebp+var_24]
		call	_IopDumpCallRemovePagesCallbacks@4 ; IopDumpCallRemovePagesCallbacks(x)
		push	22h
		pop	ecx
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		lea	eax, [ebp+var_3C]
		push	eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	ecx, [ebp+var_4C]
		mov	[ecx+28h], eax
		mov	[ecx+2Ch], ebx

loc_60BD2A:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+307j
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+314j
		test	esi, esi
		js	short loc_60BD3F
		push	[ebp+var_30]
		push	ds:_CrashdmpDumpBlock
		call	ds:dword_6D4ADC
		mov	esi, eax

loc_60BD3F:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+3B8j
		cmp	esi, 0C000022Dh
		jnz	loc_60BE53
		mov	eax, ds:_CrashdmpDumpBlock
		test	byte ptr [eax+314h], 4
		jz	short loc_60BDA8
		push	27h
		pop	ecx
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		push	[ebp+var_2C]
		mov	eax, ds:_CrashdmpDumpBlock
		push	[ebp+var_1C]
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_24]
		or	dword ptr [eax+314h], 8
		push	edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_IoAddPagesForPartialKernelDump@32 ; IoAddPagesForPartialKernelDump(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_60BE53
		push	[ebp+var_30]
		push	ds:_CrashdmpDumpBlock
		call	ds:dword_6D4ADC
		push	26h
		jmp	loc_60BE4B
; 

loc_60BDA8:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+3E3j
		cmp	[eax+300h], ebx
		jz	loc_60BE53
		or	dword ptr [eax+338h], 400h
		call	_IoUpdateBugCheckProgressEnvVariable@0 ; IoUpdateBugCheckProgressEnvVariable()
		push	[ebp+var_2C]
		mov	esi, [ebp+var_1C]
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_24]
		push	esi
		push	edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_IopUpdateMinidumpContext@32 ; IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)
		push	ecx
		push	ecx
		lea	edx, [ebp+var_14]
		mov	ecx, edi
		call	_MmSnapTriageDumpInformation@16	; MmSnapTriageDumpInformation(x,x,x,x)
		mov	eax, ds:_IopNumTriageDumpDataBlocks
		mov	ecx, 1F000h	; int
		mov	edx, ds:_CrashdmpDumpBlock
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_48]
		push	eax		; int
		lea	eax, [ebp+var_40]
		mov	[ebp+var_3C], 100h
		push	eax		; int
		push	eax		; int
		push	1		; int
		push	41h		; int
		push	ds:_CmNtCSDVersion ; int
		mov	[ebp+var_38], offset _IopTriageDumpDataBlocks
		mov	edx, [edx+300h]	; void *
		push	esi		; int
		push	edi		; int
		push	ebx		; int
		push	0DFFh		; int
		push	1		; char
		call	_IoFillTriageDumpBuffer@52 ; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_60BE53
		push	[ebp+var_30]
		push	ds:_CrashdmpDumpBlock
		call	ds:dword_6D4ADC
		push	23h

loc_60BE4B:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+42Fj
		pop	ecx
		mov	esi, eax
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)

loc_60BE53:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+3D1j
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+418j ...
		mov	eax, ds:_DumpPolicyAttemptOffline
		test	al, 1
		jz	short loc_60BE60
		test	esi, esi
		js	short loc_60BE6B

loc_60BE60:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+4E6j
		test	al, 2
		mov	al, [ebp+var_15]
		jz	short loc_60BEA9
		test	al, al
		jnz	short loc_60BEA9

loc_60BE6B:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+4EAj
		push	24h
		pop	ecx
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		push	ebx
		call	ds:off_6B13B4	; xKdReleasePciDeviceForDebugging(x)
		test	eax, eax
		js	short loc_60BEF4
		mov	eax, ds:_CrashdmpDumpBlock
		test	eax, eax
		jz	short loc_60BE96
		or	dword ptr [eax+338h], 1000h
		call	_IoUpdateBugCheckProgressEnvVariable@0 ; IoUpdateBugCheckProgressEnvVariable()

loc_60BE96:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+511j
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+533j
		push	0F4240h
		call	ds:__imp__KeStallExecutionProcessor@4 ;	KeStallExecutionProcessor(x)
		inc	ds:_AttemptOfflineStallCount
		jmp	short loc_60BE96
; 

loc_60BEA9:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+4F1j
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+4F5j
		test	esi, esi
		js	short loc_60BEF4
		cmp	al, 1
		jz	short loc_60BEEE
		mov	eax, ds:_CrashdmpDumpBlock
		cmp	[eax+310h], ebx
		jz	short loc_60BEEE
		call	_IoSetBugCheckProgressAndFlag@8	; IoSetBugCheckProgressAndFlag(x,x)
		mov	ecx, ds:_CrashdmpDumpBlock
		mov	ecx, [ecx+310h]
		call	_IopWriteTriageDumpToFirmware@4	; IopWriteTriageDumpToFirmware(x)
		mov	esi, eax
		mov	eax, ds:_CrashdmpDumpBlock
		test	eax, eax
		jz	short loc_60BEEE
		or	dword ptr [eax+338h], 10000000h
		call	_IoUpdateBugCheckProgressEnvVariable@0 ; IoUpdateBugCheckProgressEnvVariable()

loc_60BEEE:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+53Bj
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+548j ...
		test	esi, esi
		js	short loc_60BEF4
		mov	bl, 1

loc_60BEF4:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+9Cj
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+2B0j ...
		mov	al, bl

loc_60BEF6:				; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+6Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
_IoWriteCrashDump@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddBugcheckTriageDataFromParameters(x, x, x, x, x)
_IopAddBugcheckTriageDataFromParameters@20 proc	near
					; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+268p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		mov	edx, 1000h
		push	edi
		mov	edi, ecx
		mov	ecx, esi
		and	ecx, 0FFFFF000h
		call	IoAddTriageDumpDataBlock
		mov	ebx, [ebp+arg_0]
		mov	edx, 1000h
		mov	ecx, ebx
		and	ecx, 0FFFFF000h
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebp+arg_4]
		mov	edx, 1000h
		and	ecx, 0FFFFF000h
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebp+arg_8]
		mov	edx, 1000h
		and	ecx, 0FFFFF000h
		call	IoAddTriageDumpDataBlock
		cmp	edi, 0CDh
		jz	short loc_60BF9D
		cmp	edi, 0D6h
		jz	short loc_60BF9D
		cmp	edi, 0D1h
		jnz	short loc_60BFB3
		mov	ecx, esi
		call	_MmIsSpecialPoolAddress@4 ; MmIsSpecialPoolAddress(x)
		test	eax, eax
		jz	loc_60C1A8
		lea	ecx, [esi-1000h]
		mov	edx, 1000h
		and	ecx, 0FFFFF000h
		jmp	loc_60C1A3
; 

loc_60BF9D:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+5Fj
					; IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+67j
		lea	ecx, [esi-1000h]
		mov	edx, 1000h
		and	ecx, 0FFFFF000h
		call	IoAddTriageDumpDataBlock

loc_60BFB3:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+6Fj
		cmp	edi, 14Fh
		jz	short loc_60BFC3
		cmp	edi, 15Ch
		jnz	short loc_60BFEC

loc_60BFC3:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+B2j
		mov	ecx, [ebp+arg_8]
		push	8
		pop	edx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_60BFEC
		mov	ecx, [ebp+arg_8]
		push	8
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebp+arg_8]
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_60BFEC
		call	_IopAddBugcheckTriageThread@4 ;	IopAddBugcheckTriageThread(x)

loc_60BFEC:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+BAj
					; IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+C9j ...
		cmp	edi, 19Ch
		jnz	short loc_60C020
		test	ebx, ebx
		jz	loc_60C1A8
		cmp	esi, 10h
		jz	short loc_60C019
		cmp	esi, 20h
		jz	short loc_60C019
		cmp	esi, 30h
		jz	short loc_60C019
		cmp	esi, 40h
		jz	short loc_60C019
		cmp	esi, 50h
		jnz	loc_60C1A8

loc_60C019:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+F8j
					; IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+FDj ...
		mov	ecx, ebx
		call	_IopAddBugcheckTriageThread@4 ;	IopAddBugcheckTriageThread(x)

loc_60C020:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+EBj
		cmp	edi, 9Fh
		jnz	short loc_60C05D
		cmp	esi, 4
		jnz	short loc_60C047
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_60C1A8
		mov	edx, [ebp+arg_8]
		mov	ecx, eax
		call	_IopAddBugcheckPnpTriageData@8 ; IopAddBugcheckPnpTriageData(x,x)
		jmp	loc_60C1A8
; 

loc_60C047:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+124j
		cmp	esi, 3
		jnz	loc_60C1A8
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		call	_IopAddBugcheckPowerTriageData@12 ; IopAddBugcheckPowerTriageData(x,x,x)

loc_60C05D:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+11Fj
		cmp	edi, 1D5h
		jnz	short loc_60C06F
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		call	_IopAddBugcheckPnpWatchdogTriageData@8 ; IopAddBugcheckPnpWatchdogTriageData(x,x)

loc_60C06F:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+15Cj
		cmp	edi, 0A0h
		jnz	short loc_60C0D4
		cmp	esi, 618h
		jnz	short loc_60C087
		mov	ecx, [ebp+arg_4]
		call	_IopAddBugcheckTriageThread@4 ;	IopAddBugcheckTriageThread(x)

loc_60C087:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+176j
		cmp	esi, 619h
		jnz	short loc_60C0A9
		mov	ecx, [ebx+1Ch]
		call	_IopAddBugcheckTriageDeviceNode@4 ; IopAddBugcheckTriageDeviceNode(x)
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_60C1A8
		mov	ecx, eax
		call	_IopAddBugcheckTriageDeviceNode@4 ; IopAddBugcheckTriageDeviceNode(x)

loc_60C0A9:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+186j
		cmp	esi, 0Fh
		jz	short loc_60C0C2
		cmp	esi, 0F0h
		jz	short loc_60C0C2
		cmp	esi, 0F1h
		jnz	loc_60C1A8

loc_60C0C2:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+1A5j
					; IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+1ADj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_60C1A8
		mov	ecx, eax
		call	_IopAddBugcheckTriageThread@4 ;	IopAddBugcheckTriageThread(x)

loc_60C0D4:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+16Ej
		cmp	edi, 101h
		jnz	short loc_60C159
		test	ebx, ebx
		jnz	loc_60C1A8
		mov	esi, [ebp+arg_4]
		mov	edx, 5F00h
		mov	ecx, esi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	loc_60C1A8
		mov	edx, 5F00h
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+4168h]
		mov	edx, 2CCh
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+4]
		mov	edx, 4E0h
		mov	ecx, eax
		mov	[ebp+arg_8], eax
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_60C135
		mov	ecx, [ebp+arg_8]
		call	_IopAddBugcheckTriageThread@4 ;	IopAddBugcheckTriageThread(x)

loc_60C135:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+224j
		mov	eax, [esi+4168h]
		mov	edx, 2000h
		mov	ecx, [eax+0C4h]
		sub	ecx, 1000h
		and	ecx, 0FFFFF000h
		call	IoAddTriageDumpDataBlock
		jmp	short loc_60C15C
; 

loc_60C159:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+1D3j
		mov	esi, [ebp+arg_4]

loc_60C15C:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+250j
		cmp	edi, 1A0h
		jnz	short loc_60C176
		mov	ecx, esi
		call	_IopAddBugcheckTriageThread@4 ;	IopAddBugcheckTriageThread(x)
		push	0
		xor	edx, edx
		xor	ecx, ecx
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)

loc_60C176:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+25Bj
		cmp	edi, 124h
		jnz	short loc_60C1A8
		mov	edx, 80h
		mov	ecx, ebx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_60C1A8
		movzx	eax, word ptr [ebx+0Ah]
		mov	edx, [ebx+14h]
		imul	eax, 48h
		sub	eax, 0FFFFFF80h
		cmp	edx, eax
		jnb	short loc_60C1A1
		mov	edx, eax

loc_60C1A1:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+296j
		mov	ecx, ebx

loc_60C1A3:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+91j
		call	IoAddTriageDumpDataBlock

loc_60C1A8:				; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+7Aj
					; IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+EFj ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_IopAddBugcheckTriageDataFromParameters@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddPageDumpRange(x, x)
_IopAddPageDumpRange@8 proc near	; CODE XREF: IopDumpCallAddPagesCallbacks(x)+D8p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	edx, ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		test	edi, edi
		jz	short loc_60C1D5
		mov	[edi], bl

loc_60C1D5:				; CODE XREF: IopAddPageDumpRange(x,x)+22j
		mov	ecx, [edx+4]
		mov	esi, ecx
		and	esi, 0FF0h
		xor	ecx, esi
		mov	[edx+4], ecx
		test	ecx, 7FFFFFFCh
		jz	short loc_60C1F7
		mov	eax, 0C00000F2h
		jmp	loc_60C281
; 

loc_60C1F7:				; CODE XREF: IopAddPageDumpRange(x,x)+3Cj
		test	ecx, ecx
		jns	short loc_60C20A
		and	ecx, 7FFFFFFFh
		mov	[ebp+var_1], 1
		mov	[edx+4], ecx
		jmp	short loc_60C20D
; 

loc_60C20A:				; CODE XREF: IopAddPageDumpRange(x,x)+4Aj
		mov	[ebp+var_1], bl

loc_60C20D:				; CODE XREF: IopAddPageDumpRange(x,x)+59j
		lea	eax, [ecx-1]
		test	eax, ecx
		jz	short loc_60C21B
		mov	eax, 0C000000Dh
		jmp	short loc_60C281
; 

loc_60C21B:				; CODE XREF: IopAddPageDumpRange(x,x)+63j
		mov	eax, [edx+10h]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_60C281
		test	cl, 1
		jnz	short loc_60C22D
		or	esi, 2

loc_60C22D:				; CODE XREF: IopAddPageDumpRange(x,x)+79j
		mov	edx, ds:_CrashdmpDumpBlock
		mov	ecx, [edx+8]
		mov	[ebp+var_20], ecx
		mov	eax, [ecx+30h]
		mov	[ebp+var_14], eax
		lea	eax, [ecx+38h]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_14]
		test	byte ptr [edx+314h], 4
		mov	[ebp+var_24], eax
		jz	short loc_60C261
		or	ebx, 3
		mov	[ebp+var_1C], offset _AvailablePagesForPartialDump
		mov	[ebp+var_18], ebx

loc_60C261:				; CODE XREF: IopAddPageDumpRange(x,x)+A3j
		mov	eax, [ebp+var_C]
		push	esi
		push	[ebp+var_8]
		push	dword ptr [eax+0Ch]
		lea	eax, [ebp+var_2C]
		push	eax
		call	_IoSetDumpRange@16 ; IoSetDumpRange(x,x,x,x)
		test	eax, eax
		js	short loc_60C281
		test	edi, edi
		jz	short loc_60C281
		mov	cl, [ebp+var_1]
		mov	[edi], cl

loc_60C281:				; CODE XREF: IopAddPageDumpRange(x,x)+43j
					; IopAddPageDumpRange(x,x)+6Aj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopAddPageDumpRange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddPageRangeToPageMaps(x, x, x, x, x)
_IopAddPageRangeToPageMaps@20 proc near	; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+5Dp
					; IopAddPageToPageMap(x,x,x,x,x,x,x)+150p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_4]
		mov	esi, edx
		mov	edi, ecx
		push	[ebp+arg_0]
		push	esi
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		test	edi, edi
		jz	loc_60C348
		mov	eax, [ebp+arg_8]
		test	eax, 0FF0h
		jz	loc_60C348
		shr	eax, 4
		movzx	ebx, al
		mov	eax, [esi]
		mov	[ebp+var_14], eax
		mov	eax, [esi+4]
		mov	esi, [edi+30h]
		add	esi, 7
		mov	[ebp+var_10], eax
		shr	esi, 3
		add	esi, 7
		and	esi, 0FFFFFFF8h
		test	ebx, ebx
		jz	short loc_60C348
		mov	eax, esi
		lea	ecx, [edi+38h]
		sub	eax, edi
		mov	[ebp+var_C], eax

loc_60C2E5:				; CODE XREF: IopAddPageRangeToPageMaps(x,x,x,x,x)+C0j
		mov	edx, [edi+20h]
		add	ecx, esi
		add	eax, ecx
		mov	[ebp+arg_8], ecx
		mov	[ebp+var_8], eax
		add	edx, 0FFFFF000h
		mov	eax, [edi+24h]
		adc	eax, 0FFFFFFFFh
		and	[ebp+var_4], 0
		cmp	[ebp+var_4], eax
		ja	short loc_60C348
		jb	short loc_60C30E
		cmp	[ebp+var_8], edx
		ja	short loc_60C348

loc_60C30E:				; CODE XREF: IopAddPageRangeToPageMaps(x,x,x,x,x)+81j
		mov	[ebp+var_10], ecx
		test	bl, 1
		jz	short loc_60C327
		push	[ebp+arg_4]
		lea	eax, [ebp+var_14]
		push	[ebp+arg_0]
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		jmp	short loc_60C33E
; 

loc_60C327:				; CODE XREF: IopAddPageRangeToPageMaps(x,x,x,x,x)+8Ej
		test	bl, 10h
		jz	short loc_60C341
		push	[ebp+arg_4]
		lea	eax, [ebp+var_14]
		push	[ebp+arg_0]
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		and	ebx, 0FFFFFFEFh

loc_60C33E:				; CODE XREF: IopAddPageRangeToPageMaps(x,x,x,x,x)+9Fj
		mov	ecx, [ebp+arg_8]

loc_60C341:				; CODE XREF: IopAddPageRangeToPageMaps(x,x,x,x,x)+A4j
		shr	ebx, 1
		mov	eax, [ebp+var_C]
		jnz	short loc_60C2E5

loc_60C348:				; CODE XREF: IopAddPageRangeToPageMaps(x,x,x,x,x)+1Dj
					; IopAddPageRangeToPageMaps(x,x,x,x,x)+2Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_IopAddPageRangeToPageMaps@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddPageToPageMap(x, x, x, x, x, x, x)
_IopAddPageToPageMap@28	proc near	; CODE XREF: IoSetBugCheckProgressAndFlag(x,x)+15Fp
					; IoSetBugCheckProgressAndFlag(x,x)+1A4p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_8], ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ebx
		push	esi
		push	edi
		test	eax, eax
		jz	short loc_60C37D
		mov	esi, [ebp+arg_4]
		lea	edi, [eax-1]
		mov	edx, [ebx]
		add	edi, esi
		cmp	esi, edx
		jb	short loc_60C386
		cmp	byte ptr [ebp+arg_C], 0
		jz	short loc_60C390

loc_60C37D:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+18j
					; IopAddPageToPageMap(x,x,x,x,x,x,x)+4Ej ...
		xor	eax, eax

loc_60C37F:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+46j
					; IopAddPageToPageMap(x,x,x,x,x,x,x)+17Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_60C386:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+26j
		cmp	edi, edx
		jb	short loc_60C39B
		cmp	byte ptr [ebp+arg_C], 0
		jnz	short loc_60C397

loc_60C390:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+2Cj
		mov	eax, 0C0000141h
		jmp	short loc_60C37F
; 

loc_60C397:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+3Fj
		mov	eax, edx
		sub	eax, esi

loc_60C39B:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+39j
		test	eax, eax
		jz	short loc_60C37D
		cmp	[ebp+arg_0], 0
		jnz	short loc_60C3B3
		push	[ebp+arg_10]
		mov	edx, ebx
		push	eax
		push	esi
		call	_IopAddPageRangeToPageMaps@20 ;	IopAddPageRangeToPageMaps(x,x,x,x,x)
		jmp	short loc_60C37D
; 

loc_60C3B3:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+54j
		mov	ecx, [ebx+4]
		lea	ebx, [esi+eax]
		mov	[ebp+arg_C], ecx
		mov	[ebp+arg_8], ebx

loc_60C3BF:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+167j
		cmp	ebx, esi
		jbe	short loc_60C37D
		lea	eax, [ebx-1]
		shr	eax, 5
		lea	ebx, [ecx+eax*4]
		mov	eax, esi
		shr	eax, 5
		mov	[ebp+arg_4], ebx
		lea	edx, [ecx+eax*4]
		cmp	edx, ebx
		jz	short loc_60C40A
		mov	edi, esi
		and	edi, 1Fh
		mov	ecx, ds:dword_40BA68[edi*4]
		or	ecx, [edx]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_60C407
		sub	esi, edi
		add	esi, 20h
		add	edx, 4

loc_60C3F6:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+B6j
		cmp	edx, ebx
		jnb	short loc_60C407
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	short loc_60C407
		add	edx, 4
		add	esi, 20h
		jmp	short loc_60C3F6
; 

loc_60C407:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+9Dj
					; IopAddPageToPageMap(x,x,x,x,x,x,x)+A9j ...
		mov	ecx, [ebp+arg_C]

loc_60C40A:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+8Aj
		mov	eax, [ebp+arg_8]
		jmp	short loc_60C415
; 

loc_60C40F:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+C8j
		bt	[ecx], esi
		jnb	short loc_60C419
		inc	esi

loc_60C415:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+BEj
		cmp	esi, eax
		jb	short loc_60C40F

loc_60C419:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+C3j
		xor	edi, edi
		cmp	edx, ebx
		jz	short loc_60C459
		mov	ecx, [edx]
		mov	ebx, esi
		and	ebx, 1Fh
		mov	eax, ds:dword_40BA68[ebx*4]
		not	eax
		and	eax, ecx
		jnz	short loc_60C459
		push	20h
		pop	edi
		sub	edi, ebx
		cmp	edi, 0FFFFFFFFh
		jnb	short loc_60C478
		mov	ecx, [ebp+arg_4]
		add	edx, 4
		jmp	short loc_60C455
; 

loc_60C445:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+108j
		cmp	dword ptr [edx], 0
		jnz	short loc_60C459
		add	edi, 20h
		add	edx, 4
		cmp	edi, 0FFFFFFFFh
		jnb	short loc_60C478

loc_60C455:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+F4j
		cmp	edx, ecx
		jb	short loc_60C445

loc_60C459:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+CEj
					; IopAddPageToPageMap(x,x,x,x,x,x,x)+E2j ...
		mov	ebx, [ebp+arg_8]
		lea	eax, [edi+esi]
		cmp	eax, ebx
		jnb	short loc_60C47B
		mov	ecx, [ebp+arg_C]

loc_60C466:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+125j
		bt	[ecx], eax
		jb	short loc_60C47B
		cmp	edi, 0FFFFFFFFh
		jnb	short loc_60C47E
		inc	eax
		inc	edi
		cmp	eax, ebx
		jb	short loc_60C466
		jmp	short loc_60C47B
; 

loc_60C478:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+ECj
					; IopAddPageToPageMap(x,x,x,x,x,x,x)+104j
		mov	ebx, [ebp+arg_8]

loc_60C47B:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+112j
					; IopAddPageToPageMap(x,x,x,x,x,x,x)+11Aj ...
		cmp	edi, 0FFFFFFFFh

loc_60C47E:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+11Fj
		jbe	short loc_60C483
		or	edi, 0FFFFFFFFh

loc_60C483:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x):loc_60C47Ej
		test	edi, edi
		jz	loc_60C37D
		mov	eax, [ebp+arg_0]
		push	[ebp+arg_10]
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		mov	eax, [eax]
		cmp	edi, eax
		ja	short loc_60C4BB
		push	edi
		push	esi
		call	_IopAddPageRangeToPageMaps@20 ;	IopAddPageRangeToPageMaps(x,x,x,x,x)
		mov	eax, [ebp+arg_0]
		add	esi, edi
		sub	[eax], edi
		cmp	esi, ebx
		jnb	loc_60C37D
		mov	ecx, [ebp+arg_C]
		jmp	loc_60C3BF
; 

loc_60C4BB:				; CODE XREF: IopAddPageToPageMap(x,x,x,x,x,x,x)+14Cj
		push	eax
		push	esi
		call	_IopAddPageRangeToPageMaps@20 ;	IopAddPageRangeToPageMaps(x,x,x,x,x)
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		mov	eax, 0C0000023h
		jmp	loc_60C37F
_IopAddPageToPageMap@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddRunTimeTriageDataBlocks(x, x,	x, x, x, x)
_IopAddRunTimeTriageDataBlocks@24 proc near
					; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+334p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		mov	ecx, [edi+0B8h]
		call	_IopGetMaxValidMemorySizeDown@8	; IopGetMaxValidMemorySizeDown(x,x)
		mov	ecx, [edi+0B8h]
		mov	edx, 100h
		mov	esi, eax
		call	_IopGetMaxValidMemorySize@8 ; IopGetMaxValidMemorySize(x,x)
		mov	edx, ebx
		lea	ecx, [eax+esi]
		push	ecx
		mov	ecx, [edi+0B8h]
		sub	ecx, esi
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_4]
		call	IopAddTriageDumpDataBlock
		mov	esi, offset _IopRunTimeContextOffsets ;	"Ĵ"
		mov	ecx, 0B8h

loc_60C524:				; CODE XREF: IopAddRunTimeTriageDataBlocks(x,x,x,x,x,x)+8Aj
		movzx	eax, cx
		mov	eax, [eax+edi]
		cmp	eax, [ebp+arg_8]
		jb	short loc_60C534
		cmp	eax, [ebp+arg_C]
		jb	short loc_60C54C

loc_60C534:				; CODE XREF: IopAddRunTimeTriageDataBlocks(x,x,x,x,x,x)+5Bj
		mov	ecx, [ebp+var_4]
		and	eax, 0FFFFF000h
		push	1000h
		push	eax
		push	[ebp+arg_0]
		mov	edx, ebx
		call	IopAddTriageDumpDataBlock

loc_60C54C:				; CODE XREF: IopAddRunTimeTriageDataBlocks(x,x,x,x,x,x)+60j
		add	esi, 2
		mov	edx, 0FFFFh
		movzx	eax, word ptr [esi]
		mov	ecx, eax
		cmp	ax, dx
		jb	short loc_60C524
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_IopAddRunTimeTriageDataBlocks@24 endp


;  S U B	R O U T	I N E 


; __stdcall IopConstructInMemoryDumpHeader()
_IopConstructInMemoryDumpHeader@0 proc near
					; CODE XREF: IopInitializeOfflineCrashDump+7E361p
					; IoUpdateDumpPhysicalRanges()+57p
		mov	edi, edi
		push	ebx
		xor	edx, edx
		mov	ecx, offset _InMemData
		push	esi
		inc	edx
		push	edi
		mov	eax, edx
		xchg	eax, [ecx]
		cmp	eax, edx
		jz	loc_60C612
		and	ds:dword_6D4D90, 0
		cmp	ds:dword_6D4D6C, 0
		jz	short loc_60C5FF
		mov	ecx, ds:dword_6D4D7C
		mov	eax, ecx
		and	eax, edx
		mov	ebx, ds:dword_6D4D70[eax*4]
		test	ebx, ebx
		jz	short loc_60C5FF
		lea	eax, [ecx-1]
		and	eax, edx
		mov	edi, ds:dword_6D4D70[eax*4]
		test	edi, edi
		jz	short loc_60C5FF
		mov	eax, large fs:124h
		lea	ecx, [edi+18h]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	14Ch
		call	_IoFillDumpHeader@32 ; IoFillDumpHeader(x,x,x,x,x,x,x,x)
		mov	eax, ds:dword_6D4D80
		mov	[edi+838h], eax
		mov	eax, ds:dword_6D4D84
		mov	[edi+83Ch], eax
		mov	eax, ds:_PsInitialSystemProcess
		mov	eax, [eax+18h]
		mov	[edi+28h], eax
		mov	eax, 5353493Bh
		xchg	eax, [edi]
		mov	[ebx], eax
		inc	ds:dword_6D4D7C
		jmp	short loc_60C609
; 

loc_60C5FF:				; CODE XREF: IopConstructInMemoryDumpHeader()+27j
					; IopConstructInMemoryDumpHeader()+3Cj	...
		mov	ds:dword_6D4D90, 0C0000001h

loc_60C609:				; CODE XREF: IopConstructInMemoryDumpHeader()+98j
		xor	eax, eax
		mov	ecx, offset _InMemData
		xchg	eax, [ecx]

loc_60C612:				; CODE XREF: IopConstructInMemoryDumpHeader()+13j
		pop	edi
		pop	esi
		pop	ebx
		retn
_IopConstructInMemoryDumpHeader@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDumpCallAddPagesCallbacks(x)
_IopDumpCallAddPagesCallbacks@4	proc near
					; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+379p
					; IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+269p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

		push	40h
		push	offset dword_6A7FD0
		call	__SEH_prolog4
		mov	[ebp+var_20], ecx
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	esi, ds:_KeBugCheckAddRemovePagesCallbackListHead
		mov	[ebp+var_28], offset _KeBugCheckAddRemovePagesCallbackListHead
		xor	ebx, ebx

loc_60C63E:				; CODE XREF: IopDumpCallAddPagesCallbacks(x)+100j
		mov	[ebp+var_2C], esi
		cmp	esi, offset _KeBugCheckAddRemovePagesCallbackListHead
		jz	loc_60C71B
		mov	[ebp+var_30], esi
		mov	eax, esi
		mov	[ebp+var_24], eax
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	4
		pop	edx
		mov	ecx, esi
		call	_KeValidateBugCheckCallbackRecord@12 ; KeValidateBugCheckCallbackRecord(x,x,x)
		test	al, al
		jz	loc_60C70E
		mov	[ebp+var_4C], ebx
		mov	eax, [ebp+var_20]
		mov	[ebp+var_44], eax
		mov	edi, ebx

loc_60C679:				; CODE XREF: IopDumpCallAddPagesCallbacks(x)+E3j
		mov	[ebp+var_40], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_19], bl
		mov	[ebp+ms_exc.disabled], ebx
		push	14h
		lea	eax, [ebp+var_4C]
		push	eax
		mov	eax, [ebp+var_30]
		push	eax
		push	4
		call	dword ptr [eax+8]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_60C6DE
; 

loc_60C6A0:				; DATA XREF: .text:006A7FE4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_60C6AE:				; DATA XREF: .text:006A7FE8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_34]
		mov	eax, ds:_CrashdmpDumpBlock
		test	eax, eax
		jz	short loc_60C6CC
		or	dword ptr [eax+338h], 4000h
		call	_IoUpdateBugCheckProgressEnvVariable@0 ; IoUpdateBugCheckProgressEnvVariable()

loc_60C6CC:				; CODE XREF: IopDumpCallAddPagesCallbacks(x)+A5j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_2C]
		mov	eax, [ebp+var_38]
		mov	[ebp+var_24], eax

loc_60C6DE:				; CODE XREF: IopDumpCallAddPagesCallbacks(x)+88j
		test	edi, edi
		js	short loc_60C6F5
		cmp	[ebp+var_3C], 0
		jz	short loc_60C6F5
		lea	edx, [ebp+var_19]
		lea	ecx, [ebp+var_4C]
		call	_IopAddPageDumpRange@8 ; IopAddPageDumpRange(x,x)
		mov	edi, eax

loc_60C6F5:				; CODE XREF: IopDumpCallAddPagesCallbacks(x)+CAj
					; IopDumpCallAddPagesCallbacks(x)+D0j
		cmp	[ebp+var_19], 0
		jnz	loc_60C679
		test	edi, edi
		sets	al
		add	al, 3
		mov	ecx, [ebp+var_24]
		mov	[ecx+18h], al
		jmp	short loc_60C714
; 

loc_60C70E:				; CODE XREF: IopDumpCallAddPagesCallbacks(x)+52j
		cmp	[ebp+var_28], 0
		jz	short loc_60C71B

loc_60C714:				; CODE XREF: IopDumpCallAddPagesCallbacks(x)+F6j
		mov	esi, [esi]
		jmp	loc_60C63E
; 

loc_60C71B:				; CODE XREF: IopDumpCallAddPagesCallbacks(x)+31j
					; IopDumpCallAddPagesCallbacks(x)+FCj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopDumpCallAddPagesCallbacks@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDumpCallRemovePagesCallbacks(x)
_IopDumpCallRemovePagesCallbacks@4 proc	near
					; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+397p
					; IoAddPagesForPartialKernelDump(x,x,x,x,x,x,x,x)+50p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

		push	40h
		push	offset dword_6A7FB0
		call	__SEH_prolog4
		mov	[ebp+var_20], ecx
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	esi, ds:_KeBugCheckAddRemovePagesCallbackListHead
		mov	[ebp+var_28], offset _KeBugCheckAddRemovePagesCallbackListHead
		xor	ebx, ebx

loc_60C753:				; CODE XREF: IopDumpCallRemovePagesCallbacks(x)+100j
		mov	[ebp+var_2C], esi
		cmp	esi, offset _KeBugCheckAddRemovePagesCallbackListHead
		jz	loc_60C830
		mov	[ebp+var_30], esi
		mov	eax, esi
		mov	[ebp+var_24], eax
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	6
		pop	edx
		mov	ecx, esi
		call	_KeValidateBugCheckCallbackRecord@12 ; KeValidateBugCheckCallbackRecord(x,x,x)
		test	al, al
		jz	loc_60C823
		mov	[ebp+var_4C], ebx
		mov	eax, [ebp+var_20]
		mov	[ebp+var_44], eax
		mov	edi, ebx

loc_60C78E:				; CODE XREF: IopDumpCallRemovePagesCallbacks(x)+E3j
		mov	[ebp+var_40], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_19], bl
		mov	[ebp+ms_exc.disabled], ebx
		push	14h
		lea	eax, [ebp+var_4C]
		push	eax
		mov	eax, [ebp+var_30]
		push	eax
		push	6
		call	dword ptr [eax+8]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_60C7F3
; 

loc_60C7B5:				; DATA XREF: .text:006A7FC4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_60C7C3:				; DATA XREF: .text:006A7FC8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_34]
		mov	eax, ds:_CrashdmpDumpBlock
		test	eax, eax
		jz	short loc_60C7E1
		or	dword ptr [eax+338h], 4000h
		call	_IoUpdateBugCheckProgressEnvVariable@0 ; IoUpdateBugCheckProgressEnvVariable()

loc_60C7E1:				; CODE XREF: IopDumpCallRemovePagesCallbacks(x)+A5j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_2C]
		mov	eax, [ebp+var_38]
		mov	[ebp+var_24], eax

loc_60C7F3:				; CODE XREF: IopDumpCallRemovePagesCallbacks(x)+88j
		test	edi, edi
		js	short loc_60C80A
		cmp	[ebp+var_3C], 0
		jz	short loc_60C80A
		lea	edx, [ebp+var_19]
		lea	ecx, [ebp+var_4C]
		call	_IopRemovePageDumpRange@8 ; IopRemovePageDumpRange(x,x)
		mov	edi, eax

loc_60C80A:				; CODE XREF: IopDumpCallRemovePagesCallbacks(x)+CAj
					; IopDumpCallRemovePagesCallbacks(x)+D0j
		cmp	[ebp+var_19], 0
		jnz	loc_60C78E
		test	edi, edi
		sets	al
		add	al, 3
		mov	ecx, [ebp+var_24]
		mov	[ecx+18h], al
		jmp	short loc_60C829
; 

loc_60C823:				; CODE XREF: IopDumpCallRemovePagesCallbacks(x)+52j
		cmp	[ebp+var_28], 0
		jz	short loc_60C830

loc_60C829:				; CODE XREF: IopDumpCallRemovePagesCallbacks(x)+F6j
		mov	esi, [esi]
		jmp	loc_60C753
; 

loc_60C830:				; CODE XREF: IopDumpCallRemovePagesCallbacks(x)+31j
					; IopDumpCallRemovePagesCallbacks(x)+FCj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopDumpCallRemovePagesCallbacks@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFillTriageDumpDataBlocks(x, x, x, x)
_IopFillTriageDumpDataBlocks@16	proc near
					; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+43Dp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	3Ch
		push	offset dword_6A7FF0
		call	__SEH_prolog4
		mov	[ebp+var_4C], edx
		mov	[ebp+var_40], ecx
		and	[ebp+var_28], 0
		and	[ebp+var_24], 0
		mov	eax, [ecx+60h]
		add	eax, [ebp+arg_4]
		mov	[ebp+var_2C], eax
		mov	edi, eax
		mov	[ebp+var_34], edi
		mov	esi, [ecx+64h]
		shl	esi, 4
		add	esi, eax
		mov	[ebp+var_30], esi
		xor	ebx, ebx

loc_60C875:				; CODE XREF: IopFillTriageDumpDataBlocks(x,x,x,x)+154j
		mov	[ebp+var_20], ebx
		cmp	ebx, edx
		jnb	loc_60C999
		imul	eax, ebx, 0Ch
		mov	ecx, [ebp+arg_0]
		mov	ecx, [eax+ecx+8]
		xor	edx, edx

loc_60C88C:				; CODE XREF: IopFillTriageDumpDataBlocks(x,x,x,x)+14Bj
		mov	[ebp+var_38], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_1C], ecx
		imul	eax, ebx, 0Ch
		mov	ebx, [ebp+arg_0]
		cmp	edx, [eax+ebx]
		mov	ebx, [ebp+var_20]
		jnb	loc_60C990
		mov	eax, edi
		sub	eax, [ebp+var_2C]
		sar	eax, 4
		mov	edx, [ebp+var_40]
		cmp	eax, [edx+64h]
		jnb	loc_60C999
		mov	eax, [edx+4]
		mov	edx, [ebp+arg_4]
		add	edx, eax
		mov	[ebp+var_44], edx
		lea	eax, [edi+10h]
		cmp	eax, edx
		ja	loc_60C999
		mov	eax, [ecx]
		mov	[ebp+var_48], eax
		lea	edx, [ebp+var_24]
		push	edx
		mov	edx, eax
		mov	ecx, [ecx+4]
		call	_RtlULongPtrSub@12 ; RtlULongPtrSub(x,x,x)
		test	eax, eax
		js	loc_60C999
		lea	eax, [ebp+var_28]
		push	eax
		mov	edx, [ebp+var_24]
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_60C999
		mov	ecx, [ebp+var_44]
		cmp	[ebp+var_28], ecx
		ja	loc_60C999
		mov	eax, [ebp+var_48]
		cdq
		mov	[edi], eax
		mov	[edi+4], edx
		mov	eax, esi
		sub	eax, [ebp+arg_4]
		mov	[edi+8], eax
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax+4]
		sub	ecx, [eax]
		mov	[edi+0Ch], ecx
		and	[ebp+ms_exc.disabled], 0
		push	ecx		; size_t
		push	dword ptr [eax]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_1C]
		jmp	short loc_60C978
; 

loc_60C946:				; DATA XREF: .text:006A8004o
		xor	eax, eax
		inc	eax
		retn
; 

loc_60C94A:				; DATA XREF: .text:006A8008o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, ds:_CrashdmpDumpBlock
		test	eax, eax
		jz	short loc_60C965
		or	dword ptr [eax+338h], 200000h
		call	_IoUpdateBugCheckProgressEnvVariable@0 ; IoUpdateBugCheckProgressEnvVariable()

loc_60C965:				; CODE XREF: IopFillTriageDumpDataBlocks(x,x,x,x)+114j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_20]
		mov	ecx, [ebp+var_3C]
		mov	esi, [ebp+var_30]
		mov	edi, [ebp+var_34]

loc_60C978:				; CODE XREF: IopFillTriageDumpDataBlocks(x,x,x,x)+104j
		add	esi, [edi+0Ch]
		mov	[ebp+var_30], esi
		add	edi, 10h
		mov	[ebp+var_34], edi
		mov	edx, [ebp+var_38]
		inc	edx
		add	ecx, 8
		jmp	loc_60C88C
; 

loc_60C990:				; CODE XREF: IopFillTriageDumpDataBlocks(x,x,x,x)+61j
		inc	ebx
		mov	edx, [ebp+var_4C]
		jmp	loc_60C875
; 

loc_60C999:				; CODE XREF: IopFillTriageDumpDataBlocks(x,x,x,x)+3Aj
					; IopFillTriageDumpDataBlocks(x,x,x,x)+75j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_IopFillTriageDumpDataBlocks@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGetMaxValidMemorySize(x,	x)
_IopGetMaxValidMemorySize@8 proc near	; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+185p
					; IopAddRunTimeTriageDataBlocks(x,x,x,x,x,x)+29p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	eax, edi
		mov	ecx, 1000h
		and	eax, 0FFFh
		xor	esi, esi
		sub	ecx, eax
		and	edi, 0FFFFF000h
		mov	[ebp+var_4], ecx
		test	ebx, ebx
		jz	short loc_60C9F7

loc_60C9D5:				; CODE XREF: IopGetMaxValidMemorySize(x,x)+46j
		mov	ecx, edi
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_60C9F3
		add	esi, [ebp+var_4]
		mov	eax, 1000h
		add	edi, eax
		jz	short loc_60C9F3
		mov	[ebp+var_4], eax
		cmp	esi, ebx
		jb	short loc_60C9D5

loc_60C9F3:				; CODE XREF: IopGetMaxValidMemorySize(x,x)+33j
					; IopGetMaxValidMemorySize(x,x)+3Fj
		cmp	esi, ebx
		jb	short loc_60C9F9

loc_60C9F7:				; CODE XREF: IopGetMaxValidMemorySize(x,x)+28j
		mov	esi, ebx

loc_60C9F9:				; CODE XREF: IopGetMaxValidMemorySize(x,x)+4Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_IopGetMaxValidMemorySize@8 endp


;  S U B	R O U T	I N E 


; __stdcall IopGetMaxValidMemorySizeDown(x, x)
_IopGetMaxValidMemorySizeDown@8	proc near
					; CODE XREF: IopAddRunTimeTriageDataBlocks(x,x,x,x,x,x)+17p
					; IopMarkPagesForRunTimeTriageDataBlocks(x,x,x,x)+13p
		mov	edi, edi
		push	esi
		push	edi
		lea	edi, [ecx-1]
		xor	esi, esi
		and	edi, 0FFFFF000h
		jnz	short loc_60CA15
		xor	eax, eax
		jmp	short loc_60CA4E
; 

loc_60CA15:				; CODE XREF: IopGetMaxValidMemorySizeDown(x,x)+Fj
		push	ebx
		mov	ebx, edi
		and	ebx, 0FFFh

loc_60CA1E:				; CODE XREF: IopGetMaxValidMemorySizeDown(x,x)+3Ej
		mov	ecx, edi
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_60CA40
		add	esi, ebx
		test	edi, edi
		jz	short loc_60CA40
		mov	eax, 1000h
		sub	edi, eax
		mov	ebx, eax
		cmp	esi, 100h
		jb	short loc_60CA1E

loc_60CA40:				; CODE XREF: IopGetMaxValidMemorySizeDown(x,x)+27j
					; IopGetMaxValidMemorySizeDown(x,x)+2Dj
		mov	ebx, 100h
		cmp	esi, ebx
		jb	short loc_60CA4B
		mov	esi, ebx

loc_60CA4B:				; CODE XREF: IopGetMaxValidMemorySizeDown(x,x)+47j
		mov	eax, esi
		pop	ebx

loc_60CA4E:				; CODE XREF: IopGetMaxValidMemorySizeDown(x,x)+13j
		pop	edi
		pop	esi
		retn
_IopGetMaxValidMemorySizeDown@8	endp


;  S U B	R O U T	I N E 


IopGetMaxValidSectionSize proc near	; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+334p
					; KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+4B8p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		mov	ebx, ecx
		test	edi, edi
		jz	short loc_60CA71

loc_60CA60:				; CODE XREF: IopGetMaxValidSectionSize+1Ej
		lea	ecx, [esi+ebx]
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_60CA71
		inc	esi
		cmp	esi, edi
		jb	short loc_60CA60

loc_60CA71:				; CODE XREF: IopGetMaxValidSectionSize+Dj
					; IopGetMaxValidSectionSize+19j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
IopGetMaxValidSectionSize endp


;  S U B	R O U T	I N E 


IopGetMaxValidSectionSizeDown proc near	; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+4A1p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		xor	edi, edi
		cmp	esi, ebx
		jnb	short loc_60CA88
		mov	ebx, esi

loc_60CA88:				; CODE XREF: IopGetMaxValidSectionSizeDown+Dj
		test	ebx, ebx
		jz	short loc_60CA9D

loc_60CA8C:				; CODE XREF: IopGetMaxValidSectionSizeDown+24j
		mov	ecx, esi
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_60CA9D
		inc	edi
		dec	esi
		cmp	edi, ebx
		jb	short loc_60CA8C

loc_60CA9D:				; CODE XREF: IopGetMaxValidSectionSizeDown+13j
					; IopGetMaxValidSectionSizeDown+1Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
IopGetMaxValidSectionSizeDown endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopInitializeInMemoryDumpData()
_IopInitializeInMemoryDumpData@0 proc near ; CODE XREF:	IopInitializeOfflineCrashDump+7E35Cp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_16		= dword	ptr -16h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ecx, ecx
		mov	[ebp+var_16+2],	77FA9ABDh
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_10], 4D320359h
		inc	ecx
		mov	[ebp+var_C], 0F42860BDh
		push	edi
		mov	[ebp+var_8], 4B788FE7h
		mov	eax, ecx
		mov	byte ptr [ebp+var_16], bl
		mov	edx, offset _InMemData
		mov	[ebp+var_30], 353594B3h
		mov	[ebp+var_2C], 302E4594h
		mov	[ebp+var_28], 97DACBD4h
		mov	[ebp+var_24], 0B50211F1h
		mov	[ebp+var_20], 610836E8h
		mov	[ebp+var_1C], 199B7088h
		xchg	eax, [edx]
		cmp	eax, ecx
		jz	loc_60CC50
		push	ecx
		lea	eax, [ebp+var_16]
		mov	ds:dword_6D4D8C, ebx
		push	eax
		push	260000A0h
		push	10200003h
		push	ecx
		mov	ds:dword_6D4D7C, ebx
		mov	byte ptr [ebp+var_16+1], bl
		call	_ZwFilterBootOption@20 ; ZwFilterBootOption(x,x,x,x,x)
		test	eax, eax
		jns	short loc_60CB4E
		cmp	eax, 80430006h
		jnz	short loc_60CB52
		cmp	ds:_KdDebuggerEnabled, bl
		jz	short loc_60CB52

loc_60CB4E:				; CODE XREF: IopInitializeInMemoryDumpData()+9Aj
		mov	byte ptr [ebp+var_16+1], 1

loc_60CB52:				; CODE XREF: IopInitializeInMemoryDumpData()+A1j
					; IopInitializeInMemoryDumpData()+A9j
		mov	ds:dword_6D4D78, 1398h

loc_60CB5C:				; CODE XREF: IopInitializeInMemoryDumpData()+11Ej
		push	80000000h
		push	4
		xor	edi, edi
		push	edi
		push	edi
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	edi
		push	edi
		push	ds:dword_6D4D78
		call	MmAllocateContiguousNodeMemory
		mov	ds:dword_6D4D70[ebx], eax
		test	eax, eax
		jz	loc_60CC1D
		push	ds:dword_6D4D78	; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	edi, ds:dword_6D4D70[ebx]
		lea	esi, [ebp+var_30]
		add	esp, 0Ch
		cmp	byte ptr [ebp+var_16+1], 0
		push	6
		pop	ecx
		rep movsd
		jz	short loc_60CBBB
		mov	ecx, ds:dword_6D4D70[ebx]
		add	ecx, 1018h
		call	_KdCopyDataBlock@4 ; KdCopyDataBlock(x)

loc_60CBBB:				; CODE XREF: IopInitializeInMemoryDumpData()+105j
		add	ebx, 4
		cmp	ebx, 8
		jb	short loc_60CB5C
		rdtsc
		xor	ebx, ebx
		mov	ds:dword_6D4D80, eax
		rdtsc
		inc	ebx
		mov	ds:dword_6D4D84, eax
		mov	ecx, ebx
		call	ExGenRandom
		push	7
		push	8
		and	eax, 7FFFFFFFh
		lea	edx, [ebp+var_16+2]
		push	offset dword_6D4D80
		mov	ecx, offset ??_C@_1BK@BNBFJDPA@?$AAD?$AAu?$AAm?$AAp?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@FNODOBFM@
		mov	ds:dword_6D4D84, eax
		call	_IoSetEnvironmentVariableEx@20 ; IoSetEnvironmentVariableEx(x,x,x,x,x)
		test	eax, eax
		jns	short loc_60CC15
		mov	ecx, 45474150h
		mov	ds:dword_6D4D8C, eax
		mov	ds:dword_6D4D80, ecx
		mov	ds:dword_6D4D84, ecx

loc_60CC15:				; CODE XREF: IopInitializeInMemoryDumpData()+15Aj
		mov	ds:dword_6D4D6C, ebx
		jmp	short loc_60CC47
; 

loc_60CC1D:				; CODE XREF: IopInitializeInMemoryDumpData()+DDj
		mov	ds:dword_6D4D8C, 0C0000017h
		mov	esi, edi

loc_60CC29:				; CODE XREF: IopInitializeInMemoryDumpData()+1A2j
		mov	eax, ds:dword_6D4D70[esi]
		test	eax, eax
		jz	short loc_60CC3F
		push	eax
		call	MmFreeContiguousMemory
		mov	ds:dword_6D4D70[esi], edi

loc_60CC3F:				; CODE XREF: IopInitializeInMemoryDumpData()+18Ej
		add	esi, 4
		cmp	esi, 8
		jb	short loc_60CC29

loc_60CC47:				; CODE XREF: IopInitializeInMemoryDumpData()+178j
		xor	eax, eax
		mov	ecx, offset _InMemData
		xchg	eax, [ecx]

loc_60CC50:				; CODE XREF: IopInitializeInMemoryDumpData()+6Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopInitializeInMemoryDumpData@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopRemovePageDumpRange(x, x)
_IopRemovePageDumpRange@8 proc near	; CODE XREF: IopDumpCallRemovePagesCallbacks(x)+D8p

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		push	6
		xor	eax, eax
		mov	ebx, edx
		pop	ecx
		rep stosd
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		test	ebx, ebx
		jz	short loc_60CC83
		mov	[ebx], cl

loc_60CC83:				; CODE XREF: IopRemovePageDumpRange(x,x)+20j
		mov	edx, [esi+4]
		test	edx, 7FFFFFFCh
		jz	short loc_60CC95
		mov	eax, 0C00000F2h
		jmp	short loc_60CD02
; 

loc_60CC95:				; CODE XREF: IopRemovePageDumpRange(x,x)+2Dj
		test	edx, edx
		jns	short loc_60CCA6
		and	edx, 7FFFFFFFh
		mov	byte ptr [ebp+var_4], 1
		mov	[esi+4], edx

loc_60CCA6:				; CODE XREF: IopRemovePageDumpRange(x,x)+38j
		lea	eax, [edx-1]
		test	eax, edx
		jz	short loc_60CCB4
		mov	eax, 0C000000Dh
		jmp	short loc_60CD02
; 

loc_60CCB4:				; CODE XREF: IopRemovePageDumpRange(x,x)+4Cj
		mov	edi, [esi+10h]
		test	edi, edi
		jnz	short loc_60CCBF
		xor	eax, eax
		jmp	short loc_60CD02
; 

loc_60CCBF:				; CODE XREF: IopRemovePageDumpRange(x,x)+5Aj
		mov	esi, [esi+0Ch]
		and	edx, 1
		jnz	short loc_60CCCA
		shr	esi, 0Ch

loc_60CCCA:				; CODE XREF: IopRemovePageDumpRange(x,x)+66j
		mov	eax, ds:_CrashdmpDumpBlock
		xor	edx, 1
		add	edx, edx
		push	edx
		push	edi
		mov	ecx, [eax+8]
		push	esi
		mov	eax, [ecx+30h]
		mov	[ebp+var_C], eax
		lea	eax, [ecx+38h]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_IoFreeDumpRange@16 ; IoFreeDumpRange(x,x,x,x)
		test	eax, eax
		js	short loc_60CD02
		test	ebx, ebx
		jz	short loc_60CD02
		mov	ecx, [ebp+var_4]
		mov	[ebx], cl

loc_60CD02:				; CODE XREF: IopRemovePageDumpRange(x,x)+34j
					; IopRemovePageDumpRange(x,x)+53j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopRemovePageDumpRange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopRemovePageFromPageMap(x,	x, x, x, x)
_IopRemovePageFromPageMap@20 proc near	; CODE XREF: IoFreeDumpRange(x,x,x,x)+4Ap
					; IoFreeDumpRange(x,x,x,x)+8Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_10], esi
		push	edi
		test	eax, eax
		jz	loc_60CE4D
		mov	edi, [ebp+arg_0]
		lea	ebx, [eax-1]
		mov	edx, [ecx]
		add	ebx, edi
		mov	[ebp+var_4], ebx
		cmp	edi, edx
		jb	short loc_60CD42
		cmp	[ebp+arg_8], 0
		jnz	loc_60CE4D
		jmp	short loc_60CD4C
; 

loc_60CD42:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+2Dj
		cmp	ebx, edx
		jb	short loc_60CD61
		cmp	[ebp+arg_8], 0
		jnz	short loc_60CD56

loc_60CD4C:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+39j
		mov	eax, 0C0000141h
		jmp	loc_60CE4F
; 

loc_60CD56:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+43j
		lea	ebx, [edx-1]
		mov	eax, ebx
		mov	[ebp+var_4], ebx
		sub	eax, edi
		inc	eax

loc_60CD61:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+3Dj
		test	eax, eax
		jz	loc_60CE4D
		test	esi, esi
		jnz	short loc_60CD7A
		push	eax
		push	edi
		push	ecx
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		jmp	loc_60CE4D
; 

loc_60CD7A:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+64j
					; IopRemovePageFromPageMap(x,x,x,x,x)+140j
		mov	edx, [ecx]
		cmp	edi, edx
		mov	ecx, [ecx+4]
		sbb	esi, esi
		mov	[ebp+arg_4], edx
		and	esi, edi
		mov	dword ptr [ebp+arg_8], ecx
		lea	ebx, [edx-1]

loc_60CD8E:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+119j
		and	[ebp+var_C], 0
		mov	eax, ebx
		sub	eax, esi
		mov	[ebp+arg_0], esi
		inc	eax
		cmp	eax, 1
		jnb	short loc_60CDA4
		or	esi, 0FFFFFFFFh
		jmp	short loc_60CE0E
; 

loc_60CDA4:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+96j
		mov	eax, ebx
		xor	edx, edx
		shr	eax, 5
		inc	edx
		lea	eax, [ecx+eax*4]
		mov	ecx, esi
		mov	[ebp+var_C], eax
		and	ecx, 1Fh
		shl	edx, cl
		mov	eax, esi
		mov	ecx, dword ptr [ebp+arg_8]
		dec	edx
		shr	eax, 5
		lea	esi, [ecx+eax*4]
		mov	eax, [esi]
		not	eax
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_60CDE6
		mov	ecx, [ebp+var_C]

loc_60CDD3:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+DAj
		add	esi, 4
		cmp	esi, ecx
		ja	short loc_60CDFE
		mov	eax, [esi]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_60CDD3
		mov	ecx, dword ptr [ebp+arg_8]

loc_60CDE6:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+C7j
		not	eax
		sub	esi, ecx
		bsf	eax, eax
		sar	esi, 2
		shl	esi, 5
		add	esi, eax
		cmp	esi, ebx
		jbe	short loc_60CE06
		or	esi, 0FFFFFFFFh
		jmp	short loc_60CE0B
; 

loc_60CDFE:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+D1j
		mov	ecx, dword ptr [ebp+arg_8]
		or	esi, 0FFFFFFFFh
		jmp	short loc_60CE0B
; 

loc_60CE06:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+F0j
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_60CE25

loc_60CE0B:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+F5j
					; IopRemovePageFromPageMap(x,x,x,x,x)+FDj
		mov	edx, [ebp+arg_4]

loc_60CE0E:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+9Bj
		cmp	[ebp+arg_0], 0
		jz	short loc_60CE25
		lea	ebx, [edi+1]
		cmp	ebx, edx
		jbe	short loc_60CE1D
		mov	ebx, edx

loc_60CE1D:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+112j
		dec	ebx
		xor	esi, esi
		jmp	loc_60CD8E
; 

loc_60CE25:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+102j
					; IopRemovePageFromPageMap(x,x,x,x,x)+10Bj
		cmp	esi, edi
		jb	short loc_60CE4D
		cmp	esi, 0FFFFFFFFh
		jz	short loc_60CE4D
		push	1
		push	esi
		push	[ebp+var_8]
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	eax, [ebp+var_10]
		lea	edi, [esi+1]
		mov	ecx, [ebp+var_8]
		inc	dword ptr [eax]
		cmp	edi, [ebp+var_4]
		jbe	loc_60CD7A

loc_60CE4D:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+18j
					; IopRemovePageFromPageMap(x,x,x,x,x)+33j ...
		xor	eax, eax

loc_60CE4F:				; CODE XREF: IopRemovePageFromPageMap(x,x,x,x,x)+4Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_IopRemovePageFromPageMap@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSizeTriageDumpDataBlocks(x, x, x, x, x)
_IopSizeTriageDumpDataBlocks@20	proc near
					; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+343p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, edx
		mov	ecx, [ebp+arg_4]
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_8], eax
		and	dword ptr [esi+64h], 0
		mov	[ebp+var_4], esi
		test	eax, eax
		jz	short loc_60CECD
		mov	edx, [ebp+arg_0]

loc_60CE7A:				; CODE XREF: IopSizeTriageDumpDataBlocks(x,x,x,x,x)+6Cj
		mov	eax, [edx+8]
		xor	edi, edi
		mov	[ebp+arg_4], eax
		cmp	[edx], edi
		jbe	short loc_60CEBB

loc_60CE86:				; CODE XREF: IopSizeTriageDumpDataBlocks(x,x,x,x,x)+63j
		mov	eax, [eax+4]
		mov	esi, [ebp+arg_4]
		sub	eax, [esi]
		mov	esi, [ebp+var_4]
		add	eax, 7
		and	eax, 0FFFFFFF8h
		add	eax, 10h
		add	eax, ecx
		cmp	eax, [ebp+arg_8]
		jnb	short loc_60CEC6
		test	edi, edi
		jnz	short loc_60CEA8
		mov	[esi+60h], ecx

loc_60CEA8:				; CODE XREF: IopSizeTriageDumpDataBlocks(x,x,x,x,x)+4Dj
		inc	dword ptr [esi+64h]
		mov	ecx, eax
		mov	eax, [ebp+arg_4]
		inc	edi
		add	eax, 8
		mov	[ebp+arg_4], eax
		cmp	edi, [edx]
		jb	short loc_60CE86

loc_60CEBB:				; CODE XREF: IopSizeTriageDumpDataBlocks(x,x,x,x,x)+2Ej
		inc	ebx
		add	edx, 0Ch
		cmp	ebx, [ebp+var_8]
		jb	short loc_60CE7A
		jmp	short loc_60CECD
; 

loc_60CEC6:				; CODE XREF: IopSizeTriageDumpDataBlocks(x,x,x,x,x)+49j
		or	dword ptr [esi+44h], 100h

loc_60CECD:				; CODE XREF: IopSizeTriageDumpDataBlocks(x,x,x,x,x)+1Fj
					; IopSizeTriageDumpDataBlocks(x,x,x,x,x)+6Ej
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	0Ch
_IopSizeTriageDumpDataBlocks@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopUpdateMinidumpContext(x,	x, x, x, x, x, x, x)
_IopUpdateMinidumpContext@32 proc near	; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+204p
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+466p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, ecx
		xor	ecx, ecx
		mov	[ebp+var_C], edx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ecx
		cmp	[ebp+arg_14], ecx
		jz	short loc_60CF0E
		mov	ebx, [ebp+arg_C]
		push	ebx
		push	ecx
		push	[ebp+arg_14]
		mov	dword ptr [ebx], 10007h
		call	KeContextFromKframes
		jmp	short loc_60CF67
; 

loc_60CF0E:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+21j
		sub	eax, 7Eh
		jz	loc_60D038
		sub	eax, 1
		jz	short loc_60CF70
		sub	eax, 6Bh
		jnz	loc_60D040
		mov	al, [edx+90h]
		mov	[ebp+arg_10], edx
		cmp	al, 2
		jnz	short loc_60CF47
		mov	eax, [edx+148h]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	ebx, [eax+4168h]
		jmp	short loc_60CF67
; 

loc_60CF47:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+5Aj
		mov	ecx, [edx+48h]
		mov	ebx, [ebp+arg_C]
		lea	eax, [ecx+0Ch]
		mov	[ebx+0C4h], eax
		mov	eax, [eax]
		mov	[ebx+0B4h], eax
		mov	eax, [ecx+8]
		mov	[ebx+0B8h], eax

loc_60CF67:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+36j
					; IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+6Fj ...
		mov	byte ptr [ebp+var_4], 1
		jmp	loc_60D043
; 

loc_60CF70:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+44j
		cmp	edx, 8
		jnz	loc_60D040
		mov	ebx, [ebp+arg_C]
		test	edi, edi
		jz	short loc_60CF67
		test	dword ptr [edi+24h], 20000h
		jz	short loc_60CF8F
		movzx	eax, word ptr [edi+50h]
		jmp	short loc_60CFA1
; 

loc_60CF8F:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+B1j
		test	byte ptr [edi+4Ch], 1
		jz	short loc_60CF9E
		movzx	eax, word ptr [edi+50h]
		or	eax, 3
		jmp	short loc_60CFA1
; 

loc_60CF9E:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+BDj
		push	10h
		pop	eax

loc_60CFA1:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+B7j
					; IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+C6j
		mov	[ebx+0C8h], eax
		movzx	eax, word ptr [edi+5Ch]
		mov	[ebx+8Ch], eax
		movzx	eax, word ptr [edi+58h]
		mov	[ebx+90h], eax
		movzx	eax, word ptr [edi+48h]
		mov	[ebx+94h], eax
		movzx	eax, word ptr [edi+54h]
		mov	[ebx+98h], eax
		movzx	eax, word ptr [edi+4Ch]
		mov	[ebx+0BCh], eax
		mov	eax, [edi+38h]
		mov	[ebx+0C4h], eax
		mov	eax, [edi+20h]
		mov	[ebx+0B8h], eax
		mov	eax, [edi+3Ch]
		mov	[ebx+0B4h], eax
		mov	eax, [edi+28h]
		mov	[ebx+0B0h], eax
		mov	eax, [edi+34h]
		mov	[ebx+0A4h], eax
		mov	eax, [edi+2Ch]
		mov	[ebx+0ACh], eax
		mov	eax, [edi+30h]
		mov	[ebx+0A8h], eax
		mov	eax, [edi+44h]
		mov	[ebx+9Ch], eax
		mov	eax, [edi+40h]
		mov	[ebx+0A0h], eax
		mov	eax, [edi+24h]
		mov	[ebx+0C0h], eax
		jmp	loc_60CF67
; 

loc_60D038:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+3Bj
		test	ebx, ebx
		jnz	loc_60CF67

loc_60D040:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+49j
					; IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+9Dj
		mov	ebx, [ebp+arg_C]

loc_60D043:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+95j
		mov	edx, large fs:2330h
		mov	eax, edx
		sub	eax, ds:_KeKernelStackSize
		mov	esi, [ebx+0C4h]
		cmp	eax, esi
		ja	short loc_60D07D
		cmp	esi, edx
		jnb	short loc_60D07D
		sub	edx, esi
		mov	eax, 3FFFh
		cmp	edx, eax
		jb	short loc_60D06D
		mov	edx, eax

loc_60D06D:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+193j
		mov	ecx, esi
		call	_IopGetMaxValidMemorySize@8 ; IopGetMaxValidMemorySize(x,x)
		mov	edx, eax
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock

loc_60D07D:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+184j
					; IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+188j
		cmp	[ebp+var_8], 133h
		jnz	loc_60D113
		mov	eax, [ebp+arg_10]
		mov	ecx, [eax+148h]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		push	2
		mov	[ebp+arg_10], eax
		add	eax, 21E0h
		pop	ecx
		mov	[ebp+arg_C], eax
		mov	[ebp+arg_14], ecx

loc_60D0A9:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+20Cj
		mov	edi, [eax]
		test	edi, edi
		jz	short loc_60D0D6

loc_60D0AF:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+1F8j
		push	20h
		pop	edx
		lea	ecx, [edi-4]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+18h]
		cmp	ecx, 1
		jz	short loc_60D0CA
		push	60h
		pop	edx
		call	IoAddTriageDumpDataBlock

loc_60D0CA:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+1EAj
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_60D0AF
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_14]

loc_60D0D6:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+1D7j
		add	eax, 18h
		sub	ecx, 1
		mov	[ebp+arg_C], eax
		mov	[ebp+arg_14], ecx
		jnz	short loc_60D0A9
		mov	edx, [ebp+arg_10]
		mov	edi, [ebp+arg_0]
		mov	ecx, [edx+4060h]
		test	ecx, ecx
		jz	short loc_60D113
		mov	edx, [edx+4064h]
		cmp	ecx, edx
		jz	short loc_60D113
		mov	eax, ds:dword_7050A0
		sub	edx, ecx
		shl	eax, 2
		cmp	edx, eax
		jbe	short loc_60D10E
		mov	edx, eax

loc_60D10E:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+234j
		call	IoAddTriageDumpDataBlock

loc_60D113:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+1AEj
					; IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+21Cj ...
		mov	esi, ds:_PopThermal
		jmp	short loc_60D129
; 

loc_60D11B:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+259j
		mov	edx, 3A0h
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	esi, [esi]

loc_60D129:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+243j
		cmp	esi, offset _PopThermal
		jnz	short loc_60D11B
		push	[ebp+arg_8]
		mov	edx, [ebp+var_C]
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_8]
		push	edi
		call	_IopAddBugcheckTriageDataFromParameters@20 ; IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)
		cmp	byte ptr [ebp+var_4], 0
		jz	short loc_60D16B
		mov	eax, ds:_CrashdmpDumpBlock
		test	eax, eax
		jz	short loc_60D16B
		or	dword ptr [eax+10h], 10000000h
		mov	ecx, 0B3h
		mov	edi, ds:_CrashdmpDumpBlock
		mov	esi, ebx
		add	edi, 24h
		rep movsd

loc_60D16B:				; CODE XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+271j
					; IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+27Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_IopUpdateMinidumpContext@32 endp


;  S U B	R O U T	I N E 


IopValidateSectionSize proc near	; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+1F5p
					; KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+237p	...
		mov	eax, [edx]
		push	esi
		mov	esi, ecx
		push	edi
		add	eax, esi
		mov	edi, 1FFFCh
		cmp	eax, edi
		jnb	short loc_60D187
		mov	al, 1
		jmp	short loc_60D195
; 

loc_60D187:				; CODE XREF: IopValidateSectionSize+Fj
		mov	ecx, edi
		sub	ecx, esi
		cmp	esi, edi
		sbb	eax, eax
		and	eax, ecx
		mov	[edx], eax
		xor	al, al

loc_60D195:				; CODE XREF: IopValidateSectionSize+13j
		pop	edi
		pop	esi
		retn
IopValidateSectionSize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopWriteCapsuleTriageDumpToFirmware(x, x, x, x, x, x, x, x)
_IopWriteCapsuleTriageDumpToFirmware@32	proc near
					; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+67p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		and	[ebp+var_30], 0
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	[ebp+var_18], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_28], eax
		mov	eax, ds:_CapsuleTriageDumpBlock
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ecx
		push	esi
		push	edi
		test	eax, eax
		jnz	short loc_60D1DB
		xor	al, al
		jmp	loc_60D2D6
; 

loc_60D1DB:				; CODE XREF: IopWriteCapsuleTriageDumpToFirmware(x,x,x,x,x,x,x,x)+3Aj
		add	eax, 201Ch
		mov	[ebp+var_2C], eax
		call	_VfDisableHalVerifier@0	; VfDisableHalVerifier()
		push	[ebp+var_28]
		mov	esi, [ebp+arg_8]
		push	[ebp+var_18]
		mov	edi, [ebp+arg_4]
		push	[ebp+var_1C]
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_24]
		push	esi
		push	edi
		mov	[ebp+var_14], ebx
		mov	ebx, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], esi
		call	_IopUpdateMinidumpContext@32 ; IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_1C]
		lea	edx, [ebp+var_14]
		call	_MmSnapTriageDumpInformation@16	; MmSnapTriageDumpInformation(x,x,x,x)
		push	[ebp+var_18]
		push	esi
		mov	esi, [ebp+var_2C]
		push	edi
		push	ebx
		push	[ebp+var_20]
		lea	ebx, [esi-1000h]
		push	[ebp+var_24]
		mov	ecx, ebx
		push	4
		pop	edx
		call	_IoFillDumpHeader@32 ; IoFillDumpHeader(x,x,x,x,x,x,x,x)
		mov	eax, ds:_IopNumTriageDumpDataBlocks
		mov	edx, esi	; void *
		mov	[ebp+var_3C], eax
		mov	ecx, 1F000h	; int
		lea	eax, [ebp+var_30]
		mov	[ebp+var_38], 100h
		push	eax		; int
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_34], offset _IopTriageDumpDataBlocks
		push	eax		; int
		push	eax		; int
		push	1		; int
		push	41h		; int
		push	ds:_CmNtCSDVersion ; int
		push	[ebp+var_18]	; int
		push	[ebp+var_1C]	; int
		push	0		; int
		push	0DFFh		; int
		push	1		; char
		call	_IoFillTriageDumpBuffer@52 ; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		lea	edi, [ebx+3Ch]
		push	8
		xor	eax, eax
		pop	ecx
		rep stosd
		xor	ecx, ecx
		mov	[ebx+0F90h], ecx
		mov	eax, [esi+4]
		or	dword ptr [ebx+8A0h], 88h
		mov	[ebx+0FA0h], eax
		mov	[ebx+0FA4h], ecx
		mov	dword ptr [ebx+0F8Ch], 0DFFh
		test	edx, edx
		js	short loc_60D2D4
		mov	ecx, ds:_CapsuleTriageDumpBlock
		call	_IopWriteTriageDumpToFirmware@4	; IopWriteTriageDumpToFirmware(x)
		test	eax, eax
		js	short loc_60D2D2
		mov	cl, 1
		jmp	short loc_60D2D4
; 

loc_60D2D2:				; CODE XREF: IopWriteCapsuleTriageDumpToFirmware(x,x,x,x,x,x,x,x)+134j
		xor	ecx, ecx

loc_60D2D4:				; CODE XREF: IopWriteCapsuleTriageDumpToFirmware(x,x,x,x,x,x,x,x)+125j
					; IopWriteCapsuleTriageDumpToFirmware(x,x,x,x,x,x,x,x)+138j
		mov	al, cl

loc_60D2D6:				; CODE XREF: IopWriteCapsuleTriageDumpToFirmware(x,x,x,x,x,x,x,x)+3Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_IopWriteCapsuleTriageDumpToFirmware@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopWriteDriverList(x, x, x,	x)
_IopWriteDriverList@16 proc near	; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+2E9p
					; KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+420p

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ds:_PsLoadedModuleList
		push	esi
		mov	esi, [ebp+arg_4]
		add	esi, ecx
		mov	[ebp+var_1], dl
		mov	[ebp+var_8], ecx
		mov	[ebp+arg_4], esi
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	ebx, offset _PsLoadedModuleList
		jz	loc_60D3B2
		lea	eax, [edi+48h]
		add	eax, ecx
		mov	[ebp+arg_0], eax

loc_60D31C:				; CODE XREF: IopWriteDriverList(x,x,x,x)+BFj
		cmp	dl, 1
		jnz	short loc_60D33F
		push	5Ch
		pop	edx
		mov	ecx, ebx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_60D3AB
		movzx	edx, word ptr [ebx+2Ch]
		mov	ecx, [ebx+30h]
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_60D3AB

loc_60D33F:				; CODE XREF: IopWriteDriverList(x,x,x,x)+38j
		movzx	eax, word ptr [ebx+2Ch]
		shr	eax, 1
		mov	[esi], eax
		add	eax, eax
		push	eax		; size_t
		push	dword ptr [ebx+30h] ; void *
		lea	eax, [esi+4]
		push	eax		; void *
		call	_memcpy
		mov	eax, [esi]
		add	esp, 0Ch
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		mov	[esi+eax*2+4], cx
		mov	esi, ebx
		push	12h
		lea	edi, [edx-44h]
		pop	ecx
		rep movsd
		mov	eax, [ebx+58h]
		mov	esi, [ebp+arg_4]
		mov	[edx], eax
		mov	eax, [ebx+54h]
		mov	[edx-24h], eax
		mov	eax, esi
		sub	eax, [ebp+var_8]
		mov	[edx-48h], eax
		add	edx, 4Ch
		mov	eax, [esi]
		mov	ebx, [ebx]
		mov	[ebp+arg_0], edx
		lea	esi, [esi+eax*2]
		add	esi, 0Dh
		and	esi, 0FFFFFFF8h
		mov	[ebp+arg_4], esi
		cmp	ebx, offset _PsLoadedModuleList
		jz	short loc_60D3B2
		mov	dl, [ebp+var_1]
		jmp	loc_60D31C
; 

loc_60D3AB:				; CODE XREF: IopWriteDriverList(x,x,x,x)+46j
					; IopWriteDriverList(x,x,x,x)+56j
		mov	eax, 0C0000001h
		jmp	short loc_60D3B4
; 

loc_60D3B2:				; CODE XREF: IopWriteDriverList(x,x,x,x)+27j
					; IopWriteDriverList(x,x,x,x)+BAj
		xor	eax, eax

loc_60D3B4:				; CODE XREF: IopWriteDriverList(x,x,x,x)+C9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_IopWriteDriverList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopWriteTriageDumpToFirmware(x)
_IopWriteTriageDumpToFirmware@4	proc near
					; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+55Bp
					; IopWriteCapsuleTriageDumpToFirmware(x,x,x,x,x,x,x,x)+12Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jnz	short loc_60D3D7
		mov	eax, 0C00000A3h
		jmp	loc_60D489
; 

loc_60D3D7:				; CODE XREF: IopWriteTriageDumpToFirmware(x)+10j
		push	esi
		lea	eax, [ebx+1000h]
		mov	esi, offset _CrashdmpGuid
		mov	[ebp+var_4], eax
		xor	ecx, ecx
		mov	dword ptr [eax+10h], 1Ch
		push	edi
		mov	edi, [ebp+var_4]
		mov	[ebp+var_8], ecx
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebp+var_4]
		mov	edi, 2001Ch
		mov	esi, ebx
		mov	dword ptr [eax+14h], 70000h
		mov	eax, [ebp+var_4]
		mov	[eax+18h], edi
		mov	ebx, [ebp+var_4]

loc_60D414:				; CODE XREF: IopWriteTriageDumpToFirmware(x)+9Bj
		test	ecx, ecx
		ja	short loc_60D426
		jb	short loc_60D422
		cmp	edi, 1000h
		jnb	short loc_60D426

loc_60D422:				; CODE XREF: IopWriteTriageDumpToFirmware(x)+5Dj
		mov	eax, edi
		jmp	short loc_60D42D
; 

loc_60D426:				; CODE XREF: IopWriteTriageDumpToFirmware(x)+5Bj
					; IopWriteTriageDumpToFirmware(x)+65j ...
		mov	eax, 1000h
		xor	ecx, ecx

loc_60D42D:				; CODE XREF: IopWriteTriageDumpToFirmware(x)+69j
		push	ebx
		mov	[esi], eax
		mov	[esi+4], ecx
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		add	ebx, [esi]
		sub	edi, [esi]
		mov	ecx, [ebp+var_8]
		sbb	ecx, [esi+4]
		mov	[esi+8], eax
		mov	[esi+0Ch], edx
		add	esi, 10h
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		ja	short loc_60D426
		jb	short loc_60D458
		test	edi, edi
		jnz	short loc_60D414

loc_60D458:				; CODE XREF: IopWriteTriageDumpToFirmware(x)+97j
		mov	ebx, [ebp+var_C]
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		and	dword ptr [esi+8], 0
		and	dword ptr [esi+0Ch], 0
		push	ebx
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	edi, eax
		mov	esi, edx
		call	_KiScanBugCheckCallbackList@0 ;	KiScanBugCheckCallbackList()
		push	esi
		push	edi
		push	1
		lea	eax, [ebp+var_4]
		push	eax
		call	ds:off_6B136C	; ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
		pop	edi
		pop	esi

loc_60D489:				; CODE XREF: IopWriteTriageDumpToFirmware(x)+17j
		pop	ebx
		leave
		retn
_IopWriteTriageDumpToFirmware@4	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1109. KeCapturePersistentThreadState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KeCapturePersistentThreadState(int,size_t,int,int,int,int,int,size_t)
		public _KeCapturePersistentThreadState@32
_KeCapturePersistentThreadState@32 proc	near
					; CODE XREF: DbgkpWerCaptureLiveTriageDump(x)+8Fp
					; LkmdTelCreateReport(x,x,x,x,x,x)+121p

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_1C]
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		test	ebx, ebx
		jz	loc_60D9B2
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jnz	short loc_60D4C0
		mov	esi, large fs:124h
		mov	[ebp+arg_4], esi

loc_60D4C0:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+23j
		cmp	ds:_ForceDumpDisabled, 0
		jnz	loc_60D9B2
		lea	ecx, [ebp+var_14]
		call	SecureDump_GetSecureDumpSettings
		test	eax, eax
		js	loc_60D9B2
		cmp	byte ptr [ebp+var_14], 0
		jnz	loc_60D9B2
		push	20000h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	edi, 45474150h
		push	edi
		push	1000h
		push	ebx
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		mov	[ebx], edi
		mov	dword ptr [ebx+4], 504D5544h
		movzx	eax, word ptr ds:_NtBuildNumber
		mov	[ebx+0Ch], eax
		mov	eax, ds:_NtBuildNumber
		shr	eax, 1Ch
		mov	[ebx+8], eax
		mov	eax, [esi+80h]
		push	0FFFFh
		mov	eax, [eax+18h]
		mov	[ebx+10h], eax
		mov	eax, ds:_MmPfnDatabase
		mov	[ebx+14h], eax
		mov	dword ptr [ebx+18h], offset _PsLoadedModuleList
		mov	dword ptr [ebx+1Ch], offset _PsActiveProcessHead
		mov	dword ptr [ebx+20h], 14Ch
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	esi, [ebp+arg_0]
		xor	edi, edi
		mov	[ebx+24h], eax
		mov	eax, [ebp+arg_8]
		mov	[ebx+28h], eax
		mov	eax, [ebp+arg_C]
		mov	[ebx+2Ch], eax
		mov	eax, [ebp+arg_10]
		mov	[ebx+30h], eax
		mov	eax, [ebp+arg_14]
		mov	[ebx+34h], eax
		mov	eax, [ebp+arg_18]
		mov	[ebx+38h], eax
		mov	byte ptr [ebx+5Ch], 1
		mov	dword ptr [ebx+7D0h], 80000003h
		mov	[ebx+7D8h], edi
		mov	[ebx+7E0h], edi
		mov	dword ptr [ebx+7D4h], 1
		mov	eax, [esi+0B8h]
		mov	[ebx+7DCh], eax
		mov	dword ptr [ebx+0FA0h], 20000h
		mov	[ebx+0FA4h], edi
		mov	eax, ds:0FFDF0014h
		mov	[ebx+0FC0h], eax
		mov	eax, ds:0FFDF0018h
		mov	[ebx+0FC4h], eax
		mov	eax, ds:0FFDF0008h
		mov	[ebx+0FB8h], eax
		mov	eax, ds:0FFDF000Ch
		mov	[ebx+0FBCh], eax
		lea	eax, [ebx+0F94h]
		push	eax
		mov	dword ptr [ebx+0F88h], 4
		mov	dword ptr [ebx+0F8Ch], 82h
		mov	dword ptr [ebx+8A0h], 18h
		call	_RtlGetNtProductType@4 ; RtlGetNtProductType(x)
		mov	eax, ds:0FFDF02D0h
		lea	edx, [ebp+arg_1C]
		mov	[ebx+0F98h], eax
		mov	ecx, 0B3h
		mov	eax, ds:0FFDF02C4h
		mov	[ebx+8A4h], eax
		mov	[ebx+1044h], edi
		mov	eax, ds:_CmNtCSDVersion
		mov	[ebx+1040h], edi
		lea	edi, [ebx+320h]
		mov	[ebx+1000h], eax
		mov	dword ptr [ebx+1004h], 20000h
		mov	dword ptr [ebx+1010h], 7D0h
		or	dword ptr [ebx+0F8Ch], 1
		mov	dword ptr [ebx+100Ch], 320h
		rep movsd
		mov	esi, 380h
		mov	[ebp+arg_1C], esi
		mov	edi, 1068h
		mov	ecx, edi
		call	IopValidateSectionSize
		test	al, al
		jz	short loc_60D6BC
		or	dword ptr [ebx+0F8Ch], 400h
		lea	ecx, [ebx+1068h]
		mov	dword ptr [ebx+60h], offset _KdDebuggerDataBlock
		mov	[ebx+1058h], edi
		mov	[ebx+105Ch], esi
		call	_KdCopyDataBlock@4 ; KdCopyDataBlock(x)
		mov	edi, 13E8h

loc_60D6BC:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+1FCj
		lea	edx, [ebp+arg_1C]
		mov	[ebp+arg_1C], 5F00h
		mov	ecx, edi
		call	IopValidateSectionSize
		test	al, al
		jz	short loc_60D6F7
		mov	eax, large fs:20h
		push	[ebp+arg_1C]	; size_t
		or	dword ptr [ebx+0F8Ch], 4
		push	eax		; void *
		lea	eax, [edi+ebx]
		mov	[ebx+101Ch], edi
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, [ebp+arg_1C]

loc_60D6F7:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+23Ej
		lea	esi, [edi+7]
		mov	[ebp+arg_1C], 500h
		and	esi, 0FFFFFFF8h
		lea	edx, [ebp+arg_1C]
		mov	ecx, esi
		call	IopValidateSectionSize
		test	al, al
		jz	short loc_60D73E
		or	dword ptr [ebx+0F8Ch], 8
		mov	edi, esi
		mov	esi, [ebp+arg_4]
		push	[ebp+arg_1C]	; size_t
		mov	[ebx+1020h], edi
		lea	eax, [edi+ebx]
		push	dword ptr [esi+80h] ; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, [ebp+arg_1C]
		jmp	short loc_60D741
; 

loc_60D73E:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+27Fj
		mov	esi, [ebp+arg_4]

loc_60D741:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+2ABj
		lea	eax, [edi+7]
		mov	[ebp+arg_1C], 4E0h
		and	eax, 0FFFFFFF8h
		lea	edx, [ebp+arg_1C]
		mov	ecx, eax
		mov	[ebp+arg_4], eax
		call	IopValidateSectionSize
		test	al, al
		jz	short loc_60D782
		mov	edi, [ebp+arg_4]
		push	[ebp+arg_1C]	; size_t
		or	dword ptr [ebx+0F8Ch], 10h
		push	esi		; void *
		lea	eax, [edi+ebx]
		mov	[ebx+1024h], edi
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, [ebp+arg_1C]

loc_60D782:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+2CCj
		test	dword ptr [esi+5Ch], 20000h
		jz	loc_60D818
		mov	eax, [ebp+arg_0]
		mov	ecx, [esi+24h]
		mov	edx, [esi+28h]
		mov	eax, [eax+0C4h]
		mov	[ebp+arg_4], eax
		cmp	ecx, eax
		ja	short loc_60D7A9
		cmp	eax, edx
		jb	short loc_60D7B2

loc_60D7A9:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+312j
		mov	eax, ecx
		mov	[ebp+arg_4], eax
		cmp	edx, ecx
		jbe	short loc_60D7B6

loc_60D7B2:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+316j
		sub	edx, eax
		jmp	short loc_60D7B8
; 

loc_60D7B6:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+31Fj
		xor	edx, edx

loc_60D7B8:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+323j
		mov	ecx, 3FFFh
		cmp	edx, ecx
		jb	short loc_60D7C3
		mov	edx, ecx

loc_60D7C3:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+32Ej
		mov	ecx, eax
		call	IopGetMaxValidSectionSize
		mov	[ebp+arg_1C], eax
		test	eax, eax
		jz	short loc_60D818
		lea	edx, [ebp+arg_1C]
		mov	ecx, edi
		call	IopValidateSectionSize
		test	al, al
		jnz	short loc_60D7E9
		or	dword ptr [ebx+1044h], 100h

loc_60D7E9:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+34Cj
		or	dword ptr [ebx+0F8Ch], 20h
		mov	esi, [ebp+arg_1C]
		mov	eax, [ebp+arg_4]
		push	esi		; size_t
		push	eax		; void *
		mov	[ebx+1048h], eax
		lea	eax, [edi+ebx]
		push	eax		; void *
		mov	[ebx+1028h], edi
		mov	[ebx+102Ch], esi
		call	_memcpy
		add	esp, 0Ch
		add	edi, esi

loc_60D818:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+2F8j
					; KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+33Ej
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_60D900
		mov	eax, large fs:124h
		lea	esi, [edi+7]
		and	[ebp+var_4], 0
		and	esi, 0FFFFFFF8h
		and	[ebp+var_8], 0
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceSharedLite
		lea	eax, [ebp+var_8]
		xor	cl, cl
		push	eax
		lea	edx, [ebp+var_4]
		call	_IoGetLoadedDriverInfo@12 ; IoGetLoadedDriverInfo(x,x,x)
		test	eax, eax
		js	loc_60D8F1
		imul	eax, [ebp+var_4], 4Ch
		add	eax, 7
		and	eax, 0FFFFFFF8h
		mov	[ebp+arg_1C], eax
		jz	short loc_60D8E7
		lea	edx, [ebp+arg_1C]
		mov	ecx, esi
		call	IopValidateSectionSize
		test	al, al
		jz	short loc_60D8E7
		mov	eax, [ebp+arg_1C]
		imul	ecx, [ebp+var_4], 6
		add	eax, esi
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_8]
		add	eax, 7
		add	eax, ecx
		and	eax, 0FFFFFFF8h
		mov	[ebp+arg_1C], eax
		jz	short loc_60D8E7
		mov	ecx, [ebp+arg_4]
		call	IopValidateSectionSize
		test	al, al
		jz	short loc_60D8E7
		push	[ebp+arg_4]
		xor	dl, dl
		mov	ecx, ebx
		push	esi
		call	_IopWriteDriverList@16 ; IopWriteDriverList(x,x,x,x)
		test	eax, eax
		js	short loc_60D8F1
		or	dword ptr [ebx+0F8Ch], 40h
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_4]
		mov	[ebx+1034h], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebx+1030h], esi
		mov	[ebx+1038h], ecx
		mov	[ebx+103Ch], eax
		lea	edi, [ecx+eax]
		jmp	short loc_60D8F1
; 

loc_60D8E7:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+3E0j
					; KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+3EEj	...
		or	dword ptr [ebx+1044h], 100h

loc_60D8F1:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+3CDj
					; KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+427j	...
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_60D900:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+38Fj
		add	edi, 7
		mov	[ebp+arg_1C], 1010h
		and	edi, 0FFFFFFF8h
		lea	edx, [ebp+arg_1C]
		mov	ecx, edi
		call	IopValidateSectionSize
		mov	eax, [ebp+arg_1C]
		cmp	eax, 10h
		jbe	short loc_60D997
		mov	esi, [ebp+arg_0]
		add	eax, 0FFFFFFF0h
		mov	edx, eax
		mov	[ebp+arg_4], eax
		shr	edx, 1
		mov	ecx, [esi+0B8h]
		call	IopGetMaxValidSectionSizeDown
		test	eax, eax
		jz	short loc_60D997
		mov	esi, [esi+0B8h]
		mov	edx, [ebp+arg_4]
		sub	esi, eax
		inc	esi
		mov	ecx, esi
		call	IopGetMaxValidSectionSize
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	short loc_60D997
		or	dword ptr [ebx+0F8Ch], 800h
		lea	ecx, [edi+17h]
		mov	[ebx+1060h], edi
		mov	eax, esi
		mov	dword ptr [ebx+1064h], 1
		and	ecx, 0FFFFFFF8h
		cdq
		mov	[edi+ebx], eax
		mov	eax, [ebp+arg_4]
		push	eax		; size_t
		mov	[edi+ebx+8], ecx
		add	ecx, ebx
		push	esi		; void *
		push	ecx		; void *
		mov	[edi+ebx+4], edx
		mov	[edi+ebx+0Ch], eax
		call	_memcpy
		add	esp, 0Ch

loc_60D997:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+48Cj
					; KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+4A8j	...
		mov	dword ptr [ebx+1008h], 1FFFCh
		mov	eax, 20000h
		mov	dword ptr [ebx+1FFFCh],	44475254h
		jmp	short loc_60D9B4
; 

loc_60D9B2:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+18j
					; KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+36j ...
		xor	eax, eax

loc_60D9B4:				; CODE XREF: KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)+51Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
_KeCapturePersistentThreadState@32 endp

; 
		align 10h
; Exported entry 1165. KeInitializeCrashDumpHeader

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeCrashDumpHeader(x, x, x, x, x)
		public _KeInitializeCrashDumpHeader@20
_KeInitializeCrashDumpHeader@20	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_10]
		mov	ecx, 1000h
		test	eax, eax
		jz	short loc_60D9D3
		mov	[eax], ecx

loc_60D9D3:				; CODE XREF: KeInitializeCrashDumpHeader(x,x,x,x,x)+Fj
		xor	edx, edx
		inc	edx
		cmp	[ebp+arg_0], edx
		jz	short loc_60D9E2
		mov	eax, 0C00000EFh
		jmp	short loc_60DA13
; 

loc_60D9E2:				; CODE XREF: KeInitializeCrashDumpHeader(x,x,x,x,x)+19j
		cmp	[ebp+arg_4], 0
		jz	short loc_60D9EF
		mov	eax, 0C00000F0h
		jmp	short loc_60DA13
; 

loc_60D9EF:				; CODE XREF: KeInitializeCrashDumpHeader(x,x,x,x,x)+26j
		cmp	[ebp+arg_C], ecx
		jnb	short loc_60D9FB
		mov	eax, 0C00000F2h
		jmp	short loc_60DA13
; 

loc_60D9FB:				; CODE XREF: KeInitializeCrashDumpHeader(x,x,x,x,x)+32j
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_8]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	_IoFillDumpHeader@32 ; IoFillDumpHeader(x,x,x,x,x,x,x,x)
		xor	eax, eax

loc_60DA13:				; CODE XREF: KeInitializeCrashDumpHeader(x,x,x,x,x)+20j
					; KeInitializeCrashDumpHeader(x,x,x,x,x)+2Dj ...
		pop	ebp
		retn	14h
_KeInitializeCrashDumpHeader@20	endp


;  S U B	R O U T	I N E 


sub_60DA17	proc near		; CODE XREF: NtRemoveIoCompletionEx+F91E6p
		cmp	ds:_ViVerifierEnabled, 0
		jz	short loc_60DA54
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_60DA35
		test	byte ptr ds:dword_6FDE00, 6
		jz	short loc_60DA54

loc_60DA35:				; CODE XREF: sub_60DA17+13j
		mov	eax, ds:_MmVerifierData
		and	eax, 10h
		or	eax, 40h
		shr	eax, 1
		push	eax
		push	20206F49h
		push	edx
		push	200h
		call	ExAllocatePoolWithTagPriority
		retn
; 

loc_60DA54:				; CODE XREF: sub_60DA17+7j
					; sub_60DA17+1Cj
		push	20206F49h
		push	edx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
sub_60DA17	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 810. IoDecrementKeepAliveCount

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoDecrementKeepAliveCount(x, x)
		public _IoDecrementKeepAliveCount@8
_IoDecrementKeepAliveCount@8 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	eax
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	_IopAdjustFileObjectKeepAliveCount@20 ;	IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_60DB51
		cmp	[ebp+var_4], 0
		jnz	loc_60DB51
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_6CCF98
		mov	byte ptr [ebp+arg_4+3],	al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edi, [ebp+var_8]
		lea	esi, [edi+18h]
		push	esi
		call	KeQuerySystemTime
		add	dword ptr [esi], 2FAF080h
		adc	dword ptr [esi+4], 0
		dec	dword ptr [edi+10h]
		cmp	byte ptr [edi+8], 0
		jnz	short loc_60DB18
		mov	eax, ds:dword_6CCF94
		mov	ecx, offset dword_6CCF90
		cmp	[eax], ecx
		jz	short loc_60DAE9
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_60DAE9:				; CODE XREF: IoDecrementKeepAliveCount(x,x)+78j
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	ds:dword_6CCF94, edi
		mov	byte ptr [edi+8], 1
		cmp	ds:byte_6CCFB0,	0
		jnz	short loc_60DB29
		push	1
		push	offset _IopKeepAliveTracker
		mov	ds:byte_6CCFB0,	1
		call	ExQueueWorkItem
		jmp	short loc_60DB29
; 

loc_60DB18:				; CODE XREF: IoDecrementKeepAliveCount(x,x)+6Aj
		mov	eax, ds:dword_6CCFB4
		test	eax, eax
		jz	short loc_60DB29
		push	0
		push	eax
		call	_KeAlertThread@8 ; KeAlertThread(x,x)

loc_60DB29:				; CODE XREF: IoDecrementKeepAliveCount(x,x)+97j
					; IoDecrementKeepAliveCount(x,x)+ACj ...
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_6CCF98
		pop	edi
		pop	esi
		jz	short loc_60DB43
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_60DB48
; 

loc_60DB43:				; CODE XREF: IoDecrementKeepAliveCount(x,x)+CDj
		xor	eax, eax
		lock and [ecx],	eax

loc_60DB48:				; CODE XREF: IoDecrementKeepAliveCount(x,x)+D7j
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_60DB51:				; CODE XREF: IoDecrementKeepAliveCount(x,x)+28j
					; IoDecrementKeepAliveCount(x,x)+32j
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_IoDecrementKeepAliveCount@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 889. IoIncrementKeepAliveCount

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoIncrementKeepAliveCount(x, x)
		public _IoIncrementKeepAliveCount@8
_IoIncrementKeepAliveCount@8 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		call	_IopAdjustFileObjectKeepAliveCount@20 ;	IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_60DC50
		cmp	[ebp+var_8], 1
		jnz	loc_60DC50
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jz	short loc_60DBC8
		mov	ecx, [ebp+arg_4]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_4]
		xor	edx, edx
		mov	ecx, [ebp+arg_4]
		inc	edx
		movzx	eax, byte ptr [eax+0Ah]
		push	eax
		push	[ebp+arg_0]
		call	_PspAdjustKeepAliveCountProcess@16 ; PspAdjustKeepAliveCountProcess(x,x,x,x)
		jmp	loc_60DC50
; 

loc_60DBC8:				; CODE XREF: IoIncrementKeepAliveCount(x,x)+41j
		push	ebx
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset dword_6CCF98
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+var_4]
		inc	dword ptr [ecx+10h]
		cmp	byte ptr [ecx+8], 0
		jnz	short loc_60DC2C
		mov	eax, ds:dword_6CCF90
		mov	edx, offset dword_6CCF90
		cmp	[eax+4], edx
		jz	short loc_60DBFE
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_60DBFE:				; CODE XREF: IoIncrementKeepAliveCount(x,x)+9Aj
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[eax+4], ecx
		mov	ds:dword_6CCF90, ecx
		mov	byte ptr [ecx+8], 1
		cmp	ds:byte_6CCFB0,	0
		jnz	short loc_60DC2C
		push	1
		push	offset _IopKeepAliveTracker
		mov	ds:byte_6CCFB0,	1
		call	ExQueueWorkItem

loc_60DC2C:				; CODE XREF: IoIncrementKeepAliveCount(x,x)+8Bj
					; IoIncrementKeepAliveCount(x,x)+BAj
		test	ds:byte_70EFC6,	1
		jz	short loc_60DC41
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_60DC46
; 

loc_60DC41:				; CODE XREF: IoIncrementKeepAliveCount(x,x)+D6j
		xor	eax, eax
		lock and [edi],	eax

loc_60DC46:				; CODE XREF: IoIncrementKeepAliveCount(x,x)+E2j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	ebx

loc_60DC50:				; CODE XREF: IoIncrementKeepAliveCount(x,x)+29j
					; IoIncrementKeepAliveCount(x,x)+33j ...
		mov	eax, esi
		pop	esi
		leave
		retn	8
_IoIncrementKeepAliveCount@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 927. IoQueueWorkItemToNode

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoQueueWorkItemToNode(x, x,	x, x, x)
		public _IoQueueWorkItemToNode@20
_IoQueueWorkItemToNode@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		push	[ebp+arg_C]
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	IopQueueWorkItemProlog
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_8]
		mov	ecx, eax
		call	_ExQueueWorkItemExFromIo@12 ; ExQueueWorkItemExFromIo(x,x,x)
		mov	bl, al
		test	bl, bl
		jnz	short loc_60DC8E
		mov	ecx, [esi+14h]
		call	ObfDereferenceObject

loc_60DC8E:				; CODE XREF: IoQueueWorkItemToNode(x,x,x,x,x)+28j
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	14h
_IoQueueWorkItemToNode@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRevokeHandlesForProcess(x, x)
_IoRevokeHandlesForProcess@8 proc near	; CODE XREF: PAGE:007AA178p

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_88		= dword	ptr -88h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		mov	ecx, esi
		call	_PsIsProcessAppContainer@4 ; PsIsProcessAppContainer(x)
		test	al, al
		jnz	short loc_60DCBD
		xor	eax, eax
		jmp	loc_60DDDC
; 

loc_60DCBD:				; CODE XREF: IoRevokeHandlesForProcess(x,x)+1Ej
		mov	ecx, esi
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		mov	[esp+0C0h+var_AC], eax
		test	eax, eax
		jnz	short loc_60DCD6
		mov	eax, 0C000000Dh
		jmp	loc_60DDDC
; 

loc_60DCD6:				; CODE XREF: IoRevokeHandlesForProcess(x,x)+34j
		mov	ebx, 90h
		lea	eax, [esp+0C0h+var_90]
		push	ebx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		mov	[esp+0CCh+var_A0], edi
		add	esp, 0Ch
		mov	[esp+0C0h+var_A4], eax
		mov	[esp+0C0h+var_98], eax
		lea	edi, [esp+0C0h+var_2C]
		mov	[esp+0C0h+var_94], eax
		xor	ecx, ecx
		mov	word ptr [esp+0C0h+var_90+2], bx
		inc	ecx
		push	8
		pop	eax
		mov	word ptr [esp+0C0h+var_90], ax
		xor	eax, eax
		mov	[esp+0C0h+var_80], ecx
		stosd
		push	14h
		mov	[esp+0C4h+var_A8], 18h
		mov	[esp+0C4h+var_9C], 240h
		stosd
		stosd
		stosd
		stosd
		pop	eax
		mov	word ptr [esp+0C0h+var_2C], ax
		mov	[esp+0C0h+var_1C], ecx
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		lea	ecx, [esp+0C0h+var_B4]
		mov	[esp+0C0h+var_1C], eax
		push	ecx
		push	eax
		lea	eax, [esp+0C8h+var_90]
		xor	edi, edi
		push	eax
		push	edi
		push	edi
		push	edi
		push	ds:_IoFileObjectType
		lea	eax, [esp+0DCh+var_A8]
		push	eax
		call	ObOpenObjectByNameEx
		cmp	[esp+0C0h+var_80], 0BEAA0251h
		mov	ebx, eax
		jnz	short loc_60DDD3
		mov	ebx, [esp+0C0h+var_88]
		test	ebx, ebx
		js	short loc_60DDD3
		mov	eax, [esp+0C0h+var_7C]
		push	edi
		mov	[esp+0C4h+var_B4], eax
		lea	eax, [esp+0C4h+var_B4]
		push	eax
		push	offset _IopCheckHandleForRevocation@16 ; IopCheckHandleForRevocation(x,x,x,x)
		push	[esp+0CCh+var_AC]
		mov	[esp+0D0h+var_B0], esi
		call	ExEnumHandleTable
		mov	ecx, [esp+0C0h+var_B4]
		call	IopGetDevicePDO
		mov	edi, eax
		test	edi, edi
		jz	short loc_60DDC5
		mov	edx, esi
		mov	ecx, edi
		call	_PnpDisableUserModeNotifications@8 ; PnpDisableUserModeNotifications(x,x)
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_60DDC5:				; CODE XREF: IoRevokeHandlesForProcess(x,x)+118j
		mov	ecx, [esp+0C0h+var_B4]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag

loc_60DDD3:				; CODE XREF: IoRevokeHandlesForProcess(x,x)+E1j
					; IoRevokeHandlesForProcess(x,x)+E9j
		mov	ecx, esi
		call	_ObDereferenceProcessHandleTable@4 ; ObDereferenceProcessHandleTable(x)
		mov	eax, ebx

loc_60DDDC:				; CODE XREF: IoRevokeHandlesForProcess(x,x)+22j
					; IoRevokeHandlesForProcess(x,x)+3Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_IoRevokeHandlesForProcess@8 endp

; 
		align 8
; Exported entry 1023. IoTryQueueWorkItem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoTryQueueWorkItem(x, x, x,	x)
		public _IoTryQueueWorkItem@16
_IoTryQueueWorkItem@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		push	[ebp+arg_C]
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	IopQueueWorkItemProlog
		mov	ecx, ds:_PspSystemPartition
		mov	edx, eax
		push	1
		push	[ebp+arg_8]
		mov	ecx, [ecx+8]
		call	ExpTryQueueWorkItem
		mov	bl, al
		test	bl, bl
		jnz	short loc_60DE32
		mov	ecx, [esi+14h]
		call	ObfDereferenceObject
		mov	ecx, [esi+1Ch]
		test	ecx, ecx
		jz	short loc_60DE32
		call	ObfDereferenceObject
		and	dword ptr [esi+1Ch], 0

loc_60DE32:				; CODE XREF: IoTryQueueWorkItem(x,x,x,x)+30j
					; IoTryQueueWorkItem(x,x,x,x)+3Fj
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	10h
_IoTryQueueWorkItem@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAdjustFileObjectKeepAliveCount(x, x, x, x, x)
_IopAdjustFileObjectKeepAliveCount@20 proc near
					; CODE XREF: IoDecrementKeepAliveCount(x,x)+1Fp
					; IoIncrementKeepAliveCount(x,x)+20p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	[ebp+var_10], edx
		mov	eax, ecx
		xor	ecx, ecx
		mov	[ebp+var_14], eax
		xor	edx, edx
		mov	[ebp+var_8], ecx
		push	edi
		inc	edx
		mov	esi, ecx
		mov	ebx, ecx
		push	ecx		; int
		cmp	[ebp+arg_0], ecx
		jz	short loc_60DECF
		lea	ecx, [ebp+var_8]
		push	ecx		; int
		push	edx		; char
		push	10h		; size_t
		mov	ecx, eax
		call	IopGetSetSpecificExtension
		mov	edi, eax
		mov	[ebp+var_C], edi
		test	edi, edi
		js	loc_60DFD8
		push	10h
		mov	edi, 200h
		pop	edx
		mov	ecx, edi
		call	IopVerifierExAllocatePool
		mov	esi, eax
		test	esi, esi
		jz	short loc_60DEA8
		push	20h
		pop	edx
		mov	ecx, edi
		call	IopVerifierExAllocatePool
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_60DEA8
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi

loc_60DEA8:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+53j
					; IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+63j
		mov	edi, [ebp+var_8]
		mov	[ebp+var_8], edi

loc_60DEAE:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+A6j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		mov	eax, [ebp+var_14]
		add	eax, 70h
		mov	ecx, eax
		mov	[ebp+var_18], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [edi+0Ch]
		mov	edx, [ebp+var_10]
		jmp	short loc_60DEF3
; 

loc_60DECF:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+23j
		mov	[ebp+var_C], ecx
		mov	ecx, eax
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	edi, edi
		jnz	short loc_60DEAE
		mov	eax, 0C000000Dh
		jmp	loc_60DFD8
; 

loc_60DEEC:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+BBj
		cmp	[ecx+4], edx
		jz	short loc_60DF52
		mov	ecx, [ecx]

loc_60DEF3:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+93j
		test	ecx, ecx
		jnz	short loc_60DEEC
		cmp	[ebp+arg_0], ecx
		jz	loc_60DF92
		test	esi, esi
		jz	loc_60DF8B
		xor	eax, eax
		mov	edi, esi
		push	8
		pop	ecx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, ebx
		rep stosd
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+0Ch]
		mov	[esi], eax
		mov	eax, [ebp+var_14]
		mov	[ecx+0Ch], esi
		xor	ecx, ecx
		inc	ecx
		mov	[esi+4], edx
		mov	[esi+8], ecx
		mov	[esi+0Ch], ebx
		mov	[ebx+0Ch], edx
		mov	[ebx+14h], eax
		test	dword ptr [eax+2Ch], 20000000h
		jz	short loc_60DF76
		mov	eax, [eax+7Ch]
		test	eax, eax
		jz	short loc_60DF4E
		test	byte ptr [eax],	8
		jnz	short loc_60DF76

loc_60DF4E:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+10Dj
		mov	al, cl
		jmp	short loc_60DF78
; 

loc_60DF52:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+B5j
		cmp	[ebp+arg_0], 0
		mov	edx, [ecx+8]
		jz	short loc_60DF5E
		inc	edx
		jmp	short loc_60DF5F
; 

loc_60DF5E:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+11Fj
		dec	edx

loc_60DF5F:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+122j
		mov	eax, [ebp+arg_8]
		mov	edi, edx
		mov	[ecx+8], edi
		mov	ecx, [ecx+0Ch]
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		mov	[eax], edx

loc_60DF71:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+14Fj
		mov	edi, [ebp+var_C]
		jmp	short loc_60DF97
; 

loc_60DF76:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+106j
					; IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+112j
		xor	al, al

loc_60DF78:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+116j
		mov	[ebx+0Ah], al
		xor	esi, esi
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		xor	ebx, ebx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		jmp	short loc_60DF71
; 

loc_60DF8B:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+C8j
		mov	edi, 0C000009Ah
		jmp	short loc_60DF97
; 

loc_60DF92:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+C0j
		mov	edi, 0C000000Dh

loc_60DF97:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+13Aj
					; IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+156j
		test	ds:byte_70EFC6,	1
		jz	short loc_60DFAD
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_18]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_60DFB5
; 

loc_60DFAD:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+164j
		mov	eax, [ebp+var_18]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_60DFB5:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+171j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_60DFCA
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_60DFCA:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+186j
		test	ebx, ebx
		jz	short loc_60DFD6
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_60DFD6:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+192j
		mov	eax, edi

loc_60DFD8:				; CODE XREF: IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+3Aj
					; IopAdjustFileObjectKeepAliveCount(x,x,x,x,x)+ADj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_IopAdjustFileObjectKeepAliveCount@20 endp

; 
		align 10h
		db 0CCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCheckHandleForRevocation(x, x, x, x)
_IopCheckHandleForRevocation@16	proc near ; DATA XREF: IoRevokeHandlesForProcess(x,x)+F9o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		mov	edx, [esi]
		and	edx, 0FFFFFFF8h
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edx+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		cmp	eax, ds:_IoFileObjectType
		jnz	short loc_60E02A
		lea	ecx, [edx+18h]
		mov	edx, [ebp+arg_C]
		mov	eax, [ecx+4]
		cmp	eax, [edx]
		jnz	short loc_60E02A
		mov	edx, [edx+4]
		call	_IopRevokeFileObjectForProcess@8 ; IopRevokeFileObjectForProcess(x,x)

loc_60E02A:				; CODE XREF: IopCheckHandleForRevocation(x,x,x,x)+32j
					; IopCheckHandleForRevocation(x,x,x,x)+3Fj
		xor	eax, eax
		inc	eax
		lock xadd [esi], eax
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+arg_4]
		xor	esi, esi
		add	ecx, 20h
		mov	[ebp+arg_4], esi
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], esi
		jz	short loc_60E04E
		push	esi
		call	ExpUnblockPushLock

loc_60E04E:				; CODE XREF: IopCheckHandleForRevocation(x,x,x,x)+65j
		xor	al, al
		pop	esi
		pop	ebp
		retn	10h
_IopCheckHandleForRevocation@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopKeepAliveWorker(x)
_IopKeepAliveWorker@4 proc near		; DATA XREF: INIT:00AC2B0Ao

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	ecx, offset dword_6CCF98
		push	ebx
		push	esi
		push	edi
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	ecx, large fs:124h
		mov	ds:dword_6CCFB4, ecx

loc_60E07A:				; CODE XREF: IopKeepAliveWorker(x)+16Cj
		mov	bl, al

loc_60E07C:				; CODE XREF: IopKeepAliveWorker(x)+78j
		xor	edx, edx

loc_60E07E:				; CODE XREF: IopKeepAliveWorker(x)+6Fj
		mov	esi, ds:dword_6CCF90
		cmp	esi, offset dword_6CCF90
		jz	loc_60E1CB
		mov	edi, [esi+10h]
		mov	[esp+18h+var_8], edx
		mov	[esp+18h+var_4], edx
		mov	[esi+10h], edx
		test	edi, edi
		jnz	short loc_60E0CF
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_60E1C6
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_60E1C6
		mov	[ecx], eax
		mov	[eax+4], ecx
		cmp	byte ptr [esi+9], 1
		mov	[esi+8], dl
		jnz	short loc_60E07E
		push	edx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_60E07C
; 

loc_60E0CF:				; CODE XREF: IopKeepAliveWorker(x)+4Bj
		mov	dl, bl
		mov	ecx, offset dword_6CCF98
		call	KfReleaseSpinLock
		test	edi, edi
		jle	short loc_60E104

loc_60E0DF:				; CODE XREF: IopKeepAliveWorker(x)+A8j
		mov	ecx, [esi+0Ch]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		movzx	eax, byte ptr [esi+0Ah]
		xor	edx, edx
		mov	ecx, [esi+0Ch]
		inc	edx
		push	eax
		push	dword ptr [esi+14h]
		call	_PspAdjustKeepAliveCountProcess@16 ; PspAdjustKeepAliveCountProcess(x,x,x,x)
		sub	edi, 1
		jnz	short loc_60E0DF
		jmp	loc_60E1B7
; 

loc_60E104:				; CODE XREF: IopKeepAliveWorker(x)+88j
		jns	loc_60E1B7
		cmp	edi, 0FFFFFFFFh
		jz	short loc_60E134
		or	ebx, 0FFFFFFFFh
		sub	ebx, edi

loc_60E114:				; CODE XREF: IopKeepAliveWorker(x)+DDj
		movzx	eax, byte ptr [esi+0Ah]
		or	edx, 0FFFFFFFFh
		mov	ecx, [esi+0Ch]
		push	eax
		push	dword ptr [esi+14h]
		call	_PspAdjustKeepAliveCountProcess@16 ; PspAdjustKeepAliveCountProcess(x,x,x,x)
		mov	ecx, [esi+0Ch]
		call	ObfDereferenceObject
		sub	ebx, 1
		jnz	short loc_60E114

loc_60E134:				; CODE XREF: IopKeepAliveWorker(x)+B8j
		mov	bl, [esi+0Ah]
		mov	ecx, [esi+0Ch]
		mov	dl, bl
		call	_PsGetKeepAliveCountProcess@8 ;	PsGetKeepAliveCountProcess(x,x)
		cmp	eax, 1
		jz	short loc_60E149
		push	ebx
		jmp	short loc_60E189
; 

loc_60E149:				; CODE XREF: IopKeepAliveWorker(x)+EFj
		mov	ecx, offset dword_6CCF98
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	bl, al
		lea	eax, [esp+18h+var_8]
		push	eax
		call	KeQuerySystemTime
		mov	ecx, [esp+18h+var_4]
		lea	edi, [esi+18h]
		cmp	ecx, [edi+4]
		jl	short loc_60E19E
		jg	short loc_60E175
		mov	eax, [esp+18h+var_8]
		cmp	eax, [edi]
		jb	short loc_60E19E

loc_60E175:				; CODE XREF: IopKeepAliveWorker(x)+116j
		mov	dl, bl
		mov	ecx, offset dword_6CCF98
		call	KfReleaseSpinLock
		movzx	eax, byte ptr [esi+0Ah]
		mov	ecx, [esi+0Ch]
		push	eax

loc_60E189:				; CODE XREF: IopKeepAliveWorker(x)+F2j
		push	dword ptr [esi+14h]
		or	edx, 0FFFFFFFFh
		call	_PspAdjustKeepAliveCountProcess@16 ; PspAdjustKeepAliveCountProcess(x,x,x,x)
		mov	ecx, [esi+0Ch]
		call	ObfDereferenceObject
		jmp	short loc_60E1B7
; 

loc_60E19E:				; CODE XREF: IopKeepAliveWorker(x)+114j
					; IopKeepAliveWorker(x)+11Ej
		dec	dword ptr [esi+10h]
		mov	dl, bl
		mov	ecx, offset dword_6CCF98
		call	KfReleaseSpinLock
		push	edi
		push	1
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)

loc_60E1B7:				; CODE XREF: IopKeepAliveWorker(x)+AAj
					; IopKeepAliveWorker(x):loc_60E104j ...
		mov	ecx, offset dword_6CCF98
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		jmp	loc_60E07A
; 

loc_60E1C6:				; CODE XREF: IopKeepAliveWorker(x)+52j
					; IopKeepAliveWorker(x)+5Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_60E1CB:				; CODE XREF: IopKeepAliveWorker(x)+35j
		mov	ds:byte_6CCFB0,	dl
		mov	ecx, offset dword_6CCF98
		mov	ds:dword_6CCFB4, edx
		mov	dl, bl
		call	KfReleaseSpinLock
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_IopKeepAliveWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopRevokeFileObjectForProcess(x, x)
_IopRevokeFileObjectForProcess@8 proc near
					; CODE XREF: IopCheckHandleForRevocation(x,x,x,x)+44p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		lea	edx, [esp+10h+var_4]
		mov	[esp+10h+var_4], ebx
		mov	esi, ecx
		call	IopAllocateFileObjectExtension
		test	eax, eax
		js	short loc_60E218
		mov	eax, [esp+10h+var_4]
		or	dword ptr [eax], 4
		mov	eax, ebx

loc_60E218:				; CODE XREF: IopRevokeFileObjectForProcess(x,x)+21j
		cmp	eax, 0C000009Ah
		jnz	short loc_60E227
		mov	eax, ds:_IopRevocationExtension
		mov	[esi+7Ch], eax

loc_60E227:				; CODE XREF: IopRevokeFileObjectForProcess(x,x)+31j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	IopCancelIrpsInFileObjectList
		xor	edx, edx
		mov	ecx, esi
		call	_IopCancelIrpsInThreadListForCurrentProcess@8 ;	IopCancelIrpsInThreadListForCurrentProcess(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_IopRevokeFileObjectForProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAllowRemoteDASD()
_IopAllowRemoteDASD@0 proc near		; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+39Ap

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		push	ebx
		push	esi
		mov	bl, al
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_18]
		push	offset ??_C@_1CA@BHBGKHBP@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAR?$AAe?$AAm?$AAo?$AAt?$AAe?$AAD?$AAA?$AAS?$AAD@FNODOBFM@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1JM@NKOMBJJF@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@FNODOBFM@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	esi, esi
		lea	eax, [ebp+var_10]
		push	esi
		push	20019h
		push	eax
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		call	IopOpenRegistryKey
		test	eax, eax
		js	short loc_60E2CF
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	eax
		push	esi
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_60E2C7
		mov	ecx, [ebp+var_8]
		cmp	[ecx+0Ch], esi
		jz	short loc_60E2C0
		mov	eax, [ecx+8]
		cmp	[ecx+eax], esi
		jz	short loc_60E2C0
		mov	bl, 1

loc_60E2C0:				; CODE XREF: IopAllowRemoteDASD()+70j
					; IopAllowRemoteDASD()+78j
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_60E2C7:				; CODE XREF: IopAllowRemoteDASD()+68j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_60E2CF:				; CODE XREF: IopAllowRemoteDASD()+54j
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_IopAllowRemoteDASD@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCheckStackForTransactionSupport(x)
_IopCheckStackForTransactionSupport@4 proc near
					; CODE XREF: IopAllocateFoExtensionsOnCreate+126A28p
					; IopRetrieveTransactionParameters+FE66Ap
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 40000h
		test	[esi+1Ch], edi
		jnz	short loc_60E362
		push	ebx
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al

loc_60E2F3:				; CODE XREF: IopCheckStackForTransactionSupport(x)+36j
		test	[esi+1Ch], edi
		jnz	short loc_60E30D
		mov	esi, [esi+0B0h]
		test	esi, esi
		jz	short loc_60E307
		mov	esi, [esi+18h]
		jmp	short loc_60E309
; 

loc_60E307:				; CODE XREF: IopCheckStackForTransactionSupport(x)+2Bj
		xor	esi, esi

loc_60E309:				; CODE XREF: IopCheckStackForTransactionSupport(x)+30j
		test	esi, esi
		jnz	short loc_60E2F3

loc_60E30D:				; CODE XREF: IopCheckStackForTransactionSupport(x)+21j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	edi, [eax+468h]
		jz	short loc_60E32E
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_60E359
; 

loc_60E32E:				; CODE XREF: IopCheckStackForTransactionSupport(x)+4Bj
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_60E34A
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_60E359
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_60E34A:				; CODE XREF: IopCheckStackForTransactionSupport(x)+5Dj
		xor	edx, edx
		mov	dword ptr [edi], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx

loc_60E359:				; CODE XREF: IopCheckStackForTransactionSupport(x)+57j
					; IopCheckStackForTransactionSupport(x)+6Cj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx

loc_60E362:				; CODE XREF: IopCheckStackForTransactionSupport(x)+11j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn
_IopCheckStackForTransactionSupport@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopIsSecurityContextAppContainer(x)
_IopIsSecurityContextAppContainer@4 proc near
					; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+7D6p

var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		lea	edx, [ebp-1]
		mov	[ebp+var_1], 0
		call	_SeIsAppContainerOrIdentifyLevelContext@8 ; SeIsAppContainerOrIdentifyLevelContext(x,x)
		mov	al, [ebp+var_1]
		leave
		retn
_IopIsSecurityContextAppContainer@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 776. IoClearAdapterCryptoEngineExtension

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoClearAdapterCryptoEngineExtension(x)
		public _IoClearAdapterCryptoEngineExtension@4
_IoClearAdapterCryptoEngineExtension@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	edi
		push	7
		pop	edx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	short loc_60E3C4
		mov	ecx, [ebp+arg_0]
		push	7
		pop	edx
		call	IopAllocateIrpExtension
		mov	edi, eax
		test	edi, edi
		jz	short loc_60E3C4
		mov	ecx, [ebp+arg_0]
		add	edi, 20h
		xor	eax, eax
		push	0
		push	7
		stosd
		pop	edx
		stosd
		stosd
		stosd
		call	_IopFreeIrpExtension@12	; IopFreeIrpExtension(x,x,x)
		xor	eax, eax
		jmp	short loc_60E3C9
; 

loc_60E3C4:				; CODE XREF: IoClearAdapterCryptoEngineExtension(x)+13j
					; IoClearAdapterCryptoEngineExtension(x)+24j
		mov	eax, 0C0000225h

loc_60E3C9:				; CODE XREF: IoClearAdapterCryptoEngineExtension(x)+3Ej
		pop	edi
		pop	ebp
		retn	4
_IoClearAdapterCryptoEngineExtension@4 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 777. IoClearFsTrackOffsetState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoClearFsTrackOffsetState(x)
		public _IoClearFsTrackOffsetState@4
_IoClearFsTrackOffsetState@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	5
		pop	edx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jnz	short loc_60E3EE
		mov	eax, 0C0000225h
		jmp	short loc_60E3FD
; 

loc_60E3EE:				; CODE XREF: IoClearFsTrackOffsetState(x)+12j
		mov	ecx, [ebp+arg_0]
		push	0
		push	5
		pop	edx
		call	_IopFreeIrpExtension@12	; IopFreeIrpExtension(x,x,x)
		xor	eax, eax

loc_60E3FD:				; CODE XREF: IoClearFsTrackOffsetState(x)+19j
		pop	ebp
		retn	4
_IoClearFsTrackOffsetState@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 840. IoGetAdapterCryptoEngineExtension

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetAdapterCryptoEngineExtension(x, x)
		public _IoGetAdapterCryptoEngineExtension@8
_IoGetAdapterCryptoEngineExtension@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	7
		pop	edx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	short loc_60E42C
		mov	eax, [ebp+arg_4]
		mov	ecx, [esi+68h]
		add	ecx, 20h
		mov	[eax], ecx
		xor	eax, eax
		jmp	short loc_60E431
; 

loc_60E42C:				; CODE XREF: IoGetAdapterCryptoEngineExtension(x,x)+15j
		mov	eax, 0C0000225h

loc_60E431:				; CODE XREF: IoGetAdapterCryptoEngineExtension(x,x)+24j
		pop	esi
		pop	ebp
		retn	8
_IoGetAdapterCryptoEngineExtension@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 867. IoGetFsZeroingOffset

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetFsZeroingOffset(x, x)
		public _IoGetFsZeroingOffset@8
_IoGetFsZeroingOffset@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	4
		pop	edx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	short loc_60E461
		mov	eax, [esi+68h]
		mov	ecx, [eax+20h]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		xor	eax, eax
		jmp	short loc_60E466
; 

loc_60E461:				; CODE XREF: IoGetFsZeroingOffset(x,x)+15j
		mov	eax, 0C0000225h

loc_60E466:				; CODE XREF: IoGetFsZeroingOffset(x,x)+24j
		pop	esi
		pop	ebp
		retn	8
_IoGetFsZeroingOffset@8	endp

; 
		align 10h
; Exported entry 976. IoSetAdapterCryptoEngineExtension

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetAdapterCryptoEngineExtension(x, x)
		public _IoSetAdapterCryptoEngineExtension@8
_IoSetAdapterCryptoEngineExtension@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	7
		pop	edx
		call	_IopIrpHasValidCombinationOfExtensionTypes@8 ; IopIrpHasValidCombinationOfExtensionTypes(x,x)
		test	al, al
		jnz	short loc_60E48B
		mov	eax, 0C00000BBh
		jmp	short loc_60E4B1
; 

loc_60E48B:				; CODE XREF: IoSetAdapterCryptoEngineExtension(x,x)+12j
		mov	ecx, [ebp+arg_0]
		push	7
		pop	edx
		call	IopAllocateIrpExtension
		test	eax, eax
		jnz	short loc_60E4A1
		mov	eax, 0C000009Ah
		jmp	short loc_60E4B1
; 

loc_60E4A1:				; CODE XREF: IoSetAdapterCryptoEngineExtension(x,x)+28j
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		lea	edi, [eax+20h]
		xor	eax, eax
		movsd
		movsd
		movsd
		movsd
		pop	edi
		pop	esi

loc_60E4B1:				; CODE XREF: IoSetAdapterCryptoEngineExtension(x,x)+19j
					; IoSetAdapterCryptoEngineExtension(x,x)+2Fj
		pop	ebp
		retn	8
_IoSetAdapterCryptoEngineExtension@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 985. IoSetFsTrackOffsetState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetFsTrackOffsetState(x, x, x, x)
		public _IoSetFsTrackOffsetState@16
_IoSetFsTrackOffsetState@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	5
		pop	edx
		call	_IopIrpHasValidCombinationOfExtensionTypes@8 ; IopIrpHasValidCombinationOfExtensionTypes(x,x)
		test	al, al
		jnz	short loc_60E4D5
		mov	eax, 0C00000BBh
		jmp	short loc_60E501
; 

loc_60E4D5:				; CODE XREF: IoSetFsTrackOffsetState(x,x,x,x)+12j
		mov	ecx, [ebp+arg_0]
		push	5
		pop	edx
		call	IopAllocateIrpExtension
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_60E4ED
		mov	eax, 0C000009Ah
		jmp	short loc_60E501
; 

loc_60E4ED:				; CODE XREF: IoSetFsTrackOffsetState(x,x,x,x)+2Aj
		mov	eax, [ebp+arg_4]
		mov	[ecx+20h], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+24h], eax
		mov	eax, [ebp+arg_C]
		mov	[ecx+28h], eax
		xor	eax, eax

loc_60E501:				; CODE XREF: IoSetFsTrackOffsetState(x,x,x,x)+19j
					; IoSetFsTrackOffsetState(x,x,x,x)+31j
		pop	ebp
		retn	10h
_IoSetFsTrackOffsetState@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 986. IoSetFsZeroingOffset

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetFsZeroingOffset(x, x)
		public _IoSetFsZeroingOffset@8
_IoSetFsZeroingOffset@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		push	4
		pop	edx
		mov	ecx, edi
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	short loc_60E52F
		mov	ecx, [edi+68h]
		mov	eax, [ebp+arg_4]
		mov	[ecx+20h], eax
		jmp	short loc_60E534
; 

loc_60E52F:				; CODE XREF: IoSetFsZeroingOffset(x,x)+18j
		mov	esi, 0C0000225h

loc_60E534:				; CODE XREF: IoSetFsZeroingOffset(x,x)+23j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_IoSetFsZeroingOffset@8	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 987. IoSetFsZeroingOffsetRequired

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetFsZeroingOffsetRequired(x)
		public _IoSetFsZeroingOffsetRequired@4
_IoSetFsZeroingOffsetRequired@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	4
		pop	edx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	short loc_60E55C
		mov	eax, 0C0000021h
		jmp	short loc_60E58E
; 

loc_60E55C:				; CODE XREF: IoSetFsZeroingOffsetRequired(x)+12j
		mov	ecx, [ebp+arg_0]
		push	4
		pop	edx
		call	_IopIrpHasValidCombinationOfExtensionTypes@8 ; IopIrpHasValidCombinationOfExtensionTypes(x,x)
		test	al, al
		jnz	short loc_60E572
		mov	eax, 0C00000BBh
		jmp	short loc_60E58E
; 

loc_60E572:				; CODE XREF: IoSetFsZeroingOffsetRequired(x)+28j
		mov	ecx, [ebp+arg_0]
		push	4
		pop	edx
		call	IopAllocateIrpExtension
		test	eax, eax
		jnz	short loc_60E588
		mov	eax, 0C000009Ah
		jmp	short loc_60E58E
; 

loc_60E588:				; CODE XREF: IoSetFsZeroingOffsetRequired(x)+3Ej
		and	dword ptr [eax+20h], 0
		xor	eax, eax

loc_60E58E:				; CODE XREF: IoSetFsZeroingOffsetRequired(x)+19j
					; IoSetFsZeroingOffsetRequired(x)+2Fj ...
		pop	ebp
		retn	4
_IoSetFsZeroingOffsetRequired@4	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1008. IoSizeofGenericIrpExtension

;  S U B	R O U T	I N E 


; __stdcall IoSizeofGenericIrpExtension()
		public _IoSizeofGenericIrpExtension@0
_IoSizeofGenericIrpExtension@0 proc near
		push	4
		pop	eax
		retn
_IoSizeofGenericIrpExtension@0 endp


;  S U B	R O U T	I N E 


; __stdcall IopIrpHasValidCombinationOfExtensionTypes(x, x)
_IopIrpHasValidCombinationOfExtensionTypes@8 proc near
					; CODE XREF: IopSetCopyInformationExtension(x,x)+Bp
					; IoSetAdapterCryptoEngineExtension(x,x)+Bp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		nop
		cmp	byte ptr [ecx+27h], 0
		jl	short loc_60E5EB
		mov	esi, [ecx+68h]
		test	esi, esi
		jz	short loc_60E5EB
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		shl	edx, cl
		test	dl, 0B2h
		jz	short loc_60E5F0
		movzx	ecx, word ptr [esi+2]
		test	cl, 0B2h
		jz	short loc_60E5EB
		mov	eax, ecx
		and	eax, 0B2h
		cmp	eax, edx
		jz	short loc_60E5EB
		cmp	edi, 1
		jz	short loc_60E607
		test	cl, 2
		jz	short loc_60E607
		and	dword ptr [esi+20h], 0
		and	ecx, 0FFFEh
		and	dword ptr [esi+24h], 0
		mov	[esi+2], cx

loc_60E5EB:				; CODE XREF: IopIrpHasValidCombinationOfExtensionTypes(x,x)+Bj
					; IopIrpHasValidCombinationOfExtensionTypes(x,x)+12j ...
		mov	al, 1

loc_60E5ED:				; CODE XREF: IopIrpHasValidCombinationOfExtensionTypes(x,x)+6Ej
		pop	edi
		pop	esi
		retn
; 

loc_60E5F0:				; CODE XREF: IopIrpHasValidCombinationOfExtensionTypes(x,x)+1Ej
		mov	ecx, 200h
		test	edx, ecx
		jz	short loc_60E5EB
		movzx	eax, word ptr [esi+2]
		test	eax, ecx
		jz	short loc_60E5EB
		and	eax, ecx
		cmp	eax, edx
		jz	short loc_60E5EB

loc_60E607:				; CODE XREF: IopIrpHasValidCombinationOfExtensionTypes(x,x)+37j
					; IopIrpHasValidCombinationOfExtensionTypes(x,x)+3Cj
		xor	al, al
		jmp	short loc_60E5ED
_IopIrpHasValidCombinationOfExtensionTypes@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SessionGetSessionStateInfo(x, x)
_SessionGetSessionStateInfo@8 proc near	; CODE XREF: IoGetContainerInformation(x,x,x,x)+42p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		lea	edx, [ebp+var_4]
		call	_MmGetIoSessionState@8 ; MmGetIoSessionState(x,x)
		mov	[esi+4], eax
		mov	eax, [ebp+var_4]
		cmp	eax, ds:0FFDF02D8h
		setz	al
		mov	[esi+8], al
		mov	eax, [ebp+var_4]
		mov	[esi], eax
		pop	esi
		leave
		retn
_SessionGetSessionStateInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall IopPerfCallDriver(x, x)
@IopPerfCallDriver@8 proc near		; CODE XREF: IofCallDriverSpecifyReturn+849ADp
					; IofCallDriver+C67E4p	...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edx
		inc	edi
		mov	ebx, ecx
		test	byte ptr ds:_IopPerfStatus, 2
		jz	short loc_60E676
		mov	edx, edi
		mov	ecx, esi
		call	_IopIrpHasValidCombinationOfExtensionTypes@8 ; IopIrpHasValidCombinationOfExtensionTypes(x,x)
		test	al, al
		jz	short loc_60E676
		mov	edx, edi
		mov	ecx, esi
		call	IopAllocateIrpExtension
		test	eax, eax
		jz	short loc_60E676
		add	eax, 20h
		push	eax
		call	KeQuerySystemTime

loc_60E676:				; CODE XREF: IopPerfCallDriver(x,x)+17j
					; IopPerfCallDriver(x,x)+24j ...
		test	byte ptr ds:_IopPerfStatus, 1
		mov	ecx, ebx
		jz	short loc_60E6C0
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		lock xadd ds:_IopPerfDriverUniqueMatchId, edi
		inc	edi
		mov	ecx, [ebx+8]
		mov	edx, esi
		push	edi
		call	_IopPerfLogCallEvent@12	; IopPerfLogCallEvent(x,x,x)
		mov	edx, esi
		mov	ecx, ebx
		call	IopfCallDriver
		mov	edx, edi
		mov	[ebp+var_4], eax
		mov	ecx, esi
		call	_IopPerfLogCallReturnEvent@8 ; IopPerfLogCallReturnEvent(x,x)
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, [ebp+var_4]
		jmp	short loc_60E6C7
; 

loc_60E6C0:				; CODE XREF: IopPerfCallDriver(x,x)+45j
		mov	edx, esi
		call	IopfCallDriver

loc_60E6C7:				; CODE XREF: IopPerfCallDriver(x,x)+84j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@IopPerfCallDriver@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall IopPerfCompleteRequest(x, x)
@IopPerfCompleteRequest@8 proc near	; CODE XREF: IofCompleteRequest+C875Fp
					; IovCompleteRequest(x,x)+129p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= byte ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_48]
		mov	dh, dl
		cmp	word ptr [ebx],	6
		stosd
		mov	[ebp+var_19], dh
		stosd
		stosd
		stosd
		stosd
		jnz	loc_60E88A
		mov	cl, [ebx+22h]
		mov	dl, [ebx+23h]
		mov	al, cl
		inc	al
		cmp	dl, al
		jg	loc_60E88A
		xor	esi, esi
		mov	eax, esi
		mov	edi, esi
		mov	[ebp+var_34], eax
		cmp	dl, cl
		jg	loc_60E7A7
		mov	edi, [ebx+60h]
		cmp	[edi+14h], esi
		jz	short loc_60E79F
		test	byte ptr ds:_IopPerfStatus, 2
		jz	short loc_60E786
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jz	short loc_60E783
		push	4
		pop	edx
		mov	ecx, ebx
		call	_IopIrpHasExtensionType@8 ; IopIrpHasExtensionType(x,x)
		test	al, al
		jnz	short loc_60E783
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	esi, [ebx+68h]
		push	eax
		call	KeQuerySystemTime
		mov	ecx, [ebp+var_30]
		sub	ecx, [esi+20h]
		mov	eax, [ebp+var_2C]
		mov	edx, [edi+14h]
		sbb	eax, [esi+24h]
		push	eax
		push	ecx
		mov	ecx, [edx+2Ch]
		call	_IopProcessIoTracking@12 ; IopProcessIoTracking(x,x,x)
		xor	edx, edx
		mov	ecx, ebx
		push	1
		inc	edx
		call	_IopFreeIrpExtension@12	; IopFreeIrpExtension(x,x,x)

loc_60E783:				; CODE XREF: IopPerfCompleteRequest(x,x)+70j
					; IopPerfCompleteRequest(x,x)+7Ej
		mov	dh, [ebp+var_19]

loc_60E786:				; CODE XREF: IopPerfCompleteRequest(x,x)+62j
		mov	eax, [edi+14h]
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	short loc_60E7A4
		mov	al, [edi]
		cmp	al, 1Bh
		ja	short loc_60E7A4
		movzx	eax, al
		mov	eax, [ecx+eax*4+38h]
		jmp	short loc_60E7A7
; 

loc_60E79F:				; CODE XREF: IopPerfCompleteRequest(x,x)+59j
		mov	eax, [edi+1Ch]
		jmp	short loc_60E7A7
; 

loc_60E7A4:				; CODE XREF: IopPerfCompleteRequest(x,x)+C2j
					; IopPerfCompleteRequest(x,x)+C8j
		mov	eax, [ebp+var_34]

loc_60E7A7:				; CODE XREF: IopPerfCompleteRequest(x,x)+4Dj
					; IopPerfCompleteRequest(x,x)+D1j ...
		test	byte ptr ds:_IopPerfStatus, 1
		jz	loc_60E88A
		xor	esi, esi
		inc	esi
		lock xadd ds:_IopPerfDriverUniqueMatchId, esi
		inc	esi
		and	[ebp+var_14], 0
		lea	ecx, [ebp+var_18]
		and	[ebp+var_C], 0
		xor	edx, edx
		push	offset byte_401802
		mov	[ebp+var_30], eax
		inc	edx
		push	134h
		lea	eax, [ebp+var_30]
		mov	[ebp+var_2C], ebx
		push	20000010h
		mov	[ebp+var_28], esi
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], 0Ch
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		test	edi, edi
		jz	short loc_60E834
		cmp	dword ptr [ebx+18h], 0
		mov	eax, [edi+20h]
		mov	[ebp+var_44], eax
		mov	[ebp+var_48], edi
		mov	[ebp+var_3C], esi
		mov	al, [edi+3]
		mov	[ebp+var_38], al
		mov	al, [edi+3]
		jl	short loc_60E875
		test	al, 40h
		jz	short loc_60E879

loc_60E81B:				; CODE XREF: IopPerfCompleteRequest(x,x)+1ABj
					; IopPerfCompleteRequest(x,x)+1B5j
		mov	eax, [edi+1Ch]
		mov	[ebp+var_40], eax
		mov	eax, [edi+20h]
		mov	[ebp+var_44], eax

loc_60E827:				; CODE XREF: IopPerfCompleteRequest(x,x)+1BCj
		lea	eax, [ebp+var_48]
		mov	dword ptr [edi+1Ch], offset _IopPerfCompletionRoutine@12 ; IopPerfCompletionRoutine(x,x,x)
		mov	[edi+20h], eax

loc_60E834:				; CODE XREF: IopPerfCompleteRequest(x,x)+12Ej
		mov	dl, [ebp+var_19]
		mov	ecx, ebx
		call	@IopfCompleteRequest@8 ; IopfCompleteRequest(x,x)
		and	[ebp+var_14], 0
		lea	eax, [ebp+var_2C]
		and	[ebp+var_C], 0
		lea	ecx, [ebp+var_18]
		push	offset byte_401802
		push	135h
		xor	edx, edx
		mov	[ebp+var_2C], ebx
		push	20000010h
		inc	edx
		mov	[ebp+var_28], esi
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], 8
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	short loc_60E893
; 

loc_60E875:				; CODE XREF: IopPerfCompleteRequest(x,x)+149j
		test	al, al
		js	short loc_60E81B

loc_60E879:				; CODE XREF: IopPerfCompleteRequest(x,x)+14Dj
		cmp	byte ptr [ebx+24h], 0
		jz	short loc_60E883
		test	al, 20h
		jnz	short loc_60E81B

loc_60E883:				; CODE XREF: IopPerfCompleteRequest(x,x)+1B1j
		or	al, 0C0h
		mov	[edi+3], al
		jmp	short loc_60E827
; 

loc_60E88A:				; CODE XREF: IopPerfCompleteRequest(x,x)+2Aj
					; IopPerfCompleteRequest(x,x)+3Cj ...
		mov	dl, dh
		mov	ecx, ebx
		call	@IopfCompleteRequest@8 ; IopfCompleteRequest(x,x)

loc_60E893:				; CODE XREF: IopPerfCompleteRequest(x,x)+1A7j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
@IopPerfCompleteRequest@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoPerfInit(x)
_IoPerfInit@4	proc near		; CODE XREF: EtwpEnableKernelTrace+129ACBp
					; IoRegisterIoTracking(x,x)+B0p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	edi
		xor	eax, eax
		mov	[ebp+var_1], 0
		lea	edi, [ebp+var_10]
		mov	ebx, ecx
		stosd
		lea	edx, [ebp+var_10]
		mov	ecx, offset _IopFunctionPointerLock
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, ds:_IopPerfStatus
		xor	edx, edx
		inc	edx
		mov	cl, dl
		test	eax, eax
		jz	short loc_60E8D8
		mov	cl, [ebp+var_1]

loc_60E8D8:				; CODE XREF: IoPerfInit(x)+31j
		or	eax, ebx
		mov	ds:_IopPerfStatus, eax
		test	bl, dl
		jz	short loc_60E8E9
		inc	ds:dword_6FDF78

loc_60E8E9:				; CODE XREF: IoPerfInit(x)+3Fj
		pop	edi
		test	bl, 2
		pop	ebx
		jz	short loc_60E8F6
		inc	ds:dword_6FDF7C

loc_60E8F6:				; CODE XREF: IoPerfInit(x)+4Cj
		cmp	cl, dl
		jnz	short loc_60E906
		push	edx
		push	2
		pop	ecx
		call	_IopUpdateFunctionPointers@12 ;	IopUpdateFunctionPointers(x,x,x)
		xor	edx, edx
		inc	edx

loc_60E906:				; CODE XREF: IoPerfInit(x)+56j
		test	ds:byte_70EFC6,	dl
		jz	short loc_60E91B
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_60E94A
; 

loc_60E91B:				; CODE XREF: IoPerfInit(x)+6Aj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_60E93D
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jz	short loc_60E94A
		call	KxWaitForLockChainValid
		xor	edx, edx
		inc	edx

loc_60E93D:				; CODE XREF: IoPerfInit(x)+7Ej
		mov	[ebp+var_10], 0
		add	eax, 4
		lock xor [eax],	edx

loc_60E94A:				; CODE XREF: IoPerfInit(x)+77j
					; IoPerfInit(x)+91j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		leave
		retn
_IoPerfInit@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoPerfReset(x)
_IoPerfReset@4	proc near		; CODE XREF: EtwpDisableKernelTrace+1299D1p
					; PAGE:0095F557p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	edi
		lea	edi, [ebp+var_C]
		mov	ebx, ecx
		stosd
		mov	ecx, offset _IopFunctionPointerLock
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	bl, 1
		jz	short loc_60E98D
		sub	ds:dword_6FDF78, 1
		jnz	short loc_60E98D
		and	ds:_IopPerfStatus, 0FFFFFFFEh

loc_60E98D:				; CODE XREF: IoPerfReset(x)+24j
					; IoPerfReset(x)+2Dj
		pop	edi
		test	bl, 2
		pop	ebx
		jz	short loc_60E9A4
		sub	ds:dword_6FDF7C, 1
		jnz	short loc_60E9A4
		and	ds:_IopPerfStatus, 0FFFFFFFDh

loc_60E9A4:				; CODE XREF: IoPerfReset(x)+3Bj
					; IoPerfReset(x)+44j
		push	esi
		xor	esi, esi
		inc	esi
		cmp	ds:_IopPerfStatus, 0
		jnz	short loc_60E9BC
		push	esi
		push	2
		xor	dl, dl
		pop	ecx
		call	_IopUpdateFunctionPointers@12 ;	IopUpdateFunctionPointers(x,x,x)

loc_60E9BC:				; CODE XREF: IoPerfReset(x)+58j
		test	ds:byte_70EFC6,	1
		jz	short loc_60E9D2
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_60E9FE
; 

loc_60E9D2:				; CODE XREF: IoPerfReset(x)+6Cj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_60E9F1
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_60E9FE
		call	KxWaitForLockChainValid

loc_60E9F1:				; CODE XREF: IoPerfReset(x)+80j
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	esi

loc_60E9FE:				; CODE XREF: IoPerfReset(x)+79j
					; IoPerfReset(x)+93j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		pop	esi
		leave
		retn
_IoPerfReset@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopPerfCompletionRoutine(x,	x, x)
_IopPerfCompletionRoutine@12 proc near	; DATA XREF: IopPerfCompleteRequest(x,x)+15Eo
					; IopPerfCompletionRoutine(x,x,x):loc_60EAF6o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	[ebp+var_1C], eax
		push	edi
		mov	edi, [ebp+arg_8]
		mov	al, [ebx+22h]
		inc	al
		mov	[ebp+var_16], al
		mov	esi, [edi]
		mov	al, [ebx+23h]
		mov	[ebp+var_15], al
		mov	al, [esi+3]
		and	al, 2
		or	al, [edi+10h]
		mov	[esi+3], al
		mov	ecx, [edi+8]
		mov	[esi+1Ch], ecx
		mov	edx, [edi+4]
		mov	[esi+20h], edx
		test	ecx, ecx
		jnz	short loc_60EA70
		cmp	[ebx+21h], cl
		jz	short loc_60EA6C
		mov	al, [ebx+23h]
		cmp	al, [ebx+22h]
		jg	short loc_60EA6C
		mov	eax, [ebx+60h]
		or	byte ptr [eax+3], 1

loc_60EA6C:				; CODE XREF: IopPerfCompletionRoutine(x,x,x)+4Fj
					; IopPerfCompletionRoutine(x,x,x)+57j
		xor	ecx, ecx
		jmp	short loc_60EAC0
; 

loc_60EA70:				; CODE XREF: IopPerfCompletionRoutine(x,x,x)+4Aj
		mov	eax, [edi+0Ch]
		push	edx
		push	ebx
		push	[ebp+var_1C]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], eax
		call	ecx
		and	[ebp+var_10], 0
		lea	ecx, [ebp+var_14]
		and	[ebp+var_8], 0
		xor	edx, edx
		push	offset byte_401802
		mov	[ebp+var_1C], eax
		inc	edx
		push	125h
		lea	eax, [ebp+var_28]
		mov	[ebp+var_C], 0Ch
		push	20000010h
		mov	[ebp+var_14], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_1C]
		cmp	ecx, 0C0000016h
		jz	short loc_60EB00

loc_60EAC0:				; CODE XREF: IopPerfCompletionRoutine(x,x,x)+62j
		mov	al, [ebp+var_15]
		cmp	al, [ebp+var_16]
		jz	short loc_60EB00
		and	dword ptr [edi+8], 0
		add	esi, 24h
		mov	eax, [esi+20h]
		mov	[edi+4], eax
		mov	[edi], esi
		mov	al, [esi+3]
		mov	[edi+10h], al
		cmp	dword ptr [ebx+18h], 0
		mov	al, [esi+3]
		jl	short loc_60EB13
		test	al, 40h
		jz	short loc_60EB17

loc_60EAEA:				; CODE XREF: IopPerfCompletionRoutine(x,x,x)+109j
					; IopPerfCompletionRoutine(x,x,x)+113j
		mov	eax, [esi+1Ch]
		mov	[edi+8], eax
		mov	eax, [esi+20h]
		mov	[edi+4], eax

loc_60EAF6:				; CODE XREF: IopPerfCompletionRoutine(x,x,x)+11Aj
		mov	dword ptr [esi+1Ch], offset _IopPerfCompletionRoutine@12 ; IopPerfCompletionRoutine(x,x,x)
		mov	[esi+20h], edi

loc_60EB00:				; CODE XREF: IopPerfCompletionRoutine(x,x,x)+B2j
					; IopPerfCompletionRoutine(x,x,x)+BAj
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_60EB13:				; CODE XREF: IopPerfCompletionRoutine(x,x,x)+D8j
		test	al, al
		js	short loc_60EAEA

loc_60EB17:				; CODE XREF: IopPerfCompletionRoutine(x,x,x)+DCj
		cmp	byte ptr [ebx+24h], 0
		jz	short loc_60EB21
		test	al, 20h
		jnz	short loc_60EAEA

loc_60EB21:				; CODE XREF: IopPerfCompletionRoutine(x,x,x)+10Fj
		or	al, 0C0h
		mov	[esi+3], al
		jmp	short loc_60EAF6
_IopPerfCompletionRoutine@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopPerfLogCallEvent(x, x, x)
_IopPerfLogCallEvent@12	proc near	; CODE XREF: IopPerfCallDriver(x,x)+60p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_28], 0
		test	byte ptr [edx+8], 8
		push	esi
		mov	esi, [edx+60h]
		movzx	eax, byte ptr [esi-24h]
		mov	[ebp+var_34], eax
		movzx	eax, byte ptr [esi-23h]
		mov	[ebp+var_30], eax
		movzx	eax, byte ptr [esi-24h]
		mov	eax, [ecx+eax*4+38h]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], eax
		jz	short loc_60EB7A
		mov	eax, [edx+0Ch]
		test	eax, eax
		jz	short loc_60EB76
		mov	eax, [eax+64h]
		jmp	short loc_60EB7D
; 

loc_60EB76:				; CODE XREF: IopPerfLogCallEvent(x,x,x)+47j
		xor	eax, eax
		jmp	short loc_60EB7D
; 

loc_60EB7A:				; CODE XREF: IopPerfLogCallEvent(x,x,x)+40j
		mov	eax, [edx+64h]

loc_60EB7D:				; CODE XREF: IopPerfLogCallEvent(x,x,x)+4Cj
					; IopPerfLogCallEvent(x,x,x)+50j
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	short loc_60EB8E
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	short loc_60EB8E
		mov	[ebp+var_28], eax

loc_60EB8E:				; CODE XREF: IopPerfLogCallEvent(x,x,x)+5Aj
					; IopPerfLogCallEvent(x,x,x)+61j
		and	[ebp+var_18], 0
		lea	eax, [ebp+var_34]
		and	[ebp+var_10], 0
		lea	ecx, [ebp+var_1C]
		push	offset byte_401802
		push	122h
		xor	edx, edx
		mov	[ebp+var_1C], eax
		push	20000010h
		inc	edx
		mov	[ebp+var_14], 18h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_IopPerfLogCallEvent@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopPerfLogCallReturnEvent(x, x)
_IopPerfLogCallReturnEvent@8 proc near	; CODE XREF: IopPerfCallDriver(x,x)+75p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_1C]
		and	[ebp+var_8], 0
		push	offset byte_401802
		mov	[ebp+var_18], edx
		xor	edx, edx
		push	123h
		mov	[ebp+var_1C], ecx
		inc	edx
		push	20000010h
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 8
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopPerfLogCallReturnEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopProcessIoTracking(x, x, x)
_IopProcessIoTracking@12 proc near	; CODE XREF: IopPerfCompleteRequest(x,x)+A6p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_20]
		push	6
		mov	edx, ecx
		mov	[ebp+var_28], eax
		pop	ecx
		rep stosd
		mov	[ebp+var_21], al
		mov	eax, [ebx+8]
		mov	[ebp+var_18], eax
		mov	eax, [ebx+0Ch]
		push	18h
		mov	[ebp+var_14], eax
		pop	eax
		mov	[ebp+var_10], edx
		mov	word ptr [ebp+var_20], ax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_60EC89
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	[ebp+var_21], 1

loc_60EC89:				; CODE XREF: IopProcessIoTracking(x,x,x)+56j
		mov	esi, offset _IopPerfIoTrackingLock
		xor	ecx, ecx
		mov	eax, esi
		mov	[ebp+var_34], ecx
		and	eax, 7FFFFFFCh
		mov	[ebp+var_30], eax
		jnz	short loc_60ECA6
		xor	edi, edi
		jmp	loc_60EDCD
; 

loc_60ECA6:				; CODE XREF: IopProcessIoTracking(x,x,x)+7Ej
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_60ECD7
		mov	[ebp+var_28], ecx
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		mov	edi, ecx
		jmp	loc_60ED99
; 

loc_60ECD7:				; CODE XREF: IopProcessIoTracking(x,x,x)+A4j
		mov	dl, [esi+1E4h]
		mov	[ebp+var_2C], ecx
		test	dl, dl
		jnz	short loc_60ECFA
		lea	edx, [esi+222h]
		cmp	[edx], cl
		jz	short loc_60ED28
		xor	al, al
		xchg	al, [edx]
		mov	dl, [esi+1E4h]
		or	dl, al

loc_60ECFA:				; CODE XREF: IopProcessIoTracking(x,x,x)+C3j
		movzx	ecx, dl
		bsf	eax, ecx
		imul	edx, eax, 30h
		btr	ecx, eax
		mov	[ebp+var_2C], eax
		mov	[esi+1E4h], cl
		add	edx, [esi+1E8h]

loc_60ED15:				; CODE XREF: IopProcessIoTracking(x,x,x)+12Ej
		mov	edi, edx
		mov	[ebp+var_28], edi
		test	edx, edx
		jnz	short loc_60ED4F

loc_60ED1E:				; CODE XREF: IopProcessIoTracking(x,x,x)+11Dj
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_60ED99
; 

loc_60ED28:				; CODE XREF: IopProcessIoTracking(x,x,x)+CDj
		test	dword ptr ds:byte_70EFC4, 200h
		mov	[ebp+var_28], ecx
		jnz	short loc_60ED3E
		mov	[ebp+var_28], ecx
		mov	edi, ecx
		jmp	short loc_60ED1E
; 

loc_60ED3E:				; CODE XREF: IopProcessIoTracking(x,x,x)+116j
		mov	edx, offset _IopPerfIoTrackingLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, [ebp+var_28]
		jmp	short loc_60ED15
; 

loc_60ED4F:				; CODE XREF: IopProcessIoTracking(x,x,x)+FDj
		mov	ecx, ds:dword_6D07D0
		mov	eax, offset _IopPerfIoTrackingLock
		shr	eax, 15h
		cmp	ecx, offset _IopPerfIoTrackingLock
		ja	short loc_60ED8C
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_60ED7F
		cmp	ecx, offset _IopPerfIoTrackingLock
		ja	short loc_60ED8C
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_60ED8C

loc_60ED7F:				; CODE XREF: IopProcessIoTracking(x,x,x)+14Dj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_60ED8F
; 

loc_60ED8C:				; CODE XREF: IopProcessIoTracking(x,x,x)+144j
					; IopProcessIoTracking(x,x,x)+155j ...
		or	eax, 0FFFFFFFFh

loc_60ED8F:				; CODE XREF: IopProcessIoTracking(x,x,x)+16Bj
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp+var_30]
		mov	[edx+10h], eax

loc_60ED99:				; CODE XREF: IopProcessIoTracking(x,x,x)+B3j
					; IopProcessIoTracking(x,x,x)+107j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_34]
		push	eax
		mov	edx, offset _IopPerfIoTrackingLock
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_60EDC8
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_60EDC8
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_60EDC8:				; CODE XREF: IopProcessIoTracking(x,x,x)+19Aj
					; IopProcessIoTracking(x,x,x)+1A2j
		mov	esi, offset _IopPerfIoTrackingLock

loc_60EDCD:				; CODE XREF: IopProcessIoTracking(x,x,x)+82j
		push	11h
		pop	ecx
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_60EDF4
		mov	ecx, esi
		call	@ExfTryAcquirePushLockShared@4 ; ExfTryAcquirePushLockShared(x)
		test	al, al
		jnz	short loc_60EDF4
		test	edi, edi
		jz	short loc_60EE3A
		mov	edx, edi
		mov	ecx, esi
		call	KeAbPostReleaseEx
		jmp	short loc_60EE3A
; 

loc_60EDF4:				; CODE XREF: IopProcessIoTracking(x,x,x)+1B9j
					; IopProcessIoTracking(x,x,x)+1C4j
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_60EDFF
		or	byte ptr [eax+0Eh], 1

loc_60EDFF:				; CODE XREF: IopProcessIoTracking(x,x,x)+1DAj
		mov	esi, ds:_IopPerfIoTrackingListHead
		mov	edi, offset _IopPerfIoTrackingListHead
		jmp	short loc_60EE15
; 

loc_60EE0C:				; CODE XREF: IopProcessIoTracking(x,x,x)+1F8j
		lea	eax, [ebp+var_20]
		push	eax
		call	dword ptr [esi+8]
		mov	esi, [esi]

loc_60EE15:				; CODE XREF: IopProcessIoTracking(x,x,x)+1EBj
		cmp	esi, edi
		jnz	short loc_60EE0C
		push	11h
		xor	ecx, ecx
		mov	esi, offset _IopPerfIoTrackingLock
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_60EE33
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_60EE33:				; CODE XREF: IopProcessIoTracking(x,x,x)+20Bj
		mov	ecx, esi
		call	KeAbPostRelease

loc_60EE3A:				; CODE XREF: IopProcessIoTracking(x,x,x)+1C8j
					; IopProcessIoTracking(x,x,x)+1D3j
		cmp	[ebp+var_21], 1
		jnz	short loc_60EE4C
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_60EE4C:				; CODE XREF: IopProcessIoTracking(x,x,x)+21Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_IopProcessIoTracking@12 endp ;	sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_FeatureReporting_IncrementOpportunityInCache(x,	x, x, x)
_wil_details_FeatureReporting_IncrementOpportunityInCache@16 proc near
					; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+CCp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	eax, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], eax
		xor	ebx, ebx
		cmp	edi, 5
		mov	eax, [eax]
		mov	[ebp+var_4], eax
		setz	bl

loc_60EE82:				; CODE XREF: wil_details_FeatureReporting_IncrementOpportunityInCache(x,x,x,x)+A1j
		and	dword ptr [esi+4], 0
		or	eax, 1
		mov	ecx, eax
		shr	ecx, 16h
		and	ecx, 1
		cmp	ecx, ebx
		jz	short loc_60EEC5
		mov	edx, eax
		shr	edx, 0Fh
		and	edx, 7Fh
		jbe	short loc_60EEB9
		xor	ecx, ecx
		mov	[esi+4], edx
		cmp	edi, 1
		setz	cl
		and	eax, 0FFC07FFFh
		lea	ecx, ds:1[ecx*4]
		mov	[esi+8], ecx

loc_60EEB9:				; CODE XREF: wil_details_FeatureReporting_IncrementOpportunityInCache(x,x,x,x)+3Cj
		mov	ecx, ebx
		and	eax, 0FFBFFFFFh
		shl	ecx, 16h
		or	eax, ecx

loc_60EEC5:				; CODE XREF: wil_details_FeatureReporting_IncrementOpportunityInCache(x,x,x,x)+32j
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		shr	edx, 0Fh
		and	edx, 7Fh
		add	ecx, edx
		cmp	ecx, 7Fh
		ja	short loc_60EEDB
		cmp	ecx, edx
		jnb	short loc_60EEE4

loc_60EEDB:				; CODE XREF: wil_details_FeatureReporting_IncrementOpportunityInCache(x,x,x,x)+74j
		mov	ecx, [ebp+arg_0]
		mov	[esi+8], edi
		mov	[esi+4], edx

loc_60EEE4:				; CODE XREF: wil_details_FeatureReporting_IncrementOpportunityInCache(x,x,x,x)+78j
		shl	ecx, 0Fh
		lea	edx, [ebp+var_4]
		xor	ecx, eax
		and	ecx, 3F8000h
		xor	ecx, eax
		push	ecx
		mov	ecx, [ebp+var_8]
		call	_wil_atomic_uint32_compare_exchange_relaxed@12 ; wil_atomic_uint32_compare_exchange_relaxed(x,x,x)
		test	eax, eax
		mov	eax, [ebp+var_4]
		jz	loc_60EE82
		not	eax
		and	eax, 1
		and	dword ptr [esi+10h], 0
		pop	edi
		mov	[esi], eax
		pop	esi
		pop	ebx
		leave
		retn	8
_wil_details_FeatureReporting_IncrementOpportunityInCache@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_FeatureReporting_IncrementUsageInCache(x, x, x,	x)
_wil_details_FeatureReporting_IncrementUsageInCache@16 proc near
					; CODE XREF: wil_details_FeatureReporting_RecordUsageInCache(x,x,x,x)+BCp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	eax, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], eax
		xor	ebx, ebx
		cmp	edi, 4
		mov	eax, [eax]
		mov	[ebp+var_4], eax
		setz	bl

loc_60EF3B:				; CODE XREF: wil_details_FeatureReporting_IncrementUsageInCache(x,x,x,x)+A7j
		and	dword ptr [esi+4], 0
		or	eax, 1
		mov	ecx, eax
		shr	ecx, 0Eh
		and	ecx, 1
		cmp	ecx, ebx
		jz	short loc_60EF7E
		mov	edx, eax
		shr	edx, 5
		and	edx, 1FFh
		jbe	short loc_60EF72
		mov	ecx, edi
		mov	[esi+4], edx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 0FFFFFFFCh
		add	ecx, 4
		and	eax, 0FFFFC01Fh
		mov	[esi+8], ecx

loc_60EF72:				; CODE XREF: wil_details_FeatureReporting_IncrementUsageInCache(x,x,x,x)+3Fj
		mov	ecx, ebx
		and	eax, 0FFFFBFFFh
		shl	ecx, 0Eh
		or	eax, ecx

loc_60EF7E:				; CODE XREF: wil_details_FeatureReporting_IncrementUsageInCache(x,x,x,x)+32j
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		shr	edx, 5
		and	edx, 1FFh
		add	ecx, edx
		cmp	ecx, 1FFh
		ja	short loc_60EF9A
		cmp	ecx, edx
		jnb	short loc_60EFA3

loc_60EF9A:				; CODE XREF: wil_details_FeatureReporting_IncrementUsageInCache(x,x,x,x)+7Aj
		mov	ecx, [ebp+arg_0]
		mov	[esi+8], edi
		mov	[esi+4], edx

loc_60EFA3:				; CODE XREF: wil_details_FeatureReporting_IncrementUsageInCache(x,x,x,x)+7Ej
		shl	ecx, 5
		lea	edx, [ebp+var_4]
		xor	ecx, eax
		and	ecx, 3FE0h
		xor	ecx, eax
		push	ecx
		mov	ecx, [ebp+var_8]
		call	_wil_atomic_uint32_compare_exchange_relaxed@12 ; wil_atomic_uint32_compare_exchange_relaxed(x,x,x)
		test	eax, eax
		mov	eax, [ebp+var_4]
		jz	loc_60EF3B
		not	eax
		and	eax, 1
		and	dword ptr [esi+10h], 0
		pop	edi
		mov	[esi], eax
		pop	esi
		pop	ebx
		leave
		retn	8
_wil_details_FeatureReporting_IncrementUsageInCache@16 endp


;  S U B	R O U T	I N E 


; __stdcall wil_details_StagingConfigFeature_HasUniqueState(x)
_wil_details_StagingConfigFeature_HasUniqueState@4 proc	near
					; CODE XREF: wil_details_StagingConfig_QueryFeatureState+CF809p
					; wil_details_StagingConfig_EnumerateFeatures(x,x,x)+20p
		cmp	dword ptr [ecx], 0
		jz	short loc_60F013
		mov	edx, [ecx+4]
		mov	ecx, edx
		shr	ecx, 2
		mov	eax, edx
		or	ecx, edx
		shr	ecx, 2
		or	ecx, edx
		and	ecx, 300h
		neg	ecx
		sbb	cl, cl
		and	eax, 3F000000h
		inc	cl
		neg	eax
		sbb	al, al
		inc	al
		test	cl, al
		jz	short loc_60F00F
		test	dl, 2
		jz	short loc_60F013

loc_60F00F:				; CODE XREF: wil_details_StagingConfigFeature_HasUniqueState(x)+2Fj
		xor	eax, eax
		inc	eax
		retn
; 

loc_60F013:				; CODE XREF: wil_details_StagingConfigFeature_HasUniqueState(x)+3j
					; wil_details_StagingConfigFeature_HasUniqueState(x)+34j
		xor	eax, eax
		retn
_wil_details_StagingConfigFeature_HasUniqueState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_StagingConfig_EnumerateFeatures(x, x, x)
_wil_details_StagingConfig_EnumerateFeatures@12	proc near
					; CODE XREF: wil_StagingConfig_QueryFeatureState+11D598p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+14h]
		mov	ecx, [ecx+18h]
		push	ebx
		push	edi
		movzx	ebx, word ptr [eax+4]
		xor	edi, edi
		mov	[ebp+var_4], ecx
		test	ebx, ebx
		jz	short loc_60F066
		push	esi
		mov	esi, ecx

loc_60F034:				; CODE XREF: wil_details_StagingConfig_EnumerateFeatures(x,x,x)+5Cj
		mov	ecx, esi
		call	_wil_details_StagingConfigFeature_HasUniqueState@4 ; wil_details_StagingConfigFeature_HasUniqueState(x)
		test	eax, eax
		jz	short loc_60F06C
		test	byte ptr [esi+4], 1
		jnz	short loc_60F05C
		mov	edx, [ebp+var_4]
		xor	ecx, ecx

loc_60F04A:				; CODE XREF: wil_details_StagingConfig_EnumerateFeatures(x,x,x)+44j
		cmp	ecx, edi
		jz	short loc_60F054
		mov	eax, [esi]
		cmp	eax, [edx]
		jz	short loc_60F06C

loc_60F054:				; CODE XREF: wil_details_StagingConfig_EnumerateFeatures(x,x,x)+36j
		inc	ecx
		add	edx, 0Ch
		cmp	ecx, ebx
		jb	short loc_60F04A

loc_60F05C:				; CODE XREF: wil_details_StagingConfig_EnumerateFeatures(x,x,x)+2Dj
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 1

loc_60F065:				; CODE XREF: wil_details_StagingConfig_EnumerateFeatures(x,x,x)+5Ej
		pop	esi

loc_60F066:				; CODE XREF: wil_details_StagingConfig_EnumerateFeatures(x,x,x)+19j
		pop	edi
		pop	ebx
		leave
		retn	4
; 

loc_60F06C:				; CODE XREF: wil_details_StagingConfig_EnumerateFeatures(x,x,x)+27j
					; wil_details_StagingConfig_EnumerateFeatures(x,x,x)+3Cj
		inc	edi
		add	esi, 0Ch
		cmp	edi, ebx
		jb	short loc_60F034
		jmp	short loc_60F065
_wil_details_StagingConfig_EnumerateFeatures@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_60F076	proc near		; CODE XREF: PAGE:007F7D95p
					; PAGE:007F899Ap ...

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	1
		mov	esi, ecx
		push	edx
		push	esi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		test	byte ptr ds:_MmTrackLockedPages, 1
		jz	short loc_60F0A5
		mov	eax, [ebp+arg_4]
		mov	ecx, esi
		mov	edx, [ebp+arg_8]
		push	eax
		mov	eax, [eax+8]
		mov	edx, [eax+edx*4+38h]
		call	_MmUpdateMdlTracker@12 ; MmUpdateMdlTracker(x,x,x)

loc_60F0A5:				; CODE XREF: sub_60F076+18j
		pop	esi
		pop	ebp
		retn	0Ch
sub_60F076	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_60F0AA	proc near		; CODE XREF: PAGE:007F66D7p
					; NtSetEaFile(x,x,x,x)+2E2p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_0]
		mov	esi, ecx
		push	edx
		push	esi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		test	byte ptr ds:_MmTrackLockedPages, 1
		jz	short loc_60F0DA
		mov	eax, [ebp+arg_4]
		mov	ecx, esi
		mov	edx, [ebp+arg_8]
		push	eax
		mov	eax, [eax+8]
		mov	edx, [eax+edx*4+38h]
		call	_MmUpdateMdlTracker@12 ; MmUpdateMdlTracker(x,x,x)

loc_60F0DA:				; CODE XREF: sub_60F0AA+19j
		pop	esi
		pop	ebp
		retn	0Ch
sub_60F0AA	endp


;  S U B	R O U T	I N E 


sub_60F0DF	proc near		; CODE XREF: PAGE:loc_7F6491p
					; NtSetEaFile(x,x,x,x):loc_95F76Fp ...
		cmp	ds:_ViVerifierEnabled, 0
		jz	short loc_60F11D
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_60F0FD
		test	byte ptr ds:dword_6FDE00, 6
		jz	short loc_60F11D

loc_60F0FD:				; CODE XREF: sub_60F0DF+13j
		mov	eax, ds:_MmVerifierData
		and	eax, 10h
		or	eax, 40h
		shr	eax, 1
		push	eax
		push	20206F49h
		push	10h
		push	200h
		call	ExAllocatePoolWithTagPriority
		retn
; 

loc_60F11D:				; CODE XREF: sub_60F0DF+7j
					; sub_60F0DF+1Cj
		push	20206F49h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
sub_60F0DF	endp


;  S U B	R O U T	I N E 


sub_60F12F	proc near		; CODE XREF: IopAllocateAndPopulateWriteIrp(x,x)+DEp
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+14Bp ...
		cmp	ds:_ViVerifierEnabled, 0
		jz	short loc_60F175
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_60F14D
		test	byte ptr ds:dword_6FDE00, 6
		jz	short loc_60F175

loc_60F14D:				; CODE XREF: sub_60F12F+13j
		mov	eax, ds:_MmVerifierData
		and	eax, 10h
		or	eax, 40h
		shr	eax, 1
		push	eax
		push	20206F49h
		push	edx
		push	ecx
		call	ExAllocatePoolWithTagPriority
		test	eax, eax
		jnz	short locret_60F181
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_60F175:				; CODE XREF: sub_60F12F+7j
					; sub_60F12F+1Cj
		push	20206F49h
		push	edx
		push	ecx
		call	ExAllocatePoolWithQuotaTag

locret_60F181:				; CODE XREF: sub_60F12F+3Aj
		retn
sub_60F12F	endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopProbeAndLockSelectedPages proc near	; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+505p

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	0
		push	[ebp+arg_0]
		mov	esi, ecx
		push	edx
		push	esi
		call	MmProbeAndLockSelectedPages
		test	byte ptr ds:_MmTrackLockedPages, 1
		jz	short loc_60F1B4
		mov	eax, [ebp+arg_8]
		mov	ecx, esi
		mov	edx, [ebp+arg_C]
		push	eax
		mov	eax, [eax+8]
		mov	edx, [eax+edx*4+38h]
		call	_MmUpdateMdlTracker@12 ; MmUpdateMdlTracker(x,x,x)

loc_60F1B4:				; CODE XREF: IopProbeAndLockSelectedPages+1Bj
		pop	esi
		pop	ebp
		retn	10h
IopProbeAndLockSelectedPages endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpGetMillisecondCounter(x)
_IopLiveDumpGetMillisecondCounter@4 proc near
					; CODE XREF: IopLiveDumpCorralProcessors(x)+8Dp
					; IopLiveDumpCorralProcessors(x)+13Ep ...
		mov	edi, edi
		push	ebx
		push	esi
		xor	esi, esi
		mov	bl, cl
		push	esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		push	esi
		push	3E8h
		push	edx
		push	eax
		call	__allmul
		push	ds:dword_6CCB7C
		push	ds:_PerformanceFrequency
		push	edx
		push	eax
		call	__alldiv
		mov	ecx, edx
		test	bl, bl
		jz	short loc_60F1F2
		mov	edx, esi
		jmp	short loc_60F20E
; 

loc_60F1F2:				; CODE XREF: IopLiveDumpGetMillisecondCounter(x)+33j
		mov	esi, ds:dword_6FDF88
		sub	esi, ds:dword_6FDF80
		mov	edx, ds:dword_6FDF8C
		sbb	edx, ds:dword_6FDF84
		add	esi, eax
		adc	edx, ecx

loc_60F20E:				; CODE XREF: IopLiveDumpGetMillisecondCounter(x)+37j
		mov	ds:dword_6FDF80, eax
		mov	eax, esi
		mov	ds:dword_6FDF88, esi
		pop	esi
		mov	ds:dword_6FDF8C, edx
		mov	ds:dword_6FDF84, ecx
		pop	ebx
		retn
_IopLiveDumpGetMillisecondCounter@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpIsTracingEnabled()
_IopLiveDumpIsTracingEnabled@0 proc near ; CODE	XREF: IopLiveDumpTrace(x)p
					; IopLiveDumpTraceAllocationFromVMMemoryPartitionFailure(x,x)+19p ...
		mov	eax, ds:_IopLiveDumpEtwRegHandle
		or	eax, ds:dword_6FD4A4
		jz	short loc_60F243
		cmp	ds:_IopLiveDumpEtwEnabled, 0
		jz	short loc_60F243
		mov	al, 1
		retn
; 

loc_60F243:				; CODE XREF: IopLiveDumpIsTracingEnabled()+Bj
					; IopLiveDumpIsTracingEnabled()+14j
		xor	al, al
		retn
_IopLiveDumpIsTracingEnabled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpIsUnderMemoryPressure(x,	x, x)
_IopLiveDumpIsUnderMemoryPressure@12 proc near
					; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+1B4p
					; IopLiveDumpAllocAndInitResources(x)+3Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		test	ecx, ecx
		jz	short loc_60F256
		cmp	[ecx+4], eax
		jnz	short loc_60F26B

loc_60F256:				; CODE XREF: IopLiveDumpIsUnderMemoryPressure(x,x,x)+9j
		test	edx, edx
		jz	short loc_60F25F
		cmp	[edx+4], eax
		jnz	short loc_60F26B

loc_60F25F:				; CODE XREF: IopLiveDumpIsUnderMemoryPressure(x,x,x)+12j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_60F26D
		cmp	[ecx+4], eax
		jz	short loc_60F26D

loc_60F26B:				; CODE XREF: IopLiveDumpIsUnderMemoryPressure(x,x,x)+Ej
					; IopLiveDumpIsUnderMemoryPressure(x,x,x)+17j
		mov	al, 1

loc_60F26D:				; CODE XREF: IopLiveDumpIsUnderMemoryPressure(x,x,x)+1Ej
					; IopLiveDumpIsUnderMemoryPressure(x,x,x)+23j
		pop	ebp
		retn	4
_IopLiveDumpIsUnderMemoryPressure@12 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpTrace(x)
_IopLiveDumpTrace@4 proc near		; CODE XREF: IopLiveDumpStartDumpDataBuffering(x)+18p
					; IopLiveDumpStartDumpDataBuffering(x)+34p ...
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	short locret_60F291
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	ecx
		push	ds:dword_6FD4A4
		push	ds:_IopLiveDumpEtwRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

locret_60F291:				; CODE XREF: IopLiveDumpTrace(x)+7j
		retn
_IopLiveDumpTrace@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceAllocationFromVMMemoryPartitionFailure(x, x)
_IopLiveDumpTraceAllocationFromVMMemoryPartitionFailure@8 proc near
					; CODE XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+132p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	[ebp+var_28], 0C0000017h
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	short loc_60F2F7
		lea	eax, [ecx+2ACh]
		xor	edx, edx
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_BUFFER_ALLOCATION_FROM_VM_MEMORY_PARTITION_FAILURE
		push	ds:dword_6FD4A4
		mov	[ebp+var_20], edx
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_60F2F7:				; CODE XREF: IopLiveDumpTraceAllocationFromVMMemoryPartitionFailure(x,x)+20j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopLiveDumpTraceAllocationFromVMMemoryPartitionFailure@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceBufferAllocation(x)
_IopLiveDumpTraceBufferAllocation@4 proc near
					; CODE XREF: IopLiveDumpAllocAndInitResources(x)+32Dp

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	loc_60F40B
		mov	eax, [ecx+1C4h]
		push	esi
		mov	esi, 1000h
		mul	esi
		push	8
		mov	[ebp+var_7C], eax
		mov	eax, [ecx+1C8h]
		mov	[ebp+var_78], edx
		mul	esi
		mov	[ebp+var_84], eax
		mov	eax, [ecx+1CCh]
		mov	[ebp+var_80], edx
		mul	esi
		xor	esi, esi
		mov	[ebp+var_94], eax
		mov	eax, [ecx+58h]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_44], eax
		lea	eax, [ecx+1F0h]
		mov	[ebp+var_34], eax
		lea	eax, [ecx+1F8h]
		mov	[ebp+var_24], eax
		lea	eax, [ecx+0B0h]
		mov	[ebp+var_90], edx
		pop	edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	esi
		push	offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_BUFFER_ALLOCATION
		push	ds:dword_6FD4A4
		mov	[ebp+var_88], esi
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_70], esi
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], esi
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	esi

loc_60F40B:				; CODE XREF: IopLiveDumpTraceBufferAllocation(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopLiveDumpTraceBufferAllocation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceBufferEstimation(x)
_IopLiveDumpTraceBufferEstimation@4 proc near
					; CODE XREF: IopLiveDumpEstimateMemoryPages(x)+175p

var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0DCh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	loc_60F5A7
		mov	eax, [ecx+3Ch]
		push	esi
		mov	esi, 1000h
		mul	esi
		push	8
		mov	[ebp+var_BC], eax
		mov	eax, [ecx+38h]
		mov	[ebp+var_B8], edx
		mul	esi
		mov	[ebp+var_C4], eax
		mov	eax, [ecx+48h]
		mov	[ebp+var_C0], edx
		mul	esi
		mov	[ebp+var_CC], eax
		mov	eax, [ecx+4Ch]
		mov	[ebp+var_C8], edx
		mul	esi
		mov	[ebp+var_DC], eax
		mov	eax, [ecx+50h]
		mov	[ebp+var_D8], edx
		mul	esi
		xor	esi, esi
		mov	[ebp+var_D4], eax
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_74], eax
		lea	eax, [ecx+108h]
		mov	[ebp+var_64], eax
		lea	eax, [ecx+110h]
		mov	[ebp+var_54], eax
		lea	eax, [ecx+118h]
		mov	[ebp+var_44], eax
		lea	eax, [ecx+128h]
		mov	[ebp+var_34], eax
		lea	eax, [ecx+130h]
		mov	[ebp+var_24], eax
		lea	eax, [ecx+0A8h]
		mov	[ebp+var_D0], edx
		pop	edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_B0], esi
		mov	[ebp+var_AC], edx
		mov	[ebp+var_A8], esi
		mov	[ebp+var_A0], esi
		mov	[ebp+var_9C], edx
		mov	[ebp+var_98], esi
		mov	[ebp+var_90], esi
		mov	[ebp+var_8C], edx
		mov	[ebp+var_88], esi
		mov	[ebp+var_80], esi
		mov	[ebp+var_7C], edx
		mov	[ebp+var_78], esi
		mov	[ebp+var_70], esi
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], esi
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], esi
		push	eax
		push	0Bh
		push	esi
		push	offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_BUFFER_ESTIMATION
		push	ds:dword_6FD4A4
		push	ds:_IopLiveDumpEtwRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	esi

loc_60F5A7:				; CODE XREF: IopLiveDumpTraceBufferEstimation(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopLiveDumpTraceBufferEstimation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceCaptureDumpDataBufferingDuration(x)
_IopLiveDumpTraceCaptureDumpDataBufferingDuration@4 proc near
					; CODE XREF: IopLiveDumpStartDumpDataBuffering(x)+53p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	loc_60F683
		xor	ebx, ebx
		cmp	[esi+0FCh], ebx
		jnz	loc_60F683
		test	byte ptr [esi+0BCh], 1
		jz	loc_60F683
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], ebx
		push	eax
		push	1
		push	ebx
		push	offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_DUMP_DATA_BUFFERING
		push	ds:dword_6FD4A4
		lea	edi, [esi+170h]
		mov	[ebp+var_10], 8
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_18], edi
		mov	[ebp+var_C], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	ds:dword_6B2CE0, 5
		jbe	short loc_60F683
		push	2000h
		push	ebx
		mov	ecx, offset dword_6B2CE0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_60F683
		mov	eax, [edi]
		mov	[ebp+var_50], eax
		mov	eax, [edi+4]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	3
		lea	eax, [esi+220h]
		mov	[ebp+var_24], ebx
		push	eax
		lea	eax, [esi+230h]
		mov	[ebp+var_20], 8
		push	eax
		push	offset loc_41BBBD
		push	offset dword_6B2CE0
		mov	[ebp+var_1C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_60F683:				; CODE XREF: IopLiveDumpTraceCaptureDumpDataBufferingDuration(x)+1Ej
					; IopLiveDumpTraceCaptureDumpDataBufferingDuration(x)+2Cj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopLiveDumpTraceCaptureDumpDataBufferingDuration@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceCaptureGenerateIptSecondaryDataDuration(x, x, x)
_IopLiveDumpTraceCaptureGenerateIptSecondaryDataDuration@12 proc near
					; CODE XREF: IopLiveDumpGenerateIptSecondaryData()+174p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	loc_60F75B
		xor	edi, edi
		cmp	[esi+0FCh], edi
		jnz	loc_60F75B
		test	byte ptr [esi+0BCh], 1
		jz	loc_60F75B
		push	8
		pop	ebx
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], edi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	1
		push	edi
		push	offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_GENERATE_IPT_SECONDARY_DATA
		push	ds:dword_6FD4A4
		mov	[ebp+var_10], ebx
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_C], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	ds:dword_6B2CE0, 5
		jbe	short loc_60F75B
		push	2000h
		push	edi
		mov	ecx, offset dword_6B2CE0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_60F75B
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	3
		lea	eax, [esi+220h]
		mov	[ebp+var_24], edi
		push	eax
		lea	eax, [esi+230h]
		mov	[ebp+var_20], ebx
		push	eax
		push	offset loc_41B99E
		push	offset dword_6B2CE0
		mov	[ebp+var_1C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_60F75B:				; CODE XREF: IopLiveDumpTraceCaptureGenerateIptSecondaryDataDuration(x,x,x)+1Ej
					; IopLiveDumpTraceCaptureGenerateIptSecondaryDataDuration(x,x,x)+2Cj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_IopLiveDumpTraceCaptureGenerateIptSecondaryDataDuration@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceCaptureMemoryPages(x)
_IopLiveDumpTraceCaptureMemoryPages@4 proc near
					; CODE XREF: IopLiveDumpCaptureMemoryPages(x)+11Ap

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	loc_60F82D
		lea	eax, [ecx+138h]
		mov	[ebp+var_74], eax
		lea	eax, [ecx+140h]
		mov	[ebp+var_64], eax
		lea	eax, [ecx+148h]
		mov	[ebp+var_54], eax
		lea	eax, [ecx+158h]
		mov	[ebp+var_44], eax
		lea	eax, [ecx+160h]
		push	esi
		xor	esi, esi
		mov	[ebp+var_34], eax
		push	8
		pop	edx
		lea	eax, [ecx+168h]
		mov	[ebp+var_70], esi
		mov	[ebp+var_24], eax
		lea	eax, [ecx+170h]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	esi
		push	offset _LIVEDUMP_EVENT_CAPTURE_WORKFLOW_CAPTURE_MEMORY_PAGES
		push	ds:dword_6FD4A4
		mov	[ebp+var_6C], edx
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_68], esi
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	esi

loc_60F82D:				; CODE XREF: IopLiveDumpTraceCaptureMemoryPages(x)+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopLiveDumpTraceCaptureMemoryPages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceCaptureProcessorContextDuration(x, x, x)
_IopLiveDumpTraceCaptureProcessorContextDuration@12 proc near
					; CODE XREF: IopLiveDumpEndMirroringCallback(x)+146p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	loc_60F911
		xor	edi, edi
		cmp	[esi+0FCh], edi
		jnz	loc_60F911
		test	byte ptr [esi+0BCh], 1
		jz	loc_60F911
		test	byte ptr [esi+30h], 1
		mov	eax, offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUISCED_CAPTURE_PROCESSOR_CONTEXT
		jnz	short loc_60F888
		mov	eax, offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_CAPTURE_PROCESSOR_CONTEXT

loc_60F888:				; CODE XREF: IopLiveDumpTraceCaptureProcessorContextDuration(x,x,x)+48j
		lea	ecx, [ebp+arg_0]
		mov	[ebp+var_14], edi
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_18]
		push	ecx
		push	1
		push	edi
		push	eax
		push	ds:dword_6FD4A4
		mov	[ebp+var_10], 8
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_C], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	ds:dword_6B2CE0, 5
		jbe	short loc_60F911
		push	2000h
		mov	ebx, offset dword_6B2CE0
		push	edi
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_60F911
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	3
		lea	eax, [esi+220h]
		mov	[ebp+var_24], edi
		push	eax
		lea	eax, [esi+230h]
		mov	[ebp+var_20], 8
		push	eax
		push	offset loc_41BABB
		push	ebx
		mov	[ebp+var_1C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_60F911:				; CODE XREF: IopLiveDumpTraceCaptureProcessorContextDuration(x,x,x)+1Ej
					; IopLiveDumpTraceCaptureProcessorContextDuration(x,x,x)+2Cj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_IopLiveDumpTraceCaptureProcessorContextDuration@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceCorralProcessorsDuration(x,	x, x, x, x, x, x, x, x)
_IopLiveDumpTraceCorralProcessorsDuration@36 proc near
					; CODE XREF: IopLiveDumpCorralProcessors(x)+1B2p

var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	loc_60FAAD
		xor	edi, edi
		cmp	[esi+0FCh], edi
		jnz	loc_60FAAD
		test	byte ptr [esi+0BCh], 1
		jz	loc_60FAAD
		test	byte ptr [esi+30h], 1
		mov	eax, offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUISCED_CORRAL_PROCESSORS
		jnz	short loc_60F974
		mov	eax, offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_CORRAL_PROCESSORS

loc_60F974:				; CODE XREF: IopLiveDumpTraceCorralProcessorsDuration(x,x,x,x,x,x,x,x,x)+4Bj
		lea	ecx, [ebp+arg_0]
		mov	[ebp+var_44], edi
		mov	[ebp+var_48], ecx
		lea	ecx, [ebp+arg_8]
		mov	[ebp+var_38], ecx
		lea	ecx, [ebp+arg_10]
		push	8
		pop	ebx
		mov	[ebp+var_28], ecx
		lea	ecx, [ebp+arg_18]
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_48]
		push	ecx
		push	4
		push	edi
		push	eax
		push	ds:dword_6FD4A4
		mov	[ebp+var_40], ebx
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	ds:dword_6B2CE0, 5
		jbe	loc_60FAAD
		push	2000h
		push	edi
		mov	ecx, offset dword_6B2CE0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_60FAAD
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_B0], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_88], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_C0], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_C8], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	6
		lea	eax, [esi+220h]
		mov	[ebp+var_84], edi
		push	eax
		lea	eax, [esi+230h]
		mov	[ebp+var_80], ebx
		push	eax
		push	offset loc_41B813
		push	offset dword_6B2CE0
		mov	[ebp+var_7C], edi
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], edi
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_60FAAD:				; CODE XREF: IopLiveDumpTraceCorralProcessorsDuration(x,x,x,x,x,x,x,x,x)+21j
					; IopLiveDumpTraceCorralProcessorsDuration(x,x,x,x,x,x,x,x,x)+2Fj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
_IopLiveDumpTraceCorralProcessorsDuration@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceDumpFileWriteEnd(x,	x, x)
_IopLiveDumpTraceDumpFileWriteEnd@12 proc near
					; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+555p
					; IoWriteDeferredLiveDumpData(x)+47p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	loc_60FBDA
		test	edx, edx
		mov	edx, offset _LIVEDUMP_EVENT_WRITE_DUMPDATA_TO_FILE_END
		jz	short loc_60FAEB
		mov	edx, offset _LIVEDUMP_EVENT_WRITE_DEFERRED_DUMPDATA_TO_FILE_END

loc_60FAEB:				; CODE XREF: IopLiveDumpTraceDumpFileWriteEnd(x,x,x)+26j
		push	ebx
		mov	ebx, [ecx+180h]
		xor	ecx, ecx
		push	esi
		push	edi
		mov	[ebp+var_58], ebx
		cmp	[ebp+arg_0], ecx
		jl	short loc_60FB4A
		mov	esi, [ebx+0FA0h]
		mov	edi, [ebx+0FA4h]
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], edi
		mov	ecx, [ebx+1020h]
		mov	eax, [ebx+1024h]
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], ecx
		mov	ecx, [ebp+var_58]
		mov	[ebp+var_64], eax
		mov	ebx, [ebx+1028h]
		mov	ecx, [ecx+102Ch]
		shld	ecx, ebx, 0Ch
		shl	ebx, 0Ch
		sub	esi, ebx
		sbb	edi, ecx
		sub	esi, [ebp+var_6C]
		sbb	edi, eax
		mov	eax, ecx
		xor	ecx, ecx
		jmp	short loc_60FB5E
; 

loc_60FB4A:				; CODE XREF: IopLiveDumpTraceDumpFileWriteEnd(x,x,x)+3Ej
		mov	[ebp+var_60], ecx
		mov	esi, ecx
		mov	[ebp+var_5C], ecx
		mov	edi, ecx
		mov	[ebp+var_68], ecx
		mov	ebx, ecx
		mov	[ebp+var_64], ecx
		mov	eax, ecx

loc_60FB5E:				; CODE XREF: IopLiveDumpTraceDumpFileWriteEnd(x,x,x)+8Aj
		mov	[ebp+var_70], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_74]
		push	8
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_40], ecx
		pop	ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		mov	[ebp+var_7C], esi
		xor	esi, esi
		push	esi
		push	edx
		push	ds:dword_6FD4A4
		mov	[ebp+var_74], ebx
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_78], edi
		mov	[ebp+var_4C], 4
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx

loc_60FBDA:				; CODE XREF: IopLiveDumpTraceDumpFileWriteEnd(x,x,x)+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_IopLiveDumpTraceDumpFileWriteEnd@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceEstimatedAndAllocatedPageCount(x, x, x)
_IopLiveDumpTraceEstimatedAndAllocatedPageCount@12 proc	near
					; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+3DBp

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, [ecx+30h]
		mov	eax, edx
		shr	eax, 9
		shr	edx, 0Ah
		and	eax, 1
		and	edx, 1
		mov	[ebp+var_58], eax
		mov	[ebp+var_5C], edx
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	short loc_60FC94
		push	esi
		push	edi
		lea	eax, [ebp+arg_0]
		xor	edi, edi
		mov	[ebp+var_54], eax
		lea	eax, [ecx+1C0h]
		push	8
		pop	esi
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_34], eax
		lea	eax, [ecx+2B0h]
		push	4
		pop	edx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	edi
		push	offset _LIVEDUMP_EVENT_ESTIMATED_AND_ALLOCATED_MEMORY_PAGES
		push	ds:dword_6FD4A4
		mov	[ebp+var_50], edi
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	edi
		pop	esi

loc_60FC94:				; CODE XREF: IopLiveDumpTraceEstimatedAndAllocatedPageCount(x,x,x)+30j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_IopLiveDumpTraceEstimatedAndAllocatedPageCount@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceInterfaceEnd(x, x, x)
_IopLiveDumpTraceInterfaceEnd@12 proc near
					; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+57Dp
					; IoDiscardDeferredLiveDumpData(x)+12p	...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+18h+var_4], eax
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	short loc_60FD0C
		test	edx, edx
		jnz	short loc_60FCCC
		mov	eax, offset _LIVEDUMP_EVENT_CAPTURE_API_END
		jmp	short loc_60FCDB
; 

loc_60FCCC:				; CODE XREF: IopLiveDumpTraceInterfaceEnd(x,x,x)+21j
		mov	eax, offset _LIVEDUMP_EVENT_WRITE_DEFERRED_DATA_API_END
		cmp	edx, 1
		jz	short loc_60FCDB
		mov	eax, offset _LIVEDUMP_EVENT_DISCARD_DEFERRED_DATA_API_END

loc_60FCDB:				; CODE XREF: IopLiveDumpTraceInterfaceEnd(x,x,x)+28j
					; IopLiveDumpTraceInterfaceEnd(x,x,x)+32j
		lea	ecx, [ebp+arg_0]
		mov	[esp+18h+var_10], 4
		mov	[esp+18h+var_18], ecx
		xor	edx, edx
		lea	ecx, [esp+18h+var_18]
		mov	[esp+18h+var_14], edx
		push	ecx
		push	1
		push	edx
		push	eax
		push	ds:dword_6FD4A4
		mov	[esp+2Ch+var_C], edx
		push	ds:_IopLiveDumpEtwRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_60FD0C:				; CODE XREF: IopLiveDumpTraceInterfaceEnd(x,x,x)+1Dj
		mov	ecx, [esp+18h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_IopLiveDumpTraceInterfaceEnd@12 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpTraceInterfaceStart(x)
_IopLiveDumpTraceInterfaceStart@4 proc near
					; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+A3p
					; IoDiscardDeferredLiveDumpData(x)+8p ...
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	short locret_60FD57
		test	ecx, ecx
		jnz	short loc_60FD31
		mov	eax, offset _LIVEDUMP_EVENT_CAPTURE_API_START
		jmp	short loc_60FD40
; 

loc_60FD31:				; CODE XREF: IopLiveDumpTraceInterfaceStart(x)+Bj
		mov	eax, offset _LIVEDUMP_EVENT_WRITE_DEFERRED_DATA_API_START
		cmp	ecx, 1
		jz	short loc_60FD40
		mov	eax, offset _LIVEDUMP_EVENT_DISCARD_DEFERRED_DATA_API_START

loc_60FD40:				; CODE XREF: IopLiveDumpTraceInterfaceStart(x)+12j
					; IopLiveDumpTraceInterfaceStart(x)+1Cj
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	eax
		push	ds:dword_6FD4A4
		push	ds:_IopLiveDumpEtwRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

locret_60FD57:				; CODE XREF: IopLiveDumpTraceInterfaceStart(x)+7j
		retn
_IopLiveDumpTraceInterfaceStart@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceMarkImportantDumpDataDuration(x, x,	x)
_IopLiveDumpTraceMarkImportantDumpDataDuration@12 proc near
					; CODE XREF: IopLiveDumpMarkImportantDumpData(x,x)+15Cp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	loc_60FE30
		xor	edi, edi
		cmp	[esi+0FCh], edi
		jnz	loc_60FE30
		test	byte ptr [esi+0BCh], 1
		jz	loc_60FE30
		test	byte ptr [esi+30h], 1
		mov	eax, offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUISCED_MARK_IMPORTANT_DUMP_DATA
		jnz	short loc_60FDA7
		mov	eax, offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_MARK_IMPORTANT_DUMP_DATA

loc_60FDA7:				; CODE XREF: IopLiveDumpTraceMarkImportantDumpDataDuration(x,x,x)+48j
		lea	ecx, [ebp+arg_0]
		mov	[ebp+var_14], edi
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_18]
		push	ecx
		push	1
		push	edi
		push	eax
		push	ds:dword_6FD4A4
		mov	[ebp+var_10], 8
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_C], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	ds:dword_6B2CE0, 5
		jbe	short loc_60FE30
		push	2000h
		mov	ebx, offset dword_6B2CE0
		push	edi
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_60FE30
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	3
		lea	eax, [esi+220h]
		mov	[ebp+var_24], edi
		push	eax
		lea	eax, [esi+230h]
		mov	[ebp+var_20], 8
		push	eax
		push	offset loc_41BB75
		push	ebx
		mov	[ebp+var_1C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_60FE30:				; CODE XREF: IopLiveDumpTraceMarkImportantDumpDataDuration(x,x,x)+1Ej
					; IopLiveDumpTraceMarkImportantDumpDataDuration(x,x,x)+2Cj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_IopLiveDumpTraceMarkImportantDumpDataDuration@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceMarkRequiredDumpDataDuration(x, x, x)
_IopLiveDumpTraceMarkRequiredDumpDataDuration@12 proc near
					; CODE XREF: IopLiveDumpMarkRequiredDumpData(x,x)+181p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	loc_60FF19
		xor	edi, edi
		cmp	[esi+0FCh], edi
		jnz	loc_60FF19
		test	byte ptr [esi+0BCh], 1
		jz	loc_60FF19
		test	byte ptr [esi+30h], 1
		mov	eax, offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUISCED_MARK_REQUIRED_DUMP_DATA
		jnz	short loc_60FE90
		mov	eax, offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_MARK_REQUIRED_DUMP_DATA

loc_60FE90:				; CODE XREF: IopLiveDumpTraceMarkRequiredDumpDataDuration(x,x,x)+48j
		lea	ecx, [ebp+arg_0]
		mov	[ebp+var_14], edi
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_18]
		push	ecx
		push	1
		push	edi
		push	eax
		push	ds:dword_6FD4A4
		mov	[ebp+var_10], 8
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_C], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	ds:dword_6B2CE0, 5
		jbe	short loc_60FF19
		push	2000h
		mov	ebx, offset dword_6B2CE0
		push	edi
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_60FF19
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	3
		lea	eax, [esi+220h]
		mov	[ebp+var_24], edi
		push	eax
		lea	eax, [esi+230h]
		mov	[ebp+var_20], 8
		push	eax
		push	offset loc_41BA75
		push	ebx
		mov	[ebp+var_1C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_60FF19:				; CODE XREF: IopLiveDumpTraceMarkRequiredDumpDataDuration(x,x,x)+1Ej
					; IopLiveDumpTraceMarkRequiredDumpDataDuration(x,x,x)+2Cj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_IopLiveDumpTraceMarkRequiredDumpDataDuration@12 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpTraceMirroringPhase0End(x)
_IopLiveDumpTraceMirroringPhase0End@4 proc near
					; CODE XREF: IopLiveDumpEndMirroringCallback(x)+2A6p
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	short locret_60FF5A
		test	byte ptr [ecx+30h], 1
		mov	eax, offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_MIRRORING_PHASE0_END
		jnz	short loc_60FF43
		mov	eax, offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_MIRRORING_PHASE0_END

loc_60FF43:				; CODE XREF: IopLiveDumpTraceMirroringPhase0End(x)+12j
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	eax
		push	ds:dword_6FD4A4
		push	ds:_IopLiveDumpEtwRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

locret_60FF5A:				; CODE XREF: IopLiveDumpTraceMirroringPhase0End(x)+7j
		retn
_IopLiveDumpTraceMirroringPhase0End@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpTraceMirroringPhase1End(x)
_IopLiveDumpTraceMirroringPhase1End@4 proc near
					; CODE XREF: IopLiveDumpEndMirroringCallback(x)+3Ep
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	short locret_60FF8B
		test	byte ptr [ecx+30h], 1
		mov	eax, offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_MIRRORING_PHASE1_END
		jnz	short loc_60FF74
		mov	eax, offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_MIRRORING_PHASE1_END

loc_60FF74:				; CODE XREF: IopLiveDumpTraceMirroringPhase1End(x)+12j
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	eax
		push	ds:dword_6FD4A4
		push	ds:_IopLiveDumpEtwRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

locret_60FF8B:				; CODE XREF: IopLiveDumpTraceMirroringPhase1End(x)+7j
		retn
_IopLiveDumpTraceMirroringPhase1End@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceMirroringStart(x)
_IopLiveDumpTraceMirroringStart@4 proc near
					; CODE XREF: IopLiveDumpStartMirroringCallback()p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, ds:_IopLiveDumpContext
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	short locret_60FFC8
		test	byte ptr [ecx+30h], 1
		mov	eax, offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_MIRRORING_START
		jnz	short loc_60FFB1
		mov	eax, offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_MIRRORING_START

loc_60FFB1:				; CODE XREF: IopLiveDumpTraceMirroringStart(x)+1Ej
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	eax
		push	ds:dword_6FD4A4
		push	ds:_IopLiveDumpEtwRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

locret_60FFC8:				; CODE XREF: IopLiveDumpTraceMirroringStart(x)+13j
		leave
		retn
_IopLiveDumpTraceMirroringStart@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceMmDuplicateMemoryFailure(x,	x)
_IopLiveDumpTraceMmDuplicateMemoryFailure@8 proc near
					; CODE XREF: IopLiveDumpCaptureMemoryPages(x)+134p
					; IopLiveDumpEstimateMemoryPages(x)+133p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_28], edx
		cmp	edx, 102h
		setz	al
		mov	[ebp+var_2C], eax
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	short loc_610044
		test	byte ptr [ecx+30h], 1
		mov	eax, offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_MM_DUPLICATE_MEMORY_FAILURE
		jnz	short loc_610006

loc_610001:				; DATA XREF: .text:00408564o
		mov	eax, offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_MM_DUPLICATE_MEMORY_FAILURE

loc_610006:				; CODE XREF: IopLiveDumpTraceMmDuplicateMemoryFailure(x,x)+35j
		push	esi
		push	4
		pop	edx
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_1C], edx
		mov	[ebp+var_24], ecx
		xor	esi, esi
		lea	ecx, [ebp+var_2C]
		mov	[ebp+var_20], esi
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_24]
		push	ecx
		push	2
		push	esi
		push	eax
		push	ds:dword_6FD4A4
		mov	[ebp+var_18], esi
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	esi

loc_610044:				; CODE XREF: IopLiveDumpTraceMmDuplicateMemoryFailure(x,x)+2Aj
					; DATA XREF: .text:??_C@_1EM@PHONPJKB@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAq?$AAu?$AAe?$AAr?$AAy@FNODOBFM@o	...
		mov	ecx, [ebp+var_4]

loc_610047:
		xor	ecx, ebp

loc_610049:				; DATA XREF: .text:??_C@_1DO@NODDNLBC@?$AAL?$AAa?$AAz?$AAy?$AAW?$AAr?$AAi?$AAt?$AAe?$AAr?$AAP?$AAe?$AAr?$AAc?$AAe@FNODOBFM@o
					; .text:??_C@_1BO@EOPFHBP@?$AAL?$AAa?$AAr?$AAg?$AAe?$AAW?$AAr?$AAi?$AAt?$AAe?$AAS?$AAi?$AAz?$AAe@FNODOBFM@o ...
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopLiveDumpTraceMmDuplicateMemoryFailure@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceOpenVMMemoryPartitionFailure(x, x)
_IopLiveDumpTraceOpenVMMemoryPartitionFailure@8	proc near
					; CODE XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+1E7p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp

loc_610053:				; DATA XREF: .text:??_C@_1BK@CIGKBGGO@?$AAT?$AAa?$AAr?$AAg?$AAe?$AAt?$AAN?$AAt?$AAP?$AAa?$AAt?$AAh@FNODOBFM@o
		mov	ebp, esp

loc_610055:				; DATA XREF: .text:_PnpWatchdogSecondChanceRegNameo
					; .text:_PnpWatchdogFirstChanceRegNameo
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	[ebp+var_28], edx
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	short loc_6100B1

loc_61006E:				; DATA XREF: .text:00405994o
					; .text:005A4E1Co
		lea	eax, [ecx+2ACh]
		xor	edx, edx
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_OPEN_VM_MEMORY_PARTITION_FAILURE
		push	ds:dword_6FD4A4
		mov	[ebp+var_20], edx
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6100B1:				; CODE XREF: IopLiveDumpTraceOpenVMMemoryPartitionFailure(x,x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopLiveDumpTraceOpenVMMemoryPartitionFailure@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTracePopulateBitmapForDumpDuration(x, x,	x, x, x)
_IopLiveDumpTracePopulateBitmapForDumpDuration@20 proc near
					; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+15Dp

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	loc_6101BC
		xor	edi, edi
		cmp	[esi+0FCh], edi
		jnz	loc_6101BC
		test	byte ptr [esi+0BCh], 1
		jz	loc_6101BC
		test	byte ptr [esi+30h], 1
		mov	eax, offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUISCED_POPULATE_BITMAP_FOR_DUMP
		jnz	short loc_61010C
		mov	eax, offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_POPULATE_BITMAP_FOR_DUMP

loc_61010C:				; CODE XREF: IopLiveDumpTracePopulateBitmapForDumpDuration(x,x,x,x,x)+48j
		push	8
		pop	ebx
		lea	ecx, [ebp+arg_0]
		mov	[ebp+var_24], edi
		mov	[ebp+var_28], ecx
		lea	ecx, [ebp+arg_8]
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_28]
		push	ecx
		push	2
		push	edi
		push	eax
		push	ds:dword_6FD4A4
		mov	[ebp+var_20], ebx
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	ds:dword_6B2CE0, 5
		jbe	short loc_6101BC
		push	2000h
		push	edi
		mov	ecx, offset dword_6B2CE0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_6101BC
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_70], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	4
		lea	eax, [esi+220h]
		mov	[ebp+var_44], edi
		push	eax
		lea	eax, [esi+230h]
		mov	[ebp+var_40], ebx
		push	eax
		push	offset loc_41BB07
		push	offset dword_6B2CE0
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_6101BC:				; CODE XREF: IopLiveDumpTracePopulateBitmapForDumpDuration(x,x,x,x,x)+1Ej
					; IopLiveDumpTracePopulateBitmapForDumpDuration(x,x,x,x,x)+2Cj	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_IopLiveDumpTracePopulateBitmapForDumpDuration@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceRemovePagesCallbackFailure(x, x, x)
_IopLiveDumpTraceRemovePagesCallbackFailure@12 proc near
					; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+210p
					; IopLiveDumpCallRemovePagesCallbacks(x)+22Dp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	short loc_610226
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_24], ecx
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_24]
		mov	[ebp+var_20], ecx
		push	eax
		push	2
		push	ecx
		push	offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_REMOVEPAGES_CALLBACK_FAILURE
		push	ds:dword_6FD4A4
		mov	[ebp+var_1C], edx
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_610226:				; CODE XREF: IopLiveDumpTraceRemovePagesCallbackFailure(x,x,x)+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_IopLiveDumpTraceRemovePagesCallbackFailure@12 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpTraceSystemQuiesceEnd(x)
_IopLiveDumpTraceSystemQuiesceEnd@4 proc near
					; CODE XREF: IopLiveDumpUncorralProcessors(x,x)+A6p
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	short locret_610264
		test	byte ptr [ecx+30h], 1
		mov	eax, offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUIESCE_END
		jnz	short loc_61024D
		mov	eax, offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUIESCE_END

loc_61024D:				; CODE XREF: IopLiveDumpTraceSystemQuiesceEnd(x)+12j
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	eax
		push	ds:dword_6FD4A4
		push	ds:_IopLiveDumpEtwRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

locret_610264:				; CODE XREF: IopLiveDumpTraceSystemQuiesceEnd(x)+7j
		retn
_IopLiveDumpTraceSystemQuiesceEnd@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpTraceSystemQuiesceStart(x)
_IopLiveDumpTraceSystemQuiesceStart@4 proc near
					; CODE XREF: IopLiveDumpCorralProcessors(x)+80p
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	short locret_610295
		test	byte ptr [ecx+30h], 1
		mov	eax, offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUIESCE_START
		jnz	short loc_61027E
		mov	eax, offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUIESCE_START

loc_61027E:				; CODE XREF: IopLiveDumpTraceSystemQuiesceStart(x)+12j
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	eax
		push	ds:dword_6FD4A4
		push	ds:_IopLiveDumpEtwRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

locret_610295:				; CODE XREF: IopLiveDumpTraceSystemQuiesceStart(x)+7j
		retn
_IopLiveDumpTraceSystemQuiesceStart@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpTraceUncorralProcessorsDuration(x, x, x,	x, x, x, x, x, x)
_IopLiveDumpTraceUncorralProcessorsDuration@36 proc near
					; CODE XREF: IopLiveDumpUncorralProcessors(x,x)+CAp

var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		test	al, al
		jz	loc_610421
		xor	edi, edi
		cmp	[esi+0FCh], edi
		jnz	loc_610421
		test	byte ptr [esi+0BCh], 1
		jz	loc_610421
		test	byte ptr [esi+30h], 1
		mov	eax, offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_SYSTEM_QUISCED_UNCORRAL_PROCESSORS
		jnz	short loc_6102E8
		mov	eax, offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_SYSTEM_QUISCED_UNCORRAL_PROCESSORS

loc_6102E8:				; CODE XREF: IopLiveDumpTraceUncorralProcessorsDuration(x,x,x,x,x,x,x,x,x)+4Bj
		lea	ecx, [ebp+arg_0]
		mov	[ebp+var_44], edi
		mov	[ebp+var_48], ecx
		lea	ecx, [ebp+arg_8]
		mov	[ebp+var_38], ecx
		lea	ecx, [ebp+arg_10]
		push	8
		pop	ebx
		mov	[ebp+var_28], ecx
		lea	ecx, [ebp+arg_18]
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_48]
		push	ecx
		push	4
		push	edi
		push	eax
		push	ds:dword_6FD4A4
		mov	[ebp+var_40], ebx
		push	ds:_IopLiveDumpEtwRegHandle
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	ds:dword_6B2CE0, 5
		jbe	loc_610421
		push	2000h
		push	edi
		mov	ecx, offset dword_6B2CE0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_610421
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_B0], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_88], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_C0], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_C8], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	6
		lea	eax, [esi+220h]
		mov	[ebp+var_84], edi
		push	eax
		lea	eax, [esi+230h]
		mov	[ebp+var_80], ebx
		push	eax
		push	offset loc_41B77E
		push	offset dword_6B2CE0
		mov	[ebp+var_7C], edi
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], edi
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_610421:				; CODE XREF: IopLiveDumpTraceUncorralProcessorsDuration(x,x,x,x,x,x,x,x,x)+21j
					; IopLiveDumpTraceUncorralProcessorsDuration(x,x,x,x,x,x,x,x,x)+2Fj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
_IopLiveDumpTraceUncorralProcessorsDuration@36 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpUnLockPages()
_IopLiveDumpUnLockPages@0 proc near	; CODE XREF: IopLiveDumpUncorralProcessors(x,x):loc_72D46Bp
		mov	ecx, ds:_ExPageLockHandle
		xor	edx, edx
		jmp	MiLockPagableImageSection
_IopLiveDumpUnLockPages@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringCbLengthA(x, x, x)
_RtlStringCbLengthA@12 proc near	; CODE XREF: KiValidateComponentName(x,x)+73p
					; IopLiveDumpCallRemovePagesCallbacks(x)+C0p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], esi
		test	ecx, ecx
		jz	short loc_610467
		cmp	edx, 7FFFFFFFh
		ja	short loc_610467
		lea	eax, [ebp+var_4]
		push	eax
		call	sub_610485
		mov	esi, [ebp+var_4]
		mov	ecx, eax
		jmp	short loc_61046C
; 

loc_610467:				; CODE XREF: RtlStringCbLengthA(x,x,x)+Ej
					; RtlStringCbLengthA(x,x,x)+16j
		mov	ecx, 0C000000Dh

loc_61046C:				; CODE XREF: RtlStringCbLengthA(x,x,x)+26j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_61047E
		test	ecx, ecx
		js	short loc_61047B
		mov	[eax], esi
		jmp	short loc_61047E
; 

loc_61047B:				; CODE XREF: RtlStringCbLengthA(x,x,x)+36j
		and	dword ptr [eax], 0

loc_61047E:				; CODE XREF: RtlStringCbLengthA(x,x,x)+32j
					; RtlStringCbLengthA(x,x,x)+3Aj
		mov	eax, ecx
		pop	esi
		leave
		retn	4
_RtlStringCbLengthA@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_610485	proc near		; CODE XREF: RtlStringCbLengthA(x,x,x)+1Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		test	edx, edx
		jz	short loc_61049C

loc_610491:				; CODE XREF: sub_610485+15j
		cmp	byte ptr [ecx],	0
		jz	short loc_61049C
		inc	ecx
		sub	edx, 1
		jnz	short loc_610491

loc_61049C:				; CODE XREF: sub_610485+Aj
					; sub_610485+Fj
		mov	ecx, [ebp+arg_0]
		mov	eax, edx
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFF3h
		add	eax, 0C000000Dh
		test	ecx, ecx
		jz	short loc_6104C0
		test	edx, edx
		jz	short loc_6104BD
		sub	esi, edx
		mov	[ecx], esi
		jmp	short loc_6104C0
; 

loc_6104BD:				; CODE XREF: sub_610485+30j
		and	dword ptr [ecx], 0

loc_6104C0:				; CODE XREF: sub_610485+2Cj
					; sub_610485+36j
		pop	esi
		pop	ebp
		retn	4
sub_610485	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopErrorLogDpc(x, x, x, x)
_IopErrorLogDpc@16 proc	near		; DATA XREF: IopErrorLogQueueRequest()+20o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jz	short loc_6104DA
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6104DA:				; CODE XREF: IopErrorLogDpc(x,x,x,x)+9j
		and	ds:dword_6CCB6C, 0
		and	ds:_IopErrorLogWorkItem, 0
		push	1
		push	offset _IopErrorLogWorkItem
		mov	ds:dword_6CCB68, offset	IopErrorLogThread
		call	ExQueueWorkItem
		pop	ebp
		retn	10h
_IopErrorLogDpc@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopErrorLogRequeueEntry(x)
_IopErrorLogRequeueEntry@4 proc	near	; CODE XREF: IopErrorLogThread+A0765p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _IopErrorLogLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_IopErrorLogListHead
		mov	eax, offset _IopErrorLogListHead
		cmp	[ecx+4], eax
		jz	short loc_610535
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_610535:				; CODE XREF: IopErrorLogRequeueEntry(x)+2Cj
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[ecx+4], esi
		test	ds:byte_70EFC6,	1
		mov	ds:_IopErrorLogListHead, esi
		mov	ds:_ErrorLogSessionOpened, 0
		jz	short loc_61055F
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_610564
; 

loc_61055F:				; CODE XREF: IopErrorLogRequeueEntry(x)+4Fj
		xor	eax, eax
		lock and [edi],	eax

loc_610564:				; CODE XREF: IopErrorLogRequeueEntry(x)+5Bj
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_IopErrorLogRequeueEntry@4 endp


;  S U B	R O U T	I N E 


sub_610570	proc near		; CODE XREF: IopErrorLogThread+A06D1p
					; IopErrorLogQueueRequest()+Bp
		cmp	ds:_ViVerifierEnabled, 0
		jz	short loc_6105A9
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_61058E
		test	byte ptr ds:dword_6FDE00, 6
		jz	short loc_6105A9

loc_61058E:				; CODE XREF: sub_610570+13j
		mov	eax, ds:_MmVerifierData
		and	eax, 10h
		or	eax, 40h
		shr	eax, 1
		push	eax
		push	20206F49h
		push	edx
		push	ecx
		call	ExAllocatePoolWithTagPriority
		retn
; 

loc_6105A9:				; CODE XREF: sub_610570+7j
					; sub_610570+1Cj
		push	20206F49h
		push	edx
		push	ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
sub_610570	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SecureDump_EncryptSymmetricKeyWithPublicKey()
_SecureDump_EncryptSymmetricKeyWithPublicKey@0 proc near ; CODE	XREF: SecureDump_Init+7E326p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	ecx, ecx
		mov	[ebp+var_20], offset ??_C@_1O@HECGKAIN@?$AAS?$AAH?$AAA?$AA2?$AA5?$AA6@FNODOBFM@
		push	esi
		push	edi
		push	ecx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ecx
		push	eax
		push	ecx
		push	ecx
		push	(offset	off_5A496C+2)
		push	ecx
		push	ds:dword_6CF2F0
		xor	ebx, ebx
		mov	[ebp+var_C], ecx
		mov	edi, ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_1C], ecx
		inc	ebx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], ecx
		mov	ds:dword_6CF2F8, 2
		call	ds:__imp__BCryptExportKey@28 ; BCryptExportKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_610735
		push	706D6453h
		push	[ebp+var_4]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_610633

loc_610629:				; CODE XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+154j
		mov	esi, 0C000009Ah
		jmp	loc_610735
; 

loc_610633:				; CODE XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+71j
		push	0
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		push	edi
		push	(offset	off_5A496C+2)
		push	0
		push	ds:dword_6CF2F0
		call	ds:__imp__BCryptExportKey@28 ; BCryptExportKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_610735
		push	ebx
		push	0
		mov	edx, (offset off_5A4964+2)
		lea	ecx, [ebp+var_C]
		call	_BCryptOpenAlgorithmProvider@16	; BCryptOpenAlgorithmProvider(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_610735
		push	ecx
		push	ds:dword_6CF2D4
		lea	eax, [ebp+var_8]
		push	ds:dword_6CF2D0
		push	eax
		push	ecx
		mov	ecx, [ebp+var_C]
		call	_BCryptImportKeyPair@28	; BCryptImportKeyPair(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_61069C

loc_610694:				; CODE XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+101j
		push	3
		pop	ebx
		jmp	loc_610735
; 

loc_61069C:				; CODE XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+DCj
		push	ecx
		lea	eax, [ebp+var_14]
		mov	edx, offset ??_C@_1BE@FGBADLPC@?$AAK?$AAe?$AAy?$AAL?$AAe?$AAn?$AAg?$AAt?$AAh@FNODOBFM@
		push	eax
		push	ecx
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		push	eax
		call	_BCryptGetProperty@24 ;	BCryptGetProperty(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_610694
		cmp	[ebp+var_10], 800h
		push	4
		jz	short loc_6106CC
		pop	ebx
		mov	esi, 0C0000001h
		jmp	short loc_610735
; 

loc_6106CC:				; CODE XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+10Cj
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		push	offset dword_6CF2E4
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_20]
		mov	edx, edi
		push	eax
		push	[ebp+var_4]
		call	_BCryptEncrypt@40 ; BCryptEncrypt(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_610735
		push	706D6453h
		push	ds:dword_6CF2E4
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:dword_6CF2E0, eax
		test	eax, eax
		jz	loc_610629
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		push	4
		push	offset dword_6CF2E4
		push	ds:dword_6CF2E4
		push	eax
		push	0
		push	0
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_4]
		call	_BCryptEncrypt@40 ; BCryptEncrypt(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_610735:				; CODE XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+55j
					; SecureDump_EncryptSymmetricKeyWithPublicKey()+78j ...
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	short loc_610741
		call	_BCryptCloseAlgorithmProvider@8	; BCryptCloseAlgorithmProvider(x,x)

loc_610741:				; CODE XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+184j
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_61074D
		call	_BCryptDestroyKey@4 ; BCryptDestroyKey(x)

loc_61074D:				; CODE XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+190j
		test	edi, edi
		jz	short loc_610759
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_610759:				; CODE XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+199j
		test	esi, esi
		jns	short loc_610764
		mov	ecx, ebx
		call	_SecureDump_LogErrorEvent@4 ; SecureDump_LogErrorEvent(x)

loc_610764:				; CODE XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+1A5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SecureDump_EncryptSymmetricKeyWithPublicKey@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SecureDump_Encrypt_DmpData(x, x, x,	x, x, x, x)
_SecureDump_Encrypt_DmpData@28 proc near
					; CODE XREF: IopLiveDumpWriteBuffer(x,x,x,x,x,x)+3Ap
					; DATA XREF: IopInitializeCrashDump+957F0o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_C]
		mov	eax, [ebp+arg_18]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_1C], ecx
		mov	ebx, esi
		mov	[ebp+var_18], edx
		push	edi
		mov	edi, 0C0000001h
		mov	[ebp+var_20], eax
		cmp	ds:byte_6CF2C4,	bl
		jnz	short loc_6107AB
		add	edi, 0Fh
		jmp	loc_61088A
; 

loc_6107AB:				; CODE XREF: SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+36j
		test	ecx, ecx
		jz	loc_610885
		test	edx, edx
		jnz	short loc_6107C3
		mov	eax, [ebp+arg_10]
		or	eax, [ebp+arg_14]
		jnz	loc_610885

loc_6107C3:				; CODE XREF: SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+4Aj
		mov	eax, ds:dword_6CF2E8
		push	esi
		push	eax
		push	[ebp+arg_8]
		mov	[ebp+var_10], eax
		push	[ebp+arg_4]
		call	__aullrem
		or	eax, edx
		jnz	loc_610885
		mov	eax, [ebp+arg_8]
		cmp	eax, esi
		jb	loc_610885
		mov	edx, [ebp+var_10]
		ja	short loc_6107F9
		cmp	[ebp+arg_4], edx
		jb	loc_610885

loc_6107F9:				; CODE XREF: SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+83j
		cmp	[ebp+arg_14], eax
		ja	short loc_610814
		jb	short loc_610808
		mov	ecx, [ebp+arg_10]
		cmp	ecx, [ebp+arg_4]
		jnb	short loc_610814

loc_610808:				; CODE XREF: SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+93j
		mov	esi, [ebp+arg_4]
		mov	ebx, eax
		mov	edi, 80000005h
		jmp	short loc_61088A
; 

loc_610814:				; CODE XREF: SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+91j
					; SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+9Bj
		mov	[ebp+var_14], esi
		mov	ecx, esi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		cmp	eax, esi
		jb	short loc_610881
		ja	short loc_61082D
		cmp	[ebp+arg_4], esi
		jbe	short loc_610881

loc_61082D:				; CODE XREF: SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+BBj
					; SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+106j ...
		push	esi
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, [ebp+var_18]
		push	edx
		add	eax, ecx
		push	eax
		push	8
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		push	edx
		mov	edx, [ebp+var_1C]
		lea	edx, [ecx+edx]
		mov	ecx, ds:dword_6CF2F0
		call	_BCryptEncrypt@40 ; BCryptEncrypt(x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_10]
		mov	edi, eax
		test	edi, edi
		js	short loc_610881
		add	ecx, [ebp+var_14]
		mov	edx, ds:dword_6CF2E8
		adc	ebx, esi
		mov	[ebp+var_10], ecx
		cmp	[ebp+var_14], edx
		jnz	short loc_61087C
		cmp	ebx, [ebp+arg_8]
		jb	short loc_61082D
		ja	short loc_610881
		cmp	ecx, [ebp+arg_4]
		jb	short loc_61082D
		jmp	short loc_610881
; 

loc_61087C:				; CODE XREF: SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+101j
		mov	edi, 0C0000001h

loc_610881:				; CODE XREF: SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+B9j
					; SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+C0j ...
		mov	esi, ecx
		jmp	short loc_61088A
; 

loc_610885:				; CODE XREF: SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+42j
					; SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+52j ...
		mov	edi, 0C000000Dh

loc_61088A:				; CODE XREF: SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+3Bj
					; SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+A7j ...
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_610896
		mov	[eax], esi
		mov	[eax+4], ebx

loc_610896:				; CODE XREF: SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)+124j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
_SecureDump_Encrypt_DmpData@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SecureDump_Get_SecureDumpHeader(int,void *,size_t)
_SecureDump_Get_SecureDumpHeader@12 proc near ;	CODE XREF: IopLiveDumpWriteDumpFile(x)+259p
					; DATA XREF: IopInitializeCrashDump+957E9o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:byte_6CF2C4,	0
		push	edi
		jz	loc_6109CE
		mov	edi, [ebp+arg_8]
		cmp	edi, ds:dword_6CF2FC
		jb	loc_6109CE
		mov	eax, ds:dword_6CF2D8
		add	eax, 0FA8h
		add	eax, ds:dword_6CF2E4
		cmp	edi, eax
		jb	loc_6109CE
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		push	edi		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		mov	dword ptr [esi+8], 1
		mov	eax, ds:dword_6CF2FC
		mov	[esi+0Ch], eax
		mov	eax, [ecx]
		mov	[esi], eax
		mov	eax, [ecx+4]
		mov	[esi+4], eax
		mov	eax, [ecx+20h]
		mov	[esi+20h], eax
		mov	eax, [ecx+0F88h]
		mov	[esi+0F88h], eax
		mov	eax, [ecx+0FA0h]
		add	eax, 0FFFh
		mov	[esi+0FA4h], ebx
		add	eax, edi
		and	eax, 0FFFFF000h
		mov	[esi+0FA0h], eax
		mov	eax, [ecx+8A0h]
		or	eax, 100h
		mov	[esi+8A0h], eax
		mov	eax, [ecx+28h]
		mov	[esi+28h], eax
		mov	[esi+2Ch], ebx
		mov	[esi+30h], ebx
		mov	[esi+34h], ebx
		mov	[esi+38h], ebx
		mov	dword ptr [esi+14h], 0FA8h
		mov	eax, ds:dword_6CF2E4
		push	eax		; size_t
		mov	[esi+10h], eax
		lea	eax, [esi+0FA8h]
		push	ds:dword_6CF2E0	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, ds:dword_6CF2E8
		mov	ecx, [esi+14h]
		add	ecx, [esi+10h]
		mov	[esi+8ACh], eax
		mov	eax, ds:dword_6CF2F4
		mov	[esi+8A4h], eax
		mov	[esi+1Ch], ecx
		mov	eax, ds:dword_6CF2D8
		push	eax		; size_t
		mov	[esi+18h], eax
		lea	eax, [ecx+esi]
		push	ds:dword_6CF2DC	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, ds:dword_6CF2F8
		add	esp, 24h
		mov	[esi+8A8h], eax
		xor	eax, eax
		pop	esi
		pop	ebx
		jmp	short loc_6109D3
; 

loc_6109CE:				; CODE XREF: SecureDump_Get_SecureDumpHeader(x,x,x)+Dj
					; SecureDump_Get_SecureDumpHeader(x,x,x)+1Cj ...
		mov	eax, 0C000000Dh

loc_6109D3:				; CODE XREF: SecureDump_Get_SecureDumpHeader(x,x,x)+123j
		pop	edi
		pop	ebp
		retn	0Ch
_SecureDump_Get_SecureDumpHeader@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SecureDump_LogErrorEvent(x)
_SecureDump_LogErrorEvent@4 proc near	; CODE XREF: SecureDump_PrepareForInit+7E863p
					; SecureDump_EncryptSymmetricKeyWithPublicKey()+1A9p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ds:dword_6CCFDC
		mov	ebx, offset _IoMgr_DumpEncryptionFailure
		push	edi
		mov	edi, ds:_IoMgrTraceHandle
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_18], ecx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_610A31
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_610A31:				; CODE XREF: SecureDump_LogErrorEvent(x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SecureDump_LogErrorEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SecureDump_SymmetricEncryptionSetup()
_SecureDump_SymmetricEncryptionSetup@0 proc near ; CODE	XREF: SecureDump_Init+7E317p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	eax, eax
		xor	ebx, ebx
		push	edi
		inc	eax
		mov	[ebp+var_8], ebx
		push	eax
		push	(offset	off_5A4914+2)
		mov	edx, (offset loc_5A4902+4)
		mov	[ebp+var_4], ebx
		mov	ecx, offset dword_6CF2EC
		mov	ds:dword_6CF2F4, eax
		call	_BCryptOpenAlgorithmProvider@16	; BCryptOpenAlgorithmProvider(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_610B27
		push	706D6453h
		push	40h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_610A9A
		mov	esi, 0C000009Ah
		jmp	loc_610B27
; 

loc_610A9A:				; CODE XREF: SecureDump_SymmetricEncryptionSetup()+4Ej
		push	ecx
		push	40h
		mov	edx, edi
		call	_BCryptGenRandom@16 ; BCryptGenRandom(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_610AB3
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_610B23
; 

loc_610AB3:				; CODE XREF: SecureDump_SymmetricEncryptionSetup()+68j
		push	ecx
		mov	ecx, ds:dword_6CF2EC
		mov	edx, offset dword_6CF2F0
		push	40h
		push	edi
		push	ebx
		push	ebx
		call	_BCryptGenerateSymmetricKey@28 ; BCryptGenerateSymmetricKey(x,x,x,x,x,x,x)
		push	ebx
		push	edi
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	short loc_610B27
		push	ecx
		lea	eax, [ebp+var_8]
		mov	edx, offset ??_C@_1BE@FGBADLPC@?$AAK?$AAe?$AAy?$AAL?$AAe?$AAn?$AAg?$AAt?$AAh@FNODOBFM@
		push	eax
		push	ecx
		mov	ecx, ds:dword_6CF2F0
		lea	eax, [ebp+var_4]
		push	eax
		call	_BCryptGetProperty@24 ;	BCryptGetProperty(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_610B27
		cmp	[ebp+var_4], 200h
		jnz	short loc_610B23
		push	ecx
		mov	ecx, ds:dword_6CF2F0
		mov	edx, offset ??_C@_1CG@ONBEMBCH@?$AAM?$AAe?$AAs?$AAs?$AAa?$AAg?$AAe?$AAB?$AAl?$AAo?$AAc?$AAk?$AAL?$AAe?$AAn@FNODOBFM@
		push	4
		push	offset dword_6CF2E8
		mov	ds:dword_6CF2E8, 1000h
		call	_BCryptSetProperty@20 ;	BCryptSetProperty(x,x,x,x,x)
		mov	esi, eax

loc_610B23:				; CODE XREF: SecureDump_SymmetricEncryptionSetup()+71j
					; SecureDump_SymmetricEncryptionSetup()+BDj
		test	esi, esi
		jns	short loc_610B2F

loc_610B27:				; CODE XREF: SecureDump_SymmetricEncryptionSetup()+33j
					; SecureDump_SymmetricEncryptionSetup()+55j ...
		xor	ecx, ecx
		inc	ecx
		call	_SecureDump_LogErrorEvent@4 ; SecureDump_LogErrorEvent(x)

loc_610B2F:				; CODE XREF: SecureDump_SymmetricEncryptionSetup()+E5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SecureDump_SymmetricEncryptionSetup@0 endp


;  S U B	R O U T	I N E 


; __stdcall IoBoostThreadOutstandingIo(x)
_IoBoostThreadOutstandingIo@4 proc near	; CODE XREF: PsBoostThreadOutstandingIoQoS(x)+7j
					; KiAbProcessThreadLocks+D5D7Cp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, ds:_IopIoRateExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_610B5D
		push	esi
		call	dword ptr [eax+8]
		mov	ecx, ds:_IopIoRateExtensionHost
		pop	esi
		lea	ecx, [ecx+24h]
		jmp	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
; 

loc_610B5D:				; CODE XREF: IoBoostThreadOutstandingIo(x)+12j
		pop	esi
		retn
_IoBoostThreadOutstandingIo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoNotifyQuotaState(x, x, x,	x, x)
_IoNotifyQuotaState@20 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		lea	eax, [esp+8+var_8]
		and	[esp+8+var_4], 0
		lea	edx, [esp+8+var_4]
		and	[esp+8+var_8], 0
		push	esi
		push	edi
		push	eax
		call	_IopAcquireReferencesFromIoAttributionHandle@12	; IopAcquireReferencesFromIoAttributionHandle(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_610BC7
		mov	ecx, [esp+10h+var_8]
		mov	edi, 746C6644h
		mov	edx, edi
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jnz	short loc_610BA5
		mov	esi, 0C0000189h
		jmp	short loc_610BC7
; 

loc_610BA5:				; CODE XREF: IoNotifyQuotaState(x,x,x,x,x)+3Dj
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_C]
		mov	ecx, [esp+18h+var_8]
		push	[ebp+arg_8]
		call	_PsIoRateControlOverQuotaNotify@20 ; PsIoRateControlOverQuotaNotify(x,x,x,x,x)
		xor	esi, esi
		mov	ecx, [esp+10h+var_8]
		mov	edx, edi
		call	ObfDereferenceObjectWithTag

loc_610BC7:				; CODE XREF: IoNotifyQuotaState(x,x,x,x,x)+29j
					; IoNotifyQuotaState(x,x,x,x,x)+44j
		mov	edi, [esp+10h+var_4]
		test	edi, edi
		jz	short loc_610BE1
		lea	ecx, [edi+8Ch]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, edi
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)

loc_610BE1:				; CODE XREF: IoNotifyQuotaState(x,x,x,x,x)+6Ej
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	14h
_IoNotifyQuotaState@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoUpdateThreadIoRateThrottle(x, x)
_IoUpdateThreadIoRateThrottle@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		mov	edx, esi
		lea	eax, [ecx+334h]
		lock xadd [eax], edx
		test	edx, edx
		jz	short loc_610C11
		lea	eax, [edx+esi]
		test	eax, eax
		jnz	short loc_610C16
		xor	edx, edx
		inc	edx

loc_610C11:				; CODE XREF: IoUpdateThreadIoRateThrottle(x,x)+1Aj
		call	KeAbProcessBaseIoPriorityChangeInternal

loc_610C16:				; CODE XREF: IoUpdateThreadIoRateThrottle(x,x)+21j
		pop	esi
		pop	ebp
		retn	8
_IoUpdateThreadIoRateThrottle@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopIssueTrEERequest(x, x, x, x, x, x, x, x,	x)
_IopIssueTrEERequest@36	proc near	; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+13Ap
					; IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+1C8p ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+5Ch+var_54], eax
		mov	eax, [ebp+arg_18]
		push	ebx
		mov	[esp+60h+var_4C], eax
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	ebx, [ebp+arg_C]
		lea	edi, [esp+68h+var_18]
		mov	[esp+68h+var_58], eax
		mov	[esp+68h+var_48], eax
		mov	[esp+68h+var_44], eax
		mov	[esp+68h+var_40], eax
		stosd
		mov	[esp+68h+var_50], edx
		mov	[esp+68h+var_3C], ecx
		mov	ecx, [ebp+arg_8]
		stosd
		mov	[esp+68h+var_30], ecx
		mov	ecx, 568004h
		stosd
		stosd
		mov	eax, esi
		cdq
		xor	esi, esi
		mov	[esp+68h+var_38], eax
		mov	eax, ebx
		mov	[esp+68h+var_34], edx
		cdq
		mov	[esp+68h+var_28], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+68h+var_20], eax
		lea	eax, [esp+68h+var_58]
		push	eax
		push	10h
		lea	eax, [esp+70h+var_18]
		mov	[esp+70h+var_24], edx
		push	eax
		push	30h
		lea	eax, [esp+78h+var_48]
		mov	[esp+78h+var_2C], esi
		push	eax
		push	[esp+7Ch+var_54]
		xor	dl, dl
		mov	[esp+80h+var_1C], esi
		push	[esp+80h+var_50]
		call	_IopIssueSystemEnvironmentRequest@36 ; IopIssueSystemEnvironmentRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_610CF5
		cmp	[esp+68h+var_58], 10h
		jb	short loc_610CF0
		mov	ecx, [esp+68h+var_4C]
		test	ecx, ecx
		jz	short loc_610CDF
		push	[esp+68h+var_C]
		push	[esp+6Ch+var_10]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)

loc_610CDF:				; CODE XREF: IopIssueTrEERequest(x,x,x,x,x,x,x,x,x)+B5j
		mov	ecx, [ebp+arg_14]
		cmp	[esp+68h+var_C], esi
		ja	short loc_610CF5
		jb	short loc_610CF0
		cmp	[esp+68h+var_10], ecx
		jnb	short loc_610CF5

loc_610CF0:				; CODE XREF: IopIssueTrEERequest(x,x,x,x,x,x,x,x,x)+ADj
					; IopIssueTrEERequest(x,x,x,x,x,x,x,x,x)+CDj
		mov	eax, 0C0000186h

loc_610CF5:				; CODE XREF: IopIssueTrEERequest(x,x,x,x,x,x,x,x,x)+A6j
					; IopIssueTrEERequest(x,x,x,x,x,x,x,x,x)+CBj ...
		mov	ecx, [esp+68h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_IopIssueTrEERequest@36	endp


;  S U B	R O U T	I N E 


sub_610D09	proc near		; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+41p
					; IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+60p ...
		cmp	ds:_ViVerifierEnabled, 0
		jz	short loc_610D43
		test	ds:_VfRuleClasses, 0FFAFFFFFh
		jnz	short loc_610D27
		test	byte ptr ds:dword_6FDE00, 6
		jz	short loc_610D43

loc_610D27:				; CODE XREF: sub_610D09+13j
		mov	eax, ds:_MmVerifierData
		and	eax, 10h
		or	eax, 40h
		shr	eax, 1
		push	eax
		push	20206F49h
		push	edx
		push	1
		call	ExAllocatePoolWithTagPriority
		retn
; 

loc_610D43:				; CODE XREF: sub_610D09+7j
					; sub_610D09+1Cj
		push	20206F49h
		push	edx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
sub_610D09	endp


;  S U B	R O U T	I N E 


; __stdcall IopAddBugcheckPnpTriageData(x, x)
_IopAddBugcheckPnpTriageData@8 proc near
					; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+136p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		call	_IopAddBugcheckTriageThread@4 ;	IopAddBugcheckTriageThread(x)
		push	10h
		pop	edx
		mov	ecx, edi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jnz	short loc_610D73

loc_610D6C:				; CODE XREF: IopAddBugcheckPnpTriageData(x,x)+2Aj
		mov	esi, 0C0000001h
		jmp	short loc_610D97
; 

loc_610D73:				; CODE XREF: IopAddBugcheckPnpTriageData(x,x)+19j
		mov	eax, 8001h
		cmp	[edi], ax
		jnz	short loc_610D6C
		push	10h
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+4]
		call	_IopAddBugcheckTriageCompletionQueue@4 ; IopAddBugcheckTriageCompletionQueue(x)
		mov	ecx, [edi+8]
		call	_IopAddBugcheckTriageWorkQueue@4 ; IopAddBugcheckTriageWorkQueue(x)

loc_610D97:				; CODE XREF: IopAddBugcheckPnpTriageData(x,x)+20j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_IopAddBugcheckPnpTriageData@8 endp


;  S U B	R O U T	I N E 


; __stdcall IopAddBugcheckPnpWatchdogTriageData(x, x)
_IopAddBugcheckPnpWatchdogTriageData@8 proc near
					; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+163p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, edx
		push	edi
		xor	edi, edi
		call	_IopAddBugcheckTriageThread@4 ;	IopAddBugcheckTriageThread(x)
		push	30h
		pop	edx
		mov	ecx, esi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jnz	short loc_610DC0
		mov	edi, 0C0000001h
		jmp	short loc_610E16
; 

loc_610DC0:				; CODE XREF: IopAddBugcheckPnpWatchdogTriageData(x,x)+1Bj
		push	30h
		pop	edx
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+18h]
		call	_IopAddBugcheckTriageCompletionQueue@4 ; IopAddBugcheckTriageCompletionQueue(x)
		mov	ecx, [esi+1Ch]
		call	_IopAddBugcheckTriageWorkQueue@4 ; IopAddBugcheckTriageWorkQueue(x)
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_610DE6
		call	_IopAddBugcheckTriageThread@4 ;	IopAddBugcheckTriageThread(x)

loc_610DE6:				; CODE XREF: IopAddBugcheckPnpWatchdogTriageData(x,x)+43j
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	short loc_610DF2
		call	_IopAddBugcheckTriageThread@4 ;	IopAddBugcheckTriageThread(x)

loc_610DF2:				; CODE XREF: IopAddBugcheckPnpWatchdogTriageData(x,x)+4Fj
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jz	short loc_610DFE
		call	_IopAddBugcheckTriageThread@4 ;	IopAddBugcheckTriageThread(x)

loc_610DFE:				; CODE XREF: IopAddBugcheckPnpWatchdogTriageData(x,x)+5Bj
		mov	ecx, [esi+24h]
		test	ecx, ecx
		jz	short loc_610E0A
		call	_IopAddBugcheckTriageDevice@4 ;	IopAddBugcheckTriageDevice(x)

loc_610E0A:				; CODE XREF: IopAddBugcheckPnpWatchdogTriageData(x,x)+67j
		mov	ecx, [esi+20h]
		test	ecx, ecx
		jz	short loc_610E16
		call	_IopAddBugcheckTriageDeviceNode@4 ; IopAddBugcheckTriageDeviceNode(x)

loc_610E16:				; CODE XREF: IopAddBugcheckPnpWatchdogTriageData(x,x)+22j
					; IopAddBugcheckPnpWatchdogTriageData(x,x)+73j
		mov	eax, edi
		pop	edi
		pop	esi
		retn
_IopAddBugcheckPnpWatchdogTriageData@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddBugcheckPowerTriageData(x, x,	x)
_IopAddBugcheckPowerTriageData@12 proc near
					; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+151p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		xor	eax, eax
		mov	ebx, edx
		push	esi
		mov	[ebp+var_8], eax
		mov	esi, eax
		mov	[ebp+var_4], eax
		call	_IopAddBugcheckTriageDevice@4 ;	IopAddBugcheckTriageDevice(x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		call	_IopAddBugcheckTriageIrp@8 ; IopAddBugcheckTriageIrp(x,x)
		push	14h
		pop	edx
		mov	ecx, ebx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jnz	short loc_610E57

loc_610E4D:				; CODE XREF: IopAddBugcheckPowerTriageData(x,x,x)+44j
		mov	esi, 0C0000001h
		jmp	loc_610F5B
; 

loc_610E57:				; CODE XREF: IopAddBugcheckPowerTriageData(x,x,x)+30j
		mov	eax, 8000h
		cmp	[ebx], ax
		jnz	short loc_610E4D
		push	edi
		push	18h
		pop	edx
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		mov	edi, [ebx+4]
		mov	[ebp+arg_0], edi
		test	edi, edi
		jz	short loc_610EE3
		push	8
		pop	edx
		mov	ecx, edi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_610EDE
		push	8
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		jmp	short loc_610ED6
; 

loc_610E90:				; CODE XREF: IopAddBugcheckPowerTriageData(x,x,x)+BFj
		cmp	edi, [ebx+4]
		jz	short loc_610EE3
		mov	eax, [ebp+var_4]
		cmp	eax, 0Ah
		jge	short loc_610EE3
		push	10h
		inc	eax
		mov	ecx, edi
		pop	edx
		mov	[ebp+var_4], eax
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_610EDE
		push	10h
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebp+arg_0]
		cmp	[edi+4], eax
		jnz	short loc_610EDE
		mov	ecx, [edi+8]
		mov	dl, 1
		call	_IopAddBugcheckTriageIrp@8 ; IopAddBugcheckTriageIrp(x,x)
		mov	ecx, [edi+0Ch]
		call	_IopAddBugcheckTriageDevice@4 ;	IopAddBugcheckTriageDevice(x)
		mov	[ebp+arg_0], edi

loc_610ED6:				; CODE XREF: IopAddBugcheckPowerTriageData(x,x,x)+73j
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_610E90
		jmp	short loc_610EE3
; 

loc_610EDE:				; CODE XREF: IopAddBugcheckPowerTriageData(x,x,x)+67j
					; IopAddBugcheckPowerTriageData(x,x,x)+92j ...
		mov	esi, 0C0000001h

loc_610EE3:				; CODE XREF: IopAddBugcheckPowerTriageData(x,x,x)+59j
					; IopAddBugcheckPowerTriageData(x,x,x)+78j ...
		mov	edi, [ebx+8]
		mov	[ebp+arg_0], edi
		test	edi, edi
		jz	short loc_610F52
		push	8
		pop	edx
		mov	ecx, edi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_610F4D
		push	8
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		jmp	short loc_610F45
; 

loc_610F07:				; CODE XREF: IopAddBugcheckPowerTriageData(x,x,x)+12Ej
		cmp	edi, [ebx+8]
		jz	short loc_610F52
		mov	eax, [ebp+var_8]
		cmp	eax, 0Ah
		jge	short loc_610F52
		push	10h
		inc	eax
		mov	ecx, edi
		pop	edx
		mov	[ebp+var_8], eax
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_610F4D
		push	10h
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebp+arg_0]
		cmp	[edi+4], eax
		jnz	short loc_610F4D
		mov	ecx, [edi+8]
		call	_IopAddBugcheckTriageThread@4 ;	IopAddBugcheckTriageThread(x)
		mov	esi, eax
		mov	[ebp+arg_0], edi

loc_610F45:				; CODE XREF: IopAddBugcheckPowerTriageData(x,x,x)+EAj
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_610F07
		jmp	short loc_610F52
; 

loc_610F4D:				; CODE XREF: IopAddBugcheckPowerTriageData(x,x,x)+DEj
					; IopAddBugcheckPowerTriageData(x,x,x)+109j ...
		mov	esi, 0C0000001h

loc_610F52:				; CODE XREF: IopAddBugcheckPowerTriageData(x,x,x)+D0j
					; IopAddBugcheckPowerTriageData(x,x,x)+EFj ...
		mov	ecx, [ebx+0Ch]
		call	_IopAddBugcheckTriageWorkQueue@4 ; IopAddBugcheckTriageWorkQueue(x)
		pop	edi

loc_610F5B:				; CODE XREF: IopAddBugcheckPowerTriageData(x,x,x)+37j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_IopAddBugcheckPowerTriageData@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddBugcheckTriageCompletionQueue(x)
_IopAddBugcheckTriageCompletionQueue@4 proc near
					; CODE XREF: IopAddBugcheckPnpTriageData(x,x)+39p
					; IopAddBugcheckPnpWatchdogTriageData(x,x)+31p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	edi
		push	8
		xor	edi, edi
		mov	ebx, ecx
		pop	edx
		mov	[ebp+var_4], edi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jnz	short loc_610F86
		mov	edi, 0C0000001h
		jmp	short loc_610FE9
; 

loc_610F86:				; CODE XREF: IopAddBugcheckTriageCompletionQueue(x)+1Aj
		push	esi
		push	8
		pop	edx
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		mov	esi, [ebx]
		test	esi, esi
		jz	short loc_610FE8
		cmp	esi, ebx
		jz	short loc_610FE8
		mov	[ebp+var_8], ebx

loc_610F9E:				; CODE XREF: IopAddBugcheckTriageCompletionQueue(x)+7Cj
		cmp	esi, ebx
		jz	short loc_610FE8
		mov	eax, [ebp+var_4]
		cmp	eax, 0Ah
		jge	short loc_610FE8
		push	10h
		inc	eax
		mov	ecx, esi
		pop	edx
		mov	[ebp+var_4], eax
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_610FE3
		push	10h
		pop	edx
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebp+var_8]
		cmp	[esi+4], eax
		jnz	short loc_610FE3
		mov	ecx, [esi+8]
		call	_IopAddBugcheckTriageDeviceNode@4 ; IopAddBugcheckTriageDeviceNode(x)
		mov	[ebp+var_8], esi
		mov	edi, eax
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_610F9E
		jmp	short loc_610FE8
; 

loc_610FE3:				; CODE XREF: IopAddBugcheckTriageCompletionQueue(x)+57j
					; IopAddBugcheckTriageCompletionQueue(x)+69j
		mov	edi, 0C0000001h

loc_610FE8:				; CODE XREF: IopAddBugcheckTriageCompletionQueue(x)+32j
					; IopAddBugcheckTriageCompletionQueue(x)+36j ...
		pop	esi

loc_610FE9:				; CODE XREF: IopAddBugcheckTriageCompletionQueue(x)+21j
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn
_IopAddBugcheckTriageCompletionQueue@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddBugcheckTriageDevice(x)
_IopAddBugcheckTriageDevice@4 proc near	; CODE XREF: IopAddBugcheckPnpWatchdogTriageData(x,x)+69p
					; IopAddBugcheckPowerTriageData(x,x,x)+15p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	[ebp+var_4], edi

loc_610FFF:				; CODE XREF: IopAddBugcheckTriageDevice(x)+80j
		mov	edx, 0B8h
		mov	ecx, esi
		inc	edi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_611079
		movzx	eax, word ptr [esi+2]
		mov	ecx, 3000h
		cmp	ax, cx
		ja	short loc_611031
		lea	ebx, [eax+7]
		mov	ecx, esi
		and	ebx, 0FFFFFFF8h
		mov	edx, ebx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jnz	short loc_611036

loc_611031:				; CODE XREF: IopAddBugcheckTriageDevice(x)+2Dj
		mov	ebx, 0B8h

loc_611036:				; CODE XREF: IopAddBugcheckTriageDevice(x)+40j
		mov	edx, ebx
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ebx, [esi+0B0h]
		mov	ecx, ebx
		push	40h
		pop	edx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_61105D
		push	40h
		pop	edx
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock

loc_61105D:				; CODE XREF: IopAddBugcheckTriageDevice(x)+62j
		mov	ecx, [esi+8]
		call	_IopAddBugcheckTriageDriver@4 ;	IopAddBugcheckTriageDriver(x)
		mov	esi, [esi+10h]
		test	esi, esi
		jz	short loc_611071
		cmp	edi, 0Ah
		jl	short loc_610FFF

loc_611071:				; CODE XREF: IopAddBugcheckTriageDevice(x)+7Bj
		mov	eax, [ebp+var_4]

loc_611074:				; CODE XREF: IopAddBugcheckTriageDevice(x)+8Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_611079:				; CODE XREF: IopAddBugcheckTriageDevice(x)+1Fj
		mov	eax, 0C0000001h
		jmp	short loc_611074
_IopAddBugcheckTriageDevice@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopAddBugcheckTriageDeviceNode(x)
_IopAddBugcheckTriageDeviceNode@4 proc near
					; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+18Bp
					; IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+19Dp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	ebx, edi

loc_61108B:				; CODE XREF: IopAddBugcheckTriageDeviceNode(x)+66j
		push	30h
		pop	edx
		mov	ecx, esi
		inc	edi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_6110EA
		push	30h
		pop	edx
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]
		call	_IopAddBugcheckTriageUnicodeString@8 ; IopAddBugcheckTriageUnicodeString(x,x)
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		call	_IopAddBugcheckTriageUnicodeString@8 ; IopAddBugcheckTriageUnicodeString(x,x)
		mov	ecx, [esi+24h]
		test	ecx, ecx
		jz	short loc_6110C8
		xor	dl, dl
		call	_IopAddBugcheckTriageIrp@8 ; IopAddBugcheckTriageIrp(x,x)

loc_6110C8:				; CODE XREF: IopAddBugcheckTriageDeviceNode(x)+3Fj
		mov	ecx, [esi+28h]
		test	ecx, ecx
		jz	short loc_6110D4
		call	_IopAddBugcheckTriagePoFxDevice@4 ; IopAddBugcheckTriagePoFxDevice(x)

loc_6110D4:				; CODE XREF: IopAddBugcheckTriageDeviceNode(x)+4Dj
		mov	ecx, [esi+10h]
		call	_IopAddBugcheckTriageDevice@4 ;	IopAddBugcheckTriageDevice(x)
		mov	esi, [esi+8]
		test	esi, esi
		jz	short loc_6110EF
		cmp	edi, 0Ah
		jl	short loc_61108B
		jmp	short loc_6110EF
; 

loc_6110EA:				; CODE XREF: IopAddBugcheckTriageDeviceNode(x)+18j
		mov	ebx, 0C0000001h

loc_6110EF:				; CODE XREF: IopAddBugcheckTriageDeviceNode(x)+61j
					; IopAddBugcheckTriageDeviceNode(x)+68j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
_IopAddBugcheckTriageDeviceNode@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopAddBugcheckTriageDriver(x)
_IopAddBugcheckTriageDriver@4 proc near	; CODE XREF: IopAddBugcheckTriageDevice(x)+71p
		mov	edi, edi
		push	esi
		push	edi
		mov	edx, 0A8h
		mov	esi, ecx
		xor	edi, edi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jnz	short loc_611112
		mov	edi, 0C0000001h
		jmp	short loc_611129
; 

loc_611112:				; CODE XREF: IopAddBugcheckTriageDriver(x)+14j
		mov	edx, 0A8h
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		call	_IopAddBugcheckTriageUnicodeString@8 ; IopAddBugcheckTriageUnicodeString(x,x)

loc_611129:				; CODE XREF: IopAddBugcheckTriageDriver(x)+1Bj
		mov	eax, edi
		pop	edi
		pop	esi
		retn
_IopAddBugcheckTriageDriver@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddBugcheckTriageIrp(x, x)
_IopAddBugcheckTriageIrp@8 proc	near	; CODE XREF: IopAddBugcheckPowerTriageData(x,x,x)+1Fp
					; IopAddBugcheckPowerTriageData(x,x,x)+ABp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		push	70h
		mov	[ebp+var_1], dl
		xor	ebx, ebx
		pop	edx
		mov	edi, ecx
		mov	[ebp+var_10], ebx
		mov	esi, ebx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	loc_611259
		movzx	ecx, word ptr [edi+2]
		mov	eax, 800h
		cmp	cx, ax
		ja	loc_61124F
		mov	al, [edi+22h]
		mov	[ebp+var_2], al
		cmp	al, 40h
		jg	loc_61124F
		mov	eax, ecx
		mov	ecx, edi
		mov	[ebp+var_C], eax
		add	eax, 7
		and	eax, 0FFFFFFF8h
		mov	edx, eax
		mov	[ebp+var_14], eax
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	loc_61124F
		mov	edx, [ebp+var_14]
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		cmp	[ebp+var_1], 1
		jnz	loc_61125E
		mov	cl, [ebp+var_2]
		mov	eax, ebx
		movsx	ebx, cl
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], ebx
		test	cl, cl
		jle	loc_61125E
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		add	edx, edi
		mov	[ebp+var_C], edx

loc_6111C8:				; CODE XREF: IopAddBugcheckTriageIrp(x,x)+119j
		movsx	eax, al
		imul	ebx, eax, 24h
		lea	eax, [edi+94h]
		add	eax, ebx
		cmp	eax, edx
		ja	short loc_611259
		mov	ebx, [ebx+edi+84h]
		test	ebx, ebx
		jz	short loc_61123E
		mov	eax, [ebp+var_10]

loc_6111E8:				; CODE XREF: IopAddBugcheckTriageIrp(x,x)+F2j
		inc	eax
		mov	edx, 0B8h
		mov	ecx, ebx
		mov	[ebp+var_10], eax
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_611233
		mov	ebx, [ebx+0B0h]
		mov	ecx, ebx
		push	40h
		pop	edx
		mov	[ebp+var_18], ebx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_611233
		mov	ebx, [ebx+18h]
		test	ebx, ebx
		jz	short loc_611224
		mov	eax, [ebp+var_10]
		cmp	eax, 0Ah
		jl	short loc_6111E8
		jmp	short loc_611238
; 

loc_611224:				; CODE XREF: IopAddBugcheckTriageIrp(x,x)+EAj
		mov	ecx, [ebp+var_18]
		mov	ecx, [ecx+14h]
		call	_IopAddBugcheckTriageDeviceNode@4 ; IopAddBugcheckTriageDeviceNode(x)
		mov	esi, eax
		jmp	short loc_611238
; 

loc_611233:				; CODE XREF: IopAddBugcheckTriageIrp(x,x)+CCj
					; IopAddBugcheckTriageIrp(x,x)+E3j
		mov	esi, 0C0000001h

loc_611238:				; CODE XREF: IopAddBugcheckTriageIrp(x,x)+F4j
					; IopAddBugcheckTriageIrp(x,x)+103j
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]

loc_61123E:				; CODE XREF: IopAddBugcheckTriageIrp(x,x)+B5j
		mov	eax, [ebp+var_14]
		inc	eax
		mov	[ebp+var_14], eax
		cmp	eax, ecx
		jl	loc_6111C8
		jmp	short loc_61125E
; 

loc_61124F:				; CODE XREF: IopAddBugcheckTriageIrp(x,x)+33j
					; IopAddBugcheckTriageIrp(x,x)+41j ...
		push	70h
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock

loc_611259:				; CODE XREF: IopAddBugcheckTriageIrp(x,x)+21j
					; IopAddBugcheckTriageIrp(x,x)+AAj
		mov	esi, 0C0000001h

loc_61125E:				; CODE XREF: IopAddBugcheckTriageIrp(x,x)+74j
					; IopAddBugcheckTriageIrp(x,x)+8Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_IopAddBugcheckTriageIrp@8 endp


;  S U B	R O U T	I N E 


; __stdcall IopAddBugcheckTriagePoFxDevice(x)
_IopAddBugcheckTriagePoFxDevice@4 proc near
					; CODE XREF: IopAddBugcheckTriageDeviceNode(x)+4Fp
		mov	edi, edi
		push	esi
		push	edi
		push	20h
		pop	edx
		mov	edi, ecx
		xor	esi, esi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jnz	short loc_611280
		mov	esi, 0C0000001h
		jmp	short loc_611298
; 

loc_611280:				; CODE XREF: IopAddBugcheckTriagePoFxDevice(x)+12j
		push	20h
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	short loc_611298
		xor	dl, dl
		call	_IopAddBugcheckTriageIrp@8 ; IopAddBugcheckTriageIrp(x,x)

loc_611298:				; CODE XREF: IopAddBugcheckTriagePoFxDevice(x)+19j
					; IopAddBugcheckTriagePoFxDevice(x)+2Aj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_IopAddBugcheckTriagePoFxDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddBugcheckTriageThread(x)
_IopAddBugcheckTriageThread@4 proc near	; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+E0p
					; IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+114p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, 4E0h
		xor	edi, edi
		mov	edx, ebx
		mov	[ebp+var_4], edi
		mov	esi, ecx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	loc_61134D
		mov	edx, ebx
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		test	dword ptr [esi+5Ch], 20000h
		jz	short loc_611304
		mov	edx, [esi+28h]
		mov	eax, [esi+24h]
		mov	ebx, [esi+48h]
		mov	eax, 1FFFh
		sub	edx, ebx
		cmp	edx, eax
		jb	short loc_6112EA
		mov	edx, eax

loc_6112EA:				; CODE XREF: IopAddBugcheckTriageThread(x)+49j
		add	ebx, 7
		and	ebx, 0FFFFFFF8h
		mov	ecx, ebx
		call	_IopGetMaxValidMemorySize@8 ; IopGetMaxValidMemorySize(x,x)
		test	eax, eax
		jz	short loc_611304
		mov	edx, eax
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock

loc_611304:				; CODE XREF: IopAddBugcheckTriageThread(x)+35j
					; IopAddBugcheckTriageThread(x)+5Cj
		lea	ebx, [esi+2CCh]
		mov	esi, [ebx]
		mov	[ebp+var_8], ebx
		jmp	short loc_611347
; 

loc_611311:				; CODE XREF: IopAddBugcheckTriageThread(x)+ACj
		cmp	esi, ebx
		jz	short loc_611352
		mov	eax, [ebp+var_4]
		cmp	eax, 0Ah
		jge	short loc_611352
		push	70h
		inc	eax
		lea	ecx, [esi-10h]
		pop	edx
		mov	[ebp+var_4], eax
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_61134D
		mov	eax, [ebp+var_8]
		lea	ecx, [esi-10h]
		cmp	[ecx+14h], eax
		jnz	short loc_61134D
		mov	dl, 1
		call	_IopAddBugcheckTriageIrp@8 ; IopAddBugcheckTriageIrp(x,x)
		mov	[ebp+var_8], esi
		mov	esi, [esi]

loc_611347:				; CODE XREF: IopAddBugcheckTriageThread(x)+72j
		test	esi, esi
		jnz	short loc_611311
		jmp	short loc_611352
; 

loc_61134D:				; CODE XREF: IopAddBugcheckTriageThread(x)+1Fj
					; IopAddBugcheckTriageThread(x)+91j ...
		mov	edi, 0C0000001h

loc_611352:				; CODE XREF: IopAddBugcheckTriageThread(x)+76j
					; IopAddBugcheckTriageThread(x)+7Ej ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopAddBugcheckTriageThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddBugcheckTriageUnicodeString(x, x)
_IopAddBugcheckTriageUnicodeString@8 proc near
					; CODE XREF: IopAddBugcheckTriageDeviceNode(x)+2Ap
					; IopAddBugcheckTriageDeviceNode(x)+35p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		shr	eax, 10h
		xor	esi, esi
		test	ax, ax
		jz	short loc_6113B9
		mov	ecx, [ebp+arg_4]
		push	edi
		mov	edi, 100h
		cmp	ax, di
		ja	short loc_61139E
		lea	edi, [eax+7]
		and	edi, 0FFFFFFF8h
		mov	edx, edi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_611397
		mov	ecx, [ebp+arg_4]
		mov	edx, edi
		call	IoAddTriageDumpDataBlock
		jmp	short loc_6113B8
; 

loc_611397:				; CODE XREF: IopAddBugcheckTriageUnicodeString(x,x)+30j
		mov	esi, 0C0000001h
		jmp	short loc_6113B8
; 

loc_61139E:				; CODE XREF: IopAddBugcheckTriageUnicodeString(x,x)+1Fj
		mov	edx, edi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_6113B8
		mov	ecx, [ebp+arg_4]
		mov	edx, edi
		call	IoAddTriageDumpDataBlock
		mov	esi, 80000005h

loc_6113B8:				; CODE XREF: IopAddBugcheckTriageUnicodeString(x,x)+3Cj
					; IopAddBugcheckTriageUnicodeString(x,x)+43j ...
		pop	edi

loc_6113B9:				; CODE XREF: IopAddBugcheckTriageUnicodeString(x,x)+11j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_IopAddBugcheckTriageUnicodeString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddBugcheckTriageWorkQueue(x)
_IopAddBugcheckTriageWorkQueue@4 proc near ; CODE XREF:	IopAddBugcheckPnpTriageData(x,x)+41p
					; IopAddBugcheckPnpWatchdogTriageData(x,x)+39p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edx, 1A0h
		mov	esi, ecx
		mov	edi, ebx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_611435
		mov	edx, 1A0h
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		lea	eax, [esi+194h]
		mov	esi, [eax]
		mov	[ebp+var_8], eax
		test	esi, esi
		jz	short loc_61143A
		mov	[ebp+var_4], eax

loc_6113FC:				; CODE XREF: IopAddBugcheckTriageWorkQueue(x)+71j
		cmp	esi, eax
		jz	short loc_61143A
		cmp	ebx, 0Ah
		jge	short loc_61143A
		push	8
		pop	edx
		mov	ecx, esi
		inc	ebx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_611435
		mov	eax, [ebp+var_4]
		cmp	[esi+4], eax
		jnz	short loc_611435
		lea	ecx, [esi-140h]
		call	_IopAddBugcheckTriageThread@4 ;	IopAddBugcheckTriageThread(x)
		mov	eax, [ebp+var_8]
		mov	[ebp+var_4], esi
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_6113FC
		jmp	short loc_61143A
; 

loc_611435:				; CODE XREF: IopAddBugcheckTriageWorkQueue(x)+1Cj
					; IopAddBugcheckTriageWorkQueue(x)+52j	...
		mov	edi, 0C0000001h

loc_61143A:				; CODE XREF: IopAddBugcheckTriageWorkQueue(x)+37j
					; IopAddBugcheckTriageWorkQueue(x)+3Ej	...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopAddBugcheckTriageWorkQueue@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAddPagesForPartialKernelDump(x, x, x, x, x, x, x,	x)
_IoAddPagesForPartialKernelDump@32 proc	near
					; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+300p
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+40Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_CrashdmpDumpBlock
		push	esi
		push	edi
		push	[ebp+arg_14]
		mov	eax, [eax+348h]
		mov	esi, edx
		push	[ebp+arg_10]
		mov	edi, ecx
		mov	ds:_AvailablePagesForPartialDump, eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_IopAddMiniDumpPagesToPartialKernelDump@32 ; IopAddMiniDumpPagesToPartialKernelDump(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_61148D
		push	[ebp+arg_8]
		mov	edx, esi
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, edi
		call	_IopAddLiveDumpPagesToPartialKernelDump@20 ; IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_61148F

loc_61148D:				; CODE XREF: IoAddPagesForPartialKernelDump(x,x,x,x,x,x,x,x)+34j
		xor	esi, esi

loc_61148F:				; CODE XREF: IoAddPagesForPartialKernelDump(x,x,x,x,x,x,x,x)+4Aj
		mov	ecx, edi
		call	_IopDumpCallRemovePagesCallbacks@4 ; IopDumpCallRemovePagesCallbacks(x)
		push	22h
		pop	ecx
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		mov	edi, ds:_CrashdmpDumpBlock
		mov	eax, ds:_AvailablePagesForPartialDump
		mov	edx, [edi+34Ch]
		mov	ecx, [edi+348h]
		test	edx, edx
		jb	short loc_6114CD
		ja	short loc_6114BF
		cmp	ecx, eax
		jbe	short loc_6114CD

loc_6114BF:				; CODE XREF: IoAddPagesForPartialKernelDump(x,x,x,x,x,x,x,x)+78j
		sub	ecx, eax
		mov	eax, [edi+8]
		sbb	edx, 0
		mov	[eax+28h], ecx
		mov	[eax+2Ch], edx

loc_6114CD:				; CODE XREF: IoAddPagesForPartialKernelDump(x,x,x,x,x,x,x,x)+76j
					; IoAddPagesForPartialKernelDump(x,x,x,x,x,x,x,x)+7Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	18h
_IoAddPagesForPartialKernelDump@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetDumpRangeForPartialKernelDump(x, x, x,	x)
_IoSetDumpRangeForPartialKernelDump@16 proc near
					; DATA XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+57o
					; IopAddMiniDumpPagesToPartialKernelDump(x,x,x,x,x,x,x,x)+69o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_IoSetDumpRange@16 ; IoSetDumpRange(x,x,x,x)
_IoSetDumpRangeForPartialKernelDump@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddLiveDumpPagesToPartialKernelDump(x, x, x, x, x)
_IopAddLiveDumpPagesToPartialKernelDump@20 proc	near
					; CODE XREF: IoAddPagesForPartialKernelDump(x,x,x,x,x,x,x,x)+41p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_C], ecx
		lea	edi, [ebp+var_24]
		mov	[ebp+var_10], edx
		stosd
		xor	ebx, ebx
		mov	esi, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_28], esi
		mov	edx, offset _KdDebuggerDataBlock
		or	esi, 3
		stosd
		push	380h
		stosd
		mov	eax, ds:_CrashdmpDumpBlock
		mov	ecx, [eax+8]
		mov	eax, [ecx+30h]
		mov	[ebp+var_18], eax
		lea	eax, [ecx+38h]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_30], ecx
		lea	ecx, [ebp+var_3C]
		mov	[ebp+var_34], eax
		mov	[ebp+var_2C], offset _AvailablePagesForPartialDump
		mov	[ebp+var_3C], offset _IoSetDumpRangeForPartialKernelDump@16 ; IoSetDumpRangeForPartialKernelDump(x,x,x,x)
		mov	[ebp+var_38], ebx
		mov	[ebp+var_28], esi
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	loc_611761
		mov	eax, ds:_KeNumberProcessors
		lea	ecx, [ebp+var_3C]
		shl	eax, 2
		mov	edx, offset _KiProcessorBlock
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	loc_611761
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	short loc_61159C

loc_611577:				; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+BAj
		mov	edx, ds:_KiProcessorBlock[ebx*4]
		lea	ecx, [ebp+var_3C]
		push	5F00h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	loc_611761
		inc	ebx
		cmp	ebx, ds:_KeNumberProcessors
		jb	short loc_611577

loc_61159C:				; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+95j
		mov	eax, ds:dword_70E328
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], offset _KeActiveProcessors

loc_6115AB:				; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+E9j
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		lea	ecx, [ebp+var_3C]
		test	eax, eax
		jnz	short loc_6115D0
		mov	edx, [ebp+var_8]
		call	_IopMarkPagesForProcessorData@8	; IopMarkPagesForProcessorData(x,x)
		test	eax, eax
		jns	short loc_6115AB
		jmp	loc_611761
; 

loc_6115D0:				; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+DDj
		push	2
		pop	edx
		call	_MmAddPrivateDataToCrashDump@8 ; MmAddPrivateDataToCrashDump(x,x)
		test	eax, eax
		js	loc_611761
		push	720h
		mov	edx, 0FFDF0000h
		lea	ecx, [ebp+var_3C]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	loc_611761
		push	4
		pop	edx
		lea	ecx, [ebp+var_3C]
		call	_MmAddPrivateDataToCrashDump@8 ; MmAddPrivateDataToCrashDump(x,x)
		test	eax, eax
		js	loc_611761
		push	8
		pop	edx
		lea	ecx, [ebp+var_3C]
		call	_MmAddPrivateDataToCrashDump@8 ; MmAddPrivateDataToCrashDump(x,x)
		test	eax, eax
		js	loc_611761
		mov	edx, ds:_MmPhysicalMemoryBlock
		test	edx, edx
		jz	short loc_611644
		mov	eax, [edx]
		lea	ecx, [ebp+var_3C]
		lea	eax, ds:8[eax*8]
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	loc_611761

loc_611644:				; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+148j
		push	20h
		pop	edx
		lea	ecx, [ebp+var_3C]
		call	_MmAddPrivateDataToCrashDump@8 ; MmAddPrivateDataToCrashDump(x,x)
		test	eax, eax
		js	loc_611761
		mov	ebx, [ebp+var_C]
		cmp	ebx, 15Fh
		jnz	short loc_6116B1
		cmp	[ebp+var_10], 2
		jnz	short loc_6116B1
		mov	esi, [ebp+arg_0]
		lea	ecx, [ebp+var_3C]
		push	20h
		mov	edx, esi
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	loc_611761
		mov	edx, [esi+1Ch]
		lea	ecx, [ebp+var_3C]
		call	_IopMarkPagesForDeviceNode@8 ; IopMarkPagesForDeviceNode(x,x)
		mov	ecx, 0C0000023h
		cmp	eax, ecx
		jnz	short loc_61169A
		mov	eax, ecx
		jmp	loc_611761
; 

loc_61169A:				; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+1B1j
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jz	short loc_6116B1
		lea	ecx, [ebp+var_3C]
		call	_IopMarkPagesForDeviceNode@8 ; IopMarkPagesForDeviceNode(x,x)
		test	eax, eax
		js	loc_611761

loc_6116B1:				; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+180j
					; IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+186j ...
		lea	ecx, [ebp+var_3C]
		call	_ExAddPrivateDataToCrashDump@8 ; ExAddPrivateDataToCrashDump(x,x)
		test	eax, eax
		js	loc_611761
		mov	esi, ds:_PsActiveProcessHead
		cmp	esi, offset _PsActiveProcessHead
		jz	short loc_611738

loc_6116CF:				; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+253j
		lea	edx, [esi-0E8h]
		lea	ebx, [edx+1D0h]
		mov	edi, [ebx]
		lea	ecx, [ebp+var_3C]
		push	500h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611761
		jmp	short loc_611727
; 

loc_6116F0:				; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+249j
		lea	edx, [edi-2E4h]
		push	4E0h
		lea	ecx, [ebp+var_3C]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611761
		lea	edx, [edi-2E4h]
		mov	eax, [edx+24h]
		mov	ecx, [edx+28h]
		mov	edx, [edx+24h]
		sub	ecx, eax
		push	ecx
		lea	ecx, [ebp+var_3C]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611761
		mov	edi, [edi]

loc_611727:				; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+20Ej
		cmp	edi, ebx
		jnz	short loc_6116F0
		mov	esi, [esi]
		cmp	esi, offset _PsActiveProcessHead
		jnz	short loc_6116CF
		mov	ebx, [ebp+var_C]

loc_611738:				; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+1EDj
		push	10h
		pop	edx
		lea	ecx, [ebp+var_3C]
		call	_MmAddPrivateDataToCrashDump@8 ; MmAddPrivateDataToCrashDump(x,x)
		test	eax, eax
		js	short loc_611761
		mov	ecx, ebx
		call	_IopDumpCallAddPagesCallbacks@4	; IopDumpCallAddPagesCallbacks(x)
		push	21h
		pop	ecx
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		xor	edx, edx
		lea	ecx, [ebp+var_3C]
		inc	edx
		call	_MmAddPrivateDataToCrashDump@8 ; MmAddPrivateDataToCrashDump(x,x)

loc_611761:				; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+6Bj
					; IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+89j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_IopAddLiveDumpPagesToPartialKernelDump@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddMiniDumpPagesToPartialKernelDump(x, x, x, x, x, x, x,	x)
_IopAddMiniDumpPagesToPartialKernelDump@32 proc	near
					; CODE XREF: IoAddPagesForPartialKernelDump(x,x,x,x,x,x,x,x)+2Dp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_14], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		cmp	ds:_AvailablePagesForPartialDump, esi
		jnz	short loc_611792
		mov	eax, 0C0000023h
		jmp	loc_611889
; 

loc_611792:				; CODE XREF: IopAddMiniDumpPagesToPartialKernelDump(x,x,x,x,x,x,x,x)+1Ej
		push	[ebp+arg_14]
		mov	eax, ds:_CrashdmpDumpBlock
		mov	edi, [ebp+arg_10]
		push	edi
		push	[ebp+arg_C]
		mov	ecx, [eax+8]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		mov	eax, [ecx+30h]
		push	[ebp+arg_0]
		mov	[ebp+var_10], eax
		lea	eax, [ecx+38h]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_24], esi
		or	esi, 3
		mov	[ebp+var_1C], ecx
		mov	ecx, ebx
		mov	[ebp+var_20], eax
		mov	[ebp+var_18], offset _AvailablePagesForPartialDump
		mov	[ebp+var_28], offset _IoSetDumpRangeForPartialKernelDump@16 ; IoSetDumpRangeForPartialKernelDump(x,x,x,x)
		mov	[ebp+var_14], esi
		call	_IopUpdateMinidumpContext@32 ; IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)
		lea	ecx, [ebp+var_28]
		call	_MmAddUnloadedDriverInformationToCrashDump@4 ; MmAddUnloadedDriverInformationToCrashDump(x)
		test	eax, eax
		js	loc_611889
		lea	ecx, [ebp+var_28]
		call	_IopMarkPagesForLoadedDriverInformation@4 ; IopMarkPagesForLoadedDriverInformation(x)
		test	eax, eax
		js	loc_611889
		mov	edx, [ebp+arg_C]
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		mov	ecx, edi
		push	eax
		call	_IopCalculateStackInformation@16 ; IopCalculateStackInformation(x,x,x,x)
		mov	esi, [ebp+var_4]
		mov	ebx, [ebp+var_8]
		test	al, al
		jz	short loc_611830
		mov	edx, [ebp+arg_C]
		lea	eax, [ebx+esi]
		push	eax
		push	esi
		lea	ecx, [ebp+var_28]
		call	_IopMarkPagesForRunTimeTriageDataBlocks@16 ; IopMarkPagesForRunTimeTriageDataBlocks(x,x,x,x)
		test	eax, eax
		js	short loc_611889

loc_611830:				; CODE XREF: IopAddMiniDumpPagesToPartialKernelDump(x,x,x,x,x,x,x,x)+B2j
		lea	ecx, [ebp+var_28]
		call	_IopMarkPagesForDpcData@4 ; IopMarkPagesForDpcData(x)
		test	eax, eax
		js	short loc_611889
		mov	edx, [edi+80h]
		lea	ecx, [ebp+var_28]
		push	500h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611889
		push	4E0h
		mov	edx, edi
		lea	ecx, [ebp+var_28]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611889
		push	ebx
		mov	edx, esi
		lea	ecx, [ebp+var_28]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611889
		mov	edx, ds:_CrashdmpDumpBlock
		lea	ecx, [ebp+var_28]
		mov	edx, [edx+340h]
		call	_IopAddTriageDumpDataToPartialKernelDump@8 ; IopAddTriageDumpDataToPartialKernelDump(x,x)

loc_611889:				; CODE XREF: IopAddMiniDumpPagesToPartialKernelDump(x,x,x,x,x,x,x,x)+25j
					; IopAddMiniDumpPagesToPartialKernelDump(x,x,x,x,x,x,x,x)+82j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_IopAddMiniDumpPagesToPartialKernelDump@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddTriageDumpDataToPartialKernelDump(x, x)
_IopAddTriageDumpDataToPartialKernelDump@8 proc	near
					; CODE XREF: IopAddMiniDumpPagesToPartialKernelDump(x,x,x,x,x,x,x,x)+11Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	eax, ecx
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], eax
		test	edi, edi
		jz	short loc_611904
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_611904

loc_6118AF:				; CODE XREF: IopAddTriageDumpDataToPartialKernelDump(x,x)+72j
		cmp	dword ptr [esi+8], 0
		jbe	short loc_6118F9
		push	dword ptr [esi+18h]
		mov	edx, [esi+1Ch]
		mov	ecx, eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		xor	eax, eax
		mov	[ebp+var_4], eax
		cmp	[esi+8], eax
		jbe	short loc_6118F9
		mov	edi, [ebp+var_8]
		lea	ebx, [esi+24h]

loc_6118D2:				; CODE XREF: IopAddTriageDumpDataToPartialKernelDump(x,x)+64j
		mov	edx, [ebx-4]
		test	edx, edx
		jz	short loc_6118EA
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	short loc_6118EA
		push	ecx
		mov	ecx, edi
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		mov	eax, [ebp+var_4]

loc_6118EA:				; CODE XREF: IopAddTriageDumpDataToPartialKernelDump(x,x)+47j
					; IopAddTriageDumpDataToPartialKernelDump(x,x)+4Dj
		inc	eax
		add	ebx, 8
		mov	[ebp+var_4], eax
		cmp	eax, [esi+8]
		jb	short loc_6118D2
		mov	edi, [ebp+var_C]

loc_6118F9:				; CODE XREF: IopAddTriageDumpDataToPartialKernelDump(x,x)+23j
					; IopAddTriageDumpDataToPartialKernelDump(x,x)+3Aj
		mov	eax, [esi]
		mov	esi, eax
		cmp	eax, edi
		mov	eax, [ebp+var_8]
		jnz	short loc_6118AF

loc_611904:				; CODE XREF: IopAddTriageDumpDataToPartialKernelDump(x,x)+17j
					; IopAddTriageDumpDataToPartialKernelDump(x,x)+1Dj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
_IopAddTriageDumpDataToPartialKernelDump@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCalculateStackInformation(x, x, x, x)
_IopCalculateStackInformation@16 proc near
					; CODE XREF: IopAddMiniDumpPagesToPartialKernelDump(x,x,x,x,x,x,x,x)+A5p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		test	esi, esi
		jz	short loc_611959
		test	dword ptr [esi+5Ch], 20000h
		jz	short loc_611959
		mov	ecx, [edx+0C4h]
		mov	eax, [esi+24h]
		mov	edx, [esi+28h]
		push	edi
		cmp	eax, ecx
		ja	short loc_611938
		cmp	ecx, edx
		jb	short loc_61193B

loc_611938:				; CODE XREF: IopCalculateStackInformation(x,x,x,x)+27j
		mov	ecx, [esi+24h]

loc_61193B:				; CODE XREF: IopCalculateStackInformation(x,x,x,x)+2Bj
		mov	edi, [ebp+arg_0]
		sub	edx, ecx
		mov	esi, [ebp+arg_4]
		mov	[edi], ecx
		mov	[esi], edx
		call	_IopGetMaxValidMemorySize@8 ; IopGetMaxValidMemorySize(x,x)
		cmp	[edi], ebx
		mov	[esi], eax
		pop	edi
		jbe	short loc_611959
		test	eax, eax
		jz	short loc_611959
		mov	bl, 1

loc_611959:				; CODE XREF: IopCalculateStackInformation(x,x,x,x)+Dj
					; IopCalculateStackInformation(x,x,x,x)+16j ...
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
_IopCalculateStackInformation@16 endp


;  S U B	R O U T	I N E 


; __stdcall IopMarkPagesForDeviceNode(x, x)
_IopMarkPagesForDeviceNode@8 proc near	; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+1A5p
					; IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+1C4p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		push	2Ch
		mov	esi, edx
		mov	edi, ecx
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_61199D
		movzx	eax, word ptr [esi+14h]
		mov	ecx, edi
		mov	edx, [esi+18h]
		add	eax, 2
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_61199D
		movzx	eax, word ptr [esi+1Ch]
		mov	ecx, edi
		mov	edx, [esi+20h]
		add	eax, 2
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)

loc_61199D:				; CODE XREF: IopMarkPagesForDeviceNode(x,x)+12j
					; IopMarkPagesForDeviceNode(x,x)+28j
		pop	edi
		pop	esi
		pop	ecx
		retn
_IopMarkPagesForDeviceNode@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopMarkPagesForDpcData(x)
_IopMarkPagesForDpcData@4 proc near	; CODE XREF: IopAddMiniDumpPagesToPartialKernelDump(x,x,x,x,x,x,x,x)+CBp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], ecx
		xor	edi, edi
		cmp	ds:_KeNumberProcessors,	eax
		jbe	loc_611A6B

loc_6119BF:				; CODE XREF: IopMarkPagesForDpcData(x)+C4j
		mov	esi, ds:_KiProcessorBlock[edi*4]
		test	esi, esi
		jz	loc_611A5E
		mov	edx, [esi+4060h]
		test	edx, edx
		jz	short loc_611A04
		mov	ebx, ds:dword_7050A0
		mov	eax, [esi+4064h]
		shl	ebx, 2
		sub	eax, edx
		cmp	eax, ebx
		jbe	short loc_6119EF
		mov	eax, ebx

loc_6119EF:				; CODE XREF: IopMarkPagesForDpcData(x)+4Aj
		test	eax, eax
		jnz	short loc_6119FB
		mov	eax, ds:_KiDpcWatchdogProfileArrayLength
		shl	eax, 2

loc_6119FB:				; CODE XREF: IopMarkPagesForDpcData(x)+50j
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		mov	ecx, [ebp+var_4]

loc_611A04:				; CODE XREF: IopMarkPagesForDpcData(x)+35j
		and	[ebp+var_8], 0
		lea	ebx, [esi+21E0h]

loc_611A0E:				; CODE XREF: IopMarkPagesForDpcData(x)+BBj
		push	18h
		mov	edx, ebx
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611A6B
		mov	esi, [ebx]
		jmp	short loc_611A48
; 

loc_611A1F:				; CODE XREF: IopMarkPagesForDpcData(x)+A9j
		mov	ecx, [ebp+var_4]
		lea	edx, [esi-4]
		push	20h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611A6B
		mov	edx, [esi+18h]
		cmp	edx, 1
		jz	short loc_611A46
		mov	ecx, [ebp+var_4]
		push	60h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611A6B

loc_611A46:				; CODE XREF: IopMarkPagesForDpcData(x)+95j
		mov	esi, [esi]

loc_611A48:				; CODE XREF: IopMarkPagesForDpcData(x)+7Cj
		test	esi, esi
		jnz	short loc_611A1F
		mov	ecx, [ebp+var_8]
		add	ebx, 18h
		inc	ecx
		mov	[ebp+var_8], ecx
		cmp	ecx, 2
		mov	ecx, [ebp+var_4]
		jb	short loc_611A0E

loc_611A5E:				; CODE XREF: IopMarkPagesForDpcData(x)+27j
		inc	edi
		cmp	edi, ds:_KeNumberProcessors
		jb	loc_6119BF

loc_611A6B:				; CODE XREF: IopMarkPagesForDpcData(x)+18j
					; IopMarkPagesForDpcData(x)+78j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopMarkPagesForDpcData@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopMarkPagesForLoadedDriverInformation(x)
_IopMarkPagesForLoadedDriverInformation@4 proc near
					; CODE XREF: IopAddMiniDumpPagesToPartialKernelDump(x,x,x,x,x,x,x,x)+8Bp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, offset _PsLoadedModuleList
		mov	edi, ecx
		push	8
		mov	edx, ebx
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611AED
		mov	esi, ds:_PsLoadedModuleList
		jmp	short loc_611AE9
; 

loc_611A91:				; CODE XREF: IopMarkPagesForLoadedDriverInformation(x)+7Bj
		push	5Ch
		mov	edx, esi
		mov	ecx, edi
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611AED
		movzx	eax, word ptr [esi+2Ch]
		mov	ecx, edi
		mov	edx, [esi+30h]
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611AED
		movzx	eax, word ptr [esi+24h]
		mov	ecx, edi
		mov	edx, [esi+28h]
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611AED
		mov	edx, [esi+14h]
		mov	ecx, edi
		push	20h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611AED
		push	dword ptr [esi+20h]
		mov	edx, [esi+18h]
		mov	ecx, edi
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611AED
		mov	esi, [esi]

loc_611AE9:				; CODE XREF: IopMarkPagesForLoadedDriverInformation(x)+1Fj
		cmp	esi, ebx
		jnz	short loc_611A91

loc_611AED:				; CODE XREF: IopMarkPagesForLoadedDriverInformation(x)+17j
					; IopMarkPagesForLoadedDriverInformation(x)+2Ej ...
		pop	edi
		pop	esi
		pop	ebx
		retn
_IopMarkPagesForLoadedDriverInformation@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopMarkPagesForProcessorData(x, x)
_IopMarkPagesForProcessorData@8	proc near
					; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+E2p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ds:_KiProcessorBlock[edx*4]
		push	edi
		push	6020h
		mov	edi, ecx
		lea	edx, [esi-20h]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	loc_611BC3
		mov	edx, [esi+4]
		mov	ecx, edi
		push	4E0h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	loc_611BC3
		mov	eax, [esi+4]
		mov	ecx, edi
		push	500h
		mov	edx, [eax+80h]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611BC3
		mov	edx, [esi+4168h]
		mov	ecx, edi
		push	2CCh
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611BC3
		mov	eax, [esi+4168h]
		mov	ebx, 2000h
		push	ebx
		mov	ecx, edi
		mov	edx, [eax+0C4h]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611BC3
		mov	eax, [esi+4168h]
		mov	ecx, edi
		push	ebx
		mov	edx, [eax+0B8h]
		sub	edx, 1000h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611BC3
		movzx	eax, word ptr [esi+30Eh]
		mov	ecx, edi
		mov	edx, [esi+310h]
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_611BC3
		movzx	eax, word ptr [esi+316h]
		mov	ecx, edi
		mov	edx, [esi+318h]
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)

loc_611BC3:				; CODE XREF: IopMarkPagesForProcessorData(x,x)+1Dj
					; IopMarkPagesForProcessorData(x,x)+34j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
_IopMarkPagesForProcessorData@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopMarkPagesForRunTimeTriageDataBlocks(x, x, x, x)
_IopMarkPagesForRunTimeTriageDataBlocks@16 proc	near
					; CODE XREF: IopAddMiniDumpPagesToPartialKernelDump(x,x,x,x,x,x,x,x)+BFp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	ecx, [edi+0B8h]
		call	_IopGetMaxValidMemorySizeDown@8	; IopGetMaxValidMemorySizeDown(x,x)
		mov	ecx, [edi+0B8h]
		mov	edx, 100h
		mov	esi, eax
		call	_IopGetMaxValidMemorySize@8 ; IopGetMaxValidMemorySize(x,x)
		mov	edx, [edi+0B8h]
		sub	edx, esi
		lea	ecx, [eax+esi]
		push	ecx
		mov	ecx, ebx
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_611C53
		mov	esi, offset _IopRunTimeContextOffsets ;	"Ĵ"
		mov	edx, 0B8h

loc_611C14:				; CODE XREF: IopMarkPagesForRunTimeTriageDataBlocks(x,x,x,x)+88j
		movzx	eax, dx
		mov	edx, [eax+edi]
		cmp	edx, [ebp+arg_0]
		jb	short loc_611C24
		cmp	edx, [ebp+arg_4]
		jb	short loc_611C3C

loc_611C24:				; CODE XREF: IopMarkPagesForRunTimeTriageDataBlocks(x,x,x,x)+56j
		push	1000h
		and	edx, 0FFFFF000h
		mov	ecx, ebx
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_611C51

loc_611C3C:				; CODE XREF: IopMarkPagesForRunTimeTriageDataBlocks(x,x,x,x)+5Bj
		add	esi, 2
		mov	[ebp+var_4], 0FFFFh
		movzx	eax, word ptr [esi]
		mov	edx, eax
		cmp	ax, word ptr [ebp+var_4]
		jb	short loc_611C14

loc_611C51:				; CODE XREF: IopMarkPagesForRunTimeTriageDataBlocks(x,x,x,x)+73j
		mov	eax, ecx

loc_611C53:				; CODE XREF: IopMarkPagesForRunTimeTriageDataBlocks(x,x,x,x)+41j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_IopMarkPagesForRunTimeTriageDataBlocks@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0dzd_EtwWriteTransfer(x,	x, x, x, x, x)
_McTemplateK0dzd_EtwWriteTransfer@24 proc near ; CODE XREF: IopInitializeBootDrivers+2D2B6p

var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_8]
		lea	eax, [ebp+arg_4]
		push	ebx
		push	edi
		xor	edi, edi
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi
		push	4
		pop	ebx
		mov	[ebp+var_2C], ebx
		test	edx, edx
		jz	short loc_611CA8
		mov	ecx, edx
		push	esi
		lea	esi, [ecx+2]

loc_611C8F:				; CODE XREF: McTemplateK0dzd_EtwWriteTransfer(x,x,x,x,x,x)+3Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_611C8F
		sub	ecx, esi
		sar	ecx, 1
		pop	esi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_611CAB
; 

loc_611CA8:				; CODE XREF: McTemplateK0dzd_EtwWriteTransfer(x,x,x,x,x,x)+2Dj
		push	0Ah
		pop	ecx

loc_611CAB:				; CODE XREF: McTemplateK0dzd_EtwWriteTransfer(x,x,x,x,x,x)+4Cj
		test	edx, edx
		jnz	short loc_611CB4
		mov	edx, (offset off_5A4D00+2)

loc_611CB4:				; CODE XREF: McTemplateK0dzd_EtwWriteTransfer(x,x,x,x,x,x)+53j
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_24], edx
		mov	[ebp+var_14], eax
		mov	edx, offset _KMPnPEvt_DriverOverride_SetOverride
		lea	eax, [ebp+var_44]
		mov	[ebp+var_1C], ecx
		push	eax
		push	ebx
		push	edi
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], edi
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_McTemplateK0dzd_EtwWriteTransfer@24 endp


;  S U B	R O U T	I N E 


; __stdcall PnpInitializeProcessor(x)
_PnpInitializeProcessor@4 proc near	; CODE XREF: KeStartDynamicProcessor(x,x,x,x)+68p
		mov	ecx, ds:_IopRootDeviceNode
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		mov	ecx, [ecx+10h]
		push	1
		push	eax
		push	6
		pop	edx
		call	PnpRequestDeviceAction
		xor	eax, eax
		retn
_PnpInitializeProcessor@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlStringExHandleFillBehindNullW proc near ; CODE XREF:	RtlStringCbPrintfExW+EE497p
					; RtlStringCchPrintfExW+D2B94p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	edx, 2
		jbe	short loc_611D2F
		lea	eax, [edx-2]
		push	eax		; size_t
		movzx	eax, [ebp+arg_0]
		push	eax		; int
		lea	eax, [ecx+2]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_611D2F:				; CODE XREF: RtlStringExHandleFillBehindNullW+8j
		xor	eax, eax
		pop	ebp
		retn	4
RtlStringExHandleFillBehindNullW endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall StringExHandleOtherFlagsW(void	*,size_t,int,int,int,int)
StringExHandleOtherFlagsW proc near	; CODE XREF: RtlStringCbPrintfExW+EE44Ap
					; RtlStringCbCopyExW+D356Cp ...

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		shr	edi, 1
		jz	short loc_611D5E
		test	eax, 1000h
		jz	short loc_611D5E
		mov	ecx, [ebp+arg_4]
		mov	[ecx], ebx
		mov	ecx, [ebp+arg_8]
		mov	[ecx], edi
		xor	ecx, ecx
		mov	[ebx], cx

loc_611D5E:				; CODE XREF: StringExHandleOtherFlagsW+11j
					; StringExHandleOtherFlagsW+18j
		test	eax, 400h
		jz	short loc_611DA5
		push	edx		; size_t
		movzx	esi, al
		push	esi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jnz	short loc_611D86
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		mov	[edx], ebx
		mov	[ecx], edi

loc_611D81:				; CODE XREF: StringExHandleOtherFlagsW+6Ej
		mov	eax, [ebp+arg_C]
		jmp	short loc_611DAB
; 

loc_611D86:				; CODE XREF: StringExHandleOtherFlagsW+40j
		test	edi, edi
		jz	short loc_611DBF
		mov	edx, [ebp+arg_4]
		lea	eax, [ebx-2]
		mov	ecx, [ebp+arg_8]
		lea	eax, [eax+edi*2]
		xor	esi, esi
		mov	[eax], si
		mov	[edx], eax
		mov	dword ptr [ecx], 1
		jmp	short loc_611D81
; 

loc_611DA5:				; CODE XREF: StringExHandleOtherFlagsW+2Ej
		mov	ecx, [ebp+arg_8]
		mov	edx, [ebp+arg_4]

loc_611DAB:				; CODE XREF: StringExHandleOtherFlagsW+4Fj
		test	edi, edi
		jz	short loc_611DBF
		test	eax, 800h
		jz	short loc_611DBF
		xor	eax, eax
		mov	[edx], ebx
		mov	[ecx], edi
		mov	[ebx], ax

loc_611DBF:				; CODE XREF: StringExHandleOtherFlagsW+53j
					; StringExHandleOtherFlagsW+78j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	10h
StringExHandleOtherFlagsW endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlUnicodeStringExHandleOtherFlags(void *,int,int,int,int,int,int)
RtlUnicodeStringExHandleOtherFlags proc	near
					; CODE XREF: RtlUnicodeStringCopyStringEx+7AB42p
					; _RtlUnicodeStringPrintfEx+115p

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		mov	esi, edx
		mov	edx, [ebp+arg_4]
		push	edi
		mov	edi, ecx
		mov	ecx, [ebp+arg_8]
		test	ebx, 1000h
		jz	short loc_611DEF
		and	dword ptr [edx], 0
		mov	[ecx], edi
		mov	[eax], esi

loc_611DEF:				; CODE XREF: RtlUnicodeStringExHandleOtherFlags+1Ej
		test	ebx, 400h
		jz	short loc_611E18
		lea	eax, [esi+esi]
		push	eax		; size_t
		movzx	eax, bl
		push	eax		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+arg_8]
		add	esp, 0Ch
		mov	eax, [ebp+arg_C]
		mov	edx, [ebp+arg_4]
		mov	[ecx], edi
		mov	[eax], esi
		and	dword ptr [edx], 0

loc_611E18:				; CODE XREF: RtlUnicodeStringExHandleOtherFlags+2Dj
		test	ebx, 800h
		jz	short loc_611E27
		and	dword ptr [edx], 0
		mov	[ecx], edi
		mov	[eax], esi

loc_611E27:				; CODE XREF: RtlUnicodeStringExHandleOtherFlags+56j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	14h
RtlUnicodeStringExHandleOtherFlags endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 949. IoReleaseRemoveLockAndWaitEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoReleaseRemoveLockAndWaitEx(x, x, x)
		public _IoReleaseRemoveLockAndWaitEx@12
_IoReleaseRemoveLockAndWaitEx@12 proc near ; CODE XREF:	PopFxAcpiUnregisterDevice(x,x)+40p
					; PopFxUnregisterDevice(x)+A7p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	byte ptr [esi],	1
		lea	ecx, [esi+4]
		lock dec dword ptr [ecx]
		or	edi, 0FFFFFFFFh
		mov	eax, edi
		lock xadd [ecx], eax
		dec	eax
		xor	ecx, ecx
		test	eax, eax
		jle	short loc_611E65
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [esi+8]
		push	eax
		call	KeWaitForSingleObject

loc_611E65:				; CODE XREF: IoReleaseRemoveLockAndWaitEx(x,x,x)+21j
		cmp	[ebp+arg_8], 58h
		jnz	short loc_611EB1
		push	ebx
		lea	ebx, [esi+38h]
		lock xadd [ebx], edi
		dec	edi
		jns	short loc_611EB0
		mov	eax, [esi+50h]
		mov	edx, [ebp+arg_4]
		mov	eax, [eax+4]
		cmp	edx, eax
		jz	short loc_611E9E
		test	ds:_MmVerifierData, 800h
		jz	short loc_611E9B
		push	eax
		mov	ecx, esi
		call	_VfRemLockReportBadReleaseAndWaitTag@12	; VfRemLockReportBadReleaseAndWaitTag(x,x,x)
		test	eax, eax
		jnz	short loc_611E9E

loc_611E9B:				; CODE XREF: IoReleaseRemoveLockAndWaitEx(x,x,x)+58j
		lock inc dword ptr [ebx]

loc_611E9E:				; CODE XREF: IoReleaseRemoveLockAndWaitEx(x,x,x)+4Cj
					; IoReleaseRemoveLockAndWaitEx(x,x,x)+64j
		push	0
		push	dword ptr [esi+50h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, ds:_MmBadPointer
		mov	[esi+50h], eax

loc_611EB0:				; CODE XREF: IoReleaseRemoveLockAndWaitEx(x,x,x)+3Fj
		pop	ebx

loc_611EB1:				; CODE XREF: IoReleaseRemoveLockAndWaitEx(x,x,x)+34j
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_IoReleaseRemoveLockAndWaitEx@12 endp


;  S U B	R O U T	I N E 


; __stdcall PiListEntryToDependencyEdge(x, x)
_PiListEntryToDependencyEdge@8 proc near ; CODE	XREF: PipNotifyDeviceDependencyList+6DF28p
					; IoDuplicateDependency(x,x)+7Ep ...
		test	edx, edx
		jz	short loc_611EBE
		add	ecx, 0FFFFFFF8h

loc_611EBE:				; CODE XREF: PiListEntryToDependencyEdge(x,x)+2j
		mov	eax, ecx
		retn
_PiListEntryToDependencyEdge@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipAddDependencyEdgeBetweenNodes(x,	x, x)
_PipAddDependencyEdgeBetweenNodes@12 proc near ; CODE XREF: PipDependencyCopyEdge(x,x)+22p
					; PipSetDependency(x,x)+54p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	esi, esi
		push	edi
		mov	edi, edx
		lea	edx, [ebx+8]
		mov	eax, [edx]
		jmp	short loc_611EDF
; 

loc_611ED6:				; CODE XREF: PipAddDependencyEdgeBetweenNodes(x,x,x)+20j
		mov	ecx, eax
		mov	eax, [eax]
		cmp	[ecx+10h], edi
		jz	short loc_611EF7

loc_611EDF:				; CODE XREF: PipAddDependencyEdgeBetweenNodes(x,x,x)+13j
		cmp	eax, edx
		jnz	short loc_611ED6
		mov	edx, edi
		mov	ecx, ebx
		call	_PipCheckValidNewDependencyEdge@8 ; PipCheckValidNewDependencyEdge(x,x)
		test	al, al
		jnz	short loc_611F01
		mov	esi, 0C0000001h
		jmp	short loc_611F2D
; 

loc_611EF7:				; CODE XREF: PipAddDependencyEdgeBetweenNodes(x,x,x)+1Cj
		mov	edx, [ebp+arg_0]
		call	_PipAddRequestToEdge@8 ; PipAddRequestToEdge(x,x)
		jmp	short loc_611F2D
; 

loc_611F01:				; CODE XREF: PipAddDependencyEdgeBetweenNodes(x,x,x)+2Dj
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, ebx
		call	_PipCreateNewDependencyEdge@12 ; PipCreateNewDependencyEdge(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_611F1A
		mov	esi, 0C000009Ah
		jmp	short loc_611F2D
; 

loc_611F1A:				; CODE XREF: PipAddDependencyEdgeBetweenNodes(x,x,x)+50j
		mov	eax, [ecx+10h]
		cmp	[eax+18h], esi
		jz	short loc_611F2D
		mov	ecx, [ecx+14h]
		mov	ecx, [ecx+18h]
		call	_PipAddtoRebuildPowerRelationsQueue@4 ;	PipAddtoRebuildPowerRelationsQueue(x)

loc_611F2D:				; CODE XREF: PipAddDependencyEdgeBetweenNodes(x,x,x)+34j
					; PipAddDependencyEdgeBetweenNodes(x,x,x)+3Ej ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PipAddDependencyEdgeBetweenNodes@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipCreateNewDependencyEdge(x, x, x)
_PipCreateNewDependencyEdge@12 proc near
					; CODE XREF: PipAddDependencyEdgeBetweenNodes(x,x,x)+47p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	53706E50h
		push	28h
		push	200h
		mov	ebx, edx
		mov	edi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_611F8A
		mov	edx, [ebp+arg_0]
		lea	ecx, [esi+1Ch]
		and	dword ptr [esi+18h], 0
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	ecx, esi
		mov	[esi+14h], edi
		mov	[esi+10h], ebx
		mov	byte ptr [esi+24h], 0
		call	_PipAddRequestToEdge@8 ; PipAddRequestToEdge(x,x)
		test	eax, eax
		jnz	short loc_611F93
		push	53706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi

loc_611F8A:				; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+21j
					; PipCreateNewDependencyEdge(x,x,x)+D8j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_611F93:				; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+45j
		mov	ecx, edi
		call	_PipReferenceDependencyNode@4 ;	PipReferenceDependencyNode(x)
		mov	ecx, ebx
		call	_PipReferenceDependencyNode@4 ;	PipReferenceDependencyNode(x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PiDependencyEdgeWriteLock
		mov	byte ptr [ebp+arg_0+3],	al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	edx, [ebx+10h]
		mov	eax, [edx+4]
		lea	ecx, [esi+8]
		cmp	[eax], edx
		jnz	short loc_612013
		mov	[ecx+4], eax
		mov	[ecx], edx
		mov	[eax], ecx
		lea	eax, [edi+8]
		mov	[edx+4], ecx
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_612013
		mov	[esi], eax
		mov	ecx, offset _PiDependencyEdgeWriteLock
		mov	[esi+4], edx
		mov	[edx], esi
		mov	[eax+4], esi
		test	ds:byte_70EFC6,	1
		jz	short loc_611FF7
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_611FFC
; 

loc_611FF7:				; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+B5j
		xor	eax, eax
		lock and [ecx],	eax

loc_611FFC:				; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+BFj
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, ebx
		mov	ecx, edi
		call	_PipNotifyDependenciesChanged@8	; PipNotifyDependenciesChanged(x,x)
		jmp	loc_611F8A
; 

loc_612013:				; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+89j
					; PipCreateNewDependencyEdge(x,x,x)+9Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PipFreeDependencyEdge(x, x)
_PipFreeDependencyEdge@8:		; CODE XREF: PipDeleteAllDependencyRelations(x)+4Fp
					; PipDeleteAllDependencyRelations(x)+84p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		lea	edi, [esi+1Ch]

loc_612028:				; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+116j
		mov	ecx, [edi]
		cmp	ecx, edi
		jz	short loc_61204E
		mov	eax, [ecx]
		cmp	[ecx+4], edi
		jnz	loc_6120E5
		cmp	[eax+4], ecx
		jnz	loc_6120E5
		mov	[edi], eax
		mov	[eax+4], edi
		call	_PipFreeBindingRequestEntry@4 ;	PipFreeBindingRequestEntry(x)
		jmp	short loc_612028
; 

loc_61204E:				; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+F6j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PiDependencyEdgeWriteLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ebx, ebx
		jz	short loc_61206B
		mov	ecx, [esi+18h]
		or	[ebx+18h], ecx

loc_61206B:				; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+12Dj
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_6120E5
		cmp	[eax], esi
		jnz	short loc_6120E5
		mov	[eax], ecx
		lea	edi, [esi+8]
		mov	[ecx+4], eax
		mov	edx, [edi]
		mov	eax, [edi+4]
		cmp	[edx+4], edi
		jnz	short loc_6120E5
		cmp	[eax], edi
		jnz	short loc_6120E5
		mov	[eax], edx
		mov	ecx, offset _PiDependencyEdgeWriteLock
		mov	[edx+4], eax
		test	ds:byte_70EFC6,	1
		jz	short loc_6120AC
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6120B1
; 

loc_6120AC:				; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+16Aj
		xor	eax, eax
		lock and [ecx],	eax

loc_6120B1:				; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+174j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esi+10h]
		mov	ecx, [esi+14h]
		call	_PipNotifyDependenciesChanged@8	; PipNotifyDependenciesChanged(x,x)
		mov	ecx, [esi+10h]
		call	_PipDereferenceDependencyNode@4	; PipDereferenceDependencyNode(x)
		mov	ecx, [esi+14h]
		call	_PipDereferenceDependencyNode@4	; PipDereferenceDependencyNode(x)
		push	53706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_6120E5:				; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+FDj
					; PipCreateNewDependencyEdge(x,x,x)+106j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PipMergeDependencyTypes(x, x)
_PipMergeDependencyTypes@8:		; CODE XREF: PipAddRequestToEdge(x,x)+F8p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PiDependencyEdgeWriteLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		or	[esi+18h], edi
		mov	ecx, offset _PiDependencyEdgeWriteLock
		test	ds:byte_70EFC6,	1
		jz	short loc_612123
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_612128
; 

loc_612123:				; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+1E1j
		xor	eax, eax
		lock and [ecx],	eax

loc_612128:				; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+1EBj
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_PipCreateNewDependencyEdge@12 endp


;  S U B	R O U T	I N E 


; __stdcall PipMoveListEntries(x, x)
_PipMoveListEntries@8 proc near		; CODE XREF: PipMergeDependencyEdgeList(x,x,x)+F3p
					; PipMergeDependencyNodes(x,x)+1Ap
		mov	edi, edi
		push	esi
		mov	esi, [edx]
		cmp	esi, edx
		jz	short loc_61217F
		cmp	[esi+4], edx
		jnz	short loc_612181
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	short loc_612181
		mov	[eax], esi
		mov	[esi+4], eax
		mov	[edx+4], edx
		mov	[edx], edx
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		cmp	[eax+4], ecx
		jnz	short loc_612181
		cmp	[edx], ecx
		jnz	short loc_612181
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_612181
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_612181
		mov	[edx], esi
		mov	eax, [esi+4]
		mov	[ecx+4], eax
		mov	eax, [esi+4]
		mov	[eax], ecx
		mov	[esi+4], edx

loc_61217F:				; CODE XREF: PipMoveListEntries(x,x)+7j
		pop	esi
		retn
; 

loc_612181:				; CODE XREF: PipMoveListEntries(x,x)+Cj
					; PipMoveListEntries(x,x)+13j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PipMoveListEntries@8 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl RtlUnicodeStringPrintfEx(int,int,void *,int,char)
_RtlUnicodeStringPrintfEx proc near	; CODE XREF: PiCreateDriverRedirectedStateKey+8C713p
					; PiBuildAndOpenDeviceDirectoryPath(x,x,x,x,x)+82p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	ecx, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	edi, ebx
		mov	[ebp+var_8], ebx
		call	sub_6122E4
		mov	esi, eax
		test	esi, esi
		js	short loc_6121BC
		test	ecx, ecx
		jz	short loc_6121BC
		movzx	edi, word ptr [ecx+2]
		mov	eax, [ecx+4]
		mov	[ebp+var_8], eax
		shr	edi, 1
		jmp	short loc_6121BE
; 

loc_6121BC:				; CODE XREF: _RtlUnicodeStringPrintfEx+22j
					; _RtlUnicodeStringPrintfEx+26j
		mov	eax, ebx

loc_6121BE:				; CODE XREF: _RtlUnicodeStringPrintfEx+34j
		test	esi, esi
		js	loc_6122DD
		mov	ecx, [ebp+arg_C]
		mov	edx, edi
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ebx
		test	eax, 100h
		jz	short loc_6121EA
		test	ecx, ecx
		jnz	short loc_6121EA
		mov	ecx, offset ??_C@_11LOCGONAA@@FNODOBFM@
		mov	[ebp+arg_C], ecx

loc_6121EA:				; CODE XREF: _RtlUnicodeStringPrintfEx+56j
					; _RtlUnicodeStringPrintfEx+5Aj
		mov	esi, ebx
		test	eax, 0FFFFE000h
		jz	short loc_612200
		mov	ecx, [ebp+var_8]
		mov	esi, 0C000000Dh
		jmp	loc_612280
; 

loc_612200:				; CODE XREF: _RtlUnicodeStringPrintfEx+6Bj
		test	edi, edi
		jnz	short loc_612224

loc_612204:				; DATA XREF: .text:00405FE4o
		cmp	[ecx], bx
		jz	loc_6122AB
		mov	ecx, [ebp+var_8]
		mov	esi, ecx
		neg	esi
		sbb	esi, esi
		and	esi, 0BFFFFFF8h
		add	esi, 0C000000Dh
		jmp	short loc_612280
; 

loc_612224:				; CODE XREF: _RtlUnicodeStringPrintfEx+7Cj
		lea	eax, [ebp+arg_10]
		mov	edx, edi	; size_t
		push	eax		; va_list
		push	ecx		; wchar_t *
		mov	ecx, [ebp+var_8] ; wchar_t *
		lea	eax, [ebp+var_C]
		push	eax		; int
		call	sub_612334
		mov	ebx, [ebp+var_C]
		mov	esi, eax
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		sub	edx, ebx
		mov	[ebp+var_8], edx
		mov	[ebp+var_10], edx
		lea	eax, [ecx+ebx*2]
		mov	[ebp+var_4], eax
		test	esi, esi
		js	short loc_61227A
		mov	ecx, [ebp+arg_8] ; void	*
		test	ecx, 200h
		jz	short loc_6122A8
		mov	edi, eax
		test	edx, edx
		jz	short loc_612275
		lea	eax, [edx+edx]
		push	eax		; size_t
		movzx	eax, cl
		push	eax		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_612275:				; CODE XREF: _RtlUnicodeStringPrintfEx+DCj
		mov	edx, [ebp+var_8]
		jmp	short loc_6122AE
; 

loc_61227A:				; CODE XREF: _RtlUnicodeStringPrintfEx+CBj
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+var_8]

loc_612280:				; CODE XREF: _RtlUnicodeStringPrintfEx+75j
					; _RtlUnicodeStringPrintfEx+9Cj
		test	eax, 1C00h
		jz	short loc_6122AB
		test	edi, edi
		jz	short loc_6122AB
		push	eax		; int
		lea	eax, [ebp+var_10]
		mov	edx, edi	; int
		push	eax		; int
		lea	eax, [ebp+var_4]
		push	eax		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	ecx		; int
		call	RtlUnicodeStringExHandleOtherFlags
		mov	edx, [ebp+var_10]
		mov	ebx, [ebp+var_C]
		jmp	short loc_6122AB
; 

loc_6122A8:				; CODE XREF: _RtlUnicodeStringPrintfEx+D6j
		mov	edx, [ebp+var_8]

loc_6122AB:				; CODE XREF: _RtlUnicodeStringPrintfEx+81j
					; _RtlUnicodeStringPrintfEx+FFj ...
		mov	edi, [ebp+var_4]

loc_6122AE:				; CODE XREF: _RtlUnicodeStringPrintfEx+F2j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_6122BB
		lea	eax, [ebx+ebx]
		mov	[ecx], ax

loc_6122BB:				; CODE XREF: _RtlUnicodeStringPrintfEx+12Dj
		test	esi, esi
		jns	short loc_6122C7
		cmp	esi, 80000005h
		jnz	short loc_6122DD

loc_6122C7:				; CODE XREF: _RtlUnicodeStringPrintfEx+137j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_6122DD
		xor	eax, eax
		mov	[ecx+4], edi
		mov	[ecx], ax
		lea	eax, [edx+edx]
		mov	[ecx+2], ax

loc_6122DD:				; CODE XREF: _RtlUnicodeStringPrintfEx+3Aj
					; _RtlUnicodeStringPrintfEx+13Fj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_RtlUnicodeStringPrintfEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_6122E4	proc near		; CODE XREF: _RtlUnicodeStringPrintfEx+19p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		test	ecx, ecx
		jnz	short loc_6122F8
		test	[ebp+arg_0], 100h
		jnz	short loc_612330

loc_6122F8:				; CODE XREF: sub_6122E4+9j
		push	ebx
		movzx	ebx, word ptr [ecx]
		test	bl, 1
		jnz	short loc_61232A
		movzx	edx, word ptr [ecx+2]
		test	dl, 1
		jnz	short loc_61232A
		cmp	bx, dx
		ja	short loc_61232A
		push	esi
		mov	esi, 0FFFEh
		cmp	dx, si
		pop	esi
		ja	short loc_61232A
		cmp	[ecx+4], eax
		jnz	short loc_61232F
		test	bx, bx
		jnz	short loc_61232A
		test	dx, dx
		jz	short loc_61232F

loc_61232A:				; CODE XREF: sub_6122E4+1Bj
					; sub_6122E4+24j ...
		mov	eax, 0C000000Dh

loc_61232F:				; CODE XREF: sub_6122E4+3Aj
					; sub_6122E4+44j
		pop	ebx

loc_612330:				; CODE XREF: sub_6122E4+12j
		pop	ebp
		retn	4
sub_6122E4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall sub_612334(wchar_t *,size_t,int,wchar_t *,va_list)
sub_612334	proc near		; CODE XREF: _RtlUnicodeStringPrintfEx+ACp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	[ebp+arg_8]	; va_list
		mov	esi, edx
		xor	edi, edi
		push	[ebp+arg_4]	; wchar_t *
		push	esi		; size_t
		push	ecx		; wchar_t *
		call	__vsnwprintf
		add	esp, 10h
		test	eax, eax
		js	short loc_612357
		cmp	eax, esi
		jbe	short loc_61235E

loc_612357:				; CODE XREF: sub_612334+1Dj
		mov	edi, 80000005h
		mov	eax, esi

loc_61235E:				; CODE XREF: sub_612334+21j
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
sub_612334	endp

; 
		align 10h
; Exported entry 966. IoRequestDeviceEject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRequestDeviceEject(x)
		public _IoRequestDeviceEject@4
_IoRequestDeviceEject@4	proc near	; CODE XREF: PipProcessStartPhase2+6E39Ap
					; PipProcessRestartPhase2(x)+5Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_0]
		call	_IoRequestDeviceEjectEx@16 ; IoRequestDeviceEjectEx(x,x,x,x)
		pop	ebp
		retn	4
_IoRequestDeviceEject@4	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 967. IoRequestDeviceEjectEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRequestDeviceEjectEx(x, x, x, x)
		public _IoRequestDeviceEjectEx@16
_IoRequestDeviceEjectEx@16 proc	near	; CODE XREF: IoRequestDeviceEject(x)+Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		test	esi, esi
		jz	loc_612539
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_61245E
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_61245E
		push	46706E50h
		push	5B4h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_6123E7
		mov	eax, 0C000009Ah

loc_6123E0:				; CODE XREF: IoRequestDeviceEjectEx(x,x,x,x)+D1j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_6123E7:				; CODE XREF: IoRequestDeviceEjectEx(x,x,x,x)+4Ej
		mov	eax, [esi+0B0h]
		mov	esi, [eax+14h]
		mov	eax, [ebp+arg_4]
		mov	[edi], eax
		mov	eax, [ebp+arg_8]
		mov	[edi+4], eax
		movzx	eax, word ptr [esi+14h]
		push	eax		; size_t
		push	dword ptr [esi+18h] ; void *
		lea	eax, [edi+20h]
		push	eax		; void *
		call	_memcpy
		movzx	eax, word ptr [esi+14h]
		xor	ecx, ecx
		mov	esi, [ebp+arg_C]
		add	esp, 0Ch
		shr	eax, 1
		mov	[edi+eax*2+20h], cx
		test	esi, esi
		jz	short loc_61242F
		mov	edx, 45706E50h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag

loc_61242F:				; CODE XREF: IoRequestDeviceEjectEx(x,x,x,x)+96j
		xor	eax, eax
		mov	[edi+8], esi
		mov	[edi+1B4h], ax
		xor	ebx, ebx
		lea	eax, [edi+10h]
		mov	[edi+1B0h], ebx
		push	1
		push	eax
		mov	dword ptr [eax+8], offset _PnpRequestDeviceEjectExWorker@4 ; PnpRequestDeviceEjectExWorker(x)
		mov	[eax+0Ch], edi
		mov	[eax], ebx
		call	ExQueueWorkItem
		xor	eax, eax
		jmp	short loc_6123E0
; 

loc_61245E:				; CODE XREF: IoRequestDeviceEjectEx(x,x,x,x)+20j
					; IoRequestDeviceEjectEx(x,x,x,x)+30j
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_61249B
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_61249B
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_61249B:				; CODE XREF: IoRequestDeviceEjectEx(x,x,x,x)+E3j
					; IoRequestDeviceEjectEx(x,x,x,x)+F7j
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_612539
		mov	edx, 1F4h
		lea	edi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[edi], bx
		jz	short loc_6124D3
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock

loc_6124D3:				; CODE XREF: IoRequestDeviceEjectEx(x,x,x,x)+131j
		mov	edx, [esi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_612507
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [esi+0B0h]

loc_612507:				; CODE XREF: IoRequestDeviceEjectEx(x,x,x,x)+157j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_612539
		lea	ecx, [eax+1Ch]
		cmp	[ecx], bx
		jz	short loc_612539
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_612539:				; CODE XREF: IoRequestDeviceEjectEx(x,x,x,x)+Fj
					; IoRequestDeviceEjectEx(x,x,x,x)+11Bj	...
		push	ebx
		push	ebx
		push	esi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_IoRequestDeviceEjectEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0hzr0_EtwWriteTransfer(x, x, x, x, x)
_McTemplateK0hzr0_EtwWriteTransfer@20 proc near
					; CODE XREF: IoRequestDeviceRemovalForReset(x,x)+103p

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_1C], 2
		mov	[ebp+var_24], eax
		xor	ecx, ecx
		mov	eax, [ebp+arg_8]
		mov	edx, offset _KMPnPEvt_DeviceReset_Start
		mov	[ebp+var_14], eax
		movzx	eax, word ptr [ebp+arg_4]
		add	eax, eax
		mov	[ebp+var_20], ecx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		push	ecx
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_McTemplateK0hzr0_EtwWriteTransfer@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0hzr0qqhzr4_EtwWriteTransfer(x, x, x, x,	x, x, x, x, x)
_McTemplateK0hzr0qqhzr4_EtwWriteTransfer@36 proc near
					; CODE XREF: IopDeviceRemovalForResetComplete(x)+67p

var_74		= dword	ptr -74h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_64], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_54], eax
		movzx	eax, word ptr [ebp+arg_4]
		add	eax, eax
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_10]
		push	esi
		mov	[ebp+var_34], eax
		xor	esi, esi
		push	2
		pop	edx
		lea	eax, [ebp+arg_14]
		mov	[ebp+var_5C], edx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_14], eax
		movzx	eax, word ptr [ebp+arg_14]
		push	4
		pop	ecx
		add	eax, eax
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		mov	[ebp+var_2C], ecx
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		mov	[ebp+var_1C], edx
		mov	edx, offset _KMPnPEvt_DeviceReset_Stop
		push	esi
		mov	[ebp+var_60], esi
		mov	[ebp+var_58], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
_McTemplateK0hzr0qqhzr4_EtwWriteTransfer@36 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1022. IoTranslateBusAddress

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoTranslateBusAddress(x, x,	x, x, x, x)
		public _IoTranslateBusAddress@24
_IoTranslateBusAddress@24 proc near

var_5A		= byte ptr -5Ah
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3E		= byte ptr -3Eh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+44h+var_38], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[esp+48h+var_34], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_14]
		push	edi
		mov	[esp+50h+var_3C], eax
		lea	edi, [esp+50h+var_14]
		xor	eax, eax
		mov	[esp+50h+var_28], esi
		stosd
		mov	[esp+50h+var_30], ebx
		mov	[esp+50h+var_2C], ebx
		stosd
		stosd
		stosd
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jnz	loc_612801
		cmp	ds:_IopRootDeviceNode, ebx
		jz	loc_612801
		mov	edi, [esp+50h+var_38]
		xor	edx, edx
		inc	edx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_6126CA
		mov	eax, ebx
		mov	cl, 3
		jmp	short loc_6126D6
; 

loc_6126CA:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+6Ej
		cmp	eax, edx
		jnz	loc_6127FD
		mov	eax, edx
		mov	cl, dl

loc_6126D6:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+74j
		mov	word ptr [esp+50h+var_24+2], ax
		mov	eax, [ebp+arg_8]
		mov	byte ptr [esp+50h+var_24], cl
		xor	ecx, ecx
		mov	[esp+50h+var_20], eax
		mov	eax, [ebp+arg_C]
		mov	byte ptr [esp+50h+var_24+1], 3
		mov	[esp+50h+var_1C], eax
		mov	[esp+50h+var_18], edx
		call	PpDevNodeLockTree
		mov	ecx, [esp+50h+var_34]
		mov	edx, [esp+50h+var_3C]
		call	_IopFindLegacyBusDeviceNode@8 ;	IopFindLegacyBusDeviceNode(x,x)
		mov	esi, eax
		mov	[esp+50h+var_3C], eax
		cmp	esi, ds:_IopRootDeviceNode
		jz	loc_6127C3
		mov	edi, [esp+50h+var_24]

loc_612720:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+165j
		lea	eax, [esp+50h+var_2C]
		xor	ecx, ecx
		push	eax
		push	edi
		mov	edx, esi
		inc	ecx
		call	_IopFindResourceHandlerInfo@16 ; IopFindResourceHandlerInfo(x,x,x,x)
		mov	[esp+13h], al
		test	al, al
		jnz	short loc_612753
		mov	edx, [esi+10h]
		lea	eax, [esp+50h+var_30]
		push	eax
		xor	ecx, ecx
		push	edi
		inc	ecx
		call	IopQueryResourceHandlerInterface
		test	eax, eax
		js	short loc_6127A8
		mov	esi, [esp+50h+var_30]
		jmp	short loc_61275E
; 

loc_612753:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+E2j
		mov	eax, [esp+50h+var_2C]
		test	eax, eax
		jz	short loc_6127AC
		mov	esi, [eax+0Ch]

loc_61275E:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+FDj
		lea	eax, [esp+50h+var_14]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+64h+var_24]
		push	eax
		push	dword ptr [esi+4]
		call	dword ptr [esi+10h]
		mov	[esp+6Ch+var_50], eax
		cmp	[esp+13h], bl
		jnz	short loc_61278D
		push	dword ptr [esi+4]
		call	dword ptr [esi+0Ch]
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+70h+var_54]

loc_61278D:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+126j
		test	eax, eax
		js	short loc_6127F6
		lea	esi, [esp+70h+var_34]
		lea	edi, [esp+70h+var_44]
		movsd
		movsd
		movsd
		movsd
		cmp	eax, 120h
		jz	short loc_6127BF
		mov	esi, [esp+14h]

loc_6127A8:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+F7j
		mov	edi, [esp+70h+var_44]

loc_6127AC:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+105j
		mov	esi, [esi+8]
		mov	[esp+14h], esi
		cmp	esi, ds:_IopRootDeviceNode
		jnz	loc_612720

loc_6127BF:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+14Ej
		mov	edi, [esp+70h+var_58]

loc_6127C3:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+C2j
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		movzx	eax, byte ptr [esp+70h+var_44]
		cmp	eax, 3
		jz	short loc_6127E1
		cmp	eax, 7
		jz	short loc_6127E1
		cmp	eax, 1
		jnz	short loc_6127FD
		xor	ebx, ebx
		inc	ebx

loc_6127E1:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+17Ej
					; IoTranslateBusAddress(x,x,x,x,x,x)+183j
		mov	edx, [esp+70h+var_48]
		mov	[edi], ebx
		mov	ecx, [esp+30h]
		mov	[edx], ecx
		mov	ecx, [esp+70h+var_3C]
		mov	[edx+4], ecx
		jmp	short loc_61280C
; 

loc_6127F6:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+13Bj
		xor	ecx, ecx
		call	PpDevNodeUnlockTree

loc_6127FD:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+78j
					; IoTranslateBusAddress(x,x,x,x,x,x)+188j
		xor	al, al
		jmp	short loc_61280E
; 

loc_612801:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+51j
					; IoTranslateBusAddress(x,x,x,x,x,x)+5Dj
		mov	eax, [ebp+arg_8]
		mov	[esi], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+4], eax

loc_61280C:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+1A0j
		mov	al, 1

loc_61280E:				; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+1ABj
		mov	ecx, [esp+50h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
_IoTranslateBusAddress@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpHandleEnumerateHandlesAgainstPdoStack(x,	x, x)
_PnpHandleEnumerateHandlesAgainstPdoStack@12 proc near
					; CODE XREF: PnpCollectOpenHandles(x,x,x)+4Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_612834:				; CODE XREF: PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)+C6j
		push	[ebp+arg_0]
		mov	edx, offset _PnpCollectOpenHandlesCallBack@20 ;	PnpCollectOpenHandlesCallBack(x,x,x,x,x)
		mov	ecx, edi
		call	_PnpHandleEnumerateHandlesAgainstDeviceObject@12 ; PnpHandleEnumerateHandlesAgainstDeviceObject(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	loc_6128F0
		push	9
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	byte ptr [ebp+var_C], al
		xor	ebx, ebx
		mov	eax, [edi+24h]
		test	eax, eax
		jz	short loc_612870
		mov	ebx, [eax+8]
		test	ebx, ebx
		jz	short loc_612870
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_612870:				; CODE XREF: PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)+3Ej
					; PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)+45j
		push	[ebp+var_C]
		call	IoReleaseVpbSpinLock
		test	ebx, ebx
		jz	short loc_6128B4
		push	ebx
		call	_IoGetDeviceAttachmentBaseRef@4	; IoGetDeviceAttachmentBaseRef(x)
		push	[ebp+arg_0]
		mov	esi, eax
		mov	edx, offset _PnpCollectOpenHandlesCallBack@20 ;	PnpCollectOpenHandlesCallBack(x,x,x,x,x)
		mov	ecx, esi
		call	_PnpHandleEnumerateHandlesAgainstDeviceObject@12 ; PnpHandleEnumerateHandlesAgainstDeviceObject(x,x,x)
		mov	ecx, esi
		mov	[ebp+var_8], eax
		call	ObfDereferenceObject
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	ebx, [ebp+var_8]
		test	ebx, ebx
		jz	short loc_6128B7
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	short loc_6128FA
; 

loc_6128B4:				; CODE XREF: PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)+58j
		mov	ebx, [ebp+var_8]

loc_6128B7:				; CODE XREF: PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)+87j
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	esi, [edi+10h]
		mov	[ebp+var_1], al
		test	esi, esi
		jz	short loc_6128D3
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	al, [ebp+var_1]

loc_6128D3:				; CODE XREF: PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)+A5j
		push	0Ah
		mov	dl, al
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	edi, esi
		test	esi, esi
		jnz	loc_612834
		jmp	short loc_6128FA
; 

loc_6128F0:				; CODE XREF: PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)+26j
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	ebx, [ebp+var_8]

loc_6128FA:				; CODE XREF: PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)+90j
					; PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)+CCj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_PnpHandleEnumerateHandlesAgainstPdoStack@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoProcessPassiveInterrupts(x)
_IoProcessPassiveInterrupts@4 proc near	; CODE XREF: KiDispatchPassiveInterrupts(x)+Bp
					; KiInterruptDispatchCommon(x,x,x,x,x)+2DEp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	_IopFindPassiveInterruptBlock@4	; IopFindPassiveInterruptBlock(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_61297E
		cmp	dword ptr [esi+18h], 0
		jnz	short loc_612925
		push	1
		push	dword ptr [esi+10h]
		call	ds:off_6B1300	; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)

loc_612925:				; CODE XREF: IoProcessPassiveInterrupts(x)+15j
		push	ebx
		push	edi
		mov	cl, 1Ah
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		lea	edi, [esi+28h]
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte ptr [esi+2Ch], 0
		mov	byte ptr [esi+2Dh], 1
		jnz	short loc_612958
		xor	eax, eax
		mov	byte ptr [esi+2Ch], 1
		push	eax
		push	eax
		push	eax
		lea	ecx, [esi+40h]
		xor	edx, edx
		call	KiInsertQueueDpc

loc_612958:				; CODE XREF: IoProcessPassiveInterrupts(x)+40j
		test	ds:byte_70EFC6,	1
		jz	short loc_61296D
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_612972
; 

loc_61296D:				; CODE XREF: IoProcessPassiveInterrupts(x)+5Cj
		xor	eax, eax
		lock and [edi],	eax

loc_612972:				; CODE XREF: IoProcessPassiveInterrupts(x)+68j
		pop	edi
		mov	cl, bl
		pop	ebx
		pop	esi
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_61297E:				; CODE XREF: IoProcessPassiveInterrupts(x)+Fj
		pop	esi
		pop	ebp
		retn
_IoProcessPassiveInterrupts@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDereferencePassiveInterruptBlock(x)
_IopDereferencePassiveInterruptBlock@4 proc near
					; CODE XREF: IopPassiveInterruptWorker(x)+101p
					; IoDisconnectInterrupt+A6D6Bp	...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ds:__imp_@KfRaiseIrql@4 ; KfRaiseIrql(x)
		xor	bl, bl
		push	edi
		mov	edi, ecx
		mov	cl, 1Ah
		call	esi
		mov	ecx, offset _PassiveInterruptListLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	cl, 1Ah
		call	esi
		lea	esi, [edi+28h]
		mov	bh, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		or	ecx, 0FFFFFFFFh
		lock xadd [edi+70h], ecx
		dec	ecx
		jnz	short loc_6129D6
		mov	ecx, [edi]
		mov	eax, [edi+4]
		cmp	[ecx+4], edi
		jnz	short loc_6129EB
		cmp	[eax], edi
		jnz	short loc_6129EB
		mov	[eax], ecx
		inc	bl
		mov	[ecx+4], eax

loc_6129D6:				; CODE XREF: IopDereferencePassiveInterruptBlock(x)+3Ej
		test	ds:byte_70EFC6,	1
		jz	short loc_6129F0
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6129F5
; 

loc_6129EB:				; CODE XREF: IopDereferencePassiveInterruptBlock(x)+48j
					; IopDereferencePassiveInterruptBlock(x)+4Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_6129F0:				; CODE XREF: IopDereferencePassiveInterruptBlock(x)+5Cj
		xor	eax, eax
		lock and [esi],	eax

loc_6129F5:				; CODE XREF: IopDereferencePassiveInterruptBlock(x)+68j
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	cl, bh
		call	esi
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PassiveInterruptListLock
		jz	short loc_612A17
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_612A1C
; 

loc_612A17:				; CODE XREF: IopDereferencePassiveInterruptBlock(x)+8Aj
		xor	eax, eax
		lock and [ecx],	eax

loc_612A1C:				; CODE XREF: IopDereferencePassiveInterruptBlock(x)+94j
		mov	cl, [ebp+var_1]
		call	esi
		test	bl, bl
		jz	short loc_612A30
		push	6269704Bh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_612A30:				; CODE XREF: IopDereferencePassiveInterruptBlock(x)+A2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopDereferencePassiveInterruptBlock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFindPassiveInterruptBlock(x)
_IopFindPassiveInterruptBlock@4	proc near ; CODE XREF: IoProcessPassiveInterrupts(x)+6p
					; IoDisconnectInterrupt+A6D58p	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	cl, 1Ah
		push	edi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edi, offset _PassiveInterruptListLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, esi
		call	_IopFindPassiveInterruptBlockLocked@4 ;	IopFindPassiveInterruptBlockLocked(x)
		test	ds:byte_70EFC6,	1
		mov	esi, eax
		jz	short loc_612A73
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_612A78
; 

loc_612A73:				; CODE XREF: IopFindPassiveInterruptBlock(x)+30j
		xor	eax, eax
		lock and [edi],	eax

loc_612A78:				; CODE XREF: IopFindPassiveInterruptBlock(x)+3Cj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_IopFindPassiveInterruptBlock@4	endp


;  S U B	R O U T	I N E 


; __stdcall IopFindPassiveInterruptBlockLocked(x)
_IopFindPassiveInterruptBlockLocked@4 proc near
					; CODE XREF: IopFindPassiveInterruptBlock(x)+22p
					; IopInsertPassiveInterruptBlock(x,x)+28p
		mov	eax, ds:_PassiveInterruptList
		xor	edx, edx
		push	esi
		mov	esi, offset _PassiveInterruptList
		jmp	short loc_612A9D
; 

loc_612A96:				; CODE XREF: IopFindPassiveInterruptBlockLocked(x)+18j
		cmp	[eax+0Ch], ecx
		jz	short loc_612AA3
		mov	eax, [eax]

loc_612A9D:				; CODE XREF: IopFindPassiveInterruptBlockLocked(x)+Dj
		cmp	eax, esi
		jnz	short loc_612A96
		jmp	short loc_612AA9
; 

loc_612AA3:				; CODE XREF: IopFindPassiveInterruptBlockLocked(x)+12j
		mov	edx, eax
		lock inc dword ptr [eax+70h]

loc_612AA9:				; CODE XREF: IopFindPassiveInterruptBlockLocked(x)+1Aj
		mov	eax, edx
		pop	esi
		retn
_IopFindPassiveInterruptBlockLocked@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopInsertPassiveInterruptBlock(x, x)
_IopInsertPassiveInterruptBlock@8 proc near
					; CODE XREF: IopAllocatePassiveInterruptBlock(x,x)+F0p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	cl, 1Ah
		mov	byte ptr [edi],	1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, offset _PassiveInterruptListLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi+0Ch]
		call	_IopFindPassiveInterruptBlockLocked@4 ;	IopFindPassiveInterruptBlockLocked(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_612B05
		lock inc dword ptr [esi+70h]
		mov	ecx, ds:dword_6CC9CC
		mov	eax, offset _PassiveInterruptList
		cmp	[ecx], eax
		jz	short loc_612AF8
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_612AF8:				; CODE XREF: IopInsertPassiveInterruptBlock(x,x)+44j
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	ds:dword_6CC9CC, esi

loc_612B05:				; CODE XREF: IopInsertPassiveInterruptBlock(x,x)+31j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PassiveInterruptListLock
		jz	short loc_612B1D
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_612B22
; 

loc_612B1D:				; CODE XREF: IopInsertPassiveInterruptBlock(x,x)+64j
		xor	eax, eax
		lock and [ecx],	eax

loc_612B22:				; CODE XREF: IopInsertPassiveInterruptBlock(x,x)+6Ej
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jz	short loc_612B32
		mov	byte ptr [edi],	0

loc_612B32:				; CODE XREF: IopInsertPassiveInterruptBlock(x,x)+80j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
_IopInsertPassiveInterruptBlock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopPassiveInterruptDpc(x, x, x, x)
_IopPassiveInterruptDpc@16 proc	near	; DATA XREF: IopAllocatePassiveInterruptBlock(x,x)+C7o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		add	eax, 30h
		push	eax
		push	offset _PassiveInterruptRealtimeWorkQueue
		call	KeInsertQueue
		pop	ebp
		retn	10h
_IopPassiveInterruptDpc@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopPassiveInterruptWorker(x)
_IopPassiveInterruptWorker@4 proc near	; DATA XREF: IopAllocatePassiveInterruptBlock(x,x)+DFo

var_20		= dword	ptr -20h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	dl, 1
		stosd
		mov	ecx, ebx
		stosd
		stosd
		call	_IopAcquireReleaseDispatcherLock@8 ; IopAcquireReleaseDispatcherLock(x,x)
		cmp	byte ptr [ebx+14h], 0
		jnz	short loc_612B98
		lea	esi, [ebx+1Ch]
		lea	edi, [ebp+var_20]
		movsd
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		movsd
		movsd
		call	KeSetSystemGroupAffinityThread

loc_612B98:				; CODE XREF: IopPassiveInterruptWorker(x)+2Dj
		mov	cl, 1Ah
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		lea	esi, [ebx+28h]
		mov	[ebp+var_11], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		jmp	short loc_612C00
; 

loc_612BB5:				; CODE XREF: IopPassiveInterruptWorker(x)+B1j
		mov	byte ptr [ebx+2Dh], 0
		test	ds:byte_70EFC6,	1
		jz	short loc_612BCE
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_612BD3
; 

loc_612BCE:				; CODE XREF: IopPassiveInterruptWorker(x)+6Dj
		xor	eax, eax
		lock and [esi],	eax

loc_612BD3:				; CODE XREF: IopPassiveInterruptWorker(x)+79j
		mov	cl, [ebp+var_11]
		call	edi
		mov	edx, [ebx+0Ch]
		xor	ecx, ecx
		cmp	[ebx+14h], cl
		push	0
		push	0
		push	1
		setnz	cl
		call	_KiInterruptDispatchCommon@20 ;	KiInterruptDispatchCommon(x,x,x,x,x)
		mov	cl, 1Ah
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, esi
		mov	[ebp+var_11], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_612C00:				; CODE XREF: IopPassiveInterruptWorker(x)+60j
		cmp	byte ptr [ebx+2Dh], 0
		jnz	short loc_612BB5
		mov	byte ptr [ebx+2Ch], 0
		test	ds:byte_70EFC6,	1
		jz	short loc_612C1F
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_612C24
; 

loc_612C1F:				; CODE XREF: IopPassiveInterruptWorker(x)+BEj
		xor	eax, eax
		lock and [esi],	eax

loc_612C24:				; CODE XREF: IopPassiveInterruptWorker(x)+CAj
		mov	cl, [ebp+var_11]
		call	edi
		cmp	byte ptr [ebx+14h], 0
		jnz	short loc_612C38
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread

loc_612C38:				; CODE XREF: IopPassiveInterruptWorker(x)+DAj
		xor	dl, dl
		mov	ecx, ebx
		call	_IopAcquireReleaseDispatcherLock@8 ; IopAcquireReleaseDispatcherLock(x,x)
		cmp	dword ptr [ebx+18h], 0
		jnz	short loc_612C52
		push	2
		push	dword ptr [ebx+10h]
		call	ds:off_6B1304	; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)

loc_612C52:				; CODE XREF: IopPassiveInterruptWorker(x)+F2j
		mov	ecx, ebx
		call	_IopDereferencePassiveInterruptBlock@4 ; IopDereferencePassiveInterruptBlock(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_IopPassiveInterruptWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl IopDebugPrint(int,char *,char)
_IopDebugPrint	proc near		; CODE XREF: PnpCollectOpenHandles(x,x,x)+1Fp
					; PnpCollectOpenHandles(x,x,x)+6Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1		; char
		lea	eax, [ebp+arg_8]
		mov	ecx, offset ??_C@_08OMFOKBDN@NTOSPNP?3@FNODOBFM@
		push	eax		; va_list
		push	[ebp+arg_4]	; char *
		push	[ebp+arg_0]	; int
		push	20h
		pop	edx
		call	vDbgPrintExWithPrefixInternal
		mov	eax, [ebp+arg_0]
		pop	ebp
		retn
_IopDebugPrint	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpBugcheckPowerTimeout(x)
_PnpBugcheckPowerTimeout@4 proc	near	; CODE XREF: PopBuildDeviceNotifyListWatchdog(x,x,x,x)+11p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, ds:_PnpDelayedRemoveWorkerThread
		sub	esp, 14h
		mov	edx, ds:_PopWatchdogSleepTimeout
		test	ecx, ecx
		jnz	short loc_612CB5
		mov	ecx, ds:_PnpDeviceEventThread
		test	ecx, ecx
		jnz	short loc_612CB5
		mov	ecx, ds:_PnpDeviceActionThread

loc_612CB5:				; CODE XREF: PnpBugcheckPowerTimeout(x)+16j
					; PnpBugcheckPowerTimeout(x)+20j
		push	2
		mov	eax, 8001h
		mov	[ebp+var_10], offset _PnpDeviceCompletionQueue
		mov	word ptr [ebp+var_14], ax
		pop	eax
		mov	word ptr [ebp+var_14+2], ax
		mov	eax, ds:_ExWorkerQueue
		mov	[ebp+var_C], eax
		mov	eax, ds:_IoWorkerQueue
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	ecx
		push	edx
		push	4
		push	9Fh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall PnpFindMountableDevice(x)
_PnpFindMountableDevice@4:		; CODE XREF: IopRemoveDevice(x,x)+5Cp
					; PiIrpQueryRemoveDevice(x,x)+46p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	esi, ecx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al
		jmp	short loc_612D14
; 

loc_612D05:				; CODE XREF: PnpBugcheckPowerTimeout(x)+89j
		test	byte ptr [esi+1Ch], 40h
		jz	short loc_612D11
		cmp	dword ptr [esi+24h], 0
		jnz	short loc_612D18

loc_612D11:				; CODE XREF: PnpBugcheckPowerTimeout(x)+7Cj
		mov	esi, [esi+10h]

loc_612D14:				; CODE XREF: PnpBugcheckPowerTimeout(x)+76j
		test	esi, esi
		jnz	short loc_612D05

loc_612D18:				; CODE XREF: PnpBugcheckPowerTimeout(x)+82j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	edi, [eax+468h]
		jz	short loc_612D39
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_612D64
; 

loc_612D39:				; CODE XREF: PnpBugcheckPowerTimeout(x)+9Ej
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_612D55
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_612D64
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_612D55:				; CODE XREF: PnpBugcheckPowerTimeout(x)+B0j
		xor	edx, edx
		mov	dword ptr [edi], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx

loc_612D64:				; CODE XREF: PnpBugcheckPowerTimeout(x)+AAj
					; PnpBugcheckPowerTimeout(x)+BFj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_PnpBugcheckPowerTimeout@4 endp	; sp = -2Ch


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpIsAnyDeviceInUse(x, x, x)
_PnpIsAnyDeviceInUse@12	proc near	; CODE XREF: IopCompleteUnloadOrDelete+D418Ap
					; PnpIsChainDereferenced(x,x,x,x,x)+40p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	esi
		mov	edx, eax
		mov	esi, eax

loc_612D7F:				; CODE XREF: PnpIsAnyDeviceInUse(x,x,x)+27j
		test	edx, edx
		jnz	short loc_612D9C
		mov	eax, [ecx+esi*4]
		jmp	short loc_612D92
; 

loc_612D88:				; CODE XREF: PnpIsAnyDeviceInUse(x,x,x)+21j
		mov	edx, [eax+4]
		test	edx, edx
		jnz	short loc_612D96
		mov	eax, [eax+10h]

loc_612D92:				; CODE XREF: PnpIsAnyDeviceInUse(x,x,x)+13j
		test	eax, eax
		jnz	short loc_612D88

loc_612D96:				; CODE XREF: PnpIsAnyDeviceInUse(x,x,x)+1Aj
		inc	esi
		cmp	esi, 1
		jb	short loc_612D7F

loc_612D9C:				; CODE XREF: PnpIsAnyDeviceInUse(x,x,x)+Ej
		mov	ecx, [ebp+arg_0]
		pop	esi
		test	ecx, ecx
		jz	short loc_612DA6
		mov	[ecx], eax

loc_612DA6:				; CODE XREF: PnpIsAnyDeviceInUse(x,x,x)+2Fj
		xor	eax, eax
		test	edx, edx
		setnz	al
		pop	ebp
		retn	4
_PnpIsAnyDeviceInUse@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpLockMountableDevice(x)
_PnpLockMountableDevice@4 proc near	; CODE XREF: IopRemoveDevice(x,x)+6Dp
					; IopRemoveDevice(x,x)+F1p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	loc_612E44
		xor	eax, eax

loc_612DC6:				; CODE XREF: PnpLockMountableDevice(x)+91j
		cmp	[esi+24h], eax
		jz	short loc_612DDB
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esi+9Ch]
		push	eax
		call	KeWaitForSingleObject

loc_612DDB:				; CODE XREF: PnpLockMountableDevice(x)+18j
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, large fs:20h
		mov	bl, al
		test	ds:byte_70EFC6,	1
		mov	esi, [esi+10h]
		lea	edi, [ecx+468h]
		jz	short loc_612E0A
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_612E35
; 

loc_612E0A:				; CODE XREF: PnpLockMountableDevice(x)+4Bj
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_612E26
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_612E35
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_612E26:				; CODE XREF: PnpLockMountableDevice(x)+5Dj
		xor	ecx, ecx
		mov	dword ptr [edi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_612E35:				; CODE XREF: PnpLockMountableDevice(x)+57j
					; PnpLockMountableDevice(x)+6Cj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		pop	eax
		test	esi, esi
		jnz	short loc_612DC6

loc_612E44:				; CODE XREF: PnpLockMountableDevice(x)+Dj
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
_PnpLockMountableDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpMarkDeviceForRemove(x, x, x)
_PnpMarkDeviceForRemove@12 proc	near	; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+F3p
					; IopRemoveDevice(x,x)+7Ap ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		mov	[ebp+var_4], ebx
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	loc_612F91
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		mov	[esi], edi
		jmp	loc_612F91
; 

loc_612E74:				; CODE XREF: PnpMarkDeviceForRemove(x,x,x)+149j
		cmp	dword ptr [edi+24h], 0
		jz	loc_612F21
		push	9
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, [edi+24h]
		mov	byte ptr [ebp+arg_0+3],	al
		movzx	eax, word ptr [ecx+4]
		test	ebx, ebx
		jz	short loc_612EC0
		or	eax, 8
		mov	[ecx+4], ax
		test	al, 1
		jz	short loc_612EC9
		mov	ecx, [ecx+8]
		mov	edx, 746C6644h
		mov	[esi], edi
		mov	[esi+4], ecx
		call	ObfReferenceObjectWithTag
		mov	ecx, [esi+4]
		xor	eax, eax
		lea	edx, [eax+1]
		call	IopIncrementDeviceObjectRefCount
		jmp	short loc_612EC9
; 

loc_612EC0:				; CODE XREF: PnpMarkDeviceForRemove(x,x,x)+48j
		and	eax, 0FFF7h
		mov	[ecx+4], ax

loc_612EC9:				; CODE XREF: PnpMarkDeviceForRemove(x,x,x)+53j
					; PnpMarkDeviceForRemove(x,x,x)+74j
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	ebx, [eax+460h]
		jz	short loc_612EEA
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_612F15
; 

loc_612EEA:				; CODE XREF: PnpMarkDeviceForRemove(x,x,x)+92j
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_612F06
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jz	short loc_612F15
		mov	ecx, ebx
		call	KxWaitForLockChainValid

loc_612F06:				; CODE XREF: PnpMarkDeviceForRemove(x,x,x)+A4j
		xor	ecx, ecx
		mov	dword ptr [ebx], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_612F15:				; CODE XREF: PnpMarkDeviceForRemove(x,x,x)+9Ej
					; PnpMarkDeviceForRemove(x,x,x)+B3j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+var_4]

loc_612F21:				; CODE XREF: PnpMarkDeviceForRemove(x,x,x)+2Ej
		test	ebx, ebx
		jz	short loc_612F2B
		cmp	dword ptr [esi+4], 0
		jnz	short loc_612F99

loc_612F2B:				; CODE XREF: PnpMarkDeviceForRemove(x,x,x)+D9j
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	edi, [edi+10h]
		mov	byte ptr [ebp+arg_0+3],	al
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	ebx, [eax+468h]
		jz	short loc_612F5A
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_612F85
; 

loc_612F5A:				; CODE XREF: PnpMarkDeviceForRemove(x,x,x)+102j
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_612F76
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ebx
		lock cmpxchg [ecx], edx
		cmp	eax, ebx
		jz	short loc_612F85
		mov	ecx, ebx
		call	KxWaitForLockChainValid

loc_612F76:				; CODE XREF: PnpMarkDeviceForRemove(x,x,x)+114j
		xor	ecx, ecx
		mov	dword ptr [ebx], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_612F85:				; CODE XREF: PnpMarkDeviceForRemove(x,x,x)+10Ej
					; PnpMarkDeviceForRemove(x,x,x)+123j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+var_4]

loc_612F91:				; CODE XREF: PnpMarkDeviceForRemove(x,x,x)+16j
					; PnpMarkDeviceForRemove(x,x,x)+25j
		test	edi, edi
		jnz	loc_612E74

loc_612F99:				; CODE XREF: PnpMarkDeviceForRemove(x,x,x)+DFj
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_612FA2
		mov	eax, [esi]

loc_612FA2:				; CODE XREF: PnpMarkDeviceForRemove(x,x,x)+154j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PnpMarkDeviceForRemove@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpUnlockMountableDevice(x)
_PnpUnlockMountableDevice@4 proc near	; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+FAp
					; IopRemoveDevice(x,x)+84p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jmp	short loc_61302E
; 

loc_612FB6:				; CODE XREF: PnpUnlockMountableDevice(x)+87j
		cmp	dword ptr [esi+24h], 0
		jz	short loc_612FCC
		push	0
		push	0
		lea	eax, [esi+9Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_612FCC:				; CODE XREF: PnpUnlockMountableDevice(x)+11j
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, large fs:20h
		mov	bl, al
		test	ds:byte_70EFC6,	1
		mov	esi, [esi+10h]
		lea	edi, [ecx+468h]
		jz	short loc_612FFB
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_613026
; 

loc_612FFB:				; CODE XREF: PnpUnlockMountableDevice(x)+44j
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_613017
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_613026
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_613017:				; CODE XREF: PnpUnlockMountableDevice(x)+56j
		xor	ecx, ecx
		mov	dword ptr [edi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_613026:				; CODE XREF: PnpUnlockMountableDevice(x)+50j
					; PnpUnlockMountableDevice(x)+65j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_61302E:				; CODE XREF: PnpUnlockMountableDevice(x)+Bj
		test	esi, esi
		jnz	short loc_612FB6
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
_PnpUnlockMountableDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpUpdateExtensionFlags(x, x, x, x,	x)
_PnpUpdateExtensionFlags@20 proc near	; CODE XREF: PnpIsChainDereferenced(x,x,x,x,x)+4Dp
					; PnpIsChainDereferenced(x,x,x,x,x)+B1p

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ecx]
		jmp	short loc_61305A
; 

loc_613041:				; CODE XREF: PnpUpdateExtensionFlags(x,x,x,x,x)+24j
		cmp	[ebp+arg_4], 0
		mov	eax, [ecx+0B0h]
		jz	short loc_613053
		or	dword ptr [eax+10h], 4
		jmp	short loc_613057
; 

loc_613053:				; CODE XREF: PnpUpdateExtensionFlags(x,x,x,x,x)+13j
		and	dword ptr [eax+10h], 0FFFFFFFBh

loc_613057:				; CODE XREF: PnpUpdateExtensionFlags(x,x,x,x,x)+19j
		mov	ecx, [ecx+10h]

loc_61305A:				; CODE XREF: PnpUpdateExtensionFlags(x,x,x,x,x)+7j
		test	ecx, ecx
		jnz	short loc_613041
		pop	ebp
		retn	0Ch
_PnpUpdateExtensionFlags@20 endp


;  S U B	R O U T	I N E 


; __stdcall PipIsDevNodeEffectivelyRemoved(x)
_PipIsDevNodeEffectivelyRemoved@4 proc near
					; CODE XREF: IopRetryDeviceRemovalForReset(x)+27p
		mov	eax, [ecx+0ACh]
		add	eax, 0FFFFFCF2h
		push	6
		pop	ecx
		cmp	ecx, eax
		sbb	eax, eax
		inc	eax
		retn
_PipIsDevNodeEffectivelyRemoved@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipRestoreDevNodeState(x)
_PipRestoreDevNodeState@4 proc near	; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+A9p
					; PipDeviceRemovalCheckDeviceNodeState(x,x,x)+26p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PnpSpinLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, [ebx+0B0h]
		mov	edx, esi
		mov	edi, [ebx+0ACh]
		mov	ecx, edi
		call	PipAreDriversLoadedWorker
		mov	ecx, ebx
		mov	[ebp+var_C], eax
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		mov	ecx, [ebx+104h]
		xor	edx, edx
		mov	[ebx+0ACh], esi
		mov	[ebp+var_8], eax
		push	14h
		mov	[ebx+ecx*4+0B4h], edi
		mov	ecx, offset _PnpSpinLock
		mov	eax, [ebx+104h]
		inc	eax
		pop	esi
		div	esi
		mov	[ebx+104h], edx
		test	ds:byte_70EFC6,	1
		jz	short loc_6130F7
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6130FC
; 

loc_6130F7:				; CODE XREF: PipRestoreDevNodeState(x)+75j
		xor	eax, eax
		lock and [ecx],	eax

loc_6130FC:				; CODE XREF: PipRestoreDevNodeState(x)+7Fj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebx+18h]
		test	esi, esi
		jz	short loc_613153
		mov	edx, [ebx+0B0h]
		mov	ecx, [ebx+0ACh]
		call	PipAreDriversLoadedWorker
		cmp	eax, [ebp+var_C]
		jnz	short loc_613132
		mov	ecx, ebx
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		mov	edi, [ebp+var_8]
		cmp	eax, edi
		jz	short loc_613153
		jmp	short loc_613135
; 

loc_613132:				; CODE XREF: PipRestoreDevNodeState(x)+AAj
		mov	edi, [ebp+var_8]

loc_613135:				; CODE XREF: PipRestoreDevNodeState(x)+BAj
		push	0Bh
		mov	edx, esi
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	ecx, ebx
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		cmp	eax, edi
		jz	short loc_613153
		mov	edx, [ebx+18h]
		push	1Ah
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent

loc_613153:				; CODE XREF: PipRestoreDevNodeState(x)+94j
					; PipRestoreDevNodeState(x)+B8j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PipRestoreDevNodeState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpDevNodeRemoveFromTree(x)
_PpDevNodeRemoveFromTree@4 proc	near	; CODE XREF: IoReportDetectedDevice+892A3p
					; PnpUnlinkDeviceRemovalRelations(x,x,x)+91p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_1], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PnpSpinLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_6131FB
		add	eax, 4
		jmp	short loc_613189
; 

loc_613187:				; CODE XREF: PpDevNodeRemoveFromTree(x)+35j
		mov	eax, ecx

loc_613189:				; CODE XREF: PpDevNodeRemoveFromTree(x)+2Dj
		mov	ecx, [eax]
		cmp	ecx, esi
		jnz	short loc_613187
		mov	ecx, [esi]
		mov	[eax], ecx
		mov	edx, [esi+8]
		cmp	dword ptr [edx+4], 0
		jnz	short loc_6131A4
		xor	eax, eax
		jmp	short loc_6131A8
; 

loc_6131A0:				; CODE XREF: PpDevNodeRemoveFromTree(x)+4Ej
		mov	eax, ecx
		mov	ecx, [eax]

loc_6131A4:				; CODE XREF: PpDevNodeRemoveFromTree(x)+42j
		test	ecx, ecx
		jnz	short loc_6131A0

loc_6131A8:				; CODE XREF: PpDevNodeRemoveFromTree(x)+46j
		mov	[edx+0Ch], eax
		test	ds:byte_70EFC6,	1
		jz	short loc_6131C0
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6131C5
; 

loc_6131C0:				; CODE XREF: PpDevNodeRemoveFromTree(x)+5Aj
		xor	eax, eax
		lock and [edi],	eax

loc_6131C5:				; CODE XREF: PpDevNodeRemoveFromTree(x)+66j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [esi+190h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_6132CF
		cmp	[ecx], eax
		jnz	loc_6132CF
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, esi
		call	_PnpOrphanNotification@4 ; PnpOrphanNotification(x)
		mov	[ebp+var_1], 1
		jmp	short loc_61321D
; 

loc_6131FB:				; CODE XREF: PpDevNodeRemoveFromTree(x)+28j
		test	ds:byte_70EFC6,	1
		jz	short loc_613210
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_613215
; 

loc_613210:				; CODE XREF: PpDevNodeRemoveFromTree(x)+AAj
		xor	eax, eax
		lock and [edi],	eax

loc_613215:				; CODE XREF: PpDevNodeRemoveFromTree(x)+B6j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_61321D:				; CODE XREF: PpDevNodeRemoveFromTree(x)+A1j
		lea	ebx, [esi+64h]
		mov	edi, [ebx]
		jmp	short loc_61326C
; 

loc_613224:				; CODE XREF: PpDevNodeRemoveFromTree(x)+116j
		lea	eax, [edi-0Ch]
		mov	edi, [edi]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_6132CF
		cmp	[ecx], eax
		jnz	loc_6132CF
		mov	[ecx], edx
		lea	ebx, [eax+0Ch]
		mov	[edx+4], ecx
		mov	edx, [eax+0Ch]
		mov	ecx, [eax+10h]
		cmp	[edx+4], ebx
		jnz	short loc_6132CF
		lea	ebx, [eax+0Ch]
		cmp	[ecx], ebx
		lea	ebx, [esi+64h]
		jnz	short loc_6132CF
		push	72775044h
		mov	[ecx], edx
		push	eax
		mov	[edx+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_61326C:				; CODE XREF: PpDevNodeRemoveFromTree(x)+CAj
		cmp	edi, ebx
		jnz	short loc_613224
		lea	ebx, [esi+6Ch]
		mov	edi, [ebx]
		jmp	short loc_6132B6
; 

loc_613277:				; CODE XREF: PpDevNodeRemoveFromTree(x)+160j
		mov	ecx, [edi]
		mov	eax, edi
		mov	edi, ecx
		mov	edx, [eax+4]
		cmp	[ecx+4], eax
		jnz	short loc_6132CF
		cmp	[edx], eax
		jnz	short loc_6132CF
		mov	[edx], ecx
		lea	ebx, [eax+0Ch]
		mov	[ecx+4], edx
		mov	edx, [eax+0Ch]
		mov	ecx, [eax+10h]
		cmp	[edx+4], ebx
		jnz	short loc_6132CF
		lea	ebx, [eax+0Ch]
		cmp	[ecx], ebx
		lea	ebx, [esi+6Ch]
		jnz	short loc_6132CF
		push	72775044h
		mov	[ecx], edx
		push	eax
		mov	[edx+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6132B6:				; CODE XREF: PpDevNodeRemoveFromTree(x)+11Dj
		cmp	edi, ebx
		jnz	short loc_613277
		xor	eax, eax
		pop	edi
		mov	[esi+8], eax
		mov	[esi+4], eax
		mov	[esi], eax
		mov	[esi+0Ch], eax
		mov	al, [ebp+var_1]
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_6132CF:				; CODE XREF: PpDevNodeRemoveFromTree(x)+83j
					; PpDevNodeRemoveFromTree(x)+8Bj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PpDevNodeRemoveFromTree@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpRemoveLockedDeviceNode(x, x, x)
_PnpRemoveLockedDeviceNode@12 proc near	; CODE XREF: PnpDeleteLockedDeviceNode(x,x,x,x,x,x)+5Ep

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_18], esi
		mov	eax, [esi+10h]
		mov	[ebp+var_10], eax
		call	_PpHotSwapInitRemovalPolicy@4 ;	PpHotSwapInitRemovalPolicy(x)
		mov	edi, [esi+4]
		test	edi, edi
		jz	short loc_613357

loc_6132FF:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+81j
		mov	eax, [edi]
		mov	[ebp+var_C], eax
		mov	eax, [edi+10Ch]
		test	al, 10h
		jz	short loc_613317
		and	eax, 0FFFFFFEFh
		mov	[edi+10Ch], eax

loc_613317:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+38j
		cmp	dword ptr [edi+11Ch], 0
		jnz	short loc_61332D
		cmp	dword ptr [edi+168h], 0
		jnz	short loc_61332D
		test	al, 40h
		jz	short loc_613341

loc_61332D:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+4Aj
					; PnpRemoveLockedDeviceNode(x,x,x)+53j
		mov	ecx, [edi+10h]
		push	2
		pop	edx
		call	_IopRemoveDevice@8 ; IopRemoveDevice(x,x)
		xor	edx, edx
		mov	ecx, edi
		call	_IopReleaseDeviceResources@8 ; IopReleaseDeviceResources(x,x)

loc_613341:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+57j
		push	ecx
		mov	edx, 314h
		mov	ecx, edi
		call	PipSetDevNodeState
		mov	eax, [ebp+var_C]
		mov	edi, eax
		test	eax, eax
		jnz	short loc_6132FF

loc_613357:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+29j
		mov	eax, [esi+0ACh]
		cmp	eax, 30Eh
		jz	short loc_61336B
		cmp	eax, 30Fh
		jnz	short loc_613388

loc_61336B:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+8Ej
		cmp	dword ptr [esi+0B0h], 311h
		jz	loc_613650
		mov	ecx, esi
		call	_PipRestoreDevNodeState@4 ; PipRestoreDevNodeState(x)
		mov	eax, [esi+0ACh]

loc_613388:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+95j
		add	eax, 0FFFFFCFFh
		cmp	eax, 13h
		ja	short loc_6133A6
		movzx	eax, ds:byte_613664[eax]
		jmp	ds:off_613658[eax*4]

loc_6133A0:				; DATA XREF: .text:0061365Co
		mov	[ebp+var_1], 0
		jmp	short loc_6133AA
; 

loc_6133A6:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+BCj
					; PnpRemoveLockedDeviceNode(x,x,x)+C5j
					; DATA XREF: ...
		mov	[ebp+var_1], 1

loc_6133AA:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+D0j
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_8]
		mov	eax, [eax+10h]
		test	eax, eax
		jz	short loc_6133C2

loc_6133B7:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+E9j
		mov	eax, [eax+10h]
		inc	ecx
		test	eax, eax
		jnz	short loc_6133B7
		mov	[ebp+var_8], ecx

loc_6133C2:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+E1j
		xor	edi, edi
		and	[ebp+var_C], edi
		test	ecx, ecx
		jz	loc_613467
		push	65647050h
		lea	eax, ds:8[ecx*4]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_613467
		mov	ecx, [ebp+var_8]
		push	65647050h
		lea	eax, ds:8[ecx*4]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_61347C
		mov	eax, [ebp+var_8]
		lea	ebx, ds:8[eax*4]
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		push	ebx		; size_t
		push	0		; int
		push	[ebp+var_C]	; void *
		call	_memset
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		mov	ebx, [eax+10h]
		mov	eax, [ebp+var_C]
		mov	[ebp+var_8], eax
		test	ebx, ebx
		jz	short loc_613464
		mov	esi, edi

loc_613440:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+18Bj
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [ebp+var_8]
		mov	[esi], ebx
		lea	esi, [esi+4]
		mov	eax, [ebx+8]
		mov	[ecx], eax
		add	ecx, 4
		mov	ebx, [ebx+10h]
		mov	[ebp+var_8], ecx
		test	ebx, ebx
		jnz	short loc_613440
		mov	esi, [ebp+var_18]

loc_613464:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+168j
		mov	ebx, [ebp+var_14]

loc_613467:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+F5j
					; PnpRemoveLockedDeviceNode(x,x,x)+116j ...
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[ebp+var_2], al
		mov	edx, edi
		test	edi, edi
		jz	short loc_6134A7
		mov	ecx, [edi]
		jmp	short loc_6134A3
; 

loc_61347C:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+134j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		jmp	short loc_613467
; 

loc_613488:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+1D1j
		mov	eax, [ecx+0B0h]
		and	dword ptr [eax+10h], 0FFFFFFFBh
		mov	eax, [edx]
		lea	edx, [edx+4]
		mov	eax, [eax+0B0h]
		or	dword ptr [eax+10h], 8
		mov	ecx, [edx]

loc_6134A3:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+1A6j
		test	ecx, ecx
		jnz	short loc_613488

loc_6134A7:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+1A2j
		mov	ecx, [ebp+var_10]
		mov	dl, [ebp+var_2]
		push	0Ah
		mov	eax, [ecx+0B0h]
		and	dword ptr [eax+10h], 0FFFFFFFBh
		mov	eax, [ecx+0B0h]
		pop	ecx
		or	dword ptr [eax+10h], 8
		call	KeReleaseQueuedSpinLock
		cmp	[ebp+var_1], 0
		jz	short loc_613501
		mov	ecx, [ebp+var_10]
		push	2
		pop	edx
		call	_IopRemoveDevice@8 ; IopRemoveDevice(x,x)
		cmp	dword ptr [esi+0ACh], 310h
		jnz	short loc_6134EE
		lea	ecx, [esi+14h]
		call	_PnpDisableDeviceInterfaces@4 ;	PnpDisableDeviceInterfaces(x)

loc_6134EE:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+210j
		mov	edx, [esi+10Ch]
		mov	ecx, esi
		shr	edx, 4
		and	edx, 1
		call	_IopReleaseDeviceResources@8 ; IopReleaseDeviceResources(x,x)

loc_613501:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+1F9j
		test	byte ptr [esi+10Ch], 10h
		jnz	short loc_613523
		mov	eax, [esi+174h]
		push	3
		pop	edx
		cmp	eax, edx
		jz	short loc_61351C
		cmp	eax, 4
		jnz	short loc_613523

loc_61351C:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+241j
		mov	ecx, esi
		call	_PpProfileCommitTransitioningDock@8 ; PpProfileCommitTransitioningDock(x,x)

loc_613523:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+234j
					; PnpRemoveLockedDeviceNode(x,x,x)+246j
		test	edi, edi
		jz	short loc_613591
		cmp	dword ptr [edi], 0
		jz	short loc_61357F
		mov	eax, [ebp+var_C]
		mov	esi, edi
		sub	eax, edi
		mov	[ebp+var_8], eax
		mov	ebx, eax

loc_613538:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+2A3j
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, [esi]
		mov	dl, al
		push	0Ah
		mov	ecx, [ecx+0B0h]
		and	dword ptr [ecx+10h], 0FFFFFFF7h
		mov	ecx, [esi]
		mov	ecx, [ecx+0B0h]
		or	dword ptr [ecx+10h], 10h
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	ecx, [ebx+esi]
		call	PnpUnloadAttachedDriver
		mov	ecx, [esi]
		call	ObfDereferenceObject
		lea	esi, [esi+4]
		cmp	dword ptr [esi], 0
		jnz	short loc_613538
		mov	esi, [ebp+var_18]
		mov	ebx, [ebp+var_14]

loc_61357F:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+256j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_613591:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+251j
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	edi, [ebp+var_10]
		push	0Ah
		pop	ecx
		mov	edx, [edi+0B0h]
		and	dword ptr [edx+10h], 0FFFFFFF7h
		mov	edx, [edi+0B0h]
		or	dword ptr [edx+10h], 10h
		mov	dl, al
		call	KeReleaseQueuedSpinLock
		test	byte ptr [esi+10Ch], 10h
		mov	edx, 312h
		jnz	short loc_6135CB
		add	edx, 2

loc_6135CB:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+2F2j
		push	ecx
		mov	ecx, esi
		call	PipSetDevNodeState
		test	ebx, ebx
		jz	short loc_613627
		test	dword ptr [esi+10Ch], 6000h
		jz	short loc_613609
		cmp	ebx, 18h
		jz	short loc_613609
		cmp	ebx, 16h
		jz	short loc_613609
		mov	edx, ebx
		mov	ecx, esi
		call	_PipIsProblemReadonly@8	; PipIsProblemReadonly(x,x)
		test	eax, eax
		jz	short loc_613627
		mov	edx, [esi+114h]
		call	_PipIsProblemReadonly@8	; PipIsProblemReadonly(x,x)
		test	eax, eax
		jnz	short loc_613627

loc_613609:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+30Dj
					; PnpRemoveLockedDeviceNode(x,x,x)+312j ...
		mov	ecx, esi
		call	PipClearDevNodeProblem
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_61361D
		mov	eax, [esi+108h]

loc_61361D:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+341j
		push	eax
		mov	edx, ebx
		mov	ecx, esi
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)

loc_613627:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+301j
					; PnpRemoveLockedDeviceNode(x,x,x)+324j ...
		test	byte ptr [esi+10Ch], 10h
		jnz	short loc_613637
		mov	ecx, edi
		call	PnpDeleteAllDependencyRelations

loc_613637:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+35Aj
		push	1
		mov	edx, ebx
		mov	ecx, esi
		call	_PiDmaGuardProcessPostRemove@12	; PiDmaGuardProcessPostRemove(x,x,x)
		mov	edx, [esi+18h]
		test	edx, edx
		jz	short loc_613650
		push	17h
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent

loc_613650:				; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+A1j
					; PnpRemoveLockedDeviceNode(x,x,x)+373j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PnpRemoveLockedDeviceNode@12 endp

; 
		align 4
off_613658	dd offset loc_6133A6	; DATA XREF: PnpRemoveLockedDeviceNode(x,x,x)+C5r
		dd offset loc_6133A0
		dd offset loc_6133A6
byte_613664	db 0			; DATA XREF: PnpRemoveLockedDeviceNode(x,x,x)+BEr
		align 4
		dd 2000002h, 2020202h, 20202h, 1000000h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0p_EtwWriteTransfer(x, x, x, x)
_McTemplateK0p_EtwWriteTransfer@16 proc	near ; CODE XREF: sub_8E1E83+7p
					; PiProcessNewDeviceNode+6ECCDp ...

var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+arg_4]
		and	[ebp+var_10], 0
		and	[ebp+var_8], 0
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_24]
		push	ecx
		push	2
		push	eax
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		mov	[ebp+var_C], 4
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_McTemplateK0p_EtwWriteTransfer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0pz_EtwWriteTransfer(x, x, x, x,	x)
_McTemplateK0pz_EtwWriteTransfer@20 proc near ;	CODE XREF: PiProcessNewDeviceNode+6E698p

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_8]
		lea	eax, [ebp+arg_4]
		push	edi
		xor	edi, edi
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], 4
		mov	[ebp+var_18], edi
		test	edx, edx
		jz	short loc_61370F
		mov	ecx, edx
		push	esi
		lea	esi, [ecx+2]

loc_6136F6:				; CODE XREF: McTemplateK0pz_EtwWriteTransfer(x,x,x,x,x)+3Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_6136F6
		sub	ecx, esi
		sar	ecx, 1
		pop	esi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613712
; 

loc_61370F:				; CODE XREF: McTemplateK0pz_EtwWriteTransfer(x,x,x,x,x)+2Dj
		push	0Ah
		pop	ecx

loc_613712:				; CODE XREF: McTemplateK0pz_EtwWriteTransfer(x,x,x,x,x)+4Cj
		test	edx, edx
		jnz	short loc_61371B
		mov	edx, (offset off_5A4D00+2)

loc_61371B:				; CODE XREF: McTemplateK0pz_EtwWriteTransfer(x,x,x,x,x)+53j
		lea	eax, [ebp+var_34]
		mov	[ebp+var_14], edx
		push	eax
		push	3
		mov	[ebp+var_C], ecx
		mov	edx, offset _KMPnPEvt_ProcessNewDevice_InstancePath
		push	edi
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], edi
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_McTemplateK0pz_EtwWriteTransfer@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0q_EtwWriteTransfer(x, x, x, x)
_McTemplateK0q_EtwWriteTransfer@16 proc	near ; CODE XREF: PnpCallAddDevice+B1p

var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_24]
		mov	[ebp+var_10], ecx
		push	eax
		push	2
		mov	[ebp+var_8], ecx
		mov	edx, offset _KMPnPEvt_DeviceAdd_Stop
		push	ecx
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_McTemplateK0q_EtwWriteTransfer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0qhzr1z_EtwWriteTransfer(x, x, x, x, x, x, x)
_McTemplateK0qhzr1z_EtwWriteTransfer@28	proc near ; CODE XREF: PnpCallAddDevice+8BB20p

var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_10]
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_24], eax
		movzx	eax, word ptr [ebp+arg_8]
		push	edi
		xor	edi, edi
		mov	[ebp+var_3C], 4
		add	eax, eax
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], 2
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], edi
		test	edx, edx
		jz	short loc_61380D
		mov	ecx, edx
		push	esi
		lea	esi, [ecx+2]

loc_6137F4:				; CODE XREF: McTemplateK0qhzr1z_EtwWriteTransfer(x,x,x,x,x,x,x)+66j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_6137F4
		sub	ecx, esi
		sar	ecx, 1
		pop	esi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613810
; 

loc_61380D:				; CODE XREF: McTemplateK0qhzr1z_EtwWriteTransfer(x,x,x,x,x,x,x)+55j
		push	0Ah
		pop	ecx

loc_613810:				; CODE XREF: McTemplateK0qhzr1z_EtwWriteTransfer(x,x,x,x,x,x,x)+74j
		test	edx, edx
		jnz	short loc_613819
		mov	edx, (offset off_5A4D00+2)

loc_613819:				; CODE XREF: McTemplateK0qhzr1z_EtwWriteTransfer(x,x,x,x,x,x,x)+7Bj
		lea	eax, [ebp+var_54]
		mov	[ebp+var_14], edx
		push	eax
		push	5
		mov	[ebp+var_C], ecx
		mov	edx, offset _KMPnPEvt_DeviceAdd_Start
		push	edi
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], edi
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_McTemplateK0qhzr1z_EtwWriteTransfer@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0z_EtwWriteTransfer(x, x, x, x)
_McTemplateK0z_EtwWriteTransfer@16 proc	near ; CODE XREF: PnpLogActionQueueEvent+8E593p
					; PnpProcessTargetDeviceEvent+6DBCEp ...

var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_613888
		mov	ecx, edx
		push	esi
		lea	esi, [ecx+2]

loc_61386F:				; CODE XREF: McTemplateK0z_EtwWriteTransfer(x,x,x,x)+2Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_61386F
		sub	ecx, esi
		sar	ecx, 1
		pop	esi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_61388B
; 

loc_613888:				; CODE XREF: McTemplateK0z_EtwWriteTransfer(x,x,x,x)+1Dj
		push	0Ah
		pop	ecx

loc_61388B:				; CODE XREF: McTemplateK0z_EtwWriteTransfer(x,x,x,x)+3Cj
		test	edx, edx
		jnz	short loc_613894
		mov	edx, (offset off_5A4D00+2)

loc_613894:				; CODE XREF: McTemplateK0z_EtwWriteTransfer(x,x,x,x)+43j
		lea	eax, [ebp+var_24]
		mov	[ebp+var_14], edx
		push	eax
		push	2
		mov	[ebp+var_C], ecx
		mov	edx, edi
		push	ebx
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_McTemplateK0z_EtwWriteTransfer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDisableUserModeNotifications(x, x)
_PnpDisableUserModeNotifications@8 proc	near
					; CODE XREF: IoRevokeHandlesForProcess(x,x)+11Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	ecx, offset _PiUEventClientRegistrationListLock
		call	ExAcquireFastMutex
		mov	edi, offset _PiUEventDevHandleClientList

loc_6138E0:				; CODE XREF: PnpDisableUserModeNotifications(x,x)+57j
		mov	esi, [edi]
		jmp	short loc_61390D
; 

loc_6138E4:				; CODE XREF: PnpDisableUserModeNotifications(x,x)+4Cj
		mov	ecx, [esi+8]
		call	ExAcquireFastMutex
		mov	ecx, [ebp+var_4]
		mov	eax, [esi+1Ch]
		cmp	eax, [ecx+0E4h]
		jnz	short loc_613903
		cmp	[esi+10h], ebx
		jnz	short loc_613903
		mov	byte ptr [esi+14h], 1

loc_613903:				; CODE XREF: PnpDisableUserModeNotifications(x,x)+35j
					; PnpDisableUserModeNotifications(x,x)+3Aj
		mov	ecx, [esi+8]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	esi, [esi]

loc_61390D:				; CODE XREF: PnpDisableUserModeNotifications(x,x)+1Fj
		cmp	esi, edi
		jnz	short loc_6138E4
		add	edi, 8
		cmp	edi, offset _PnpDelayedRemoveWorkItem
		jb	short loc_6138E0
		mov	ecx, offset _PiUEventClientRegistrationListLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnpDisableUserModeNotifications@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0j_EtwWriteTransfer(x, x, x, x)
_McTemplateK0j_EtwWriteTransfer@16 proc	near ; CODE XREF: PpCheckInDriverDatabase+B09C4p

var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	[ebp+var_14], eax
		mov	edx, offset _KMPnPEvt_Driver_Blocked
		lea	eax, [ebp+var_24]
		mov	[ebp+var_10], ecx
		push	eax
		push	2
		mov	[ebp+var_8], ecx
		push	ecx
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		mov	[ebp+var_C], 10h
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_McTemplateK0j_EtwWriteTransfer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSetLegacyResourcesFlag(x)
_IopSetLegacyResourcesFlag@4 proc near	; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+21Fp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	0Ah
		mov	esi, ecx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, large fs:20h
		mov	bl, al
		or	dword ptr [esi+8], 40h
		test	ds:byte_70EFC6,	1
		lea	esi, [ecx+468h]
		jz	short loc_6139AF
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6139DA
; 

loc_6139AF:				; CODE XREF: IopSetLegacyResourcesFlag(x)+2Bj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_6139CB
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_6139DA
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_6139CB:				; CODE XREF: IopSetLegacyResourcesFlag(x)+3Dj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_6139DA:				; CODE XREF: IopSetLegacyResourcesFlag(x)+37j
					; IopSetLegacyResourcesFlag(x)+4Cj
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_IopSetLegacyResourcesFlag@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0zjdd_EtwWriteTransfer(x, x, x, x, x, x,	x)
_McTemplateK0zjdd_EtwWriteTransfer@28 proc near
					; CODE XREF: PiPnpRtlCmActionCallback+115A77p

var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_613A23
		mov	ecx, edx
		push	esi
		lea	esi, [ecx+2]

loc_613A0A:				; CODE XREF: McTemplateK0zjdd_EtwWriteTransfer(x,x,x,x,x,x,x)+2Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_613A0A
		sub	ecx, esi
		sar	ecx, 1
		pop	esi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613A26
; 

loc_613A23:				; CODE XREF: McTemplateK0zjdd_EtwWriteTransfer(x,x,x,x,x,x,x)+1Dj
		push	0Ah
		pop	ecx

loc_613A26:				; CODE XREF: McTemplateK0zjdd_EtwWriteTransfer(x,x,x,x,x,x,x)+3Cj
		test	edx, edx
		jnz	short loc_613A2F
		mov	edx, (offset off_5A4D00+2)

loc_613A2F:				; CODE XREF: McTemplateK0zjdd_EtwWriteTransfer(x,x,x,x,x,x,x)+43j
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_10]
		push	4
		mov	[ebp+var_3C], ecx
		pop	ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		mov	[ebp+var_44], edx
		mov	edx, edi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_C], ecx
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		push	ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], 10h
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_McTemplateK0zjdd_EtwWriteTransfer@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0pqzzzzzzz_EtwWriteTransfer(x, x, x, x, x, x, x,	x, x, x, x, x)
_McTemplateK0pqzzzzzzz_EtwWriteTransfer@48 proc	near ; CODE XREF: PiDqIrpQueryCreate+118AE0p

var_A4		= dword	ptr -0A4h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_C]
		lea	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_94], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_90], ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], ebx
		mov	[ebp+var_78], ebx
		push	4
		pop	ecx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_7C], ecx
		test	edx, edx
		jz	short loc_613B03
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_613AEB:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+62j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_613AEB
		sub	ecx, esi
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613B06
; 

loc_613B03:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+52j
		push	0Ah
		pop	ecx

loc_613B06:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+6Fj
		test	edx, edx
		jnz	short loc_613B0F
		mov	edx, (offset off_5A4D00+2)

loc_613B0F:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+76j
		mov	[ebp+var_74], edx
		mov	edx, [ebp+arg_10]
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], ebx
		test	edx, edx
		jz	short loc_613B3F
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_613B27:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+9Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_613B27
		sub	ecx, esi
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613B42
; 

loc_613B3F:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+8Ej
		push	0Ah
		pop	ecx

loc_613B42:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+ABj
		test	edx, edx
		jnz	short loc_613B4B
		mov	edx, (offset off_5A4D00+2)

loc_613B4B:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+B2j
		mov	[ebp+var_64], edx
		mov	edx, [ebp+arg_14]
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], ebx
		test	edx, edx
		jz	short loc_613B7B
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_613B63:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+DAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_613B63
		sub	ecx, esi
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613B7E
; 

loc_613B7B:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+CAj
		push	0Ah
		pop	ecx

loc_613B7E:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+E7j
		test	edx, edx
		jnz	short loc_613B87
		mov	edx, (offset off_5A4D00+2)

loc_613B87:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+EEj
		mov	[ebp+var_54], edx
		mov	edx, [ebp+arg_18]
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], ebx
		test	edx, edx
		jz	short loc_613BB7
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_613B9F:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+116j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_613B9F
		sub	ecx, esi
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613BBA
; 

loc_613BB7:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+106j
		push	0Ah
		pop	ecx

loc_613BBA:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+123j
		test	edx, edx
		jnz	short loc_613BC3
		mov	edx, (offset off_5A4D00+2)

loc_613BC3:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+12Aj
		mov	[ebp+var_44], edx
		mov	edx, [ebp+arg_1C]
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ebx
		test	edx, edx
		jz	short loc_613BF3
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_613BDB:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+152j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_613BDB
		sub	ecx, esi
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613BF6
; 

loc_613BF3:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+142j
		push	0Ah
		pop	ecx

loc_613BF6:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+15Fj
		test	edx, edx
		jnz	short loc_613BFF
		mov	edx, (offset off_5A4D00+2)

loc_613BFF:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+166j
		mov	[ebp+var_34], edx
		mov	edx, [ebp+arg_20]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ebx
		test	edx, edx
		jz	short loc_613C2F
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_613C17:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+18Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_613C17
		sub	ecx, esi
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613C32
; 

loc_613C2F:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+17Ej
		push	0Ah
		pop	ecx

loc_613C32:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+19Bj
		test	edx, edx
		jnz	short loc_613C3B
		mov	edx, (offset off_5A4D00+2)

loc_613C3B:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+1A2j
		mov	[ebp+var_24], edx
		mov	edx, [ebp+arg_24]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		test	edx, edx
		jz	short loc_613C6B
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_613C53:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+1CAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_613C53
		sub	ecx, esi
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613C6E
; 

loc_613C6B:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+1BAj
		push	0Ah
		pop	ecx

loc_613C6E:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+1D7j
		test	edx, edx
		jnz	short loc_613C77
		mov	edx, (offset off_5A4D00+2)

loc_613C77:				; CODE XREF: McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)+1DEj
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_14], edx
		push	eax
		push	0Ah
		mov	[ebp+var_C], ecx
		mov	edx, offset _KMPnPEvt_DevQuery_QueryStart
		push	edi
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	28h
_McTemplateK0pqzzzzzzz_EtwWriteTransfer@48 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqIrpCancel(x, x)
_PiDqIrpCancel@8 proc near		; DATA XREF: PiDqIrpQueryGetResult+1F0o

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	byte ptr [ebp+arg_4+3],	0
		mov	eax, [ebx+60h]
		mov	eax, [eax+18h]
		mov	esi, [eax+10h]
		mov	al, [ebx+25h]
		mov	[ebp+var_1], al
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	edi, [eax+450h]
		jz	short loc_613CED
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_613D18
; 

loc_613CED:				; CODE XREF: PiDqIrpCancel(x,x)+32j
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_613D09
		mov	ecx, [edi+4]
		xor	edx, edx
		mov	eax, edi
		lock cmpxchg [ecx], edx
		cmp	eax, edi
		jz	short loc_613D18
		mov	ecx, edi
		call	KxWaitForLockChainValid

loc_613D09:				; CODE XREF: PiDqIrpCancel(x,x)+44j
		xor	ecx, ecx
		mov	dword ptr [edi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_613D18:				; CODE XREF: PiDqIrpCancel(x,x)+3Ej
					; PiDqIrpCancel(x,x)+53j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	_PiDqQueryLock@4 ; PiDqQueryLock(x)
		xor	edi, edi
		cmp	[esi+5Ch], edi
		jz	short loc_613D3C
		xor	eax, eax
		mov	[esi+5Ch], edi
		inc	eax
		and	dword ptr [esi+74h], 0FFFFFFEFh
		mov	byte ptr [ebp+arg_4+3],	al

loc_613D3C:				; CODE XREF: PiDqIrpCancel(x,x)+80j
		mov	ecx, esi
		call	_PiDqQueryUnlock@4 ; PiDqQueryUnlock(x)
		cmp	byte ptr [ebp+arg_4+3],	0
		jz	short loc_613D5C
		xor	dl, dl
		mov	[ebx+1Ch], edi
		mov	ecx, ebx
		mov	dword ptr [ebx+18h], 0C0000120h
		call	IofCompleteRequest

loc_613D5C:				; CODE XREF: PiDqIrpCancel(x,x)+9Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiDqIrpCancel@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0zzjzitd_EtwWriteTransfer(x, x, x, x, x,	x, x, x, x, x, x)
_McTemplateK0zzjzitd_EtwWriteTransfer@44 proc near
					; CODE XREF: PiDevCfgLogDeviceMigrated(x,x,x)+99p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		xor	edi, edi
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_88], edi
		push	0Ah
		pop	esi
		test	edx, edx
		jz	short loc_613DB2
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_613D94:				; CODE XREF: McTemplateK0zzjzitd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+3Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_88]
		jnz	short loc_613D94
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613DB4
; 

loc_613DB2:				; CODE XREF: McTemplateK0zzjzitd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+2Aj
		mov	ecx, esi

loc_613DB4:				; CODE XREF: McTemplateK0zzjzitd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+4Dj
		test	edx, edx
		jnz	short loc_613DBD
		mov	edx, (offset off_5A4D00+2)

loc_613DBD:				; CODE XREF: McTemplateK0zzjzitd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+53j
		mov	[ebp+var_74], edx
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_70], edi
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], edi
		test	edx, edx
		jz	short loc_613DF3
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_613DD5:				; CODE XREF: McTemplateK0zzjzitd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+7Fj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_88]
		jnz	short loc_613DD5
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613DF5
; 

loc_613DF3:				; CODE XREF: McTemplateK0zzjzitd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+6Bj
		mov	ecx, esi

loc_613DF5:				; CODE XREF: McTemplateK0zzjzitd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+8Ej
		test	edx, edx
		jnz	short loc_613DFE
		mov	edx, (offset off_5A4D00+2)

loc_613DFE:				; CODE XREF: McTemplateK0zzjzitd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+94j
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_64], edx
		mov	edx, [ebp+arg_10]
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], edi
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], 10h
		mov	[ebp+var_48], edi
		test	edx, edx
		jz	short loc_613E43
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_613E29:				; CODE XREF: McTemplateK0zzjzitd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+CFj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_613E29
		sub	ecx, esi
		sar	ecx, 1
		lea	esi, ds:2[ecx*2]
		test	edx, edx
		jnz	short loc_613E48

loc_613E43:				; CODE XREF: McTemplateK0zzjzitd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+BFj
		mov	edx, (offset off_5A4D00+2)

loc_613E48:				; CODE XREF: McTemplateK0zzjzitd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+DEj
		push	8
		lea	eax, [ebp+arg_14]
		mov	[ebp+var_44], edx
		pop	edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_1C]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_20]
		push	4
		pop	ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_84]
		push	eax
		push	edx
		mov	[ebp+var_2C], edx
		mov	edx, ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_C], ecx
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		push	edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], edi
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	24h
_McTemplateK0zzjzitd_EtwWriteTransfer@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0zzjzzzdd_EtwWriteTransfer(x, x,	x, x, x, x, x, x, x, x,	x)
_McTemplateK0zzjzzzdd_EtwWriteTransfer@44 proc near
					; CODE XREF: PiDevCfgLogDeviceStarted(x)+39Dp

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		xor	edi, edi
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_98], edi
		push	0Ah
		pop	esi
		test	edx, edx
		jz	short loc_613EFC
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_613EDE:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+3Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_98]
		jnz	short loc_613EDE
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613EFE
; 

loc_613EFC:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+2Aj
		mov	ecx, esi

loc_613EFE:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+4Dj
		test	edx, edx
		jnz	short loc_613F07
		mov	edx, (offset off_5A4D00+2)

loc_613F07:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+53j
		mov	[ebp+var_84], edx
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_80], edi
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_78], edi
		test	edx, edx
		jz	short loc_613F40
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_613F22:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+82j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_98]
		jnz	short loc_613F22
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613F42
; 

loc_613F40:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+6Ej
		mov	ecx, esi

loc_613F42:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+91j
		test	edx, edx
		jnz	short loc_613F4B
		mov	edx, (offset off_5A4D00+2)

loc_613F4B:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+97j
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_74], edx
		mov	edx, [ebp+arg_10]
		mov	[ebp+var_70], edi
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], edi
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], 10h
		mov	[ebp+var_58], edi
		test	edx, edx
		jz	short loc_613F94
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_613F76:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+D6j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_98]
		jnz	short loc_613F76
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613F96
; 

loc_613F94:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+C2j
		mov	ecx, esi

loc_613F96:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+E5j
		test	edx, edx
		jnz	short loc_613F9F
		mov	edx, (offset off_5A4D00+2)

loc_613F9F:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+EBj
		mov	[ebp+var_54], edx
		mov	edx, [ebp+arg_14]
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edi
		test	edx, edx
		jz	short loc_613FD5
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_613FB7:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+117j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_98]
		jnz	short loc_613FB7
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_613FD7
; 

loc_613FD5:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+103j
		mov	ecx, esi

loc_613FD7:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+126j
		test	edx, edx
		jnz	short loc_613FE0
		mov	edx, (offset off_5A4D00+2)

loc_613FE0:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+12Cj
		mov	[ebp+var_44], edx
		mov	edx, [ebp+arg_18]
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edi
		test	edx, edx
		jz	short loc_614012
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_613FF8:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+154j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_613FF8
		sub	ecx, esi
		sar	ecx, 1
		lea	esi, ds:2[ecx*2]
		test	edx, edx
		jnz	short loc_614017

loc_614012:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+144j
		mov	edx, (offset off_5A4D00+2)

loc_614017:				; CODE XREF: McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+163j
		lea	eax, [ebp+arg_1C]
		mov	[ebp+var_34], edx
		mov	[ebp+var_24], eax
		mov	edx, ebx
		push	4
		pop	ecx
		lea	eax, [ebp+arg_20]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_94]
		push	eax
		push	9
		mov	[ebp+var_C], ecx
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		push	edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], edi
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	24h
_McTemplateK0zzjzzzdd_EtwWriteTransfer@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x, x, x, x, x, x, x, x,	x, x, x, x, x, x, x, x,	x)
_McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer@68	proc near
					; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+89Dp

var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F8h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		xor	edi, edi
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_F8], edi
		push	0Ah
		pop	esi
		test	edx, edx
		jz	short loc_6140BA
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_61409C:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_F8]
		jnz	short loc_61409C
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_6140BC
; 

loc_6140BA:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2Aj
		mov	ecx, esi

loc_6140BC:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4Dj
		test	edx, edx
		jnz	short loc_6140C5
		mov	edx, (offset off_5A4D00+2)

loc_6140C5:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+53j
		mov	[ebp+var_E4], edx
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_E0], edi
		mov	[ebp+var_DC], ecx
		mov	[ebp+var_D8], edi
		test	edx, edx
		jz	short loc_614107
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_6140E9:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_F8]
		jnz	short loc_6140E9
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_614109
; 

loc_614107:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+77j
		mov	ecx, esi

loc_614109:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9Aj
		test	edx, edx
		jnz	short loc_614112
		mov	edx, (offset off_5A4D00+2)

loc_614112:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A0j
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_D4], edx
		mov	edx, [ebp+arg_10]
		mov	[ebp+var_D0], edi
		mov	[ebp+var_CC], ecx
		mov	[ebp+var_C8], edi
		mov	[ebp+var_C4], eax
		mov	[ebp+var_C0], edi
		mov	[ebp+var_BC], 10h
		mov	[ebp+var_B8], edi
		test	edx, edx
		jz	short loc_614173
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_614155:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F7j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_F8]
		jnz	short loc_614155
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_614175
; 

loc_614173:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E3j
		mov	ecx, esi

loc_614175:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+106j
		test	edx, edx
		jnz	short loc_61417E
		mov	edx, (offset off_5A4D00+2)

loc_61417E:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+10Cj
		mov	[ebp+var_B4], edx
		mov	edx, [ebp+arg_14]
		mov	[ebp+var_B0], edi
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_A8], edi
		test	edx, edx
		jz	short loc_6141C0
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_6141A2:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+144j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_F8]
		jnz	short loc_6141A2
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_6141C2
; 

loc_6141C0:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+130j
		mov	ecx, esi

loc_6141C2:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+153j
		test	edx, edx
		jnz	short loc_6141CB
		mov	edx, (offset off_5A4D00+2)

loc_6141CB:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+159j
		mov	[ebp+var_A4], edx
		mov	edx, [ebp+arg_18]
		mov	[ebp+var_A0], edi
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_98], edi
		test	edx, edx
		jz	short loc_61420D
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_6141EF:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+191j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_F8]
		jnz	short loc_6141EF
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_61420F
; 

loc_61420D:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+17Dj
		mov	ecx, esi

loc_61420F:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A0j
		test	edx, edx
		jnz	short loc_614218
		mov	edx, (offset off_5A4D00+2)

loc_614218:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A6j
		mov	[ebp+var_94], edx
		lea	eax, [ebp+arg_1C]
		mov	edx, [ebp+arg_20]
		mov	[ebp+var_90], edi
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_88], edi
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], edi
		mov	[ebp+var_7C], 4
		mov	[ebp+var_78], edi
		test	edx, edx
		jz	short loc_614270
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_614252:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1F4j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_F8]
		jnz	short loc_614252
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_614272
; 

loc_614270:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1E0j
		mov	ecx, esi

loc_614272:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+203j
		test	edx, edx
		jnz	short loc_61427B
		mov	edx, (offset off_5A4D00+2)

loc_61427B:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+209j
		mov	[ebp+var_74], edx
		lea	eax, [ebp+arg_24]
		mov	edx, [ebp+arg_28]
		mov	[ebp+var_70], edi
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], edi
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], 4
		mov	[ebp+var_58], edi
		test	edx, edx
		jz	short loc_6142C4
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_6142A6:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+248j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_F8]
		jnz	short loc_6142A6
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_6142C6
; 

loc_6142C4:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+234j
		mov	ecx, esi

loc_6142C6:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+257j
		test	edx, edx
		jnz	short loc_6142CF
		mov	edx, (offset off_5A4D00+2)

loc_6142CF:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+25Dj
		mov	[ebp+var_54], edx
		mov	edx, [ebp+arg_2C]
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edi
		test	edx, edx
		jz	short loc_614305
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_6142E7:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+289j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_F8]
		jnz	short loc_6142E7
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_614307
; 

loc_614305:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+275j
		mov	ecx, esi

loc_614307:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+298j
		test	edx, edx
		jnz	short loc_614310
		mov	edx, (offset off_5A4D00+2)

loc_614310:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+29Ej
		lea	eax, [ebp+arg_30]
		mov	[ebp+var_44], edx
		mov	edx, [ebp+arg_38]
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_34]
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		push	4
		pop	ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_1C], ecx
		test	edx, edx
		jz	short loc_614363
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_614349:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2E7j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_614349
		sub	ecx, esi
		sar	ecx, 1
		lea	esi, ds:2[ecx*2]
		test	edx, edx
		jnz	short loc_614368

loc_614363:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2D7j
		mov	edx, (offset off_5A4D00+2)

loc_614368:				; CODE XREF: McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2F6j
		lea	eax, [ebp+var_F4]
		mov	[ebp+var_14], edx
		push	eax
		push	0Fh
		push	edi
		mov	edx, ebx
		mov	[ebp+var_10], edi
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], edi
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	3Ch
_McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer@68	endp


;  S U B	R O U T	I N E 


; __stdcall PiDevCfgCompareDrivers(x, x)
_PiDevCfgCompareDrivers@8 proc near	; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+3C5p
					; PiDevCfgFindDeviceDriver(x,x,x)+733p
		mov	edi, edi
		push	ebx
		mov	ebx, [ecx+6Ch]
		push	esi
		mov	esi, [edx+6Ch]
		push	edi
		mov	edi, esi
		and	edi, 4
		test	bl, 4
		jz	short loc_6143B9
		xor	eax, eax
		test	edi, edi
		setz	al
		jmp	short loc_6143BF
; 

loc_6143B9:				; CODE XREF: PiDevCfgCompareDrivers(x,x)+13j
		test	edi, edi
		jnz	short loc_6143E7
		xor	eax, eax

loc_6143BF:				; CODE XREF: PiDevCfgCompareDrivers(x,x)+1Cj
		test	eax, eax
		jnz	loc_614448
		and	esi, 2
		test	bl, 2
		jz	short loc_6143D7
		test	esi, esi
		setnz	al
		dec	eax
		jmp	short loc_6143DB
; 

loc_6143D7:				; CODE XREF: PiDevCfgCompareDrivers(x,x)+32j
		test	esi, esi
		jnz	short loc_614447

loc_6143DB:				; CODE XREF: PiDevCfgCompareDrivers(x,x)+3Aj
		test	eax, eax
		jnz	short loc_614448
		mov	eax, [ecx+38h]
		cmp	eax, [edx+38h]
		jnb	short loc_6143EC

loc_6143E7:				; CODE XREF: PiDevCfgCompareDrivers(x,x)+20j
					; PiDevCfgCompareDrivers(x,x)+63j ...
		or	eax, 0FFFFFFFFh
		jmp	short loc_614448
; 

loc_6143EC:				; CODE XREF: PiDevCfgCompareDrivers(x,x)+4Aj
		jnz	short loc_614445
		mov	ebx, [ecx+44h]
		mov	edi, [edx+44h]
		mov	esi, [ecx+40h]
		mov	eax, [edx+40h]
		cmp	ebx, edi
		jl	short loc_614406
		jg	short loc_6143E7
		cmp	esi, eax
		jbe	short loc_614408
		jmp	short loc_6143E7
; 

loc_614406:				; CODE XREF: PiDevCfgCompareDrivers(x,x)+61j
		cmp	esi, eax

loc_614408:				; CODE XREF: PiDevCfgCompareDrivers(x,x)+67j
		jnz	short loc_614445
		cmp	ebx, edi
		jnz	short loc_614445
		mov	ebx, [ecx+4Ch]
		mov	edi, [edx+4Ch]
		mov	esi, [ecx+48h]
		mov	eax, [edx+48h]
		cmp	ebx, edi
		jl	short loc_614426
		jg	short loc_6143E7
		cmp	esi, eax
		jbe	short loc_614428
		jmp	short loc_6143E7
; 

loc_614426:				; CODE XREF: PiDevCfgCompareDrivers(x,x)+81j
		cmp	esi, eax

loc_614428:				; CODE XREF: PiDevCfgCompareDrivers(x,x)+87j
		jnz	short loc_614445
		cmp	ebx, edi
		jnz	short loc_614445
		cmp	dword ptr [ecx+54h], 0
		mov	eax, [edx+54h]
		jz	short loc_61443D
		test	eax, eax
		jnz	short loc_614441
		jmp	short loc_6143E7
; 

loc_61443D:				; CODE XREF: PiDevCfgCompareDrivers(x,x)+9Aj
		test	eax, eax
		jnz	short loc_614445

loc_614441:				; CODE XREF: PiDevCfgCompareDrivers(x,x)+9Ej
		xor	eax, eax
		jmp	short loc_614448
; 

loc_614445:				; CODE XREF: PiDevCfgCompareDrivers(x,x):loc_6143ECj
					; PiDevCfgCompareDrivers(x,x):loc_614408j ...
		xor	eax, eax

loc_614447:				; CODE XREF: PiDevCfgCompareDrivers(x,x)+3Ej
		inc	eax

loc_614448:				; CODE XREF: PiDevCfgCompareDrivers(x,x)+26j
					; PiDevCfgCompareDrivers(x,x)+42j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
_PiDevCfgCompareDrivers@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgConfigureDeviceInterfaceCallback(x,	x, x, x)
_PiDevCfgConfigureDeviceInterfaceCallback@16 proc near
					; DATA XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+12Fo

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_C]
		cmp	dword ptr [esi+8], 0
		jl	short loc_61446F
		push	dword ptr [esi+4]
		mov	edx, [esi]
		mov	ecx, [ebp+arg_4]
		call	_PiDevCfgConfigureDeviceInterface@12 ; PiDevCfgConfigureDeviceInterface(x,x,x)
		test	eax, eax
		jns	short loc_61446F
		mov	[esi+8], eax

loc_61446F:				; CODE XREF: PiDevCfgConfigureDeviceInterfaceCallback(x,x,x,x)+Dj
					; PiDevCfgConfigureDeviceInterfaceCallback(x,x,x,x)+1Ej
		xor	al, al
		pop	esi
		pop	ebp
		retn	10h
_PiDevCfgConfigureDeviceInterfaceCallback@16 endp


;  S U B	R O U T	I N E 


; int __fastcall PiDevCfgGetDriverConfigurationKeyScope(wchar_t	*)
_PiDevCfgGetDriverConfigurationKeyScope@4 proc near
					; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+17Dp
					; PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+373p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, ecx
		mov	esi, edi

loc_614481:				; CODE XREF: PiDevCfgGetDriverConfigurationKeyScope(x)+22j
		push	ebx		; wchar_t *
		push	ds:off_A3FD54[esi*8] ; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_61449C
		inc	esi
		cmp	esi, 7
		jb	short loc_614481
		jmp	short loc_6144A3
; 

loc_61449C:				; CODE XREF: PiDevCfgGetDriverConfigurationKeyScope(x)+1Cj
		mov	edi, ds:dword_A3FD58[esi*8]

loc_6144A3:				; CODE XREF: PiDevCfgGetDriverConfigurationKeyScope(x)+24j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_PiDevCfgGetDriverConfigurationKeyScope@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PiDevCfgGetMigrationDeviceIdScore(wchar_t *)
_PiDevCfgGetMigrationDeviceIdScore@8 proc near
					; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+2B4p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, edx
		xor	ecx, ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_1], cl
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	loc_614652
		test	esi, esi
		jz	loc_614652
		mov	[ebp+var_10], 4000h
		mov	[ebp+var_14], esi
		cmp	[esi], cx
		jz	loc_614652
		mov	si, word ptr [ebp+var_10]

loc_6144EC:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+DAj
		movzx	eax, word ptr [ebx]
		mov	edx, ebx
		mov	[ebp+var_C], edx
		mov	ecx, eax
		test	ax, ax
		jz	short loc_614542

loc_6144FB:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+8Bj
		push	[ebp+var_14]	; wchar_t *
		push	edx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_614538
		mov	edx, [ebp+var_C]
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[ebp+var_C], eax

loc_614515:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+76j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_8]
		jnz	short loc_614515
		sub	ecx, [ebp+var_C]
		xor	eax, eax
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2
		mov	[ebp+var_C], edx
		cmp	[edx], ax
		jnz	short loc_6144FB
		jmp	short loc_614547
; 

loc_614538:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+5Fj
		mov	eax, [ebp+var_C]
		mov	[ebp+var_1], 1
		movzx	ecx, word ptr [eax]

loc_614542:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+50j
		test	cx, cx
		jnz	short loc_61454A

loc_614547:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+8Dj
		or	edi, [ebp+var_10]

loc_61454A:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+9Cj
		push	2
		pop	eax
		cmp	si, ax
		jbe	short loc_614559
		shr	si, 1
		mov	word ptr [ebp+var_10], si

loc_614559:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+A7j
		mov	edx, [ebp+var_14]
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[ebp+var_14], eax

loc_614564:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+C5j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_8]
		jnz	short loc_614564
		sub	ecx, [ebp+var_14]
		xor	eax, eax
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2
		mov	[ebp+var_14], edx
		cmp	[edx], ax
		jnz	loc_6144EC
		mov	esi, [ebp+var_18]
		cmp	[ebp+var_1], al
		jz	loc_614652
		push	esi		; wchar_t *
		push	ebx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_6145A8
		or	edi, 8000h

loc_6145A8:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+F7j
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_6145AD:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+10Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_8]
		jnz	short loc_6145AD
		jmp	short loc_6145E7
; 

loc_6145BB:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+149j
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_6145C0:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+121j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_8]
		jnz	short loc_6145C0
		sub	ecx, edx
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]
		add	ebx, 2
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_6145DB:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+13Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_8]
		jnz	short loc_6145DB

loc_6145E7:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+110j
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		cmp	[ebx+ecx*2+2], ax
		jnz	short loc_6145BB
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_6145F9:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+15Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_8]
		jnz	short loc_6145F9
		jmp	short loc_614633
; 

loc_614607:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+195j
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_61460C:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+16Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_8]
		jnz	short loc_61460C
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_614627:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+188j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_8]
		jnz	short loc_614627

loc_614633:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+15Cj
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		cmp	[esi+ecx*2+2], ax
		jnz	short loc_614607
		push	esi		; wchar_t *
		push	ebx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_614657
		or	edi, 1
		jmp	short loc_614657
; 

loc_614652:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+1Ej
					; PiDevCfgGetMigrationDeviceIdScore(x,x)+26j ...
		mov	edi, 0FFFFh

loc_614657:				; CODE XREF: PiDevCfgGetMigrationDeviceIdScore(x,x)+1A2j
					; PiDevCfgGetMigrationDeviceIdScore(x,x)+1A7j
		mov	ax, di
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PiDevCfgGetMigrationDeviceIdScore@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgMatchDriverConfigurationId(x, x)
_PiDevCfgMatchDriverConfigurationId@8 proc near
					; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+36Dp
					; PiDevCfgFindDeviceDriver(x,x,x)+69Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ax, [ecx+14h]
		push	ebx
		push	esi
		push	edi
		shr	ax, 1
		mov	esi, edx
		movzx	edi, ax
		xor	bl, bl
		push	edi		; size_t
		push	dword ptr [ecx+18h] ; wchar_t *
		mov	[ebp+var_4], ecx
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_6146BE
		cmp	word ptr [esi+edi*2], 3Ah
		jnz	short loc_6146BE
		mov	ecx, [ebp+var_4]
		lea	esi, [esi+edi*2]
		add	esi, 2
		mov	ax, [ecx+24h]
		shr	ax, 1
		movzx	edi, ax
		push	edi		; size_t
		push	dword ptr [ecx+28h] ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_6146BE
		cmp	word ptr [esi+edi*2], 2Ch
		jnz	short loc_6146BE
		inc	bl

loc_6146BE:				; CODE XREF: PiDevCfgMatchDriverConfigurationId(x,x)+29j
					; PiDevCfgMatchDriverConfigurationId(x,x)+30j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_PiDevCfgMatchDriverConfigurationId@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgParseInterfaceKeyName(x, x,	x)
_PiDevCfgParseInterfaceKeyName@12 proc near
					; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+2C4p
					; PiDevCfgConfigureDeviceInterfaces(x,x,x)+357p

var_8		= word ptr -8
var_6		= word ptr -6
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	4Ch
		pop	ecx
		cmp	[esi], cx
		jb	short loc_614726
		mov	eax, [esi+4]
		mov	[ebp+var_4], eax
		mov	ax, [esi+2]
		mov	[ebp+var_6], ax
		lea	eax, [ebp-8]
		push	edx
		push	eax
		mov	[ebp+var_8], cx
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_61472B
		mov	ecx, [esi+4]
		movzx	eax, word ptr [ecx+4Ch]
		cmp	eax, 23h
		jnz	short loc_614719
		mov	eax, [ebp+arg_0]
		add	ecx, 4Eh
		movzx	edx, word ptr [ecx]
		neg	edx
		sbb	edx, edx
		and	edx, ecx
		mov	[eax], edx
		jmp	short loc_61472B
; 

loc_614719:				; CODE XREF: PiDevCfgParseInterfaceKeyName(x,x,x)+3Fj
		test	ax, ax
		jnz	short loc_614726
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		jmp	short loc_61472B
; 

loc_614726:				; CODE XREF: PiDevCfgParseInterfaceKeyName(x,x,x)+11j
					; PiDevCfgParseInterfaceKeyName(x,x,x)+57j
		mov	ebx, 0C0000001h

loc_61472B:				; CODE XREF: PiDevCfgParseInterfaceKeyName(x,x,x)+33j
					; PiDevCfgParseInterfaceKeyName(x,x,x)+52j ...
		shr	ebx, 1Fh
		xor	bl, 1
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
_PiDevCfgParseInterfaceKeyName@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgParsePropertyKeyName(x, x, x)
_PiDevCfgParsePropertyKeyName@12 proc near
					; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+2C8p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_2C], eax
		cmp	word ptr [esi],	50h
		jnb	short loc_614768
		mov	ebx, 0C0000001h
		jmp	loc_614816
; 

loc_614768:				; CODE XREF: PiDevCfgParsePropertyKeyName(x,x,x)+23j
		mov	eax, [esi+4]
		push	4Ch
		mov	[ebp+var_20], eax
		pop	eax
		mov	word ptr [ebp+var_24], ax
		mov	ax, [esi+2]
		mov	word ptr [ebp+var_24+2], ax
		lea	eax, [ebp+var_24]
		push	edx
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_614816
		push	edi
		mov	edi, [esi+4]
		push	2Ch
		pop	eax
		cmp	[edi+4Ch], ax
		jnz	short loc_614810
		movzx	esi, word ptr [esi]
		add	edi, 4Eh
		shr	esi, 1
		sub	esi, 27h
		cmp	word ptr [edi+esi*2], 0
		jnz	short loc_614810
		push	eax		; wchar_t
		push	edi		; wchar_t *
		call	_wcschr
		mov	[ebp+var_20], eax
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_6147CC
		mov	esi, eax
		sub	esi, edi
		sar	esi, 1
		add	eax, 2
		mov	[ebp+var_20], eax

loc_6147CC:				; CODE XREF: PiDevCfgParsePropertyKeyName(x,x,x)+85j
		push	esi
		push	edi
		push	0Bh
		pop	edx
		lea	ecx, [ebp+var_1C]
		call	RtlStringCchCopyNW
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_614815
		mov	edx, [ebp+var_28]
		lea	ecx, [ebp+var_1C]
		add	edx, 10h
		call	_PnpStringToDwordValue@8 ; PnpStringToDwordValue(x,x)
		test	al, al
		jz	short loc_614810
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jz	short loc_614815
		mov	ecx, [ebp+var_20]
		mov	dword ptr [eax], 1
		test	ecx, ecx
		jz	short loc_614815
		mov	edx, eax
		call	_PnpStringToDwordValue@8 ; PnpStringToDwordValue(x,x)
		test	al, al
		jnz	short loc_614815

loc_614810:				; CODE XREF: PiDevCfgParsePropertyKeyName(x,x,x)+63j
					; PiDevCfgParsePropertyKeyName(x,x,x)+75j ...
		mov	ebx, 0C0000001h

loc_614815:				; CODE XREF: PiDevCfgParsePropertyKeyName(x,x,x)+A4j
					; PiDevCfgParsePropertyKeyName(x,x,x)+BDj ...
		pop	edi

loc_614816:				; CODE XREF: PiDevCfgParsePropertyKeyName(x,x,x)+2Aj
					; PiDevCfgParsePropertyKeyName(x,x,x)+52j
		mov	ecx, [ebp+var_4]
		shr	ebx, 1Fh
		xor	ecx, ebp
		xor	bl, 1
		pop	esi
		mov	al, bl
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PiDevCfgParsePropertyKeyName@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgParseVariableName(x, x, x)
_PiDevCfgParseVariableName@12 proc near	; CODE XREF: PiDevCfgQueryResolveValue(x,x,x,x)+86p
					; PiDevCfgConfigureDeviceInterfaces(x,x,x)+249p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	24h
		xor	esi, esi
		mov	ebx, edx
		pop	eax
		mov	edi, esi
		cmp	[ecx], ax
		jnz	short loc_6148A1
		lea	esi, [ecx+2]
		movzx	eax, word ptr [esi]
		test	ax, ax
		jz	short loc_6148A1
		mov	edx, eax

loc_614851:				; CODE XREF: PiDevCfgParseVariableName(x,x,x)+64j
		cmp	dx, 3Fh
		jnz	short loc_61485E
		mov	ecx, 10000h
		jmp	short loc_614883
; 

loc_61485E:				; CODE XREF: PiDevCfgParseVariableName(x,x,x)+27j
		cmp	dx, 21h
		jnz	short loc_61486B
		mov	ecx, 20000h
		jmp	short loc_614883
; 

loc_61486B:				; CODE XREF: PiDevCfgParseVariableName(x,x,x)+34j
		cmp	dx, 2Bh
		jnz	short loc_614878
		mov	ecx, 40000h
		jmp	short loc_614883
; 

loc_614878:				; CODE XREF: PiDevCfgParseVariableName(x,x,x)+41j
		cmp	dx, 2Dh
		jnz	short loc_614896
		mov	ecx, 80000h

loc_614883:				; CODE XREF: PiDevCfgParseVariableName(x,x,x)+2Ej
					; PiDevCfgParseVariableName(x,x,x)+3Bj	...
		add	esi, 2
		or	ecx, edi
		mov	edi, ecx
		movzx	eax, word ptr [esi]
		mov	edx, eax
		test	ax, ax
		jnz	short loc_614851
		jmp	short loc_6148A1
; 

loc_614896:				; CODE XREF: PiDevCfgParseVariableName(x,x,x)+4Ej
		push	24h
		pop	eax
		cmp	dx, ax
		jnz	short loc_6148A1
		add	esi, 2

loc_6148A1:				; CODE XREF: PiDevCfgParseVariableName(x,x,x)+14j
					; PiDevCfgParseVariableName(x,x,x)+1Fj	...
		push	esi
		push	ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+arg_0]
		test	esi, esi
		mov	[eax], edi
		setnz	al
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PiDevCfgParseVariableName@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgPopCopyKeyEntry(x, x, x, x)
_PiDevCfgPopCopyKeyEntry@16 proc near	; CODE XREF: PiDevCfgCopyDeviceKeys(x,x,x,x)+80p
					; PiDevCfgCopyDeviceKeys(x,x,x,x)+D4p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		cmp	[ecx], ecx
		jz	short loc_6148F5
		mov	esi, [ecx+4]
		cmp	[esi], ecx
		jnz	short loc_6148FF
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_6148FF
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	eax, [esi+8]
		mov	ecx, [esi+0Ch]
		mov	[edx], eax
		mov	eax, [ebp+arg_0]
		push	0
		push	esi
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		mov	ecx, [esi+10h]
		mov	[eax], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6148F5:				; CODE XREF: PiDevCfgPopCopyKeyEntry(x,x,x,x)+Aj
		test	esi, esi
		pop	esi
		setnz	al
		pop	ebp
		retn	8
; 

loc_6148FF:				; CODE XREF: PiDevCfgPopCopyKeyEntry(x,x,x,x)+11j
					; PiDevCfgPopCopyKeyEntry(x,x,x,x)+18j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PiDevCfgPopCopyKeyEntry@16 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall PiDevCfgPopDriverNodeEntry(x, x)
_PiDevCfgPopDriverNodeEntry@8 proc near	; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+33p
					; PiDevCfgQueryIncludedDriverConfigurations(x)+5Dp
		mov	edi, edi
		push	esi
		xor	esi, esi
		cmp	[ecx], ecx
		jz	short loc_614931
		mov	esi, [ecx+4]
		cmp	[esi], ecx
		jnz	short loc_614938
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_614938
		mov	[ecx+4], eax
		mov	[eax], ecx
		test	edx, edx
		jz	short loc_614929
		mov	eax, [esi+8]
		mov	[edx], eax

loc_614929:				; CODE XREF: PiDevCfgPopDriverNodeEntry(x,x)+1Ej
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_614931:				; CODE XREF: PiDevCfgPopDriverNodeEntry(x,x)+7j
		test	esi, esi
		pop	esi
		setnz	al
		retn
; 

loc_614938:				; CODE XREF: PiDevCfgPopDriverNodeEntry(x,x)+Ej
					; PiDevCfgPopDriverNodeEntry(x,x)+15j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PiDevCfgPopDriverNodeEntry@8 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgPushCopyKeyEntry(x,	x, x, x)
_PiDevCfgPushCopyKeyEntry@16 proc near	; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+48Fp
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+AA8p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	6
		mov	[ebp+var_8], ecx
		lea	edi, [ebp+var_20]
		pop	ecx
		push	63647050h
		xor	eax, eax
		mov	[ebp+var_4], edx
		push	14h
		rep stosd
		push	1
		xor	ebx, ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_614978
		mov	ebx, 0C000009Ah
		jmp	loc_614A3B
; 

loc_614978:				; CODE XREF: PiDevCfgPushCopyKeyEntry(x,x,x,x)+2Fj
		mov	eax, [ebp+arg_4]
		lea	edi, [esi+8]
		mov	[esi+10h], eax
		test	eax, eax
		mov	eax, [ebp+var_4]
		jns	loc_614A0C
		and	[ebp+var_10], ebx
		and	[ebp+var_C], ebx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	20019h
		push	edi
		mov	[ebp+var_20], 18h
		mov	[ebp+var_14], 200h
		mov	[ebp+var_18], offset _PiDevCfgEmptyString
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_614A2F
		mov	eax, [ebp+arg_0]
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	0F003Fh
		lea	eax, [esi+0Ch]
		mov	[ebp+var_20], 18h
		push	eax
		mov	[ebp+var_14], 200h
		mov	[ebp+var_18], offset _PiDevCfgEmptyString
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_614A03
		push	dword ptr [edi]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_614A2F
; 

loc_614A03:				; CODE XREF: PiDevCfgPushCopyKeyEntry(x,x,x,x)+BBj
		or	dword ptr [esi+10h], 40000000h
		jmp	short loc_614A14
; 

loc_614A0C:				; CODE XREF: PiDevCfgPushCopyKeyEntry(x,x,x,x)+49j
		mov	[edi], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+0Ch], eax

loc_614A14:				; CODE XREF: PiDevCfgPushCopyKeyEntry(x,x,x,x)+CDj
		mov	eax, [ebp+var_8]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jz	short loc_614A23
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_614A23:				; CODE XREF: PiDevCfgPushCopyKeyEntry(x,x,x,x)+DFj
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		xor	esi, esi

loc_614A2F:				; CODE XREF: PiDevCfgPushCopyKeyEntry(x,x,x,x)+80j
					; PiDevCfgPushCopyKeyEntry(x,x,x,x)+C4j
		test	esi, esi
		jz	short loc_614A3B
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_614A3B:				; CODE XREF: PiDevCfgPushCopyKeyEntry(x,x,x,x)+36j
					; PiDevCfgPushCopyKeyEntry(x,x,x,x)+F4j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_PiDevCfgPushCopyKeyEntry@16 endp


;  S U B	R O U T	I N E 


; __stdcall PiDevCfgPushDriverNodeEntry(x, x)
_PiDevCfgPushDriverNodeEntry@8 proc near
					; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+48p
					; PiDevCfgQueryIncludedDriverConfigurations(x)+2DBp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	63647050h
		push	0Ch
		push	1
		mov	ebx, edx
		mov	esi, ecx
		xor	edi, edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_614A68
		mov	edi, 0C000009Ah
		jmp	short loc_614A81
; 

loc_614A68:				; CODE XREF: PiDevCfgPushDriverNodeEntry(x,x)+1Bj
		mov	[eax+8], ebx
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jz	short loc_614A77
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_614A77:				; CODE XREF: PiDevCfgPushDriverNodeEntry(x,x)+2Cj
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esi+4], eax

loc_614A81:				; CODE XREF: PiDevCfgPushDriverNodeEntry(x,x)+22j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_PiDevCfgPushDriverNodeEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgQueryResolveValue(x, x, x, x)
_PiDevCfgQueryResolveValue@16 proc near	; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+132p
					; PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+168p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	eax, edx
		xor	edx, edx
		lea	ecx, [ebp+var_8]
		push	edi
		push	ecx
		mov	[ebp+var_8], edx
		mov	ecx, eax
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_4], edx
		push	edx
		mov	edx, [ebp+arg_0]
		call	IopGetRegistryValue
		mov	esi, [ebp+var_8]
		mov	edi, eax
		xor	edx, edx
		test	edi, edi
		js	loc_614B56
		xor	eax, eax
		mov	[esi+6], ax
		cmp	[ebx+8], edx
		jz	loc_614BCB
		mov	eax, [esi+4]
		cmp	eax, 1
		jz	short loc_614AE5
		cmp	eax, 2
		jnz	loc_614BCB

loc_614AE5:				; CODE XREF: PiDevCfgQueryResolveValue(x,x,x,x)+53j
		mov	eax, [esi+0Ch]
		cmp	eax, 2
		jb	loc_614BCB
		mov	ecx, [esi+8]
		shr	eax, 1
		lea	eax, [ecx+eax*2]
		cmp	[eax+esi-2], dx
		jnz	loc_614BCB
		lea	eax, [ebp+var_C]
		add	ecx, esi
		push	eax
		lea	edx, [ebp+var_14]
		call	_PiDevCfgParseVariableName@12 ;	PiDevCfgParseVariableName(x,x,x)
		test	al, al
		jz	loc_614BC9
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, ebx
		call	_PiDevCfgResolveVariable@12 ; PiDevCfgResolveVariable(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_614B54
		mov	ecx, [ebp+var_4]
		mov	eax, [esi+10h]
		push	63647050h
		mov	ecx, [ecx+14h]
		add	ecx, 1Ah
		add	eax, ecx
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_614B6A
		mov	edi, 0C000009Ah

loc_614B54:				; CODE XREF: PiDevCfgQueryResolveValue(x,x,x,x)+A5j
					; PiDevCfgQueryResolveValue(x,x,x,x)+140j
		xor	edx, edx

loc_614B56:				; CODE XREF: PiDevCfgQueryResolveValue(x,x,x,x)+38j
					; PiDevCfgQueryResolveValue(x,x,x,x)+14Bj
		test	esi, esi
		jz	short loc_614B61
		push	edx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_614B61:				; CODE XREF: PiDevCfgQueryResolveValue(x,x,x,x)+D1j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_614B6A:				; CODE XREF: PiDevCfgQueryResolveValue(x,x,x,x)+C6j
		mov	eax, [esi]
		mov	ecx, [ebp+var_4]
		mov	[ebx], eax
		mov	eax, [esi+10h]
		mov	[ebx+10h], eax
		mov	eax, [ecx+10h]
		mov	[ebx+4], eax
		mov	eax, [ecx+14h]
		mov	[ebx+0Ch], eax
		mov	eax, [esi+10h]
		add	eax, 16h
		mov	[ebx+8], eax
		lea	eax, [esi+14h]
		push	dword ptr [esi+10h] ; size_t
		push	eax		; void *
		lea	eax, [ebx+14h]
		push	eax		; void *
		call	_memcpy
		mov	eax, [esi+10h]
		xor	ecx, ecx
		shr	eax, 1
		add	esp, 0Ch
		mov	[esi+eax*2+14h], cx
		mov	eax, [ebp+var_4]
		push	dword ptr [eax+14h] ; size_t
		push	dword ptr [eax+18h] ; void *
		mov	eax, [ebx+8]
		add	eax, ebx
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	[eax], ebx
		jmp	short loc_614B54
; 

loc_614BC9:				; CODE XREF: PiDevCfgQueryResolveValue(x,x,x,x)+8Dj
		xor	edx, edx

loc_614BCB:				; CODE XREF: PiDevCfgQueryResolveValue(x,x,x,x)+47j
					; PiDevCfgQueryResolveValue(x,x,x,x)+58j ...
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		mov	esi, edx
		jmp	short loc_614B56
_PiDevCfgQueryResolveValue@16 endp


;  S U B	R O U T	I N E 


; __stdcall PnpDuplicateUnicodeString(x, x)
_PnpDuplicateUnicodeString@8 proc near	; CODE XREF: PiDevCfgProcessDeviceCallback+6C460p
					; PiDevCfgAppendMultiSz(x,x,x,x)+C9p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		cmp	dword ptr [esi+4], 0
		jz	short loc_614C0C
		movzx	eax, word ptr [esi+2]
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	ecx, eax
		mov	[edi+4], ecx
		test	ecx, ecx
		jnz	short loc_614BF9
		xor	al, al
		jmp	short loc_614C20
; 

loc_614BF9:				; CODE XREF: PnpDuplicateUnicodeString(x,x)+1Fj
		movzx	eax, word ptr [esi+2]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_614C10
; 

loc_614C0C:				; CODE XREF: PnpDuplicateUnicodeString(x,x)+Cj
		and	dword ptr [edi+4], 0

loc_614C10:				; CODE XREF: PnpDuplicateUnicodeString(x,x)+36j
		mov	ax, [esi]
		mov	[edi], ax
		mov	ax, [esi+2]
		mov	[edi+2], ax
		mov	al, 1

loc_614C20:				; CODE XREF: PnpDuplicateUnicodeString(x,x)+23j
		pop	edi
		pop	esi
		retn
_PnpDuplicateUnicodeString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpMultiSzContainsString(x,	x, x)
_PnpMultiSzContainsString@12 proc near	; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+16Cp
					; PiDevCfgAppendMultiSz(x,x,x,x)+225p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebp+var_10]
		push	edx
		push	eax
		mov	edi, ecx
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	short loc_614C72
; 

loc_614C49:				; CODE XREF: PnpMultiSzContainsString(x,x,x)+52j
		push	edi
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_614C79
		movzx	eax, word ptr [ebp+var_8]
		shr	eax, 1
		lea	edi, [edi+eax*2]
		add	edi, 2

loc_614C72:				; CODE XREF: PnpMultiSzContainsString(x,x,x)+24j
		cmp	[edi], si
		jnz	short loc_614C49
		jmp	short loc_614C7B
; 

loc_614C79:				; CODE XREF: PnpMultiSzContainsString(x,x,x)+41j
		mov	esi, edi

loc_614C7B:				; CODE XREF: PnpMultiSzContainsString(x,x,x)+54j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
_PnpMultiSzContainsString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpRegistryValueExists(x, x)
_PnpRegistryValueExists@8 proc near	; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+4A3p
					; PiDevCfgMigrateRootDevice(x,x,x)+8Ap	...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		xor	ebx, ebx
		mov	[ebp+var_18], ebx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax
		push	10h
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		push	edx
		push	ecx
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_614CC2
		cmp	eax, 80000005h
		jnz	short loc_614CC4

loc_614CC2:				; CODE XREF: PnpRegistryValueExists(x,x)+36j
		mov	bl, 1

loc_614CC4:				; CODE XREF: PnpRegistryValueExists(x,x)+3Dj
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PnpRegistryValueExists@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpStringToDwordValue(x, x)
_PnpStringToDwordValue@8 proc near	; CODE XREF: PiDevCfgParsePropertyKeyName(x,x,x)+AFp
					; PiDevCfgParsePropertyKeyName(x,x,x)+CEp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		cmp	word ptr [ecx],	30h
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ebx
		jnz	short loc_614CFE
		movzx	eax, word ptr [ecx+2]
		cmp	eax, 78h
		jz	short loc_614CF7
		cmp	eax, 58h
		jnz	short loc_614CFE

loc_614CF7:				; CODE XREF: PnpStringToDwordValue(x,x)+1Cj
		add	ecx, 4
		push	10h
		jmp	short loc_614D00
; 

loc_614CFE:				; CODE XREF: PnpStringToDwordValue(x,x)+13j
					; PnpStringToDwordValue(x,x)+21j
		push	0Ah

loc_614D00:				; CODE XREF: PnpStringToDwordValue(x,x)+28j
		pop	eax
		push	eax		; int
		lea	eax, [ebp+var_4]
		push	eax		; wchar_t **
		push	ecx		; wchar_t *
		call	_wcstoul
		mov	[esi], eax
		add	esp, 0Ch
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_614D1F
		cmp	[eax], bx
		jnz	short loc_614D1F
		mov	bl, 1

loc_614D1F:				; CODE XREF: PnpStringToDwordValue(x,x)+42j
					; PnpStringToDwordValue(x,x)+47j
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_PnpStringToDwordValue@8 endp


;  S U B	R O U T	I N E 


; __stdcall PnpValidateMultiSzData(x, x)
_PnpValidateMultiSzData@8 proc near	; CODE XREF: PnpValidateRegistryMultiSz(x)+10p
					; PnpValidateRegistryValue(x)+31p ...
		xor	eax, eax
		push	esi
		cmp	edx, 4
		jb	short loc_614D3F
		mov	esi, edx
		shr	esi, 1
		cmp	[ecx+esi*2-2], ax
		jnz	short loc_614D3F
		cmp	[ecx+esi*2-4], ax
		jz	short loc_614D49

loc_614D3F:				; CODE XREF: PnpValidateMultiSzData(x,x)+6j
					; PnpValidateMultiSzData(x,x)+11j
		cmp	edx, 2
		jnz	short loc_614D4B
		cmp	[ecx], ax
		jnz	short loc_614D4B

loc_614D49:				; CODE XREF: PnpValidateMultiSzData(x,x)+18j
		mov	al, 1

loc_614D4B:				; CODE XREF: PnpValidateMultiSzData(x,x)+1Dj
					; PnpValidateMultiSzData(x,x)+22j
		pop	esi
		retn
_PnpValidateMultiSzData@8 endp


;  S U B	R O U T	I N E 


; __stdcall PnpValidateRegistryMultiSz(x)
_PnpValidateRegistryMultiSz@4 proc near	; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+2F1p
					; PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+8Bp ...
		mov	edx, ecx
		cmp	dword ptr [edx+4], 7
		jnz	short loc_614D69
		mov	ecx, [edx+8]
		add	ecx, edx
		mov	edx, [edx+0Ch]
		call	_PnpValidateMultiSzData@8 ; PnpValidateMultiSzData(x,x)
		test	al, al
		jz	short loc_614D69
		mov	al, 1
		retn
; 

loc_614D69:				; CODE XREF: PnpValidateRegistryMultiSz(x)+6j
					; PnpValidateRegistryMultiSz(x)+17j
		xor	al, al
		retn
_PnpValidateRegistryMultiSz@4 endp


;  S U B	R O U T	I N E 


; __stdcall PnpValidateRegistryString(x)
_PnpValidateRegistryString@4 proc near	; CODE XREF: PiDevCfgBuildIndirectString(x,x,x,x)+138p
					; PiDevCfgQueryPolicyStringList(x,x,x)+1A6p ...
		xor	edx, edx
		push	ebx
		inc	edx
		xor	ebx, ebx
		push	esi
		cmp	[ecx+4], edx
		jnz	short loc_614D8F
		mov	esi, [ecx+0Ch]
		cmp	esi, 2
		jb	short loc_614D8F
		mov	eax, [ecx+8]
		shr	esi, 1
		lea	eax, [eax+esi*2]
		cmp	[eax+ecx-2], bx
		jz	short loc_614D91

loc_614D8F:				; CODE XREF: PnpValidateRegistryString(x)+Aj
					; PnpValidateRegistryString(x)+12j
		mov	dl, bl

loc_614D91:				; CODE XREF: PnpValidateRegistryString(x)+21j
		pop	esi
		mov	al, dl
		pop	ebx
		retn
_PnpValidateRegistryString@4 endp


;  S U B	R O U T	I N E 


; __stdcall PnpValidateRegistryValue(x)
_PnpValidateRegistryValue@4 proc near	; CODE XREF: PiDevCfgResolveVariable(x,x,x)+35Ap
					; PiDevCfgResolveVariableKeyCopy(x,x,x)+5Bp ...
		mov	edx, ecx
		push	esi
		mov	eax, [edx+4]
		test	eax, eax
		jz	short loc_614DF2
		cmp	eax, 2
		jbe	short loc_614DD9
		cmp	eax, 4
		jz	short loc_614DD0
		cmp	eax, 7
		jz	short loc_614DBF
		cmp	eax, 8000h
		jz	short loc_614DBB
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_614DF2

loc_614DBB:				; CODE XREF: PnpValidateRegistryValue(x)+1Ej
		xor	cl, cl
		jmp	short loc_614DF4
; 

loc_614DBF:				; CODE XREF: PnpValidateRegistryValue(x)+17j
		mov	ecx, [edx+8]
		add	ecx, edx
		mov	edx, [edx+0Ch]
		call	_PnpValidateMultiSzData@8 ; PnpValidateMultiSzData(x,x)
		mov	cl, al
		jmp	short loc_614DF4
; 

loc_614DD0:				; CODE XREF: PnpValidateRegistryValue(x)+12j
		cmp	dword ptr [edx+0Ch], 4
		setz	cl
		jmp	short loc_614DF4
; 

loc_614DD9:				; CODE XREF: PnpValidateRegistryValue(x)+Dj
		mov	esi, [edx+0Ch]
		xor	ecx, ecx
		cmp	esi, 2
		jb	short loc_614DF4
		mov	eax, [edx+8]
		shr	esi, 1
		lea	eax, [eax+esi*2]
		cmp	[eax+edx-2], cx
		jnz	short loc_614DF4

loc_614DF2:				; CODE XREF: PnpValidateRegistryValue(x)+8j
					; PnpValidateRegistryValue(x)+23j
		mov	cl, 1

loc_614DF4:				; CODE XREF: PnpValidateRegistryValue(x)+27j
					; PnpValidateRegistryValue(x)+38j ...
		mov	al, cl
		pop	esi
		retn
_PnpValidateRegistryValue@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0zd_EtwWriteTransfer(x, x, x, x,	x)
_McTemplateK0zd_EtwWriteTransfer@20 proc near ;	CODE XREF: PnpLogActionQueueEvent+8E6B2p

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_614E36
		mov	ecx, edx
		push	esi
		lea	esi, [ecx+2]

loc_614E1D:				; CODE XREF: McTemplateK0zd_EtwWriteTransfer(x,x,x,x,x)+2Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_614E1D
		sub	ecx, esi
		sar	ecx, 1
		pop	esi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_614E39
; 

loc_614E36:				; CODE XREF: McTemplateK0zd_EtwWriteTransfer(x,x,x,x,x)+1Dj
		push	0Ah
		pop	ecx

loc_614E39:				; CODE XREF: McTemplateK0zd_EtwWriteTransfer(x,x,x,x,x)+3Cj
		test	edx, edx
		jnz	short loc_614E42
		mov	edx, (offset off_5A4D00+2)

loc_614E42:				; CODE XREF: McTemplateK0zd_EtwWriteTransfer(x,x,x,x,x)+43j
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_24], edx
		mov	[ebp+var_14], eax
		mov	edx, edi
		lea	eax, [ebp+var_34]
		mov	[ebp+var_1C], ecx
		push	eax
		push	3
		push	ebx
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ebx
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_McTemplateK0zd_EtwWriteTransfer@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0zdq_EtwWriteTransfer(x,	x, x, x, x, x)
_McTemplateK0zdq_EtwWriteTransfer@24 proc near ; CODE XREF: PnpLogActionQueueEvent+8E6E8p

var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_614EC2
		mov	ecx, edx
		push	esi
		lea	esi, [ecx+2]

loc_614EA9:				; CODE XREF: McTemplateK0zdq_EtwWriteTransfer(x,x,x,x,x,x)+2Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_614EA9
		sub	ecx, esi
		sar	ecx, 1
		pop	esi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_614EC5
; 

loc_614EC2:				; CODE XREF: McTemplateK0zdq_EtwWriteTransfer(x,x,x,x,x,x)+1Dj
		push	0Ah
		pop	ecx

loc_614EC5:				; CODE XREF: McTemplateK0zdq_EtwWriteTransfer(x,x,x,x,x,x)+3Cj
		test	edx, edx
		jnz	short loc_614ECE
		mov	edx, (offset off_5A4D00+2)

loc_614ECE:				; CODE XREF: McTemplateK0zdq_EtwWriteTransfer(x,x,x,x,x,x)+43j
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_C]
		push	4
		pop	ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		mov	[ebp+var_34], edx
		mov	edx, edi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_C], ecx
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		push	ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_McTemplateK0zdq_EtwWriteTransfer@24 endp


;  S U B	R O U T	I N E 


; __stdcall PnpCancelDeviceActionRequest(x)
_PnpCancelDeviceActionRequest@4	proc near ; CODE XREF: sub_8E013A+DEp
					; PiQueueDeviceRequest(x,x,x,x,x)+E2p
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, ecx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [edi+38h]
		call	ExAcquirePushLockExclusiveEx
		xor	edx, edx
		mov	byte ptr [edi+3Ch], 1
		lea	ecx, [edi+38h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_PnpCancelDeviceActionRequest@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpRemoveDeviceActionRequestFromQueue(x)
_PnpRemoveDeviceActionRequestFromQueue@4 proc near ; CODE XREF:	sub_8E013A+23p
					; PiQueueDeviceRequest(x,x,x,x,x)+D0p

var_6		= byte ptr -6
var_5		= byte ptr -5
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, ecx
		xor	bl, bl
		call	edi
		mov	ecx, offset _PnpSpinLock
		mov	[esp+18h+var_5], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	[esi+34h], bl
		jnz	short loc_614FF0
		mov	edx, [esi]
		mov	ecx, [esi+4]
		cmp	[edx+4], esi
		jnz	short loc_615008
		cmp	[ecx], esi
		jnz	short loc_615008
		mov	[ecx], edx
		xor	ebx, ebx
		mov	[edx+4], ecx
		inc	ebx
		mov	eax, [esi+0Ch]
		mov	[esp+18h+var_4], eax
		call	edi
		mov	edi, offset dword_6C3838
		mov	[esp+18h+var_6], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		sub	ds:dword_6C383C, ebx
		jnz	short loc_614FC1
		push	4
		pop	ecx
		call	_PopDirectedDripsClearDisengageReason@4	; PopDirectedDripsClearDisengageReason(x)

loc_614FC1:				; CODE XREF: PnpRemoveDeviceActionRequestFromQueue(x)+62j
		test	ds:byte_70EFC6,	1
		jz	short loc_614FD6
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_614FDB
; 

loc_614FD6:				; CODE XREF: PnpRemoveDeviceActionRequestFromQueue(x)+73j
		xor	eax, eax
		lock and [edi],	eax

loc_614FDB:				; CODE XREF: PnpRemoveDeviceActionRequestFromQueue(x)+7Fj
		mov	cl, [esp+18h+var_6]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+18h+var_4]
		mov	ecx, ebx
		call	PopDirectedDripsDiagNotifyPnpActionQueueEvent

loc_614FF0:				; CODE XREF: PnpRemoveDeviceActionRequestFromQueue(x)+2Bj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PnpSpinLock
		jz	short loc_61500D
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_615012
; 

loc_615008:				; CODE XREF: PnpRemoveDeviceActionRequestFromQueue(x)+35j
					; PnpRemoveDeviceActionRequestFromQueue(x)+39j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_61500D:				; CODE XREF: PnpRemoveDeviceActionRequestFromQueue(x)+A7j
		xor	eax, eax
		lock and [ecx],	eax

loc_615012:				; CODE XREF: PnpRemoveDeviceActionRequestFromQueue(x)+B1j
		mov	cl, [esp+18h+var_5]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jz	short loc_615046
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_615031
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag

loc_615031:				; CODE XREF: PnpRemoveDeviceActionRequestFromQueue(x)+D0j
		or	eax, 0FFFFFFFFh
		lock xadd [esi+30h], eax
		jnz	short loc_615046
		push	32706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_615046:				; CODE XREF: PnpRemoveDeviceActionRequestFromQueue(x)+C9j
					; PnpRemoveDeviceActionRequestFromQueue(x)+E4j
		pop	edi
		pop	esi
		movzx	eax, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PnpRemoveDeviceActionRequestFromQueue@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpRemoveDeviceActionRequests(x)
_PnpRemoveDeviceActionRequests@4 proc near ; CODE XREF:	PipSetDevNodeState+85D09p

var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		push	esi
		push	edi
		mov	[esp+18h+var_8], ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PnpSpinLock
		mov	[esp+18h+var_9], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, ds:_PnpEnumerationRequestList
		cmp	esi, offset _PnpEnumerationRequestList
		jz	loc_615167
		mov	eax, [esp+18h+var_8]

loc_61508D:				; CODE XREF: PnpRemoveDeviceActionRequests(x)+10Cj
		mov	edi, [esi]
		cmp	[esi+8], eax
		jnz	loc_615154
		mov	eax, [esi+4]
		cmp	[edi+4], esi
		jnz	loc_61517C
		cmp	[eax], esi
		jnz	loc_61517C
		mov	[eax], edi
		mov	[edi+4], eax
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_6150BE
		mov	dword ptr [eax], 0C000000Eh

loc_6150BE:				; CODE XREF: PnpRemoveDeviceActionRequests(x)+66j
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_6150CF
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_6150CF:				; CODE XREF: PnpRemoveDeviceActionRequests(x)+73j
		mov	eax, [esi+0Ch]
		mov	[esp+18h+var_4], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_6C3838
		mov	[esp+18h+var_A], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		sub	ds:dword_6C383C, 1
		jnz	short loc_6150FB
		push	4
		pop	ecx
		call	_PopDirectedDripsClearDisengageReason@4	; PopDirectedDripsClearDisengageReason(x)

loc_6150FB:				; CODE XREF: PnpRemoveDeviceActionRequests(x)+A1j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_6C3838
		jz	short loc_615113
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_615118
; 

loc_615113:				; CODE XREF: PnpRemoveDeviceActionRequests(x)+B7j
		xor	eax, eax
		lock and [ecx],	eax

loc_615118:				; CODE XREF: PnpRemoveDeviceActionRequests(x)+C1j
		mov	cl, [esp+18h+var_A]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+18h+var_4]
		xor	ecx, ecx
		inc	ecx
		call	PopDirectedDripsDiagNotifyPnpActionQueueEvent
		mov	ecx, [esi+8]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		or	eax, 0FFFFFFFFh
		lock xadd [esi+30h], eax
		jnz	short loc_615150
		push	32706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_615150:				; CODE XREF: PnpRemoveDeviceActionRequests(x)+F3j
		mov	eax, [esp+18h+var_8]

loc_615154:				; CODE XREF: PnpRemoveDeviceActionRequests(x)+42j
		mov	esi, edi
		cmp	edi, offset _PnpEnumerationRequestList
		jnz	loc_61508D
		mov	edi, offset _PnpSpinLock

loc_615167:				; CODE XREF: PnpRemoveDeviceActionRequests(x)+33j
		test	ds:byte_70EFC6,	1
		jz	short loc_615181
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_615186
; 

loc_61517C:				; CODE XREF: PnpRemoveDeviceActionRequests(x)+4Ej
					; PnpRemoveDeviceActionRequests(x)+56j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_615181:				; CODE XREF: PnpRemoveDeviceActionRequests(x)+11Ej
		xor	eax, eax
		lock and [edi],	eax

loc_615186:				; CODE XREF: PnpRemoveDeviceActionRequests(x)+12Aj
		mov	cl, [esp+18h+var_9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_PnpRemoveDeviceActionRequests@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0izzx_EtwWriteTransfer(x, x, x, x, x, x,	x, x, x)
_McTemplateK0izzx_EtwWriteTransfer@36 proc near	; CODE XREF: PnpWatchdogEtwWrite(x,x)+11Ep
					; PnpWatchdogEtwWrite(x,x)+1C0p

var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_3C], 8
		mov	ebx, edx
		mov	[ebp+var_40], edi
		mov	edx, [ebp+arg_C]
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		mov	[ebp+var_38], edi
		push	0Ah
		pop	esi
		test	edx, edx
		jz	short loc_6151EC
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_6151D1:				; CODE XREF: McTemplateK0izzx_EtwWriteTransfer(x,x,x,x,x,x,x,x,x)+45j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_40]
		jnz	short loc_6151D1
		sub	ecx, edi
		sar	ecx, 1
		xor	edi, edi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_6151EE
; 

loc_6151EC:				; CODE XREF: McTemplateK0izzx_EtwWriteTransfer(x,x,x,x,x,x,x,x,x)+34j
		mov	ecx, esi

loc_6151EE:				; CODE XREF: McTemplateK0izzx_EtwWriteTransfer(x,x,x,x,x,x,x,x,x)+54j
		test	edx, edx
		jnz	short loc_6151F7
		mov	edx, (offset off_5A4D00+2)

loc_6151F7:				; CODE XREF: McTemplateK0izzx_EtwWriteTransfer(x,x,x,x,x,x,x,x,x)+5Aj
		mov	[ebp+var_34], edx
		mov	edx, [ebp+arg_10]
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edi
		test	edx, edx
		jz	short loc_615229
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_61520F:				; CODE XREF: McTemplateK0izzx_EtwWriteTransfer(x,x,x,x,x,x,x,x,x)+82j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_61520F
		sub	ecx, esi
		sar	ecx, 1
		lea	esi, ds:2[ecx*2]
		test	edx, edx
		jnz	short loc_61522E

loc_615229:				; CODE XREF: McTemplateK0izzx_EtwWriteTransfer(x,x,x,x,x,x,x,x,x)+72j
		mov	edx, (offset off_5A4D00+2)

loc_61522E:				; CODE XREF: McTemplateK0izzx_EtwWriteTransfer(x,x,x,x,x,x,x,x,x)+91j
		lea	eax, [ebp+arg_14]
		mov	[ebp+var_24], edx
		mov	[ebp+var_14], eax
		mov	edx, ebx
		lea	eax, [ebp+var_54]
		mov	[ebp+var_20], edi
		push	eax
		push	5
		push	edi
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], 8
		mov	[ebp+var_8], edi
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
_McTemplateK0izzx_EtwWriteTransfer@36 endp


;  S U B	R O U T	I N E 


; int __fastcall PnpInitializeTriageBlock(void *)
_PnpInitializeTriageBlock@4 proc near	; CODE XREF: PnpWatchdogBugcheck(x)+47p
		mov	edi, edi
		push	esi
		push	2Ch		; size_t
		mov	esi, ecx
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, ds:_PnpDeviceEventThread
		add	esp, 0Ch
		mov	[esi+0Ch], eax
		mov	dword ptr [esi], 504E5057h
		mov	dword ptr [esi+4], 1
		mov	eax, ds:_PnpDeviceActionThread
		mov	[esi+10h], eax
		mov	eax, ds:_PnpDelayedRemoveWorkerThread
		mov	[esi+14h], eax
		mov	eax, ds:_ExWorkerQueue
		mov	dword ptr [esi+18h], offset _PnpDeviceCompletionQueue
		mov	[esi+1Ch], eax
		pop	esi
		retn
_PnpInitializeTriageBlock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpWatchdogBugcheck(x)
_PnpWatchdogBugcheck@4 proc near	; DATA XREF: PnpAllocateWatchdog+44o

var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		xor	edi, edi
		lea	eax, [ebp+var_38]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_4], edi
		mov	ebx, edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], ebx
		call	KeQueryInterruptTime
		mov	esi, [ebp+arg_0]
		push	edi
		push	2710h
		sub	eax, [esi]
		sbb	edx, [esi+4]
		push	edx
		push	eax
		call	__aulldiv
		lea	ecx, [ebp+var_38] ; void *
		mov	[ebp+arg_0], eax
		call	_PnpInitializeTriageBlock@4 ; PnpInitializeTriageBlock(x)
		mov	edx, [esi+0Ch]
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_30], edx
		push	eax
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_4]
		call	_PnpWatchdogExtractTriageInformation@20	; PnpWatchdogExtractTriageInformation(x,x,x,x,x)
		mov	ecx, [ebp+var_14]
		mov	esi, [ebp+var_4]
		mov	[ebp+var_18], esi
		test	ecx, ecx
		jz	loc_6154C1
		movzx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	edx, [ebp+var_14]
		mov	ecx, [edx+8]
		test	ecx, ecx
		jz	short loc_615379
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	edx, [ebp+var_14]
		mov	ecx, [edx+8]
		add	ecx, 1Ch
		cmp	[ecx], di
		jz	short loc_615379
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebp+var_14]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [ebp+var_14]

loc_615379:				; CODE XREF: PnpWatchdogBugcheck(x)+8Aj
					; PnpWatchdogBugcheck(x)+A1j
		test	edx, edx
		jz	short loc_615388
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_61538A
; 

loc_615388:				; CODE XREF: PnpWatchdogBugcheck(x)+C2j
		mov	eax, edi

loc_61538A:				; CODE XREF: PnpWatchdogBugcheck(x)+CDj
		test	eax, eax
		jz	loc_6154C1
		test	edx, edx
		jz	short loc_6153A4
		mov	eax, [edx+0B0h]
		mov	edi, [eax+14h]
		mov	ecx, [eax+14h]
		jmp	short loc_6153A6
; 

loc_6153A4:				; CODE XREF: PnpWatchdogBugcheck(x)+DBj
		xor	ecx, ecx

loc_6153A6:				; CODE XREF: PnpWatchdogBugcheck(x)+E9j
		mov	edx, 1F4h
		call	IoAddTriageDumpDataBlock
		xor	eax, eax
		cmp	[edi+14h], ax
		jz	short loc_6153CF
		push	2
		pop	edx
		lea	ecx, [edi+14h]
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi+14h]
		mov	ecx, [edi+18h]
		call	IoAddTriageDumpDataBlock

loc_6153CF:				; CODE XREF: PnpWatchdogBugcheck(x)+FDj
		mov	ecx, [ebp+var_14]
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_6153E3
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_6153E5
; 

loc_6153E3:				; CODE XREF: PnpWatchdogBugcheck(x)+11Dj
		mov	eax, edi

loc_6153E5:				; CODE XREF: PnpWatchdogBugcheck(x)+128j
		cmp	[eax+1Ch], di
		jz	short loc_61543B
		test	ecx, ecx
		jz	short loc_6153FA
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_6153FC
; 

loc_6153FA:				; CODE XREF: PnpWatchdogBugcheck(x)+134j
		mov	ecx, edi

loc_6153FC:				; CODE XREF: PnpWatchdogBugcheck(x)+13Fj
		push	2
		add	ecx, 1Ch
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebp+var_14]
		test	ecx, ecx
		jz	short loc_615419
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_61541B
; 

loc_615419:				; CODE XREF: PnpWatchdogBugcheck(x)+153j
		mov	edx, edi

loc_61541B:				; CODE XREF: PnpWatchdogBugcheck(x)+15Ej
		test	ecx, ecx
		jz	short loc_61542A
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_61542C
; 

loc_61542A:				; CODE XREF: PnpWatchdogBugcheck(x)+164j
		mov	ecx, edi

loc_61542C:				; CODE XREF: PnpWatchdogBugcheck(x)+16Fj
		movzx	edx, word ptr [edx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebp+var_14]

loc_61543B:				; CODE XREF: PnpWatchdogBugcheck(x)+130j
		test	ecx, ecx
		jz	short loc_61544A
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_61544C
; 

loc_61544A:				; CODE XREF: PnpWatchdogBugcheck(x)+184j
		mov	eax, edi

loc_61544C:				; CODE XREF: PnpWatchdogBugcheck(x)+18Fj
		cmp	[eax+8], edi
		jz	short loc_6154C1
		test	ecx, ecx
		jz	short loc_615460
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_615462
; 

loc_615460:				; CODE XREF: PnpWatchdogBugcheck(x)+19Aj
		mov	eax, edi

loc_615462:				; CODE XREF: PnpWatchdogBugcheck(x)+1A5j
		mov	eax, [eax+8]
		cmp	[eax+1Ch], di
		jz	short loc_6154C1
		test	ecx, ecx
		jz	short loc_61547A
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_61547C
; 

loc_61547A:				; CODE XREF: PnpWatchdogBugcheck(x)+1B4j
		mov	ecx, edi

loc_61547C:				; CODE XREF: PnpWatchdogBugcheck(x)+1BFj
		mov	ecx, [ecx+8]
		push	2
		add	ecx, 1Ch
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebp+var_14]
		test	ecx, ecx
		jz	short loc_61549C
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_61549E
; 

loc_61549C:				; CODE XREF: PnpWatchdogBugcheck(x)+1D6j
		mov	edx, edi

loc_61549E:				; CODE XREF: PnpWatchdogBugcheck(x)+1E1j
		test	ecx, ecx
		jz	short loc_6154AD
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_6154AF
; 

loc_6154AD:				; CODE XREF: PnpWatchdogBugcheck(x)+1E7j
		mov	ecx, edi

loc_6154AF:				; CODE XREF: PnpWatchdogBugcheck(x)+1F2j
		mov	eax, [edx+8]
		mov	ecx, [ecx+8]
		movzx	edx, word ptr [eax+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_6154C1:				; CODE XREF: PnpWatchdogBugcheck(x)+73j
					; PnpWatchdogBugcheck(x)+D3j ...
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_6154D0
		mov	eax, [eax+18h]
		add	eax, 0Ch
		jmp	short loc_6154DB
; 

loc_6154D0:				; CODE XREF: PnpWatchdogBugcheck(x)+20Dj
		test	esi, esi
		jz	loc_615583
		lea	eax, [esi+1Ch]

loc_6154DB:				; CODE XREF: PnpWatchdogBugcheck(x)+215j
		test	eax, eax
		jz	loc_615583
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_61550D
		movzx	eax, word ptr [eax+2]
		test	ax, ax
		jz	short loc_61550D
		cmp	eax, 4
		jb	short loc_6154FC
		mov	ebx, [ecx]
		jmp	short loc_61550D
; 

loc_6154FC:				; CODE XREF: PnpWatchdogBugcheck(x)+23Dj
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [ebp+var_8]
		push	eax		; void *
		call	_memcpy
		mov	ebx, [ebp+var_8]
		add	esp, 0Ch

loc_61550D:				; CODE XREF: PnpWatchdogBugcheck(x)+22Fj
					; PnpWatchdogBugcheck(x)+238j ...
		test	esi, esi
		jz	short loc_615583
		mov	edx, 1F4h
		lea	edi, [esi+14h]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		xor	edx, edx
		cmp	[edi], dx
		jz	short loc_61553E
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock
		xor	edx, edx

loc_61553E:				; CODE XREF: PnpWatchdogBugcheck(x)+26Cj
		lea	edi, [esi+1Ch]
		cmp	[edi], dx
		jz	short loc_61555D
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [esi+20h]
		call	IoAddTriageDumpDataBlock
		xor	edx, edx

loc_61555D:				; CODE XREF: PnpWatchdogBugcheck(x)+28Bj
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_615583
		lea	ecx, [eax+1Ch]
		cmp	[ecx], dx
		jz	short loc_615583
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_615583:				; CODE XREF: PnpWatchdogBugcheck(x)+219j
					; PnpWatchdogBugcheck(x)+224j ...
		push	[ebp+arg_0]
		lea	eax, [ebp+var_38]
		push	[ebp+var_C]
		push	eax
		push	ebx
		push	1D5h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_PnpWatchdogBugcheck@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpWatchdogExtractTriageInformation(x, x, x, x, x)
_PnpWatchdogExtractTriageInformation@20	proc near ; CODE XREF: PnpWatchdogBugcheck(x)+63p
					; PnpWatchdogEtwWrite(x,x)+38p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	esi, esi
		mov	[ebp+var_4], esi
		mov	eax, [edi+0Ch]
		mov	[ebx], esi
		sub	eax, 1
		jz	loc_615644
		sub	eax, 1
		jz	short loc_615628
		sub	eax, 1
		jz	short loc_6155F7
		sub	eax, 1
		jz	short loc_6155E2
		sub	eax, 1
		jz	short loc_6155D2
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_6155D2:				; CODE XREF: PnpWatchdogExtractTriageInformation(x,x,x,x,x)+32j
		mov	edx, [edi+10h]
		mov	eax, [ebp+arg_0]
		mov	ecx, [edx+8]
		mov	[eax], ecx
		mov	ecx, [edx+4]
		jmp	short loc_61560F
; 

loc_6155E2:				; CODE XREF: PnpWatchdogExtractTriageInformation(x,x,x,x,x)+2Dj
		mov	edx, [edi+10h]
		mov	eax, [ebp+arg_0]
		mov	ecx, [edx+0Ch]
		mov	[eax], ecx
		mov	eax, [edx+4]
		mov	ecx, [edx+8]
		mov	[ebx], eax
		jmp	short loc_61560F
; 

loc_6155F7:				; CODE XREF: PnpWatchdogExtractTriageInformation(x,x,x,x,x)+28j
		mov	eax, [ebp+arg_0]
		mov	ecx, ds:_PnpDelayedRemoveWorkerThread
		mov	[eax], ecx
		mov	ecx, [edi+10h]
		mov	eax, [ecx]
		mov	esi, [ecx+4]
		mov	[ebx], eax

loc_61560C:				; CODE XREF: PnpWatchdogExtractTriageInformation(x,x,x,x,x)+A9j
					; PnpWatchdogExtractTriageInformation(x,x,x,x,x)+BEj ...
		mov	ecx, [ebp+var_4]

loc_61560F:				; CODE XREF: PnpWatchdogExtractTriageInformation(x,x,x,x,x)+47j
					; PnpWatchdogExtractTriageInformation(x,x,x,x,x)+5Cj ...
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_615618
		mov	[eax], esi

loc_615618:				; CODE XREF: PnpWatchdogExtractTriageInformation(x,x,x,x,x)+7Bj
		mov	eax, [ebp+arg_8]
		pop	edi
		pop	esi
		pop	ebx
		test	eax, eax
		jz	short locret_615624
		mov	[eax], ecx

locret_615624:				; CODE XREF: PnpWatchdogExtractTriageInformation(x,x,x,x,x)+87j
		leave
		retn	0Ch
; 

loc_615628:				; CODE XREF: PnpWatchdogExtractTriageInformation(x,x,x,x,x)+23j
		mov	eax, [ebp+arg_0]
		mov	ecx, ds:_PnpDeviceActionThread
		mov	[eax], ecx
		mov	eax, [edi+10h]
		mov	eax, [eax+8]
		mov	[ebx], eax
		test	eax, eax
		jz	short loc_615666
		mov	esi, [eax+10h]
		jmp	short loc_61560C
; 

loc_615644:				; CODE XREF: PnpWatchdogExtractTriageInformation(x,x,x,x,x)+1Aj
		mov	eax, [ebp+arg_0]
		mov	ecx, ds:_PnpDeviceEventThread
		mov	[eax], ecx
		mov	eax, [edi+10h]
		mov	esi, [eax+68h]
		test	esi, esi
		jz	short loc_61560C
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	[ebx], eax
		jmp	short loc_61560C
; 

loc_615666:				; CODE XREF: PnpWatchdogExtractTriageInformation(x,x,x,x,x)+A4j
		mov	ecx, esi
		jmp	short loc_61560F
_PnpWatchdogExtractTriageInformation@20	endp


;  S U B	R O U T	I N E 


; __stdcall PnpWatchdogGetElapsedTime(x)
_PnpWatchdogGetElapsedTime@4 proc near	; CODE XREF: PnpWatchdogEtwWrite(x,x)+1Ep
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	KeQueryInterruptTime
		sub	eax, [esi]
		push	0
		sbb	edx, [esi+4]
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		pop	esi
		retn
_PnpWatchdogGetElapsedTime@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDiagnosticTraceAppVeto(x, x, x, x)
_PnpDiagnosticTraceAppVeto@16 proc near	; CODE XREF: PnpLogVetoInformation(x,x)+A0p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_58]
		push	esi
		xor	esi, esi
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], 4
		mov	[ebp+var_48], esi
		push	edi
		test	ecx, ecx
		jz	short loc_6156C7
		mov	ax, [ecx]
		shr	ax, 1
		movzx	edx, ax
		jmp	short loc_6156C9
; 

loc_6156C7:				; CODE XREF: PnpDiagnosticTraceAppVeto(x,x,x,x)+31j
		mov	edx, esi

loc_6156C9:				; CODE XREF: PnpDiagnosticTraceAppVeto(x,x,x,x)+3Cj
		movzx	eax, dx
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], esi
		mov	[ebp+var_38], esi
		push	2
		pop	edi
		mov	[ebp+var_3C], edi
		test	ecx, ecx
		jz	short loc_6156EA
		mov	eax, [ecx+4]
		jmp	short loc_6156EC
; 

loc_6156EA:				; CODE XREF: PnpDiagnosticTraceAppVeto(x,x,x,x)+5Aj
		mov	eax, esi

loc_6156EC:				; CODE XREF: PnpDiagnosticTraceAppVeto(x,x,x,x)+5Fj
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_34], eax
		movzx	eax, dx
		add	eax, eax
		mov	[ebp+var_30], esi
		mov	dx, [ecx]
		mov	[ebp+var_2C], eax
		shr	dx, 1
		movzx	eax, dx
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_24], eax
		mov	eax, [ecx+4]
		mov	ecx, offset _KMPnPEvt_DeviceEject_Pend
		mov	[ebp+var_14], eax
		movzx	eax, dx
		add	eax, eax
		mov	[ebp+var_28], esi
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		pop	edx
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PnpDiagnosticTraceAppVeto@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpSetDeviceInstanceRemovalEvent(x)
_PnpSetDeviceInstanceRemovalEvent@4 proc near
					; CODE XREF: PnpUnlinkDeviceRemovalRelations(x,x,x)+FCp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	ds:dword_6CC5E4, 0
		mov	eax, ecx
		mov	[ebp+var_8], eax
		jz	short loc_61576C
		mov	eax, 0C0000189h
		leave
		retn
; 

loc_61576C:				; CODE XREF: PnpSetDeviceInstanceRemovalEvent(x)+13j
		movzx	eax, word ptr [eax+14h]
		add	eax, 46h
		push	ebx
		mov	[ebp+var_4], eax
		lea	ecx, [eax+48h]
		call	_PnpCreateDeviceEventEntry@4 ; PnpCreateDeviceEventEntry(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_61578C
		mov	eax, 0C000009Ah
		jmp	short loc_6157F0
; 

loc_61578C:				; CODE XREF: PnpSetDeviceInstanceRemovalEvent(x)+33j
		push	esi
		mov	eax, [ebp+var_4]
		mov	esi, offset _GUID_DEVINST_REMOVE_COMPLETE
		push	edi
		lea	edi, [ebx+48h]
		mov	dword ptr [ebx+58h], 0Ah
		xor	ecx, ecx
		mov	[ebx+64h], eax
		movsd
		mov	[ebx+10h], ecx
		mov	[ebx+8], ecx
		mov	[ebx+1Ch], ecx
		movsd
		mov	[ebx+20h], ecx
		mov	[ebx+5Ch], ecx
		mov	[ebx+60h], ecx
		movsd
		mov	[ebx+68h], ecx
		movsd
		mov	esi, [ebp+var_8]
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_6157DA
		movzx	eax, word ptr [esi+14h]
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [ebx+6Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_6157DA:				; CODE XREF: PnpSetDeviceInstanceRemovalEvent(x)+76j
		movzx	eax, word ptr [esi+14h]
		xor	ecx, ecx
		shr	eax, 1
		mov	[ebx+eax*2+6Ch], cx
		mov	ecx, ebx
		call	PnpInsertEventInQueue
		pop	edi
		pop	esi

loc_6157F0:				; CODE XREF: PnpSetDeviceInstanceRemovalEvent(x)+3Aj
		pop	ebx
		leave
		retn
_PnpSetDeviceInstanceRemovalEvent@4 endp


;  S U B	R O U T	I N E 


; __stdcall PnprCompleteWake()
_PnprCompleteWake@0 proc near		; CODE XREF: PnprInitiateReplaceOperation()+23Fp
					; PnprQuiesceWorker(x):loc_72E501p
		mov	edi, edi
		push	ecx
		call	_PnprUnlockPagesForReplace@0 ; PnprUnlockPagesForReplace()
		pop	ecx
		retn
_PnprCompleteWake@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprCopyReservedMapping()
_PnprCopyReservedMapping@0 proc	near	; CODE XREF: PnprRecopyMirrorPages():loc_615F68p

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+9Ch+var_4], eax
		mov	eax, ds:_PnprContext
		push	ebx
		push	esi
		push	edi
		imul	edi, [eax+80h],	0Ch
		xor	ebx, ebx
		mov	[esp+0A8h+var_98], ebx
		mov	[esp+0A8h+var_94], ebx
		add	edi, [eax+6Ch]
		mov	[esp+0A8h+var_8C], edi
		mov	esi, [edi]
		test	byte ptr [esi+6], 1
		jz	short loc_615851
		push	esi
		push	51706E50h
		push	dword ptr [edi+4]
		call	_MmUnmapReservedMapping@12 ; MmUnmapReservedMapping(x,x,x)
		mov	esi, [edi]

loc_615851:				; CODE XREF: PnprCopyReservedMapping()+42j
		push	40h		; size_t
		lea	eax, [esp+0ACh+var_88]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+0A8h+var_48]
		push	40h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		and	esi, 0FFFFF000h
		push	esi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	esi, eax
		lea	ecx, [esp+0A8h+var_98]
		mov	eax, edx
		push	eax
		push	esi
		mov	[esp+0B0h+var_9C], eax
		call	_PnprGetPageDestination@12 ; PnprGetPageDestination(x,x,x)
		test	eax, eax
		js	short loc_6158BF
		mov	ecx, [esp+0A8h+var_98]
		mov	eax, [esp+0A8h+var_94]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_6158A8
		cmp	eax, 7FFFFFFFh
		jz	short loc_6158BF

loc_6158A8:				; CODE XREF: PnprCopyReservedMapping()+A2j
		mov	edx, [esp+0A8h+var_9C]
		xor	ebx, ebx
		shrd	esi, edx, 0Ch
		shrd	ecx, eax, 0Ch
		mov	[esp+0A8h+var_88], esi
		inc	ebx
		mov	[esp+0A8h+var_48], ecx

loc_6158BF:				; CODE XREF: PnprCopyReservedMapping()+95j
					; PnprCopyReservedMapping()+A9j
		mov	esi, [edi+4]
		lea	eax, [esi+10000h]
		mov	[esp+0A8h+var_90], eax
		cmp	esi, eax
		jnb	short loc_615948

loc_6158D0:				; CODE XREF: PnprCopyReservedMapping()+149j
		mov	ecx, esi
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		mov	[esp+0A8h+var_9C], eax
		test	ebx, ebx
		jz	short loc_6158F4
		cmp	eax, [esp+ebx*4+0A8h+var_8C]
		jz	short loc_61593C

loc_6158F4:				; CODE XREF: PnprCopyReservedMapping()+EFj
		mov	ecx, eax
		xor	eax, eax
		shld	eax, ecx, 0Ch
		shl	ecx, 0Ch
		push	eax
		push	ecx
		lea	ecx, [esp+0B0h+var_98]
		call	_PnprGetPageDestination@12 ; PnprGetPageDestination(x,x,x)
		test	eax, eax
		js	short loc_61593C
		mov	ecx, [esp+0A8h+var_98]
		mov	eax, [esp+0A8h+var_94]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_615922
		cmp	eax, 7FFFFFFFh
		jz	short loc_61593C

loc_615922:				; CODE XREF: PnprCopyReservedMapping()+11Cj
		cmp	ebx, 10h
		jnb	loc_615B07
		mov	edx, [esp+0A8h+var_9C]
		shrd	ecx, eax, 0Ch
		mov	[esp+ebx*4+0A8h+var_88], edx
		mov	[esp+ebx*4+0A8h+var_48], ecx
		inc	ebx

loc_61593C:				; CODE XREF: PnprCopyReservedMapping()+F5j
					; PnprCopyReservedMapping()+10Fj ...
		add	esi, 1000h
		cmp	esi, [esp+0A8h+var_90]
		jb	short loc_6158D0

loc_615948:				; CODE XREF: PnprCopyReservedMapping()+D1j
		mov	eax, ds:_PnprContext
		imul	esi, [eax+80h],	0Ch
		add	esi, [eax+68h]
		mov	eax, [esi]
		and	eax, 0FFFFF000h
		push	eax
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	ecx, edx
		mov	[esp+0A8h+var_90], eax
		push	ecx
		mov	[esp+0ACh+var_9C], ecx
		lea	ecx, [esp+0ACh+var_98]
		push	eax
		call	_PnprGetPageDestination@12 ; PnprGetPageDestination(x,x,x)
		test	eax, eax
		js	short loc_6159B7
		mov	ecx, [esp+0A8h+var_98]
		mov	eax, [esp+0A8h+var_94]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_615991
		cmp	eax, 7FFFFFFFh
		jz	short loc_6159B7

loc_615991:				; CODE XREF: PnprCopyReservedMapping()+18Bj
		cmp	ebx, 10h
		jnb	loc_615B07
		mov	edx, [esp+0A8h+var_90]
		mov	edi, [esp+0A8h+var_9C]
		shrd	edx, edi, 0Ch
		mov	edi, [esp+0A8h+var_8C]
		shrd	ecx, eax, 0Ch
		mov	[esp+ebx*4+0A8h+var_88], edx
		mov	[esp+ebx*4+0A8h+var_48], ecx
		inc	ebx

loc_6159B7:				; CODE XREF: PnprCopyReservedMapping()+17Ej
					; PnprCopyReservedMapping()+192j
		mov	esi, [esi+4]
		lea	eax, [esi+10000h]
		mov	[esp+0A8h+var_9C], eax
		cmp	esi, eax
		jnb	loc_615A51

loc_6159CC:				; CODE XREF: PnprCopyReservedMapping()+24Ej
		mov	ecx, esi
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		mov	[esp+0A8h+var_90], eax
		cmp	ebx, 10h
		ja	loc_615B07
		test	ebx, ebx
		jz	short loc_6159F9
		cmp	eax, [esp+ebx*4+0A8h+var_8C]
		jz	short loc_615A41

loc_6159F9:				; CODE XREF: PnprCopyReservedMapping()+1F4j
		mov	ecx, eax
		xor	eax, eax
		shld	eax, ecx, 0Ch
		shl	ecx, 0Ch
		push	eax
		push	ecx
		lea	ecx, [esp+0B0h+var_98]
		call	_PnprGetPageDestination@12 ; PnprGetPageDestination(x,x,x)
		test	eax, eax
		js	short loc_615A41
		mov	ecx, [esp+0A8h+var_98]
		mov	eax, [esp+0A8h+var_94]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_615A27
		cmp	eax, 7FFFFFFFh
		jz	short loc_615A41

loc_615A27:				; CODE XREF: PnprCopyReservedMapping()+221j
		cmp	ebx, 10h
		jnb	loc_615B07
		mov	edx, [esp+0A8h+var_90]
		shrd	ecx, eax, 0Ch
		mov	[esp+ebx*4+0A8h+var_88], edx
		mov	[esp+ebx*4+0A8h+var_48], ecx
		inc	ebx

loc_615A41:				; CODE XREF: PnprCopyReservedMapping()+1FAj
					; PnprCopyReservedMapping()+214j ...
		add	esi, 1000h
		cmp	esi, [esp+0A8h+var_9C]
		jb	loc_6159CC

loc_615A51:				; CODE XREF: PnprCopyReservedMapping()+1C9j
		test	ebx, ebx
		jz	loc_615B23
		mov	ecx, [edi]
		mov	edx, ebx
		shl	edx, 0Dh
		xor	esi, esi
		mov	eax, edx
		shr	eax, 0Ch
		mov	[ecx], esi
		mov	[ecx+10h], esi
		mov	[ecx+18h], esi
		mov	esi, ebx
		lea	eax, ds:1Ch[eax*4]
		mov	[ecx+14h], edx
		mov	[ecx+4], ax
		xor	eax, eax
		mov	[ecx+6], ax
		lea	eax, [esp+0A8h+var_88]
		mov	edi, [edi]
		shl	esi, 2
		add	edi, 1Ch
		push	esi		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [esp+0A8h+var_48]
		push	esi		; size_t
		push	eax		; void *
		lea	eax, [esi+edi]
		push	eax		; void *
		call	_memcpy
		mov	edx, [esp+0B4h+var_8C]
		add	esp, 0Ch
		mov	ecx, [edx]
		mov	ax, [edx+8]
		push	1
		or	[ecx+6], ax
		push	dword ptr [edx]
		push	51706E50h
		push	dword ptr [edx+4]
		call	MmMapLockedPagesWithReservedMapping
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_615B0E
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_615AE7
		mov	ecx, 1756h

loc_615AE7:				; CODE XREF: PnprCopyReservedMapping()+2E3j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_615AFA
		push	0Ah
		pop	ecx

loc_615AFA:				; CODE XREF: PnprCopyReservedMapping()+2F8j
		mov	[eax+264h], ecx
		mov	eax, 0C000009Ah
		jmp	short loc_615B25
; 

loc_615B07:				; CODE XREF: PnprCopyReservedMapping()+128j
					; PnprCopyReservedMapping()+197j ...
		mov	eax, 0C000000Dh
		jmp	short loc_615B25
; 

loc_615B0E:				; CODE XREF: PnprCopyReservedMapping()+2D4j
		mov	eax, ebx
		shl	ebx, 0Ch
		shl	eax, 0Ch
		add	ebx, ecx
		push	eax		; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_615B23:				; CODE XREF: PnprCopyReservedMapping()+256j
		xor	eax, eax

loc_615B25:				; CODE XREF: PnprCopyReservedMapping()+308j
					; PnprCopyReservedMapping()+30Fj
		mov	ecx, [esp+0A8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PnprCopyReservedMapping@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprGetPageDestination(x, x, x)
_PnprGetPageDestination@12 proc	near	; CODE XREF: PnprCopyReservedMapping()+8Ep
					; PnprCopyReservedMapping()+108p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_PnprContext
		xor	edx, edx
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	ecx, [eax+258h]
		mov	eax, [eax+14h]
		push	edi
		mov	[ebp+var_4], ecx
		mov	edi, [eax+4]
		test	edi, edi
		jz	short loc_615B93
		add	eax, 18h

loc_615B62:				; CODE XREF: PnprGetPageDestination(x,x,x)+57j
		mov	esi, [eax-4]
		mov	ecx, [eax-8]
		cmp	[ebp+arg_4], esi
		jb	short loc_615B8B
		ja	short loc_615B74
		cmp	[ebp+arg_0], ecx
		jb	short loc_615B8B

loc_615B74:				; CODE XREF: PnprGetPageDestination(x,x,x)+33j
		add	ecx, [eax]
		adc	esi, [eax+4]
		add	ecx, 0FFFFFFFFh
		adc	esi, 0FFFFFFFFh
		cmp	[ebp+arg_4], esi
		jb	short loc_615B9F
		ja	short loc_615B8B
		cmp	[ebp+arg_0], ecx
		jbe	short loc_615B9F

loc_615B8B:				; CODE XREF: PnprGetPageDestination(x,x,x)+31j
					; PnprGetPageDestination(x,x,x)+38j ...
		inc	edx
		add	eax, 10h
		cmp	edx, edi
		jb	short loc_615B62

loc_615B93:				; CODE XREF: PnprGetPageDestination(x,x,x)+23j
		mov	eax, 0C0000225h

loc_615B98:				; CODE XREF: PnprGetPageDestination(x,x,x)+7Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_615B9F:				; CODE XREF: PnprGetPageDestination(x,x,x)+48j
					; PnprGetPageDestination(x,x,x)+4Fj
		mov	eax, ds:_PnprContext
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	dword ptr [eax+228h]
		call	[ebp+var_4]
		jmp	short loc_615B98
_PnprGetPageDestination@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprGetStackLimits(x, x)
_PnprGetStackLimits@8 proc near		; CODE XREF: PnprRecopyMirrorPages()+1Ep
					; PnprQuiesceProcessorDpc(x,x,x,x)+27Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		mov	[esi], eax
		lea	eax, [ebp+var_4]
		push	edi
		push	eax
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		lea	edx, [ebp+var_8]
		mov	ecx, eax
		call	KeQueryCurrentStackInformationEx
		pop	edi
		pop	esi
		leave
		retn
_PnprGetStackLimits@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprMirrorPhysicalMemory(x,	x, x, x)
_PnprMirrorPhysicalMemory@16 proc near	; DATA XREF: PnprInitiateReplaceOperation()+128o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_PnprContext
		push	ebx
		cmp	byte ptr [eax+9Ch], 0
		jbe	short loc_615C1B
		push	2
		pop	ecx
		cmp	[eax+94h], ecx
		jge	short loc_615C10
		mov	eax, ds:_PnprContext
		mov	[eax+94h], ecx

loc_615C10:				; CODE XREF: PnprMirrorPhysicalMemory(x,x,x,x)+1Dj
		xor	cl, cl
		xor	bl, bl
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		jmp	short loc_615C1D
; 

loc_615C1B:				; CODE XREF: PnprMirrorPhysicalMemory(x,x,x,x)+12j
		mov	bl, 1

loc_615C1D:				; CODE XREF: PnprMirrorPhysicalMemory(x,x,x,x)+33j
		push	[ebp+arg_C]
		mov	cl, bl
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PnprMarkOrMirrorPages@20 ; PnprMarkOrMirrorPages(x,x,x,x,x)
		pop	ebx
		pop	ebp
		retn	10h
_PnprMirrorPhysicalMemory@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprQueryReplaceFeatures(x,	x)
_PnprQueryReplaceFeatures@8 proc near	; CODE XREF: PnpReplacePartitionUnit(x)+620p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	7
		xor	eax, eax
		lea	edi, [ebp+var_24]
		pop	ecx
		rep stosd
		mov	ecx, [esi+8]
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		test	cl, 4
		jz	short loc_615C60
		push	8
		jmp	short loc_615C67
; 

loc_615C60:				; CODE XREF: PnprQueryReplaceFeatures(x,x)+25j
		test	cl, 8
		jz	short loc_615C68
		push	10h

loc_615C67:				; CODE XREF: PnprQueryReplaceFeatures(x,x)+29j
		pop	eax

loc_615C68:				; CODE XREF: PnprQueryReplaceFeatures(x,x)+2Ej
		test	cl, 10h
		jz	short loc_615C70
		or	eax, 20h

loc_615C70:				; CODE XREF: PnprQueryReplaceFeatures(x,x)+36j
		test	eax, eax
		jnz	short loc_615CC6
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_24]
		push	eax		; void *
		push	ebx		; int
		push	1Ch		; __int16
		mov	ecx, [ecx]
		mov	edx, offset _GUID_PARTITION_UNIT_INTERFACE_STANDARD
		push	1		; __int16
		call	PnpQueryInterface
		test	eax, eax
		jns	short loc_615C94
		xor	eax, eax
		jmp	short loc_615CC6
; 

loc_615C94:				; CODE XREF: PnprQueryReplaceFeatures(x,x)+59j
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_20]
		call	[ebp+var_10]
		test	eax, eax
		js	short loc_615CBE
		test	byte ptr [ebp+var_4], 1
		jz	short loc_615CAC
		push	8
		jmp	short loc_615CB4
; 

loc_615CAC:				; CODE XREF: PnprQueryReplaceFeatures(x,x)+71j
		test	byte ptr [ebp+var_4], 2
		jz	short loc_615CB5
		push	10h

loc_615CB4:				; CODE XREF: PnprQueryReplaceFeatures(x,x)+75j
		pop	ebx

loc_615CB5:				; CODE XREF: PnprQueryReplaceFeatures(x,x)+7Bj
		test	byte ptr [ebp+var_4], 4
		jz	short loc_615CBE
		or	ebx, 20h

loc_615CBE:				; CODE XREF: PnprQueryReplaceFeatures(x,x)+6Bj
					; PnprQueryReplaceFeatures(x,x)+84j
		push	[ebp+var_20]
		call	[ebp+var_18]
		mov	eax, ebx

loc_615CC6:				; CODE XREF: PnprQueryReplaceFeatures(x,x)+3Dj
					; PnprQueryReplaceFeatures(x,x)+5Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnprQueryReplaceFeatures@8 endp


;  S U B	R O U T	I N E 


; __stdcall PnprQuiesce()
_PnprQuiesce@0	proc near		; CODE XREF: PnprEndMirroring(x)+19p
					; PnprInitiateReplaceOperation()+19Ap
		mov	edi, edi
		push	ecx
		mov	eax, ds:_PnprContext
		push	esi
		xor	esi, esi
		push	edi
		test	byte ptr [eax+30h], 20h
		jnz	short loc_615D39
		xor	edi, edi
		add	eax, 1DCh
		inc	edi
		push	edi
		push	esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, ds:_PnprContext
		push	esi
		push	esi
		push	esi
		push	esi
		add	eax, 1ECh
		push	eax
		call	KeWaitForSingleObject
		mov	eax, ds:_PnprContext
		mov	esi, [eax+21Ch]
		test	esi, esi
		jns	short loc_615D3E
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_615D1F
		mov	ecx, 76Bh

loc_615D1F:				; CODE XREF: PnprQuiesce()+4Dj
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jz	short loc_615D31
		mov	edi, ecx

loc_615D31:				; CODE XREF: PnprQuiesce()+62j
		mov	[eax+264h], edi
		jmp	short loc_615D43
; 

loc_615D39:				; CODE XREF: PnprQuiesce()+10j
		call	_PnprLockPagesForReplace@0 ; PnprLockPagesForReplace()

loc_615D3E:				; CODE XREF: PnprQuiesce()+43j
		call	_PnprQuiesceProcessors@0 ; PnprQuiesceProcessors()

loc_615D43:				; CODE XREF: PnprQuiesce()+6Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		retn
_PnprQuiesce@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprRecopyAddress(x, x)
_PnprRecopyAddress@8 proc near		; CODE XREF: PnprRecopyMappingReserve(x)+67p
					; PnprRecopyMirrorPages()+3Fp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		and	esi, 0FFFFF000h
		lea	edi, [ecx+edx]
		cmp	esi, edi
		jnb	short loc_615D85
		mov	ebx, 1000h

loc_615D69:				; CODE XREF: PnprRecopyAddress(x,x)+3Aj
		push	esi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		push	0
		push	ebx
		push	edx
		push	eax
		mov	cl, 1
		call	_PnprMarkOrMirrorPages@20 ; PnprMarkOrMirrorPages(x,x,x,x,x)
		test	eax, eax
		js	short loc_615D87
		add	esi, ebx
		cmp	esi, edi
		jb	short loc_615D69

loc_615D85:				; CODE XREF: PnprRecopyAddress(x,x)+19j
		xor	eax, eax

loc_615D87:				; CODE XREF: PnprRecopyAddress(x,x)+34j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PnprRecopyAddress@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprRecopyMappingReserve(x)
_PnprRecopyMappingReserve@4 proc near	; CODE XREF: PnprRecopyMirrorPages()+61p
					; PnprRecopyMirrorPages()+7Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		xor	edx, edx
		push	edi
		xor	esi, esi
		mov	edi, ecx
		inc	ebx

loc_615DA3:				; CODE XREF: PnprRecopyMappingReserve(x)+60j
		mov	ecx, esi
		shl	ecx, 0Ch
		add	ecx, [edi+4]
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		cmp	eax, edx
		jz	short loc_615DEA
		xor	ecx, ecx
		mov	[esp+10h+var_4], eax
		push	0
		shld	ecx, eax, 0Ch
		push	1000h
		push	ecx
		shl	eax, 0Ch
		mov	cl, bl
		push	eax
		call	_PnprMarkOrMirrorPages@20 ; PnprMarkOrMirrorPages(x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_615E03
		mov	edx, [esp+10h+var_4]

loc_615DEA:				; CODE XREF: PnprRecopyMappingReserve(x)+33j
		inc	esi
		cmp	esi, 10h
		jb	short loc_615DA3
		mov	ecx, [edi]
		push	1Ch
		pop	edx
		call	_PnprRecopyAddress@8 ; PnprRecopyAddress(x,x)
		xor	eax, eax

loc_615DFC:				; CODE XREF: PnprRecopyMappingReserve(x)+A3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_615E03:				; CODE XREF: PnprRecopyMappingReserve(x)+56j
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_615E17
		mov	ecx, 1659h

loc_615E17:				; CODE XREF: PnprRecopyMappingReserve(x)+82j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jz	short loc_615E29
		mov	ebx, ecx

loc_615E29:				; CODE XREF: PnprRecopyMappingReserve(x)+97j
		mov	[eax+264h], ebx
		mov	eax, edx
		jmp	short loc_615DFC
_PnprRecopyMappingReserve@4 endp


;  S U B	R O U T	I N E 


; __stdcall PnprRecopyMirrorPages()
_PnprRecopyMirrorPages@0 proc near	; CODE XREF: PnprSwapFinalize()+17p
		movzx	ecx, large byte	ptr fs:51h
		mov	eax, ds:_PnprContext
		push	ebx
		push	esi
		lea	edx, [ecx+48h]
		lea	edx, [eax+edx*4]
		add	eax, 0A0h
		push	edi
		lea	ecx, [eax+ecx*4]
		call	_PnprGetStackLimits@8 ;	PnprGetStackLimits(x,x)
		mov	eax, ds:_PnprContext
		xor	esi, esi
		cmp	[eax+7Ch], esi
		jbe	short loc_615EC9
		mov	edi, esi
		mov	ebx, 120h

loc_615E69:				; CODE XREF: PnprRecopyMirrorPages()+94j
		mov	edx, [ebx+eax]
		mov	ecx, [ebx+eax-80h]
		sub	edx, ecx
		call	_PnprRecopyAddress@8 ; PnprRecopyAddress(x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_615F39
		mov	ecx, ds:_PnprContext
		cmp	esi, [ecx+80h]
		jz	short loc_615EB8
		mov	ecx, [ecx+6Ch]
		add	ecx, edi
		call	_PnprRecopyMappingReserve@4 ; PnprRecopyMappingReserve(x)
		mov	edx, eax
		mov	eax, ds:_PnprContext
		test	edx, edx
		js	loc_615F28
		mov	ecx, [eax+68h]
		add	ecx, edi
		call	_PnprRecopyMappingReserve@4 ; PnprRecopyMappingReserve(x)
		mov	edx, eax
		test	edx, edx
		js	short loc_615F12

loc_615EB8:				; CODE XREF: PnprRecopyMirrorPages()+5Aj
		mov	eax, ds:_PnprContext
		inc	esi
		add	ebx, 4
		add	edi, 0Ch
		cmp	esi, [eax+7Ch]
		jb	short loc_615E69

loc_615EC9:				; CODE XREF: PnprRecopyMirrorPages()+2Dj
		mov	edx, 2A0h
		mov	ecx, eax
		call	_PnprRecopyAddress@8 ; PnprRecopyAddress(x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_615F68
		mov	ecx, ds:_PnprContext
		mov	edx, [ecx+260h]
		test	edx, edx
		jnz	short loc_615EF4
		mov	edx, 1601h

loc_615EF4:				; CODE XREF: PnprRecopyMirrorPages()+BAj
					; PnprRecopyMirrorPages()+14Ej	...
		mov	[ecx+260h], edx
		mov	eax, [ecx+264h]
		test	eax, eax
		jnz	short loc_615F05
		inc	eax

loc_615F05:				; CODE XREF: PnprRecopyMirrorPages()+CFj
		mov	[ecx+264h], eax
		mov	eax, esi
		jmp	loc_615F93
; 

loc_615F12:				; CODE XREF: PnprRecopyMirrorPages()+83j
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_615F4D
		mov	ecx, 15F5h
		jmp	short loc_615F4D
; 

loc_615F28:				; CODE XREF: PnprRecopyMirrorPages()+6Fj
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_615F4D
		mov	ecx, 15EDh
		jmp	short loc_615F4D
; 

loc_615F39:				; CODE XREF: PnprRecopyMirrorPages()+48j
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_615F4D
		mov	ecx, 15DDh

loc_615F4D:				; CODE XREF: PnprRecopyMirrorPages()+ECj
					; PnprRecopyMirrorPages()+F3j ...
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_615F5E
		inc	ecx

loc_615F5E:				; CODE XREF: PnprRecopyMirrorPages()+128j
		mov	[eax+264h], ecx
		mov	eax, edx
		jmp	short loc_615F93
; 

loc_615F68:				; CODE XREF: PnprRecopyMirrorPages()+A6j
		call	_PnprCopyReservedMapping@0 ; PnprCopyReservedMapping()
		mov	esi, eax
		test	esi, esi
		jns	short loc_615F91
		mov	ecx, ds:_PnprContext
		mov	edx, [ecx+260h]
		test	edx, edx
		jnz	loc_615EF4
		mov	edx, 160Dh
		jmp	loc_615EF4
; 

loc_615F91:				; CODE XREF: PnprRecopyMirrorPages()+13Ej
		xor	eax, eax

loc_615F93:				; CODE XREF: PnprRecopyMirrorPages()+DAj
					; PnprRecopyMirrorPages()+133j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PnprRecopyMirrorPages@0 endp


;  S U B	R O U T	I N E 


; __stdcall PnprSwap()
_PnprSwap@0	proc near		; CODE XREF: PnprEndMirroring(x)+28p
					; PnprInitiateReplaceOperation()+1A8p
		mov	ecx, ds:_PnprContext
		push	ebx
		push	esi
		xor	ebx, ebx
		xor	esi, esi
		mov	eax, [ecx+14h]
		inc	ebx
		push	edi
		cmp	[eax+4], esi
		jz	loc_61603C
		test	byte ptr [ecx+30h], 8
		jnz	loc_61603C
		push	2
		pop	edx
		cmp	[ecx+94h], edx
		jge	short loc_615FD1
		mov	eax, ds:_PnprContext
		mov	[eax+94h], edx

loc_615FD1:				; CODE XREF: PnprSwap()+2Dj
		call	_PnprMirrorMarkedPages@0 ; PnprMirrorMarkedPages()
		mov	edi, eax
		test	edi, edi
		jns	short loc_61600D
		mov	ecx, ds:_PnprContext
		mov	edx, [ecx+260h]
		test	edx, edx
		jnz	short loc_615FF1
		mov	edx, 0B02h

loc_615FF1:				; CODE XREF: PnprSwap()+53j
		mov	eax, [ecx+264h]
		mov	[ecx+260h], edx
		test	eax, eax
		jnz	short loc_616002
		inc	eax

loc_616002:				; CODE XREF: PnprSwap()+68j
					; PnprSwap()+E0j ...
		mov	[ecx+264h], eax
		jmp	loc_616125
; 

loc_61600D:				; CODE XREF: PnprSwap()+43j
		mov	eax, ds:_PnprContext
		mov	[eax+98h], ebx
		mov	dword ptr [eax+94h], 3
		jmp	short loc_61602B
; 

loc_616024:				; CODE XREF: PnprSwap()+A3j
		pause
		mov	eax, ds:_PnprContext

loc_61602B:				; CODE XREF: PnprSwap()+8Bj
		mov	eax, [eax+98h]
		mov	ecx, ds:_PnprContext
		cmp	eax, [ecx+7Ch]
		jl	short loc_616024

loc_61603C:				; CODE XREF: PnprSwap()+14j
					; PnprSwap()+1Ej
		mov	eax, [ecx+254h]
		test	eax, eax
		jz	short loc_61607E
		push	dword ptr [ecx+228h]
		call	eax
		mov	edi, eax
		test	edi, edi
		jns	short loc_61607E
		mov	ecx, ds:_PnprContext
		mov	eax, [ecx+260h]
		test	eax, eax
		jnz	short loc_616069
		mov	eax, 0B16h

loc_616069:				; CODE XREF: PnprSwap()+CBj
		mov	[ecx+260h], eax
		mov	eax, [ecx+264h]
		test	eax, eax
		jnz	short loc_616002
		push	8
		pop	eax
		jmp	short loc_616002
; 

loc_61607E:				; CODE XREF: PnprSwap()+ADj
					; PnprSwap()+BBj
		mov	ecx, ds:_PnprContext
		mov	[ecx+98h], ebx
		mov	dword ptr [ecx+94h], 4
		mov	ecx, [ecx+98h]
		jmp	short loc_6160A9
; 

loc_61609C:				; CODE XREF: PnprSwap()+11Aj
		pause
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+98h]

loc_6160A9:				; CODE XREF: PnprSwap()+103j
		mov	eax, ds:_PnprContext
		cmp	ecx, [eax+7Ch]
		jl	short loc_61609C
		call	_PnprSwapFinalize@0 ; PnprSwapFinalize()
		mov	ecx, ds:_PnprContext
		mov	edi, eax
		mov	eax, [ecx+14h]
		cmp	[eax+4], esi
		jz	short loc_616125
		cmp	[ecx+7Ch], esi
		jbe	short loc_616125
		mov	ebx, esi

loc_6160CF:				; CODE XREF: PnprSwap()+18Cj
		mov	eax, [ecx+68h]
		add	eax, ebx
		jz	short loc_6160F0
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_6160F0
		test	byte ptr [ecx+6], 1
		jz	short loc_6160F0
		push	ecx
		push	51706E50h
		push	dword ptr [eax+4]
		call	_MmUnmapReservedMapping@12 ; MmUnmapReservedMapping(x,x,x)

loc_6160F0:				; CODE XREF: PnprSwap()+13Dj
					; PnprSwap()+143j ...
		mov	eax, ds:_PnprContext
		mov	eax, [eax+6Ch]
		add	eax, ebx
		jz	short loc_616116
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_616116
		test	byte ptr [ecx+6], 1
		jz	short loc_616116
		push	ecx
		push	51706E50h
		push	dword ptr [eax+4]
		call	_MmUnmapReservedMapping@12 ; MmUnmapReservedMapping(x,x,x)

loc_616116:				; CODE XREF: PnprSwap()+163j
					; PnprSwap()+169j ...
		mov	ecx, ds:_PnprContext
		inc	esi
		add	ebx, 0Ch
		cmp	esi, [ecx+7Ch]
		jb	short loc_6160CF

loc_616125:				; CODE XREF: PnprSwap()+71j
					; PnprSwap()+12Fj ...
		mov	eax, edi
		mov	dword ptr [ecx+94h], 5
		pop	edi
		pop	esi
		pop	ebx
		retn
_PnprSwap@0	endp


;  S U B	R O U T	I N E 


; __stdcall PnprSwapFinalize()
_PnprSwapFinalize@0 proc near		; CODE XREF: PnprSwap()+11Cp
		mov	ecx, ds:_PnprContext
		push	esi
		xor	esi, esi
		mov	eax, [ecx+14h]
		cmp	[eax+4], esi
		jz	short loc_616151
		test	byte ptr [ecx+30h], 8
		jnz	short loc_616151
		call	_PnprRecopyMirrorPages@0 ; PnprRecopyMirrorPages()

loc_616151:				; CODE XREF: PnprSwapFinalize()+Fj
					; PnprSwapFinalize()+15j
		mov	eax, ds:_PnprContext
		and	dword ptr [eax+30h], 0FFFFFFFBh
		mov	eax, [eax+30h]
		test	al, 20h
		jnz	short loc_616163
		wbinvd

loc_616163:				; CODE XREF: PnprSwapFinalize()+2Aj
		nop
		mov	eax, ds:_PnprContext
		cmp	[eax+24Ch], esi
		jz	short loc_6161D6
		xor	cl, cl
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		mov	ecx, ds:_PnprContext
		push	dword ptr [ecx+228h]
		mov	[ecx+27Ch], eax
		call	dword ptr [ecx+24Ch]
		mov	esi, eax
		test	esi, esi
		jns	short loc_6161C3
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_6161AA
		mov	ecx, 0BA4h

loc_6161AA:				; CODE XREF: PnprSwapFinalize()+6Ej
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_6161BD
		push	8
		pop	ecx

loc_6161BD:				; CODE XREF: PnprSwapFinalize()+83j
		mov	[eax+264h], ecx

loc_6161C3:				; CODE XREF: PnprSwapFinalize()+5Fj
		xor	cl, cl
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		mov	ecx, ds:_PnprContext
		mov	[ecx+280h], eax

loc_6161D6:				; CODE XREF: PnprSwapFinalize()+3Aj
		mov	eax, esi
		pop	esi
		retn
_PnprSwapFinalize@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwIrpCancelStartCreate(x,	x)
_PiSwIrpCancelStartCreate@8 proc near	; DATA XREF: PiSwIrpStartCreateWorker+17Co

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	bl, bl
		mov	eax, [edi+60h]
		mov	bh, [edi+25h]
		mov	eax, [eax+18h]
		mov	eax, [eax+10h]
		mov	[ebp+arg_4], eax
		mov	eax, large fs:20h
		test	ds:byte_70EFC6,	1
		lea	esi, [eax+450h]
		jz	short loc_616217
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_616242
; 

loc_616217:				; CODE XREF: PiSwIrpCancelStartCreate(x,x)+2Fj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_616233
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_616242
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_616233:				; CODE XREF: PiSwIrpCancelStartCreate(x,x)+41j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_616242:				; CODE XREF: PiSwIrpCancelStartCreate(x,x)+3Bj
					; PiSwIrpCancelStartCreate(x,x)+50j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	eax, eax
		inc	eax
		push	eax
		push	offset _PiSwLockObj
		call	ExAcquireResourceExclusiveLite
		mov	eax, [ebp+arg_4]
		xor	esi, esi
		cmp	[eax+4Ch], esi
		jz	short loc_616278
		xor	ecx, ecx
		mov	[eax+4Ch], esi
		inc	ecx
		mov	bl, cl

loc_616278:				; CODE XREF: PiSwIrpCancelStartCreate(x,x)+94j
		mov	ecx, offset _PiSwLockObj
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, bl
		jz	short loc_6162A5
		xor	dl, dl
		mov	[edi+1Ch], esi
		mov	ecx, edi
		mov	dword ptr [edi+18h], 0C0000120h
		call	IofCompleteRequest

loc_6162A5:				; CODE XREF: PiSwIrpCancelStartCreate(x,x)+B6j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_PiSwIrpCancelStartCreate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0d_EtwWriteTransfer(x, x, x, x)
_McTemplateK0d_EtwWriteTransfer@16 proc	near
					; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+16Dp
					; PiCMGetDeviceInterfaceList+11882Fp

var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_24]
		mov	[ebp+var_10], ecx
		push	eax
		push	2
		mov	[ebp+var_8], ecx
		push	ecx
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_McTemplateK0d_EtwWriteTransfer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0dz_EtwWriteTransfer(x, x, x, x,	x)
_McTemplateK0dz_EtwWriteTransfer@20 proc near ;	CODE XREF: PipProcessStartPhase2+6E338p
					; PipProcessStartPhase2+6E3AFp	...

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_1C], 4
		mov	edi, edx
		mov	[ebp+var_20], ebx
		mov	edx, [ebp+arg_8]
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], ebx
		test	edx, edx
		jz	short loc_616343
		mov	ecx, edx
		push	esi
		lea	esi, [ecx+2]

loc_61632A:				; CODE XREF: McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)+41j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_61632A
		sub	ecx, esi
		sar	ecx, 1
		pop	esi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_616346
; 

loc_616343:				; CODE XREF: McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)+30j
		push	0Ah
		pop	ecx

loc_616346:				; CODE XREF: McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)+4Fj
		test	edx, edx
		jnz	short loc_61634F
		mov	edx, (offset off_5A4D00+2)

loc_61634F:				; CODE XREF: McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)+56j
		lea	eax, [ebp+var_34]
		mov	[ebp+var_14], edx
		push	eax
		push	3
		mov	[ebp+var_C], ecx
		mov	edx, edi
		push	ebx
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_McTemplateK0dz_EtwWriteTransfer@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0jzt_EtwWriteTransfer(x,	x, x, x, x, x)
_McTemplateK0jzt_EtwWriteTransfer@24 proc near
					; CODE XREF: PiCMGetDeviceInterfaceList+1187D9p

var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_8]
		mov	eax, [ebp+arg_4]
		push	edi
		xor	edi, edi
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], 10h
		mov	[ebp+var_28], edi
		test	edx, edx
		jz	short loc_6163CC
		mov	ecx, edx
		push	esi
		lea	esi, [ecx+2]

loc_6163B3:				; CODE XREF: McTemplateK0jzt_EtwWriteTransfer(x,x,x,x,x,x)+3Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_6163B3
		sub	ecx, esi
		sar	ecx, 1
		pop	esi
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_6163CF
; 

loc_6163CC:				; CODE XREF: McTemplateK0jzt_EtwWriteTransfer(x,x,x,x,x,x)+2Dj
		push	0Ah
		pop	ecx

loc_6163CF:				; CODE XREF: McTemplateK0jzt_EtwWriteTransfer(x,x,x,x,x,x)+4Cj
		test	edx, edx
		jnz	short loc_6163D8
		mov	edx, (offset off_5A4D00+2)

loc_6163D8:				; CODE XREF: McTemplateK0jzt_EtwWriteTransfer(x,x,x,x,x,x)+53j
		push	4
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_1C], ecx
		pop	ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		mov	[ebp+var_24], edx
		mov	edx, offset _KMPnPEvt_CfgMgr_DeviceInterfaceList_Start
		mov	[ebp+var_C], ecx
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		push	edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], edi
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_McTemplateK0jzt_EtwWriteTransfer@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall McTemplateK0zzt_EtwWriteTransfer(x,	x, x, x, x, x)
_McTemplateK0zzt_EtwWriteTransfer@24 proc near
					; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+D8p

var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		push	0Ah
		xor	ebx, ebx
		pop	esi
		test	edx, edx
		jz	short loc_616458
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_616440:				; CODE XREF: McTemplateK0zzt_EtwWriteTransfer(x,x,x,x,x,x)+2Fj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_616440
		sub	ecx, edi
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]
		jmp	short loc_61645A
; 

loc_616458:				; CODE XREF: McTemplateK0zzt_EtwWriteTransfer(x,x,x,x,x,x)+1Fj
		mov	ecx, esi

loc_61645A:				; CODE XREF: McTemplateK0zzt_EtwWriteTransfer(x,x,x,x,x,x)+3Cj
		mov	edi, (offset off_5A4D00+2)
		test	edx, edx
		jnz	short loc_616465
		mov	edx, edi

loc_616465:				; CODE XREF: McTemplateK0zzt_EtwWriteTransfer(x,x,x,x,x,x)+47j
		mov	[ebp+var_34], edx
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ebx
		test	edx, edx
		jz	short loc_616497
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_61647D:				; CODE XREF: McTemplateK0zzt_EtwWriteTransfer(x,x,x,x,x,x)+6Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_61647D
		sub	ecx, esi
		sar	ecx, 1
		lea	esi, ds:2[ecx*2]
		test	edx, edx
		jnz	short loc_616499

loc_616497:				; CODE XREF: McTemplateK0zzt_EtwWriteTransfer(x,x,x,x,x,x)+5Cj
		mov	edx, edi

loc_616499:				; CODE XREF: McTemplateK0zzt_EtwWriteTransfer(x,x,x,x,x,x)+7Bj
		push	4
		pop	ecx
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_24], edx
		mov	[ebp+var_14], eax
		mov	edx, offset _KMPnPEvt_CfgMgr_DeviceList_Start
		lea	eax, [ebp+var_44]
		mov	[ebp+var_C], ecx
		push	eax
		push	ecx
		push	ebx
		mov	ecx, offset _MS_KernelPnP_Provider_Context
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		call	_McGenEventWrite_EtwWriteTransfer@20 ; McGenEventWrite_EtwWriteTransfer(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_McTemplateK0zzt_EtwWriteTransfer@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl PipSortDevicesByOrdinal(const void *,const void *)
_PipSortDevicesByOrdinal proc near	; DATA XREF: PipSortDeviceObjectList(x):loc_987A00o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, [eax+8]
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+8]
		cmp	ecx, edx
		sbb	eax, eax
		neg	eax
		cmp	edx, ecx
		sbb	ecx, ecx
		neg	ecx
		sub	eax, ecx
		pop	ebp
		retn
_PipSortDevicesByOrdinal endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PpvUtilFailDriver(x, x, x,	x)
@PpvUtilFailDriver@16 proc near		; CODE XREF: IoGetDeviceProperty+14A3CDp
					; PiProcessNewDeviceNode+6E753p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_PpvUtilVerifierEnabled, 0
		jz	short loc_61652F
		sub	ecx, 0
		jz	short loc_616533
		sub	ecx, 1
		jz	short loc_616522
		sub	ecx, 1
		jnz	short loc_61652F
		mov	ecx, 24Dh
		jmp	short loc_616527
; 

loc_616522:				; CODE XREF: PpvUtilFailDriver(x,x,x,x)+16j
		mov	ecx, 24Bh

loc_616527:				; CODE XREF: PpvUtilFailDriver(x,x,x,x)+22j
		push	[ebp+arg_0]
		call	_VfErrorReport8@12 ; VfErrorReport8(x,x,x)

loc_61652F:				; CODE XREF: PpvUtilFailDriver(x,x,x,x)+Cj
					; PpvUtilFailDriver(x,x,x,x)+1Bj
		pop	ebp
		retn	8
; 

loc_616533:				; CODE XREF: PpvUtilFailDriver(x,x,x,x)+11j
		pop	ebp
		jmp	_VfErrorReport7@16 ; VfErrorReport7(x,x,x,x)
@PpvUtilFailDriver@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDeviceEjectComplete(x, x, x)
_IopDeviceEjectComplete@12 proc	near	; DATA XREF: IopEjectDevice(x,x)+11Bo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		push	esi
		push	3
		pop	esi
		lea	eax, [ecx+28h]
		xchg	esi, [eax]
		lea	eax, [ecx+8]
		and	dword ptr [eax], 0
		push	1
		push	eax
		mov	dword ptr [eax+8], offset _PnpProcessCompletedEject@4 ;	PnpProcessCompletedEject(x)
		mov	[eax+0Ch], ecx
		call	ExQueueWorkItem
		cmp	esi, 1
		pop	esi
		jz	short loc_616570
		push	[ebp+arg_4]
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_616570:				; CODE XREF: IopDeviceEjectComplete(x,x,x)+2Dj
		mov	eax, 0C0000016h
		pop	ebp
		retn	0Ch
_IopDeviceEjectComplete@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDiagnosticCompletionRoutine(x, x, x)
_PnpDiagnosticCompletionRoutine@12 proc	near ; DATA XREF: PnpStartDeviceNode+92DA3o
					; PiIrpQueryRemoveDevice(x,x)+9Co

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		mov	eax, [ecx+18h]
		mov	[esi+14h], eax
		test	eax, eax
		jns	short loc_61659D
		call	_IoFindDeviceThatFailedIrp@4 ; IoFindDeviceThatFailedIrp(x)
		test	eax, eax
		jz	short loc_61659D
		mov	eax, [eax+8]
		mov	[esi], eax

loc_61659D:				; CODE XREF: PnpDiagnosticCompletionRoutine(x,x,x)+14j
					; PnpDiagnosticCompletionRoutine(x,x,x)+1Dj
		push	ecx
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		push	0
		push	0
		lea	eax, [esi+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, 0C0000016h
		pop	esi
		pop	ebp
		retn	0Ch
_PnpDiagnosticCompletionRoutine@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbFindNode(x, x)
_PiDrvDbFindNode@8 proc	near		; CODE XREF: PiDrvDbMountNode(x)+47p
					; PiDrvDbQuerySystemPathWin32(x,x)+1EAp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ds:_PiDrvDbNodeList
		mov	eax, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], eax
		cmp	esi, offset _PiDrvDbNodeList
		jz	short loc_616608

loc_6165DC:				; CODE XREF: PiDrvDbFindNode(x,x)+41j
		push	1
		push	eax
		lea	eax, [esi+8]
		mov	ebx, esi
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_6165FD
		mov	esi, [esi]
		mov	ebx, edi
		mov	eax, [ebp+var_4]
		cmp	esi, offset _PiDrvDbNodeList
		jnz	short loc_6165DC

loc_6165FD:				; CODE XREF: PiDrvDbFindNode(x,x)+32j
		test	ebx, ebx
		jz	short loc_616608
		mov	eax, [ebp+var_8]
		mov	[eax], ebx
		jmp	short loc_61660D
; 

loc_616608:				; CODE XREF: PiDrvDbFindNode(x,x)+20j
					; PiDrvDbFindNode(x,x)+45j
		mov	edi, 0C0000225h

loc_61660D:				; CODE XREF: PiDrvDbFindNode(x,x)+4Cj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PiDrvDbFindNode@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCollapseRebalanceRequests(x)
_PiCollapseRebalanceRequests@4 proc near ; CODE	XREF: PnpProcessRebalance(x)+62p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, offset _PnpSpinLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	edx, ds:_PnpEnumerationRequestList
		mov	esi, offset _PnpEnumerationRequestList
		mov	ebx, [edi+4]
		mov	cl, al
		mov	[ebp+var_1], cl
		cmp	edx, esi
		jz	short loc_61667F

loc_616640:				; CODE XREF: PiCollapseRebalanceRequests(x)+66j
		cmp	byte ptr [edx+10h], 0
		mov	eax, [edx]
		jnz	short loc_61667C
		cmp	dword ptr [edx+0Ch], 6
		jnz	short loc_616676
		cmp	byte ptr [edx+14h], 0
		jz	short loc_616676
		cmp	[eax+4], edx
		jnz	short loc_61668F
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	short loc_61668F
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_61668F
		mov	[edx], edi
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[edi+4], edx

loc_616676:				; CODE XREF: PiCollapseRebalanceRequests(x)+38j
					; PiCollapseRebalanceRequests(x)+3Ej
		mov	edx, eax
		cmp	eax, esi
		jnz	short loc_616640

loc_61667C:				; CODE XREF: PiCollapseRebalanceRequests(x)+32j
		mov	cl, [ebp+var_1]

loc_61667F:				; CODE XREF: PiCollapseRebalanceRequests(x)+2Aj
		mov	dl, cl
		mov	ecx, offset _PnpSpinLock
		call	KfReleaseSpinLock
		mov	esi, [ebx]
		jmp	short loc_6166A2
; 

loc_61668F:				; CODE XREF: PiCollapseRebalanceRequests(x)+43j
					; PiCollapseRebalanceRequests(x)+4Aj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_616694:				; CODE XREF: PiCollapseRebalanceRequests(x)+90j
		mov	ecx, [esi+8]
		call	ObfDereferenceObject
		and	dword ptr [esi+8], 0
		mov	esi, [esi]

loc_6166A2:				; CODE XREF: PiCollapseRebalanceRequests(x)+79j
		cmp	esi, edi
		jnz	short loc_616694
		cmp	ebx, [edi+4]
		pop	edi
		pop	esi
		setnz	al
		pop	ebx
		leave
		retn
_PiCollapseRebalanceRequests@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiRebalanceOptOut(x)
_PiRebalanceOptOut@4 proc near		; CODE XREF: PnpQueryStopDeviceNode(x,x)+1Cp

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_59		= dword	ptr -59h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [ebp+var_68]
		push	ebx
		push	eax
		push	4
		lea	eax, [ebp+var_64]
		mov	[ebp+var_64], ebx
		push	eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_68], ebx
		push	eax
		push	offset _DEVPKEY_Device_DHP_Rebalance_Policy
		mov	esi, ecx
		mov	[ebp+var_60], ebx
		mov	ecx, ds:_PiPnpRtlCtx
		push	ebx
		push	ebx
		mov	edx, [esi+18h]
		push	1
		mov	byte ptr [ebp+var_59], bl
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_616711
		cmp	[ebp+var_60], 7
		jnz	short loc_616711
		cmp	[ebp+var_64], 1
		jz	short loc_616768
		cmp	[ebp+var_64], 2
		jz	short loc_61676A

loc_616711:				; CODE XREF: PiRebalanceOptOut(x)+4Cj
					; PiRebalanceOptOut(x)+52j
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_6C], ebx
		push	eax
		lea	eax, [ebp+var_59+1]
		push	eax
		push	4Eh
		push	6
		push	dword ptr [esi+10h]
		call	IoGetDeviceProperty
		test	eax, eax
		js	short loc_61676A
		mov	ecx, ds:_PiPnpRtlCtx
		lea	eax, [ebp+var_68]
		push	ebx
		push	eax
		push	1
		lea	eax, [ebp+var_59]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		push	offset _DEVPKEY_DeviceClass_DHPRebalanceOptOut
		push	ebx
		push	ebx
		push	2
		lea	edx, [ebp+var_59+1]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_61676A
		cmp	[ebp+var_60], 11h
		jnz	short loc_61676A
		cmp	[ebp+var_68], 1
		jnz	short loc_61676A
		cmp	byte ptr [ebp+var_59], 0FFh
		jnz	short loc_61676A

loc_616768:				; CODE XREF: PiRebalanceOptOut(x)+58j
		mov	bl, 1

loc_61676A:				; CODE XREF: PiRebalanceOptOut(x)+5Ej
					; PiRebalanceOptOut(x)+79j ...
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PiRebalanceOptOut@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpProcessRebalance(x)
_PnpProcessRebalance@4 proc near	; CODE XREF: .text:005DD75Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	[esp+18h+var_8], ebx
		mov	[esp+18h+var_4], ebx
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_6167A6
		mov	eax, [ecx+0B0h]
		mov	edi, [eax+14h]
		jmp	short loc_6167AC
; 

loc_6167A6:				; CODE XREF: PnpProcessRebalance(x)+1Fj
		mov	edi, ds:_IopRootDeviceNode

loc_6167AC:				; CODE XREF: PnpProcessRebalance(x)+2Aj
		mov	al, [esi+14h]
		mov	edx, [edi+0ACh]
		mov	byte ptr [esp+18h+var_C], al
		cmp	edx, 313h
		jz	loc_616879
		cmp	edx, 314h
		jz	loc_616879
		cmp	[esi+10h], bl
		jnz	short loc_6167EB
		test	al, al
		jz	short loc_6167EB
		mov	ecx, esi
		call	_PiCollapseRebalanceRequests@4 ; PiCollapseRebalanceRequests(x)
		test	al, al
		jz	short loc_6167EB
		mov	edi, ds:_IopRootDeviceNode

loc_6167EB:				; CODE XREF: PnpProcessRebalance(x)+5Aj
					; PnpProcessRebalance(x)+5Ej ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ebx
		push	ebx
		push	ebx
		push	4
		mov	ebx, offset _PpRegistrySemaphore
		push	ebx
		call	KeWaitForSingleObject
		push	[esp+18h+var_C]
		xor	edx, edx
		mov	ecx, edi
		push	0
		call	_PnpRebalance@16 ; PnpRebalance(x,x,x,x)
		push	0
		push	1
		push	0
		push	ebx
		mov	edi, eax
		call	KeReleaseSemaphore
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	edi, edi
		js	short loc_616875
		mov	ecx, ds:_IopRootDeviceNode
		mov	edx, 746C6644h
		mov	al, ds:_PnPBootDriversInitialized
		mov	[esp+18h+var_8], 3
		mov	byte ptr [esp+18h+var_4], al
		mov	ecx, [ecx+10h]
		call	ObfReferenceObjectWithTag
		mov	ecx, ds:_IopRootDeviceNode
		xor	eax, eax
		push	eax
		push	1
		push	eax
		push	eax
		lea	eax, [esp+28h+var_8]
		mov	edx, esi
		push	eax
		call	PipProcessDevNodeTree
		mov	edi, eax

loc_616875:				; CODE XREF: PnpProcessRebalance(x)+BAj
		mov	eax, edi
		jmp	short loc_616888
; 

loc_616879:				; CODE XREF: PnpProcessRebalance(x)+45j
					; PnpProcessRebalance(x)+51j
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C0000056h

loc_616888:				; CODE XREF: PnpProcessRebalance(x)+FDj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PnpProcessRebalance@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpIsChainDereferenced(x, x, x, x, x)
_PnpIsChainDereferenced@20 proc	near	; CODE XREF: PnpProcessQueryRemoveAndEject(x)+3AAp
					; PipEventRemovalCheckOpenHandles(x,x,x)+43p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_8], edx
		mov	[ebp+var_10], ecx
		test	edi, edi
		jz	short loc_6168AA
		and	dword ptr [edi], 0

loc_6168AA:				; CODE XREF: PnpIsChainDereferenced(x,x,x,x,x)+16j
		and	[ebp+var_C], 0
		xor	ebx, ebx
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		xor	esi, esi
		mov	[ebp+var_1], al
		cmp	[ebp+var_8], ebx
		jle	short loc_61691D
		mov	edi, [ebp+var_10]

loc_6168C5:				; CODE XREF: PnpIsChainDereferenced(x,x,x,x,x)+89j
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		push	eax
		mov	ecx, edi
		call	_PnpIsAnyDeviceInUse@12	; PnpIsAnyDeviceInUse(x,x,x)
		push	ecx
		push	1
		push	ecx
		mov	ecx, edi
		mov	ebx, eax
		call	_PnpUpdateExtensionFlags@20 ; PnpUpdateExtensionFlags(x,x,x,x,x)
		cmp	[ebp+arg_0], 0
		jnz	short loc_61690D
		test	ebx, ebx
		jnz	short loc_616911
		mov	dl, [ebp+var_1]
		push	0Ah
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	edx, [ebp+arg_4]
		mov	ecx, [edi]
		call	_PnpChainDereferenceComplete@8 ; PnpChainDereferenceComplete(x,x)
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[ebp+var_1], al
		jmp	short loc_616911
; 

loc_61690D:				; CODE XREF: PnpIsChainDereferenced(x,x,x,x,x)+56j
		test	ebx, ebx
		jnz	short loc_61691A

loc_616911:				; CODE XREF: PnpIsChainDereferenced(x,x,x,x,x)+5Aj
					; PnpIsChainDereferenced(x,x,x,x,x)+7Cj
		inc	esi
		add	edi, 4
		cmp	esi, [ebp+var_8]
		jl	short loc_6168C5

loc_61691A:				; CODE XREF: PnpIsChainDereferenced(x,x,x,x,x)+80j
		mov	edi, [ebp+arg_8]

loc_61691D:				; CODE XREF: PnpIsChainDereferenced(x,x,x,x,x)+31j
		cmp	[ebp+arg_0], 0
		mov	eax, [ebp+var_C]
		jz	short loc_61694D
		test	ebx, ebx
		jz	short loc_61694D
		test	edi, edi
		jz	short loc_616930
		mov	[edi], eax

loc_616930:				; CODE XREF: PnpIsChainDereferenced(x,x,x,x,x)+9Dj
		test	esi, esi
		js	short loc_61694D
		mov	eax, [ebp+var_10]
		lea	edx, [eax+esi*4]

loc_61693A:				; CODE XREF: PnpIsChainDereferenced(x,x,x,x,x)+BCj
		push	ecx
		push	0
		push	ecx
		mov	ecx, edx
		call	_PnpUpdateExtensionFlags@20 ; PnpUpdateExtensionFlags(x,x,x,x,x)
		sub	edx, 4
		sub	esi, 1
		jns	short loc_61693A

loc_61694D:				; CODE XREF: PnpIsChainDereferenced(x,x,x,x,x)+95j
					; PnpIsChainDereferenced(x,x,x,x,x)+99j ...
		mov	dl, [ebp+var_1]
		push	0Ah
		pop	ecx
		call	KeReleaseQueuedSpinLock
		cmp	[ebp+arg_0], 0
		jnz	short loc_616963
		xor	eax, eax
		inc	eax
		jmp	short loc_616965
; 

loc_616963:				; CODE XREF: PnpIsChainDereferenced(x,x,x,x,x)+CDj
		mov	eax, ebx

loc_616965:				; CODE XREF: PnpIsChainDereferenced(x,x,x,x,x)+D2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PnpIsChainDereferenced@20 endp


;  S U B	R O U T	I N E 


; __stdcall PiDmaGuardQueueRemoveEntry(x)
_PiDmaGuardQueueRemoveEntry@4 proc near	; CODE XREF: PiDmaGuardProcessPostRemove(x,x,x):loc_985A2Fp
		mov	edi, edi
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _PipDgqListLock
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	ecx, ds:_PipDgqListHead
		mov	edx, offset _PipDgqListHead
		jmp	short loc_6169A4
; 

loc_61699B:				; CODE XREF: PiDmaGuardQueueRemoveEntry(x)+3Aj
		mov	eax, [ecx]
		cmp	[ecx+8], esi
		jz	short loc_6169BF
		mov	ecx, eax

loc_6169A4:				; CODE XREF: PiDmaGuardQueueRemoveEntry(x)+2Dj
		cmp	ecx, edx
		jnz	short loc_61699B

loc_6169A8:				; CODE XREF: PiDmaGuardQueueRemoveEntry(x)+69j
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_6169BF:				; CODE XREF: PiDmaGuardQueueRemoveEntry(x)+34j
		cmp	[eax+4], ecx
		jnz	short loc_6169D7
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_6169D7
		mov	[edx], eax
		mov	[eax+4], edx
		call	_PipDgqFreeEntry@4 ; PipDgqFreeEntry(x)
		jmp	short loc_6169A8
; 

loc_6169D7:				; CODE XREF: PiDmaGuardQueueRemoveEntry(x)+56j
					; PiDmaGuardQueueRemoveEntry(x)+5Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PiDmaGuardQueueRemoveEntry@4 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopEliminateBogusConflict(x, x)
_IopEliminateBogusConflict@8 proc near	; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+38p
					; IopQueryConflictFillConflicts(x,x,x,x,x,x)+C5p ...

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], ebx
		push	esi
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jz	loc_616AB5
		test	edi, edi
		jz	loc_616AB5
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[ebp+var_1], al
		mov	ecx, ebx

loc_616A0B:				; CODE XREF: IopEliminateBogusConflict(x,x)+3Cj
		cmp	ecx, edi
		jz	loc_616ABC
		mov	ecx, [ecx+10h]
		test	ecx, ecx
		jnz	short loc_616A0B
		mov	eax, large fs:20h
		xor	ebx, ebx
		inc	ebx
		lea	esi, [eax+468h]
		test	ds:byte_70EFC6,	bl
		jz	short loc_616A3D
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_616A65
; 

loc_616A3D:				; CODE XREF: IopEliminateBogusConflict(x,x)+53j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_616A59
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_616A65
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_616A59:				; CODE XREF: IopEliminateBogusConflict(x,x)+65j
		mov	dword ptr [esi], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_616A65:				; CODE XREF: IopEliminateBogusConflict(x,x)+5Fj
					; IopEliminateBogusConflict(x,x)+74j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		mov	eax, 1000h
		test	[ecx+10Ch], eax
		jz	short loc_616AB5
		test	[edi+1Ch], eax
		jnz	short loc_616AB5
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_616AB5
		add	ecx, 1Ch
		movzx	edx, word ptr [ecx]
		test	dx, dx
		jz	short loc_616AB5
		mov	eax, [eax+18h]
		add	eax, 0Ch
		cmp	dx, [eax]
		jnz	short loc_616AB5
		push	ebx
		push	eax
		push	ecx
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jz	short loc_616B10

loc_616AB5:				; CODE XREF: IopEliminateBogusConflict(x,x)+14j
					; IopEliminateBogusConflict(x,x)+1Cj ...
		xor	al, al

loc_616AB7:				; CODE XREF: IopEliminateBogusConflict(x,x)+136j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_616ABC:				; CODE XREF: IopEliminateBogusConflict(x,x)+31j
		mov	eax, large fs:20h
		xor	ebx, ebx
		inc	ebx
		lea	esi, [eax+468h]
		test	ds:byte_70EFC6,	bl
		jz	short loc_616ADF
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_616B07
; 

loc_616ADF:				; CODE XREF: IopEliminateBogusConflict(x,x)+F5j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_616AFB
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_616B07
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_616AFB:				; CODE XREF: IopEliminateBogusConflict(x,x)+107j
		mov	dword ptr [esi], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_616B07:				; CODE XREF: IopEliminateBogusConflict(x,x)+101j
					; IopEliminateBogusConflict(x,x)+116j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_616B10:				; CODE XREF: IopEliminateBogusConflict(x,x)+D7j
		mov	al, bl
		jmp	short loc_616AB7
_IopEliminateBogusConflict@8 endp


;  S U B	R O U T	I N E 


; __stdcall KdCopyDataBlock(x)
_KdCopyDataBlock@4 proc	near		; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+429p
					; IopInitializeInMemoryDumpData()+113p	...
		cmp	ds:_KdpDataBlockEncoded, 0
		push	edi
		mov	edi, ecx
		jnz	short loc_616B2E
		push	esi
		mov	ecx, 0E0h
		mov	esi, offset _KdDebuggerDataBlock
		rep movsd
		pop	esi

loc_616B2E:				; CODE XREF: KdCopyDataBlock(x)+Aj
		pop	edi
		retn
_KdCopyDataBlock@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1070. KdDeregisterPowerHandler

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdDeregisterPowerHandler(x)
		public _KdDeregisterPowerHandler@4
_KdDeregisterPowerHandler@4 proc near

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	esi, offset _KdpPowerSpinLock
		mov	[ebp+var_2], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_KdpPowerListHead
		xor	ebx, ebx
		mov	[ebp+var_1], bl
		mov	edx, offset _KdpPowerListHead
		jmp	short loc_616B71
; 

loc_616B66:				; CODE XREF: KdDeregisterPowerHandler(x)+3Ej
		mov	ebx, ecx
		mov	eax, [ecx]
		cmp	[ebp+arg_0], ecx
		jz	short loc_616B8A
		mov	ecx, eax

loc_616B71:				; CODE XREF: KdDeregisterPowerHandler(x)+2Fj
		cmp	ecx, edx
		jnz	short loc_616B66

loc_616B75:				; CODE XREF: KdDeregisterPowerHandler(x)+6Aj
		test	ds:byte_70EFC6,	1
		jz	short loc_616BA6
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_616BAB
; 

loc_616B8A:				; CODE XREF: KdDeregisterPowerHandler(x)+38j
		mov	edx, [ecx+4]
		cmp	[eax+4], ecx
		jnz	short loc_616BA1
		cmp	[edx], ecx
		jnz	short loc_616BA1
		mov	[edx], eax
		mov	[eax+4], edx
		mov	[ebp+var_1], 1
		jmp	short loc_616B75
; 

loc_616BA1:				; CODE XREF: KdDeregisterPowerHandler(x)+5Bj
					; KdDeregisterPowerHandler(x)+5Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_616BA6:				; CODE XREF: KdDeregisterPowerHandler(x)+47j
		xor	eax, eax
		lock and [esi],	eax

loc_616BAB:				; CODE XREF: KdDeregisterPowerHandler(x)+53j
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_1], 0
		jnz	short loc_616BC1
		mov	eax, 0C0000225h
		jmp	short loc_616BCE
; 

loc_616BC1:				; CODE XREF: KdDeregisterPowerHandler(x)+83j
		push	6F49644Bh
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax

loc_616BCE:				; CODE XREF: KdDeregisterPowerHandler(x)+8Aj
		pop	esi
		pop	ebx
		leave
		retn	4
_KdDeregisterPowerHandler@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1081. KdRegisterPowerHandler

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdRegisterPowerHandler(x, x, x)
		public _KdRegisterPowerHandler@12
_KdRegisterPowerHandler@12 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	6F49644Bh
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_616BFD
		mov	eax, 0C000009Ah
		jmp	short loc_616C6D
; 

loc_616BFD:				; CODE XREF: KdRegisterPowerHandler(x,x,x)+1Bj
		mov	eax, [ebp+arg_0]
		mov	cl, 1Fh
		push	ebx
		mov	[esi+8], eax
		mov	eax, [ebp+arg_4]
		push	edi
		mov	[esi+0Ch], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edi, offset _KdpPowerSpinLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:dword_A9B03C
		mov	eax, offset _KdpPowerListHead
		cmp	[ecx], eax
		jz	short loc_616C35
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_616C35:				; CODE XREF: KdRegisterPowerHandler(x,x,x)+55j
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		test	ds:byte_70EFC6,	1
		mov	ds:dword_A9B03C, esi
		jz	short loc_616C57
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_616C5C
; 

loc_616C57:				; CODE XREF: KdRegisterPowerHandler(x,x,x)+70j
		xor	eax, eax
		lock and [edi],	eax

loc_616C5C:				; CODE XREF: KdRegisterPowerHandler(x,x,x)+7Cj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+arg_8]
		pop	edi
		pop	ebx
		mov	[eax], esi
		xor	eax, eax

loc_616C6D:				; CODE XREF: KdRegisterPowerHandler(x,x,x)+22j
		pop	esi
		pop	ebp
		retn	0Ch
_KdRegisterPowerHandler@12 endp


;  S U B	R O U T	I N E 


; __stdcall ExceptionRecord32To64(x, x)
_ExceptionRecord32To64@8 proc near	; CODE XREF: KdpReportExceptionStateChange(x,x,x)+77p
		mov	eax, [ecx]
		push	esi
		mov	esi, edx
		push	edi
		push	0Fh
		pop	edi
		mov	[esi], eax
		mov	eax, [ecx+4]
		mov	[esi+4], eax
		mov	eax, [ecx+8]
		and	dword ptr [esi+0Ch], 0
		mov	[esi+8], eax
		mov	eax, [ecx+0Ch]
		cdq
		mov	[esi+10h], eax
		mov	[esi+14h], edx
		mov	eax, [ecx+10h]
		mov	[esi+18h], eax
		add	esi, 20h
		add	ecx, 14h

loc_616CA3:				; CODE XREF: ExceptionRecord32To64(x,x)+42j
		mov	eax, [ecx]
		lea	ecx, [ecx+4]
		cdq
		mov	[esi], eax
		lea	esi, [esi+8]
		mov	[esi-4], edx
		sub	edi, 1
		jnz	short loc_616CA3
		pop	edi
		pop	esi
		retn
_ExceptionRecord32To64@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1066. KdAcquireDebuggerLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdAcquireDebuggerLock(x)
		public _KdAcquireDebuggerLock@4
_KdAcquireDebuggerLock@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx], al
		mov	ecx, offset _KdDebuggerLock
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		pop	ebp
		retn	4
_KdAcquireDebuggerLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdCallPowerHandlers(x)
_KdCallPowerHandlers@4 proc near	; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+BA8p
					; PpmExitCoordinatedIdle+12BD9Dp ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_KdpPowerListHead, 0
		push	ebx
		mov	ebx, ecx
		jnz	short loc_616CF4
		xor	eax, eax
		jmp	short loc_616D56
; 

loc_616CF4:				; CODE XREF: KdCallPowerHandlers(x)+10j
		push	esi
		push	edi
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, offset _KdpPowerSpinLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, ds:_KdpPowerListHead
		xor	edi, edi
		jmp	short loc_616D24
; 

loc_616D15:				; CODE XREF: KdCallPowerHandlers(x)+4Cj
		push	dword ptr [esi+0Ch]
		push	ebx
		call	dword ptr [esi+8]
		mov	edi, eax
		test	edi, edi
		js	short loc_616D2C
		mov	esi, [esi]

loc_616D24:				; CODE XREF: KdCallPowerHandlers(x)+35j
		cmp	esi, offset _KdpPowerListHead
		jnz	short loc_616D15

loc_616D2C:				; CODE XREF: KdCallPowerHandlers(x)+42j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _KdpPowerSpinLock
		jz	short loc_616D44
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_616D49
; 

loc_616D44:				; CODE XREF: KdCallPowerHandlers(x)+5Aj
		xor	eax, eax
		lock and [ecx],	eax

loc_616D49:				; CODE XREF: KdCallPowerHandlers(x)+64j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi

loc_616D56:				; CODE XREF: KdCallPowerHandlers(x)+14j
		pop	ebx
		leave
		retn
_KdCallPowerHandlers@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1067. KdChangeOption

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdChangeOption(x, x, x, x, x, x)
		public _KdChangeOption@24
_KdChangeOption@24 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_KdPitchDebugger, 0
		jz	short loc_616D73
		mov	eax, 0C0000354h
		jmp	short loc_616DBF
; 

loc_616D73:				; CODE XREF: KdChangeOption(x,x,x,x,x,x)+Cj
		cmp	[ebp+arg_0], 0
		jz	short loc_616D80
		mov	eax, 0C0000003h
		jmp	short loc_616DAE
; 

loc_616D80:				; CODE XREF: KdChangeOption(x,x,x,x,x,x)+19j
		cmp	[ebp+arg_4], 1
		jnz	short loc_616DBA
		cmp	[ebp+arg_C], 0
		jnz	short loc_616DBA
		cmp	[ebp+arg_10], 0
		jnz	short loc_616DBA
		test	ds:_KdBlockEnable, 80h
		jz	short loc_616DA2
		mov	eax, 0C0000022h
		jmp	short loc_616DBF
; 

loc_616DA2:				; CODE XREF: KdChangeOption(x,x,x,x,x,x)+3Bj
		mov	eax, [ebp+arg_8]
		mov	al, [eax]
		mov	ds:_KdBlockEnable, al
		xor	eax, eax

loc_616DAE:				; CODE XREF: KdChangeOption(x,x,x,x,x,x)+20j
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jz	short loc_616DBF
		and	dword ptr [ecx], 0
		jmp	short loc_616DBF
; 

loc_616DBA:				; CODE XREF: KdChangeOption(x,x,x,x,x,x)+26j
					; KdChangeOption(x,x,x,x,x,x)+2Cj ...
		mov	eax, 0C000000Dh

loc_616DBF:				; CODE XREF: KdChangeOption(x,x,x,x,x,x)+13j
					; KdChangeOption(x,x,x,x,x,x)+42j ...
		pop	ebp
		retn	18h
_KdChangeOption@24 endp

; 
		align 8
; Exported entry 1071. KdDisableDebugger

;  S U B	R O U T	I N E 


; __stdcall KdDisableDebugger()
		public _KdDisableDebugger@0
_KdDisableDebugger@0 proc near		; CODE XREF: NtSystemDebugControl+83116p
		jmp	$+5
_KdDisableDebugger@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdDisableDebuggerWithLock(x)
_KdDisableDebuggerWithLock@4 proc near	; CODE XREF: KdRegisterDebuggerDataBlock+60Bp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_KdPitchDebugger, 0
		jz	short loc_616DE2
		mov	eax, 0C0000354h
		pop	ebp
		retn
; 

loc_616DE2:				; CODE XREF: KdDisableDebuggerWithLock(x)+Cj
		cmp	ds:_KdBlockEnable, 0
		jz	short loc_616DF2
		mov	eax, 0C0000022h
		pop	ebp
		retn
; 

loc_616DF2:				; CODE XREF: KdDisableDebuggerWithLock(x)+1Cj
		push	ebx
		push	esi
		push	edi
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edi, offset _KdDebuggerLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	ds:_KdDisableCount, 0
		jnz	short loc_616E7C
		mov	cl, ds:_KdDebuggerEnabled
		mov	ds:_KdPreviouslyEnabled, cl
		test	cl, cl
		jz	short loc_616E4B
		call	_KdpAllowDisable@0 ; KdpAllowDisable()
		mov	esi, eax
		test	esi, esi
		jns	short loc_616E4B
		test	ds:byte_70EFC6,	1
		jz	short loc_616E44
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_616E9E
; 

loc_616E44:				; CODE XREF: KdDisableDebuggerWithLock(x)+69j
		xor	eax, eax
		lock and [edi],	eax
		jmp	short loc_616E9E
; 

loc_616E4B:				; CODE XREF: KdDisableDebuggerWithLock(x)+55j
					; KdDisableDebuggerWithLock(x)+60j
		cmp	ds:_KdDebuggerEnabled, 0
		jz	short loc_616E7C
		call	_KdpSuspendAllBreakpoints@0 ; KdpSuspendAllBreakpoints()
		xor	eax, eax
		mov	ds:0FFDF02D4h, al
		push	eax
		push	40000004h
		mov	ds:_KdDebuggerNotPresent, 1
		mov	ds:_KdDebuggerEnabled, al
		mov	ds:_KdpDebugRoutineSelect, eax
		call	_KdPowerTransitionEx@8 ; KdPowerTransitionEx(x,x)

loc_616E7C:				; CODE XREF: KdDisableDebuggerWithLock(x)+45j
					; KdDisableDebuggerWithLock(x)+85j
		inc	ds:_KdDisableCount
		test	ds:byte_70EFC6,	1
		jz	short loc_616E97
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_616E9C
; 

loc_616E97:				; CODE XREF: KdDisableDebuggerWithLock(x)+BCj
		xor	eax, eax
		lock and [edi],	eax

loc_616E9C:				; CODE XREF: KdDisableDebuggerWithLock(x)+C8j
		xor	esi, esi

loc_616E9E:				; CODE XREF: KdDisableDebuggerWithLock(x)+75j
					; KdDisableDebuggerWithLock(x)+7Cj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_KdDisableDebuggerWithLock@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1072. KdEnableDebugger

;  S U B	R O U T	I N E 


; __stdcall KdEnableDebugger()
		public _KdEnableDebugger@0
_KdEnableDebugger@0 proc near		; CODE XREF: KiDispatchException+10DF28p
					; KeInsertQueue+D6248p	...
		mov	edi, edi
		push	ebx
		xor	ecx, ecx
		push	esi
		inc	ecx
		call	_KeRelaxTimingConstraints@4 ; KeRelaxTimingConstraints(x)
		mov	cl, 1
		mov	bl, al
		call	_KdEnableDebuggerWithLock@4 ; KdEnableDebuggerWithLock(x)
		movzx	ecx, bl
		mov	esi, eax
		call	_KeRelaxTimingConstraints@4 ; KeRelaxTimingConstraints(x)
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_KdEnableDebugger@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdEnableDebuggerWithLock(x)
_KdEnableDebuggerWithLock@4 proc near	; CODE XREF: KdEnableDebugger()+10p
					; KeBugCheck2(x,x,x,x,x,x)+883p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ebx
		xor	eax, eax
		mov	bl, cl
		mov	bh, al
		push	esi
		cmp	ds:_KdPitchDebugger, al
		jz	short loc_616EF8
		mov	eax, 0C0000354h
		jmp	loc_616FEF
; 

loc_616EF8:				; CODE XREF: KdEnableDebuggerWithLock(x)+16j
		cmp	ds:_KdBlockEnable, al
		jz	short loc_616F0A
		mov	eax, 0C0000022h
		jmp	loc_616FEF
; 

loc_616F0A:				; CODE XREF: KdEnableDebuggerWithLock(x)+28j
		mov	esi, offset _KdDebuggerLock
		test	bl, bl
		jz	short loc_616F26
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, esi
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	eax, eax

loc_616F26:				; CODE XREF: KdEnableDebuggerWithLock(x)+3Bj
		mov	edx, ds:_KdDisableCount
		test	edx, edx
		jnz	short loc_616F6C
		test	bl, bl
		jz	short loc_616F60
		test	ds:byte_70EFC6,	1
		jz	short loc_616F49
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_616F4E
; 

loc_616F49:				; CODE XREF: KdEnableDebuggerWithLock(x)+65j
		xor	eax, eax
		lock and [esi],	eax

loc_616F4E:				; CODE XREF: KdEnableDebuggerWithLock(x)+71j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, 0C000000Dh
		jmp	loc_616FEF
; 

loc_616F60:				; CODE XREF: KdEnableDebuggerWithLock(x)+5Cj
		push	eax
		push	eax
		call	KdInitSystem
		jmp	loc_616FED
; 

loc_616F6C:				; CODE XREF: KdEnableDebuggerWithLock(x)+58j
		sub	edx, 1
		mov	ds:_KdDisableCount, edx
		jnz	short loc_616FC7
		cmp	ds:_KdPreviouslyEnabled, 0
		jz	short loc_616FC7
		push	eax
		test	bl, bl
		jz	short loc_616FAE
		push	40000001h
		call	_KdPowerTransitionEx@8 ; KdPowerTransitionEx(x,x)
		mov	ds:_KdpDebugRoutineSelect, 1
		mov	ds:_KdDebuggerEnabled, 1
		mov	byte ptr ds:0FFDF02D4h,	1
		call	_KdpRestoreAllBreakpoints@0 ; KdpRestoreAllBreakpoints()
		jmp	short loc_616FC7
; 

loc_616FAE:				; CODE XREF: KdEnableDebuggerWithLock(x)+ADj
		push	eax
		mov	ds:_PoHiberInProgress, 1
		call	KdInitSystem
		call	_KdpRestoreAllBreakpoints@0 ; KdpRestoreAllBreakpoints()
		mov	ds:_PoHiberInProgress, 0

loc_616FC7:				; CODE XREF: KdEnableDebuggerWithLock(x)+9Fj
					; KdEnableDebuggerWithLock(x)+A8j ...
		test	bl, bl
		jz	short loc_616FED
		test	ds:byte_70EFC6,	1
		jz	short loc_616FE0
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_616FE5
; 

loc_616FE0:				; CODE XREF: KdEnableDebuggerWithLock(x)+FCj
		xor	eax, eax
		lock and [esi],	eax

loc_616FE5:				; CODE XREF: KdEnableDebuggerWithLock(x)+108j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_616FED:				; CODE XREF: KdEnableDebuggerWithLock(x)+91j
					; KdEnableDebuggerWithLock(x)+F3j
		xor	eax, eax

loc_616FEF:				; CODE XREF: KdEnableDebuggerWithLock(x)+1Dj
					; KdEnableDebuggerWithLock(x)+2Fj ...
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_KdEnableDebuggerWithLock@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1078. KdPowerTransition

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdPowerTransition(x)
		public _KdPowerTransition@4
_KdPowerTransition@4 proc near		; CODE XREF: PopHandleNextState(x,x)+137p
					; PopHandleNextState(x,x)+171p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1
		push	[ebp+arg_0]
		call	_KdPowerTransitionEx@8 ; KdPowerTransitionEx(x,x)
		pop	ebp
		retn	4
_KdPowerTransition@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1079. KdPowerTransitionEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdPowerTransitionEx(x, x)
		public _KdPowerTransitionEx@8
_KdPowerTransitionEx@8 proc near	; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+B9Ep
					; PpmExitCoordinatedIdle+12BDA9p ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		cmp	ds:_KdPitchDebugger, 0
		jnz	loc_61713C
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		and	eax, 40000000h
		xor	edi, eax
		cmp	ds:_KdDebuggerEnabled, 0
		jnz	short loc_617045
		test	eax, eax
		jz	loc_61713B

loc_617045:				; CODE XREF: KdPowerTransitionEx(x,x)+29j
		mov	esi, ds:_KdTransportMaxPacketSize
		mov	eax, edi
		and	eax, 80000000h
		sub	esi, 480h
		xor	edi, eax
		neg	esi
		push	ebx
		sbb	esi, esi
		or	bh, 0FFh
		not	esi
		and	esi, eax
		cmp	[ebp+arg_4], 0
		jz	short loc_617093
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_617089
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_617089
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bh, al

loc_617089:				; CODE XREF: KdPowerTransitionEx(x,x)+61j
					; KdPowerTransitionEx(x,x)+6Bj
		mov	ecx, offset _KdDebuggerLock
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_617093:				; CODE XREF: KdPowerTransitionEx(x,x)+58j
		cmp	edi, 1
		jz	short loc_6170BA
		lea	eax, [edi-2]
		cmp	eax, 2
		ja	short loc_6170B3
		push	offset _KdpContext
		or	esi, 4
		push	esi
		call	ds:__imp__KdPower@8 ; KdPower(x,x)
		mov	esi, eax
		jmp	short loc_61710A
; 

loc_6170B3:				; CODE XREF: KdPowerTransitionEx(x,x)+8Cj
		mov	esi, 0C000000Dh
		jmp	short loc_61710A
; 

loc_6170BA:				; CODE XREF: KdPowerTransitionEx(x,x)+84j
		mov	ecx, large fs:20h
		call	@PpmCancelExitLatencyTrace@4 ; PpmCancelExitLatencyTrace(x)
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jnz	short loc_6170D3
		mov	bl, 1Fh
		jmp	short loc_6170E0
; 

loc_6170D3:				; CODE XREF: KdPowerTransitionEx(x,x)+BBj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 2
		jb	short loc_6170EA

loc_6170E0:				; CODE XREF: KdPowerTransitionEx(x,x)+BFj
		push	0
		push	1
		call	ds:off_6B12E4	; RtlEndStrongEnumerationHashTable(x,x)

loc_6170EA:				; CODE XREF: KdPowerTransitionEx(x,x)+CCj
		push	offset _KdpContext
		or	esi, 1
		push	esi
		call	ds:__imp__KdPower@8 ; KdPower(x,x)
		mov	esi, eax
		cmp	bl, 2
		jb	short loc_61710A
		push	0
		push	0
		call	ds:off_6B12E4	; RtlEndStrongEnumerationHashTable(x,x)

loc_61710A:				; CODE XREF: KdPowerTransitionEx(x,x)+9Fj
					; KdPowerTransitionEx(x,x)+A6j	...
		cmp	[ebp+arg_4], 0
		jz	short loc_61713A
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _KdDebuggerLock
		jz	short loc_617128
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61712D
; 

loc_617128:				; CODE XREF: KdPowerTransitionEx(x,x)+10Aj
		xor	eax, eax
		lock and [ecx],	eax

loc_61712D:				; CODE XREF: KdPowerTransitionEx(x,x)+114j
		cmp	bh, 0FFh
		jz	short loc_61713A
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_61713A:				; CODE XREF: KdPowerTransitionEx(x,x)+FCj
					; KdPowerTransitionEx(x,x)+11Ej
		pop	ebx

loc_61713B:				; CODE XREF: KdPowerTransitionEx(x,x)+2Dj
		pop	edi

loc_61713C:				; CODE XREF: KdPowerTransitionEx(x,x)+Fj
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_KdPowerTransitionEx@8 endp

; 
		align 8
; Exported entry 1082. KdReleaseDebuggerLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdReleaseDebuggerLock(x)
		public _KdReleaseDebuggerLock@4
_KdReleaseDebuggerLock@4 proc near

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ds:byte_70EFC6,	1
		jz	short loc_617165
		mov	edx, [ebp+4]
		mov	ecx, offset _KdDebuggerLock
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61716F
; 

loc_617165:				; CODE XREF: KdReleaseDebuggerLock(x)+Cj
		xor	ecx, ecx
		mov	eax, offset _KdDebuggerLock
		lock and [eax],	ecx

loc_61716F:				; CODE XREF: KdReleaseDebuggerLock(x)+1Bj
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebp
		retn	4
_KdReleaseDebuggerLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdUpdateTimeSlipEvent(x)
_KdUpdateTimeSlipEvent@4 proc near	; CODE XREF: PAGE:loc_7B35CDp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_KdPitchDebugger, 0
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jnz	short loc_6171DB
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _KdpTimeSlipEventLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_KdpTimeSlipEvent
		test	ecx, ecx
		jz	short loc_6171B3
		call	ObfDereferenceObject

loc_6171B3:				; CODE XREF: KdUpdateTimeSlipEvent(x)+30j
		test	ds:byte_70EFC6,	1
		mov	ds:_KdpTimeSlipEvent, esi
		jz	short loc_6171CE
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6171D3
; 

loc_6171CE:				; CODE XREF: KdUpdateTimeSlipEvent(x)+44j
		xor	eax, eax
		lock and [edi],	eax

loc_6171D3:				; CODE XREF: KdUpdateTimeSlipEvent(x)+50j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_6171DB:				; CODE XREF: KdUpdateTimeSlipEvent(x)+12j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
_KdUpdateTimeSlipEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpGetContextEx(x, x, x)
_KdpGetContextEx@12 proc near		; CODE XREF: KdpSendWaitContinue(x,x,x,x)+171p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+10h]
		mov	ebx, edx
		mov	esi, [eax+14h]
		push	38h
		pop	ecx
		push	[ebp+arg_0]
		mov	word ptr [ebp+var_C], cx
		mov	ecx, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		call	_KdpGetContext@12 ; KdpGetContext(x,x,x)
		mov	ecx, [ebp+var_4]
		and	dword ptr [ecx+18h], 0
		cmp	dword ptr [ecx+8], 0
		jnz	short loc_61726E
		movzx	eax, word ptr [ebx]
		cmp	edi, eax
		jb	short loc_617227
		mov	edi, eax

loc_617227:				; CODE XREF: KdpGetContextEx(x,x,x)+42j
		sub	eax, edi
		cmp	esi, eax
		jbe	short loc_61722F
		mov	esi, eax

loc_61722F:				; CODE XREF: KdpGetContextEx(x,x,x)+4Aj
		test	edi, edi
		jz	short loc_617246
		test	esi, esi
		jz	short loc_617246
		mov	ecx, [ebx+4]
		push	esi
		lea	edx, [ecx+edi]
		call	_KdpQuickMoveMemory@12 ; KdpQuickMoveMemory(x,x,x)
		mov	ecx, [ebp+var_4]

loc_617246:				; CODE XREF: KdpGetContextEx(x,x,x)+50j
					; KdpGetContextEx(x,x,x)+54j
		mov	[ecx+10h], edi
		movzx	eax, word ptr [ebx]
		mov	[ecx+14h], eax
		mov	[ecx+18h], esi
		movzx	ecx, word ptr [ebx]
		cmp	esi, ecx
		jz	short loc_617264
		test	esi, esi
		jz	short loc_61726B
		lea	eax, [edi+esi]
		cmp	eax, ecx
		jnz	short loc_61726B

loc_617264:				; CODE XREF: KdpGetContextEx(x,x,x)+76j
		mov	ds:_KdpContextSent, 1

loc_61726B:				; CODE XREF: KdpGetContextEx(x,x,x)+7Aj
					; KdpGetContextEx(x,x,x)+81j
		mov	[ebx], si

loc_61726E:				; CODE XREF: KdpGetContextEx(x,x,x)+3Bj
		push	offset _KdpContext
		push	ebx
		lea	eax, [ebp+var_C]
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KdpGetContextEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSetCommonState(x, x, x)
_KdpSetCommonState@12 proc near		; CODE XREF: KdpReportCommandStringStateChange(x,x,x)+5Dp
					; KdpReportExceptionStateChange(x,x,x)+6Cp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ax, ds:_KeProcessorLevel
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		push	0FFFFh
		mov	edi, edx
		mov	[ebp+var_4], ebx
		mov	[esi+4], ax
		movzx	eax, large byte	ptr fs:51h
		mov	[esi], ecx
		mov	[esi+6], ax
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		movzx	ecx, word ptr [esi+6]
		mov	[esi+8], eax
		cmp	eax, ecx
		ja	short loc_6172CD
		lea	eax, [ecx+1]
		mov	[esi+8], eax

loc_6172CD:				; CODE XREF: KdpSetCommonState(x,x,x)+3Ej
		mov	eax, large fs:124h
		cdq
		mov	[esi+10h], eax
		mov	[esi+14h], edx
		mov	edi, [edi+0B8h]
		mov	eax, edi
		cdq
		push	30h		; size_t
		mov	[esi+18h], eax
		lea	eax, [esi+0C0h]
		push	ebx		; int
		push	eax		; void *
		mov	[esi+1Ch], edx
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_4]
		push	ecx
		push	4
		push	ebx
		push	ebx
		push	edi
		push	10h
		pop	edx
		lea	ecx, [esi+0CCh]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	ebx, [ebp+var_4]
		mov	ecx, edi
		mov	[esi+0C8h], bx
		lea	edx, [ebx-1]
		add	edx, edi
		call	_KdpDeleteBreakpointRange@8 ; KdpDeleteBreakpointRange(x,x)
		test	al, al
		jz	short loc_617344
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		push	4
		push	0
		push	0
		push	edi
		lea	ecx, [esi+0CCh]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)

loc_617344:				; CODE XREF: KdpSetCommonState(x,x,x)+A3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KdpSetCommonState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSetContextEx(x, x, x)
_KdpSetContextEx@12 proc near		; CODE XREF: KdpSendWaitContinue(x,x,x,x)+182p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_18], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	38h
		pop	eax
		mov	word ptr [ebp+var_18], ax
		movzx	eax, word ptr [esi+6]
		mov	[ebp+var_14], esi
		cmp	eax, 20h
		jnb	loc_61743B
		cmp	ds:_KiProcessorBlock[eax*4], 0
		jz	loc_61743B
		cmp	ds:_KdpContextSent, 0
		jz	loc_61743B
		mov	edi, [esi+18h]
		cmp	edi, 1000h
		ja	loc_617432
		mov	eax, [esi+10h]
		cmp	eax, edi
		jnb	loc_617432
		mov	ebx, [esi+14h]
		test	ebx, ebx
		jz	short loc_617432
		mov	edx, eax
		add	edx, ebx
		push	0
		pop	ecx
		adc	ecx, ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		ja	short loc_617432
		jb	short loc_6173CF
		cmp	edx, edi
		ja	short loc_617432

loc_6173CF:				; CODE XREF: KdpSetContextEx(x,x,x)+7Ej
		mov	edx, [ebp+var_8]
		lea	ecx, dword_6FE1A0[eax]
		push	ebx
		mov	edx, [edx+4]
		call	_KdpQuickMoveMemory@12 ; KdpQuickMoveMemory(x,x,x)
		cmp	[ebp+var_C], edi
		jnz	short loc_617429
		cmp	[ebp+var_10], 0
		jnz	short loc_617429
		movzx	ecx, word ptr [esi+6]
		movzx	eax, large byte	ptr fs:51h
		cmp	cx, ax
		jz	short loc_61740D
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		mov	eax, [eax+4168h]
		mov	[ebp+arg_0], eax

loc_61740D:				; CODE XREF: KdpSetContextEx(x,x,x)+B0j
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		mov	ecx, offset dword_6FE1A0
		call	_KdpSanitizeContextFlags@12 ; KdpSanitizeContextFlags(x,x,x)
		mov	edx, [ebp+var_4]
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	_KdpCopyContext@12 ; KdpCopyContext(x,x,x)

loc_617429:				; CODE XREF: KdpSetContextEx(x,x,x)+99j
					; KdpSetContextEx(x,x,x)+9Fj
		and	dword ptr [esi+8], 0
		mov	[esi+18h], ebx
		jmp	short loc_617442
; 

loc_617432:				; CODE XREF: KdpSetContextEx(x,x,x)+53j
					; KdpSetContextEx(x,x,x)+5Ej ...
		mov	dword ptr [esi+8], 0C000000Dh
		jmp	short loc_617442
; 

loc_61743B:				; CODE XREF: KdpSetContextEx(x,x,x)+29j
					; KdpSetContextEx(x,x,x)+37j ...
		mov	dword ptr [esi+8], 0C0000001h

loc_617442:				; CODE XREF: KdpSetContextEx(x,x,x)+E5j
					; KdpSetContextEx(x,x,x)+EEj
		push	offset _KdpContext
		push	0
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KdpSetContextEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpWriteCustomBreakpoint(x,	x, x)
_KdpWriteCustomBreakpoint@12 proc near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+19Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		push	esi
		mov	esi, ecx
		push	38h
		pop	eax
		mov	word ptr [ebp+var_8], ax
		movzx	eax, byte ptr [esi+25h]
		mov	dl, [esi+24h]
		mov	ecx, [esi+10h]
		push	eax
		push	dword ptr [esi+1Ch]
		mov	[ebp+var_4], esi
		push	dword ptr [esi+18h]
		call	_KdpAddBreakpoint@20 ; KdpAddBreakpoint(x,x,x,x,x)
		mov	[esi+20h], eax
		neg	eax
		push	offset _KdpContext
		sbb	eax, eax
		and	eax, 3FFFFFFFh
		add	eax, 0C0000001h
		mov	[esi+8], eax
		lea	eax, [ebp+var_8]
		push	0
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	esi
		leave
		retn	4
_KdpWriteCustomBreakpoint@12 endp


;  S U B	R O U T	I N E 


; __stdcall RunLengthEncode(x, x)
_RunLengthEncode@8 proc	near		; CODE XREF: KdpReadPhysicalMemory(x,x,x,x)+CCp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		test	edx, edx
		jz	short loc_6174E2
		mov	eax, esi
		or	eax, edx
		test	al, 3
		jnz	short loc_6174E2
		mov	edi, [esi]
		xor	ecx, ecx
		shr	edx, 2
		inc	ecx
		cmp	edx, ecx
		jbe	short loc_6174DE

loc_6174D4:				; CODE XREF: RunLengthEncode(x,x)+26j
		cmp	[esi+ecx*4], edi
		jnz	short loc_6174E2
		inc	ecx
		cmp	ecx, edx
		jb	short loc_6174D4

loc_6174DE:				; CODE XREF: RunLengthEncode(x,x)+1Cj
		mov	al, 1
		jmp	short loc_6174E4
; 

loc_6174E2:				; CODE XREF: RunLengthEncode(x,x)+8j
					; RunLengthEncode(x,x)+10j ...
		xor	al, al

loc_6174E4:				; CODE XREF: RunLengthEncode(x,x)+2Aj
		pop	edi
		pop	esi
		retn
_RunLengthEncode@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdSetDbgPrintBufferSize(x)
_KdSetDbgPrintBufferSize@4 proc	near	; CODE XREF: NtSystemDebugControl+8327Cp
					; MiInitSystem:loc_AE193Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		cmp	ds:_KdPitchDebugger, 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], ebx
		jz	short loc_617508
		mov	eax, 0C0000354h
		jmp	loc_617694
; 

loc_617508:				; CODE XREF: KdSetDbgPrintBufferSize(x)+15j
		cmp	ebx, 1000000h
		jbe	short loc_61751A
		mov	eax, 0C00000EFh
		jmp	loc_617694
; 

loc_61751A:				; CODE XREF: KdSetDbgPrintBufferSize(x)+27j
		mov	eax, 1000h
		push	esi
		cmp	ebx, eax
		jbe	short loc_617547
		push	6250644Bh
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], eax
		test	esi, esi
		jnz	short loc_617552
		mov	eax, 0C0000017h
		jmp	loc_617693
; 

loc_617547:				; CODE XREF: KdSetDbgPrintBufferSize(x)+3Bj
		mov	esi, offset _KdPrintDefaultCircularBuffer
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], esi

loc_617552:				; CODE XREF: KdSetDbgPrintBufferSize(x)+54j
		push	edi
		mov	edi, offset _KdpPrintSpinLock
		mov	[ebp+var_14], edi

loc_61755B:				; CODE XREF: KdSetDbgPrintBufferSize(x)+ACj
		nop
		mov	ecx, ds:_KdpPrintSpinLock
		mov	eax, ds:dword_6FE044
		or	ecx, eax
		jnz	short loc_617591
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		xor	edx, edx
		xor	eax, eax
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		inc	ebx
		lock cmpxchg8b qword ptr [edi]
		or	eax, edx
		jz	short loc_617595
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_617591:				; CODE XREF: KdSetDbgPrintBufferSize(x)+82j
		pause
		jmp	short loc_61755B
; 

loc_617595:				; CODE XREF: KdSetDbgPrintBufferSize(x)+9Fj
		mov	eax, large fs:20h
		xor	edi, edi
		mov	edx, ds:_KdPrintBufferSize
		mov	ebx, [ebp+var_8]
		mov	ds:dword_6FE048, eax
		mov	eax, ds:_KdPrintCircularBuffer
		mov	[ebp+var_10], eax
		cmp	ebx, edx
		jbe	short loc_617632
		mov	ecx, ds:_KdPrintWritePointer
		sub	ecx, eax
		mov	[ebp+var_8], ecx
		cmp	ecx, edx
		jb	short loc_6175CC
		mov	ds:_KdPrintRolloverCount, edi

loc_6175CC:				; CODE XREF: KdSetDbgPrintBufferSize(x)+DDj
		sbb	ecx, ecx
		and	ecx, [ebp+var_8]
		mov	[ebp+var_8], ecx
		cmp	ds:_KdPrintRolloverCount, edi
		jz	short loc_6175F3
		mov	edi, edx
		add	eax, ecx
		sub	edi, ecx
		push	edi		; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		mov	ecx, [ebp+var_8]

loc_6175F3:				; CODE XREF: KdSetDbgPrintBufferSize(x)+F3j
		push	ecx		; size_t
		push	eax		; void *
		lea	eax, [esi+edi]
		push	eax		; void *
		call	_memcpy
		add	edi, [ebp+var_8]
		add	esp, 0Ch
		cmp	ds:_KdPrintRolloverCount, 0
		jz	short loc_617632
		xor	eax, eax
		cmp	[esi], al
		jz	short loc_61761E

loc_617613:				; CODE XREF: KdSetDbgPrintBufferSize(x)+135j
		cmp	eax, edi
		jnb	short loc_61761E
		inc	eax
		cmp	byte ptr [esi+eax], 0
		jnz	short loc_617613

loc_61761E:				; CODE XREF: KdSetDbgPrintBufferSize(x)+12Aj
					; KdSetDbgPrintBufferSize(x)+12Ej
		inc	eax
		cmp	eax, edi
		jnb	short loc_617632
		sub	edi, eax
		add	eax, esi
		push	edi		; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memmove
		add	esp, 0Ch

loc_617632:				; CODE XREF: KdSetDbgPrintBufferSize(x)+CEj
					; KdSetDbgPrintBufferSize(x)+124j ...
		mov	eax, ebx
		add	esi, edi
		sub	eax, edi
		xor	edi, edi
		push	eax		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		inc	ds:_KdPrintBufferChanges
		mov	ecx, [ebp+var_14]
		mov	ds:_KdPrintCircularBuffer, eax
		xor	eax, eax
		mov	ds:_KdPrintBufferSize, ebx
		mov	ds:_KdPrintWritePointer, esi
		mov	ds:_KdPrintRolloverCount, edi
		mov	ds:dword_6FE048, edi
		xchg	eax, [ecx]
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_617690
		cmp	eax, offset _KdPrintDefaultCircularBuffer
		jz	short loc_617690
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_617690:				; CODE XREF: KdSetDbgPrintBufferSize(x)+199j
					; KdSetDbgPrintBufferSize(x)+1A0j
		xor	eax, eax
		pop	edi

loc_617693:				; CODE XREF: KdSetDbgPrintBufferSize(x)+5Bj
		pop	esi

loc_617694:				; CODE XREF: KdSetDbgPrintBufferSize(x)+1Cj
					; KdSetDbgPrintBufferSize(x)+2Ej
		pop	ebx
		leave
		retn
_KdSetDbgPrintBufferSize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpReport(x, x, x, x, x, x)
_KdpReport@24	proc near		; CODE XREF: KdpTrap(x,x,x,x,x,x)+FDp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax]
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], ecx
		cmp	eax, 80000003h
		jz	loc_61776A
		cmp	eax, 80000004h
		jz	loc_61776A
		cmp	eax, 0C0000420h
		jz	loc_61776A
		test	byte ptr ds:_NtGlobalFlag, 1
		jnz	loc_61776A
		cmp	[ebp+arg_C], 0
		jz	loc_617783

loc_6176E5:				; CODE XREF: KdpReport(x,x,x,x,x,x)+D7j
					; KdpReport(x,x,x,x,x,x)+E6j
		call	_KdEnterDebugger@8 ; KdEnterDebugger(x,x)
		mov	ebx, large fs:20h
		mov	[ebp+var_1], al
		mov	eax, [ebp+arg_4]
		push	eax
		mov	ecx, [ebx+4168h]
		mov	[ebp+var_10], ebx
		mov	edx, [eax]
		call	_KdpCopyContext@12 ; KdpCopyContext(x,x,x)
		lea	edi, [ebx+18h]
		push	edi
		call	_KiSaveProcessorControlState@4 ; KiSaveProcessorControlState(x)
		mov	edx, [ebx+4168h]
		mov	ecx, ebx
		push	[ebp+var_8]
		push	[ebp+var_C]
		mov	esi, [edx]
		call	_KiSaveProcessorDebugState@16 ;	KiSaveProcessorDebugState(x,x,x,x)
		push	dword ptr [ebp+arg_C]
		mov	edx, [ebx+4168h]
		mov	ecx, [ebp+arg_0]
		call	_KdpReportExceptionStateChange@12 ; KdpReportExceptionStateChange(x,x,x)
		mov	ecx, [ebp+arg_4]
		mov	bl, al
		mov	eax, [ebp+var_10]
		mov	edx, esi
		push	dword ptr [eax+4168h]
		call	_KdpCopyContext@12 ; KdpCopyContext(x,x,x)
		push	edi
		call	_KiRestoreProcessorControlState@4 ; KiRestoreProcessorControlState(x)
		mov	cl, [ebp+var_1]
		call	_KdExitDebugger@4 ; KdExitDebugger(x)
		mov	ds:_KdpControlCPressed,	0
		mov	al, bl

loc_617763:				; CODE XREF: KdpReport(x,x,x,x,x,x)+EEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_61776A:				; CODE XREF: KdpReport(x,x,x,x,x,x)+1Bj
					; KdpReport(x,x,x,x,x,x)+26j ...
		cmp	[ebp+arg_C], 0
		jnz	loc_6176E5
		cmp	eax, 0C0000037h
		jz	short loc_617783
		test	eax, eax
		js	loc_6176E5

loc_617783:				; CODE XREF: KdpReport(x,x,x,x,x,x)+48j
					; KdpReport(x,x,x,x,x,x)+E2j
		xor	al, al
		jmp	short loc_617763
_KdpReport@24	endp


;  S U B	R O U T	I N E 


; __stdcall KdpPollBreakInWithPortLock()
_KdpPollBreakInWithPortLock@0 proc near	; CODE XREF: KdpPrintString(x)+BCp
		xor	eax, eax
		push	ebx
		mov	bl, al
		cmp	ds:_KdDebuggerEnabled, al
		jz	short loc_6177B5
		cmp	ds:byte_6CB514,	al
		jz	short loc_6177A3
		mov	ds:byte_6CB514,	al
		jmp	short loc_6177B3
; 

loc_6177A3:				; CODE XREF: KdpPollBreakInWithPortLock()+13j
		push	eax
		push	eax
		push	eax
		push	eax
		push	8
		call	ds:__imp__KdReceivePacket@20 ; KdReceivePacket(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_6177B5

loc_6177B3:				; CODE XREF: KdpPollBreakInWithPortLock()+1Aj
		mov	bl, 1

loc_6177B5:				; CODE XREF: KdpPollBreakInWithPortLock()+Bj
					; KdpPollBreakInWithPortLock()+2Aj
		mov	al, bl
		pop	ebx
		retn
_KdpPollBreakInWithPortLock@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdSetOwedBreakpoints(x)
_KdSetOwedBreakpoints@4	proc near	; CODE XREF: Dr_kite_a+399p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_KdPitchDebugger, 0
		jnz	short loc_6177D8
		cmp	ds:_KdpOweBreakpoint, 0
		jz	short loc_6177D8
		mov	ecx, [ebp+arg_0]
		call	_KdpSetOwedBreakpoints@4 ; KdpSetOwedBreakpoints(x)

loc_6177D8:				; CODE XREF: KdSetOwedBreakpoints(x)+Cj
					; KdSetOwedBreakpoints(x)+15j
		pop	ebp
		retn	4
_KdSetOwedBreakpoints@4	endp


;  S U B	R O U T	I N E 


; __stdcall KdpIsBreakpoint(x, x)
_KdpIsBreakpoint@8 proc	near		; CODE XREF: KdpLowRestoreBreakpoint(x)+3Bp
					; KdpLowWriteContent(x)+3Dp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		movzx	eax, byte ptr [esi+1Ch]
		sub	eax, 1
		jz	short loc_617829
		sub	eax, 1
		jz	short loc_61781E
		dec	eax
		sub	eax, 1
		jz	short loc_617812
		sub	eax, 4
		jnz	short loc_61780E
		mov	eax, [edx]
		cmp	eax, [esi+8]
		jnz	short loc_61780E
		mov	eax, [edx+4]
		cmp	eax, [esi+0Ch]
		jnz	short loc_61780E
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_61780E:				; CODE XREF: KdpIsBreakpoint(x,x)+1Cj
					; KdpIsBreakpoint(x,x)+23j ...
		xor	eax, eax
		pop	esi
		retn
; 

loc_617812:				; CODE XREF: KdpIsBreakpoint(x,x)+17j
		mov	eax, [edx]
		sub	eax, [esi+8]
		neg	eax
		pop	esi
		sbb	eax, eax
		inc	eax
		retn
; 

loc_61781E:				; CODE XREF: KdpIsBreakpoint(x,x)+11j
		mov	cx, [edx]
		xor	eax, eax
		cmp	cx, [esi+8]
		jmp	short loc_617830
; 

loc_617829:				; CODE XREF: KdpIsBreakpoint(x,x)+Cj
		mov	cl, [edx]
		xor	eax, eax
		cmp	cl, [esi+8]

loc_617830:				; CODE XREF: KdpIsBreakpoint(x,x)+4Bj
		setz	al
		pop	esi
		retn
_KdpIsBreakpoint@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpWriteInstructionBuffer(x, x, x, x)
_KdpWriteInstructionBuffer@16 proc near	; CODE XREF: KdpInsertBreakpoint(x,x)+16p
					; KdpRemoveBreakpoint(x,x)+16p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, dl
		sub	eax, 1
		jz	short loc_61786F
		sub	eax, 1
		jz	short loc_617866
		dec	eax
		sub	eax, 1
		jz	short loc_61785F
		sub	eax, 4
		jnz	short loc_617874
		mov	eax, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+4], eax
		jmp	short loc_617874
; 

loc_61785F:				; CODE XREF: KdpWriteInstructionBuffer(x,x,x,x)+16j
		mov	eax, [ebp+arg_0]
		mov	[ecx], eax
		jmp	short loc_617874
; 

loc_617866:				; CODE XREF: KdpWriteInstructionBuffer(x,x,x,x)+10j
		mov	ax, word ptr [ebp+arg_0]
		mov	[ecx], ax
		jmp	short loc_617874
; 

loc_61786F:				; CODE XREF: KdpWriteInstructionBuffer(x,x,x,x)+Bj
		mov	al, byte ptr [ebp+arg_0]
		mov	[ecx], al

loc_617874:				; CODE XREF: KdpWriteInstructionBuffer(x,x,x,x)+1Bj
					; KdpWriteInstructionBuffer(x,x,x,x)+28j ...
		pop	ebp
		retn	8
_KdpWriteInstructionBuffer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpIsTryFinallyReturn(x, x)
_KdpIsTryFinallyReturn@8 proc near	; CODE XREF: KdpLevelChange(x,x,x)+92p
					; KdpLevelChange(x,x,x)+117p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	esi, ecx
		push	ebx
		push	4
		pop	edi
		push	edi
		push	ebx
		push	ebx
		push	dword ptr [edx+0C4h]
		mov	edx, edi
		mov	[ebp+var_8], ebx
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_C], ebx
		mov	byte ptr [ebp+var_1], bl
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_61791F
		mov	eax, [ebp+var_8]
		cmp	ds:_KdpCurrentSymbolStart, eax
		jnb	short loc_61791F
		cmp	eax, ds:_KdpCurrentSymbolEnd
		jnb	short loc_61791F
		push	ebx
		push	edi
		push	ebx
		add	eax, 0FFFFFFFBh
		lea	ecx, [ebp+var_1]
		push	ebx
		xor	edx, edx
		push	eax
		inc	edx
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_61791F
		mov	eax, [ebp+var_8]
		lea	ecx, [ebp+var_C]
		push	ebx
		push	edi
		push	ebx
		add	eax, 0FFFFFFFCh
		mov	edx, edi
		push	ebx
		push	eax
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_61791F
		cmp	byte ptr [ebp+var_1], 0E8h
		jnz	short loc_6178FE
		mov	eax, [ebp+var_C]
		add	eax, [ebp+var_8]
		cmp	eax, esi
		jz	short loc_61791F

loc_6178FE:				; CODE XREF: KdpIsTryFinallyReturn(x,x)+7Aj
		push	ebx
		push	edi
		push	ebx
		lea	eax, [esi-1]
		xor	edx, edx
		push	ebx
		push	eax
		inc	edx
		lea	ecx, [ebp+var_1]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_61791F
		cmp	byte ptr [ebp+var_1], 0C9h
		jz	short loc_61791F
		mov	al, 1
		jmp	short loc_617921
; 

loc_61791F:				; CODE XREF: KdpIsTryFinallyReturn(x,x)+31j
					; KdpIsTryFinallyReturn(x,x)+3Cj ...
		xor	al, al

loc_617921:				; CODE XREF: KdpIsTryFinallyReturn(x,x)+A5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KdpIsTryFinallyReturn@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 123. KeAcquireGuardedMutexUnsafe

;  S U B	R O U T	I N E 


; __fastcall KeAcquireGuardedMutexUnsafe(x)
		public @KeAcquireGuardedMutexUnsafe@4
@KeAcquireGuardedMutexUnsafe@4 proc near
		mov	edi, edi
		push	ecx
		call	ExAcquireFastMutexUnsafe
		pop	ecx
		retn
@KeAcquireGuardedMutexUnsafe@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 137. KeReleaseGuardedMutexUnsafe

;  S U B	R O U T	I N E 


; __fastcall KeReleaseGuardedMutexUnsafe(x)
		public @KeReleaseGuardedMutexUnsafe@4
@KeReleaseGuardedMutexUnsafe@4 proc near
		mov	edi, edi
		push	ecx
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		pop	ecx
		retn
@KeReleaseGuardedMutexUnsafe@4 endp


;  S U B	R O U T	I N E 


; __stdcall KeRelaxTimingConstraints(x)
_KeRelaxTimingConstraints@4 proc near	; CODE XREF: KdEnableDebugger()+7p
					; KdEnableDebugger()+1Ap ...
		cmp	ds:_KeEnableWatchdogTimeout, 0
		push	ebx
		setz	bl
		test	ecx, ecx
		jnz	short loc_61798A
		test	bl, bl
		jz	short loc_617986
		push	esi
		push	edi
		mov	edi, ds:_KeNumberProcessors
		xor	esi, esi
		test	edi, edi
		jz	short loc_617984

loc_617965:				; CODE XREF: KeRelaxTimingConstraints(x)+3Ej
		mov	ecx, ds:_KiProcessorBlock[esi*4]
		and	dword ptr [ecx+3B0Ch], 0
		and	dword ptr [ecx+4B0h], 0
		call	KiResetGlobalDpcWatchdogProfiler
		inc	esi
		cmp	esi, edi
		jb	short loc_617965

loc_617984:				; CODE XREF: KeRelaxTimingConstraints(x)+1Fj
		pop	edi
		pop	esi

loc_617986:				; CODE XREF: KeRelaxTimingConstraints(x)+11j
		mov	al, 1
		jmp	short loc_61798C
; 

loc_61798A:				; CODE XREF: KeRelaxTimingConstraints(x)+Dj
		xor	al, al

loc_61798C:				; CODE XREF: KeRelaxTimingConstraints(x)+44j
		mov	ds:_KeEnableWatchdogTimeout, al
		mov	al, bl
		pop	ebx
		retn
_KeRelaxTimingConstraints@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiDpcWatchdogCaptureStack(x)
_KiDpcWatchdogCaptureStack@4 proc near	; CODE XREF: KeAccumulateTicks+12B9B1p
					; KeAccumulateTicks+12BA3Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_KiDpcWatchdogProfileArrayLength
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ebx, [esi+4060h]
		mov	edi, [esi+4064h]
		lea	eax, [ebx+eax*4]
		cdq
		add	eax, 0FFFFFFF4h
		mov	ecx, edx
		mov	[ebp+var_4], eax
		mov	eax, edi
		adc	ecx, 0FFFFFFFFh
		cdq
		add	eax, 0D4h
		adc	edx, 0
		cmp	edx, ecx
		jb	short loc_6179DE
		ja	short loc_6179D6
		cmp	eax, [ebp+var_4]
		jbe	short loc_6179DE

loc_6179D6:				; CODE XREF: KiDpcWatchdogCaptureStack(x)+3Aj
		mov	[esi+4064h], ebx
		mov	edi, ebx

loc_6179DE:				; CODE XREF: KiDpcWatchdogCaptureStack(x)+38j
					; KiDpcWatchdogCaptureStack(x)+3Fj
		push	200h
		push	32h
		lea	eax, [edi+8]
		push	eax
		call	RtlWalkFrameChain
		cmp	eax, 2
		jbe	short loc_617A20
		cmp	eax, 34h
		ja	short loc_617A20
		lea	ecx, [eax-2]
		mov	[edi], cx
		lea	eax, ds:4[eax*4]
		add	[esi+4064h], eax
		xor	eax, eax
		mov	edi, [esi+4064h]
		stosd
		stosd
		stosd
		mov	eax, [esi+4064h]
		and	dword ptr [eax-4], 0

loc_617A20:				; CODE XREF: KiDpcWatchdogCaptureStack(x)+5Cj
					; KiDpcWatchdogCaptureStack(x)+61j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiDpcWatchdogCaptureStack@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiConfigureHeteroProcessorsTarget(x, x, x, x)
_KiConfigureHeteroProcessorsTarget@16 proc near
					; DATA XREF: KeConfigureHeteroProcessors(x,x,x)+1B3o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= word ptr -2
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_C], 0
		or	eax, 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		lock xadd [edi], eax
		dec	eax
		mov	esi, eax
		mov	ebx, 80000000h
		not	esi
		and	esi, ebx
		test	eax, 7FFFFFFFh
		jnz	short loc_617A62
		mov	eax, [edi+4]
		or	eax, esi
		mov	[edi], eax
		jmp	short loc_617A6A
; 

loc_617A5A:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+43j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx

loc_617A62:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+2Aj
		mov	eax, [edi]
		and	eax, ebx
		cmp	eax, esi
		jnz	short loc_617A5A

loc_617A6A:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+33j
		cmp	large byte ptr fs:51h, 0
		jnz	loc_617C6B
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		mov	eax, ds:_KeNumberProcessors
		mov	esi, [ecx]
		test	eax, eax
		jz	short loc_617AE3
		add	esi, 8
		mov	edi, eax

loc_617A8D:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+B9j
		mov	ebx, ds:_KiProcessorBlock[edx*4]
		mov	al, [esi-1]
		mov	[ebp+var_8], ebx
		mov	[ebx+3ED2h], al
		mov	al, [esi]
		mov	[ebx+3ED1h], al
		mov	al, [esi-2]
		mov	[ebx+3ED0h], al
		cmp	byte ptr [esi],	0
		mov	eax, [ebp+var_8]
		movzx	ebx, byte ptr [ebx+3C5h]
		mov	eax, [eax+3C8h]
		jnz	short loc_617ACF
		or	ds:dword_70E75C[ebx*8],	eax
		jmp	short loc_617AD8
; 

loc_617ACF:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+9Fj
		not	eax
		and	ds:dword_70E75C[ebx*8],	eax

loc_617AD8:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+A8j
		inc	edx
		add	esi, 3
		cmp	edx, edi
		jb	short loc_617A8D
		mov	edi, [ebp+arg_C]

loc_617AE3:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+61j
		mov	ax, ds:_KeNumberNodes
		xor	ebx, ebx
		xor	edx, edx
		mov	[ebp+var_8], ebx
		xor	esi, esi
		mov	[ebp+var_2], ax
		cmp	dx, ax
		jnb	short loc_617B5B

loc_617AFB:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+131j
		movzx	eax, si
		mov	eax, ds:_KeNodeBlock[eax*4]
		mov	[ebp+var_10], eax
		mov	ebx, [eax+84h]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		jz	short loc_617B4E
		cmp	[ebp+var_8], 0
		jnz	short loc_617B96
		mov	ebx, [ebp+var_10]
		mov	[ebp+var_8], ebx
		jmp	short loc_617B51
; 

loc_617B4E:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+119j
		mov	ebx, [ebp+var_8]

loc_617B51:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+127j
		inc	esi
		cmp	si, [ebp+var_2]
		jb	short loc_617AFB
		mov	ecx, [ebp+arg_4]

loc_617B5B:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+D4j
		xor	esi, esi

loc_617B5D:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+178j
		mov	ds:_KeHeteroSystem, esi
		mov	ds:_KeHeteroSystemVirtual, esi
		mov	ds:_KeHeteroSystemQos, esi
		test	ebx, ebx
		jz	loc_617C66
		xor	edx, edx
		inc	edx
		cmp	[ecx+8], esi
		jz	short loc_617B9F
		mov	ds:_KeHeteroSystem, edx
		mov	ds:_KeHeteroSystemVirtual, edx
		mov	ds:_KeHeteroSystemQos, edx
		jmp	loc_617C66
; 

loc_617B96:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+11Fj
		mov	ecx, [ebp+arg_4]
		xor	esi, esi
		mov	ebx, esi
		jmp	short loc_617B5D
; 

loc_617B9F:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+158j
		cmp	[ecx+0Ch], esi
		jz	short loc_617C00
		movzx	edi, word ptr [ebx+88h]
		mov	eax, [ecx+4]
		mov	ds:_KeHeteroSystem, edx
		mov	ds:_KeHeteroSystemQos, eax
		test	di, di
		jnz	short loc_617BC6
		mov	eax, [ecx+18h]
		mov	[ebp-4], eax
		jmp	short loc_617BC9
; 

loc_617BC6:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+197j
		mov	[ebp-4], esi

loc_617BC9:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+19Fj
		test	di, di
		jnz	short loc_617BD6
		mov	eax, [ecx+24h]
		mov	[ebp+arg_4], eax
		jmp	short loc_617BD9
; 

loc_617BD6:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+1A7j
		mov	[ebp+arg_4], esi

loc_617BD9:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+1AFj
		test	di, di
		jnz	short loc_617BE6
		mov	esi, [ecx+30h]
		mov	ecx, [ecx+3Ch]
		jmp	short loc_617BE8
; 

loc_617BE6:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+1B7j
		xor	ecx, ecx

loc_617BE8:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+1BFj
		mov	eax, [ebx+84h]
		and	esi, eax
		and	[ebp-4], eax
		and	[ebp+arg_4], eax
		and	ecx, eax
		mov	edi, [ebp-4]
		mov	[ebp+var_8], ecx
		jmp	short loc_617C0E
; 

loc_617C00:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+17Dj
		mov	esi, [ebx+84h]
		mov	edi, esi
		mov	[ebp+var_8], esi
		mov	[ebp+arg_4], esi

loc_617C0E:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+1D9j
					; KiConfigureHeteroProcessorsTarget(x,x,x,x)+23Cj
		lea	eax, [edx+0Eh]
		imul	ecx, eax, 0Ch
		mov	eax, edx
		add	ecx, ebx
		sub	eax, 1
		jz	short loc_617C52
		sub	eax, 1
		jz	short loc_617C3F
		sub	eax, 1
		jz	short loc_617C34
		sub	eax, 1
		jnz	short loc_617C5D
		mov	eax, [ebp+var_8]
		mov	[ecx+4], esi
		jmp	short loc_617C45
; 

loc_617C34:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+200j
		mov	eax, [ebp+var_8]
		mov	[ecx+4], esi
		mov	[ecx+8], esi
		jmp	short loc_617C5B
; 

loc_617C3F:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+1FBj
		mov	eax, [ebp+arg_4]
		mov	[ecx+4], edi

loc_617C45:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+20Dj
		mov	[ecx], eax
		mov	eax, [ebx+84h]
		mov	[ecx+8], eax
		jmp	short loc_617C5D
; 

loc_617C52:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+1F6j
		mov	eax, [ebp+arg_4]
		mov	[ecx+4], edi
		mov	[ecx+8], edi

loc_617C5B:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+218j
		mov	[ecx], eax

loc_617C5D:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+205j
					; KiConfigureHeteroProcessorsTarget(x,x,x,x)+22Bj
		inc	edx
		cmp	edx, 5
		jb	short loc_617C0E
		mov	edi, [ebp+arg_C]

loc_617C66:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+14Cj
					; KiConfigureHeteroProcessorsTarget(x,x,x,x)+16Cj
		mov	ebx, 80000000h

loc_617C6B:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+4Dj
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		dec	eax
		mov	esi, eax
		not	esi
		and	esi, ebx
		test	eax, 7FFFFFFFh
		jnz	short loc_617C89
		mov	eax, [edi+4]
		or	eax, esi
		mov	[edi], eax
		jmp	short loc_617C9F
; 

loc_617C89:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+259j
		and	[ebp+var_14], 0
		jmp	short loc_617C97
; 

loc_617C8F:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+278j
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx

loc_617C97:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+268j
		mov	eax, [edi]
		and	eax, ebx
		cmp	eax, esi
		jnz	short loc_617C8F

loc_617C9F:				; CODE XREF: KiConfigureHeteroProcessorsTarget(x,x,x,x)+262j
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_KiConfigureHeteroProcessorsTarget@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiDisableFgBoostDecayRegistryChangeHandler(x)
_KiDisableFgBoostDecayRegistryChangeHandler@4 proc near
					; DATA XREF: KiRegisterForDisableFgBoostDecayRegistryNotification+17o

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		call	_KiGetDisableFgBoostDecayRegKeyHandle@0	; KiGetDisableFgBoostDecayRegKeyHandle()
		test	eax, eax
		js	short locret_617CED
		push	0
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		push	offset ??_C@_1CI@BPFKPPAM@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAF?$AAG?$AAB?$AAo?$AAo?$AAs?$AAt?$AAD@FNODOBFM@
		push	ds:_KiDisableFgBoostDecayRegistryHandle
		call	RtlQueryImageFileKeyOption
		test	eax, eax
		js	short locret_617CED
		cmp	[ebp+var_4], 0
		setnz	ds:_KiForegrounBoostVelocityFlag
		call	KiRegisterForDisableFgBoostDecayRegistryNotification

locret_617CED:				; CODE XREF: KiDisableFgBoostDecayRegistryChangeHandler(x)+11j
					; KiDisableFgBoostDecayRegistryChangeHandler(x)+2Fj
		leave
		retn	4
_KiDisableFgBoostDecayRegistryChangeHandler@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiReconfigureNodeSchedulingInformation(x, x)
_KiReconfigureNodeSchedulingInformation@8 proc near
					; CODE XREF: KiInitializeDynamicProcessorDpc(x,x,x,x)+DBp
		mov	eax, [edx+3C8h]
		or	[ecx+94h], eax
		push	esi
		mov	esi, [ecx+10Ch]
		test	[edx+4034h], esi
		jnz	short loc_617D1A
		mov	eax, [edx+3C8h]
		or	eax, esi
		mov	[ecx+10Ch], eax

loc_617D1A:				; CODE XREF: KiReconfigureNodeSchedulingInformation(x,x)+19j
		mov	eax, [edx+4020h]
		or	[ecx+90h], eax
		mov	eax, [edx+402Ch]
		pop	esi
		cmp	eax, [edx+3C8h]
		jz	short locret_617D3C
		or	byte ptr [ecx+0A5h], 20h

locret_617D3C:				; CODE XREF: KiReconfigureNodeSchedulingInformation(x,x)+42j
		retn
_KiReconfigureNodeSchedulingInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeConfigureDynamicMemory(x,	x, x)
_KeConfigureDynamicMemory@12 proc near	; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+268p
					; MiMapNewPfns(x,x,x,x,x)+141p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	[ebp+arg_0]
		call	_HvlConfigureDynamicMemory@12 ;	HvlConfigureDynamicMemory(x,x,x)
		mov	esp, ebp
		pop	ebp
		retn	4
_KeConfigureDynamicMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAdjustTimerDelayProcess(x, x, x, x)
_KeAdjustTimerDelayProcess@16 proc near	; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+198p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:20h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+var_10], al
		lea	eax, [edi+34h]
		push	eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		lea	ebx, [edi+2Ch]
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	short loc_617DAB
		mov	edi, [ebp+var_4]

loc_617D8D:				; CODE XREF: KeAdjustTimerDelayProcess(x,x,x,x)+53j
		mov	edx, [ebp+var_8]
		lea	ecx, [esi-1D4h]
		push	edi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_KiAdjustThreadTimer@20	; KiAdjustThreadTimer(x,x,x,x,x)
		mov	esi, [esi]
		cmp	esi, ebx
		jnz	short loc_617D8D
		mov	edi, [ebp+var_C]

loc_617DAB:				; CODE XREF: KeAdjustTimerDelayProcess(x,x,x,x)+35j
		mov	eax, [ebp+var_4]
		mov	[edi+0ACh], eax
		lea	eax, [edi+34h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		push	[ebp+var_10]
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		push	0
		push	1
		call	KiExitDispatcher
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KeAdjustTimerDelayProcess@16 endp


;  S U B	R O U T	I N E 


; __stdcall KeIsProcessPowerThrottled(x, x)
_KeIsProcessPowerThrottled@8 proc near	; CODE XREF: ExpGetProcessInformation+10B5B2p
		mov	eax, [ecx+64h]
		shr	eax, 7
		and	eax, 7
		mov	eax, ds:_KiProcessPolicyToQosMappingTable[eax*4]
		cmp	eax, 5
		jnz	short loc_617DF3
		cmp	dl, 1
		jnz	short loc_617DF8

loc_617DEF:				; CODE XREF: KeIsProcessPowerThrottled(x,x)+21j
		xor	eax, eax
		inc	eax
		retn
; 

loc_617DF3:				; CODE XREF: KeIsProcessPowerThrottled(x,x)+13j
		cmp	eax, 2
		jz	short loc_617DEF

loc_617DF8:				; CODE XREF: KeIsProcessPowerThrottled(x,x)+18j
		xor	eax, eax
		retn
_KeIsProcessPowerThrottled@8 endp


;  S U B	R O U T	I N E 


; __stdcall KeRetryOutswapProcess(x)
_KeRetryOutswapProcess@4 proc near	; CODE XREF: .text:005E9111p
					; MmReleaseCommitForMemResetPages(x,x)+180p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bl, al
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		lea	ecx, [edi+7Ch]
		mov	esi, [ecx]
		push	7
		pop	eax
		and	esi, eax
		cmp	esi, 1
		jnz	short loc_617E23
		lock xor [ecx],	eax

loc_617E23:				; CODE XREF: KeRetryOutswapProcess(x)+23j
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	esi, 1
		jnz	short loc_617E63
		mov	eax, ds:_KiProcessOutSwapListHead

loc_617E3D:				; CODE XREF: KeRetryOutswapProcess(x)+55j
		mov	[edi+54h], eax
		lea	ecx, [edi+54h]
		mov	edx, eax
		mov	esi, offset _KiProcessOutSwapListHead
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_617E3D
		test	eax, eax
		jnz	short loc_617E63
		push	eax
		push	0Ah
		push	offset _KiSwapEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_617E63:				; CODE XREF: KeRetryOutswapProcess(x)+3Bj
					; KeRetryOutswapProcess(x)+59j
		pop	edi
		pop	esi
		pop	ebx
		retn
_KeRetryOutswapProcess@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1113. KeClockTimerPowerChange

;  S U B	R O U T	I N E 


; __stdcall KeClockTimerPowerChange(x)
		public _KeClockTimerPowerChange@4
_KeClockTimerPowerChange@4 proc	near
		inc	ds:_KiClockStats
		retn	4
_KeClockTimerPowerChange@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1150. KeGetClockTimerResolution

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeGetClockTimerResolution(x, x)
		public _KeGetClockTimerResolution@8
_KeGetClockTimerResolution@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_KeTimeIncrement
		mov	[ecx], eax
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_KiLastRequestedTimeIncrement
		mov	[ecx], eax
		pop	ebp
		retn	8
_KeGetClockTimerResolution@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1155. KeGetNextClockTickDuration

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeGetNextClockTickDuration()
		public _KeGetNextClockTickDuration@0
_KeGetNextClockTickDuration@0 proc near

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	ecx, [ebp+var_8]
		mov	edi, esi
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	ebx, ds:dword_6CABA4
		mov	ecx, eax
		cmp	ebx, edx
		jb	short loc_617ED4
		ja	short loc_617EC8
		cmp	ds:_KiClockTimerNextTickTime, ecx
		jbe	short loc_617ED4

loc_617EC8:				; CODE XREF: KeGetNextClockTickDuration()+22j
		mov	esi, ds:_KiClockTimerNextTickTime
		mov	edi, ebx
		sub	esi, ecx
		sbb	edi, edx

loc_617ED4:				; CODE XREF: KeGetNextClockTickDuration()+20j
					; KeGetNextClockTickDuration()+2Aj
		mov	edx, edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KeGetNextClockTickDuration@0 endp


;  S U B	R O U T	I N E 


; __stdcall KeResumeClockTimerSafe()
_KeResumeClockTimerSafe@0 proc near	; CODE XREF: IopLiveDumpProcessCorralStateChange(x,x):loc_72D2AFp
					; PnprQuiesceProcessorDpc(x,x,x,x):loc_72E044p	...
		mov	edi, edi
		push	ebx
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_617F0B
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1Ch
		jnb	short loc_617F0B
		mov	cl, 1Ch
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		call	KiResumeClockTimer
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_617F0B:				; CODE XREF: KeResumeClockTimerSafe()+Aj
					; KeResumeClockTimerSafe()+14j
		pop	ebx
		jmp	KiResumeClockTimer
_KeResumeClockTimerSafe@0 endp


;  S U B	R O U T	I N E 


; __stdcall KeSuspendClockTimerSafe()
_KeSuspendClockTimerSafe@0 proc	near	; CODE XREF: IopLiveDumpProcessCorralStateChange(x,x):loc_72D2C1p
					; PnprQuiesceProcessorDpc(x,x,x,x):loc_72DF88p	...
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_617F3D
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1Ch
		jnb	short loc_617F3D
		push	ebx
		mov	cl, 1Ch
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		call	_KiSuspendClockTimer@0 ; KiSuspendClockTimer()
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_617F3D:				; CODE XREF: KeSuspendClockTimerSafe()+7j
					; KeSuspendClockTimerSafe()+11j
		jmp	_KiSuspendClockTimer@0 ; KiSuspendClockTimer()
_KeSuspendClockTimerSafe@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAdjustTimersAfterDripsExit(x, x, x)
_KiAdjustTimersAfterDripsExit@12 proc near ; CODE XREF:	KeResumeClockTimerFromIdle+12B4A2p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_20]
		push	8
		pop	ecx
		rep stosd
		cmp	ds:_KiSerializeTimerExpiration,	eax
		jz	loc_618022
		mov	esi, [ebp+arg_0]
		mov	ecx, 989680h
		sub	esi, ds:_KiClockTimerOneShotStartTime
		mov	edi, [ebp+arg_4]
		sbb	edi, ds:dword_6CAB2C
		mov	eax, ds:_KiTimerRebaseThresholdOnDripsExit
		mul	ecx
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], edi
		cmp	edi, edx
		jl	loc_618022
		jg	short loc_617F9B
		cmp	esi, eax
		jbe	loc_618022

loc_617F9B:				; CODE XREF: KiAdjustTimersAfterDripsExit(x,x,x)+4Fj
		mov	ecx, ds:0FFDF03B0h
		mov	eax, ds:0FFDF03B4h
		add	ecx, esi
		mov	ds:0FFDF03B0h, ecx
		adc	eax, edi
		xor	edx, edx
		mov	ds:0FFDF03B4h, eax
		mov	eax, 0FFDF03B0h
		mov	ecx, [eax]
		mov	eax, [eax+4]
		cmp	eax, edx
		jg	short loc_617FD0
		jl	short loc_617FCB
		cmp	ecx, edx
		jnb	short loc_617FD0

loc_617FCB:				; CODE XREF: KiAdjustTimersAfterDripsExit(x,x,x)+83j
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_617FD0:				; CODE XREF: KiAdjustTimersAfterDripsExit(x,x,x)+81j
					; KiAdjustTimersAfterDripsExit(x,x,x)+87j
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_C]
		neg	ecx
		mov	[ebp+var_10], ecx
		mov	ecx, ebx
		adc	eax, edx
		mov	[ebp+var_1C], edx
		neg	eax
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], edx
		xor	dl, dl
		mov	byte ptr [ebp+var_20], 1
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], 1
		call	_KiSelectActiveTimerTable@8 ; KiSelectActiveTimerTable(x,x)
		mov	cl, 2
		mov	esi, eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, large fs:20h
		mov	bl, al
		lea	eax, [ebp+var_20]
		mov	edx, esi
		push	eax
		call	KiAdjustTimerDueTimes
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_618022:				; CODE XREF: KiAdjustTimersAfterDripsExit(x,x,x)+1Dj
					; KiAdjustTimersAfterDripsExit(x,x,x)+49j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KiAdjustTimersAfterDripsExit@12 endp


;  S U B	R O U T	I N E 


; __stdcall KiResetClockInterval(x)
_KiResetClockInterval@4	proc near	; CODE XREF: KiSetVirtualHeteroClockIntervalRequest(x)+21p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	esi
		push	offset _KiClockIntervalRequests
		call	RtlRbRemoveNode
		mov	edx, [esi+14h]
		mov	byte ptr [esi+0Ch], 0
		pop	esi
		test	edx, edx
		jz	short loc_61804E
		push	1
		xor	ecx, ecx
		call	PoTraceSystemTimerResolutionKernel

loc_61804E:				; CODE XREF: KiResetClockInterval(x)+1Aj
		jmp	_KiSetClockIntervalToMinimumRequested@0	; KiSetClockIntervalToMinimumRequested()
_KiResetClockInterval@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiAcquireQueuedSpinLockCheckForFreeze(x, x)
@KiAcquireQueuedSpinLockCheckForFreeze@8 proc near ; CODE XREF:	sub_59C2E7+63p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	eax, [esi+4]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_618072
		or	dword ptr [esi+4], 2
		jmp	short loc_6180B5
; 

loc_618072:				; CODE XREF: KiAcquireQueuedSpinLockCheckForFreeze(x,x)+17j
		or	dword ptr [esi+4], 1
		mov	[ecx], esi
		mov	edi, large fs:20h
		mov	eax, [esi+4]
		test	al, 1
		jz	short loc_6180B5
		add	edi, 21A0h

loc_61808C:				; CODE XREF: KiAcquireQueuedSpinLockCheckForFreeze(x,x)+60j
		mov	eax, [edi]
		test	al, 4
		jz	short loc_6180AC
		mov	edx, [edi]
		mov	ecx, edx
		and	ecx, 0FFFFFFFBh
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_6180AC
		xor	edx, edx
		mov	ecx, ebx
		call	_KiFreezeTargetExecution@8 ; KiFreezeTargetExecution(x,x)

loc_6180AC:				; CODE XREF: KiAcquireQueuedSpinLockCheckForFreeze(x,x)+3Dj
					; KiAcquireQueuedSpinLockCheckForFreeze(x,x)+4Ej
		pause
		mov	eax, [esi+4]
		test	al, 1
		jnz	short loc_61808C

loc_6180B5:				; CODE XREF: KiAcquireQueuedSpinLockCheckForFreeze(x,x)+1Dj
					; KiAcquireQueuedSpinLockCheckForFreeze(x,x)+31j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
@KiAcquireQueuedSpinLockCheckForFreeze@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiProcessDebugRegister(x, x)
@KiProcessDebugRegister@8 proc near	; CODE XREF: VdmOpcodeSetDrx+6Ep
					; VdmOpcodeSetDrx+8Cp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	bl, [eax+3]
		mov	eax, ds:_KiDebugRegisterTrapOffsets[edx*4]
		and	bl, 0DFh
		mov	[ebp+var_4], ecx
		cmp	[esi+eax], ecx
		jz	short loc_618104
		mov	ecx, [esi+28h]
		test	bl, bl
		movzx	eax, bl
		setz	byte ptr [ebp+var_4]
		bts	eax, edx
		test	ecx, 0FFFF23FFh
		jnz	short loc_618117
		or	al, 10h
		or	ecx, 0F0000h
		jmp	short loc_618114
; 

loc_618104:				; CODE XREF: KiProcessDebugRegister(x,x)+25j
		test	bl, bl
		jz	short loc_618129
		movzx	eax, bl
		btr	eax, edx
		cmp	al, 10h
		jnz	short loc_618117
		mov	al, cl

loc_618114:				; CODE XREF: KiProcessDebugRegister(x,x)+46j
		mov	[esi+28h], ecx

loc_618117:				; CODE XREF: KiProcessDebugRegister(x,x)+3Cj
					; KiProcessDebugRegister(x,x)+54j
		cmp	bl, al
		jz	short loc_618129
		mov	ecx, large fs:124h
		mov	dl, al
		call	_KiSetDebugActiveMask@8	; KiSetDebugActiveMask(x,x)

loc_618129:				; CODE XREF: KiProcessDebugRegister(x,x)+4Aj
					; KiProcessDebugRegister(x,x)+5Dj
		mov	al, byte ptr [ebp+var_4]
		pop	esi
		pop	ebx
		leave
		retn
@KiProcessDebugRegister@8 endp


;  S U B	R O U T	I N E 


; __fastcall KiUpdateDr7(x)
@KiUpdateDr7@4	proc near		; CODE XREF: VdmOpcodeGetDrx+70p
		mov	eax, large fs:124h
		mov	al, [eax+3]
		and	al, 10h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx
		retn
@KiUpdateDr7@4	endp


;  S U B	R O U T	I N E 


; __stdcall KiSetDebugActiveMask(x, x)
_KiSetDebugActiveMask@8	proc near	; CODE XREF: KeContextToKframes+167DBAp
					; KiRecordDr7+16792Dp ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		push	edi
		movzx	edi, dl
		shl	edi, 18h

loc_618153:				; CODE XREF: KiSetDebugActiveMask(x,x)+20j
		mov	edx, esi
		and	esi, 20FFFFFFh
		or	esi, edi
		mov	eax, edx
		lock cmpxchg [ecx], esi
		mov	esi, eax
		cmp	esi, edx
		jnz	short loc_618153
		pop	edi
		pop	esi
		retn
_KiSetDebugActiveMask@8	endp


;  S U B	R O U T	I N E 


; __fastcall KiResetProcessorTraceBuffer()
@KiResetProcessorTraceBuffer@0 proc near ; CODE	XREF: _SwapContext_NoNpxLoad+F1p
					; _EnlightenedSwapContext_SaveIpt+204p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, 570h
		mov	bl, al
		rdmsr
		mov	esi, eax
		mov	edi, edx
		mov	ecx, esi
		and	ecx, 1
		or	ecx, 0
		jz	short loc_6181B1
		and	eax, 0FFFFFFFEh
		mov	ecx, 570h
		wrmsr
		xor	eax, eax
		xor	edx, edx
		add	ecx, 0FFFFFFF1h
		wrmsr
		mov	ecx, 571h
		wrmsr
		dec	ecx
		mov	eax, esi
		mov	edx, edi
		wrmsr

loc_6181B1:				; CODE XREF: KiResetProcessorTraceBuffer()+22j
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
@KiResetProcessorTraceBuffer@0 endp

; [00000005 BYTES: COLLAPSED FUNCTION SymCryptFatal(x).	PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 


; __fastcall SymCryptRestoreXmm(x)
@SymCryptRestoreXmm@4 proc near		; CODE XREF: SymCryptSha256AppendBlocks(x,x,x,x)+56p
		jmp	@SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
@SymCryptRestoreXmm@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeComputeSha256(x, x, x)
_KeComputeSha256@12 proc near		; CODE XREF: ExpKdPullRemoteFileForUser(x)+118p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	@SymCryptSha256@12 ; SymCryptSha256(x,x,x)
_KeComputeSha256@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1116. KeConvertAuxiliaryCounterToPerformanceCounter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeConvertAuxiliaryCounterToPerformanceCounter(x, x,	x, x)
		public _KeConvertAuxiliaryCounterToPerformanceCounter@16
_KeConvertAuxiliaryCounterToPerformanceCounter@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:off_6B13DC	; xHalConvertPerformanceCounterToAuxiliaryCounter(x,x,x,x)
		pop	ebp
		retn	10h
_KeConvertAuxiliaryCounterToPerformanceCounter@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1117. KeConvertPerformanceCounterToAuxiliaryCounter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeConvertPerformanceCounterToAuxiliaryCounter(x, x,	x, x)
		public _KeConvertPerformanceCounterToAuxiliaryCounter@16
_KeConvertPerformanceCounterToAuxiliaryCounter@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:off_6B13D8	; xHalConvertPerformanceCounterToAuxiliaryCounter(x,x,x,x)
		pop	ebp
		retn	10h
_KeConvertPerformanceCounterToAuxiliaryCounter@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1122. KeDeregisterBoundCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeDeregisterBoundCallback(x)
		public _KeDeregisterBoundCallback@4
_KeDeregisterBoundCallback@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, 0C0000008h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _KiBoundsCallback
		call	ExReferenceCallBackBlock
		mov	esi, eax
		test	esi, esi
		jz	short loc_6182A0
		mov	eax, [esi+4]
		push	ebx
		xor	bl, bl
		cmp	eax, [ebp+arg_0]
		jnz	short loc_61825A
		push	esi
		xor	edx, edx
		mov	ecx, offset _KiBoundsCallback
		call	ExCompareExchangeCallBack
		mov	bl, al

loc_61825A:				; CODE XREF: KeDeregisterBoundCallback(x)+33j
		mov	ecx, ds:_KiBoundsCallback
		mov	eax, ecx
		jmp	short loc_61827D
; 

loc_618264:				; CODE XREF: KeDeregisterBoundCallback(x)+6Cj
		lea	edx, [ecx+1]
		mov	eax, ecx
		mov	edi, offset _KiBoundsCallback
		lock cmpxchg [edi], edx
		mov	edi, 0C0000008h
		cmp	eax, ecx
		jz	short loc_61828B
		mov	ecx, eax

loc_61827D:				; CODE XREF: KeDeregisterBoundCallback(x)+4Cj
		xor	eax, esi
		cmp	eax, 7
		jb	short loc_618264
		mov	ecx, esi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_61828B:				; CODE XREF: KeDeregisterBoundCallback(x)+63j
		test	bl, bl
		pop	ebx
		jz	short loc_6182A0
		mov	ecx, esi
		call	_ExWaitForCallBacks@4 ;	ExWaitForCallBacks(x)
		mov	ecx, esi
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)
		xor	edi, edi

loc_6182A0:				; CODE XREF: KeDeregisterBoundCallback(x)+28j
					; KeDeregisterBoundCallback(x)+78j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_KeDeregisterBoundCallback@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1125. KeDeregisterNmiCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeDeregisterNmiCallback(x)
		public _KeDeregisterNmiCallback@4
_KeDeregisterNmiCallback@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		pop	ebp
		jmp	_KiDeregisterNmiSxCallback@12 ;	KiDeregisterNmiSxCallback(x,x,x)
_KeDeregisterNmiCallback@4 endp


;  S U B	R O U T	I N E 


; __stdcall KeGetProcessQosFromPolicy(x)
_KeGetProcessQosFromPolicy@4 proc near	; CODE XREF: PspSetProcessPpmPolicy+122D43p
		mov	eax, ds:_KiProcessPolicyToQosMappingTable[ecx*4]
		retn
_KeGetProcessQosFromPolicy@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeProcessorProfileControlArea(x, x,	x)
_KeProcessorProfileControlArea@12 proc near ; CODE XREF: PAGE:007B4420p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= byte ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	[ebp+var_28], esi
		jz	short loc_6182F9
		mov	eax, 0C0000022h
		jmp	loc_6183F6
; 

loc_6182F9:				; CODE XREF: KeProcessorProfileControlArea(x,x,x)+1Ej
		cmp	edx, 8
		jz	short loc_618308
		mov	eax, 0C0000004h
		jmp	loc_6183F6
; 

loc_618308:				; CODE XREF: KeProcessorProfileControlArea(x,x,x)+2Dj
		mov	al, [esi+4]
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_19], al
		test	al, al
		jz	short loc_61834D
		push	41435050h
		mov	edi, 0A0h
		push	edi
		push	204h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_20], ebx
		test	ebx, ebx
		jnz	short loc_618341
		and	[esi], eax
		mov	eax, 0C000009Ah
		jmp	loc_6183F6
; 

loc_618341:				; CODE XREF: KeProcessorProfileControlArea(x,x,x)+64j
		push	edi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch

loc_61834D:				; CODE XREF: KeProcessorProfileControlArea(x,x,x)+46j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, large fs:20h
		mov	ecx, edi
		mov	[ebp+var_1A], al
		mov	[ebp+var_24], edi
		call	_KiIsIntelPebsSupported@4 ; KiIsIntelPebsSupported(x)
		test	al, al
		jnz	short loc_618375
		and	dword ptr [esi], 0
		mov	esi, 0C00000BBh
		jmp	short loc_6183DF
; 

loc_618375:				; CODE XREF: KeProcessorProfileControlArea(x,x,x)+9Aj
		cmp	[ebp+var_19], 0
		jz	loc_618407
		mov	eax, [edi+4078h]
		test	eax, eax
		jz	short loc_618392
		mov	[esi], eax
		mov	esi, 0C000020Ah
		jmp	short loc_6183DF
; 

loc_618392:				; CODE XREF: KeProcessorProfileControlArea(x,x,x)+B8j
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		lea	edi, [ebp+var_18]
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	ebx, [ebp+var_20]
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	ecx, [ebp+var_24]
		mov	[edi+0Ch], edx
		test	[ebp+var_10], 4
		mov	[ecx+4078h], ebx
		jz	short loc_6183CB
		push	28h
		jmp	short loc_6183CD
; 

loc_6183CB:				; CODE XREF: KeProcessorProfileControlArea(x,x,x)+F6j
		push	14h

loc_6183CD:				; CODE XREF: KeProcessorProfileControlArea(x,x,x)+FAj
		pop	eax
		add	eax, ebx
		mov	[ecx+407Ch], eax
		mov	eax, [ebp+var_28]
		mov	[eax], ebx
		xor	ebx, ebx

loc_6183DD:				; CODE XREF: KeProcessorProfileControlArea(x,x,x)+142j
		xor	esi, esi

loc_6183DF:				; CODE XREF: KeProcessorProfileControlArea(x,x,x)+A4j
					; KeProcessorProfileControlArea(x,x,x)+C1j ...
		mov	cl, [ebp+var_1A]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jz	short loc_6183F4
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6183F4:				; CODE XREF: KeProcessorProfileControlArea(x,x,x)+11Bj
		mov	eax, esi

loc_6183F6:				; CODE XREF: KeProcessorProfileControlArea(x,x,x)+25j
					; KeProcessorProfileControlArea(x,x,x)+34j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_618407:				; CODE XREF: KeProcessorProfileControlArea(x,x,x)+AAj
		and	dword ptr [esi], 0
		cmp	dword ptr [edi+4078h], 0
		jnz	short loc_6183DD
		mov	esi, 0C00000A0h
		jmp	short loc_6183DF
_KeProcessorProfileControlArea@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1218. KeQueryAuxiliaryCounterFrequency

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryAuxiliaryCounterFrequency(x)
		public _KeQueryAuxiliaryCounterFrequency@4
_KeQueryAuxiliaryCounterFrequency@4 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:off_6B13E0	; xKdReleasePciDeviceForDebugging(x)
_KeQueryAuxiliaryCounterFrequency@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryReadyQueueStatsProcessor(x, x, x, x,	x)
_KeQueryReadyQueueStatsProcessor@20 proc near ;	CODE XREF: KiChooseTargetProcessor+C8B1Bp
					; KiCanSelectSoftParkedProcessor(x,x)+30p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		cmp	dword ptr [esi+4020h], 0
		jz	short loc_618487
		mov	edi, [esi+4024h]
		and	[ebp+var_4], 0

loc_61844C:				; CODE XREF: KeQueryReadyQueueStatsProcessor(x,x,x,x,x)+36j
		lock bts dword ptr [edi], 0
		jnb	short loc_618463

loc_618453:				; CODE XREF: KeQueryReadyQueueStatsProcessor(x,x,x,x,x)+34j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_618453
		jmp	short loc_61844C
; 

loc_618463:				; CODE XREF: KeQueryReadyQueueStatsProcessor(x,x,x,x,x)+26j
		mov	eax, [ebp+arg_4]
		mov	ecx, [edi+134h]
		mov	[eax], ecx
		mov	ecx, [ebp+arg_8]
		mov	eax, [edi+138h]
		mov	[ecx], eax
		mov	eax, [edi+13Ch]
		mov	[ecx+4], eax
		xor	eax, eax
		lock and [edi],	eax

loc_618487:				; CODE XREF: KeQueryReadyQueueStatsProcessor(x,x,x,x,x)+15j
		and	[ebp+var_8], 0
		lea	edi, [esi+2224h]

loc_618491:				; CODE XREF: KeQueryReadyQueueStatsProcessor(x,x,x,x,x)+7Bj
		lock bts dword ptr [edi], 0
		jnb	short loc_6184A8

loc_618498:				; CODE XREF: KeQueryReadyQueueStatsProcessor(x,x,x,x,x)+79j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_618498
		jmp	short loc_618491
; 

loc_6184A8:				; CODE XREF: KeQueryReadyQueueStatsProcessor(x,x,x,x,x)+6Bj
		mov	ecx, [ebp+arg_0]
		mov	eax, [esi+3B38h]
		mov	[ebx], eax
		mov	eax, [esi+3B88h]
		mov	[ecx], eax
		mov	eax, [esi+3B8Ch]
		mov	[ecx+4], eax
		xor	eax, eax
		lock and [edi],	eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_KeQueryReadyQueueStatsProcessor@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryWakeSource(x, x)
_KeQueryWakeSource@8 proc near		; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1034p

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, edx
		push	84h		; size_t
		push	ebx		; int
		push	edi		; void *
		mov	esi, ecx
		mov	[ebp+var_1], bl
		mov	[ebp+var_8], ebx
		mov	[ebp+var_2], bl
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		call	ds:off_6B13BC	; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
		test	eax, eax
		jns	short loc_61851A
		cmp	eax, 0C0000001h
		jnz	loc_6185B9
		mov	[esi], ebx
		jmp	loc_6185B7
; 

loc_61851A:				; CODE XREF: KeQueryWakeSource(x,x)+36j
		cmp	[ebp+var_8], 0D1h
		jz	short loc_618589
		cmp	[ebp+var_8], 0D3h
		jz	short loc_618589
		mov	cl, 1Fh
		mov	dword ptr [esi], 5
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_2], al
		call	_KiGetInterruptObjectFromVector@4 ; KiGetInterruptObjectFromVector(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_618553
		mov	dword ptr [esi], 2
		jmp	short loc_61857C
; 

loc_618553:				; CODE XREF: KeQueryWakeSource(x,x)+79j
		xor	eax, eax
		mov	ecx, ebx

loc_618557:				; CODE XREF: KeQueryWakeSource(x,x)+AAj
		mov	edx, [ecx+10h]
		test	edx, edx
		jnz	short loc_618565
		mov	edx, [ecx+0Ch]
		test	edx, edx
		jz	short loc_618568

loc_618565:				; CODE XREF: KeQueryWakeSource(x,x)+8Cj
		mov	[edi+eax*4], edx

loc_618568:				; CODE XREF: KeQueryWakeSource(x,x)+93j
		mov	ecx, [ecx+4]
		inc	eax
		test	ecx, ecx
		jz	short loc_61857C
		add	ecx, 0FFFFFFFCh
		cmp	ecx, ebx
		jz	short loc_61857C
		cmp	eax, 3
		jb	short loc_618557

loc_61857C:				; CODE XREF: KeQueryWakeSource(x,x)+81j
					; KeQueryWakeSource(x,x)+9Ej ...
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		jmp	short loc_6185B9
; 

loc_618589:				; CODE XREF: KeQueryWakeSource(x,x)+51j
					; KeQueryWakeSource(x,x)+5Aj
		lea	ecx, [ebp+var_10]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		push	edx
		push	eax
		lea	edx, [ebp+var_2]
		lea	ecx, [ebp-1]
		call	_KiGetPastDueIRTimerInfo@16 ; KiGetPastDueIRTimerInfo(x,x,x,x)
		test	eax, eax
		jz	short loc_6185B2
		mov	al, [ebp+var_1]
		mov	[edi], al
		mov	al, [ebp+var_2]
		push	6
		mov	[edi+2], al
		pop	eax
		jmp	short loc_6185B5
; 

loc_6185B2:				; CODE XREF: KeQueryWakeSource(x,x)+D0j
		xor	eax, eax
		inc	eax

loc_6185B5:				; CODE XREF: KeQueryWakeSource(x,x)+E0j
		mov	[esi], eax

loc_6185B7:				; CODE XREF: KeQueryWakeSource(x,x)+45j
		mov	eax, ebx

loc_6185B9:				; CODE XREF: KeQueryWakeSource(x,x)+3Dj
					; KeQueryWakeSource(x,x)+B7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KeQueryWakeSource@8 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 1249. KeRegisterBoundCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRegisterBoundCallback(x)
		public _KeRegisterBoundCallback@4
_KeRegisterBoundCallback@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		call	_MmVerifyCallbackFunction@4 ; MmVerifyCallbackFunction(x)
		test	eax, eax
		jz	short loc_618606
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	edi
		call	_ExAllocateCallBack@8 ;	ExAllocateCallBack(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_618605
		push	esi
		mov	edx, edi
		mov	ecx, offset _KiBoundsCallback
		call	ExCompareExchangeCallBack
		test	al, al
		jz	short loc_6185FE
		mov	esi, [ebp+arg_0]
		jmp	short loc_618605
; 

loc_6185FE:				; CODE XREF: KeRegisterBoundCallback(x)+34j
		mov	ecx, edi
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_618605:				; CODE XREF: KeRegisterBoundCallback(x)+23j
					; KeRegisterBoundCallback(x)+39j
		pop	edi

loc_618606:				; CODE XREF: KeRegisterBoundCallback(x)+12j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_KeRegisterBoundCallback@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1252. KeRegisterNmiCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRegisterNmiCallback(x, x)
		public _KeRegisterNmiCallback@8
_KeRegisterNmiCallback@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	esi
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	_KiRegisterNmiSxCallback@16 ; KiRegisterNmiSxCallback(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_618633
		mov	ecx, [ebp+arg_0]
		call	_KiTraceLogNmiCallback@4 ; KiTraceLogNmiCallback(x)

loc_618633:				; CODE XREF: KeRegisterNmiCallback(x,x)+17j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_KeRegisterNmiCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetMaxDynamicTickDuration(x, x)
_KeSetMaxDynamicTickDuration@8 proc near ; CODE	XREF: PopEnforceDeepSleep+A5F6Ep
					; PopEnforceDeepSleep+A5FA7p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		mov	eax, ds:_KeMaximumIncrement
		push	ebx
		push	esi
		push	edi
		cmp	edx, ecx
		ja	short loc_618661
		jb	short loc_61865B
		mov	edi, [ebp+arg_0]
		cmp	eax, edi
		jnb	short loc_618664

loc_61865B:				; CODE XREF: KeSetMaxDynamicTickDuration(x,x)+18j
		mov	edi, eax
		mov	ecx, edx
		jmp	short loc_618664
; 

loc_618661:				; CODE XREF: KeSetMaxDynamicTickDuration(x,x)+16j
		mov	edi, [ebp+arg_0]

loc_618664:				; CODE XREF: KeSetMaxDynamicTickDuration(x,x)+1Fj
					; KeSetMaxDynamicTickDuration(x,x)+25j	...
		mov	esi, ds:_KiMaxDynamicTickDuration
		mov	eax, esi
		mov	edx, ds:dword_70505C
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], edx
		mov	[ebp+arg_4], offset _KiMaxDynamicTickDuration
		nop
		mov	esi, [ebp+arg_4]
		mov	ebx, edi
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, [ebp+var_4]
		jnz	short loc_618664
		cmp	edx, [ebp+var_8]
		jnz	short loc_618664
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KeSetMaxDynamicTickDuration@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetTimeAdjustment(x, x)
_KeSetTimeAdjustment@8 proc near	; CODE XREF: ExpInsertTimerResolutionEntry+178028p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_14]
		mov	byte ptr [ebp+var_1], 0
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_0]
		cmp	edi, ds:_KeTimeAdjustmentFrequency
		jnz	short loc_6186C7
		cmp	esi, ds:dword_70E724
		jz	short loc_618718

loc_6186C7:				; CODE XREF: KeSetTimeAdjustment(x,x)+23j
		mov	eax, edi
		or	eax, esi
		jnz	short loc_6186D4
		mov	eax, 0C0000094h
		jmp	short loc_618721
; 

loc_6186D4:				; CODE XREF: KeSetTimeAdjustment(x,x)+31j
		test	esi, esi
		jnz	short loc_6186DF
		cmp	edi, 2
		jb	short loc_61871C
		test	esi, esi

loc_6186DF:				; CODE XREF: KeSetTimeAdjustment(x,x)+3Cj
		ja	short loc_61871C
		jb	short loc_6186E8
		cmp	edi, 0FFFFFFFFh
		ja	short loc_61871C

loc_6186E8:				; CODE XREF: KeSetTimeAdjustment(x,x)+47j
		lea	edx, [ebp+var_1]
		mov	ecx, edi
		call	RtlGenerateQpcToIncrementConstants
		mov	[ebp+var_14], eax
		lea	ecx, [ebp+var_14]
		mov	al, byte ptr [ebp+var_1]
		push	0
		mov	[ebp+var_10], edx
		xor	edx, edx
		push	0
		mov	[ebp+var_C], al
		mov	ds:_KeTimeAdjustmentFrequency, edi
		mov	ds:dword_70E724, esi
		call	KiUpdateSystemTime

loc_618718:				; CODE XREF: KeSetTimeAdjustment(x,x)+2Bj
		xor	eax, eax
		jmp	short loc_618721
; 

loc_61871C:				; CODE XREF: KeSetTimeAdjustment(x,x)+41j
					; KeSetTimeAdjustment(x,x):loc_6186DFj	...
		mov	eax, 0C0000095h

loc_618721:				; CODE XREF: KeSetTimeAdjustment(x,x)+38j
					; KeSetTimeAdjustment(x,x)+80j
		pop	edi
		pop	esi
		leave
		retn	8
_KeSetTimeAdjustment@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiDeregisterNmiSxCallback(x, x, x)
_KiDeregisterNmiSxCallback@12 proc near	; CODE XREF: KeDeregisterNmiCallback(x)+9j

var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_18], ecx
		lea	edi, [ebp+var_10]
		xor	ebx, ebx
		stosd
		stosd
		stosd
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _KiNmiCallbackListLock
		mov	[ebp+var_11], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, ds:_KiNmiCallbackListHead
		mov	ecx, offset _KiNmiCallbackListHead
		test	esi, esi
		jz	loc_6187F8
		mov	eax, [ebp+var_18]

loc_618774:				; CODE XREF: KiDeregisterNmiSxCallback(x,x,x)+58j
		cmp	[esi+0Ch], eax
		jz	short loc_618781
		mov	ecx, esi
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_618774

loc_618781:				; CODE XREF: KiDeregisterNmiSxCallback(x,x,x)+50j
		test	esi, esi
		jz	short loc_6187F8
		cmp	[esi+0Ch], eax
		jnz	short loc_6187F8
		mov	eax, [esi]
		mov	[ecx], eax
		test	ds:byte_70EFC6,	1
		jz	short loc_6187A3
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6187A8
; 

loc_6187A3:				; CODE XREF: KiDeregisterNmiSxCallback(x,x,x)+6Ej
		xor	eax, eax
		lock and [edi],	eax

loc_6187A8:				; CODE XREF: KiDeregisterNmiSxCallback(x,x,x)+7Aj
		mov	cl, [ebp+var_11]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, ebx
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	short loc_6187E9

loc_6187BB:				; CODE XREF: KiDeregisterNmiSxCallback(x,x,x)+B3j
		mov	ecx, edi
		test	ebx, ebx
		jnz	short loc_6187CC
		lea	edx, [ebp+var_10]
		call	_KiSetSystemAffinityThreadToProcessor@8	; KiSetSystemAffinityThreadToProcessor(x,x)
		inc	ebx
		jmp	short loc_6187D3
; 

loc_6187CC:				; CODE XREF: KiDeregisterNmiSxCallback(x,x,x)+98j
		xor	edx, edx
		call	_KiSetSystemAffinityThreadToProcessor@8	; KiSetSystemAffinityThreadToProcessor(x,x)

loc_6187D3:				; CODE XREF: KiDeregisterNmiSxCallback(x,x,x)+A3j
		inc	edi
		cmp	edi, ds:_KeNumberProcessors
		jb	short loc_6187BB
		test	ebx, ebx
		jz	short loc_6187E9
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread

loc_6187E9:				; CODE XREF: KiDeregisterNmiSxCallback(x,x,x)+92j
					; KiDeregisterNmiSxCallback(x,x,x)+B7j
		push	494D4E4Bh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		jmp	short loc_618820
; 

loc_6187F8:				; CODE XREF: KiDeregisterNmiSxCallback(x,x,x)+44j
					; KiDeregisterNmiSxCallback(x,x,x)+5Cj	...
		test	ds:byte_70EFC6,	1
		jz	short loc_61880D
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_618812
; 

loc_61880D:				; CODE XREF: KiDeregisterNmiSxCallback(x,x,x)+D8j
		xor	eax, eax
		lock and [edi],	eax

loc_618812:				; CODE XREF: KiDeregisterNmiSxCallback(x,x,x)+E4j
		mov	cl, [ebp+var_11]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, 0C0000008h

loc_618820:				; CODE XREF: KiDeregisterNmiSxCallback(x,x,x)+CFj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_KiDeregisterNmiSxCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiFatalExceptionHandler(x, x, x, x)
_KiFatalExceptionHandler@16 proc near	; CODE XREF: Ki386FatalExceptionHandler(x,x,x,x)j

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+18h]
		push	dword ptr [eax+14h]
		push	dword ptr [eax+0Ch]
		push	dword ptr [eax]
		push	1Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_KiFatalExceptionHandler@16 endp


;  S U B	R O U T	I N E 


; __stdcall KiFatalFilter(x, x)
_KiFatalFilter@8 proc near		; CODE XREF: sub_5C1D1A+6p
					; KiInitializeKernel(x,x,x,x,x,x)+762p	...
		push	dword ptr [edx+4]
		mov	eax, [edx]
		push	eax
		push	dword ptr [eax+0Ch]
		push	dword ptr [eax]
		push	ecx
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_KiFatalFilter@8 endp


;  S U B	R O U T	I N E 


; __stdcall KiHandleBound()
_KiHandleBound@0 proc near		; CODE XREF: V86_kit5_a+2DCp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _KiBoundsCallback
		mov	ecx, ebx
		call	ExReferenceCallBackBlock
		mov	esi, eax
		test	esi, esi
		jz	short loc_6188B6
		mov	eax, [esi+4]
		call	eax
		mov	ecx, ds:_KiBoundsCallback
		mov	edi, eax
		mov	edx, ecx
		xor	edx, esi
		cmp	edx, 7
		jnb	short loc_6188AF

loc_618899:				; CODE XREF: KiHandleBound()+4Fj
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jz	short loc_6188B6
		mov	ecx, eax
		xor	eax, esi
		cmp	eax, 7
		jb	short loc_618899

loc_6188AF:				; CODE XREF: KiHandleBound()+39j
		mov	ecx, esi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_6188B6:				; CODE XREF: KiHandleBound()+23j
					; KiHandleBound()+46j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_KiHandleBound@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiHandleNmi()
_KiHandleNmi@0	proc near		; CODE XREF: sub_59C2E7+38p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ds:_KiNmiCallbackListHead
		xor	bl, bl
		jmp	short loc_6188E7
; 

loc_6188DA:				; CODE XREF: KiHandleNmi()+24j
		push	[ebp+var_4]
		push	dword ptr [esi+8]
		call	dword ptr [esi+4]
		mov	esi, [esi]
		or	bl, al

loc_6188E7:				; CODE XREF: KiHandleNmi()+10j
		mov	byte ptr [ebp+var_4], bl
		test	esi, esi
		jnz	short loc_6188DA
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_KiHandleNmi@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiRegisterNmiSxCallback(x, x, x, x)
_KiRegisterNmiSxCallback@16 proc near	; CODE XREF: KeRegisterNmiCallback(x,x)+Ep
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	494D4E4Bh
		push	10h
		push	200h
		mov	edi, edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_618967
		mov	[esi+4], ebx
		mov	[esi+8], edi
		mov	[esi+0Ch], esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _KiNmiCallbackListLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, ds:_KiNmiCallbackListHead
		mov	[esi], edx
		test	ds:byte_70EFC6,	1
		mov	ds:_KiNmiCallbackListHead, esi
		jz	short loc_618957
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61895C
; 

loc_618957:				; CODE XREF: KiRegisterNmiSxCallback(x,x,x,x)+55j
		xor	eax, eax
		lock and [edi],	eax

loc_61895C:				; CODE XREF: KiRegisterNmiSxCallback(x,x,x,x)+61j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esi+0Ch]

loc_618967:				; CODE XREF: KiRegisterNmiSxCallback(x,x,x,x)+21j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_KiRegisterNmiSxCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAddEnclavePage(x,	x, x, x, x, x)
_KeAddEnclavePage@24 proc near		; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+29Fp
					; MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+446p

var_D8		= dword	ptr -0D8h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_44		= dword	ptr -44h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFC0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A84B8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		push	ecx
		push	ecx
		push	ebx
		sub	esp, 0D8h
		mov	eax, ds:___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_44], eax
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_C8], edx
		mov	[ebp+var_C4], ecx
		mov	edi, [ebx+8]
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_CC], eax
		mov	esi, [ebx+14h]
		push	40h		; size_t
		push	0		; int
		lea	eax, [ebp+var_C0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, ds:dword_70E754
		and	ecx, 8
		and	dword ptr [esi], 0
		xor	esi, esi
		mov	eax, esi
		or	eax, ecx
		jz	loc_618B1F
		mov	edx, [ebx+10h]
		test	dl, 40h
		jnz	short loc_618A4D
		xor	ecx, ecx
		inc	ecx
		mov	eax, edx
		and	eax, ecx
		test	dl, 2
		jz	short loc_618A1A
		or	eax, 2

loc_618A1A:				; CODE XREF: KeAddEnclavePage(x,x,x,x,x,x)+A7j
		test	dl, 4
		jz	short loc_618A22
		or	eax, 4

loc_618A22:				; CODE XREF: KeAddEnclavePage(x,x,x,x,x,x)+AFj
		test	dl, 8
		jz	short loc_618A2E
		or	eax, 100h
		jmp	short loc_618A33
; 

loc_618A2E:				; CODE XREF: KeAddEnclavePage(x,x,x,x,x,x)+B7j
		or	eax, 200h

loc_618A33:				; CODE XREF: KeAddEnclavePage(x,x,x,x,x,x)+BEj
		mov	[ebp+var_C0], eax
		mov	eax, [ebp+var_C8]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_70], eax
		jmp	short loc_618A7C
; 

loc_618A4D:				; CODE XREF: KeAddEnclavePage(x,x,x,x,x,x)+9Bj
		mov	ecx, ds:dword_70E754
		and	ecx, 20h
		mov	eax, esi
		or	eax, ecx
		jz	loc_618B18
		push	0Dh
		pop	ecx
		mov	eax, edx
		and	eax, 0Fh
		cmp	al, 3
		jz	short loc_618A76
		mov	eax, 0C0000045h
		jmp	loc_618B24
; 

loc_618A76:				; CODE XREF: KeAddEnclavePage(x,x,x,x,x,x)+FCj
		mov	[ebp+var_78], esi
		mov	[ebp+var_70], esi

loc_618A7C:				; CODE XREF: KeAddEnclavePage(x,x,x,x,x,x)+DDj
		mov	[ebp+var_6C], esi
		mov	[ebp+var_74], esi
		mov	eax, [ebp+var_CC]
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], esi
		mov	eax, [ebp+var_C4]
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], esi
		mov	[ebp+var_4], esi
		push	esi
		push	edi
		lea	eax, [ebp+var_80]
		push	eax
		push	ecx
		call	_KiEncls@16	; KiEncls(x,x,x,x)
		test	byte ptr [ebx+10h], 50h
		jnz	short loc_618AE4
		mov	esi, 1000h
		mov	[ebp+var_D0], esi

loc_618ABA:				; CODE XREF: KeAddEnclavePage(x,x,x,x,x,x)+174j
		push	0
		push	edi
		push	[ebp+var_C4]
		push	6
		call	_KiEncls@16	; KiEncls(x,x,x,x)
		add	edi, 100h
		mov	[ebp+var_D8], edi
		sub	esi, 100h
		mov	[ebp+var_D0], esi
		jnz	short loc_618ABA

loc_618AE4:				; CODE XREF: KeAddEnclavePage(x,x,x,x,x,x)+13Fj
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_618B24
; 

loc_618AEF:				; DATA XREF: .text:006A84CCo
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D4h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_618B03:				; DATA XREF: .text:006A84D0o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0D4h]
		jmp	short loc_618B24
; 

loc_618B18:				; CODE XREF: KeAddEnclavePage(x,x,x,x,x,x)+ECj
		mov	eax, 0C0000018h
		jmp	short loc_618B24
; 

loc_618B1F:				; CODE XREF: KeAddEnclavePage(x,x,x,x,x,x)+8Fj
		mov	eax, 0C00000BBh

loc_618B24:				; CODE XREF: KeAddEnclavePage(x,x,x,x,x,x)+103j
					; KeAddEnclavePage(x,x,x,x,x,x)+17Fj ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	ecx, [ebp+var_44]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	10h
_KeAddEnclavePage@24 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeBlockEnclavePage(x)
_KeBlockEnclavePage@4 proc near		; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+45Ep

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6A8498
		call	__SEH_prolog4
		mov	esi, ecx
		mov	edx, ds:dword_70E754
		and	edx, 8
		xor	eax, eax
		or	eax, edx
		jz	short loc_618BA3
		and	[ebp+ms_exc.disabled], 0

loc_618B65:				; CODE XREF: KeBlockEnclavePage(x)+30j
		push	0
		push	esi
		push	0
		push	9
		call	_KiEncls@16	; KiEncls(x,x,x,x)
		cmp	eax, 0Fh
		jz	short loc_618B65
		mov	ecx, eax
		call	_KiEnclsStatus@4 ; KiEnclsStatus(x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_618BA8
; 

loc_618B86:				; DATA XREF: .text:006A84ACo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_618B94:				; DATA XREF: .text:006A84B0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		jmp	short loc_618BA8
; 

loc_618BA3:				; CODE XREF: KeBlockEnclavePage(x)+1Bj
		mov	eax, 0C00000BBh

loc_618BA8:				; CODE XREF: KeBlockEnclavePage(x)+40j
					; KeBlockEnclavePage(x)+5Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KeBlockEnclavePage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeCanChangeEnclavePageProtection(x,	x)
_KeCanChangeEnclavePageProtection@8 proc near
					; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+3E3p

var_CC		= dword	ptr -0CCh
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_44		= dword	ptr -44h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFC0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A8418
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		push	ecx
		push	ecx
		push	ebx
		sub	esp, 0D8h
		mov	eax, ds:___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_44], eax
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_CC], edx
		mov	esi, ecx
		mov	edx, ds:dword_70E754
		and	edx, 20h
		xor	eax, eax
		or	eax, edx
		jz	loc_618CB6
		push	40h		; size_t
		push	0		; int
		lea	eax, [ebp+var_C0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_C0], 7
		and	[ebp+var_4], 0

loc_618C43:				; CODE XREF: KeCanChangeEnclavePageProtection(x,x)+9Fj
		push	0
		push	esi
		lea	eax, [ebp+var_C0]
		push	eax
		push	0Eh
		call	_KiEncls@16	; KiEncls(x,x,x,x)
		cmp	eax, 0Fh
		jz	short loc_618C43
		mov	ecx, eax
		call	_KiEnclsStatus@4 ; KiEnclsStatus(x)
		mov	ecx, eax
		jmp	short loc_618CA5
; 

loc_618C64:				; DATA XREF: .text:006A842Co
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C8h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_618C78:				; DATA XREF: .text:006A8430o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-0C8h]
		mov	[ebp-0C4h], ecx
		cmp	ecx, 0C00004A2h
		jnz	short loc_618CAB
		mov	al, [ebp-0CCh]
		and	al, 80h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	ecx, eax

loc_618CA5:				; CODE XREF: KeCanChangeEnclavePageProtection(x,x)+AAj
		mov	[ebp+var_C4], ecx

loc_618CAB:				; CODE XREF: KeCanChangeEnclavePageProtection(x,x)+D8j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, ecx
		jmp	short loc_618CBB
; 

loc_618CB6:				; CODE XREF: KeCanChangeEnclavePageProtection(x,x)+64j
		mov	eax, 0C00000BBh

loc_618CBB:				; CODE XREF: KeCanChangeEnclavePageProtection(x,x)+FCj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	ecx, [ebp+var_44]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_KeCanChangeEnclavePageProtection@8 endp ; sp =	 4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeChangeEnclavePageProtection(x, x)
_KeChangeEnclavePageProtection@8 proc near
					; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x):loc_63696Fp

var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_44		= dword	ptr -44h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFC0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A83F8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		push	ecx
		push	ecx
		push	ebx
		sub	esp, 0D8h
		mov	eax, ds:___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_44], eax
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_C4], edx
		mov	edi, ecx
		mov	esi, ds:dword_70E754
		and	esi, 20h
		xor	eax, eax
		or	eax, esi
		jz	loc_618E03
		push	40h		; size_t
		push	0		; int
		lea	eax, [ebp+var_C0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, [ebp+var_C4]
		test	cl, 8
		jz	short loc_618D70
		push	0Fh
		pop	esi
		mov	[ebp+var_C0], 100h
		jmp	short loc_618DB1
; 

loc_618D70:				; CODE XREF: KeChangeEnclavePageProtection(x,x)+86j
		test	cl, cl
		jns	short loc_618D83
		push	0Fh
		pop	esi
		mov	[ebp+var_C0], 400h
		jmp	short loc_618DB1
; 

loc_618D83:				; CODE XREF: KeChangeEnclavePageProtection(x,x)+99j
		push	0Eh
		pop	esi
		mov	eax, ecx
		xor	edx, edx
		inc	edx
		and	eax, edx
		jz	short loc_618D95
		mov	[ebp+var_C0], edx

loc_618D95:				; CODE XREF: KeChangeEnclavePageProtection(x,x)+B4j
		test	cl, 2
		jz	short loc_618DA3
		or	eax, 2
		mov	[ebp+var_C0], eax

loc_618DA3:				; CODE XREF: KeChangeEnclavePageProtection(x,x)+BFj
		test	cl, 4
		jz	short loc_618DB1
		or	eax, 4
		mov	[ebp+var_C0], eax

loc_618DB1:				; CODE XREF: KeChangeEnclavePageProtection(x,x)+95j
					; KeChangeEnclavePageProtection(x,x)+A8j ...
		and	[ebp+var_4], 0

loc_618DB5:				; CODE XREF: KeChangeEnclavePageProtection(x,x)+EFj
		push	0
		push	edi
		lea	eax, [ebp+var_C0]
		push	eax
		push	esi
		call	_KiEncls@16	; KiEncls(x,x,x,x)
		cmp	eax, 0Fh
		jz	short loc_618DB5
		mov	ecx, eax
		call	_KiEnclsStatus@4 ; KiEnclsStatus(x)
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_618E08
; 

loc_618DDA:				; DATA XREF: .text:006A840Co
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C8h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_618DEE:				; DATA XREF: .text:006A8410o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0C8h]
		jmp	short loc_618E08
; 

loc_618E03:				; CODE XREF: KeChangeEnclavePageProtection(x,x)+64j
		mov	eax, 0C00000BBh

loc_618E08:				; CODE XREF: KeChangeEnclavePageProtection(x,x)+FFj
					; KeChangeEnclavePageProtection(x,x)+128j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	ecx, [ebp+var_44]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_KeChangeEnclavePageProtection@8 endp ;	sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeCreateEnclaveMetadataPage(x)
_KeCreateEnclaveMetadataPage@4 proc near
					; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+52Fp
					; MiInitializeEnclaveMetadataPage()+ECp

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6A84F8
		call	__SEH_prolog4
		mov	edx, ds:dword_70E754
		and	edx, 8
		xor	eax, eax
		or	eax, edx
		jz	short loc_618E79
		and	[ebp+ms_exc.disabled], 0
		push	0
		push	ecx
		push	3
		push	0Ah
		call	_KiEncls@16	; KiEncls(x,x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_618E7E
; 

loc_618E5C:				; DATA XREF: .text:006A850Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_618E6A:				; DATA XREF: .text:006A8510o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		jmp	short loc_618E7E
; 

loc_618E79:				; CODE XREF: KeCreateEnclaveMetadataPage(x)+19j
		mov	eax, 0C00000BBh

loc_618E7E:				; CODE XREF: KeCreateEnclaveMetadataPage(x)+34j
					; KeCreateEnclaveMetadataPage(x)+51j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KeCreateEnclaveMetadataPage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeOutPageEnclavePage(x, x, x)
_KeOutPageEnclavePage@12 proc near	; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+4B0p

var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFF80h
		sub	esp, 178h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+178h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		push	80h		; size_t
		mov	[esp+184h+var_124], eax
		mov	edi, edx
		lea	eax, [esp+184h+var_100]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, ds:dword_70E754
		xor	edx, edx
		and	ecx, 8
		mov	eax, edx
		add	esp, 0Ch
		or	eax, ecx
		jz	short loc_618F29
		push	[esp+180h+var_124]
		lea	eax, [esp+184h+var_100]
		mov	[esp+184h+var_118], edi
		mov	[esp+184h+var_110], eax
		lea	eax, [esp+184h+var_120]
		push	esi
		push	eax
		push	0Bh
		mov	[esp+190h+var_114], edx
		mov	[esp+190h+var_10C], edx
		mov	[esp+190h+var_120], edx
		mov	[esp+190h+var_11C], edx
		mov	[esp+190h+var_108], edx
		mov	[esp+190h+var_104], edx
		call	_KiEncls@16	; KiEncls(x,x,x,x)
		mov	ecx, eax
		call	_KiEnclsStatus@4 ; KiEnclsStatus(x)
		jmp	short loc_618F2E
; 

loc_618F29:				; CODE XREF: KeOutPageEnclavePage(x,x,x)+4Fj
		mov	eax, 0C00000BBh

loc_618F2E:				; CODE XREF: KeOutPageEnclavePage(x,x,x)+99j
		mov	ecx, [esp+180h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_KeOutPageEnclavePage@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRemoveEnclavePage(x)
_KeRemoveEnclavePage@4 proc near	; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+31Ap
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+524p ...

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0Ch
		push	offset dword_6A8538
		call	__SEH_prolog4
		mov	ecx, ds:dword_70E754
		and	ecx, 8
		xor	edx, edx
		mov	eax, edx
		or	eax, ecx
		jz	short loc_618F9D
		mov	[ebp+ms_exc.disabled], edx
		push	edx
		push	[ebp+arg_0]
		push	edx
		push	3
		call	_KiEncls@16	; KiEncls(x,x,x,x)
		mov	ecx, eax
		call	_KiEnclsStatus@4 ; KiEnclsStatus(x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_618FA2
; 

loc_618F80:				; DATA XREF: .text:006A854Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_618F8E:				; DATA XREF: .text:006A8550o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		jmp	short loc_618FA2
; 

loc_618F9D:				; CODE XREF: KeRemoveEnclavePage(x)+1Bj
		mov	eax, 0C00000BBh

loc_618FA2:				; CODE XREF: KeRemoveEnclavePage(x)+3Aj
					; KeRemoveEnclavePage(x)+57j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KeRemoveEnclavePage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeTrackEnclaveTbFlush(x)
_KeTrackEnclaveTbFlush@4 proc near	; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+13Ap
					; MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+405p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6A8438
		call	__SEH_prolog4
		mov	edx, ds:dword_70E754
		and	edx, 8
		xor	eax, eax
		or	eax, edx
		jz	short loc_61900C
		and	[ebp+ms_exc.disabled], 0
		push	0
		push	ecx
		push	0
		push	0Ch
		call	_KiEncls@16	; KiEncls(x,x,x,x)
		mov	ecx, eax
		call	_KiEnclsStatus@4 ; KiEnclsStatus(x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_619011
; 

loc_618FEF:				; DATA XREF: .text:006A844Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_618FFD:				; DATA XREF: .text:006A8450o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		jmp	short loc_619011
; 

loc_61900C:				; CODE XREF: KeTrackEnclaveTbFlush(x)+19j
		mov	eax, 0C00000BBh

loc_619011:				; CODE XREF: KeTrackEnclaveTbFlush(x)+39j
					; KeTrackEnclaveTbFlush(x)+56j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KeTrackEnclaveTbFlush@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiEnclsStatus(x)
_KiEnclsStatus@4 proc near		; CODE XREF: KeBlockEnclavePage(x)+34p
					; KeCanChangeEnclavePageProtection(x,x)+A3p ...
		sub	ecx, 0
		jz	short loc_61905C
		sub	ecx, 7
		jz	short loc_619056
		sub	ecx, 5
		jz	short loc_619050
		sub	ecx, 1
		jz	short loc_619056
		sub	ecx, 1
		jz	short loc_619056
		sub	ecx, 3
		jz	short loc_619056
		sub	ecx, 3
		jz	short loc_61904A
		mov	eax, 0C0000001h
		retn
; 

loc_61904A:				; CODE XREF: KiEnclsStatus(x)+21j
		mov	eax, 0C0000018h
		retn
; 

loc_619050:				; CODE XREF: KiEnclsStatus(x)+Dj
		mov	eax, 130h
		retn
; 

loc_619056:				; CODE XREF: KiEnclsStatus(x)+8j
					; KiEnclsStatus(x)+12j	...
		mov	eax, 0C0000043h
		retn
; 

loc_61905C:				; CODE XREF: KiEnclsStatus(x)+3j
		xor	eax, eax
		retn
_KiEnclsStatus@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiSetHaltedNmiandDoubleFaultHandler()
_KiSetHaltedNmiandDoubleFaultHandler@0 proc near ; CODE	XREF: KiProcessorStart+5235Dp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, large fs:1Ch
		mov	eax, [edi+38h]
		mov	edx, [edi+3Ch]
		movzx	esi, word ptr [eax+12h]
		shr	esi, 3
		movzx	ecx, byte ptr [edx+esi*8+7]
		movzx	eax, byte ptr [edx+esi*8+4]
		shl	ecx, 8
		add	ecx, eax
		movzx	eax, word ptr [edx+esi*8+2]
		shl	ecx, 10h
		mov	dword ptr [ecx+eax+20h], offset	_KiDummyNmiHandler@0 ; KiDummyNmiHandler()
		mov	eax, [edi+38h]
		mov	edx, [edi+3Ch]
		pop	edi
		movzx	esi, word ptr [eax+42h]
		shr	esi, 3
		movzx	ecx, byte ptr [edx+esi*8+7]
		movzx	eax, byte ptr [edx+esi*8+4]
		shl	ecx, 8
		add	ecx, eax
		movzx	eax, word ptr [edx+esi*8+2]
		shl	ecx, 10h
		pop	esi
		mov	dword ptr [ecx+eax+20h], offset	_KiDummyDoubleFaultHandler@0 ; KiDummyDoubleFaultHandler()
		retn
_KiSetHaltedNmiandDoubleFaultHandler@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiStartDynamicProcessor(x, x, x, x)
_KiStartDynamicProcessor@16 proc near	; CODE XREF: KeStartDynamicProcessor(x,x,x,x)+4Fp

var_450		= dword	ptr -450h
var_43C		= dword	ptr -43Ch
var_434		= dword	ptr -434h
var_430		= dword	ptr -430h
var_42C		= dword	ptr -42Ch
var_428		= dword	ptr -428h
var_424		= dword	ptr -424h
var_420		= dword	ptr -420h
var_41C		= dword	ptr -41Ch
var_418		= dword	ptr -418h
var_414		= dword	ptr -414h
var_410		= dword	ptr -410h
var_40C		= dword	ptr -40Ch
var_408		= dword	ptr -408h
var_404		= dword	ptr -404h
var_400		= dword	ptr -400h
var_3FC		= dword	ptr -3FCh
var_3F8		= dword	ptr -3F8h
var_3F0		= dword	ptr -3F0h
var_3E8		= dword	ptr -3E8h
var_3E4		= dword	ptr -3E4h
var_3D0		= dword	ptr -3D0h
var_340		= dword	ptr -340h
var_330		= dword	ptr -330h
var_328		= dword	ptr -328h
var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 42Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+42Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		lea	eax, [esp+438h+var_3F0]
		push	0C8h		; size_t
		xor	ebx, ebx
		mov	[esp+43Ch+var_424], edx
		push	ebx		; int
		push	eax		; void *
		mov	[esp+444h+var_41C], edi
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+438h+var_328]
		push	320h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		movzx	eax, [ebp+arg_0]
		lea	edx, [esp+444h+var_424]
		add	esp, 0Ch
		mov	[esp+438h+var_428], eax
		lea	eax, [esp+438h+var_428]
		mov	[esp+438h+var_404], ebx
		mov	esi, ebx
		mov	[esp+438h+var_420], ebx
		mov	ecx, edi
		mov	[esp+438h+var_418], esi
		push	eax
		mov	[esp+43Ch+var_414], ebx
		mov	[esp+43Ch+var_3FC], ebx
		mov	[esp+43Ch+var_3F8], ebx
		mov	[esp+43Ch+var_410], ebx
		mov	[esp+43Ch+var_40C], ebx
		mov	[esp+43Ch+var_408], ebx
		mov	[esp+43Ch+var_400], ebx
		call	KiQueryProcessorNode
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_619520
		cmp	ds:_KeNumberProcessors,	20h
		movzx	eax, word ptr [esp+438h+var_428]
		mov	eax, ds:_KeNodeBlock[eax*4]
		mov	[esp+438h+var_420], eax
		mov	[esp+438h+var_400], eax
		jz	loc_619519
		mov	eax, ds:_KeNumprocSpecified
		test	eax, eax
		jz	short loc_61919C
		cmp	ds:_KeNumberProcessors,	eax
		jnb	loc_619519

loc_61919C:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+C9j
		push	[esp+438h+var_424]
		push	ds:_KeRegisteredProcessors
		call	ds:__imp__HalRegisterDynamicProcessor@8	; HalRegisterDynamicProcessor(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_619531
		mov	ecx, ds:_KeMaximumProcessors
		call	_KiComputeProcessorDataSize@4 ;	KiComputeProcessorDataSize(x)
		movzx	edx, word ptr [esp+440h+var_430]
		mov	ecx, eax
		mov	[esp+440h+var_41C], eax
		call	_MmAllocateIndependentPages@8 ;	MmAllocateIndependentPages(x,x)
		mov	ebx, eax
		mov	[esp+440h+var_404], ebx
		test	ebx, ebx
		jnz	short loc_6191E5

loc_6191DB:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+140j
					; KiStartDynamicProcessor(x,x,x,x)+153j ...
		mov	ebx, 0C000009Ah
		jmp	loc_619531
; 

loc_6191E5:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+114j
		movzx	edx, word ptr [esp+440h+var_430]
		mov	ecx, 7000h
		call	_MmAllocateIndependentPages@8 ;	MmAllocateIndependentPages(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_619207
		mov	edx, [esp+440h+var_41C]
		mov	ecx, ebx
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)
		jmp	short loc_6191DB
; 

loc_619207:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+133j
		mov	edx, [esp+440h+var_430]
		mov	ecx, edi
		call	_ExCreatePoolTagTable@8	; ExCreatePoolTagTable(x,x)
		mov	[esp+440h+var_400], eax
		test	eax, eax
		jz	short loc_6191DB
		movzx	edx, word ptr [esp+440h+var_430]
		xor	ecx, ecx
		push	0
		call	MmCreateKernelStack
		mov	[esp+440h+var_418], eax
		test	eax, eax
		jz	short loc_6191DB
		movzx	edx, word ptr [esp+440h+var_430]
		xor	ecx, ecx
		push	0
		call	MmCreateKernelStack
		mov	[esp+440h+var_414], eax
		test	eax, eax
		jz	short loc_6191DB
		movzx	edx, word ptr [esp+440h+var_430]
		lea	ecx, [esp+440h+var_410]
		call	_MmAllocateIsrStack@8 ;	MmAllocateIsrStack(x,x)
		test	al, al
		jz	short loc_6191DB
		movzx	edx, word ptr [esp+440h+var_430]
		lea	ecx, [esp+440h+var_40C]
		call	_MmAllocateIsrStack@8 ;	MmAllocateIsrStack(x,x)
		test	al, al
		jz	loc_6191DB
		push	[esp+440h+var_40C] ; int
		mov	eax, [esp+444h+var_414]
		lea	edx, [esp+444h+var_3F8]	; int
		push	[esp+444h+var_410] ; int
		lea	ecx, [esp+448h+var_330]	; void *
		push	eax		; int
		mov	eax, [esp+44Ch+var_418]
		push	eax		; int
		push	ds:_KeMaximumProcessors	; int
		push	esi		; void *
		push	ebx		; void *
		push	edi		; int
		call	_KiInitializeProcessorState@40 ; KiInitializeProcessorState(x,x,x,x,x,x,x,x,x,x)
		movzx	edx, word ptr [esp+440h+var_430]
		mov	edi, offset _KiNodeInit
		imul	ecx, edx, 140h
		mov	esi, eax
		mov	[esp+440h+var_420], esi
		add	ecx, edi
		cmp	ds:_KeNodeBlock[edx*4],	ecx
		jnz	short loc_61930E
		mov	ecx, ds:_KeMaximumProcessors
		shl	ecx, 5
		add	ecx, 603Fh
		and	ecx, 0FFFFFFC0h
		add	ecx, 500h
		push	180h		; size_t
		add	ebx, ecx
		push	0		; int
		push	ebx		; void *
		mov	[esp+44Ch+var_428], ebx
		call	_memset
		movzx	eax, word ptr [esp+44Ch+var_430]
		add	esp, 0Ch
		imul	esi, eax, 140h
		push	50h
		pop	ecx
		add	esi, edi
		mov	edi, ebx
		rep movsd
		movzx	eax, word ptr [esp+440h+var_430]
		mov	esi, [esp+440h+var_420]
		mov	ds:_KeNodeBlock[eax*4],	ebx
		jmp	short loc_619312
; 

loc_61930E:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+1F3j
		mov	ebx, [esp+440h+var_428]

loc_619312:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+247j
		xor	edx, edx
		mov	[esi+338h], ebx
		inc	edx
		mov	ecx, esi
		call	KiAddProcessorToGroupDatabase
		mov	ecx, esi
		call	MmInitializeProcessor
		test	eax, eax
		jnz	short loc_619337
		mov	ebx, 0C0000001h
		jmp	loc_619526
; 

loc_619337:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+266j
		movzx	edx, word ptr [esp+440h+var_430]
		mov	ecx, esi
		call	KiInitializePrcbContext
		mov	ebx, eax
		test	ebx, ebx
		js	loc_619526
		mov	ecx, esi
		call	KeInitializeTimerTable
		mov	ebx, eax
		test	ebx, ebx
		js	loc_619526
		mov	dl, 1
		mov	ecx, esi
		call	ExInitializeProcessor
		mov	ebx, eax
		test	ebx, ebx
		js	loc_619526
		mov	ecx, esi
		call	ObInitializeProcessor
		mov	ebx, eax
		test	ebx, ebx
		js	loc_619526
		xor	edx, edx
		mov	ecx, esi
		call	IoInitializeProcessor
		mov	ebx, eax
		test	ebx, ebx
		js	loc_619526
		mov	ecx, esi
		call	_CcInitializeProcessor@4 ; CcInitializeProcessor(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_619526
		mov	ecx, esi
		call	_EtwInitializeProcessor@4 ; EtwInitializeProcessor(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_619526
		xor	edx, edx
		mov	ecx, esi
		call	_WheaInitializeProcessor@8 ; WheaInitializeProcessor(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_619526
		mov	edx, [esp+440h+var_42C]
		mov	ecx, esi
		call	HvlInitializeProcessor
		mov	ebx, eax
		test	ebx, ebx
		js	loc_619526
		and	dword ptr [esi+4078h], 0
		lea	eax, [esi+407Ch]
		mov	[eax], eax
		xor	eax, eax
		push	2
		pop	edi
		push	ds:_ExPageLockHandle
		inc	eax
		mov	ds:_KiProcessorStartControl, edi
		mov	ds:_KiBarrierWait, eax
		mov	ds:_KiProcessorStartData, eax
		call	_MmLockPagableSectionByHandle@4	; MmLockPagableSectionByHandle(x)
		mov	eax, ds:_KeLoaderBlock
		mov	[esp+440h+var_3FC], eax
		test	eax, eax
		jnz	short loc_619437
		mov	eax, ds:_PsLoadedModuleList
		mov	[esp+440h+var_3E8], eax
		mov	eax, ds:dword_6C6E3C
		mov	[esp+440h+var_3E4], eax
		lea	eax, [esp+440h+var_3F8]
		mov	ds:_KeLoaderBlock, eax

loc_619437:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+355j
		movzx	eax, byte ptr [esi+3C4h]
		xor	ecx, ecx
		mov	edx, [esi+3CCh]
		push	0
		push	[esp+444h+var_42C]
		push	eax
		movzx	eax, byte ptr [esi+3C5h]
		push	eax
		call	_KiDynamicProcessorAddNotification@24 ;	KiDynamicProcessorAddNotification(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_6194CA
		push	[esp+440h+var_430]
		lea	eax, [esp+444h+var_330]
		push	[esp+444h+var_42C]
		push	[esp+448h+var_424]
		push	eax
		call	ds:__imp__HalStartDynamicProcessor@16 ;	HalStartDynamicProcessor(x,x,x,x)
		cmp	eax, 3
		jnz	short loc_61949A
		push	[esp+450h+var_43C]
		push	[esp+454h+var_434]
		push	eax
		lea	eax, [esp+45Ch+var_340]
		push	eax
		push	1DFh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_61949A:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+3B8j
		cmp	eax, edi
		jz	short loc_6194C5
		call	KiStartWaitAcknowledge
		and	ds:_KiProcessorStartControl, 0
		jmp	short loc_6194AE
; 

loc_6194AC:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+3F2j
		pause

loc_6194AE:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+3E5j
		mov	eax, [esp+464h+var_3D0]
		test	eax, eax
		jnz	short loc_6194AC
		mov	ecx, esi
		call	_KiInitializeDynamicProcessor@4	; KiInitializeDynamicProcessor(x)
		xor	edi, edi
		inc	edi
		jmp	short loc_6194CA
; 

loc_6194C5:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+3D7j
		mov	ebx, 0C0000001h

loc_6194CA:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+399j
					; KiStartDynamicProcessor(x,x,x,x)+3FEj
		movzx	eax, byte ptr [esi+3C4h]
		mov	ecx, edi
		mov	edx, [esi+3CCh]
		push	ebx
		push	[esp+468h+var_450]
		push	eax
		movzx	eax, byte ptr [esi+3C5h]
		push	eax
		call	_KiDynamicProcessorAddNotification@24 ;	KiDynamicProcessorAddNotification(x,x,x,x,x,x)
		test	ebx, ebx
		js	short loc_619501
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_WheaInitializeProcessor@8 ; WheaInitializeProcessor(x,x)
		mov	ecx, esi
		call	_CmInitializeProcessor@4 ; CmInitializeProcessor(x)

loc_619501:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+429j
		mov	eax, [esp+464h+var_420]
		xor	edx, edx
		mov	ecx, ds:_ExPageLockHandle
		mov	ds:_KeLoaderBlock, eax
		call	MiLockPagableImageSection
		jmp	short loc_61951E
; 

loc_619519:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+BCj
					; KiStartDynamicProcessor(x,x,x,x)+D1j
		mov	ebx, 0C0000259h

loc_61951E:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+452j
		test	ebx, ebx

loc_619520:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+9Bj
		jns	loc_6195C2

loc_619526:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+26Dj
					; KiStartDynamicProcessor(x,x,x,x)+282j ...
		test	esi, esi
		jz	short loc_619531
		mov	ecx, esi
		call	_KiRemoveProcessorFromGroupDatabase@4 ;	KiRemoveProcessorFromGroupDatabase(x)

loc_619531:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+EBj
					; KiStartDynamicProcessor(x,x,x,x)+11Bj ...
		mov	edx, [esp+438h+var_400]
		test	edx, edx
		jz	short loc_619550
		mov	esi, [esp+438h+var_420]
		mov	edi, edx
		push	50h
		pop	ecx
		rep movsd
		movzx	eax, word ptr [esp+438h+var_428]
		mov	ds:_KeNodeBlock[eax*4],	edx

loc_619550:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+472j
		mov	esi, [esp+438h+var_418]
		test	esi, esi
		jz	short loc_619566
		mov	ecx, esi
		call	_HvlDeleteProcessor@4 ;	HvlDeleteProcessor(x)
		mov	ecx, esi
		call	_EtwDeleteProcessor@4 ;	EtwDeleteProcessor(x)

loc_619566:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+491j
		mov	eax, [esp+438h+var_3FC]
		test	eax, eax
		jz	short loc_619579
		mov	edx, [esp+438h+var_414]
		mov	ecx, eax
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)

loc_619579:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+4A7j
		cmp	[esp+438h+var_3F8], 0
		mov	esi, [esp+438h+var_41C]
		jz	short loc_61958B
		mov	ecx, esi
		call	_ExDeletePoolTagTable@4	; ExDeletePoolTagTable(x)

loc_61958B:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+4BDj
		mov	eax, [esp+438h+var_410]
		test	eax, eax
		jz	short loc_61959C
		xor	edx, edx
		mov	ecx, eax
		call	_MmDeleteKernelStack@8 ; MmDeleteKernelStack(x,x)

loc_61959C:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+4CCj
		mov	eax, [esp+438h+var_40C]
		test	eax, eax
		jz	short loc_6195AD
		xor	edx, edx
		mov	ecx, eax
		call	_MmDeleteKernelStack@8 ; MmDeleteKernelStack(x,x)

loc_6195AD:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+4DDj
		mov	ecx, [esp+438h+var_408]
		test	ecx, ecx
		jz	short loc_6195BA
		call	_MmFreeIsrStack@4 ; MmFreeIsrStack(x)

loc_6195BA:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+4EEj
		and	ds:_KiProcessorBlock[esi*4], 0

loc_6195C2:				; CODE XREF: KiStartDynamicProcessor(x,x,x,x):loc_619520j
		mov	ecx, [esp+438h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_KiStartDynamicProcessor@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeVdmInsertQueueApc(x, x, x, x, x, x, x, x)
_KeVdmInsertQueueApc@32	proc near	; CODE XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+89p
					; VdmpDelayIntDpcRoutine(x,x,x,x)+ACp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		mov	edi, edx
		cmp	byte ptr [esi],	12h
		jz	short loc_619603
		mov	byte ptr [esi],	12h
		mov	byte ptr [esi+2], 30h
		mov	[esi+2Ch], cl
		mov	[esi+2Eh], cl
		jmp	loc_6196A0
; 

loc_619603:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+14j
		mov	ebx, [esi+8]
		mov	[ebp+var_10], ebx
		test	ebx, ebx
		jz	loc_6196A0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	ebx, 2Ch
		mov	[ebp+var_1], al
		and	[ebp+var_C], 0
		mov	[ebp+var_8], ebx

loc_619624:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+5Ej
		lock bts dword ptr [ebx], 0
		jnb	short loc_61963B

loc_61962B:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+5Cj
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_61962B
		jmp	short loc_619624
; 

loc_61963B:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+4Ej
		cmp	byte ptr [esi+2Eh], 0
		jz	short loc_61968F
		mov	eax, [esi+8]
		cmp	[ebp+var_10], eax
		jnz	loc_61970A
		cmp	eax, edi
		jz	loc_61970A
		mov	byte ptr [esi+2Eh], 0
		lea	ebx, [esi+0Ch]
		mov	edx, [esi+0Ch]
		mov	ecx, [esi+10h]
		cmp	[edx+4], ebx
		jnz	loc_619705
		lea	ebx, [esi+0Ch]
		cmp	[ecx], ebx
		mov	ebx, [ebp+var_8]
		jnz	loc_619705
		mov	[ecx], edx
		mov	[edx+4], ecx
		cmp	ecx, edx
		jnz	short loc_61968F
		cmp	byte ptr [esi+2Dh], 0
		jnz	short loc_6196FC
		mov	byte ptr [eax+85h], 0

loc_61968F:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+64j
					; KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+A5j ...
		mov	cl, [ebp+var_1]
		mov	dword ptr [ebx], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	ecx, ecx

loc_6196A0:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+23j
					; KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+30j
		mov	al, [ebp+arg_0]
		mov	[esi+2Dh], al
		mov	eax, [ebp+arg_4]
		mov	[esi+14h], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+1Ch], eax
		mov	eax, [ebp+arg_10]
		mov	[esi+8], edi
		mov	dword ptr [esi+18h], offset _VdmpRundownRoutine@4 ; VdmpRundownRoutine(x)
		mov	[esi+24h], ecx
		mov	[esi+28h], ecx
		mov	[esi+20h], eax
		mov	byte ptr [ebp+arg_4+3],	cl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ebx, large fs:20h
		and	[ebp+var_14], 0
		mov	[ebp+arg_C], ebx
		lea	ebx, [edi+2Ch]
		mov	byte ptr [ebp+arg_10], al

loc_6196E5:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+11Fj
		lock bts dword ptr [ebx], 0
		jnb	short loc_61971D

loc_6196EC:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+11Dj
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_6196EC
		jmp	short loc_6196E5
; 

loc_6196FC:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+ABj
		and	byte ptr [eax+86h], 0FDh
		jmp	short loc_61968F
; 

loc_619705:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+8Aj
					; KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+98j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_61970A:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+6Cj
					; KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+74j
		mov	cl, [ebp+var_1]
		mov	dword ptr [ebx], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, 1
		jmp	short loc_61979B
; 

loc_61971D:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+10Fj
		test	dword ptr [edi+58h], 4000h
		mov	ebx, [ebp+arg_C]
		jz	short loc_619763
		cmp	byte ptr [esi+2Eh], 0
		jnz	short loc_619763
		mov	ecx, esi
		mov	byte ptr [esi+2Eh], 1
		call	KiInsertQueueApc
		push	2
		mov	edx, esi
		mov	ecx, ebx
		call	_KiSignalThreadForApc@12 ; KiSignalThreadForApc(x,x,x)
		cmp	[ebp+arg_0], 1
		jnz	short loc_61975F
		cmp	dword ptr [ebx+3B1Ch], 0
		jnz	short loc_61975F
		or	byte ptr [edi+86h], 2
		mov	byte ptr [ebp+arg_4+3],	1

loc_61975F:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+16Ej
					; KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+177j
		mov	bl, 1
		jmp	short loc_619765
; 

loc_619763:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+14Cj
					; KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+152j
		xor	bl, bl

loc_619765:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+186j
		cmp	byte ptr [ebp+arg_4+3],	0
		mov	dword ptr [edi+2Ch], 0
		jnz	short loc_619786
		push	[ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		xor	edx, edx
		push	[ebp+arg_14]
		push	1
		call	KiExitDispatcher
		jmp	short loc_619799
; 

loc_619786:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+195j
		mov	edx, [ebp+arg_14]
		mov	ecx, edi
		call	KeBoostPriorityThread
		mov	cl, byte ptr [ebp+arg_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_619799:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+1A9j
		mov	al, bl

loc_61979B:				; CODE XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+140j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_KeVdmInsertQueueApc@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ki386GetSelectorParameters(x, x, x,	x)
_Ki386GetSelectorParameters@16 proc near
					; CODE XREF: Ke386SetVdmInterruptHandler(x,x,x,x,x)+28p
					; VdmConvertToLinearAddress(x,x)+4Ep ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		and	dword ptr [eax], 0
		mov	al, byte ptr [ebp+arg_0]
		and	al, 7
		cmp	al, 7
		jz	short loc_6197CC
		xor	al, al
		jmp	loc_6198DD
; 

loc_6197CC:				; CODE XREF: Ki386GetSelectorParameters(x,x,x,x)+21j
		mov	eax, large fs:124h
		mov	cl, 2
		push	esi
		push	edi
		mov	esi, [eax+80h]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		movzx	edi, byte ptr [esi+23h]
		movzx	ecx, byte ptr [esi+20h]
		mov	edx, [ebp+arg_0]
		shl	edi, 8
		and	edx, 0FFF8h
		or	edi, ecx
		mov	[ebp+var_1], al
		movzx	ecx, word ptr [esi+1Eh]
		mov	eax, [esi+20h]
		shl	edi, 10h
		and	eax, 0F0000h
		or	edi, ecx
		movzx	ecx, word ptr [esi+1Ch]
		or	ecx, eax
		cmp	edx, ecx
		jnb	short loc_619830
		test	edi, edi
		jz	short loc_619830
		shr	edx, 3
		mov	byte ptr [ebp+arg_0+3],	1
		mov	esi, [edi+edx*8]
		mov	eax, [edi+edx*8+4]
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], eax
		jmp	short loc_619836
; 

loc_619830:				; CODE XREF: Ki386GetSelectorParameters(x,x,x,x)+72j
					; Ki386GetSelectorParameters(x,x,x,x)+76j
		mov	esi, [ebp+var_C]
		mov	byte ptr [ebp+arg_0+3],	bl

loc_619836:				; CODE XREF: Ki386GetSelectorParameters(x,x,x,x)+8Cj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, byte ptr [ebp+arg_0+3]
		test	al, al
		jz	loc_6198D6
		mov	ecx, [ebp+var_8]
		test	ecx, 8000h
		jnz	short loc_61985C
		push	40h
		pop	ebx
		xor	al, al
		jmp	short loc_6198D6
; 

loc_61985C:				; CODE XREF: Ki386GetSelectorParameters(x,x,x,x)+B1j
		movzx	edx, byte ptr [ebp+var_8+3]
		mov	edi, ecx
		shl	edx, 8
		and	edi, 0F0000h
		movzx	eax, cl
		xor	ebx, ebx
		or	edx, eax
		movzx	eax, word ptr [ebp+var_C+2]
		shl	edx, 10h
		or	edx, eax
		movzx	eax, si
		or	edi, eax
		mov	eax, ecx
		shr	eax, 8
		mov	esi, eax
		mov	[ebp+var_8], eax
		and	eax, 18h
		and	esi, 2
		cmp	al, 18h
		jnz	short loc_61989E
		test	esi, esi
		setnz	bl
		add	ebx, 4
		jmp	short loc_6198B3
; 

loc_61989E:				; CODE XREF: Ki386GetSelectorParameters(x,x,x,x)+F0j
		test	esi, esi
		setnz	bl
		test	byte ptr [ebp+var_8], 4
		lea	ebx, ds:1[ebx*2]
		jz	short loc_6198B3
		or	ebx, 10h

loc_6198B3:				; CODE XREF: Ki386GetSelectorParameters(x,x,x,x)+FAj
					; Ki386GetSelectorParameters(x,x,x,x)+10Cj
		test	ecx, 400000h
		jz	short loc_6198BE
		or	ebx, 8

loc_6198BE:				; CODE XREF: Ki386GetSelectorParameters(x,x,x,x)+117j
		test	ecx, 800000h
		jz	short loc_6198C9
		or	ebx, 20h

loc_6198C9:				; CODE XREF: Ki386GetSelectorParameters(x,x,x,x)+122j
		mov	ecx, [ebp+arg_8]
		mov	al, byte ptr [ebp+arg_0+3]
		mov	[ecx], edx
		mov	ecx, [ebp+arg_C]
		mov	[ecx], edi

loc_6198D6:				; CODE XREF: Ki386GetSelectorParameters(x,x,x,x)+A2j
					; Ki386GetSelectorParameters(x,x,x,x)+B8j
		mov	ecx, [ebp+arg_4]
		pop	edi
		pop	esi
		mov	[ecx], ebx

loc_6198DD:				; CODE XREF: Ki386GetSelectorParameters(x,x,x,x)+25j
		pop	ebx
		leave
		retn	10h
_Ki386GetSelectorParameters@16 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 135. KeQueryHeteroCpuPolicyThread

;  S U B	R O U T	I N E 


; __fastcall KeQueryHeteroCpuPolicyThread(x, x)
		public @KeQueryHeteroCpuPolicyThread@8
@KeQueryHeteroCpuPolicyThread@8	proc near
					; CODE XREF: KeSetUserHeteroCpuPolicyThread(x,x)+Cp
					; NtQueryInformationThread+F57FBp
		test	edx, edx
		jz	short loc_6198FD
		movzx	eax, byte ptr [ecx+62h]
		and	eax, 7Fh
		cmp	eax, 8
		jnz	short locret_619901
		mov	eax, ds:_KiDefaultHeteroCpuPolicy
		retn
; 

loc_6198FD:				; CODE XREF: KeQueryHeteroCpuPolicyThread(x,x)+2j
		movzx	eax, byte ptr [ecx+61h]

locret_619901:				; CODE XREF: KeQueryHeteroCpuPolicyThread(x,x)+Ej
		retn
@KeQueryHeteroCpuPolicyThread@8	endp


;  S U B	R O U T	I N E 


; __stdcall KeAlertResumeThread(x)
_KeAlertResumeThread@4 proc near	; CODE XREF: NtAlertResumeThread(x,x)+8Dp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		push	0
		push	esi
		mov	bl, al
		call	_KeAlertThread@8 ; KeAlertThread(x,x)
		mov	ecx, esi
		call	_KeResumeThread@4 ; KeResumeThread(x)
		mov	cl, bl
		mov	esi, eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_KeAlertResumeThread@4 endp


;  S U B	R O U T	I N E 


; __stdcall KeIsThreadRunning(x)
_KeIsThreadRunning@4 proc near		; CODE XREF: KeSetProcess+C7p
					; KeTerminateThread+213p ...
		mov	al, [ecx+90h]
		cmp	al, 2
		jnz	short loc_61994D
		mov	ecx, [ecx+148h]
		movzx	eax, large byte	ptr fs:51h
		cmp	ecx, eax
		jnz	short loc_61994D
		mov	al, 1
		retn
; 

loc_61994D:				; CODE XREF: KeIsThreadRunning(x)+8j
					; KeIsThreadRunning(x)+1Aj
		xor	al, al
		retn
_KeIsThreadRunning@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryActualAffinityThread(x, x)
_KeQueryActualAffinityThread@8 proc near ; CODE	XREF: NtQueryInformationThread+F5B0Dp

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	eax, eax
		mov	ebx, ecx
		mov	[edi+6], eax
		mov	[edi+0Ah], ax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_8], 0
		lea	esi, [ebx+2Ch]
		mov	[ebp+var_1], al

loc_619977:				; CODE XREF: KeQueryActualAffinityThread(x,x)+3Cj
		lock bts dword ptr [esi], 0
		jnb	short loc_61998E

loc_61997E:				; CODE XREF: KeQueryActualAffinityThread(x,x)+3Aj
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_61997E
		jmp	short loc_619977
; 

loc_61998E:				; CODE XREF: KeQueryActualAffinityThread(x,x)+2Cj
		mov	ax, [ebx+168h]
		mov	cl, [ebp+var_1]
		mov	[edi+4], ax
		mov	eax, [ebx+164h]
		mov	[edi], eax
		mov	dword ptr [esi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KeQueryActualAffinityThread@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1276. KeRevertToUserAffinityThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRevertToUserAffinityThread()
		public _KeRevertToUserAffinityThread@0
_KeRevertToUserAffinityThread@0	proc near

var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KeRevertToUserAffinityThread@0	endp

; 
		align 10h
; Exported entry 1277. KeRevertToUserAffinityThreadEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRevertToUserAffinityThreadEx(x)
		public _KeRevertToUserAffinityThreadEx@4
_KeRevertToUserAffinityThreadEx@4 proc near
					; CODE XREF: VerifierKeRevertToUserAffinityThreadEx(x)j
					; DATA XREF: PAGEVRFD:_pXdvKeRevertToUserAffinityThreadExo

var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		cmp	ds:_KeForceGroupAwareness, 0
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_10], eax
		pop	edi
		jz	short loc_619A25
		mov	ax, ds:_KiActiveGroups
		dec	ax
		jmp	short loc_619A27
; 

loc_619A25:				; CODE XREF: KeRevertToUserAffinityThreadEx(x)+29j
		xor	eax, eax

loc_619A27:				; CODE XREF: KeRevertToUserAffinityThreadEx(x)+33j
		mov	[ebp+var_C], ax
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_KeRevertToUserAffinityThreadEx@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1292. KeSetHeteroCpuPolicyThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetHeteroCpuPolicyThread(x, x, x)
		public _KeSetHeteroCpuPolicyThread@12
_KeSetHeteroCpuPolicyThread@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	_KiSetHeteroPolicyThread@16 ; KiSetHeteroPolicyThread(x,x,x,x)
		pop	ebp
		retn	0Ch
_KeSetHeteroCpuPolicyThread@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1293. KeSetIdealProcessorThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetIdealProcessorThread(x, x)
		public _KeSetIdealProcessorThread@8
_KeSetIdealProcessorThread@8 proc near	; CODE XREF: NtSetInformationThread+104120p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		mov	ecx, [ebp+arg_0]
		cmp	ecx, large fs:124h
		jnz	short loc_619A84
		mov	ax, [ecx+168h]
		jmp	short loc_619A8B
; 

loc_619A84:				; CODE XREF: KeSetIdealProcessorThread(x,x)+14j
		mov	ax, [ecx+158h]

loc_619A8B:				; CODE XREF: KeSetIdealProcessorThread(x,x)+1Dj
		mov	word ptr [ebp+arg_0], ax
		lea	edx, [ebp+arg_0]
		mov	al, [ebp+arg_4]
		mov	byte ptr [ebp+arg_0+2],	al
		lea	eax, [ebp+var_4]
		push	eax
		mov	byte ptr [ebp+arg_0+3],	0
		call	_KeSetIdealProcessorThreadByNumber@12 ;	KeSetIdealProcessorThreadByNumber(x,x,x)
		mov	al, byte ptr [ebp+var_4+2]
		leave
		retn	8
_KeSetIdealProcessorThread@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetIdealProcessorThreadByNumber(x, x, x)
_KeSetIdealProcessorThreadByNumber@12 proc near
					; CODE XREF: KeSetIdealProcessorThread(x,x)+3Bp
					; NtSetInformationThread+1044ECp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	edx
		mov	esi, ecx
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_619AD9
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	KeSetIdealProcessorThreadEx
		mov	ecx, [ebp+var_4]
		mov	edi, eax
		jmp	short loc_619AF5
; 

loc_619AD9:				; CODE XREF: KeSetIdealProcessorThreadByNumber(x,x,x)+17j
		mov	edi, 0C000000Dh
		cmp	esi, large fs:124h
		jnz	short loc_619AEF
		mov	ecx, [esi+16Ch]
		jmp	short loc_619AF5
; 

loc_619AEF:				; CODE XREF: KeSetIdealProcessorThreadByNumber(x,x,x)+39j
		mov	ecx, [esi+88h]

loc_619AF5:				; CODE XREF: KeSetIdealProcessorThreadByNumber(x,x,x)+2Bj
					; KeSetIdealProcessorThreadByNumber(x,x,x)+41j
		push	[ebp+arg_0]
		push	ecx
		call	_KeGetProcessorNumberFromIndex@8 ; KeGetProcessorNumberFromIndex(x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn	4
_KeSetIdealProcessorThreadByNumber@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1299. KeSetSystemAffinityThread

;  S U B	R O U T	I N E 


; __stdcall KeSetSystemAffinityThread(x)
		public _KeSetSystemAffinityThread@4
_KeSetSystemAffinityThread@4 proc near	; CODE XREF: VerifierKeSetSystemAffinityThread(x)j
					; DATA XREF: PAGEVRFD:_pXdvKeSetSystemAffinityThreado
		jmp	_KeSetSystemAffinityThreadEx@4 ; KeSetSystemAffinityThreadEx(x)
_KeSetSystemAffinityThread@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1300. KeSetSystemAffinityThreadEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetSystemAffinityThreadEx(x)
		public _KeSetSystemAffinityThreadEx@4
_KeSetSystemAffinityThreadEx@4 proc near ; CODE	XREF: KeSetSystemAffinityThread(x)j

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		xor	eax, eax
		cmp	ds:_KeForceGroupAwareness, 0
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		pop	edi
		jz	short loc_619B48
		mov	ax, ds:_KiActiveGroups
		dec	ax
		jmp	short loc_619B4A
; 

loc_619B48:				; CODE XREF: KeSetSystemAffinityThreadEx(x)+27j
		xor	eax, eax

loc_619B4A:				; CODE XREF: KeSetSystemAffinityThreadEx(x)+31j
		mov	[ebp+var_8], ax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	KeSetSystemGroupAffinityThread
		mov	eax, [ebp+var_18]
		leave
		retn	4
_KeSetSystemAffinityThreadEx@4 endp


;  S U B	R O U T	I N E 


; __stdcall KeSetUserHeteroCpuPolicyThread(x, x)
_KeSetUserHeteroCpuPolicyThread@8 proc near ; CODE XREF: NtSetInformationThread+10470Cp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	edx, edx
		inc	edx
		call	@KeQueryHeteroCpuPolicyThread@8	; KeQueryHeteroCpuPolicyThread(x,x)
		push	1
		push	1
		mov	edx, edi
		mov	ecx, ebx
		mov	esi, eax
		call	_KiSetHeteroPolicyThread@16 ; KiSetHeteroPolicyThread(x,x,x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_KeSetUserHeteroCpuPolicyThread@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeTryToFreezeThreadStack(x,	x)
_KeTryToFreezeThreadStack@8 proc near	; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+287p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		mov	ebx, edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		cmp	dword ptr [esi+150h], offset _KiInitialProcess
		jnz	short loc_619BAE
		xor	al, al
		jmp	short loc_619C10
; 

loc_619BAE:				; CODE XREF: KeTryToFreezeThreadStack(x,x)+20j
		push	edi
		lea	edi, [esi+2Ch]
		mov	[ebp+var_C], eax

loc_619BB5:				; CODE XREF: KeTryToFreezeThreadStack(x,x)+42j
		lock bts dword ptr [edi], 0
		jnb	short loc_619BCC

loc_619BBC:				; CODE XREF: KeTryToFreezeThreadStack(x,x)+40j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_619BBC
		jmp	short loc_619BB5
; 

loc_619BCC:				; CODE XREF: KeTryToFreezeThreadStack(x,x)+32j
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_4]
		call	KiAcquireThreadStateLock
		cmp	al, 4
		jbe	short loc_619BEA
		cmp	al, 5
		jz	short loc_619C14
		cmp	al, 7
		jz	short loc_619BEA
		cmp	al, 9
		jnz	short loc_619C26

loc_619BEA:				; CODE XREF: KeTryToFreezeThreadStack(x,x)+54j
					; KeTryToFreezeThreadStack(x,x)+5Cj ...
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_619BFB
		xor	ecx, ecx
		add	eax, 2224h
		lock and [eax],	ecx

loc_619BFB:				; CODE XREF: KeTryToFreezeThreadStack(x,x)+67j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_619C07
		xor	ecx, ecx
		lock and [eax],	ecx

loc_619C07:				; CODE XREF: KeTryToFreezeThreadStack(x,x)+78j
		mov	dword ptr [edi], 0
		xor	al, al

loc_619C0F:				; CODE XREF: KeTryToFreezeThreadStack(x,x)+A5j
		pop	edi

loc_619C10:				; CODE XREF: KeTryToFreezeThreadStack(x,x)+24j
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_619C14:				; CODE XREF: KeTryToFreezeThreadStack(x,x)+58j
		mov	ecx, esi
		call	_KiIsKernelStackSwappable@4 ; KiIsKernelStackSwappable(x)
		test	eax, eax
		jz	short loc_619BEA
		mov	al, [esi+55h]
		test	al, al
		jnz	short loc_619BEA

loc_619C26:				; CODE XREF: KeTryToFreezeThreadStack(x,x)+60j
		mov	eax, [ebp+var_4]
		mov	[ebx], eax
		mov	al, 1
		jmp	short loc_619C0F
_KeTryToFreezeThreadStack@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1217. KeQueryActiveProcessors

;  S U B	R O U T	I N E 


; __stdcall KeQueryActiveProcessors()
		public _KeQueryActiveProcessors@0
_KeQueryActiveProcessors@0 proc	near	; CODE XREF: VerifierKeQueryActiveProcessors()j
					; DATA XREF: PAGEVRFD:_pXdvKeQueryActiveProcessorso
		mov	eax, ds:dword_70E328
		retn
_KeQueryActiveProcessors@0 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1229. KeQueryMaximumProcessorCount

;  S U B	R O U T	I N E 


; __stdcall KeQueryMaximumProcessorCount()
		public _KeQueryMaximumProcessorCount@0
_KeQueryMaximumProcessorCount@0	proc near
		push	0
		call	KeQueryMaximumProcessorCountEx
		retn
_KeQueryMaximumProcessorCount@0	endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryNodeActiveDpcGangAffinity(x,	x, x)
_KeQueryNodeActiveDpcGangAffinity@12 proc near
					; CODE XREF: MiCombineAllPhysicalMemory(x)+100p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		pop	ebp
		retn	4
_KeQueryNodeActiveDpcGangAffinity@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiNonNumaQueryNodeCapacity(x, x)
_KiNonNumaQueryNodeCapacity@8 proc near	; CODE XREF: KiPerformGroupConfiguration+59p
					; DATA XREF: .data:_KiNumaQueryNodeCapacityo

arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jz	short loc_619C6D
		mov	eax, 0C0000225h
		jmp	short loc_619C79
; 

loc_619C6D:				; CODE XREF: KiNonNumaQueryNodeCapacity(x,x)+Aj
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_KiMaximumGroupSize
		mov	[ecx], eax
		xor	eax, eax

loc_619C79:				; CODE XREF: KiNonNumaQueryNodeCapacity(x,x)+11j
		pop	ebp
		retn	8
_KiNonNumaQueryNodeCapacity@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiNonNumaQueryNodeDistance(x, x, x)
_KiNonNumaQueryNodeDistance@12 proc near ; CODE	XREF: KiPerformGroupConfiguration+10Cp
					; DATA XREF: .data:_KiNumaQueryNodeDistanceo

arg_0		= word ptr  8
arg_4		= word ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_619C9A
		cmp	[ebp+arg_4], 0
		jnz	short loc_619C9A
		mov	eax, [ebp+arg_8]
		and	dword ptr [eax], 0
		xor	eax, eax
		jmp	short loc_619C9F
; 

loc_619C9A:				; CODE XREF: KiNonNumaQueryNodeDistance(x,x,x)+Aj
					; KiNonNumaQueryNodeDistance(x,x,x)+11j
		mov	eax, 0C0000225h

loc_619C9F:				; CODE XREF: KiNonNumaQueryNodeDistance(x,x,x)+1Bj
		pop	ebp
		retn	0Ch
_KiNonNumaQueryNodeDistance@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiQueryProximityNode(x, x)
_KiQueryProximityNode@8	proc near	; DATA XREF: KeNumaInitialize()+5Fo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_KiNumaQueryProximityNode
_KiQueryProximityNode@8	endp


;  S U B	R O U T	I N E 


; __stdcall KiRemoveProcessorFromGroupDatabase(x)
_KiRemoveProcessorFromGroupDatabase@4 proc near
					; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+467p
					; KeStartAllProcessors+257A1p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+338h]
		mov	eax, [esi+3C8h]
		not	eax
		movzx	edx, word ptr [ecx+88h]
		and	ds:_KiGroupBlock[edx*8], eax
		jnz	short loc_619CD7
		call	_KiUncommitNodeAssignment@4 ; KiUncommitNodeAssignment(x)

loc_619CD7:				; CODE XREF: KiRemoveProcessorFromGroupDatabase(x)+21j
		mov	eax, [esi+3CCh]
		movzx	ecx, byte ptr [esi+3C5h]
		shl	ecx, 6
		and	ds:_KiProcessorIndexToNumberMappingTable[eax*4], 0
		movzx	eax, byte ptr [esi+3C4h]
		add	ecx, eax
		pop	esi
		and	ds:_KiProcessorNumberToIndexMappingTable[ecx*4], 0
		retn
_KiRemoveProcessorFromGroupDatabase@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiUncommitNodeAssignment(x)
_KiUncommitNodeAssignment@4 proc near	; CODE XREF: KiRemoveProcessorFromGroupDatabase(x)+23p
		mov	ax, ds:_KeNumberNodes
		push	edi
		movzx	edi, word ptr [ecx+88h]
		xor	ecx, ecx
		cmp	cx, ax
		jnb	short loc_619D4F
		push	esi
		mov	ecx, offset _KeNodeBlock
		movzx	esi, ax

loc_619D20:				; CODE XREF: KiUncommitNodeAssignment(x)+4Aj
		mov	eax, [ecx]
		mov	dl, [eax+0A5h]
		test	dl, 2
		jz	short loc_619D3F
		cmp	[eax+88h], di
		jnz	short loc_619D3F
		and	dl, 0FBh
		mov	[eax+0A5h], dl

loc_619D3F:				; CODE XREF: KiUncommitNodeAssignment(x)+29j
					; KiUncommitNodeAssignment(x)+32j
		and	dword ptr [eax+80h], 0
		add	ecx, 4
		sub	esi, 1
		jnz	short loc_619D20
		pop	esi

loc_619D4F:				; CODE XREF: KiUncommitNodeAssignment(x)+13j
		mov	eax, 0FFFFh
		add	ds:word_6D4E28,	ax
		pop	edi
		retn
_KiUncommitNodeAssignment@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeCheckForTimer(x, x)
_KeCheckForTimer@8 proc	near		; CODE XREF: ExpFreePoolChecks+D1CCFp
					; ExFreeHeapPool+C7563p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		test	ds:_KeTimerCheckFlags, 1
		push	esi
		mov	esi, ecx
		jz	loc_619E75
		push	edi
		lea	edi, [esi+edx]
		push	0FFFFh
		mov	[ebp+var_20], edi
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		and	[ebp+var_18], 0
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_619E74
		mov	ecx, offset _KiProcessorBlock
		mov	[ebp+var_10], ecx
		push	ebx

loc_619D9E:				; CODE XREF: KeCheckForTimer(x,x)+110j
		xor	ebx, ebx

loc_619DA0:				; CODE XREF: KeCheckForTimer(x,x)+FAj
		mov	eax, [ecx]
		and	[ebp+var_14], 0
		add	eax, 22A0h
		add	eax, ebx
		mov	[ebp+var_C], eax
		add	eax, 4
		mov	[ebp+var_8], eax

loc_619DB6:				; CODE XREF: KeCheckForTimer(x,x)+E8j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	[ebp+var_1C], 0
		mov	edi, [ebp+var_C]
		mov	[ebp+var_1], al

loc_619DC8:				; CODE XREF: KeCheckForTimer(x,x)+80j
		lock bts dword ptr [edi], 0
		jnb	short loc_619DDF

loc_619DCF:				; CODE XREF: KeCheckForTimer(x,x)+7Ej
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_619DCF
		jmp	short loc_619DC8
; 

loc_619DDF:				; CODE XREF: KeCheckForTimer(x,x)+70j
		mov	eax, [ebp+var_8]
		mov	edi, [ebp+var_20]
		mov	edx, [eax]
		cmp	edx, eax
		jz	short loc_619E20
		lea	ecx, [esi-28h]

loc_619DEE:				; CODE XREF: KeCheckForTimer(x,x)+C1j
		lea	eax, [edx-18h]
		mov	edx, [edx]
		cmp	eax, ecx
		jbe	short loc_619DFB
		cmp	eax, edi
		jb	short loc_619E78

loc_619DFB:				; CODE XREF: KeCheckForTimer(x,x)+98j
		mov	ecx, [eax+20h]
		test	ecx, ecx
		jz	short loc_619E18
		lea	eax, [esi-20h]
		cmp	ecx, eax
		jbe	short loc_619E0D
		cmp	ecx, edi
		jb	short loc_619E87

loc_619E0D:				; CODE XREF: KeCheckForTimer(x,x)+AAj
		mov	eax, [ecx+0Ch]
		cmp	eax, esi
		jb	short loc_619E18
		cmp	eax, edi
		jb	short loc_619E8E

loc_619E18:				; CODE XREF: KeCheckForTimer(x,x)+A3j
					; KeCheckForTimer(x,x)+B5j
		lea	ecx, [esi-28h]
		cmp	edx, [ebp+var_8]
		jnz	short loc_619DEE

loc_619E20:				; CODE XREF: KeCheckForTimer(x,x)+8Cj
		mov	eax, [ebp+var_C]
		xor	ecx, ecx
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_14]
		add	[ebp+var_8], 18h
		inc	eax
		add	[ebp+var_C], 18h
		mov	[ebp+var_14], eax
		cmp	eax, 100h
		jb	loc_619DB6
		mov	ecx, [ebp+var_10]
		mov	edx, 1800h
		add	ebx, edx
		cmp	ebx, edx
		jb	loc_619DA0
		mov	eax, [ebp+var_18]
		add	ecx, 4
		inc	eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_18], eax
		cmp	eax, [ebp+var_24]
		jb	loc_619D9E
		pop	ebx

loc_619E74:				; CODE XREF: KeCheckForTimer(x,x)+32j
		pop	edi

loc_619E75:				; CODE XREF: KeCheckForTimer(x,x)+12j
		pop	esi
		leave
		retn
; 

loc_619E78:				; CODE XREF: KeCheckForTimer(x,x)+9Cj
		push	edi
		push	esi
		push	eax
		push	0

loc_619E7D:				; CODE XREF: KeCheckForTimer(x,x)+12Fj
					; KeCheckForTimer(x,x)+136j
		push	0C7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_619E87:				; CODE XREF: KeCheckForTimer(x,x)+AEj
		push	edi
		push	esi
		push	ecx
		push	1
		jmp	short loc_619E7D
; 

loc_619E8E:				; CODE XREF: KeCheckForTimer(x,x)+B9j
		push	edi
		push	esi
		push	eax
		push	2
		jmp	short loc_619E7D
_KeCheckForTimer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryTimerDueTime(x)
_KeQueryTimerDueTime@4 proc near	; CODE XREF: ExGetNextWakeTimeForDeepSleep()+30p
					; ExGetWakeTimerList(x,x)+27Dp	...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	ebx, edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		test	byte ptr [esi+3], 40h
		jz	short loc_619EC0
		mov	edi, [esi+10h]
		mov	ebx, [esi+14h]

loc_619EC0:				; CODE XREF: KeQueryTimerDueTime(x)+23j
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		mov	edx, ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KeQueryTimerDueTime@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 127. KeAcquireInStackQueuedSpinLockRaiseToSynch

;  S U B	R O U T	I N E 


; __fastcall KeAcquireInStackQueuedSpinLockRaiseToSynch(x, x)
		public @KeAcquireInStackQueuedSpinLockRaiseToSynch@8
@KeAcquireInStackQueuedSpinLockRaiseToSynch@8 proc near
					; CODE XREF: VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchCommon(x,x,x)+4Cp
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		and	dword ptr [esi], 0
		mov	[esi+4], edi
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	[esi+8], al
		test	ds:byte_70EFC6,	21h
		jz	short loc_619F0A
		mov	edx, edi
		mov	ecx, esi
		pop	edi
		pop	esi
		jmp	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
; 

loc_619F0A:				; CODE XREF: KeAcquireInStackQueuedSpinLockRaiseToSynch(x,x)+1Ej
		mov	edx, esi
		xchg	edx, [edi]
		pop	edi
		test	edx, edx
		jz	short loc_619F1B
		mov	ecx, esi
		pop	esi
		jmp	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
; 

loc_619F1B:				; CODE XREF: KeAcquireInStackQueuedSpinLockRaiseToSynch(x,x)+32j
		pop	esi
		retn
@KeAcquireInStackQueuedSpinLockRaiseToSynch@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 129. KeAcquireQueuedSpinLockRaiseToSynch

;  S U B	R O U T	I N E 


; __fastcall KeAcquireQueuedSpinLockRaiseToSynch(x)
		public @KeAcquireQueuedSpinLockRaiseToSynch@4
@KeAcquireQueuedSpinLockRaiseToSynch@4 proc near
					; CODE XREF: VerifierKeAcquireQueuedSpinLockRaiseToSynch(x)+33p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	edx, large fs:20h
		add	esi, 83h
		mov	bl, al
		lea	ecx, [edx+esi*8]
		mov	esi, [ecx+4]
		test	ds:byte_70EFC6,	21h
		jz	short loc_619F55
		mov	edx, esi
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_619F62
; 

loc_619F55:				; CODE XREF: KeAcquireQueuedSpinLockRaiseToSynch(x)+28j
		mov	edx, ecx
		xchg	edx, [esi]
		test	edx, edx
		jz	short loc_619F62
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_619F62:				; CODE XREF: KeAcquireQueuedSpinLockRaiseToSynch(x)+31j
					; KeAcquireQueuedSpinLockRaiseToSynch(x)+39j
		pop	esi
		mov	al, bl
		pop	ebx
		retn
@KeAcquireQueuedSpinLockRaiseToSynch@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KeReleaseQueuedSpinLockFromDpcLevel(x)
@KeReleaseQueuedSpinLockFromDpcLevel@4 proc near ; CODE	XREF: sub_59C2E7+D3p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	ds:byte_70EFC6,	1
		push	esi
		mov	esi, ecx
		jz	short loc_619F83
		mov	edx, [ebp+4]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_619FAE
; 

loc_619F83:				; CODE XREF: KeReleaseQueuedSpinLockFromDpcLevel(x)+10j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_619F9F
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_619FAE
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_619F9F:				; CODE XREF: KeReleaseQueuedSpinLockFromDpcLevel(x)+20j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_619FAE:				; CODE XREF: KeReleaseQueuedSpinLockFromDpcLevel(x)+1Aj
					; KeReleaseQueuedSpinLockFromDpcLevel(x)+2Fj
		pop	esi
		pop	ecx
		pop	ebp
		retn
@KeReleaseQueuedSpinLockFromDpcLevel@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 145. KeTryToAcquireQueuedSpinLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KeTryToAcquireQueuedSpinLock(x, x)
		public @KeTryToAcquireQueuedSpinLock@8
@KeTryToAcquireQueuedSpinLock@8	proc near

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, large fs:20h
		mov	bl, al
		lea	ecx, [esi+418h]
		lea	ecx, [ecx+edi*8]
		mov	edx, [ecx+4]
		call	@KxTryToAcquireQueuedSpinLock@8	; KxTryToAcquireQueuedSpinLock(x,x)
		test	eax, eax
		jnz	short loc_619FF5
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		jmp	short loc_619FFD
; 

loc_619FF5:				; CODE XREF: KeTryToAcquireQueuedSpinLock(x,x)+30j
		mov	eax, [ebp+var_4]
		mov	[eax], bl
		xor	eax, eax
		inc	eax

loc_619FFD:				; CODE XREF: KeTryToAcquireQueuedSpinLock(x,x)+3Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@KeTryToAcquireQueuedSpinLock@8	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 146. KeTryToAcquireQueuedSpinLockRaiseToSynch

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KeTryToAcquireQueuedSpinLockRaiseToSynch(x, x)
		public @KeTryToAcquireQueuedSpinLockRaiseToSynch@8
@KeTryToAcquireQueuedSpinLockRaiseToSynch@8 proc near
					; CODE XREF: VerifierKeTryToAcquireQueuedSpinLockRaiseToSynch(x,x)+38p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	esi, large fs:20h
		mov	bl, al
		lea	ecx, [esi+418h]
		lea	ecx, [ecx+edi*8]
		mov	edx, [ecx+4]
		call	@KxTryToAcquireQueuedSpinLock@8	; KxTryToAcquireQueuedSpinLock(x,x)
		test	eax, eax
		jnz	short loc_61A045
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		jmp	short loc_61A04D
; 

loc_61A045:				; CODE XREF: KeTryToAcquireQueuedSpinLockRaiseToSynch(x,x)+30j
		mov	eax, [ebp+var_4]
		mov	[eax], bl
		xor	eax, eax
		inc	eax

loc_61A04D:				; CODE XREF: KeTryToAcquireQueuedSpinLockRaiseToSynch(x,x)+3Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@KeTryToAcquireQueuedSpinLockRaiseToSynch@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiAcquireQueuedSpinLockInstrumented(x, x)
@KiAcquireQueuedSpinLockInstrumented@8 proc near ; CODE	XREF: MiCopyOnWrite(x,x,x,x)+57Ap
					; MiAgePte(x,x,x)+86p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, large fs:20h
		xor	ebx, ebx
		test	ds:byte_70EFC6,	1
		mov	eax, edx
		push	edi
		mov	[ebp+var_C], eax
		mov	edi, ebx
		mov	[ebp+var_8], ebx
		jz	short loc_61A08D
		mov	ebx, [esi+4A0h]
		rdtsc
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_1], 1
		jmp	short loc_61A090
; 

loc_61A08D:				; CODE XREF: KiAcquireQueuedSpinLockInstrumented(x,x)+25j
		mov	[ebp+var_1], bl

loc_61A090:				; CODE XREF: KiAcquireQueuedSpinLockInstrumented(x,x)+39j
		inc	dword ptr [esi+40A0h]
		mov	edx, ecx
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_61A0B2
		push	ecx
		call	@KxWaitForLockOwnerShipWithIrql@12 ; KxWaitForLockOwnerShipWithIrql(x,x,x)
		inc	dword ptr [esi+40A4h]
		mov	edi, eax
		add	[esi+40A8h], edi

loc_61A0B2:				; CODE XREF: KiAcquireQueuedSpinLockInstrumented(x,x)+4Aj
		cmp	[ebp+var_1], 0
		jz	short loc_61A0CF
		push	1
		rdtsc
		push	ebx
		mov	ecx, edx
		mov	edx, eax
		sub	edx, [ebp+var_8]
		push	edi
		push	ecx
		mov	ecx, [ebp+var_C]
		push	eax
		call	@PerfLogSpinLockAcquire@28 ; PerfLogSpinLockAcquire(x,x,x,x,x,x,x)

loc_61A0CF:				; CODE XREF: KiAcquireQueuedSpinLockInstrumented(x,x)+64j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@KiAcquireQueuedSpinLockInstrumented@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiReleaseQueuedSpinLockInstrumented(x, x)
@KiReleaseQueuedSpinLockInstrumented@8 proc near
					; CODE XREF: AlpcpQueueIoCompletionPort(x,x,x,x)+56p
					; MiCopyOnWrite(x,x,x,x)+5BBp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		rdtsc
		mov	[esp+18h+var_4], eax
		mov	[esp+18h+var_8], edx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_61A110
		mov	ecx, [edi+4]
		xor	esi, esi
		mov	eax, edi
		lock cmpxchg [ecx], esi
		cmp	eax, edi
		jz	short loc_61A11F
		mov	ecx, edi
		call	KxWaitForLockChainValid
		mov	edx, [esp+18h+var_8]

loc_61A110:				; CODE XREF: KiReleaseQueuedSpinLockInstrumented(x,x)+20j
		xor	ecx, ecx
		mov	dword ptr [edi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_61A11F:				; CODE XREF: KiReleaseQueuedSpinLockInstrumented(x,x)+2Fj
		mov	ecx, [edi+4]
		push	edx
		push	[esp+1Ch+var_4]
		mov	edx, ebx
		call	@PerfLogSpinLockRelease@16 ; PerfLogSpinLockRelease(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
@KiReleaseQueuedSpinLockInstrumented@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiTryToAcquireQueuedSpinLockInstrumented(x, x)
@KiTryToAcquireQueuedSpinLockInstrumented@8 proc near
					; CODE XREF: KxTryToAcquireQueuedSpinLock(x,x):loc_4BDE3Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, large fs:20h
		mov	ebx, ecx
		test	ds:byte_70EFC6,	1
		push	edi
		mov	edi, edx
		jz	short loc_61A16E
		rdtsc
		mov	[ebp+var_8], eax
		mov	cl, 1
		mov	eax, [esi+4A0h]
		mov	[ebp+var_4], eax
		jmp	short loc_61A170
; 

loc_61A16E:				; CODE XREF: KiTryToAcquireQueuedSpinLockInstrumented(x,x)+25j
		xor	cl, cl

loc_61A170:				; CODE XREF: KiTryToAcquireQueuedSpinLockInstrumented(x,x)+37j
		cmp	dword ptr [edi], 0
		jnz	short loc_61A1A7
		xor	eax, eax
		lock cmpxchg [edi], ebx
		test	eax, eax
		jnz	short loc_61A1A7
		inc	dword ptr [esi+40A0h]
		test	cl, cl
		jz	short loc_61A1A2
		push	1
		push	[ebp+var_4]
		rdtsc
		mov	ecx, edx
		mov	edx, eax
		sub	edx, [ebp+var_8]
		push	0
		push	ecx
		push	eax
		mov	ecx, edi
		call	@PerfLogSpinLockAcquire@28 ; PerfLogSpinLockAcquire(x,x,x,x,x,x,x)

loc_61A1A2:				; CODE XREF: KiTryToAcquireQueuedSpinLockInstrumented(x,x)+52j
		xor	eax, eax
		inc	eax
		jmp	short loc_61A1AB
; 

loc_61A1A7:				; CODE XREF: KiTryToAcquireQueuedSpinLockInstrumented(x,x)+3Ej
					; KiTryToAcquireQueuedSpinLockInstrumented(x,x)+48j
		pause
		xor	eax, eax

loc_61A1AB:				; CODE XREF: KiTryToAcquireQueuedSpinLockInstrumented(x,x)+70j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@KiTryToAcquireQueuedSpinLockInstrumented@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KxWaitForLockOwnerShipWithIrql(x, x, x)
@KxWaitForLockOwnerShipWithIrql@12 proc	near
					; CODE XREF: KiAcquireQueuedSpinLockInstrumented(x,x)+4Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		or	dword ptr [esi+4], 1
		and	[ebp+var_4], 0
		mov	[edx], esi

loc_61A1C3:				; CODE XREF: KxWaitForLockOwnerShipWithIrql(x,x,x)+20j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi+4]
		test	al, 1
		jnz	short loc_61A1C3
		mov	eax, [ebp+var_4]
		pop	esi
		leave
		retn	4
@KxWaitForLockOwnerShipWithIrql@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 126. KeAcquireInStackQueuedSpinLockForDpc

;  S U B	R O U T	I N E 


; __fastcall KeAcquireInStackQueuedSpinLockForDpc(x, x)
		public @KeAcquireInStackQueuedSpinLockForDpc@8
@KeAcquireInStackQueuedSpinLockForDpc@8	proc near
		mov	edi, edi
		push	esi
		mov	esi, edx
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jz	short loc_61A1F3
		pop	esi
		jmp	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
; 

loc_61A1F3:				; CODE XREF: KeAcquireInStackQueuedSpinLockForDpc(x,x)+Cj
		and	dword ptr [esi], 0
		mov	[esi+4], ecx
		test	ds:byte_70EFC6,	21h
		jz	short loc_61A20C
		mov	edx, ecx
		mov	ecx, esi
		pop	esi
		jmp	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
; 

loc_61A20C:				; CODE XREF: KeAcquireInStackQueuedSpinLockForDpc(x,x)+21j
		xchg	edx, [ecx]
		test	edx, edx
		jz	short loc_61A21A
		mov	ecx, esi
		pop	esi
		jmp	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
; 

loc_61A21A:				; CODE XREF: KeAcquireInStackQueuedSpinLockForDpc(x,x)+31j
		pop	esi
		retn
@KeAcquireInStackQueuedSpinLockForDpc@8	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 130. KeAcquireSpinLockForDpc

;  S U B	R O U T	I N E 


; __fastcall KeAcquireSpinLockForDpc(x)
		public @KeAcquireSpinLockForDpc@4
@KeAcquireSpinLockForDpc@4 proc	near
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jz	short loc_61A23A
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		jmp	short loc_61A23C
; 

loc_61A23A:				; CODE XREF: KeAcquireSpinLockForDpc(x)+Dj
		mov	bl, 2

loc_61A23C:				; CODE XREF: KeAcquireSpinLockForDpc(x)+17j
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		pop	esi
		mov	al, bl
		pop	ebx
		retn
@KeAcquireSpinLockForDpc@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 139. KeReleaseInStackQueuedSpinLockForDpc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KeReleaseInStackQueuedSpinLockForDpc(x)
		public @KeReleaseInStackQueuedSpinLockForDpc@4
@KeReleaseInStackQueuedSpinLockForDpc@4	proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jz	short loc_61A2A7
		test	ds:byte_70EFC6,	1
		jz	short loc_61A271
		mov	edx, [ebp+4]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_61A29C
; 

loc_61A271:				; CODE XREF: KeReleaseInStackQueuedSpinLockForDpc(x)+18j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_61A28D
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_61A29C
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_61A28D:				; CODE XREF: KeReleaseInStackQueuedSpinLockForDpc(x)+28j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_61A29C:				; CODE XREF: KeReleaseInStackQueuedSpinLockForDpc(x)+22j
					; KeReleaseInStackQueuedSpinLockForDpc(x)+37j
		mov	cl, [esi+8]
		pop	esi
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_61A2A7:				; CODE XREF: KeReleaseInStackQueuedSpinLockForDpc(x)+Fj
		test	ds:byte_70EFC6,	1
		jz	short loc_61A2BA
		mov	edx, [ebp+4]
		pop	esi
		pop	ebp
		jmp	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
; 

loc_61A2BA:				; CODE XREF: KeReleaseInStackQueuedSpinLockForDpc(x)+61j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_61A2D6
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_61A2E5
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_61A2D6:				; CODE XREF: KeReleaseInStackQueuedSpinLockForDpc(x)+71j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_61A2E5:				; CODE XREF: KeReleaseInStackQueuedSpinLockForDpc(x)+80j
		pop	esi
		pop	ebp
		retn
@KeReleaseInStackQueuedSpinLockForDpc@4	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 142. KeReleaseSpinLockForDpc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KeReleaseSpinLockForDpc(x,	x)
		public @KeReleaseSpinLockForDpc@8
@KeReleaseSpinLockForDpc@8 proc	near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bl, dl
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jz	short loc_61A320
		test	ds:byte_70EFC6,	1
		jz	short loc_61A311
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61A316
; 

loc_61A311:				; CODE XREF: KeReleaseSpinLockForDpc(x,x)+18j
		xor	eax, eax
		lock and [ecx],	eax

loc_61A316:				; CODE XREF: KeReleaseSpinLockForDpc(x,x)+22j
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_61A320:				; CODE XREF: KeReleaseSpinLockForDpc(x,x)+Fj
		test	ds:byte_70EFC6,	1
		jz	short loc_61A333
		mov	edx, [ebp+4]
		pop	ebx
		pop	ebp
		jmp	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
; 

loc_61A333:				; CODE XREF: KeReleaseSpinLockForDpc(x,x)+3Aj
		xor	eax, eax
		lock and [ecx],	eax
		pop	ebx
		pop	ebp
		retn
@KeReleaseSpinLockForDpc@8 endp

; 
		align 10h
; Exported entry 131. KeAcquireSpinLockRaiseToSynch

;  S U B	R O U T	I N E 


; __fastcall KeAcquireSpinLockRaiseToSynch(x)
		public @KeAcquireSpinLockRaiseToSynch@4
@KeAcquireSpinLockRaiseToSynch@4 proc near
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		pop	esi
		mov	al, bl
		pop	ebx
		retn
@KeAcquireSpinLockRaiseToSynch@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiAcquireSpinLockInstrumented(x)
@KiAcquireSpinLockInstrumented@4 proc near ; CODE XREF:	KxAcquireSpinLock(x)+7j
					; .text:00522CF4p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, large fs:20h
		test	ds:byte_70EFC6,	1
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		jz	short loc_61A394
		rdtsc
		mov	[ebp+var_C], eax
		mov	bl, 1
		mov	eax, [esi+4A0h]
		mov	[ebp+var_4], eax
		jmp	short loc_61A396
; 

loc_61A394:				; CODE XREF: KiAcquireSpinLockInstrumented(x)+26j
		mov	bl, al

loc_61A396:				; CODE XREF: KiAcquireSpinLockInstrumented(x)+38j
		inc	dword ptr [esi+40A0h]
		lock bts dword ptr [edi], 0
		jnb	short loc_61A3B7
		call	KxWaitForSpinLockAndAcquire
		inc	dword ptr [esi+40A4h]
		add	[esi+40A8h], eax
		mov	[ebp+var_8], eax

loc_61A3B7:				; CODE XREF: KiAcquireSpinLockInstrumented(x)+47j
		test	bl, bl
		jz	short loc_61A3D5
		push	0
		push	[ebp+var_4]
		rdtsc
		push	[ebp+var_8]
		mov	ecx, edx
		mov	edx, eax
		sub	edx, [ebp+var_C]
		push	ecx
		push	eax
		mov	ecx, edi
		call	@PerfLogSpinLockAcquire@28 ; PerfLogSpinLockAcquire(x,x,x,x,x,x,x)

loc_61A3D5:				; CODE XREF: KiAcquireSpinLockInstrumented(x)+5Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@KiAcquireSpinLockInstrumented@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiReleaseSpinLockInstrumented(x, x)
@KiReleaseSpinLockInstrumented@8 proc near
					; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+34Ep
					; MiCompleteProtoPteFault(x,x,x,x,x,x)+649p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, edx
		xor	eax, eax
		lock and [ecx],	eax
		rdtsc
		push	edx
		push	eax
		mov	edx, esi
		call	@PerfLogSpinLockRelease@16 ; PerfLogSpinLockRelease(x,x,x,x)
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
@KiReleaseSpinLockInstrumented@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiTryToAcquireSpinLockInstrumented(x)
@KiTryToAcquireSpinLockInstrumented@4 proc near
					; CODE XREF: KeTryToAcquireSpinLockAtDpcLevel(x)+7j
					; sub_5FB8A3+7Cp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, large fs:20h
		inc	ebx
		push	edi
		mov	edi, ecx
		test	ds:byte_70EFC6,	bl
		jz	short loc_61A434
		rdtsc
		mov	[ebp+var_8], eax
		mov	cl, bl
		mov	eax, [esi+4A0h]
		mov	[ebp+var_4], eax
		jmp	short loc_61A436
; 

loc_61A434:				; CODE XREF: KiTryToAcquireSpinLockInstrumented(x)+25j
		xor	cl, cl

loc_61A436:				; CODE XREF: KiTryToAcquireSpinLockInstrumented(x)+37j
		lock bts dword ptr [edi], 0
		jnb	short loc_61A443
		xor	bl, bl
		pause
		jmp	short loc_61A466
; 

loc_61A443:				; CODE XREF: KiTryToAcquireSpinLockInstrumented(x)+40j
		inc	dword ptr [esi+40A0h]
		test	cl, cl
		jz	short loc_61A466
		push	0
		push	[ebp+var_4]
		rdtsc
		mov	ecx, edx
		mov	edx, eax
		sub	edx, [ebp+var_8]
		push	0
		push	ecx
		push	eax
		mov	ecx, edi
		call	@PerfLogSpinLockAcquire@28 ; PerfLogSpinLockAcquire(x,x,x,x,x,x,x)

loc_61A466:				; CODE XREF: KiTryToAcquireSpinLockInstrumented(x)+46j
					; KiTryToAcquireSpinLockInstrumented(x)+50j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
@KiTryToAcquireSpinLockInstrumented@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1089. KeAcquireSpinLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAcquireSpinLock(x, x)
		public _KeAcquireSpinLock@8
_KeAcquireSpinLock@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp+arg_0]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx], bl
		pop	ebx
		pop	ebp
		retn	8
_KeAcquireSpinLock@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1090. KeAcquireSpinLockAtDpcLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAcquireSpinLockAtDpcLevel(x)
		public _KeAcquireSpinLockAtDpcLevel@4
_KeAcquireSpinLockAtDpcLevel@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		pop	ebp
		retn	4
_KeAcquireSpinLockAtDpcLevel@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1258. KeReleaseSpinLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeReleaseSpinLock(x, x)
		public _KeReleaseSpinLock@8
_KeReleaseSpinLock@8 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ds:byte_70EFC6,	1
		jz	short loc_61A4C8
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61A4D0
; 

loc_61A4C8:				; CODE XREF: KeReleaseSpinLock(x,x)+Cj
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_61A4D0:				; CODE XREF: KeReleaseSpinLock(x,x)+19j
		mov	cl, [ebp+arg_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebp
		retn	8
_KeReleaseSpinLock@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1259. KeReleaseSpinLockFromDpcLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeReleaseSpinLockFromDpcLevel(x)
		public _KeReleaseSpinLockFromDpcLevel@4
_KeReleaseSpinLockFromDpcLevel@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ds:byte_70EFC6,	1
		jz	short loc_61A4FD
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61A505
; 

loc_61A4FD:				; CODE XREF: KeReleaseSpinLockFromDpcLevel(x)+Cj
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_61A505:				; CODE XREF: KeReleaseSpinLockFromDpcLevel(x)+19j
		pop	ebp
		retn	4
_KeReleaseSpinLockFromDpcLevel@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 134. KeInvalidateRangeAllCaches

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KeInvalidateRangeAllCaches(x, x)
		public @KeInvalidateRangeAllCaches@8
@KeInvalidateRangeAllCaches@8 proc near	; CODE XREF: KiFlushRangeAllCaches(x,x,x,x,x)+66p
					; MiFlushFileOnlyMdl(x,x,x,x)+63p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_KeFeatureBits
		push	ebx
		push	esi
		and	eax, 40000h
		mov	esi, edx
		or	eax, 0
		push	edi
		mov	edi, ecx
		jz	short loc_61A58A
		cmp	esi, ds:_KiLargestCacheSize
		jnb	short loc_61A58A
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 1Fh
		jnb	short loc_61A581
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	ecx, ds:_KeNumberProcessors
		sub	ecx, 1
		jz	short loc_61A579
		xor	eax, eax
		xor	ecx, ecx
		push	eax
		push	eax
		push	eax
		push	offset _KiInvalidateRangeAllCachesTarget@16 ; KiInvalidateRangeAllCachesTarget(x,x,x,x)
		xor	edx, edx
		inc	ecx
		call	_KiIpiSendPacket@24 ; KiIpiSendPacket(x,x,x,x,x,x)
		mov	ecx, large fs:20h
		jmp	short loc_61A56F
; 

loc_61A56D:				; CODE XREF: KeInvalidateRangeAllCaches(x,x)+69j
		pause

loc_61A56F:				; CODE XREF: KeInvalidateRangeAllCaches(x,x)+5Dj
		mov	eax, [ecx+2120h]
		test	eax, eax
		jnz	short loc_61A56D

loc_61A579:				; CODE XREF: KeInvalidateRangeAllCaches(x,x)+40j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_61A581:				; CODE XREF: KeInvalidateRangeAllCaches(x,x)+2Fj
		push	esi
		push	edi
		call	KeInvalidateRangeAllCachesNoIpi
		jmp	short loc_61A58F
; 

loc_61A58A:				; CODE XREF: KeInvalidateRangeAllCaches(x,x)+1Aj
					; KeInvalidateRangeAllCaches(x,x)+22j
		call	KeInvalidateAllCaches

loc_61A58F:				; CODE XREF: KeInvalidateRangeAllCaches(x,x)+7Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@KeInvalidateRangeAllCaches@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KeCheckAndApplyBamQos(x, x)
@KeCheckAndApplyBamQos@8 proc near	; CODE XREF: KiCheckForPendingQosUpdate+12EACBj
					; PsImpersonateContainerOfThread+B7730p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_KeHeteroSystemQos, 0
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jz	loc_61A65C
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	esi, [esi+244h]
		movzx	ecx, byte ptr [edi+4D8h]
		and	esi, 0FFh
		mov	[ebp+var_1], al
		cmp	esi, ecx
		jz	loc_61A655
		xor	ecx, ecx
		inc	ecx
		cmp	esi, 2
		jz	short loc_61A5DE
		cmp	esi, ecx
		jz	short loc_61A5DE
		xor	cl, cl

loc_61A5DE:				; CODE XREF: KeCheckAndApplyBamQos(x,x)+42j
					; KeCheckAndApplyBamQos(x,x)+46j
		mov	eax, [edi+338h]
		movzx	edx, byte ptr [edi+3C4h]
		add	eax, 108h
		test	cl, cl
		jz	short loc_61A5FA
		lock bts [eax],	edx
		jmp	short loc_61A5FE
; 

loc_61A5FA:				; CODE XREF: KeCheckAndApplyBamQos(x,x)+5Ej
		lock btr [eax],	edx

loc_61A5FE:				; CODE XREF: KeCheckAndApplyBamQos(x,x)+64j
		push	ebx
		mov	ebx, [edi+4D8h]
		mov	edx, esi
		mov	ecx, edi
		and	ebx, 300h
		call	_PoSetProcessorQoS@8 ; PoSetProcessorQoS(x,x)
		mov	ecx, [edi+4D8h]
		and	ecx, 0FFFFFCFFh
		test	al, al
		jnz	short loc_61A62E
		and	esi, 3
		shl	esi, 8
		or	esi, ecx
		jmp	short loc_61A630
; 

loc_61A62E:				; CODE XREF: KeCheckAndApplyBamQos(x,x)+8Ej
		mov	esi, ecx

loc_61A630:				; CODE XREF: KeCheckAndApplyBamQos(x,x)+98j
		mov	[edi+4D8h], esi
		and	esi, 300h
		neg	esi
		sbb	esi, esi
		xor	eax, eax
		neg	esi
		test	ebx, ebx
		pop	ebx
		setnz	al
		cmp	eax, esi
		jz	short loc_61A655
		mov	ecx, edi
		call	_KeUpdatePendingQosRequest@4 ; KeUpdatePendingQosRequest(x)

loc_61A655:				; CODE XREF: KeCheckAndApplyBamQos(x,x)+36j
					; KeCheckAndApplyBamQos(x,x)+B8j
		cmp	[ebp+var_1], 0
		jz	short loc_61A65C
		sti

loc_61A65C:				; CODE XREF: KeCheckAndApplyBamQos(x,x)+13j
					; KeCheckAndApplyBamQos(x,x)+C5j
		pop	edi
		pop	esi
		leave
		retn
@KeCheckAndApplyBamQos@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiFindRankBiasedIdleSmtSet(x, x)
@KiFindRankBiasedIdleSmtSet@8 proc near	; CODE XREF: KiChooseTargetProcessor+C8984p
					; KiTryLocalThreadSchedule+C8812p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+338h]
		push	ebx
		push	esi
		add	eax, 0Ch
		mov	ebx, edx
		push	edi
		push	0
		pop	edi
		mov	esi, [eax]
		and	esi, [ebx]
		jz	short loc_61A6D7

loc_61A67E:				; CODE XREF: KiFindRankBiasedIdleSmtSet(x,x)+6Bj
		bsf	ecx, esi
		and	[ebp+var_4], 0
		xor	edx, edx
		inc	edx
		shl	edx, cl
		xor	esi, edx
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		mov	ecx, [eax+3C8h]
		not	ecx
		and	ecx, [eax+402Ch]
		mov	eax, ecx
		and	eax, esi
		cmp	eax, ecx
		jnz	short loc_61A6AD
		xor	esi, ecx
		jmp	short loc_61A6C9
; 

loc_61A6AD:				; CODE XREF: KiFindRankBiasedIdleSmtSet(x,x)+47j
		and	[ebp+var_8], 0
		bsf	eax, ecx
		mov	eax, ds:_KiProcessorBlock[eax*4]
		test	dword ptr [eax+4D8h], 400h
		jz	short loc_61A6C9
		or	edi, edx

loc_61A6C9:				; CODE XREF: KiFindRankBiasedIdleSmtSet(x,x)+4Bj
					; KiFindRankBiasedIdleSmtSet(x,x)+65j
		test	esi, esi
		jnz	short loc_61A67E
		test	edi, edi
		jz	short loc_61A6D7
		mov	[ebx], edi
		mov	al, 1
		jmp	short loc_61A6D9
; 

loc_61A6D7:				; CODE XREF: KiFindRankBiasedIdleSmtSet(x,x)+1Cj
					; KiFindRankBiasedIdleSmtSet(x,x)+6Fj
		xor	al, al

loc_61A6D9:				; CODE XREF: KiFindRankBiasedIdleSmtSet(x,x)+75j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@KiFindRankBiasedIdleSmtSet@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiSelectIdleProcessor(x, x, x, x, x, x)
@KiSelectIdleProcessor@24 proc near	; CODE XREF: KiChooseTargetProcessor+C8A22p
					; KiChooseTargetProcessor+C8A5Bp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	esi, esi
		mov	[ebp+var_8], edx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_4], ecx
		test	edi, edi
		jnz	short loc_61A731
		mov	edi, [edx+84h]
		and	edi, ecx
		jnz	short loc_61A70B
		xor	eax, eax
		jmp	loc_61A840
; 

loc_61A70B:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+24j
		movzx	eax, word ptr [edx+58h]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		movzx	ecx, byte ptr [eax+3C4h]
		ror	edi, cl
		bsf	eax, edi
		add	eax, ecx
		mov	ecx, [ebp+var_4]
		and	eax, 1Fh
		mov	edi, ds:_KiProcessorBlock[eax*4]

loc_61A731:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+1Aj
		push	ebx
		mov	ebx, [edx]
		mov	eax, ebx
		and	eax, ecx
		cmp	[ebp+arg_C], 0
		mov	[ebp+arg_4], eax
		mov	[ebp+var_4], eax
		jz	short loc_61A75B
		test	eax, eax
		jnz	short loc_61A766
		mov	eax, [edx+0Ch]
		mov	ebx, [edx+4Ch]
		and	ebx, eax
		mov	eax, ebx
		and	eax, ecx
		mov	[ebp+arg_4], eax
		mov	ecx, eax
		jmp	short loc_61A75E
; 

loc_61A75B:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+64j
		mov	ecx, [ebp+var_4]

loc_61A75E:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+7Bj
		test	ecx, ecx
		jz	loc_61A83D

loc_61A766:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+68j
		test	byte ptr [edx+0A5h], 20h
		jz	loc_61A7FA
		mov	cl, byte ptr [ebp+arg_8]
		test	cl, cl
		jz	short loc_61A78E
		lea	edx, [ebp+arg_4]
		mov	ecx, edi
		call	@KiFindRankBiasedIdleSmtSet@8 ;	KiFindRankBiasedIdleSmtSet(x,x)
		test	al, al
		jnz	short loc_61A7B7
		mov	edx, [ebp+arg_0]
		mov	cl, byte ptr [ebp+arg_8]

loc_61A78E:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+9Aj
		mov	eax, [edx+4]
		mov	[ebp+arg_8], eax
		mov	eax, [ebp+arg_4]
		and	[ebp+arg_8], eax
		jnz	short loc_61A7BC
		test	cl, cl
		jnz	loc_61A83D
		mov	ecx, [ebp+var_8]
		cmp	[ecx+338h], edx
		jnz	short loc_61A7FA
		lea	edx, [ebp+arg_4]
		call	KiReduceByEffectiveIdleSmtSet

loc_61A7B7:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+A8j
		mov	eax, [ebp+arg_4]
		jmp	short loc_61A7FA
; 

loc_61A7BC:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+BCj
		test	cl, cl
		jz	short loc_61A7F7
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[ebx]
		movzx	eax, cl
		cmp	eax, ds:_KiPerfIsoEnabled
		jb	short loc_61A83D

loc_61A7F7:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+E0j
		mov	eax, [ebp+arg_8]

loc_61A7FA:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+8Fj
					; KiSelectIdleProcessor(x,x,x,x,x,x)+CFj ...
		test	[edi+3C8h], eax
		jz	short loc_61A806
		mov	esi, edi
		jmp	short loc_61A83D
; 

loc_61A806:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+122j
		mov	ecx, [edi+402Ch]
		and	ecx, eax
		jnz	short loc_61A823
		test	ds:_KiCacheAwareScheduling, 1
		jz	short loc_61A825
		mov	ecx, [edi+4034h]
		and	ecx, eax
		jz	short loc_61A825

loc_61A823:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+130j
		mov	eax, ecx

loc_61A825:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+139j
					; KiSelectIdleProcessor(x,x,x,x,x,x)+143j
		movzx	ecx, byte ptr [edi+3C4h]
		ror	eax, cl
		bsf	eax, eax
		add	eax, ecx
		and	eax, 1Fh
		mov	esi, ds:_KiProcessorBlock[eax*4]

loc_61A83D:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+82j
					; KiSelectIdleProcessor(x,x,x,x,x,x)+C0j ...
		mov	eax, esi
		pop	ebx

loc_61A840:				; CODE XREF: KiSelectIdleProcessor(x,x,x,x,x,x)+28j
		pop	edi
		pop	esi
		leave
		retn	10h
@KiSelectIdleProcessor@24 endp


;  S U B	R O U T	I N E 


; __stdcall KeSetThreadBamQosLevel(x, x)
_KeSetThreadBamQosLevel@8 proc near	; CODE XREF: PsImpersonateContainerOfThread+B7710p
					; KiConvertDynamicHeteroPolicy(x,x,x)+2Bp
		mov	edi, edi
		push	esi
		push	edi
		lea	edi, [ecx+244h]

loc_61A850:				; CODE XREF: KeSetThreadBamQosLevel(x,x)+1Ej
		mov	esi, [edi]
		mov	ecx, esi
		and	ecx, 0FFFFFF00h
		mov	eax, esi
		or	ecx, edx
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		jnz	short loc_61A850
		pop	edi
		pop	esi
		retn
_KeSetThreadBamQosLevel@8 endp


;  S U B	R O U T	I N E 


; __stdcall KeUpdatePendingQosRequest(x)
_KeUpdatePendingQosRequest@4 proc near	; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+4D2p
					; sub_5B68A6+5Dp ...
		test	dword ptr [ecx+4D8h], 300h
		jz	short loc_61A896
		xor	eax, eax
		inc	eax
		lock xadd ds:_KiPendingVirtualHeteroRequest, eax
		inc	eax
		cmp	eax, 1
		jnz	short locret_61A8D9
		cmp	byte ptr [ecx+3D0h], 0
		jz	short loc_61A8B0
		xor	cl, cl

loc_61A891:				; CODE XREF: KeUpdatePendingQosRequest(x)+45j
		jmp	_KiSetVirtualHeteroClockIntervalRequest@4 ; KiSetVirtualHeteroClockIntervalRequest(x)
; 

loc_61A896:				; CODE XREF: KeUpdatePendingQosRequest(x)+Aj
		or	eax, 0FFFFFFFFh
		lock xadd ds:_KiPendingVirtualHeteroRequest, eax
		jnz	short locret_61A8D9
		cmp	byte ptr [ecx+3D0h], 0
		jz	short loc_61A8B0
		mov	cl, 1
		jmp	short loc_61A891
; 

loc_61A8B0:				; CODE XREF: KeUpdatePendingQosRequest(x)+24j
					; KeUpdatePendingQosRequest(x)+41j
		mov	eax, ds:dword_6CB35C
		mov	ecx, ds:_KiClockTimerOwner
		test	eax, eax
		jnz	short loc_61A8C8
		lea	eax, [ecx+20h]
		mov	ds:word_6CB342,	ax

loc_61A8C8:				; CODE XREF: KeUpdatePendingQosRequest(x)+54j
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	eax
		mov	ecx, offset _KiSetVirtualHeteroClockIntervalRequestDpc
		call	KiInsertQueueDpc

locret_61A8D9:				; CODE XREF: KeUpdatePendingQosRequest(x)+1Bj
					; KeUpdatePendingQosRequest(x)+38j
		retn
_KeUpdatePendingQosRequest@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAdjustThreadTimer(x, x, x, x, x)
_KiAdjustThreadTimer@20	proc near	; CODE XREF: KeAdjustTimerDelayProcess(x,x,x,x)+4Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1], 0
		mov	ebx, edx
		mov	[ebp+var_C], ebx
		lea	ecx, [esi+1C4h]
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	byte ptr [esi+18Ch], 1
		jge	short loc_61A921
		test	dword ptr [esi+5Ch], 4000h
		jnz	short loc_61A921
		mov	edx, ebx
		mov	ecx, esi
		call	KiSuspendThread
		test	al, al
		jz	loc_61A9D8
		mov	[ebp+var_1], 1

loc_61A921:				; CODE XREF: KiAdjustThreadTimer(x,x,x,x,x)+27j
					; KiAdjustThreadTimer(x,x,x,x,x)+30j
		and	[ebp+var_8], 0
		push	edi
		lea	edi, [esi+2Ch]

loc_61A929:				; CODE XREF: KiAdjustThreadTimer(x,x,x,x,x)+64j
		lock bts dword ptr [edi], 0
		jnb	short loc_61A940

loc_61A930:				; CODE XREF: KiAdjustThreadTimer(x,x,x,x,x)+62j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_61A930
		jmp	short loc_61A929
; 

loc_61A940:				; CODE XREF: KiAdjustThreadTimer(x,x,x,x,x)+54j
		mov	eax, [esi+58h]
		mov	ecx, 60000h
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_61A9B7
		test	byte ptr [esi+0B9h], 1
		jnz	short loc_61A9B7
		mov	ebx, [ebp+arg_4]
		mov	eax, [esi+0C8h]
		mov	ecx, [esi+0CCh]
		mov	edx, [ebp+arg_0]
		test	ebx, ebx
		jg	short loc_61A98F
		jl	short loc_61A973
		test	edx, edx
		jnb	short loc_61A985

loc_61A973:				; CODE XREF: KiAdjustThreadTimer(x,x,x,x,x)+93j
		sub	eax, edx
		sbb	ecx, ebx
		js	short loc_61A9A8
		jg	short loc_61A97F
		test	eax, eax
		jz	short loc_61A9A8

loc_61A97F:				; CODE XREF: KiAdjustThreadTimer(x,x,x,x,x)+9Fj
		xor	eax, eax
		xor	ecx, ecx
		jmp	short loc_61A9A8
; 

loc_61A985:				; CODE XREF: KiAdjustThreadTimer(x,x,x,x,x)+97j
		test	ebx, ebx
		jl	short loc_61A9A8
		jg	short loc_61A98F
		test	edx, edx
		jz	short loc_61A9A8

loc_61A98F:				; CODE XREF: KiAdjustThreadTimer(x,x,x,x,x)+91j
					; KiAdjustThreadTimer(x,x,x,x,x)+AFj
		mov	edi, eax
		sub	edi, edx
		mov	edx, ecx
		sbb	edx, ebx
		cmp	edx, ecx
		jg	short loc_61A9A5
		jl	short loc_61A9A1
		cmp	edi, eax
		jnb	short loc_61A9A5

loc_61A9A1:				; CODE XREF: KiAdjustThreadTimer(x,x,x,x,x)+C1j
		mov	eax, edi
		mov	ecx, edx

loc_61A9A5:				; CODE XREF: KiAdjustThreadTimer(x,x,x,x,x)+BFj
					; KiAdjustThreadTimer(x,x,x,x,x)+C5j
		lea	edi, [esi+2Ch]

loc_61A9A8:				; CODE XREF: KiAdjustThreadTimer(x,x,x,x,x)+9Dj
					; KiAdjustThreadTimer(x,x,x,x,x)+A3j ...
		mov	ebx, [ebp+var_C]
		mov	[esi+0C8h], eax
		mov	[esi+0CCh], ecx

loc_61A9B7:				; CODE XREF: KiAdjustThreadTimer(x,x,x,x,x)+72j
					; KiAdjustThreadTimer(x,x,x,x,x)+7Bj
		cmp	[ebp+var_1], 0
		mov	eax, [ebp+arg_8]
		mov	[esi+240h], eax
		mov	dword ptr [edi], 0
		pop	edi
		jz	short loc_61A9D8
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	KiResumeThread

loc_61A9D8:				; CODE XREF: KiAdjustThreadTimer(x,x,x,x,x)+3Dj
					; KiAdjustThreadTimer(x,x,x,x,x)+F1j
		mov	ecx, 0FFFFFF7Fh
		lea	eax, [esi+1C4h]
		lock and [eax],	ecx
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_KiAdjustThreadTimer@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiConvertDynamicHeteroPolicy(x, x, x)
_KiConvertDynamicHeteroPolicy@12 proc near
					; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+2Ep
					; KiFindReadyThread+16BD99p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	eax
		mov	edi, ecx
		call	_KiGetHeteroThreadQos@12 ; KiGetHeteroThreadQos(x,x,x)
		movzx	edx, byte ptr [edi+244h]
		mov	esi, eax
		cmp	esi, edx
		jz	short loc_61AA1C
		mov	edx, esi
		mov	ecx, edi
		call	_KeSetThreadBamQosLevel@8 ; KeSetThreadBamQosLevel(x,x)

loc_61AA1C:				; CODE XREF: KiConvertDynamicHeteroPolicy(x,x,x)+25j
		mov	eax, [ebp+var_4]
		pop	edi
		lea	eax, [eax+esi*2]
		mov	eax, ds:_KiDynamicHeteroCpuPolicy[eax*4]
		pop	esi
		leave
		retn	4
_KiConvertDynamicHeteroPolicy@12 endp


;  S U B	R O U T	I N E 


; __stdcall KiEvaluateQosPreemptionTarget(x, x)
_KiEvaluateQosPreemptionTarget@8 proc near
					; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+16Bp
		test	byte ptr [ecx+2238h], 2
		jnz	short loc_61AA6B
		mov	eax, [ecx+33Ch]
		mov	al, [eax]
		cmp	al, [edx+87h]
		jge	short loc_61AA6B
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	short loc_61AA52
		mov	eax, [ecx+4]

loc_61AA52:				; CODE XREF: KiEvaluateQosPreemptionTarget(x,x)+1Ej
		mov	ecx, [eax+244h]
		and	ecx, 0FFh
		cmp	ecx, 2
		jz	short loc_61AA68
		cmp	ecx, 1
		jnz	short loc_61AA6B

loc_61AA68:				; CODE XREF: KiEvaluateQosPreemptionTarget(x,x)+32j
		mov	al, 1
		retn
; 

loc_61AA6B:				; CODE XREF: KiEvaluateQosPreemptionTarget(x,x)+7j
					; KiEvaluateQosPreemptionTarget(x,x)+17j ...
		xor	al, al
		retn
_KiEvaluateQosPreemptionTarget@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGenerateHeteroSets(x, x, x, x, x,	x)
_KiGenerateHeteroSets@24 proc near	; CODE XREF: KiCheckPreferredHeteroProcessor(x,x,x)+53p
					; KiHeteroChooseTargetProcessor(x,x,x,x)+72p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		add	eax, 0Eh
		imul	eax, 0Ch
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, [eax+ecx]
		mov	edx, [eax+ecx+4]
		and	esi, edi
		mov	eax, [eax+ecx+8]
		and	edx, edi
		and	eax, edi
		jnz	short loc_61AA9E
		mov	eax, edi
		mov	edx, edi
		mov	esi, edi
		xor	edi, edi
		inc	edi
		jmp	short loc_61AAB0
; 

loc_61AA9E:				; CODE XREF: KiGenerateHeteroSets(x,x,x,x,x,x)+23j
		xor	edi, edi
		test	edx, edx
		jnz	short loc_61AAAA
		mov	edx, eax
		mov	esi, eax
		jmp	short loc_61AAB0
; 

loc_61AAAA:				; CODE XREF: KiGenerateHeteroSets(x,x,x,x,x,x)+34j
		test	esi, esi
		jnz	short loc_61AAB0
		mov	esi, edx

loc_61AAB0:				; CODE XREF: KiGenerateHeteroSets(x,x,x,x,x,x)+2Ej
					; KiGenerateHeteroSets(x,x,x,x,x,x)+3Aj ...
		mov	ecx, [ebp+arg_4]
		mov	[ecx], esi
		mov	ecx, [ebp+arg_8]
		mov	[ecx], edx
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_KiGenerateHeteroSets@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGetHeteroThreadQos(x, x, x)
_KiGetHeteroThreadQos@12 proc near	; CODE XREF: KiConvertDynamicHeteroPolicy(x,x,x)+15p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		xor	ebx, ebx
		inc	ebx
		mov	esi, [edi+36Ch]
		test	esi, esi
		jz	short loc_61AB0D
		mov	esi, [esi+244h]
		mov	eax, 0FFh
		mov	edx, [edi+244h]
		and	esi, eax
		and	edx, eax
		mov	ecx, esi
		call	_KiQosResponseRequired@8 ; KiQosResponseRequired(x,x)
		test	al, al
		jnz	loc_61AC26
		mov	esi, edx
		jmp	loc_61AC26
; 

loc_61AB0D:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+19j
		mov	al, [edi+60h]
		cmp	al, 1
		jnz	short loc_61AB1B
		push	3
		jmp	loc_61AC25
; 

loc_61AB1B:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+4Bj
		mov	al, [edi+60h]
		cmp	al, 2
		jnz	short loc_61AB29
		push	4
		jmp	loc_61AC25
; 

loc_61AB29:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+59j
		mov	eax, [edi+244h]
		shr	eax, 8
		and	eax, 3
		jz	short loc_61AB54
		sub	eax, 1
		jz	loc_61AC23
		sub	eax, 1
		jz	short loc_61AB4D
		sub	eax, 1
		jmp	loc_61ABE6
; 

loc_61AB4D:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+7Cj
		mov	esi, ebx
		jmp	loc_61AC26
; 

loc_61AB54:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+6Ej
		mov	eax, [edi+150h]
		mov	ecx, ds:_KiDynamicHeteroCpuPolicyMask
		mov	esi, [eax+64h]
		shr	esi, 7
		and	esi, 7
		test	cl, 4
		jz	short loc_61AB9F
		cmp	esi, 3
		jz	short loc_61ABD7
		mov	edx, [edi+40h]
		mov	ebx, [edi+44h]
		cmp	edx, ebx
		ja	short loc_61AB7F
		mov	edx, ebx

loc_61AB7F:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+B4j
		xor	ebx, ebx
		cmp	edx, ds:_KiDynamicHeteroCpuPolicyExpectedCycles
		jnb	short loc_61AB9B
		cmp	ds:_KeHeteroSystemQos, ebx
		jz	short loc_61AB9C
		test	cl, 8
		jz	short loc_61AB9C
		jmp	loc_61AC23
; 

loc_61AB9B:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+C0j
		inc	ebx

loc_61AB9C:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+C8j
					; KiGetHeteroThreadQos(x,x,x)+CDj
		mov	edx, [ebp+var_4]

loc_61AB9F:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+A5j
		cmp	esi, 3
		jz	short loc_61ABD7
		test	cl, 20h
		jnz	short loc_61ABD7
		mov	ecx, edi
		call	_KiIsThreadRankBiased@8	; KiIsThreadRankBiased(x,x)
		test	al, al
		jnz	short loc_61AC23
		mov	eax, [edi+150h]
		cmp	byte ptr [eax+1BBh], 1
		jz	short loc_61AC23
		mov	ecx, ds:_KiDynamicHeteroCpuPolicyMask
		test	cl, 2
		jz	short loc_61ABD7
		cmp	byte ptr [edi+87h], 8
		jl	short loc_61AC23

loc_61ABD7:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+AAj
					; KiGetHeteroThreadQos(x,x,x)+DBj ...
		test	cl, 1
		jz	short loc_61ABEA
		mov	al, [eax+2A2h]
		cmp	al, 2
		jnz	short loc_61ABEA

loc_61ABE6:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+81j
					; KiGetHeteroThreadQos(x,x,x)+138j ...
		xor	esi, esi
		jmp	short loc_61AC26
; 

loc_61ABEA:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+113j
					; KiGetHeteroThreadQos(x,x,x)+11Dj
		mov	esi, ds:_KiProcessPolicyToQosMappingTable[esi*4]
		cmp	esi, 5
		jnz	short loc_61AC26
		mov	cl, [edi+87h]
		cmp	cl, 0Fh
		jge	short loc_61ABE6
		test	byte ptr ds:_KiDynamicHeteroCpuPolicyMask, 2
		jz	short loc_61AC23
		movsx	eax, cl
		cmp	eax, ds:_KiDynamicHeteroCpuPolicyImportantPriority
		jge	short loc_61ABE6
		test	dword ptr [edi+58h], 400h
		jz	short loc_61AC23
		cmp	cl, 8
		jge	short loc_61ABE6

loc_61AC23:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+73j
					; KiGetHeteroThreadQos(x,x,x)+CFj ...
		push	2

loc_61AC25:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+4Fj
					; KiGetHeteroThreadQos(x,x,x)+5Dj
		pop	esi

loc_61AC26:				; CODE XREF: KiGetHeteroThreadQos(x,x,x)+39j
					; KiGetHeteroThreadQos(x,x,x)+41j ...
		mov	ecx, [ebp+arg_0]
		mov	eax, esi
		pop	edi
		pop	esi
		mov	[ecx], ebx
		pop	ebx
		leave
		retn	4
_KiGetHeteroThreadQos@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiHeteroChooseTargetProcessor(x, x,	x, x)
_KiHeteroChooseTargetProcessor@16 proc near ; CODE XREF: KiDeferredReadySingleThread+C92D4p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		xor	eax, eax
		mov	[ebp+var_34], ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		movzx	edx, byte ptr [ebx+61h]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_14], edx
		push	esi
		push	edi
		mov	edi, [eax]
		mov	[ebp+var_1C], edi
		cmp	edx, 5
		jb	short loc_61AC73
		push	ecx
		mov	ecx, ebx
		call	_KiConvertDynamicHeteroPolicy@12 ; KiConvertDynamicHeteroPolicy(x,x,x)
		mov	edx, eax
		mov	[ebp+var_14], eax

loc_61AC73:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+30j
		mov	ecx, [ebx+16Ch]
		mov	byte ptr [ebp+arg_0+3],	0
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		mov	[ebp+var_18], eax
		mov	esi, [eax+338h]
		mov	[ebp+var_4], esi
		jmp	short loc_61AC95
; 

loc_61AC92:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+3C3j
		mov	esi, [ebp+var_4]

loc_61AC95:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+5Cj
					; KiHeteroChooseTargetProcessor(x,x,x,x)+3A7j
		lea	eax, [ebp+var_10]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	edx
		mov	edx, edi
		call	_KiGenerateHeteroSets@24 ; KiGenerateHeteroSets(x,x,x,x,x,x)
		cmp	byte ptr [ebp+arg_0+3],	0
		mov	edx, eax
		mov	edi, [esi]
		jz	short loc_61ACC1
		test	edi, edi
		jnz	short loc_61ACC1
		mov	eax, [esi+0Ch]
		mov	edi, [esi+4Ch]
		and	edi, eax

loc_61ACC1:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+7Fj
					; KiHeteroChooseTargetProcessor(x,x,x,x)+83j
		mov	ecx, [ebp+var_10]
		test	edi, ecx
		jnz	short loc_61ACE4
		test	edx, edx
		jnz	short loc_61ACE4
		mov	eax, [esi+48h]
		mov	ecx, [ebp+var_10]
		test	eax, ecx
		jnz	short loc_61ACE4
		mov	eax, [ebp+var_1C]
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_20], eax

loc_61ACE4:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+92j
					; KiHeteroChooseTargetProcessor(x,x,x,x)+96j ...
		mov	dl, byte ptr [ebp+arg_0+3]
		and	edi, ecx
		test	dl, dl
		jz	short loc_61ACFC
		test	edi, edi
		jnz	short loc_61ACFC
		mov	eax, [esi+0Ch]
		mov	edi, [esi+4Ch]
		and	edi, eax
		and	edi, [ebp+var_10]

loc_61ACFC:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+B7j
					; KiHeteroChooseTargetProcessor(x,x,x,x)+BBj
		mov	esi, [esi+4]
		test	ds:_KiVelocityFlags, 4000h
		jz	short loc_61AD25
		cmp	byte ptr [ebx+244h], 0
		jnz	short loc_61AD25
		mov	eax, [ebp+var_14]
		cmp	eax, 1
		jz	short loc_61AD21
		cmp	eax, 2
		jnz	short loc_61AD25

loc_61AD21:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+E6j
		mov	al, 1
		jmp	short loc_61AD27
; 

loc_61AD25:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+D5j
					; KiHeteroChooseTargetProcessor(x,x,x,x)+DEj ...
		xor	al, al

loc_61AD27:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+EFj
		mov	ecx, [ebp+var_4]
		test	al, al
		jz	loc_61ADC4
		mov	eax, esi
		and	eax, [ebp+var_8]
		jnz	loc_61ADC4
		mov	eax, [ecx+48h]
		mov	ebx, [ecx+108h]
		and	ebx, eax
		mov	eax, [ecx+8]
		and	ebx, [ebp+var_8]
		mov	edx, ebx
		and	edx, eax
		jz	short loc_61AD56
		mov	ebx, edx

loc_61AD56:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+11Ej
		test	ebx, ebx
		jz	short loc_61ADBE
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_C]
		push	0
		push	ebx
		call	_KiSelectProcessorToPreempt@16 ; KiSelectProcessorToPreempt(x,x,x,x)
		mov	[ebp+var_2C], eax
		test	[eax+3C8h], ebx
		jz	short loc_61ADBB
		and	[ebp+var_28], 0
		lea	ebx, [eax+2224h]
		mov	[ebp+var_24], ebx

loc_61AD80:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+161j
		lock bts dword ptr [ebx], 0
		jnb	short loc_61AD97

loc_61AD87:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+15Fj
		lea	ecx, [ebp+var_28]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_61AD87
		jmp	short loc_61AD80
; 

loc_61AD97:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+151j
		mov	ebx, [ebp+var_2C]
		mov	ecx, ebx
		mov	edx, [ebp+var_C]
		call	_KiEvaluateQosPreemptionTarget@8 ; KiEvaluateQosPreemptionTarget(x,x)
		test	al, al
		jnz	loc_61AF93
		mov	eax, [ebp+var_24]
		xor	ecx, ecx
		lock and [eax],	ecx
		mov	ecx, [ebp+var_4]
		mov	ebx, edx
		jmp	short loc_61ADC1
; 

loc_61ADBB:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+13Dj
		mov	ecx, [ebp+var_4]

loc_61ADBE:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+124j
		mov	ebx, [ebp+var_C]

loc_61ADC1:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+185j
		mov	dl, byte ptr [ebp+arg_0+3]

loc_61ADC4:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+F8j
					; KiHeteroChooseTargetProcessor(x,x,x,x)+103j
		test	edi, edi
		jz	loc_61AFE0
		test	byte ptr [ecx+0A5h], 20h
		jz	short loc_61AE0D
		mov	ecx, [ecx+104h]
		call	_KiIsQosGroupingActive@0 ; KiIsQosGroupingActive()
		test	al, al
		jz	short loc_61AE07
		and	ecx, edi
		jz	short loc_61AE07
		movzx	eax, byte ptr [ebx+244h]
		cmp	eax, 2
		jz	short loc_61ADFD
		cmp	eax, 1
		jz	short loc_61ADFD
		xor	al, al
		jmp	short loc_61ADFF
; 

loc_61ADFD:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+1BEj
					; KiHeteroChooseTargetProcessor(x,x,x,x)+1C3j
		mov	al, 1

loc_61ADFF:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+1C7j
		test	al, al
		jz	short loc_61AE07
		mov	edi, ecx
		not	esi

loc_61AE07:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+1AEj
					; KiHeteroChooseTargetProcessor(x,x,x,x)+1B2j ...
		and	esi, edi
		jz	short loc_61AE0D
		mov	edi, esi

loc_61AE0D:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+19Fj
					; KiHeteroChooseTargetProcessor(x,x,x,x)+1D5j
		mov	eax, edi
		xor	edx, edx
		and	eax, [ebp+var_20]
		jnz	short loc_61AE1E
		mov	eax, [ebp+var_8]
		and	eax, edi
		jz	short loc_61AE20
		inc	edx

loc_61AE1E:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+1E0j
		mov	edi, eax

loc_61AE20:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+1E7j
		cmp	ds:_KeHeteroSystemQos, 0
		jz	short loc_61AE46
		mov	eax, [ebp+var_34]
		movzx	ecx, byte ptr [ebx+244h]
		mov	eax, [eax+338h]
		mov	eax, [eax+ecx*4+0E4h]
		and	eax, edi
		jz	short loc_61AE46
		mov	edi, eax

loc_61AE46:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+1F3j
					; KiHeteroChooseTargetProcessor(x,x,x,x)+20Ej
		mov	eax, [ebp+var_18]
		mov	esi, eax
		test	[eax+3C8h], edi
		jz	short loc_61AE5B
		test	edx, edx
		jz	loc_61AF44

loc_61AE5B:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+21Dj
		test	edx, edx
		jnz	loc_61AEF5
		mov	eax, [eax+402Ch]
		and	eax, edi
		jz	short loc_61AE6F
		mov	edi, eax

loc_61AE6F:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+237j
		mov	eax, ds:_KiHeteroSchedulerOptions
		test	al, 1
		jz	short loc_61AE7C
		test	al, 4
		jmp	short loc_61AE93
; 

loc_61AE7C:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+242j
		test	byte ptr ds:_KiDynamicHeteroCpuPolicyMask, 10h
		setnz	cl
		bt	ds:_KiVelocityFlags, 0Ch
		setb	al
		test	cl, al

loc_61AE93:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+246j
		jz	short loc_61AED5
		and	[ebp+var_30], 0
		and	[ebp+var_2C], 0
		jmp	short loc_61AEA1
; 

loc_61AE9F:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+276j
		pause

loc_61AEA1:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+269j
		mov	edx, [ebx+34h]
		mov	eax, [ebx+30h]
		cmp	edx, [ebx+38h]
		jnz	short loc_61AE9F
		mov	ecx, ds:_KiFavoredCoreCycleTimeBits
		call	__aullshr
		mov	ecx, eax
		mov	esi, edx
		mov	eax, [ebp+var_18]
		movzx	eax, byte ptr [eax+3C4h]
		cdq
		add	eax, ecx
		adc	edx, esi
		push	edx
		push	eax
		mov	edx, edi
		call	_KiFindBiasedProcessorIndex@16 ; KiFindBiasedProcessorIndex(x,x,x,x)
		jmp	short loc_61AEEC
; 

loc_61AED5:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x):loc_61AE93j
		and	[ebp+var_40], 0
		mov	eax, esi
		movzx	ecx, byte ptr [eax+3C4h]
		ror	edi, cl
		bsf	eax, edi
		add	eax, ecx
		and	eax, 1Fh

loc_61AEEC:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+29Fj
		mov	esi, ds:_KiProcessorBlock[eax*4]
		jmp	short loc_61AF44
; 

loc_61AEF5:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+229j
		xor	esi, esi
		xor	dl, dl
		test	edi, edi
		jz	short loc_61AF44
		mov	ebx, [ebp+var_14]

loc_61AF00:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+30Bj
		and	[ebp+var_44], 0
		bsf	eax, edi
		and	eax, 1Fh
		mov	eax, ds:_KiProcessorBlock[eax*4]
		cmp	ebx, 3
		jz	short loc_61AF23
		cmp	ebx, 4
		jz	short loc_61AF23
		mov	cl, [eax+3ED1h]
		jmp	short loc_61AF29
; 

loc_61AF23:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+2E0j
					; KiHeteroChooseTargetProcessor(x,x,x,x)+2E5j
		mov	cl, [eax+3ED2h]

loc_61AF29:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+2EDj
		test	esi, esi
		jz	short loc_61AF31
		cmp	cl, dl
		jbe	short loc_61AF35

loc_61AF31:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+2F7j
		mov	esi, eax
		mov	dl, cl

loc_61AF35:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+2FBj
		mov	eax, [eax+3C8h]
		not	eax
		and	edi, eax
		jnz	short loc_61AF00
		mov	ebx, [ebp+var_C]

loc_61AF44:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+221j
					; KiHeteroChooseTargetProcessor(x,x,x,x)+2BFj ...
		mov	eax, [ebp+arg_4]
		lea	edi, [esi+2224h]
		and	[ebp+var_38], 0
		mov	dword ptr [eax], 1

loc_61AF57:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+338j
		lock bts dword ptr [edi], 0
		jnb	short loc_61AF6E

loc_61AF5E:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+336j
		lea	ecx, [ebp+var_38]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_61AF5E
		jmp	short loc_61AF57
; 

loc_61AF6E:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+328j
		mov	al, [esi+2238h]
		test	al, al
		jz	loc_61B0D1
		cmp	byte ptr [ebp+arg_0+3],	0
		jz	loc_61B07B
		cmp	al, 6
		jz	loc_61B0D1
		jmp	loc_61B07B
; 

loc_61AF93:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+172j
		mov	esi, [ebp+var_4]
		mov	ecx, [esi+4]
		mov	edi, [esi+8]
		mov	eax, [esi+48h]
		mov	edx, [esi+108h]
		and	edx, eax
		and	edx, [ebp+var_8]
		test	[ebp+var_8], ecx
		jnz	short loc_61AFCA
		mov	ecx, [ebx+3C8h]
		and	ecx, edi
		neg	ecx
		sbb	cl, cl
		inc	cl
		test	edx, edi
		setnz	al
		test	cl, al
		jz	loc_61B088

loc_61AFCA:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+379j
		mov	eax, [ebp+var_24]
		xor	ecx, ecx
		lock and [eax],	ecx
		mov	ebx, [ebp+var_C]

loc_61AFD5:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+44Fj
		mov	edx, [ebp+var_14]
		mov	edi, [ebp+var_1C]
		jmp	loc_61AC95
; 

loc_61AFE0:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+192j
		test	dl, dl
		jnz	short loc_61AFFD
		mov	edx, [ebp+var_18]
		call	@KiCanSelectSoftParkedProcessor@8 ; KiCanSelectSoftParkedProcessor(x,x)
		mov	edx, [ebp+var_14]
		mov	edi, [ebp+var_1C]
		mov	byte ptr [ebp+arg_0+3],	al
		test	al, al
		jnz	loc_61AC92

loc_61AFFD:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+3AEj
		mov	ecx, [ebp+var_8]
		mov	edi, [ebp+var_10]
		sub	ecx, edi
		mov	edx, [ebp+var_18]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, [ebp+var_8]
		push	ecx
		push	edi
		mov	ecx, ebx
		call	_KiSelectProcessorToPreempt@16 ; KiSelectProcessorToPreempt(x,x,x,x)
		mov	esi, eax
		test	[esi+3C8h], edi
		jnz	short loc_61B03E
		movzx	ecx, byte ptr [esi+3C4h]
		and	[ebp+var_48], 0
		ror	edi, cl
		bsf	eax, edi
		add	eax, ecx
		and	eax, 1Fh
		mov	esi, ds:_KiProcessorBlock[eax*4]

loc_61B03E:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+3ECj
		and	[ebp+var_3C], 0
		lea	edi, [esi+2224h]

loc_61B048:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+429j
		lock bts dword ptr [edi], 0
		jnb	short loc_61B05F

loc_61B04F:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+427j
		lea	ecx, [ebp+var_3C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_61B04F
		jmp	short loc_61B048
; 

loc_61B05F:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+419j
		cmp	byte ptr [ebp+arg_0+3],	0
		mov	eax, [ebp+var_4]
		mov	edx, [eax]
		jz	short loc_61B074
		mov	ecx, [eax+0Ch]
		mov	eax, [eax+4Ch]
		and	eax, ecx
		or	edx, eax

loc_61B074:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+434j
		mov	eax, [ebp+var_10]
		test	edx, eax
		jz	short loc_61B09F

loc_61B07B:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+34Cj
					; KiHeteroChooseTargetProcessor(x,x,x,x)+35Aj
		xor	eax, eax
		lock and [edi],	eax
		mov	esi, [ebp+var_4]
		jmp	loc_61AFD5
; 

loc_61B088:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+390j
		mov	al, [ebx+2238h]
		mov	ecx, [ebp+arg_4]
		not	al
		movzx	eax, al
		and	eax, 1
		mov	[ecx], eax
		mov	eax, ebx
		jmp	short loc_61B0D3
; 

loc_61B09F:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+445j
		mov	ecx, [ebp+arg_4]
		and	dword ptr [ecx], 0
		test	byte ptr [esi+2238h], 2
		jz	short loc_61B0D1
		xor	ecx, ecx
		lock and [edi],	ecx
		push	eax
		mov	edx, ebx
		mov	ecx, esi
		call	@KiSelectCandidateProcessor@12 ; KiSelectCandidateProcessor(x,x,x)
		mov	esi, eax
		test	byte ptr [esi+2238h], 1
		jnz	short loc_61B0D1
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 1

loc_61B0D1:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+342j
					; KiHeteroChooseTargetProcessor(x,x,x,x)+354j ...
		mov	eax, esi

loc_61B0D3:				; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+469j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KiHeteroChooseTargetProcessor@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIpiUpdateThreadTag(x, x, x, x)
_KiIpiUpdateThreadTag@16 proc near	; DATA XREF: KeUpdateThreadTag+950BAo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		mov	edx, [eax]
		test	edx, edx
		jnz	short loc_61B0F2
		lock btr dword ptr [ecx], 14h
		jmp	short loc_61B0F7
; 

loc_61B0F2:				; CODE XREF: KiIpiUpdateThreadTag(x,x,x,x)+Fj
		lock bts dword ptr [ecx], 14h

loc_61B0F7:				; CODE XREF: KiIpiUpdateThreadTag(x,x,x,x)+16j
		mov	[ecx+60h], dl
		pop	ebp
		retn	10h
_KiIpiUpdateThreadTag@16 endp


;  S U B	R O U T	I N E 


; __stdcall KiIsForegroundThreadWithBoost(x)
_KiIsForegroundThreadWithBoost@4 proc near ; CODE XREF:	KiComputeNewPriority:loc_5AD135p
					; KiDirectSwitchThread+12AF5Ap	...
		mov	eax, [ecx+150h]
		mov	al, [eax+2A2h]
		cmp	al, 2
		jnz	short loc_61B120
		test	byte ptr [ecx+5Ch], 8
		jnz	short loc_61B120
		test	byte ptr [ecx+15Ch], 0Fh
		jz	short loc_61B120
		dec	al
		retn
; 

loc_61B120:				; CODE XREF: KiIsForegroundThreadWithBoost(x)+Ej
					; KiIsForegroundThreadWithBoost(x)+14j	...
		xor	al, al
		retn
_KiIsForegroundThreadWithBoost@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiIsQosGroupingClass(x)
_KiIsQosGroupingClass@4	proc near	; CODE XREF: PpmPerfArbitratorApplyProcessorState+81B3Dp
		xor	eax, eax
		inc	eax
		cmp	ecx, 2
		jz	short locret_61B131
		cmp	ecx, eax
		jz	short locret_61B131
		xor	al, al

locret_61B131:				; CODE XREF: KiIsQosGroupingClass(x)+6j
					; KiIsQosGroupingClass(x)+Aj
		retn
_KiIsQosGroupingClass@4	endp


;  S U B	R O U T	I N E 


; __stdcall KiQosResponseRequired(x, x)
_KiQosResponseRequired@8 proc near	; CODE XREF: PsImpersonateContainerOfThread+B7703p
					; PsImpersonateContainerOfThread+B7723p ...
		xor	al, al
		cmp	ecx, edx
		jz	short locret_61B148
		cmp	ecx, 3
		jz	short loc_61B146
		cmp	edx, 3
		jz	short loc_61B146
		cmp	ecx, edx
		jge	short locret_61B148

loc_61B146:				; CODE XREF: KiQosResponseRequired(x,x)+9j
					; KiQosResponseRequired(x,x)+Ej
		mov	al, 1

locret_61B148:				; CODE XREF: KiQosResponseRequired(x,x)+4j
					; KiQosResponseRequired(x,x)+12j
		retn
_KiQosResponseRequired@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSelectProcessorToPreempt(x, x, x,	x)
_KiSelectProcessorToPreempt@16 proc near
					; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+12Fp
					; KiHeteroChooseTargetProcessor(x,x,x,x)+3DFp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		and	ebx, [edx+4020h]
		push	esi
		push	edi
		mov	[ebp+var_38], edx
		lea	eax, [ebx-1]
		mov	[ebp+var_2C], ecx
		mov	[ebp+arg_0], ebx
		test	eax, ebx
		jz	loc_61B293
		mov	eax, [edx+4024h]
		movzx	esi, byte ptr [eax+128h]
		movzx	edi, byte ptr [eax+129h]
		add	eax, 108h
		push	esi		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_24]
		mov	[ebp+var_34], edi
		add	eax, edi
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_2C]
		lea	edx, [edi+esi]
		add	esp, 0Ch
		mov	[ebp+var_30], edx
		or	esi, 0FFFFFFFFh
		mov	al, [ecx+87h]
		mov	[ebp+var_25], al
		mov	eax, [ebp+var_38]
		mov	eax, [eax+338h]
		mov	eax, [eax+104h]
		mov	[ebp+var_2C], eax
		call	_KiIsQosGroupingActive@0 ; KiIsQosGroupingActive()
		test	al, al
		jz	short loc_61B226
		test	[ebp+var_2C], ebx
		jz	short loc_61B226
		movzx	eax, byte ptr [ecx+244h]
		cmp	eax, 2
		jz	short loc_61B1F1
		cmp	eax, 1
		jz	short loc_61B1F1
		xor	al, al
		jmp	short loc_61B1F3
; 

loc_61B1F1:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+9Dj
					; KiSelectProcessorToPreempt(x,x,x,x)+A2j
		mov	al, 1

loc_61B1F3:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+A6j
		test	al, al
		jz	short loc_61B226
		mov	ecx, edi
		cmp	edi, edx
		jnb	short loc_61B226
		mov	edi, edx

loc_61B1FF:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+D5j
		mov	eax, [ebp+var_2C]
		xor	edx, edx
		inc	edx
		shl	edx, cl
		and	eax, edx
		test	eax, ebx
		jz	short loc_61B21B
		mov	al, byte ptr [ebp+ecx+var_24]
		cmp	al, [ebp+var_25]
		jge	short loc_61B21B
		mov	[ebp+var_25], al
		mov	esi, ecx

loc_61B21B:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+C2j
					; KiSelectProcessorToPreempt(x,x,x,x)+CBj
		inc	ecx
		cmp	ecx, edi
		jb	short loc_61B1FF
		mov	edi, [ebp+var_34]
		mov	edx, [ebp+var_30]

loc_61B226:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+8Cj
					; KiSelectProcessorToPreempt(x,x,x,x)+91j ...
		cmp	[ebp+arg_4], 0
		jz	short loc_61B25F
		test	esi, esi
		jns	short loc_61B287
		mov	ecx, edi
		cmp	edi, edx
		jnb	short loc_61B25F
		mov	bl, [ebp+var_25]
		mov	edi, [ebp+arg_4]

loc_61B23C:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+10Bj
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	eax, edi
		jz	short loc_61B251
		mov	al, byte ptr [ebp+ecx+var_24]
		cmp	al, bl
		jge	short loc_61B251
		mov	bl, al
		mov	esi, ecx

loc_61B251:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+FAj
					; KiSelectProcessorToPreempt(x,x,x,x)+102j
		inc	ecx
		cmp	ecx, edx
		jb	short loc_61B23C
		mov	edi, [ebp+var_34]
		mov	[ebp+var_25], bl
		mov	ebx, [ebp+arg_0]

loc_61B25F:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+E1j
					; KiSelectProcessorToPreempt(x,x,x,x)+EBj
		test	esi, esi
		jns	short loc_61B287
		jmp	short loc_61B27F
; 

loc_61B265:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+138j
		xor	eax, eax
		mov	ecx, edi
		inc	eax
		shl	eax, cl
		test	eax, ebx
		jz	short loc_61B27E
		mov	al, byte ptr [ebp+edi+var_24]
		cmp	al, [ebp+var_25]
		jge	short loc_61B27E
		mov	[ebp+var_25], al
		mov	esi, edi

loc_61B27E:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+125j
					; KiSelectProcessorToPreempt(x,x,x,x)+12Ej
		inc	edi

loc_61B27F:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+11Aj
		cmp	edi, edx
		jb	short loc_61B265
		test	esi, esi
		js	short loc_61B290

loc_61B287:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+E5j
					; KiSelectProcessorToPreempt(x,x,x,x)+118j
		mov	eax, ds:_KiProcessorBlock[esi*4]
		jmp	short loc_61B295
; 

loc_61B290:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+13Cj
		mov	edx, [ebp+var_38]

loc_61B293:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+2Cj
		mov	eax, edx

loc_61B295:				; CODE XREF: KiSelectProcessorToPreempt(x,x,x,x)+145j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_KiSelectProcessorToPreempt@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSendHeteroRescheduleIntRequest(x)
_KiSendHeteroRescheduleIntRequest@4 proc near ;	CODE XREF: KiIdleSchedule+16AC61p
					; KiSwapThread+C207Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, ecx
		mov	ecx, [edx+338h]

loc_61B2B5:				; DATA XREF: .text:004299B9o
		mov	eax, [edx+402Ch]
		test	[ecx+4], eax
		jz	short locret_61B32F
		and	[ebp+var_8], 0
		or	[ebp+var_4], 0FFFFFFFFh
		mov	edx, [edx+3C8h]
		mov	eax, [ecx]
		push	esi
		mov	esi, [ecx+0B8h]
		test	edx, eax
		jz	short loc_61B32E
		test	edx, esi
		jz	short loc_61B32E
		mov	edx, [ecx+48h]
		mov	eax, [ecx+0Ch]
		mov	ecx, [ecx+84h]
		not	eax
		xor	ecx, esi
		and	ecx, eax
		lea	eax, [ebp+var_4]
		and	ecx, edx
		lea	edx, [ebp+var_8]
		push	ecx
		push	eax
		call	_KiSendHeteroRescheduleIntRequestHelper@16 ; KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)
		test	al, al
		jz	short loc_61B32E
		mov	esi, [ebp+var_4]
		xor	eax, eax
		push	ecx
		inc	eax
		mov	ecx, esi
		shl	eax, cl
		xor	edx, edx
		push	0
		mov	ecx, eax
		call	_KiSendHeteroRescheduleIntRequestHelper@16 ; KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)
		test	al, al
		jnz	short loc_61B32E
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		btc	ecx, esi
		push	ecx
		push	0
		call	_KiSendHeteroRescheduleIntRequestHelper@16 ; KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)

loc_61B32E:				; CODE XREF: KiSendHeteroRescheduleIntRequest(x)+33j
					; KiSendHeteroRescheduleIntRequest(x)+37j ...
		pop	esi

locret_61B32F:				; CODE XREF: KiSendHeteroRescheduleIntRequest(x)+18j
		leave
		retn
_KiSendHeteroRescheduleIntRequest@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSendHeteroRescheduleIntRequestHelper(x, x, x, x)
_KiSendHeteroRescheduleIntRequestHelper@16 proc	near
					; CODE XREF: KiSendHeteroRescheduleIntRequest(x)+55p
					; KiSendHeteroRescheduleIntRequest(x)+6Fp ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		and	[ebp+var_14], 0
		mov	eax, edx
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		mov	[ebp+var_18], edx
		xor	esi, esi
		xor	edx, edx
		mov	[ebp+var_20], esi
		xor	bl, bl
		mov	[ebp+var_10], edx
		mov	[ebp+var_1], bl
		test	ecx, ecx
		jz	loc_61B4E3
		push	edi

loc_61B362:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+19Fj
		bsf	eax, ecx
		btc	ecx, eax
		mov	[ebp+var_C], eax
		and	[ebp+var_24], 0
		mov	[ebp+var_2C], ecx
		mov	edi, ds:_KiProcessorBlock[eax*4]
		mov	[ebp+var_8], edi
		lea	ebx, [edi+2224h]

loc_61B382:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+66j
		lock bts dword ptr [ebx], 0
		jnb	short loc_61B399

loc_61B389:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+64j
		lea	ecx, [ebp+var_24]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_61B389
		jmp	short loc_61B382
; 

loc_61B399:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+56j
		test	byte ptr [edi+2238h], 1
		mov	esi, [edi+4]
		jz	loc_61B4C6
		cmp	dword ptr [edi+8], 0
		jnz	loc_61B4C6
		mov	al, [edi+2239h]
		test	al, al
		jnz	loc_61B4C6
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	_KiCheckPreferredHeteroProcessor@12 ; KiCheckPreferredHeteroProcessor(x,x,x)
		test	eax, eax
		jz	loc_61B4C6
		cmp	[ebp+var_1C], 0
		jnz	loc_61B48D
		lea	edi, [esi+220h]
		lock inc word ptr [edi]
		xor	eax, eax
		lock and [ebx],	eax
		and	[ebp+var_28], eax
		lea	ebx, [esi+2Ch]

loc_61B3F3:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+D7j
		lock bts dword ptr [ebx], 0
		jnb	short loc_61B40A

loc_61B3FA:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+D5j
		lea	ecx, [ebp+var_28]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_61B3FA
		jmp	short loc_61B3F3
; 

loc_61B40A:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+C7j
		lea	eax, [ebp+var_14]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_8]
		call	KiAcquireThreadStateLock
		lock dec word ptr [edi]
		mov	al, [esi+90h]
		cmp	al, 2
		jnz	short loc_61B466
		mov	ebx, [ebp+var_8]
		mov	al, [ebx+2239h]
		test	al, al
		jnz	short loc_61B466
		mov	edi, [ebp+var_8]
		mov	ecx, esi
		push	0
		mov	edx, edi
		call	_KiCheckPreferredHeteroProcessor@12 ; KiCheckPreferredHeteroProcessor(x,x,x)
		test	eax, eax
		jz	short loc_61B469
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 0Ch
		jb	short loc_61B469
		mov	ecx, [ebp+var_C]
		mov	dl, 2
		mov	byte ptr [ebx+2239h], 1
		call	_KiSendSoftwareInterrupt@8 ; KiSendSoftwareInterrupt(x,x)
		mov	[ebp+var_1], 1
		jmp	short loc_61B469
; 

loc_61B466:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+F3j
					; KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+100j
		mov	edi, [ebp+var_8]

loc_61B469:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+112j
					; KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+11Cj	...
		test	edi, edi
		jz	short loc_61B478
		xor	ecx, ecx
		lea	eax, [edi+2224h]
		lock and [eax],	ecx

loc_61B478:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+13Aj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_61B484
		xor	ecx, ecx
		lock and [eax],	ecx

loc_61B484:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+14Cj
		mov	dword ptr [esi+2Ch], 0
		jmp	short loc_61B4CB
; 

loc_61B48D:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+A7j
		test	dword ptr [esi+5Ch], 1000h
		jnz	short loc_61B4C6
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		bts	edx, ecx
		mov	[ebp+var_10], edx
		mov	edx, [ebp+var_18]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_61B4B5
		movsx	eax, byte ptr [esi+87h]
		cmp	eax, edx
		jle	short loc_61B4C6

loc_61B4B5:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+177j
		movsx	edx, byte ptr [esi+87h]
		mov	[ebp+var_18], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1], 1

loc_61B4C6:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+72j
					; KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+7Cj ...
		xor	eax, eax
		lock and [ebx],	eax

loc_61B4CB:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+15Aj
		mov	ecx, [ebp+var_2C]
		test	ecx, ecx
		jnz	loc_61B362
		mov	edx, [ebp+var_10]
		mov	eax, [ebp+var_1C]
		mov	bl, [ebp+var_1]
		mov	esi, [ebp+var_20]
		pop	edi

loc_61B4E3:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+2Aj
		test	eax, eax
		jz	short loc_61B4E9
		mov	[eax], edx

loc_61B4E9:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+1B4j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_61B4F2
		mov	[ecx], esi

loc_61B4F2:				; CODE XREF: KiSendHeteroRescheduleIntRequestHelper(x,x,x,x)+1BDj
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
_KiSendHeteroRescheduleIntRequestHelper@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetHeteroPolicyThread(x, x, x, x)
_KiSetHeteroPolicyThread@16 proc near	; CODE XREF: KeSetHeteroCpuPolicyThread(x,x,x)+10p
					; KeSetUserHeteroCpuPolicyThread(x,x)+1Bp ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		xor	eax, eax
		mov	ebx, edx
		push	esi
		push	edi
		mov	[ebp+var_24], ebx
		mov	esi, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_18], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_20], 0
		lea	edi, [esi+2Ch]
		mov	[ebp+var_1], al

loc_61B530:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+4Bj
		lock bts dword ptr [edi], 0
		jnb	short loc_61B547

loc_61B537:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+49j
		lea	ecx, [ebp+var_20]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_61B537
		jmp	short loc_61B530
; 

loc_61B547:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+3Bj
		cmp	[ebp+arg_0], 0
		mov	eax, [esi+16Ch]
		mov	ecx, [esi+88h]
		mov	[ebp+var_10], eax
		mov	[ebp+var_30], ecx
		jz	short loc_61B577
		mov	al, [esi+62h]
		xor	al, bl
		movzx	ebx, byte ptr [esi+61h]
		and	al, 7Fh
		xor	[esi+62h], al
		mov	eax, [ebp+var_10]
		jl	short loc_61B58E
		mov	ebx, [ebp+var_24]
		jmp	short loc_61B58E
; 

loc_61B577:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+63j
		cmp	[ebp+arg_4], 0
		jnz	short loc_61B58E
		mov	al, [esi+62h]
		movzx	ebx, al
		and	ebx, 7Fh
		and	al, 7Fh
		mov	[esi+62h], al
		mov	eax, [ebp+var_10]

loc_61B58E:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+76j
					; KiSetHeteroPolicyThread(x,x,x,x)+7Bj	...
		cmp	ebx, 8
		jnz	short loc_61B599
		mov	ebx, ds:_KiDefaultHeteroCpuPolicy

loc_61B599:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+97j
		cmp	ds:_KeHeteroSystem, 0
		jnz	short loc_61B5A8
		xor	ebx, ebx
		and	byte ptr [esi+62h], 7Fh

loc_61B5A8:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+A6j
		movzx	ecx, byte ptr [esi+61h]
		cmp	ecx, ebx
		jnz	short loc_61B5C4
		mov	cl, [ebp+var_1]
		mov	dword ptr [edi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_61B797
; 

loc_61B5C4:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+B4j
		mov	edi, ds:_KiProcessorBlock[eax*4]
		mov	eax, ebx
		cmp	ebx, 5
		jl	short loc_61B5DA
		push	edi
		mov	ecx, esi
		call	_KiConvertDynamicHeteroPolicy@12 ; KiConvertDynamicHeteroPolicy(x,x,x)

loc_61B5DA:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+D6j
		mov	edx, [esi+164h]
		lea	ecx, [ebp+var_14]
		push	ecx
		lea	ecx, [ebp+var_28]
		push	ecx
		lea	ecx, [ebp+var_1C]
		push	ecx
		mov	ecx, [edi+338h]
		push	eax
		call	_KiGenerateHeteroSets@24 ; KiGenerateHeteroSets(x,x,x,x,x,x)
		mov	eax, [ebp+var_1C]
		test	[edi+3C8h], eax
		jnz	short loc_61B629
		movzx	ecx, byte ptr [edi+3C4h]
		ror	eax, cl
		bsf	eax, eax
		mov	[ebp+var_2C], eax
		add	eax, ecx
		and	eax, 1Fh
		test	byte ptr [esi+58h], 8
		mov	[esi+16Ch], eax
		jnz	short loc_61B629
		mov	[esi+88h], eax

loc_61B629:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+107j
					; KiSetHeteroPolicyThread(x,x,x,x)+127j
		and	[ebp+arg_0], 0
		lea	eax, [ebp+var_18]
		push	eax
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	KiAcquireThreadStateLock
		mov	edi, [ebp+var_8]
		movzx	eax, al
		mov	[esi+61h], bl
		sub	eax, 1
		jz	short loc_61B6C5
		sub	eax, 1
		jz	short loc_61B687
		sub	eax, 1
		jnz	loc_61B6EA
		mov	eax, [ebp+var_14]
		test	[edi+3C8h], eax
		jnz	loc_61B6EA
		lea	edx, [ebp+var_C]
		mov	ecx, edi
		call	KiSelectNextThread
		mov	ecx, esi
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	eax, [ebp+var_C]
		lea	ecx, [esi+9Ch]
		mov	[ecx], eax
		mov	[ebp+var_C], ecx
		jmp	short loc_61B6EA
; 

loc_61B687:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+152j
		mov	eax, [ebp+var_14]
		test	[edi+3C8h], eax
		jnz	short loc_61B6EA
		mov	al, [esi+90h]
		cmp	al, 2
		jnz	short loc_61B6BC
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 0Ch
		mov	edi, [ebp+var_8]
		cmp	dword ptr [edi+8], 0
		jnz	short loc_61B6EA
		lea	edx, [ebp+var_C]
		mov	ecx, edi
		call	KiSelectNextThread
		xor	edx, edx
		inc	edx
		jmp	short loc_61B6ED
; 

loc_61B6BC:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+1A0j
		or	byte ptr [esi+54h], 8
		mov	edi, [ebp+var_8]
		jmp	short loc_61B6EA
; 

loc_61B6C5:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+14Dj
		movsx	eax, byte ptr [esi+87h]
		mov	ecx, edi
		mov	edx, [ebp+var_18]
		push	eax
		push	esi
		call	_KiRemoveThreadFromAnyReadyQueue@16 ; KiRemoveThreadFromAnyReadyQueue(x,x,x,x)
		movsx	edx, byte ptr [esi+87h]
		lea	eax, [ebp+var_C]
		push	eax
		mov	ecx, esi
		call	_KiPrepareReadyThreadForRescheduling@12	; KiPrepareReadyThreadForRescheduling(x,x,x)

loc_61B6EA:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+157j
					; KiSetHeteroPolicyThread(x,x,x,x)+166j ...
		mov	edx, [ebp+arg_0]

loc_61B6ED:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+1C0j
		mov	ecx, [esi+16Ch]
		mov	eax, [esi+88h]
		mov	[ebp+arg_0], ecx
		mov	[ebp+arg_4], eax
		test	edi, edi
		jz	short loc_61B70E
		lea	eax, [edi+2224h]
		xor	edi, edi
		lock and [eax],	edi

loc_61B70E:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+207j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_61B71A
		xor	edi, edi
		lock and [eax],	edi

loc_61B71A:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+219j
		mov	dword ptr [esi+2Ch], 0
		test	edx, edx
		jz	short loc_61B745
		mov	al, large fs:51h
		movzx	edx, al
		mov	eax, [ebp+var_8]
		mov	ecx, [eax+3CCh]
		cmp	edx, ecx
		jz	short loc_61B742
		mov	dl, 2
		call	_KiSendSoftwareInterrupt@8 ; KiSendSoftwareInterrupt(x,x)

loc_61B742:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+23Fj
		mov	ecx, [ebp+arg_0]

loc_61B745:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+229j
		mov	edi, 8000000h
		test	ds:dword_70EFD0, edi
		jz	short loc_61B77C
		push	ecx
		push	[ebp+var_10]
		mov	edx, 546h
		mov	ecx, esi
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)
		test	ds:dword_70EFD0, edi
		jz	short loc_61B77C
		push	[ebp+arg_4]
		mov	edx, 547h
		mov	ecx, esi
		push	[ebp+var_30]
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)

loc_61B77C:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+256j
					; KiSetHeteroPolicyThread(x,x,x,x)+26Ej
		mov	esi, large fs:20h
		lea	edx, [ebp+var_C]
		mov	ecx, esi
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, esi
		call	KiCheckForThreadDispatch

loc_61B797:				; CODE XREF: KiSetHeteroPolicyThread(x,x,x,x)+C5j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_KiSetHeteroPolicyThread@16 endp


;  S U B	R O U T	I N E 


; __stdcall KiSetVirtualHeteroClockIntervalRequest(x)
_KiSetVirtualHeteroClockIntervalRequest@4 proc near
					; CODE XREF: KeUpdatePendingQosRequest(x):loc_61A891j
					; KiSetVirtualHeteroClockIntervalRequestDpcRoutine(x,x,x,x)+Ap
		mov	edi, edi
		push	ebx
		mov	bl, cl
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bh, al
		test	bl, bl
		jz	short loc_61B7C8
		cmp	ds:byte_6B65A4,	0
		jz	short loc_61B7EC
		mov	ecx, offset _KiVirtualHeteroClockRequest
		call	_KiResetClockInterval@4	; KiResetClockInterval(x)
		jmp	short loc_61B7EC
; 

loc_61B7C8:				; CODE XREF: KiSetVirtualHeteroClockIntervalRequest(x)+11j
		cmp	ds:byte_6B65A4,	0
		jnz	short loc_61B7EC
		mov	ecx, ds:_KiQosHysteresisTimerPeriod
		test	ecx, ecx
		jz	short loc_61B7EC
		push	offset _KiVirtualHeteroClockRequest
		xor	dl, dl
		call	KiSetClockInterval
		call	_KiSendClockInterruptToClockOwner@0 ; KiSendClockInterruptToClockOwner()

loc_61B7EC:				; CODE XREF: KiSetVirtualHeteroClockIntervalRequest(x)+1Aj
					; KiSetVirtualHeteroClockIntervalRequest(x)+26j ...
		mov	cl, bh
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_KiSetVirtualHeteroClockIntervalRequest@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiSetVirtualHeteroClockIntervalRequestDpcRoutine(x,	x, x, x)
_KiSetVirtualHeteroClockIntervalRequestDpcRoutine@16 proc near
					; DATA XREF: KiInitSystem+14Fo
		mov	eax, ds:_KiPendingVirtualHeteroRequest
		test	eax, eax
		setz	cl
		call	_KiSetVirtualHeteroClockIntervalRequest@4 ; KiSetVirtualHeteroClockIntervalRequest(x)
		retn	10h
_KiSetVirtualHeteroClockIntervalRequestDpcRoutine@16 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1085. Ke386IoSetAccessProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ke386IoSetAccessProcess(x, x)
		public _Ke386IoSetAccessProcess@8
_Ke386IoSetAccessProcess@8 proc	near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= word ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_4]
		pop	edi
		cmp	eax, 1
		jbe	short loc_61B82B
		xor	al, al
		jmp	short locret_61B85E
; 

loc_61B82B:				; CODE XREF: Ke386IoSetAccessProcess(x,x)+19j
		test	eax, eax
		jnz	short loc_61B836
		mov	eax, 20ACh
		jmp	short loc_61B844
; 

loc_61B836:				; CODE XREF: Ke386IoSetAccessProcess(x,x)+21j
		imul	eax, 2024h
		sub	eax, 1F9Ch
		movzx	eax, ax

loc_61B844:				; CODE XREF: Ke386IoSetAccessProcess(x,x)+28j
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		push	offset _KiLoadIopmOffset@16 ; KiLoadIopmOffset(x,x,x,x)
		mov	[ebp+var_4], ax
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		mov	al, 1

locret_61B85E:				; CODE XREF: Ke386IoSetAccessProcess(x,x)+1Dj
		leave
		retn	8
_Ke386IoSetAccessProcess@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1086. Ke386QueryIoAccessMap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	Ke386QueryIoAccessMap(int,void *)
		public _Ke386QueryIoAccessMap@8
_Ke386QueryIoAccessMap@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	esi, 1
		jbe	short loc_61B879
		xor	al, al
		jmp	short loc_61B8D3
; 

loc_61B879:				; CODE XREF: Ke386QueryIoAccessMap(x,x)+Cj
		test	esi, esi
		jnz	short loc_61B894
		push	2000h		; size_t
		push	0FFh		; int
		push	[ebp+arg_4]	; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_61B8D1
; 

loc_61B894:				; CODE XREF: Ke386QueryIoAccessMap(x,x)+14j
		push	ebx
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, large fs:1Ch
		mov	bl, al
		imul	edx, esi, 2024h
		push	2000h		; size_t
		mov	ecx, [ecx+40h]
		add	edx, 0FFFFE064h
		add	ecx, edx
		push	ecx		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx

loc_61B8D1:				; CODE XREF: Ke386QueryIoAccessMap(x,x)+2Bj
		mov	al, 1

loc_61B8D3:				; CODE XREF: Ke386QueryIoAccessMap(x,x)+10j
		pop	esi
		pop	ebp
		retn	8
_Ke386QueryIoAccessMap@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1087. Ke386SetIoAccessMap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ke386SetIoAccessMap(x, x)
		public _Ke386SetIoAccessMap@8
_Ke386SetIoAccessMap@8 proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		mov	edx, [ebp+arg_0]
		cmp	edx, 1
		ja	short loc_61B920
		test	edx, edx
		jz	short loc_61B920
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_10], ecx
		mov	ecx, large fs:124h
		mov	[ebp+var_8], edx
		mov	ecx, [ecx+80h]
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		push	offset _KiSetIoMap@16 ;	KiSetIoMap(x,x,x,x)
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		mov	al, 1
		jmp	short locret_61B922
; 

loc_61B920:				; CODE XREF: Ke386SetIoAccessMap(x,x)+12j
					; Ke386SetIoAccessMap(x,x)+16j
		xor	al, al

locret_61B922:				; CODE XREF: Ke386SetIoAccessMap(x,x)+41j
		leave
		retn	8
_Ke386SetIoAccessMap@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiLoadIopmOffset(x,	x, x, x)
_KiLoadIopmOffset@16 proc near		; DATA XREF: Ke386IoSetAccessProcess(x,x)+42o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, large fs:1Ch
		mov	eax, [esi+20h]
		mov	eax, [eax+4]
		mov	edx, [eax+80h]
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+4]
		mov	ax, [eax+0Ch]
		mov	[ecx+76h], ax
		mov	ecx, [esi+40h]
		mov	ax, [edx+76h]
		mov	[ecx+66h], ax
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		pop	esi
		pop	ebp
		retn	10h
_KiLoadIopmOffset@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetIoMap(x, x, x,	x)
_KiSetIoMap@16	proc near		; DATA XREF: Ke386SetIoAccessMap(x,x)+35o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, large fs:1Ch
		push	2000h		; size_t
		mov	eax, [edi+20h]
		mov	eax, [eax+4]
		mov	esi, [eax+80h]
		mov	eax, [ebp+arg_4]
		imul	ecx, [eax+8], 2024h
		push	dword ptr [eax]	; void *
		mov	eax, [edi+40h]
		add	ecx, 0FFFFE064h
		add	eax, ecx
		push	eax		; void *
		call	_memcpy
		mov	ecx, [edi+40h]
		add	esp, 0Ch
		mov	ax, [esi+76h]
		mov	[ecx+66h], ax
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
_KiSetIoMap@16	endp

		pop	edi
		pop	esi
		pop	ebp
		retn	10h
; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1091. KeAddGroupAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAddGroupAffinityEx(x, x, x)
		public _KeAddGroupAffinityEx@12
_KeAddGroupAffinityEx@12 proc near

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		or	[ecx+8], eax
		pop	ebp
		retn	0Ch
_KeAddGroupAffinityEx@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1093. KeAddProcessorGroupAffinity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAddProcessorGroupAffinity(x, x)
		public _KeAddProcessorGroupAffinity@8
_KeAddProcessorGroupAffinity@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	ecx, [edx]
		bts	ecx, eax
		mov	[edx], ecx
		pop	ebp
		retn	8
_KeAddProcessorGroupAffinity@8 endp

; 
		align 10h
; Exported entry 1111. KeCheckProcessorGroupAffinity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeCheckProcessorGroupAffinity(x, x)
		public _KeCheckProcessorGroupAffinity@8
_KeCheckProcessorGroupAffinity@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	eax, [eax]
		shr	eax, cl
		and	eax, 1
		pop	ebp
		retn	8
_KeCheckProcessorGroupAffinity@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1118. KeCopyAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeCopyAffinityEx(x,	x)
		public _KeCopyAffinityEx@8
_KeCopyAffinityEx@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		movsd
		movsd
		movsd
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_KeCopyAffinityEx@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1119. KeCountSetBitsAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeCountSetBitsAffinityEx(x)
		public _KeCountSetBitsAffinityEx@4
_KeCountSetBitsAffinityEx@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [eax+8]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		pop	ebx
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	eax, cl
		pop	ebp
		retn	4
_KeCountSetBitsAffinityEx@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1138. KeFindFirstSetLeftAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeFindFirstSetLeftAffinityEx(x)
		public _KeFindFirstSetLeftAffinityEx@4
_KeFindFirstSetLeftAffinityEx@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_61BA84
		bsr	eax, eax
		jmp	short locret_61BA87
; 

loc_61BA84:				; CODE XREF: KeFindFirstSetLeftAffinityEx(x)+Ej
		or	eax, 0FFFFFFFFh

locret_61BA87:				; CODE XREF: KeFindFirstSetLeftAffinityEx(x)+13j
		leave
		retn	4
_KeFindFirstSetLeftAffinityEx@4	endp

; 
		align 10h
; Exported entry 1139. KeFindFirstSetLeftGroupAffinity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeFindFirstSetLeftGroupAffinity(x)
		public _KeFindFirstSetLeftGroupAffinity@4
_KeFindFirstSetLeftGroupAffinity@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_61BAA4
		or	eax, 0FFFFFFFFh
		jmp	short locret_61BAA7
; 

loc_61BAA4:				; CODE XREF: KeFindFirstSetLeftGroupAffinity(x)+Dj
		bsr	eax, eax

locret_61BAA7:				; CODE XREF: KeFindFirstSetLeftGroupAffinity(x)+12j
		leave
		retn	4
_KeFindFirstSetLeftGroupAffinity@4 endp

; 
		align 10h
; Exported entry 1140. KeFindFirstSetRightAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeFindFirstSetRightAffinityEx(x)
		public _KeFindFirstSetRightAffinityEx@4
_KeFindFirstSetRightAffinityEx@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_61BAC5
		bsf	eax, eax
		jmp	short locret_61BAC8
; 

loc_61BAC5:				; CODE XREF: KeFindFirstSetRightAffinityEx(x)+Ej
		or	eax, 0FFFFFFFFh

locret_61BAC8:				; CODE XREF: KeFindFirstSetRightAffinityEx(x)+13j
		leave
		retn	4
_KeFindFirstSetRightAffinityEx@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1190. KeInterlockedClearProcessorAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInterlockedClearProcessorAffinityEx(x, x)
		public _KeInterlockedClearProcessorAffinityEx@8
_KeInterlockedClearProcessorAffinityEx@8 proc near
					; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+122Dp
					; KiTransitionSchedulingGroupGeneration+1691E1p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		push	esi
		push	edi
		xor	edi, edi
		add	edx, 8
		inc	edi
		shl	edi, cl
		mov	esi, edi
		not	esi
		mov	eax, [edx]

loc_61BAEC:				; CODE XREF: KeInterlockedClearProcessorAffinityEx(x,x)+23j
		mov	ecx, eax
		and	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_61BAEC
		mov	ecx, eax
		and	edi, ecx
		neg	edi
		sbb	edi, edi
		neg	edi
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_KeInterlockedClearProcessorAffinityEx@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1200. KeIsSubsetAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeIsSubsetAffinityEx(x, x)
		public _KeIsSubsetAffinityEx@8
_KeIsSubsetAffinityEx@8	proc near	; CODE XREF: PpmPerfApplyDomainStates+12A070p
					; sub_5B88E8+5p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+8]
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+8]
		and	eax, ecx
		sub	eax, ecx
		neg	eax
		sbb	eax, eax
		inc	eax
		pop	ebp
		retn	8
_KeIsSubsetAffinityEx@8	endp

; 
		align 10h
; Exported entry 1222. KeQueryGroupAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryGroupAffinityEx(x, x)
		public _KeQueryGroupAffinityEx@8
_KeQueryGroupAffinityEx@8 proc near

arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		jnz	short loc_61BB44
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+8]
		jmp	short loc_61BB46
; 

loc_61BB44:				; CODE XREF: KeQueryGroupAffinityEx(x,x)+Aj
		xor	eax, eax

loc_61BB46:				; CODE XREF: KeQueryGroupAffinityEx(x,x)+12j
		pop	ebp
		retn	8
_KeQueryGroupAffinityEx@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1264. KeRemoveGroupAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRemoveGroupAffinityEx(x, x, x)
		public _KeRemoveGroupAffinityEx@12
_KeRemoveGroupAffinityEx@12 proc near

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		not	eax
		and	[ecx+8], eax
		pop	ebp
		retn	0Ch
_KeRemoveGroupAffinityEx@12 endp

; 
		align 8
; Exported entry 1265. KeRemoveProcessorAffinityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRemoveProcessorAffinityEx(x, x)
		public _KeRemoveProcessorAffinityEx@8
_KeRemoveProcessorAffinityEx@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	ecx, [edx+8]
		btr	ecx, eax
		mov	[edx+8], ecx
		pop	ebp
		retn	8
_KeRemoveProcessorAffinityEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeXorAffinityEx(x, x, x)
_KeXorAffinityEx@12 proc near		; CODE XREF: PpmParkReportParkedCores+129EBBp
					; PpmParkComputeDiff()+75p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		inc	eax
		push	0
		and	dword ptr [esi+4], 0
		mov	[esi+2], ax
		mov	[esi], ax
		mov	eax, [ecx+8]
		xor	eax, [edx+8]
		mov	[esi+8], eax
		pop	eax
		setnz	al
		pop	esi
		pop	ebp
		retn	4
_KeXorAffinityEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall KeBugCheck2(int,int,int,int,int,int,int,int)
_KeBugCheck2@24	proc near		; CODE XREF: KiBugCheck2(x,x,x,x,x,x)+C1p
					; V86_kira_a+84Ap

var_3B6		= byte ptr -3B6h
var_3B2		= byte ptr -3B2h
var_3B1		= byte ptr -3B1h
var_3B0		= dword	ptr -3B0h
var_3AC		= dword	ptr -3ACh
var_3A8		= byte ptr -3A8h
var_3A6		= byte ptr -3A6h
var_3A5		= byte ptr -3A5h
var_3A4		= dword	ptr -3A4h
var_3A0		= dword	ptr -3A0h
var_39C		= byte ptr -39Ch
var_39A		= byte ptr -39Ah
var_399		= byte ptr -399h
var_398		= dword	ptr -398h
var_394		= dword	ptr -394h
var_390		= dword	ptr -390h
var_38C		= dword	ptr -38Ch
var_388		= dword	ptr -388h
var_384		= dword	ptr -384h
var_380		= dword	ptr -380h
var_37C		= dword	ptr -37Ch
var_378		= dword	ptr -378h
var_374		= dword	ptr -374h
var_370		= dword	ptr -370h
var_36C		= dword	ptr -36Ch
var_368		= dword	ptr -368h
var_364		= dword	ptr -364h
var_360		= dword	ptr -360h
var_35C		= dword	ptr -35Ch
var_350		= dword	ptr -350h
var_8C		= byte ptr -8Ch
var_80		= byte ptr -80h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3ACh
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	[esp+3ACh+var_384], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	[esp+3B0h+var_370], eax
		mov	eax, [ebp+arg_14]
		mov	[esp+3B0h+var_390], eax
		xor	eax, eax
		push	esi
		push	edi		; char
		lea	edi, [esp+3B8h+var_35C]
		mov	[esp+3B8h+var_38C], ebx
		stosd
		mov	[esp+3B8h+var_388], ecx
		mov	[esp+11h], cl
		mov	byte ptr [esp+3B8h+var_394], cl
		stosd
		mov	[esp+3B8h+var_39A], cl
		mov	[esp+3B8h+var_3A4], ecx
		mov	[esp+3B8h+var_398], ecx
		stosd
		mov	eax, large fs:124h
		cmp	ds:_IopAutoReboot, ecx
		mov	[esp+3B8h+var_80], cl
		mov	[esp+3B8h+var_374], eax
		setnz	[esp+3B8h+var_399]
		mov	[esp+3B8h+var_364], offset _KiBugCheckProgress@4 ; KiBugCheckProgress(x)
		mov	byte ptr [esp+1Dh], 1
		mov	byte ptr [esp+3B8h+var_378], 1
		mov	[esp+3B8h+var_37C], ecx
		mov	[esp+3B8h+var_368], ecx
		mov	[esp+3B8h+var_380], ecx
		mov	[esp+3B8h+var_36C], ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_61BC49
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()

loc_61BC49:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+96j
		mov	eax, large fs:124h
		cmp	dword ptr [eax+20h], 0
		jnz	short loc_61BC93
		mov	edx, large fs:20h
		mov	edi, offset _KiBugCheckActive
		mov	eax, ds:_KiBugCheckActive
		mov	edx, [edx+3CCh]
		shl	edx, 4
		or	edx, 3
		jmp	short loc_61BC80
; 

loc_61BC74:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+DDj
		mov	ecx, eax
		mov	esi, edx
		lock cmpxchg [edi], esi
		cmp	eax, ecx
		jz	short loc_61BC8C

loc_61BC80:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+C7j
		mov	ecx, eax
		and	ecx, 3
		cmp	cl, 3
		jnz	short loc_61BC74
		jmp	short loc_61BCE8
; 

loc_61BC8C:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+D3j
		mov	[esp+3B8h+var_3A6], 1
		jmp	short loc_61BCED
; 

loc_61BC93:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+A8j
		lea	eax, [esp+3B8h+var_368]
		push	eax
		lea	eax, [esp+3BCh+var_380]
		push	eax
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		lea	edx, [esp+3C0h+var_36C]
		mov	ecx, eax
		call	KeQueryCurrentStackInformationEx
		mov	edx, large fs:20h
		mov	bl, al
		mov	eax, ds:_KiBugCheckActive
		mov	edi, offset _KiBugCheckActive
		mov	edx, [edx+3CCh]
		shl	edx, 4
		or	edx, 3
		jmp	short loc_61BCDA
; 

loc_61BCCE:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+137j
		mov	ecx, eax
		mov	esi, edx
		lock cmpxchg [edi], esi
		cmp	eax, ecx
		jz	short loc_61BD31

loc_61BCDA:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+121j
		mov	ecx, eax
		and	ecx, 3
		cmp	cl, 3
		jnz	short loc_61BCCE
		mov	ebx, [esp+3B8h+var_38C]

loc_61BCE8:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+DFj
		mov	[esp+3B8h+var_3A6], 0

loc_61BCED:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+E6j
					; KeBugCheck2(x,x,x,x,x,x)+1D4j
		mov	esi, large fs:20h
		push	dword ptr ds:0FFDF05F4h
		mov	[esp+3BCh+var_38C], esi
		mov	eax, [esi+3CCh]
		mov	ecx, [esi+47B8h]
		mov	[esp+3BCh+var_360], eax
		mov	eax, ds:0FFDF05F0h
		or	eax, 100h
		push	eax
		call	_KeSaveSupervisorState@12 ; KeSaveSupervisorState(x,x,x)
		mov	eax, ds:dword_6C26F8
		test	eax, eax
		jnz	short loc_61BD84

loc_61BD27:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+1EDj
		mov	[esp+3B8h+var_3A5], 0
		jmp	loc_61BDD3
; 

loc_61BD31:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+12Dj
		test	bl, bl
		jz	short loc_61BD76
		mov	eax, [esp+3B8h+var_36C]
		test	eax, eax
		jz	short loc_61BD76
		cmp	eax, 5
		jz	short loc_61BD76
		cmp	eax, 7
		jz	short loc_61BD76
		cmp	eax, 8
		jz	short loc_61BD76
		cmp	eax, 9
		jz	short loc_61BD76
		mov	eax, [esp+3B8h+var_368]
		mov	ecx, 3000h
		sub	eax, [esp+3B8h+var_380]
		cmp	eax, ecx
		ja	short loc_61BD64
		mov	ecx, eax

loc_61BD64:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+1B5j
		push	ecx		; size_t
		push	[esp+3BCh+var_380] ; void *
		push	offset _KiPreBugcheckStackSaveArea ; void *
		call	_memcpy
		add	esp, 0Ch

loc_61BD76:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+188j
					; KeBugCheck2(x,x,x,x,x,x)+190j ...
		mov	ebx, [esp+3B8h+var_38C]
		mov	[esp+3B8h+var_3A6], 1
		jmp	loc_61BCED
; 

loc_61BD84:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+17Aj
		cmp	ds:_PopSimulateHiberBugcheck, 0
		jz	short loc_61BD94
		mov	ds:_PoPowerDownActionInProgress, 0

loc_61BD94:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+1E0j
		cmp	byte ptr [eax+3], 0
		jz	short loc_61BD27
		cmp	[esp+3B8h+var_3A6], 0
		jz	short loc_61BDC9
		push	offset ??_C@_0LI@GLJCKFNB@?6A?5bugcheck?5occurred?5during?5the@FNODOBFM@ ; char	*
		push	0		; int
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		cmp	[ebp+arg_0], 0Ah
		jnz	short loc_61BDC9
		push	offset ??_C@_0LC@NEPBNGAN@Memory?5was?5accessed?5during?5this@FNODOBFM@	; char *
		push	0		; int
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 0Ch

loc_61BDC9:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+1F4j
					; KeBugCheck2(x,x,x,x,x,x)+20Bj
		and	[esp+3B8h+var_364], 0
		mov	[esp+3B8h+var_3A5], 1

loc_61BDD3:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+181j
		cmp	[esp+3B8h+var_3A6], 0
		lea	edi, [esp+3B8h+var_350]
		mov	esi, [esi+4168h]
		mov	ecx, 0B3h
		rep movsd
		jz	loc_61C348
		cmp	ds:_ViVerifierEnabled, 0
		jz	short loc_61BE00
		push	2
		pop	ecx
		call	_VfNotifyVerifierOfEvent@4 ; VfNotifyVerifierOfEvent(x)

loc_61BE00:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+24Bj
		cmp	[esp+3B8h+var_3A5], 0
		jnz	short loc_61BE0C
		call	_KiSaveCurrentEtwTraceBuffer@0 ; KiSaveCurrentEtwTraceBuffer()

loc_61BE0C:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+25Aj
		push	34h
		pop	edx
		mov	ecx, offset _KseEngine
		call	IoAddTriageDumpDataBlock
		mov	edi, [ebp+arg_0]
		cmp	edi, 0E5h
		jnz	short loc_61BE39
		call	_KiScanBugCheckCallbackList@0 ;	KiScanBugCheckCallbackList()
		push	0
		call	ds:off_6B139C	; NtCompleteConnectPort(x)
		push	3
		call	ds:__imp__HalReturnToFirmware@4	; HalReturnToFirmware(x)

loc_61BE39:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+277j
		cmp	edi, 0C00002D1h
		jnz	short loc_61BE49
		mov	edi, 0C3h
		mov	[ebp+arg_0], edi

loc_61BE49:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+294j
		mov	edx, [esp+3C0h+var_38C]
		mov	eax, 0CBh
		mov	ecx, [ebp+arg_8]
		mov	esi, [esp+3C0h+var_378]
		mov	ds:_KiBugCheckData, edi
		mov	ds:dword_6CA684, edx
		mov	ds:dword_6CA688, ecx
		mov	ds:dword_6CA68C, ebx
		mov	ds:dword_6CA690, esi
		cmp	edi, eax
		ja	loc_61C1B1
		jz	loc_61C1A8
		mov	eax, edi
		sub	eax, 0Ah
		jz	loc_61C109
		sub	eax, 42h
		jz	loc_61C0D5
		sub	eax, 4
		jz	loc_61BF4B
		sub	eax, 2Bh
		jz	loc_61BF2D
		sub	eax, 13h
		jz	short loc_61BEB9
		sub	eax, 30h
		jnz	loc_61BFED

loc_61BEB9:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+303j
					; KeBugCheck2(x,x,x,x,x,x)+620j
		mov	eax, [esp+3C0h+var_398]
		test	eax, eax
		jnz	short loc_61BED8
		test	ebx, ebx
		jz	loc_61BFED
		test	bl, 3
		jnz	loc_61BFED
		mov	eax, ebx
		mov	[esp+3C0h+var_398], ebx

loc_61BED8:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+314j
		cmp	edi, 8Eh
		jz	loc_61BFED
		mov	esi, [eax+68h]
		mov	[esp+3C0h+var_3A0], esi
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		test	al, al
		jz	loc_61BFED
		mov	ecx, esi
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jz	loc_61BFED
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	loc_61BFED

loc_61BF23:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+617j
		mov	[esp+3C0h+var_39C], 1
		jmp	loc_61BFED
; 

loc_61BF2D:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+2FAj
		mov	al, bl
		not	al
		and	al, 1
		mov	byte ptr [esp+3C0h+var_3A4+1], al
		mov	eax, ebx
		shr	eax, 1
		not	al
		and	eax, 0FFFFFF01h
		mov	[esp+3C0h+var_380], eax
		jmp	loc_61BFED
; 

loc_61BF4B:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+2F1j
		mov	eax, [esp+3C0h+var_398]
		xor	edi, edi
		test	eax, eax
		jnz	short loc_61BF6C
		test	ebx, ebx
		jz	loc_61C060
		test	bl, 3
		jnz	loc_61C060
		mov	eax, ebx
		mov	[esp+3C0h+var_398], eax

loc_61BF6C:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+3A8j
		mov	esi, [eax+68h]
		lea	edx, [esp+3C0h+var_390]
		lea	eax, [esp+3C0h+var_3B0+1]
		mov	[esp+3C0h+var_3A0], esi
		push	eax
		push	0
		mov	ecx, esi
		mov	ds:dword_6CA68C, esi
		call	_KiPcToFileHeader@16 ; KiPcToFileHeader(x,x,x,x)
		mov	edi, eax
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		test	al, al
		jz	short loc_61BFBE
		mov	ecx, esi
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jz	short loc_61BFBE
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_61BFBE
		mov	[esp+3C0h+var_39C], 1

loc_61BFBE:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+3E9j
					; KeBugCheck2(x,x,x,x,x,x)+3F4j ...
		mov	ebx, [esp+3C0h+var_38C]
		mov	ecx, ebx
		call	_MmIsSpecialPoolAddress@4 ; MmIsSpecialPoolAddress(x)
		cmp	eax, 1
		jnz	loc_61C06A
		xor	eax, eax
		cmp	byte ptr [esp+3C0h+var_3B0+1], 1
		setnz	al
		dec	eax
		and	eax, 0FFFFFFF7h
		add	eax, 0D5h
		mov	ds:_KiBugCheckData, eax

loc_61BFEA:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+4F1j
					; KeBugCheck2(x,x,x,x,x,x)+4F8j
		mov	edi, [ebp+arg_0]

loc_61BFED:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+308j
					; KeBugCheck2(x,x,x,x,x,x)+318j ...
		mov	ebx, [esp+3C0h+var_3AC]
		mov	esi, ebx

loc_61BFF3:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+515j
					; KeBugCheck2(x,x,x,x,x,x)+525j ...
		call	ds:off_6B13AC	; SymCryptFatalIntercept(x)
		and	ds:_HvlEnlightenments, 2000h
		push	60h
		pop	ecx
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		xor	eax, eax
		cmp	ds:dword_6B65D4, eax
		jz	short loc_61C016
		inc	eax

loc_61C016:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+468j
		push	eax
		call	ds:off_6B1294	; KeSetDmaIoCoherency(x)
		push	ds:dword_6CA690
		mov	edx, ds:dword_6CA684
		push	ds:dword_6CA68C
		mov	ecx, ds:_KiBugCheckData
		push	ds:dword_6CA688
		call	_HvlLogGuestCrashInformation@20	; HvlLogGuestCrashInformation(x,x,x,x,x)
		mov	ecx, ds:_KiBugCheckDriver
		test	ecx, ecx
		jz	loc_61C23C
		push	ecx
		lea	edx, [esp+3C8h+var_8C]
		call	_KiBugCheckUnicodeToAnsi@12 ; KiBugCheckUnicodeToAnsi(x,x,x)
		jmp	loc_61C257
; 

loc_61C060:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+3ACj
					; KeBugCheck2(x,x,x,x,x,x)+3B5j
		mov	byte ptr [esp+3C0h+var_3B0+1], 1
		jmp	loc_61BFBE
; 

loc_61C06A:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+421j
		cmp	[esp+3C0h+var_3A0], ebx
		jnz	short loc_61C0A1
		mov	ecx, ebx
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		cmp	eax, 1
		jnz	short loc_61C0A1
		mov	eax, [esp+3C0h+var_37C]
		mov	eax, [eax+0A8h]
		test	eax, eax
		jz	short loc_61C092
		cmp	eax, ds:_MmSystemRangeStart
		jb	short loc_61C0A1

loc_61C092:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+4DDj
		mov	ds:_KiBugCheckData, 0CFh
		jmp	loc_61BFEA
; 

loc_61C0A1:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+4C3j
					; KeBugCheck2(x,x,x,x,x,x)+4CFj ...
		test	edi, edi
		jnz	loc_61BFEA
		mov	ecx, ebx
		call	_MmLocateUnloadedDriver@4 ; MmLocateUnloadedDriver(x)
		mov	ebx, [esp+3C0h+var_3AC]
		mov	esi, ebx
		mov	edi, [ebp+arg_0]
		mov	ds:_KiBugCheckDriver, eax
		test	eax, eax
		jz	loc_61BFF3
		mov	ds:_KiBugCheckData, 0CEh
		jmp	loc_61BFF3
; 

loc_61C0D5:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+2E8j
		mov	ds:_KiBugCheckData, edx
		mov	eax, [ecx]
		mov	ds:dword_6CA684, eax
		mov	eax, [ecx+4]
		mov	ds:dword_6CA688, eax
		mov	eax, [ecx+8]
		mov	ds:dword_6CA68C, eax
		mov	eax, [ecx+0Ch]
		mov	[esp+3C0h+var_39C], 1
		mov	byte ptr [esp+3C0h+var_3A4+2], 1
		mov	ds:dword_6CA690, eax
		jmp	loc_61BFF3
; 

loc_61C109:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+2DFj
		cmp	esi, ds:_ExPoolCodeStart
		jb	short loc_61C128
		cmp	esi, ds:_ExPoolCodeEnd
		jnb	short loc_61C128
		mov	ds:_KiBugCheckData, 0C5h
		jmp	loc_61BFED
; 

loc_61C128:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+564j
					; KeBugCheck2(x,x,x,x,x,x)+56Cj
		lea	eax, [esp+3C0h+var_3B0+1]
		mov	ecx, esi
		push	eax
		push	0
		lea	edx, [esp+3C8h+var_390]
		call	_KiPcToFileHeader@16 ; KiPcToFileHeader(x,x,x,x)
		cmp	byte ptr [esp+3C0h+var_3B0+1], 1
		jnz	short loc_61C199
		mov	ebx, [esp+3C0h+var_38C]
		lea	eax, [esp+3C0h+var_3B0+1]
		push	eax
		push	1
		lea	edx, [esp+3C8h+var_390]
		mov	ecx, ebx
		call	_KiPcToFileHeader@16 ; KiPcToFileHeader(x,x,x,x)
		test	eax, eax
		jz	short loc_61C176
		mov	eax, [esp+3C0h+var_390]
		add	eax, 2Ch
		mov	ds:_KiBugCheckData, 0D3h
		mov	ds:_KiBugCheckDriver, eax
		jmp	loc_61BFED
; 

loc_61C176:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+5AEj
		mov	ecx, ebx
		call	_MmLocateUnloadedDriver@4 ; MmLocateUnloadedDriver(x)
		mov	ds:_KiBugCheckDriver, eax
		test	eax, eax
		jz	loc_61BFED
		mov	ds:_KiBugCheckData, 0D4h
		jmp	loc_61BFED
; 

loc_61C199:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+594j
		mov	ds:_KiBugCheckData, 0D1h
		jmp	loc_61BFED
; 

loc_61C1A8:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+2D4j
		mov	[esp+3C0h+var_3A0], edx
		jmp	loc_61BFED
; 

loc_61C1B1:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+2CEj
		mov	eax, edi
		sub	eax, 0D8h
		jz	short loc_61C22F
		sub	eax, 12h
		jz	short loc_61C224
		sub	eax, 5
		jz	loc_61BF23
		sub	eax, 0Dh
		jz	loc_61BEB9
		sub	eax, 41h
		jz	short loc_61C218
		sub	eax, 12h
		jnz	loc_61BFED
		cmp	ecx, 100h
		jnb	short loc_61C1F6
		test	esi, esi
		jz	short loc_61C1F6
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_61C1F6
		mov	[esp+3C0h+var_37C], eax

loc_61C1F6:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+63Aj
					; KeBugCheck2(x,x,x,x,x,x)+63Ej ...
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+3A8h]
		shr	eax, 0Ch
		not	al
		and	al, 1
		mov	[esp+3C0h+var_39C], al
		jmp	loc_61BFED
; 

loc_61C218:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+629j
		push	8
		pop	eax
		mov	[esp+3C0h+var_384], eax
		jmp	loc_61BFED
; 

loc_61C224:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+612j
		mov	ds:_KiBugCheckDriver, ebx
		jmp	loc_61BFED
; 

loc_61C22F:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+60Dj
		lea	eax, [edx+2Ch]
		mov	ds:_KiBugCheckDriver, eax
		jmp	loc_61BFED	; char
; 

loc_61C23C:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+49Dj
		cmp	[esp+3C4h+var_3A4], 0
		jz	short loc_61C257
		push	1
		push	1
		lea	edx, [esp+3CCh+var_3A4]
		lea	ecx, [esp+3CCh+var_8C]
		call	_KiDumpParameterImages@16 ; KiDumpParameterImages(x,x,x,x)

loc_61C257:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+4B0j
					; KeBugCheck2(x,x,x,x,x,x)+696j
		cmp	ds:_KdPitchDebugger, 0
		jnz	short loc_61C270
		and	ds:dword_6B1AB4, 0
		lea	eax, [esp+3C4h+var_35C]
		mov	ds:dword_6B1AB0, eax

loc_61C270:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+6B3j
		cmp	edi, 0E2h
		jz	loc_61C348
		cmp	ds:_KdDebuggerEnabled, 0
		jnz	short loc_61C292
		cmp	ds:_KdEventLoggingEnabled, 0
		jz	loc_61C348

loc_61C292:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+6D8j
		cmp	ds:_KiHypervisorInitiatedCrashDump, 0
		jnz	loc_61C348
		call	KdRefreshDebuggerNotPresent
		test	al, al
		jz	short loc_61C2B5
		cmp	ds:_KdEventLoggingPresent, 0
		jz	loc_61C348

loc_61C2B5:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+6FBj
		push	ds:dword_6CA690
		push	ds:dword_6CA68C
		push	ds:dword_6CA688
		push	ds:dword_6CA684
		push	ds:_KiBugCheckData ; char
		push	offset ??_C@_0FA@NGBMEEAN@?6?$CK?$CK?$CK?5Fatal?5System?5Error?3?50x?$CF08l@FNODOBFM@ ;	char *
		push	0		; int
		push	65h
		pop	edi
		push	edi		; int
		call	_DbgPrintEx
		add	esp, 20h
		cmp	ds:_KiBugCheckDriver, 0
		jz	short loc_61C307
		lea	eax, [esp+3C4h+var_8C]
		push	eax		; char
		push	offset ??_C@_0BG@EHFEKHCI@Driver?5at?5fault?3?5?$CFs?4?6@FNODOBFM@ ; "Driver at	fault: %s.\n"
		push	0		; int
		push	edi		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_61C307:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+742j
		cmp	[esp+3C4h+var_3A6], 0
		jz	short loc_61C32E
		test	ebx, ebx
		jz	short loc_61C31E
		push	ebx		; char *
		push	0		; int
		push	edi		; int
		call	_DbgPrintEx
		add	esp, 0Ch

loc_61C31E:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+765j
		test	esi, esi
		jz	short loc_61C32E
		push	esi		; char *
		push	0		; int
		push	edi		; int
		call	_DbgPrintEx
		add	esp, 0Ch

loc_61C32E:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+761j
					; KeBugCheck2(x,x,x,x,x,x)+775j
		cmp	ds:_KdDebuggerEnabled, 0
		jz	short loc_61C348
		cmp	ds:_KdDebuggerNotPresent, 0
		jnz	short loc_61C348
		push	3
		pop	ecx
		call	_KiBugCheckDebugBreak@4	; KiBugCheckDebugBreak(x)

loc_61C348:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+23Ej
					; KeBugCheck2(x,x,x,x,x,x)+6CBj ...
		cli
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		cmp	[esp+3C4h+var_3B2], 0
		jz	loc_61C4D7
		cmp	ds:_KeNumberProcessors,	1
		jbe	short loc_61C3AA
		cmp	ds:_KiHypervisorInitiatedCrashDump, 0
		jnz	short loc_61C3AA
		mov	edx, [esp+3C4h+var_398]
		mov	ecx, edx
		call	_KiSetDebuggerOwner@4 ;	KiSetDebuggerOwner(x)
		mov	esi, offset _KeActiveProcessors
		lea	edi, [esp+3C4h+var_368]
		movsd
		movsd
		movsd
		mov	ecx, [esp+3C4h+var_360]
		mov	eax, [edx+3CCh]
		btr	ecx, eax
		mov	[esp+3C4h+var_360], ecx
		lea	ecx, [esp+3C4h+var_368]
		call	_KiSendFreeze@8	; KiSendFreeze(x,x)
		push	0F4240h
		call	ds:__imp__KeStallExecutionProcessor@4 ;	KeStallExecutionProcessor(x)

loc_61C3AA:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+7B8j
					; KeBugCheck2(x,x,x,x,x,x)+7C1j
		mov	ebx, [ebp+arg_0]
		mov	ecx, ebx
		mov	edx, [esp+3C8h+var_394]
		call	_IoInitializeBugCheckProgress@8	; IoInitializeBugCheckProgress(x,x)
		xor	ecx, ecx
		inc	ecx
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		cmp	byte ptr [esp+13h], 0
		jnz	short loc_61C41A
		cmp	ds:_CrashdmpDumpBlock, 0
		jz	short loc_61C3D7
		cmp	byte ptr [esp+3C8h+var_388], 0
		jnz	short loc_61C3E0

loc_61C3D7:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+823j
		mov	eax, [esp+3C8h+var_38C]
		or	eax, 4
		jmp	short loc_61C3E4
; 

loc_61C3E0:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+82Aj
		mov	eax, [esp+3C8h+var_38C]

loc_61C3E4:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+833j
		cmp	byte ptr [esp+3C8h+var_3AC+3], 0
		jnz	short loc_61C3EE
		or	eax, 2

loc_61C3EE:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+83Ej
		cmp	byte ptr [esp+3C8h+var_3AC+1], 0
		jnz	short loc_61C3F8
		or	eax, 1

loc_61C3F8:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+848j
		mov	ecx, eax
		call	_KiDisplayBlueScreen@4 ; KiDisplayBlueScreen(x)
		push	ecx
		call	_KiInvokeBugCheckEntryCallbacks@12 ; KiInvokeBugCheckEntryCallbacks(x,x,x)
		push	2
		pop	ecx
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		call	_KiInvokeBugCheckAddTriageDumpDataCallbacks@0 ;	KiInvokeBugCheckAddTriageDumpDataCallbacks()
		push	5
		pop	ecx
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)

loc_61C41A:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+81Aj
		cmp	ds:_KdDebuggerEnabled, 0
		jnz	short loc_61C433
		cmp	ds:_KdPitchDebugger, 0
		jnz	short loc_61C433
		xor	cl, cl
		call	_KdEnableDebuggerWithLock@4 ; KdEnableDebuggerWithLock(x)

loc_61C433:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+876j
					; KeBugCheck2(x,x,x,x,x,x)+87Fj
		cmp	byte ptr [esp+3C8h+var_388], 0
		lea	esi, [esp+3C8h+var_360]
		mov	edi, dword ptr [esp+3C8h+var_39C]
		mov	ecx, 0B3h
		mov	edi, [edi+4168h]
		rep movsd
		jz	loc_61C542
		cmp	ebx, 0EFh
		jnz	short loc_61C495
		push	0
		xor	edx, edx
		xor	ecx, ecx
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		cmp	ds:_CriticalProcessExceptionData, 0
		jz	short loc_61C495
		push	28h
		pop	edx
		mov	ecx, offset _CriticalProcessExceptionData
		call	IoAddTriageDumpDataBlock
		mov	ax, ds:word_6BBF90
		test	ax, ax
		jz	short loc_61C495
		mov	ecx, ds:dword_6BBF94
		movzx	edx, ax
		call	IoAddTriageDumpDataBlock

loc_61C495:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+8AEj
					; KeBugCheck2(x,x,x,x,x,x)+8C2j ...
		push	[esp+3C8h+var_3A0]
		mov	edx, ds:dword_6CA684
		lea	eax, [esp+3CCh+var_360]
		push	[esp+3CCh+var_3A4]
		mov	ecx, ds:_KiBugCheckData
		push	[esp+3D0h+var_374]
		push	[esp+3D4h+var_384]
		push	eax
		push	ds:dword_6CA690
		push	ds:dword_6CA68C
		push	ds:dword_6CA688
		call	_IoWriteCrashDump@40 ; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)
		push	3
		pop	ecx
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		jmp	short loc_61C542
; 

loc_61C4D7:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+7ABj
		mov	eax, ds:_KiBugCheckActive
		mov	ecx, eax
		shr	ecx, 4
		mov	[esp+3C4h+var_37C], eax
		cmp	[esp+3C4h+var_36C], ecx
		jz	short loc_61C4F2

loc_61C4EB:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+945j
		call	KiPollFreezeExecution
		jmp	short loc_61C4EB
; 

loc_61C4F2:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+93Ej
		cmp	ds:_KiHypervisorInitiatedCrashDump, 0
		jnz	loc_61C5AF
		mov	ecx, eax
		and	cl, 0Ch
		cmp	cl, 8
		jnb	loc_61C5AF
		mov	ecx, ds:_CrashdmpDumpBlock
		test	ecx, ecx
		jz	short loc_61C52A
		or	dword ptr [ecx+338h], 20000h
		call	_IoUpdateBugCheckProgressEnvVariable@0 ; IoUpdateBugCheckProgressEnvVariable()
		mov	eax, [esp+3C4h+var_37C]

loc_61C52A:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+96Aj
		push	4
		pop	ecx
		mov	edx, offset _KiBugCheckActive
		lock xadd [edx], ecx
		test	al, 0Ch
		jz	short loc_61C542
		push	4
		pop	ecx
		call	_KiBugCheckDebugBreak@4	; KiBugCheckDebugBreak(x)

loc_61C542:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+8A2j
					; KeBugCheck2(x,x,x,x,x,x)+92Aj ...
		cmp	[esp+3C4h+var_3B1], 0
		jnz	short loc_61C54E
		call	_KiScanBugCheckCallbackList@0 ;	KiScanBugCheckCallbackList()

loc_61C54E:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+99Cj
		call	ds:off_6B13A4	; SymCryptFatalIntercept(x)
		push	4
		pop	ecx
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		cmp	[esp+3C4h+var_3A5], 0
		jz	short loc_61C59E
		call	_KiBugcheckUnloadDebugSymbols@0	; KiBugcheckUnloadDebugSymbols()
		push	0
		call	ds:off_6B139C	; NtCompleteConnectPort(x)
		cmp	ds:_PoPowerDownActionInProgress, 0
		jz	short loc_61C582
		cmp	ds:_PoPowerResetActionInProgress, 0
		jz	short loc_61C596

loc_61C582:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+9CCj
		cmp	ds:_PoModernStandbyActionInProgress, 0
		jnz	short loc_61C596
		cmp	byte ptr [esp+3C8h+var_3AC+1], 0
		jz	short loc_61C596
		push	3
		jmp	short loc_61C598
; 

loc_61C596:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+9D5j
					; KeBugCheck2(x,x,x,x,x,x)+9DEj ...
		push	1

loc_61C598:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+9E9j
		call	ds:__imp__HalReturnToFirmware@4	; HalReturnToFirmware(x)

loc_61C59E:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+9B6j
		push	4
		pop	ecx
		call	_KiBugCheckDebugBreak@4	; KiBugCheckDebugBreak(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_61C5AF:				; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+94Ej
					; KeBugCheck2(x,x,x,x,x,x)+95Cj ...
		call	ds:off_6B1234	; xHalHaltSystem()
		jmp	short loc_61C5AF
_KeBugCheck2@24	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1123. KeDeregisterBugCheckCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeDeregisterBugCheckCallback(x)
		public _KeDeregisterBugCheckCallback@4
_KeDeregisterBugCheckCallback@4	proc near

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	esi, offset _KeBugCheckCallbackLock
		mov	[ebp+var_1], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+arg_0]
		xor	ebx, ebx
		cmp	byte ptr [ecx+1Ch], 1
		jnz	short loc_61C5FE
		mov	[ecx+1Ch], bl
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jnz	short loc_61C613
		cmp	[eax], ecx
		jnz	short loc_61C613
		mov	[eax], edx
		mov	bl, 1
		mov	[edx+4], eax

loc_61C5FE:				; CODE XREF: KeDeregisterBugCheckCallback(x)+28j
		test	ds:byte_70EFC6,	1
		jz	short loc_61C618
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61C61D
; 

loc_61C613:				; CODE XREF: KeDeregisterBugCheckCallback(x)+35j
					; KeDeregisterBugCheckCallback(x)+39j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_61C618:				; CODE XREF: KeDeregisterBugCheckCallback(x)+49j
		xor	eax, eax
		lock and [esi],	eax

loc_61C61D:				; CODE XREF: KeDeregisterBugCheckCallback(x)+55j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
_KeDeregisterBugCheckCallback@4	endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 1132. KeEnterKernelDebugger

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeEnterKernelDebugger()
		public _KeEnterKernelDebugger@0
_KeEnterKernelDebugger@0 proc near	; CODE XREF: sub_59C2E7+87p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		xor	ecx, ecx
		mov	edx, offset _KiHardwareTrigger
		inc	ecx
		mov	eax, ecx
		xchg	eax, [edx]
		cli
		cmp	ds:_KdDebuggerEnabled, 0
		jnz	short loc_61C66C
		cmp	ds:_KdPitchDebugger, 0
		jnz	short loc_61C66C
		mov	eax, offset unk_6FE064
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_61C66C
		push	ecx
		push	ecx
		call	KdInitSystem

loc_61C66C:				; CODE XREF: KeEnterKernelDebugger()+1Cj
					; KeEnterKernelDebugger()+25j ...
		push	5
		pop	ecx
		call	_KiBugCheckDebugBreak@4	; KiBugCheckDebugBreak(x)
		mov	esp, ebp
		pop	ebp
		retn
_KeEnterKernelDebugger@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeGetBugMessageText(x, x)
_KeGetBugMessageText@8 proc near	; CODE XREF: KiDisplayBlueScreen(x)+E1p
					; CmpCreateHwProfileFriendlyName(x,x,x,x)+CCp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

		push	1Ch
		push	offset dword_6A8680
		call	__SEH_prolog4
		mov	edi, edx
		mov	[ebp+var_19], 0
		and	[ebp+ms_exc.disabled], 0
		mov	edx, ds:_KiBugCodeMessages
		test	edx, edx
		jz	short loc_61C706
		lea	eax, [edx+4]
		mov	[ebp+var_28], eax
		mov	edx, [edx]

loc_61C6A0:				; CODE XREF: KeGetBugMessageText(x,x)+85j
		mov	[ebp+var_20], edx
		test	edx, edx
		jz	short loc_61C706
		mov	esi, [eax]
		cmp	ecx, esi
		jb	short loc_61C6F6
		cmp	ecx, [eax+4]
		ja	short loc_61C6F6
		mov	edx, ds:_KiBugCodeMessages
		mov	[ebp+var_24], edx
		add	edx, [eax+8]
		sub	ecx, esi

loc_61C6C0:				; CODE XREF: KeGetBugMessageText(x,x)+58j
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	short loc_61C6D2
		movzx	eax, word ptr [edx]
		add	edx, eax
		dec	ecx
		jmp	short loc_61C6C0
; 

loc_61C6D2:				; CODE XREF: KeGetBugMessageText(x,x)+50j
		add	edx, 4
		mov	ecx, edx
		lea	esi, [ecx+1]

loc_61C6DA:				; CODE XREF: KeGetBugMessageText(x,x)+67j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_61C6DA
		sub	ecx, esi
		mov	[ebp+var_2C], ecx
		mov	[edi+4], edx
		mov	[edi], cx
		mov	[edi+2], cx
		mov	[ebp+var_19], 1
		jmp	short loc_61C706
; 

loc_61C6F6:				; CODE XREF: KeGetBugMessageText(x,x)+33j
					; KeGetBugMessageText(x,x)+38j
		add	eax, 0Ch
		mov	[ebp+var_28], eax
		dec	edx
		jmp	short loc_61C6A0
; 

loc_61C6FF:				; DATA XREF: .text:006A8694o
		xor	eax, eax
		inc	eax
		retn
; 

loc_61C703:				; DATA XREF: .text:006A8698o
		mov	esp, [ebp+ms_exc.old_esp]

loc_61C706:				; CODE XREF: KeGetBugMessageText(x,x)+1Ej
					; KeGetBugMessageText(x,x)+2Dj	...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, [ebp+var_19]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KeGetBugMessageText@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeValidateBugCheckCallbackRecord(x,	x, x)
_KeValidateBugCheckCallbackRecord@12 proc near
					; CODE XREF: IopDumpCallAddPagesCallbacks(x)+4Bp
					; IopDumpCallRemovePagesCallbacks(x)+4Bp ...

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_1], 0
		push	esi
		test	bl, 3
		jnz	loc_61C7CE
		mov	esi, ebx
		and	esi, 0FFFh
		push	edi
		add	esi, 101Bh
		mov	edi, ebx
		shr	esi, 0Ch
		and	edi, 0FFFFF000h
		test	esi, esi
		jz	short loc_61C76F

loc_61C759:				; CODE XREF: KeValidateBugCheckCallbackRecord(x,x,x)+4Dj
		mov	ecx, edi
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_61C7BD
		add	edi, 1000h
		sub	esi, 1
		jnz	short loc_61C759

loc_61C76F:				; CODE XREF: KeValidateBugCheckCallbackRecord(x,x,x)+37j
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebx+4]
		cmp	eax, [ecx]
		jnz	short loc_61C7BD
		mov	esi, ebx
		call	_IoIsPartialDumpRetry@0	; IoIsPartialDumpRetry()
		test	al, al
		jz	short loc_61C793
		mov	al, [ebx+18h]
		cmp	al, 3
		jz	short loc_61C78F
		cmp	al, 4
		jnz	short loc_61C793

loc_61C78F:				; CODE XREF: KeValidateBugCheckCallbackRecord(x,x,x)+69j
		mov	byte ptr [ebx+18h], 1

loc_61C793:				; CODE XREF: KeValidateBugCheckCallbackRecord(x,x,x)+62j
					; KeValidateBugCheckCallbackRecord(x,x,x)+6Dj
		cmp	byte ptr [ebx+18h], 1
		jnz	short loc_61C7BF
		mov	eax, [ebx+0Ch]
		mov	ecx, [ebx+8]
		add	eax, ecx
		mov	edx, [ebx+14h]
		add	eax, edx
		cmp	[ebx+10h], eax
		jnz	short loc_61C7BF
		cmp	edx, [ebp+var_8]
		jnz	short loc_61C7BF
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_61C7BF
		mov	al, 1
		jmp	short loc_61C7C2
; 

loc_61C7BD:				; CODE XREF: KeValidateBugCheckCallbackRecord(x,x,x)+42j
					; KeValidateBugCheckCallbackRecord(x,x,x)+57j
		xor	esi, esi

loc_61C7BF:				; CODE XREF: KeValidateBugCheckCallbackRecord(x,x,x)+77j
					; KeValidateBugCheckCallbackRecord(x,x,x)+89j ...
		mov	al, [ebp+var_1]

loc_61C7C2:				; CODE XREF: KeValidateBugCheckCallbackRecord(x,x,x)+9Bj
		pop	edi

loc_61C7C3:				; CODE XREF: KeValidateBugCheckCallbackRecord(x,x,x)+B3j
		mov	ebx, [ebp+arg_0]
		mov	[ebx], esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_61C7CE:				; CODE XREF: KeValidateBugCheckCallbackRecord(x,x,x)+15j
		mov	al, [ebp+var_1]
		xor	esi, esi
		jmp	short loc_61C7C3
_KeValidateBugCheckCallbackRecord@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiBugCheckAnsiToUnicode(x, x)
_KiBugCheckAnsiToUnicode@8 proc	near	; CODE XREF: KiDisplayBlueScreen(x)+13Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		movzx	esi, word ptr [ecx]
		push	edi
		mov	edi, edx
		mov	ax, [edi+2]
		shr	ax, 1
		dec	ax
		movzx	eax, ax
		cmp	si, ax
		jnb	short loc_61C7F7
		mov	eax, esi

loc_61C7F7:				; CODE XREF: KiBugCheckAnsiToUnicode(x,x)+1Ej
		mov	ecx, [ecx+4]
		xor	ebx, ebx
		movzx	edx, ax
		xor	esi, esi
		mov	[ebp+var_4], edx
		mov	edx, [edi+4]
		mov	[ebp+var_8], edx
		cmp	bx, ax
		jnb	short loc_61C82B
		movzx	ebx, ax
		mov	eax, [ebp+var_4]
		movzx	esi, ax

loc_61C818:				; CODE XREF: KiBugCheckAnsiToUnicode(x,x)+51j
		movsx	ax, byte ptr [ecx]
		inc	ecx
		mov	[edx], ax
		lea	edx, [edx+2]
		sub	ebx, 1
		jnz	short loc_61C818
		mov	edx, [ebp+var_8]

loc_61C82B:				; CODE XREF: KiBugCheckAnsiToUnicode(x,x)+38j
		movzx	eax, si
		xor	ecx, ecx
		mov	[edx+eax*2], cx
		lea	eax, [esi+esi]
		mov	[edi], ax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiBugCheckAnsiToUnicode@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiBugCheckConvertParameterValueToUnicodeString(x, x)
_KiBugCheckConvertParameterValueToUnicodeString@8 proc near
					; CODE XREF: KiDisplayBlueScreen(x)+1FCp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	[ebp+var_C], ebx
		movzx	esi, word ptr [ebx+2]
		mov	edx, [ebx+4]
		shr	esi, 1
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], esi
		cmp	esi, 0Bh
		jnz	short loc_61C8AC
		push	30h
		pop	eax
		push	78h
		mov	[edx], ax
		lea	ebx, [edx+4]
		pop	eax
		mov	[edx+2], ax
		xor	edi, edi
		mov	esi, ecx

loc_61C877:				; CODE XREF: KiBugCheckConvertParameterValueToUnicodeString(x,x)+60j
		push	1Ch
		pop	ecx
		sub	ecx, edi
		mov	edx, esi
		shr	edx, cl
		and	edx, 0Fh
		cmp	edx, 0Ah
		push	2
		sbb	eax, eax
		add	edi, 4
		and	eax, 0FFFFFFF9h
		add	eax, 37h
		add	ax, dx
		mov	[ebx], ax
		pop	eax
		add	ebx, eax
		cmp	edi, 20h
		jb	short loc_61C877
		mov	esi, [ebp+var_8]
		mov	ebx, [ebp+var_C]
		mov	edx, [ebp+var_10]
		jmp	short loc_61C8C3
; 

loc_61C8AC:				; CODE XREF: KiBugCheckConvertParameterValueToUnicodeString(x,x)+22j
		lea	ecx, [esi-1]
		test	ecx, ecx
		jz	short loc_61C8C3
		shr	ecx, 1
		mov	eax, 2D002Dh
		mov	edi, edx
		rep stosd
		adc	ecx, ecx
		rep stosw

loc_61C8C3:				; CODE XREF: KiBugCheckConvertParameterValueToUnicodeString(x,x)+6Bj
					; KiBugCheckConvertParameterValueToUnicodeString(x,x)+72j
		push	2
		xor	eax, eax
		mov	[edx+esi*2-2], ax
		mov	ax, [ebx+2]
		pop	ecx
		pop	edi
		sub	ax, cx
		pop	esi
		mov	[ebx], ax
		pop	ebx
		leave
		retn
_KiBugCheckConvertParameterValueToUnicodeString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiBugCheckConvertProgressValueToUnicodeString(x, x)
_KiBugCheckConvertProgressValueToUnicodeString@8 proc near
					; CODE XREF: KiBugCheckProgress(x)+C6p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	eax, ecx
		push	edi
		movzx	ebx, word ptr [esi+2]
		mov	edi, [esi+4]
		shr	ebx, 1
		mov	[ebp+var_4], edi
		lea	ecx, [ebx-1]
		cmp	eax, 64h
		ja	short loc_61C931

loc_61C8FD:				; CODE XREF: KiBugCheckConvertProgressValueToUnicodeString(x,x)+41j
		xor	edx, edx
		mov	[ebp+var_4], 0Ah
		div	[ebp+var_4]
		dec	ecx
		mov	[ebp+var_4], eax
		lea	eax, [edx+30h]
		mov	[edi+ecx*2], ax
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_61C91F
		test	ecx, ecx
		jnz	short loc_61C8FD

loc_61C91F:				; CODE XREF: KiBugCheckConvertProgressValueToUnicodeString(x,x)+3Dj
		test	ecx, ecx
		jz	short loc_61C946

loc_61C923:				; CODE XREF: KiBugCheckConvertProgressValueToUnicodeString(x,x)+51j
		sub	ecx, 1
		push	20h
		pop	eax
		mov	[edi+ecx*2], ax
		jnz	short loc_61C923
		jmp	short loc_61C946
; 

loc_61C931:				; CODE XREF: KiBugCheckConvertProgressValueToUnicodeString(x,x)+1Fj
		test	ecx, ecx
		jz	short loc_61C946
		shr	ecx, 1
		mov	eax, 2D002Dh
		rep stosd
		adc	ecx, ecx
		rep stosw
		mov	edi, [ebp+var_4]

loc_61C946:				; CODE XREF: KiBugCheckConvertProgressValueToUnicodeString(x,x)+45j
					; KiBugCheckConvertProgressValueToUnicodeString(x,x)+53j ...
		xor	eax, eax
		mov	[edi+ebx*2-2], ax
		mov	ax, [esi+2]
		sub	ax, 2
		pop	edi
		mov	[esi], ax
		pop	esi
		pop	ebx
		leave
		retn
_KiBugCheckConvertProgressValueToUnicodeString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiBugCheckDebugBreak(x)
_KiBugCheckDebugBreak@4	proc near	; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+798p
					; KeBugCheck2(x,x,x,x,x,x)+992p ...

var_38		= dword	ptr -38h
var_34		= byte ptr -34h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	28h
		push	offset dword_6A8638
		call	__SEH_prolog4	; int
		mov	[ebp+var_1C], ecx
		xor	esi, esi
		push	0FFFFFFFEh
		pop	edi

loc_61C971:				; CODE XREF: KiBugCheckDebugBreak(x)+A0j
		mov	[ebp+ms_exc.disabled], esi
		push	[ebp+var_1C]	; int
		call	_DbgBreakPointWithStatus@4 ; DbgBreakPointWithStatus(x)
		jmp	short loc_61C9F6
; 

loc_61C97E:				; DATA XREF: .text:006A864Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_61C982:				; DATA XREF: .text:006A8650o
		mov	esp, [ebp+ms_exc.old_esp]
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_38]
		rep stosd
		mov	[ebp+var_20], 18h
		lea	eax, [ebp+var_20]
		push	eax		; int
		lea	eax, [ebp+var_38]
		push	eax		; void *
		xor	esi, esi
		push	esi		; int
		push	esi		; int
		push	10h		; int
		call	HeadlessDispatch
		test	eax, eax
		js	short loc_61C9E3
		cmp	[ebp+var_38], 1
		jnz	short loc_61C9E3
		cmp	[ebp+var_34], 0
		jz	short loc_61C9E3
		push	esi		; int
		push	esi		; void *
		push	3		; int
		push	(offset	loc_5A4E51+1) ;	int
		push	3		; int
		call	HeadlessDispatch
		push	0Ch
		pop	edx
		mov	ecx, (offset ??_C@_03EOCNLBMA@?$AN?6?$CK@FNODOBFM@+4) ;	int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)

loc_61C9D6:				; CODE XREF: KiBugCheckDebugBreak(x)+84j
		push	esi		; int
		push	esi		; void *
		push	esi		; int
		push	esi		; int
		push	0Fh		; int
		call	HeadlessDispatch
		jmp	short loc_61C9D6
; 

loc_61C9E3:				; CODE XREF: KiBugCheckDebugBreak(x)+4Ej
					; KiBugCheckDebugBreak(x)+54j ...
		mov	[ebp+ms_exc.disabled], 1
		call	ds:off_6B1234	; xHalHaltSystem()
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi

loc_61C9F6:				; CODE XREF: KiBugCheckDebugBreak(x)+1Fj
		mov	[ebp+ms_exc.disabled], edi
		cmp	[ebp+var_1C], 3
		jnz	loc_61C971
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiBugCheckDebugBreak@4	endp


;  S U B	R O U T	I N E 


sub_61CA13	proc near		; DATA XREF: .text:006A8658o
		xor	eax, eax
		inc	eax
		retn
sub_61CA13	endp


;  S U B	R O U T	I N E 


sub_61CA17	proc near		; DATA XREF: .text:006A865Co
		mov	esp, [ebp-18h]

loc_61CA1A:				; CODE XREF: sub_61CA17:loc_61CA1Aj
		jmp	short loc_61CA1A
sub_61CA17	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiBugCheckProgress(x)
_KiBugCheckProgress@4 proc near		; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+6Co

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		cmp	ds:_IopAutoReboot, 0
		push	esi
		mov	[ebp+var_14], eax
		setnz	byte ptr [ebp+var_24]
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		push	8
		pop	eax
		mov	word ptr [ebp+var_14+2], ax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_10], eax
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	byte ptr ds:dword_6B6BB8, 2
		mov	esi, [ebp+arg_0]
		jz	short loc_61CA73
		push	[ebp+var_24]
		lea	edx, [ebp+var_20]
		mov	ecx, esi
		call	_BgpFwDisplayBugCheckProgressUpdate@12 ; BgpFwDisplayBugCheckProgressUpdate(x,x,x)

loc_61CA73:				; CODE XREF: KiBugCheckProgress(x)+48j
		call	BgpFwReleaseLock
		test	esi, esi
		jz	loc_61CB00
		push	0Eh
		pop	edx
		mov	ecx, offset ??_C@_1O@LHPILDCB@?$AA?$AN?$AA?$BL?$AA?$FL?$AA0?$AAK?$AA?$AN@FNODOBFM@ ; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	short loc_61CADD
		cmp	[ebp+var_1C], 0
		jz	short loc_61CADD
		cmp	[ebp+var_18], 0
		jz	short loc_61CADD
		movzx	edx, word ptr [ecx] ; int
		mov	ecx, [ecx+4]	; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		push	4
		pop	edx
		mov	ecx, offset ??_C@_13HOIJIPNN@?$AA?5@FNODOBFM@ ;	int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		mov	ecx, [ebp+var_1C]
		movzx	edx, word ptr [ecx] ; int
		mov	ecx, [ecx+4]	; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		movzx	edx, word ptr [ebp+var_14] ; int
		mov	ecx, [ebp+var_10] ; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		mov	ecx, [ebp+var_18]
		movzx	edx, word ptr [ecx]
		mov	ecx, [ecx+4]
		jmp	short loc_61CAFB
; 

loc_61CADD:				; CODE XREF: KiBugCheckProgress(x)+76j
					; KiBugCheckProgress(x)+7Cj ...
		lea	edx, [ebp+var_14]
		mov	ecx, esi
		call	_KiBugCheckConvertProgressValueToUnicodeString@8 ; KiBugCheckConvertProgressValueToUnicodeString(x,x)
		movzx	edx, word ptr [ebp+var_14] ; int
		mov	ecx, [ebp+var_10] ; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		push	4
		pop	edx
		mov	ecx, (offset loc_5A4E51+5) ; int

loc_61CAFB:				; CODE XREF: KiBugCheckProgress(x)+BFj
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)

loc_61CB00:				; CODE XREF: KiBugCheckProgress(x)+5Ej
		cmp	esi, 64h
		pop	esi
		jnz	short loc_61CB13
		push	6
		pop	edx
		mov	ecx, offset ??_C@_15JNBOKNOG@?$AA?$AN?$AA?6@FNODOBFM@ ;	int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)

loc_61CB13:				; CODE XREF: KiBugCheckProgress(x)+E8j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_KiBugCheckProgress@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiBugCheckUnicodeToAnsi(x, x, x)
_KiBugCheckUnicodeToAnsi@12 proc near	; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+4ABp
					; KiDumpParameterImages(x,x,x,x)+CAp
		mov	edi, edi
		push	esi
		movzx	esi, word ptr [ecx]
		shr	esi, 1
		push	edi
		mov	edi, edx
		cmp	esi, 80h
		jb	short loc_61CB39
		push	7Fh
		pop	esi

loc_61CB39:				; CODE XREF: KiBugCheckUnicodeToAnsi(x,x,x)+11j
		mov	edx, [ecx+4]
		mov	ecx, edi
		test	esi, esi
		jz	short loc_61CB4F

loc_61CB42:				; CODE XREF: KiBugCheckUnicodeToAnsi(x,x,x)+2Aj
		mov	al, [edx]
		lea	edx, [edx+2]
		mov	[ecx], al
		inc	ecx
		sub	esi, 1
		jnz	short loc_61CB42

loc_61CB4F:				; CODE XREF: KiBugCheckUnicodeToAnsi(x,x,x)+1Dj
		mov	eax, edi
		mov	byte ptr [ecx],	0
		pop	edi
		pop	esi
		retn	4
_KiBugCheckUnicodeToAnsi@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiBugcheckUnloadDebugSymbols()
_KiBugcheckUnloadDebugSymbols@0	proc near ; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+9B8p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		cmp	ds:_KiHypervisorInitiatedCrashDump, 0
		jnz	short locret_61CB8F
		or	[ebp+var_14], 0FFFFFFFFh
		xor	eax, eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_4], eax
		mov	eax, 4
		mov	ecx, 0
		mov	edx, [ebp+var_4]
		int	2Dh		; Internal routine for MSDOS (IRET)
		int	3		; Trap to Debugger

locret_61CB8F:				; CODE XREF: KiBugcheckUnloadDebugSymbols()+Fj
		leave
		retn
_KiBugcheckUnloadDebugSymbols@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiDisplayBlueScreen(x)
_KiDisplayBlueScreen@4 proc near	; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+84Fp

var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_168		= dword	ptr -168h
var_68		= dword	ptr -68h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1ACh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		xor	esi, esi
		mov	[ebp+var_1A8], ecx
		lea	eax, [ebp+var_198]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_1A4], esi
		mov	[ebp+var_1A0], esi
		mov	[ebp+var_19C], esi
		call	_KiEnableHeadlessBlueScreen@0 ;	KiEnableHeadlessBlueScreen()
		mov	ecx, 81h
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		mov	edi, ds:_KiBugCheckDriver
		test	edi, edi
		jnz	short loc_61CC07
		push	esi
		push	4
		mov	edx, offset dword_6CA684
		xor	ecx, ecx
		call	_KiDumpParameterImages@16 ; KiDumpParameterImages(x,x,x,x)
		mov	edi, ds:_KiBugCheckDriver
		test	edi, edi
		jz	short loc_61CC26

loc_61CC07:				; CODE XREF: KiDisplayBlueScreen(x)+5Bj
		push	1Eh
		pop	eax
		cmp	[edi], ax
		jnz	short loc_61CC26
		push	eax		; size_t
		push	offset aVerifierext_sy ; "VerifierExt.sys"
		push	dword ptr [edi+4] ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_61CC26
		mov	edi, esi

loc_61CC26:				; CODE XREF: KiDisplayBlueScreen(x)+74j
					; KiDisplayBlueScreen(x)+7Cj ...
		lea	eax, [ebp+var_168]
		mov	[ebp+var_190], 1000000h
		push	16h
		mov	[ebp+var_18C], eax
		lea	ecx, [ebp+var_68]
		mov	eax, esi
		pop	ebx

loc_61CC44:				; CODE XREF: KiDisplayBlueScreen(x)+D3j
		push	14h
		pop	edx
		mov	[ebp+eax*8+var_184], ecx
		add	ecx, ebx
		mov	word ptr [ebp+eax*8+var_188], dx
		mov	word ptr [ebp+eax*8+var_188+2],	bx
		inc	eax
		cmp	eax, 4
		jb	short loc_61CC44
		mov	ecx, ds:_KiBugCheckData
		lea	edx, [ebp+var_1A4]
		call	_KeGetBugMessageText@8 ; KeGetBugMessageText(x,x)
		test	al, al
		jnz	short loc_61CCC1
		push	ds:_KiBugCheckData ; char
		lea	eax, [ebp+var_19C]
		push	offset ??_C@_06BJBFBFHM@0x?$CF08x@FNODOBFM@ ; char *
		push	esi		; int
		push	esi		; int
		push	eax		; int
		lea	eax, [ebp+var_10]
		push	0Bh		; int
		push	eax		; int
		call	_RtlStringCbPrintfExA
		lea	eax, [ebp+var_10]
		add	esp, 1Ch
		mov	[ebp+var_1A0], eax
		lea	ecx, [ebp+var_10]
		mov	ax, word ptr [ebp+var_19C]
		sub	ax, cx
		mov	word ptr [ebp+var_1A4],	ax
		mov	word ptr [ebp+var_1A4+2], ax

loc_61CCC1:				; CODE XREF: KiDisplayBlueScreen(x)+E8j
		lea	edx, [ebp+var_190]
		lea	ecx, [ebp+var_1A4]
		call	_KiBugCheckAnsiToUnicode@8 ; KiBugCheckAnsiToUnicode(x,x)
		call	_InbvAcquireDisplayOwnership@0 ; InbvAcquireDisplayOwnership()
		mov	ecx, 82h
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		mov	eax, ds:_KiBugCheckData
		mov	ebx, esi
		mov	[ebp+var_198], esi
		mov	[ebp+var_194], ebx
		mov	[ebp+var_19C], eax
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	byte ptr ds:dword_6B6BB8, 2
		jz	short loc_61CD2C
		push	[ebp+var_1A8]
		mov	ecx, [ebp+var_19C]
		lea	eax, [ebp+var_198]
		push	eax
		push	edi
		mov	edx, offset dword_6CA684
		call	_BgpFwDisplayBugCheckScreen@20 ; BgpFwDisplayBugCheckScreen(x,x,x,x,x)
		mov	ebx, [ebp+var_194]

loc_61CD2C:				; CODE XREF: KiDisplayBlueScreen(x)+175j
		call	BgpFwReleaseLock
		mov	ecx, 80h
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		mov	edi, [ebp+var_198]
		test	edi, edi
		jz	short loc_61CD7D
		test	ebx, ebx
		jz	short loc_61CD7D
		push	6
		pop	edx
		mov	ecx, offset ??_C@_15JNBOKNOG@?$AA?$AN?$AA?6@FNODOBFM@ ;	int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		movzx	edx, word ptr [edi] ; int
		mov	ecx, [edi+4]	; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		push	6
		mov	edi, offset ??_C@_15JNBOKNOG@?$AA?$AN?$AA?6@FNODOBFM@
		pop	edx
		mov	ecx, edi	; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		movzx	edx, word ptr [ebx] ; int
		mov	ecx, [ebx+4]	; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		jmp	short loc_61CDA2
; 

loc_61CD7D:				; CODE XREF: KiDisplayBlueScreen(x)+1B2j
					; KiDisplayBlueScreen(x)+1B6j
		lea	ebx, [ebp+var_188]
		mov	edi, esi

loc_61CD85:				; CODE XREF: KiDisplayBlueScreen(x)+20Aj
		mov	ecx, ds:dword_6CA684[edi]
		mov	edx, ebx
		call	_KiBugCheckConvertParameterValueToUnicodeString@8 ; KiBugCheckConvertParameterValueToUnicodeString(x,x)
		add	edi, 4
		add	ebx, 8
		cmp	edi, 10h
		jb	short loc_61CD85
		mov	edi, offset ??_C@_15JNBOKNOG@?$AA?$AN?$AA?6@FNODOBFM@

loc_61CDA2:				; CODE XREF: KiDisplayBlueScreen(x)+1EAj
		push	6
		pop	ebx
		mov	edx, ebx	; int
		mov	ecx, edi	; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		movzx	edx, word ptr [ebp+var_190] ; int
		mov	ecx, [ebp+var_18C] ; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		cmp	ds:_KiBugCheckDriver, esi
		jz	short loc_61CDE2
		mov	edx, ebx	; int
		mov	ecx, edi	; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		mov	ecx, ds:_KiBugCheckDriver
		movzx	edx, word ptr [ecx] ; int
		mov	ecx, [ecx+4]	; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)

loc_61CDE2:				; CODE XREF: KiDisplayBlueScreen(x)+235j
		mov	edx, ebx	; int
		mov	ecx, edi	; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		mov	edx, ebx	; int
		mov	ecx, edi	; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)

loc_61CDF4:				; CODE XREF: KiDisplayBlueScreen(x)+284j
		movzx	edx, word ptr [ebp+esi*8+var_188] ; int
		mov	ecx, [ebp+esi*8+var_184] ; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		mov	edx, ebx	; int
		mov	ecx, edi	; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		inc	esi
		cmp	esi, 4
		jb	short loc_61CDF4
		mov	edx, ebx	; int
		mov	ecx, edi	; int
		call	_KiHeadlessDisplayString@8 ; KiHeadlessDisplayString(x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KiDisplayBlueScreen@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiDumpParameterImages(x, x,	x, x)
_KiDumpParameterImages@16 proc near	; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+6A7p
					; KiDisplayBlueScreen(x)+67p

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_86		= dword	ptr -86h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_90], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	byte ptr [ebp+var_86+1], 1
		mov	byte ptr [ebp+var_86], 0
		mov	edi, edx
		mov	[ebp+var_98], edi
		test	ebx, ebx
		jz	short loc_61CE6D
		mov	byte ptr [ebx],	0

loc_61CE6D:				; CODE XREF: KiDumpParameterImages(x,x,x,x)+39j
		xor	esi, esi
		cmp	[ebp+arg_0], esi
		jbe	loc_61CF63

loc_61CE78:				; CODE XREF: KiDumpParameterImages(x,x,x,x)+12Ej
		mov	ecx, [edi+esi*4]
		lea	eax, [ebp+var_86]
		and	[ebp+var_94], 0
		lea	edx, [ebp+var_90]
		push	eax
		push	1
		call	_KiPcToFileHeader@16 ; KiPcToFileHeader(x,x,x,x)
		mov	[ebp+var_8C], eax
		test	eax, eax
		jnz	short loc_61CEC0
		mov	ecx, [edi+esi*4]
		mov	[ebp+var_8C], ecx
		call	_MmLocateUnloadedDriver@4 ; MmLocateUnloadedDriver(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_61CF53
		cmp	[ebp+arg_4], 0
		jz	short loc_61CF04
		jmp	short loc_61CEF0
; 

loc_61CEC0:				; CODE XREF: KiDumpParameterImages(x,x,x,x)+6Fj
		mov	edi, [ebp+var_90]
		mov	ecx, [edi+18h]
		call	MmIsAddressValidEx
		cmp	al, 1
		jnz	short loc_61CEE7
		push	dword ptr [edi+18h]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	short loc_61CEE7
		mov	eax, [eax+8]
		mov	[ebp+var_94], eax

loc_61CEE7:				; CODE XREF: KiDumpParameterImages(x,x,x,x)+A1j
					; KiDumpParameterImages(x,x,x,x)+ADj
		add	edi, 2Ch
		cmp	[ebp+arg_4], 0
		jz	short loc_61CEFE

loc_61CEF0:				; CODE XREF: KiDumpParameterImages(x,x,x,x)+8Fj
		push	ecx
		lea	edx, [ebp+var_86+2]
		mov	ecx, edi
		call	_KiBugCheckUnicodeToAnsi@12 ; KiBugCheckUnicodeToAnsi(x,x,x)

loc_61CEFE:				; CODE XREF: KiDumpParameterImages(x,x,x,x)+BFj
		mov	ecx, [ebp+var_8C]

loc_61CF04:				; CODE XREF: KiDumpParameterImages(x,x,x,x)+8Dj
		test	ebx, ebx
		jz	short loc_61CF46
		cmp	byte ptr [ebp+var_86+1], 0
		mov	eax, offset ??_C@_03EOCNLBMA@?$AN?6?$CK@FNODOBFM@
		jnz	short loc_61CF1B
		mov	eax, offset ??_C@_01NBENCBCI@?$CK@FNODOBFM@

loc_61CF1B:				; CODE XREF: KiDumpParameterImages(x,x,x,x)+E5j
		push	[ebp+var_94]
		push	ecx
		mov	ecx, [ebp+var_98]
		push	dword ptr [ecx+esi*4]
		lea	ecx, [ebp+var_86+2]
		push	ecx
		push	eax		; char
		push	offset ??_C@_0DG@HBEOGLKD@?$CFs?$CK?$CK?5?5?$CF12s?5?9?5Address?5?$CFp?5base?5at@FNODOBFM@ ; "%s**  %12s - Address %p base at %p, Dat"...
		push	80h		; int
		push	ebx		; char *
		call	RtlStringCbPrintfA
		add	esp, 20h

loc_61CF46:				; CODE XREF: KiDumpParameterImages(x,x,x,x)+D7j
		mov	ds:_KiBugCheckDriver, edi
		mov	byte ptr [ebp+var_86+1], 0

loc_61CF53:				; CODE XREF: KiDumpParameterImages(x,x,x,x)+83j
		mov	edi, [ebp+var_98]
		inc	esi
		cmp	esi, [ebp+arg_0]
		jb	loc_61CE78

loc_61CF63:				; CODE XREF: KiDumpParameterImages(x,x,x,x)+43j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_KiDumpParameterImages@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiEnableHeadlessBlueScreen()
_KiEnableHeadlessBlueScreen@0 proc near	; CODE XREF: KiDisplayBlueScreen(x)+44p

var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ds:_KiBugCheckData
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], eax
		push	esi		; int
		push	esi		; void *
		push	esi		; int
		push	esi		; int
		push	0Eh		; int
		mov	byte ptr [ebp+var_1], 1
		call	HeadlessDispatch
		push	esi		; int
		push	esi		; void *
		push	1		; int
		lea	eax, [ebp+var_1]
		push	eax		; int
		push	1		; int
		call	HeadlessDispatch
		push	esi		; int
		push	esi		; void *
		push	4		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	14h		; int
		call	HeadlessDispatch
		pop	esi
		leave
		retn
_KiEnableHeadlessBlueScreen@0 endp


;  S U B	R O U T	I N E 


; int __fastcall KiHeadlessDisplayString(int,int)
_KiHeadlessDisplayString@8 proc	near	; CODE XREF: KiBugCheckDebugBreak(x)+74p
					; KiBugCheckProgress(x)+6Cp ...
		mov	edi, edi
		push	ecx
		test	ecx, ecx
		jz	short loc_61CFCF
		test	edx, edx
		jz	short loc_61CFCF
		push	0		; int
		push	0		; void *
		push	edx		; int
		push	ecx		; int
		push	17h		; int
		call	HeadlessDispatch

loc_61CFCF:				; CODE XREF: KiHeadlessDisplayString(x,x)+5j
					; KiHeadlessDisplayString(x,x)+9j
		pop	ecx
		retn
_KiHeadlessDisplayString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInvokeBugCheckAddTriageDumpDataCallbacks()
_KiInvokeBugCheckAddTriageDumpDataCallbacks@0 proc near
					; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+862p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	38h
		push	offset dword_6A85F8
		call	__SEH_prolog4
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_48]
		rep stosd
		and	[ebp+var_1C], eax
		mov	eax, offset _KeBugCheckReasonCallbackListHead
		mov	[ebp+var_28], eax
		mov	esi, ds:_KeBugCheckReasonCallbackListHead
		test	esi, esi
		jz	loc_61D105
		cmp	ds:dword_6CB3FC, 0
		jz	loc_61D105
		mov	[ebp+var_20], eax

loc_61D010:				; CODE XREF: KiInvokeBugCheckAddTriageDumpDataCallbacks()+12Fj
		mov	[ebp+var_24], esi
		cmp	esi, [ebp+var_28]
		jz	loc_61D105
		lea	eax, [ebp+var_20]
		push	eax
		push	7
		pop	edx
		mov	ecx, esi
		call	_KeValidateBugCheckCallbackRecord@12 ; KeValidateBugCheckCallbackRecord(x,x,x)
		test	al, al
		jz	loc_61D0F8
		and	[ebp+var_48], 0
		mov	[ebp+var_44], 1
		mov	[ebp+var_40], 2000000h
		mov	eax, ds:_KiBugCheckData
		mov	[ebp+var_3C], eax
		mov	eax, ds:dword_6CA684
		mov	[ebp+var_38], eax
		mov	eax, ds:dword_6CA688
		mov	[ebp+var_34], eax
		mov	eax, ds:dword_6CA68C
		mov	[ebp+var_30], eax
		mov	eax, ds:dword_6CA690
		mov	[ebp+var_2C], eax
		and	[ebp+ms_exc.disabled], 0
		push	20h
		lea	eax, [ebp+var_48]
		push	eax
		push	esi
		push	7
		call	dword ptr [esi+8]
		mov	ecx, [ebp+var_48]
		test	ecx, ecx
		jz	short loc_61D0DF
		push	2000000h
		call	KiValidateTriageDumpDataArray
		test	al, al
		jz	short loc_61D0DF
		lea	edx, [ebp+var_1C]
		mov	ecx, [esi+0Ch]
		call	_KiValidateComponentName@8 ; KiValidateComponentName(x,x)
		test	al, al
		jz	short loc_61D0DF
		mov	ecx, [esi+0Ch]
		mov	eax, [ebp+var_48]
		mov	[eax+1Ch], ecx
		mov	edx, [ebp+var_1C]
		inc	edx
		mov	eax, [ebp+var_48]
		mov	[eax+18h], edx
		mov	eax, [ebp+var_48]
		mov	ecx, ds:dword_6CB404
		cmp	dword ptr [ecx], offset	_KeBugCheckTriageDumpDataArrayListHead
		jz	short loc_61D0C9
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_61D0C9:				; CODE XREF: KiInvokeBugCheckAddTriageDumpDataCallbacks()+F1j
		mov	dword ptr [eax], offset	_KeBugCheckTriageDumpDataArrayListHead
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:dword_6CB404, eax
		mov	byte ptr [esi+18h], 3
		jmp	short loc_61D0E3
; 

loc_61D0DF:				; CODE XREF: KiInvokeBugCheckAddTriageDumpDataCallbacks()+B0j
					; KiInvokeBugCheckAddTriageDumpDataCallbacks()+BEj ...
		mov	byte ptr [esi+18h], 4

loc_61D0E3:				; CODE XREF: KiInvokeBugCheckAddTriageDumpDataCallbacks()+10Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_61D0FE
; 

loc_61D0EC:				; DATA XREF: .text:006A860Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_61D0F0:				; DATA XREF: .text:006A8610o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_24]
		jmp	short loc_61D0DF
; 

loc_61D0F8:				; CODE XREF: KiInvokeBugCheckAddTriageDumpDataCallbacks()+5Bj
		cmp	[ebp+var_20], 0
		jz	short loc_61D105

loc_61D0FE:				; CODE XREF: KiInvokeBugCheckAddTriageDumpDataCallbacks()+119j
		mov	esi, [esi]
		jmp	loc_61D010
; 

loc_61D105:				; CODE XREF: KiInvokeBugCheckAddTriageDumpDataCallbacks()+29j
					; KiInvokeBugCheckAddTriageDumpDataCallbacks()+36j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiInvokeBugCheckAddTriageDumpDataCallbacks@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInvokeBugCheckEntryCallbacks(x, x, x)
_KiInvokeBugCheckEntryCallbacks@12 proc	near ; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+855p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	14h
		push	offset dword_6A8618
		call	__SEH_prolog4
		mov	eax, offset _KeBugCheckReasonCallbackListHead
		mov	[ebp+var_24], eax
		mov	esi, ds:_KeBugCheckReasonCallbackListHead
		test	esi, esi
		jz	short loc_61D18E
		cmp	ds:dword_6CB3FC, 0
		jz	short loc_61D18E
		mov	[ebp+var_1C], eax

loc_61D13F:				; CODE XREF: KiInvokeBugCheckEntryCallbacks(x,x,x)+77j
		mov	[ebp+var_20], esi
		cmp	esi, [ebp+var_24]
		jz	short loc_61D18E
		lea	eax, [ebp+var_1C]
		push	eax
		xor	edx, edx
		inc	edx
		mov	ecx, esi
		call	_KeValidateBugCheckCallbackRecord@12 ; KeValidateBugCheckCallbackRecord(x,x,x)
		test	al, al
		jz	short loc_61D184
		and	[ebp+ms_exc.disabled], 0
		push	0
		push	0
		push	esi
		push	1
		call	dword ptr [esi+8]
		mov	byte ptr [esi+18h], 3

loc_61D16B:				; CODE XREF: KiInvokeBugCheckEntryCallbacks(x,x,x)+6Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_61D18A
; 

loc_61D174:				; DATA XREF: .text:006A862Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_61D178:				; DATA XREF: .text:006A8630o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_20]
		mov	byte ptr [esi+18h], 4
		jmp	short loc_61D16B
; 

loc_61D184:				; CODE XREF: KiInvokeBugCheckEntryCallbacks(x,x,x)+42j
		cmp	[ebp+var_1C], 0
		jz	short loc_61D18E

loc_61D18A:				; CODE XREF: KiInvokeBugCheckEntryCallbacks(x,x,x)+5Dj
		mov	esi, [esi]
		jmp	short loc_61D13F
; 

loc_61D18E:				; CODE XREF: KiInvokeBugCheckEntryCallbacks(x,x,x)+1Cj
					; KiInvokeBugCheckEntryCallbacks(x,x,x)+25j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KiInvokeBugCheckEntryCallbacks@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiPcToFileHeader(x,	x, x, x)
_KiPcToFileHeader@16 proc near		; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+3DBp
					; KeBugCheck2(x,x,x,x,x,x)+58Ap ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		cmp	ds:_InitializationPhase, 2
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], ecx
		jnb	short loc_61D1C5
		mov	edi, ds:_KeLoaderBlock
		add	edi, 10h
		jmp	short loc_61D1CA
; 

loc_61D1C5:				; CODE XREF: KiPcToFileHeader(x,x,x,x)+18j
		mov	edi, offset _PsLoadedModuleList

loc_61D1CA:				; CODE XREF: KiPcToFileHeader(x,x,x,x)+23j
		mov	eax, [ebp+arg_4]
		xor	ebx, ebx
		mov	esi, [edi]
		mov	[eax], bl
		test	esi, esi
		jz	short loc_61D21B
		mov	[ebp+var_4], ebx
		jmp	short loc_61D217
; 

loc_61D1DC:				; CODE XREF: KiPcToFileHeader(x,x,x,x)+79j
		mov	ecx, esi
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_61D239
		mov	ecx, [ebp+var_4]
		inc	ecx
		mov	[ebp+var_4], ecx
		cmp	ecx, 2
		ja	short loc_61D1FD
		cmp	[ebp+arg_0], 1
		jnz	short loc_61D1FD
		mov	esi, [esi]
		jmp	short loc_61D217
; 

loc_61D1FD:				; CODE XREF: KiPcToFileHeader(x,x,x,x)+51j
					; KiPcToFileHeader(x,x,x,x)+57j
		mov	edx, esi
		mov	esi, [esi]
		mov	eax, [edx+18h]
		mov	[ebp+var_C], eax
		cmp	[ebp+var_8], eax
		jb	short loc_61D217
		mov	eax, [edx+20h]
		add	eax, [ebp+var_C]
		cmp	[ebp+var_8], eax
		jb	short loc_61D224

loc_61D217:				; CODE XREF: KiPcToFileHeader(x,x,x,x)+3Aj
					; KiPcToFileHeader(x,x,x,x)+5Bj ...
		cmp	esi, edi
		jnz	short loc_61D1DC

loc_61D21B:				; CODE XREF: KiPcToFileHeader(x,x,x,x)+35j
					; KiPcToFileHeader(x,x,x,x)+8Fj ...
		mov	eax, ebx

loc_61D21D:				; CODE XREF: KiPcToFileHeader(x,x,x,x)+9Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_61D224:				; CODE XREF: KiPcToFileHeader(x,x,x,x)+75j
		mov	eax, [ebp+var_10]
		mov	ebx, [ebp+var_C]
		mov	[eax], edx
		cmp	ecx, 2
		ja	short loc_61D21B
		mov	eax, [ebp+arg_4]
		mov	byte ptr [eax],	1
		jmp	short loc_61D21B
; 

loc_61D239:				; CODE XREF: KiPcToFileHeader(x,x,x,x)+45j
		xor	eax, eax
		jmp	short loc_61D21D
_KiPcToFileHeader@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSaveCurrentEtwTraceBuffer()
_KiSaveCurrentEtwTraceBuffer@0 proc near ; CODE	XREF: KeBugCheck2(x,x,x,x,x,x)+25Cp

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, large fs:20h
		sub	esp, 0Ch
		xor	eax, eax
		mov	edx, [edx+3CCh]
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_C]
		push	eax
		push	2
		pop	ecx
		call	_EtwGetProcessorBuffer@12 ; EtwGetProcessorBuffer(x,x,x)
		test	eax, eax
		js	short loc_61D2B2
		mov	ecx, [ebp+var_C]
		mov	edi, 2000h
		mov	eax, [ebp+var_4]
		add	eax, ecx
		mov	ds:_KiCurrentEtwBufferBase, ecx
		mov	edx, eax
		mov	ds:_KiCurrentEtwBufferOffset, eax
		sub	edx, ecx
		cmp	edx, edi
		jb	short loc_61D293
		lea	ecx, [eax-2000h]
		mov	edx, edi

loc_61D293:				; CODE XREF: KiSaveCurrentEtwTraceBuffer()+4Cj
		call	IoAddTriageDumpDataBlock
		push	4
		pop	edx
		mov	ecx, offset _KiCurrentEtwBufferBase
		call	IoAddTriageDumpDataBlock
		push	4
		pop	edx
		mov	ecx, offset _KiCurrentEtwBufferOffset
		call	IoAddTriageDumpDataBlock

loc_61D2B2:				; CODE XREF: KiSaveCurrentEtwTraceBuffer()+2Cj
		cmp	ds:_ErrorLogSessionOpened, 0
		jz	short loc_61D323
		mov	edx, large fs:20h
		lea	eax, [ebp+var_C]
		movzx	ecx, ds:_IopErrorLogSession
		push	eax
		mov	edx, [edx+3CCh]
		call	_EtwGetProcessorBuffer@12 ; EtwGetProcessorBuffer(x,x,x)
		test	eax, eax
		js	short loc_61D323
		mov	ecx, [ebp+var_C]
		mov	edi, 1000h
		mov	eax, [ebp+var_4]
		add	eax, ecx
		mov	ds:_KiCurrentErrLogBufferBase, ecx
		mov	edx, eax
		mov	ds:_KiCurrentErrLogBufferOffset, eax
		sub	edx, ecx
		cmp	edx, edi
		jb	short loc_61D304
		lea	ecx, [eax-1000h]
		mov	edx, edi

loc_61D304:				; CODE XREF: KiSaveCurrentEtwTraceBuffer()+BDj
		call	IoAddTriageDumpDataBlock
		push	4
		pop	edx
		mov	ecx, offset _KiCurrentErrLogBufferBase
		call	IoAddTriageDumpDataBlock
		push	4
		pop	edx
		mov	ecx, offset _KiCurrentErrLogBufferOffset
		call	IoAddTriageDumpDataBlock

loc_61D323:				; CODE XREF: KiSaveCurrentEtwTraceBuffer()+7Cj
					; KiSaveCurrentEtwTraceBuffer()+9Dj
		pop	edi
		leave
		retn
_KiSaveCurrentEtwTraceBuffer@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiScanBugCheckCallbackList()
_KiScanBugCheckCallbackList@0 proc near	; CODE XREF: IopWriteTriageDumpToFirmware(x)+B9p
					; KeBugCheck2(x,x,x,x,x,x)+279p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	10h
		push	offset dword_6A8660
		call	__SEH_prolog4
		mov	edi, offset _KeBugCheckCallbackListHead
		mov	[ebp+var_20], edi
		mov	ebx, ds:_KeBugCheckCallbackListHead
		test	ebx, ebx
		jz	short loc_61D3BD
		cmp	ds:dword_6CB3EC, 0
		jz	short loc_61D3BD

loc_61D34D:				; CODE XREF: KiScanBugCheckCallbackList()+95j
		mov	[ebp+var_1C], ebx
		cmp	ebx, [ebp+var_20]
		jz	short loc_61D3BD
		test	bl, 3
		jnz	short loc_61D3BD
		xor	esi, esi

loc_61D35C:				; CODE XREF: KiScanBugCheckCallbackList()+46j
		lea	ecx, [ebx+esi]
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_61D3BD
		inc	esi
		cmp	esi, 20h
		jb	short loc_61D35C
		cmp	[ebx+4], edi
		jnz	short loc_61D3BD
		mov	ecx, [ebx+10h]
		mov	edx, [ebx+0Ch]
		mov	esi, [ebx+8]
		mov	eax, [ebx+14h]
		add	eax, esi
		add	eax, edx
		add	eax, ecx
		cmp	byte ptr [ebx+1Ch], 1
		jnz	short loc_61D3B7
		cmp	[ebx+18h], eax
		jnz	short loc_61D3B7
		mov	byte ptr [ebx+1Ch], 2
		and	[ebp+ms_exc.disabled], 0
		push	ecx
		push	edx
		call	esi
		mov	byte ptr [ebx+1Ch], 3
		jmp	short loc_61D3B0
; 

loc_61D3A2:				; DATA XREF: .text:006A8674o
		xor	eax, eax
		inc	eax
		retn
; 

loc_61D3A6:				; DATA XREF: .text:006A8678o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_1C]
		mov	byte ptr [ebx+1Ch], 4

loc_61D3B0:				; CODE XREF: KiScanBugCheckCallbackList()+7Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_61D3B7:				; CODE XREF: KiScanBugCheckCallbackList()+63j
					; KiScanBugCheckCallbackList()+68j
		mov	edi, ebx
		mov	ebx, [ebx]
		jmp	short loc_61D34D
; 

loc_61D3BD:				; CODE XREF: KiScanBugCheckCallbackList()+1Cj
					; KiScanBugCheckCallbackList()+25j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiScanBugCheckCallbackList@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiValidateComponentName(x, x)
_KiValidateComponentName@8 proc	near	; CODE XREF: KiInvokeBugCheckAddTriageDumpDataCallbacks()+C6p
					; IopShutdownBaseFileSystems(x)+19Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], edx
		mov	ebx, ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_61D456
		mov	ecx, ebx
		mov	eax, ebx
		and	ecx, 0FFFFF000h
		sub	eax, ecx
		mov	[ebp+var_C], ecx
		push	esi
		mov	esi, 101h
		cmp	eax, 0EFFh
		jbe	short loc_61D438
		lea	eax, [ebp+var_4]
		mov	edx, 1000h
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_61D41E
		mov	edi, [ebp+var_4]

loc_61D41E:				; CODE XREF: KiValidateComponentName(x,x)+4Cj
		test	edi, edi
		jz	short loc_61D42D
		mov	ecx, edi
		call	MmIsAddressValidEx
		test	al, al
		jnz	short loc_61D438

loc_61D42D:				; CODE XREF: KiValidateComponentName(x,x)+53j
		mov	esi, [ebp+var_C]
		sub	esi, ebx
		add	esi, 1000h

loc_61D438:				; CODE XREF: KiValidateComponentName(x,x)+3Aj
					; KiValidateComponentName(x,x)+5Ej
		lea	eax, [ebp+var_8]
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	_RtlStringCbLengthA@12 ; RtlStringCbLengthA(x,x,x)
		pop	esi
		test	eax, eax
		js	short loc_61D456
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_8]
		mov	[ecx], eax
		mov	al, 1
		jmp	short loc_61D458
; 

loc_61D456:				; CODE XREF: KiValidateComponentName(x,x)+1Ej
					; KiValidateComponentName(x,x)+7Bj
		xor	al, al

loc_61D458:				; CODE XREF: KiValidateComponentName(x,x)+87j
		pop	edi
		pop	ebx
		leave
		retn
_KiValidateComponentName@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1290. KeSetEventBoostPriority

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetEventBoostPriority(x, x)
		public _KeSetEventBoostPriority@8
_KeSetEventBoostPriority@8 proc	near	; CODE XREF: NtSetEventBoostPriority(x)+4Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jnz	short loc_61D470
		lea	edx, [ebp+arg_4]

loc_61D470:				; CODE XREF: KeSetEventBoostPriority(x,x)+Aj
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	eax
		push	1
		push	eax
		push	eax
		call	KeSetEventBoostPriorityEx
		pop	ebp
		retn	8
_KeSetEventBoostPriority@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGetInterruptObjectFromVector(x)
_KiGetInterruptObjectFromVector@4 proc near ; CODE XREF: KeQueryWakeSource(x,x)+70p
					; KiInterruptDispatchCommon(x,x,x,x,x)+C6p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		xor	esi, esi
		stosd
		stosd
		stosd
		stosd
		cmp	ecx, 0FFh
		ja	short loc_61D4B7
		lea	edx, [ebp+var_10]
		call	KiGetVectorInfo
		cmp	[ebp+var_10], 1
		jz	short loc_61D4B4
		cmp	[ebp+var_10], 2
		jnz	short loc_61D4B7

loc_61D4B4:				; CODE XREF: KiGetInterruptObjectFromVector(x)+29j
		mov	esi, [ebp+var_C]

loc_61D4B7:				; CODE XREF: KiGetInterruptObjectFromVector(x)+1Bj
					; KiGetInterruptObjectFromVector(x)+2Fj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_KiGetInterruptObjectFromVector@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1120. KeCountSetBitsGroupAffinity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeCountSetBitsGroupAffinity(x)
		public _KeCountSetBitsGroupAffinity@4
_KeCountSetBitsGroupAffinity@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [eax]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		pop	ebx
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	eax, cl
		pop	ebp
		retn	4
_KeCountSetBitsGroupAffinity@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1169. KeInitializeEnumerationContextFromAffinity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeEnumerationContextFromAffinity(x, x, x)
		public _KeInitializeEnumerationContextFromAffinity@12
_KeInitializeEnumerationContextFromAffinity@12 proc near

arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	ax, [ebp+arg_4]
		and	dword ptr [ecx], 0
		mov	[ecx+8], ax
		mov	eax, [ebp+arg_8]
		mov	[ecx+4], eax
		pop	ebp
		retn	0Ch
_KeInitializeEnumerationContextFromAffinity@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiFindBiasedProcessorIndex(x, x, x,	x)
_KiFindBiasedProcessorIndex@16 proc near
					; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+29Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		not	edx
		movzx	eax, dl
		shr	edx, 8
		mov	bl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		mov	ecx, edx
		shr	ecx, 8
		add	bl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, bl
		movzx	eax, cl
		cdq
		push	edx
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__aullrem
		add	eax, 1
		jz	short loc_61D58D

loc_61D579:				; CODE XREF: KiFindBiasedProcessorIndex(x,x,x,x)+64j
		and	[ebp+arg_4], 0
		inc	esi
		bsf	edx, edi
		add	esi, edx
		lea	ecx, [edx+1]
		shr	edi, cl
		sub	eax, 1
		jnz	short loc_61D579

loc_61D58D:				; CODE XREF: KiFindBiasedProcessorIndex(x,x,x,x)+50j
		pop	edi
		lea	eax, [esi-1]
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_KiFindBiasedProcessorIndex@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiDynamicProcessorAddNotification(x, x, x, x, x, x)
_KiDynamicProcessorAddNotification@24 proc near
					; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+390p
					; KiStartDynamicProcessor(x,x,x,x)+422p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ax, [ebp+arg_0]
		mov	[ebp+var_C], ax
		mov	al, [ebp+arg_4]
		mov	[ebp+var_A], al
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_18], ecx
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_1C]
		push	ecx
		mov	[ebp+var_14], edx
		lea	edx, [ebp+var_18]
		mov	[ebp+var_9], cl
		mov	[ebp+var_1C], ecx
		mov	ecx, ds:_ExCbProcessorAdd
		push	eax
		call	ExNotifyWithProcessing
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_KiDynamicProcessorAddNotification@24 endp


;  S U B	R O U T	I N E 


; __stdcall KiInitDynamicProcessorIpi(x, x, x, x)
_KiInitDynamicProcessorIpi@16 proc near	; DATA XREF: KiInitializeDynamicProcessorDpc(x,x,x,x)+85o
		call	_KiConfigureDynamicProcessor@0 ; KiConfigureDynamicProcessor()
		retn	10h
_KiInitDynamicProcessorIpi@16 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1128. KeDispatchSecondaryInterrupt

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeDispatchSecondaryInterrupt(x, x, x)
		public _KeDispatchSecondaryInterrupt@12
_KeDispatchSecondaryInterrupt@12 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		lea	eax, [esp+14h+var_8]
		shr	esi, 14h
		push	edi
		mov	[esp+18h+var_4], eax
		and	esi, 1
		mov	[esp+18h+var_8], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		mov	bl, al
		xor	al, al
		cmp	al, bl
		lea	eax, [esp+1Ch+var_8]
		sbb	edi, edi
		xor	ecx, ecx
		and	edi, eax
		inc	ecx
		push	edi
		push	esi
		call	_KiInterruptDispatchCommon@20 ;	KiInterruptDispatchCommon(x,x,x,x,x)
		mov	bh, al
		test	bl, bl
		jz	short loc_61D656
		mov	ecx, edi
		call	_KiInsertSecondarySignalList@4 ; KiInsertSecondarySignalList(x)

loc_61D656:				; CODE XREF: KeDispatchSecondaryInterrupt(x,x,x)+4Bj
		pop	edi
		pop	esi
		mov	al, bh
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_KeDispatchSecondaryInterrupt@12 endp


;  S U B	R O U T	I N E 


; __stdcall KiAcquireSecondaryPassiveConnectLock(x)
_KiAcquireSecondaryPassiveConnectLock@4	proc near
					; CODE XREF: KiConnectSecondaryInterrupt(x)+72p
					; KiDisconnectSecondaryInterrupt(x,x)+23p
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ecx+4]
		push	eax
		call	KeWaitForSingleObject
		retn
_KiAcquireSecondaryPassiveConnectLock@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiConnectSecondaryInterrupt(x)
_KiConnectSecondaryInterrupt@4 proc near ; CODE	XREF: KeConnectInterrupt:loc_5E2D70p

var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_KiSecondaryInterruptServicesEnabled, 0
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jnz	short loc_61D69D
		mov	eax, 0C0000001h
		jmp	loc_61D7BD
; 

loc_61D69D:				; CODE XREF: KiConnectSecondaryInterrupt(x)+12j
		mov	edx, [esi+2Ch]
		xor	bh, bh
		mov	cl, [esi+30h]
		xor	bl, bl
		mov	edi, [esi+34h]
		add	edx, 0FFFFFF00h
		mov	[ebp+var_2], bh
		mov	[ebp+var_1], bl
		cmp	edx, 0FFh
		ja	loc_61D7B8
		cmp	cl, 1Ah
		ja	loc_61D7B8
		cmp	edi, ds:_KeNumberProcessors
		jnb	loc_61D7B8
		mov	al, [esi+31h]
		cmp	al, cl
		jnb	short loc_61D6E6
		test	al, al
		jnz	loc_61D7B8

loc_61D6E6:				; CODE XREF: KiConnectSecondaryInterrupt(x)+5Dj
		imul	edi, edx, 1Ch
		add	edi, ds:_KiGlobalSecondaryIDT
		mov	ecx, edi
		call	_KiAcquireSecondaryPassiveConnectLock@4	; KiAcquireSecondaryPassiveConnectLock(x)
		mov	cl, 1Ah
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, edi
		mov	[ebp+var_3], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte ptr [esi+33h], 0
		jnz	short loc_61D76A
		mov	ebx, [edi+18h]
		test	ebx, ebx
		jnz	short loc_61D727
		lea	eax, [esi+4]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[edi+14h], bl
		mov	bl, 1
		mov	[edi+18h], esi
		jmp	short loc_61D763
; 

loc_61D727:				; CODE XREF: KiConnectSecondaryInterrupt(x)+94j
		cmp	byte ptr [esi+38h], 0
		jz	short loc_61D760
		cmp	byte ptr [ebx+38h], 0
		jz	short loc_61D760
		mov	eax, [ebx+40h]
		cmp	eax, [esi+40h]
		jnz	short loc_61D760
		mov	edx, esi
		mov	[ebp+var_1], 1
		mov	ecx, ebx
		mov	[ebp+var_2], 1
		call	_KiInsertInterruptObjectOrdered@8 ; KiInsertInterruptObjectOrdered(x,x)
		cmp	byte ptr [ebx+31h], 0
		jnz	short loc_61D760
		cmp	byte ptr [esi+31h], 0
		mov	bl, [ebp+var_1]
		jz	short loc_61D763
		mov	[edi+18h], esi
		jmp	short loc_61D763
; 

loc_61D760:				; CODE XREF: KiConnectSecondaryInterrupt(x)+ACj
					; KiConnectSecondaryInterrupt(x)+B2j ...
		mov	bl, [ebp+var_1]

loc_61D763:				; CODE XREF: KiConnectSecondaryInterrupt(x)+A6j
					; KiConnectSecondaryInterrupt(x)+DAj ...
		mov	bh, [ebp+var_2]
		mov	byte ptr [esi+33h], 1

loc_61D76A:				; CODE XREF: KiConnectSecondaryInterrupt(x)+8Dj
		test	ds:byte_70EFC6,	1
		jz	short loc_61D77F
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61D784
; 

loc_61D77F:				; CODE XREF: KiConnectSecondaryInterrupt(x)+F2j
		xor	eax, eax
		lock and [edi],	eax

loc_61D784:				; CODE XREF: KiConnectSecondaryInterrupt(x)+FEj
		mov	cl, [ebp+var_3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	0
		lea	eax, [edi+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, bl
		jz	short loc_61D7B8
		movzx	eax, bh
		neg	eax
		sbb	eax, eax
		and	eax, 127h
		jmp	short loc_61D7BD
; 

loc_61D7B8:				; CODE XREF: KiConnectSecondaryInterrupt(x)+3Dj
					; KiConnectSecondaryInterrupt(x)+46j ...
		mov	eax, 0C00000EFh

loc_61D7BD:				; CODE XREF: KiConnectSecondaryInterrupt(x)+19j
					; KiConnectSecondaryInterrupt(x)+137j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiConnectSecondaryInterrupt@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiDisconnectSecondaryInterrupt(x, x)
_KiDisconnectSecondaryInterrupt@8 proc near ; CODE XREF: KeDisconnectInterrupt+89542p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		xor	bl, bl
		mov	eax, [esi+2Ch]
		add	eax, 0FFFFFF00h
		imul	edi, eax, 1Ch
		add	edi, ds:_KiGlobalSecondaryIDT
		mov	ecx, edi
		call	_KiAcquireSecondaryPassiveConnectLock@4	; KiAcquireSecondaryPassiveConnectLock(x)
		mov	cl, 1Ah
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, edi
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	[esi+33h], bl
		jz	short loc_61D810
		mov	eax, [edi+18h]
		cmp	eax, esi
		jnz	short loc_61D810
		add	eax, 4
		cmp	[eax], eax
		jnz	short loc_61D810
		inc	bl

loc_61D810:				; CODE XREF: KiDisconnectSecondaryInterrupt(x,x)+3Cj
					; KiDisconnectSecondaryInterrupt(x,x)+43j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_61D825
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61D82A
; 

loc_61D825:				; CODE XREF: KiDisconnectSecondaryInterrupt(x,x)+55j
		xor	eax, eax
		lock and [edi],	eax

loc_61D82A:				; CODE XREF: KiDisconnectSecondaryInterrupt(x,x)+61j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		mov	ebx, [ebp+var_4]
		jz	short loc_61D840
		push	ebx
		call	ds:__imp__HalDisableInterrupt@4	; HalDisableInterrupt(x)

loc_61D840:				; CODE XREF: KiDisconnectSecondaryInterrupt(x,x)+75j
		xor	ecx, ecx
		mov	edx, esi
		push	ebx
		inc	ecx
		call	KiDisconnectInterruptCommon
		push	0
		push	0
		lea	ecx, [edi+4]
		mov	esi, eax
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_KiDisconnectSecondaryInterrupt@8 endp


;  S U B	R O U T	I N E 


; __stdcall KiDisconnectSecondaryInterruptInternal(x, x)
_KiDisconnectSecondaryInterruptInternal@8 proc near
					; CODE XREF: KiDisconnectInterruptCommon:loc_5DFC3Fp
					; KiProcessPendingDisconnect(x,x,x):loc_620F02p
		cmp	byte ptr [ecx+33h], 0
		mov	eax, 0C00000EFh
		jz	short locret_61D8D0
		mov	eax, [ecx+2Ch]
		sub	eax, 100h
		imul	edx, eax, 1Ch
		add	edx, ds:_KiGlobalSecondaryIDT
		mov	eax, [edx+18h]
		cmp	eax, ecx
		jnz	short loc_61D8A6
		add	eax, 4
		cmp	[eax], eax
		jnz	short loc_61D89D
		and	dword ptr [edx+18h], 0
		jmp	short loc_61D8A6
; 

loc_61D89D:				; CODE XREF: KiDisconnectSecondaryInterruptInternal(x,x)+28j
		mov	eax, [ecx+4]
		sub	eax, 4
		mov	[edx+18h], eax

loc_61D8A6:				; CODE XREF: KiDisconnectSecondaryInterruptInternal(x,x)+21j
					; KiDisconnectSecondaryInterruptInternal(x,x)+2Ej
		push	esi
		lea	eax, [ecx+4]
		push	edi
		mov	edi, [eax]
		cmp	[edi+4], eax
		jnz	short loc_61D8D1
		mov	esi, [eax+4]
		cmp	[esi], eax
		jnz	short loc_61D8D1
		mov	[esi], edi
		mov	[edi+4], esi
		mov	eax, [edx+18h]
		neg	eax
		mov	byte ptr [ecx+33h], 0
		pop	edi
		sbb	eax, eax
		and	eax, 128h
		pop	esi

locret_61D8D0:				; CODE XREF: KiDisconnectSecondaryInterruptInternal(x,x)+9j
		retn
; 

loc_61D8D1:				; CODE XREF: KiDisconnectSecondaryInterruptInternal(x,x)+43j
					; KiDisconnectSecondaryInterruptInternal(x,x)+4Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall KiInsertSecondarySignalList(x)
_KiInsertSecondarySignalList@4:		; CODE XREF: KeDispatchSecondaryInterrupt(x,x,x)+4Fp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		cmp	[esi], esi
		jz	loc_61D988
		push	ebx
		push	edi
		mov	cl, 1Ah
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edi, offset _KiSecondarySignalListLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_KiSecondarySignalList
		mov	eax, offset _KiSecondarySignalList
		mov	edx, ds:dword_6C75FC
		cmp	[ecx+4], eax
		jnz	short loc_61D983
		cmp	[edx], eax
		jnz	short loc_61D983
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_61D983
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_61D983
		mov	[edx], esi
		mov	eax, [esi+4]
		mov	ds:dword_6C75FC, eax
		mov	eax, [esi+4]
		mov	dword ptr [eax], offset	_KiSecondarySignalList
		cmp	ds:_KiSecondarySignalDpcRunning, 0
		mov	[esi+4], edx
		jnz	short loc_61D95D
		xor	eax, eax
		mov	ds:_KiSecondarySignalDpcRunning, 1
		push	eax
		push	eax
		push	eax
		xor	edx, edx
		mov	ecx, offset _KiSecondarySignalDpc
		call	KiInsertQueueDpc

loc_61D95D:				; CODE XREF: KiDisconnectSecondaryInterruptInternal(x,x)+D6j
		test	ds:byte_70EFC6,	1
		jz	short loc_61D972
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61D977
; 

loc_61D972:				; CODE XREF: KiDisconnectSecondaryInterruptInternal(x,x)+F7j
		xor	eax, eax
		lock and [edi],	eax

loc_61D977:				; CODE XREF: KiDisconnectSecondaryInterruptInternal(x,x)+103j
		pop	edi
		mov	cl, bl
		pop	ebx
		pop	esi
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_61D983:				; CODE XREF: KiDisconnectSecondaryInterruptInternal(x,x)+A5j
					; KiDisconnectSecondaryInterruptInternal(x,x)+A9j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_61D988:				; CODE XREF: KiDisconnectSecondaryInterruptInternal(x,x)+73j
		pop	esi
		pop	ebp
		retn
_KiDisconnectSecondaryInterruptInternal@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiMaskSecondaryInterruptInternal(x,	x)
_KiMaskSecondaryInterruptInternal@8 proc near ;	CODE XREF: KiIntSteerDisable+894D3p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		lea	esi, [ecx-100h]
		mov	[ebp+var_8], edx
		push	edi
		imul	edi, esi, 1Ch
		mov	cl, 1Ah
		xor	ebx, ebx
		add	edi, ds:_KiGlobalSecondaryIDT
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, edi
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		imul	edx, esi, 1Ch
		add	edx, ds:_KiGlobalSecondaryIDT
		cmp	[edx+14h], bl
		jnz	short loc_61D9D0
		mov	eax, [edx+18h]
		test	eax, eax
		jnz	short loc_61D9F7

loc_61D9D0:				; CODE XREF: KiMaskSecondaryInterruptInternal(x,x)+3Cj
		test	ds:byte_70EFC6,	1
		jz	short loc_61D9E5
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61D9EA
; 

loc_61D9E5:				; CODE XREF: KiMaskSecondaryInterruptInternal(x,x)+4Cj
		xor	eax, eax
		lock and [edi],	eax

loc_61D9EA:				; CODE XREF: KiMaskSecondaryInterruptInternal(x,x)+58j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		jmp	short loc_61DA47
; 

loc_61D9F7:				; CODE XREF: KiMaskSecondaryInterruptInternal(x,x)+43j
		lea	esi, [eax+4]
		mov	ecx, esi

loc_61D9FC:				; CODE XREF: KiMaskSecondaryInterruptInternal(x,x)+7Cj
		mov	eax, [ecx+38h]
		test	al, 1
		jz	short loc_61DA0F
		mov	ecx, [ecx]
		cmp	ecx, esi
		jnz	short loc_61D9FC
		mov	byte ptr [edx+14h], 1
		jmp	short loc_61DA14
; 

loc_61DA0F:				; CODE XREF: KiMaskSecondaryInterruptInternal(x,x)+76j
		mov	ebx, 128h

loc_61DA14:				; CODE XREF: KiMaskSecondaryInterruptInternal(x,x)+82j
		test	ds:byte_70EFC6,	1
		jz	short loc_61DA29
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61DA2E
; 

loc_61DA29:				; CODE XREF: KiMaskSecondaryInterruptInternal(x,x)+90j
		xor	eax, eax
		lock and [edi],	eax

loc_61DA2E:				; CODE XREF: KiMaskSecondaryInterruptInternal(x,x)+9Cj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jnz	short loc_61DA45
		push	ebx
		push	[ebp+var_8]
		call	ds:off_6B1300	; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)

loc_61DA45:				; CODE XREF: KiMaskSecondaryInterruptInternal(x,x)+AEj
		mov	eax, ebx

loc_61DA47:				; CODE XREF: KiMaskSecondaryInterruptInternal(x,x)+6Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiMaskSecondaryInterruptInternal@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiProcessSecondarySignalList(x, x, x, x)
_KiProcessSecondarySignalList@16 proc near
					; DATA XREF: KeInitializeSecondaryInterruptServices(x)+5Co

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		lea	eax, [esp+14h+var_8]
		mov	cl, 1Ah
		push	edi
		mov	[esp+18h+var_4], eax
		mov	[esp+18h+var_8], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	esi, offset _KiSecondarySignalListLock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, ds:_KiSecondarySignalList
		mov	edi, offset _KiSecondarySignalList
		cmp	edx, edi
		jz	short loc_61DAE9
		mov	eax, [esp+18h+var_8]
		lea	esi, [esp+18h+var_8]
		mov	ecx, [esp+18h+var_4]
		cmp	[eax+4], esi
		jnz	short loc_61DB05
		mov	eax, esi
		cmp	[ecx], eax
		jnz	short loc_61DB05
		cmp	[edx+4], edi
		jnz	short loc_61DB05
		mov	eax, ds:dword_6C75FC
		cmp	[eax], edi
		jnz	short loc_61DB05
		mov	[ecx], edi
		mov	edx, esi
		mov	eax, ds:dword_6C75FC
		mov	[esp+18h+var_4], eax
		mov	[eax], edx
		mov	eax, ds:_KiSecondarySignalList
		mov	ds:dword_6C75FC, ecx
		cmp	[eax+4], edi
		jnz	short loc_61DB05
		cmp	[ecx], edi
		jnz	short loc_61DB05
		mov	[ecx], eax
		mov	esi, offset _KiSecondarySignalListLock
		mov	[eax+4], ecx
		mov	ds:dword_6C75FC, edi
		mov	ds:_KiSecondarySignalList, edi

loc_61DAE9:				; CODE XREF: KiProcessSecondarySignalList(x,x,x,x)+3Dj
		test	ds:byte_70EFC6,	1
		mov	ds:_KiSecondarySignalDpcRunning, 0
		jz	short loc_61DB0A
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61DB0F
; 

loc_61DB05:				; CODE XREF: KiProcessSecondarySignalList(x,x,x,x)+4Ej
					; KiProcessSecondarySignalList(x,x,x,x)+54j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_61DB0A:				; CODE XREF: KiProcessSecondarySignalList(x,x,x,x)+ABj
		xor	eax, eax
		lock and [esi],	eax

loc_61DB0F:				; CODE XREF: KiProcessSecondarySignalList(x,x,x,x)+B7j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	ecx, [esp+18h+var_8]
		call	_KiProcessDisconnectList@4 ; KiProcessDisconnectList(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_KiProcessSecondarySignalList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiUnmaskSecondaryInterruptInternal(x, x)
_KiUnmaskSecondaryInterruptInternal@8 proc near	; CODE XREF: KeUnmaskInterrupt+889F9p
					; KeConnectInterrupt+84992p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		lea	esi, [ecx-100h]
		mov	[ebp+var_8], edx
		push	edi
		imul	edi, esi, 1Ch
		mov	cl, 1Ah
		xor	ebx, ebx
		add	edi, ds:_KiGlobalSecondaryIDT
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, edi
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		imul	ecx, esi, 1Ch
		add	ecx, ds:_KiGlobalSecondaryIDT
		cmp	[ecx+14h], bl
		jnz	short loc_61DB88
		test	ds:byte_70EFC6,	1
		jz	short loc_61DB7C
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61DB81
; 

loc_61DB7C:				; CODE XREF: KiUnmaskSecondaryInterruptInternal(x,x)+45j
		xor	eax, eax
		lock and [edi],	eax

loc_61DB81:				; CODE XREF: KiUnmaskSecondaryInterruptInternal(x,x)+51j
		mov	ebx, 128h
		jmp	short loc_61DBA9
; 

loc_61DB88:				; CODE XREF: KiUnmaskSecondaryInterruptInternal(x,x)+3Cj
		mov	eax, [ecx+18h]
		test	eax, eax
		jnz	short loc_61DBB4
		test	ds:byte_70EFC6,	1
		jz	short loc_61DBA4
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61DBA9
; 

loc_61DBA4:				; CODE XREF: KiUnmaskSecondaryInterruptInternal(x,x)+6Dj
		xor	eax, eax
		lock and [edi],	eax

loc_61DBA9:				; CODE XREF: KiUnmaskSecondaryInterruptInternal(x,x)+5Dj
					; KiUnmaskSecondaryInterruptInternal(x,x)+79j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_61DC04
; 

loc_61DBB4:				; CODE XREF: KiUnmaskSecondaryInterruptInternal(x,x)+64j
		lea	edx, [eax+4]
		mov	eax, edx

loc_61DBB9:				; CODE XREF: KiUnmaskSecondaryInterruptInternal(x,x)+A1j
		mov	esi, [eax+38h]
		shl	esi, 1Fh
		sar	esi, 1Fh
		test	esi, esi
		jz	short loc_61DBCE
		mov	eax, [eax]
		cmp	eax, edx
		jnz	short loc_61DBB9
		jmp	short loc_61DBD1
; 

loc_61DBCE:				; CODE XREF: KiUnmaskSecondaryInterruptInternal(x,x)+9Bj
		mov	[ecx+14h], bl

loc_61DBD1:				; CODE XREF: KiUnmaskSecondaryInterruptInternal(x,x)+A3j
		test	ds:byte_70EFC6,	1
		jz	short loc_61DBE6
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61DBEB
; 

loc_61DBE6:				; CODE XREF: KiUnmaskSecondaryInterruptInternal(x,x)+AFj
		xor	eax, eax
		lock and [edi],	eax

loc_61DBEB:				; CODE XREF: KiUnmaskSecondaryInterruptInternal(x,x)+BBj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	short loc_61DC04
		push	ebx
		push	[ebp+var_8]
		call	ds:off_6B1304	; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
		mov	ebx, eax

loc_61DC04:				; CODE XREF: KiUnmaskSecondaryInterruptInternal(x,x)+89j
					; KiUnmaskSecondaryInterruptInternal(x,x)+CDj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_KiUnmaskSecondaryInterruptInternal@8 endp

; 
		align 10h
; Exported entry 1143. KeFlushEntireTb

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeFlushEntireTb(x, x)
		public _KeFlushEntireTb@8
_KeFlushEntireTb@8 proc	near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, ds:_HvlEnlightenments
		push	ebx
		test	al, 4
		jz	short loc_61DC52
		test	al, 2
		jnz	short loc_61DC43
		test	eax, 800000h
		jz	short loc_61DC3A
		push	3
		pop	ecx
		call	_KiIsFlushEntire@4 ; KiIsFlushEntire(x)
		test	al, al
		jnz	short loc_61DC43

loc_61DC3A:				; CODE XREF: KeFlushEntireTb(x,x)+1Cj
		cmp	ds:_KeNumberProcessors,	1
		jz	short loc_61DC52

loc_61DC43:				; CODE XREF: KeFlushEntireTb(x,x)+15j
					; KeFlushEntireTb(x,x)+28j
		push	1
		push	1
		xor	edx, edx
		xor	ecx, ecx
		call	_KiFlushAddressSpaceTb@16 ; KiFlushAddressSpaceTb(x,x,x,x)
		jmp	short loc_61DC57
; 

loc_61DC52:				; CODE XREF: KeFlushEntireTb(x,x)+11j
					; KeFlushEntireTb(x,x)+31j
		call	_KxFlushEntireTb@4 ; KxFlushEntireTb(x)

loc_61DC57:				; CODE XREF: KeFlushEntireTb(x,x)+40j
		cmp	ds:_ExTbFlushActive, 0
		jz	short loc_61DC7D
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	3
		xor	edx, edx
		xor	ecx, ecx
		mov	bl, al
		call	_ExFlushTb@12	; ExFlushTb(x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_61DC7D:				; CODE XREF: KeFlushEntireTb(x,x)+4Ej
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_KeFlushEntireTb@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiFlushAddressSpaceTb(x, x,	x, x)
_KiFlushAddressSpaceTb@16 proc near	; CODE XREF: KeFlushTb+12A21Dp
					; KeFlushEntireTb(x,x)+3Bp

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		test	ecx, ecx
		jnz	short loc_61DCCB
		test	edx, edx
		jnz	short loc_61DCCB
		cmp	[ebp+arg_4], dl
		jz	short loc_61DCCB
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		mov	ecx, offset _KiTbFlushTimeStamp
		mov	bl, al
		call	_KxSetTimeStampBusy@4 ;	KxSetTimeStampBusy(x)
		test	al, al
		jz	short loc_61DCC1
		push	[ebp+arg_0]
		xor	edx, edx
		xor	ecx, ecx
		call	_HvlpSlowFlushAddressSpaceTb@12	; HvlpSlowFlushAddressSpaceTb(x,x,x)
		lock inc ds:_KiTbFlushTimeStamp

loc_61DCC1:				; CODE XREF: KiFlushAddressSpaceTb(x,x,x,x)+28j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_61DCD3
; 

loc_61DCCB:				; CODE XREF: KiFlushAddressSpaceTb(x,x,x,x)+9j
					; KiFlushAddressSpaceTb(x,x,x,x)+Dj ...
		push	[ebp+arg_0]
		call	_HvlpSlowFlushAddressSpaceTb@12	; HvlpSlowFlushAddressSpaceTb(x,x,x)

loc_61DCD3:				; CODE XREF: KiFlushAddressSpaceTb(x,x,x,x)+45j
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_KiFlushAddressSpaceTb@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiFlushAffinity(x)
_KiFlushAffinity@4 proc	near		; CODE XREF: KeFlushMultipleRangeTb+1BFp
					; KeStackAttachProcess+3EEp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	ecx, ecx
		jnz	short loc_61DCFD
		and	[ebp+var_4], ecx
		lea	eax, [ebp+var_4]
		lock or	[eax], ecx
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		add	eax, 58h
		leave
		retn
; 

loc_61DCFD:				; CODE XREF: KiFlushAffinity(x)+8j
		xor	eax, eax
		leave
		retn
_KiFlushAffinity@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiIsFlushEntire(x)
_KiIsFlushEntire@4 proc	near		; CODE XREF: KeFlushTb+12A196p
					; KiHypercallForLocalFlush+D83F2p ...
		cmp	ds:_KiFlushPcid, 0
		jnz	short loc_61DD22
		cmp	ds:_KiKvaShadow, 0
		jz	short loc_61DD25
		sub	ecx, 0
		jz	short loc_61DD22
		sub	ecx, 1
		jz	short loc_61DD2E
		sub	ecx, 1
		jnz	short loc_61DD2E

loc_61DD22:				; CODE XREF: KiIsFlushEntire(x)+7j
					; KiIsFlushEntire(x)+15j ...
		xor	al, al
		retn
; 

loc_61DD25:				; CODE XREF: KiIsFlushEntire(x)+10j
		test	ecx, ecx
		jz	short loc_61DD2E
		cmp	ecx, 2
		jle	short loc_61DD22

loc_61DD2E:				; CODE XREF: KiIsFlushEntire(x)+1Aj
					; KiIsFlushEntire(x)+1Fj ...
		mov	al, 1
		retn
_KiIsFlushEntire@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiPrepareFlushCurrentAffinity(x)
_KiPrepareFlushCurrentAffinity@4 proc near ; CODE XREF:	KeFlushCurrentTbOnly+D8417p
					; KeFlushSingleCurrentTb+8CB93p ...
		mov	eax, large fs:20h
		xor	edx, edx
		and	dword ptr [ecx+4], 0
		inc	edx
		mov	[ecx], dx
		mov	[ecx+2], dx
		and	dword ptr [ecx+8], 0
		mov	eax, [eax+3C8h]
		mov	[ecx+8], eax
		retn
_KiPrepareFlushCurrentAffinity@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiPrepareFlushParameters(x,	x, x)
_KiPrepareFlushParameters@12 proc near	; CODE XREF: KeFlushMultipleRangeTb+1ADp
					; KeStackAttachProcess+3D9p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		xor	edx, edx
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	ds:_KiKvaShadow, dl
		jz	short loc_61DD83
		sub	ecx, edx
		jz	short loc_61DD7B
		sub	ecx, 1
		jz	short loc_61DD77
		sub	ecx, 1
		jz	short loc_61DD7B

loc_61DD77:				; CODE XREF: KiPrepareFlushParameters(x,x,x)+1Dj
		mov	al, 1
		jmp	short loc_61DD7D
; 

loc_61DD7B:				; CODE XREF: KiPrepareFlushParameters(x,x,x)+18j
					; KiPrepareFlushParameters(x,x,x)+22j
		mov	al, dl

loc_61DD7D:				; CODE XREF: KiPrepareFlushParameters(x,x,x)+26j
		mov	[esi], edx
		mov	[edi], al
		jmp	short loc_61DDAF
; 

loc_61DD83:				; CODE XREF: KiPrepareFlushParameters(x,x,x)+14j
		sub	ecx, edx
		jz	short loc_61DDAA
		sub	ecx, 1
		jz	short loc_61DD95
		sub	ecx, 1
		jnz	short loc_61DDAA
		mov	[edi], dl
		jmp	short loc_61DDAD
; 

loc_61DD95:				; CODE XREF: KiPrepareFlushParameters(x,x,x)+37j
		mov	eax, large fs:124h
		mov	[edi], dl
		mov	eax, [eax+80h]
		mov	eax, [eax+18h]
		mov	[esi], eax
		jmp	short loc_61DDAF
; 

loc_61DDAA:				; CODE XREF: KiPrepareFlushParameters(x,x,x)+32j
					; KiPrepareFlushParameters(x,x,x)+3Cj
		mov	byte ptr [edi],	1

loc_61DDAD:				; CODE XREF: KiPrepareFlushParameters(x,x,x)+40j
		mov	[esi], edx

loc_61DDAF:				; CODE XREF: KiPrepareFlushParameters(x,x,x)+2Ej
					; KiPrepareFlushParameters(x,x,x)+55j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_KiPrepareFlushParameters@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1272. KeReportCacheIncoherentDevice

;  S U B	R O U T	I N E 


; __stdcall KeReportCacheIncoherentDevice()
		public _KeReportCacheIncoherentDevice@0
_KeReportCacheIncoherentDevice@0 proc near
		mov	ds:_KiSystemFullyCoherent, 0
		retn
_KeReportCacheIncoherentDevice@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1317. KeSystemFullyCacheCoherent

;  S U B	R O U T	I N E 


; __stdcall KeSystemFullyCacheCoherent()
		public _KeSystemFullyCacheCoherent@0
_KeSystemFullyCacheCoherent@0 proc near
		mov	eax, ds:_KiSystemFullyCoherent
		retn
_KeSystemFullyCacheCoherent@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiFlushRangeAllCaches(x, x,	x, x, x)
_KiFlushRangeAllCaches@20 proc near	; CODE XREF: KeFlushIoBuffers+D9D15p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_8], 0
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, edx
		jz	short loc_61DE0D
		cmp	[ebp+arg_4], 0
		jz	short loc_61DE0D
		mov	eax, ds:_KeLargestCacheLine
		dec	eax
		test	eax, edi
		jz	short loc_61DE03
		push	ecx
		push	edi
		push	4

loc_61DDF7:				; CODE XREF: KiFlushRangeAllCaches(x,x,x,x,x)+3Bj
		push	1Fh
		push	0E6h

loc_61DDFE:				; CODE XREF: KiFlushRangeAllCaches(x,x,x,x,x)+60j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_61DE03:				; CODE XREF: KiFlushRangeAllCaches(x,x,x,x,x)+21j
		test	eax, esi
		jz	short loc_61DE0D
		push	ecx
		push	esi
		push	5
		jmp	short loc_61DDF7
; 

loc_61DE0D:				; CODE XREF: KiFlushRangeAllCaches(x,x,x,x,x)+11j
					; KiFlushRangeAllCaches(x,x,x,x,x)+17j	...
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1Fh
		jnz	short loc_61DE32
		mov	eax, ds:_KiBugCheckActive
		test	al, 3
		jnz	short loc_61DE32
		push	0
		push	1
		push	0BADh
		push	86h
		push	55h
		jmp	short loc_61DDFE
; 

loc_61DE32:				; CODE XREF: KiFlushRangeAllCaches(x,x,x,x,x)+45j
					; KiFlushRangeAllCaches(x,x,x,x,x)+4Ej
		mov	edx, esi
		mov	ecx, edi
		call	@KeInvalidateRangeAllCaches@8 ;	KeInvalidateRangeAllCaches(x,x)
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	0Ch
_KiFlushRangeAllCaches@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeEnumerateProcessorDpcs(x,	x, x, x)
_KeEnumerateProcessorDpcs@16 proc near	; CODE XREF: DbgkpLkmdSnapGlobals(x)+72p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ds:_KiProcessorBlock[ecx*4]
		mov	cl, 1Fh
		push	edi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	2
		add	esi, 21E8h
		mov	[ebp+var_1], al
		pop	ebx
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], ebx

loc_61DE6E:				; CODE XREF: KeEnumerateProcessorDpcs(x,x,x,x)+87j
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edi, [esi-8]
		test	edi, edi
		jz	short loc_61DEA3
		mov	esi, [ebp+arg_0]
		lea	ebx, [esi+80h]

loc_61DE85:				; CODE XREF: KeEnumerateProcessorDpcs(x,x,x,x)+59j
		xor	ecx, ecx
		lea	eax, [edi-4]
		push	ecx
		push	ecx
		push	ecx
		push	20h
		push	eax
		push	ebx
		call	dword ptr [esi+0A8h]
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_61DE85
		mov	esi, [ebp+var_8]
		mov	ebx, [ebp+var_C]

loc_61DEA3:				; CODE XREF: KeEnumerateProcessorDpcs(x,x,x,x)+38j
		test	ds:byte_70EFC6,	1
		jz	short loc_61DEB8
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61DEBD
; 

loc_61DEB8:				; CODE XREF: KeEnumerateProcessorDpcs(x,x,x,x)+68j
		xor	eax, eax
		lock and [esi],	eax

loc_61DEBD:				; CODE XREF: KeEnumerateProcessorDpcs(x,x,x,x)+74j
		add	esi, 18h
		sub	ebx, 1
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], ebx
		jnz	short loc_61DE6E
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KeEnumerateProcessorDpcs@16 endp

; 
		align 10h
; Exported entry 1302. KeSetTargetProcessorDpc

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetTargetProcessorDpc(x, x)
		public _KeSetTargetProcessorDpc@8
_KeSetTargetProcessorDpc@8 proc	near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_6		= byte ptr  0Eh
arg_7		= byte ptr  0Fh

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_KeForceGroupAwareness, 0
		push	esi
		jz	short loc_61DEFC
		mov	ax, ds:_KiActiveGroups
		dec	ax
		movzx	esi, ax
		jmp	short loc_61DEFE
; 

loc_61DEFC:				; CODE XREF: KeSetTargetProcessorDpc(x,x)+Dj
		xor	esi, esi

loc_61DEFE:				; CODE XREF: KeSetTargetProcessorDpc(x,x)+1Aj
		push	esi
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	dl, [ebp+arg_4]
		movsx	ecx, dl
		cmp	ecx, eax
		jnb	short loc_61DF25
		lea	eax, [ebp+arg_4]
		mov	word ptr [ebp+arg_4], si
		push	eax
		push	[ebp+arg_0]
		mov	[ebp+arg_6], dl
		mov	[ebp+arg_7], 0
		call	_KeSetTargetProcessorDpcEx@8 ; KeSetTargetProcessorDpcEx(x,x)

loc_61DF25:				; CODE XREF: KeSetTargetProcessorDpc(x,x)+2Cj
		pop	esi
		pop	ebp
		retn	8
_KeSetTargetProcessorDpc@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1309. KeSignalCallDpcSynchronize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSignalCallDpcSynchronize(x)
		public _KeSignalCallDpcSynchronize@4
_KeSignalCallDpcSynchronize@4 proc near	; CODE XREF: KiInitializeDynamicProcessorDpc(x,x,x,x)+Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		dec	eax
		mov	esi, eax
		mov	ecx, 80000000h
		not	esi
		xor	ebx, ebx
		and	esi, ecx
		test	eax, 7FFFFFFFh
		jnz	short loc_61DF60
		mov	eax, [edi+4]
		or	eax, esi
		inc	ebx
		mov	[edi], eax
		jmp	short loc_61DF7F
; 

loc_61DF60:				; CODE XREF: KeSignalCallDpcSynchronize(x)+25j
		mov	eax, [edi]
		and	eax, ecx
		mov	[ebp+arg_0], ebx
		cmp	eax, esi
		jz	short loc_61DF7F

loc_61DF6B:				; CODE XREF: KeSignalCallDpcSynchronize(x)+4Ej
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	ecx, [edi]
		and	ecx, 80000000h
		cmp	ecx, esi
		jnz	short loc_61DF6B

loc_61DF7F:				; CODE XREF: KeSignalCallDpcSynchronize(x)+2Fj
					; KeSignalCallDpcSynchronize(x)+3Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	4
_KeSignalCallDpcSynchronize@4 endp


;  S U B	R O U T	I N E 


; __fastcall KiRestoreThreadIptState(x)
@KiRestoreThreadIptState@4 proc	near	; CODE XREF: _SwapContext_RestoreIpt+12p
					; _EnlightenedSwapContext_RestoreIpt+12p
		mov	eax, [ecx+238h]
		and	eax, 100h
		or	eax, 0
		jz	_KiInitIptState@0 ; KiInitIptState()
		mov	ecx, [ecx+4Ch]
		add	ecx, ds:_KeXStateLength
		jmp	_KiRestoreIptState@4 ; KiRestoreIptState(x)
@KiRestoreThreadIptState@4 endp


;  S U B	R O U T	I N E 


; __fastcall KiSaveThreadIptState(x)
@KiSaveThreadIptState@4	proc near	; CODE XREF: _SwapContext_SaveIpt+12p
					; _EnlightenedSwapContext_SaveIpt+12p
		mov	ecx, [ecx+4Ch]
		add	ecx, ds:_KeXStateLength
		jmp	_KiSaveIptState@4 ; KiSaveIptState(x)
@KiSaveThreadIptState@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAllocateXStateContext(x, x, x)
_KeAllocateXStateContext@12 proc near	; CODE XREF: ViCtxAllocateXStateContexts(x)+Ep
					; ViCtxAllocateXStateContexts(x)+25p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, 240h
		push	edi
		mov	edi, ecx
		cmp	esi, eax
		jnb	short loc_61DFCF
		mov	esi, eax

loc_61DFCF:				; CODE XREF: KeAllocateXStateContext(x,x,x)+13j
		push	76615358h
		lea	eax, [esi+3Fh]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+18h], eax
		test	eax, eax
		jnz	short loc_61DFF0
		mov	eax, 0C0000017h
		jmp	short loc_61E010
; 

loc_61DFF0:				; CODE XREF: KeAllocateXStateContext(x,x,x)+2Fj
		add	eax, 3Fh
		mov	[edi+8], esi
		and	eax, 0FFFFFFC0h
		push	40h		; size_t
		mov	[edi+10h], eax
		add	eax, 200h
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax

loc_61E010:				; CODE XREF: KeAllocateXStateContext(x,x,x)+36j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_KeAllocateXStateContext@12 endp


;  S U B	R O U T	I N E 


; __stdcall KeFreeXStateContext(x)
_KeFreeXStateContext@4 proc near	; CODE XREF: ViCtxAllocateXStateContexts(x)+31p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_61E041
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_61E041
		push	76615358h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[esi], eax
		mov	[esi+4], eax
		mov	[esi+8], eax
		mov	[esi+18h], eax
		mov	[esi+10h], eax

loc_61E041:				; CODE XREF: KeFreeXStateContext(x)+7j
					; KeFreeXStateContext(x)+Ej
		pop	esi
		retn
_KeFreeXStateContext@4 endp


;  S U B	R O U T	I N E 


; __stdcall KeGetSupervisorStateExtensionHost()
_KeGetSupervisorStateExtensionHost@0 proc near
					; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x):loc_960689p
		mov	eax, ds:_KiSupervisorStateExtensionHost
		retn
_KeGetSupervisorStateExtensionHost@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1160. KeGetXSaveFeatureFlags

;  S U B	R O U T	I N E 


; __stdcall KeGetXSaveFeatureFlags()
		public _KeGetXSaveFeatureFlags@0
_KeGetXSaveFeatureFlags@0 proc near
		mov	eax, ds:0FFDF03D8h
		xor	edx, edx
		or	eax, ds:0FFDF03DCh
		jz	short loc_61E073
		mov	ecx, ds:0FFDF03ECh
		mov	edx, ecx
		and	edx, 1
		shl	edx, 3
		test	cl, 2
		jz	short loc_61E073
		or	edx, 10h

loc_61E073:				; CODE XREF: KeGetXSaveFeatureFlags()+Dj
					; KeGetXSaveFeatureFlags()+20j
		mov	eax, edx
		retn
_KeGetXSaveFeatureFlags@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRestoreSupervisorState(x,	x, x)
_KeRestoreSupervisorState@12 proc near	; CODE XREF: KiFreezeTargetExecution(x,x)+1B8p
					; IopLiveDumpProcessCorralStateChange(x,x)+8Dp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_61E0ED
		mov	eax, [ebp+arg_0]
		and	eax, 100h
		or	eax, 0
		push	ebx
		jz	short loc_61E094
		mov	bl, 1
		jmp	short loc_61E096
; 

loc_61E094:				; CODE XREF: KeRestoreSupervisorState(x,x,x)+18j
		xor	bl, bl

loc_61E096:				; CODE XREF: KeRestoreSupervisorState(x,x,x)+1Cj
		mov	eax, ds:_KeFeatureBits
		and	eax, 400000h
		or	eax, 0
		jz	short loc_61E0CA
		mov	ecx, ds:0FFDF05F0h
		mov	eax, ecx
		mov	edx, ds:0FFDF05F4h
		or	eax, edx
		jz	short loc_61E0CA
		and	edx, [ebp+arg_4]
		and	ecx, [ebp+arg_0]
		push	edx
		push	ecx
		lea	ecx, [esi-200h]
		call	_RtlXRestoreS@12 ; RtlXRestoreS(x,x,x)

loc_61E0CA:				; CODE XREF: KeRestoreSupervisorState(x,x,x)+2Dj
					; KeRestoreSupervisorState(x,x,x)+3Fj
		cmp	ds:_KiIptMsrMask, 0
		jz	short loc_61E0EC
		test	bl, bl
		jz	short loc_61E0EC
		mov	eax, ds:0FFDF0600h
		sub	eax, ds:0FFDF03E8h
		lea	ecx, [eax+40h]
		add	ecx, esi
		call	_KiRestoreIptState@4 ; KiRestoreIptState(x)

loc_61E0EC:				; CODE XREF: KeRestoreSupervisorState(x,x,x)+5Bj
					; KeRestoreSupervisorState(x,x,x)+5Fj
		pop	ebx

loc_61E0ED:				; CODE XREF: KeRestoreSupervisorState(x,x,x)+Aj
		pop	esi
		pop	ebp
		retn	8
_KeRestoreSupervisorState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSaveSupervisorState(x, x,	x)
_KeSaveSupervisorState@12 proc near	; CODE XREF: KiFreezeTargetExecution(x,x)+92p
					; KeBugCheck2(x,x,x,x,x,x)+16Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_61E168
		cmp	ds:_KiIptMsrMask, 0
		push	edi
		mov	edi, [ebp+arg_0]
		jz	short loc_61E12C
		mov	eax, edi
		and	eax, 100h
		or	eax, 0
		jz	short loc_61E12C
		mov	eax, ds:0FFDF0600h
		sub	eax, ds:0FFDF03E8h
		lea	ecx, [eax+40h]
		add	ecx, esi
		call	_KiSaveIptState@4 ; KiSaveIptState(x)

loc_61E12C:				; CODE XREF: KeSaveSupervisorState(x,x,x)+17j
					; KeSaveSupervisorState(x,x,x)+23j
		mov	eax, ds:_KeFeatureBits
		and	eax, 400000h
		or	eax, 0
		jz	short loc_61E167
		mov	ecx, ds:0FFDF05F0h
		mov	eax, ecx
		mov	edx, ds:0FFDF05F4h
		or	eax, edx
		jz	short loc_61E167
		mov	eax, [ebp+arg_4]
		and	edi, ecx
		and	eax, edx
		mov	[esi+8], edi
		push	eax
		push	edi
		lea	ecx, [esi-200h]
		mov	[esi+0Ch], eax
		call	_RtlXSaveS@12	; RtlXSaveS(x,x,x)

loc_61E167:				; CODE XREF: KeSaveSupervisorState(x,x,x)+47j
					; KeSaveSupervisorState(x,x,x)+59j
		pop	edi

loc_61E168:				; CODE XREF: KeSaveSupervisorState(x,x,x)+Aj
		pop	esi
		pop	ebp
		retn	8
_KeSaveSupervisorState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGetSavedIptState(x, x, x)
_KiGetSavedIptState@12 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		test	esi, esi
		jz	short loc_61E1E1
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	short loc_61E1E1
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_0]
		call	_KiGetSavedSupervisorState@8 ; KiGetSavedSupervisorState(x,x)
		test	eax, eax
		js	short loc_61E1E6
		call	_KiXSavesManagesIpt@0 ;	KiXSavesManagesIpt()
		test	al, al
		jz	short loc_61E1AF
		push	edi
		push	8
		push	[ebp+var_4]
		call	_RtlLocateSupervisorFeature@12 ; RtlLocateSupervisorFeature(x,x,x)
		mov	[esi], eax
		jmp	short loc_61E1DD
; 

loc_61E1AF:				; CODE XREF: KiGetSavedIptState(x,x,x)+31j
		cmp	ds:_KiIptMsrMask, 0
		jz	short loc_61E1D7
		mov	ecx, ds:0FFDF0600h
		sub	ecx, ds:0FFDF03E8h
		mov	eax, [ebp+var_4]
		add	eax, 40h
		add	eax, ecx
		mov	[esi], eax
		mov	eax, ds:_KiIptSaveAreaLength
		mov	[edi], eax
		jmp	short loc_61E1DD
; 

loc_61E1D7:				; CODE XREF: KiGetSavedIptState(x,x,x)+49j
		and	dword ptr [esi], 0
		and	dword ptr [edi], 0

loc_61E1DD:				; CODE XREF: KiGetSavedIptState(x,x,x)+40j
					; KiGetSavedIptState(x,x,x)+68j
		xor	eax, eax
		jmp	short loc_61E1E6
; 

loc_61E1E1:				; CODE XREF: KiGetSavedIptState(x,x,x)+11j
					; KiGetSavedIptState(x,x,x)+18j
		mov	eax, 0C000000Dh

loc_61E1E6:				; CODE XREF: KiGetSavedIptState(x,x,x)+28j
					; KiGetSavedIptState(x,x,x)+72j
		pop	edi
		pop	esi
		leave
		retn	0Ch
_KiGetSavedIptState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGetSavedSupervisorState(x, x)
_KiGetSavedSupervisorState@8 proc near	; CODE XREF: KiGetSavedIptState(x,x,x)+21p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jb	short loc_61E23B
		cmp	al, 1Fh
		jnb	short loc_61E208
		cmp	ds:_PoAllProcIntrDisabled, 0
		jz	short loc_61E23B

loc_61E208:				; CODE XREF: KiGetSavedSupervisorState(x,x)+11j
		mov	eax, [ebp+arg_0]
		cmp	eax, ds:_KeNumberProcessors
		jb	short loc_61E21A
		mov	eax, 0C000000Dh
		jmp	short loc_61E240
; 

loc_61E21A:				; CODE XREF: KiGetSavedSupervisorState(x,x)+25j
		lfence	eax
		mov	eax, ds:_KiProcessorBlock[eax*4]
		test	eax, eax
		jz	short loc_61E23B
		mov	ecx, [eax+47B8h]
		test	ecx, ecx
		jz	short loc_61E23B
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		xor	eax, eax
		jmp	short loc_61E240
; 

loc_61E23B:				; CODE XREF: KiGetSavedSupervisorState(x,x)+Dj
					; KiGetSavedSupervisorState(x,x)+1Aj ...
		mov	eax, 0C0000001h

loc_61E240:				; CODE XREF: KiGetSavedSupervisorState(x,x)+2Cj
					; KiGetSavedSupervisorState(x,x)+4Dj
		pop	ebp
		retn	8
_KiGetSavedSupervisorState@8 endp


;  S U B	R O U T	I N E 


; __stdcall KiInitIptState()
_KiInitIptState@0 proc near		; CODE XREF: KiRestoreThreadIptState(x)+Ej
		xor	eax, eax
		xor	edx, edx
		mov	ecx, 570h
		wrmsr
		test	byte ptr ds:_KiIptMsrMask, 2
		jz	short loc_61E25D
		add	ecx, 0FFFFFFF0h
		wrmsr

loc_61E25D:				; CODE XREF: KiInitIptState()+12j
		test	byte ptr ds:_KiIptMsrMask, 4
		jz	short loc_61E271
		xor	eax, eax
		mov	ecx, 561h
		xor	edx, edx
		wrmsr

loc_61E271:				; CODE XREF: KiInitIptState()+20j
		xor	eax, eax
		xor	edx, edx
		mov	ecx, 571h
		wrmsr
		test	byte ptr ds:_KiIptMsrMask, 10h
		jz	short loc_61E288
		inc	ecx
		wrmsr

loc_61E288:				; CODE XREF: KiInitIptState()+3Fj
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, 581h

loc_61E291:				; CODE XREF: KiInitIptState()+71j
		mov	ecx, offset _KiIptMsrMask
		lea	eax, [edi+5]
		bt	[ecx], eax
		jnb	short loc_61E2B7
		xor	eax, eax
		lea	ecx, [esi-1]
		xor	edx, edx
		inc	edi
		wrmsr
		mov	ecx, esi
		add	esi, 2
		wrmsr
		cmp	esi, 589h
		jb	short loc_61E291

loc_61E2B7:				; CODE XREF: KiInitIptState()+58j
		pop	edi
		pop	esi
		retn
_KiInitIptState@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIpiUpdateExtendedSupervisorState(x)
_KiIpiUpdateExtendedSupervisorState@4 proc near
					; DATA XREF: KiUpdateSavedSupervisorState()+D3o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, large fs:20h
		mov	eax, [ebp+arg_0]
		mov	edx, [ecx+3CCh]
		cmp	edx, [eax+4]
		jnb	short loc_61E2EE
		cmp	dword ptr [ecx+47B8h], 0
		jnz	short loc_61E2EE
		mov	eax, [eax]
		mov	eax, [eax+edx*4]
		add	eax, 3Fh
		and	eax, 0FFFFFFC0h
		mov	[ecx+47B8h], eax

loc_61E2EE:				; CODE XREF: KiIpiUpdateExtendedSupervisorState(x)+18j
					; KiIpiUpdateExtendedSupervisorState(x)+21j
		xor	eax, eax
		pop	ebp
		retn	4
_KiIpiUpdateExtendedSupervisorState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiRestoreIptState(x)
_KiRestoreIptState@4 proc near		; CODE XREF: KeRestoreIptStateAfterProcessorComesOnline+8CB2Cj
					; KiRestoreThreadIptState(x)+1Dj ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	ds:_KiXSaveAreaLength, 0
		push	esi
		mov	esi, ecx
		jz	loc_61E3B2
		mov	eax, [esi]
		push	ebx
		push	edi
		push	8
		mov	[ebp+var_4], eax
		mov	eax, [esi+4]
		pop	ebx
		add	esi, ebx
		mov	[ebp+var_8], eax
		test	byte ptr ds:_KiIptMsrMask, 2
		jz	short loc_61E334
		mov	eax, [esi]
		mov	ecx, 560h
		mov	edx, [esi+4]
		add	esi, ebx
		wrmsr

loc_61E334:				; CODE XREF: KiRestoreIptState(x)+30j
		test	byte ptr ds:_KiIptMsrMask, 4
		jz	short loc_61E34B
		mov	eax, [esi]
		mov	ecx, 561h
		mov	edx, [esi+4]
		add	esi, ebx
		wrmsr

loc_61E34B:				; CODE XREF: KiRestoreIptState(x)+47j
		mov	eax, [esi]
		mov	ecx, 571h
		mov	edx, [esi+4]
		add	esi, ebx
		wrmsr
		test	byte ptr ds:_KiIptMsrMask, 10h
		jz	short loc_61E36C
		mov	eax, [esi]
		inc	ecx
		mov	edx, [esi+4]
		add	esi, ebx
		wrmsr

loc_61E36C:				; CODE XREF: KiRestoreIptState(x)+6Cj
		xor	ebx, ebx
		mov	edi, 581h

loc_61E373:				; CODE XREF: KiRestoreIptState(x)+ADj
		mov	ecx, offset _KiIptMsrMask
		lea	eax, [ebx+5]
		bt	[ecx], eax
		jnb	short loc_61E3A3
		mov	eax, [esi]
		lea	ecx, [edi-1]
		mov	edx, [esi+4]
		wrmsr
		mov	eax, [esi+8]
		mov	ecx, edi
		mov	edx, [esi+0Ch]
		add	edi, 2
		add	esi, 10h
		inc	ebx
		wrmsr
		cmp	edi, 589h
		jb	short loc_61E373

loc_61E3A3:				; CODE XREF: KiRestoreIptState(x)+8Aj
		mov	eax, [ebp+var_4]
		mov	ecx, 570h
		mov	edx, [ebp+var_8]
		pop	edi
		wrmsr
		pop	ebx

loc_61E3B2:				; CODE XREF: KiRestoreIptState(x)+11j
		pop	esi
		leave
		retn
_KiRestoreIptState@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiSaveIptState(x)
_KiSaveIptState@4 proc near		; CODE XREF: KeSaveIptStateBeforeProcessorGoesOffline+8BE31j
					; KiSaveThreadIptState(x)+9j ...
		cmp	ds:_KiXSaveAreaLength, 0
		push	edi
		mov	edi, ecx
		jz	loc_61E473
		push	ebx
		mov	ecx, 570h
		xor	ebx, ebx
		rdmsr
		push	esi
		mov	esi, eax
		mov	[edi], eax
		mov	[edi+4], edx
		and	esi, 1
		add	edi, 8
		or	esi, ebx
		jz	short loc_61E3E9
		add	eax, 0FFFFFFFFh
		adc	edx, 0FFFFFFFFh
		wrmsr

loc_61E3E9:				; CODE XREF: KiSaveIptState(x)+2Aj
		test	byte ptr ds:_KiIptMsrMask, 2
		jz	short loc_61E401
		mov	ecx, 560h
		rdmsr
		mov	[edi], eax
		mov	[edi+4], edx
		add	edi, 8

loc_61E401:				; CODE XREF: KiSaveIptState(x)+3Bj
		test	byte ptr ds:_KiIptMsrMask, 4
		jz	short loc_61E419
		mov	ecx, 561h
		rdmsr
		mov	[edi], eax
		mov	[edi+4], edx
		add	edi, 8

loc_61E419:				; CODE XREF: KiSaveIptState(x)+53j
		mov	ecx, 571h
		rdmsr
		mov	[edi], eax
		mov	[edi+4], edx
		add	edi, 8
		test	byte ptr ds:_KiIptMsrMask, 10h
		jz	short loc_61E43C
		inc	ecx
		rdmsr
		mov	[edi], eax
		mov	[edi+4], edx
		add	edi, 8

loc_61E43C:				; CODE XREF: KiSaveIptState(x)+7Aj
		mov	esi, 581h

loc_61E441:				; CODE XREF: KiSaveIptState(x)+BAj
		mov	ecx, offset _KiIptMsrMask
		lea	eax, [ebx+5]
		bt	[ecx], eax
		jnb	short loc_61E471
		lea	ecx, [esi-1]
		rdmsr
		mov	[edi], eax
		mov	ecx, esi
		mov	[edi+4], edx
		add	esi, 2
		rdmsr
		mov	[edi+8], eax
		mov	[edi+0Ch], edx
		add	edi, 10h
		inc	ebx
		cmp	esi, 589h
		jb	short loc_61E441

loc_61E471:				; CODE XREF: KiSaveIptState(x)+97j
		pop	esi
		pop	ebx

loc_61E473:				; CODE XREF: KiSaveIptState(x)+Aj
		pop	edi
		retn
_KiSaveIptState@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiXSavesManagesIpt()
_KiXSavesManagesIpt@0 proc near		; CODE XREF: KiGetSavedIptState(x,x,x)+2Ap
					; KiQueryIptSupport(x,x)+13p
		mov	eax, ds:_KeFeatureBits
		and	eax, 400000h
		or	eax, 0
		jz	short loc_61E496
		mov	eax, ds:0FFDF05F0h
		and	eax, 100h
		or	eax, 0
		jz	short loc_61E496
		mov	al, 1
		retn
; 

loc_61E496:				; CODE XREF: KiXSavesManagesIpt()+Dj
					; KiXSavesManagesIpt()+1Cj
		xor	al, al
		retn
_KiXSavesManagesIpt@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeEnumerateQueueApc(x, x, x, x)
_KeEnumerateQueueApc@16	proc near	; CODE XREF: DbgkpLkmdSnapThread(x,x,x,x)+10p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_C], 0
		lea	ebx, [esi+2Ch]
		mov	[ebp+var_1], al
		mov	[ebp+var_10], ebx

loc_61E4B9:				; CODE XREF: KeEnumerateQueueApc(x,x,x,x)+35j
		lock bts dword ptr [ebx], 0
		jnb	short loc_61E4D0

loc_61E4C0:				; CODE XREF: KeEnumerateQueueApc(x,x,x,x)+33j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_61E4C0
		jmp	short loc_61E4B9
; 

loc_61E4D0:				; CODE XREF: KeEnumerateQueueApc(x,x,x,x)+25j
		mov	ebx, [ebp+arg_0]
		add	esi, 70h
		push	2
		pop	eax
		mov	[ebp+var_8], eax

loc_61E4DC:				; CODE XREF: KeEnumerateQueueApc(x,x,x,x)+79j
		mov	edi, [esi]
		cmp	edi, esi
		jz	short loc_61E509
		lea	ecx, [ebx+80h]

loc_61E4E8:				; CODE XREF: KeEnumerateQueueApc(x,x,x,x)+6Bj
		xor	edx, edx
		lea	eax, [edi-0Ch]
		push	edx
		push	edx
		push	edx
		push	30h
		push	eax
		push	ecx
		call	dword ptr [ebx+0A8h]
		mov	edi, [edi]
		lea	ecx, [ebx+80h]
		cmp	edi, esi
		jnz	short loc_61E4E8
		mov	eax, [ebp+var_8]

loc_61E509:				; CODE XREF: KeEnumerateQueueApc(x,x,x,x)+47j
		add	esi, 8
		sub	eax, 1
		mov	[ebp+var_8], eax
		jnz	short loc_61E4DC
		mov	ebx, [ebp+var_10]
		mov	cl, [ebp+var_1]
		mov	dword ptr [ebx], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KeEnumerateQueueApc@16	endp


;  S U B	R O U T	I N E 


; __stdcall KeIsApcRunningThread(x)
_KeIsApcRunningThread@4	proc near	; CODE XREF: VerifierKeIsApcRunningThread(x)+8p
		movzx	eax, byte ptr [ecx+84h]
		retn
_KeIsApcRunningThread@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeTryToInsertQueueApc(x, x,	x)
_KeTryToInsertQueueApc@12 proc near	; CODE XREF: EtwpQueueStackWalkApc(x,x,x,x)+E6p
					; EtwpCovSampCaptureQueueApc(x)+E5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		push	edi
		mov	byte ptr [ebp+var_1], 0
		mov	edi, [esi+8]
		mov	ecx, edi
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		test	al, al
		jz	short loc_61E5CB
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jnz	short loc_61E565
		mov	byte ptr [ebp+var_5], 1Fh
		jmp	short loc_61E56E
; 

loc_61E565:				; CODE XREF: KeTryToInsertQueueApc(x,x,x)+28j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	byte ptr [ebp+var_5], al

loc_61E56E:				; CODE XREF: KeTryToInsertQueueApc(x,x,x)+2Ej
		mov	eax, large fs:20h
		lea	edx, [ebp+var_1]
		mov	ecx, edi
		mov	[ebp+var_10], eax
		call	_KiTryToAcquireThreadLock@8 ; KiTryToAcquireThreadLock(x,x)
		test	al, al
		jz	short loc_61E5CB
		test	dword ptr [edi+58h], 4000h
		push	ebx
		jz	short loc_61E5BD
		cmp	byte ptr [esi+2Eh], 0
		jnz	short loc_61E5BD
		mov	eax, [ebp+var_C]
		xor	ebx, ebx
		mov	[esi+24h], eax
		inc	ebx
		mov	eax, [ebp+arg_0]
		mov	ecx, esi
		mov	[esi+2Eh], bl
		mov	[esi+28h], eax
		call	KiInsertQueueApc
		push	[ebp+var_5]
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		call	_KiSignalThreadForApc@12 ; KiSignalThreadForApc(x,x,x)
		jmp	short loc_61E5BF
; 

loc_61E5BD:				; CODE XREF: KeTryToInsertQueueApc(x,x,x)+58j
					; KeTryToInsertQueueApc(x,x,x)+5Ej
		xor	bl, bl

loc_61E5BF:				; CODE XREF: KeTryToInsertQueueApc(x,x,x)+86j
		mov	al, bl
		mov	dword ptr [edi+2Ch], 0
		pop	ebx
		jmp	short loc_61E5CD
; 

loc_61E5CB:				; CODE XREF: KeTryToInsertQueueApc(x,x,x)+1Fj
					; KeTryToInsertQueueApc(x,x,x)+4Ej
		xor	al, al

loc_61E5CD:				; CODE XREF: KeTryToInsertQueueApc(x,x,x)+94j
		pop	edi
		pop	esi
		leave
		retn	4
_KeTryToInsertQueueApc@12 endp

; 
		align 8
; Exported entry 1184. KeInsertByKeyDeviceQueue

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInsertByKeyDeviceQueue(x,	x, x)
		public _KeInsertByKeyDeviceQueue@12
_KeInsertByKeyDeviceQueue@12 proc near	; CODE XREF: IoStartPacket+81FB8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	bl, bl
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		mov	[esi+8], eax
		lea	ecx, [edi+0Ch]
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jz	short loc_61E60F
		lea	edx, [ebp+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		jmp	short loc_61E63C
; 

loc_61E60F:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+2Bj
		and	[ebp+var_C], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_8], ecx
		jz	short loc_61E62B
		mov	edx, ecx
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_61E63C
; 

loc_61E62B:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+45j
		lea	edx, [ebp+var_C]
		xchg	edx, [ecx]
		test	edx, edx
		jz	short loc_61E63C
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_61E63C:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+35j
					; KeInsertByKeyDeviceQueue(x,x,x)+51j ...
		mov	al, [edi+10h]
		xor	edx, edx
		inc	edx
		mov	[edi+10h], dl
		cmp	al, dl
		jnz	short loc_61E67D
		lea	ecx, [edi+4]
		cmp	[ecx], ecx
		jz	short loc_61E665
		mov	eax, [ecx+4]
		mov	edx, [ebp+arg_8]
		cmp	edx, [eax+8]
		jnb	short loc_61E662

loc_61E65B:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+88j
		mov	ecx, [ecx]
		cmp	edx, [ecx+8]
		jnb	short loc_61E65B

loc_61E662:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+81j
		xor	edx, edx
		inc	edx

loc_61E665:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+76j
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jz	short loc_61E671
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_61E671:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+92j
		mov	[esi], ecx
		mov	bl, dl
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ecx+4], esi

loc_61E67D:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+6Fj
		mov	[esi+0Ch], bl
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jz	short loc_61E6D8
		test	ds:byte_70EFC6,	dl
		jz	short loc_61E69E
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_61E6CD
; 

loc_61E69E:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+B7j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_61E6C0
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_61E6CD
		call	KxWaitForLockChainValid
		xor	edx, edx
		inc	edx

loc_61E6C0:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+CBj
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	edx

loc_61E6CD:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+C4j
					; KeInsertByKeyDeviceQueue(x,x,x)+DEj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_61E71C
; 

loc_61E6D8:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+AFj
		test	ds:byte_70EFC6,	dl
		jz	short loc_61E6ED
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_61E71C
; 

loc_61E6ED:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+106j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_61E70F
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_61E71C
		call	KxWaitForLockChainValid
		xor	edx, edx
		inc	edx

loc_61E70F:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+11Aj
		mov	[ebp+var_C], 0
		lea	ecx, [eax+4]
		lock xor [ecx],	edx

loc_61E71C:				; CODE XREF: KeInsertByKeyDeviceQueue(x,x,x)+FEj
					; KeInsertByKeyDeviceQueue(x,x,x)+113j	...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	0Ch
_KeInsertByKeyDeviceQueue@12 endp

; 
		align 4
		db 2 dup(0CCh)
; 
; Exported entry 1260. KeRemoveByKeyDeviceQueue

; __stdcall KeRemoveByKeyDeviceQueue(x,	x)
		public _KeRemoveByKeyDeviceQueue@8
_KeRemoveByKeyDeviceQueue@8:		; CODE XREF: IopStartNextPacketByKey(x,x,x)+2Ep
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp-0Ch]
		xor	ebx, ebx
		stosd
		mov	esi, ebx
		stosd
		stosd
		mov	edi, [ebp+8]
		lea	ecx, [edi+0Ch]
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jz	short loc_61E75A
		lea	edx, [ebp-0Ch]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		jmp	short loc_61E786
; 

loc_61E75A:				; CODE XREF: .text:0061E74Ej
		test	ds:byte_70EFC6,	21h
		mov	[ebp-8], ecx
		mov	[ebp-0Ch], ebx
		jz	short loc_61E775
		mov	edx, ecx
		lea	ecx, [ebp-0Ch]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_61E786
; 

loc_61E775:				; CODE XREF: .text:0061E767j
		lea	edx, [ebp-0Ch]
		xchg	edx, [ecx]
		test	edx, edx
		jz	short loc_61E786
		lea	ecx, [ebp-0Ch]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_61E786:				; CODE XREF: .text:0061E758j
					; .text:0061E773j ...
		lea	eax, [edi+4]
		mov	ecx, [eax]
		cmp	ecx, eax
		jnz	short loc_61E794
		mov	[edi+10h], bl
		jmp	short loc_61E7CC
; 

loc_61E794:				; CODE XREF: .text:0061E78Dj
		mov	eax, [eax+4]
		mov	esi, ecx
		mov	ecx, [ebp+0Ch]
		cmp	[eax+8], ecx
		jb	short loc_61E7AE
		mov	eax, esi
		jmp	short loc_61E7A9
; 

loc_61E7A5:				; CODE XREF: .text:0061E7ACj
		mov	eax, [eax]
		mov	esi, eax

loc_61E7A9:				; CODE XREF: .text:0061E7A3j
		cmp	ecx, [eax+8]
		ja	short loc_61E7A5

loc_61E7AE:				; CODE XREF: .text:0061E79Fj
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	loc_61E86B
		cmp	[eax], esi
		jnz	loc_61E86B
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	[esi+0Ch], bl

loc_61E7CC:				; CODE XREF: .text:0061E792j
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jz	short loc_61E821
		test	ds:byte_70EFC6,	1
		jz	short loc_61E7EB
		mov	edx, [ebp+4]
		lea	ecx, [ebp-0Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_61E816
; 

loc_61E7EB:				; CODE XREF: .text:0061E7DCj
		mov	eax, [ebp-0Ch]
		test	eax, eax
		jnz	short loc_61E80A
		mov	edx, [ebp-8]
		lea	eax, [ebp-0Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-0Ch]
		cmp	eax, ecx
		jz	short loc_61E816
		call	KxWaitForLockChainValid

loc_61E80A:				; CODE XREF: .text:0061E7F0j
		xor	ecx, ecx
		mov	[ebp-0Ch], ebx
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_61E816:				; CODE XREF: .text:0061E7E9j
					; .text:0061E803j
		mov	cl, [ebp-4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_61E862
; 

loc_61E821:				; CODE XREF: .text:0061E7D3j
		test	ds:byte_70EFC6,	1
		jz	short loc_61E837
		mov	edx, [ebp+4]
		lea	ecx, [ebp-0Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_61E862
; 

loc_61E837:				; CODE XREF: .text:0061E828j
		mov	eax, [ebp-0Ch]
		test	eax, eax
		jnz	short loc_61E856
		mov	edx, [ebp-8]
		lea	eax, [ebp-0Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-0Ch]
		cmp	eax, ecx
		jz	short loc_61E862
		call	KxWaitForLockChainValid

loc_61E856:				; CODE XREF: .text:0061E83Cj
		xor	edx, edx
		mov	[ebp-0Ch], ebx
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx

loc_61E862:				; CODE XREF: .text:0061E81Fj
					; .text:0061E835j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_61E86B:				; CODE XREF: .text:0061E7B6j
					; .text:0061E7BEj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1261. KeRemoveByKeyDeviceQueueIfBusy

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRemoveByKeyDeviceQueueIfBusy(x, x)
		public _KeRemoveByKeyDeviceQueueIfBusy@8
_KeRemoveByKeyDeviceQueueIfBusy@8 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		xor	ebx, ebx
		stosd
		mov	esi, ebx
		stosd
		stosd
		mov	edi, [ebp+arg_0]
		lea	ecx, [edi+0Ch]
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jz	short loc_61E8A5
		lea	edx, [ebp+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		jmp	short loc_61E8D1
; 

loc_61E8A5:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+24j
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ebx
		jz	short loc_61E8C0
		mov	edx, ecx
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_61E8D1
; 

loc_61E8C0:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+3Dj
		lea	edx, [ebp+var_C]
		xchg	edx, [ecx]
		test	edx, edx
		jz	short loc_61E8D1
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_61E8D1:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+2Ej
					; KeRemoveByKeyDeviceQueueIfBusy(x,x)+49j ...
		cmp	[edi+10h], bl
		jz	short loc_61E8E2
		lea	eax, [edi+4]
		mov	ecx, [eax]
		cmp	ecx, eax
		jnz	short loc_61E905
		mov	[edi+10h], bl

loc_61E8E2:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+5Fj
					; KeRemoveByKeyDeviceQueueIfBusy(x,x)+C8j
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jz	loc_61E97A
		test	ds:byte_70EFC6,	1
		jz	short loc_61E944
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_61E96F
; 

loc_61E905:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+68j
		mov	edx, [ebp+arg_4]

loc_61E908:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+9Ej
		mov	esi, ecx
		cmp	edx, [ecx+8]
		jbe	short loc_61E915
		mov	ecx, [ecx]
		cmp	ecx, eax
		jnz	short loc_61E908

loc_61E915:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+98j
		cmp	ecx, eax
		jz	short loc_61E927
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_61E93F
		cmp	[eax], esi
		jmp	short loc_61E933
; 

loc_61E927:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+A2j
		mov	esi, [eax]
		mov	ecx, [esi]
		cmp	[esi+4], eax
		jnz	short loc_61E93F
		cmp	[ecx+4], esi

loc_61E933:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+B0j
		jnz	short loc_61E93F
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	[esi+0Ch], bl
		jmp	short loc_61E8E2
; 

loc_61E93F:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+ACj
					; KeRemoveByKeyDeviceQueueIfBusy(x,x)+B9j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_61E944:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+81j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_61E963
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_61E96F
		call	KxWaitForLockChainValid

loc_61E963:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+D4j
		xor	ecx, ecx
		mov	[ebp+var_C], ebx
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_61E96F:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+8Ej
					; KeRemoveByKeyDeviceQueueIfBusy(x,x)+E7j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_61E9BB
; 

loc_61E97A:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+74j
		test	ds:byte_70EFC6,	1
		jz	short loc_61E990
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_61E9BB
; 

loc_61E990:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+10Cj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_61E9AF
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_61E9BB
		call	KxWaitForLockChainValid

loc_61E9AF:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+120j
		xor	edx, edx
		mov	[ebp+var_C], ebx
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx

loc_61E9BB:				; CODE XREF: KeRemoveByKeyDeviceQueueIfBusy(x,x)+103j
					; KeRemoveByKeyDeviceQueueIfBusy(x,x)+119j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_KeRemoveByKeyDeviceQueueIfBusy@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1263. KeRemoveEntryDeviceQueue

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRemoveEntryDeviceQueue(x,	x)
		public _KeRemoveEntryDeviceQueue@8
_KeRemoveEntryDeviceQueue@8 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_C]
		sub	esp, 0Ch
		xor	eax, eax
		lea	ecx, [ecx+0Ch]
		push	ebx
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp+arg_4]
		mov	bl, [eax+0Ch]
		cmp	bl, 1
		jnz	short loc_61EA0B
		mov	byte ptr [eax+0Ch], 0
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_61EA21
		cmp	[ecx], eax
		jnz	short loc_61EA21
		mov	[ecx], edx
		mov	[edx+4], ecx

loc_61EA0B:				; CODE XREF: KeRemoveEntryDeviceQueue(x,x)+29j
		test	ds:byte_70EFC6,	1
		jz	short loc_61EA26
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_61EA55
; 

loc_61EA21:				; CODE XREF: KeRemoveEntryDeviceQueue(x,x)+37j
					; KeRemoveEntryDeviceQueue(x,x)+3Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_61EA26:				; CODE XREF: KeRemoveEntryDeviceQueue(x,x)+49j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_61EA45
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_61EA55
		call	KxWaitForLockChainValid

loc_61EA45:				; CODE XREF: KeRemoveEntryDeviceQueue(x,x)+62j
		xor	edx, edx
		mov	[ebp+var_C], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx

loc_61EA55:				; CODE XREF: KeRemoveEntryDeviceQueue(x,x)+56j
					; KeRemoveEntryDeviceQueue(x,x)+75j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	al, bl
		pop	ebx
		leave
		retn	8
_KeRemoveEntryDeviceQueue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiMaskInterruptDpc(x, x, x,	x)
_KiMaskInterruptDpc@16 proc near	; DATA XREF: KiIntSteerDisable+8954Fo

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, [ebp+arg_C]
		mov	bl, al
		mov	ecx, [ebp+arg_8]
		call	KiMaskInterruptInternal
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx
		pop	ebp
		retn	10h
_KiMaskInterruptDpc@16 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 1173. KeInitializeMutant

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeMutant(x, x)
		public _KeInitializeMutant@8
_KeInitializeMutant@8 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		call	KiInitializeMutant
		pop	ebp
		retn	8
_KeInitializeMutant@8 endp

; 
		align 10h
; Exported entry 1186. KeInsertHeadQueue

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInsertHeadQueue(x, x)
		public _KeInsertHeadQueue@8
_KeInsertHeadQueue@8 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	ebx, [esi+8]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, [ebp+arg_4]
		mov	byte ptr [ebp+var_8], al
		mov	eax, large fs:20h
		test	dword ptr ds:byte_70EFC4, 1000000h
		mov	[ebp+arg_0], eax
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		jz	short loc_61EAFC
		mov	ecx, eax
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		movzx	eax, al
		push	eax
		call	_EtwTraceEnqueueWork@12	; EtwTraceEnqueueWork(x,x,x)

loc_61EAFC:				; CODE XREF: KeInsertHeadQueue(x,x)+35j
		mov	ecx, esi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	eax, [esi+4]
		mov	[ebp+arg_4], eax
		cmp	[ebx], ebx
		jz	short loc_61EB3A
		mov	eax, [esi+18h]
		cmp	eax, [esi+1Ch]
		jnb	short loc_61EB3A
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+0A4h]
		cmp	eax, esi
		jnz	short loc_61EB2B
		cmp	byte ptr [ecx+18Bh], 0Fh
		jz	short loc_61EB3A

loc_61EB2B:				; CODE XREF: KeInsertHeadQueue(x,x)+70j
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		push	edi
		call	KiWakeQueueWaiter
		test	al, al
		jnz	short loc_61EB6E

loc_61EB3A:				; CODE XREF: KeInsertHeadQueue(x,x)+5Bj
					; KeInsertHeadQueue(x,x)+63j ...
		mov	edx, [esi+4]
		lea	eax, [edx+1]
		mov	[esi+4], eax
		lea	eax, [esi+10h]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jz	short loc_61EB52
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_61EB52:				; CODE XREF: KeInsertHeadQueue(x,x)+9Bj
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[ecx+4], edi
		mov	[eax], edi
		test	edx, edx
		jnz	short loc_61EB6E
		cmp	[ebx], ebx
		jz	short loc_61EB6E
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	@KiWakeOtherQueueWaiters@8 ; KiWakeOtherQueueWaiters(x,x)

loc_61EB6E:				; CODE XREF: KeInsertHeadQueue(x,x)+88j
					; KeInsertHeadQueue(x,x)+AEj ...
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		push	[ebp+var_8]
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	0
		push	1
		call	KiExitDispatcher
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KeInsertHeadQueue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIpiProcessRequests(x, x)
_KiIpiProcessRequests@8	proc near	; CODE XREF: KeFreezeExecution(x,x)+ABp
					; KeFreezeExecution(x,x)+104p

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, large fs:20h
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[esp+18h+var_9], 0
		mov	[esp+18h+var_4], esi
		lea	eax, [esi+21A0h]
		xchg	ebx, [eax]
		mov	[esp+18h+var_8], ebx
		test	bl, 4
		jz	short loc_61EBCE
		call	_KiFreezeTargetExecution@8 ; KiFreezeTargetExecution(x,x)
		mov	[esp+18h+var_9], 1

loc_61EBCE:				; CODE XREF: KiIpiProcessRequests(x,x)+31j
		test	bl, 10h
		jz	short loc_61EC06
		mov	eax, ds:_KiSynchPacket
		and	eax, 0FFFFFFFEh
		mov	[esi+2128h], edi
		push	dword ptr [eax+2168h]
		push	dword ptr [eax+2164h]
		push	dword ptr [eax+2160h]
		mov	eax, [eax+2170h]
		push	ds:_KiSynchPacket
		call	eax
		mov	[esp+28h+var_19], 1

loc_61EC06:				; CODE XREF: KiIpiProcessRequests(x,x)+40j
		lea	edi, [esi+4920h]
		cmp	dword ptr [edi], 0
		jz	short loc_61EC5B
		xor	esi, esi
		xchg	esi, [edi]
		test	esi, esi
		jz	short loc_61EC5B
		mov	ebx, [esp+28h+var_14]
		mov	[esp+28h+var_19], 1

loc_61EC22:				; CODE XREF: KiIpiProcessRequests(x,x)+BEj
					; KiIpiProcessRequests(x,x)+C4j
		mov	edx, esi
		mov	ecx, esi
		mov	esi, [esi]
		sub	edx, ebx
		sub	edx, 5EE0h
		sar	edx, 5
		mov	edx, ds:_KiProcessorBlock[edx*4]
		call	KiIpiProcessRequest
		mov	eax, [ebx+4DCh]
		test	eax, eax
		jz	short loc_61EC4D
		lock dec dword ptr [eax+20h]

loc_61EC4D:				; CODE XREF: KiIpiProcessRequests(x,x)+B6j
		test	esi, esi
		jnz	short loc_61EC22
		xchg	esi, [edi]
		test	esi, esi
		jnz	short loc_61EC22
		mov	ebx, [esp+28h+var_18]

loc_61EC5B:				; CODE XREF: KiIpiProcessRequests(x,x)+7Ej
					; KiIpiProcessRequests(x,x)+86j
		mov	esi, ds:__imp_@HalRequestSoftwareInterrupt@4 ; HalRequestSoftwareInterrupt(x)
		and	ebx, 1
		jz	short loc_61EC6A
		mov	cl, 1
		call	esi

loc_61EC6A:				; CODE XREF: KiIpiProcessRequests(x,x)+D3j
		test	byte ptr [esp+28h+var_18], 2
		jz	short loc_61EC77
		mov	cl, 2
		call	esi
		mov	bl, 1

loc_61EC77:				; CODE XREF: KiIpiProcessRequests(x,x)+DEj
		mov	al, 1
		test	bl, bl
		jnz	short loc_61EC81
		mov	al, [esp+28h+var_19]

loc_61EC81:				; CODE XREF: KiIpiProcessRequests(x,x)+EAj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_KiIpiProcessRequests@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeFreezeExecution(x, x)
_KeFreezeExecution@8 proc near		; CODE XREF: ExpWaitForBootDevices(x)+D4p
					; KdEnterDebugger(x,x)+83p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		and	[ebp+var_20], 0
		xor	eax, eax
		and	[ebp+var_28], 0
		and	[ebp+var_24], 0
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	[ebp+var_1C], edx
		stosd
		mov	[ebp+var_18], ecx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	cl, 1Fh
		mov	[ebp+var_12], al
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, large fs:20h
		mov	ds:_KiFreezeFlag, 4
		mov	[ebp+var_11], al
		mov	ecx, [ecx+2174h]
		and	cl, 0Fh
		cmp	cl, 4
		jz	loc_61EFE6
		mov	edi, 7A120h

loc_61ECFA:				; CODE XREF: KeFreezeExecution(x,x)+B2j
		mov	esi, edi

loc_61ECFC:				; CODE XREF: KeFreezeExecution(x,x)+C1j
		test	ds:byte_70EFC6,	21h
		mov	eax, offset _KdDebuggerLock
		jz	short loc_61ED15
		mov	ecx, eax
		call	@KiTryToAcquireSpinLockInstrumented@4 ;	KiTryToAcquireSpinLockInstrumented(x)
		mov	bl, al
		jmp	short loc_61ED20
; 

loc_61ED15:				; CODE XREF: KeFreezeExecution(x,x)+80j
		lock bts dword ptr [eax], 0
		jnb	short loc_61ED4B
		xor	bl, bl
		pause

loc_61ED20:				; CODE XREF: KeFreezeExecution(x,x)+8Bj
		test	bl, bl
		jnz	short loc_61ED4D
		cmp	ds:_KiFreezeExecutionLock, 0
		jz	short loc_61ED3C
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_18]
		call	_KiIpiProcessRequests@8	; KiIpiProcessRequests(x,x)
		test	al, al
		jnz	short loc_61ECFA

loc_61ED3C:				; CODE XREF: KeFreezeExecution(x,x)+A3j
		push	4
		call	ds:__imp__KeStallExecutionProcessor@4 ;	KeStallExecutionProcessor(x)
		sub	esi, 1
		jz	short loc_61ED4D
		jmp	short loc_61ECFC
; 

loc_61ED4B:				; CODE XREF: KeFreezeExecution(x,x)+92j
		mov	bl, 1

loc_61ED4D:				; CODE XREF: KeFreezeExecution(x,x)+9Aj
					; KeFreezeExecution(x,x)+BFj
		sub	edi, esi
		movzx	esi, bl
		shl	edi, 2
		neg	esi
		sbb	esi, esi
		and	esi, edi

loc_61ED5B:				; CODE XREF: KeFreezeExecution(x,x)+10Bj
		mov	eax, offset _KiFreezeExecutionLock
		mov	edi, 493E0h

loc_61ED65:				; CODE XREF: KeFreezeExecution(x,x)+11Fj
					; KeFreezeExecution(x,x)+14Fj
		test	ds:byte_70EFC6,	21h
		jz	short loc_61ED77
		mov	ecx, eax
		call	@KiTryToAcquireSpinLockInstrumented@4 ;	KiTryToAcquireSpinLockInstrumented(x)
		jmp	short loc_61ED82
; 

loc_61ED77:				; CODE XREF: KeFreezeExecution(x,x)+E4j
		lock bts dword ptr [eax], 0
		jnb	short loc_61EDE0
		xor	al, al
		pause

loc_61ED82:				; CODE XREF: KeFreezeExecution(x,x)+EDj
		test	al, al
		jnz	short loc_61EDE0
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_18]
		call	_KiIpiProcessRequests@8	; KiIpiProcessRequests(x,x)
		test	al, al
		jnz	short loc_61ED5B
		push	0Ah
		call	ds:__imp__KeStallExecutionProcessor@4 ;	KeStallExecutionProcessor(x)
		mov	eax, edi
		dec	edi
		test	eax, eax
		mov	eax, offset _KiFreezeExecutionLock
		jnz	short loc_61ED65
		test	ds:byte_70EFC6,	21h
		mov	edi, 493E0h
		mov	eax, offset _KiFreezeLockBackup
		jz	short loc_61EDC5
		mov	ecx, eax
		call	@KiTryToAcquireSpinLockInstrumented@4 ;	KiTryToAcquireSpinLockInstrumented(x)
		jmp	short loc_61EDD0
; 

loc_61EDC5:				; CODE XREF: KeFreezeExecution(x,x)+132j
		lock bts dword ptr [eax], 0
		jnb	short loc_61EDD9
		xor	al, al
		pause

loc_61EDD0:				; CODE XREF: KeFreezeExecution(x,x)+13Bj
		cmp	al, 1
		mov	eax, offset _KiFreezeExecutionLock
		jnz	short loc_61ED65

loc_61EDD9:				; CODE XREF: KeFreezeExecution(x,x)+142j
		or	ds:_KiFreezeFlag, 1

loc_61EDE0:				; CODE XREF: KeFreezeExecution(x,x)+F4j
					; KeFreezeExecution(x,x)+FCj
		test	bl, bl
		jnz	short loc_61EDF7
		mov	eax, ds:_KiFreezeFlag
		test	al, 1
		jz	short loc_61EDF7
		or	eax, 8
		mov	ds:_KiFreezeFlag, eax
		jmp	short loc_61EDFD
; 

loc_61EDF7:				; CODE XREF: KeFreezeExecution(x,x)+15Aj
					; KeFreezeExecution(x,x)+163j
		mov	ds:_KdPortLocked, bl

loc_61EDFD:				; CODE XREF: KeFreezeExecution(x,x)+16Dj
		cmp	esi, ds:_KdDebuggerLockMaxWaitTime
		jbe	short loc_61EE0B
		mov	ds:_KdDebuggerLockMaxWaitTime, esi

loc_61EE0B:				; CODE XREF: KeFreezeExecution(x,x)+17Bj
		mov	ebx, large fs:20h
		cmp	byte ptr [ebx+11h], 0
		jnz	short loc_61EE2D
		cmp	ds:_PoAllProcIntrDisabled, 0
		jnz	short loc_61EE2D
		mov	edx, [ebx+4]
		mov	ecx, ebx
		push	0
		call	_KiUpdateTotalCyclesCurrentThread@12 ; KiUpdateTotalCyclesCurrentThread(x,x,x)

loc_61EE2D:				; CODE XREF: KeFreezeExecution(x,x)+18Ej
					; KeFreezeExecution(x,x)+197j
		push	0
		push	1
		call	ds:off_6B12E4	; RtlEndStrongEnumerationHashTable(x,x)
		cmp	ds:_KeNumberProcessors,	1
		mov	ds:_KiClockLatencyMeasurementEnabled, 0
		jbe	loc_61EF17
		cmp	ds:_PoAllProcIntrDisabled, 0
		jnz	loc_61EF17
		mov	ds:_KiFreezeOwner, ebx
		mov	ecx, ebx
		mov	dword ptr [ebx+2174h], 4
		call	_KiSetDebuggerOwner@4 ;	KiSetDebuggerOwner(x)
		mov	ecx, ds:_PpmNonInterruptibleCount
		mov	eax, ds:_KiFreezeTimeout
		test	eax, eax
		jz	short loc_61EE8F
		test	ecx, ecx
		jnz	short loc_61EE8F
		mov	eax, ds:_KiFreezeTimeout
		imul	eax, 4E20h
		jmp	short loc_61EE94
; 

loc_61EE8F:				; CODE XREF: KeFreezeExecution(x,x)+1F4j
					; KeFreezeExecution(x,x)+1F8j
		mov	eax, 4E20h

loc_61EE94:				; CODE XREF: KeFreezeExecution(x,x)+205j
		mov	dword ptr [ebx+3B00h], 1
		lea	edi, [ebp+var_10]
		mov	esi, offset _KeActiveProcessors
		mov	[ebp+var_18], eax
		movsd
		movsd
		movsd
		mov	eax, [ebx+3CCh]
		mov	ecx, [ebp+var_8]
		btr	ecx, eax
		mov	eax, ds:_KiBugCheckActive
		mov	[ebp+var_8], ecx
		lea	ecx, [ebp+var_10]
		call	_KiSendFreeze@8	; KiSendFreeze(x,x)
		mov	eax, [ebp+var_8]
		mov	ebx, [ebp+var_18]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_34], eax

loc_61EED7:				; CODE XREF: KeFreezeExecution(x,x)+284j
					; KeFreezeExecution(x,x)+28Dj
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_61EF17
		mov	eax, [ebp+var_20]
		mov	esi, ds:_KiProcessorBlock[eax*4]
		jmp	short loc_61EF01
; 

loc_61EEF4:				; CODE XREF: KeFreezeExecution(x,x)+282j
		test	ebx, ebx
		jz	short loc_61EF0E
		push	32h
		call	ds:__imp__KeStallExecutionProcessor@4 ;	KeStallExecutionProcessor(x)
		dec	ebx

loc_61EF01:				; CODE XREF: KeFreezeExecution(x,x)+26Aj
		mov	eax, [esi+2174h]
		cmp	eax, 2
		jnz	short loc_61EEF4
		jmp	short loc_61EED7
; 

loc_61EF0E:				; CODE XREF: KeFreezeExecution(x,x)+26Ej
		or	ds:_KiFreezeFlag, 2
		jmp	short loc_61EED7
; 

loc_61EF17:				; CODE XREF: KeFreezeExecution(x,x)+1BDj
					; KeFreezeExecution(x,x)+1CAj ...
		cmp	ds:_PoAllProcIntrDisabled, 0
		mov	al, [ebp+var_11]
		mov	ds:_KiOldIrql, al
		jnz	loc_61EFE6
		call	_RtlWriteTryAcquireTickLock@4 ;	RtlWriteTryAcquireTickLock(x)
		test	al, al
		jz	loc_61EFE6
		lea	eax, [ebp+var_28]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	esi, eax
		mov	edi, (offset loc_98967E+2)
		sub	esi, ds:0FFDF0350h
		sbb	edx, ds:0FFDF0354h
		xor	ebx, ebx
		mov	eax, edx
		mul	edi
		push	ebx
		push	[ebp+var_28]
		mov	ecx, eax
		mov	eax, esi
		mul	edi
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	esi, eax
		add	esi, ds:0FFDF0008h
		adc	edx, ds:0FFDF000Ch
		mov	ds:0FFDF0010h, edx
		mov	ds:0FFDF0008h, esi
		mov	ds:0FFDF000Ch, edx
		mov	edi, ds:_KeMaximumIncrement
		test	edi, edi
		jz	short loc_61EFD2
		push	ebx
		push	edi
		push	edx
		push	esi
		call	__aulldiv
		lea	ecx, [eax+1]
		imul	ecx, edi
		sub	ecx, esi
		mov	ds:_KiTickOffset, ecx
		mov	ds:dword_7186C8, edx
		mov	ds:_KeTickCount, eax
		mov	ds:dword_7186C4, edx
		mov	ds:0FFDF0328h, edx
		mov	ds:0FFDF0320h, eax
		mov	ds:0FFDF0324h, edx

loc_61EFD2:				; CODE XREF: KeFreezeExecution(x,x)+30Fj
		mov	edx, 0FFDF0340h
		mov	ecx, [edx]
		mov	eax, [edx+4]
		add	ecx, 1
		mov	[edx], ecx
		adc	eax, ebx
		mov	[edx+4], eax

loc_61EFE6:				; CODE XREF: KeFreezeExecution(x,x)+67j
					; KeFreezeExecution(x,x)+29Ej ...
		mov	ecx, [ebp+var_4]
		mov	al, [ebp+var_12]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KeFreezeExecution@8 endp


;  S U B	R O U T	I N E 


; __stdcall KeFrozenProcessorCount()
_KeFrozenProcessorCount@0 proc near	; CODE XREF: IoInitializeBugCheckProgress(x,x)+22p
					; IoSetBugCheckProgressAndFlag(x,x):IoUpdateBugCheckProgressEnvVariable()p
		mov	edi, edi
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, esi
		cmp	ds:_KeNumberProcessors,	esi
		jbe	short loc_61F029

loc_61F008:				; CODE XREF: KeFrozenProcessorCount()+2Fj
		mov	ecx, edi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		test	eax, eax
		jz	short loc_61F020
		mov	eax, [eax+2174h]
		and	al, 0Fh
		cmp	al, 2
		jnz	short loc_61F020
		inc	esi

loc_61F020:				; CODE XREF: KeFrozenProcessorCount()+19j
					; KeFrozenProcessorCount()+25j
		inc	edi
		cmp	edi, ds:_KeNumberProcessors
		jb	short loc_61F008

loc_61F029:				; CODE XREF: KeFrozenProcessorCount()+Ej
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_KeFrozenProcessorCount@0 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 1311. KeStallWhileFrozen

;  S U B	R O U T	I N E 


; __stdcall KeStallWhileFrozen(x)
		public _KeStallWhileFrozen@4
_KeStallWhileFrozen@4 proc near
		mov	ecx, large fs:20h
		xor	dl, dl
		call	_KiCheckStall@8	; KiCheckStall(x,x)
		retn	4
_KeStallWhileFrozen@4 endp


;  S U B	R O U T	I N E 


; __stdcall KeSwitchFrozenProcessor(x)
_KeSwitchFrozenProcessor@4 proc	near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+3E3p
		mov	edi, edi
		push	esi
		push	0FFFFh
		mov	esi, ecx
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		cmp	esi, eax
		jnb	short loc_61F0C7
		cmp	ds:_PoAllProcIntrDisabled, 0
		jnz	short loc_61F0C7
		lfence	eax
		mov	ecx, ds:_KiProcessorBlock[esi*4]
		mov	eax, [ecx+2174h]
		cmp	eax, 2
		jz	short loc_61F07A
		cmp	eax, 4
		jnz	short loc_61F0C7

loc_61F07A:				; CODE XREF: KeSwitchFrozenProcessor(x)+2Fj
		mov	esi, large fs:20h
		call	_KiSetDebuggerOwner@4 ;	KiSetDebuggerOwner(x)
		mov	eax, [esi+2174h]
		and	al, 0Fh
		cmp	al, 2
		jnz	short loc_61F096
		push	3
		jmp	short loc_61F0C9
; 

loc_61F096:				; CODE XREF: KeSwitchFrozenProcessor(x)+4Cj
		mov	eax, [esi+2174h]
		and	al, 0Fh
		cmp	al, 4
		jz	short loc_61F0A6
		xor	eax, eax
		pop	esi
		retn
; 

loc_61F0A6:				; CODE XREF: KeSwitchFrozenProcessor(x)+5Cj
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)

loc_61F0AE:				; CODE XREF: KeSwitchFrozenProcessor(x)+81j
		mov	eax, ds:_KiDebuggerOwner
		cmp	esi, eax
		setz	al
		test	al, al
		jnz	short loc_61F0C7
		mov	dl, 1
		mov	ecx, esi
		call	_KiCheckStall@8	; KiCheckStall(x,x)
		jmp	short loc_61F0AE
; 

loc_61F0C7:				; CODE XREF: KeSwitchFrozenProcessor(x)+11j
					; KeSwitchFrozenProcessor(x)+1Aj ...
		push	2

loc_61F0C9:				; CODE XREF: KeSwitchFrozenProcessor(x)+50j
		pop	eax
		pop	esi
		retn
_KeSwitchFrozenProcessor@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeThawExecution(x)
_KeThawExecution@4 proc	near		; CODE XREF: ExpWaitForBootDevices(x)+E6p
					; KdExitDebugger(x)+C2p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ds:_KiFreezeFlag
		and	bl, 8
		mov	[ebp+var_2], cl
		neg	bl
		push	esi
		sbb	bl, bl
		xor	esi, esi
		push	esi
		not	bl
		and	bl, ds:_KdPortLocked
		push	esi
		call	ds:off_6B12E4	; RtlEndStrongEnumerationHashTable(x,x)
		cmp	ds:_PoAllProcIntrDisabled, 0
		jnz	short loc_61F11E
		push	esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ds:0FFDF0350h, eax
		mov	ds:0FFDF0354h, edx
		mov	ds:_KiInterruptTimeErrorAccumulator, esi
		mov	ds:dword_6D4B04, esi

loc_61F11E:				; CODE XREF: KeThawExecution(x)+32j
		call	_KiSendThawExecution@4 ; KiSendThawExecution(x)
		mov	al, ds:_KiOldIrql
		mov	[ebp+var_1], al
		mov	eax, ds:_KiFreezeFlag
		mov	ds:_KiFreezeFlag, esi
		test	al, 1
		jz	short loc_61F151
		test	ds:byte_70EFC6,	1
		jz	short loc_61F14A
		mov	ecx, offset _KiFreezeLockBackup
		jmp	short loc_61F15F
; 

loc_61F14A:				; CODE XREF: KeThawExecution(x)+75j
		mov	eax, offset _KiFreezeLockBackup
		jmp	short loc_61F16E
; 

loc_61F151:				; CODE XREF: KeThawExecution(x)+6Cj
		test	ds:byte_70EFC6,	1
		jz	short loc_61F169
		mov	ecx, offset _KiFreezeExecutionLock

loc_61F15F:				; CODE XREF: KeThawExecution(x)+7Cj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61F173
; 

loc_61F169:				; CODE XREF: KeThawExecution(x)+8Cj
		mov	eax, offset _KiFreezeExecutionLock

loc_61F16E:				; CODE XREF: KeThawExecution(x)+83j
		xor	ecx, ecx
		lock and [eax],	ecx

loc_61F173:				; CODE XREF: KeThawExecution(x)+9Bj
		test	bl, bl
		jz	short loc_61F199
		test	ds:byte_70EFC6,	1
		jz	short loc_61F18F
		mov	edx, [ebp+4]
		mov	ecx, offset _KdDebuggerLock
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61F199
; 

loc_61F18F:				; CODE XREF: KeThawExecution(x)+B2j
		xor	ecx, ecx
		mov	eax, offset _KdDebuggerLock
		lock and [eax],	ecx

loc_61F199:				; CODE XREF: KeThawExecution(x)+A9j
					; KeThawExecution(x)+C1j
		call	_KeFlushCurrentTb@0 ; KeFlushCurrentTb()
		mov	ecx, large fs:20h
		call	_KiEndDebugAccumulation@4 ; KiEndDebugAccumulation(x)
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_2], 0
		jz	short loc_61F1BA
		sti

loc_61F1BA:				; CODE XREF: KeThawExecution(x)+EBj
		pop	esi
		pop	ebx
		leave
		retn
_KeThawExecution@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiCheckStall(x, x)
_KiCheckStall@8	proc near		; CODE XREF: KiFreezeTargetExecution(x,x)+160p
					; KeStallWhileFrozen(x)+9p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_14], 0
		and	[ebp+var_10], 0
		push	ebx
		mov	ebx, ds:_KiFreezeStallOwner
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		cmp	edi, ebx
		jnz	short loc_61F23F
		push	esi
		lea	eax, [ebp+var_14]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		push	[ebp+var_10]
		mov	esi, eax
		mov	[ebp+var_8], eax
		sub	esi, ds:_KiLastStallTick
		mov	ecx, edx
		push	[ebp+var_14]
		mov	eax, ecx
		mov	[ebp+var_C], ecx
		sbb	eax, ds:dword_6C758C
		mov	ecx, 3E8h
		mul	ecx
		mov	edx, 3E8h
		mov	ecx, eax
		mov	eax, esi
		mul	edx
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		pop	esi
		test	edx, edx
		jnz	short loc_61F22F
		cmp	eax, 1F4h
		jbe	short loc_61F23F

loc_61F22F:				; CODE XREF: KiCheckStall(x,x)+68j
		mov	eax, [ebp+var_8]
		mov	ds:_KiLastStallTick, eax
		mov	eax, [ebp+var_C]
		mov	ds:dword_6C758C, eax

loc_61F23F:				; CODE XREF: KiCheckStall(x,x)+1Fj
					; KiCheckStall(x,x)+6Fj
		cmp	[ebp+var_1], 0
		mov	eax, ds:_KiDebuggerOwner
		jz	short loc_61F25C
		test	ebx, ebx
		jz	short loc_61F25C
		cmp	ebx, edi
		jz	short loc_61F25C
		test	eax, eax
		jz	short loc_61F25C
		cmp	eax, edi
		jz	short loc_61F25C
		pause

loc_61F25C:				; CODE XREF: KiCheckStall(x,x)+8Aj
					; KiCheckStall(x,x)+8Ej ...
		pop	edi
		pop	ebx
		leave
		retn
_KiCheckStall@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiEndDebugAccumulation(x)
_KiEndDebugAccumulation@4 proc near	; CODE XREF: KiFreezeTargetExecution(x,x)+19Cp
					; KeThawExecution(x)+D9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, ecx
		cmp	byte ptr [edi+11h], 0
		jnz	short loc_61F2EE
		cmp	ds:_PoAllProcIntrDisabled, 0
		jnz	short loc_61F2EE
		push	ebx
		push	esi
		mov	byte ptr [edi+11h], 1
		nop
		mov	ecx, [edi+3B68h]
		mov	esi, [edi+3B6Ch]
		rdtsc
		mov	ebx, eax
		mov	eax, edx
		sub	ebx, [edi+3B40h]
		sbb	eax, [edi+3B44h]
		add	ecx, ebx
		mov	[ebp+var_4], eax
		adc	esi, eax
		mov	[edi+3B90h], esi
		mov	[edi+3B68h], ecx
		mov	[edi+3B6Ch], esi
		mov	ecx, [edi+4]
		test	byte ptr [ecx+2], 20h
		jz	short loc_61F2CE
		push	eax
		push	ebx
		mov	ecx, edi
		call	@KiAccumulateProcessorCycleStats@12 ; KiAccumulateProcessorCycleStats(x,x,x)
		mov	ecx, [edi+4]
		mov	eax, [ebp+var_4]

loc_61F2CE:				; CODE XREF: KiEndDebugAccumulation(x)+5Dj
		add	[edi+3B40h], ebx
		pop	esi
		adc	[edi+3B44h], eax
		test	byte ptr [ecx+2], 2
		pop	ebx
		jz	short loc_61F2E9
		xor	dl, dl
		call	@KiBeginCounterAccumulation@8 ;	KiBeginCounterAccumulation(x,x)

loc_61F2E9:				; CODE XREF: KiEndDebugAccumulation(x)+80j
		nop
		mov	byte ptr [edi+11h], 0

loc_61F2EE:				; CODE XREF: KiEndDebugAccumulation(x)+Dj
					; KiEndDebugAccumulation(x)+16j
		pop	edi
		leave
		retn
_KiEndDebugAccumulation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSendFreeze(x, x)
_KiSendFreeze@8	proc near		; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+7EFp
					; KeFreezeExecution(x,x)+23Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		and	[ebp+var_4], eax
		xor	esi, esi
		mov	[ebp+var_8], eax
		mov	eax, [edi+8]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edi

loc_61F310:				; CODE XREF: KiSendFreeze(x,x)+46j
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_61F339
		mov	eax, [ebp+var_4]
		push	4
		pop	ecx
		mov	eax, ds:_KiProcessorBlock[eax*4]
		add	eax, 21A0h
		lock or	[eax], ecx
		inc	esi
		jmp	short loc_61F310
; 

loc_61F339:				; CODE XREF: KiSendFreeze(x,x)+2Ej
		test	esi, esi
		jz	short loc_61F352
		mov	eax, large fs:20h
		push	edi
		push	0
		inc	dword ptr [eax+40B4h]
		call	ds:__imp__HalRequestIpi@8 ; HalRequestIpi(x,x)

loc_61F352:				; CODE XREF: KiSendFreeze(x,x)+4Aj
		pop	edi
		pop	esi
		leave
		retn
_KiSendFreeze@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSendThawExecution(x)
_KiSendThawExecution@4 proc near	; CODE XREF: KeThawExecution(x):loc_61F11Ep

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_16		= word ptr -16h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		xor	edx, edx
		mov	[ebp+var_16], ax
		xor	ecx, ecx
		mov	eax, large fs:20h
		mov	[ebp+var_14], edx
		mov	[eax+2174h], edx
		call	_KiSetDebuggerOwner@4 ;	KiSetDebuggerOwner(x)
		lea	ecx, [ebp+var_14]
		call	KeIsBugCheckActive
		test	al, al
		jz	short loc_61F3A8
		mov	ecx, large fs:20h
		mov	eax, [ebp+var_14]
		cmp	eax, [ecx+3CCh]
		jz	loc_61F468

loc_61F3A8:				; CODE XREF: KiSendThawExecution(x)+3Aj
		cmp	ds:_KeNumberProcessors,	2
		jb	loc_61F468
		cmp	ds:_PoAllProcIntrDisabled, dl
		jnz	loc_61F468
		push	esi
		xor	eax, eax
		mov	[ebp+var_C], edx
		inc	eax
		mov	[ebp+var_8], edx
		push	3
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		mov	[ebp+var_14], edx
		pop	esi
		cmp	ds:_KeNumberProcessors,	edx
		jbe	short loc_61F416

loc_61F3E1:				; CODE XREF: KiSendThawExecution(x)+BEj
		mov	eax, [ebp+var_14]
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		mov	eax, large fs:20h
		cmp	ecx, eax
		jz	short loc_61F407
		mov	eax, [ecx+2174h]
		and	al, 0Fh
		cmp	al, 2
		jz	short loc_61F445
		mov	[ecx+2174h], edx

loc_61F407:				; CODE XREF: KiSendThawExecution(x)+9Dj
		mov	ecx, [ebp+var_14]

loc_61F40A:				; CODE XREF: KiSendThawExecution(x)+101j
		inc	ecx
		mov	[ebp+var_14], ecx
		cmp	ecx, ds:_KeNumberProcessors
		jb	short loc_61F3E1

loc_61F416:				; CODE XREF: KiSendThawExecution(x)+89j
		xor	eax, eax
		mov	[ebp+var_18], ax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], eax

loc_61F428:				; CODE XREF: KiSendThawExecution(x)+10Fj
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_61F467
		mov	eax, [ebp+var_14]
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		jmp	short loc_61F45B
; 

loc_61F445:				; CODE XREF: KiSendThawExecution(x)+A9j
		mov	[ecx+2174h], esi
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_14]
		bts	eax, ecx
		mov	[ebp+var_8], eax
		jmp	short loc_61F40A
; 

loc_61F459:				; CODE XREF: KiSendThawExecution(x)+10Dj
		pause

loc_61F45B:				; CODE XREF: KiSendThawExecution(x)+EDj
		mov	eax, [ecx+2174h]
		cmp	eax, esi
		jz	short loc_61F459
		jmp	short loc_61F428
; 

loc_61F467:				; CODE XREF: KiSendThawExecution(x)+E1j
		pop	esi

loc_61F468:				; CODE XREF: KiSendThawExecution(x)+4Cj
					; KiSendThawExecution(x)+59j ...
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KiSendThawExecution@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiSetDebuggerOwner(x)
_KiSetDebuggerOwner@4 proc near		; CODE XREF: KiFreezeTargetExecution(x,x)+157p
					; KeBugCheck2(x,x,x,x,x,x)+7C9p ...
		mov	eax, ds:_KiDebuggerIsStallOwner
		test	eax, eax
		jnz	short loc_61F4AC
		test	ecx, ecx
		jz	short loc_61F4AC
		cmp	ds:_KeNumberProcessors,	1
		jz	short loc_61F4AC
		mov	eax, 0FFDF03C6h
		mov	al, [eax]
		test	al, al
		jnz	short loc_61F4AC
		cmp	dword ptr [ecx+3CCh], 0
		jz	short loc_61F4A5
		mov	eax, ds:_KiProcessorBlock
		jmp	short loc_61F4AE
; 

loc_61F4A5:				; CODE XREF: KiSetDebuggerOwner(x)+28j
		mov	eax, ds:dword_70E344
		jmp	short loc_61F4AE
; 

loc_61F4AC:				; CODE XREF: KiSetDebuggerOwner(x)+7j
					; KiSetDebuggerOwner(x)+Bj ...
		mov	eax, ecx

loc_61F4AE:				; CODE XREF: KiSetDebuggerOwner(x)+2Fj
					; KiSetDebuggerOwner(x)+36j
		mov	ds:_KiFreezeStallOwner,	eax
		mov	eax, offset _KiDebuggerOwner
		xchg	ecx, [eax]
		retn
_KiSetDebuggerOwner@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiBeginCounterAccumulation(x, x)
@KiBeginCounterAccumulation@8 proc near	; CODE XREF: KiStartThreadCycleAccumulation+6F068p
					; KiBeginThreadAccountingPeriod+16B38Ep ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, [ecx+0F4h]
		mov	[ebp+var_1], dl
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], esi
		mov	eax, [esi+20h]
		mov	ebx, [esi+24h]
		mov	[ebp+var_10], eax
		or	eax, ebx
		mov	[ebp+var_14], ebx
		jz	short loc_61F53B
		mov	eax, ds:_KiHwCountersCount
		xor	ebx, ebx
		push	edi
		xor	edi, edi
		mov	[ebp+var_18], eax
		inc	edi
		mov	edx, ebx
		mov	[ebp+var_8], edx
		test	eax, eax
		jz	short loc_61F537
		lea	eax, [esi+30h]
		mov	esi, eax

loc_61F500:				; CODE XREF: KiBeginCounterAccumulation(x,x)+74j
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_14]
		and	ecx, edi
		and	eax, ebx
		or	ecx, eax
		jz	short loc_61F51F
		mov	ecx, ds:_KiHwCounters[edx*4]
		rdpmc
		mov	[esi+4], edx
		mov	edx, [ebp+var_8]
		mov	[esi], eax

loc_61F51F:				; CODE XREF: KiBeginCounterAccumulation(x,x)+51j
		shld	ebx, edi, 1
		add	esi, 18h
		add	edi, edi
		inc	edx
		mov	[ebp+var_8], edx
		cmp	edx, [ebp+var_18]
		jb	short loc_61F500
		mov	esi, [ebp+var_1C]
		mov	ecx, [ebp+var_20]

loc_61F537:				; CODE XREF: KiBeginCounterAccumulation(x,x)+3Ej
		mov	dl, [ebp+var_1]
		pop	edi

loc_61F53B:				; CODE XREF: KiBeginCounterAccumulation(x,x)+27j
		test	byte ptr [esi+0Ch], 1
		jz	short loc_61F55E
		test	dl, dl
		jz	short loc_61F55E
		inc	dword ptr [esi+10h]
		xor	eax, eax
		movzx	ecx, byte ptr [ecx+18Bh]
		inc	eax
		xor	edx, edx
		call	__allshl
		or	[esi], eax
		or	[esi+4], edx

loc_61F55E:				; CODE XREF: KiBeginCounterAccumulation(x,x)+84j
					; KiBeginCounterAccumulation(x,x)+88j
		pop	esi
		pop	ebx
		leave
		retn
@KiBeginCounterAccumulation@8 endp


;  S U B	R O U T	I N E 


; __stdcall KeDisableProfiling(x, x)
_KeDisableProfiling@8 proc near		; CODE XREF: KeTerminateThread+1685A2p
					; NtSetInformationThread+104443p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, 0C0000302h
		mov	eax, [edi+0F4h]
		test	eax, eax
		jz	short loc_61F5A2
		cmp	[eax+8], edx
		jz	short loc_61F583
		mov	esi, 0C000000Dh
		jmp	short loc_61F5A2
; 

loc_61F583:				; CODE XREF: KeDisableProfiling(x,x)+18j
		lock btr dword ptr [edi], 11h
		lock btr dword ptr [edi], 10h
		mov	ecx, [edi+0F4h]
		xor	esi, esi
		push	esi
		push	ecx
		mov	[edi+0F4h], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_61F5A2:				; CODE XREF: KeDisableProfiling(x,x)+13j
					; KeDisableProfiling(x,x)+1Fj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_KeDisableProfiling@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1211. KeProfileInterruptWithSource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeProfileInterruptWithSource(x, x)
		public _KeProfileInterruptWithSource@8
_KeProfileInterruptWithSource@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		inc	large dword ptr	fs:5C0h
		mov	eax, large fs:124h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax+80h]
		add	eax, 10h
		push	eax
		call	_KiProcessProfileList@12 ; KiProcessProfileList(x,x,x)
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	offset _KiProfileListHead
		call	_KiProcessProfileList@12 ; KiProcessProfileList(x,x,x)
		pop	ebp
		retn	8
_KeProfileInterruptWithSource@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeStartProfile(x)
_KeStartProfile@4 proc near		; CODE XREF: EtwpPmcProfileInit()+19p
					; EtwpTimeProfileInit()+26j ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_16		= word ptr -16h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		mov	eax, ds:_KeNumberProcessors
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+30h+var_1C], eax
		mov	eax, ds:_KeNumberProcessors
		xor	ebx, ebx
		inc	ebx
		mov	[esp+30h+var_C], edi
		push	0FFFFh
		mov	[esp+34h+var_8], edi
		mov	[esp+34h+var_24], ecx
		mov	[esp+34h+var_20], eax
		mov	[esp+34h+var_18], bx
		mov	[esp+34h+var_16], bx
		mov	[esp+34h+var_14], edi
		mov	[esp+34h+var_10], edi
		call	KeQueryMaximumProcessorCountEx
		push	666F7250h
		lea	esi, ds:18h[eax*4]
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+34h+var_10], eax
		test	eax, eax
		jnz	short loc_61F662
		mov	al, bl
		jmp	short loc_61F6A3
; 

loc_61F662:				; CODE XREF: KeStartProfile(x)+75j
		push	esi		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+34h+var_28]
		push	eax
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	short loc_61F686
		push	offset _KiStartProfileTarget@4 ; KiStartProfileTarget(x)
		call	KeIpiGenericCall
		jmp	short loc_61F68B
; 

loc_61F686:				; CODE XREF: KeStartProfile(x)+91j
		call	_KiStartProfileTarget@4	; KiStartProfileTarget(x)

loc_61F68B:				; CODE XREF: KeStartProfile(x)+9Dj
		cmp	[esp+34h+var_10], edi
		jz	short loc_61F69F
		push	666F7250h
		push	[esp+38h+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_61F69F:				; CODE XREF: KeStartProfile(x)+A8j
		mov	al, byte ptr [esp+34h+var_C]

loc_61F6A3:				; CODE XREF: KeStartProfile(x)+79j
		mov	ecx, [esp+34h+var_8]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_KeStartProfile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeStopProfile(x)
_KeStopProfile@4 proc near		; CODE XREF: EtwpDisableKernelTrace+129A36p
					; EtwpDisableKernelTrace+129A56p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_16		= word ptr -16h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		mov	eax, ds:_KeNumberProcessors
		mov	[esp+24h+var_1C], eax
		mov	eax, ds:_KeNumberProcessors
		mov	[esp+24h+var_20], eax
		xor	eax, eax
		inc	eax
		mov	[esp+24h+var_24], ecx
		push	esi
		xor	esi, esi
		mov	[esp+28h+var_18], ax
		cmp	ds:_KeNumberProcessors,	eax
		mov	[esp+28h+var_16], ax
		lea	eax, [esp+28h+var_24]
		mov	[esp+28h+var_C], esi
		mov	[esp+28h+var_8], esi
		mov	[esp+28h+var_14], esi
		mov	[esp+28h+var_10], esi
		push	eax
		jbe	short loc_61F719
		push	offset _KiStopProfileTarget@4 ;	KiStopProfileTarget(x)
		call	KeIpiGenericCall
		jmp	short loc_61F71E
; 

loc_61F719:				; CODE XREF: KeStopProfile(x)+56j
		call	_KiStopProfileTarget@4 ; KiStopProfileTarget(x)

loc_61F71E:				; CODE XREF: KeStopProfile(x)+62j
		cmp	[esp+28h+var_C], esi
		jz	short loc_61F72E
		push	esi
		push	[esp+2Ch+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_61F72E:				; CODE XREF: KeStopProfile(x)+6Dj
		mov	ecx, [esp+28h+var_4]
		mov	al, byte ptr [esp+28h+var_8]
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_KeStopProfile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiCopyCounters(x)
_KiCopyCounters@4 proc near		; CODE XREF: Dr_kass_a+417p
					; KiSystemServicePostCall()+75p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	cl, 1
		push	edi
		mov	eax, [esi+0F4h]
		mov	[ebp+arg_0], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al

loc_61F761:				; CODE XREF: KiCopyCounters(x)+41j
					; KiCopyCounters(x)+45j
		mov	eax, [esi+30h]
		mov	edi, [esi+34h]
		mov	[ebp+var_4], eax
		sti
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_KiCopyCountersWorker@8	; KiCopyCountersWorker(x,x)
		cli
		test	eax, eax
		jnz	short loc_61F789
		mov	eax, [esi+30h]
		mov	ecx, [esi+34h]
		cmp	[ebp+var_4], eax
		jnz	short loc_61F761
		cmp	edi, ecx
		jnz	short loc_61F761

loc_61F789:				; CODE XREF: KiCopyCounters(x)+36j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KiCopyCounters@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiEndCounterAccumulation(x)
_KiEndCounterAccumulation@4 proc near	; CODE XREF: KiEndThreadAccountingPeriod+C984Bp
					; KiEndThreadCycleAccumulation+6F3D2p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	edi
		mov	edi, [ecx+0F4h]
		mov	ecx, [edi+20h]
		mov	eax, ecx
		mov	edx, [edi+24h]
		or	eax, edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], edx
		jz	short loc_61F812
		mov	eax, ds:_KiHwCountersCount
		xor	edx, edx
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], edx
		inc	esi
		mov	[ebp+var_C], eax
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_61F810
		add	edi, 30h

loc_61F7D4:				; CODE XREF: KiEndCounterAccumulation(x)+76j
		mov	eax, [ebp+var_8]
		and	ecx, esi
		and	eax, ebx
		or	ecx, eax
		jz	short loc_61F7FB
		mov	ecx, ds:_KiHwCounters[edx*4]
		rdpmc
		mov	ecx, eax
		sub	ecx, [edi]
		add	[edi+8], ecx
		mov	[edi+4], edx
		adc	dword ptr [edi+0Ch], 0
		mov	edx, [ebp+var_4]
		mov	[edi], eax

loc_61F7FB:				; CODE XREF: KiEndCounterAccumulation(x)+45j
		mov	ecx, [ebp+var_10]
		add	edi, 18h
		shld	ebx, esi, 1
		add	esi, esi
		inc	edx
		mov	[ebp+var_4], edx
		cmp	edx, [ebp+var_C]
		jb	short loc_61F7D4

loc_61F810:				; CODE XREF: KiEndCounterAccumulation(x)+37j
		pop	esi
		pop	ebx

loc_61F812:				; CODE XREF: KiEndCounterAccumulation(x)+1Fj
		pop	edi
		leave
		retn
_KiEndCounterAccumulation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiProcessProfileList(x, x, x)
_KiProcessProfileList@12 proc near	; CODE XREF: KeProfileInterruptWithSource(x,x)+22p
					; KeProfileInterruptWithSource(x,x)+32p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		mov	ecx, large fs:20h
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ecx
		mov	esi, [edi]
		jmp	short loc_61F884
; 

loc_61F835:				; CODE XREF: KiProcessProfileList(x,x,x)+71j
		movsx	eax, word ptr [esi+2Ch]
		cmp	eax, edx
		jnz	short loc_61F882
		cmp	word ptr [esi-4], 11h
		jnz	short loc_61F851
		mov	edx, [esi+10h]
		mov	ecx, ebx
		call	dword ptr [esi+0Ch]
		mov	edx, [ebp+var_8]
		jmp	short loc_61F87F
; 

loc_61F851:				; CODE XREF: KiProcessProfileList(x,x,x)+2Dj
		mov	eax, [esi+28h]
		mov	ecx, [ecx+3CCh]
		shr	eax, cl
		test	al, 1
		jz	short loc_61F87F
		mov	eax, [ebx+68h]
		mov	ecx, [esi+0Ch]
		cmp	eax, ecx
		jb	short loc_61F87F
		cmp	eax, [esi+10h]
		jnb	short loc_61F87F
		sub	eax, ecx
		mov	ecx, [esi+14h]
		shr	eax, cl
		and	eax, 0FFFFFFFCh
		add	eax, [esi+18h]
		lock inc dword ptr [eax]

loc_61F87F:				; CODE XREF: KiProcessProfileList(x,x,x)+3Aj
					; KiProcessProfileList(x,x,x)+49j ...
		mov	ecx, [ebp+var_4]

loc_61F882:				; CODE XREF: KiProcessProfileList(x,x,x)+26j
		mov	esi, [esi]

loc_61F884:				; CODE XREF: KiProcessProfileList(x,x,x)+1Ej
		cmp	esi, edi
		jnz	short loc_61F835
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KiProcessProfileList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetIntervalWorker(x, x)
_KiSetIntervalWorker@8 proc near	; DATA XREF: KeSetIntervalProfile(x,x)+6Ao

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	8
		push	0
		call	ds:off_6B2BC8	; xHalSetSystemInformation(x,x,x)
		pop	ebp
		retn	8
_KiSetIntervalWorker@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiStartProfileTarget(x)
_KiStartProfileTarget@4	proc near	; CODE XREF: KeStartProfile(x):loc_61F686p
					; DATA XREF: KeStartProfile(x)+93o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_A		= word ptr -0Ah
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	cl, ds:_KiProfileIrql
		xor	eax, eax
		and	[ebp+var_4], eax
		push	ebx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_A], ax
		mov	ebx, [edi]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	byte ptr [ebp+arg_0+3],	al
		or	ecx, 0FFFFFFFFh
		lock xadd [edi+4], ecx
		jnz	short loc_61F8E0
		cmp	byte ptr [ebx+32h], 0
		jz	short loc_61F8EB
		mov	byte ptr [edi+1Ch], 0

loc_61F8E0:				; CODE XREF: KiStartProfileTarget(x)+2Fj
					; KiStartProfileTarget(x)+13Fj
		lea	ecx, [edi+8]
		lock dec dword ptr [ecx]
		jmp	loc_61F9F0
; 

loc_61F8EB:				; CODE XREF: KiStartProfileTarget(x)+35j
		mov	ecx, [ebx+0Ch]
		xor	eax, eax
		inc	eax
		mov	[ebx+32h], al
		lea	eax, [ebx+4]
		test	ecx, ecx
		jz	short loc_61F915
		mov	edx, [ecx+14h]
		add	ecx, 10h
		cmp	[edx], ecx
		jnz	loc_61F9E9
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		jmp	short loc_61F934
; 

loc_61F915:				; CODE XREF: KiStartProfileTarget(x)+54j
		mov	ecx, ds:dword_6CB30C
		mov	edx, offset _KiProfileListHead
		cmp	[ecx], edx
		jnz	loc_61F9E9
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:dword_6CB30C, eax

loc_61F934:				; CODE XREF: KiStartProfileTarget(x)+6Ej
		push	esi
		mov	esi, ds:_KiProfileSourceListHead
		mov	ecx, offset _KiProfileSourceListHead
		cmp	esi, ecx
		jz	short loc_61F953
		movsx	eax, word ptr [ebx+30h]

loc_61F948:				; CODE XREF: KiStartProfileTarget(x)+ACj
		cmp	[esi+8], eax
		jz	short loc_61F98B
		mov	esi, [esi]
		cmp	esi, ecx
		jnz	short loc_61F948

loc_61F953:				; CODE XREF: KiStartProfileTarget(x)+9Dj
		mov	esi, [edi+18h]
		xor	edx, edx
		mov	[edi+18h], edx
		movsx	eax, word ptr [ebx+30h]
		mov	[esi+8], eax
		xor	eax, eax
		inc	eax
		mov	[esi+10h], edx
		mov	[esi+0Ch], ax
		mov	[esi+0Eh], ax
		mov	[esi+14h], edx
		mov	eax, ds:_KiProfileSourceListHead
		cmp	[eax+4], ecx
		jnz	short loc_61F9E9
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		mov	ds:_KiProfileSourceListHead, esi

loc_61F98B:				; CODE XREF: KiStartProfileTarget(x)+A6j
		xor	eax, eax
		lea	ecx, [ebx+24h]
		mov	[ebp+var_C], ax
		mov	eax, [ecx+8]
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], ecx

loc_61F99D:				; CODE XREF: KiStartProfileTarget(x)+110j
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_61F9B7
		mov	eax, [ebp+var_4]
		inc	dword ptr [esi+eax*4+18h]
		jmp	short loc_61F99D
; 

loc_61F9B7:				; CODE XREF: KiStartProfileTarget(x)+107j
		lea	eax, [edi+0Ch]
		add	esi, 0Ch
		push	eax
		push	esi
		lea	eax, [ebx+24h]
		push	eax
		call	_KeSubtractAffinityEx@12 ; KeSubtractAffinityEx(x,x,x)
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		lock or	[eax], ecx
		push	esi
		lea	eax, [ebx+24h]
		push	eax
		push	esi
		call	_KeOrAffinityEx@12 ; KeOrAffinityEx(x,x,x)
		mov	byte ptr [edi+1Ch], 1
		pop	esi
		jmp	loc_61F8E0
; 

loc_61F9E9:				; CODE XREF: KiStartProfileTarget(x)+5Ej
					; KiStartProfileTarget(x)+7Dj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_61F9EE:				; CODE XREF: KiStartProfileTarget(x)+14Fj
		pause

loc_61F9F0:				; CODE XREF: KiStartProfileTarget(x)+41j
		mov	eax, [ecx]
		test	eax, eax
		jg	short loc_61F9EE
		mov	ecx, large fs:20h
		movzx	eax, byte ptr [ecx+3C5h]
		mov	eax, [edi+eax*4+14h]
		test	[ecx+3C8h], eax
		jz	short loc_61FA1B
		movsx	eax, word ptr [ebx+30h]
		push	eax
		call	ds:__imp__HalStartProfileInterrupt@4 ; HalStartProfileInterrupt(x)

loc_61FA1B:				; CODE XREF: KiStartProfileTarget(x)+169j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	ebx
		leave
		retn	4
_KiStartProfileTarget@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiStopProfileTarget(x)
_KiStopProfileTarget@4 proc near	; CODE XREF: KeStopProfile(x):loc_61F719p
					; DATA XREF: KeStopProfile(x)+58o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_A		= word ptr -0Ah
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	cl, ds:_KiProfileIrql
		xor	eax, eax
		and	[ebp+var_4], eax
		push	ebx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_A], ax
		mov	ebx, [edi]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	byte ptr [ebp+arg_0+3],	al
		or	ecx, 0FFFFFFFFh
		lock xadd [edi+4], ecx
		jnz	loc_61FB15
		cmp	byte ptr [ebx+32h], 0
		jz	loc_61FB15
		lea	eax, [ebx+4]
		mov	byte ptr [ebx+32h], 0
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_61FA8F
		mov	edx, [eax+4]
		cmp	[ecx+4], eax
		jnz	loc_61FB1D
		cmp	[edx], eax
		jnz	loc_61FB1D
		mov	[edx], ecx
		mov	[ecx+4], edx

loc_61FA8F:				; CODE XREF: KiStopProfileTarget(x)+4Aj
		mov	eax, ds:_KiProfileSourceListHead
		movsx	ecx, word ptr [ebx+30h]
		push	esi

loc_61FA99:				; CODE XREF: KiStopProfileTarget(x)+76j
		mov	esi, eax
		mov	eax, [eax]
		cmp	[esi+8], ecx
		jnz	short loc_61FA99
		xor	eax, eax
		lea	ecx, [ebx+24h]
		mov	[ebp+var_C], ax
		mov	eax, [ecx+8]
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], ecx

loc_61FAB4:				; CODE XREF: KiStopProfileTarget(x)+A3j
					; KiStopProfileTarget(x)+AEj
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_61FADA
		mov	ecx, [ebp+var_4]
		sub	dword ptr [esi+ecx*4+18h], 1
		jnz	short loc_61FAB4
		mov	eax, [edi+14h]
		bts	eax, ecx
		mov	[edi+14h], eax
		jmp	short loc_61FAB4
; 

loc_61FADA:				; CODE XREF: KiStopProfileTarget(x)+99j
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [esi+0Ch]
		push	ecx
		lea	eax, [edi+0Ch]
		push	eax
		push	ecx
		call	_KeSubtractAffinityEx@12 ; KeSubtractAffinityEx(x,x,x)
		cmp	dword ptr [esi+14h], 0
		jnz	short loc_61FB10
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_61FB1D
		cmp	[eax], esi
		jnz	short loc_61FB1D
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	[edi+18h], esi

loc_61FB10:				; CODE XREF: KiStopProfileTarget(x)+CEj
		mov	byte ptr [edi+1Ch], 1
		pop	esi

loc_61FB15:				; CODE XREF: KiStopProfileTarget(x)+2Fj
					; KiStopProfileTarget(x)+39j
		lea	ecx, [edi+8]
		lock dec dword ptr [ecx]
		jmp	short loc_61FB24
; 

loc_61FB1D:				; CODE XREF: KiStopProfileTarget(x)+52j
					; KiStopProfileTarget(x)+5Aj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_61FB22:				; CODE XREF: KiStopProfileTarget(x)+FEj
		pause

loc_61FB24:				; CODE XREF: KiStopProfileTarget(x)+F1j
		mov	eax, [ecx]
		test	eax, eax
		jg	short loc_61FB22
		mov	ecx, large fs:20h
		movzx	eax, byte ptr [ecx+3C5h]
		mov	eax, [edi+eax*4+14h]
		test	[ecx+3C8h], eax
		jz	short loc_61FB4F
		movsx	eax, word ptr [ebx+30h]
		push	eax
		call	ds:__imp__HalStopProfileInterrupt@4 ; HalStopProfileInterrupt(x)

loc_61FB4F:				; CODE XREF: KiStopProfileTarget(x)+118j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	ebx
		leave
		retn	4
_KiStopProfileTarget@4 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 1242. KeRaiseUserException

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRaiseUserException(x)
		public _KeRaiseUserException@4
_KeRaiseUserException@4	proc near	; CODE XREF: ExHandleLogBadReference+950D5p
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+74Fp ...

var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	10h
		push	offset dword_6A86C0
		call	__SEH_prolog4
		mov	edi, large fs:124h
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		mov	[ebp+var_19], bl
		cmp	bl, 1
		jnb	short loc_61FB93
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		mov	[ebp+var_19], bl

loc_61FB93:				; CODE XREF: KeRaiseUserException(x)+21j
		mov	esi, [edi+6Ch]
		test	esi, esi
		jz	loc_61FC2A
		test	byte ptr [esi+6Ch], 1
		jnz	short loc_61FBB1
		test	dword ptr [esi+70h], 20000h
		jnz	short loc_61FBB1
		xor	al, al
		jmp	short loc_61FBB3
; 

loc_61FBB1:				; CODE XREF: KeRaiseUserException(x)+3Fj
					; KeRaiseUserException(x)+48j
		mov	al, 1

loc_61FBB3:				; CODE XREF: KeRaiseUserException(x)+4Cj
		cmp	al, 1
		jnz	short loc_61FC2A
		mov	ecx, [edi+0A8h]
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+arg_0]
		mov	[ecx+1A4h], eax
		mov	ecx, esi
		call	KiEspFromTrapFrame
		sub	eax, 4
		mov	[ebp+var_20], eax
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_61FBE4
		mov	byte ptr [ecx],	0

loc_61FBE4:				; CODE XREF: KeRaiseUserException(x)+7Cj
		mov	al, [eax]
		mov	ecx, [ebp+var_20]
		mov	[ecx], al
		mov	al, [ecx+3]
		mov	[ecx+3], al
		mov	eax, [esi+68h]
		mov	edx, [ebp+var_20]
		mov	[edx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, esi
		call	KiEspToTrapFrame
		mov	eax, ds:_KeRaiseUserExceptionDispatcher
		mov	[esi+68h], eax
		push	0
		push	esi
		call	KiSetupForInstrumentationReturn
		jmp	short loc_61FC2A
; 

loc_61FC19:				; DATA XREF: .text:006A86D4o
		xor	eax, eax
		inc	eax
		retn
; 

loc_61FC1D:				; DATA XREF: .text:006A86D8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	bl, [ebp+var_19]

loc_61FC2A:				; CODE XREF: KeRaiseUserException(x)+35j
					; KeRaiseUserException(x)+52j ...
		cmp	bl, 1
		jnb	short loc_61FC37
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_61FC37:				; CODE XREF: KeRaiseUserException(x)+CAj
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KeRaiseUserException@4	endp


;  S U B	R O U T	I N E 


; __stdcall KiCheckForAtlThunk(x, x)
_KiCheckForAtlThunk@8 proc near		; CODE XREF: KiDispatchException+10DE9Ap
		test	byte ptr [ecx+14h], 8
		push	esi
		jz	short loc_61FC8A
		mov	eax, [ecx+18h]
		lea	esi, [edx+0B8h]
		cmp	eax, [esi]
		jnz	short loc_61FC8A
		lea	eax, [edx+0A8h]
		mov	ecx, esi
		push	eax
		lea	eax, [edx+0ACh]
		push	eax
		lea	eax, [edx+0B0h]
		add	edx, 0C4h
		push	eax
		call	_KiEmulateAtlThunk@20 ;	KiEmulateAtlThunk(x,x,x,x,x)
		test	eax, eax
		jz	short loc_61FC8A
		mov	al, 1
		pop	esi
		retn
; 

loc_61FC8A:				; CODE XREF: KiCheckForAtlThunk(x,x)+5j
					; KiCheckForAtlThunk(x,x)+12j ...
		xor	al, al
		pop	esi
		retn
_KiCheckForAtlThunk@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeCpuSetQueryUnparkRecommendation(x, x, x)
_KeCpuSetQueryUnparkRecommendation@12 proc near
					; CODE XREF: PpmParkCalculateCoreParkingMask+12A049p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx

loc_61FC9A:				; CODE XREF: KeCpuSetQueryUnparkRecommendation(x,x,x)+2Bj
		mov	ecx, offset _KiCpuSetSequence
		call	_RtlBeginReadTickLock@4	; RtlBeginReadTickLock(x)
		mov	ebx, ds:_KiSystemAllowedCpuSets[edi*8]
		mov	ecx, offset _KiCpuSetSequence
		push	edx
		push	eax
		call	_RtlTryEndReadTickLock@12 ; RtlTryEndReadTickLock(x,x,x)
		test	eax, eax
		jz	short loc_61FC9A
		mov	eax, [ebp+arg_0]
		not	ebx
		and	ebx, esi
		jnz	short loc_61FCCB
		and	dword ptr [eax], 0
		xor	al, al
		jmp	short loc_61FCFD
; 

loc_61FCCB:				; CODE XREF: KeCpuSetQueryUnparkRecommendation(x,x,x)+34j
		mov	[eax], ebx
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		movzx	ecx, bl
		add	dl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, ebx
		shr	eax, 8
		mov	al, ds:_RtlpBitsClearTotal[eax]
		add	al, ds:_RtlpBitsClearTotal[ecx]
		add	al, dl

loc_61FCFD:				; CODE XREF: KeCpuSetQueryUnparkRecommendation(x,x,x)+3Bj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_KeCpuSetQueryUnparkRecommendation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryCpuSetsProcess(x, x,	x, x)
_KeQueryCpuSetsProcess@16 proc near	; CODE XREF: PAGE:0083ED0Dp

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		cmp	[ebp+arg_4], eax
		push	ebx
		setz	al
		push	esi
		mov	esi, ecx
		push	edi
		lea	eax, ds:428h[eax*4]
		mov	edi, edx
		add	eax, esi
		mov	[ebp+arg_4], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	esi, 34h
		mov	bl, al
		push	esi
		call	ExAcquireSpinLockSharedAtDpcLevel
		mov	eax, [ebp+arg_4]
		push	esi
		mov	ecx, [eax]
		and	dword ptr [edi+4], 0
		mov	[edi], ecx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		xor	eax, eax
		pop	esi
		inc	eax
		pop	ebx
		pop	ebp
		retn	8
_KeQueryCpuSetsProcess@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryCpuSetsThread(x, x, x)
_KeQueryCpuSetsThread@12 proc near	; CODE XREF: NtQueryInformationThread+F5917p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_8], 0
		lea	esi, [ebx+2Ch]
		mov	[ebp+var_1], al

loc_61FD76:				; CODE XREF: KeQueryCpuSetsThread(x,x,x)+33j
		lock bts dword ptr [esi], 0
		jnb	short loc_61FD8D

loc_61FD7D:				; CODE XREF: KeQueryCpuSetsThread(x,x,x)+31j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_61FD7D
		jmp	short loc_61FD76
; 

loc_61FD8D:				; CODE XREF: KeQueryCpuSetsThread(x,x,x)+23j
		mov	eax, [ebx+38Ch]
		and	dword ptr [edi+4], 0
		mov	cl, [ebp+var_1]
		mov	[edi], eax
		mov	dword ptr [esi], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		xor	eax, eax
		pop	esi
		inc	eax
		pop	ebx
		leave
		retn	4
_KeQueryCpuSetsThread@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRecomputeCpuSetAffinityProcess(x)
_KeRecomputeCpuSetAffinityProcess@4 proc near ;	CODE XREF: PAGE:007AA612p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	esi, [edi+34h]
		mov	bl, al
		push	esi
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_KiUpdateThreadCpuSetAffinitiesProcess@8 ; KiUpdateThreadCpuSetAffinitiesProcess(x,x)
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	esi, large fs:20h
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, bl
		mov	ecx, esi
		call	KiCheckForThreadDispatch
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KeRecomputeCpuSetAffinityProcess@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1298. KeSetSelectedCpuSetsThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetSelectedCpuSetsThread(x, x, x)
		public _KeSetSelectedCpuSetsThread@12
_KeSetSelectedCpuSetsThread@12 proc near ; CODE	XREF: NtSetInformationThread+1047B4p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	ecx, ebx
		call	_KiValidateCpuSetMasks@8 ; KiValidateCpuSetMasks(x,x)
		test	eax, eax
		js	loc_61FEFB
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		and	[ebp+arg_0], 0
		mov	esi, [edi+150h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_8+3],	al
		lea	eax, [esi+34h]
		push	eax
		mov	[ebp+var_C], eax
		call	ExAcquireSpinLockSharedAtDpcLevel
		and	[ebp+var_4], 0
		lea	esi, [edi+2Ch]

loc_61FE4F:				; CODE XREF: KeSetSelectedCpuSetsThread(x,x,x)+5Ej
		lock bts dword ptr [esi], 0
		jnb	short loc_61FE66

loc_61FE56:				; CODE XREF: KeSetSelectedCpuSetsThread(x,x,x)+5Cj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_61FE56
		jmp	short loc_61FE4F
; 

loc_61FE66:				; CODE XREF: KeSetSelectedCpuSetsThread(x,x,x)+4Ej
		cmp	[ebp+arg_4], 0
		mov	eax, [edi+16Ch]
		mov	[ebp+var_8], eax
		jnz	short loc_61FE79
		xor	eax, eax
		jmp	short loc_61FE7B
; 

loc_61FE79:				; CODE XREF: KeSetSelectedCpuSetsThread(x,x,x)+6Dj
		mov	eax, [ebx]

loc_61FE7B:				; CODE XREF: KeSetSelectedCpuSetsThread(x,x,x)+71j
		lea	edx, [ebp+arg_0]
		mov	[edi+38Ch], eax
		mov	ecx, edi
		call	_KiUpdateThreadCpuSets@8 ; KiUpdateThreadCpuSets(x,x)
		mov	esi, eax
		mov	eax, [edi+16Ch]
		mov	dword ptr [edi+2Ch], 0
		test	ds:dword_70EFD0, 8000000h
		jz	short loc_61FEB6
		push	eax
		push	[ebp+var_8]
		mov	edx, 546h
		mov	ecx, edi
		call	_EtwTraceIdealProcessor@16 ; EtwTraceIdealProcessor(x,x,x,x)

loc_61FEB6:				; CODE XREF: KeSetSelectedCpuSetsThread(x,x,x)+9Ej
		push	[ebp+var_C]
		call	ExReleaseSpinLockSharedFromDpcLevel
		test	esi, esi
		jz	short loc_61FEDC
		mov	al, large fs:51h
		mov	ecx, [esi+3CCh]
		movzx	eax, al
		cmp	eax, ecx
		jz	short loc_61FEDC
		mov	dl, 2
		call	_KiSendSoftwareInterrupt@8 ; KiSendSoftwareInterrupt(x,x)

loc_61FEDC:				; CODE XREF: KeSetSelectedCpuSetsThread(x,x,x)+BAj
					; KeSetSelectedCpuSetsThread(x,x,x)+CDj
		mov	esi, large fs:20h
		lea	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, byte ptr [ebp+arg_8+3]
		mov	ecx, esi
		call	KiCheckForThreadDispatch
		pop	edi
		xor	eax, eax
		pop	esi

loc_61FEFB:				; CODE XREF: KeSetSelectedCpuSetsThread(x,x,x)+18j
		pop	ebx
		leave
		retn	0Ch
_KeSetSelectedCpuSetsThread@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetTagCpuSets(x, x, x, x)
_KeSetTagCpuSets@16 proc near		; CODE XREF: PAGE:007B49EAp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_14], ebx
		mov	edx, ebx
		mov	[ebp+var_18], esi
		mov	ecx, esi
		call	_KiValidateCpuSetMasks@8 ; KiValidateCpuSetMasks(x,x)
		test	eax, eax
		js	loc_61FFDD
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _KiCpuSetLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, offset _KiCpuSetSequence
		call	RtlWriteAcquireTickLock
		xor	edi, edi
		mov	[ebp+var_8], edi
		test	ebx, ebx
		jz	short loc_61FF98

loc_61FF4C:				; CODE XREF: KeSetTagCpuSets(x,x,x,x)+96j
		mov	eax, [esi+edi*8]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_61FF90
		mov	edi, [ebp+arg_4]
		mov	ebx, eax

loc_61FF5B:				; CODE XREF: KeSetTagCpuSets(x,x,x,x)+85j
		bsf	esi, ebx
		xor	eax, eax
		xor	edx, edx
		inc	eax
		mov	[ebp+var_10], esi
		mov	ecx, esi
		call	__allshl
		shl	esi, 4
		not	eax
		add	esi, ds:_KiCpuSetData
		and	ebx, eax
		mov	eax, [ebp+arg_0]
		mov	[esi+8], eax
		mov	[esi+0Ch], edi
		test	ebx, ebx
		jnz	short loc_61FF5B
		mov	edi, [ebp+var_8]
		mov	ebx, [ebp+var_14]
		mov	esi, [ebp+var_18]

loc_61FF90:				; CODE XREF: KeSetTagCpuSets(x,x,x,x)+54j
		inc	edi
		mov	[ebp+var_8], edi
		cmp	edi, ebx
		jb	short loc_61FF4C

loc_61FF98:				; CODE XREF: KeSetTagCpuSets(x,x,x,x)+4Aj
		mov	eax, ds:_KiCpuSetSequence
		mov	ecx, offset _KiCpuSetLock
		mov	edx, ds:dword_70E6F4
		add	eax, 1
		mov	ds:_KiCpuSetSequence, eax
		adc	edx, 0
		test	ds:byte_70EFC6,	1
		mov	ds:dword_70E6F4, edx
		pop	edi
		jz	short loc_61FFCD
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_61FFD2
; 

loc_61FFCD:				; CODE XREF: KeSetTagCpuSets(x,x,x,x)+C1j
		xor	eax, eax
		lock and [ecx],	eax

loc_61FFD2:				; CODE XREF: KeSetTagCpuSets(x,x,x,x)+CBj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax

loc_61FFDD:				; CODE XREF: KeSetTagCpuSets(x,x,x,x)+1Fj
		pop	esi
		pop	ebx
		leave
		retn	8
_KeSetTagCpuSets@16 endp

; [00000005 BYTES: COLLAPSED FUNCTION KeValidateCpuSetMasks(x,x). PRESS	KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiComputeCpuSetAffinityMask(x, x, x, x)
_KiComputeCpuSetAffinityMask@16	proc near ; CODE XREF: KiIntSteerComputeCpuSet(x,x)+20p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_4], edi

loc_61FFFA:				; CODE XREF: KiComputeCpuSetAffinityMask(x,x,x,x)+60j
		mov	ecx, offset _KiCpuSetSequence

loc_61FFFF:				; DATA XREF: .text:0041BB10o
		call	_RtlBeginReadTickLock@4	; RtlBeginReadTickLock(x)

loc_620004:				; DATA XREF: .text:0042551Co
		mov	ebx, eax
		mov	eax, edx
		mov	[ebp+var_8], eax
		test	esi, esi
		jz	short loc_620013
		cmp	[edi], ebx
		jz	short loc_62004A

loc_620013:				; CODE XREF: KiComputeCpuSetAffinityMask(x,x,x,x)+25j
		mov	edx, [ebp+arg_4]
		xor	edi, edi
		test	edx, edx
		jz	short loc_620035

loc_62001C:				; CODE XREF: KiComputeCpuSetAffinityMask(x,x,x,x)+48j
		mov	eax, ds:_KiCpuSetAffinities
		and	[ebp+var_C], 0
		bsf	ecx, edx
		btr	edx, ecx
		or	edi, [eax+ecx*4]
		test	edx, edx
		jnz	short loc_62001C
		mov	eax, [ebp+var_8]

loc_620035:				; CODE XREF: KiComputeCpuSetAffinityMask(x,x,x,x)+32j
		push	eax
		push	ebx
		mov	ecx, offset _KiCpuSetSequence
		call	_RtlTryEndReadTickLock@12 ; RtlTryEndReadTickLock(x,x,x)
		test	eax, eax
		jnz	short loc_62004E
		mov	edi, [ebp+var_4]
		jmp	short loc_61FFFA
; 

loc_62004A:				; CODE XREF: KiComputeCpuSetAffinityMask(x,x,x,x)+29j
		mov	eax, [esi]
		jmp	short loc_62005B
; 

loc_62004E:				; CODE XREF: KiComputeCpuSetAffinityMask(x,x,x,x)+5Bj
		mov	eax, [ebp+var_4]
		mov	[eax], ebx
		test	esi, esi
		jz	short loc_620059
		mov	[esi], edi

loc_620059:				; CODE XREF: KiComputeCpuSetAffinityMask(x,x,x,x)+6Dj
		mov	eax, edi

loc_62005B:				; CODE XREF: KiComputeCpuSetAffinityMask(x,x,x,x)+64j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KiComputeCpuSetAffinityMask@16	endp


;  S U B	R O U T	I N E 


; __stdcall KiGetL2L3AssociativityAmd(x)
_KiGetL2L3AssociativityAmd@4 proc near	; CODE XREF: KiSetCacheInformationAmd(x)+FFp
					; KiSetCacheInformationAmd(x)+15Fp
		movzx	ecx, cl
		xor	eax, eax
		sub	ecx, eax

loc_620069:				; DATA XREF: .text:004284AAo
		jz	short locret_620091
		push	2
		pop	eax
		sub	ecx, eax
		jz	short locret_620091

loc_620072:				; DATA XREF: .text:004067B8o
		sub	ecx, eax
		jz	short loc_62008F
		sub	ecx, eax
		jz	short loc_62008C
		sub	ecx, eax
		jz	short loc_620089
		sub	ecx, 7
		jz	short loc_620086
		mov	al, 1
		retn
; 

loc_620086:				; CODE XREF: KiGetL2L3AssociativityAmd(x)+1Fj
		or	al, 0FFh
		retn
; 

loc_620089:				; CODE XREF: KiGetL2L3AssociativityAmd(x)+1Aj
		mov	al, 10h
		retn
; 

loc_62008C:				; CODE XREF: KiGetL2L3AssociativityAmd(x)+16j
		mov	al, 8
		retn
; 

loc_62008F:				; CODE XREF: KiGetL2L3AssociativityAmd(x)+12j
		mov	al, 4

locret_620091:				; CODE XREF: KiGetL2L3AssociativityAmd(x):loc_620069j
					; KiGetL2L3AssociativityAmd(x)+Ej
		retn
_KiGetL2L3AssociativityAmd@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiAddSpecCtrlSsbdBit(x)
_KiAddSpecCtrlSsbdBit@4	proc near	; CODE XREF: KeOptimizeSpecCtrlSettings(x)+523p
					; KeOptimizeSpecCtrlSettings(x)+577p ...
		cmp	ds:_KiSsbdMsr, 48h
		jnz	short locret_62009F
		or	word ptr [ecx],	4

locret_62009F:				; CODE XREF: KiAddSpecCtrlSsbdBit(x)+7j
		retn
_KiAddSpecCtrlSsbdBit@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiDetectAmdNonArchSsbdSupport(x, x)
_KiDetectAmdNonArchSsbdSupport@8 proc near ; CODE XREF:	KeOptimizeSpecCtrlSettings(x)+F5p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_20], ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		mov	edi, edx
		mov	eax, [edi]
		mov	ecx, [edi+4]
		mov	[ebp+var_18], eax
		and	eax, 80h
		or	eax, 0
		mov	[ebp+var_1C], ecx
		jnz	loc_6201AF
		mov	eax, 80000000h
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [ebp+var_14]
		mov	[ebx], eax
		mov	eax, 80000008h
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		cmp	[ebp+var_14], eax
		jb	short loc_620120
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [ebp+var_14]
		mov	[ebx], eax
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		xor	ebx, ebx
		mov	eax, [ebp+var_10]
		jmp	short loc_620124
; 

loc_620120:				; CODE XREF: KiDetectAmdNonArchSsbdSupport(x,x)+60j
		xor	ebx, ebx
		mov	eax, ebx

loc_620124:				; CODE XREF: KiDetectAmdNonArchSsbdSupport(x,x)+7Ej
		test	eax, 2000000h
		jz	short loc_62014A
		mov	eax, 0C001011Fh
		mov	[edi+8], eax
		mov	ds:_KiSsbdMsr, eax
		mov	eax, [ebp+var_18]
		or	eax, 80h
		mov	[edi], eax
		mov	eax, [ebp+var_1C]
		mov	[edi+4], eax
		jmp	short loc_6201AF
; 

loc_62014A:				; CODE XREF: KiDetectAmdNonArchSsbdSupport(x,x)+89j
		call	HviIsAnyHypervisorPresent
		test	al, al
		jnz	short loc_6201AF
		mov	eax, [ebp+var_20]
		movsx	eax, byte ptr [eax+14h]
		sub	eax, 15h
		jz	short loc_62017B
		sub	eax, 1
		jz	short loc_620176
		sub	eax, 1
		jnz	short loc_6201AF
		mov	ecx, 400h
		mov	[edi+14h], ebx
		mov	[edi+10h], ecx
		jmp	short loc_62018A
; 

loc_620176:				; CODE XREF: KiDetectAmdNonArchSsbdSupport(x,x)+C2j
		push	2
		pop	eax
		jmp	short loc_620180
; 

loc_62017B:				; CODE XREF: KiDetectAmdNonArchSsbdSupport(x,x)+BDj
		mov	eax, 400000h

loc_620180:				; CODE XREF: KiDetectAmdNonArchSsbdSupport(x,x)+D9j
		mov	[edi+10h], ebx
		mov	ecx, ebx
		mov	ebx, eax
		mov	[edi+14h], eax

loc_62018A:				; CODE XREF: KiDetectAmdNonArchSsbdSupport(x,x)+D4j
		mov	eax, [edi+4]
		or	dword ptr [edi], 80h
		mov	[edi+4], eax
		mov	eax, 0C0011020h
		mov	[edi+8], eax
		mov	ds:_KiSsbdMsr, eax
		mov	ds:_KiSsbdBit, ecx
		mov	ds:dword_6B3FCC, ebx

loc_6201AF:				; CODE XREF: KiDetectAmdNonArchSsbdSupport(x,x)+36j
					; KiDetectAmdNonArchSsbdSupport(x,x)+A8j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KiDetectAmdNonArchSsbdSupport@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiDetectAmdSsbdSupport(x, x)
_KiDetectAmdSsbdSupport@8 proc near	; CODE XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+1DBp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, 80h
		test	ecx, 1000000h
		jz	short loc_6201DB
		mov	eax, [edx+4]
		or	[edx], esi
		mov	[edx+4], eax

loc_6201DB:				; CODE XREF: KiDetectAmdSsbdSupport(x,x)+13j
		test	ecx, 4000000h
		mov	ecx, [edx]
		jz	short loc_6201F3
		mov	eax, [edx+4]
		or	ecx, 180h
		mov	[edx], ecx
		mov	[edx+4], eax

loc_6201F3:				; CODE XREF: KiDetectAmdSsbdSupport(x,x)+25j
		and	ecx, esi
		xor	eax, eax
		or	ecx, eax
		pop	esi
		jz	short locret_6201FE
		mov	al, 1

locret_6201FE:				; CODE XREF: KiDetectAmdSsbdSupport(x,x)+3Cj
		leave
		retn
_KiDetectAmdSsbdSupport@8 endp


;  S U B	R O U T	I N E 


; __stdcall KiSetNonArchSsbd()
_KiSetNonArchSsbd@0 proc near		; CODE XREF: KeOptimizeSpecCtrlSettings(x)+EFAp
		mov	ecx, ds:_KiSsbdMsr
		cmp	ecx, 48h
		jz	short locret_62021F
		push	esi
		rdmsr
		or	eax, ds:_KiSsbdBit
		or	edx, ds:dword_6B3FCC
		push	edi
		pop	edi
		wrmsr
		pop	esi

locret_62021F:				; CODE XREF: KiSetNonArchSsbd()+9j
		retn
_KiSetNonArchSsbd@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiUpdateSpecCtrlEnhancedIBRS(x, x)
_KiUpdateSpecCtrlEnhancedIBRS@8	proc near ; CODE XREF: KiUpdateSpeculationControl(x)+F1p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		lea	edi, [ebp+var_20]
		mov	edx, ecx
		mov	esi, offset _KiSpeculationFeatures
		push	6
		pop	ecx
		rep movsd
		mov	esi, [edx+21B0h]
		mov	eax, esi
		mov	ecx, [edx+21B4h]
		or	eax, ecx
		jz	short loc_62028D
		cmp	esi, [ebx+4A0h]
		jnz	short loc_62025E
		cmp	ecx, [ebx+4A4h]
		jz	short loc_62028D

loc_62025E:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+34j
		mov	ecx, [ebp+var_20]
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_62028D
		mov	al, [edx+21B8h]
		and	ecx, 8
		or	al, 4
		or	ecx, 0
		mov	[edx+21B8h], al
		jnz	short loc_620294
		or	al, 10h
		mov	[edx+21B8h], al
		jmp	short loc_620294
; 

loc_62028D:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+2Cj
					; KiUpdateSpecCtrlEnhancedIBRS(x,x)+3Cj ...
		and	byte ptr [edx+21B8h], 0EBh

loc_620294:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+61j
					; KiUpdateSpecCtrlEnhancedIBRS(x,x)+6Bj
		mov	ax, [edx+21BAh]
		xor	ecx, ecx
		inc	ecx
		or	ax, cx
		mov	[edx+21BCh], cx
		mov	[edx+21C0h], cx
		mov	edi, [ebx+4A0h]
		movzx	esi, ax
		mov	eax, [ebx+4A4h]
		mov	[ebp+var_4], eax
		mov	eax, [ebx+3A8h]
		test	eax, 400000h
		jnz	short loc_6202D5
		xor	eax, eax
		mov	edi, ecx
		mov	[ebp+var_4], eax

loc_6202D5:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+ACj
		mov	ecx, [ebp+var_1C]
		xor	eax, eax
		and	ecx, 40h
		or	eax, ecx
		mov	eax, 80h
		jz	short loc_62034B
		cmp	ds:_KiSsbdMsr, 48h
		jnz	short loc_62034B
		push	4
		pop	eax
		or	[edx+21BCh], ax
		or	[edx+21C0h], ax
		or	esi, eax

loc_620302:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+134j
		mov	ecx, [ebp+var_4]

loc_620305:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+155j
					; KiUpdateSpecCtrlEnhancedIBRS(x,x)+15Ej
		mov	eax, [ebp+var_1C]
		and	eax, 400000h
		mov	[ebp+var_4], eax
		xor	eax, eax
		or	eax, [ebp+var_4]
		jz	short loc_620333
		mov	eax, 400h
		or	[edx+21BCh], ax
		or	[edx+21C0h], ax
		or	[edx+21BEh], ax
		or	esi, eax

loc_620333:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+F5j
		mov	eax, edi
		or	eax, ecx
		jz	short loc_620380
		test	byte ptr [edx+21B9h], 18h
		jz	short loc_620380
		or	byte ptr [edx+21B8h], 80h
		jmp	short loc_620387
; 

loc_62034B:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+C4j
					; KiUpdateSpecCtrlEnhancedIBRS(x,x)+CDj
		mov	ecx, [ebp+var_1C]
		and	ecx, eax
		xor	eax, eax
		or	eax, ecx
		jz	short loc_620302
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		or	eax, ecx
		push	4
		pop	eax
		jz	short loc_62036B
		or	[edx+21BCh], ax
		or	esi, eax

loc_62036B:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+140j
		test	dword ptr [ebx+494h], 2000h
		jz	short loc_620305
		or	[edx+21C0h], ax
		jmp	short loc_620305
; 

loc_620380:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+117j
					; KiUpdateSpecCtrlEnhancedIBRS(x,x)+120j
		and	byte ptr [edx+21B8h], 7Fh

loc_620387:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+129j
		or	edi, ecx
		mov	ecx, [ebp+var_20]
		jnz	short loc_6203C4
		mov	eax, ecx
		and	eax, 800h
		or	eax, 0
		jz	short loc_6203C4
		test	dword ptr [ebx+3A8h], 1000h
		jz	short loc_6203AF
		test	byte ptr [edx+21BAh], 1
		jnz	short loc_6203C4

loc_6203AF:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+184j
		mov	eax, 0FFFEh
		and	[edx+21BCh], ax
		and	esi, eax
		and	[edx+21C0h], ax

loc_6203C4:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+16Cj
					; KiUpdateSpecCtrlEnhancedIBRS(x,x)+178j ...
		and	ecx, 2000h
		or	ecx, 0
		jz	short loc_6203DB
		mov	eax, 80h
		or	[edx+21BCh], ax

loc_6203DB:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+1ADj
		cmp	si, [edx+21BAh]
		jz	short loc_6203F4
		mov	[edx+21BAh], si
		movzx	eax, si
		push	48h
		cdq
		pop	ecx
		wrmsr

loc_6203F4:				; CODE XREF: KiUpdateSpecCtrlEnhancedIBRS(x,x)+1C2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiUpdateSpecCtrlEnhancedIBRS@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAbCrossThreadDelete(x, x)
_KeAbCrossThreadDelete@8 proc near	; CODE XREF: .text:005D0F55p

var_6A		= byte ptr -6Ah
var_69		= byte ptr -69h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		push	ebx
		push	esi
		push	edi
		push	7
		xor	eax, eax
		mov	[esp+7Ch+var_5C], edx
		mov	edx, ecx
		mov	[esp+7Ch+var_54], eax
		pop	ecx
		lea	edi, [esp+78h+var_3C]
		mov	[esp+78h+var_50], edx
		rep stosd
		push	8
		pop	ecx
		lea	edi, [esp+78h+var_20]
		mov	[esp+78h+var_64], eax
		rep stosd
		mov	edi, [esp+78h+var_5C]
		mov	ecx, edi
		mov	[esp+78h+var_60], eax
		call	_KeAbThreadAreAllEntriesFree@4 ; KeAbThreadAreAllEntriesFree(x)
		test	eax, eax
		jnz	loc_62068B
		mov	eax, edx
		mov	ecx, edx
		and	eax, 7FFFFFFCh
		mov	[esp+78h+var_68], eax
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jz	short loc_620472
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esp+78h+var_58], eax
		jmp	short loc_620477
; 

loc_620472:				; CODE XREF: KeAbCrossThreadDelete(x,x)+5Fj
		or	[esp+78h+var_58], 0FFFFFFFFh

loc_620477:				; CODE XREF: KeAbCrossThreadDelete(x,x)+77j
		mov	al, [edi+1E4h]
		movsx	ecx, al
		mov	al, [edi+222h]
		movsx	eax, al
		or	eax, ecx
		xor	eax, 3Fh
		bsr	edx, eax
		mov	[esp+78h+var_54], edx
		jz	loc_62068B
		mov	ecx, [esp+78h+var_68]

loc_62049F:				; CODE XREF: KeAbCrossThreadDelete(x,x)+106j
		imul	esi, edx, 30h
		btr	eax, edx
		mov	[esp+78h+var_48], eax
		add	esi, [edi+1E8h]
		lea	eax, [esi+10h]
		mov	[esp+78h+var_4C], eax
		mov	eax, [eax]
		and	eax, 7FFFFFFCh
		cmp	eax, ecx
		jnz	short loc_6204F4
		xor	eax, eax
		xor	edx, edx
		nop
		mov	edi, [esp+78h+var_4C]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		test	byte ptr [esi+0Eh], 1
		mov	edi, [esp+78h+var_5C]
		jz	short loc_6204F0
		mov	ecx, eax
		and	ecx, 7FFFFFFCh
		cmp	ecx, [esp+78h+var_68]
		jnz	short loc_6204F0
		cmp	edx, [esp+78h+var_58]
		jz	short loc_620506

loc_6204F0:				; CODE XREF: KeAbCrossThreadDelete(x,x)+E1j
					; KeAbCrossThreadDelete(x,x)+EFj
		mov	ecx, [esp+78h+var_68]

loc_6204F4:				; CODE XREF: KeAbCrossThreadDelete(x,x)+C6j
		mov	eax, [esp+78h+var_48]
		bsr	edx, eax
		mov	[esp+78h+var_54], edx
		jnz	short loc_62049F
		jmp	loc_62068B
; 

loc_620506:				; CODE XREF: KeAbCrossThreadDelete(x,x)+F5j
		test	eax, eax
		js	loc_620669
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[esp+78h+var_44], 0
		lea	ecx, [edi+2Ch]
		mov	[esp+78h+var_69], al
		mov	edi, ecx

loc_620522:				; CODE XREF: KeAbCrossThreadDelete(x,x)+13Fj
		lock bts dword ptr [edi], 0
		jnb	short loc_62053A

loc_620529:				; CODE XREF: KeAbCrossThreadDelete(x,x)+13Dj
		lea	ecx, [esp+78h+var_44]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_620529
		jmp	short loc_620522
; 

loc_62053A:				; CODE XREF: KeAbCrossThreadDelete(x,x)+12Ej
		mov	edi, [esp+78h+var_5C]
		lea	eax, [esp+78h+var_60]
		push	eax
		lea	edx, [esp+7Ch+var_64]
		mov	ecx, edi
		call	KiAcquireThreadStateLock
		cmp	al, 2
		jnz	loc_6205F8
		mov	eax, [edi+148h]
		mov	[esp+78h+var_48], eax
		mov	eax, [esp+78h+var_64]
		test	eax, eax
		jz	short loc_620572
		xor	ecx, ecx
		add	eax, 2224h
		lock and [eax],	ecx

loc_620572:				; CODE XREF: KeAbCrossThreadDelete(x,x)+16Dj
		mov	eax, [esp+78h+var_60]
		test	eax, eax
		jz	short loc_62057F
		xor	ecx, ecx
		lock and [eax],	ecx

loc_62057F:				; CODE XREF: KeAbCrossThreadDelete(x,x)+17Fj
		mov	cl, [esp+78h+var_69]
		mov	dword ptr [edi+2Ch], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+78h+var_50]
		push	0
		mov	[esp+7Ch+var_2C], eax
		lea	eax, [esp+7Ch+var_3C]
		push	1
		push	eax
		mov	[esp+84h+var_28], esi
		mov	[esp+84h+var_24], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+78h+var_3C]
		push	eax
		push	offset _KeAbCrossThreadDeleteDpcRoutine@16 ; KeAbCrossThreadDeleteDpcRoutine(x,x,x,x)
		lea	eax, [esp+80h+var_20]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	eax, [esp+78h+var_4]
		test	eax, eax
		jnz	short loc_6205D6
		mov	eax, [esp+78h+var_48]
		add	eax, 20h
		mov	word ptr [esp+78h+var_20+2], ax

loc_6205D6:				; CODE XREF: KeAbCrossThreadDelete(x,x)+1CFj
		xor	eax, eax
		lea	ecx, [esp+78h+var_20]
		push	eax
		push	eax
		push	eax
		xor	edx, edx
		call	KiInsertQueueDpc
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+88h+var_3C]
		push	eax
		call	KeWaitForSingleObject
		jmp	short loc_620671
; 

loc_6205F8:				; CODE XREF: KeAbCrossThreadDelete(x,x)+157j
		mov	al, [edi+55h]
		test	al, al
		mov	eax, [esp+78h+var_64]
		jnz	short loc_620631
		test	eax, eax
		jz	short loc_620611
		xor	ecx, ecx
		add	eax, 2224h
		lock and [eax],	ecx

loc_620611:				; CODE XREF: KeAbCrossThreadDelete(x,x)+20Cj
		mov	eax, [esp+78h+var_60]
		test	eax, eax
		jz	short loc_62061E
		xor	ecx, ecx
		lock and [eax],	ecx

loc_62061E:				; CODE XREF: KeAbCrossThreadDelete(x,x)+21Ej
		mov	cl, [esp+78h+var_69]
		mov	dword ptr [edi+2Ch], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_620669
; 

loc_620631:				; CODE XREF: KeAbCrossThreadDelete(x,x)+208j
		test	eax, eax
		jz	short loc_62063F
		xor	ecx, ecx
		add	eax, 2224h
		lock and [eax],	ecx

loc_62063F:				; CODE XREF: KeAbCrossThreadDelete(x,x)+23Aj
		mov	eax, [esp+78h+var_60]
		test	eax, eax
		jz	short loc_62064C
		xor	ecx, ecx
		lock and [eax],	ecx

loc_62064C:				; CODE XREF: KeAbCrossThreadDelete(x,x)+24Cj
		mov	cl, [esp+78h+var_69]
		mov	dword ptr [edi+2Ch], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	offset _KeAbCrossThreadDeleteNopDpcRoutine@16 ;	KeAbCrossThreadDeleteNopDpcRoutine(x,x,x,x)
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)

loc_620669:				; CODE XREF: KeAbCrossThreadDelete(x,x)+10Fj
					; KeAbCrossThreadDelete(x,x)+236j
		mov	al, [esi+10h]
		or	al, 1
		mov	[esi+10h], al

loc_620671:				; CODE XREF: KeAbCrossThreadDelete(x,x)+1FDj
		and	[esp+78h+var_40], 0
		lea	eax, [esp+78h+var_40]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [esp+78h+var_50]
		mov	edx, esi
		push	edi
		call	_KiAbCrossThreadRelease@12 ; KiAbCrossThreadRelease(x,x,x)

loc_62068B:				; CODE XREF: KeAbCrossThreadDelete(x,x)+45j
					; KeAbCrossThreadDelete(x,x)+9Cj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_KeAbCrossThreadDelete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAbCrossThreadDeleteDpcRoutine(x, x, x, x)
_KeAbCrossThreadDeleteDpcRoutine@16 proc near ;	DATA XREF: KeAbCrossThreadDelete(x,x)+1BAo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ecx, [esi+14h]
		cmp	eax, [esi+18h]
		jnz	short loc_6206B2
		mov	edx, ecx
		call	_KeAbMarkCrossThreadReleasable@8 ; KeAbMarkCrossThreadReleasable(x,x)
		jmp	short loc_6206BA
; 

loc_6206B2:				; CODE XREF: KeAbCrossThreadDeleteDpcRoutine(x,x,x,x)+15j
		mov	al, [ecx+10h]
		or	al, 1
		mov	[ecx+10h], al

loc_6206BA:				; CODE XREF: KeAbCrossThreadDeleteDpcRoutine(x,x,x,x)+1Ej
		push	0
		push	0
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	esi
		pop	ebp
		retn	10h
_KeAbCrossThreadDeleteDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAbCrossThreadRelease(x, x, x)
_KeAbCrossThreadRelease@12 proc	near	; CODE XREF: ExpReleaseDisownedFastResourceExclusive(x,x)+F2p
					; ExpReleaseDisownedFastResourceShared(x,x)+F2p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	dl, 1
		jz	short loc_6206E5
		shr	edx, 1
		movzx	eax, dl
		imul	edx, eax, 30h
		add	edx, [esi+1E8h]

loc_6206E5:				; CODE XREF: KeAbCrossThreadRelease(x,x,x)+Cj
		push	esi
		call	_KiAbCrossThreadRelease@12 ; KiAbCrossThreadRelease(x,x,x)
		pop	esi
		pop	ebp
		retn	4
_KeAbCrossThreadRelease@12 endp


;  S U B	R O U T	I N E 


; __stdcall KeAbEncodeLockHandle(x)
_KeAbEncodeLockHandle@4	proc near	; CODE XREF: KeWaitForMultipleObjects+128CC7p
					; KiWaitForAllObjects+D80BEp ...
		movzx	eax, byte ptr [ecx+0Ch]
		push	3Dh
		pop	edx
		sub	edx, eax
		push	30h
		sub	ecx, [ecx+edx*8]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		add	al, al
		or	al, 1
		retn
_KeAbEncodeLockHandle@4	endp


;  S U B	R O U T	I N E 


; __stdcall KeAbMarkCrossThreadReleasable(x, x)
_KeAbMarkCrossThreadReleasable@8 proc near
					; CODE XREF: KeAbCrossThreadDeleteDpcRoutine(x,x,x,x)+19p
					; .text:0068871Ep
		mov	edi, edi
		push	ebx
		mov	ebx, edx
		test	bl, 1
		jz	short loc_620728
		mov	ecx, large fs:124h
		shr	ebx, 1
		movzx	eax, bl
		imul	ebx, eax, 30h
		add	ebx, [ecx+1E8h]

loc_620728:				; CODE XREF: KeAbMarkCrossThreadReleasable(x,x)+8j
		cmp	dword ptr [ebx+10h], 0
		jl	short loc_620735
		mov	ecx, ebx
		call	_KiAbForceProcessLockEntry@4 ; KiAbForceProcessLockEntry(x)

loc_620735:				; CODE XREF: KeAbMarkCrossThreadReleasable(x,x)+23j
		mov	al, [ebx+10h]
		or	al, 1
		mov	[ebx+10h], al
		pop	ebx
		retn
_KeAbMarkCrossThreadReleasable@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAbCrossThreadRelease(x, x, x)
_KiAbCrossThreadRelease@12 proc	near	; CODE XREF: KeAbCrossThreadDelete(x,x)+28Dp
					; KeAbCrossThreadRelease(x,x,x)+1Dp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		mov	ecx, ebx
		call	KiAbEntryRemoveFromTree
		mov	esi, [ebx+2Ch]
		mov	edx, edi
		and	byte ptr [ebx+0Eh], 0FEh
		mov	eax, esi
		and	eax, 1FFFFh
		and	esi, 0FFFE0000h
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		mov	[ebx+2Ch], esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	eax
		call	KiAbThreadRemoveBoosts
		mov	dword ptr [ebx+10h], 0
		sub	ebx, [esi+1E8h]
		add	esi, 222h
		mov	eax, ebx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		lock or	[esi], dl
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KiAbCrossThreadRelease@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAbForceProcessLockEntry(x)
_KiAbForceProcessLockEntry@4 proc near	; CODE XREF: KeAbMarkCrossThreadReleasable(x,x)+27p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_8], esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		lea	edi, [ebp+var_24]
		mov	eax, large fs:20h
		mov	ecx, ebx
		mov	[ebp+var_14], eax
		add	eax, 45E0h
		mov	[ebp+var_10], eax
		xor	eax, eax
		stosd
		mov	[ebp+var_C], esi
		mov	[ebp+var_18], esi
		stosd
		stosd
		lea	eax, [ebp+var_24]
		xor	edi, edi
		inc	edi
		push	eax
		mov	edx, edi
		call	KiAbEntryGetLockedHeadEntry
		mov	esi, eax
		test	esi, esi
		jz	loc_6208E6
		test	byte ptr [ebx+0Dh], 1
		jz	loc_6208A4
		cmp	ebx, esi
		jz	short loc_620814
		mov	edx, esi
		mov	ecx, ebx
		call	_KiAbEntryUpdateWaiterTreePosition@8 ; KiAbEntryUpdateWaiterTreePosition(x,x)

loc_620814:				; CODE XREF: KiAbForceProcessLockEntry(x)+60j
		lea	edx, [ebp+var_C]
		mov	ecx, esi
		call	_KiAbDetermineMinOwnerCpuPriority@8 ; KiAbDetermineMinOwnerCpuPriority(x,x)
		mov	edx, esi
		mov	ecx, ebx
		call	_KiAbTryIncrementIoWaiterCounts@8 ; KiAbTryIncrementIoWaiterCounts(x,x)
		mov	ecx, ebx
		mov	edi, eax
		call	_KiAbEntryGetCpuPriorityKey@4 ;	KiAbEntryGetCpuPriorityKey(x)
		mov	bl, al
		cmp	byte ptr [ebp+var_C], bl
		jl	short loc_620879
		test	edi, edi
		jnz	short loc_62087D
		test	ds:byte_70EFC6,	1
		jnz	short loc_6208AD
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_620867
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	loc_6208E6
		call	KxWaitForLockChainValid

loc_620867:				; CODE XREF: KiAbForceProcessLockEntry(x)+A0j
		xor	ecx, ecx
		mov	[ebp+var_24], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	short loc_6208E6
; 

loc_620879:				; CODE XREF: KiAbForceProcessLockEntry(x)+8Cj
		test	edi, edi
		jz	short loc_62088F

loc_62087D:				; CODE XREF: KiAbForceProcessLockEntry(x)+90j
		push	[ebp+var_10]
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	0
		push	eax
		mov	ecx, esi
		call	_KiAbIoBoostOwners@20 ;	KiAbIoBoostOwners(x,x,x,x,x)

loc_62088F:				; CODE XREF: KiAbForceProcessLockEntry(x)+D2j
		push	[ebp+var_10]
		lea	eax, [ebp+var_8]
		mov	dl, bl
		push	0
		push	eax
		mov	ecx, esi
		call	_KiAbCpuBoostOwners@20 ; KiAbCpuBoostOwners(x,x,x,x,x)
		xor	edi, edi
		inc	edi

loc_6208A4:				; CODE XREF: KiAbForceProcessLockEntry(x)+58j
		test	ds:byte_70EFC6,	1
		jz	short loc_6208BA

loc_6208AD:				; CODE XREF: KiAbForceProcessLockEntry(x)+99j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6208E6
; 

loc_6208BA:				; CODE XREF: KiAbForceProcessLockEntry(x)+102j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_6208D9
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	short loc_6208E6
		call	KxWaitForLockChainValid

loc_6208D9:				; CODE XREF: KiAbForceProcessLockEntry(x)+116j
		mov	[ebp+var_24], 0
		add	eax, 4
		lock xor [eax],	edi

loc_6208E6:				; CODE XREF: KiAbForceProcessLockEntry(x)+4Ej
					; KiAbForceProcessLockEntry(x)+B3j ...
		mov	ecx, [ebp+var_14]
		lea	edx, [ebp+var_8]
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, [ebp+var_14]
		call	KiCheckForThreadDispatch
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiAbForceProcessLockEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiDispatchPassiveInterrupts(x)
_KiDispatchPassiveInterrupts@4 proc near ; CODE	XREF: KiChainedDispatch()+12Dp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+2Ch]
		call	_IoProcessPassiveInterrupts@4 ;	IoProcessPassiveInterrupts(x)
		pop	ebp
		retn	4
_KiDispatchPassiveInterrupts@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiFindFirstPassiveInterruptObject(x)
_KiFindFirstPassiveInterruptObject@4 proc near
					; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+12Ap
		mov	eax, ecx

loc_620917:				; CODE XREF: KiFindFirstPassiveInterruptObject(x)+14j
		cmp	byte ptr [eax+31h], 0
		jz	short locret_620933
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_620931
		add	eax, 0FFFFFFFCh
		cmp	eax, ecx
		jnz	short loc_620917
		cmp	byte ptr [eax+31h], 0
		jz	short locret_620933

loc_620931:				; CODE XREF: KiFindFirstPassiveInterruptObject(x)+Dj
		xor	eax, eax

locret_620933:				; CODE XREF: KiFindFirstPassiveInterruptObject(x)+6j
					; KiFindFirstPassiveInterruptObject(x)+1Aj
		retn
_KiFindFirstPassiveInterruptObject@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiInsertInterruptObjectOrdered(x, x)
_KiInsertInterruptObjectOrdered@8 proc near ; CODE XREF: KiConnectInterruptInternal+82499p
					; KiConnectSecondaryInterrupt(x)+C8p
		cmp	byte ptr [edx+31h], 0
		push	esi
		jz	short loc_620989
		cmp	byte ptr [ecx+31h], 0
		jz	short loc_620989
		mov	eax, [ecx+8]
		lea	esi, [ecx+4]
		cmp	byte ptr [eax+2Dh], 0
		jz	short loc_620963
		mov	ecx, [esi+4]
		lea	eax, [edx+4]
		cmp	[ecx], esi
		jnz	short loc_62098E
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esi+4], eax
		pop	esi
		retn
; 

loc_620963:				; CODE XREF: KiInsertInterruptObjectOrdered(x,x)+17j
		mov	eax, esi

loc_620965:				; CODE XREF: KiInsertInterruptObjectOrdered(x,x)+3Dj
		cmp	byte ptr [eax+2Dh], 0
		mov	ecx, eax
		jz	short loc_620973
		mov	eax, [eax]
		cmp	eax, esi
		jnz	short loc_620965

loc_620973:				; CODE XREF: KiInsertInterruptObjectOrdered(x,x)+37j
					; KiInsertInterruptObjectOrdered(x,x)+58j
		lea	eax, [edx+4]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_62098E
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		pop	esi
		retn
; 

loc_620989:				; CODE XREF: KiInsertInterruptObjectOrdered(x,x)+5j
					; KiInsertInterruptObjectOrdered(x,x)+Bj
		add	ecx, 4
		jmp	short loc_620973
; 

loc_62098E:				; CODE XREF: KiInsertInterruptObjectOrdered(x,x)+21j
					; KiInsertInterruptObjectOrdered(x,x)+47j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_KiInsertInterruptObjectOrdered@8 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInterruptDispatchCommon(x, x, x, x, x)
_KiInterruptDispatchCommon@20 proc near	; CODE XREF: IopPassiveInterruptWorker(x)+96p
					; KeDispatchSecondaryInterrupt(x,x,x)+42p

var_50		= byte ptr -50h
var_4F		= byte ptr -4Fh
var_4E		= byte ptr -4Eh
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		push	edi
		mov	[esp+60h+var_40], edx
		mov	[esp+60h+var_4C], ecx
		mov	[esp+60h+var_38], esi
		mov	[esp+60h+var_28], eax
		mov	[esp+60h+var_24], ebx
		mov	[esp+60h+var_20], ebx
		mov	[esp+60h+var_44], ebx
		mov	[esp+60h+var_3C], ebx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[esp+60h+var_4D], al
		lea	edi, [esp+60h+var_10]
		xor	eax, eax
		mov	[esp+60h+var_4F], bl
		stosd
		mov	[esp+60h+var_34], ebx
		stosd
		stosd
		test	esi, esi
		jnz	short loc_6209FB
		lea	esi, [esp+60h+var_24]
		mov	[esp+60h+var_38], esi

loc_6209FB:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+5Ej
		mov	[esi+4], esi
		mov	[esi], esi
		cmp	[esp+60h+var_4C], ebx
		jnz	short loc_620A62
		lea	eax, [esp+60h+var_44]
		mov	[esp+60h+var_48], ebx
		push	eax
		call	_KeGetCurrentProcessorNumberEx@4 ; KeGetCurrentProcessorNumberEx(x)
		movzx	ecx, byte ptr [esp+60h+var_44+2]
		lea	edi, [esp+60h+var_1C]
		xor	eax, eax
		xor	edx, edx
		stosd
		stosd
		stosd
		mov	ax, word ptr [esp+60h+var_44]
		mov	[esp+60h+var_18], ax
		xor	eax, eax
		inc	eax
		call	__allshl
		mov	[esp+60h+var_1C], eax
		lea	eax, [esp+60h+var_10]
		push	eax
		lea	eax, [esp+64h+var_1C]
		push	eax
		call	KeSetSystemGroupAffinityThread
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [esp+60h+var_40]
		mov	[esp+60h+var_50], al
		call	_KiGetInterruptObjectFromVector@4 ; KiGetInterruptObjectFromVector(x)
		mov	edi, eax
		jmp	short loc_620AA9
; 

loc_620A62:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+71j
		mov	eax, [esp+60h+var_40]
		mov	cl, 1Ah
		add	eax, 0FFFFFF00h
		imul	edi, eax, 1Ch
		add	edi, ds:_KiGlobalSecondaryIDT
		mov	[esp+60h+var_48], edi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, edi
		mov	[esp+60h+var_50], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [esp+60h+var_40]
		mov	edi, ebx
		add	eax, 0FFFFFF00h
		cmp	eax, 100h
		jnb	short loc_620AA9
		imul	eax, 1Ch
		add	eax, ds:_KiGlobalSecondaryIDT
		mov	edi, [eax+18h]

loc_620AA9:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+CDj
					; KiInterruptDispatchCommon(x,x,x,x,x)+108j
		test	edi, edi
		jz	loc_620C22
		inc	word ptr [edi+3Ah]
		test	[ebp+arg_0], 1
		jz	short loc_620AC6
		mov	ecx, edi
		call	_KiFindFirstPassiveInterruptObject@4 ; KiFindFirstPassiveInterruptObject(x)
		mov	esi, eax
		jmp	short loc_620AC8
; 

loc_620AC6:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+126j
		mov	esi, edi

loc_620AC8:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+131j
		mov	eax, 0FFFFh
		test	esi, esi
		jz	loc_620C0E
		mov	eax, [edi+40h]
		mov	[esp+60h+var_2C], eax

loc_620ADC:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+252j
		mov	dl, bl
		mov	ecx, ebx
		mov	[esp+60h+var_4E], dl

loc_620AE4:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+22Cj
					; KiInterruptDispatchCommon(x,x,x,x,x)+23Fj
		cmp	[esp+60h+var_4D], 2
		jbe	short loc_620AF4
		cmp	[esi+31h], bl
		jz	loc_620BEA

loc_620AF4:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+156j
		mov	eax, [esi+3Ch]
		test	al, 1
		jnz	loc_620BA9
		inc	ecx
		inc	word ptr [esi+3Ah]
		mov	[esp+60h+var_30], ecx
		cmp	[esp+60h+var_4C], ebx
		jz	short loc_620B2E
		test	ds:byte_70EFC6,	1
		jz	short loc_620B25
		mov	edx, [ebp+4]
		mov	ecx, [esp+60h+var_48]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_620B2E
; 

loc_620B25:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+182j
		mov	eax, [esp+60h+var_48]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_620B2E:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+179j
					; KiInterruptDispatchCommon(x,x,x,x,x)+190j
		mov	cl, [esp+60h+var_50]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	[esp+60h+var_40]
		mov	dl, [esp+64h+var_50]
		mov	ecx, esi
		call	_KiInvokeInterruptServiceRoutine@12 ; KiInvokeInterruptServiceRoutine(x,x,x)
		mov	[esp+60h+var_4F], al
		mov	[esp+60h+var_3C], 2
		cmp	[esp+60h+var_4C], ebx
		jnz	short loc_620B67
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+60h+var_50], al
		jmp	short loc_620B7C
; 

loc_620B67:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+1C4j
		mov	cl, 1Ah
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [esp+60h+var_48]
		mov	[esp+60h+var_50], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_620B7C:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+1D2j
		mov	eax, [esi+4]
		mov	edx, esi
		push	[esp+60h+var_38]
		mov	ecx, [esp+64h+var_4C]
		mov	[esp+64h+var_44], eax
		mov	eax, 0FFFFh
		add	[esi+3Ah], ax
		call	_KiProcessPendingDisconnect@12 ; KiProcessPendingDisconnect(x,x,x)
		mov	eax, [esp+60h+var_44]
		mov	ecx, [esp+60h+var_30]
		mov	dl, [esp+60h+var_4E]
		jmp	short loc_620BAC
; 

loc_620BA9:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+166j
		mov	eax, [esi+4]

loc_620BAC:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+214j
		lea	esi, [eax-4]
		cmp	[esp+60h+var_2C], ebx
		jnz	short loc_620BC4
		cmp	[esp+60h+var_4F], bl
		jnz	short loc_620C09
		cmp	esi, edi
		jz	short loc_620C09
		jmp	loc_620AE4
; 

loc_620BC4:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+220j
		cmp	[esp+60h+var_4F], bl
		jz	short loc_620BD0
		mov	dl, 1
		mov	[esp+60h+var_4E], dl

loc_620BD0:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+235j
		cmp	esi, edi
		jnz	loc_620AE4
		test	dl, dl
		jz	short loc_620C04
		cmp	ecx, 1
		jbe	short loc_620C04
		mov	[esp+60h+var_4F], bl
		jmp	loc_620ADC
; 

loc_620BEA:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+15Bj
		cmp	[esp+60h+var_3C], 2
		mov	bl, 1
		jz	short loc_620BFB
		mov	[esp+60h+var_3C], 1

loc_620BFB:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+25Ej
		mov	eax, [esi+2Ch]
		mov	[esp+60h+var_34], eax
		jmp	short loc_620C09
; 

loc_620C04:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+247j
					; KiInterruptDispatchCommon(x,x,x,x,x)+24Cj
		mov	[esp+60h+var_4F], 1

loc_620C09:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+226j
					; KiInterruptDispatchCommon(x,x,x,x,x)+22Aj ...
		mov	eax, 0FFFFh

loc_620C0E:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+13Cj
		mov	esi, [esp+60h+var_38]
		mov	edx, edi
		mov	ecx, [esp+60h+var_4C]
		add	[edi+3Ah], ax
		push	esi
		call	_KiProcessPendingDisconnect@12 ; KiProcessPendingDisconnect(x,x,x)

loc_620C22:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+118j
		cmp	[esp+60h+var_4C], 0
		jnz	short loc_620C3F
		mov	cl, [esp+60h+var_50]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [esp+60h+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		jmp	short loc_620C69
; 

loc_620C3F:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+294j
		test	ds:byte_70EFC6,	1
		jz	short loc_620C56
		mov	edx, [ebp+4]
		mov	ecx, [esp+60h+var_48]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_620C5F
; 

loc_620C56:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+2B3j
		mov	eax, [esp+60h+var_48]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_620C5F:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+2C1j
		mov	cl, [esp+60h+var_50]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_620C69:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+2AAj
		test	bl, bl
		jz	short loc_620C76
		mov	ecx, [esp+60h+var_34]
		call	_IoProcessPassiveInterrupts@4 ;	IoProcessPassiveInterrupts(x)

loc_620C76:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+2D8j
		cmp	[esp+60h+var_4D], 2
		jnb	short loc_620C84
		mov	ecx, esi
		call	_KiProcessDisconnectList@4 ; KiProcessDisconnectList(x)

loc_620C84:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+2E8j
		mov	ecx, [esp+60h+var_28]
		test	ecx, ecx
		jz	short loc_620C92
		mov	eax, [esp+60h+var_3C]
		mov	[ecx], eax

loc_620C92:				; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+2F7j
		mov	ecx, [esp+60h+var_4]
		mov	al, [esp+60h+var_4F]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_KiInterruptDispatchCommon@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInvokeInterruptServiceRoutine(x, x, x)
_KiInvokeInterruptServiceRoutine@12 proc near
					; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+1AFp

var_94		= dword	ptr -94h
var_74		= dword	ptr -74h
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= byte ptr -30h
var_2F		= byte ptr -2Fh
var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_30], dl
		push	8
		xor	eax, eax
		mov	[ebp+var_34], 1
		pop	ecx
		lea	edi, [ebp+var_2C]
		mov	bh, [esi+31h]
		rep stosd
		lea	edi, [ebp+var_48]
		mov	[ebp+var_2E], bh
		stosd
		push	8
		pop	ecx
		push	0Ah
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_94]
		rep stosd
		pop	ecx
		lea	edi, [ebp+var_74]
		rep stosd
		xor	ecx, ecx
		mov	[ebp+var_2F], cl
		mov	bl, cl
		test	bh, bh
		jz	short loc_620D30
		cmp	dl, bh
		jz	short loc_620D17
		mov	cl, bh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_30], al
		xor	ecx, ecx

loc_620D17:				; CODE XREF: KiInvokeInterruptServiceRoutine(x,x,x)+5Ej
		mov	eax, [esi+24h]
		cmp	eax, 0FFFFFFFDh
		jz	short loc_620D28
		cmp	eax, 0FFFFFFFFh
		jnz	loc_620DC9

loc_620D28:				; CODE XREF: KiInvokeInterruptServiceRoutine(x,x,x)+73j
		mov	byte ptr [ebp+var_34], cl
		jmp	loc_620DC9
; 

loc_620D30:				; CODE XREF: KiInvokeInterruptServiceRoutine(x,x,x)+5Aj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	dword ptr [esi+50h]
		call	KeWaitForSingleObject
		mov	ebx, dword ptr ds:byte_70EFC4
		shr	ebx, 0Eh
		and	bl, 1
		cmp	ds:_KdDebuggerEnabled, 0
		mov	[ebp+var_2D], bl
		jz	short loc_620DC3
		xor	edi, edi
		cmp	ds:_KiPassiveWatchdogTimeout, edi
		jz	short loc_620DBE
		push	edi
		push	1
		lea	eax, [ebp+var_48]
		mov	[ebp+var_38], esi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		lea	eax, [ebp+var_74]
		push	eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		lea	eax, [ebp+var_48]
		push	eax
		push	offset _KiPassiveIsrWatchdog@16	; KiPassiveIsrWatchdog(x,x,x,x)
		lea	eax, [ebp+var_94]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	eax, ds:_KiPassiveWatchdogTimeout
		mov	ecx, 0FF676980h
		imul	ecx
		lea	ecx, [ebp+var_74]
		push	edx
		push	eax
		lea	eax, [ebp+var_94]
		xor	edx, edx
		push	eax
		push	edi
		call	KiSetTimerEx
		mov	[ebp+var_2F], 1

loc_620DBE:				; CODE XREF: KiInvokeInterruptServiceRoutine(x,x,x)+C0j
		mov	bh, [ebp+var_2E]
		jmp	short loc_620DCB
; 

loc_620DC3:				; CODE XREF: KiInvokeInterruptServiceRoutine(x,x,x)+B6j
		mov	bl, [ebp+var_2D]
		mov	bh, [ebp+var_2E]

loc_620DC9:				; CODE XREF: KiInvokeInterruptServiceRoutine(x,x,x)+78j
					; KiInvokeInterruptServiceRoutine(x,x,x)+81j
		xor	edi, edi

loc_620DCB:				; CODE XREF: KiInvokeInterruptServiceRoutine(x,x,x)+117j
		mov	eax, large fs:124h
		mov	[esi+5Ch], eax
		test	bl, bl
		jz	short loc_620DE6
		push	edi
		mov	edx, 20004000h
		lea	ecx, [ebp+var_2C]
		call	EtwGetKernelTraceTimestampSilo

loc_620DE6:				; CODE XREF: KiInvokeInterruptServiceRoutine(x,x,x)+12Cj
		mov	dl, byte ptr [ebp+var_34]
		mov	ecx, esi
		call	KiCallInterruptServiceRoutine
		mov	[ebp+var_2E], al
		test	bl, bl
		jz	short loc_620E0D
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_2C]
		push	ecx
		movzx	ecx, al
		shl	edx, 8
		or	edx, ecx
		mov	ecx, esi
		call	PerfInfoLogInterrupt

loc_620E0D:				; CODE XREF: KiInvokeInterruptServiceRoutine(x,x,x)+14Bj
		cmp	[ebp+var_2F], 0
		jz	short loc_620E2D
		lea	eax, [ebp+var_74]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jnz	short loc_620E2D
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_48]
		push	eax
		call	KeWaitForSingleObject

loc_620E2D:				; CODE XREF: KiInvokeInterruptServiceRoutine(x,x,x)+167j
					; KiInvokeInterruptServiceRoutine(x,x,x)+174j
		mov	[esi+5Ch], edi
		test	bh, bh
		jz	short loc_620E45
		mov	al, [ebp+var_30]
		cmp	al, bh
		jz	short loc_620E5B
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_620E5B
; 

loc_620E45:				; CODE XREF: KiInvokeInterruptServiceRoutine(x,x,x)+188j
		push	edi
		push	edi
		push	dword ptr [esi+50h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_620E5B:				; CODE XREF: KiInvokeInterruptServiceRoutine(x,x,x)+18Fj
					; KiInvokeInterruptServiceRoutine(x,x,x)+199j
		cmp	[ebp+var_2E], 1
		mov	ecx, [ebp+var_8]
		pop	edi
		setz	al
		xor	ecx, ebp
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_KiInvokeInterruptServiceRoutine@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiPassiveIsrWatchdog(x, x, x, x)
_KiPassiveIsrWatchdog@16 proc near	; DATA XREF: KiInvokeInterruptServiceRoutine(x,x,x)+DFo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		push	0
		push	0
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	dword ptr [esi+10h] ; char
		push	(offset	loc_5A4F15+1) ;	char *
		push	0		; int
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 10h
		int	3		; Trap to Debugger
		pop	esi
		pop	ebp
		retn	10h
_KiPassiveIsrWatchdog@16 endp


;  S U B	R O U T	I N E 


; __stdcall KiProcessDisconnectList(x)
_KiProcessDisconnectList@4 proc	near	; CODE XREF: KiProcessSecondarySignalList(x,x,x,x)+CFp
					; KiInterruptDispatchCommon(x,x,x,x,x)+2ECp
		mov	edi, edi
		push	esi
		mov	esi, ecx

loc_620EA5:				; CODE XREF: KiProcessDisconnectList(x)+23j
					; KiProcessDisconnectList(x)+2Fj
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_620ED6
		cmp	[eax+4], esi
		jnz	short loc_620ED1
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_620ED1
		mov	[esi], ecx
		mov	[ecx+4], esi
		mov	eax, [eax+54h]
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_620EA5
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_620EA5
; 

loc_620ED1:				; CODE XREF: KiProcessDisconnectList(x)+Ej
					; KiProcessDisconnectList(x)+15j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_620ED6:				; CODE XREF: KiProcessDisconnectList(x)+9j
		pop	esi
		retn
_KiProcessDisconnectList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiProcessPendingDisconnect(x, x, x)
_KiProcessPendingDisconnect@12 proc near
					; CODE XREF: KiInterruptDispatchCommon(x,x,x,x,x)+203p
					; KiInterruptDispatchCommon(x,x,x,x,x)+28Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		push	edi
		test	byte ptr [esi+3Ch], 2
		jz	short loc_620F26
		cmp	word ptr [esi+3Ah], 0
		jnz	short loc_620F26
		mov	edi, [esi+58h]
		test	ecx, ecx
		mov	ecx, esi
		mov	edx, [edi+4]
		jnz	short loc_620F02
		call	KiDisconnectInterruptInternal
		jmp	short loc_620F07
; 

loc_620F02:				; CODE XREF: KiProcessPendingDisconnect(x,x,x)+21j
		call	_KiDisconnectSecondaryInterruptInternal@8 ; KiDisconnectSecondaryInterruptInternal(x,x)

loc_620F07:				; CODE XREF: KiProcessPendingDisconnect(x,x,x)+28j
		mov	[edi+8], eax
		add	esi, 4
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jz	short loc_620F1C
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_620F1C:				; CODE XREF: KiProcessPendingDisconnect(x,x,x)+3Dj
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi

loc_620F26:				; CODE XREF: KiProcessPendingDisconnect(x,x,x)+Ej
					; KiProcessPendingDisconnect(x,x,x)+15j
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
_KiProcessPendingDisconnect@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSynchronizePassiveInterruptExecution(x, x, x)
_KiSynchronizePassiveInterruptExecution@12 proc	near
					; CODE XREF: KeSynchronizeExecution(x,x,x)+91p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		xor	edi, edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	dword ptr [esi+50h]
		call	KeWaitForSingleObject
		push	[ebp+arg_8]
		call	[ebp+arg_4]
		push	edi
		push	edi
		push	dword ptr [esi+50h]
		mov	bl, al
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	0Ch
_KiSynchronizePassiveInterruptExecution@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeGetAffinitizedInterruptsInfo(x)
_KeGetAffinitizedInterruptsInfo@4 proc near ; CODE XREF: PAGE:00781E0Bp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	10h
		push	offset dword_6A8700
		call	__SEH_prolog4
		mov	ebx, ecx
		xor	edx, edx
		mov	[ebp+ms_exc.disabled], edx
		mov	esi, offset _KiIntSteerAffinitizedInterrupts
		mov	edi, ebx
		movsd
		movsd
		movsd
		mov	ecx, [ebx+8]
		mov	eax, ds:_KiClockTimerOwner
		bts	ecx, eax
		mov	[ebx+8], ecx
		jmp	short loc_620FBE
; 

loc_620FA8:				; DATA XREF: .text:006A8714o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_620FB8:				; DATA XREF: .text:006A8718o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edx, [ebp+var_1C]

loc_620FBE:				; CODE XREF: KeGetAffinitizedInterruptsInfo(x)+2Bj
		mov	[ebp+var_20], edx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KeGetAffinitizedInterruptsInfo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeIntSteerAssignCpuSet(x, x, x)
_KeIntSteerAssignCpuSet@12 proc	near	; CODE XREF: PAGE:009658D6p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ecx+64h]
		push	edi
		mov	edi, edx
		test	esi, esi
		jnz	short loc_620FF1
		mov	esi, 0C00000BBh
		jmp	short loc_621059
; 

loc_620FF1:				; CODE XREF: KeIntSteerAssignCpuSet(x,x,x)+Ej
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _KiIntTrackSpinlock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	[ebp+arg_0], 0
		mov	eax, [esi+8]
		jz	short loc_62101D
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, eax
		call	_KiIntSteerAssignCpuSet@12 ; KiIntSteerAssignCpuSet(x,x,x)
		mov	esi, eax
		jmp	short loc_621033
; 

loc_62101D:				; CODE XREF: KeIntSteerAssignCpuSet(x,x,x)+31j
		xor	esi, esi
		cmp	[eax+70h], esi
		jz	short loc_621033
		xor	ecx, ecx
		mov	[eax+70h], esi
		mov	[eax+74h], cx
		mov	[eax+8Ch], esi

loc_621033:				; CODE XREF: KeIntSteerAssignCpuSet(x,x,x)+41j
					; KeIntSteerAssignCpuSet(x,x,x)+48j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _KiIntTrackSpinlock
		jz	short loc_62104B
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_621050
; 

loc_62104B:				; CODE XREF: KeIntSteerAssignCpuSet(x,x,x)+65j
		xor	eax, eax
		lock and [ecx],	eax

loc_621050:				; CODE XREF: KeIntSteerAssignCpuSet(x,x,x)+6Fj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx

loc_621059:				; CODE XREF: KeIntSteerAssignCpuSet(x,x,x)+15j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_KeIntSteerAssignCpuSet@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeIntSteerAssignCpuSetForGsiv(x, x,	x)
_KeIntSteerAssignCpuSetForGsiv@12 proc near ; CODE XREF: PAGE:007B494Dp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		lea	esi, [edi+1]
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000225h
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _KiIntTrackSpinlock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_KiIntTrackRootList
		cmp	ecx, offset _KiIntTrackRootList
		jz	short loc_6210D7
		xor	edx, edx

loc_62109E:				; CODE XREF: KeIntSteerAssignCpuSetForGsiv(x,x,x)+65j
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_6210B9
		cmp	[ecx+70h], edx
		jz	short loc_6210BE
		xor	eax, eax
		mov	[ecx+70h], edx
		mov	[ecx+74h], ax
		mov	[ecx+8Ch], edx
		jmp	short loc_6210BE
; 

loc_6210B9:				; CODE XREF: KeIntSteerAssignCpuSetForGsiv(x,x,x)+40j
		cmp	[ecx+10h], edi
		jz	short loc_6210CA

loc_6210BE:				; CODE XREF: KeIntSteerAssignCpuSetForGsiv(x,x,x)+45j
					; KeIntSteerAssignCpuSetForGsiv(x,x,x)+56j
		mov	ecx, [ecx]
		cmp	ecx, offset _KiIntTrackRootList
		jnz	short loc_62109E
		jmp	short loc_6210D7
; 

loc_6210CA:				; CODE XREF: KeIntSteerAssignCpuSetForGsiv(x,x,x)+5Bj
		push	[ebp+arg_0]
		mov	edx, [ebp+var_4]
		call	_KiIntSteerAssignCpuSet@12 ; KiIntSteerAssignCpuSet(x,x,x)
		mov	esi, eax

loc_6210D7:				; CODE XREF: KeIntSteerAssignCpuSetForGsiv(x,x,x)+39j
					; KeIntSteerAssignCpuSetForGsiv(x,x,x)+67j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _KiIntTrackSpinlock
		jz	short loc_6210EF
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6210F4
; 

loc_6210EF:				; CODE XREF: KeIntSteerAssignCpuSetForGsiv(x,x,x)+82j
		xor	eax, eax
		lock and [ecx],	eax

loc_6210F4:				; CODE XREF: KeIntSteerAssignCpuSetForGsiv(x,x,x)+8Cj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_KeIntSteerAssignCpuSetForGsiv@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIntSteerAssignCpuSet(x, x, x)
_KiIntSteerAssignCpuSet@12 proc	near	; CODE XREF: KeIntSteerAssignCpuSet(x,x,x)+3Ap
					; KeIntSteerAssignCpuSetForGsiv(x,x,x)+6Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+6Ch], 0
		jnz	short loc_62111A
		mov	eax, 0C00000BBh
		jmp	short loc_621155
; 

loc_62111A:				; CODE XREF: KiIntSteerAssignCpuSet(x,x,x)+Cj
		cmp	[esi+30h], dx
		jz	short loc_621127
		mov	eax, 0C000000Dh
		jmp	short loc_621155
; 

loc_621127:				; CODE XREF: KiIntSteerAssignCpuSet(x,x,x)+19j
		mov	eax, [ebp+arg_0]
		cmp	[esi+70h], eax
		jnz	short loc_621133
		xor	eax, eax
		jmp	short loc_621155
; 

loc_621133:				; CODE XREF: KiIntSteerAssignCpuSet(x,x,x)+28j
		mov	[esi+70h], eax
		call	_KiIntSteerComputeCpuSet@8 ; KiIntSteerComputeCpuSet(x,x)
		test	eax, eax
		jns	short loc_621155
		xor	edx, edx
		cmp	[esi+70h], edx
		jz	short loc_621155
		xor	ecx, ecx
		mov	[esi+70h], edx
		mov	[esi+74h], cx
		mov	[esi+8Ch], edx

loc_621155:				; CODE XREF: KiIntSteerAssignCpuSet(x,x,x)+13j
					; KiIntSteerAssignCpuSet(x,x,x)+20j ...
		pop	esi
		pop	ebp
		retn	4
_KiIntSteerAssignCpuSet@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIntSteerComputeCpuSet(x, x)
_KiIntSteerComputeCpuSet@8 proc	near	; CODE XREF: KiIntSteerCalculateDistribution+12FB65p
					; KiIntSteerAssignCpuSet(x,x,x)+31p

var_C		= dword	ptr -0Ch
var_8		= word ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		xor	ebx, ebx
		push	dword ptr [esi+70h]
		stosd
		lea	edx, [esi+7Ch]
		push	ecx
		xor	ecx, ecx
		stosd
		call	_KiComputeCpuSetAffinityMask@16	; KiComputeCpuSetAffinityMask(x,x,x,x)
		mov	edi, eax
		lea	edx, [ebp+var_C]
		mov	ecx, esi
		mov	[ebp+var_C], edi
		call	_KiIntSteerVerifyDestination@8 ; KiIntSteerVerifyDestination(x,x)
		test	eax, eax
		jns	short loc_621197
		mov	ebx, 0C0000001h

loc_621197:				; CODE XREF: KiIntSteerComputeCpuSet(x,x)+36j
		test	ebx, ebx
		js	short loc_6211AE
		mov	ax, [ebp+var_8]
		mov	[esi+90h], ax
		mov	[esi+8Ch], edi
		jmp	short loc_6211B5
; 

loc_6211AE:				; CODE XREF: KiIntSteerComputeCpuSet(x,x)+3Fj
		and	dword ptr [esi+8Ch], 0

loc_6211B5:				; CODE XREF: KiIntSteerComputeCpuSet(x,x)+52j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_KiIntSteerComputeCpuSet@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIntSteerLogStatus(x)
_KiIntSteerLogStatus@4 proc near	; CODE XREF: KiIntSteerEventTraceControlCallback(x,x,x,x,x,x,x,x,x)+17p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	edi
		mov	bl, cl
		call	KiIntSteerLogMask
		mov	cl, bl
		call	KiIntSteerLogProc
		mov	edi, offset _PPM_ETW_INTERRUPT_STEERING_STATE_RETARGET
		test	bl, bl
		jz	short loc_6211E2
		mov	edi, (offset loc_409B07+1)

loc_6211E2:				; CODE XREF: KiIntSteerLogStatus(x)+1Fj
		mov	ecx, edi
		call	_KiIntSteerEtwEventEnabled@4 ; KiIntSteerEtwEventEnabled(x)
		test	al, al
		jz	short loc_62123A
		push	esi
		mov	esi, ds:_KiIntTrackRootList
		jmp	short loc_62122E
; 

loc_6211F6:				; CODE XREF: KiIntSteerLogStatus(x)+7Bj
		test	bl, bl
		jnz	short loc_621208
		mov	eax, [esi+8Ch]
		cmp	eax, [esi+80h]
		jz	short loc_62122C

loc_621208:				; CODE XREF: KiIntSteerLogStatus(x)+3Cj
		lea	ecx, [esi+8]
		mov	eax, [ecx]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], eax
		cmp	eax, ecx
		jz	short loc_62122C
		mov	esi, eax

loc_621219:				; CODE XREF: KiIntSteerLogStatus(x)+6Bj
		mov	edx, edi
		mov	ecx, esi
		call	KiIntSteerLogState
		mov	esi, [esi]
		cmp	esi, [ebp+var_C]
		jnz	short loc_621219
		mov	esi, [ebp+var_4]

loc_62122C:				; CODE XREF: KiIntSteerLogStatus(x)+4Aj
					; KiIntSteerLogStatus(x)+59j
		mov	esi, [esi]

loc_62122E:				; CODE XREF: KiIntSteerLogStatus(x)+38j
		mov	[ebp+var_4], esi
		cmp	esi, offset _KiIntTrackRootList
		jnz	short loc_6211F6
		pop	esi

loc_62123A:				; CODE XREF: KiIntSteerLogStatus(x)+2Fj
		pop	edi
		pop	ebx
		leave
		retn
_KiIntSteerLogStatus@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiRestoreProcessorState(x, x)
_KiRestoreProcessorState@8 proc	near	; CODE XREF: KiFreezeTargetExecution(x,x)+17Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, large fs:20h
		mov	esi, ecx
		lea	eax, [edi+18h]
		push	eax
		call	_KiRestoreProcessorControlState@4 ; KiRestoreProcessorControlState(x)
		test	byte ptr [esi+6Ch], 1
		jnz	short loc_62126B
		test	dword ptr [esi+70h], 20000h
		mov	byte ptr [ebp+var_4], 0
		jz	short loc_62126F

loc_62126B:				; CODE XREF: KiRestoreProcessorState(x,x)+1Ej
		mov	byte ptr [ebp+var_4], 1

loc_62126F:				; CODE XREF: KiRestoreProcessorState(x,x)+2Bj
		mov	eax, [edi+4168h]
		push	[ebp+var_4]
		push	dword ptr [eax]
		push	eax
		push	0
		push	esi
		call	KeContextToKframes
		pop	edi
		pop	esi
		leave
		retn
_KiRestoreProcessorState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSaveProcessorDebugState(x, x, x, x)
_KiSaveProcessorDebugState@16 proc near	; CODE XREF: KdpReport(x,x,x,x,x,x)+8Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	eax, [esi]
		not	eax
		and	eax, [edi+416Ch]
		jz	short loc_6212B9
		push	esi
		push	[ebp+arg_4]
		or	eax, 10000h
		push	[ebp+arg_0]
		mov	[esi], eax
		call	KeContextFromKframes
		mov	eax, [edi+416Ch]
		mov	[esi], eax

loc_6212B9:				; CODE XREF: KiSaveProcessorDebugState(x,x,x,x)+15j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_KiSaveProcessorDebugState@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSaveProcessorState(x, x)
_KiSaveProcessorState@8	proc near	; CODE XREF: KiFreezeTargetExecution(x,x)+CCp
					; sub_59C2E7+33p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, large fs:20h
		mov	ecx, [esi+4168h]
		mov	eax, [esi+416Ch]
		push	ecx
		push	0
		push	[ebp+arg_0]
		mov	[ecx], eax
		call	KeContextFromKframes
		lea	eax, [esi+18h]
		push	eax
		call	_KiSaveProcessorControlState@4 ; KiSaveProcessorControlState(x)
		pop	esi
		pop	ebp
		retn	8
_KiSaveProcessorState@8	endp ; sp = -4


;  S U B	R O U T	I N E 


; __stdcall KiIsKernelStackSwappable(x)
_KiIsKernelStackSwappable@4 proc near	; CODE XREF: KeTryToFreezeThreadStack(x,x)+8Ep
		cmp	byte ptr [ecx+93h], 0
		jz	short loc_62130F
		test	byte ptr [ecx+5Ch], 40h
		jz	short loc_62130F
		cmp	byte ptr [ecx+87h], 19h
		jge	short loc_62130F
		xor	eax, eax
		inc	eax
		retn
; 

loc_62130F:				; CODE XREF: KiIsKernelStackSwappable(x)+7j
					; KiIsKernelStackSwappable(x)+Dj ...
		xor	eax, eax
		retn
_KiIsKernelStackSwappable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSatisfyThreadWait(x, x, x, x, x)
_KiSatisfyThreadWait@20	proc near	; CODE XREF: KeWaitForMultipleObjects+128EF8p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	esi
		push	edi
		mov	byte ptr [ebx+90h], 2
		mov	dword ptr [ebx+2Ch], 0
		mov	eax, [ebx+94h]
		mov	ecx, [ebx+248h]
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jz	short loc_62135D
		push	1
		xor	edx, edx
		mov	dword ptr [ebx+248h], 0
		call	KeAbPreAcquire
		test	eax, eax
		jz	short loc_62135D
		or	byte ptr [eax+0Eh], 1

loc_62135D:				; CODE XREF: KiSatisfyThreadWait(x,x,x,x,x)+2Ej
					; KiSatisfyThreadWait(x,x,x,x,x)+45j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_6213AE
		mov	esi, [ebp+arg_4]
		movzx	eax, al
		imul	edi, eax, 18h
		add	edi, esi

loc_62136F:				; CODE XREF: KiSatisfyThreadWait(x,x,x,x,x)+9Aj
		mov	al, [esi+9]
		cmp	al, 5
		jnb	short loc_6213A7
		mov	eax, [esi+10h]
		mov	ecx, eax
		mov	[ebp+arg_8], eax
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		cmp	byte ptr [esi+9], 4
		jnz	short loc_62139C
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_6213C5
		cmp	[eax], esi
		jnz	short loc_6213C5
		mov	[eax], ecx
		mov	[ecx+4], eax

loc_62139C:				; CODE XREF: KiSatisfyThreadWait(x,x,x,x,x)+75j
		mov	eax, [ebp+arg_8]
		mov	ecx, 0FFFFFF7Fh
		lock and [eax],	ecx

loc_6213A7:				; CODE XREF: KiSatisfyThreadWait(x,x,x,x,x)+62j
		add	esi, 18h
		cmp	esi, edi
		jnz	short loc_62136F

loc_6213AE:				; CODE XREF: KiSatisfyThreadWait(x,x,x,x,x)+50j
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	KiExitThreadWait
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_6213C5:				; CODE XREF: KiSatisfyThreadWait(x,x,x,x,x)+7Fj
					; KiSatisfyThreadWait(x,x,x,x,x)+83j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_KiSatisfyThreadWait@20	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAcquireReleaseDpcData(x)
_KiAcquireReleaseDpcData@4 proc	near	; CODE XREF: KeRemoveQueueDpcEx+DC2D6p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		xor	edx, edx
		lock or	[eax], edx
		lea	esi, [ecx+8]
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_621415
		push	ebx
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		jz	short loc_62140A
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_62140F
; 

loc_62140A:				; CODE XREF: KiAcquireReleaseDpcData(x)+32j
		xor	eax, eax
		lock and [esi],	eax

loc_62140F:				; CODE XREF: KiAcquireReleaseDpcData(x)+3Ej
		test	bl, bl
		pop	ebx
		jz	short loc_621415
		sti

loc_621415:				; CODE XREF: KiAcquireReleaseDpcData(x)+1Aj
					; KiAcquireReleaseDpcData(x)+48j
		pop	esi
		leave
		retn
_KiAcquireReleaseDpcData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiDpcRuntimeHistoryHashTableAllocate(x, x)
_KiDpcRuntimeHistoryHashTableAllocate@8	proc near
					; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+55p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	74687244h
		push	[ebp+arg_0]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_KiDpcRuntimeHistoryHashTableAllocate@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInsertNewDpcRuntime(x, x,	x, x)
_KiInsertNewDpcRuntime@16 proc near	; CODE XREF: KiExecuteAllDpcs+12E540p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1C], edx
		or	ebx, 0FFFFFFFFh
		mov	[ebp+var_18], edi
		mov	eax, [edi+4]
		shr	eax, 5
		lea	esi, [eax+eax]
		cmp	[edi], esi
		jb	loc_621598
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_621598
		mov	esi, [ebp+var_4]
		cmp	esi, 4
		jnb	short loc_621480
		push	4
		pop	esi

loc_621480:				; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+48j
		mov	eax, esi
		push	0
		shl	eax, 2
		push	eax
		call	_KiDpcRuntimeHistoryHashTableAllocate@8	; KiDpcRuntimeHistoryHashTableAllocate(x,x)
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jz	loc_621595
		lea	ecx, [esi-1]
		test	ecx, esi
		jz	short loc_6214B2
		or	ecx, 0FFFFFFFFh
		test	esi, esi
		jz	short loc_6214AD

loc_6214A8:				; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+78j
		inc	ecx
		shr	esi, 1
		jnz	short loc_6214A8

loc_6214AD:				; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+73j
		xor	esi, esi
		inc	esi
		shl	esi, cl

loc_6214B2:				; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+6Cj
		mov	eax, 4000000h
		cmp	esi, eax
		jbe	short loc_6214BD
		mov	esi, eax

loc_6214BD:				; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+86j
		and	[ebp+var_4], 0
		mov	edx, esi
		shl	edx, 2
		mov	eax, edi
		or	eax, 1
		mov	[ebp+var_8], ebx
		lea	ecx, [edx+ebx]
		shr	edx, 2
		cmp	ecx, ebx
		sbb	ecx, ecx
		not	ecx
		and	ecx, edx
		jbe	short loc_6214ED
		mov	edx, ebx
		mov	ebx, [ebp+var_4]

loc_6214E3:				; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+B8j
		inc	ebx
		mov	[edx], eax
		lea	edx, [edx+4]
		cmp	ebx, ecx
		jb	short loc_6214E3

loc_6214ED:				; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+A9j
		mov	eax, [edi+4]
		or	edx, 0FFFFFFFFh
		mov	ecx, eax
		xor	ebx, ebx
		and	ecx, 1Fh
		shl	edx, cl
		mov	[ebp+var_10], edx
		test	eax, 0FFFFFFE0h
		jbe	short loc_621572

loc_621506:				; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+13Dj
		mov	edx, [edi+8]
		mov	[ebp+var_14], edx

loc_62150C:				; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+12Fj
		mov	ecx, [edx+ebx*4]
		mov	[ebp+var_8], ecx
		test	ecx, 1
		jnz	short loc_621564
		mov	eax, [ecx]
		mov	[edx+ebx*4], eax
		mov	edx, [ecx+4]
		and	edx, [ebp+var_10]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	edi, [ebp+var_8]
		imul	ecx, eax, 25h
		movzx	eax, dh
		mov	[ebp+var_4], edx
		lea	edx, [esi-1]
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	ecx, 25h
		add	ecx, eax
		and	edx, ecx
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx+edx*4]
		mov	[edi], eax
		mov	eax, edi
		mov	[ecx+edx*4], eax
		mov	edx, [ebp+var_14]
		jmp	short loc_62150C
; 

loc_621564:				; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+E5j
		mov	edi, [ebp+var_18]
		inc	ebx
		mov	eax, [edi+4]
		shr	eax, 5
		cmp	ebx, eax
		jb	short loc_621506

loc_621572:				; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+D1j
		mov	ecx, [edi+8]
		mov	eax, [ebp+var_C]
		mov	[edi+8], eax
		mov	eax, [edi+4]
		shl	esi, 5
		and	eax, 1Fh
		or	esi, eax
		mov	[edi+4], esi
		test	ecx, ecx
		jz	short loc_621595
		push	0
		push	ecx
		call	_CmpFreePoolLookaside@8	; CmpFreePoolLookaside(x,x)

loc_621595:				; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+61j
					; KiInsertNewDpcRuntime(x,x,x,x)+158j
		or	ebx, 0FFFFFFFFh

loc_621598:				; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+25j
					; KiInsertNewDpcRuntime(x,x,x,x)+3Cj
		push	74687244h
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_621609
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_1C]
		mov	[esi+8], ecx
		mov	ecx, [ebp+arg_4]
		mov	[esi+0Ch], ecx
		mov	[esi+4], eax
		mov	byte ptr [esi+10h], 1
		mov	ecx, [edi+4]
		mov	edx, ecx
		and	ecx, 1Fh
		shr	edx, 5
		shl	ebx, cl
		and	ebx, eax
		movzx	eax, bl
		add	eax, offset unk_B15DCB
		mov	[ebp+arg_4], ebx
		imul	ecx, eax, 25h
		movzx	eax, bh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+arg_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+arg_4+3]
		imul	ecx, 25h
		add	ecx, eax
		dec	edx
		and	edx, ecx
		mov	ecx, [edi+8]
		mov	eax, [ecx+edx*4]
		mov	[esi], eax
		mov	[ecx+edx*4], esi
		inc	dword ptr [edi]

loc_621609:				; CODE XREF: KiInsertNewDpcRuntime(x,x,x,x)+17Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KiInsertNewDpcRuntime@16 endp


;  S U B	R O U T	I N E 


; __stdcall KiRemoveEntryDpcList(x, x)
_KiRemoveEntryDpcList@8	proc near	; CODE XREF: KeRemoveQueueDpcEx+DC1F9p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, [ecx]
		mov	esi, ecx
		cmp	edi, edx
		jz	short loc_621626

loc_62161C:				; CODE XREF: KiRemoveEntryDpcList(x,x)+14j
		mov	eax, [edi]
		mov	esi, edi
		mov	edi, eax
		cmp	eax, edx
		jnz	short loc_62161C

loc_621626:				; CODE XREF: KiRemoveEntryDpcList(x,x)+Aj
		mov	eax, [edx]
		mov	[esi], eax
		test	eax, eax
		jnz	short loc_621631
		mov	[ecx+4], esi

loc_621631:				; CODE XREF: KiRemoveEntryDpcList(x,x)+1Cj
		pop	edi
		pop	esi
		retn
_KiRemoveEntryDpcList@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiUpdateExistingDpcRuntime(x, x, x,	x, x)
_KiUpdateExistingDpcRuntime@20 proc near ; CODE	XREF: KiExecuteAllDpcs+12E52Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		push	3
		pop	ecx
		mul	ecx
		mov	byte ptr [edi+10h], 1
		mov	esi, eax
		mov	eax, [ebp+arg_4]
		mul	ecx
		mov	ecx, [edi+8]
		add	esi, edx
		mov	edx, [edi+0Ch]
		shrd	eax, esi, 2
		shrd	ecx, edx, 2
		shr	esi, 2
		shr	edx, 2
		add	eax, ecx
		mov	[edi+8], eax
		adc	esi, edx
		mov	[edi+0Ch], esi
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_KiUpdateExistingDpcRuntime@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeClearForceIdle()
_KeClearForceIdle@0 proc near		; CODE XREF: PopDeepSleepSetDisengageReason+16E15Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		push	esi
		push	edi
		cli
		xor	esi, esi
		mov	edi, offset _KiForceIdleLock
		mov	[esp+10h+var_4], esi

loc_62168F:				; CODE XREF: KeClearForceIdle()+31j
		lock bts dword ptr [edi], 0
		jnb	short loc_6216AA

loc_621696:				; CODE XREF: KeClearForceIdle()+2Fj
		lea	ecx, [esp+10h+var_4]
		call	KeYieldProcessorEx
		mov	eax, ds:_KiForceIdleLock
		test	eax, eax
		jnz	short loc_621696
		jmp	short loc_62168F
; 

loc_6216AA:				; CODE XREF: KeClearForceIdle()+1Dj
		cmp	ds:_KiForceIdleDisabled, esi
		jnz	short loc_621727
		mov	eax, ds:_KiForceIdleState
		sub	eax, 1
		jz	short loc_6216FD
		sub	eax, 1
		jz	short loc_6216E8
		sub	eax, 1
		jz	short loc_6216D7
		sub	eax, 1
		jnz	short loc_621727
		push	3
		mov	dl, 1
		pop	ecx
		call	_KiResetForceIdle@8 ; KiResetForceIdle(x,x)
		jmp	short loc_621727
; 

loc_6216D7:				; CODE XREF: KeClearForceIdle()+4Dj
		mov	ecx, ds:_KiForceIdleStartTime
		mov	eax, ds:dword_6CB38C
		or	ecx, eax
		jz	short loc_621727
		jmp	short loc_62171B
; 

loc_6216E8:				; CODE XREF: KeClearForceIdle()+48j
		mov	ecx, ds:_KiForceIdleState
		xor	edx, edx
		mov	ds:_KiForceIdleState, esi
		call	_PoTraceForceIdleStateChange@8 ; PoTraceForceIdleStateChange(x,x)
		jmp	short loc_62171B
; 

loc_6216FD:				; CODE XREF: KeClearForceIdle()+43j
		mov	ecx, ds:_KiForceIdleState
		xor	edx, edx
		mov	ds:_KiForceIdleState, esi
		call	_PoTraceForceIdleStateChange@8 ; PoTraceForceIdleStateChange(x,x)
		push	esi
		push	offset _KiForceIdleStartDpc
		call	KeRemoveQueueDpcEx

loc_62171B:				; CODE XREF: KeClearForceIdle()+6Fj
					; KeClearForceIdle()+84j
		mov	ds:_KiForceIdleStartTime, esi
		mov	ds:dword_6CB38C, esi

loc_621727:				; CODE XREF: KeClearForceIdle()+39j
					; KeClearForceIdle()+52j ...
		xor	eax, eax
		lock and [edi],	eax
		sti
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_KeClearForceIdle@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetForceIdle()
_KeSetForceIdle@0 proc near		; CODE XREF: PopDeepSleepClearDisengageReason+16E131p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		cli
		mov	[ebp+var_4], eax

loc_621747:				; CODE XREF: KeSetForceIdle()+31j
		mov	eax, offset _KiForceIdleLock
		lock bts dword ptr [eax], 0
		jnb	short loc_621766

loc_621753:				; CODE XREF: KeSetForceIdle()+2Fj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, ds:_KiForceIdleLock
		test	eax, eax
		jnz	short loc_621753
		jmp	short loc_621747
; 

loc_621766:				; CODE XREF: KeSetForceIdle()+1Ej
		cmp	ds:_KiForceIdleDisabled, 0
		jnz	short loc_6217C2
		push	ebx
		mov	ebx, ds:_KiForceIdleState
		lea	ecx, [ebp+var_C]
		push	esi
		push	edi
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	esi, eax
		mov	edi, edx
		mov	eax, ds:_KiForceIdleGracePeriodInSec
		mov	ecx, (offset loc_98967E+2)
		mul	ecx
		add	esi, eax
		adc	edi, edx
		test	ebx, ebx
		jz	short loc_62179F
		cmp	ebx, 3
		jnz	short loc_6217BF
		jmp	short loc_6217B3
; 

loc_62179F:				; CODE XREF: KeSetForceIdle()+63j
		mov	ecx, ds:_KiForceIdleState
		push	2
		pop	edx
		mov	ds:_KiForceIdleState, edx
		call	_PoTraceForceIdleStateChange@8 ; PoTraceForceIdleStateChange(x,x)

loc_6217B3:				; CODE XREF: KeSetForceIdle()+6Aj
		mov	ds:_KiForceIdleStartTime, esi
		mov	ds:dword_6CB38C, edi

loc_6217BF:				; CODE XREF: KeSetForceIdle()+68j
		pop	edi
		pop	esi
		pop	ebx

loc_6217C2:				; CODE XREF: KeSetForceIdle()+3Aj
		xor	eax, eax
		mov	ecx, offset _KiForceIdleLock
		lock and [ecx],	eax
		sti
		leave
		retn
_KeSetForceIdle@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiForceIdleParkUnparkDpcRoutine(x, x, x, x)
_KiForceIdleParkUnparkDpcRoutine@16 proc near ;	DATA XREF: KiInitializeForceIdle+12o

arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, large fs:20h
		mov	dl, [ebp+arg_8]
		call	_KiForceIdleParkUnparkProcessor@8 ; KiForceIdleParkUnparkProcessor(x,x)
		lock dec ds:_KiForceIdlePendingDpcCount
		pop	ebp
		retn	10h
_KiForceIdleParkUnparkDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiForceIdleParkUnparkProcessor(x, x)
_KiForceIdleParkUnparkProcessor@8 proc near
					; CODE XREF: KiForceIdleParkUnparkDpcRoutine(x,x,x,x)+Fp
					; KiForceIdleUpdateSchedulerParkState(x)+10Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		test	dl, dl
		jz	short loc_62186C
		cmp	byte ptr [esi+3ED4h], 0
		jnz	short loc_621811
		push	dword ptr [esi+3CCh]
		push	offset _KiForceIdleUnparkRestoreMask
		jmp	short loc_621825
; 

loc_621811:				; CODE XREF: KiForceIdleParkUnparkProcessor(x,x)+14j
		cmp	byte ptr [esi+3D9Bh], 0
		jz	short loc_621834
		push	dword ptr [esi+3CCh]
		push	offset _KiForceIdleSoftParkRestoreMask

loc_621825:				; CODE XREF: KiForceIdleParkUnparkProcessor(x,x)+21j
		call	_KeInterlockedSetProcessorAffinityEx@8 ; KeInterlockedSetProcessorAffinityEx(x,x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KeTransitionProcessorParkState@8 ; KeTransitionProcessorParkState(x,x)

loc_621834:				; CODE XREF: KiForceIdleParkUnparkProcessor(x,x)+2Aj
		and	[ebp+var_4], 0
		push	edi
		lea	edi, [esi+2224h]

loc_62183F:				; CODE XREF: KiForceIdleParkUnparkProcessor(x,x)+66j
		lock bts dword ptr [edi], 0
		jnb	short loc_621856

loc_621846:				; CODE XREF: KiForceIdleParkUnparkProcessor(x,x)+64j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_621846
		jmp	short loc_62183F
; 

loc_621856:				; CODE XREF: KiForceIdleParkUnparkProcessor(x,x)+56j
		mov	byte ptr [esi+2239h], 0
		xor	eax, eax
		mov	byte ptr [esi+223Bh], 0
		lock and [edi],	eax
		pop	edi
		jmp	short loc_62189E
; 

loc_62186C:				; CODE XREF: KiForceIdleParkUnparkProcessor(x,x)+Bj
		cmp	byte ptr [esi+3D9Bh], 0
		mov	eax, [esi+3CCh]
		push	eax
		jz	short loc_62188B
		push	offset _KiForceIdleSoftParkRestoreMask
		call	_KeInterlockedClearProcessorAffinityEx@8 ; KeInterlockedClearProcessorAffinityEx(x,x)
		push	2
		pop	edx
		jmp	short loc_621897
; 

loc_62188B:				; CODE XREF: KiForceIdleParkUnparkProcessor(x,x)+8Cj
		push	offset _KiForceIdleUnparkRestoreMask
		call	_KeInterlockedClearProcessorAffinityEx@8 ; KeInterlockedClearProcessorAffinityEx(x,x)
		xor	edx, edx

loc_621897:				; CODE XREF: KiForceIdleParkUnparkProcessor(x,x)+9Bj
		mov	ecx, esi
		call	_KeTransitionProcessorParkState@8 ; KeTransitionProcessorParkState(x,x)

loc_62189E:				; CODE XREF: KiForceIdleParkUnparkProcessor(x,x)+7Cj
		pop	esi
		leave
		retn
_KiForceIdleParkUnparkProcessor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiForceIdleStartDpcRoutine(x, x, x,	x)
_KiForceIdleStartDpcRoutine@16 proc near ; DATA	XREF: KiInitializeForceIdle+40o

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		cli
		mov	[ebp+var_4], ebx
		mov	esi, offset _KiForceIdleLock

loc_6218B4:				; CODE XREF: KiForceIdleStartDpcRoutine(x,x,x,x)+2Bj
		lock bts dword ptr [esi], 0
		jnb	short loc_6218CE

loc_6218BB:				; CODE XREF: KiForceIdleStartDpcRoutine(x,x,x,x)+29j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, ds:_KiForceIdleLock
		test	eax, eax
		jnz	short loc_6218BB
		jmp	short loc_6218B4
; 

loc_6218CE:				; CODE XREF: KiForceIdleStartDpcRoutine(x,x,x,x)+18j
		mov	eax, ds:_KiForceIdleState
		cmp	eax, 1
		jz	short loc_6218DC
		mov	bl, 1
		jmp	short loc_621900
; 

loc_6218DC:				; CODE XREF: KiForceIdleStartDpcRoutine(x,x,x,x)+35j
		mov	ecx, ds:_KiForceIdleState
		push	4
		pop	edx
		mov	ds:_KiForceIdleState, edx
		call	_PoTraceForceIdleStateChange@8 ; PoTraceForceIdleStateChange(x,x)
		call	KeQueryInterruptTime
		mov	ds:_KiForceIdleActiveLastStartTime, eax
		mov	ds:dword_6CB1A4, edx

loc_621900:				; CODE XREF: KiForceIdleStartDpcRoutine(x,x,x,x)+39j
		xor	eax, eax
		lock and [esi],	eax
		sti
		pop	esi
		test	bl, bl
		pop	ebx
		jnz	short locret_621913
		mov	cl, 1
		call	_KiForceIdleUpdateSchedulerParkState@4 ; KiForceIdleUpdateSchedulerParkState(x)

locret_621913:				; CODE XREF: KiForceIdleStartDpcRoutine(x,x,x,x)+69j
		leave
		retn	10h
_KiForceIdleStartDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiForceIdleStopDpcRoutine(x, x, x, x)
_KiForceIdleStopDpcRoutine@16 proc near	; DATA XREF: KiInitializeForceIdle+56o

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		xor	cl, cl
		call	_KiForceIdleUpdateSchedulerParkState@4 ; KiForceIdleUpdateSchedulerParkState(x)
		cli
		xor	esi, esi
		mov	edi, offset _KiForceIdleLock
		mov	[ebp+var_4], esi

loc_621931:				; CODE XREF: KiForceIdleStopDpcRoutine(x,x,x,x)+32j
		lock bts dword ptr [edi], 0
		jnb	short loc_62194B

loc_621938:				; CODE XREF: KiForceIdleStopDpcRoutine(x,x,x,x)+30j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, ds:_KiForceIdleLock
		test	eax, eax
		jnz	short loc_621938
		jmp	short loc_621931
; 

loc_62194B:				; CODE XREF: KiForceIdleStopDpcRoutine(x,x,x,x)+1Fj
		mov	ecx, ds:_KiForceIdleStartTime
		mov	eax, ds:dword_6CB38C
		or	ecx, eax
		mov	ecx, ds:_KiForceIdleState
		mov	ds:_KiForceIdleWatchdogResetCount, esi
		mov	ds:_KiForceIdleActiveLastStartTime, esi
		mov	ds:dword_6CB1A4, esi
		jz	short loc_621975
		push	2
		pop	esi

loc_621975:				; CODE XREF: KiForceIdleStopDpcRoutine(x,x,x,x)+59j
		mov	edx, esi
		mov	ds:_KiForceIdleState, esi
		call	_PoTraceForceIdleStateChange@8 ; PoTraceForceIdleStateChange(x,x)
		xor	eax, eax
		lock and [edi],	eax
		sti
		pop	edi
		pop	esi
		leave
		retn	10h
_KiForceIdleStopDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiForceIdleUpdateSchedulerParkState(x)
_KiForceIdleUpdateSchedulerParkState@4 proc near
					; CODE XREF: KiForceIdleStartDpcRoutine(x,x,x,x)+6Dp
					; KiForceIdleStopDpcRoutine(x,x,x,x)+Ap

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_1A		= word ptr -1Ah
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		and	[ebp+var_14], eax
		push	ebx
		mov	[ebp+var_1A], ax
		mov	bl, cl
		mov	eax, large fs:20h
		push	esi
		mov	[ebp+var_18], eax
		jmp	short loc_6219BA
; 

loc_6219B8:				; CODE XREF: KiForceIdleUpdateSchedulerParkState(x)+33j
		pause

loc_6219BA:				; CODE XREF: KiForceIdleUpdateSchedulerParkState(x)+28j
		mov	eax, ds:_KiForceIdlePendingDpcCount
		test	eax, eax
		jnz	short loc_6219B8
		push	edi
		lea	edi, [ebp+var_10]
		test	bl, bl
		jnz	short loc_6219E4
		mov	esi, offset _KiForceIdleUnparkRestoreMask
		lea	eax, [ebp+var_10]
		push	eax
		push	offset _KiForceIdleSoftParkRestoreMask
		push	eax
		movsd
		movsd
		movsd
		call	_KeOrAffinityEx@12 ; KeOrAffinityEx(x,x,x)
		jmp	short loc_6219EC
; 

loc_6219E4:				; CODE XREF: KiForceIdleUpdateSchedulerParkState(x)+3Bj
		mov	esi, offset _KeActiveProcessors
		movsd
		movsd
		movsd

loc_6219EC:				; CODE XREF: KiForceIdleUpdateSchedulerParkState(x)+54j
		mov	ecx, [ebp+var_18]
		mov	edx, [ebp+var_8]
		mov	eax, edx
		not	edx
		pop	edi
		mov	ecx, [ecx+3CCh]
		shr	eax, cl
		test	al, 1
		movzx	eax, dl
		mov	cl, ds:_RtlpBitsClearTotal[eax]
		jz	short loc_621A33
		shr	edx, 8
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[edx]
		movzx	eax, cl
		dec	eax
		jmp	short loc_621A57
; 

loc_621A33:				; CODE XREF: KiForceIdleUpdateSchedulerParkState(x)+7Cj
		shr	edx, 8
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		shr	edx, 8
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, ds:_RtlpBitsClearTotal[edx]
		movzx	eax, cl

loc_621A57:				; CODE XREF: KiForceIdleUpdateSchedulerParkState(x)+A3j
		mov	ds:_KiForceIdlePendingDpcCount,	eax
		xor	eax, eax
		mov	[ebp+var_1C], ax
		xor	esi, esi
		mov	eax, [ebp+var_8]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_24], eax

loc_621A70:				; CODE XREF: KiForceIdleUpdateSchedulerParkState(x)+10Fj
					; KiForceIdleUpdateSchedulerParkState(x)+122j
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_621AB2
		mov	ecx, [ebp+var_14]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, large fs:20h
		cmp	eax, ecx
		jnz	short loc_621A9F
		mov	dl, bl
		mov	ecx, eax
		call	_KiForceIdleParkUnparkProcessor@8 ; KiForceIdleParkUnparkProcessor(x,x)
		jmp	short loc_621A70
; 

loc_621A9F:				; CODE XREF: KiForceIdleUpdateSchedulerParkState(x)+104j
		push	esi
		push	esi
		push	esi
		movzx	edx, bl
		lea	ecx, [eax+3F18h]
		call	KiInsertQueueDpc
		jmp	short loc_621A70
; 

loc_621AB2:				; CODE XREF: KiForceIdleUpdateSchedulerParkState(x)+F1j
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KiForceIdleUpdateSchedulerParkState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiResetForceIdle(x,	x)
_KiResetForceIdle@8 proc near		; CODE XREF: KeClockInterruptNotify+12EB29p
					; KeResumeClockTimerFromIdle:loc_5B8005p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_8], 0
		and	[esp+0Ch+var_4], 0
		push	ebx
		push	esi
		mov	bh, dl
		xor	bl, bl
		mov	esi, offset _KiForceIdleLock
		push	edi
		mov	edi, ecx
		test	bh, bh
		jnz	short loc_621B0E
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		and	[esp+18h+var_C], 0
		mov	bl, al

loc_621AF3:				; CODE XREF: KiResetForceIdle(x,x)+4Cj
		lock bts dword ptr [esi], 0
		jnb	short loc_621B0E

loc_621AFA:				; CODE XREF: KiResetForceIdle(x,x)+4Aj
		lea	ecx, [esp+18h+var_C]
		call	KeYieldProcessorEx
		mov	eax, ds:_KiForceIdleLock
		test	eax, eax
		jnz	short loc_621AFA
		jmp	short loc_621AF3
; 

loc_621B0E:				; CODE XREF: KiResetForceIdle(x,x)+25j
					; KiResetForceIdle(x,x)+38j
		call	_KeIsForceIdleEngaged@0	; KeIsForceIdleEngaged()
		test	al, al
		jz	short loc_621B92
		mov	ecx, ds:_KiForceIdleState
		push	3
		pop	esi
		mov	edx, esi
		mov	ds:_KiForceIdleState, esi
		call	_PoTraceForceIdleStateChange@8 ; PoTraceForceIdleStateChange(x,x)
		cmp	edi, esi
		jnz	short loc_621B37
		xor	ecx, ecx
		xor	esi, esi
		jmp	short loc_621B54
; 

loc_621B37:				; CODE XREF: KiResetForceIdle(x,x)+6Fj
		lea	ecx, [esp+18h+var_8]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	ecx, eax
		mov	esi, edx
		mov	eax, ds:_KiForceIdleGracePeriodInSec
		mov	edx, (offset loc_98967E+2)
		mul	edx
		add	ecx, eax
		adc	esi, edx

loc_621B54:				; CODE XREF: KiResetForceIdle(x,x)+75j
		mov	ds:_KiForceIdleStartTime, ecx
		mov	ecx, ds:_KiClockTimerOwner
		mov	ds:dword_6CB38C, esi
		mov	eax, ds:dword_6CB1DC
		test	eax, eax
		jnz	short loc_621B78
		lea	eax, [ecx+20h]
		mov	ds:word_6CB1C2,	ax

loc_621B78:				; CODE XREF: KiResetForceIdle(x,x)+ADj
		push	0
		push	0
		push	offset _KiForceIdleStopDpc
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		mov	ecx, edi
		call	_PoTraceForceIdleReset@4 ; PoTraceForceIdleReset(x)
		mov	esi, offset _KiForceIdleLock

loc_621B92:				; CODE XREF: KiResetForceIdle(x,x)+55j
		test	bh, bh
		jnz	short loc_621BA0
		xor	eax, eax
		lock and [esi],	eax
		test	bl, bl
		jz	short loc_621BA0
		sti

loc_621BA0:				; CODE XREF: KiResetForceIdle(x,x)+D4j
					; KiResetForceIdle(x,x)+DDj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_KiResetForceIdle@8 endp


;  S U B	R O U T	I N E 


; __stdcall KiIsThreadRankBiased(x, x)
_KiIsThreadRankBiased@8	proc near	; CODE XREF: KiDeferredReadySingleThread+C92A9p
					; KiGetHeteroThreadQos(x,x,x)+E4p
		cmp	byte ptr [ecx+87h], 10h
		jge	short loc_621BEC
		mov	eax, [ecx+50h]
		test	eax, eax
		jz	short loc_621BEC
		test	edx, edx
		jnz	short loc_621BC2
		mov	edx, large fs:20h

loc_621BC2:				; CODE XREF: KiIsThreadRankBiased(x,x)+12j
		mov	eax, [ecx+50h]
		test	eax, eax
		jz	short loc_621BEC
		add	eax, [edx+3B34h]
		test	eax, eax
		jz	short loc_621BEC

loc_621BD3:				; CODE XREF: KiIsThreadRankBiased(x,x)+3Cj
		test	byte ptr [eax+5Ch], 8
		jnz	short loc_621BE7
		mov	eax, [eax+0F4h]
		xor	cl, cl
		test	eax, eax
		jnz	short loc_621BD3
		jmp	short loc_621BE9
; 

loc_621BE7:				; CODE XREF: KiIsThreadRankBiased(x,x)+30j
		mov	cl, 1

loc_621BE9:				; CODE XREF: KiIsThreadRankBiased(x,x)+3Ej
		mov	al, cl
		retn
; 

loc_621BEC:				; CODE XREF: KiIsThreadRankBiased(x,x)+7j
					; KiIsThreadRankBiased(x,x)+Ej	...
		xor	al, al
		retn
_KiIsThreadRankBiased@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSelectThreadFromScbQueue(x, x, x,	x, x)
_KiSelectThreadFromScbQueue@20 proc near ; CODE	XREF: KiChooseLowestRankedThread+D52C6p
					; KiSelectThreadFromScbQueue(x,x,x,x,x)+68p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	eax, [esi+4]
		test	al, 1
		jz	short loc_621C14
		cmp	eax, 1
		jz	loc_621C94
		or	esi, 1
		xor	esi, eax
		jmp	short loc_621C16
; 

loc_621C14:				; CODE XREF: KiSelectThreadFromScbQueue(x,x,x,x,x)+13j
		mov	esi, eax

loc_621C16:				; CODE XREF: KiSelectThreadFromScbQueue(x,x,x,x,x)+23j
		test	esi, esi
		jz	short loc_621C94
		mov	ecx, [ebp+arg_0]
		xor	ebx, ebx
		mov	edi, [ebp+arg_8]
		inc	ebx
		shl	ebx, cl

loc_621C25:				; CODE XREF: KiSelectThreadFromScbQueue(x,x,x,x,x)+A3j
		lea	edx, [esi-50h]
		movzx	eax, word ptr [edx+5Eh]
		cmp	eax, ebx
		jnb	short loc_621CA2
		cmp	edx, [ebp+arg_4]
		jz	short loc_621C9D
		lea	ecx, [edx+0ECh]
		test	byte ptr [ecx+4], 1
		mov	eax, [ecx]
		jz	short loc_621C49
		test	eax, eax
		jz	short loc_621C60
		xor	eax, ecx

loc_621C49:				; CODE XREF: KiSelectThreadFromScbQueue(x,x,x,x,x)+52j
		test	eax, eax
		jz	short loc_621C60
		mov	edx, [ebp+var_4]
		push	edi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_KiSelectThreadFromScbQueue@20 ; KiSelectThreadFromScbQueue(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_621C96

loc_621C60:				; CODE XREF: KiSelectThreadFromScbQueue(x,x,x,x,x)+56j
					; KiSelectThreadFromScbQueue(x,x,x,x,x)+5Cj
		cmp	byte ptr [edi],	0
		jnz	short loc_621C94
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jz	short loc_621C88
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_621C90

loc_621C76:				; CODE XREF: KiSelectThreadFromScbQueue(x,x,x,x,x)+8Fj
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_621C76
		jmp	short loc_621C90
; 

loc_621C82:				; CODE XREF: KiSelectThreadFromScbQueue(x,x,x,x,x)+9Fj
		cmp	[esi], ecx
		jz	short loc_621C90
		mov	ecx, esi

loc_621C88:				; CODE XREF: KiSelectThreadFromScbQueue(x,x,x,x,x)+7Dj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_621C82

loc_621C90:				; CODE XREF: KiSelectThreadFromScbQueue(x,x,x,x,x)+85j
					; KiSelectThreadFromScbQueue(x,x,x,x,x)+91j ...
		test	esi, esi
		jnz	short loc_621C25

loc_621C94:				; CODE XREF: KiSelectThreadFromScbQueue(x,x,x,x,x)+18j
					; KiSelectThreadFromScbQueue(x,x,x,x,x)+29j ...
		xor	eax, eax

loc_621C96:				; CODE XREF: KiSelectThreadFromScbQueue(x,x,x,x,x)+6Fj
					; KiSelectThreadFromScbQueue(x,x,x,x,x)+BEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_621C9D:				; CODE XREF: KiSelectThreadFromScbQueue(x,x,x,x,x)+44j
		mov	byte ptr [edi],	1
		jmp	short loc_621C94
; 

loc_621CA2:				; CODE XREF: KiSelectThreadFromScbQueue(x,x,x,x,x)+3Fj
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_4]
		call	_KiSelectThreadFromSchedulingGroup@12 ;	KiSelectThreadFromSchedulingGroup(x,x,x)
		jmp	short loc_621C96
_KiSelectThreadFromScbQueue@20 endp


;  S U B	R O U T	I N E 


; __stdcall KiUpdateChildrenCpuTarget(x, x)
_KiUpdateChildrenCpuTarget@8 proc near	; CODE XREF: KiUpdateCpuTargetByWeight+186p
					; KiUpdateCpuTargetByRate+1C9p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	bl, dl
		mov	esi, [edi]

loc_621CBA:				; CODE XREF: KiUpdateChildrenCpuTarget(x,x)+26j
		lea	ecx, [esi-38h]
		mov	dl, bl
		test	byte ptr [ecx+4], 1
		jnz	short loc_621CCC
		call	KiUpdateCpuTargetByWeight
		jmp	short loc_621CD1
; 

loc_621CCC:				; CODE XREF: KiUpdateChildrenCpuTarget(x,x)+14j
		call	KiUpdateCpuTargetByRate

loc_621CD1:				; CODE XREF: KiUpdateChildrenCpuTarget(x,x)+1Bj
		mov	esi, [esi]
		cmp	esi, edi
		jnz	short loc_621CBA
		pop	edi
		pop	esi
		pop	ebx
		retn
_KiUpdateChildrenCpuTarget@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGetPastDueIRTimerInfo(x, x, x, x)
_KiGetPastDueIRTimerInfo@16 proc near	; CODE XREF: KeResumeClockTimerFromIdle+12B47Fp
					; KeQueryWakeSource(x,x)+C9p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		cmp	eax, ds:dword_6CB18C
		jb	short loc_621D2C
		ja	short loc_621CFB
		mov	eax, [ebp+arg_0]
		cmp	eax, ds:dword_6CB188
		jb	short loc_621D2C

loc_621CFB:				; CODE XREF: KiGetPastDueIRTimerInfo(x,x,x,x)+13j
		mov	ecx, ds:dword_6CB184
		test	cl, 1
		jz	short loc_621D1B
		cmp	ecx, 1
		jnz	short loc_621D0F
		xor	eax, eax
		jmp	short loc_621D1D
; 

loc_621D0F:				; CODE XREF: KiGetPastDueIRTimerInfo(x,x,x,x)+2Ej
		mov	eax, offset unk_6CB180
		or	eax, 1
		xor	eax, ecx
		jmp	short loc_621D1D
; 

loc_621D1B:				; CODE XREF: KiGetPastDueIRTimerInfo(x,x,x,x)+29j
		mov	eax, ecx

loc_621D1D:				; CODE XREF: KiGetPastDueIRTimerInfo(x,x,x,x)+32j
					; KiGetPastDueIRTimerInfo(x,x,x,x)+3Ej
		mov	cl, [eax-1Ah]
		mov	[esi], cl
		mov	cl, [eax-19h]
		xor	eax, eax
		mov	[edx], cl
		inc	eax
		jmp	short loc_621D2E
; 

loc_621D2C:				; CODE XREF: KiGetPastDueIRTimerInfo(x,x,x,x)+11j
					; KiGetPastDueIRTimerInfo(x,x,x,x)+1Ej
		xor	eax, eax

loc_621D2E:				; CODE XREF: KiGetPastDueIRTimerInfo(x,x,x,x)+4Fj
		pop	esi
		pop	ebp
		retn	8
_KiGetPastDueIRTimerInfo@16 endp


;  S U B	R O U T	I N E 


; __stdcall KiTimer2TypeFlagsToEtwFlags(x)
_KiTimer2TypeFlagsToEtwFlags@4 proc near ; CODE	XREF: KiExpireTimer2+F1FABp
					; KiTraceSetTimer2(x,x,x)+A2p
		mov	al, cl
		and	al, 2
		add	al, al
		test	cl, 4
		jz	short loc_621D40
		or	al, 8

loc_621D40:				; CODE XREF: KiTimer2TypeFlagsToEtwFlags(x)+9j
		test	cl, 8
		jz	short locret_621D47
		or	al, 10h

locret_621D47:				; CODE XREF: KiTimer2TypeFlagsToEtwFlags(x)+10j
		retn
_KiTimer2TypeFlagsToEtwFlags@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiTraceCancelTimer2(x, x)
_KiTraceCancelTimer2@8 proc near	; CODE XREF: KeCancelTimer2+F2036p
					; KeDisableTimer2+F2059p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_10], 0
		xor	edx, edx
		and	[ebp+var_8], 0
		inc	edx
		imul	eax, ecx, 0C8BE1499h
		lea	ecx, [ebp+var_14]
		push	602h
		push	0F6Ah
		push	40020000h
		mov	[ebp+var_C], 4
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KiTraceCancelTimer2@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiTraceSetTimer2(x,	x, x)
_KiTraceSetTimer2@12 proc near		; CODE XREF: KeSetTimer2+F19B9p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		mov	edx, [ebp+arg_0]
		push	edi
		push	0
		mov	eax, [esi+44h]
		mov	edi, [esi+40h]
		mov	bh, [esi+51h]
		mov	[ebp+var_48], eax
		mov	eax, [esi+28h]
		mov	[ebp+var_34], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_30], eax
		mov	eax, [esi+30h]
		mov	[ebp+var_2C], eax
		mov	eax, [esi+34h]
		mov	[ebp+var_28], eax
		mov	eax, [esi+38h]
		mov	[ebp+var_24], eax
		mov	eax, [esi+3Ch]
		mov	[ebp+var_20], eax
		call	_KiUpdateTimer2Flags@12	; KiUpdateTimer2Flags(x,x,x)
		cmp	[ebp+arg_0], 1
		jnz	short loc_621E1D
		test	ds:byte_70EFC6,	1
		jz	short loc_621E13
		mov	edx, [ebp+4]
		mov	ecx, offset _KiTimer2CollectionLock
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_621E1D
; 

loc_621E13:				; CODE XREF: KiTraceSetTimer2(x,x,x)+64j
		xor	ecx, ecx
		mov	eax, offset _KiTimer2CollectionLock
		lock and [eax],	ecx

loc_621E1D:				; CODE XREF: KiTraceSetTimer2(x,x,x)+5Bj
					; KiTraceSetTimer2(x,x,x)+73j
		test	bl, bl
		jz	short loc_621E28
		mov	ecx, esi
		call	_KiTraceCancelTimer2@8 ; KiTraceCancelTimer2(x,x)

loc_621E28:				; CODE XREF: KiTraceSetTimer2(x,x,x)+81j
		imul	eax, esi, 0C8BE1499h
		mov	cl, bh
		mov	[ebp+var_18], edi
		mov	[ebp+var_1C], eax
		imul	eax, [ebp+var_48], 0C8BE1499h
		mov	[ebp+var_14], eax
		call	_KiTimer2TypeFlagsToEtwFlags@4 ; KiTimer2TypeFlagsToEtwFlags(x)
		mov	cl, al
		mov	byte ptr [ebp+var_10], cl
		test	edi, edi
		jz	short loc_621E54
		or	cl, 1
		mov	byte ptr [ebp+var_10], cl

loc_621E54:				; CODE XREF: KiTraceSetTimer2(x,x,x)+AEj
		mov	eax, [ebp+var_24]
		or	eax, [ebp+var_20]
		jz	short loc_621E62
		or	cl, 2
		mov	byte ptr [ebp+var_10], cl

loc_621E62:				; CODE XREF: KiTraceSetTimer2(x,x,x)+BCj
		and	[ebp+var_40], 0
		lea	eax, [ebp+var_34]
		and	[ebp+var_38], 0
		lea	ecx, [ebp+var_44]
		push	(offset	loc_601B01+1)
		push	0F68h
		xor	edx, edx
		mov	[ebp+var_44], eax
		push	40020000h
		inc	edx
		mov	[ebp+var_3C], 28h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_KiTraceSetTimer2@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiTraceSetTimer(x, x, x)
_KiTraceSetTimer@12 proc near		; CODE XREF: KiResumeThread+1681C1p
					; KiAdjustTimerDueTimes+84346p	...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_F		= byte ptr -0Fh
var_E		= word ptr -0Eh
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_15], bl
		mov	eax, [esi+10h]
		movzx	ecx, byte ptr [esi+3]
		mov	[ebp+var_24], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_20], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_14], eax
		mov	al, [esi+1]
		shr	al, 2
		shr	ecx, 1
		mov	[ebp+var_10], al
		and	ecx, 1Fh
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	[ebp+var_1C], esi
		movzx	ecx, byte ptr [eax+3C5h]
		mov	[ebp+var_18], cx
		mov	al, [eax+3C4h]
		mov	[ebp+var_16], al
		mov	eax, large fs:124h
		mov	[ebp+var_15], bl
		mov	[ebp+var_F], bl
		mov	eax, [eax+80h]
		mov	ax, [eax+0E4h]
		mov	[ebp+var_E], ax
		cmp	[ebp+var_10], bl
		jz	short loc_621F31
		mov	al, 1
		mov	[ebp+var_15], al
		jmp	short loc_621F34
; 

loc_621F31:				; CODE XREF: KiTraceSetTimer(x,x,x)+86j
		mov	al, [ebp+var_15]

loc_621F34:				; CODE XREF: KiTraceSetTimer(x,x,x)+8Dj
		test	edi, edi
		jz	short loc_621F3D
		or	al, 2
		mov	[ebp+var_15], al

loc_621F3D:				; CODE XREF: KiTraceSetTimer(x,x,x)+94j
		mov	dl, [ebp+arg_0]
		cmp	[esi+24h], ebx
		jz	short loc_621F4C
		mov	ecx, 0F52h
		jmp	short loc_621F59
; 

loc_621F4C:				; CODE XREF: KiTraceSetTimer(x,x,x)+A1j
		xor	ecx, ecx
		test	dl, dl
		setnz	cl
		add	ecx, 0F53h

loc_621F59:				; CODE XREF: KiTraceSetTimer(x,x,x)+A8j
		lea	eax, [ebp+var_24]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_34], eax
		xor	eax, eax
		test	dl, dl
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_28], ebx
		setnz	al
		xor	edx, edx
		dec	eax
		inc	edx
		and	eax, offset loc_601500
		add	eax, 602h
		push	eax
		push	ecx
		push	40020000h
		lea	ecx, [ebp+var_34]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_KiTraceSetTimer@12 endp


;  S U B	R O U T	I N E 


; __stdcall KiExtendProcessAffinity(x, x)
_KiExtendProcessAffinity@8 proc	near	; CODE XREF: KeStartThread+311p
					; KeSetAffinityThread(x,x)+8Dp
		mov	edi, edi
		push	esi
		movzx	esi, dx
		push	edi
		mov	edi, ds:dword_70E328[esi*4]
		mov	eax, [ecx+esi*4+48h]
		test	eax, eax
		jnz	short loc_621FC4
		or	[ecx+48h], edi
		push	edx
		xor	edx, edx
		call	_KiSetIdealNodeProcessByGroup@12 ; KiSetIdealNodeProcessByGroup(x,x,x)
		jmp	short loc_621FCA
; 

loc_621FC4:				; CODE XREF: KiExtendProcessAffinity(x,x)+14j
		or	eax, edi
		mov	[ecx+esi*4+48h], eax

loc_621FCA:				; CODE XREF: KiExtendProcessAffinity(x,x)+21j
		pop	edi
		pop	esi
		retn
_KiExtendProcessAffinity@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRundownPriQueue(x)
_KeRundownPriQueue@4 proc near		; CODE XREF: ExpWorkQueueDestroy(x)+47p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	byte ptr [ebp+var_4], al
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		push	1
		push	20h
		lea	eax, [esi+110h]
		mov	ecx, esi
		push	eax
		lea	edx, [esi+194h]
		call	KeRundownQueueCommon
		mov	eax, 0FFFFFF7Fh
		lock and [esi],	eax
		mov	ecx, esi
		call	_KiAcquireReleaseObjectRundownLockExclusive@4 ;	KiAcquireReleaseObjectRundownLockExclusive(x)
		push	[ebp+var_4]
		mov	ecx, large fs:20h
		xor	edx, edx
		push	0
		push	1
		call	KiExitDispatcher
		pop	esi
		leave
		retn
_KeRundownPriQueue@4 endp


;  S U B	R O U T	I N E 


; __stdcall KeSetMaximumCountPriQueue(x, x)
_KeSetMaximumCountPriQueue@8 proc near	; CODE XREF: ExpWorkQueueManagerThread+91F8Dp
		test	edx, edx
		jnz	short loc_62202F
		mov	edx, ds:_KeNumberProcessors

loc_62202F:				; CODE XREF: KeSetMaximumCountPriQueue(x,x)+2j
		mov	[ecx+190h], edx
		retn
_KeSetMaximumCountPriQueue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiMonitorCacheErrata(x, x)
@KiMonitorCacheErrata@8	proc near	; DATA XREF: KiInitializeCacheErrataSupport(x)+77o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	edx, large fs:20h
		mov	ecx, ds:_KiCacheErrataMonitor
		push	esi
		mov	byte ptr [ebp+var_1], 0
		imul	eax, [edx+3CCh], 0Ch
		lea	esi, [ecx+38h]
		mov	[ebp+var_10], ecx
		add	esi, eax
		or	eax, 0FFFFFFFFh
		xchg	eax, [esi]
		mov	eax, ds:_KiSanitizedProfileInterval
		sub	[esi+4], eax
		mov	eax, [esi+4]
		test	eax, eax
		jg	loc_62215D
		imul	eax, [esi+8], 0Ch
		add	ecx, 38h
		add	ecx, eax
		cmp	esi, ecx
		jz	loc_622144
		mov	eax, [edx+3CCh]
		lock btr [ecx],	eax
		setb	al
		test	al, al
		jnz	loc_622144
		mov	eax, [esi+8]
		mov	cl, 1Fh
		push	ebx
		push	edi
		xor	edi, edi
		mov	ebx, ds:_KiProcessorBlock[eax*4]
		mov	eax, [ebx+4]
		mov	[ebp+var_C], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_2], al
		lea	eax, [ebx+2224h]
		lock bts dword ptr [eax], 0
		jb	short loc_622113
		mov	ecx, [ebx+4]
		lea	edx, [ebp+var_1]
		mov	[ebp+var_8], ecx
		call	_KiTryToAcquireThreadLock@8 ; KiTryToAcquireThreadLock(x,x)
		test	al, al
		jz	short loc_622108
		mov	edi, [ecx+80h]
		cmp	edi, offset _KiInitialProcess
		jz	short loc_622101
		mov	edx, 61727245h
		mov	ecx, edi
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		mov	ecx, [ebp+var_8]
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_622101:				; CODE XREF: KiMonitorCacheErrata(x,x)+B1j
		mov	dword ptr [ecx+2Ch], 0

loc_622108:				; CODE XREF: KiMonitorCacheErrata(x,x)+A3j
		xor	ecx, ecx
		lea	eax, [ebx+2224h]
		lock and [eax],	ecx

loc_622113:				; CODE XREF: KiMonitorCacheErrata(x,x)+91j
		mov	eax, [ebp+var_C]
		cmp	eax, [ebx+4]
		jnz	short loc_622122
		mov	ecx, ebx
		call	_MmReadProcessPageTables@4 ; MmReadProcessPageTables(x)

loc_622122:				; CODE XREF: KiMonitorCacheErrata(x,x)+E3j
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_622142
		cmp	edi, offset _KiInitialProcess
		jz	short loc_622142
		push	61727245h
		push	edi
		call	ObDereferenceObjectDeferDeleteWithTag

loc_622142:				; CODE XREF: KiMonitorCacheErrata(x,x)+F7j
					; KiMonitorCacheErrata(x,x)+FFj
		pop	edi
		pop	ebx

loc_622144:				; CODE XREF: KiMonitorCacheErrata(x,x)+4Cj
					; KiMonitorCacheErrata(x,x)+61j
		mov	eax, [ebp+var_10]
		xor	edx, edx
		mov	eax, [eax]
		mov	[esi+4], eax
		mov	eax, [esi+8]
		mov	ecx, ds:_KeNumberProcessors
		inc	eax
		div	ecx
		mov	[esi+8], edx

loc_62215D:				; CODE XREF: KiMonitorCacheErrata(x,x)+3Bj
		pop	esi
		leave
		retn
@KiMonitorCacheErrata@8	endp


;  S U B	R O U T	I N E 


; __stdcall KeKeepProcessorAlive(x, x)
_KeKeepProcessorAlive@8	proc near	; CODE XREF: MmReadProcessPageTables(x)+1D1p
		imul	eax, [ecx+3CCh], 0Ch
		push	esi
		push	edi
		mov	edi, ds:_KiCacheErrataMonitor
		or	esi, 0FFFFFFFFh
		mov	dword ptr [ecx+3B00h], 1
		add	eax, 38h
		add	eax, edi
		xchg	esi, [eax]
		imul	eax, [edx+3CCh], 0Ch
		mov	eax, [eax+edi+38h]
		test	[ecx+3C8h], eax
		pop	edi
		setnz	al
		pop	esi
		retn
_KeKeepProcessorAlive@8	endp


;  S U B	R O U T	I N E 


; __stdcall KeQueryImplementedPhysicalBits()
_KeQueryImplementedPhysicalBits@0 proc near
					; CODE XREF: KeQueryKvaShadowInformation(x,x,x):loc_992053p
		mov	eax, ds:_KiImplementedPhysicalBits
		retn
_KeQueryImplementedPhysicalBits@0 endp


;  S U B	R O U T	I N E 


; __stdcall KiDisableCacheErrataSource()
_KiDisableCacheErrataSource@0 proc near	; CODE XREF: KeRestoreProcessorSpecificFeatures():loc_551B9Cp
					; KiInitializeCacheErrataSupport(x)+Ep	...
		mov	ecx, 0C0010015h
		rdmsr
		push	esi
		or	eax, 8
		mov	esi, 0C0011023h
		wrmsr
		mov	ecx, esi
		call	@ReadAMDMsr@4	; ReadAMDMsr(x)
		cmp	ds:_KiTLBCOverride, 1
		jnz	short loc_6221C9
		and	eax, 0FFDFFFFFh
		jmp	short loc_6221CE
; 

loc_6221C9:				; CODE XREF: KiDisableCacheErrataSource()+20j
		or	eax, 800000h

loc_6221CE:				; CODE XREF: KiDisableCacheErrataSource()+27j
		push	edx
		or	eax, 2
		push	eax
		push	esi
		call	_WriteAMDMsr@12	; WriteAMDMsr(x,x,x)
		pop	esi
		retn
_KiDisableCacheErrataSource@0 endp


;  S U B	R O U T	I N E 


; __stdcall KiSanitizeProfileInterval(x)
_KiSanitizeProfileInterval@4 proc near	; CODE XREF: KeSetIntervalProfile(x,x)+4Cp
		mov	eax, ds:_KiCacheErrataMonitor
		mov	edx, [ecx]
		mov	eax, [eax]
		cmp	edx, eax
		jbe	short loc_6221EC
		mov	[ecx], eax
		mov	edx, eax

loc_6221EC:				; CODE XREF: KiSanitizeProfileInterval(x)+Bj
		mov	ds:_KiSanitizedProfileInterval,	edx
		retn
_KiSanitizeProfileInterval@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiCanSelectSoftParkedProcessor(x, x)
@KiCanSelectSoftParkedProcessor@8 proc near
					; CODE XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+3B3p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	ecx, edx
		push	ebx
		xor	ebx, ebx
		cmp	ds:_KeSoftParkedQueueThreshold,	ebx
		jz	short loc_622246
		lea	eax, [ebp+var_C]
		mov	[ebp+var_14], ebx
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_10], ebx
		push	eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_C], ebx
		push	eax
		lea	edx, [ebp+var_4]
		mov	[ebp+var_8], ebx
		call	_KeQueryReadyQueueStatsProcessor@20 ; KeQueryReadyQueueStatsProcessor(x,x,x,x,x)
		mov	ecx, [ebp+var_C]
		add	ecx, [ebp+var_14]
		mov	eax, [ebp+var_8]
		adc	eax, [ebp+var_10]
		mov	edx, ds:_KeSoftParkedQueueThreshold
		cmp	eax, ebx
		jb	short loc_622246
		ja	short loc_622244
		cmp	ecx, edx
		jbe	short loc_622246

loc_622244:				; CODE XREF: KiCanSelectSoftParkedProcessor(x,x)+4Bj
		mov	bl, 1

loc_622246:				; CODE XREF: KiCanSelectSoftParkedProcessor(x,x)+13j
					; KiCanSelectSoftParkedProcessor(x,x)+49j ...
		mov	al, bl
		pop	ebx
		leave
		retn
@KiCanSelectSoftParkedProcessor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall KiSelectCandidateProcessor(x, x, x)
@KiSelectCandidateProcessor@12 proc near ; CODE	XREF: KiChooseTargetProcessor+C8C06p
					; KiHeteroChooseTargetProcessor(x,x,x,x)+484p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, [edx+164h]
		mov	esi, [ebx+338h]
		and	edi, [esi+84h]
		lea	eax, [esi+54h]
		push	eax
		mov	[ebp+var_4], eax
		call	ExAcquireSpinLockSharedAtDpcLevel
		and	edi, [esi+48h]
		mov	eax, edi
		and	eax, [ebp+arg_0]
		jz	short loc_622281
		mov	edi, eax

loc_622281:				; CODE XREF: KiSelectCandidateProcessor(x,x,x)+32j
		test	edi, edi
		jz	short loc_62229D
		movzx	ecx, byte ptr [ebx+3C4h]
		ror	edi, cl
		bsf	eax, edi
		add	eax, ecx
		and	eax, 1Fh
		mov	ebx, ds:_KiProcessorBlock[eax*4]

loc_62229D:				; CODE XREF: KiSelectCandidateProcessor(x,x,x)+38j
		and	[ebp+arg_0], 0
		lea	esi, [ebx+2224h]

loc_6222A7:				; CODE XREF: KiSelectCandidateProcessor(x,x,x)+71j
		lock bts dword ptr [esi], 0
		jnb	short loc_6222BE

loc_6222AE:				; CODE XREF: KiSelectCandidateProcessor(x,x,x)+6Fj
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_6222AE
		jmp	short loc_6222A7
; 

loc_6222BE:				; CODE XREF: KiSelectCandidateProcessor(x,x,x)+61j
		push	[ebp+var_4]
		call	ExReleaseSpinLockSharedFromDpcLevel
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
@KiSelectCandidateProcessor@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeTransitionProcessorParkState(x, x)
_KeTransitionProcessorParkState@8 proc near
					; CODE XREF: KiForceIdleParkUnparkProcessor(x,x)+41p
					; KiForceIdleParkUnparkProcessor(x,x)+ABp ...

var_30		= byte ptr -30h
var_2F		= byte ptr -2Fh
var_2C		= byte ptr -2Ch
var_2B		= byte ptr -2Bh
var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= byte ptr -28h
var_27		= byte ptr -27h
var_26		= byte ptr -26h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ecx
		mov	[esp+34h+var_8], ebx
		mov	[esp+34h+var_4], ebx
		mov	[esp+34h+var_20], ebx
		mov	[esp+0Fh], bl
		mov	ecx, [esi+338h]
		mov	[esp+34h+var_27], bl
		mov	[esp+34h+var_26], bl
		mov	[esp+34h+var_29], bl
		mov	[esp+34h+var_2B], bl
		mov	[esp+34h+var_28], bl
		inc	ebx
		mov	[esp+34h+var_24], ecx
		push	edi
		mov	edi, [esi+3C8h]
		mov	[esp+38h+var_1C], edi
		test	edx, edx
		jnz	short loc_62232C
		test	[ecx+4Ch], edi
		mov	[esp+38h+var_28], bl
		setnz	[esp+38h+var_2A]
		jmp	short loc_622365
; 

loc_62232C:				; CODE XREF: KeTransitionProcessorParkState(x,x)+4Dj
		test	[ecx+48h], edi
		jz	short loc_62234D
		mov	[esp+38h+var_2B], bl
		mov	al, bl
		mov	[esp+38h+var_29], al
		cmp	edx, 2
		jnz	short loc_622346
		mov	[esp+38h+var_2A], bl
		jmp	short loc_622365
; 

loc_622346:				; CODE XREF: KeTransitionProcessorParkState(x,x)+6Fj
		mov	[esp+38h+var_2A], 0
		jmp	short loc_622355
; 

loc_62234D:				; CODE XREF: KeTransitionProcessorParkState(x,x)+60j
		mov	al, [esp+38h+var_29]
		mov	[esp+38h+var_2A], bl

loc_622355:				; CODE XREF: KeTransitionProcessorParkState(x,x)+7Cj
		mov	[esp+38h+var_2B], al
		cmp	edx, ebx
		jnz	short loc_622365
		mov	[esp+38h+var_29], bl
		mov	[esp+38h+var_2B], al

loc_622365:				; CODE XREF: KeTransitionProcessorParkState(x,x)+5Bj
					; KeTransitionProcessorParkState(x,x)+75j ...
		lea	eax, [ecx+54h]
		push	eax
		mov	[esp+3Ch+var_10], eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		and	[esp+38h+var_18], 0
		lea	edi, [esi+2224h]

loc_62237D:				; CODE XREF: KeTransitionProcessorParkState(x,x)+C4j
		lock bts dword ptr [edi], 0
		jnb	short loc_622395

loc_622384:				; CODE XREF: KeTransitionProcessorParkState(x,x)+C2j
		lea	ecx, [esp+38h+var_18]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_622384
		jmp	short loc_62237D
; 

loc_622395:				; CODE XREF: KeTransitionProcessorParkState(x,x)+B3j
		mov	cl, [esp+38h+var_2B]
		mov	edi, [esp+38h+var_1C]
		test	cl, cl
		jnz	short loc_6223A8
		cmp	[esp+38h+var_28], 0
		jz	short loc_622427

loc_6223A8:				; CODE XREF: KeTransitionProcessorParkState(x,x)+D0j
		mov	edx, [esp+38h+var_24]
		add	edx, 48h
		lock xor [edx],	edi
		mov	eax, [esi+4020h]
		test	eax, eax
		jz	short loc_622427
		and	eax, [edx]
		mov	edx, [esi+4024h]
		jnz	short loc_6223CC
		mov	[esp+38h+var_26], bl
		jmp	short loc_622427
; 

loc_6223CC:				; CODE XREF: KeTransitionProcessorParkState(x,x)+F5j
		cmp	eax, edi
		jnz	short loc_6223F3
		movzx	eax, byte ptr [edx+12Ch]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		and	dword ptr [eax+4028h], 0
		mov	al, [esi+3C4h]
		mov	[esi+4028h], ebx
		jmp	short loc_622421
; 

loc_6223F3:				; CODE XREF: KeTransitionProcessorParkState(x,x)+FFj
		cmp	dword ptr [esi+4028h], 0
		jz	short loc_622427
		test	cl, cl
		jz	short loc_622427
		bsr	eax, eax
		mov	[esp+38h+var_14], eax
		mov	eax, ds:_KiProcessorBlock[eax*4]
		and	dword ptr [esi+4028h], 0
		mov	[eax+4028h], ebx
		mov	al, [eax+3C4h]

loc_622421:				; CODE XREF: KeTransitionProcessorParkState(x,x)+122j
		mov	[edx+12Ch], al

loc_622427:				; CODE XREF: KeTransitionProcessorParkState(x,x)+D7j
					; KeTransitionProcessorParkState(x,x)+EBj ...
		cmp	[esp+38h+var_2A], 0
		jz	short loc_622438
		mov	eax, [esp+38h+var_24]
		add	eax, 4Ch
		lock xor [eax],	edi

loc_622438:				; CODE XREF: KeTransitionProcessorParkState(x,x)+15Dj
		push	[esp+38h+var_10]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		cmp	[esp+38h+var_28], 0
		mov	edi, [esi+0Ch]
		jz	loc_6224DA
		movzx	eax, byte ptr [esi+2238h]
		mov	ecx, eax
		test	al, 2
		jz	loc_622571
		sub	eax, 2
		cmp	[esp+38h+var_2A], 0
		jz	short loc_62246D
		lea	eax, [ecx-6]

loc_62246D:				; CODE XREF: KeTransitionProcessorParkState(x,x)+199j
		mov	[esi+2238h], al
		test	eax, eax
		jnz	short loc_622482
		mov	ecx, [esp+38h+var_1C]
		mov	edx, [esp+38h+var_24]
		lock xor [edx],	ecx

loc_622482:				; CODE XREF: KeTransitionProcessorParkState(x,x)+1A6j
		mov	byte ptr [esp+38h+var_24], 0
		test	eax, eax
		jnz	short loc_622495
		mov	[esi+223Bh], bl
		mov	byte ptr [esp+38h+var_24], bl

loc_622495:				; CODE XREF: KeTransitionProcessorParkState(x,x)+1BAj
		push	[esp+38h+var_24]
		mov	edx, edi
		mov	ecx, esi
		push	0
		call	_KiUpdateThreadPriority@16 ; KiUpdateThreadPriority(x,x,x,x)
		xor	ecx, ecx
		lea	eax, [esi+2224h]
		lock and [eax],	ecx
		cmp	byte ptr [esp+38h+var_24], cl
		jz	short loc_6224CC
		cmp	ds:_KeHeteroSystem, ecx
		jz	short loc_6224CC
		cmp	ds:_KeHeteroSystemVirtual, ecx
		jnz	short loc_6224CC
		mov	ecx, esi
		call	_KiSendHeteroRescheduleIntRequest@4 ; KiSendHeteroRescheduleIntRequest(x)

loc_6224CC:				; CODE XREF: KeTransitionProcessorParkState(x,x)+1E4j
					; KeTransitionProcessorParkState(x,x)+1ECj ...
		mov	eax, 0FFDF036Ah
		lock inc word ptr [eax]
		jmp	loc_6226E7
; 

loc_6224DA:				; CODE XREF: KeTransitionProcessorParkState(x,x)+17Aj
		mov	cl, [esp+38h+var_2B]
		test	cl, cl
		jnz	short loc_622510
		cmp	[esp+38h+var_29], cl
		jnz	short loc_622510
		movzx	ecx, byte ptr [esi+2238h]
		mov	eax, ecx
		and	al, 6
		cmp	al, 2
		jnz	short loc_622571
		add	ecx, 4
		lea	eax, [esi+2224h]
		mov	[esi+2238h], cl
		xor	ecx, ecx
		lock and [eax],	ecx
		jmp	loc_6226E7
; 

loc_622510:				; CODE XREF: KeTransitionProcessorParkState(x,x)+211j
					; KeTransitionProcessorParkState(x,x)+217j
		movzx	eax, byte ptr [esi+2238h]
		test	cl, cl
		jz	short loc_622532
		test	al, 6
		jnz	short loc_622571
		add	eax, 2
		cmp	eax, 2
		jnz	short loc_622532
		mov	ecx, [esp+38h+var_1C]
		mov	edx, [esp+38h+var_24]
		lock xor [edx],	ecx

loc_622532:				; CODE XREF: KeTransitionProcessorParkState(x,x)+24Aj
					; KeTransitionProcessorParkState(x,x)+256j
		cmp	[esp+38h+var_2A], 0
		jz	short loc_62253C
		xor	eax, 4

loc_62253C:				; CODE XREF: KeTransitionProcessorParkState(x,x)+268j
		mov	ecx, [esi+8]
		mov	[esi+2238h], al
		test	ecx, ecx
		jz	short loc_622576
		cmp	ecx, edi
		jz	short loc_622576
		and	dword ptr [esi+8], 0
		lea	eax, [ecx+5Ch]
		lock btr dword ptr [eax], 0Ch
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		lea	eax, [ecx+9Ch]
		and	dword ptr [eax], 0
		xor	ecx, ecx
		mov	[esp+38h+var_20], eax
		mov	al, bl
		jmp	short loc_62257A
; 

loc_622571:				; CODE XREF: KeTransitionProcessorParkState(x,x)+18Bj
					; KeTransitionProcessorParkState(x,x)+226j ...
		push	21h
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_622576:				; CODE XREF: KeTransitionProcessorParkState(x,x)+278j
					; KeTransitionProcessorParkState(x,x)+27Cj
		mov	al, [esp+38h+var_27]

loc_62257A:				; CODE XREF: KeTransitionProcessorParkState(x,x)+2A0j
		mov	edx, [esi+4]
		mov	[esp+38h+var_27], bl
		cmp	edx, edi
		jz	short loc_6225C4
		test	ecx, ecx
		jnz	short loc_6225D3
		call	_KiIsDpcThreadActive@0 ; KiIsDpcThreadActive()
		test	eax, eax
		jnz	short loc_6225BD
		mov	[edx+15Dh], bl
		lea	eax, [edx+5Ch]
		lock bts dword ptr [eax], 0Ch
		push	ecx
		mov	edx, ebx
		mov	[esi+8], edi
		mov	ecx, esi
		call	KiSetProcessorIdle
		mov	al, [esi+223Ch]
		not	al
		and	al, bl
		mov	[esp+3Ch+var_29], al
		jmp	short loc_6225D3
; 

loc_6225BD:				; CODE XREF: KeTransitionProcessorParkState(x,x)+2C1j
		mov	[esp+38h+var_27], 0
		jmp	short loc_6225D3
; 

loc_6225C4:				; CODE XREF: KeTransitionProcessorParkState(x,x)+2B4j
		test	al, al
		jz	short loc_6225D3
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	KiSetProcessorIdle

loc_6225D3:				; CODE XREF: KeTransitionProcessorParkState(x,x)+2B8j
					; KeTransitionProcessorParkState(x,x)+2ECj ...
		cmp	[esp+3Ch+var_2F], 0
		jz	loc_6226A9
		push	ebx
		mov	dl, 7Fh
		mov	ecx, edi
		call	KiAbProcessThreadPriorityModification
		cmp	[esp+3Ch+var_2B], 0
		push	7Fh
		pop	ecx
		mov	[edi+87h], cl
		jz	short loc_62261D
		test	byte ptr [edi+2], 4
		jz	short loc_622615
		mov	edx, esi
		mov	ecx, edi
		call	KiIsThreadRankNonZero
		test	al, al
		mov	al, bl
		jnz	short loc_622613
		mov	al, [edi+87h]

loc_622613:				; CODE XREF: KeTransitionProcessorParkState(x,x)+33Cj
		mov	cl, al

loc_622615:				; CODE XREF: KeTransitionProcessorParkState(x,x)+32Dj
		mov	eax, [esi+33Ch]
		mov	[eax], cl

loc_62261D:				; CODE XREF: KeTransitionProcessorParkState(x,x)+327j
		cmp	ds:_KiGroupSchedulingEnabled, 0
		jz	short loc_622654
		and	[esp+3Ch+var_10], 0
		jmp	short loc_622636
; 

loc_62262D:				; CODE XREF: KeTransitionProcessorParkState(x,x)+378j
		lea	ecx, [esp+3Ch+var_10]
		call	KeYieldProcessorEx

loc_622636:				; CODE XREF: KeTransitionProcessorParkState(x,x)+35Cj
		mov	eax, ds:dword_7186C4
		mov	ecx, ds:_KeTickCount
		cmp	eax, ds:dword_7186C8
		jnz	short loc_62262D
		push	eax
		push	ecx
		mov	dl, bl
		mov	ecx, esi
		call	KiGroupSchedulingGenerationEnd

loc_622654:				; CODE XREF: KeTransitionProcessorParkState(x,x)+355j
		lea	eax, [esp+3Ch+var_24]
		push	eax
		lea	edx, [esi+3B20h]
		lea	ecx, [esi+3BE0h]
		call	_KiFlushReadyLists@12 ;	KiFlushReadyLists(x,x,x)
		cmp	[esp+3Ch+var_2A], 0
		jz	short loc_6226A9
		mov	edi, [esi+4024h]
		and	[esp+3Ch+var_C], 0

loc_62267C:				; CODE XREF: KeTransitionProcessorParkState(x,x)+3C3j
		lock bts dword ptr [edi], 0
		jnb	short loc_622694

loc_622683:				; CODE XREF: KeTransitionProcessorParkState(x,x)+3C1j
		lea	ecx, [esp+3Ch+var_C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_622683
		jmp	short loc_62267C
; 

loc_622694:				; CODE XREF: KeTransitionProcessorParkState(x,x)+3B2j
		lea	eax, [esp+3Ch+var_24]
		push	eax
		lea	edx, [edi+4]
		lea	ecx, [edi+8]
		call	_KiFlushReadyLists@12 ;	KiFlushReadyLists(x,x,x)
		xor	eax, eax
		lock and [edi],	eax

loc_6226A9:				; CODE XREF: KeTransitionProcessorParkState(x,x)+309j
					; KeTransitionProcessorParkState(x,x)+3A0j
		xor	ecx, ecx
		lea	eax, [esi+2224h]
		lock and [eax],	ecx
		lea	edx, [esp+3Ch+var_24]
		mov	ecx, esi
		call	_KiReadyDeferredReadyList@8 ; KiReadyDeferredReadyList(x,x)
		mov	dl, 2
		mov	ecx, esi
		call	KiCheckForThreadDispatch
		cmp	[esp+3Ch+var_2F], 0
		jz	short loc_6226D8
		mov	eax, 0FFDF036Ah
		lock dec word ptr [eax]

loc_6226D8:				; CODE XREF: KeTransitionProcessorParkState(x,x)+3FEj
		cmp	[esp+3Ch+var_29], 0
		jz	short loc_6226E7
		mov	cl, 2
		call	ds:__imp_@HalRequestSoftwareInterrupt@4	; HalRequestSoftwareInterrupt(x)

loc_6226E7:				; CODE XREF: KeTransitionProcessorParkState(x,x)+206j
					; KeTransitionProcessorParkState(x,x)+23Cj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_KeTransitionProcessorParkState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiFlushReadyLists(x, x, x)
_KiFlushReadyLists@12 proc near		; CODE XREF: KeTransitionProcessorParkState(x,x)+396p
					; KeTransitionProcessorParkState(x,x)+3D0p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_10], ecx
		push	esi
		mov	[ebp+var_C], ebx
		mov	esi, [ebx]
		test	esi, esi
		jz	short loc_622767
		push	edi

loc_622707:				; CODE XREF: KiFlushReadyLists(x,x,x)+73j
		and	[ebp+var_8], 0
		bsf	eax, esi
		lea	ecx, [ecx+eax*8]
		mov	edi, [ecx]
		lea	eax, [esi-1]
		and	esi, eax
		mov	[ebp+var_8], esi
		cmp	[edi+4], ecx
		jnz	short loc_62276D
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_62276D
		mov	ebx, [ebp+arg_0]
		mov	esi, edi
		mov	[eax], edi
		mov	[edi+4], eax
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	[ebp+var_4], edi

loc_622739:				; CODE XREF: KiFlushReadyLists(x,x,x)+66j
		lea	ecx, [edi-9Ch]
		mov	edx, edi
		or	dword ptr [ecx+58h], 2
		mov	edi, [edi]
		call	_KiEnterDeferredReadyState@4 ; KiEnterDeferredReadyState(x)
		mov	eax, [ebx]
		mov	[edx], eax
		mov	[ebx], edx
		cmp	edi, esi
		jnz	short loc_622739
		mov	esi, [ebp+var_8]
		mov	ebx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		test	esi, esi
		jnz	short loc_622707
		and	dword ptr [ebx], 0
		pop	edi

loc_622767:				; CODE XREF: KiFlushReadyLists(x,x,x)+16j
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_62276D:				; CODE XREF: KiFlushReadyLists(x,x,x)+30j
					; KiFlushReadyLists(x,x,x)+37j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall KiEmulateAtlThunk(x, x, x, x, x)
_KiEmulateAtlThunk@20:			; CODE XREF: KiCheckForAtlThunk(x,x)+31p
		push	28h
		push	offset dword_6A8740
		call	__SEH_prolog4
		mov	[ebp+var_34], edx
		mov	edi, ecx
		mov	[ebp+var_28], edi
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	byte ptr [eax+6Bh], 4
		jz	short loc_62279F
		xor	eax, eax
		jmp	loc_6229B0
; 

loc_62279F:				; CODE XREF: KiFlushReadyLists(x,x,x)+A8j
		mov	esi, [edi]
		mov	eax, [edx]
		mov	[ebp+var_20], eax
		xor	edx, edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_4], edx
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_6227BB
		mov	ecx, eax

loc_6227BB:				; CODE XREF: KiFlushReadyLists(x,x,x)+C9j
		nop
		mov	al, [ecx]
		mov	eax, large fs:18h
		add	eax, 0FCAh
		mov	[ebp+var_38], eax
		movzx	ecx, word ptr [eax]
		xor	ebx, ebx
		inc	ebx
		test	cl, bl
		jz	short loc_6227E4
		mov	[ebp+var_19], bl
		and	ecx, 0FFFEh
		mov	[eax], cx
		jmp	short loc_6227E7
; 

loc_6227E4:				; CODE XREF: KiFlushReadyLists(x,x,x)+E6j
		mov	[ebp+var_19], dl

loc_6227E7:				; CODE XREF: KiFlushReadyLists(x,x,x)+F4j
		cmp	dword ptr [esi], 42444C7h
		jnz	short loc_622842
		cmp	byte ptr [esi+8], 0E9h
		jnz	short loc_622842
		mov	eax, [esi+9]
		add	eax, 0Dh
		add	eax, esi
		mov	[ebp+arg_4], eax
		mov	[ebp+var_2C], eax
		push	ebx
		push	eax
		mov	edx, [ebp+var_20]
		mov	ecx, esi
		call	_MmCheckForSafeExecution@16 ; MmCheckForSafeExecution(x,x,x,x)
		test	al, al
		jz	loc_6229A6
		cmp	[ebp+var_19], 0
		jz	loc_6229A6
		mov	edx, [esi+4]
		mov	eax, [ebp+var_20]
		add	eax, 4
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_622836
		mov	eax, ecx

loc_622836:				; CODE XREF: KiFlushReadyLists(x,x,x)+144j
		mov	[eax], edx
		mov	eax, [ebp+arg_4]

loc_62283B:				; CODE XREF: KiFlushReadyLists(x,x,x)+194j
		mov	[edi], eax
		jmp	loc_62299A
; 

loc_622842:				; CODE XREF: KiFlushReadyLists(x,x,x)+FFj
					; KiFlushReadyLists(x,x,x)+105j
		mov	al, [esi]
		cmp	al, 0B9h
		jnz	short loc_622884
		cmp	byte ptr [esi+5], 0E9h
		jnz	short loc_622884
		mov	eax, [esi+6]
		add	eax, 0Ah
		add	eax, esi
		mov	[ebp+arg_0], eax
		push	ebx
		push	eax
		mov	edx, [ebp+var_20]
		mov	ecx, esi
		call	_MmCheckForSafeExecution@16 ; MmCheckForSafeExecution(x,x,x,x)
		test	al, al
		jz	loc_6229A6
		cmp	[ebp+var_19], 0
		jz	loc_6229A6
		mov	ecx, [esi+1]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	eax, [ebp+arg_0]
		jmp	short loc_62283B
; 

loc_622884:				; CODE XREF: KiFlushReadyLists(x,x,x)+158j
					; KiFlushReadyLists(x,x,x)+15Ej
		cmp	al, 0BAh
		jnz	short loc_6228C7
		cmp	byte ptr [esi+5], 0B9h
		jnz	short loc_6228C7
		mov	ecx, 0E1FFh
		cmp	[esi+0Ah], cx
		jnz	short loc_6228C7
		mov	edi, [esi+6]
		push	edx
		push	edi
		mov	edx, [ebp+var_20]
		mov	ecx, esi
		call	_MmCheckForSafeExecution@16 ; MmCheckForSafeExecution(x,x,x,x)
		test	al, al
		jz	loc_6229A6
		mov	ecx, [esi+1]
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]

loc_6228BB:				; CODE XREF: KiFlushReadyLists(x,x,x)+21Aj
		mov	[eax], edi
		mov	eax, [ebp+var_28]
		mov	[eax], edi
		jmp	loc_62299A
; 

loc_6228C7:				; CODE XREF: KiFlushReadyLists(x,x,x)+198j
					; KiFlushReadyLists(x,x,x)+19Ej ...
		cmp	al, 0B9h
		jnz	short loc_62290A
		cmp	byte ptr [esi+5], 0B8h
		jnz	short loc_62290A
		mov	ecx, 0E0FFh
		cmp	[esi+0Ah], cx
		jnz	short loc_62290A
		mov	edi, [esi+6]
		push	ebx
		push	edi
		mov	edx, [ebp+var_20]
		mov	ecx, esi
		call	_MmCheckForSafeExecution@16 ; MmCheckForSafeExecution(x,x,x,x)
		test	al, al
		jz	loc_6229A6
		cmp	[ebp+var_19], 0
		jz	loc_6229A6
		mov	ecx, [esi+1]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	eax, [ebp+arg_0]
		jmp	short loc_6228BB
; 

loc_62290A:				; CODE XREF: KiFlushReadyLists(x,x,x)+1DBj
					; KiFlushReadyLists(x,x,x)+1E1j ...
		cmp	al, 59h
		jnz	loc_6229A6
		cmp	byte ptr [esi+1], 58h
		jnz	loc_6229A6
		cmp	byte ptr [esi+2], 51h
		jnz	loc_6229A6
		cmp	byte ptr [esi+3], 0FFh
		jnz	short loc_6229A6
		cmp	byte ptr [esi+4], 60h
		jnz	short loc_6229A6
		cmp	byte ptr [esi+5], 4
		jnz	short loc_6229A6
		mov	eax, [ebp+var_20]
		add	eax, 4
		mov	[ebp+arg_8], eax
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_62294D
		mov	eax, ecx

loc_62294D:				; CODE XREF: KiFlushReadyLists(x,x,x)+25Bj
		nop
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		add	eax, 4
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_622962
		mov	eax, ecx

loc_622962:				; CODE XREF: KiFlushReadyLists(x,x,x)+270j
		nop
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		push	edx
		push	eax
		mov	edx, [ebp+var_20]
		mov	ecx, esi
		call	_MmCheckForSafeExecution@16 ; MmCheckForSafeExecution(x,x,x,x)
		test	al, al
		jz	short loc_6229A6
		mov	eax, [ebp+var_20]
		mov	eax, [eax]
		mov	edx, [ebp+arg_4]
		mov	[edx], eax
		mov	esi, [ebp+arg_8]
		mov	ecx, [esi]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	eax, [edx]
		mov	[esi], eax
		mov	eax, [ebp+var_30]
		mov	[edi], eax
		mov	eax, [ebp+var_34]
		mov	[eax], esi

loc_62299A:				; CODE XREF: KiFlushReadyLists(x,x,x)+14Fj
					; KiFlushReadyLists(x,x,x)+1D4j
		mov	[ebp+var_24], ebx
		jmp	short loc_6229A6
; 

loc_62299F:				; DATA XREF: .text:006A8754o
		xor	eax, eax
		inc	eax
		retn
; 

loc_6229A3:				; DATA XREF: .text:006A8758o
		mov	esp, [ebp+var_18]

loc_6229A6:				; CODE XREF: KiFlushReadyLists(x,x,x)+123j
					; KiFlushReadyLists(x,x,x)+12Dj ...
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_24]

loc_6229B0:				; CODE XREF: KiFlushReadyLists(x,x,x)+ACj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_KiFlushReadyLists@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepLoadShimProvider(x)
_KsepLoadShimProvider@4	proc near	; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+D7p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	edx, edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		push	esi
		test	ecx, ecx
		jnz	short loc_6229DE
		mov	eax, 0C000000Dh
		jmp	short loc_622A2D
; 

loc_6229DE:				; CODE XREF: KsepLoadShimProvider(x)+13j
		test	byte ptr [ecx+28h], 2
		jnz	short loc_6229EB
		mov	eax, 0C00000BBh
		jmp	short loc_622A2D
; 

loc_6229EB:				; CODE XREF: KsepLoadShimProvider(x)+20j
		mov	eax, [ecx+1Ch]
		test	eax, eax
		jnz	short loc_6229F9
		mov	eax, 0C0000001h
		jmp	short loc_622A2D
; 

loc_6229F9:				; CODE XREF: KsepLoadShimProvider(x)+2Ej
		push	edx		; int
		push	eax		; void *
		mov	edx, (offset loc_5A4F45+5)
		lea	ecx, [ebp+var_8]
		call	KsepStringConcatenate
		mov	esi, eax
		test	esi, esi
		js	short loc_622A23
		lea	eax, [ebp+var_8]
		push	eax
		call	_ZwLoadDriver@4	; ZwLoadDriver(x)
		lea	esi, [eax+3FFFFEF2h]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_622A23:				; CODE XREF: KsepLoadShimProvider(x)+4Aj
		lea	ecx, [ebp+var_8]
		call	KsepStringFree
		mov	eax, esi

loc_622A2D:				; CODE XREF: KsepLoadShimProvider(x)+1Aj
					; KsepLoadShimProvider(x)+27j ...
		pop	esi
		leave
		retn
_KsepLoadShimProvider@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseSetCompletionHook(x, x, x, x)
_KseSetCompletionHook@16 proc near	; DATA XREF: KsepEngineInitialize+63o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	18h
		pop	ecx
		call	_KsepPoolAllocateNonPaged@4 ; KsepPoolAllocateNonPaged(x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_622A4A
		mov	eax, 0C000009Ah
		jmp	short loc_622A84
; 

loc_622A4A:				; CODE XREF: KseSetCompletionHook(x,x,x,x)+11j
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+60h]
		mov	eax, [ebp+arg_0]
		mov	[edx], eax
		mov	eax, [ebp+arg_8]
		mov	[edx+4], eax
		mov	eax, [ebp+arg_C]
		mov	[edx+8], eax
		mov	eax, [ecx+1Ch]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+20h]
		mov	[edx+10h], eax
		movzx	eax, byte ptr [ecx+3]
		mov	[edx+14h], eax
		xor	eax, eax
		mov	dword ptr [ecx+1Ch], offset _KsepCompletionSafeWrapper@12 ; KsepCompletionSafeWrapper(x,x,x)
		mov	[ecx+20h], edx
		mov	byte ptr [ecx+3], 0E0h

loc_622A84:				; CODE XREF: KseSetCompletionHook(x,x,x,x)+18j
		pop	ebp
		retn	10h
_KseSetCompletionHook@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepCompletionSafeWrapper(x, x, x)
_KsepCompletionSafeWrapper@12 proc near	; DATA XREF: KseSetCompletionHook(x,x,x,x)+46o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_622AAB
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_622AAB
		push	dword ptr [esi+8]
		push	edi
		push	dword ptr [esi]
		call	eax

loc_622AAB:				; CODE XREF: KsepCompletionSafeWrapper(x,x,x)+12j
					; KsepCompletionSafeWrapper(x,x,x)+19j
		mov	eax, [esi+14h]
		cmp	[edi+18h], ebx
		jl	short loc_622AE4
		test	al, 40h
		jz	short loc_622AE8

loc_622AB7:				; CODE XREF: KsepCompletionSafeWrapper(x,x,x)+5Ej
					; KsepCompletionSafeWrapper(x,x,x)+67j
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_622AC9
		push	dword ptr [esi+10h]
		push	edi
		push	[ebp+arg_0]
		call	eax
		mov	ebx, eax

loc_622AC9:				; CODE XREF: KsepCompletionSafeWrapper(x,x,x)+34j
					; KsepCompletionSafeWrapper(x,x,x)+6Cj	...
		push	6245534Bh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lock inc ds:dword_6C6FAC
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_622AE4:				; CODE XREF: KsepCompletionSafeWrapper(x,x,x)+29j
		test	al, al
		js	short loc_622AB7

loc_622AE8:				; CODE XREF: KsepCompletionSafeWrapper(x,x,x)+2Dj
		cmp	[edi+24h], bl
		jz	short loc_622AF1
		test	al, 20h
		jnz	short loc_622AB7

loc_622AF1:				; CODE XREF: KsepCompletionSafeWrapper(x,x,x)+63j
		cmp	[edi+21h], bl
		jz	short loc_622AC9
		mov	eax, [edi+60h]
		mov	ebx, 103h
		or	byte ptr [eax+3], 1
		jmp	short loc_622AC9
_KsepCompletionSafeWrapper@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl KsepDebugPrint(int,char *,char)
_KsepDebugPrint	proc near		; CODE XREF: KseDriverLoadImage(x)+123p
					; KseDriverLoadImage(x)+17Ep ...

arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1		; char
		lea	eax, [ebp+arg_8]
		mov	ecx, offset ??_C@_00CNPNBAHC@@FNODOBFM@
		push	eax		; va_list
		push	[ebp+arg_4]	; char *
		push	0		; int
		push	65h
		pop	edx
		call	vDbgPrintExWithPrefixInternal
		pop	ebp
		retn
_KsepDebugPrint	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepEvntLogShimsApplied(x, x, x)
_KsepEvntLogShimsApplied@12 proc near	; CODE XREF: KseDriverLoadImage(x)+B8p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_68], 0
		and	[ebp+var_58], 0
		push	ebx
		push	esi
		mov	[ebp+var_64], ecx
		mov	ebx, edx
		mov	ecx, ds:_KseEtwHandle
		xor	esi, esi
		mov	edx, ds:dword_6FD4D4
		mov	eax, ecx
		or	eax, edx
		mov	[ebp+var_78], ebx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_50], edi
		mov	[ebp+var_70], esi
		jz	loc_622D11
		push	offset _KseShimsApplied
		push	edx
		push	ecx
		call	EtwEventEnabled
		test	al, al
		jz	loc_622D11
		test	edi, edi
		jz	loc_622D11
		test	ebx, ebx
		jz	loc_622D11
		cmp	[ebp+var_64], esi
		jz	loc_622D11
		imul	ecx, edi, 56h
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	edi, eax
		mov	[ebp+var_74], edi
		test	edi, edi
		jz	loc_622D11
		mov	eax, [ebp+var_50]
		and	[ebp+var_5C], esi
		lea	ecx, [edi+eax*8]
		mov	[ebp+var_6C], ecx
		test	eax, eax
		jz	loc_622CEC
		mov	ecx, ebx
		mov	esi, edi
		mov	bx, word ptr [ebp+var_68]
		mov	edi, [ebp+var_6C]
		push	4Eh
		mov	[ebp+var_60], ecx
		pop	edx

loc_622BD0:				; CODE XREF: KsepEvntLogShimsApplied(x,x,x)+E7j
		and	dword ptr [esi], 0
		mov	[esi+4], edi
		add	edi, edx
		mov	[esi+2], dx
		mov	edx, esi
		push	0
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	ax, [esi]
		add	esi, 8
		push	4
		pop	ecx
		add	ax, cx
		mov	ecx, [ebp+var_60]
		add	bx, ax
		add	ecx, 34h
		mov	eax, [ebp+var_5C]
		inc	eax
		mov	[ebp+var_60], ecx
		push	4Eh
		mov	[ebp+var_5C], eax
		pop	edx
		cmp	eax, [ebp+var_50]
		jb	short loc_622BD0
		mov	esi, [ebp+var_70]
		mov	edi, [ebp+var_74]
		test	bx, bx
		jz	loc_622CEC
		movzx	ecx, bx
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	esi, eax
		mov	[ebp+var_54], esi
		test	esi, esi
		jz	loc_622CEC
		xor	edx, edx
		mov	word ptr [ebp+var_58+2], bx
		mov	ebx, edx
		cmp	[ebp+var_50], edx
		jbe	short loc_622C81
		mov	esi, edi

loc_622C3F:				; CODE XREF: KsepEvntLogShimsApplied(x,x,x)+157j
		push	esi
		lea	eax, [ebp+var_58]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		test	eax, eax
		js	loc_622D22
		mov	ecx, [ebp+var_50]
		lea	eax, [ecx-1]
		cmp	ebx, eax
		jz	short loc_622C74
		push	offset ??_C@_13LBAGMAIH@?$AA?6@FNODOBFM@ ; void	*
		lea	eax, [ebp+var_58]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		test	eax, eax
		js	loc_622D22
		mov	ecx, [ebp+var_50]

loc_622C74:				; CODE XREF: KsepEvntLogShimsApplied(x,x,x)+136j
		inc	ebx
		add	esi, 8
		cmp	ebx, ecx
		jb	short loc_622C3F
		mov	esi, [ebp+var_54]
		xor	edx, edx

loc_622C81:				; CODE XREF: KsepEvntLogShimsApplied(x,x,x)+118j
		mov	ecx, [ebp+var_64]
		push	4
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	eax, [ecx+4]
		mov	[ebp+var_4C], eax
		movzx	eax, word ptr [ecx]
		add	eax, 2
		mov	[ebp+var_38], edx
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_78]
		add	eax, 2Ch
		mov	[ebp+var_30], edx
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_2C], eax
		movzx	eax, word ptr [ebp+var_58]
		pop	ecx
		add	eax, 2
		mov	[ebp+var_34], ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	ecx
		push	edx
		push	offset _KseShimsApplied
		push	ds:dword_6FD4D4
		mov	[ebp+var_28], edx
		push	ds:_KseEtwHandle
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_622CEC:				; CODE XREF: KsepEvntLogShimsApplied(x,x,x)+96j
					; KsepEvntLogShimsApplied(x,x,x)+F2j ...
		mov	ebx, 6145534Bh
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lock inc ds:dword_6C6FA4
		test	esi, esi
		jz	short loc_622D11
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lock inc ds:dword_6C6FA4

loc_622D11:				; CODE XREF: KsepEvntLogShimsApplied(x,x,x)+40j
					; KsepEvntLogShimsApplied(x,x,x)+54j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_622D22:				; CODE XREF: KsepEvntLogShimsApplied(x,x,x)+128j
					; KsepEvntLogShimsApplied(x,x,x)+148j
		mov	esi, [ebp+var_54]
		jmp	short loc_622CEC
_KsepEvntLogShimsApplied@12 endp


;  S U B	R O U T	I N E 


; __stdcall KsepPoolAllocateNonPaged(x)
_KsepPoolAllocateNonPaged@4 proc near	; CODE XREF: KseSetCompletionHook(x,x,x,x)+8p
					; KseShimDriverIoCallbacks+B06C2p
		mov	edi, edi
		push	esi
		push	edi
		push	6245534Bh
		mov	edi, ecx
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_622D58
		lock inc ds:dword_6C6FA8
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_622D5F
; 

loc_622D58:				; CODE XREF: KsepPoolAllocateNonPaged(x)+1Aj
		lock inc ds:dword_6C6FB4

loc_622D5F:				; CODE XREF: KsepPoolAllocateNonPaged(x)+2Fj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_KsepPoolAllocateNonPaged@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepCacheHwIdFree(x)
_KsepCacheHwIdFree@4 proc near		; DATA XREF: KsepEngineInitialize+3Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_622D8B
		lea	ecx, [esi+14h]
		call	KsepStringFree
		push	6145534Bh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lock inc ds:dword_6C6FA4

loc_622D8B:				; CODE XREF: KsepCacheHwIdFree(x)+Bj
		pop	esi
		pop	ebp
		retn	4
_KsepCacheHwIdFree@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KseHookExAllocatePoolWithTag(int,size_t,int)
_KseHookExAllocatePoolWithTag@12 proc near ; DATA XREF:	.data:006B31E4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:dword_6B31E8
		mov	esi, eax
		test	esi, esi
		jz	short loc_622DB9
		push	[ebp+arg_4]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_622DB9:				; CODE XREF: KseHookExAllocatePoolWithTag(x,x,x)+19j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
_KseHookExAllocatePoolWithTag@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsCallbackHookAddDevice(x, x)
_KseDsCallbackHookAddDevice@8 proc near	; DATA XREF: .data:006B3318o

var_420		= dword	ptr -420h
var_41C		= dword	ptr -41Ch
var_414		= dword	ptr -414h
var_410		= dword	ptr -410h
var_40C		= dword	ptr -40Ch
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 414h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+414h+var_4], eax
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[esp+41Ch+var_414], eax
		mov	[esp+41Ch+var_410], eax
		mov	[esp+41Ch+var_40C], eax
		mov	eax, ds:dword_6B2EA4
		push	edi
		mov	edi, [ebp+arg_4]
		push	esi
		call	dword ptr [eax]
		push	edi
		push	esi
		call	dword ptr [eax+0Ch]
		mov	ebx, eax
		lea	eax, [esp+42Ch+var_420]
		push	eax
		lea	eax, [esp+430h+var_414]
		push	eax
		push	400h
		push	1
		push	edi
		call	IoGetDeviceProperty
		test	eax, eax
		lea	eax, [esp+42Ch+var_414]
		jns	short loc_622E26
		mov	eax, offset ??_C@_1BA@CIBIBIEE@?$AA?$DM?$AAe?$AAr?$AAr?$AAo?$AAr?$AA?$DO@FNODOBFM@

loc_622E26:				; CODE XREF: KseDsCallbackHookAddDevice(x,x)+5Fj
		push	eax
		lea	eax, [esp+430h+var_41C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [esi+10h]
		lea	eax, [esp+42Ch+var_41C]
		mov	ecx, [esi+0Ch]
		push	eax
		mov	eax, [esi+18h]
		add	eax, 0Ch
		push	eax
		push	ebx
		push	edi
		push	esi
		call	_KsepDsEventAddDevice@28 ; KsepDsEventAddDevice(x,x,x,x,x,x,x)
		mov	ecx, [esp+42Ch+var_10]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_KseDsCallbackHookAddDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsCallbackHookDriverStartIo(x, x)
_KseDsCallbackHookDriverStartIo@8 proc near ; DATA XREF: .data:006B32F8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:dword_6B2EA4
		push	esi
		mov	esi, [ebp+arg_0]
		push	dword ptr [esi+8]
		call	dword ptr [eax]
		push	[ebp+arg_4]
		push	esi
		call	dword ptr [eax+4]
		push	[ebp+arg_4]
		mov	ecx, [esi+8]
		mov	edx, esi
		call	_KsepDsEventDriverStartIo@12 ; KsepDsEventDriverStartIo(x,x,x)
		pop	esi
		pop	ebp
		retn	8
_KseDsCallbackHookDriverStartIo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsCallbackHookDriverUnload(x)
_KseDsCallbackHookDriverUnload@4 proc near ; DATA XREF:	.data:006B3308o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:dword_6B2EA4
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi
		call	dword ptr [eax]
		push	esi
		call	dword ptr [eax+8]
		mov	edx, [esi+0Ch]
		mov	ecx, esi
		call	_KsepDsEventDriverUnload@8 ; KsepDsEventDriverUnload(x,x)
		pop	esi
		pop	ebp
		retn	4
_KseDsCallbackHookDriverUnload@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsCallbackHookIrpDeviceControlFunction(x, x)
_KseDsCallbackHookIrpDeviceControlFunction@8 proc near ; DATA XREF: .data:006B3358o
					; .data:006B3368o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		push	dword ptr [ebx+8]
		mov	eax, [esi+60h]
		movzx	edi, byte ptr [eax]
		mov	eax, ds:dword_6B2EA4
		call	dword ptr [eax]
		push	esi
		push	ebx
		call	dword ptr [eax+edi*4+10h]
		mov	ecx, [ebx+8]
		mov	esi, eax
		push	esi
		push	edi
		push	[ebp+arg_4]
		mov	edx, ebx
		call	_KsepDsEventDataIrp@20 ; KsepDsEventDataIrp(x,x,x,x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_KseDsCallbackHookIrpDeviceControlFunction@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsCallbackHookIrpFunction(x, x)
_KseDsCallbackHookIrpFunction@8	proc near ; DATA XREF: .data:006B3328o
					; .data:006B3338o ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [ebx+60h]
		push	dword ptr [edi+8]
		movzx	esi, byte ptr [eax]
		mov	eax, ds:dword_6B2EA4
		call	dword ptr [eax]
		push	ebx
		push	edi
		call	dword ptr [eax+esi*4+10h]
		mov	ebx, eax
		cmp	esi, 3
		jz	short loc_622F22
		cmp	esi, 4
		jnz	short loc_622F31

loc_622F22:				; CODE XREF: KseDsCallbackHookIrpFunction(x,x)+29j
		mov	ecx, [edi+8]
		mov	edx, edi
		push	ebx
		push	esi
		push	[ebp+arg_4]
		call	_KsepDsEventDataIrp@20 ; KsepDsEventDataIrp(x,x,x,x,x)

loc_622F31:				; CODE XREF: KseDsCallbackHookIrpFunction(x,x)+2Ej
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	8
_KseDsCallbackHookIrpFunction@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsCallbackHookIrpPnpFunction(x, x)
_KseDsCallbackHookIrpPnpFunction@8 proc	near ; DATA XREF: .data:006B3388o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, [edi+60h]
		movzx	esi, byte ptr [eax]
		movzx	eax, byte ptr [eax+1]
		mov	[ebp+arg_4], eax
		test	eax, eax
		jnz	short loc_622F62
		push	0
		push	offset _KseDsCompletionHookForStartDevice@12 ; KseDsCompletionHookForStartDevice(x,x,x)
		jmp	short loc_622F6E
; 

loc_622F62:				; CODE XREF: KseDsCallbackHookIrpPnpFunction(x,x)+1Dj
		cmp	eax, 4
		jnz	short loc_622F78
		push	0
		push	offset _KseDsCompletionHookForStopDevice@12 ; KseDsCompletionHookForStopDevice(x,x,x)

loc_622F6E:				; CODE XREF: KseDsCallbackHookIrpPnpFunction(x,x)+26j
		mov	eax, ds:dword_6B2EA4
		push	edi
		push	ebx
		call	dword ptr [eax+4]

loc_622F78:				; CODE XREF: KseDsCallbackHookIrpPnpFunction(x,x)+2Bj
		mov	eax, ds:dword_6B2EA4
		push	dword ptr [ebx+8]
		call	dword ptr [eax]
		push	edi
		push	ebx
		call	dword ptr [eax+esi*4+10h]
		mov	ecx, [ebx+8]
		mov	esi, eax
		push	esi
		push	[ebp+arg_4]
		mov	edx, ebx
		push	edi
		call	_KsepDsEventPnpIrp@20 ;	KsepDsEventPnpIrp(x,x,x,x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_KseDsCallbackHookIrpPnpFunction@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsCallbackHookIrpPowerFunction(x, x)
_KseDsCallbackHookIrpPowerFunction@8 proc near ; DATA XREF: .data:006B3378o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	edx, [ecx+60h]
		xor	esi, esi
		push	edi
		xor	edi, edi
		movzx	eax, byte ptr [edx]
		mov	[ebp+var_4], eax
		movzx	eax, byte ptr [edx+1]
		mov	[ebp+var_8], eax
		cmp	eax, 3
		jz	short loc_622FD0
		cmp	eax, 2
		jnz	short loc_622FEC

loc_622FD0:				; CODE XREF: KseDsCallbackHookIrpPowerFunction(x,x)+27j
		mov	edi, [edx+8]
		mov	esi, [edx+0Ch]
		cmp	edi, 1
		jnz	short loc_622FEC
		mov	eax, ds:dword_6B2EA4
		push	0
		push	offset _KseDsCompletionHookForPowerDevice@12 ; KseDsCompletionHookForPowerDevice(x,x,x)
		push	ecx
		push	ebx
		call	dword ptr [eax+4]

loc_622FEC:				; CODE XREF: KseDsCallbackHookIrpPowerFunction(x,x)+2Cj
					; KseDsCallbackHookIrpPowerFunction(x,x)+37j
		mov	eax, ds:dword_6B2EA4
		push	dword ptr [ebx+8]
		call	dword ptr [eax]
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_4]
		push	ebx
		call	dword ptr [eax+ecx*4+10h]
		mov	ecx, eax
		mov	eax, [ebp+var_8]
		mov	[ebp+arg_0], ecx
		cmp	eax, 3
		jz	short loc_623013
		cmp	eax, 2
		jnz	short loc_623046

loc_623013:				; CODE XREF: KseDsCallbackHookIrpPowerFunction(x,x)+6Aj
		sub	edi, 0
		jz	short loc_623031
		sub	edi, 1
		jnz	short loc_623046
		push	ecx
		mov	ecx, [ebx+8]
		mov	edx, ebx
		push	esi
		push	1
		push	eax
		push	[ebp+arg_4]
		call	_KsepDsEventDevicePowerIrp@28 ;	KsepDsEventDevicePowerIrp(x,x,x,x,x,x,x)
		jmp	short loc_623043
; 

loc_623031:				; CODE XREF: KseDsCallbackHookIrpPowerFunction(x,x)+74j
		push	ecx
		mov	ecx, [ebx+8]
		mov	edx, ebx
		push	esi
		push	0
		push	eax
		push	[ebp+arg_4]
		call	_KsepDsEventSystemPowerIrp@28 ;	KsepDsEventSystemPowerIrp(x,x,x,x,x,x,x)

loc_623043:				; CODE XREF: KseDsCallbackHookIrpPowerFunction(x,x)+8Dj
		mov	ecx, [ebp+arg_0]

loc_623046:				; CODE XREF: KseDsCallbackHookIrpPowerFunction(x,x)+6Fj
					; KseDsCallbackHookIrpPowerFunction(x,x)+79j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	8
_KseDsCallbackHookIrpPowerFunction@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsCompletionHookForPowerDevice(x, x, x)
_KseDsCompletionHookForPowerDevice@12 proc near
					; DATA XREF: KseDsCallbackHookIrpPowerFunction(x,x)+40o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		push	dword ptr [eax+18h]
		mov	ecx, [ecx+8]
		push	eax
		call	_KsepDsEventDevicePowerCompleted@16 ; KsepDsEventDevicePowerCompleted(x,x,x,x)
		pop	ebp
		retn	0Ch
_KseDsCompletionHookForPowerDevice@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsCompletionHookForStartDevice(x, x, x)
_KseDsCompletionHookForStartDevice@12 proc near
					; DATA XREF: KseDsCallbackHookIrpPnpFunction(x,x)+21o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		push	dword ptr [eax+18h]
		mov	ecx, [ecx+8]
		push	eax
		call	_KsepDsEventPnpStartDevice@16 ;	KsepDsEventPnpStartDevice(x,x,x,x)
		pop	ebp
		retn	0Ch
_KseDsCompletionHookForStartDevice@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsCompletionHookForStopDevice(x,	x, x)
_KseDsCompletionHookForStopDevice@12 proc near
					; DATA XREF: KseDsCallbackHookIrpPnpFunction(x,x)+2Fo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		push	dword ptr [eax+18h]
		mov	ecx, [ecx+8]
		push	eax
		call	_KsepDsEventPnpStopDevice@16 ; KsepDsEventPnpStopDevice(x,x,x,x)
		pop	ebp
		retn	0Ch
_KseDsCompletionHookForStopDevice@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsHookDriverTargeted(x, x, x, x,	x)
_KseDsHookDriverTargeted@20 proc near	; DATA XREF: .data:006B2EACo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_8]
		call	_KsepDsEventDriverLoad@20 ; KsepDsEventDriverLoad(x,x,x,x,x)
		xor	eax, eax
		pop	ebp
		retn	14h
_KseDsHookDriverTargeted@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsHookDriverUntargeted(x)
_KseDsHookDriverUntargeted@4 proc near	; DATA XREF: .data:006B2EA8o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		call	_KsepDsEventDriverUnload@8 ; KsepDsEventDriverUnload(x,x)
		xor	eax, eax
		pop	ebp
		retn	4
_KseDsHookDriverUntargeted@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsHookExAllocatePool(x, x)
_KseDsHookExAllocatePool@8 proc	near	; DATA XREF: .data:006B3410o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:dword_6B3414
		mov	edx, [ebp+4]
		mov	esi, eax
		push	656E6F4Eh
		push	[ebp+arg_4]
		mov	ecx, esi
		push	[ebp+arg_0]
		call	_KsepDsEventPoolAllocate@20 ; KsepDsEventPoolAllocate(x,x,x,x,x)
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_KseDsHookExAllocatePool@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsHookExAllocatePoolWithTag(x, x, x)
_KseDsHookExAllocatePoolWithTag@12 proc	near ; DATA XREF: .data:006B33F0o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:dword_6B33F4
		push	[ebp+arg_8]
		mov	edx, [ebp+4]
		mov	esi, eax
		push	[ebp+arg_4]
		mov	ecx, esi
		push	[ebp+arg_0]
		call	_KsepDsEventPoolAllocate@20 ; KsepDsEventPoolAllocate(x,x,x,x,x)
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
_KseDsHookExAllocatePoolWithTag@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsHookExFreePool(x)
_KseDsHookExFreePool@4 proc near	; DATA XREF: .data:006B3420o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	ds:dword_6B3424
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		push	656E6F4Eh
		call	_KsepDsEventPoolFree@12	; KsepDsEventPoolFree(x,x,x)
		pop	ebp
		retn	4
_KseDsHookExFreePool@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsHookExFreePoolWithTag(x, x)
_KseDsHookExFreePoolWithTag@8 proc near	; DATA XREF: .data:006B3400o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:dword_6B3404
		push	[ebp+arg_4]
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_KsepDsEventPoolFree@12	; KsepDsEventPoolFree(x,x,x)
		pop	ebp
		retn	8
_KseDsHookExFreePoolWithTag@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsHookIoCreateDevice(x, x, x, x,	x, x, x)
_KseDsHookIoCreateDevice@28 proc near	; DATA XREF: .data:006B33D0o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_18]
		push	edi
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:dword_6B33D4
		mov	esi, eax
		test	esi, esi
		js	short loc_6231AD
		mov	edx, [edi]
		jmp	short loc_6231AF
; 

loc_6231AD:				; CODE XREF: KseDsHookIoCreateDevice(x,x,x,x,x,x,x)+27j
		xor	edx, edx

loc_6231AF:				; CODE XREF: KseDsHookIoCreateDevice(x,x,x,x,x,x,x)+2Bj
		mov	ecx, [ebp+arg_0]
		push	esi
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	_KsepDsEventIoCreateDevice@24 ;	KsepDsEventIoCreateDevice(x,x,x,x,x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	1Ch
_KseDsHookIoCreateDevice@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDsHookPoRequestPowerIrp(x, x, x,	x, x, x)
_KseDsHookPoRequestPowerIrp@24 proc near ; DATA	XREF: .data:006B33E0o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ebx
		push	esi
		call	ds:dword_6B33E4
		mov	ecx, [esi+8]
		mov	edi, eax
		push	edi
		push	[ebp+arg_8]
		movzx	edx, bl
		push	edx
		push	[ebp+var_4]
		mov	edx, esi
		call	_KsepDsEventRequestPowerIrp@24 ; KsepDsEventRequestPowerIrp(x,x,x,x,x,x)
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jz	short loc_623214
		mov	eax, [ebp+var_4]
		mov	[ecx], eax

loc_623214:				; CODE XREF: KseDsHookPoRequestPowerIrp(x,x,x,x,x,x)+44j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_KseDsHookPoRequestPowerIrp@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventAddDevice(x, x, x, x, x,	x, x)
_KsepDsEventAddDevice@28 proc near	; CODE XREF: KseDsCallbackHookAddDevice(x,x)+86p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_7C], edx
		mov	[ebp+var_78], ecx
		jz	loc_6232F3
		push	ebx
		mov	ebx, offset _KseDsEventAddDevice
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	loc_6232F2
		push	4
		pop	ecx
		lea	eax, [ebp+var_78]
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_74], eax
		xor	edx, edx
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_64], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_34], eax
		mov	[ebp+var_2C], ecx
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_70], edx
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	eax, [ecx+4]
		mov	[ebp+var_24], eax
		movzx	eax, word ptr [ecx]
		mov	ecx, [ebp+arg_10]
		add	eax, 2
		mov	[ebp+var_1C], eax
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	eax, [ecx+4]
		mov	[ebp+var_14], eax
		movzx	eax, word ptr [ecx]
		add	eax, 2
		mov	[ebp+var_48], edx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6232F2:				; CODE XREF: KsepDsEventAddDevice(x,x,x,x,x,x,x)+40j
		pop	ebx

loc_6232F3:				; CODE XREF: KsepDsEventAddDevice(x,x,x,x,x,x,x)+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_KsepDsEventAddDevice@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventDataIrp(x, x, x,	x, x)
_KsepDsEventDataIrp@20 proc near	; CODE XREF: KseDsCallbackHookIrpDeviceControlFunction(x,x)+30p
					; KseDsCallbackHookIrpFunction(x,x)+3Ap

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], ecx
		jz	short loc_6233A1
		push	ebx
		mov	ebx, offset _KseDsEventDataIrp
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_6233A0
		lea	eax, [ebp+var_58]
		xor	edx, edx
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_4]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6233A0:				; CODE XREF: KsepDsEventDataIrp(x,x,x,x,x)+3Cj
		pop	ebx

loc_6233A1:				; CODE XREF: KsepDsEventDataIrp(x,x,x,x,x)+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_KsepDsEventDataIrp@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventDevicePowerCompleted(x, x, x, x)
_KsepDsEventDevicePowerCompleted@16 proc near
					; CODE XREF: KseDsCompletionHookForPowerDevice(x,x,x)+14p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], ecx
		jz	short loc_62343F
		push	ebx
		mov	ebx, offset _KseDsEventDevicePowerCompleted
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_62343E
		lea	eax, [ebp+var_48]
		xor	edx, edx
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_62343E:				; CODE XREF: KsepDsEventDevicePowerCompleted(x,x,x,x)+3Cj
		pop	ebx

loc_62343F:				; CODE XREF: KsepDsEventDevicePowerCompleted(x,x,x,x)+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_KsepDsEventDevicePowerCompleted@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventDevicePowerIrp(x, x, x, x, x, x,	x)
_KsepDsEventDevicePowerIrp@28 proc near	; CODE XREF: KseDsCallbackHookIrpPowerFunction(x,x)+88p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_7C], edx
		mov	[ebp+var_78], ecx
		jz	loc_62350F
		push	ebx
		mov	ebx, offset _KseDsEventDevicePowerIrp
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_62350E
		lea	eax, [ebp+var_78]
		xor	edx, edx
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_62350E:				; CODE XREF: KsepDsEventDevicePowerIrp(x,x,x,x,x,x,x)+40j
		pop	ebx

loc_62350F:				; CODE XREF: KsepDsEventDevicePowerIrp(x,x,x,x,x,x,x)+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_KsepDsEventDevicePowerIrp@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventDriverLoad(x, x,	x, x, x)
_KsepDsEventDriverLoad@20 proc near	; CODE XREF: KseDsHookDriverTargeted(x,x,x,x,x)+14p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	ebx, ecx
		push	edi
		mov	edi, ds:dword_6FD4D4
		mov	eax, esi
		or	eax, edi
		mov	[ebp+var_58], edx
		jz	short loc_6235C4
		push	offset _KseDsEventDriverLoad
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_6235C4
		mov	eax, [ebx+4]
		xor	edx, edx
		mov	[ebp+var_54], eax
		movzx	eax, word ptr [ebx]
		add	eax, 2
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_4]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	edx
		push	offset _KseDsEventDriverLoad
		push	edi
		push	esi
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6235C4:				; CODE XREF: KsepDsEventDriverLoad(x,x,x,x,x)+2Aj
					; KsepDsEventDriverLoad(x,x,x,x,x)+3Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_KsepDsEventDriverLoad@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventDriverStartIo(x,	x, x)
_KsepDsEventDriverStartIo@12 proc near	; CODE XREF: KseDsCallbackHookDriverStartIo(x,x)+22p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], ecx
		jz	short loc_623655
		push	ebx
		mov	ebx, offset _KseDsEventStartIo
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_623654
		lea	eax, [ebp+var_38]
		xor	edx, edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_623654:				; CODE XREF: KsepDsEventDriverStartIo(x,x,x)+3Cj
		pop	ebx

loc_623655:				; CODE XREF: KsepDsEventDriverStartIo(x,x,x)+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_KsepDsEventDriverStartIo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventDriverUnload(x, x)
_KsepDsEventDriverUnload@8 proc	near	; CODE XREF: KseDsCallbackHookDriverUnload(x)+1Ap
					; KseDsHookDriverUntargeted(x)+Ap

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ecx
		jz	short loc_6236D6
		push	ebx
		mov	ebx, offset _KseDsEventDriverUnload
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_6236D5
		push	4
		pop	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		xor	edx, edx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6236D5:				; CODE XREF: KsepDsEventDriverUnload(x,x)+3Cj
		pop	ebx

loc_6236D6:				; CODE XREF: KsepDsEventDriverUnload(x,x)+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KsepDsEventDriverUnload@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventIoCreateDevice(x, x, x, x, x, x)
_KsepDsEventIoCreateDevice@24 proc near	; CODE XREF: KseDsHookIoCreateDevice(x,x,x,x,x,x,x)+3Cp

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		movzx	eax, [ebp+arg_8]
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	[ebp+var_70], eax
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], ecx
		jz	loc_62379C
		push	ebx
		mov	ebx, offset _KseDsEventCreateDevice
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_62379B
		lea	eax, [ebp+var_68]
		xor	edx, edx
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_70]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_62379B:				; CODE XREF: KsepDsEventIoCreateDevice(x,x,x,x,x,x)+47j
		pop	ebx

loc_62379C:				; CODE XREF: KsepDsEventIoCreateDevice(x,x,x,x,x,x)+31j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_KsepDsEventIoCreateDevice@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventPnpIrp(x, x, x, x, x)
_KsepDsEventPnpIrp@20 proc near		; CODE XREF: KseDsCallbackHookIrpPnpFunction(x,x)+5Ap

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], ecx
		jz	short loc_62384A
		push	ebx
		mov	ebx, offset _KseDsEventPnpIrp
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_623849
		lea	eax, [ebp+var_58]
		xor	edx, edx
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_4]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_623849:				; CODE XREF: KsepDsEventPnpIrp(x,x,x,x,x)+3Cj
		pop	ebx

loc_62384A:				; CODE XREF: KsepDsEventPnpIrp(x,x,x,x,x)+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_KsepDsEventPnpIrp@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventPnpStartDevice(x, x, x, x)
_KsepDsEventPnpStartDevice@16 proc near	; CODE XREF: KseDsCompletionHookForStartDevice(x,x,x)+14p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], ecx
		jz	short loc_6238E8
		push	ebx
		mov	ebx, offset _KseDsEventStartDevice
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_6238E7
		lea	eax, [ebp+var_48]
		xor	edx, edx
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6238E7:				; CODE XREF: KsepDsEventPnpStartDevice(x,x,x,x)+3Cj
		pop	ebx

loc_6238E8:				; CODE XREF: KsepDsEventPnpStartDevice(x,x,x,x)+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_KsepDsEventPnpStartDevice@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventPnpStopDevice(x,	x, x, x)
_KsepDsEventPnpStopDevice@16 proc near	; CODE XREF: KseDsCompletionHookForStopDevice(x,x,x)+14p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], ecx
		jz	short loc_623986
		push	ebx
		mov	ebx, offset _KseDsEventStopDevice
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_623985
		lea	eax, [ebp+var_48]
		xor	edx, edx
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_623985:				; CODE XREF: KsepDsEventPnpStopDevice(x,x,x,x)+3Cj
		pop	ebx

loc_623986:				; CODE XREF: KsepDsEventPnpStopDevice(x,x,x,x)+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_KsepDsEventPnpStopDevice@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventPoolAllocate(x, x, x, x,	x)
_KsepDsEventPoolAllocate@20 proc near	; CODE XREF: KseDsHookExAllocatePool(x,x)+24p
					; KseDsHookExAllocatePoolWithTag(x,x,x)+25p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], ecx
		jz	short loc_623A34
		push	ebx
		mov	ebx, offset _KseDsEventPoolAllocate
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_623A33
		lea	eax, [ebp+var_58]
		xor	edx, edx
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_4]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_623A33:				; CODE XREF: KsepDsEventPoolAllocate(x,x,x,x,x)+3Cj
		pop	ebx

loc_623A34:				; CODE XREF: KsepDsEventPoolAllocate(x,x,x,x,x)+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_KsepDsEventPoolAllocate@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventPoolFree(x, x, x)
_KsepDsEventPoolFree@12	proc near	; CODE XREF: KseDsHookExFreePool(x)+19p
					; KseDsHookExFreePoolWithTag(x,x)+1Ap

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], ecx
		jz	short loc_623AC4
		push	ebx
		mov	ebx, offset _KseDsEventPoolFree
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_623AC3
		lea	eax, [ebp+var_38]
		xor	edx, edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_623AC3:				; CODE XREF: KsepDsEventPoolFree(x,x,x)+3Cj
		pop	ebx

loc_623AC4:				; CODE XREF: KsepDsEventPoolFree(x,x,x)+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_KsepDsEventPoolFree@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventRequestPowerIrp(x, x, x,	x, x, x)
_KsepDsEventRequestPowerIrp@24 proc near
					; CODE XREF: KseDsHookPoRequestPowerIrp(x,x,x,x,x,x)+3Ap

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], ecx
		jz	loc_623B85
		push	ebx
		mov	ebx, offset _KseDsEventRequestPowerIrp
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_623B84
		lea	eax, [ebp+var_68]
		xor	edx, edx
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_8]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_623B84:				; CODE XREF: KsepDsEventRequestPowerIrp(x,x,x,x,x,x)+40j
		pop	ebx

loc_623B85:				; CODE XREF: KsepDsEventRequestPowerIrp(x,x,x,x,x,x)+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_KsepDsEventRequestPowerIrp@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDsEventSystemPowerIrp(x, x, x, x, x, x,	x)
_KsepDsEventSystemPowerIrp@28 proc near	; CODE XREF: KseDsCallbackHookIrpPowerFunction(x,x)+9Cp

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_7C], edx
		mov	[ebp+var_78], ecx
		jz	loc_623C55
		push	ebx
		mov	ebx, offset _KseDsEventSystemPowerIrp
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_623C54
		lea	eax, [ebp+var_78]
		xor	edx, edx
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_623C54:				; CODE XREF: KsepDsEventSystemPowerIrp(x,x,x,x,x,x,x)+40j
		pop	ebx

loc_623C55:				; CODE XREF: KsepDsEventSystemPowerIrp(x,x,x,x,x,x,x)+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_KsepDsEventSystemPowerIrp@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseSkipDriverUnloadCallbackHookDriverUnload(x)
_KseSkipDriverUnloadCallbackHookDriverUnload@4 proc near ; DATA	XREF: .data:006B3440o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, [ecx+0Ch]
		call	_KsepSkipDriverUnloadEventDriverUnload@8 ; KsepSkipDriverUnloadEventDriverUnload(x,x)
		pop	ebp
		retn	4
_KseSkipDriverUnloadCallbackHookDriverUnload@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseSkipDriverUnloadHookDriverTargeted(x, x,	x, x, x)
_KseSkipDriverUnloadHookDriverTargeted@20 proc near ; DATA XREF: .data:006B2EC8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_8]
		call	_KsepSkipDriverUnloadEventDriverLoad@20	; KsepSkipDriverUnloadEventDriverLoad(x,x,x,x,x)
		xor	eax, eax
		pop	ebp
		retn	14h
_KseSkipDriverUnloadHookDriverTargeted@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseSkipDriverUnloadHookDriverUntargeted(x)
_KseSkipDriverUnloadHookDriverUntargeted@4 proc	near ; DATA XREF: .data:006B2EC4o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		call	_KsepSkipDriverUnloadEventDriverUnload@8 ; KsepSkipDriverUnloadEventDriverUnload(x,x)
		xor	eax, eax
		pop	ebp
		retn	4
_KseSkipDriverUnloadHookDriverUntargeted@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepSkipDriverUnloadEventDriverLoad(x, x, x, x, x)
_KsepSkipDriverUnloadEventDriverLoad@20	proc near
					; CODE XREF: KseSkipDriverUnloadHookDriverTargeted(x,x,x,x,x)+14p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	ebx, ecx
		push	edi
		mov	edi, ds:dword_6FD4D4
		mov	eax, esi
		or	eax, edi
		mov	[ebp+var_58], edx
		jz	short loc_623D52
		push	offset _KseSkipDriverUnloadEventDriverLoad
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_623D52
		mov	eax, [ebx+4]
		xor	edx, edx
		mov	[ebp+var_54], eax
		movzx	eax, word ptr [ebx]
		add	eax, 2
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_4]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	edx
		push	offset _KseSkipDriverUnloadEventDriverLoad
		push	edi
		push	esi
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_623D52:				; CODE XREF: KsepSkipDriverUnloadEventDriverLoad(x,x,x,x,x)+2Aj
					; KsepSkipDriverUnloadEventDriverLoad(x,x,x,x,x)+3Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_KsepSkipDriverUnloadEventDriverLoad@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepSkipDriverUnloadEventDriverUnload(x, x)
_KsepSkipDriverUnloadEventDriverUnload@8 proc near
					; CODE XREF: KseSkipDriverUnloadCallbackHookDriverUnload(x)+Bp
					; KseSkipDriverUnloadHookDriverUntargeted(x)+Ap

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:_KseEtwHandle
		mov	eax, esi
		push	edi
		mov	edi, ds:dword_6FD4D4
		or	eax, edi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ecx
		jz	short loc_623DD4
		push	ebx
		mov	ebx, offset _KseSkipDriverUnloadEventDriverUnload
		push	ebx
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_623DD3
		push	4
		pop	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		xor	edx, edx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	ebx
		push	edi
		push	esi
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_623DD3:				; CODE XREF: KsepSkipDriverUnloadEventDriverUnload(x,x)+3Cj
		pop	ebx

loc_623DD4:				; CODE XREF: KsepSkipDriverUnloadEventDriverUnload(x,x)+2Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KsepSkipDriverUnloadEventDriverUnload@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteCachedSegment(x)
_MiDeleteCachedSegment@4 proc near	; CODE XREF: MiDereferenceSegmentThread+86CF3p
					; MiRemoveUnusedSegments(x,x)+137p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	[ebp+var_C], ebx
		lea	eax, [ebx+340h]
		push	eax
		call	ExAcquireSpinLockExclusive
		lea	edi, [ebx+424h]
		mov	[ebp+var_1], al
		mov	esi, [edi]
		cmp	esi, edi
		jz	loc_623EBD

loc_623E11:				; CODE XREF: MiDeleteCachedSegment(x)+43j
		lea	ebx, [esi-4]
		lea	eax, [ebx+24h]
		push	eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jnz	short loc_623E27
		mov	esi, [esi]
		cmp	esi, edi
		jnz	short loc_623E11

loc_623E27:				; CODE XREF: MiDeleteCachedSegment(x)+3Dj
		cmp	esi, edi
		jz	loc_623EBA
		mov	ecx, ebx
		call	MiUnlinkUnusedControlArea
		mov	edi, [ebp+var_C]
		lea	eax, [edi+340h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, [ebx+1Ch]
		push	0
		pop	esi
		and	eax, 20h
		jnz	short loc_623E76
		cmp	[ebx+28h], esi
		jz	short loc_623E76
		test	byte ptr [edi+4], 1
		jnz	short loc_623E76
		mov	ecx, ebx
		call	MiInsertUnusedSegment
		lea	eax, [ebx+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_623ED4
; 

loc_623E76:				; CODE XREF: MiDeleteCachedSegment(x)+6Cj
					; MiDeleteCachedSegment(x)+71j	...
		mov	[ebp+var_C], esi
		mov	edi, esi
		mov	[ebp+var_8], edi
		test	eax, eax
		jnz	short loc_623E9F
		mov	dl, [ebp+var_1]
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		mov	ecx, ebx
		push	eax
		call	_MiFlushControlArea@16 ; MiFlushControlArea(x,x,x,x)
		mov	edi, [ebp+var_8]
		cmp	eax, 1
		jnz	short loc_623EAD
		mov	esi, [ebp+var_C]

loc_623E9F:				; CODE XREF: MiDeleteCachedSegment(x)+9Ej
		mov	dl, [ebp+var_1]
		mov	ecx, ebx
		push	esi
		call	MiDestroySection
		xor	esi, esi
		inc	esi

loc_623EAD:				; CODE XREF: MiDeleteCachedSegment(x)+B8j
		test	edi, edi
		jz	short loc_623ED4
		mov	ecx, edi
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)
		jmp	short loc_623ED4
; 

loc_623EBA:				; CODE XREF: MiDeleteCachedSegment(x)+47j
		mov	ebx, [ebp+var_C]

loc_623EBD:				; CODE XREF: MiDeleteCachedSegment(x)+29j
		lea	eax, [ebx+340h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	esi, esi

loc_623ED4:				; CODE XREF: MiDeleteCachedSegment(x)+92j
					; MiDeleteCachedSegment(x)+CDj	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_MiDeleteCachedSegment@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteCachedSubsection(x)
_MiDeleteCachedSubsection@4 proc near	; CODE XREF: MiRemoveUnusedSegments(x,x)+152p

var_3E		= byte ptr -3Eh
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		and	[esp+2Ch+var_8], 0
		and	[esp+2Ch+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	eax, [esi+340h]
		push	eax
		mov	[esp+3Ch+var_14], eax
		call	ExAcquireSpinLockExclusive
		mov	[esp+38h+var_29], al
		lea	eax, [esi+42Ch]
		mov	ebx, [eax]
		mov	[esp+38h+var_1C], eax
		cmp	ebx, eax
		jz	loc_6243A4

loc_623F1D:				; CODE XREF: MiDeleteCachedSubsection(x)+68j
		lea	edi, [ebx-34h]
		mov	esi, [edi]
		mov	[esp+38h+var_18], edi
		mov	[esp+38h+var_24], esi
		lea	eax, [esi+24h]
		push	eax
		mov	[esp+3Ch+var_20], eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		mov	eax, [esp+38h+var_1C]
		jnz	short loc_623F45
		mov	ebx, [ebx]
		cmp	ebx, eax
		jnz	short loc_623F1D

loc_623F45:				; CODE XREF: MiDeleteCachedSubsection(x)+62j
		cmp	ebx, eax
		jz	loc_6243A4
		lea	eax, [edi+34h]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_62439F
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_62439F
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	ecx, 0FFF7h
		and	[edi+12h], cx
		mov	ecx, edi
		mov	[eax+4], eax
		mov	[eax], eax
		call	_MiReduceUnusedSubsectionCount@4 ; MiReduceUnusedSubsectionCount(x)
		push	[esp+38h+var_14]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, [esi+1Ch]
		xor	ecx, ecx
		inc	ecx
		test	al, cl
		jz	short loc_623FA6
		push	[esp+38h+var_20]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	esi, 0C0000073h
		jmp	loc_6243B2
; 

loc_623FA6:				; CODE XREF: MiDeleteCachedSubsection(x)+B6j
		test	al, 8
		jz	short loc_623FCE
		cmp	dword ptr [edi+24h], 0
		jge	short loc_623FCA
		mov	ecx, edi
		call	_MiInsertUnusedSubsection@8 ; MiInsertUnusedSubsection(x,x)
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	esi, 0C0000020h
		jmp	loc_6243B2
; 

loc_623FCA:				; CODE XREF: MiDeleteCachedSubsection(x)+D3j
		mov	ebx, ecx
		jmp	short loc_623FD0
; 

loc_623FCE:				; CODE XREF: MiDeleteCachedSubsection(x)+CDj
		xor	ebx, ebx

loc_623FD0:				; CODE XREF: MiDeleteCachedSubsection(x)+F1j
		cmp	dword ptr [edi+3Ch], 0
		jz	short loc_623FE7
		push	0
		push	0
		push	edi
		push	42004h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_623FE7:				; CODE XREF: MiDeleteCachedSubsection(x)+F9j
		mov	[edi+3Ch], ecx
		mov	eax, 0FFFEh
		and	[edi+10h], ax
		mov	ecx, esi
		call	_MiRemoveUnusedSegment@4 ; MiRemoveUnusedSegment(x)
		or	dword ptr [esi+1Ch], 100h
		mov	eax, [edi+4]
		mov	[esp+4Ch+var_28], eax
		cmp	ebx, 1
		jnz	short loc_624069
		inc	dword ptr [esi+28h]
		lea	ebx, [esi+24h]
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+4Ch+var_3D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	_MiIsSubsectionClean@4 ; MiIsSubsectionClean(x)
		test	eax, eax
		jnz	short loc_624037
		mov	[esp+4Ch+var_3C], eax
		jmp	loc_624238
; 

loc_624037:				; CODE XREF: MiDeleteCachedSubsection(x)+151j
		cmp	eax, 1
		jnz	short loc_62405C
		push	ebx
		call	ExAcquireSpinLockExclusive
		or	dword ptr [edi+24h], 80000000h
		mov	bl, al
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_62405C:				; CODE XREF: MiDeleteCachedSubsection(x)+15Fj
		mov	[esp+4Ch+var_3C], 0C0000020h
		jmp	loc_624238
; 

loc_624069:				; CODE XREF: MiDeleteCachedSubsection(x)+130j
		lea	edi, [esi+40h]
		mov	[esp+4Ch+var_34], edi

loc_624070:				; CODE XREF: MiDeleteCachedSubsection(x)+1B1j
					; MiDeleteCachedSubsection(x)+1B7j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[esp+4Ch+var_30], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_624070
		cmp	edx, [esp+4Ch+var_30]
		jnz	short loc_624070
		mov	esi, [esp+4Ch+var_38]
		mov	edi, [esp+20h]
		mov	ds:dword_6D525C, esi
		mov	eax, [esi+20h]
		and	eax, 0FFFFFFF8h
		mov	[esp+4Ch+var_38], eax
		jz	short loc_6240BA
		mov	edx, 746C6644h
		mov	ecx, eax
		call	ObfReferenceObjectWithTag

loc_6240BA:				; CODE XREF: MiDeleteCachedSubsection(x)+1D1j
		lea	ebx, [esi+24h]
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+4Ch+var_3D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [edi+4]
		mov	eax, [edi+1Ch]
		mov	[esp+4Ch+var_20], ecx
		sub	ecx, 8
		lea	eax, [ecx+eax*8]
		mov	ecx, [esp+4Ch+var_38]
		mov	[esp+4Ch+var_24], eax
		call	FsRtlAcquireFileForCcFlushEx
		push	ebx
		mov	[esp+50h+var_3C], eax
		call	ExAcquireSpinLockExclusive
		mov	edi, [esp+4Ch+var_34]
		mov	[esp+4Ch+var_3D], al

loc_6240FC:				; CODE XREF: MiDeleteCachedSubsection(x)+245j
					; MiDeleteCachedSubsection(x)+24Dj
		mov	eax, [edi]
		mov	ebx, eax
		mov	edx, [edi+4]
		sub	ebx, 1
		mov	ecx, edx
		mov	[esp+4Ch+var_34], eax
		mov	[esp+4Ch+var_30], edx
		sbb	ecx, 0
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [esp+4Ch+var_34]
		mov	ebx, edx
		cmp	eax, ecx
		jnz	short loc_6240FC
		mov	edx, [esp+4Ch+var_30]
		cmp	ebx, edx
		jnz	short loc_6240FC
		and	ds:dword_6D525C, 0
		add	ecx, 0FFFFFFFFh
		mov	ebx, [esp+4Ch+var_3C]
		mov	edi, [esp+20h]
		adc	edx, 0FFFFFFFFh
		mov	[esp+4Ch+var_34], ecx
		mov	[esp+4Ch+var_30], edx
		test	ebx, ebx
		js	short loc_6241AD
		test	byte ptr [esi+1Ch], 1
		jnz	short loc_6241AD
		inc	dword ptr [esi+28h]
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+4Ch+var_3D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, large fs:124h
		mov	edx, [esp+4Ch+var_24]
		mov	ecx, [esp+4Ch+var_20]
		mov	dword ptr [eax+2D4h], 1
		lea	eax, [esp+4Ch+var_1C]
		push	eax
		push	2
		push	0
		push	edi
		push	edi
		call	MiFlushSectionInternal
		mov	ebx, [esp+4Ch+var_38]
		mov	ecx, ebx
		mov	[esp+4Ch+var_3C], eax
		mov	eax, large fs:124h
		and	dword ptr [eax+2D4h], 0
		call	FsRtlReleaseFileForCcFlush
		jmp	short loc_624209
; 

loc_6241AD:				; CODE XREF: MiDeleteCachedSubsection(x)+26Ej
					; MiDeleteCachedSubsection(x)+274j
		mov	eax, ecx
		or	eax, edx
		jz	short loc_6241B6
		inc	dword ptr [esi+28h]

loc_6241B6:				; CODE XREF: MiDeleteCachedSubsection(x)+2D6j
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+4Ch+var_3D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		js	short loc_6241DF
		mov	ecx, [esp+4Ch+var_38]
		call	FsRtlReleaseFileForCcFlush
		mov	ebx, 0C0000189h
		mov	[esp+4Ch+var_3C], ebx

loc_6241DF:				; CODE XREF: MiDeleteCachedSubsection(x)+2F0j
		mov	eax, [esp+4Ch+var_34]
		or	eax, [esp+4Ch+var_30]
		jnz	short loc_624205
		mov	ecx, esi
		call	MiDeleteControlArea
		mov	ecx, [esp+4Ch+var_38]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		mov	eax, ebx
		jmp	loc_6243BE
; 

loc_624205:				; CODE XREF: MiDeleteCachedSubsection(x)+30Cj
		mov	ebx, [esp+4Ch+var_38]

loc_624209:				; CODE XREF: MiDeleteCachedSubsection(x)+2D0j
		mov	ecx, [esi+20h]
		mov	eax, ecx
		jmp	short loc_624226
; 

loc_624210:				; CODE XREF: MiDeleteCachedSubsection(x)+350j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lea	edi, [esi+20h]
		lock cmpxchg [edi], edx
		mov	edi, [esp+20h]
		cmp	eax, ecx
		jz	short loc_624238
		mov	ecx, eax

loc_624226:				; CODE XREF: MiDeleteCachedSubsection(x)+333j
		xor	eax, ebx
		cmp	eax, 7
		jb	short loc_624210
		push	746C6644h
		push	ebx
		call	ObDereferenceObjectDeferDeleteWithTag

loc_624238:				; CODE XREF: MiDeleteCachedSubsection(x)+157j
					; MiDeleteCachedSubsection(x)+189j ...
		lea	ebx, [esi+24h]
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	ecx, [esi+1Ch]
		xor	edx, edx
		inc	edx
		mov	[esp+4Ch+var_3D], al
		test	cl, dl
		jz	short loc_62425A
		and	ecx, 0FFFFFEFFh
		mov	[esi+1Ch], ecx
		jmp	short loc_6242BE
; 

loc_62425A:				; CODE XREF: MiDeleteCachedSubsection(x)+372j
		cmp	[esp+4Ch+var_3C], 0
		jl	short loc_6242AF
		cmp	[edi+3Ch], edx
		jnz	short loc_6242A7
		test	[edi+10h], dl
		jnz	short loc_6242A7
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+4Ch+var_3D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		mov	ecx, edi
		mov	[esp+20h], eax
		call	_MiPurgeSubsection@4 ; MiPurgeSubsection(x)
		test	eax, eax
		jnz	short loc_624291
		inc	eax
		mov	[esp+20h], eax

loc_624291:				; CODE XREF: MiDeleteCachedSubsection(x)+3AFj
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	ecx, [esi+1Ch]
		xor	edx, edx
		mov	[esp+4Ch+var_3D], al
		inc	edx
		mov	eax, [esp+20h]
		jmp	short loc_6242B1
; 

loc_6242A7:				; CODE XREF: MiDeleteCachedSubsection(x)+389j
					; MiDeleteCachedSubsection(x)+38Ej
		mov	[esp+4Ch+var_3C], 0C0000001h

loc_6242AF:				; CODE XREF: MiDeleteCachedSubsection(x)+384j
		mov	eax, edx

loc_6242B1:				; CODE XREF: MiDeleteCachedSubsection(x)+3CAj
		and	ecx, 0FFFFFEFFh
		mov	[esi+1Ch], ecx
		test	cl, dl
		jz	short loc_6242F6

loc_6242BE:				; CODE XREF: MiDeleteCachedSubsection(x)+37Dj
		mov	ecx, edi
		call	MiDecrementSubsectionViewCount
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiDecrementModifiedWriteCount@8 ; MiDecrementModifiedWriteCount(x,x)
		push	ebx
		mov	esi, eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+4Ch+var_3D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_6242EC
		mov	ecx, esi
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)

loc_6242EC:				; CODE XREF: MiDeleteCachedSubsection(x)+408j
		mov	eax, 0C0000001h
		jmp	loc_6243BE
; 

loc_6242F6:				; CODE XREF: MiDeleteCachedSubsection(x)+3E1j
		cmp	eax, edx
		jz	short loc_62431E
		cmp	[edi+3Ch], edx
		jnz	short loc_62431E
		cmp	dword ptr [edi+40h], 0
		jnz	short loc_62431E
		test	[edi+10h], dl
		jnz	short loc_62431E
		lea	ecx, [edi+44h]
		xor	edx, edx
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)
		and	dword ptr [edi+4], 0
		and	dword ptr [edi+3Ch], 0
		jmp	short loc_624340
; 

loc_62431E:				; CODE XREF: MiDeleteCachedSubsection(x)+41Dj
					; MiDeleteCachedSubsection(x)+422j ...
		mov	ecx, edi
		mov	[esp+4Ch+var_3C], 0C0000001h
		call	MiDecrementSubsectionViewCount
		cmp	dword ptr [edi+3Ch], 0
		jnz	short loc_62433A
		mov	ecx, edi
		call	_MiInsertUnusedSubsection@8 ; MiInsertUnusedSubsection(x,x)

loc_62433A:				; CODE XREF: MiDeleteCachedSubsection(x)+456j
		xor	eax, eax
		mov	[esp+4Ch+var_28], eax

loc_624340:				; CODE XREF: MiDeleteCachedSubsection(x)+441j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiDecrementModifiedWriteCount@8 ; MiDecrementModifiedWriteCount(x,x)
		mov	ecx, [esi+14h]
		mov	edi, eax
		or	ecx, [esi+0Ch]
		jnz	short loc_624361
		cmp	dword ptr [esi+10h], 0
		mov	ecx, esi
		jz	short loc_624373
		call	MiInsertUnusedSegment

loc_624361:				; CODE XREF: MiDeleteCachedSubsection(x)+477j
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+4Ch+var_3D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_62437E
; 

loc_624373:				; CODE XREF: MiDeleteCachedSubsection(x)+47Fj
		mov	dl, [esp+4Ch+var_3D]
		push	0
		call	MiDestroySection

loc_62437E:				; CODE XREF: MiDeleteCachedSubsection(x)+496j
		test	edi, edi
		jz	short loc_624389
		mov	ecx, edi
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)

loc_624389:				; CODE XREF: MiDeleteCachedSubsection(x)+4A5j
		mov	eax, [esp+4Ch+var_28]
		test	eax, eax
		jz	short loc_624399
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_624399:				; CODE XREF: MiDeleteCachedSubsection(x)+4B4j
		mov	eax, [esp+4Ch+var_3C]
		jmp	short loc_6243BE
; 

loc_62439F:				; CODE XREF: MiDeleteCachedSubsection(x)+7Aj
					; MiDeleteCachedSubsection(x)+85j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_6243A4:				; CODE XREF: MiDeleteCachedSubsection(x)+3Cj
					; MiDeleteCachedSubsection(x)+6Cj
		push	[esp+38h+var_14]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	esi, 0C0000225h

loc_6243B2:				; CODE XREF: MiDeleteCachedSubsection(x)+C6j
					; MiDeleteCachedSubsection(x)+EAj
		mov	cl, [esp+38h+var_29]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi

loc_6243BE:				; CODE XREF: MiDeleteCachedSubsection(x)+325j
					; MiDeleteCachedSubsection(x)+416j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiDeleteCachedSubsection@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteControlAreaList(x)
_MiDeleteControlAreaList@4 proc	near	; CODE XREF: MiDereferenceSegmentThread+86C7Ep
					; MiDereferenceSegmentThread+86D0Cp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	ebx, [edi+340h]

loc_6243D6:				; CODE XREF: MiDeleteControlAreaList(x)+46j
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	esi, [edi+44Ch]
		mov	[ebp+var_1], al
		test	esi, esi
		jz	short loc_6243F1
		mov	ecx, [esi]
		mov	[edi+44Ch], ecx

loc_6243F1:				; CODE XREF: MiDeleteControlAreaList(x)+22j
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_62440D
		mov	ecx, esi
		call	MiDeleteControlArea
		jmp	short loc_6243D6
; 

loc_62440D:				; CODE XREF: MiDeleteControlAreaList(x)+3Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiDeleteControlAreaList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFlushControlArea(x, x, x,	x)
_MiFlushControlArea@16 proc near	; CODE XREF: MiDeleteCachedSegment(x)+ADp
					; MiProcessDeleteOnClose(x)+D9p

var_3E		= byte ptr -3Eh
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+50h+var_3D], dl
		xor	ecx, ecx
		mov	[esp+50h+var_3C], edi
		mov	[eax], ecx
		mov	eax, [ebp+arg_0]
		or	dword ptr [edi+1Ch], 100h
		mov	[esp+50h+var_24], ecx
		mov	[esp+50h+var_20], ecx
		mov	[eax], ecx
		lea	eax, [esp+50h+var_8]
		mov	[esp+50h+var_4], eax
		mov	[esp+50h+var_8], eax
		mov	eax, [edi+2Ch]
		mov	[esp+50h+var_1C], eax
		lea	eax, [esp+50h+var_1C]
		mov	[edi+2Ch], eax
		lea	eax, [edi+40h]
		mov	[esp+50h+var_10], 40107h
		mov	edi, eax
		mov	[esp+50h+var_14], ecx
		mov	[esp+50h+var_18], 4
		mov	[esp+50h+var_C], ecx
		mov	[esp+50h+var_34], eax

loc_624480:				; CODE XREF: MiFlushControlArea(x,x,x,x)+8Aj
					; MiFlushControlArea(x,x,x,x)+90j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[esp+50h+var_30], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_624480
		cmp	edx, [esp+50h+var_30]
		jnz	short loc_624480
		mov	edi, [esp+50h+var_3C]
		mov	ds:dword_6D525C, edi
		mov	ebx, [edi+20h]
		and	ebx, 0FFFFFFF8h
		mov	[esp+50h+var_38], ebx
		jz	short loc_6244C6
		mov	edx, 746C6644h
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag

loc_6244C6:				; CODE XREF: MiFlushControlArea(x,x,x,x)+A6j
		lea	eax, [edi+24h]
		push	eax
		mov	[esp+54h+var_28], eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+50h+var_3D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	esi, esi
		mov	ecx, ebx
		and	[esp+50h+var_30], esi
		call	FsRtlAcquireFileForCcFlushEx
		test	eax, eax
		js	short loc_6244F6
		mov	[esp+50h+var_30], 1

loc_6244F6:				; CODE XREF: MiFlushControlArea(x,x,x,x)+DAj
		lea	eax, [edi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	edi, [esp+50h+var_34]
		mov	[esp+50h+var_3D], al

loc_624507:				; CODE XREF: MiFlushControlArea(x,x,x,x)+116j
					; MiFlushControlArea(x,x,x,x)+11Ej
		mov	eax, [edi]
		mov	ebx, eax
		mov	edx, [edi+4]
		sub	ebx, 1
		mov	ecx, edx
		mov	[esp+50h+var_34], eax
		mov	[esp+50h+var_2C], edx
		sbb	ecx, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [esp+50h+var_34]
		cmp	eax, ecx
		jnz	short loc_624507
		mov	eax, [esp+50h+var_2C]
		cmp	edx, eax
		jnz	short loc_624507
		and	ds:dword_6D525C, esi
		add	ecx, 0FFFFFFFFh
		mov	ebx, [esp+50h+var_30]
		mov	edi, [esp+50h+var_3C]
		adc	eax, 0FFFFFFFFh
		test	ebx, ebx
		jz	loc_6245FF
		test	byte ptr [edi+1Ch], 1
		jnz	loc_6245FF
		inc	dword ptr [edi+28h]
		lea	eax, [edi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+50h+var_3D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, large fs:124h
		xor	ebx, ebx
		xor	edx, edx
		xor	ecx, ecx
		mov	dword ptr [eax+2D4h], 1
		lea	eax, [esp+50h+var_24]
		push	eax
		push	2
		push	ebx
		push	ebx
		lea	eax, [edi+50h]
		push	eax
		call	MiFlushSectionInternal
		mov	ecx, eax
		mov	eax, large fs:124h
		mov	[esp+50h+var_34], ecx
		mov	[eax+2D4h], ebx
		test	ecx, ecx
		jns	short loc_6245BE
		push	ebx
		push	40h
		push	20h
		mov	edx, 70646D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax

loc_6245BE:				; CODE XREF: MiFlushControlArea(x,x,x,x)+198j
		mov	ebx, [esp+50h+var_38]
		mov	eax, [ebx+4]
		mov	edx, [eax+20h]
		lea	eax, [edi+24h]
		push	eax
		mov	[esp+54h+var_3C], edx
		call	ExAcquireSpinLockExclusive
		and	dword ptr [edi+1Ch], 0FFFFFEFFh
		xor	edx, edx
		inc	edx
		mov	[esp+50h+var_3D], al
		mov	ecx, edi
		call	_MiDecrementModifiedWriteCount@8 ; MiDecrementModifiedWriteCount(x,x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [esp+50h+var_3C]
		shr	eax, 4
		and	eax, 1
		mov	[esp+50h+var_3C], eax
		jmp	short loc_624624
; 

loc_6245FF:				; CODE XREF: MiFlushControlArea(x,x,x,x)+136j
					; MiFlushControlArea(x,x,x,x)+140j
		and	dword ptr [edi+1Ch], 0FFFFFEFFh
		or	ecx, eax
		mov	[esp+50h+var_14], 1
		jz	loc_6246FE
		mov	ebx, [esp+50h+var_38]
		xor	ecx, ecx
		and	[esp+50h+var_3C], ecx
		mov	[esp+50h+var_34], ecx

loc_624624:				; CODE XREF: MiFlushControlArea(x,x,x,x)+1EBj
		lea	edx, [esp+50h+var_1C]
		mov	ecx, edi
		call	_MiRemoveWakeListEntry@8 ; MiRemoveWakeListEntry(x,x)
		mov	ecx, [edi+14h]
		mov	eax, [edi+1Ch]
		or	ecx, [edi+0Ch]
		and	eax, 1
		or	ecx, eax
		jnz	loc_6246C3
		cmp	[esp+50h+var_14], ecx
		jz	short loc_62464E
		cmp	[edi+10h], ecx
		jnz	short loc_6246BC

loc_62464E:				; CODE XREF: MiFlushControlArea(x,x,x,x)+235j
		mov	eax, [esp+50h+var_34]
		test	eax, eax
		jns	short loc_6246AF
		cmp	dword ptr [edi+10h], 0
		jz	short loc_6246AF
		cmp	eax, 0C0000433h
		jz	short loc_6246BC
		mov	edx, [esp+50h+var_3C]
		xor	ecx, ecx
		push	eax
		inc	ecx
		call	MmIsWriteErrorFatal
		test	eax, eax
		jz	short loc_6246BC
		test	esi, esi
		jz	short loc_6246AF
		mov	edi, [edi+20h]
		and	edi, 0FFFFFFF8h
		jz	short loc_62468C
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag

loc_62468C:				; CODE XREF: MiFlushControlArea(x,x,x,x)+26Cj
		mov	ecx, [esp+50h+var_34]
		and	dword ptr [esi], 0
		push	1
		push	esi
		mov	[esi+10h], edi
		mov	[esi+14h], ecx
		mov	byte ptr [esi+1Ch], 1
		mov	dword ptr [esi+8], offset _MiLdwPopupWorker@4 ;	MiLdwPopupWorker(x)
		mov	[esi+0Ch], esi
		call	ExQueueWorkItem

loc_6246AF:				; CODE XREF: MiFlushControlArea(x,x,x,x)+242j
					; MiFlushControlArea(x,x,x,x)+248j ...
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		xor	eax, eax
		inc	eax
		jmp	loc_624741
; 

loc_6246BC:				; CODE XREF: MiFlushControlArea(x,x,x,x)+23Aj
					; MiFlushControlArea(x,x,x,x)+24Fj ...
		mov	ecx, edi
		call	MiInsertUnusedSegment

loc_6246C3:				; CODE XREF: MiFlushControlArea(x,x,x,x)+22Bj
		push	[esp+50h+var_28]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+50h+var_3D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[esp+50h+var_30], 1
		jnz	short loc_6246E4
		mov	ecx, ebx
		call	FsRtlReleaseFileForCcFlush

loc_6246E4:				; CODE XREF: MiFlushControlArea(x,x,x,x)+2C9j
		mov	edx, 746C6644h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		test	esi, esi
		jz	short loc_62473F
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_62473F
; 

loc_6246FE:				; CODE XREF: MiFlushControlArea(x,x,x,x)+1FEj
		lea	edx, [esp+50h+var_1C]
		mov	ecx, edi
		call	_MiRemoveWakeListEntry@8 ; MiRemoveWakeListEntry(x,x)
		lea	eax, [edi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+50h+var_3D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	ebx, 1
		mov	ebx, [esp+50h+var_38]
		jnz	short loc_62472C
		mov	ecx, ebx
		call	FsRtlReleaseFileForCcFlush

loc_62472C:				; CODE XREF: MiFlushControlArea(x,x,x,x)+311j
		mov	ecx, edi
		call	MiDeleteControlArea
		mov	edx, 746C6644h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_62473F:				; CODE XREF: MiFlushControlArea(x,x,x,x)+2E0j
					; MiFlushControlArea(x,x,x,x)+2EAj
		xor	eax, eax

loc_624741:				; CODE XREF: MiFlushControlArea(x,x,x,x)+2A5j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_MiFlushControlArea@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiFreeExcessSegments()
_MiFreeExcessSegments@0	proc near	; CODE XREF: MiCountSystemPool:loc_4ADA78p
					; MmResourcesAvailable(x,x,x):loc_4D709Ep ...
		mov	ecx, ds:dword_6D5EFC
		xor	edx, edx
		mov	eax, ds:dword_6D5F54
		push	esi
		push	0Ah
		pop	esi
		div	esi
		imul	eax, 9
		cmp	ecx, eax
		jb	short loc_624798
		call	_MiShouldTrimUnusedSegments@0 ;	MiShouldTrimUnusedSegments()
		test	eax, eax
		jz	short loc_624798
		xor	ecx, ecx
		jmp	short loc_62478D
; 

loc_624771:				; CODE XREF: MiFreeExcessSegments()+4Cj
		mov	eax, [esi]
		cmp	dword ptr [eax+420h], 0
		jz	short loc_62478B
		push	0
		push	0
		add	eax, 370h
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_62478B:				; CODE XREF: MiFreeExcessSegments()+30j
		mov	ecx, esi

loc_62478D:				; CODE XREF: MiFreeExcessSegments()+25j
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_624771

loc_624798:				; CODE XREF: MiFreeExcessSegments()+18j
					; MiFreeExcessSegments()+21j
		pop	esi
		retn
_MiFreeExcessSegments@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIsSubsectionClean(x)
_MiIsSubsectionClean@4 proc near	; CODE XREF: MiDeleteCachedSubsection(x)+14Ap

var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		cmp	[ecx+40h], ebx
		jz	loc_62488D
		mov	eax, [ecx+1Ch]
		mov	esi, [ecx+4]
		lea	edx, [esi+eax*8]
		mov	eax, [ecx]
		mov	[ebp+var_8], edx
		cmp	[eax+10h], ebx
		jz	loc_62488D
		mov	al, 21h
		mov	edi, ebx
		mov	byte ptr [ebp+var_1], al
		cmp	esi, edx
		jnb	loc_624889

loc_6247D6:				; CODE XREF: MiIsSubsectionClean(x)+B3j
		test	esi, 0FFFh
		jz	short loc_6247E2
		cmp	al, 21h
		jnz	short loc_62480D

loc_6247E2:				; CODE XREF: MiIsSubsectionClean(x)+42j
		cmp	al, 21h
		jz	short loc_6247EF
		mov	dl, al
		mov	ecx, edi
		call	MiUnlockProtoPoolPage

loc_6247EF:				; CODE XREF: MiIsSubsectionClean(x)+4Aj
		lea	edx, [ebp+var_1]
		mov	ecx, esi
		call	MiCheckProtoPtePageState
		mov	edi, eax
		test	edi, edi
		jnz	short loc_62480D
		and	esi, 0FFFFF000h
		add	esi, 1000h
		jmp	short loc_624847
; 

loc_62480D:				; CODE XREF: MiIsSubsectionClean(x)+46j
					; MiIsSubsectionClean(x)+63j
		xor	edx, edx
		mov	ecx, esi
		call	MiLockLeafPage
		mov	edx, eax
		test	edx, edx
		jz	short loc_624844
		mov	ecx, [esi]
		nop
		and	ecx, 1
		lea	eax, [edx+10h]
		or	ecx, ebx
		jnz	short loc_624863
		cmp	[edx+14h], bx
		jnz	short loc_624856
		mov	al, [edx+16h]
		lea	ecx, [edx+10h]
		mov	ebx, 7FFFFFFFh
		lock and [ecx],	ebx
		push	0
		pop	ebx
		test	al, 18h
		jnz	short loc_624851

loc_624844:				; CODE XREF: MiIsSubsectionClean(x)+80j
		add	esi, 8

loc_624847:				; CODE XREF: MiIsSubsectionClean(x)+71j
		mov	al, byte ptr [ebp+var_1]
		cmp	esi, [ebp+var_8]
		jb	short loc_6247D6
		jmp	short loc_62487A
; 

loc_624851:				; CODE XREF: MiIsSubsectionClean(x)+A8j
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_62487A
; 

loc_624856:				; CODE XREF: MiIsSubsectionClean(x)+93j
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		push	2
		pop	ebx
		jmp	short loc_62487A
; 

loc_624863:				; CODE XREF: MiIsSubsectionClean(x)+8Dj
		mov	al, [edx+16h]
		lea	ecx, [edx+10h]
		mov	ebx, 7FFFFFFFh
		lock and [ecx],	ebx
		test	al, 18h
		push	0
		pop	ebx
		setz	bl
		inc	ebx

loc_62487A:				; CODE XREF: MiIsSubsectionClean(x)+B5j
					; MiIsSubsectionClean(x)+BAj ...
		mov	dl, byte ptr [ebp+var_1]
		cmp	dl, 21h
		jz	short loc_624889
		mov	ecx, edi
		call	MiUnlockProtoPoolPage

loc_624889:				; CODE XREF: MiIsSubsectionClean(x)+36j
					; MiIsSubsectionClean(x)+E6j
		mov	eax, ebx
		jmp	short loc_62488F
; 

loc_62488D:				; CODE XREF: MiIsSubsectionClean(x)+10j
					; MiIsSubsectionClean(x)+27j
		xor	eax, eax

loc_62488F:				; CODE XREF: MiIsSubsectionClean(x)+F1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiIsSubsectionClean@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeUnusedSegmentDeleteOnClose(x)
_MiMakeUnusedSegmentDeleteOnClose@4 proc near ;	CODE XREF: MiDrainCrossPartitionUsage(x)+D0p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+340h]
		push	edi
		call	ExAcquireSpinLockExclusive
		lea	ecx, [esi+424h]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[ebp+var_8], ecx

loc_6248BC:				; CODE XREF: MiMakeUnusedSegmentDeleteOnClose(x)+59j
		mov	bl, al
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	short loc_62490A
		add	eax, 0FFFFFFFCh
		mov	[ebp+var_4], eax
		add	eax, 24h
		push	eax
		mov	[ebp+var_C], eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jnz	short loc_6248EF
		push	edi

loc_6248DB:				; CODE XREF: MiMakeUnusedSegmentDeleteOnClose(x)+74j
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	esi
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_8]
		jmp	short loc_6248BC
; 

loc_6248EF:				; CODE XREF: MiMakeUnusedSegmentDeleteOnClose(x)+44j
		mov	ecx, [ebp+var_4]
		call	MiUnlinkUnusedControlArea
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	ecx, [ebp+var_4]
		call	MiInsertUnusedSegment
		push	[ebp+var_C]
		jmp	short loc_6248DB
; 

loc_62490A:				; CODE XREF: MiMakeUnusedSegmentDeleteOnClose(x)+2Ej
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiMakeUnusedSegmentDeleteOnClose@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiProcessDeleteOnClose(x)
_MiProcessDeleteOnClose@4 proc near	; CODE XREF: MiDereferenceSegmentThread+86CD5p
					; MiDereferenceSegmentThread+86D05p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_10], 0
		and	[ebp+var_4], 0
		or	[ebp+var_8], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx

loc_624932:				; CODE XREF: MiProcessDeleteOnClose(x)+A5j
					; MiProcessDeleteOnClose(x)+C6j ...
		lea	esi, [edi+340h]

loc_624938:				; CODE XREF: MiProcessDeleteOnClose(x)+7Fj
					; MiProcessDeleteOnClose(x)+FAj
		push	esi
		call	ExAcquireSpinLockExclusive
		lea	edx, [edi+3E4h]
		mov	bl, al
		mov	eax, [edx]
		cmp	eax, edx
		jz	loc_624A4D
		mov	ecx, [ebp+var_4]
		inc	ecx
		mov	[ebp+var_4], ecx
		test	cl, 3Fh
		jnz	short loc_62496B
		mov	ecx, [ebp+var_8]
		cmp	[edi+344h], ecx
		jnb	loc_624A23

loc_62496B:				; CODE XREF: MiProcessDeleteOnClose(x)+41j
		mov	ecx, [edi+344h]
		lea	esi, [eax-4]
		lea	eax, [esi+24h]
		mov	[ebp+var_8], ecx
		push	eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jnz	short loc_62499A
		lea	esi, [edi+340h]
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_624938
; 

loc_62499A:				; CODE XREF: MiProcessDeleteOnClose(x)+69j
		mov	ecx, esi
		call	MiUnlinkUnusedControlArea
		lea	eax, [edi+340h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		test	byte ptr [esi+1Ch], 20h
		mov	ecx, esi
		jz	short loc_6249C3
		push	0
		mov	dl, bl
		call	MiDestroySection
		jmp	loc_624932
; 

loc_6249C3:				; CODE XREF: MiProcessDeleteOnClose(x)+9Aj
		cmp	dword ptr [esi+28h], 0
		jz	short loc_6249E4
		call	MiInsertUnusedSegment
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_624932
; 

loc_6249E4:				; CODE XREF: MiProcessDeleteOnClose(x)+AEj
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_10]
		mov	dl, bl
		push	eax
		call	_MiFlushControlArea@16 ; MiFlushControlArea(x,x,x,x)
		cmp	eax, 1
		jnz	short loc_624A08
		push	[ebp+var_C]
		mov	dl, bl
		mov	ecx, esi
		call	MiDestroySection

loc_624A08:				; CODE XREF: MiProcessDeleteOnClose(x)+E1j
		mov	ecx, [ebp+var_10]
		lea	esi, [edi+340h]
		test	ecx, ecx
		jz	loc_624938
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)
		jmp	loc_624932
; 

loc_624A23:				; CODE XREF: MiProcessDeleteOnClose(x)+4Cj
		cmp	eax, edx
		jz	short loc_624A4D
		mov	byte ptr [edi+418h], 1
		lea	ecx, [edi+3F0h]
		push	ds:dword_4057CC
		xor	edx, edx
		push	ds:_Mi10Milliseconds
		push	0
		push	0
		call	KiSetTimerEx
		jmp	short loc_624A54
; 

loc_624A4D:				; CODE XREF: MiProcessDeleteOnClose(x)+31j
					; MiProcessDeleteOnClose(x)+10Cj
		mov	byte ptr [edi+418h], 0

loc_624A54:				; CODE XREF: MiProcessDeleteOnClose(x)+132j
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiProcessDeleteOnClose@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiProcessingPageExtendComplete(x, x, x)
_MiProcessingPageExtendComplete@12 proc	near ; CODE XREF: MiProcessDereferenceList+8FB3Dp
					; MiProcessDereferenceList+8FBF0p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	edx, [ebp+arg_0]
		add	edx, 340h
		test	byte ptr [esi+2Fh], 4
		jz	short loc_624A93
		xor	ecx, ecx
		lea	eax, [edi+28h]
		xchg	ecx, [eax]
		push	edx
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		jmp	short loc_624AB3
; 

loc_624A93:				; CODE XREF: MiProcessingPageExtendComplete(x,x,x)+19j
		push	edx
		call	ExAcquireSpinLockExclusive
		xor	ecx, ecx
		mov	bl, al
		cmp	[esi+30h], ecx
		jz	short loc_624AB3
		mov	eax, [esi+14h]
		push	ecx
		mov	[edi+14h], eax
		lea	eax, [edi+18h]
		push	ecx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_624AB3:				; CODE XREF: MiProcessingPageExtendComplete(x,x,x)+2Aj
					; MiProcessingPageExtendComplete(x,x,x)+39j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
_MiProcessingPageExtendComplete@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPurgeSubsection(x)
_MiPurgeSubsection@4 proc near		; CODE XREF: MiDeleteCachedSubsection(x)+3A8p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	bl, 21h
		mov	[ebp+var_C], edi
		mov	byte ptr [ebp+var_1], bl
		mov	eax, [edi]
		mov	esi, [edi+4]
		mov	[ebp+var_14], eax
		mov	eax, [edi+1Ch]
		lea	ecx, [esi+eax*8]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_30], ecx
		mov	[ebp+var_10], eax
		xor	eax, eax
		mov	[ebp+var_8], eax
		cmp	esi, ecx
		jnb	loc_624D15

loc_624AF5:				; CODE XREF: MiPurgeSubsection(x)+1E9j
		test	esi, 0FFFh
		jz	short loc_624B02
		cmp	bl, 21h
		jnz	short loc_624B5F

loc_624B02:				; CODE XREF: MiPurgeSubsection(x)+3Fj
		cmp	bl, 21h
		jz	short loc_624B10
		mov	dl, bl
		mov	ecx, eax
		call	MiUnlockProtoPoolPage

loc_624B10:				; CODE XREF: MiPurgeSubsection(x)+49j
		lea	edx, [ebp+var_1]
		mov	ecx, esi
		call	MiCheckProtoPtePageState
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_624B35
		mov	bl, byte ptr [ebp+var_1]
		and	esi, 0FFFFF000h
		add	esi, 1000h
		jmp	loc_624CA2
; 

loc_624B35:				; CODE XREF: MiPurgeSubsection(x)+63j
		mov	ebx, [ebp+var_14]
		add	ebx, 24h
		push	ebx
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		xor	eax, eax
		inc	eax
		cmp	[edi+3Ch], eax
		jnz	loc_624D00
		test	[edi+10h], al
		jnz	loc_624D00
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	bl, byte ptr [ebp+var_1]

loc_624B5F:				; CODE XREF: MiPurgeSubsection(x)+44j
		xor	edx, edx
		mov	ecx, esi
		call	MiLockLeafPage
		mov	edi, [esi]
		mov	edx, eax
		xor	eax, eax
		mov	[ebp+var_24], eax
		nop
		mov	ecx, [esi+4]
		mov	eax, edi
		test	edx, edx
		jnz	short loc_624BA4
		and	eax, 0C00h
		or	eax, edx
		jnz	loc_624C99
		mov	eax, edi
		or	eax, ecx
		jz	loc_624C99
		mov	eax, [ebp+var_C]
		push	edi
		push	esi
		push	eax
		push	4
		push	0DEh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_624BA4:				; CODE XREF: MiPurgeSubsection(x)+BDj
		and	eax, 1
		or	eax, 0
		jnz	loc_624CB2
		mov	eax, ds:dword_6D0700
		mov	edx, ds:dword_6D0704
		mov	[ebp+var_20], eax
		or	eax, edx
		mov	[ebp+var_24], edx
		mov	edx, edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], ecx
		jz	short loc_624BED
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_624BE8
		mov	edi, [ebp+var_20]
		mov	ecx, [ebp+var_24]
		not	edi
		not	ecx
		and	edi, edx
		and	ecx, [ebp+var_18]
		jmp	short loc_624BED
; 

loc_624BE8:				; CODE XREF: MiPurgeSubsection(x)+119j
		mov	ecx, [ebp+var_18]
		mov	edi, edx

loc_624BED:				; CODE XREF: MiPurgeSubsection(x)+10Fj
					; MiPurgeSubsection(x)+12Aj
		shrd	edi, ecx, 0Ch
		and	edi, 3FFFFFFh
		imul	eax, edi, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_18], eax
		test	byte ptr [eax+16h], 10h
		jnz	loc_624CAD
		xor	ecx, ecx
		cmp	[eax+14h], cx
		jnz	loc_624CAD
		mov	edx, [ebp+var_C]
		push	2
		push	ecx
		mov	ecx, [ebp+var_14]
		call	MiDereferenceControlAreaPfnList
		mov	ecx, [ebp+var_18]
		mov	eax, [ecx+8]
		mov	[esi], eax
		nop
		mov	eax, [ecx+0Ch]
		xor	edx, edx
		mov	[esi+4], eax
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		push	2
		pop	edx
		mov	ecx, edi
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	eax, [ebp+var_18]
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx
		mov	edi, [ebp+var_8]
		xor	eax, eax
		mov	[ebp+var_2C], eax
		lea	eax, [edi+10h]
		mov	[ebp+var_24], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_624C87
		mov	edi, eax

loc_624C6C:				; CODE XREF: MiPurgeSubsection(x)+1BCj
					; MiPurgeSubsection(x)+1C3j
		lea	ecx, [ebp+var_2C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_624C6C
		lock bts dword ptr [edi], 1Fh
		jb	short loc_624C6C
		mov	edi, [ebp+var_8]
		mov	bl, byte ptr [ebp+var_1]

loc_624C87:				; CODE XREF: MiPurgeSubsection(x)+1ACj
		mov	ecx, edi
		call	MiDecrementShareCount
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_624C99:				; CODE XREF: MiPurgeSubsection(x)+C6j
					; MiPurgeSubsection(x)+D0j
		mov	eax, [ebp+var_8]
		add	esi, 8
		mov	edi, [ebp+var_C]

loc_624CA2:				; CODE XREF: MiPurgeSubsection(x)+74j
		cmp	esi, [ebp+var_30]
		jb	loc_624AF5
		jmp	short loc_624CC2
; 

loc_624CAD:				; CODE XREF: MiPurgeSubsection(x)+14Bj
					; MiPurgeSubsection(x)+157j
		add	eax, 10h
		jmp	short loc_624CB5
; 

loc_624CB2:				; CODE XREF: MiPurgeSubsection(x)+EEj
		lea	eax, [edx+10h]

loc_624CB5:				; CODE XREF: MiPurgeSubsection(x)+1F4j
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		xor	eax, eax
		mov	[ebp+var_10], eax

loc_624CC2:				; CODE XREF: MiPurgeSubsection(x)+1EFj
		cmp	bl, 21h
		jz	short loc_624CD1
		mov	ecx, [ebp+var_8]
		mov	dl, bl
		call	MiUnlockProtoPoolPage

loc_624CD1:				; CODE XREF: MiPurgeSubsection(x)+209j
		mov	edi, [ebp+var_10]
		test	edi, edi
		jnz	short loc_624D18
		mov	esi, [ebp+var_14]
		add	esi, 24h
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		xor	ecx, ecx
		mov	eax, [ebp+var_C]
		inc	ecx
		push	esi
		or	[eax+10h], cx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_624D18
; 

loc_624D00:				; CODE XREF: MiPurgeSubsection(x)+8Bj
					; MiPurgeSubsection(x)+94j
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, [ebp+var_8]
		call	MiUnlockProtoPoolPage
		xor	eax, eax
		jmp	short loc_624D1A
; 

loc_624D15:				; CODE XREF: MiPurgeSubsection(x)+33j
		mov	edi, [ebp+var_10]

loc_624D18:				; CODE XREF: MiPurgeSubsection(x)+21Aj
					; MiPurgeSubsection(x)+242j
		mov	eax, edi

loc_624D1A:				; CODE XREF: MiPurgeSubsection(x)+257j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiPurgeSubsection@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiQueueControlAreaDelete(x)
_MiQueueControlAreaDelete@4 proc near	; CODE XREF: MiDereferenceControlAreaProbe(x,x):loc_495EBDp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset unk_6D5180
		push	edi
		and	dword ptr [esi], 0
		call	ExAcquireSpinLockExclusive
		mov	edx, ds:dword_6D528C
		mov	bl, al
		mov	[esi], edx
		push	edi
		mov	ds:dword_6D528C, esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	0
		push	offset unk_6D527C
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiQueueControlAreaDelete@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRemoveUnusedSegments(x, x)
_MiRemoveUnusedSegments@8 proc near	; CODE XREF: MiProcessDereferenceList+8FBC5p
					; MiDereferenceSegmentThread+86C98p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	eax, edx
		mov	esi, ecx
		xor	ecx, ecx
		mov	[esp+1Ch+var_8], eax
		mov	[esp+1Ch+var_C], ecx
		mov	[esp+1Ch+var_10], ecx
		push	edi
		test	eax, eax
		jz	short loc_624D9E
		mov	edi, ds:dword_6D5EFC
		cmp	eax, edi
		jnb	short loc_624D96
		sub	edi, eax
		jmp	short loc_624D98
; 

loc_624D96:				; CODE XREF: MiRemoveUnusedSegments(x,x)+2Cj
		xor	edi, edi

loc_624D98:				; CODE XREF: MiRemoveUnusedSegments(x,x)+30j
		and	[esp+20h+var_14], ecx
		jmp	short loc_624DA8
; 

loc_624D9E:				; CODE XREF: MiRemoveUnusedSegments(x,x)+22j
		mov	[esp+20h+var_14], 20h
		xor	edi, edi

loc_624DA8:				; CODE XREF: MiRemoveUnusedSegments(x,x)+38j
		imul	eax, [esi+0F48h], 3E8h
		xor	edx, edx
		div	ds:dword_6D5D88
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_624EF1
		mov	eax, ds:dword_6CF3CC
		xor	edx, edx
		mov	ebx, 3E8h
		div	ebx
		mov	ebx, [esi+420h]
		imul	eax, ecx
		cmp	eax, ebx
		jbe	short loc_624DE1
		mov	eax, ebx

loc_624DE1:				; CODE XREF: MiRemoveUnusedSegments(x,x)+79j
		test	eax, eax
		jz	loc_624EF1
		sub	ebx, eax
		mov	eax, 100000h
		cmp	ebx, eax
		jnb	short loc_624DF6
		mov	ebx, eax

loc_624DF6:				; CODE XREF: MiRemoveUnusedSegments(x,x)+8Ej
					; MiRemoveUnusedSegments(x,x)+13Ej ...
		cmp	[esp+20h+var_8], 0
		mov	ecx, ds:dword_6D5EFC
		jz	short loc_624E0D
		cmp	ecx, edi
		jbe	loc_624EEB
		jmp	short loc_624E3A
; 

loc_624E0D:				; CODE XREF: MiRemoveUnusedSegments(x,x)+9Dj
		cmp	[esp+20h+var_14], 0
		jz	loc_624EEB
		mov	eax, ds:dword_6D5F54
		xor	edx, edx
		mov	[esp+20h+var_4], 0Ah
		div	[esp+20h+var_4]
		imul	eax, 9
		cmp	ecx, eax
		jb	loc_624EEB
		dec	[esp+20h+var_14]

loc_624E3A:				; CODE XREF: MiRemoveUnusedSegments(x,x)+A7j
		call	_MiShouldTrimUnusedSegments@0 ;	MiShouldTrimUnusedSegments()
		test	eax, eax
		jz	loc_624EEB
		cmp	[esi+420h], ebx
		jbe	loc_624EEB
		mov	eax, [esp+20h+var_10]
		inc	eax
		mov	[esp+20h+var_10], eax
		test	al, 3Fh
		jnz	short loc_624E8F
		xor	edx, edx
		mov	ecx, esi
		call	MiProcessDereferenceList
		cmp	[esp+20h+var_10], 80h
		jb	short loc_624E81
		push	0
		push	0
		push	40h
		pop	edx
		xor	ecx, ecx
		call	_CcUnmapInactiveViews@16 ; CcUnmapInactiveViews(x,x,x,x)

loc_624E81:				; CODE XREF: MiRemoveUnusedSegments(x,x)+10Dj
		push	offset _MiShortTime
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)

loc_624E8F:				; CODE XREF: MiRemoveUnusedSegments(x,x)+FAj
		lea	eax, [esi+424h]
		cmp	[eax], eax
		jz	short loc_624EAA
		mov	ecx, esi
		call	_MiDeleteCachedSegment@4 ; MiDeleteCachedSegment(x)
		test	eax, eax
		jz	loc_624DF6
		jmp	short loc_624EC3
; 

loc_624EAA:				; CODE XREF: MiRemoveUnusedSegments(x,x)+133j
		lea	eax, [esi+42Ch]
		cmp	[eax], eax
		jz	short loc_624ED0
		mov	ecx, esi
		call	_MiDeleteCachedSubsection@4 ; MiDeleteCachedSubsection(x)
		test	eax, eax
		js	loc_624DF6

loc_624EC3:				; CODE XREF: MiRemoveUnusedSegments(x,x)+144j
		mov	[esp+20h+var_C], 1
		jmp	loc_624DF6
; 

loc_624ED0:				; CODE XREF: MiRemoveUnusedSegments(x,x)+14Ej
		xor	eax, eax
		cmp	[esi+40h], eax
		jnz	short loc_624EEB
		push	eax
		push	eax
		push	40h
		pop	edx
		xor	ecx, ecx
		call	_CcUnmapInactiveViews@16 ; CcUnmapInactiveViews(x,x,x,x)
		test	eax, eax
		jnz	loc_624DF6

loc_624EEB:				; CODE XREF: MiRemoveUnusedSegments(x,x)+A1j
					; MiRemoveUnusedSegments(x,x)+AEj ...
		mov	eax, [esp+20h+var_C]
		jmp	short loc_624EF3
; 

loc_624EF1:				; CODE XREF: MiRemoveUnusedSegments(x,x)+5Aj
					; MiRemoveUnusedSegments(x,x)+7Fj
		xor	eax, eax

loc_624EF3:				; CODE XREF: MiRemoveUnusedSegments(x,x)+18Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiRemoveUnusedSegments@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiRemoveWakeListEntry(x, x)
_MiRemoveWakeListEntry@8 proc near	; CODE XREF: MiCleanSection+8D10Dp
					; MiFlushControlArea(x,x,x,x)+218p ...
		mov	edi, edi
		push	esi
		lea	esi, [ecx+2Ch]
		mov	ecx, [esi]
		mov	eax, [ecx]
		jmp	short loc_624F0C
; 

loc_624F06:				; CODE XREF: MiRemoveWakeListEntry(x,x)+14j
		mov	esi, ecx
		mov	ecx, eax
		mov	eax, [eax]

loc_624F0C:				; CODE XREF: MiRemoveWakeListEntry(x,x)+Aj
		cmp	ecx, edx
		jnz	short loc_624F06
		mov	[esi], eax
		pop	esi
		retn
_MiRemoveWakeListEntry@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiReserveLowPrioritySystemPtes(x)
_MiReserveLowPrioritySystemPtes@4 proc near ; CODE XREF: MiCopyToUserVa(x,x,x,x)+274p
					; MiZeroLargePage+60p ...
		mov	edx, ecx
		mov	ecx, offset dword_6D35E0
		jmp	MiReservePtes
_MiReserveLowPrioritySystemPtes@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiReturnCrossPartitionControlAreaCharges(x)
_MiReturnCrossPartitionControlAreaCharges@4 proc near ;	CODE XREF: MiRemoveMappedPtes+267p
					; MiUnmapImageInSystemSpace+29j ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+24h]
		push	edi
		call	ExAcquireSpinLockExclusive
		lea	ecx, [esi+50h]
		mov	bl, al
		call	MiDecrementSubsectionViewCount
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiReturnCrossPartitionControlAreaCharges@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetDeleteOnClose(x, x)
_MiSetDeleteOnClose@8 proc near		; CODE XREF: MiWriteComplete+11A9C7p
					; MiRelocateImage+14DE33p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		lea	edi, [esi+24h]
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	ecx, [esi+1Ch]
		mov	bl, al
		mov	eax, 40000h
		test	ecx, eax
		jnz	short loc_624F94
		test	ecx, 8000000h
		jz	short loc_624F8F
		mov	ecx, esi
		call	_MiRemoveUnusedSegment@4 ; MiRemoveUnusedSegment(x)
		or	dword ptr [esi+1Ch], 40000h
		mov	ecx, esi
		call	MiInsertUnusedSegment
		jmp	short loc_624F94
; 

loc_624F8F:				; CODE XREF: MiSetDeleteOnClose(x,x)+2Bj
		or	ecx, eax
		mov	[esi+1Ch], ecx

loc_624F94:				; CODE XREF: MiSetDeleteOnClose(x,x)+23j
					; MiSetDeleteOnClose(x,x)+42j
		cmp	[ebp+var_4], 1
		jnz	short loc_624F9E
		or	dword ptr [esi+1Ch], 10h

loc_624F9E:				; CODE XREF: MiSetDeleteOnClose(x,x)+4Dj
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiSetDeleteOnClose@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiShouldTrimUnusedSegments()
_MiShouldTrimUnusedSegments@0 proc near	; CODE XREF: MiCheckControlArea:loc_5F042Cp
					; MiFreeExcessSegments()+1Ap ...
		mov	edi, edi
		push	esi
		mov	esi, ds:dword_6CF3CC
		test	esi, esi
		jz	short loc_62500D
		cmp	ds:dword_6D4254, 6000000h
		jnb	short loc_624FF2
		mov	eax, ds:dword_6D07D0
		xor	edx, edx
		push	3
		neg	eax
		pop	ecx
		div	ecx
		mov	ecx, ds:dword_6D3D68
		shl	ecx, 15h
		cmp	ecx, eax
		ja	short loc_625008
		mov	ecx, ds:dword_6D3D6C
		shl	ecx, 15h
		cmp	ecx, eax
		ja	short loc_625008

loc_624FF2:				; CODE XREF: MiShouldTrimUnusedSegments()+17j
		mov	eax, ds:dword_6D5F54
		xor	edx, edx
		push	64h
		pop	ecx
		div	ecx
		shr	esi, 0Ch
		imul	eax, 3
		cmp	esi, eax
		jbe	short loc_62500D

loc_625008:				; CODE XREF: MiShouldTrimUnusedSegments()+32j
					; MiShouldTrimUnusedSegments()+3Fj
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_62500D:				; CODE XREF: MiShouldTrimUnusedSegments()+Bj
					; MiShouldTrimUnusedSegments()+55j
		xor	eax, eax
		pop	esi
		retn
_MiShouldTrimUnusedSegments@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1397. MmForceSectionClosedEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmForceSectionClosedEx(x, x)
		public _MmForceSectionClosedEx@8
_MmForceSectionClosedEx@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	ecx, ebx
		and	ecx, 0FFFFFFF8h
		neg	ecx
		push	esi
		sbb	cl, cl
		inc	cl
		test	bl, 3
		setnz	al
		test	cl, al
		jz	short loc_62507B
		test	bl, 1
		jz	short loc_62504B
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		and	edx, 0FFFFFFFDh
		call	MiForceSectionClosed
		mov	esi, eax
		jmp	short loc_62504E
; 

loc_62504B:				; CODE XREF: MmForceSectionClosedEx(x,x)+22j
		xor	esi, esi
		inc	esi

loc_62504E:				; CODE XREF: MmForceSectionClosedEx(x,x)+33j
		test	bl, 2
		jz	short loc_625062
		mov	ecx, [ebp+arg_0]
		and	ebx, 0FFFFFFFEh
		mov	edx, ebx
		call	MiForceSectionClosed
		jmp	short loc_625065
; 

loc_625062:				; CODE XREF: MmForceSectionClosedEx(x,x)+3Bj
		xor	eax, eax
		inc	eax

loc_625065:				; CODE XREF: MmForceSectionClosedEx(x,x)+4Aj
		cmp	esi, 2
		pop	esi
		pop	ebx
		jz	short loc_625077
		cmp	eax, 2
		jz	short loc_625077
		mov	al, 1

loc_625073:				; CODE XREF: MmForceSectionClosedEx(x,x)+63j
		pop	ebp
		retn	8
; 

loc_625077:				; CODE XREF: MmForceSectionClosedEx(x,x)+54j
					; MmForceSectionClosedEx(x,x)+59j
		xor	al, al
		jmp	short loc_625073
; 

loc_62507B:				; CODE XREF: MmForceSectionClosedEx(x,x)+1Dj
		push	0
		push	0
		push	ebx
		push	43000h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MmForceSectionClosedEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckCommitReleaseFromVad(x, x, x, x, x, x)
_MiCheckCommitReleaseFromVad@24	proc near
					; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+343p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		mov	[ebp+var_2C], ecx
		mov	ecx, [ebp+arg_4]
		push	ebx
		mov	ebx, eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_8], edx
		mov	edx, 0FFFFFh
		and	eax, edx
		mov	[ebp+var_4], ebx
		push	esi
		push	edi
		lea	edi, ds:0C0000000h[eax*8]
		mov	eax, [ecx+10h]
		mov	ecx, [ebp+arg_0]
		and	eax, edx
		lea	esi, ds:0C0000000h[eax*8]
		mov	[ebp+var_C], esi
		call	MiLockWorkingSetShared
		mov	byte ptr [ebp+var_20], al
		cmp	edi, esi
		ja	loc_6252F4

loc_6250E1:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+25Ej
		lea	eax, [ebp+var_24]
		mov	edx, esi
		push	eax
		xor	eax, eax
		mov	ecx, edi
		push	eax
		push	[ebp+var_20]
		push	eax
		call	MiGetNextPageTable
		mov	esi, eax
		cmp	esi, edi
		jz	short loc_625129
		test	esi, esi
		jnz	short loc_62510A
		mov	eax, [ebp+var_C]
		sub	eax, edi
		sar	eax, 3
		inc	eax
		jmp	short loc_625111
; 

loc_62510A:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+70j
		mov	eax, esi
		sub	eax, edi
		sar	eax, 3

loc_625111:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+7Bj
		mov	ecx, [ebp+arg_4]
		mov	edx, edi
		push	eax
		call	_MiComputeCommitChargeForZeroPteRange@12 ; MiComputeCommitChargeForZeroPteRange(x,x,x)
		add	ebx, eax
		mov	[ebp+var_4], ebx
		test	esi, esi
		jz	loc_6252F1

loc_625129:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+6Cj
		mov	ecx, [ebp+var_C]
		mov	eax, esi
		shr	eax, 9
		mov	edi, esi
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_30], eax
		mov	eax, esi
		and	eax, 0FFFFF000h
		add	eax, 0FF8h
		mov	[ebp+var_1C], eax
		cmp	eax, ecx
		jbe	short loc_625158
		mov	eax, ecx
		mov	[ebp+var_1C], ecx

loc_625158:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+C4j
		cmp	esi, eax
		ja	loc_6252DB

loc_625160:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+248j
		mov	ebx, [edi]
		nop
		mov	esi, [edi+4]
		mov	eax, ebx
		or	eax, esi
		jnz	short loc_62517D
		mov	ecx, [ebp+arg_4]
		mov	edx, edi
		push	1
		call	_MiComputeCommitChargeForZeroPteRange@12 ; MiComputeCommitChargeForZeroPteRange(x,x,x)
		jmp	loc_6252A8
; 

loc_62517D:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+DDj
		mov	eax, ebx
		xor	ecx, ecx
		and	eax, 1
		or	eax, ecx
		mov	eax, ebx
		jz	short loc_625206
		and	eax, 200h
		or	eax, ecx
		jz	loc_6252CC
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+1Ch]
		and	al, 70h
		cmp	al, 40h
		jnz	short loc_6251B4
		mov	ecx, edi
		call	_MiRotatedToFrameBuffer@4 ; MiRotatedToFrameBuffer(x)
		test	eax, eax
		jnz	loc_6252CC
		xor	ecx, ecx

loc_6251B4:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+114j
		nop
		shrd	ebx, esi, 0Ch
		and	ebx, 1FFFFFFh
		imul	edx, ebx, 1Ch
		add	edx, ds:_MmPfnDatabase
		test	dword ptr [edx+18h], (offset loc_7FFFFF+1)
		jnz	short loc_6251DE
		mov	eax, [edx+4]
		test	eax, eax
		js	short loc_6251DE
		jnz	loc_6252CC

loc_6251DE:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+142j
					; MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+149j
		mov	eax, [ebp+var_8]
		cmp	[eax+148h], ecx
		jz	short loc_625201
		mov	edx, [edx+4]
		mov	ecx, eax
		or	edx, 80000000h
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		test	eax, eax
		jnz	loc_6252CC

loc_625201:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+15Aj
		mov	ebx, [ebp+var_4]
		jmp	short loc_625231
; 

loc_625206:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+FBj
		and	eax, 400h
		or	eax, ecx
		jz	loc_6252AF
		push	esi
		push	ebx
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jz	short loc_62523A
		shrd	ebx, esi, 5
		and	ebx, 5
		cmp	bl, 5
		mov	ebx, [ebp+var_4]
		jnz	loc_6252CF

loc_625231:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+177j
					; MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+2D1j
		inc	ebx

loc_625232:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+220j
		mov	[ebp+var_4], ebx
		jmp	loc_6252CF
; 

loc_62523A:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+18Fj
		push	esi
		push	ebx
		call	_MI_PROTO_FORMAT_COMBINED@8 ; MI_PROTO_FORMAT_COMBINED(x,x)
		test	al, al
		jnz	loc_6252CC
		mov	eax, [ebp+var_8]
		cmp	dword ptr [eax+148h], 0
		jz	short loc_62528F
		mov	eax, ds:dword_6D0704
		mov	edx, esi
		mov	ecx, ds:dword_6D0700
		mov	[ebp+var_14], eax
		mov	eax, ecx
		or	eax, [ebp+var_14]
		jz	short loc_625281
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_62527F
		mov	esi, [ebp+var_14]
		not	esi
		and	esi, edx
		jmp	short loc_625281
; 

loc_62527F:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+1E7j
		mov	esi, edx

loc_625281:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+1DDj
					; MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+1F0j
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		test	eax, eax
		jnz	short loc_6252CC

loc_62528F:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+1C6j
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+var_28]
		mov	edx, edi
		push	eax
		shr	edx, 3
		push	1
		and	edx, 0FFFFFh
		call	_MiComputeImageVadCommitCharge@16 ; MiComputeImageVadCommitCharge(x,x,x,x)

loc_6252A8:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+EBj
		mov	ebx, [ebp+var_4]
		add	ebx, eax
		jmp	short loc_625232
; 

loc_6252AF:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+180j
		mov	eax, ebx
		and	eax, 800h
		or	eax, ecx
		jz	short loc_625336
		xor	edx, edx
		mov	ecx, edi
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_625307
		sub	edi, 8

loc_6252CC:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+104j
					; MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+11Fj ...
		mov	ebx, [ebp+var_4]

loc_6252CF:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+19Ej
					; MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+1A8j ...
		add	edi, 8
		cmp	edi, [ebp+var_1C]
		jbe	loc_625160

loc_6252DB:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+CDj
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+arg_0]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	esi, [ebp+var_C]
		cmp	edi, esi
		jbe	loc_6250E1

loc_6252F1:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+96j
		mov	al, byte ptr [ebp+var_20]

loc_6252F4:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+4Ej
		mov	ecx, [ebp+arg_0]
		mov	dl, al
		call	MiUnlockWorkingSetShared
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
; 

loc_625307:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+23Aj
		test	byte ptr [edx+16h], 10h
		jnz	short loc_625329
		mov	ecx, [edx+8]
		mov	eax, [edx+0Ch]
		shrd	ecx, eax, 2
		test	cl, 1
		jnz	short loc_625329
		xor	eax, eax
		cmp	[edx+14h], ax
		jnz	short loc_625329
		mov	eax, [ebp+arg_C]
		inc	dword ptr [eax]

loc_625329:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+27Ej
					; MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+28Dj ...
		mov	ecx, 7FFFFFFFh
		lea	eax, [edx+10h]
		lock and [eax],	ecx
		jmp	short loc_6252CC
; 

loc_625336:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+22Bj
		mov	ecx, ebx
		mov	eax, esi
		shrd	ecx, eax, 2
		test	cl, 1
		jz	short loc_625363
		cmp	[ebp+arg_8], 0
		jz	short loc_6252CC
		mov	ecx, [ebp+var_2C]
		push	esi
		push	ebx
		call	_MiIsPteInStore@16 ; MiIsPteInStore(x,x,x,x)
		test	eax, eax

loc_625355:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+2E0j
		mov	ebx, [ebp+var_4]
		jz	loc_6252CF
		jmp	loc_625231
; 

loc_625363:				; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+2B4j
		shrd	ebx, esi, 5
		and	bl, 1Fh
		cmp	bl, 10h
		jmp	short loc_625355
_MiCheckCommitReleaseFromVad@24	endp


;  S U B	R O U T	I N E 


; __stdcall MiClearCommitReleaseState(x)
_MiClearCommitReleaseState@4 proc near	; CODE XREF: MmCleanProcessAddressSpace:loc_921A59p
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, offset unk_6D3C40
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		jz	short loc_62538A
		lea	edi, [esi+80h]

loc_62538A:				; CODE XREF: MiClearCommitReleaseState(x)+13j
		push	edi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [edi+4], 0
		mov	dl, al
		mov	cl, [esi+63h]
		and	cl, 9Fh
		mov	[esi+63h], cl
		mov	ecx, esi
		call	MiUnlockWorkingSetExclusive
		pop	edi
		pop	esi
		pop	ecx
		retn
_MiClearCommitReleaseState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiComputeCommitChargeForZeroPteRange(x, x, x)
_MiComputeCommitChargeForZeroPteRange@12 proc near
					; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+8Ap
					; MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+E6p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	esi, esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], esi
		mov	edx, [ebx+1Ch]
		test	edx, 100000h
		jz	short loc_6253D1
		cmp	[ebx+20h], esi
		jge	short loc_62541D
		mov	esi, [ebp+arg_0]
		jmp	short loc_62541D
; 

loc_6253D1:				; CODE XREF: MiComputeCommitChargeForZeroPteRange(x,x,x)+1Bj
		mov	eax, edx
		and	al, 70h
		cmp	al, 20h
		jz	short loc_6253EF
		mov	eax, 280h
		mov	esi, edx
		and	esi, eax
		sub	esi, eax
		neg	esi
		sbb	esi, esi
		not	esi
		and	esi, [ebp+arg_0]
		jmp	short loc_62541D
; 

loc_6253EF:				; CODE XREF: MiComputeCommitChargeForZeroPteRange(x,x,x)+2Dj
		mov	eax, [ebp+arg_0]
		shr	edi, 3
		and	edi, 0FFFFFh
		test	eax, eax
		jmp	short loc_625418
; 

loc_6253FF:				; CODE XREF: MiComputeCommitChargeForZeroPteRange(x,x,x)+71j
		lea	ecx, [ebp+var_4]
		mov	edx, edi
		push	ecx
		push	eax
		mov	ecx, ebx
		call	_MiComputeImageVadCommitCharge@16 ; MiComputeImageVadCommitCharge(x,x,x,x)
		add	edi, [ebp+var_4]
		add	esi, eax
		mov	eax, [ebp+arg_0]
		sub	eax, [ebp+var_4]

loc_625418:				; CODE XREF: MiComputeCommitChargeForZeroPteRange(x,x,x)+53j
		mov	[ebp+arg_0], eax
		jnz	short loc_6253FF

loc_62541D:				; CODE XREF: MiComputeCommitChargeForZeroPteRange(x,x,x)+20j
					; MiComputeCommitChargeForZeroPteRange(x,x,x)+25j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiComputeCommitChargeForZeroPteRange@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiComputeImageVadCommitCharge(x, x,	x, x)
_MiComputeImageVadCommitCharge@16 proc near
					; CODE XREF: MiCheckCommitReleaseFromVad(x,x,x,x,x,x)+216p
					; MiComputeCommitChargeForZeroPteRange(x,x,x)+5Ep

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		lea	eax, [ebp+var_4]
		xor	esi, esi
		push	eax
		push	6
		mov	[ebp+var_4], esi
		call	MiGetProtoPteAddress
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_625450
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 1
		xor	eax, eax
		jmp	short loc_625494
; 

loc_625450:				; CODE XREF: MiComputeImageVadCommitCharge(x,x,x,x)+1Bj
		push	ebx
		mov	ebx, [ebp+var_4]
		push	edi
		sub	ecx, [ebx+4]
		mov	edi, [ebx+1Ch]
		mov	edx, edi
		sar	ecx, 3
		sub	edx, ecx
		cmp	edx, [ebp+arg_0]
		jbe	short loc_62546A
		mov	edx, [ebp+arg_0]

loc_62546A:				; CODE XREF: MiComputeImageVadCommitCharge(x,x,x,x)+3Fj
		mov	al, [ebx+10h]
		and	al, 0Ah
		cmp	al, 0Ah
		jnz	short loc_62548B
		mov	eax, [ebx+24h]
		and	eax, 3FFFFFFFh
		sub	edi, eax
		cmp	ecx, edi
		jnb	short loc_62548B
		mov	esi, edi
		sub	esi, ecx
		cmp	esi, edx
		jbe	short loc_62548B
		mov	esi, edx

loc_62548B:				; CODE XREF: MiComputeImageVadCommitCharge(x,x,x,x)+4Bj
					; MiComputeImageVadCommitCharge(x,x,x,x)+59j ...
		mov	ecx, [ebp+arg_4]
		mov	eax, esi
		pop	edi
		pop	ebx
		mov	[ecx], edx

loc_625494:				; CODE XREF: MiComputeImageVadCommitCharge(x,x,x,x)+28j
		pop	esi
		leave
		retn	8
_MiComputeImageVadCommitCharge@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDecrementVadsBeingDeleted(x)
_MiDecrementVadsBeingDeleted@4 proc near
					; CODE XREF: MiFinishPlaceholderVadReplacement(x,x,x)+77p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+50h], eax
		dec	eax
		jnz	short locret_6254B6
		push	0
		push	0
		push	dword ptr [ecx+60h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

locret_6254B6:				; CODE XREF: MiDecrementVadsBeingDeleted(x)+Fj
		leave
		retn
_MiDecrementVadsBeingDeleted@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiIsVadEligibleForCommitRelease(x)
_MiIsVadEligibleForCommitRelease@4 proc	near ; CODE XREF: .text:005B2379p
					; MiProcessCommitIntact(x)+4Cp	...
		call	_MiVadSupportsPrivateCommit@4 ;	MiVadSupportsPrivateCommit(x)
		test	eax, eax
		jz	short loc_6254E7
		call	_MiVadMapsLargeImage@4 ; MiVadMapsLargeImage(x)
		test	eax, eax
		jnz	short loc_6254E7
		mov	eax, [ecx+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jnb	short loc_6254E7
		test	eax, eax
		jz	short loc_6254E7
		test	byte ptr [ecx+1Ch], 8
		jnz	short loc_6254E7
		xor	eax, eax
		inc	eax
		retn
; 

loc_6254E7:				; CODE XREF: MiIsVadEligibleForCommitRelease(x)+7j
					; MiIsVadEligibleForCommitRelease(x)+10j ...
		xor	eax, eax
		retn
_MiIsVadEligibleForCommitRelease@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogOutswappedProcessCommitReacquire(x, x,	x, x)
_MiLogOutswappedProcessCommitReacquire@16 proc near
					; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+86p
					; MiReAcquireOutSwappedProcessCommit(x)+9Cp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ds:dword_6D35BC
		mov	[ebp+var_64], edx
		mov	[ebp+var_5C], ecx
		test	edi, edi
		jz	loc_625604
		cmp	[ebp+arg_0], 0
		jnz	short loc_625550
		cmp	dword ptr [edi], 5
		jbe	loc_625604
		xor	esi, esi
		mov	ecx, edi
		push	esi
		push	4
		pop	ebx
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_625604
		mov	edx, [ebp+var_5C]
		lea	ecx, [ebp+var_38]
		lea	edx, [edx+1ACh]
		call	_tlgCreate1Sz_char
		mov	edx, offset loc_41C99C
		jmp	short loc_6255BA
; 

loc_625550:				; CODE XREF: MiLogOutswappedProcessCommitReacquire(x,x,x,x)+2Dj
		cmp	[ebp+arg_4], 0
		jz	short loc_62558D
		cmp	dword ptr [edi], 5
		jbe	loc_625604
		xor	esi, esi
		mov	ecx, edi
		push	esi
		push	4
		pop	ebx
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_625604
		mov	edx, [ebp+var_5C]
		lea	ecx, [ebp+var_38]
		lea	edx, [edx+1ACh]
		call	_tlgCreate1Sz_char
		mov	edx, offset loc_41C9EC
		jmp	short loc_6255BA
; 

loc_62558D:				; CODE XREF: MiLogOutswappedProcessCommitReacquire(x,x,x,x)+6Aj
		cmp	dword ptr [edi], 5
		jbe	short loc_625604
		xor	esi, esi
		mov	ecx, edi
		push	esi
		push	4
		pop	ebx
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_625604
		mov	edx, [ebp+var_5C]
		lea	ecx, [ebp+var_38]
		lea	edx, [edx+1ACh]
		call	_tlgCreate1Sz_char
		mov	edx, offset dword_41CA40

loc_6255BA:				; CODE XREF: MiLogOutswappedProcessCommitReacquire(x,x,x,x)+64j
					; MiLogOutswappedProcessCommitReacquire(x,x,x,x)+A1j
		mov	ecx, [ebp+var_5C]
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], esi
		mov	eax, [ecx+0E4h]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_64]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	ecx
		push	ecx
		push	1
		push	ecx
		push	ecx
		mov	ecx, edi
		mov	[ebp+var_64], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], esi
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_625604:				; CODE XREF: MiLogOutswappedProcessCommitReacquire(x,x,x,x)+23j
					; MiLogOutswappedProcessCommitReacquire(x,x,x,x)+32j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_MiLogOutswappedProcessCommitReacquire@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogOutswappedProcessCommitRelease(x, x, x)
_MiLogOutswappedProcessCommitRelease@12	proc near
					; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+7C1p

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, ds:dword_6D35BC
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	loc_6256D1
		cmp	dword ptr [esi], 5
		jbe	loc_6256D1
		push	0
		push	4
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_6256D1
		lea	edx, [edi+1ACh]
		lea	ecx, [ebp+var_4C]
		call	_tlgCreate1Sz_char
		mov	eax, [edi+0E4h]
		xor	edx, edx
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_7C]
		push	8
		pop	ecx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	6
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_78], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_80], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		mov	edx, offset loc_41CA94
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_34], 4
		mov	[ebp+var_7C], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_6256D1:				; CODE XREF: MiLogOutswappedProcessCommitRelease(x,x,x)+24j
					; MiLogOutswappedProcessCommitRelease(x,x,x)+2Dj ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiLogOutswappedProcessCommitRelease@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogResetPagesCommitRelease(x, x)
_MiLogResetPagesCommitRelease@8	proc near ; CODE XREF: MiReleaseCommitForResetPages(x)+6A0p

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ds:dword_6D35BC
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	loc_62579B
		cmp	dword ptr [esi], 5
		jbe	loc_62579B
		push	0
		push	4
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_62579B
		lea	edx, [edi+1ACh]
		lea	ecx, [ebp+var_48]
		call	_tlgCreate1Sz_char
		mov	eax, [edi+0E4h]
		xor	edx, edx
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_78]
		push	8
		pop	ecx
		mov	[ebp+var_28], eax
		mov	eax, [edi+2C8h]
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	6
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_74], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_7C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		mov	edx, offset loc_41C936
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_30], 4
		mov	[ebp+var_78], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_62579B:				; CODE XREF: MiLogResetPagesCommitRelease(x,x)+24j
					; MiLogResetPagesCommitRelease(x,x)+2Dj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiLogResetPagesCommitRelease@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeOutswappedPageResident(x, x, x, x, x)
_MiMakeOutswappedPageResident@20 proc near ; CODE XREF:	MmInSwapProcess+16264Dp
					; MiInSwapPageDirectories(x,x)+55p

var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_112		= dword	ptr -112h
var_100		= dword	ptr -100h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_68		= dword	ptr -68h
var_64		= word ptr -64h
var_62		= word ptr -62h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 158h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebx+8]
		mov	[ebp+var_13C], eax
		mov	eax, [ebx+0Ch]
		push	esi
		push	edi
		mov	[ebp+var_138], eax
		lea	edi, [ebp+var_158]
		xor	eax, eax
		mov	[ebp+var_11C], edx
		stosd
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_128], esi
		push	108h		; size_t
		push	ecx		; int
		stosd
		mov	byte ptr [ebp+var_112],	cl
		mov	[ebp+var_134], ecx
		stosd
		lea	eax, [ebp+var_112+2]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_625829
; 

loc_625823:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+166j
					; MiMakeOutswappedPageResident(x,x,x,x,x)+183j	...
		mov	esi, [ebp+var_128]

loc_625829:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+77j
					; MiMakeOutswappedPageResident(x,x,x,x,x)+F5j
		cmp	[ebp+var_11C], 0C0603018h
		jnz	short loc_625850
		mov	edi, [esi+1A0h]
		mov	[ebp+var_118], edi
		nop
		mov	esi, [esi+1A4h]
		mov	[ebp+var_124], esi
		jmp	short loc_625890
; 

loc_625850:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+89j
		mov	ecx, [ebp+var_138]
		lea	edx, [ebp+var_112]
		push	80000000h
		call	MiMapPageInHyperSpaceWorker
		add	eax, [ebp+var_13C]
		mov	edi, [eax]
		mov	[ebp+var_118], edi
		nop
		mov	esi, [eax+4]
		mov	ecx, eax
		mov	dl, byte ptr [ebp+var_112]
		push	80000000h
		mov	[ebp+var_124], esi
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)

loc_625890:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+A4j
		push	esi
		push	edi
		call	_MiInvalidPteConforms@12 ; MiInvalidPteConforms(x,x,x)
		mov	esi, [ebp+var_128]
		test	eax, eax
		jz	short loc_625829
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jz	loc_625A71
		mov	eax, ds:dword_6D0700
		mov	esi, edi
		mov	edx, ds:dword_6D0704
		mov	ecx, [ebp+var_124]
		mov	[ebp+var_120], eax
		or	eax, edx
		mov	[ebp+var_12C], edx
		mov	edx, ecx
		jz	short loc_6258FA
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_6258F6
		mov	esi, [ebp+var_120]
		mov	ecx, [ebp+var_12C]
		not	esi
		not	ecx
		and	esi, edi
		and	ecx, edx
		jmp	short loc_6258FA
; 

loc_6258F6:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+134j
		mov	esi, edi
		mov	ecx, edx

loc_6258FA:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+12Aj
					; MiMakeOutswappedPageResident(x,x,x,x,x)+14Aj
		shrd	esi, ecx, 0Ch
		and	esi, 3FFFFFFh
		mov	[ebp+var_12C], esi
		cmp	esi, ds:dword_6D07B0
		ja	loc_625823
		mov	eax, ds:dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_625823
		imul	esi, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		cmp	[ebp+var_11C], 0C0603018h
		mov	cl, al
		mov	byte ptr [ebp+var_112+1], cl
		jnz	short loc_625972
		mov	edx, [ebp+var_128]
		mov	eax, [edx+1A0h]
		mov	[ebp+var_118], eax
		nop
		mov	edx, [edx+1A4h]
		jmp	short loc_6259B6
; 

loc_625972:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+1ABj
		mov	ecx, [ebp+var_138]
		xor	edx, edx
		push	80000000h
		call	MiMapPageInHyperSpaceWorker
		add	eax, [ebp+var_13C]
		mov	ecx, [eax]
		mov	[ebp+var_118], ecx
		nop
		mov	ecx, [eax+4]
		mov	dl, 21h
		mov	[ebp+var_120], ecx
		mov	ecx, eax
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	cl, byte ptr [ebp+var_112+1]
		mov	edx, [ebp+var_120]

loc_6259B6:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+1C6j
		lea	eax, [esi+10h]
		cmp	[ebp+var_118], edi
		jnz	short loc_625A04
		cmp	edx, [ebp+var_124]
		jnz	short loc_625A04
		mov	al, [esi+16h]
		xor	edx, edx
		and	al, 7
		mov	ecx, esi
		cmp	al, 6
		jz	short loc_625A2E
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		test	eax, eax
		jnz	short loc_625A0E
		xor	edx, edx
		mov	ecx, esi
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)
		lea	edi, [esi+10h]
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, byte ptr [ebp+var_112+1]

loc_6259F9:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+262j
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_625823
; 

loc_625A04:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+215j
					; MiMakeOutswappedPageResident(x,x,x,x,x)+21Dj
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		jmp	short loc_6259F9
; 

loc_625A0E:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+233j
		mov	al, [esi+16h]
		lea	edi, [esi+10h]
		inc	word ptr [esi+14h]
		and	al, 0FEh
		or	al, 6
		mov	[esi+16h], al
		mov	eax, [edi]
		and	eax, 0C0000001h
		or	eax, 1
		mov	[esi+10h], eax
		jmp	short loc_625A37
; 

loc_625A2E:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+22Aj
		inc	edx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		lea	edi, [esi+10h]

loc_625A37:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+282j
		mov	ecx, esi
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	esi, eax
		mov	[ebp+var_118], edx
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, byte ptr [ebp+var_112+1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_118]
		mov	eax, esi
		or	eax, ecx
		jz	loc_625F3D
		push	ecx
		push	esi
		jmp	loc_625F31
; 

loc_625A71:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+101j
		push	dword ptr [ebx+10h]
		lea	edx, [ebp+var_158]
		xor	ecx, ecx
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	eax, [ebp+var_158]
		xor	ecx, ecx
		inc	ecx
		lock xadd [eax], ecx
		inc	ecx
		mov	eax, [ebp+var_154]
		dec	ecx
		and	eax, ecx
		mov	ecx, offset _MiSystemPartition
		or	eax, [ebp+var_150]
		push	200h
		mov	edx, eax
		mov	[ebp+var_120], eax
		call	MiGetPage
		mov	esi, eax
		mov	[ebp+var_12C], esi
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_625AF5
		mov	edi, [ebp+var_120]

loc_625AC8:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+343j
		mov	esi, offset _MiSystemPartition
		mov	ecx, esi
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		push	200h
		mov	edx, edi
		mov	ecx, esi
		call	MiGetPage
		mov	esi, eax
		mov	[ebp+var_12C], eax
		cmp	esi, 0FFFFFFFFh
		jz	short loc_625AC8
		mov	edi, [ebp+var_118]

loc_625AF5:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+316j
		imul	eax, esi, 1Ch
		mov	edx, edi
		mov	ecx, esi
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_130], eax
		mov	eax, [ebp+var_124]
		shrd	edx, eax, 5
		and	edx, 1Fh
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		cmp	[ebp+var_11C], 0C0603018h
		mov	ecx, edx
		mov	[ebp+var_120], eax
		mov	[ebp+var_118], ecx
		jnz	short loc_625B50
		mov	edx, [ebp+var_128]
		mov	[edx+1A0h], eax
		nop
		mov	[edx+1A4h], ecx
		mov	eax, 0A00h
		mov	ecx, esi
		jmp	short loc_625B9B
; 

loc_625B50:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+388j
		mov	ecx, [ebp+var_138]
		lea	edx, [ebp+var_112]
		push	80000000h
		call	MiMapPageInHyperSpaceWorker
		add	eax, [ebp+var_13C]
		mov	ecx, [ebp+var_120]
		mov	[eax], ecx
		nop
		mov	ecx, [ebp+var_118]
		mov	dl, byte ptr [ebp+var_112]
		mov	[eax+4], ecx
		mov	ecx, eax
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	ecx, [ebp+var_138]
		mov	eax, 200h

loc_625B9B:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+3A4j
		mov	edx, [ebp+var_11C]
		push	eax
		push	ecx
		mov	ecx, esi
		call	MiInitializePfnForOtherProcess
		mov	ecx, [ebp+var_130]
		mov	eax, [ebp+var_124]
		add	ecx, 8
		mov	[ebp+var_118], ecx
		mov	[ecx+4], eax
		mov	[ecx], edi
		mov	ecx, [ebp+var_11C]
		shl	ecx, 9
		mov	eax, ecx
		and	eax, 0FFFh
		mov	[ebp+var_14C], eax
		add	eax, 1FFFh
		shr	eax, 0Ch
		and	ecx, 0FFFFF000h
		mov	[ebp+var_148], ecx
		lea	eax, ds:1Ch[eax*4]
		mov	[ebp+var_144], eax

loc_625BFB:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+6D6j
					; MiMakeOutswappedPageResident(x,x,x,x,x)+6EAj
		xor	edx, edx
		lea	ecx, [ebp+var_112+2] ; void *
		call	_MiInitializeInPageSupport@8 ; MiInitializeInPageSupport(x,x)
		mov	ecx, [ebp+var_118]
		push	dword ptr [ecx+4]
		push	dword ptr [ecx]
		mov	ecx, offset _MiSystemPartition
		call	_MiIsPteInStore@16 ; MiIsPteInStore(x,x,x,x)
		mov	ecx, [ebp+var_98]
		neg	eax
		sbb	eax, eax
		and	ecx, 0FFFFFEFFh
		and	eax, 100h
		or	eax, ecx
		mov	ecx, [ebp+var_118]
		or	eax, 200000h
		mov	[ebp+var_98], eax
		mov	edi, [ecx]
		mov	eax, [ecx+4]
		shrd	edi, eax, 0Ch
		and	edi, 0Fh
		mov	[ebp+var_124], edi
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	[ebp+var_98], 100h
		mov	edx, eax
		jnz	short loc_625C7B
		xor	ecx, ecx
		shld	ecx, edx, 0Ch
		shl	edx, 0Ch
		mov	[ebp+var_D4], ecx
		jmp	short loc_625C8F
; 

loc_625C7B:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+4BEj
		mov	eax, edi
		and	edx, 0FFFFFFFh
		shl	eax, 1Ch
		or	edx, eax
		and	[ebp+var_D4], 0

loc_625C8F:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+4CFj
		mov	ecx, [ebp+var_130]
		mov	[ebp+var_D8], edx
		mov	edx, 80000018h
		push	0
		call	_MiSetPageTablePfnBuddy@12 ; MiSetPageTablePfnBuddy(x,x,x)
		mov	eax, [ebp+var_144]
		mov	ecx, 1000h
		mov	[ebp+var_64], ax
		xor	edx, edx
		mov	eax, [ebp+var_148]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+var_14C]
		mov	[ebp+var_50], eax
		mov	eax, 4002h
		mov	[ebp+var_62], ax
		mov	eax, ds:dword_6D5D94[edi*4]
		mov	[ebp+var_54], ecx
		mov	[ebp+var_A0], ecx
		mov	ecx, 800h
		mov	[ebp+var_68], edx
		mov	[ebp+var_4C], esi
		mov	[ebp+var_140], eax
		test	[eax+74h], cx
		jnz	loc_625D8A
		test	[ebp+var_98], 100h
		jnz	short loc_625D2E
		mov	ecx, [eax+1Ch]
		lea	eax, [ebp+var_E0]
		push	edx
		push	edx
		push	eax
		lea	eax, [ebp+var_100]
		push	eax
		lea	eax, [ebp+var_D8]
		push	eax
		lea	edx, [ebp+var_68]
		call	IoPageReadEx
		jmp	short loc_625D68
; 

loc_625D2E:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+55Ej
		mov	[ebp+var_E0], edx
		lea	ecx, [ebp+var_D8]
		mov	[ebp+var_DC], edx
		mov	[ebp+var_120], edx
		lea	edx, [ebp+var_120]
		call	?SmKeyConvert@@YGJPAT_MM_STORE_KEY@@PAT_SM_PAGE_KEY@@@Z	; SmKeyConvert(_MM_STORE_KEY *,_SM_PAGE_KEY *)
		lea	eax, [ebp+var_E0]
		push	eax
		lea	eax, [ebp+var_100]
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		call	SMKM_STORE_MGR_SM_TRAITS___SmPageRead

loc_625D68:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+582j
		test	eax, eax
		jns	short loc_625D88
		mov	[ebp+var_E0], eax
		xor	eax, eax
		push	eax
		push	eax
		mov	[ebp+var_DC], eax
		lea	eax, [ebp+var_100]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_625D88:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+5C0j
		xor	edx, edx

loc_625D8A:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+54Ej
		push	edx
		push	edx
		push	edx
		push	9
		lea	eax, [ebp+var_100]
		push	eax
		call	KeWaitForSingleObject
		and	[ebp+var_134], 0
		mov	eax, [ebp+var_98]
		test	eax, 100h
		jz	short loc_625E0E
		lea	edx, [ebp+var_134]
		lea	ecx, [ebp+var_112+2]
		call	MiStoreFaultComplete
		mov	edi, [ebp+var_130]
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+var_134]
		mov	edx, ecx
		shr	edx, 10h
		mov	byte ptr [ebp+var_112+1], al
		test	edx, edx
		jz	short loc_625DF1
		dec	edx
		movzx	ecx, cx
		shl	edx, 10h
		or	edx, ecx
		mov	[ebp+var_134], edx

loc_625DF1:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+636j
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+var_112+1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_98]

loc_625E0E:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+603j
		mov	edi, [ebp+var_E0]
		test	edi, edi
		js	short loc_625E3F
		mov	ecx, [ebp+var_140]
		cmp	dword ptr [ecx+80h], 0
		jz	short loc_625E3F
		or	eax, 400000h
		lea	ecx, [ebp+var_112+2]
		mov	[ebp+var_98], eax
		call	MiValidatePagefilePageHash
		mov	edi, eax

loc_625E3F:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+66Cj
					; MiMakeOutswappedPageResident(x,x,x,x,x)+67Bj
		test	byte ptr [ebp+var_62], 1
		jz	short loc_625E51
		lea	eax, [ebp+var_68]
		push	eax
		push	[ebp+var_5C]
		call	MmUnmapLockedPages

loc_625E51:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+699j
		mov	ecx, [ebp+var_130]
		xor	edx, edx
		push	0
		call	_MiSetPageTablePfnBuddy@12 ; MiSetPageTablePfnBuddy(x,x,x)
		test	edi, edi
		jns	short loc_625EB6
		mov	edx, 1000h
		mov	ecx, edi
		call	_MiIsRetryIoStatus@8 ; MiIsRetryIoStatus(x,x)
		test	eax, eax
		jz	short loc_625E99
		mov	eax, [ebp+var_134]
		test	al, 1
		jz	short loc_625E86
		test	al, 2
		jz	loc_625BFB

loc_625E86:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+6D2j
		push	offset _MiHalfSecond
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_625BFB
; 

loc_625E99:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+6C8j
		xor	ecx, ecx
		inc	ecx
		call	_MiFlushAllFilesystemPages@4 ; MiFlushAllFilesystemPages(x)
		push	[ebp+var_D8]
		push	[ebp+var_124]
		push	edi
		push	edi

loc_625EAF:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+72Fj
		push	77h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_625EB6:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+6B8j
		cmp	[ebp+var_DC], 1000h
		jz	short loc_625EDB
		xor	ecx, ecx
		inc	ecx
		call	_MiFlushAllFilesystemPages@4 ; MiFlushAllFilesystemPages(x)
		push	[ebp+var_D8]
		push	[ebp+var_124]
		push	edi
		push	2
		jmp	short loc_625EAF
; 

loc_625EDB:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+716j
		mov	ecx, [ebp+var_130]
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	byte ptr [ebp+var_112+1], al
		mov	eax, [ebp+var_118]
		push	0
		push	80h
		mov	edi, [eax]
		mov	esi, [eax+4]
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebp+var_118]
		mov	[ecx], eax
		mov	eax, [ebp+var_130]
		mov	[ecx+4], edx
		mov	ecx, 7FFFFFFFh
		or	byte ptr [eax+16h], 10h
		add	eax, 10h
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+var_112+1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	esi
		push	edi

loc_625F31:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+2C2j
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_625F3D:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+2BAj
		mov	edx, [ebp+var_12C]
		mov	ecx, [ebp+var_11C]
		push	80000004h
		call	MiMakeValidPte
		cmp	[ebp+var_11C], 0C0603018h
		mov	edi, edx
		mov	esi, eax
		mov	[ebp+var_118], edi
		jnz	loc_626014
		mov	ecx, [ebp+var_128]
		mov	edx, esi
		and	[ebp+var_11C], 0
		add	ecx, 1A0h
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_625FDE
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_625FC6
		xor	eax, eax
		inc	eax
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	[ebp+var_11C], eax
		jnz	short loc_625FE4

loc_625FA6:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+832j
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		mov	eax, [ebp+var_11C]
		jz	short loc_625FE4
		mov	edi, [ebp+var_118]
		mov	edx, esi
		or	edi, 80000000h
		jmp	short loc_625FE4
; 

loc_625FC6:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+7E8j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_625FA6

loc_625FDE:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+7DFj
		mov	eax, [ebp+var_11C]

loc_625FE4:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+7FAj
					; MiMakeOutswappedPageResident(x,x,x,x,x)+80Aj	...
		mov	[ecx+4], edi
		nop
		mov	[ecx], edx
		test	eax, eax
		jz	short loc_625FF5
		push	edi
		push	edx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_625FF5:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+842j
		mov	edi, [ebp+var_118]

loc_625FFB:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+91Cj
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		pop	edi
		mov	eax, esi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
; 

loc_626014:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+7BDj
		mov	ecx, [ebp+var_138]
		lea	edx, [ebp+var_112]
		push	80000000h
		call	MiMapPageInHyperSpaceWorker
		and	[ebp+var_12C], 0
		mov	ecx, eax
		add	ecx, [ebp+var_13C]
		mov	edx, edi
		mov	[ebp+var_140], ecx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_626098
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_62607C
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	eax, esi
		mov	[ebp+var_12C], 1
		jnz	short loc_62609A

loc_626068:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+8ECj
		and	eax, 1
		or	eax, 0
		mov	eax, esi
		jz	short loc_62609A
		mov	edx, edi
		or	edx, 80000000h
		jmp	short loc_62609A
; 

loc_62607C:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+8A7j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, esi
		jz	short loc_62609A
		jmp	short loc_626068
; 

loc_626098:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+89Ej
		mov	eax, esi

loc_62609A:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+8BCj
					; MiMakeOutswappedPageResident(x,x,x,x,x)+8C6j	...
		mov	[ecx+4], edx
		nop
		cmp	[ebp+var_12C], 0
		mov	[ecx], eax
		jz	short loc_6260B6
		push	edx
		push	eax
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	ecx, [ebp+var_140]

loc_6260B6:				; CODE XREF: MiMakeOutswappedPageResident(x,x,x,x,x)+8FDj
		mov	dl, byte ptr [ebp+var_112]
		push	80000000h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		jmp	loc_625FFB
_MiMakeOutswappedPageResident@20 endp


;  S U B	R O U T	I N E 


; __stdcall MiProcessCommitIntact(x)
_MiProcessCommitIntact@4 proc near	; CODE XREF: MiProbeLeafPteAccess(x,x)+50Bp
					; MiSplitReducedCommitClonePage(x)+13p
		mov	eax, large fs:124h
		push	esi
		mov	esi, ecx
		mov	ecx, offset unk_6D3C54
		mov	edx, [eax+80h]
		mov	al, [edx+2A0h]
		and	al, 7
		cmp	al, 2
		jz	short loc_6260F1
		lea	ecx, [edx+2D4h]

loc_6260F1:				; CODE XREF: MiProcessCommitIntact(x)+1Ej
		mov	al, [edx+2A3h]
		and	al, 60h
		cmp	al, 60h
		jnz	short loc_626124
		cmp	dword ptr [ecx], 0
		jz	short loc_626124
		cmp	esi, ds:dword_6D07D0
		jnb	short loc_626124
		mov	ecx, esi
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		test	eax, eax
		jz	short loc_626120
		mov	ecx, eax
		call	_MiIsVadEligibleForCommitRelease@4 ; MiIsVadEligibleForCommitRelease(x)
		test	eax, eax
		jz	short loc_626124

loc_626120:				; CODE XREF: MiProcessCommitIntact(x)+48j
		xor	eax, eax
		pop	esi
		retn
; 

loc_626124:				; CODE XREF: MiProcessCommitIntact(x)+30j
					; MiProcessCommitIntact(x)+35j	...
		xor	eax, eax
		inc	eax
		pop	esi
		retn
_MiProcessCommitIntact@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReAcquireCommitFailWorker(x)
_MiReAcquireCommitFailWorker@4 proc near
					; DATA XREF: MiReAcquireOutSwappedProcessCommit(x)+113o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 0C000012Dh
		call	_PsTerminateProcess@8 ;	PsTerminateProcess(x,x)
		mov	ecx, [ebp+arg_0]
		call	_KeForceResumeProcess@4	; KeForceResumeProcess(x)
		mov	ecx, [ebp+arg_0]
		call	ObfDereferenceObject
		pop	ebp
		retn	4
_MiReAcquireCommitFailWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReAcquireOutSwappedProcessCommit(x)
_MiReAcquireOutSwappedProcessCommit@4 proc near	; CODE XREF: MmInSwapProcess+44p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		xor	edx, edx
		push	esi
		mov	edi, ecx
		call	KeForceAttachProcess
		lea	eax, [edi+240h]
		mov	ecx, offset unk_6D3C40
		mov	[ebp+var_18], eax
		lea	edx, [edi+2C0h]
		mov	al, [edi+2A0h]
		mov	ebx, ecx
		and	al, 7
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], ecx
		cmp	al, 2
		jz	short loc_626190
		mov	ebx, edx

loc_626190:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+3Dj
		mov	eax, large fs:124h
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_10], eax
		cmp	ds:dword_7051F0, ecx
		jnz	short loc_6261A9
		mov	[ebp+var_4], ecx
		jmp	short loc_6261CE
; 

loc_6261A9:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+53j
		test	byte ptr [edi+0FCh], 8
		jz	short loc_6261B9
		mov	eax, ecx
		mov	[ebp+var_4], esi
		jmp	short loc_6261E4
; 

loc_6261B9:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+61j
		mov	edx, [ebx+8]
		push	ecx
		mov	ecx, offset _MiSystemPartition
		call	MiChargeCommit
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_6261DF

loc_6261CE:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+58j
		mov	edx, [ebx+8]
		mov	ecx, edi
		push	esi
		push	esi
		call	_MiLogOutswappedProcessCommitReacquire@16 ; MiLogOutswappedProcessCommitReacquire(x,x,x,x)
		jmp	loc_62626E
; 

loc_6261DF:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+7Dj
		xor	ecx, ecx
		mov	eax, esi
		inc	ecx

loc_6261E4:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+68j
		mov	edx, [ebx+8]
		push	eax
		push	ecx
		mov	ecx, edi
		call	_MiLogOutswappedProcessCommitReacquire@16 ; MiLogOutswappedProcessCommitReacquire(x,x,x,x)
		mov	ecx, 100h
		lea	eax, [edi+3A8h]
		lock or	[eax], ecx
		mov	al, [edi+2A0h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_626215
		lea	eax, [edi+2C0h]

loc_626215:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+BEj
		push	eax
		mov	[ebp+var_8], eax
		call	ExAcquireSpinLockExclusive
		mov	edx, [ebp+var_8]
		lea	ecx, [edi+240h]
		mov	[edx+4], esi
		mov	dl, [edi+2A3h]
		or	dl, 60h
		mov	[edi+2A3h], dl
		mov	dl, al
		call	MiUnlockWorkingSetExclusive
		mov	ecx, [ebp+var_10]
		mov	edx, edi
		call	MiBeginProcessClean
		xor	dl, dl
		mov	ecx, edi
		call	KeFreezeProcess
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		mov	eax, [ebx+14h]
		mov	dword ptr [eax+8], offset _MiReAcquireCommitFailWorker@4 ; MiReAcquireCommitFailWorker(x)
		mov	[eax+0Ch], edi
		mov	[eax], esi

loc_62626E:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+8Bj
		mov	al, [edi+2A0h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_626281
		mov	eax, offset unk_6D3C40
		jmp	short loc_626287
; 

loc_626281:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+129j
		mov	eax, [ebp+var_14]
		mov	[ebp+var_C], eax

loc_626287:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+130j
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	ch, al
		mov	eax, [ebp+var_C]
		mov	[eax+4], esi
		movzx	edx, byte ptr [edi+2A3h]
		mov	cl, dl
		and	cl, 60h
		cmp	cl, 40h
		jnz	short loc_6262B2
		and	dl, 0BFh
		or	dl, 20h
		mov	[edi+2A3h], dl

loc_6262B2:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+155j
		mov	edi, [ebx+14h]
		cmp	[ebp+var_4], esi
		jz	short loc_6262C0
		mov	[ebx+8], esi
		mov	[ebx+14h], esi

loc_6262C0:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+169j
		mov	dl, ch
		mov	ecx, [ebp+var_18]
		call	MiUnlockWorkingSetExclusive
		xor	edx, edx
		xor	ecx, ecx
		call	_KeForceDetachProcess@8	; KeForceDetachProcess(x,x)
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_6262E2
		push	esi
		push	esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_6262E2:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+189j
		push	esi
		push	edi
		cmp	[ebp+var_4], esi
		jz	short loc_6262F0
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_6262FA
; 

loc_6262F0:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+198j
		call	ExQueueWorkItem
		mov	esi, 0C000012Dh

loc_6262FA:				; CODE XREF: MiReAcquireOutSwappedProcessCommit(x)+19Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_MiReAcquireOutSwappedProcessCommit@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReleaseCommitForResetPages(x)
_MiReleaseCommitForResetPages@4	proc near ; CODE XREF: MmOutSwapProcess+162533p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		push	esi
		push	edi
		mov	edi, ecx
		xor	edx, edx
		push	0
		mov	[ebp+var_1C], edi
		call	KeForceAttachProcess
		lea	eax, [edi+240h]
		mov	[ebp+var_38], eax
		mov	al, [edi+2A0h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_62634E
		mov	[ebp+var_28], offset unk_6D3C48
		mov	eax, offset unk_6D3C54
		jmp	short loc_62635D
; 

loc_62634E:				; CODE XREF: MiReleaseCommitForResetPages(x)+3Dj
		lea	eax, [edi+2C8h]
		mov	[ebp+var_28], eax
		lea	eax, [edi+2D4h]

loc_62635D:				; CODE XREF: MiReleaseCommitForResetPages(x)+4Bj
		mov	esi, large fs:124h
		mov	eax, [eax]
		mov	[ebp+var_C], esi
		mov	[ebp+var_34], eax
		test	byte ptr [eax+18h], 1
		jz	loc_626936
		dec	word ptr [esi+13Eh]
		nop
		add	edi, 134h
		xor	edx, edx
		mov	ecx, edi
		mov	[ebp+var_14], edi
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi+304h], 1
		nop
		mov	ecx, [ebp+var_1C]
		xor	edi, edi
		mov	[ebp+var_10], edi
		mov	eax, [ecx+350h]
		jmp	short loc_6263AF
; 

loc_6263A8:				; CODE XREF: MiReleaseCommitForResetPages(x)+B0j
		mov	edi, eax
		mov	[ebp+var_10], eax
		mov	eax, [eax]

loc_6263AF:				; CODE XREF: MiReleaseCommitForResetPages(x)+A5j
		test	eax, eax
		jnz	short loc_6263A8
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_18], eax
		test	edi, edi
		jz	loc_62678D

loc_6263C1:				; CODE XREF: MiReleaseCommitForResetPages(x)+483j
		dec	word ptr [esi+13Eh]
		nop
		lea	esi, [edi+18h]
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_8], esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_C]
		or	byte ptr [eax+304h], 80h
		nop
		mov	ecx, edi
		call	_MiIsVadEligibleForCommitRelease@4 ; MiIsVadEligibleForCommitRelease(x)
		test	eax, eax
		jnz	loc_626590
		mov	eax, [ebp+var_C]
		and	byte ptr [eax+304h], 7Fh
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_626410
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_626410:				; CODE XREF: MiReleaseCommitForResetPages(x)+106j
		xor	edi, edi
		mov	[ebp+var_20], edi
		test	esi, 7FFFFFFCh
		jz	loc_626739
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_30], esi
		cmp	eax, edx
		jb	short loc_626468
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_626453
		cmp	eax, edx
		jb	short loc_626468
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_626468

loc_626453:				; CODE XREF: MiReleaseCommitForResetPages(x)+143j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_8]
		jmp	short loc_62646E
; 

loc_626468:				; CODE XREF: MiReleaseCommitForResetPages(x)+13Aj
					; MiReleaseCommitForResetPages(x)+147j	...
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_24], ecx

loc_62646E:				; CODE XREF: MiReleaseCommitForResetPages(x)+165j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	dl
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_2C], ecx
		test	ecx, ecx
		jnz	short loc_6264BA
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_62652C

loc_6264A7:				; CODE XREF: MiReleaseCommitForResetPages(x)+345j
		push	0
		push	[ebp+var_24]
		push	[ebp+var_8]

loc_6264AF:				; CODE XREF: MiReleaseCommitForResetPages(x)+538j
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6264BA:				; CODE XREF: MiReleaseCommitForResetPages(x)+196j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_6264D0
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_2C]

loc_6264D0:				; CODE XREF: MiReleaseCommitForResetPages(x)+1C5j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_20], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_62651A
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_62652C
; 

loc_62651A:				; CODE XREF: MiReleaseCommitForResetPages(x)+205j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_30]

loc_62652C:				; CODE XREF: MiReleaseCommitForResetPages(x)+1A0j
					; MiReleaseCommitForResetPages(x)+217j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	loc_626721
		test	edi, 8000h
		jz	short loc_626554
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_626554:				; CODE XREF: MiReleaseCommitForResetPages(x)+248j
		test	byte ptr [ebp+var_20+2], 1
		jz	short loc_626564
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_626564:				; CODE XREF: MiReleaseCommitForResetPages(x)+257j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_626578
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_626578:				; CODE XREF: MiReleaseCommitForResetPages(x)+26Aj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_626721
		push	[ebp+var_30]
		jmp	loc_626717
; 

loc_626590:				; CODE XREF: MiReleaseCommitForResetPages(x)+EBj
		mov	ecx, edi
		call	_MiWalkResetCommitPages@4 ; MiWalkResetCommitPages(x)
		mov	eax, [ebp+var_C]
		and	byte ptr [eax+304h], 7Fh
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_6265B5
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_6265B5:				; CODE XREF: MiReleaseCommitForResetPages(x)+2ABj
		xor	edi, edi
		mov	[ebp+var_20], edi
		test	esi, 7FFFFFFCh
		jz	loc_626739
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_2C], esi
		cmp	eax, edx
		jb	short loc_62660D
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_6265F8
		cmp	eax, edx
		jb	short loc_62660D
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_62660D

loc_6265F8:				; CODE XREF: MiReleaseCommitForResetPages(x)+2E8j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_8]
		jmp	short loc_626613
; 

loc_62660D:				; CODE XREF: MiReleaseCommitForResetPages(x)+2DFj
					; MiReleaseCommitForResetPages(x)+2ECj	...
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_24], ecx

loc_626613:				; CODE XREF: MiReleaseCommitForResetPages(x)+30Aj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	dl
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_62664E
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jz	loc_6264A7
		jmp	short loc_6266C0
; 

loc_62664E:				; CODE XREF: MiReleaseCommitForResetPages(x)+33Bj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_626664
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_626664:				; CODE XREF: MiReleaseCommitForResetPages(x)+359j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_20], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_6266AE
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_6266C0
; 

loc_6266AE:				; CODE XREF: MiReleaseCommitForResetPages(x)+399j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_2C]

loc_6266C0:				; CODE XREF: MiReleaseCommitForResetPages(x)+34Bj
					; MiReleaseCommitForResetPages(x)+3ABj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	short loc_626721
		test	edi, 8000h
		jz	short loc_6266E4
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6266E4:				; CODE XREF: MiReleaseCommitForResetPages(x)+3D8j
		test	byte ptr [ebp+var_20+2], 1
		jz	short loc_6266F4
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6266F4:				; CODE XREF: MiReleaseCommitForResetPages(x)+3E7j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_626708
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_626708:				; CODE XREF: MiReleaseCommitForResetPages(x)+3FAj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_626721
		push	[ebp+var_30]

loc_626717:				; CODE XREF: MiReleaseCommitForResetPages(x)+28Aj
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_626721:				; CODE XREF: MiReleaseCommitForResetPages(x)+23Cj
					; MiReleaseCommitForResetPages(x)+281j	...
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_626739
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_626739
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_626739:				; CODE XREF: MiReleaseCommitForResetPages(x)+11Aj
					; MiReleaseCommitForResetPages(x)+2BFj	...
		mov	esi, [ebp+var_C]
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp+var_10]
		mov	ecx, edi
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_626766
		mov	edi, eax
		mov	ecx, [edi]
		test	ecx, ecx
		jmp	short loc_62675F
; 

loc_626757:				; CODE XREF: MiReleaseCommitForResetPages(x)+461j
		mov	eax, [ecx]
		mov	edi, ecx
		mov	ecx, eax
		test	eax, eax

loc_62675F:				; CODE XREF: MiReleaseCommitForResetPages(x)+454j
		mov	[ebp+var_10], edi
		jnz	short loc_626757
		jmp	short loc_626782
; 

loc_626766:				; CODE XREF: MiReleaseCommitForResetPages(x)+44Cj
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		mov	[ebp+var_10], edi
		jz	short loc_626782

loc_626771:				; CODE XREF: MiReleaseCommitForResetPages(x)+47Cj
		cmp	[edi], ecx
		jz	short loc_62677F
		mov	ecx, edi
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		jnz	short loc_626771

loc_62677F:				; CODE XREF: MiReleaseCommitForResetPages(x)+472j
		mov	[ebp+var_10], edi

loc_626782:				; CODE XREF: MiReleaseCommitForResetPages(x)+463j
					; MiReleaseCommitForResetPages(x)+46Ej
		test	edi, edi
		jnz	loc_6263C1
		or	eax, 0FFFFFFFFh

loc_62678D:				; CODE XREF: MiReleaseCommitForResetPages(x)+BAj
		and	byte ptr [esi+304h], 0FEh
		mov	edx, [ebp+var_14]
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_6267AB
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_14]

loc_6267AB:				; CODE XREF: MiReleaseCommitForResetPages(x)+49Ej
		xor	edi, edi
		mov	[ebp+var_24], edi
		test	edx, 7FFFFFFCh
		jz	loc_62692C
		mov	esi, large fs:124h
		mov	eax, edx
		mov	ecx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_2C], esi
		cmp	edx, ecx
		jb	short loc_6267FC
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_6267EB
		cmp	edx, ecx
		jb	short loc_6267FC
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_6267FC

loc_6267EB:				; CODE XREF: MiReleaseCommitForResetPages(x)+4DBj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, [ebp+var_14]
		mov	[ebp+var_18], eax

loc_6267FC:				; CODE XREF: MiReleaseCommitForResetPages(x)+4D2j
					; MiReleaseCommitForResetPages(x)+4DFj	...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	[ebp+var_18]
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_62683E
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_6268B0
		mov	edi, [ebp+var_14]
		push	ecx
		push	[ebp+var_18]
		push	edi
		jmp	loc_6264AF
; 

loc_62683E:				; CODE XREF: MiReleaseCommitForResetPages(x)+524j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_626854
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_626854:				; CODE XREF: MiReleaseCommitForResetPages(x)+549j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_24], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_62689E
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_6268B0
; 

loc_62689E:				; CODE XREF: MiReleaseCommitForResetPages(x)+589j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_2C]

loc_6268B0:				; CODE XREF: MiReleaseCommitForResetPages(x)+52Ej
					; MiReleaseCommitForResetPages(x)+59Bj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	short loc_626911
		test	edi, 8000h
		jz	short loc_6268D4
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6268D4:				; CODE XREF: MiReleaseCommitForResetPages(x)+5C8j
		test	byte ptr [ebp+var_24+2], 1
		jz	short loc_6268E4
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6268E4:				; CODE XREF: MiReleaseCommitForResetPages(x)+5D7j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_6268F8
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_6268F8:				; CODE XREF: MiReleaseCommitForResetPages(x)+5EAj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_626911
		push	[ebp+var_30]
		mov	edx, [ebp+var_14]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_626911:				; CODE XREF: MiReleaseCommitForResetPages(x)+5C0j
					; MiReleaseCommitForResetPages(x)+601j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_626929
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_626929
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_626929:				; CODE XREF: MiReleaseCommitForResetPages(x)+619j
					; MiReleaseCommitForResetPages(x)+621j
		mov	esi, [ebp+var_C]

loc_62692C:				; CODE XREF: MiReleaseCommitForResetPages(x)+4B5j
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp+var_1C]

loc_626936:				; CODE XREF: MiReleaseCommitForResetPages(x)+6Fj
		xor	esi, esi
		lea	eax, [edi+2CCh]
		xchg	esi, [eax]
		test	esi, esi
		jz	short loc_626950
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit

loc_626950:				; CODE XREF: MiReleaseCommitForResetPages(x)+641j
		mov	al, [edi+2A0h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_626963
		mov	edi, offset unk_6D3C40
		jmp	short loc_626969
; 

loc_626963:				; CODE XREF: MiReleaseCommitForResetPages(x)+659j
		add	edi, 2C0h

loc_626969:				; CODE XREF: MiReleaseCommitForResetPages(x)+660j
		push	edi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [edi+4], 0
		mov	dl, al
		mov	eax, [ebp+var_34]
		mov	edi, [eax+14h]
		and	dword ptr [eax+14h], 0
		mov	ecx, [eax+10h]
		cmp	ecx, esi
		jbe	short loc_62698A
		sub	ecx, esi
		jmp	short loc_62698C
; 

loc_62698A:				; CODE XREF: MiReleaseCommitForResetPages(x)+683j
		xor	ecx, ecx

loc_62698C:				; CODE XREF: MiReleaseCommitForResetPages(x)+687j
		mov	[eax+10h], ecx
		mov	ecx, [ebp+var_28]
		add	[ecx], esi
		mov	ecx, [ebp+var_38]
		call	MiUnlockWorkingSetExclusive
		mov	ecx, [ebp+var_1C]
		mov	edx, esi
		call	_MiLogResetPagesCommitRelease@8	; MiLogResetPagesCommitRelease(x,x)
		xor	edx, edx
		xor	ecx, ecx
		call	_KeForceDetachProcess@8	; KeForceDetachProcess(x,x)
		push	0
		push	0
		push	edi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_MiReleaseCommitForResetPages@4	endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReleaseOutSwappedProcessCommit(x)
_MiReleaseOutSwappedProcessCommit@4 proc near ;	CODE XREF: MmOutSwapProcess+6Ep

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 50h
		and	[ebp+var_30], 0
		xor	edx, edx
		push	esi
		push	edi
		mov	esi, ecx
		push	0
		mov	[ebp+var_14], esi
		call	KeForceAttachProcess
		lea	edi, [esi+240h]
		mov	ecx, offset unk_6D3C40
		mov	al, [edi+60h]
		lea	edx, [edi+80h]
		and	al, 7
		mov	[ebp+var_24], edi
		mov	[ebp+var_50], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_40], ecx
		cmp	al, 2
		jz	short loc_626A19
		mov	[ebp+var_40], edx

loc_626A19:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+52j
		mov	eax, large fs:124h
		mov	edx, 7243694Dh
		push	0
		push	40h
		push	1Ch
		pop	ecx
		mov	[ebp+var_8], eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jz	loc_62718B
		mov	cl, [edi+60h]
		mov	esi, offset unk_6D3C40
		and	cl, 7
		cmp	cl, 2
		jz	short loc_626A56
		lea	esi, [edi+80h]

loc_626A56:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+8Cj
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		mov	dl, al
		mov	cl, [edi+63h]
		or	cl, 60h
		mov	[edi+63h], cl
		mov	ecx, edi
		call	MiUnlockWorkingSetExclusive
		xor	eax, eax
		inc	eax
		mov	[ebp+var_18], eax
		cmp	ds:dword_7051F0, eax
		jnz	short loc_626A87
		xor	esi, esi
		jmp	loc_62711A
; 

loc_626A87:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+BCj
		and	[ebp+var_2C], 0
		and	[ebp+var_20], 0
		mov	eax, ds:dword_6D5100
		mov	edi, [ebp+var_14]
		test	eax, eax
		jz	short loc_626AAD
		mov	ecx, edi
		call	_SmStoreExistsForProcess@4 ; SmStoreExistsForProcess(x)
		test	eax, eax
		jz	short loc_626AAD
		mov	[ebp+var_2C], 1

loc_626AAD:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+D7j
					; MiReleaseOutSwappedProcessCommit(x)+E2j
		mov	esi, [ebp+var_8]
		dec	word ptr [esi+13Eh]
		nop
		lea	eax, [edi+134h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_18], eax
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi+304h], 1
		nop
		mov	eax, [ebp+var_14]
		xor	edi, edi
		mov	[ebp+var_10], edi
		mov	eax, [eax+350h]
		jmp	short loc_626AE9
; 

loc_626AE2:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+129j
		mov	edi, eax
		mov	[ebp+var_10], eax
		mov	eax, [eax]

loc_626AE9:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+11Ej
		test	eax, eax
		jnz	short loc_626AE2
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_28], eax
		test	edi, edi
		jz	loc_626F0F

loc_626AFB:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+544j
		dec	word ptr [esi+13Eh]
		nop
		lea	esi, [edi+18h]
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_C], esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_8]
		or	byte ptr [eax+304h], 80h
		nop
		mov	ecx, edi
		call	_MiIsVadEligibleForCommitRelease@4 ; MiIsVadEligibleForCommitRelease(x)
		test	eax, eax
		jnz	loc_626CEF
		mov	eax, [ebp+var_8]
		and	byte ptr [eax+304h], 7Fh
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_626B4A
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_626B4A:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+17Fj
		xor	edi, edi
		mov	[ebp+var_34], edi
		test	esi, 7FFFFFFCh
		jz	loc_626CE0
		mov	eax, [ebp+var_C]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_48], esi
		cmp	eax, edx
		jb	short loc_626BA2
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_626B8D
		cmp	eax, edx
		jb	short loc_626BA2
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_626BA2

loc_626B8D:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+1BCj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_C]
		jmp	short loc_626BA8
; 

loc_626BA2:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+1B3j
					; MiReleaseOutSwappedProcessCommit(x)+1C0j ...
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_38], ecx

loc_626BA8:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+1DEj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	dl
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_44], ecx
		test	ecx, ecx
		jnz	short loc_626BF4
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_626C66

loc_626BE1:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+3FCj
		push	0
		push	[ebp+var_38]
		push	[ebp+var_C]

loc_626BE9:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+5F9j
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_626BF4:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+20Fj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_626C0A
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_44]

loc_626C0A:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+23Ej
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_34], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		mov	edx, eax
		xor	eax, eax
		inc	eax
		cmp	byte ptr [ebp+var_4+3],	al
		jnz	short loc_626C56
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_626C66
; 

loc_626C56:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+280j
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_48]

loc_626C66:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+219j
					; MiReleaseOutSwappedProcessCommit(x)+292j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_48], eax
		jz	short loc_626CC8
		test	edi, 8000h
		jz	short loc_626C8A
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_626C8A:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+2BDj
		xor	eax, eax
		inc	eax
		test	byte ptr [ebp+var_34+2], al
		jz	short loc_626C9B
		mov	edx, eax
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_626C9B:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+2CEj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_626CAF
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_626CAF:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+2E0j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_626CC8
		push	[ebp+var_48]
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_626CC8:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+2B5j
					; MiReleaseOutSwappedProcessCommit(x)+2F7j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_626CE0
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_626CE0
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_626CE0:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+193j
					; MiReleaseOutSwappedProcessCommit(x)+30Fj ...
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_626EC5
; 

loc_626CEF:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+164j
		mov	eax, [ebp+var_1C]
		mov	ecx, offset _MiSystemPartition
		mov	edx, [ebp+var_14]
		add	eax, 10h
		push	eax
		push	[ebp+var_2C]
		push	edi
		push	[ebp+var_24]
		call	_MiCheckCommitReleaseFromVad@24	; MiCheckCommitReleaseFromVad(x,x,x,x,x,x)
		mov	[ebp+var_4C], eax
		or	ecx, 0FFFFFFFFh
		mov	eax, [ebp+var_8]
		and	byte ptr [eax+304h], 7Fh
		lock xadd [esi], ecx
		and	cl, 6
		cmp	cl, 2
		jnz	short loc_626D2D
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_626D2D:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+362j
		xor	edi, edi
		mov	[ebp+var_34], edi
		test	esi, 7FFFFFFCh
		jz	loc_626EB2
		mov	eax, [ebp+var_C]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_44], esi
		cmp	eax, edx
		jb	short loc_626D85
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_626D70
		cmp	eax, edx
		jb	short loc_626D85
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_626D85

loc_626D70:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+39Fj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_C]
		jmp	short loc_626D8B
; 

loc_626D85:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+396j
					; MiReleaseOutSwappedProcessCommit(x)+3A3j ...
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_38], ecx

loc_626D8B:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+3C1j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	dl
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_48], ecx
		test	ecx, ecx
		jnz	short loc_626DC6
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jz	loc_626BE1
		jmp	short loc_626E38
; 

loc_626DC6:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+3F2j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_626DDC
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_48]

loc_626DDC:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+410j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_34], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		mov	edx, eax
		xor	eax, eax
		inc	eax
		cmp	byte ptr [ebp+var_4+3],	al
		jnz	short loc_626E28
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_626E38
; 

loc_626E28:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+452j
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_44]

loc_626E38:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+402j
					; MiReleaseOutSwappedProcessCommit(x)+464j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_48], eax
		jz	short loc_626E9A
		test	edi, 8000h
		jz	short loc_626E5C
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_626E5C:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+48Fj
		xor	eax, eax
		inc	eax
		test	byte ptr [ebp+var_34+2], al
		jz	short loc_626E6D
		mov	edx, eax
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_626E6D:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+4A0j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_626E81
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_626E81:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+4B2j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_626E9A
		push	[ebp+var_48]
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_626E9A:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+487j
					; MiReleaseOutSwappedProcessCommit(x)+4C9j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_626EB2
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_626EB2
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_626EB2:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+376j
					; MiReleaseOutSwappedProcessCommit(x)+4E1j ...
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_20]
		add	eax, [ebp+var_4C]
		mov	[ebp+var_20], eax

loc_626EC5:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+328j
		mov	edi, [ebp+var_10]
		mov	ecx, edi
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_626EE8
		mov	edi, eax
		mov	ecx, [edi]
		test	ecx, ecx
		jmp	short loc_626EE1
; 

loc_626ED9:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+522j
		mov	eax, [ecx]
		mov	edi, ecx
		mov	ecx, eax
		test	eax, eax

loc_626EE1:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+515j
		mov	[ebp+var_10], edi
		jnz	short loc_626ED9
		jmp	short loc_626F04
; 

loc_626EE8:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+50Dj
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		mov	[ebp+var_10], edi
		jz	short loc_626F04

loc_626EF3:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+53Dj
		cmp	[edi], ecx
		jz	short loc_626F01
		mov	ecx, edi
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		jnz	short loc_626EF3

loc_626F01:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+533j
		mov	[ebp+var_10], edi

loc_626F04:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+524j
					; MiReleaseOutSwappedProcessCommit(x)+52Fj
		test	edi, edi
		jnz	loc_626AFB
		or	eax, 0FFFFFFFFh

loc_626F0F:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+133j
		and	byte ptr [esi+304h], 0FEh
		mov	edx, [ebp+var_18]
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_626F2D
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_18]

loc_626F2D:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+55Fj
		xor	edi, edi
		mov	[ebp+var_38], edi
		test	edx, 7FFFFFFCh
		jz	loc_6270AF
		mov	esi, large fs:124h
		mov	eax, edx
		mov	ecx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_48], esi
		cmp	edx, ecx
		jb	short loc_626F7E
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_626F6D
		cmp	edx, ecx
		jb	short loc_626F7E
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_626F7E

loc_626F6D:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+59Cj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, [ebp+var_18]
		mov	[ebp+var_28], eax

loc_626F7E:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+593j
					; MiReleaseOutSwappedProcessCommit(x)+5A0j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	[ebp+var_28]
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_4C], ecx
		test	ecx, ecx
		jnz	short loc_626FC0
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_627032
		mov	eax, [ebp+var_18]
		push	ecx
		push	[ebp+var_28]
		push	eax
		jmp	loc_626BE9
; 

loc_626FC0:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+5E5j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_626FD6
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_4C]

loc_626FD6:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+60Aj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_38], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		mov	edx, eax
		xor	eax, eax
		inc	eax
		cmp	byte ptr [ebp+var_4+3],	al
		jnz	short loc_627022
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_627032
; 

loc_627022:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+64Cj
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_48]

loc_627032:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+5EFj
					; MiReleaseOutSwappedProcessCommit(x)+65Ej
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_4C], eax
		jz	short loc_627094
		test	edi, 8000h
		jz	short loc_627056
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_627056:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+689j
		xor	eax, eax
		inc	eax
		test	byte ptr [ebp+var_38+2], al
		jz	short loc_627067
		mov	edx, eax
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_627067:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+69Aj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_62707B
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_62707B:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+6ACj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_627094
		push	[ebp+var_4C]
		mov	edx, [ebp+var_18]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_627094:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+681j
					; MiReleaseOutSwappedProcessCommit(x)+6C3j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_6270AC
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_6270AC
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_6270AC:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+6DBj
					; MiReleaseOutSwappedProcessCommit(x)+6E3j
		mov	esi, [ebp+var_8]

loc_6270AF:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+576j
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [ebp+var_14]
		xor	ecx, ecx
		lea	eax, [edi+2CCh]
		xchg	ecx, [eax]
		cmp	[ebp+var_2C], 0
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_20]
		mov	[ebp+var_18], ecx
		mov	esi, [eax+10h]
		jz	short loc_627107
		lea	edx, [ebp+var_30]
		mov	ecx, edi
		call	_SmQueryStoreCommitUsage@8 ; SmQueryStoreCommitUsage(x,x)
		mov	ecx, [ebp+var_30]
		mov	eax, ecx
		and	eax, 0FFFh
		neg	eax
		sbb	eax, eax
		shr	ecx, 0Ch
		neg	eax
		add	eax, ecx
		mov	ecx, [ebp+var_20]
		mov	[ebp+var_30], eax
		cmp	ecx, eax
		jbe	short loc_627102
		sub	ecx, eax
		jmp	short loc_627104
; 

loc_627102:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+73Aj
		xor	ecx, ecx

loc_627104:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+73Ej
		mov	[ebp+var_18], ecx

loc_627107:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+711j
		test	ecx, ecx
		jz	short loc_627117
		mov	edx, ecx
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit

loc_627117:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+747j
		mov	edi, [ebp+var_24]

loc_62711A:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+C0j
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_62712A
		mov	eax, offset unk_6D3C40
		jmp	short loc_627130
; 

loc_62712A:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+75Fj
		mov	eax, [ebp+var_50]
		mov	[ebp+var_3C], eax

loc_627130:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+766j
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_3C]
		mov	ah, al
		and	dword ptr [ecx+4], 0
		mov	ecx, [ebp+var_18]
		mov	edx, [edi+60h]
		mov	[ebp+var_50], edx
		test	ecx, ecx
		jnz	short loc_627154
		shr	edx, 18h
		and	dl, 9Fh
		jmp	short loc_627170
; 

loc_627154:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+788j
		mov	edi, [ebp+var_40]
		mov	al, byte ptr [ebp+var_50+3]
		and	al, 0DFh
		or	al, 40h
		mov	[edi+8], ecx
		mov	dl, al
		mov	ecx, [ebp+var_1C]
		and	[ebp+var_1C], 0
		mov	[edi+14h], ecx
		mov	edi, [ebp+var_24]

loc_627170:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+790j
		mov	[edi+63h], dl
		mov	ecx, edi
		mov	dl, ah
		call	MiUnlockWorkingSetExclusive
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_14]
		push	esi
		call	_MiLogOutswappedProcessCommitRelease@12	; MiLogOutswappedProcessCommitRelease(x,x,x)
		mov	esi, [ebp+var_1C]

loc_62718B:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+78j
		xor	edx, edx
		xor	ecx, ecx
		call	_KeForceDetachProcess@8	; KeForceDetachProcess(x,x)
		test	esi, esi
		jz	short loc_6271A0
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6271A0:				; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+7D4j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_MiReleaseOutSwappedProcessCommit@4 endp ; sp =	 4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWalkResetCommitPages(x)
_MiWalkResetCommitPages@4 proc near	; CODE XREF: MiReleaseCommitForResetPages(x)+291p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_52		= byte ptr -52h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_5C], 0
		lea	eax, [ebp+var_58]
		push	esi
		push	edi
		push	4Ch		; size_t
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		mov	esi, [eax+80h]
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_10], eax
		add	esi, 240h
		push	7
		pop	eax
		mov	word ptr [ebp+var_58], ax
		mov	ecx, esi
		mov	eax, [edi+0Ch]
		shl	eax, 0Ch
		mov	[ebp+var_44], eax
		mov	eax, [edi+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		mov	[ebp+var_18], offset _MiWalkResetCommitPte@12 ;	MiWalkResetCommitPte(x,x,x)
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], eax
		call	MiLockWorkingSetShared
		lea	ecx, [ebp+var_58]
		mov	[ebp+var_52], al
		call	MiWalkPageTables
		mov	dl, [ebp+var_52]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_5C]
		xor	ecx, ebp
		pop	edi
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiWalkResetCommitPages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWalkResetCommitPte(x, x, x)
_MiWalkResetCommitPte@12 proc near	; DATA XREF: MiWalkResetCommitPages(x)+5Fo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		cmp	[ebp+arg_8], 0
		push	esi
		push	edi
		jnz	short loc_6272BC
		mov	ecx, [ebp+arg_4]
		mov	edx, [ecx]
		nop
		mov	eax, edx
		xor	edi, edi
		and	eax, 401h
		or	eax, edi
		jnz	short loc_6272BC
		and	edx, 800h
		or	edx, edi
		jz	short loc_6272BC
		xor	edx, edx
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_6272BC
		test	byte ptr [esi+16h], 10h
		jnz	short loc_6272B1
		mov	edx, [esi+8]
		mov	ecx, [esi+0Ch]
		shrd	edx, ecx, 2
		test	dl, 1
		jnz	short loc_6272B1
		cmp	[esi+14h], di
		jnz	short loc_6272B1
		xor	edx, edx
		mov	ecx, esi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		xor	edx, edx
		mov	ecx, esi
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+48h]
		inc	dword ptr [eax]

loc_6272B1:				; CODE XREF: MiWalkResetCommitPte(x,x,x)+40j
					; MiWalkResetCommitPte(x,x,x)+4Fj ...
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx

loc_6272BC:				; CODE XREF: MiWalkResetCommitPte(x,x,x)+10j
					; MiWalkResetCommitPte(x,x,x)+23j ...
		pop	edi
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MiWalkResetCommitPte@12 endp


;  S U B	R O U T	I N E 


; __stdcall MmEnableProcessSvm()
_MmEnableProcessSvm@0 proc near		; CODE XREF: ExShareAddressSpaceWithDevice(x,x):loc_68B57Cp
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, offset unk_6D3C40
		mov	esi, [eax+80h]
		mov	al, [esi+2A0h]
		and	al, 7
		cmp	al, 2
		jz	short loc_6272EB
		lea	edi, [esi+2C0h]

loc_6272EB:				; CODE XREF: MmEnableProcessSvm()+1Dj
		push	edi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [edi+4], 0
		lea	ecx, [esi+240h]
		mov	dl, [esi+2A3h]
		or	dl, 2
		mov	[esi+2A3h], dl
		mov	dl, al
		pop	edi
		pop	esi
		jmp	MiUnlockWorkingSetExclusive
_MmEnableProcessSvm@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmReleaseCommitForMemResetPages(x, x)
_MmReleaseCommitForMemResetPages@8 proc	near ; CODE XREF: PAGE:007AA467p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= byte ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+58h+var_30], edx
		push	6
		mov	ebx, ecx
		lea	edi, [esp+5Ch+var_1C]
		pop	ecx
		rep stosd
		lea	edi, [esp+58h+var_4C]
		mov	[esp+58h+var_38], ebx
		stosd
		xor	esi, esi
		push	esi
		push	esi
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+60h+var_2C]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+60h+var_2C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	edi, [ebx+240h]
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		jnz	short loc_627379
		mov	[esp+58h+var_3C], offset unk_6D3C54
		jmp	short loc_627383
; 

loc_627379:				; CODE XREF: MmReleaseCommitForMemResetPages(x,x)+5Aj
		lea	eax, [edi+94h]
		mov	[esp+58h+var_3C], eax

loc_627383:				; CODE XREF: MmReleaseCommitForMemResetPages(x,x)+64j
		mov	al, [edi+63h]
		and	al, 60h
		cmp	al, 40h
		jz	short loc_627396
		mov	esi, 0C0000189h
		jmp	loc_6274E4
; 

loc_627396:				; CODE XREF: MmReleaseCommitForMemResetPages(x,x)+77j
		lea	edx, [esp+58h+var_4C]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, edi
		mov	ecx, ebx
		call	_MiPrepareAttachThread@8 ; MiPrepareAttachThread(x,x)
		test	ds:byte_70EFC6,	1
		mov	ebx, eax
		mov	[esp+58h+var_34], ebx
		jz	short loc_6273CA
		mov	edx, [ebp+4]
		lea	ecx, [esp+58h+var_4C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6273FA
; 

loc_6273CA:				; CODE XREF: MmReleaseCommitForMemResetPages(x,x)+A7j
		mov	eax, [esp+58h+var_4C]
		test	eax, eax
		jnz	short loc_6273ED
		mov	edx, [esp+58h+var_48]
		lea	eax, [esp+58h+var_4C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+58h+var_4C]
		cmp	eax, ecx
		jz	short loc_6273FA
		call	KxWaitForLockChainValid

loc_6273ED:				; CODE XREF: MmReleaseCommitForMemResetPages(x,x)+BDj
		xor	ecx, ecx
		mov	[esp+58h+var_4C], esi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_6273FA:				; CODE XREF: MmReleaseCommitForMemResetPages(x,x)+B5j
					; MmReleaseCommitForMemResetPages(x,x)+D3j
		mov	cl, [esp+58h+var_44]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jnz	short loc_627412
		mov	esi, 0C000A003h
		jmp	loc_6274E4
; 

loc_627412:				; CODE XREF: MmReleaseCommitForMemResetPages(x,x)+F3j
		mov	ecx, [esp+58h+var_38]
		lea	edx, [esp+58h+var_1C]
		push	esi
		call	KeForceAttachProcess
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_627434
		lea	eax, [edi+80h]

loc_627434:				; CODE XREF: MmReleaseCommitForMemResetPages(x,x)+119j
		push	eax
		mov	[esp+5Ch+var_40], eax
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		mov	eax, [esp+58h+var_40]
		mov	[eax+4], esi
		mov	al, [edi+63h]
		and	al, 60h
		cmp	al, 40h
		jz	short loc_627457
		mov	esi, 0C0000189h
		jmp	short loc_6274BD
; 

loc_627457:				; CODE XREF: MmReleaseCommitForMemResetPages(x,x)+13Bj
		mov	ecx, [esp+58h+var_3C]
		mov	ecx, [ecx]
		cmp	[ecx+14h], esi
		jz	short loc_627469
		mov	esi, 0C0000476h
		jmp	short loc_6274BD
; 

loc_627469:				; CODE XREF: MmReleaseCommitForMemResetPages(x,x)+14Dj
		xor	edx, edx
		lea	eax, [esp+58h+var_2C]
		cmp	[esp+58h+var_30], edx
		mov	[ecx+14h], eax
		mov	eax, [ecx+18h]
		setnz	dl
		and	eax, 0FFFFFFFEh
		or	edx, eax
		mov	[ecx+18h], edx
		mov	dl, bl
		mov	ecx, edi
		call	MiUnlockWorkingSetExclusive
		mov	ecx, [esp+58h+var_38]
		mov	bl, 21h
		call	_KeRetryOutswapProcess@4 ; KeRetryOutswapProcess(x)
		xor	edx, edx
		lea	ecx, [esp+58h+var_1C]
		call	_KeForceDetachProcess@8	; KeForceDetachProcess(x,x)
		mov	ecx, edi
		call	MiAttachThreadDone
		push	esi
		push	esi
		push	esi
		push	1Ah
		lea	eax, [esp+68h+var_2C]
		mov	[esp+68h+var_34], esi
		push	eax
		call	KeWaitForSingleObject

loc_6274BD:				; CODE XREF: MmReleaseCommitForMemResetPages(x,x)+142j
					; MmReleaseCommitForMemResetPages(x,x)+154j
		cmp	bl, 21h
		jz	short loc_6274CB
		mov	dl, bl
		mov	ecx, edi
		call	MiUnlockWorkingSetExclusive

loc_6274CB:				; CODE XREF: MmReleaseCommitForMemResetPages(x,x)+1ADj
		cmp	[esp+58h+var_34], 0
		jz	short loc_6274E4
		xor	edx, edx
		lea	ecx, [esp+58h+var_1C]
		call	_KeForceDetachProcess@8	; KeForceDetachProcess(x,x)
		mov	ecx, edi
		call	MiAttachThreadDone

loc_6274E4:				; CODE XREF: MmReleaseCommitForMemResetPages(x,x)+7Ej
					; MmReleaseCommitForMemResetPages(x,x)+FAj ...
		mov	ecx, [esp+58h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_MmReleaseCommitForMemResetPages@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmSetCommitReleaseEligibility(x, x)
_MmSetCommitReleaseEligibility@8 proc near ; CODE XREF:	PAGE:007AA44Fp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[esp+38h+var_20], edx
		push	6
		xor	eax, eax
		lea	edi, [esp+3Ch+var_1C]
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		xor	edi, edi
		mov	[esp+38h+var_24], edi
		cmp	[eax+80h], ebx
		jz	short loc_62754C
		lea	eax, [esp+38h+var_1C]
		mov	[esp+38h+var_24], 1
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	KiStackAttachProcess

loc_62754C:				; CODE XREF: MmSetCommitReleaseEligibility(x,x)+3Cj
		lea	esi, [ebx+240h]
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_627566
		lea	eax, [esi+80h]

loc_627566:				; CODE XREF: MmSetCommitReleaseEligibility(x,x)+66j
		push	eax
		mov	[esp+3Ch+var_28], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [esp+38h+var_28]
		mov	[ecx+4], edi
		test	byte ptr [ebx+0FCh], 20h
		mov	ecx, [esi+60h]
		mov	[esp+38h+var_28], ecx
		jz	short loc_62758E
		mov	edi, 0C000010Ah
		jmp	short loc_6275A9
; 

loc_62758E:				; CODE XREF: MmSetCommitReleaseEligibility(x,x)+8Dj
		cmp	[esp+38h+var_20], edi
		jz	short loc_62759F
		shr	ecx, 18h
		and	cl, 0BFh
		or	cl, 20h
		jmp	short loc_6275A6
; 

loc_62759F:				; CODE XREF: MmSetCommitReleaseEligibility(x,x)+9Aj
		mov	cl, byte ptr [esp+38h+var_28+3]
		and	cl, 9Fh

loc_6275A6:				; CODE XREF: MmSetCommitReleaseEligibility(x,x)+A5j
		mov	[esi+63h], cl

loc_6275A9:				; CODE XREF: MmSetCommitReleaseEligibility(x,x)+94j
		mov	dl, al
		mov	ecx, esi
		call	MiUnlockWorkingSetExclusive
		cmp	[esp+38h+var_24], 0
		jz	short loc_6275C4
		xor	edx, edx
		lea	ecx, [esp+38h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_6275C4:				; CODE XREF: MmSetCommitReleaseEligibility(x,x)+BFj
		mov	ecx, [esp+38h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_MmSetCommitReleaseEligibility@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiExceptionForMappedVa(x)
_MiExceptionForMappedVa@4 proc near	; CODE XREF: .text:loc_449461p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		mov	[ebp+var_8], ecx
		mov	ebx, offset unk_6CF5A4
		push	esi
		mov	eax, [eax+80h]
		xor	ecx, ecx
		push	edi
		inc	ecx
		mov	[ebp+var_C], eax
		xor	esi, esi
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)

loc_627604:				; CODE XREF: MiExceptionForMappedVa(x)+97j
		mov	edi, eax
		mov	ecx, edi
		call	MiLockWorkingSetShared
		mov	ecx, [ebx+8]
		mov	[ebp+var_1], al
		jmp	short loc_627634
; 

loc_627615:				; CODE XREF: MiExceptionForMappedVa(x)+5Ej
		mov	edx, [ecx+34h]
		mov	eax, [ecx+18h]
		and	edx, 0FFFFF000h
		add	eax, edx
		cmp	[ebp+var_8], eax
		jnb	short loc_627631
		cmp	[ebp+var_8], edx
		jnb	short loc_62763A
		mov	ecx, [ecx]
		jmp	short loc_627634
; 

loc_627631:				; CODE XREF: MiExceptionForMappedVa(x)+4Ej
		mov	ecx, [ecx+4]

loc_627634:				; CODE XREF: MiExceptionForMappedVa(x)+3Bj
					; MiExceptionForMappedVa(x)+57j
		test	ecx, ecx
		jnz	short loc_627615
		jmp	short loc_62763E
; 

loc_62763A:				; CODE XREF: MiExceptionForMappedVa(x)+53j
		test	ecx, ecx
		jnz	short loc_627671

loc_62763E:				; CODE XREF: MiExceptionForMappedVa(x)+60j
		mov	dl, [ebp+var_1]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		cmp	ebx, offset unk_6CF5A4
		jnz	short loc_627683
		mov	eax, [ebp+var_C]
		mov	edi, [eax+180h]
		test	edi, edi
		jz	short loc_627683
		push	eax
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		test	al, al
		jnz	short loc_627683
		lea	ebx, [edi+70h]
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		jmp	short loc_627604
; 

loc_627671:				; CODE XREF: MiExceptionForMappedVa(x)+64j
		mov	esi, [ecx+24h]
		mov	ecx, edi
		mov	dl, [ebp+var_1]
		call	MiUnlockWorkingSetShared
		shr	esi, 1
		and	esi, 1

loc_627683:				; CODE XREF: MiExceptionForMappedVa(x)+76j
					; MiExceptionForMappedVa(x)+83j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_MiExceptionForMappedVa@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiShowBadMapper(x, x)
_MiShowBadMapper@8 proc	near		; CODE XREF: .text:0047173Fp
					; .text:0047FC39p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_25		= dword	ptr -25h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	bl, ds:byte_6D311F
		mov	eax, ecx
		mov	[ebp+var_2C], eax
		mov	byte ptr [ebp+var_25], 0
		push	esi
		push	edi
		test	bl, bl
		jnz	loc_627745
		test	dl, 1
		jz	short loc_6276CB
		cmp	ds:_KdPitchDebugger, bl
		jnz	short loc_6276CB
		cmp	ds:_KdDebuggerNotPresent, bl
		jz	short loc_62774A

loc_6276CB:				; CODE XREF: MiShowBadMapper(x,x)+2Fj
					; MiShowBadMapper(x,x)+37j
		test	dl, 4
		jz	loc_62775B
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_25+1]
		rep stosd
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_25+1]
		push	eax
		push	8
		push	1
		call	RtlCaptureStackBackTrace
		lea	ecx, [ebp+var_25]
		call	_MmLockLoadedModuleListExclusive@4 ; MmLockLoadedModuleListExclusive(x)
		xor	esi, esi

loc_6276F9:				; CODE XREF: MiShowBadMapper(x,x)+9Fj
		mov	ecx, [ebp+esi*4+var_25+1]
		cmp	ecx, ds:_MmHighestUserAddress
		jbe	short loc_62772F
		xor	edx, edx
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		test	eax, eax
		jz	short loc_627725
		test	dword ptr [eax+34h], 2000000h
		jz	short loc_627725
		test	ds:_MmVerifierData, 400000h
		jz	short loc_62772D

loc_627725:				; CODE XREF: MiShowBadMapper(x,x)+84j
					; MiShowBadMapper(x,x)+8Dj
		inc	esi
		cmp	esi, 8
		jb	short loc_6276F9
		jmp	short loc_62772F
; 

loc_62772D:				; CODE XREF: MiShowBadMapper(x,x)+99j
		mov	bl, 1

loc_62772F:				; CODE XREF: MiShowBadMapper(x,x)+79j
					; MiShowBadMapper(x,x)+A1j
		push	offset _PsLoadedModuleSpinLock
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_25]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_2C]

loc_627745:				; CODE XREF: MiShowBadMapper(x,x)+26j
		cmp	bl, 1
		jnz	short loc_62775B

loc_62774A:				; CODE XREF: MiShowBadMapper(x,x)+3Fj
		push	0
		push	0
		push	eax
		push	1233h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_62775B:				; CODE XREF: MiShowBadMapper(x,x)+44j
					; MiShowBadMapper(x,x)+BEj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiShowBadMapper@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeDriverPageStayResident(x, x, x)
_MiMakeDriverPageStayResident@12 proc near
					; CODE XREF: MiMakeDriverPagesPrivate(x,x,x,x)+42Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+98h]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		mov	edx, [eax+4]
		mov	esi, edi
		sub	esi, [ecx+18h]
		shr	esi, 0Ch
		mov	eax, esi
		mov	[ebp+var_4], ebx
		shr	eax, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [edx+eax*4]
		sar	eax, cl
		test	al, 1
		jnz	loc_627826
		mov	ecx, esi
		and	esi, 7
		shr	ecx, 3
		movsx	eax, byte ptr [ecx+edx]
		bts	eax, esi
		mov	[ecx+edx], al
		mov	edx, edi
		mov	ecx, ebx
		call	MiLocateWsle
		mov	al, [eax]
		and	al, 0Fh
		cmp	al, 9
		jz	short loc_627826
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		mov	ecx, [edi-40000000h]
		nop
		mov	eax, [edi-3FFFFFFCh]
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	ebx, ecx, 1Ch
		add	ebx, ds:_MmPfnDatabase
		and	[ebp+arg_0], 0
		lea	esi, [ebx+10h]
		jmp	short loc_627808
; 

loc_6277FA:				; CODE XREF: MiMakeDriverPageStayResident(x,x,x)+9Cj
					; MiMakeDriverPageStayResident(x,x,x)+A3j
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_6277FA

loc_627808:				; CODE XREF: MiMakeDriverPageStayResident(x,x,x)+8Ej
		lock bts dword ptr [esi], 1Fh
		jb	short loc_6277FA
		mov	ecx, [ebp+var_4]
		lea	edx, [edi-40000000h]
		push	ebx
		call	MiRemoveSystemImagePage
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax

loc_627826:				; CODE XREF: MiMakeDriverPageStayResident(x,x,x)+34j
					; MiMakeDriverPageStayResident(x,x,x)+5Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiMakeDriverPageStayResident@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetInstructionPointer()
_MiGetInstructionPointer@0 proc	near	; CODE XREF: MiAddMdlTracker(x,x,x)+1D9p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+4]
		pop	ebp
		retn
_MiGetInstructionPointer@0 endp


;  S U B	R O U T	I N E 


; __stdcall MmDeleteProcessor(x)
_MmDeleteProcessor@4 proc near		; CODE XREF: MmInitializeProcessor+5B0Ap
					; KeStartAllProcessors+25815p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi+3D34h]
		test	edx, edx
		jz	short loc_62786B
		shr	edx, 9
		mov	ecx, offset dword_6D35E0
		and	edx, offset loc_7FFFF8
		push	100h
		sub	edx, 40000000h
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		and	dword ptr [esi+3D34h], 0

loc_62786B:				; CODE XREF: MmDeleteProcessor(x)+Dj
		mov	eax, [esi+4D4h]
		test	eax, eax
		jz	short loc_627884
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+4D4h], 0

loc_627884:				; CODE XREF: MmDeleteProcessor(x)+3Cj
		pop	esi
		retn
_MmDeleteProcessor@4 endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiEnableNewPfns(x, x, x)
_MiEnableNewPfns@12 proc near		; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+425p

var_44		= dword	ptr -44h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		and	eax, 100h
		mov	edi, ecx
		push	0
		pop	ecx
		setz	cl
		mov	[ebp+var_14], edi
		xor	ebx, ebx
		mov	[ebp+var_C], ecx
		test	eax, eax
		mov	esi, edx
		mov	eax, esi
		mov	[ebp+var_18], esi
		setz	bl
		sub	eax, edi
		inc	ebx
		mov	[ebp+var_8], eax
		test	[ebp+arg_0], 1800h
		mov	[ebp+var_10], ebx
		jz	loc_62796F
		xor	edx, edx
		call	_MiDetermineNewPfnHeatState@8 ;	MiDetermineNewPfnHeatState(x,x)
		imul	edi, 1Ch
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		shr	ecx, 9
		mov	[ebp+var_10], ecx
		add	edi, ds:_MmPfnDatabase
		mov	[ebp+arg_0], edi
		test	ecx, ecx
		jz	loc_6279D1
		mov	esi, [ebp+var_14]

loc_6278F7:				; CODE XREF: MiEnableNewPfns(x,x,x)+E5j
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, [edi+16h]
		mov	bl, al
		mov	edx, [ebp+var_18]
		and	cl, 0F8h
		or	cl, byte ptr [ebp+var_C]
		xor	eax, eax
		mov	[edi+16h], cl
		lea	edi, [ebp+var_44]
		push	7
		pop	ecx
		rep stosd
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+18h]
		and	eax, 0FEFFFFFFh
		or	eax, 2000000h
		mov	[ebp+var_2C], eax
		mov	[ecx+18h], eax
		call	_MiSetFreeZeroPfnCold@8	; MiSetFreeZeroPfnCold(x,x)
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		lea	ecx, [ebp+var_28]
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_C]
		and	[ebp+var_20], 0
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], bl
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)
		mov	edi, [ebp+arg_0]
		add	esi, 200h
		add	edi, 3800h
		sub	[ebp+var_10], 1
		mov	[ebp+arg_0], edi
		jnz	short loc_6278F7
		jmp	short loc_6279CE
; 

loc_62796F:				; CODE XREF: MiEnableNewPfns(x,x,x)+3Fj
		push	2
		pop	edx
		call	_MiDetermineNewPfnHeatState@8 ;	MiDetermineNewPfnHeatState(x,x)
		test	eax, eax
		jz	short loc_627984
		or	ebx, 400h
		mov	[ebp+var_10], ebx

loc_627984:				; CODE XREF: MiEnableNewPfns(x,x,x)+F3j
		imul	eax, edi, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+arg_0], eax
		cmp	edi, esi
		jnb	short loc_6279CE
		mov	esi, [ebp+var_10]

loc_627997:				; CODE XREF: MiEnableNewPfns(x,x,x)+146j
		mov	ecx, eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edx, esi
		mov	ecx, edi
		mov	bl, al
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	ecx, [ebp+arg_0]
		mov	eax, 7FFFFFFFh
		add	ecx, 10h
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+arg_0]
		inc	edi
		add	eax, 1Ch
		mov	[ebp+arg_0], eax
		cmp	edi, [ebp+var_18]
		jb	short loc_627997

loc_6279CE:				; CODE XREF: MiEnableNewPfns(x,x,x)+E7j
					; MiEnableNewPfns(x,x,x)+10Cj
		mov	eax, [ebp+var_8]

loc_6279D1:				; CODE XREF: MiEnableNewPfns(x,x,x)+68j
		mov	edx, eax
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_6279EA
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_6279EA:				; CODE XREF: MiEnableNewPfns(x,x,x)+159j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiEnableNewPfns@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeDynamicPfns(x, x, x, x,	x, x)
_MiInitializeDynamicPfns@24 proc near	; CODE XREF: MiMapNewPfns(x,x,x,x,x)+155p
					; MiRemovePhysicalMemory(x,x,x)+1E7p

var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_91		= dword	ptr -91h
var_8C		= dword	ptr -8Ch
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ECh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_A8], edi
		mov	esi, ecx
		mov	[ebp+var_98], esi
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_AC], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_A0], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_A4], eax
		xor	eax, eax
		push	88h		; size_t
		push	eax		; int
		mov	[ebp+var_E8], eax
		mov	[ebp+var_E4], eax
		mov	[ebp+var_E0], eax
		mov	[ebp+var_DC], eax
		mov	[ebp+var_D4], eax
		mov	[ebp+var_D0], eax
		mov	[ebp+var_CC], eax
		mov	[ebp+var_C8], eax
		mov	[ebp+var_C4], eax
		mov	[ebp+var_C0], eax
		mov	[ebp+var_B8], eax
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_91+1]
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+arg_4]
		add	esp, 0Ch
		imul	ebx, esi, 1Ch
		mov	eax, ecx
		and	eax, 6
		mov	byte ptr [ebp+var_91], 5
		mov	[ebp+var_B0], eax
		add	ebx, ds:_MmPfnDatabase
		mov	[ebp+var_9C], ebx
		cmp	eax, 4
		jnz	short loc_627AFD
		push	offset unk_6D4EB0
		mov	byte ptr [ebp+var_91], 6
		call	ExAcquireSpinLockExclusive
		add	ds:dword_6D5D88, edi
		mov	bl, al
		push	offset unk_6D4EB0
		mov	ds:byte_6D4E4C,	1
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+var_9C]
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_B0]

loc_627AFD:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+C9j
		test	cl, 1
		jz	loc_627CAE
		cmp	eax, 4
		jnz	short loc_627B11
		or	ecx, 40h
		mov	[ebp+arg_4], ecx

loc_627B11:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+118j
		test	ecx, 1800h
		jz	short loc_627B38
		push	0
		xor	edx, edx
		xor	ecx, ecx
		call	_MiDetermineNewPfnHeatState@8 ;	MiDetermineNewPfnHeatState(x,x)
		neg	eax
		sbb	eax, eax
		inc	eax
		push	eax
		push	1
		push	edx
		push	edi
		mov	edx, esi
		call	_MiInitializeAllResidentPageBasePfns@28	; MiInitializeAllResidentPageBasePfns(x,x,x,x,x,x,x)
		mov	ecx, [ebp+arg_4]

loc_627B38:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+126j
		test	cl, 2
		jz	short loc_627B54
		mov	eax, [ebp+var_A0]
		push	edi
		mov	ecx, [eax]
		mov	edx, ecx
		mov	ebx, [eax+4]
		mov	ecx, [ecx]
		call	_MiReferenceControlAreaPfn@12 ;	MiReferenceControlAreaPfn(x,x,x)
		jmp	short loc_627B56
; 

loc_627B54:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+14Aj
		xor	ebx, ebx

loc_627B56:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+161j
		and	[ebp+var_9C], 0
		mov	byte ptr [ebp+var_91], 21h
		test	edi, edi
		jz	loc_627D66
		mov	esi, [ebp+arg_4]
		mov	eax, [ebp+var_98]

loc_627B75:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+2B2j
		mov	edx, edi
		mov	ecx, eax
		call	MiRestrictRangeToNode
		cmp	[ebp+var_A0], 0
		mov	edi, eax
		jz	short loc_627C04
		mov	ecx, ebx
		mov	eax, 1000h
		and	ecx, 0FFFh
		sub	eax, ecx
		shr	eax, 3
		cmp	edi, eax
		jbe	short loc_627BA1
		mov	edi, eax

loc_627BA1:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+1ACj
		lea	edx, [ebp+var_91]
		mov	ecx, ebx
		call	MiLockProtoPoolPage
		mov	[ebp+var_9C], eax
		test	eax, eax
		jnz	short loc_627BE0

loc_627BB8:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+1EAj
		push	0
		push	0
		push	ebx
		push	2
		call	MmAccessFault
		lea	edx, [ebp+var_91]
		mov	ecx, ebx
		call	MiLockProtoPoolPage
		mov	esi, eax
		mov	[ebp+var_9C], esi
		test	esi, esi
		jz	short loc_627BB8
		mov	esi, [ebp+arg_4]

loc_627BE0:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+1C5j
		mov	eax, [ebp+var_A0]
		mov	edx, edi
		push	dword ptr [eax+8]
		push	ebx
		push	dword ptr [eax]
		push	esi
		push	ecx
		imul	ecx, [ebp+var_98], 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiInitializeUnusablePfns@28 ; MiInitializeUnusablePfns(x,x,x,x,x,x,x)
		jmp	short loc_627C66
; 

loc_627C04:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+196j
		mov	ecx, [ebp+var_98]
		call	MiSearchNumaNodeTable
		xor	edx, edx
		lea	ecx, [ebp+var_91+1] ; void *
		inc	edx		; int
		mov	eax, [eax+4]
		push	eax		; int
		call	_MiInitializeDpcGang@12	; MiInitializeDpcGang(x,x,x)
		mov	eax, [ebp+var_AC]
		mov	ecx, [ebp+var_A4]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_98]
		mov	[ebp+var_91+1],	eax
		mov	eax, [ebp+var_30]
		or	eax, 4
		mov	[ebp+var_34], esi
		mov	[ebp+var_8C], edi
		mov	[ebp+var_40], ecx
		test	ecx, ecx
		jz	short loc_627C55
		or	eax, 8

loc_627C55:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+25Fj
		or	eax, 2
		lea	ecx, [ebp+var_91+1]
		mov	[ebp+var_30], eax
		call	_MiStartDpcGang@4 ; MiStartDpcGang(x)

loc_627C66:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+211j
		test	ebx, ebx
		jz	short loc_627C7E
		mov	dl, byte ptr [ebp+var_91]
		mov	ecx, [ebp+var_9C]
		call	MiUnlockProtoPoolPage
		lea	ebx, [ebx+edi*8]

loc_627C7E:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+277j
		mov	eax, [ebp+var_98]
		sub	[ebp+var_A8], edi
		add	eax, edi
		shl	edi, 0Ch
		add	[ebp+var_A4], edi
		mov	edi, [ebp+var_A8]
		mov	[ebp+var_98], eax
		test	edi, edi
		jnz	loc_627B75
		jmp	loc_627D66
; 

loc_627CAE:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+10Fj
		test	cl, 2
		jnz	short loc_627CC7
		push	0
		push	0
		push	edi
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	MiUpdateLargePageBitMap
		mov	ecx, [ebp+arg_4]

loc_627CC7:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+2C0j
		mov	eax, 80000000h
		mov	[ebp+var_D8], eax
		mov	[ebp+var_BC], eax
		mov	al, byte ptr [ebp+var_B8+2]
		and	al, 0F8h
		or	al, byte ptr [ebp+var_91]
		mov	byte ptr [ebp+var_B8+2], al
		imul	eax, edi, 1Ch
		add	eax, ebx
		mov	[ebp+var_AC], eax
		cmp	ebx, eax
		jnb	short loc_627D66
		and	ecx, 10h
		mov	[ebp+arg_4], ecx

loc_627D01:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+373j
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		test	byte ptr [ebx+17h], 40h
		mov	byte ptr [ebp+var_91], al
		jz	short loc_627D1D
		xor	edx, edx
		mov	ecx, ebx
		call	_MiSetPfnRemovalRequested@8 ; MiSetPfnRemovalRequested(x,x)

loc_627D1D:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+321j
		push	7
		pop	ecx
		lea	esi, [ebp+var_CC]
		mov	edi, ebx
		rep movsd
		mov	ecx, ebx
		call	MiAbortCombineScan
		cmp	[ebp+arg_4], 0
		jz	short loc_627D44
		push	7
		pop	ecx
		lea	esi, [ebp+var_E8]
		mov	edi, ebx
		rep movsd

loc_627D44:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+344j
		mov	ecx, 7FFFFFFFh
		lea	eax, [ebx+10h]
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+var_91]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		add	ebx, 1Ch
		cmp	ebx, [ebp+var_AC]
		jb	short loc_627D01

loc_627D66:				; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+175j
					; MiInitializeDynamicPfns(x,x,x,x,x,x)+2B8j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_MiInitializeDynamicPfns@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPerformMemoryChange(x, x,	x, x, x)
_MiPerformMemoryChange@20 proc near	; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+3D1p
					; MiRemovePhysicalMemory(x,x,x)+1AAp

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	offset unk_6D4EB0
		mov	edi, edx
		mov	ebx, ecx
		call	ExAcquireSpinLockExclusive
		mov	esi, ds:_MmPhysicalMemoryBlock
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_1], al
		dec	dword ptr [esi-4]
		mov	esi, [esi-4]
		mov	eax, ds:dword_6D4E58
		neg	esi
		mov	edx, [ecx]
		sbb	esi, esi
		not	esi
		and	esi, ds:_MmPhysicalMemoryBlock
		mov	ds:_MmPhysicalMemoryBlock, edx
		dec	dword ptr [eax-4]
		mov	edx, [eax-4]
		mov	eax, [ebp+arg_4]
		neg	edx
		mov	[ecx], esi
		sbb	edx, edx
		not	edx
		mov	ecx, [eax]
		and	edx, ds:dword_6D4E58
		mov	[eax], edx
		lea	eax, [edi-1]
		add	eax, ebx
		mov	ds:dword_6D4E58, ecx
		test	[ebp+arg_8], 1
		jz	short loc_627E0D
		cmp	eax, ds:dword_6D5D84
		jbe	short loc_627DF3
		mov	ds:dword_6D5D84, eax

loc_627DF3:				; CODE XREF: MiPerformMemoryChange(x,x,x,x,x)+75j
		push	edi
		push	ebx
		push	offset dword_6D35B4
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		test	[ebp+arg_8], 4
		jnz	short loc_627E36
		add	ds:dword_6D5D88, edi
		jmp	short loc_627E2F
; 

loc_627E0D:				; CODE XREF: MiPerformMemoryChange(x,x,x,x,x)+6Dj
		cmp	eax, ds:dword_6D5D84
		jnz	short loc_627E1D
		lea	eax, [ebx-1]
		mov	ds:dword_6D5D84, eax

loc_627E1D:				; CODE XREF: MiPerformMemoryChange(x,x,x,x,x)+9Cj
		push	edi
		push	ebx
		push	offset dword_6D35B4
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		sub	ds:dword_6D5D88, edi

loc_627E2F:				; CODE XREF: MiPerformMemoryChange(x,x,x,x,x)+94j
		mov	ds:byte_6D4E4C,	1

loc_627E36:				; CODE XREF: MiPerformMemoryChange(x,x,x,x,x)+8Cj
		call	MiInitializeNonPagedPoolThresholds
		push	offset unk_6D4EB0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiPerformMemoryChange@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPfnDatabaseVaIsUnique(x)
_MiPfnDatabaseVaIsUnique@4 proc	near	; CODE XREF: MiGetNextNonGapPfnPage+85D6Bp
					; MiGetNextNonGapPfnPage+85DBEp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, [ecx]
		push	esi
		xor	esi, esi
		nop
		mov	ecx, [ecx+4]
		mov	eax, edx
		and	eax, 1
		or	eax, esi
		jz	short loc_627E90
		nop
		mov	esi, ds:dword_6D3518
		cmp	esi, ds:dword_6D351C
		jz	short loc_627E8B
		shrd	edx, ecx, 0Ch
		and	edx, 1FFFFFFh
		cmp	edx, esi
		jz	short loc_627E90

loc_627E8B:				; CODE XREF: MiPfnDatabaseVaIsUnique(x)+26j
		xor	eax, eax
		inc	eax
		jmp	short loc_627E92
; 

loc_627E90:				; CODE XREF: MiPfnDatabaseVaIsUnique(x)+17j
					; MiPfnDatabaseVaIsUnique(x)+34j
		xor	eax, eax

loc_627E92:				; CODE XREF: MiPfnDatabaseVaIsUnique(x)+39j
		pop	esi
		leave
		retn
_MiPfnDatabaseVaIsUnique@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRemoveBadPages(x,	x, x)
_MiRemoveBadPages@12 proc near		; CODE XREF: MmRemovePhysicalMemory(x,x)+51p

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		test	ds:_MiFlags, 8000000h
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		jnz	short loc_627EB8
		mov	eax, 0C0000002h
		jmp	loc_627F88
; 

loc_627EB8:				; CODE XREF: MiRemoveBadPages(x,x,x)+17j
		mov	eax, large fs:124h
		imul	edi, esi, 1Ch
		mov	[ebp+var_8], eax
		add	edi, ds:_MmPfnDatabase
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D4EAC
		call	ExAcquirePushLockSharedEx
		xor	ebx, ebx
		cmp	[ebp+arg_0], ebx
		jbe	short loc_627F5B

loc_627EE5:				; CODE XREF: MiRemoveBadPages(x,x,x)+C4j
		cmp	esi, ds:dword_6D07B0
		ja	loc_627FA7
		mov	eax, ds:dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_627FA7
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, edi
		mov	[ebp+var_1], al
		lea	edx, [edi+10h]
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jz	short loc_627F8F
		xor	edx, edx
		call	_MiUnlinkPageFromBadList@8 ; MiUnlinkPageFromBadList(x,x)
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_MiSetPfnRemovalRequested@8 ; MiSetPfnRemovalRequested(x,x)
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		or	dword ptr [eax], 40000000h
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	ebx
		add	edi, 1Ch
		inc	esi
		cmp	ebx, [ebp+arg_0]
		jb	short loc_627EE5

loc_627F5B:				; CODE XREF: MiRemoveBadPages(x,x,x)+4Ej
		xor	edi, edi

loc_627F5D:				; CODE XREF: MiRemoveBadPages(x,x,x)+119j
					; MiRemoveBadPages(x,x,x)+126j
		push	11h
		xor	edx, edx
		mov	esi, offset unk_6D4EAC
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_627F77
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_627F77:				; CODE XREF: MiRemoveBadPages(x,x,x)+D9j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, edi

loc_627F88:				; CODE XREF: MiRemoveBadPages(x,x,x)+1Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_627F8F:				; CODE XREF: MiRemoveBadPages(x,x,x)+8Fj
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, 0C0000476h
		jmp	short loc_627FAC
; 

loc_627FA7:				; CODE XREF: MiRemoveBadPages(x,x,x)+56j
					; MiRemoveBadPages(x,x,x)+73j
		mov	edi, 0C00000EFh

loc_627FAC:				; CODE XREF: MiRemoveBadPages(x,x,x)+110j
		test	ebx, ebx
		jz	short loc_627F5D
		sub	esi, ebx
		mov	edx, ebx
		mov	ecx, esi
		call	_MiReturnBadPagesToBadList@8 ; MiReturnBadPagesToBadList(x,x)
		jmp	short loc_627F5D
_MiRemoveBadPages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReplicatePfnDatabaseMappings(x, x)
_MiReplicatePfnDatabaseMappings@8 proc near ; CODE XREF: MiPfnRangeIsZero+85D5Dp

var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A0h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_A0]
		mov	edi, edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		shl	esi, 9
		shl	edi, 9
		mov	ecx, esi
		mov	edx, edi
		call	MiReplicatePteChange
		and	[ebp+var_8C], 0
		mov	[ebp+var_98], 21h
		jmp	short loc_62801C
; 

loc_628010:				; CODE XREF: MiReplicatePfnDatabaseMappings(x,x)+67j
		xor	edx, edx
		push	esi
		inc	edx
		call	_MiInsertRecursiveTbFlushEntries@12 ; MiInsertRecursiveTbFlushEntries(x,x,x)
		add	esi, 8

loc_62801C:				; CODE XREF: MiReplicatePfnDatabaseMappings(x,x)+51j
		lea	ecx, [ebp+var_A0]
		cmp	esi, edi
		jbe	short loc_628010
		call	MiFlushTbList
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiReplicatePfnDatabaseMappings@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiReturnBadPagesToBadList(x, x)
_MiReturnBadPagesToBadList@8 proc near	; CODE XREF: MiRemoveBadPages(x,x,x)+121p
					; MmRemovePhysicalMemory(x,x)+B0p
		mov	edi, edi
		push	ebx
		push	esi
		imul	esi, ecx, 1Ch
		push	edi
		mov	edi, edx
		add	esi, ds:_MmPfnDatabase
		test	edi, edi
		jz	short loc_628095

loc_62804D:				; CODE XREF: MiReturnBadPagesToBadList(x,x)+5Aj
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		cmp	dword ptr [esi+4], 0
		mov	bl, al
		jnz	short loc_628063
		mov	dword ptr [esi+4], 0FFFFFFFCh

loc_628063:				; CODE XREF: MiReturnBadPagesToBadList(x,x)+21j
		and	dword ptr [esi+18h], 0FF800000h
		xor	eax, eax
		push	20h
		pop	edx
		mov	ecx, esi
		mov	[esi+14h], ax
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		add	esi, 1Ch
		sub	edi, 1
		jnz	short loc_62804D

loc_628095:				; CODE XREF: MiReturnBadPagesToBadList(x,x)+12j
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiReturnBadPagesToBadList@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnlinkBadPages(x,	x)
_MiUnlinkBadPages@8 proc near		; CODE XREF: MmMarkPhysicalMemoryAsGood(x,x)+38p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		imul	esi, edi, 1Ch
		xor	ebx, ebx
		and	[ebp+var_C], ebx
		mov	cl, 2
		add	esi, ds:_MmPfnDatabase
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		cmp	edi, [ebp+var_8]
		jnb	loc_6281CD
		mov	ecx, [ebp+var_C]
		add	esi, 10h
		mov	edx, [ebp+var_8]

loc_6280D4:				; CODE XREF: MiUnlinkBadPages(x,x)+12Ej
		cmp	edi, ds:dword_6D07B0
		ja	loc_6281BD
		mov	eax, ds:dword_6D35B8
		mov	edx, edi
		shr	edx, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_6281B4
		and	[ebp+var_10], 0
		jmp	short loc_628111
; 

loc_628103:				; CODE XREF: MiUnlinkBadPages(x,x)+76j
					; MiUnlinkBadPages(x,x)+7Dj
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_628103

loc_628111:				; CODE XREF: MiUnlinkBadPages(x,x)+68j
		lock bts dword ptr [esi], 1Fh
		jb	short loc_628103
		mov	dl, [esi+7]
		lea	ecx, [esi-10h]
		test	dl, 40h
		jz	short loc_628130
		xor	edx, edx
		call	_MiSetPfnRemovalRequested@8 ; MiSetPfnRemovalRequested(x,x)
		and	byte ptr [esi+7], 7Fh
		jmp	short loc_628156
; 

loc_628130:				; CODE XREF: MiUnlinkBadPages(x,x)+88j
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jz	short loc_62817E
		and	dl, 7Fh
		mov	[esi+7], dl
		xor	edx, edx
		call	_MiUnlinkPageFromBadList@8 ; MiUnlinkPageFromBadList(x,x)
		or	dword ptr [esi], 40000000h
		mov	ecx, edi
		push	2
		pop	edx
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)

loc_628156:				; CODE XREF: MiUnlinkBadPages(x,x)+95j
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		inc	edx
		call	MiReturnCommit
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		inc	edx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_62817D
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_62817D:				; CODE XREF: MiUnlinkBadPages(x,x)+D9j
		inc	ebx

loc_62817E:				; CODE XREF: MiUnlinkBadPages(x,x)+9Ej
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	al, [ebp+var_1]
		mov	ecx, [ebp+var_C]
		cmp	al, 2
		jnb	short loc_6281BA
		test	cl, 0Fh
		jnz	short loc_6281BA
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_6281B4
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		jmp	short loc_6281B7
; 

loc_6281B4:				; CODE XREF: MiUnlinkBadPages(x,x)+5Ej
					; MiUnlinkBadPages(x,x)+103j
		mov	al, [ebp+var_1]

loc_6281B7:				; CODE XREF: MiUnlinkBadPages(x,x)+119j
		mov	ecx, [ebp+var_C]

loc_6281BA:				; CODE XREF: MiUnlinkBadPages(x,x)+F5j
					; MiUnlinkBadPages(x,x)+FAj
		mov	edx, [ebp+var_8]

loc_6281BD:				; CODE XREF: MiUnlinkBadPages(x,x)+41j
		inc	edi
		add	esi, 1Ch
		inc	ecx
		mov	[ebp+var_C], ecx
		cmp	edi, edx
		jb	loc_6280D4

loc_6281CD:				; CODE XREF: MiUnlinkBadPages(x,x)+2Cj
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_MiUnlinkBadPages@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1408. MmGetPageBadStatus

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetPageBadStatus(x)
		public _MmGetPageBadStatus@4
_MmGetPageBadStatus@4 proc near		; CODE XREF: WheapPersistPageForMemoryError(x)+32p
					; WheapPfaMemoryCheck(x,x)+2Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [eax]
		mov	eax, [eax+4]
		shrd	esi, eax, 0Ch
		cmp	esi, ds:dword_6D07B0
		ja	short loc_62825E
		mov	eax, ds:dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_62825E
		imul	esi, 1Ch
		push	edi
		xor	edi, edi
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, esi
		mov	dl, al
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jz	short loc_62823B
		mov	edi, 0C0000709h
		jmp	short loc_628246
; 

loc_62823B:				; CODE XREF: MmGetPageBadStatus(x)+51j
		test	byte ptr [esi+17h], 40h
		jz	short loc_628246
		mov	edi, 103h

loc_628246:				; CODE XREF: MmGetPageBadStatus(x)+58j
					; MmGetPageBadStatus(x)+5Ej
		mov	eax, 7FFFFFFFh
		lea	ecx, [esi+10h]
		lock and [ecx],	eax
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		jmp	short loc_628263
; 

loc_62825E:				; CODE XREF: MmGetPageBadStatus(x)+18j
					; MmGetPageBadStatus(x)+31j
		mov	eax, 0C00000EFh

loc_628263:				; CODE XREF: MmGetPageBadStatus(x)+7Bj
		pop	esi
		pop	ebp
		retn	4
_MmGetPageBadStatus@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1447. MmMarkPhysicalMemoryAsBad

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMarkPhysicalMemoryAsBad(x, x)
		public _MmMarkPhysicalMemoryAsBad@8
_MmMarkPhysicalMemoryAsBad@8 proc near	; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+59Cp
					; WheapAttemptPhysicalPageOffline(x,x,x,x,x,x)+8Ep

var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	ecx, [ebp+arg_0]
		and	[esp+34h+var_10], 0
		push	ebx
		push	esi
		mov	edx, [ecx]
		mov	esi, 0FFFh
		mov	eax, edx
		and	eax, esi
		push	edi
		cmp	eax, 1
		ja	loc_62875B
		mov	ebx, [ebp+arg_4]
		test	[ebx], esi
		jz	short loc_6282A8
		mov	eax, 0C00000F0h
		jmp	loc_628760
; 

loc_6282A8:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+2Fj
		test	ds:_MiFlags, 8000000h
		jnz	short loc_6282BE
		mov	eax, 0C0000002h
		jmp	loc_628760
; 

loc_6282BE:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+45j
		mov	eax, [ecx+4]
		mov	esi, edx
		mov	ecx, [ebx]
		shrd	esi, eax, 0Ch
		mov	eax, [ebx+4]
		shrd	ecx, eax, 0Ch
		mov	[esp+40h+var_4], ecx
		lea	edi, [esi+ecx]
		mov	[esp+40h+var_2C], edi
		cmp	esi, edi
		jnb	loc_62875B
		and	[esp+40h+var_28], 0
		not	edx
		and	[esp+40h+var_1C], 0
		xor	eax, eax
		and	edx, 1
		mov	[esp+40h+var_14], eax
		mov	eax, large fs:124h
		shl	edx, 1Ch
		add	edx, 2C100000h
		mov	[esp+40h+var_20], eax
		mov	[esp+40h+var_18], edx
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D4EAC
		call	ExAcquirePushLockSharedEx
		imul	ebx, esi, 1Ch
		add	ebx, ds:_MmPfnDatabase
		lea	edx, [ebx+10h]
		mov	[esp+40h+var_30], edx

loc_628333:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+45Dj
		cmp	esi, ds:dword_6D07B0
		ja	loc_6286B5
		mov	eax, ds:dword_6D35B8
		mov	ecx, esi
		shr	ecx, 5
		mov	edi, esi
		and	edi, 1Fh
		mov	[esp+40h+var_C], ecx
		mov	[esp+40h+var_8], edi
		mov	eax, [eax+ecx*4]
		mov	ecx, edi
		shr	eax, cl
		and	eax, 1
		jz	loc_6286B1
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, ds:dword_6D4EA4
		mov	[esp+40h+var_31], al
		call	PsReferencePartitionSafe
		movzx	edi, al
		mov	ecx, 7FFFFFFFh
		mov	eax, [esp+40h+var_30]
		neg	edi
		sbb	edi, edi
		lock and [eax],	ecx
		mov	cl, [esp+40h+var_31]
		and	edi, offset _MiSystemPartition
		jnz	short loc_6283B6
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[esp+40h+var_28], 0C000010Ah

loc_6283A9:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+22Fj
					; MmMarkPhysicalMemoryAsBad(x,x)+288j ...
		mov	edx, [esp+40h+var_30]

loc_6283AD:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+1C5j
		mov	edi, [esp+40h+var_2C]
		jmp	loc_6286BD
; 

loc_6283B6:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+12Cj
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	0
		push	2
		pop	edx
		mov	ecx, edi
		call	MiAcquireNonPagedResources
		test	eax, eax
		js	loc_62873D
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	dl, al
		mov	[esp+40h+var_31], dl
		cmp	edi, offset _MiSystemPartition
		jz	short loc_628437
		mov	eax, [esp+40h+var_30]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	2
		pop	edx
		mov	ecx, edi
		call	MiReturnCommit
		push	2
		pop	edx
		mov	ecx, edi
		call	MiReturnResavailToPrcb
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_62841F
		lea	eax, [edi+1000h]
		lock xadd [eax], ecx

loc_62841F:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+1A6j
		mov	ecx, [edi+64h]
		call	PsDereferencePartition
		mov	edx, [esp+40h+var_30]
		dec	esi
		sub	ebx, 1Ch
		sub	edx, 1Ch
		jmp	loc_6283AD
; 

loc_628437:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+178j
		test	[esp+40h+var_18], 10000000h
		jz	short loc_62844D
		mov	al, [ebx+17h]
		test	al, al
		js	short loc_62844D
		or	al, 80h
		mov	[ebx+17h], al

loc_62844D:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+1D2j
					; MmMarkPhysicalMemoryAsBad(x,x)+1D9j
		test	byte ptr [ebx+17h], 40h
		jz	short loc_6284A1
		mov	eax, [esp+40h+var_30]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	2
		pop	edx
		mov	ecx, edi
		call	MiReturnCommit
		push	2
		pop	edx
		mov	ecx, edi
		call	MiReturnResavailToPrcb
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_62848B
		lea	eax, [edi+1000h]
		lock xadd [eax], ecx

loc_62848B:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+212j
		mov	ecx, [edi+64h]
		call	PsDereferencePartition
		mov	eax, 103h
		mov	[esp+40h+var_28], eax
		jmp	loc_6283A9
; 

loc_6284A1:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+1E4j
		mov	al, [ebx+16h]
		and	al, 7
		cmp	al, 5
		jnz	short loc_6284FA
		mov	ecx, ebx
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jz	short loc_6284FA
		mov	eax, [esp+40h+var_30]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	2
		pop	edx
		mov	ecx, edi
		call	MiReturnCommit
		push	2
		pop	edx
		mov	ecx, edi
		call	MiReturnResavailToPrcb
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_6284ED
		lea	eax, [edi+1000h]
		lock xadd [eax], ecx

loc_6284ED:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+274j
		mov	ecx, [edi+64h]
		call	PsDereferencePartition
		jmp	loc_6283A9
; 

loc_6284FA:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+23Bj
					; MmMarkPhysicalMemoryAsBad(x,x)+246j
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	_MiSetPfnRemovalRequested@8 ; MiSetPfnRemovalRequested(x,x)
		mov	eax, [esp+40h+var_30]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [esp+40h+var_31]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	11h
		xor	ecx, ecx
		mov	edx, offset unk_6D4EAC
		pop	eax
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jz	short loc_628539
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, offset unk_6D4EAC

loc_628539:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+2BEj
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, [esp+40h+var_20]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		lea	eax, [esp+40h+var_10]
		mov	edx, esi
		push	eax
		push	0
		push	[esp+48h+var_18]
		mov	eax, 80000000h
		mov	ecx, edi
		push	eax
		push	eax
		push	1
		push	1
		push	0
		push	esi
		call	_MiFindContiguousPages@44 ; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)
		mov	[esp+40h+var_24], eax
		xor	eax, eax
		mov	[esp+40h+var_28], eax
		mov	eax, [esp+40h+var_20]
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D4EAC
		call	ExAcquirePushLockSharedEx
		cmp	esi, ds:dword_6D07B0
		ja	loc_62865B
		mov	ecx, [esp+40h+var_C]
		mov	eax, ds:dword_6D35B8
		mov	eax, [eax+ecx*4]
		mov	ecx, [esp+40h+var_8]
		shr	eax, cl
		and	eax, 1
		jz	loc_62865B
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		cmp	[esp+40h+var_24], 0
		mov	dl, al
		mov	[esp+40h+var_31], dl
		jl	short loc_62861D
		test	byte ptr [ebx+17h], 40h
		jz	short loc_6285FD
		and	dword ptr [ebx+18h], 0FF800000h
		xor	eax, eax
		push	20h
		pop	edx
		mov	ecx, ebx
		mov	[ebx+14h], ax
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		mov	eax, [esp+40h+var_30]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [esp+40h+var_31]

loc_6285F5:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+3ECj
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_628663
; 

loc_6285FD:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+35Fj
		mov	eax, [esp+40h+var_30]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiFreeContiguousPages@8 ; MiFreeContiguousPages(x,x)
		jmp	short loc_628687
; 

loc_62861D:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+359j
		mov	ecx, ebx
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	short loc_628646
		test	byte ptr [ebx+17h], 40h
		jz	short loc_62864B
		mov	eax, 103h
		mov	ds:byte_6D311C,	1
		mov	[esp+40h+var_14], 1
		mov	[esp+40h+var_28], eax

loc_628646:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+3B9j
		and	[esp+40h+var_24], 0

loc_62864B:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+3BFj
		mov	eax, [esp+40h+var_30]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, dl
		jmp	short loc_6285F5
; 

loc_62865B:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+326j
					; MmMarkPhysicalMemoryAsBad(x,x)+341j
		mov	[esp+40h+var_28], 0C00000F0h

loc_628663:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+38Ej
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	MiReturnCommit
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	MiReturnResavailToPrcb
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_628687
		lea	eax, [edi+1000h]
		lock xadd [eax], ecx

loc_628687:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+3AEj
					; MmMarkPhysicalMemoryAsBad(x,x)+40Ej
		mov	ecx, [edi+64h]
		call	PsDereferencePartition
		mov	eax, [esp+40h+var_24]
		cmp	eax, 0C000012Dh
		jz	short loc_6286A5
		cmp	eax, 0C000009Ah
		jnz	loc_6283A9

loc_6286A5:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+42Bj
		mov	ebx, eax
		mov	[esp+40h+var_1C], eax

loc_6286AB:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+4E3j
		mov	edi, [esp+40h+var_2C]
		jmp	short loc_6286D4
; 

loc_6286B1:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+F3j
		mov	edi, [esp+40h+var_2C]

loc_6286B5:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+CCj
		mov	[esp+40h+var_28], 0C00000F0h

loc_6286BD:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+144j
		inc	esi
		add	edx, 1Ch
		add	ebx, 1Ch
		mov	[esp+40h+var_30], edx
		cmp	esi, edi
		jb	loc_628333
		mov	ebx, [esp+40h+var_28]

loc_6286D4:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+442j
		push	11h
		xor	ecx, ecx
		mov	edx, offset unk_6D4EAC
		pop	eax
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jz	short loc_6286F3
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, offset unk_6D4EAC

loc_6286F3:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+478j
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, [esp+40h+var_20]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	[esp+40h+var_14], 1
		jnz	short loc_62871C
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_42538D+3)
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_62871C:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+49Bj
		sub	esi, edi
		mov	ecx, 1000h
		mov	edi, [esp+40h+var_4]
		lea	eax, [edi+esi]
		mul	ecx
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		mov	[ecx+4], edx
		cmp	edi, 1
		jnz	short loc_628755
		mov	eax, ebx
		jmp	short loc_628760
; 

loc_62873D:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+15Fj
		mov	ecx, [edi+64h]
		mov	eax, 0C000009Ah
		mov	ebx, eax
		mov	[esp+40h+var_1C], eax
		call	PsDereferencePartition
		jmp	loc_6286AB
; 

loc_628755:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+4CAj
		mov	eax, [esp+40h+var_1C]
		jmp	short loc_628760
; 

loc_62875B:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+24j
					; MmMarkPhysicalMemoryAsBad(x,x)+70j
		mov	eax, 0C00000EFh

loc_628760:				; CODE XREF: MmMarkPhysicalMemoryAsBad(x,x)+36j
					; MmMarkPhysicalMemoryAsBad(x,x)+4Cj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_MmMarkPhysicalMemoryAsBad@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1448. MmMarkPhysicalMemoryAsGood

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMarkPhysicalMemoryAsGood(x, x)
		public _MmMarkPhysicalMemoryAsGood@8
_MmMarkPhysicalMemoryAsGood@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, 0FFFh
		push	esi
		test	[eax], ecx
		jnz	short loc_6287BB
		mov	esi, [ebp+arg_4]
		test	[esi], ecx
		jz	short loc_62878E
		mov	eax, 0C00000F0h
		jmp	short loc_6287C0
; 

loc_62878E:				; CODE XREF: MmMarkPhysicalMemoryAsGood(x,x)+17j
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	edx, [esi]
		shrd	ecx, eax, 0Ch
		mov	eax, [esi+4]
		shrd	edx, eax, 0Ch
		add	edx, ecx
		cmp	ecx, edx
		jnb	short loc_6287BB
		call	_MiUnlinkBadPages@8 ; MiUnlinkBadPages(x,x)
		mov	ecx, 1000h
		mul	ecx
		mov	[esi], eax
		xor	eax, eax
		mov	[esi+4], edx
		jmp	short loc_6287C0
; 

loc_6287BB:				; CODE XREF: MmMarkPhysicalMemoryAsGood(x,x)+10j
					; MmMarkPhysicalMemoryAsGood(x,x)+36j
		mov	eax, 0C00000EFh

loc_6287C0:				; CODE XREF: MmMarkPhysicalMemoryAsGood(x,x)+1Ej
					; MmMarkPhysicalMemoryAsGood(x,x)+4Bj
		pop	esi
		pop	ebp
		retn	8
_MmMarkPhysicalMemoryAsGood@8 endp


;  S U B	R O U T	I N E 


; __stdcall MmKernelVerifierEnabled()
_MmKernelVerifierEnabled@0 proc	near	; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+1Ep
					; VerifierExFreePool(x)+6p ...
		movzx	eax, byte ptr ds:_MiFlags
		shr	eax, 1
		and	eax, 1
		retn
_MmKernelVerifierEnabled@0 endp


;  S U B	R O U T	I N E 


; __stdcall MiAddingWorkingSetPageShortly(x, x)
_MiAddingWorkingSetPageShortly@8 proc near ; CODE XREF:	MiAddWorkingSetEntries+145571p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+40h]
		add	edi, edx
		cmp	edi, [esi+3Ch]
		jbe	short loc_628805
		test	byte ptr [esi+63h], 8
		jnz	short loc_628805
		call	_MiWorkingSetVeryLarge@4 ; MiWorkingSetVeryLarge(x)
		cmp	eax, 1
		jz	short loc_6287FD
		test	byte ptr [esi+60h], 40h
		jz	short loc_628805
		cmp	edi, [esi+50h]
		jbe	short loc_628805

loc_6287FD:				; CODE XREF: MiAddingWorkingSetPageShortly(x,x)+1Ej
		mov	al, [esi+63h]
		or	al, 8
		mov	[esi+63h], al

loc_628805:				; CODE XREF: MiAddingWorkingSetPageShortly(x,x)+Ej
					; MiAddingWorkingSetPageShortly(x,x)+14j ...
		pop	edi
		pop	esi
		retn
_MiAddingWorkingSetPageShortly@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiConfirmPageIsZero(x)
_MiConfirmPageIsZero@4 proc near	; CODE XREF: MiSharePages(x,x,x,x,x)+80Ep
		mov	eax, [ecx+10h]
		push	ebx
		xor	ebx, ebx
		and	eax, 3FFFFFFFh
		inc	ebx
		push	esi
		push	edi
		cmp	eax, ebx
		jnz	short loc_62886A
		cmp	[ecx+14h], bx
		jnz	short loc_62886A
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, ecx
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		push	80000000h
		xor	edx, edx
		mov	ecx, eax
		call	MiMapPageInHyperSpaceWorker
		mov	ecx, eax
		mov	esi, ecx
		lea	edi, [ecx+0FFCh]

loc_628846:				; CODE XREF: MiConfirmPageIsZero(x)+4Cj
		mov	eax, [edi]
		or	eax, [esi]
		jnz	short loc_628856
		add	esi, 4
		sub	edi, 4
		cmp	esi, edi
		jbe	short loc_628846

loc_628856:				; CODE XREF: MiConfirmPageIsZero(x)+42j
		push	80000000h
		mov	dl, 21h
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		cmp	esi, edi
		jbe	short loc_62886A
		mov	eax, ebx
		jmp	short loc_62886C
; 

loc_62886A:				; CODE XREF: MiConfirmPageIsZero(x)+10j
					; MiConfirmPageIsZero(x)+16j ...
		xor	eax, eax

loc_62886C:				; CODE XREF: MiConfirmPageIsZero(x)+60j
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiConfirmPageIsZero@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiEmptyWorkingSet(x, x)
_MiEmptyWorkingSet@8 proc near		; CODE XREF: MmProcessWorkingSetControl+14EE34p
		push	0FFFFFFFFh
		push	0
		call	_MiEmptyWorkingSetInitiate@16 ;	MiEmptyWorkingSetInitiate(x,x,x,x)
		retn
_MiEmptyWorkingSet@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFillPageExtraInfo(x, x, x)
_MiFillPageExtraInfo@12	proc near	; CODE XREF: MiLogAllocateWsleEvent(x,x,x)+40p
					; MiLogRemoveWsleEvent(x,x)+1Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	eax, 0FFFFF000h
		test	edx, edx
		jz	short loc_628897
		cmp	edx, 1
		jnz	short loc_628894
		or	eax, edx
		jmp	short loc_628897
; 

loc_628894:				; CODE XREF: MiFillPageExtraInfo(x,x,x)+14j
		or	eax, 2

loc_628897:				; CODE XREF: MiFillPageExtraInfo(x,x,x)+Fj
					; MiFillPageExtraInfo(x,x,x)+18j
		mov	[ecx], eax
		pop	ebp
		retn	4
_MiFillPageExtraInfo@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogAllocateWsleEvent(x, x, x)
_MiLogAllocateWsleEvent@12 proc	near	; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+9D2p

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_34]
		push	6
		pop	ecx
		xor	eax, eax
		mov	ebx, edx
		rep stosd
		lea	edx, [ebp+var_34]
		mov	ecx, esi
		call	_MiIdentifyPfnWrapper@8	; MiIdentifyPfnWrapper(x,x)
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_6288EB
		push	[ebp+arg_0]
		mov	edx, ebx
		lea	ecx, [ebp+var_24]
		call	_MiFillPageExtraInfo@12	; MiFillPageExtraInfo(x,x,x)
		mov	eax, 282h
		push	18h
		jmp	short loc_6288F2
; 

loc_6288EB:				; CODE XREF: MiLogAllocateWsleEvent(x,x,x)+36j
		mov	eax, 276h
		push	10h

loc_6288F2:				; CODE XREF: MiLogAllocateWsleEvent(x,x,x)+4Cj
		and	[ebp+var_18], 0
		lea	edx, [ebp+var_34]
		and	[ebp+var_10], 0
		pop	ecx
		push	11401B02h
		mov	[ebp+var_1C], edx
		xor	edx, edx
		push	eax
		mov	[ebp+var_14], ecx
		inc	edx
		push	28000001h
		lea	ecx, [ebp+var_1C]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiLogAllocateWsleEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogPerfMemoryEvent(x, x, x, x, x)
_MiLogPerfMemoryEvent@20 proc near	; CODE XREF: MiLogMapFileEvent(x,x)+3Ep
					; MiLogMemResetInfo(x,x,x)+4Dp	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_10], 0
		and	[ebp+var_8], 0
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_8]
		or	eax, 11000200h
		push	eax
		push	ecx
		push	edx
		xor	edx, edx
		lea	ecx, [ebp+var_14]
		inc	edx
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_MiLogPerfMemoryEvent@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogRemoveWsleEvent(x, x)
_MiLogRemoveWsleEvent@8	proc near	; CODE XREF: .text:005B0897p
					; MiRemoveWsleList+104F41p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_18], 0
		push	ecx
		lea	ecx, [ebp+var_18]
		call	_MiFillPageExtraInfo@12	; MiFillPageExtraInfo(x,x,x)
		and	[ebp+var_10], 0
		mov	eax, ecx
		and	[ebp+var_8], 0
		lea	ecx, [ebp+var_14]
		push	11401B02h
		push	283h
		xor	edx, edx
		mov	[ebp+var_14], eax
		push	28000000h
		inc	edx
		mov	[ebp+var_C], 4
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiLogRemoveWsleEvent@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetWsleProtection(x, x, x)
_MiSetWsleProtection@12	proc near	; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+460p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		call	MiLocateWsle
		mov	esi, eax
		mov	edx, edi
		mov	al, [ebp+arg_0]
		mov	ecx, ebx
		shl	al, 4
		xor	al, [esi]
		and	al, 70h
		xor	al, [esi]
		mov	[ebp+arg_0], al
		call	MiLocateWsle
		mov	ecx, eax
		mov	al, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx], al
		pop	ebp
		retn	4
_MiSetWsleProtection@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateWorkingSetPrivateSize(x, x,	x, x)
_MiUpdateWorkingSetPrivateSize@16 proc near
					; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+471p
					; MiDemoteCombinedPte(x,x,x)+231p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	ebx, edx
		stosd
		mov	esi, ecx
		stosd
		stosd
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_628A66
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C80
		jz	short loc_628A39
		lea	eax, [esi+0C0h]

loc_628A39:				; CODE XREF: MiUpdateWorkingSetPrivateSize(x,x,x,x)+2Aj
		and	[ebp+var_C], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_8], eax
		jz	short loc_628A55
		mov	edx, eax
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_628A66
; 

loc_628A55:				; CODE XREF: MiUpdateWorkingSetPrivateSize(x,x,x,x)+40j
		lea	edx, [ebp+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_628A66
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_628A66:				; CODE XREF: MiUpdateWorkingSetPrivateSize(x,x,x,x)+1Cj
					; MiUpdateWorkingSetPrivateSize(x,x,x,x)+4Cj ...
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebx+40000000h]
		add	[esi+4Ch], ecx
		cmp	eax, offset loc_7FFFFF
		jbe	short loc_628A7C
		add	[esi+44h], ecx

loc_628A7C:				; CODE XREF: MiUpdateWorkingSetPrivateSize(x,x,x,x)+70j
		test	edi, edi
		pop	edi
		pop	esi
		pop	ebx
		jnz	short locret_628AC8
		test	ds:byte_70EFC6,	1
		jz	short loc_628A99
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short locret_628AC8
; 

loc_628A99:				; CODE XREF: MiUpdateWorkingSetPrivateSize(x,x,x,x)+83j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_628AB8
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short locret_628AC8
		call	KxWaitForLockChainValid

loc_628AB8:				; CODE XREF: MiUpdateWorkingSetPrivateSize(x,x,x,x)+97j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

locret_628AC8:				; CODE XREF: MiUpdateWorkingSetPrivateSize(x,x,x,x)+7Aj
					; MiUpdateWorkingSetPrivateSize(x,x,x,x)+90j ...
		leave
		retn	8
_MiUpdateWorkingSetPrivateSize@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWorkingSetVeryLarge(x)
_MiWorkingSetVeryLarge@4 proc near	; CODE XREF: .text:005DF87Ap
					; MiAddingWorkingSetPageShortly(x,x)+16p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+0Ch]
		push	ebx
		push	esi
		mov	esi, [ecx+48h]
		mov	ecx, [eax+14h]
		mov	[ebp+var_8], ecx
		push	edi
		cmp	esi, ecx
		jbe	short loc_628B53
		mov	ecx, ds:dword_6D5D88
		mov	ebx, esi
		and	ebx, 3Fh
		jnz	short loc_628B11
		xor	edx, edx
		mov	[ebp+var_4], 14h
		mov	eax, ecx
		mov	edi, ds:dword_6D5E00
		div	[ebp+var_4]
		cmp	edi, eax
		jnb	short loc_628B14
		cmp	esi, eax
		jb	short loc_628B14
		jmp	short loc_628B4E
; 

loc_628B11:				; CODE XREF: MiWorkingSetVeryLarge(x)+25j
		or	edi, 0FFFFFFFFh

loc_628B14:				; CODE XREF: MiWorkingSetVeryLarge(x)+3Dj
					; MiWorkingSetVeryLarge(x)+41j
		sub	esi, [ebp+var_8]
		shr	ecx, 2
		imul	eax, ecx, 3
		cmp	esi, eax
		jb	short loc_628B53
		mov	esi, ds:dword_6D5D40
		xor	edx, edx
		inc	edx
		mov	ecx, offset _MiSystemPartition
		call	_MiGetStandbyRepurposed@8 ; MiGetStandbyRepurposed(x,x)
		cmp	eax, [esi+24h]
		jz	short loc_628B53
		test	ebx, ebx
		jz	short loc_628B43
		mov	edi, ds:dword_6D5E00

loc_628B43:				; CODE XREF: MiWorkingSetVeryLarge(x)+6Fj
		imul	ecx, [esi+4D4h], 0Ah
		cmp	edi, ecx
		jnb	short loc_628B53

loc_628B4E:				; CODE XREF: MiWorkingSetVeryLarge(x)+43j
		xor	eax, eax
		inc	eax
		jmp	short loc_628B55
; 

loc_628B53:				; CODE XREF: MiWorkingSetVeryLarge(x)+18j
					; MiWorkingSetVeryLarge(x)+53j	...
		xor	eax, eax

loc_628B55:				; CODE XREF: MiWorkingSetVeryLarge(x)+85j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiWorkingSetVeryLarge@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddMdlTracker(x, x, x)
_MiAddMdlTracker@12 proc near		; CODE XREF: .text:004651DDp
					; MiProbeAndLockComplete+177703p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	edi
		xor	eax, eax
		mov	[ebp+var_10], edx
		lea	edi, [ebp+var_2C]
		mov	[ebp+var_C], ecx
		stosd
		stosd
		stosd
		mov	edi, ecx
		mov	eax, [edi+8]
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_628B8D
		mov	eax, ds:_PsInitialSystemProcess
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_628DF3

loc_628B8D:				; CODE XREF: MiAddMdlTracker(x,x,x)+21j
		push	ebx
		mov	ebx, [eax+1ECh]
		mov	[ebp+var_4], ebx
		test	ebx, ebx
		jz	loc_628DF2
		cmp	dword ptr [ebx+10h], 0
		jz	loc_628DF2
		push	esi
		mov	ecx, offset unk_6D32C0
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	esi, eax
		mov	[ebp+var_18], esi
		test	esi, esi
		jnz	short loc_628BC5
		and	[ebx+10h], eax
		jmp	loc_628DF1
; 

loc_628BC5:				; CODE XREF: MiAddMdlTracker(x,x,x)+61j
		mov	ecx, [ebp+var_10]
		lea	edx, [edi+1Ch]
		mov	[esi+0Ch], edi
		mov	[esi+14h], ecx
		mov	eax, [edi+10h]
		mov	[esi+10h], eax
		mov	eax, [edi+18h]
		mov	[esi+18h], eax
		mov	eax, [edi+14h]
		mov	[esi+1Ch], eax
		mov	eax, [edx]
		mov	[esi+28h], eax
		mov	eax, ecx
		shl	eax, 2
		mov	[ebp+var_20], eax
		lea	edi, [edx+eax]
		mov	[ebp+var_1C], edi
		cmp	eax, 10h
		jb	loc_628C84
		lea	eax, [edi-10h]
		mov	ebx, 24234428h
		mov	[ebp+var_14], eax
		mov	esi, 85EBCA77h
		xor	edi, edi
		mov	ecx, 61C8864Fh

loc_628C16:				; CODE XREF: MiAddMdlTracker(x,x,x)+109j
		imul	eax, [edx], 7A143589h
		sub	ebx, eax
		imul	eax, [edx+4], 7A143589h
		rol	ebx, 0Dh
		imul	ebx, 9E3779B1h
		sub	esi, eax
		imul	eax, [edx+8], 7A143589h
		rol	esi, 0Dh
		imul	esi, 9E3779B1h
		sub	edi, eax
		imul	eax, [edx+0Ch],	7A143589h
		rol	edi, 0Dh
		add	edx, 10h
		imul	edi, 9E3779B1h
		sub	ecx, eax
		rol	ecx, 0Dh
		imul	ecx, 9E3779B1h
		cmp	edx, [ebp+var_14]
		jbe	short loc_628C16
		mov	eax, [ebp+var_20]
		rol	ecx, 12h
		rol	edi, 0Ch
		add	ecx, edi
		rol	esi, 7
		mov	edi, [ebp+var_1C]
		add	ecx, esi
		mov	esi, [ebp+var_18]
		rol	ebx, 1
		add	ecx, ebx
		mov	ebx, [ebp+var_4]
		jmp	short loc_628C89
; 

loc_628C84:				; CODE XREF: MiAddMdlTracker(x,x,x)+9Fj
		mov	ecx, 165667B1h

loc_628C89:				; CODE XREF: MiAddMdlTracker(x,x,x)+128j
		add	ecx, eax
		lea	eax, [edx+4]
		mov	[ebp+var_20], eax
		cmp	eax, edi
		ja	short loc_628CB4
		mov	ebx, eax

loc_628C97:				; CODE XREF: MiAddMdlTracker(x,x,x)+155j
		imul	eax, [edx], 3D4D51C3h
		mov	edx, ebx
		lea	ebx, [edx+4]
		sub	ecx, eax
		rol	ecx, 11h
		imul	ecx, 27D4EB2Fh
		cmp	ebx, edi
		jbe	short loc_628C97
		mov	ebx, [ebp+var_4]

loc_628CB4:				; CODE XREF: MiAddMdlTracker(x,x,x)+139j
		and	[ebp+var_20], 0
		mov	eax, edi
		sub	eax, edx
		cmp	edi, edx
		sbb	edi, edi
		not	edi
		and	edi, eax
		jbe	short loc_628CE6
		mov	ebx, [ebp+var_20]

loc_628CC9:				; CODE XREF: MiAddMdlTracker(x,x,x)+187j
		movzx	eax, byte ptr [edx]
		imul	eax, 165667B1h
		add	eax, ecx
		rol	eax, 0Bh
		imul	ecx, eax, 9E3779B1h
		inc	edx
		inc	ebx
		cmp	ebx, edi
		jb	short loc_628CC9
		mov	ebx, [ebp+var_4]

loc_628CE6:				; CODE XREF: MiAddMdlTracker(x,x,x)+16Aj
		mov	eax, ecx
		and	[ebp+var_20], 0
		shr	eax, 0Fh
		lea	edx, [esi+2Ch]
		xor	eax, ecx
		mov	edi, edx
		imul	ecx, eax, 85EBCA77h
		push	8
		mov	eax, ecx
		shr	eax, 0Dh
		xor	eax, ecx
		imul	eax, 0C2B2AE3Dh
		mov	ecx, eax
		shr	ecx, 10h
		xor	ecx, eax
		xor	eax, eax
		mov	[esi+24h], ecx
		pop	ecx
		rep stosd
		lea	eax, [ebp+var_20]
		push	eax
		push	edx
		push	8
		push	0
		call	RtlCaptureStackBackTrace
		test	ax, ax
		jnz	short loc_628D3B
		mov	eax, [ebp+4]
		mov	[esi+30h], eax
		call	_MiGetInstructionPointer@0 ; MiGetInstructionPointer()
		mov	[esi+2Ch], eax

loc_628D3B:				; CODE XREF: MiAddMdlTracker(x,x,x)+1D1j
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebx+0Ch]
		mov	[esi+20h], eax
		lea	edx, [ebp+var_2C]
		mov	eax, [ebp+var_8]
		mov	[esi+4Ch], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebx]
		mov	byte ptr [ebp+arg_0], 0
		test	eax, eax
		jz	short loc_628D92
		mov	ecx, [ebp+var_C]

loc_628D5F:				; CODE XREF: MiAddMdlTracker(x,x,x)+221j
		cmp	ecx, [eax+0Ch]
		jb	short loc_628D73
		jbe	short loc_628D7D
		mov	edx, [eax+4]
		test	edx, edx
		jnz	short loc_628D79
		mov	byte ptr [ebp+arg_0], 1
		jmp	short loc_628D92
; 

loc_628D73:				; CODE XREF: MiAddMdlTracker(x,x,x)+208j
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_628D8E

loc_628D79:				; CODE XREF: MiAddMdlTracker(x,x,x)+211j
		mov	eax, edx
		jmp	short loc_628D5F
; 

loc_628D7D:				; CODE XREF: MiAddMdlTracker(x,x,x)+20Aj
		push	dword ptr [ebx+8]
		push	ecx
		push	eax
		push	1
		push	0D9h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_628D8E:				; CODE XREF: MiAddMdlTracker(x,x,x)+21Dj
		mov	byte ptr [ebp+arg_0], 0

loc_628D92:				; CODE XREF: MiAddMdlTracker(x,x,x)+200j
					; MiAddMdlTracker(x,x,x)+217j
		push	esi
		push	[ebp+arg_0]
		push	eax
		push	ebx
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		mov	eax, [ebp+var_10]
		add	[ebx+8], eax
		test	ds:byte_70EFC6,	1
		jz	short loc_628DB9
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_628DE8
; 

loc_628DB9:				; CODE XREF: MiAddMdlTracker(x,x,x)+250j
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	short loc_628DD8
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_2C]
		cmp	eax, ecx
		jz	short loc_628DE8
		call	KxWaitForLockChainValid

loc_628DD8:				; CODE XREF: MiAddMdlTracker(x,x,x)+264j
		xor	ecx, ecx
		mov	[ebp+var_2C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_628DE8:				; CODE XREF: MiAddMdlTracker(x,x,x)+25Dj
					; MiAddMdlTracker(x,x,x)+277j
		mov	cl, [ebp+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_628DF1:				; CODE XREF: MiAddMdlTracker(x,x,x)+66j
		pop	esi

loc_628DF2:				; CODE XREF: MiAddMdlTracker(x,x,x)+3Fj
					; MiAddMdlTracker(x,x,x)+49j
		pop	ebx

loc_628DF3:				; CODE XREF: MiAddMdlTracker(x,x,x)+2Dj
		pop	edi
		leave
		retn	4
_MiAddMdlTracker@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeliverPicoExceptionForProbedPage(x, x)
_MiDeliverPicoExceptionForProbedPage@8 proc near ; CODE	XREF: MiFaultInProbeAddress+DB70Ep

var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	50h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_58]
		push	ebx		; int
		push	eax		; void *
		mov	edi, edx
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_58], 0C0000005h
		mov	[ebp+var_48], 2
		mov	[ebp+var_40], esi
		test	edi, edi
		jz	short loc_628E3E
		mov	[ebp+var_44], 1

loc_628E3E:				; CODE XREF: MiDeliverPicoExceptionForProbedPage(x,x)+3Dj
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_58]
		push	eax
		call	ds:dword_6BEDF0
		mov	ecx, [ebp+var_4]
		movzx	eax, al
		neg	eax
		pop	edi
		sbb	eax, eax
		xor	ecx, ebp
		and	eax, 3FFFFFFBh
		pop	esi
		add	eax, 0C0000005h
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiDeliverPicoExceptionForProbedPage@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeMdlTracker(x,	x)
_MiFreeMdlTracker@8 proc near		; CODE XREF: .text:0047A194p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_C], edx
		lea	edi, [ebp+var_18]
		mov	[ebp+var_8], ecx
		stosd
		xor	esi, esi
		inc	esi
		stosd
		stosd
		mov	edi, [ecx+8]
		test	edi, edi
		jnz	short loc_628E9D
		mov	edi, ds:_PsInitialSystemProcess
		test	edi, edi
		jz	loc_628F75

loc_628E9D:				; CODE XREF: MiFreeMdlTracker(x,x)+21j
		mov	ebx, [edi+1ECh]
		test	ebx, ebx
		jz	loc_628F75
		xor	eax, eax
		lea	ecx, [ebx+0Ch]
		lea	edx, [ebp+var_18]
		mov	[ebp+var_4], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, [ebx]
		test	esi, esi
		jz	short loc_628EF5
		mov	ecx, [ebp+var_8]

loc_628EC4:				; CODE XREF: MiFreeMdlTracker(x,x)+68j
		cmp	ecx, [esi+0Ch]
		jb	short loc_628ED0
		jbe	short loc_628ED8
		mov	esi, [esi+4]
		jmp	short loc_628ED2
; 

loc_628ED0:				; CODE XREF: MiFreeMdlTracker(x,x)+5Bj
		mov	esi, [esi]

loc_628ED2:				; CODE XREF: MiFreeMdlTracker(x,x)+62j
		test	esi, esi
		jnz	short loc_628EC4
		jmp	short loc_628EF5
; 

loc_628ED8:				; CODE XREF: MiFreeMdlTracker(x,x)+5Dj
		test	esi, esi
		jz	short loc_628EF5
		xor	edx, edx
		mov	[ebp+var_4], esi
		mov	ecx, esi
		call	_MiValidateMdlTracker@8	; MiValidateMdlTracker(x,x)
		push	esi
		push	ebx
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	eax, [ebp+var_C]
		sub	[ebx+8], eax

loc_628EF5:				; CODE XREF: MiFreeMdlTracker(x,x)+53j
					; MiFreeMdlTracker(x,x)+6Aj ...
		test	ds:byte_70EFC6,	1
		jz	short loc_628F38
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_628F09:				; CODE XREF: MiFreeMdlTracker(x,x)+E4j
		xor	esi, esi
		inc	esi

loc_628F0C:				; CODE XREF: MiFreeMdlTracker(x,x)+FBj
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	short loc_628F69
		cmp	[ebx+10h], eax
		jz	short loc_628F75
		push	dword ptr [edi+1ECh]
		push	dword ptr [edi+150h]
		push	[ebp+var_8]
		push	esi
		push	76h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_628F38:				; CODE XREF: MiFreeMdlTracker(x,x)+90j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_628F57
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	short loc_628F09
		call	KxWaitForLockChainValid

loc_628F57:				; CODE XREF: MiFreeMdlTracker(x,x)+D1j
		xor	esi, esi
		mov	[ebp+var_18], 0
		add	eax, 4
		inc	esi
		lock xor [eax],	esi
		jmp	short loc_628F0C
; 

loc_628F69:				; CODE XREF: MiFreeMdlTracker(x,x)+AEj
		mov	edx, eax
		mov	ecx, offset unk_6D32C0
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)

loc_628F75:				; CODE XREF: MiFreeMdlTracker(x,x)+2Bj
					; MiFreeMdlTracker(x,x)+39j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_MiFreeMdlTracker@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockSwitchedMdlTrackerCompare(x, x)
_MiLockSwitchedMdlTrackerCompare@8 proc	near
					; DATA XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+B1o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+28h]
		cmp	eax, [ebp+arg_0]
		jbe	short loc_628F91
		or	eax, 0FFFFFFFFh
		jmp	short loc_628F95
; 

loc_628F91:				; CODE XREF: MiLockSwitchedMdlTrackerCompare(x,x)+Ej
		sbb	eax, eax
		neg	eax

loc_628F95:				; CODE XREF: MiLockSwitchedMdlTrackerCompare(x,x)+13j
		pop	ebp
		retn	8
_MiLockSwitchedMdlTrackerCompare@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockTrackerCompare(x, x)
_MiLockTrackerCompare@8	proc near	; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+138p
					; PspJobIoRateVolumeEntryInsert(x,x)+53p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+0Ch]
		cmp	eax, [ebp+arg_0]
		jbe	short loc_628FAE
		or	eax, 0FFFFFFFFh
		jmp	short loc_628FB2
; 

loc_628FAE:				; CODE XREF: MiLockTrackerCompare(x,x)+Ej
		sbb	eax, eax
		neg	eax

loc_628FB2:				; CODE XREF: MiLockTrackerCompare(x,x)+13j
		pop	ebp
		retn	8
_MiLockTrackerCompare@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRetardMdl(x)
_MiRetardMdl@4	proc near		; CODE XREF: .text:0044910Dp
					; MiFreePagesFromMdl(x,x)+3Dp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edx, [esi+18h]
		lea	ebx, [esi+1Ch]
		add	edx, [esi+10h]
		mov	eax, [esi+14h]
		and	edx, 0FFFh
		add	eax, 0FFFh
		add	eax, edx
		shr	eax, 0Ch
		xor	edx, edx
		lea	edi, [ebx+eax*4]

loc_628FE3:				; CODE XREF: MiRetardMdl(x)+5Dj
		mov	ecx, [edi]
		lea	eax, [edi+4]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], eax
		cmp	edi, ebx
		jz	short loc_629001

loc_628FF2:				; CODE XREF: MiRetardMdl(x)+46j
		mov	eax, [edi-4]
		mov	[edi], eax
		add	edi, 0FFFFFFFCh
		cmp	edi, ebx
		jnz	short loc_628FF2
		mov	ecx, [ebp+var_4]

loc_629001:				; CODE XREF: MiRetardMdl(x)+3Aj
		mov	eax, ecx
		add	ebx, 4
		and	eax, 7FFFFFFFh
		inc	edx
		mov	[edi], eax
		mov	edi, [ebp+var_8]
		test	ecx, ecx
		jns	short loc_628FE3
		movzx	eax, word ptr [esi+6]
		shl	edx, 0Ch
		add	[esi+14h], edx
		sub	[esi+10h], edx
		test	al, 1
		jz	short loc_629029
		sub	[esi+0Ch], edx

loc_629029:				; CODE XREF: MiRetardMdl(x)+6Ej
		and	eax, 0FFFFFDFFh
		pop	edi
		mov	[esi+6], ax
		mov	eax, edx
		pop	esi
		pop	ebx
		leave
		retn
_MiRetardMdl@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSplitReducedCommitClonePage(x)
_MiSplitReducedCommitClonePage@4 proc near ; CODE XREF:	MiProbeLeafPteAccess(x,x)+4D1p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [esi]
		call	_MiProcessCommitIntact@4 ; MiProcessCommitIntact(x)
		test	eax, eax
		jnz	short loc_62905F
		mov	eax, 0C0000005h
		jmp	loc_6291EA
; 

loc_62905F:				; CODE XREF: MiSplitReducedCommitClonePage(x)+1Aj
		mov	ecx, esi
		call	_MiUnlockProbePacketWorkingSet@4 ; MiUnlockProbePacketWorkingSet(x)
		mov	edi, [esi]
		xor	ebx, ebx
		mov	eax, large fs:124h
		inc	ebx
		mov	ecx, [esi+34h]
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		mov	[ebp+var_C], ebx
		sub	edi, 40000000h
		mov	[ebp+var_10], eax
		dec	word ptr [eax+13Eh]
		nop
		add	ecx, 138h
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi+34h]
		mov	edx, ebx
		call	MiChargeFullProcessCommitment
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_6290E1
		mov	edi, [esi+34h]
		or	edx, 0FFFFFFFFh
		add	edi, 138h
		lock xadd [edi], edx
		and	dl, 6
		cmp	dl, 2
		jnz	short loc_6290CD
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_6290CD:				; CODE XREF: MiSplitReducedCommitClonePage(x)+8Bj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_10]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_6291E1
; 

loc_6290E1:				; CODE XREF: MiSplitReducedCommitClonePage(x)+73j
		mov	ecx, esi
		call	_MiLockProbePacketWorkingSet@4 ; MiLockProbePacketWorkingSet(x)
		mov	ecx, [esi+3Ch]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, edi
		call	MiLockLowestValidPageTable
		mov	[esi+10h], eax
		mov	eax, [ebp+var_4]
		cmp	eax, edi
		jnz	loc_62918D
		mov	ecx, [eax]
		nop
		mov	edx, [eax+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_62918D
		nop
		shrd	ecx, edx, 0Ch
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_62918D
		test	dword ptr [ecx+18h], 800000h
		jnz	short loc_629143
		mov	eax, [ecx+4]
		test	eax, eax
		js	short loc_629143
		jnz	short loc_62918D

loc_629143:				; CODE XREF: MiSplitReducedCommitClonePage(x)+FFj
					; MiSplitReducedCommitClonePage(x)+106j
		mov	edx, [ecx+4]
		mov	eax, [esi+34h]
		or	edx, 80000000h
		mov	ecx, eax
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		test	eax, eax
		jz	short loc_62918D
		mov	ecx, [ecx+24Ch]
		push	dword ptr [ecx+8Ch]
		push	dword ptr [ecx+88h]
		mov	ecx, eax
		call	_MI_IS_CLONE_COMMIT_CHARGED@12 ; MI_IS_CLONE_COMMIT_CHARGED(x,x,x)
		test	eax, eax
		jnz	short loc_62918D
		mov	ecx, [esi]
		mov	edx, edi
		push	eax
		push	0FFFFFFFFh
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_62918D
		and	[ebp+var_C], 0

loc_62918D:				; CODE XREF: MiSplitReducedCommitClonePage(x)+C5j
					; MiSplitReducedCommitClonePage(x)+D9j	...
		mov	ecx, esi
		call	_MiUnlockProbePacketWorkingSet@4 ; MiUnlockProbePacketWorkingSet(x)
		cmp	[ebp+var_C], 0
		jz	short loc_6291A5
		mov	ecx, [esi+34h]
		xor	edx, edx
		inc	edx
		call	_MiReturnFullProcessCommitment@8 ; MiReturnFullProcessCommitment(x,x)

loc_6291A5:				; CODE XREF: MiSplitReducedCommitClonePage(x)+15Fj
		mov	edi, [esi+34h]
		or	eax, 0FFFFFFFFh
		add	edi, 138h
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_6291C2
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_6291C2:				; CODE XREF: MiSplitReducedCommitClonePage(x)+180j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_10]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	ebx, ebx
		jns	short loc_6291DF
		mov	ecx, [esi+3Ch]
		mov	edx, ebx
		call	MiCopyOnWriteCheckConditions

loc_6291DF:				; CODE XREF: MiSplitReducedCommitClonePage(x)+19Aj
		xor	ebx, ebx

loc_6291E1:				; CODE XREF: MiSplitReducedCommitClonePage(x)+A3j
		mov	ecx, esi
		call	_MiLockProbePacketWorkingSet@4 ; MiLockProbePacketWorkingSet(x)
		mov	eax, ebx

loc_6291EA:				; CODE XREF: MiSplitReducedCommitClonePage(x)+21j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiSplitReducedCommitClonePage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiValidateMdlTracker(x, x)
_MiValidateMdlTracker@8	proc near	; CODE XREF: MiFreeMdlTracker(x,x)+77p
					; MmUpdateMdlTrackerForMdlSwitch(x,x)+92p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	[ebp+var_14], ebx
		mov	edi, [ebx+0Ch]
		mov	eax, [ebx+14h]
		mov	[ebp+var_C], edi
		mov	esi, [edi+18h]
		add	esi, [edi+10h]
		mov	ecx, [edi+14h]
		and	esi, 0FFFh
		add	ecx, 0FFFh
		add	ecx, esi
		shr	ecx, 0Ch
		cmp	eax, ecx
		jz	short loc_62923A
		shl	eax, 10h
		or	eax, ecx
		push	eax
		push	ebx
		push	edi
		push	5

loc_629233:				; CODE XREF: MiValidateMdlTracker(x,x)+64j
					; MiValidateMdlTracker(x,x)+1A6j
		push	76h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_62923A:				; CODE XREF: MiValidateMdlTracker(x,x)+38j
		mov	edx, [ebx+28h]
		lea	esi, [edi+1Ch]
		mov	eax, [esi]
		mov	[ebp+var_8], edx
		cmp	edx, eax
		jz	short loc_629255
		shl	edx, 10h
		or	edx, eax
		push	edx
		push	ebx
		push	edi
		push	6
		jmp	short loc_629233
; 

loc_629255:				; CODE XREF: MiValidateMdlTracker(x,x)+58j
		cmp	[ebp+var_4], 0
		jz	loc_62939A
		shl	ecx, 2
		mov	[ebp+var_18], ecx
		lea	eax, [esi+ecx]
		mov	[ebp+var_4], eax
		cmp	ecx, 10h
		jb	loc_6292F6
		add	eax, 0FFFFFFF0h
		mov	edi, 24234428h
		mov	[ebp+var_10], eax
		mov	edx, 85EBCA77h
		xor	ebx, ebx
		mov	ecx, 61C8864Fh

loc_62928B:				; CODE XREF: MiValidateMdlTracker(x,x)+E9j
		imul	eax, [esi], 7A143589h
		sub	edi, eax
		imul	eax, [esi+4], 7A143589h
		rol	edi, 0Dh
		imul	edi, 9E3779B1h
		sub	edx, eax
		imul	eax, [esi+8], 7A143589h
		rol	edx, 0Dh
		imul	edx, 9E3779B1h
		sub	ebx, eax
		imul	eax, [esi+0Ch],	7A143589h
		rol	ebx, 0Dh
		add	esi, 10h
		imul	ebx, 9E3779B1h
		sub	ecx, eax
		rol	ecx, 0Dh
		imul	ecx, 9E3779B1h
		cmp	esi, [ebp+var_10]
		jbe	short loc_62928B
		mov	eax, [ebp+var_4]
		rol	ecx, 12h
		rol	ebx, 0Ch
		add	ecx, ebx
		rol	edx, 7
		mov	ebx, [ebp+var_14]
		add	ecx, edx
		mov	edx, [ebp+var_8]
		rol	edi, 1
		add	ecx, edi
		jmp	short loc_6292FB
; 

loc_6292F6:				; CODE XREF: MiValidateMdlTracker(x,x)+7Fj
		mov	ecx, 165667B1h

loc_6292FB:				; CODE XREF: MiValidateMdlTracker(x,x)+105j
		add	ecx, [ebp+var_18]
		lea	edi, [esi+4]
		mov	[ebp+var_18], edi
		cmp	edi, eax
		ja	short loc_62932D
		mov	edi, [ebp+var_4]
		mov	edx, [ebp+var_18]

loc_62930E:				; CODE XREF: MiValidateMdlTracker(x,x)+137j
		imul	eax, [esi], 3D4D51C3h
		mov	esi, edx
		lea	edx, [esi+4]
		sub	ecx, eax
		rol	ecx, 11h
		imul	ecx, 27D4EB2Fh
		cmp	edx, edi
		jbe	short loc_62930E
		mov	edx, [ebp+var_8]
		mov	eax, edi

loc_62932D:				; CODE XREF: MiValidateMdlTracker(x,x)+117j
		sub	eax, esi
		cmp	[ebp+var_4], esi
		sbb	edi, edi
		not	edi
		and	edi, eax
		mov	[ebp+var_18], edi
		mov	edi, [ebp+var_C]
		jbe	short loc_629365
		mov	edi, [ebp+var_18]
		xor	edx, edx

loc_629345:				; CODE XREF: MiValidateMdlTracker(x,x)+16Ej
		movzx	eax, byte ptr [esi]
		imul	eax, 165667B1h
		add	eax, ecx
		rol	eax, 0Bh
		imul	ecx, eax, 9E3779B1h
		inc	esi
		inc	edx
		cmp	edx, edi
		jb	short loc_629345
		mov	edx, [ebp+var_8]
		mov	edi, [ebp+var_C]

loc_629365:				; CODE XREF: MiValidateMdlTracker(x,x)+14Fj
		mov	eax, ecx
		shr	eax, 0Fh
		xor	eax, ecx
		imul	ecx, eax, 85EBCA77h
		mov	eax, ecx
		shr	eax, 0Dh
		xor	eax, ecx
		imul	eax, 0C2B2AE3Dh
		mov	ecx, eax
		shr	ecx, 10h
		xor	ecx, eax
		cmp	[ebx+24h], ecx
		jz	short loc_62939A
		shl	edx, 10h
		or	edx, ecx
		push	edx
		push	ebx
		push	edi
		push	7
		jmp	loc_629233
; 

loc_62939A:				; CODE XREF: MiValidateMdlTracker(x,x)+6Aj
					; MiValidateMdlTracker(x,x)+19Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiValidateMdlTracker@8	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1367. MmAdvanceMdl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAdvanceMdl(x, x)
		public _MmAdvanceMdl@8
_MmAdvanceMdl@8	proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		cmp	esi, [edx+14h]
		jb	short loc_6293C1
		mov	eax, 0C00000F0h
		jmp	loc_6294FB
; 

loc_6293C1:				; CODE XREF: MmAdvanceMdl(x,x)+11j
		xor	eax, eax
		inc	eax
		mov	ds:byte_6D34D8,	al
		mov	ecx, [edx+14h]
		push	ebx
		mov	ebx, [edx+10h]
		mov	[ebp+var_8], eax
		mov	eax, [edx+18h]
		mov	[ebp+var_4], eax
		add	eax, ebx
		mov	[ebp+arg_4], ebx
		and	eax, 0FFFh
		lea	ebx, [ecx+0FFFh]
		add	ebx, eax
		mov	eax, [ebp+var_4]
		push	edi
		xor	edi, edi
		shr	ebx, 0Ch
		test	eax, eax
		jz	short loc_629459
		mov	edi, 1000h
		sub	edi, eax
		mov	ax, [edx+6]
		and	ax, word ptr [ebp+var_8]
		movzx	eax, ax
		mov	[ebp+var_8], eax
		cmp	esi, edi
		jnb	short loc_629431
		mov	eax, [ebp+var_4]
		sub	ecx, esi
		add	eax, esi
		mov	[edx+14h], ecx
		cmp	word ptr [ebp+var_8], 0
		mov	[edx+18h], eax
		jz	loc_6294F7
		add	[edx+0Ch], esi
		jmp	loc_6294F7
; 

loc_629431:				; CODE XREF: MmAdvanceMdl(x,x)+6Bj
		mov	eax, [ebp+arg_4]
		sub	ecx, edi
		and	dword ptr [edx+18h], 0
		add	eax, 1000h
		sub	esi, edi
		mov	[ebp+arg_4], eax
		cmp	word ptr [ebp+var_8], 0
		mov	[edx+10h], eax
		mov	[edx+14h], ecx
		jz	short loc_629454
		add	[edx+0Ch], edi

loc_629454:				; CODE XREF: MmAdvanceMdl(x,x)+ABj
		xor	eax, eax
		lea	edi, [eax+1]

loc_629459:				; CODE XREF: MmAdvanceMdl(x,x)+52j
		test	esi, esi
		jz	short loc_629487
		sub	ecx, esi
		mov	eax, esi
		and	eax, 0FFFh
		mov	[edx+14h], ecx
		mov	ecx, esi
		mov	[edx+18h], eax
		shr	ecx, 0Ch
		mov	eax, ecx
		add	edi, ecx
		shl	eax, 0Ch
		add	eax, [ebp+arg_4]
		test	byte ptr [edx+6], 1
		mov	[edx+10h], eax
		jz	short loc_629487
		add	[edx+0Ch], esi

loc_629487:				; CODE XREF: MmAdvanceMdl(x,x)+B7j
					; MmAdvanceMdl(x,x)+DEj
		test	edi, edi
		jz	short loc_6294F7
		mov	esi, 200h
		test	[edx+6], si
		jz	short loc_6294A6
		lea	ecx, [edx+1Ch]
		lea	ecx, [ecx+ebx*4]

loc_62949C:				; CODE XREF: MmAdvanceMdl(x,x)+100j
		mov	eax, [ecx]
		inc	ebx
		lea	ecx, [ecx+4]
		test	eax, eax
		jns	short loc_62949C

loc_6294A6:				; CODE XREF: MmAdvanceMdl(x,x)+F0j
		test	edi, edi
		jz	short loc_6294E9
		lea	eax, [edx+1Ch]
		mov	[ebp+arg_4], eax

loc_6294B0:				; CODE XREF: MmAdvanceMdl(x,x)+13Bj
		mov	ecx, eax
		xor	esi, esi
		mov	edx, [ecx]
		test	ebx, ebx
		jz	short loc_6294DC

loc_6294BA:				; CODE XREF: MmAdvanceMdl(x,x)+133j
		inc	esi
		cmp	esi, ebx
		jz	short loc_6294C9
		mov	eax, [ecx+4]
		and	eax, 7FFFFFFFh
		jmp	short loc_6294D0
; 

loc_6294C9:				; CODE XREF: MmAdvanceMdl(x,x)+119j
		mov	eax, edx
		or	eax, 80000000h

loc_6294D0:				; CODE XREF: MmAdvanceMdl(x,x)+123j
		mov	[ecx], eax
		add	ecx, 4
		cmp	esi, ebx
		jb	short loc_6294BA
		mov	eax, [ebp+arg_4]

loc_6294DC:				; CODE XREF: MmAdvanceMdl(x,x)+114j
		sub	edi, 1
		jnz	short loc_6294B0
		mov	edx, [ebp+arg_0]
		mov	esi, 200h

loc_6294E9:				; CODE XREF: MmAdvanceMdl(x,x)+104j
		movzx	eax, word ptr [edx+6]
		test	eax, esi
		jnz	short loc_6294F7
		or	eax, esi
		mov	[edx+6], ax

loc_6294F7:				; CODE XREF: MmAdvanceMdl(x,x)+7Fj
					; MmAdvanceMdl(x,x)+88j ...
		pop	edi
		xor	eax, eax
		pop	ebx

loc_6294FB:				; CODE XREF: MmAdvanceMdl(x,x)+18j
		pop	esi
		leave
		retn	8
_MmAdvanceMdl@8	endp


;  S U B	R O U T	I N E 


; __stdcall MmProbeAndLockPagesPrivate(x, x)
_MmProbeAndLockPagesPrivate@8 proc near	; CODE XREF: sub_A1AF61+3Fp
					; sub_A1CBC6+D6p ...
		push	3
		mov	dl, 1
		call	_MiProbeAndLockPages@12	; MiProbeAndLockPages(x,x,x)
		retn
_MmProbeAndLockPagesPrivate@8 endp ; sp	= -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmUpdateMdlTracker(x, x, x)
_MmUpdateMdlTracker@12 proc near	; CODE XREF: sub_4F0630+DFA1Cp
					; IopProbeAndLockPages+D3E62p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], edx
		lea	edi, [ebp+var_10]
		mov	ebx, ecx
		stosd
		mov	esi, [ebx+8]
		stosd
		stosd
		test	esi, esi
		jnz	short loc_62952F
		mov	esi, ds:_PsInitialSystemProcess

loc_62952F:				; CODE XREF: MmUpdateMdlTracker(x,x,x)+1Dj
		mov	esi, [esi+1ECh]
		test	esi, esi
		jz	loc_6295D2
		lea	ecx, [esi+0Ch]
		lea	edx, [ebp+var_10]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)

loc_629548:				; CODE XREF: MmUpdateMdlTracker(x,x,x)+47j
		mov	esi, [esi]

loc_62954A:				; CODE XREF: MmUpdateMdlTracker(x,x,x)+4Ej
		test	esi, esi
		jz	short loc_62957C
		cmp	ebx, [esi+0Ch]
		jb	short loc_629548
		jbe	short loc_62955A
		mov	esi, [esi+4]
		jmp	short loc_62954A
; 

loc_62955A:				; CODE XREF: MmUpdateMdlTracker(x,x,x)+49j
		test	esi, esi
		jz	short loc_62957C
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_62956C
		test	eax, eax
		jz	short loc_62957C

loc_62956C:				; CODE XREF: MmUpdateMdlTracker(x,x,x)+5Cj
		mov	[esi+2Ch], ecx
		lea	edi, [esi+34h]
		mov	[esi+30h], eax
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd

loc_62957C:				; CODE XREF: MmUpdateMdlTracker(x,x,x)+42j
					; MmUpdateMdlTracker(x,x,x)+52j ...
		xor	edi, edi
		inc	edi
		test	ds:byte_70EFC6,	1
		jz	short loc_629595
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6295C1
; 

loc_629595:				; CODE XREF: MmUpdateMdlTracker(x,x,x)+7Cj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_6295B4
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jz	short loc_6295C1
		call	KxWaitForLockChainValid

loc_6295B4:				; CODE XREF: MmUpdateMdlTracker(x,x,x)+90j
		mov	[ebp+var_10], 0
		lea	ecx, [eax+4]
		lock xor [ecx],	edi

loc_6295C1:				; CODE XREF: MmUpdateMdlTracker(x,x,x)+89j
					; MmUpdateMdlTracker(x,x,x)+A3j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_6295D2
		mov	eax, edi
		jmp	short loc_6295D4
; 

loc_6295D2:				; CODE XREF: MmUpdateMdlTracker(x,x,x)+2Dj
					; MmUpdateMdlTracker(x,x,x)+C2j
		xor	eax, eax

loc_6295D4:				; CODE XREF: MmUpdateMdlTracker(x,x,x)+C6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MmUpdateMdlTracker@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmUpdateMdlTrackerForMdlSwitch(x, x)
_MmUpdateMdlTrackerForMdlSwitch@8 proc near ; CODE XREF: VmProbeAndLockPages(x,x,x)+71p
					; VmUnlockPages(x,x)+46p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	edi
		xor	eax, eax
		mov	[ebp+var_14], edx
		test	byte ptr ds:_MmTrackLockedPages, 1
		lea	edi, [ebp+var_20]
		stosd
		mov	ebx, ecx
		stosd
		stosd
		jz	loc_6297BB
		mov	edi, [ebx+8]
		test	edi, edi
		jnz	short loc_62960C
		mov	edi, ds:_PsInitialSystemProcess

loc_62960C:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+29j
		push	esi
		mov	esi, [edi+1ECh]
		mov	[ebp+var_4], esi
		test	esi, esi
		jz	loc_6297BA
		lea	ecx, [esi+0Ch]
		lea	edx, [ebp+var_20]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	edx, edx
		inc	edx
		cmp	[ebp+var_14], 0
		jz	short loc_629696

loc_629632:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+83j
		mov	esi, [esi]

loc_629634:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+8Aj
		test	esi, esi
		jnz	short loc_62965B

loc_629638:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+8Ej
		mov	eax, [ebp+var_4]
		cmp	dword ptr [eax+10h], 0
		jz	loc_62976C
		push	dword ptr [edi+1ECh]
		push	dword ptr [edi+150h]
		push	ebx
		push	8

loc_629654:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+F8j
		push	76h

loc_629656:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+18Cj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_62965B:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+5Bj
		cmp	ebx, [esi+0Ch]
		jb	short loc_629632
		jbe	short loc_629667
		mov	esi, [esi+4]
		jmp	short loc_629634
; 

loc_629667:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+85j
		test	esi, esi
		jz	short loc_629638
		mov	ecx, esi
		call	_MiValidateMdlTracker@8	; MiValidateMdlTracker(x,x)
		mov	edi, [ebp+var_4]
		and	dword ptr [esi+0Ch], 7FFFFFFFh
		push	esi
		push	edi
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	edx, [ebx+1Ch]
		lea	eax, [edi+4]
		mov	[ebp+var_14], eax
		mov	ecx, offset _MiLockSwitchedMdlTrackerCompare@8 ; MiLockSwitchedMdlTrackerCompare(x,x)
		mov	[ebp+var_10], edx
		jmp	short loc_629701
; 

loc_629696:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+55j
		lea	eax, [esi+4]
		mov	esi, [eax]
		mov	[ebp+var_14], eax
		test	esi, esi
		jz	short loc_6296B7
		mov	ecx, [ebx+1Ch]

loc_6296A5:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+DAj
		cmp	ecx, [esi+28h]
		jb	short loc_6296B1
		jbe	short loc_6296D8
		mov	esi, [esi+4]
		jmp	short loc_6296B3
; 

loc_6296B1:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+CDj
		mov	esi, [esi]

loc_6296B3:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+D4j
		test	esi, esi
		jnz	short loc_6296A5

loc_6296B7:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+C5j
					; MmUpdateMdlTrackerForMdlSwitch(x,x)+FFj
		mov	eax, [ebp+var_4]
		cmp	dword ptr [eax+10h], 0
		jz	loc_62976C
		push	dword ptr [edi+1ECh]
		push	dword ptr [edi+150h]
		push	ebx
		push	9
		jmp	loc_629654
; 

loc_6296D8:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+CFj
		test	esi, esi
		jz	short loc_6296B7
		mov	ecx, esi
		mov	[esi+0Ch], ebx
		call	_MiValidateMdlTracker@8	; MiValidateMdlTracker(x,x)
		push	esi
		push	[ebp+var_14]
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	edi, [ebp+var_4]
		mov	ecx, offset _MiLockTrackerCompare@8 ; MiLockTrackerCompare(x,x)
		mov	eax, edi
		mov	[ebp+var_14], edi
		mov	edx, ebx
		mov	[ebp+var_10], ebx

loc_629701:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+B9j
		mov	eax, [eax]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], eax
		mov	byte ptr [ebp+var_8], 0
		test	eax, eax
		jz	short loc_629747

loc_629711:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+166j
		push	eax
		push	edx
		call	ecx ; MiLockTrackerCompare(x,x)	; MiLockTrackerCompare(x,x)
		test	eax, eax
		jle	short loc_62972B
		mov	eax, [ebp+var_4]
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_629736
		xor	ebx, ebx
		inc	ebx
		mov	byte ptr [ebp+var_8], bl
		jmp	short loc_62974A
; 

loc_62972B:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+13Cj
		jns	short loc_629759
		mov	eax, [ebp+var_4]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_629743

loc_629736:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+146j
		mov	edx, [ebp+var_10]
		mov	eax, ecx
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+var_C]
		jmp	short loc_629711
; 

loc_629743:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+159j
		mov	byte ptr [ebp+var_8], 0

loc_629747:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+134j
		xor	ebx, ebx
		inc	ebx

loc_62974A:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+14Ej
		push	esi
		push	[ebp+var_8]
		push	eax
		push	[ebp+var_14]
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		jmp	short loc_62976F
; 

loc_629759:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x):loc_62972Bj
		push	dword ptr [edi+8]
		push	ebx
		push	[ebp+var_4]
		push	2
		push	0D9h
		jmp	loc_629656
; 

loc_62976C:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+64j
					; MmUpdateMdlTrackerForMdlSwitch(x,x)+E3j
		xor	ebx, ebx
		inc	ebx

loc_62976F:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+17Cj
		test	ds:byte_70EFC6,	1
		jz	short loc_629785
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_20]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6297B1
; 

loc_629785:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+19Bj
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_6297A4
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_20]
		cmp	eax, ecx
		jz	short loc_6297B1
		call	KxWaitForLockChainValid

loc_6297A4:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+1AFj
		mov	[ebp+var_20], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_6297B1:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+1A8j
					; MmUpdateMdlTrackerForMdlSwitch(x,x)+1C2j
		mov	cl, [ebp+var_18]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_6297BA:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+3Dj
		pop	esi

loc_6297BB:				; CODE XREF: MmUpdateMdlTrackerForMdlSwitch(x,x)+1Ej
		pop	edi
		pop	ebx
		leave
		retn
_MmUpdateMdlTrackerForMdlSwitch@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogPerfMemoryRangeEvent(x, x, x, x)
_MiLogPerfMemoryRangeEvent@16 proc near	; CODE XREF: MiDeleteVad(x,x,x)+104Ep
					; MiCommitPoolMemory+1135FAp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, eax
		mov	ebx, edx
		not	esi
		shr	eax, 1
		and	esi, 1
		and	eax, 0Fh
		push	edi
		or	esi, 278h
		xor	edx, edx
		xor	edi, edi
		cmp	eax, 0Dh
		jnz	short loc_6297FD
		mov	edx, ebx
		shld	edi, edx, 4
		shl	edx, 4

loc_6297FD:				; CODE XREF: MiLogPerfMemoryRangeEvent(x,x,x,x)+33j
		and	[ebp+var_14], 0
		or	eax, edx
		and	[ebp+var_C], 0
		xor	edx, edx
		mov	[ebp+var_20], ecx
		inc	edx
		xor	ecx, ecx
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_4]
		or	ecx, edi
		push	11401B02h
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_28]
		push	esi
		mov	[ebp+var_24], ecx
		lea	ecx, [ebp+var_18]
		push	20000001h
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], 10h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_MiLogPerfMemoryRangeEvent@16 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 1368. MmAllocateContiguousMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAllocateContiguousMemory(x, x, x)
		public _MmAllocateContiguousMemory@12
_MmAllocateContiguousMemory@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_8]
		shrd	ecx, eax, 0Ch
		mov	eax, ds:dword_6D07B0
		cmp	ecx, eax
		jbe	short loc_62986D
		mov	ecx, eax

loc_62986D:				; CODE XREF: MmAllocateContiguousMemory(x,x,x)+16j
		push	ecx
		push	80000000h
		push	6
		push	0
		push	ecx
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	MiAllocateContiguousMemory
		pop	ebp
		retn	0Ch
_MmAllocateContiguousMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnmapMdlCommon(x,	x, x, x, x)
_MiUnmapMdlCommon@20 proc near		; CODE XREF: MmUnmapReservedMapping(x,x,x)+F1p

var_D2		= byte ptr -0D2h
var_D1		= byte ptr -0D1h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0D4h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+0D4h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		lea	eax, [esp+0DCh+var_A0]
		push	edi
		push	98h		; size_t
		mov	ebx, ecx
		mov	[esp+0E4h+var_B8], esi
		push	0		; int
		push	eax		; void *
		mov	[esp+0ECh+var_B4], ebx
		call	_memset
		mov	eax, [ebp+arg_4]
		mov	edx, offset loc_7FFFF8
		and	[esp+0ECh+var_8C], 0
		mov	ecx, 40000000h
		shr	ebx, 9
		add	eax, 1Ch
		and	ebx, edx
		mov	[esp+0ECh+var_C8], eax
		sub	ebx, ecx
		mov	[esp+0ECh+var_98], 21h
		mov	edi, ebx
		mov	[esp+0ECh+var_C0], ebx
		shr	edi, 9
		add	esp, 0Ch
		and	edi, edx
		sub	edi, ecx
		lea	eax, [ebx+esi*8]
		mov	[esp+0E0h+var_BC], eax
		mov	[esp+0E0h+var_D0], edi
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		and	ecx, 80h
		or	ecx, 0
		mov	[esp+0E0h+var_A4], eax
		jz	short loc_629967
		push	offset unk_6D340C
		call	ExAcquireSpinLockExclusive
		mov	edx, ds:dword_6D3414
		mov	ecx, esi
		mov	[esp+0E0h+var_D1], al
		mov	[esp+0E0h+var_CC], edx
		shr	ecx, 9
		jmp	short loc_62993C
; 

loc_62993A:				; CODE XREF: MiUnmapMdlCommon(x,x,x,x,x)+B9j
		mov	edx, [edx]

loc_62993C:				; CODE XREF: MiUnmapMdlCommon(x,x,x,x,x)+B2j
		sub	ecx, 1
		jnz	short loc_62993A
		mov	eax, [edx]
		mov	ds:dword_6D3414, eax
		and	[edx], ecx
		push	offset unk_6D340C
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+0E0h+var_D1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [esp+0E0h+var_CC]
		jmp	loc_629A9D
; 

loc_629967:				; CODE XREF: MiUnmapMdlCommon(x,x,x,x,x)+93j
		xor	esi, esi
		jmp	loc_629A9D
; 

loc_62996E:				; CODE XREF: MiUnmapMdlCommon(x,x,x,x,x)+21Bj
		test	esi, esi
		jz	loc_629A55
		and	[esp+0E0h+var_B0], 0
		and	[esp+0E0h+var_AC], 0
		mov	ecx, [edi]
		nop
		mov	edx, [edi+4]
		mov	eax, ecx
		and	eax, 80h
		or	eax, 0
		jz	loc_629AC7
		nop
		mov	eax, [esp+0E0h+var_C8]
		shrd	ecx, edx, 0Ch
		and	ecx, 1FFFFFFh
		cmp	[eax], ecx
		jnz	loc_629AC7
		mov	edi, esi
		mov	esi, [esi]
		mov	eax, edi
		mov	[esp+0E0h+var_CC], esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		push	[esp+0E0h+var_D0]
		xor	edx, edx
		lea	ecx, [esp+0E4h+var_A0]
		inc	edx
		mov	esi, eax
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)
		push	0B0000006h
		mov	edx, esi
		mov	ecx, ebx
		call	MiMakeValidPte
		mov	ebx, eax
		mov	[esp+0E0h+var_B0], edx
		mov	ecx, edi
		mov	[esp+0E0h+var_C4], ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [esp+0E0h+var_D0]
		mov	edx, 7FFFFFFFh
		and	dword ptr [edi], 0
		mov	[edi+4], ecx
		lea	ecx, [edi+10h]
		lock and [ecx],	edx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		nop
		mov	edi, [esp+0E0h+var_D0]

loc_629A16:				; CODE XREF: MiUnmapMdlCommon(x,x,x,x,x)+1ACj
					; MiUnmapMdlCommon(x,x,x,x,x)+1B2j
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[esp+0E0h+var_D0], ecx
		nop
		mov	ecx, [esp+0E0h+var_B0]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [esp+0E0h+var_C4]
		cmp	eax, esi
		jnz	short loc_629A16
		cmp	edx, [esp+0E0h+var_D0]
		jnz	short loc_629A16
		mov	ebx, [esp+0E0h+var_C0]
		add	edi, 8
		mov	esi, [esp+0E0h+var_CC]
		mov	eax, 1000h
		mov	[esp+0E0h+var_D0], edi
		mov	ecx, 800h
		jmp	short loc_629A93
; 

loc_629A55:				; CODE XREF: MiUnmapMdlCommon(x,x,x,x,x)+EAj
		mov	ecx, [ebx]
		nop
		mov	eax, [ebx+4]
		mov	[esp+0E0h+var_A8], ecx
		and	ecx, 1
		or	ecx, 0
		mov	[esp+0E0h+var_A4], eax
		jz	short loc_629AE1
		push	0
		mov	edx, ebx
		lea	ecx, [esp+0E4h+var_A0]
		push	1
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	eax, ds:_ZeroPte
		mov	[ebx], eax
		nop
		mov	eax, ds:dword_40F9FC
		push	8
		mov	[ebx+4], eax
		pop	eax
		push	4
		pop	ecx

loc_629A93:				; CODE XREF: MiUnmapMdlCommon(x,x,x,x,x)+1CDj
		add	ebx, eax
		add	[esp+0E0h+var_C8], ecx
		mov	[esp+0E0h+var_C0], ebx

loc_629A9D:				; CODE XREF: MiUnmapMdlCommon(x,x,x,x,x)+DCj
					; MiUnmapMdlCommon(x,x,x,x,x)+E3j
		cmp	ebx, [esp+0E0h+var_BC]
		jb	loc_62996E
		lea	ecx, [esp+0E0h+var_A0]
		call	MiFlushTbList
		mov	ecx, [esp+0E0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_629AC7:				; CODE XREF: MiUnmapMdlCommon(x,x,x,x,x)+10Aj
					; MiUnmapMdlCommon(x,x,x,x,x)+121j
		push	[esp+0E0h+var_B8]
		push	[ebp+arg_0]
		push	[esp+0E8h+var_B4]
		push	10Eh

loc_629AD7:				; CODE XREF: MiUnmapMdlCommon(x,x,x,x,x)+26Bj
		push	0DAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_629AE1:				; CODE XREF: MiUnmapMdlCommon(x,x,x,x,x)+1E3j
		push	[esp+0F4h+var_CC]
		push	[ebp+arg_0]
		push	[esp+0FCh+var_C8]
		push	10Bh
		jmp	short loc_629AD7
_MiUnmapMdlCommon@20 endp

; 
		align 8
; Exported entry 1434. MmMapLockedPages

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMapLockedPages(x,	x)
		public _MmMapLockedPages@8
_MmMapLockedPages@8 proc near		; CODE XREF: ViFlushDoubleBuffer(x,x,x,x,x)+95p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	20h
		push	1
		push	0
		push	1
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	MmMapLockedPagesSpecifyCache
		pop	ebp
		retn	8
_MmMapLockedPages@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1482. MmUnmapReservedMapping

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmUnmapReservedMapping(x, x, x)
		public _MmUnmapReservedMapping@12
_MmUnmapReservedMapping@12 proc	near	; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+122D4Bp
					; SmFpFree+122A56p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	eax, 200h
		test	[edi+6], ax
		jz	short loc_629B3D
		mov	ecx, edi
		call	_MiRetardMdl@4	; MiRetardMdl(x)
		mov	esi, [ebp+arg_0]
		sub	esi, eax
		jmp	short loc_629B40
; 

loc_629B3D:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+14j
		mov	esi, [ebp+arg_0]

loc_629B40:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+22j
		mov	ecx, [edi+10h]
		add	ecx, [edi+18h]
		mov	eax, [edi+14h]
		and	ecx, 0FFFh
		add	eax, 0FFFh
		add	eax, ecx
		shr	eax, 0Ch
		push	offset unk_6D340C
		mov	[ebp+arg_8], eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	ebx, ds:dword_6D3410
		mov	edx, esi
		mov	byte ptr [ebp+arg_0+3],	al
		and	edx, 0FFFFF000h
		jmp	short loc_629B93
; 

loc_629B79:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+7Cj
		mov	ecx, [ebx+0Ch]
		cmp	edx, ecx
		jb	short loc_629B91
		mov	eax, [ebx+10h]
		shl	eax, 0Ch
		add	eax, ecx
		cmp	edx, eax
		jb	short loc_629BA4
		mov	ebx, [ebx+4]
		jmp	short loc_629B93
; 

loc_629B91:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+65j
		mov	ebx, [ebx]

loc_629B93:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+5Ej
					; MmUnmapReservedMapping(x,x,x)+76j
		test	ebx, ebx
		jnz	short loc_629B79

loc_629B97:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+8Dj
		push	2
		push	[ebp+arg_4]
		push	esi
		push	106h
		jmp	short loc_629BCE
; 

loc_629BA4:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+71j
		test	ebx, ebx
		jz	short loc_629B97
		push	offset unk_6D340C
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+arg_4]
		cmp	[ebx+14h], ecx
		jz	short loc_629BD8
		mov	edx, [ebp+arg_8]
		push	edx
		push	ecx
		push	esi
		push	102h

loc_629BCE:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+89j
					; MmUnmapReservedMapping(x,x,x)+EBj ...
		push	0DAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_629BD8:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+A8j
		test	byte ptr [ebx+18h], 1
		mov	edx, [ebx+10h]
		mov	[ebp+arg_0], edx
		jz	short loc_629BF0
		mov	eax, esi
		sub	eax, [ebx+0Ch]
		shr	eax, 0Ch
		sub	edx, eax
		jmp	short loc_629BF3
; 

loc_629BF0:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+C9j
		mov	esi, [ebx+0Ch]

loc_629BF3:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+D5j
		mov	eax, [ebp+arg_8]
		push	eax
		cmp	eax, edx
		jbe	short loc_629C06
		push	[ebp+arg_0]
		push	esi
		push	10Ah
		jmp	short loc_629BCE
; 

loc_629C06:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+E0j
		push	edi
		push	ecx
		mov	ecx, esi
		call	_MiUnmapMdlCommon@20 ; MiUnmapMdlCommon(x,x,x,x,x)
		test	byte ptr [ebx+18h], 1
		jnz	short loc_629C4E
		mov	eax, [ebx+10h]
		mov	ecx, esi
		mov	edx, [ebp+arg_8]
		add	eax, 0F8000000h
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		lea	ebx, [edx-8000000h]
		lea	eax, [ecx+eax*8]
		lea	ebx, [ecx+ebx*8]
		mov	[ebp+arg_0], eax
		cmp	ebx, eax
		jnb	short loc_629C4E

loc_629C3E:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+133j
		mov	ecx, [ebx]
		nop
		or	ecx, [ebx+4]
		jnz	short loc_629C6B
		add	ebx, 8
		cmp	ebx, [ebp+arg_0]
		jb	short loc_629C3E

loc_629C4E:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+FAj
					; MmUnmapReservedMapping(x,x,x)+123j
		and	word ptr [edi+6], 0FFDEh
		mov	ax, [edi+6]
		test	al, 4
		jz	short loc_629C64
		mov	eax, [edi+10h]
		add	eax, [edi+18h]
		mov	[edi+0Ch], eax

loc_629C64:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+140j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_629C6B:				; CODE XREF: MmUnmapReservedMapping(x,x,x)+12Bj
		push	edx
		push	[ebp+arg_4]
		push	esi
		push	10Ch
		jmp	loc_629BCE
_MmUnmapReservedMapping@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1374. MmAllocateMdlForIoSpace

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAllocateMdlForIoSpace(x, x, x)
		public _MmAllocateMdlForIoSpace@12
_MmAllocateMdlForIoSpace@12 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		mov	edx, eax
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edi
		mov	[ebp+arg_0], eax
		test	ebx, ebx
		jz	short loc_629CFD

loc_629C9F:				; CODE XREF: MmAllocateMdlForIoSpace(x,x,x)+7Aj
		mov	eax, [esi+8]
		mov	[ebp+arg_4], eax
		test	eax, 0FFFh
		jnz	short loc_629D14
		test	dword ptr [esi], 0FFFh
		jnz	short loc_629D14
		mov	ecx, [esi]
		mov	eax, [esi+4]
		shrd	ecx, eax, 0Ch
		cmp	ecx, ds:dword_6D07B0
		ja	short loc_629CDF
		mov	eax, ds:dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jnz	short loc_629D14
		mov	edx, [ebp+var_4]

loc_629CDF:				; CODE XREF: MmAllocateMdlForIoSpace(x,x,x)+44j
		mov	eax, [ebp+arg_4]
		add	eax, edx
		cmp	eax, edx
		jb	short loc_629D14
		mov	edx, eax
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		add	esi, 10h
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, ebx
		jb	short loc_629C9F
		xor	eax, eax

loc_629CFD:				; CODE XREF: MmAllocateMdlForIoSpace(x,x,x)+1Ej
		push	eax
		push	eax
		push	eax
		push	edx
		push	eax
		call	IoAllocateMdl
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_629D1B
		mov	eax, 0C000009Ah
		jmp	short loc_629D65
; 

loc_629D14:				; CODE XREF: MmAllocateMdlForIoSpace(x,x,x)+2Bj
					; MmAllocateMdlForIoSpace(x,x,x)+33j ...
		mov	eax, 0C00000EFh
		jmp	short loc_629D65
; 

loc_629D1B:				; CODE XREF: MmAllocateMdlForIoSpace(x,x,x)+8Cj
		lea	eax, [ecx+1Ch]
		mov	[ebp+arg_0], eax
		test	ebx, ebx
		jz	short loc_629D51

loc_629D25:				; CODE XREF: MmAllocateMdlForIoSpace(x,x,x)+D0j
		mov	esi, [edi+8]
		mov	edx, [edi]
		mov	eax, [edi+4]
		shr	esi, 0Ch
		shrd	edx, eax, 0Ch
		test	esi, esi
		jz	short loc_629D49
		mov	eax, [ebp+arg_0]

loc_629D3B:				; CODE XREF: MmAllocateMdlForIoSpace(x,x,x)+C5j
		mov	[eax], edx
		add	eax, 4
		inc	edx
		sub	esi, 1
		jnz	short loc_629D3B
		mov	[ebp+arg_0], eax

loc_629D49:				; CODE XREF: MmAllocateMdlForIoSpace(x,x,x)+B7j
		add	edi, 10h
		sub	ebx, 1
		jnz	short loc_629D25

loc_629D51:				; CODE XREF: MmAllocateMdlForIoSpace(x,x,x)+A4j
		and	dword ptr [ecx+8], 0
		mov	eax, 802h
		or	[ecx+6], ax
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		xor	eax, eax

loc_629D65:				; CODE XREF: MmAllocateMdlForIoSpace(x,x,x)+93j
					; MmAllocateMdlForIoSpace(x,x,x)+9Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MmAllocateMdlForIoSpace@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1405. MmGetCacheAttribute

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetCacheAttribute(x, x, x)
		public _MmGetCacheAttribute@12
_MmGetCacheAttribute@12	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_MmGetCacheAttributeEx@16 ; MmGetCacheAttributeEx(x,x,x,x)
		pop	ebp
		retn	0Ch
_MmGetCacheAttribute@12	endp ; sp = -10h

; 
		align 4
		db 3 dup(0CCh)
; 
; Exported entry 1406. MmGetCacheAttributeEx

; __stdcall MmGetCacheAttributeEx(x, x,	x, x)
		public _MmGetCacheAttributeEx@16
_MmGetCacheAttributeEx@16:		; CODE XREF: MmGetCacheAttribute(x,x,x)+10p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	dword ptr [ebp+10h], 0FFFFFFFEh
		jz	short loc_629DA7
		mov	eax, 0C00000F0h
		jmp	loc_629E53
; 

loc_629DA7:				; CODE XREF: .text:00629D9Bj
		mov	eax, [ebp+0Ch]
		push	ebx
		push	esi
		mov	esi, [ebp+8]
		xor	ebx, ebx
		shrd	esi, eax, 0Ch
		push	edi
		xor	edi, edi
		inc	ebx
		cmp	esi, ds:dword_6D07B0
		ja	short loc_629DFF
		mov	eax, ds:dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, ebx
		jz	short loc_629DFF
		imul	ecx, esi, 1Ch
		add	ecx, ds:_MmPfnDatabase
		cmp	[ecx+14h], di
		jnz	short loc_629DF6
		mov	eax, ds:dword_6D3058
		cmp	eax, large fs:124h
		jnz	short loc_629E57

loc_629DF6:				; CODE XREF: .text:00629DE6j
		movzx	eax, byte ptr [ecx+16h]
		shr	eax, 6
		jmp	short loc_629E1E
; 

loc_629DFF:				; CODE XREF: .text:00629DBFj
					; .text:00629DD7j
		test	byte ptr [ebp+10h], 1
		jz	short loc_629E4B
		mov	ecx, esi
		call	_MiLookupIoPageNode@4 ;	MiLookupIoPageNode(x)
		test	eax, eax
		jz	short loc_629E1B
		mov	edx, eax
		mov	ecx, esi
		call	_MiGetIoPfnCacheAttribute@8 ; MiGetIoPfnCacheAttribute(x,x)
		jmp	short loc_629E1E
; 

loc_629E1B:				; CODE XREF: .text:00629E0Ej
		push	3
		pop	eax

loc_629E1E:				; CODE XREF: .text:00629DFDj
					; .text:00629E19j
		cmp	eax, ebx
		jnz	short loc_629E29
		mov	eax, [ebp+14h]
		mov	[eax], ebx
		jmp	short loc_629E40
; 

loc_629E29:				; CODE XREF: .text:00629E20j
		test	eax, eax
		jnz	short loc_629E34
		mov	eax, [ebp+14h]
		mov	[eax], edi
		jmp	short loc_629E40
; 

loc_629E34:				; CODE XREF: .text:00629E2Bj
		push	2
		pop	ecx
		cmp	eax, ecx
		jnz	short loc_629E44
		mov	eax, [ebp+14h]
		mov	[eax], ecx

loc_629E40:				; CODE XREF: .text:00629E27j
					; .text:00629E32j
		xor	eax, eax
		jmp	short loc_629E50
; 

loc_629E44:				; CODE XREF: .text:00629E39j
		mov	eax, 0C00000EFh
		jmp	short loc_629E50
; 

loc_629E4B:				; CODE XREF: .text:00629E03j
		mov	eax, 0C0000141h

loc_629E50:				; CODE XREF: .text:00629E42j
					; .text:00629E49j
		pop	edi
		pop	esi
		pop	ebx

loc_629E53:				; CODE XREF: .text:00629DA2j
		pop	ebp
		retn	10h
; 

loc_629E57:				; CODE XREF: .text:00629DF4j
		movzx	eax, byte ptr [ecx+16h]
		push	edi
		and	eax, 7
		push	eax
		push	esi
		push	1232h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 3 dup(0CCh)
		db 3 dup(0CCh)
; Exported entry 1415. MmGetVirtualForPhysical

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetVirtualForPhysical(x, x)
		public _MmGetVirtualForPhysical@8
_MmGetVirtualForPhysical@8 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, edx
		mov	eax, [ebp+arg_4]
		and	edx, 0FFFh
		shrd	ecx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		imul	ecx, 1Ch
		mov	eax, [ecx+eax+4]
		shl	eax, 9
		add	eax, edx
		pop	ebp
		retn	8
_MmGetVirtualForPhysical@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1459. MmProtectMdlSystemAddress

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmProtectMdlSystemAddress(x, x)
		public _MmProtectMdlSystemAddress@8
_MmProtectMdlSystemAddress@8 proc near

var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0D4h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+0D4h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esp+0DCh+var_A0]
		push	edi
		push	98h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[esp+0ECh+var_A4], esi
		call	_memset
		add	esp, 0Ch
		test	byte ptr [esi+6], 1
		jnz	short loc_629EEE
		mov	eax, 0C0000019h
		jmp	loc_62A26F
; 

loc_629EEE:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+3Ej
		mov	ebx, [esi+0Ch]
		mov	ecx, ebx
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jz	short loc_629F06
		mov	eax, 0C00000BBh
		jmp	loc_62A26F
; 

loc_629F06:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+56j
		mov	ecx, [ebp+arg_4]
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		mov	[esp+0E0h+var_B4], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_62A26A
		mov	ecx, eax
		shr	ecx, 3
		cmp	ecx, 2
		jz	loc_62A26A
		cmp	ecx, 1
		jz	loc_62A26A
		cmp	ecx, 3
		jnz	short loc_629F3F
		test	al, 7
		jnz	loc_62A26A

loc_629F3F:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+91j
		and	eax, 5
		cmp	al, 5
		jz	loc_62A26A
		mov	eax, [esi+14h]
		mov	ecx, ebx
		and	[esp+0E0h+var_8C], 0
		mov	edi, ebx
		and	[esp+0E0h+var_C8], 0
		and	ecx, 0FFFh
		shr	edi, 9
		add	eax, 0FFFh
		add	ecx, eax
		mov	[esp+0E0h+var_98], 21h
		and	edi, offset loc_7FFFF8
		shr	ecx, 0Ch
		and	ebx, 0FFFFF000h
		mov	[esp+0E0h+var_A8], ecx
		sub	edi, 40000000h
		mov	[esp+0E0h+var_CC], ebx
		mov	[esp+0E0h+var_D0], ebx
		test	ecx, ecx
		jz	loc_62A23F

loc_629F9C:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+395j
		mov	esi, [edi]
		xor	ecx, ecx
		mov	[esp+0E0h+var_C0], ecx
		nop
		mov	edx, [edi+4]
		mov	eax, esi
		and	eax, 1
		mov	[esp+0E0h+var_B0], esi
		or	eax, ecx
		mov	[esp+0E0h+var_AC], edx
		jz	short loc_629FF4
		xor	eax, eax
		inc	eax
		mov	[esp+0E0h+var_C4], eax
		nop
		shrd	esi, edx, 0Ch
		mov	edx, [esp+0E0h+var_D0]
		push	ecx
		push	eax
		lea	ecx, [esp+0E8h+var_A0]
		and	esi, 1FFFFFFh
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		cmp	[esp+0E0h+var_D0], ebx
		jnz	loc_62A089
		mov	ecx, ebx
		call	_MiMappingHasIoTracker@4 ; MiMappingHasIoTracker(x)
		mov	[esp+0E0h+var_C8], eax
		jmp	loc_62A089
; 

loc_629FF4:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+113j
		mov	eax, esi
		and	eax, 800h
		or	eax, ecx
		jz	loc_62A25D
		mov	ecx, esi
		mov	eax, edx
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		cmp	cl, 18h
		jnz	loc_62A25D
		mov	eax, ds:dword_6D0700
		mov	ecx, esi
		mov	ebx, ds:dword_6D0704
		mov	[esp+0E0h+var_C4], eax
		or	eax, ebx
		mov	[esp+0E0h+var_C0], ebx
		mov	ebx, [esp+0E0h+var_CC]
		mov	[esp+0E0h+var_D4], edx
		jz	short loc_62A05C
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		mov	eax, edx
		jnz	short loc_62A056
		mov	esi, [esp+0E0h+var_C4]
		mov	edx, [esp+0E0h+var_C0]
		not	esi
		not	edx
		and	esi, ecx
		and	edx, eax
		jmp	short loc_62A060
; 

loc_62A056:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+19Ej
		mov	esi, ecx
		mov	edx, eax
		jmp	short loc_62A060
; 

loc_62A05C:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+192j
		mov	eax, [esp+0E0h+var_D4]

loc_62A060:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+1B0j
					; MmProtectMdlSystemAddress(x,x)+1B6j
		and	[esp+0E0h+var_C4], 0
		shrd	esi, edx, 0Ch
		mov	[esp+0E0h+var_BC], eax
		and	esi, 3FFFFFFh
		cmp	[esp+0E0h+var_D0], ebx
		jnz	short loc_62A089
		and	ecx, 8
		or	ecx, 0
		jz	short loc_62A089
		mov	[esp+0E0h+var_C8], 1

loc_62A089:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+13Aj
					; MmProtectMdlSystemAddress(x,x)+14Bj ...
		cmp	[esp+0E0h+var_B4], 18h
		jnz	short loc_62A0C7
		push	18h
		pop	edx
		mov	ecx, esi
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		cmp	[esp+0E0h+var_C8], 1
		mov	esi, [esp+0E0h+var_D0]
		mov	[esp+0E0h+var_B0], eax
		mov	[esp+0E0h+var_AC], edx
		jnz	short loc_62A0BC
		cmp	esi, ebx
		jnz	short loc_62A0BC
		or	eax, 8
		mov	[esp+0E0h+var_AC], edx
		mov	[esp+0E0h+var_B0], eax

loc_62A0BC:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+207j
					; MmProtectMdlSystemAddress(x,x)+20Bj
		mov	[edi], eax
		nop
		mov	[edi+4], edx
		jmp	loc_62A227
; 

loc_62A0C7:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+1EAj
		cmp	esi, ds:dword_6D07B0
		ja	short loc_62A0FC
		mov	eax, ds:dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_62A0FC
		mov	ecx, [esp+0E0h+var_B4]
		imul	edx, esi, 1Ch
		add	edx, ds:_MmPfnDatabase
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		jmp	short loc_62A175
; 

loc_62A0FC:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+229j
					; MmProtectMdlSystemAddress(x,x)+242j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		mov	bl, al
		call	MiIoSpaceIsConstant
		mov	cl, bl
		mov	[esp+0E0h+var_C0], eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+0E0h+var_C0]
		test	eax, eax
		jz	short loc_62A129
		mov	ecx, [eax+14h]
		jmp	short loc_62A157
; 

loc_62A129:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+27Ej
		mov	ecx, esi
		call	_MiLookupIoPageNode@4 ;	MiLookupIoPageNode(x)
		test	eax, eax
		jz	loc_62A24C
		mov	ecx, esi
		and	ecx, 1FFFFFFh
		sub	ecx, [eax+14h]
		mov	eax, [eax+18h]
		mov	ax, [eax+ecx*2]
		mov	word ptr [esp+0E0h+var_D4], ax
		movzx	ecx, word ptr [esp+0E0h+var_D4]
		shr	ecx, 0Eh

loc_62A157:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+283j
		mov	eax, [esp+0E0h+var_B4]
		mov	ebx, [esp+0E0h+var_CC]
		and	eax, 7
		sub	ecx, 0
		jz	short loc_62A172
		dec	ecx
		sub	ecx, 1
		jnz	short loc_62A175
		or	eax, 18h
		jmp	short loc_62A175
; 

loc_62A172:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+2C1j
		or	eax, 8

loc_62A175:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+256j
					; MmProtectMdlSystemAddress(x,x)+2C7j ...
		or	eax, 0A0000000h
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	MiMakeValidPte
		cmp	[esp+0E0h+var_C4], 1
		mov	esi, eax
		mov	[esp+0E0h+var_BC], edx
		mov	[esp+0E0h+var_BC], edx
		mov	[esp+0E0h+var_B0], esi
		mov	[esp+0E0h+var_AC], edx
		jnz	short loc_62A1A5
		nop
		mov	[edi], esi
		mov	[edi+4], edx
		jmp	short loc_62A211
; 

loc_62A1A5:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+2F7j
		and	[esp+0E0h+var_D4], 0
		mov	ecx, edi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_62A1FA
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_62A1DC
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	short loc_62A1FE

loc_62A1CA:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+352j
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_62A1FE
		or	edx, 80000000h
		jmp	short loc_62A1FE
; 

loc_62A1DC:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+318j
		mov	eax, large fs:124h
		mov	ecx, [esp+0E0h+var_D4]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_62A1CA
		jmp	short loc_62A1FE
; 

loc_62A1FA:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+30Fj
		mov	ecx, [esp+0E0h+var_D4]

loc_62A1FE:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+324j
					; MmProtectMdlSystemAddress(x,x)+32Ej ...
		mov	[edi+4], edx
		nop
		mov	[edi], esi
		test	ecx, ecx
		jz	short loc_62A211
		push	edx
		push	esi
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_62A211:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+2FFj
					; MmProtectMdlSystemAddress(x,x)+362j
		cmp	[esp+0E0h+var_C8], 1
		mov	esi, [esp+0E0h+var_D0]
		jnz	short loc_62A227
		cmp	esi, ebx
		jnz	short loc_62A227
		mov	ecx, ebx
		call	_MiMappingHasIoReferences@4 ; MiMappingHasIoReferences(x)

loc_62A227:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+21Ej
					; MmProtectMdlSystemAddress(x,x)+376j ...
		add	esi, 1000h
		add	edi, 8
		sub	[esp+0E0h+var_A8], 1
		mov	[esp+0E0h+var_D0], esi
		jnz	loc_629F9C

loc_62A23F:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+F2j
		lea	ecx, [esp+0E0h+var_A0]
		call	MiFlushTbList
		xor	eax, eax
		jmp	short loc_62A26F
; 

loc_62A24C:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+28Ej
		push	0
		push	1
		push	esi
		push	61949h

loc_62A256:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+3C4j
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_62A25D:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+159j
					; MmProtectMdlSystemAddress(x,x)+16Dj
		push	esi
		push	edi
		push	[esp+0FCh+var_B8]
		push	1235h
		jmp	short loc_62A256
; 

loc_62A26A:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+71j
					; MmProtectMdlSystemAddress(x,x)+7Fj ...
		mov	eax, 0C0000045h

loc_62A26F:				; CODE XREF: MmProtectMdlSystemAddress(x,x)+45j
					; MmProtectMdlSystemAddress(x,x)+5Dj ...
		mov	ecx, [esp+0E0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_MmProtectMdlSystemAddress@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocateFastLargePagesForMdl(x, x, x)
_MiAllocateFastLargePagesForMdl@12 proc	near ; CODE XREF: MiFindPagesForMdl:loc_49B762p

var_B8		= dword	ptr -0B8h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_34		= dword	ptr -34h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B8h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	88h		; size_t
		lea	eax, [ebp+var_94]
		mov	[ebp+var_98], edx
		push	0		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		mov	esi, [ebx+24h]
		lea	edi, [ebp+var_B8]
		xor	eax, eax
		mov	[ebp+var_AC], esi
		add	esp, 0Ch
		stosd
		stosd
		push	2
		pop	ecx
		push	1Ch
		stosd
		mov	eax, [ebx+20h]
		pop	edx
		test	eax, eax
		jnz	short loc_62A2E2
		push	0Ch
		pop	eax
		jmp	short loc_62A2F4
; 

loc_62A2E2:				; CODE XREF: MiAllocateFastLargePagesForMdl(x,x,x)+55j
		cmp	eax, ecx
		jnz	short loc_62A2EA
		mov	eax, edx
		jmp	short loc_62A2F4
; 

loc_62A2EA:				; CODE XREF: MiAllocateFastLargePagesForMdl(x,x,x)+5Ej
		sub	eax, 3
		neg	eax
		sbb	eax, eax
		and	eax, 4

loc_62A2F4:				; CODE XREF: MiAllocateFastLargePagesForMdl(x,x,x)+5Aj
					; MiAllocateFastLargePagesForMdl(x,x,x)+62j
		mov	ecx, [ebp+var_98]
		and	ecx, 1
		cmp	dword ptr [ebx+8], 100000h
		mov	[ebp+var_98], ecx
		lea	ecx, ds:1[ecx*2]
		jnz	short loc_62A316
		or	ecx, 4

loc_62A316:				; CODE XREF: MiAllocateFastLargePagesForMdl(x,x,x)+8Bj
		mov	edi, [esi+14h]
		mov	edx, [ebx+14h]
		push	ecx
		lea	ecx, [ebp+var_B8]
		shr	edi, 0Ch
		push	ecx
		mov	ecx, [ebx]
		sub	edx, edi
		push	eax
		push	[ebp+arg_0]
		push	dword ptr [ebx+10h]
		call	_MiAllocateLargeZeroPages@28 ; MiAllocateLargeZeroPages(x,x,x,x,x,x,x)
		mov	[ebp+var_A8], eax
		test	eax, eax
		jz	loc_62A448
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		push	[ebp+arg_0]	; int
		cmp	al, 2
		lea	ecx, [ebp+var_94] ; void *
		sbb	edx, edx
		and	edx, 0FFFFFFFEh
		add	edx, 2		; int
		call	_MiInitializeDpcGang@12	; MiInitializeDpcGang(x,x,x)
		mov	eax, large fs:124h
		add	edi, 7
		or	[ebp+var_34], 40h
		mov	eax, [eax+80h]
		mov	[ebx+28h], eax
		lea	eax, [esi+edi*4]
		xor	edi, edi
		mov	[ebp+var_94], ebx
		mov	[ebp+var_9C], eax
		mov	[ebp+var_A0], edi

loc_62A390:				; CODE XREF: MiAllocateFastLargePagesForMdl(x,x,x)+17Dj
		mov	ebx, [ebp+edi+var_B8]
		mov	esi, ds:_MiLargePageSizes[edi]
		test	ebx, ebx
		jz	short loc_62A3F7

loc_62A3A1:				; CODE XREF: MiAllocateFastLargePagesForMdl(x,x,x)+169j
		mov	eax, [ebx]
		mov	[ebp+var_A4], eax
		mov	eax, ebx
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		xor	edx, edx
		mov	edi, eax
		test	esi, esi
		jz	short loc_62A3D8
		mov	eax, [ebp+var_9C]

loc_62A3C5:				; CODE XREF: MiAllocateFastLargePagesForMdl(x,x,x)+14Aj
		lea	ecx, [edi+edx]
		mov	[eax], ecx
		add	eax, 4
		inc	edx
		cmp	edx, esi
		jb	short loc_62A3C5
		mov	[ebp+var_9C], eax

loc_62A3D8:				; CODE XREF: MiAllocateFastLargePagesForMdl(x,x,x)+137j
		mov	edx, ebx
		lea	ecx, [ebp+var_94]
		call	_MiInsertDpcGang@8 ; MiInsertDpcGang(x,x)
		mov	eax, [ebp+var_A4]
		mov	ebx, eax
		test	eax, eax
		jnz	short loc_62A3A1
		mov	edi, [ebp+var_A0]

loc_62A3F7:				; CODE XREF: MiAllocateFastLargePagesForMdl(x,x,x)+119j
		add	edi, 4
		mov	[ebp+var_A0], edi
		cmp	edi, 0Ch
		jb	short loc_62A390
		mov	esi, [ebp+var_AC]
		lea	ecx, [ebp+var_94]
		mov	eax, [ebp+var_A8]
		shl	eax, 0Ch
		add	[esi+14h], eax
		call	_MiStartDpcGang@4 ; MiStartDpcGang(x)
		lea	ecx, [ebp+var_94]
		call	_MiEndDpcGang@4	; MiEndDpcGang(x)
		and	dword ptr [esi+8], 0
		push	2
		pop	eax
		or	[esi+6], ax
		cmp	[ebp+var_98], 0
		jz	short loc_62A448
		mov	dword ptr [esi+0Ch], 1

loc_62A448:				; CODE XREF: MiAllocateFastLargePagesForMdl(x,x,x)+B9j
					; MiAllocateFastLargePagesForMdl(x,x,x)+1B9j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiAllocateFastLargePagesForMdl@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocateSkipPagesForMdl(x, x, x)
_MiAllocateSkipPagesForMdl@12 proc near	; CODE XREF: MiFindPagesForMdl:loc_49B769p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		or	[ebp+var_8], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	ecx, [esi+24h]
		mov	eax, [esi+0Ch]
		mov	edx, [esi+8]
		mov	[ebp+var_10], eax
		mov	ebx, [ecx+14h]
		mov	eax, [esi+10h]
		shr	ebx, 0Ch
		mov	[ebp+var_C], edx
		test	eax, eax
		jnz	short loc_62A490
		mov	edi, [esi+14h]
		sub	edi, ebx
		jmp	short loc_62A492
; 

loc_62A490:				; CODE XREF: MiAllocateSkipPagesForMdl(x,x,x)+2Ej
		mov	edi, eax

loc_62A492:				; CODE XREF: MiAllocateSkipPagesForMdl(x,x,x)+35j
		or	[ebp+var_4], 60000000h
		lea	edx, [ebp+var_8]
		push	edx
		mov	edx, [ebp+var_C]
		push	ecx
		push	[ebp+var_4]
		push	80000000h
		push	[ebp+arg_0]
		push	dword ptr [esi+20h]
		push	edi
		push	eax
		push	[ebp+var_10]
		jmp	short loc_62A4E8
; 

loc_62A4B6:				; CODE XREF: MiAllocateSkipPagesForMdl(x,x,x)+98j
		add	ebx, edi
		cmp	ebx, [esi+14h]
		jz	short loc_62A4F3
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		lea	edx, [eax-1]
		sub	eax, ecx
		cmp	eax, edi
		jb	short loc_62A4F3
		lea	eax, [ebp+var_8]
		push	eax
		push	dword ptr [esi+24h]
		push	[ebp+var_4]
		push	80000000h
		push	[ebp+arg_0]
		push	dword ptr [esi+20h]
		push	edi
		push	dword ptr [esi+10h]
		push	edx
		mov	edx, ecx

loc_62A4E8:				; CODE XREF: MiAllocateSkipPagesForMdl(x,x,x)+5Bj
		mov	ecx, [esi]
		call	_MiFindContiguousPages@44 ; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_62A4B6

loc_62A4F3:				; CODE XREF: MiAllocateSkipPagesForMdl(x,x,x)+62j
					; MiAllocateSkipPagesForMdl(x,x,x)+71j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiAllocateSkipPagesForMdl@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeLargeMdlLeafPfns(x, x)
_MiInitializeLargeMdlLeafPfns@8	proc near ; CODE XREF: MiDoGangAssignment(x,x)+22p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, edx
		mov	eax, ecx
		push	esi
		push	edi
		mov	[ebp+var_C], eax
		test	dword ptr [ebx+4], 80000200h
		mov	ecx, [ebx+28h]
		mov	[ebp+var_10], ecx
		jz	short loc_62A525
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		jmp	short loc_62A53A
; 

loc_62A525:				; CODE XREF: MiInitializeLargeMdlLeafPfns(x,x)+1Fj
		push	0
		push	80h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_4], edx

loc_62A53A:				; CODE XREF: MiInitializeLargeMdlLeafPfns(x,x)+29j
		mov	edi, [eax]
		test	edi, edi
		jz	short loc_62A58F

loc_62A540:				; CODE XREF: MiInitializeLargeMdlLeafPfns(x,x)+93j
		mov	esi, [edi]
		test	esi, 1FFFFFFEh
		jnz	short loc_62A54E
		xor	esi, esi
		jmp	short loc_62A55A
; 

loc_62A54E:				; CODE XREF: MiInitializeLargeMdlLeafPfns(x,x)+4Ej
		and	esi, 0FFFFFFFEh
		or	esi, 0E0000000h
		shl	esi, 2

loc_62A55A:				; CODE XREF: MiInitializeLargeMdlLeafPfns(x,x)+52j
		mov	ecx, edi
		mov	[eax], esi
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		push	[ebp+var_4]
		mov	ecx, edi
		push	[ebp+var_8]
		mov	edx, ds:_MiLargePageSizes[eax*4]
		push	dword ptr [ebx+4]
		push	[ebp+var_10]
		call	_MiInitializeMdlLeafPfns@24 ; MiInitializeMdlLeafPfns(x,x,x,x,x,x)
		mov	edi, esi
		test	esi, esi
		jz	short loc_62A58F
		call	KeShouldYieldProcessor
		test	eax, eax
		mov	eax, [ebp+var_C]
		jz	short loc_62A540

loc_62A58F:				; CODE XREF: MiInitializeLargeMdlLeafPfns(x,x)+44j
					; MiInitializeLargeMdlLeafPfns(x,x)+87j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiInitializeLargeMdlLeafPfns@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogMdlRangeEvent(x, x, x)
_MiLogMdlRangeEvent@12 proc near	; CODE XREF: MiFreePagesFromMdl(x,x)+13Bp
					; MiAllocatePagesForMdl+121512p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_24], edx
		imul	esi, [edi], 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	eax, [esi+18h]
		and	eax, 70000000h
		cmp	eax, 10000000h
		jnz	short loc_62A5E4
		mov	esi, [esi]
		test	esi, 1FFFFFFEh
		jnz	short loc_62A5D4
		xor	esi, esi
		jmp	short loc_62A5E0
; 

loc_62A5D4:				; CODE XREF: MiLogMdlRangeEvent(x,x,x)+3Aj
		and	esi, 0FFFFFFFEh
		or	esi, 0E0000000h
		shl	esi, 2

loc_62A5E0:				; CODE XREF: MiLogMdlRangeEvent(x,x,x)+3Ej
		push	9
		jmp	short loc_62A5E8
; 

loc_62A5E4:				; CODE XREF: MiLogMdlRangeEvent(x,x,x)+30j
		xor	esi, esi
		push	0Ah

loc_62A5E8:				; CODE XREF: MiLogMdlRangeEvent(x,x,x)+4Ej
		mov	ebx, [ebp+arg_0]
		pop	eax
		test	ebx, ebx
		jz	short loc_62A65A
		xor	ecx, ecx
		shld	ecx, esi, 4
		shl	esi, 4
		or	esi, eax
		mov	[ebp+var_20], ecx

loc_62A5FE:				; CODE XREF: MiLogMdlRangeEvent(x,x,x)+C4j
		mov	eax, [edi]
		mov	[ebp+var_30], ecx
		mov	ecx, edi
		mov	[ebp+var_2C], eax
		mov	[ebp+var_34], esi

loc_62A60B:				; CODE XREF: MiLogMdlRangeEvent(x,x,x)+85j
		add	edi, 4
		sub	ebx, 1
		jz	short loc_62A61B
		mov	eax, [edi-4]
		inc	eax
		cmp	[edi], eax
		jz	short loc_62A60B

loc_62A61B:				; CODE XREF: MiLogMdlRangeEvent(x,x,x)+7Dj
		and	[ebp+var_18], 0
		mov	eax, edi
		and	[ebp+var_10], 0
		sub	eax, ecx
		push	11401B02h
		sar	eax, 2
		lea	ecx, [ebp+var_1C]
		push	edx
		mov	[ebp+var_28], eax
		xor	edx, edx
		lea	eax, [ebp+var_34]
		mov	[ebp+var_14], 10h
		push	20000001h
		inc	edx
		mov	[ebp+var_1C], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_20]
		mov	edx, [ebp+var_24]
		test	ebx, ebx
		jnz	short loc_62A5FE

loc_62A65A:				; CODE XREF: MiLogMdlRangeEvent(x,x,x)+5Aj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiLogMdlRangeEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl MiMdlPageSort(const void *,const void *)
_MiMdlPageSort	proc near		; DATA XREF: MiSortMdlFrames(x)+3o
					; AsiPopulateHashes(x)+9Ao

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		cmp	eax, ecx
		jbe	short loc_62A683
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
; 

loc_62A683:				; CODE XREF: _MiMdlPageSort+11j
		sbb	eax, eax
		neg	eax
		pop	ebp
		retn
_MiMdlPageSort	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReturnMdlExcess(x)
_MiReturnMdlExcess@4 proc near		; CODE XREF: MiAllocatePagesForMdl+1214F9p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+24h]
		mov	eax, [edi+14h]
		mov	ecx, [edi]
		mov	[ebp+var_C], esi
		mov	ebx, [esi+14h]
		shr	ebx, 0Ch
		sub	eax, ebx
		mov	[ebp+var_10], ebx
		mov	edx, eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ecx
		call	MiReturnCommit
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_62A6D5
		mov	ecx, [ebp+var_4]
		add	ecx, 1000h
		lock xadd [ecx], eax

loc_62A6D5:				; CODE XREF: MiReturnMdlExcess(x)+3Dj
		cmp	[ebp+var_4], offset _MiSystemPartition
		mov	ecx, [ebp+var_8]
		jnz	short loc_62A6EE
		mov	eax, ecx
		mov	edx, offset dword_6D3620
		neg	eax
		lock xadd [edx], eax

loc_62A6EE:				; CODE XREF: MiReturnMdlExcess(x)+56j
		test	ebx, ebx
		jnz	short loc_62A705

loc_62A6F2:				; CODE XREF: MiReturnMdlExcess(x)+A1j
		xor	esi, esi
		push	esi
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[edi+24h], esi
		jmp	loc_62A799
; 

loc_62A705:				; CODE XREF: MiReturnMdlExcess(x)+67j
		mov	eax, [edi+4]
		test	al, 4
		jz	short loc_62A72C
		test	al, 40h
		jnz	short loc_62A721
		mov	ecx, edi
		call	_MiInitializeMdlBatchPages@4 ; MiInitializeMdlBatchPages(x)
		mov	edx, [edi+4]
		mov	ecx, esi
		call	MiInitializeMdlPages

loc_62A721:				; CODE XREF: MiReturnMdlExcess(x)+85j
		xor	edx, edx
		mov	ecx, esi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		jmp	short loc_62A6F2
; 

loc_62A72C:				; CODE XREF: MiReturnMdlExcess(x)+81j
		cmp	ecx, 1000h
		jbe	short loc_62A799
		xor	esi, esi
		lea	ecx, ds:1Ch[ebx*4]
		push	esi
		push	40h
		mov	edx, 69646D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_62A799
		mov	edx, [ebp+var_10]
		xor	eax, eax
		mov	[ebx+6], ax
		mov	eax, edx
		shl	eax, 0Ch
		mov	[ebx+14h], eax
		mov	eax, edx
		shl	eax, 2
		lea	ecx, ds:1Ch[edx*4]
		push	eax		; size_t
		mov	[ebx], esi
		mov	[ebx+4], cx
		mov	[ebx+10h], esi
		mov	[ebx+18h], esi
		mov	eax, [edi+24h]
		add	eax, 1Ch
		push	eax		; void *
		lea	eax, [ebx+1Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	esi
		push	dword ptr [edi+24h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[edi+24h], ebx

loc_62A799:				; CODE XREF: MiReturnMdlExcess(x)+77j
					; MiReturnMdlExcess(x)+A9j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiReturnMdlExcess@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiSortMdlFrames(x)
_MiSortMdlFrames@4 proc	near		; CODE XREF: MiRemoveMdlPages(x,x)+2Ap
					; MiAllocateUserPhysicalPages(x,x,x,x,x)+427p
		mov	eax, [ecx+14h]
		push	offset _MiMdlPageSort ;	int __cdecl (*)(const void *,const void	*)
		shr	eax, 0Ch
		push	4		; size_t
		push	eax		; size_t
		lea	eax, [ecx+1Ch]
		push	eax		; void *
		call	_qsort
		add	esp, 10h
		retn
_MiSortMdlFrames@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetGraphicsPtes(x, x, x, x, x, x)
_MiSetGraphicsPtes@24 proc near		; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+162p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		lea	esi, [ecx+edx]
		shr	eax, 9
		mov	edi, offset loc_7FFFF8
		and	eax, edi
		shr	esi, 9
		sub	eax, 40000000h
		and	esi, edi
		mov	edi, [ebp+arg_C]
		xor	ebx, ebx
		mov	[ebp+var_18], eax
		sub	esi, 40000008h
		mov	eax, edi
		mov	[ebp+var_20], ebx
		and	eax, 1
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_24], eax
		jz	short loc_62A813
		test	ebx, ebx
		jz	short loc_62A813
		mov	eax, [ebx]
		mov	[ebp+var_10], eax
		mov	eax, [ebx+4]
		lea	ebx, [ebp+var_10]
		mov	[ebp+var_C], eax

loc_62A813:				; CODE XREF: MiSetGraphicsPtes(x,x,x,x,x,x)+46j
					; MiSetGraphicsPtes(x,x,x,x,x,x)+4Aj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		add	eax, 240h
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	MiLockWorkingSetShared
		mov	ecx, [ebp+var_18]
		shr	edi, 1
		mov	byte ptr [ebp+arg_0+3],	al
		not	edi
		mov	eax, [ebp+var_C]
		and	edi, 1
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_10]
		mov	[ebp+arg_C], edi
		mov	[ebp+var_C], eax

loc_62A84A:				; CODE XREF: MiSetGraphicsPtes(x,x,x,x,x,x)+185j
		mov	[ebp+var_8], ecx
		mov	eax, ecx
		cmp	ecx, esi
		ja	loc_62A937

loc_62A857:				; CODE XREF: MiSetGraphicsPtes(x,x,x,x,x,x)+172j
		mov	edi, eax
		and	edi, 0FFFFF000h
		add	edi, 0FF8h
		cmp	edi, esi
		jbe	short loc_62A86B
		mov	edi, esi

loc_62A86B:				; CODE XREF: MiSetGraphicsPtes(x,x,x,x,x,x)+AEj
		lea	ecx, [ebp+var_1C]
		mov	edx, eax
		push	ecx
		mov	ecx, [ebp+var_4]
		call	MiLockLowestValidPageTable
		mov	edx, [ebp+var_8]
		mov	ecx, eax
		mov	eax, edx
		mov	[ebp+var_1C], ecx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	ecx, eax
		jnz	short loc_62A8BE
		cmp	[ebp+arg_C], 0
		jnz	short loc_62A8C4
		mov	[ebp+var_8], edx
		mov	eax, edx
		cmp	edx, edi
		ja	short loc_62A8F0

loc_62A8A3:				; CODE XREF: MiSetGraphicsPtes(x,x,x,x,x,x)+103j
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		or	ecx, eax
		jnz	loc_62A946
		mov	eax, [ebp+var_8]
		add	eax, 8
		mov	[ebp+var_8], eax
		cmp	eax, edi
		jbe	short loc_62A8A3

loc_62A8BE:				; CODE XREF: MiSetGraphicsPtes(x,x,x,x,x,x)+D9j
		cmp	[ebp+arg_C], 0
		jz	short loc_62A8F0

loc_62A8C4:				; CODE XREF: MiSetGraphicsPtes(x,x,x,x,x,x)+DFj
		mov	ecx, [ebp+arg_4]
		mov	eax, edi
		sub	eax, edx
		shr	ecx, 0Ch
		sar	eax, 3
		xor	edx, edx
		inc	eax
		div	ecx
		cmp	[ebp+var_24], 0
		jz	short loc_62A8E9
		imul	eax, [ebp+arg_4]
		add	[ebp+var_C], eax
		adc	[ebp+var_14], 0
		jmp	short loc_62A8F0
; 

loc_62A8E9:				; CODE XREF: MiSetGraphicsPtes(x,x,x,x,x,x)+121j
		test	ebx, ebx
		jz	short loc_62A8F0
		lea	ebx, [ebx+eax*8]

loc_62A8F0:				; CODE XREF: MiSetGraphicsPtes(x,x,x,x,x,x)+E8j
					; MiSetGraphicsPtes(x,x,x,x,x,x)+109j ...
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_4]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	ecx, [ebp+var_4]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_62A910
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_62A923

loc_62A910:				; CODE XREF: MiSetGraphicsPtes(x,x,x,x,x,x)+14Cj
		mov	dl, byte ptr [ebp+arg_0+3]
		mov	ecx, [ebp+var_4]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_4]
		call	MiLockWorkingSetShared

loc_62A923:				; CODE XREF: MiSetGraphicsPtes(x,x,x,x,x,x)+155j
		lea	eax, [edi+8]
		mov	[ebp+var_8], eax
		cmp	eax, esi
		jbe	loc_62A857
		mov	edi, [ebp+arg_C]
		mov	ecx, [ebp+var_18]

loc_62A937:				; CODE XREF: MiSetGraphicsPtes(x,x,x,x,x,x)+98j
		inc	edi
		mov	[ebp+arg_C], edi
		cmp	edi, 2
		jb	loc_62A84A
		jmp	short loc_62A958
; 

loc_62A946:				; CODE XREF: MiSetGraphicsPtes(x,x,x,x,x,x)+F2j
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_20], 0C0000018h
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_62A958:				; CODE XREF: MiSetGraphicsPtes(x,x,x,x,x,x)+18Bj
		mov	dl, byte ptr [ebp+arg_0+3]
		mov	ecx, [ebp+var_4]
		call	MiUnlockWorkingSetShared
		mov	eax, [ebp+var_20]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiSetGraphicsPtes@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiCopySinglePage(int,size_t,int,char)
_MiCopySinglePage@24 proc near		; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+19Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_F		= byte ptr  17h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		mov	ecx, ebx
		mov	edi, ebx
		shr	ecx, 5
		and	edi, 1Fh
		mov	[ebp+var_4], ecx
		cmp	ebx, ds:dword_6D07B0
		jbe	short loc_62A996
		xor	eax, eax
		jmp	short loc_62A9A5
; 

loc_62A996:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+23j
		mov	eax, ds:dword_6D35B8
		mov	eax, [eax+ecx*4]
		mov	ecx, edi
		shr	eax, cl
		and	eax, 1

loc_62A9A5:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+27j
		test	eax, eax
		jz	loc_62AB5A
		imul	esi, ebx, 1Ch
		add	esi, ds:_MmPfnDatabase
		test	[ebp+arg_C], 1
		jz	short loc_62A9CA
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	dl, al
		mov	[ebp+arg_F], al
		jmp	short loc_62A9CF
; 

loc_62A9CA:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+4Dj
		mov	dl, 21h
		mov	[ebp+arg_F], dl

loc_62A9CF:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+5Bj
		cmp	ebx, ds:dword_6D07B0
		ja	loc_62AB42
		mov	ecx, [ebp+var_4]
		mov	eax, ds:dword_6D35B8
		mov	eax, [eax+ecx*4]
		mov	ecx, edi
		shr	eax, cl
		and	eax, 1
		jz	loc_62AB42
		cmp	byte ptr [esi+17h], 0
		jl	loc_62AB23
		movzx	eax, byte ptr [esi+16h]
		shr	eax, 6
		mov	[ebp+var_4], eax
		cmp	eax, 3
		jnz	short loc_62AA18
		xor	edx, edx
		mov	ecx, esi
		push	1
		inc	edx
		call	MiChangePageAttribute

loc_62AA18:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+9Dj
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	loc_62AAAE
		xor	ecx, ecx
		mov	edx, esi
		inc	ecx
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		or	eax, 20000000h
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	MiMakeValidPte
		and	[ebp+arg_8], 0
		mov	ecx, edi
		mov	ebx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_62AA91
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_62AA74
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	short loc_62AA94

loc_62AA62:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+120j
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	short loc_62AA94
		or	edx, 80000000h
		jmp	short loc_62AA94
; 

loc_62AA74:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+E7j
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_8]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_62AA62
		jmp	short loc_62AA94
; 

loc_62AA91:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+DEj
		mov	ecx, [ebp+arg_8]

loc_62AA94:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+F3j
					; MiCopySinglePage(x,x,x,x,x,x)+FDj ...
		mov	[edi+4], edx
		nop
		mov	[edi], ebx
		test	ecx, ecx
		jz	short loc_62AAA7
		push	edx
		push	ebx
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_62AAA7:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+12Fj
		mov	ebx, edi
		shl	ebx, 9
		jmp	short loc_62AABE
; 

loc_62AAAE:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+B0j
		push	0A0000000h
		xor	edx, edx
		mov	ecx, ebx
		call	MiMapPageInHyperSpaceWorker
		mov	ebx, eax

loc_62AABE:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+13Fj
		push	[ebp+arg_4]	; size_t
		add	ebx, [ebp+arg_0]
		push	ebx		; void *
		push	[ebp+var_8]	; void *
		call	_memcpy
		add	esp, 0Ch
		test	edi, edi
		jz	short loc_62AAE6
		mov	eax, ds:_ZeroPte
		mov	[edi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edi+4], eax
		jmp	short loc_62AAF4
; 

loc_62AAE6:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+165j
		push	80000000h
		mov	dl, 21h
		mov	ecx, ebx
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)

loc_62AAF4:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+177j
		cmp	[ebp+var_4], 3
		jnz	short loc_62AB06
		push	3
		push	3
		pop	edx
		mov	ecx, esi
		call	MiChangePageAttribute

loc_62AB06:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+18Bj
		mov	cl, [ebp+arg_F]
		cmp	cl, 21h
		jz	short loc_62AB1F
		mov	edx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_62AB1F:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+19Fj
		xor	eax, eax
		jmp	short loc_62AB5F
; 

loc_62AB23:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+8Aj
		cmp	dl, 21h
		jz	short loc_62AB3B
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_62AB3B:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+1B9j
		mov	eax, 0C0000709h
		jmp	short loc_62AB5F
; 

loc_62AB42:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+68j
					; MiCopySinglePage(x,x,x,x,x,x)+80j
		cmp	dl, 21h
		jz	short loc_62AB5A
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_62AB5A:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+3Aj
					; MiCopySinglePage(x,x,x,x,x,x)+1D8j
		mov	eax, 0C0000141h

loc_62AB5F:				; CODE XREF: MiCopySinglePage(x,x,x,x,x,x)+1B4j
					; MiCopySinglePage(x,x,x,x,x,x)+1D3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiCopySinglePage@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTranslatePageForCopy(x, x, x, x, x)
_MiTranslatePageForCopy@20 proc	near	; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+250p

var_88		= dword	ptr -88h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_30		= byte ptr -30h
var_2C		= dword	ptr -2Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	[ebp+var_7C], eax
		mov	esi, edx
		mov	eax, [ebp+arg_4]
		push	edi
		mov	[ebp+var_68], eax
		mov	edi, ecx
		xor	eax, eax
		mov	[ebp+var_78], esi
		push	40h		; size_t
		push	eax		; int
		mov	[ebp+var_88], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_4C]
		push	eax		; void *
		mov	[ebp+var_74], edi
		mov	[ebp+var_50], ebx
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		push	50h		; size_t
		push	eax		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_7C]
		or	ecx, 0FFFFFFFFh
		add	esp, 0Ch
		mov	edx, edi
		mov	[eax], ecx
		xor	ecx, ecx
		mov	eax, [ebp+var_68]
		mov	[eax], ecx
		lea	eax, [ebp+var_4C]
		mov	[ebx], ecx
		mov	[ebx+4], ecx
		xor	ebx, ebx
		push	eax		; void *
		push	ebx		; int
		push	ebx		; char
		call	_MiInitializePageFaultPacket@20	; MiInitializePageFaultPacket(x,x,x,x,x)
		cmp	edi, 0C0000000h
		jb	short loc_62ABF8
		cmp	edi, 0C07FFFFFh
		jbe	short loc_62AC1D

loc_62ABF8:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+88j
		mov	ecx, ds:_MmPfnDatabase
		cmp	edi, ecx
		jb	short loc_62AC11
		mov	eax, ds:dword_6D07B0
		inc	eax
		imul	eax, 1Ch
		add	eax, ecx
		cmp	edi, eax
		jb	short loc_62AC1D

loc_62AC11:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+9Aj
		mov	ecx, edi
		call	_MiVaInWsleSpace@4 ; MiVaInWsleSpace(x)
		cmp	eax, 8
		jz	short loc_62AC27

loc_62AC1D:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+90j
					; MiTranslatePageForCopy(x,x,x,x,x)+A9j
		mov	eax, 0C00000EFh
		jmp	loc_62B0D9
; 

loc_62AC27:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+B5j
		cmp	edi, ds:dword_6D2E88
		jb	short loc_62AC9F
		cmp	edi, ds:dword_6D2E8C
		ja	short loc_62AC9F
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		add	esi, 240h
		mov	ecx, esi
		mov	[ebp+var_38], esi
		call	MiLockWorkingSetShared
		mov	edx, [ebp+var_40]
		mov	ecx, esi
		mov	[ebp+var_30], al
		lea	eax, [ebp+var_58]
		push	eax
		call	MiLockLowestValidPageTable
		mov	ecx, eax
		mov	eax, edi
		shr	eax, 12h
		and	eax, 3FF8h
		mov	[ebp+var_2C], ecx
		sub	eax, 3FA00000h
		cmp	ecx, eax
		jz	loc_62ADDC
		mov	eax, [ebp+var_58]
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		mov	ebx, 0C0000005h
		or	ecx, eax
		jz	short loc_62AC97

loc_62AC92:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+370j
					; MiTranslatePageForCopy(x,x,x,x,x)+477j ...
		mov	ebx, 0C00000D8h

loc_62AC97:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+12Aj
					; MiTranslatePageForCopy(x,x,x,x,x)+3FFj ...
		or	ecx, 0FFFFFFFFh
		jmp	loc_62B0B8
; 

loc_62AC9F:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+C7j
					; MiTranslatePageForCopy(x,x,x,x,x)+CFj
		cmp	edi, ds:dword_6D07D0
		jnb	short loc_62ACCF
		mov	edx, ebx

loc_62ACA9:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+1A2j
		push	5

loc_62ACAB:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+18Fj
					; MiTranslatePageForCopy(x,x,x,x,x)+198j
		pop	ecx

loc_62ACAC:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+17Cj
					; MiTranslatePageForCopy(x,x,x,x,x)+1A7j
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)

loc_62ACB1:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+1B0j
		or	dword ptr [esi+4], 4
		mov	ecx, eax
		push	esi
		push	ebx
		push	edx
		mov	edx, edi
		call	MiSynchronizeSystemVa
		test	eax, eax
		jnz	short loc_62AD22
		mov	eax, 0C00000A0h
		jmp	loc_62B0D9
; 

loc_62ACCF:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+13Fj
		mov	eax, edi
		shr	eax, 15h
		movzx	edx, byte ptr ds:dword_6D3994[eax]
		cmp	edx, 8
		jnz	short loc_62ACE4
		xor	ecx, ecx
		jmp	short loc_62ACAC
; 

loc_62ACE4:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+178j
		cmp	edx, 1
		jz	short loc_62AD0F
		cmp	edx, 0Bh
		jz	short loc_62AD0F
		cmp	edx, 6
		jnz	short loc_62ACF7
		push	2
		jmp	short loc_62ACAB
; 

loc_62ACF7:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+18Bj
		cmp	edx, 9
		jnz	short loc_62AD00
		push	3
		jmp	short loc_62ACAB
; 

loc_62AD00:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+194j
		cmp	edx, 3
		jz	short loc_62AD0A
		cmp	edx, 0Ch
		jnz	short loc_62ACA9

loc_62AD0A:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+19Dj
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_62ACAC
; 

loc_62AD0F:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+181j
					; MiTranslatePageForCopy(x,x,x,x,x)+186j
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		test	eax, eax
		jnz	short loc_62ACB1
		mov	eax, 0C0000005h
		jmp	loc_62B0D9
; 

loc_62AD22:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+15Dj
		add	esi, 18h
		lea	edi, [ebp+var_38]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_78]
		mov	eax, [edi+10h]
		test	eax, eax
		jz	loc_62ADDC
		mov	eax, [ebp+eax*4+var_40]
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		nop
		mov	edx, [ebp+var_4C]
		xor	esi, esi
		mov	edi, [edi+10h]
		inc	esi
		shrd	ecx, eax, 0Ch
		shr	edx, 0Ch
		and	ecx, 1FFFFFFh
		mov	[ebp+var_50], ecx
		test	edi, edi
		jz	short loc_62AD7C

loc_62AD62:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+211j
		mov	eax, edx
		shr	edx, 9
		and	eax, 1FFh
		imul	eax, esi
		shl	esi, 9
		add	ecx, eax
		sub	edi, 1
		jnz	short loc_62AD62
		mov	[ebp+var_50], ecx

loc_62AD7C:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+1FAj
		cmp	ecx, ds:dword_6D07B0
		ja	loc_62B0B0
		mov	eax, ds:dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_62B0B0
		mov	ecx, [ebp+var_50]
		xor	edx, edx
		imul	esi, ecx, 1Ch
		mov	[ebp+var_6C], edx
		add	esi, 10h
		add	esi, ds:_MmPfnDatabase
		lock bts dword ptr [esi], 1Fh
		jnb	loc_62B0B8

loc_62ADC2:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+268j
					; MiTranslatePageForCopy(x,x,x,x,x)+26Fj
		lea	ecx, [ebp+var_6C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_62ADC2
		lock bts dword ptr [esi], 1Fh
		jb	short loc_62ADC2
		jmp	loc_62AEB0
; 

loc_62ADDC:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+114j
					; MiTranslatePageForCopy(x,x,x,x,x)+1CEj
		mov	esi, [ebp+var_40]
		mov	byte ptr [ebp+var_54], 21h
		jmp	short loc_62AE31
; 

loc_62ADE5:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+2DFj
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		mov	eax, ecx
		jnz	loc_62AF11
		and	eax, 3E0h
		xor	edx, edx
		cmp	eax, 300h
		jz	loc_62AFC5
		or	eax, edx
		jz	loc_62AFC5
		and	ecx, 800h
		or	ecx, edx
		jz	loc_62AEF4
		lea	edx, [ebp+var_54]
		mov	ecx, esi
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		test	eax, eax
		jnz	loc_62AEB8

loc_62AE31:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+27Dj
		mov	ecx, [esi]
		nop
		mov	edx, [esi+4]
		mov	eax, ecx
		and	eax, 1
		mov	[ebp+var_60], edx
		or	eax, 0
		mov	[ebp+var_64], ecx
		jz	short loc_62ADE5
		nop
		shrd	ecx, edx, 0Ch
		and	ecx, 1FFFFFFh
		mov	[ebp+var_50], ecx
		cmp	ecx, ds:dword_6D07B0
		ja	loc_62B0B3
		mov	eax, ds:dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_62B0B0
		mov	ecx, [ebp+var_50]
		xor	edx, edx
		imul	esi, ecx, 1Ch
		mov	[ebp+var_80], edx
		add	esi, 10h
		add	esi, ds:_MmPfnDatabase
		lock bts dword ptr [esi], 1Fh
		jnb	loc_62B0B8

loc_62AE9B:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+341j
					; MiTranslatePageForCopy(x,x,x,x,x)+348j
		lea	ecx, [ebp+var_80]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_62AE9B
		lock bts dword ptr [esi], 1Fh
		jb	short loc_62AE9B

loc_62AEB0:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+271j
		mov	ecx, [ebp+var_50]
		jmp	loc_62B0B8
; 

loc_62AEB8:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+2C5j
		mov	cl, [eax+16h]
		test	cl, 20h
		jnz	short loc_62AED3
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		jmp	loc_62B0B8
; 

loc_62AED3:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+358j
		test	cl, 8
		jnz	loc_62AC92
		lea	ecx, [ebp+var_5C]
		mov	[ebp+var_5C], 1
		push	ecx
		push	[ebp+var_54]
		xor	ecx, ecx
		mov	edx, eax
		push	ecx
		jmp	loc_62B083
; 

loc_62AEF4:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+2B3j
		lea	ecx, [ebp+var_64]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		or	ecx, 0FFFFFFFFh
		test	eax, eax
		jz	loc_62B0A9
		mov	ebx, 0C00000D8h
		jmp	loc_62B0B8
; 

loc_62AF11:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+28Bj
		xor	esi, esi
		and	eax, 2
		or	eax, esi
		mov	esi, edx
		jz	short loc_62AF6A
		mov	eax, ds:dword_6D0704
		mov	ebx, esi
		mov	edi, ds:dword_6D0700
		mov	[ebp+var_58], eax
		mov	eax, edi
		or	eax, [ebp+var_58]
		jz	short loc_62AF49
		mov	eax, ecx
		xor	esi, esi
		and	eax, 10h
		or	eax, esi
		jnz	short loc_62AF47
		mov	esi, [ebp+var_58]
		not	esi
		and	esi, ebx
		jmp	short loc_62AF49
; 

loc_62AF47:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+3D6j
		mov	esi, ebx

loc_62AF49:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+3CBj
					; MiTranslatePageForCopy(x,x,x,x,x)+3DFj
		xor	eax, eax
		cmp	esi, eax
		jnz	short loc_62AF55
		and	ecx, 0FFFFFBFFh

loc_62AF55:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+3E7j
		mov	eax, [ebp+var_50]
		and	ecx, 0FFFFFFFDh
		mov	ebx, 111h
		mov	[eax], ecx
		mov	[eax+4], edx
		jmp	loc_62AC97
; 

loc_62AF6A:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+3B4j
		mov	edi, ds:dword_6D0704
		mov	eax, ds:dword_6D0700
		mov	[ebp+var_5C], edi
		or	eax, edi
		mov	edi, [ebp+var_74]
		mov	[ebp+var_50], edx
		mov	[ebp+var_58], esi
		jz	short loc_62AFA0
		mov	eax, ecx
		xor	esi, esi
		and	eax, 10h
		or	eax, esi
		jnz	short loc_62AF9A
		mov	esi, [ebp+var_5C]
		not	esi
		and	esi, [ebp+var_58]
		jmp	short loc_62AF9D
; 

loc_62AF9A:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+428j
		mov	esi, [ebp+var_58]

loc_62AF9D:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+432j
		mov	[ebp+var_50], esi

loc_62AFA0:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+41Dj
		push	edx
		push	ecx
		call	_MiIsPrototypePteVadLookup@8 ; MiIsPrototypePteVadLookup(x,x)
		test	eax, eax
		jz	short loc_62AFCF
		lea	eax, [ebp+var_88]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_70]
		call	MiCheckVirtualAddress
		mov	esi, eax
		mov	[ebp+var_50], esi
		test	esi, esi
		jnz	short loc_62AFCF

loc_62AFC5:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+29Dj
					; MiTranslatePageForCopy(x,x,x,x,x)+2A5j ...
		mov	ebx, 0C0000005h
		jmp	loc_62AC97
; 

loc_62AFCF:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+443j
					; MiTranslatePageForCopy(x,x,x,x,x)+45Dj
		lea	edx, [ebp+var_54]
		mov	ecx, esi
		call	MiLockProtoPoolPage
		mov	esi, eax
		test	esi, esi
		jz	loc_62AC92
		mov	ecx, [ebp+var_50]
		xor	edx, edx
		call	MiLockLeafPage
		mov	edi, eax
		mov	eax, [ebp+var_50]
		mov	edx, [eax]
		nop
		mov	eax, [eax+4]
		mov	ecx, edx
		mov	[ebp+var_70], eax
		and	ecx, 1
		mov	[ebp+var_60], eax
		xor	eax, eax
		or	ecx, eax
		mov	[ebp+var_64], edx
		jz	short loc_62B026

loc_62B00C:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+4FEj
		sub	edi, ds:_MmPfnDatabase
		mov	eax, edi
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	ecx, eax
		mov	eax, [ebp+var_68]
		mov	[eax], esi
		jmp	loc_62B0B8
; 

loc_62B026:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+4A4j
		mov	eax, edx
		or	eax, [ebp+var_70]
		jnz	short loc_62B039
		mov	dl, byte ptr [ebp+var_54]
		mov	ecx, esi
		call	MiUnlockProtoPoolPage
		jmp	short loc_62AFC5
; 

loc_62B039:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+4C5j
		mov	eax, edx
		xor	ecx, ecx
		and	eax, 400h
		or	eax, ecx
		jz	short loc_62B055
		mov	ecx, esi

loc_62B048:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+504j
		mov	dl, byte ptr [ebp+var_54]

loc_62B04B:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+539j
		call	MiUnlockProtoPoolPage
		jmp	loc_62AC92
; 

loc_62B055:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+4DEj
		and	edx, 800h
		or	edx, ecx
		jz	short loc_62B090
		mov	al, [edi+16h]
		test	al, 20h
		jz	short loc_62B00C
		mov	ecx, esi
		test	al, 8
		jnz	short loc_62B048
		xor	ebx, ebx
		inc	ebx
		mov	edx, ebx
		call	_MiObtainProtoReference@8 ; MiObtainProtoReference(x,x)
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_5C], ebx
		push	eax
		push	[ebp+var_54]
		mov	edx, edi
		push	esi

loc_62B083:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+389j
		lea	ecx, [ebp+var_4C]
		call	MiWaitForCollidedFaultComplete
		jmp	loc_62AC92
; 

loc_62B090:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+4F7j
		lea	ecx, [ebp+var_64]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		mov	dl, byte ptr [ebp+var_54]
		mov	ecx, esi
		test	eax, eax
		jnz	short loc_62B04B
		call	MiUnlockProtoPoolPage
		or	ecx, 0FFFFFFFFh

loc_62B0A9:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+39Bj
		mov	ebx, 111h
		jmp	short loc_62B0B8
; 

loc_62B0B0:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+21Cj
					; MiTranslatePageForCopy(x,x,x,x,x)+237j ...
		mov	ecx, [ebp+var_50]

loc_62B0B3:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+2F5j
		mov	ebx, 0C0000141h

loc_62B0B8:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+134j
					; MiTranslatePageForCopy(x,x,x,x,x)+256j ...
		mov	eax, [ebp+var_78]
		lea	esi, [ebp+var_38]
		lea	edi, [eax+18h]
		movsd
		movsd
		movsd
		movsd
		test	ebx, ebx
		js	short loc_62B0D0
		mov	eax, [ebp+var_7C]
		mov	[eax], ecx
		jmp	short loc_62B0D7
; 

loc_62B0D0:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+561j
		mov	ecx, eax
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)

loc_62B0D7:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+568j
		mov	eax, ebx

loc_62B0D9:				; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+BCj
					; MiTranslatePageForCopy(x,x,x,x,x)+164j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_MiTranslatePageForCopy@20 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1388. MmCopyMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmCopyMemory(x, x, x, x, x,	x)
		public _MmCopyMemory@24
_MmCopyMemory@24 proc near

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_40		= dword	ptr -40h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A8h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+0A8h+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+0A8h+var_9C], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_C]
		mov	[esp+0ACh+var_98], eax
		mov	eax, [ebp+arg_14]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[esp+0B0h+var_84], eax
		xor	eax, eax
		push	50h		; size_t
		push	eax		; int
		lea	eax, [esp+0B8h+var_58]
		mov	[esp+0B8h+var_A4], esi
		push	eax		; void *
		call	_memset
		mov	eax, [esp+0BCh+var_84]
		xor	ecx, ecx
		mov	[esp+0BCh+var_80], ecx
		add	esp, 0Ch
		mov	[eax], ecx
		mov	ecx, dword ptr [ebp+arg_10]
		test	ecx, ecx
		jz	loc_62B4A2
		test	ecx, 0FFFFFFFCh
		jnz	loc_62B4A2
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	loc_62B4A2
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		ja	loc_62B4A2
		mov	eax, dword ptr [ebp+arg_10]
		and	eax, 1
		mov	[esp+0B0h+var_88], eax
		jz	short loc_62B1A0
		push	[esp+0B0h+var_98]
		mov	ecx, esi
		push	edi
		call	_MiCheckPhysicalAddressRange@12	; MiCheckPhysicalAddressRange(x,x,x)
		test	eax, eax
		jnz	short loc_62B1D2

loc_62B196:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+B6j
					; MmCopyMemory(x,x,x,x,x,x)+C3j ...
		mov	eax, 0C0000018h
		jmp	loc_62B4A7
; 

loc_62B1A0:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+95j
		lea	ecx, [edi+esi]
		cmp	ecx, edi
		jbe	short loc_62B196
		mov	eax, ds:_MmHighestUserAddress
		cmp	edi, eax
		ja	short loc_62B1CA
		cmp	ecx, eax
		ja	short loc_62B196
		push	[esp+0B0h+var_84]
		push	esi
		push	[esp+0B8h+var_9C]
		push	edi
		push	0FFFFFFFFh
		call	_ZwReadVirtualMemory@20	; ZwReadVirtualMemory(x,x,x,x,x)
		jmp	loc_62B4A7
; 

loc_62B1CA:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+BFj
		cmp	edi, ds:dword_6D07D0
		jb	short loc_62B196

loc_62B1D2:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+A5j
		mov	eax, [esp+0B0h+var_A4]
		xor	ecx, ecx
		mov	ecx, large fs:124h
		mov	esi, edi
		add	eax, 0FFFh
		mov	[esp+0B0h+var_6C], ecx
		and	esi, 0FFFh
		add	eax, esi
		mov	[esp+0B0h+var_90], esi
		mov	ecx, [ecx+80h]
		shr	eax, 0Ch
		mov	[esp+0B0h+var_68], ecx
		mov	edx, eax
		mov	ecx, offset dword_6D35E0
		mov	[esp+0B0h+var_78], eax
		call	MiReservePtes
		and	[esp+0B0h+var_A8], 0
		mov	ecx, 1000h
		sub	ecx, esi
		mov	[esp+0B0h+var_64], eax
		mov	[esp+0B0h+var_8C], eax
		mov	eax, [esp+0B0h+var_A4]
		mov	[esp+0B0h+var_A0], ecx
		cmp	ecx, eax
		jbe	short loc_62B237
		mov	[esp+0B0h+var_A0], eax

loc_62B237:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+142j
		mov	edx, [esp+0B0h+var_88]
		test	edx, edx
		jz	short loc_62B24F
		mov	edx, [esp+0B0h+var_98]
		mov	ecx, edi
		shrd	ecx, edx, 0Ch
		mov	edx, [esp+0B0h+var_88]
		jmp	short loc_62B252
; 

loc_62B24F:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+14Ej
		or	ecx, 0FFFFFFFFh

loc_62B252:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+15Ej
		mov	[esp+0B0h+var_94], ecx
		test	eax, eax
		jz	loc_62B47A

loc_62B25E:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+236j
		xor	eax, eax
		mov	[esp+0B0h+var_7C], eax
		mov	[esp+0B0h+var_60], eax
		mov	[esp+0B0h+var_5C], eax
		test	edx, edx
		jz	loc_62B32A
		mov	[esp+0B0h+var_98], eax

loc_62B278:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+33Ej
		push	dword ptr [ebp+arg_10] ; char
		mov	ecx, [esp+0B4h+var_9C]
		push	[esp+0B4h+var_8C] ; int
		push	[esp+0B8h+var_A0] ; size_t
		push	esi		; int
		mov	esi, [esp+0C0h+var_94]
		mov	edx, esi
		call	_MiCopySinglePage@24 ; MiCopySinglePage(x,x,x,x,x,x)
		cmp	[esp+0B0h+var_98], 0
		mov	[esp+0B0h+var_A8], eax
		jz	short loc_62B2CF
		mov	eax, ds:_MmPfnDatabase
		mov	edx, 7FFFFFFFh
		imul	ecx, esi, 1Ch
		add	eax, 10h
		add	eax, ecx
		lock and [eax],	edx
		mov	ecx, [esp+0B0h+var_7C]
		test	ecx, ecx
		jz	short loc_62B2C2
		mov	dl, 2
		call	MiUnlockProtoPoolPage

loc_62B2C2:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+1CAj
		lea	ecx, [esp+0B0h+var_58]
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)
		mov	eax, [esp+0B0h+var_A8]

loc_62B2CF:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+1ADj
		test	eax, eax
		js	loc_62B47A

loc_62B2D7:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+378j
		mov	ecx, [esp+0B0h+var_A0]

loc_62B2DB:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+35Aj
		mov	eax, [esp+0B0h+var_A4]
		add	edi, ecx
		add	[esp+0B0h+var_80], ecx
		sub	eax, ecx
		add	[esp+0B0h+var_9C], ecx
		mov	ecx, 1000h
		inc	[esp+0B0h+var_94]
		mov	[esp+0B0h+var_A4], eax
		mov	[esp+0B0h+var_A0], eax
		cmp	eax, ecx
		jbe	short loc_62B304
		mov	[esp+0B0h+var_A0], ecx

loc_62B304:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+20Fj
		mov	ecx, [esp+0B0h+var_8C]
		xor	esi, esi
		mov	[esp+0B0h+var_90], esi
		test	ecx, ecx
		jz	short loc_62B319
		add	ecx, 8
		mov	[esp+0B0h+var_8C], ecx

loc_62B319:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+221j
					; MmCopyMemory(x,x,x,x,x,x)+32Cj
		test	eax, eax
		jz	loc_62B47A
		mov	edx, [esp+0B0h+var_88]
		jmp	loc_62B25E
; 

loc_62B32A:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+17Fj
		lea	eax, [esp+0B0h+var_60]
		mov	ecx, edi
		push	eax
		lea	eax, [esp+0B4h+var_7C]
		push	eax
		lea	eax, [esp+0B8h+var_94]
		push	eax
		lea	edx, [esp+0BCh+var_58]
		call	_MiTranslatePageForCopy@20 ; MiTranslatePageForCopy(x,x,x,x,x)
		mov	[esp+0B0h+var_A8], eax
		test	eax, eax
		jns	loc_62B420
		cmp	eax, 0C00000D8h
		jnz	loc_62B47A
		mov	ecx, [esp+0B0h+var_6C]
		xor	eax, eax
		mov	[esp+0B0h+var_74], eax
		mov	[esp+0B0h+var_70], eax
		call	_MiGetEffectivePagePriorityThread@4 ; MiGetEffectivePagePriorityThread(x)
		mov	esi, eax
		mov	[esp+0B0h+var_74], edi
		mov	eax, edi
		and	esi, 7
		and	eax, 1FFFFFh
		mov	ecx, 200000h
		sub	ecx, eax
		or	esi, 80B8h
		mov	eax, [esp+0B0h+var_A4]
		mov	[esp+0B0h+var_70], eax
		cmp	eax, ecx
		jbe	short loc_62B39B
		mov	[esp+0B0h+var_70], ecx

loc_62B39B:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+2A6j
		mov	ecx, ds:dword_6D07D0
		xor	edx, edx
		inc	edx
		cmp	edi, ecx
		jb	short loc_62B3ED
		mov	eax, edi
		shr	eax, 15h
		cmp	byte ptr ds:dword_6D3994[eax], dl
		jz	short loc_62B3C7
		cmp	edi, ecx
		jb	short loc_62B3ED
		mov	eax, edi
		shr	eax, 15h
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_62B3ED

loc_62B3C7:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+2C4j
		mov	eax, [esp+0B0h+var_68]
		cmp	dword ptr [eax+180h], 0
		jz	loc_62B46C
		push	eax
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		test	al, al
		jnz	loc_62B46C
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		mov	edx, eax

loc_62B3ED:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+2B7j
					; MmCopyMemory(x,x,x,x,x,x)+2C8j ...
		cmp	edi, ds:dword_6D2E88
		jb	short loc_62B3FD
		cmp	edi, ds:dword_6D2E8C
		jbe	short loc_62B473

loc_62B3FD:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+304j
		push	esi
		xor	ecx, ecx
		push	edx
		lea	edx, [esp+0B4h+var_70]
		inc	ecx
		call	MiPrefetchVirtualMemory
		mov	[esp+0ACh+var_A4], eax
		test	eax, eax
		js	short loc_62B47A
		mov	esi, [esp+0ACh+var_8C]
		mov	eax, [esp+0ACh+var_A0]
		jmp	loc_62B319
; 

loc_62B420:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+25Bj
		mov	ecx, [esp+0B0h+var_40]
		mov	[esp+0B0h+var_98], ecx
		cmp	eax, 111h
		jnz	loc_62B278
		lea	ecx, [esp+0B0h+var_58]
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)
		mov	ecx, [esp+0B0h+var_A0]
		mov	edx, ecx
		and	[esp+0B0h+var_A8], 0
		test	ecx, ecx
		jz	loc_62B2DB
		mov	ecx, [esp+0B0h+var_9C]
		sub	ecx, esi

loc_62B455:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+376j
		mov	eax, esi
		and	eax, 7
		mov	al, byte ptr [esp+eax+0B0h+var_60]
		mov	[ecx+esi], al
		inc	esi
		sub	edx, 1
		jnz	short loc_62B455
		jmp	loc_62B2D7
; 

loc_62B46C:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+2E3j
					; MmCopyMemory(x,x,x,x,x,x)+2F1j
		mov	esi, 0C0000005h
		jmp	short loc_62B47E
; 

loc_62B473:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+30Cj
		mov	esi, 0C00000EFh
		jmp	short loc_62B47E
; 

loc_62B47A:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+169j
					; MmCopyMemory(x,x,x,x,x,x)+1E2j ...
		mov	esi, [esp+0B0h+var_A8]

loc_62B47E:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+382j
					; MmCopyMemory(x,x,x,x,x,x)+389j
		mov	edx, [esp+0B0h+var_64]
		test	edx, edx
		jz	short loc_62B494
		push	[esp+0B0h+var_78]
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_62B494:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+395j
		mov	eax, [esp+0B4h+var_88]
		mov	ecx, [esp+0B4h+var_84]
		add	[eax], ecx
		mov	eax, esi
		jmp	short loc_62B4A7
; 

loc_62B4A2:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+60j
					; MmCopyMemory(x,x,x,x,x,x)+6Cj ...
		mov	eax, 0C00000F2h

loc_62B4A7:				; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+ACj
					; MmCopyMemory(x,x,x,x,x,x)+D6j ...
		mov	ecx, [esp+0B0h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
_MmCopyMemory@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmTryIdentifyPage(x, x)
_MmTryIdentifyPage@8 proc near		; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+F7p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		imul	esi, ecx, 1Ch
		xor	eax, eax
		mov	[ebp+var_8], edx
		xor	ebx, ebx
		mov	cl, 2
		inc	ebx
		stosd
		stosd
		stosd
		stosd
		add	esi, ds:_MmPfnDatabase
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	dl, al
		lea	edi, [esi+10h]
		mov	[ebp+var_1], dl
		lock bts dword ptr [edi], 1Fh
		jb	short loc_62B520
		test	byte ptr [esi+17h], 40h
		jnz	short loc_62B514
		mov	ecx, esi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	short loc_62B514
		mov	edx, [ebp+var_8]
		call	_MiIdentifyPfn@8 ; MiIdentifyPfn(x,x)
		mov	dl, [ebp+var_1]
		jmp	short loc_62B516
; 

loc_62B514:				; CODE XREF: MmTryIdentifyPage(x,x)+3Dj
					; MmTryIdentifyPage(x,x)+48j
		xor	ebx, ebx

loc_62B516:				; CODE XREF: MmTryIdentifyPage(x,x)+55j
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		jmp	short loc_62B522
; 

loc_62B520:				; CODE XREF: MmTryIdentifyPage(x,x)+37j
		xor	ebx, ebx

loc_62B522:				; CODE XREF: MmTryIdentifyPage(x,x)+61j
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_MmTryIdentifyPage@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetExceptionInfo(x, x, x)
_MiGetExceptionInfo@12 proc near	; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+4E6p
					; sub_91D66A+10p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		push	edi
		xor	edi, edi
		inc	edi
		and	dword ptr [esi], 0
		mov	edx, [ecx]
		mov	eax, [edx]
		cmp	eax, 0C0000005h
		jz	short loc_62B559
		cmp	eax, 80000001h
		jz	short loc_62B559
		cmp	eax, 0C0000006h
		jnz	short loc_62B568

loc_62B559:				; CODE XREF: MiGetExceptionInfo(x,x,x)+18j
					; MiGetExceptionInfo(x,x,x)+1Fj
		cmp	[edx+10h], edi
		jbe	short loc_62B568
		mov	ecx, [ebp+arg_0]
		mov	[esi], edi
		mov	edx, [edx+18h]
		mov	[ecx], edx

loc_62B568:				; CODE XREF: MiGetExceptionInfo(x,x,x)+26j
					; MiGetExceptionInfo(x,x,x)+2Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_MiGetExceptionInfo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMirrorReduceBlackToActiveAndPrivatePages(x)
_MiMirrorReduceBlackToActiveAndPrivatePages@4 proc near
					; CODE XREF: MiMirrorBlackPhase(x)+3Fp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_14], 0
		mov	[ebp+var_1C], ecx
		xor	ecx, ecx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx

loc_62B598:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+223j
		mov	edx, ds:dword_6D3064
		cmp	ecx, edx
		mov	eax, ds:dword_6D3068
		sbb	esi, esi
		mov	[ebp+var_4], edx
		and	esi, ecx
		mov	[ebp+var_C], eax
		lea	edi, [edx-1]

loc_62B5B2:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+CDj
		and	[ebp+var_18], 0
		mov	eax, edi
		sub	eax, esi
		mov	[ebp+var_10], esi
		inc	eax
		cmp	eax, 1
		jnb	short loc_62B5C8
		or	esi, 0FFFFFFFFh
		jmp	short loc_62B62B
; 

loc_62B5C8:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+51j
		mov	ecx, [ebp+var_C]
		mov	eax, edi
		shr	eax, 5
		xor	edx, edx
		inc	edx
		lea	eax, [ecx+eax*4]
		mov	ecx, esi
		mov	[ebp+var_18], eax
		and	ecx, 1Fh
		shl	edx, cl
		mov	eax, esi
		mov	ecx, [ebp+var_C]
		dec	edx
		shr	eax, 5
		lea	esi, [ecx+eax*4]
		mov	eax, [esi]
		not	eax
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_62B60D
		mov	ecx, [ebp+var_18]

loc_62B5FA:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+98j
		add	esi, 4
		cmp	esi, ecx
		ja	short loc_62B642
		mov	eax, [esi]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_62B5FA
		mov	ecx, [ebp+var_C]

loc_62B60D:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+85j
		not	eax
		sub	esi, ecx
		bsf	eax, eax
		sar	esi, 2
		shl	esi, 5
		add	esi, eax
		cmp	esi, edi
		ja	short loc_62B642
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_62B647

loc_62B625:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+D5j
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_4]

loc_62B62B:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+56j
		cmp	[ebp+var_10], 0
		jz	short loc_62B647
		lea	edi, [ecx+1]
		cmp	edi, edx
		jbe	short loc_62B63A
		mov	edi, edx

loc_62B63A:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+C6j
		dec	edi
		xor	esi, esi
		jmp	loc_62B5B2
; 

loc_62B642:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+8Fj
					; MiMirrorReduceBlackToActiveAndPrivatePages(x)+AEj
		or	esi, 0FFFFFFFFh
		jmp	short loc_62B625
; 

loc_62B647:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+B3j
					; MiMirrorReduceBlackToActiveAndPrivatePages(x)+BFj
		cmp	esi, [ebp+var_8]
		jb	loc_62B799
		cmp	esi, 0FFFFFFFFh
		jz	loc_62B799
		mov	eax, ds:dword_6D3064
		cmp	eax, esi
		ja	short loc_62B66B
		and	[ebp+var_4], 0
		jmp	loc_62B76D
; 

loc_62B66B:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+F0j
		mov	ecx, ds:dword_6D3068
		dec	eax
		shr	eax, 5
		mov	edi, esi
		mov	[ebp+var_C], edi
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_8], eax
		mov	eax, esi
		shr	eax, 5
		lea	edx, [ecx+eax*4]
		cmp	edx, [ebp+var_8]
		jz	short loc_62B6C8
		mov	ecx, esi
		and	ecx, 1Fh
		mov	[ebp+var_18], ecx
		mov	ecx, ds:dword_40BA68[ecx*4]
		or	ecx, [edx]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_62B6C8
		sub	edi, [ebp+var_18]
		add	edx, 4
		mov	eax, [ebp+var_8]
		add	edi, 20h
		mov	[ebp+var_C], edi
		cmp	edx, eax
		jnb	short loc_62B6C8

loc_62B6B6:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+153j
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	short loc_62B6C5
		add	edx, 4
		add	edi, 20h
		cmp	edx, eax
		jb	short loc_62B6B6

loc_62B6C5:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+149j
		mov	[ebp+var_C], edi

loc_62B6C8:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+11Bj
					; MiMirrorReduceBlackToActiveAndPrivatePages(x)+131j ...
		mov	ecx, ds:dword_6D3064
		cmp	edi, ecx
		jnb	short loc_62B6E4

loc_62B6D2:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+16Fj
		mov	eax, ds:dword_6D3068
		bt	[eax], edi
		jnb	short loc_62B6E1
		inc	edi
		cmp	edi, ecx
		jb	short loc_62B6D2

loc_62B6E1:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+16Aj
		mov	[ebp+var_C], edi

loc_62B6E4:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+160j
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		cmp	edx, [ebp+var_8]
		jz	short loc_62B735
		mov	ecx, [edx]
		mov	eax, edi
		and	eax, 1Fh
		mov	[ebp+var_18], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		jnz	short loc_62B732
		push	20h
		pop	ecx
		sub	ecx, [ebp+var_18]
		mov	[ebp+var_4], ecx
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_62B761
		add	edx, 4
		jmp	short loc_62B72B
; 

loc_62B718:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+1BEj
		cmp	dword ptr [edx], 0
		jnz	short loc_62B735
		add	ecx, 20h
		add	edx, 4
		mov	[ebp+var_4], ecx
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_62B761

loc_62B72B:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+1A6j
		cmp	edx, [ebp+var_8]
		jb	short loc_62B718
		jmp	short loc_62B735
; 

loc_62B732:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+193j
		mov	ecx, [ebp+var_4]

loc_62B735:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+17Cj
					; MiMirrorReduceBlackToActiveAndPrivatePages(x)+1ABj ...
		mov	eax, ds:dword_6D3064
		lea	edx, [ecx+edi]
		cmp	edx, eax
		jnb	short loc_62B75E
		mov	edi, eax

loc_62B743:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+1E6j
		mov	eax, ds:dword_6D3068
		bt	[eax], edx
		jb	short loc_62B758
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_62B758
		inc	edx
		inc	ecx
		cmp	edx, edi
		jb	short loc_62B743

loc_62B758:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+1DBj
					; MiMirrorReduceBlackToActiveAndPrivatePages(x)+1E0j
		mov	edi, [ebp+var_C]
		mov	[ebp+var_4], ecx

loc_62B75E:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+1CFj
		cmp	ecx, 0FFFFFFFFh

loc_62B761:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+1A1j
					; MiMirrorReduceBlackToActiveAndPrivatePages(x)+1B9j
		jbe	short loc_62B769
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_4], ecx

loc_62B769:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x):loc_62B761j
		test	ecx, ecx
		jnz	short loc_62B773

loc_62B76D:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+F6j
		mov	edi, ds:dword_6D3064

loc_62B773:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+1FBj
		mov	ecx, [ebp+var_1C]
		sub	edi, esi
		push	edi
		mov	edx, esi
		call	_MiMirrorRemoveInactivePages@12	; MiMirrorRemoveInactivePages(x,x,x)
		mov	ecx, [ebp+var_4]
		add	[ebp+var_14], eax
		add	ecx, esi
		add	ecx, edi
		mov	[ebp+var_8], ecx
		cmp	ecx, ds:dword_6D3064
		jb	loc_62B598

loc_62B799:				; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+DAj
					; MiMirrorReduceBlackToActiveAndPrivatePages(x)+E3j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_MiMirrorReduceBlackToActiveAndPrivatePages@4 endp ; sp	=  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMirrorRemoveBlackChildPartitionPages(x, x)
_MiMirrorRemoveBlackChildPartitionPages@8 proc near ; DATA XREF: MiMirrorBlackPhase(x)+2Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	esi, offset _MiSystemPartition
		jz	short loc_62B7E6
		mov	eax, [ebp+arg_4]
		mov	esi, [esi+38h]
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		test	esi, esi
		jz	short loc_62B7E6
		push	edi
		xor	edi, edi
		cmp	[esi], edi
		jbe	short loc_62B7E5
		push	ebx
		lea	ebx, [esi+8]

loc_62B7CD:				; CODE XREF: MiMirrorRemoveBlackChildPartitionPages(x,x)+40j
		push	dword ptr [ebx+4]
		mov	edx, [ebx]
		mov	ecx, eax
		call	MiMirrorOmitPagesFromCopy
		mov	eax, [ebp+arg_0]
		lea	ebx, [ebx+8]
		inc	edi
		cmp	edi, [esi]
		jb	short loc_62B7CD
		pop	ebx

loc_62B7E5:				; CODE XREF: MiMirrorRemoveBlackChildPartitionPages(x,x)+25j
		pop	edi

loc_62B7E6:				; CODE XREF: MiMirrorRemoveBlackChildPartitionPages(x,x)+Fj
					; MiMirrorRemoveBlackChildPartitionPages(x,x)+1Ej
		pop	esi
		pop	ebp
		retn	8
_MiMirrorRemoveBlackChildPartitionPages@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMirrorRemoveInactivePages(x, x, x)
_MiMirrorRemoveInactivePages@12	proc near
					; CODE XREF: MiMirrorReduceBlackToActiveAndPrivatePages(x)+20Bp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		or	[ebp+var_8], 0FFFFFFFFh
		mov	eax, ecx
		push	ebx
		push	esi
		mov	[ebp+var_18], eax
		xor	ebx, ebx
		mov	eax, [eax+4]
		imul	esi, edx, 1Ch
		mov	[ebp+var_C], eax
		imul	eax, [ebp+arg_0], 1Ch
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], ebx
		add	esi, ds:_MmPfnDatabase
		add	eax, esi
		mov	[ebp+var_14], eax
		cmp	esi, eax
		jnb	loc_62B9CB
		mov	[ebp+var_10], 1Ch

loc_62B82D:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+1C6j
		mov	edx, [esi+18h]
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+arg_0], ecx
		test	edx, (offset loc_7FFFFF+1)
		jz	loc_62B914
		mov	ecx, esi
		call	_MiGetBaseResidentPageForBugCheck@4 ; MiGetBaseResidentPageForBugCheck(x)
		mov	edx, eax
		mov	ecx, edx
		movzx	eax, byte ptr [edx+16h]
		and	eax, 7
		mov	[ebp+var_1C], eax
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		mov	ebx, [edx+4]
		mov	ecx, eax
		test	ebx, ebx
		jz	short loc_62B86B
		or	ebx, 80000000h

loc_62B86B:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+78j
		mov	eax, [edx+18h]
		and	eax, 70000000h
		mov	ecx, ds:_MiLargePageSizes[ecx*4]
		mov	[ebp+var_20], eax
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	[ebp+var_10]
		mov	edx, ecx
		neg	edx
		and	edx, eax
		sub	edx, eax
		mov	eax, [ebp+var_14]
		add	edx, ecx
		sub	eax, esi
		mov	[ebp+arg_0], edx
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, [ebp+arg_0]
		cmp	ecx, eax
		jbe	short loc_62B8AD
		mov	ecx, eax
		mov	[ebp+arg_0], ecx

loc_62B8AD:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+BBj
		mov	eax, [ebp+var_1C]
		cmp	eax, 1
		jbe	loc_62B9D4
		cmp	eax, 5
		jz	loc_62B9D4
		cmp	[ebp+var_20], 10000000h
		jz	loc_62B9D4
		test	byte ptr [ebp+var_C], 40h
		jz	loc_62B98A
		test	ebx, ebx
		jz	loc_62B98A
		mov	ecx, ebx
		call	_MiGetLeafVa@4	; MiGetLeafVa(x)
		mov	ebx, [ebp+var_4]
		cmp	eax, ds:_MmSystemRangeStart
		ja	loc_62B98D

loc_62B8F7:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+13Bj
					; MiMirrorRemoveInactivePages(x,x,x)+149j ...
		mov	ecx, [ebp+arg_0]

loc_62B8FA:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+130j
					; MiMirrorRemoveInactivePages(x,x,x)+1ECj
		test	edi, edi
		jnz	short loc_62B90D
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	[ebp+var_10]
		mov	[ebp+var_8], eax

loc_62B90D:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+111j
		add	edi, ecx
		jmp	loc_62B9A9
; 

loc_62B914:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+51j
		mov	al, [esi+16h]
		and	al, 7
		cmp	al, 6
		jnz	short loc_62B8FA
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_62B8F7
		mov	eax, edx
		and	eax, 70000000h
		cmp	eax, 10000000h
		jz	short loc_62B8F7
		test	dword ptr [esi+10h], 3FFFFFFFh
		jz	short loc_62B94D
		and	edx, offset loc_7FFFFF
		cmp	edx, (offset loc_7FFFFA+3)
		jz	short loc_62B8F7

loc_62B94D:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+152j
		test	byte ptr [ebp+var_C], 40h
		jz	short loc_62B98D
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_62B960
		or	ecx, 80000000h

loc_62B960:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+16Dj
		lea	eax, [ecx+40000000h]
		mov	edx, offset loc_7FFFFF
		cmp	eax, edx
		ja	short loc_62B98D
		shl	ecx, 9
		lea	eax, [ecx+40000000h]
		cmp	eax, edx
		jbe	short loc_62B98D
		cmp	ecx, ds:_MmSystemRangeStart
		jbe	loc_62B8F7
		jmp	short loc_62B98D
; 

loc_62B98A:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+E8j
					; MiMirrorRemoveInactivePages(x,x,x)+F0j
		mov	ebx, [ebp+var_4]

loc_62B98D:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+106j
					; MiMirrorRemoveInactivePages(x,x,x)+166j ...
		test	edi, edi
		jz	short loc_62B9A6
		mov	eax, [ebp+var_18]
		add	ebx, edi
		mov	edx, [ebp+var_8]
		push	edi
		mov	[ebp+var_4], ebx
		mov	ecx, [eax]
		call	MiMirrorOmitPagesFromCopy
		xor	edi, edi

loc_62B9A6:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+1A4j
		mov	ecx, [ebp+arg_0]

loc_62B9A9:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+124j
		imul	eax, ecx, 1Ch
		add	esi, eax
		cmp	esi, [ebp+var_14]
		jb	loc_62B82D
		test	edi, edi
		jz	short loc_62B9CB
		mov	eax, [ebp+var_18]
		add	ebx, edi
		mov	edx, [ebp+var_8]
		push	edi
		mov	ecx, [eax]
		call	MiMirrorOmitPagesFromCopy

loc_62B9CB:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+35j
					; MiMirrorRemoveInactivePages(x,x,x)+1CEj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_62B9D4:				; CODE XREF: MiMirrorRemoveInactivePages(x,x,x)+C8j
					; MiMirrorRemoveInactivePages(x,x,x)+D1j ...
		mov	ebx, [ebp+var_4]
		jmp	loc_62B8FA
_MiMirrorRemoveInactivePages@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetPagesModified(x, x)
_MiSetPagesModified@8 proc near		; CODE XREF: MiCreateNewSection(x,x)+250p

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
ms_exc		= CPPEH_RECORD ptr -18h

		push	98h
		push	offset dword_6A8860
		call	__SEH_prolog4_GS
		mov	[ebp+var_6C], edx
		mov	esi, ecx
		mov	[ebp+var_68], esi
		xor	ebx, ebx
		mov	[ebp+var_8C], ebx
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_44]
		rep stosd
		mov	ecx, offset _MiSystemPartition
		mov	[ebp+var_A0], ecx
		mov	eax, [esi]
		mov	[ebp+var_74], eax
		mov	[ebp+var_7C], eax
		mov	edi, [eax+4]
		mov	[ebp+var_80], edi
		push	ebx
		mov	edx, edi
		call	MiChargeCommit
		test	eax, eax
		jnz	short loc_62BA34
		mov	eax, 0C000012Dh
		jmp	loc_62BD7A
; 

loc_62BA34:				; CODE XREF: MiSetPagesModified(x,x)+4Cj
		mov	eax, [esi+54h]
		mov	[ebp+var_70], eax
		mov	[ebp+var_5C], eax
		lea	eax, [eax+edi*8]
		mov	[ebp+var_88], eax
		mov	eax, large fs:124h
		mov	[ebp+var_84], eax
		mov	ecx, eax
		call	_MiGetEffectivePagePriorityThread@4 ; MiGetEffectivePagePriorityThread(x)
		push	5
		pop	ecx
		cmp	eax, ecx
		ja	short loc_62BA62
		mov	ecx, eax

loc_62BA62:				; CODE XREF: MiSetPagesModified(x,x)+82j
		push	ds:dword_40B6EC
		push	ds:_MiLargeZero
		push	[ebp+var_6C]
		push	ebx
		push	ecx
		xor	edx, edx
		mov	ecx, esi
		call	_MiPrefetchControlArea@28 ; MiPrefetchControlArea(x,x,x,x,x,x,x)
		lea	eax, [ebp+var_44]
		push	eax
		push	3
		pop	edx
		mov	ecx, esi
		call	MiMapImageInSystemSpace
		mov	esi, eax
		test	esi, esi
		jns	short loc_62BAA3
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		call	MiReturnCommit
		mov	eax, esi
		jmp	loc_62BD7A
; 

loc_62BAA3:				; CODE XREF: MiSetPagesModified(x,x)+B2j
		mov	eax, [ebp+var_38]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_44]
		mov	esi, eax
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		mov	[ebp+var_50], ebx
		mov	[ebp+var_6C], ebx
		mov	edx, [ebp+var_70]

loc_62BAC6:				; CODE XREF: MiSetPagesModified(x,x)+3E0j
		mov	[ebp+var_54], eax
		mov	[ebp+var_58], esi
		mov	[ebp+var_64], eax
		cmp	edx, [ebp+var_88]
		jnb	loc_62BCDE
		mov	ecx, [edx]
		nop
		or	ecx, [edx+4]
		jz	loc_62BDA8

loc_62BAE7:				; CODE XREF: MiSetPagesModified(x,x)+26Aj
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+var_64]
		mov	al, [eax]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_4C]
		call	MiLockWorkingSetShared
		mov	[ebp+var_45], al
		lea	eax, [ebp+var_8C]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp+var_4C]
		call	MiLockLowestValidPageTable
		mov	[ebp+var_78], eax
		mov	ecx, esi
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		cmp	eax, ecx
		jnz	loc_62BC31
		mov	ecx, [esi]
		and	ecx, 1
		or	ecx, ebx
		jz	loc_62BC31
		inc	[ebp+var_50]
		mov	[ebp+var_98], ebx
		mov	[ebp+var_94], ebx
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_A4], eax
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_54], ecx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	loc_62BC13
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_90], ebx
		lea	edx, [ecx+10h]
		mov	[ebp+var_58], edx
		lock bts dword ptr [edx], 1Fh
		jnb	short loc_62BBB7

loc_62BB99:				; CODE XREF: MiSetPagesModified(x,x)+1CFj
					; MiSetPagesModified(x,x)+1D6j
		lea	ecx, [ebp+var_90]
		call	KeYieldProcessorEx
		mov	edx, [ebp+var_58]
		mov	eax, [edx]
		test	eax, eax
		js	short loc_62BB99
		lock bts dword ptr [edx], 1Fh
		jb	short loc_62BB99
		mov	ecx, [ebp+var_54]

loc_62BBB7:				; CODE XREF: MiSetPagesModified(x,x)+1BBj
		lea	eax, [ecx+8]
		mov	[ebp+var_94], eax
		mov	eax, [eax]
		and	eax, 400h
		or	eax, ebx
		jnz	short loc_62BBE9
		test	byte ptr [ecx+16h], 8
		jnz	short loc_62BBE9
		push	ebx
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+var_94]
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	[ebp+var_5C], eax
		mov	[ebp+var_60], edx
		mov	ecx, [ebp+var_54]

loc_62BBE9:				; CODE XREF: MiSetPagesModified(x,x)+1EDj
					; MiSetPagesModified(x,x)+1F3j
		or	byte ptr [ecx+16h], 10h
		mov	eax, 7FFFFFFFh
		mov	ecx, [ebp+var_58]
		lock and [ecx],	eax
		mov	ecx, [ebp+var_5C]
		mov	eax, ecx
		mov	edx, [ebp+var_60]
		or	eax, edx
		jz	short loc_62BC13
		push	edx
		push	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_62BC13:				; CODE XREF: MiSetPagesModified(x,x)+19Ej
					; MiSetPagesModified(x,x)+226j
		mov	edx, [ebp+var_78]
		mov	ecx, [ebp+var_4C]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [ebp+var_45]
		mov	ecx, [ebp+var_4C]
		call	MiUnlockWorkingSetShared
		mov	edx, [ebp+var_70]
		jmp	loc_62BDA8
; 

loc_62BC31:				; CODE XREF: MiSetPagesModified(x,x)+14Cj
					; MiSetPagesModified(x,x)+159j
		mov	edx, eax
		mov	ecx, [ebp+var_4C]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [ebp+var_45]
		mov	ecx, [ebp+var_4C]
		call	MiUnlockWorkingSetShared
		jmp	loc_62BAE7
; 

loc_62BC4B:				; DATA XREF: .text:006A8874o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_9C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_62BC5C:				; DATA XREF: .text:006A8878o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_9C]
		cmp	ebx, 0C0000005h
		jz	loc_62BD8A
		mov	eax, [ebp+var_6C]
		test	eax, eax
		jnz	short loc_62BCC5
		mov	esi, [ebp+var_68]
		mov	ecx, esi
		call	MiReferenceControlAreaFile
		mov	edi, eax
		mov	ecx, [edi+4]
		test	byte ptr [ecx+20h], 10h
		push	0
		pop	eax
		setnz	al
		inc	eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_6C], eax
		add	esi, 20h
		mov	ecx, [esi]
		mov	eax, ecx
		jmp	short loc_62BCB0
; 

loc_62BCA1:				; CODE XREF: MiSetPagesModified(x,x)+2D9j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jz	short loc_62BCC2
		mov	ecx, eax

loc_62BCB0:				; CODE XREF: MiSetPagesModified(x,x)+2C3j
		xor	eax, edi
		cmp	eax, 7
		jb	short loc_62BCA1
		push	746C6644h
		push	edi
		call	ObDereferenceObjectDeferDeleteWithTag

loc_62BCC2:				; CODE XREF: MiSetPagesModified(x,x)+2D0j
		mov	eax, [ebp+var_60]

loc_62BCC5:				; CODE XREF: MiSetPagesModified(x,x)+29Aj
		cmp	eax, 2
		jnz	loc_62BD8A
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_7C]
		mov	[ebp+var_74], eax
		mov	edi, [ebp+var_80]

loc_62BCDE:				; CODE XREF: MiSetPagesModified(x,x)+F9j
		mov	esi, [ebp+var_50]
		lea	ecx, [ebp+var_44]
		call	MiUnmapImageInSystemSpace
		mov	ecx, [ebp+var_68]
		call	_MiGetCommittedPages@4 ; MiGetCommittedPages(x)
		mov	[ebp+var_78], eax
		mov	ecx, eax
		sub	ecx, esi
		add	edi, ecx
		jz	short loc_62BD0C
		mov	edx, edi
		mov	ecx, [ebp+var_A0]
		call	MiReturnCommit
		mov	eax, [ebp+var_78]

loc_62BD0C:				; CODE XREF: MiSetPagesModified(x,x)+31Ej
		sub	esi, eax
		jz	short loc_62BD78
		mov	eax, [ebp+var_84]
		dec	word ptr [eax+13Eh]
		nop
		mov	edi, [ebp+var_74]
		add	edi, 1Ch
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	edx, esi
		mov	ecx, [ebp+var_68]
		call	_MiUpdateControlAreaCommitCount@8 ; MiUpdateControlAreaCommitCount(x,x)
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_62BD66
		mov	edx, [edi]
		test	dl, 5
		jnz	short loc_62BD66
		test	dl, al
		jz	short loc_62BD66
		lea	esi, [edx+4]
		mov	ecx, esi
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_62BD66
		push	esi
		mov	ecx, edi
		call	@ExpWakePushLock@8 ; ExpWakePushLock(x,x)

loc_62BD66:				; CODE XREF: MiSetPagesModified(x,x)+366j
					; MiSetPagesModified(x,x)+36Dj	...
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_84]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_62BD78:				; CODE XREF: MiSetPagesModified(x,x)+332j
		mov	eax, ebx

loc_62BD7A:				; CODE XREF: MiSetPagesModified(x,x)+53j
					; MiSetPagesModified(x,x)+C2j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_62BD8A:				; CODE XREF: MiSetPagesModified(x,x)+28Fj
					; MiSetPagesModified(x,x)+2ECj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	eax, [ebp+var_54]
		mov	[ebp+var_64], eax
		mov	esi, [ebp+var_58]
		mov	eax, [ebp+var_7C]
		mov	[ebp+var_74], eax
		mov	edx, [ebp+var_5C]
		mov	edi, [ebp+var_80]

loc_62BDA8:				; CODE XREF: MiSetPagesModified(x,x)+105j
					; MiSetPagesModified(x,x)+250j
		add	edx, 8
		mov	[ebp+var_70], edx
		mov	[ebp+var_5C], edx
		add	esi, 8
		mov	eax, [ebp+var_64]
		add	eax, 1000h
		jmp	loc_62BAC6
_MiSetPagesModified@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiDeleteMappedMdls(x)
_MiDeleteMappedMdls@4 proc near		; CODE XREF: CmpInitializeLoadOptions+88C78p
					; MiEnablePartitionMappedWrites+14EF7Ep
		mov	edi, edi
		push	esi
		lea	esi, [ecx+15Ch]

loc_62BDCA:				; CODE XREF: MiDeleteMappedMdls(x)+28j
		mov	ecx, [esi]
		cmp	ecx, esi
		jz	short loc_62BDF0
		cmp	[ecx+4], esi
		jnz	short loc_62BDEB
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_62BDEB
		xor	edx, edx
		mov	[esi], eax
		inc	edx
		mov	[eax+4], esi
		call	_MiFreeModWriterEntry@8	; MiFreeModWriterEntry(x,x)
		jmp	short loc_62BDCA
; 

loc_62BDEB:				; CODE XREF: MiDeleteMappedMdls(x)+12j
					; MiDeleteMappedMdls(x)+19j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_62BDF0:				; CODE XREF: MiDeleteMappedMdls(x)+Dj
		pop	esi
		retn
_MiDeleteMappedMdls@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFlushAllFilesystemPages(x)
_MiFlushAllFilesystemPages@4 proc near	; CODE XREF: .text:00449590p
					; .text:004540D6p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	edx, edx
		mov	ecx, large fs:124h
		call	_PsQueryThreadStartAddress@8 ; PsQueryThreadStartAddress(x,x)
		mov	esi, eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		ja	loc_62BEE7
		call	_MiIsWorkingSetTrimThread@0 ; MiIsWorkingSetTrimThread()
		test	eax, eax
		jnz	loc_62BEE7
		cmp	esi, offset MiModifiedPageWriter
		jz	loc_62BEE7
		cmp	esi, offset MiMappedPageWriter
		jz	loc_62BEE7
		cmp	edi, 1
		jnz	short loc_62BE78
		inc	eax
		lock xadd ds:dword_6D3030, eax
		inc	eax
		cmp	eax, edi
		jnz	loc_62BEE7
		cmp	ds:byte_6D35B0,	0
		mov	eax, ds:dword_6D5D40
		jz	short loc_62BE78
		inc	dword ptr [eax+14h]
		mov	ecx, offset _MiSystemPartition
		push	4
		pop	edx
		call	MiQueueWorkingSetRequest

loc_62BE78:				; CODE XREF: MiFlushAllFilesystemPages(x)+54j
					; MiFlushAllFilesystemPages(x)+74j
		lock inc ds:dword_6D5008
		mov	eax, ds:dword_6D5F00
		cmp	eax, ds:dword_6D5F58
		jz	short loc_62BEE0
		mov	edi, ds:dword_6D4FC0
		xor	ebx, ebx
		mov	esi, ebx

loc_62BE96:				; CODE XREF: MiFlushAllFilesystemPages(x)+ECj
		push	ebx
		push	ebx
		push	offset unk_6D500C
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	ebx
		push	2
		pop	edx
		mov	ecx, offset _CcNotifyWriteBehindHelper@8 ; CcNotifyWriteBehindHelper(x,x)
		call	CcForEachPartition
		mov	eax, ds:dword_6D5F00
		cmp	eax, ds:dword_6D5F58
		jz	short loc_62BEE0
		push	offset _Mi30Milliseconds
		push	ebx
		push	ebx
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	eax, ds:dword_6D4FC0
		cmp	edi, eax
		jz	short loc_62BED7
		mov	edi, eax
		or	esi, 0FFFFFFFFh

loc_62BED7:				; CODE XREF: MiFlushAllFilesystemPages(x)+DEj
		inc	esi
		cmp	esi, 0FFh
		jb	short loc_62BE96

loc_62BEE0:				; CODE XREF: MiFlushAllFilesystemPages(x)+98j
					; MiFlushAllFilesystemPages(x)+C9j
		lock dec ds:dword_6D5008

loc_62BEE7:				; CODE XREF: MiFlushAllFilesystemPages(x)+26j
					; MiFlushAllFilesystemPages(x)+33j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiFlushAllFilesystemPages@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiDeletePartition(x)
_MiDeletePartition@4 proc near		; CODE XREF: MmCreatePartition(x,x)+114p
					; PspTeardownPartition(x)+2Bp
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		movzx	esi, word ptr [edi]
		call	_MiDrainCrossPartitionUsage@4 ;	MiDrainCrossPartitionUsage(x)
		mov	ecx, edi
		call	_MiDeletePartitionResources@4 ;	MiDeletePartitionResources(x)
		mov	ecx, esi
		call	_MiFreePartitionId@4 ; MiFreePartitionId(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ecx
		retn
_MiDeletePartition@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPartitionWorkingSetManager(x)
_MiPartitionWorkingSetManager@4	proc near ; DATA XREF: MiIsWorkingSetTrimThread()+13o
					; MiInitializePartitionThreads(x)+4Ao

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	11h
		push	eax
		call	KeSetPriorityThread
		lea	eax, [esi+3Ch]
		mov	[ebp+var_C], offset unk_6D3548
		mov	[ebp+var_10], eax
		mov	eax, [esi+0F00h]
		add	eax, 48h
		xor	edi, edi
		mov	[ebp+var_8], eax

loc_62BF57:				; CODE XREF: MiPartitionWorkingSetManager(x)+5Ej
					; MiPartitionWorkingSetManager(x)+6Ej
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	1
		lea	eax, [ebp+var_10]
		push	eax
		push	3
		call	KeWaitForMultipleObjects
		sub	eax, edi
		jz	short loc_62BF87
		sub	eax, 1
		jz	short loc_62BF7C
		sub	eax, 1
		jnz	short loc_62BF57
		xor	edx, edx
		inc	edx
		jmp	short loc_62BF7E
; 

loc_62BF7C:				; CODE XREF: MiPartitionWorkingSetManager(x)+59j
		xor	edx, edx

loc_62BF7E:				; CODE XREF: MiPartitionWorkingSetManager(x)+63j
		mov	ecx, esi
		call	_MiWorkingSetManager@8 ; MiWorkingSetManager(x,x)
		jmp	short loc_62BF57
; 

loc_62BF87:				; CODE XREF: MiPartitionWorkingSetManager(x)+54j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiPartitionWorkingSetManager@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiValidateStrongCodeDriverImage(x, x)
_MiValidateStrongCodeDriverImage@8 proc	near
					; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+351p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	[ebp+var_4], edx
		movzx	edx, word ptr [ecx+14h]
		push	esi
		movzx	esi, word ptr [ecx+6]
		add	edx, 3Ch
		push	edi
		test	esi, esi
		jz	short loc_62C006
		add	edx, ecx

loc_62BFB4:				; CODE XREF: MiValidateStrongCodeDriverImage(x,x)+6Dj
		mov	edi, [edx]
		test	edi, 20000000h
		jz	short loc_62BFFE
		mov	eax, edi
		and	eax, 82000000h
		cmp	eax, 80000000h
		jz	short loc_62C025
		mov	ebx, [edx-14h]
		mov	eax, [edx-1Ch]
		add	eax, 0FFFh
		and	eax, 0FFFFF000h
		lea	ecx, [ebx+0FFFh]
		and	ecx, 0FFFFF000h
		cmp	ecx, eax
		jnb	short loc_62BFFE
		test	byte ptr [ebp+var_4], 1
		jnz	short loc_62C019
		test	ebx, ebx
		jnz	short loc_62C00D
		test	edi, 2000000h
		jz	short loc_62C00D

loc_62BFFE:				; CODE XREF: MiValidateStrongCodeDriverImage(x,x)+25j
					; MiValidateStrongCodeDriverImage(x,x)+53j
		add	edx, 28h
		sub	esi, 1
		jnz	short loc_62BFB4

loc_62C006:				; CODE XREF: MiValidateStrongCodeDriverImage(x,x)+19j
		xor	eax, eax

loc_62C008:				; CODE XREF: MiValidateStrongCodeDriverImage(x,x)+9Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_62C00D:				; CODE XREF: MiValidateStrongCodeDriverImage(x,x)+5Dj
					; MiValidateStrongCodeDriverImage(x,x)+65j
		mov	ds:dword_6CF4F4, 0C4h
		jmp	short loc_62C02F
; 

loc_62C019:				; CODE XREF: MiValidateStrongCodeDriverImage(x,x)+59j
		mov	ds:dword_6CF4F4, 0C3h
		jmp	short loc_62C02F
; 

loc_62C025:				; CODE XREF: MiValidateStrongCodeDriverImage(x,x)+33j
		mov	ds:dword_6CF4F4, 0C2h

loc_62C02F:				; CODE XREF: MiValidateStrongCodeDriverImage(x,x)+80j
					; MiValidateStrongCodeDriverImage(x,x)+8Cj
		mov	eax, 0C000007Bh
		jmp	short loc_62C008
_MiValidateStrongCodeDriverImage@8 endp


;  S U B	R O U T	I N E 


; __stdcall MmLocateUnloadedDriver(x)
_MmLocateUnloadedDriver@4 proc near	; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+500p
					; KeBugCheck2(x,x,x,x,x,x)+5CDp ...
		mov	edi, edi
		push	esi
		mov	esi, ds:_MmUnloadedDrivers
		push	edi
		test	esi, esi
		jz	short loc_62C06F
		mov	edi, ds:_MmLastUnloadedDriver
		xor	edx, edx
		test	edi, edi
		jz	short loc_62C06F
		imul	eax, edi, 18h
		add	eax, 0FFFFFFF0h
		add	eax, esi

loc_62C058:				; CODE XREF: MmLocateUnloadedDriver(x)+37j
		cmp	dword ptr [eax-4], 0
		jz	short loc_62C067
		cmp	ecx, [eax]
		jb	short loc_62C067
		cmp	ecx, [eax+4]
		jb	short loc_62C074

loc_62C067:				; CODE XREF: MmLocateUnloadedDriver(x)+26j
					; MmLocateUnloadedDriver(x)+2Aj
		inc	edx
		sub	eax, 18h
		cmp	edx, edi
		jb	short loc_62C058

loc_62C06F:				; CODE XREF: MmLocateUnloadedDriver(x)+Cj
					; MmLocateUnloadedDriver(x)+18j
		xor	eax, eax

loc_62C071:				; CODE XREF: MmLocateUnloadedDriver(x)+41j
		pop	edi
		pop	esi
		retn
; 

loc_62C074:				; CODE XREF: MmLocateUnloadedDriver(x)+2Fj
		add	eax, 0FFFFFFF8h
		jmp	short loc_62C071
_MmLocateUnloadedDriver@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmReplaceImportEntry(x, x)
_MmReplaceImportEntry@8	proc near	; CODE XREF: KsepPatchImportTableEntry(x,x,x,x)+38p
					; ViThunkReplaceImportEntry(x,x)+4Dp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_10], 0
		cmp	ds:_PsLoadedModuleList,	0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_14], edi
		jz	short loc_62C0EB
		xor	edx, edx
		inc	edx
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_62C2DA
		lea	ecx, [ebp+var_10]
		push	ecx
		push	0Ch
		push	1
		push	dword ptr [eax+18h]
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		test	eax, eax
		jz	short loc_62C0E1
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jz	short loc_62C0E1
		cmp	esi, eax
		jb	short loc_62C0E1
		add	eax, ecx
		cmp	esi, eax
		jb	short loc_62C0EB

loc_62C0E1:				; CODE XREF: MmReplaceImportEntry(x,x)+55j
					; MmReplaceImportEntry(x,x)+5Cj ...
		push	edi
		push	esi
		push	[ebp+var_18]
		jmp	loc_62C2DE
; 

loc_62C0EB:				; CODE XREF: MmReplaceImportEntry(x,x)+2Ej
					; MmReplaceImportEntry(x,x)+66j
		mov	ecx, esi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jz	short loc_62C0FD
		mov	[esi], edi
		jmp	loc_62C2D1
; 

loc_62C0FD:				; CODE XREF: MmReplaceImportEntry(x,x)+7Bj
		mov	ecx, ds:dword_6D07D0
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_C], eax
		mov	eax, esi
		shr	eax, 15h
		cmp	esi, ecx
		jb	short loc_62C13B
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_62C134
		cmp	esi, ecx
		jb	short loc_62C13B
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_62C13B

loc_62C134:				; CODE XREF: MmReplaceImportEntry(x,x)+ACj
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		jmp	short loc_62C143
; 

loc_62C13B:				; CODE XREF: MmReplaceImportEntry(x,x)+A3j
					; MmReplaceImportEntry(x,x)+B0j ...
		xor	ecx, ecx
		inc	ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)

loc_62C143:				; CODE XREF: MmReplaceImportEntry(x,x)+C0j
		mov	ecx, eax
		mov	[ebp+var_8], eax
		xor	edi, edi
		call	MiLockWorkingSetShared
		mov	byte ptr [ebp+var_4+3],	al

loc_62C152:				; CODE XREF: MmReplaceImportEntry(x,x)+17Bj
					; MmReplaceImportEntry(x,x)+1B5j
		test	edi, edi
		jz	short loc_62C16B
		mov	edx, [ebp+var_C]
		test	edx, 0FFFh
		jnz	short loc_62C18C
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_62C16B:				; CODE XREF: MmReplaceImportEntry(x,x)+DBj
		mov	edi, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		push	0
		mov	edx, edi
		call	MiLockPageTableInternal
		mov	edx, [ebp+var_C]

loc_62C18C:				; CODE XREF: MmReplaceImportEntry(x,x)+E6j
		mov	ecx, [edx]
		mov	[ebp+var_10], ecx
		nop
		mov	eax, [edx+4]
		mov	[ebp+var_18], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	short loc_62C1BB
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+var_4+3]
		mov	ecx, [ebp+var_8]
		call	MiUnlockWorkingSetShared
		mov	al, [esi]
		jmp	short loc_62C21A
; 

loc_62C1BB:				; CODE XREF: MmReplaceImportEntry(x,x)+127j
		nop
		mov	eax, ecx
		mov	ecx, [ebp+var_18]
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		mov	[ebp+var_1C], eax
		imul	eax, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	ecx, eax
		mov	[ebp+var_18], eax
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jz	short loc_62C233
		push	0
		push	0FFFFFFFFh
		mov	ecx, esi
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jns	loc_62C152
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+var_4+3]
		mov	ecx, [ebp+var_8]
		call	MiUnlockWorkingSetShared
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_8]
		call	MiCopyOnWriteCheckConditions

loc_62C21A:				; CODE XREF: MmReplaceImportEntry(x,x)+140j
		mov	ecx, [ebp+var_8]
		call	MiLockWorkingSetShared
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		push	0
		call	MiLockPageTableInternal
		jmp	loc_62C152
; 

loc_62C233:				; CODE XREF: MmReplaceImportEntry(x,x)+169j
		mov	eax, [ebp+var_10]
		and	eax, 42h
		or	eax, 0
		jz	short loc_62C245
		mov	ecx, [ebp+var_14]
		mov	[esi], ecx
		jmp	short loc_62C2BC
; 

loc_62C245:				; CODE XREF: MmReplaceImportEntry(x,x)+1C3j
		mov	ecx, [ebp+var_1C]
		xor	edx, edx
		push	80000000h
		call	MiMapPageInHyperSpaceWorker
		mov	ecx, [ebp+var_14]
		and	esi, 0FFFh
		add	eax, esi
		mov	dl, 21h
		push	80000000h
		mov	[eax], ecx
		mov	ecx, eax
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	eax, [ebp+var_18]
		and	[ebp+var_1C], 0
		lea	esi, [eax+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_62C298

loc_62C280:				; CODE XREF: MmReplaceImportEntry(x,x)+213j
					; MmReplaceImportEntry(x,x)+21Aj
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_62C280
		lock bts dword ptr [esi], 1Fh
		jb	short loc_62C280
		mov	eax, [ebp+var_18]

loc_62C298:				; CODE XREF: MmReplaceImportEntry(x,x)+205j
		mov	ecx, eax
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	ecx, 7FFFFFFFh
		lock and [esi],	ecx
		mov	ecx, eax
		or	ecx, edx
		jz	short loc_62C2BC
		push	edx
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		push	eax
		inc	edx
		call	MiReleasePageFileInfo

loc_62C2BC:				; CODE XREF: MmReplaceImportEntry(x,x)+1CAj
					; MmReplaceImportEntry(x,x)+232j
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+var_4+3]
		mov	ecx, [ebp+var_8]
		call	MiUnlockWorkingSetShared

loc_62C2D1:				; CODE XREF: MmReplaceImportEntry(x,x)+7Fj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_62C2DA:				; CODE XREF: MmReplaceImportEntry(x,x)+3Dj
		push	edi
		push	esi
		push	0

loc_62C2DE:				; CODE XREF: MmReplaceImportEntry(x,x)+6Dj
		push	1014h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MmReplaceImportEntry@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCopyKstack(x, x, x)
_MiCopyKstack@12 proc near		; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+29Ep
					; MiStackTheftIsr(x)+66p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		sub	ecx, ds:_MmPfnDatabase
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	eax, ecx
		cdq
		push	1Ch
		pop	ecx
		idiv	ecx
		mov	[ebp+var_C], edi
		mov	ebx, eax
		mov	eax, [edi+4]
		mov	edi, eax
		or	edi, 80000000h
		mov	eax, edi
		shl	eax, 9
		push	1000h		; size_t
		push	eax		; void *
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		shl	eax, 9
		push	eax		; void *
		call	_memcpy
		mov	ecx, [edi]
		add	esp, 0Ch
		nop
		mov	eax, [edi+4]
		nop
		and	ebx, 1FFFFFFh
		xor	edx, edx
		shld	edx, ebx, 0Ch
		and	ecx, 0FFFh
		and	eax, 0FFFFFFE0h
		shl	ebx, 0Ch
		or	ebx, ecx
		or	edx, eax
		mov	[ebp+arg_0], ebx
		mov	[ebp+var_4], edx

loc_62C35C:				; CODE XREF: MiCopyKstack(x,x,x)+8Aj
					; MiCopyKstack(x,x,x)+8Fj
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_8], ecx
		nop
		mov	ecx, [ebp+var_4]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+arg_0]
		cmp	eax, esi
		jnz	short loc_62C35C
		cmp	edx, [ebp+var_8]
		jnz	short loc_62C35C
		mov	edi, [ebp+var_C]
		mov	eax, [ebp+var_10]
		mov	cl, [edi+16h]
		and	cl, 0FDh
		or	cl, 5
		and	dword ptr [edi+18h], 8FFFFFFFh
		mov	[edi+16h], cl
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiCopyKstack@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDoStackCopy(x, x,	x, x)
_MiDoStackCopy@16 proc near		; DATA XREF: MiSwapStackPage(x,x,x,x,x,x,x)+3B8o
					; MiJumpStack(x)+8o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_C]
		mov	ecx, [esi]
		imul	edi, ecx, 1Ch
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_C], esi
		add	edi, ds:_MmPfnDatabase
		cmp	[esi+1Ch], eax
		setnz	al
		inc	eax
		movzx	ebx, ax
		cmp	ecx, ds:dword_6D07B0
		ja	short loc_62C41A
		mov	eax, ds:dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_62C41A
		mov	eax, [edi+18h]
		and	eax, 70000000h
		cmp	eax, 20000000h
		jnz	short loc_62C41A
		mov	ecx, [edi]
		test	ecx, 1FFFFFFEh
		jnz	short loc_62C40C
		xor	ecx, ecx
		jmp	short loc_62C41D
; 

loc_62C40C:				; CODE XREF: MiDoStackCopy(x,x,x,x)+6Aj
		and	ecx, 0FFFFFFFEh
		or	ecx, 0E0000000h
		shl	ecx, 2
		jmp	short loc_62C41D
; 

loc_62C41A:				; CODE XREF: MiDoStackCopy(x,x,x,x)+3Aj
					; MiDoStackCopy(x,x,x,x)+51j ...
		push	0FFFFFFF0h
		pop	ecx

loc_62C41D:				; CODE XREF: MiDoStackCopy(x,x,x,x)+6Ej
					; MiDoStackCopy(x,x,x,x)+7Cj
		cmp	ecx, 0FFFFFFF0h
		jz	short loc_62C461
		mov	al, [edi+16h]
		and	al, 7
		cmp	al, 6
		jnz	short loc_62C461
		cmp	[edi+14h], bx
		jnz	short loc_62C461
		cmp	ecx, 0FFFFFFF8h
		jnz	short loc_62C468
		mov	eax, large fs:124h
		cmp	[esi+0Ch], eax
		jz	short loc_62C468
		push	0
		push	1
		push	3000h
		lea	eax, [ebp+var_C]
		push	eax
		push	offset _MiJumpStackTarget@4 ; MiJumpStackTarget(x)
		call	KeExpandKernelStackAndCalloutInternal
		test	eax, eax
		jns	short loc_62C471
		mov	[esi+14h], eax
		jmp	short loc_62C468
; 

loc_62C461:				; CODE XREF: MiDoStackCopy(x,x,x,x)+84j
					; MiDoStackCopy(x,x,x,x)+8Dj ...
		mov	dword ptr [esi+14h], 0C0000434h

loc_62C468:				; CODE XREF: MiDoStackCopy(x,x,x,x)+98j
					; MiDoStackCopy(x,x,x,x)+A3j ...
		lea	eax, [ebp+var_C]
		push	eax
		call	_MiJumpStackTarget@4 ; MiJumpStackTarget(x)

loc_62C471:				; CODE XREF: MiDoStackCopy(x,x,x,x)+BEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiDoStackCopy@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiJumpStack(x)
_MiJumpStack@4	proc near		; DATA XREF: MiSwapStackPage(x,x,x,x,x,x,x)+3CEo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		push	offset _MiDoStackCopy@16 ; MiDoStackCopy(x,x,x,x)
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		pop	ebp
		retn	4
_MiJumpStack@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiJumpStackTarget(x)
_MiJumpStackTarget@4 proc near		; CODE XREF: MiDoStackCopy(x,x,x,x)+D0p
					; DATA XREF: MiDoStackCopy(x,x,x,x)+B2o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+arg_0]
		or	ecx, 0FFFFFFFFh
		and	[ebp+var_1C], 0
		push	ebx
		push	esi
		mov	ebx, [eax]
		push	edi
		mov	edi, [eax+8]
		mov	eax, ecx
		lock xadd [edi], eax
		dec	eax
		mov	esi, eax
		mov	edx, 80000000h
		not	esi
		and	esi, edx
		test	eax, 7FFFFFFFh
		jnz	loc_62C658
		mov	eax, [edi+4]
		or	eax, esi
		mov	[edi], eax
		cmp	dword ptr [ebx+14h], 0
		jnz	loc_62C678
		imul	edi, [ebx], 1Ch
		xor	eax, eax
		imul	ecx, [ebx+4], 1Ch
		add	edi, ds:_MmPfnDatabase
		add	ecx, ds:_MmPfnDatabase
		cmp	[ebx+1Ch], eax
		mov	[ebp+var_18], ecx
		setnz	al
		and	[ebp+var_C], 0
		inc	eax
		movzx	esi, ax
		mov	eax, [ebx+20h]
		mov	ecx, eax
		mov	[ebp+var_14], esi
		mov	[ebp+var_8], eax
		call	MiLockWorkingSetShared
		and	[ebp+var_10], 0
		mov	[ebp+var_1], al
		lea	eax, [edi+10h]
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_62C538
		lea	esi, [edi+10h]

loc_62C520:				; CODE XREF: MiJumpStackTarget(x)+9Ej
					; MiJumpStackTarget(x)+A5j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_62C520
		lock bts dword ptr [esi], 1Fh
		jb	short loc_62C520
		mov	esi, [ebp+var_14]

loc_62C538:				; CODE XREF: MiJumpStackTarget(x)+8Dj
		cmp	dword ptr [ebx+10h], offset _MiSystemPartition
		mov	eax, [ebx+18h]
		mov	[ebp+var_14], eax
		jnz	loc_62C60A
		mov	edx, esi
		mov	ecx, edi
		call	_MiCanStealKernelStack@8 ; MiCanStealKernelStack(x,x)
		cmp	eax, 1
		jnz	loc_62C60A
		mov	ecx, [edi]
		mov	edx, ecx
		and	ecx, 0FFFFFFFEh
		or	ecx, 0E0000000h
		and	edx, 1FFFFFFEh
		jz	short loc_62C580
		mov	eax, ecx
		shl	eax, 2
		cmp	eax, 0FFFFFFF0h
		jz	loc_62C60A

loc_62C580:				; CODE XREF: MiJumpStackTarget(x)+E2j
		test	edx, edx
		jz	loc_62C60A
		mov	eax, ecx
		shl	eax, 2
		test	eax, eax
		jz	short loc_62C60A
		mov	esi, [edi+4]
		or	esi, 80000000h
		mov	eax, esi
		shl	eax, 9
		cmp	[ebp+var_14], eax
		jnz	short loc_62C60A
		mov	ecx, [ebp+var_8]
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		push	1
		mov	edx, esi
		call	MiLockPageTableInternal
		neg	eax
		sbb	eax, eax
		and	eax, esi
		mov	[ebp+var_C], eax
		jz	short loc_62C60A
		cmp	dword ptr [ebx+1Ch], 0
		jz	short loc_62C5DB
		mov	ecx, edi
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		and	dword ptr [ebx+1Ch], 0

loc_62C5DB:				; CODE XREF: MiJumpStackTarget(x)+140j
		test	ds:_MiFlags, 800h
		jnz	short loc_62C5FF
		push	[ebp+var_18]
		mov	edx, edi
		xor	ecx, ecx
		call	MiSwapStackPageNoDpc
		dec	eax
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000434h
		jmp	short loc_62C60F
; 

loc_62C5FF:				; CODE XREF: MiJumpStackTarget(x)+157j
		mov	ecx, ebx
		call	_MiStackTheftFreezeProcessors@4	; MiStackTheftFreezeProcessors(x)
		xor	eax, eax
		jmp	short loc_62C60F
; 

loc_62C60A:				; CODE XREF: MiJumpStackTarget(x)+B7j
					; MiJumpStackTarget(x)+C9j ...
		mov	eax, 0C0000434h

loc_62C60F:				; CODE XREF: MiJumpStackTarget(x)+16Fj
					; MiJumpStackTarget(x)+17Aj
		lea	ecx, [ebx+14h]
		mov	[ecx], eax
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_62C630
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_62C630:				; CODE XREF: MiJumpStackTarget(x)+196j
		mov	dl, [ebp+var_1]
		mov	ecx, [ebp+var_8]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebx+8]
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		nop
		mov	ecx, [ebx+8]
		mov	edx, 80000000h
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		jmp	short loc_62C675
; 

loc_62C658:				; CODE XREF: MiJumpStackTarget(x)+31j
		mov	eax, [edi]
		and	eax, edx
		cmp	eax, esi
		jz	short loc_62C678

loc_62C660:				; CODE XREF: MiJumpStackTarget(x)+1E5j
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		mov	edx, 80000000h
		and	eax, edx
		cmp	eax, esi
		jnz	short loc_62C660

loc_62C675:				; CODE XREF: MiJumpStackTarget(x)+1C8j
		or	ecx, 0FFFFFFFFh

loc_62C678:				; CODE XREF: MiJumpStackTarget(x)+42j
					; MiJumpStackTarget(x)+1D0j
		mov	ebx, [ebp+arg_0]
		mov	edi, [ebx+8]
		lock xadd [edi], ecx
		dec	ecx
		mov	esi, ecx
		mov	eax, 7FFFFFFFh
		not	esi
		and	esi, edx
		test	ecx, eax
		jnz	short loc_62C69B
		mov	eax, [edi+4]
		or	eax, esi
		mov	[edi], eax
		jmp	short loc_62C6B8
; 

loc_62C69B:				; CODE XREF: MiJumpStackTarget(x)+202j
		mov	eax, [edi]
		and	[ebp+var_20], 0
		and	eax, edx
		jmp	short loc_62C6B4
; 

loc_62C6A5:				; CODE XREF: MiJumpStackTarget(x)+228j
		lea	ecx, [ebp+var_20]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		and	eax, 80000000h

loc_62C6B4:				; CODE XREF: MiJumpStackTarget(x)+215j
		cmp	eax, esi
		jnz	short loc_62C6A5

loc_62C6B8:				; CODE XREF: MiJumpStackTarget(x)+20Bj
		mov	eax, [ebx+4]
		lock dec dword ptr [eax]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiJumpStackTarget@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiStackTheftFreezeProcessors(x)
_MiStackTheftFreezeProcessors@4	proc near ; CODE XREF: MiJumpStackTarget(x)+173p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		imul	edi, [esi+4], 1Ch
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	cl, 1Bh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	0FFFFh
		mov	bl, al
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		push	esi
		push	offset _MiStackTheftIsr@4 ; MiStackTheftIsr(x)
		mov	[esi+28h], eax
		mov	[esi+24h], eax
		call	KeIpiGenericCall
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiStackTheftFreezeProcessors@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiStackTheftIsr(x)
_MiStackTheftIsr@4 proc	near		; DATA XREF: MiStackTheftFreezeProcessors(x)+2Do

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_0]
		mov	cl, 1Fh
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+18h]
		mov	[ebp+var_8], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, [ebp+arg_0]
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_1], al
		mov	ecx, edi
		lea	ebx, [edx+24h]
		lock xadd [ebx], ecx
		dec	ecx
		mov	esi, ecx
		not	esi
		and	esi, 80000000h
		test	ecx, 7FFFFFFFh
		jnz	loc_62C7DF
		mov	eax, [ebx+4]
		or	eax, esi
		mov	[ebx], eax
		imul	edi, [edx], 1Ch
		imul	esi, [edx+4], 1Ch
		push	dword ptr [edx+8]
		add	edi, ds:_MmPfnDatabase
		add	esi, ds:_MmPfnDatabase
		mov	edx, edi
		mov	ecx, esi
		call	_MiCopyKstack@12 ; MiCopyKstack(x,x,x)
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	KeFlushSingleCurrentTb
		mov	edx, edi
		mov	ecx, esi
		call	_MiSwitchKstackPages@8 ; MiSwitchKstackPages(x,x)
		mov	edx, 7FFFFFFFh
		or	eax, 0FFFFFFFFh
		and	[edi+18h], edx
		and	byte ptr [edi+16h], 0C7h
		and	byte ptr [edi+17h], 0DFh
		lock xadd [ebx], eax
		dec	eax
		mov	esi, eax
		mov	edi, 80000000h
		not	esi
		and	esi, edi
		test	eax, edx
		jnz	short loc_62C7C7

loc_62C7BE:				; CODE XREF: MiStackTheftIsr(x)+F3j
		mov	eax, [ebx+4]
		or	eax, esi
		mov	[ebx], eax
		jmp	short loc_62C82B
; 

loc_62C7C7:				; CODE XREF: MiStackTheftIsr(x)+A3j
		and	[ebp+arg_0], 0
		jmp	short loc_62C7D5
; 

loc_62C7CD:				; CODE XREF: MiStackTheftIsr(x)+C2j
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx

loc_62C7D5:				; CODE XREF: MiStackTheftIsr(x)+B2j
		mov	eax, [ebx]
		and	eax, edi
		cmp	eax, esi
		jnz	short loc_62C7CD
		jmp	short loc_62C82B
; 

loc_62C7DF:				; CODE XREF: MiStackTheftIsr(x)+3Fj
		and	[ebp+var_C], 0
		jmp	short loc_62C7ED
; 

loc_62C7E5:				; CODE XREF: MiStackTheftIsr(x)+DFj
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx

loc_62C7ED:				; CODE XREF: MiStackTheftIsr(x)+CAj
		mov	eax, [ebx]
		mov	ecx, 80000000h
		and	eax, ecx
		cmp	eax, esi
		jnz	short loc_62C7E5
		lock xadd [ebx], edi
		dec	edi
		mov	esi, edi
		mov	edx, 7FFFFFFFh
		not	esi
		and	esi, ecx
		test	edi, edx
		jz	short loc_62C7BE
		mov	eax, [ebx]
		and	[ebp+var_10], 0
		and	eax, ecx
		jmp	short loc_62C827
; 

loc_62C818:				; CODE XREF: MiStackTheftIsr(x)+110j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		and	eax, 80000000h

loc_62C827:				; CODE XREF: MiStackTheftIsr(x)+FDj
		cmp	eax, esi
		jnz	short loc_62C818

loc_62C82B:				; CODE XREF: MiStackTheftIsr(x)+ACj
					; MiStackTheftIsr(x)+C4j
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	KeFlushSingleCurrentTb
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiStackTheftIsr@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiSwitchKstackPages(x, x)
_MiSwitchKstackPages@8 proc near	; CODE XREF: MiSwapStackPage(x,x,x,x,x,x,x)+2B1p
					; MiStackTheftIsr(x)+79p
		mov	edi, edi
		push	esi
		push	ecx
		mov	esi, ecx
		call	_MiCopyPfnEntryEx@12 ; MiCopyPfnEntryEx(x,x,x)
		mov	al, [esi+16h]
		and	al, 0FEh
		or	al, 6
		mov	[esi+16h], al
		mov	eax, [esi+18h]
		and	eax, 0AFFFFFFFh
		or	eax, 20000000h
		mov	[esi+18h], eax
		pop	esi
		retn
_MiSwitchKstackPages@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1416. MmGrowKernelStack

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGrowKernelStack(x)
		public _MmGrowKernelStack@4
_MmGrowKernelStack@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	3000h
		push	[ebp+arg_0]
		call	MmGrowKernelStackEx
		pop	ebp
		retn	4
_MmGrowKernelStack@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiShouldYieldProcessor()
_MiShouldYieldProcessor@0 proc near	; CODE XREF: NtUnlockVirtualMemory(x,x,x,x):loc_49FADBp
					; NtUnlockVirtualMemory(x,x,x,x)+609p ...
		jmp	KeShouldYieldProcessor
_MiShouldYieldProcessor@0 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1423. MmIsNonPagedSystemAddressValid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmIsNonPagedSystemAddressValid(x)
		public _MmIsNonPagedSystemAddressValid@4
_MmIsNonPagedSystemAddressValid@4 proc near
					; CODE XREF: VfUtilSynchronizationObjectSanityChecks(x,x)+41p
					; VerifierIoInitializeWorkItem(x,x)+4Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	eax, ds:dword_6D07D0
		jb	short loc_62C8BA
		shr	eax, 15h
		mov	al, byte ptr ds:dword_6D3994[eax]
		cmp	al, 6
		jz	short loc_62C8B6
		cmp	al, 1
		jz	short loc_62C8B6
		cmp	al, 0Bh
		jnz	short loc_62C8BA

loc_62C8B6:				; CODE XREF: MmIsNonPagedSystemAddressValid(x)+1Bj
					; MmIsNonPagedSystemAddressValid(x)+1Fj
		xor	al, al
		jmp	short loc_62C8BC
; 

loc_62C8BA:				; CODE XREF: MmIsNonPagedSystemAddressValid(x)+Ej
					; MmIsNonPagedSystemAddressValid(x)+23j
		mov	al, 1

loc_62C8BC:				; CODE XREF: MmIsNonPagedSystemAddressValid(x)+27j
		pop	ebp
		retn	4
_MmIsNonPagedSystemAddressValid@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiClearCacheFromNode(x)
_MiClearCacheFromNode@4	proc near	; CODE XREF: MiReferenceIoPages+DCCA6p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ecx+18h]
		lea	edx, [ecx+400h]
		jmp	short loc_62C8F4
; 

loc_62C8D1:				; CODE XREF: MiClearCacheFromNode(x)+36j
		mov	ax, [ecx]
		mov	word ptr [ebp+var_4], ax
		test	[ebp+var_4], 3FFFh
		jnz	short loc_62C8F1
		mov	eax, 0C000h
		or	word ptr [ebp+var_4], ax
		mov	ax, word ptr [ebp+var_4]
		mov	[ecx], ax

loc_62C8F1:				; CODE XREF: MiClearCacheFromNode(x)+1Fj
		add	ecx, 2

loc_62C8F4:				; CODE XREF: MiClearCacheFromNode(x)+Fj
		cmp	ecx, edx
		jb	short loc_62C8D1
		leave
		retn
_MiClearCacheFromNode@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetIoPfnCacheAttribute(x,	x)
_MiGetIoPfnCacheAttribute@8 proc near	; CODE XREF: .text:00629E14p

var_4		= word ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [edx+18h]
		and	ecx, 1FFFFFFh
		sub	ecx, [edx+14h]
		mov	ax, [eax+ecx*2]
		mov	[ebp+var_4], ax
		movzx	eax, ax
		shr	eax, 0Eh
		leave
		retn
_MiGetIoPfnCacheAttribute@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIsProbeActive(x, x, x)
_MiIsProbeActive@12 proc near		; CODE XREF: MmIsIoSpaceActive(x,x,x)+29p
					; MiReplaceRotateWithDemandZero(x,x,x)+109p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		push	offset unk_6D3440
		mov	ebx, edx
		mov	[ebp+var_8], edi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	edx, ds:dword_6D3444
		mov	[ebp+var_1], al
		test	edx, edx
		jz	loc_62CA99
		test	[ebp+arg_0], 1
		jnz	loc_62CA38
		dec	ebx
		mov	[ebp+var_20], edi
		add	ebx, edi
		mov	[ebp+var_1C], ebx

loc_62C964:				; CODE XREF: MiIsProbeActive(x,x,x)+65j
		mov	eax, [edx+14h]
		cmp	ebx, eax
		jb	short loc_62C97D
		add	eax, 200h
		cmp	edi, eax
		jbe	loc_62CA2E
		mov	edx, [edx+4]
		jmp	short loc_62C97F
; 

loc_62C97D:				; CODE XREF: MiIsProbeActive(x,x,x)+4Dj
		mov	edx, [edx]

loc_62C97F:				; CODE XREF: MiIsProbeActive(x,x,x)+5Fj
		test	edx, edx
		jnz	short loc_62C964
		jmp	loc_62CA2E
; 

loc_62C988:				; CODE XREF: MiIsProbeActive(x,x,x)+114j
		mov	eax, [edx+14h]
		mov	[ebp+var_10], eax
		cmp	ebx, eax
		jb	loc_62CA99
		mov	ecx, [edx+18h]
		mov	dword ptr [ebp+arg_0], ecx
		mov	ecx, edi
		sub	ecx, eax
		cmp	edi, eax
		sbb	eax, eax
		not	eax
		and	eax, ecx
		mov	ecx, dword ptr [ebp+arg_0]
		lea	edi, [ecx+eax*2]
		mov	ecx, [ebp+var_10]
		add	ecx, 200h
		lea	eax, [ebx+1]
		cmp	eax, ecx
		mov	ecx, dword ptr [ebp+arg_0]
		ja	short loc_62C9CE
		mov	eax, ebx
		sub	eax, [ebp+var_10]
		lea	ecx, [ecx+eax*2]
		add	ecx, 2
		jmp	short loc_62C9D4
; 

loc_62C9CE:				; CODE XREF: MiIsProbeActive(x,x,x)+A3j
		add	ecx, 400h

loc_62C9D4:				; CODE XREF: MiIsProbeActive(x,x,x)+B0j
		cmp	edi, ecx
		jnb	short loc_62C9F7

loc_62C9D8:				; CODE XREF: MiIsProbeActive(x,x,x)+D1j
		mov	ax, [edi]
		mov	word ptr [ebp+var_C], ax
		test	[ebp+var_C], 3FFFh
		jnz	short loc_62C9F1
		add	edi, 2
		cmp	edi, ecx
		jb	short loc_62C9D8
		jmp	short loc_62C9F4
; 

loc_62C9F1:				; CODE XREF: MiIsProbeActive(x,x,x)+CAj
		xor	esi, esi
		inc	esi

loc_62C9F4:				; CODE XREF: MiIsProbeActive(x,x,x)+D3j
		mov	ebx, [ebp+var_1C]

loc_62C9F7:				; CODE XREF: MiIsProbeActive(x,x,x)+BAj
		cmp	esi, 1
		jz	loc_62CA99
		mov	eax, [edx+4]
		mov	ecx, edx
		test	eax, eax
		jz	short loc_62CA23
		mov	edx, eax
		mov	ecx, [edx]
		test	ecx, ecx
		jz	short loc_62CA2B

loc_62CA11:				; CODE XREF: MiIsProbeActive(x,x,x)+FDj
		mov	eax, [ecx]
		mov	edx, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_62CA11
		jmp	short loc_62CA2B
; 

loc_62CA1D:				; CODE XREF: MiIsProbeActive(x,x,x)+10Dj
		cmp	[edx], ecx
		jz	short loc_62CA2B
		mov	ecx, edx

loc_62CA23:				; CODE XREF: MiIsProbeActive(x,x,x)+EBj
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		jnz	short loc_62CA1D

loc_62CA2B:				; CODE XREF: MiIsProbeActive(x,x,x)+F3j
					; MiIsProbeActive(x,x,x)+FFj ...
		mov	edi, [ebp+var_8]

loc_62CA2E:				; CODE XREF: MiIsProbeActive(x,x,x)+56j
					; MiIsProbeActive(x,x,x)+67j
		test	edx, edx
		jnz	loc_62C988
		jmp	short loc_62CA99
; 

loc_62CA38:				; CODE XREF: MiIsProbeActive(x,x,x)+39j
		or	edx, 0FFFFFFFFh
		lea	ebx, [edi+ebx*8]
		mov	[ebp+var_14], edx
		mov	ecx, esi
		mov	[ebp+var_10], ecx
		cmp	edi, ebx
		jnb	short loc_62CA99

loc_62CA4A:				; CODE XREF: MiIsProbeActive(x,x,x)+1EFj
		mov	edi, [edi]
		nop
		mov	eax, [ebp+var_8]
		mov	eax, [eax+4]
		shrd	edi, eax, 0Ch
		and	edi, 1FFFFFFh
		cmp	edi, ds:dword_6D07B0
		ja	short loc_62CAB8
		mov	eax, ds:dword_6D35B8
		mov	edx, edi
		shr	edx, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_62CAB5
		test	[ebp+arg_0], 2
		jz	short loc_62CAFB
		mov	eax, ds:_MmPfnDatabase
		imul	ecx, edi, 1Ch
		push	2
		pop	edx
		cmp	[ecx+eax+14h], dx
		jbe	short loc_62CAFB

loc_62CA96:				; CODE XREF: MiIsProbeActive(x,x,x)+210j
		xor	esi, esi
		inc	esi

loc_62CA99:				; CODE XREF: MiIsProbeActive(x,x,x)+2Fj
					; MiIsProbeActive(x,x,x)+74j ...
		push	offset unk_6D3440
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_62CAB5:				; CODE XREF: MiIsProbeActive(x,x,x)+160j
		mov	ecx, [ebp+var_10]

loc_62CAB8:				; CODE XREF: MiIsProbeActive(x,x,x)+147j
		mov	eax, [ebp+var_14]
		mov	edx, edi
		and	edx, 0FFFFFE00h
		cmp	eax, 0FFFFFFFFh
		jz	short loc_62CACC
		cmp	eax, edx
		jz	short loc_62CAFB

loc_62CACC:				; CODE XREF: MiIsProbeActive(x,x,x)+1AAj
		test	ecx, ecx
		jz	short loc_62CAD5
		cmp	[ecx+14h], edx
		jz	short loc_62CB17

loc_62CAD5:				; CODE XREF: MiIsProbeActive(x,x,x)+1B2j
		mov	ecx, ds:dword_6D3444
		jmp	short loc_62CAF4
; 

loc_62CADD:				; CODE XREF: MiIsProbeActive(x,x,x)+1DAj
		mov	eax, [ecx+14h]
		cmp	edi, eax
		jb	short loc_62CAF2
		add	eax, 200h
		cmp	edi, eax
		jb	short loc_62CB10
		mov	ecx, [ecx+4]
		jmp	short loc_62CAF4
; 

loc_62CAF2:				; CODE XREF: MiIsProbeActive(x,x,x)+1C6j
		mov	ecx, [ecx]

loc_62CAF4:				; CODE XREF: MiIsProbeActive(x,x,x)+1BFj
					; MiIsProbeActive(x,x,x)+1D4j
		test	ecx, ecx
		jnz	short loc_62CADD

loc_62CAF8:				; CODE XREF: MiIsProbeActive(x,x,x)+1F6j
		mov	[ebp+var_14], edx

loc_62CAFB:				; CODE XREF: MiIsProbeActive(x,x,x)+166j
					; MiIsProbeActive(x,x,x)+178j ...
		mov	edi, [ebp+var_8]
		add	edi, 8
		mov	[ebp+var_8], edi
		cmp	edi, ebx
		jnb	short loc_62CA99
		mov	ecx, [ebp+var_10]
		jmp	loc_62CA4A
; 

loc_62CB10:				; CODE XREF: MiIsProbeActive(x,x,x)+1CFj
		test	ecx, ecx
		jz	short loc_62CAF8
		mov	[ebp+var_10], ecx

loc_62CB17:				; CODE XREF: MiIsProbeActive(x,x,x)+1B7j
		sub	edi, [ecx+14h]
		mov	eax, [ecx+18h]
		mov	ax, [eax+edi*2]
		mov	word ptr [ebp+var_C], ax
		test	[ebp+var_C], 3FFFh
		jnz	loc_62CA96
		jmp	short loc_62CAFB
_MiIsProbeActive@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeIoRangePermanent(x)
_MiMakeIoRangePermanent@4 proc near	; CODE XREF: MiMakeIoRangePermanentDpc(x,x,x,x)+38p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_8], 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+0Ch]
		xor	esi, esi
		mov	edi, [eax+10h]
		mov	[ebp+var_18], eax
		sub	edi, ebx
		mov	eax, [eax+14h]
		push	offset unk_6D3440
		mov	[ebp+var_24], eax
		mov	[ebp+var_C], esi
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al
		add	edi, 1
		jz	loc_62CCAF

loc_62CB71:				; CODE XREF: MiMakeIoRangePermanent(x)+171j
		mov	ecx, ds:dword_6D3448
		test	ecx, ecx

loc_62CB79:				; CODE XREF: MiMakeIoRangePermanent(x)+6Aj
		jz	loc_62CC28
		mov	eax, [ecx+14h]
		cmp	ebx, eax
		jb	short loc_62CB98
		lea	edx, [eax+200h]
		mov	[ebp+var_1C], edx
		cmp	ebx, edx
		jb	short loc_62CBA0
		mov	eax, [ecx+4]
		jmp	short loc_62CB9A
; 

loc_62CB98:				; CODE XREF: MiMakeIoRangePermanent(x)+50j
		mov	eax, [ecx]

loc_62CB9A:				; CODE XREF: MiMakeIoRangePermanent(x)+62j
		mov	ecx, eax
		test	eax, eax
		jmp	short loc_62CB79
; 

loc_62CBA0:				; CODE XREF: MiMakeIoRangePermanent(x)+5Dj
		mov	edx, ebx
		and	edx, 1FFFFFFh
		sub	edx, eax
		mov	eax, [ecx+18h]
		mov	[ebp+var_20], eax
		lea	ecx, [eax+edx*2]
		lea	eax, [ebx+edi]
		cmp	eax, [ebp+var_1C]
		jbe	short loc_62CBC2
		mov	eax, 400h
		jmp	short loc_62CBC7
; 

loc_62CBC2:				; CODE XREF: MiMakeIoRangePermanent(x)+85j
		lea	eax, [edi+edx]
		add	eax, eax

loc_62CBC7:				; CODE XREF: MiMakeIoRangePermanent(x)+8Cj
		mov	edx, [ebp+var_20]
		add	edx, eax
		cmp	ecx, edx
		jnb	loc_62CCA0

loc_62CBD4:				; CODE XREF: MiMakeIoRangePermanent(x)+D5j
		mov	ax, [ecx]
		mov	word ptr [ebp+var_10], ax
		test	[ebp+var_10], 3FFFh
		jnz	short loc_62CBF6
		mov	eax, 4000h
		mov	word ptr [ebp+var_10], ax
		mov	ax, word ptr [ebp+var_10]
		mov	[ecx], ax
		jmp	short loc_62CC02
; 

loc_62CBF6:				; CODE XREF: MiMakeIoRangePermanent(x)+AEj
		movzx	eax, word ptr [ebp+var_10]
		shr	eax, 0Eh
		cmp	eax, [ebp+var_24]
		jnz	short loc_62CC13

loc_62CC02:				; CODE XREF: MiMakeIoRangePermanent(x)+C0j
		add	ecx, 2
		inc	ebx
		dec	edi
		cmp	ecx, edx
		jb	short loc_62CBD4
		mov	esi, [ebp+var_C]
		jmp	loc_62CCA0
; 

loc_62CC13:				; CODE XREF: MiMakeIoRangePermanent(x)+CCj
		inc	ds:dword_6D3474
		mov	eax, 0C0000018h
		mov	esi, [ebp+var_C]
		xor	edi, edi
		mov	[ebp+var_8], eax
		jmp	short loc_62CCA3
; 

loc_62CC28:				; CODE XREF: MiMakeIoRangePermanent(x):loc_62CB79j
		mov	edx, ebx
		mov	ecx, offset dword_6D344C
		call	MiRemoveUnmappedIoNode
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_62CC46
		mov	eax, ebx
		and	eax, 1FFh
		jmp	short loc_62CC8F
; 

loc_62CC46:				; CODE XREF: MiMakeIoRangePermanent(x)+107j
		mov	edx, [ecx+14h]
		mov	byte ptr [ebp+var_14], 0
		test	esi, esi
		jz	short loc_62CC71

loc_62CC51:				; CODE XREF: MiMakeIoRangePermanent(x)+137j
		cmp	edx, [esi+14h]
		jb	short loc_62CC63
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_62CC69
		mov	byte ptr [ebp+var_14], 1
		jmp	short loc_62CC71
; 

loc_62CC63:				; CODE XREF: MiMakeIoRangePermanent(x)+120j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_62CC6D

loc_62CC69:				; CODE XREF: MiMakeIoRangePermanent(x)+127j
		mov	esi, eax
		jmp	short loc_62CC51
; 

loc_62CC6D:				; CODE XREF: MiMakeIoRangePermanent(x)+133j
		mov	byte ptr [ebp+var_14], 0

loc_62CC71:				; CODE XREF: MiMakeIoRangePermanent(x)+11Bj
					; MiMakeIoRangePermanent(x)+12Dj
		push	ecx
		push	[ebp+var_14]
		lea	eax, [ebp+var_C]
		push	esi
		push	eax
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		mov	ecx, [ebp+var_20]
		mov	eax, ebx
		mov	esi, [ebp+var_C]
		and	eax, 1FFFFFFh
		sub	eax, [ecx+14h]

loc_62CC8F:				; CODE XREF: MiMakeIoRangePermanent(x)+110j
		mov	ecx, 200h
		sub	ecx, eax
		cmp	ecx, edi
		jbe	short loc_62CC9C
		mov	ecx, edi

loc_62CC9C:				; CODE XREF: MiMakeIoRangePermanent(x)+164j
		sub	edi, ecx
		add	ebx, ecx

loc_62CCA0:				; CODE XREF: MiMakeIoRangePermanent(x)+9Aj
					; MiMakeIoRangePermanent(x)+DAj
		mov	eax, [ebp+var_8]

loc_62CCA3:				; CODE XREF: MiMakeIoRangePermanent(x)+F2j
		test	edi, edi
		jnz	loc_62CB71
		test	eax, eax
		js	short loc_62CD07

loc_62CCAF:				; CODE XREF: MiMakeIoRangePermanent(x)+37j
		mov	ecx, ds:dword_6D347C
		mov	edi, [ebp+var_18]
		mov	byte ptr [ebp+var_14], 0
		test	ecx, ecx
		jz	short loc_62CCF8
		mov	edx, [edi+10h]

loc_62CCC3:				; CODE XREF: MiMakeIoRangePermanent(x)+1B1j
		cmp	edx, [ecx+0Ch]
		jb	short loc_62CCDD
		mov	eax, [edi+0Ch]
		cmp	eax, [ecx+10h]
		jbe	short loc_62CCE7
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_62CCE3
		mov	byte ptr [ebp+var_14], 1
		jmp	short loc_62CCF8
; 

loc_62CCDD:				; CODE XREF: MiMakeIoRangePermanent(x)+192j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_62CCF4

loc_62CCE3:				; CODE XREF: MiMakeIoRangePermanent(x)+1A1j
		mov	ecx, eax
		jmp	short loc_62CCC3
; 

loc_62CCE7:				; CODE XREF: MiMakeIoRangePermanent(x)+19Aj
		inc	ds:dword_6D3478
		mov	ebx, 0C0000018h
		jmp	short loc_62CD0A
; 

loc_62CCF4:				; CODE XREF: MiMakeIoRangePermanent(x)+1ADj
		mov	byte ptr [ebp+var_14], 0

loc_62CCF8:				; CODE XREF: MiMakeIoRangePermanent(x)+18Aj
					; MiMakeIoRangePermanent(x)+1A7j
		push	edi
		push	[ebp+var_14]
		push	ecx
		push	offset dword_6D347C
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)

loc_62CD07:				; CODE XREF: MiMakeIoRangePermanent(x)+179j
		mov	ebx, [ebp+var_8]

loc_62CD0A:				; CODE XREF: MiMakeIoRangePermanent(x)+1BEj
		push	offset unk_6D3440
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_62CD34
; 

loc_62CD1F:				; CODE XREF: MiMakeIoRangePermanent(x)+202j
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_C]

loc_62CD34:				; CODE XREF: MiMakeIoRangePermanent(x)+1E9j
		test	esi, esi
		jnz	short loc_62CD1F
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_MiMakeIoRangePermanent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeIoRangePermanentDpc(x, x, x, x)
_MiMakeIoRangePermanentDpc@16 proc near	; DATA XREF: MmSetPermanentCacheAttribute(x,x,x,x,x,x)+A5o

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		or	ebx, 0FFFFFFFFh
		push	edi
		mov	edi, [ebp+arg_C]
		mov	eax, ebx
		lock xadd [edi], eax
		dec	eax
		mov	esi, eax
		mov	ecx, 80000000h
		not	esi
		and	esi, ecx
		test	eax, 7FFFFFFFh
		jnz	short loc_62CD93
		mov	eax, [edi+4]
		or	eax, esi
		mov	esi, [ebp+arg_4]
		mov	[edi], eax
		mov	ecx, [esi]
		call	_MiMakeIoRangePermanent@4 ; MiMakeIoRangePermanent(x)
		mov	[esi+4], eax
		mov	ecx, 80000000h
		jmp	short loc_62CD9B
; 

loc_62CD86:				; CODE XREF: MiMakeIoRangePermanentDpc(x,x,x,x)+5Aj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	ecx, 80000000h

loc_62CD93:				; CODE XREF: MiMakeIoRangePermanentDpc(x,x,x,x)+2Aj
		mov	eax, [edi]
		and	eax, ecx
		cmp	eax, esi
		jnz	short loc_62CD86

loc_62CD9B:				; CODE XREF: MiMakeIoRangePermanentDpc(x,x,x,x)+45j
		lock xadd [edi], ebx
		dec	ebx
		mov	esi, ebx
		not	esi
		and	esi, ecx
		test	ebx, 7FFFFFFFh
		jnz	short loc_62CDB7
		mov	eax, [edi+4]
		or	eax, esi
		mov	[edi], eax
		jmp	short loc_62CDD4
; 

loc_62CDB7:				; CODE XREF: MiMakeIoRangePermanentDpc(x,x,x,x)+6Dj
		mov	eax, [edi]
		and	[ebp+arg_C], 0
		and	eax, ecx
		jmp	short loc_62CDD0
; 

loc_62CDC1:				; CODE XREF: MiMakeIoRangePermanentDpc(x,x,x,x)+93j
		lea	ecx, [ebp+arg_C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		and	eax, 80000000h

loc_62CDD0:				; CODE XREF: MiMakeIoRangePermanentDpc(x,x,x,x)+80j
		cmp	eax, esi
		jnz	short loc_62CDC1

loc_62CDD4:				; CODE XREF: MiMakeIoRangePermanentDpc(x,x,x,x)+76j
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiMakeIoRangePermanentDpc@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1422. MmIsIoSpaceActive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmIsIoSpaceActive(x, x, x)
		public _MmIsIoSpaceActive@12
_MmIsIoSpaceActive@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_8]
		shrd	ecx, eax, 0Ch
		xor	eax, eax
		add	edx, [ebp+arg_0]
		push	0
		adc	eax, [ebp+arg_4]
		add	edx, 0FFFFFFFFh
		adc	eax, 0FFFFFFFFh
		shrd	edx, eax, 0Ch
		sub	edx, ecx
		inc	edx
		call	_MiIsProbeActive@12 ; MiIsProbeActive(x,x,x)
		pop	ebp
		retn	0Ch
_MmIsIoSpaceActive@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCaptureSystemCachePte(x)
_MiCaptureSystemCachePte@4 proc	near	; CODE XREF: MiMapSystemCachePage(x,x,x)+1Bp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1], 0
		push	edi
		xor	ecx, ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	ebx, eax
		mov	edx, esi
		lea	eax, [ebp-1]
		mov	ecx, ebx
		push	eax
		call	_MiLockWorkingSetOptimal@12 ; MiLockWorkingSetOptimal(x,x,x)
		mov	edi, [esi]
		nop
		mov	esi, [esi+4]
		mov	edx, eax
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		mov	eax, edi
		mov	edx, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiCaptureSystemCachePte@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMapFrame(x, x)
_MiMapFrame@8	proc near		; CODE XREF: .text:0047C930p
					; MiMapSystemCachePage(x,x,x)+E6p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		push	4
		pop	ebx
		cmp	edx, ds:dword_6D07B0
		ja	short loc_62CEB3
		mov	eax, ds:dword_6D35B8
		mov	esi, edx
		shr	esi, 5
		mov	ecx, edx
		and	ecx, 1Fh
		mov	eax, [eax+esi*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_62CEB3
		mov	eax, ds:_MmPfnDatabase
		imul	ecx, edx, 1Ch
		movzx	eax, byte ptr [ecx+eax+16h]
		shr	eax, 6
		test	eax, eax
		jz	short loc_62CEB0
		cmp	eax, 3
		jz	short loc_62CEB0
		cmp	eax, 2
		jnz	short loc_62CEB3
		push	1Ch
		jmp	short loc_62CEB2
; 

loc_62CEB0:				; CODE XREF: MiMapFrame(x,x)+41j
					; MiMapFrame(x,x)+46j
		push	0Ch

loc_62CEB2:				; CODE XREF: MiMapFrame(x,x)+4Fj
		pop	ebx

loc_62CEB3:				; CODE XREF: MiMapFrame(x,x)+14j
					; MiMapFrame(x,x)+2Dj ...
		or	ebx, 0A0000000h
		mov	ecx, edi
		push	ebx
		call	MiMakeValidPte
		mov	ecx, edi
		mov	esi, eax
		xor	ebx, ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_62CF0D
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_62CEE5
		inc	ebx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	short loc_62CF0D
		jmp	short loc_62CEFD
; 

loc_62CEE5:				; CODE XREF: MiMapFrame(x,x)+78j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_62CF0D

loc_62CEFD:				; CODE XREF: MiMapFrame(x,x)+84j
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_62CF0D
		or	edx, 80000000h

loc_62CF0D:				; CODE XREF: MiMapFrame(x,x)+6Fj
					; MiMapFrame(x,x)+82j ...
		mov	[edi+4], edx
		nop
		mov	[edi], esi
		test	ebx, ebx
		jz	short loc_62CF1E
		push	edx
		push	esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_62CF1E:				; CODE XREF: MiMapFrame(x,x)+B6j
		shl	edi, 9
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiMapFrame@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMapSystemCachePage(x, x, x)
_MiMapSystemCachePage@12 proc near	; CODE XREF: .text:0047C305p
					; .text:0047C5F5p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	eax, edx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], ecx

loc_62CF41:				; CODE XREF: MiMapSystemCachePage(x,x,x)+BBj
		mov	ecx, eax
		call	_MiCaptureSystemCachePte@4 ; MiCaptureSystemCachePte(x)
		mov	esi, eax
		and	eax, 1
		or	eax, 0
		jz	loc_62D027
		nop
		shrd	esi, edx, 0Ch
		and	esi, 1FFFFFFh
		cmp	esi, ds:dword_6D07B0
		ja	loc_62D027
		mov	eax, ds:dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_62D027
		imul	edi, esi, 1Ch
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_1], al
		mov	edx, [ecx]
		nop
		mov	ecx, [ecx+4]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_1C], ecx
		lea	ecx, [edi+10h]
		mov	[ebp+var_10], ecx
		mov	ecx, edx
		and	ecx, 1
		mov	[ebp+var_20], edx
		or	ecx, 0
		jz	short loc_62D018
		nop
		mov	ecx, [ebp+var_C]
		shrd	edx, ecx, 0Ch
		and	edx, 1FFFFFFh
		cmp	edx, esi
		jz	short loc_62CFE8
		mov	ecx, [ebp+var_10]
		mov	edx, 7FFFFFFFh
		lock and [ecx],	edx
		mov	cl, al
		call	ebx
		mov	eax, [ebp+var_8]
		jmp	loc_62CF41
; 

loc_62CFE8:				; CODE XREF: MiMapSystemCachePage(x,x,x)+A7j
		xor	edx, edx
		mov	ecx, edi
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		test	eax, eax
		jz	short loc_62D015
		or	byte ptr [edi+16h], 10h
		lea	ecx, [edi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, [ebp+var_1]
		call	ebx
		mov	ecx, [ebp+var_14]
		mov	edx, esi
		call	_MiMapFrame@8	; MiMapFrame(x,x)
		jmp	short loc_62D029
; 

loc_62D015:				; CODE XREF: MiMapSystemCachePage(x,x,x)+CBj
		mov	al, [ebp+var_1]

loc_62D018:				; CODE XREF: MiMapSystemCachePage(x,x,x)+95j
		lea	ecx, [edi+10h]
		mov	edx, 7FFFFFFFh
		lock and [ecx],	edx
		mov	cl, al
		call	ebx

loc_62D027:				; CODE XREF: MiMapSystemCachePage(x,x,x)+28j
					; MiMapSystemCachePage(x,x,x)+3Fj ...
		xor	eax, eax

loc_62D029:				; CODE XREF: MiMapSystemCachePage(x,x,x)+EBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiMapSystemCachePage@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRemoveSystemCacheReferences(x, x,	x)
_MiRemoveSystemCacheReferences@12 proc near ; CODE XREF: MmMapViewInSystemCache+117BFCp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi]
		lea	eax, [edi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		push	[ebp+arg_4]
		mov	ecx, esi
		mov	bl, al
		push	[ebp+arg_0]
		call	_MiRemoveViewsFromSection@16 ; MiRemoveViewsFromSection(x,x,x,x)
		dec	dword ptr [edi+14h]
		mov	dl, bl
		dec	dword ptr [edi+30h]
		mov	ecx, edi
		call	MiCheckControlArea
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_MiRemoveSystemCacheReferences@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiSessionPoolVaRemaining()
_MiSessionPoolVaRemaining@0 proc near	; CODE XREF: MmResourcesAvailable(x,x,x)+44p
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	ecx, [eax+23E8h]
		mov	edi, ecx
		mov	esi, [eax+6Ch]
		mov	eax, ds:dword_6D41D8
		mov	edx, ds:dword_6D4254
		shl	edi, 15h
		test	eax, eax
		jz	short loc_62D0B0
		cmp	ecx, eax
		jb	short loc_62D0A5
		xor	edx, edx
		jmp	short loc_62D0B0
; 

loc_62D0A5:				; CODE XREF: MiSessionPoolVaRemaining()+33j
		sub	eax, ecx
		shl	eax, 15h
		cmp	edx, eax
		jbe	short loc_62D0B0
		mov	edx, eax

loc_62D0B0:				; CODE XREF: MiSessionPoolVaRemaining()+2Fj
					; MiSessionPoolVaRemaining()+37j ...
		shl	esi, 0Ch
		mov	ecx, edi
		sub	ecx, esi
		cmp	esi, edi
		pop	edi
		sbb	eax, eax
		and	eax, ecx
		add	eax, edx
		pop	esi
		retn
_MiSessionPoolVaRemaining@0 endp


;  S U B	R O U T	I N E 


; __stdcall MmIsSpecialPoolAddress(x)
_MmIsSpecialPoolAddress@4 proc near	; CODE XREF: IopAddBugcheckTriageDataFromParameters(x,x,x,x,x)+73p
					; KeBugCheck2(x,x,x,x,x,x)+419p
		lea	eax, [ecx+40000000h]
		cmp	eax, offset loc_7FFFFF
		jbe	short loc_62D0E3
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		call	MmIsAddressValidEx

loc_62D0E3:				; CODE XREF: MmIsSpecialPoolAddress(x)+Bj
		xor	eax, eax
		retn
_MmIsSpecialPoolAddress@4 endp


;  S U B	R O U T	I N E 


; __stdcall MmQuerySpecialPoolBlockSize(x)
_MmQuerySpecialPoolBlockSize@4 proc near ; CODE	XREF: ExQueryPoolBlockSize(x,x)+23p
		mov	eax, ecx
		mov	edx, 0FFFh
		and	eax, 0FFFFF000h
		test	ecx, edx
		jnz	short loc_62D0FB
		add	eax, 0FF8h

loc_62D0FB:				; CODE XREF: MmQuerySpecialPoolBlockSize(x)+Ej
		mov	eax, [eax]
		and	eax, edx
		retn
_MmQuerySpecialPoolBlockSize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIssueNoPtesBugcheck(x)
_MiIssueNoPtesBugcheck@4 proc near	; CODE XREF: MmMapLockedPagesSpecifyCache+134EA9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], ebx
		call	_MiGetHighestPteConsumer@4 ; MiGetHighestPteConsumer(x)
		mov	esi, eax
		call	_MmGetNumberOfFreeSystemPtes@0 ; MmGetNumberOfFreeSystemPtes()
		push	ebx
		push	eax
		test	esi, esi
		jz	short loc_62D133
		push	[ebp+var_4]
		push	esi
		push	0D8h

loc_62D12E:				; CODE XREF: MiIssueNoPtesBugcheck(x)+37j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_62D133:				; CODE XREF: MiIssueNoPtesBugcheck(x)+23j
		push	edi
		push	ebx
		push	3Fh
		jmp	short loc_62D12E
_MiIssueNoPtesBugcheck@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1437. MmMapMdl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMapMdl(x,	x, x, x)
		public _MmMapMdl@16
_MmMapMdl@16	proc near

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	ecx, [ebp+arg_4]
		and	[esp+1Ch+var_18], 0
		push	ebx
		push	esi
		push	edi
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		mov	edi, eax
		and	eax, 7
		cmp	edi, 0FFFFFFFFh
		jz	loc_62D2AA
		cmp	edi, 18h
		jz	loc_62D2AA
		cmp	eax, 5
		jz	loc_62D2AA
		test	al, 2
		jnz	loc_62D2AA
		mov	eax, edi
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jz	loc_62D2AA
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+6], 5
		jz	short loc_62D1A8
		push	dword ptr [esi+0Ch]
		push	[ebp+arg_C]
		call	[ebp+arg_8]
		xor	eax, eax
		jmp	loc_62D2AF
; 

loc_62D1A8:				; CODE XREF: MmMapMdl(x,x,x,x)+58j
		mov	ecx, [esi+10h]
		add	ecx, [esi+18h]
		mov	ebx, [esi+14h]
		and	ecx, 0FFFh
		add	ebx, 0FFFh
		add	ebx, ecx
		shr	ebx, 0Ch
		cmp	ds:_MmProtectFreedNonPagedPool,	1
		mov	eax, ebx
		mov	[esp+28h+var_C], ebx
		mov	[esp+28h+var_10], ebx
		jnz	short loc_62D1DC
		lea	eax, [ebx+1]
		mov	[esp+28h+var_10], eax

loc_62D1DC:				; CODE XREF: MmMapMdl(x,x,x,x)+95j
		mov	edx, eax
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	ecx, eax
		mov	[esp+28h+var_4], ecx
		test	ecx, ecx
		jnz	short loc_62D1FC
		mov	eax, 0C000009Ah
		jmp	loc_62D2AF
; 

loc_62D1FC:				; CODE XREF: MmMapMdl(x,x,x,x)+B2j
		mov	eax, ecx
		mov	edx, ebx
		shl	eax, 9
		add	eax, [esi+18h]
		mov	[esp+28h+var_14], eax
		lea	eax, [esp+28h+var_18]
		push	eax
		push	0
		push	edi
		lea	eax, [esi+1Ch]
		push	eax
		call	_MiFillSystemPtes@24 ; MiFillSystemPtes(x,x,x,x,x,x)
		mov	[esp+38h+var_18], eax
		test	eax, eax
		js	short loc_62D290
		mov	ebx, [esp+38h+var_28]
		and	ebx, 1
		jz	short loc_62D23E
		mov	ecx, [esp+38h+var_24]
		call	_MiMappingHasIoReferences@4 ; MiMappingHasIoReferences(x)
		mov	eax, 800h
		or	[esi+6], ax

loc_62D23E:				; CODE XREF: MmMapMdl(x,x,x,x)+ECj
		test	byte ptr ds:dword_7051B4, 1
		jz	short loc_62D272
		cmp	ds:_MmProtectFreedNonPagedPool,	1
		mov	[esp+38h+var_28], ebx
		jnz	short loc_62D25D
		mov	eax, ebx
		or	eax, 2
		mov	[esp+38h+var_28], eax

loc_62D25D:				; CODE XREF: MmMapMdl(x,x,x,x)+114j
		mov	ecx, edi
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		push	eax
		push	[esp+3Ch+var_28]
		xor	edx, edx
		mov	ecx, esi
		call	_MiInsertPteTracker@16 ; MiInsertPteTracker(x,x,x,x)

loc_62D272:				; CODE XREF: MmMapMdl(x,x,x,x)+107j
		mov	esi, [esp+38h+var_24]
		xor	edi, edi
		push	esi
		push	[ebp+arg_C]
		call	[ebp+arg_8]
		test	ebx, ebx
		jz	short loc_62D294
		mov	edx, [esp+40h+var_24]
		mov	ecx, esi
		call	MiZeroAndFlushPtes
		jmp	short loc_62D294
; 

loc_62D290:				; CODE XREF: MmMapMdl(x,x,x,x)+E3j
		mov	edi, [esp+38h+var_18]

loc_62D294:				; CODE XREF: MmMapMdl(x,x,x,x)+143j
					; MmMapMdl(x,x,x,x)+150j
		push	[esp+38h+var_20]
		mov	edx, [esp+3Ch+var_14]
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		mov	eax, edi
		jmp	short loc_62D2AF
; 

loc_62D2AA:				; CODE XREF: MmMapMdl(x,x,x,x)+23j
					; MmMapMdl(x,x,x,x)+2Cj ...
		mov	eax, 0C0000045h

loc_62D2AF:				; CODE XREF: MmMapMdl(x,x,x,x)+65j
					; MmMapMdl(x,x,x,x)+B9j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_MmMapMdl@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddPartitionDataToCrashDump(x)
_MiAddPartitionDataToCrashDump@4 proc near
					; CODE XREF: MmAddPrivateDataToCrashDump(x,x)+143p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	edx, ds:dword_6D3018
		mov	eax, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], eax
		push	4
		mov	[ebp+var_C], edi
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_62D411
		mov	edx, ds:dword_6D3008
		mov	ecx, [ebp+var_10]
		push	8
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_62D411
		mov	edx, ds:dword_6D3008
		push	edi
		pop	ecx
		mov	eax, [edx]
		test	al, 1Fh
		mov	edx, [edx+4]
		setnz	cl
		shr	eax, 5
		add	ecx, eax
		shl	ecx, 2
		push	ecx
		mov	ecx, [ebp+var_10]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		mov	esi, eax
		mov	[ebp+var_14], esi
		jmp	loc_62D409
; 

loc_62D33C:				; CODE XREF: MiAddPartitionDataToCrashDump(x)+153j
		mov	eax, ds:dword_6D3008
		mov	edx, [eax]
		cmp	edi, edx
		mov	ecx, [eax+4]
		sbb	esi, esi
		mov	[ebp+var_4], edx
		and	esi, edi
		mov	[ebp+var_8], ecx
		lea	edi, [edx-1]

loc_62D355:				; CODE XREF: MiAddPartitionDataToCrashDump(x)+11Fj
		and	[ebp+var_18], 0
		mov	eax, edi
		sub	eax, esi
		inc	eax
		cmp	eax, 1
		jnb	short loc_62D368
		or	ecx, 0FFFFFFFFh
		jmp	short loc_62D3C3
; 

loc_62D368:				; CODE XREF: MiAddPartitionDataToCrashDump(x)+A9j
		mov	eax, edi
		xor	edx, edx
		shr	eax, 5
		inc	edx
		lea	eax, [ecx+eax*4]
		mov	ecx, esi
		mov	[ebp+var_18], eax
		and	ecx, 1Fh
		shl	edx, cl
		mov	eax, esi
		mov	ecx, [ebp+var_8]
		dec	edx
		shr	eax, 5
		lea	ecx, [ecx+eax*4]
		mov	eax, [ecx]
		not	eax
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_62D3A7
		mov	edx, [ebp+var_18]

loc_62D397:				; CODE XREF: MiAddPartitionDataToCrashDump(x)+EDj
		add	ecx, 4
		cmp	ecx, edx
		ja	short loc_62D3DC
		mov	eax, [ecx]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_62D397

loc_62D3A7:				; CODE XREF: MiAddPartitionDataToCrashDump(x)+DAj
		sub	ecx, [ebp+var_8]
		not	eax
		bsf	eax, eax
		sar	ecx, 2
		shl	ecx, 5
		add	ecx, eax
		cmp	ecx, edi
		ja	short loc_62D3DC
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_62D3E1

loc_62D3C0:				; CODE XREF: MiAddPartitionDataToCrashDump(x)+127j
		mov	edx, [ebp+var_4]

loc_62D3C3:				; CODE XREF: MiAddPartitionDataToCrashDump(x)+AEj
		test	esi, esi
		jz	short loc_62D3E1
		mov	edi, [ebp+var_C]
		inc	edi
		cmp	edi, edx
		jbe	short loc_62D3D1
		mov	edi, edx

loc_62D3D1:				; CODE XREF: MiAddPartitionDataToCrashDump(x)+115j
		mov	ecx, [ebp+var_8]
		dec	edi
		xor	esi, esi
		jmp	loc_62D355
; 

loc_62D3DC:				; CODE XREF: MiAddPartitionDataToCrashDump(x)+E4j
					; MiAddPartitionDataToCrashDump(x)+101j
		or	ecx, 0FFFFFFFFh
		jmp	short loc_62D3C0
; 

loc_62D3E1:				; CODE XREF: MiAddPartitionDataToCrashDump(x)+106j
					; MiAddPartitionDataToCrashDump(x)+10Dj
		mov	esi, [ebp+var_14]
		cmp	ecx, [ebp+var_C]
		jb	short loc_62D411
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_62D411
		mov	eax, ds:dword_6D3018
		lea	edi, [ecx+1]
		mov	[ebp+var_C], edi
		mov	edx, [eax+ecx*4]
		mov	ecx, [ebp+var_10]
		call	_MiAddPartitionToCrashDump@8 ; MiAddPartitionToCrashDump(x,x)
		mov	esi, eax
		mov	[ebp+var_14], eax

loc_62D409:				; CODE XREF: MiAddPartitionDataToCrashDump(x)+7Fj
		test	esi, esi
		jns	loc_62D33C

loc_62D411:				; CODE XREF: MiAddPartitionDataToCrashDump(x)+37j
					; MiAddPartitionDataToCrashDump(x)+51j	...
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_MiAddPartitionDataToCrashDump@4 endp ;	sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddPartitionToCrashDump(x, x)
_MiAddPartitionToCrashDump@8 proc near	; CODE XREF: MiAddPartitionDataToCrashDump(x)+147p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, edx
		mov	eax, ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], eax
		push	edi
		cmp	esi, offset _MiSystemPartition
		jz	short loc_62D486
		call	_MiSizeMemoryListLocks@0 ; MiSizeMemoryListLocks()
		movzx	esi, ds:_KeNumberNodes
		mov	edx, ds:dword_6D06D4
		shl	esi, 4
		add	esi, edx
		shl	edx, 4
		imul	edi, esi, 28h
		mov	esi, [ebp+var_8]
		mov	[ebp+var_8], esi
		add	edi, 1B47h
		and	edi, 0FFFFFFF8h
		add	edi, eax
		add	edi, edx
		call	_MiGetPartitionLargePageListCount@0 ; MiGetPartitionLargePageListCount()
		imul	eax, 0Ch
		add	eax, edi
		jmp	short loc_62D4AB
; 

loc_62D486:				; CODE XREF: MiAddPartitionToCrashDump(x,x)+2Cj
		push	1B40h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	loc_62D524
		mov	eax, [esi+10h]
		mov	[ebp+var_8], eax
		movzx	eax, ds:_KeNumberNodes
		imul	eax, 280h

loc_62D4AB:				; CODE XREF: MiAddPartitionToCrashDump(x,x)+68j
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		mov	edi, [esi+0F4Ch]
		mov	[ebp+var_C], eax
		cmp	edi, 10h
		jbe	short loc_62D4C8
		push	10h
		pop	edi

loc_62D4C8:				; CODE XREF: MiAddPartitionToCrashDump(x,x)+A7j
		test	edi, edi
		jz	short loc_62D524
		add	esi, 0F54h
		mov	[ebp+var_8], esi

loc_62D4D5:				; CODE XREF: MiAddPartitionToCrashDump(x,x)+103j
		mov	esi, [esi]
		test	esi, esi
		jz	short loc_62D513
		mov	ecx, esi
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_62D513
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	0A0h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		mov	edx, [esi+1Ch]
		mov	ecx, [ebp+var_4]
		push	80h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		push	dword ptr [esi+34h]
		mov	ecx, [ebp+var_4]
		push	dword ptr [esi+30h]
		call	_MiAddUnicodeStringToCrashDump@12 ; MiAddUnicodeStringToCrashDump(x,x,x)

loc_62D513:				; CODE XREF: MiAddPartitionToCrashDump(x,x)+BDj
					; MiAddPartitionToCrashDump(x,x)+C8j
		mov	esi, [ebp+var_8]
		add	esi, 4
		mov	[ebp+var_8], esi
		sub	edi, 1
		jnz	short loc_62D4D5
		mov	eax, [ebp+var_C]

loc_62D524:				; CODE XREF: MiAddPartitionToCrashDump(x,x)+76j
					; MiAddPartitionToCrashDump(x,x)+AEj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_MiAddPartitionToCrashDump@8 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddPhysicalPagesToCrashDump(x)
_MiAddPhysicalPagesToCrashDump@4 proc near ; CODE XREF:	MmGetDumpRange(x,x,x)+D4p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ds:_MmPhysicalMemoryBlock
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], ecx
		cmp	[eax], esi
		jbe	loc_62D626
		push	ebx
		push	edi

loc_62D54A:				; CODE XREF: MiAddPhysicalPagesToCrashDump(x)+F1j
		and	[ebp+var_C], 0
		cmp	dword ptr [eax+esi*8+0Ch], 0
		mov	ebx, [eax+esi*8+8]
		jbe	loc_62D61B

loc_62D55D:				; CODE XREF: MiAddPhysicalPagesToCrashDump(x)+E8j
		imul	edi, ebx, 1Ch
		mov	[ebp+var_4], 1
		add	edi, ds:_MmPfnDatabase
		mov	edx, [edi+18h]
		test	edx, (offset loc_7FFFFF+1)
		jz	short loc_62D59C
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		lea	edx, [ebp+var_4]
		push	eax
		mov	ecx, edi
		call	_MiGetPagesRemainingInResidentPage@12 ;	MiGetPagesRemainingInResidentPage(x,x,x)
		cmp	[ebp+var_4], 6
		mov	edi, eax
		jnz	short loc_62D602
		cmp	[ebp+var_8], 1
		jmp	short loc_62D5F1
; 

loc_62D59C:				; CODE XREF: MiAddPhysicalPagesToCrashDump(x)+49j
		mov	cl, [edi+16h]
		mov	al, cl
		and	al, 0C0h
		cmp	al, 40h
		jnz	short loc_62D5FF
		and	cl, 7
		cmp	cl, 6
		jnz	short loc_62D5D9
		mov	eax, edx
		and	eax, 70000000h
		cmp	eax, 10000000h
		jz	short loc_62D5FF
		test	dword ptr [edi+10h], 3FFFFFFFh
		mov	edi, [ebp+var_4]
		jz	short loc_62D5F3
		and	edx, offset loc_7FFFFF
		cmp	edx, (offset loc_7FFFFA+3)
		jnz	short loc_62D5F3
		jmp	short loc_62D602
; 

loc_62D5D9:				; CODE XREF: MiAddPhysicalPagesToCrashDump(x)+80j
		cmp	cl, 2
		jz	short loc_62D5E3
		cmp	cl, 3
		jnz	short loc_62D5FF

loc_62D5E3:				; CODE XREF: MiAddPhysicalPagesToCrashDump(x)+AFj
		mov	eax, [edi+8]
		mov	edi, [ebp+var_4]
		and	eax, 400h
		or	eax, 0

loc_62D5F1:				; CODE XREF: MiAddPhysicalPagesToCrashDump(x)+6Dj
		jnz	short loc_62D602

loc_62D5F3:				; CODE XREF: MiAddPhysicalPagesToCrashDump(x)+9Aj
					; MiAddPhysicalPagesToCrashDump(x)+A8j
		mov	eax, [ebp+var_10]
		push	2
		push	edi
		push	ebx
		push	eax
		call	dword ptr [eax]
		jmp	short loc_62D602
; 

loc_62D5FF:				; CODE XREF: MiAddPhysicalPagesToCrashDump(x)+78j
					; MiAddPhysicalPagesToCrashDump(x)+8Ej	...
		mov	edi, [ebp+var_4]

loc_62D602:				; CODE XREF: MiAddPhysicalPagesToCrashDump(x)+67j
					; MiAddPhysicalPagesToCrashDump(x)+AAj	...
		mov	ecx, [ebp+var_C]
		add	ebx, edi
		mov	eax, ds:_MmPhysicalMemoryBlock
		add	ecx, edi
		mov	[ebp+var_C], ecx
		cmp	ecx, [eax+esi*8+0Ch]
		jb	loc_62D55D

loc_62D61B:				; CODE XREF: MiAddPhysicalPagesToCrashDump(x)+2Aj
		inc	esi
		cmp	esi, [eax]
		jb	loc_62D54A
		pop	edi
		pop	ebx

loc_62D626:				; CODE XREF: MiAddPhysicalPagesToCrashDump(x)+15j
		pop	esi
		leave
		retn
_MiAddPhysicalPagesToCrashDump@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddRangeToCrashDump(x, x,	x, x, x)
_MiAddRangeToCrashDump@20 proc near	; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+219p
					; MmAddRangeToCrashDump(x,x,x)+B8p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	ebx, ebx
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+arg_4]
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ebx
		mov	eax, [ecx+esi*8]
		cmp	edi, eax
		jnb	short loc_62D64D
		mov	edi, eax

loc_62D64D:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+20j
		mov	eax, [ecx+esi*8+4]
		cmp	[ebp+arg_0], eax
		jbe	short loc_62D65B
		mov	[ebp+arg_0], eax
		jmp	short loc_62D65E
; 

loc_62D65B:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+2Bj
		mov	eax, [ebp+arg_0]

loc_62D65E:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+30j
		cmp	edi, eax
		ja	short loc_62D6C7
		lea	eax, [edi+8]
		shl	eax, 9
		mov	[ebp+var_C], eax

loc_62D66B:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+9Cj
		cmp	esi, 1
		jnz	short loc_62D675
		call	KdCheckForDebugBreak

loc_62D675:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+45j
		and	[ebp+var_20], 0
		and	[ebp+var_1C], 0
		mov	edx, [edi]
		nop
		mov	ecx, [edi+4]
		mov	ebx, edx
		and	ebx, 1
		mov	eax, ebx
		or	eax, 0
		jz	short loc_62D6D0
		nop
		mov	esi, edx
		mov	eax, ecx
		shrd	esi, eax, 0Ch
		mov	eax, [ebp+arg_8]
		and	esi, 1FFFFFFh
		cmp	esi, ds:dword_6D3518[eax*4]
		jz	short loc_62D6B3
		cmp	esi, ds:dword_6D3510[eax*4]
		jnz	short loc_62D6D7

loc_62D6B3:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+7Fj
		mov	esi, eax

loc_62D6B5:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+A9j
					; MiAddRangeToCrashDump(x,x,x,x,x)+10Dj ...
		mov	ebx, [ebp+var_4]

loc_62D6B8:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+1AFj
					; MiAddRangeToCrashDump(x,x,x,x,x)+1BAj ...
		add	[ebp+var_C], 1000h
		add	edi, 8
		cmp	edi, [ebp+arg_0]
		jbe	short loc_62D66B

loc_62D6C7:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+37j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_62D6D0:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+64j
		test	esi, esi
		jnz	short loc_62D6B5
		mov	eax, [ebp+arg_8]

loc_62D6D7:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+88j
		cmp	eax, 1
		jnz	short loc_62D73B
		cmp	edi, 0C0603018h
		jz	short loc_62D733
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	short loc_62D6F8
		cmp	edi, 0C0603010h
		jz	short loc_62D733

loc_62D6F8:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+C5j
		push	2
		mov	eax, edi
		pop	ecx

loc_62D6FD:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+DAj
		shl	eax, 9
		sub	ecx, 1
		jnz	short loc_62D6FD
		cmp	eax, ds:dword_6D07D0
		jnb	short loc_62D711
		xor	eax, eax
		jmp	short loc_62D71B
; 

loc_62D711:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+E2j
		shr	eax, 15h
		movzx	eax, byte ptr ds:dword_6D3994[eax]

loc_62D71B:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+E6j
		mov	ebx, [ebp+arg_4]
		cmp	dword ptr [ebx+18h], 1
		jnz	short loc_62D72E
		cmp	eax, 1
		jz	short loc_62D733
		cmp	eax, 0Bh
		jz	short loc_62D733

loc_62D72E:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+F9j
		cmp	eax, 8
		jnz	short loc_62D746

loc_62D733:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+B9j
					; MiAddRangeToCrashDump(x,x,x,x,x)+CDj	...
		mov	esi, [ebp+arg_8]
		jmp	loc_62D6B5
; 

loc_62D73B:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+B1j
		test	eax, eax
		jz	loc_62D84C
		mov	ebx, [ebp+arg_4]

loc_62D746:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+108j
		and	edx, 80h
		or	edx, 0
		jz	loc_62D7E8
		cmp	esi, ds:dword_6D07B0
		ja	short loc_62D733
		mov	eax, ds:dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		and	esi, 1Fh
		mov	ecx, esi
		mov	esi, [ebp+arg_8]
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_62D6B5
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		shl	ecx, 9
		test	esi, esi
		jle	short loc_62D796
		mov	eax, esi

loc_62D78B:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+16Bj
		shl	ecx, 9
		shl	edx, 9
		sub	eax, 1
		jnz	short loc_62D78B

loc_62D796:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+15Ej
		mov	ebx, [ebx+10h]
		mov	eax, ebx
		and	eax, 0FFFFF000h
		cmp	ecx, eax
		jnb	short loc_62D7AC
		mov	ecx, ebx
		and	ecx, 0FFFFF000h

loc_62D7AC:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+179j
		lea	eax, [edx-1]
		mov	edx, [ebp+arg_4]
		mov	edx, [edx+14h]
		or	edx, 0FFFh
		cmp	eax, edx
		jbe	short loc_62D7C1
		mov	eax, edx

loc_62D7C1:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+194j
		sub	eax, ecx
		inc	eax
		push	1
		shr	eax, 0Ch
		push	eax
		mov	eax, [ebp+var_8]
		push	ecx
		push	eax
		call	dword ptr [eax]
		jmp	loc_62D96C
; 

loc_62D7D6:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+348j
		test	ebx, ebx
		js	loc_62D6B8
		mov	ebx, eax
		mov	[ebp+var_4], ebx
		jmp	loc_62D6B8
; 

loc_62D7E8:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+126j
		cmp	esi, ds:dword_6D07B0
		ja	short loc_62D826
		mov	eax, ds:dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_62D826
		mov	eax, [ebp+var_8]
		push	2
		push	1
		push	esi
		push	eax
		call	dword ptr [eax]
		mov	ebx, [ebp+var_4]
		test	eax, eax
		jns	short loc_62D829
		test	ebx, ebx
		js	short loc_62D829
		mov	ebx, eax
		mov	[ebp+var_4], ebx
		jmp	short loc_62D829
; 

loc_62D826:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+1C5j
					; MiAddRangeToCrashDump(x,x,x,x,x)+1DEj
		mov	ebx, [ebp+var_4]

loc_62D829:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+1F0j
					; MiAddRangeToCrashDump(x,x,x,x,x)+1F4j ...
		mov	esi, [ebp+arg_8]
		mov	edx, edi
		mov	ecx, [ebp+var_8]
		shl	edx, 9
		lea	eax, [esi-1]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [edx+0FF8h]
		push	eax
		call	_MiAddRangeToCrashDump@20 ; MiAddRangeToCrashDump(x,x,x,x,x)
		jmp	loc_62D96F
; 

loc_62D84C:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+114j
		or	ebx, 0
		jnz	short loc_62D8B3
		mov	eax, edx
		and	eax, 400h
		or	eax, ebx
		jnz	loc_62D733
		mov	eax, edx
		and	eax, 800h
		or	eax, ebx
		jz	loc_62D733
		mov	eax, ds:dword_6D0700
		mov	esi, edx
		mov	ebx, ds:dword_6D0704
		mov	[ebp+var_14], eax
		or	eax, ebx
		mov	[ebp+var_1C], ebx
		mov	ebx, ecx
		mov	[ebp+var_10], ecx
		jz	short loc_62D8A9
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_62D8A5
		mov	esi, [ebp+var_14]
		mov	ecx, [ebp+var_1C]
		not	esi
		not	ecx
		and	esi, edx
		and	ecx, ebx
		jmp	short loc_62D8A9
; 

loc_62D8A5:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+26Aj
		mov	esi, edx
		mov	ecx, ebx

loc_62D8A9:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+260j
					; MiAddRangeToCrashDump(x,x,x,x,x)+27Aj
		shrd	esi, ecx, 0Ch
		and	esi, 3FFFFFFh

loc_62D8B3:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+226j
		mov	ebx, edi
		shl	ebx, 9
		cmp	esi, ds:dword_6D07B0
		ja	loc_62D733
		mov	eax, ds:dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	edx, [eax+edx*4]
		shr	edx, cl
		and	edx, 1
		jz	loc_62D733
		imul	ecx, esi, 1Ch
		add	ecx, ds:_MmPfnDatabase
		cmp	ebx, ds:dword_6D07D0
		jb	short loc_62D956
		shr	ebx, 15h
		cmp	byte ptr ds:dword_6D3994[ebx], 9
		jnz	short loc_62D956
		mov	eax, ds:_MmHighestUserAddress
		mov	ebx, [ecx+4]
		shr	eax, 9
		or	ebx, 80000000h
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	ebx, eax
		ja	short loc_62D956
		cmp	ebx, 0C0000000h
		jb	short loc_62D956
		test	dword ptr [ecx+10h], 3FFFFFFFh
		jz	short loc_62D946
		mov	al, [ecx+16h]
		and	al, 7
		cmp	al, 6
		jnz	short loc_62D946
		mov	eax, [ecx+18h]
		and	eax, offset loc_7FFFFF
		cmp	eax, (offset loc_7FFFFA+3)
		jz	short loc_62D956

loc_62D946:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+303j
					; MiAddRangeToCrashDump(x,x,x,x,x)+30Cj
		mov	eax, esi
		sub	eax, ds:dword_6D3098
		neg	eax
		sbb	eax, eax
		not	eax
		and	edx, eax

loc_62D956:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+2C7j
					; MiAddRangeToCrashDump(x,x,x,x,x)+2D3j ...
		cmp	edx, 1
		jnz	loc_62D733
		mov	eax, [ebp+var_8]
		push	2
		push	edx
		push	esi
		push	eax
		call	dword ptr [eax]
		mov	esi, [ebp+arg_8]

loc_62D96C:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+1A8j
		mov	ebx, [ebp+var_4]

loc_62D96F:				; CODE XREF: MiAddRangeToCrashDump(x,x,x,x,x)+21Ej
		test	eax, eax
		js	loc_62D7D6
		jmp	loc_62D6B8
_MiAddRangeToCrashDump@20 endp


;  S U B	R O U T	I N E 


; __stdcall MiAddTriageDumpPtes(x)
_MiAddTriageDumpPtes@4 proc near	; CODE XREF: MmSnapTriageDumpInformation(x,x,x,x)+E7p
					; MmSnapTriageDumpInformation(x,x,x,x)+FFp
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	esi, ebx
		xor	edi, edi

loc_62D987:				; CODE XREF: MiAddTriageDumpPtes(x)+37j
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		test	edi, edi
		jnz	short loc_62D9A5
		mov	ecx, ebx
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	short loc_62D9AF

loc_62D9A5:				; CODE XREF: MiAddTriageDumpPtes(x)+1Cj
		push	8
		pop	edx
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock

loc_62D9AF:				; CODE XREF: MiAddTriageDumpPtes(x)+27j
		inc	edi
		cmp	edi, 2
		jb	short loc_62D987
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiAddTriageDumpPtes@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddUnicodeStringToCrashDump(x, x,	x)
_MiAddUnicodeStringToCrashDump@12 proc near ; CODE XREF: MiAddPartitionToCrashDump(x,x)+F2p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		shr	esi, 10h
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_MiIsAddressRangeValid@8 ; MiIsAddressRangeValid(x,x)
		test	eax, eax
		jnz	short loc_62D9DD
		mov	eax, 0C0000001h
		jmp	short loc_62D9EA
; 

loc_62D9DD:				; CODE XREF: MiAddUnicodeStringToCrashDump(x,x,x)+1Bj
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	esi
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		xor	eax, eax

loc_62D9EA:				; CODE XREF: MiAddUnicodeStringToCrashDump(x,x,x)+22j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_MiAddUnicodeStringToCrashDump@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCrashdumpRemovePte(x, x, x)
_MiCrashdumpRemovePte@12 proc near	; DATA XREF: MmRemoveSystemCacheFromDump(x)+2Fo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	[ebp+arg_8], 1
		jge	short loc_62DA40
		mov	eax, [ebp+arg_4]
		mov	edx, [eax]
		nop
		mov	ecx, [eax+4]
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	short loc_62DA40
		nop
		mov	eax, ds:_MmPfnDatabase
		shrd	edx, ecx, 0Ch
		and	edx, 1FFFFFFh
		imul	ecx, edx, 1Ch
		mov	eax, [ecx+eax+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	short loc_62DA40
		mov	eax, [ebp+arg_0]
		push	2
		push	1
		push	edx
		mov	eax, [eax+48h]
		push	eax
		call	dword ptr [eax+4]

loc_62DA40:				; CODE XREF: MiCrashdumpRemovePte(x,x,x)+Bj
					; MiCrashdumpRemovePte(x,x,x)+1Ej ...
		xor	eax, eax
		leave
		retn	0Ch
_MiCrashdumpRemovePte@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiIsAddressRangeValid(x, x)
_MiIsAddressRangeValid@8 proc near	; CODE XREF: MiAddUnicodeStringToCrashDump(x,x,x)+14p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [edx+0FFFh]
		and	ecx, 0FFFh
		and	esi, 0FFFFF000h
		add	edi, ecx
		and	edi, 0FFFFF000h
		add	edi, esi
		jmp	short loc_62DA7B
; 

loc_62DA6A:				; CODE XREF: MiIsAddressRangeValid(x,x)+37j
		mov	ecx, esi
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_62DA85
		add	esi, 1000h

loc_62DA7B:				; CODE XREF: MiIsAddressRangeValid(x,x)+22j
		cmp	esi, edi
		jb	short loc_62DA6A
		xor	eax, eax
		inc	eax

loc_62DA82:				; CODE XREF: MiIsAddressRangeValid(x,x)+41j
		pop	edi
		pop	esi
		retn
; 

loc_62DA85:				; CODE XREF: MiIsAddressRangeValid(x,x)+2Dj
		xor	eax, eax
		jmp	short loc_62DA82
_MiIsAddressRangeValid@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAddPrivateDataToCrashDump(x, x)
_MmAddPrivateDataToCrashDump@8 proc near
					; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+F3p
					; IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+120p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	ebx, edx
		xor	esi, esi
		mov	[ebp+var_C], ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edi
		test	bl, 1
		jz	short loc_62DAC0
		mov	eax, ds:dword_6D07B0
		mov	edx, ds:_MmPfnDatabase
		inc	eax
		imul	eax, 1Ch
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		jns	short loc_62DAC0
		mov	esi, eax

loc_62DAC0:				; CODE XREF: MmAddPrivateDataToCrashDump(x,x)+1Aj
					; MmAddPrivateDataToCrashDump(x,x)+33j
		test	bl, 2
		jz	loc_62DB4A
		mov	eax, ds:_KeNumberProcessors
		and	[ebp+var_8], 0
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	short loc_62DB4A
		mov	ebx, [ebp+var_8]

loc_62DADC:				; CODE XREF: MmAddPrivateDataToCrashDump(x,x)+BCj
		mov	eax, ds:_KiProcessorBlock[ebx*4]
		and	[ebp+var_8], 0
		mov	eax, [eax+4]
		mov	eax, [eax+80h]
		mov	[ebp+var_14], eax
		mov	edx, [eax+194h]

loc_62DAF9:				; CODE XREF: MmAddPrivateDataToCrashDump(x,x)+9Fj
		mov	ecx, [edx]
		nop
		mov	eax, [edx+4]
		add	edx, 8
		push	2
		shrd	ecx, eax, 0Ch
		push	1
		and	ecx, 1FFFFFFh
		mov	[ebp+var_10], edx
		push	ecx
		push	edi
		call	dword ptr [edi]
		test	eax, eax
		js	short loc_62DB3F
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_10]
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, 4
		jb	short loc_62DAF9
		mov	eax, [ebp+var_14]
		push	2
		push	1
		mov	eax, [eax+18h]
		shr	eax, 0Ch
		push	eax
		push	edi
		call	dword ptr [edi]
		test	eax, eax
		jns	short loc_62DB41

loc_62DB3F:				; CODE XREF: MmAddPrivateDataToCrashDump(x,x)+90j
		mov	esi, eax

loc_62DB41:				; CODE XREF: MmAddPrivateDataToCrashDump(x,x)+B4j
		inc	ebx
		cmp	ebx, [ebp+var_18]
		jb	short loc_62DADC
		mov	ebx, [ebp+var_C]

loc_62DB4A:				; CODE XREF: MmAddPrivateDataToCrashDump(x,x)+3Aj
					; MmAddPrivateDataToCrashDump(x,x)+4Ej
		test	bl, 4
		jz	short loc_62DB6A
		mov	eax, ds:_PsNtosImageEnd
		mov	ecx, edi
		mov	edx, ds:_PsNtosImageBase
		sub	eax, edx
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		jns	short loc_62DB6A
		mov	esi, eax

loc_62DB6A:				; CODE XREF: MmAddPrivateDataToCrashDump(x,x)+C4j
					; MmAddPrivateDataToCrashDump(x,x)+DDj
		test	bl, 8
		jz	short loc_62DB8A
		mov	eax, ds:_PsHalImageEnd
		mov	ecx, edi
		mov	edx, ds:_PsHalImageBase
		sub	eax, edx
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		jns	short loc_62DB8A
		mov	esi, eax

loc_62DB8A:				; CODE XREF: MmAddPrivateDataToCrashDump(x,x)+E4j
					; MmAddPrivateDataToCrashDump(x,x)+FDj
		test	bl, 10h
		jz	short loc_62DBC5
		mov	edi, ds:dword_6D35C0
		cmp	edi, offset dword_6D35C0
		jz	short loc_62DBC2
		mov	ebx, [ebp+var_4]

loc_62DBA0:				; CODE XREF: MmAddPrivateDataToCrashDump(x,x)+134j
		push	7000h
		lea	edx, [edi-50h]
		mov	ecx, ebx
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		jns	short loc_62DBB5
		mov	esi, eax

loc_62DBB5:				; CODE XREF: MmAddPrivateDataToCrashDump(x,x)+128j
		mov	edi, [edi]
		cmp	edi, offset dword_6D35C0
		jnz	short loc_62DBA0
		mov	ebx, [ebp+var_C]

loc_62DBC2:				; CODE XREF: MmAddPrivateDataToCrashDump(x,x)+112j
		mov	edi, [ebp+var_4]

loc_62DBC5:				; CODE XREF: MmAddPrivateDataToCrashDump(x,x)+104j
		test	bl, 20h
		jz	short loc_62DBD7
		mov	ecx, edi
		call	_MiAddPartitionDataToCrashDump@4 ; MiAddPartitionDataToCrashDump(x)
		test	eax, eax
		jns	short loc_62DBD7
		mov	esi, eax

loc_62DBD7:				; CODE XREF: MmAddPrivateDataToCrashDump(x,x)+13Fj
					; MmAddPrivateDataToCrashDump(x,x)+14Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_MmAddPrivateDataToCrashDump@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAddRangeToCrashDump(x, x,	x)
_MmAddRangeToCrashDump@12 proc near	; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+64p
					; IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+82p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		mov	[ebp+var_24], ecx
		xor	ecx, ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_8], ecx
		mov	eax, [eax+80h]
		push	ebx
		push	esi
		mov	esi, edx
		mov	edx, [ebp+arg_0]
		test	dword ptr [eax+3A8h], 1000h
		push	edi
		jz	short loc_62DC34
		call	_MiIsWorkingSetTrimThread@0 ; MiIsWorkingSetTrimThread()
		test	eax, eax
		jnz	short loc_62DC34
		mov	[ebp+var_8], 1

loc_62DC34:				; CODE XREF: MmAddRangeToCrashDump(x,x,x)+44j
					; MmAddRangeToCrashDump(x,x,x)+4Dj
		lea	edi, [edx-1]
		mov	[ebp+var_10], esi
		add	edi, esi
		mov	eax, offset loc_7FFFF8
		mov	[ebp+var_C], edi
		mov	edx, 40000000h

loc_62DC49:				; CODE XREF: MmAddRangeToCrashDump(x,x,x)+85j
		shr	esi, 9
		shr	edi, 9
		and	esi, eax
		and	edi, eax
		sub	esi, edx
		sub	edi, edx
		mov	[ebp+ecx*8+var_20], esi
		mov	[ebp+ecx*8+var_1C], edi
		inc	ecx
		cmp	ecx, 2
		jb	short loc_62DC49
		mov	eax, ds:_KiBugCheckActive
		mov	bl, 21h
		test	al, 3
		jnz	short loc_62DC8A
		mov	eax, ds:dword_6D3058
		cmp	eax, large fs:124h
		jz	short loc_62DC8A
		push	offset dword_6D2E64
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	bl, al

loc_62DC8A:				; CODE XREF: MmAddRangeToCrashDump(x,x,x)+90j
					; MmAddRangeToCrashDump(x,x,x)+9Ej
		mov	ecx, [ebp+var_24]
		lea	eax, [ebp+var_20]
		push	1
		push	eax
		push	edi
		mov	edx, esi
		call	_MiAddRangeToCrashDump@20 ; MiAddRangeToCrashDump(x,x,x,x,x)
		mov	esi, eax
		cmp	bl, 21h
		jz	short loc_62DCB4
		push	offset dword_6D2E64
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_62DCB4:				; CODE XREF: MmAddRangeToCrashDump(x,x,x)+C2j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MmAddRangeToCrashDump@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAddUnloadedDriverInformationToCrashDump(x)
_MmAddUnloadedDriverInformationToCrashDump@4 proc near
					; CODE XREF: IopAddMiniDumpPagesToPartialKernelDump(x,x,x,x,x,x,x,x)+7Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, ds:_MmUnloadedDrivers
		mov	eax, ecx
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		test	edx, edx
		jnz	short loc_62DCE3
		xor	eax, eax
		jmp	short loc_62DD28
; 

loc_62DCE3:				; CODE XREF: MmAddUnloadedDriverInformationToCrashDump(x)+16j
		push	4B0h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_62DD28
		mov	edi, ds:_MmLastUnloadedDriver
		xor	ebx, ebx
		test	edi, edi
		jz	short loc_62DD28
		imul	esi, edi, 18h

loc_62DD00:				; CODE XREF: MmAddUnloadedDriverInformationToCrashDump(x)+5Fj
		mov	ecx, ds:_MmUnloadedDrivers
		mov	edx, [esi+ecx-14h]
		test	edx, edx
		jz	short loc_62DD28
		movzx	eax, word ptr [esi+ecx-16h]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_62DD28
		inc	ebx
		sub	esi, 18h
		cmp	ebx, edi
		jb	short loc_62DD00

loc_62DD28:				; CODE XREF: MmAddUnloadedDriverInformationToCrashDump(x)+1Aj
					; MmAddUnloadedDriverInformationToCrashDump(x)+28j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MmAddUnloadedDriverInformationToCrashDump@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetDumpRange(x, x, x)
_MmGetDumpRange@12 proc	near		; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+38Fp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		mov	[ebp+var_10], esi
		push	1Ch
		pop	ebx
		test	edx, edx
		jnz	loc_62DE31
		mov	eax, ds:_KeNumberProcessors
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_62DDB6

loc_62DD56:				; CODE XREF: MmGetDumpRange(x,x,x)+84j
		mov	eax, ds:_KiProcessorBlock[edi*4]
		xor	ebx, ebx
		mov	eax, [eax+4]
		mov	eax, [eax+80h]
		mov	[ebp+var_8], eax
		mov	edx, [eax+194h]

loc_62DD71:				; CODE XREF: MmGetDumpRange(x,x,x)+6Dj
		mov	ecx, [edx]
		nop
		mov	eax, [edx+4]
		add	edx, 8
		push	2
		shrd	ecx, eax, 0Ch
		push	1
		and	ecx, 1FFFFFFh
		mov	[ebp+var_4], edx
		push	ecx
		push	esi
		call	dword ptr [esi]
		test	eax, eax
		js	short loc_62DDAD
		mov	edx, [ebp+var_4]
		inc	ebx
		cmp	ebx, 4
		jb	short loc_62DD71
		mov	eax, [ebp+var_8]
		push	2
		push	1
		mov	eax, [eax+18h]
		shr	eax, 0Ch
		push	eax
		push	esi
		call	dword ptr [esi]

loc_62DDAD:				; CODE XREF: MmGetDumpRange(x,x,x)+64j
		inc	edi
		cmp	edi, [ebp+var_C]
		jb	short loc_62DD56
		push	1Ch
		pop	ebx

loc_62DDB6:				; CODE XREF: MmGetDumpRange(x,x,x)+27j
		mov	edx, ds:dword_6D07D0
		mov	ecx, esi
		mov	eax, edx
		neg	eax
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	[ebp+arg_0], 1
		jz	short loc_62DDE6
		mov	eax, ds:_KiBugCheckActive
		test	al, 3
		jz	short loc_62DDE6
		push	ds:_MmUserProbeAddress
		xor	edx, edx
		mov	ecx, esi
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)

loc_62DDE6:				; CODE XREF: MmGetDumpRange(x,x,x)+9Fj
					; MmGetDumpRange(x,x,x)+A8j
		mov	eax, cr3
		cdq
		mov	ecx, 1000h
		idiv	ecx
		push	2
		push	1
		push	eax
		push	esi
		call	dword ptr [esi]
		test	[ebp+arg_0], 2
		jz	short loc_62DE0D
		mov	ecx, esi
		call	_MiAddPhysicalPagesToCrashDump@4 ; MiAddPhysicalPagesToCrashDump(x)
		mov	ecx, esi
		call	_MmRemoveSystemCacheFromDump@4 ; MmRemoveSystemCacheFromDump(x)

loc_62DE0D:				; CODE XREF: MmGetDumpRange(x,x,x)+D0j
		mov	edi, ds:dword_6CF348
		jmp	short loc_62DE2B
; 

loc_62DE15:				; CODE XREF: MmGetDumpRange(x,x,x)+100j
		mov	eax, edi
		mov	edi, [edi]
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	ebx
		push	2
		push	1
		push	eax
		push	esi
		call	dword ptr [esi+4]

loc_62DE2B:				; CODE XREF: MmGetDumpRange(x,x,x)+E6j
		test	edi, edi
		jnz	short loc_62DE15
		jmp	short loc_62DE5D
; 

loc_62DE31:				; CODE XREF: MmGetDumpRange(x,x,x)+17j
		mov	eax, ds:_MmPhysicalMemoryBlock
		cmp	[eax], edi
		jbe	short loc_62DE5D

loc_62DE3A:				; CODE XREF: MmGetDumpRange(x,x,x)+12Ej
		test	ds:_MiFlags, 8000h
		jnz	short loc_62DE53
		push	2
		push	dword ptr [eax+edi*8+0Ch]
		push	dword ptr [eax+edi*8+8]
		push	esi
		call	dword ptr [esi]

loc_62DE53:				; CODE XREF: MmGetDumpRange(x,x,x)+117j
		mov	eax, ds:_MmPhysicalMemoryBlock
		inc	edi
		cmp	edi, [eax]
		jb	short loc_62DE3A

loc_62DE5D:				; CODE XREF: MmGetDumpRange(x,x,x)+102j
					; MmGetDumpRange(x,x,x)+10Bj
		xor	edx, edx
		mov	dword ptr [ebp+arg_0], edx

loc_62DE62:				; CODE XREF: MmGetDumpRange(x,x,x)+1EEj
					; MmGetDumpRange(x,x,x)+201j ...
		mov	eax, ds:dword_6D3008
		mov	ecx, [eax]
		cmp	edx, ecx
		mov	esi, [eax+4]
		sbb	ebx, ebx
		mov	[ebp+var_8], ecx
		and	ebx, edx
		lea	edi, [ecx-1]

loc_62DE78:				; CODE XREF: MmGetDumpRange(x,x,x)+1C8j
		and	[ebp+var_C], 0
		mov	eax, edi
		sub	eax, ebx
		inc	eax
		cmp	eax, 1
		jnb	short loc_62DE8B
		or	ecx, 0FFFFFFFFh
		jmp	short loc_62DEE2
; 

loc_62DE8B:				; CODE XREF: MmGetDumpRange(x,x,x)+157j
		mov	eax, edi
		xor	edx, edx
		shr	eax, 5
		mov	ecx, ebx
		and	ecx, 1Fh
		inc	edx
		shl	edx, cl
		dec	edx
		lea	eax, [esi+eax*4]
		mov	[ebp+var_C], eax
		mov	eax, ebx
		shr	eax, 5
		lea	ecx, [esi+eax*4]
		mov	eax, [ecx]
		not	eax
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_62DEC7
		mov	edx, [ebp+var_C]

loc_62DEB7:				; CODE XREF: MmGetDumpRange(x,x,x)+198j
		add	ecx, 4
		cmp	ecx, edx
		ja	short loc_62DEF7
		mov	eax, [ecx]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_62DEB7

loc_62DEC7:				; CODE XREF: MmGetDumpRange(x,x,x)+185j
		not	eax
		sub	ecx, esi
		bsf	eax, eax
		sar	ecx, 2
		shl	ecx, 5
		add	ecx, eax
		cmp	ecx, edi
		ja	short loc_62DEF7
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_62DEFC

loc_62DEDF:				; CODE XREF: MmGetDumpRange(x,x,x)+1CDj
		mov	edx, dword ptr [ebp+arg_0]

loc_62DEE2:				; CODE XREF: MmGetDumpRange(x,x,x)+15Cj
		test	ebx, ebx
		jz	short loc_62DEFC
		mov	ecx, [ebp+var_8]
		lea	edi, [edx+1]
		cmp	edi, ecx
		jbe	short loc_62DEF2
		mov	edi, ecx

loc_62DEF2:				; CODE XREF: MmGetDumpRange(x,x,x)+1C1j
		dec	edi
		xor	ebx, ebx
		jmp	short loc_62DE78
; 

loc_62DEF7:				; CODE XREF: MmGetDumpRange(x,x,x)+18Fj
					; MmGetDumpRange(x,x,x)+1ABj
		or	ecx, 0FFFFFFFFh
		jmp	short loc_62DEDF
; 

loc_62DEFC:				; CODE XREF: MmGetDumpRange(x,x,x)+1B0j
					; MmGetDumpRange(x,x,x)+1B7j
		mov	esi, [ebp+var_10]
		cmp	ecx, dword ptr [ebp+arg_0]
		jb	short loc_62DF54
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_62DF54
		mov	eax, ds:dword_6D3018
		lea	edx, [ecx+1]
		mov	dword ptr [ebp+arg_0], edx
		mov	edi, [eax+ecx*4]
		test	byte ptr [edi+4], 2
		jz	loc_62DE62
		mov	edi, [edi+908h]
		mov	ebx, offset loc_7FFFFF
		cmp	edi, ebx
		jz	loc_62DE62

loc_62DF34:				; CODE XREF: MmGetDumpRange(x,x,x)+21Dj
		push	2
		push	1
		push	edi
		push	esi
		call	dword ptr [esi+4]
		mov	eax, ds:_MmPfnDatabase
		imul	ecx, edi, 1Ch
		mov	edi, [ecx+eax]
		cmp	edi, ebx
		jnz	short loc_62DF34
		mov	edx, dword ptr [ebp+arg_0]
		jmp	loc_62DE62
; 

loc_62DF54:				; CODE XREF: MmGetDumpRange(x,x,x)+1D5j
					; MmGetDumpRange(x,x,x)+1DAj
		cmp	ds:byte_6D311C,	1
		jnz	short loc_62DF9F
		imul	ebx, ds:dword_6D5D84, 1Ch
		mov	edi, ds:_MmPfnDatabase
		add	ebx, edi
		jmp	short loc_62DF9B
; 

loc_62DF6E:				; CODE XREF: MmGetDumpRange(x,x,x)+270j
		test	byte ptr [edi+17h], 40h
		jnz	short loc_62DF7F
		mov	ecx, edi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jz	short loc_62DF96

loc_62DF7F:				; CODE XREF: MmGetDumpRange(x,x,x)+245j
		push	2
		push	1
		push	1Ch
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		pop	ecx
		cdq
		idiv	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]

loc_62DF96:				; CODE XREF: MmGetDumpRange(x,x,x)+250j
		push	1Ch
		pop	eax
		add	edi, eax

loc_62DF9B:				; CODE XREF: MmGetDumpRange(x,x,x)+23Fj
		cmp	edi, ebx
		jbe	short loc_62DF6E

loc_62DF9F:				; CODE XREF: MmGetDumpRange(x,x,x)+22Ej
		cmp	ds:dword_6D3580, 0
		jz	short loc_62DFAF
		mov	ecx, esi
		call	_MiRemoveEnclavePagesFromDump@4	; MiRemoveEnclavePagesFromDump(x)

loc_62DFAF:				; CODE XREF: MmGetDumpRange(x,x,x)+279j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MmGetDumpRange@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1438. MmMapMemoryDumpMdl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMapMemoryDumpMdl(x)
		public _MmMapMemoryDumpMdl@4
_MmMapMemoryDumpMdl@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, ds:dword_6D306C
		push	0
		push	[ebp+arg_0]
		shl	ecx, 9
		call	MiMapMemoryDumpMdl
		pop	ebp
		retn	4
_MmMapMemoryDumpMdl@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmRemoveSystemCacheFromDump(x)
_MmRemoveSystemCacheFromDump@4 proc near ; CODE	XREF: MmGetDumpRange(x,x,x)+DBp
					; IopLiveDumpRemoveSystemCacheFromDump(x,x,x)+5Ap

var_58		= dword	ptr -58h
var_52		= byte ptr -52h
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	4Ch		; size_t
		lea	eax, [ebp+var_58]
		mov	edi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		or	[ebp+var_40], 0FFFFFFFFh
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[ebp+var_10], edi
		mov	[ebp+var_18], offset _MiCrashdumpRemovePte@12 ;	MiCrashdumpRemovePte(x,x,x)
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	ecx, ds:_KiBugCheckActive
		mov	esi, eax
		mov	[ebp+var_48], esi
		test	cl, 3
		jnz	short loc_62E05B
		mov	ecx, ds:dword_6D3058
		cmp	ecx, large fs:124h
		jz	short loc_62E05B
		push	6
		pop	eax
		mov	ecx, esi
		mov	word ptr [ebp+var_58], ax
		call	MiLockWorkingSetShared
		mov	[ebp+var_52], al

loc_62E042:				; CODE XREF: MmRemoveSystemCacheFromDump(x)+A4j
		lea	ecx, [ebp+var_58]
		call	MiWalkPageTables
		mov	dl, [ebp+var_52]
		mov	ecx, esi
		cmp	dl, 21h
		jnz	short loc_62E08C
		call	_MiUnlockWorkingSetExclusiveUnorderedAtDpc@4 ; MiUnlockWorkingSetExclusiveUnorderedAtDpc(x)
		jmp	short loc_62E091
; 

loc_62E05B:				; CODE XREF: MmRemoveSystemCacheFromDump(x)+49j
					; MmRemoveSystemCacheFromDump(x)+58j
		mov	[ebp+var_52], 21h
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_62E073
		lea	eax, [esi+80h]

loc_62E073:				; CODE XREF: MmRemoveSystemCacheFromDump(x)+94j
		push	eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jnz	short loc_62E042
		push	eax
		push	eax
		push	edi
		push	50000h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_62E08C:				; CODE XREF: MmRemoveSystemCacheFromDump(x)+7Bj
		call	MiUnlockWorkingSetShared

loc_62E091:				; CODE XREF: MmRemoveSystemCacheFromDump(x)+82j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MmRemoveSystemCacheFromDump@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmSnapTriageDumpInformation(x, x, x, x)
_MmSnapTriageDumpInformation@16	proc near
					; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+90p
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+210p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		mov	eax, ds:dword_6D5740
		mov	ds:_MiTriageDumpData, eax
		mov	eax, ds:dword_6D30F8
		mov	ds:dword_6C69A4, eax
		mov	eax, ds:dword_6D30F4
		mov	ds:dword_6C69A8, eax
		mov	eax, ds:dword_6D30FC
		mov	ds:dword_6C69AC, eax
		mov	eax, ds:dword_6D3100
		mov	ds:dword_6C69B0, eax
		mov	eax, ds:dword_6D30EC
		mov	ds:dword_6C69B4, eax
		mov	eax, ds:_KeFeatureBits
		xor	esi, esi
		mov	ds:dword_6C69B8, eax
		mov	eax, ds:dword_70E754
		mov	ds:dword_6C69C0, esi
		mov	ds:dword_6C69C4, esi
		mov	ds:dword_6C69CC, esi
		mov	ds:dword_6C69BC, eax
		mov	ds:dword_6C69C8, esi
		mov	ds:dword_6C69D0, esi
		mov	ds:dword_6C69D4, esi
		mov	eax, ds:0FFDF0240h
		mov	ecx, ds:_KiI386ExceptionChainTerminator
		mov	ds:dword_6C69C0, eax
		mov	eax, ds:_MiFlags
		mov	ds:dword_6C69C4, eax
		mov	ds:dword_6C69CC, ecx
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_62E175
		mov	ecx, ds:dword_6C69CC
		lea	ecx, [ecx+8]
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_62E175
		mov	ecx, ds:dword_6C69CC
		mov	eax, [ecx]
		mov	ds:dword_6C69D0, eax
		mov	eax, [ecx+4]
		mov	ds:dword_6C69D4, eax
		jmp	short loc_62E181
; 

loc_62E175:				; CODE XREF: MmSnapTriageDumpInformation(x,x,x,x)+ABj
					; MmSnapTriageDumpInformation(x,x,x,x)+BDj
		mov	ds:dword_6C69D0, esi
		mov	ds:dword_6C69D4, esi

loc_62E181:				; CODE XREF: MmSnapTriageDumpInformation(x,x,x,x)+D4j
		mov	edi, esi

loc_62E183:				; CODE XREF: MmSnapTriageDumpInformation(x,x,x,x)+F0j
		mov	ecx, [ebx+edi*4]
		call	_MiAddTriageDumpPtes@4 ; MiAddTriageDumpPtes(x)
		inc	edi
		cmp	edi, 4
		jb	short loc_62E183
		mov	edi, [ebp+var_4]

loc_62E194:				; CODE XREF: MmSnapTriageDumpInformation(x,x,x,x)+10Aj
		movzx	ecx, word ptr ds:_IopRunTimeContextOffsets[esi]	; "Ĵ"
		mov	ecx, [ecx+edi]
		call	_MiAddTriageDumpPtes@4 ; MiAddTriageDumpPtes(x)
		add	esi, 2
		cmp	esi, 12h
		jb	short loc_62E194
		push	38h
		pop	edx
		mov	ecx, offset _MiTriageDumpData
		call	IoAddTriageDumpDataBlock
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MmSnapTriageDumpInformation@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmWriteTriageInformation(x)
_MmWriteTriageInformation@4 proc near	; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+36Ep

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:_MmSpecialPoolTag
		push	esi
		xor	esi, esi
		mov	[ebp+var_30], 34h
		push	edi
		inc	esi
		mov	[ebp+var_2C], eax
		mov	edi, ecx
		mov	[ebp+var_34], esi
		call	_VfTriageActionTaken@0 ; VfTriageActionTaken()
		mov	[ebp+var_28], eax
		mov	eax, ds:_MmVerifierData
		mov	[ebp+var_24], eax
		mov	eax, ds:_MiFlags
		shr	eax, 1
		and	eax, esi
		lea	esi, [ebp+var_34]
		mov	[ebp+var_20], eax
		mov	eax, ds:dword_6D35D8
		mov	[ebp+var_1C], eax
		mov	eax, ds:dword_6CF344
		mov	[ebp+var_18], eax
		mov	eax, ds:dword_6D35DC
		mov	[ebp+var_14], eax
		mov	eax, ds:dword_6D35D4
		mov	[ebp+var_10], eax
		mov	eax, ds:dword_6D5EFC
		mov	[ebp+var_C], eax
		mov	eax, ds:dword_6D5BC0
		push	0Dh
		mov	[ebp+var_8], eax
		mov	eax, ds:dword_6D5BC4
		pop	ecx
		mov	[ebp+var_4], eax
		rep movsd
		pop	edi
		pop	esi
		leave
		retn
_MmWriteTriageInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmWriteUnloadedDriverInformation(x)
_MmWriteUnloadedDriverInformation@4 proc near
					; CODE XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+24Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_MmUnloadedDrivers, 0
		push	edi
		mov	[ebp+var_4], ecx
		jz	short loc_62E2D2
		push	ebx
		mov	ebx, ds:_MmLastUnloadedDriver
		push	esi
		push	18h
		lea	esi, [ecx+4]
		dec	ebx
		xor	edi, edi
		pop	ecx

loc_62E264:				; CODE XREF: MmWriteUnloadedDriverInformation(x)+89j
		cmp	ebx, 32h
		jb	short loc_62E26C
		push	31h
		pop	ebx

loc_62E26C:				; CODE XREF: MmWriteUnloadedDriverInformation(x)+27j
		imul	edx, ebx, 18h
		add	edx, ds:_MmUnloadedDrivers
		mov	eax, [edx]
		mov	[esi], eax
		mov	eax, [edx+4]
		mov	[esi+4], eax
		cmp	dword ptr [edx+4], 0
		jz	short loc_62E2CB
		mov	eax, [edx+8]
		mov	[esi+20h], eax
		mov	eax, [edx+0Ch]
		mov	[esi+24h], eax
		cmp	[esi], cx
		jbe	short loc_62E299
		mov	[esi], cx

loc_62E299:				; CODE XREF: MmWriteUnloadedDriverInformation(x)+54j
		movzx	eax, word ptr [esi+2]
		cmp	ax, cx
		jbe	short loc_62E2A8
		mov	[esi+2], cx
		mov	eax, ecx

loc_62E2A8:				; CODE XREF: MmWriteUnloadedDriverInformation(x)+60j
		lea	ecx, [esi+8]
		movzx	eax, ax
		push	eax		; size_t
		mov	[esi+4], ecx
		push	dword ptr [edx+4] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		add	esi, 28h
		dec	ebx
		inc	edi
		push	18h
		pop	ecx
		cmp	edi, 32h
		jb	short loc_62E264

loc_62E2CB:				; CODE XREF: MmWriteUnloadedDriverInformation(x)+43j
		mov	ecx, [ebp+var_4]
		pop	esi
		pop	ebx
		jmp	short loc_62E2D4
; 

loc_62E2D2:				; CODE XREF: MmWriteUnloadedDriverInformation(x)+11j
		xor	edi, edi

loc_62E2D4:				; CODE XREF: MmWriteUnloadedDriverInformation(x)+90j
		mov	[ecx], edi
		pop	edi
		leave
		retn
_MmWriteUnloadedDriverInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiZeroPageFile(x)
_MiZeroPageFile@4 proc near		; CODE XREF: MiZeroAllPageFiles()+118p
					; DATA XREF: MiZeroAllPageFiles()+FCo

var_8A		= byte ptr -8Ah
var_89		= byte ptr -89h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= word ptr -64h
var_62		= word ptr -62h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 8Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+8Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esp+94h+var_68]
		push	edi
		push	5Ch		; size_t
		xor	edi, edi
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esi+14h]
		add	esp, 0Ch
		mov	ebx, [esi+10h]
		mov	[esp+98h+var_7C], eax
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 800h
		test	[ebx+74h], ax
		push	1Ch
		pop	eax
		mov	[esp+98h+var_58], edi
		mov	[esp+98h+var_50], edi
		mov	[esp+98h+var_54], edi
		mov	[esp+98h+var_64], ax
		jz	short loc_62E357
		push	2
		pop	eax
		push	10h
		mov	[esp+9Ch+var_62], ax
		lea	edi, [esp+9Ch+var_4C]
		mov	eax, ds:dword_6D34F0
		pop	ecx
		rep stosd
		xor	edi, edi
		jmp	short loc_62E35E
; 

loc_62E357:				; CODE XREF: MiZeroPageFile(x)+62j
		xor	eax, eax
		mov	[esp+98h+var_62], ax

loc_62E35E:				; CODE XREF: MiZeroPageFile(x)+7Cj
		lea	eax, [ebx+88h]
		mov	[esp+98h+var_88], edi
		push	eax
		mov	esi, edi
		mov	[esp+9Ch+var_80], edi
		call	ExAcquireSpinLockExclusive
		mov	edi, [ebx]
		xor	ecx, ecx
		inc	ecx
		mov	[esp+98h+var_89], al
		mov	[esp+98h+var_84], ecx
		cmp	edi, ecx
		jbe	loc_62E44E

loc_62E389:				; CODE XREF: MiZeroPageFile(x)+16Fj
		mov	eax, [ebx+38h]
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+8]
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jnz	short loc_62E3C2
		mov	ecx, [esp+98h+var_84]
		test	esi, esi
		jnz	short loc_62E3AC
		mov	[esp+98h+var_80], ecx

loc_62E3AC:				; CODE XREF: MiZeroPageFile(x)+CDj
		inc	esi
		cmp	esi, 10h
		jz	short loc_62E3B9
		lea	eax, [edi-1]
		cmp	ecx, eax
		jnz	short loc_62E3C6

loc_62E3B9:				; CODE XREF: MiZeroPageFile(x)+D7j
					; MiZeroPageFile(x)+EBj
		xor	eax, eax
		inc	eax
		mov	[esp+98h+var_88], eax
		jmp	short loc_62E3CA
; 

loc_62E3C2:				; CODE XREF: MiZeroPageFile(x)+C5j
		test	esi, esi
		jnz	short loc_62E3B9

loc_62E3C6:				; CODE XREF: MiZeroPageFile(x)+DEj
		mov	eax, [esp+98h+var_88]

loc_62E3CA:				; CODE XREF: MiZeroPageFile(x)+E7j
		test	eax, eax
		jz	short loc_62E43D
		lea	edi, [ebx+88h]
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+98h+var_89]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, 800h
		test	[ebx+74h], ax
		jz	short loc_62E3F8
		shl	esi, 0Ch
		mov	[esp+98h+var_54], esi
		jmp	short loc_62E42A
; 

loc_62E3F8:				; CODE XREF: MiZeroPageFile(x)+114j
		mov	eax, [esp+98h+var_80]
		mov	ecx, 1000h
		mul	ecx
		push	0
		mov	[esp+9Ch+var_70], eax
		mov	eax, esi
		mov	[esp+9Ch+var_6C], edx
		mul	ecx
		mov	ecx, [ebx+1Ch]
		mov	[esp+9Ch+var_78], eax
		lea	eax, [esp+9Ch+var_78]
		mov	[esp+9Ch+var_74], edx
		lea	edx, [esp+9Ch+var_70]
		push	eax
		call	MmZeroPageWrite

loc_62E42A:				; CODE XREF: MiZeroPageFile(x)+11Dj
		and	[esp+98h+var_88], 0
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	edi, [ebx]
		xor	esi, esi
		mov	[esp+98h+var_89], al

loc_62E43D:				; CODE XREF: MiZeroPageFile(x)+F3j
		mov	ecx, [esp+98h+var_84]
		inc	ecx
		mov	[esp+98h+var_84], ecx
		cmp	ecx, edi
		jb	loc_62E389

loc_62E44E:				; CODE XREF: MiZeroPageFile(x)+AAj
		lea	eax, [ebx+88h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+98h+var_89]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, 800h
		test	[ebx+74h], ax
		jz	short loc_62E484
		test	byte ptr [esp+98h+var_62], 1
		jz	short loc_62E484
		lea	eax, [esp+98h+var_68]
		push	eax
		push	[esp+9Ch+var_5C]
		call	MmUnmapLockedPages

loc_62E484:				; CODE XREF: MiZeroPageFile(x)+194j
					; MiZeroPageFile(x)+19Bj
		push	0
		push	0
		push	[esp+0A0h+var_7C]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [esp+98h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_MiZeroPageFile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeFaultVaListCore(x, x, x, x)
_MiInitializeFaultVaListCore@16	proc near ; CODE XREF: MiInitializePrototypePtes+14DEE0p
					; MmVirtualAccessFault(x,x,x)+41p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [ebp+arg_4]
		and	dword ptr [ecx+0Ch], 0
		and	dword ptr [ecx+10h], 0
		mov	[ecx], al
		mov	eax, [ebp+arg_0]
		mov	byte ptr [ecx+1], 0
		mov	[ecx+4], edx
		mov	[ecx+8], eax
		pop	ebp
		retn	8
_MiInitializeFaultVaListCore@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockAndSelectSessionAttachProcess proc near ;	CODE XREF: MmPrefetchVirtualMemory+135AD0p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, esi
		call	MiSelectSessionAttachProcess
		test	ds:byte_70EFC6,	1
		mov	esi, eax
		jz	short loc_62E50B
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_62E53A
; 

loc_62E50B:				; CODE XREF: MiLockAndSelectSessionAttachProcess+31j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_62E52A
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_62E53A
		call	KxWaitForLockChainValid

loc_62E52A:				; CODE XREF: MiLockAndSelectSessionAttachProcess+45j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_62E53A:				; CODE XREF: MiLockAndSelectSessionAttachProcess+3Ej
					; MiLockAndSelectSessionAttachProcess+58j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
MiLockAndSelectSessionAttachProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPrefetchJumpVad(x, x, x)
_MiPrefetchJumpVad@12 proc near		; CODE XREF: .text:005B271Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [ebx+10h]
		mov	eax, [ebx+1Ch]
		inc	esi
		shl	esi, 0Ch
		mov	[ebp+var_8], edi
		test	al, 4
		jnz	loc_62E642
		test	eax, 100000h
		jz	loc_62E638
		and	eax, 70h
		cmp	eax, 30h
		jz	loc_62E642
		cmp	eax, 10h
		jz	loc_62E642
		mov	ecx, ebx
		call	_MiIsVadLargePrivate@4 ; MiIsVadLargePrivate(x)
		test	eax, eax
		jnz	loc_62E642
		mov	edx, [ebp+arg_0]
		mov	eax, 40000000h
		mov	edi, edx
		shr	esi, 9
		shr	edi, 9
		sub	esi, eax
		and	edi, offset loc_7FFFF8
		mov	ecx, 0FFFFF000h
		sub	edi, eax
		mov	eax, edi
		and	eax, ecx
		add	eax, 1000h
		cmp	esi, eax
		jbe	short loc_62E62A
		mov	esi, edi
		and	esi, ecx
		add	esi, 1000h
		jmp	short loc_62E62A
; 

loc_62E5D3:				; CODE XREF: MiPrefetchJumpVad(x,x,x)+E3j
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		add	edi, 8
		mov	[ebp+var_4], eax
		mov	eax, ecx
		or	eax, [ebp+var_4]
		jz	short loc_62E620
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	short loc_62E617
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_62E62E
		mov	eax, ecx
		and	eax, 800h
		or	eax, 0
		jnz	short loc_62E617
		push	[ebp+var_4]
		push	ecx
		call	_IS_PTE_NOT_DEMAND_ZERO@8 ; IS_PTE_NOT_DEMAND_ZERO(x,x)
		test	eax, eax
		jnz	short loc_62E62E
		jmp	short loc_62E620
; 

loc_62E617:				; CODE XREF: MiPrefetchJumpVad(x,x,x)+A5j
					; MiPrefetchJumpVad(x,x,x)+BDj
		mov	ecx, [ebp+var_8]
		push	ebx
		call	MiUpdatePrefetchPriority

loc_62E620:				; CODE XREF: MiPrefetchJumpVad(x,x,x)+9Bj
					; MiPrefetchJumpVad(x,x,x)+CCj
		add	[ebp+arg_0], 1000h
		mov	edx, [ebp+arg_0]

loc_62E62A:				; CODE XREF: MiPrefetchJumpVad(x,x,x)+7Cj
					; MiPrefetchJumpVad(x,x,x)+88j
		cmp	edi, esi
		jb	short loc_62E5D3

loc_62E62E:				; CODE XREF: MiPrefetchJumpVad(x,x,x)+B1j
					; MiPrefetchJumpVad(x,x,x)+CAj
		mov	esi, edi
		mov	edi, [ebp+var_8]
		shl	esi, 9
		jmp	short loc_62E642
; 

loc_62E638:				; CODE XREF: MiPrefetchJumpVad(x,x,x)+28j
		mov	eax, [ebx+28h]
		test	eax, 1000000h
		jz	short loc_62E64F

loc_62E642:				; CODE XREF: MiPrefetchJumpVad(x,x,x)+1Dj
					; MiPrefetchJumpVad(x,x,x)+34j	...
		mov	edx, esi
		mov	ecx, edi
		call	MiLeapPrefetch
		mov	byte ptr [edi+1], 1

loc_62E64F:				; CODE XREF: MiPrefetchJumpVad(x,x,x)+F7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiPrefetchJumpVad@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPrefetchPreallocatePages(x, x, x,	x, x, x)
_MiPrefetchPreallocatePages@24 proc near ; CODE	XREF: MiPrefetchVirtualMemory+BA14Fp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	esi, edx
		mov	[ebp+var_4], esi
		mov	ebx, ecx
		stosd
		stosd
		mov	eax, [ebp+arg_4]
		cmp	eax, 1
		jz	loc_62E862
		test	byte ptr [eax+60h], 7
		jnz	loc_62E862
		mov	eax, [ebp+arg_8]
		mov	edi, [ebp+arg_C]
		mov	edx, [ebx]
		mov	ecx, [eax+4]
		add	ecx, [eax]
		mov	eax, edi
		and	eax, 0FFE00000h
		test	edx, edx
		jz	short loc_62E6A6
		cmp	eax, edx
		jz	loc_62E84F

loc_62E6A6:				; CODE XREF: MiPrefetchPreallocatePages(x,x,x,x,x,x)+46j
		cmp	edi, ds:_MmHighestUserAddress
		ja	loc_62E869
		test	edi, edi
		jz	loc_62E869
		cmp	eax, edi
		jnz	loc_62E869
		sub	ecx, edi
		cmp	ecx, 200000h
		jb	loc_62E869
		and	dword ptr [ebx], 0
		cmp	edi, [ebx+0Ch]
		jb	short loc_62E6E1
		cmp	edi, [ebx+10h]
		jbe	loc_62E771

loc_62E6E1:				; CODE XREF: MiPrefetchPreallocatePages(x,x,x,x,x,x)+80j
		lea	eax, [ebp+arg_8]
		mov	ecx, edi
		push	eax
		push	2
		pop	edx
		call	MiObtainReferencedVadEx
		mov	esi, eax
		test	esi, esi
		jz	loc_62E84C
		mov	ecx, [esi+1Ch]
		test	ecx, 100000h
		jz	loc_62E845
		test	cl, 70h
		jnz	loc_62E845
		mov	eax, [esi+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		mov	[ebp+arg_8], eax
		sub	eax, edi
		inc	eax
		cmp	eax, 200000h
		jb	loc_62E845
		mov	eax, ecx
		shr	eax, 0Ch
		and	eax, 3Fh
		mov	[ebp+arg_C], eax
		jz	loc_62E845
		shr	ecx, 7
		and	ecx, 1Fh
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		cmp	eax, 1
		jnz	loc_62E845
		mov	eax, [esi+0Ch]
		mov	ecx, esi
		shl	eax, 0Ch
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[ebx+10h], eax
		mov	eax, [ebp+arg_C]
		mov	[ebx+14h], eax
		call	MiUnlockAndDereferenceVadShared
		mov	esi, [ebp+var_4]

loc_62E771:				; CODE XREF: MiPrefetchPreallocatePages(x,x,x,x,x,x)+85j
		mov	eax, [esi+2Ch]
		test	eax, eax
		jz	short loc_62E7AE
		cmp	eax, [ebx+4]
		jnz	short loc_62E7A0
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		mov	ecx, [ebx+14h]
		dec	ecx
		cmp	[eax+4], ecx
		jnz	short loc_62E7A0
		mov	[ebx], edi
		jmp	loc_62E84F
; 

loc_62E7A0:				; CODE XREF: MiPrefetchPreallocatePages(x,x,x,x,x,x)+125j
					; MiPrefetchPreallocatePages(x,x,x,x,x,x)+141j
		push	0
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		call	_MiPrefetchReleasePreallocatedPages@16 ; MiPrefetchReleasePreallocatedPages(x,x,x,x)

loc_62E7AE:				; CODE XREF: MiPrefetchPreallocatePages(x,x,x,x,x,x)+120j
		and	dword ptr [ebx+4], 0
		mov	ecx, [ebx+8]
		test	ecx, ecx
		jnz	short loc_62E7DB
		mov	ecx, [ebp+arg_0]
		mov	edx, 200h
		push	6
		push	400h
		call	MiAcquireNonPagedResources
		xor	ecx, ecx
		test	eax, eax
		setns	cl
		mov	[ebx+8], ecx
		test	ecx, ecx
		jz	short loc_62E84F

loc_62E7DB:				; CODE XREF: MiPrefetchPreallocatePages(x,x,x,x,x,x)+161j
		push	dword ptr [ebx+14h]
		mov	ecx, [ebp+arg_4]
		lea	edx, [ebp+var_10]
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	eax, [ebp+var_10]
		xor	esi, esi
		inc	esi
		lock xadd [eax], esi
		inc	esi
		dec	esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		push	0
		and	ecx, esi
		mov	byte ptr [ebp+arg_4+3],	al
		or	ecx, [ebp+var_8]
		push	4
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	1
		call	_MiGetLargePage@24 ; MiGetLargePage(x,x,x,x,x,x)
		mov	esi, [ebp+var_4]
		mov	[esi+2Ch], eax
		test	eax, eax
		jz	short loc_62E832
		push	0
		push	0
		push	1
		push	2
		xor	edx, edx
		mov	ecx, eax
		call	_MiConvertEntireLargePageToSmall@24 ; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)

loc_62E832:				; CODE XREF: MiPrefetchPreallocatePages(x,x,x,x,x,x)+1C9j
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esi+2Ch]
		mov	[ebx], edi
		mov	[ebx+4], eax
		jmp	short loc_62E84F
; 

loc_62E845:				; CODE XREF: MiPrefetchPreallocatePages(x,x,x,x,x,x)+ACj
					; MiPrefetchPreallocatePages(x,x,x,x,x,x)+B5j ...
		mov	ecx, esi
		call	MiUnlockAndDereferenceVadShared

loc_62E84C:				; CODE XREF: MiPrefetchPreallocatePages(x,x,x,x,x,x)+9Dj
		mov	esi, [ebp+var_4]

loc_62E84F:				; CODE XREF: MiPrefetchPreallocatePages(x,x,x,x,x,x)+4Aj
					; MiPrefetchPreallocatePages(x,x,x,x,x,x)+145j	...
		cmp	dword ptr [ebx], 0
		jnz	short loc_62E862
		push	0
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		call	_MiPrefetchReleasePreallocatedPages@16 ; MiPrefetchReleasePreallocatedPages(x,x,x,x)

loc_62E862:				; CODE XREF: MiPrefetchPreallocatePages(x,x,x,x,x,x)+20j
					; MiPrefetchPreallocatePages(x,x,x,x,x,x)+2Aj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_62E869:				; CODE XREF: MiPrefetchPreallocatePages(x,x,x,x,x,x)+56j
					; MiPrefetchPreallocatePages(x,x,x,x,x,x)+5Ej ...
		and	dword ptr [ebx], 0
		jmp	short loc_62E84F
_MiPrefetchPreallocatePages@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPrefetchReleasePreallocatedPages(x, x, x,	x)
_MiPrefetchReleasePreallocatedPages@16 proc near ; CODE	XREF: MiPrefetchVirtualMemory+BA1C7p
					; MiPrefetchPreallocatePages(x,x,x,x,x,x)+153p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		xor	ebx, ebx
		mov	ecx, [edi+2Ch]
		mov	[esi], ebx
		mov	[esi+4], ebx
		test	ecx, ecx
		jz	short loc_62E890
		call	_MiFreePageChain@4 ; MiFreePageChain(x)
		mov	[edi+2Ch], ebx

loc_62E890:				; CODE XREF: MiPrefetchReleasePreallocatedPages(x,x,x,x)+18j
		cmp	[ebp+arg_4], ebx
		jz	short loc_62E8C6
		cmp	[esi+8], ebx
		jz	short loc_62E8C6
		mov	edi, [ebp+arg_0]
		mov	ebx, 200h
		mov	edx, ebx
		mov	ecx, edi
		call	MiReturnCommit
		mov	edx, ebx
		mov	ecx, edi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_62E8C2
		lea	ecx, [edi+1000h]
		lock xadd [ecx], eax

loc_62E8C2:				; CODE XREF: MiPrefetchReleasePreallocatedPages(x,x,x,x)+48j
		and	dword ptr [esi+8], 0

loc_62E8C6:				; CODE XREF: MiPrefetchReleasePreallocatedPages(x,x,x,x)+25j
					; MiPrefetchReleasePreallocatedPages(x,x,x,x)+2Aj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_MiPrefetchReleasePreallocatedPages@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConvertPteToRotateProtection(x, x)
_MiConvertPteToRotateProtection@8 proc near ; CODE XREF: MiSwitchToTransition(x,x,x)+364p
					; MiUnmapFrameBuffer(x,x,x,x)+102p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	eax, 800h
		or	eax, 0
		jz	short loc_62E8E4
		push	4
		pop	eax
		jmp	short loc_62E8E7
; 

loc_62E8E4:				; CODE XREF: MiConvertPteToRotateProtection(x,x)+10j
		xor	eax, eax
		inc	eax

loc_62E8E7:				; CODE XREF: MiConvertPteToRotateProtection(x,x)+15j
		pop	ebp
		retn	8
_MiConvertPteToRotateProtection@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteRotateAndStopFaults(x, x, x)
_MiDeleteRotateAndStopFaults@12	proc near
					; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+2FFp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+30h+var_1C], ecx
		push	6
		pop	ecx
		lea	edi, [esp+30h+var_18]
		mov	[esp+30h+var_20], edx
		rep stosd
		mov	eax, large fs:124h
		mov	esi, offset unk_6D3C40
		mov	ebx, [eax+80h]
		lea	edi, [ebx+240h]
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		jz	short loc_62E932
		lea	esi, [edi+80h]

loc_62E932:				; CODE XREF: MiDeleteRotateAndStopFaults(x,x,x)+3Fj
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		mov	ecx, edi
		mov	esi, [ebp+arg_0]
		mov	edx, [ebx+13Ch]
		mov	[esi], edx
		mov	dl, al
		mov	[ebx+13Ch], esi
		call	MiUnlockWorkingSetExclusive
		mov	edx, [esp+30h+var_20]
		lea	eax, [esp+30h+var_18]
		mov	ecx, [esp+30h+var_1C]
		push	eax
		push	0
		call	_MiDeleteVirtualAddresses@16 ; MiDeleteVirtualAddresses(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiDeleteRotateAndStopFaults@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeSlowPte(x, x, x)
_MiInitializeSlowPte@12	proc near	; CODE XREF: MiSlowRotateCopy(x,x,x)+8Ap
					; MiSlowRotateCopy(x,x,x)+9Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		push	4
		pop	esi
		cmp	edi, ds:dword_6D07B0
		ja	short loc_62E9B6
		mov	eax, ds:dword_6D35B8
		mov	ecx, edi
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_62E9B6
		imul	edx, edi, 1Ch
		mov	ecx, esi
		add	edx, ds:_MmPfnDatabase
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		mov	esi, eax
		jmp	short loc_62E9CB
; 

loc_62E9B6:				; CODE XREF: MiInitializeSlowPte(x,x,x)+16j
					; MiInitializeSlowPte(x,x,x)+2Dj
		mov	eax, [ebp+arg_0]
		sub	eax, 0
		jz	short loc_62E9C8
		dec	eax
		sub	eax, 1
		jnz	short loc_62E9CB
		push	1Ch
		jmp	short loc_62E9CA
; 

loc_62E9C8:				; CODE XREF: MiInitializeSlowPte(x,x,x)+49j
		push	0Ch

loc_62E9CA:				; CODE XREF: MiInitializeSlowPte(x,x,x)+53j
		pop	esi

loc_62E9CB:				; CODE XREF: MiInitializeSlowPte(x,x,x)+41j
					; MiInitializeSlowPte(x,x,x)+4Fj
		or	esi, 0A0000000h
		mov	edx, edi
		push	esi
		mov	ecx, ebx
		call	MiMakeValidPte
		mov	ecx, ebx
		mov	esi, eax
		xor	edi, edi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_62EA27
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_62E9FF
		inc	edi
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	short loc_62EA27
		jmp	short loc_62EA17
; 

loc_62E9FF:				; CODE XREF: MiInitializeSlowPte(x,x,x)+7Ej
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_62EA27

loc_62EA17:				; CODE XREF: MiInitializeSlowPte(x,x,x)+8Aj
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_62EA27
		or	edx, 80000000h

loc_62EA27:				; CODE XREF: MiInitializeSlowPte(x,x,x)+75j
					; MiInitializeSlowPte(x,x,x)+88j ...
		mov	[ebx+4], edx
		nop
		mov	[ebx], esi
		test	edi, edi
		jz	short loc_62EA38
		push	edx
		push	esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_62EA38:				; CODE XREF: MiInitializeSlowPte(x,x,x)+BCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiInitializeSlowPte@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMarkMdlComplete(x, x)
_MiMarkMdlComplete@8 proc near		; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+5DFp

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [edx+24h]
		jmp	short loc_62EA53
; 

loc_62EA4B:				; CODE XREF: MiMarkMdlComplete(x,x)+16j
		test	byte ptr [eax+24h], 8
		jnz	short loc_62EA57
		mov	eax, [eax]

loc_62EA53:				; CODE XREF: MiMarkMdlComplete(x,x)+Aj
		test	eax, eax
		jnz	short loc_62EA4B

loc_62EA57:				; CODE XREF: MiMarkMdlComplete(x,x)+10j
		push	ebx
		mov	ebx, [ecx+14h]
		add	ecx, 1Ch
		shr	ebx, 0Ch
		push	edi
		mov	edi, [eax+4]
		mov	[ebp+var_8], edi
		test	ebx, ebx
		jz	short loc_62EAA9
		mov	edi, ecx
		push	esi

loc_62EA6F:				; CODE XREF: MiMarkMdlComplete(x,x)+64j
		imul	esi, [edi], 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		or	byte ptr [esi+16h], 10h
		lea	ecx, [esi+10h]
		and	byte ptr [esi+16h], 0DFh
		mov	edx, 7FFFFFFFh
		and	dword ptr [esi], 0
		lock and [ecx],	edx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	edi, [edi+4]
		sub	ebx, 1
		jnz	short loc_62EA6F
		mov	edi, [ebp+var_8]
		pop	esi

loc_62EAA9:				; CODE XREF: MiMarkMdlComplete(x,x)+2Bj
		and	dword ptr [edi+34h], 0
		cmp	dword ptr [edi+68h], 1
		mov	dword ptr [edi+30h], 0C000009Ah
		jle	short loc_62EAC7
		push	0
		push	0
		lea	eax, [edi+20h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_62EAC7:				; CODE XREF: MiMarkMdlComplete(x,x)+79j
		pop	edi
		pop	ebx
		leave
		retn
_MiMarkMdlComplete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReplaceRotateWithDemandZero(x, x,	x)
_MiReplaceRotateWithDemandZero@12 proc near
					; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+412p

var_172		= byte ptr -172h
var_171		= byte ptr -171h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= word ptr -14Ch
var_148		= dword	ptr -148h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 174h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+174h+var_4], eax
		and	[esp+174h+var_158], 0
		lea	eax, [esp+174h+var_150]
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		push	0		; int
		push	eax		; void *
		mov	edi, edx
		mov	ebx, ecx
		call	_memset
		mov	eax, large fs:124h
		mov	ecx, offset loc_7FFFF8
		shr	ebx, 9
		xor	edx, edx
		and	ebx, ecx
		shr	edi, 9
		and	edi, ecx
		mov	[esp+18Ch+var_16C], edx
		mov	eax, [eax+80h]
		sub	ebx, 40000000h
		mov	ecx, ebx
		mov	[esp+18Ch+var_168], edx
		shr	ecx, 9
		add	eax, 240h
		and	ecx, offset loc_7FFFF8
		mov	[esp+18Ch+var_150], 1
		sub	ecx, 40000000h
		mov	[esp+18Ch+var_14C], dx
		add	esp, 0Ch
		mov	[esp+180h+var_154], ecx
		sub	edi, 40000000h
		mov	[esp+180h+var_140], edx
		mov	[esp+180h+var_164], edi
		mov	ecx, eax
		mov	esi, edx
		mov	[esp+180h+var_148], 21h
		mov	[esp+180h+var_13C], edx
		mov	edi, edx
		mov	[esp+180h+var_170], eax
		call	MiLockWorkingSetShared
		mov	[esp+180h+var_171], al
		cmp	ebx, [esp+180h+var_164]
		ja	loc_62ED69

loc_62EB90:				; CODE XREF: MiReplaceRotateWithDemandZero(x,x,x)+195j
					; MiReplaceRotateWithDemandZero(x,x,x)+1BAj ...
		test	edi, edi
		jz	short loc_62EBA7
		test	ebx, 0FFFh
		jnz	short loc_62EBC5
		mov	ecx, [esp+180h+var_170]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_62EBA7:				; CODE XREF: MiReplaceRotateWithDemandZero(x,x,x)+C7j
		mov	ecx, [esp+180h+var_170]
		mov	edi, ebx
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		push	0
		mov	edx, edi
		call	MiLockPageTableInternal

loc_62EBC5:				; CODE XREF: MiReplaceRotateWithDemandZero(x,x,x)+CFj
		mov	eax, [esp+180h+var_168]
		test	eax, eax
		jnz	short loc_62EBDD
		xor	edx, edx
		mov	ecx, ebx
		push	3
		inc	edx
		call	_MiIsProbeActive@12 ; MiIsProbeActive(x,x,x)
		mov	[esp+180h+var_168], eax

loc_62EBDD:				; CODE XREF: MiReplaceRotateWithDemandZero(x,x,x)+100j
		mov	edx, [ebp+arg_0]
		lea	ecx, [esp+180h+var_158]
		push	ecx
		push	eax
		mov	ecx, ebx
		call	_MiUnmapFrameBuffer@16 ; MiUnmapFrameBuffer(x,x,x,x)
		test	eax, eax
		jz	short loc_62EBF9
		mov	[esp+180h+var_168], 1

loc_62EBF9:				; CODE XREF: MiReplaceRotateWithDemandZero(x,x,x)+124j
		mov	eax, [esp+180h+var_158]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_62EC2D
		test	esi, esi
		jz	short loc_62EC1D
		mov	ecx, [esp+esi*8+180h+var_BC]
		cmp	ecx, eax
		jnz	short loc_62EC1D
		lea	eax, [ecx+1]
		mov	[esp+esi*8+180h+var_BC], eax
		jmp	short loc_62EC2D
; 

loc_62EC1D:				; CODE XREF: MiReplaceRotateWithDemandZero(x,x,x)+139j
					; MiReplaceRotateWithDemandZero(x,x,x)+144j
		mov	[esp+esi*8+180h+var_B8], eax
		inc	eax
		mov	[esp+esi*8+180h+var_B4], eax
		inc	esi

loc_62EC2D:				; CODE XREF: MiReplaceRotateWithDemandZero(x,x,x)+135j
					; MiReplaceRotateWithDemandZero(x,x,x)+150j
		push	0
		mov	edx, ebx
		lea	ecx, [esp+184h+var_150]
		push	1
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		inc	[esp+180h+var_16C]
		add	ebx, 8
		mov	[esp+180h+var_15C], ebx
		test	ebx, 0FFFh
		jz	short loc_62EC8B
		cmp	ebx, [esp+180h+var_164]
		ja	short loc_62EC8B
		cmp	esi, 16h
		jz	short loc_62EC8B
		test	bl, 78h
		jnz	loc_62EB90
		mov	ecx, [esp+180h+var_170]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_62EC8B
		mov	edx, edi
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jnz	short loc_62EC8B
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	loc_62EB90

loc_62EC8B:				; CODE XREF: MiReplaceRotateWithDemandZero(x,x,x)+185j
					; MiReplaceRotateWithDemandZero(x,x,x)+18Bj ...
		lea	ecx, [esp+180h+var_150]
		call	MiFlushTbList
		and	[esp+180h+var_160], 0
		test	esi, esi
		jz	short loc_62ECC3
		mov	ebx, [esp+180h+var_160]

loc_62ECA1:				; CODE XREF: MiReplaceRotateWithDemandZero(x,x,x)+1F2j
		mov	edx, [esp+ebx*8+180h+var_B8]
		xor	ecx, ecx
		mov	eax, [esp+ebx*8+180h+var_B4]
		inc	ecx
		sub	eax, edx
		push	eax
		call	MiDereferenceIoPages
		inc	ebx
		cmp	ebx, esi
		jb	short loc_62ECA1
		mov	ebx, [esp+180h+var_15C]

loc_62ECC3:				; CODE XREF: MiReplaceRotateWithDemandZero(x,x,x)+1D0j
		mov	eax, [esp+180h+var_154]
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		and	[esp+180h+var_15C], 0
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	eax, ecx, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[esp+180h+var_160], eax
		lea	esi, [eax+10h]
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_62ED0D

loc_62ECF3:				; CODE XREF: MiReplaceRotateWithDemandZero(x,x,x)+235j
					; MiReplaceRotateWithDemandZero(x,x,x)+23Cj
		lea	ecx, [esp+180h+var_15C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_62ECF3
		lock bts dword ptr [esi], 1Fh
		jb	short loc_62ECF3
		mov	eax, [esp+180h+var_160]

loc_62ED0D:				; CODE XREF: MiReplaceRotateWithDemandZero(x,x,x)+226j
		mov	edx, [esp+180h+var_16C]
		mov	ecx, eax
		neg	edx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	ecx, [esp+180h+var_170]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [esp+180h+var_171]
		mov	ecx, [esp+180h+var_170]
		call	MiUnlockWorkingSetShared
		cmp	ebx, [esp+180h+var_164]
		ja	short loc_62ED69
		mov	ecx, [esp+180h+var_170]
		mov	eax, ebx
		shr	eax, 9
		xor	esi, esi
		and	[esp+180h+var_16C], esi
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		xor	edi, edi
		mov	[esp+180h+var_154], eax
		call	MiLockWorkingSetShared
		jmp	loc_62EB90
; 

loc_62ED69:				; CODE XREF: MiReplaceRotateWithDemandZero(x,x,x)+BFj
					; MiReplaceRotateWithDemandZero(x,x,x)+273j
		mov	ecx, [esp+180h+var_4]
		mov	eax, [esp+180h+var_168]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_MiReplaceRotateWithDemandZero@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRotateComplete(x)
_MiRotateComplete@4 proc near		; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+35Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+80h]
		mov	esi, offset unk_6D3C40
		mov	[ebp+var_4], ecx
		lea	ebx, [eax+240h]
		lea	edi, [eax+13Ch]
		mov	al, [ebx+60h]
		and	al, 7
		cmp	al, 2
		jz	short loc_62EDBC
		lea	esi, [ebx+80h]

loc_62EDBC:				; CODE XREF: MiRotateComplete(x)+30j
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		mov	dl, al
		mov	eax, [edi]
		mov	ecx, [ebp+var_4]
		jmp	short loc_62EDD3
; 

loc_62EDCF:				; CODE XREF: MiRotateComplete(x)+51j
		mov	edi, eax
		mov	eax, [eax]

loc_62EDD3:				; CODE XREF: MiRotateComplete(x)+49j
		cmp	eax, ecx
		jnz	short loc_62EDCF
		mov	eax, [eax]
		mov	ecx, ebx
		mov	[edi], eax
		call	MiUnlockWorkingSetExclusive
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiRotateComplete@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSlowRotateCopy(x,	x, x)
_MiSlowRotateCopy@12 proc near		; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+32Fp
					; MmRotatePhysicalView(x,x,x,x,x,x)+5D6p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [esp+28h+var_10]
		mov	esi, ecx
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		mov	edi, [edx+14h]
		add	edx, 1Ch
		shr	edi, 0Ch
		mov	[esp+28h+var_18], edi
		mov	eax, [eax+1Ch]
		mov	ebx, eax
		and	ebx, 0C00h
		mov	[esp+28h+var_1C], edx
		test	eax, 380h
		setnz	cl
		cmp	ebx, 0C00h
		setz	al
		test	cl, al
		jz	short loc_62EE3A
		push	2
		pop	ebx
		jmp	short loc_62EE47
; 

loc_62EE3A:				; CODE XREF: MiSlowRotateCopy(x,x,x)+4Cj
		sub	ebx, 400h
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 1

loc_62EE47:				; CODE XREF: MiSlowRotateCopy(x,x,x)+51j
		test	edi, edi
		jz	loc_62EEDC
		sub	esi, edx
		mov	[esp+28h+var_14], esi

loc_62EE55:				; CODE XREF: MiSlowRotateCopy(x,x,x)+EFj
		xor	ecx, ecx
		lea	edx, [esp+28h+var_10]
		inc	ecx
		call	_MiGetPteMappingPair@8 ; MiGetPteMappingPair(x,x)
		mov	esi, [esp+28h+var_4]
		mov	ecx, esi
		mov	edx, [esp+28h+var_1C]
		push	ebx
		lea	edi, [esi+8]
		mov	edx, [edx]
		call	_MiInitializeSlowPte@12	; MiInitializeSlowPte(x,x,x)
		mov	eax, [esp+28h+var_1C]
		mov	ecx, [esp+28h+var_14]
		push	ebx
		mov	edx, [ecx+eax+1Ch]
		mov	ecx, edi
		call	_MiInitializeSlowPte@12	; MiInitializeSlowPte(x,x,x)
		mov	eax, esi
		shl	eax, 9
		push	1000h		; size_t
		push	eax		; void *
		mov	eax, edi
		shl	eax, 9
		push	eax		; void *
		call	_memcpy
		mov	eax, ds:_ZeroPte
		add	esp, 0Ch
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+4], eax
		mov	eax, ds:_ZeroPte
		mov	[edi], eax
		nop
		mov	eax, ds:dword_40F9FC
		lea	ecx, [esp+28h+var_10]
		mov	[edi+4], eax
		call	_MiReturnPteMappingPair@4 ; MiReturnPteMappingPair(x)
		add	[esp+28h+var_1C], 4
		sub	[esp+28h+var_18], 1
		jnz	loc_62EE55

loc_62EEDC:				; CODE XREF: MiSlowRotateCopy(x,x,x)+62j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiSlowRotateCopy@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSwitchToTransition(x, x, x)
_MiSwitchToTransition@12 proc near	; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+585p

var_130		= dword	ptr -130h
var_128		= dword	ptr -128h
var_121		= byte ptr -121h
var_120		= dword	ptr -120h
var_119		= byte ptr -119h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 12Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+12Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+138h+var_108], ecx
		lea	edi, [esp+138h+var_AC]
		xor	esi, esi
		stosd
		mov	ebx, edx
		push	98h		; size_t
		push	esi		; int
		stosd
		stosd
		lea	eax, [esp+140h+var_A0]
		push	eax		; void *
		call	_memset
		mov	ecx, large fs:124h
		add	esp, 0Ch
		mov	[esp+138h+var_D8], esi
		mov	[esp+138h+var_D4], esi
		mov	[esp+138h+var_CC], ecx
		mov	eax, [ecx+80h]
		mov	[esp+138h+var_120], eax
		call	_MiGetEffectivePagePriorityThread@4 ; MiGetEffectivePagePriorityThread(x)
		mov	edx, [esp+138h+var_108]
		mov	ecx, ebx
		add	edx, 1Ch
		mov	[esp+138h+var_C4], eax
		mov	[esp+138h+var_DC], edx
		call	_MiGetReadyInPageBlock@4 ; MiGetReadyInPageBlock(x)
		mov	[esp+138h+var_E0], eax
		lea	edx, [esp+138h+var_AC]
		mov	eax, [esp+138h+var_108]
		push	esi
		mov	[esp+13Ch+var_FC], esi
		mov	[esp+13Ch+var_E8], esi
		mov	ecx, [eax+10h]
		mov	edi, [eax+14h]
		mov	[esp+13Ch+var_BC], ecx
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		shr	edi, 0Ch
		sub	ecx, 40000000h
		mov	[esp+13Ch+var_F8], ecx
		mov	ecx, [esp+13Ch+var_120]
		add	ecx, 240h
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		push	2
		pop	eax
		push	eax
		mov	edx, edi
		mov	[esp+13Ch+var_110], offset loc_7FFFFF
		mov	ecx, offset _MiSystemPartition
		mov	[esp+13Ch+var_128], esi
		mov	ebx, esi
		call	MiObtainFaultCharges
		or	[esp+138h+var_E4], 0FFFFFFFFh
		mov	edi, esi
		mov	[esp+138h+var_10C], eax
		test	eax, eax
		jz	loc_62F0B3

loc_62EFE1:				; CODE XREF: MiSwitchToTransition(x,x,x)+181j
		mov	ecx, [esp+138h+var_AC]
		xor	eax, eax
		inc	eax
		lock xadd [ecx], eax
		inc	eax
		mov	edx, [esp+138h+var_A8]
		dec	eax
		and	edx, eax
		mov	ecx, offset _MiSystemPartition
		or	edx, [esp+138h+var_A4]
		push	esi
		call	MiGetPage
		mov	[esp+138h+var_104], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_62F025
		mov	ecx, offset _MiSystemPartition
		test	edi, edi
		jnz	short loc_62F06E
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		jmp	short loc_62F060
; 

loc_62F025:				; CODE XREF: MiSwitchToTransition(x,x,x)+12Ej
		mov	edx, [ebp+arg_0]
		imul	ebx, eax, 1Ch
		add	ebx, ds:_MmPfnDatabase
		mov	ecx, ebx
		call	_MiPageAttributeBatchChangeNeeded@8 ; MiPageAttributeBatchChangeNeeded(x,x)
		cmp	eax, 1
		jnz	short loc_62F04B
		mov	eax, [esp+138h+var_128]
		mov	[ebx+8], eax
		mov	[ebx+0Ch], esi
		mov	[esp+138h+var_128], ebx

loc_62F04B:				; CODE XREF: MiSwitchToTransition(x,x,x)+156j
		mov	edx, [esp+138h+var_110]
		mov	ecx, ebx
		push	esi
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		mov	eax, [esp+138h+var_104]
		inc	edi
		mov	[esp+138h+var_110], eax

loc_62F060:				; CODE XREF: MiSwitchToTransition(x,x,x)+13Ej
		mov	eax, [esp+138h+var_10C]
		cmp	edi, eax
		jnz	loc_62EFE1
		jmp	short loc_62F08C
; 

loc_62F06E:				; CODE XREF: MiSwitchToTransition(x,x,x)+137j
		mov	edx, [esp+138h+var_10C]
		sub	edx, edi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_62F086
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_62F086:				; CODE XREF: MiSwitchToTransition(x,x,x)+196j
		mov	eax, edi
		mov	[esp+138h+var_10C], edi

loc_62F08C:				; CODE XREF: MiSwitchToTransition(x,x,x)+187j
		mov	edi, [esp+138h+var_128]
		test	edi, edi
		jz	short loc_62F0B3
		lea	ecx, [esp+138h+var_D8]
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		push	[esp+138h+var_D4]
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	[esp+13Ch+var_D8]
		call	MiChangePageAttributeBatch
		mov	eax, [esp+138h+var_10C]

loc_62F0B3:				; CODE XREF: MiSwitchToTransition(x,x,x)+F6j
					; MiSwitchToTransition(x,x,x)+1ADj
		mov	edi, [esp+138h+var_F8]
		mov	[esp+138h+var_100], esi
		mov	[esp+138h+var_110], esi
		lea	eax, [edi+eax*8]
		mov	[esp+138h+var_104], eax
		mov	eax, [esp+138h+var_120]
		lea	ecx, [eax+240h]
		call	MiLockWorkingSetShared
		mov	[esp+138h+var_121], al
		cmp	edi, [esp+138h+var_104]
		jnb	loc_62F3B7
		mov	eax, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[esp+138h+var_C0], eax

loc_62F0EC:				; CODE XREF: MiSwitchToTransition(x,x,x)+4AFj
		mov	eax, [esp+138h+var_100]
		mov	[esp+138h+var_C8], ebx
		test	eax, eax
		jz	short loc_62F111
		test	edi, 0FFFh
		jnz	short loc_62F141
		mov	ecx, [esp+138h+var_120]
		mov	edx, eax
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_62F111:				; CODE XREF: MiSwitchToTransition(x,x,x)+211j
		mov	ecx, [esp+138h+var_120]
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		push	esi
		mov	edx, eax
		mov	[esp+13Ch+var_100], eax
		lea	ecx, [ecx+240h]
		call	MiLockPageTableInternal
		mov	ecx, edi
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		mov	[esp+138h+var_E4], eax

loc_62F141:				; CODE XREF: MiSwitchToTransition(x,x,x)+219j
		xor	edx, edx
		mov	ecx, edi
		push	3
		inc	edx
		call	_MiIsProbeActive@12 ; MiIsProbeActive(x,x,x)
		test	eax, eax
		jnz	loc_62F39A
		mov	ecx, [edi]
		mov	[esp+138h+var_F8], esi
		mov	[esp+138h+var_128], ecx
		nop
		mov	eax, [edi+4]
		mov	[esp+138h+var_EC], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, esi
		jz	loc_62F3E4
		nop
		mov	eax, [esp+138h+var_EC]
		mov	edx, ecx
		mov	esi, ds:_MmPfnDatabase
		shrd	edx, eax, 0Ch
		push	0
		mov	eax, edx
		mov	[esp+13Ch+var_118], edx
		and	eax, 1FFFFFFh
		mov	[esp+13Ch+var_114], esi
		imul	edx, eax, 1Ch
		add	edx, esi
		pop	esi
		cmp	eax, ds:dword_6D07B0
		ja	short loc_62F206
		mov	ecx, eax
		and	eax, 1Fh
		mov	[esp+138h+var_118], eax
		mov	eax, ds:dword_6D35B8
		shr	ecx, 5
		mov	eax, [eax+ecx*4]
		mov	ecx, [esp+138h+var_118]
		shr	eax, cl
		and	eax, 1
		jz	short loc_62F202
		mov	eax, [edx+4]
		or	eax, 80000000h
		cmp	eax, edi
		jz	loc_62F3D4
		mov	eax, [edx+18h]
		xor	ecx, ecx
		inc	ecx
		test	eax, (offset loc_7FFFFF+1)
		jnz	short loc_62F1EC
		and	eax, offset loc_7FFFFF
		cmp	eax, (offset loc_7FFFFA+3)
		jnz	short loc_62F1EF

loc_62F1EC:				; CODE XREF: MiSwitchToTransition(x,x,x)+2F9j
		push	2
		pop	ecx

loc_62F1EF:				; CODE XREF: MiSwitchToTransition(x,x,x)+305j
		movzx	eax, word ptr [edx+14h]
		cmp	ax, cx
		jb	loc_62F515
		ja	loc_62F3CA

loc_62F202:				; CODE XREF: MiSwitchToTransition(x,x,x)+2DCj
		mov	ecx, [esp+138h+var_128]

loc_62F206:				; CODE XREF: MiSwitchToTransition(x,x,x)+2BDj
		lea	edx, [ebx+10h]
		mov	eax, ebx
		mov	[esp+138h+var_F8], edx
		mov	ebx, offset loc_7FFFFF
		mov	edx, [edx]
		and	edx, ebx
		mov	[esp+138h+var_118], eax
		cmp	edx, ebx
		jnz	short loc_62F228
		mov	edx, [esp+138h+var_114]
		mov	ebx, esi
		jmp	short loc_62F231
; 

loc_62F228:				; CODE XREF: MiSwitchToTransition(x,x,x)+339j
		imul	ebx, edx, 1Ch
		mov	edx, [esp+138h+var_114]
		add	ebx, edx

loc_62F231:				; CODE XREF: MiSwitchToTransition(x,x,x)+341j
		sub	eax, edx
		mov	[esp+138h+var_114], 1Ch
		cdq
		idiv	[esp+138h+var_114]
		push	[esp+138h+var_EC]
		mov	[esp+13Ch+var_114], eax
		push	ecx
		call	_MiConvertPteToRotateProtection@8 ; MiConvertPteToRotateProtection(x,x)
		mov	ecx, [ebp+arg_0]
		mov	[esp+138h+var_128], eax
		cmp	ecx, 2
		jnz	short loc_62F25F
		or	eax, 18h
		jmp	short loc_62F266
; 

loc_62F25F:				; CODE XREF: MiSwitchToTransition(x,x,x)+373j
		test	ecx, ecx
		jnz	short loc_62F26A
		or	eax, 8

loc_62F266:				; CODE XREF: MiSwitchToTransition(x,x,x)+378j
		mov	[esp+138h+var_128], eax

loc_62F26A:				; CODE XREF: MiSwitchToTransition(x,x,x)+37Cj
		mov	ecx, eax
		xor	eax, eax
		and	ecx, 1Fh
		shld	eax, ecx, 5
		shl	ecx, 5
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [esp+138h+var_118]
		mov	[esp+138h+var_B8], eax
		mov	[esp+138h+var_B4], edx
		mov	[ecx+8], eax
		mov	eax, [esp+138h+var_E8]
		mov	[ecx+0Ch], edx
		test	al, 1
		jnz	short loc_62F2C3
		mov	edx, [esp+138h+var_E0]
		mov	esi, [esp+138h+var_CC]
		or	dword ptr [edx+78h], 20h
		mov	[edx+58h], esi
		xor	esi, esi
		or	eax, 1
		mov	[edx+94h], ecx
		mov	[edx+30h], esi
		mov	[edx+34h], esi
		mov	[esp+138h+var_E8], eax

loc_62F2C3:				; CODE XREF: MiSwitchToTransition(x,x,x)+3B8j
		mov	eax, [ecx+18h]
		xor	eax, [esp+138h+var_E4]
		and	eax, offset loc_7FFFFF
		xor	[ecx+18h], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [esp+138h+var_E0]
		mov	[esp+138h+var_119], al
		mov	eax, [esp+138h+var_118]
		or	byte ptr [eax+16h], 20h
		test	ecx, ecx
		jz	short loc_62F2F0
		add	ecx, 10h
		jmp	short loc_62F2F2
; 

loc_62F2F0:				; CODE XREF: MiSwitchToTransition(x,x,x)+404j
		mov	ecx, esi

loc_62F2F2:				; CODE XREF: MiSwitchToTransition(x,x,x)+409j
		mov	edx, [esp+138h+var_C8]
		mov	[edx], ecx
		xor	edx, edx
		mov	ecx, [esp+138h+var_F8]
		inc	edx
		and	dword ptr [ecx], 0C0000000h
		mov	ecx, eax
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	ecx, [esp+138h+var_118]
		mov	al, [ecx+16h]
		and	al, 0FAh
		mov	[ecx+4], edi
		or	al, 2
		mov	[ecx+16h], al
		mov	al, [ecx+17h]
		xor	al, byte ptr [esp+138h+var_C4]
		and	al, 7
		xor	[ecx+17h], al
		mov	ecx, 7FFFFFFFh
		mov	eax, [esp+138h+var_F8]
		lock and [eax],	ecx
		mov	cl, [esp+138h+var_119]
		call	[esp+138h+var_C0]
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		inc	edx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_62F357
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_62F357:				; CODE XREF: MiSwitchToTransition(x,x,x)+467j
		mov	edx, [esp+138h+var_128]
		mov	ecx, [esp+138h+var_114]
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	[esp+138h+var_B8], eax
		mov	[esp+138h+var_B4], edx
		mov	[edi], eax
		nop
		mov	ecx, [esp+138h+var_DC]
		mov	eax, [esp+138h+var_114]
		mov	[edi+4], edx
		add	edi, 8
		mov	[ecx], eax
		add	ecx, 4
		inc	[esp+138h+var_110]
		mov	[esp+138h+var_DC], ecx
		cmp	edi, [esp+138h+var_104]
		jb	loc_62F0EC

loc_62F39A:				; CODE XREF: MiSwitchToTransition(x,x,x)+26Aj
					; MiSwitchToTransition(x,x,x)+4EDj
		mov	eax, [esp+138h+var_100]
		test	eax, eax
		jz	short loc_62F3B3
		mov	ecx, [esp+138h+var_120]
		mov	edx, eax
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_62F3B3:				; CODE XREF: MiSwitchToTransition(x,x,x)+4BBj
		mov	al, [esp+138h+var_121]

loc_62F3B7:				; CODE XREF: MiSwitchToTransition(x,x,x)+1F8j
		mov	ecx, [esp+138h+var_120]
		mov	dl, al
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetShared
		jmp	short loc_62F421
; 

loc_62F3CA:				; CODE XREF: MiSwitchToTransition(x,x,x)+317j
		mov	[esp+138h+var_FC], 1
		jmp	short loc_62F39A
; 

loc_62F3D4:				; CODE XREF: MiSwitchToTransition(x,x,x)+2E8j
		push	edx
		push	[esp+13Ch+var_128]
		push	edi
		push	41300h
		jmp	loc_62F520
; 

loc_62F3E4:				; CODE XREF: MiSwitchToTransition(x,x,x)+289j
		mov	edx, [esp+138h+var_108]
		push	edx
		push	ecx
		push	edi
		push	41200h
		jmp	loc_62F520
; 

loc_62F3F5:				; CODE XREF: MiSwitchToTransition(x,x,x)+53Ej
		mov	eax, [ebx+10h]
		mov	ecx, offset loc_7FFFFF
		and	eax, ecx
		mov	edi, ebx
		cmp	eax, ecx
		jnz	short loc_62F409
		mov	ebx, esi
		jmp	short loc_62F412
; 

loc_62F409:				; CODE XREF: MiSwitchToTransition(x,x,x)+51Ej
		imul	ebx, eax, 1Ch
		add	ebx, ds:_MmPfnDatabase

loc_62F412:				; CODE XREF: MiSwitchToTransition(x,x,x)+522j
		lea	ecx, [edi+8]
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		mov	ecx, edi
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)

loc_62F421:				; CODE XREF: MiSwitchToTransition(x,x,x)+4E3j
		test	ebx, ebx
		jnz	short loc_62F3F5
		mov	ebx, [esp+148h+var_120]
		mov	eax, [esp+2Ch]
		cmp	ebx, eax
		jz	short loc_62F458
		sub	eax, ebx
		mov	ecx, offset _MiSystemPartition
		mov	edx, eax
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_62F44C
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_62F44C:				; CODE XREF: MiSwitchToTransition(x,x,x)+55Cj
		test	ebx, ebx
		jnz	short loc_62F458
		mov	[esp+148h+var_10C], 1

loc_62F458:				; CODE XREF: MiSwitchToTransition(x,x,x)+54Aj
					; MiSwitchToTransition(x,x,x)+569j
		mov	edi, [esp+148h+var_118]
		mov	eax, ebx
		shl	eax, 0Ch
		mov	[edi+14h], eax
		test	ebx, ebx
		jz	loc_62F4FA
		mov	eax, [esp+148h+var_130]
		mov	ecx, ebx
		add	eax, 14Ch
		lock xadd [eax], ecx
		mov	edx, [esp+148h+var_CC]
		lea	ecx, [esp+148h+var_B0]
		xor	eax, eax
		mov	[esp+148h+var_B0], 1
		push	eax
		push	ebx
		and	edx, 0FFFFF000h
		mov	word ptr [esp+150h+var_AC], ax
		mov	[esp+150h+var_A0], eax
		mov	[esp+150h+var_A8], 21h
		mov	[esp+150h+var_9C], eax
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [esp+148h+var_B0]
		call	MiFlushTbList
		push	2
		pop	eax
		or	[edi+6], ax
		mov	esi, ebx
		mov	eax, [esp+148h+var_130]
		mov	[edi+8], eax
		add	eax, 150h
		lock xadd [eax], esi
		test	byte ptr ds:_MmTrackLockedPages, 1
		jz	short loc_62F4FA
		push	4
		mov	edx, ebx
		mov	ecx, edi
		call	_MiAddMdlTracker@12 ; MiAddMdlTracker(x,x,x)

loc_62F4FA:				; CODE XREF: MiSwitchToTransition(x,x,x)+581j
					; MiSwitchToTransition(x,x,x)+608j
		mov	ecx, [esp+148h+var_14]
		mov	eax, [esp+148h+var_10C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_62F515:				; CODE XREF: MiSwitchToTransition(x,x,x)+311j
		push	edx
		push	[esp+13Ch+var_128]
		push	edi
		push	41301h

loc_62F520:				; CODE XREF: MiSwitchToTransition(x,x,x)+4FAj
					; MiSwitchToTransition(x,x,x)+50Bj
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MiSwitchToTransition@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnmapFrameBuffer(x, x, x,	x)
_MiUnmapFrameBuffer@16 proc near	; CODE XREF: .text:0045888Ep
					; MiReplaceRotateWithDemandZero(x,x,x)+11Dp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ecx
		mov	[ebp+var_8], edx
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_14], eax
		or	dword ptr [ecx], 0FFFFFFFFh
		mov	ecx, [eax]
		push	edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], ecx
		nop
		mov	eax, [eax+4]
		mov	[ebp+var_C], eax
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], eax
		nop
		mov	ebx, ecx
		shrd	ebx, eax, 0Ch
		and	ebx, 1FFFFFFh
		cmp	ebx, ds:dword_6D07B0
		jbe	short loc_62F571
		mov	edi, esi
		jmp	short loc_62F588
; 

loc_62F571:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+43j
		mov	eax, ds:dword_6D35B8
		mov	edx, ebx
		shr	edx, 5
		mov	ecx, ebx
		and	ecx, 1Fh
		mov	edi, [eax+edx*4]
		shr	edi, cl
		and	edi, 1

loc_62F588:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+47j
		push	esi
		push	80h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		mov	eax, edx
		cmp	ecx, 2
		jnz	short loc_62F5A7
		or	esi, 300h
		jmp	short loc_62F5D1
; 

loc_62F5A7:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+75j
		test	ecx, ecx
		jnz	short loc_62F5B3
		or	esi, 100h
		jmp	short loc_62F5D1
; 

loc_62F5B3:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+81j
		cmp	ecx, 3
		jnz	short loc_62F5D1
		test	edi, edi
		jz	short loc_62F5C2
		xor	esi, esi
		xor	eax, eax
		jmp	short loc_62F5D1
; 

loc_62F5C2:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+92j
		mov	esi, [ebp+var_4]
		mov	eax, [ebp+var_C]
		and	esi, 0FFFFFFFEh
		or	esi, 400h

loc_62F5D1:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+7Dj
					; MiUnmapFrameBuffer(x,x,x,x)+89j ...
		imul	ecx, ebx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		test	edi, edi
		jz	short loc_62F60C
		mov	edx, [ecx+18h]
		xor	ebx, ebx
		inc	ebx
		mov	edi, ebx
		test	edx, (offset loc_7FFFFF+1)
		jnz	short loc_62F5FC
		and	edx, offset loc_7FFFFF
		cmp	edx, (offset loc_7FFFFA+3)
		jnz	short loc_62F5FF

loc_62F5FC:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+C4j
		push	2
		pop	edi

loc_62F5FF:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+D2j
		movzx	edx, word ptr [ecx+14h]
		cmp	dx, di
		jb	short loc_62F65C
		ja	short loc_62F614
		jmp	short loc_62F611
; 

loc_62F60C:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+B4j
		mov	ecx, [ebp+arg_4]
		mov	[ecx], ebx

loc_62F611:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+E2j
		mov	ebx, [ebp+arg_0]

loc_62F614:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+E0j
		cmp	[ebp+var_8], 3
		jz	short loc_62F64A
		push	[ebp+var_C]
		and	esi, 0FFFFFF1Fh
		mov	ecx, eax
		push	[ebp+var_4]
		mov	edx, esi
		call	_MiConvertPteToRotateProtection@8 ; MiConvertPteToRotateProtection(x,x)
		mov	esi, eax
		xor	eax, eax
		shld	eax, esi, 5
		xor	eax, eax
		shl	esi, 5
		or	esi, edx
		xor	esi, edx
		and	esi, 3E0h
		xor	esi, edx
		xor	eax, ecx

loc_62F64A:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+F0j
		mov	ecx, [ebp+var_14]
		mov	[ecx], esi
		nop
		pop	edi
		mov	[ecx+4], eax
		mov	eax, ebx
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_62F65C:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+DEj
		push	ecx
		push	[ebp+var_4]
		mov	ecx, [ebp+var_14]
		push	ecx
		push	41301h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall MiWaitForRotateToComplete(x, x)
_MiWaitForRotateToComplete@8:		; CODE XREF: .text:005B23A0p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		shr	ecx, 0Ch
		mov	edx, large fs:124h
		xor	esi, esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], edx
		mov	eax, [edx+80h]
		mov	[ebp+var_C], eax
		lea	ebx, [eax+240h]
		mov	eax, [eax+13Ch]
		test	eax, eax
		jz	loc_62F778

loc_62F6B0:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+247j
		mov	esi, [eax+4]
		cmp	ecx, [esi+0Ch]
		jb	loc_62F76B
		cmp	ecx, [esi+10h]
		ja	loc_62F76B
		cmp	[eax+8], edx
		jz	loc_62F775
		xor	eax, eax
		inc	eax
		mov	[ebp+var_8], eax
		test	[edi+9], al
		jnz	short loc_62F704
		mov	ecx, edi
		call	_MiUnlockFaultWorkingSet@4 ; MiUnlockFaultWorkingSet(x)
		mov	al, [ebx+60h]
		mov	esi, offset unk_6D3C40
		and	al, 7
		cmp	al, 2
		jz	short loc_62F6F4
		lea	esi, [ebx+80h]

loc_62F6F4:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+1C4j
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		or	byte ptr [edi+9], 1
		jmp	short loc_62F75A
; 

loc_62F704:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+1AFj
		lock xadd [esi+14h], eax
		jz	short loc_62F77F
		mov	dl, [edi+8]
		mov	ecx, ebx
		call	MiUnlockWorkingSetExclusive
		mov	eax, [ebp+var_4]
		dec	word ptr [eax+13Eh]
		nop
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_4]
		or	byte ptr [eax+305h], 40h
		nop
		mov	ecx, esi
		call	MiUnlockAndDereferenceVadShared
		mov	al, [ebx+60h]
		mov	esi, offset unk_6D3C40
		and	al, 7
		cmp	al, 2
		jz	short loc_62F750
		lea	esi, [ebx+80h]

loc_62F750:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+220j
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0

loc_62F75A:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+1DAj
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+var_4]
		mov	eax, [eax+13Ch]
		jmp	short loc_62F76D
; 

loc_62F76B:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+18Ej
					; MiUnmapFrameBuffer(x,x,x,x)+197j
		mov	eax, [eax]

loc_62F76D:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+241j
		test	eax, eax
		jnz	loc_62F6B0

loc_62F775:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+1A0j
		mov	esi, [ebp+var_8]

loc_62F778:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+182j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_62F77F:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+1E1j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall MiFreeVadEvents(x)
_MiFreeVadEvents@4:			; CODE XREF: MiAllocateChildVads+B4A23p
					; MiDeletePartialCloneVads(x,x)+DDp
		mov	eax, [ecx+24h]
		test	eax, eax
		jz	short locret_62F79D
		push	esi

loc_62F78C:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+272j
		mov	esi, [eax]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_62F78C
		pop	esi

locret_62F79D:				; CODE XREF: MiUnmapFrameBuffer(x,x,x,x)+261j
		retn
_MiUnmapFrameBuffer@16 endp ; sp = -68h


;  S U B	R O U T	I N E 


; __stdcall MiLocateLockedVadEvent(x, x)
_MiLocateLockedVadEvent@8 proc near	; CODE XREF: MiCopyLargeVad(x,x,x)+39p
		mov	eax, [ecx+24h]
		jmp	short loc_62F7AA
; 

loc_62F7A3:				; CODE XREF: MiLocateLockedVadEvent(x,x)+Ej
		test	[eax+24h], edx
		jnz	short locret_62F7AE
		mov	eax, [eax]

loc_62F7AA:				; CODE XREF: MiLocateLockedVadEvent(x,x)+3j
		test	eax, eax
		jnz	short loc_62F7A3

locret_62F7AE:				; CODE XREF: MiLocateLockedVadEvent(x,x)+8j
		retn
_MiLocateLockedVadEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIsAddressInDriverView(x)
_MiIsAddressInDriverView@4 proc	near	; CODE XREF: MiCompleteProtoPteFault(x,x,x,x,x,x)+8D8p

var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		lea	ecx, [ebp-1]
		mov	[ebp+var_1], bl
		call	_MmLockLoadedModuleListShared@4	; MmLockLoadedModuleListShared(x)
		mov	edx, ds:_PsLoadedModuleList
		mov	edi, offset _PsLoadedModuleList
		jmp	short loc_62F7E6
; 

loc_62F7D4:				; CODE XREF: MiIsAddressInDriverView(x)+39j
		mov	ecx, [edx+18h]
		cmp	esi, ecx
		jb	short loc_62F7E4
		mov	eax, [edx+20h]
		add	eax, ecx
		cmp	esi, eax
		jb	short loc_62F7EC

loc_62F7E4:				; CODE XREF: MiIsAddressInDriverView(x)+2Aj
		mov	edx, [edx]

loc_62F7E6:				; CODE XREF: MiIsAddressInDriverView(x)+23j
		cmp	edx, edi
		jnz	short loc_62F7D4
		jmp	short loc_62F7EF
; 

loc_62F7EC:				; CODE XREF: MiIsAddressInDriverView(x)+33j
		xor	ebx, ebx
		inc	ebx

loc_62F7EF:				; CODE XREF: MiIsAddressInDriverView(x)+3Bj
		push	offset _PsLoadedModuleSpinLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		cmp	cl, 1Bh
		jnb	short loc_62F807
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_62F807:				; CODE XREF: MiIsAddressInDriverView(x)+50j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_MiIsAddressInDriverView@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiMakeProtoReadOnly(x, x)
_MiMakeProtoReadOnly@8 proc near	; CODE XREF: .text:0045E3CFp
					; MiFinishHardFault(x,x,x,x)+5CEp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi]
		nop
		mov	dl, [edx+16h]
		xor	eax, eax
		mov	ebx, [edi+4]
		inc	eax
		shr	dl, 6
		xor	ecx, ecx
		cmp	dl, al
		jz	short loc_62F83C
		test	dl, dl
		jnz	short loc_62F832
		push	9
		jmp	short loc_62F83B
; 

loc_62F832:				; CODE XREF: MiMakeProtoReadOnly(x,x)+1Ej
		cmp	dl, 2
		jnz	short loc_62F83C
		push	19h
		xor	ecx, ecx

loc_62F83B:				; CODE XREF: MiMakeProtoReadOnly(x,x)+22j
		pop	eax

loc_62F83C:				; CODE XREF: MiMakeProtoReadOnly(x,x)+1Aj
					; MiMakeProtoReadOnly(x,x)+27j
		shld	ecx, eax, 5
		and	esi, 0FFFFFC1Fh
		shl	eax, 5
		or	ebx, ecx
		or	esi, eax
		mov	[edi], esi
		nop
		mov	[edi+4], ebx
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiMakeProtoReadOnly@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReleaseFaultPte(x)
_MiReleaseFaultPte@4 proc near		; CODE XREF: MiValidateImagePfn+175p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	esi, ecx
		stosd
		stosd
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		xor	ebx, ebx
		inc	ebx
		shl	ecx, 9
		push	ebx
		xor	edx, edx
		mov	[esi+4], eax
		call	KeFlushSingleTb
		sub	esi, ds:dword_6D34C4
		lea	edx, [ebp+var_14]
		mov	edi, offset unk_6D34CC
		sar	esi, 3
		mov	ecx, offset dword_6D34C8
		mov	[ebp+var_8], 10h
		mov	[ebp+var_4], edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, esi
		and	esi, 7
		shr	ecx, 3
		movsx	eax, byte ptr [ecx+edi]
		btr	eax, esi
		mov	[ecx+edi], al
		test	ds:byte_70EFC6,	bl
		jz	short loc_62F8D6
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_62F902
; 

loc_62F8D6:				; CODE XREF: MiReleaseFaultPte(x)+70j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_62F8F5
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_62F902
		call	KxWaitForLockChainValid

loc_62F8F5:				; CODE XREF: MiReleaseFaultPte(x)+84j
		mov	[ebp+var_14], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_62F902:				; CODE XREF: MiReleaseFaultPte(x)+7Dj
					; MiReleaseFaultPte(x)+97j
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiReleaseFaultPte@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReserveFaultPte()
_MiReserveFaultPte@0 proc near		; CODE XREF: MiValidateImagePfn:loc_8EF942p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], 10h
		lea	edi, [ebp+var_14]
		mov	[ebp+var_4], offset unk_6D34CC
		stosd
		lea	edx, [ebp+var_14]
		mov	ecx, offset dword_6D34C8
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	0
		xor	edi, edi
		lea	eax, [ebp+var_8]
		inc	edi
		push	edi
		push	eax
		call	RtlFindClearBitsAndSet
		test	ds:byte_70EFC6,	1
		mov	esi, eax
		jz	short loc_62F964
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_62F990
; 

loc_62F964:				; CODE XREF: MiReserveFaultPte()+45j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_62F983
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_62F990
		call	KxWaitForLockChainValid

loc_62F983:				; CODE XREF: MiReserveFaultPte()+59j
		mov	[ebp+var_14], 0
		add	eax, 4
		lock xor [eax],	edi

loc_62F990:				; CODE XREF: MiReserveFaultPte()+52j
					; MiReserveFaultPte()+6Cj
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_62F9A2
		xor	eax, eax
		jmp	short loc_62F9AA
; 

loc_62F9A2:				; CODE XREF: MiReserveFaultPte()+8Cj
		mov	eax, ds:dword_6D34C4
		lea	eax, [eax+esi*8]

loc_62F9AA:				; CODE XREF: MiReserveFaultPte()+90j
		pop	edi
		pop	esi
		leave
		retn
_MiReserveFaultPte@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAgeWorkingSetEPTCallback(x, x, x,	x, x)
_MiAgeWorkingSetEPTCallback@20 proc near ; DATA	XREF: MiAgeWorkingSetTail+15634Co

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+10h]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+arg_8]
		mov	esi, [eax]
		nop
		mov	ebx, [eax+4]
		mov	eax, [ebp+arg_4]
		mov	edi, [ebp+arg_10]
		mov	edx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		mov	eax, edx
		and	eax, 2
		or	eax, ecx
		jz	short loc_62F9F7
		mov	eax, esi
		and	eax, 20h
		or	eax, ecx
		jz	short loc_62F9ED
		inc	ecx

loc_62F9ED:				; CODE XREF: MiAgeWorkingSetEPTCallback(x,x,x,x,x)+3Cj
		test	byte ptr [edi],	3
		jz	short loc_62FA09
		or	ecx, 2
		jmp	short loc_62FA09
; 

loc_62F9F7:				; CODE XREF: MiAgeWorkingSetEPTCallback(x,x,x,x,x)+33j
		and	edx, 1
		or	edx, ecx
		jz	short loc_62FA09
		xor	ecx, ecx
		inc	ecx
		test	byte ptr [edi],	3
		jz	short loc_62FA09
		push	5
		pop	ecx

loc_62FA09:				; CODE XREF: MiAgeWorkingSetEPTCallback(x,x,x,x,x)+42j
					; MiAgeWorkingSetEPTCallback(x,x,x,x,x)+47j ...
		nop
		mov	edx, [ebp+arg_8]
		shrd	esi, ebx, 0Ch
		push	ecx
		mov	ecx, [ebp+arg_0]
		and	esi, 1FFFFFFh
		imul	eax, esi, 1Ch
		push	edi
		add	eax, ds:_MmPfnDatabase
		push	eax
		push	[ebp+arg_C]
		call	_MiAgePteWorker@24 ; MiAgePteWorker(x,x,x,x,x,x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	14h
_MiAgeWorkingSetEPTCallback@20 endp


;  S U B	R O U T	I N E 


; __stdcall MiEmptyAllWorkingSets(x)
_MiEmptyAllWorkingSets@4 proc near	; CODE XREF: MiMirrorBrownPhase(x)+86p
					; MmPerformMemoryListCommand+D411p
		cmp	ds:byte_6D35B0,	0
		mov	eax, [ecx+0F00h]
		jz	short locret_62FA51
		inc	dword ptr [eax+14h]
		push	4
		pop	edx
		jmp	MiQueueWorkingSetRequest
; 

locret_62FA51:				; CODE XREF: MiEmptyAllWorkingSets(x)+Dj
		retn
_MiEmptyAllWorkingSets@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiEmptyTargetedWorkingSet(x)
_MiEmptyTargetedWorkingSet@4 proc near	; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+B8p
					; MiTrimAllSystemPagableMemory(x,x):loc_63027Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		lea	eax, [esi+10h]
		mov	edx, [eax]
		xor	ebx, ebx
		test	edx, edx
		jz	loc_62FB1A
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_62FB30
		cmp	[ecx], eax
		jnz	loc_62FB30
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	[eax], ebx
		mov	al, [esi+61h]
		and	al, 0FBh
		or	al, 2
		mov	[esi+61h], al
		test	ds:byte_70EFC6,	1
		jz	short loc_62FAC4
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_62FAEF
; 

loc_62FAC4:				; CODE XREF: MiEmptyTargetedWorkingSet(x)+63j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_62FAE3
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_62FAEF
		call	KxWaitForLockChainValid

loc_62FAE3:				; CODE XREF: MiEmptyTargetedWorkingSet(x)+77j
		xor	ecx, ecx
		mov	[ebp+var_C], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_62FAEF:				; CODE XREF: MiEmptyTargetedWorkingSet(x)+70j
					; MiEmptyTargetedWorkingSet(x)+8Aj
		mov	cl, [ebp+var_4]
		call	edi
		push	0FFFFFFFFh
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		call	_MiEmptyWorkingSetInitiate@16 ;	MiEmptyWorkingSetInitiate(x,x,x,x)
		lea	edx, [ebp+var_C]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		and	byte ptr [esi+61h], 0F9h
		xor	edx, edx
		mov	ecx, esi
		call	MiReturnWsToExpansionList

loc_62FB1A:				; CODE XREF: MiEmptyTargetedWorkingSet(x)+31j
		test	ds:byte_70EFC6,	1
		jz	short loc_62FB35
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_62FB60
; 

loc_62FB30:				; CODE XREF: MiEmptyTargetedWorkingSet(x)+3Dj
					; MiEmptyTargetedWorkingSet(x)+45j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_62FB35:				; CODE XREF: MiEmptyTargetedWorkingSet(x)+CFj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_62FB54
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_62FB60
		call	KxWaitForLockChainValid

loc_62FB54:				; CODE XREF: MiEmptyTargetedWorkingSet(x)+E8j
		xor	ecx, ecx
		mov	[ebp+var_C], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_62FB60:				; CODE XREF: MiEmptyTargetedWorkingSet(x)+DCj
					; MiEmptyTargetedWorkingSet(x)+FBj
		mov	cl, [ebp+var_4]
		call	edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiEmptyTargetedWorkingSet@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetPrivatePageCount(x)
_MiGetPrivatePageCount@4 proc near	; CODE XREF: MiAllocateCrcList(x,x,x)+1Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		xor	edi, edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		add	esi, 0F04h
		mov	ecx, [esi]
		jmp	short loc_62FBA4
; 

loc_62FB97:				; CODE XREF: MiGetPrivatePageCount(x)+3Cj
		mov	eax, [ecx+34h]
		add	eax, edi
		cmp	eax, edi
		jbe	short loc_62FBA2
		mov	edi, eax

loc_62FBA2:				; CODE XREF: MiGetPrivatePageCount(x)+34j
		mov	ecx, [ecx]

loc_62FBA4:				; CODE XREF: MiGetPrivatePageCount(x)+2Bj
		cmp	ecx, esi
		jnz	short loc_62FB97
		test	ds:byte_70EFC6,	1
		jz	short loc_62FBBE
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_62FBED
; 

loc_62FBBE:				; CODE XREF: MiGetPrivatePageCount(x)+45j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_62FBDD
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_62FBED
		call	KxWaitForLockChainValid

loc_62FBDD:				; CODE XREF: MiGetPrivatePageCount(x)+59j
		xor	edx, edx
		mov	[ebp+var_C], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx

loc_62FBED:				; CODE XREF: MiGetPrivatePageCount(x)+52j
					; MiGetPrivatePageCount(x)+6Cj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
_MiGetPrivatePageCount@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiInsertVmAccessedEntry(x, x)
_MiInsertVmAccessedEntry@8 proc	near	; CODE XREF: MiAgePte(x,x,x)+279p
					; .text:0045AF30p ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		xor	eax, eax
		cmp	esi, [ecx+4]
		jnz	short loc_62FC0B
		inc	eax
		pop	esi
		retn
; 

loc_62FC0B:				; CODE XREF: MiInsertVmAccessedEntry(x,x)+Aj
		shr	edx, 0Ch
		shld	eax, edx, 0Ch
		shl	edx, 0Ch
		mov	[ecx+esi*8+0Ch], eax
		xor	eax, eax
		mov	[ecx+esi*8+8], edx
		inc	dword ptr [ecx]
		pop	esi
		retn
_MiInsertVmAccessedEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogContinueTrim(x, x)
_MiLogContinueTrim@8 proc near		; CODE XREF: MiCheckSystemTrimEndCriteria+8824Ep

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ds:dword_6D35BC
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	loc_62FD24
		cmp	dword ptr [esi], 5
		jbe	loc_62FD24
		push	0
		push	1
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_62FD24
		movzx	eax, byte ptr [edi]
		xor	edx, edx
		and	eax, 7Fh
		mov	[ebp+var_54], edx
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_58], eax
		mov	eax, [edi+34h]
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_48], eax
		mov	eax, [edi+2Ch]
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_38], eax
		mov	eax, [edi+28h]
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_98]
		push	8
		pop	ecx
		mov	[ebp+var_28], eax
		mov	eax, [ebx+0FC0h]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		push	edx
		push	edx
		push	offset loc_41CCE3
		push	esi
		mov	[ebp+var_50], 4
		mov	[ebp+var_4C], edx
		mov	[ebp+var_84], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_8C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_94], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_9C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_62FD24:				; CODE XREF: MiLogContinueTrim(x,x)+24j
					; MiLogContinueTrim(x,x)+2Dj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiLogContinueTrim@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiObtainFreePages(x)
_MiObtainFreePages@4 proc near		; CODE XREF: .text:0045F545p
					; MiRemoveLowestPriorityStandbyPage(x,x,x):loc_548ACBp	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+0F00h]
		test	edi, edi
		jz	short loc_62FDB7
		cmp	byte ptr [edi+2Ch], 1
		jz	short loc_62FDB7
		push	ebx
		mov	ebx, [esi+64h]
		mov	ecx, ebx
		call	PsReferencePartitionSafe
		test	al, al
		jz	short loc_62FD6E
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jz	short loc_62FD67
		xor	edx, edx
		inc	edx
		call	CcNotifyWriteBehindInternal

loc_62FD67:				; CODE XREF: MiObtainFreePages(x)+2Aj
		mov	ecx, ebx
		call	PsDereferencePartition

loc_62FD6E:				; CODE XREF: MiObtainFreePages(x)+23j
		mov	eax, [esi+10C0h]
		xor	ebx, ebx
		mov	ecx, [esi+1118h]
		sub	eax, ecx
		cmp	eax, 10h
		jb	short loc_62FD97
		push	ebx
		push	ebx
		lea	eax, [esi+1CCh]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [esi+1118h]

loc_62FD97:				; CODE XREF: MiObtainFreePages(x)+4Ej
		cmp	ecx, 10h
		jb	short loc_62FDA6
		or	edx, 0FFFFFFFFh
		mov	ecx, esi
		call	MiWakeModifiedPageWriter

loc_62FDA6:				; CODE XREF: MiObtainFreePages(x)+67j
		cmp	[edi+4Ah], bl
		jz	short loc_62FDB6
		push	ebx
		push	ebx
		lea	eax, [edi+48h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_62FDB6:				; CODE XREF: MiObtainFreePages(x)+76j
		pop	ebx

loc_62FDB7:				; CODE XREF: MiObtainFreePages(x)+Ej
					; MiObtainFreePages(x)+14j
		pop	edi
		pop	esi
		retn
_MiObtainFreePages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiProcessVmAccessedInfo(x, x, x, x)
_MiProcessVmAccessedInfo@16 proc near	; CODE XREF: MiAgeWorkingSetTail+156351p
					; MiTrimWorkingSetTail+F30ADp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	eax, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], edi
		mov	ecx, [eax+10h]
		mov	[ebp+var_C], ecx
		mov	eax, [edi]
		lea	esi, [edi+8]
		lea	eax, [esi+eax*8]
		cmp	esi, eax
		jnb	short loc_62FE18
		mov	edi, eax
		push	ebx

loc_62FDE3:				; CODE XREF: MiProcessVmAccessedInfo(x,x,x,x)+58j
		mov	ebx, [esi]
		mov	eax, [esi+4]
		shrd	ebx, eax, 0Ch
		shl	ebx, 0Ch
		mov	edx, ebx
		call	_MiRecheckEPTAccessedVa@8 ; MiRecheckEPTAccessedVa(x,x)
		test	eax, eax
		jz	short loc_62FE0A
		push	[ebp+arg_4]
		push	ebx
		push	eax
		push	esi
		push	[ebp+var_8]
		call	[ebp+arg_0]
		test	eax, eax
		jnz	short loc_62FE14

loc_62FE0A:				; CODE XREF: MiProcessVmAccessedInfo(x,x,x,x)+3Ej
		mov	ecx, [ebp+var_C]
		add	esi, 8
		cmp	esi, edi
		jb	short loc_62FDE3

loc_62FE14:				; CODE XREF: MiProcessVmAccessedInfo(x,x,x,x)+4Ej
		mov	edi, [ebp+var_10]
		pop	ebx

loc_62FE18:				; CODE XREF: MiProcessVmAccessedInfo(x,x,x,x)+24j
		and	dword ptr [edi], 0
		pop	edi
		pop	esi
		leave
		retn	8
_MiProcessVmAccessedInfo@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiQueryEPTAccessedState(x, x, x)
_MiQueryEPTAccessedState@12 proc near	; CODE XREF: MiAgeWorkingSetTail+156336p
					; MiTrimWorkingSetTail+F3092p ...
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	esi, [edi+1Ch]
		call	MiReleaseWalkLocks
		mov	eax, large fs:124h
		lea	edx, [ebx+8]
		push	ecx
		push	dword ptr [ebx]
		mov	ecx, [eax+80h]
		mov	ecx, [ecx+3E4h]
		call	_VmpQueryAccessedState@16 ; VmpQueryAccessedState(x,x,x,x)
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	MiReacquireWalkLocks
		test	eax, eax
		jnz	short loc_62FE61
		and	[ebx], eax

loc_62FE61:				; CODE XREF: MiQueryEPTAccessedState(x,x,x)+3Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		retn	4
_MiQueryEPTAccessedState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRecheckEPTAccessedVa(x, x)
_MiRecheckEPTAccessedVa@8 proc near	; CODE XREF: MiProcessVmAccessedInfo(x,x,x,x)+37p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		mov	esi, [edi-40000000h]
		nop
		and	esi, 1
		or	esi, 0
		jz	short loc_62FEA6
		call	_MiTryLocateWsle@8 ; MiTryLocateWsle(x,x)
		and	al, 0Fh
		cmp	al, 0Ah
		jz	short loc_62FEA6
		cmp	al, 9
		jz	short loc_62FEA6
		cmp	al, 8
		jz	short loc_62FEA6
		lea	eax, [edi-40000000h]
		jmp	short loc_62FEA8
; 

loc_62FEA6:				; CODE XREF: MiRecheckEPTAccessedVa(x,x)+21j
					; MiRecheckEPTAccessedVa(x,x)+2Cj ...
		xor	eax, eax

loc_62FEA8:				; CODE XREF: MiRecheckEPTAccessedVa(x,x)+3Cj
		pop	edi
		pop	esi
		leave
		retn
_MiRecheckEPTAccessedVa@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiResetAccessBitPteWorker(x, x, x, x, x, x)
_MiResetAccessBitPteWorker@24 proc near	; CODE XREF: MiResetAccessBitsEPTCallback(x,x,x,x,x)+63p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	[esp+14h+var_8], edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_0]
		push	edi
		mov	[esp+18h+var_4], ebx
		call	MiGetVaAge
		xor	edx, edx
		movzx	esi, al
		inc	edx
		cmp	esi, 7
		jnz	short loc_62FEEE
		mov	ecx, [ebp+arg_4]
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		cmp	eax, ds:dword_6D3158
		jnb	short loc_62FEEE
		and	[esp+18h+var_C], 0
		jmp	short loc_62FF08
; 

loc_62FEEE:				; CODE XREF: MiResetAccessBitPteWorker(x,x,x,x,x,x)+29j
					; MiResetAccessBitPteWorker(x,x,x,x,x,x)+39j
		mov	[esp+18h+var_C], edx
		test	esi, esi
		jz	short loc_62FF08
		cmp	esi, 7
		jnb	short loc_62FF08
		push	0
		push	edx
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	MiSetVaAgeList

loc_62FF08:				; CODE XREF: MiResetAccessBitPteWorker(x,x,x,x,x,x)+40j
					; MiResetAccessBitPteWorker(x,x,x,x,x,x)+48j ...
		mov	edi, [ebp+arg_C]
		xor	esi, esi
		mov	ebx, [ebp+arg_8]
		and	edi, 4
		jnz	short loc_62FF18
		mov	esi, [ebx+4]

loc_62FF18:				; CODE XREF: MiResetAccessBitPteWorker(x,x,x,x,x,x)+67j
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		mov	ecx, [esp+18h+var_4]
		test	edi, edi
		setnz	al
		push	eax
		push	dword ptr [ebx]
		push	esi
		push	[esp+24h+var_8]
		call	_MiClearPteAccessed@24 ; MiClearPteAccessed(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_62FF64
		cmp	[esp+28h+var_1C], 1
		jnz	short loc_62FF57
		test	edi, edi
		jnz	short loc_62FF57
		cmp	[ebx], edi
		jz	short loc_62FF57
		test	esi, esi
		jnz	short loc_62FF5B
		mov	edx, [esp+28h+var_18]
		mov	ecx, [esp+28h+var_14]
		call	_MiLogPageAccess@8 ; MiLogPageAccess(x,x)

loc_62FF57:				; CODE XREF: MiResetAccessBitPteWorker(x,x,x,x,x,x)+90j
					; MiResetAccessBitPteWorker(x,x,x,x,x,x)+94j ...
		test	esi, esi
		jz	short loc_62FF64

loc_62FF5B:				; CODE XREF: MiResetAccessBitPteWorker(x,x,x,x,x,x)+9Cj
		xor	edx, edx
		mov	ecx, esi
		call	_MiFlushTbListEarly@8 ;	MiFlushTbListEarly(x,x)

loc_62FF64:				; CODE XREF: MiResetAccessBitPteWorker(x,x,x,x,x,x)+89j
					; MiResetAccessBitPteWorker(x,x,x,x,x,x)+ADj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_MiResetAccessBitPteWorker@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiResetAccessBitsEPTCallback(x, x, x, x, x)
_MiResetAccessBitsEPTCallback@20 proc near ; DATA XREF:	MiResetAccessBitsTail+9113Do

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	eax, [eax+10h]
		push	edi
		mov	esi, [ebx]
		mov	[ebp+arg_0], eax
		nop
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	edi, [ebx+4]
		mov	edx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		mov	eax, edx
		and	eax, 2
		or	eax, ecx
		mov	eax, [ebp+arg_10]
		jnz	short loc_62FFB1
		and	edx, 1
		or	edx, ecx
		jz	short loc_62FFD5
		cmp	[eax+4], ecx
		jz	short loc_62FFB1
		push	4
		pop	ecx

loc_62FFB1:				; CODE XREF: MiResetAccessBitsEPTCallback(x,x,x,x,x)+33j
					; MiResetAccessBitsEPTCallback(x,x,x,x,x)+3Fj
		nop
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		shrd	esi, edi, 0Ch
		push	eax
		and	esi, 1FFFFFFh
		imul	eax, esi, 1Ch
		add	eax, ds:_MmPfnDatabase
		push	eax
		push	[ebp+arg_C]
		call	_MiResetAccessBitPteWorker@24 ;	MiResetAccessBitPteWorker(x,x,x,x,x,x)

loc_62FFD5:				; CODE XREF: MiResetAccessBitsEPTCallback(x,x,x,x,x)+3Aj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	14h
_MiResetAccessBitsEPTCallback@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSimpleAgePte(x, x, x)
_MiSimpleAgePte@12 proc	near		; DATA XREF: MiSimpleAging+FEBBDo

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	ecx, [ebx]
		mov	edi, [esi+10h]
		mov	[ebp+var_4], edi
		nop
		mov	eax, [ebx+4]

loc_630003:				; DATA XREF: .text:0042550Co
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], eax
		nop
		shrd	ecx, eax, 0Ch
		lea	eax, [ebp+var_10]
		mov	edx, ebx
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		push	eax
		xor	eax, eax
		add	ecx, ds:_MmPfnDatabase
		cmp	[ebp+arg_8], eax
		mov	[ebp+var_8], ecx
		setz	al
		push	eax
		push	ecx
		mov	ecx, edi
		call	_MiWalkVaCheckCommon@20	; MiWalkVaCheckCommon(x,x,x,x,x)
		test	eax, eax
		jz	short loc_6300B1
		mov	ecx, [ebp+var_4]
		mov	edi, ebx
		mov	esi, [esi+48h]
		shl	edi, 9
		mov	edx, edi
		call	MiGetVaAge
		xor	ecx, ecx
		test	al, al
		mov	eax, [ebp+var_10]
		setz	cl
		and	eax, 20h
		or	eax, 0
		mov	[ebp+arg_4], ecx
		jz	short loc_63009D
		mov	ecx, [esi+0C0h]

loc_630068:				; DATA XREF: .text:005A4918o
		test	ecx, ecx
		jz	short loc_630089
		cmp	edi, ds:_MmHighestUserAddress

loc_630072:				; DATA XREF: .text:005A7A28o
		ja	short loc_630089

loc_630074:				; DATA XREF: .text:004085B4o
					; .text:004085E8o
		mov	edx, edi
		call	_MiInsertVmAccessedEntry@8 ; MiInsertVmAccessedEntry(x,x)
		test	eax, eax
		jz	short loc_63009A
		push	[ebp+arg_0]
		call	_MiSimpleAgeWorkingSetTail@4 ; MiSimpleAgeWorkingSetTail(x)
		jmp	short loc_6300B3
; 

loc_630089:				; CODE XREF: MiSimpleAgePte(x,x,x)+8Cj
					; MiSimpleAgePte(x,x,x):loc_630072j
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		push	3
		push	esi
		push	[ebp+var_8]
		push	edi
		call	_MiAgePteWorker@24 ; MiAgePteWorker(x,x,x,x,x,x)

loc_63009A:				; CODE XREF: MiSimpleAgePte(x,x,x)+9Fj
		mov	ecx, [ebp+arg_4]

loc_63009D:				; CODE XREF: MiSimpleAgePte(x,x,x)+82j
		test	ecx, ecx
		jz	short loc_6300B1
		inc	dword ptr [esi+1Ch]
		mov	ecx, [esi+1Ch]
		cmp	ecx, [esi+20h]
		jb	short loc_6300B1
		push	3
		pop	eax
		jmp	short loc_6300B3
; 

loc_6300B1:				; CODE XREF: MiSimpleAgePte(x,x,x)+5Bj
					; MiSimpleAgePte(x,x,x)+C1j ...
		xor	eax, eax

loc_6300B3:				; CODE XREF: MiSimpleAgePte(x,x,x)+A9j
					; MiSimpleAgePte(x,x,x)+D1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiSimpleAgePte@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSimpleAgeWorkingSetEPTCallback(x,	x, x, x, x)
_MiSimpleAgeWorkingSetEPTCallback@20 proc near ; DATA XREF: MiSimpleAgeWorkingSetTail(x)+39o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, [eax+10h]
		push	edi
		mov	edx, [esi]
		nop
		mov	eax, [ebp+arg_4]
		mov	edi, [esi+4]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		mov	eax, ecx
		and	eax, 2
		or	eax, 0
		jz	short loc_6300EC
		push	3
		jmp	short loc_6300F6
; 

loc_6300EC:				; CODE XREF: MiSimpleAgeWorkingSetEPTCallback(x,x,x,x,x)+2Cj
		and	ecx, 1
		or	ecx, 0
		jz	short loc_63011C
		push	5

loc_6300F6:				; CODE XREF: MiSimpleAgeWorkingSetEPTCallback(x,x,x,x,x)+30j
		pop	eax
		nop
		shrd	edx, edi, 0Ch
		push	eax
		push	[ebp+arg_10]
		and	edx, 1FFFFFFh
		mov	ecx, ebx
		imul	eax, edx, 1Ch
		mov	edx, esi
		add	eax, ds:_MmPfnDatabase
		push	eax
		push	[ebp+arg_C]
		call	_MiAgePteWorker@24 ; MiAgePteWorker(x,x,x,x,x,x)

loc_63011C:				; CODE XREF: MiSimpleAgeWorkingSetEPTCallback(x,x,x,x,x)+38j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	14h
_MiSimpleAgeWorkingSetEPTCallback@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSimpleAgeWorkingSetTail(x)
_MiSimpleAgeWorkingSetTail@4 proc near	; CODE XREF: MiSimpleAgePte(x,x,x)+A4p
					; DATA XREF: MiSimpleAging+FEBC7o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, [edi+48h]

loc_630132:				; CODE XREF: MiSimpleAgeWorkingSetTail(x)+43j
		mov	ecx, [esi+24h]
		call	MiFlushTbList
		mov	edx, [esi+0C0h]
		test	edx, edx
		jz	short loc_63016A
		cmp	dword ptr [edx], 0
		jz	short loc_63016A
		push	ecx
		mov	ecx, edi
		call	_MiQueryEPTAccessedState@12 ; MiQueryEPTAccessedState(x,x,x)
		test	eax, eax
		jz	short loc_63016A
		mov	edx, [esi+0C0h]
		mov	ecx, edi
		push	esi
		push	offset _MiSimpleAgeWorkingSetEPTCallback@20 ; MiSimpleAgeWorkingSetEPTCallback(x,x,x,x,x)
		call	_MiProcessVmAccessedInfo@16 ; MiProcessVmAccessedInfo(x,x,x,x)
		jmp	short loc_630132
; 

loc_63016A:				; CODE XREF: MiSimpleAgeWorkingSetTail(x)+1Dj
					; MiSimpleAgeWorkingSetTail(x)+22j ...
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
_MiSimpleAgeWorkingSetTail@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTrimAllSystemPagableMemory(x, x)
_MiTrimAllSystemPagableMemory@8	proc near ; CODE XREF: MmTrimAllSystemPagableMemory(x)+Bp
					; MmVerifierTrimMemory()+6Bp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		mov	[ebp+var_10], edx
		push	3
		xor	esi, esi
		mov	[ebp+var_8], eax
		mov	ebx, offset unk_6D3640
		pop	edi
		mov	[ebp+var_4], edi
		test	eax, eax
		jnz	short loc_6301BA
		mov	edx, esi
		mov	ecx, ebx

loc_63019A:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+41j
		test	ecx, ecx
		jz	short loc_6301AA
		mov	eax, ds:dword_6D3558[edx*4]
		cmp	eax, [ecx+4]
		jnz	short loc_6301B5

loc_6301AA:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+2Aj
		inc	edx
		add	ecx, 100h
		cmp	edx, edi
		jb	short loc_63019A

loc_6301B5:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+36j
		cmp	edx, 6
		jz	short loc_6301C4

loc_6301BA:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+22j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		jbe	short loc_6301CB

loc_6301C4:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+46j
		xor	eax, eax
		jmp	loc_6302B2
; 

loc_6301CB:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+50j
		xor	eax, eax
		mov	[ebp+var_C], esi
		mov	edi, esi
		inc	eax
		lock xadd ds:dword_6D3544, eax
		inc	eax
		cmp	eax, 1
		jg	loc_63029C
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	loc_63029C
		mov	edi, large fs:124h
		mov	[ebp+var_C], 1
		dec	word ptr [edi+13Eh]
		nop
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_630250
		mov	ecx, offset dword_6D3558
		push	3
		mov	[ebp+var_8], ecx
		pop	eax

loc_63021A:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+DAj
		test	ebx, ebx
		jz	short loc_63023A
		mov	eax, [ecx]
		cmp	eax, [ebx+4]
		jz	short loc_630237
		xor	esi, esi
		mov	ecx, ebx
		inc	esi
		call	_MiEmptyTargetedWorkingSet@4 ; MiEmptyTargetedWorkingSet(x)
		mov	ecx, [ebp+var_8]
		mov	eax, [ebx+4]
		mov	[ecx], eax

loc_630237:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+B1j
		mov	eax, [ebp+var_4]

loc_63023A:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+AAj
		add	ecx, 4
		add	ebx, 100h
		sub	eax, 1
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], eax
		jnz	short loc_63021A
		jmp	short loc_630284
; 

loc_630250:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+9Bj
		cmp	eax, 1
		jnz	short loc_630263
		mov	ecx, [edi+80h]
		add	ecx, 240h
		jmp	short loc_63027C
; 

loc_630263:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+E1j
		mov	eax, [edi+80h]
		test	dword ptr [eax+0FCh], 10000h
		jz	short loc_630284
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		mov	ecx, eax

loc_63027C:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+EFj
		call	_MiEmptyTargetedWorkingSet@4 ; MiEmptyTargetedWorkingSet(x)
		xor	esi, esi
		inc	esi

loc_630284:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+DCj
					; MiTrimAllSystemPagableMemory(x,x)+101j
		cmp	[ebp+var_10], 1
		jnz	short loc_63029C
		cmp	esi, 1
		jnz	short loc_63029C
		push	8
		pop	edx
		mov	ecx, offset _MiSystemPartition
		call	MiPurgePartitionStandby

loc_63029C:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+6Dj
					; MiTrimAllSystemPagableMemory(x,x)+7Aj ...
		lock dec ds:dword_6D3544
		cmp	[ebp+var_C], 1
		jnz	short loc_6302B0
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_6302B0:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+135j
		mov	eax, esi

loc_6302B2:				; CODE XREF: MiTrimAllSystemPagableMemory(x,x)+54j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiTrimAllSystemPagableMemory@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTrimPteWorker(x, x, x, x,	x, x, x)
_MiTrimPteWorker@28 proc near		; CODE XREF: MiTrimWorkingSetEPTCallback(x,x,x,x,x)+7Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	eax, ecx
		push	edi
		push	[ebp+arg_10]
		mov	[esp+1Ch+var_8], edx
		push	[ebp+arg_C]
		mov	ebx, [eax+10h]
		mov	ecx, ebx
		mov	edx, [ebp+arg_0]
		push	esi
		push	[ebp+arg_4]
		mov	[esp+28h+var_4], eax
		call	_MiTrimThisWsle@24 ; MiTrimThisWsle(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_630337
		mov	edx, [ebp+arg_0]
		lea	ecx, [esi+1Ch]
		push	0
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		test	byte ptr [esi],	10h
		jz	short loc_63030C
		mov	edx, [esp+28h+var_18]
		mov	ecx, ebx
		call	MI_WSLE_LOG_ACCESS

loc_63030C:				; CODE XREF: MiTrimPteWorker(x,x,x,x,x,x,x)+48j
		inc	dword ptr [esi+8]
		mov	eax, [esi+8]
		cmp	eax, [esi+4]
		jz	short loc_63031F
		mov	eax, [esi+28h]
		cmp	eax, [esi+24h]
		jnz	short loc_630337

loc_63031F:				; CODE XREF: MiTrimPteWorker(x,x,x,x,x,x,x)+5Ej
		mov	ecx, [esp+28h+var_14]
		mov	edx, esi
		call	MiTrimWorkingSetBuildup
		mov	ecx, [esi+8]
		cmp	ecx, [esi+4]
		jnz	short loc_630337
		xor	eax, eax
		inc	eax
		jmp	short loc_630339
; 

loc_630337:				; CODE XREF: MiTrimPteWorker(x,x,x,x,x,x,x)+34j
					; MiTrimPteWorker(x,x,x,x,x,x,x)+66j ...
		xor	eax, eax

loc_630339:				; CODE XREF: MiTrimPteWorker(x,x,x,x,x,x,x)+7Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_MiTrimPteWorker@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTrimWorkingSetEPTCallback(x, x, x, x, x)
_MiTrimWorkingSetEPTCallback@20	proc near ; DATA XREF: MiTrimWorkingSetTail+F30A8o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, [ebp+arg_10]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, [edi+10h]
		call	_MiTrimmedEnough@8 ; MiTrimmedEnough(x,x)
		test	eax, eax
		jz	short loc_630361
		xor	eax, eax
		inc	eax
		jmp	short loc_6303C4
; 

loc_630361:				; CODE XREF: MiTrimWorkingSetEPTCallback(x,x,x,x,x)+18j
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebx]
		nop
		mov	eax, [ebx+4]
		xor	edx, edx
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		mov	eax, ecx
		and	eax, 2
		or	eax, edx
		jz	short loc_63038E
		mov	eax, esi
		and	eax, 20h
		or	eax, edx
		jmp	short loc_630393
; 

loc_63038E:				; CODE XREF: MiTrimWorkingSetEPTCallback(x,x,x,x,x)+41j
		and	ecx, 1
		or	ecx, edx

loc_630393:				; CODE XREF: MiTrimWorkingSetEPTCallback(x,x,x,x,x)+4Aj
		jz	short loc_630398
		xor	edx, edx
		inc	edx

loc_630398:				; CODE XREF: MiTrimWorkingSetEPTCallback(x,x,x,x,x):loc_630393j
		nop
		mov	eax, [ebp+arg_0]
		mov	ecx, edi
		shrd	esi, eax, 0Ch
		push	0
		and	esi, 1FFFFFFh
		imul	eax, esi, 1Ch
		push	edx
		push	[ebp+arg_10]
		mov	edx, ebx
		add	eax, ds:_MmPfnDatabase
		push	eax
		push	[ebp+arg_C]
		call	_MiTrimPteWorker@28 ; MiTrimPteWorker(x,x,x,x,x,x,x)
		pop	esi
		pop	ebx

loc_6303C4:				; CODE XREF: MiTrimWorkingSetEPTCallback(x,x,x,x,x)+1Dj
		pop	edi
		leave
		retn	14h
_MiTrimWorkingSetEPTCallback@20	endp


;  S U B	R O U T	I N E 


; __stdcall MiTrimmedEnough(x, x)
_MiTrimmedEnough@8 proc	near		; CODE XREF: MiTrimWorkingSetTail+F30BBp
					; MiTrimWorkingSetEPTCallback(x,x,x,x,x)+11p
		mov	edi, edi
		push	esi
		mov	esi, [edx+8]
		push	edi
		mov	edi, [edx+4]
		cmp	esi, edi
		jz	short loc_6303FD
		mov	eax, [edx]
		test	eax, 400h
		jz	short loc_6303F9
		test	eax, 800h
		jz	short loc_6303EF
		cmp	esi, 100h
		jnb	short loc_6303FD

loc_6303EF:				; CODE XREF: MiTrimmedEnough(x,x)+1Cj
		mov	eax, [edx+18h]
		sub	eax, edi
		cmp	[ecx+48h], eax
		jbe	short loc_6303FD

loc_6303F9:				; CODE XREF: MiTrimmedEnough(x,x)+15j
		xor	eax, eax
		jmp	short loc_630400
; 

loc_6303FD:				; CODE XREF: MiTrimmedEnough(x,x)+Cj
					; MiTrimmedEnough(x,x)+24j ...
		xor	eax, eax
		inc	eax

loc_630400:				; CODE XREF: MiTrimmedEnough(x,x)+32j
		pop	edi
		pop	esi
		retn
_MiTrimmedEnough@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateOldPagesEPTCallback(x, x, x, x, x)
_MiUpdateOldPagesEPTCallback@20	proc near ; DATA XREF: MiUpdateOldWorkingSetPagesTail+95A08o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ebx, [eax+10h]
		mov	edx, [edi]
		nop
		mov	eax, [ebp+arg_4]
		mov	esi, [edi+4]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		mov	eax, ecx
		and	eax, 2
		or	eax, 0
		jz	short loc_63043B
		mov	eax, edx
		and	eax, 20h
		or	eax, 0
		jmp	short loc_630441
; 

loc_63043B:				; CODE XREF: MiUpdateOldPagesEPTCallback(x,x,x,x,x)+2Cj
		and	ecx, 1
		or	ecx, 0

loc_630441:				; CODE XREF: MiUpdateOldPagesEPTCallback(x,x,x,x,x)+36j
		jnz	short loc_630464
		nop
		push	[ebp+arg_10]
		shrd	edx, esi, 0Ch
		mov	ecx, ebx
		and	edx, 1FFFFFFh
		imul	eax, edx, 1Ch
		mov	edx, edi
		add	eax, ds:_MmPfnDatabase
		push	eax
		call	MiUpdateOldPteWorker

loc_630464:				; CODE XREF: MiUpdateOldPagesEPTCallback(x,x,x,x,x):loc_630441j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	14h
_MiUpdateOldPagesEPTCallback@20	endp


;  S U B	R O U T	I N E 


; __stdcall MmEmptyAllWorkingSets()
_MmEmptyAllWorkingSets@0 proc near	; CODE XREF: PopTransitionToSleep:loc_729929p
					; PopTransitionToSleep:loc_729951p ...
		mov	edi, edi
		push	esi
		xor	ecx, ecx
		jmp	short loc_630492
; 

loc_630474:				; CODE XREF: MmEmptyAllWorkingSets()+2Ej
		cmp	ds:byte_6D35B0,	0
		mov	ecx, [esi]
		mov	eax, [ecx+0F00h]
		jz	short loc_630490
		inc	dword ptr [eax+14h]
		push	4
		pop	edx
		call	MiQueueWorkingSetRequest

loc_630490:				; CODE XREF: MmEmptyAllWorkingSets()+16j
		mov	ecx, esi

loc_630492:				; CODE XREF: MmEmptyAllWorkingSets()+5j
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_630474
		pop	esi
		retn
_MmEmptyAllWorkingSets@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmQuerySessionWorkingSetInformation(x, x)
_MmQuerySessionWorkingSetInformation@8 proc near
					; CODE XREF: EtwpLogSessionWorkingSetInfo(x)+53p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_C], edx
		stosd
		mov	ebx, ecx
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		imul	eax, [edx], 14h
		xor	edi, edi
		lea	edx, [ebp+var_18]
		add	eax, ebx
		mov	[ebp+var_4], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, ds:dword_6D35C0
		cmp	esi, offset dword_6D35C0
		jz	short loc_63050B
		mov	eax, [ebp+var_4]

loc_6304E3:				; CODE XREF: MmQuerySessionWorkingSetInformation(x,x)+6Aj
		lea	edx, [esi-50h]
		cmp	ebx, eax
		jnz	short loc_6304F3
		mov	[ebp+var_8], 0C0000004h
		jmp	short loc_630500
; 

loc_6304F3:				; CODE XREF: MmQuerySessionWorkingSetInformation(x,x)+49j
		mov	ecx, ebx
		call	_MiFillSessionWorkingSetEntry@8	; MiFillSessionWorkingSetEntry(x,x)
		mov	eax, [ebp+var_4]
		add	ebx, 14h

loc_630500:				; CODE XREF: MmQuerySessionWorkingSetInformation(x,x)+52j
		mov	esi, [esi]
		inc	edi
		cmp	esi, offset dword_6D35C0
		jnz	short loc_6304E3

loc_63050B:				; CODE XREF: MmQuerySessionWorkingSetInformation(x,x)+3Fj
		test	ds:byte_70EFC6,	1
		jz	short loc_630521
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_630550
; 

loc_630521:				; CODE XREF: MmQuerySessionWorkingSetInformation(x,x)+73j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_630540
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	short loc_630550
		call	KxWaitForLockChainValid

loc_630540:				; CODE XREF: MmQuerySessionWorkingSetInformation(x,x)+87j
		xor	edx, edx
		mov	[ebp+var_18], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx

loc_630550:				; CODE XREF: MmQuerySessionWorkingSetInformation(x,x)+80j
					; MmQuerySessionWorkingSetInformation(x,x)+9Aj
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_C]
		mov	[eax], edi
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MmQuerySessionWorkingSetInformation@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1475. MmTrimAllSystemPagableMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmTrimAllSystemPagableMemory(x)
		public _MmTrimAllSystemPagableMemory@4
_MmTrimAllSystemPagableMemory@4	proc near ; CODE XREF: MmShutdownSystem(x)+35p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		call	_MiTrimAllSystemPagableMemory@8	; MiTrimAllSystemPagableMemory(x,x)
		pop	ecx
		pop	ebp
		retn	4
_MmTrimAllSystemPagableMemory@4	endp


;  S U B	R O U T	I N E 


; __stdcall MmTrimFilePagesFromWorkingSets()
_MmTrimFilePagesFromWorkingSets@0 proc near ; CODE XREF: PopTransitionToSleep:loc_729934p
		cmp	ds:byte_6D35B0,	0
		jz	short locret_6305A8
		push	esi
		xor	ecx, ecx
		jmp	short loc_63059C
; 

loc_63058E:				; CODE XREF: MmTrimFilePagesFromWorkingSets()+25j
		mov	ecx, [esi]
		mov	edx, 100h
		call	MiQueueWorkingSetRequest
		mov	ecx, esi

loc_63059C:				; CODE XREF: MmTrimFilePagesFromWorkingSets()+Cj
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_63058E
		pop	esi

locret_6305A8:				; CODE XREF: MmTrimFilePagesFromWorkingSets()+7j
		retn
_MmTrimFilePagesFromWorkingSets@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDecommitLargePte(x, x, x,	x, x, x)
_MiDecommitLargePte@24 proc near	; CODE XREF: .text:004762BDp
					; .text:0047669Dp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		mov	esi, [ecx+1Ch]
		shr	esi, 12h
		and	esi, 3
		push	edi
		mov	edi, edx
		xor	edx, edx
		mov	[ebp+var_14], edx
		mov	eax, ds:_MiVadPageSizes[esi*4]
		mov	[ebp+var_24], eax
		call	_MiGetVadPtesInCluster@4 ; MiGetVadPtesInCluster(x)
		mov	[ebp+var_4], eax
		mov	ebx, edx
		mov	eax, ds:_MiVadPageIndices[esi*4]
		test	eax, eax
		jnz	short loc_6305E6
		inc	ebx
		sub	ebx, eax

loc_6305E6:				; CODE XREF: MiDecommitLargePte(x,x,x,x,x,x)+38j
		mov	esi, [edi]
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx
		nop
		mov	ecx, [edi+4]
		mov	edx, esi
		and	edx, 1
		mov	[ebp+var_30], esi
		mov	eax, edx
		mov	[ebp+var_2C], ecx
		or	eax, 0
		mov	[ebp+var_8], edx
		jz	short loc_630614
		nop
		shrd	esi, ecx, 0Ch
		and	esi, 1FFFFFFh
		jmp	short loc_63065D
; 

loc_630614:				; CODE XREF: MiDecommitLargePte(x,x,x,x,x,x)+5Cj
		mov	eax, ds:dword_6D0700
		mov	edx, ds:dword_6D0704
		mov	[ebp+var_18], eax
		or	eax, edx
		mov	[ebp+var_1C], edx
		mov	edx, [ebp+var_8]
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], ecx
		jz	short loc_630653
		mov	ecx, esi
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_630650
		mov	esi, [ebp+var_18]
		mov	ecx, [ebp+var_1C]
		not	esi
		and	esi, [ebp+var_C]
		not	ecx
		and	ecx, [ebp+var_10]
		jmp	short loc_630653
; 

loc_630650:				; CODE XREF: MiDecommitLargePte(x,x,x,x,x,x)+93j
		mov	ecx, [ebp+var_10]

loc_630653:				; CODE XREF: MiDecommitLargePte(x,x,x,x,x,x)+87j
					; MiDecommitLargePte(x,x,x,x,x,x)+A5j
		shrd	esi, ecx, 0Ch
		and	esi, 3FFFFFFh

loc_63065D:				; CODE XREF: MiDecommitLargePte(x,x,x,x,x,x)+69j
		mov	ecx, [ebp+arg_8]
		xor	eax, eax
		cmp	[ebp+var_4], eax
		jbe	short loc_63067B
		mov	edx, [ebp+arg_C]

loc_63066A:				; CODE XREF: MiDecommitLargePte(x,x,x,x,x,x)+CDj
		mov	[edi+eax*8], ecx
		nop
		mov	[edi+eax*8+4], edx
		inc	eax
		cmp	eax, [ebp+var_4]
		jb	short loc_63066A
		mov	edx, [ebp+var_8]

loc_63067B:				; CODE XREF: MiDecommitLargePte(x,x,x,x,x,x)+BCj
		or	ecx, [ebp+arg_C]
		jnz	short loc_630695
		cmp	ebx, 1
		jz	short loc_630695
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		call	_MiReducePteUseCount@8 ; MiReducePteUseCount(x,x)
		mov	edx, [ebp+var_8]
		mov	[ebp+var_14], eax

loc_630695:				; CODE XREF: MiDecommitLargePte(x,x,x,x,x,x)+D5j
					; MiDecommitLargePte(x,x,x,x,x,x)+DAj
		or	edx, 0
		jz	short loc_6306CE
		mov	eax, 0C0000000h
		mov	edx, edi
		cmp	edi, eax
		jb	short loc_6306B4

loc_6306A5:				; CODE XREF: MiDecommitLargePte(x,x,x,x,x,x)+109j
		cmp	edx, 0C07FFFFFh
		ja	short loc_6306B4
		shl	edx, 9
		cmp	edx, eax
		jnb	short loc_6306A5

loc_6306B4:				; CODE XREF: MiDecommitLargePte(x,x,x,x,x,x)+FAj
					; MiDecommitLargePte(x,x,x,x,x,x)+102j
		mov	ecx, [ebp+arg_4]
		test	ebx, ebx
		jnz	short loc_6306C6
		push	ebx
		push	[ebp+var_24]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	short loc_6306CE
; 

loc_6306C6:				; CODE XREF: MiDecommitLargePte(x,x,x,x,x,x)+110j
		push	edi
		mov	edx, ebx
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)

loc_6306CE:				; CODE XREF: MiDecommitLargePte(x,x,x,x,x,x)+EFj
					; MiDecommitLargePte(x,x,x,x,x,x)+11Bj
		mov	edi, [ebp+arg_0]
		imul	esi, 1Ch
		mov	edi, [edi+14h]
		add	esi, ds:_MmPfnDatabase
		and	[ebp+var_1C], 0
		lea	ebx, [esi+10h]
		jmp	short loc_6306F4
; 

loc_6306E6:				; CODE XREF: MiDecommitLargePte(x,x,x,x,x,x)+149j
					; MiDecommitLargePte(x,x,x,x,x,x)+150j
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_6306E6

loc_6306F4:				; CODE XREF: MiDecommitLargePte(x,x,x,x,x,x)+13Bj
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_6306E6
		mov	cl, [esi+16h]
		mov	al, cl
		shr	edi, 2
		and	al, 0FDh
		or	al, 5
		mov	[esi+16h], al
		xor	edi, [esi]
		mov	eax, [ebp+arg_0]
		and	edi, 1FFFFFFEh
		xor	edi, [esi]
		mov	[esi], edi
		mov	[eax+14h], esi
		mov	al, [esi+16h]
		xor	al, cl
		and	al, 7
		xor	al, [esi+16h]
		mov	[esi+16h], al
		mov	eax, 7FFFFFFFh
		lock and [ebx],	eax
		mov	eax, [ebp+var_14]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiDecommitLargePte@24 endp


;  S U B	R O U T	I N E 


; __stdcall MiSubsectionNeedsExtents(x)
_MiSubsectionNeedsExtents@4 proc near	; CODE XREF: MmExtendSection+130FEEp
					; MiExtendSection+130C6Fp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi]
		add	esi, 24h
		push	esi
		call	ExAcquireSpinLockExclusive
		or	dword ptr [edi+24h], 40000000h
		mov	bl, al
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiSubsectionNeedsExtents@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateActiveSubsection(x)
_MiUpdateActiveSubsection@4 proc near	; CODE XREF: MmExtendSection:loc_8EE5B6p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edi
		mov	ebx, [esi]
		add	ebx, 24h
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al

loc_630787:				; CODE XREF: MiUpdateActiveSubsection(x)+BDj
		cmp	[esi+4], edi
		jz	loc_63081F
		test	dword ptr [esi+24h], 40000000h
		jz	loc_63081F
		mov	ecx, esi
		call	_MiReferenceSubsection@8 ; MiReferenceSubsection(x,x)
		push	ebx
		cmp	eax, 2
		jl	loc_630843
		mov	eax, [esi+24h]
		mov	ecx, [esi+1Ch]
		and	eax, 3FFFFFFFh
		sub	ecx, eax
		mov	[ebp+var_C], ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	edi
		push	[ebp+var_C]
		xor	edx, edx
		mov	ecx, esi
		push	dword ptr [esi+4]
		call	_MiAllocateFileExtents@20 ; MiAllocateFileExtents(x,x,x,x,x)
		push	ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], edi
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al
		cmp	[ebp+var_8], edi
		jl	short loc_63080A
		mov	ecx, [esi+24h]
		mov	eax, [esi+1Ch]
		and	ecx, 3FFFFFFFh
		sub	eax, ecx
		cmp	[ebp+var_C], eax
		jz	short loc_63080A
		mov	[ebp+var_10], 1

loc_63080A:				; CODE XREF: MiUpdateActiveSubsection(x)+87j
					; MiUpdateActiveSubsection(x)+9Aj
		push	ecx
		mov	edx, esi
		mov	ecx, esi
		call	_MiDecrementSubsections@12 ; MiDecrementSubsections(x,x,x)
		cmp	[ebp+var_10], 1
		jz	short loc_630822
		cmp	[ebp+var_8], edi
		jl	short loc_63082A

loc_63081F:				; CODE XREF: MiUpdateActiveSubsection(x)+23j
					; MiUpdateActiveSubsection(x)+30j
		mov	esi, [esi+8]

loc_630822:				; CODE XREF: MiUpdateActiveSubsection(x)+B1j
		test	esi, esi
		jnz	loc_630787

loc_63082A:				; CODE XREF: MiUpdateActiveSubsection(x)+B6j
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	edi, [ebp+var_8]

loc_630833:				; CODE XREF: MiUpdateActiveSubsection(x)+E1j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_630843:				; CODE XREF: MiUpdateActiveSubsection(x)+41j
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		jmp	short loc_630833
_MiUpdateActiveSubsection@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFlushComplete(x, x, x)
_MiFlushComplete@12 proc near		; CODE XREF: MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)+8Cp
					; DATA XREF: MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)+5Do

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, [edi+28h]
		movzx	eax, word ptr [esi+6]
		mov	edx, eax
		test	eax, 200h
		jz	short loc_630870
		mov	ecx, esi
		call	_MiRetardMdl@4	; MiRetardMdl(x)
		movzx	edx, word ptr [esi+6]

loc_630870:				; CODE XREF: MiFlushComplete(x,x,x)+19j
		mov	ecx, [esi+18h]
		lea	ebx, [esi+1Ch]
		add	ecx, [esi+10h]
		mov	eax, [esi+14h]
		and	ecx, 0FFFh
		add	eax, 0FFFh
		add	eax, ecx
		shr	eax, 0Ch
		lea	eax, [ebx+eax*4]
		mov	[ebp+arg_0], eax
		test	dl, 1
		jz	short loc_6308A3
		push	esi
		push	dword ptr [esi+0Ch]
		call	MmUnmapLockedPages
		mov	eax, [ebp+arg_0]

loc_6308A3:				; CODE XREF: MiFlushComplete(x,x,x)+4Bj
		mov	ebx, [ebp+arg_4]
		lea	ecx, [esi+1Ch]
		push	ebx
		mov	edx, eax
		call	MiUnlockMdlWritePages
		cmp	dword ptr [ebx], 0
		jge	short loc_6308BA
		and	dword ptr [ebx+4], 0

loc_6308BA:				; CODE XREF: MiFlushComplete(x,x,x)+6Aj
		mov	ecx, [edi+10h]
		xor	edx, edx
		call	_MiDecrementModifiedWriteCount@8 ; MiDecrementModifiedWriteCount(x,x)
		test	eax, eax
		jz	short loc_6308CF
		mov	ecx, eax
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)

loc_6308CF:				; CODE XREF: MiFlushComplete(x,x,x)+7Cj
		lea	eax, [edi+2Ch]
		cmp	esi, eax
		jz	short loc_6308E4
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [edi+2Ch]
		mov	[edi+28h], eax

loc_6308E4:				; CODE XREF: MiFlushComplete(x,x,x)+8Aj
		xor	eax, eax
		push	eax
		push	eax
		mov	[edi+8], eax
		lea	eax, [edi+18h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [edi+14h]
		test	ecx, ecx
		jz	short loc_630913
		mov	eax, [ebx]
		test	eax, eax
		jns	short loc_630904
		mov	[ecx+0Ch], eax

loc_630904:				; CODE XREF: MiFlushComplete(x,x,x)+B5j
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+8], eax
		jnz	short loc_630913
		call	_MiFreeOverlappedFlushEntry@4 ;	MiFreeOverlappedFlushEntry(x)

loc_630913:				; CODE XREF: MiFlushComplete(x,x,x)+AFj
					; MiFlushComplete(x,x,x)+C2j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_MiFlushComplete@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiFreeOverlappedFlushEntry(x)
_MiFreeOverlappedFlushEntry@4 proc near	; CODE XREF: MiFlushComplete(x,x,x)+C4p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [esi]
		mov	edx, ecx
		push	dword ptr [esi+4]
		mov	edi, [esi+14h]
		mov	ecx, [ecx]
		call	_MiFlushRelease@12 ; MiFlushRelease(x,x,x)
		mov	eax, [esi+18h]
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_630942
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_630942:				; CODE XREF: MiFreeOverlappedFlushEntry(x)+1Fj
		mov	ecx, [esi+10h]
		mov	eax, [esi+0Ch]
		mov	[ecx], eax
		cmp	[esi+0Ch], ebx
		jge	short loc_630955
		mov	eax, [esi+10h]
		mov	[eax+4], ebx

loc_630955:				; CODE XREF: MiFreeOverlappedFlushEntry(x)+33j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	ebx
		push	edi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiFreeOverlappedFlushEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIssueAsynchronousFlush(x,	x, x, x, x, x, x, x, x)
_MiIssueAsynchronousFlush@36 proc near	; CODE XREF: MiFlushSectionInternal+14F556p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_4], ecx
		xor	edi, edi
		push	edi
		push	edi
		lea	eax, [esi+18h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, [esi+28h]
		mov	[esi], edi
		mov	[esi+4], edi
		mov	edi, [ebp+arg_4]
		mov	eax, [ecx+14h]
		shr	eax, 0Ch
		add	eax, 7
		mov	[ebp+var_8], ecx
		lea	eax, [ecx+eax*4]
		mov	[esi+8], eax
		test	edi, edi
		jz	short loc_6309AC
		lock inc dword ptr [edi+8]

loc_6309AC:				; CODE XREF: MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)+3Ej
		lea	eax, [esi+0Ch]
		mov	edx, ecx
		mov	ecx, [ebp+var_4]
		push	eax
		push	esi
		push	[ebp+arg_18]
		lea	eax, [ebp+arg_8]
		push	[ebp+arg_10]
		push	0
		push	[ebp+arg_14]
		push	esi
		push	offset _MiFlushComplete@12 ; MiFlushComplete(x,x,x)
		push	eax
		call	IoAsynchronousPageWrite
		mov	edx, 0C0000000h
		mov	[ebp+arg_0], eax
		mov	ecx, eax
		and	ecx, edx
		cmp	ecx, edx
		mov	cl, 1
		jnz	short loc_630A16
		and	dword ptr [esi+4], 0
		mov	[esi], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	0
		push	esi
		push	esi
		mov	bl, al
		call	_MiFlushComplete@12 ; MiFlushComplete(x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_630A0B
		mov	eax, [ebp+arg_0]
		mov	[edi+0Ch], eax

loc_630A0B:				; CODE XREF: MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)+9Bj
		mov	eax, [ebp+var_8]

loc_630A0E:				; CODE XREF: MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)+118j
		and	dword ptr [eax+14h], 0
		xor	eax, eax
		jmp	short loc_630A8C
; 

loc_630A16:				; CODE XREF: MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)+78j
		xor	edi, edi

loc_630A18:				; CODE XREF: MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)+113j
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		lea	ecx, [ebx+460h]

loc_630A24:				; CODE XREF: MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)+D8j
		add	esi, 8Ch
		cmp	esi, ecx
		jb	short loc_630A30
		mov	esi, ebx

loc_630A30:				; CODE XREF: MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)+C4j
		cmp	dword ptr [esi+8], 0
		jz	short loc_630A82
		cmp	dword ptr [esi+1Ch], 1
		jz	short loc_630A82
		inc	edi
		cmp	edi, 8
		jnz	short loc_630A24
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [ebx+480h]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	13h
		push	1
		lea	eax, [ebx+460h]
		push	eax
		push	edi
		call	KeWaitForMultipleObjects
		mov	esi, ebx

loc_630A69:				; CODE XREF: MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)+10Fj
		cmp	dword ptr [esi], 0
		jl	short loc_630A7D
		add	esi, 8Ch
		sub	edi, 1
		jnz	short loc_630A69
		mov	cl, 1
		jmp	short loc_630A18
; 

loc_630A7D:				; CODE XREF: MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)+104j
		mov	eax, [esi+28h]
		jmp	short loc_630A0E
; 

loc_630A82:				; CODE XREF: MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)+CCj
					; MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)+D2j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi

loc_630A8C:				; CODE XREF: MiIssueAsynchronousFlush(x,x,x,x,x,x,x,x,x)+ACj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_MiIssueAsynchronousFlush@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWaitForAsynchronousFlushes(x)
_MiWaitForAsynchronousFlushes@4	proc near ; CODE XREF: MiFlushSectionInternal+14F648p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	cl, 1
		push	edi
		mov	edi, esi
		lea	eax, [esi+460h]
		mov	[ebp+var_4], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, al
		xor	ebx, ebx
		mov	eax, [ebp+var_4]

loc_630AB8:				; CODE XREF: MiWaitForAsynchronousFlushes(x)+67j
		cmp	[edi+8], ebx
		jz	short loc_630AF2
		cmp	dword ptr [edi+1Ch], 1
		jz	short loc_630AF2
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [esi+480h]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	13h
		push	1
		push	[ebp+var_4]
		push	8
		call	KeWaitForMultipleObjects
		mov	cl, 1
		mov	edi, esi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, al
		mov	eax, [ebp+var_4]
		jmp	short loc_630AF8
; 

loc_630AF2:				; CODE XREF: MiWaitForAsynchronousFlushes(x)+28j
					; MiWaitForAsynchronousFlushes(x)+2Ej
		add	edi, 8Ch

loc_630AF8:				; CODE XREF: MiWaitForAsynchronousFlushes(x)+5Dj
		cmp	edi, eax
		jb	short loc_630AB8
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_630B02:				; CODE XREF: MiWaitForAsynchronousFlushes(x)+7Ej
		mov	eax, [esi]
		test	eax, eax
		js	short loc_630B15
		add	esi, 8Ch
		cmp	esi, [ebp+var_4]
		jb	short loc_630B02
		jmp	short loc_630B17
; 

loc_630B15:				; CODE XREF: MiWaitForAsynchronousFlushes(x)+73j
		mov	ebx, eax

loc_630B17:				; CODE XREF: MiWaitForAsynchronousFlushes(x)+80j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_MiWaitForAsynchronousFlushes@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReplaceLockedPage(x, x, x, x, x)
_MiReplaceLockedPage@20	proc near	; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+ABDp

var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		xor	ecx, ecx
		inc	ecx
		mov	eax, [edi+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, ecx
		jnz	loc_630BE9
		cmp	[edi+14h], cx
		jnz	loc_630BE9
		mov	ecx, edi
		call	_MiCanPageMove@4 ; MiCanPageMove(x)
		test	eax, eax
		jz	loc_630BE9
		mov	eax, edi
		mov	byte ptr [ebp+var_1], 21h
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	esi, eax
		mov	ecx, esi
		call	MiSearchNumaNodeTable
		mov	cl, ds:byte_6D068C
		push	[ebp+arg_4]
		mov	edx, [eax+4]
		shl	edx, cl
		mov	ecx, ds:dword_6D06D0
		and	ecx, esi
		or	edx, ecx
		mov	ecx, offset _MiSystemPartition
		call	MiGetPage
		cmp	eax, 0FFFFFFFFh
		jz	short loc_630BE9
		mov	ecx, [edi+4]
		lea	edx, [ebp+var_1]
		imul	esi, eax, 1Ch
		or	ecx, 80000000h
		add	esi, ds:_MmPfnDatabase
		call	MiLockProtoPoolPage
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_630BE2
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_8]
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		push	eax
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, edi
		call	_MiTradeActivePage@24 ;	MiTradeActivePage(x,x,x,x,x,x)
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, ebx
		test	eax, eax
		jnz	short loc_630BF2
		call	MiUnlockProtoPoolPage

loc_630BE2:				; CODE XREF: MiReplaceLockedPage(x,x,x,x,x)+9Bj
		mov	ecx, esi
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)

loc_630BE9:				; CODE XREF: MiReplaceLockedPage(x,x,x,x,x)+1Cj
					; MiReplaceLockedPage(x,x,x,x,x)+26j ...
		xor	eax, eax

loc_630BEB:				; CODE XREF: MiReplaceLockedPage(x,x,x,x,x)+FCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_630BF2:				; CODE XREF: MiReplaceLockedPage(x,x,x,x,x)+BDj
		call	MiUnlockProtoPoolPage
		mov	edx, ds:_ZeroPte
		lea	ecx, [edi+8]
		mov	[ecx], edx
		mov	edx, ds:dword_40F9FC
		mov	[ecx+4], edx
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		mov	ecx, edi
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		xor	eax, eax
		inc	eax
		jmp	short loc_630BEB
_MiReplaceLockedPage@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeSystemLeavesNonZero(x, x, x)
_MiMakeSystemLeavesNonZero@12 proc near	; CODE XREF: MiCreateSystemPageTable+109EFAp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [ecx+18h]
		shl	edx, 9
		push	edi
		mov	edi, [ecx+14h]
		test	eax, eax
		jle	short loc_630C52
		push	ebx
		mov	ecx, offset loc_7FFFF8
		mov	ebx, 40000000h

loc_630C3E:				; CODE XREF: MiMakeSystemLeavesNonZero(x,x,x)+33j
		shr	edi, 9
		shr	esi, 9
		and	edi, ecx
		and	esi, ecx
		sub	edi, ebx
		sub	esi, ebx
		sub	eax, 1
		jnz	short loc_630C3E
		pop	ebx

loc_630C52:				; CODE XREF: MiMakeSystemLeavesNonZero(x,x,x)+15j
		cmp	edi, edx
		jnb	short loc_630C58
		mov	edi, edx

loc_630C58:				; CODE XREF: MiMakeSystemLeavesNonZero(x,x,x)+38j
		lea	eax, [edx+1000h]
		cmp	esi, eax
		jb	short loc_630C68
		lea	esi, [edx+0FF8h]

loc_630C68:				; CODE XREF: MiMakeSystemLeavesNonZero(x,x,x)+44j
		push	0
		sub	esi, edi
		push	300h
		sar	esi, 3
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		add	esi, 1
		jz	short loc_630C8C

loc_630C7E:				; CODE XREF: MiMakeSystemLeavesNonZero(x,x,x)+6Ej
		mov	[edi], eax
		nop
		mov	[edi+4], edx
		lea	edi, [edi+8]
		sub	esi, 1
		jnz	short loc_630C7E

loc_630C8C:				; CODE XREF: MiMakeSystemLeavesNonZero(x,x,x)+60j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_MiMakeSystemLeavesNonZero@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReturnPfnList(x)
_MiReturnPfnList@4 proc	near		; CODE XREF: MiDeleteSparseRange(x,x)+2Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	[ebp+var_8], edi
		test	edi, edi
		jmp	short loc_630D00
; 

loc_630CA8:				; CODE XREF: MiReturnPfnList(x)+71j
		mov	eax, [edi]
		mov	[ebp+var_C], eax
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, edi
		mov	esi, eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	bl, al
		xor	ecx, ecx
		mov	eax, [ebp+var_8]
		add	edi, 10h
		push	2
		pop	edx
		and	dword ptr [edi], 0C0000000h
		mov	[eax+14h], cx
		mov	ecx, esi
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_C]
		inc	ecx
		mov	edi, eax
		mov	[ebp+var_8], eax
		test	eax, eax

loc_630D00:				; CODE XREF: MiReturnPfnList(x)+14j
		mov	[ebp+var_4], ecx
		jnz	short loc_630CA8
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn
_MiReturnPfnList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReturnSplitPageCharges(x,	x, x)
_MiReturnSplitPageCharges@12 proc near	; CODE XREF: MiDeleteSparseRange(x,x)+3Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	MiReturnCommit
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, edi
		call	_MiReturnSystemCharges@12 ; MiReturnSystemCharges(x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_MiReturnSplitPageCharges@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnlinkSessionList(x)
_MiUnlinkSessionList@4 proc near	; CODE XREF: MiReleaseProcessReferenceToSessionDataPage:loc_8D542Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, offset dword_6D3540
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	edx, [esi+50h]
		mov	ecx, [edx]
		test	ecx, ecx
		jz	short loc_630D77
		mov	eax, [edx+4]
		cmp	[ecx+4], edx
		jnz	short loc_630D8F
		cmp	[eax], edx
		jnz	short loc_630D8F
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	eax, [esi+58h]
		push	eax
		push	offset dword_6D05D8
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)

loc_630D77:				; CODE XREF: MiUnlinkSessionList(x)+28j
		test	ds:byte_70EFC6,	1
		pop	edi
		pop	esi
		jz	short loc_630D94
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_630DC3
; 

loc_630D8F:				; CODE XREF: MiUnlinkSessionList(x)+30j
					; MiUnlinkSessionList(x)+34j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_630D94:				; CODE XREF: MiUnlinkSessionList(x)+52j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_630DB3
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_630DC3
		call	KxWaitForLockChainValid

loc_630DB3:				; CODE XREF: MiUnlinkSessionList(x)+6Bj
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_630DC3:				; CODE XREF: MiUnlinkSessionList(x)+5Fj
					; MiUnlinkSessionList(x)+7Ej
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn
_MiUnlinkSessionList@4 endp


;  S U B	R O U T	I N E 


; __stdcall MmGetSessionObjectByProcess(x)
_MmGetSessionObjectByProcess@4 proc near ; CODE	XREF: PspEstablishDfssHierarchy(x,x,x)+23p
		mov	eax, [ecx+180h]
		test	eax, eax
		jz	short loc_630DE8
		test	dword ptr [ecx+3A8h], 1000h
		jnz	short loc_630DE8
		mov	eax, [eax+2Ch]
		retn
; 

loc_630DE8:				; CODE XREF: MmGetSessionObjectByProcess(x)+8j
					; MmGetSessionObjectByProcess(x)+14j
		xor	eax, eax
		retn
_MmGetSessionObjectByProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiChangingSubsectionProtos(x, x, x)
_MiChangingSubsectionProtos@12 proc near ; CODE	XREF: MmPurgeSection+1362E6p
					; MiPurgeFileOnlyPfn(x)+61p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_4], edi
		mov	eax, [edi]
		mov	[ebp+var_10], eax
		lea	ecx, [eax+24h]
		mov	eax, edx
		and	eax, 8
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], eax
		mov	eax, edx
		and	eax, 10h
		xor	esi, esi
		mov	[ebp+var_18], eax
		mov	eax, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[ebp+var_1C], eax

loc_630E26:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+153j
					; MiChangingSubsectionProtos(x,x,x)+170j
		push	ecx
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_18]
		mov	byte ptr [ebp+arg_0+3],	al
		test	ecx, ecx
		jz	short loc_630E51
		push	1
		mov	edx, ebx
		mov	ecx, edi
		call	_MiUnlinkSubsectionWaitBlock@12	; MiUnlinkSubsectionWaitBlock(x,x,x)
		cmp	dword ptr [ebx+8], 2
		mov	[ebx+4], esi
		jz	loc_630F60
		mov	ecx, [ebp+var_18]

loc_630E51:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+49j
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_20]
		neg	eax
		sbb	eax, eax
		and	eax, 40h
		mov	[ebx+4], eax
		test	dl, 20h
		jz	short loc_630E6E
		or	eax, 100h
		mov	[ebx+4], eax

loc_630E6E:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+79j
		test	ecx, ecx
		jz	short loc_630E79
		or	dword ptr [ebx+4], 80h

loc_630E79:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+85j
		mov	ecx, [ebp+var_4]
		cmp	[ecx+4], esi
		jz	short loc_630E8A
		test	dl, 1
		jnz	loc_630F67

loc_630E8A:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+94j
		mov	edx, [ebp+var_8]
		mov	edi, esi
		mov	[ebp+var_14], esi
		test	edx, edx
		jnz	short loc_630ED9
		mov	eax, [ebp+var_10]
		test	byte ptr [eax+1Ch], 20h
		jz	short loc_630EA4
		mov	edi, [eax+2Ch]
		jmp	short loc_630EA7
; 

loc_630EA4:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+B2j
		mov	edi, [ecx+0Ch]

loc_630EA7:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+B7j
		test	edi, edi
		jz	short loc_630ED9

loc_630EAB:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+CAj
		test	byte ptr [edi+4], 40h
		jz	short loc_630EB7
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_630EAB

loc_630EB7:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+C4j
		test	edi, edi
		jz	short loc_630ED9
		push	esi
		xor	edx, edx
		call	KeAbPreAcquire
		mov	edx, eax
		mov	[ebp+var_14], edx
		test	edx, edx
		jz	short loc_630ED3
		mov	ecx, edx
		call	_KeAbPreWait@4	; KeAbPreWait(x)

loc_630ED3:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+DFj
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]

loc_630ED9:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+A9j
					; MiChangingSubsectionProtos(x,x,x)+BEj ...
		lea	eax, [ebx+0Ch]
		mov	[ebx+8], esi
		mov	word ptr [eax],	107h
		mov	byte ptr [eax+2], 4
		mov	[eax+4], esi
		add	eax, 8
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+var_10]
		test	byte ptr [eax+1Ch], 20h
		jz	short loc_630F09
		mov	eax, [eax+2Ch]
		mov	[ebx], eax
		mov	eax, [ebp+var_10]
		mov	[eax+2Ch], ebx
		jmp	short loc_630F11
; 

loc_630F09:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+10Fj
		mov	eax, [ecx+0Ch]
		mov	[ebx], eax
		mov	[ecx+0Ch], ebx

loc_630F11:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+11Cj
		test	edx, edx
		jnz	short loc_630F7E
		test	edi, edi
		jz	short loc_630F6E
		push	[ebp+var_C]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	[ebp+var_1C]
		push	ecx
		push	12h
		pop	edx
		lea	ecx, [ebx+0Ch]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		mov	eax, [ebp+var_14]
		mov	edi, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		test	eax, eax
		jz	loc_630E26
		push	esi
		mov	edx, eax
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	edx, [ebp+var_14]
		mov	ecx, edi
		call	KeAbPostReleaseEx
		mov	ecx, [ebp+var_C]
		jmp	loc_630E26
; 

loc_630F60:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+5Dj
		mov	esi, 0C0000434h
		jmp	short loc_630F7E
; 

loc_630F67:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+99j
		mov	esi, 0C000020Ah
		jmp	short loc_630F7E
; 

loc_630F6E:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+12Cj
		push	esi
		xor	edx, edx
		call	KeAbPreAcquire
		test	eax, eax
		jz	short loc_630F7E
		or	byte ptr [eax+0Eh], 1

loc_630F7E:				; CODE XREF: MiChangingSubsectionProtos(x,x,x)+128j
					; MiChangingSubsectionProtos(x,x,x)+17Aj ...
		push	[ebp+var_C]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	[ebp+var_1C]
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiChangingSubsectionProtos@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCopyFileOnlyGlobalSubsectionPage(x, x, x,	x, x, x, x)
_MiCopyFileOnlyGlobalSubsectionPage@28 proc near
					; CODE XREF: MiResolveMappedFileFault+10B00Fp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		and	[ebp+var_4], 0
		xor	eax, eax
		and	[ebp+var_20], eax
		push	ebx
		imul	ebx, [ebp+arg_8], 1Ch
		push	esi
		mov	esi, ds:_MmPfnDatabase
		add	esi, 10h
		mov	[ebp+var_C], edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_8], eax
		add	esi, ebx
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_630FE5

loc_630FCA:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+41j
					; MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+48j
		lea	ecx, [ebp+var_20]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_630FCA
		lock bts dword ptr [esi], 1Fh
		jb	short loc_630FCA
		mov	eax, [ebp+var_8]
		mov	[ebp+var_1C], eax

loc_630FE5:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+33j
		mov	edx, [ebp+arg_0]
		mov	esi, ds:_MmPfnDatabase
		add	esi, ebx
		mov	[ebp+var_10], esi
		mov	ebx, [edx]
		nop
		mov	ecx, [edx+4]
		mov	eax, ebx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_631050
		mov	eax, ds:dword_6D0700
		mov	esi, ds:dword_6D0704
		mov	[ebp+var_24], eax
		or	eax, esi
		mov	[ebp+var_28], esi
		mov	esi, [ebp+var_10]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_18], ecx
		jz	short loc_631044
		mov	ecx, ebx
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_631041
		mov	ebx, [ebp+var_24]
		mov	ecx, [ebp+var_28]
		not	ebx
		and	ebx, [ebp+var_14]
		not	ecx
		and	ecx, [ebp+var_18]
		jmp	short loc_631044
; 

loc_631041:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+98j
		mov	ecx, [ebp+var_18]

loc_631044:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+8Cj
					; MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+AAj
		shrd	ebx, ecx, 0Ch
		and	ebx, 3FFFFFFh
		jmp	short loc_631053
; 

loc_631050:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+6Ej
		or	ebx, 0FFFFFFFFh

loc_631053:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+B9j
		mov	ecx, [ebp+arg_8]
		push	ebx
		call	_MiInitializeTransitionPfn@12 ;	MiInitializeTransitionPfn(x,x,x)
		mov	al, [esi+16h]
		mov	ecx, edi
		and	al, 0FAh
		or	al, 2
		mov	[esi+16h], al
		xor	eax, eax
		inc	eax
		mov	[esi+14h], ax
		lea	eax, [edi+10h]
		or	byte ptr [esi+16h], 20h
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	[esi], ecx
		mov	ecx, 7FFFFFFFh
		mov	eax, [edi+78h]
		shr	eax, 9
		xor	al, [esi+17h]
		and	al, 7
		xor	[esi+17h], al
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	eax, [ebp+var_C]
		mov	eax, [eax]
		mov	[ebp+var_18], eax
		lea	esi, [eax+24h]
		push	esi
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	eax, [ebp+var_18]
		push	esi
		inc	dword ptr [eax+10h]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+arg_0]
		sub	ecx, [eax+24h]
		mov	eax, [ebp+var_C]
		sar	ecx, 3
		mov	eax, [eax+4]
		lea	ecx, [eax+ecx*8]
		mov	eax, ecx
		xor	eax, [ebp+arg_0]
		test	eax, 0FFFFF000h
		lea	eax, [ebp+var_4]
		push	eax
		jnz	short loc_6310E3
		call	MiTryLockLeafPage
		mov	ecx, [ebp+var_1C]
		jmp	short loc_6310EF
; 

loc_6310E3:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+142j
		lea	eax, [ebp+var_8]
		push	eax
		call	MiTryLockProtoPoolPageAtDpc
		mov	ecx, [ebp+var_8]

loc_6310EF:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+14Cj
		mov	esi, eax
		test	esi, esi
		js	loc_63126C
		mov	eax, [ebp+var_4]
		test	byte ptr [eax+17h], 40h
		jz	short loc_631120
		add	eax, 10h
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		test	ecx, ecx
		jz	short loc_631118
		mov	dl, 2
		call	MiUnlockProtoPoolPage

loc_631118:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+17Aj
		mov	eax, [ebp+var_4]
		mov	esi, 0C0000709h

loc_631120:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+16Bj
		test	esi, esi
		js	loc_63126C
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_28], eax
		test	cl, 1
		jz	short loc_631150
		and	ecx, 0FFFFFFFEh
		cmp	byte ptr [ecx],	1
		jnz	short loc_631150
		call	_MiAdvanceFaultList@4 ;	MiAdvanceFaultList(x)
		or	dword ptr [edi+78h], 8

loc_631150:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+1A8j
					; MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+1B0j
		mov	esi, [ebp+arg_0]
		mov	eax, [esi]
		nop
		mov	ecx, [esi+4]
		mov	[edi+64h], ecx
		mov	ecx, large fs:124h
		mov	[edi+60h], eax
		mov	[edi+8Ch], esi
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 2
		jge	short loc_63117D
		or	dword ptr [edi+78h], 80h

loc_63117D:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+1DFj
		push	20h
		pop	eax
		mov	[edi+0ACh], ax
		xor	ecx, ecx
		mov	eax, [ebp+arg_8]
		mov	edx, esi
		mov	[edi+0C4h], eax
		push	42h
		pop	eax
		mov	[edi+0AEh], ax
		mov	eax, [ebp+arg_10]
		mov	[edi+0A8h], ecx
		mov	[edi+0B8h], ecx
		mov	[edi+0C0h], ecx
		mov	ecx, [ebp+var_C]
		mov	dword ptr [edi+0BCh], 1000h
		push	dword ptr [eax+20h]
		call	MiStartingOffset
		and	dword ptr [edi+7Ch], 0
		mov	[edi+38h], eax
		mov	eax, [ebp+var_10]
		mov	[edi+3Ch], edx
		xor	edx, edx
		mov	[edi+90h], esi
		inc	edx
		mov	esi, [ebp+arg_C]
		mov	ecx, esi
		mov	[edi+94h], eax
		mov	eax, [ebp+var_18]
		mov	[edi+80h], eax
		mov	dword ptr [edi+70h], 1000h
		call	_MiObtainProtoReference@8 ; MiObtainProtoReference(x,x)
		mov	edx, [ebp+var_28]
		mov	ecx, [ebp+arg_8]
		push	44h
		push	0
		mov	[edi+5Ch], esi
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_631225
		imul	edx, ebx, 1Ch
		mov	ecx, edi
		add	edx, ds:_MmPfnDatabase
		call	_MiFlowThroughInsertNode@8 ; MiFlowThroughInsertNode(x,x)

loc_631225:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+27Ej
		mov	eax, [ebp+var_4]
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_631241
		mov	dl, 2
		call	MiUnlockProtoPoolPage

loc_631241:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+2A3j
		mov	dl, 2
		mov	ecx, esi
		call	MiUnlockProtoPoolPage
		inc	large dword ptr	fs:3E20h
		xor	eax, eax
		push	eax
		push	eax
		mov	[edi+30h], eax
		lea	eax, [edi+10h]
		push	eax
		mov	dword ptr [edi+34h], 1000h
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	eax, eax
		jmp	short loc_6312A5
; 

loc_63126C:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+15Ej
					; MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+18Dj
		mov	edi, [ebp+var_10]
		and	[ebp+var_2C], 0
		lea	ebx, [edi+10h]
		jmp	short loc_631286
; 

loc_631278:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+2EFj
					; MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+2F6j
		lea	ecx, [ebp+var_2C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_631278

loc_631286:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+2E1j
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_631278
		mov	ecx, edi
		call	MiHandleInPageError
		mov	ecx, edi
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		mov	eax, 7FFFFFFFh
		lock and [ebx],	eax
		mov	eax, esi

loc_6312A5:				; CODE XREF: MiCopyFileOnlyGlobalSubsectionPage(x,x,x,x,x,x,x)+2D5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_MiCopyFileOnlyGlobalSubsectionPage@28 endp


;  S U B	R O U T	I N E 


; __stdcall MiDecrementProtoShareCounts(x, x)
_MiDecrementProtoShareCounts@8 proc near ; CODE	XREF: MiAllocateFileExtents(x,x,x,x,x)+4C6p
		mov	edi, edi
		push	esi
		imul	esi, ecx, 1Ch
		push	edi
		mov	edi, edx
		add	esi, ds:_MmPfnDatabase
		test	edi, edi
		jz	short loc_6312EC
		push	ebx

loc_6312C0:				; CODE XREF: MiDecrementProtoShareCounts(x,x)+3Dj
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, esi
		mov	bl, al
		call	MiDecrementShareCount
		mov	eax, 7FFFFFFFh
		lea	ecx, [esi+10h]
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		add	esi, 1Ch
		sub	edi, 1
		jnz	short loc_6312C0
		pop	ebx

loc_6312EC:				; CODE XREF: MiDecrementProtoShareCounts(x,x)+11j
		pop	edi
		pop	esi
		retn
_MiDecrementProtoShareCounts@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteExtentPfns(x)
_MiDeleteExtentPfns@4 proc near		; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+16Cp
					; DATA XREF: MiWakeFileOnlyReaper()+17o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+18h+var_C]
		mov	ebx, offset dword_6CF4A8
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_631325
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	KeAbPreAcquire
		test	eax, eax
		jz	short loc_631325
		or	byte ptr [eax+0Eh], 1

loc_631325:				; CODE XREF: MiDeleteExtentPfns(x)+21j
					; MiDeleteExtentPfns(x)+30j ...
		call	_MiPurgeBadFileOnlyPages@0 ; MiPurgeBadFileOnlyPages()
		jmp	short loc_631337
; 

loc_63132C:				; CODE XREF: MiDeleteExtentPfns(x)+4Fj
		push	32h
		xor	edx, edx
		xor	ecx, ecx
		call	_MiRemovePhysicalMemory@12 ; MiRemovePhysicalMemory(x,x,x)

loc_631337:				; CODE XREF: MiDeleteExtentPfns(x)+3Bj
		cmp	ds:dword_6CF494, 0
		jnz	short loc_63132C
		lea	edx, [esp+18h+var_C]
		mov	ecx, offset unk_6D5750
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	esi, ds:dword_6CF494
		test	edi, edi
		jnz	short loc_631370
		test	esi, esi
		jnz	short loc_631365
		cmp	ds:byte_6CF4BD,	1
		jnz	short loc_631374

loc_631365:				; CODE XREF: MiDeleteExtentPfns(x)+6Bj
		lea	ecx, [esp+18h+var_C]
		call	_MiWaitForExtentDeletions@4 ; MiWaitForExtentDeletions(x)
		jmp	short loc_6313E7
; 

loc_631370:				; CODE XREF: MiDeleteExtentPfns(x)+67j
		test	esi, esi
		jz	short loc_6313D3

loc_631374:				; CODE XREF: MiDeleteExtentPfns(x)+74j
		test	ds:byte_70EFC6,	1
		jz	short loc_63138B
		mov	edx, [ebp+4]
		lea	ecx, [esp+18h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6313BF
; 

loc_63138B:				; CODE XREF: MiDeleteExtentPfns(x)+8Cj
		mov	eax, [esp+18h+var_C]
		test	eax, eax
		jnz	short loc_6313AE
		mov	edx, [esp+18h+var_8]
		lea	eax, [esp+18h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+18h+var_C]
		cmp	eax, ecx
		jz	short loc_6313BF
		call	KxWaitForLockChainValid

loc_6313AE:				; CODE XREF: MiDeleteExtentPfns(x)+A2j
		xor	ecx, ecx
		mov	[esp+18h+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_6313BF:				; CODE XREF: MiDeleteExtentPfns(x)+9Aj
					; MiDeleteExtentPfns(x)+B8j
		mov	cl, [esp+18h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	loc_631325
		jmp	short loc_6313DC
; 

loc_6313D3:				; CODE XREF: MiDeleteExtentPfns(x)+83j
		lea	ecx, [esp+18h+var_C]
		call	_MiWakeExtentDeletionWaiters@4 ; MiWakeExtentDeletionWaiters(x)

loc_6313DC:				; CODE XREF: MiDeleteExtentPfns(x)+E2j
		test	edi, edi
		jz	short loc_6313E7
		mov	ecx, ebx
		call	KeAbPostRelease

loc_6313E7:				; CODE XREF: MiDeleteExtentPfns(x)+7Fj
					; MiDeleteExtentPfns(x)+EFj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiDeleteExtentPfns@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiEliminateStaleExtents(x, x, x)
_MiEliminateStaleExtents@12 proc near	; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+33Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edx
		mov	esi, ecx
		mov	byte ptr [ebp+var_1], 21h
		cmp	[ebp+arg_0], edi
		jbe	short loc_631481

loc_63140A:				; CODE XREF: MiEliminateStaleExtents(x,x,x)+35j
					; MiEliminateStaleExtents(x,x,x)+8Fj
		lea	edx, [ebp+var_1]
		mov	ecx, esi
		call	MiLockProtoPoolPage
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_631427
		push	eax
		push	eax
		push	esi
		push	2
		call	MmAccessFault
		jmp	short loc_63140A
; 

loc_631427:				; CODE XREF: MiEliminateStaleExtents(x,x,x)+29j
					; MiEliminateStaleExtents(x,x,x)+7Fj
		mov	eax, [ebp+var_8]
		mov	eax, [eax+edi*4]
		mov	[ebp+var_C], eax
		cmp	eax, 80000000h
		jz	short loc_631460
		xor	edx, edx
		mov	ecx, esi
		call	MiLockLeafPage
		test	eax, eax
		jz	short loc_63145F
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_C]
		or	eax, 40000000h
		mov	[ecx+edi*4], eax
		jmp	short loc_631460
; 

loc_63145F:				; CODE XREF: MiEliminateStaleExtents(x,x,x)+52j
		nop

loc_631460:				; CODE XREF: MiEliminateStaleExtents(x,x,x)+45j
					; MiEliminateStaleExtents(x,x,x)+6Dj
		add	esi, 8
		inc	edi
		cmp	edi, [ebp+arg_0]
		jnb	short loc_631471
		test	esi, 0FFFh
		jnz	short loc_631427

loc_631471:				; CODE XREF: MiEliminateStaleExtents(x,x,x)+77j
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, [ebp+var_10]
		call	MiUnlockProtoPoolPage
		cmp	edi, [ebp+arg_0]
		jb	short loc_63140A

loc_631481:				; CODE XREF: MiEliminateStaleExtents(x,x,x)+18j
		pop	edi
		pop	esi
		leave
		retn	4
_MiEliminateStaleExtents@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFlushFileOnlyMdl(x, x, x,	x)
_MiFlushFileOnlyMdl@16 proc near	; CODE XREF: MiFlushSectionInternal+14F57Cp
					; MiGatherMappedPages+1185BCp

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	ecx, [esi+18h]
		add	ecx, [esi+10h]
		mov	edi, [esi+14h]
		and	ecx, 0FFFh
		and	dword ptr [eax+4], 0
		add	edi, 0FFFh
		and	dword ptr [eax], 0
		add	edi, ecx
		shr	edi, 0Ch
		cmp	ds:byte_6D06C8,	0
		jnz	short loc_631520
		test	byte ptr [esi+6], 5
		jz	short loc_6314CA
		mov	ebx, [esi+0Ch]
		jmp	short loc_6314DF
; 

loc_6314CA:				; CODE XREF: MiFlushFileOnlyMdl(x,x,x,x)+3Cj
		push	0C0000010h
		push	0
		push	0
		push	1
		push	0
		push	esi
		call	MmMapLockedPagesSpecifyCache
		mov	ebx, eax

loc_6314DF:				; CODE XREF: MiFlushFileOnlyMdl(x,x,x,x)+41j
		test	ebx, ebx
		jz	short loc_6314F8
		mov	edx, edi
		mov	ecx, ebx
		shl	edx, 0Ch
		call	@KeInvalidateRangeAllCaches@8 ;	KeInvalidateRangeAllCaches(x,x)
		push	esi
		push	dword ptr [esi+0Ch]
		call	MmUnmapLockedPages

loc_6314F8:				; CODE XREF: MiFlushFileOnlyMdl(x,x,x,x)+5Aj
		add	esi, 1Ch
		test	edi, edi
		jz	short loc_63151D
		mov	eax, edi
		mov	[ebp+var_4], edi

loc_631504:				; CODE XREF: MiFlushFileOnlyMdl(x,x,x,x)+94j
		test	ebx, ebx
		jnz	short loc_631512
		mov	ecx, [esi]
		call	_MiPersistPage@4 ; MiPersistPage(x)
		mov	eax, [ebp+var_4]

loc_631512:				; CODE XREF: MiFlushFileOnlyMdl(x,x,x,x)+7Fj
		add	esi, 4
		sub	eax, 1
		mov	[ebp+var_4], eax
		jnz	short loc_631504

loc_63151D:				; CODE XREF: MiFlushFileOnlyMdl(x,x,x,x)+76j
		mov	eax, [ebp+arg_4]

loc_631520:				; CODE XREF: MiFlushFileOnlyMdl(x,x,x,x)+36j
		and	dword ptr [eax], 0
		shl	edi, 0Ch
		mov	[eax+4], edi
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiFlushFileOnlyMdl@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetDanglingExtent(x)
_MiGetDanglingExtent@4 proc near	; CODE XREF: MiRemovePhysicalMemory(x,x,x)+72p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	dword ptr [ecx], 0
		lea	edx, [ebp+var_1C]
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_10], ecx
		lea	edi, [ebp+var_1C]
		mov	ecx, offset unk_6D5750
		stosd
		xor	esi, esi
		stosd
		stosd
		xor	edi, edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)

loc_63155B:				; CODE XREF: MiGetDanglingExtent(x)+46j
		mov	eax, ds:dword_6CF494
		test	eax, eax
		jz	short loc_63157A
		test	esi, esi
		jnz	short loc_63156A
		mov	edi, eax

loc_63156A:				; CODE XREF: MiGetDanglingExtent(x)+34j
		mov	ecx, [eax]
		inc	esi
		add	eax, 0FFFFFFE4h
		mov	ds:dword_6CF494, ecx
		cmp	ecx, eax
		jz	short loc_63155B

loc_63157A:				; CODE XREF: MiGetDanglingExtent(x)+30j
		test	ds:byte_70EFC6,	1
		mov	[ebp+var_8], edi
		jz	short loc_631593
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6315C2
; 

loc_631593:				; CODE XREF: MiGetDanglingExtent(x)+52j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_6315B2
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_6315C2
		call	KxWaitForLockChainValid

loc_6315B2:				; CODE XREF: MiGetDanglingExtent(x)+66j
		xor	ecx, ecx
		mov	[ebp+var_1C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_6315C2:				; CODE XREF: MiGetDanglingExtent(x)+5Fj
					; MiGetDanglingExtent(x)+79j
		mov	cl, [ebp+var_14]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	short loc_6315D7
		or	eax, 0FFFFFFFFh
		jmp	loc_631659
; 

loc_6315D7:				; CODE XREF: MiGetDanglingExtent(x)+9Bj
		imul	eax, esi, 1Ch
		mov	cl, 2
		push	ebx
		mov	ebx, edi
		sub	ebx, eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		lea	ecx, [ebx+1Ch]
		mov	[ebp+var_1], al
		cmp	ecx, edi
		ja	short loc_63163C
		mov	eax, [ebp+var_8]
		lea	edi, [ecx+10h]
		sub	eax, ecx
		xor	edx, edx
		push	1Ch
		pop	ecx
		div	ecx
		inc	eax
		mov	[ebp+var_8], eax

loc_631604:				; CODE XREF: MiGetDanglingExtent(x)+105j
		and	[ebp+var_C], 0
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_631626

loc_63160F:				; CODE XREF: MiGetDanglingExtent(x)+E8j
					; MiGetDanglingExtent(x)+EFj
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_63160F
		lock bts dword ptr [edi], 1Fh
		jb	short loc_63160F
		mov	eax, [ebp+var_8]

loc_631626:				; CODE XREF: MiGetDanglingExtent(x)+DBj
		mov	ecx, 7FFFFFFFh
		lock and [edi],	ecx
		add	edi, 1Ch
		sub	eax, 1
		mov	[ebp+var_8], eax
		jnz	short loc_631604
		mov	al, [ebp+var_1]

loc_63163C:				; CODE XREF: MiGetDanglingExtent(x)+BDj
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_10]
		push	1Ch
		pop	ecx
		mov	[eax], esi
		sub	ebx, ds:_MmPfnDatabase
		lea	eax, [ecx+ebx]
		cdq
		idiv	ecx
		pop	ebx

loc_631659:				; CODE XREF: MiGetDanglingExtent(x)+A0j
		pop	edi
		pop	esi
		leave
		retn
_MiGetDanglingExtent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPersistPage(x)
_MiPersistPage@4 proc near		; CODE XREF: MiFlushFileOnlyMdl(x,x,x,x)+83p
					; MiPurgeFileOnlyPfn(x)+16Dp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	ds:byte_6D06C8,	0
		push	esi
		push	edi
		mov	[ebp+var_1], 0
		jnz	short loc_63169A
		mov	edi, 80000000h
		lea	edx, [ebp-1]
		push	edi
		call	MiMapPageInHyperSpaceWorker
		mov	esi, eax
		mov	edx, 1000h
		mov	ecx, esi
		call	@KeInvalidateRangeAllCaches@8 ;	KeInvalidateRangeAllCaches(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, esi
		push	edi
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)

loc_63169A:				; CODE XREF: MiPersistPage(x)+14j
		pop	edi
		pop	esi
		leave
		retn
_MiPersistPage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPurgeBadFileOnlyPages()
_MiPurgeBadFileOnlyPages@0 proc	near	; CODE XREF: MiDeleteExtentPfns(x):loc_631325p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_C], 0
		xor	eax, eax
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		push	esi
		push	edi
		lea	edi, [ebp+var_24]
		stosd
		stosd
		stosd

loc_6316BF:				; CODE XREF: MiPurgeBadFileOnlyPages()+D9j
		mov	esi, offset unk_6D5750

loc_6316C4:				; CODE XREF: MiPurgeBadFileOnlyPages()+223j
					; MiPurgeBadFileOnlyPages()+22Ej ...
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	[ebp+var_24], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1], al
		mov	[ebp+var_20], esi
		jz	short loc_6316EB
		mov	edx, esi
		lea	ecx, [ebp+var_24]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6316FC
; 

loc_6316EB:				; CODE XREF: MiPurgeBadFileOnlyPages()+3Fj
		lea	edx, [ebp+var_24]
		xchg	edx, [esi]
		test	edx, edx
		jz	short loc_6316FC
		lea	ecx, [ebp+var_24]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_6316FC:				; CODE XREF: MiPurgeBadFileOnlyPages()+4Bj
					; MiPurgeBadFileOnlyPages()+54j
		mov	esi, ds:dword_6CF488
		mov	ds:byte_6CF4BE,	0
		mov	[ebp+var_14], esi
		cmp	esi, offset loc_7FFFFF
		jz	loc_63193F
		imul	edi, esi, 1Ch
		add	edi, ds:_MmPfnDatabase
		lea	eax, [edi+10h]
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_63177C
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_631743
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_631772
; 

loc_631743:				; CODE XREF: MiPurgeBadFileOnlyPages()+96j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_631762
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	short loc_631772
		call	KxWaitForLockChainValid

loc_631762:				; CODE XREF: MiPurgeBadFileOnlyPages()+AAj
		xor	ecx, ecx
		mov	[ebp+var_24], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_631772:				; CODE XREF: MiPurgeBadFileOnlyPages()+A3j
					; MiPurgeBadFileOnlyPages()+BDj
		mov	cl, [ebp+var_1]
		call	ebx
		jmp	loc_6316BF
; 

loc_63177C:				; CODE XREF: MiPurgeBadFileOnlyPages()+8Bj
		mov	eax, ds:dword_6CF480
		mov	edx, 80h
		mov	ecx, edi
		mov	[ebp+var_18], eax
		call	_MiUnlinkPageFromBadList@8 ; MiUnlinkPageFromBadList(x,x)
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_6317A8
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6317D7
; 

loc_6317A8:				; CODE XREF: MiPurgeBadFileOnlyPages()+FBj
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_6317C7
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	short loc_6317D7
		call	KxWaitForLockChainValid

loc_6317C7:				; CODE XREF: MiPurgeBadFileOnlyPages()+10Fj
		xor	ecx, ecx
		mov	[ebp+var_24], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_6317D7:				; CODE XREF: MiPurgeBadFileOnlyPages()+108j
					; MiPurgeBadFileOnlyPages()+122j
		xor	eax, eax
		mov	ecx, edi
		lea	edx, [eax+1]
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_C], 0
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		xor	eax, eax
		lea	edx, [eax+1]
		call	_MiPreventControlAreaDeletion@16 ; MiPreventControlAreaDeletion(x,x,x,x)
		mov	[ebp+var_10], eax
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ebx
		cmp	[ebp+var_10], 0
		jz	short loc_63187A
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_631824
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)

loc_631824:				; CODE XREF: MiPurgeBadFileOnlyPages()+17Fj
		mov	ecx, edi
		call	_MiPurgeFileOnlyPfn@4 ;	MiPurgeFileOnlyPfn(x)
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	short loc_631837
		call	_MiDecrementSubsection@4 ; MiDecrementSubsection(x)

loc_631837:				; CODE XREF: MiPurgeBadFileOnlyPages()+192j
		mov	esi, [ebp+var_10]
		add	esi, 24h
		push	esi
		call	ExAcquireSpinLockExclusive
		xor	ecx, ecx
		mov	bl, al
		mov	eax, [ebp+var_10]
		lea	edx, [ecx+1]
		mov	ecx, eax
		and	dword ptr [eax+1Ch], 0FFFFFFFBh
		call	_MiDecrementModifiedWriteCount@8 ; MiDecrementModifiedWriteCount(x,x)
		push	esi
		mov	[ebp+var_8], eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		mov	ebx, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	ebx
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_631877
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)

loc_631877:				; CODE XREF: MiPurgeBadFileOnlyPages()+1D2j
		mov	esi, [ebp+var_14]

loc_63187A:				; CODE XREF: MiPurgeBadFileOnlyPages()+178j
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, edi
		mov	[ebp+var_1], al
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		test	eax, eax
		jz	short loc_6318A5
		xor	eax, eax
		xor	edx, edx
		inc	eax
		mov	ecx, edi
		push	eax
		call	_MiSetPfnTbFlushStamp@12 ; MiSetPfnTbFlushStamp(x,x,x)
		mov	edx, esi
		mov	ecx, edi
		call	MiPfnReferenceCountIsZero

loc_6318A5:				; CODE XREF: MiPurgeBadFileOnlyPages()+1EFj
		movzx	esi, word ptr [edi+14h]
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ebx
		test	si, si
		mov	esi, offset unk_6D5750
		jz	loc_6316C4
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	loc_6316C4
		sub	eax, 1
		jnz	loc_6316C4
		lea	edx, [ebp+var_24]
		mov	ecx, esi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	eax, eax
		inc	eax
		cmp	ds:dword_6CF480, 0
		jz	short loc_6318F6
		mov	ds:byte_6CF4BE,	al

loc_6318F6:				; CODE XREF: MiPurgeBadFileOnlyPages()+251j
		test	ds:byte_70EFC6,	al
		jz	short loc_63190B
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63193A
; 

loc_63190B:				; CODE XREF: MiPurgeBadFileOnlyPages()+25Ej
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_63192A
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	short loc_63193A
		call	KxWaitForLockChainValid

loc_63192A:				; CODE XREF: MiPurgeBadFileOnlyPages()+272j
		xor	ecx, ecx
		mov	[ebp+var_24], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_63193A:				; CODE XREF: MiPurgeBadFileOnlyPages()+26Bj
					; MiPurgeBadFileOnlyPages()+285j
		mov	cl, [ebp+var_1C]
		jmp	short loc_631989
; 

loc_63193F:				; CODE XREF: MiPurgeBadFileOnlyPages()+74j
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_631957
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_24]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_631986
; 

loc_631957:				; CODE XREF: MiPurgeBadFileOnlyPages()+2AAj
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_631976
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_24]
		cmp	eax, ecx
		jz	short loc_631986
		call	KxWaitForLockChainValid

loc_631976:				; CODE XREF: MiPurgeBadFileOnlyPages()+2BEj
		xor	ecx, ecx
		mov	[ebp+var_24], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_631986:				; CODE XREF: MiPurgeBadFileOnlyPages()+2B7j
					; MiPurgeBadFileOnlyPages()+2D1j
		mov	cl, [ebp+var_1]

loc_631989:				; CODE XREF: MiPurgeBadFileOnlyPages()+29Fj
		call	ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiPurgeBadFileOnlyPages@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPurgeFileOnlyPfn(x)
_MiPurgeFileOnlyPfn@4 proc near		; CODE XREF: MiPurgeBadFileOnlyPages()+188p

var_4C		= dword	ptr -4Ch
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		mov	edx, ecx
		lea	edi, [ebp+var_4C]
		push	7
		xor	eax, eax
		mov	[ebp+var_14], edx
		pop	ecx
		mov	esi, [edx+8]
		mov	ebx, [edx+0Ch]
		mov	edx, ds:dword_6D0704
		rep stosd
		mov	ecx, ds:dword_6D0700
		mov	eax, ecx
		or	eax, edx
		jz	short loc_6319D0
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_6319D0
		not	edx
		and	ebx, edx

loc_6319D0:				; CODE XREF: MiPurgeFileOnlyPfn(x)+30j
					; MiPurgeFileOnlyPfn(x)+3Aj
		mov	edi, [ebp+var_14]
		lea	eax, [ebp+var_4C]
		push	eax
		push	20h
		xor	esi, esi
		mov	byte ptr [ebp+var_1], 21h
		mov	edi, [edi+4]
		mov	ecx, ebx
		or	edi, 80000000h
		mov	[ebp+var_C], esi
		pop	edx
		mov	[ebp+var_18], edi
		call	_MiChangingSubsectionProtos@12 ; MiChangingSubsectionProtos(x,x,x)
		lea	edx, [ebp+var_1]
		mov	ecx, edi
		call	MiCheckProtoPtePageState
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_631A3E
		xor	edx, edx
		mov	ecx, edi
		call	MiLockLeafPage
		mov	esi, eax
		test	esi, esi
		jz	short loc_631A38
		and	[ebp+var_2C], 0
		mov	ecx, [edi]
		mov	[ebp+var_2C], ecx
		nop
		mov	edx, [edi+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_631A5F

loc_631A2D:				; CODE XREF: MiPurgeFileOnlyPfn(x)+11Ej
					; MiPurgeFileOnlyPfn(x)+152j
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx

loc_631A38:				; CODE XREF: MiPurgeFileOnlyPfn(x)+84j
		mov	esi, [ebp+var_C]

loc_631A3B:				; CODE XREF: MiPurgeFileOnlyPfn(x)+18Aj
		mov	eax, [ebp+var_8]

loc_631A3E:				; CODE XREF: MiPurgeFileOnlyPfn(x)+75j
		mov	dl, byte ptr [ebp+var_1]
		cmp	dl, 21h
		jz	short loc_631A4D
		mov	ecx, eax
		call	MiUnlockProtoPoolPage

loc_631A4D:				; CODE XREF: MiPurgeFileOnlyPfn(x)+B4j
		push	esi
		push	0
		lea	edx, [ebp+var_4C]
		mov	ecx, ebx
		call	_MiSubsectionProtosCreated@16 ;	MiSubsectionProtosCreated(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_631A5F:				; CODE XREF: MiPurgeFileOnlyPfn(x)+9Bj
		mov	eax, ds:dword_6D0700
		mov	edi, ds:dword_6D0704
		mov	[ebp+var_1C], eax
		or	eax, edi
		mov	[ebp+var_24], edi
		mov	edi, [ebp+var_18]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], edx
		jz	short loc_631A97
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_631A97
		mov	ecx, [ebp+var_1C]
		mov	edx, [ebp+var_24]
		not	ecx
		and	ecx, [ebp+var_10]
		not	edx
		and	edx, [ebp+var_14]

loc_631A97:				; CODE XREF: MiPurgeFileOnlyPfn(x)+EBj
					; MiPurgeFileOnlyPfn(x)+F5j
		shrd	ecx, edx, 0Ch
		mov	edx, ds:_MmPfnDatabase
		and	ecx, 3FFFFFFh
		imul	eax, ecx, 1Ch
		add	eax, edx
		cmp	esi, eax
		jnz	loc_631A2D
		mov	eax, [esi+0Ch]
		mov	ecx, [esi+8]
		mov	[ebp+var_24], eax
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jz	short loc_631B1F
		and	ecx, 1
		or	ecx, 0
		jnz	short loc_631B1F
		mov	eax, [esi+4]
		or	eax, 80000000h
		cmp	eax, edi
		jnz	short loc_631B1F
		mov	al, [esi+16h]
		test	al, 8
		jnz	loc_631A2D
		test	al, 10h
		jz	short loc_631B0A
		cmp	[esi+17h], cl
		jl	short loc_631B05
		mov	eax, esi
		sub	eax, edx
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	_MiPersistPage@4 ; MiPersistPage(x)
		mov	al, [esi+16h]

loc_631B05:				; CODE XREF: MiPurgeFileOnlyPfn(x)+15Fj
		and	al, 0EFh
		mov	[esi+16h], al

loc_631B0A:				; CODE XREF: MiPurgeFileOnlyPfn(x)+15Aj
		push	1
		push	2
		mov	edx, esi
		mov	ecx, edi
		call	MiDeleteTransitionPte
		xor	esi, esi
		inc	esi
		jmp	loc_631A3B
; 

loc_631B1F:				; CODE XREF: MiPurgeFileOnlyPfn(x)+137j
					; MiPurgeFileOnlyPfn(x)+13Fj ...
		push	[ebp+var_2C]
		push	dword ptr [esi+4]
		push	edi
		push	2
		push	0DEh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MiPurgeFileOnlyPfn@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiQueueExtentPfnDeletion(x)
_MiQueueExtentPfnDeletion@4 proc near	; CODE XREF: MiWorkingSetManager(x,x)+263p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		stosd
		stosd
		test	esi, esi
		jz	loc_631BDD
		and	[ebp+var_C], 0
		mov	eax, offset unk_6D5750
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_8], eax
		jz	short loc_631B70
		mov	edx, eax
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_631B81
; 

loc_631B70:				; CODE XREF: MiQueueExtentPfnDeletion(x)+2Fj
		lea	edx, [ebp+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_631B81
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_631B81:				; CODE XREF: MiQueueExtentPfnDeletion(x)+3Bj
					; MiQueueExtentPfnDeletion(x)+44j
		mov	eax, ds:dword_6CF494
		mov	[esi], eax
		mov	ds:dword_6CF494, esi
		call	_MiWakeFileOnlyReaper@0	; MiWakeFileOnlyReaper()
		test	ds:byte_70EFC6,	1
		jz	short loc_631BAC
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_631C3D
; 

loc_631BAC:				; CODE XREF: MiQueueExtentPfnDeletion(x)+67j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_631BCB
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_631C3D
		call	KxWaitForLockChainValid

loc_631BCB:				; CODE XREF: MiQueueExtentPfnDeletion(x)+7Ej
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	short loc_631C3D
; 

loc_631BDD:				; CODE XREF: MiQueueExtentPfnDeletion(x)+16j
		lea	edx, [ebp+var_C]
		mov	ecx, offset unk_6D5750
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		call	_MiWakeFileOnlyReaper@0	; MiWakeFileOnlyReaper()
		test	ds:byte_70EFC6,	1
		jz	short loc_631C05
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_631C34
; 

loc_631C05:				; CODE XREF: MiQueueExtentPfnDeletion(x)+C3j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_631C24
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_631C34
		call	KxWaitForLockChainValid

loc_631C24:				; CODE XREF: MiQueueExtentPfnDeletion(x)+D7j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_631C34:				; CODE XREF: MiQueueExtentPfnDeletion(x)+D0j
					; MiQueueExtentPfnDeletion(x)+EAj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_631C3D:				; CODE XREF: MiQueueExtentPfnDeletion(x)+74j
					; MiQueueExtentPfnDeletion(x)+91j ...
		pop	edi
		pop	esi
		leave
		retn
_MiQueueExtentPfnDeletion@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRefillPurgedExtents(x, x)
_MiRefillPurgedExtents@8 proc near	; CODE XREF: MiPfPutPagesInTransition+62Fp
					; MiPfPrepareReadList+151289p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax]
		mov	edi, edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ecx
		lea	esi, [ecx+24h]
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		mov	eax, [ebp+var_4]
		push	esi
		inc	dword ptr [eax+14h]
		inc	dword ptr [eax+18h]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_8]
		push	2
		push	1
		push	edi
		sub	edi, [ecx+4]
		sar	edi, 3
		mov	edx, edi
		call	_MiAllocateFileExtents@20 ; MiAllocateFileExtents(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	esi, eax
		call	_MiDereferenceControlArea@4 ; MiDereferenceControlArea(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_MiRefillPurgedExtents@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSplitDirectMapPage(x, x, x)
_MiSplitDirectMapPage@12 proc near	; CODE XREF: .text:00478ABCp

var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		imul	eax, [ebp+arg_0], 1Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_14], ecx
		push	edi
		add	eax, ds:_MmPfnDatabase
		inc	esi
		mov	[ebp+var_8], eax
		mov	eax, [edx]
		lock xadd [eax], esi
		inc	esi
		mov	edi, [edx+4]
		dec	esi
		mov	eax, [ecx]
		and	edi, esi
		or	edi, [edx+8]
		mov	esi, offset _MiSystemPartition
		push	0
		mov	edx, edi
		mov	[ebp+var_18], eax
		mov	ecx, esi
		call	MiGetPage
		mov	ebx, eax
		mov	[ebp+var_10], ebx
		jmp	short loc_631D03
; 

loc_631CEA:				; CODE XREF: MiSplitDirectMapPage(x,x,x)+66j
		xor	edx, edx
		mov	ecx, esi
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	MiGetPage
		mov	ebx, eax
		mov	[ebp+var_10], eax

loc_631D03:				; CODE XREF: MiSplitDirectMapPage(x,x,x)+48j
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_631CEA
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		imul	edi, ebx, 1Ch
		add	edi, ds:_MmPfnDatabase
		mov	[ebp+var_C], edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, edi
		mov	[ebp+var_1], al
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		movzx	edx, byte ptr [esi+16h]
		mov	ecx, edi
		push	1
		shr	edx, 6
		call	_MiFinalizePageAttribute@12 ; MiFinalizePageAttribute(x,x,x)
		mov	eax, [ebp+var_14]
		lea	edi, [ebp+var_34]
		push	7
		pop	ecx
		rep movsd
		mov	ax, [eax+10h]
		shr	ax, 1
		and	ax, 1Fh
		movzx	eax, ax
		cdq
		shld	edx, eax, 5
		shl	eax, 5
		push	edx
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebp+var_2C], eax
		nop
		mov	esi, [ebp+var_C]
		mov	[ebp+var_28], edx
		lea	edx, [ebp+var_34]
		push	ecx
		mov	ecx, esi
		call	_MiCopyPfnEntryEx@12 ; MiCopyPfnEntryEx(x,x,x)
		or	byte ptr [esi+16h], 10h
		xor	edx, edx
		xor	eax, eax
		inc	edx
		mov	ecx, esi
		mov	[esi+14h], ax
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		push	2
		push	ecx
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		call	MiDereferenceControlAreaPfnList
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		push	6
		push	0
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)
		mov	edi, [ebp+var_8]
		xor	edx, edx
		push	80000000h
		mov	al, [edi+16h]
		and	al, 0FDh
		or	al, 5
		mov	[edi+16h], al
		mov	ecx, [edi+18h]
		and	ecx, offset loc_7FFFFF
		call	MiMapPageInHyperSpaceWorker
		mov	ecx, [edi+4]
		shr	ecx, 3
		and	ecx, 1FFh
		lea	edi, [eax+ecx*8]
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		push	eax
		push	ecx
		mov	ecx, ebx
		call	_MiUpdateTransitionPteFrame@12 ; MiUpdateTransitionPteFrame(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_18], edx
		mov	[ebp+arg_0], ebx

loc_631DEC:				; CODE XREF: MiSplitDirectMapPage(x,x,x)+165j
					; MiSplitDirectMapPage(x,x,x)+16Aj
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_14], ecx
		nop
		mov	ecx, [ebp+var_18]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+arg_0]
		cmp	eax, esi
		jnz	short loc_631DEC
		cmp	edx, [ebp+var_14]
		jnz	short loc_631DEC
		push	80000000h
		mov	dl, 21h
		mov	ecx, edi
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	eax, [ebp+var_C]
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx
		mov	eax, [ebp+var_8]
		add	eax, 10h
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_10]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiSplitDirectMapPage@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSubsectionProtosCreated(x, x, x, x)
_MiSubsectionProtosCreated@16 proc near	; CODE XREF: MmPurgeSection+136326p
					; MiPurgeFileOnlyPfn(x)+C5p ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	edi, [esi]
		call	KeAbPostRelease
		lea	eax, [edi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		test	byte ptr [edi+1Ch], 20h
		mov	[ebp+var_1], al
		jz	short loc_631E73
		mov	ecx, [edi+2Ch]
		and	dword ptr [edi+2Ch], 0
		jmp	short loc_631EA6
; 

loc_631E73:				; CODE XREF: MiSubsectionProtosCreated(x,x,x,x)+24j
		cmp	[ebp+arg_4], 0
		mov	edx, [esi+24h]
		jz	short loc_631E84
		or	edx, 40000000h
		jmp	short loc_631E9C
; 

loc_631E84:				; CODE XREF: MiSubsectionProtosCreated(x,x,x,x)+36j
		mov	eax, [esi+1Ch]
		mov	ecx, edx
		and	ecx, 3FFFFFFFh
		sub	eax, ecx
		cmp	[ebp+arg_0], eax
		jnz	short loc_631E9F
		and	edx, 0BFFFFFFFh

loc_631E9C:				; CODE XREF: MiSubsectionProtosCreated(x,x,x,x)+3Ej
		mov	[esi+24h], edx

loc_631E9F:				; CODE XREF: MiSubsectionProtosCreated(x,x,x,x)+50j
		mov	ecx, [esi+0Ch]
		and	dword ptr [esi+0Ch], 0

loc_631EA6:				; CODE XREF: MiSubsectionProtosCreated(x,x,x,x)+2Dj
		test	ecx, ecx
		jz	short loc_631EDE

loc_631EAA:				; CODE XREF: MiSubsectionProtosCreated(x,x,x,x)+98j
		mov	esi, [ecx]
		cmp	ecx, ebx
		jz	short loc_631ED8
		test	byte ptr [ecx+4], 40h
		mov	dword ptr [ecx+8], 1
		jnz	short loc_631ED8
		test	dword ptr [ebx+4], 100h
		jz	short loc_631ECD
		mov	dword ptr [ecx+8], 2

loc_631ECD:				; CODE XREF: MiSubsectionProtosCreated(x,x,x,x)+80j
		xor	edx, edx
		add	ecx, 0Ch
		inc	edx
		call	KeSignalGate

loc_631ED8:				; CODE XREF: MiSubsectionProtosCreated(x,x,x,x)+6Aj
					; MiSubsectionProtosCreated(x,x,x,x)+77j
		mov	ecx, esi
		test	esi, esi
		jnz	short loc_631EAA

loc_631EDE:				; CODE XREF: MiSubsectionProtosCreated(x,x,x,x)+64j
		lea	eax, [edi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiSubsectionProtosCreated@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnlinkSubsectionWaitBlock(x, x, x)
_MiUnlinkSubsectionWaitBlock@12	proc near ; CODE XREF: MiChangingSubsectionProtos(x,x,x)+51p
					; MiAllocateFileExtents(x,x,x,x,x)+227p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_0], 1
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		mov	esi, [edi]
		jnz	short loc_631F13
		mov	bl, 21h
		jmp	short loc_631F21
; 

loc_631F13:				; CODE XREF: MiUnlinkSubsectionWaitBlock(x,x,x)+16j
		lea	eax, [esi+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		mov	eax, [ebp+var_4]

loc_631F21:				; CODE XREF: MiUnlinkSubsectionWaitBlock(x,x,x)+1Aj
		xor	ecx, ecx
		cmp	[eax+8], ecx
		jnz	short loc_631F61
		mov	edx, [esi+1Ch]
		and	edx, 20h
		jz	short loc_631F35
		mov	eax, [esi+2Ch]
		jmp	short loc_631F38
; 

loc_631F35:				; CODE XREF: MiUnlinkSubsectionWaitBlock(x,x,x)+37j
		mov	eax, [edi+0Ch]

loc_631F38:				; CODE XREF: MiUnlinkSubsectionWaitBlock(x,x,x)+3Cj
		test	eax, eax
		jz	short loc_631F53

loc_631F3C:				; CODE XREF: MiUnlinkSubsectionWaitBlock(x,x,x)+50j
		cmp	eax, [ebp+var_4]
		jz	short loc_631F49
		mov	ecx, eax
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_631F3C

loc_631F49:				; CODE XREF: MiUnlinkSubsectionWaitBlock(x,x,x)+48j
		test	ecx, ecx
		jz	short loc_631F53
		mov	eax, [eax]
		mov	[ecx], eax
		jmp	short loc_631F61
; 

loc_631F53:				; CODE XREF: MiUnlinkSubsectionWaitBlock(x,x,x)+43j
					; MiUnlinkSubsectionWaitBlock(x,x,x)+54j
		mov	eax, [eax]
		test	edx, edx
		jz	short loc_631F5E
		mov	[esi+2Ch], eax
		jmp	short loc_631F61
; 

loc_631F5E:				; CODE XREF: MiUnlinkSubsectionWaitBlock(x,x,x)+60j
		mov	[edi+0Ch], eax

loc_631F61:				; CODE XREF: MiUnlinkSubsectionWaitBlock(x,x,x)+2Fj
					; MiUnlinkSubsectionWaitBlock(x,x,x)+5Aj ...
		cmp	bl, 21h
		jz	short loc_631F77
		lea	eax, [esi+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_631F77:				; CODE XREF: MiUnlinkSubsectionWaitBlock(x,x,x)+6Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiUnlinkSubsectionWaitBlock@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWaitForExtentDeletions(x)
_MiWaitForExtentDeletions@4 proc near	; CODE XREF: MiDeleteExtentPfns(x)+7Ap

var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	esi, ecx
		push	ebx
		xor	edx, edx
		mov	[ebp+var_D], bl
		mov	ecx, offset dword_6CF4A8
		call	KeAbPreAcquire
		mov	edi, eax
		test	edi, edi
		jz	short loc_631FAA
		mov	ecx, edi
		call	_KeAbPreWait@4	; KeAbPreWait(x)

loc_631FAA:				; CODE XREF: MiWaitForExtentDeletions(x)+23j
		xor	eax, eax
		mov	[ebp+var_10], 7
		inc	eax
		mov	[ebp+var_E], 4
		test	ds:byte_70EFC6,	1
		mov	[ebp-0Fh], al
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	eax, ds:dword_6CF4A8
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_C], ebx
		mov	ds:dword_6CF4A8, eax
		jz	short loc_631FE9
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_632010
; 

loc_631FE9:				; CODE XREF: MiWaitForExtentDeletions(x)+5Dj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_632005
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_632010
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_632005:				; CODE XREF: MiWaitForExtentDeletions(x)+6Fj
		xor	ecx, ecx
		mov	[esi], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_632010:				; CODE XREF: MiWaitForExtentDeletions(x)+69j
					; MiWaitForExtentDeletions(x)+7Ej
		mov	cl, [esi+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ecx
		push	12h
		pop	edx
		lea	ecx, [ebp+var_10]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		test	edi, edi
		jz	short loc_632041
		mov	esi, offset dword_6CF4A8
		mov	edx, edi
		push	ebx
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edx, edi
		mov	ecx, esi
		call	KeAbPostReleaseEx

loc_632041:				; CODE XREF: MiWaitForExtentDeletions(x)+A9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiWaitForExtentDeletions@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWakeExtentDeletionWaiters(x)
_MiWakeExtentDeletionWaiters@4 proc near ; CODE	XREF: MiDeleteExtentPfns(x)+E8p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		test	ds:byte_70EFC6,	1
		push	edi
		mov	edi, ds:dword_6CF4A8
		mov	ds:byte_6CF4BD,	bl
		mov	ds:dword_6CF4A8, ebx
		jz	short loc_63209C
		mov	edx, [ebp+4]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_632075:				; CODE XREF: MiWakeExtentDeletionWaiters(x)+69j
		xor	ebx, ebx
		inc	ebx

loc_632078:				; CODE XREF: MiWakeExtentDeletionWaiters(x)+7Dj
		mov	cl, [esi+8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_632097

loc_632085:				; CODE XREF: MiWakeExtentDeletionWaiters(x)+4Fj
		mov	esi, [edi]
		lea	ecx, [edi+4]
		mov	edx, ebx
		call	KeSignalGate
		mov	edi, esi
		test	esi, esi
		jnz	short loc_632085

loc_632097:				; CODE XREF: MiWakeExtentDeletionWaiters(x)+3Dj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
; 

loc_63209C:				; CODE XREF: MiWakeExtentDeletionWaiters(x)+25j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_6320B8
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_632075
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_6320B8:				; CODE XREF: MiWakeExtentDeletionWaiters(x)+5Aj
		mov	[esi], ebx
		add	eax, 4
		xor	ebx, ebx
		inc	ebx
		lock xor [eax],	ebx
		jmp	short loc_632078
_MiWakeExtentDeletionWaiters@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiWakeFileOnlyReaper()
_MiWakeFileOnlyReaper@0	proc near	; CODE XREF: MiInsertPageInList(x,x)+749p
					; MiQueueExtentPfnDeletion(x)+5Bp ...
		cmp	ds:byte_6CF4BD,	0
		jnz	short locret_6320FC
		and	ds:dword_6CF498, 0
		push	1
		push	offset dword_6CF498
		mov	ds:dword_6CF4A0, offset	_MiDeleteExtentPfns@4 ;	MiDeleteExtentPfns(x)
		mov	ds:dword_6CF4A4, 1
		call	ExQueueWorkItem
		mov	ds:byte_6CF4BD,	1

locret_6320FC:				; CODE XREF: MiWakeFileOnlyReaper()+7j
		retn
_MiWakeFileOnlyReaper@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAttemptPageFileReduction(x)
_MiAttemptPageFileReduction@4 proc near	; CODE XREF: MiProcessDereferenceList+8FAB0p

var_A8		= dword	ptr -0A8h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_A8]
		push	30h		; size_t
		mov	ebx, ecx
		mov	[ebp+var_70], edi
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_74], ebx
		mov	[ebp+var_6C], edi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_68]
		push	5Ch		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_68]
		push	edi
		push	edi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		test	byte ptr [ebx+2Fh], 10h
		mov	esi, [ebx+0Ch]
		mov	[ebp+var_78], esi
		mov	[ebp+var_58], esi
		jz	short loc_6321A0
		add	esi, 340h
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		mov	eax, [ebp+var_74]
		push	esi
		mov	[eax+10h], edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_78]
		mov	edx, [esi+1114h]
		mov	ecx, [esi+10BCh]
		call	_MiOkToShrinkPageFiles@8 ; MiOkToShrinkPageFiles(x,x)
		test	eax, eax
		jz	short loc_6321FC
		mov	[ebp+var_54], 10h
		jmp	short loc_6321AD
; 

loc_6321A0:				; CODE XREF: MiAttemptPageFileReduction(x)+5Ej
		movzx	eax, byte ptr [ebx+2Ch]
		mov	[ebp+var_54], eax
		mov	eax, [ebx+14h]
		mov	[ebp+var_50], eax

loc_6321AD:				; CODE XREF: MiAttemptPageFileReduction(x)+A1j
		lea	eax, [ebp+var_68]
		mov	ecx, esi
		push	eax
		push	eax
		push	offset _MiAttemptPageFileReductionApc@12 ; MiAttemptPageFileReductionApc(x,x,x)
		lea	edx, [ebp+var_A8]
		call	_MiQueueSyncModifiedWriterApc@20 ; MiQueueSyncModifiedWriterApc(x,x,x,x,x)
		add	esi, 0F54h

loc_6321CA:				; CODE XREF: MiAttemptPageFileReduction(x)+FDj
		mov	edx, [ebp+edi*4+var_4C]
		test	edx, edx
		jz	short loc_6321F3
		mov	ecx, [esi]
		xor	eax, eax
		shld	eax, edx, 0Ch
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_70]
		push	eax
		push	8
		shl	edx, 0Ch
		push	13h
		mov	[ebp+var_70], edx
		push	dword ptr [ecx+1Ch]
		call	_IoSetInformation@16 ; IoSetInformation(x,x,x,x)

loc_6321F3:				; CODE XREF: MiAttemptPageFileReduction(x)+D3j
		inc	edi
		add	esi, 4
		cmp	edi, 10h
		jb	short loc_6321CA

loc_6321FC:				; CODE XREF: MiAttemptPageFileReduction(x)+98j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiAttemptPageFileReduction@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAttemptPageFileReductionApc(x, x,	x)
_MiAttemptPageFileReductionApc@12 proc near ; DATA XREF: MiAttemptPageFileReduction(x)+B7o

var_52		= byte ptr -52h
var_4E		= byte ptr -4Eh
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+14h]
		mov	edi, [eax+10h]
		mov	[esp+60h+var_10], edx
		mov	[esp+60h+var_C], edx
		mov	[esp+60h+var_8], edx
		mov	[esp+60h+var_4], edx
		mov	[esp+60h+var_34], ebx
		cmp	ebx, 10h
		jnb	short loc_63224E
		mov	ecx, [eax+18h]
		mov	esi, 7FFFFFFFh
		mov	[esp+60h+var_24], edx
		lea	eax, [ebx+1]
		jmp	short loc_632298
; 

loc_63224E:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+30j
		mov	esi, [edi+1114h]
		mov	edx, esi
		mov	ecx, [edi+10BCh]
		call	_MiOkToShrinkPageFiles@8 ; MiOkToShrinkPageFiles(x,x)
		test	eax, eax
		jz	loc_6325B0
		mov	eax, esi
		xor	edx, edx
		push	0Ah
		pop	esi
		div	esi
		mov	ebx, 8000h
		xor	edx, edx
		mov	esi, eax
		mov	[esp+60h+var_24], ebx
		mov	eax, [edi+0F4Ch]
		inc	edx
		shl	esi, 3
		sub	esi, ecx
		mov	ecx, 4000h
		sub	esi, ebx
		xor	ebx, ebx
		mov	[esp+60h+var_34], ebx

loc_632298:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+41j
		mov	[esp+60h+var_20], eax
		mov	[esp+60h+var_40], edx
		mov	[esp+60h+var_4C], ecx
		mov	[esp+60h+var_44], esi
		cmp	ebx, eax
		jnb	loc_6325B0
		lea	eax, ds:0F54h[ebx*4]
		mov	[esp+60h+var_30], eax

loc_6322BB:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+33Dj
		cmp	ecx, esi
		ja	loc_6325B0
		mov	ebx, [eax+edi]
		movzx	eax, word ptr [ebx+74h]
		test	al, 10h
		jz	short loc_6322D6
		test	edx, edx
		jnz	loc_63252A

loc_6322D6:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+C1j
		test	al, 40h
		jnz	loc_63252A
		mov	eax, [ebx]
		cmp	eax, [ebx+8]
		jz	loc_63252A
		cmp	[ebx+0Ch], ecx
		jb	loc_63252A
		mov	eax, [ebx+90h]
		mov	[esp+60h+var_48], eax
		lea	eax, [ebx+88h]
		push	eax
		mov	[esp+64h+var_2C], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebx+38h]
		mov	[esp+60h+var_4D], al
		lea	eax, [ecx+4]
		mov	[esp+60h+var_14], eax
		lea	eax, [ecx+0Ch]
		mov	[esp+60h+var_28], eax
		mov	eax, [ebx]
		mov	[esp+60h+var_38], eax
		lea	edx, [eax-1]
		mov	eax, [ecx+8]
		mov	edi, edx
		mov	[esp+60h+var_1C], eax
		shr	edi, 3
		and	dl, 7
		mov	cl, dl
		mov	al, [edi+eax]
		sar	al, cl
		test	al, 1
		jnz	loc_6323F2
		mov	eax, [esp+60h+var_28]
		mov	eax, [eax+4]
		mov	[esp+60h+var_18], eax
		mov	al, [edi+eax]
		sar	al, cl
		test	al, 1
		jnz	loc_6323F2
		mov	edi, [esp+60h+var_38]
		mov	ecx, esi
		mov	eax, edi
		mov	[esp+60h+var_3C], ecx
		sub	eax, [ebx+8]
		cmp	esi, eax
		jbe	short loc_632379
		mov	ecx, eax
		mov	[esp+60h+var_3C], eax

loc_632379:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+166j
		mov	eax, [esp+60h+var_1C]
		mov	edx, edi
		sub	edx, ecx
		lea	ecx, [esp+60h+var_1C]
		and	edx, 0FFFFFFE0h
		sub	edi, edx
		shr	edx, 5
		push	ecx
		mov	[esp+64h+var_10], edi
		mov	[esp+64h+var_8], edi
		lea	eax, [eax+edx*4]
		mov	[esp+64h+var_C], eax
		mov	eax, [esp+64h+var_18]
		lea	eax, [eax+edx*4]
		mov	[esp+64h+var_4], eax
		lea	eax, [edi-1]
		push	eax
		mov	[esp+68h+var_18], eax
		lea	eax, [esp+68h+var_10]
		push	eax
		call	RtlFindLastBackwardRunClear
		mov	edi, eax
		mov	eax, [esp+60h+var_3C]
		cmp	edi, eax
		jbe	short loc_6323C6
		mov	edi, eax

loc_6323C6:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+1B7j
		lea	eax, [esp+60h+var_3C]
		push	eax
		push	[esp+64h+var_18]
		lea	eax, [esp+68h+var_8]
		push	eax
		call	RtlFindLastBackwardRunClear
		cmp	edi, eax
		jbe	short loc_6323DF
		mov	edi, eax

loc_6323DF:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+1D0j
		cmp	[esp+60h+var_40], 0
		mov	edx, [esp+60h+var_4C]
		jnz	short loc_6323F8
		mov	eax, edx
		neg	eax
		and	edi, eax
		jmp	short loc_6323F8
; 

loc_6323F2:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+137j
					; MiAttemptPageFileReductionApc(x,x,x)+14Fj
		mov	edx, [esp+60h+var_4C]
		xor	edi, edi

loc_6323F8:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+1DDj
					; MiAttemptPageFileReductionApc(x,x,x)+1E5j
		test	edi, edi
		jnz	short loc_632419
		mov	eax, [esp+60h+var_2C]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+60h+var_4D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, [esp+60h+var_48]
		jmp	loc_632526
; 

loc_632419:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+1EFj
		mov	esi, [esp+60h+var_38]
		mov	eax, [ebx+8Ch]
		sub	esi, edi
		mov	[esp+60h+var_3C], esi
		test	eax, eax
		jz	short loc_63248E

loc_63242D:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+229j
		mov	ecx, eax
		mov	eax, [eax+4]
		test	eax, eax
		jnz	short loc_63242D
		test	ecx, ecx
		jz	short loc_63248E
		mov	eax, [ecx-4]
		test	eax, eax
		jz	short loc_63248E
		cmp	esi, eax
		ja	short loc_63248E
		lea	esi, [eax+1]
		mov	[esp+60h+var_3C], esi
		cmp	esi, eax
		jb	short loc_632471
		mov	ecx, [esp+60h+var_38]
		mov	edi, ecx
		sub	edi, esi
		cmp	[esp+60h+var_40], 0
		jnz	short loc_63246D
		mov	eax, edx
		mov	esi, ecx
		neg	eax
		and	edi, eax
		sub	esi, edi
		mov	[esp+60h+var_3C], esi

loc_63246D:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+252j
		test	edi, edi
		jnz	short loc_63248E

loc_632471:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+243j
		mov	eax, [esp+60h+var_2C]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+60h+var_4D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, [esp+60h+var_48]
		jmp	loc_632522
; 

loc_63248E:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+220j
					; MiAttemptPageFileReductionApc(x,x,x)+22Dj ...
		sub	[ebx+0Ch], edi
		sub	[ebx+18h], edi
		push	edi
		push	esi
		push	[esp+68h+var_14]
		mov	[ebx], esi
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		push	edi
		push	esi
		push	[esp+68h+var_28]
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		push	ecx
		push	0
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	MiInvalidatePageFileBitmapsCache
		lea	eax, [ebx+88h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+60h+var_4D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		sub	[esp+60h+var_44], edi
		test	byte ptr [ebx+74h], 10h
		jnz	short loc_632510
		mov	eax, [esp+60h+var_24]
		mov	ecx, [esp+60h+var_48]
		add	eax, edi
		push	2
		mov	edx, eax
		mov	[esp+64h+var_14], eax
		call	MiChargeCommit
		test	eax, eax
		jz	short loc_63254D
		mov	edx, edi
		mov	edi, [esp+60h+var_48]
		push	0
		mov	ecx, edi
		call	_MiReduceCommitLimits@12 ; MiReduceCommitLimits(x,x,x)
		mov	edx, [esp+60h+var_14]
		mov	ecx, edi
		call	MiReturnCommit
		jmp	short loc_632514
; 

loc_632510:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+2CCj
		mov	edi, [esp+60h+var_48]

loc_632514:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+303j
		mov	eax, [ebp+arg_0]
		mov	ecx, [esp+60h+var_30]
		mov	[eax+ecx-0F38h], esi

loc_632522:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+27Ej
		mov	esi, [esp+60h+var_44]

loc_632526:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+209j
		mov	ecx, [esp+60h+var_4C]

loc_63252A:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+C5j
					; MiAttemptPageFileReductionApc(x,x,x)+CDj ...
		mov	ebx, [esp+60h+var_34]
		mov	eax, [esp+60h+var_30]
		inc	ebx
		add	eax, 4
		mov	[esp+60h+var_34], ebx
		mov	[esp+60h+var_30], eax
		cmp	ebx, [esp+60h+var_20]
		jnb	short loc_6325B0
		mov	edx, [esp+60h+var_40]
		jmp	loc_6322BB
; 

loc_63254D:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+2E7j
		lea	eax, [ebx+88h]
		push	eax
		call	ExAcquireSpinLockExclusive
		add	[ebx+0Ch], edi
		lea	ecx, [edi+esi]
		mov	esi, [ebx+38h]
		add	[ebx+18h], edi
		push	edi
		push	[esp+64h+var_3C]
		mov	[esp+68h+var_4D], al
		lea	eax, [esi+4]
		push	eax
		mov	[ebx], ecx
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		push	edi
		mov	edi, [esp+64h+var_3C]
		lea	eax, [esi+0Ch]
		push	edi
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		cmp	edi, [ebx+3Ch]
		jnb	short loc_632590
		mov	[ebx+3Ch], edi

loc_632590:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+380j
		push	edi
		xor	edx, edx
		mov	ecx, ebx
		call	MiCoalescePageFileBitmapsCache
		lea	eax, [ebx+88h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+13h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_6325B0:				; CODE XREF: MiAttemptPageFileReductionApc(x,x,x)+58j
					; MiAttemptPageFileReductionApc(x,x,x)+9Fj ...
		push	0
		push	0
		push	[ebp+arg_0]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MiAttemptPageFileReductionApc@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckAndUpdatePagingFileMinimum(x, x)
_MiCheckAndUpdatePagingFileMinimum@8 proc near ; CODE XREF: MiCreatePagingFile+96341p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ebx, edx
		inc	esi
		lea	eax, [edi+88h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al
		cmp	ebx, [edi]
		ja	short loc_6325ED
		mov	[edi+8], ebx
		jmp	short loc_6325EF
; 

loc_6325ED:				; CODE XREF: MiCheckAndUpdatePagingFileMinimum(x,x)+21j
		xor	esi, esi

loc_6325EF:				; CODE XREF: MiCheckAndUpdatePagingFileMinimum(x,x)+26j
		lea	ecx, [edi+88h]
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_MiCheckAndUpdatePagingFileMinimum@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiExtendPagingFileMaximum(x, x, x)
_MiExtendPagingFileMaximum@12 proc near	; CODE XREF: MiCreatePagingFile+962FBp

var_46		= byte ptr -46h
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+58h+var_44], ebx
		lea	eax, [ebx+4]
		mov	[esp+58h+var_30], edi
		push	eax
		mov	[esp+5Ch+var_38], eax
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		lea	eax, [ebx+0Ch]
		push	eax
		mov	[esp+5Ch+var_24], eax
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		lea	eax, [edi+88h]
		push	eax
		mov	[esp+5Ch+var_20], eax
		call	ExAcquireSpinLockExclusive
		mov	esi, [edi+38h]
		mov	edx, offset loc_7FFFF8
		mov	ecx, [ebp+arg_0]
		mov	[esp+58h+var_46], al
		mov	[esp+58h+var_34], esi
		mov	eax, [esi+4]
		mov	[esp+58h+var_28], eax
		test	ecx, ecx
		jz	short loc_6326D2
		mov	ebx, [edi+80h]
		mov	esi, 40000000h
		shl	eax, 2
		shr	ecx, 9
		mov	edi, eax
		shr	ebx, 9
		and	ecx, edx
		sub	ecx, esi
		and	ebx, edx
		sub	ebx, esi
		mov	[esp+58h+var_2C], ecx
		and	edi, 0FFFh
		mov	[esp+58h+var_3C], ebx
		neg	edi
		sbb	edi, edi
		shr	eax, 0Ch
		neg	edi
		add	edi, eax
		mov	esi, edi
		mov	[esp+58h+var_40], edi
		shl	esi, 3
		push	esi		; size_t
		push	ebx		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	esi, [esp+64h+var_34]
		add	esp, 0Ch
		mov	edi, [esp+58h+var_30]
		mov	eax, [esp+58h+var_28]
		jmp	short loc_6326E1
; 

loc_6326D2:				; CODE XREF: MiExtendPagingFileMaximum(x,x,x)+60j
		and	[esp+58h+var_3C], 0
		xor	ecx, ecx
		and	[esp+58h+var_40], ecx
		mov	[esp+58h+var_2C], ecx

loc_6326E1:				; CODE XREF: MiExtendPagingFileMaximum(x,x,x)+C5j
		push	0
		test	al, 1Fh
		pop	ebx
		setnz	bl
		shr	eax, 5
		add	ebx, eax
		mov	eax, [esp+58h+var_44]
		shl	ebx, 2
		push	ebx		; size_t
		push	dword ptr [esi+8] ; void *
		push	dword ptr [eax+8] ; void *
		call	_memcpy
		mov	eax, [esp+64h+var_44]
		add	esp, 0Ch
		push	ebx		; size_t
		push	dword ptr [esi+10h] ; void *
		push	dword ptr [eax+10h] ; void *
		call	_memcpy
		mov	eax, [esi+4]
		add	esp, 0Ch
		shl	ebx, 3
		sub	ebx, eax
		jz	short loc_632739
		push	ebx
		push	eax
		push	[esp+60h+var_38]
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		push	ebx
		push	dword ptr [esi+0Ch]
		push	[esp+60h+var_24]
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)

loc_632739:				; CODE XREF: MiExtendPagingFileMaximum(x,x,x)+114j
		mov	eax, [esp+58h+var_38]
		lea	edx, [esp+58h+var_14]
		push	5
		pop	ecx
		push	1
		mov	eax, [eax]
		mov	[edi+4], eax
		lea	edi, [esp+5Ch+var_14]
		mov	eax, [esp+5Ch+var_34]
		rep movsd
		mov	esi, [esp+5Ch+var_30]
		mov	ecx, esi
		mov	[esp+5Ch+var_14], eax
		call	_MiDerefPageFileSpaceBitmaps@12	; MiDerefPageFileSpaceBitmaps(x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	ebx, eax
		mov	eax, [esp+58h+var_44]
		mov	[esi+38h], eax
		lea	eax, [esi+88h]
		push	eax
		mov	[esi+80h], ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+58h+var_46]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_632799
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_632799:				; CODE XREF: MiExtendPagingFileMaximum(x,x,x)+185j
		mov	eax, [esp+58h+var_3C]
		test	eax, eax
		jz	loc_6328D0
		mov	esi, [esp+58h+var_40]
		test	esi, esi
		jz	loc_6328C3
		mov	ebx, [esp+58h+var_2C]
		mov	edx, esi
		mov	esi, [esp+58h+var_20]
		mov	[esp+58h+var_30], edx

loc_6327BF:				; CODE XREF: MiExtendPagingFileMaximum(x,x,x)+2AAj
		mov	ecx, [ebx]
		mov	[esp+58h+var_20], edi
		nop
		mov	eax, [ebx+4]
		mov	[esp+58h+var_20], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, edi
		jz	loc_6328AB
		nop
		mov	eax, [esp+58h+var_20]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[esp+58h+var_2C], ecx
		mov	eax, [ecx+4]
		or	eax, 80000000h
		cmp	eax, ebx
		jz	loc_6328AB
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		push	esi
		mov	[esp+5Ch+var_45], al
		call	ExAcquireSpinLockExclusive
		mov	edx, [ebx]
		mov	[esp+58h+var_46], al
		mov	[esp+58h+var_20], edi
		nop
		mov	eax, [ebx+4]
		mov	ecx, edx
		and	ecx, 1
		or	ecx, edi
		jz	short loc_63287E
		nop
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		imul	eax, edx, 1Ch
		mov	edx, [esp+58h+var_2C]
		add	eax, ds:_MmPfnDatabase
		cmp	edx, eax
		jnz	short loc_63287E
		mov	eax, [edx+4]
		or	eax, 80000000h
		cmp	eax, ebx
		jz	short loc_63287E
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	ecx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		shrd	ecx, eax, 0Ch
		mov	[edx+4], ebx
		xor	ecx, [edx+18h]
		and	ecx, offset loc_7FFFFF
		xor	[edx+18h], ecx

loc_63287E:				; CODE XREF: MiExtendPagingFileMaximum(x,x,x)+21Fj
					; MiExtendPagingFileMaximum(x,x,x)+23Bj ...
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+58h+var_46]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+58h+var_2C]
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx
		mov	cl, [esp+58h+var_45]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esp+58h+var_30]

loc_6328AB:				; CODE XREF: MiExtendPagingFileMaximum(x,x,x)+1C9j
					; MiExtendPagingFileMaximum(x,x,x)+1F5j
		add	ebx, 8
		sub	edx, 1
		mov	[esp+58h+var_30], edx
		jnz	loc_6327BF
		mov	esi, [esp+58h+var_40]
		mov	eax, [esp+58h+var_3C]

loc_6328C3:				; CODE XREF: MiExtendPagingFileMaximum(x,x,x)+1A0j
		push	esi
		mov	edx, eax
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_6328D0:				; CODE XREF: MiExtendPagingFileMaximum(x,x,x)+194j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiExtendPagingFileMaximum@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFinishPageFileExtension(x, x, x)
_MiFinishPageFileExtension@12 proc near	; CODE XREF: MiAttemptPageFileExtension(x,x,x)+145p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_10], ecx
		push	esi
		push	edi
		mov	[ebp+var_8], ebx
		lea	eax, [ebx+88h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	esi, [ebx+38h]
		mov	ebx, [ebx]
		mov	edi, [ebp+arg_0]
		push	edi
		push	ebx
		lea	ecx, [esi+4]
		mov	[ebp+var_1], al
		push	ecx
		mov	[ebp+var_C], ebx
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		push	edi
		push	ebx
		lea	eax, [esi+0Ch]
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	esi, [ebp+var_8]
		xor	edx, edx
		push	[ebp+var_C]
		mov	ecx, esi
		add	[esi], edi
		add	[esi+0Ch], edi
		add	[esi+18h], edi
		inc	dword ptr [esi+44h]
		mov	bl, [esi+76h]
		call	MiCoalescePageFileBitmapsCache
		mov	ecx, [esi+90h]
		xor	edi, edi
		push	edi
		xor	edx, edx
		call	MiUpdateReserveClusterInfo
		lea	eax, [esi+88h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, 1
		jz	short loc_632973
		mov	eax, [ebp+var_10]
		push	edi
		push	edi
		add	eax, 210h
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_632973:				; CODE XREF: MiFinishPageFileExtension(x,x,x)+88j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiFinishPageFileExtension@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeModifiedReservations(x, x)
_MiFreeModifiedReservations@8 proc near	; CODE XREF: MiCheckFreeModifiedReservations+D216Cp
					; MiPageFileNoFreeSpace(x,x)+1Bp

var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+38h+var_10], edx
		lea	edi, [esp+38h+var_C]
		stosd
		stosd
		stosd
		movzx	eax, word ptr [ecx+74h]
		test	al, 40h
		jnz	loc_632B78
		mov	ecx, [ecx+90h]
		mov	esi, edx
		neg	esi
		mov	[esp+38h+var_24], ecx
		sbb	esi, esi
		and	[esp+38h+var_20], 0
		and	eax, 0Fh
		and	esi, 0FFFF0000h
		imul	eax, 14h
		add	esi, 10000h
		mov	[esp+38h+var_1C], eax
		mov	edi, [eax+ecx+748h]
		cmp	edi, offset loc_7FFFFF
		jz	loc_632B78
		add	ecx, 10D0h
		mov	[esp+38h+var_18], ecx

loc_6329E9:				; CODE XREF: MiFreeModifiedReservations(x,x)+1F8j
		imul	ebx, edi, 1Ch
		add	ebx, ds:_MmPfnDatabase
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		and	[esp+38h+var_C], 0
		test	ds:byte_70EFC6,	21h
		mov	[esp+38h+var_25], al
		mov	eax, [esp+38h+var_18]
		mov	[esp+38h+var_8], eax
		jz	short loc_632A20
		mov	edx, eax
		lea	ecx, [esp+38h+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_632A33
; 

loc_632A20:				; CODE XREF: MiFreeModifiedReservations(x,x)+97j
		lea	edx, [esp+38h+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_632A33
		lea	ecx, [esp+38h+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_632A33:				; CODE XREF: MiFreeModifiedReservations(x,x)+A4j
					; MiFreeModifiedReservations(x,x)+AEj
		mov	eax, [esp+38h+var_24]
		mov	ecx, [esp+38h+var_1C]
		cmp	edi, [ecx+eax+748h]
		jz	short loc_632AA9
		test	ds:byte_70EFC6,	1
		jz	short loc_632A5B
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_632A8F
; 

loc_632A5B:				; CODE XREF: MiFreeModifiedReservations(x,x)+D1j
		mov	eax, [esp+38h+var_C]
		test	eax, eax
		jnz	short loc_632A7E
		mov	edx, [esp+38h+var_8]
		lea	eax, [esp+38h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_C]
		cmp	eax, ecx
		jz	short loc_632A8F
		call	KxWaitForLockChainValid

loc_632A7E:				; CODE XREF: MiFreeModifiedReservations(x,x)+E7j
		xor	ecx, ecx
		mov	[esp+38h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_632A8F:				; CODE XREF: MiFreeModifiedReservations(x,x)+DFj
					; MiFreeModifiedReservations(x,x)+FDj
		lea	eax, [ebx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [esp+38h+var_25]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_632B5D
; 

loc_632AA9:				; CODE XREF: MiFreeModifiedReservations(x,x)+C8j
		xor	eax, eax
		mov	ecx, ebx
		lea	edx, [eax+1]
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		mov	edi, [ebx+8]
		mov	edx, 88h
		mov	ecx, [ebx+0Ch]
		mov	eax, edi
		mov	[esp+38h+var_14], ecx
		and	eax, 0FFFFFFFDh
		mov	[ebx+0Ch], ecx
		mov	ecx, ebx
		mov	[ebx+8], eax
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_632AED
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_632B21
; 

loc_632AED:				; CODE XREF: MiFreeModifiedReservations(x,x)+163j
		mov	eax, [esp+38h+var_C]
		test	eax, eax
		jnz	short loc_632B10
		mov	edx, [esp+38h+var_8]
		lea	eax, [esp+38h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_C]
		cmp	eax, ecx
		jz	short loc_632B21
		call	KxWaitForLockChainValid

loc_632B10:				; CODE XREF: MiFreeModifiedReservations(x,x)+179j
		xor	ecx, ecx
		mov	[esp+38h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_632B21:				; CODE XREF: MiFreeModifiedReservations(x,x)+171j
					; MiFreeModifiedReservations(x,x)+18Fj
		lea	eax, [ebx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		push	[esp+38h+var_14]
		mov	ecx, [esp+3Ch+var_24]
		xor	eax, eax
		push	edi
		lea	edx, [eax+1]
		call	MiReleasePageFileInfo
		mov	cl, [esp+38h+var_25]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+38h+var_20]
		inc	eax
		cmp	[esp+38h+var_10], 0
		mov	[esp+38h+var_20], eax
		jnz	short loc_632B5D
		cmp	eax, esi
		jnb	short loc_632B78

loc_632B5D:				; CODE XREF: MiFreeModifiedReservations(x,x)+12Aj
					; MiFreeModifiedReservations(x,x)+1DDj
		mov	eax, [esp+38h+var_24]
		mov	ecx, [esp+38h+var_1C]
		mov	edi, [ecx+eax+748h]
		cmp	edi, offset loc_7FFFFF
		jnz	loc_6329E9

loc_632B78:				; CODE XREF: MiFreeModifiedReservations(x,x)+21j
					; MiFreeModifiedReservations(x,x)+5Fj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiFreeModifiedReservations@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIrpCompletionApcRoutine(x, x, x)
_MiIrpCompletionApcRoutine@12 proc near	; DATA XREF: MiTrimUnusedPageFileRegionsWorker(x)+1D9o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	[ebp+arg_0]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	ebp
		retn	0Ch
_MiIrpCompletionApcRoutine@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIssuePageExtendRequest(x,	x, x, x)
_MiIssuePageExtendRequest@16 proc near	; CODE XREF: MmResourcesAvailable(x,x,x)+A7p
					; MiChargeCommit+14DA7Ap ...

var_44		= dword	ptr -44h
var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_15		= byte ptr -15h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		push	34h		; size_t
		lea	eax, [ebp+var_44]
		mov	[ebp+var_4], ecx
		push	0		; int
		push	eax		; void *
		mov	edi, edx
		call	_memset
		mov	ebx, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, large fs:124h
		mov	esi, ebx
		mov	ecx, [ebp+var_4]
		and	esi, 8
		mov	[ebp+arg_0], esi
		jz	short loc_632BD7
		cmp	byte ptr [ecx+419h], 0
		jz	loc_632DC8

loc_632BD7:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+34j
		mov	edx, ebx
		and	edx, 2
		mov	[ebp+var_10], edx
		jz	short loc_632C33
		mov	eax, esi
		neg	eax
		sbb	eax, eax
		xor	edx, edx
		and	eax, 29Ch
		inc	edx
		lea	esi, [eax+0E8h]
		xor	eax, eax
		add	esi, ecx
		lea	ecx, [esi+28h]
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	loc_632DC8
		mov	al, [esi+2Fh]
		add	edi, 0FFFh
		and	edi, 0FFFFF000h
		test	bl, 4
		jz	short loc_632C20
		or	al, 1
		jmp	short loc_632C22
; 

loc_632C20:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+86j
		and	al, 0FEh

loc_632C22:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+8Aj
		and	[ebp+arg_4], 0
		xor	ebx, ebx
		mov	edx, [ebp+arg_0]
		mov	[esi+2Fh], al
		jmp	loc_632D12
; 

loc_632C33:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+4Bj
		xor	edx, edx
		mov	ecx, eax
		call	_PsQueryThreadStartAddress@8 ; PsQueryThreadStartAddress(x,x)
		cmp	eax, offset MiDereferenceSegmentThread
		jz	loc_632DC8
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_632DC8
		test	esi, esi
		jz	short loc_632C65
		add	edi, 0FFFFh
		and	edi, 0FFFF0000h

loc_632C65:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+C3j
		mov	eax, [ebp+var_4]
		lea	esi, [ebp+var_44]
		xor	ecx, ecx
		mov	eax, [eax+0F4Ch]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_18], al
		mov	al, [ebp+var_15]
		and	al, 0EAh
		mov	[ebp+var_1C], 1
		mov	[ebp+var_44], ecx
		test	bl, 1
		jz	short loc_632C94
		or	al, 2
		jmp	short loc_632C96
; 

loc_632C94:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+FAj
		and	al, 0FDh

loc_632C96:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+FEj
		push	ecx
		mov	[ebp+var_15], al
		lea	eax, [ebp+var_2C]
		push	ecx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_632CB2
		mov	ebx, offset _MiOneSecond
		jmp	short loc_632D0B
; 

loc_632CB2:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+115j
		mov	eax, [ebp+var_8]
		cmp	[ebp+arg_4], eax
		jnb	short loc_632CBE
		xor	ebx, ebx
		jmp	short loc_632D0B
; 

loc_632CBE:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+124j
		mov	ebx, offset _MiOneSecond
		xor	ecx, ecx
		mov	[ebp+var_C], ebx
		test	eax, eax
		jz	short loc_632D03
		mov	edx, [ebp+var_4]
		add	edx, 0F54h
		mov	[ebp+arg_4], edx
		mov	edx, [ebp+arg_0]
		mov	esi, [ebp+arg_4]

loc_632CDE:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+167j
		mov	ebx, [esi]
		mov	[ebp+arg_4], ebx
		test	byte ptr [ebx+74h], 50h
		jnz	short loc_632CF5
		mov	eax, ebx
		mov	eax, [eax]
		cmp	eax, [ebx+4]
		mov	eax, [ebp+var_8]
		jb	short loc_632CFD

loc_632CF5:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+153j
		inc	ecx
		add	esi, 4
		cmp	ecx, eax
		jb	short loc_632CDE

loc_632CFD:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+15Fj
		mov	ebx, [ebp+var_C]
		lea	esi, [ebp+var_44]

loc_632D03:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+136j
		cmp	ecx, eax
		jz	loc_632DC8

loc_632D0B:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+11Cj
					; MiIssuePageExtendRequest(x,x,x,x)+128j
		mov	[ebp+arg_4], 1

loc_632D12:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+9Aj
		mov	cl, [esi+2Fh]
		test	edx, edx
		jz	short loc_632D1E
		or	cl, 8
		jmp	short loc_632D21
; 

loc_632D1E:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+183j
		and	cl, 0F7h

loc_632D21:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+188j
		and	dword ptr [esi+14h], 0
		cmp	ebx, offset _MiOneSecond
		mov	edx, [ebp+arg_4]
		setz	al
		mov	[esi+10h], edi
		mov	edi, [ebp+var_4]
		dec	al
		and	dword ptr [esi+30h], 0
		and	cl, 0DFh
		and	al, 20h
		mov	[esi+0Ch], edi
		or	al, cl
		mov	ecx, esi
		push	21h
		mov	[esi+2Fh], al
		call	_MiQueuePageFileExtension@12 ; MiQueuePageFileExtension(x,x,x)
		cmp	[ebp+var_10], 0
		jnz	short loc_632DC8
		push	ebx
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esi+18h]
		push	eax
		call	KeWaitForSingleObject
		cmp	eax, 102h
		jnz	short loc_632DBD
		add	edi, 340h
		push	edi
		call	ExAcquireSpinLockExclusive
		cmp	dword ptr [esi+1Ch], 0
		mov	bl, al
		jnz	short loc_632DAF
		mov	ecx, [esi+30h]
		test	ecx, ecx
		jnz	short loc_632DA7
		lea	ecx, [esi+4]
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_632DA2
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_632DA2
		mov	[eax], edx
		mov	[edx+4], eax
		jmp	short loc_632DAB
; 

loc_632DA2:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+1FEj
					; MiIssuePageExtendRequest(x,x,x,x)+205j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_632DA7:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+1F4j
		and	dword ptr [ecx+30h], 0

loc_632DAB:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+20Cj
		and	dword ptr [esi+14h], 0

loc_632DAF:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+1EDj
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_632DBD:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+1D9j
		cmp	dword ptr [esi+14h], 0
		jz	short loc_632DC8
		xor	eax, eax
		inc	eax
		jmp	short loc_632DCA
; 

loc_632DC8:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+3Dj
					; MiIssuePageExtendRequest(x,x,x,x)+6Ej ...
		xor	eax, eax

loc_632DCA:				; CODE XREF: MiIssuePageExtendRequest(x,x,x,x)+232j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiIssuePageExtendRequest@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPageFileNoFreeSpace(x, x)
_MiPageFileNoFreeSpace@8 proc near	; CODE XREF: MiGatherPagefilePages+131D51p
					; MiGatherPagefilePages+131DEAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_C], edx
		xor	edi, edi
		inc	edi
		mov	edx, edi
		mov	esi, [ebx+90h]
		call	_MiFreeModifiedReservations@8 ;	MiFreeModifiedReservations(x,x)
		and	[ebp+var_8], 0
		lea	eax, [ebx+88h]
		push	eax
		call	ExAcquireSpinLockExclusive
		cmp	dword ptr [ebx+0Ch], 0
		mov	[ebp+var_1], al
		jnz	short loc_632E13
		or	byte ptr [ebx+76h], 1
		mov	[ebp+var_8], edi
		jmp	short loc_632E1B
; 

loc_632E13:				; CODE XREF: MiPageFileNoFreeSpace(x,x)+37j
		mov	ecx, [ebp+var_C]
		call	MiMakePagefileWriterEntryAvailable

loc_632E1B:				; CODE XREF: MiPageFileNoFreeSpace(x,x)+40j
		lea	eax, [ebx+88h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_8], edi
		jnz	loc_632EEE
		mov	eax, [ebp+var_C]
		mov	dword ptr [eax], 99887711h
		mov	eax, [esi+10BCh]
		mov	ecx, [esi+1114h]
		mov	edx, [esi+0D84h]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], edx
		cmp	eax, ecx
		jbe	short loc_632E61
		mov	[ebp+var_C], ecx

loc_632E61:				; CODE XREF: MiPageFileNoFreeSpace(x,x)+8Bj
		test	byte ptr [ebx+74h], 10h
		jnz	loc_632EEE
		push	0Ah
		xor	edx, edx
		mov	eax, ecx
		pop	ebx
		div	ebx
		shl	eax, 3
		cmp	[ebp+var_C], eax
		jbe	short loc_632E8A
		cmp	ecx, [ebp+var_8]
		jnb	short loc_632E8A
		mov	ecx, esi
		call	_MiCauseOverCommitPopup@4 ; MiCauseOverCommitPopup(x)
		jmp	short loc_632ED3
; 

loc_632E8A:				; CODE XREF: MiPageFileNoFreeSpace(x,x)+A9j
					; MiPageFileNoFreeSpace(x,x)+AEj
		cmp	dword ptr [esi+1118h], 1000h
		jb	short loc_632EEE
		mov	ebx, [esi+0F4Ch]
		xor	ecx, ecx
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_632EC5
		lea	edx, [esi+0F54h]

loc_632EAA:				; CODE XREF: MiPageFileNoFreeSpace(x,x)+F2j
		mov	eax, [edx]
		test	byte ptr [eax+74h], 50h
		jnz	short loc_632EBD
		mov	eax, [eax+0Ch]
		add	eax, ecx
		cmp	eax, ecx
		jb	short loc_632EC5
		mov	ecx, eax

loc_632EBD:				; CODE XREF: MiPageFileNoFreeSpace(x,x)+DFj
		inc	edi
		add	edx, 4
		cmp	edi, ebx
		jb	short loc_632EAA

loc_632EC5:				; CODE XREF: MiPageFileNoFreeSpace(x,x)+D1j
					; MiPageFileNoFreeSpace(x,x)+E8j
		mov	edi, [esi+1118h]
		cmp	edi, ecx
		jbe	short loc_632EEE
		sub	edi, ecx
		jz	short loc_632EEE

loc_632ED3:				; CODE XREF: MiPageFileNoFreeSpace(x,x)+B7j
		mov	eax, [esi+1114h]
		cmp	eax, [esi+0D84h]
		jnb	short loc_632EEE
		push	0
		push	6
		mov	edx, edi
		mov	ecx, esi
		call	_MiIssuePageExtendRequest@16 ; MiIssuePageExtendRequest(x,x,x,x)

loc_632EEE:				; CODE XREF: MiPageFileNoFreeSpace(x,x)+62j
					; MiPageFileNoFreeSpace(x,x)+94j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiPageFileNoFreeSpace@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiQueuePageFileExtension(x,	x, x)
_MiQueuePageFileExtension@12 proc near	; CODE XREF: MiContractPagingFiles+17230Fp
					; MiIssuePageExtendRequest(x,x,x,x)+1BAp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	bl, [ebp+arg_0]
		mov	[ebp+var_8], edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+0Ch]
		lea	eax, [esi+3B8h]
		mov	[ebp+var_C], eax
		lea	ecx, [esi+340h]
		mov	[ebp+var_4], ecx
		cmp	bl, 21h
		jnz	short loc_632F2E
		push	ecx
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		lea	eax, [esi+3B8h]

loc_632F2E:				; CODE XREF: MiQueuePageFileExtension(x,x,x)+2Bj
		test	byte ptr [edi+2Fh], 8
		lea	ecx, [edi+4]
		jz	short loc_632F4D
		lea	edx, [eax+1Ch]
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	short loc_632F57
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[edx+4], ecx
		jmp	short loc_632F72
; 

loc_632F4D:				; CODE XREF: MiQueuePageFileExtension(x,x,x)+42j
		mov	edx, [eax+28h]
		add	eax, 24h
		cmp	[edx], eax
		jz	short loc_632F5C

loc_632F57:				; CODE XREF: MiQueuePageFileExtension(x,x,x)+4Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_632F5C:				; CODE XREF: MiQueuePageFileExtension(x,x,x)+62j
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		cmp	dword ptr [edi+10h], 0FFFFFFFFh
		jz	short loc_632F72
		inc	dword ptr [esi+488h]

loc_632F72:				; CODE XREF: MiQueuePageFileExtension(x,x,x)+58j
					; MiQueuePageFileExtension(x,x,x)+77j
		push	[ebp+var_4]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	[ebp+var_8]
		xor	edx, edx
		push	ecx
		mov	ecx, [ebp+var_C]
		push	1
		call	KeReleaseSemaphoreEx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiQueuePageFileExtension@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiQueueSyncModifiedWriterApc(x, x, x, x, x)
_MiQueueSyncModifiedWriterApc@20 proc near ; CODE XREF:	MiAttemptPageFileReduction(x)+C2p
					; MiTrimUnusedPageFileRegionsWorker(x)+15Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	[ebp+arg_4]
		xor	edi, edi
		mov	esi, edx
		push	edi
		push	[ebp+arg_0]
		push	edi
		push	offset _KiSchedulerApcNop@20 ; KiSchedulerApcNop(x,x,x,x,x)
		push	edi
		push	dword ptr [ecx+238h]
		push	esi
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	edi
		push	edi
		push	edi
		push	esi
		call	KeInsertQueueApc
		push	edi
		push	edi
		push	edi
		push	edi
		push	[ebp+arg_8]
		call	KeWaitForSingleObject
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_MiQueueSyncModifiedWriterApc@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTrimUnusedPageFileRegionsApc(x, x, x)
_MiTrimUnusedPageFileRegionsApc@12 proc	near
					; DATA XREF: MiTrimUnusedPageFileRegionsWorker(x)+153o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	ecx, [ebx+10h]
		mov	eax, [ebx+14h]
		mov	[esp+28h+var_10], ecx
		mov	eax, [ecx+eax*4+0F54h]
		mov	[esp+28h+var_1C], eax
		mov	eax, [ebx+1Ch]
		push	eax
		push	0
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	edi, eax
		mov	esi, edx
		mov	eax, [esp+28h+var_1C]
		and	edi, 0FFFF0FFFh
		push	0Fh
		mov	cx, [eax+74h]
		pop	eax
		and	cx, ax
		movzx	eax, cx
		mov	ecx, [esp+28h+var_10]
		cdq
		shld	edx, eax, 0Ch
		push	0ABh
		push	dword ptr [ebx+18h]
		shl	eax, 0Ch
		or	esi, edx
		or	edi, eax
		mov	[esp+30h+var_4], esi
		lea	edx, [esp+30h+var_8]
		mov	[esp+30h+var_8], edi
		call	MiFindFreePageFileSpace
		mov	[esp+28h+var_C], eax
		cmp	eax, [ebx+18h]
		jb	loc_6330EA
		mov	eax, ds:dword_6D0704
		mov	edx, ds:dword_6D0700
		mov	ecx, [esp+28h+var_4]
		mov	edi, ecx
		mov	esi, [esp+28h+var_8]
		mov	[esp+28h+var_18], eax
		mov	eax, edx
		or	eax, [esp+28h+var_18]
		jz	short loc_63308E
		mov	eax, esi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_63308E
		mov	ecx, [esp+28h+var_18]
		not	ecx
		and	ecx, edi

loc_63308E:				; CODE XREF: MiTrimUnusedPageFileRegionsApc(x,x,x)+A1j
					; MiTrimUnusedPageFileRegionsApc(x,x,x)+ABj
		mov	eax, [esp+28h+var_C]
		add	eax, ecx
		mov	[ebx+1Ch], ecx
		push	eax
		push	0
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	edi, eax
		mov	esi, edx
		mov	eax, [esp+28h+var_1C]
		and	edi, 0FFFF0FFFh
		push	0Fh
		mov	cx, [eax+74h]
		pop	eax
		and	cx, ax
		movzx	eax, cx
		mov	ecx, [esp+28h+var_10]
		cdq
		shld	edx, eax, 0Ch
		push	6Bh
		shl	eax, 0Ch
		or	esi, edx
		or	edi, eax
		mov	[esp+2Ch+var_4], esi
		mov	eax, [esp+2Ch+var_1C]
		lea	edx, [esp+2Ch+var_8]
		mov	[esp+2Ch+var_8], edi
		push	dword ptr [eax]
		call	MiFindFreePageFileSpace
		add	eax, [esp+28h+var_C]
		mov	[ebx+20h], eax

loc_6330EA:				; CODE XREF: MiTrimUnusedPageFileRegionsApc(x,x,x)+7Cj
		push	0
		push	0
		push	ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MiTrimUnusedPageFileRegionsApc@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTrimUnusedPageFileRegionsWorker(x)
_MiTrimUnusedPageFileRegionsWorker@4 proc near
					; DATA XREF: MiCheckTrimUnusedPageFileRegions+F445Co

var_E6		= byte ptr -0E6h
var_E4		= dword	ptr -0E4h
var_D2		= byte ptr -0D2h
var_D0		= dword	ptr -0D0h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 0D8h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+0D8h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		push	30h
		mov	[esp+0E4h+var_88], eax
		xor	esi, esi
		pop	eax
		push	eax		; size_t
		lea	eax, [esp+0E4h+var_50]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+0E0h+var_58], esi
		xor	eax, eax
		mov	[esp+0E0h+var_54], esi
		mov	esi, large fs:124h
		lea	edi, [esp+0E0h+var_84]
		mov	[esp+0E0h+var_90], esi
		push	9
		pop	ecx
		rep stosd
		push	6
		pop	ecx
		push	eax
		lea	edi, [esp+0E4h+var_20]
		rep stosd
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	edi, [esp+0E0h+var_88]
		mov	[esp+0E0h+var_8C], eax
		mov	[esp+0E0h+var_60], edx
		lea	ecx, [edi+23Ch]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_63363C
		dec	word ptr [esi+13Eh]
		nop
		lea	esi, [edi+2ACh]
		xor	edx, edx
		mov	ecx, esi
		mov	[esp+0E0h+var_B4], esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esp+0E0h+var_90]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [edi+0F4Ch]
		and	[esp+0E0h+var_94], 0
		mov	[esp+0E0h+var_98], eax
		test	eax, eax
		jz	loc_633424
		lea	esi, [edi+0F54h]
		mov	ecx, eax
		mov	[esp+0E0h+var_AC], esi

loc_6331D9:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+31Dj
		mov	esi, [esi]
		mov	edx, 850h
		push	10h
		mov	[esp+0E4h+var_D0], esi
		mov	ax, [esi+74h]
		and	ax, dx
		pop	edx
		cmp	ax, dx
		jnz	loc_633404
		xor	eax, eax
		push	eax
		push	eax
		mov	[esp+0E8h+var_84], eax
		mov	[esp+0E8h+var_80], eax
		mov	[esp+0E8h+var_7C], eax
		mov	[esp+0E8h+var_78], eax
		mov	[esp+0E8h+var_68], eax
		mov	[esp+0E8h+var_64], eax
		lea	eax, [esp+0E8h+var_84]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [esp+0E0h+var_94]
		mov	ecx, esi
		mov	[esp+0E0h+var_70], eax
		mov	[esp+0E0h+var_6C], 2000h
		mov	[esp+0E0h+var_74], edi
		call	MiPageFileLargestBitmapsRun
		cmp	eax, [esp+0E0h+var_6C]
		jb	loc_633400

loc_633248:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+2FDj
		lea	eax, [esp+0E0h+var_84]
		mov	ecx, edi
		push	eax
		push	eax
		push	offset _MiTrimUnusedPageFileRegionsApc@12 ; MiTrimUnusedPageFileRegionsApc(x,x,x)
		lea	edx, [esp+0ECh+var_50]
		call	_MiQueueSyncModifiedWriterApc@20 ; MiQueueSyncModifiedWriterApc(x,x,x,x,x)
		cmp	[esp+0E0h+var_64], 0
		jz	loc_633400
		mov	eax, [esp+0E0h+var_68]
		mov	ecx, 1000h
		and	[esp+0E0h+var_20], 0
		mul	ecx
		mov	[esp+0E0h+var_1C], 1
		mov	[esp+0E0h+var_18], eax
		mov	eax, [esp+0E0h+var_64]
		mov	[esp+0E0h+var_14], edx
		mul	ecx
		mov	[esp+0E0h+var_10], eax
		lea	eax, [esp+0E0h+var_84]
		push	eax
		mov	[esp+0E4h+var_C], edx
		call	_KeResetEvent@4	; KeResetEvent(x)
		xor	ecx, ecx
		lea	eax, [esp+0E0h+var_20]
		push	ecx
		push	ecx
		push	18h
		push	eax
		push	98208h
		lea	eax, [esp+0F4h+var_58]
		push	eax
		lea	eax, [esp+0F8h+var_84]
		push	eax
		push	offset _MiIrpCompletionApcRoutine@12 ; MiIrpCompletionApcRoutine(x,x,x)
		push	ecx
		push	dword ptr [esi+84h]
		call	_ZwFsControlFile@40 ; ZwFsControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	[esp+0E0h+var_B0], eax
		cmp	eax, 103h
		jnz	short loc_63330D
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+0F0h+var_84]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+0E0h+var_58]
		mov	[esp+0E0h+var_B0], eax

loc_63330D:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+1F3j
		push	[esp+0E0h+var_60]
		mov	edx, [esp+0E4h+var_68]
		mov	ecx, esi
		push	[esp+0E4h+var_8C]
		push	3
		call	_MiTransferSoftwarePte@20 ; MiTransferSoftwarePte(x,x,x,x,x)
		mov	ecx, eax
		mov	eax, edx
		mov	edx, ds:dword_6D0700
		mov	esi, eax
		mov	[esp+0E0h+var_B8], eax
		mov	eax, ds:dword_6D0704
		mov	[esp+0E0h+var_A0], ecx
		mov	[esp+0E0h+var_A0], eax
		mov	eax, edx
		or	eax, [esp+0E0h+var_A0]
		mov	[esp+0E0h+var_A8], ecx
		jz	short loc_633381
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_633374
		mov	ecx, [esp+0E0h+var_A0]
		not	edx
		and	edx, [esp+0E0h+var_A8]
		not	ecx
		mov	eax, esi
		mov	[esp+0E0h+var_A0], edx
		and	ecx, eax
		mov	esi, ecx
		mov	ecx, [esp+0E0h+var_A8]
		jmp	short loc_633385
; 

loc_633374:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+259j
		mov	esi, [esp+0E0h+var_B8]
		mov	eax, ecx
		and	eax, 0FFFFFFEFh
		mov	[esp+0E0h+var_A0], eax

loc_633381:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+24Fj
		mov	eax, [esp+0E0h+var_B8]

loc_633385:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+275j
		mov	edx, [esp+0E0h+var_64]
		and	[esp+0E0h+var_A0], 0
		mov	[esp+0E0h+var_A4], edx
		test	edx, edx
		jz	short loc_6333D2

loc_633396:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+2D3j
		push	eax
		push	ecx
		push	2
		pop	edx
		mov	ecx, edi
		call	MiReleasePageFileInfo
		push	[esp+0E0h+var_B8]
		mov	eax, [esp+0E4h+var_A0]
		add	esi, 1
		push	[esp+0E4h+var_A8]
		adc	eax, 0
		push	eax
		push	esi
		mov	[esp+0F0h+var_A0], eax
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		sub	[esp+0E0h+var_A4], 1
		mov	ecx, eax
		mov	eax, edx
		mov	[esp+0E0h+var_A8], ecx
		mov	[esp+0E0h+var_B8], eax
		jnz	short loc_633396

loc_6333D2:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+297j
		cmp	[esp+0E0h+var_B0], 0
		jl	short loc_633400
		lea	eax, [esp+0E0h+var_84]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	eax, [esp+0E0h+var_68]
		add	eax, [esp+0E0h+var_64]
		mov	esi, [esp+0E0h+var_D0]
		and	[esp+0E0h+var_64], 0
		mov	[esp+0E0h+var_68], eax
		cmp	eax, [esi]
		jb	loc_633248

loc_633400:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+145j
					; MiTrimUnusedPageFileRegionsWorker(x)+169j ...
		mov	ecx, [esp+0E0h+var_98]

loc_633404:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+F4j
		mov	eax, [esp+0E0h+var_94]
		mov	esi, [esp+0E0h+var_AC]
		inc	eax
		add	esi, 4
		mov	[esp+0E0h+var_94], eax
		mov	[esp+0E0h+var_AC], esi
		cmp	eax, ecx
		jb	loc_6331D9
		mov	esi, [esp+0E0h+var_B4]

loc_633424:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+CAj
		mov	eax, [esp+0E0h+var_90]
		dec	word ptr [eax+13Eh]
		nop
		or	edx, 0FFFFFFFFh
		mov	[esp+0E0h+var_AC], edx
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_63344A
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_63344A:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+344j
		xor	edi, edi
		mov	[esp+0E0h+var_B0], edi
		test	esi, 7FFFFFFCh
		jz	loc_6335F0
		mov	eax, [esp+0E0h+var_B4]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[esp+0E4h+var_D0], edx
		mov	[esp+0E4h+var_8C], esi
		pop	edx
		jb	short loc_63348A
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_633499

loc_63348A:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+382j
		cmp	eax, [esp+0E0h+var_D0]
		jb	short loc_6334AE
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_6334AE

loc_633499:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+38Bj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[esp+0E0h+var_AC], eax
		mov	eax, [esp+0E0h+var_B4]

loc_6334AE:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+391j
					; MiTrimUnusedPageFileRegionsWorker(x)+39Aj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	[esp+0Fh], cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+0E0h+var_D0], ecx
		test	ecx, ecx
		jnz	short loc_6334FD
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_633573
		push	ecx
		push	[esp+0E4h+var_AC]
		push	[esp+0E8h+var_B4]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6334FD:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+3DCj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_633514
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+0F4h+var_E4]

loc_633514:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+40Cj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+0F4h+var_C4], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [esp+0Fh], 1
		mov	edx, eax
		jnz	short loc_633560
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_633573
; 

loc_633560:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+44Fj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [esp+0F4h+var_A0]

loc_633573:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+3E6j
					; MiTrimUnusedPageFileRegionsWorker(x)+461j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+0F4h+var_E4], eax
		jz	short loc_6335D8
		test	edi, 8000h
		jz	short loc_633598
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_633598:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+490j
		test	byte ptr [esp+0F4h+var_C4+2], 1
		jz	short loc_6335A9
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6335A9:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+4A0j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_6335BD
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_6335BD:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+4B3j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_6335D8
		push	[esp+0F4h+var_E4]
		mov	edx, [esp+0F8h+var_C8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_6335D8:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+488j
					; MiTrimUnusedPageFileRegionsWorker(x)+4CAj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_6335F0
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_6335F0
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_6335F0:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+359j
					; MiTrimUnusedPageFileRegionsWorker(x)+4E4j ...
		mov	ecx, [esp+0F4h+var_A4]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [esp+0F4h+var_9C]
		mov	ecx, edi
		call	MiContractWsSwapPageFile
		lea	ecx, [edi+23Ch]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		and	[esp+0F4h+var_70], 0
		xor	ecx, ecx
		mov	[edi+290h], eax
		lea	eax, [esp+0F4h+var_70]
		mov	[edi+294h], edx
		lock or	[eax], ecx
		and	[edi+288h], ecx

loc_63363C:				; CODE XREF: MiTrimUnusedPageFileRegionsWorker(x)+8Fj
		mov	ecx, [edi+64h]
		call	PsDereferencePartition
		mov	ecx, [esp+0F4h+var_18]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_MiTrimUnusedPageFileRegionsWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdatePagingFileMinimum(x, x)
_MiUpdatePagingFileMinimum@8 proc near	; CODE XREF: MiExtendPagingFiles(x)+66p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		lea	esi, [edi+88h]
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		mov	eax, [ebp+var_4]
		add	[edi+8], eax
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiUpdatePagingFileMinimum@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDecommitLargePoolVa(x, x,	x)
_MiDecommitLargePoolVa@12 proc near	; CODE XREF: MiDeleteNonPagedPoolPte+E35A6p

var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B0		= dword	ptr -0B0h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_90		= dword	ptr -90h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C0h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		xor	ebx, ebx
		mov	[ebp+var_A8], ecx
		lea	eax, [ebp+var_A4]
		mov	esi, edx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [esi]
		add	esp, 0Ch
		mov	[ebp+var_9C], 21h
		mov	[ebp+var_90], ebx
		mov	[ebp+var_B0], ebx
		nop
		mov	eax, [esi+4]
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_B8], eax
		nop
		mov	edi, [ebp+arg_0]
		shrd	ecx, eax, 0Ch
		mov	eax, ds:_MmPfnDatabase
		and	ecx, 1FFFFFFh
		imul	edx, ecx, 1Ch
		mov	[ebp+var_B0], ecx
		mov	[edx+eax], ebx
		test	ds:byte_70EFC4,	1
		jz	short loc_633726
		mov	ecx, [ebp+var_A8]
		xor	edx, edx
		push	edi
		push	0Ah
		call	_MiLogPerfMemoryRangeEvent@16 ;	MiLogPerfMemoryRangeEvent(x,x,x,x)

loc_633726:				; CODE XREF: MiDecommitLargePoolVa(x,x,x)+85j
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		lea	ecx, [ebp+var_A4]
		xor	edx, edx
		mov	[esi+4], eax
		push	esi
		inc	edx
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)
		lea	eax, [esi+3FA00000h]
		cmp	eax, 3FFFh
		ja	short loc_63375E
		shl	esi, 9
		mov	edx, esi
		mov	ecx, esi
		call	MiReplicatePteChange

loc_63375E:				; CODE XREF: MiDecommitLargePoolVa(x,x,x)+C1j
		lea	ecx, [ebp+var_A4]
		call	MiFlushTbList

loc_633769:				; CODE XREF: MiDecommitLargePoolVa(x,x,x)+E7j
		cmp	ds:_MiLargePageSizes[ebx*4], edi
		jz	short loc_633778
		inc	ebx
		cmp	ebx, 2
		jb	short loc_633769

loc_633778:				; CODE XREF: MiDecommitLargePoolVa(x,x,x)+E1j
		mov	ecx, [ebp+var_B0]
		mov	edx, ebx
		push	4
		call	_MiFreeLargePageMemory@12 ; MiFreeLargePageMemory(x,x,x)
		neg	edi
		mov	eax, offset unk_6D3614
		lock xadd [eax], edi
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiDecommitLargePoolVa@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiInitPerfMemoryFlags(x, x)
_MiInitPerfMemoryFlags@8 proc near	; CODE XREF: MiMapUserLargePages(x,x,x)+280p
					; MiUnloadSystemImage+14B8C5p ...
		xor	eax, eax
		test	ecx, ecx
		setnz	al
		and	edx, 0Fh
		add	edx, edx
		or	eax, edx
		retn
_MiInitPerfMemoryFlags@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeLargeNonPagedPoolLeafFrames(x, x)
_MiInitializeLargeNonPagedPoolLeafFrames@8 proc	near
					; CODE XREF: MiLinkPoolCommitChain+15E343p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		imul	esi, edx, 1Ch
		mov	ebx, ecx
		mov	edx, ds:_PsInitialSystemProcess
		mov	eax, ebx
		shr	eax, 9
		mov	ecx, 40000000h
		sub	eax, ecx
		push	edi
		add	esi, ds:_MmPfnDatabase
		test	edx, edx
		jz	short loc_6337F5
		lea	ecx, [eax+3FA00000h]
		mov	eax, [edx+194h]
		shr	ecx, 0Ch
		mov	edi, [eax+ecx*8]
		mov	eax, [eax+ecx*8+4]
		jmp	short loc_633805
; 

loc_6337F5:				; CODE XREF: MiInitializeLargeNonPagedPoolLeafFrames(x,x)+29j
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, ecx
		mov	edi, [eax]
		nop
		mov	eax, [eax+4]

loc_633805:				; CODE XREF: MiInitializeLargeNonPagedPoolLeafFrames(x,x)+41j
		shrd	edi, eax, 0Ch
		mov	ecx, esi
		call	_MiLockPage@4	; MiLockPage(x)
		mov	dl, [esi+16h]
		mov	ecx, esi
		and	dword ptr [esi], 0
		and	dl, 0FEh
		or	dl, 6
		mov	[esi+4], ebx
		mov	[esi+16h], dl
		mov	edx, [esi+18h]
		xor	edx, edi
		and	edx, offset loc_7FFFFF
		xor	[esi+18h], edx
		mov	dl, al
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiInitializeLargeNonPagedPoolLeafFrames@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogNonPagedPoolReleaseEvent(x)
_MiLogNonPagedPoolReleaseEvent@4 proc near ; CODE XREF:	MiLockNonPagedPoolPte:loc_5BD4A7p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx

loc_633855:				; CODE XREF: MiLogNonPagedPoolReleaseEvent(x)+93j
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		stosd
		mov	edx, [esi+4]
		or	edx, 80000000h
		mov	ebx, edx

loc_633869:				; CODE XREF: MiLogNonPagedPoolReleaseEvent(x)+40j
		mov	esi, [esi]
		mov	edi, edx
		sub	edx, 8
		test	esi, esi
		jz	short loc_633880
		mov	eax, [esi+4]
		or	eax, 80000000h
		cmp	eax, edx
		jz	short loc_633869

loc_633880:				; CODE XREF: MiLogNonPagedPoolReleaseEvent(x)+34j
		mov	ecx, [ebp+var_28]
		sub	ebx, edx
		mov	eax, [ebp+var_24]
		and	ecx, 0FFFFFFF5h
		and	[ebp+var_14], 0
		or	ecx, 5
		and	[ebp+var_C], 0
		xor	edx, edx
		push	11401B02h
		mov	[ebp+var_24], eax
		inc	edx
		push	279h
		mov	[ebp+var_28], ecx
		lea	eax, [ebp+var_28]
		shl	edi, 9
		lea	ecx, [ebp+var_18]
		sar	ebx, 3
		push	20000001h
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], 10h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		test	esi, esi
		jnz	short loc_633855
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiLogNonPagedPoolReleaseEvent@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiPfnIsNonPagedPool(x)
_MiPfnIsNonPagedPool@4 proc near	; CODE XREF: MiIsPfnLocked+94E10p
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_633912
		mov	eax, [ecx+4]
		shl	eax, 9
		cmp	eax, ds:dword_6D07D0
		jb	short loc_633912
		shr	eax, 15h
		cmp	byte ptr ds:dword_6D3994[eax], 5
		jnz	short loc_633912
		mov	al, [ecx+16h]
		and	al, 7
		cmp	al, 6
		jnz	short loc_633912
		xor	eax, eax
		inc	eax
		retn
; 

loc_633912:				; CODE XREF: MiPfnIsNonPagedPool(x)+7j
					; MiPfnIsNonPagedPool(x)+15j ...
		xor	eax, eax
		retn
_MiPfnIsNonPagedPool@4 endp


;  S U B	R O U T	I N E 


; __stdcall MmIsNonPagedPoolNx(x)
_MmIsNonPagedPoolNx@4 proc near		; CODE XREF: EtwTracePool(x,x,x,x,x)+5Cp
		mov	eax, ecx
		shr	eax, 12h
		and	eax, 3FF8h
		push	esi
		mov	edx, [eax-3FA00000h]
		nop
		mov	esi, [eax-3F9FFFFCh]
		mov	eax, edx
		and	eax, 80h
		or	eax, 0
		jnz	short loc_63394F
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		mov	edx, [ecx-40000000h]
		nop
		mov	esi, [ecx-3FFFFFFCh]

loc_63394F:				; CODE XREF: MmIsNonPagedPoolNx(x)+22j
		test	esi, esi
		pop	esi
		jl	short loc_63395D
		jg	short loc_63395A
		test	edx, edx
		jb	short loc_63395D

loc_63395A:				; CODE XREF: MmIsNonPagedPoolNx(x)+3Fj
		xor	eax, eax
		retn
; 

loc_63395D:				; CODE XREF: MmIsNonPagedPoolNx(x)+3Dj
					; MmIsNonPagedPoolNx(x)+43j
		xor	eax, eax
		inc	eax
		retn
_MmIsNonPagedPoolNx@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckPhysicalAddressRange(x, x, x)
_MiCheckPhysicalAddressRange@12	proc near ; CODE XREF: MmCopyMemory(x,x,x,x,x,x)+9Ep
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+3Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	edx, edx
		add	ecx, [ebp+arg_0]
		push	esi
		adc	edx, [ebp+arg_4]
		push	edi
		cmp	edx, [ebp+arg_4]
		jb	short loc_6339D8
		ja	short loc_63397C
		cmp	ecx, [ebp+arg_0]
		jbe	short loc_6339D8

loc_63397C:				; CODE XREF: MiCheckPhysicalAddressRange(x,x,x)+14j
		mov	esi, ds:_KiMtrrMaskBase
		add	ecx, 0FFFFFFFFh
		mov	edi, ds:dword_6B3FAC
		mov	eax, esi
		adc	edx, 0FFFFFFFFh
		or	eax, edi
		jz	short loc_6339A5
		mov	eax, ecx
		and	eax, 0FFFFF000h
		cmp	edx, edi
		jb	short loc_6339A5
		ja	short loc_6339D8
		cmp	eax, esi
		ja	short loc_6339D8

loc_6339A5:				; CODE XREF: MiCheckPhysicalAddressRange(x,x,x)+31j
					; MiCheckPhysicalAddressRange(x,x,x)+3Cj
		mov	eax, large fs:20h
		cmp	byte ptr [eax+3BEh], 2
		jnz	short loc_6339D3
		cmp	edx, 0FDh
		jb	short loc_6339D3
		ja	short loc_6339C2
		test	ecx, ecx
		jb	short loc_6339D3

loc_6339C2:				; CODE XREF: MiCheckPhysicalAddressRange(x,x,x)+5Bj
		cmp	[ebp+arg_4], 0FFh
		jb	short loc_6339D8
		ja	short loc_6339D3
		cmp	[ebp+arg_0], 0FFFFFFFFh
		jbe	short loc_6339D8

loc_6339D3:				; CODE XREF: MiCheckPhysicalAddressRange(x,x,x)+51j
					; MiCheckPhysicalAddressRange(x,x,x)+59j ...
		xor	eax, eax
		inc	eax
		jmp	short loc_6339DA
; 

loc_6339D8:				; CODE XREF: MiCheckPhysicalAddressRange(x,x,x)+12j
					; MiCheckPhysicalAddressRange(x,x,x)+19j ...
		xor	eax, eax

loc_6339DA:				; CODE XREF: MiCheckPhysicalAddressRange(x,x,x)+75j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_MiCheckPhysicalAddressRange@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiCopyFromUntrustedMemory(size_t,int)
_MiCopyFromUntrustedMemory@16 proc near	; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+119p
					; MiDbgCopyMemoryTarget(x,x,x,x)+14Bp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	28h
		push	offset dword_6A88E0
		call	__SEH_prolog4_GS
		mov	[ebp+var_28], ecx
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [ebp+arg_0]
		cmp	[ebp+arg_4], ebx
		jnz	short loc_633A1C
		mov	eax, edx
		or	eax, ecx
		or	eax, esi
		test	al, 3
		jnz	short loc_633A1C
		push	esi		; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_633AD2
; 

loc_633A1C:				; CODE XREF: MiCopyFromUntrustedMemory(x,x,x,x)+20j
					; MiCopyFromUntrustedMemory(x,x,x,x)+2Aj
		mov	[ebp+var_2C], ecx

loc_633A1F:				; CODE XREF: MiCopyFromUntrustedMemory(x,x,x,x)+D9j
		test	esi, esi
		jz	loc_633AD2
		cmp	[ebp+arg_4], 0
		jz	short loc_633A36
		mov	ecx, [ebp+arg_4]
		cmp	ecx, esi
		jbe	short loc_633A4C
		jmp	short loc_633A49
; 

loc_633A36:				; CODE XREF: MiCopyFromUntrustedMemory(x,x,x,x)+4Bj
		mov	ecx, esi
		and	ecx, 3
		jnz	short loc_633A42
		push	4
		pop	ecx
		jmp	short loc_633A4C
; 

loc_633A42:				; CODE XREF: MiCopyFromUntrustedMemory(x,x,x,x)+5Bj
		lea	eax, [ecx-1]
		test	eax, ecx
		jz	short loc_633A4C

loc_633A49:				; CODE XREF: MiCopyFromUntrustedMemory(x,x,x,x)+54j
		xor	ecx, ecx
		inc	ecx

loc_633A4C:				; CODE XREF: MiCopyFromUntrustedMemory(x,x,x,x)+52j
					; MiCopyFromUntrustedMemory(x,x,x,x)+60j ...
		lea	eax, [ecx-1]
		test	eax, edx
		jz	short loc_633A56
		xor	ecx, ecx
		inc	ecx

loc_633A56:				; CODE XREF: MiCopyFromUntrustedMemory(x,x,x,x)+71j
		mov	eax, ecx
		sub	eax, 1
		jz	short loc_633A8A
		sub	eax, 1
		jz	short loc_633A81
		dec	eax
		sub	eax, 1
		jz	short loc_633A7A
		sub	eax, 4
		jnz	short loc_633A8F
		mov	eax, [edx]
		mov	[ebp+var_24], eax
		mov	eax, [edx+4]
		mov	[ebp+var_20], eax
		jmp	short loc_633A8F
; 

loc_633A7A:				; CODE XREF: MiCopyFromUntrustedMemory(x,x,x,x)+86j
		mov	eax, [edx]
		mov	[ebp+var_24], eax
		jmp	short loc_633A8F
; 

loc_633A81:				; CODE XREF: MiCopyFromUntrustedMemory(x,x,x,x)+80j
		mov	ax, [edx]
		mov	word ptr [ebp+var_24], ax
		jmp	short loc_633A8F
; 

loc_633A8A:				; CODE XREF: MiCopyFromUntrustedMemory(x,x,x,x)+7Bj
		mov	al, [edx]
		mov	byte ptr [ebp+var_24], al

loc_633A8F:				; CODE XREF: MiCopyFromUntrustedMemory(x,x,x,x)+8Bj
					; MiCopyFromUntrustedMemory(x,x,x,x)+98j ...
		mov	edi, ebx

loc_633A91:				; CODE XREF: MiCopyFromUntrustedMemory(x,x,x,x)+CDj
		mov	[ebp+var_30], edi
		cmp	edi, ecx
		jnb	short loc_633AAF
		mov	al, byte ptr [ebp+edi+var_24]
		mov	ebx, [ebp+var_28]
		mov	[ebx], al
		mov	eax, ebx
		inc	eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_2C], eax
		xor	ebx, ebx
		inc	edi
		jmp	short loc_633A91
; 

loc_633AAF:				; CODE XREF: MiCopyFromUntrustedMemory(x,x,x,x)+B6j
		sub	esi, ecx
		mov	[ebp+arg_0], esi
		add	edx, ecx
		mov	[ebp+var_38], edx
		jmp	loc_633A1F
; 

loc_633ABE:				; DATA XREF: .text:006A88F4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_633ACC:				; DATA XREF: .text:006A88F8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_34]

loc_633AD2:				; CODE XREF: MiCopyFromUntrustedMemory(x,x,x,x)+37j
					; MiCopyFromUntrustedMemory(x,x,x,x)+41j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiCopyFromUntrustedMemory@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiCopyToUntrustedMemory(size_t,int)
_MiCopyToUntrustedMemory@16 proc near	; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+211p
					; MiDbgCopyMemoryTarget(x,x,x,x)+13Fp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	28h
		push	offset dword_6A88C0
		call	__SEH_prolog4_GS
		mov	edi, edx
		mov	[ebp+var_28], edi
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	edx, [ebp+arg_0]
		cmp	[ebp+arg_4], ebx
		jnz	short loc_633B2D
		mov	eax, edi
		or	eax, esi
		or	eax, edx
		test	al, 3
		jnz	short loc_633B2D
		push	edx		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_633BE4
; 

loc_633B2D:				; CODE XREF: MiCopyToUntrustedMemory(x,x,x,x)+24j
					; MiCopyToUntrustedMemory(x,x,x,x)+2Ej
		mov	[ebp+var_2C], edi

loc_633B30:				; CODE XREF: MiCopyToUntrustedMemory(x,x,x,x)+DEj
		mov	[ebp+var_34], esi
		test	edx, edx
		jz	loc_633BE4
		cmp	[ebp+arg_4], 0
		jz	short loc_633B4A
		mov	ecx, [ebp+arg_4]
		cmp	ecx, edx
		jbe	short loc_633B60
		jmp	short loc_633B5D
; 

loc_633B4A:				; CODE XREF: MiCopyToUntrustedMemory(x,x,x,x)+52j
		mov	ecx, edx
		and	ecx, 3
		jnz	short loc_633B56
		push	4
		pop	ecx
		jmp	short loc_633B60
; 

loc_633B56:				; CODE XREF: MiCopyToUntrustedMemory(x,x,x,x)+62j
		lea	eax, [ecx-1]
		test	eax, ecx
		jz	short loc_633B60

loc_633B5D:				; CODE XREF: MiCopyToUntrustedMemory(x,x,x,x)+5Bj
		xor	ecx, ecx
		inc	ecx

loc_633B60:				; CODE XREF: MiCopyToUntrustedMemory(x,x,x,x)+59j
					; MiCopyToUntrustedMemory(x,x,x,x)+67j	...
		lea	eax, [ecx-1]
		test	eax, esi
		jz	short loc_633B6A
		xor	ecx, ecx
		inc	ecx

loc_633B6A:				; CODE XREF: MiCopyToUntrustedMemory(x,x,x,x)+78j
		mov	edi, ebx
		mov	[ebp+var_30], edi
		mov	eax, [ebp+var_28]

loc_633B72:				; CODE XREF: MiCopyToUntrustedMemory(x,x,x,x)+9Dj
		cmp	edi, ecx
		jnb	short loc_633B8C
		mov	al, [eax]
		mov	byte ptr [ebp+edi+var_24], al
		mov	eax, [ebp+var_28]
		inc	eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_2C], eax
		inc	edi
		mov	[ebp+var_30], edi
		jmp	short loc_633B72
; 

loc_633B8C:				; CODE XREF: MiCopyToUntrustedMemory(x,x,x,x)+87j
		mov	eax, ecx
		sub	eax, 1
		jz	short loc_633BBF
		sub	eax, 1
		jz	short loc_633BB7
		dec	eax
		sub	eax, 1
		jz	short loc_633BB0
		sub	eax, 4
		jnz	short loc_633BC4
		mov	eax, [ebp+var_24]
		mov	[esi], eax
		mov	eax, [ebp+var_20]
		mov	[esi+4], eax
		jmp	short loc_633BC4
; 

loc_633BB0:				; CODE XREF: MiCopyToUntrustedMemory(x,x,x,x)+AFj
		mov	eax, [ebp+var_24]
		mov	[esi], eax
		jmp	short loc_633BC4
; 

loc_633BB7:				; CODE XREF: MiCopyToUntrustedMemory(x,x,x,x)+A9j
		mov	eax, [ebp+var_24]
		mov	[esi], ax
		jmp	short loc_633BC4
; 

loc_633BBF:				; CODE XREF: MiCopyToUntrustedMemory(x,x,x,x)+A4j
		mov	eax, [ebp+var_24]
		mov	[esi], al

loc_633BC4:				; CODE XREF: MiCopyToUntrustedMemory(x,x,x,x)+B4j
					; MiCopyToUntrustedMemory(x,x,x,x)+C1j	...
		sub	edx, ecx
		mov	[ebp+arg_0], edx
		add	esi, ecx
		jmp	loc_633B30
; 

loc_633BD0:				; DATA XREF: .text:006A88D4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_38], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_633BDE:				; DATA XREF: .text:006A88D8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_38]

loc_633BE4:				; CODE XREF: MiCopyToUntrustedMemory(x,x,x,x)+3Bj
					; MiCopyToUntrustedMemory(x,x,x,x)+48j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiCopyToUntrustedMemory@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDbgCopyMemory(x, x, x, x,	x, x)
_MiDbgCopyMemory@24 proc near		; CODE XREF: MmDbgCopyMemory(x,x,x,x,x,x)+62p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	50h
		push	offset dword_6A88A0
		call	__SEH_prolog4
		mov	[ebp+var_1C], ecx
		mov	ebx, [ebp+arg_C]
		xor	ecx, ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		stosd
		stosd
		stosd
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], ecx
		mov	edi, edx
		test	edi, edi
		jnz	short loc_633C37
		mov	eax, 0C00000F1h
		jmp	loc_633D3F
; 

loc_633C37:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+2Cj
		mov	edx, ebx
		and	edx, 40h
		mov	[ebp+var_20], edx
		mov	ecx, ebx
		push	2
		pop	eax
		mov	[ebp+arg_C], eax
		and	ecx, eax
		test	edx, edx
		jz	short loc_633C5F
		test	ecx, ecx
		jnz	short loc_633CAC
		test	bl, 1
		jz	short loc_633CAC
		mov	eax, ebx
		and	eax, 4
		jnz	short loc_633C64
		jmp	short loc_633CAC
; 

loc_633C5F:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+4Cj
		mov	eax, ebx
		and	eax, 4

loc_633C64:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+5Cj
		test	ecx, ecx
		jz	short loc_633C9A
		test	eax, eax
		jnz	short loc_633C76
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		ja	short loc_633CAC

loc_633C76:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+6Bj
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		lea	edx, [ebp+var_3C]
		mov	ecx, ebx
		call	_MiDbgTranslatePhysicalAddress@16 ; MiDbgTranslatePhysicalAddress(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_633DDC
		mov	eax, 0C0000001h
		jmp	loc_633D3F
; 

loc_633C9A:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+67j
		test	eax, eax
		jnz	loc_633D9C
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		jbe	short loc_633CB6

loc_633CAC:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+50j
					; MiDbgCopyMemory(x,x,x,x,x,x)+55j ...
		mov	eax, 0C00000F2h
		jmp	loc_633D3F
; 

loc_633CB6:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+ABj
		mov	esi, [ebp+arg_0]
		cmp	esi, ds:dword_6D07D0
		jnb	loc_633D6E
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, ebx
		and	ecx, 1
		mov	[ebp+arg_4], ecx
		jz	short loc_633CE0
		push	edi
		push	edi
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [ebp+arg_4]
		jmp	short loc_633D00
; 

loc_633CE0:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+D2j
		lea	eax, [edi-1]
		test	eax, esi
		jz	short loc_633CEC
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_633CEC:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+E6j
		lea	eax, [esi+edi]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_633CFD
		cmp	eax, esi
		jnb	short loc_633D00

loc_633CFD:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+F8j
		mov	byte ptr [edx],	0

loc_633D00:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+DFj
					; MiDbgCopyMemory(x,x,x,x,x,x)+FCj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	ecx, ecx
		jnz	loc_633E07

loc_633D0F:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+1E0j
		push	[ebp+arg_8]	; int
		push	edi		; size_t
		mov	edx, esi
		mov	ecx, [ebp+var_1C]
		call	_MiCopyFromUntrustedMemory@16 ;	MiCopyFromUntrustedMemory(x,x,x,x)

loc_633D1D:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+216j
		mov	edi, eax

loc_633D1F:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+1FCj
		test	byte ptr [ebp+arg_C], 1
		jz	short loc_633D30
		push	ebx
		lea	edx, [ebp+var_30]
		mov	ecx, esi
		call	_MiDbgReleaseAddress@12	; MiDbgReleaseAddress(x,x,x)

loc_633D30:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+124j
		test	bl, 2
		jz	short loc_633D3D
		lea	ecx, [ebp+var_3C]
		call	_MiDbgUnTranslatePhysicalAddress@4 ; MiDbgUnTranslatePhysicalAddress(x)

loc_633D3D:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+134j
					; MiDbgCopyMemory(x,x,x,x,x,x)+1B0j ...
		mov	eax, edi

loc_633D3F:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+33j
					; MiDbgCopyMemory(x,x,x,x,x,x)+96j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_633D51:				; DATA XREF: .text:006A88B4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_633D5F:				; DATA XREF: .text:006A88B8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]
		jmp	short loc_633D3F
; 

loc_633D6E:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+C0j
		mov	[ebp+var_60], esi
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_5C], eax
		mov	[ebp+var_54], edi
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_58], ecx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], ebx
		lea	eax, [ebp+var_60]
		push	eax
		push	offset _MiDbgCopyMemoryTarget@16 ; MiDbgCopyMemoryTarget(x,x,x,x)
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		mov	eax, [ebp+var_48]
		jmp	short loc_633D3F
; 

loc_633D9C:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+9Dj
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	MmIsAddressValidEx
		test	al, al
		jnz	short loc_633DB1
		mov	edi, 0C00000EFh
		jmp	short loc_633D3D
; 

loc_633DB1:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+1A9j
		cmp	[ebp+var_20], 0
		jz	short loc_633DDC
		push	esi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		push	edx
		push	eax
		lea	edx, [ebp+var_3C]
		mov	ecx, ebx
		call	_MiDbgTranslatePhysicalAddress@16 ; MiDbgTranslatePhysicalAddress(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_633DD9
		mov	edi, 0C0000001h
		jmp	loc_633D3D
; 

loc_633DD9:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+1CEj
		or	ebx, 2

loc_633DDC:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+8Bj
					; MiDbgCopyMemory(x,x,x,x,x,x)+1B6j
		test	bl, 1
		jz	loc_633D0F
		push	ecx
		lea	edx, [ebp+var_30]
		mov	ecx, esi
		call	_MiDbgWriteCheck@12 ; MiDbgWriteCheck(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_633E00
		mov	edi, 0C00000EFh
		jmp	loc_633D1F
; 

loc_633E00:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+1F5j
		mov	[ebp+arg_C], 3

loc_633E07:				; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+10Aj
		push	[ebp+arg_8]	; int
		push	edi		; size_t
		mov	edx, [ebp+var_1C]
		mov	ecx, esi
		call	_MiCopyToUntrustedMemory@16 ; MiCopyToUntrustedMemory(x,x,x,x)
		jmp	loc_633D1D
_MiDbgCopyMemory@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDbgCopyMemoryTarget(x, x,	x, x)
_MiDbgCopyMemoryTarget@16 proc near	; DATA XREF: MiDbgCopyMemory(x,x,x,x,x,x)+18Eo

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		or	ebx, 0FFFFFFFFh
		push	edi
		mov	edi, [ebp+arg_C]
		mov	eax, ebx
		lock xadd [edi], eax
		dec	eax
		mov	esi, eax
		mov	ecx, 80000000h
		not	esi
		and	esi, ecx
		test	eax, 7FFFFFFFh
		jnz	loc_633F86
		mov	eax, [edi+4]
		lea	edx, [ebp+var_18]
		or	eax, esi
		xor	ebx, ebx
		mov	esi, [ebp+arg_4]
		mov	[edi], eax
		mov	eax, [esi]
		mov	ecx, eax
		mov	[ebp+arg_C], eax
		call	_MiFillPteHierarchy@8 ;	MiFillPteHierarchy(x,x)
		xor	ecx, ecx
		inc	ecx

loc_633E72:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+89j
		mov	edx, [ebp+ecx*4+var_18]
		mov	[ebp+var_4], edx
		mov	eax, [edx]
		mov	[ebp+arg_4], eax
		nop
		mov	edx, [edx+4]
		mov	[ebp+var_8], edx
		mov	edx, eax
		and	edx, 1
		mov	eax, edx
		or	eax, 0
		jz	short loc_633EA5
		mov	eax, [ebp+arg_4]
		and	eax, 80h
		or	eax, 0
		jnz	short loc_633EAA
		test	ecx, ecx
		jz	short loc_633EAA
		dec	ecx
		jmp	short loc_633E72
; 

loc_633EA5:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+75j
		mov	ebx, 0C0000005h

loc_633EAA:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+82j
					; MiDbgCopyMemoryTarget(x,x,x,x)+86j
		or	edx, 0
		jz	loc_633F6C
		test	byte ptr [esi+14h], 1
		jz	loc_633F3F
		mov	ecx, [ebp+arg_4]
		mov	eax, ecx
		and	eax, 800h
		or	eax, 0
		jnz	short loc_633ED6
		mov	ebx, 0C0000005h
		jmp	loc_633F6C
; 

loc_633ED6:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+B0j
		mov	eax, ecx
		and	eax, 42h
		or	eax, 0
		jnz	short loc_633F3F
		or	ecx, 42h
		nop
		mov	eax, [ebp+var_4]
		mov	edx, 0C0000000h
		mov	[eax], ecx
		mov	ecx, [ebp+var_8]
		mov	[eax+4], ecx
		mov	eax, [ebp+arg_C]
		jmp	short loc_633F03
; 

loc_633EF9:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+EBj
		cmp	eax, 0C07FFFFFh
		ja	short loc_633F07
		shl	eax, 9

loc_633F03:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+DDj
		cmp	eax, edx
		jnb	short loc_633EF9

loc_633F07:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+E4j
		push	2
		pop	ecx
		cmp	eax, ds:dword_6D07D0
		jb	short loc_633F32
		shr	eax, 15h
		mov	al, byte ptr ds:dword_6D3994[eax]
		cmp	al, 1
		jz	short loc_633F2E
		cmp	al, 0Bh
		jz	short loc_633F2E
		cmp	al, cl
		jnz	short loc_633F32
		xor	eax, eax
		xor	ecx, ecx
		inc	eax
		jmp	short loc_633F34
; 

loc_633F2E:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+103j
					; MiDbgCopyMemoryTarget(x,x,x,x)+107j
		mov	eax, ecx
		jmp	short loc_633F34
; 

loc_633F32:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+F6j
					; MiDbgCopyMemoryTarget(x,x,x,x)+10Bj
		xor	eax, eax

loc_633F34:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+112j
					; MiDbgCopyMemoryTarget(x,x,x,x)+116j
		push	ecx
		mov	ecx, [ebp+arg_C]
		mov	edx, eax
		call	KeFlushSingleTb

loc_633F3F:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+9Dj
					; MiDbgCopyMemoryTarget(x,x,x,x)+C4j
		test	ebx, ebx
		js	short loc_633F6C
		test	byte ptr [esi+14h], 1
		mov	eax, [esi+10h]
		mov	ecx, [esi+0Ch]
		mov	ebx, [esi+8]
		push	eax		; int
		push	ecx		; size_t
		jz	short loc_633F60
		mov	ecx, [ebp+arg_C]
		mov	edx, ebx
		call	_MiCopyToUntrustedMemory@16 ; MiCopyToUntrustedMemory(x,x,x,x)
		jmp	short loc_633F6A ; size_t
; 

loc_633F60:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+138j
		mov	edx, [ebp+arg_C]
		mov	ecx, ebx
		call	_MiCopyFromUntrustedMemory@16 ;	MiCopyFromUntrustedMemory(x,x,x,x)

loc_633F6A:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+144j
		mov	ebx, eax

loc_633F6C:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+93j
					; MiDbgCopyMemoryTarget(x,x,x,x)+B7j ...
		mov	[esi+18h], ebx
		mov	ecx, 80000000h
		or	ebx, 0FFFFFFFFh
		jmp	short loc_633F8E
; 

loc_633F79:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+172j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	ecx, 80000000h

loc_633F86:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+34j
		mov	eax, [edi]
		and	eax, ecx
		cmp	eax, esi
		jnz	short loc_633F79

loc_633F8E:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+15Dj
		lock xadd [edi], ebx
		dec	ebx
		mov	esi, ebx
		not	esi
		and	esi, ecx
		test	ebx, 7FFFFFFFh
		jnz	short loc_633FAA
		mov	eax, [edi+4]
		or	eax, esi
		mov	[edi], eax
		jmp	short loc_633FC7
; 

loc_633FAA:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+185j
		mov	eax, [edi]
		and	[ebp+var_10], 0
		and	eax, ecx
		jmp	short loc_633FC3
; 

loc_633FB4:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+1ABj
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		and	eax, 80000000h

loc_633FC3:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+198j
		cmp	eax, esi
		jnz	short loc_633FB4

loc_633FC7:				; CODE XREF: MiDbgCopyMemoryTarget(x,x,x,x)+18Ej
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiDbgCopyMemoryTarget@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDbgMarkPfnModified(x, x, x)
_MiDbgMarkPfnModified@12 proc near	; CODE XREF: MiDbgWriteCheck(x,x,x)+181p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		mov	esi, [ebx+8]
		push	edi
		mov	[ebp+var_14], ecx
		nop
		mov	eax, [ebx+0Ch]
		shrd	esi, eax, 0Ch
		and	esi, 1FFFFFFh
		test	ds:_MiFlags, 8000000h
		jz	loc_63420E
		cmp	esi, ds:dword_6D07B0
		ja	loc_63420E
		mov	eax, ds:dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_63420E
		imul	esi, 1Ch
		add	esi, ds:_MmPfnDatabase
		test	byte ptr [esi+16h], 10h
		jnz	loc_63420E
		xor	edi, edi
		mov	byte ptr [ebp+var_4+3],	21h
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	short loc_63406D
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	byte ptr [ebp+var_4+3],	al
		jmp	short loc_634070
; 

loc_63406D:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+8Aj
		mov	al, byte ptr [ebp+var_4+3]

loc_634070:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+97j
		lea	ecx, [esi+10h]
		mov	[ebp+var_18], ecx
		lock bts dword ptr [ecx], 1Fh
		jnb	short loc_634090
		cmp	al, 21h
		jz	short loc_634089
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_634089:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+ABj
		xor	eax, eax
		jmp	loc_634211
; 

loc_634090:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+A7j
		mov	eax, [esi+8]
		mov	ecx, [esi+0Ch]
		mov	dl, [esi+16h]
		mov	[ebp+var_8], eax
		and	eax, 400h
		or	eax, edi
		mov	[ebp+var_10], ecx
		jz	loc_63418A
		test	dl, 10h
		jnz	loc_634166
		mov	eax, ds:dword_6D0704
		mov	edx, ds:dword_6D0700
		mov	[ebp+var_C], eax
		mov	eax, edx
		or	eax, [ebp+var_C]
		jz	short loc_6340E3
		mov	eax, [ebp+var_8]
		and	eax, 10h
		or	eax, edi
		jnz	short loc_6340E3
		mov	eax, [ebp+var_C]
		not	edx
		and	[ebp+var_8], edx
		not	eax
		and	ecx, eax
		mov	[ebp+var_10], ecx

loc_6340E3:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+F4j
					; MiDbgMarkPfnModified(x,x,x)+FEj
		mov	ecx, [ecx]
		mov	[ebp+var_C], ecx
		mov	eax, [ecx+1Ch]
		test	al, 20h
		jz	short loc_634162
		test	eax, 40000h
		jnz	short loc_634120
		mov	eax, [ecx+38h]
		cmp	[eax+10h], edi
		jz	short loc_634120
		lea	eax, [ecx+24h]
		push	eax
		mov	[ebp+var_8], eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jz	short loc_634169
		mov	eax, [ebp+var_C]
		push	[ebp+var_8]
		or	dword ptr [eax+1Ch], 40000h
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_634120:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+120j
					; MiDbgMarkPfnModified(x,x,x)+128j
		mov	eax, [ebp+var_10]
		mov	al, [eax+10h]
		and	al, 3Eh
		cmp	al, 8
		jnb	short loc_63415B
		mov	edx, [ebp+var_14]
		mov	eax, edx
		mov	ecx, ds:dword_6D07D0
		shr	eax, 15h
		cmp	edx, ecx
		jb	short loc_63415B
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_634154
		cmp	edx, ecx
		jb	short loc_63415B
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_63415B

loc_634154:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+171j
		mov	ds:byte_6CF5B8,	1

loc_63415B:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+156j
					; MiDbgMarkPfnModified(x,x,x)+168j ...
		mov	ds:byte_6D31C1,	1

loc_634162:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+119j
					; MiDbgMarkPfnModified(x,x,x)+1B9j ...
		or	byte ptr [esi+16h], 10h

loc_634166:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+DBj
					; MiDbgMarkPfnModified(x,x,x)+1EFj ...
		xor	edi, edi
		inc	edi

loc_634169:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+138j
					; MiDbgMarkPfnModified(x,x,x)+201j
		mov	eax, [ebp+var_18]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	al, byte ptr [ebp+var_4+3]
		cmp	al, 21h
		jz	short loc_634183
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_634183:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+1A5j
		mov	eax, edi
		jmp	loc_634211
; 

loc_63418A:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+D2j
		test	dl, 8
		jnz	short loc_634162
		lea	ecx, [esi+8]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jz	short loc_634162
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], offset unk_6D31D0

loc_6341A5:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+1FCj
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		xor	eax, eax
		lock cmpxchg [edx], ecx
		mov	edx, [ebp+var_C]
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_6341D2
		mov	eax, esi
		or	ecx, 1
		or	eax, 1
		cmp	ecx, eax
		jz	short loc_634166
		add	[ebp+var_8], 4
		inc	edx
		mov	[ebp+var_C], edx
		cmp	edx, 20h
		jb	short loc_6341A5

loc_6341D2:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+1E3j
		cmp	edx, 20h
		jz	short loc_634169
		xor	edx, edx
		mov	ecx, esi
		cmp	byte ptr [ebp+var_4+3],	21h
		setz	dl
		lea	edx, ds:1[edx*4]
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		mov	ecx, [ebp+var_C]
		lea	eax, unk_6D31D0[ecx*4]
		lock inc dword ptr [eax]
		xor	ecx, ecx
		mov	edx, offset _ExpDebuggerWork
		inc	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		jmp	loc_634166
; 

loc_63420E:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+3Aj
					; MiDbgMarkPfnModified(x,x,x)+46j ...
		xor	eax, eax
		inc	eax

loc_634211:				; CODE XREF: MiDbgMarkPfnModified(x,x,x)+B7j
					; MiDbgMarkPfnModified(x,x,x)+1B1j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_MiDbgMarkPfnModified@12 endp ;	sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDbgReleaseAddress(x, x, x)
_MiDbgReleaseAddress@12	proc near	; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+12Cp

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	esi, ecx
		mov	eax, [ebx]
		or	eax, [ebx+4]
		jz	loc_634305
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		mov	ecx, esi
		test	eax, eax
		jz	short loc_63424F
		shr	ecx, 12h
		and	ecx, 3FF8h
		sub	ecx, 3FA00000h
		jmp	short loc_63425E
; 

loc_63424F:				; CODE XREF: MiDbgReleaseAddress(x,x,x)+20j
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h

loc_63425E:				; CODE XREF: MiDbgReleaseAddress(x,x,x)+31j
		mov	edi, [ebx]
		mov	edx, [ebx+4]
		lock inc ds:dword_6D31CC
		xor	ebx, ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_6342B6
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_63428E
		inc	ebx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	short loc_6342B6
		mov	eax, edi
		and	eax, ebx
		jmp	short loc_6342AB
; 

loc_63428E:				; CODE XREF: MiDbgReleaseAddress(x,x,x)+60j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_6342B6
		mov	eax, edi
		and	eax, 1

loc_6342AB:				; CODE XREF: MiDbgReleaseAddress(x,x,x)+70j
		or	eax, 0
		jz	short loc_6342B6
		or	edx, 80000000h

loc_6342B6:				; CODE XREF: MiDbgReleaseAddress(x,x,x)+57j
					; MiDbgReleaseAddress(x,x,x)+6Aj ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], edi
		test	ebx, ebx
		jz	short loc_6342C7
		push	edx
		push	edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_6342C7:				; CODE XREF: MiDbgReleaseAddress(x,x,x)+A2j
		lock dec ds:dword_6D31CC
		mov	eax, 0C0000000h
		mov	ecx, esi
		cmp	esi, eax
		jb	short loc_6342E8

loc_6342D9:				; CODE XREF: MiDbgReleaseAddress(x,x,x)+CAj
		cmp	ecx, 0C07FFFFFh
		ja	short loc_6342E8
		shl	ecx, 9
		cmp	ecx, eax
		jnb	short loc_6342D9

loc_6342E8:				; CODE XREF: MiDbgReleaseAddress(x,x,x)+BBj
					; MiDbgReleaseAddress(x,x,x)+C3j
		call	MiRealVaToFlushType
		test	[ebp+arg_0], 4
		mov	edx, eax
		mov	ecx, esi
		jnz	short loc_634300
		push	2
		call	KeFlushSingleTb
		jmp	short loc_634305
; 

loc_634300:				; CODE XREF: MiDbgReleaseAddress(x,x,x)+D9j
		call	KeFlushSingleCurrentTb

loc_634305:				; CODE XREF: MiDbgReleaseAddress(x,x,x)+11j
					; MiDbgReleaseAddress(x,x,x)+E2j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MiDbgReleaseAddress@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDbgTranslatePhysicalAddress(x, x,	x, x)
_MiDbgTranslatePhysicalAddress@16 proc near ; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+82p
					; MiDbgCopyMemory(x,x,x,x,x,x)+1C5p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:dword_6D31C4
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], eax
		push	esi
		push	edi
		mov	edi, edx
		test	eax, eax
		jz	loc_63461D
		mov	esi, [ebx+0Ch]
		xor	ecx, ecx
		mov	eax, [ebx+8]
		inc	ecx
		push	esi
		push	eax
		mov	[ebp+var_20], eax
		call	_MiCheckPhysicalAddressRange@12	; MiCheckPhysicalAddressRange(x,x,x)
		test	eax, eax
		jz	loc_63461D
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_20]
		and	al, 1
		shl	[ebp+var_10], 9
		shrd	edx, esi, 0Ch
		movzx	esi, al
		mov	eax, [ebp+var_C]
		neg	esi
		mov	[ebp+var_8], edx
		sbb	esi, esi
		and	dword ptr [edi], 0
		and	esi, 3
		inc	esi
		and	eax, 4
		mov	[ebp+var_14], esi
		mov	[ebp+var_18], eax
		jz	short loc_63438B
		mov	al, 21h
		jmp	short loc_634396
; 

loc_63438B:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+79j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, [ebp+var_8]

loc_634396:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+7Dj
		mov	[edi+4], al
		cmp	edx, ds:dword_6D07B0
		ja	loc_634456
		mov	eax, ds:dword_6D35B8
		mov	ecx, [ebp+var_8]
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		xor	ecx, ecx
		inc	ecx
		and	eax, ecx
		jz	loc_634456
		imul	edx, [ebp+var_8], 1Ch
		add	edx, ds:_MmPfnDatabase
		cmp	[ebp+var_18], 0
		mov	[ebp+var_4], edx
		lea	eax, [edx+10h]
		jz	short loc_634407
		mov	[edi], ecx
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_634435
		test	byte ptr [ebp+var_C], 41h
		jnz	loc_63461D
		mov	eax, ds:_KiBugCheckActive
		test	al, 3
		jz	loc_63461D
		inc	ds:dword_6D31C8
		mov	dword ptr [edi], 4
		jmp	short loc_634435
; 

loc_634407:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+CBj
		and	[ebp+var_24], 0
		mov	dword ptr [edi], 2
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_634435
		mov	esi, eax

loc_63441A:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+11Aj
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+121j
		lea	ecx, [ebp+var_24]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_63441A
		lock bts dword ptr [esi], 1Fh
		jb	short loc_63441A
		mov	esi, [ebp+var_14]
		mov	edx, [ebp+var_4]

loc_634435:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+D4j
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+F9j ...
		mov	ecx, esi
		mov	[edi+8], edx
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		mov	esi, eax
		mov	al, [edx+16h]
		and	al, 0C0h
		cmp	al, 0C0h
		jnz	loc_6345AE
		or	esi, 8
		jmp	loc_6345AE
; 

loc_634456:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+93j
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+B1j
		cmp	[ebp+var_18], 0
		push	offset unk_6D3440
		jz	short loc_634475
		mov	dword ptr [edi], 8
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		test	eax, eax
		jnz	short loc_634480
		jmp	loc_63461D
; 

loc_634475:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+153j
		mov	dword ptr [edi], 10h
		call	ExAcquireSpinLockExclusiveAtDpcLevel

loc_634480:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+162j
		mov	edx, ds:dword_6D3448
		push	3
		pop	ecx
		mov	[ebp+var_4], ecx
		test	edx, edx
		jz	short loc_6344EA
		mov	eax, [ebp+var_8]

loc_634493:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+1A9j
		mov	esi, [edx+14h]
		mov	[ebp+var_24], esi
		cmp	eax, esi
		jb	short loc_6344B1
		mov	eax, esi
		add	eax, 200h
		cmp	[ebp+var_8], eax
		jb	short loc_6344B7
		mov	edx, [edx+4]
		mov	eax, [ebp+var_8]
		jmp	short loc_6344B3
; 

loc_6344B1:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+18Fj
		mov	edx, [edx]

loc_6344B3:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+1A3j
		test	edx, edx
		jnz	short loc_634493

loc_6344B7:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+19Bj
		mov	esi, [ebp+var_14]
		test	edx, edx
		jz	short loc_6344EA
		mov	ecx, [ebp+var_8]
		mov	eax, [edx+18h]
		and	ecx, 1FFFFFFh
		sub	ecx, [edx+14h]
		mov	ax, [eax+ecx*2]
		mov	word ptr [ebp+var_4], ax
		movzx	ecx, word ptr [ebp+var_4]
		shr	ecx, 0Eh
		mov	[ebp+var_4], ecx
		lea	eax, [ecx-3]
		neg	eax
		sbb	eax, eax
		test	eax, edx
		jnz	short loc_634546

loc_6344EA:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+182j
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+1B0j
		mov	edx, ds:dword_6D344C
		test	edx, edx
		jz	short loc_634546
		mov	eax, [ebp+var_8]

loc_6344F7:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+211j
		mov	esi, [edx+14h]
		cmp	eax, esi
		mov	[ebp+var_1C], esi
		mov	esi, [ebp+var_14]
		jb	short loc_634519
		mov	eax, [ebp+var_1C]
		add	eax, 200h
		cmp	[ebp+var_8], eax
		jb	short loc_634521
		mov	edx, [edx+4]
		mov	eax, [ebp+var_8]
		jmp	short loc_63451B
; 

loc_634519:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+1F6j
		mov	edx, [edx]

loc_63451B:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+20Bj
		test	edx, edx
		jnz	short loc_6344F7
		jmp	short loc_634546
; 

loc_634521:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+203j
		test	edx, edx
		jz	short loc_634546
		mov	ecx, [ebp+var_8]
		mov	eax, [edx+18h]
		and	ecx, 1FFFFFFh
		sub	ecx, [ebp+var_1C]
		mov	ax, [eax+ecx*2]
		mov	word ptr [ebp+var_4], ax
		movzx	ecx, word ptr [ebp+var_4]
		shr	ecx, 0Eh
		mov	[ebp+var_4], ecx

loc_634546:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+1DCj
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+1E6j ...
		cmp	ecx, 3
		jnz	short loc_63457B
		mov	eax, [ebp+var_18]
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx
		mov	[ebp+var_4], eax
		mov	eax, [ebp+var_C]
		test	al, 28h
		jz	short loc_634569
		and	eax, 0FFFFFFD7h

loc_634563:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+278j
		or	eax, 10h

loc_634566:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+283j
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+288j
		mov	[ebp+var_C], eax

loc_634569:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+252j
		test	al, 8
		jnz	short loc_6345A2
		test	al, 10h
		jz	short loc_634596
		call	_KeFlushCurrentTb@0 ; KeFlushCurrentTb()
		or	esi, 8
		jmp	short loc_6345A2
; 

loc_63457B:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+23Dj
		mov	eax, [ebp+var_C]
		and	eax, 0FFFFFFC7h
		sub	ecx, 0
		jz	short loc_634563
		dec	ecx
		sub	ecx, 1
		jz	short loc_634591
		or	eax, 8
		jmp	short loc_634566
; 

loc_634591:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+27Ej
		or	eax, 20h
		jmp	short loc_634566
; 

loc_634596:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+263j
		test	al, 20h
		jz	short loc_634616
		call	_KeFlushCurrentTb@0 ; KeFlushCurrentTb()
		or	esi, 18h

loc_6345A2:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+25Fj
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+26Dj
		cmp	[ebp+var_4], 3
		jnz	short loc_6345AE
		inc	ds:dword_6D31C8

loc_6345AE:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+13Cj
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+145j ...
		mov	edx, [ebp+var_8]
		or	esi, 0A0000000h
		push	esi
		mov	esi, ds:dword_6D31C4
		mov	ecx, esi
		call	MiMakeValidPte
		test	byte ptr [ebp+var_C], 41h
		mov	ecx, eax
		mov	[ebp+var_24], edx
		jz	short loc_6345D7
		mov	ds:byte_6D31C0,	1

loc_6345D7:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+2C2j
		xor	eax, eax
		xor	edx, edx
		nop
		push	ebx
		mov	ebx, ecx
		mov	ecx, [ebp+var_24]
		lock cmpxchg8b qword ptr [esi]
		pop	ebx
		nop
		or	eax, edx
		jnz	short loc_634616
		or	dword ptr [edi], 20h
		xor	edx, edx
		mov	eax, [edi]
		mov	esi, [ebp+var_10]
		mov	ecx, esi
		test	al, 12h
		jz	short loc_634605
		push	1
		call	KeFlushSingleTb
		jmp	short loc_63460A
; 

loc_634605:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+2EEj
		call	KeFlushSingleCurrentTb

loc_63460A:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+2F7j
		mov	eax, [ebp+var_20]
		and	eax, 0FFFh
		add	eax, esi
		jmp	short loc_63461F
; 

loc_634616:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+28Cj
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+2DEj
		mov	ecx, edi
		call	_MiDbgUnTranslatePhysicalAddress@4 ; MiDbgUnTranslatePhysicalAddress(x)

loc_63461D:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+2Bj
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+46j ...
		xor	eax, eax

loc_63461F:				; CODE XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+308j
		pop	edi
		xor	edx, edx
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_MiDbgTranslatePhysicalAddress@16 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDbgUnTranslatePhysicalAddress(x)
_MiDbgUnTranslatePhysicalAddress@4 proc	near ; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+139p
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+30Cp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], edi
		test	byte ptr [edi],	20h
		jz	short loc_63469B
		mov	edi, ds:dword_6D31C4
		mov	eax, edi
		mov	ebx, ds:_ZeroPte
		shl	eax, 9
		mov	[ebp+var_8], eax
		mov	eax, ds:dword_40F9FC
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], eax

loc_634660:				; CODE XREF: MiDbgUnTranslatePhysicalAddress(x)+4Dj
					; MiDbgUnTranslatePhysicalAddress(x)+52j
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_10], ecx
		nop
		mov	ecx, [ebp+var_C]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_634660
		cmp	edx, [ebp+var_10]
		jnz	short loc_634660
		mov	edi, [ebp+var_14]
		xor	edx, edx
		mov	ecx, [ebp+var_8]
		test	byte ptr [edi],	12h
		jz	short loc_634696
		push	1
		call	KeFlushSingleTb
		jmp	short loc_63469B
; 

loc_634696:				; CODE XREF: MiDbgUnTranslatePhysicalAddress(x)+5Fj
		call	KeFlushSingleCurrentTb

loc_63469B:				; CODE XREF: MiDbgUnTranslatePhysicalAddress(x)+13j
					; MiDbgUnTranslatePhysicalAddress(x)+68j
		mov	eax, [edi]
		test	al, 4
		jnz	short loc_6346C7
		test	al, 1
		jnz	short loc_6346A9
		test	al, 2
		jz	short loc_6346B9

loc_6346A9:				; CODE XREF: MiDbgUnTranslatePhysicalAddress(x)+77j
		mov	eax, [edi+8]
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx
		jmp	short loc_6346C7
; 

loc_6346B9:				; CODE XREF: MiDbgUnTranslatePhysicalAddress(x)+7Bj
		test	al, 18h
		jz	short loc_6346C7
		push	offset unk_6D3440
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_6346C7:				; CODE XREF: MiDbgUnTranslatePhysicalAddress(x)+73j
					; MiDbgUnTranslatePhysicalAddress(x)+8Bj ...
		mov	cl, [edi+4]
		cmp	cl, 21h
		jz	short loc_6346D5
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_6346D5:				; CODE XREF: MiDbgUnTranslatePhysicalAddress(x)+A1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiDbgUnTranslatePhysicalAddress@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDbgWriteCheck(x, x, x)
_MiDbgWriteCheck@12 proc near		; CODE XREF: MiDbgCopyMemory(x,x,x,x,x,x)+1ECp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	eax, edx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	[ebp+var_10], eax
		mov	esi, ecx
		mov	[eax], ebx
		mov	[eax+4], ebx
		call	MmIsAddressValidEx
		test	al, al
		jz	loc_634930
		mov	ecx, esi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_634786
		cmp	eax, 1
		jnz	loc_63492C
		mov	eax, ds:_PsNtosImageBase
		test	eax, eax
		jz	short loc_63474A
		mov	ecx, ds:_PsHalImageBase
		test	ecx, ecx
		jz	short loc_63474A
		cmp	esi, eax
		jb	short loc_634736
		cmp	esi, ds:_PsNtosImageEnd
		jb	short loc_63474A

loc_634736:				; CODE XREF: MiDbgWriteCheck(x,x,x)+52j
		cmp	esi, ecx
		jb	loc_63492C
		cmp	esi, ds:_PsHalImageEnd
		jnb	loc_63492C

loc_63474A:				; CODE XREF: MiDbgWriteCheck(x,x,x)+44j
					; MiDbgWriteCheck(x,x,x)+4Ej ...
		mov	edi, esi
		mov	[ebp+var_20], ebx
		shr	edi, 12h
		and	edi, 3FF8h
		mov	[ebp+var_1C], ebx
		sub	edi, 3FA00000h
		mov	eax, [edi]
		mov	[ebp+var_4], eax
		nop
		mov	ebx, [edi+4]
		mov	ecx, eax
		mov	eax, ebx
		shrd	ecx, eax, 0Ch
		mov	eax, esi
		shr	eax, 0Ch
		and	ecx, 1FFFFFFh
		and	eax, 1FFh
		add	ecx, eax
		jmp	short loc_6347B4
; 

loc_634786:				; CODE XREF: MiDbgWriteCheck(x,x,x)+32j
		mov	edi, esi
		mov	[ebp+var_20], ebx
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		mov	[ebp+var_1C], ebx
		sub	edi, 40000000h
		mov	eax, [edi]
		mov	[ebp+var_4], eax
		nop
		mov	ebx, [edi+4]
		mov	ecx, eax
		mov	eax, ebx
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh

loc_6347B4:				; CODE XREF: MiDbgWriteCheck(x,x,x)+AAj
		mov	[ebp+var_8], ecx
		nop
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_634834
		and	[ebp+var_20], 0
		and	[ebp+var_1C], 0
		test	ds:_MiFlags, 1000h
		jz	short loc_634831
		cmp	ecx, ds:dword_6D07B0
		ja	short loc_634834
		mov	eax, ds:dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_634834
		imul	ecx, [ebp+var_8], 1Ch
		add	ecx, ds:_MmPfnDatabase
		lea	eax, [ecx+10h]
		mov	[ebp+var_8], eax
		lock bts dword ptr [eax], 1Fh
		jb	loc_634930
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_634827
		lea	eax, [ebp+var_20]
		xor	edx, edx
		push	eax
		inc	edx
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		mov	eax, [ebp+var_8]

loc_634827:				; CODE XREF: MiDbgWriteCheck(x,x,x)+13Cj
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	short loc_634834
; 

loc_634831:				; CODE XREF: MiDbgWriteCheck(x,x,x)+F9j
		mov	[ebp+var_20], esi

loc_634834:				; CODE XREF: MiDbgWriteCheck(x,x,x)+E5j
					; MiDbgWriteCheck(x,x,x)+101j ...
		mov	edx, [ebp+var_4]
		mov	eax, edx
		and	eax, 800h
		or	eax, 0
		jz	short loc_634851
		mov	eax, edx
		and	eax, 42h
		or	eax, 0
		jnz	loc_6348F8

loc_634851:				; CODE XREF: MiDbgWriteCheck(x,x,x)+167j
		cmp	[ebp+var_C], 0
		jnz	short loc_63486B
		push	ebx
		push	edx
		mov	ecx, esi
		call	_MiDbgMarkPfnModified@12 ; MiDbgMarkPfnModified(x,x,x)
		test	eax, eax
		jz	loc_634930
		mov	edx, [ebp+var_4]

loc_63486B:				; CODE XREF: MiDbgWriteCheck(x,x,x)+17Bj
		mov	eax, [ebp+var_10]
		mov	[ebp+var_14], ebx
		mov	[eax], edx
		or	edx, 862h
		mov	[eax+4], ebx
		mov	[ebp+var_18], edx
		lock inc ds:dword_6D31CC
		and	[ebp+var_4], 0
		mov	ecx, edi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_6348D9
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_6348BC
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	short loc_6348DC

loc_6348AA:				; CODE XREF: MiDbgWriteCheck(x,x,x)+1FBj
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	short loc_6348DC
		or	ebx, 80000000h
		jmp	short loc_6348DC
; 

loc_6348BC:				; CODE XREF: MiDbgWriteCheck(x,x,x)+1C2j
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_4]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_6348AA
		jmp	short loc_6348DC
; 

loc_6348D9:				; CODE XREF: MiDbgWriteCheck(x,x,x)+1B9j
		mov	ecx, [ebp+var_4]

loc_6348DC:				; CODE XREF: MiDbgWriteCheck(x,x,x)+1CEj
					; MiDbgWriteCheck(x,x,x)+1D8j ...
		mov	eax, edi
		mov	[eax+4], ebx
		nop
		mov	[edi], edx
		test	ecx, ecx
		jz	short loc_6348F1
		push	ebx
		push	edx
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_6348F1:				; CODE XREF: MiDbgWriteCheck(x,x,x)+20Cj
		lock dec ds:dword_6D31CC

loc_6348F8:				; CODE XREF: MiDbgWriteCheck(x,x,x)+171j
		test	ds:_MiFlags, 100h
		jnz	short loc_63492C
		mov	eax, 0C0000000h
		mov	ecx, esi
		cmp	esi, eax
		jb	short loc_63491E

loc_63490F:				; CODE XREF: MiDbgWriteCheck(x,x,x)+242j
		cmp	ecx, 0C07FFFFFh
		ja	short loc_63491E
		shl	ecx, 9
		cmp	ecx, eax
		jnb	short loc_63490F

loc_63491E:				; CODE XREF: MiDbgWriteCheck(x,x,x)+233j
					; MiDbgWriteCheck(x,x,x)+23Bj
		call	MiRealVaToFlushType
		mov	edx, eax
		mov	ecx, esi
		call	KeFlushSingleCurrentTb

loc_63492C:				; CODE XREF: MiDbgWriteCheck(x,x,x)+37j
					; MiDbgWriteCheck(x,x,x)+5Ej ...
		mov	eax, esi
		jmp	short loc_634932
; 

loc_634930:				; CODE XREF: MiDbgWriteCheck(x,x,x)+20j
					; MiDbgWriteCheck(x,x,x)+12Fj ...
		xor	eax, eax

loc_634932:				; CODE XREF: MiDbgWriteCheck(x,x,x)+254j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiDbgWriteCheck@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmDbgCopyMemory(x, x, x, x,	x, x)
_MmDbgCopyMemory@24 proc near		; CODE XREF: KdpReadPhysicalMemory(x,x,x,x)+8Bp
					; KdpSearchMemory(x,x,x)+C4p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		cmp	[ebp+arg_8], 2
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[esp+18h+var_C], ecx
		jbe	short loc_634965
		cmp	[ebp+arg_8], 4
		jz	short loc_634965
		cmp	[ebp+arg_8], 8
		jz	short loc_634965
		mov	eax, 80000002h
		jmp	short loc_6349C1
; 

loc_634965:				; CODE XREF: MmDbgCopyMemory(x,x,x,x,x,x)+17j
					; MmDbgCopyMemory(x,x,x,x,x,x)+1Dj ...
		xor	eax, eax
		test	ebx, ebx
		jz	short loc_6349C1
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	[esp+18h+var_4], edx
		mov	[esp+18h+var_8], ecx

loc_634979:				; CODE XREF: MmDbgCopyMemory(x,x,x,x,x,x)+86j
		mov	eax, ecx
		mov	esi, 1000h
		and	eax, 0FFFh
		sub	esi, eax
		cmp	esi, ebx
		jbe	short loc_63498D
		mov	esi, ebx

loc_63498D:				; CODE XREF: MmDbgCopyMemory(x,x,x,x,x,x)+50j
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	edx
		push	ecx
		mov	ecx, [esp+28h+var_C]
		mov	edx, esi
		call	_MiDbgCopyMemory@24 ; MiDbgCopyMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_6349C1
		mov	ecx, [esp+18h+var_8]
		mov	edx, [esp+18h+var_4]
		add	ecx, esi
		mov	[esp+18h+var_8], ecx
		adc	edx, 0
		add	[esp+18h+var_C], esi
		mov	[esp+18h+var_4], edx
		sub	ebx, esi
		jnz	short loc_634979

loc_6349C1:				; CODE XREF: MmDbgCopyMemory(x,x,x,x,x,x)+2Aj
					; MmDbgCopyMemory(x,x,x,x,x,x)+30j ...
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_MmDbgCopyMemory@24 endp


;  S U B	R O U T	I N E 


; __stdcall MiPteHasShadow(x)
_MiPteHasShadow@4 proc near		; CODE XREF: MiIssueHardFault(x,x)+47Bp
					; MiCopyToUserVa(x,x,x,x)+2C5p	...
		test	ds:_MiFlags, 0C00000h
		jz	short loc_6349EB
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	byte ptr [eax+74h], 1
		jz	short loc_6349EB
		xor	eax, eax
		inc	eax
		retn
; 

loc_6349EB:				; CODE XREF: MiPteHasShadow(x)+Aj
					; MiPteHasShadow(x)+1Cj
		xor	eax, eax
		retn
_MiPteHasShadow@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReadPteShadow(x, x, x)
_MiReadPteShadow@12 proc near		; CODE XREF: KiCalibrateTimeAdjustment+2E5p
					; MmMarkHiberPhase()+48p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		pop	ebp
		retn	8
_MiReadPteShadow@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWritePteShadow(x,	x, x)
_MiWritePteShadow@12 proc near		; CODE XREF: MiUpdateSystemPdes+A9p
					; MiIssueHardFault(x,x)+4C8p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_634A53
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+304h]
		test	eax, eax
		jz	short loc_634A53
		mov	edx, [ebp+arg_0]
		shr	ecx, 3
		and	ecx, 1FFh
		push	esi
		lea	esi, [eax+ecx*8]
		mov	eax, edx
		and	eax, 1
		xor	ecx, ecx
		or	eax, ecx
		jz	short loc_634A47
		mov	ecx, [ebp+arg_4]
		and	ecx, 7FFFFFFFh
		jmp	short loc_634A49
; 

loc_634A47:				; CODE XREF: MiWritePteShadow(x,x,x)+3Dj
		mov	edx, ecx

loc_634A49:				; CODE XREF: MiWritePteShadow(x,x,x)+48j
		push	ecx
		push	edx
		mov	ecx, esi
		call	MI_INTERLOCKED_EXCHANGE_PTE
		pop	esi

loc_634A53:				; CODE XREF: MiWritePteShadow(x,x,x)+Cj
					; MiWritePteShadow(x,x,x)+22j
		pop	ebp
		retn	8
_MiWritePteShadow@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogKernelStackEvent(x, x,	x)
_MiLogKernelStackEvent@12 proc near	; CODE XREF: MmDeleteKernelStack(x,x)+3Cp
					; MmCreateKernelStack+10E88Fp ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_28], 0
		xor	eax, eax
		and	[ebp+var_18], 0
		and	eax, 0FFFFFFFBh
		and	[ebp+var_10], 0
		or	eax, 0Bh
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], edx
		xor	edx, edx
		mov	[ebp+var_1C], eax
		inc	edx
		xor	eax, eax
		mov	[ebp+var_24], ecx
		cmp	[ebp+arg_0], edx
		lea	ecx, [ebp+var_1C]
		push	11401B02h
		setnz	al
		mov	[ebp+var_14], 10h
		add	eax, 278h
		push	eax
		push	20000001h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiLogKernelStackEvent@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiSearchChannelTable(x)
_MiSearchChannelTable@4	proc near	; CODE XREF: MiRestrictRangeToNode+5D7D1p
					; MxPageAlwaysHot:loc_AE1873p
		mov	edx, ds:dword_6D0694
		push	esi
		mov	esi, ds:dword_6D0690
		cmp	esi, edx
		ja	short loc_634AEB
		imul	eax, esi, 0Ch
		add	eax, ds:dword_6D06B4
		cmp	ecx, [eax]
		jb	short loc_634AEB
		cmp	esi, edx
		jz	short loc_634B45
		cmp	ecx, [eax+0Ch]
		jb	short loc_634B45

loc_634AEB:				; CODE XREF: MiSearchChannelTable(x)+Fj
					; MiSearchChannelTable(x)+1Cj
		push	edi
		xor	edi, edi
		test	edx, edx
		js	short loc_634B21

loc_634AF2:				; CODE XREF: MiSearchChannelTable(x)+5Bj
		lea	eax, [edi+edx]
		sar	eax, 1
		imul	esi, eax, 0Ch
		add	esi, ds:dword_6D06B4
		cmp	ecx, [esi]
		jnb	short loc_634B0D
		test	eax, eax
		jz	short loc_634B2D
		lea	edx, [eax-1]
		jmp	short loc_634B1D
; 

loc_634B0D:				; CODE XREF: MiSearchChannelTable(x)+3Ej
		cmp	eax, ds:dword_6D0694
		jz	short loc_634B3D
		cmp	ecx, [esi+0Ch]
		jb	short loc_634B3D
		lea	edi, [eax+1]

loc_634B1D:				; CODE XREF: MiSearchChannelTable(x)+47j
		cmp	edx, edi
		jge	short loc_634AF2

loc_634B21:				; CODE XREF: MiSearchChannelTable(x)+2Cj
		push	0
		push	0
		push	ecx
		push	6202h
		jmp	short loc_634B36
; 

loc_634B2D:				; CODE XREF: MiSearchChannelTable(x)+42j
		push	0
		push	esi
		push	ecx
		push	6200h

loc_634B36:				; CODE XREF: MiSearchChannelTable(x)+67j
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_634B3D:				; CODE XREF: MiSearchChannelTable(x)+4Fj
					; MiSearchChannelTable(x)+54j
		mov	ds:dword_6D0690, eax
		mov	eax, esi
		pop	edi

loc_634B45:				; CODE XREF: MiSearchChannelTable(x)+20j
					; MiSearchChannelTable(x)+25j
		pop	esi
		retn
_MiSearchChannelTable@4	endp ; sp = -14h


;  S U B	R O U T	I N E 


; __stdcall MI_NODE_FROM_PFN(x)
_MI_NODE_FROM_PFN@4 proc near		; CODE XREF: .text:004B5A6Cp
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, ecx
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		mov	eax, [eax+4]
		retn
_MI_NODE_FROM_PFN@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiComputePreferredNode(x)
_MiComputePreferredNode@4 proc near	; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+35p
		mov	edx, [ecx+1Ch]
		mov	eax, edx
		shr	eax, 0Ch
		and	eax, 3Fh
		jnz	short loc_634B85
		test	edx, 100000h
		jnz	short loc_634B87
		mov	eax, [ecx+2Ch]
		mov	eax, [eax]
		mov	eax, [eax+1Ch]
		shr	eax, 14h
		and	eax, 3Fh
		jz	short loc_634B87

loc_634B85:				; CODE XREF: MiComputePreferredNode(x)+Bj
		dec	eax
		retn
; 

loc_634B87:				; CODE XREF: MiComputePreferredNode(x)+13j
					; MiComputePreferredNode(x)+23j
		mov	eax, large fs:124h
		mov	eax, [eax+16Ch]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		movzx	eax, byte ptr [eax+4C1h]
		retn
_MiComputePreferredNode@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmFillEtwNodeInformation(x,	x, x, x)
_MmFillEtwNodeInformation@16 proc near	; CODE XREF: EtwpLogMemNodeInfo()+AEp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx]
		mov	[ebp+var_8], eax
		movzx	eax, ds:_KeNumberNodes
		push	ebx
		mov	ebx, [ebp+arg_0]
		cmp	ebx, eax
		jbe	short loc_634BBF
		mov	ebx, eax

loc_634BBF:				; CODE XREF: MmFillEtwNodeInformation(x,x,x,x)+19j
		xor	eax, eax
		mov	[ebp+var_4], eax
		test	ebx, ebx
		jz	loc_634C56
		and	[ebp+arg_0], eax
		push	esi
		push	edi
		lea	edi, [edx+14h]

loc_634BD4:				; CODE XREF: MmFillEtwNodeInformation(x,x,x,x)+AEj
		push	4Ch		; size_t
		lea	esi, [edi-14h]
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	edx, [ebp+var_4]
		mov	ecx, [eax+10h]
		add	ecx, [ebp+arg_0]
		inc	edx
		add	[ebp+arg_0], 280h
		mov	[esi], edx
		xor	esi, esi
		mov	[ebp+var_4], edx
		mov	eax, [ecx+1DCh]
		mov	[edi-10h], eax
		mov	[edi-0Ch], esi
		mov	eax, [ecx+1D0h]
		mov	[edi], eax
		lea	edi, [edi+4Ch]
		mov	[edi-48h], esi
		mov	eax, [ecx+1D4h]
		mov	[edi-54h], eax
		mov	[edi-50h], esi
		mov	eax, [ecx+98h]
		mov	[edi-3Ch], eax
		mov	[edi-38h], esi
		mov	eax, [ecx+9Ch]
		mov	[edi-44h], eax
		mov	[edi-40h], esi
		mov	eax, [ecx]
		mov	[edi-2Ch], eax
		mov	[edi-28h], esi
		mov	eax, [ecx+4]
		mov	[edi-34h], eax
		mov	[edi-30h], esi
		cmp	edx, ebx
		jb	short loc_634BD4
		pop	edi
		mov	eax, edx
		pop	esi

loc_634C56:				; CODE XREF: MmFillEtwNodeInformation(x,x,x,x)+24j
		mov	ecx, [ebp+var_8]
		pop	ebx
		movzx	edx, word ptr [ecx]
		mov	ecx, [ebp+arg_4]
		mov	[ecx], edx
		leave
		retn	8
_MmFillEtwNodeInformation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetNodeFastLargePageCounts(x, x, x)
_MmGetNodeFastLargePageCounts@12 proc near
					; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+153p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	eax, ds:_KeNumberNodes
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		mov	[ebp+var_1], bl
		push	edi
		cmp	esi, eax
		jnb	short loc_634D00

loc_634C81:				; CODE XREF: MmGetNodeFastLargePageCounts(x,x,x)+2Cj
		cmp	ds:_MiLargePageSizes[ebx*4], 200h
		jz	short loc_634C94
		inc	ebx
		cmp	ebx, 2
		jb	short loc_634C81

loc_634C94:				; CODE XREF: MmGetNodeFastLargePageCounts(x,x,x)+26j
		cmp	ebx, 2
		jz	short loc_634D00
		lea	eax, [ebp-1]
		or	ecx, 0FFFFFFFFh
		push	eax
		call	MiPartitionObjectToPartition
		mov	edi, eax
		test	edi, edi
		jz	short loc_634D00
		imul	edx, esi, 280h
		mov	esi, ds:_MiLargePageSizes[ebx*4]
		imul	ecx, ebx, 98h
		shr	esi, 9
		add	edx, [edi+10h]
		add	edx, ecx
		mov	eax, [edx+4]
		add	eax, [edx]
		imul	esi, eax
		jmp	short loc_634CEB
; 

loc_634CD0:				; CODE XREF: MmGetNodeFastLargePageCounts(x,x,x)+87j
		mov	ecx, ds:dword_4102F0[ebx*4]
		lea	edx, [edx-98h]
		mov	eax, [edx+4]
		dec	ebx
		add	eax, [edx]
		shr	ecx, 9
		imul	ecx, eax
		add	esi, ecx

loc_634CEB:				; CODE XREF: MmGetNodeFastLargePageCounts(x,x,x)+68j
		test	ebx, ebx
		jnz	short loc_634CD0
		cmp	[ebp+var_1], bl
		jz	short loc_634CFC
		mov	ecx, [edi+64h]
		call	PsDereferencePartition

loc_634CFC:				; CODE XREF: MmGetNodeFastLargePageCounts(x,x,x)+8Cj
		mov	eax, esi
		jmp	short loc_634D02
; 

loc_634D00:				; CODE XREF: MmGetNodeFastLargePageCounts(x,x,x)+19j
					; MmGetNodeFastLargePageCounts(x,x,x)+31j ...
		xor	eax, eax

loc_634D02:				; CODE XREF: MmGetNodeFastLargePageCounts(x,x,x)+98j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MmGetNodeFastLargePageCounts@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiCanGrantExecute(x, x)
_MiCanGrantExecute@8 proc near		; CODE XREF: .text:00465FE2p
					; MiLargePageFault(x,x)+145p
		mov	edi, edi
		push	esi
		mov	esi, ds:_KeFeatureBits
		mov	eax, esi
		and	eax, 40000000h
		or	eax, 0
		jnz	short loc_634D34
		mov	al, [ecx+6Bh]
		test	al, 2
		jnz	short loc_634D34
		and	esi, 80000000h
		or	esi, 0
		jnz	short loc_634D79
		test	al, 1
		jnz	short loc_634D79

loc_634D34:				; CODE XREF: MiCanGrantExecute(x,x)+13j
					; MiCanGrantExecute(x,x)+1Aj
		mov	eax, edx
		and	eax, 0FFFFF000h
		cmp	eax, 7FFE0000h
		jnz	short loc_634D4B
		test	byte ptr [ecx+3A8h], 1
		jz	short loc_634D74

loc_634D4B:				; CODE XREF: MiCanGrantExecute(x,x)+37j
		mov	ecx, edx
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		test	eax, eax
		jz	short loc_634D79
		mov	eax, [eax+1Ch]
		mov	ecx, eax
		and	ecx, 70h
		cmp	ecx, 30h
		jz	short loc_634D79
		cmp	ecx, 20h
		jnz	short loc_634D74
		and	eax, 0F80h
		cmp	eax, 80h
		jz	short loc_634D79

loc_634D74:				; CODE XREF: MiCanGrantExecute(x,x)+40j
					; MiCanGrantExecute(x,x)+5Dj
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_634D79:				; CODE XREF: MiCanGrantExecute(x,x)+25j
					; MiCanGrantExecute(x,x)+29j ...
		xor	eax, eax
		pop	esi
		retn
_MiCanGrantExecute@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFillVirtualFaultInfo(x, x, x, x)
_MiFillVirtualFaultInfo@16 proc	near	; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+8BFp
					; MiValidVirtualizationFault(x,x,x)+58p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	ecx, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	eax, ecx
		or	edi, edx
		and	eax, 42h
		mov	esi, [ebx+4]
		xor	edx, edx
		and	esi, 0FFF00000h
		mov	[ebx], edi
		or	esi, edx
		or	esi, 100000h
		or	eax, edx
		mov	[ebx+4], esi
		jz	short loc_634DBA
		or	esi, 200000h
		mov	[ebx], edi
		mov	[ebx+4], esi

loc_634DBA:				; CODE XREF: MiFillVirtualFaultInfo(x,x,x,x)+30j
		cmp	[ebp+arg_4], edx
		jl	short loc_634DD0
		jg	short loc_634DC5
		cmp	ecx, edx
		jb	short loc_634DD0

loc_634DC5:				; CODE XREF: MiFillVirtualFaultInfo(x,x,x,x)+42j
		or	esi, 400000h
		mov	[ebx], edi
		mov	[ebx+4], esi

loc_634DD0:				; CODE XREF: MiFillVirtualFaultInfo(x,x,x,x)+40j
					; MiFillVirtualFaultInfo(x,x,x,x)+46j
		and	ecx, 18h
		or	ecx, edx
		jz	short loc_634DE2
		or	esi, 800000h
		mov	[ebx], edi
		mov	[ebx+4], esi

loc_634DE2:				; CODE XREF: MiFillVirtualFaultInfo(x,x,x,x)+58j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_MiFillVirtualFaultInfo@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGenerateAccessViolation(x)
_MiGenerateAccessViolation@4 proc near	; CODE XREF: .text:004B0132p
					; .text:004B022Ep ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ecx]
		mov	ecx, ebx
		call	_MiDeterminePoolType@4 ; MiDeterminePoolType(x)
		cmp	eax, 20h
		jz	short loc_634E7D
		push	esi
		push	edi
		push	offset unk_6CF35C
		mov	edi, offset unk_6CF360
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	[ebp+var_1], al

loc_634E12:				; CODE XREF: MiGenerateAccessViolation(x)+74j
		mov	esi, [edi]
		jmp	short loc_634E27
; 

loc_634E16:				; CODE XREF: MiGenerateAccessViolation(x)+40j
		cmp	ebx, [esi+10h]
		ja	short loc_634E24
		cmp	ebx, [esi+0Ch]
		jnb	short loc_634E2D
		mov	esi, [esi]
		jmp	short loc_634E27
; 

loc_634E24:				; CODE XREF: MiGenerateAccessViolation(x)+30j
		mov	esi, [esi+4]

loc_634E27:				; CODE XREF: MiGenerateAccessViolation(x)+2Bj
					; MiGenerateAccessViolation(x)+39j
		test	esi, esi
		jnz	short loc_634E16
		jmp	short loc_634E31
; 

loc_634E2D:				; CODE XREF: MiGenerateAccessViolation(x)+35j
		test	esi, esi
		jnz	short loc_634E5F

loc_634E31:				; CODE XREF: MiGenerateAccessViolation(x)+42j
		cmp	edi, offset unk_6CF360
		jnz	short loc_634E5F
		mov	eax, large fs:124h
		mov	edi, [eax+80h]
		test	dword ptr [edi+0FCh], 10000h
		jz	short loc_634E5F
		mov	edi, [edi+180h]
		add	edi, 2434h
		jmp	short loc_634E12
; 

loc_634E5F:				; CODE XREF: MiGenerateAccessViolation(x)+46j
					; MiGenerateAccessViolation(x)+4Ej ...
		push	offset unk_6CF35C
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		test	esi, esi
		pop	esi
		jz	short loc_634E7D
		xor	eax, eax
		inc	eax
		jmp	short loc_634E7F
; 

loc_634E7D:				; CODE XREF: MiGenerateAccessViolation(x)+13j
					; MiGenerateAccessViolation(x)+8Dj
		xor	eax, eax

loc_634E7F:				; CODE XREF: MiGenerateAccessViolation(x)+92j
		pop	ebx
		leave
		retn
_MiGenerateAccessViolation@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetVirtualFaultPageInfo(x, x)
_MiGetVirtualFaultPageInfo@8 proc near	; CODE XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+78Ep
					; MiLargePageFault(x,x)+21Ap ...
		mov	eax, [ecx+4]
		push	esi
		mov	esi, [eax]
		cmp	edx, esi
		jb	short loc_634EA2
		mov	eax, [eax+4]
		add	eax, esi
		cmp	edx, eax
		jnb	short loc_634EA2
		mov	eax, [ecx+14h]
		sub	edx, esi
		shr	edx, 0Ch
		pop	esi
		lea	eax, [eax+edx*8]
		retn
; 

loc_634EA2:				; CODE XREF: MiGetVirtualFaultPageInfo(x,x)+8j
					; MiGetVirtualFaultPageInfo(x,x)+11j
		xor	eax, eax
		pop	esi
		retn
_MiGetVirtualFaultPageInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertLargeVadMapping(x, x, x, x,	x)
_MiInsertLargeVadMapping@20 proc near	; CODE XREF: MiInPagePageTable+14B819p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	MiLockProtoPoolPage
		test	eax, eax
		jz	loc_634F6D
		mov	edi, [esi]
		nop
		mov	esi, [esi+4]
		mov	dl, 21h
		mov	ecx, eax
		call	MiUnlockProtoPoolPage
		nop
		mov	eax, [ebp+arg_8]
		shr	ebx, 9
		or	eax, 84000000h
		shrd	edi, esi, 0Ch
		and	ebx, offset loc_7FFFF8
		and	edi, 1FFFE00h
		push	eax
		mov	edx, edi
		lea	ecx, [ebx-40000000h]
		call	MiMakeValidPte
		mov	ecx, [ebp+arg_4]
		mov	esi, eax
		mov	[ebp+var_4], edx
		xor	edi, edi
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		xor	ebx, ebx
		inc	ebx
		test	eax, eax
		jz	short loc_634F5A
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_634F33
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	edi, ebx
		jnz	short loc_634F5A
		jmp	short loc_634F4B
; 

loc_634F33:				; CODE XREF: MiInsertLargeVadMapping(x,x,x,x,x)+7Ej
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_634F5A

loc_634F4B:				; CODE XREF: MiInsertLargeVadMapping(x,x,x,x,x)+8Bj
		mov	eax, esi
		and	eax, ebx
		or	eax, 0
		jz	short loc_634F5A
		or	edx, 80000000h

loc_634F5A:				; CODE XREF: MiInsertLargeVadMapping(x,x,x,x,x)+75j
					; MiInsertLargeVadMapping(x,x,x,x,x)+89j ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], esi
		test	edi, edi
		jz	short loc_634F6B
		push	edx
		push	esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_634F6B:				; CODE XREF: MiInsertLargeVadMapping(x,x,x,x,x)+BCj
		mov	eax, ebx

loc_634F6D:				; CODE XREF: MiInsertLargeVadMapping(x,x,x,x,x)+19j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiInsertLargeVadMapping@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiKernelWriteToExecutableMemory(x, x, x, x)
_MiKernelWriteToExecutableMemory@16 proc near ;	CODE XREF: .text:00465FB0p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, [edx+24Ch]
		mov	eax, ecx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		xor	esi, esi
		mov	ecx, [ebx+0F90h]
		mov	dl, 21h
		mov	edi, [eax]
		mov	[ebp+var_10], ecx
		mov	ecx, [ebx+0F94h]
		mov	[ebp+var_14], ecx
		lea	ecx, [eax+14h]
		shr	edi, 9
		push	esi
		mov	[ebp+var_4], eax
		and	edi, offset loc_7FFFF8
		call	_MiReleaseFaultState@12	; MiReleaseFaultState(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		call	_PsNotifyWriteToExecutableMemory@8 ; PsNotifyWriteToExecutableMemory(x,x)
		test	eax, eax
		jns	short loc_634FE2
		mov	ecx, [ebp+var_8]
		call	_MiForceCrashForInvalidAccess@8	; MiForceCrashForInvalidAccess(x,x)
		mov	ecx, [ebp+var_4]
		mov	esi, 0C0000723h
		mov	edx, [ebp+var_C]
		lea	ecx, [ecx+14h]
		call	MiRelockFaultState
		jmp	short loc_63503C
; 

loc_634FE2:				; CODE XREF: MiKernelWriteToExecutableMemory(x,x,x,x)+4Fj
		mov	edx, ecx
		mov	ecx, [ebp+var_4]
		lea	ecx, [ecx+14h]
		call	MiRelockFaultState
		mov	eax, [ebx+0F90h]
		mov	ecx, [ebx+0F94h]
		cmp	[ebp+var_10], eax
		jnz	short loc_635037
		cmp	[ebp+var_14], ecx
		jnz	short loc_635037
		mov	eax, [ebp+var_4]
		test	byte ptr [eax+1Dh], 1
		jz	short loc_63501D
		lea	ecx, [edi-40000000h]
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_635037

loc_63501D:				; CODE XREF: MiKernelWriteToExecutableMemory(x,x,x,x)+98j
		mov	eax, [edi-40000000h]
		nop
		xor	eax, [ebp+arg_0]
		mov	ecx, [edi-3FFFFFFCh]
		and	eax, 0FFFFFFDFh
		xor	ecx, [ebp+arg_4]
		or	eax, ecx
		jz	short loc_63503C

loc_635037:				; CODE XREF: MiKernelWriteToExecutableMemory(x,x,x,x)+8Aj
					; MiKernelWriteToExecutableMemory(x,x,x,x)+8Fj	...
		mov	esi, 0C0000434h

loc_63503C:				; CODE XREF: MiKernelWriteToExecutableMemory(x,x,x,x)+6Cj
					; MiKernelWriteToExecutableMemory(x,x,x,x)+C1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiKernelWriteToExecutableMemory@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLargePageFault(x,	x)
_MiLargePageFault@8 proc near		; CODE XREF: MiInPagePageTable+14B8A2p
					; .text:005B2619p

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_A0]
		mov	ebx, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_A8], ebx
		mov	edi, ecx
		call	_memset
		xor	edx, edx
		mov	eax, ebx
		inc	edx
		shl	eax, 12h
		mov	esi, 0C0000000h
		mov	[ebp+var_AC], edx
		add	esp, 0Ch
		mov	ecx, 200000h
		mov	[ebp+var_A4], ecx
		cmp	eax, esi
		jb	short loc_6350BD

loc_63509F:				; CODE XREF: MiLargePageFault(x,x)+6Aj
		cmp	eax, 0C07FFFFFh
		ja	short loc_6350B1
		shl	eax, 9
		inc	edx
		shl	ecx, 9
		cmp	eax, esi
		jnb	short loc_63509F

loc_6350B1:				; CODE XREF: MiLargePageFault(x,x)+5Fj
		mov	[ebp+var_AC], edx
		mov	[ebp+var_A4], ecx

loc_6350BD:				; CODE XREF: MiLargePageFault(x,x)+58j
		mov	esi, [ebx]
		nop
		mov	ecx, [edi+8]
		mov	ebx, [ebx+4]
		test	cl, 1
		jz	short loc_6350D9
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		cmp	byte ptr [eax],	1
		jz	loc_6352B1

loc_6350D9:				; CODE XREF: MiLargePageFault(x,x)+84j
		test	byte ptr [edi+24h], 20h
		jnz	loc_6352B5
		test	byte ptr [edi+4], 2
		jz	short loc_635160
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jz	loc_6352B5
		mov	edx, [ebp+var_A8]
		push	ebx
		push	esi
		push	0
		push	ecx
		push	dword ptr [edi]
		mov	ecx, edi
		call	MiNoFaultFound
		test	eax, eax
		jz	short loc_635160
		push	[ebp+var_AC]
		mov	edx, [ebp+var_A4]
		xor	ecx, ecx
		xor	eax, eax
		mov	[ebp+var_9C], cx
		inc	eax
		mov	[ebp+var_90], ecx
		neg	edx
		mov	[ebp+var_8C], ecx
		and	edx, [edi]
		lea	ecx, [ebp+var_A0]
		push	eax
		mov	[ebp+var_A0], eax
		mov	[ebp+var_98], 21h
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList

loc_635160:				; CODE XREF: MiLargePageFault(x,x)+A2j
					; MiLargePageFault(x,x)+CAj
		test	byte ptr [edi+4], 10h
		jz	loc_63522E
		mov	ecx, ebx
		xor	eax, eax
		and	ecx, 80000000h
		or	eax, ecx
		jz	loc_63521C
		mov	eax, large fs:124h
		mov	edx, [edi]
		mov	ecx, [eax+80h]
		call	_MiCanGrantExecute@8 ; MiCanGrantExecute(x,x)
		test	eax, eax
		jz	loc_6352B5
		nop
		mov	ecx, esi
		mov	eax, ebx
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		cmp	ecx, ds:dword_6D07B0
		ja	loc_6352B5
		mov	eax, ds:dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		xor	edx, edx
		shr	eax, cl
		inc	edx
		and	eax, edx
		jz	loc_6352B5
		and	ebx, 7FFFFFFFh
		mov	[ebp+var_B8], esi
		mov	eax, 300h
		mov	[ebp+var_B4], ebx
		test	ds:_MiFlags, eax
		jz	short loc_6351FD
		or	esi, 20h
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_B8], esi

loc_6351FD:				; CODE XREF: MiLargePageFault(x,x)+1A7j
		nop
		mov	ecx, [ebp+var_A8]
		mov	[ecx], esi
		mov	[ecx+4], ebx
		test	ds:_MiFlags, eax
		jnz	short loc_635234
		mov	ecx, [edi]
		push	0
		call	KeFlushSingleTb
		jmp	short loc_63522E
; 

loc_63521C:				; CODE XREF: MiLargePageFault(x,x)+131j
		test	byte ptr [edi+24h], 40h
		jnz	short loc_63522E
		push	ebx
		push	esi
		push	7
		pop	edx
		mov	ecx, edi
		call	MiCheckSystemNxFault

loc_63522E:				; CODE XREF: MiLargePageFault(x,x)+11Fj
					; MiLargePageFault(x,x)+1D5j ...
		mov	ecx, [ebp+var_A8]

loc_635234:				; CODE XREF: MiLargePageFault(x,x)+1CAj
		mov	eax, [edi+8]
		test	al, 1
		jz	short loc_6352B1
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_A4], eax
		cmp	byte ptr [eax],	5
		jnz	short loc_6352B1
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	_MiValidVirtualizationFault@12 ; MiValidVirtualizationFault(x,x,x)
		test	eax, eax
		jz	short loc_6352B1
		mov	edx, [edi]
		mov	ecx, [ebp+var_A4]
		call	_MiGetVirtualFaultPageInfo@8 ; MiGetVirtualFaultPageInfo(x,x)
		mov	[ebp+var_A4], eax
		nop
		mov	edx, [edi]
		shrd	esi, ebx, 0Ch
		mov	ebx, [ebp+var_AC]
		and	esi, 1FFFFFFh
		shr	edx, 0Ch
		test	ebx, ebx
		jz	short loc_63529E
		xor	ecx, ecx
		inc	ecx

loc_635287:				; CODE XREF: MiLargePageFault(x,x)+257j
		mov	eax, edx
		shr	edx, 9
		and	eax, 1FFh
		imul	eax, ecx
		shl	ecx, 9
		add	esi, eax
		sub	ebx, 1
		jnz	short loc_635287

loc_63529E:				; CODE XREF: MiLargePageFault(x,x)+23Dj
		mov	edx, [ebp+var_A4]
		xor	eax, eax
		and	dword ptr [edx+4], 0FFF00000h
		or	eax, esi
		mov	[edx], eax

loc_6352B1:				; CODE XREF: MiLargePageFault(x,x)+8Ej
					; MiLargePageFault(x,x)+1F4j ...
		xor	eax, eax
		jmp	short loc_6352BA
; 

loc_6352B5:				; CODE XREF: MiLargePageFault(x,x)+98j
					; MiLargePageFault(x,x)+AEj ...
		mov	eax, 0C0000005h

loc_6352BA:				; CODE XREF: MiLargePageFault(x,x)+26Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiLargePageFault@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReleaseFaultSynchronization(x)
_MiReleaseFaultSynchronization@4 proc near ; CODE XREF:	MmAccessFault+14B2A5p

var_50		= dword	ptr -50h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		test	byte ptr [ebx+24h], 10h
		lea	esi, [ebx+14h]
		jz	short loc_635309
		push	50h		; size_t
		lea	eax, [ebp+var_50]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebx]
		lea	edi, [ebp+var_38]
		movsd
		lea	ecx, [ebp+var_50]
		add	esp, 0Ch
		movsd
		movsd
		movsd
		mov	[ebp+var_3C], eax
		call	_MiUnlockSystemVa@4 ; MiUnlockSystemVa(x)
		and	dword ptr [ebx+24h], 0FFFFFFEFh
		jmp	short loc_635314
; 

loc_635309:				; CODE XREF: MiReleaseFaultSynchronization(x)+14j
		push	0
		mov	dl, 21h
		mov	ecx, esi
		call	_MiReleaseFaultState@12	; MiReleaseFaultState(x,x,x)

loc_635314:				; CODE XREF: MiReleaseFaultSynchronization(x)+3Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiReleaseFaultSynchronization@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiValidVirtualizationFault(x, x, x)
_MiValidVirtualizationFault@12 proc near ; CODE	XREF: .text:004662A4p
					; MiLargePageFault(x,x)+209p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		mov	edx, [ecx]
		push	edi
		mov	ecx, esi
		call	_MiGetVirtualFaultPageInfo@8 ; MiGetVirtualFaultPageInfo(x,x)
		mov	edi, [ebp+arg_0]
		mov	ebx, eax
		mov	edx, [edi]
		nop
		test	byte ptr [esi+1Ch], 1
		mov	ecx, [edi+4]
		jz	short loc_635347
		mov	eax, edx
		and	eax, 42h
		or	eax, 0
		jz	short loc_635379

loc_635347:				; CODE XREF: MiValidVirtualizationFault(x,x,x)+22j
		mov	eax, edx
		and	eax, 20h
		or	eax, 0
		jnz	short loc_635362
		push	ecx
		push	edx
		push	1
		mov	edx, edi
		call	MiPerformSafePdeWrite
		mov	edx, [edi]
		nop
		mov	ecx, [edi+4]

loc_635362:				; CODE XREF: MiValidVirtualizationFault(x,x,x)+36j
		nop
		push	ecx
		push	edx
		shrd	edx, ecx, 0Ch
		mov	ecx, ebx
		and	edx, 1FFFFFFh
		call	_MiFillVirtualFaultInfo@16 ; MiFillVirtualFaultInfo(x,x,x,x)
		xor	eax, eax
		inc	eax

loc_635379:				; CODE XREF: MiValidVirtualizationFault(x,x,x)+2Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MiValidVirtualizationFault@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddPagesToEnclave(x, x, x, x, x)
_MiAddPagesToEnclave@20	proc near	; CODE XREF: MiCommitEnclavePages(x,x,x,x,x,x)+16Fp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_18], edi
		test	byte ptr [esi+28h], 2
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], ecx
		jz	short loc_6353BC
		test	byte ptr [esi+2Ch], 1
		jnz	short loc_6353BC
		mov	eax, 0C0000018h
		jmp	loc_6356EC
; 

loc_6353BC:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+2Aj
					; MiAddPagesToEnclave(x,x,x,x,x)+30j
		mov	eax, large fs:124h
		mov	[ebp+var_14], ecx
		mov	eax, [eax+80h]
		add	eax, 240h
		mov	[ebp+var_8], eax
		mov	eax, [esi+3Ch]
		cmp	eax, edi
		jnb	short loc_6353F8
		mov	ebx, edi
		mov	edx, offset _MiSystemPartition
		sub	ebx, eax
		mov	ecx, esi
		push	ebx
		mov	[ebp+var_14], ebx
		call	_MiReserveEnclavePages@12 ; MiReserveEnclavePages(x,x,x)
		test	eax, eax
		js	loc_6356EC
		xor	ecx, ecx

loc_6353F8:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+58j
		test	byte ptr [esi+28h], 2
		jnz	loc_6354AC
		xor	edx, edx
		mov	ecx, offset dword_6D35E0
		inc	edx
		call	MiReservePtes
		mov	ebx, eax
		mov	[ebp+var_28], ebx
		test	ebx, ebx
		jnz	short loc_635422
		mov	esi, 0C000009Ah
		jmp	loc_6356D9
; 

loc_635422:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+96j
		mov	edx, ds:dword_6D34F0
		mov	ecx, ebx
		push	20000001h
		call	MiMakeValidPte
		and	[ebp+var_C], 0
		mov	ecx, ebx
		mov	edi, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_635489
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_63546C
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	short loc_63548C

loc_63545A:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+105j
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	short loc_63548C
		or	edx, 80000000h
		jmp	short loc_63548C
; 

loc_63546C:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+CCj
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_C]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_63545A
		jmp	short loc_63548C
; 

loc_635489:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+C3j
		mov	ecx, [ebp+var_C]

loc_63548C:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+D8j
					; MiAddPagesToEnclave(x,x,x,x,x)+E2j ...
		mov	[ebx+4], edx
		nop
		mov	[ebx], edi
		test	ecx, ecx
		jz	short loc_63549F
		push	edx
		push	edi
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_63549F:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+114j
		mov	edi, [ebp+var_18]
		mov	eax, ebx
		shl	eax, 9
		mov	[ebp+var_24], eax
		jmp	short loc_6354B2
; 

loc_6354AC:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+7Cj
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx

loc_6354B2:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+12Aj
		mov	ecx, edi
		cmp	edi, 21h
		jbe	short loc_6354BC
		push	21h
		pop	ecx

loc_6354BC:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+137j
		inc	ecx
		lea	eax, [ebp+var_4C]
		push	eax
		mov	edx, ecx
		call	MiCreatePteCopyList
		cmp	[ebp+var_48], 0
		jnz	short loc_6354D8
		mov	esi, 0C000009Ah
		jmp	loc_6356C4
; 

loc_6354D8:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+14Cj
		mov	eax, [ebp+arg_8]
		mov	ebx, eax
		shr	ebx, 1
		and	bl, 2
		or	bl, 31h
		test	al, 2
		jz	short loc_6354EC
		or	bl, 4

loc_6354EC:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+167j
		test	byte ptr [esi+28h], 2
		jz	short loc_6354FC
		or	bl, 40h
		mov	[ebp+arg_8], 4

loc_6354FC:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+170j
		mov	eax, [esi+30h]
		xor	edi, edi
		mov	ecx, [ebp+var_8]
		shl	eax, 9
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_0]
		shl	eax, 9
		mov	[ebp+var_1C], eax
		call	MiLockWorkingSetShared
		mov	ecx, [ebp+arg_4]
		mov	byte ptr [ebp+var_10], al
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		cmp	eax, ecx
		ja	loc_63569F

loc_63552C:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+30Bj
		test	al, 78h
		jnz	short loc_635582
		cmp	eax, [ebp+arg_0]
		jz	short loc_635582
		mov	ecx, [ebp+var_8]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_63555F
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	short loc_63555C
		test	edi, edi
		jz	short loc_635597
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jz	short loc_63557F

loc_63555C:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+1C8j
		mov	ecx, [ebp+var_8]

loc_63555F:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+1BFj
		test	edi, edi
		jz	short loc_63556C
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	edi, edi

loc_63556C:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+1E1j
		mov	dl, byte ptr [ebp+var_10]
		mov	ecx, [ebp+var_8]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_8]
		call	MiLockWorkingSetShared

loc_63557F:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+1DAj
		mov	eax, [ebp+var_C]

loc_635582:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+1AEj
					; MiAddPagesToEnclave(x,x,x,x,x)+1B3j
		test	edi, edi
		jz	short loc_635597
		test	eax, 0FFFh
		jnz	short loc_6355C4
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_635597:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+1CCj
					; MiAddPagesToEnclave(x,x,x,x,x)+204j
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		mov	eax, [esi+1Ch]
		mov	edi, ecx
		push	0
		push	[ebp+var_10]
		shr	edi, 9
		shr	eax, 0Ch
		and	edi, offset loc_7FFFF8
		and	eax, 3Fh
		sub	edi, 40000000h
		push	eax
		call	MiMakeSystemAddressValid
		mov	eax, [ebp+var_C]

loc_6355C4:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+20Bj
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		and	ecx, 1
		or	ecx, 0
		mov	[ebp+var_38], eax
		jnz	loc_635678
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_18]
		cmp	eax, ecx
		jnz	short loc_6355E7
		dec	eax
		mov	[ebp+var_14], eax

loc_6355E7:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+261j
		dec	ecx
		mov	edx, offset _MiSystemPartition
		mov	[ebp+var_18], ecx
		mov	ecx, esi
		call	_MiGetPageForEnclave@8 ; MiGetPageForEnclave(x,x)
		push	0FFFFFFFFh
		mov	edx, eax
		mov	[ebp+var_20], eax
		lea	ecx, [ebp+var_4C]
		call	MiGetPteFromCopyList
		mov	edx, [ebp+var_24]
		mov	esi, eax
		lea	eax, [ebp+var_30]
		movzx	ecx, bl
		push	eax
		push	ecx
		push	[ebp+var_1C]
		mov	ecx, esi
		shl	ecx, 9
		push	ecx
		mov	ecx, [ebp+var_34]
		call	_KeAddEnclavePage@24 ; KeAddEnclavePage(x,x,x,x,x,x)
		mov	ecx, ds:_ZeroPte
		mov	[ebp+var_38], eax
		mov	[esi], ecx
		nop
		mov	ecx, ds:dword_40F9FC
		mov	[esi+4], ecx
		mov	esi, eax
		mov	ecx, [ebp+var_20]
		test	esi, esi
		js	loc_6356F3
		push	[ebp+arg_8]
		mov	edx, [ebp+var_C]
		call	_MiInitializeEnclavePfn@12 ; MiInitializeEnclavePfn(x,x,x)
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+var_20]
		or	eax, 80000000h
		mov	ecx, [ebp+var_C]
		push	eax
		call	MiMakeValidPte
		mov	esi, [ebp+var_2C]
		mov	ecx, [ebp+var_C]
		push	edx
		push	eax
		push	0
		push	0
		mov	edx, esi
		call	_MiWriteEnclavePte@24 ;	MiWriteEnclavePte(x,x,x,x,x,x)

loc_635678:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+253j
		mov	eax, [ebp+var_C]
		add	[ebp+var_1C], 1000h
		add	eax, 8
		mov	[ebp+var_C], eax
		cmp	eax, [ebp+arg_4]
		jbe	loc_63552C
		test	edi, edi
		jz	short loc_63569F
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_63569F:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+1A6j
					; MiAddPagesToEnclave(x,x,x,x,x)+313j
		xor	esi, esi

loc_6356A1:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+387j
					; MiAddPagesToEnclave(x,x,x,x,x)+393j
		mov	al, byte ptr [ebp+var_10]
		mov	ecx, [ebp+var_8]
		mov	dl, al
		call	MiUnlockWorkingSetShared
		cmp	[ebp+var_48], 0
		jz	short loc_6356C4
		push	[ebp+var_48]
		mov	edx, [ebp+var_40]
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_6356C4:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+153j
					; MiAddPagesToEnclave(x,x,x,x,x)+332j
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_6356D9
		push	1
		mov	edx, eax
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_6356D9:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+9Dj
					; MiAddPagesToEnclave(x,x,x,x,x)+349j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_6356EA
		mov	ecx, [ebp+var_2C]
		mov	edx, eax
		call	_MiReturnReservedEnclavePages@8	; MiReturnReservedEnclavePages(x,x)

loc_6356EA:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+35Ej
		mov	eax, esi

loc_6356EC:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+37j
					; MiAddPagesToEnclave(x,x,x,x,x)+70j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_6356F3:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+2C0j
		call	_MiReturnEnclavePage@4 ; MiReturnEnclavePage(x)
		cmp	esi, 0C000048Fh
		jnz	short loc_635705
		mov	esi, 0C0000001h

loc_635705:				; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+37Ej
		test	edi, edi
		jz	short loc_6356A1
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	short loc_6356A1
_MiAddPagesToEnclave@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCommitEnclavePages(x, x, x, x, x,	x)
_MiCommitEnclavePages@24 proc near	; CODE XREF: MiAllocateVirtualMemory+160382p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		cmp	[ebp+arg_8], 1000h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		jz	short loc_635736
		mov	eax, 0C00000F3h
		jmp	loc_635894
; 

loc_635736:				; CODE XREF: MiCommitEnclavePages(x,x,x,x,x,x)+15j
		test	[ebp+arg_C], 7
		jz	loc_63588F
		cmp	dword ptr [ebp+arg_C], 7
		ja	loc_63588F
		mov	eax, dword ptr [ebp+arg_C]
		and	eax, 5
		cmp	al, 5
		jz	loc_63588F
		mov	eax, [ebp+arg_0]
		mov	edx, offset loc_7FFFF8
		mov	ecx, [ebp+arg_4]
		mov	ebx, 40000000h
		shr	eax, 9
		shr	ecx, 9
		and	eax, edx
		sub	eax, ebx
		and	ecx, edx
		sub	ecx, ebx
		mov	[ebp+arg_0], eax
		mov	ebx, eax
		mov	[ebp+arg_4], ecx
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	esi, eax
		mov	eax, large fs:124h
		mov	edi, [eax+80h]
		add	edi, 240h
		mov	ecx, edi
		call	MiLockWorkingSetShared
		mov	byte ptr [ebp+arg_8], al
		mov	eax, ebx
		cmp	eax, [ebp+arg_4]
		ja	loc_635865

loc_6357AC:				; CODE XREF: MiCommitEnclavePages(x,x,x,x,x,x)+13Dj
		test	bl, 78h
		jnz	short loc_6357FA
		cmp	ebx, eax
		jz	short loc_6357FA
		mov	ecx, edi
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_6357DA
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	short loc_6357DA
		test	esi, esi
		jz	short loc_63580F
		mov	edx, esi
		mov	ecx, edi
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jz	short loc_6357FA

loc_6357DA:				; CODE XREF: MiCommitEnclavePages(x,x,x,x,x,x)+A9j
					; MiCommitEnclavePages(x,x,x,x,x,x)+B2j
		test	esi, esi
		jz	short loc_6357E9
		mov	edx, esi
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	esi, esi

loc_6357E9:				; CODE XREF: MiCommitEnclavePages(x,x,x,x,x,x)+C7j
		mov	dl, byte ptr [ebp+arg_8]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	ecx, edi
		call	MiLockWorkingSetShared

loc_6357FA:				; CODE XREF: MiCommitEnclavePages(x,x,x,x,x,x)+9Aj
					; MiCommitEnclavePages(x,x,x,x,x,x)+9Ej ...
		test	esi, esi
		jz	short loc_63580F
		test	ebx, 0FFFh
		jnz	short loc_63583B
		mov	edx, esi
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_63580F:				; CODE XREF: MiCommitEnclavePages(x,x,x,x,x,x)+B6j
					; MiCommitEnclavePages(x,x,x,x,x,x)+E7j
		mov	eax, [ebp+var_8]
		mov	esi, ebx
		push	0
		push	[ebp+arg_8]
		shr	esi, 9
		xor	edx, edx
		mov	eax, [eax+1Ch]
		and	esi, offset loc_7FFFF8
		shr	eax, 0Ch
		mov	ecx, ebx
		and	eax, 3Fh
		sub	esi, 40000000h
		push	eax
		call	MiMakeSystemAddressValid

loc_63583B:				; CODE XREF: MiCommitEnclavePages(x,x,x,x,x,x)+EFj
		mov	ecx, [ebx]
		nop
		and	ecx, 1
		or	ecx, 0
		jnz	short loc_635849
		inc	[ebp+var_4]

loc_635849:				; CODE XREF: MiCommitEnclavePages(x,x,x,x,x,x)+12Fj
		mov	eax, [ebp+arg_0]
		add	ebx, 8
		cmp	ebx, [ebp+arg_4]
		jbe	loc_6357AC
		test	esi, esi
		jz	short loc_635865
		mov	edx, esi
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_635865:				; CODE XREF: MiCommitEnclavePages(x,x,x,x,x,x)+91j
					; MiCommitEnclavePages(x,x,x,x,x,x)+145j
		mov	dl, byte ptr [ebp+arg_8]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_63588B
		push	dword ptr [ebp+arg_C]
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_MiAddPagesToEnclave@20	; MiAddPagesToEnclave(x,x,x,x,x)
		jmp	short loc_635894
; 

loc_63588B:				; CODE XREF: MiCommitEnclavePages(x,x,x,x,x,x)+15Fj
		xor	eax, eax
		jmp	short loc_635894
; 

loc_63588F:				; CODE XREF: MiCommitEnclavePages(x,x,x,x,x,x)+25j
					; MiCommitEnclavePages(x,x,x,x,x,x)+2Fj ...
		mov	eax, 0C00000F2h

loc_635894:				; CODE XREF: MiCommitEnclavePages(x,x,x,x,x,x)+1Cj
					; MiCommitEnclavePages(x,x,x,x,x,x)+174j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiCommitEnclavePages@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDecommitHardwareEnclavePages(x, x, x, x, x)
_MiDecommitHardwareEnclavePages@20 proc	near
					; CODE XREF: MiTerminateHardwareEnclave(x,x)+2Bp
					; MiDecommitEnclavePages(x,x,x,x,x)+42p

var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D1		= byte ptr -0D1h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= word ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A8A10
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		push	ecx
		push	ecx
		push	ebx
		sub	esp, 118h
		mov	eax, ds:___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_24], eax
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	edi, edx
		mov	[ebp+var_F4], edi
		mov	esi, ecx
		mov	[ebp+var_EC], edi
		mov	eax, [ebx+8]
		mov	[ebp+var_E0], eax
		xor	eax, eax
		mov	[ebp+var_128], eax
		mov	[ebp+var_124], eax
		push	98h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_C0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_110], edi
		mov	eax, large fs:124h
		mov	[ebp+var_120], eax
		lea	edx, [esi+240h]
		mov	[ebp+var_D0], edx
		xor	eax, eax
		mov	[ebp+var_C4], eax
		mov	edi, eax
		mov	[ebp+var_F0], edi
		mov	[ebp+var_E8], eax
		mov	[ebp+var_11C], eax
		mov	[ebp+var_118], eax
		mov	[ebp+var_C0], 1
		mov	[ebp+var_BC], ax
		mov	[ebp+var_B0], eax
		mov	[ebp+var_B8], 21h
		mov	[ebp+var_AC], eax
		mov	[ebp+var_114], 2
		mov	ecx, edx
		call	MiLockWorkingSetShared
		mov	byte ptr [ebp+var_E4], al
		xor	eax, eax
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_FC], ecx
		xor	esi, esi
		inc	esi

loc_6359B2:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+665j
		mov	[ebp+var_F8], eax
		cmp	eax, [ebp+var_114]
		jnb	loc_635F05
		cmp	eax, 2
		jnz	short loc_6359FC
		mov	ecx, [ebp+var_F4]
		mov	ecx, [ecx+30h]
		shl	ecx, 9
		call	_KeTrackEnclaveTbFlush@4 ; KeTrackEnclaveTbFlush(x)
		push	0
		push	esi
		mov	edx, [ebp+var_E0]
		shl	edx, 9
		lea	ecx, [ebp+var_C0]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [ebp+var_C0]
		call	MiFlushTbList

loc_6359FC:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+12Cj
		mov	eax, [ebp+var_E0]
		mov	ecx, eax

loc_635A04:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+62Fj
		mov	[ebp+var_CC], ecx
		cmp	ecx, [ebx+0Ch]
		ja	loc_635ECF
		test	cl, 78h
		jnz	loc_635AC4
		cmp	ecx, eax
		jz	loc_635AC4
		and	[ebp+var_C8], 0
		mov	ecx, [ebp+var_D0]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_635A66
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	short loc_635A66
		mov	eax, [ebp+var_C4]
		test	eax, eax
		jz	short loc_635A72
		mov	edx, eax
		mov	ecx, [ebp+var_D0]
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		mov	eax, [ebp+var_C4]
		jz	short loc_635A72
		jmp	short loc_635A6C
; 

loc_635A66:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+19Dj
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+1A6j
		mov	eax, [ebp+var_C4]

loc_635A6C:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+1C9j
		mov	[ebp+var_C8], esi

loc_635A72:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+1B0j
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+1C7j
		cmp	[ebp+var_C8], esi
		jnz	short loc_635ABE
		test	eax, eax
		jz	short loc_635AA2
		lea	ecx, [ebp+var_C0]
		call	MiFlushTbList
		mov	edx, [ebp+var_C4]
		mov	ecx, [ebp+var_D0]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	eax, eax
		mov	[ebp+var_C4], eax

loc_635AA2:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+1E1j
		mov	dl, byte ptr [ebp+var_E4]
		mov	ecx, [ebp+var_D0]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_D0]
		call	MiLockWorkingSetShared

loc_635ABE:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+1DDj
		mov	ecx, [ebp+var_CC]

loc_635AC4:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+17Bj
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+183j
		mov	eax, [ebp+var_C4]
		test	eax, eax
		jz	short loc_635AF6
		test	ecx, 0FFFh
		jnz	short loc_635B36
		test	eax, eax
		jz	short loc_635AF6
		lea	ecx, [ebp+var_C0]
		call	MiFlushTbList
		mov	edx, [ebp+var_C4]
		mov	ecx, [ebp+var_D0]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_635AF6:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+231j
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+23Dj
		mov	ecx, [ebp+var_CC]
		mov	eax, ecx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_C4], eax
		mov	eax, [ebp+var_110]
		mov	eax, [eax+1Ch]
		shr	eax, 0Ch
		and	eax, 3Fh
		push	0
		push	[ebp+var_E4]
		push	eax
		xor	edx, edx
		call	MiMakeSystemAddressValid
		mov	ecx, [ebp+var_CC]

loc_635B36:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+239j
		mov	edx, [ecx]
		nop
		mov	eax, [ecx+4]
		mov	[ebp+var_DC], eax
		mov	[ebp+var_128], edx
		mov	[ebp+var_124], eax
		mov	eax, edx
		or	eax, [ebp+var_DC]
		jz	loc_635EC1
		mov	eax, ecx
		shl	eax, 9
		mov	[ebp+var_C8], eax
		cmp	[ebp+var_F8], 0
		jnz	short loc_635BA8
		nop
		push	0C0000004h
		mov	eax, [ebp+var_DC]
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		call	MiMakeValidPte
		mov	[ebp+var_128], eax
		mov	[ebp+var_124], edx
		nop
		mov	ecx, [ebp+var_CC]
		mov	[ecx], eax
		mov	[ecx+4], edx
		jmp	loc_635EA7
; 

loc_635BA8:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+2D3j
		cmp	[ebp+var_F8], esi
		jnz	loc_635D28
		push	eax
		call	_KeRemoveEnclavePage@4 ; KeRemoveEnclavePage(x)
		mov	[ebp+var_D8], eax
		test	eax, eax
		jns	loc_635D16
		cmp	eax, 0C0000043h
		jnz	loc_635D06
		cmp	dword ptr [ebx+10h], 0
		jnz	loc_635D06
		cmp	[ebp+var_E8], 0
		jnz	loc_635CF3
		or	esi, 0FFFFFFFFh

loc_635BED:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+3C3j
		mov	eax, ds:dword_6D3588
		mov	ecx, [eax]
		lea	edx, [ecx-1]
		mov	edi, [eax+4]
		and	[ebp+var_12C], 0
		cmp	ecx, 1
		jb	short loc_635C42
		mov	eax, edx
		shr	eax, 5
		mov	ecx, edi
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_DC], eax
		jmp	short loc_635C23
; 

loc_635C18:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+38Cj
		add	edi, 4
		cmp	edi, [ebp+var_DC]
		ja	short loc_635C42

loc_635C23:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+37Bj
		mov	eax, [edi]
		cmp	eax, esi
		jz	short loc_635C18
		not	eax
		bsf	eax, eax
		mov	[ebp+var_12C], eax
		sub	edi, ecx
		sar	edi, 2
		shl	edi, 5
		add	edi, eax
		cmp	edi, edx
		jbe	short loc_635C44

loc_635C42:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+369j
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+386j
		mov	edi, esi

loc_635C44:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+3A5j
		mov	[ebp+var_F0], edi
		cmp	edi, esi
		jz	short loc_635C64
		push	1
		push	edi
		push	ds:dword_6D3588
		call	RtlInterlockedSetClearRun
		test	eax, eax
		jz	short loc_635BED
		cmp	edi, esi
		jnz	short loc_635CDC

loc_635C64:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+3B1j
		lea	ecx, [ebp+var_C0]
		call	MiFlushTbList
		mov	edx, [ebp+var_C4]
		mov	esi, [ebp+var_D0]
		mov	ecx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [ebp+var_E4]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	eax, [ebp+var_120]
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6D358C
		call	ExAcquirePushLockExclusiveEx
		xor	edi, edi
		mov	[ebp+var_F0], edi
		mov	ecx, esi
		call	MiLockWorkingSetShared
		mov	ecx, [ebp+var_110]
		mov	eax, [ecx+1Ch]
		shr	eax, 0Ch
		and	eax, 3Fh
		push	edi
		push	[ebp+var_E4]
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+var_CC]
		call	MiMakeSystemAddressValid

loc_635CDC:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+3C7j
		mov	eax, ds:dword_6D3584
		lea	eax, [eax+edi*8]
		mov	[ebp+var_E8], eax
		inc	[ebp+var_114]
		xor	esi, esi
		inc	esi

loc_635CF3:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+349j
		mov	ecx, [ebp+var_C8]
		call	_KeBlockEnclavePage@4 ;	KeBlockEnclavePage(x)
		mov	eax, [ebp+var_D8]
		jmp	short loc_635D0E
; 

loc_635D06:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+332j
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+33Cj
		xor	eax, eax
		mov	[ebp+var_D8], eax

loc_635D0E:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+469j
		test	eax, eax
		js	loc_635EA7

loc_635D16:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+327j
		mov	edx, esi
		mov	ecx, [ebp+var_CC]
		call	_MiDeleteEnclavePage@8 ; MiDeleteEnclavePage(x,x)
		jmp	loc_635EA7
; 

loc_635D28:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+313j
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+5E4j
		push	offset dword_6D3590
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		and	[ebp+var_4], 0
		push	[ebp+var_E8]
		mov	eax, [ebp+var_F4]
		mov	edx, [eax+34h]
		mov	ecx, [ebp+var_C8]
		call	_KeOutPageEnclavePage@12 ; KeOutPageEnclavePage(x,x,x)
		mov	esi, eax
		mov	[ebp+var_D8], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_635E66
; 

loc_635D64:				; DATA XREF: .text:006A8A24o
		mov	ebx, [ebp+var_1C]
		mov	ecx, [ebp+var_14]
		mov	eax, [ecx]
		mov	eax, [eax]
		mov	[ebp+var_130], eax
		lea	eax, [ebp+var_11C]
		push	eax
		lea	edx, [ebp+var_118]
		call	_MiGetExceptionInfo@12 ; MiGetExceptionInfo(x,x,x)
		retn
; 

loc_635D87:				; DATA XREF: .text:006A8A28o
		mov	ebx, [ebp+var_1C]
		mov	esp, [ebp+var_18]
		cmp	[ebp+var_118], 0
		jz	loc_635E38
		mov	esi, [ebp+var_11C]
		cmp	esi, [ebp+var_E8]
		jnz	short loc_635E26
		mov	esi, offset dword_6D3590
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		push	esi
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		push	ds:dword_6D3584
		call	_KeRemoveEnclavePage@4 ; KeRemoveEnclavePage(x)
		mov	ecx, ds:dword_6D3584
		call	_KeCreateEnclaveMetadataPage@4 ; KeCreateEnclaveMetadataPage(x)
		mov	[ebp+var_D8], eax
		test	eax, eax
		jns	short loc_635DEE
		push	0
		push	eax
		push	ds:dword_6D3584
		push	18012150h

loc_635DE7:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+5F7j
		push	1Ah

loc_635DE9:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+776j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_635DEE:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+53Cj
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	esi, 0C0000016h
		mov	[ebp+var_D8], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	eax, eax
		inc	eax
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_FC], ecx
		mov	edi, [ebp+var_F0]
		mov	edx, [ebp+var_EC]
		mov	[ebp+var_F4], edx
		jmp	short loc_635E73
; 

loc_635E26:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+50Bj
		sub	esi, [ebp+var_C8]
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000005h
		jmp	short loc_635E3E
; 

loc_635E38:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+4F9j
		mov	esi, [ebp+var_130]

loc_635E3E:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+59Bj
		mov	[ebp+var_D8], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_FC], ecx
		mov	edi, [ebp+var_F0]
		mov	eax, [ebp+var_EC]
		mov	[ebp+var_F4], eax

loc_635E66:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+4C4j
		push	offset dword_6D3590
		call	ExReleaseSpinLockSharedFromDpcLevel
		xor	eax, eax
		inc	eax

loc_635E73:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+589j
		mov	ecx, [ebp+var_C8]
		cmp	esi, 0C0000016h
		jz	loc_635D28
		test	esi, esi
		jns	short loc_635E97
		push	0
		push	esi
		push	ecx
		push	18011713h
		jmp	loc_635DE7
; 

loc_635E97:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+5ECj
		mov	edx, eax
		mov	ecx, [ebp+var_CC]
		call	_MiDeleteEnclavePage@8 ; MiDeleteEnclavePage(x,x)
		xor	esi, esi
		inc	esi

loc_635EA7:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+308j
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+475j ...
		push	0
		push	esi
		mov	edx, [ebp+var_C8]
		lea	ecx, [ebp+var_C0]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	ecx, [ebp+var_CC]

loc_635EC1:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+2BBj
		add	ecx, 8
		mov	eax, [ebp+var_E0]
		jmp	loc_635A04
; 

loc_635ECF:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+172j
		lea	ecx, [ebp+var_C0]
		call	MiFlushTbList
		mov	eax, [ebp+var_C4]
		test	eax, eax
		jz	short loc_635EF9
		mov	edx, eax
		mov	ecx, [ebp+var_D0]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	eax, eax
		mov	[ebp+var_C4], eax

loc_635EF9:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+647j
		mov	eax, [ebp+var_F8]
		inc	eax
		jmp	loc_6359B2
; 

loc_635F05:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+123j
		mov	dl, byte ptr [ebp+var_E4]
		mov	ecx, [ebp+var_D0]
		call	MiUnlockWorkingSetShared
		cmp	[ebp+var_E8], 0
		jz	loc_63618D
		test	edi, edi
		jnz	loc_63611C
		or	ecx, 0FFFFFFFFh
		mov	eax, ecx
		mov	edx, offset dword_6D358C
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_635F4B
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, offset dword_6D358C

loc_635F4B:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+6A2j
		and	[ebp+var_100], 0
		test	edx, 7FFFFFFCh
		jz	loc_63610F
		mov	edi, large fs:124h
		mov	eax, edx
		shr	eax, 15h
		mov	ecx, ds:dword_6D07D0
		mov	[ebp+var_110], ecx
		cmp	ecx, edx
		push	0FFFFFFFFh
		pop	ecx
		jbe	short loc_635F86
		and	[ebp+var_EC], 0
		jmp	short loc_635F93
; 

loc_635F86:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+6E0j
		movzx	ecx, byte ptr ds:dword_6D3994[eax]
		mov	[ebp+var_EC], ecx

loc_635F93:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+6E9j
		or	ecx, 0FFFFFFFFh
		cmp	[ebp+var_EC], esi
		jz	short loc_635FAF
		cmp	[ebp+var_110], edx
		ja	short loc_635FC7
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_635FC7

loc_635FAF:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+701j
		mov	ecx, [edi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_FC], ecx
		mov	edx, offset dword_6D358C

loc_635FC7:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+709j
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+712j
		dec	word ptr [edi+13Eh]
		nop
		inc	byte ptr [edi+1E6h]
		nop
		mov	al, [edi+1E6h]
		mov	[ebp+var_D1], al
		push	ecx
		mov	ecx, edi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_636016
		mov	eax, [edi+5Ch]
		test	eax, 10000h
		jnz	loc_63608B
		push	esi
		mov	ecx, [ebp+var_FC]
		push	ecx
		push	offset dword_6D358C
		push	edi
		push	162h
		jmp	loc_635DE9
; 

loc_636016:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+753j
		mov	al, [esi+10h]
		or	al, 2
		mov	[esi+10h], al
		nop
		cmp	dword ptr [esi+10h], 0
		jge	short loc_63602C
		mov	ecx, esi
		call	KiAbEntryRemoveFromTree

loc_63602C:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+788j
		mov	ecx, [esi+2Ch]
		mov	eax, ecx
		and	eax, 1FFFFh
		mov	[ebp+var_100], eax
		and	ecx, 0FFFE0000h
		mov	[esi+2Ch], ecx
		and	byte ptr [esi+0Dh], 0FEh
		nop
		mov	dword ptr [esi+10h], 0
		sub	esi, [edi+1E8h]
		mov	eax, esi
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		mov	edx, eax
		cmp	[ebp+var_D1], 1
		jnz	short loc_63607C
		movzx	ecx, byte ptr [edi+1E4h]
		bts	ecx, edx
		mov	[edi+1E4h], cl
		jmp	short loc_63608B
; 

loc_63607C:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+7CDj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		lea	esi, [edi+222h]
		lock or	[esi], al

loc_63608B:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+75Dj
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+7DFj
		nop
		dec	byte ptr [edi+1E6h]
		mov	edx, [ebp+var_100]
		mov	esi, edx
		and	esi, 1FFFFh
		jz	short loc_6360F7
		test	edx, 8000h
		jz	short loc_6360B3
		xor	edx, edx
		mov	ecx, edi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6360B3:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+80Dj
		test	byte ptr [ebp+var_100+2], 1
		jz	short loc_6360C6
		xor	edx, edx
		inc	edx
		mov	ecx, edi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6360C6:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+81Fj
		mov	eax, 7FFFh
		mov	edx, [ebp+var_100]
		test	edx, eax
		jz	short loc_6360DE
		and	edx, eax
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority

loc_6360DE:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+838j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_6360F7
		push	esi
		mov	edx, offset dword_6D358C
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_6360F7:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+805j
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+84Dj
		nop
		add	word ptr [edi+13Eh], 1
		jnz	short loc_63610F
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jz	short loc_63610F
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_63610F:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+6BDj
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+865j ...
		mov	ecx, [ebp+var_120]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_63618D
; 

loc_63611C:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+68Aj
		mov	ecx, edi
		shr	ecx, 5
		mov	eax, ds:dword_6D3588
		mov	eax, [eax+4]
		lea	esi, [eax+ecx*4]
		and	edi, 1Fh
		lea	eax, [edi+1]
		cmp	eax, 20h
		ja	short loc_636142
		mov	ecx, edi
		xor	eax, eax
		inc	eax
		shl	eax, cl
		not	eax
		jmp	short loc_63618A
; 

loc_636142:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+89Aj
		xor	eax, eax
		inc	eax
		test	edi, edi
		jz	short loc_636164
		push	20h
		pop	edx
		sub	edx, edi
		mov	ecx, edx
		shl	eax, cl
		dec	eax
		mov	ecx, edi
		shl	eax, cl
		not	eax
		lock and [esi],	eax
		xor	eax, eax
		inc	eax
		sub	eax, edx
		add	esi, 4

loc_636164:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+8ACj
		cmp	eax, 20h
		jb	short loc_63617F
		mov	ecx, eax
		shr	ecx, 5

loc_63616E:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+8E2j
		mov	dword ptr [esi], 0
		add	esi, 4
		sub	eax, 20h
		sub	ecx, 1
		jnz	short loc_63616E

loc_63617F:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+8CCj
		test	eax, eax
		jz	short loc_63618D
		mov	ecx, eax
		or	eax, 0FFFFFFFFh
		shl	eax, cl

loc_63618A:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+8A5j
		lock and [esi],	eax

loc_63618D:				; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+682j
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+87Fj ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	ecx, [ebp+var_24]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
_MiDecommitHardwareEnclavePages@20 endp	; sp =	4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteEnclavePage(x, x)
_MiDeleteEnclavePage@8 proc near	; CODE XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+483p
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+604p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ecx]
		push	esi
		push	edi
		nop
		mov	eax, [ecx+4]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], eax
		nop
		shrd	ebx, eax, 0Ch
		mov	eax, ds:_ZeroPte
		and	ebx, 1FFFFFFh
		mov	[ecx], eax
		mov	[ebp+var_4], ebx
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		test	edx, edx
		jz	short loc_6361FF
		shr	ecx, 9
		or	edx, 0FFFFFFFFh
		and	ecx, offset loc_7FFFF8
		push	0FFFFFFFFh
		sub	ecx, 40000000h
		call	_MiUpdateAwePageTable@12 ; MiUpdateAwePageTable(x,x,x)

loc_6361FF:				; CODE XREF: MiDeleteEnclavePage(x,x)+37j
		imul	esi, ebx, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		lea	edi, [esi+10h]
		or	edx, 0FFFFFFFFh
		or	dword ptr [edi], 40000000h
		mov	ecx, esi
		and	byte ptr [esi+16h], 0EFh
		mov	bl, al
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		mov	edx, 100h
		mov	[esi+14h], ax
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiDeleteEnclavePage@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFlushEnclaveTb(x,	x, x)
_MiFlushEnclaveTb@12 proc near		; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+21Bp
					; MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+26Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		cmp	edx, 0FFFFFFFFh
		jz	short loc_63627C
		test	[ebp+arg_0], 20000000h
		jnz	short loc_636275
		cmp	dword ptr [esi+0Ch], 0
		jnz	short loc_636275
		push	0
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_636275:				; CODE XREF: MiFlushEnclaveTb(x,x,x)+14j
					; MiFlushEnclaveTb(x,x,x)+1Aj
		mov	ecx, esi
		call	MiFlushTbList

loc_63627C:				; CODE XREF: MiFlushEnclaveTb(x,x,x)+Bj
		pop	esi
		pop	ebp
		retn	4
_MiFlushEnclaveTb@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetEnclavePage(x,	x)
_MiGetEnclavePage@8 proc near		; CODE XREF: KiExpandKernelStackAndCalloutOnStackSegment+10ECCFp
					; MiGetPageForEnclave(x,x)+2Dj	...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_18], 0
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		mov	[ebp+var_8], ebx
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_20], 0
		lea	esi, [edi+950h]
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1], al
		mov	[ebp+var_1C], esi
		jz	short loc_6362C2
		mov	edx, esi
		lea	ecx, [ebp+var_20]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6362D3
; 

loc_6362C2:				; CODE XREF: MiGetEnclavePage(x,x)+33j
		lea	edx, [ebp+var_20]
		xchg	edx, [esi]
		test	edx, edx
		jz	short loc_6362D3
		lea	ecx, [ebp+var_20]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_6362D3:				; CODE XREF: MiGetEnclavePage(x,x)+3Fj
					; MiGetEnclavePage(x,x)+48j ...
		test	ebx, ebx
		jnz	short loc_6362E3
		cmp	[edi+940h], ebx
		jz	loc_6363BC

loc_6362E3:				; CODE XREF: MiGetEnclavePage(x,x)+54j
		mov	eax, [edi+948h]
		imul	ebx, eax, 1Ch
		mov	[ebp+var_14], eax
		add	ebx, ds:_MmPfnDatabase
		lea	eax, [ebx+10h]
		mov	[ebp+var_10], eax
		lock bts dword ptr [eax], 1Fh
		jnb	loc_636409
		test	ds:byte_70EFC6,	1
		jz	short loc_63631C
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_20]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63634B
; 

loc_63631C:				; CODE XREF: MiGetEnclavePage(x,x)+8Cj
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_63633B
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_20]
		cmp	eax, ecx
		jz	short loc_63634B
		call	KxWaitForLockChainValid

loc_63633B:				; CODE XREF: MiGetEnclavePage(x,x)+A0j
		xor	ecx, ecx
		mov	[ebp+var_20], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_63634B:				; CODE XREF: MiGetEnclavePage(x,x)+99j
					; MiGetEnclavePage(x,x)+B3j
		and	[ebp+var_C], 0
		lea	eax, [ebx+10h]
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_636376
		lea	esi, [ebx+10h]

loc_63635C:				; CODE XREF: MiGetEnclavePage(x,x)+E6j
					; MiGetEnclavePage(x,x)+EDj
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_63635C
		lock bts dword ptr [esi], 1Fh
		jb	short loc_63635C
		lea	esi, [edi+950h]

loc_636376:				; CODE XREF: MiGetEnclavePage(x,x)+D6j
		and	[ebp+var_20], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1C], esi
		jz	short loc_636392
		mov	edx, esi
		lea	ecx, [ebp+var_20]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6363A3
; 

loc_636392:				; CODE XREF: MiGetEnclavePage(x,x)+103j
		lea	edx, [ebp+var_20]
		xchg	edx, [esi]
		test	edx, edx
		jz	short loc_6363A3
		lea	ecx, [ebp+var_20]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_6363A3:				; CODE XREF: MiGetEnclavePage(x,x)+10Fj
					; MiGetEnclavePage(x,x)+118j
		test	byte ptr [ebx+17h], 10h
		jnz	short loc_636409
		mov	eax, [ebp+var_10]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	ebx, [ebp+var_8]
		jmp	loc_6362D3
; 

loc_6363BC:				; CODE XREF: MiGetEnclavePage(x,x)+5Cj
		test	ds:byte_70EFC6,	1
		jz	short loc_6363D2
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_20]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_636401
; 

loc_6363D2:				; CODE XREF: MiGetEnclavePage(x,x)+142j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_6363F1
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_20]
		cmp	eax, ecx
		jz	short loc_636401
		call	KxWaitForLockChainValid

loc_6363F1:				; CODE XREF: MiGetEnclavePage(x,x)+156j
		xor	ecx, ecx
		mov	[ebp+var_20], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_636401:				; CODE XREF: MiGetEnclavePage(x,x)+14Fj
					; MiGetEnclavePage(x,x)+169j
		or	esi, 0FFFFFFFFh
		jmp	loc_6364B8
; 

loc_636409:				; CODE XREF: MiGetEnclavePage(x,x)+7Fj
					; MiGetEnclavePage(x,x)+126j
		mov	esi, [ebx+10h]
		mov	eax, offset loc_7FFFFF
		mov	ecx, [ebx]
		and	esi, eax
		mov	[ebp+var_10], ecx
		cmp	ecx, eax
		jz	short loc_636438
		imul	ecx, 1Ch
		mov	edx, esi
		push	0
		add	ecx, ds:_MmPfnDatabase
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		mov	ecx, [ebp+var_10]
		mov	eax, offset loc_7FFFFF
		jmp	short loc_63643E
; 

loc_636438:				; CODE XREF: MiGetEnclavePage(x,x)+199j
		mov	[edi+94Ch], esi

loc_63643E:				; CODE XREF: MiGetEnclavePage(x,x)+1B5j
		cmp	esi, eax
		jz	short loc_63644F
		imul	eax, esi, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[eax], ecx
		jmp	short loc_636455
; 

loc_63644F:				; CODE XREF: MiGetEnclavePage(x,x)+1BFj
		mov	[edi+948h], ecx

loc_636455:				; CODE XREF: MiGetEnclavePage(x,x)+1CCj
		cmp	[ebp+var_8], 0
		jnz	short loc_636461
		dec	dword ptr [edi+940h]

loc_636461:				; CODE XREF: MiGetEnclavePage(x,x)+1D8j
		test	ds:byte_70EFC6,	1
		jz	short loc_636477
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_20]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6364A6
; 

loc_636477:				; CODE XREF: MiGetEnclavePage(x,x)+1E7j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_636496
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_20]
		cmp	eax, ecx
		jz	short loc_6364A6
		call	KxWaitForLockChainValid

loc_636496:				; CODE XREF: MiGetEnclavePage(x,x)+1FBj
		xor	ecx, ecx
		mov	[ebp+var_20], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_6364A6:				; CODE XREF: MiGetEnclavePage(x,x)+1F4j
					; MiGetEnclavePage(x,x)+20Ej
		and	byte ptr [ebx+17h], 0EFh
		lea	ecx, [ebx+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	esi, [ebp+var_14]

loc_6364B8:				; CODE XREF: MiGetEnclavePage(x,x)+183j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_MiGetEnclavePage@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetPageForEnclave(x, x)
_MiGetPageForEnclave@8 proc near	; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+272p
					; MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+401p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, edx
		mov	ecx, [esi+3Ch]
		test	ecx, ecx
		jz	short loc_6364F0
		mov	eax, [esi+38h]
		dec	ecx
		push	1Ch
		mov	edx, [eax]
		mov	[esi+38h], edx
		mov	[esi+3Ch], ecx
		sub	eax, ds:_MmPfnDatabase
		cdq
		pop	ecx
		idiv	ecx
		pop	esi
		retn
; 

loc_6364F0:				; CODE XREF: MiGetPageForEnclave(x,x)+Cj
		xor	edx, edx
		mov	ecx, eax
		pop	esi
		jmp	_MiGetEnclavePage@8 ; MiGetEnclavePage(x,x)
_MiGetPageForEnclave@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeEnclavePfn(x, x, x)
_MiInitializeEnclavePfn@12 proc	near	; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+2CCp
					; MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+47Bp ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		imul	ebx, ecx, 1Ch
		push	esi
		push	edi
		mov	esi, edx
		add	ebx, ds:_MmPfnDatabase
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, [ebx+16h]
		lea	edi, [ebx+10h]
		and	cl, 0FEh
		mov	[ebp+var_1], al
		or	cl, 6
		mov	[ebx+4], esi
		mov	[ebx+16h], cl
		xor	eax, eax
		mov	ecx, [edi]
		inc	eax
		and	ecx, 0C0000001h
		mov	[ebx+14h], ax
		or	ecx, eax
		xor	eax, eax
		mov	[edi], ecx
		mov	ecx, [ebp+arg_0]
		or	byte ptr [ebx+16h], 10h
		and	ecx, 1Fh
		shld	eax, ecx, 5
		shl	ecx, 5
		push	eax
		push	ecx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebx+8], eax
		mov	eax, 7FFFFFFFh
		mov	[ebx+0Ch], edx
		lock and [edi],	eax
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiInitializeEnclavePfn@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiProtectEnclavePages(x, x,	x, x, x, x, x, x, x, x,	x)
_MiProtectEnclavePages@44 proc near	; CODE XREF: MmProtectVirtualMemory+372p

var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0FCh
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+0FCh+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[esp+100h+var_DC], eax
		mov	eax, [ebp+arg_18]
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[esp+104h+var_AC], eax
		mov	eax, [ebp+arg_1C]
		push	edi
		mov	[esp+108h+var_A8], eax
		mov	eax, [ebp+arg_20]
		push	98h		; size_t
		mov	[esp+10Ch+var_A4], eax
		lea	eax, [esp+10Ch+var_A0]
		push	0		; int
		push	eax		; void *
		mov	[esp+114h+var_D8], esi
		call	_memset
		mov	eax, [ebp+arg_14]
		add	esp, 0Ch
		mov	ebx, [ebp+arg_10]
		mov	ecx, eax
		xor	edi, edi
		and	ecx, 20000000h
		jnz	short loc_636622
		mov	edx, [esp+108h+var_DC]
		test	byte ptr [edx+28h], 2
		jz	short loc_63661B
		test	byte ptr [edx+2Ch], 1
		jz	short loc_63661B
		test	eax, eax
		jns	short loc_636602
		cmp	eax, 80000000h
		jnz	short loc_636645
		cmp	[ebp+arg_C], edi
		jnz	short loc_636645
		push	8
		pop	edi
		jmp	short loc_636673
; 

loc_636602:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+7Aj
		mov	edx, 10000000h
		test	eax, edx
		jz	short loc_636629
		cmp	eax, edx
		jnz	short loc_636645
		cmp	[ebp+arg_C], edi
		jnz	short loc_636645
		mov	edi, 80h
		jmp	short loc_636673
; 

loc_63661B:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+70j
					; MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+76j
		mov	eax, 0C0000018h
		jmp	short loc_63664A
; 

loc_636622:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+66j
		test	eax, 90000000h
		jnz	short loc_636645

loc_636629:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+94j
		cmp	ebx, 7
		jbe	short loc_636633
		cmp	ebx, 18h
		jnz	short loc_636645

loc_636633:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+B7j
		mov	eax, ebx
		and	eax, 5
		cmp	al, 5
		jz	short loc_636645
		cmp	ebx, 18h
		jnz	short loc_636661
		test	ecx, ecx
		jz	short loc_636673

loc_636645:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+81j
					; MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+86j ...
		mov	eax, 0C0000045h

loc_63664A:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+ABj
					; MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+4CDj
		mov	ecx, [esp+108h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_636661:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+CAj
		mov	edi, ebx
		and	edi, 4
		or	edi, 2
		shr	edi, 1
		test	bl, 2
		jz	short loc_636673
		or	edi, 4

loc_636673:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+8Bj
					; MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+A4j ...
		or	[esp+108h+var_EC], 0FFFFFFFFh
		mov	eax, esi
		shr	eax, 9
		mov	edx, offset loc_7FFFF8
		and	eax, edx
		mov	esi, 40000000h
		sub	eax, esi
		mov	[esp+108h+var_F0], eax
		mov	eax, [ebp+arg_8]
		shr	eax, 9
		and	eax, edx
		xor	edx, edx
		sub	eax, esi
		mov	[esp+108h+var_E8], edx
		mov	[esp+108h+var_C4], eax
		mov	esi, edx
		or	eax, 0FFFFFFFFh
		mov	[esp+108h+var_E0], esi
		mov	[esp+108h+var_BC], eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		add	eax, 240h
		mov	[esp+108h+var_F4], eax
		test	ecx, ecx
		jnz	short loc_6366CF
		and	ebx, 2
		or	ebx, 4

loc_6366CF:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+152j
		xor	eax, eax
		mov	[esp+108h+var_9C], dx
		test	ecx, ecx
		mov	[esp+108h+var_90], edx
		mov	ecx, [esp+108h+var_F0]
		setz	al
		mov	[esp+108h+var_8C], edx
		or	edx, 0FFFFFFFFh
		mov	[esp+108h+var_A0], 1
		mov	[esp+108h+var_98], 21h
		lea	eax, ds:2[eax*2]
		mov	[esp+108h+var_C0], eax
		mov	eax, ebx
		or	eax, 80000000h
		push	eax
		call	MiMakeValidPte
		mov	ecx, [esp+108h+var_F4]
		mov	[esp+108h+var_C8], eax
		mov	[esp+108h+var_D4], edx
		call	MiLockWorkingSetShared
		mov	edx, [esp+108h+var_D8]
		mov	ecx, esi
		and	[esp+108h+var_D0], esi
		and	edx, 0FFFFF000h
		mov	byte ptr [esp+108h+var_CC], al
		mov	eax, [esp+108h+var_F0]
		mov	[esp+108h+var_D8], edx

loc_63673F:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+457j
		mov	[esp+108h+var_E4], edx
		mov	edx, eax
		mov	[esp+108h+var_F8], edx
		cmp	eax, [esp+108h+var_C4]
		ja	loc_6369B1

loc_636753:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+42Bj
		test	dl, 78h
		jnz	short loc_6367C9
		cmp	edx, eax
		jz	short loc_6367C9
		mov	ecx, [esp+108h+var_F4]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_636785
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	short loc_636785
		test	esi, esi
		jz	short loc_6367D5
		mov	ecx, [esp+108h+var_F4]
		mov	edx, esi
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jz	short loc_6367C5

loc_636785:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+1F2j
					; MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+1FBj
		push	[ebp+arg_14]
		mov	edx, [esp+10Ch+var_EC]
		lea	ecx, [esp+10Ch+var_A0]
		call	_MiFlushEnclaveTb@12 ; MiFlushEnclaveTb(x,x,x)
		or	[esp+108h+var_EC], 0FFFFFFFFh
		test	esi, esi
		jz	short loc_6367AF
		mov	ecx, [esp+108h+var_F4]
		mov	edx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	esi, esi
		mov	[esp+108h+var_E0], esi

loc_6367AF:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+227j
		mov	dl, byte ptr [esp+108h+var_CC]
		mov	ecx, [esp+108h+var_F4]
		call	MiUnlockWorkingSetShared
		mov	ecx, [esp+108h+var_F4]
		call	MiLockWorkingSetShared

loc_6367C5:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+20Ej
		mov	edx, [esp+108h+var_F8]

loc_6367C9:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+1E1j
					; MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+1E5j
		test	esi, esi
		jz	short loc_6367D5
		test	edx, 0FFFh
		jnz	short loc_636833

loc_6367D5:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+1FFj
					; MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+256j
		push	[ebp+arg_14]
		mov	edx, [esp+10Ch+var_EC]
		lea	ecx, [esp+10Ch+var_A0]
		call	_MiFlushEnclaveTb@12 ; MiFlushEnclaveTb(x,x,x)
		or	[esp+108h+var_EC], 0FFFFFFFFh
		test	esi, esi
		jz	short loc_6367F9
		mov	ecx, [esp+108h+var_F4]
		mov	edx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_6367F9:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+277j
		mov	ecx, [esp+108h+var_F8]
		xor	edx, edx
		mov	esi, ecx
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		mov	[esp+108h+var_E0], esi
		mov	esi, [esp+108h+var_DC]
		push	0
		push	[esp+10Ch+var_CC]
		mov	eax, [esi+1Ch]
		shr	eax, 0Ch
		and	eax, 3Fh
		push	eax
		call	MiMakeSystemAddressValid
		mov	edx, [esp+108h+var_F8]
		jmp	short loc_636837
; 

loc_636833:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+25Ej
		mov	esi, [esp+108h+var_DC]

loc_636837:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+2BCj
		mov	ecx, [esp+108h+var_D0]
		test	ecx, ecx
		jnz	short loc_636892
		and	[esp+108h+var_B8], ecx
		and	[esp+108h+var_B4], ecx
		mov	ecx, [edx]
		nop
		mov	esi, [edx+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_6369D1
		mov	eax, [esp+108h+var_F0]
		cmp	edx, eax
		jnz	loc_636987
		nop
		mov	eax, ds:_MmPfnDatabase
		shrd	ecx, esi, 0Ch
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		mov	esi, [ecx+eax+8]
		mov	eax, [ecx+eax+0Ch]
		shrd	esi, eax, 5
		and	esi, 1Fh
		mov	[esp+108h+var_BC], esi
		jmp	loc_636983
; 

loc_636892:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+2C8j
		mov	eax, [esp+108h+var_C0]
		dec	eax
		cmp	ecx, eax
		jnz	loc_63694D
		and	[esp+108h+var_B8], 0
		mov	eax, [edx]
		and	[esp+108h+var_B4], 0
		mov	[esp+108h+var_B8], eax
		nop
		mov	ecx, [edx+4]
		mov	[esp+108h+var_EC], ecx
		nop
		mov	esi, eax
		mov	edx, ebx
		mov	eax, ecx
		shrd	esi, eax, 0Ch
		and	esi, 1FFFFFFh
		imul	ecx, esi, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiUpdateEnclavePfnProtection@8	; MiUpdateEnclavePfnProtection(x,x)
		mov	edx, [esp+108h+var_D4]
		xor	eax, eax
		mov	ecx, [esp+108h+var_C8]
		and	edx, 0FFFFFFE0h
		shld	eax, esi, 0Ch
		and	ecx, 0FFFh
		or	eax, edx
		shl	esi, 0Ch
		mov	edx, [esp+108h+var_DC]
		or	esi, ecx
		mov	ecx, [esp+108h+var_F8]
		push	eax
		push	esi
		push	0
		push	1
		mov	[esp+118h+var_C8], esi
		mov	[esp+118h+var_D4], eax
		call	_MiWriteEnclavePte@24 ;	MiWriteEnclavePte(x,x,x,x,x,x)
		test	ds:_MiFlags, 300h
		jz	short loc_636932
		mov	edx, [esp+108h+var_D4]
		push	edx
		push	esi
		push	[esp+110h+var_EC]
		push	[esp+114h+var_B8]
		call	_MI_TIGHTER_PERMISSIONS@16 ; MI_TIGHTER_PERMISSIONS(x,x,x,x)
		test	eax, eax
		jz	short loc_636943

loc_636932:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+3A4j
		mov	edx, [esp+108h+var_E4]
		lea	ecx, [esp+108h+var_A0]
		push	0
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_636943:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+3BBj
		mov	eax, [esp+108h+var_E4]
		mov	[esp+108h+var_EC], eax
		jmp	short loc_63697F
; 

loc_63694D:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+324j
		cmp	ecx, 1
		mov	edx, edi
		mov	ecx, [esp+108h+var_E4]
		jnz	short loc_63696F
		call	_KeCanChangeEnclavePageProtection@8 ; KeCanChangeEnclavePageProtection(x,x)
		mov	[esp+108h+var_E8], eax
		test	eax, eax
		mov	eax, [esp+108h+var_F0]
		js	short loc_6369A5
		mov	edx, [esp+108h+var_F8]
		jmp	short loc_636987
; 

loc_63696F:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+3E1j
		call	_KeChangeEnclavePageProtection@8 ; KeChangeEnclavePageProtection(x,x)
		mov	ecx, [esi+30h]
		shl	ecx, 9
		call	_KeTrackEnclaveTbFlush@4 ; KeTrackEnclaveTbFlush(x)

loc_63697F:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+3D6j
		mov	edx, [esp+108h+var_F8]

loc_636983:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+318j
		mov	eax, [esp+108h+var_F0]

loc_636987:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+2ECj
					; MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+3F8j
		add	[esp+108h+var_E4], 1000h
		add	edx, 8
		mov	[esp+108h+var_F8], edx
		cmp	edx, [esp+108h+var_C4]
		ja	short loc_6369AD
		mov	esi, [esp+108h+var_E0]
		jmp	loc_636753
; 

loc_6369A5:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+3F2j
		mov	[esp+108h+var_E8], 0C0000018h

loc_6369AD:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+425j
		mov	ecx, [esp+108h+var_E8]

loc_6369B1:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+1D8j
		test	ecx, ecx
		js	short loc_6369D8
		mov	edx, [esp+108h+var_D0]
		inc	edx
		mov	[esp+108h+var_D0], edx
		cmp	edx, [esp+108h+var_C0]
		jnb	short loc_6369D8
		mov	esi, [esp+108h+var_E0]
		mov	edx, [esp+108h+var_D8]
		jmp	loc_63673F
; 

loc_6369D1:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+2E0j
		mov	ebx, 0C0000018h
		jmp	short loc_6369DC
; 

loc_6369D8:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+43Ej
					; MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+44Dj
		mov	ebx, [esp+108h+var_E8]

loc_6369DC:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+461j
		push	[ebp+arg_14]
		mov	edx, [esp+10Ch+var_EC]
		lea	ecx, [esp+10Ch+var_A0]
		call	_MiFlushEnclaveTb@12 ; MiFlushEnclaveTb(x,x,x)
		mov	edx, [esp+108h+var_E0]
		test	edx, edx
		jz	short loc_6369FD
		mov	ecx, [esp+108h+var_F4]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_6369FD:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+47Dj
		mov	dl, byte ptr [esp+108h+var_CC]
		mov	ecx, [esp+108h+var_F4]
		call	MiUnlockWorkingSetShared
		test	ebx, ebx
		js	short loc_636A40
		mov	eax, [esp+108h+var_BC]
		mov	ecx, [esp+108h+var_AC]
		mov	esi, [esp+108h+var_D8]
		mov	eax, ds:_MmProtectToValue[eax*4]
		mov	[ecx], eax
		mov	eax, [esp+108h+var_A8]
		mov	ecx, [esp+108h+var_A4]
		mov	[eax], esi
		mov	eax, [ebp+arg_8]
		and	eax, 0FFFFF000h
		sub	eax, esi
		add	eax, 1000h
		xor	ebx, ebx
		mov	[ecx], eax

loc_636A40:				; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+497j
		mov	eax, ebx
		jmp	loc_63664A
_MiProtectEnclavePages@44 endp


;  S U B	R O U T	I N E 


; __stdcall MiRemoveEnclavePagesFromDump(x)
_MiRemoveEnclavePagesFromDump@4	proc near ; CODE XREF: MmGetDumpRange(x,x,x)+27Dp
		mov	eax, ds:dword_6D3580
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		jmp	short loc_636A58
; 

loc_636A54:				; CODE XREF: MiRemoveEnclavePagesFromDump(x)+13j
		mov	esi, eax
		mov	eax, [eax]

loc_636A58:				; CODE XREF: MiRemoveEnclavePagesFromDump(x)+Bj
		test	eax, eax
		jnz	short loc_636A54
		jmp	short loc_636A95
; 

loc_636A5E:				; CODE XREF: MiRemoveEnclavePagesFromDump(x)+50j
		push	2
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	edi
		call	dword ptr [edi+4]
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jz	short loc_636A8D
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_636A95

loc_636A7B:				; CODE XREF: MiRemoveEnclavePagesFromDump(x)+3Cj
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_636A7B
		jmp	short loc_636A95
; 

loc_636A87:				; CODE XREF: MiRemoveEnclavePagesFromDump(x)+4Cj
		cmp	[esi], ecx
		jz	short loc_636A95
		mov	ecx, esi

loc_636A8D:				; CODE XREF: MiRemoveEnclavePagesFromDump(x)+2Aj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_636A87

loc_636A95:				; CODE XREF: MiRemoveEnclavePagesFromDump(x)+15j
					; MiRemoveEnclavePagesFromDump(x)+32j ...
		test	esi, esi
		jnz	short loc_636A5E
		pop	edi
		pop	esi
		retn
_MiRemoveEnclavePagesFromDump@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReserveEnclavePages(x, x,	x)
_MiReserveEnclavePages@12 proc near	; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+69p
					; MiCreateHardwareEnclave(x,x,x,x,x)+78p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	esi, edx
		mov	ebx, ecx
		mov	[ebp+var_4], esi
		lea	edx, [ebp+var_10]
		stosd
		lea	ecx, [esi+950h]
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esi+940h]
		mov	esi, [ebp+arg_0]
		cmp	eax, esi
		jb	short loc_636AE0
		mov	ecx, [ebp+var_4]
		sub	eax, esi
		xor	edi, edi
		mov	[ecx+940h], eax
		jmp	short loc_636AE5
; 

loc_636AE0:				; CODE XREF: MiReserveEnclavePages(x,x,x)+33j
		mov	edi, 0C0000017h

loc_636AE5:				; CODE XREF: MiReserveEnclavePages(x,x,x)+42j
		test	ds:byte_70EFC6,	1
		jz	short loc_636AFB
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_636B2A
; 

loc_636AFB:				; CODE XREF: MiReserveEnclavePages(x,x,x)+50j
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_636B1A
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jz	short loc_636B2A
		call	KxWaitForLockChainValid

loc_636B1A:				; CODE XREF: MiReserveEnclavePages(x,x,x)+64j
		lea	ecx, [eax+4]
		mov	[ebp+var_10], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax

loc_636B2A:				; CODE XREF: MiReserveEnclavePages(x,x,x)+5Dj
					; MiReserveEnclavePages(x,x,x)+77j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jns	short loc_636B3B
		mov	eax, edi
		jmp	short loc_636B67
; 

loc_636B3B:				; CODE XREF: MiReserveEnclavePages(x,x,x)+99j
		add	[ebx+3Ch], esi
		test	esi, esi
		jz	short loc_636B65

loc_636B42:				; CODE XREF: MiReserveEnclavePages(x,x,x)+C7j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		lea	edx, [eax+1]
		call	_MiGetEnclavePage@8 ; MiGetEnclavePage(x,x)
		imul	ecx, eax, 1Ch
		mov	eax, [ebx+38h]
		add	ecx, ds:_MmPfnDatabase
		mov	[ecx], eax
		mov	[ebx+38h], ecx
		sub	esi, 1
		jnz	short loc_636B42

loc_636B65:				; CODE XREF: MiReserveEnclavePages(x,x,x)+A4j
		xor	eax, eax

loc_636B67:				; CODE XREF: MiReserveEnclavePages(x,x,x)+9Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiReserveEnclavePages@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiReturnEnclavePage(x)
_MiReturnEnclavePage@4 proc near	; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x):loc_6356F3p
					; MiReturnReservedEnclavePages(x,x)+28p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		imul	esi, edi, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		add	esi, 10h
		mov	edx, 100h
		mov	ecx, edi
		mov	bl, al
		and	dword ptr [esi], 0FF800000h
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, bl
		pop	edi
		pop	esi
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiReturnEnclavePage@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiUpdateEnclavePfnProtection(x, x)
_MiUpdateEnclavePfnProtection@8	proc near
					; CODE XREF: MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+35Cp
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		and	esi, 1Fh
		xor	edx, edx
		shld	edx, esi, 5
		mov	cl, al
		mov	eax, [edi+8]
		or	[edi+0Ch], edx
		and	eax, 0FFFFFC1Fh
		shl	esi, 5
		mov	edx, 7FFFFFFFh
		or	esi, eax
		lea	eax, [edi+10h]
		mov	[edi+8], esi
		lock and [eax],	edx
		pop	edi
		pop	esi
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiUpdateEnclavePfnProtection@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWriteEnclavePte(x, x, x, x, x, x)
_MiWriteEnclavePte@24 proc near		; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+2F3p
					; MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)+395p ...

var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+80h]
		mov	edi, ecx
		mov	ebx, edi
		mov	[esp+28h+var_C], edx
		shr	ebx, 9
		add	eax, 240h
		xor	esi, esi
		mov	[esp+28h+var_4], eax
		and	ebx, offset loc_7FFFF8
		cmp	[ebp+arg_4], esi
		jz	short loc_636C55
		mov	ecx, eax
		call	MiLockWorkingSetShared
		mov	ecx, [esp+28h+var_C]
		xor	edx, edx
		push	esi
		mov	byte ptr [esp+2Ch+var_10], al
		push	[esp+2Ch+var_10]
		mov	ecx, [ecx+1Ch]
		shr	ecx, 0Ch
		and	ecx, 3Fh
		mov	[esp+30h+var_15], al
		push	ecx
		mov	ecx, edi
		call	MiMakeSystemAddressValid
		jmp	short loc_636C5A
; 

loc_636C55:				; CODE XREF: MiWriteEnclavePte(x,x,x,x,x,x)+39j
		mov	[esp+28h+var_15], 21h

loc_636C5A:				; CODE XREF: MiWriteEnclavePte(x,x,x,x,x,x)+66j
		cmp	[ebp+arg_0], esi
		jz	short loc_636C70
		nop
		mov	eax, [ebp+arg_8]
		mov	[edi], eax
		mov	eax, [ebp+arg_C]
		mov	[edi+4], eax
		jmp	loc_636D40
; 

loc_636C70:				; CODE XREF: MiWriteEnclavePte(x,x,x,x,x,x)+70j
		mov	edx, [edi]
		mov	[esp+28h+var_C], edx
		nop
		mov	eax, [edi+4]
		mov	ecx, edi
		mov	[esp+28h+var_8], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+28h+var_14], eax
		mov	[esp+28h+var_10], esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		xor	ecx, ecx
		inc	ecx
		test	eax, eax
		jz	short loc_636CDF
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_636CC7
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	[esp+28h+var_10], ecx
		jnz	short loc_636CDF

loc_636CAD:				; CODE XREF: MiWriteEnclavePte(x,x,x,x,x,x)+F0j
		mov	eax, [ebp+arg_8]
		and	eax, ecx
		or	eax, esi
		jz	short loc_636CDF
		mov	eax, [ebp+arg_8]
		mov	[esp+28h+var_14], eax
		mov	eax, [ebp+arg_C]
		or	eax, 80000000h
		jmp	short loc_636CE2
; 

loc_636CC7:				; CODE XREF: MiWriteEnclavePte(x,x,x,x,x,x)+B1j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_636CAD

loc_636CDF:				; CODE XREF: MiWriteEnclavePte(x,x,x,x,x,x)+A8j
					; MiWriteEnclavePte(x,x,x,x,x,x)+BEj ...
		mov	eax, [ebp+arg_C]

loc_636CE2:				; CODE XREF: MiWriteEnclavePte(x,x,x,x,x,x)+D8j
		mov	[edi+4], eax
		nop
		mov	edx, [esp+28h+var_14]
		mov	[edi], edx
		mov	edx, [esp+28h+var_C]
		cmp	[esp+28h+var_10], esi
		jz	short loc_636D09
		push	eax
		push	[esp+2Ch+var_14]
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	edx, [esp+28h+var_C]
		xor	ecx, ecx
		inc	ecx

loc_636D09:				; CODE XREF: MiWriteEnclavePte(x,x,x,x,x,x)+107j
		mov	eax, edx
		or	eax, [esp+28h+var_8]
		jnz	short loc_636D15
		mov	esi, ecx
		jmp	short loc_636D2C
; 

loc_636D15:				; CODE XREF: MiWriteEnclavePte(x,x,x,x,x,x)+122j
		mov	eax, edx
		and	eax, 400h
		or	eax, esi
		jnz	short loc_636D2C
		and	edx, 800h
		or	edx, esi
		jz	short loc_636D2C
		mov	ecx, esi

loc_636D2C:				; CODE XREF: MiWriteEnclavePte(x,x,x,x,x,x)+126j
					; MiWriteEnclavePte(x,x,x,x,x,x)+131j ...
		mov	eax, esi
		or	eax, ecx
		jz	short loc_636D40
		mov	edx, ecx
		lea	ecx, [ebx-40000000h]
		push	esi
		call	_MiUpdateAwePageTable@12 ; MiUpdateAwePageTable(x,x,x)

loc_636D40:				; CODE XREF: MiWriteEnclavePte(x,x,x,x,x,x)+7Ej
					; MiWriteEnclavePte(x,x,x,x,x,x)+143j
		cmp	[ebp+arg_4], 0
		jz	short loc_636D62
		mov	ecx, [esp+28h+var_4]
		lea	edx, [ebx-40000000h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [esp+28h+var_15]
		mov	ecx, [esp+28h+var_4]
		call	MiUnlockWorkingSetShared

loc_636D62:				; CODE XREF: MiWriteEnclavePte(x,x,x,x,x,x)+157j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_MiWriteEnclavePte@24 endp


;  S U B	R O U T	I N E 


; __stdcall MiCloneWriteWatch(x, x)
_MiCloneWriteWatch@8 proc near		; CODE XREF: MiCloneVads+5CFp
		mov	edi, edi
		push	esi
		mov	esi, [ecx+24h]
		jmp	short loc_636D7B
; 

loc_636D73:				; CODE XREF: MiCloneWriteWatch(x,x)+12j
		test	byte ptr [esi+24h], 4
		jnz	short loc_636D7F
		mov	esi, [esi]

loc_636D7B:				; CODE XREF: MiCloneWriteWatch(x,x)+6j
		test	esi, esi
		jnz	short loc_636D73

loc_636D7F:				; CODE XREF: MiCloneWriteWatch(x,x)+Cj
		mov	ecx, [edx+24h]
		jmp	short loc_636D8C
; 

loc_636D84:				; CODE XREF: MiCloneWriteWatch(x,x)+23j
		test	byte ptr [ecx+24h], 4
		jnz	short loc_636D90
		mov	ecx, [ecx]

loc_636D8C:				; CODE XREF: MiCloneWriteWatch(x,x)+17j
		test	ecx, ecx
		jnz	short loc_636D84

loc_636D90:				; CODE XREF: MiCloneWriteWatch(x,x)+1Dj
		mov	eax, [ecx+4]
		add	eax, 7
		shr	eax, 3
		push	eax		; size_t
		push	dword ptr [esi+8] ; void *
		push	dword ptr [ecx+8] ; void *
		call	_memcpy
		add	esp, 0Ch
		pop	esi
		retn
_MiCloneWriteWatch@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiCheckContiguityTradeEligible(x)
_MiCheckContiguityTradeEligible@4 proc near
					; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x):loc_63702Dp
					; MiMakeVaRangePhysicallyContiguous(x,x,x,x)+105p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_636DE2
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	short loc_636DE2
		cmp	[esi+17h], al
		jl	short loc_636DE2
		mov	al, [esi+16h]
		and	al, 7
		cmp	al, 6
		jnz	short loc_636DE6
		push	ecx
		push	0
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	_MiActivePageClaimCandidate@16 ; MiActivePageClaimCandidate(x,x,x,x)
		test	eax, eax
		jz	short loc_636DED

loc_636DE2:				; CODE XREF: MiCheckContiguityTradeEligible(x)+Cj
					; MiCheckContiguityTradeEligible(x)+15j ...
		xor	eax, eax
		pop	esi
		retn
; 

loc_636DE6:				; CODE XREF: MiCheckContiguityTradeEligible(x)+23j
		cmp	word ptr [esi+14h], 0
		jnz	short loc_636DE2

loc_636DED:				; CODE XREF: MiCheckContiguityTradeEligible(x)+36j
		xor	eax, eax
		inc	eax
		pop	esi
		retn
_MiCheckContiguityTradeEligible@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiQueryVaPhysicalContiguity(x, x, x, x)
_MiQueryVaPhysicalContiguity@16	proc near
					; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+176p
					; MiQueryMemoryPhysicalContiguity(x,x,x,x)+311p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		or	[esp+40h+var_8], 0FFFFFFFFh
		push	esi
		mov	ebx, ds:_MiLargePageSizes[eax*4]
		mov	esi, offset loc_7FFFF8
		mov	eax, edx
		mov	[esp+44h+var_4], ebx
		shr	eax, 9
		dec	edx
		and	eax, esi
		mov	[esp+44h+var_34], ecx
		sub	eax, 40000000h
		mov	[esp+44h+var_3C], eax
		mov	eax, ebx
		shl	eax, 0Ch
		xor	ebx, ebx
		add	eax, edx
		inc	ebx
		shr	eax, 9
		and	eax, esi
		sub	eax, 40000000h
		mov	[esp+44h+var_24], eax
		mov	eax, [ebp+arg_4]
		push	edi
		xor	edi, edi
		and	eax, ebx
		mov	[esp+48h+var_18], edi
		mov	esi, edi
		mov	[esp+48h+var_1C], edi
		mov	[esp+48h+var_2C], edi
		mov	[esp+48h+var_C], eax
		mov	[esp+48h+var_30], edi
		call	MiLockWorkingSetShared
		mov	edx, [esp+48h+var_3C]
		mov	byte ptr [esp+48h+var_20], al
		mov	eax, [esp+48h+var_24]
		cmp	edx, eax
		ja	loc_6370F3

loc_636E7B:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+2E8j
		mov	[esp+48h+var_38], ebx
		test	esi, esi
		jz	short loc_636EA8
		test	edx, 0FFFh
		jnz	short loc_636EA0
		mov	ecx, [esp+48h+var_34]
		mov	edx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	edx, [esp+48h+var_3C]
		mov	esi, edi
		mov	eax, [esp+48h+var_24]

loc_636EA0:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+97j
		test	esi, esi
		jnz	loc_636FA2

loc_636EA8:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+8Fj
		lea	ecx, [esp+48h+var_18]
		mov	edx, eax
		push	ecx
		mov	ecx, [esp+4Ch+var_3C]
		push	ebx
		push	[esp+50h+var_20]
		push	edi
		call	MiGetNextPageTable
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_6370E2
		mov	eax, [esp+48h+var_18]
		mov	esi, ecx
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		mov	[esp+48h+var_28], eax
		sub	esi, 40000000h
		test	eax, eax
		jz	short loc_636F2A
		mov	[esp+48h+var_30], esi
		cmp	eax, ebx
		jbe	short loc_636F1B
		lea	edx, [eax-1]
		mov	edi, esi

loc_636EF2:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+121j
		shr	esi, 9
		shr	edi, 9
		and	esi, offset loc_7FFFF8
		and	edi, offset loc_7FFFF8
		sub	esi, 40000000h
		sub	edi, 40000000h
		sub	edx, 1
		jnz	short loc_636EF2
		mov	[esp+48h+var_30], edi
		xor	edi, edi

loc_636F1B:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+F9j
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h

loc_636F2A:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+F1j
		mov	edx, [esp+48h+var_3C]
		cmp	ecx, edx
		jnz	loc_6370E2
		test	eax, eax
		jz	short loc_636FA2
		mov	eax, [esp+48h+var_30]
		mov	ecx, [eax]
		nop
		mov	eax, [eax+4]
		nop
		shrd	ecx, eax, 0Ch
		mov	eax, edx
		shr	eax, 3
		and	ecx, 1FFFFFFh
		and	eax, 0FFFFFh
		cmp	[esp+48h+var_28], 0
		jbe	short loc_636F8E
		mov	edx, [esp+48h+var_28]
		mov	edi, eax
		mov	ebx, [esp+48h+var_38]

loc_636F6A:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+18Dj
		mov	eax, edi
		shr	edi, 9
		and	eax, 1FFh
		imul	eax, ebx
		shl	ebx, 9
		add	ecx, eax
		sub	edx, 1
		jnz	short loc_636F6A
		mov	edx, [esp+48h+var_3C]
		mov	[esp+48h+var_38], ebx
		xor	ebx, ebx
		inc	ebx
		xor	edi, edi

loc_636F8E:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+16Cj
		mov	eax, [esp+48h+var_38]
		dec	eax
		mov	[esp+48h+var_2C], ebx
		and	eax, ecx
		sub	[esp+48h+var_38], eax
		jmp	loc_637058
; 

loc_636FA2:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+B0j
					; MiQueryVaPhysicalContiguity(x,x,x,x)+146j
		mov	ecx, [edx]
		mov	[esp+48h+var_14], edi
		nop
		mov	edx, [edx+4]
		mov	eax, ecx
		and	eax, ebx
		or	eax, edi
		jz	short loc_636FD2
		nop
		shrd	ecx, edx, 0Ch
		and	ecx, 1FFFFFFh
		mov	[esp+48h+var_28], ecx
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[esp+48h+var_10], ecx
		jmp	short loc_63702D
; 

loc_636FD2:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+1C0j
		mov	eax, ecx
		and	eax, 400h
		or	eax, edi
		jnz	loc_6370E2
		and	ecx, 800h
		or	ecx, edi
		jz	loc_6370E2
		test	byte ptr [ebp+arg_4], 2
		jnz	loc_6370E2
		mov	ecx, [esp+48h+var_3C]
		xor	edx, edx
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	ecx, eax
		mov	[esp+48h+var_10], ecx
		test	ecx, ecx
		jz	loc_6370E2
		sub	eax, ds:_MmPfnDatabase
		cdq
		mov	[esp+48h+var_28], 1Ch
		idiv	[esp+48h+var_28]
		mov	[esp+48h+var_14], ebx
		mov	[esp+48h+var_28], eax

loc_63702D:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+1DEj
		call	_MiCheckContiguityTradeEligible@4 ; MiCheckContiguityTradeEligible(x)
		test	eax, eax
		jnz	short loc_63703A
		mov	[esp+48h+var_2C], ebx

loc_63703A:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+242j
		cmp	[esp+48h+var_14], 0
		jz	short loc_637050
		mov	eax, [esp+48h+var_10]
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx

loc_637050:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+24Dj
		mov	edx, [esp+48h+var_3C]
		mov	ecx, [esp+48h+var_28]

loc_637058:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+1ABj
		mov	eax, [esp+48h+var_8]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_63706A
		mov	eax, [esp+48h+var_4]
		dec	eax
		test	eax, ecx
		jmp	short loc_63706C
; 

loc_63706A:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+26Dj
		cmp	eax, ecx

loc_63706C:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+276j
		jz	short loc_637079
		cmp	[esp+48h+var_C], 0
		mov	[esp+48h+var_1C], ebx
		jz	short loc_6370E4

loc_637079:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x):loc_63706Cj
		mov	eax, [esp+48h+var_38]
		add	eax, ecx
		mov	[esp+48h+var_8], eax
		test	dl, 78h
		jnz	short loc_637095
		mov	ecx, [esp+48h+var_34]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_6370A2

loc_637095:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+294j
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_6370C5
		mov	ecx, [esp+48h+var_34]

loc_6370A2:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+2A1j
		test	esi, esi
		jz	short loc_6370AF
		mov	edx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	esi, edi

loc_6370AF:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+2B2j
		mov	dl, byte ptr [esp+48h+var_20]
		mov	ecx, [esp+48h+var_34]
		call	MiUnlockWorkingSetShared
		mov	ecx, [esp+48h+var_34]
		call	MiLockWorkingSetShared

loc_6370C5:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+2AAj
		mov	edx, [esp+48h+var_3C]
		mov	eax, [esp+48h+var_38]
		lea	edx, [edx+eax*8]
		mov	eax, [esp+48h+var_24]
		mov	[esp+48h+var_3C], edx
		cmp	edx, eax
		jbe	loc_636E7B
		jmp	short loc_6370E4
; 

loc_6370E2:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+D0j
					; MiQueryVaPhysicalContiguity(x,x,x,x)+13Ej ...
		mov	edi, ebx

loc_6370E4:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+285j
					; MiQueryVaPhysicalContiguity(x,x,x,x)+2EEj
		test	esi, esi
		jz	short loc_6370F3
		mov	ecx, [esp+48h+var_34]
		mov	edx, esi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_6370F3:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+83j
					; MiQueryVaPhysicalContiguity(x,x,x,x)+2F4j
		mov	dl, byte ptr [esp+48h+var_20]
		mov	ecx, [esp+48h+var_34]
		call	MiUnlockWorkingSetShared
		test	edi, edi
		jz	short loc_637112
		xor	ebx, ebx
		cmp	[esp+48h+var_2C], ebx
		setnz	bl
		add	ebx, 2
		jmp	short loc_637124
; 

loc_637112:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+310j
		cmp	[esp+48h+var_1C], 0
		jz	short loc_637124
		mov	ebx, [esp+48h+var_2C]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 3

loc_637124:				; CODE XREF: MiQueryVaPhysicalContiguity(x,x,x,x)+31Ej
					; MiQueryVaPhysicalContiguity(x,x,x,x)+325j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_MiQueryVaPhysicalContiguity@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWorkingSetInfoCheckPageTable(x, x, x, x, x)
_MiWorkingSetInfoCheckPageTable@20 proc	near
					; CODE XREF: MiGetWorkingSetInfoList(x,x,x,x)+7A3p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, [ebx]
		nop
		mov	eax, [ebx+4]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edi
		shrd	edi, eax, 0Bh
		and	edi, 1
		mov	eax, edi
		or	eax, esi
		jnz	short loc_637169
		lea	ecx, [ebp+var_10]
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jz	short loc_6371D3
		mov	ecx, [ebp+var_4]

loc_637169:				; CODE XREF: MiWorkingSetInfoCheckPageTable(x,x,x,x,x)+29j
		test	[ebp+arg_4], 1
		jz	short loc_637199
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+4]
		or	eax, 200000h
		or	edi, esi
		jz	short loc_63718A
		and	eax, 0FF7FFFFFh
		or	eax, 400000h
		jmp	short loc_637194
; 

loc_63718A:				; CODE XREF: MiWorkingSetInfoCheckPageTable(x,x,x,x,x)+4Dj
		and	eax, 0FFBFFFFFh
		or	eax, 800000h

loc_637194:				; CODE XREF: MiWorkingSetInfoCheckPageTable(x,x,x,x,x)+59j
		mov	[ecx+4], eax
		jmp	short loc_6371D3
; 

loc_637199:				; CODE XREF: MiWorkingSetInfoCheckPageTable(x,x,x,x,x)+3Ej
		test	[ebp+arg_4], 2
		jz	short loc_6371D3
		mov	edx, ebx
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		sub	edx, 40000000h
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		push	esi
		push	[ebp+arg_8]
		mov	ecx, ebx
		xor	edx, edx
		push	esi
		shl	ecx, 9
		call	MiMakeSystemAddressValid
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	esi, esi
		inc	esi

loc_6371D3:				; CODE XREF: MiWorkingSetInfoCheckPageTable(x,x,x,x,x)+35j
					; MiWorkingSetInfoCheckPageTable(x,x,x,x,x)+68j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiWorkingSetInfoCheckPageTable@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCaptureProtectionFromLockedProto(x)
_MiCaptureProtectionFromLockedProto@4 proc near	; CODE XREF: .text:00455A90p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	eax, ecx
		push	edi
		mov	[ebp+var_4], eax

loc_6371EC:				; CODE XREF: MiCaptureProtectionFromLockedProto(x)+4Fj
					; MiCaptureProtectionFromLockedProto(x)+6Bj ...
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		mov	edi, [eax]
		nop
		mov	esi, [eax+4]
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	short loc_637209
		xor	eax, eax
		inc	eax
		jmp	short loc_63720B
; 

loc_637209:				; CODE XREF: MiCaptureProtectionFromLockedProto(x)+26j
		xor	eax, eax

loc_63720B:				; CODE XREF: MiCaptureProtectionFromLockedProto(x)+2Bj
		nop
		test	eax, eax
		jz	loc_6372A0
		mov	ebx, edi
		mov	eax, esi
		shrd	ebx, eax, 0Ch
		mov	eax, [ebp+var_4]
		and	ebx, 1FFFFFFh
		cmp	ebx, ds:dword_6D07B0
		ja	short loc_6371EC
		mov	eax, ds:dword_6D35B8
		mov	edx, ebx
		shr	edx, 5
		mov	ecx, ebx
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		mov	eax, [ebp+var_4]
		jz	short loc_6371EC
		imul	ebx, 1Ch
		add	ebx, ds:_MmPfnDatabase
		mov	ecx, ebx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edx, [ebp+var_4]
		mov	ecx, [edx]
		nop
		mov	edx, [edx+4]
		mov	[ebp+var_C], edx
		lea	edx, [ebx+10h]
		cmp	edi, ecx
		jnz	short loc_637271
		cmp	esi, [ebp+var_C]
		jz	short loc_637289

loc_637271:				; CODE XREF: MiCaptureProtectionFromLockedProto(x)+8Ej
		mov	ecx, 7FFFFFFFh
		lock and [edx],	ecx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_4]
		jmp	loc_6371EC
; 

loc_637289:				; CODE XREF: MiCaptureProtectionFromLockedProto(x)+93j
		mov	edi, [ebx+8]
		nop
		mov	esi, [ebx+0Ch]
		mov	ecx, 7FFFFFFFh
		lock and [edx],	ecx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_6372A0:				; CODE XREF: MiCaptureProtectionFromLockedProto(x)+32j
		shrd	edi, esi, 5
		and	edi, 1Fh
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiCaptureProtectionFromLockedProto@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeProtoPrivate(x, x, x)
_MiMakeProtoPrivate@12 proc near	; CODE XREF: .text:0045133Cp

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_1], dl
		mov	[ebp+var_8], ecx
		mov	esi, [edi]
		nop
		mov	eax, [edi+4]
		nop
		shrd	esi, eax, 0Ch
		and	esi, 1FFFFFFh
		imul	edx, esi, 1Ch
		add	edx, ds:_MmPfnDatabase
		test	dword ptr [edx+18h], 800000h
		jnz	short loc_6372EF
		mov	eax, [edx+4]
		test	eax, eax
		js	short loc_6372EF
		jnz	short loc_63732E

loc_6372EF:				; CODE XREF: MiMakeProtoPrivate(x,x,x)+36j
					; MiMakeProtoPrivate(x,x,x)+3Dj
		mov	eax, large fs:124h
		mov	edx, [edx+4]
		or	edx, 80000000h
		mov	ecx, [eax+80h]
		call	_MiLocateCloneAddress@8	; MiLocateCloneAddress(x,x)
		mov	edx, eax
		mov	eax, [ecx+24Ch]
		mov	ecx, edx
		push	dword ptr [eax+8Ch]
		push	dword ptr [eax+88h]
		call	_MI_IS_CLONE_COMMIT_CHARGED@12 ; MI_IS_CLONE_COMMIT_CHARGED(x,x,x)
		mov	ebx, eax
		neg	ebx
		sbb	ebx, ebx
		not	ebx
		and	ebx, edx

loc_63732E:				; CODE XREF: MiMakeProtoPrivate(x,x,x)+3Fj
		push	0
		mov	ecx, edi
		mov	edx, edi
		push	0FFFFFFFFh
		shl	ecx, 9
		call	_MiCopyOnWrite@16 ; MiCopyOnWrite(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_637375
		mov	ebx, [ebp+var_8]
		mov	ecx, ebx
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		lea	edx, [edi-40000000h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		mov	edx, esi
		mov	ecx, ebx
		call	MiCopyOnWriteCheckConditions
		push	2
		pop	eax
		jmp	short loc_63737C
; 

loc_637375:				; CODE XREF: MiMakeProtoPrivate(x,x,x)+94j
		xor	eax, eax
		test	ebx, ebx
		setnz	al

loc_63737C:				; CODE XREF: MiMakeProtoPrivate(x,x,x)+C5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiMakeProtoPrivate@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetProtectionOnTransitionPte(x, x, x, x)
_MiSetProtectionOnTransitionPte@16 proc	near ; CODE XREF: .text:00453BBBp
					; MiSetReadOnlyOnSectionView(x,x,x,x)+454p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ecx
		mov	[ebp+var_4], edx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_8], eax
		mov	ecx, offset loc_500000
		mov	edx, [eax+1Ch]
		mov	eax, edx
		and	eax, ecx
		push	esi
		push	edi
		cmp	eax, ecx
		jnz	loc_637554
		shr	edx, 12h
		xor	eax, eax
		and	edx, 3
		mov	ecx, ds:_MiVadPageSizes[edx*4]
		cmp	ecx, 10h
		mov	[ebp+var_14], ecx
		setz	al
		dec	eax
		and	eax, 0FFFFFFF1h
		add	eax, 10h
		cmp	[ebp+arg_0], 18h
		mov	[ebp+var_18], eax
		jz	loc_63754D
		xor	edx, edx
		mov	eax, edx
		mov	[ebp+var_10], edx
		mov	esi, edx
		mov	[ebp+arg_4], eax
		mov	ecx, edx

loc_6373E6:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+1C4j
		test	ecx, ecx
		jnz	loc_6374B5
		mov	ecx, [ebx]
		nop
		mov	eax, ds:dword_6D0700
		mov	edi, ecx
		mov	edx, ds:dword_6D0704
		mov	esi, [ebx+4]
		mov	ebx, esi
		mov	[ebp+arg_4], eax
		or	eax, edx
		push	0
		mov	[ebp+var_C], edx
		pop	edx
		jz	short loc_63742D
		mov	eax, edi
		and	eax, 10h
		or	eax, edx
		jnz	short loc_637429
		mov	ecx, [ebp+arg_4]
		mov	esi, [ebp+var_C]
		not	ecx
		not	esi
		and	ecx, edi
		and	esi, ebx
		jmp	short loc_63742D
; 

loc_637429:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+94j
		mov	ecx, edi
		mov	esi, ebx

loc_63742D:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+8Bj
					; MiSetProtectionOnTransitionPte(x,x,x,x)+A4j
		push	[ebp+arg_0]
		shrd	ecx, esi, 0Ch
		and	ecx, 3FFFFFFh
		imul	ebx, ecx, 1Ch
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+var_8]
		add	ebx, ds:_MmPfnDatabase
		mov	edi, [ebx+8]
		mov	edx, edi
		mov	esi, [ebx+0Ch]
		mov	eax, esi
		shrd	edx, eax, 5
		and	edx, 1Fh
		call	MiSanitizePfnProtection
		mov	edx, eax
		mov	[ebp+arg_4], eax
		and	edx, 1Fh
		xor	ecx, ecx
		shld	ecx, edx, 5
		and	edi, 0FFFFFC1Fh
		shl	edx, 5
		or	ecx, esi
		or	edx, edi
		mov	[ebx+0Ch], ecx
		cmp	[ebp+var_14], 200h
		mov	[ebx+8], edx
		jb	short loc_637491
		or	eax, 4000000h
		mov	[ebp+arg_4], eax

loc_637491:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+104j
		mov	eax, [ebp+var_8]
		mov	ecx, 300000h
		mov	ebx, [ebp+var_4]
		mov	esi, [ebp+var_C]
		mov	eax, [eax+1Ch]
		and	eax, ecx
		cmp	eax, ecx
		mov	eax, [ebp+arg_4]
		jz	short loc_6374B6
		or	eax, 80000000h
		mov	[ebp+arg_4], eax
		jmp	short loc_6374B6
; 

loc_6374B5:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+65j
		inc	esi

loc_6374B6:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+126j
					; MiSetProtectionOnTransitionPte(x,x,x,x)+130j
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	MiMakeValidPte
		mov	edi, edx
		mov	[ebp+var_4], eax
		xor	edx, edx
		mov	ecx, ebx
		mov	[ebp+var_C], edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_63751B
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		mov	ecx, [ebp+var_4]
		test	eax, eax
		jz	short loc_637501
		mov	[ebp+var_C], 1
		cmp	byte ptr ds:word_6D07B8+1, dl
		jnz	short loc_63751E

loc_6374F0:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+196j
		mov	eax, ecx
		and	eax, 1
		or	eax, edx
		jz	short loc_63751E
		or	edi, 80000000h
		jmp	short loc_63751E
; 

loc_637501:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+15Cj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_63751E
		jmp	short loc_6374F0
; 

loc_63751B:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+150j
		mov	ecx, [ebp+var_4]

loc_63751E:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+16Bj
					; MiSetProtectionOnTransitionPte(x,x,x,x)+174j	...
		mov	[ebx+4], edi
		nop
		mov	[ebx], ecx
		cmp	[ebp+var_C], edx
		jz	short loc_637534
		push	edi
		push	ecx
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		xor	edx, edx

loc_637534:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+1A4j
		mov	ecx, [ebp+var_10]
		add	ebx, 8
		mov	eax, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_10], ecx
		cmp	ecx, [ebp+var_18]
		jb	loc_6373E6

loc_63754D:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+4Fj
		xor	eax, eax
		jmp	loc_6375E7
; 

loc_637554:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+23j
		xor	edx, edx
		mov	ecx, ebx
		xor	esi, esi
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	edx, eax
		mov	[ebp+var_18], edx
		test	edx, edx
		jnz	short loc_63756D
		push	2
		pop	eax
		jmp	short loc_6375E7
; 

loc_63756D:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+1E3j
		mov	eax, [ebx]
		mov	[ebp+var_14], eax
		nop
		mov	eax, [ebx+4]
		mov	[ebp+var_10], eax
		cmp	[ebp+arg_4], esi
		jnz	short loc_637589
		cmp	[edx+14h], si
		jz	short loc_637589
		xor	eax, eax
		inc	eax
		jmp	short loc_6375DC
; 

loc_637589:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+1F9j
					; MiSetProtectionOnTransitionPte(x,x,x,x)+1FFj
		mov	esi, [edx+0Ch]
		mov	eax, esi
		mov	edi, [edx+8]
		mov	edx, edi
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_8]
		shrd	edx, eax, 5
		and	edx, 1Fh
		call	MiSanitizePfnProtection
		mov	edx, [ebp+var_18]
		and	eax, 1Fh
		xor	ecx, ecx
		and	edi, 0FFFFFC1Fh
		shld	ecx, eax, 5
		or	esi, ecx
		shl	eax, 5
		mov	[edx+0Ch], esi
		or	edi, eax
		mov	esi, [ebp+var_14]
		and	esi, 0FFFFFC1Fh
		mov	[edx+8], edi
		or	esi, eax
		mov	eax, [ebp+var_10]
		or	eax, ecx
		mov	[ebx], esi
		nop
		mov	[ebx+4], eax
		xor	eax, eax

loc_6375DC:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+204j
		mov	esi, 7FFFFFFFh
		lea	ecx, [edx+10h]
		lock and [ecx],	esi

loc_6375E7:				; CODE XREF: MiSetProtectionOnTransitionPte(x,x,x,x)+1CCj
					; MiSetProtectionOnTransitionPte(x,x,x,x)+1E8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiSetProtectionOnTransitionPte@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiChangeAwePageAttributes(x, x, x)
_MiChangeAwePageAttributes@12 proc near	; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+324p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+4]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], eax
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		push	2
		pop	ecx
		lea	esi, [edi+10h]
		mov	edx, [esi]
		cmp	[edi+14h], cx
		ja	short loc_63768D
		mov	ecx, edx
		and	ecx, 3FFFFFFFh
		cmp	ecx, 1
		jnz	short loc_63768D
		test	edx, 40000000h
		jnz	short loc_63768D
		mov	ebx, [edi+8]
		mov	ecx, 7FFFFFFFh
		mov	edi, [edi+0Ch]
		lock and [esi],	ecx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		xor	ecx, ecx
		cmp	[ebp+var_4], eax
		jz	short loc_63766F

loc_637649:				; CODE XREF: MiChangeAwePageAttributes(x,x,x)+7Fj
		push	2
		pop	edx
		cmp	[esi+4], dx
		mov	edx, [ebp+var_4]
		ja	short loc_637687
		test	dword ptr [esi], 40000000h
		jnz	short loc_637687
		and	dword ptr [esi-4], 0
		mov	[esi-8], ecx
		lea	ecx, [esi-10h]
		add	esi, 1Ch
		inc	eax
		cmp	eax, edx
		jb	short loc_637649

loc_63766F:				; CODE XREF: MiChangeAwePageAttributes(x,x,x)+59j
		mov	edx, [ebp+arg_0]
		push	edi
		push	ebx
		call	MiChangePageAttributeBatch
		xor	eax, eax
		jmp	short loc_6376A2
; 

loc_63767D:				; CODE XREF: MiChangeAwePageAttributes(x,x,x)+9Bj
		lea	eax, [ecx+8]
		mov	ecx, [eax]
		mov	[eax], ebx
		mov	[eax+4], edi

loc_637687:				; CODE XREF: MiChangeAwePageAttributes(x,x,x)+65j
					; MiChangeAwePageAttributes(x,x,x)+6Dj
		test	ecx, ecx
		jnz	short loc_63767D
		jmp	short loc_63769D
; 

loc_63768D:				; CODE XREF: MiChangeAwePageAttributes(x,x,x)+25j
					; MiChangeAwePageAttributes(x,x,x)+32j	...
		mov	ecx, 7FFFFFFFh
		lock and [esi],	ecx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_63769D:				; CODE XREF: MiChangeAwePageAttributes(x,x,x)+9Dj
		mov	eax, 0C0000018h

loc_6376A2:				; CODE XREF: MiChangeAwePageAttributes(x,x,x)+8Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiChangeAwePageAttributes@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDecrementAweMapCount(x, x, x, x)
_MiDecrementAweMapCount@16 proc	near	; CODE XREF: MiFreePhysicalPages(x,x)+246p
					; MiFreePhysicalPages(x,x)+259p ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, esi
		mov	bl, al
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		test	[ebp+arg_4], 1
		mov	edi, eax
		jz	short loc_6376D7
		or	dword ptr [esi+10h], 40000000h
		jmp	short loc_6376F8
; 

loc_6376D7:				; CODE XREF: MiDecrementAweMapCount(x,x,x,x)+23j
		test	edi, edi
		jnz	short loc_6376F8
		mov	al, [esi+16h]
		test	al, 8
		jz	short loc_6376E5
		inc	edi
		jmp	short loc_6376F8
; 

loc_6376E5:				; CODE XREF: MiDecrementAweMapCount(x,x,x,x)+37j
		mov	ecx, [ebp+arg_0]
		or	al, 8
		mov	[esi+16h], al
		mov	eax, [ecx]
		and	dword ptr [esi+0Ch], 0
		mov	[esi+8], eax
		mov	[ecx], esi

loc_6376F8:				; CODE XREF: MiDecrementAweMapCount(x,x,x,x)+2Cj
					; MiDecrementAweMapCount(x,x,x,x)+30j ...
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_MiDecrementAweMapCount@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiDeleteSectionAwe(x)
_MiDeleteSectionAwe@4 proc near		; CODE XREF: MiDeletePageFileSectionNodes(x):loc_78A36Ap
					; MiCreatePagingFileMap(x)+5ACp ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx+4]
		mov	ecx, esi
		call	_MiDeleteAweInfoPages@4	; MiDeleteAweInfoPages(x)
		mov	edx, esi
		xor	ecx, ecx
		pop	esi
		jmp	_MiDeleteAweInfo@8 ; MiDeleteAweInfo(x,x)
_MiDeleteSectionAwe@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteVadAwePtes(x, x, x)
_MiDeleteVadAwePtes@12 proc near	; CODE XREF: .text:00458840p
					; .text:004597A8p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		mov	esi, [edi]
		nop
		and	esi, 1
		or	esi, ebx
		jz	short loc_63775E
		mov	eax, [ecx+10h]
		inc	ebx
		mov	edx, [eax+4]
		call	_MiGetAweViewPageSize@4	; MiGetAweViewPageSize(x)
		test	eax, eax
		jnz	short loc_637755
		mov	eax, edx

loc_637755:				; CODE XREF: MiDeleteVadAwePtes(x,x,x)+26j
		cmp	eax, 200h
		jz	short loc_63775E
		mov	ebx, edx

loc_63775E:				; CODE XREF: MiDeleteVadAwePtes(x,x,x)+16j
					; MiDeleteVadAwePtes(x,x,x)+2Fj
		push	0
		push	edi
		push	0
		push	1
		xor	edx, edx
		call	_MiWriteAwePtes@24 ; MiWriteAwePtes(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_637792
		mov	esi, edi
		lea	ecx, [edi+8]
		jmp	short loc_63777E
; 

loc_637779:				; CODE XREF: MiDeleteVadAwePtes(x,x,x)+58j
		mov	esi, [ecx]
		lea	ecx, [esi+8]

loc_63777E:				; CODE XREF: MiDeleteVadAwePtes(x,x,x)+4Cj
		mov	eax, [ecx]
		or	eax, [ecx+4]
		jnz	short loc_637779
		mov	edx, [ebp+arg_0]
		mov	ecx, [edx]
		and	[esi+0Ch], eax
		mov	[esi+8], ecx
		mov	[edx], edi

loc_637792:				; CODE XREF: MiDeleteVadAwePtes(x,x,x)+45j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_MiDeleteVadAwePtes@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreePhysicalPageChain(x, x, x)
_MiFreePhysicalPageChain@12 proc near	; CODE XREF: MiDeletePagablePteRange(x,x,x,x,x,x,x)+411p
					; NtMapUserPhysicalPages(x,x,x)+12Cp ...

var_85C		= dword	ptr -85Ch
var_858		= dword	ptr -858h
var_854		= dword	ptr -854h
var_850		= dword	ptr -850h
var_84C		= dword	ptr -84Ch
var_848		= dword	ptr -848h
var_844		= dword	ptr -844h
var_840		= dword	ptr -840h
var_83C		= dword	ptr -83Ch
var_838		= dword	ptr -838h
var_834		= dword	ptr -834h
var_830		= dword	ptr -830h
var_829		= byte ptr -829h
var_828		= dword	ptr -828h
var_824		= word ptr -824h
var_822		= word ptr -822h
var_818		= dword	ptr -818h
var_814		= dword	ptr -814h
var_810		= dword	ptr -810h
var_80C		= dword	ptr -80Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 860h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ecx+10h]
		mov	eax, 81Ch
		push	esi
		push	edi
		push	eax		; size_t
		lea	eax, [ebp+var_828]
		mov	[ebp+var_840], edx
		push	0		; int
		push	eax		; void *
		call	_memset
		lea	eax, [ebp+var_80C]
		mov	[ebp+var_850], ebx
		xor	edi, edi
		mov	[ebp+var_848], eax
		mov	eax, large fs:124h
		xor	esi, esi
		mov	ecx, [ebx+4]
		add	esp, 0Ch
		mov	[ebp+var_834], edi
		mov	[ebp+var_830], eax
		mov	[ebp+var_84C], ecx
		cmp	[ebp+arg_0], esi
		jnz	short loc_637821
		dec	word ptr [eax+13Eh]
		nop
		lea	ecx, [ebx+1Ch]
		xor	edx, edx
		call	ExAcquireAutoExpandPushLockExclusive
		mov	ecx, [ebp+var_84C]

loc_637821:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+6Cj
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_85C], eax
		mov	eax, [ebp+var_840]
		test	eax, eax
		jz	loc_637A68
		mov	[ebp+var_854], 1Ch

loc_637842:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+243j
		mov	ebx, eax
		mov	eax, [eax+8]
		mov	[ebp+var_840], eax
		mov	eax, ebx
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	[ebp+var_854]
		xor	edx, edx
		mov	[ebp+var_83C], eax
		div	ecx
		xor	edx, edx
		mov	[ebp+var_858], eax
		mov	[ebp+var_844], edx
		mov	[ebp+var_838], edx
		test	ecx, ecx
		jz	loc_6379D6
		add	ebx, 10h

loc_637885:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+233j
		lea	ecx, [ebx-10h]
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edi, [ebx]
		mov	[ebp+var_829], al
		mov	eax, 40000000h
		test	edi, eax
		jnz	short loc_6378A2
		or	edi, eax
		mov	[ebx], edi

loc_6378A2:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+101j
		mov	al, [ebx+6]
		test	al, 8
		jz	short loc_6378B0
		mov	edi, [ebx]
		and	al, 0F7h
		mov	[ebx+6], al

loc_6378B0:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+10Cj
		and	edi, 3FFFFFFFh
		jnz	short loc_6378C9
		xor	edx, edx
		lea	ecx, [ebx-10h]
		inc	edx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		and	[ebx-8], edi
		and	[ebx-4], edi

loc_6378C9:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+11Bj
		mov	eax, 7FFFFFFFh
		lock and [ebx],	eax
		mov	cl, [ebp+var_829]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_838]
		test	eax, eax
		jnz	short loc_6378F1
		mov	ecx, edi
		mov	[ebp+var_844], ecx
		jmp	short loc_6378F7
; 

loc_6378F1:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+14Aj
		mov	ecx, [ebp+var_844]

loc_6378F7:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+154j
		test	ecx, ecx
		jnz	loc_6379A7
		test	eax, eax
		jnz	short loc_637924
		mov	edx, [ebp+var_858]
		mov	edi, [ebp+var_85C]
		mov	ecx, [ebp+var_858]
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [edi+edx*4]
		btr	eax, ecx
		mov	[edi+edx*4], eax

loc_637924:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+166j
		mov	edi, [ebp+var_834]
		cmp	edi, 200h
		jnz	short loc_637981
		mov	eax, 81Ch
		mov	[ebp+var_814], 200000h
		push	2
		xor	edi, edi
		mov	[ebp+var_824], ax
		pop	eax
		xor	edx, edx
		mov	[ebp+var_828], edi
		lea	ecx, [ebp+var_828]
		mov	[ebp+var_818], edi
		mov	[ebp+var_810], edi
		mov	[ebp+var_822], ax
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		add	esi, 200h
		lea	eax, [ebp+var_80C]
		jmp	short loc_637987
; 

loc_637981:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+195j
		mov	eax, [ebp+var_848]

loc_637987:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+1E4j
		mov	ecx, [ebp+var_83C]
		mov	[eax], ecx
		add	eax, 4
		inc	edi
		mov	[ebp+var_848], eax
		mov	eax, [ebp+var_838]
		mov	[ebp+var_834], edi
		jmp	short loc_6379B3
; 

loc_6379A7:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+15Ej
		mov	edi, [ebp+var_834]
		mov	ecx, [ebp+var_83C]

loc_6379B3:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+20Aj
		push	1Ch
		inc	eax
		pop	edx
		add	ebx, edx
		mov	[ebp+var_838], eax
		inc	ecx
		mov	[ebp+var_83C], ecx
		mov	ecx, [ebp+var_84C]
		cmp	eax, ecx
		jb	loc_637885
		xor	edx, edx

loc_6379D6:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+E1j
		mov	eax, [ebp+var_840]
		test	eax, eax
		jnz	loc_637842
		test	edi, edi
		jz	short loc_637A31
		mov	ecx, edi
		mov	[ebp+var_828], edx
		shl	ecx, 0Ch
		mov	eax, ecx
		mov	[ebp+var_818], edx
		shr	eax, 0Ch
		push	2
		mov	[ebp+var_810], edx
		xor	edx, edx
		mov	[ebp+var_814], ecx
		lea	ecx, [ebp+var_828]
		lea	eax, ds:1Ch[eax*4]
		mov	[ebp+var_824], ax
		pop	eax
		mov	[ebp+var_822], ax
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		add	esi, edi

loc_637A31:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+24Bj
		test	esi, esi
		jz	short loc_637A62
		mov	eax, esi
		mov	ecx, offset unk_6D5F5C
		neg	eax
		lock xadd [ecx], eax
		mov	ebx, [ebp+var_850]
		test	byte ptr [ebx],	1
		jz	short loc_637A68
		mov	edx, esi
		mov	esi, [ebp+var_830]
		mov	ecx, [esi+80h]
		call	_MiReturnProcessPhysicalPages@8	; MiReturnProcessPhysicalPages(x,x)
		jmp	short loc_637A6E
; 

loc_637A62:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+298j
		mov	ebx, [ebp+var_850]

loc_637A68:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+97j
					; MiFreePhysicalPageChain(x,x,x)+2B0j
		mov	esi, [ebp+var_830]

loc_637A6E:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+2C5j
		cmp	[ebp+arg_0], 0
		jnz	short loc_637A85
		lea	ecx, [ebx+1Ch]
		xor	edx, edx
		call	ExReleaseAutoExpandPushLockExclusive
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_637A85:				; CODE XREF: MiFreePhysicalPageChain(x,x,x)+2D7j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiFreePhysicalPageChain@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreePhysicalPages(x, x)
_MiFreePhysicalPages@8 proc near	; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+2E1p

var_EA		= byte ptr -0EAh
var_E9		= byte ptr -0E9h
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0ECh
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+0ECh+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		xor	ebx, ebx
		mov	[esp+0FCh+var_E0], ecx
		lea	eax, [esp+0FCh+var_A0]
		mov	edi, edx
		push	ebx		; int
		push	eax		; void *
		mov	[esp+104h+var_A4], edi
		call	_memset
		mov	eax, [edi+14h]
		lea	esi, [edi+1Ch]
		mov	edx, large fs:124h
		add	esp, 0Ch
		shr	eax, 0Ch
		mov	edi, esi
		mov	[esp+0F8h+var_A0], 1
		mov	[esp+0F8h+var_9C], bx
		mov	[esp+0F8h+var_90], ebx
		lea	eax, [esi+eax*4]
		mov	[esp+0F8h+var_98], 21h
		mov	[esp+0F8h+var_C0], eax
		mov	eax, [esp+0F8h+var_E0]
		mov	[esp+0F8h+var_8C], ebx
		mov	ecx, [edx+80h]
		mov	[esp+0F8h+var_DC], edx
		test	byte ptr [eax],	1
		mov	edx, [eax+4]
		mov	[esp+0F8h+var_D4], edx
		mov	edx, [esp+0F8h+var_DC]
		mov	[esp+0F8h+var_C4], ebx
		mov	[esp+0F8h+var_E8], ebx
		mov	[esp+0F8h+var_E9], 21h
		mov	[esp+0F8h+var_E4], ecx
		jz	short loc_637B66
		mov	ecx, [ecx+24Ch]
		dec	word ptr [edx+13Eh]
		mov	[esp+0F8h+var_BC], 1
		nop
		add	ecx, 0A4h
		xor	edx, edx
		call	ExAcquireAutoExpandPushLockExclusive
		mov	edx, [esp+0F8h+var_DC]
		mov	eax, [esp+0F8h+var_E0]
		jmp	short loc_637B6A
; 

loc_637B66:				; CODE XREF: MiFreePhysicalPages(x,x)+A1j
		mov	[esp+0F8h+var_BC], ebx

loc_637B6A:				; CODE XREF: MiFreePhysicalPages(x,x)+CEj
		dec	word ptr [edx+13Eh]
		nop
		add	eax, 1Ch
		xor	edx, edx
		mov	ecx, eax
		mov	[esp+0F8h+var_A8], eax
		call	ExAcquireAutoExpandPushLockExclusive
		mov	eax, [esp+0F8h+var_E0]
		mov	ecx, [eax+8]
		mov	eax, [eax+0Ch]
		mov	[esp+0F8h+var_B8], ecx
		mov	[esp+0F8h+var_D8], eax
		cmp	esi, [esp+0F8h+var_C0]
		jnb	loc_637DD9

loc_637B9E:				; CODE XREF: MiFreePhysicalPages(x,x)+300j
		mov	ecx, [esi]
		xor	edx, edx
		mov	eax, ecx
		mov	[esp+0F8h+var_C8], ecx
		div	[esp+0F8h+var_D4]
		test	edx, edx
		jnz	loc_637D9E
		mov	eax, ecx
		div	[esp+0F8h+var_D4]
		mov	ecx, eax
		cmp	ecx, [esp+0F8h+var_B8]
		jnb	loc_637D9E
		mov	edx, [esp+0F8h+var_D8]
		and	ecx, 1Fh
		shr	eax, 5
		mov	[esp+0F8h+var_B0], eax
		mov	[esp+0F8h+var_AC], ecx
		mov	eax, [edx+eax*4]
		shr	eax, cl
		test	al, 1
		jz	loc_637D9E
		imul	ecx, [esp+0F8h+var_C8],	1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[esp+0F8h+var_CC], ecx
		mov	eax, [ecx+10h]
		test	eax, 40000000h
		jnz	loc_637D9E
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jz	loc_637CE5
		mov	eax, [esp+0F8h+var_E0]
		test	byte ptr [eax],	1
		jz	loc_637CE5
		mov	edx, [ecx+4]
		mov	eax, edx
		mov	ecx, [esp+0F8h+var_E8]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esp+0F8h+var_D0], edx
		mov	[esp+0F8h+var_B4], eax
		add	eax, 0C0000000h
		cmp	ecx, eax
		jz	short loc_637CA4
		test	ecx, ecx
		jz	short loc_637C5F
		lea	ecx, [esp+0F8h+var_A0]
		call	MiFlushTbList
		mov	ecx, [esp+0F8h+var_E4]
		mov	edx, [esp+0F8h+var_E8]
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_637C5F:				; CODE XREF: MiFreePhysicalPages(x,x)+1ABj
		mov	eax, [esp+0F8h+var_B4]
		add	eax, 0C0000000h
		cmp	[esp+0F8h+var_E9], 21h
		mov	[esp+0F8h+var_E8], eax
		jnz	short loc_637C8A
		mov	ecx, [esp+0F8h+var_E4]
		lea	ecx, [ecx+240h]
		call	MiLockWorkingSetShared
		mov	[esp+0F8h+var_E9], al
		mov	eax, [esp+0F8h+var_E8]

loc_637C8A:				; CODE XREF: MiFreePhysicalPages(x,x)+1DBj
		mov	ecx, [esp+0F8h+var_E4]
		mov	edx, eax
		push	ebx
		lea	ecx, [ecx+240h]
		call	MiLockPageTableInternal
		mov	ecx, [esp+0F8h+var_E8]
		mov	edx, [esp+0F8h+var_D0]

loc_637CA4:				; CODE XREF: MiFreePhysicalPages(x,x)+1A7j
		mov	eax, ds:_ZeroPte
		mov	[edx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edx+4], eax
		or	edx, 0FFFFFFFFh
		push	0FFFFFFFFh
		call	_MiUpdateAwePageTable@12 ; MiUpdateAwePageTable(x,x,x)
		mov	edx, [esp+0F8h+var_D0]
		lea	ecx, [esp+0F8h+var_A0]
		push	ebx
		push	1
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	edx, [esp+0F8h+var_CC]
		push	ebx
		push	ds:_MmBadPointer
		call	_MiDecrementAweMapCount@16 ; MiDecrementAweMapCount(x,x,x,x)
		mov	ecx, [esp+0F8h+var_CC]

loc_637CE5:				; CODE XREF: MiFreePhysicalPages(x,x)+174j
					; MiFreePhysicalPages(x,x)+181j
		push	1
		push	ds:_MmBadPointer
		mov	edx, ecx
		call	_MiDecrementAweMapCount@16 ; MiDecrementAweMapCount(x,x,x,x)
		test	eax, eax
		jnz	short loc_637D1A
		mov	eax, [esp+0F8h+var_C8]
		mov	edx, [esp+0F8h+var_B0]
		mov	ecx, [esp+0F8h+var_AC]
		mov	[edi], eax
		add	edi, 4
		mov	eax, [esp+0F8h+var_D8]
		mov	eax, [eax+edx*4]
		btr	eax, ecx
		mov	ecx, [esp+0F8h+var_D8]
		mov	[ecx+edx*4], eax

loc_637D1A:				; CODE XREF: MiFreePhysicalPages(x,x)+260j
		mov	eax, [esp+0F8h+var_C4]
		inc	eax
		cmp	[esp+0F8h+var_E9], 21h
		mov	[esp+0F8h+var_C4], eax
		jz	short loc_637D8F
		test	al, 3Fh
		jnz	short loc_637D8F
		mov	ecx, [esp+0F8h+var_E4]
		add	ecx, 240h
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_637D57
		mov	edx, [esp+0F8h+var_E8]
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jnz	short loc_637D57
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_637D8F

loc_637D57:				; CODE XREF: MiFreePhysicalPages(x,x)+2A9j
					; MiFreePhysicalPages(x,x)+2B6j
		lea	ecx, [esp+0F8h+var_A0]
		call	MiFlushTbList
		mov	ecx, [esp+0F8h+var_E4]
		mov	edx, [esp+0F8h+var_E8]
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	ecx, [esp+0F8h+var_E4]
		mov	dl, [esp+0F8h+var_E9]
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetShared
		mov	[esp+0F8h+var_E8], ebx
		mov	[esp+0F8h+var_E9], 21h

loc_637D8F:				; CODE XREF: MiFreePhysicalPages(x,x)+292j
					; MiFreePhysicalPages(x,x)+296j ...
		add	esi, 4
		cmp	esi, [esp+0F8h+var_C0]
		jb	loc_637B9E
		jmp	short loc_637DA3
; 

loc_637D9E:				; CODE XREF: MiFreePhysicalPages(x,x)+118j
					; MiFreePhysicalPages(x,x)+12Aj ...
		mov	ebx, 0C0000018h

loc_637DA3:				; CODE XREF: MiFreePhysicalPages(x,x)+306j
		cmp	[esp+0F8h+var_E8], 0
		jz	short loc_637DD9
		lea	ecx, [esp+0F8h+var_A0]
		call	MiFlushTbList
		mov	ecx, [esp+0F8h+var_E4]
		mov	edx, [esp+0F8h+var_E8]
		lea	ecx, [ecx+240h]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	ecx, [esp+0F8h+var_E4]
		mov	dl, [esp+0F8h+var_E9]
		lea	ecx, [ecx+240h]
		call	MiUnlockWorkingSetShared

loc_637DD9:				; CODE XREF: MiFreePhysicalPages(x,x)+102j
					; MiFreePhysicalPages(x,x)+312j
		mov	ecx, [esp+0F8h+var_A8]
		xor	edx, edx
		call	ExReleaseAutoExpandPushLockExclusive
		mov	ecx, [esp+0F8h+var_DC]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	[esp+0F8h+var_BC], 0
		jz	short loc_637DFD
		mov	ecx, [esp+0F8h+var_DC]
		call	_MiUnlockAweVadsExclusive@4 ; MiUnlockAweVadsExclusive(x)

loc_637DFD:				; CODE XREF: MiFreePhysicalPages(x,x)+35Cj
		mov	eax, [esp+0F8h+var_A4]
		sub	edi, eax
		mov	ecx, [esp+0F8h+var_4]
		sub	esi, eax
		sub	edi, 1Ch
		sub	esi, 1Ch
		sar	edi, 2
		sar	esi, 2
		mov	[eax+14h], edi
		pop	edi
		mov	[eax+18h], esi
		mov	eax, ebx
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_MiFreePhysicalPages@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetAweNode(x)
_MiGetAweNode@4	proc near		; CODE XREF: MiGetAwePageSizeFromVa(x)p
					; MiProtectAweRegion(x,x,x,x,x)+C6p ...
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		mov	eax, [eax+0A0h]
		test	eax, eax
		jz	short loc_637E69
		shr	ecx, 0Ch

loc_637E4D:				; CODE XREF: MiGetAweNode(x)+35j
		mov	edx, [eax+0Ch]
		cmp	ecx, [edx+10h]
		ja	short loc_637E5E
		cmp	ecx, [edx+0Ch]
		jnb	short loc_637E65
		mov	eax, [eax]
		jmp	short loc_637E61
; 

loc_637E5E:				; CODE XREF: MiGetAweNode(x)+25j
		mov	eax, [eax+4]

loc_637E61:				; CODE XREF: MiGetAweNode(x)+2Ej
		test	eax, eax
		jnz	short loc_637E4D

loc_637E65:				; CODE XREF: MiGetAweNode(x)+2Aj
		test	eax, eax
		jnz	short locret_637E6B

loc_637E69:				; CODE XREF: MiGetAweNode(x)+1Aj
		xor	eax, eax

locret_637E6B:				; CODE XREF: MiGetAweNode(x)+39j
		retn
_MiGetAweNode@4	endp


;  S U B	R O U T	I N E 


; __stdcall MiGetAwePageSize(x)
_MiGetAwePageSize@4 proc near		; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x):loc_99D176p
					; MiComputeAweCharges(x,x)+1Fp	...
		mov	eax, [ecx+4]
		retn
_MiGetAwePageSize@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetAwePageSizeFromVa(x)
_MiGetAwePageSizeFromVa@4 proc near	; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+BBp
		call	_MiGetAweNode@4	; MiGetAweNode(x)
		test	eax, eax
		jnz	short loc_637E7A
		retn
; 

loc_637E7A:				; CODE XREF: MiGetAwePageSizeFromVa(x)+7j
		mov	eax, [eax+10h]
		mov	eax, [eax+4]
		retn
_MiGetAwePageSizeFromVa@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetAweVadPartition(x)
_MiGetAweVadPartition@4	proc near	; CODE XREF: MiQueryAddressState(x,x,x,x,x,x,x,x,x,x)+AEDp
					; MmQueryVirtualMemory+FCD76p
		mov	eax, [ecx+1Ch]
		and	eax, 3100000h
		cmp	eax, 2100000h
		jz	short loc_637EA4
		mov	eax, [ecx+24h]
		jmp	short loc_637EA0
; 

loc_637E95:				; CODE XREF: MiGetAweVadPartition(x)+21j
		test	dword ptr [eax+24h], 100h
		jnz	short loc_637EA4
		mov	eax, [eax]

loc_637EA0:				; CODE XREF: MiGetAweVadPartition(x)+12j
		test	eax, eax
		jnz	short loc_637E95

loc_637EA4:				; CODE XREF: MiGetAweVadPartition(x)+Dj
					; MiGetAweVadPartition(x)+1Bj
		mov	eax, offset _MiSystemPartition
		retn
_MiGetAweVadPartition@4	endp


;  S U B	R O U T	I N E 


; __stdcall MiGetAweViewPageSize(x)
_MiGetAweViewPageSize@4	proc near	; CODE XREF: MiDeleteVadAwePtes(x,x,x)+1Fp
					; MiProtectAweRegion(x,x,x,x,x)+248p ...
		mov	eax, [ecx+14h]
		and	eax, 3
		cmp	eax, 1
		jnz	short loc_637EB9
		push	10h
		pop	eax
		retn
; 

loc_637EB9:				; CODE XREF: MiGetAweViewPageSize(x)+9j
		cmp	eax, 2
		jnz	short loc_637EC4
		mov	eax, 200h
		retn
; 

loc_637EC4:				; CODE XREF: MiGetAweViewPageSize(x)+12j
		xor	eax, eax
		retn
_MiGetAweViewPageSize@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetValidAwePartitionId(x,	x)
_MiGetValidAwePartitionId@8 proc near	; CODE XREF: .text:00455669p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	eax, 1
		or	eax, 0
		jz	short loc_637ED8
		nop

loc_637ED8:				; CODE XREF: MiGetValidAwePartitionId(x,x)+Ej
		xor	eax, eax
		pop	ebp
		retn	8
_MiGetValidAwePartitionId@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetValidAweProtection(x, x, x)
_MiGetValidAweProtection@12 proc near	; CODE XREF: .text:00455678p
					; MiGetWorkingSetInfoList(x,x,x,x)+F0Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	short loc_637F2A
		and	edx, 800h
		or	edx, 0
		jz	short loc_637F00
		push	4
		pop	eax
		jmp	short loc_637F03
; 

loc_637F00:				; CODE XREF: MiGetValidAweProtection(x,x,x)+1Bj
		xor	eax, eax
		inc	eax

loc_637F03:				; CODE XREF: MiGetValidAweProtection(x,x,x)+20j
		mov	ecx, [ecx+1Ch]
		shr	ecx, 7
		and	ecx, 1Fh
		mov	edx, ecx
		shr	edx, 3
		cmp	edx, 3
		jnz	short loc_637F20
		test	cl, 7
		jz	short loc_637F2D
		or	eax, 18h
		jmp	short loc_637F2D
; 

loc_637F20:				; CODE XREF: MiGetValidAweProtection(x,x,x)+36j
		cmp	edx, 1
		jnz	short loc_637F2D
		or	eax, 8
		jmp	short loc_637F2D
; 

loc_637F2A:				; CODE XREF: MiGetValidAweProtection(x,x,x)+10j
		push	18h
		pop	eax

loc_637F2D:				; CODE XREF: MiGetValidAweProtection(x,x,x)+3Bj
					; MiGetValidAweProtection(x,x,x)+40j ...
		pop	ebp
		retn	8
_MiGetValidAweProtection@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIncrementAweMapCount(x, x, x, x)
_MiIncrementAweMapCount@16 proc	near	; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+1EDp

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 78h
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		push	6
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_8], esi
		lea	edi, [ebp+var_6C]
		rep stosd

loc_637F5F:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+2A2j
					; MiIncrementAweMapCount(x,x,x,x)+2B4j	...
		mov	edi, [ebp+var_C]
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		test	byte ptr [esi],	1
		mov	cl, al
		mov	byte ptr [ebp+var_4+3],	cl
		jz	short loc_637F82
		lea	eax, [edi+10h]
		test	dword ptr [eax], 40000000h
		jnz	loc_63849B

loc_637F82:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+40j
		mov	dl, [edi+16h]
		lea	esi, [edi+10h]
		test	dl, 20h
		jz	loc_6381EA
		mov	edx, 7FFFFFFFh
		lock and [esi],	edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_5C]
		and	[ebp+var_60], 0
		mov	[ebp+var_68], edi
		mov	word ptr [ebp+var_64], 107h
		mov	byte ptr [ebp+var_64+2], 4
		mov	[ebp+var_58], ecx
		mov	[ebp+var_5C], ecx
		dec	word ptr [eax+13Eh]
		mov	[ebp+var_50], eax
		nop
		mov	eax, [ebp+var_8]
		xor	edx, edx
		add	eax, 14h
		mov	ecx, eax
		mov	[ebp+var_10], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		test	byte ptr [edi+16h], 20h
		jz	short loc_638001
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_18], 1
		mov	eax, [ecx+18h]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_6C]
		mov	[ecx+18h], eax
		jmp	short loc_638005
; 

loc_638001:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+B6j
		and	[ebp+var_18], 0

loc_638005:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+CEj
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_10]
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_638030
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_10]

loc_638030:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+F3j
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	edx, 7FFFFFFCh
		jz	loc_6381C4
		mov	esi, large fs:124h
		mov	ecx, edx
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], eax
		cmp	edx, eax
		jb	short loc_638077
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_63807C
		mov	eax, [ebp+var_30]
		cmp	edx, eax
		jb	short loc_638077
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_63807C

loc_638077:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+129j
					; MiIncrementAweMapCount(x,x,x,x)+13Bj
		or	eax, 0FFFFFFFFh
		jmp	short loc_638087
; 

loc_63807C:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+134j
					; MiIncrementAweMapCount(x,x,x,x)+144j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_638087:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+149j
		dec	word ptr [esi+13Eh]
		mov	[ebp+var_30], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_34], ecx
		test	ecx, ecx
		jnz	short loc_6380D1
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_638137

loc_6380BD:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+43Ej
		mov	eax, [ebp+var_10]
		push	0
		push	[ebp+var_30]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6380D1:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+180j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_6380E7
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_34]

loc_6380E7:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+1ACj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_63812B
		or	[esi+1E4h], dl
		jmp	short loc_638137
; 

loc_63812B:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+1F0j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_38]

loc_638137:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+18Aj
					; MiIncrementAweMapCount(x,x,x,x)+1F8j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_38], eax
		jz	short loc_63819E
		test	edi, 8000h
		jz	short loc_63815B
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_63815B:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+21Fj
		test	byte ptr [ebp+var_14+2], 1
		jz	short loc_638171
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_638171:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+22Ej
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_638185
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_638185:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+247j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_63819E
		push	[ebp+var_38]
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_63819E:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+217j
					; MiIncrementAweMapCount(x,x,x,x)+25Ej
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_6381C4
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_6381C4
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_6381C4:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+10Aj
					; MiIncrementAweMapCount(x,x,x,x)+284j	...
		mov	ecx, [ebp+var_50]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	[ebp+var_18], 0
		mov	esi, [ebp+var_8]
		jz	loc_637F5F
		push	ecx
		push	12h
		pop	edx
		lea	ecx, [ebp+var_64]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		jmp	loc_637F5F
; 

loc_6381EA:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+5Aj
		mov	edi, [esi]
		movzx	eax, dl
		shr	eax, 6
		mov	[ebp+var_50], edi
		and	edi, 3FFFFFFFh
		cmp	eax, [ebx+8]
		jz	loc_6384C0
		mov	eax, [ebp+var_C]
		cmp	word ptr [eax+14h], 2
		ja	loc_6384CD
		cmp	edi, 1
		jnz	loc_6384CD
		test	[ebp+var_50], 40000000h
		jnz	loc_6384CD
		mov	eax, [ebp+var_8]
		mov	eax, [eax+4]
		cmp	eax, edi
		jz	loc_6384B0
		mov	edi, [ebp+var_C]
		or	dl, 20h
		mov	eax, 7FFFFFFFh
		mov	[edi+16h], dl
		lock and [esi],	eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	dword ptr [ebx+8]
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_MiChangeAwePageAttributes@12 ;	MiChangeAwePageAttributes(x,x,x)
		mov	ecx, edi
		mov	[ebp+var_54], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, [edi+16h]
		mov	eax, 7FFFFFFFh
		and	cl, 0DFh
		mov	[edi+16h], cl
		lock and [esi],	eax
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, large fs:124h
		mov	eax, [ebp+var_8]
		and	[ebp+var_14], 0
		mov	[ebp+var_34], ecx
		dec	word ptr [ecx+13Eh]
		lea	esi, [eax+18h]
		nop
		add	eax, 14h
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_10], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_6382CA

loc_6382AF:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+397j
		mov	ecx, [eax]
		cmp	[eax+4], edi
		jnz	short loc_6382C2
		mov	edx, [ebp+var_14]
		mov	[eax], edx
		mov	[ebp+var_14], eax
		mov	[esi], ecx
		jmp	short loc_6382C4
; 

loc_6382C2:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+383j
		mov	esi, eax

loc_6382C4:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+38Fj
		mov	eax, ecx
		test	ecx, ecx
		jnz	short loc_6382AF

loc_6382CA:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+37Cj
		mov	edx, [ebp+var_10]
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_6382E4
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_10]

loc_6382E4:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+3A7j
		xor	edi, edi
		mov	[ebp+var_18], edi
		test	edx, 7FFFFFFCh
		jz	loc_63846A
		mov	esi, large fs:124h
		mov	ecx, edx
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_38], esi
		mov	[ebp+var_50], eax
		cmp	edx, eax
		jb	short loc_63832B
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_638330
		mov	eax, [ebp+var_50]
		cmp	edx, eax
		jb	short loc_63832B
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_638330

loc_63832B:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+3DDj
					; MiIncrementAweMapCount(x,x,x,x)+3EFj
		or	eax, 0FFFFFFFFh
		jmp	short loc_63833B
; 

loc_638330:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+3E8j
					; MiIncrementAweMapCount(x,x,x,x)+3F8j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_63833B:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+3FDj
		dec	word ptr [esi+13Eh]
		mov	[ebp+var_30], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_50], ecx
		test	ecx, ecx
		jnz	short loc_638377
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jz	loc_6380BD
		jmp	short loc_6383DD
; 

loc_638377:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+434j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_63838D
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_50]

loc_63838D:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+452j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_18], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_6383D1
		or	[esi+1E4h], dl
		jmp	short loc_6383DD
; 

loc_6383D1:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+496j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_38]

loc_6383DD:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+444j
					; MiIncrementAweMapCount(x,x,x,x)+49Ej
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_50], eax
		jz	short loc_638444
		test	edi, 8000h
		jz	short loc_638401
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_638401:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+4C5j
		test	byte ptr [ebp+var_18+2], 1
		jz	short loc_638417
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_638417:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+4D4j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_63842B
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_63842B:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+4EDj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_638444
		push	[ebp+var_50]
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_638444:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+4BDj
					; MiIncrementAweMapCount(x,x,x,x)+504j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_63846A
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_63846A
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_63846A:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+3BEj
					; MiIncrementAweMapCount(x,x,x,x)+52Aj	...
		mov	ecx, [ebp+var_34]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_63848C

loc_638479:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+559j
		mov	esi, [eax]
		lea	ecx, [eax+8]
		xor	edx, edx
		inc	edx
		call	KeSignalGate
		mov	eax, esi
		test	esi, esi
		jnz	short loc_638479

loc_63848C:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+546j
		mov	eax, [ebp+var_54]
		test	eax, eax
		js	short loc_638503
		mov	esi, [ebp+var_8]
		jmp	loc_637F5F
; 

loc_63849B:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+4Bj
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx

loc_6384A3:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+5A4j
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, 0C0000018h
		jmp	short loc_638503
; 

loc_6384B0:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+2FFj
		mov	edx, [ebx+8]
		mov	ecx, [ebp+var_C]
		push	1
		call	MiChangePageAttribute
		mov	cl, byte ptr [ebp+var_4+3]

loc_6384C0:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+2CDj
		cmp	edi, 1
		jbe	short loc_6384D7
		mov	eax, [ebp+var_8]
		test	byte ptr [eax],	1
		jz	short loc_6384D7

loc_6384CD:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+2DBj
					; MiIncrementAweMapCount(x,x,x,x)+2E4j	...
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		jmp	short loc_6384A3
; 

loc_6384D7:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+592j
					; MiIncrementAweMapCount(x,x,x,x)+59Aj
		cmp	edi, 3FFFFFFFh
		jnb	short loc_6384CD
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		inc	edx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, [ebx+0Ch]
		mov	[ecx+4], eax
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax

loc_638503:				; CODE XREF: MiIncrementAweMapCount(x,x,x,x)+560j
					; MiIncrementAweMapCount(x,x,x,x)+57Dj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_MiIncrementAweMapCount@16 endp	; sp =	4


;  S U B	R O U T	I N E 


; __stdcall MiLocatePhysicalViewInTree(x, x)
_MiLocatePhysicalViewInTree@8 proc near	; CODE XREF: MiRemoveUserPhysicalPagesView(x)+3Fp
		mov	eax, [edx]
		jmp	short loc_638526
; 

loc_638512:				; CODE XREF: MiLocatePhysicalViewInTree(x,x)+1Aj
		mov	edx, [eax+0Ch]
		cmp	ecx, [edx+10h]
		ja	short loc_638523
		cmp	ecx, [edx+0Ch]
		jnb	short locret_63852A
		mov	eax, [eax]
		jmp	short loc_638526
; 

loc_638523:				; CODE XREF: MiLocatePhysicalViewInTree(x,x)+Aj
		mov	eax, [eax+4]

loc_638526:				; CODE XREF: MiLocatePhysicalViewInTree(x,x)+2j
					; MiLocatePhysicalViewInTree(x,x)+13j
		test	eax, eax
		jnz	short loc_638512

locret_63852A:				; CODE XREF: MiLocatePhysicalViewInTree(x,x)+Fj
		retn
_MiLocatePhysicalViewInTree@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiLockAwePagesExclusive(x, x)
_MiLockAwePagesExclusive@8 proc	near	; CODE XREF: MiDeleteAweInfoPages(x)+30p
					; MiResizeAweBitMap(x)+7Dp ...
		mov	edi, edi
		push	ecx
		dec	word ptr [edx+13Eh]
		nop
		add	ecx, 1Ch
		xor	edx, edx
		call	ExAcquireAutoExpandPushLockExclusive
		pop	ecx
		retn
_MiLockAwePagesExclusive@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiLockAwePagesShared(x, x)
_MiLockAwePagesShared@8	proc near	; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+480p
					; NtMapUserPhysicalPages(x,x,x)+234p ...
		dec	word ptr [edx+13Eh]
		nop
		add	ecx, 1Ch
		xor	edx, edx
		jmp	ExAcquireAutoExpandPushLockShared
_MiLockAwePagesShared@8	endp


;  S U B	R O U T	I N E 


; __stdcall MiLockAweVadsExclusive(x)
_MiLockAweVadsExclusive@4 proc near	; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+B4p
					; MiAweViewInserter(x,x)+1Ep ...
		mov	edx, ecx
		push	ecx
		mov	eax, [edx+80h]
		mov	ecx, [eax+24Ch]
		dec	word ptr [edx+13Eh]
		nop
		add	ecx, 0A4h
		xor	edx, edx
		call	ExAcquireAutoExpandPushLockExclusive
		pop	ecx
		retn
_MiLockAweVadsExclusive@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiLockAweVadsShared(x)
_MiLockAweVadsShared@4 proc near	; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+BBp
					; NtMapUserPhysicalPages(x,x,x)+DBp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ebx, [esi+80h]
		mov	edi, [ebx+24Ch]

loc_63858D:				; CODE XREF: MiLockAweVadsShared(x)+51j
		dec	word ptr [esi+13Eh]
		nop
		xor	edx, edx
		lea	ecx, [edi+0A4h]
		call	ExAcquireAutoExpandPushLockShared
		cmp	dword ptr [ebx+140h], 0
		jz	short loc_6385CD
		xor	edx, edx
		mov	ecx, eax
		call	ExReleaseAutoExpandPushLockShared
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		lea	ecx, [ebx+240h]
		mov	edx, 0C0000434h
		call	MiCopyOnWriteCheckConditions
		jmp	short loc_63858D
; 

loc_6385CD:				; CODE XREF: MiLockAweVadsShared(x)+2Fj
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiLockAweVadsShared@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPreparePhysicalPagesMdlForFree(x,	x)
_MiPreparePhysicalPagesMdlForFree@8 proc near
					; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+36Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edi
		and	dword ptr [edi+18h], 0
		lea	ebx, [edi+1Ch]
		mov	esi, [edi+14h]
		mov	[ebp+var_8], ebx
		cmp	edx, 1
		jz	short loc_63863C
		mov	edi, [ebp+var_8]
		mov	ecx, edx
		shr	esi, 0Ch
		mov	eax, esi
		shl	ecx, 2
		imul	eax, edx
		lea	ebx, [ebx+eax*4]

loc_638606:				; CODE XREF: MiPreparePhysicalPagesMdlForFree(x,x)+5Aj
		sub	ebx, ecx
		dec	esi
		xor	ecx, ecx
		inc	ecx
		mov	eax, [edi+esi*4]
		mov	[ebx], eax
		cmp	edx, ecx
		jbe	short loc_638622

loc_638615:				; CODE XREF: MiPreparePhysicalPagesMdlForFree(x,x)+4Fj
		mov	eax, [ebx+ecx*4-4]
		inc	eax
		mov	[ebx+ecx*4], eax
		inc	ecx
		cmp	ecx, edx
		jb	short loc_638615

loc_638622:				; CODE XREF: MiPreparePhysicalPagesMdlForFree(x,x)+42j
		lea	ecx, ds:0[edx*4]
		test	esi, esi
		jnz	short loc_638606
		mov	edi, [ebp+var_C]
		mov	ebx, [ebp+var_8]
		mov	esi, [edi+14h]
		imul	esi, edx
		mov	[edi+14h], esi

loc_63863C:				; CODE XREF: MiPreparePhysicalPagesMdlForFree(x,x)+20j
		and	[ebp+var_8], 0
		mov	cl, 2
		shr	esi, 0Ch
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		test	esi, esi
		jz	short loc_6386C2

loc_638652:				; CODE XREF: MiPreparePhysicalPagesMdlForFree(x,x)+EFj
		imul	edi, [ebx], 1Ch
		and	[ebp+var_C], 0
		add	edi, 10h
		add	edi, ds:_MmPfnDatabase
		jmp	short loc_638672
; 

loc_638664:				; CODE XREF: MiPreparePhysicalPagesMdlForFree(x,x)+9Fj
					; MiPreparePhysicalPagesMdlForFree(x,x)+A6j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_638664

loc_638672:				; CODE XREF: MiPreparePhysicalPagesMdlForFree(x,x)+91j
		lock bts dword ptr [edi], 1Fh
		jb	short loc_638664
		mov	eax, [edi]
		and	eax, 80000001h
		or	eax, 1
		mov	[edi], eax
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	eax, [ebp+var_8]
		inc	eax
		mov	[ebp+var_8], eax
		test	al, 3Fh
		jnz	short loc_6386B7
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_6386B7
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		jmp	short loc_6386BA
; 

loc_6386B7:				; CODE XREF: MiPreparePhysicalPagesMdlForFree(x,x)+C5j
					; MiPreparePhysicalPagesMdlForFree(x,x)+CEj
		mov	al, [ebp+var_1]

loc_6386BA:				; CODE XREF: MiPreparePhysicalPagesMdlForFree(x,x)+E4j
		add	ebx, 4
		sub	esi, 1
		jnz	short loc_638652

loc_6386C2:				; CODE XREF: MiPreparePhysicalPagesMdlForFree(x,x)+7Fj
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiPreparePhysicalPagesMdlForFree@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiProcessHasAwePrivatePages(x)
_MiProcessHasAwePrivatePages@4 proc near ; CODE	XREF: MiScrubProcesses(x,x)+6Dp
		mov	ecx, [ecx+24Ch]
		xor	eax, eax
		cmp	[ecx+9Ch], eax
		setnz	al
		retn
_MiProcessHasAwePrivatePages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiProtectAweRegion(x, x, x,	x, x)
_MiProtectAweRegion@20 proc near	; CODE XREF: MmProtectVirtualMemory+16089Ap

var_100		= dword	ptr -100h
var_F9		= byte ptr -0F9h
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 104h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+104h+var_4], eax
		mov	eax, [ebp+arg_8]
		and	[esp+104h+var_B0], 0
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		mov	[esp+114h+var_A4], eax
		mov	esi, ecx
		lea	eax, [esp+114h+var_A0]
		mov	[esp+114h+var_F8], edx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ebx, large fs:124h
		xor	edx, edx
		mov	[esp+11Ch+var_E0], edx
		mov	edi, esi
		mov	edx, 40000000h
		shr	edi, 9
		add	esp, 0Ch
		mov	[esp+110h+var_F0], 1
		mov	eax, [ebx+80h]
		mov	[esp+110h+var_AC], eax
		mov	[esp+110h+var_A0], 1
		mov	[esp+110h+var_98], 21h
		lea	ecx, [eax+240h]
		mov	eax, [esp+110h+var_F8]
		mov	[esp+110h+var_F4], ecx
		mov	ecx, offset loc_7FFFF8
		shr	eax, 9
		and	edi, ecx
		and	eax, ecx
		sub	edi, edx
		sub	eax, edx
		mov	[esp+110h+var_C4], edi
		mov	[esp+110h+var_F8], eax
		mov	ecx, ebx
		xor	eax, eax
		mov	[esp+110h+var_9C], ax
		mov	[esp+110h+var_90], eax
		mov	[esp+110h+var_8C], eax
		call	_MiLockAweVadsShared@4 ; MiLockAweVadsShared(x)
		mov	ecx, esi
		mov	[esp+110h+var_100], eax
		call	_MiGetAweNode@4	; MiGetAweNode(x)
		mov	edx, [ebp+arg_0]
		mov	[esp+110h+var_D4], eax
		push	4
		mov	ecx, [eax+0Ch]
		mov	eax, [eax+10h]
		mov	[esp+114h+var_CC], ecx
		mov	[esp+114h+var_EC], eax
		pop	esi
		cmp	edx, 18h
		jz	short loc_63881B
		and	edx, 7
		mov	[ebp+arg_0], edx
		cmp	edx, 1
		jz	short loc_6387F4
		cmp	edx, esi
		jz	short loc_6387F4

loc_6387D8:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+161j
					; MiProtectAweRegion(x,x,x,x,x)+186j ...
		mov	ecx, [esp+110h+var_100]
		xor	edx, edx
		call	ExReleaseAutoExpandPushLockShared
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_6387EA:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+2A2j
					; MiProtectAweRegion(x,x,x,x,x)+2B8j
		mov	eax, 0C0000018h
		jmp	loc_638C98
; 

loc_6387F4:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+F1j
					; MiProtectAweRegion(x,x,x,x,x)+F5j
		call	_MiGetVadCacheAttribute@4 ; MiGetVadCacheAttribute(x)
		xor	ecx, ecx
		test	eax, eax
		jnz	short loc_638803
		push	8
		jmp	short loc_63880A
; 

loc_638803:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+11Cj
		cmp	eax, 2
		jnz	short loc_63880B
		push	18h

loc_63880A:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+120j
		pop	ecx

loc_63880B:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+125j
		mov	edx, [ebp+arg_0]
		mov	eax, [esp+110h+var_EC]
		or	edx, ecx
		mov	ecx, [esp+110h+var_CC]
		mov	[ebp+arg_0], edx

loc_63881B:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+E6j
		test	byte ptr [eax],	1
		jz	short loc_638829
		mov	[esp+110h+var_BC], esi
		jmp	loc_6388E4
; 

loc_638829:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+13Dj
		mov	eax, [ecx+1Ch]
		shr	eax, 7
		and	eax, 1Fh
		mov	[esp+110h+var_BC], eax
		and	al, 7
		cmp	al, 1
		jnz	short loc_638844
		mov	eax, edx
		and	al, 7
		cmp	al, 1
		jnz	short loc_6387D8

loc_638844:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+159j
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	loc_6388E4
		call	MI_GET_GRAPHICS_PROTECTION_FROM_VAD
		mov	edx, eax
		mov	ecx, 20000h
		mov	eax, esi
		and	eax, ecx
		test	edx, ecx
		jz	short loc_63886C
		test	eax, eax
		jnz	short loc_638874
		jmp	loc_6387D8
; 

loc_63886C:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+180j
		test	eax, eax
		jnz	loc_6387D8

loc_638874:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+184j
		mov	ecx, 40000h
		mov	eax, esi
		and	eax, ecx
		test	edx, ecx
		jz	short loc_63888A
		test	eax, eax
		jnz	short loc_638892
		jmp	loc_6387D8
; 

loc_63888A:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+19Ej
		test	eax, eax
		jnz	loc_6387D8

loc_638892:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+1A2j
		and	edx, 0FFF9FFFFh
		mov	eax, 1C000h
		mov	ecx, edx
		and	ecx, eax
		neg	ecx
		sbb	cl, cl
		inc	cl
		test	esi, eax
		setnz	al
		test	cl, al
		jnz	loc_6387D8
		mov	eax, 12000h
		mov	ecx, edx
		and	ecx, eax
		neg	ecx
		sbb	cl, cl
		inc	cl
		test	esi, eax
		setnz	al
		test	cl, al
		jnz	loc_6387D8
		cmp	edx, 800h
		jnz	short loc_6388E4
		test	esi, 0FFF9F7FFh
		jnz	loc_6387D8

loc_6388E4:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+143j
					; MiProtectAweRegion(x,x,x,x,x)+168j ...
		mov	ecx, [esp+110h+var_100]
		xor	edx, edx
		call	ExReleaseAutoExpandPushLockShared
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [esp+110h+var_CC]
		mov	eax, [ecx+1Ch]
		mov	ecx, 300000h
		and	eax, ecx
		mov	[esp+110h+var_C8], eax
		sub	eax, ecx
		mov	ecx, [esp+110h+var_D4]
		neg	eax
		sbb	edx, edx
		xor	eax, eax
		mov	[esp+110h+var_DC], eax
		and	edx, 80000000h
		mov	eax, [esp+110h+var_EC]
		mov	ebx, [eax+4]
		mov	[esp+110h+var_D0], ebx
		call	_MiGetAweViewPageSize@4	; MiGetAweViewPageSize(x)
		mov	ecx, eax
		mov	[esp+110h+var_D8], ecx
		test	ecx, ecx
		jnz	short loc_63893E
		mov	ecx, ebx
		mov	[esp+110h+var_D8], ebx

loc_63893E:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+255j
		mov	esi, 200h
		cmp	ecx, esi
		jnz	short loc_638957
		mov	[esp+110h+var_C0], 1
		or	edx, 4000000h
		jmp	short loc_63895B
; 

loc_638957:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+264j
		mov	[esp+110h+var_C0], ebx

loc_63895B:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+274j
		xor	eax, eax
		mov	[esp+110h+var_EC], edx
		cmp	ecx, esi
		setz	al
		mov	[esp+110h+var_B8], eax
		cmp	ebx, 1
		jz	loc_638A65
		mov	eax, edi
		xor	edx, edx
		shr	eax, 3
		and	eax, 1FFh
		div	ecx
		test	edx, edx
		jnz	loc_6387EA
		mov	esi, [esp+110h+var_F8]
		mov	eax, esi
		sub	eax, edi
		sar	eax, 3
		inc	eax
		div	ecx
		test	edx, edx
		jnz	loc_6387EA
		mov	eax, [esp+110h+var_B8]

loc_6389A3:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+388j
		cmp	ecx, 200h
		jnz	short loc_6389D0
		mov	ecx, offset loc_7FFFF8
		mov	edx, 40000000h

loc_6389B5:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+2E5j
		shr	edi, 9
		shr	esi, 9
		and	edi, ecx
		and	esi, ecx
		sub	edi, edx
		sub	esi, edx
		sub	eax, 1
		jnz	short loc_6389B5
		mov	[esp+110h+var_F8], esi
		mov	[esp+110h+var_C4], edi

loc_6389D0:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+2C8j
		mov	ebx, [esp+110h+var_F4]
		mov	ecx, ebx
		and	[esp+110h+var_100], 0
		mov	[esp+110h+var_B4], edi
		call	MiLockWorkingSetShared
		mov	[esp+110h+var_F9], al
		cmp	edi, esi
		ja	loc_638C67
		mov	ecx, [esp+110h+var_E0]

loc_6389F4:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+580j
		test	ecx, ecx
		jz	short loc_638A00
		test	edi, 0FFFh
		jnz	short loc_638A6E

loc_638A00:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+315j
		lea	ecx, [esp+110h+var_A0]
		call	MiFlushTbList
		mov	edx, [esp+110h+var_E0]
		test	edx, edx
		jz	short loc_638A30
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [esp+110h+var_F9]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		mov	ecx, ebx
		call	MiLockWorkingSetShared
		xor	eax, eax
		mov	[esp+110h+var_100], eax

loc_638A30:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+32Ej
		lea	eax, [esp+110h+var_B0]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	MiLockLowestValidPageTable
		mov	ecx, eax
		mov	eax, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esp+110h+var_E0], ecx
		sub	eax, 40000000h
		cmp	ecx, eax
		jz	short loc_638A6E
		and	edi, 0FFFFFFF8h
		or	edi, 0FF8h
		jmp	loc_638C58
; 

loc_638A65:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+28Cj
		mov	esi, [esp+110h+var_F8]
		jmp	loc_6389A3
; 

loc_638A6E:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+31Dj
					; MiProtectAweRegion(x,x,x,x,x)+374j
		cmp	[esp+110h+var_C8], 300000h
		jnz	short loc_638A99
		cmp	[esp+110h+var_C0], 1
		jz	short loc_638A93
		mov	eax, edi
		xor	edx, edx
		shr	eax, 3
		and	eax, 1FFh
		div	[esp+110h+var_D0]
		test	edx, edx
		jnz	short loc_638A99

loc_638A93:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+39Cj
		xor	eax, eax
		mov	[esp+110h+var_DC], eax

loc_638A99:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+395j
					; MiProtectAweRegion(x,x,x,x,x)+3B0j
		mov	ebx, [edi]
		mov	[esp+110h+var_A8], ebx
		nop
		mov	ecx, [edi+4]
		mov	eax, ebx
		or	eax, ecx
		mov	[esp+110h+var_D4], ecx
		jz	loc_638C50
		xor	edx, edx
		mov	eax, ebx
		inc	edx
		and	eax, edx
		or	eax, 0
		jz	loc_638CAF
		cmp	[esp+110h+var_100], 0
		jnz	short loc_638ACC
		mov	[esp+110h+var_100], edi

loc_638ACC:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+3E5j
		cmp	edi, [esp+110h+var_B4]
		jnz	short loc_638B13
		mov	eax, ebx
		and	eax, 800h
		or	eax, 0
		jz	short loc_638AE2
		push	4
		jmp	short loc_638AE4
; 

loc_638AE2:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+3FBj
		push	2

loc_638AE4:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+3FFj
		mov	edx, [esp+114h+var_BC]
		mov	eax, edx
		shr	eax, 3
		pop	esi
		mov	[esp+110h+var_F0], esi
		cmp	eax, 1
		jnz	short loc_638AFF
		or	esi, 200h
		jmp	short loc_638B0F
; 

loc_638AFF:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+414j
		cmp	eax, 3
		jnz	short loc_638B13
		test	dl, 7
		jz	short loc_638B13
		or	esi, 400h

loc_638B0F:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+41Cj
		mov	[esp+110h+var_F0], esi

loc_638B13:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+3EFj
					; MiProtectAweRegion(x,x,x,x,x)+421j ...
		cmp	[esp+110h+var_C8], 300000h
		jnz	short loc_638B8C
		cmp	[esp+110h+var_DC], 0
		jnz	short loc_638B8C
		mov	eax, ebx
		and	eax, 42h
		or	eax, 0
		jz	short loc_638B8C
		mov	eax, 0C0000000h
		mov	esi, edi
		cmp	edi, eax
		jb	short loc_638B48

loc_638B39:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+465j
		cmp	esi, 0C07FFFFFh
		ja	short loc_638B48
		shl	esi, 9
		cmp	esi, eax
		jnb	short loc_638B39

loc_638B48:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+456j
					; MiProtectAweRegion(x,x,x,x,x)+45Ej
		mov	eax, [esp+110h+var_D8]
		xor	edx, edx
		div	[esp+110h+var_D0]
		mov	[esp+110h+var_DC], eax
		test	eax, eax
		jz	short loc_638B85
		mov	ebx, [esp+110h+var_D0]
		mov	edi, eax
		shl	ebx, 0Ch

loc_638B63:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+496j
		push	[esp+110h+var_CC]
		mov	ecx, [esp+114h+var_AC]
		mov	edx, esi
		call	_MiCaptureWriteWatchDirtyBit@12	; MiCaptureWriteWatchDirtyBit(x,x,x)
		add	esi, ebx
		sub	edi, 1
		jnz	short loc_638B63
		mov	edi, [esp+110h+var_C4]
		mov	ebx, [esp+110h+var_A8]
		mov	ecx, [esp+110h+var_D4]

loc_638B85:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+477j
		xor	eax, eax
		inc	eax
		mov	[esp+110h+var_DC], eax

loc_638B8C:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+43Aj
					; MiProtectAweRegion(x,x,x,x,x)+441j ...
		nop
		shrd	ebx, ecx, 0Ch
		mov	ecx, [ebp+arg_0]
		and	ebx, 1FFFFFFh
		cmp	ecx, 18h
		jnz	short loc_638BC6
		push	ecx
		pop	edx
		mov	ecx, ebx
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	esi, eax
		mov	ecx, 200h
		mov	eax, [esp+110h+var_D8]
		mov	ebx, edx
		mov	[esp+110h+var_E8], esi
		mov	[esp+110h+var_E4], ebx
		cmp	eax, ecx
		jz	short loc_638BF5
		mov	[edi], esi
		nop
		jmp	short loc_638BF2
; 

loc_638BC6:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+4BCj
		mov	eax, [esp+110h+var_EC]
		mov	edx, ebx
		or	eax, ecx
		mov	ecx, edi
		push	eax
		call	MiMakeValidPte
		mov	esi, eax
		mov	ecx, 200h
		mov	eax, [esp+110h+var_D8]
		mov	ebx, edx
		mov	[esp+110h+var_E8], esi
		mov	[esp+110h+var_E4], ebx
		cmp	eax, ecx
		jz	short loc_638BF5
		nop
		mov	[edi], esi

loc_638BF2:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+4E3j
		mov	[edi+4], ebx

loc_638BF5:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+4DEj
					; MiProtectAweRegion(x,x,x,x,x)+50Cj
		test	byte ptr [ebp+arg_0], 4
		jz	short loc_638C08
		cmp	[esp+110h+var_C8], 300000h
		jz	short loc_638C08
		or	esi, 42h

loc_638C08:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+518j
					; MiProtectAweRegion(x,x,x,x,x)+522j
		mov	edx, edi
		push	0
		cmp	eax, ecx
		jnz	short loc_638C3E
		mov	ecx, [esp+114h+var_F4]
		call	MiLockPageTableInternal
		push	ebx
		mov	ebx, [esp+114h+var_F4]
		mov	edx, edi
		push	esi
		push	0
		mov	ecx, ebx
		call	MiUnlockNestedPageTableWritePte
		mov	edx, [esp+110h+var_B8]
		lea	ecx, [esp+110h+var_A0]
		push	edi
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)
		mov	esi, [esp+110h+var_F8]
		jmp	short loc_638C54
; 

loc_638C3E:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+52Dj
		push	1
		shl	edx, 9
		lea	ecx, [esp+118h+var_A0]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	esi, [esp+110h+var_F8]

loc_638C50:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+3CAj
					; MiProtectAweRegion(x,x,x,x,x)+5DEj
		mov	ebx, [esp+110h+var_F4]

loc_638C54:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+55Bj
					; MiProtectAweRegion(x,x,x,x,x)+6AFj ...
		mov	ecx, [esp+110h+var_E0]

loc_638C58:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+37Fj
		add	edi, 8
		mov	[esp+110h+var_C4], edi
		cmp	edi, esi
		jbe	loc_6389F4

loc_638C67:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+309j
		lea	ecx, [esp+110h+var_A0]
		call	MiFlushTbList
		mov	eax, [esp+110h+var_E0]
		test	eax, eax
		jz	short loc_638C81
		mov	edx, eax
		mov	ecx, ebx
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_638C81:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+595j
		mov	dl, [esp+110h+var_F9]
		mov	ecx, ebx
		call	MiUnlockWorkingSetShared
		mov	ecx, [esp+110h+var_A4]
		mov	eax, [esp+110h+var_F0]
		mov	[ecx], eax
		xor	eax, eax

loc_638C98:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+10Ej
		mov	ecx, [esp+110h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_638CAF:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+3DAj
		cmp	edi, [esp+110h+var_B4]
		jnz	short loc_638CB9
		mov	[esp+110h+var_F0], edx

loc_638CB9:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+5D2j
		mov	eax, [ebp+arg_0]
		cmp	eax, 18h
		jz	short loc_638C50
		mov	ecx, eax
		and	ebx, 0FFFFFC1Fh
		and	ecx, 1Fh
		xor	eax, eax
		shld	eax, ecx, 5
		or	eax, [esp+110h+var_D4]
		shl	ecx, 5
		or	ecx, ebx
		mov	[esp+110h+var_E4], eax
		mov	[esp+110h+var_E8], ecx
		mov	[edi], ecx
		nop
		mov	ecx, edi
		mov	[edi+4], eax
		call	_MiMakeTransitionPteValid@4 ; MiMakeTransitionPteValid(x)
		test	[esp+110h+var_EC], 4000000h
		mov	esi, eax
		mov	[esp+110h+var_E8], esi
		mov	[esp+110h+var_E4], edx
		jz	short loc_638D12
		or	esi, 80h
		mov	[esp+110h+var_E4], edx
		mov	[esp+110h+var_E8], esi

loc_638D12:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+621j
		mov	ecx, edi
		xor	ebx, ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_638D70
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_638D3E
		inc	ebx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	short loc_638D70
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_638D70
		jmp	short loc_638D6A
; 

loc_638D3E:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+645j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_638D70
		mov	eax, [esp+110h+var_E8]
		and	eax, 1
		or	eax, 0
		jz	short loc_638D70
		mov	esi, [esp+110h+var_E8]
		mov	edx, [esp+110h+var_E4]

loc_638D6A:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+65Bj
		or	edx, 80000000h

loc_638D70:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+63Cj
					; MiProtectAweRegion(x,x,x,x,x)+64Fj ...
		mov	[edi+4], edx
		nop
		mov	[edi], esi
		test	ebx, ebx
		jz	short loc_638D83
		push	edx
		push	esi
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_638D83:				; CODE XREF: MiProtectAweRegion(x,x,x,x,x)+697j
		cmp	[esp+110h+var_100], 0
		mov	esi, [esp+110h+var_F8]
		mov	ebx, [esp+110h+var_F4]
		jnz	loc_638C54
		mov	[esp+110h+var_100], edi
		jmp	loc_638C54
_MiProtectAweRegion@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReferenceAweHandle(x, x, x, x, x)
_MiReferenceAweHandle@20 proc near	; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+168p
					; MiCreateUserPhysicalView(x,x,x,x)+5Dp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	[edi], eax
		mov	[ebx], eax
		cmp	esi, 0FFFFFFFFh
		jz	short loc_638E35
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	68506D4Dh
		push	[ebp+arg_0]
		push	ds:_MmSectionObjectType
		push	edx
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_638E10
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	ecx, eax
		call	_MiAweControlArea@4 ; MiAweControlArea(x)
		test	eax, eax
		jnz	short loc_638E0A
		mov	edx, 68506D4Dh
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C0000008h
		jmp	short loc_638E35
; 

loc_638E0A:				; CODE XREF: MiReferenceAweHandle(x,x,x,x,x)+56j
		mov	[ebx], esi
		mov	eax, edx
		jmp	short loc_638E35
; 

loc_638E10:				; CODE XREF: MiReferenceAweHandle(x,x,x,x,x)+41j
		push	0
		lea	eax, [ebp+var_8]
		push	eax
		push	68506D4Dh
		push	[ebp+arg_0]
		push	ds:_PsProcessType
		push	8
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_638E35
		mov	ecx, [ebp+var_8]
		mov	[edi], ecx

loc_638E35:				; CODE XREF: MiReferenceAweHandle(x,x,x,x,x)+21j
					; MiReferenceAweHandle(x,x,x,x,x)+69j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiReferenceAweHandle@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiScrubAwePage(x, x, x)
_MiScrubAwePage@12 proc	near		; CODE XREF: MiScrubProcessPhysicalPages(x)+B6p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		imul	esi, edx, 1Ch
		push	edi
		mov	[ebp+var_8], ecx
		add	esi, ds:_MmPfnDatabase
		mov	[ebp+var_4], esi
		mov	ebx, [esi+4]
		test	ebx, ebx
		jnz	short loc_638E6D

loc_638E5D:				; CODE XREF: MiScrubAwePage(x,x,x)+5Aj
		push	1
		push	0
		mov	edx, esi
		call	_MiScrubPage@16	; MiScrubPage(x,x,x,x)
		jmp	loc_638FA2
; 

loc_638E6D:				; CODE XREF: MiScrubAwePage(x,x,x)+1Fj
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_14], edx
		test	byte ptr [eax],	1
		jnz	short loc_638E8B
		xor	eax, eax
		jmp	loc_638FA2
; 

loc_638E8B:				; CODE XREF: MiScrubAwePage(x,x,x)+46j
		mov	eax, [esi+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jz	short loc_638E5D
		lea	edi, [edx+240h]
		mov	ecx, edi
		call	MiLockWorkingSetShared
		cmp	word ptr [esi+14h], 2
		mov	byte ptr [ebp+arg_0+3],	al
		jnz	loc_638F92
		mov	eax, ebx
		mov	ecx, edi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		push	0
		mov	edx, eax
		mov	[ebp+var_10], eax
		call	MiLockPageTableInternal
		mov	edi, [ebx]
		nop
		mov	esi, [ebx+4]
		mov	eax, edi
		and	eax, 1
		mov	[ebp+var_C], eax
		or	eax, 0
		jz	short loc_638F02
		mov	eax, ds:_ZeroPte
		mov	[ebx], eax
		nop
		mov	eax, ds:dword_40F9FC
		xor	edx, edx
		mov	ecx, ebx
		mov	[ebx+4], eax
		push	0
		shl	ecx, 9
		inc	edx
		call	KeFlushSingleTb

loc_638F02:				; CODE XREF: MiScrubAwePage(x,x,x)+A5j
		mov	edx, [ebp+var_4]

loc_638F05:				; CODE XREF: .text:0042B440j
		mov	ecx, [ebp+var_8]
		push	1
		push	0
		call	_MiScrubPage@16	; MiScrubPage(x,x,x,x)
		mov	ecx, [ebp+var_C]
		or	ecx, 0
		mov	[ebp+var_4], eax
		jz	short loc_638F7A
		mov	ecx, ebx
		or	edi, 20h
		xor	edx, edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_638F69
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_638F41
		inc	edx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	short loc_638F69
		jmp	short loc_638F59
; 

loc_638F41:				; CODE XREF: MiScrubAwePage(x,x,x)+F7j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_638F69

loc_638F59:				; CODE XREF: MiScrubAwePage(x,x,x)+103j
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	short loc_638F69
		or	esi, 80000000h

loc_638F69:				; CODE XREF: MiScrubAwePage(x,x,x)+EEj
					; MiScrubAwePage(x,x,x)+101j ...
		mov	[ebx+4], esi
		nop
		mov	[ebx], edi
		test	edx, edx
		jz	short loc_638F7A
		push	esi
		push	edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_638F7A:				; CODE XREF: MiScrubAwePage(x,x,x)+DEj
					; MiScrubAwePage(x,x,x)+135j
		mov	edi, [ebp+var_14]
		mov	edx, [ebp+var_10]
		add	edi, 240h
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	al, byte ptr [ebp+arg_0+3]
		jmp	short loc_638F96
; 

loc_638F92:				; CODE XREF: MiScrubAwePage(x,x,x)+71j
		and	[ebp+var_4], 0

loc_638F96:				; CODE XREF: MiScrubAwePage(x,x,x)+154j
		mov	dl, al
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	eax, [ebp+var_4]

loc_638FA2:				; CODE XREF: MiScrubAwePage(x,x,x)+2Cj
					; MiScrubAwePage(x,x,x)+4Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiScrubAwePage@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiUnlockAwePagesExclusive(x, x)
_MiUnlockAwePagesExclusive@8 proc near	; CODE XREF: MiDeleteAweInfoPages(x)+174p
					; MiResizeAweBitMap(x)+90p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		add	ecx, 1Ch
		xor	edx, edx
		call	ExReleaseAutoExpandPushLockExclusive
		mov	ecx, esi
		pop	esi
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
_MiUnlockAwePagesExclusive@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiUnlockAwePagesShared(x, x)
_MiUnlockAwePagesShared@8 proc near	; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+49Cp
					; MiAllocateUserPhysicalPages(x,x,x,x,x)+568p ...
		mov	eax, edx
		xor	edx, edx
		push	esi
		mov	esi, ecx
		mov	ecx, eax
		call	ExReleaseAutoExpandPushLockShared
		mov	ecx, esi
		pop	esi
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
_MiUnlockAwePagesShared@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateAwePageTable(x, x, x)
_MiUpdateAwePageTable@12 proc near	; CODE XREF: MiDeleteEnclavePage(x,x)+4Dp
					; MiWriteEnclavePte(x,x,x,x,x,x)+14Ep ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	eax, edx
		mov	edi, esi
		mov	[ebp+var_C], eax
		shl	edi, 12h
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_63904E
		mov	edx, [esi]
		nop
		mov	eax, [esi+4]
		shrd	edx, eax, 0Ch
		mov	[ebp+var_8], ebx
		and	edx, 1FFFFFFh
		imul	eax, edx, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_10], eax
		add	eax, 10h
		mov	[ebp+var_4], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_639038
		mov	ebx, eax

loc_639021:				; CODE XREF: MiUpdateAwePageTable(x,x,x)+57j
					; MiUpdateAwePageTable(x,x,x)+5Ej
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_639021
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_639021
		xor	ebx, ebx

loc_639038:				; CODE XREF: MiUpdateAwePageTable(x,x,x)+47j
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, [ebp+var_4]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_63904E:				; CODE XREF: MiUpdateAwePageTable(x,x,x)+1Bj
		cmp	esi, 0C0603018h
		jz	short loc_6390AC
		cmp	ds:dword_6D07D0, 0C0000000h
		jnb	short loc_63906A
		cmp	esi, 0C0603010h
		jz	short loc_6390AC

loc_63906A:				; CODE XREF: MiUpdateAwePageTable(x,x,x)+8Aj
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_6390AC
		mov	eax, large fs:124h
		shr	edi, 15h
		mov	eax, [eax+80h]
		mov	ecx, [eax+24Ch]
		add	ecx, 190h
		lea	ecx, [ecx+edi*2]
		test	edx, edx
		jle	short loc_63909A
		call	_MiIncreaseUsedPtesCount@8 ; MiIncreaseUsedPtesCount(x,x)
		jmp	short loc_6390A8
; 

loc_63909A:				; CODE XREF: MiUpdateAwePageTable(x,x,x)+BBj
		neg	edx
		call	MiDecreaseUsedPtesCount
		test	eax, eax
		jnz	short loc_6390A8
		xor	ebx, ebx
		inc	ebx

loc_6390A8:				; CODE XREF: MiUpdateAwePageTable(x,x,x)+C2j
					; MiUpdateAwePageTable(x,x,x)+CDj
		mov	eax, ebx
		jmp	short loc_6390AE
; 

loc_6390AC:				; CODE XREF: MiUpdateAwePageTable(x,x,x)+7Ej
					; MiUpdateAwePageTable(x,x,x)+92j ...
		xor	eax, eax

loc_6390AE:				; CODE XREF: MiUpdateAwePageTable(x,x,x)+D4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiUpdateAwePageTable@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWriteAweClusterPte(x, x, x, x, x,	x)
_MiWriteAweClusterPte@24 proc near	; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+4D4p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_0], 0
		mov	eax, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], eax
		jz	loc_6391E9
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	loc_6391E9
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_8]

loc_6390E0:				; CODE XREF: MiWriteAweClusterPte(x,x,x,x,x,x)+12Cj
		cmp	[ebp+arg_0], 1
		jnz	short loc_6390F4
		push	ebx
		push	esi
		mov	ecx, edi
		call	MI_INTERLOCKED_EXCHANGE_PTE
		jmp	loc_6391A4
; 

loc_6390F4:				; CODE XREF: MiWriteAweClusterPte(x,x,x,x,x,x)+2Fj
		cmp	[ebp+arg_0], 2
		jz	loc_63918B
		cmp	[ebp+arg_0], 3
		jz	loc_63918B
		cmp	[ebp+arg_0], 5
		jnz	short loc_639183
		and	[ebp+arg_C], 0
		mov	ecx, edi
		mov	edx, ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_63916A
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_63914E
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	eax, esi
		mov	[ebp+arg_C], 1
		jnz	short loc_63916C

loc_63913A:				; CODE XREF: MiWriteAweClusterPte(x,x,x,x,x,x)+B3j
		and	eax, 1
		or	eax, 0
		mov	eax, esi
		jz	short loc_63916C
		mov	edx, ebx
		or	edx, 80000000h
		jmp	short loc_63916C
; 

loc_63914E:				; CODE XREF: MiWriteAweClusterPte(x,x,x,x,x,x)+71j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, esi
		jz	short loc_63916C
		jmp	short loc_63913A
; 

loc_63916A:				; CODE XREF: MiWriteAweClusterPte(x,x,x,x,x,x)+68j
		mov	eax, esi

loc_63916C:				; CODE XREF: MiWriteAweClusterPte(x,x,x,x,x,x)+83j
					; MiWriteAweClusterPte(x,x,x,x,x,x)+8Dj ...
		mov	[edi+4], edx
		nop
		cmp	[ebp+arg_C], 0
		mov	[edi], eax
		jz	short loc_6391A4
		push	edx
		push	eax
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	short loc_6391A4
; 

loc_639183:				; CODE XREF: MiWriteAweClusterPte(x,x,x,x,x,x)+57j
		mov	[edi], esi
		nop
		mov	[edi+4], ebx
		jmp	short loc_6391A7
; 

loc_63918B:				; CODE XREF: MiWriteAweClusterPte(x,x,x,x,x,x)+43j
					; MiWriteAweClusterPte(x,x,x,x,x,x)+4Dj
		push	0
		mov	edx, edi
		mov	ecx, eax
		call	MiLockPageTableInternal
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	ebx
		push	esi
		push	0
		call	MiUnlockNestedPageTableWritePte

loc_6391A4:				; CODE XREF: MiWriteAweClusterPte(x,x,x,x,x,x)+3Aj
					; MiWriteAweClusterPte(x,x,x,x,x,x)+C1j ...
		mov	edx, [ebp+arg_4]

loc_6391A7:				; CODE XREF: MiWriteAweClusterPte(x,x,x,x,x,x)+D4j
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_6391D5
		mov	ecx, esi
		mov	eax, ebx
		and	ecx, 0FFFFF000h
		add	ecx, 1000h
		adc	eax, 0
		xor	ecx, esi
		xor	eax, ebx
		and	ecx, 0FFFFF000h
		and	eax, 1Fh
		xor	esi, ecx
		xor	ebx, eax

loc_6391D5:				; CODE XREF: MiWriteAweClusterPte(x,x,x,x,x,x)+FAj
		mov	eax, [ebp+var_4]
		add	edi, 8
		sub	edx, 1
		mov	[ebp+arg_4], edx
		jnz	loc_6390E0
		pop	esi
		pop	ebx

loc_6391E9:				; CODE XREF: MiWriteAweClusterPte(x,x,x,x,x,x)+12j
					; MiWriteAweClusterPte(x,x,x,x,x,x)+1Dj
		pop	edi
		leave
		retn	10h
_MiWriteAweClusterPte@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWriteAwePtes(x, x, x, x, x, x)
_MiWriteAwePtes@24 proc	near		; CODE XREF: MiDeleteVadAwePtes(x,x,x)+3Cp
					; NtMapUserPhysicalPages(x,x,x)+27Ap ...

var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 114h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+114h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	[esp+120h+var_A8], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_8]
		mov	esi, ecx
		push	98h		; size_t
		mov	[esp+124h+var_10C], eax
		lea	eax, [esp+124h+var_A0]
		push	ebx		; int
		push	eax		; void *
		mov	[esp+12Ch+var_BC], edx
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		mov	ecx, esi
		mov	eax, [eax+80h]
		add	eax, 240h
		mov	[esp+120h+var_108], eax
		mov	eax, [esi+10h]
		mov	[esp+120h+var_B4], eax
		mov	edi, [eax+4]
		mov	[esp+120h+var_C8], edi
		call	_MiGetAweViewPageSize@4	; MiGetAweViewPageSize(x)
		mov	[esp+120h+var_100], eax
		test	eax, eax
		jnz	short loc_639271
		mov	eax, edi
		mov	[esp+120h+var_100], edi

loc_639271:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+7Bj
		xor	ecx, ecx
		cmp	eax, 200h
		setz	cl
		mov	edx, ecx
		mov	[esp+120h+var_B0], ecx
		xor	ecx, ecx
		shl	edx, 1Ah
		inc	ecx
		mov	[esp+120h+var_C0], edx
		mov	[esp+120h+var_FC], ecx
		cmp	eax, 200h
		jz	short loc_63929A
		mov	[esp+120h+var_FC], edi

loc_63929A:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+A6j
		test	[ebp+arg_C], 1
		mov	edi, ebx
		push	21h
		pop	eax
		mov	[esp+120h+var_E8], ebx
		mov	[esp+120h+var_110], edi
		mov	[esp+120h+var_C4], ebx
		mov	[esp+120h+var_F4], ebx
		mov	[esp+120h+var_F8], ebx
		mov	[esp+120h+var_AC], ebx
		mov	[esp+120h+var_A0], ecx
		mov	[esp+120h+var_9C], bx
		mov	[esp+120h+var_90], ebx
		mov	[esp+120h+var_DC], eax
		mov	[esp+120h+var_98], eax
		mov	[esp+120h+var_8C], ebx
		jz	loc_63937E
		mov	eax, [esi+0Ch]
		mov	ecx, 300000h
		mov	[esp+120h+var_EC], eax
		mov	esi, [eax+1Ch]
		mov	eax, esi
		and	eax, ecx
		mov	[esp+120h+var_E8], esi
		cmp	eax, ecx
		jz	short loc_63930E
		or	edx, 80000000h
		mov	[esp+120h+var_C0], edx

loc_63930E:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+114j
		mov	eax, [esp+120h+var_B4]
		test	byte ptr [eax],	1
		jz	short loc_63931C
		push	4
		pop	ecx
		jmp	short loc_639324
; 

loc_63931C:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+127j
		mov	ecx, esi
		shr	ecx, 7
		and	ecx, 1Fh

loc_639324:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+12Cj
		or	edx, ecx
		mov	ecx, ds:_MmHighestUserAddress
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		push	edx
		sub	ecx, 40000000h
		xor	edx, edx
		call	MiMakeValidPte
		mov	ecx, [esp+120h+var_108]
		shr	esi, 0Ch
		and	esi, 3Fh
		mov	[esp+120h+var_D0], eax
		mov	[esp+120h+var_CC], edx
		mov	[esp+120h+var_E0], esi
		call	MiLockWorkingSetShared
		mov	[esp+120h+var_DC], eax
		mov	ecx, 1100000h
		mov	byte ptr [esp+120h+var_B8], al
		mov	eax, [esp+120h+var_E8]
		and	eax, ecx
		sub	eax, ecx
		neg	eax
		sbb	eax, eax
		inc	eax
		mov	[esp+120h+var_E8], eax
		jmp	short loc_6393C4
; 

loc_63937E:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+F5j
		mov	ecx, [esp+120h+var_10C]
		mov	esi, ebx
		or	edx, 80000000h
		mov	[esp+120h+var_EC], ebx
		mov	[esp+120h+var_D0], ebx
		mov	[esp+120h+var_CC], ebx
		mov	[esp+120h+var_E0], esi
		mov	byte ptr [esp+120h+var_B8], al
		mov	[esp+120h+var_C0], edx
		call	_MiGetLeafVa@4	; MiGetLeafVa(x)
		mov	ecx, eax
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	ecx, 1100000h
		mov	eax, [eax+1Ch]
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_6393C4
		mov	[esp+120h+var_E8], 1

loc_6393C4:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+18Ej
					; MiWriteAwePtes(x,x,x,x,x,x)+1CCj
		mov	ecx, ebx
		mov	[esp+120h+var_E4], ecx
		cmp	[ebp+arg_0], ecx
		jbe	loc_63998B
		mov	eax, [esp+120h+var_FC]
		shl	eax, 3
		mov	[esp+120h+var_A4], eax

loc_6393DE:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+761j
		mov	eax, [esp+120h+var_A8]
		test	eax, eax
		jz	loc_6394BD
		mov	ecx, [eax+ecx*4]
		mov	edi, offset loc_7FFFF8
		mov	eax, [esp+120h+var_B0]
		mov	edx, ecx
		shr	edx, 9
		and	edx, edi
		sub	edx, 40000000h
		cmp	[esp+120h+var_100], 200h
		mov	[esp+120h+var_10C], edx
		jnz	short loc_639425

loc_639411:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+231j
		shr	edx, 9
		and	edx, edi
		sub	edx, 40000000h
		sub	eax, 1
		jnz	short loc_639411
		mov	[esp+120h+var_10C], edx

loc_639425:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+221j
		mov	edi, [esp+120h+var_EC]
		mov	eax, [edi+0Ch]
		shl	eax, 0Ch
		cmp	ecx, eax
		jb	short loc_639442
		mov	eax, [edi+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	ecx, eax
		jbe	short loc_6394A0

loc_639442:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+243j
		call	_MiGetAweNode@4	; MiGetAweNode(x)
		mov	edi, [eax+0Ch]
		mov	eax, [esp+120h+var_B4]
		mov	[esp+120h+var_EC], edi
		mov	esi, [edi+1Ch]
		test	byte ptr [eax],	1
		jz	short loc_63945F
		push	4
		pop	ecx
		jmp	short loc_639467
; 

loc_63945F:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+26Aj
		mov	ecx, esi
		shr	ecx, 7
		and	ecx, 1Fh

loc_639467:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+26Fj
		mov	eax, [esp+120h+var_C0]
		xor	edx, edx
		or	eax, ecx
		mov	ecx, ds:_MmHighestUserAddress
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		push	eax
		sub	ecx, 40000000h
		call	MiMakeValidPte
		shr	esi, 0Ch
		mov	edi, edx
		and	esi, 3Fh
		mov	[esp+120h+var_D0], eax
		mov	[esp+120h+var_CC], edi
		mov	[esp+120h+var_E0], esi
		jmp	short loc_6394A8
; 

loc_6394A0:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+252j
		mov	eax, [esp+120h+var_D0]
		mov	edi, [esp+120h+var_CC]

loc_6394A8:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+2B0j
		mov	edx, [esp+120h+var_BC]
		mov	ecx, [esp+120h+var_E4]
		test	edx, edx
		jz	short loc_6394CE
		cmp	[edx+ecx*4], ebx
		jz	short loc_6394CE
		mov	edx, eax
		jmp	short loc_6394DA
; 

loc_6394BD:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+1F6j
		cmp	[esp+120h+var_BC], 0
		jz	short loc_6394CE
		mov	edx, [esp+120h+var_D0]
		mov	edi, [esp+120h+var_CC]
		jmp	short loc_6394DA
; 

loc_6394CE:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+2C4j
					; MiWriteAwePtes(x,x,x,x,x,x)+2C9j ...
		mov	edi, ds:dword_40F9FC
		mov	edx, ds:_ZeroPte

loc_6394DA:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+2CDj
					; MiWriteAwePtes(x,x,x,x,x,x)+2DEj
		mov	eax, edx
		mov	[esp+120h+var_114], edi
		and	eax, 1
		mov	[esp+120h+var_104], edx
		or	eax, ebx
		jz	short loc_639516
		mov	eax, [esp+120h+var_BC]
		and	edx, 0FFFh
		and	edi, 0FFFFFFE0h
		mov	ecx, [eax+ecx*4]
		xor	eax, eax
		and	ecx, 1FFFFFFh
		shld	eax, ecx, 0Ch
		shl	ecx, 0Ch
		or	ecx, edx
		or	eax, edi
		mov	[esp+120h+var_104], ecx
		mov	[esp+120h+var_114], eax

loc_639516:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+2FBj
		mov	edx, [esp+120h+var_10C]
		mov	edi, edx
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		cmp	[esp+120h+var_EC], 0
		lea	eax, [edi-40000000h]
		jz	loc_6395E8
		mov	ecx, [esp+120h+var_110]
		cmp	ecx, eax
		jz	loc_6395EC
		test	ecx, ecx
		jz	loc_6395CD
		push	[esp+120h+var_F8]
		mov	edx, [esp+124h+var_F4]
		call	_MiUpdateAwePageTable@12 ; MiUpdateAwePageTable(x,x,x)
		lea	ecx, [esp+120h+var_A0]
		mov	[esp+120h+var_F0], eax
		call	MiFlushTbList
		cmp	[esp+120h+var_E8], 0
		jz	short loc_639572
		mov	[esp+120h+var_C4], ebx

loc_639572:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+37Ej
		mov	edx, [esp+120h+var_110]
		mov	ecx, [esp+120h+var_108]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		cmp	[esp+120h+var_F0], 0
		jz	short loc_6395C5
		mov	dl, byte ptr [esp+120h+var_DC]
		mov	ecx, [esp+120h+var_108]
		call	MiUnlockWorkingSetShared
		mov	ecx, [esp+120h+var_110]
		push	1
		lea	ecx, [ecx+8]
		call	_MiGetLeafVa@4	; MiGetLeafVa(x)
		mov	ecx, [esp+124h+var_110]
		lea	edx, [eax-1]
		call	_MiGetLeafVa@4	; MiGetLeafVa(x)
		mov	ecx, eax
		call	_MiDeleteEmptyPageTables@12 ; MiDeleteEmptyPageTables(x,x,x)
		mov	ecx, [esp+120h+var_108]
		call	MiLockWorkingSetShared
		mov	[esp+120h+var_DC], eax
		mov	byte ptr [esp+120h+var_B8], al

loc_6395C5:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+396j
		mov	[esp+120h+var_F4], ebx
		mov	[esp+120h+var_F8], ebx

loc_6395CD:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+356j
		mov	ecx, [esp+120h+var_10C]
		xor	edx, edx
		push	ebx
		push	[esp+124h+var_B8]
		push	esi
		call	MiMakeSystemAddressValid
		mov	edx, [esp+120h+var_10C]
		lea	eax, [edi-40000000h]

loc_6395E8:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+342j
		mov	[esp+120h+var_110], eax

loc_6395EC:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+34Ej
		cmp	[esp+120h+var_C4], 0
		mov	ecx, ebx
		jnz	short loc_6395F9
		mov	[esp+120h+var_C4], edx

loc_6395F9:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+405j
		mov	edi, [edx]
		mov	[esp+120h+var_D8], edi
		nop
		mov	eax, [edx+4]
		mov	edx, [esp+120h+var_104]
		mov	[esp+120h+var_F0], eax
		mov	eax, edx
		and	eax, 1
		or	eax, ebx
		mov	eax, edi
		jz	short loc_639679
		and	eax, 1
		or	eax, ebx
		jz	short loc_63963F
		mov	eax, [esp+120h+var_114]
		cmp	edx, edi
		jnz	short loc_63962F
		cmp	eax, [esp+120h+var_F0]
		jz	loc_6396B3

loc_63962F:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+435j
		xor	ecx, ecx
		cmp	[esp+120h+var_100], 200h
		setz	cl
		inc	ecx
		jmp	short loc_6396B3
; 

loc_63963F:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+42Dj
		mov	eax, edi
		and	eax, 800h
		or	eax, ebx
		push	5
		pop	ecx
		jnz	short loc_6396AF
		mov	eax, [esp+120h+var_F4]
		add	eax, [esp+120h+var_FC]
		mov	[esp+120h+var_F4], eax
		mov	eax, edi
		or	eax, [esp+120h+var_F0]
		jnz	short loc_6396AF
		cmp	[esp+120h+var_100], 200h
		jz	short loc_6396AF
		mov	eax, [esp+120h+var_F8]
		add	eax, [esp+120h+var_FC]
		mov	[esp+120h+var_F8], eax
		jmp	short loc_6396AF
; 

loc_639679:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+426j
		or	eax, [esp+120h+var_F0]
		jz	short loc_6396AF
		mov	ecx, [esp+120h+var_100]
		mov	eax, [esp+120h+var_FC]
		cmp	ecx, 200h
		jz	short loc_639693
		sub	[esp+120h+var_F8], eax

loc_639693:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+49Fj
		sub	[esp+120h+var_F4], eax
		mov	eax, edi
		and	eax, 1
		or	eax, ebx
		jz	short loc_6396AC
		cmp	ecx, 200h
		jnz	short loc_6396AC
		push	3
		jmp	short loc_6396AE
; 

loc_6396AC:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+4B0j
					; MiWriteAwePtes(x,x,x,x,x,x)+4B8j
		push	4

loc_6396AE:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+4BCj
		pop	ecx

loc_6396AF:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+45Dj
					; MiWriteAwePtes(x,x,x,x,x,x)+471j ...
		mov	eax, [esp+120h+var_114]

loc_6396B3:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+43Bj
					; MiWriteAwePtes(x,x,x,x,x,x)+44Fj
		push	eax
		push	edx
		push	[esp+128h+var_FC]
		mov	edx, [esp+12Ch+var_10C]
		push	ecx
		mov	ecx, [esp+130h+var_108]
		call	_MiWriteAweClusterPte@24 ; MiWriteAweClusterPte(x,x,x,x,x,x)
		mov	eax, edi
		or	eax, [esp+120h+var_F0]
		jz	loc_63979D
		mov	eax, edi
		and	eax, 1
		or	eax, ebx
		jz	short loc_63974D
		cmp	[esp+120h+var_EC], 0
		jz	short loc_63973A
		cmp	[esp+120h+var_100], 200h
		jz	short loc_639707
		mov	edx, [esp+120h+var_10C]
		lea	ecx, [esp+120h+var_A0]
		push	ebx
		push	[esp+124h+var_FC]
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	short loc_63973A
; 

loc_639707:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+4FDj
		mov	eax, [esp+120h+var_FC]
		test	eax, eax
		jz	short loc_63973A
		mov	ebx, [esp+120h+var_10C]
		mov	esi, eax
		mov	edi, [esp+120h+var_B0]

loc_639719:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+540j
		push	ebx
		mov	edx, edi
		lea	ecx, [esp+124h+var_A0]
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)
		add	ebx, 8
		sub	esi, 1
		jnz	short loc_639719
		mov	esi, [esp+120h+var_E0]
		xor	ebx, ebx
		mov	edi, [esp+120h+var_D8]

loc_63973A:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+4F3j
					; MiWriteAwePtes(x,x,x,x,x,x)+517j ...
		nop
		mov	eax, [esp+120h+var_F0]
		mov	ecx, edi
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		jmp	short loc_6397A0
; 

loc_63974D:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+4ECj
		mov	eax, ds:dword_6D0700
		mov	ecx, edi
		mov	esi, ds:dword_6D0704
		mov	edx, [esp+120h+var_F0]
		mov	[esp+120h+var_D8], eax
		or	eax, esi
		mov	[esp+120h+var_D4], esi
		mov	esi, [esp+120h+var_E0]
		mov	[esp+120h+var_104], ecx
		mov	[esp+120h+var_114], edx
		jz	short loc_639791
		mov	eax, ecx
		and	eax, 10h
		or	eax, ebx
		jnz	short loc_639791
		mov	ecx, [esp+120h+var_D8]
		mov	edx, [esp+120h+var_D4]
		not	ecx
		not	edx
		and	ecx, edi
		and	edx, [esp+120h+var_114]

loc_639791:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+586j
					; MiWriteAwePtes(x,x,x,x,x,x)+58Fj
		shrd	ecx, edx, 0Ch
		and	ecx, 3FFFFFFh
		jmp	short loc_6397A0
; 

loc_63979D:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+4DFj
		or	ecx, 0FFFFFFFFh

loc_6397A0:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+55Dj
					; MiWriteAwePtes(x,x,x,x,x,x)+5ADj
		or	edi, [esp+120h+var_F0]
		jz	loc_63985D
		imul	eax, ecx, 1Ch
		mov	ecx, [esp+120h+var_100]
		mov	[esp+120h+var_104], ebx
		add	eax, ds:_MmPfnDatabase
		mov	[esp+120h+var_D4], eax
		test	ecx, ecx
		jz	loc_639861
		imul	eax, [esp+120h+var_C8],	1Ch
		mov	esi, [esp+120h+var_D4]
		mov	[esp+120h+var_D8], eax

loc_6397D4:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+663j
		lea	edi, [esi+10h]
		mov	eax, [edi]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jz	short loc_63982E
		mov	[esp+120h+var_D4], ebx
		jmp	short loc_6397F8
; 

loc_6397E9:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+608j
					; MiWriteAwePtes(x,x,x,x,x,x)+60Fj
		lea	ecx, [esp+120h+var_D4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_6397E9

loc_6397F8:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+5F9j
		lock bts dword ptr [edi], 1Fh
		jb	short loc_6397E9
		mov	edx, [edi]
		mov	ecx, edx
		and	ecx, 3FFFFFFFh
		cmp	ecx, 1
		jz	short loc_63981E
		lea	eax, [ecx-1]
		xor	eax, edx
		and	eax, 3FFFFFFFh
		xor	eax, edx
		mov	[edi], eax
		jmp	short loc_639821
; 

loc_63981E:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+61Ej
		xor	ecx, ecx
		inc	ecx

loc_639821:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+62Ej
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		cmp	ecx, 1
		jnz	short loc_63983B

loc_63982E:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+5F3j
		push	ebx
		lea	eax, [esp+124h+var_AC]
		mov	edx, esi
		push	eax
		call	_MiDecrementAweMapCount@16 ; MiDecrementAweMapCount(x,x,x,x)

loc_63983B:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+63Ej
		mov	ecx, [esp+120h+var_104]
		mov	edx, [esp+120h+var_C8]
		add	ecx, edx
		add	esi, [esp+120h+var_D8]
		mov	[esp+120h+var_104], ecx
		cmp	ecx, [esp+120h+var_100]
		jb	short loc_6397D4
		mov	esi, [esp+120h+var_E0]
		mov	ecx, [esp+120h+var_100]
		jmp	short loc_639865
; 

loc_63985D:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+5B6j
		mov	ecx, [esp+120h+var_100]

loc_639861:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+5D3j
		mov	edx, [esp+120h+var_C8]

loc_639865:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+66Dj
		mov	eax, [esp+120h+var_A4]
		add	[esp+120h+var_10C], eax
		mov	edi, [esp+120h+var_E4]
		mov	eax, [esp+120h+var_FC]
		inc	edi
		imul	eax, edi
		mov	[esp+120h+var_E4], edi
		test	al, 3Fh
		jz	short loc_639889
		cmp	ecx, edx
		jz	loc_639944

loc_639889:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+691j
		mov	ecx, [esp+120h+var_108]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		mov	edi, [esp+120h+var_110]
		test	eax, eax
		jnz	short loc_6398B2
		mov	edx, edi
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jnz	short loc_6398B2
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	loc_639948

loc_6398B2:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+6AAj
					; MiWriteAwePtes(x,x,x,x,x,x)+6B5j
		mov	eax, [ebp+arg_0]
		cmp	[esp+120h+var_E4], eax
		jz	loc_639955
		push	[esp+120h+var_F8]
		mov	edx, [esp+124h+var_F4]
		mov	ecx, edi
		call	_MiUpdateAwePageTable@12 ; MiUpdateAwePageTable(x,x,x)
		lea	ecx, [esp+120h+var_A0]
		mov	edi, eax
		call	MiFlushTbList
		cmp	[esp+120h+var_E8], 0
		jz	short loc_6398E7
		mov	[esp+120h+var_C4], ebx

loc_6398E7:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+6F3j
		mov	edx, [esp+120h+var_110]
		mov	ecx, [esp+120h+var_108]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, byte ptr [esp+120h+var_DC]
		mov	ecx, [esp+120h+var_108]
		call	MiUnlockWorkingSetShared
		test	edi, edi
		jz	short loc_63992B
		cmp	[esp+120h+var_EC], 0
		jz	short loc_63992B
		mov	edi, [esp+120h+var_110]
		push	1
		lea	ecx, [edi+8]
		call	_MiGetLeafVa@4	; MiGetLeafVa(x)
		mov	ecx, edi
		lea	edx, [eax-1]
		call	_MiGetLeafVa@4	; MiGetLeafVa(x)
		mov	ecx, eax
		call	_MiDeleteEmptyPageTables@12 ; MiDeleteEmptyPageTables(x,x,x)

loc_63992B:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+715j
					; MiWriteAwePtes(x,x,x,x,x,x)+71Cj
		mov	ecx, [esp+120h+var_108]
		mov	edi, ebx
		mov	[esp+120h+var_110], edi
		mov	[esp+120h+var_F4], ebx
		mov	[esp+120h+var_F8], ebx
		call	MiLockWorkingSetShared
		jmp	short loc_639948
; 

loc_639944:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+695j
		mov	edi, [esp+120h+var_110]

loc_639948:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+6BEj
					; MiWriteAwePtes(x,x,x,x,x,x)+754j
		mov	ecx, [esp+120h+var_E4]
		cmp	ecx, [ebp+arg_0]
		jb	loc_6393DE

loc_639955:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+6CBj
		test	edi, edi
		jz	short loc_63998B
		push	[esp+120h+var_F8]
		mov	edx, [esp+124h+var_F4]
		mov	ecx, edi
		call	_MiUpdateAwePageTable@12 ; MiUpdateAwePageTable(x,x,x)
		mov	esi, [esp+120h+var_EC]
		mov	ebx, eax
		test	esi, esi
		jz	short loc_6399BF
		lea	ecx, [esp+120h+var_A0]
		call	MiFlushTbList
		mov	ecx, [esp+120h+var_108]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	short loc_63998F
; 

loc_63998B:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+1DFj
					; MiWriteAwePtes(x,x,x,x,x,x)+769j
		mov	esi, [esp+120h+var_EC]

loc_63998F:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+79Bj
		mov	dl, byte ptr [esp+120h+var_DC]
		mov	ecx, [esp+120h+var_108]
		call	MiUnlockWorkingSetShared
		test	ebx, ebx
		jz	short loc_6399BF
		test	esi, esi
		jz	short loc_6399BF
		push	1
		lea	ecx, [edi+8]
		call	_MiGetLeafVa@4	; MiGetLeafVa(x)
		mov	ecx, edi
		lea	edx, [eax-1]
		call	_MiGetLeafVa@4	; MiGetLeafVa(x)
		mov	ecx, eax
		call	_MiDeleteEmptyPageTables@12 ; MiDeleteEmptyPageTables(x,x,x)

loc_6399BF:				; CODE XREF: MiWriteAwePtes(x,x,x,x,x,x)+782j
					; MiWriteAwePtes(x,x,x,x,x,x)+7B0j ...
		mov	ecx, [esp+120h+var_4]
		mov	eax, [esp+120h+var_AC]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_MiWriteAwePtes@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmReadProcessPageTables(x)
_MmReadProcessPageTables@4 proc	near	; CODE XREF: KiMonitorCacheErrata(x,x)+E7p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	[esp+38h+var_C], ecx
		xor	edx, edx
		push	0A0000004h
		xor	ecx, ecx
		call	MiMakeValidPte
		mov	ebx, large fs:20h
		push	offset unk_6D4EB0
		mov	[esp+3Ch+var_2C], eax
		mov	[esp+3Ch+var_24], edx
		mov	[esp+3Ch+var_8], ebx
		wbinvd
		call	_ExTryAcquireSpinLockSharedAtDpcLevel@4	; ExTryAcquireSpinLockSharedAtDpcLevel(x)
		test	eax, eax
		jz	loc_639C27
		mov	esi, [ebx+3D34h]
		mov	ecx, ds:dword_40F9FC
		and	esi, 0FFFFF000h
		mov	edi, esi
		mov	[esp+38h+var_20], esi
		mov	esi, ds:_ZeroPte
		shr	edi, 9
		sub	edi, 40000000h

loc_639A48:				; CODE XREF: MmReadProcessPageTables(x)+88j
					; MmReadProcessPageTables(x)+8Ej
		mov	eax, [edi]
		mov	edx, [edi+4]
		mov	[esp+38h+var_28], eax
		mov	[esp+38h+var_14], edx
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [esp+38h+var_28]
		cmp	eax, ebx
		jnz	short loc_639A48
		cmp	edx, [esp+38h+var_14]
		jnz	short loc_639A48
		mov	ecx, [esp+38h+var_20]
		xor	edx, edx
		call	KeFlushSingleCurrentTb
		mov	ecx, ds:_MmPhysicalMemoryBlock
		xor	edx, edx
		mov	[esp+38h+var_18], edx
		cmp	[ecx], edx
		jbe	loc_639BEB
		mov	esi, offset loc_7FFFFF

loc_639A8E:				; CODE XREF: MmReadProcessPageTables(x)+207j
		mov	eax, [ecx+edx*8+8]
		mov	ecx, [ecx+edx*8+0Ch]
		add	ecx, eax
		imul	edx, eax, 1Ch
		imul	ebx, ecx, 1Ch
		add	edx, ds:_MmPfnDatabase
		add	ebx, ds:_MmPfnDatabase
		mov	[esp+38h+var_4], ebx
		cmp	edx, ebx
		jmp	loc_639BC6
; 

loc_639AB5:				; CODE XREF: MmReadProcessPageTables(x)+1F0j
		mov	bl, [edx+16h]
		mov	al, bl
		and	al, 7
		cmp	al, 6
		jnz	loc_639BBD
		mov	ecx, [edx+4]
		or	ecx, 80000000h
		lea	eax, [ecx+40000000h]
		cmp	eax, esi
		ja	loc_639BBD
		shl	ecx, 9
		lea	eax, [ecx+40000000h]
		cmp	eax, esi
		ja	loc_639BBD
		mov	ecx, [edx+18h]
		mov	eax, ecx
		and	eax, 70000000h
		cmp	eax, 10000000h
		jz	loc_639BBD
		test	ecx, 800000h
		jnz	loc_639BBD
		and	ecx, esi
		cmp	ecx, 7FFFFDh
		jz	loc_639BBD
		and	bl, 0C0h
		cmp	bl, 40h
		jnz	loc_639BBD
		mov	eax, edx
		mov	ebx, [esp+38h+var_24]
		sub	eax, ds:_MmPfnDatabase
		and	ebx, 0FFFFFFE0h
		cdq
		push	1Ch
		pop	ecx
		idiv	ecx
		mov	edx, [esp+38h+var_2C]
		xor	ecx, ecx
		and	eax, 1FFFFFFh
		and	edx, 0FFFh
		shld	ecx, eax, 0Ch
		shl	eax, 0Ch
		or	eax, edx
		or	ecx, ebx
		mov	ebx, eax
		mov	[esp+38h+var_24], ecx
		mov	[esp+38h+var_2C], ebx

loc_639B62:				; CODE XREF: MmReadProcessPageTables(x)+1A4j
					; MmReadProcessPageTables(x)+1AAj
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[esp+38h+var_10], ecx
		nop
		mov	ecx, [esp+38h+var_24]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [esp+38h+var_2C]
		cmp	eax, esi
		jnz	short loc_639B62
		cmp	edx, [esp+38h+var_10]
		jnz	short loc_639B62
		mov	esi, [esp+38h+var_20]
		xor	edx, edx
		mov	ecx, esi
		call	KeFlushSingleCurrentTb
		xor	ecx, ecx

loc_639B95:				; CODE XREF: MmReadProcessPageTables(x)+1C7j
		mov	al, [esi+ecx]
		add	ecx, 40h
		cmp	ecx, 1000h
		jb	short loc_639B95
		mov	edx, [esp+38h+var_C]
		mov	ecx, [esp+38h+var_8]
		call	_KeKeepProcessorAlive@8	; KeKeepProcessorAlive(x,x)
		test	al, al
		jnz	short loc_639BE7
		mov	edx, [esp+38h+var_1C]
		mov	esi, offset loc_7FFFFF

loc_639BBD:				; CODE XREF: MmReadProcessPageTables(x)+E4j
					; MmReadProcessPageTables(x)+FBj ...
		push	1Ch
		pop	eax
		add	edx, eax
		cmp	edx, [esp+38h+var_4]

loc_639BC6:				; CODE XREF: MmReadProcessPageTables(x)+D6j
		mov	[esp+38h+var_1C], edx
		jb	loc_639AB5
		mov	edx, [esp+38h+var_18]
		mov	ecx, ds:_MmPhysicalMemoryBlock
		inc	edx
		mov	[esp+38h+var_18], edx
		cmp	edx, [ecx]
		jb	loc_639A8E

loc_639BE7:				; CODE XREF: MmReadProcessPageTables(x)+1D8j
		mov	ebx, [esp+38h+var_28]

loc_639BEB:				; CODE XREF: MmReadProcessPageTables(x)+A9j
					; MmReadProcessPageTables(x)+22Dj ...
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[esp+38h+var_4], ecx
		nop
		mov	ecx, [esp+38h+var_14]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [esp+38h+var_28]
		cmp	eax, esi
		jnz	short loc_639BEB
		cmp	edx, [esp+38h+var_4]
		jnz	short loc_639BEB
		mov	ecx, [esp+38h+var_20]
		xor	edx, edx
		call	KeFlushSingleCurrentTb
		push	offset unk_6D4EB0
		call	ExReleaseSpinLockSharedFromDpcLevel
		xor	eax, eax
		inc	eax

loc_639C27:				; CODE XREF: MmReadProcessPageTables(x)+41j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MmReadProcessPageTables@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetSubsectionFromPte(x, x)
_MiGetSubsectionFromPte@8 proc near	; CODE XREF: MiRelocateImage+14E05Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, ds:dword_6D0700
		mov	eax, edx
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	esi, ds:dword_6D0704
		or	eax, esi
		push	edi
		mov	edi, [ebp+arg_0]
		jz	short loc_639C5D
		mov	eax, edi
		and	eax, 10h
		or	eax, 0
		jnz	short loc_639C5D
		not	esi
		and	ecx, esi

loc_639C5D:				; CODE XREF: MiGetSubsectionFromPte(x,x)+1Fj
					; MiGetSubsectionFromPte(x,x)+29j
		pop	edi
		mov	eax, ecx
		pop	esi
		leave
		retn	8
_MiGetSubsectionFromPte@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteZeroThreadContext(x)
_MiDeleteZeroThreadContext@4 proc near	; CODE XREF: MiCreateZeroThreadContext(x,x)+91p
					; MiZeroNodePages+5E928p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, offset dword_6D35E0
		mov	edx, [esi+30h]
		test	edx, edx
		jz	short loc_639C89
		push	200h
		mov	ecx, edi
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_639C89:				; CODE XREF: MiDeleteZeroThreadContext(x)+16j
		mov	edx, [esi+34h]
		test	edx, edx
		jz	short loc_639C9C
		push	100h
		mov	ecx, edi
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_639C9C:				; CODE XREF: MiDeleteZeroThreadContext(x)+29j
		mov	ecx, esi
		call	_MiSignalZeroingPassComplete@4 ; MiSignalZeroingPassComplete(x)
		mov	ecx, [esi+3Ch]
		test	ecx, ecx
		jz	short loc_639CB2
		xor	edx, edx
		inc	edx
		call	MiDereferencePageRunsEx

loc_639CB2:				; CODE XREF: MiDeleteZeroThreadContext(x)+43j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_MiDeleteZeroThreadContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetPagesToZero(x,	x, x)
_MiGetPagesToZero@12 proc near		; CODE XREF: MiZeroPageThread+7F273p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	cl, ds:byte_6D068C
		mov	eax, [ebx+48h]
		and	dword ptr [ebx+10h], 0
		shr	eax, cl
		cmp	[ebp+arg_0], 2
		mov	byte ptr [ebx+25h], 0
		jnb	short loc_639D06
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebx+40h]
		push	ebx
		push	40h
		push	ecx
		push	1
		push	1
		push	eax
		push	1
		mov	ecx, edi
		call	_MiUnlinkNodeLargePages@36 ; MiUnlinkNodeLargePages(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_4], esi
		jmp	short loc_639D12
; 

loc_639D06:				; CODE XREF: MiGetPagesToZero(x,x,x)+25j
		mov	ecx, edi
		call	_MiGetSinglePageToZero@8 ; MiGetSinglePageToZero(x,x)
		mov	esi, eax
		mov	[ebp+var_4], eax

loc_639D12:				; CODE XREF: MiGetPagesToZero(x,x,x)+44j
		test	esi, esi
		jnz	short loc_639D1A
		xor	eax, eax
		jmp	short loc_639D6D
; 

loc_639D1A:				; CODE XREF: MiGetPagesToZero(x,x,x)+54j
		cmp	byte ptr [ebx+2Ch], 0
		jnz	short loc_639D61
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		mov	eax, [eax+4]
		cmp	[ebx+50h], eax
		jz	short loc_639D61
		mov	[ebx+50h], eax
		sub	esp, 0Ch
		mov	esi, [edi+10h]
		mov	edi, esp
		imul	ecx, eax, 280h
		add	esi, 264h
		add	esi, ecx
		movsd
		movsd
		movsd
		call	_MiSetIdealProcessorThread@12 ;	MiSetIdealProcessorThread(x,x,x)
		mov	esi, [ebp+var_4]

loc_639D61:				; CODE XREF: MiGetPagesToZero(x,x,x)+5Ej
					; MiGetPagesToZero(x,x,x)+7Bj
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		call	_MiMapPagesToZero@12 ; MiMapPagesToZero(x,x,x)

loc_639D6D:				; CODE XREF: MiGetPagesToZero(x,x,x)+58j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiGetPagesToZero@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetSmallZeroPtes(x, x)
_MiGetSmallZeroPtes@8 proc near		; CODE XREF: MiMapPagesToZero(x,x,x)+39p

var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B4h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+34h]
		lea	eax, [ebp+var_A0]
		push	98h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_A4], edx
		call	_memset
		mov	ebx, [edi]
		add	esp, 0Ch
		nop
		mov	eax, [edi+4]
		mov	esi, eax
		mov	ecx, ds:dword_6D0700
		mov	edx, esi
		mov	[ebp+var_B4], eax
		mov	eax, ds:dword_6D0704
		mov	[ebp+var_AC], eax
		mov	eax, ecx
		or	eax, [ebp+var_AC]
		jz	short loc_639DEA
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_639DEA
		mov	esi, [ebp+var_AC]
		not	esi
		and	esi, edx

loc_639DEA:				; CODE XREF: MiGetSmallZeroPtes(x,x)+60j
					; MiGetSmallZeroPtes(x,x)+6Aj
		mov	eax, [ebp+var_A4]
		cmp	eax, esi
		jbe	short loc_639E36
		and	[ebp+var_8C], 0
		lea	edx, [edi+esi*8]
		mov	eax, 100h
		shl	edx, 9
		push	0
		sub	eax, esi
		mov	[ebp+var_98], 21h
		push	eax
		lea	ecx, [ebp+var_A0]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		mov	eax, [ebp+var_A4]
		mov	esi, 100h

loc_639E36:				; CODE XREF: MiGetSmallZeroPtes(x,x)+7Ej
		push	[ebp+var_B4]
		sub	esi, eax
		push	ebx
		push	0
		push	esi
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		mov	[edi], eax
		nop
		mov	[edi+4], edx
		lea	eax, [edi+esi*8]
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiGetSmallZeroPtes@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetZeroPageThreadPriority(x, x, x)
_MiSetZeroPageThreadPriority@12	proc near ; CODE XREF: MiZeroPage(x,x)+105p
					; MiZeroPage(x,x)+41Dp	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ebx, edx
		lea	edx, [ebp+var_C]
		lea	ecx, [esi+0A80h]
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	byte ptr [esi+0DB4h], 0
		jnz	short loc_639E9A
		push	[ebp+arg_0]
		push	ebx
		call	KeSetActualBasePriorityThread
		mov	esi, eax
		jmp	short loc_639E9D
; 

loc_639E9A:				; CODE XREF: MiSetZeroPageThreadPriority(x,x,x)+2Cj
		push	20h
		pop	esi

loc_639E9D:				; CODE XREF: MiSetZeroPageThreadPriority(x,x,x)+39j
		test	ds:byte_70EFC6,	1
		jz	short loc_639EB3
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_639EE2
; 

loc_639EB3:				; CODE XREF: MiSetZeroPageThreadPriority(x,x,x)+45j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_639ED2
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_639EE2
		call	KxWaitForLockChainValid

loc_639ED2:				; CODE XREF: MiSetZeroPageThreadPriority(x,x,x)+59j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_639EE2:				; CODE XREF: MiSetZeroPageThreadPriority(x,x,x)+52j
					; MiSetZeroPageThreadPriority(x,x,x)+6Cj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiSetZeroPageThreadPriority@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWaitForFreePagesToZero(x,	x, x)
_MiWaitForFreePagesToZero@12 proc near	; CODE XREF: MiZeroPageThread+7F24Ap

var_50		= dword	ptr -50h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_20]
		mov	[ebp+var_8], edx
		stosd
		mov	ebx, ecx
		stosd
		stosd
		lea	eax, [ebx+3Ch]
		mov	[ebp+var_14], eax
		lea	eax, [ebx+0DA4h]
		mov	[ebp+var_10], eax
		mov	eax, [ebx+10h]
		mov	[ebp+var_C], eax

loc_639F24:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+1A5j
		mov	ecx, [edx]
		xor	eax, eax
		inc	eax
		test	ecx, ecx
		jz	short loc_639F3C
		mov	edx, eax
		call	MiDereferencePageRunsEx
		mov	edi, [ebp+var_8]
		and	dword ptr [edi], 0
		jmp	short loc_639F3F
; 

loc_639F3C:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+37j
		mov	edi, [ebp+var_8]

loc_639F3F:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+46j
		lea	eax, [ebp+var_50]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	8
		inc	eax
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	2
		call	KeWaitForMultipleObjects
		test	eax, eax
		jnz	loc_639FE1
		or	eax, 0FFFFFFFFh

loc_639F62:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+1B7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_639F69:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+F5j
		mov	eax, [ebx+0DD0h]
		test	eax, eax
		jnz	loc_63A04A
		cmp	ds:dword_6D35AC, ecx
		jnz	loc_63A04A
		inc	eax
		cmp	ds:_KeNumberNodes, ax
		jbe	loc_63A09E
		mov	esi, [ebp+arg_0]

loc_639F94:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+EBj
		mov	edx, [ebp+var_C]
		imul	ecx, esi, 280h
		cmp	dword ptr [ecx+edx+1D4h], 0
		jnz	loc_63A09E
		add	ecx, 4
		xor	eax, eax
		add	ecx, edx

loc_639FB2:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+CDj
		cmp	dword ptr [ecx], 0
		jnz	short loc_639FC3
		inc	eax
		add	ecx, 98h
		cmp	eax, 2
		jb	short loc_639FB2

loc_639FC3:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+C1j
		cmp	eax, 2
		jnz	loc_63A09E
		movzx	ecx, ds:_KeNumberNodes
		lea	eax, [esi+1]
		xor	edx, edx
		div	ecx
		mov	esi, edx
		cmp	esi, [ebp+arg_0]
		jnz	short loc_639F94

loc_639FE1:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+65j
		xor	ecx, ecx
		cmp	[ebx+5C0h], ecx
		jnz	loc_639F69
		lea	ecx, [ebx+0A80h]
		lea	edx, [ebp+var_20]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	dword ptr [ebx+5C0h], 0
		jnz	short loc_63A034
		movzx	eax, ds:_KeNumberNodes
		test	eax, eax
		jz	short loc_63A028
		mov	ecx, [ebp+var_C]
		add	ecx, 272h

loc_63A01A:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+132j
		mov	byte ptr [ecx],	0
		lea	ecx, [ecx+280h]
		sub	eax, 1
		jnz	short loc_63A01A

loc_63A028:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+11Bj
		lea	eax, [ebx+0DA4h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_63A034:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+110j
		test	ds:byte_70EFC6,	1
		jz	short loc_63A05E
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_20]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63A08D
; 

loc_63A04A:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+7Dj
					; MiWaitForFreePagesToZero(x,x,x)+89j
		push	offset _MiFiveSeconds
		push	ecx
		push	ecx
		push	8
		lea	eax, [ebx+3Ch]
		push	eax
		call	KeWaitForSingleObject
		jmp	short loc_63A096
; 

loc_63A05E:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+147j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_63A07D
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_20]
		cmp	eax, ecx
		jz	short loc_63A08D
		call	KxWaitForLockChainValid

loc_63A07D:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+16Fj
		xor	ecx, ecx
		mov	[ebp+var_20], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_63A08D:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+154j
					; MiWaitForFreePagesToZero(x,x,x)+182j
		mov	cl, [ebp+var_18]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_63A096:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+168j
		mov	edx, [ebp+var_8]
		jmp	loc_639F24
; 

loc_63A09E:				; CODE XREF: MiWaitForFreePagesToZero(x,x,x)+97j
					; MiWaitForFreePagesToZero(x,x,x)+B1j ...
		xor	edx, edx
		mov	ecx, ebx
		call	MiReferencePageRuns
		mov	[edi], eax
		mov	eax, esi
		jmp	loc_639F62
_MiWaitForFreePagesToZero@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetAggregateWorkingSetSize(x)
_MiGetAggregateWorkingSetSize@4	proc near ; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+4Dp
		mov	eax, [ecx+48h]
		retn
_MiGetAggregateWorkingSetSize@4	endp


;  S U B	R O U T	I N E 


; __stdcall MiLockWorkingSetExclusive(x)
_MiLockWorkingSetExclusive@4 proc near	; CODE XREF: MiDeleteEmptyPageTableCommit(x)+175p
		mov	al, [ecx+60h]
		and	al, 7
		push	esi
		mov	esi, offset unk_6D3C40
		cmp	al, 2
		jz	short loc_63A0C9
		lea	esi, [ecx+80h]

loc_63A0C9:				; CODE XREF: MiLockWorkingSetExclusive(x)+Dj
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		pop	esi
		retn
_MiLockWorkingSetExclusive@4 endp

; [00000005 BYTES: COLLAPSED FUNCTION MiUnlockPageTable(x,x). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 


; __stdcall MiUnlockWorkingSetExclusiveUnorderedAtDpc(x)
_MiUnlockWorkingSetExclusiveUnorderedAtDpc@4 proc near
					; CODE XREF: MmRemoveSystemCacheFromDump(x)+7Dp
		mov	edi, edi
		push	esi
		push	2
		pop	edx
		mov	esi, ecx
		call	MiCheckProcessShadow
		mov	al, [esi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_63A0FB
		lea	eax, [esi+80h]

loc_63A0FB:				; CODE XREF: MiUnlockWorkingSetExclusiveUnorderedAtDpc(x)+19j
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	esi
		retn
_MiUnlockWorkingSetExclusiveUnorderedAtDpc@4 endp

; [00000005 BYTES: COLLAPSED FUNCTION MiLockPage(x). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockPageAtDpc(x)
_MiLockPageAtDpc@4 proc	near		; CODE XREF: NtLockVirtualMemory(x,x,x,x)+678p
					; MiInitializeMdlBatchPages(x)+B9p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		lea	esi, [ecx+10h]
		jmp	short loc_63A126
; 

loc_63A118:				; CODE XREF: MiLockPageAtDpc(x)+1Cj
					; MiLockPageAtDpc(x)+23j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_63A118

loc_63A126:				; CODE XREF: MiLockPageAtDpc(x)+Ej
		lock bts dword ptr [esi], 1Fh
		jb	short loc_63A118
		pop	esi
		leave
		retn
_MiLockPageAtDpc@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiArePageContentsZero(x, x)
_MiArePageContentsZero@8 proc near	; CODE XREF: .text:004703D8p
					; MiInsertLargePageInNodeList(x)+ADp ...

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], ecx
		imul	esi, edi, 1Ch
		mov	cl, 2
		mov	ebx, edx
		add	esi, ds:_MmPfnDatabase
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, large fs:20h
		mov	dl, al
		mov	[ebp+var_1], dl
		cmp	dword ptr [ecx+3D34h], 0
		jz	loc_63A21E

loc_63A16C:				; CODE XREF: MiArePageContentsZero(x,x)+E8j
		movzx	eax, byte ptr [esi+16h]
		shr	eax, 6
		cmp	eax, 3
		jnz	short loc_63A17C
		xor	ebx, ebx
		jmp	short loc_63A189
; 

loc_63A17C:				; CODE XREF: MiArePageContentsZero(x,x)+46j
		cmp	eax, 1
		jz	short loc_63A189
		cmp	ebx, 10h
		jbe	short loc_63A189
		push	10h
		pop	ebx

loc_63A189:				; CODE XREF: MiArePageContentsZero(x,x)+4Aj
					; MiArePageContentsZero(x,x)+4Fj ...
		test	ebx, ebx
		jz	loc_63A21E
		test	byte ptr [esi+17h], 40h
		jnz	short loc_63A1D8
		mov	ecx, esi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	short loc_63A1D8
		push	20000000h
		xor	edx, edx
		mov	ecx, edi
		call	MiMapPageInHyperSpaceWorker
		mov	edi, eax
		mov	ecx, edi
		call	@KeCheckForZeroPage@4 ;	KeCheckForZeroPage(x)
		test	eax, eax
		jz	short loc_63A1C7
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	_MiPageNotZero@8 ; MiPageNotZero(x,x)

loc_63A1C7:				; CODE XREF: MiArePageContentsZero(x,x)+8Bj
		push	0
		mov	dl, 21h
		mov	ecx, edi
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	edi, [ebp+var_8]
		mov	dl, [ebp+var_1]

loc_63A1D8:				; CODE XREF: MiArePageContentsZero(x,x)+65j
					; MiArePageContentsZero(x,x)+70j
		add	esi, 1Ch
		inc	edi
		dec	ebx
		mov	[ebp+var_8], edi
		test	bl, 3Fh
		jnz	short loc_63A189
		cmp	dl, 2
		jnb	short loc_63A189
		call	KeShouldYieldProcessor
		mov	dl, [ebp+var_1]
		test	eax, eax
		jz	short loc_63A189
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	dl, al
		mov	[ebp+var_1], al
		mov	eax, large fs:20h
		cmp	dword ptr [eax+3D34h], 0
		jnz	loc_63A16C

loc_63A21E:				; CODE XREF: MiArePageContentsZero(x,x)+36j
					; MiArePageContentsZero(x,x)+5Bj
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiArePageContentsZero@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeListPageContentsChanged(x)
_MiFreeListPageContentsChanged@4 proc near ; CODE XREF:	MiZeroPage(x,x)+304p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		and	[ebp+var_4], 0
		imul	eax, ebx, 1Ch
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		mov	cl, ds:byte_6D068C
		mov	edx, [eax+4]
		mov	eax, ds:dword_6D06D0
		and	[ebp+var_C], 0
		and	eax, ebx
		shl	edx, cl
		or	edx, eax
		imul	eax, edx, 14h
		add	eax, 10h
		add	eax, ds:dword_6D5384
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_8], eax
		jz	short loc_63A286
		mov	edx, eax
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63A297
; 

loc_63A286:				; CODE XREF: MiFreeListPageContentsChanged(x)+4Dj
		lea	edx, [ebp+var_C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_63A297
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_63A297:				; CODE XREF: MiFreeListPageContentsChanged(x)+59j
					; MiFreeListPageContentsChanged(x)+62j
		xor	edx, edx
		inc	edx
		push	esi
		push	edi
		cmp	ds:dword_6D3034, edx
		jnz	short loc_63A314
		mov	eax, ds:dword_6D3068
		mov	ecx, ebx
		shr	ecx, 5
		and	ebx, 1Fh
		mov	esi, edx
		lea	edi, [eax+ecx*4]
		lea	eax, [ebx+1]
		cmp	eax, 20h
		ja	short loc_63A2C6
		mov	eax, edx
		mov	ecx, ebx
		shl	eax, cl
		jmp	short loc_63A311
; 

loc_63A2C6:				; CODE XREF: MiFreeListPageContentsChanged(x)+91j
		test	ebx, ebx
		jz	short loc_63A30A
		push	20h
		xor	eax, eax
		pop	edx
		sub	edx, ebx
		inc	eax
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, ebx
		dec	eax
		shl	eax, cl
		lock or	[edi], eax
		xor	ebx, ebx
		add	edi, 4
		inc	ebx
		mov	esi, ebx
		sub	esi, edx
		cmp	esi, 20h
		jb	short loc_63A303
		mov	eax, esi
		shr	eax, 5

loc_63A2F2:				; CODE XREF: MiFreeListPageContentsChanged(x)+D6j
		mov	dword ptr [edi], 0FFFFFFFFh
		sub	esi, 20h
		add	edi, 4
		sub	eax, 1
		jnz	short loc_63A2F2

loc_63A303:				; CODE XREF: MiFreeListPageContentsChanged(x)+C0j
		test	esi, esi
		jz	short loc_63A317
		xor	edx, edx
		inc	edx

loc_63A30A:				; CODE XREF: MiFreeListPageContentsChanged(x)+9Dj
		mov	eax, edx
		mov	ecx, esi
		shl	eax, cl
		dec	eax

loc_63A311:				; CODE XREF: MiFreeListPageContentsChanged(x)+99j
		lock or	[edi], eax

loc_63A314:				; CODE XREF: MiFreeListPageContentsChanged(x)+77j
		xor	ebx, ebx
		inc	ebx

loc_63A317:				; CODE XREF: MiFreeListPageContentsChanged(x)+DAj
		test	ds:byte_70EFC6,	1
		pop	edi
		pop	esi
		jz	short loc_63A32F
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63A35B
; 

loc_63A32F:				; CODE XREF: MiFreeListPageContentsChanged(x)+F5j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_63A34E
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_63A35B
		call	KxWaitForLockChainValid

loc_63A34E:				; CODE XREF: MiFreeListPageContentsChanged(x)+109j
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_63A35B:				; CODE XREF: MiFreeListPageContentsChanged(x)+102j
					; MiFreeListPageContentsChanged(x)+11Cj
		pop	ebx
		leave
		retn
_MiFreeListPageContentsChanged@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetPageSlist(x, x, x)
_MiGetPageSlist@12 proc	near		; CODE XREF: MiGetPage+144C51p
					; MiGetPage+144CEEp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, edx
		and	esi, 4000h
		mov	[ebp+var_4], eax
		neg	esi
		mov	[ebp+var_8], ecx
		push	edi
		sbb	esi, esi
		mov	ebx, offset _MiZeroThenZero
		and	esi, 0Fh
		inc	esi
		test	byte ptr [ebp+arg_0], 2
		jnz	short loc_63A391
		mov	ebx, offset _MiFreeThenFree

loc_63A391:				; CODE XREF: MiGetPageSlist(x,x,x)+2Cj
		mov	edi, eax
		mov	eax, ds:dword_6D06D0
		mov	[ebp+arg_0], eax

loc_63A39B:				; CODE XREF: MiGetPageSlist(x,x,x)+5Dj
		push	edi
		mov	edx, ebx
		call	MiSlistGetFreePage
		test	eax, eax
		jnz	short loc_63A3BF
		mov	eax, [ebp+arg_0]
		lea	ecx, [esi+edi]
		and	ecx, eax
		not	eax
		and	edi, eax
		or	edi, ecx
		mov	ecx, [ebp+var_8]
		cmp	edi, [ebp+var_4]
		jnz	short loc_63A39B
		xor	eax, eax

loc_63A3BF:				; CODE XREF: MiGetPageSlist(x,x,x)+47j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiGetPageSlist@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMoveBadPageCrossPartition(x, x, x)
_MiMoveBadPageCrossPartition@12	proc near ; CODE XREF: MiMoveLargeFreePage(x,x,x,x)+BDp
					; MiActOnPartitionNodePages(x,x,x)+380p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		sub	ecx, ds:_MmPfnDatabase
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		and	[ebp+var_8], 0
		mov	edi, edx
		cdq
		push	1Ch
		pop	ecx
		idiv	ecx
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		mov	esi, [edi+10h]
		mov	eax, [eax+4]
		and	[ebp+var_10], 0
		imul	eax, 280h
		add	esi, eax
		mov	[ebp+var_4], eax
		test	ds:byte_70EFC6,	21h
		lea	eax, [esi+204h]
		mov	[ebp+var_C], eax
		jz	short loc_63A41F
		mov	edx, eax
		lea	ecx, [ebp+var_10]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63A430
; 

loc_63A41F:				; CODE XREF: MiMoveBadPageCrossPartition(x,x,x)+4Bj
		lea	edx, [ebp+var_10]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_63A430
		lea	ecx, [ebp+var_10]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_63A430:				; CODE XREF: MiMoveBadPageCrossPartition(x,x,x)+57j
					; MiMoveBadPageCrossPartition(x,x,x)+60j
		dec	dword ptr [esi+214h]
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jz	short loc_63A44E
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63A47A
; 

loc_63A44E:				; CODE XREF: MiMoveBadPageCrossPartition(x,x,x)+79j
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_63A46D
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jz	short loc_63A47A
		call	KxWaitForLockChainValid

loc_63A46D:				; CODE XREF: MiMoveBadPageCrossPartition(x,x,x)+8Dj
		mov	[ebp+var_10], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_63A47A:				; CODE XREF: MiMoveBadPageCrossPartition(x,x,x)+86j
					; MiMoveBadPageCrossPartition(x,x,x)+A0j
		mov	ebx, [ebp+arg_0]
		and	[ebp+var_10], 0
		mov	esi, [ebx+10h]
		add	esi, [ebp+var_4]
		test	ds:byte_70EFC6,	21h
		lea	eax, [esi+204h]
		mov	[ebp+var_C], eax
		jz	short loc_63A4A5
		mov	edx, eax
		lea	ecx, [ebp+var_10]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63A4B6
; 

loc_63A4A5:				; CODE XREF: MiMoveBadPageCrossPartition(x,x,x)+D1j
		lea	edx, [ebp+var_10]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_63A4B6
		lea	ecx, [ebp+var_10]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_63A4B6:				; CODE XREF: MiMoveBadPageCrossPartition(x,x,x)+DDj
					; MiMoveBadPageCrossPartition(x,x,x)+E6j
		inc	dword ptr [esi+214h]
		test	ds:byte_70EFC6,	1
		jz	short loc_63A506
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_63A4D0:				; CODE XREF: MiMoveBadPageCrossPartition(x,x,x)+158j
		xor	esi, esi
		inc	esi

loc_63A4D3:				; CODE XREF: MiMoveBadPageCrossPartition(x,x,x)+16Fj
		push	esi
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	MiAcquireNonPagedResources
		mov	edx, esi
		mov	ecx, edi
		call	MiReturnCommit
		mov	edx, esi
		mov	ecx, edi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_63A4FF
		lea	ecx, [edi+1000h]
		lock xadd [ecx], eax

loc_63A4FF:				; CODE XREF: MiMoveBadPageCrossPartition(x,x,x)+12Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_63A506:				; CODE XREF: MiMoveBadPageCrossPartition(x,x,x)+FDj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_63A525
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jz	short loc_63A4D0
		call	KxWaitForLockChainValid

loc_63A525:				; CODE XREF: MiMoveBadPageCrossPartition(x,x,x)+145j
		xor	esi, esi
		mov	[ebp+var_10], 0
		add	eax, 4
		inc	esi
		lock xor [eax],	esi
		jmp	short loc_63A4D3
_MiMoveBadPageCrossPartition@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPageNotZero(x, x)
_MiPageNotZero@8 proc near		; CODE XREF: MiArePageContentsZero(x,x)+92p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		mov	edi, ecx
		lock inc ds:dword_6D30F8
		xor	esi, esi
		lea	edx, [edi+1000h]
		and	[ebp+var_8], esi
		mov	ebx, 1000h
		and	[ebp+var_C], esi
		mov	eax, ebx
		mov	[ebp+var_4], eax
		cmp	edi, edx
		jnb	short loc_63A5B3
		xor	ebx, ebx

loc_63A56C:				; CODE XREF: MiPageNotZero(x,x)+70j
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_63A599
		cmp	eax, 1000h
		jnz	short loc_63A57C
		mov	[ebp+var_4], ebx

loc_63A57C:				; CODE XREF: MiPageNotZero(x,x)+40j
		inc	esi
		cmp	esi, 1
		jnz	short loc_63A5AE
		mov	eax, ecx
		mov	[ebp+var_C], edx
		and	eax, 0FFFh
		mov	[ebp+var_8], eax
		lea	eax, [edx-1]
		test	eax, edx
		jnz	short loc_63A5AB
		mov	eax, [ebp+var_4]

loc_63A599:				; CODE XREF: MiPageNotZero(x,x)+39j
		add	ecx, 4
		lea	edx, [edi+1000h]
		add	ebx, 4
		cmp	ecx, edx
		jb	short loc_63A56C
		jmp	short loc_63A5AE
; 

loc_63A5AB:				; CODE XREF: MiPageNotZero(x,x)+5Dj
		push	2
		pop	esi

loc_63A5AE:				; CODE XREF: MiPageNotZero(x,x)+49j
					; MiPageNotZero(x,x)+72j
		mov	ebx, 1000h

loc_63A5B3:				; CODE XREF: MiPageNotZero(x,x)+31j
		cmp	esi, 1
		jnz	short loc_63A5BF
		lock inc ds:dword_6D30F4

loc_63A5BF:				; CODE XREF: MiPageNotZero(x,x)+7Fj
		lea	eax, [esi-1]
		neg	eax
		lea	ecx, [esi-1]
		sbb	eax, eax
		and	eax, ebx
		neg	ecx
		sbb	ecx, ecx
		xor	ebx, ebx
		and	ecx, [ebp+var_4]
		cmp	esi, 1
		setz	bl
		test	ds:_MmPageValidationAction, 1
		lea	ebx, ds:127h[ebx*4]
		jnz	loc_63A67A
		xor	esi, esi
		push	esi
		push	esi
		push	ds:dword_6D4EF4
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, ds:_MiFlags
		and	al, 30h
		cmp	al, 20h
		jnz	short loc_63A668
		xor	ecx, ecx
		mov	edx, offset unk_6D3074
		inc	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_63A668
		mov	eax, [ebp+var_10]
		mov	ecx, 1000h
		mul	ecx
		push	1
		add	eax, [ebp+var_8]
		mov	ds:dword_6D3080, eax
		mov	eax, [ebp+var_C]
		adc	edx, esi
		push	offset dword_6D3088
		mov	ds:dword_6D3084, edx
		mov	ds:dword_6D3078, eax
		mov	ds:dword_6D3070, ebx
		mov	ds:dword_6D3090, offset	_MiBadMemoryLogger@4 ; MiBadMemoryLogger(x)
		mov	ds:dword_6D3094, offset	dword_6D3070
		mov	ds:dword_6D3088, esi
		call	ExQueueWorkItem

loc_63A668:				; CODE XREF: MiPageNotZero(x,x)+CFj
					; MiPageNotZero(x,x)+E1j
		mov	edx, 1000h
		mov	ecx, edi
		call	ds:_KeZeroPages	; KiZeroPages(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_63A67A:				; CODE XREF: MiPageNotZero(x,x)+B1j
		push	eax
		push	ecx
		push	[ebp+var_10]
		push	edi
		push	ebx
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall MiPerformFinalZeroing(x, x,	x)
_MiPerformFinalZeroing@12:		; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+441p
					; MiGetPageChain(x,x,x,x,x,x,x)+68Bp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	ecx, ecx
		xor	esi, esi
		test	edi, edi
		jz	short loc_63A6B5

loc_63A69D:				; CODE XREF: MiPageNotZero(x,x)+17Cj
		imul	eax, [ebx+esi*4], 1Ch
		add	eax, ds:_MmPfnDatabase
		and	dword ptr [eax+0Ch], 0
		inc	esi
		mov	[eax+8], ecx
		mov	ecx, eax
		cmp	esi, edi
		jb	short loc_63A69D

loc_63A6B5:				; CODE XREF: MiPageNotZero(x,x)+164j
		push	ds:dword_40F9FC
		mov	edx, [ebp+arg_0]
		push	ds:_ZeroPte
		call	MiChangePageAttributeBatch
		xor	eax, eax
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_63A70E

loc_63A6D2:				; CODE XREF: MiPageNotZero(x,x)+1D5j
		mov	esi, [ebx+eax*4]
		xor	edx, edx
		push	[ebp+arg_0]
		inc	edx
		mov	ecx, esi
		call	MiZeroPhysicalPage
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		imul	ecx, esi, 1Ch
		xor	edx, edx
		add	ecx, ds:_MmPfnDatabase
		lock or	[eax], edx
		push	edx
		mov	edx, ds:_KiTbFlushTimeStamp
		call	_MiSetPfnTbFlushStamp@12 ; MiSetPfnTbFlushStamp(x,x,x)
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, edi
		jb	short loc_63A6D2

loc_63A70E:				; CODE XREF: MiPageNotZero(x,x)+199j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiPageNotZero@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiSetLeafPfnBuddy(x, x)
_MiSetLeafPfnBuddy@8 proc near		; CODE XREF: MiRelocateImage+14E06Ap
					; MiRelocateImage+14E082p
		shr	edx, 2
		xor	edx, [ecx]
		and	edx, 1FFFFFFEh
		xor	edx, [ecx]
		mov	[ecx], edx
		retn
_MiSetLeafPfnBuddy@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetPfnOriginalPte(x, x, x)
_MiSetPfnOriginalPte@12	proc near	; CODE XREF: MmFreeNonCachedMemory(x,x)+7Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+0Ch], eax
		pop	ebp
		retn	8
_MiSetPfnOriginalPte@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetPfnRemovalRequested(x,	x)
_MiSetPfnRemovalRequested@8 proc near	; CODE XREF: MiInsertPageInList(x,x)+61Dp
					; MiInitializeDynamicPfns(x,x,x,x,x,x)+327p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		lea	esi, [ecx+17h]
		mov	ebx, edx
		mov	al, [esi]
		xor	edx, edx
		mov	[ebp+var_1], al
		inc	edx
		movzx	eax, al
		shr	eax, 6
		and	eax, edx
		cmp	eax, ebx
		jz	loc_63A823
		sub	ecx, ds:_MmPfnDatabase
		push	edi
		mov	eax, ecx
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		mov	eax, [eax+4]
		and	[ebp+var_10], 0
		imul	edi, eax, 280h
		add	edi, ds:dword_6D4E50
		test	ds:byte_70EFC6,	21h
		lea	eax, [edi+204h]
		mov	[ebp+var_C], eax
		jz	short loc_63A7AC
		mov	edx, eax
		lea	ecx, [ebp+var_10]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63A7BD
; 

loc_63A7AC:				; CODE XREF: MiSetPfnRemovalRequested(x,x)+64j
		lea	edx, [ebp+var_10]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_63A7BD
		lea	ecx, [ebp+var_10]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_63A7BD:				; CODE XREF: MiSetPfnRemovalRequested(x,x)+70j
					; MiSetPfnRemovalRequested(x,x)+79j
		lea	eax, [edi+214h]
		mov	ecx, [eax]
		pop	edi
		test	ebx, ebx
		jz	short loc_63A7CD
		inc	ecx
		jmp	short loc_63A7CE
; 

loc_63A7CD:				; CODE XREF: MiSetPfnRemovalRequested(x,x)+8Ej
		dec	ecx

loc_63A7CE:				; CODE XREF: MiSetPfnRemovalRequested(x,x)+91j
		shl	bl, 6
		mov	[eax], ecx
		xor	bl, [ebp+var_1]
		and	bl, 40h
		xor	bl, [ebp+var_1]
		mov	[esi], bl
		test	ds:byte_70EFC6,	1
		jz	short loc_63A7F4
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63A823
; 

loc_63A7F4:				; CODE XREF: MiSetPfnRemovalRequested(x,x)+ABj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_63A813
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jz	short loc_63A823
		call	KxWaitForLockChainValid

loc_63A813:				; CODE XREF: MiSetPfnRemovalRequested(x,x)+BFj
		xor	ecx, ecx
		mov	[ebp+var_10], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_63A823:				; CODE XREF: MiSetPfnRemovalRequested(x,x)+25j
					; MiSetPfnRemovalRequested(x,x)+B8j ...
		pop	esi
		pop	ebx
		leave
		retn
_MiSetPfnRemovalRequested@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnlinkPageFromBadList(x, x)
_MiUnlinkPageFromBadList@8 proc	near	; CODE XREF: .text:0045EE00p
					; MiRemoveBadPages(x,x,x)+93p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	ebx, ecx
		mov	esi, edx
		push	1Ch
		pop	ecx
		stosd
		stosd
		mov	eax, ebx
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	ecx
		and	esi, 80h
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], esi
		jnz	short loc_63A88C
		and	[ebp+var_14], 0
		mov	eax, offset unk_6D5750
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_10], eax
		jz	short loc_63A87B
		mov	edx, eax
		lea	ecx, [ebp+var_14]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63A88C
; 

loc_63A87B:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+46j
		lea	edx, [ebp+var_14]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_63A88C
		lea	ecx, [ebp+var_14]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_63A88C:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+31j
					; MiUnlinkPageFromBadList(x,x)+52j ...
		mov	esi, [ebx+10h]
		mov	eax, offset loc_7FFFFF
		mov	edi, [ebx]
		and	esi, eax
		cmp	edi, eax
		jz	short loc_63A8B5
		imul	ecx, edi, 1Ch
		mov	edx, esi
		push	0
		add	ecx, ds:_MmPfnDatabase
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		mov	eax, offset loc_7FFFFF
		jmp	short loc_63A8BB
; 

loc_63A8B5:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+73j
		mov	ds:dword_6D574C, esi

loc_63A8BB:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+8Cj
		cmp	esi, eax
		jz	short loc_63A8CC
		imul	eax, esi, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[eax], edi
		jmp	short loc_63A8D2
; 

loc_63A8CC:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+96j
		mov	ds:dword_6D5748, edi

loc_63A8D2:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+A3j
		xor	edx, edx
		mov	esi, offset dword_6D5740
		inc	edx
		cmp	esi, offset dword_6CF480
		jz	loc_63A966
		cmp	ds:dword_6D3034, edx
		jnz	short loc_63A966
		mov	ecx, [ebp+var_4]
		mov	esi, edx
		mov	eax, ds:dword_6D3068
		shr	ecx, 5
		lea	edi, [eax+ecx*4]
		mov	ecx, [ebp+var_4]
		and	ecx, 1Fh
		mov	[ebp+var_4], ecx
		lea	eax, [ecx+1]
		cmp	eax, 20h
		ja	short loc_63A915
		mov	eax, edx
		shl	eax, cl
		jmp	short loc_63A95E
; 

loc_63A915:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+E6j
		test	ecx, ecx
		jz	short loc_63A957
		push	20h
		xor	esi, esi
		pop	edx
		sub	edx, ecx
		inc	esi
		mov	ecx, edx
		mov	eax, esi
		shl	eax, cl
		mov	ecx, [ebp+var_4]
		dec	eax
		shl	eax, cl
		lock or	[edi], eax
		sub	esi, edx
		add	edi, 4
		cmp	esi, 20h
		jb	short loc_63A950
		mov	eax, esi
		shr	eax, 5

loc_63A93F:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+127j
		mov	dword ptr [edi], 0FFFFFFFFh
		sub	esi, 20h
		add	edi, 4
		sub	eax, 1
		jnz	short loc_63A93F

loc_63A950:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+111j
		test	esi, esi
		jz	short loc_63A961
		xor	edx, edx
		inc	edx

loc_63A957:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+F0j
		mov	eax, edx
		mov	ecx, esi
		shl	eax, cl
		dec	eax

loc_63A95E:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+ECj
		lock or	[edi], eax

loc_63A961:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+12Bj
		mov	esi, offset dword_6D5740

loc_63A966:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+B9j
					; MiUnlinkPageFromBadList(x,x)+C5j
		dec	ds:dword_6D5740
		cmp	[ebp+var_8], 0
		jnz	short loc_63A9B7
		test	ds:byte_70EFC6,	1
		jz	short loc_63A988
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63A9B7
; 

loc_63A988:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+152j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_63A9A7
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_63A9B7
		call	KxWaitForLockChainValid

loc_63A9A7:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+166j
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_63A9B7:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+149j
					; MiUnlinkPageFromBadList(x,x)+15Fj ...
		and	dword ptr [ebx], 0
		and	dword ptr [ebx+10h], 0FF800000h
		cmp	esi, offset dword_6CF480
		jz	short loc_63A9CD
		and	dword ptr [ebx+4], 0

loc_63A9CD:				; CODE XREF: MiUnlinkPageFromBadList(x,x)+1A0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiUnlinkPageFromBadList@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiApplyCommitDelay(x, x, x)
_MiApplyCommitDelay@12 proc near	; CODE XREF: MiChargeCommit+14DB36p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		test	dl, 4
		jnz	loc_63AAB5
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	loc_63AAB5
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_63AAB5
		mov	eax, [ebp+arg_0]
		cmp	eax, [edi+0D84h]
		jz	loc_63AAB5
		xor	esi, esi
		cmp	[edi+488h], esi
		jz	loc_63AAB5
		lea	ebx, [edi+340h]
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	ecx, [edi+484h]
		mov	byte ptr [ebp+arg_0+3],	al
		lea	eax, [edi+48Ch]
		test	ecx, ecx
		jnz	short loc_63AA5A
		push	esi
		push	esi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_63AA5B
; 

loc_63AA5A:				; CODE XREF: MiApplyCommitDelay(x,x,x)+79j
		inc	ecx

loc_63AA5B:				; CODE XREF: MiApplyCommitDelay(x,x,x)+86j
		push	ebx
		mov	[edi+484h], ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		mov	eax, ds:_Mi10Milliseconds
		mov	[ebp+var_8], eax
		mov	eax, ds:dword_4057CC
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [edi+48Ch]
		push	eax
		call	KeWaitForSingleObject
		push	ebx
		call	ExAcquireSpinLockExclusive
		dec	dword ptr [edi+484h]
		mov	bl, al
		lea	eax, [edi+340h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	esi

loc_63AAB5:				; CODE XREF: MiApplyCommitDelay(x,x,x)+Fj
					; MiApplyCommitDelay(x,x,x)+2Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiApplyCommitDelay@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiCauseOverCommitPopup(x)
_MiCauseOverCommitPopup@4 proc near	; CODE XREF: MiChargeCommit+14DB51p
					; MiChargeCommit+14DB77p ...
		mov	edi, edi
		push	ecx
		mov	eax, [ecx+1114h]
		cmp	eax, [ecx+0D84h]
		jnz	short loc_63AAEC
		xor	eax, eax
		add	ecx, 0D88h
		inc	eax
		lock xadd [ecx], eax
		inc	eax
		cmp	eax, 1
		jle	short loc_63AAE5

loc_63AAE0:				; CODE XREF: MiCauseOverCommitPopup(x)+41j
		lock dec dword ptr [ecx]
		pop	ecx
		retn
; 

loc_63AAE5:				; CODE XREF: MiCauseOverCommitPopup(x)+22j
		mov	eax, 0C000012Dh
		jmp	short loc_63AB04
; 

loc_63AAEC:				; CODE XREF: MiCauseOverCommitPopup(x)+Fj
		xor	eax, eax
		add	ecx, 0D8Ch
		inc	eax
		lock xadd [ecx], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_63AAE0
		mov	eax, 0C00002C8h

loc_63AB04:				; CODE XREF: MiCauseOverCommitPopup(x)+2Ej
		push	0
		push	0
		push	eax
		call	_IoRaiseInformationalHardError@12 ; IoRaiseInformationalHardError(x,x,x)
		pop	ecx
		retn
_MiCauseOverCommitPopup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConsumeOverCommit(x, x, x)
_MiConsumeOverCommit@12	proc near	; CODE XREF: MiChargeCommit+14DAC4p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ebx, edx
		lea	edx, [ebp+var_C]
		lea	ecx, [esi+0D98h]
		stosd
		stosd
		xor	edi, edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esi+10BCh]
		lea	edx, [eax+ebx]
		cmp	edx, eax
		jbe	short loc_63AB57
		mov	ecx, [ebp+arg_0]
		add	ecx, edx
		cmp	ecx, edx
		jb	short loc_63AB57
		mov	eax, [esi+1114h]
		cmp	ecx, eax
		jbe	short loc_63AB64

loc_63AB57:				; CODE XREF: MiConsumeOverCommit(x,x,x)+32j
					; MiConsumeOverCommit(x,x,x)+3Bj
		add	[esi+0DA0h], ebx
		xor	ebx, ebx
		inc	ebx
		mov	edi, ebx
		jmp	short loc_63AB67
; 

loc_63AB64:				; CODE XREF: MiConsumeOverCommit(x,x,x)+45j
		xor	ebx, ebx
		inc	ebx

loc_63AB67:				; CODE XREF: MiConsumeOverCommit(x,x,x)+52j
		test	ds:byte_70EFC6,	1
		jz	short loc_63AB7D
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63ABA9
; 

loc_63AB7D:				; CODE XREF: MiConsumeOverCommit(x,x,x)+5Ej
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_63AB9C
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_63ABA9
		call	KxWaitForLockChainValid

loc_63AB9C:				; CODE XREF: MiConsumeOverCommit(x,x,x)+72j
		mov	[ebp+var_C], 0
		lea	ecx, [eax+4]
		lock xor [ecx],	ebx

loc_63ABA9:				; CODE XREF: MiConsumeOverCommit(x,x,x)+6Bj
					; MiConsumeOverCommit(x,x,x)+85j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiConsumeOverCommit@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPulseCommitSignal(x)
_MiPulseCommitSignal@4 proc near	; CODE XREF: MiChargeCommit+14DA3Fp
					; MiChargeCommit+14DBD8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		lea	ecx, [esi+0D98h]
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [esi+0ACh]
		xor	edi, edi
		cmp	[ecx+4], edi
		jnz	short loc_63ABF2
		push	edi
		push	edi
		push	ecx
		call	KePulseEvent

loc_63ABF2:				; CODE XREF: MiPulseCommitSignal(x)+2Dj
		mov	eax, [esi+0B0h]
		mov	eax, [eax+4]
		test	eax, eax
		jnz	short loc_63AC1A
		mov	eax, [esi+1114h]
		cmp	eax, [esi+0D84h]
		jnz	short loc_63AC1A
		push	edi
		push	edi
		push	dword ptr [esi+0B0h]
		call	KePulseEvent

loc_63AC1A:				; CODE XREF: MiPulseCommitSignal(x)+42j
					; MiPulseCommitSignal(x)+50j
		test	ds:byte_70EFC6,	1
		jz	short loc_63AC30
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63AC5B
; 

loc_63AC30:				; CODE XREF: MiPulseCommitSignal(x)+66j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_63AC4F
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_63AC5B
		call	KxWaitForLockChainValid

loc_63AC4F:				; CODE XREF: MiPulseCommitSignal(x)+7Aj
		xor	ecx, ecx
		mov	[ebp+var_C], edi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_63AC5B:				; CODE XREF: MiPulseCommitSignal(x)+73j
					; MiPulseCommitSignal(x)+8Dj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		leave
		retn
_MiPulseCommitSignal@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReduceCommitLimits(x, x, x)
_MiReduceCommitLimits@12 proc near	; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+D1p
					; MiAttemptPageFileReductionApc(x,x,x)+2F3p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ebx, edx
		lea	edx, [ebp+var_C]
		lea	ecx, [esi+0D98h]
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_63AC9A
		sub	[esi+0D84h], eax

loc_63AC9A:				; CODE XREF: MiReduceCommitLimits(x,x,x)+2Aj
		test	ebx, ebx
		jz	short loc_63ACA4
		sub	[esi+1114h], ebx

loc_63ACA4:				; CODE XREF: MiReduceCommitLimits(x,x,x)+34j
		mov	ecx, esi
		call	_MiComputeCommitThresholds@4 ; MiComputeCommitThresholds(x)
		test	ds:byte_70EFC6,	1
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_63ACC4
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63ACF3
; 

loc_63ACC4:				; CODE XREF: MiReduceCommitLimits(x,x,x)+4Dj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_63ACE3
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_63ACF3
		call	KxWaitForLockChainValid

loc_63ACE3:				; CODE XREF: MiReduceCommitLimits(x,x,x)+61j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_63ACF3:				; CODE XREF: MiReduceCommitLimits(x,x,x)+5Aj
					; MiReduceCommitLimits(x,x,x)+74j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn	4
_MiReduceCommitLimits@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiRestockOverCommit(x, x)
_MiRestockOverCommit@8 proc near	; CODE XREF: .text:004594B7p
					; .text:00479930p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+0DA0h]
		test	eax, eax
		jz	short loc_63AD21
		mov	ecx, eax
		cmp	edx, eax
		ja	short loc_63AD17
		mov	ecx, edx

loc_63AD17:				; CODE XREF: MiRestockOverCommit(x,x)+13j
		sub	eax, ecx
		sub	edx, ecx
		mov	[esi+0DA0h], eax

loc_63AD21:				; CODE XREF: MiRestockOverCommit(x,x)+Dj
		mov	eax, edx
		pop	esi
		retn
_MiRestockOverCommit@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiReturnProcessCommitment(x, x)
_MiReturnProcessCommitment@8 proc near	; CODE XREF: MiChargeFullProcessCommitment+15FFDCp
					; MmCleanProcessAddressSpace+F89DEp ...
		neg	edx
		lea	eax, [ecx+224h]
		lock xadd [eax], edx
		retn
_MiReturnProcessCommitment@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiOutSwapPageDirectoryPtes(x, x)
_MiOutSwapPageDirectoryPtes@8 proc near	; CODE XREF: MmOutSwapProcess+16272Fp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	ebx, edx
		mov	edx, ecx
		mov	esi, ebx
		shr	esi, 3
		push	edi
		mov	edi, [edx+194h]
		and	esi, 1FFh
		mov	eax, [ebx]
		nop
		mov	ecx, [ebx+4]
		mov	[edi+esi*8], eax
		nop
		xor	eax, eax
		mov	[edi+esi*8+4], ecx
		cmp	[edx+304h], eax
		jz	short loc_63AD72
		mov	[edi+esi*8+20h], eax
		mov	[edi+esi*8+24h], eax

loc_63AD72:				; CODE XREF: MiOutSwapPageDirectoryPtes(x,x)+36j
		add	edi, 20h
		lea	esi, [edi+esi*8]
		mov	edi, edx

loc_63AD7A:				; CODE XREF: MiOutSwapPageDirectoryPtes(x,x)+8Fj
		sub	ebx, 8
		lea	esi, [esi-8]
		mov	ecx, [ebx]
		nop
		mov	eax, [ebx+4]
		nop
		shrd	ecx, eax, 0Ch
		push	4
		and	ecx, 1FFFFFFh
		pop	edx
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], edx
		mov	[ebx], eax
		nop
		mov	[ebx+4], edx
		mov	[esi-20h], eax
		nop
		xor	eax, eax
		mov	[esi-1Ch], edx
		cmp	[edi+304h], eax
		jz	short loc_63ADBB
		mov	[esi], eax
		mov	[esi+4], eax

loc_63ADBB:				; CODE XREF: MiOutSwapPageDirectoryPtes(x,x)+82j
		test	ebx, 0FFFh
		jnz	short loc_63AD7A
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiOutSwapPageDirectoryPtes@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiNoPagesLastChance(x, x)
_MiNoPagesLastChance@8 proc near	; CODE XREF: MiWaitForFreePage(x,x)+F6p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_28], edx
		lea	edi, [ebp+var_48]
		mov	esi, ecx
		stosd
		xor	ecx, ecx
		mov	[ebp+var_10], esi
		mov	[ebp+var_14], ecx
		mov	ebx, [esi+17Ch]
		stosd
		stosd
		mov	eax, [esi+1118h]
		mov	[ebp+var_1C], eax
		test	ebx, ebx
		jns	short loc_63ADFE
		mov	[ebp+var_14], ebx

loc_63ADFE:				; CODE XREF: MiNoPagesLastChance(x,x)+31j
		mov	eax, [esi+178h]
		shr	ebx, 1Fh
		mov	[ebp+var_8], ebx
		test	eax, eax
		jns	short loc_63AE17
		or	ebx, 2
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], ebx

loc_63AE17:				; CODE XREF: MiNoPagesLastChance(x,x)+44j
		mov	edi, [esi+0F4Ch]
		mov	dword ptr [ebp+var_18],	ecx
		push	4
		pop	eax
		mov	[ebp+var_24], eax
		test	edi, edi
		jz	short loc_63AE60
		lea	edx, [esi+0F54h]
		mov	esi, ecx

loc_63AE32:				; CODE XREF: MiNoPagesLastChance(x,x)+85j
		mov	ecx, [edx]
		movzx	eax, word ptr [ecx+74h]
		test	al, 50h
		jnz	short loc_63AE47
		mov	eax, [ecx+4]
		sub	eax, [ecx]
		add	dword ptr [ebp+var_18],	eax
		add	esi, [ecx+0Ch]

loc_63AE47:				; CODE XREF: MiNoPagesLastChance(x,x)+72j
		add	edx, 4
		sub	edi, 1
		jnz	short loc_63AE32
		mov	ebx, [ebp+var_8]
		cmp	esi, 400h
		mov	esi, [ebp+var_10]
		jnb	short loc_63AE65
		push	4
		pop	eax

loc_63AE60:				; CODE XREF: MiNoPagesLastChance(x,x)+60j
		or	ebx, eax
		mov	[ebp+var_8], ebx

loc_63AE65:				; CODE XREF: MiNoPagesLastChance(x,x)+93j
		cmp	dword ptr [ebp+var_18],	400h
		jnb	short loc_63AE74
		or	ebx, 8
		mov	[ebp+var_8], ebx

loc_63AE74:				; CODE XREF: MiNoPagesLastChance(x,x)+A4j
		cmp	ds:dword_6D302C, 0
		jz	short loc_63AE86
		mov	dword ptr [ebp+var_18],	0F3h
		jmp	short loc_63AEB9
; 

loc_63AE86:				; CODE XREF: MiNoPagesLastChance(x,x)+B3j
		mov	eax, [esi+10C0h]
		mov	ecx, [esi+1100h]
		shr	eax, 2
		cmp	ecx, eax
		jb	short loc_63AEA5
		mov	dword ptr [ebp+var_18],	0FDh
		mov	[ebp+var_1C], ecx
		jmp	short loc_63AEB9
; 

loc_63AEA5:				; CODE XREF: MiNoPagesLastChance(x,x)+CFj
		cmp	[esi+1118h], eax
		sbb	ecx, ecx
		and	ecx, 9Eh
		add	ecx, 4Dh
		mov	dword ptr [ebp+var_18],	ecx

loc_63AEB9:				; CODE XREF: MiNoPagesLastChance(x,x)+BCj
					; MiNoPagesLastChance(x,x)+DBj
		mov	eax, [esi+64h]
		mov	ecx, [eax+34h]
		cmp	dword ptr [ecx+158h], 0
		jz	short loc_63AF0D
		mov	ecx, [ecx+158h]
		call	_PsGetJobLastThrottledIoTime@4 ; PsGetJobLastThrottledIoTime(x)
		mov	esi, eax
		mov	edi, edx
		xor	eax, eax
		lea	ecx, [eax+1]
		call	KiQueryUnbiasedInterruptTime
		mov	ecx, ds:dword_4282A4
		sub	eax, esi
		mov	esi, ds:_MiNoPagesTimeout
		sbb	edx, edi
		neg	esi
		adc	ecx, 0
		neg	ecx
		cmp	edx, ecx
		jb	loc_63B1C4
		ja	short loc_63AF0A
		cmp	eax, esi
		jb	loc_63B1C4

loc_63AF0A:				; CODE XREF: MiNoPagesLastChance(x,x)+138j
		mov	esi, [ebp+var_10]

loc_63AF0D:				; CODE XREF: MiNoPagesLastChance(x,x)+FEj
		cmp	ds:_KdPitchDebugger, 0
		jnz	short loc_63AF52
		cmp	ds:_KdDebuggerNotPresent, 0
		jnz	short loc_63AF52
		push	[ebp+var_14]
		push	ebx
		push	[ebp+var_1C]
		push	dword ptr [esi+10C0h]
		push	dword ptr [ebp+var_18] ; char
		push	offset ??_C@_0FL@NHFNIKD@Without?5a?5debugger?5attached?0?5th@FNODOBFM@	; char *
		push	0		; int
		push	66h		; int
		call	_DbgPrintEx
		add	esp, 20h
		test	byte ptr ds:_MiFlags, 8
		jz	short loc_63AF4A
		int	3		; Trap to Debugger

loc_63AF4A:				; CODE XREF: MiNoPagesLastChance(x,x)+17Fj
		xor	eax, eax
		inc	eax
		mov	[ebp+var_2C], eax
		jmp	short loc_63AF56
; 

loc_63AF52:				; CODE XREF: MiNoPagesLastChance(x,x)+14Cj
					; MiNoPagesLastChance(x,x)+155j
		and	[ebp+var_2C], 0

loc_63AF56:				; CODE XREF: MiNoPagesLastChance(x,x)+188j
		mov	edx, [ebp+var_28]
		mov	ecx, esi
		call	MiSufficientAvailablePages
		test	eax, eax
		jnz	loc_63B1C4
		lea	edx, [esi+0A58h]
		lea	ecx, [eax+1]
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	loc_63B1C4
		mov	[ebp+var_28], eax
		xor	ebx, ebx
		lea	eax, [esi+890h]
		mov	[ebp+var_20], eax
		mov	esi, eax
		jmp	loc_63B0E8
; 

loc_63AF92:				; CODE XREF: MiNoPagesLastChance(x,x)+361j
		mov	edi, ds:dword_6D0704
		imul	ecx, edx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_20], ecx
		mov	eax, [ecx+8]
		mov	edx, [ecx]
		mov	ecx, [ecx+0Ch]
		mov	[ebp+var_C], eax
		mov	eax, ds:dword_6D0700
		mov	[ebp+var_34], eax
		or	eax, edi
		mov	[ebp+var_3C], edx
		jz	short loc_63AFD5
		mov	eax, [ebp+var_C]
		and	eax, 10h
		or	eax, 0
		jnz	short loc_63AFD5
		mov	eax, [ebp+var_34]
		not	edi
		not	eax
		and	[ebp+var_C], eax
		and	ecx, edi

loc_63AFD5:				; CODE XREF: MiNoPagesLastChance(x,x)+1F4j
					; MiNoPagesLastChance(x,x)+1FFj
		mov	ecx, [ecx]
		mov	[ebp+var_C], ecx
		mov	eax, [ecx+1Ch]
		test	al, 28h
		jnz	loc_63B123
		test	ebx, ebx
		jz	short loc_63AFF1
		cmp	ebx, ecx
		jnz	loc_63B123

loc_63AFF1:				; CODE XREF: MiNoPagesLastChance(x,x)+21Fj
		mov	eax, [ebp+var_20]
		add	eax, 10h
		mov	[ebp+var_34], eax
		lock bts dword ptr [eax], 1Fh
		jb	loc_63B123
		lea	edi, [ecx+24h]
		push	edi
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	eax, [ebp+var_C]
		test	byte ptr [eax+1Ch], 8
		jz	short loc_63B030
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	eax, [ebp+var_34]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	edx, [ebp+var_3C]
		jmp	loc_63B123
; 

loc_63B030:				; CODE XREF: MiNoPagesLastChance(x,x)+24Dj
		test	ebx, ebx
		jnz	short loc_63B04E
		mov	ecx, [eax+20h]
		and	ecx, 0FFFFFFF8h
		mov	[ebp+var_28], ecx
		jz	short loc_63B04C
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_C]

loc_63B04C:				; CODE XREF: MiNoPagesLastChance(x,x)+275j
		mov	ebx, eax

loc_63B04E:				; CODE XREF: MiNoPagesLastChance(x,x)+26Aj
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	edi, [ebp+var_20]
		xor	eax, eax
		mov	ecx, edi
		lea	edx, [eax+1]
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_63B079
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_48]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63B0A8
; 

loc_63B079:				; CODE XREF: MiNoPagesLastChance(x,x)+2A2j
		mov	eax, [ebp+var_48]
		test	eax, eax
		jnz	short loc_63B098
		mov	edx, [ebp+var_44]
		lea	eax, [ebp+var_48]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_48]
		cmp	eax, ecx
		jz	short loc_63B0A8
		call	KxWaitForLockChainValid

loc_63B098:				; CODE XREF: MiNoPagesLastChance(x,x)+2B6j
		xor	ecx, ecx
		mov	[ebp+var_48], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_63B0A8:				; CODE XREF: MiNoPagesLastChance(x,x)+2AFj
					; MiNoPagesLastChance(x,x)+2C9j
		mov	al, [edi+16h]
		and	dword ptr [edi+10h], 0C0000000h
		and	al, 0EFh
		mov	[edi+16h], al
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, edi
		mov	edx, eax
		call	MiPfnReferenceCountIsZero
		lea	eax, [edi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	ds:dword_6CF4F0

loc_63B0E8:				; CODE XREF: MiNoPagesLastChance(x,x)+1C5j
					; MiNoPagesLastChance(x,x)+3BCj
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	[ebp+var_48], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_44], esi
		mov	[ebp+var_1], al
		jz	short loc_63B10F
		mov	edx, esi
		lea	ecx, [ebp+var_48]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63B120
; 

loc_63B10F:				; CODE XREF: MiNoPagesLastChance(x,x)+339j
		lea	edx, [ebp+var_48]
		xchg	edx, [esi]
		test	edx, edx
		jz	short loc_63B120
		lea	ecx, [ebp+var_48]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_63B120:				; CODE XREF: MiNoPagesLastChance(x,x)+345j
					; MiNoPagesLastChance(x,x)+34Ej
		mov	edx, [esi-8]

loc_63B123:				; CODE XREF: MiNoPagesLastChance(x,x)+217j
					; MiNoPagesLastChance(x,x)+223j ...
		cmp	edx, offset loc_7FFFFF
		jnz	loc_63AF92
		test	ds:byte_70EFC6,	1
		jz	short loc_63B145
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_48]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63B174
; 

loc_63B145:				; CODE XREF: MiNoPagesLastChance(x,x)+36Ej
		mov	eax, [ebp+var_48]
		test	eax, eax
		jnz	short loc_63B164
		mov	edx, [ebp+var_44]
		lea	eax, [ebp+var_48]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_48]
		cmp	eax, ecx
		jz	short loc_63B174
		call	KxWaitForLockChainValid

loc_63B164:				; CODE XREF: MiNoPagesLastChance(x,x)+382j
		xor	ecx, ecx
		mov	[ebp+var_48], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_63B174:				; CODE XREF: MiNoPagesLastChance(x,x)+37Bj
					; MiNoPagesLastChance(x,x)+395j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		add	esi, 14h
		sub	[ebp+var_24], 1
		jnz	loc_63B0E8
		mov	esi, [ebp+var_10]
		test	ebx, ebx
		mov	ebx, [ebp+var_8]
		lea	edi, [esi+0A40h]
		jz	short loc_63B1C9
		mov	eax, [ebp+var_28]
		and	dword ptr [edi], 0
		mov	[edi+10h], eax
		xor	eax, eax
		inc	eax
		mov	dword ptr [edi+14h], 0C0000102h
		push	eax
		push	edi
		mov	dword ptr [edi+8], offset _MiLdwPopupWorker@4 ;	MiLdwPopupWorker(x)
		mov	[edi+0Ch], edi
		call	ExQueueWorkItem
		inc	ds:dword_6CF4EC

loc_63B1C4:				; CODE XREF: MiNoPagesLastChance(x,x)+132j
					; MiNoPagesLastChance(x,x)+13Cj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_63B1C9:				; CODE XREF: MiNoPagesLastChance(x,x)+3D0j
		xor	ecx, ecx
		lea	eax, [edi+18h]
		lock and [eax],	ecx
		cmp	[ebp+var_2C], ecx
		jnz	short loc_63B1C4
		push	[ebp+var_14]
		push	ebx
		push	[ebp+var_1C]
		push	dword ptr [esi+10C0h]
		push	dword ptr [ebp+var_18]
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall MiReuseStandbyPage(x)
_MiReuseStandbyPage@4:			; CODE XREF: MiTradePage(x,x)+65Fp
		mov	edi, edi
		push	esi
		push	edi
		xor	edx, edx
		mov	esi, ecx
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		xor	edx, edx
		mov	ecx, esi
		mov	edi, eax
		call	_MiRestoreTransitionPte@8 ; MiRestoreTransitionPte(x,x)
		mov	cl, [esi+16h]
		and	dword ptr [esi+18h], 7FFFFFFFh
		and	cl, 0FDh
		mov	eax, ds:_ZeroPte
		or	cl, 5
		mov	[esi+16h], cl
		lea	ecx, [esi+8]
		and	byte ptr [esi+16h], 0C7h
		and	byte ptr [esi+17h], 0DFh
		mov	[ecx], eax
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		mov	eax, edi
		pop	edi
		pop	esi
		retn
_MiNoPagesLastChance@8 endp ; sp = -18h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFindRebuildCandidate(x, x, x, x, x, x)
_MiFindRebuildCandidate@24 proc	near	; CODE XREF: MiRebuildLargePage(x,x,x,x)+8Dp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_13		= word ptr -13h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		xor	eax, eax
		and	[ebp+var_24], eax
		mov	[ebp+var_C], ecx
		xor	ecx, ecx
		mov	[ebp+var_2C], ecx
		mov	ebx, [esi]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_13], ax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_11], cl
		lea	ecx, [esi+8]
		mov	[ebp+var_20], eax
		lea	ecx, [ecx+ebx*8]
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], 0
		mov	[ebp+arg_C], 800000h
		push	edi
		cmp	eax, 200h
		jnz	short loc_63B298
		mov	[ebp+arg_C], 2800000h
		jmp	short loc_63B2A4
; 

loc_63B298:				; CODE XREF: MiFindRebuildCandidate(x,x,x,x,x,x)+52j
		cmp	eax, 10h
		jnz	short loc_63B2A4
		mov	[ebp+arg_C], 1800000h

loc_63B2A4:				; CODE XREF: MiFindRebuildCandidate(x,x,x,x,x,x)+5Bj
					; MiFindRebuildCandidate(x,x,x,x,x,x)+60j
		test	ebx, ebx
		jz	loc_63B344
		lea	eax, [esi+0Ch]
		mov	esi, [ebp+arg_0]
		lea	eax, [eax+ebx*8]

loc_63B2B5:				; CODE XREF: MiFindRebuildCandidate(x,x,x,x,x,x)+103j
		dec	ebx
		sub	eax, 8
		mov	[ebp+arg_8], eax
		cmp	[ecx+ebx*8], esi
		jnz	short loc_63B33C
		cmp	[ecx+ebx*8+4], edx
		jnz	short loc_63B33C
		mov	ecx, [eax-4]
		mov	eax, [eax]
		add	eax, ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], eax

loc_63B2D4:				; CODE XREF: MiFindRebuildCandidate(x,x,x,x,x,x)+F0j
		lea	ecx, [ebp+var_2C]
		call	MiCollapseRunTopDown
		test	eax, eax
		jz	short loc_63B333
		mov	ecx, [ebp+var_18]
		mov	edi, [ebp+var_28]
		mov	eax, edi
		and	[ebp+arg_0], 0
		sub	eax, ecx
		imul	edx, eax, 1Ch
		mov	[ebp+arg_4], eax
		lea	eax, [ebp+arg_0]
		push	eax
		push	[ebp+arg_C]
		mov	[ebp+var_10], ecx
		add	edx, ds:_MmPfnDatabase
		push	ecx
		mov	ecx, [ebp+var_C]
		call	_MiPfnsWorthTrying@20 ;	MiPfnsWorthTrying(x,x,x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_63B347
		sub	eax, [ebp+var_2C]
		cmp	ecx, eax
		ja	short loc_63B32D
		mov	eax, [ebp+var_10]
		cmp	ecx, eax
		jbe	short loc_63B326
		mov	eax, ecx

loc_63B326:				; CODE XREF: MiFindRebuildCandidate(x,x,x,x,x,x)+E7j
		sub	edi, eax
		mov	[ebp+var_28], edi
		jmp	short loc_63B2D4
; 

loc_63B32D:				; CODE XREF: MiFindRebuildCandidate(x,x,x,x,x,x)+E0j
		sub	edi, ecx
		dec	edi
		mov	[ebp+var_20], edi

loc_63B333:				; CODE XREF: MiFindRebuildCandidate(x,x,x,x,x,x)+A3j
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+arg_8]

loc_63B33C:				; CODE XREF: MiFindRebuildCandidate(x,x,x,x,x,x)+84j
					; MiFindRebuildCandidate(x,x,x,x,x,x)+8Aj
		test	ebx, ebx
		jnz	loc_63B2B5

loc_63B344:				; CODE XREF: MiFindRebuildCandidate(x,x,x,x,x,x)+6Bj
		or	eax, 0FFFFFFFFh

loc_63B347:				; CODE XREF: MiFindRebuildCandidate(x,x,x,x,x,x)+D9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiFindRebuildCandidate@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeVaRangePhysicallyContiguous(x, x, x, x)
_MiMakeVaRangePhysicallyContiguous@16 proc near
					; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+1E1p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_18], 0
		mov	eax, ecx
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_4], eax
		lea	esi, [edx+1FFFFFh]
		shr	ebx, 9
		mov	ecx, offset loc_7FFFF8
		shr	esi, 9
		push	edi
		and	ebx, ecx
		mov	edi, 40000000h
		and	esi, ecx
		sub	ebx, edi
		sub	esi, edi
		mov	[ebp+var_14], ebx
		mov	ecx, eax
		mov	[ebp+var_10], esi
		xor	edi, edi
		call	MiLockWorkingSetShared
		cmp	ebx, esi
		mov	byte ptr [ebp+var_8], al
		mov	esi, [ebp+arg_4]
		ja	loc_63B560
		mov	eax, [ebp+var_10]

loc_63B3A2:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+1FBj
		test	edi, edi
		jz	short loc_63B3C1
		test	ebx, 0FFFh
		jnz	short loc_63B3BA
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	edi, edi

loc_63B3BA:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+5Ej
		test	edi, edi
		jnz	short loc_63B3F6
		mov	eax, [ebp+var_10]

loc_63B3C1:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+56j
		lea	ecx, [ebp+var_18]
		mov	edx, eax
		push	ecx
		push	1
		push	[ebp+var_8]
		mov	ecx, ebx
		push	0
		call	MiGetNextPageTable
		test	eax, eax
		jz	loc_63B54F
		mov	edi, eax
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		cmp	eax, ebx
		jnz	loc_63B54F

loc_63B3F6:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+6Ej
		mov	ecx, [ebx]
		nop
		mov	edx, [ebx+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_63B41F
		nop
		shrd	ecx, edx, 0Ch
		and	ecx, 1FFFFFFh
		imul	eax, ecx, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+arg_4], eax
		jmp	short loc_63B451
; 

loc_63B41F:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+B6j
		mov	eax, ecx
		and	eax, 400h
		or	eax, 0
		jnz	loc_63B54F
		and	ecx, 800h
		or	ecx, eax
		jz	loc_63B54F
		xor	edx, edx
		mov	ecx, ebx
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	loc_63B54F

loc_63B451:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+CFj
		mov	ecx, eax
		call	_MiCheckContiguityTradeEligible@4 ; MiCheckContiguityTradeEligible(x)
		test	eax, eax
		jz	loc_63B54F
		mov	eax, [esi+10h]
		mov	ecx, offset loc_7FFFFF
		and	eax, ecx
		mov	edx, esi
		cmp	eax, ecx
		jnz	short loc_63B474
		xor	esi, esi
		jmp	short loc_63B47D
; 

loc_63B474:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+120j
		imul	esi, eax, 1Ch
		add	esi, ds:_MmPfnDatabase

loc_63B47D:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+124j
		mov	ecx, [ebp+arg_4]
		lea	eax, [ecx+10h]
		mov	[ebp+var_C], eax
		mov	al, [ecx+16h]
		and	al, 7
		cmp	al, 6
		jnz	short loc_63B4C9
		push	ecx
		push	0
		mov	eax, ebx
		push	1
		shl	eax, 9
		push	eax
		call	_MiTradeActivePage@24 ;	MiTradeActivePage(x,x,x,x,x,x)
		and	[ebp+var_1C], 0
		mov	eax, [ebp+var_C]
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_63B4D2
		mov	ebx, eax

loc_63B4AF:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+16Dj
					; MiMakeVaRangePhysicallyContiguous(x,x,x,x)+174j
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [ebx]
		test	eax, eax
		js	short loc_63B4AF
		lock bts dword ptr [ebx], 1Fh
		jb	short loc_63B4AF
		mov	ebx, [ebp+var_14]
		jmp	short loc_63B4D2
; 

loc_63B4C9:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+13Fj
		push	0
		push	0
		call	_MiReplaceTransitionPage@16 ; MiReplaceTransitionPage(x,x,x,x)

loc_63B4D2:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+15Dj
					; MiMakeVaRangePhysicallyContiguous(x,x,x,x)+179j
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_ZeroPte
		add	ecx, 8
		mov	[ecx], eax
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		call	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		call	_MiReturnFreeZeroPage@8	; MiReturnFreeZeroPage(x,x)
		mov	eax, [ebp+var_C]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		test	bl, 78h
		jnz	short loc_63B512
		mov	ecx, [ebp+var_4]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_63B51E

loc_63B512:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+1B6j
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_63B53E
		mov	ecx, [ebp+var_4]

loc_63B51E:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+1C2j
		test	edi, edi
		jz	short loc_63B52B
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		xor	edi, edi

loc_63B52B:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+1D2j
		mov	dl, byte ptr [ebp+var_8]
		mov	ecx, [ebp+var_4]
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_4]
		call	MiLockWorkingSetShared

loc_63B53E:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+1CBj
		mov	eax, [ebp+var_10]
		add	ebx, 8
		mov	[ebp+var_14], ebx
		cmp	ebx, eax
		jbe	loc_63B3A2

loc_63B54F:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+89j
					; MiMakeVaRangePhysicallyContiguous(x,x,x,x)+A2j ...
		test	edi, edi
		jz	short loc_63B55D
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_63B55D:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+203j
		mov	al, byte ptr [ebp+var_8]

loc_63B560:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+4Bj
		mov	ecx, [ebp+var_4]
		mov	dl, al
		call	MiUnlockWorkingSetShared
		test	esi, esi
		jz	short loc_63B575
		mov	ecx, esi
		call	_MiFreePageChain@4 ; MiFreePageChain(x)

loc_63B575:				; CODE XREF: MiMakeVaRangePhysicallyContiguous(x,x,x,x)+21Ej
		neg	esi
		pop	edi
		sbb	esi, esi
		and	esi, 0C0000001h
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiMakeVaRangePhysicallyContiguous@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiProcessVaContiguityInformation(x,	x, x)
_MiProcessVaContiguityInformation@12 proc near
					; CODE XREF: NtSetInformationVirtualMemory+12FBB8p

var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+38h+var_20], edx
		lea	edi, [esp+38h+var_C]
		mov	[esp+38h+var_28], ecx
		stosd
		xor	ebx, ebx
		push	6
		push	400h
		mov	edx, 200h
		mov	[esp+40h+var_1C], ebx
		stosd
		mov	ecx, offset _MiSystemPartition
		mov	esi, ebx
		stosd
		mov	eax, large fs:124h
		mov	edi, ebx
		mov	[esp+40h+var_24], edi
		mov	eax, [eax+80h]
		add	eax, 240h
		mov	[esp+40h+var_18], eax
		call	MiAcquireNonPagedResources
		test	eax, eax
		jns	short loc_63B5EE
		mov	ebx, 0C000009Ah
		jmp	loc_63B7F9
; 

loc_63B5EE:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+5Aj
		mov	ecx, [esp+38h+var_28]
		mov	eax, [esp+38h+var_20]
		lea	eax, [ecx+eax*8]
		mov	[esp+38h+var_10], eax
		cmp	ecx, eax
		jnb	loc_63B7C3

loc_63B605:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+216j
		test	dword ptr [ecx+4], 1FFFFFh
		jnz	loc_63B7BE
		mov	edx, [ecx]
		mov	eax, edx
		and	eax, 0FFE00000h
		cmp	eax, edx
		jnz	loc_63B7BE
		test	edi, edi
		jz	short loc_63B655
		mov	eax, [edi+0Ch]
		shl	eax, 0Ch
		cmp	edx, eax
		jb	short loc_63B640
		mov	eax, [edi+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	edx, eax
		jbe	short loc_63B651

loc_63B640:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+A7j
		mov	ecx, edi
		call	MiUnlockAndDereferenceVadShared
		mov	ecx, [esp+38h+var_28]
		mov	edi, ebx
		mov	[esp+38h+var_24], edi

loc_63B651:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+B6j
		test	edi, edi
		jnz	short loc_63B6CC

loc_63B655:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+9Dj
		mov	ecx, [ecx]
		lea	eax, [esp+38h+var_1C]
		push	eax
		push	2
		pop	edx
		call	MiObtainReferencedVadEx
		mov	edi, eax
		mov	[esp+38h+var_24], edi
		test	edi, edi
		jz	loc_63B7B8
		mov	eax, [esp+38h+var_28]
		mov	ecx, [eax+4]
		mov	eax, [eax]
		dec	eax
		add	ecx, eax
		mov	eax, [edi+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	ecx, eax
		ja	loc_63B7B1
		mov	ecx, edi
		call	_MiVadSupportsPhysicalContiguityQuery@4	; MiVadSupportsPhysicalContiguityQuery(x)
		test	eax, eax
		jz	loc_63B7AA
		mov	ecx, edi
		call	_MiVadPagesTradable@4 ;	MiVadPagesTradable(x)
		test	eax, eax
		jz	loc_63B7AA
		call	_MiGetVadCacheAttribute@4 ; MiGetVadCacheAttribute(x)
		cmp	eax, 1
		jnz	loc_63B7AA
		mov	esi, [edi+1Ch]
		shr	esi, 0Ch
		and	esi, 3Fh
		jz	loc_63B7AA

loc_63B6CC:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+CBj
		mov	edi, [esp+38h+var_18]
		lea	edx, [esp+38h+var_C]
		push	esi
		mov	ecx, edi
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	ecx, [esp+38h+var_28]
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		add	edx, eax
		mov	[esp+38h+var_20], eax
		mov	[esp+38h+var_14], edx
		cmp	eax, edx
		jnb	loc_63B78D

loc_63B6F7:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+1FBj
		push	1
		push	ebx
		mov	edx, eax
		mov	ecx, edi
		call	_MiQueryVaPhysicalContiguity@16	; MiQueryVaPhysicalContiguity(x,x,x,x)
		test	eax, eax
		jnz	short loc_63B772
		mov	eax, [esp+38h+var_C]
		xor	edi, edi
		inc	edi
		lock xadd [eax], edi
		inc	edi
		dec	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[esp+38h+var_29], al
		xor	edx, edx
		mov	eax, [esp+38h+var_8]
		mov	ecx, offset _MiSystemPartition
		push	ebx
		and	eax, edi
		or	eax, [esp+3Ch+var_4]
		push	4
		push	eax
		push	1
		call	_MiGetLargePage@24 ; MiGetLargePage(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_63B74F
		push	ebx
		push	ebx
		push	1
		push	2
		xor	edx, edx
		mov	ecx, edi
		call	_MiConvertEntireLargePageToSmall@24 ; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)

loc_63B74F:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+1B6j
		mov	cl, [esp+38h+var_29]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_63B7A3
		mov	edx, [esp+38h+var_20]
		push	edi
		mov	edi, [esp+3Ch+var_18]
		push	ecx
		mov	ecx, edi
		call	_MiMakeVaRangePhysicallyContiguous@16 ;	MiMakeVaRangePhysicallyContiguous(x,x,x,x)
		mov	[esp+38h+var_1C], eax

loc_63B772:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+17Dj
		mov	eax, [esp+38h+var_20]
		add	eax, 200000h
		mov	[esp+38h+var_20], eax
		cmp	eax, [esp+38h+var_14]
		jb	loc_63B6F7
		mov	ecx, [esp+38h+var_28]

loc_63B78D:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+169j
		add	ecx, 8
		mov	[esp+38h+var_28], ecx
		cmp	ecx, [esp+38h+var_10]
		jnb	short loc_63B7C3
		mov	edi, [esp+38h+var_24]
		jmp	loc_63B605
; 

loc_63B7A3:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+1D3j
		mov	ebx, 0C0000017h
		jmp	short loc_63B7C3
; 

loc_63B7AA:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+112j
					; MiProcessVaContiguityInformation(x,x,x)+121j	...
		mov	ebx, 0C00000BBh
		jmp	short loc_63B7C3
; 

loc_63B7B1:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+103j
		mov	ebx, 0C0000018h
		jmp	short loc_63B7C3
; 

loc_63B7B8:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+E4j
		mov	ebx, [esp+38h+var_1C]
		jmp	short loc_63B7D0
; 

loc_63B7BE:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+84j
					; MiProcessVaContiguityInformation(x,x,x)+95j
		mov	ebx, 0C000000Dh

loc_63B7C3:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+77j
					; MiProcessVaContiguityInformation(x,x,x)+210j	...
		mov	ecx, [esp+38h+var_24]
		test	ecx, ecx
		jz	short loc_63B7D0
		call	MiUnlockAndDereferenceVadShared

loc_63B7D0:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+234j
					; MiProcessVaContiguityInformation(x,x,x)+241j
		mov	edi, 200h
		mov	esi, offset _MiSystemPartition
		mov	edx, edi
		mov	ecx, esi
		call	MiReturnCommit
		mov	edx, edi
		mov	ecx, esi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_63B7F9
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_63B7F9:				; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+61j
					; MiProcessVaContiguityInformation(x,x,x)+266j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiProcessVaContiguityInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRebuildLargePage(x, x, x,	x)
_MiRebuildLargePage@16 proc near	; CODE XREF: MiRebuildLargePages+8CCC8p
					; MmBuildLargePages(x,x,x,x)+5Ep ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+48h+var_34], ecx
		lea	edi, [esp+48h+var_10]
		xor	ecx, ecx
		stosd
		mov	ebx, edx
		xor	edx, edx
		mov	[esp+48h+var_3C], ecx
		mov	[esp+48h+var_38], ecx
		inc	edx
		mov	[esp+48h+var_20], ecx
		stosd
		mov	[esp+48h+var_28], ebx
		stosd
		stosd
		mov	eax, large fs:124h
		mov	edi, [esp+48h+var_34]
		mov	ecx, edi
		mov	[esp+48h+var_18], eax
		call	MiReferencePageRuns
		mov	esi, [ebp+arg_0]
		mov	edx, eax
		mov	ebx, ds:_MiLargePageSizes[ebx*4]
		mov	ecx, ds:dword_6D5D84
		imul	eax, esi, 280h
		mov	[esp+48h+var_2C], edx
		mov	[esp+48h+var_14], ebx
		add	eax, [edi+10h]
		mov	[esp+48h+var_24], eax

loc_63B873:				; CODE XREF: MiRebuildLargePage(x,x,x,x)+202j
		mov	[esp+48h+var_1C], ecx

loc_63B877:				; CODE XREF: MiRebuildLargePage(x,x,x,x)+21Bj
		mov	eax, [esp+48h+var_18]
		mov	eax, [eax+2FCh]
		test	al, 1
		jnz	loc_63BA25
		push	edx
		push	ecx
		push	ebx
		push	esi
		xor	edx, edx
		mov	ecx, edi
		call	_MiFindRebuildCandidate@24 ; MiFindRebuildCandidate(x,x,x,x,x,x)
		mov	edx, eax
		mov	[esp+48h+var_3C], edx
		cmp	edx, 0FFFFFFFFh
		jz	loc_63BA0B
		mov	eax, 40800000h
		cmp	ebx, 200h
		jnz	short loc_63B8B9
		mov	eax, 42800000h
		jmp	short loc_63B8C3
; 

loc_63B8B9:				; CODE XREF: MiRebuildLargePage(x,x,x,x)+ACj
		cmp	ebx, 10h
		jnz	short loc_63B8C3
		mov	eax, 41800000h

loc_63B8C3:				; CODE XREF: MiRebuildLargePage(x,x,x,x)+B3j
					; MiRebuildLargePage(x,x,x,x)+B8j
		lea	ecx, [esp+48h+var_3C]
		push	ecx
		push	0
		push	eax
		push	0
		push	esi
		push	1
		push	ebx
		lea	eax, [ebx-1]
		mov	ecx, edi
		push	ebx
		add	eax, edx
		push	eax
		call	_MiFindContiguousPages@44 ; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_63B99E
		cmp	ebx, 200h
		jb	short loc_63B8FF
		mov	edx, [esp+48h+var_3C]
		mov	ecx, edi
		push	1
		push	0
		push	ebx
		call	MiUpdateLargePageBitMap

loc_63B8FF:				; CODE XREF: MiRebuildLargePage(x,x,x,x)+E9j
		mov	edx, [esp+48h+var_28]
		mov	ecx, [esp+48h+var_3C]
		call	_MiConvertSmallPageRangeToLarge@8 ; MiConvertSmallPageRangeToLarge(x,x)
		imul	edi, [esp+48h+var_3C], 1Ch
		mov	cl, 2
		add	edi, ds:_MmPfnDatabase
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, edi
		mov	bl, al
		call	_MiLockPageAtDpc@4 ; MiLockPageAtDpc(x)
		xor	eax, eax
		lea	edi, [esp+48h+var_10]
		stosd
		lea	ecx, [esp+48h+var_10]
		stosd
		stosd
		stosd
		mov	eax, [esp+48h+var_3C]
		and	[esp+48h+var_8], 0
		mov	[esp+48h+var_10], eax
		mov	[esp+48h+var_C], 1
		mov	[esp+48h+var_4], 2
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)
		mov	cl, bl
		mov	edi, eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esp+48h+var_34]
		mov	edx, edi
		call	MiReturnCommit
		mov	edx, edi
		mov	edi, [esp+48h+var_34]
		mov	ecx, edi
		call	MiReturnResavailToPrcb
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_63B987
		lea	eax, [edi+1000h]
		lock xadd [eax], ecx

loc_63B987:				; CODE XREF: MiRebuildLargePage(x,x,x,x)+177j
		mov	eax, [esp+48h+var_38]
		mov	ebx, [esp+48h+var_14]
		add	eax, ebx
		mov	[esp+48h+var_38], eax
		cmp	eax, [ebp+arg_4]
		jnb	loc_63BA25

loc_63B99E:				; CODE XREF: MiRebuildLargePage(x,x,x,x)+DDj
		mov	ecx, [esp+48h+var_24]
		xor	edx, edx
		push	0
		call	_MiNodeFreeZeroPages@12	; MiNodeFreeZeroPages(x,x,x)
		mov	ecx, eax
		mov	[esp+48h+var_30], ecx
		cmp	ebx, 10h
		jbe	short loc_63B9CF
		mov	eax, [esp+48h+var_28]
		mov	ecx, [esp+48h+var_24]
		inc	eax
		push	eax
		call	_MiNodeLargeFreeZeroPagesRange@12 ; MiNodeLargeFreeZeroPagesRange(x,x,x)
		mov	ecx, [esp+48h+var_30]
		add	ecx, eax
		mov	[esp+48h+var_30], ecx

loc_63B9CF:				; CODE XREF: MiRebuildLargePage(x,x,x,x)+1B0j
		cmp	ecx, 1000h
		jnb	short loc_63B9F7
		push	6
		pop	edx
		mov	ecx, edi
		call	_MiGetAvailablePagesBelowPriority@8 ; MiGetAvailablePagesBelowPriority(x,x)
		mov	ecx, eax
		mov	eax, [ebp+arg_4]
		sub	eax, [esp+48h+var_38]
		add	ecx, [esp+48h+var_30]
		add	eax, 8000h
		cmp	ecx, eax
		jb	short loc_63BA25

loc_63B9F7:				; CODE XREF: MiRebuildLargePage(x,x,x,x)+1D1j
		mov	eax, [esp+48h+var_3C]
		test	eax, eax
		jz	short loc_63BA0B
		mov	edx, [esp+48h+var_2C]
		lea	ecx, [eax-1]
		jmp	loc_63B873
; 

loc_63BA0B:				; CODE XREF: MiRebuildLargePage(x,x,x,x)+9Bj
					; MiRebuildLargePage(x,x,x,x)+1F9j
		mov	eax, [esp+48h+var_20]
		mov	edx, [esp+48h+var_2C]
		inc	eax
		mov	ecx, [esp+48h+var_1C]
		mov	[esp+48h+var_20], eax
		cmp	eax, 1
		jnz	loc_63B877

loc_63BA25:				; CODE XREF: MiRebuildLargePage(x,x,x,x)+7Fj
					; MiRebuildLargePage(x,x,x,x)+194j ...
		mov	ecx, [esp+48h+var_2C]
		xor	edx, edx
		inc	edx
		call	MiDereferencePageRunsEx
		mov	eax, [esp+48h+var_38]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_MiRebuildLargePage@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocateSlabEntry(x, x, x)
_MiAllocateSlabEntry@12	proc near	; CODE XREF: MiReplenishSlabAllocator(x,x,x,x)+19p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	edi
		mov	[ebp+var_4], ebx
		call	_MiSlabAllocatorRecentFailure@4	; MiSlabAllocatorRecentFailure(x)
		test	eax, eax
		jnz	loc_63BB1E
		push	eax
		push	40h
		push	70h
		mov	edx, 6553694Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_63BAEE
		mov	edi, [ebp+arg_0]
		lea	eax, [esi+20h]
		mov	[esi+14h], ebx
		mov	edx, 200h
		mov	[esi+1Ch], eax
		mov	eax, edi
		and	eax, 40h
		mov	[esi+18h], edx
		mov	[esi+64h], edx
		mov	[ebp+arg_0], eax
		jnz	short loc_63BA98
		or	edi, 40h

loc_63BA98:				; CODE XREF: MiAllocateSlabEntry(x,x,x)+55j
		xor	ebx, ebx
		lea	ecx, [esi+0Ch]
		test	eax, eax
		setnz	bl

loc_63BAA2:				; CODE XREF: MiAllocateSlabEntry(x,x,x)+9Dj
		push	ecx
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		push	0
		or	eax, 40000001h
		push	eax
		mov	eax, 80000000h
		push	eax
		push	eax
		push	1
		push	edx
		push	edx
		push	ds:dword_6D07B0
		xor	edx, edx
		call	_MiFindContiguousPages@44 ; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_63BB27
		and	edi, 0FFFFFFBFh
		lea	ecx, [esi+0Ch]
		inc	ebx
		mov	edx, 200h
		cmp	ebx, 2
		jb	short loc_63BAA2
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+arg_0], 0
		jnz	short loc_63BB1E
		mov	ebx, [ebp+var_4]

loc_63BAEE:				; CODE XREF: MiAllocateSlabEntry(x,x,x)+34j
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	[ebp+arg_0], eax
		lea	edi, [ebx+40h]
		mov	[ebp+var_8], edx

loc_63BAFE:				; CODE XREF: MiAllocateSlabEntry(x,x,x)+D9j
					; MiAllocateSlabEntry(x,x,x)+DEj
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_C], ecx
		nop
		mov	ebx, [ebp+arg_0]
		mov	ecx, [ebp+var_8]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_63BAFE
		cmp	edx, [ebp+var_C]
		jnz	short loc_63BAFE

loc_63BB1E:				; CODE XREF: MiAllocateSlabEntry(x,x,x)+1Aj
					; MiAllocateSlabEntry(x,x,x)+ABj
		xor	eax, eax

loc_63BB20:				; CODE XREF: MiAllocateSlabEntry(x,x,x)+1D9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_63BB27:				; CODE XREF: MiAllocateSlabEntry(x,x,x)+8Cj
		mov	ecx, [esi+0Ch]
		push	1
		lea	eax, [ecx+1FFh]
		shr	ecx, 9
		push	ecx
		push	offset unk_6D5BB8
		mov	[esi+10h], eax
		call	RtlInterlockedSetClearRun
		imul	edi, [esi+0Ch],	1Ch
		imul	ebx, [esi+10h],	1Ch
		mov	eax, ds:_MmPfnDatabase
		add	edi, eax
		mov	[ebp+var_8], edi
		add	ebx, eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_0+3],	al
		cmp	edi, ebx
		ja	loc_63BBF9
		sub	ebx, [ebp+var_8]
		xor	edx, edx
		push	1Ch
		mov	eax, ebx
		add	edi, 10h
		pop	ecx
		div	ecx
		mov	ebx, [ebp+var_4]
		inc	eax
		mov	[ebp+var_8], eax

loc_63BB7E:				; CODE XREF: MiAllocateSlabEntry(x,x,x)+1B4j
		and	[ebp+var_4], 0
		jmp	short loc_63BB92
; 

loc_63BB84:				; CODE XREF: MiAllocateSlabEntry(x,x,x)+152j
					; MiAllocateSlabEntry(x,x,x)+159j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_63BB84

loc_63BB92:				; CODE XREF: MiAllocateSlabEntry(x,x,x)+144j
		lock bts dword ptr [edi], 1Fh
		jb	short loc_63BB84
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	edx, ds:_KiTbFlushTimeStamp
		lea	ecx, [edi-10h]
		push	1
		call	_MiSetPfnTbFlushStamp@12 ; MiSetPfnTbFlushStamp(x,x,x)
		xor	eax, eax
		lea	ecx, [edi-10h]
		mov	edx, ebx
		mov	[edi+4], ax
		call	_MiReInitializeFreeSlabPfn@8 ; MiReInitializeFreeSlabPfn(x,x)
		cmp	dword ptr [ebx+18h], 0
		jnz	short loc_63BBE3
		mov	eax, [edi+8]
		lea	ecx, [edi-10h]
		and	eax, 0BFFFFFFFh
		or	eax, 30000000h
		mov	[edi+8], eax
		call	MiAbortCombineScan

loc_63BBE3:				; CODE XREF: MiAllocateSlabEntry(x,x,x)+18Bj
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		add	edi, 1Ch
		sub	[ebp+var_8], 1
		jnz	short loc_63BB7E
		mov	al, byte ptr [ebp+arg_0+3]
		jmp	short loc_63BBFC
; 

loc_63BBF9:				; CODE XREF: MiAllocateSlabEntry(x,x,x)+124j
		mov	ebx, [ebp+var_4]

loc_63BBFC:				; CODE XREF: MiAllocateSlabEntry(x,x,x)+1B9j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [esi+0Ch]
		mov	ecx, ebx
		push	1
		push	200h
		call	_MiUpdateSlabPagePlaceholderState@16 ; MiUpdateSlabPagePlaceholderState(x,x,x,x)
		mov	eax, esi
		jmp	loc_63BB20
_MiAllocateSlabEntry@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckSlabPage(x, x, x)
_MiCheckSlabPage@12 proc near		; CODE XREF: .text:004789CDp
					; MiMakeDriverPagesPrivate(x,x,x,x)+2D0p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		sub	ecx, ds:_MmPfnDatabase
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		mov	esi, edx
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		push	[ebp+arg_0]
		mov	edx, esi
		mov	[ebp+var_4], eax
		mov	ecx, offset _MiSystemPartition
		call	_MiGetSlabAllocator@12 ; MiGetSlabAllocator(x,x,x)
		mov	edi, eax
		lea	ebx, [edi+8]
		push	ebx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		test	byte ptr [edi+4], 1
		mov	esi, [edi]
		mov	byte ptr [ebp+arg_0+3],	al
		jz	short loc_63BC67
		test	esi, esi
		jz	short loc_63BC65
		xor	esi, edi
		jmp	short loc_63BC67
; 

loc_63BC65:				; CODE XREF: MiCheckSlabPage(x,x,x)+43j
		xor	esi, esi

loc_63BC67:				; CODE XREF: MiCheckSlabPage(x,x,x)+3Fj
					; MiCheckSlabPage(x,x,x)+47j
		movzx	edi, byte ptr [edi+4]
		and	edi, 1
		jmp	short loc_63BC95
; 

loc_63BC70:				; CODE XREF: MiCheckSlabPage(x,x,x)+7Bj
		push	esi
		lea	eax, [ebp+var_4]
		push	eax
		call	_MiCompareSlabEntry@8 ;	MiCompareSlabEntry(x,x)
		test	eax, eax
		jns	short loc_63BC82
		mov	eax, [esi]
		jmp	short loc_63BC87
; 

loc_63BC82:				; CODE XREF: MiCheckSlabPage(x,x,x)+60j
		jle	short loc_63BC99
		mov	eax, [esi+4]

loc_63BC87:				; CODE XREF: MiCheckSlabPage(x,x,x)+64j
		test	edi, edi
		jz	short loc_63BC93
		test	eax, eax
		jz	short loc_63BC93
		xor	esi, eax
		jmp	short loc_63BC95
; 

loc_63BC93:				; CODE XREF: MiCheckSlabPage(x,x,x)+6Dj
					; MiCheckSlabPage(x,x,x)+71j
		mov	esi, eax

loc_63BC95:				; CODE XREF: MiCheckSlabPage(x,x,x)+52j
					; MiCheckSlabPage(x,x,x)+75j
		test	esi, esi
		jnz	short loc_63BC70

loc_63BC99:				; CODE XREF: MiCheckSlabPage(x,x,x):loc_63BC82j
		push	ebx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		test	esi, esi
		pop	edi
		pop	esi
		setnz	al
		pop	ebx
		leave
		retn	4
_MiCheckSlabPage@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCompareSlabEntry(x, x)
_MiCompareSlabEntry@8 proc near		; CODE XREF: MiCheckSlabPage(x,x,x)+59p
					; MiFreePageToSlabAllocator(x,x,x)+65p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	eax, [eax]
		cmp	eax, [ecx+10h]
		jbe	short loc_63BCCD
		xor	eax, eax
		inc	eax
		jmp	short loc_63BCD2
; 

loc_63BCCD:				; CODE XREF: MiCompareSlabEntry(x,x)+10j
		cmp	eax, [ecx+0Ch]
		sbb	eax, eax

loc_63BCD2:				; CODE XREF: MiCompareSlabEntry(x,x)+15j
		pop	ebp
		retn	8
_MiCompareSlabEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteSlabAllocator(x, x,	x)
_MiDeleteSlabAllocator@12 proc near	; DATA XREF: MiDeletePartitionResources(x)+178o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_MiFreeSlabEntries@12 ;	MiFreeSlabEntries(x,x,x)
		xor	eax, eax
		pop	ebp
		retn	0Ch
_MiDeleteSlabAllocator@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiEnumerateSlabAllocators(x, x, x)
_MiEnumerateSlabAllocators@12 proc near	; CODE XREF: .text:00470504p
					; .text:00478900p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		lea	esi, [ebx+0B38h]
		lea	edi, [esi+240h]
		jmp	short loc_63BD1D
; 

loc_63BD0C:				; CODE XREF: MiEnumerateSlabAllocators(x,x,x)+31j
		push	[ebp+arg_0]
		push	esi
		push	ebx
		call	eax
		test	eax, eax
		jnz	short loc_63BD2A
		mov	eax, [ebp+var_4]
		add	esi, 48h

loc_63BD1D:				; CODE XREF: MiEnumerateSlabAllocators(x,x,x)+1Cj
		cmp	esi, edi
		jb	short loc_63BD0C
		xor	eax, eax

loc_63BD23:				; CODE XREF: MiEnumerateSlabAllocators(x,x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_63BD2A:				; CODE XREF: MiEnumerateSlabAllocators(x,x,x)+27j
		xor	eax, eax
		inc	eax
		jmp	short loc_63BD23
_MiEnumerateSlabAllocators@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreePageToSlabAllocator(x, x, x)
_MiFreePageToSlabAllocator@12 proc near	; DATA XREF: .text:004704FAo
					; .text:004788EFo ...

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, [ebp+arg_4]
		test	byte ptr [edi+4], 1
		mov	eax, [edi]
		jz	short loc_63BD47
		test	eax, eax
		jz	short loc_63BD4B
		xor	eax, edi

loc_63BD47:				; CODE XREF: MiFreePageToSlabAllocator(x,x,x)+10j
		test	eax, eax
		jnz	short loc_63BD52

loc_63BD4B:				; CODE XREF: MiFreePageToSlabAllocator(x,x,x)+14j
		xor	eax, eax
		jmp	loc_63BDFA
; 

loc_63BD52:				; CODE XREF: MiFreePageToSlabAllocator(x,x,x)+1Aj
		mov	eax, [ebp+arg_8]
		sub	eax, ds:_MmPfnDatabase
		push	ebx
		push	esi
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	[ebp+var_4], eax
		lea	eax, [edi+8]
		push	eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		test	byte ptr [edi+4], 1
		mov	esi, [edi]
		mov	byte ptr [ebp+arg_4+3],	al
		jz	short loc_63BD84
		test	esi, esi
		jz	short loc_63BD82
		xor	esi, edi
		jmp	short loc_63BD84
; 

loc_63BD82:				; CODE XREF: MiFreePageToSlabAllocator(x,x,x)+4Dj
		xor	esi, esi

loc_63BD84:				; CODE XREF: MiFreePageToSlabAllocator(x,x,x)+49j
					; MiFreePageToSlabAllocator(x,x,x)+51j
		movzx	ebx, byte ptr [edi+4]
		and	ebx, 1
		test	esi, esi
		jz	short loc_63BDDF

loc_63BD8F:				; CODE XREF: MiFreePageToSlabAllocator(x,x,x)+87j
		push	esi
		lea	eax, [ebp+var_4]
		push	eax
		call	_MiCompareSlabEntry@8 ;	MiCompareSlabEntry(x,x)
		test	eax, eax
		jns	short loc_63BDA1
		mov	eax, [esi]
		jmp	short loc_63BDA6
; 

loc_63BDA1:				; CODE XREF: MiFreePageToSlabAllocator(x,x,x)+6Cj
		jle	short loc_63BDB8
		mov	eax, [esi+4]

loc_63BDA6:				; CODE XREF: MiFreePageToSlabAllocator(x,x,x)+70j
		test	ebx, ebx
		jz	short loc_63BDB2
		test	eax, eax
		jz	short loc_63BDB2
		xor	esi, eax
		jmp	short loc_63BDB4
; 

loc_63BDB2:				; CODE XREF: MiFreePageToSlabAllocator(x,x,x)+79j
					; MiFreePageToSlabAllocator(x,x,x)+7Dj
		mov	esi, eax

loc_63BDB4:				; CODE XREF: MiFreePageToSlabAllocator(x,x,x)+81j
		test	esi, esi
		jnz	short loc_63BD8F

loc_63BDB8:				; CODE XREF: MiFreePageToSlabAllocator(x,x,x):loc_63BDA1j
		test	esi, esi
		jz	short loc_63BDDF
		mov	ecx, [ebp+arg_8]
		mov	edx, edi
		call	_MiReInitializeFreeSlabPfn@8 ; MiReInitializeFreeSlabPfn(x,x)
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		push	1
		push	1
		call	_MiUpdateSlabPagePlaceholderState@16 ; MiUpdateSlabPagePlaceholderState(x,x,x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		push	edi
		call	_MiFreePageToSlabEntry@12 ; MiFreePageToSlabEntry(x,x,x)

loc_63BDDF:				; CODE XREF: MiFreePageToSlabAllocator(x,x,x)+5Ej
					; MiFreePageToSlabAllocator(x,x,x)+8Bj
		lea	eax, [edi+8]
		push	eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		test	esi, esi
		pop	esi
		setnz	al
		pop	ebx

loc_63BDFA:				; CODE XREF: MiFreePageToSlabAllocator(x,x,x)+1Ej
		pop	edi
		leave
		retn	0Ch
_MiFreePageToSlabAllocator@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreePageToSlabEntry(x, x,	x)
_MiFreePageToSlabEntry@12 proc near	; CODE XREF: MiFreePageToSlabAllocator(x,x,x)+ABp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		sub	ecx, ds:_MmPfnDatabase
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	eax, ecx
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	[ebp+var_4], edi
		mov	ebx, eax
		lea	eax, [edi+64h]
		sub	ebx, [edi+0Ch]
		mov	[ebp+var_8], eax
		lock inc dword ptr [eax]
		mov	eax, [ebp+arg_0]
		lock inc dword ptr [eax+10h]
		mov	eax, [edi+1Ch]
		mov	ecx, ebx
		shr	ecx, 5
		and	ebx, 1Fh
		xor	edx, edx
		lea	edi, [eax+ecx*4]
		lea	eax, [ebx+1]
		lea	esi, [edx+1]
		cmp	eax, 20h
		ja	short loc_63BE57
		lea	eax, [edx+1]
		mov	ecx, ebx
		shl	eax, cl
		not	eax
		jmp	short loc_63BE9E
; 

loc_63BE57:				; CODE XREF: MiFreePageToSlabEntry(x,x,x)+4Bj
		test	ebx, ebx
		jz	short loc_63BE97
		push	20h
		xor	esi, esi
		pop	edx
		sub	edx, ebx
		inc	esi
		mov	ecx, edx
		mov	eax, esi
		shl	eax, cl
		mov	ecx, ebx
		dec	eax
		shl	eax, cl
		not	eax
		lock and [edi],	eax
		sub	esi, edx
		add	edi, 4
		cmp	esi, 20h
		jb	short loc_63BE93
		mov	eax, esi
		shr	eax, 5

loc_63BE82:				; CODE XREF: MiFreePageToSlabEntry(x,x,x)+92j
		mov	dword ptr [edi], 0
		sub	esi, 20h
		add	edi, 4
		sub	eax, 1
		jnz	short loc_63BE82

loc_63BE93:				; CODE XREF: MiFreePageToSlabEntry(x,x,x)+7Cj
		test	esi, esi
		jz	short loc_63BEA1

loc_63BE97:				; CODE XREF: MiFreePageToSlabEntry(x,x,x)+5Aj
		or	eax, 0FFFFFFFFh
		mov	ecx, esi
		shl	eax, cl

loc_63BE9E:				; CODE XREF: MiFreePageToSlabEntry(x,x,x)+56j
		lock and [edi],	eax

loc_63BEA1:				; CODE XREF: MiFreePageToSlabEntry(x,x,x)+96j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		mov	eax, [eax+68h]
		add	eax, [ecx]
		pop	ebx
		cmp	eax, 200h
		jb	short locret_63BEC2
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		add	eax, 20h
		inc	ecx
		lock or	[eax], ecx

locret_63BEC2:				; CODE XREF: MiFreePageToSlabEntry(x,x,x)+B5j
		leave
		retn	4
_MiFreePageToSlabEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeSlabEntries(x, x, x)
_MiFreeSlabEntries@12 proc near		; CODE XREF: MiDeleteSlabAllocator(x,x,x)+Dp
					; DATA XREF: MiWorkingSetManager(x,x)+178o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		test	byte ptr [ebx+20h], 1
		jz	loc_63BFCA
		cmp	[ebp+arg_8], 0
		jnz	short loc_63BEFE
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		sub	eax, [ebx+38h]
		sbb	edx, [ebx+3Ch]
		mov	[ebp+var_4], edx
		jnz	short loc_63BEFE
		cmp	eax, 2FAF080h
		jb	loc_63BFCA

loc_63BEFE:				; CODE XREF: MiFreeSlabEntries(x,x,x)+19j
					; MiFreeSlabEntries(x,x,x)+2Bj
		push	esi
		push	edi
		mov	ecx, ebx
		call	_MiPurgeSlabEntries@4 ;	MiPurgeSlabEntries(x)
		lea	eax, [ebx+8]
		xor	esi, esi
		push	eax
		call	ExAcquireSpinLockExclusive
		and	dword ptr [ebx+20h], 0FFFFFFFEh
		mov	ecx, [ebx+4]
		mov	byte ptr [ebp+arg_4+3],	al
		test	cl, 1
		jz	short loc_63BF2F
		cmp	ecx, 1
		jz	short loc_63BFA5
		mov	edi, ebx
		or	edi, 1
		xor	edi, ecx
		jmp	short loc_63BFA1
; 

loc_63BF2F:				; CODE XREF: MiFreeSlabEntries(x,x,x)+59j
		mov	edi, ecx
		jmp	short loc_63BFA1
; 

loc_63BF33:				; CODE XREF: MiFreeSlabEntries(x,x,x)+DDj
		mov	ecx, [edi+4]
		mov	eax, edi
		mov	[ebp+arg_8], eax
		mov	edx, edi
		test	ecx, ecx
		jz	short loc_63BF55
		mov	edi, ecx
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_63BF6E

loc_63BF49:				; CODE XREF: MiFreeSlabEntries(x,x,x)+8Bj
		mov	eax, [ecx]
		mov	edi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_63BF49
		jmp	short loc_63BF6B
; 

loc_63BF55:				; CODE XREF: MiFreeSlabEntries(x,x,x)+79j
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		jz	short loc_63BF6E

loc_63BF5D:				; CODE XREF: MiFreeSlabEntries(x,x,x)+A3j
		cmp	[edi], edx
		jz	short loc_63BF6B
		mov	edx, edi
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		jnz	short loc_63BF5D

loc_63BF6B:				; CODE XREF: MiFreeSlabEntries(x,x,x)+8Dj
					; MiFreeSlabEntries(x,x,x)+99j
		mov	eax, [ebp+arg_8]

loc_63BF6E:				; CODE XREF: MiFreeSlabEntries(x,x,x)+81j
					; MiFreeSlabEntries(x,x,x)+95j
		test	byte ptr [eax+6Ch], 1
		jnz	short loc_63BFA1
		mov	ecx, [eax+64h]
		mov	edx, 200h
		cmp	ecx, edx
		jnz	short loc_63BF94
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		push	eax
		call	_MiRemoveSlabEntry@12 ;	MiRemoveSlabEntry(x,x,x)
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		mov	esi, eax
		jmp	short loc_63BFA1
; 

loc_63BF94:				; CODE XREF: MiFreeSlabEntries(x,x,x)+B8j
		mov	eax, [eax+68h]
		add	eax, ecx
		cmp	eax, edx
		jb	short loc_63BFA1
		or	dword ptr [ebx+20h], 1

loc_63BFA1:				; CODE XREF: MiFreeSlabEntries(x,x,x)+67j
					; MiFreeSlabEntries(x,x,x)+6Bj	...
		test	edi, edi
		jnz	short loc_63BF33

loc_63BFA5:				; CODE XREF: MiFreeSlabEntries(x,x,x)+5Ej
		lea	eax, [ebx+8]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_63BFB7:				; CODE XREF: MiFreeSlabEntries(x,x,x)+100j
		mov	edx, esi
		test	esi, esi
		jz	short loc_63BFC8
		mov	esi, [esi]
		mov	ecx, ebx
		call	_MiFreeSlabEntry@8 ; MiFreeSlabEntry(x,x)
		jmp	short loc_63BFB7
; 

loc_63BFC8:				; CODE XREF: MiFreeSlabEntries(x,x,x)+F5j
		pop	edi
		pop	esi

loc_63BFCA:				; CODE XREF: MiFreeSlabEntries(x,x,x)+Fj
					; MiFreeSlabEntries(x,x,x)+32j
		xor	eax, eax
		pop	ebx
		leave
		retn	0Ch
_MiFreeSlabEntries@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeSlabEntry(x, x)
_MiFreeSlabEntry@8 proc	near		; CODE XREF: MiFreeSlabEntries(x,x,x)+FBp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		imul	ebx, [edx+10h],	1Ch
		xor	eax, eax
		push	esi
		push	edi
		imul	edi, [edx+0Ch],	1Ch
		mov	[ebp+var_8], eax
		mov	eax, ds:_MmPfnDatabase
		add	ebx, eax
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		add	edi, eax
		mov	[ebp+var_C], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		xor	esi, esi
		mov	[ebp+var_1], al
		inc	esi
		cmp	edi, ebx
		ja	loc_63C09A
		sub	ebx, [ebp+var_C]
		xor	edx, edx
		push	1Ch
		mov	eax, ebx
		add	edi, 10h
		pop	ecx
		div	ecx
		mov	ebx, [ebp+var_10]
		lea	ecx, [eax+1]
		mov	[ebp+var_C], ecx

loc_63C02A:				; CODE XREF: MiFreeSlabEntry(x,x)+C1j
		and	[ebp+var_18], 0
		lock bts dword ptr [edi], 1Fh
		jnb	short loc_63C04D

loc_63C035:				; CODE XREF: MiFreeSlabEntry(x,x)+6Dj
					; MiFreeSlabEntry(x,x)+74j
		lea	ecx, [ebp+var_18]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_63C035
		lock bts dword ptr [edi], 1Fh
		jb	short loc_63C035
		mov	ecx, [ebp+var_C]

loc_63C04D:				; CODE XREF: MiFreeSlabEntry(x,x)+5Fj
		cmp	[ebp+var_8], 0
		jnz	short loc_63C05B
		mov	eax, offset _MiSystemPartition
		mov	[ebp+var_8], eax

loc_63C05B:				; CODE XREF: MiFreeSlabEntry(x,x)+7Dj
		cmp	dword ptr [ebx+18h], 0
		jnz	short loc_63C068
		and	dword ptr [edi+8], 8FFFFFFFh

loc_63C068:				; CODE XREF: MiFreeSlabEntry(x,x)+8Bj
		push	2
		pop	eax
		mov	[edi+4], ax
		mov	eax, [edi]
		and	eax, 0C0000001h
		or	eax, esi
		mov	[edi], eax
		mov	al, [edi+6]
		and	al, 0FEh
		or	al, 6
		mov	[edi+6], al
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		add	edi, 1Ch
		sub	ecx, 1
		mov	[ebp+var_C], ecx
		jnz	short loc_63C02A
		mov	al, [ebp+var_1]

loc_63C09A:				; CODE XREF: MiFreeSlabEntry(x,x)+38j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+var_14]
		mov	ecx, [ebp+var_10]
		push	0
		push	200h
		mov	edx, [ebx+0Ch]
		call	_MiUpdateSlabPagePlaceholderState@16 ; MiUpdateSlabPagePlaceholderState(x,x,x,x)
		mov	ebx, [ebx+0Ch]
		mov	eax, ds:dword_6D5BBC
		shr	ebx, 9
		mov	ecx, ebx
		and	ebx, 1Fh
		shr	ecx, 5
		lea	edi, [eax+ecx*4]
		lea	eax, [ebx+1]
		cmp	eax, 20h
		ja	short loc_63C0E0
		mov	ecx, ebx
		shl	esi, cl
		not	esi
		lock and [edi],	esi
		jmp	short loc_63C127
; 

loc_63C0E0:				; CODE XREF: MiFreeSlabEntry(x,x)+FFj
		test	ebx, ebx
		jz	short loc_63C11D
		push	20h
		pop	edx
		sub	edx, ebx
		mov	eax, esi
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, ebx
		dec	eax
		shl	eax, cl
		not	eax
		lock and [edi],	eax
		sub	esi, edx
		add	edi, 4
		cmp	esi, 20h
		jb	short loc_63C119
		mov	eax, esi
		shr	eax, 5

loc_63C108:				; CODE XREF: MiFreeSlabEntry(x,x)+143j
		mov	dword ptr [edi], 0
		sub	esi, 20h
		add	edi, 4
		sub	eax, 1
		jnz	short loc_63C108

loc_63C119:				; CODE XREF: MiFreeSlabEntry(x,x)+12Dj
		test	esi, esi
		jz	short loc_63C127

loc_63C11D:				; CODE XREF: MiFreeSlabEntry(x,x)+10Ej
		or	eax, 0FFFFFFFFh
		mov	ecx, esi
		shl	eax, cl
		lock and [edi],	eax

loc_63C127:				; CODE XREF: MiFreeSlabEntry(x,x)+10Aj
					; MiFreeSlabEntry(x,x)+147j
		mov	ebx, [ebp+var_14]
		xor	edx, edx
		push	6
		mov	ecx, [ebx+0Ch]
		call	_MiFreeLargePageMemory@12 ; MiFreeLargePageMemory(x,x,x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiFreeSlabEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetPageFromSlabAllocator(x)
_MiGetPageFromSlabAllocator@4 proc near	; CODE XREF: MiGetSlabPage(x,x,x,x,x)+2Bp

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, [edi+24h]
		add	eax, [edi+10h]
		jnz	short loc_63C160
		or	eax, 0FFFFFFFFh
		jmp	loc_63C24B
; 

loc_63C160:				; CODE XREF: MiGetPageFromSlabAllocator(x)+13j
		lea	eax, [edi+8]
		push	eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	ecx, [edi+0Ch]
		mov	[ebp+var_1], al
		test	ecx, ecx
		jz	short loc_63C18B
		mov	edx, edi
		call	_MiGetPageFromSlabEntry@8 ; MiGetPageFromSlabEntry(x,x)
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_63C1F0
		mov	dword ptr [edi+0Ch], 0

loc_63C18B:				; CODE XREF: MiGetPageFromSlabAllocator(x)+2Ej
		mov	eax, [edi+4]
		test	al, 1
		jz	short loc_63C1A0
		cmp	eax, 1
		jz	short loc_63C1EA
		mov	esi, edi
		or	esi, 1
		xor	esi, eax
		jmp	short loc_63C1E6
; 

loc_63C1A0:				; CODE XREF: MiGetPageFromSlabAllocator(x)+4Dj
		mov	esi, eax
		jmp	short loc_63C1E6
; 

loc_63C1A4:				; CODE XREF: MiGetPageFromSlabAllocator(x)+A5j
		mov	edx, edi
		mov	ecx, esi
		call	_MiGetPageFromSlabEntry@8 ; MiGetPageFromSlabEntry(x,x)
		mov	ebx, eax
		mov	[ebp+var_8], eax
		cmp	ebx, 0FFFFFFFFh
		jnz	loc_63C23F
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jz	short loc_63C1DE
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_63C1E6

loc_63C1CC:				; CODE XREF: MiGetPageFromSlabAllocator(x)+91j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_63C1CC
		jmp	short loc_63C1E6
; 

loc_63C1D8:				; CODE XREF: MiGetPageFromSlabAllocator(x)+A1j
		cmp	[esi], ecx
		jz	short loc_63C1E6
		mov	ecx, esi

loc_63C1DE:				; CODE XREF: MiGetPageFromSlabAllocator(x)+7Fj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_63C1D8

loc_63C1E6:				; CODE XREF: MiGetPageFromSlabAllocator(x)+5Bj
					; MiGetPageFromSlabAllocator(x)+5Fj ...
		test	esi, esi
		jnz	short loc_63C1A4

loc_63C1EA:				; CODE XREF: MiGetPageFromSlabAllocator(x)+52j
		or	ebx, 0FFFFFFFFh
		mov	[ebp+var_8], ebx

loc_63C1F0:				; CODE XREF: MiGetPageFromSlabAllocator(x)+3Fj
					; MiGetPageFromSlabAllocator(x)+FFj
		lea	eax, [edi+8]
		push	eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_63C244
		imul	esi, ebx, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		push	0
		push	1
		mov	bl, al
		call	_MiUpdateSlabPagePlaceholderState@16 ; MiUpdateSlabPagePlaceholderState(x,x,x,x)
		mov	eax, 7FFFFFFFh
		lea	ecx, [esi+10h]
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_8]
		jmp	short loc_63C24B
; 

loc_63C23F:				; CODE XREF: MiGetPageFromSlabAllocator(x)+72j
		mov	[edi+0Ch], esi
		jmp	short loc_63C1F0
; 

loc_63C244:				; CODE XREF: MiGetPageFromSlabAllocator(x)+C2j
		mov	ecx, edi
		call	_MiGetSlabStandbyPage@4	; MiGetSlabStandbyPage(x)

loc_63C24B:				; CODE XREF: MiGetPageFromSlabAllocator(x)+18j
					; MiGetPageFromSlabAllocator(x)+FAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiGetPageFromSlabAllocator@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetPageFromSlabEntry(x, x)
_MiGetPageFromSlabEntry@8 proc near	; CODE XREF: MiGetPageFromSlabAllocator(x)+32p
					; MiGetPageFromSlabAllocator(x)+65p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edi
		cmp	dword ptr [edi+64h], 0
		jz	loc_63C381
		mov	eax, [edi+60h]
		cmp	eax, 200h
		sbb	esi, esi
		and	esi, eax
		mov	eax, [edi+1Ch]
		mov	edx, esi
		mov	ecx, esi
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jnz	short loc_63C2A3
		push	1
		push	esi
		lea	eax, [edi+18h]
		push	eax
		call	RtlInterlockedSetClearRun
		test	eax, eax
		jnz	loc_63C367

loc_63C2A3:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+3Dj
		lea	eax, [edi+18h]
		mov	[ebp+var_18], eax

loc_63C2A9:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+112j
		mov	ecx, [eax]
		lea	edx, [esi+1]
		mov	esi, [eax+4]
		cmp	edx, ecx
		mov	[ebp+var_8], edx
		sbb	edi, edi
		mov	[ebp+var_4], ecx
		and	edi, edx
		mov	[ebp+var_C], esi
		lea	ebx, [ecx-1]

loc_63C2C3:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+F0j
		and	[ebp+var_10], 0
		mov	eax, ebx
		sub	eax, edi
		inc	eax
		cmp	eax, 1
		jnb	short loc_63C2D6
		or	esi, 0FFFFFFFFh
		jmp	short loc_63C32D
; 

loc_63C2D6:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+7Fj
		mov	eax, ebx
		xor	edx, edx
		shr	eax, 5
		mov	ecx, edi
		and	ecx, 1Fh
		inc	edx
		shl	edx, cl
		dec	edx
		lea	eax, [esi+eax*4]
		mov	[ebp+var_10], eax
		mov	eax, edi
		shr	eax, 5
		lea	esi, [esi+eax*4]
		mov	eax, [esi]
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_63C30E
		mov	ecx, [ebp+var_10]

loc_63C300:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+BCj
		add	esi, 4
		cmp	esi, ecx
		ja	short loc_63C342
		mov	eax, [esi]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_63C300

loc_63C30E:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+ABj
		sub	esi, [ebp+var_C]
		not	eax
		bsf	eax, eax
		sar	esi, 2
		shl	esi, 5
		add	esi, eax
		cmp	esi, ebx
		ja	short loc_63C342
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_63C34A

loc_63C327:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+F5j
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]

loc_63C32D:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+84j
		test	edi, edi
		jz	short loc_63C347
		lea	ebx, [edx+1]
		cmp	ebx, ecx
		jbe	short loc_63C33A
		mov	ebx, ecx

loc_63C33A:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+E6j
		mov	esi, [ebp+var_C]
		dec	ebx
		xor	edi, edi
		jmp	short loc_63C2C3
; 

loc_63C342:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+B5j
					; MiGetPageFromSlabEntry(x,x)+D0j
		or	esi, 0FFFFFFFFh
		jmp	short loc_63C327
; 

loc_63C347:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+DFj
		cmp	esi, 0FFFFFFFFh

loc_63C34A:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+D5j
		mov	edi, [ebp+var_14]
		jz	short loc_63C381
		push	1
		push	esi
		lea	eax, [edi+18h]
		push	eax
		call	RtlInterlockedSetClearRun
		test	eax, eax
		jnz	short loc_63C367
		mov	eax, [ebp+var_18]
		jmp	loc_63C2A9
; 

loc_63C367:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+4Dj
					; MiGetPageFromSlabEntry(x,x)+10Dj
		lea	eax, [edi+64h]
		lock dec dword ptr [eax]
		mov	eax, [ebp+var_1C]
		lock dec dword ptr [eax+10h]
		lea	eax, [esi+1]
		mov	[edi+60h], eax
		mov	eax, [edi+0Ch]
		add	eax, esi
		jmp	short loc_63C384
; 

loc_63C381:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+17j
					; MiGetPageFromSlabEntry(x,x)+FDj
		or	eax, 0FFFFFFFFh

loc_63C384:				; CODE XREF: MiGetPageFromSlabEntry(x,x)+12Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiGetPageFromSlabEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetSlabAllocator(x, x, x)
_MiGetSlabAllocator@12 proc near	; CODE XREF: MiPfPutPagesInTransition+13708Fp
					; MiCheckSlabPage(x,x,x)+26p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	eax, 5
		cmp	eax, 4
		jnz	short loc_63C39D

loc_63C399:				; CODE XREF: MiGetSlabAllocator(x,x,x)+1Bj
		push	3
		jmp	short loc_63C3CA
; 

loc_63C39D:				; CODE XREF: MiGetSlabAllocator(x,x,x)+Ej
		test	edx, edx
		jz	short loc_63C3A6
		cmp	eax, 5
		jz	short loc_63C399

loc_63C3A6:				; CODE XREF: MiGetSlabAllocator(x,x,x)+16j
		test	byte ptr [ebp+arg_0], 2
		jz	short loc_63C3B0

loc_63C3AC:				; CODE XREF: MiGetSlabAllocator(x,x,x)+38j
		xor	eax, eax
		jmp	short loc_63C3CB
; 

loc_63C3B0:				; CODE XREF: MiGetSlabAllocator(x,x,x)+21j
		test	byte ptr [ebp+arg_0], 1
		jz	short loc_63C3C8
		test	edx, edx
		jnz	short loc_63C3C3
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_63C3AC

loc_63C3C3:				; CODE XREF: MiGetSlabAllocator(x,x,x)+2Fj
		xor	eax, eax
		inc	eax
		jmp	short loc_63C3CB
; 

loc_63C3C8:				; CODE XREF: MiGetSlabAllocator(x,x,x)+2Bj
		push	2

loc_63C3CA:				; CODE XREF: MiGetSlabAllocator(x,x,x)+12j
		pop	eax

loc_63C3CB:				; CODE XREF: MiGetSlabAllocator(x,x,x)+25j
					; MiGetSlabAllocator(x,x,x)+3Dj
		lea	eax, [eax+edx*4]
		imul	eax, 48h
		add	eax, 0B38h
		add	eax, ecx
		pop	ebp
		retn	4
_MiGetSlabAllocator@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetSlabPage(x, x,	x, x, x)
_MiGetSlabPage@20 proc near		; CODE XREF: .text:00478B8Fp
					; MiPfPutPagesInTransition+137155p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		push	edx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_4], eax
		call	_MiGetSlabAllocator@12 ; MiGetSlabAllocator(x,x,x)
		mov	esi, [ebp+arg_4]
		mov	edi, eax
		test	esi, esi
		jz	short loc_63C405
		cmp	esi, 0FFFFFFFFh
		jz	short loc_63C405
		and	dword ptr [esi], 0

loc_63C405:				; CODE XREF: MiGetSlabPage(x,x,x,x,x)+1Fj
					; MiGetSlabPage(x,x,x,x,x)+24j	...
		mov	ecx, edi
		call	_MiGetPageFromSlabAllocator@4 ;	MiGetPageFromSlabAllocator(x)
		mov	ebx, eax
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_63C446
		cmp	dword ptr [edi+18h], 1
		jz	short loc_63C43B
		mov	ecx, edi
		call	_MiSlabAllocatorRecentFailure@4	; MiSlabAllocatorRecentFailure(x)
		test	eax, eax
		jnz	short loc_63C43B
		cmp	esi, ebx
		jnz	short loc_63C440
		push	[ebp+arg_8]
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		push	1
		call	_MiReplenishSlabAllocator@16 ; MiReplenishSlabAllocator(x,x,x,x)
		test	eax, eax
		jnz	short loc_63C405

loc_63C43B:				; CODE XREF: MiGetSlabPage(x,x,x,x,x)+3Bj
					; MiGetSlabPage(x,x,x,x,x)+46j
		or	eax, 0FFFFFFFFh
		jmp	short loc_63C448
; 

loc_63C440:				; CODE XREF: MiGetSlabPage(x,x,x,x,x)+4Aj
		test	esi, esi
		jz	short loc_63C446
		mov	[esi], edi

loc_63C446:				; CODE XREF: MiGetSlabPage(x,x,x,x,x)+35j
					; MiGetSlabPage(x,x,x,x,x)+66j
		mov	eax, ebx

loc_63C448:				; CODE XREF: MiGetSlabPage(x,x,x,x,x)+62j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiGetSlabPage@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetSlabStandbyPage(x)
_MiGetSlabStandbyPage@4	proc near	; CODE XREF: MiGetPageFromSlabAllocator(x)+103p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_14], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		cmp	dword ptr [ebx+2Ch], offset loc_7FFFFF
		jnz	short loc_63C471
		or	eax, 0FFFFFFFFh
		jmp	loc_63C65B
; 

loc_63C471:				; CODE XREF: MiGetSlabStandbyPage(x)+18j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_1C], 0
		lea	edi, [ebx+34h]
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_1], al
		mov	[ebp+var_18], edi
		jz	short loc_63C49C
		mov	edx, edi
		lea	ecx, [ebp+var_1C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	loc_63C57C
; 

loc_63C49C:				; CODE XREF: MiGetSlabStandbyPage(x)+3Cj
		lea	edx, [ebp+var_1C]
		xchg	edx, [edi]
		test	edx, edx
		jz	loc_63C57C
		lea	ecx, [ebp+var_1C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
		jmp	loc_63C57C
; 

loc_63C4B6:				; CODE XREF: MiGetSlabStandbyPage(x)+136j
		imul	eax, esi, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_10], eax
		add	eax, 10h
		mov	[ebp+var_8], eax
		lock bts dword ptr [eax], 1Fh
		jnb	loc_63C5A8
		test	ds:byte_70EFC6,	1
		jz	short loc_63C4E9
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63C518
; 

loc_63C4E9:				; CODE XREF: MiGetSlabStandbyPage(x)+8Bj
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_63C508
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_63C518
		call	KxWaitForLockChainValid

loc_63C508:				; CODE XREF: MiGetSlabStandbyPage(x)+9Fj
		xor	ecx, ecx
		mov	[ebp+var_1C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_63C518:				; CODE XREF: MiGetSlabStandbyPage(x)+98j
					; MiGetSlabStandbyPage(x)+B2j
		and	[ebp+var_C], 0
		mov	eax, [ebp+var_8]
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_63C53F
		mov	edi, eax

loc_63C528:				; CODE XREF: MiGetSlabStandbyPage(x)+E4j
					; MiGetSlabStandbyPage(x)+EBj
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_63C528
		lock bts dword ptr [edi], 1Fh
		jb	short loc_63C528
		lea	edi, [ebx+34h]

loc_63C53F:				; CODE XREF: MiGetSlabStandbyPage(x)+D5j
		and	[ebp+var_1C], 0
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_18], edi
		jz	short loc_63C55B
		mov	edx, edi
		lea	ecx, [ebp+var_1C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63C56C
; 

loc_63C55B:				; CODE XREF: MiGetSlabStandbyPage(x)+FEj
		lea	edx, [ebp+var_1C]
		xchg	edx, [edi]
		test	edx, edx
		jz	short loc_63C56C
		lea	ecx, [ebp+var_1C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_63C56C:				; CODE XREF: MiGetSlabStandbyPage(x)+10Aj
					; MiGetSlabStandbyPage(x)+113j
		cmp	esi, [ebx+2Ch]
		jz	short loc_63C5A8
		mov	eax, [ebp+var_8]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx

loc_63C57C:				; CODE XREF: MiGetSlabStandbyPage(x)+48j
					; MiGetSlabStandbyPage(x)+54j ...
		mov	esi, [ebx+2Ch]
		cmp	esi, offset loc_7FFFFF
		jnz	loc_63C4B6
		test	ds:byte_70EFC6,	1
		jz	loc_63C61E
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_63C64D
; 

loc_63C5A8:				; CODE XREF: MiGetSlabStandbyPage(x)+7Ej
					; MiGetSlabStandbyPage(x)+120j
		mov	edi, [ebp+var_10]
		xor	eax, eax
		mov	ecx, edi
		lea	edx, [eax+1]
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_63C5CD
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63C5FC
; 

loc_63C5CD:				; CODE XREF: MiGetSlabStandbyPage(x)+16Fj
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_63C5EC
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_63C5FC
		call	KxWaitForLockChainValid

loc_63C5EC:				; CODE XREF: MiGetSlabStandbyPage(x)+183j
		xor	ecx, ecx
		mov	[ebp+var_1C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_63C5FC:				; CODE XREF: MiGetSlabStandbyPage(x)+17Cj
					; MiGetSlabStandbyPage(x)+196j
		mov	edx, 800h
		mov	ecx, edi
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)
		mov	edx, ebx
		mov	ecx, edi
		call	_MiReInitializeFreeSlabPfn@8 ; MiReInitializeFreeSlabPfn(x,x)
		mov	eax, [ebp+var_8]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	short loc_63C650
; 

loc_63C61E:				; CODE XREF: MiGetSlabStandbyPage(x)+143j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_63C63D
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_63C64D
		call	KxWaitForLockChainValid

loc_63C63D:				; CODE XREF: MiGetSlabStandbyPage(x)+1D4j
		xor	ecx, ecx
		mov	[ebp+var_1C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_63C64D:				; CODE XREF: MiGetSlabStandbyPage(x)+154j
					; MiGetSlabStandbyPage(x)+1E7j
		or	esi, 0FFFFFFFFh

loc_63C650:				; CODE XREF: MiGetSlabStandbyPage(x)+1CDj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi

loc_63C65B:				; CODE XREF: MiGetSlabStandbyPage(x)+1Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiGetSlabStandbyPage@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertSlabEntry(x, x, x)
_MiInsertSlabEntry@12 proc near		; CODE XREF: MiReplenishSlabAllocator(x,x,x,x)+27p
					; MiCreateBootSlabEntries(x,x,x,x)+E3p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], edi
		lea	eax, [edi+8]
		push	eax
		call	ExAcquireSpinLockExclusive
		test	byte ptr [edi+4], 1
		mov	esi, [edi]
		mov	[ebp+var_1], al
		jz	short loc_63C691
		test	esi, esi
		jz	short loc_63C68F
		xor	esi, edi
		jmp	short loc_63C691
; 

loc_63C68F:				; CODE XREF: MiInsertSlabEntry(x,x,x)+29j
		xor	esi, esi

loc_63C691:				; CODE XREF: MiInsertSlabEntry(x,x,x)+25j
					; MiInsertSlabEntry(x,x,x)+2Dj
		movzx	eax, byte ptr [edi+4]
		mov	ebx, [ebp+arg_0]
		and	eax, 1
		mov	[ebp+var_C], eax
		mov	byte ptr [ebp+var_5], 0
		test	esi, esi
		jz	short loc_63C6E7

loc_63C6A6:				; CODE XREF: MiInsertSlabEntry(x,x,x)+81j
		lea	eax, [ebx+0Ch]
		push	esi
		push	eax
		call	_MiCompareSlabEntry@8 ;	MiCompareSlabEntry(x,x)
		test	eax, eax
		js	short loc_63C6CD
		cmp	[ebp+var_C], 0
		mov	eax, [esi+4]
		jz	short loc_63C6C3
		test	eax, eax
		jz	short loc_63C6C7
		xor	eax, esi

loc_63C6C3:				; CODE XREF: MiInsertSlabEntry(x,x,x)+5Bj
		test	eax, eax
		jnz	short loc_63C6DF

loc_63C6C7:				; CODE XREF: MiInsertSlabEntry(x,x,x)+5Fj
		mov	byte ptr [ebp+var_5], 1
		jmp	short loc_63C6E7
; 

loc_63C6CD:				; CODE XREF: MiInsertSlabEntry(x,x,x)+52j
		cmp	[ebp+var_C], 0
		mov	eax, [esi]
		jz	short loc_63C6DB
		test	eax, eax
		jz	short loc_63C6E3
		xor	eax, esi

loc_63C6DB:				; CODE XREF: MiInsertSlabEntry(x,x,x)+73j
		test	eax, eax
		jz	short loc_63C6E3

loc_63C6DF:				; CODE XREF: MiInsertSlabEntry(x,x,x)+65j
		mov	esi, eax
		jmp	short loc_63C6A6
; 

loc_63C6E3:				; CODE XREF: MiInsertSlabEntry(x,x,x)+77j
					; MiInsertSlabEntry(x,x,x)+7Dj
		mov	byte ptr [ebp+var_5], 0

loc_63C6E7:				; CODE XREF: MiInsertSlabEntry(x,x,x)+44j
					; MiInsertSlabEntry(x,x,x)+6Bj
		push	ebx
		push	[ebp+var_5]
		push	esi
		push	edi
		call	RtlRbInsertNodeEx
		mov	ecx, [edi+0Ch]
		test	ecx, ecx
		jz	short loc_63C705
		mov	eax, [ebx+64h]
		cmp	[ecx+64h], eax
		jbe	short loc_63C708
		test	eax, eax
		jz	short loc_63C708

loc_63C705:				; CODE XREF: MiInsertSlabEntry(x,x,x)+97j
		mov	[edi+0Ch], ebx

loc_63C708:				; CODE XREF: MiInsertSlabEntry(x,x,x)+9Fj
					; MiInsertSlabEntry(x,x,x)+A3j
		mov	eax, [ebx+64h]
		mov	edx, 200h
		add	[edi+10h], eax
		mov	ecx, edx
		mov	eax, [ebp+var_10]
		inc	dword ptr [edi+14h]
		add	eax, 1128h
		lock xadd [eax], ecx
		cmp	[ebx+64h], edx
		jnz	short loc_63C764
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	ebx, eax
		mov	[ebp+var_C], edx
		lea	ecx, [edi+38h]
		mov	[ebp+arg_0], ebx
		mov	edi, ecx

loc_63C73D:				; CODE XREF: MiInsertSlabEntry(x,x,x)+F6j
					; MiInsertSlabEntry(x,x,x)+FBj
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_10], ecx
		nop
		mov	ecx, [ebp+var_C]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+arg_0]
		cmp	eax, esi
		jnz	short loc_63C73D
		cmp	edx, [ebp+var_10]
		jnz	short loc_63C73D
		mov	edi, [ebp+var_14]
		or	dword ptr [edi+20h], 1

loc_63C764:				; CODE XREF: MiInsertSlabEntry(x,x,x)+C7j
		lea	eax, [edi+8]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiInsertSlabEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPurgeSlabEntries(x)
_MiPurgeSlabEntries@4 proc near		; CODE XREF: MiFreeSlabEntries(x,x,x)+3Cp

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+28h+var_4], ebx
		cmp	[ebx+24h], edi
		jz	loc_63C98B
		lea	esi, [ebx+8]
		mov	[esp+28h+var_C], edi
		mov	[esp+28h+var_14], edi
		mov	[esp+28h+var_10], edi
		mov	[esp+28h+var_18], edi
		mov	[esp+28h+var_8], esi

loc_63C7B3:				; CODE XREF: MiPurgeSlabEntries(x)+1F6j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		push	esi
		mov	[esp+2Ch+var_19], al
		call	ExAcquireSpinLockSharedAtDpcLevel
		test	byte ptr [ebx+4], 1
		mov	esi, [ebx]
		jz	short loc_63C7D5
		test	esi, esi
		jz	short loc_63C7D3
		xor	esi, ebx
		jmp	short loc_63C7D5
; 

loc_63C7D3:				; CODE XREF: MiPurgeSlabEntries(x)+50j
		mov	esi, edi

loc_63C7D5:				; CODE XREF: MiPurgeSlabEntries(x)+4Cj
					; MiPurgeSlabEntries(x)+54j
		movzx	edi, byte ptr [ebx+4]
		and	edi, 1
		xor	ebx, ebx
		jmp	short loc_63C808
; 

loc_63C7E0:				; CODE XREF: MiPurgeSlabEntries(x)+8Dj
		push	esi
		lea	eax, [esp+2Ch+var_C]
		push	eax
		call	_MiCompareSlabEntry@8 ;	MiCompareSlabEntry(x,x)
		test	eax, eax
		jz	short loc_63C80E
		jns	short loc_63C7F7
		mov	eax, [esi]
		mov	ebx, esi
		jmp	short loc_63C7FA
; 

loc_63C7F7:				; CODE XREF: MiPurgeSlabEntries(x)+72j
		mov	eax, [esi+4]

loc_63C7FA:				; CODE XREF: MiPurgeSlabEntries(x)+78j
		test	edi, edi
		jz	short loc_63C806
		test	eax, eax
		jz	short loc_63C806
		xor	esi, eax
		jmp	short loc_63C808
; 

loc_63C806:				; CODE XREF: MiPurgeSlabEntries(x)+7Fj
					; MiPurgeSlabEntries(x)+83j
		mov	esi, eax

loc_63C808:				; CODE XREF: MiPurgeSlabEntries(x)+61j
					; MiPurgeSlabEntries(x)+87j
		test	esi, esi
		jnz	short loc_63C7E0
		mov	esi, ebx

loc_63C80E:				; CODE XREF: MiPurgeSlabEntries(x)+70j
		test	esi, esi
		jz	short loc_63C87E

loc_63C812:				; CODE XREF: MiPurgeSlabEntries(x)+DFj
		mov	ebx, [esi+68h]
		mov	[esp+28h+var_18], ebx
		test	ebx, ebx
		jz	short loc_63C82F
		mov	eax, [esi+64h]
		add	eax, ebx
		cmp	eax, 200h
		jb	short loc_63C82F
		test	byte ptr [esi+6Ch], 1
		jz	short loc_63C860

loc_63C82F:				; CODE XREF: MiPurgeSlabEntries(x)+9Ej
					; MiPurgeSlabEntries(x)+AAj
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jz	short loc_63C852
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_63C85A

loc_63C840:				; CODE XREF: MiPurgeSlabEntries(x)+CBj
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_63C840
		jmp	short loc_63C85A
; 

loc_63C84C:				; CODE XREF: MiPurgeSlabEntries(x)+DBj
		cmp	[esi], ecx
		jz	short loc_63C85A
		mov	ecx, esi

loc_63C852:				; CODE XREF: MiPurgeSlabEntries(x)+B9j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_63C84C

loc_63C85A:				; CODE XREF: MiPurgeSlabEntries(x)+C1j
					; MiPurgeSlabEntries(x)+CDj ...
		test	esi, esi
		jnz	short loc_63C812
		jmp	short loc_63C882
; 

loc_63C860:				; CODE XREF: MiPurgeSlabEntries(x)+B0j
		imul	edi, [esi+0Ch],	1Ch
		imul	ecx, [esi+10h],	1Ch
		add	edi, ds:_MmPfnDatabase
		add	ecx, ds:_MmPfnDatabase
		mov	[esp+28h+var_14], edi
		mov	[esp+28h+var_10], ecx
		jmp	short loc_63C886
; 

loc_63C87E:				; CODE XREF: MiPurgeSlabEntries(x)+93j
		mov	ebx, [esp+28h+var_18]

loc_63C882:				; CODE XREF: MiPurgeSlabEntries(x)+E1j
		mov	edi, [esp+28h+var_14]

loc_63C886:				; CODE XREF: MiPurgeSlabEntries(x)+FFj
		push	[esp+28h+var_8]
		call	ExReleaseSpinLockSharedFromDpcLevel
		test	esi, esi
		jz	loc_63C97B
		test	ebx, ebx
		jz	loc_63C946
		lea	esi, [edi+10h]

loc_63C8A2:				; CODE XREF: MiPurgeSlabEntries(x)+1BBj
		cmp	edi, [esp+28h+var_10]
		ja	loc_63C93E
		and	[esp+28h+var_14], 0
		jmp	short loc_63C8C2
; 

loc_63C8B3:				; CODE XREF: MiPurgeSlabEntries(x)+143j
					; MiPurgeSlabEntries(x)+14Aj
		lea	ecx, [esp+28h+var_14]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_63C8B3

loc_63C8C2:				; CODE XREF: MiPurgeSlabEntries(x)+134j
		lock bts dword ptr [esi], 1Fh
		jb	short loc_63C8B3
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		cmp	eax, ds:dword_6D07B0
		ja	short loc_63C925
		mov	ecx, ds:dword_6D35B8
		mov	edx, eax
		shr	edx, 5
		and	eax, 1Fh
		mov	edx, [ecx+edx*4]
		mov	ecx, eax
		shr	edx, cl
		and	edx, 1
		jz	short loc_63C925
		mov	ecx, edi
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jz	short loc_63C925
		mov	ecx, edi
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jz	short loc_63C925
		mov	al, [esi+6]
		and	al, 7
		cmp	al, 5
		jnz	short loc_63C925
		mov	eax, [esi-0Ch]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_63C927
		cmp	eax, 0FFFFFFFEh
		jz	short loc_63C927

loc_63C925:				; CODE XREF: MiPurgeSlabEntries(x)+160j
					; MiPurgeSlabEntries(x)+17Aj ...
		xor	ebx, ebx

loc_63C927:				; CODE XREF: MiPurgeSlabEntries(x)+1A1j
					; MiPurgeSlabEntries(x)+1A6j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		push	1Ch
		pop	eax
		add	edi, eax
		add	esi, eax
		test	ebx, ebx
		jnz	loc_63C8A2

loc_63C93E:				; CODE XREF: MiPurgeSlabEntries(x)+129j
		mov	[esp+28h+var_18], ebx
		mov	[esp+28h+var_14], edi

loc_63C946:				; CODE XREF: MiPurgeSlabEntries(x)+11Cj
		mov	eax, [esp+28h+var_10]
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	cl, [esp+28h+var_19]
		inc	eax
		mov	[esp+28h+var_C], eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [esp+28h+var_4]
		xor	edi, edi
		mov	al, 21h
		lea	esi, [ebx+8]
		cmp	[ebx+24h], edi
		jnz	loc_63C7B3
		jmp	short loc_63C97F
; 

loc_63C97B:				; CODE XREF: MiPurgeSlabEntries(x)+114j
		mov	al, [esp+28h+var_19]

loc_63C97F:				; CODE XREF: MiPurgeSlabEntries(x)+1FCj
		cmp	al, 21h
		jz	short loc_63C98B
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_63C98B:				; CODE XREF: MiPurgeSlabEntries(x)+19j
					; MiPurgeSlabEntries(x)+204j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiPurgeSlabEntries@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiReInitializeFreeSlabPfn(x, x)
_MiReInitializeFreeSlabPfn@8 proc near	; CODE XREF: MiAllocateSlabEntry(x,x,x)+182p
					; MiFreePageToSlabAllocator(x,x,x)+92p	...
		cmp	dword ptr [edx+18h], 0
		jnz	short loc_63C9A3
		cmp	dword ptr [edx+1Ch], 2
		jnz	short loc_63C9A3
		push	0FFFFFFFEh
		pop	eax
		jmp	short loc_63C9A6
; 

loc_63C9A3:				; CODE XREF: MiReInitializeFreeSlabPfn(x,x)+4j
					; MiReInitializeFreeSlabPfn(x,x)+Aj
		or	eax, 0FFFFFFFFh

loc_63C9A6:				; CODE XREF: MiReInitializeFreeSlabPfn(x,x)+Fj
		mov	[ecx+4], eax
		mov	al, [ecx+16h]
		and	dword ptr [ecx], 0
		and	al, 0FDh
		and	dword ptr [ecx+10h], 0FF800000h
		or	al, 5
		mov	[ecx+16h], al
		add	ecx, 8
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		mov	eax, ds:dword_40F9FC
		mov	[ecx+4], eax
		jmp	_MiSetOriginalPtePfnFromFreeList@4 ; MiSetOriginalPtePfnFromFreeList(x)
_MiReInitializeFreeSlabPfn@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRemoveSlabEntry(x, x, x)
_MiRemoveSlabEntry@12 proc near		; CODE XREF: MiFreeSlabEntries(x,x,x)+C0p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		push	edi
		push	esi
		mov	ebx, ecx
		call	RtlRbRemoveNode
		cmp	[esi+0Ch], edi
		jnz	short loc_63C9F3
		and	dword ptr [esi+0Ch], 0

loc_63C9F3:				; CODE XREF: MiRemoveSlabEntry(x,x,x)+19j
		mov	eax, [edi+64h]
		mov	ecx, 0FFFFFE00h
		sub	[esi+10h], eax
		lea	eax, [ebx+1128h]
		dec	dword ptr [esi+14h]
		lock xadd [eax], ecx
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MiRemoveSlabEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReplenishSlabAllocator(x,	x, x, x)
_MiReplenishSlabAllocator@16 proc near	; CODE XREF: MmAccessFault+14B372p
					; MmAccessFault+14B39Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	eax, [esi+24h]
		add	eax, [esi+10h]
		cmp	eax, [ebp+arg_0]
		jnb	short loc_63CA3E
		push	[ebp+arg_4]
		call	_MiAllocateSlabEntry@12	; MiAllocateSlabEntry(x,x,x)
		test	eax, eax
		jz	short loc_63CA41
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_MiInsertSlabEntry@12 ;	MiInsertSlabEntry(x,x,x)

loc_63CA3E:				; CODE XREF: MiReplenishSlabAllocator(x,x,x,x)+14j
		xor	eax, eax
		inc	eax

loc_63CA41:				; CODE XREF: MiReplenishSlabAllocator(x,x,x,x)+20j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_MiReplenishSlabAllocator@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSlabAllocatorRecentFailure(x)
_MiSlabAllocatorRecentFailure@4	proc near ; CODE XREF: MiAllocateSlabEntry(x,x,x)+13p
					; MiGetSlabPage(x,x,x,x,x)+3Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		lea	edi, [ecx+40h]
		mov	eax, [edi]
		or	eax, [edi+4]
		jz	short loc_63CA98
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		sub	eax, [edi]
		sbb	edx, [edi+4]
		test	edx, edx
		ja	short loc_63CA76
		jb	short loc_63CA71
		cmp	eax, 11E1A300h
		jnb	short loc_63CA76

loc_63CA71:				; CODE XREF: MiSlabAllocatorRecentFailure(x)+21j
		xor	eax, eax
		inc	eax
		jmp	short loc_63CA9A
; 

loc_63CA76:				; CODE XREF: MiSlabAllocatorRecentFailure(x)+1Fj
					; MiSlabAllocatorRecentFailure(x)+28j
		push	ebx
		push	esi

loc_63CA78:				; CODE XREF: MiSlabAllocatorRecentFailure(x)+48j
					; MiSlabAllocatorRecentFailure(x)+4Dj
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_4], ecx
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_63CA78
		cmp	edx, [ebp+var_4]
		jnz	short loc_63CA78
		pop	esi
		pop	ebx

loc_63CA98:				; CODE XREF: MiSlabAllocatorRecentFailure(x)+Fj
		xor	eax, eax

loc_63CA9A:				; CODE XREF: MiSlabAllocatorRecentFailure(x)+2Dj
		pop	edi
		leave
		retn
_MiSlabAllocatorRecentFailure@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateSlabPagePlaceholderState(x,	x, x, x)
_MiUpdateSlabPagePlaceholderState@16 proc near ; CODE XREF: MiAllocateSlabEntry(x,x,x)+1D2p
					; MiFreePageToSlabAllocator(x,x,x)+A0p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword ptr [ecx+18h], 0
		jnz	short loc_63CAE4
		cmp	[ebp+arg_0], 1
		jnz	short loc_63CAE4
		cmp	[ebp+arg_4], 0
		jz	short loc_63CAD4
		imul	ecx, edx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	eax, [ecx+18h]
		and	eax, 0BFFFFFFFh
		or	eax, 30000000h
		mov	[ecx+18h], eax
		call	MiAbortCombineScan
		jmp	short loc_63CAE4
; 

loc_63CAD4:				; CODE XREF: MiUpdateSlabPagePlaceholderState(x,x,x,x)+15j
		imul	eax, edx, 1Ch
		add	eax, ds:_MmPfnDatabase
		and	dword ptr [eax+18h], 8FFFFFFFh

loc_63CAE4:				; CODE XREF: MiUpdateSlabPagePlaceholderState(x,x,x,x)+9j
					; MiUpdateSlabPagePlaceholderState(x,x,x,x)+Fj	...
		pop	ebp
		retn	8
_MiUpdateSlabPagePlaceholderState@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckPteRelease(x, x)
_MiCheckPteRelease@8 proc near		; CODE XREF: .text:0047AA67p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	edx, esi
		mov	[ebp+var_18], edi
		shl	edx, 9
		mov	[ebp+var_14], edx
		test	edi, edi
		jnz	short loc_63CB29
		push	edi
		push	edi
		push	edx
		push	300h

loc_63CB1F:				; CODE XREF: MiCheckPteRelease(x,x)+92j
					; MiCheckPteRelease(x,x)+BCj ...
		push	0DAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_63CB29:				; CODE XREF: MiCheckPteRelease(x,x)+2Dj
		cmp	edx, ds:dword_6D07D0
		jb	loc_63CD6D
		mov	eax, edx
		shr	eax, 15h
		cmp	byte ptr ds:dword_6D3994[eax], 9
		jnz	loc_63CD6D
		sub	esi, ds:dword_6D35E8
		mov	edi, ds:dword_6D3390
		sar	esi, 3
		add	esi, esi
		mov	[ebp+var_10], edi
		mov	eax, esi
		mov	ecx, esi
		shr	eax, 5
		and	ecx, 1Fh
		mov	eax, [edi+eax*4]
		mov	edi, [ebp+var_18]
		sar	eax, cl
		test	al, 1
		jz	short loc_63CB7C
		push	0
		push	edi
		push	edx
		push	303h
		jmp	short loc_63CB1F
; 

loc_63CB7C:				; CODE XREF: MiCheckPteRelease(x,x)+87j
		test	esi, esi
		jz	short loc_63CBA9
		mov	edx, [ebp+var_10]
		lea	ecx, [esi-2]
		mov	eax, ecx
		and	ecx, 1Fh
		shr	eax, 5
		mov	eax, [edx+eax*4]
		mov	edx, [ebp+var_14]
		shr	eax, cl
		cmp	eax, 2
		jnz	short loc_63CBA9
		push	0
		push	edi
		push	edx
		push	304h
		jmp	loc_63CB1F
; 

loc_63CBA9:				; CODE XREF: MiCheckPteRelease(x,x)+96j
					; MiCheckPteRelease(x,x)+B1j
		mov	edx, [ebp+var_10]
		lea	edi, [esi+1]
		mov	eax, edi
		mov	ecx, edi
		shr	eax, 5
		and	ecx, 1Fh
		mov	eax, [edx+eax*4]
		mov	edx, [ebp+var_14]
		shr	eax, cl
		test	al, 1
		jz	short loc_63CBE1
		mov	edx, [ebp+var_10]

loc_63CBC8:				; CODE XREF: MiCheckPteRelease(x,x)+F4j
		add	edi, 2
		mov	eax, edi
		mov	ecx, edi
		shr	eax, 5
		and	ecx, 1Fh
		mov	eax, [edx+eax*4]
		shr	eax, cl
		test	al, 1
		jnz	short loc_63CBC8
		mov	edx, [ebp+var_14]

loc_63CBE1:				; CODE XREF: MiCheckPteRelease(x,x)+DBj
		mov	eax, [ebp+var_18]
		sub	edi, esi
		shr	edi, 1
		inc	edi
		mov	[ebp+var_1C], edi
		cmp	edi, eax
		jz	short loc_63CBFD
		push	edi
		push	eax
		push	edx
		push	305h
		jmp	loc_63CB1F
; 

loc_63CBFD:				; CODE XREF: MiCheckPteRelease(x,x)+106j
		lea	ecx, [esi+edi*2]
		mov	edx, esi
		cmp	esi, ecx
		jnb	short loc_63CC2C

loc_63CC06:				; CODE XREF: MiCheckPteRelease(x,x)+13Fj
		mov	edi, [ebp+var_10]
		mov	eax, edx
		shr	eax, 5
		mov	ecx, edx
		and	ecx, 1Fh
		mov	eax, [edi+eax*4]
		mov	edi, [ebp+var_1C]
		shr	eax, cl
		test	al, 1
		jnz	short loc_63CC6C
		add	edx, 2
		lea	eax, [esi+edi*2]
		cmp	edx, eax
		jb	short loc_63CC06
		mov	eax, [ebp+var_18]

loc_63CC2C:				; CODE XREF: MiCheckPteRelease(x,x)+11Cj
		lea	eax, [eax-1]
		xor	edx, edx
		lea	eax, [esi+eax*2]
		inc	edx
		mov	[ebp+var_14], eax
		push	2
		pop	edi
		cmp	esi, eax
		jnb	loc_63CCF4

loc_63CC43:				; CODE XREF: MiCheckPteRelease(x,x)+206j
		mov	eax, ds:dword_6D3390
		mov	ecx, esi
		shr	ecx, 5
		mov	[ebp+var_18], edx
		lea	eax, [eax+ecx*4]
		mov	ecx, esi
		and	ecx, 1Fh
		mov	[ebp+var_10], eax
		mov	[ebp+var_1C], ecx
		lea	eax, [ecx+1]
		cmp	eax, 20h
		ja	short loc_63CC89
		mov	eax, edx
		shl	eax, cl
		jmp	short loc_63CCE3
; 

loc_63CC6C:				; CODE XREF: MiCheckPteRelease(x,x)+135j
		mov	eax, [ebp+var_14]
		sub	edx, esi
		shl	edx, 0Bh
		push	edi
		and	edx, 0FFFFF000h
		add	edx, eax
		push	edx
		push	eax
		push	306h
		jmp	loc_63CB1F
; 

loc_63CC89:				; CODE XREF: MiCheckPteRelease(x,x)+17Cj
		test	ecx, ecx
		jz	short loc_63CCDB
		push	20h
		xor	eax, eax
		pop	edx
		sub	edx, ecx
		inc	eax
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [ebp+var_1C]
		dec	eax
		shl	eax, cl
		mov	ecx, [ebp+var_10]
		lock or	[ecx], eax
		xor	eax, eax
		add	ecx, 4
		inc	eax
		mov	[ebp+var_10], ecx
		sub	eax, edx
		mov	[ebp+var_18], eax
		cmp	eax, 20h
		jb	short loc_63CCD4
		mov	edx, eax
		shr	edx, 5

loc_63CCBD:				; CODE XREF: MiCheckPteRelease(x,x)+1E4j
		mov	dword ptr [ecx], 0FFFFFFFFh
		sub	eax, 20h
		add	ecx, 4
		sub	edx, 1
		jnz	short loc_63CCBD
		mov	[ebp+var_10], ecx
		mov	[ebp+var_18], eax

loc_63CCD4:				; CODE XREF: MiCheckPteRelease(x,x)+1CEj
		xor	edx, edx
		inc	edx
		test	eax, eax
		jz	short loc_63CCE9

loc_63CCDB:				; CODE XREF: MiCheckPteRelease(x,x)+1A3j
		mov	ecx, [ebp+var_18]
		mov	eax, edx
		shl	eax, cl
		dec	eax

loc_63CCE3:				; CODE XREF: MiCheckPteRelease(x,x)+182j
		mov	ecx, [ebp+var_10]
		lock or	[ecx], eax

loc_63CCE9:				; CODE XREF: MiCheckPteRelease(x,x)+1F1j
		add	esi, edi
		cmp	esi, [ebp+var_14]
		jb	loc_63CC43

loc_63CCF4:				; CODE XREF: MiCheckPteRelease(x,x)+155j
		mov	eax, ds:dword_6D3390
		mov	ecx, esi
		shr	ecx, 5
		and	esi, 1Fh
		lea	edx, [eax+ecx*4]
		lea	eax, [esi+2]
		mov	[ebp+var_18], edx
		cmp	eax, 20h
		ja	short loc_63CD22
		push	3
		pop	eax
		mov	ecx, esi
		shl	eax, cl

loc_63CD16:				; CODE XREF: MiCheckPteRelease(x,x)+283j
		lock or	[edx], eax

loc_63CD19:				; CODE XREF: MiCheckPteRelease(x,x)+279j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_63CD22:				; CODE XREF: MiCheckPteRelease(x,x)+225j
		test	esi, esi
		jz	short loc_63CD63
		push	20h
		xor	eax, eax
		pop	edx
		sub	edx, esi
		inc	eax
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, esi
		dec	eax
		shl	eax, cl
		mov	ecx, [ebp+var_18]
		lock or	[ecx], eax
		sub	edi, edx
		mov	edx, ecx
		add	edx, 4
		cmp	edi, 20h
		jb	short loc_63CD5F
		mov	eax, edi
		shr	eax, 5

loc_63CD4E:				; CODE XREF: MiCheckPteRelease(x,x)+275j
		mov	dword ptr [edx], 0FFFFFFFFh
		sub	edi, 20h
		add	edx, 4
		sub	eax, 1
		jnz	short loc_63CD4E

loc_63CD5F:				; CODE XREF: MiCheckPteRelease(x,x)+25Fj
		test	edi, edi
		jz	short loc_63CD19

loc_63CD63:				; CODE XREF: MiCheckPteRelease(x,x)+23Cj
		xor	eax, eax
		mov	ecx, edi
		inc	eax
		shl	eax, cl
		dec	eax
		jmp	short loc_63CD16
; 

loc_63CD6D:				; CODE XREF: MiCheckPteRelease(x,x)+47j
					; MiCheckPteRelease(x,x)+59j
		push	0
		push	0
		push	edx
		push	301h
		jmp	loc_63CB1F
_MiCheckPteRelease@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckPteReserve(x, x)
_MiCheckPteReserve@8 proc near		; CODE XREF: MiReservePtes+134869p
					; MiReservePtes+1348ACp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	eax, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], eax
		mov	edx, edi
		shl	edx, 9
		mov	[ebp+var_14], edx
		test	eax, eax
		jnz	short loc_63CDAC
		push	eax
		push	eax
		push	edx
		push	200h

loc_63CDA2:				; CODE XREF: MiCheckPteReserve(x,x)+133j
		push	0DAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_63CDAC:				; CODE XREF: MiCheckPteReserve(x,x)+1Cj
		sub	edi, ds:dword_6D35E8
		dec	eax
		sar	edi, 3
		xor	edx, edx
		add	edi, edi
		inc	edx
		push	2
		mov	esi, edi
		pop	ebx
		lea	eax, [edi+eax*2]
		mov	[ebp+var_C], eax
		cmp	edi, eax
		jnb	loc_63CE72

loc_63CDCE:				; CODE XREF: MiCheckPteReserve(x,x)+F0j
		mov	eax, ds:dword_6D3390
		mov	ecx, esi
		shr	ecx, 5
		lea	eax, [eax+ecx*4]
		mov	ecx, esi
		mov	[ebp+var_4], eax
		and	ecx, 1Fh
		mov	eax, [eax]
		sar	eax, cl
		mov	[ebp+var_8], ecx
		test	al, 1
		jz	loc_63CE95
		mov	eax, [ebp+var_8]
		mov	ecx, edx
		inc	eax
		cmp	eax, 20h
		ja	short loc_63CE08
		mov	ecx, [ebp+var_8]
		mov	eax, edx
		shl	eax, cl
		not	eax
		jmp	short loc_63CE5E
; 

loc_63CE08:				; CODE XREF: MiCheckPteReserve(x,x)+7Fj
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_63CE59
		push	20h
		pop	edx
		sub	edx, eax
		xor	eax, eax
		inc	eax
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, [ebp+var_8]
		dec	eax
		shl	eax, cl
		mov	ecx, [ebp+var_4]
		not	eax
		lock and [ecx],	eax
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		inc	ecx
		add	eax, 4
		sub	ecx, edx
		mov	[ebp+var_4], eax
		cmp	ecx, 20h
		jb	short loc_63CE55
		mov	edx, ecx
		shr	edx, 5

loc_63CE41:				; CODE XREF: MiCheckPteReserve(x,x)+D4j
		mov	dword ptr [eax], 0
		sub	ecx, 20h
		add	eax, 4
		sub	edx, 1
		jnz	short loc_63CE41
		mov	[ebp+var_4], eax

loc_63CE55:				; CODE XREF: MiCheckPteReserve(x,x)+BEj
		test	ecx, ecx
		jz	short loc_63CE64

loc_63CE59:				; CODE XREF: MiCheckPteReserve(x,x)+91j
		or	eax, 0FFFFFFFFh
		shl	eax, cl

loc_63CE5E:				; CODE XREF: MiCheckPteReserve(x,x)+8Aj
		mov	ecx, [ebp+var_4]
		lock and [ecx],	eax

loc_63CE64:				; CODE XREF: MiCheckPteReserve(x,x)+DBj
		add	esi, ebx
		push	1
		pop	edx
		cmp	esi, [ebp+var_C]
		jb	loc_63CDCE

loc_63CE72:				; CODE XREF: MiCheckPteReserve(x,x)+4Cj
		mov	eax, ds:dword_6D3390
		mov	edx, esi
		shr	edx, 5
		and	esi, 1Fh
		lea	edx, [eax+edx*4]
		lea	eax, [esi+2]
		cmp	eax, 20h
		ja	short loc_63CEB4
		push	3
		pop	eax
		mov	ecx, esi
		shl	eax, cl
		not	eax
		jmp	short loc_63CEF9
; 

loc_63CE95:				; CODE XREF: MiCheckPteReserve(x,x)+70j
		push	[ebp+var_10]
		mov	eax, [ebp+var_14]
		sub	esi, edi
		shl	esi, 0Bh
		and	esi, 0FFFFF000h
		add	esi, eax
		push	esi
		push	eax
		push	201h
		jmp	loc_63CDA2
; 

loc_63CEB4:				; CODE XREF: MiCheckPteReserve(x,x)+10Cj
		test	esi, esi
		jz	short loc_63CEF2
		push	20h
		xor	edi, edi
		pop	eax
		sub	eax, esi
		inc	edi
		mov	ecx, eax
		shl	edi, cl
		mov	ecx, esi
		dec	edi
		shl	edi, cl
		not	edi
		lock and [edx],	edi
		sub	ebx, eax
		add	edx, 4
		cmp	ebx, 20h
		jb	short loc_63CEEE
		mov	eax, ebx
		shr	eax, 5

loc_63CEDD:				; CODE XREF: MiCheckPteReserve(x,x)+170j
		mov	dword ptr [edx], 0
		sub	ebx, 20h
		add	edx, 4
		sub	eax, 1
		jnz	short loc_63CEDD

loc_63CEEE:				; CODE XREF: MiCheckPteReserve(x,x)+15Aj
		test	ebx, ebx
		jz	short loc_63CEFC

loc_63CEF2:				; CODE XREF: MiCheckPteReserve(x,x)+13Aj
		mov	ecx, ebx
		or	eax, 0FFFFFFFFh
		shl	eax, cl

loc_63CEF9:				; CODE XREF: MiCheckPteReserve(x,x)+117j
		lock and [edx],	eax

loc_63CEFC:				; CODE XREF: MiCheckPteReserve(x,x)+174j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiCheckPteReserve@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiDeleteDirectMapFixupPfn(x)
_MiDeleteDirectMapFixupPfn@4 proc near	; CODE XREF: MiFreeRelocations+AD1FAp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	dl, [esi+16h]
		lea	edi, [esi+10h]
		or	dword ptr [edi], 40000000h
		and	dl, 0FEh
		or	dl, 6
		mov	ecx, esi
		mov	bl, al
		mov	[esi+16h], dl
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		test	eax, eax
		jz	short loc_63CF47
		sub	esi, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		mov	eax, esi
		cdq
		idiv	ecx
		push	2
		pop	edx
		mov	ecx, eax
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)

loc_63CF47:				; CODE XREF: MiDeleteDirectMapFixupPfn(x)+2Cj
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, bl
		pop	edi
		pop	esi
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiDeleteDirectMapFixupPfn@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeUnusedImageExtentsCold(x)
_MiMakeUnusedImageExtentsCold@4	proc near ; CODE XREF: MiRelocateImage+14E1B0p

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	84h		; size_t
		lea	eax, [ebp+var_8C]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esi+38h]
		add	esp, 0Ch
		mov	eax, [eax+10h]
		mov	esi, [eax+3Ch]
		and	[ebp+var_98], 0
		and	[ebp+var_94], 0
		mov	[ebp+var_90], 10h
		test	esi, esi
		jz	short loc_63CFF6

loc_63CFAD:				; CODE XREF: MiMakeUnusedImageExtentsCold(x)+86j
		push	2
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		lea	ecx, [ebp+var_98]
		mov	edx, eax
		call	_MiAddPageToHeatList@12	; MiAddPageToHeatList(x,x,x)
		mov	esi, [esi]
		test	esi, 1FFFFFFEh
		jz	short loc_63CFE2
		and	esi, 0FFFFFFFEh
		or	esi, 0E0000000h
		shl	esi, 2
		jmp	short loc_63CFAD
; 

loc_63CFE2:				; CODE XREF: MiMakeUnusedImageExtentsCold(x)+78j
		cmp	[ebp+var_94], 0
		jz	short loc_63CFF6
		lea	ecx, [ebp+var_98]
		call	_MiNotifyPageHeat@4 ; MiNotifyPageHeat(x)

loc_63CFF6:				; CODE XREF: MiMakeUnusedImageExtentsCold(x)+51j
					; MiMakeUnusedImageExtentsCold(x)+8Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiMakeUnusedImageExtentsCold@4	endp


;  S U B	R O U T	I N E 


; __stdcall MiFlushCacheRange(x, x, x)
_MiFlushCacheRange@12 proc near		; CODE XREF: MiRemovePhysicalMemory(x,x,x)+280p
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		cmp	esi, ds:dword_6D06E4
		jb	short loc_63D025
		inc	ds:dword_6D06DC
		call	KeInvalidateAllCaches
		xor	eax, eax
		inc	eax
		jmp	short loc_63D044
; 

loc_63D025:				; CODE XREF: MiFlushCacheRange(x,x,x)+10j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	3
		mov	edx, esi
		mov	ecx, edi
		mov	bl, al
		call	_MiFlushCacheForAttributeChange@12 ; MiFlushCacheForAttributeChange(x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax

loc_63D044:				; CODE XREF: MiFlushCacheRange(x,x,x)+20j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		retn	4
_MiFlushCacheRange@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiStoreFreeWriteSupport(x, x)
_MiStoreFreeWriteSupport@8 proc	near	; CODE XREF: MiStoreWriteModifiedPages+133D55p
		mov	eax, ecx
		mov	ecx, 100h
		cmp	[edx+2F4h], cx
		jnb	short loc_63D068
		lea	ecx, [edx+2F0h]
		mov	edx, eax
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
; 

loc_63D068:				; CODE XREF: MiStoreFreeWriteSupport(x,x)+Ej
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
_MiStoreFreeWriteSupport@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiStoreLogFullPagefile()
_MiStoreLogFullPagefile@0 proc near	; CODE XREF: MiStoreWriteModifiedPages:loc_5B48F2p

var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ds:dword_6D35BC
		test	esi, esi
		jz	short loc_63D0BA
		cmp	dword ptr [esi], 5
		jbe	short loc_63D0BA
		push	0
		push	2
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_63D0BA
		lea	eax, [ebp+var_28]
		mov	edx, offset loc_41D29C
		push	eax
		push	2
		push	ecx
		push	ecx
		push	1
		push	ecx
		push	ecx
		mov	ecx, esi
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_63D0BA:				; CODE XREF: MiStoreLogFullPagefile()+1Bj
					; MiStoreLogFullPagefile()+20j	...
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiStoreLogFullPagefile@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiStoreLogWriteIssueFailure(x, x, x, x, x, x)
_MiStoreLogWriteIssueFailure@24	proc near ; CODE XREF: MiStoreWriteModifiedPages+133D33p

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ds:dword_6D35BC
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	loc_63D1F0
		cmp	dword ptr [esi], 5
		jbe	loc_63D1F0
		push	0
		push	2
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_63D1F0
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_78], eax
		xor	edx, edx
		mov	eax, [edi]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_68], eax
		mov	eax, [edi+4]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_AC]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_98]
		push	eax
		push	9
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	[ebp+var_74], edx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], edx
		mov	[ebp+var_B4], edx
		mov	[ebp+var_64], edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		mov	edx, offset loc_41D341
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_60], 8
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_63D1F0:				; CODE XREF: MiStoreLogWriteIssueFailure(x,x,x,x,x,x)+24j
					; MiStoreLogWriteIssueFailure(x,x,x,x,x,x)+2Dj	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_MiStoreLogWriteIssueFailure@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiStoreLogWriteIssueRetry(x, x, x, x, x)
_MiStoreLogWriteIssueRetry@20 proc near	; CODE XREF: MiStoreWriteModifiedPages+133CF2p

var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B0h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, ds:dword_6D35BC
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	loc_63D30F
		cmp	dword ptr [esi], 5
		jbe	loc_63D30F
		push	0
		push	2
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_63D30F
		mov	eax, [edi]
		xor	ecx, ecx
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_6C], eax
		mov	eax, [edi+4]
		xor	edi, edi
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_98]
		push	8
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_4]
		pop	edx
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_9C]
		push	4
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_60], ecx
		pop	ecx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_8C]
		push	eax
		push	edx
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	[ebp+var_64], edx
		mov	edx, offset loc_41D3D0
		mov	[ebp+var_54], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_14], ecx
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_58], edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_94], ebx
		mov	[ebp+var_48], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_63D30F:				; CODE XREF: MiStoreLogWriteIssueRetry(x,x,x,x,x)+24j
					; MiStoreLogWriteIssueRetry(x,x,x,x,x)+2Dj ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_MiStoreLogWriteIssueRetry@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmStoreLogCorruptionFixed(x, x, x)
_MmStoreLogCorruptionFixed@12 proc near	; CODE XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+216p

var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B0h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_6D35BC, 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		jz	loc_63D492
		push	esi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		push	0
		mov	edi, 1000h
		push	edi
		push	edx
		push	eax
		call	__alldiv
		mov	ecx, esi
		mov	[ebp+var_94], eax
		and	ecx, 0FFFh
		add	ecx, 0FFFh
		add	ecx, ebx
		and	ecx, 0FFFFF000h
		cmp	ecx, edi
		jz	short loc_63D39B
		lea	ecx, [esi-1]
		add	ecx, ebx
		push	ecx
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		push	0
		push	edi
		push	edx
		push	eax
		call	__alldiv
		mov	[ebp+var_90], eax
		jmp	short loc_63D3A2
; 

loc_63D39B:				; CODE XREF: MmStoreLogCorruptionFixed(x,x,x)+5Cj
		or	[ebp+var_90], 0FFFFFFFFh

loc_63D3A2:				; CODE XREF: MmStoreLogCorruptionFixed(x,x,x)+79j
		mov	edi, ds:dword_6D35BC
		cmp	dword ptr [edi], 5
		jbe	loc_63D492
		push	4000h
		push	2
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_63D492
		lea	eax, [ebp+var_98]
		mov	[ebp+var_98], esi
		mov	[ebp+var_6C], eax
		xor	edx, edx
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_68], edx
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_94]
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_94]
		push	4
		pop	ecx
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_90]
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_90]
		push	8
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_64], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_24], ecx
		pop	ecx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_8C]
		push	eax
		push	ecx
		push	edx
		push	edx
		push	1
		push	edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_A8], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], ecx
		mov	ecx, edi
		mov	[ebp+var_10], edx
		push	edx
		mov	edx, offset loc_41D218
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_AC], 1000000h
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_63D492:				; CODE XREF: MmStoreLogCorruptionFixed(x,x,x)+23j
					; MmStoreLogCorruptionFixed(x,x,x)+8Bj	...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MmStoreLogCorruptionFixed@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDereferenceDataSubsections(x, x, x, x, x)
_MiDereferenceDataSubsections@20 proc near ; CODE XREF:	MiInsertInSystemSpace+11E8C3p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		push	dword ptr [edx+4]
		and	[esp+0Ch+var_8], 0
		push	dword ptr [edx]
		and	[esp+10h+var_4], 0
		lea	edx, [esp+10h+var_8]
		call	MiOffsetToProtos
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		add	edx, [esp+8+var_8]
		adc	ecx, [esp+8+var_4]
		push	ecx
		push	edx
		mov	ecx, eax
		call	_MiRemoveViewsFromSectionWithPfn@16 ; MiRemoveViewsFromSectionWithPfn(x,x,x,x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MiDereferenceDataSubsections@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeProtoPfn(x, x, x, x)
_MiInitializeProtoPfn@16 proc near	; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+D7p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	byte ptr [ebp+var_1], 0
		push	edi
		imul	edi, eax, 1Ch
		mov	ebx, edx
		mov	[ebp+var_C], eax
		add	edi, ds:_MmPfnDatabase
		xor	esi, esi

loc_63D501:				; CODE XREF: MiInitializeProtoPfn(x,x,x,x)+3Cj
		lea	edx, [ebp+var_1]
		mov	ecx, ebx
		call	MiLockProtoPoolPage
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_63D51E
		push	esi
		push	esi
		push	ebx
		push	2
		call	MmAccessFault
		jmp	short loc_63D501
; 

loc_63D51E:				; CODE XREF: MiInitializeProtoPfn(x,x,x,x)+30j
		mov	[ebp+var_8], esi
		lea	esi, [edi+10h]
		jmp	short loc_63D534
; 

loc_63D526:				; CODE XREF: MiInitializeProtoPfn(x,x,x,x)+52j
					; MiInitializeProtoPfn(x,x,x,x)+59j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_63D526

loc_63D534:				; CODE XREF: MiInitializeProtoPfn(x,x,x,x)+44j
		lock bts dword ptr [esi], 1Fh
		jb	short loc_63D526
		mov	esi, [ebp+arg_0]
		mov	edx, ebx
		push	117h
		push	esi
		mov	ecx, edi
		call	_MiInitializePfn@16 ; MiInitializePfn(x,x,x,x)
		mov	edx, [ebp+var_C]
		or	esi, 80000000h
		push	esi
		xor	ecx, ecx
		call	MiMakeValidPte
		and	[ebp+arg_0], 0
		mov	esi, eax
		mov	ecx, ebx
		and	esi, 0FFFFFEFFh
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_63D5BD
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_63D59B
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	short loc_63D5C0
		mov	eax, esi
		and	eax, ecx

loc_63D58E:				; CODE XREF: MiInitializeProtoPfn(x,x,x,x)+DBj
		or	eax, 0
		jz	short loc_63D5C0
		or	edx, 80000000h
		jmp	short loc_63D5C0
; 

loc_63D59B:				; CODE XREF: MiInitializeProtoPfn(x,x,x,x)+9Cj
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_63D5C0
		mov	eax, esi
		and	eax, 1
		jmp	short loc_63D58E
; 

loc_63D5BD:				; CODE XREF: MiInitializeProtoPfn(x,x,x,x)+93j
		mov	ecx, [ebp+arg_0]

loc_63D5C0:				; CODE XREF: MiInitializeProtoPfn(x,x,x,x)+A8j
					; MiInitializeProtoPfn(x,x,x,x)+B1j ...
		mov	[ebx+4], edx
		nop
		mov	[ebx], esi
		test	ecx, ecx
		jz	short loc_63D5D3
		push	edx
		push	esi
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_63D5D3:				; CODE XREF: MiInitializeProtoPfn(x,x,x,x)+E8j
		inc	word ptr [edi+14h]
		mov	ecx, edi
		call	MiDecrementShareCount
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, [ebp+var_10]
		call	MiUnlockProtoPoolPage
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiInitializeProtoPfn@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFindPlaceholderVadToReplace(x, x,	x, x)
_MiFindPlaceholderVadToReplace@16 proc near ; CODE XREF: MiReserveUserMemory+15FCE2p
					; MiMapViewOfDataSection+F913Cp

var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		push	esi
		mov	esi, large fs:124h
		mov	eax, ecx
		push	edi
		mov	[ebp+var_C], edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], esi
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_63DA4F
		dec	word ptr [esi+13Eh]
		nop
		lea	esi, [edi+18h]
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_8], esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_10]
		or	byte ptr [ecx+304h], 80h
		nop
		mov	eax, [edi+1Ch]
		mov	[ebp+var_18], eax
		test	al, 4
		jnz	loc_63D8A5
		mov	eax, [edi+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jnz	loc_63D8A5
		mov	eax, [edi+0Ch]
		mov	[ebp+var_1C], eax
		shl	eax, 0Ch
		mov	[ebp+var_30], eax
		cmp	eax, [ebp+var_14]
		jnz	loc_63D8A5
		mov	edx, [edi+10h]
		mov	eax, edx
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	eax, [ebp+var_C]
		jnz	loc_63D8A5
		test	byte ptr [ebp+var_18], 8
		jz	loc_63D898
		sub	edx, [ebp+var_1C]
		mov	ecx, edi
		push	dword ptr [ebx+8]
		inc	edx
		shl	edx, 0Ch
		push	55h
		push	edx
		mov	edx, [ebp+var_30]
		call	MiCheckSecuredVad
		mov	ecx, [ebx+0Ch]
		mov	[ecx], eax
		test	eax, eax
		jns	loc_63D898
		mov	eax, [ebp+var_10]
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_C], ecx
		and	byte ptr [eax+304h], 7Fh
		mov	eax, ecx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_63D6F7
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_63D6F7:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+F3j
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	esi, 7FFFFFFCh
		jz	loc_63D88B
		mov	eax, [ebp+var_8]
		mov	edx, eax
		mov	esi, large fs:124h
		mov	ecx, ds:dword_6D07D0
		shr	edx, 15h
		cmp	eax, ecx
		push	0FFFFFFFFh
		mov	[ebp+var_30], ecx
		mov	[ebp+var_1C], esi
		pop	ecx
		jb	short loc_63D733
		cmp	byte ptr ds:dword_6D3994[edx], 1
		jz	short loc_63D741

loc_63D733:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+12Dj
		cmp	eax, [ebp+var_30]
		jb	short loc_63D754
		cmp	byte ptr ds:dword_6D3994[edx], 0Bh
		jnz	short loc_63D754

loc_63D741:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+136j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]

loc_63D754:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+13Bj
					; MiFindPlaceholderVadToReplace(x,x,x,x)+144j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	dl
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_63D7A0
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_63D812

loc_63D78D:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+35Cj
		push	0
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_63D7A0:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+182j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_63D7B6
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_63D7B6:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+1B1j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_63D800
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_63D812
; 

loc_63D800:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+1F1j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_1C]

loc_63D812:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+18Cj
					; MiFindPlaceholderVadToReplace(x,x,x,x)+203j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	short loc_63D873
		test	edi, 8000h
		jz	short loc_63D836
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_63D836:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+230j
		test	byte ptr [ebp+var_14+2], 1
		jz	short loc_63D846
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_63D846:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+23Fj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_63D85A
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_63D85A:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+252j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_63D873
		push	[ebp+var_30]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_63D873:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+228j
					; MiFindPlaceholderVadToReplace(x,x,x,x)+269j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_63D88B
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_63D88B
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_63D88B:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+107j
					; MiFindPlaceholderVadToReplace(x,x,x,x)+281j ...
		mov	ecx, [ebp+var_10]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_63DA58
; 

loc_63D898:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+AFj
					; MiFindPlaceholderVadToReplace(x,x,x,x)+D3j
		mov	eax, [ebx+0Ch]
		and	dword ptr [eax], 0
		mov	eax, edi
		jmp	loc_63DA5A
; 

loc_63D8A5:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+67j
					; MiFindPlaceholderVadToReplace(x,x,x,x)+7Aj ...
		and	byte ptr [ecx+304h], 7Fh
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_C], ecx
		mov	eax, ecx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_63D8C5
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_63D8C5:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+2C1j
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	esi, 7FFFFFFCh
		jz	loc_63DA47
		mov	eax, [ebp+var_8]
		mov	edx, eax
		mov	esi, large fs:124h
		mov	ecx, ds:dword_6D07D0
		shr	edx, 15h
		cmp	eax, ecx
		push	0FFFFFFFFh
		mov	[ebp+var_30], ecx
		mov	[ebp+var_1C], esi
		pop	ecx
		jb	short loc_63D901
		cmp	byte ptr ds:dword_6D3994[edx], 1
		jz	short loc_63D90F

loc_63D901:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+2FBj
		cmp	eax, [ebp+var_30]
		jb	short loc_63D922
		cmp	byte ptr ds:dword_6D3994[edx], 0Bh
		jnz	short loc_63D922

loc_63D90F:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+304j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]

loc_63D922:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+309j
					; MiFindPlaceholderVadToReplace(x,x,x,x)+312j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	dl
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_63D95C
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_63D9CE
		jmp	loc_63D78D
; 

loc_63D95C:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+350j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_63D972
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_63D972:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+36Dj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_63D9BC
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_63D9CE
; 

loc_63D9BC:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+3ADj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_1C]

loc_63D9CE:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+35Aj
					; MiFindPlaceholderVadToReplace(x,x,x,x)+3BFj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	short loc_63DA2F
		test	edi, 8000h
		jz	short loc_63D9F2
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_63D9F2:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+3ECj
		test	byte ptr [ebp+var_14+2], 1
		jz	short loc_63DA02
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_63DA02:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+3FBj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_63DA16
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_63DA16:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+40Ej
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_63DA2F
		push	[ebp+var_30]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_63DA2F:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+3E4j
					; MiFindPlaceholderVadToReplace(x,x,x,x)+425j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_63DA47
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_63DA47
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_63DA47:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+2D5j
					; MiFindPlaceholderVadToReplace(x,x,x,x)+43Dj ...
		mov	ecx, [ebp+var_10]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_63DA4F:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+37j
		mov	eax, [ebx+0Ch]
		mov	dword ptr [eax], 0C0000018h

loc_63DA58:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+298j
		xor	eax, eax

loc_63DA5A:				; CODE XREF: MiFindPlaceholderVadToReplace(x,x,x,x)+2A5j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_MiFindPlaceholderVadToReplace@16 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiHonorRangeStraddleRequirement(x, x, x, x)
_MiHonorRangeStraddleRequirement@16 proc near
					; CODE XREF: MiFindEmptyAddressRangeInTree+13B18Bp
					; MiFindEmptyAddressRangeInTree+13B1BEp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		dec	eax
		lea	esi, [edx-1]
		not	eax
		add	esi, ecx
		and	esi, eax
		and	eax, ecx
		cmp	esi, eax
		jz	short loc_63DA8C
		cmp	[ebp+arg_4], 0
		jnz	short loc_63DA88

loc_63DA84:				; CODE XREF: MiHonorRangeStraddleRequirement(x,x,x,x)+25j
		mov	eax, esi
		jmp	short loc_63DA8E
; 

loc_63DA88:				; CODE XREF: MiHonorRangeStraddleRequirement(x,x,x,x)+1Dj
		sub	esi, edx
		jmp	short loc_63DA84
; 

loc_63DA8C:				; CODE XREF: MiHonorRangeStraddleRequirement(x,x,x,x)+17j
		mov	eax, ecx

loc_63DA8E:				; CODE XREF: MiHonorRangeStraddleRequirement(x,x,x,x)+21j
		pop	esi
		pop	ebp
		retn	8
_MiHonorRangeStraddleRequirement@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRemovePlaceholderVad(x)
_MiRemovePlaceholderVad@4 proc near	; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+152p
					; MiPreparePlaceholderVadReplacement(x,x,x)+1Ap

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, large fs:124h
		mov	[ebp+var_20], ecx
		push	esi
		push	edi
		mov	ecx, [eax+80h]
		dec	word ptr [eax+13Eh]
		mov	[ebp+var_28], eax
		mov	[ebp+var_10], ecx
		lea	edi, [ecx+240h]
		nop
		lea	esi, [ecx+138h]
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_8], esi
		call	ExAcquirePushLockExclusiveEx
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 2
		mov	eax, offset unk_6D3C40
		jz	short loc_63DAF8
		lea	eax, [edi+80h]

loc_63DAF8:				; CODE XREF: MiRemovePlaceholderVad(x)+5Dj
		push	eax
		mov	[ebp+var_C], eax
		call	ExAcquireSpinLockExclusive
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_20]
		mov	byte ptr [ebp+var_4+3],	al
		mov	eax, [ebp+var_C]
		and	dword ptr [eax+4], 0
		call	_MiRemoveVad@8	; MiRemoveVad(x,x)
		mov	dl, byte ptr [ebp+var_4+3]
		mov	ecx, edi
		call	MiUnlockWorkingSetExclusive
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_63DB39
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_63DB39:				; CODE XREF: MiRemovePlaceholderVad(x)+9Dj
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	esi, 7FFFFFFCh
		jz	loc_63DCCC
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_63DB75
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_63DB83

loc_63DB75:				; CODE XREF: MiRemovePlaceholderVad(x)+D7j
		cmp	eax, [ebp+var_20]
		jb	short loc_63DB96
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_63DB96

loc_63DB83:				; CODE XREF: MiRemovePlaceholderVad(x)+E0j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]

loc_63DB96:				; CODE XREF: MiRemovePlaceholderVad(x)+E5j
					; MiRemovePlaceholderVad(x)+EEj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_63DBE1
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_63DC53
		push	ecx
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_63DBE1:				; CODE XREF: MiRemovePlaceholderVad(x)+12Cj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_63DBF7
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_63DBF7:				; CODE XREF: MiRemovePlaceholderVad(x)+15Aj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_63DC41
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_63DC53
; 

loc_63DC41:				; CODE XREF: MiRemovePlaceholderVad(x)+19Aj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]

loc_63DC53:				; CODE XREF: MiRemovePlaceholderVad(x)+136j
					; MiRemovePlaceholderVad(x)+1ACj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_63DCB4
		test	edi, 8000h
		jz	short loc_63DC77
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_63DC77:				; CODE XREF: MiRemovePlaceholderVad(x)+1D9j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_63DC87
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_63DC87:				; CODE XREF: MiRemovePlaceholderVad(x)+1E8j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_63DC9B
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_63DC9B:				; CODE XREF: MiRemovePlaceholderVad(x)+1FBj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_63DCB4
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_63DCB4:				; CODE XREF: MiRemovePlaceholderVad(x)+1D1j
					; MiRemovePlaceholderVad(x)+212j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_63DCCC
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_63DCCC
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_63DCCC:				; CODE XREF: MiRemovePlaceholderVad(x)+B1j
					; MiRemovePlaceholderVad(x)+22Aj ...
		mov	ecx, [ebp+var_28]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_MiRemovePlaceholderVad@4 endp ; sp =  4


;  S U B	R O U T	I N E 


; __stdcall MiRemoveVad(x, x)
_MiRemoveVad@8	proc near		; CODE XREF: MiRemovePlaceholderVad(x)+7Ep
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		push	edi
		lea	ebx, [esi+350h]
		push	ebx
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		cmp	[esi+354h], edi
		jnz	short loc_63DD03
		mov	eax, [ebx]
		mov	[esi+354h], eax

loc_63DD03:				; CODE XREF: MiRemoveVad(x,x)+1Cj
		dec	dword ptr [esi+358h]
		mov	ecx, edi
		mov	dword ptr [edi+8], 0FFFFFFFEh
		call	_MiIsVadLargePrivate@4 ; MiIsVadLargePrivate(x)
		test	eax, eax
		jz	short loc_63DD37
		mov	eax, [edi+1Ch]
		shr	eax, 12h
		and	eax, 3
		cmp	ds:_MiVadPageSizes[eax*4], 200h
		jb	short loc_63DD37
		dec	dword ptr [esi+394h]

loc_63DD37:				; CODE XREF: MiRemoveVad(x,x)+3Cj
					; MiRemoveVad(x,x)+52j
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiRemoveVad@8	endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall UNLOCK_ADDRESS_SPACE_SHARED_UNORDERED(x, x)
_UNLOCK_ADDRESS_SPACE_SHARED_UNORDERED@8 proc near ; CODE XREF:	MiLockVadRange:loc_8DDFEAp
		mov	edi, edi
		push	esi
		push	edi
		push	11h
		lea	edi, [edx+134h]
		mov	esi, ecx
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_63DD5C
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_63DD5C:				; CODE XREF: UNLOCK_ADDRESS_SPACE_SHARED_UNORDERED(x,x)+18j
		mov	ecx, edi
		call	KeAbPostRelease
		and	byte ptr [esi+304h], 0FDh
		mov	ecx, esi
		pop	edi
		pop	esi
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
_UNLOCK_ADDRESS_SPACE_SHARED_UNORDERED@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiClusterVadActive(x, x, x)
_MiClusterVadActive@12 proc near	; CODE XREF: MiLockStealUserVm(x,x,x,x,x)+2FDp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	esp, 10h
		or	dword ptr [eax], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	esi, [edx+4]
		shl	esi, 9
		mov	edx, esi
		and	edx, 0FFFF0000h
		mov	eax, edx
		shr	eax, 0Ch
		push	edi
		cmp	eax, [ecx+0Ch]
		jb	short loc_63DE12
		lea	eax, [edx+0FFFFh]
		shr	eax, 0Ch
		cmp	eax, [ecx+10h]
		ja	short loc_63DE12
		and	[ebp+var_4], 0
		or	edi, 0FFFFFFFFh
		shr	edx, 9
		sub	edx, 40000000h
		xor	ecx, ecx

loc_63DDBC:				; CODE XREF: MiClusterVadActive(x,x,x)+8Ej
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		mov	ebx, [edx]
		nop
		mov	eax, [edx+4]
		mov	[ebp+var_C], eax
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	short loc_63DDF7
		nop
		mov	eax, [ebp+var_C]
		shrd	ebx, eax, 0Ch
		and	ebx, 1FFFFFFh
		mov	eax, ebx
		and	eax, 0Fh
		cmp	eax, ecx
		jnz	short loc_63DE12
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_63DE1B
		mov	edi, ebx
		sub	edi, ecx

loc_63DDF7:				; CODE XREF: MiClusterVadActive(x,x,x)+62j
		mov	eax, [ebp+var_4]

loc_63DDFA:				; CODE XREF: MiClusterVadActive(x,x,x)+B5j
		inc	ecx
		add	edx, 8
		cmp	ecx, 10h
		jb	short loc_63DDBC
		test	eax, eax
		jnz	short loc_63DE2A
		mov	eax, [ebp+arg_0]
		shr	esi, 0Ch
		and	esi, 0Fh
		mov	[eax], esi

loc_63DE12:				; CODE XREF: MiClusterVadActive(x,x,x)+27j
					; MiClusterVadActive(x,x,x)+35j ...
		xor	eax, eax

loc_63DE14:				; CODE XREF: MiClusterVadActive(x,x,x)+BAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_63DE1B:				; CODE XREF: MiClusterVadActive(x,x,x)+7Ej
		lea	eax, [edi+ecx]
		cmp	ebx, eax
		jnz	short loc_63DE12
		xor	eax, eax
		inc	eax
		mov	[ebp+var_4], eax
		jmp	short loc_63DDFA
; 

loc_63DE2A:				; CODE XREF: MiClusterVadActive(x,x,x)+92j
		xor	eax, eax
		inc	eax
		jmp	short loc_63DE14
_MiClusterVadActive@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiClusterVadFull(x,	x)
_MiClusterVadFull@8 proc near		; CODE XREF: MiPfnsWorthTrying(x,x,x,x,x)+378p
					; MiTrimSharedPage+E1A8Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	eax, ecx
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ebx
		cdq
		idiv	ebx
		mov	edx, [ecx+4]
		or	edx, 80000000h
		mov	ebx, eax
		test	edi, edi
		jz	short loc_63DE82
		mov	esi, [edi+4]
		cmp	edx, esi
		jb	short loc_63DEC9
		mov	ecx, [edi+24h]
		mov	eax, [edi+1Ch]
		and	ecx, 3FFFFFFFh
		sub	eax, ecx
		lea	eax, [esi+eax*8]
		cmp	edx, eax
		jnb	short loc_63DEC9
		mov	ecx, [ebp+var_4]
		mov	eax, edx
		sub	eax, esi
		sar	eax, 3
		jmp	short loc_63DE87
; 

loc_63DE82:				; CODE XREF: MiClusterVadFull(x,x)+29j
		mov	eax, edx
		shr	eax, 3

loc_63DE87:				; CODE XREF: MiClusterVadFull(x,x)+51j
		xor	ebx, eax
		test	bl, 0Fh
		jnz	short loc_63DEC9
		mov	ebx, [ecx+18h]
		lea	esi, [ecx+34h]
		xor	edi, edi
		and	ebx, offset loc_7FFFFF
		add	edx, 8
		inc	edi

loc_63DEA0:				; CODE XREF: MiClusterVadFull(x,x)+93j
		mov	eax, [esi-14h]
		or	eax, 80000000h
		cmp	eax, edx
		jnz	short loc_63DEC9
		mov	ecx, [esi]
		and	ecx, offset loc_7FFFFF
		cmp	ecx, ebx
		jnz	short loc_63DEC9
		add	edx, 8
		add	esi, 1Ch
		inc	edi
		cmp	edi, 10h
		jb	short loc_63DEA0
		xor	eax, eax
		inc	eax
		jmp	short loc_63DECB
; 

loc_63DEC9:				; CODE XREF: MiClusterVadFull(x,x)+30j
					; MiClusterVadFull(x,x)+45j ...
		xor	eax, eax

loc_63DECB:				; CODE XREF: MiClusterVadFull(x,x)+98j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiClusterVadFull@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetClusterPage(x,	x, x, x, x, x)
_MiGetClusterPage@24 proc near		; CODE XREF: MiResolvePrivateZeroFault(x)+1A9p
					; MiCreateSharedZeroPages+106A19p

var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0FCh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[ebp+var_BC], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_C]
		push	esi
		push	edi
		mov	[ebp+var_A8], eax
		lea	edi, [ebp+var_CC]
		xor	eax, eax
		mov	[ebp+var_8C], ebx
		stosd
		mov	esi, ecx
		push	30h		; size_t
		push	0		; int
		mov	[ebp+var_B8], esi
		stosd
		stosd
		lea	eax, [ebp+var_FC]
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_A8]
		mov	ecx, ebx
		and	[ebp+var_90], 0
		and	ecx, 0FFFF0000h
		add	esp, 0Ch
		mov	byte ptr [eax],	0
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		add	eax, 240h
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_A4], eax
		mov	eax, ecx
		shr	eax, 0Ch
		mov	[ebp+var_AC], 10000h
		cmp	eax, [esi+0Ch]
		jb	loc_63E323
		lea	eax, [ecx+0FFFFh]
		shr	eax, 0Ch
		cmp	eax, [esi+10h]
		ja	loc_63E323
		mov	edi, [esi+1Ch]
		lea	edx, [ebp+var_CC]
		mov	ecx, [ebp+var_A4]
		shr	edi, 0Ch
		and	edi, 3Fh
		push	edi
		mov	[ebp+var_B4], edi
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	cl, ds:byte_6D068C
		lea	eax, [ebp+var_B0]
		mov	esi, [ebp+var_C4]
		mov	[ebp+var_F8], eax
		mov	eax, [ebp+var_B8]
		shr	esi, cl
		xor	ecx, ecx
		mov	word ptr [ebp+var_FC], 2
		mov	[ebp+var_F4], 1
		test	dword ptr [eax+1Ch], 100000h
		mov	[ebp+var_F0], ecx
		mov	[ebp+var_EC], ecx
		jz	short loc_63E012
		mov	edx, [ebp+var_B0]
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		mov	[ebp+var_9C], ecx
		sub	edx, 40000000h
		jmp	loc_63E100
; 

loc_63E012:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+120j
		lea	ecx, [ebp+var_90]
		mov	edx, ebx
		push	ecx
		push	0
		shr	edx, 0Ch
		mov	ecx, eax
		call	MiGetProtoPteAddress
		mov	[ebp+var_A0], eax
		mov	edi, 0FFFFF000h
		mov	eax, [ebp+var_B0]
		mov	ecx, ebx
		and	ecx, edi
		mov	[ebp+var_9C], eax
		sub	ecx, eax
		mov	eax, [ebp+var_90]
		shr	ecx, 0Ch
		mov	[ebp+var_98], ecx
		mov	edx, [eax+4]
		mov	ecx, [eax+24h]
		mov	eax, [eax+1Ch]
		and	ecx, 3FFFFFFFh
		sub	eax, ecx
		mov	[ebp+var_90], edx
		mov	ecx, [ebp+var_A0]
		lea	edx, [edx+eax*8]
		mov	eax, ecx
		and	eax, edi
		mov	[ebp+var_94], edx
		mov	[ebp+var_A0], eax
		mov	eax, ecx
		and	eax, edi
		mov	edi, [ebp+var_A0]
		mov	[ebp+var_C0], eax
		cmp	edi, [ebp+var_90]
		jbe	short loc_63E0A1
		mov	[ebp+var_90], eax

loc_63E0A1:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+1C9j
		mov	eax, edi
		add	eax, 1000h
		cmp	edx, eax
		jbe	short loc_63E0BD
		mov	eax, [ebp+var_C0]
		add	eax, 1000h
		mov	[ebp+var_94], eax

loc_63E0BD:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+1DAj
		mov	eax, [ebp+var_98]
		mov	edx, ecx
		shl	eax, 3
		sub	edx, eax
		cmp	edx, [ebp+var_90]
		jb	loc_63E323
		sub	ecx, eax
		sub	ecx, 0FFFFFF80h
		cmp	ecx, [ebp+var_94]
		ja	loc_63E323
		mov	eax, [ebp+var_9C]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[ebp+var_9C], eax

loc_63E100:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+13Dj
		mov	eax, ds:dword_6D4E50
		imul	ecx, esi, 280h
		lea	esi, [ebp+var_88]
		push	10h
		sub	esi, edx
		pop	ebx
		mov	byte ptr [ecx+eax+143h], 1

loc_63E11E:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+261j
		mov	eax, [edx]
		nop
		mov	ecx, [edx+4]
		mov	[esi+edx], eax
		lea	edx, [edx+8]
		mov	[esi+edx-4], ecx
		sub	ebx, 1
		jnz	short loc_63E11E
		mov	ebx, [ebp+var_8C]
		xor	esi, esi
		mov	edi, [ebp+var_9C]

loc_63E141:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+2D3j
		cmp	[ebp+arg_8], 0
		mov	eax, [ebp+esi*8+var_88]
		mov	ecx, [ebp+esi*8+var_84]
		mov	[ebp+var_8C], eax
		mov	[ebp+var_98], ecx
		jnz	short loc_63E165
		or	eax, ecx
		jmp	short loc_63E186
; 

loc_63E165:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+28Fj
		push	ecx
		push	eax
		call	_IS_PTE_NOT_DEMAND_ZERO@8 ; IS_PTE_NOT_DEMAND_ZERO(x,x)
		test	eax, eax
		jnz	short loc_63E1A5
		mov	eax, [ebp+var_8C]
		mov	ecx, [ebp+var_98]
		shrd	eax, ecx, 5
		and	eax, 1Fh
		cmp	eax, [ebp+arg_8]

loc_63E186:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+293j
		jnz	short loc_63E1A5
		test	edi, edi
		jz	short loc_63E19A
		mov	edx, [ebp+arg_8]
		mov	ecx, edi
		call	_MiIsPteEvaluated@8 ; MiIsPteEvaluated(x,x)
		test	eax, eax
		jnz	short loc_63E1A5

loc_63E19A:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+2BAj
		inc	esi
		cmp	esi, [ebp+arg_0]
		jz	short loc_63E1A5
		cmp	esi, 10h
		jb	short loc_63E141

loc_63E1A5:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+29Ej
					; MiGetClusterPage(x,x,x,x,x,x):loc_63E186j ...
		or	[ebp+var_94], 0FFFFFFFFh
		mov	edi, [ebp+var_B4]
		cmp	esi, 10h
		jnz	loc_63E23D
		push	[ebp+var_B8]
		mov	edx, [ebp+var_A4]
		lea	ecx, [ebp+var_FC]
		call	MiComputeZeroClusterMaximum
		cmp	eax, 10h
		jnz	loc_63E323
		mov	eax, [ebp+var_CC]
		xor	ecx, ecx
		inc	ecx
		lock xadd [eax], ecx
		inc	ecx
		mov	eax, [ebp+var_C8]
		dec	ecx
		push	0
		and	eax, ecx
		mov	ecx, [ebp+var_BC]
		or	eax, [ebp+var_C4]
		push	4
		push	eax
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		push	eax
		inc	edx
		call	_MiGetLargePage@24 ; MiGetLargePage(x,x,x,x,x,x)
		mov	[ebp+var_8C], eax
		test	eax, eax
		jz	short loc_63E27C
		push	0
		push	0
		push	1
		xor	edx, edx
		mov	ecx, eax
		push	2
		inc	edx
		call	_MiConvertEntireLargePageToSmall@24 ; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)
		mov	eax, [ebp+var_8C]
		jmp	loc_63E325
; 

loc_63E23D:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+2E5j
		xor	esi, esi

loc_63E23F:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+38Bj
		mov	edx, [ebp+esi*8+var_88]
		mov	eax, edx
		mov	ecx, [ebp+esi*8+var_84]
		and	eax, 1
		or	eax, 0
		jnz	short loc_63E25F
		inc	esi
		cmp	esi, 10h
		jb	short loc_63E23F
		jmp	short loc_63E27C
; 

loc_63E25F:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+385j
		mov	eax, edx
		nop
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		mov	[ebp+var_94], eax
		and	eax, 0Fh
		cmp	eax, esi
		jnz	loc_63E323

loc_63E27C:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+34Ej
					; MiGetClusterPage(x,x,x,x,x,x)+38Dj
		mov	eax, [ebp+var_B0]
		shr	eax, 9
		shr	ebx, 9
		and	eax, offset loc_7FFFF8
		mov	ecx, ebx
		mov	[ebp+var_98], 1
		sub	ecx, eax
		lea	eax, [ebp+var_98]
		sar	ecx, 3
		and	ecx, 0Fh
		push	eax
		push	ecx
		mov	[ebp+var_8C], ecx
		mov	ecx, [ebp+var_BC]
		push	102h
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		mov	edx, [ebp+var_A4]
		mov	ecx, offset _MiSystemPartition
		push	eax
		push	edi
		call	_MiGetPageChain@28 ; MiGetPageChain(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_63E323
		sub	eax, ds:_MmPfnDatabase
		cdq
		push	1Ch
		cmp	esi, 10h
		jz	short loc_63E308
		mov	ecx, [ebp+var_B0]
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ebx, ecx
		pop	ecx
		idiv	ecx
		sar	ebx, 3
		sub	ebx, esi
		add	ebx, [ebp+var_94]
		cmp	ebx, eax
		jmp	short loc_63E314
; 

loc_63E308:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+413j
		pop	ecx
		idiv	ecx
		and	eax, 0Fh
		cmp	eax, [ebp+var_8C]

loc_63E314:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+436j
		jz	short loc_63E31F
		mov	eax, [ebp+var_A8]
		mov	byte ptr [eax],	1

loc_63E31F:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x):loc_63E314j
		mov	eax, edi
		jmp	short loc_63E325
; 

loc_63E323:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+9Fj
					; MiGetClusterPage(x,x,x,x,x,x)+B1j ...
		xor	eax, eax

loc_63E325:				; CODE XREF: MiGetClusterPage(x,x,x,x,x,x)+368j
					; MiGetClusterPage(x,x,x,x,x,x)+451j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_MiGetClusterPage@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIdealClusterPage(x, x, x,	x, x, x, x, x)
_MiIdealClusterPage@32 proc near	; CODE XREF: .text:0045ECD3p

var_11C		= dword	ptr -11Ch
var_100		= dword	ptr -100h
var_F0		= dword	ptr -0F0h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_89		= byte ptr -89h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 120h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_98], esi
		mov	edx, ecx
		mov	[ebp+var_C4], edx
		mov	eax, [ebx+8]
		mov	[ebp+var_AC], eax
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_94], eax
		mov	eax, [ebx+10h]
		mov	[ebp+var_A8], eax
		mov	eax, [ebx+14h]
		mov	[ebp+var_C8], eax
		mov	eax, [ebx+18h]
		mov	[ebp+var_D8], eax
		mov	eax, [ebx+1Ch]
		mov	[ebp+var_CC], eax
		lea	edi, [ebp+var_100]
		mov	[ebp+var_D4], eax
		and	[ebp+var_B8], 0
		xor	eax, eax
		and	[ebp+var_A4], 0
		push	7
		pop	ecx
		rep stosd
		mov	ecx, [edx+24h]
		lea	edi, [ebp+var_E4]
		stosd
		shr	ecx, 6
		stosd
		mov	[ebp+var_90], ecx
		stosd
		mov	eax, [edx+14h]
		mov	edx, [edx]
		mov	edi, edx
		mov	[ebp+var_BC], eax
		and	edi, 0FFFFF000h
		mov	eax, [ebp+var_C8]
		mov	byte ptr [eax],	0
		mov	eax, edx
		and	eax, 0FFFF0000h
		sub	edi, eax
		shr	edi, 0Ch
		test	dword ptr [esi+1Ch], 100000h
		mov	[ebp+var_B0], edi
		jnz	loc_63E4B8
		lea	eax, [ebp+var_B8]
		shr	edx, 0Ch
		push	eax
		push	4
		mov	ecx, esi
		call	MiGetProtoPteAddress
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_63E49D
		mov	eax, [ebp+var_B8]
		test	eax, eax
		jz	short loc_63E49D
		mov	esi, [ebp+var_AC]
		cmp	ecx, esi
		jnz	short loc_63E49D
		mov	edx, [eax+4]
		mov	ecx, [eax+24h]
		mov	eax, [eax+1Ch]
		and	ecx, 3FFFFFFFh
		sub	eax, ecx
		lea	ecx, [edx+eax*8]
		mov	eax, esi
		and	eax, 0FFFFF000h
		and	esi, 0FFFFF000h
		cmp	eax, edx
		jbe	short loc_63E46A
		mov	edx, esi

loc_63E46A:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+130j
		add	eax, 1000h
		cmp	ecx, eax
		jbe	short loc_63E479
		lea	ecx, [esi+1000h]

loc_63E479:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+13Bj
		cmp	edx, ecx
		jnb	short loc_63E49D
		mov	eax, [ebp+var_AC]
		mov	esi, edi
		shl	esi, 3
		sub	eax, esi
		cmp	eax, edx
		jb	short loc_63E49D
		mov	eax, [ebp+var_AC]
		sub	eax, esi
		sub	eax, 0FFFFFF80h
		cmp	eax, ecx
		jbe	short loc_63E4D8

loc_63E49D:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+F7j
					; MiIdealClusterPage(x,x,x,x,x,x,x,x)+101j ...
		mov	eax, [ebp+var_94]

loc_63E4A3:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+337j
					; MiIdealClusterPage(x,x,x,x,x,x,x,x)+7E8j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	18h
; 

loc_63E4B8:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+DAj
		mov	edi, [ebp+var_94]
		mov	eax, [edi+4]
		or	eax, 80000000h
		add	eax, 40000000h
		cmp	eax, offset loc_7FFFFF
		ja	short loc_63E49D
		mov	edi, [ebp+var_B0]

loc_63E4D8:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+165j
		mov	edx, [ebp+var_AC]
		lea	esi, [ebp+var_88]
		mov	eax, edi
		shl	eax, 3
		sub	edx, eax
		push	10h
		sub	esi, edx
		pop	edi

loc_63E4F0:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+1CDj
		mov	eax, [edx]
		nop
		mov	ecx, [edx+4]
		mov	[esi+edx], eax
		lea	edx, [edx+8]
		mov	[esi+edx-4], ecx
		sub	edi, 1
		jnz	short loc_63E4F0
		mov	edi, [ebp+var_94]
		or	esi, 0FFFFFFFFh
		mov	eax, edi
		mov	[ebp+var_9C], esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		xor	ecx, ecx
		mov	[ebp+var_D0], eax

loc_63E52A:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+214j
		mov	eax, [ebp+ecx*8+var_88]
		mov	edx, [ebp+ecx*8+var_84]
		mov	[ebp+var_A0], eax
		and	eax, 1
		or	eax, 0
		jnz	short loc_63E54E
		inc	ecx
		cmp	ecx, 10h
		jb	short loc_63E52A
		jmp	short loc_63E572
; 

loc_63E54E:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+20Ej
		mov	esi, [ebp+var_A0]
		nop
		shrd	esi, edx, 0Ch
		and	esi, 1FFFFFFh
		mov	eax, esi
		mov	[ebp+var_9C], esi
		and	eax, 0Fh
		cmp	eax, ecx
		jnz	loc_63E49D

loc_63E572:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+216j
		xor	edx, edx
		mov	[ebp+var_B4], edx
		mov	[ebp+var_89], dl
		cmp	ecx, 10h
		jnz	loc_63E616
		mov	eax, [ebp+var_D0]
		and	eax, 0Fh
		cmp	eax, [ebp+var_B0]
		jz	loc_63E662
		push	edx
		push	edx
		mov	esi, offset _MiSystemPartition
		inc	edx
		mov	ecx, esi
		call	MiAcquireNonPagedResources
		test	eax, eax
		js	loc_63E49D
		mov	eax, [ebp+var_98]
		lea	edx, [ebp+var_E4]
		mov	ecx, [ebp+var_BC]
		mov	[ebp+var_89], 1
		mov	eax, [eax+1Ch]
		shr	eax, 0Ch
		and	eax, 3Fh
		push	eax
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	cl, ds:byte_6D068C
		xor	edx, edx
		mov	eax, [ebp+var_DC]
		inc	edx
		shr	eax, cl
		mov	ecx, [ebp+var_E4]
		mov	[ebp+var_A0], eax
		lock xadd [ecx], edx
		inc	edx
		mov	edi, [ebp+var_E0]
		dec	edx
		and	edi, edx
		or	edi, [ebp+var_DC]
		mov	[ebp+var_98], edi
		jmp	short loc_63E695
; 

loc_63E616:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+24Dj
		mov	eax, [ebp+var_B0]
		sub	eax, ecx
		add	esi, eax
		mov	[ebp+var_9C], esi
		cmp	esi, ds:dword_6D07B0
		ja	loc_63E49D
		mov	eax, ds:dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	loc_63E49D
		imul	eax, esi, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_B4], eax
		cmp	eax, edi
		jnz	short loc_63E672

loc_63E662:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+262j
		mov	eax, [ebp+var_C8]
		mov	byte ptr [eax],	1
		mov	eax, edi
		jmp	loc_63E4A3
; 

loc_63E672:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+32Aj
		mov	ecx, esi
		call	MiSearchNumaNodeTable
		mov	ecx, ds:dword_6D06D0
		and	ecx, esi
		mov	esi, offset _MiSystemPartition
		mov	[ebp+var_98], ecx
		mov	eax, [eax+4]
		mov	[ebp+var_A0], eax

loc_63E695:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+2DEj
		imul	ecx, eax, 280h
		xor	edx, edx
		mov	eax, ds:dword_6D4E50
		mov	byte ptr [ecx+eax+143h], 1
		mov	ecx, [ebp+var_94]
		and	dword ptr [ecx+10h], 0C0000000h
		lea	eax, [ecx+10h]
		mov	[ebp+var_B8], eax
		call	_MiAddLockedPageCharge@8 ; MiAddLockedPageCharge(x,x)
		test	eax, eax
		jnz	short loc_63E700
		cmp	[ebp+var_89], 1
		jnz	loc_63E49D
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	MiReturnCommit
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	loc_63E49D
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax
		jmp	loc_63E49D
; 

loc_63E700:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+391j
		mov	esi, [ebp+var_94]
		lea	edi, [ebp+var_11C]
		push	7
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_B8]
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	edi, [ebp+var_A8]
		test	edi, edi
		jz	short loc_63E752
		xor	edx, edx
		mov	ecx, edi
		call	_MiObtainProtoReference@8 ; MiObtainProtoReference(x,x)
		push	7
		mov	esi, edi
		mov	dl, 21h
		pop	ecx
		lea	edi, [ebp+var_100]
		rep movsd
		mov	ecx, [ebp+var_A8]
		call	MiUnlockProtoPoolPage
		mov	esi, [ebp+var_B8]

loc_63E752:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+3F1j
		mov	ecx, [ebp+var_C4]
		lea	eax, [ebp-0BDh]
		push	eax
		mov	dl, 1
		lea	ecx, [ecx+14h]
		call	_MiReleaseFaultState@12	; MiReleaseFaultState(x,x,x)
		cmp	[ebp+var_89], 1
		mov	[ebp+var_BC], eax
		jnz	loc_63E8DA
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [ebp+var_D8]
		mov	[ebp+var_89], al
		mov	eax, [ebp+var_CC]
		push	0
		push	4
		push	[ebp+var_98]
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		push	eax
		inc	edx
		call	_MiGetLargePage@24 ; MiGetLargePage(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_90], edi
		test	edi, edi
		jnz	short loc_63E80D
		mov	cl, [ebp+var_89]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	edx, edx
		mov	edi, offset _MiSystemPartition
		inc	edx
		mov	ecx, edi
		call	MiReturnCommit
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_63E7F8
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_63E7F8:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+4B7j
		mov	edi, [ebp+var_9C]
		mov	[ebp+var_90], 0C0000017h
		jmp	loc_63E960
; 

loc_63E80D:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+48Ej
		push	0
		push	0
		push	1
		xor	edx, edx
		mov	ecx, edi
		push	2
		inc	edx
		call	_MiConvertEntireLargePageToSmall@24 ; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)
		mov	eax, edi
		mov	[ebp+var_98], 10h
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	edi, [ebp+var_9C]
		mov	[ebp+var_A4], eax

loc_63E843:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+584j
		test	byte ptr ds:_MiFlags, 80h
		jz	short loc_63E871
		mov	ecx, ds:dword_6D30F0
		inc	ecx
		mov	ds:dword_6D30F0, ecx
		test	ds:_MmPageValidationFrequency, ecx
		jnz	short loc_63E871
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_MiArePageContentsZero@8 ; MiArePageContentsZero(x,x)
		mov	eax, [ebp+var_A4]

loc_63E871:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+514j
					; MiIdealClusterPage(x,x,x,x,x,x,x,x)+529j
		mov	ecx, [ebp+var_90]
		and	eax, 0Fh
		cmp	eax, [ebp+var_B0]
		jnz	short loc_63E892
		mov	eax, [ebp+var_A4]
		mov	edi, eax
		mov	[ebp+var_B4], ecx
		jmp	short loc_63E8A3
; 

loc_63E892:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+54Aj
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		mov	eax, [ebp+var_A4]
		mov	ecx, [ebp+var_90]

loc_63E8A3:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+55Aj
		inc	eax
		add	ecx, 1Ch
		sub	[ebp+var_98], 1
		mov	[ebp+var_A4], eax
		mov	[ebp+var_90], ecx
		jnz	short loc_63E843
		mov	cl, [ebp+var_89]
		mov	[ebp+var_9C], edi
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	[ebp+var_90], 0
		jmp	loc_63E960
; 

loc_63E8DA:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+440j
		mov	edi, [ebp+var_9C]
		xor	edx, edx
		mov	ecx, large fs:124h
		imul	eax, edi, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_B4], eax
		mov	eax, [ebp+var_90]
		not	eax
		and	eax, 1
		add	eax, 2000h
		shl	eax, 11h
		mov	[ebp+var_90], eax
		call	_PsQueryThreadStartAddress@8 ; PsQueryThreadStartAddress(x,x)
		mov	ecx, [ebp+var_90]
		cmp	eax, offset _KeSwapProcessOrStack@4 ; KeSwapProcessOrStack(x)
		jnz	short loc_63E926
		or	ecx, 8

loc_63E926:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+5EBj
		mov	eax, [ebp+var_94]
		lea	edx, [ebp+var_A4]
		push	edx
		push	0
		push	ecx
		movzx	eax, byte ptr [eax+16h]
		mov	edx, edi
		push	80000000h
		push	[ebp+var_A0]
		shr	eax, 6
		mov	ecx, offset _MiSystemPartition
		push	eax
		push	1
		push	0
		push	edi
		call	_MiFindContiguousPages@44 ; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_90], eax

loc_63E960:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+4D2j
					; MiIdealClusterPage(x,x,x,x,x,x,x,x)+59Fj
		mov	edx, [ebp+var_BC]
		xor	cl, cl
		mov	[ebp+var_89], cl
		mov	ecx, [ebp+var_C4]
		lea	ecx, [ecx+14h]
		call	MiRelockFaultState
		mov	eax, [ebp+var_A8]
		test	eax, eax
		jz	loc_63EA14
		or	[ebp+var_F0], 80000000h
		xor	edx, edx
		mov	ecx, eax
		call	_MiRelockProtoPoolPage@8 ; MiRelockProtoPoolPage(x,x)
		mov	edx, [ebp+var_A8]
		and	[ebp+var_CC], 0
		add	edx, 10h
		lock bts dword ptr [edx], 1Fh
		jnb	short loc_63E9D0
		mov	edi, edx

loc_63E9B6:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+68Fj
					; MiIdealClusterPage(x,x,x,x,x,x,x,x)+696j
		lea	ecx, [ebp+var_CC]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_63E9B6
		lock bts dword ptr [edi], 1Fh
		jb	short loc_63E9B6
		mov	edx, edi

loc_63E9D0:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+67Cj
		lea	eax, [ebp+var_100]
		xor	ecx, ecx

loc_63E9D8:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+6C0j
		mov	edi, [ebp+var_A8]
		mov	eax, [eax+ecx*4]
		cmp	eax, [edi+ecx*4]
		mov	edi, [ebp+var_9C]
		jnz	short loc_63E9FA
		inc	ecx
		lea	eax, [ebp+var_100]
		cmp	ecx, 7
		jnz	short loc_63E9D8
		jmp	short loc_63EA01
; 

loc_63E9FA:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+6B4j
		mov	[ebp+var_89], 1

loc_63EA01:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+6C2j
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		mov	ecx, [ebp+var_A8]
		call	_MiReturnPfnReferenceCount@4 ; MiReturnPfnReferenceCount(x)

loc_63EA14:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+64Ej
		and	[ebp+var_98], 0
		jmp	short loc_63EA2E
; 

loc_63EA1D:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+6F6j
					; MiIdealClusterPage(x,x,x,x,x,x,x,x)+6FDj
		lea	ecx, [ebp+var_98]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_63EA1D

loc_63EA2E:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+6E5j
		lock bts dword ptr [esi], 1Fh
		jb	short loc_63EA1D
		mov	al, [ebp+var_89]
		test	al, al
		jnz	short loc_63EA65
		mov	edx, [ebp+var_94]
		lea	eax, [ebp+var_11C]
		xor	ecx, ecx

loc_63EA4D:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+729j
		mov	eax, [eax+ecx*4]
		cmp	eax, [edx+ecx*4]
		jnz	short loc_63EA63
		inc	ecx
		lea	eax, [ebp+var_11C]
		cmp	ecx, 7
		jnz	short loc_63EA4D
		jmp	short loc_63EA6D
; 

loc_63EA63:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+71Dj
		mov	al, 1

loc_63EA65:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+707j
		cmp	al, 1
		jz	loc_63EB23

loc_63EA6D:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+72Bj
		test	dword ptr [esi], 40000000h
		jnz	loc_63EB23
		lea	eax, [ebp+var_D8]
		push	eax
		mov	eax, [ebp+var_C4]
		mov	ecx, eax
		push	[ebp+var_AC]
		mov	edx, [eax]
		call	_MiIsFaultPteIntact@16 ; MiIsFaultPteIntact(x,x,x,x)
		test	eax, eax
		jz	loc_63EB23
		cmp	[ebp+var_90], 0
		jge	short loc_63EAB6
		mov	ecx, [ebp+var_94]
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		jmp	loc_63E49D
; 

loc_63EAB6:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+76Ej
		mov	eax, [ebp+var_D8]
		and	eax, 40h
		or	eax, 0
		jz	short loc_63EAC8
		push	10h
		jmp	short loc_63EACA
; 

loc_63EAC8:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+78Cj
		push	8

loc_63EACA:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+790j
		mov	edx, [ebp+var_D0]
		mov	ecx, edi
		pop	eax
		push	eax
		push	0
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)
		mov	esi, [ebp+var_B4]
		mov	edx, [ebp+var_94]
		mov	ecx, [ebp+var_AC]
		push	esi
		call	_MiSwapHardFaultPage@12	; MiSwapHardFaultPage(x,x,x)
		xor	edx, edx
		xor	eax, eax
		inc	edx
		mov	[esi+14h], ax
		mov	ecx, offset _MiSystemPartition
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_63EB13
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_63EB13:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+7D2j
		mov	eax, [ebp+var_C8]
		mov	byte ptr [eax],	1
		mov	eax, esi
		jmp	loc_63E4A3
; 

loc_63EB23:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+731j
					; MiIdealClusterPage(x,x,x,x,x,x,x,x)+73Dj ...
		cmp	[ebp+var_90], 0
		jl	short loc_63EB86
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		mov	ecx, [ebp+var_B4]
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		xor	edx, edx
		mov	edi, offset _MiSystemPartition
		inc	edx
		mov	ecx, edi
		call	MiReturnCommit
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_63EB65
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_63EB65:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+824j
		and	[ebp+var_B0], 0
		jmp	short loc_63EB7F
; 

loc_63EB6E:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+847j
					; MiIdealClusterPage(x,x,x,x,x,x,x,x)+84Ej
		lea	ecx, [ebp+var_B0]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_63EB6E

loc_63EB7F:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+836j
		lock bts dword ptr [esi], 1Fh
		jb	short loc_63EB6E

loc_63EB86:				; CODE XREF: MiIdealClusterPage(x,x,x,x,x,x,x,x)+7F4j
		mov	ecx, [ebp+var_94]
		call	_MiRemoveLockedPageChargeAndDecRef@4 ; MiRemoveLockedPageChargeAndDecRef(x)
		xor	eax, eax
		jmp	loc_63E4A3
_MiIdealClusterPage@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteLargeUserPde(x, x, x)
_MiDeleteLargeUserPde@12 proc near	; CODE XREF: .text:00458812p
					; .text:00459776p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		mov	eax, ecx
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_8], eax
		push	edi
		mov	eax, [eax+48h]
		mov	edi, edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_4], edi
		mov	[ebp+var_24], ebx
		mov	eax, [eax+54h]
		mov	esi, [edi]
		mov	[ebp+var_14], eax
		nop
		mov	ecx, [edi+4]
		mov	edx, esi
		and	edx, 1
		mov	[ebp+var_30], esi
		mov	eax, edx
		mov	[ebp+var_2C], ecx
		or	eax, ebx
		mov	[ebp+var_24], edx
		jz	short loc_63EBE5
		nop
		shrd	esi, ecx, 0Ch
		and	esi, 1FFFFFFh
		jmp	short loc_63EC25
; 

loc_63EBE5:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+3Ej
		mov	eax, ds:dword_6D0700
		mov	ebx, esi
		mov	edi, ds:dword_6D0704
		mov	[ebp+var_18], eax
		or	eax, edi
		mov	[ebp+var_1C], edi
		mov	edi, [ebp+var_4]
		mov	[ebp+var_C], ecx
		jz	short loc_63EC1B
		mov	eax, ebx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_63EC1B
		mov	esi, [ebp+var_18]
		mov	ecx, [ebp+var_1C]
		not	esi
		not	ecx
		and	esi, ebx
		and	ecx, [ebp+var_C]

loc_63EC1B:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+68j
					; MiDeleteLargeUserPde(x,x,x)+72j
		shrd	esi, ecx, 0Ch
		and	esi, 3FFFFFFh

loc_63EC25:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+4Bj
		mov	ebx, [ebp+arg_0]
		mov	eax, [ebp+var_14]
		neg	ebx
		mov	[ebp+var_C], esi
		sbb	ebx, ebx
		and	ebx, 0FFFFFFF1h
		add	ebx, 10h
		and	eax, 10h
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], eax
		jz	short loc_63EC5C
		mov	ecx, [ebp+var_10]
		mov	edx, edi
		lea	eax, [ecx+5Ch]
		mov	ecx, [ecx+8]
		push	eax
		mov	ecx, [ecx+10h]
		call	_MiDeleteVadAwePtes@12 ; MiDeleteVadAwePtes(x,x,x)
		jmp	loc_63ECFD
; 

loc_63EC5C:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+A9j
		cmp	[ebp+arg_0], 0
		jnz	short loc_63EC7D
		xor	ecx, ecx

loc_63EC64:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+E1j
		mov	eax, ds:_ZeroPte
		mov	[edi+ecx*8], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edi+ecx*8+4], eax
		inc	ecx
		cmp	ecx, ebx
		jb	short loc_63EC64
		jmp	short loc_63ECD1
; 

loc_63EC7D:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+C8j
		mov	eax, edx
		or	eax, 0
		jz	short loc_63ECBB
		mov	edi, [ebp+var_8]
		mov	edx, [ebp+var_4]
		mov	ebx, ds:_ZeroPte
		mov	esi, ds:dword_40F9FC
		mov	edi, [edi+10h]
		mov	ecx, edi
		push	0
		call	MiLockPageTableInternal
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		push	esi
		push	ebx
		push	0
		call	MiUnlockNestedPageTableWritePte
		mov	ebx, [ebp+var_1C]
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_4]
		jmp	short loc_63ECCB
; 

loc_63ECBB:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+EAj
		mov	eax, ds:_ZeroPte
		mov	[edi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edi+4], eax

loc_63ECCB:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+121j
		cmp	[ebp+arg_0], 1
		jz	short loc_63ED03

loc_63ECD1:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+E3j
		mov	eax, large fs:124h
		mov	ecx, edi
		shr	ecx, 0Ch
		mov	edx, ebx
		and	ecx, 7FFh
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		add	eax, 190h
		lea	ecx, [eax+ecx*2]
		call	MiDecreaseUsedPtesCount

loc_63ECFD:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+BFj
		cmp	[ebp+arg_0], 1
		jnz	short loc_63ED21

loc_63ED03:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+137j
		cmp	[ebp+arg_0], 0
		mov	edx, edi
		jle	short loc_63ED16
		mov	eax, [ebp+arg_0]

loc_63ED0E:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+17Cj
		shl	edx, 9
		sub	eax, 1
		jnz	short loc_63ED0E

loc_63ED16:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+171j
		mov	eax, [ebp+var_8]
		mov	ecx, [eax+10h]
		call	_MiPruneSoftwareWsles@8	; MiPruneSoftwareWsles(x,x)

loc_63ED21:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+169j
		mov	eax, [ebp+var_24]
		imul	esi, 1Ch
		add	esi, ds:_MmPfnDatabase
		or	eax, 0
		jz	short loc_63ED56
		cmp	[ebp+arg_0], 0
		mov	eax, [ebp+var_8]
		mov	ecx, [eax+0Ch]
		jnz	short loc_63ED4D
		push	0
		shl	edi, 9
		push	ebx
		mov	edx, edi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		jmp	short loc_63ED56
; 

loc_63ED4D:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+1A4j
		mov	edx, [ebp+arg_0]
		push	edi
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)

loc_63ED56:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+198j
					; MiDeleteLargeUserPde(x,x,x)+1B3j
		cmp	[ebp+var_18], 0
		jnz	short loc_63EDC2
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_63EDC2
		and	[ebp+var_1C], eax
		lea	edi, [esi+10h]
		jmp	short loc_63ED7D
; 

loc_63ED6F:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+1E3j
					; MiDeleteLargeUserPde(x,x,x)+1EAj
		lea	ecx, [ebp+var_1C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_63ED6F

loc_63ED7D:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+1D5j
		lock bts dword ptr [edi], 1Fh
		jb	short loc_63ED6F
		mov	cl, [esi+16h]
		mov	edx, [ebp+var_10]
		mov	al, cl
		and	al, 0FDh
		or	al, 5
		mov	[esi+16h], al
		mov	eax, [edx+8]
		mov	eax, [eax+14h]
		shr	eax, 2
		xor	eax, [esi]
		and	eax, 1FFFFFFEh
		xor	eax, [esi]
		mov	[esi], eax
		mov	eax, [edx+8]
		mov	[eax+14h], esi
		mov	al, [esi+16h]
		xor	al, cl
		and	al, 7
		xor	al, [esi+16h]
		mov	[esi+16h], al
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax

loc_63EDC2:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+1C2j
					; MiDeleteLargeUserPde(x,x,x)+1CDj
		test	[ebp+var_14], 800h
		jz	short loc_63EDD9
		cmp	[ebp+arg_0], 0
		jnz	short loc_63EDD9
		mov	eax, [ebp+var_8]
		dec	bl
		mov	[eax+3], bl

loc_63EDD9:				; CODE XREF: MiDeleteLargeUserPde(x,x,x)+231j
					; MiDeleteLargeUserPde(x,x,x)+237j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiDeleteLargeUserPde@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiAnyPagesRemovalPending(x,	x)
_MiAnyPagesRemovalPending@8 proc near	; CODE XREF: MiInsertLargePageInNodeList(x)+183p
		imul	eax, ecx, 1Ch
		imul	ecx, ds:_MiLargePageSizes[edx*4], 1Ch
		add	eax, ds:_MmPfnDatabase
		add	ecx, eax
		jmp	short loc_63EDFE
; 

loc_63EDF5:				; CODE XREF: MiAnyPagesRemovalPending(x,x)+20j
		test	byte ptr [eax+17h], 40h
		jnz	short loc_63EE05
		add	eax, 1Ch

loc_63EDFE:				; CODE XREF: MiAnyPagesRemovalPending(x,x)+13j
		cmp	eax, ecx
		jb	short loc_63EDF5
		xor	eax, eax
		retn
; 

loc_63EE05:				; CODE XREF: MiAnyPagesRemovalPending(x,x)+19j
		xor	eax, eax
		inc	eax
		retn
_MiAnyPagesRemovalPending@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeLargePageChain(x)
_MiFreeLargePageChain@4	proc near	; CODE XREF: MiTimeSingleLargePageZeroWorker(x,x)+107p
					; MiReturnExcessPoolCommit+11361Cp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	[ebp+var_4], ecx
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_63EE65

loc_63EE1B:				; CODE XREF: MiFreeLargePageChain(x)+5Aj
		mov	eax, ecx
		mov	ebx, [ecx]
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	esi
		cdq
		idiv	esi
		mov	esi, eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	dl, al
		lea	edi, [ebp+var_14]
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_4]
		and	[ebp+var_C], 0
		mov	[ebp+var_14], esi
		mov	[ebp+var_8], dl
		movzx	ecx, byte ptr [eax+16h]
		and	ecx, 7
		mov	[ebp+var_10], ecx
		lea	ecx, [ebp+var_14]
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)
		mov	[ebp+var_4], ebx
		mov	ecx, ebx
		test	ebx, ebx
		jnz	short loc_63EE1B

loc_63EE65:				; CODE XREF: MiFreeLargePageChain(x)+10j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiFreeLargePageChain@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetLargePageChain(x, x, x)
_MiGetLargePageChain@12	proc near	; CODE XREF: MiInitializePoolCommitPacket+113958p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ds:dword_6D4E50
		mov	edx, ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		imul	ecx, edi, 280h
		cmp	dword ptr [ecx+eax+1DCh], 0
		jnz	short loc_63EE9B
		test	byte ptr ds:_MiFlags, 30h
		jz	short loc_63EE9B

loc_63EE97:				; CODE XREF: MiGetLargePageChain(x,x,x)+8Dj
		xor	eax, eax
		jmp	short loc_63EEE9
; 

loc_63EE9B:				; CODE XREF: MiGetLargePageChain(x,x,x)+22j
					; MiGetLargePageChain(x,x,x)+2Bj
		shr	edx, 9
		xor	ebx, ebx
		xor	esi, esi
		mov	[ebp+var_4], edx
		cmp	ds:dword_6D5D84, 110000h
		jbe	short loc_63EEB2
		inc	esi

loc_63EEB2:				; CODE XREF: MiGetLargePageChain(x,x,x)+45j
		and	[ebp+arg_0], ebx
		test	edx, edx
		jz	short loc_63EEE7

loc_63EEB9:				; CODE XREF: MiGetLargePageChain(x,x,x)+7Bj
		push	1
		push	esi
		push	0
		push	200h
		push	edi
		mov	edx, 200h
		mov	ecx, offset _MiSystemPartition
		call	_MiGetLargePagesDemoteAsNeeded@28 ; MiGetLargePagesDemoteAsNeeded(x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_63EEF0
		mov	[eax], ebx
		mov	ebx, eax
		mov	eax, [ebp+arg_0]
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, [ebp+var_4]
		jb	short loc_63EEB9

loc_63EEE7:				; CODE XREF: MiGetLargePageChain(x,x,x)+4Dj
		mov	eax, ebx

loc_63EEE9:				; CODE XREF: MiGetLargePageChain(x,x,x)+2Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_63EEF0:				; CODE XREF: MiGetLargePageChain(x,x,x)+6Bj
		mov	ecx, ebx
		call	_MiFreeLargePageChain@4	; MiFreeLargePageChain(x)
		jmp	short loc_63EE97
_MiGetLargePageChain@12	endp


;  S U B	R O U T	I N E 


; __stdcall MiLargePageMovesInProgress(x)
_MiLargePageMovesInProgress@4 proc near	; CODE XREF: MiTradePage(x,x)+303p
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, ecx
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		mov	ecx, ds:dword_6D4E50
		imul	edx, [eax+4], 280h
		xor	eax, eax
		cmp	[edx+ecx+1F4h],	eax
		setnz	al
		retn
_MiLargePageMovesInProgress@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMoveLargeFreePage(x, x, x, x)
_MiMoveLargeFreePage@16	proc near	; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+2A6p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:_MiLargePageSizes[edx*4]
		push	ebx
		push	esi
		push	edi
		mov	ebx, eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_4]
		neg	ebx
		push	eax
		and	ebx, ecx
		xor	esi, esi
		mov	ecx, [ebp+arg_0]
		push	8
		push	edx
		mov	edx, ebx
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], ebx
		call	_MiTryUnlinkNodeLargePage@20 ; MiTryUnlinkNodeLargePage(x,x,x,x,x)
		test	eax, eax
		jz	loc_63F00D
		xor	eax, eax
		imul	ebx, 1Ch
		lea	edi, [ebp+var_1C]
		stosd
		add	ebx, ds:_MmPfnDatabase
		stosd
		mov	ecx, ebx
		stosd
		stosd
		mov	eax, [ebp+var_8]
		mov	[ebp+var_1C], eax
		call	_MiIsFreshPfnFromZeroedList@4 ;	MiIsFreshPfnFromZeroedList(x)
		neg	eax
		mov	[ebp+var_14], esi
		mov	ecx, ebx
		sbb	eax, eax
		inc	eax
		mov	[ebp+var_18], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		cmp	[ebp+arg_0], offset _MiSystemPartition
		mov	[ebp+var_10], al
		jnz	short loc_63F003
		mov	ecx, 7FFFFFFFh
		lea	eax, [ebx+10h]
		lock and [eax],	ecx
		imul	edi, [ebp+var_C], 1Ch
		add	edi, 0FFFFFFE4h
		add	edi, ebx
		cmp	edi, ebx
		jb	short loc_63F000
		lea	esi, [edi+10h]

loc_63EFBC:				; CODE XREF: MiMoveLargeFreePage(x,x,x,x)+D6j
		and	[ebp+var_C], 0
		jmp	short loc_63EFD0
; 

loc_63EFC2:				; CODE XREF: MiMoveLargeFreePage(x,x,x,x)+A6j
					; MiMoveLargeFreePage(x,x,x,x)+ADj
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_63EFC2

loc_63EFD0:				; CODE XREF: MiMoveLargeFreePage(x,x,x,x)+98j
		lock bts dword ptr [esi], 1Fh
		jb	short loc_63EFC2
		test	byte ptr [esi+7], 40h
		jz	short loc_63EFEA
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_MiMoveBadPageCrossPartition@12	; MiMoveBadPageCrossPartition(x,x,x)

loc_63EFEA:				; CODE XREF: MiMoveLargeFreePage(x,x,x,x)+B3j
		cmp	edi, ebx
		jz	short loc_63EFF6
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax

loc_63EFF6:				; CODE XREF: MiMoveLargeFreePage(x,x,x,x)+C4j
		sub	edi, 1Ch
		sub	esi, 1Ch
		cmp	edi, ebx
		jnb	short loc_63EFBC

loc_63F000:				; CODE XREF: MiMoveLargeFreePage(x,x,x,x)+8Fj
		xor	esi, esi
		inc	esi

loc_63F003:				; CODE XREF: MiMoveLargeFreePage(x,x,x,x)+77j
		lea	ecx, [ebp+var_1C]
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)
		mov	eax, esi

loc_63F00D:				; CODE XREF: MiMoveLargeFreePage(x,x,x,x)+36j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiMoveLargeFreePage@16	endp


;  S U B	R O U T	I N E 


; __stdcall MiNodeLargeFreeZeroPages2(x, x)
_MiNodeLargeFreeZeroPages2@8 proc near	; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+192p
					; MiAddPhysicalMemoryChunks(x,x,x,x)+1CBp
		mov	edi, edi
		push	esi
		push	edi
		shl	edx, 5
		add	ecx, 18h
		push	2
		xor	eax, eax
		add	edx, ecx
		pop	edi

loc_63F025:				; CODE XREF: MiNodeLargeFreeZeroPages2(x,x)+26j
		push	4
		mov	ecx, edx
		pop	esi

loc_63F02A:				; CODE XREF: MiNodeLargeFreeZeroPages2(x,x)+1Ej
		add	eax, [ecx]
		lea	ecx, [ecx+4]
		sub	esi, 1
		jnz	short loc_63F02A
		add	edx, 10h
		sub	edi, 1
		jnz	short loc_63F025
		pop	edi
		shl	eax, 9
		pop	esi
		retn
_MiNodeLargeFreeZeroPages2@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiNodeLargeFreeZeroPagesRange(x, x,	x)
_MiNodeLargeFreeZeroPagesRange@12 proc near ; CODE XREF: MiRebuildLargePage(x,x,x,x)+1BCp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		cmp	edx, 1
		ja	short loc_63F076
		push	esi
		imul	esi, edx, 98h
		add	esi, ecx

loc_63F05A:				; CODE XREF: MiNodeLargeFreeZeroPagesRange(x,x,x)+31j
		mov	ecx, [esi+4]
		add	ecx, [esi]
		lea	esi, [esi+98h]
		imul	ecx, ds:_MiLargePageSizes[edx*4]
		add	eax, ecx
		inc	edx
		cmp	edx, 1
		jbe	short loc_63F05A
		pop	esi

loc_63F076:				; CODE XREF: MiNodeLargeFreeZeroPagesRange(x,x,x)+Dj
		pop	ebp
		retn	4
_MiNodeLargeFreeZeroPagesRange@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTransientPageListWriter(x, x)
_MiTransientPageListWriter@8 proc near	; CODE XREF: .text:004AFED1p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	offset unk_6D2FA0
		mov	ebx, edx
		mov	edi, ecx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	esi, ds:dword_6D2FA4
		mov	[ebp+var_1], al
		jmp	short loc_63F0AA
; 

loc_63F09C:				; CODE XREF: MiTransientPageListWriter(x,x)+32j
		cmp	edi, [esi+1Ch]
		ja	short loc_63F0A7
		jnb	short loc_63F0AE
		mov	esi, [esi]
		jmp	short loc_63F0AA
; 

loc_63F0A7:				; CODE XREF: MiTransientPageListWriter(x,x)+25j
		mov	esi, [esi+4]

loc_63F0AA:				; CODE XREF: MiTransientPageListWriter(x,x)+20j
					; MiTransientPageListWriter(x,x)+2Bj
		test	esi, esi
		jnz	short loc_63F09C

loc_63F0AE:				; CODE XREF: MiTransientPageListWriter(x,x)+27j
		test	esi, esi
		jz	short loc_63F0C4
		cmp	dword ptr [esi+10h], 0
		jz	short loc_63F0C2
		cmp	ebx, [esi+14h]
		jb	short loc_63F0C2
		cmp	ebx, [esi+18h]
		jbe	short loc_63F0C4

loc_63F0C2:				; CODE XREF: MiTransientPageListWriter(x,x)+3Cj
					; MiTransientPageListWriter(x,x)+41j
		xor	esi, esi

loc_63F0C4:				; CODE XREF: MiTransientPageListWriter(x,x)+36j
					; MiTransientPageListWriter(x,x)+46j
		push	offset unk_6D2FA0
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		test	esi, esi
		pop	edi
		pop	esi
		setnz	al
		pop	ebx
		leave
		retn
_MiTransientPageListWriter@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiWakeLargePageWaiters(x)
_MiWakeLargePageWaiters@4 proc near	; CODE XREF: MiInsertLargePageInNodeList(x)+3FCp
					; MiInsertLargePageChain(x,x,x,x,x)+353p ...
		test	ecx, ecx
		jz	short locret_63F0FC
		push	esi

loc_63F0E8:				; CODE XREF: MiWakeLargePageWaiters(x)+16j
		mov	esi, [ecx]
		xor	edx, edx
		add	ecx, 4
		inc	edx
		call	KeSignalGate
		mov	ecx, esi
		test	esi, esi
		jnz	short loc_63F0E8
		pop	esi

locret_63F0FC:				; CODE XREF: MiWakeLargePageWaiters(x)+2j
		retn
_MiWakeLargePageWaiters@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReplaceSystemProtoPtesNode(x, x)
_MiReplaceSystemProtoPtesNode@8	proc near ; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+519p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		lea	edx, [ebp+var_8]
		call	MiObtainProtoBaseFromNode
		push	offset unk_6CF4C4
		mov	ebx, eax
		call	ExAcquireSpinLockExclusive
		push	esi
		push	offset dword_6CF4C0
		mov	[ebp+var_1], al
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		and	dword ptr [esi+0Ch], 0FFFFFFF7h
		mov	ecx, ds:dword_6CF4C0
		mov	byte ptr [ebp+var_8], 0
		test	ecx, ecx
		jz	short loc_63F1A6

loc_63F13F:				; CODE XREF: MiReplaceSystemProtoPtesNode(x,x)+A3j
		mov	eax, [ecx+0Ch]
		and	eax, 7
		sub	eax, 0
		jz	short loc_63F184
		sub	eax, 1
		jz	short loc_63F17F
		sub	eax, 1
		jz	short loc_63F168
		sub	eax, 1
		jz	short loc_63F163
		sub	eax, 1
		jnz	short loc_63F18B
		mov	edx, [ecx+10h]
		jmp	short loc_63F187
; 

loc_63F163:				; CODE XREF: MiReplaceSystemProtoPtesNode(x,x)+5Aj
		mov	edx, [ecx+18h]
		jmp	short loc_63F187
; 

loc_63F168:				; CODE XREF: MiReplaceSystemProtoPtesNode(x,x)+55j
		mov	eax, [ecx-28h]
		add	eax, 50h
		xor	esi, esi
		mov	edx, [eax+4]

loc_63F173:				; CODE XREF: MiReplaceSystemProtoPtesNode(x,x)+7Ej
		add	esi, [eax+1Ch]
		mov	eax, [eax+8]
		test	eax, eax
		jnz	short loc_63F173
		jmp	short loc_63F187
; 

loc_63F17F:				; CODE XREF: MiReplaceSystemProtoPtesNode(x,x)+50j
		mov	edx, [ecx-24h]
		jmp	short loc_63F187
; 

loc_63F184:				; CODE XREF: MiReplaceSystemProtoPtesNode(x,x)+4Bj
		mov	edx, [ecx-40h]

loc_63F187:				; CODE XREF: MiReplaceSystemProtoPtesNode(x,x)+64j
					; MiReplaceSystemProtoPtesNode(x,x)+69j ...
		cmp	ebx, edx
		jb	short loc_63F198

loc_63F18B:				; CODE XREF: MiReplaceSystemProtoPtesNode(x,x)+5Fj
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_63F19E
		mov	byte ptr [ebp+var_8], 1
		jmp	short loc_63F1A6
; 

loc_63F198:				; CODE XREF: MiReplaceSystemProtoPtesNode(x,x)+8Cj
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_63F1A2

loc_63F19E:				; CODE XREF: MiReplaceSystemProtoPtesNode(x,x)+93j
		mov	ecx, eax
		jmp	short loc_63F13F
; 

loc_63F1A2:				; CODE XREF: MiReplaceSystemProtoPtesNode(x,x)+9Fj
		mov	byte ptr [ebp+var_8], 0

loc_63F1A6:				; CODE XREF: MiReplaceSystemProtoPtesNode(x,x)+40j
					; MiReplaceSystemProtoPtesNode(x,x)+99j
		push	edi
		push	[ebp+var_8]
		push	ecx
		push	offset dword_6CF4C0
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		or	dword ptr [edi+0Ch], 8
		push	offset unk_6CF4C4
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiReplaceSystemProtoPtesNode@8	endp


;  S U B	R O U T	I N E 


; __stdcall MiImageCantMove(x)
_MiImageCantMove@4 proc	near		; CODE XREF: PAGE:0079389Ap
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+24h]
		push	esi
		call	ExAcquireSpinLockExclusive
		or	dword ptr [edi+34h], 20000h
		mov	bl, al
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiImageCantMove@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiStrongCodeImage(x, x)
_MiStrongCodeImage@8 proc near		; CODE XREF: PAGE:007938CFp
					; PAGE:00793AFBp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		lea	eax, [ebx+24h]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	edx, [ebx+34h]
		mov	esi, edx
		shr	esi, 12h
		and	esi, 3
		mov	[ebp+var_1], al
		cmp	esi, edi
		jnb	short loc_63F233
		shl	edi, 12h
		xor	edi, edx
		and	edi, 0C0000h
		xor	edi, edx
		mov	[ebx+34h], edi

loc_63F233:				; CODE XREF: MiStrongCodeImage(x,x)+26j
		lea	eax, [ebx+24h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiStrongCodeImage@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakePerSessionProtoPte(x,	x, x, x)
_MiMakePerSessionProtoPte@16 proc near	; CODE XREF: .text:00543D9Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ebx, eax
		mov	ecx, edx
		mov	[ebp+var_4], ebx
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_8], eax
		cmp	ebx, eax
		jz	short loc_63F2D7
		mov	esi, [ebp+arg_4]
		mov	ecx, [esi+2Ch]
		mov	[ebp+arg_4], ecx
		mov	ebx, [ecx]
		test	dword ptr [ebx+1Ch], 4000000h
		jz	short loc_63F2D7
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+arg_4]
		push	eax
		shr	edx, 3
		mov	ecx, esi
		push	0
		and	edx, 0FFFFFh
		call	MiGetProtoPteAddress
		mov	esi, eax
		test	esi, esi
		jz	short loc_63F2D7
		mov	edi, [ebp+arg_4]
		test	byte ptr [edi+12h], 2
		jz	short loc_63F2D7
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	edi
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		push	edi
		sub	esi, [eax+24h]
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		and	esi, 0FFFFFFF8h
		add	esi, [eax+24h]
		xor	eax, eax
		or	eax, 400h
		push	esi
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		jmp	short loc_63F2E2
; 

loc_63F2D7:				; CODE XREF: MiMakePerSessionProtoPte(x,x,x,x)+20j
					; MiMakePerSessionProtoPte(x,x,x,x)+34j ...
		mov	eax, ds:_ZeroPte
		mov	edx, ds:dword_40F9FC

loc_63F2E2:				; CODE XREF: MiMakePerSessionProtoPte(x,x,x,x)+8Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiMakePerSessionProtoPte@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiDereferenceVadUnsafe(x)
_MiDereferenceVadUnsafe@4 proc near	; CODE XREF: MiDeprioritizeVad+90719p
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+14h], eax
		dec	eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_63F2FC
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_63F2FC:				; CODE XREF: MiDereferenceVadUnsafe(x)+Cj
		test	eax, eax
		jnz	short loc_63F308
		test	byte ptr [ecx+1Ch], 4
		jz	short loc_63F308
		inc	eax
		retn
; 

loc_63F308:				; CODE XREF: MiDereferenceVadUnsafe(x)+15j
					; MiDereferenceVadUnsafe(x)+1Bj
		xor	eax, eax
		retn
_MiDereferenceVadUnsafe@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetVadCacheAttribute(x)
_MiGetVadCacheAttribute@4 proc near	; CODE XREF: MiProtectAweRegion(x,x,x,x,x):loc_6387F4p
					; MiProcessVaContiguityInformation(x,x,x)+127p	...
		mov	ecx, [ecx+1Ch]
		xor	eax, eax
		shr	ecx, 7
		inc	eax
		and	ecx, 1Fh
		mov	edx, ecx
		shr	edx, 3
		cmp	edx, 3
		jnz	short loc_63F32A
		test	cl, 7
		jz	short locret_63F330
		push	2
		pop	eax
		retn
; 

loc_63F32A:				; CODE XREF: MiGetVadCacheAttribute(x)+14j
		cmp	edx, eax
		jnz	short locret_63F330
		xor	eax, eax

locret_63F330:				; CODE XREF: MiGetVadCacheAttribute(x)+19j
					; MiGetVadCacheAttribute(x)+21j
		retn
_MiGetVadCacheAttribute@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetVadPageSize(x)
_MiGetVadPageSize@4 proc near		; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+521p
					; MiCheckSecuredVad+164BE2p ...
		mov	eax, [ecx+1Ch]
		shr	eax, 12h
		and	eax, 3
		mov	eax, ds:_MiVadPageSizes[eax*4]
		retn
_MiGetVadPageSize@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetVadPtesInCluster(x)
_MiGetVadPtesInCluster@4 proc near	; CODE XREF: MiMakeVaRangeNoAccess(x,x,x,x,x,x)+8Ap
					; MiDecommitLargePte(x,x,x,x,x,x)+25p
		mov	ecx, [ecx+1Ch]
		xor	eax, eax
		shr	ecx, 12h
		and	ecx, 3
		cmp	ds:_MiVadPageSizes[ecx*4], 10h
		setnz	al
		dec	eax
		and	eax, 0Fh
		inc	eax
		retn
_MiGetVadPtesInCluster@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiUnlockAndDereferenceNestedVad(x)
_MiUnlockAndDereferenceNestedVad@4 proc	near ; CODE XREF: MiFinishVadDeletion+14FBE4p
					; MiReserveUserMemory:loc_8DC650p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		call	_MiDereferenceVad@4 ; MiDereferenceVad(x)
		mov	ecx, edi
		mov	esi, eax
		call	_MiUnlockNestedVad@4 ; MiUnlockNestedVad(x)
		cmp	esi, 1
		jnz	short loc_63F37F
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_63F37F:				; CODE XREF: MiUnlockAndDereferenceNestedVad(x)+17j
		pop	edi
		pop	esi
		retn
_MiUnlockAndDereferenceNestedVad@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWaitForVadDeletion(x)
_MiWaitForVadDeletion@4	proc near	; CODE XREF: MiObtainReferencedVadEx+14B440p
					; MiObtainReferencedSecureVad+131083p ...

var_56		= byte ptr -56h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_42		= byte ptr -42h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 48h
		mov	eax, ecx
		xor	ecx, ecx
		push	esi
		or	esi, 0FFFFFFFFh
		mov	[esp+4Ch+var_38], eax
		push	edi
		mov	[esp+50h+var_28], ecx
		mov	[esp+50h+var_21], cl
		mov	[esp+50h+var_14], ecx
		mov	[esp+50h+var_10], ecx
		mov	[esp+50h+var_C], ecx
		mov	[esp+50h+var_8], ecx
		mov	[esp+50h+var_3C], esi
		cmp	[eax+8], esi
		jz	loc_63F5FE
		mov	edi, large fs:124h
		xor	edx, edx
		inc	edx
		mov	[esp+50h+var_20], ecx
		lea	ecx, [esp+50h+var_1C]
		mov	[esp+50h+var_4], edx
		mov	[esp+2Dh], dl
		mov	[esp+50h+var_18], ecx
		mov	[esp+50h+var_1C], ecx
		mov	ecx, eax
		push	edx
		lea	edx, [esp+54h+var_28]
		mov	[esp+54h+var_2C], edi
		mov	[esp+54h+var_24], 7
		mov	[esp+54h+var_22], 4
		call	_MiInsertVadEvent@12 ; MiInsertVadEvent(x,x,x)
		mov	ecx, [esp+50h+var_38]
		mov	eax, esi
		and	byte ptr [edi+304h], 7Fh
		add	ecx, 18h
		mov	[esp+50h+var_40], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_63F422
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [esp+50h+var_40]

loc_63F422:				; CODE XREF: MiWaitForVadDeletion(x)+95j
		xor	edi, edi
		mov	[esp+50h+var_38], edi
		test	ecx, 7FFFFFFCh
		jz	loc_63F5C9
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[esp+50h+var_30], esi
		cmp	ecx, edx
		jb	short loc_63F479
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_63F464
		cmp	ecx, edx
		jb	short loc_63F479
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_63F479

loc_63F464:				; CODE XREF: MiWaitForVadDeletion(x)+D3j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [esp+50h+var_40]
		mov	[esp+50h+var_3C], eax
		jmp	short loc_63F47C
; 

loc_63F479:				; CODE XREF: MiWaitForVadDeletion(x)+CAj
					; MiWaitForVadDeletion(x)+D7j ...
		or	eax, 0FFFFFFFFh

loc_63F47C:				; CODE XREF: MiWaitForVadDeletion(x)+F5j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[esp+0Fh], dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+50h+var_34], ecx
		test	ecx, ecx
		jnz	short loc_63F4CC
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_63F542
		mov	edi, [esp+50h+var_40]
		push	ecx
		push	[esp+54h+var_3C]
		push	edi
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_63F4CC:				; CODE XREF: MiWaitForVadDeletion(x)+125j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_63F4E3
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+64h+var_48]

loc_63F4E3:				; CODE XREF: MiWaitForVadDeletion(x)+156j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+64h+var_4C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [esp+0Fh], 1
		mov	edx, eax
		jnz	short loc_63F52F
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_63F542
; 

loc_63F52F:				; CODE XREF: MiWaitForVadDeletion(x)+199j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [esp+20h]

loc_63F542:				; CODE XREF: MiWaitForVadDeletion(x)+12Fj
					; MiWaitForVadDeletion(x)+1ABj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+20h], eax
		jz	short loc_63F5AB
		test	edi, 8000h
		jz	short loc_63F567
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_63F567:				; CODE XREF: MiWaitForVadDeletion(x)+1DAj
		test	byte ptr [esp+64h+var_4C+2], 1
		jz	short loc_63F578
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_63F578:				; CODE XREF: MiWaitForVadDeletion(x)+1EAj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_63F58C
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_63F58C:				; CODE XREF: MiWaitForVadDeletion(x)+1FDj
		test	dword ptr ds:byte_70EFC4, 200h
		mov	edi, [esp+64h+var_54]
		jz	short loc_63F5AF
		push	dword ptr [esp+20h]
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	short loc_63F5AF
; 

loc_63F5AB:				; CODE XREF: MiWaitForVadDeletion(x)+1D2j
		mov	edi, [esp+64h+var_54]

loc_63F5AF:				; CODE XREF: MiWaitForVadDeletion(x)+218j
					; MiWaitForVadDeletion(x)+227j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_63F5CD
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_63F5CD
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_63F5CD
; 

loc_63F5C9:				; CODE XREF: MiWaitForVadDeletion(x)+ACj
		mov	edi, [esp+50h+var_40]

loc_63F5CD:				; CODE XREF: MiWaitForVadDeletion(x)+236j
					; MiWaitForVadDeletion(x)+23Ej	...
		mov	esi, [esp+50h+var_2C]
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		push	ecx
		push	12h
		pop	edx
		lea	ecx, [esp+54h+var_24]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		dec	word ptr [esi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi+304h], 80h
		nop

loc_63F5FE:				; CODE XREF: MiWaitForVadDeletion(x)+37j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_MiWaitForVadDeletion@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRoundUpToPowerOf2SizeT(x)
_MiRoundUpToPowerOf2SizeT@4 proc near	; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+6Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, ecx
		bsr	ecx, edx
		mov	eax, edx
		jz	short loc_63F618
		xor	eax, eax
		inc	eax
		shl	eax, cl

loc_63F618:				; CODE XREF: MiRoundUpToPowerOf2SizeT(x)+Dj
		cmp	eax, edx
		jz	short locret_63F61E
		add	eax, eax

locret_63F61E:				; CODE XREF: MiRoundUpToPowerOf2SizeT(x)+16j
		leave
		retn
_MiRoundUpToPowerOf2SizeT@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWaitForAvailablePages(x, x)
_MiWaitForAvailablePages@8 proc	near	; CODE XREF: MiDelayFaultingThread+8820Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ebx, edx
		lea	edx, [ebp+var_C]
		lea	ecx, [esi+0A80h]
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	dword ptr [esi+0FC0h], 420h
		jb	short loc_63F6A1
		test	ds:byte_70EFC6,	1
		jz	short loc_63F667
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63F696
; 

loc_63F667:				; CODE XREF: MiWaitForAvailablePages(x,x)+38j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_63F686
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_63F696
		call	KxWaitForLockChainValid

loc_63F686:				; CODE XREF: MiWaitForAvailablePages(x,x)+4Cj
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_63F696:				; CODE XREF: MiWaitForAvailablePages(x,x)+45j
					; MiWaitForAvailablePages(x,x)+5Fj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_63F704
; 

loc_63F6A1:				; CODE XREF: MiWaitForAvailablePages(x,x)+2Fj
		add	esi, 0AACh
		push	esi
		call	_KeResetEvent@4	; KeResetEvent(x)
		xor	edi, edi
		test	ds:byte_70EFC6,	1
		jz	short loc_63F6C5
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63F6F0
; 

loc_63F6C5:				; CODE XREF: MiWaitForAvailablePages(x,x)+96j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_63F6E4
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_63F6F0
		call	KxWaitForLockChainValid

loc_63F6E4:				; CODE XREF: MiWaitForAvailablePages(x,x)+AAj
		xor	ecx, ecx
		mov	[ebp+var_C], edi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_63F6F0:				; CODE XREF: MiWaitForAvailablePages(x,x)+A3j
					; MiWaitForAvailablePages(x,x)+BDj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ebx
		push	edi
		push	edi
		push	8
		push	esi
		call	KeWaitForSingleObject

loc_63F704:				; CODE XREF: MiWaitForAvailablePages(x,x)+7Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiWaitForAvailablePages@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiWaitForFreePage(x, x)
_MiWaitForFreePage@8 proc near		; CODE XREF: MiWalkPageTablesRecursively(x,x,x)+A77p
					; MiMakePageAvoidRead(x,x,x,x,x,x,x)+17Ap ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+20h+var_C]
		stosd
		lea	edx, [esp+20h+var_C]
		mov	ebx, ecx
		stosd
		lea	ecx, [ebx+0A80h]
		stosd
		mov	eax, large fs:124h
		mov	esi, [eax+300h]
		and	esi, 2
		mov	edi, esi
		neg	edi
		sbb	edi, edi
		and	edi, 0FFFFFF82h
		neg	esi
		sbb	esi, esi
		and	esi, 0FFFFFFECh
		add	esi, 0A98h
		add	esi, ebx
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, [esi+10h]
		mov	[esp+20h+var_10], eax

loc_63F75F:				; CODE XREF: MiWaitForFreePage(x,x)+111j
		lea	edx, [edi+0A0h]
		mov	ecx, ebx
		call	MiSufficientAvailablePages
		test	eax, eax
		jnz	loc_63F81F
		push	esi
		call	_KeResetEvent@4	; KeResetEvent(x)
		test	ds:byte_70EFC6,	1
		jz	short loc_63F791
		mov	edx, [ebp+4]
		lea	ecx, [esp+20h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63F7C5
; 

loc_63F791:				; CODE XREF: MiWaitForFreePage(x,x)+78j
		mov	eax, [esp+20h+var_C]
		test	eax, eax
		jnz	short loc_63F7B4
		mov	edx, [esp+20h+var_8]
		lea	eax, [esp+20h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+20h+var_C]
		cmp	eax, ecx
		jz	short loc_63F7C5
		call	KxWaitForLockChainValid

loc_63F7B4:				; CODE XREF: MiWaitForFreePage(x,x)+8Ej
		xor	ecx, ecx
		mov	[esp+20h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_63F7C5:				; CODE XREF: MiWaitForFreePage(x,x)+86j
					; MiWaitForFreePage(x,x)+A4j
		mov	cl, [esp+20h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, ebx
		call	_MiObtainFreePages@4 ; MiObtainFreePages(x)
		push	offset _MiNoPagesTimeout
		push	0
		push	0
		push	8
		push	esi
		call	KeWaitForSingleObject
		cmp	eax, 102h
		jnz	short loc_63F804
		mov	eax, [esp+20h+var_10]
		cmp	eax, [esi+10h]
		jnz	short loc_63F804
		lea	edx, [edi+0A0h]
		mov	ecx, ebx
		call	_MiNoPagesLastChance@8 ; MiNoPagesLastChance(x,x)

loc_63F804:				; CODE XREF: MiWaitForFreePage(x,x)+E3j
					; MiWaitForFreePage(x,x)+ECj
		mov	eax, [esi+10h]
		lea	edx, [esp+20h+var_C]
		lea	ecx, [ebx+0A80h]
		mov	[esp+20h+var_10], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		jmp	loc_63F75F
; 

loc_63F81F:				; CODE XREF: MiWaitForFreePage(x,x)+65j
		test	ds:byte_70EFC6,	1
		jz	short loc_63F836
		mov	edx, [ebp+4]
		lea	ecx, [esp+20h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63F86A
; 

loc_63F836:				; CODE XREF: MiWaitForFreePage(x,x)+11Dj
		mov	eax, [esp+20h+var_C]
		test	eax, eax
		jnz	short loc_63F859
		mov	edx, [esp+20h+var_8]
		lea	eax, [esp+20h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+20h+var_C]
		cmp	eax, ecx
		jz	short loc_63F86A
		call	KxWaitForLockChainValid

loc_63F859:				; CODE XREF: MiWaitForFreePage(x,x)+133j
		xor	ecx, ecx
		mov	[esp+20h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_63F86A:				; CODE XREF: MiWaitForFreePage(x,x)+12Bj
					; MiWaitForFreePage(x,x)+149j
		mov	cl, [esp+20h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiWaitForFreePage@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteUnusedSoftwareWsle(x, x, x)
_MiDeleteUnusedSoftwareWsle@12 proc near ; CODE	XREF: MiCreateSoftwareWsle+109F28p

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		xor	ebx, ebx
		lea	eax, [esp+0C4h+var_A0]
		mov	edi, ecx
		mov	esi, edx
		push	ebx		; int
		push	eax		; void *
		mov	[esp+0CCh+var_A4], edi
		call	_memset
		add	esp, 0Ch
		mov	ecx, edi
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		mov	[esp+0C0h+var_A0], eax
		mov	[esp+0C0h+var_9C], bx
		mov	[esp+0C0h+var_90], ebx
		mov	[esp+0C0h+var_98], 21h
		mov	[esp+0C0h+var_8C], ebx
		cmp	[ebp+arg_0], ebx
		jz	loc_63FA0B

loc_63F8E0:				; CODE XREF: MiDeleteUnusedSoftwareWsle(x,x,x)+18Aj
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		shrd	ecx, eax, 0Ch
		mov	eax, ds:_ZeroPte
		and	ecx, 1FFFFFFh
		imul	ebx, ecx, 1Ch
		add	ebx, ds:_MmPfnDatabase
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+4], eax
		test	byte ptr [edi+60h], 7
		jz	short loc_63F949
		lea	eax, [esi+3FA00000h]
		cmp	eax, 3FFFh
		ja	short loc_63F949
		jmp	short loc_63F929
; 

loc_63F91E:				; CODE XREF: MiDeleteUnusedSoftwareWsle(x,x,x)+B4j
		cmp	esi, 0C07FFFFFh
		ja	short loc_63F931
		shl	esi, 9

loc_63F929:				; CODE XREF: MiDeleteUnusedSoftwareWsle(x,x,x)+A1j
		cmp	esi, 0C0000000h
		jnb	short loc_63F91E

loc_63F931:				; CODE XREF: MiDeleteUnusedSoftwareWsle(x,x,x)+A9j
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		mov	edx, esi
		mov	ecx, esi
		call	MiReplicatePteChange

loc_63F949:				; CODE XREF: MiDeleteUnusedSoftwareWsle(x,x,x)+92j
					; MiDeleteUnusedSoftwareWsle(x,x,x)+9Fj
		push	0
		mov	edx, esi
		lea	ecx, [esp+0C4h+var_A0]
		push	1
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [esp+0C0h+var_A0]
		call	MiFlushTbList
		mov	eax, [ebx+18h]
		lea	edi, [ebx+10h]
		and	eax, offset loc_7FFFFF
		and	[esp+0C0h+var_B0], 0
		mov	[esp+0C0h+var_AC], eax
		jmp	short loc_63F989
; 

loc_63F97A:				; CODE XREF: MiDeleteUnusedSoftwareWsle(x,x,x)+10Cj
					; MiDeleteUnusedSoftwareWsle(x,x,x)+113j
		lea	ecx, [esp+0C0h+var_B0]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_63F97A

loc_63F989:				; CODE XREF: MiDeleteUnusedSoftwareWsle(x,x,x)+FDj
		lock bts dword ptr [edi], 1Fh
		jb	short loc_63F97A
		or	dword ptr [edi], 40000000h
		or	edx, 0FFFFFFFFh
		mov	ecx, ebx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		xor	edx, edx
		call	_MiPfnShareCountIsZero@8 ; MiPfnShareCountIsZero(x,x)
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		imul	ebx, [esp+0C0h+var_AC],	1Ch
		add	ebx, ds:_MmPfnDatabase
		and	[esp+0C0h+var_A8], 0
		lea	edi, [ebx+10h]
		jmp	short loc_63F9D3
; 

loc_63F9C4:				; CODE XREF: MiDeleteUnusedSoftwareWsle(x,x,x)+156j
					; MiDeleteUnusedSoftwareWsle(x,x,x)+15Dj
		lea	ecx, [esp+0C0h+var_A8]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_63F9C4

loc_63F9D3:				; CODE XREF: MiDeleteUnusedSoftwareWsle(x,x,x)+147j
		lock bts dword ptr [edi], 1Fh
		jb	short loc_63F9C4
		mov	ecx, ebx
		call	MiDecrementShareCount
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	eax, [ebp+arg_0]
		mov	edi, [esp+0C0h+var_A4]
		dec	eax
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		mov	[ebp+arg_0], eax
		sub	esi, 40000000h
		test	eax, eax
		jnz	loc_63F8E0

loc_63FA0B:				; CODE XREF: MiDeleteUnusedSoftwareWsle(x,x,x)+5Fj
		mov	ecx, [esp+0C0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_MiDeleteUnusedSoftwareWsle@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiVaInWsleSpace(x)
_MiVaInWsleSpace@4 proc	near		; CODE XREF: MiTranslatePageForCopy(x,x,x,x,x)+ADp
		xor	edx, edx

loc_63FA24:				; CODE XREF: MiVaInWsleSpace(x)+1Ej
		mov	eax, ds:dword_6D2E68[edx*4]
		test	eax, eax
		jz	short loc_63FA3C
		cmp	ecx, eax
		jb	short loc_63FA3C
		add	eax, 100000h
		cmp	ecx, eax
		jb	short loc_63FA46

loc_63FA3C:				; CODE XREF: MiVaInWsleSpace(x)+Bj
					; MiVaInWsleSpace(x)+Fj
		inc	edx
		cmp	edx, 2
		jle	short loc_63FA24
		push	8
		pop	eax
		retn
; 

loc_63FA46:				; CODE XREF: MiVaInWsleSpace(x)+18j
		mov	eax, edx
		retn
_MiVaInWsleSpace@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiContractWsSwapPageFileWorker(x)
_MiContractWsSwapPageFileWorker@4 proc near ; DATA XREF: MiInitializeWsSwapping(x)+Eo
					; MiInitializePartition+381o

var_50		= dword	ptr -50h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_24		= byte ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	_MiWsSwapPageFileNumber@4 ; MiWsSwapPageFileNumber(x)
		mov	ecx, large fs:124h
		push	34h		; size_t
		push	0		; int
		mov	esi, [edi+eax*4+0F54h]
		lea	eax, [ebp+var_50]
		push	eax		; void *
		mov	[ebp+var_14], ecx
		call	_memset
		mov	[ebp+var_44], edi
		add	esp, 0Ch
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_40], edi
		mov	al, [esi+74h]
		and	al, 0Fh
		mov	[ebp+var_C], edi
		push	0
		mov	[ebp+var_24], al
		lea	eax, [ebp+var_38]
		push	0
		push	eax
		mov	[ebp+var_3C], 10000h
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [ebp+var_14]
		dec	word ptr [eax+13Eh]
		nop
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		add	esi, 2ACh
		mov	ecx, esi
		mov	[ebp+var_8], esi
		call	ExAcquirePushLockExclusiveEx
		xor	edx, edx
		lea	ecx, [ebp+var_50]
		push	21h
		inc	edx
		call	_MiQueuePageFileExtension@12 ; MiQueuePageFileExtension(x,x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, edi
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_63FAF5
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_63FAF5:				; CODE XREF: MiContractWsSwapPageFileWorker(x)+A3j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	esi, 7FFFFFFCh
		jz	loc_63FC81
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_1C], esi
		cmp	eax, edx
		jb	short loc_63FB49
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_63FB38
		cmp	eax, edx
		jb	short loc_63FB49
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_63FB49

loc_63FB38:				; CODE XREF: MiContractWsSwapPageFileWorker(x)+E0j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]

loc_63FB49:				; CODE XREF: MiContractWsSwapPageFileWorker(x)+D7j
					; MiContractWsSwapPageFileWorker(x)+E4j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	edx, eax
		push	[ebp+var_C]
		mov	[ebp+var_1], cl
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jnz	short loc_63FB96
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_63FC08
		push	ecx
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_63FB96:				; CODE XREF: MiContractWsSwapPageFileWorker(x)+12Bj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_63FBAC
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_18]

loc_63FBAC:				; CODE XREF: MiContractWsSwapPageFileWorker(x)+159j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	short loc_63FBF6
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_63FC08
; 

loc_63FBF6:				; CODE XREF: MiContractWsSwapPageFileWorker(x)+199j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_1C]

loc_63FC08:				; CODE XREF: MiContractWsSwapPageFileWorker(x)+135j
					; MiContractWsSwapPageFileWorker(x)+1ABj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_1C], eax
		jz	short loc_63FC69
		test	edi, 8000h
		jz	short loc_63FC2C
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_63FC2C:				; CODE XREF: MiContractWsSwapPageFileWorker(x)+1D8j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_63FC3C
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_63FC3C:				; CODE XREF: MiContractWsSwapPageFileWorker(x)+1E7j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_63FC50
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_63FC50:				; CODE XREF: MiContractWsSwapPageFileWorker(x)+1FAj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_63FC69
		push	[ebp+var_1C]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_63FC69:				; CODE XREF: MiContractWsSwapPageFileWorker(x)+1D0j
					; MiContractWsSwapPageFileWorker(x)+211j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_63FC81
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_63FC81
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_63FC81:				; CODE XREF: MiContractWsSwapPageFileWorker(x)+B7j
					; MiContractWsSwapPageFileWorker(x)+229j ...
		mov	ecx, [ebp+var_14]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		lea	eax, [ecx+2A8h]
		xchg	edx, [eax]
		mov	ecx, [ecx+64h]
		call	PsDereferencePartition
		pop	edi
		pop	esi
		leave
		retn	4
_MiContractWsSwapPageFileWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocateCombineProto(x, x, x, x, x, x)
_MiAllocateCombineProto@24 proc	near	; CODE XREF: MiSharePages(x,x,x,x,x)+997p
					; MiSharePages(x,x,x,x,x)+C4Cp	...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_10], edx
		lea	edi, [ebp+var_1C]
		mov	ebx, ecx
		stosd
		mov	[ebp+var_8], ebx
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		or	eax, [ebp+arg_4]
		jz	loc_63FE24
		mov	eax, [ebp+arg_0]
		xor	esi, esi
		and	eax, 0Fh
		lea	eax, ds:34h[eax*8]
		add	eax, ebx
		push	eax
		mov	[ebp+var_C], eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		push	[ebp+arg_8]
		mov	edx, [ebp+var_10]
		mov	ecx, ebx
		push	[ebp+arg_4]
		mov	[ebp+var_1], al
		push	[ebp+arg_0]
		call	_MiLocateCombineBlock@20 ; MiLocateCombineBlock(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_63FD4A
		mov	edx, [edi+18h]
		test	edx, edx
		jz	short loc_63FD21

loc_63FD08:				; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+7Bj
		lea	ecx, [edx+1]
		mov	eax, edx
		lea	ebx, [edi+18h]
		lock cmpxchg [ebx], ecx
		mov	ebx, [ebp+var_8]
		cmp	eax, edx
		jz	short loc_63FD25
		mov	edx, eax
		test	eax, eax
		jnz	short loc_63FD08

loc_63FD21:				; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+62j
		xor	edi, edi
		jmp	short loc_63FD4D
; 

loc_63FD25:				; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+75j
		push	[ebp+var_C]
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	ecx, ecx
		lea	eax, [ebx+0D8h]
		inc	ecx
		lock xadd [eax], ecx
		mov	eax, edi
		jmp	loc_63FE26
; 

loc_63FD4A:				; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+5Bj
		mov	edi, [ebp+arg_C]

loc_63FD4D:				; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+7Fj
		push	[ebp+var_C]
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	loc_63FE24
		lea	ecx, [ebx+2Ch]
		lea	edx, [ebp+var_1C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	eax, [ebx+24h]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_63FD97
		mov	esi, ecx
		mov	ecx, [esi]
		cmp	[esi+4], eax
		jnz	short loc_63FDAF
		cmp	[ecx+4], esi
		jnz	short loc_63FDAF
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, esi
		and	eax, 0FFFFF000h
		inc	dword ptr [eax+4]

loc_63FD97:				; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+D4j
		xor	ebx, ebx
		inc	ebx
		test	ds:byte_70EFC6,	bl
		jz	short loc_63FDB4
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_63FDE0
; 

loc_63FDAF:				; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+DDj
					; MiAllocateCombineProto(x,x,x,x,x,x)+E2j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_63FDB4:				; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+FCj
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_63FDD3
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_63FDE0
		call	KxWaitForLockChainValid

loc_63FDD3:				; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+115j
		mov	[ebp+var_1C], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_63FDE0:				; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+109j
					; MiAllocateCombineProto(x,x,x,x,x,x)+128j
		mov	cl, [ebp+var_14]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jnz	short loc_63FE2D
		push	esi
		push	112h
		mov	edx, 6D75534Dh
		mov	ecx, 1000h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_63FE24
		push	ecx
		mov	ecx, [ebp+var_8]
		lea	edx, [edi+30h]
		mov	[edi+4], ebx
		call	_MiInsertNewCombineBlocks@12 ; MiInsertNewCombineBlocks(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_63FE2D
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_63FE24:				; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+21j
					; MiAllocateCombineProto(x,x,x,x,x,x)+BCj ...
		xor	eax, eax

loc_63FE26:				; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+A1j
					; MiAllocateCombineProto(x,x,x,x,x,x)+1C1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_63FE2D:				; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+147j
					; MiAllocateCombineProto(x,x,x,x,x,x)+177j
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		lea	eax, [edx+0D4h]
		lock xadd [eax], ecx
		mov	eax, [esi+1Ch]
		xor	eax, [ebp+var_10]
		mov	ecx, [ebp+arg_8]
		and	eax, 1Fh
		xor	[esi+1Ch], eax
		mov	[esi+18h], ebx
		mov	eax, [ecx]
		mov	[esi+28h], eax
		mov	eax, [ecx+4]
		mov	[esi+2Ch], eax
		lea	eax, [edx+0D8h]
		lock xadd [eax], ebx
		mov	eax, esi
		jmp	short loc_63FE26
_MiAllocateCombineProto@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCapturePfnVm(x, x, x, x, x, x, x,	x, x)
_MiCapturePfnVm@36 proc	near		; CODE XREF: MiProcessCrcList(x,x,x,x)+19Fp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_10]
		and	dword ptr [eax], 0
		mov	eax, [ebp+arg_14]
		push	edi
		push	[ebp+arg_8]
		and	dword ptr [esi], 0
		mov	edi, edx
		push	[ebp+arg_4]
		mov	dword ptr [eax], 18h
		xor	edx, edx
		mov	eax, [ecx]
		mov	[ebp+var_4], eax
		call	_MiHashIsCommon@16 ; MiHashIsCommon(x,x,x,x)
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_63FEB3
		mov	ecx, [ebp+arg_18]
		inc	ebx
		mov	eax, ds:dword_6D2F90
		mov	[ecx], eax
		mov	eax, ds:dword_6D2F94
		mov	[ecx+4], eax

loc_63FEB3:				; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+37j
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		push	edi
		mov	byte ptr [ebp+arg_10+3], al
		call	_MiCombineCandidate@12 ; MiCombineCandidate(x,x,x)
		mov	edx, eax
		mov	[ebp+arg_0], edx
		test	edx, edx
		jnz	short loc_63FEED
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+arg_10+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		jmp	loc_64000C
; 

loc_63FEED:				; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+69j
		mov	eax, [edi+4]
		mov	ecx, [edi+8]
		or	eax, 80000000h
		mov	[esi], eax
		mov	eax, [edi+0Ch]
		shrd	ecx, eax, 5
		mov	eax, [ebp+arg_14]
		and	ecx, 1Fh
		mov	[eax], ecx
		cmp	edx, 1
		jnz	short loc_63FF86
		mov	ecx, edi
		call	MiGetTopLevelPfn
		mov	[ebp+arg_8], eax
		mov	edx, [eax]
		shr	edx, 1
		and	edx, 0FFFFFFF8h
		or	edx, 80000000h
		mov	ecx, edx
		mov	[ebp+arg_14], edx
		call	_MiIsStoreProcess@4 ; MiIsStoreProcess(x)
		mov	esi, eax
		lea	ecx, [edx+240h]
		neg	esi
		sbb	esi, esi
		not	esi
		and	esi, ecx
		test	dword ptr [edx+494h], 1000h
		jz	short loc_63FF55
		mov	eax, esi
		mov	esi, ebx
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_63FF55:				; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+E2j
		mov	ecx, [ebp+arg_14]
		mov	edx, 746C6644h
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	short loc_63FF70
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+arg_14]
		mov	[ecx], eax
		jmp	short loc_63FF72
; 

loc_63FF70:				; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+FDj
		xor	esi, esi

loc_63FF72:				; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+107j
		mov	eax, [ebp+arg_8]
		mov	ecx, 7FFFFFFFh
		cmp	eax, edi
		jz	short loc_63FFBF
		add	eax, 10h
		lock and [eax],	ecx
		jmp	short loc_63FFBF
; 

loc_63FF86:				; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+A5j
		test	ebx, ebx
		jz	short loc_63FFB8
		push	2
		pop	ecx
		cmp	edx, ecx
		jnz	short loc_63FF9A
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	esi, eax
		jmp	short loc_63FFBA
; 

loc_63FF9A:				; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+128j
		mov	ecx, edi
		call	MiReferenceOwningSession
		test	eax, eax
		jz	short loc_63FFB8
		mov	ecx, [ebp+arg_C]
		mov	esi, [eax+180h]
		add	esi, 0C0h
		mov	[ecx], eax
		jmp	short loc_63FFBA
; 

loc_63FFB8:				; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+121j
					; MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+13Cj
		xor	esi, esi

loc_63FFBA:				; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+131j
					; MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+14Fj
		mov	ecx, 7FFFFFFFh

loc_63FFBF:				; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+115j
					; MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+11Dj
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+arg_10+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_64000A
		mov	edi, [ebp+arg_0]
		test	ebx, ebx
		jnz	short loc_63FFEA
		mov	edx, esi
		mov	ecx, edi
		call	_MiGetCombineDomain@8 ;	MiGetCombineDomain(x,x)
		mov	ecx, [ebp+arg_18]
		mov	[ecx], eax
		mov	[ecx+4], edx

loc_63FFEA:				; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+170j
		cmp	edi, 1
		jnz	short loc_64000A
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		cmp	dword ptr [ecx+3E4h], 0
		jz	short loc_64000A
		mov	edx, ebx
		call	_VmCheckPageCombine@8 ;	VmCheckPageCombine(x,x)

loc_640004:				; DATA XREF: SymCryptInit()o
					; SymCryptInitEnvCommon(x)+7o ...
		neg	eax
		sbb	eax, eax
		and	esi, eax

loc_64000A:				; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+169j
					; MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+186j ...
		mov	eax, esi

loc_64000C:				; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+81j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_MiCapturePfnVm@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl MiCombineActiveCrcSortByHash(const void *,const void *)
_MiCombineActiveCrcSortByHash proc near	; DATA XREF: MiProcessCrcList(x,x,x,x)+3DCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	edx, [edx]
		mov	ecx, [ecx]
		pop	ebp
		jmp	_MiCompareActiveCrcEntries@8 ; MiCompareActiveCrcEntries(x,x)
_MiCombineActiveCrcSortByHash endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl MiCombineActiveCrcSortByVa(const void *,const void *)
_MiCombineActiveCrcSortByVa proc near	; DATA XREF: MiProcessCrcList(x,x,x,x):loc_9A0F08o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		mov	ecx, [eax+8]
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		mov	eax, [eax+8]
		cmp	eax, ecx
		jbe	short loc_640046
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
; 

loc_640046:				; CODE XREF: _MiCombineActiveCrcSortByVa+17j
		sbb	eax, eax
		neg	eax
		pop	ebp
		retn
_MiCombineActiveCrcSortByVa endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCombineCandidate(x, x, x)
_MiCombineCandidate@12 proc near	; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+5Dp
					; MiCombinePte(x,x,x)+CDp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ebp+var_4], ecx
		lea	edi, [ebp+var_20]
		push	7
		pop	ecx

loc_640063:				; DATA XREF: .text:005A7B5Ao
		rep movsd

loc_640065:				; DATA XREF: .text:005A6E6Co
		mov	ebx, [ebp+var_C]

loc_640068:				; DATA XREF: .text:004085B8o
					; .text:004085ECo
		mov	eax, ebx
		shr	eax, 10h

loc_64006D:				; DATA XREF: .text:005A7D62o
		and	al, 7
		cmp	al, 1
		jbe	loc_6401CD
		mov	eax, [ebp+var_4]
		mov	edi, [ebp+var_1C]
		cmp	dword ptr [eax], offset	_MiSystemPartition
		jz	short loc_64008E
		test	dl, 1
		jz	loc_6401CD

loc_64008E:				; CODE XREF: MiCombineCandidate(x,x,x)+37j
		lea	ecx, [ebp+var_20]
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_6401CD
		mov	edx, [ebp+var_8]
		test	edx, (offset loc_7FFFFF+1)
		jnz	loc_6401CD
		shr	ebx, 18h
		test	bl, 8
		jnz	loc_6401CD
		lea	eax, [edi+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	loc_6401CD
		mov	eax, 40000000h
		test	[ebp+var_10], eax
		jnz	loc_6401CD
		and	edx, 70000000h
		cmp	edx, eax
		jz	loc_6401CD
		call	_MiIsPfnCommitNotCharged@4 ; MiIsPfnCommitNotCharged(x)
		test	eax, eax
		jnz	loc_6401CD
		mov	ecx, [ebp+arg_0]
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	loc_6401CD
		mov	ebx, [ebp+var_18]
		nop
		mov	esi, [ebp+var_14]
		push	esi
		push	ebx
		mov	[ebp+arg_0], esi
		call	_MiInvalidPteConforms@12 ; MiInvalidPteConforms(x,x,x)
		test	eax, eax
		jz	loc_6401CD
		mov	ecx, ebx
		mov	eax, esi
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		call	_MiValidCombineProtection@4 ; MiValidCombineProtection(x)
		test	eax, eax
		jz	loc_6401CD
		xor	esi, esi
		lea	ecx, [ebp+var_20]
		push	esi
		xor	edx, edx
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		test	eax, eax
		jnz	loc_6401CD
		mov	ecx, edi
		shl	ecx, 9
		cmp	ecx, ds:dword_6D07D0
		jb	short loc_640162
		mov	eax, ecx
		shr	eax, 15h
		movzx	esi, byte ptr ds:dword_6D3994[eax]

loc_640162:				; CODE XREF: MiCombineCandidate(x,x,x)+108j
		mov	eax, ds:_MmHighestUserAddress
		xor	edx, edx
		shr	eax, 9
		inc	edx
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		cmp	edi, eax
		ja	short loc_640187
		cmp	edi, 0C0000000h
		jb	short loc_640187
		mov	esi, edx
		jmp	short loc_6401A8
; 

loc_640187:				; CODE XREF: MiCombineCandidate(x,x,x)+12Dj
					; MiCombineCandidate(x,x,x)+135j
		cmp	esi, 6
		jnz	short loc_640190
		push	2
		jmp	short loc_6401A7
; 

loc_640190:				; CODE XREF: MiCombineCandidate(x,x,x)+13Ej
		cmp	esi, edx
		jz	short loc_640199
		cmp	esi, 0Bh
		jnz	short loc_6401CD

loc_640199:				; CODE XREF: MiCombineCandidate(x,x,x)+146j
		call	_MiIsSessionMetadata@4 ; MiIsSessionMetadata(x)
		test	eax, eax
		jnz	short loc_6401CD
		xor	edx, edx
		push	3
		inc	edx

loc_6401A7:				; CODE XREF: MiCombineCandidate(x,x,x)+142j
		pop	esi

loc_6401A8:				; CODE XREF: MiCombineCandidate(x,x,x)+139j
		mov	al, byte ptr [ebp+var_C+2]
		and	al, 7
		cmp	al, 2
		jb	short loc_6401D6
		cmp	al, 3
		ja	short loc_6401D6
		cmp	word ptr [ebp+var_C], 0
		jnz	short loc_6401D6

loc_6401BC:				; CODE XREF: MiCombineCandidate(x,x,x)+1B5j
		cmp	esi, edx
		jnz	short loc_640203
		push	[ebp+arg_0]
		push	ebx
		call	_MI_IS_RESET_PTE@8 ; MI_IS_RESET_PTE(x,x)
		test	eax, eax
		jz	short loc_640203

loc_6401CD:				; CODE XREF: MiCombineCandidate(x,x,x)+25j
					; MiCombineCandidate(x,x,x)+3Cj ...
		xor	eax, eax

loc_6401CF:				; CODE XREF: MiCombineCandidate(x,x,x)+1B9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_6401D6:				; CODE XREF: MiCombineCandidate(x,x,x)+163j
					; MiCombineCandidate(x,x,x)+167j ...
		cmp	al, 6
		jnz	short loc_6401CD
		test	byte ptr [ebp+var_20], 1
		jz	short loc_6401CD
		mov	eax, [ebp+var_8]
		and	eax, offset loc_7FFFFF
		cmp	eax, (offset loc_7FFFFA+3)
		jz	short loc_6401CD
		cmp	word ptr [ebp+var_C], dx
		jnz	short loc_6401CD
		mov	eax, [ebp+var_10]
		and	eax, 3FFFFFFFh
		cmp	eax, edx
		jnz	short loc_6401CD
		jmp	short loc_6401BC
; 

loc_640203:				; CODE XREF: MiCombineCandidate(x,x,x)+172j
					; MiCombineCandidate(x,x,x)+17Fj
		mov	eax, esi
		jmp	short loc_6401CF
_MiCombineCandidate@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCombinePte(x, x, x)
_MiCombinePte@12 proc near		; DATA XREF: MiCombineWorkingSet(x)+109o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	ecx, [ebp+arg_0]
		sub	esp, 1Ch
		mov	eax, [ecx+10h]
		push	ebx
		push	esi
		push	edi
		cmp	dword ptr [eax+38h], 0
		jnz	loc_6403B7
		mov	edx, large fs:124h
		test	byte ptr [eax+60h], 7
		mov	ebx, [ecx+48h]
		mov	edi, [ebx+0Ch]
		mov	[esp+28h+var_14], edi
		mov	ecx, [edi]
		mov	[esp+28h+var_18], ecx
		jnz	short loc_64026A
		lea	ecx, [eax-240h]
		mov	esi, 0C00h
		mov	eax, [ecx+0FCh]
		and	eax, esi
		cmp	eax, esi
		jb	loc_6403B7
		call	_MiIsStoreProcess@4 ; MiIsStoreProcess(x)
		test	eax, eax
		jnz	loc_6403B7

loc_64026A:				; CODE XREF: MiCombinePte(x,x,x)+39j
		cmp	[ebp+arg_8], 1
		jge	loc_640361
		mov	esi, [ebp+arg_4]
		and	[esp+28h+var_8], 0
		mov	ecx, [esi]
		mov	[esp+28h+var_10], ecx
		nop
		mov	eax, [esi+4]
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		mov	[esp+28h+var_8], ecx
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[esp+28h+var_C], ecx
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_640361
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_6402BC
		cmp	dword ptr [eax+4], 0
		jnz	short loc_6402C6

loc_6402BC:				; CODE XREF: MiCombinePte(x,x,x)+ADj
		mov	eax, [edx+2FCh]
		test	al, 1
		jz	short loc_6402CD

loc_6402C6:				; CODE XREF: MiCombinePte(x,x,x)+B3j
		push	4
		jmp	loc_6403B9
; 

loc_6402CD:				; CODE XREF: MiCombinePte(x,x,x)+BDj
		push	ecx
		mov	ecx, [esp+2Ch+var_18]
		xor	edx, edx
		call	_MiCombineCandidate@12 ; MiCombineCandidate(x,x,x)
		test	eax, eax
		jz	loc_640361
		mov	eax, [edi+0Ch]
		inc	dword ptr [eax+8]
		mov	edi, [ebx+4]
		mov	eax, [esp+28h+var_10]
		shl	edi, 5
		and	eax, 20h
		add	edi, [ebx+10h]
		or	eax, 0
		jz	short loc_640313
		and	esi, 0FFFFFFF8h
		shl	esi, 9
		mov	ecx, esi
		call	_MiComputeHash64@4 ; MiComputeHash64(x)
		mov	[edi], eax
		mov	[edi+4], edx
		jmp	loc_640393
; 

loc_640313:				; CODE XREF: MiCombinePte(x,x,x)+F3j
		xor	edx, edx
		mov	ecx, offset dword_6D35E0
		inc	edx
		call	MiReservePtes
		mov	[esp+28h+var_10], eax
		test	eax, eax
		jz	short loc_640361
		mov	esi, [esp+28h+var_14]
		mov	ecx, [esi+8]
		mov	edx, ecx
		mov	[esp+28h+var_14], ecx
		mov	[ecx+24h], eax
		mov	eax, [esp+28h+var_C]
		mov	[ecx+20h], eax
		xor	eax, eax
		mov	ecx, [esp+28h+var_18]
		push	eax
		push	eax
		push	eax
		call	_MiMapArbitraryPage@20 ; MiMapArbitraryPage(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_640365
		mov	edx, [esp+28h+var_10]
		mov	ecx, offset dword_6D35E0
		push	1
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_640361:				; CODE XREF: MiCombinePte(x,x,x)+67j
					; MiCombinePte(x,x,x)+A2j ...
		xor	eax, eax
		jmp	short loc_6403BA
; 

loc_640365:				; CODE XREF: MiCombinePte(x,x,x)+148j
		mov	edx, [esp+28h+var_14]
		mov	ecx, esi
		push	edi
		push	0
		call	_MiPerformCombineScan@16 ; MiPerformCombineScan(x,x,x,x)
		mov	ecx, [esp+28h+var_14]
		mov	esi, eax
		call	_MiReleaseArbitraryPage@4 ; MiReleaseArbitraryPage(x)
		mov	edx, [esp+28h+var_10]
		mov	ecx, offset dword_6D35E0
		push	1
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		cmp	esi, 1
		jnz	short loc_640361

loc_640393:				; CODE XREF: MiCombinePte(x,x,x)+107j
		mov	eax, [esp+2Ch+var_C]
		and	dword ptr [edi+0Ch], 0
		and	dword ptr [edi+18h], 0
		mov	[edi+8], eax
		inc	dword ptr [ebx+4]
		mov	eax, [ebx+4]
		cmp	eax, [ebx+8]
		jnz	short loc_640361
		push	[ebp+arg_0]
		call	_MiCombineWorkingSetTail@4 ; MiCombineWorkingSetTail(x)
		jmp	short loc_6403BA
; 

loc_6403B7:				; CODE XREF: MiCombinePte(x,x,x)+18j
					; MiCombinePte(x,x,x)+50j ...
		push	3

loc_6403B9:				; CODE XREF: MiCombinePte(x,x,x)+C1j
		pop	eax

loc_6403BA:				; CODE XREF: MiCombinePte(x,x,x)+15Cj
					; MiCombinePte(x,x,x)+1AEj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MiCombinePte@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCombineWorkingSet(x)
_MiCombineWorkingSet@4 proc near	; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+1F3p

var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_53		= byte ptr -53h
var_52		= byte ptr -52h
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_74]
		stosd
		mov	ebx, ecx
		push	4Ch		; size_t
		push	0		; int
		mov	[ebp+var_5C], ebx
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_58]
		push	eax		; void *
		call	_memset
		mov	edi, [ebx+10h]
		add	esp, 0Ch
		mov	eax, [ebx+20h]
		mov	[ebp+var_60], eax
		test	byte ptr [edi+60h], 7
		jnz	short loc_64040E
		lea	esi, [edi-240h]
		jmp	short loc_640410
; 

loc_64040E:				; CODE XREF: MiCombineWorkingSet(x)+41j
		xor	esi, esi

loc_640410:				; CODE XREF: MiCombineWorkingSet(x)+49j
		mov	ecx, edi
		xor	ebx, ebx
		call	MiLockWorkingSetShared
		mov	[ebp+var_52], al
		test	esi, esi
		jz	short loc_640441
		mov	eax, [esi+0FCh]
		mov	ecx, 0C00h
		and	eax, ecx
		cmp	eax, ecx
		jb	short loc_640477
		cmp	[edi+38h], ebx
		jnz	short loc_640477
		mov	ecx, esi
		call	_MiIsStoreProcess@4 ; MiIsStoreProcess(x)
		test	eax, eax
		jnz	short loc_640477

loc_640441:				; CODE XREF: MiCombineWorkingSet(x)+5Bj
		mov	esi, [edi+4Ch]
		test	esi, esi
		jz	short loc_640477
		shl	esi, 5
		add	esi, 0FFFh
		and	esi, 0FFFFF000h

loc_640457:				; CODE XREF: MiCombineWorkingSet(x)+B2j
		push	0
		push	40h
		mov	edx, 6D75534Dh
		mov	ecx, esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_6404A4
		shr	esi, 1
		cmp	esi, 10000h
		jnb	short loc_640457

loc_640477:				; CODE XREF: MiCombineWorkingSet(x)+6Cj
					; MiCombineWorkingSet(x)+71j ...
		push	3
		pop	esi

loc_64047A:				; CODE XREF: MiCombineWorkingSet(x)+126j
		mov	dl, [ebp+var_52]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_5C]
		call	_MiFreeCombineMdls@4 ; MiFreeCombineMdls(x)
		test	ebx, ebx
		jz	short loc_640498
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_640498:				; CODE XREF: MiCombineWorkingSet(x)+CBj
		cmp	esi, 4
		jnz	short loc_6404EB
		mov	eax, 0C0000240h
		jmp	short loc_6404ED
; 

loc_6404A4:				; CODE XREF: MiCombineWorkingSet(x)+A8j
		mov	eax, [ebp+var_5C]
		lea	ecx, [ebp+var_58]
		or	[ebp+var_40], 0FFFFFFFFh
		mov	[ebp+var_68], eax
		mov	eax, [ebp+var_60]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_74]
		push	6
		mov	[ebp+var_10], eax
		shr	esi, 5
		pop	eax
		mov	[ebp+var_6C], esi
		mov	[ebp+var_64], ebx
		mov	[ebp+var_48], edi
		mov	[ebp+var_18], offset _MiCombinePte@12 ;	MiCombinePte(x,x,x)
		mov	[ebp+var_14], offset _MiCombineWorkingSetTail@4	; MiCombineWorkingSetTail(x)
		mov	word ptr [ebp+var_58], ax
		mov	[ebp+var_53], 7
		call	MiWalkPageTables
		mov	esi, eax
		jmp	short loc_64047A
; 

loc_6404EB:				; CODE XREF: MiCombineWorkingSet(x)+D8j
		xor	eax, eax

loc_6404ED:				; CODE XREF: MiCombineWorkingSet(x)+DFj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiCombineWorkingSet@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCombineWorkingSetTail(x)
_MiCombineWorkingSetTail@4 proc	near	; CODE XREF: MiCombinePte(x,x,x)+1A9p
					; DATA XREF: MiCombineWorkingSet(x)+110o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	esi, [ecx+48h]
		cmp	dword ptr [esi+4], 0
		jz	short loc_640546
		call	MiReleaseWalkLocks
		mov	eax, large fs:124h
		mov	edx, [esi+10h]	; void *
		mov	ecx, [esi+0Ch]	; int
		mov	eax, [eax+16Ch]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		push	eax		; int
		push	dword ptr [esi+4] ; size_t
		call	_MiProcessCrcList@16 ; MiProcessCrcList(x,x,x,x)
		and	dword ptr [esi+4], 0

loc_640546:				; CODE XREF: MiCombineWorkingSetTail(x)+10j
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
_MiCombineWorkingSetTail@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCombiningInProgress(x, x,	x)
_MiCombiningInProgress@12 proc near	; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+164p
					; MiCombineIdenticalPages(x,x,x,x,x,x)+255p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		push	offset unk_6D2F80
		mov	[ebp+var_8], esi
		mov	eax, [edi]
		mov	[ebp+var_C], eax
		call	ExAcquireSpinLockExclusive
		cmp	[ebp+arg_0], 1
		mov	bl, al
		mov	[ebp+var_1], bl
		jnz	loc_64064E
		inc	dword ptr [edi+20h]
		inc	ds:dword_6D2F84
		cmp	ds:dword_6D2F98, 0
		jnz	short loc_6405DD

loc_64058F:				; CODE XREF: MiCombiningInProgress(x,x,x)+6Bj
					; MiCombiningInProgress(x,x,x)+6Fj
		mov	eax, ds:_PsNextSecurityDomain
		mov	esi, offset _PsNextSecurityDomain
		mov	edi, ds:dword_6B5BC4
		mov	ebx, eax
		add	ebx, 1
		mov	[ebp+arg_0], eax
		mov	ecx, edi
		mov	edx, edi
		adc	ecx, 0
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+arg_0]
		cmp	eax, ecx
		jnz	short loc_64058F
		cmp	edx, edi
		jnz	short loc_64058F
		mov	esi, [ebp+var_8]
		xor	eax, eax
		mov	bl, [ebp+var_1]
		inc	eax
		add	ecx, eax
		mov	ds:dword_6D2F98, eax
		mov	ds:dword_6D2F90, ecx
		adc	edi, 0
		mov	ds:dword_6D2F94, edi

loc_6405DD:				; CODE XREF: MiCombiningInProgress(x,x,x)+40j
		mov	edx, large fs:124h
		xor	eax, eax
		push	0Ah
		pop	ecx
		mov	edi, esi
		rep stosd
		mov	eax, [ebp+var_C]
		add	eax, 0E24h
		mov	[esi+14h], edx
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_6406AB
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[ecx+4], esi
		mov	[eax], esi
		mov	ecx, ds:dword_6D2F88
		mov	byte ptr [ebp+arg_0], 0
		test	ecx, ecx
		jz	short loc_64063A

loc_64061B:				; CODE XREF: MiCombiningInProgress(x,x,x)+E7j
		cmp	edx, [ecx+0Ch]
		jnb	short loc_64062B
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_640632
		mov	byte ptr [ebp+arg_0], al
		jmp	short loc_64063A
; 

loc_64062B:				; CODE XREF: MiCombiningInProgress(x,x,x)+D1j
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_640636

loc_640632:				; CODE XREF: MiCombiningInProgress(x,x,x)+D7j
		mov	ecx, eax
		jmp	short loc_64061B
; 

loc_640636:				; CODE XREF: MiCombiningInProgress(x,x,x)+E3j
		mov	byte ptr [ebp+arg_0], 1

loc_64063A:				; CODE XREF: MiCombiningInProgress(x,x,x)+CCj
					; MiCombiningInProgress(x,x,x)+DCj
		lea	eax, [esi+8]
		push	eax
		push	[ebp+arg_0]
		push	ecx
		push	offset dword_6D2F88
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		jmp	short loc_640692
; 

loc_64064E:				; CODE XREF: MiCombiningInProgress(x,x,x)+2Aj
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_6406AB
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_6406AB
		mov	[ecx], eax
		mov	[eax+4], ecx
		lea	eax, [esi+8]
		push	eax
		push	offset dword_6D2F88
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		dec	dword ptr [edi+20h]
		cmp	ds:dword_6D2F84, 1
		jnz	short loc_64068C
		inc	ds:dword_6D06D8
		push	2
		pop	edx
		push	4
		pop	ecx
		call	KeFlushTb

loc_64068C:				; CODE XREF: MiCombiningInProgress(x,x,x)+12Cj
		dec	ds:dword_6D2F84

loc_640692:				; CODE XREF: MiCombiningInProgress(x,x,x)+FFj
		push	offset unk_6D2F80
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_6406AB:				; CODE XREF: MiCombiningInProgress(x,x,x)+B0j
					; MiCombiningInProgress(x,x,x)+106j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_MiCombiningInProgress@12 endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall MiCompareActiveCrcEntries(x, x)
_MiCompareActiveCrcEntries@8 proc near	; CODE XREF: _MiCombineActiveCrcSortByHash+10j
					; MiProcessCrcList(x,x,x,x)+425p ...
		mov	eax, [edx]
		push	ebx
		mov	ebx, [ecx+4]
		push	esi
		mov	esi, [ecx]
		push	edi
		mov	edi, [edx+4]
		cmp	ebx, edi
		ja	short loc_64071F
		jb	short loc_64071A
		cmp	esi, eax
		ja	short loc_64071F
		cmp	ebx, edi
		jb	short loc_64071A
		ja	short loc_6406D1
		cmp	esi, eax
		jb	short loc_64071A

loc_6406D1:				; CODE XREF: MiCompareActiveCrcEntries(x,x)+1Bj
		mov	ebx, [ecx+14h]
		mov	edi, [edx+14h]
		mov	esi, [ecx+10h]
		mov	eax, [edx+10h]
		cmp	ebx, edi
		ja	short loc_64071F
		jb	short loc_64071A
		cmp	esi, eax
		ja	short loc_64071F
		cmp	ebx, edi
		jb	short loc_64071A
		ja	short loc_6406F1
		cmp	esi, eax
		jb	short loc_64071A

loc_6406F1:				; CODE XREF: MiCompareActiveCrcEntries(x,x)+3Bj
		mov	ecx, [ecx+18h]
		mov	esi, 100h
		cmp	ecx, esi
		jb	short loc_640703
		mov	ecx, [ecx+1Ch]
		and	ecx, 1Fh

loc_640703:				; CODE XREF: MiCompareActiveCrcEntries(x,x)+4Bj
		mov	eax, [edx+18h]
		cmp	eax, esi
		jb	short loc_640710
		mov	eax, [eax+1Ch]
		and	eax, 1Fh

loc_640710:				; CODE XREF: MiCompareActiveCrcEntries(x,x)+58j
		cmp	ecx, eax
		ja	short loc_64071F
		jb	short loc_64071A
		xor	eax, eax
		jmp	short loc_640722
; 

loc_64071A:				; CODE XREF: MiCompareActiveCrcEntries(x,x)+11j
					; MiCompareActiveCrcEntries(x,x)+19j ...
		or	eax, 0FFFFFFFFh
		jmp	short loc_640722
; 

loc_64071F:				; CODE XREF: MiCompareActiveCrcEntries(x,x)+Fj
					; MiCompareActiveCrcEntries(x,x)+15j ...
		xor	eax, eax
		inc	eax

loc_640722:				; CODE XREF: MiCompareActiveCrcEntries(x,x)+68j
					; MiCompareActiveCrcEntries(x,x)+6Dj
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiCompareActiveCrcEntries@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiComparePages(x, x)
_MiComparePages@8 proc near		; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+509p
					; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+498p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		mov	[ebp+var_4], 200h
		push	ebx
		push	esi
		push	edi
		lea	ebx, [eax+0FC8h]
		sub	eax, edx
		lea	edi, [edx+0FC0h]
		mov	[ebp+var_8], eax

loc_64074A:				; CODE XREF: MiComparePages(x,x)+B7j
		mov	edx, [edi+3Ch]
		xor	edx, [ebx+34h]
		mov	eax, [edi+34h]
		xor	eax, [ebx+2Ch]
		mov	esi, [edi+38h]
		or	edx, eax
		xor	esi, [ebx+30h]
		mov	ecx, [edi+30h]
		xor	ecx, [ebx+28h]
		mov	eax, [edi+2Ch]
		or	esi, ecx
		xor	eax, [ebx+24h]
		mov	ecx, [edi+28h]
		or	edx, eax
		xor	ecx, [ebx+20h]
		mov	eax, [edi+24h]
		or	esi, ecx
		xor	eax, [ebx+1Ch]
		mov	ecx, [edi+20h]
		or	edx, eax
		xor	ecx, [ebx+18h]
		mov	eax, [edi+1Ch]
		or	esi, ecx
		xor	eax, [ebx+14h]
		mov	ecx, [edi+18h]
		or	edx, eax
		xor	ecx, [ebx+10h]
		mov	eax, [edi+14h]
		or	esi, ecx
		xor	eax, [ebx+0Ch]
		mov	ecx, [edi+10h]
		or	edx, eax
		xor	ecx, [ebx+8]
		mov	eax, [ebp+var_8]
		or	esi, ecx
		mov	ecx, [eax+edi]
		mov	eax, [eax+edi+4]
		xor	ecx, [edi]
		xor	eax, [edi+4]
		or	esi, ecx
		mov	ecx, [edi+8]
		or	edx, eax
		mov	eax, [edi+0Ch]
		xor	ecx, [ebx]
		xor	eax, [ebx+4]
		or	esi, ecx
		or	edx, eax
		or	esi, edx
		jnz	short loc_6407E7
		mov	eax, [ebp+var_4]
		sub	edi, 40h
		sub	eax, 8
		sub	ebx, 40h
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	loc_64074A
		mov	al, 1
		jmp	short loc_6407E9
; 

loc_6407E7:				; CODE XREF: MiComparePages(x,x)+A4j
		xor	al, al

loc_6407E9:				; CODE XREF: MiComparePages(x,x)+BFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiComparePages@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConvertPrivateToProto(x, x, x, x,	x, x, x)
_MiConvertPrivateToProto@28 proc near	; CODE XREF: MiSharePages(x,x,x,x,x)+A6Cp

var_AC		= dword	ptr -0ACh
var_9C		= dword	ptr -9Ch
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B0h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_C]
		and	[ebp+var_58], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, edx
		mov	edx, [ebp+arg_0]
		push	edi
		mov	[ebp+var_4C], eax
		lea	edi, [ebp+var_AC]
		xor	eax, eax
		mov	[ebp+var_30], ecx
		push	6
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		lea	edi, [edx+20h]
		mov	ecx, [ebx]
		mov	[ebp+var_24], ebx
		mov	[ebp+var_60], edi
		mov	eax, [eax+80h]
		mov	[ebp+var_90], eax
		mov	eax, dword ptr ds:byte_70EFC4
		and	eax, 8000001h
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], eax
		nop
		mov	edx, [ebx+4]
		mov	eax, ecx
		mov	[ebp+var_64], eax
		mov	[ebp+var_3C], eax
		mov	eax, edx
		mov	[ebp+var_70], edx
		mov	[ebp+var_34], eax
		mov	[ebp+var_38], eax
		nop
		mov	edx, [ebp+var_24]
		shrd	ecx, eax, 0Ch
		mov	eax, [esi]
		and	ecx, 1FFFFFFh
		shl	edx, 9
		imul	ebx, ecx, 1Ch
		mov	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_2C], edx
		add	ebx, ecx
		mov	[ebp+var_58], ebx
		cmp	eax, 0FFFFFFFFh
		jz	loc_640C71
		imul	eax, 1Ch
		push	edx		; void *
		push	ebx		; void *
		add	eax, ecx
		mov	edx, eax
		mov	[ebp+var_28], eax
		call	_MiFillCombinePage@16 ;	MiFillCombinePage(x,x,x,x)
		test	eax, eax
		jz	loc_640F10
		mov	eax, edi
		mov	edx, 7FFFFFFFh
		and	eax, edx
		xor	esi, esi
		mov	ecx, edi
		mov	[ebp+var_84], eax
		mov	[ebp+var_40], esi
		mov	[ebp+var_44], esi
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		mov	[ebp+var_50], eax
		imul	eax, 1Ch
		mov	[ebp+var_80], esi
		lea	esi, [ebx+10h]
		mov	[ebp+var_74], esi
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_7C], eax
		lock bts dword ptr [esi], 1Fh
		jnb	short loc_64091B

loc_6408F5:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+113j
					; MiConvertPrivateToProto(x,x,x,x,x,x,x)+11Aj
		lea	ecx, [ebp+var_80]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_6408F5
		lock bts dword ptr [esi], 1Fh
		jb	short loc_6408F5
		mov	eax, [ebp+var_38]
		mov	edx, 7FFFFFFFh
		mov	[ebp+var_34], eax
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_64], eax

loc_64091B:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+105j
		mov	eax, [esi]
		xor	edi, edi
		and	eax, 3FFFFFFFh
		inc	edi
		cmp	eax, edi
		jnz	loc_640C69
		cmp	[ebx+14h], di
		jnz	loc_640C69
		cmp	[ebp+var_68], 0
		jz	short loc_64094A
		lea	edx, [ebp+var_AC]
		mov	ecx, ebx
		call	_MiIdentifyPfn@8 ; MiIdentifyPfn(x,x)

loc_64094A:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+14Dj
		mov	ecx, [ebp+var_6C]
		mov	eax, ecx
		and	eax, 42h
		or	eax, 0
		jz	short loc_64096B
		mov	eax, ecx
		mov	ecx, [ebp+var_70]
		and	eax, 0FFFFFFBDh
		mov	[ebp+var_34], ecx
		mov	[ebp+var_64], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], ecx

loc_64096B:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+167j
		mov	al, [ebx+16h]
		mov	[ebp+var_1D], al
		test	al, 10h
		jnz	short loc_64098C
		push	dword ptr [ebx+0Ch]
		push	dword ptr [ebx+8]
		call	_IS_PTE_NOT_DEMAND_ZERO@8 ; IS_PTE_NOT_DEMAND_ZERO(x,x)
		test	eax, eax
		jnz	short loc_64098C
		mov	al, [ebp+var_1D]
		or	al, 10h
		mov	[ebx+16h], al

loc_64098C:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+185j
					; MiConvertPrivateToProto(x,x,x,x,x,x,x)+194j
		lea	esi, [ebx+8]
		mov	eax, [esi]
		mov	ecx, eax
		mov	edx, [esi+4]
		mov	[ebp+var_70], eax
		mov	eax, edx
		shrd	ecx, eax, 1
		mov	[ebp+var_6C], edx
		test	cl, 1
		jz	short loc_6409E2
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	_MI_IS_PTE_IN_WS_SWAP_SET@8 ; MI_IS_PTE_IN_WS_SWAP_SET(x,x)
		test	eax, eax
		jz	short loc_6409CD
		push	edi
		mov	edx, edi
		mov	ecx, esi
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		or	byte ptr [ebx+16h], 10h
		mov	[ebp+var_40], eax
		mov	[ebp+var_44], edx
		jmp	short loc_6409D9
; 

loc_6409CD:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+1C7j
		mov	eax, [ebp+var_70]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_44], eax

loc_6409D9:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+1DDj
		mov	eax, [esi+4]
		and	dword ptr [esi], 0FFFFFFFDh
		mov	[esi+4], eax

loc_6409E2:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+1B7j
		mov	ecx, [ebp+var_28]
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		movzx	edx, byte ptr [ebx+16h]
		mov	ecx, [ebp+var_28]
		push	edi
		shr	edx, 6
		call	_MiFinalizePageAttribute@12 ; MiFinalizePageAttribute(x,x,x)
		mov	edx, ebx
		mov	ebx, [ebp+var_28]
		push	ecx
		mov	ecx, ebx
		call	_MiCopyPfnEntryEx@12 ; MiCopyPfnEntryEx(x,x,x)
		mov	ecx, ebx
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		cmp	eax, 5
		jnb	short loc_640A1D
		mov	al, [ebx+17h]
		and	al, 0FDh
		or	al, 5
		mov	[ebx+17h], al

loc_640A1D:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+223j
		mov	eax, [ebp+var_84]
		mov	ecx, [ebp+var_50]
		mov	[ebx+4], eax
		and	ecx, offset loc_7FFFFF
		mov	eax, [ebx+18h]
		and	eax, 0FF800000h
		or	eax, ecx
		lea	ecx, [ebx+8]
		or	eax, 80000000h
		mov	[ebx+18h], eax
		call	_MI_MAKE_PROTECT_WRITE_COPY@4 ;	MI_MAKE_PROTECT_WRITE_COPY(x)
		lea	eax, [ebx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	edx, [esi]
		mov	ecx, edx
		mov	ebx, [esi+4]
		mov	eax, ebx
		shrd	ecx, eax, 2
		test	cl, 1
		jz	short loc_640A83
		mov	ecx, [ebp+var_40]
		and	edx, 0FFFFFFFBh
		mov	[esi], edx
		mov	eax, ecx
		mov	edx, [ebp+var_44]
		or	eax, edx
		mov	[esi+4], ebx
		jz	short loc_640A83
		and	ecx, 0FFFFFFFBh
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx

loc_640A83:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+276j
					; MiConvertPrivateToProto(x,x,x,x,x,x,x)+28Aj
		mov	ecx, [ebp+arg_10]
		xor	edx, edx
		mov	eax, [ebp+var_64]
		and	ecx, 1FFFFFFh
		mov	ebx, [ebp+var_34]
		and	eax, 0FFFh
		shld	edx, ecx, 0Ch
		and	ebx, 0FFFFFFE0h
		shl	ecx, 0Ch
		or	edx, ebx
		or	ecx, eax
		mov	[ebp+var_38], edx
		mov	eax, ecx
		mov	[ebp+var_3C], ecx
		and	eax, 800h
		or	eax, 0
		jz	short loc_640ACB
		and	ecx, 0FFFFF7FFh
		mov	[ebp+var_38], edx
		or	ecx, 200h
		mov	[ebp+var_3C], ecx

loc_640ACB:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+2C9j
		nop
		mov	edi, [ebp+var_24]

loc_640ACF:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+302j
					; MiConvertPrivateToProto(x,x,x,x,x,x,x)+307j
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_50], ecx
		nop
		mov	ecx, [ebp+var_3C]
		mov	ebx, ecx
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+var_38]
		mov	[ebp+var_28], ecx
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_640ACF
		cmp	edx, [ebp+var_50]
		jnz	short loc_640ACF
		mov	esi, [ebp+var_60]
		xor	ebx, ebx
		mov	ecx, esi
		mov	edx, ebx
		mov	[esi], ebx
		mov	[esi+4], ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		push	1
		pop	edi
		test	eax, eax
		jz	short loc_640B61
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_640B39
		mov	edx, edi
		mov	ecx, [ebp+var_24]
		cmp	byte ptr ds:word_6D07B8+1, bl
		jnz	short loc_640B64
		mov	eax, ecx
		and	eax, edi
		or	eax, ebx
		mov	eax, [ebp+var_28]
		jz	short loc_640B67

loc_640B32:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+371j
		or	eax, 80000000h
		jmp	short loc_640B67
; 

loc_640B39:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+32Aj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_640B61
		mov	ecx, [ebp+var_3C]
		mov	eax, ecx
		and	eax, edi
		or	eax, ebx
		jz	short loc_640B61
		mov	eax, [ebp+var_38]
		jmp	short loc_640B32
; 

loc_640B61:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+321j
					; MiConvertPrivateToProto(x,x,x,x,x,x,x)+361j ...
		mov	ecx, [ebp+var_24]

loc_640B64:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+337j
		mov	eax, [ebp+var_28]

loc_640B67:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+342j
					; MiConvertPrivateToProto(x,x,x,x,x,x,x)+349j
		mov	[esi+4], eax
		nop
		mov	[esi], ecx
		test	edx, edx
		jz	short loc_640B7A
		push	eax
		push	ecx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_640B7A:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+381j
		mov	eax, [ebp+var_74]
		mov	ecx, 7FFFFFFFh
		mov	ebx, [ebp+var_58]
		or	dword ptr [eax], 40000000h
		or	byte ptr [ebx+16h], 7
		lock and [eax],	ecx
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_4C]
		push	0
		push	edi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	ecx, [ebp+var_40]
		mov	eax, ecx
		mov	edx, [ebp+var_44]
		or	eax, edx
		jz	short loc_640BBA
		push	edx
		push	ecx
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		call	MiReleasePageFileInfo

loc_640BBA:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+3BCj
		mov	eax, [ebp+var_7C]
		and	[ebp+var_88], 0
		add	eax, 10h
		mov	[ebp+var_34], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_640BEE
		mov	esi, eax

loc_640BD3:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+3F4j
					; MiConvertPrivateToProto(x,x,x,x,x,x,x)+3FBj
		lea	ecx, [ebp+var_88]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_640BD3
		lock bts dword ptr [esi], 1Fh
		jb	short loc_640BD3
		mov	esi, [ebp+var_60]

loc_640BEE:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+3E1j
		mov	ecx, [ebp+var_7C]
		mov	edx, edi
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, [ebp+var_34]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	ecx, [ebp+var_48]
		mov	edx, edi
		call	MiReturnCommit
		mov	ecx, [ebp+var_48]
		mov	edx, edi
		call	MiReturnResavailToPrcb
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_640C29
		mov	eax, [ebp+var_48]
		add	eax, 1000h
		lock xadd [eax], ecx

loc_640C29:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+42Dj
		cmp	[ebp+var_48], offset _MiSystemPartition
		jnz	short loc_640C3E
		or	eax, 0FFFFFFFFh
		mov	ecx, offset dword_6D3620
		lock xadd [ecx], eax

loc_640C3E:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+442j
		mov	eax, [ebp+var_30]
		test	byte ptr [eax+60h], 7
		jnz	short loc_640C56
		mov	edx, [ebp+var_2C]
		mov	ecx, eax
		push	0
		call	_MiSetWsleProtection@12	; MiSetWsleProtection(x,x,x)
		mov	eax, [ebp+var_30]

loc_640C56:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+457j
		mov	edx, [ebp+var_2C]
		mov	ecx, eax
		push	0
		push	0FFFFFFFFh
		call	_MiUpdateWorkingSetPrivateSize@16 ; MiUpdateWorkingSetPrivateSize(x,x,x,x)
		jmp	loc_640E86
; 

loc_640C69:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+139j
					; MiConvertPrivateToProto(x,x,x,x,x,x,x)+143j
		lock and [esi],	edx
		jmp	loc_640F10
; 

loc_640C71:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+ABj
		xor	edx, edx
		mov	ecx, edi
		call	MiLockProtoPoolPage
		mov	esi, eax
		mov	[ebp+var_58], esi
		test	esi, esi
		jz	loc_640F10
		xor	edx, edx
		mov	ecx, edi
		call	MiLockLeafPage
		mov	edi, eax
		test	edi, edi
		jz	loc_640F07
		test	byte ptr [edi+17h], 40h
		jnz	loc_640EFC
		mov	ecx, edi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	loc_640EFC
		cmp	[ebp+var_48], offset _MiSystemPartition
		jnz	loc_640EFC
		mov	cl, [edi+16h]
		mov	al, cl
		and	al, 7
		cmp	al, 6
		jz	short loc_640CD4
		test	cl, 20h
		jnz	loc_640EFC

loc_640CD4:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+4DBj
		push	80000000h
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		xor	edx, edx
		mov	ecx, eax
		call	MiMapPageInHyperSpaceWorker
		mov	edx, [ebp+var_2C]
		mov	esi, eax
		mov	ecx, esi
		call	_MiComparePages@8 ; MiComparePages(x,x)
		push	80000000h
		mov	dl, 21h
		mov	[ebp+var_1D], al
		mov	ecx, esi
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		cmp	[ebp+var_1D], 1
		jnz	short loc_640D25
		push	0
		mov	ecx, ebx
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		mov	edx, eax
		mov	ecx, edi
		call	_MiUpdatePfnPriority@12	; MiUpdatePfnPriority(x,x,x)

loc_640D25:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+523j
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	ecx, [ebp+var_58]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		cmp	[ebp+var_1D], 0
		jz	loc_640F10
		cmp	ds:dword_6D3154, 0
		mov	edi, [ebp+var_30]
		jz	short loc_640D5A
		mov	edx, [ebp+var_24]
		mov	ecx, edi
		call	MI_WSLE_LOG_ACCESS

loc_640D5A:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+560j
		mov	esi, [ebp+var_60]
		xor	eax, eax
		or	eax, 400h
		push	esi
		push	eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		or	eax, 800h
		mov	[ebp+var_58], edx
		mov	edx, [ebp+var_2C]
		mov	ecx, edi
		mov	[ebp+var_74], eax
		call	MiLocateWsle
		and	[ebp+var_78], 0
		lea	edi, [ebx+10h]
		mov	al, [eax]
		mov	byte ptr [ebp+var_50], al
		jmp	short loc_640D9C
; 

loc_640D8E:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+5ACj
					; MiConvertPrivateToProto(x,x,x,x,x,x,x)+5B3j
		lea	ecx, [ebp+var_78]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_640D8E

loc_640D9C:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+59Ej
		lock bts dword ptr [edi], 1Fh
		jb	short loc_640D8E
		mov	eax, [edi]
		xor	edi, edi
		and	eax, 3FFFFFFFh
		inc	edi
		cmp	eax, edi
		jnz	loc_640EEF
		cmp	[ebx+14h], di
		jnz	loc_640EEF
		push	[ebp+var_58]
		mov	ecx, [ebp+var_24]
		push	[ebp+var_74]
		call	_MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED@12 ; MI_WRITE_INVALID_PTE_TB_FLUSH_NEEDED(x,x,x)
		cmp	[ebp+var_68], 0
		mov	[ebp+var_58], eax
		jz	short loc_640DE3
		lea	edx, [ebp+var_AC]
		mov	ecx, ebx
		call	_MiIdentifyPfn@8 ; MiIdentifyPfn(x,x)

loc_640DE3:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+5E6j
		mov	ecx, [ebx+18h]
		lea	eax, [ebx+10h]
		or	dword ptr [eax], 40000000h
		and	ecx, offset loc_7FFFFF
		or	byte ptr [ebx+16h], 7
		mov	[ebp+var_78], ecx
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		cmp	[ebp+var_58], edi
		jnz	short loc_640E17
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_4C]
		push	0
		push	edi
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_640E17:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+619j
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_30]
		push	edi
		push	0Ah
		push	[ebp+var_50]
		push	edi
		call	MiRemoveWsle
		imul	eax, [ebp+var_78], 1Ch
		and	[ebp+var_8C], 0
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_58], eax
		add	eax, 10h
		mov	[ebp+var_4C], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_640E67
		mov	esi, eax

loc_640E4C:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+66Dj
					; MiConvertPrivateToProto(x,x,x,x,x,x,x)+674j
		lea	ecx, [ebp+var_8C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_640E4C
		lock bts dword ptr [esi], 1Fh
		jb	short loc_640E4C
		mov	esi, [ebp+var_60]

loc_640E67:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+65Aj
		mov	ecx, [ebp+var_58]
		call	MiDecrementShareCount
		mov	eax, [ebp+var_4C]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_24]
		push	esi
		call	_MiResolveProtoCombine@12 ; MiResolveProtoCombine(x,x,x)

loc_640E86:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+476j
		mov	eax, [ebp+var_30]
		test	byte ptr [eax+60h], 7
		jnz	short loc_640EA1
		mov	eax, [ebp+var_90]
		or	ecx, 0FFFFFFFFh
		add	eax, 14Ch
		lock xadd [eax], ecx

loc_640EA1:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+69Fj
		cmp	[ebp+var_68], 0
		jz	short loc_640EEB
		cmp	[ebp+arg_10], 0FFFFFFFFh
		jz	short loc_640EB1
		or	esi, edi
		jmp	short loc_640EB4
; 

loc_640EB1:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+6BDj
		and	esi, 0FFFFFFFEh

loc_640EB4:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+6C1j
		and	[ebp+var_18], 0
		lea	eax, [ebp+var_AC]
		and	[ebp+var_10], 0
		lea	ecx, [ebp+var_1C]
		push	11401B02h
		push	27Ah
		push	28000001h
		mov	edx, edi
		mov	[ebp+var_9C], esi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], 18h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_640EEB:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+6B7j
		mov	eax, ebx
		jmp	short loc_640F12
; 

loc_640EEF:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+5C1j
					; MiConvertPrivateToProto(x,x,x,x,x,x,x)+5CBj
		lea	eax, [ebx+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		jmp	short loc_640F10
; 

loc_640EFC:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+4B0j
					; MiConvertPrivateToProto(x,x,x,x,x,x,x)+4BFj ...
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx

loc_640F07:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+4A6j
		mov	dl, 21h
		mov	ecx, esi
		call	MiUnlockProtoPoolPage

loc_640F10:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+C4j
					; MiConvertPrivateToProto(x,x,x,x,x,x,x)+47Ej ...
		xor	eax, eax

loc_640F12:				; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+6FFj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_MiConvertPrivateToProto@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConvertStandbyToProto(x, x, x, x,	x, x, x, x)
_MiConvertStandbyToProto@32 proc near	; CODE XREF: MiSharePages(x,x,x,x,x)+D19p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		push	50h
		push	offset dword_6A8B20
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	[ebp+var_28], ecx
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	eax, [ebp+arg_8]
		lea	esi, [eax+20h]
		mov	[ebp+var_34], esi
		mov	edi, [eax+1Ch]
		and	edi, 1Fh
		mov	[ebp+var_3C], edi
		mov	ecx, esi
		call	_MiMakePrototypePteDirect@4 ; MiMakePrototypePteDirect(x)
		or	eax, 800h
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], edx
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+1Ch]
		shl	eax, 9
		mov	[ebp+arg_8], eax
		mov	ecx, [ebp+var_24]
		mov	ecx, [ecx]
		mov	[ebp+var_38], ecx
		mov	ecx, [ebp+arg_14]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_6412E6
		imul	edx, ecx, 1Ch
		add	edx, ds:_MmPfnDatabase
		mov	[ebp+var_2C], edx
		mov	[ebp+var_20], edx
		push	eax		; void *
		mov	esi, [ebp+arg_C]
		push	esi		; void *
		call	_MiFillCombinePage@16 ;	MiFillCombinePage(x,x,x,x)
		test	eax, eax
		jz	loc_641588
		mov	edx, edi
		mov	ecx, [ebp+arg_14]
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	[ebp+var_48], eax
		mov	[ebp+var_4C], edx
		mov	ecx, [ebp+var_34]
		mov	eax, ecx
		mov	edi, 7FFFFFFFh
		and	eax, edi
		mov	[ebp+var_44], eax
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ebx
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		mov	[ebp+var_30], eax
		mov	[ebp+var_40], ebx
		lea	eax, [esi+10h]
		mov	[ebp+arg_8], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_640FFC
		mov	esi, eax

loc_640FDE:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+C7j
					; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+CEj
		lea	ecx, [ebp+var_40]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_640FDE
		lock bts dword ptr [esi], 1Fh
		jb	short loc_640FDE
		mov	edx, [ebp+var_20]
		mov	[ebp+var_2C], edx
		mov	esi, [ebp+arg_C]

loc_640FFC:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+B7j
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+1Ch]
		mov	eax, [eax]
		and	eax, 1
		or	eax, ebx
		jz	loc_6412DB
		mov	al, [esi+16h]
		and	al, 7
		sub	al, 2
		cmp	al, 1
		ja	loc_6412DB
		mov	eax, [esi+4]
		or	eax, 80000000h
		cmp	[ebp+arg_10], eax
		jnz	loc_6412DB
		push	[ebp+var_28]
		push	esi
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_24]
		call	_MiRecheckCombineVm@16 ; MiRecheckCombineVm(x,x,x,x)
		test	eax, eax
		jz	loc_6412DB
		lea	ebx, [esi+8]
		mov	ecx, [ebx]
		mov	eax, [ebx+4]
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		cmp	ecx, [ebp+var_3C]
		jnz	loc_6412DB
		xor	edx, edx
		mov	ecx, esi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		test	eax, eax
		jnz	short loc_64107C
		xor	edx, edx
		mov	ecx, esi
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)
		lea	eax, [esi+10h]
		jmp	loc_6412DE
; 

loc_64107C:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+146j
		mov	al, [esi+16h]
		mov	byte ptr [ebp+arg_0+3],	al
		test	al, 10h
		jnz	short loc_64109C
		push	dword ptr [ebx+4]
		push	dword ptr [ebx]
		call	_IS_PTE_NOT_DEMAND_ZERO@8 ; IS_PTE_NOT_DEMAND_ZERO(x,x)
		test	eax, eax
		jnz	short loc_64109C
		mov	al, byte ptr [ebp+arg_0+3]
		or	al, 10h
		mov	[esi+16h], al

loc_64109C:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+161j
					; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+16Fj
		xor	dl, dl
		mov	byte ptr [ebp+arg_0+3],	dl
		mov	eax, [ebx]
		mov	[ebp+arg_4], eax
		mov	ecx, [ebx+4]
		mov	[ebp+arg_10], ecx
		mov	ecx, eax
		mov	eax, [ebp+arg_10]
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_6410DF
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	_MI_IS_PTE_IN_WS_SWAP_SET@8 ; MI_IS_PTE_IN_WS_SWAP_SET(x,x)
		test	eax, eax
		jnz	short loc_6410D6
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_58], ecx
		mov	ecx, [ebp+arg_10]
		mov	[ebp+var_54], ecx

loc_6410D6:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+1A5j
		mov	byte ptr [ebp+arg_0+3],	1
		test	eax, eax
		setnz	dl

loc_6410DF:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+195j
		test	dl, dl
		jz	short loc_6410F9
		push	1
		xor	edx, edx
		inc	edx
		mov	ecx, ebx
		call	_MiCapturePageFileInfoInline@12	; MiCapturePageFileInfoInline(x,x,x)
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], edx
		or	byte ptr [esi+16h], 10h

loc_6410F9:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+1BEj
		cmp	byte ptr [ebp+arg_0+3],	0
		jz	short loc_641108
		and	dword ptr [ebx], 0FFFFFFFDh
		mov	eax, [ebx+4]
		mov	[ebx+4], eax

loc_641108:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+1DAj
		imul	esi, [ebp+var_30], arg_14
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		xor	edx, edx
		inc	edx
		mov	ecx, esi
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		lea	eax, [esi+10h]
		lock and [eax],	edi
		mov	ebx, [ebp+var_2C]
		mov	ecx, ebx
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		push	1
		mov	esi, [ebp+arg_C]
		movzx	edx, byte ptr [esi+16h]
		shr	edx, 6
		mov	ecx, ebx
		call	_MiFinalizePageAttribute@12 ; MiFinalizePageAttribute(x,x,x)
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_MiCopyPfnEntryEx@12 ; MiCopyPfnEntryEx(x,x,x)
		mov	ecx, ebx
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		cmp	eax, 5
		jnb	short loc_641166
		mov	al, [ebx+17h]
		and	al, 0FDh
		or	al, 5
		mov	[ebx+17h], al

loc_641166:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+237j
		mov	eax, [ebp+var_44]
		mov	[ebx+4], eax
		mov	eax, [ebx+18h]
		and	eax, 0FF800000h
		mov	edi, offset loc_7FFFFF
		mov	ecx, [ebp+var_30]
		and	ecx, edi
		or	eax, ecx
		or	eax, 80000000h
		mov	[ebx+18h], eax
		lea	eax, [ebx+10h]
		mov	[ebp+arg_10], eax
		and	dword ptr [eax], 0C0000000h
		lea	ecx, [ebx+8]
		call	_MI_MAKE_PROTECT_WRITE_COPY@4 ;	MI_MAKE_PROTECT_WRITE_COPY(x)
		mov	eax, [ebp+var_34]
		and	dword ptr [eax], 0
		and	dword ptr [eax+4], 0
		mov	ecx, [ebp+var_48]
		mov	[eax], ecx
		nop
		mov	ecx, [ebp+var_4C]
		mov	[eax+4], ecx
		mov	eax, [esi+18h]
		and	eax, edi
		mov	[ebp+arg_4], eax
		push	80000000h
		xor	edx, edx
		mov	ecx, eax
		call	MiMapPageInHyperSpaceWorker
		mov	edi, [esi+4]
		and	edi, 0FFFh
		add	edi, eax
		nop

loc_6411D4:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+2CAj
					; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+2CFj
		mov	esi, [edi]
		mov	ecx, [edi+4]
		mov	[ebp+arg_0], ecx
		mov	eax, esi
		mov	edx, ecx
		nop
		mov	ebx, [ebp+var_60]
		mov	ecx, [ebp+var_5C]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_6411D4
		cmp	edx, [ebp+arg_0]
		jnz	short loc_6411D4
		push	80000000h
		mov	dl, 21h
		mov	ecx, edi
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	esi, [ebp+arg_8]
		or	dword ptr [esi], 40000000h
		mov	edx, [ebp+arg_14]
		mov	ecx, [ebp+var_20]
		call	MiPfnReferenceCountIsZero
		mov	edi, 7FFFFFFFh
		mov	eax, [ebp+arg_10]
		lock and [eax],	edi
		mov	ebx, [ebp+arg_C]
		mov	edx, [ebx+8]
		mov	eax, [ebx+0Ch]
		mov	[ebp+arg_C], eax
		mov	ecx, edx
		shrd	ecx, eax, 2
		test	cl, 1
		jz	short loc_641252
		and	edx, 0FFFFFFFBh
		mov	[ebx+8], edx
		mov	[ebx+0Ch], eax
		mov	ecx, [ebp+var_58]
		mov	edx, [ebp+var_54]
		or	ecx, edx
		jz	short loc_641252
		and	[ebp+var_58], 0FFFFFFFBh
		mov	[ebp+var_54], edx

loc_641252:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+313j
					; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+326j
		and	dword ptr [esi], 0C0000000h
		mov	eax, ebx
		sub	eax, ds:_MmPfnDatabase
		cdq
		push	1Ch
		pop	ecx
		idiv	ecx
		mov	edx, eax
		mov	ecx, ebx
		call	MiPfnReferenceCountIsZero
		lock and [esi],	edi
		xor	edx, edx
		inc	edx
		mov	ebx, offset _MiSystemPartition
		mov	ecx, ebx
		call	MiReturnCommit
		xor	edx, edx
		inc	edx
		mov	ecx, ebx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_641298
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_641298:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+36Aj
		cmp	[ebp+var_38], ebx
		jnz	short loc_6412A9
		or	eax, 0FFFFFFFFh
		mov	ecx, offset dword_6D3620
		lock xadd [ecx], eax

loc_6412A9:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+378j
		imul	ecx, [ebp+arg_4], arg_14
		add	ecx, ds:_MmPfnDatabase
		xor	edx, edx
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		mov	ecx, [ebp+var_58]
		mov	eax, ecx
		mov	edx, [ebp+var_54]
		or	eax, edx
		jz	loc_641533
		push	edx
		push	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, ebx
		call	MiReleasePageFileInfo
		jmp	loc_641533
; 

loc_6412DB:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+E6j
					; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+F5j	...
		mov	eax, [ebp+arg_8]

loc_6412DE:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+154j
					; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+64Ej
		lock and [eax],	edi
		jmp	loc_641588
; 

loc_6412E6:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+55j
		xor	edx, edx
		mov	ecx, esi
		call	MiLockProtoPoolPage
		mov	edi, eax
		mov	[ebp+arg_14], edi
		test	edi, edi
		jz	loc_641588
		mov	ebx, [ebp+arg_C]
		lea	eax, [ebx+10h]
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_641317
		mov	dl, 21h
		mov	ecx, edi
		call	MiUnlockProtoPoolPage
		jmp	loc_641588
; 

loc_641317:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+3E4j
		mov	eax, [ebx+4]
		or	eax, 80000000h
		cmp	[ebp+arg_10], eax
		jnz	loc_641576
		push	[ebp+var_28]
		push	ebx
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_24]
		call	_MiRecheckCombineVm@16 ; MiRecheckCombineVm(x,x,x,x)
		test	eax, eax
		jz	loc_641576
		lea	eax, [ebp+var_20]
		push	eax
		mov	ecx, esi
		call	MiTryLockLeafPage
		mov	esi, [ebp+var_20]
		test	esi, esi
		jz	loc_641576
		test	byte ptr [esi+17h], 40h
		jnz	loc_64155B
		mov	ecx, esi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	loc_64155B
		cmp	[ebp+var_38], offset _MiSystemPartition
		jnz	loc_64155B
		mov	cl, [esi+16h]
		mov	al, cl
		and	al, 7
		cmp	al, 6
		jz	short loc_64138F
		test	cl, 20h
		jnz	loc_64155B

loc_64138F:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+461j
		push	80000000h
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		cdq
		push	1Ch
		pop	edi
		idiv	edi
		xor	edx, edx
		mov	ecx, eax
		call	MiMapPageInHyperSpaceWorker
		mov	[ebp+arg_10], eax
		mov	[ebp+var_19], 0
		and	[ebp+ms_exc.disabled], 0
		mov	edx, [ebp+arg_8]
		mov	ecx, eax
		call	_MiComparePages@8 ; MiComparePages(x,x)
		mov	[ebp+var_19], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_6413E0
; 

loc_6413CC:				; DATA XREF: .text:006A8B34o
		xor	eax, eax
		inc	eax
		retn
; 

loc_6413D0:				; DATA XREF: .text:006A8B38o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_20]
		mov	ebx, [ebp+arg_C]

loc_6413E0:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+4A7j
		push	80000000h
		mov	dl, 21h
		mov	ecx, [ebp+arg_10]
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		cmp	[ebp+var_19], 0
		jz	loc_64155B
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+1Ch]
		mov	eax, [eax]
		and	eax, 1
		or	eax, 0
		jz	loc_64155B
		lea	edi, [ebx+10h]
		mov	[ebp+arg_0], edi
		mov	ecx, [ebx+8]
		mov	eax, [ebx+0Ch]
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		cmp	ecx, [ebp+var_3C]
		jz	short loc_641443
		mov	edi, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	edi
		mov	ecx, [ebp+arg_14]
		call	_MiUnlockNestedProtoPoolPage@4 ; MiUnlockNestedProtoPoolPage(x)

loc_641438:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+549j
		mov	ebx, [ebp+arg_0]
		lock and [ebx],	edi
		jmp	loc_641588
; 

loc_641443:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+500j
		xor	edx, edx
		mov	ecx, ebx
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		test	eax, eax
		jnz	short loc_64146E
		mov	edi, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	edi
		mov	ecx, [ebp+arg_14]
		call	_MiUnlockNestedProtoPoolPage@4 ; MiUnlockNestedProtoPoolPage(x)
		xor	edx, edx
		mov	ecx, ebx
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)
		jmp	short loc_641438
; 

loc_64146E:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+52Bj
		and	dword ptr [edi], 0C0000000h
		mov	ecx, ebx
		call	_MiGetPfnPriority@4 ; MiGetPfnPriority(x)
		push	0
		mov	edx, eax
		mov	ecx, esi
		call	_MiUpdatePfnPriority@12	; MiUpdatePfnPriority(x,x,x)
		mov	edi, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	edi
		mov	ecx, [ebp+arg_14]
		call	_MiUnlockNestedProtoPoolPage@4 ; MiUnlockNestedProtoPoolPage(x)
		mov	eax, [ebx+18h]
		and	eax, offset loc_7FFFFF
		mov	[ebp+arg_10], eax
		push	80000000h
		xor	edx, edx
		mov	ecx, eax
		call	MiMapPageInHyperSpaceWorker
		mov	edi, [ebx+4]
		and	edi, 0FFFh
		add	edi, eax
		nop

loc_6414BE:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+5B4j
					; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+5B9j
		mov	esi, [edi]
		mov	ecx, [edi+4]
		mov	[ebp+arg_14], ecx
		mov	eax, esi
		mov	edx, ecx
		nop
		mov	ebx, [ebp+var_60]
		mov	ecx, [ebp+var_5C]
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_6414BE
		cmp	edx, [ebp+arg_14]
		jnz	short loc_6414BE
		push	80000000h
		mov	dl, 21h
		mov	ecx, edi
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	ebx, [ebp+arg_0]
		or	dword ptr [ebx], 40000000h
		mov	ecx, [ebp+arg_C]
		mov	eax, ecx
		sub	eax, ds:_MmPfnDatabase
		cdq
		push	1Ch
		pop	esi
		idiv	esi
		mov	edx, eax
		call	MiPfnReferenceCountIsZero
		imul	esi, [ebp+arg_10], arg_14
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	ecx, esi
		call	MiDecrementShareCount
		lea	eax, [esi+10h]
		mov	edi, 7FFFFFFFh
		lock and [eax],	edi
		lock and [ebx],	edi

loc_641533:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+3A1j
					; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+3B3j
		mov	eax, [ebp+var_28]
		test	byte ptr [eax+60h], 7
		jnz	short loc_641556
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		add	ecx, 14Ch
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax

loc_641556:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+617j
		xor	eax, eax
		inc	eax
		jmp	short loc_64158A
; 

loc_64155B:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+436j
					; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+445j ...
		mov	edi, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	edi
		mov	ecx, [ebp+arg_14]
		call	_MiUnlockNestedProtoPoolPage@4 ; MiUnlockNestedProtoPoolPage(x)
		lea	eax, [ebx+10h]
		jmp	loc_6412DE
; 

loc_641576:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+3FFj
					; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+416j ...
		mov	ecx, edi
		call	_MiUnlockNestedProtoPoolPage@4 ; MiUnlockNestedProtoPoolPage(x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [ebx+10h]
		lock and [eax],	ecx

loc_641588:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+76j
					; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+3BEj ...
		xor	eax, eax

loc_64158A:				; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+636j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_MiConvertStandbyToProto@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCrcStillIntact(x,	x, x, x, x)
_MiCrcStillIntact@20 proc near		; CODE XREF: MiSharePages(x,x,x,x,x)+F14p

var_C0		= dword	ptr -0C0h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= word ptr -0A0h
var_9C		= dword	ptr -9Ch
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C8h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		lea	eax, [ebp+var_A4]
		push	edi
		push	98h		; size_t
		mov	ebx, edx
		mov	[ebp+var_A8], ecx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_B0], ebx
		call	_memset
		mov	eax, [esi+8]
		add	esp, 0Ch
		mov	edi, eax
		mov	[ebp+var_AC], eax
		shr	edi, 9
		mov	edx, eax
		and	edi, offset loc_7FFFF8
		mov	ecx, ebx
		sub	edi, 40000000h
		mov	[ebp+var_B8], edi
		call	_MiRecheckVaVm@8 ; MiRecheckVaVm(x,x)
		test	eax, eax
		jz	loc_641698
		mov	ebx, [edi]
		xor	edx, edx
		mov	[ebp+var_C0], edx
		nop
		mov	ecx, [edi+4]
		xor	esi, esi
		inc	esi
		mov	eax, ebx
		and	eax, esi
		or	eax, edx
		jz	short loc_641698
		nop
		mov	eax, ebx
		mov	[ebp+var_B4], edx
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		imul	esi, eax, 1Ch
		add	esi, ds:_MmPfnDatabase
		lea	eax, [esi+10h]
		mov	[ebp+var_C0], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_641671
		lea	edi, [esi+10h]

loc_641653:				; CODE XREF: MiCrcStillIntact(x,x,x,x,x)+C6j
					; MiCrcStillIntact(x,x,x,x,x)+CDj
		lea	ecx, [ebp+var_B4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		js	short loc_641653
		lock bts dword ptr [edi], 1Fh
		jb	short loc_641653
		mov	edi, [ebp+var_B8]

loc_641671:				; CODE XREF: MiCrcStillIntact(x,x,x,x,x)+B2j
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_A8]
		push	esi
		call	_MiCombineCandidate@12 ; MiCombineCandidate(x,x,x)
		mov	[ebp+var_A8], eax
		test	eax, eax
		jnz	short loc_6416AB
		mov	ecx, [ebp+var_C0]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax

loc_641698:				; CODE XREF: MiCrcStillIntact(x,x,x,x,x)+6Aj
					; MiCrcStillIntact(x,x,x,x,x)+87j ...
		xor	eax, eax

loc_64169A:				; CODE XREF: MiCrcStillIntact(x,x,x,x,x)+21Bj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_6416AB:				; CODE XREF: MiCrcStillIntact(x,x,x,x,x)+ECj
		mov	al, [esi+16h]
		lea	ecx, [esi+10h]
		mov	edx, 7FFFFFFFh
		lock and [ecx],	edx
		and	al, 7
		cmp	al, 6
		jnz	short loc_641698
		mov	eax, [esi+4]
		or	eax, 80000000h
		cmp	edi, eax
		jnz	short loc_641698
		mov	ecx, esi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_641698
		mov	eax, [esi+18h]
		test	eax, 800000h
		jnz	short loc_641698
		test	byte ptr [esi+17h], 8
		jnz	short loc_641698
		and	eax, offset loc_7FFFFF
		cmp	eax, 7FFFFDh
		jz	short loc_641698
		mov	edx, [ebp+var_AC]
		mov	ecx, [ebp+var_B0]
		call	MiLocateWsle
		mov	al, [eax]
		and	al, 0Fh
		cmp	al, 8
		jz	short loc_641698
		xor	eax, eax
		inc	eax
		cmp	[esi+14h], ax
		jnz	short loc_641698
		xor	edx, edx
		mov	ecx, edx
		cmp	[ebp+var_A8], eax
		jnz	short loc_641744
		mov	ecx, [ebp+var_AC]
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_641698
		call	_MiVadSupportsPrivateCommit@4 ;	MiVadSupportsPrivateCommit(x)
		test	eax, eax
		jz	loc_641698
		xor	edx, edx

loc_641744:				; CODE XREF: MiCrcStillIntact(x,x,x,x,x)+182j
		cmp	[ebp+arg_8], 2
		jnz	short loc_641760
		and	ebx, 42h
		or	ebx, edx
		jz	loc_641698
		mov	edx, ecx
		mov	ecx, edi
		call	_MiMakeCombineCandidateClean@8 ; MiMakeCombineCandidateClean(x,x)
		jmp	short loc_6417B4
; 

loc_641760:				; CODE XREF: MiCrcStillIntact(x,x,x,x,x)+1ACj
		cmp	[ebp+arg_8], 3
		jnz	short loc_6417B4
		mov	ecx, [ebp+var_B0]
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		push	edx
		push	ds:dword_6D3154
		mov	[ebp+var_94], edx
		mov	[ebp+var_90], edx
		lea	edx, [ebp+var_A4]
		push	edx
		push	edi
		mov	edx, esi
		mov	[ebp+var_A4], eax
		mov	[ebp+var_A0], 0
		mov	[ebp+var_9C], 21h
		call	_MiClearPteAccessed@24 ; MiClearPteAccessed(x,x,x,x,x,x)
		test	eax, eax
		jz	loc_641698

loc_6417B4:				; CODE XREF: MiCrcStillIntact(x,x,x,x,x)+1C2j
					; MiCrcStillIntact(x,x,x,x,x)+1C8j
		xor	eax, eax
		inc	eax
		jmp	loc_64169A
_MiCrcStillIntact@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDecrementCombinedPte(x, x)
_MiDecrementCombinedPte@8 proc near	; CODE XREF: .text:0044A86Ap
					; MiCopyOnWrite(x,x,x,x)+A91p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		or	ecx, 0FFFFFFFFh
		mov	ebx, edx
		push	edi
		mov	edi, ds:dword_6D5C60
		mov	eax, ecx
		mov	edx, offset dword_6D5D38
		lock xadd [edx], eax
		lock xadd [ebx-8], ecx
		dec	ecx
		jz	short loc_6417E8
		push	2
		pop	eax
		jmp	short loc_641819
; 

loc_6417E8:				; CODE XREF: MiDecrementCombinedPte(x,x)+25j
		mov	eax, [ebx-10h]
		or	eax, [ebx-0Ch]
		jz	short loc_64180D
		mov	edx, ebx
		mov	ecx, edi
		call	MiDeleteMergedPte
		test	ds:byte_70EFC4,	1
		mov	edi, eax
		jz	short loc_64180F
		mov	ecx, ebx
		call	_MiLogCombinedPteDelete@4 ; MiLogCombinedPteDelete(x)
		jmp	short loc_64180F
; 

loc_64180D:				; CODE XREF: MiDecrementCombinedPte(x,x)+32j
		xor	edi, edi

loc_64180F:				; CODE XREF: MiDecrementCombinedPte(x,x)+46j
					; MiDecrementCombinedPte(x,x)+4Fj
		lea	ecx, [ebx-20h]
		call	_MiFreeCombineBlock@4 ;	MiFreeCombineBlock(x)
		mov	eax, edi

loc_641819:				; CODE XREF: MiDecrementCombinedPte(x,x)+2Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiDecrementCombinedPte@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDemoteCombinedPte(x, x, x)
_MiDemoteCombinedPte@12	proc near	; CODE XREF: MiAgePte(x,x,x)+239p
					; .text:0045ADCCp ...

var_5E		= byte ptr -5Eh
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		and	[esp+64h+var_40], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+70h+var_28]
		mov	ebx, edx
		stosd
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		mov	[esp+70h+var_50], edx
		mov	[esp+70h+var_5C], ecx
		stosd
		stosd
		stosd
		mov	edi, [ebx]
		mov	[esp+70h+var_38], edi
		nop
		mov	eax, [ebx+4]
		xor	esi, esi
		inc	esi
		mov	[esp+70h+var_44], eax
		cmp	[ecx-8], esi
		ja	loc_641941
		nop
		and	[esp+70h+var_4C], 0
		mov	ecx, edi
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	esi, ecx, 1Ch
		mov	ecx, ebx
		shl	ecx, 9
		mov	[esp+70h+var_40], ecx
		add	esi, ds:_MmPfnDatabase
		test	byte ptr [edx+60h], 7
		jnz	short loc_6418B6
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[esp+70h+var_4C], eax
		cmp	dword ptr [eax+140h], 0
		jnz	loc_641941

loc_6418B6:				; CODE XREF: MiDemoteCombinedPte(x,x,x)+79j
		mov	edx, ecx
		mov	ecx, [esp+70h+var_50]
		call	MiLocateWsle
		mov	al, [eax]
		mov	[esp+70h+var_5D], al
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	ecx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		shrd	ecx, eax, 0Ch
		mov	eax, dword ptr ds:byte_70EFC4
		mov	[esp+70h+var_54], ecx
		and	eax, 8000001h
		mov	ecx, esi
		mov	[esp+70h+var_48], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		movzx	ecx, word ptr [esi+14h]
		mov	[esp+70h+var_5E], al
		xor	eax, eax
		inc	eax
		cmp	cx, ax
		jz	short loc_641916
		cmp	ecx, 2
		jnz	short loc_64192C
		test	byte ptr [esi+16h], 8
		jz	short loc_64192C

loc_641916:				; CODE XREF: MiDemoteCombinedPte(x,x,x)+EBj
		mov	edx, [esp+70h+var_5C]
		xor	ecx, ecx
		add	edx, 0FFFFFFF8h
		lock cmpxchg [edx], ecx
		mov	edi, [esp+70h+var_38]
		cmp	eax, 1
		jz	short loc_641957

loc_64192C:				; CODE XREF: MiDemoteCombinedPte(x,x,x)+F0j
					; MiDemoteCombinedPte(x,x,x)+F6j
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, [esp+70h+var_5E]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_641941:				; CODE XREF: MiDemoteCombinedPte(x,x,x)+4Bj
					; MiDemoteCombinedPte(x,x,x)+92j
		xor	eax, eax

loc_641943:				; CODE XREF: MiDemoteCombinedPte(x,x,x)+298j
		mov	ecx, [esp+70h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_641957:				; CODE XREF: MiDemoteCombinedPte(x,x,x)+10Cj
		or	eax, 0FFFFFFFFh
		mov	ecx, offset dword_6D5D38
		lock xadd [ecx], eax
		mov	ecx, [esi+18h]
		mov	eax, 7FFFFFFFh
		and	ecx, eax
		mov	[esi+4], ebx
		mov	eax, ecx
		mov	edx, offset loc_7FFFFF
		and	eax, edx
		mov	[esp+70h+var_58], eax
		mov	eax, ecx
		xor	eax, [esp+70h+var_54]
		and	eax, edx
		mov	edx, [esi+8]
		xor	eax, ecx
		mov	ecx, edx
		mov	[esi+18h], eax
		mov	eax, [esi+0Ch]
		mov	[esp+70h+var_54], eax
		shrd	ecx, eax, 5
		shr	eax, 5
		mov	[esp+70h+var_34], eax
		mov	eax, ecx
		and	eax, 5
		cmp	al, 5
		jnz	short loc_6419C8
		and	ecx, 1Eh
		xor	eax, eax
		shld	eax, ecx, 5
		and	edx, 0FFFFFC1Fh
		shl	ecx, 5
		or	ecx, edx
		or	eax, [esp+70h+var_54]
		mov	[esi+8], ecx
		mov	[esi+0Ch], eax

loc_6419C8:				; CODE XREF: MiDemoteCombinedPte(x,x,x)+18Aj
		cmp	[esp+70h+var_48], 0
		jz	short loc_6419DA
		lea	edx, [esp+70h+var_28]
		mov	ecx, esi
		call	_MiIdentifyPfn@8 ; MiIdentifyPfn(x,x)

loc_6419DA:				; CODE XREF: MiDemoteCombinedPte(x,x,x)+1AFj
		lea	eax, [esi+10h]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		mov	cl, [esp+70h+var_5E]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		and	eax, 200h
		or	eax, 0
		jz	short loc_641A19
		mov	eax, [esp+70h+var_44]
		and	edi, 0FFFFFDFFh
		or	edi, 820h
		mov	[esp+70h+var_2C], eax
		mov	[esp+70h+var_30], edi
		nop
		mov	[ebx], edi
		mov	[ebx+4], eax

loc_641A19:				; CODE XREF: MiDemoteCombinedPte(x,x,x)+1DBj
		imul	esi, [esp+70h+var_58], 1Ch
		xor	ebx, ebx
		mov	al, [esp+70h+var_5D]
		inc	ebx
		and	al, 0Fh
		add	esi, ds:_MmPfnDatabase
		cmp	al, 8
		jnz	short loc_641A3A
		mov	edx, ebx
		mov	ecx, esi
		call	_MiUnlockPageTableCharges@8 ; MiUnlockPageTableCharges(x,x)

loc_641A3A:				; CODE XREF: MiDemoteCombinedPte(x,x,x)+211j
		xor	edx, edx
		mov	ecx, esi
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		mov	edx, [esp+70h+var_40]
		xor	esi, esi
		mov	ecx, [esp+70h+var_50]
		push	esi
		push	ebx
		call	_MiUpdateWorkingSetPrivateSize@16 ; MiUpdateWorkingSetPrivateSize(x,x,x,x)
		mov	eax, [esp+70h+var_4C]
		test	eax, eax
		jz	short loc_641A67
		mov	edx, ebx
		add	eax, 14Ch
		lock xadd [eax], edx

loc_641A67:				; CODE XREF: MiDemoteCombinedPte(x,x,x)+23Cj
		cmp	[esp+70h+var_48], esi
		jz	short loc_641AA8
		mov	ecx, [esp+70h+var_5C]
		call	_MiLogCombinedPteDelete@4 ; MiLogCombinedPteDelete(x)
		push	11401B02h
		push	276h
		lea	eax, [esp+78h+var_28]
		mov	[esp+78h+var_14], esi
		push	28000001h
		mov	edx, ebx
		mov	[esp+7Ch+var_18], eax
		lea	ecx, [esp+7Ch+var_18]
		mov	[esp+7Ch+var_10], 10h
		mov	[esp+7Ch+var_C], esi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_641AA8:				; CODE XREF: MiDemoteCombinedPte(x,x,x)+24Dj
		mov	ecx, [esp+70h+var_5C]
		lea	ecx, [ecx-20h]
		call	_MiFreeCombineBlock@4 ;	MiFreeCombineBlock(x)
		mov	eax, ebx
		jmp	loc_641943
_MiDemoteCombinedPte@12	endp


;  S U B	R O U T	I N E 


; __stdcall MiDereferenceCombineBlock(x, x)
_MiDereferenceCombineBlock@8 proc near	; CODE XREF: MiSharePages(x,x,x,x,x)+413p
					; MiSharePages(x,x,x,x,x)+F35p	...
		mov	edi, edi
		push	ecx
		test	edx, edx
		jz	short loc_641AEA
		mov	eax, [edx+10h]
		or	eax, [edx+14h]
		jz	short loc_641AD4
		add	edx, 20h
		call	_MiDecrementCombinedPte@8 ; MiDecrementCombinedPte(x,x)
		pop	ecx
		retn
; 

loc_641AD4:				; CODE XREF: MiDereferenceCombineBlock(x,x)+Dj
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jz	short loc_641AE0
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_641AE0:				; CODE XREF: MiDereferenceCombineBlock(x,x)+1Ej
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[eax+4], edx
		mov	[ecx], edx

loc_641AEA:				; CODE XREF: MiDereferenceCombineBlock(x,x)+5j
		pop	ecx
		retn
_MiDereferenceCombineBlock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiFillCombinePage(void *,void *)
_MiFillCombinePage@16 proc near		; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+BDp
					; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+6Fp

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	8
		push	offset dword_6A8B40
		call	__SEH_prolog4
		mov	esi, edx
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		cdq
		push	1Ch
		pop	ecx
		idiv	ecx
		mov	edi, eax
		mov	ecx, [ebp+arg_0]
		mov	dl, [ecx+16h]
		mov	cl, [esi+16h]
		xor	cl, dl
		test	cl, 0C0h
		jz	short loc_641B29
		push	2
		movzx	edx, dl
		shr	edx, 6
		mov	ecx, esi
		call	MiChangePageAttribute

loc_641B29:				; CODE XREF: MiFillCombinePage(x,x,x,x)+2Cj
		push	0
		push	40000010h
		mov	edx, edi
		xor	ecx, ecx
		call	MiMapSinglePage
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_641B8C
		xor	esi, esi
		inc	esi
		and	[ebp+ms_exc.disabled], 0
		push	1000h		; size_t
		push	[ebp+arg_4]	; void *
		push	[ebp+arg_0]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_641B65
; 

loc_641B5C:				; DATA XREF: .text:006A8B54o
		xor	eax, eax
		inc	eax
		retn
; 

loc_641B60:				; DATA XREF: .text:006A8B58o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	esi, esi

loc_641B65:				; CODE XREF: MiFillCombinePage(x,x,x,x)+6Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	1
		mov	edx, [ebp+arg_0]
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		sub	edx, 40000000h
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		mov	eax, esi

loc_641B8C:				; CODE XREF: MiFillCombinePage(x,x,x,x)+52j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiFillCombinePage@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeCombineBlock(x)
_MiFreeCombineBlock@4 proc near		; CODE XREF: MiDecrementCombinedPte(x,x)+56p
					; MiDemoteCombinedPte(x,x,x)+291p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		mov	edi, ecx
		mov	ebx, edi
		and	ebx, 0FFFFF000h
		mov	[ebp+var_8], ebx
		mov	edx, [edi+10h]
		mov	eax, edx
		or	eax, [edi+14h]
		jz	short loc_641C07
		and	edx, 0Fh
		mov	[ebp+var_4], edx
		lea	esi, unk_6D5C94[edx*8]
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	bl, al
		mov	eax, [ebp+var_4]
		push	edi
		lea	ecx, unk_6D5C90[eax*8]
		push	ecx
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	dword ptr [edi+10h], 0
		and	dword ptr [edi+14h], 0
		mov	ebx, [ebp+var_8]

loc_641C07:				; CODE XREF: MiFreeCombineBlock(x)+28j
		and	dword ptr [edi+1Ch], 0FFFFFFE0h
		lea	edx, [ebp+var_14]
		mov	ecx, offset unk_6D5C8C
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		sub	dword ptr [ebx+4], 1
		push	1
		pop	esi
		jnz	short loc_641C83
		lea	eax, [ebx+30h]
		xor	ecx, ecx

loc_641C26:				; CODE XREF: MiFreeCombineBlock(x)+A6j
		cmp	eax, edi
		jz	short loc_641C3D
		mov	esi, [eax]
		mov	edx, [eax+4]
		cmp	[esi+4], eax
		jnz	short loc_641C92
		cmp	[edx], eax
		jnz	short loc_641C92
		mov	[edx], esi
		mov	[esi+4], edx

loc_641C3D:				; CODE XREF: MiFreeCombineBlock(x)+8Aj
		add	eax, 30h
		inc	ecx
		cmp	ecx, 54h
		jb	short loc_641C26
		mov	eax, ds:dword_6D5C6C
		xor	esi, esi
		mov	[ebx], eax
		inc	esi
		mov	ds:dword_6D5C6C, ebx
		cmp	dword ptr [ebx], 0
		jnz	short loc_641CA5
		and	ds:dword_6D5C70, 0
		push	esi
		push	offset dword_6D5C70
		mov	ds:dword_6D5C78, offset	_MiFreeCombinePool@4 ; MiFreeCombinePool(x)
		mov	ds:dword_6D5C7C, offset	dword_6D5C60
		call	ExQueueWorkItem
		jmp	short loc_641CA5
; 

loc_641C83:				; CODE XREF: MiFreeCombineBlock(x)+81j
		mov	eax, ds:dword_6D5C84
		mov	ecx, offset dword_6D5C84
		cmp	[eax+4], ecx
		jz	short loc_641C97

loc_641C92:				; CODE XREF: MiFreeCombineBlock(x)+94j
					; MiFreeCombineBlock(x)+98j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_641C97:				; CODE XREF: MiFreeCombineBlock(x)+F2j
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[eax+4], edi
		mov	ds:dword_6D5C84, edi

loc_641CA5:				; CODE XREF: MiFreeCombineBlock(x)+BBj
					; MiFreeCombineBlock(x)+E3j
		test	ds:byte_70EFC6,	1
		jz	short loc_641CBB
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_641CE7
; 

loc_641CBB:				; CODE XREF: MiFreeCombineBlock(x)+10Ej
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_641CDA
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_641CE7
		call	KxWaitForLockChainValid

loc_641CDA:				; CODE XREF: MiFreeCombineBlock(x)+122j
		mov	[ebp+var_14], 0
		add	eax, 4
		lock xor [eax],	esi

loc_641CE7:				; CODE XREF: MiFreeCombineBlock(x)+11Bj
					; MiFreeCombineBlock(x)+135j
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	eax, 0FFFFFFFFh
		mov	ecx, offset dword_6D5D34
		lock xadd [ecx], eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiFreeCombineBlock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeCombinePool(x)
_MiFreeCombinePool@4 proc near		; DATA XREF: MiFreeCombineBlock(x)+CAo

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		lea	ecx, [esi+2Ch]
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edi, [esi+0Ch]
		and	dword ptr [esi+0Ch], 0
		test	ds:byte_70EFC6,	1
		jz	short loc_641D3E
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_641D6D
; 

loc_641D3E:				; CODE XREF: MiFreeCombinePool(x)+2Ej
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_641D5D
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_641D6D
		call	KxWaitForLockChainValid

loc_641D5D:				; CODE XREF: MiFreeCombinePool(x)+42j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_641D6D:				; CODE XREF: MiFreeCombinePool(x)+3Bj
					; MiFreeCombinePool(x)+55j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_641D76:				; CODE XREF: MiFreeCombinePool(x)+8Aj
		mov	esi, [edi]
		mov	ecx, edi
		call	_MiUnlockPagedAddress@4	; MiUnlockPagedAddress(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_641D76
		pop	edi
		pop	esi
		leave
		retn	4
_MiFreeCombinePool@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetCombineDomain(x, x)
_MiGetCombineDomain@8 proc near		; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+176p
					; MiSharePages(x,x,x,x,x)+8D8p	...
		cmp	ecx, 1
		jnz	short loc_641DB0
		push	ebx
		push	esi
		lea	esi, [edx+260h]
		xor	eax, eax
		xor	edx, edx
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [esi]
		pop	esi
		pop	ebx
		retn
; 

loc_641DB0:				; CODE XREF: MiGetCombineDomain(x,x)+3j
		cmp	ecx, 2
		jnz	short loc_641DBA
		xor	eax, eax
		mov	edx, eax
		retn
; 

loc_641DBA:				; CODE XREF: MiGetCombineDomain(x,x)+20j
		mov	eax, [edx-38h]
		mov	edx, [edx-34h]
		retn
_MiGetCombineDomain@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiHashIsCommon(x, x, x, x)
_MiHashIsCommon@16 proc	near		; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+2Ep
					; MiPerformCombineScan(x,x,x,x)+3Bp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+18h]
		push	ebx
		push	esi
		mov	esi, [ecx+14h]
		push	edi
		mov	edi, [ecx+1Ch]
		mov	[ebp+var_4], eax
		xor	eax, eax
		test	edi, edi
		jz	short loc_641DF2
		mov	ecx, [ebp+arg_4]
		mov	ebx, [ebp+arg_0]

loc_641DE2:				; CODE XREF: MiHashIsCommon(x,x,x,x)+2Fj
		cmp	ebx, [esi+eax*8]
		jnz	short loc_641DED
		cmp	ecx, [esi+eax*8+4]
		jz	short loc_641DFB

loc_641DED:				; CODE XREF: MiHashIsCommon(x,x,x,x)+24j
		inc	eax
		cmp	eax, edi
		jb	short loc_641DE2

loc_641DF2:				; CODE XREF: MiHashIsCommon(x,x,x,x)+19j
					; MiHashIsCommon(x,x,x,x)+52j
		xor	eax, eax

loc_641DF4:				; CODE XREF: MiHashIsCommon(x,x,x,x)+57j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_641DFB:				; CODE XREF: MiHashIsCommon(x,x,x,x)+2Aj
		test	edx, edx
		jz	short loc_641E15
		mov	ecx, [ebp+var_4]
		mov	esi, 1000h
		push	dword ptr [ecx+eax*4]
		push	esi
		push	edx
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, esi
		jnz	short loc_641DF2

loc_641E15:				; CODE XREF: MiHashIsCommon(x,x,x,x)+3Cj
		xor	eax, eax
		inc	eax
		jmp	short loc_641DF4
_MiHashIsCommon@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIncrementCombineMdl(x, x)
_MiIncrementCombineMdl@8 proc near	; CODE XREF: MiSharePages(x,x,x,x,x)+A99p
					; MiSharePages(x,x,x,x,x)+D40p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], eax
		push	edi
		mov	edi, [eax+ebx*4+24h]
		dec	dword ptr [eax+ebx*4+30h]
		add	dword ptr [edi+18h], 1000h
		mov	eax, [edi+18h]
		cmp	eax, [edi+14h]
		jnz	short loc_641E55
		push	esi
		mov	esi, [edi]
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		mov	edi, esi
		mov	[eax+ebx*4+24h], esi
		pop	esi

loc_641E55:				; CODE XREF: MiIncrementCombineMdl(x,x)+24j
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn
_MiIncrementCombineMdl@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertNewCombineBlocks(x,	x, x)
_MiInsertNewCombineBlocks@12 proc near	; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+16Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, edx
		stosd
		mov	ebx, ecx
		mov	ecx, esi
		stosd
		stosd
		mov	edi, 0FC0h
		mov	edx, edi
		call	MiLockPagedRange
		test	eax, eax
		jnz	short loc_641E8B

loc_641E84:				; CODE XREF: MiInsertNewCombineBlocks(x,x,x)+BCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_641E8B:				; CODE XREF: MiInsertNewCombineBlocks(x,x,x)+27j
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebx+2Ch]
		lea	edx, [ebp+var_C]
		push	53h
		pop	edi
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	ecx, [ebx+24h]
		mov	eax, [ecx]

loc_641EAA:				; CODE XREF: MiInsertNewCombineBlocks(x,x,x)+6Aj
		mov	edx, esi
		cmp	[eax+4], ecx
		jnz	short loc_641F1C
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		mov	[ecx], esi
		add	esi, 30h
		sub	edi, 1
		jz	short loc_641EC7
		mov	eax, edx
		jmp	short loc_641EAA
; 

loc_641EC7:				; CODE XREF: MiInsertNewCombineBlocks(x,x,x)+66j
		test	ds:byte_70EFC6,	1
		jz	short loc_641EDD
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_641F0C
; 

loc_641EDD:				; CODE XREF: MiInsertNewCombineBlocks(x,x,x)+73j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_641EFC
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_641F0C
		call	KxWaitForLockChainValid

loc_641EFC:				; CODE XREF: MiInsertNewCombineBlocks(x,x,x)+87j
		xor	ecx, ecx
		mov	[ebp+var_C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_641F0C:				; CODE XREF: MiInsertNewCombineBlocks(x,x,x)+80j
					; MiInsertNewCombineBlocks(x,x,x)+9Aj
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		jmp	loc_641E84
; 

loc_641F1C:				; CODE XREF: MiInsertNewCombineBlocks(x,x,x)+54j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_MiInsertNewCombineBlocks@12 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLocateCombineBlock(x, x, x, x, x)
_MiLocateCombineBlock@20 proc near	; CODE XREF: MiAllocateCombineProto(x,x,x,x,x,x)+52p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		and	eax, 0Fh
		push	ebx
		push	esi
		push	edi
		mov	eax, [ecx+eax*8+30h]
		mov	edi, edx
		test	eax, eax
		jz	short loc_641FA2
		mov	esi, [ebp+arg_8]

loc_641F3D:				; CODE XREF: MiLocateCombineBlock(x,x,x,x,x)+79j
		mov	edx, [eax+14h]
		mov	ecx, [eax+10h]
		cmp	[ebp+arg_4], edx
		ja	short loc_641F95
		jb	short loc_641F91
		cmp	[ebp+arg_0], ecx
		ja	short loc_641F95
		cmp	[ebp+arg_4], edx
		jb	short loc_641F91
		ja	short loc_641F5B
		cmp	[ebp+arg_0], ecx
		jb	short loc_641F91

loc_641F5B:				; CODE XREF: MiLocateCombineBlock(x,x,x,x,x)+33j
		mov	ecx, [eax+1Ch]
		and	ecx, 1Fh
		cmp	edi, ecx
		ja	short loc_641F95
		jb	short loc_641F91
		test	esi, esi
		jz	short loc_641F9E
		mov	ebx, [esi+4]
		mov	ecx, [esi]
		mov	esi, [eax+2Ch]
		cmp	ebx, esi
		mov	edx, [eax+28h]
		mov	[ebp+var_4], esi
		mov	esi, [ebp+arg_8]
		ja	short loc_641F95
		jb	short loc_641F86
		cmp	ecx, edx
		ja	short loc_641F95

loc_641F86:				; CODE XREF: MiLocateCombineBlock(x,x,x,x,x)+5Fj
		cmp	ebx, [ebp+var_4]
		ja	short loc_641F9E
		jb	short loc_641F91
		cmp	ecx, edx
		jnb	short loc_641F9E

loc_641F91:				; CODE XREF: MiLocateCombineBlock(x,x,x,x,x)+27j
					; MiLocateCombineBlock(x,x,x,x,x)+31j ...
		mov	eax, [eax]
		jmp	short loc_641F98
; 

loc_641F95:				; CODE XREF: MiLocateCombineBlock(x,x,x,x,x)+25j
					; MiLocateCombineBlock(x,x,x,x,x)+2Cj ...
		mov	eax, [eax+4]

loc_641F98:				; CODE XREF: MiLocateCombineBlock(x,x,x,x,x)+72j
		test	eax, eax
		jnz	short loc_641F3D
		jmp	short loc_641FA2
; 

loc_641F9E:				; CODE XREF: MiLocateCombineBlock(x,x,x,x,x)+48j
					; MiLocateCombineBlock(x,x,x,x,x)+68j ...
		test	eax, eax
		jnz	short loc_641FA4

loc_641FA2:				; CODE XREF: MiLocateCombineBlock(x,x,x,x,x)+17j
					; MiLocateCombineBlock(x,x,x,x,x)+7Bj
		xor	eax, eax

loc_641FA4:				; CODE XREF: MiLocateCombineBlock(x,x,x,x,x)+7Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiLocateCombineBlock@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogCombinedPteDelete(x)
_MiLogCombinedPteDelete@4 proc near	; CODE XREF: MiDecrementCombinedPte(x,x)+4Ap
					; MiDemoteCombinedPte(x,x,x)+253p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		or	[ebp+var_18], 0FFFFFFFFh
		lea	eax, [ebp+var_20]
		and	[ebp+var_10], 0
		xor	edx, edx
		and	[ebp+var_8], 0
		inc	edx
		push	11401B02h
		push	24Fh
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		lea	ecx, [ebp+var_14]
		push	28000001h
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 0Ch
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiLogCombinedPteDelete@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeCombineCandidateClean(x, x)
_MiMakeCombineCandidateClean@8 proc near ; CODE	XREF: MiCrcStillIntact(x,x,x,x,x)+1BDp
					; MiSharePages(x,x,x,x,x)+6DDp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	edi, [ebx]
		nop
		mov	esi, [ebx+4]
		nop
		mov	ecx, edi
		mov	[ebp+var_C], esi
		mov	eax, esi
		and	edi, 0FFFFFFBDh
		shrd	ecx, eax, 0Ch
		mov	[ebp+var_10], edi
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		nop
		xor	edx, edx
		mov	[ebx], edi
		inc	edx
		mov	[ebx+4], esi
		call	MiLockPageAndSetDirty
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_64207C
		mov	eax, [ecx+1Ch]
		mov	edx, 300000h
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_64207C
		push	ecx
		mov	ecx, large fs:124h
		shl	ebx, 9
		mov	edx, ebx
		mov	ecx, [ecx+80h]
		call	_MiCaptureWriteWatchDirtyBit@12	; MiCaptureWriteWatchDirtyBit(x,x,x)

loc_64207C:				; CODE XREF: MiMakeCombineCandidateClean(x,x)+52j
					; MiMakeCombineCandidateClean(x,x)+60j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiMakeCombineCandidateClean@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMapArbitraryPage(x, x, x,	x, x)
_MiMapArbitraryPage@20 proc near	; CODE XREF: MiCombinePte(x,x,x)+141p
					; MiSharePages(x,x,x,x,x)+B7Fp	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, edx
		push	ebx
		mov	[ebp+var_10], eax
		push	esi
		mov	ebx, [eax+20h]
		mov	esi, ecx
		mov	eax, [eax+24h]
		mov	[ebp+var_8], eax
		mov	eax, ebx
		sub	eax, ds:_MmPfnDatabase
		push	edi
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, ebx
		mov	[ebp+var_C], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	ebx
		mov	[ebp+var_1], al
		call	_MiCombineCandidate@12 ; MiCombineCandidate(x,x,x)
		cmp	[ebp+arg_4], 0
		jnz	short loc_6420EB
		test	eax, eax
		jnz	short loc_6420F0

loc_6420CC:				; CODE XREF: MiMapArbitraryPage(x,x,x,x,x)+6Dj
					; MiMapArbitraryPage(x,x,x,x,x)+7Ej ...
		xor	edi, edi

loc_6420CE:				; CODE XREF: MiMapArbitraryPage(x,x,x,x,x)+118j
					; MiMapArbitraryPage(x,x,x,x,x)+125j
		mov	eax, 7FFFFFFFh
		lea	ecx, [ebx+10h]
		lock and [ecx],	eax
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_6420EB:				; CODE XREF: MiMapArbitraryPage(x,x,x,x,x)+45j
		cmp	eax, [ebp+arg_4]
		jnz	short loc_6420CC

loc_6420F0:				; CODE XREF: MiMapArbitraryPage(x,x,x,x,x)+49j
		xor	edi, edi
		inc	edi
		cmp	[ebp+arg_8], edi
		jnz	short loc_642105
		mov	al, [ebx+16h]
		and	al, 7
		cmp	al, 2
		jb	short loc_6420CC
		cmp	al, 3
		ja	short loc_6420CC

loc_642105:				; CODE XREF: MiMapArbitraryPage(x,x,x,x,x)+75j
		mov	al, [ebx+16h]
		and	al, 0C0h
		cmp	al, 0C0h
		jz	short loc_6420CC
		mov	edx, ebx
		mov	ecx, edi
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		mov	edx, [ebp+var_C]
		or	eax, 20000000h
		mov	ecx, [ebp+var_8]
		push	eax
		call	MiMakeValidPte
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		mov	eax, [ebp+var_10]
		and	[ebp+arg_4], 0
		mov	[eax+1Ch], ecx
		mov	[eax+18h], ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_64218E
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_64216A
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	eax, edi
		jnz	short loc_642191
		mov	eax, esi
		and	eax, edi
		or	eax, 0
		mov	eax, edi

loc_642160:				; CODE XREF: MiMapArbitraryPage(x,x,x,x,x)+10Bj
		jz	short loc_642191
		or	edx, 80000000h
		jmp	short loc_642191
; 

loc_64216A:				; CODE XREF: MiMapArbitraryPage(x,x,x,x,x)+C9j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_64218E
		mov	eax, esi
		and	eax, edi
		or	eax, 0
		mov	eax, [ebp+arg_4]
		jmp	short loc_642160
; 

loc_64218E:				; CODE XREF: MiMapArbitraryPage(x,x,x,x,x)+C0j
					; MiMapArbitraryPage(x,x,x,x,x)+FFj
		mov	eax, [ebp+arg_4]

loc_642191:				; CODE XREF: MiMapArbitraryPage(x,x,x,x,x)+D4j
					; MiMapArbitraryPage(x,x,x,x,x):loc_642160j ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], esi
		test	eax, eax
		jz	loc_6420CE
		push	edx
		push	esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_6420CE
_MiMapArbitraryPage@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPerformCombineScan(x, x, x, x)
_MiPerformCombineScan@16 proc near	; CODE XREF: MiCombinePte(x,x,x)+167p
					; MiSharePages(x,x,x,x,x)+C04p	...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	14h
		push	offset dword_6A8B00
		call	__SEH_prolog4
		mov	ebx, ecx
		mov	edi, [edx+1Ch]
		shl	edi, 9
		xor	esi, esi
		inc	esi
		xor	eax, eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+ms_exc.disabled], eax
		mov	ecx, edi
		call	_MiComputeHash64@4 ; MiComputeHash64(x)
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], edx
		cmp	[ebp+arg_0], 0
		jz	short loc_6421FF
		push	edx
		push	eax
		mov	edx, edi
		mov	ecx, ebx
		call	_MiHashIsCommon@16 ; MiHashIsCommon(x,x,x,x)
		neg	eax
		sbb	eax, eax
		and	esi, eax
		jmp	short loc_6421FC
; 

loc_6421F3:				; DATA XREF: .text:006A8B14o
		xor	eax, eax
		inc	eax
		retn
; 

loc_6421F7:				; DATA XREF: .text:006A8B18o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	esi, esi

loc_6421FC:				; CODE XREF: MiPerformCombineScan(x,x,x,x)+46j
		mov	[ebp+var_1C], esi

loc_6421FF:				; CODE XREF: MiPerformCombineScan(x,x,x,x)+33j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_24]
		mov	edx, [ebp+arg_4]
		mov	[edx], ecx
		mov	ecx, [ebp+var_20]
		mov	[edx+4], ecx
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiPerformCombineScan@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiPushCombineBlock(x, x)
_MiPushCombineBlock@8 proc near		; CODE XREF: MiProcessCrcList(x,x,x,x)+4ADp
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jz	short loc_642234
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_642234:				; CODE XREF: MiPushCombineBlock(x,x)+5j
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[eax+4], edx
		mov	[ecx], edx
		retn
_MiPushCombineBlock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRecheckCombineVm(x, x, x,	x)
_MiRecheckCombineVm@16 proc near	; CODE XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+116p
					; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+40Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	[ebp+arg_0]
		call	_MiCombineCandidate@12 ; MiCombineCandidate(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_64229F
		push	2
		pop	ecx
		cmp	esi, ecx
		jnz	short loc_642262
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		jmp	short loc_64229A
; 

loc_642262:				; CODE XREF: MiRecheckCombineVm(x,x,x,x)+1Aj
		mov	ecx, [ebp+arg_0]
		call	MiGetTopLevelPfn
		mov	ecx, [eax]
		lea	edi, [eax+10h]
		mov	edx, [edi]
		shr	ecx, 1
		and	edx, 40000000h
		and	ecx, 0FFFFFFF8h
		or	ecx, 80000000h
		cmp	eax, [ebp+arg_0]
		jz	short loc_64228F
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax

loc_64228F:				; CODE XREF: MiRecheckCombineVm(x,x,x,x)+46j
		cmp	esi, 1
		jnz	short loc_6422A7
		lea	eax, [ecx+240h]

loc_64229A:				; CODE XREF: MiRecheckCombineVm(x,x,x,x)+21j
		cmp	[ebp+arg_4], eax
		jz	short loc_6422B6

loc_64229F:				; CODE XREF: MiRecheckCombineVm(x,x,x,x)+13j
					; MiRecheckCombineVm(x,x,x,x)+6Aj ...
		xor	eax, eax

loc_6422A1:				; CODE XREF: MiRecheckCombineVm(x,x,x,x)+7Aj
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_6422A7:				; CODE XREF: MiRecheckCombineVm(x,x,x,x)+53j
		test	edx, edx
		jnz	short loc_64229F
		add	ecx, 0C0h
		cmp	[ebp+arg_4], ecx
		jnz	short loc_64229F

loc_6422B6:				; CODE XREF: MiRecheckCombineVm(x,x,x,x)+5Ej
		xor	eax, eax
		inc	eax
		jmp	short loc_6422A1
_MiRecheckCombineVm@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRecheckVaVm(x, x)
_MiRecheckVaVm@8 proc near		; CODE XREF: MiCrcStillIntact(x,x,x,x,x)+63p
					; MiSharePages(x,x,x,x,x)+440p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		inc	ebx
		mov	esi, edx
		test	byte ptr [edi+60h], 7
		jz	loc_64238C
		cmp	esi, ds:dword_6D07D0
		jb	loc_642394
		push	offset dword_6D2E64
		call	ExAcquireSpinLockSharedAtDpcLevel
		cmp	esi, ds:dword_6D07D0
		jnb	short loc_6422F9
		xor	ecx, ecx
		jmp	short loc_642305
; 

loc_6422F9:				; CODE XREF: MiRecheckVaVm(x,x)+38j
		mov	eax, esi
		shr	eax, 15h
		movzx	ecx, byte ptr ds:dword_6D3994[eax]

loc_642305:				; CODE XREF: MiRecheckVaVm(x,x)+3Cj
		mov	al, [edi+60h]
		and	al, 7
		cmp	al, 1
		jnz	short loc_64231C
		cmp	ecx, 1
		jz	short loc_642343
		cmp	ecx, 0Bh
		jz	short loc_642343
		xor	ebx, ebx
		jmp	short loc_642375
; 

loc_64231C:				; CODE XREF: MiRecheckVaVm(x,x)+51j
		cmp	al, 2
		jnz	short loc_642327
		xor	ebx, ebx
		cmp	ecx, 8
		jmp	short loc_64233B
; 

loc_642327:				; CODE XREF: MiRecheckVaVm(x,x)+63j
		cmp	al, 3
		jnz	short loc_642332
		xor	ebx, ebx
		cmp	ecx, 6
		jmp	short loc_64233B
; 

loc_642332:				; CODE XREF: MiRecheckVaVm(x,x)+6Ej
		cmp	al, 4
		jnz	short loc_642343
		xor	ebx, ebx
		cmp	ecx, 0Ch

loc_64233B:				; CODE XREF: MiRecheckVaVm(x,x)+6Aj
					; MiRecheckVaVm(x,x)+75j
		setz	bl
		cmp	ebx, 1
		jnz	short loc_642375

loc_642343:				; CODE XREF: MiRecheckVaVm(x,x)+56j
					; MiRecheckVaVm(x,x)+5Bj ...
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		mov	ecx, [esi-40000000h]
		nop
		mov	eax, ecx
		xor	esi, esi
		and	eax, 1
		or	eax, esi
		jnz	short loc_642375
		mov	eax, ecx
		and	eax, 400h
		or	eax, esi
		jnz	short loc_642373
		and	ecx, 800h
		or	ecx, esi
		jnz	short loc_642375

loc_642373:				; CODE XREF: MiRecheckVaVm(x,x)+ACj
		mov	ebx, esi

loc_642375:				; CODE XREF: MiRecheckVaVm(x,x)+5Fj
					; MiRecheckVaVm(x,x)+86j ...
		test	byte ptr [edi+60h], 7
		jz	short loc_642385
		push	offset dword_6D2E64
		call	ExReleaseSpinLockSharedFromDpcLevel

loc_642385:				; CODE XREF: MiRecheckVaVm(x,x)+BEj
		mov	eax, ebx

loc_642387:				; CODE XREF: MiRecheckVaVm(x,x)+DBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_64238C:				; CODE XREF: MiRecheckVaVm(x,x)+16j
		cmp	esi, ds:dword_6D07D0
		jb	short loc_642343

loc_642394:				; CODE XREF: MiRecheckVaVm(x,x)+22j
		xor	eax, eax
		jmp	short loc_642387
_MiRecheckVaVm@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiReleaseArbitraryPage(x)
_MiReleaseArbitraryPage@4 proc near	; CODE XREF: MiCombinePte(x,x,x)+172p
					; MiSharePages(x,x,x,x,x)+D67p	...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+18h]
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	edx, [edi+1Ch]
		mov	bl, al
		and	dword ptr [edi+18h], 0
		mov	ecx, ds:_ZeroPte
		mov	[edx], ecx
		nop
		mov	edx, [edi+1Ch]
		lea	eax, [esi+10h]
		mov	ecx, ds:dword_40F9FC
		mov	[edx+4], ecx
		mov	ecx, 7FFFFFFFh
		and	dword ptr [edi+1Ch], 0
		lock and [eax],	ecx
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiReleaseArbitraryPage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiResolveProtoCombine(x, x,	x)
_MiResolveProtoCombine@12 proc near	; CODE XREF: MiConvertPrivateToProto(x,x,x,x,x,x,x)+693p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_20], 0
		and	[ebp+var_1C], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	[ebp+var_18], edx
		xor	edx, edx
		mov	[ebp+var_10], ecx
		mov	ecx, ebx
		push	edi
		call	MiLockProtoPoolPage
		test	eax, eax
		jnz	short loc_642411

loc_64240A:				; CODE XREF: MiResolveProtoCombine(x,x,x)+5Bj
					; MiResolveProtoCombine(x,x,x)+2E2j
		xor	eax, eax
		jmp	loc_6426CB
; 

loc_642411:				; CODE XREF: MiResolveProtoCombine(x,x,x)+27j
		mov	ecx, ebx
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		imul	esi, eax, 1Ch
		xor	edx, edx
		mov	ecx, ebx
		add	esi, ds:_MmPfnDatabase
		mov	[ebp+var_8], esi
		call	MiLockLeafPage
		mov	edi, eax
		test	edi, edi
		jnz	short loc_64243E
		mov	ecx, esi

loc_642435:				; CODE XREF: MiResolveProtoCombine(x,x,x)+ACj
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		jmp	short loc_64240A
; 

loc_64243E:				; CODE XREF: MiResolveProtoCombine(x,x,x)+50j
		mov	esi, [ebx]
		nop
		mov	eax, [ebx+4]
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_24], eax
		mov	eax, esi
		and	eax, 1
		mov	[ebp+var_28], esi
		or	eax, ecx
		jnz	loc_64259A
		mov	eax, esi
		and	eax, 400h
		or	eax, ecx
		jnz	loc_642677
		and	esi, 800h
		or	esi, ecx
		jz	loc_642677
		test	byte ptr [edi+16h], 20h
		lea	esi, [edi+10h]
		jz	short loc_64248F

loc_642482:				; CODE XREF: MiResolveProtoCombine(x,x,x)+C4j
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax

loc_64248A:				; CODE XREF: MiResolveProtoCombine(x,x,x)+2A1j
		mov	ecx, [ebp+var_8]
		jmp	short loc_642435
; 

loc_64248F:				; CODE XREF: MiResolveProtoCombine(x,x,x)+9Fj
		xor	edx, edx
		mov	ecx, edi
		call	_MiUnlinkPageFromList@8	; MiUnlinkPageFromList(x,x)
		test	eax, eax
		jnz	short loc_6424A7
		xor	edx, edx
		mov	ecx, edi
		call	_MiDiscardTransitionPteEx@8 ; MiDiscardTransitionPteEx(x,x)
		jmp	short loc_642482
; 

loc_6424A7:				; CODE XREF: MiResolveProtoCombine(x,x,x)+B9j
		inc	large dword ptr	fs:3E20h
		mov	ecx, ebx
		mov	al, [edi+16h]
		and	dword ptr [esi], 0C0000000h
		and	al, 0FEh
		inc	word ptr [edi+14h]
		or	al, 6
		mov	[edi+16h], al
		call	_MiMakeTransitionPteValid@4 ; MiMakeTransitionPteValid(x)
		mov	esi, eax
		mov	eax, edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_24], eax
		mov	eax, [edi+8]
		and	eax, 400h
		mov	[ebp+var_28], esi
		or	eax, 0
		jnz	short loc_642504
		push	dword ptr [edi+0Ch]
		mov	ecx, offset _MiSystemPartition
		push	dword ptr [edi+8]
		call	_MiIsPteInStore@16 ; MiIsPteInStore(x,x,x,x)
		test	eax, eax
		jz	short loc_642504
		mov	ecx, edi
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)

loc_6424FE:				; DATA XREF: .text:off_5A59CFo
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], edx

loc_642504:				; CODE XREF: MiResolveProtoCombine(x,x,x)+100j
					; MiResolveProtoCombine(x,x,x)+114j
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		and	[ebp+var_C], 0
		mov	[ebp+arg_0], esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_642582
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_642544
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	[ebp+var_C], ecx
		jnz	short loc_642582
		mov	eax, esi
		and	eax, ecx
		or	eax, 0
		jz	short loc_642582
		mov	eax, esi
		or	edx, 80000000h
		jmp	short loc_642585
; 

loc_642544:				; CODE XREF: MiResolveProtoCombine(x,x,x)+13Fj
		mov	eax, large fs:124h
		mov	esi, [ebp+var_28]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_64257C
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		mov	eax, [ebp+var_24]
		mov	[ebp+var_4], eax
		jz	short loc_642582
		mov	edx, eax
		mov	[ebp+arg_0], esi
		or	edx, 80000000h
		jmp	short loc_642582
; 

loc_64257C:				; CODE XREF: MiResolveProtoCombine(x,x,x)+17Cj
		mov	eax, [ebp+var_24]
		mov	[ebp+var_4], eax

loc_642582:				; CODE XREF: MiResolveProtoCombine(x,x,x)+136j
					; MiResolveProtoCombine(x,x,x)+14Ej ...
		mov	eax, [ebp+arg_0]

loc_642585:				; CODE XREF: MiResolveProtoCombine(x,x,x)+161j
		mov	[ebx+4], edx
		nop
		cmp	[ebp+var_C], 0
		mov	[ebx], eax
		jz	short loc_64259A
		push	edx
		push	eax
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_64259A:				; CODE XREF: MiResolveProtoCombine(x,x,x)+75j
					; MiResolveProtoCombine(x,x,x)+1AEj
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	ecx, [ebp+var_8]
		mov	dl, 21h
		call	MiUnlockProtoPoolPage
		mov	eax, [ebp+var_20]
		or	eax, [ebp+var_1C]
		jz	short loc_6425D4
		push	[ebp+var_1C]
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		push	[ebp+var_20]
		inc	edx
		call	MiReleasePageFileInfo

loc_6425D4:				; CODE XREF: MiResolveProtoCombine(x,x,x)+1DEj
		nop
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_10]
		shrd	esi, eax, 0Ch
		and	esi, 1FFFFFFh
		imul	eax, esi, 1Ch
		mov	[ebp+var_8], esi
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_4], eax
		mov	edi, [eax+8]
		mov	ebx, [eax+0Ch]
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], ebx
		call	_MiGetContainingPageTable@4 ; MiGetContainingPageTable(x)
		and	[ebp+var_14], 0
		imul	eax, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_C], eax
		add	eax, 10h
		mov	[ebp+arg_0], eax
		lock bts dword ptr [eax], 1Fh
		jnb	short loc_642642
		mov	esi, eax

loc_642624:				; CODE XREF: MiResolveProtoCombine(x,x,x)+24Fj
					; MiResolveProtoCombine(x,x,x)+256j
		lea	ecx, [ebp+var_14]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_642624
		lock bts dword ptr [esi], 1Fh
		jb	short loc_642624
		mov	ebx, [ebp+var_1C]
		mov	edi, [ebp+var_20]
		mov	esi, [ebp+var_8]

loc_642642:				; CODE XREF: MiResolveProtoCombine(x,x,x)+23Fj
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		inc	edx
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, [ebp+arg_0]
		mov	ecx, 7FFFFFFFh
		lock and [eax],	ecx
		nop
		nop
		shrd	edi, ebx, 5
		mov	ebx, [ebp+var_4]
		and	edi, 7
		mov	al, [ebx+16h]
		shr	al, 6
		cmp	al, 1
		jz	short loc_64268E
		test	al, al
		jnz	short loc_642687
		or	edi, 8
		jmp	short loc_64268E
; 

loc_642677:				; CODE XREF: MiResolveProtoCombine(x,x,x)+84j
					; MiResolveProtoCombine(x,x,x)+92j
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		jmp	loc_64248A
; 

loc_642687:				; CODE XREF: MiResolveProtoCombine(x,x,x)+28Fj
		cmp	al, 2
		jnz	short loc_64268E
		or	edi, 18h

loc_64268E:				; CODE XREF: MiResolveProtoCombine(x,x,x)+28Bj
					; MiResolveProtoCombine(x,x,x)+294j ...
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		push	edi
		call	MiMakeValidPte
		mov	ecx, [ebp+var_18]
		push	edx
		mov	edx, [ebp+var_10]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	ebx
		call	_MiAllocateWsle@32 ; MiAllocateWsle(x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_6426C8
		xor	edx, edx
		mov	ecx, ebx
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		jmp	loc_64240A
; 

loc_6426C8:				; CODE XREF: MiResolveProtoCombine(x,x,x)+2CDj
		xor	eax, eax
		inc	eax

loc_6426CB:				; CODE XREF: MiResolveProtoCombine(x,x,x)+2Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiResolveProtoCombine@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSharePages(x, x, x, x, x)
_MiSharePages@20 proc near		; CODE XREF: MiProcessCrcList(x,x,x,x)+595p

var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= byte ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F1		= byte ptr -1F1h
var_1F0		= dword	ptr -1F0h
var_1E9		= byte ptr -1E9h
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1DD		= byte ptr -1DDh
var_1DC		= dword	ptr -1DCh
var_1D6		= byte ptr -1D6h
var_1D5		= byte ptr -1D5h
var_1D4		= dword	ptr -1D4h
var_13C		= dword	ptr -13Ch
var_124		= dword	ptr -124h
var_120		= word ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_80		= dword	ptr -80h
var_40		= dword	ptr -40h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2C0h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	8
		mov	[ebp+var_1E8], eax
		lea	edi, [ebp+var_2BC]
		xor	eax, eax
		mov	[ebp+var_234], ecx
		and	[ebp+var_278], eax
		mov	ebx, edx
		pop	ecx
		rep stosd
		push	6
		pop	ecx
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_13C]
		rep stosd
		lea	edi, [ebp+var_294]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_124]
		mov	edi, 98h
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_1D4]
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_26C]
		stosd
		xor	edx, edx
		add	esp, 0Ch
		mov	[ebp+var_20C], edx
		mov	[ebp+var_208], edx
		mov	[ebp+var_24C], edx
		stosd
		mov	[ebp+var_22C], edx
		stosd
		mov	eax, [ebp+var_234]
		mov	ecx, [eax+8]
		mov	[ebp+var_248], ecx
		mov	ecx, [eax+20h]
		mov	eax, [eax+0Ch]
		mov	[ebp+var_254], eax
		mov	eax, [esi]
		mov	[ebp+var_214], eax
		mov	eax, [ebx+10h]
		mov	[ebp+var_244], ecx
		mov	ecx, eax
		mov	[ebp+var_1E4], eax
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		mov	ecx, [ebx+0Ch]
		mov	edi, [ebx+18h]
		mov	[ebp+var_25C], eax
		lea	eax, [ebp+var_1D4]
		mov	[ebp+var_250], edx
		mov	[ebp+var_274], edx
		mov	[ebp+var_230], eax
		cmp	ecx, 21h
		jbe	short loc_642812
		mov	esi, 3FBh
		cmp	ecx, esi
		jnb	short loc_6427E1
		mov	esi, ecx

loc_6427E1:				; CODE XREF: MiSharePages(x,x,x,x,x)+10Bj
		push	edx
		lea	ecx, ds:14h[esi*4]
		mov	edx, 73576D4Dh
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		xor	edx, edx
		mov	[ebp+var_230], eax
		test	eax, eax
		jnz	short loc_642814
		lea	eax, [ebp+var_1D4]
		push	21h
		mov	[ebp+var_230], eax
		pop	esi
		jmp	short loc_642814
; 

loc_642812:				; CODE XREF: MiSharePages(x,x,x,x,x)+102j
		mov	esi, ecx

loc_642814:				; CODE XREF: MiSharePages(x,x,x,x,x)+12Dj
					; MiSharePages(x,x,x,x,x)+13Ej
		mov	ecx, [ebp+var_25C]
		mov	[eax+0Ch], edx
		mov	[eax], ecx
		mov	word ptr [eax+4], 0
		mov	[eax+10h], edx
		mov	[eax+8], esi
		mov	[eax+14h], edx
		mov	ebx, [ebx+14h]
		mov	[ebp+var_23C], ebx
		test	ebx, ebx
		jz	loc_6428F6
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	ebx, eax
		jz	loc_6428F6
		lea	edx, [ebp+var_26C]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	edx, [ebx+240h]
		mov	ecx, ebx
		call	_MiPrepareAttachThread@8 ; MiPrepareAttachThread(x,x)
		mov	esi, eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_274], esi
		test	ds:byte_70EFC6,	al
		jz	short loc_642893
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_26C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6428D1
; 

loc_642893:				; CODE XREF: MiSharePages(x,x,x,x,x)+1AFj
		mov	eax, [ebp+var_26C]
		test	eax, eax
		jnz	short loc_6428BE
		mov	edx, [ebp+var_268]
		lea	eax, [ebp+var_26C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_26C]
		cmp	eax, ecx
		jz	short loc_6428D1
		call	KxWaitForLockChainValid

loc_6428BE:				; CODE XREF: MiSharePages(x,x,x,x,x)+1C9j
		xor	ecx, ecx
		mov	[ebp+var_26C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_6428D1:				; CODE XREF: MiSharePages(x,x,x,x,x)+1BFj
					; MiSharePages(x,x,x,x,x)+1E5j
		mov	cl, [ebp+var_264]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	loc_643703
		push	0
		lea	edx, [ebp+var_13C]
		mov	ecx, ebx
		call	KeForceAttachProcess
		xor	edx, edx

loc_6428F6:				; CODE XREF: MiSharePages(x,x,x,x,x)+167j
					; MiSharePages(x,x,x,x,x)+17Bj
		mov	eax, large fs:124h
		mov	[ebp+var_270], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_8]

loc_64290D:				; CODE XREF: MiSharePages(x,x,x,x,x)+100Aj
		push	4
		lea	eax, [ebp+var_80]
		pop	ecx

loc_642913:				; CODE XREF: MiSharePages(x,x,x,x,x)+249j
		mov	[eax], edx
		lea	eax, [eax+20h]
		sub	ecx, 1
		jnz	short loc_642913
		mov	ecx, [ebp+var_1E4]
		mov	bh, dl
		mov	bl, dl
		mov	[ebp+var_240], edx
		mov	[ebp+var_1D6], bh
		call	MiLockWorkingSetShared
		mov	[ebp+var_1F1], al
		mov	eax, [ebp+var_23C]
		test	eax, eax
		jz	short loc_64297C
		mov	ecx, [eax+0FCh]
		mov	edx, 0C00h
		and	ecx, edx
		cmp	ecx, edx
		jb	loc_6436E1
		mov	edx, [ebp+var_1E4]
		cmp	dword ptr [edx+38h], 0
		jnz	loc_6436E1
		mov	ecx, eax
		call	_MiIsStoreProcess@4 ; MiIsStoreProcess(x)
		test	eax, eax
		jnz	loc_6436E1

loc_64297C:				; CODE XREF: MiSharePages(x,x,x,x,x)+274j
		xor	edx, edx
		inc	edx

loc_64297F:				; CODE XREF: MiSharePages(x,x,x,x,x)+42Fj
		mov	cl, bl
		mov	[ebp+var_1F8], edi
		xor	bl, bl
		cmp	cl, dl
		setz	al
		dec	al
		and	al, cl
		mov	[ebp+var_1D5], al
		mov	eax, [ebp+var_250]
		inc	eax
		dec	cl
		movzx	ecx, cl
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	[ebp+var_250], ecx
		test	bh, bh
		jz	short loc_6429BC
		mov	[ebp+var_1D6], bl
		jmp	short loc_642A0C
; 

loc_6429BC:				; CODE XREF: MiSharePages(x,x,x,x,x)+2E0j
		test	cl, 7
		jnz	short loc_6429EE
		mov	ecx, [ebp+var_1E4]
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jz	short loc_6429D4
		mov	bl, dl
		jmp	short loc_642A14
; 

loc_6429D4:				; CODE XREF: MiSharePages(x,x,x,x,x)+2FCj
		mov	eax, [ebp+var_240]
		test	eax, eax
		jz	short loc_6429EE
		mov	edx, eax
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jz	short loc_6429EE

loc_6429E9:				; CODE XREF: MiSharePages(x,x,x,x,x)+323j
		xor	edx, edx
		inc	edx
		jmp	short loc_642A0C
; 

loc_6429EE:				; CODE XREF: MiSharePages(x,x,x,x,x)+2EDj
					; MiSharePages(x,x,x,x,x)+30Aj	...
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	short loc_6429E9
		mov	ecx, [ebp+var_230]
		push	2
		pop	edx
		call	_MiFlushTbListEarly@8 ;	MiFlushTbListEarly(x,x)
		xor	edx, edx
		inc	edx
		test	eax, eax
		jz	short loc_642A0E

loc_642A0C:				; CODE XREF: MiSharePages(x,x,x,x,x)+2E8j
					; MiSharePages(x,x,x,x,x)+31Aj
		mov	bl, dl

loc_642A0E:				; CODE XREF: MiSharePages(x,x,x,x,x)+338j
		mov	ecx, [ebp+var_1E4]

loc_642A14:				; CODE XREF: MiSharePages(x,x,x,x,x)+300j
		test	edi, edi
		jz	loc_6435AF
		test	bl, bl
		jnz	loc_6435B5
		mov	eax, [edi+0Ch]
		mov	ecx, [edi]
		mov	ebx, [edi+18h]
		mov	[ebp+var_1DC], eax
		mov	eax, [edi+8]
		mov	[ebp+var_224], ecx
		mov	ecx, [edi+4]
		mov	[ebp+var_228], eax
		mov	[ebp+var_210], ecx
		cmp	ebx, 100h
		jnb	short loc_642A5C
		mov	[ebp+var_258], ebx
		xor	ebx, ebx
		jmp	short loc_642A68
; 

loc_642A5C:				; CODE XREF: MiSharePages(x,x,x,x,x)+37Ej
		mov	ecx, [ebx+1Ch]
		and	ecx, 1Fh
		mov	[ebp+var_258], ecx

loc_642A68:				; CODE XREF: MiSharePages(x,x,x,x,x)+388j
		mov	ecx, eax
		mov	edi, offset loc_7FFFF8
		shr	ecx, 9
		and	ecx, edi
		sub	ecx, 40000000h
		mov	eax, ecx
		mov	[ebp+var_220], ecx
		shr	eax, 9
		and	edi, eax
		mov	eax, [ebp+var_240]
		add	edi, 0C0000000h
		cmp	eax, edi
		jz	short loc_642B06
		test	eax, eax
		jz	short loc_642AAB
		mov	eax, [ebp+var_1F8]
		mov	bh, dl
		mov	[ebp+var_1D6], bh
		jmp	short loc_642AF9
; 

loc_642AAB:				; CODE XREF: MiSharePages(x,x,x,x,x)+3C7j
		lea	eax, [ebp+var_278]
		mov	edx, ecx
		mov	ecx, [ebp+var_1E4]
		push	eax
		call	MiLockLowestValidPageTable
		mov	[ebp+var_240], eax
		cmp	eax, edi
		jz	short loc_642B06
		mov	ecx, [ebp+var_1E4]
		mov	edx, eax
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		and	[ebp+var_240], 0

loc_642ADD:				; CODE XREF: MiSharePages(x,x,x,x,x)+447j
					; MiSharePages(x,x,x,x,x)+488j	...
		mov	ecx, [ebp+var_1E8]
		mov	edx, ebx
		call	_MiDereferenceCombineBlock@8 ; MiDereferenceCombineBlock(x,x)

loc_642AEA:				; CODE XREF: MiSharePages(x,x,x,x,x)+7A3j
					; MiSharePages(x,x,x,x,x)+931j	...
		xor	edx, edx
		inc	edx

loc_642AED:				; CODE XREF: MiSharePages(x,x,x,x,x)+D98j
		mov	eax, [ebp+var_1DC]
		mov	bh, [ebp+var_1D6]

loc_642AF9:				; CODE XREF: MiSharePages(x,x,x,x,x)+3D7j
		mov	bl, [ebp+var_1D5]
		mov	edi, eax
		jmp	loc_64297F
; 

loc_642B06:				; CODE XREF: MiSharePages(x,x,x,x,x)+3C3j
					; MiSharePages(x,x,x,x,x)+3F5j
		mov	edx, [ebp+var_228]
		mov	ecx, [ebp+var_1E4]
		call	_MiRecheckVaVm@8 ; MiRecheckVaVm(x,x)
		test	eax, eax
		jz	short loc_642ADD
		mov	edi, [ebp+var_220]
		mov	edx, [edi]
		mov	[ebp+var_218], edx
		nop
		mov	ecx, [edi+4]
		mov	eax, edx
		and	eax, 1
		mov	[ebp+var_29C], edx
		or	eax, 0
		mov	[ebp+var_298], ecx
		jz	loc_642BE7
		nop
		mov	edi, edx
		shrd	edi, ecx, 0Ch
		and	edi, 1FFFFFFh
		cmp	edi, ds:dword_6D07B0
		ja	short loc_642ADD
		mov	eax, ds:dword_6D35B8
		mov	edx, edi
		shr	edx, 5
		mov	ecx, edi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		xor	ecx, ecx
		inc	ecx
		and	eax, ecx
		jz	loc_642ADD
		imul	eax, edi, 1Ch
		add	eax, ds:_MmPfnDatabase
		and	[ebp+var_27C], 0
		mov	[ebp+var_1FC], eax
		lea	edi, [eax+10h]
		jmp	short loc_642BA6
; 

loc_642B96:				; CODE XREF: MiSharePages(x,x,x,x,x)+4D2j
					; MiSharePages(x,x,x,x,x)+4D9j
		lea	ecx, [ebp+var_27C]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_642B96

loc_642BA6:				; CODE XREF: MiSharePages(x,x,x,x,x)+4C2j
		lock bts dword ptr [edi], 1Fh
		jb	short loc_642B96
		mov	edi, [ebp+var_1FC]

loc_642BB3:				; CODE XREF: MiSharePages(x,x,x,x,x)+548j
		mov	edx, [ebp+var_244]
		mov	ecx, [ebp+var_214]
		push	edi
		call	_MiCombineCandidate@12 ; MiCombineCandidate(x,x,x)
		mov	ecx, eax
		lea	eax, [edi+10h]
		mov	[ebp+var_21C], ecx
		mov	[ebp+var_1F0], eax
		test	ecx, ecx
		jnz	short loc_642C21
		mov	ecx, 7FFFFFFFh

loc_642BDF:				; CODE XREF: MiSharePages(x,x,x,x,x)+5B4j
		lock and [eax],	ecx
		jmp	loc_642ADD
; 

loc_642BE7:				; CODE XREF: MiSharePages(x,x,x,x,x)+46Fj
		mov	eax, edx
		and	eax, 400h
		or	eax, 0
		jnz	loc_642ADD
		mov	eax, edx
		and	eax, 800h
		or	eax, 0
		jz	loc_642ADD
		xor	edx, edx
		mov	ecx, edi
		call	_MiLockTransitionLeafPage@8 ; MiLockTransitionLeafPage(x,x)
		mov	edi, eax
		mov	[ebp+var_1FC], edi
		test	edi, edi
		jnz	short loc_642BB3
		jmp	loc_642ADD
; 

loc_642C21:				; CODE XREF: MiSharePages(x,x,x,x,x)+506j
		mov	al, [edi+16h]
		mov	ecx, [edi+8]
		and	al, 7
		mov	[ebp+var_1DD], al
		mov	eax, [edi+0Ch]
		shrd	ecx, eax, 5
		push	1Ch
		and	ecx, 1Fh
		mov	[ebp+var_238], 3
		mov	[ebp+var_200], ecx
		mov	ecx, [ebp+var_1F8]
		mov	eax, [ecx+10h]
		mov	[ebp+var_20C], eax
		mov	eax, [ecx+14h]
		mov	[ebp+var_208], eax
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	MiSearchNumaNodeTable
		mov	ecx, 7FFFFFFFh
		cmp	[eax+4], esi
		jz	short loc_642C8B
		mov	eax, [ebp+var_1F0]
		jmp	loc_642BDF
; 

loc_642C8B:				; CODE XREF: MiSharePages(x,x,x,x,x)+5ACj
		mov	[ebp+var_1E9], 0
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		cmp	[ebp+var_1DD], 6
		jnz	loc_64319D
		mov	eax, [edi+4]
		or	eax, 80000000h
		cmp	[ebp+var_220], eax
		jnz	loc_642ADD
		mov	ecx, edi
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	loc_642ADD
		mov	eax, [edi+18h]
		test	eax, (offset loc_7FFFFF+1)
		jnz	loc_642ADD
		test	byte ptr [edi+17h], 8
		jnz	loc_642ADD
		and	eax, offset loc_7FFFFF
		cmp	eax, (offset loc_7FFFFA+3)
		jz	loc_642ADD
		mov	edx, [ebp+var_228]
		mov	ecx, [ebp+var_1E4]
		call	MiLocateWsle
		mov	al, [eax]
		and	al, 0Fh
		cmp	al, 8
		jz	loc_642ADD
		xor	eax, eax
		inc	eax
		cmp	[edi+14h], ax
		jnz	loc_642ADD
		xor	edi, edi
		cmp	[ebp+var_21C], eax
		jnz	short loc_642D5F
		mov	ecx, [ebp+var_228]
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_642ADD
		mov	ecx, [edi+1Ch]
		shr	ecx, 12h
		and	ecx, 3
		cmp	ds:_MiVadPageSizes[ecx*4], 10h
		jz	loc_642ADD
		mov	ecx, edi
		call	_MiVadSupportsPrivateCommit@4 ;	MiVadSupportsPrivateCommit(x)
		test	eax, eax
		jz	loc_642ADD

loc_642D5F:				; CODE XREF: MiSharePages(x,x,x,x,x)+650j
		mov	ecx, [ebp+var_1FC]
		mov	edx, [ecx+8]
		mov	eax, [ecx+0Ch]
		shrd	edx, eax, 5
		and	edx, 1Fh
		mov	[ebp+var_200], edx
		cmp	edx, [ebp+var_258]
		jnz	loc_642ADD
		mov	edx, [ebp+var_218]
		mov	eax, edx
		and	eax, 42h
		or	eax, 0
		jz	short loc_642E10
		cmp	[ebp+var_24C], 8
		jnb	short loc_642DA5
		lea	edi, [ebp+var_40]
		jmp	loc_642E51
; 

loc_642DA5:				; CODE XREF: MiSharePages(x,x,x,x,x)+6C9j
		mov	edx, edi
		mov	edi, [ebp+var_220]
		mov	ecx, edi
		call	_MiMakeCombineCandidateClean@8 ; MiMakeCombineCandidateClean(x,x)
		mov	eax, [ebp+var_25C]
		xor	ecx, ecx
		mov	edx, [ebp+var_228]
		mov	[ebp+var_124], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_118], ecx
		push	ecx
		mov	[ebp+var_120], cx
		mov	[ebp+var_114], ecx
		mov	[ebp+var_110], ecx
		lea	ecx, [ebp+var_124]
		push	eax
		mov	[ebp+var_11C], eax
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [ebp+var_124]
		call	MiFlushTbList
		mov	ecx, [ebp+var_1FC]
		mov	eax, [ebp+var_224]
		jmp	short loc_642E80
; 

loc_642E10:				; CODE XREF: MiSharePages(x,x,x,x,x)+6C0j
		mov	eax, [ebp+var_224]
		cmp	eax, ds:dword_6D3500
		jnz	loc_642F5D
		mov	edi, [ebp+var_210]
		cmp	edi, ds:dword_6D3504
		jnz	loc_642F5D
		test	byte ptr [ebp+var_200],	18h
		jnz	short loc_642E7A
		and	edx, 20h
		or	edx, 0
		jz	short loc_642E7A
		cmp	[ebp+var_24C], 3
		jnb	short loc_642E7A
		lea	edi, [ebp+var_20]

loc_642E51:				; CODE XREF: MiSharePages(x,x,x,x,x)+6CEj
		mov	edx, [ebp+var_228]
		xor	eax, eax
		mov	ecx, [ebp+var_230]
		inc	eax
		push	0
		push	eax
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	ecx, [ebp+var_1F8]
		mov	eax, [edi]
		mov	[edi], ecx
		mov	[ecx+0Ch], eax
		jmp	loc_642AEA
; 

loc_642E7A:				; CODE XREF: MiSharePages(x,x,x,x,x)+769j
					; MiSharePages(x,x,x,x,x)+771j	...
		mov	edi, [ebp+var_220]

loc_642E80:				; CODE XREF: MiSharePages(x,x,x,x,x)+73Cj
		cmp	eax, ds:dword_6D3500
		jnz	loc_642F5D
		mov	eax, [ebp+var_210]
		cmp	eax, ds:dword_6D3504
		jnz	loc_642F5D
		mov	edx, ecx
		mov	ecx, [ebp+var_1E4]
		push	edi
		call	_MiPageMightBeZero@12 ;	MiPageMightBeZero(x,x,x)
		test	eax, eax
		jz	loc_642F5D
		and	[ebp+var_280], 0
		mov	edi, [ebp+var_1F0]
		jmp	short loc_642ED3
; 

loc_642EC3:				; CODE XREF: MiSharePages(x,x,x,x,x)+7FFj
					; MiSharePages(x,x,x,x,x)+806j
		lea	ecx, [ebp+var_280]
		call	KeYieldProcessorEx
		cmp	dword ptr [edi], 0
		jl	short loc_642EC3

loc_642ED3:				; CODE XREF: MiSharePages(x,x,x,x,x)+7EFj
		lock bts dword ptr [edi], 1Fh
		jb	short loc_642EC3
		mov	ecx, [ebp+var_1FC]
		call	_MiConfirmPageIsZero@4 ; MiConfirmPageIsZero(x)
		mov	ecx, 7FFFFFFFh
		lock and [edi],	ecx
		test	eax, eax
		jz	short loc_642F5D
		mov	eax, [ebp+var_25C]
		xor	ecx, ecx
		mov	edx, [ebp+var_228]
		mov	[ebp+var_124], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_118], ecx
		push	ecx
		mov	[ebp+var_114], ecx
		mov	[ebp+var_110], ecx
		lea	ecx, [ebp+var_124]
		push	eax
		mov	[ebp+var_120], 4
		mov	[ebp+var_11C], eax
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	ecx, [ebp+var_1E4]
		lea	edx, [ebp+var_124]
		push	0
		call	MiFreeWsleList
		mov	eax, [ebp+var_254]
		inc	[ebp+var_22C]
		inc	dword ptr [eax+4]
		jmp	loc_642ADD
; 

loc_642F5D:				; CODE XREF: MiSharePages(x,x,x,x,x)+74Aj
					; MiSharePages(x,x,x,x,x)+75Cj	...
		test	byte ptr [ebp+var_200],	18h
		mov	al, [ebp+var_1D5]
		mov	[ebp+var_1D5], al
		jz	short loc_642F7B
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1D5], al

loc_642F7B:				; CODE XREF: MiSharePages(x,x,x,x,x)+89Ej
		mov	ecx, [ebp+var_20C]
		mov	edi, [ebp+var_208]
		cmp	ecx, ds:dword_6D2F90
		jnz	short loc_642F97
		cmp	edi, ds:dword_6D2F94
		jz	short loc_642FDF

loc_642F97:				; CODE XREF: MiSharePages(x,x,x,x,x)+8BBj
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_21C], eax
		jnz	short loc_642FDF
		mov	edx, [ebp+var_1E4]
		mov	ecx, eax
		call	_MiGetCombineDomain@8 ;	MiGetCombineDomain(x,x)
		cmp	[ebp+var_20C], eax
		jnz	loc_642ADD
		mov	edi, [ebp+var_208]
		cmp	edi, edx
		jnz	loc_642ADD
		mov	eax, [ebp+var_23C]
		test	dword ptr [eax+494h], 1000h
		jnz	loc_642ADD

loc_642FDF:				; CODE XREF: MiSharePages(x,x,x,x,x)+8C3j
					; MiSharePages(x,x,x,x,x)+8CEj
		or	[ebp+var_1F0], 0FFFFFFFFh
		test	ebx, ebx
		jnz	loc_643118
		mov	ebx, [ebp+var_228]
		mov	ecx, ebx
		call	_MiComputeHash64@4 ; MiComputeHash64(x)
		mov	ecx, [ebp+var_224]
		cmp	eax, ecx
		jnz	loc_642AEA
		cmp	edx, [ebp+var_210]
		jnz	loc_642AEA
		mov	eax, [ebp+var_20C]
		cmp	eax, ds:dword_6D2F90
		jnz	short loc_64304D
		cmp	edi, ds:dword_6D2F94
		jnz	short loc_64304D
		push	[ebp+var_210]
		mov	edx, ebx
		push	ecx
		mov	ecx, [ebp+var_234]
		call	_MiHashIsCommon@16 ; MiHashIsCommon(x,x,x,x)
		test	eax, eax
		jz	loc_642AEA
		mov	ecx, [ebp+var_224]

loc_64304D:				; CODE XREF: MiSharePages(x,x,x,x,x)+94Fj
					; MiSharePages(x,x,x,x,x)+957j
		mov	edx, [ebp+var_200]
		lea	eax, [ebp+var_20C]
		push	0
		push	eax
		push	[ebp+var_210]
		push	ecx
		mov	ecx, [ebp+var_214]
		call	_MiAllocateCombineProto@24 ; MiAllocateCombineProto(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_64310F
		mov	edi, [ebp+var_1E8]
		mov	ebx, [edi]
		cmp	ebx, edi
		jz	loc_642AEA
		mov	eax, [ebx]
		cmp	[ebx+4], edi
		jnz	loc_643780
		cmp	[eax+4], ebx
		jnz	loc_643780
		mov	ecx, [ebp+var_200]
		mov	[edi], eax
		mov	[eax+4], edi
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		mov	ecx, [ebp+var_234]
		mov	[ebp+var_238], eax
		mov	edx, [ecx+eax*4+24h]
		test	edx, edx
		jz	short loc_6430F5
		mov	ecx, [edx+18h]
		cmp	ecx, [edx+14h]
		jnb	short loc_6430F5
		mov	eax, [ebx+1Ch]
		and	eax, 0FFFFFFE0h
		or	eax, [ebp+var_200]
		mov	[ebx+1Ch], eax
		mov	eax, [ebp+var_20C]
		mov	[ebx+28h], eax
		mov	eax, [ebp+var_208]
		mov	[ebx+2Ch], eax
		mov	eax, [edx+18h]
		shr	eax, 0Ch
		mov	edi, [edx+eax*4+1Ch]
		jmp	short loc_64311E
; 

loc_6430F5:				; CODE XREF: MiSharePages(x,x,x,x,x)+9ECj
					; MiSharePages(x,x,x,x,x)+9F4j
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	loc_643780
		mov	[ebx], eax
		mov	[ebx+4], edi
		mov	[eax+4], ebx
		mov	[edi], ebx
		jmp	loc_642AEA
; 

loc_64310F:				; CODE XREF: MiSharePages(x,x,x,x,x)+9A0j
		mov	eax, [ebp+var_1F8]
		mov	[eax+18h], ebx

loc_643118:				; CODE XREF: MiSharePages(x,x,x,x,x)+916j
		mov	edi, [ebp+var_1F0]

loc_64311E:				; CODE XREF: MiSharePages(x,x,x,x,x)+A21j
		mov	edx, [ebp+var_220]
		mov	ecx, [ebp+var_1E4]
		push	edi
		push	[ebp+var_230]
		push	[ebp+var_214]
		push	[ebp+var_244]
		push	ebx
		call	_MiConvertPrivateToProto@28 ; MiConvertPrivateToProto(x,x,x,x,x,x,x)
		mov	[ebp+var_218], eax
		test	eax, eax
		jz	loc_642ADD
		mov	ecx, [ebp+var_254]
		inc	dword ptr [ecx+4]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_643178
		mov	edx, [ebp+var_238]
		mov	ecx, [ebp+var_234]
		call	_MiIncrementCombineMdl@8 ; MiIncrementCombineMdl(x,x)
		mov	eax, [ebp+var_218]
		jmp	short loc_643180
; 

loc_643178:				; CODE XREF: MiSharePages(x,x,x,x,x)+A8Bj
		xor	ebx, ebx
		inc	[ebp+var_22C]

loc_643180:				; CODE XREF: MiSharePages(x,x,x,x,x)+AA4j
		mov	ecx, [ebp+var_1F8]
		cmp	edi, 0FFFFFFFFh
		mov	[ecx+8], eax
		mov	eax, [ebp+var_80]
		mov	[ecx+0Ch], eax
		setnz	al
		mov	[ebp+var_80], ecx
		jmp	loc_643465
; 

loc_64319D:				; CODE XREF: MiSharePages(x,x,x,x,x)+5CDj
		xor	eax, eax
		mov	[ebp+var_1DD], 0
		mov	ecx, offset dword_6D35E0
		lea	edx, [eax+1]
		call	MiReservePtes
		mov	ecx, [ebp+var_20C]
		mov	[ebp+var_1FC], eax
		cmp	ecx, ds:dword_6D2F90
		jnz	short loc_6431D5
		mov	ecx, [ebp+var_208]
		cmp	ecx, ds:dword_6D2F94
		jz	short loc_643226

loc_6431D5:				; CODE XREF: MiSharePages(x,x,x,x,x)+AF3j
		mov	ecx, [ebp+var_21C]
		xor	edx, edx
		inc	edx
		cmp	ecx, edx
		jnz	short loc_64322C
		mov	edx, [ebp+var_1E4]
		xor	eax, eax
		lea	ecx, [eax+1]
		call	_MiGetCombineDomain@8 ;	MiGetCombineDomain(x,x)
		cmp	[ebp+var_20C], eax
		jnz	loc_642ADD
		cmp	[ebp+var_208], edx
		jnz	loc_642ADD
		mov	eax, [ebp+var_23C]
		test	dword ptr [eax+494h], 1000h
		jnz	loc_642ADD
		mov	eax, [ebp+var_1FC]

loc_643226:				; CODE XREF: MiSharePages(x,x,x,x,x)+B01j
		mov	ecx, [ebp+var_21C]

loc_64322C:				; CODE XREF: MiSharePages(x,x,x,x,x)+B0Ej
		test	eax, eax
		jz	loc_642ADD
		mov	edx, [ebp+var_248]
		mov	[edx+24h], eax
		xor	eax, eax
		inc	eax
		mov	[edx+20h], edi
		push	eax
		push	ecx
		push	[ebp+var_244]
		mov	ecx, [ebp+var_214]
		call	_MiMapArbitraryPage@20 ; MiMapArbitraryPage(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_643271
		mov	edx, [ebp+var_1FC]
		inc	eax
		push	eax
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		jmp	loc_642ADD
; 

loc_643271:				; CODE XREF: MiSharePages(x,x,x,x,x)+B86j
		mov	al, [ebp+var_1D5]
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_1D5], al
		test	byte ptr [ebp+var_200],	18h
		jz	short loc_64328F
		mov	[ebp+var_1D5], cl

loc_64328F:				; CODE XREF: MiSharePages(x,x,x,x,x)+BB5j
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_21C], eax
		test	ebx, ebx
		jnz	loc_6433CA
		mov	eax, [ebp+var_20C]
		cmp	eax, ds:dword_6D2F90
		jnz	short loc_6432C0
		mov	eax, [ebp+var_208]
		cmp	eax, ds:dword_6D2F94
		jnz	short loc_6432C0
		mov	eax, ecx
		jmp	short loc_6432C2
; 

loc_6432C0:				; CODE XREF: MiSharePages(x,x,x,x,x)+BDAj
					; MiSharePages(x,x,x,x,x)+BE8j
		xor	eax, eax

loc_6432C2:				; CODE XREF: MiSharePages(x,x,x,x,x)+BECj
		mov	edx, [ebp+var_248]
		lea	ecx, [ebp+var_2BC]
		push	ecx
		mov	ecx, [ebp+var_234]
		push	eax
		call	_MiPerformCombineScan@16 ; MiPerformCombineScan(x,x,x,x)
		test	eax, eax
		jz	loc_643433
		mov	eax, [ebp+var_224]
		cmp	[ebp+var_2BC], eax
		jnz	loc_643433
		mov	ecx, [ebp+var_210]
		cmp	[ebp+var_2B8], ecx
		jnz	loc_643433
		push	0
		lea	edx, [ebp+var_20C]
		push	edx
		mov	edx, [ebp+var_200]
		push	ecx
		mov	ecx, [ebp+var_214]
		push	eax
		call	_MiAllocateCombineProto@24 ; MiAllocateCombineProto(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_6433BB
		mov	ecx, [ebp+var_1E8]
		mov	ebx, [ecx]
		cmp	ebx, ecx
		jnz	short loc_643340
		xor	ebx, ebx
		jmp	loc_643433
; 

loc_643340:				; CODE XREF: MiSharePages(x,x,x,x,x)+C65j
		mov	eax, [ebx]
		cmp	[ebx+4], ecx
		jnz	loc_643780
		cmp	[eax+4], ebx
		jnz	loc_643780
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, [ebp+var_200]
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		mov	ecx, [ebp+var_234]
		mov	[ebp+var_238], eax
		mov	ecx, [ecx+eax*4+24h]
		test	ecx, ecx
		jz	loc_643433
		mov	eax, [ecx+18h]
		cmp	eax, [ecx+14h]
		jnb	loc_643433
		mov	eax, [ebx+1Ch]
		and	eax, 0FFFFFFE0h
		or	eax, [ebp+var_200]
		mov	[ebx+1Ch], eax
		mov	eax, [ebp+var_20C]
		mov	[ebx+28h], eax
		mov	eax, [ebp+var_208]
		mov	[ebx+2Ch], eax
		mov	eax, [ecx+18h]
		shr	eax, 0Ch
		mov	eax, [ecx+eax*4+1Ch]
		mov	[ebp+var_21C], eax
		jmp	short loc_6433CA
; 

loc_6433BB:				; CODE XREF: MiSharePages(x,x,x,x,x)+C55j
		mov	eax, [ebp+var_1F8]
		mov	[eax+18h], ebx
		mov	eax, [ebp+var_21C]

loc_6433CA:				; CODE XREF: MiSharePages(x,x,x,x,x)+BC8j
					; MiSharePages(x,x,x,x,x)+CE7j
		mov	edx, [ebp+var_214]
		mov	ecx, [ebp+var_1E4]
		push	eax
		push	[ebp+var_220]
		push	edi
		push	ebx
		push	[ebp+var_244]
		push	[ebp+var_248]
		call	_MiConvertStandbyToProto@32 ; MiConvertStandbyToProto(x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_643433
		mov	eax, [ebp+var_254]
		inc	dword ptr [eax+4]
		cmp	[ebp+var_21C], 0FFFFFFFFh
		jz	short loc_643422
		mov	edx, [ebp+var_238]
		mov	ecx, [ebp+var_234]
		call	_MiIncrementCombineMdl@8 ; MiIncrementCombineMdl(x,x)
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1E9], al
		jmp	short loc_64342D
; 

loc_643422:				; CODE XREF: MiSharePages(x,x,x,x,x)+D32j
		xor	eax, eax
		xor	ebx, ebx
		inc	eax
		inc	[ebp+var_22C]

loc_64342D:				; CODE XREF: MiSharePages(x,x,x,x,x)+D4Ej
		mov	[ebp+var_1DD], al

loc_643433:				; CODE XREF: MiSharePages(x,x,x,x,x)+C0Bj
					; MiSharePages(x,x,x,x,x)+C1Dj	...
		mov	ecx, [ebp+var_248]
		call	_MiReleaseArbitraryPage@4 ; MiReleaseArbitraryPage(x)
		mov	edx, [ebp+var_1FC]
		xor	eax, eax
		inc	eax
		mov	ecx, offset dword_6D35E0
		push	eax
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		cmp	[ebp+var_1DD], 0
		jz	loc_642ADD
		mov	al, [ebp+var_1E9]

loc_643465:				; CODE XREF: MiSharePages(x,x,x,x,x)+AC6j
		xor	edx, edx
		inc	edx
		cmp	al, dl
		jnz	loc_642AED
		mov	eax, [ebp+var_224]
		mov	edi, eax
		mov	ecx, [ebp+var_210]
		and	edi, 0Fh
		mov	[ebx+10h], eax
		mov	[ebp+var_294], eax
		mov	eax, [ebx+1Ch]
		and	eax, 1Fh
		mov	[ebx+14h], ecx
		mov	[ebp+var_218], eax
		mov	[ebp+var_28C], eax
		lea	eax, [ebx+28h]
		mov	[ebp+var_288], eax
		mov	eax, [ebp+var_214]
		mov	[ebp+var_290], ecx
		lea	eax, [eax+edi*8]
		add	eax, 34h
		push	eax
		mov	[ebp+var_238], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+var_214]
		add	ecx, 30h
		mov	[ebp+var_1E9], al
		mov	byte ptr [ebp+var_260],	0
		lea	ecx, [ecx+edi*8]
		mov	[ebp+var_258], ecx
		mov	ecx, [ecx]
		test	ecx, ecx
		jz	loc_643580

loc_6434EF:				; CODE XREF: MiSharePages(x,x,x,x,x)+EA0j
		mov	eax, [ecx+14h]
		mov	edx, [ecx+10h]
		cmp	[ebp+var_210], eax
		ja	short loc_643569
		mov	edi, [ebp+var_224]
		jb	short loc_64355B
		cmp	edi, edx
		ja	short loc_643569
		cmp	[ebp+var_210], eax
		jb	short loc_64355B
		ja	short loc_643517
		cmp	edi, edx
		jb	short loc_64355B

loc_643517:				; CODE XREF: MiSharePages(x,x,x,x,x)+E3Fj
		mov	eax, [ecx+1Ch]
		and	eax, 1Fh
		cmp	[ebp+var_218], eax
		ja	short loc_643569
		jb	short loc_64355B
		lea	eax, [ebx+28h]
		test	eax, eax
		jz	short loc_643569
		mov	edx, [ecx+28h]
		mov	edi, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_1F0], edx
		mov	edx, [ecx+2Ch]
		cmp	eax, edx
		ja	short loc_643569
		jb	short loc_64355B
		cmp	edi, [ebp+var_1F0]
		ja	short loc_643569
		cmp	eax, edx
		ja	short loc_643569
		jb	short loc_64355B
		cmp	edi, [ebp+var_1F0]
		jnb	short loc_643569

loc_64355B:				; CODE XREF: MiSharePages(x,x,x,x,x)+E31j
					; MiSharePages(x,x,x,x,x)+E3Dj	...
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_643570
		mov	byte ptr [ebp+var_260],	al
		jmp	short loc_643580
; 

loc_643569:				; CODE XREF: MiSharePages(x,x,x,x,x)+E29j
					; MiSharePages(x,x,x,x,x)+E35j	...
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_643577

loc_643570:				; CODE XREF: MiSharePages(x,x,x,x,x)+E8Dj
		mov	ecx, eax
		jmp	loc_6434EF
; 

loc_643577:				; CODE XREF: MiSharePages(x,x,x,x,x)+E9Cj
		xor	eax, eax
		inc	eax
		mov	byte ptr [ebp+var_260],	al

loc_643580:				; CODE XREF: MiSharePages(x,x,x,x,x)+E17j
					; MiSharePages(x,x,x,x,x)+E95j
		push	ebx
		push	[ebp+var_260]
		push	ecx
		push	[ebp+var_258]
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		push	[ebp+var_238]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1E9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_642AEA
; 

loc_6435AF:				; CODE XREF: MiSharePages(x,x,x,x,x)+344j
		inc	[ebp+var_24C]

loc_6435B5:				; CODE XREF: MiSharePages(x,x,x,x,x)+34Cj
		push	2
		lea	ebx, [ebp+var_40]
		pop	esi
		mov	[ebp+var_1F0], ebx

loc_6435C1:				; CODE XREF: MiSharePages(x,x,x,x,x)+F6Ej
		mov	edi, [ebx]
		test	edi, edi
		jz	short loc_64362A
		mov	ebx, [ebp+var_1F8]

loc_6435CD:				; CODE XREF: MiSharePages(x,x,x,x,x)+F4Aj
		mov	eax, [edi+0Ch]
		mov	edx, ecx
		mov	ecx, [ebp+var_214]
		push	esi
		push	edi
		push	[ebp+var_244]
		mov	[ebp+var_218], eax
		call	_MiCrcStillIntact@20 ; MiCrcStillIntact(x,x,x,x,x)
		test	eax, eax
		jz	short loc_6435F6
		mov	[edi+0Ch], ebx
		mov	ebx, edi
		jmp	short loc_64360C
; 

loc_6435F6:				; CODE XREF: MiSharePages(x,x,x,x,x)+F1Bj
		mov	edx, [edi+18h]
		cmp	edx, 100h
		jb	short loc_64360C
		mov	ecx, [ebp+var_1E8]
		call	_MiDereferenceCombineBlock@8 ; MiDereferenceCombineBlock(x,x)

loc_64360C:				; CODE XREF: MiSharePages(x,x,x,x,x)+F22j
					; MiSharePages(x,x,x,x,x)+F2Dj
		mov	eax, [ebp+var_218]
		mov	edi, eax
		mov	ecx, [ebp+var_1E4]
		test	eax, eax
		jnz	short loc_6435CD
		mov	[ebp+var_1F8], ebx
		mov	ebx, [ebp+var_1F0]

loc_64362A:				; CODE XREF: MiSharePages(x,x,x,x,x)+EF3j
		and	dword ptr [ebx], 0
		inc	esi
		mov	ecx, [ebp+var_1E4]
		add	ebx, 20h
		mov	[ebp+var_1F0], ebx
		cmp	esi, 3
		jle	loc_6435C1
		mov	ecx, [ebp+var_230]
		mov	esi, [ebp+arg_8]
		call	MiFlushTbList
		mov	eax, [ebp+var_240]
		test	eax, eax
		jz	short loc_64366B
		mov	ecx, [ebp+var_1E4]
		mov	edx, eax
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)

loc_64366B:				; CODE XREF: MiSharePages(x,x,x,x,x)+F8Aj
		mov	dl, [ebp+var_1F1]
		mov	ecx, [ebp+var_1E4]
		call	MiUnlockWorkingSetShared
		mov	eax, [ebp+var_80]
		test	eax, eax
		jz	short loc_6436C1
		mov	esi, eax

loc_643685:				; CODE XREF: MiSharePages(x,x,x,x,x)+FEAj
		mov	edi, [esi+8]
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, [edi+16h]
		mov	bl, al
		and	cl, 0FEh
		or	cl, 6
		mov	[edi+16h], cl
		mov	ecx, edi
		call	MiDecrementShareCount
		lea	ecx, [edi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [esi+0Ch]
		test	esi, esi
		jnz	short loc_643685
		mov	esi, [ebp+arg_8]

loc_6436C1:				; CODE XREF: MiSharePages(x,x,x,x,x)+FAFj
		mov	edi, [ebp+var_1F8]
		test	edi, edi
		jz	short loc_6436F2
		mov	eax, [ebp+var_250]
		xor	edx, edx
		mov	[ebp+var_80], edx
		mov	[ebp+var_250], eax
		jmp	loc_64290D
; 

loc_6436E1:				; CODE XREF: MiSharePages(x,x,x,x,x)+285j
					; MiSharePages(x,x,x,x,x)+295j	...
		mov	dl, [ebp+var_1F1]
		mov	ecx, [ebp+var_1E4]
		call	MiUnlockWorkingSetShared

loc_6436F2:				; CODE XREF: MiSharePages(x,x,x,x,x)+FF7j
		mov	ecx, [ebp+var_270]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ebx, [ebp+var_23C]

loc_643703:				; CODE XREF: MiSharePages(x,x,x,x,x)+20Dj
		test	edi, edi
		jz	short loc_643726

loc_643707:				; CODE XREF: MiSharePages(x,x,x,x,x)+1052j
		mov	edx, [edi+18h]
		mov	esi, [edi+0Ch]
		cmp	edx, 100h
		jb	short loc_643720
		mov	ecx, [ebp+var_1E8]
		call	_MiDereferenceCombineBlock@8 ; MiDereferenceCombineBlock(x,x)

loc_643720:				; CODE XREF: MiSharePages(x,x,x,x,x)+1041j
		mov	edi, esi
		test	esi, esi
		jnz	short loc_643707

loc_643726:				; CODE XREF: MiSharePages(x,x,x,x,x)+1033j
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_274], eax
		jnz	short loc_643749
		xor	edx, edx
		lea	ecx, [ebp+var_13C]
		call	_KeForceDetachProcess@8	; KeForceDetachProcess(x,x)
		lea	ecx, [ebx+240h]
		call	MiAttachThreadDone

loc_643749:				; CODE XREF: MiSharePages(x,x,x,x,x)+105Dj
		mov	eax, [ebp+var_230]
		lea	ecx, [ebp+var_1D4]
		cmp	eax, ecx
		jz	short loc_643761
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_643761:				; CODE XREF: MiSharePages(x,x,x,x,x)+1085j
		mov	eax, [ebp+var_254]
		mov	ecx, [ebp+var_22C]
		pop	edi
		pop	esi
		add	[eax], ecx
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_643780:				; CODE XREF: MiSharePages(x,x,x,x,x)+9BBj
					; MiSharePages(x,x,x,x,x)+9C4j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall MiValidCombineProtection(x)
_MiValidCombineProtection@4:		; CODE XREF: MiCombineCandidate(x,x,x)+DBp
					; MiProcessCrcList(x,x,x,x)+FCp
		cmp	ecx, 18h
		jz	short loc_6437A2
		cmp	ecx, 1Fh
		jz	short loc_6437A2
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jz	short loc_6437A2
		cmp	ecx, 1Eh
		jnb	short loc_6437A2
		xor	eax, eax
		inc	eax
		retn
; 

loc_6437A2:				; CODE XREF: MiSharePages(x,x,x,x,x)+10B6j
					; MiSharePages(x,x,x,x,x)+10BBj ...
		xor	eax, eax
		retn
_MiSharePages@20 endp ;	sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiComparePageHash(x, x, x)
_MiComparePageHash@12 proc near		; CODE XREF: MiValidatePagefilePageHash+8FAE3p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		lea	eax, [esi+88h]
		push	eax
		mov	[ebp+var_8], eax
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al
		mov	eax, [esi+80h]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		lea	esi, [eax+edi*4]
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	ecx, [eax-40000000h]
		nop
		mov	edi, [eax-3FFFFFFCh]
		mov	eax, ecx
		and	eax, 1
		mov	[ebp+var_10], ecx
		or	eax, ebx
		mov	[ebp+var_C], edi
		jz	short loc_64382F
		mov	edx, [ebp+arg_0]
		cmp	[esi], edx
		jz	short loc_64382F
		nop
		mov	eax, ds:_MmPfnDatabase
		shrd	ecx, edi, 0Ch
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		test	byte ptr [ecx+eax+16h],	10h
		jnz	short loc_643822
		mov	[esi], edx
		jmp	short loc_64382F
; 

loc_643822:				; CODE XREF: MiComparePageHash(x,x,x)+77j
		cmp	ds:byte_6D31C0,	bl
		jnz	short loc_64382F
		mov	ebx, 0C000003Fh

loc_64382F:				; CODE XREF: MiComparePageHash(x,x,x)+56j
					; MiComparePageHash(x,x,x)+5Dj	...
		push	[ebp+var_8]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_MiComparePageHash@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiReleasePageHash(x, x)
_MiReleasePageHash@8 proc near		; CODE XREF: MiDeletePagefile(x,x)+4Bp
		mov	edi, edi
		push	esi
		push	edi
		mov	eax, edx
		xor	edi, edi
		push	4
		pop	edx
		mul	edx
		mov	esi, eax
		and	esi, 0FFFh
		or	esi, edi
		jz	short loc_643863
		inc	edi

loc_643863:				; CODE XREF: MiReleasePageHash(x,x)+17j
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		shrd	eax, edx, 0Ch
		add	eax, edi
		lea	edx, [ecx-40000000h]
		mov	ecx, offset dword_6D35E0
		push	eax
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		pop	edi
		pop	esi
		retn
_MiReleasePageHash@8 endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateLargePfnList(x, x, x, x, x)
_MiCreateLargePfnList@20 proc near	; CODE XREF: .text:00463206p
					; MiMapUserLargePages(x,x,x)+5Fp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edx
		mov	[ebp+var_10], ecx
		test	esi, esi
		jz	short loc_6438A9
		mov	eax, [esi]
		mov	ebx, eax
		mov	[ebp+var_8], eax
		jmp	short loc_6438B1
; 

loc_6438A9:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+18j
		mov	[ebp+var_8], edi
		mov	ebx, offset _MiSystemPartition

loc_6438B1:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+21j
		xor	eax, eax
		test	esi, esi
		setnz	al
		mov	[ebp+arg_4], eax
		call	_MiComputePreferredNode@4 ; MiComputePreferredNode(x)
		mov	esi, eax
		cmp	[ebp+var_8], edi
		jz	short loc_6438EA
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	edi
		call	MiChargeCommit
		test	eax, eax
		jnz	short loc_6438E6
		mov	eax, [ebp+arg_4]
		mov	edi, 0C000012Dh
		mov	esi, [ebp+var_4]
		jmp	loc_643A13
; 

loc_6438E6:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+4Ej
		or	[ebp+arg_4], 2

loc_6438EA:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+3Fj
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	edi
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jnz	short loc_643909
		mov	eax, [ebp+arg_4]
		mov	edi, 0C000009Ah
		mov	esi, [ebp+var_4]
		jmp	loc_643A16
; 

loc_643909:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+71j
		mov	eax, [ebp+var_10]
		movzx	edx, ds:_KeNumberNodes
		or	[ebp+arg_4], 4
		mov	ecx, edx
		imul	ecx, esi
		mov	eax, [eax+1Ch]
		mov	[ebp+var_8], eax
		shr	eax, 7
		and	eax, 1Fh
		mov	eax, ds:_MmMakeProtectNotWriteCopy[eax*4]
		mov	[ebp+var_10], eax
		mov	eax, ds:dword_6D0698
		lea	eax, [eax+ecx*4]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_C], eax
		lea	eax, [eax+edx*4]
		mov	edx, ecx
		mov	[ebp+var_18], eax
		shr	edx, 12h
		and	edx, 3
		cmp	ds:_MiVadPageSizes[edx*4], 10h
		jnz	short loc_64395D
		xor	eax, eax
		inc	eax
		jmp	short loc_643976
; 

loc_64395D:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+D0j
		mov	eax, ecx
		and	eax, offset loc_500000
		cmp	eax, offset loc_500000
		jnz	short loc_643974
		mov	eax, ds:_MiVadPageIndices[edx*4]
		jmp	short loc_643976
; 

loc_643974:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+E3j
		mov	eax, edi

loc_643976:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+D5j
					; MiCreateLargePfnList(x,x,x,x,x)+ECj
		mov	edx, ds:_MiLargePageSizes[eax*4]
		and	ecx, 0D00000h
		mov	[ebp+var_1C], edx
		mov	eax, edi
		mov	[ebp+var_8], edi
		cmp	ecx, 0D00000h
		jnz	short loc_643999
		push	2
		pop	eax
		mov	[ebp+var_8], eax

loc_643999:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+10Bj
		push	eax
		push	[ebp+arg_8]
		mov	ecx, ebx
		push	[ebp+var_10]
		push	esi
		mov	esi, [ebp+var_4]
		push	edx
		mov	edx, esi
		call	_MiAllocateLargeZeroPages@28 ; MiAllocateLargeZeroPages(x,x,x,x,x,x,x)
		mov	ecx, esi
		sub	ecx, eax
		mov	[ebp+var_14], ecx
		jz	short loc_643A11
		mov	edi, [ebp+var_8]
		mov	esi, ecx

loc_6439BC:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+162j
		cmp	[ebp+arg_0], 0
		jnz	short loc_6439EA
		mov	eax, [ebp+var_C]
		add	eax, 4
		mov	[ebp+var_C], eax
		cmp	eax, [ebp+var_18]
		jz	short loc_6439EA
		mov	eax, [eax]
		mov	edx, esi
		push	edi
		push	[ebp+arg_8]
		mov	ecx, ebx
		push	[ebp+var_10]
		push	eax
		push	[ebp+var_1C]
		call	_MiAllocateLargeZeroPages@28 ; MiAllocateLargeZeroPages(x,x,x,x,x,x,x)
		sub	esi, eax
		jnz	short loc_6439BC

loc_6439EA:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+13Aj
					; MiCreateLargePfnList(x,x,x,x,x)+148j
		push	0
		test	esi, esi
		mov	esi, [ebp+var_4]
		pop	edi
		jz	short loc_643A11
		mov	edx, [ebp+arg_8]
		xor	eax, eax
		cmp	[ebp+var_8], eax
		mov	ecx, ebx
		setnz	al
		push	eax
		call	_MiFreeLargeZeroPages@12 ; MiFreeLargeZeroPages(x,x,x)
		mov	eax, [ebp+arg_4]
		mov	edi, 0C000009Ah
		jmp	short loc_643A16
; 

loc_643A11:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+12Fj
					; MiCreateLargePfnList(x,x,x,x,x)+16Cj
		mov	eax, edi

loc_643A13:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+5Bj
		mov	[ebp+arg_4], eax

loc_643A16:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+7Ej
					; MiCreateLargePfnList(x,x,x,x,x)+189j
		cmp	eax, 4
		jb	short loc_643A35
		mov	edx, esi
		mov	ecx, ebx
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_643A32
		lea	edx, [ebx+1000h]
		lock xadd [edx], eax

loc_643A32:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+1A0j
		mov	eax, [ebp+arg_4]

loc_643A35:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+193j
		test	al, 2
		jz	short loc_643A42
		mov	edx, esi
		mov	ecx, ebx
		call	MiReturnCommit

loc_643A42:				; CODE XREF: MiCreateLargePfnList(x,x,x,x,x)+1B1j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiCreateLargePfnList@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDemotePfnListChain(x, x)
_MiDemotePfnListChain@8	proc near	; CODE XREF: .text:0046393Ep
					; MiMapUserLargePages(x,x,x)+12Ap

var_5C		= dword	ptr -5Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, edx
		mov	[ebp+var_14], ecx
		push	ebx
		mov	[ebp+var_20], eax
		dec	eax
		push	esi
		mov	[ebp+var_24], eax
		push	edi

loc_643A62:				; CODE XREF: MiDemotePfnListChain(x,x)+13Ej
		mov	esi, eax
		jmp	short loc_643A6F
; 

loc_643A66:				; CODE XREF: MiDemotePfnListChain(x,x)+2Cj
		test	esi, esi
		jz	loc_643B8F
		dec	esi

loc_643A6F:				; CODE XREF: MiDemotePfnListChain(x,x)+19j
		mov	edi, [ecx+esi*4]
		mov	[ebp+var_C], edi
		test	edi, edi
		jz	short loc_643A66
		mov	eax, [edi]
		mov	ebx, ds:_MiLargePageSizes[esi*4]
		mov	[ecx+esi*4], eax
		mov	eax, ebx
		test	esi, esi
		jnz	short loc_643AB0
		push	1
		push	esi
		push	ebx
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, offset _MiSystemPartition
		mov	edx, eax
		call	MiUpdateLargePageBitMap
		mov	eax, ds:_MiLargePageSizes[esi*4]

loc_643AB0:				; CODE XREF: MiDemotePfnListChain(x,x)+3Ej
		xor	ecx, ecx
		imul	ebx, 1Ch
		inc	ecx
		xor	edx, edx
		sub	ecx, esi
		mov	[ebp+var_18], ecx
		mov	ecx, ds:dword_4102F8[esi*4]
		div	ecx
		mov	[ebp+var_10], ecx
		add	ebx, edi
		mov	cl, 2
		mov	[ebp+var_8], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		cmp	[ebp+var_8], 0
		mov	[ebp+var_1], al
		jbe	loc_643B75
		mov	edi, [ebp+var_10]
		imul	eax, edi, 1Ch
		mov	[ebp+var_1C], eax

loc_643AEC:				; CODE XREF: MiDemotePfnListChain(x,x)+121j
		sub	ebx, eax
		mov	ecx, ebx
		call	_MiLockPageAtDpc@4 ; MiLockPageAtDpc(x)
		push	7
		xor	eax, eax
		pop	ecx
		cmp	edi, 1
		jnz	short loc_643B11
		lea	edi, [ebp+var_40]
		rep stosd
		mov	eax, [ebx+18h]
		and	eax, 0FF7FFFFFh
		mov	[ebp+var_28], eax
		jmp	short loc_643B2A
; 

loc_643B11:				; CODE XREF: MiDemotePfnListChain(x,x)+B2j
		lea	edi, [ebp+var_5C]
		rep stosd
		mov	eax, [ebp+var_18]
		shl	eax, 18h
		xor	eax, [ebx+18h]
		and	eax, 3000000h
		xor	eax, [ebx+18h]
		mov	[ebp+var_44], eax

loc_643B2A:				; CODE XREF: MiDemotePfnListChain(x,x)+C4j
		mov	edi, [ebp+var_C]
		mov	[ebx+18h], eax
		cmp	ebx, edi
		jz	short loc_643B4A
		mov	al, [ebx+16h]
		and	al, 0FDh
		or	al, 5
		mov	[ebx+16h], al
		mov	eax, [edi+8]
		mov	[ebx+8], eax
		mov	eax, [edi+0Ch]
		mov	[ebx+0Ch], eax

loc_643B4A:				; CODE XREF: MiDemotePfnListChain(x,x)+E7j
		mov	ecx, 7FFFFFFFh
		lea	eax, [ebx+10h]
		lock and [eax],	ecx
		sub	[ebp+var_8], 1
		mov	ecx, [ebp+var_14]
		mov	edi, [ebp+var_10]
		mov	eax, [ecx+esi*4+4]
		mov	[ebx], eax
		mov	eax, [ebp+var_1C]
		mov	[ecx+esi*4+4], ebx
		jnz	loc_643AEC
		mov	al, [ebp+var_1]

loc_643B75:				; CODE XREF: MiDemotePfnListChain(x,x)+92j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_14]
		lea	eax, [esi+1]
		cmp	eax, [ebp+var_20]
		mov	eax, [ebp+var_24]
		jnz	loc_643A62

loc_643B8F:				; CODE XREF: MiDemotePfnListChain(x,x)+1Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiDemotePfnListChain@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMapUserLargePages(x, x, x)
_MiMapUserLargePages@12	proc near	; CODE XREF: MiReserveUserMemory+15FDB9p
					; MiCopyLargeVad(x,x,x)+6Ep

var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		stosd
		mov	ebx, ecx
		mov	[ebp+var_38], ebx
		stosd
		stosd
		mov	eax, large fs:124h
		mov	esi, [ebx+10h]
		shl	esi, 0Ch
		or	esi, 0FFFh
		mov	eax, [eax+80h]
		mov	[ebp+var_24], eax
		lea	ecx, [eax+240h]
		mov	eax, [ebx+0Ch]
		shl	eax, 0Ch
		inc	esi
		mov	[ebp+var_4], ecx
		mov	ecx, esi
		sub	ecx, eax
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_4C]
		shr	ecx, 0Ch
		push	eax
		push	[ebp+arg_0]
		mov	[ebp+var_40], ecx
		push	edx
		mov	edx, ecx
		mov	[ebp+var_20], esi
		mov	ecx, ebx
		call	_MiCreateLargePfnList@20 ; MiCreateLargePfnList(x,x,x,x,x)
		test	eax, eax
		js	loc_643E2A
		mov	edx, [ebx+1Ch]
		mov	ecx, edx
		shr	ecx, 12h
		and	ecx, 3
		cmp	ds:_MiVadPageSizes[ecx*4], 10h
		jnz	short loc_643C1A
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_643C32
; 

loc_643C1A:				; CODE XREF: MiMapUserLargePages(x,x,x)+7Fj
		mov	edi, offset loc_500000
		mov	eax, edx
		and	eax, edi
		cmp	eax, edi
		jnz	short loc_643C30
		mov	ebx, ds:_MiVadPageIndices[ecx*4]
		jmp	short loc_643C32
; 

loc_643C30:				; CODE XREF: MiMapUserLargePages(x,x,x)+91j
		xor	ebx, ebx

loc_643C32:				; CODE XREF: MiMapUserLargePages(x,x,x)+84j
					; MiMapUserLargePages(x,x,x)+9Aj
		mov	ecx, [ebp+var_28]
		shr	edx, 7
		and	edx, 1Fh
		mov	[ebp+var_18], ebx
		mov	byte ptr [ebp+arg_0+3],	21h
		mov	eax, ds:_MmMakeProtectNotWriteCopy[edx*4]
		mov	edx, ecx
		mov	[ebp+var_30], eax
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	edi, eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], eax
		mov	eax, ecx
		shr	eax, 9
		sub	eax, 40000000h
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], eax
		cmp	ecx, esi
		jnb	loc_643E05

loc_643C73:				; CODE XREF: MiMapUserLargePages(x,x,x)+24Ej
		mov	esi, ebx

loc_643C75:				; CODE XREF: MiMapUserLargePages(x,x,x)+104j
		mov	ecx, ds:_MiLargePageSizes[esi*4]
		mov	eax, edx
		xor	edx, edx
		shl	ecx, 0Ch
		div	ecx
		test	edx, edx
		mov	edx, [ebp+var_8]
		jnz	short loc_643C95
		mov	eax, [ebp+var_20]
		sub	eax, edx
		cmp	eax, ecx
		jnb	short loc_643C9C

loc_643C95:				; CODE XREF: MiMapUserLargePages(x,x,x)+F6j
		inc	esi
		cmp	esi, ebx
		jbe	short loc_643C75
		jmp	short loc_643CC3
; 

loc_643C9C:				; CODE XREF: MiMapUserLargePages(x,x,x)+FFj
		cmp	[ebp+esi*4+var_4C], 0
		mov	eax, esi
		jnz	short loc_643CB1

loc_643CA5:				; CODE XREF: MiMapUserLargePages(x,x,x)+11Bj
		inc	eax
		cmp	eax, ebx
		ja	short loc_643CB9
		cmp	[ebp+eax*4+var_4C], 0
		jz	short loc_643CA5

loc_643CB1:				; CODE XREF: MiMapUserLargePages(x,x,x)+10Fj
		cmp	eax, ebx
		ja	short loc_643CB9
		mov	esi, eax
		jmp	short loc_643CC3
; 

loc_643CB9:				; CODE XREF: MiMapUserLargePages(x,x,x)+114j
					; MiMapUserLargePages(x,x,x)+11Fj
		mov	edx, esi
		lea	ecx, [ebp+var_4C]
		call	_MiDemotePfnListChain@8	; MiDemotePfnListChain(x,x)

loc_643CC3:				; CODE XREF: MiMapUserLargePages(x,x,x)+106j
					; MiMapUserLargePages(x,x,x)+123j
		mov	ecx, [ebp+esi*4+var_4C]
		mov	[ebp+var_2C], ecx
		push	1Ch
		mov	ebx, [ebp+var_C]
		mov	eax, [ecx]
		mov	[ebp+esi*4+var_4C], eax
		mov	eax, ecx
		sub	eax, ds:_MmPfnDatabase
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, ds:_MiLargePageSizes[esi*4]
		mov	[ebp+var_34], eax
		mov	[ebp+var_3C], ecx
		cmp	esi, 1
		jnb	short loc_643D0C
		xor	ecx, ecx
		inc	ecx
		sub	ecx, esi

loc_643CF8:				; CODE XREF: MiMapUserLargePages(x,x,x)+176j
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		sub	ebx, 40000000h
		sub	ecx, 1
		jnz	short loc_643CF8

loc_643D0C:				; CODE XREF: MiMapUserLargePages(x,x,x)+15Dj
		mov	eax, [ebp+var_14]
		xor	eax, ebx
		test	eax, 0FFFFF000h
		jz	short loc_643D75
		test	edi, edi
		jz	short loc_643D2A
		mov	edx, edi
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)
		jmp	short loc_643D2D
; 

loc_643D2A:				; CODE XREF: MiMapUserLargePages(x,x,x)+186j
		mov	edi, [ebp+var_4]

loc_643D2D:				; CODE XREF: MiMapUserLargePages(x,x,x)+194j
		cmp	[ebp+var_10], 0
		mov	al, byte ptr [ebp+arg_0+3]
		jz	short loc_643D4C
		and	[ebp+var_10], 0
		cmp	al, 21h
		jz	short loc_643D50
		mov	dl, al
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	al, 21h
		mov	byte ptr [ebp+arg_0+3],	al

loc_643D4C:				; CODE XREF: MiMapUserLargePages(x,x,x)+1A0j
		cmp	al, 21h
		jnz	short loc_643D5A

loc_643D50:				; CODE XREF: MiMapUserLargePages(x,x,x)+1A8j
		mov	ecx, edi
		call	MiLockWorkingSetShared
		mov	byte ptr [ebp+arg_0+3],	al

loc_643D5A:				; CODE XREF: MiMapUserLargePages(x,x,x)+1BAj
		mov	ecx, [ebp+var_4]
		mov	edi, ebx
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		mov	edx, edi
		call	_MiLockPageTable@8 ; MiLockPageTable(x,x)

loc_643D75:				; CODE XREF: MiMapUserLargePages(x,x,x)+182j
		push	[ebp+var_24]
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_2C]
		call	_MiInitializeLargeUserBasePfn@12 ; MiInitializeLargeUserBasePfn(x,x,x)
		push	ecx
		push	[ebp+var_30]
		mov	ecx, [ebp+var_38]
		push	esi
		push	[ebp+var_34]
		mov	esi, [ebp+var_C]
		mov	edx, esi
		call	_MiInsertLargeUserMapping@24 ; MiInsertLargeUserMapping(x,x,x,x,x,x)
		mov	eax, [ebp+var_3C]
		lea	esi, [esi+eax*8]
		shl	eax, 0Ch
		add	[ebp+var_8], eax
		mov	eax, [ebp+var_1C]
		inc	eax
		mov	[ebp+var_C], esi
		mov	esi, [ebp+var_4]
		mov	[ebp+var_1C], eax
		test	al, 0Fh
		jnz	short loc_643DC0
		mov	ecx, esi
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_643DC9

loc_643DC0:				; CODE XREF: MiMapUserLargePages(x,x,x)+21Fj
		call	_MiShouldYieldProcessor@0 ; MiShouldYieldProcessor()
		test	eax, eax
		jz	short loc_643DD6

loc_643DC9:				; CODE XREF: MiMapUserLargePages(x,x,x)+22Aj
		and	[ebp+var_14], 0
		mov	[ebp+var_10], 1
		jmp	short loc_643DD9
; 

loc_643DD6:				; CODE XREF: MiMapUserLargePages(x,x,x)+233j
		mov	[ebp+var_14], ebx

loc_643DD9:				; CODE XREF: MiMapUserLargePages(x,x,x)+240j
		mov	edx, [ebp+var_8]
		mov	ebx, [ebp+var_18]
		cmp	edx, [ebp+var_20]
		jb	loc_643C73
		test	edi, edi
		jz	short loc_643DF5
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlockPageTable@8 ; MiUnlockPageTable(x,x)

loc_643DF5:				; CODE XREF: MiMapUserLargePages(x,x,x)+256j
		mov	al, byte ptr [ebp+arg_0+3]
		cmp	al, 21h
		jz	short loc_643E05
		mov	dl, al
		mov	ecx, esi
		call	MiUnlockWorkingSetShared

loc_643E05:				; CODE XREF: MiMapUserLargePages(x,x,x)+D9j
					; MiMapUserLargePages(x,x,x)+266j
		test	ds:byte_70EFC4,	1
		jz	short loc_643E28
		push	0Dh
		xor	ecx, ecx
		pop	edx
		inc	ecx
		call	_MiInitPerfMemoryFlags@8 ; MiInitPerfMemoryFlags(x,x)
		push	[ebp+var_40]
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_28]
		push	eax
		call	_MiLogPerfMemoryRangeEvent@16 ;	MiLogPerfMemoryRangeEvent(x,x,x,x)

loc_643E28:				; CODE XREF: MiMapUserLargePages(x,x,x)+278j
		xor	eax, eax

loc_643E2A:				; CODE XREF: MiMapUserLargePages(x,x,x)+66j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiMapUserLargePages@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetHighestPteConsumer(x)
_MiGetHighestPteConsumer@4 proc	near	; CODE XREF: MiIssueNoPtesBugcheck(x)+13p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ecx
		mov	[ebp+var_1C], eax
		and	dword ptr [eax], 0
		test	byte ptr ds:dword_7051B4, 1
		jz	loc_643F47
		cmp	ds:byte_6D3409,	1
		jz	loc_643F47
		xor	ecx, ecx
		mov	eax, offset unk_6D3CC8
		xor	edx, edx

loc_643E64:				; CODE XREF: MiGetHighestPteConsumer(x)+44j
		cmp	[eax], eax
		jnz	short loc_643E77
		add	edx, 8
		inc	ecx
		add	eax, 8
		cmp	edx, 80h
		jb	short loc_643E64

loc_643E77:				; CODE XREF: MiGetHighestPteConsumer(x)+35j
		cmp	ecx, 10h
		jz	loc_643F47
		cmp	ds:_PsLoadedModuleList,	0
		jz	loc_643F47
		mov	edx, ds:dword_6C6E3C
		xor	eax, eax
		and	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], edx
		cmp	edx, offset _PsLoadedModuleList
		jz	loc_643F3D
		push	ebx
		push	esi
		push	edi

loc_643EAD:				; CODE XREF: MiGetHighestPteConsumer(x)+103j
		xor	edi, edi
		mov	esi, offset unk_6D3CC8

loc_643EB4:				; CODE XREF: MiGetHighestPteConsumer(x)+E6j
		mov	ecx, [esi]
		jmp	short loc_643F0A
; 

loc_643EB8:				; CODE XREF: MiGetHighestPteConsumer(x)+DBj
		mov	ebx, [ecx+24h]
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_C], eax
		test	bl, 2
		jnz	short loc_643F08
		mov	eax, [edx+18h]
		mov	edx, [ecx+2Ch]
		cmp	edx, eax
		mov	[ebp+var_18], edx
		mov	edx, [ebp+var_8]
		mov	[ebp+var_4], eax
		jb	short loc_643EE7
		mov	eax, [edx+20h]
		add	eax, [ebp+var_4]
		cmp	[ebp+var_18], eax
		jb	short loc_643EFF
		mov	eax, [ebp+var_4]

loc_643EE7:				; CODE XREF: MiGetHighestPteConsumer(x)+A6j
		mov	edx, [ecx+30h]
		cmp	edx, eax
		mov	[ebp+var_18], edx
		mov	edx, [ebp+var_8]
		jb	short loc_643F08
		mov	eax, [edx+20h]
		add	eax, [ebp+var_4]
		cmp	[ebp+var_18], eax
		jnb	short loc_643F08

loc_643EFF:				; CODE XREF: MiGetHighestPteConsumer(x)+B1j
		add	edi, [ebp+var_C]
		or	ebx, 2
		mov	[ecx+24h], ebx

loc_643F08:				; CODE XREF: MiGetHighestPteConsumer(x)+93j
					; MiGetHighestPteConsumer(x)+C1j ...
		mov	ecx, [ecx]

loc_643F0A:				; CODE XREF: MiGetHighestPteConsumer(x)+85j
		cmp	ecx, esi
		jnz	short loc_643EB8
		add	esi, 8
		cmp	esi, offset dword_6D3D48
		jb	short loc_643EB4
		mov	eax, [ebp+var_10]
		cmp	edi, eax
		jbe	short loc_643F28
		mov	eax, edi
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], eax

loc_643F28:				; CODE XREF: MiGetHighestPteConsumer(x)+EDj
		mov	edx, [edx+4]
		mov	[ebp+var_8], edx
		cmp	edx, offset _PsLoadedModuleList
		jnz	loc_643EAD
		pop	edi
		pop	esi
		pop	ebx

loc_643F3D:				; CODE XREF: MiGetHighestPteConsumer(x)+73j
		mov	ecx, [ebp+var_1C]
		mov	[ecx], eax
		mov	eax, [ebp+var_14]
		leave
		retn
; 

loc_643F47:				; CODE XREF: MiGetHighestPteConsumer(x)+17j
					; MiGetHighestPteConsumer(x)+24j ...
		xor	eax, eax
		leave
		retn
_MiGetHighestPteConsumer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertPteTracker(x, x, x,	x)
_MiInsertPteTracker@16 proc near	; CODE XREF: MmMapLockedPagesSpecifyCache+134EE7p
					; MiMapContiguousMemory+DF0EEp	...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_C], 0
		xor	eax, eax
		cmp	word ptr ds:dword_6D3384, 0Ah
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_8], edx
		stosd
		mov	esi, ecx
		mov	[ebp+var_4], esi
		mov	ecx, offset dword_6D3380
		stosd
		stosd
		jnb	short loc_643F81
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		jmp	short loc_643FA5
; 

loc_643F81:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+2Bj
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_643FA9
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_643FA5

loc_643F92:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+55j
		mov	esi, [eax]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_643F92
		mov	esi, [ebp+var_4]

loc_643FA5:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+34j
					; MiInsertPteTracker(x,x,x,x)+45j
		test	edi, edi
		jnz	short loc_643FCC

loc_643FA9:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+3Fj
		push	0
		push	40h
		push	44h
		mov	edx, 79536D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_643FCC
		mov	ds:byte_6D3409,	1
		jmp	loc_644143
; 

loc_643FCC:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+5Cj
					; MiInsertPteTracker(x,x,x,x)+73j
		mov	eax, [ebp+var_8]
		push	1
		pop	edx
		sub	eax, 0
		jz	short loc_644001
		sub	eax, edx
		jz	short loc_643FE7
		mov	ecx, [esi+8]
		shr	ecx, 0Ch
		and	dword ptr [edi+8], 0
		jmp	short loc_64402F
; 

loc_643FE7:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+8Ej
		mov	ecx, [esi+18h]
		add	ecx, [esi+10h]
		and	ecx, 0FFFh
		add	ecx, 0FFFh
		add	ecx, [esi+8]
		mov	[edi+8], edx
		jmp	short loc_64402C
; 

loc_644001:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+8Aj
		mov	ecx, [esi+10h]
		add	ecx, [esi+18h]
		mov	eax, [esi+14h]
		and	ecx, 0FFFh
		add	eax, 0FFFh
		mov	[edi+8], esi
		add	ecx, eax
		mov	eax, [esi+10h]
		mov	[edi+14h], eax
		mov	eax, [esi+18h]
		mov	[edi+18h], eax
		mov	eax, [esi+14h]
		mov	[edi+1Ch], eax

loc_64402C:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+B4j
		shr	ecx, 0Ch

loc_64402F:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+9Aj
		mov	eax, [ebp+arg_0]
		and	eax, 2
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], eax
		jz	short loc_644041
		inc	ecx
		mov	[ebp+var_4], ecx

loc_644041:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+F0j
		lea	eax, [ebp+var_C]
		mov	[edi+0Ch], ecx
		push	eax
		lea	eax, [edi+28h]
		push	eax
		push	7
		push	edx
		call	RtlCaptureStackBackTrace
		mov	ecx, [esi+0Ch]
		mov	edx, [ebp+var_8]
		neg	edx
		mov	[edi+10h], ecx
		mov	eax, [esi+1Ch]
		sbb	edx, edx
		mov	[edi+20h], eax
		mov	eax, [edi+24h]
		and	edx, 10h
		and	eax, 0FFFFFFE2h
		shr	ecx, 0Ch
		or	edx, eax
		mov	eax, [ebp+arg_0]
		and	eax, 1
		or	edx, eax
		mov	eax, [ebp+arg_4]
		and	eax, 3
		and	edx, 0FFFFFFFDh
		shl	eax, 2
		or	edx, eax
		mov	eax, ecx
		shr	eax, 8
		movzx	eax, al
		shr	ecx, 10h
		shl	eax, 2
		xor	eax, ecx
		mov	[edi+24h], edx
		imul	esi, eax, 2797Ch
		lea	edx, [ebp+var_18]
		mov	ecx, offset dword_6D3388
		sar	esi, 2
		and	esi, 0Fh
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	eax, unk_6D3CC8[esi*8]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jz	short loc_6440CA
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_6440CA:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+178j
		mov	[edi+4], eax
		mov	[edi], edx
		mov	[edx+4], edi
		mov	[eax], edi
		mov	eax, [ebp+var_4]
		add	ds:dword_6D3D48, eax
		mov	eax, ds:dword_6D3D4C
		inc	eax
		mov	ds:dword_6D3D4C, eax
		cmp	eax, ds:dword_6D3D50
		jbe	short loc_6440F5
		mov	ds:dword_6D3D50, eax

loc_6440F5:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+1A3j
		test	ds:byte_70EFC6,	1
		jz	short loc_64410B
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_64413A
; 

loc_64410B:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+1B1j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_64412A
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	short loc_64413A
		call	KxWaitForLockChainValid

loc_64412A:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+1C5j
		xor	ecx, ecx
		mov	[ebp+var_18], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_64413A:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+1BEj
					; MiInsertPteTracker(x,x,x,x)+1D8j
		mov	cl, [ebp+var_10]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_644143:				; CODE XREF: MiInsertPteTracker(x,x,x,x)+7Cj
		pop	edi
		pop	esi
		leave
		retn	8
_MiInsertPteTracker@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRemovePteTracker(x, x, x)
_MiRemovePteTracker@12 proc near	; CODE XREF: MmUnmapLockedPages+138FFEp
					; sub_5C3683+5p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, ecx
		push	edi
		lea	edi, [ebp+var_14]
		mov	ecx, edx
		stosd
		and	ecx, 0FFFFF000h
		shr	edx, 0Ch
		mov	[ebp+var_4], ecx
		mov	ecx, offset dword_6D3388
		stosd
		stosd
		mov	eax, edx
		shr	eax, 8
		xor	edi, edi
		movzx	eax, al
		shr	edx, 10h
		shl	eax, 2
		xor	eax, edx
		lea	edx, [ebp+var_14]
		imul	esi, eax, 2797Ch
		sar	esi, 2
		and	esi, 0Fh
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, [ebp+arg_0]
		lea	eax, unk_6D3CC8[esi*8]
		mov	ecx, [eax]
		mov	[ebp+var_8], eax
		cmp	ecx, eax
		jz	short loc_64421F

loc_6441AA:				; CODE XREF: MiRemovePteTracker(x,x,x)+D0j
		mov	esi, [ecx+10h]
		mov	eax, esi
		and	eax, 0FFFFF000h
		cmp	[ebp+var_4], eax
		jnz	short loc_644214
		test	edi, edi
		jnz	loc_64425A
		mov	eax, [ecx+0Ch]
		cmp	eax, edx
		jnz	loc_644253
		test	ebx, ebx
		jz	short loc_6441FF
		mov	eax, 200h
		test	[ebx+6], ax
		jnz	short loc_6441FF
		mov	eax, [ecx+20h]
		mov	edi, [ebx+1Ch]
		cmp	eax, edi
		jnz	short loc_644247
		cmp	ds:byte_6D34D8,	0
		jnz	short loc_6441FF
		mov	eax, [ebx+0Ch]
		cmp	esi, eax
		jnz	short loc_644240
		mov	eax, [ecx+14h]
		mov	esi, [ebx+10h]
		cmp	eax, esi
		jnz	short loc_644231

loc_6441FF:				; CODE XREF: MiRemovePteTracker(x,x,x)+85j
					; MiRemovePteTracker(x,x,x)+90j ...
		mov	esi, [ecx]
		mov	eax, [ecx+4]
		cmp	[esi+4], ecx
		jnz	short loc_64424E
		cmp	[eax], ecx
		jnz	short loc_64424E
		mov	[eax], esi
		mov	edi, ecx
		mov	[esi+4], eax

loc_644214:				; CODE XREF: MiRemovePteTracker(x,x,x)+6Ej
		mov	ecx, [ecx]
		cmp	ecx, [ebp+var_8]
		jnz	short loc_6441AA
		test	edi, edi
		jnz	short loc_644261

loc_64421F:				; CODE XREF: MiRemovePteTracker(x,x,x)+5Fj
		cmp	ds:byte_6D3409,	0
		jnz	short loc_644261
		push	edx
		push	[ebp+var_4]
		push	ebx
		push	6
		jmp	short loc_644236
; 

loc_644231:				; CODE XREF: MiRemovePteTracker(x,x,x)+B4j
		push	esi
		push	eax
		push	ecx
		push	5

loc_644236:				; CODE XREF: MiRemovePteTracker(x,x,x)+E6j
					; MiRemovePteTracker(x,x,x)+FCj ...
		push	0DAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_644240:				; CODE XREF: MiRemovePteTracker(x,x,x)+AAj
		push	eax
		push	esi
		push	ecx
		push	3
		jmp	short loc_644236
; 

loc_644247:				; CODE XREF: MiRemovePteTracker(x,x,x)+9Aj
		push	edi
		push	eax
		push	ecx
		push	4
		jmp	short loc_644236
; 

loc_64424E:				; CODE XREF: MiRemovePteTracker(x,x,x)+BEj
					; MiRemovePteTracker(x,x,x)+C2j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_644253:				; CODE XREF: MiRemovePteTracker(x,x,x)+7Dj
		push	edx
		push	eax
		push	ecx
		push	2
		jmp	short loc_644236
; 

loc_64425A:				; CODE XREF: MiRemovePteTracker(x,x,x)+72j
		push	edi
		push	ebx
		push	ecx
		push	1
		jmp	short loc_644236
; 

loc_644261:				; CODE XREF: MiRemovePteTracker(x,x,x)+D4j
					; MiRemovePteTracker(x,x,x)+DDj
		sub	ds:dword_6D3D48, edx
		dec	ds:dword_6D3D4C
		test	ds:byte_70EFC6,	1
		jz	short loc_644283
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6442B2
; 

loc_644283:				; CODE XREF: MiRemovePteTracker(x,x,x)+12Bj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_6442A2
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_6442B2
		call	KxWaitForLockChainValid

loc_6442A2:				; CODE XREF: MiRemovePteTracker(x,x,x)+13Fj
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_6442B2:				; CODE XREF: MiRemovePteTracker(x,x,x)+138j
					; MiRemovePteTracker(x,x,x)+152j
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_6442CB
		mov	edx, edi
		mov	ecx, offset dword_6D3380
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_6442CB:				; CODE XREF: MiRemovePteTracker(x,x,x)+174j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiRemovePteTracker@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiFreeTransitionPageHeatList(x)
_MiFreeTransitionPageHeatList@4	proc near ; CODE XREF: MmAccessFault+14B33Ep
		cmp	word ptr ds:dword_6D328C, 40h
		jnb	short loc_6442E8
		mov	edx, ecx
		mov	ecx, offset dword_6D3288
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
; 

loc_6442E8:				; CODE XREF: MiFreeTransitionPageHeatList(x)+8j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
_MiFreeTransitionPageHeatList@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogNotifyPageHeat(x)
_MiLogNotifyPageHeat@4 proc near	; CODE XREF: MiNotifyPageHeat(x)+5p

var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_99		= byte ptr -99h
var_98		= dword	ptr -98h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 0C0h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, ds:dword_6D35BC
		mov	[ebp+var_A8], edi
		test	ecx, ecx
		jz	loc_644625
		cmp	dword ptr [ecx], 0
		jbe	loc_644625
		push	0
		push	40h
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_644625
		mov	eax, [edi+4]
		lea	ecx, [edi+10h]
		xor	esi, esi
		lea	eax, [ecx+eax*8]
		mov	[ebp+var_A4], eax
		cmp	ecx, eax
		jnb	short loc_64439F
		mov	edi, esi

loc_644361:				; CODE XREF: MiLogNotifyPageHeat(x)+9Aj
		mov	edx, [ecx]
		mov	esi, [ecx]
		and	edx, 3FFh
		mov	eax, [ecx+4]
		inc	edx
		shrd	esi, eax, 0Ah
		and	esi, 3
		jz	short loc_644380

loc_644378:				; CODE XREF: MiLogNotifyPageHeat(x)+8Dj
		shl	edx, 9
		sub	esi, 1
		jnz	short loc_644378

loc_644380:				; CODE XREF: MiLogNotifyPageHeat(x)+85j
		add	ecx, 8
		add	edi, edx
		cmp	ecx, [ebp+var_A4]
		jb	short loc_644361
		mov	[ebp+var_A0], edi
		mov	edi, [ebp+var_A8]
		mov	esi, [ebp+var_A0]

loc_64439F:				; CODE XREF: MiLogNotifyPageHeat(x)+6Cj
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		xor	ecx, ecx
		mov	[ebp+var_99], al
		mov	eax, ds:dword_6D35BC
		cmp	[edi], ecx
		jnz	loc_6444E7
		cmp	dword ptr [eax], 5
		mov	[ebp+var_B0], eax
		jbe	loc_644619
		push	ecx
		push	40h
		mov	ecx, eax
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_644619
		mov	eax, [edi+4]
		xor	ecx, ecx
		mov	edx, [edi+14h]
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_68], eax
		mov	[ebp+var_74], ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_5C], ecx
		mov	ecx, edx
		mov	[ebp+var_B8], esi
		mov	esi, [edi+10h]
		mov	eax, esi
		shrd	eax, ecx, 0Ch
		push	4
		mov	[ebp+var_C0], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_58], eax
		mov	eax, esi
		shr	ecx, 0Ch
		and	eax, 3FFh
		mov	[ebp+var_BC], ecx
		xor	ecx, ecx
		inc	eax
		mov	[ebp+var_54], ecx
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_48], eax
		pop	eax
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_3C], ecx
		lea	ecx, [ebp+var_A0]
		mov	[ebp+var_40], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_38], ecx
		movzx	ecx, word ptr [edi+4]
		mov	eax, ecx
		mov	[ebp+var_70], 4
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_28], eax
		lea	eax, [edi+10h]
		shrd	esi, edx, 0Ah
		xor	edx, edx
		mov	[ebp+var_18], eax
		mov	eax, ecx
		mov	[ebp+var_34], edx
		mov	ecx, [ebp+var_B0]
		and	esi, 3
		shl	eax, 3
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_98]
		push	eax
		push	9
		push	edx
		push	edx
		push	1
		push	edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], edx
		push	edx
		mov	[ebp+var_60], 8
		mov	edx, offset loc_41D4D8
		mov	[ebp+var_50], 8
		mov	[ebp+var_A0], esi
		jmp	loc_64460D
; 

loc_6444E7:				; CODE XREF: MiLogNotifyPageHeat(x)+C5j
		cmp	dword ptr [eax], 5
		mov	[ebp+var_A0], eax
		jbe	loc_644619
		push	ecx
		push	40h
		mov	ecx, eax
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_644619
		mov	eax, [edi+4]
		xor	ecx, ecx
		mov	edx, [edi+14h]
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_68], eax
		mov	[ebp+var_74], ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_5C], ecx
		mov	ecx, edx
		mov	[ebp+var_C0], esi
		mov	esi, [edi+10h]
		mov	eax, esi
		shrd	eax, ecx, 0Ch
		push	4
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_58], eax
		mov	eax, esi
		shr	ecx, 0Ch
		and	eax, 3FFh
		mov	[ebp+var_B4], ecx
		xor	ecx, ecx
		inc	eax
		mov	[ebp+var_54], ecx
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_48], eax
		pop	eax
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_3C], ecx
		lea	ecx, [ebp+var_A8]
		mov	[ebp+var_40], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_38], ecx
		movzx	ecx, word ptr [edi+4]
		mov	eax, ecx
		mov	[ebp+var_70], 4
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_28], eax
		lea	eax, [edi+10h]
		shrd	esi, edx, 0Ah
		xor	edx, edx
		mov	[ebp+var_18], eax
		mov	eax, ecx
		mov	[ebp+var_34], edx
		mov	ecx, [ebp+var_A0]
		and	esi, 3
		shl	eax, 3
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_98]
		push	eax
		push	9
		push	edx
		push	edx
		push	1
		push	edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], edx
		push	edx
		mov	[ebp+var_60], 8
		mov	edx, offset loc_41D55F
		mov	[ebp+var_50], 8
		mov	[ebp+var_A8], esi

loc_64460D:				; CODE XREF: MiLogNotifyPageHeat(x)+1F1j
		mov	[ebp+var_20], 2
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_644619:				; CODE XREF: MiLogNotifyPageHeat(x)+D4j
					; MiLogNotifyPageHeat(x)+E6j ...
		mov	cl, [ebp+var_99]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_644625:				; CODE XREF: MiLogNotifyPageHeat(x)+39j
					; MiLogNotifyPageHeat(x)+42j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_MiLogNotifyPageHeat@4 endp ; sp =  4


;  S U B	R O U T	I N E 


; __stdcall MiNotifyPageHeat(x)
_MiNotifyPageHeat@4 proc near		; CODE XREF: MiGetPageChain(x,x,x,x,x,x,x)+2ECp
					; MmSetPfnListInfo(x,x,x)+240p	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_MiLogNotifyPageHeat@4 ; MiLogNotifyPageHeat(x)
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, [esi]
		cmp	al, 2
		lea	eax, [esi+10h]
		push	eax
		push	dword ptr [esi+4]
		setb	dl
		call	_HvlNotifyPageHeat@16 ;	HvlNotifyPageHeat(x,x,x,x)
		and	dword ptr [esi+4], 0
		pop	esi
		retn
_MiNotifyPageHeat@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiProcessTransitionHeatBatch(x)
_MiProcessTransitionHeatBatch@4	proc near ; CODE XREF: MmAccessFault:loc_5B2142p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, large fs:124h
		push	esi
		mov	esi, ecx
		mov	[ebp+var_18], eax
		push	edi
		dec	word ptr [eax+13Eh]
		mov	[ebp+var_4], esi
		nop
		mov	edx, offset unk_6D4EAC
		xor	edi, edi
		mov	eax, edx
		mov	[ebp+var_14], edi
		and	eax, 7FFFFFFCh
		mov	[ebp+var_10], eax
		jz	loc_6447BA
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_6446D9

loc_6446CC:				; CODE XREF: MiProcessTransitionHeatBatch(x)+BBj
					; MiProcessTransitionHeatBatch(x)+104j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_644783
; 

loc_6446D9:				; CODE XREF: MiProcessTransitionHeatBatch(x)+69j
		mov	cl, [esi+1E4h]
		mov	[ebp+var_C], edi
		test	cl, cl
		jnz	short loc_6446FD
		lea	ecx, [esi+222h]
		cmp	byte ptr [ecx],	0
		jz	short loc_64475B
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al

loc_6446FD:				; CODE XREF: MiProcessTransitionHeatBatch(x)+83j
		movzx	ecx, cl
		bsf	eax, ecx
		imul	edx, eax, 30h
		btr	ecx, eax
		mov	[ebp+var_C], eax
		mov	[esi+1E4h], cl
		add	edx, [esi+1E8h]

loc_644718:				; CODE XREF: MiProcessTransitionHeatBatch(x)+113j
		mov	edi, edx
		test	edx, edx
		jz	short loc_6446CC
		mov	ecx, ds:dword_6D07D0
		mov	eax, offset unk_6D4EAC
		shr	eax, 15h
		cmp	ecx, offset unk_6D4EAC
		ja	short loc_644776
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_64474E
		cmp	ecx, offset unk_6D4EAC
		ja	short loc_644776
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_644776

loc_64474E:				; CODE XREF: MiProcessTransitionHeatBatch(x)+DAj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_644779
; 

loc_64475B:				; CODE XREF: MiProcessTransitionHeatBatch(x)+8Ej
		test	dword ptr ds:byte_70EFC4, 200h
		jz	loc_6446CC
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, edi
		jmp	short loc_644718
; 

loc_644776:				; CODE XREF: MiProcessTransitionHeatBatch(x)+D1j
					; MiProcessTransitionHeatBatch(x)+E2j ...
		or	eax, 0FFFFFFFFh

loc_644779:				; CODE XREF: MiProcessTransitionHeatBatch(x)+F8j
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp+var_10]
		mov	[edx+10h], eax

loc_644783:				; CODE XREF: MiProcessTransitionHeatBatch(x)+73j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_14]
		push	eax
		mov	edx, offset unk_6D4EAC
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_6447B2
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_6447B2
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_6447B2:				; CODE XREF: MiProcessTransitionHeatBatch(x)+142j
					; MiProcessTransitionHeatBatch(x)+14Aj
		mov	esi, [ebp+var_4]
		mov	edx, offset unk_6D4EAC

loc_6447BA:				; CODE XREF: MiProcessTransitionHeatBatch(x)+46j
		push	11h
		pop	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_6447EB
		mov	ecx, edx
		call	@ExfTryAcquirePushLockShared@4 ; ExfTryAcquirePushLockShared(x)
		test	al, al
		jnz	short loc_6447EB
		test	edi, edi
		jz	loc_644895
		mov	edx, edi
		mov	ecx, offset unk_6D4EAC
		call	KeAbPostReleaseEx
		jmp	loc_644895
; 

loc_6447EB:				; CODE XREF: MiProcessTransitionHeatBatch(x)+164j
					; MiProcessTransitionHeatBatch(x)+16Fj
		test	edi, edi
		jz	short loc_6447F3
		or	byte ptr [edi+0Eh], 1

loc_6447F3:				; CODE XREF: MiProcessTransitionHeatBatch(x)+18Cj
		mov	eax, [esi+4]
		lea	edi, [esi+10h]
		lea	eax, [edi+eax*8]
		mov	[ebp+var_10], eax
		cmp	edi, eax
		jnb	short loc_64486D

loc_644803:				; CODE XREF: MiProcessTransitionHeatBatch(x)+207j
		mov	ecx, [edi+4]
		mov	eax, ecx
		mov	esi, [edi]
		mov	edx, [edi]
		mov	[ebp+var_14], esi
		and	edx, 3FFh
		shrd	esi, eax, 0Ch
		mov	eax, [ebp+var_14]
		inc	edx
		shrd	eax, ecx, 0Ah
		and	eax, 3
		jz	short loc_644831

loc_644826:				; CODE XREF: MiProcessTransitionHeatBatch(x)+1CEj
		shl	edx, 9
		shr	esi, 9
		sub	eax, 1
		jnz	short loc_644826

loc_644831:				; CODE XREF: MiProcessTransitionHeatBatch(x)+1C3j
		lea	eax, [edx+esi]
		mov	[ebp+var_14], eax
		cmp	esi, eax
		jnb	short loc_644862

loc_64483B:				; CODE XREF: MiProcessTransitionHeatBatch(x)+1FFj
		cmp	esi, ds:dword_6D07B0
		ja	short loc_644874
		mov	eax, ds:dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_644874
		inc	esi
		cmp	esi, [ebp+var_14]
		jb	short loc_64483B

loc_644862:				; CODE XREF: MiProcessTransitionHeatBatch(x)+1D8j
		add	edi, 8
		cmp	edi, [ebp+var_10]
		jb	short loc_644803
		mov	esi, [ebp+var_4]

loc_64486D:				; CODE XREF: MiProcessTransitionHeatBatch(x)+1A0j
		mov	ecx, esi
		call	_MiNotifyPageHeat@4 ; MiNotifyPageHeat(x)

loc_644874:				; CODE XREF: MiProcessTransitionHeatBatch(x)+1E0j
					; MiProcessTransitionHeatBatch(x)+1F9j
		push	11h
		xor	ecx, ecx
		mov	esi, offset unk_6D4EAC
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_64488E
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_64488E:				; CODE XREF: MiProcessTransitionHeatBatch(x)+224j
		mov	ecx, esi
		call	KeAbPostRelease

loc_644895:				; CODE XREF: MiProcessTransitionHeatBatch(x)+173j
					; MiProcessTransitionHeatBatch(x)+185j
		mov	ecx, [ebp+var_18]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_MiProcessTransitionHeatBatch@4	endp ; sp =  4


;  S U B	R O U T	I N E 


; __stdcall MiReplenishTransitionPageHeatList()
_MiReplenishTransitionPageHeatList@0 proc near ; CODE XREF: MmAccessFault+14B32Bp
		mov	edi, edi
		push	esi
		push	40h
		pop	esi
		jmp	short loc_6448D7
; 

loc_6448AE:				; CODE XREF: MiReplenishTransitionPageHeatList()+38j
		push	0
		push	esi
		mov	edx, 6C486D4Dh
		mov	ecx, 90h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jz	short loc_6448E2
		mov	edx, eax
		mov	dword ptr [eax+8], 10h
		mov	ecx, offset dword_6D3288
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_6448D7:				; CODE XREF: MiReplenishTransitionPageHeatList()+6j
		cmp	word ptr ds:dword_6D328C, si
		jb	short loc_6448AE
		pop	esi
		retn
; 

loc_6448E2:				; CODE XREF: MiReplenishTransitionPageHeatList()+1Cj
		push	20h
		pop	eax
		mov	ecx, offset unk_6D3290
		xchg	eax, [ecx]
		pop	esi
		retn
_MiReplenishTransitionPageHeatList@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiComputeIdealDpcGang(x, x)
_MiComputeIdealDpcGang@8 proc near	; CODE XREF: MiInitializeDpcGang(x,x,x)+2Bp

var_C		= dword	ptr -0Ch
var_8		= word ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_0]
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		stosd
		stosd
		call	MiGetClosestNodeWithProcessors
		movzx	ecx, ds:_KeNumberNodes
		cmp	eax, ecx
		sbb	ecx, ecx
		and	ecx, eax
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_C]
		mov	[esi+68h], ecx
		push	eax
		push	ecx
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		lea	edi, [esi+70h]
		xor	ebx, ebx
		lea	esi, [ebp+var_C]
		mov	edx, ebx
		movsd
		movsd
		movsd
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	short loc_644972

loc_64493E:				; CODE XREF: MiComputeIdealDpcGang(x,x)+82j
		mov	ecx, ds:_KiProcessorBlock[edx*4]
		movzx	eax, byte ptr [ecx+3C5h]
		cmp	ax, [ebp+var_8]
		jnz	short loc_644969
		mov	ecx, [ecx+402Ch]
		mov	eax, [ebp+var_C]
		test	ecx, eax
		jz	short loc_644969
		not	ecx
		inc	ebx
		and	eax, ecx
		mov	[ebp+var_C], eax
		jz	short loc_644972

loc_644969:				; CODE XREF: MiComputeIdealDpcGang(x,x)+62j
					; MiComputeIdealDpcGang(x,x)+6Fj
		inc	edx
		cmp	edx, ds:_KeNumberProcessors
		jb	short loc_64493E

loc_644972:				; CODE XREF: MiComputeIdealDpcGang(x,x)+4Ej
					; MiComputeIdealDpcGang(x,x)+79j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_MiComputeIdealDpcGang@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDoGangAssignment(x, x)
_MiDoGangAssignment@8 proc near		; CODE XREF: MiDpcGangTarget(x,x,x,x)+B8p
					; MiStartDpcGang(x)+C6p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, [edx]
		mov	eax, [ebx+60h]
		test	al, 1
		jnz	short loc_6449B5
		cmp	dword ptr [edi], 0
		jz	short loc_6449AE
		mov	edx, [ebx]
		mov	ecx, edi
		call	_MiInitializeLargeMdlLeafPfns@8	; MiInitializeLargeMdlLeafPfns(x,x)
		cmp	dword ptr [edi], 0
		jz	short loc_6449AE

loc_6449A7:				; CODE XREF: MiDoGangAssignment(x,x)+F7j
		mov	dword ptr [ebx+6Ch], 1

loc_6449AE:				; CODE XREF: MiDoGangAssignment(x,x)+1Cj
					; MiDoGangAssignment(x,x)+2Aj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_6449B5:				; CODE XREF: MiDoGangAssignment(x,x)+17j
		test	al, 38h
		jnz	short loc_6449C2
		xor	esi, esi
		mov	edx, 4000h
		jmp	short loc_6449D1
; 

loc_6449C2:				; CODE XREF: MiDoGangAssignment(x,x)+3Cj
		mov	esi, [edi]
		mov	edx, 200h
		sub	esi, [ebx]
		shl	esi, 0Ch
		add	esi, [ebx+50h]

loc_6449D1:				; CODE XREF: MiDoGangAssignment(x,x)+45j
		mov	ecx, [edi+4]
		mov	[esp+18h+var_8], edx
		test	ecx, ecx
		jz	short loc_6449AE

loc_6449DC:				; CODE XREF: MiDoGangAssignment(x,x)+119j
		mov	eax, edx
		mov	[esp+18h+var_C], eax
		cmp	edx, ecx
		jbe	short loc_6449EC
		mov	eax, ecx
		mov	[esp+18h+var_C], ecx

loc_6449EC:				; CODE XREF: MiDoGangAssignment(x,x)+69j
		test	esi, esi
		jz	short loc_644A3A
		mov	ecx, [ebx+60h]
		test	cl, 8
		jz	short loc_644A07
		mov	edx, eax
		mov	ecx, esi
		shl	edx, 0Ch
		call	ds:_KeZeroPages	; KiZeroPages(x,x)
		jmp	short loc_644A3A
; 

loc_644A07:				; CODE XREF: MiDoGangAssignment(x,x)+7Bj
		test	cl, 10h
		jz	short loc_644A1D
		shl	eax, 0Ch
		push	eax		; size_t
		push	0FFFFFFFFh	; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_644A3A
; 

loc_644A1D:				; CODE XREF: MiDoGangAssignment(x,x)+8Fj
		test	cl, 20h
		jz	short loc_644A3A
		shl	eax, 0Ch
		push	0
		push	eax
		push	esi
		mov	[esp+24h+var_4], eax
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		mov	ecx, [esp+18h+var_4]
		cmp	eax, ecx
		jnz	short loc_644A99

loc_644A3A:				; CODE XREF: MiDoGangAssignment(x,x)+73j
					; MiDoGangAssignment(x,x)+8Aj ...
		test	byte ptr [ebx+60h], 4
		jz	short loc_644A5C
		mov	edx, [esp+18h+var_C]
		push	0
		push	0
		push	0
		push	dword ptr [ebx+5Ch]
		push	ecx
		imul	ecx, [edi], 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiInitializeUnusablePfns@28 ; MiInitializeUnusablePfns(x,x,x,x,x,x,x)

loc_644A5C:				; CODE XREF: MiDoGangAssignment(x,x)+C3j
		mov	eax, [esp+18h+var_C]
		sub	[edi+4], eax
		jz	loc_6449AE
		add	[edi], eax
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	loc_6449A7
		test	esi, esi
		jz	short loc_644A85
		mov	eax, [esp+18h+var_C]
		shl	eax, 0Ch
		add	esi, eax

loc_644A85:				; CODE XREF: MiDoGangAssignment(x,x)+FFj
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	loc_6449AE
		mov	edx, [esp+18h+var_8]
		jmp	loc_6449DC
; 

loc_644A99:				; CODE XREF: MiDoGangAssignment(x,x)+BDj
		push	ecx
		push	eax
		push	dword ptr [edi]
		push	esi
		push	127h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MiDoGangAssignment@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDpcGangTarget(x, x, x, x)
_MiDpcGangTarget@16 proc near		; DATA XREF: MiStartDpcGang(x)+A2o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:20h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	eax, [eax+338h]
		push	edi
		mov	edi, [ebp+arg_4]
		movzx	eax, word ptr [eax+8Ah]
		cmp	eax, [edi+68h]
		jnz	short loc_644B1F
		mov	edx, large fs:20h
		movzx	eax, byte ptr [edx+3C5h]
		cmp	ax, [edi+74h]
		jnz	short loc_644B1F
		mov	esi, [edx+402Ch]
		lea	ebx, [edi+70h]
		test	[ebx], esi
		jz	short loc_644B0A
		not	esi
		mov	eax, [ebx]

loc_644AF8:				; CODE XREF: MiDpcGangTarget(x,x,x,x)+57j
		mov	ecx, eax
		and	ecx, esi
		lock cmpxchg [ebx], ecx
		jnz	short loc_644AF8
		test	[edx+402Ch], eax
		jnz	short loc_644B0C

loc_644B0A:				; CODE XREF: MiDpcGangTarget(x,x,x,x)+49j
		xor	edx, edx

loc_644B0C:				; CODE XREF: MiDpcGangTarget(x,x,x,x)+5Fj
		test	edx, edx
		jz	short loc_644B1F
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_MiGetGangAssignment@8 ; MiGetGangAssignment(x,x)
		mov	[ebp+arg_4], eax
		jmp	short loc_644B23
; 

loc_644B1F:				; CODE XREF: MiDpcGangTarget(x,x,x,x)+28j
					; MiDpcGangTarget(x,x,x,x)+3Cj	...
		and	[ebp+arg_4], 0

loc_644B23:				; CODE XREF: MiDpcGangTarget(x,x,x,x)+74j
		mov	esi, [ebp+arg_C]
		or	ebx, 0FFFFFFFFh
		test	byte ptr [edi+60h], 2
		mov	ecx, 80000000h
		jz	short loc_644B56
		and	[ebp+var_8], 0
		mov	eax, ebx
		lock xadd [esi], eax
		dec	eax
		mov	ebx, eax
		not	ebx
		and	ebx, ecx
		test	eax, 7FFFFFFFh
		jnz	short loc_644B8D
		mov	eax, [esi+4]
		or	eax, ebx
		mov	[esi], eax

loc_644B53:				; CODE XREF: MiDpcGangTarget(x,x,x,x)+EAj
		or	ebx, 0FFFFFFFFh

loc_644B56:				; CODE XREF: MiDpcGangTarget(x,x,x,x)+89j
		cmp	[ebp+arg_4], 0
		jz	short loc_644B66
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_MiDoGangAssignment@8 ;	MiDoGangAssignment(x,x)

loc_644B66:				; CODE XREF: MiDpcGangTarget(x,x,x,x)+B1j
		test	byte ptr [edi+60h], 2
		jz	short loc_644BC3
		lock xadd [esi], ebx
		dec	ebx
		mov	edi, ebx
		mov	ecx, 80000000h
		not	edi
		and	edi, ecx
		test	ebx, 7FFFFFFFh
		jnz	short loc_644BA6
		mov	eax, [esi+4]
		or	eax, edi
		mov	[esi], eax
		jmp	short loc_644BC3
; 

loc_644B8D:				; CODE XREF: MiDpcGangTarget(x,x,x,x)+A1j
		mov	eax, [esi]
		and	eax, ecx

loc_644B91:				; CODE XREF: MiDpcGangTarget(x,x,x,x)+FBj
		cmp	eax, ebx
		jz	short loc_644B53
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		and	eax, 80000000h
		jmp	short loc_644B91
; 

loc_644BA6:				; CODE XREF: MiDpcGangTarget(x,x,x,x)+D9j
		mov	eax, [esi]
		and	[ebp+var_C], 0
		and	eax, ecx
		jmp	short loc_644BBF
; 

loc_644BB0:				; CODE XREF: MiDpcGangTarget(x,x,x,x)+118j
		lea	ecx, [ebp+var_C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		and	eax, 80000000h

loc_644BBF:				; CODE XREF: MiDpcGangTarget(x,x,x,x)+105j
		cmp	eax, edi
		jnz	short loc_644BB0

loc_644BC3:				; CODE XREF: MiDpcGangTarget(x,x,x,x)+C1j
					; MiDpcGangTarget(x,x,x,x)+E2j
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiDpcGangTarget@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiEndDpcGang(x)
_MiEndDpcGang@4	proc near		; CODE XREF: MiAllocateFastLargePagesForMdl(x,x,x)+1A2p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		test	byte ptr [esi+60h], 1
		lea	edi, [esi+8]
		jz	short loc_644BF5
		mov	ecx, [edi]
		lea	eax, [esi+0Ch]
		cmp	ecx, eax
		jz	short loc_644C08
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0
		jmp	short loc_644C08
; 

loc_644BF5:				; CODE XREF: MiEndDpcGang(x)+Dj
		mov	eax, [esi+4]
		cmp	eax, edi
		jz	short loc_644C08
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+4], 0

loc_644C08:				; CODE XREF: MiEndDpcGang(x)+16j
					; MiEndDpcGang(x)+23j ...
		pop	edi
		pop	esi
		retn
_MiEndDpcGang@4	endp


;  S U B	R O U T	I N E 


; __stdcall MiGetGangAssignment(x, x)
_MiGetGangAssignment@8 proc near	; CODE XREF: MiDpcGangTarget(x,x,x,x)+6Cp
					; MiStartDpcGang(x)+B1p
		mov	edi, edi
		push	esi
		xor	esi, esi
		inc	esi
		lock xadd [ecx+58h], esi
		inc	esi
		dec	esi
		cmp	esi, [ecx+64h]
		jnb	short loc_644C41
		test	byte ptr [ecx+60h], 1
		jnz	short loc_644C2E
		mov	eax, [ecx+4]
		lea	eax, [eax+esi*4]
		cmp	dword ptr [eax], 0
		jmp	short loc_644C38
; 

loc_644C2E:				; CODE XREF: MiGetGangAssignment(x,x)+16j
		mov	ecx, [ecx+8]
		lea	eax, [ecx+esi*8]
		cmp	dword ptr [eax+4], 0

loc_644C38:				; CODE XREF: MiGetGangAssignment(x,x)+21j
		jz	short loc_644C41
		mov	[edx], eax
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_644C41:				; CODE XREF: MiGetGangAssignment(x,x)+10j
					; MiGetGangAssignment(x,x):loc_644C38j
		xor	eax, eax
		pop	esi
		retn
_MiGetGangAssignment@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall MiInitializeDpcGang(void *,int,int)
_MiInitializeDpcGang@12	proc near	; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+22Bp
					; MiAllocateFastLargePagesForMdl(x,x,x)+D8p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	88h		; size_t
		mov	esi, ecx
		mov	ebx, edx
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		test	bl, 2
		jz	short loc_644C6B
		xor	edi, edi
		inc	edi
		jmp	short loc_644C77
; 

loc_644C6B:				; CODE XREF: MiInitializeDpcGang(x,x,x)+1Fj
		push	[ebp+arg_0]
		mov	ecx, esi
		call	_MiComputeIdealDpcGang@8 ; MiComputeIdealDpcGang(x,x)
		mov	edi, eax

loc_644C77:				; CODE XREF: MiInitializeDpcGang(x,x,x)+24j
		test	bl, 1
		jz	short loc_644CB1
		or	dword ptr [esi+60h], 1
		cmp	edi, 8
		jbe	short loc_644C9B
		push	0
		mov	ecx, edi
		mov	edx, 6544694Dh
		shl	ecx, 3
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[esi+8], eax

loc_644C9B:				; CODE XREF: MiInitializeDpcGang(x,x,x)+3Ej
		cmp	dword ptr [esi+8], 0
		jnz	short loc_644CE0
		cmp	edi, 8
		jbe	short loc_644CA9
		push	8
		pop	edi

loc_644CA9:				; CODE XREF: MiInitializeDpcGang(x,x,x)+5Fj
		lea	eax, [esi+0Ch]
		mov	[esi+8], eax
		jmp	short loc_644CE0
; 

loc_644CB1:				; CODE XREF: MiInitializeDpcGang(x,x,x)+35j
		cmp	edi, 8
		jbe	short loc_644CCC
		push	0
		mov	ecx, edi
		mov	edx, 6544694Dh
		shl	ecx, 2
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[esi+4], eax

loc_644CCC:				; CODE XREF: MiInitializeDpcGang(x,x,x)+6Fj
		cmp	dword ptr [esi+4], 0
		jnz	short loc_644CE0
		cmp	edi, 8
		jbe	short loc_644CDA
		push	8
		pop	edi

loc_644CDA:				; CODE XREF: MiInitializeDpcGang(x,x,x)+90j
		lea	eax, [esi+8]
		mov	[esi+4], eax

loc_644CE0:				; CODE XREF: MiInitializeDpcGang(x,x,x)+5Aj
					; MiInitializeDpcGang(x,x,x)+6Aj ...
		mov	[esi+64h], edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MiInitializeDpcGang@12	endp


;  S U B	R O U T	I N E 


; __stdcall MiInsertDpcGang(x, x)
_MiInsertDpcGang@8 proc	near		; CODE XREF: MiAllocateFastLargePagesForMdl(x,x,x)+15Ap
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	dword ptr [esi+54h], 0
		jnz	short loc_644CFF
		mov	dword ptr [esi+54h], offset _MiSystemPartition

loc_644CFF:				; CODE XREF: MiInsertDpcGang(x,x)+Cj
		movzx	ecx, word ptr [esi+4Ch]
		xor	edx, edx
		lea	eax, [ecx+1]
		mov	[esi+4Ch], ax
		mov	eax, ecx
		div	dword ptr [esi+64h]
		mov	eax, [esi+4]
		lea	ecx, [eax+edx*4]
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_644D23
		inc	word ptr [esi+4Eh]
		mov	eax, [ecx]

loc_644D23:				; CODE XREF: MiInsertDpcGang(x,x)+31j
		shr	eax, 2
		xor	eax, [edi]
		and	eax, 1FFFFFFEh
		xor	eax, [edi]
		mov	[edi], eax
		mov	[ecx], edi
		pop	edi
		pop	esi
		retn
_MiInsertDpcGang@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiStartDpcGang(x)
_MiStartDpcGang@4 proc near		; CODE XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+270p
					; MiAllocateFastLargePagesForMdl(x,x,x)+197p

var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_4], 0
		and	dword ptr [ecx+6Ch], 0
		and	dword ptr [ecx+58h], 0
		mov	eax, [ecx+60h]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_C], ecx
		inc	ebx
		mov	[ebp+var_8], ebx
		push	esi
		push	edi
		mov	edi, [ecx+64h]
		test	al, bl
		jz	short loc_644DA2
		mov	eax, [ecx]
		xor	edx, edx
		mov	[ebp+var_10], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_14], eax
		div	edi
		xor	edx, edx
		mov	esi, eax
		test	edi, edi
		jz	short loc_644D91
		mov	ebx, [ebp+var_10]

loc_644D7A:				; CODE XREF: MiStartDpcGang(x)+56j
		mov	eax, [ecx+8]
		mov	[eax+edx*8], ebx
		add	ebx, esi
		mov	eax, [ecx+8]
		mov	[eax+edx*8+4], esi
		inc	edx
		cmp	edx, edi
		jb	short loc_644D7A
		xor	ebx, ebx
		inc	ebx

loc_644D91:				; CODE XREF: MiStartDpcGang(x)+3Fj
		mov	eax, [ecx+8]
		imul	esi, edi
		mov	edi, [ebp+var_14]
		sub	edi, esi
		add	[eax+edx*8-4], edi
		jmp	short loc_644DBE
; 

loc_644DA2:				; CODE XREF: MiStartDpcGang(x)+28j
		movzx	edx, word ptr [ecx+4Eh]
		test	dx, dx
		jz	short loc_644E26
		cmp	dx, bx
		jnz	short loc_644DBE
		and	al, 2
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	ebx, eax
		mov	[ebp+var_8], ebx

loc_644DBE:				; CODE XREF: MiStartDpcGang(x)+6Aj
					; MiStartDpcGang(x)+78j
		lea	eax, [ecx+70h]
		mov	[ebp+var_14], eax

loc_644DC4:				; CODE XREF: MiStartDpcGang(x)+EEj
		mov	dword ptr [ecx+58h], 0
		mov	esi, eax
		lea	edi, [ebp+var_20]
		movsd
		movsd
		movsd
		test	ebx, ebx
		jz	short loc_644DE4
		push	ecx
		push	offset _MiDpcGangTarget@16 ; MiDpcGangTarget(x,x,x,x)
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		jmp	short loc_644E0C
; 

loc_644DE4:				; CODE XREF: MiStartDpcGang(x)+9Fj
		lea	edx, [ebp+var_4]
		call	_MiGetGangAssignment@8 ; MiGetGangAssignment(x,x)
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [ebp+var_C]
		lea	edx, [ebp+var_4]
		mov	bl, al
		call	_MiDoGangAssignment@8 ;	MiDoGangAssignment(x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+var_8]

loc_644E0C:				; CODE XREF: MiStartDpcGang(x)+ACj
		mov	eax, [ebp+var_14]
		lea	esi, [ebp+var_20]
		mov	ecx, [ebp+var_C]
		mov	edi, eax
		cmp	dword ptr [ecx+6Ch], 0
		movsd
		movsd
		movsd
		jz	short loc_644E26
		and	dword ptr [ecx+6Ch], 0
		jmp	short loc_644DC4
; 

loc_644E26:				; CODE XREF: MiStartDpcGang(x)+73j
					; MiStartDpcGang(x)+E8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiStartDpcGang@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiActOnPartitionNodePages(x, x, x)
_MiActOnPartitionNodePages@12 proc near	; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+97p
					; MiInsertPartitionPages(x,x,x,x,x)+1C7p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		and	[ebp+var_1C], 0
		mov	eax, edx
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	edx, edx
		push	esi
		inc	edx
		mov	[ebp+var_24], eax
		push	edi
		and	dword ptr [ebx+0Ch], 0
		mov	esi, 7FFFFFFFh
		mov	[ebp+var_8], ecx
		test	eax, eax
		jz	short loc_644E59
		cmp	eax, edx
		jnz	short loc_644E68

loc_644E59:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+28j
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jns	short loc_644E68
		and	eax, esi
		mov	[ebp+var_1C], edx
		mov	[ecx+0Ch], eax

loc_644E68:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+2Cj
					; MiActOnPartitionNodePages(x,x,x)+33j
		xor	eax, eax
		lea	edx, [ecx+10h]
		mov	[ebp+var_10], eax

loc_644E70:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+5ADj
		mov	ecx, [edx]
		cmp	eax, ecx
		mov	edx, [edx+4]
		sbb	ebx, ebx
		mov	[ebp+var_14], ecx
		and	ebx, eax
		mov	[ebp+var_C], edx
		lea	edi, [ecx-1]

loc_644E84:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+E7j
		and	[ebp+var_28], 0
		mov	eax, edi
		sub	eax, ebx
		inc	eax
		cmp	eax, 1
		jnb	short loc_644E97
		or	esi, 0FFFFFFFFh
		jmp	short loc_644F01
; 

loc_644E97:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+65j
		mov	eax, edi
		mov	ecx, ebx
		shr	eax, 5
		and	ecx, 1Fh
		lea	eax, [edx+eax*4]
		xor	edx, edx
		mov	[ebp+var_20], eax
		inc	edx
		shl	edx, cl
		mov	eax, ebx
		mov	ecx, [ebp+var_C]
		dec	edx
		shr	eax, 5
		lea	esi, [ecx+eax*4]
		mov	eax, [esi]
		not	eax
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_644ED6
		mov	ecx, [ebp+var_20]

loc_644EC6:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+A9j
		add	esi, 4
		cmp	esi, ecx
		ja	short loc_644EF1
		mov	eax, [esi]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_644EC6

loc_644ED6:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+96j
		mov	edx, [ebp+var_C]
		not	eax
		bsf	eax, eax
		sub	esi, edx
		sar	esi, 2
		shl	esi, 5
		add	esi, eax
		cmp	esi, edi
		jbe	short loc_644EF9
		or	esi, 0FFFFFFFFh
		jmp	short loc_644EFE
; 

loc_644EF1:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+A0j
		mov	edx, [ebp+var_C]
		or	esi, 0FFFFFFFFh
		jmp	short loc_644EFE
; 

loc_644EF9:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+BFj
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_644F17

loc_644EFE:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+C4j
					; MiActOnPartitionNodePages(x,x,x)+CCj
		mov	ecx, [ebp+var_14]

loc_644F01:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+6Aj
		test	ebx, ebx
		jz	short loc_644F17
		mov	edi, [ebp+var_10]
		inc	edi
		cmp	edi, ecx
		jbe	short loc_644F0F
		mov	edi, ecx

loc_644F0F:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+E0j
		dec	edi
		xor	ebx, ebx
		jmp	loc_644E84
; 

loc_644F17:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+D1j
					; MiActOnPartitionNodePages(x,x,x)+D8j
		mov	ebx, [ebp+arg_0]
		cmp	esi, [ebp+var_10]
		jb	loc_6452AF
		cmp	esi, 0FFFFFFFFh
		jz	loc_6452AF
		mov	eax, [ebp+var_8]
		mov	eax, [eax+10h]
		mov	[ebp+var_14], eax
		cmp	eax, esi
		ja	short loc_644F88
		xor	ecx, ecx

loc_644F3B:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+235j
		mov	edx, [ebp+var_8]
		mov	edi, [edx+10h]

loc_644F41:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+23Ej
		lea	eax, [ecx+esi]
		sub	edi, esi
		mov	ecx, [edx+0Ch]
		add	eax, edi
		mov	[ebp+var_10], eax
		mov	eax, 7FFFFFFFh
		and	ecx, eax
		mov	[ebp+var_14], edi
		mov	eax, [ebp+var_24]
		add	ecx, esi
		mov	[ebp+var_C], ecx
		cmp	eax, 5
		jz	loc_6453C7
		cmp	eax, 6
		jnz	loc_64506E
		mov	ecx, [ebx+14h]
		mov	eax, [ebx+1Ch]
		mov	edx, [ebp+var_C]
		mov	[eax+ecx*8+8], edx
		mov	[eax+ecx*8+0Ch], edi
		jmp	loc_6453C7
; 

loc_644F88:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+10Cj
		dec	eax
		mov	edi, esi
		shr	eax, 5
		lea	ecx, [edx+eax*4]
		mov	eax, esi
		shr	eax, 5
		mov	[ebp+var_10], ecx
		lea	edx, [edx+eax*4]
		cmp	edx, ecx
		jz	short loc_644FD0
		mov	eax, esi
		and	eax, 1Fh
		mov	[ebp+var_20], eax
		mov	eax, ds:dword_40BA68[eax*4]
		or	eax, [edx]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_644FD0
		sub	edi, [ebp+var_20]
		add	edi, 20h
		add	edx, 4
		jmp	short loc_644FCC
; 

loc_644FC1:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+1A3j
		cmp	dword ptr [edx], 0FFFFFFFFh
		jnz	short loc_644FD0
		add	edx, 4
		add	edi, 20h

loc_644FCC:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+194j
		cmp	edx, ecx
		jb	short loc_644FC1

loc_644FD0:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+173j
					; MiActOnPartitionNodePages(x,x,x)+189j ...
		mov	eax, [ebp+var_14]
		cmp	edi, eax
		jnb	short loc_644FE4
		mov	ecx, [ebp+var_C]

loc_644FDA:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+1B7j
		bt	[ecx], edi
		jnb	short loc_644FE4
		inc	edi
		cmp	edi, eax
		jb	short loc_644FDA

loc_644FE4:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+1AAj
					; MiActOnPartitionNodePages(x,x,x)+1B2j
		xor	ecx, ecx
		mov	[ebp+var_14], ecx
		cmp	edx, [ebp+var_10]
		jz	short loc_64502F
		mov	ecx, [edx]
		mov	eax, edi
		and	eax, 1Fh
		mov	[ebp+var_20], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		jnz	short loc_64502C
		push	20h
		pop	ecx
		sub	ecx, [ebp+var_20]
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_645059
		add	edx, 4
		jmp	short loc_645025
; 

loc_645015:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+1FDj
		cmp	dword ptr [edx], 0
		jnz	short loc_64502F
		add	ecx, 20h
		add	edx, 4
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_645059

loc_645025:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+1E8j
		cmp	edx, [ebp+var_10]
		jb	short loc_645015
		jmp	short loc_64502F
; 

loc_64502C:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+1D8j
		mov	ecx, [ebp+var_14]

loc_64502F:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+1C1j
					; MiActOnPartitionNodePages(x,x,x)+1EDj ...
		mov	edx, [ebp+var_8]
		lea	eax, [ecx+edi]
		mov	edx, [edx+10h]
		mov	[ebp+var_20], edx
		cmp	eax, edx
		jnb	short loc_645056
		mov	edx, [ebp+var_8]
		mov	edx, [edx+14h]

loc_645045:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+229j
		bt	[edx], eax
		jb	short loc_645056
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_645059
		inc	eax
		inc	ecx
		cmp	eax, [ebp+var_20]
		jb	short loc_645045

loc_645056:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+212j
					; MiActOnPartitionNodePages(x,x,x)+21Dj
		cmp	ecx, 0FFFFFFFFh

loc_645059:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+1E3j
					; MiActOnPartitionNodePages(x,x,x)+1F8j ...
		jbe	short loc_64505E
		or	ecx, 0FFFFFFFFh

loc_64505E:				; CODE XREF: MiActOnPartitionNodePages(x,x,x):loc_645059j
		test	ecx, ecx
		jz	loc_644F3B
		mov	edx, [ebp+var_8]
		jmp	loc_644F41
; 

loc_64506E:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+141j
		test	eax, eax
		jnz	short loc_645084
		push	[ebp+var_1C]
		mov	edx, ecx
		mov	ecx, [ebx]
		push	edi
		call	_MiFreePartitionPageRun@16 ; MiFreePartitionPageRun(x,x,x,x)
		jmp	loc_6453C7
; 

loc_645084:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+245j
		cmp	eax, 1
		jnz	short loc_6450AE
		mov	edx, edi
		call	_MiHotRemovePartitionPageRun@8 ; MiHotRemovePartitionPageRun(x,x)
		mov	[ebx+0Ch], eax
		test	eax, eax
		js	loc_6452AF
		mov	eax, [ebp+var_8]
		push	edi
		push	esi
		add	eax, 10h
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		jmp	loc_6453C7
; 

loc_6450AE:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+25Cj
		cmp	eax, 2
		jnz	short loc_6450E0
		mov	esi, 0FFFFFE00h
		lea	edx, [ecx+1FFh]
		and	edx, esi
		lea	eax, [edx+edi]
		and	eax, esi
		cmp	edx, eax
		jnb	loc_6453C7
		mov	ecx, [ebx]
		sub	eax, edx
		push	0
		push	1
		push	eax
		call	MiUpdateLargePageBitMap
		jmp	loc_6453C7
; 

loc_6450E0:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+286j
		cmp	eax, 3
		jnz	short loc_645103
		mov	edx, ecx
		mov	ecx, [ebx]
		push	edi
		call	_MiSplitPfnBitMaps@12 ;	MiSplitPfnBitMaps(x,x,x)
		test	eax, eax
		jnz	loc_6453C7
		mov	dword ptr [ebx+0Ch], 0C000009Ah
		jmp	loc_6453C7
; 

loc_645103:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+2B8j
		cmp	eax, 4
		jnz	short loc_64513B
		mov	esi, [ebx]
		cmp	esi, offset _MiSystemPartition
		jnz	short loc_645125
		push	0
		push	0
		mov	edx, ecx
		mov	ecx, esi
		push	edi
		call	MiUpdateLargePageBitMap
		mov	esi, [ebx]
		mov	ecx, [ebp+var_C]

loc_645125:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+2E5j
		movzx	eax, byte ptr [ebx+8]
		mov	edx, esi
		push	eax
		push	edi
		push	ecx
		mov	ecx, [ebx+4]
		call	_MiTransferPartitionPageRun@20 ; MiTransferPartitionPageRun(x,x,x,x,x)
		jmp	loc_6453C7
; 

loc_64513B:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+2DBj
		cmp	eax, 8
		jnz	loc_6451CF
		mov	eax, [ebx+4]
		cmp	eax, offset _MiSystemPartition
		jz	short loc_64515F
		push	0
		push	0
		mov	edx, ecx
		mov	ecx, eax
		push	edi
		call	MiUpdateLargePageBitMap
		mov	ecx, [ebp+var_C]

loc_64515F:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+321j
		imul	esi, ecx, 1Ch
		mov	cl, 2
		imul	eax, edi, 1Ch
		add	esi, ds:_MmPfnDatabase
		add	eax, esi
		mov	[ebp+var_C], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		add	esi, 10h
		mov	edi, 7FFFFFFFh

loc_645183:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+391j
		and	[ebp+var_20], 0
		jmp	short loc_645196
; 

loc_645189:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+369j
					; MiActOnPartitionNodePages(x,x,x)+370j
		lea	ecx, [ebp+var_20]
		call	KeYieldProcessorEx
		cmp	dword ptr [esi], 0
		jl	short loc_645189

loc_645196:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+35Cj
		lock bts dword ptr [esi], 1Fh
		jb	short loc_645189
		test	byte ptr [esi+7], 40h
		jz	short loc_6451B0
		push	dword ptr [ebx]
		mov	edx, [ebx+4]
		lea	ecx, [esi-10h]
		call	_MiMoveBadPageCrossPartition@12	; MiMoveBadPageCrossPartition(x,x,x)

loc_6451B0:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+376j
		lock and [esi],	edi
		add	esi, 1Ch
		lea	eax, [esi-10h]
		cmp	eax, [ebp+var_C]
		jnz	short loc_645183
		mov	cl, [ebp+var_1]
		mov	edi, [ebp+var_14]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_6453C7
; 

loc_6451CF:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+313j
		cmp	eax, 9
		jnz	loc_6452B6
		mov	ecx, 1000h
		mov	eax, edi
		mul	ecx
		mov	cl, [ebx+0Ah]
		mov	[ebp+var_1], cl
		test	cl, cl
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], edx
		jnz	short loc_64522B
		mov	eax, ecx
		mov	ecx, 1000h
		mul	ecx
		mov	ecx, [ebx]
		mov	[ebp+var_38], eax
		movzx	eax, byte ptr [ebx+9]
		neg	eax
		mov	[ebp+var_34], edx
		lea	edx, [ebp+var_38]
		sbb	eax, eax
		and	eax, 200h
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		call	_MiAddPhysicalMemoryChunks@16 ;	MiAddPhysicalMemoryChunks(x,x,x,x)
		mov	al, [ebx+0Ah]
		mov	edx, [ebp+var_2C]
		mov	[ebp+var_1], al
		mov	eax, [ebp+var_30]

loc_64522B:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+3C7j
		push	0
		mov	ecx, 1000h
		push	ecx
		push	edx
		push	eax
		call	__alldiv
		cmp	[ebp+var_1], 0
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		jnz	short loc_64527C
		cmp	dword ptr [ebx], offset	_MiSystemPartition
		jz	short loc_64527C
		mov	edx, [ebp+var_C]
		add	edx, 1FFh
		and	edx, 0FFFFFE00h
		lea	eax, [edx+ecx]
		and	eax, 0FFFFFE00h
		cmp	edx, eax
		jnb	short loc_64527C
		push	0
		push	1
		sub	eax, edx
		mov	ecx, offset _MiSystemPartition
		push	eax
		call	MiUpdateLargePageBitMap
		mov	ecx, [ebp+var_14]

loc_64527C:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+418j
					; MiActOnPartitionNodePages(x,x,x)+420j ...
		cmp	ecx, edi
		jz	loc_6453C7
		mov	edx, [ebp+var_8]
		add	edx, 10h
		mov	dword ptr [ebx+0Ch], 0C0000001h
		mov	eax, [edx]
		sub	eax, esi
		sub	eax, ecx
		push	eax
		lea	eax, [esi+ecx]
		push	eax
		push	edx
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_6452AC
		inc	dword ptr [ebx+14h]

loc_6452AC:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+47Cj
		add	[ebx+18h], eax

loc_6452AF:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+F2j
					; MiActOnPartitionNodePages(x,x,x)+FBj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_6452B6:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+3A7j
		mov	eax, [ebx]
		sub	[eax+0F48h], edi
		mov	eax, [ebx]
		mov	byte ptr [eax+0Ch], 1
		mov	eax, [ebx]
		mov	eax, [eax+14h]
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_6452F6
		mov	edx, [edx+0Ch]
		and	edx, 7FFFFFFFh

loc_6452D9:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+4C6j
		mov	ecx, [eax+0Ch]
		and	ecx, 7FFFFFFFh
		cmp	edx, ecx
		jb	short loc_6452ED
		jbe	short loc_6452F3
		mov	eax, [eax+4]
		jmp	short loc_6452EF
; 

loc_6452ED:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+4B9j
		mov	eax, [eax]

loc_6452EF:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+4C0j
		test	eax, eax
		jnz	short loc_6452D9

loc_6452F3:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+4BBj
		mov	[ebp+var_14], eax

loc_6452F6:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+4A3j
		push	edi
		add	eax, 10h
		push	esi
		mov	esi, eax
		mov	[ebp+var_C], eax
		push	esi
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	ecx, [esi]
		mov	eax, [esi]
		mov	[ebp+var_C], eax
		test	ecx, ecx
		jz	loc_6453C7
		cmp	eax, 1
		ja	short loc_645328
		mov	eax, [esi+4]
		bt	dword ptr [eax], 0
		jnb	short loc_64536E
		jmp	loc_6453C7
; 

loc_645328:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+4EDj
		cmp	ecx, eax
		jb	loc_6453C7
		mov	edx, [esi+4]
		lea	ecx, [eax-1]
		mov	eax, ecx
		shr	eax, 5
		mov	esi, [edx]
		lea	eax, [edx+eax*4]
		cmp	edx, eax
		jnz	short loc_645353
		push	20h
		pop	ecx
		sub	ecx, [ebp+var_C]
		or	eax, 0FFFFFFFFh
		shr	eax, cl
		test	eax, esi
		jmp	short loc_64536C
; 

loc_645353:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+517j
		test	esi, esi
		jmp	short loc_64535A
; 

loc_645357:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+536j
		cmp	dword ptr [edx], 0

loc_64535A:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+52Aj
		jnz	short loc_6453C7
		add	edx, 4
		cmp	edx, eax
		jnz	short loc_645357
		or	eax, 0FFFFFFFFh
		not	ecx
		shr	eax, cl
		test	[edx], eax

loc_64536C:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+526j
		jnz	short loc_6453C7

loc_64536E:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+4F6j
		mov	eax, [ebx]
		mov	esi, [ebp+var_14]
		add	eax, 14h
		push	esi
		push	eax
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	ecx, [ebx+10h]
		mov	byte ptr [ebp+var_18], 0
		test	ecx, ecx
		jz	short loc_6453B9
		mov	edx, [esi+0Ch]
		mov	eax, 7FFFFFFFh
		and	edx, eax

loc_645392:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+588j
		mov	eax, [ecx+0Ch]
		and	eax, 7FFFFFFFh
		cmp	edx, eax
		jb	short loc_6453AB
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_6453B1
		mov	byte ptr [ebp+var_18], 1
		jmp	short loc_6453B9
; 

loc_6453AB:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+571j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_6453B5

loc_6453B1:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+578j
		mov	ecx, eax
		jmp	short loc_645392
; 

loc_6453B5:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+584j
		mov	byte ptr [ebp+var_18], 0

loc_6453B9:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+55Bj
					; MiActOnPartitionNodePages(x,x,x)+57Ej
		push	esi
		push	[ebp+var_18]
		lea	eax, [ebx+10h]
		push	ecx
		push	eax
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)

loc_6453C7:				; CODE XREF: MiActOnPartitionNodePages(x,x,x)+138j
					; MiActOnPartitionNodePages(x,x,x)+158j ...
		mov	edx, [ebp+var_8]
		inc	dword ptr [ebx+14h]
		add	edx, 10h
		add	[ebx+18h], edi
		mov	eax, [ebp+var_10]
		cmp	eax, [edx]
		jb	loc_644E70
		jmp	loc_6452AF
_MiActOnPartitionNodePages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddMdlToPartitionTree(x, x, x)
_MiAddMdlToPartitionTree@12 proc near	; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+23Ep

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, edx
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	ebx
		push	esi
		mov	ebx, [eax+14h]
		not	ecx
		mov	[ebp+var_10], eax
		and	ecx, 1
		inc	edx
		shr	ebx, 0Ch
		or	eax, 0FFFFFFFFh
		mov	[ebp+arg_0], ecx
		push	edi
		xor	esi, esi
		mov	[ebp+var_8], edx
		xor	edi, edi
		mov	[ebp+var_4], eax
		cmp	esi, ebx

loc_645419:				; CODE XREF: MiAddMdlToPartitionTree(x,x,x)+85j
		jnz	short loc_645421
		test	edi, edi
		jz	short loc_64546A
		jmp	short loc_645446
; 

loc_645421:				; CODE XREF: MiAddMdlToPartitionTree(x,x,x):loc_645419j
		mov	eax, [ebp+var_10]
		mov	ecx, [eax+esi*4+1Ch]
		test	edi, edi
		jnz	short loc_645434
		mov	eax, ecx
		inc	edi
		mov	[ebp+var_4], eax
		jmp	short loc_645462
; 

loc_645434:				; CODE XREF: MiAddMdlToPartitionTree(x,x,x)+47j
		mov	eax, [eax+esi*4+18h]
		inc	eax
		cmp	eax, ecx
		mov	eax, [ebp+var_4]
		jnz	short loc_645443
		inc	edi
		jmp	short loc_645462
; 

loc_645443:				; CODE XREF: MiAddMdlToPartitionTree(x,x,x)+5Bj
		mov	ecx, [ebp+arg_0]

loc_645446:				; CODE XREF: MiAddMdlToPartitionTree(x,x,x)+3Cj
		test	edx, edx
		mov	edx, eax
		jnz	short loc_645474
		mov	ecx, [ebp+var_C]
		push	edi
		call	_MiClearRangeInPartitionTree@12	; MiClearRangeInPartitionTree(x,x,x)

loc_645455:				; CODE XREF: MiAddMdlToPartitionTree(x,x,x)+9Dj
		cmp	esi, ebx
		jz	short loc_64546A
		mov	edx, [ebp+var_8]
		xor	edi, edi
		dec	esi

loc_64545F:				; CODE XREF: MiAddMdlToPartitionTree(x,x,x)+ADj
		mov	eax, [ebp+var_4]

loc_645462:				; CODE XREF: MiAddMdlToPartitionTree(x,x,x)+4Fj
					; MiAddMdlToPartitionTree(x,x,x)+5Ej
		mov	ecx, [ebp+arg_0]
		inc	esi
		cmp	esi, ebx
		jbe	short loc_645419

loc_64546A:				; CODE XREF: MiAddMdlToPartitionTree(x,x,x)+3Aj
					; MiAddMdlToPartitionTree(x,x,x)+74j
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_645474:				; CODE XREF: MiAddMdlToPartitionTree(x,x,x)+67j
		push	ecx
		mov	ecx, [ebp+var_C]
		push	edi
		call	_MiAddRangeToPartitionTree@16 ;	MiAddRangeToPartitionTree(x,x,x,x)
		test	eax, eax
		jnz	short loc_645455
		mov	ebx, esi
		or	esi, 0FFFFFFFFh
		sub	ebx, edi
		xor	edi, edi
		xor	edx, edx
		mov	[ebp+var_8], edx
		jmp	short loc_64545F
_MiAddMdlToPartitionTree@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddRangeToPartitionTree(x, x, x, x)
_MiAddRangeToPartitionTree@16 proc near	; CODE XREF: MiAddMdlToPartitionTree(x,x,x)+96p
					; MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+116p ...

var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		lea	edi, [ebp+var_3C]
		mov	edx, ecx
		mov	[ebp+var_1C], esi
		xor	eax, eax
		mov	[ebp+var_4], edx
		and	[ebp+var_C], eax
		and	[ebp+var_8], eax
		lea	ebx, [esi+1FFh]
		push	6
		pop	ecx
		rep stosd
		mov	edi, [ebp+var_30]
		mov	eax, esi
		mov	ecx, [ebp+arg_0]
		and	eax, 7FFFFE00h
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], ebx

loc_6454D0:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+1D5j
		and	edi, 80000000h
		mov	[ebp+var_18], esi
		or	edi, eax
		mov	eax, edi
		and	eax, 7FFFFFFFh
		sub	ebx, eax
		add	ebx, ecx
		shr	ebx, 9

loc_6454E9:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+1A9j
		test	ebx, ebx
		jz	loc_64566C
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_64551F
		mov	esi, edi
		and	esi, 7FFFFFFFh

loc_6454FF:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+8Bj
		mov	ecx, [eax+0Ch]
		mov	edx, ecx
		and	edx, 7FFFFFFFh
		cmp	esi, edx
		jb	short loc_645519
		jbe	loc_6455AB
		mov	eax, [eax+4]
		jmp	short loc_64551B
; 

loc_645519:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+7Aj
		mov	eax, [eax]

loc_64551B:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+85j
		test	eax, eax
		jnz	short loc_6454FF

loc_64551F:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+63j
					; MiAddRangeToPartitionTree(x,x,x,x)+11Bj
		push	0
		push	40h
		push	18h
		mov	edx, 7070694Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_645648
		push	0
		push	40h
		push	40h
		mov	edx, 6270694Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jz	loc_645640
		lea	ecx, [esi+10h]
		mov	[ecx+4], eax
		mov	eax, 7FFFFFFFh
		mov	dword ptr [ecx], 200h
		mov	[ebp+var_14], ecx
		mov	ecx, [esi+0Ch]
		xor	ecx, edi
		and	ecx, eax
		xor	ecx, [esi+0Ch]
		cmp	[ebp+arg_4], 1
		mov	[esi+0Ch], ecx
		jnz	short loc_645583
		or	ecx, 80000000h
		mov	[esi+0Ch], ecx

loc_645583:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+E6j
		mov	edx, [ebp+var_4]
		mov	byte ptr [ebp+var_10], 0
		mov	edx, [edx]
		test	edx, edx
		jz	short loc_6455D8
		and	ecx, eax

loc_645592:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+140j
		mov	eax, [edx+0Ch]
		and	eax, 7FFFFFFFh
		cmp	ecx, eax
		jb	short loc_6455CA
		mov	eax, [edx+4]
		test	eax, eax
		jnz	short loc_6455D0
		mov	byte ptr [ebp+var_10], 1
		jmp	short loc_6455D8
; 

loc_6455AB:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+7Cj
		test	eax, eax
		jz	loc_64551F
		lea	esi, [eax+10h]
		mov	[ebp+var_14], esi
		test	ecx, ecx
		jns	short loc_6455C3
		cmp	[ebp+arg_4], 1
		jz	short loc_6455E8

loc_6455C3:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+129j
		mov	[eax+0Ch], edx
		mov	ecx, edx
		jmp	short loc_6455E8
; 

loc_6455CA:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+10Aj
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_6455D4

loc_6455D0:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+111j
		mov	edx, eax
		jmp	short loc_645592
; 

loc_6455D4:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+13Cj
		mov	byte ptr [ebp+var_10], 0

loc_6455D8:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+FCj
					; MiAddRangeToPartitionTree(x,x,x,x)+117j
		push	esi
		push	[ebp+var_10]
		push	edx
		push	[ebp+var_4]
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		mov	ecx, [esi+0Ch]

loc_6455E8:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+12Fj
					; MiAddRangeToPartitionTree(x,x,x,x)+136j
		mov	edx, [ebp+var_18]
		and	ecx, 7FFFFFFFh
		mov	eax, [ebp+arg_0]
		mov	esi, ecx
		sub	esi, edx
		add	esi, 200h
		cmp	esi, eax
		jbe	short loc_645604
		mov	esi, eax

loc_645604:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+16Ej
		mov	eax, edx
		sub	eax, ecx
		cmp	[ebp+var_C], 0
		push	esi
		push	eax
		push	[ebp+var_14]
		jnz	short loc_64561D
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		add	[ebp+var_8], esi
		jmp	short loc_645622
; 

loc_64561D:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+17Fj
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)

loc_645622:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+189j
		add	[ebp+var_18], esi
		lea	eax, [edi+200h]
		sub	[ebp+arg_0], esi
		xor	eax, edi
		mov	edx, [ebp+var_4]
		and	eax, 7FFFFFFFh
		dec	ebx
		xor	edi, eax
		jmp	loc_6454E9
; 

loc_645640:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+BBj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_645648:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+A2j
		mov	edx, [ebp+var_8]
		mov	[ebp+var_C], 1
		test	edx, edx
		jz	short loc_645672
		mov	esi, [ebp+var_1C]
		mov	ecx, edx
		mov	edx, [ebp+var_4]
		mov	eax, [ebp+var_20]
		mov	ebx, [ebp+var_24]
		mov	[ebp+arg_0], ecx
		jmp	loc_6454D0
; 

loc_64566C:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+59j
		cmp	[ebp+var_C], 1
		jnz	short loc_645676

loc_645672:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+1C2j
		xor	eax, eax
		jmp	short loc_645679
; 

loc_645676:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+1DEj
		xor	eax, eax
		inc	eax

loc_645679:				; CODE XREF: MiAddRangeToPartitionTree(x,x,x,x)+1E2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiAddRangeToPartitionTree@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiClearPartitionPageBitMap(x, x)
_MiClearPartitionPageBitMap@8 proc near	; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+C6p

var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 48h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_48]
		mov	esi, edx
		mov	edx, ecx
		push	8
		pop	ecx
		rep stosd
		and	[ebp+var_38], eax
		mov	eax, large fs:124h
		mov	[ebp+var_C], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_28], eax
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [edx+6Ch]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_C]
		add	eax, 70h
		push	eax
		mov	[ebp+var_10], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [esi]
		xor	edi, edi
		mov	byte ptr [ebp+var_4+3],	al
		jmp	short loc_6456EF
; 

loc_6456EB:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+71j
		mov	edi, ecx
		mov	ecx, [ecx]

loc_6456EF:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+69j
		test	ecx, ecx
		jnz	short loc_6456EB
		jmp	short loc_645730
; 

loc_6456F5:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+B2j
		mov	eax, [edi+4]
		mov	esi, edi
		mov	ecx, edi
		test	eax, eax
		jz	short loc_64571A
		mov	edi, eax
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_645722

loc_645708:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+90j
		mov	eax, [ecx]
		mov	edi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_645708
		jmp	short loc_645722
; 

loc_645714:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+A0j
		cmp	[edi], ecx
		jz	short loc_645722
		mov	ecx, edi

loc_64571A:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+7Ej
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		jnz	short loc_645714

loc_645722:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+86j
					; MiClearPartitionPageBitMap(x,x)+92j ...
		lea	eax, [ebp+var_48]
		mov	ecx, esi
		push	eax
		push	7
		pop	edx
		call	_MiActOnPartitionNodePages@12 ;	MiActOnPartitionNodePages(x,x,x)

loc_645730:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+73j
		test	edi, edi
		jnz	short loc_6456F5
		push	[ebp+var_10]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_C]
		lea	edx, [ebp+var_38]
		push	1
		push	edi
		call	_MiFreePartitionTree@16	; MiFreePartitionTree(x,x,x,x)
		mov	ecx, [ebp+var_8]
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_645770
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]

loc_645770:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+E6j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_645901
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_6457A9
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_6457B7

loc_6457A9:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+11Ej
		cmp	ecx, [ebp+var_20]
		jb	short loc_6457CA
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_6457CA

loc_6457B7:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+127j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax

loc_6457CA:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+12Cj
					; MiClearPartitionPageBitMap(x,x)+135j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_645816
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_645888
		mov	eax, [ebp+var_8]
		push	ecx
		push	[ebp+var_C]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_645816:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+173j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_64582C
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_64582C:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+1A2j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_645876
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_645888
; 

loc_645876:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+1E2j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]

loc_645888:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+17Dj
					; MiClearPartitionPageBitMap(x,x)+1F4j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_6458E9
		test	edi, 8000h
		jz	short loc_6458AC
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6458AC:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+221j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_6458BC
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6458BC:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+230j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_6458D0
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_6458D0:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+243j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_6458E9
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_6458E9:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+219j
					; MiClearPartitionPageBitMap(x,x)+25Aj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_645901
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_645901
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_645901:				; CODE XREF: MiClearPartitionPageBitMap(x,x)+FBj
					; MiClearPartitionPageBitMap(x,x)+272j	...
		mov	ecx, [ebp+var_28]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_MiClearPartitionPageBitMap@8 endp ; sp	=  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiClearRangeInPartitionTree(x, x, x)
_MiClearRangeInPartitionTree@12	proc near ; CODE XREF: MiAddMdlToPartitionTree(x,x,x)+6Dp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		mov	ecx, [ebp+arg_0]
		mov	ebx, edx
		and	ebx, 7FFFFE00h
		mov	[ebp+var_10], esi
		mov	eax, edx
		add	ecx, 1FFh
		sub	eax, ebx
		add	ecx, eax
		shr	ecx, 9
		mov	[ebp+var_C], ecx
		push	edi
		test	ecx, ecx
		jz	loc_645A60
		mov	edi, 7FFFFFFFh

loc_64594F:				; CODE XREF: MiClearRangeInPartitionTree(x,x,x)+148j
		mov	esi, [esi]
		test	esi, esi
		jz	short loc_64596F
		mov	ecx, ebx
		and	ecx, edi

loc_645959:				; CODE XREF: MiClearRangeInPartitionTree(x,x,x)+5Bj
		mov	eax, [esi+0Ch]
		and	eax, edi
		cmp	ecx, eax
		jb	short loc_645969
		jbe	short loc_64596F
		mov	esi, [esi+4]
		jmp	short loc_64596B
; 

loc_645969:				; CODE XREF: MiClearRangeInPartitionTree(x,x,x)+4Ej
		mov	esi, [esi]

loc_64596B:				; CODE XREF: MiClearRangeInPartitionTree(x,x,x)+55j
		test	esi, esi
		jnz	short loc_645959

loc_64596F:				; CODE XREF: MiClearRangeInPartitionTree(x,x,x)+41j
					; MiClearRangeInPartitionTree(x,x,x)+50j
		mov	ecx, [esi+0Ch]
		lea	edi, [esi+10h]
		and	ecx, 7FFFFFFFh
		mov	eax, ecx
		sub	eax, edx
		add	eax, 200h
		mov	[ebp+var_4], eax
		cmp	eax, [ebp+arg_0]
		jbe	short loc_645992
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], eax

loc_645992:				; CODE XREF: MiClearRangeInPartitionTree(x,x,x)+78j
		push	eax
		sub	edx, ecx
		push	edx
		push	edi
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	ecx, [edi]
		mov	eax, [edi]
		mov	[ebp+var_14], eax
		test	ecx, ecx
		jz	loc_645A2F
		cmp	eax, 1
		ja	short loc_6459C2
		mov	eax, [edi+4]
		bt	dword ptr [eax], 0
		setb	dl
		neg	dl
		sbb	dl, dl

loc_6459BE:				; CODE XREF: MiClearRangeInPartitionTree(x,x,x)+D9j
		inc	dl
		jmp	short loc_645A0F
; 

loc_6459C2:				; CODE XREF: MiClearRangeInPartitionTree(x,x,x)+9Cj
		cmp	ecx, eax
		jb	short loc_645A2F
		mov	edi, [edi+4]
		lea	ecx, [eax-1]
		mov	eax, ecx
		shr	eax, 5
		mov	edx, [edi]
		lea	eax, [edi+eax*4]
		cmp	edi, eax
		jnz	short loc_6459ED
		push	20h
		pop	ecx
		sub	ecx, [ebp+var_14]
		or	eax, 0FFFFFFFFh
		shr	eax, cl
		and	edx, eax
		neg	edx
		sbb	dl, dl
		jmp	short loc_6459BE
; 

loc_6459ED:				; CODE XREF: MiClearRangeInPartitionTree(x,x,x)+C6j
		test	edx, edx
		jmp	short loc_6459F4
; 

loc_6459F1:				; CODE XREF: MiClearRangeInPartitionTree(x,x,x)+E9j
		cmp	dword ptr [edi], 0

loc_6459F4:				; CODE XREF: MiClearRangeInPartitionTree(x,x,x)+DDj
		jnz	short loc_645A2F
		add	edi, 4
		cmp	edi, eax
		jnz	short loc_6459F1
		not	ecx
		or	eax, 0FFFFFFFFh
		shr	eax, cl
		mov	ecx, [edi]
		and	ecx, eax
		neg	ecx
		sbb	cl, cl
		lea	edx, [ecx+1]

loc_645A0F:				; CODE XREF: MiClearRangeInPartitionTree(x,x,x)+AEj
		cmp	dl, 1
		jnz	short loc_645A2F
		push	esi
		push	[ebp+var_10]
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		push	0
		push	dword ptr [esi+14h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_645A2F:				; CODE XREF: MiClearRangeInPartitionTree(x,x,x)+93j
					; MiClearRangeInPartitionTree(x,x,x)+B2j ...
		mov	eax, [ebp+var_4]
		mov	edi, 7FFFFFFFh
		sub	[ebp+arg_0], eax
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		add	edx, eax
		mov	esi, [ebp+var_10]
		lea	eax, [ebx+200h]
		xor	eax, ebx
		mov	[ebp+var_8], edx
		and	eax, edi
		dec	ecx
		xor	ebx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jnz	loc_64594F

loc_645A60:				; CODE XREF: MiClearRangeInPartitionTree(x,x,x)+32j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiClearRangeInPartitionTree@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeletePartitionResources(x)
_MiDeletePartitionResources@4 proc near	; CODE XREF: MiDeletePartition(x)+11p

var_6E		= byte ptr -6Eh
var_6D		= byte ptr -6Dh
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_5A		= byte ptr -5Ah
var_59		= byte ptr -59h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 58h
		and	[esp+58h+var_48], 0
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [esp+60h+var_C]
		mov	[esp+60h+var_4C], ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, ecx
		lea	edx, [eax+1]
		mov	ecx, [edi+64h]
		call	_CcExitPartition@8 ; CcExitPartition(x,x)
		xor	eax, eax
		push	0
		inc	eax
		push	eax
		lea	eax, [edi+3Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	eax, eax
		inc	eax
		cmp	[edi+0F50h], al
		jnz	short loc_645AD6
		lea	esi, [edi+1040h]
		xor	edx, edx
		mov	ecx, esi
		call	MiUnlinkWorkingSet
		mov	edx, [esi+3Ch]
		mov	ecx, edi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_645AD6
		lea	ecx, [edi+1000h]
		lock xadd [ecx], eax

loc_645AD6:				; CODE XREF: MiDeletePartitionResources(x)+46j
					; MiDeletePartitionResources(x)+63j
		lea	esi, [edi+4Ch]
		mov	eax, [esi]
		test	eax, eax
		jz	loc_645B89
		xor	edx, edx
		lea	ecx, [esp+60h+var_44]
		push	edx
		push	ecx
		push	edx
		push	ds:_PsThreadType
		mov	[esp+70h+var_44], edx
		push	1FFFFFh
		push	eax
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		lea	ecx, [edi+0A80h]
		lea	edx, [esp+60h+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	eax, eax
		push	0Ch
		push	[esp+64h+var_44]
		inc	eax
		mov	[edi+0DB4h], al
		call	KeSetActualBasePriorityThread
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_645B3D
		mov	edx, [ebp+4]
		lea	ecx, [esp+60h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_645B71
; 

loc_645B3D:				; CODE XREF: MiDeletePartitionResources(x)+C6j
		mov	eax, [esp+60h+var_C]
		test	eax, eax
		jnz	short loc_645B60
		mov	edx, [esp+60h+var_8]
		lea	eax, [esp+60h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+60h+var_C]
		cmp	eax, ecx
		jz	short loc_645B71
		call	KxWaitForLockChainValid

loc_645B60:				; CODE XREF: MiDeletePartitionResources(x)+DCj
		xor	ecx, ecx
		mov	[esp+60h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_645B71:				; CODE XREF: MiDeletePartitionResources(x)+D4j
					; MiDeletePartitionResources(x)+F2j
		mov	cl, [esp+60h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esp+60h+var_44]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag

loc_645B89:				; CODE XREF: MiDeletePartitionResources(x)+76j
		push	6
		pop	ecx
		mov	[esp+60h+var_3C], ecx

loc_645B90:				; CODE XREF: MiDeletePartitionResources(x)+156j
		mov	eax, [esi]
		mov	[esp+60h+var_34], eax
		test	eax, eax
		jz	short loc_645BB3
		push	0
		push	0
		push	eax
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		push	0
		push	[esp+64h+var_34]
		call	ObCloseHandle
		mov	ecx, [esp+60h+var_3C]

loc_645BB3:				; CODE XREF: MiDeletePartitionResources(x)+131j
		add	esi, 4
		sub	ecx, 1
		mov	[esp+60h+var_3C], ecx
		jnz	short loc_645B90
		mov	ecx, edi
		call	_MiFreeClonePool@4 ; MiFreeClonePool(x)
		mov	eax, [edi+64h]
		mov	ecx, edi
		mov	eax, [eax+1Ch]
		mov	esi, [eax]
		mov	[esp+60h+var_34], esi
		call	_MiDeletePagingFiles@4 ; MiDeletePagingFiles(x)
		sub	[edi+1114h], eax
		mov	edx, offset _MiDeleteSlabAllocator@12 ;	MiDeleteSlabAllocator(x,x,x)
		push	0
		mov	ecx, edi
		call	_MiEnumerateSlabAllocators@12 ;	MiEnumerateSlabAllocators(x,x,x)
		mov	eax, large fs:124h
		mov	[esp+60h+var_10], eax
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [edi+6Ch]
		xor	edx, edx
		mov	ecx, eax
		mov	[esp+60h+var_50], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+64h]
		xor	edx, edx
		mov	eax, [eax+1Ch]
		mov	ecx, [eax]
		lea	ecx, [ecx+6Ch]
		call	ExAcquirePushLockExclusiveEx
		mov	edx, esi
		mov	ecx, edi
		call	_MiFreePartitionPhysicalPages@8	; MiFreePartitionPhysicalPages(x,x)
		lea	eax, [edi+14h]
		mov	[esp+60h+var_38], eax
		cmp	esi, offset _MiSystemPartition
		jnz	short loc_645CA5
		xor	esi, esi
		jmp	short loc_645C3F
; 

loc_645C3D:				; CODE XREF: MiDeletePartitionResources(x)+1DCj
		mov	esi, eax

loc_645C3F:				; CODE XREF: MiDeletePartitionResources(x)+1D4j
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_645C3D
		test	esi, esi
		jz	loc_645D92
		mov	edi, [esp+60h+var_38]

loc_645C51:				; CODE XREF: MiDeletePartitionResources(x)+233j
		mov	eax, [esi+4]
		mov	ecx, esi
		mov	[esp+60h+var_3C], ecx
		mov	edx, esi
		test	eax, eax
		jz	short loc_645C70

loc_645C60:				; CODE XREF: MiDeletePartitionResources(x)+1FFj
		mov	esi, eax
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_645C60
		jmp	short loc_645C78
; 

loc_645C6A:				; CODE XREF: MiDeletePartitionResources(x)+20Fj
		cmp	[esi], edx
		jz	short loc_645C78
		mov	edx, esi

loc_645C70:				; CODE XREF: MiDeletePartitionResources(x)+1F7j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_645C6A

loc_645C78:				; CODE XREF: MiDeletePartitionResources(x)+201j
					; MiDeletePartitionResources(x)+205j
		push	ecx
		push	edi
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	eax, [esp+68h+var_44]
		push	0
		push	dword ptr [eax+14h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	[esp+6Ch+var_44]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jnz	short loc_645C51
		mov	edi, [esp+68h+var_54]
		jmp	loc_645D92
; 

loc_645CA5:				; CODE XREF: MiDeletePartitionResources(x)+1D0j
		lea	eax, [esi+70h]
		push	eax
		mov	[esp+64h+var_30], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [edi+14h]
		xor	esi, esi
		mov	byte ptr [esp+60h+var_54+3], al
		jmp	short loc_645CC1
; 

loc_645CBD:				; CODE XREF: MiDeletePartitionResources(x)+25Cj
		mov	esi, ecx
		mov	ecx, [ecx]

loc_645CC1:				; CODE XREF: MiDeletePartitionResources(x)+254j
		test	ecx, ecx
		jnz	short loc_645CBD
		test	esi, esi
		jz	loc_645D76
		mov	edi, [esp+60h+var_34]

loc_645CD1:				; CODE XREF: MiDeletePartitionResources(x)+305j
		mov	eax, [esi+4]
		mov	ecx, esi
		mov	[esp+60h+var_40], ecx
		mov	edx, esi
		test	eax, eax
		jz	short loc_645CF0

loc_645CE0:				; CODE XREF: MiDeletePartitionResources(x)+27Fj
		mov	esi, eax
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_645CE0
		jmp	short loc_645CF8
; 

loc_645CEA:				; CODE XREF: MiDeletePartitionResources(x)+28Fj
		cmp	[esi], edx
		jz	short loc_645CF8
		mov	edx, esi

loc_645CF0:				; CODE XREF: MiDeletePartitionResources(x)+277j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_645CEA

loc_645CF8:				; CODE XREF: MiDeletePartitionResources(x)+281j
					; MiDeletePartitionResources(x)+285j
		push	ecx
		push	[esp+64h+var_38]
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	edx, [esp+68h+var_48]
		mov	ecx, edi
		call	_MiMergePageNodes@8 ; MiMergePageNodes(x,x)
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jnz	short loc_645D6A
		mov	ecx, [esp+68h+var_50]
		mov	byte ptr [esp+68h+var_44], 0
		test	ecx, ecx
		jz	short loc_645D57
		mov	eax, [esp+68h+var_48]
		mov	edx, [eax+0Ch]
		and	edx, 7FFFFFFFh

loc_645D2E:				; CODE XREF: MiDeletePartitionResources(x)+2E9j
		mov	eax, [ecx+0Ch]
		and	eax, 7FFFFFFFh
		cmp	edx, eax
		jb	short loc_645D48
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_645D4E
		inc	eax
		mov	byte ptr [esp+68h+var_44], al
		jmp	short loc_645D57
; 

loc_645D48:				; CODE XREF: MiDeletePartitionResources(x)+2D1j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_645D52

loc_645D4E:				; CODE XREF: MiDeletePartitionResources(x)+2D8j
		mov	ecx, eax
		jmp	short loc_645D2E
; 

loc_645D52:				; CODE XREF: MiDeletePartitionResources(x)+2E5j
		mov	byte ptr [esp+68h+var_44], 0

loc_645D57:				; CODE XREF: MiDeletePartitionResources(x)+2B8j
					; MiDeletePartitionResources(x)+2DFj
		push	[esp+68h+var_48]
		lea	eax, [esp+6Ch+var_50]
		push	[esp+6Ch+var_44]
		push	ecx
		push	eax
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)

loc_645D6A:				; CODE XREF: MiDeletePartitionResources(x)+2ABj
		test	esi, esi
		jnz	loc_645CD1
		mov	edi, [esp+68h+var_54]

loc_645D76:				; CODE XREF: MiDeletePartitionResources(x)+260j
		push	[esp+68h+var_38]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+68h+var_59]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esp+68h+var_3C]
		call	_MiMakePartitionMemoryBlock@4 ;	MiMakePartitionMemoryBlock(x)

loc_645D92:				; CODE XREF: MiDeletePartitionResources(x)+1E0j
					; MiDeletePartitionResources(x)+239j
		mov	eax, [edi+64h]
		mov	eax, [eax+1Ch]
		mov	edx, [eax]
		or	eax, 0FFFFFFFFh
		add	edx, 6Ch
		mov	[esp+68h+var_48], eax
		mov	[esp+68h+var_44], edx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_645DBD
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [esp+68h+var_44]

loc_645DBD:				; CODE XREF: MiDeletePartitionResources(x)+349j
		xor	edi, edi
		mov	[esp+68h+var_40], edi
		test	edx, 7FFFFFFCh
		jz	loc_645F6B
		mov	esi, large fs:124h
		mov	ecx, edx
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[esp+68h+var_28], esi
		mov	[esp+68h+var_38], eax
		cmp	edx, eax
		jb	short loc_645E08
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_645E0D
		mov	eax, [esp+68h+var_38]
		cmp	edx, eax
		jb	short loc_645E08
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_645E0D

loc_645E08:				; CODE XREF: MiDeletePartitionResources(x)+383j
					; MiDeletePartitionResources(x)+396j
		or	eax, 0FFFFFFFFh
		jmp	short loc_645E18
; 

loc_645E0D:				; CODE XREF: MiDeletePartitionResources(x)+38Ej
					; MiDeletePartitionResources(x)+39Fj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_645E18:				; CODE XREF: MiDeletePartitionResources(x)+3A4j
		dec	word ptr [esi+13Eh]
		mov	[esp+68h+var_3C], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	[esp+68h+var_59], cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+68h+var_38], ecx
		test	ecx, ecx
		jnz	short loc_645E69
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_645ED8
		push	ecx
		push	[esp+6Ch+var_3C]
		push	[esp+70h+var_44]

loc_645E5E:				; CODE XREF: MiDeletePartitionResources(x)+5C4j
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_645E69:				; CODE XREF: MiDeletePartitionResources(x)+3DEj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_645E80
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+7Ch+var_4C]

loc_645E80:				; CODE XREF: MiDeletePartitionResources(x)+40Ej
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+7Ch+var_54], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		xor	ecx, ecx
		lea	edx, [ecx+1]
		mov	ecx, eax
		xor	eax, eax
		shl	dl, cl
		inc	eax
		cmp	[esp+7Ch+var_6D], al
		jnz	short loc_645ECB
		or	[esi+1E4h], dl
		jmp	short loc_645ED8
; 

loc_645ECB:				; CODE XREF: MiDeletePartitionResources(x)+45Aj
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [esp+7Ch+var_3C]

loc_645ED8:				; CODE XREF: MiDeletePartitionResources(x)+3E8j
					; MiDeletePartitionResources(x)+462j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+7Ch+var_3C], eax
		jz	short loc_645F45
		test	edi, 8000h
		jz	short loc_645EFD
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_645EFD:				; CODE XREF: MiDeletePartitionResources(x)+48Bj
		xor	eax, eax
		inc	eax
		test	byte ptr [esp+7Ch+var_54+2], al
		jz	short loc_645F16
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_645F16:				; CODE XREF: MiDeletePartitionResources(x)+49Dj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_645F2A
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_645F2A:				; CODE XREF: MiDeletePartitionResources(x)+4B6j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_645F45
		push	[esp+7Ch+var_3C]
		mov	edx, [esp+80h+var_58]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_645F45:				; CODE XREF: MiDeletePartitionResources(x)+483j
					; MiDeletePartitionResources(x)+4CDj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_645F6B
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_645F6B
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_645F6B:				; CODE XREF: MiDeletePartitionResources(x)+362j
					; MiDeletePartitionResources(x)+4F5j ...
		mov	ecx, [esp+7Ch+var_6C]
		or	edx, 0FFFFFFFFh
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_645F8A
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [esp+7Ch+var_6C]
		or	edx, 0FFFFFFFFh

loc_645F8A:				; CODE XREF: MiDeletePartitionResources(x)+515j
		xor	edi, edi
		mov	[esp+7Ch+var_50], edi
		test	ecx, 7FFFFFFCh
		jz	loc_646132
		mov	esi, large fs:124h
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[esp+7Ch+var_4C], esi
		mov	[esp+7Ch+var_3C], eax
		cmp	[esp+7Ch+var_6C], eax
		jb	short loc_645FE8
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_645FD7
		mov	eax, [esp+7Ch+var_3C]
		cmp	[esp+7Ch+var_6C], eax
		jb	short loc_645FE8
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_645FE8

loc_645FD7:				; CODE XREF: MiDeletePartitionResources(x)+55Bj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[esp+20h], edx

loc_645FE8:				; CODE XREF: MiDeletePartitionResources(x)+550j
					; MiDeletePartitionResources(x)+565j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, [esp+80h+var_6C]
		mov	[esp+80h+var_6D], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+7Ch+var_3C], ecx
		test	ecx, ecx
		jnz	short loc_646030
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_64609F
		mov	eax, [esp+20h]
		push	ecx
		push	eax
		push	[esp+84h+var_6C]
		jmp	loc_645E5E
; 

loc_646030:				; CODE XREF: MiDeletePartitionResources(x)+5AEj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_646047
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+7Ch+var_3C]

loc_646047:				; CODE XREF: MiDeletePartitionResources(x)+5D5j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+7Ch+var_50], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		xor	ecx, ecx
		lea	edx, [ecx+1]
		mov	ecx, eax
		xor	eax, eax
		shl	dl, cl
		inc	eax
		cmp	[esp+7Ch+var_6D], al
		jnz	short loc_646092
		or	[esi+1E4h], dl
		jmp	short loc_64609F
; 

loc_646092:				; CODE XREF: MiDeletePartitionResources(x)+621j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [esp+7Ch+var_4C]

loc_64609F:				; CODE XREF: MiDeletePartitionResources(x)+5B8j
					; MiDeletePartitionResources(x)+629j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+7Ch+var_3C], eax
		jz	short loc_64610C
		test	edi, 8000h
		jz	short loc_6460C4
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6460C4:				; CODE XREF: MiDeletePartitionResources(x)+652j
		xor	eax, eax
		inc	eax
		test	byte ptr [esp+7Ch+var_50+2], al
		jz	short loc_6460DD
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_6460DD:				; CODE XREF: MiDeletePartitionResources(x)+664j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_6460F1
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_6460F1:				; CODE XREF: MiDeletePartitionResources(x)+67Dj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_64610C
		push	[esp+7Ch+var_3C]
		mov	edx, [esp+80h+var_6C]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_64610C:				; CODE XREF: MiDeletePartitionResources(x)+64Aj
					; MiDeletePartitionResources(x)+694j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_646132
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_646132
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_646132:				; CODE XREF: MiDeletePartitionResources(x)+52Fj
					; MiDeletePartitionResources(x)+6BCj ...
		mov	ecx, [esp+7Ch+var_2C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [esp+7Ch+var_64]
		xor	esi, esi
		jmp	short loc_646147
; 

loc_646143:				; CODE XREF: MiDeletePartitionResources(x)+6E2j
		mov	esi, eax
		mov	eax, [eax]

loc_646147:				; CODE XREF: MiDeletePartitionResources(x)+6DAj
		test	eax, eax
		jnz	short loc_646143
		jmp	short loc_64618D
; 

loc_64614D:				; CODE XREF: MiDeletePartitionResources(x)+728j
		mov	eax, [esi+4]
		mov	edi, esi
		mov	ecx, esi
		test	eax, eax
		jz	short loc_646168

loc_646158:				; CODE XREF: MiDeletePartitionResources(x)+6F7j
		mov	esi, eax
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_646158
		jmp	short loc_646170
; 

loc_646162:				; CODE XREF: MiDeletePartitionResources(x)+707j
		cmp	[esi], ecx
		jz	short loc_646170
		mov	ecx, esi

loc_646168:				; CODE XREF: MiDeletePartitionResources(x)+6EFj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_646162

loc_646170:				; CODE XREF: MiDeletePartitionResources(x)+6F9j
					; MiDeletePartitionResources(x)+6FDj
		push	edi
		lea	eax, [esp+80h+var_64]
		push	eax
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		push	0
		push	dword ptr [edi+14h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_64618D:				; CODE XREF: MiDeletePartitionResources(x)+6E4j
		test	esi, esi
		jnz	short loc_64614D
		mov	esi, [esp+14h]
		mov	eax, [esi+0F00h]
		test	eax, eax
		jz	short loc_6461AE
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+0F00h], 0

loc_6461AE:				; CODE XREF: MiDeletePartitionResources(x)+736j
		mov	ecx, [esi+38h]
		test	ecx, ecx
		jz	short loc_6461BC
		xor	edx, edx
		call	MiDereferencePageRunsEx

loc_6461BC:				; CODE XREF: MiDeletePartitionResources(x)+74Cj
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_6461CA
		xor	edx, edx
		call	MiDereferencePageRunsEx

loc_6461CA:				; CODE XREF: MiDeletePartitionResources(x)+75Aj
		mov	ecx, esi
		call	_MiDeletePfnBitMaps@4 ;	MiDeletePfnBitMaps(x)
		lea	eax, [esi+78h]
		mov	[esp+84h+var_58], 0Bh
		lea	edi, [esi+90h]
		mov	esi, eax

loc_6461E4:				; CODE XREF: MiDeletePartitionResources(x)+7A4j
		mov	eax, [edi+2Ch]
		test	eax, eax
		jz	short loc_6461F3
		push	0
		push	eax
		call	ObCloseHandle

loc_6461F3:				; CODE XREF: MiDeletePartitionResources(x)+782j
		mov	ecx, [edi]
		cmp	ecx, esi
		jz	short loc_646203
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag

loc_646203:				; CODE XREF: MiDeletePartitionResources(x)+790j
		add	edi, 4
		sub	[esp+84h+var_58], 1
		jnz	short loc_6461E4
		mov	esi, [esp+14h]
		mov	eax, [esi+518h]
		test	eax, eax
		jz	short loc_646221
		push	eax
		call	_ExFreeCacheAwareRundownProtection@4 ; ExFreeCacheAwareRundownProtection(x)

loc_646221:				; CODE XREF: MiDeletePartitionResources(x)+7B2j
		mov	eax, [esi+8Ch]
		test	eax, eax
		jz	short loc_646233
		push	0
		push	eax
		call	ObCloseHandle

loc_646233:				; CODE XREF: MiDeletePartitionResources(x)+7C2j
		mov	eax, [esi+88h]
		test	eax, eax
		jz	short loc_646245
		push	0
		push	eax
		call	ObCloseHandle

loc_646245:				; CODE XREF: MiDeletePartitionResources(x)+7D4j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_MiDeletePartitionResources@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDrainCrossPartitionUsage(x)
_MiDrainCrossPartitionUsage@4 proc near	; CODE XREF: MiDeletePartition(x)+Ap

var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+30h+var_1C]
		mov	esi, ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+30h+var_10]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+30h+var_10]
		xor	edi, edi
		push	edi
		push	edi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	edx, [esp+30h+var_1C]
		mov	ecx, offset dword_6D2FF0
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		lea	ebx, [esi+340h]
		push	ebx
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		xor	eax, eax
		inc	eax
		or	[esi+4], eax
		lea	eax, [esp+30h+var_10]
		push	ebx
		mov	[esi+510h], eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		test	ds:byte_70EFC6,	1
		jz	short loc_6462C3
		mov	edx, [ebp+4]
		lea	ecx, [esp+30h+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6462F3
; 

loc_6462C3:				; CODE XREF: MiDrainCrossPartitionUsage(x)+68j
		mov	eax, [esp+30h+var_1C]
		test	eax, eax
		jnz	short loc_6462E6
		mov	edx, [esp+30h+var_18]
		lea	eax, [esp+30h+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+30h+var_1C]
		cmp	eax, ecx
		jz	short loc_6462F3
		call	KxWaitForLockChainValid

loc_6462E6:				; CODE XREF: MiDrainCrossPartitionUsage(x)+7Ej
		xor	ecx, ecx
		mov	[esp+30h+var_1C], edi
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_6462F3:				; CODE XREF: MiDrainCrossPartitionUsage(x)+76j
					; MiDrainCrossPartitionUsage(x)+94j
		mov	cl, [esp+30h+var_14]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		lea	edx, [esi+350h]
		mov	ecx, esi
		call	MiDecrementControlAreaCount
		lea	edx, [esi+348h]
		mov	ecx, esi
		call	MiDecrementControlAreaCount
		mov	ecx, esi
		call	_MiMakeUnusedSegmentDeleteOnClose@4 ; MiMakeUnusedSegmentDeleteOnClose(x)
		mov	ecx, [esi+64h]
		xor	edx, edx
		call	_CcExitPartition@8 ; CcExitPartition(x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+40h+var_10]
		push	eax
		call	KeWaitForSingleObject
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	[esp+30h+var_1D], al
		lea	ecx, [esi+49Ch]
		xor	edx, edx

loc_64634C:				; CODE XREF: MiDrainCrossPartitionUsage(x)+10Dj
		cmp	dword ptr [ecx], 0
		jnz	short loc_64635C
		inc	edx
		add	ecx, 10h
		cmp	edx, 7
		jl	short loc_64634C
		jmp	short loc_646370
; 

loc_64635C:				; CODE XREF: MiDrainCrossPartitionUsage(x)+104j
		lea	eax, [esp+30h+var_10]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		lea	eax, [esp+30h+var_10]
		mov	[esi+50Ch], eax

loc_646370:				; CODE XREF: MiDrainCrossPartitionUsage(x)+10Fj
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+30h+var_1D]
		call	edi
		xor	ebx, ebx
		lea	eax, [esp+30h+var_10]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	eax
		call	KeWaitForSingleObject
		lea	eax, [esp+30h+var_10]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		lea	eax, [esp+30h+var_10]
		mov	ecx, esi
		mov	[esi+514h], eax
		call	MiDecrementCloneHeaderCount
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+40h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, [esi+518h]
		test	ecx, ecx
		jz	short loc_6463C4
		call	@ExWaitForRundownProtectionReleaseCacheAware@4 ; ExWaitForRundownProtectionReleaseCacheAware(x)

loc_6463C4:				; CODE XREF: MiDrainCrossPartitionUsage(x)+172j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiDrainCrossPartitionUsage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreePartitionNodePages(x,	x, x)
_MiFreePartitionNodePages@12 proc near	; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+2BEp
					; MiFreePartitionTree(x,x,x,x)+27p

var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		push	8
		xor	eax, eax
		mov	ebx, edx
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_24], esi
		test	al, 4
		jz	short loc_6463F3
		xor	edx, edx
		inc	edx
		jmp	short loc_6463FD
; 

loc_6463F3:				; CODE XREF: MiFreePartitionNodePages(x,x,x)+21j
		not	al
		movzx	edx, al
		and	edx, 1
		add	edx, edx

loc_6463FD:				; CODE XREF: MiFreePartitionNodePages(x,x,x)+26j
		lea	eax, [ebp+var_24]
		mov	ecx, ebx
		push	eax
		call	_MiActOnPartitionNodePages@12 ;	MiActOnPartitionNodePages(x,x,x)
		mov	eax, [ebp+var_18]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiFreePartitionNodePages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreePartitionTree(x, x, x, x)
_MiFreePartitionTree@16	proc near	; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+127p
					; MiClearPartitionPageBitMap(x,x)+CEp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		xor	ebx, ebx
		jmp	short loc_646456
; 

loc_646424:				; CODE XREF: MiFreePartitionTree(x,x,x,x)+48j
		push	esi
		push	edi
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		cmp	[ebp+arg_4], 1
		jnz	short loc_646444
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	_MiFreePartitionNodePages@12 ; MiFreePartitionNodePages(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_64645E

loc_646444:				; CODE XREF: MiFreePartitionTree(x,x,x,x)+1Dj
		push	0
		push	dword ptr [esi+14h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_646456:				; CODE XREF: MiFreePartitionTree(x,x,x,x)+10j
		mov	esi, [edi]
		test	esi, esi
		jnz	short loc_646424
		jmp	short loc_6464A3
; 

loc_64645E:				; CODE XREF: MiFreePartitionTree(x,x,x,x)+30j
		mov	ecx, [edi]
		mov	byte ptr [ebp+arg_4], 0
		test	ecx, ecx
		jz	short loc_646498
		mov	edx, [esi+0Ch]
		and	edx, 7FFFFFFFh

loc_646471:				; CODE XREF: MiFreePartitionTree(x,x,x,x)+80j
		mov	eax, [ecx+0Ch]
		and	eax, 7FFFFFFFh
		cmp	edx, eax
		jb	short loc_64648A
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_646490
		mov	byte ptr [ebp+arg_4], 1
		jmp	short loc_646498
; 

loc_64648A:				; CODE XREF: MiFreePartitionTree(x,x,x,x)+69j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_646494

loc_646490:				; CODE XREF: MiFreePartitionTree(x,x,x,x)+70j
		mov	ecx, eax
		jmp	short loc_646471
; 

loc_646494:				; CODE XREF: MiFreePartitionTree(x,x,x,x)+7Cj
		mov	byte ptr [ebp+arg_4], 0

loc_646498:				; CODE XREF: MiFreePartitionTree(x,x,x,x)+54j
					; MiFreePartitionTree(x,x,x,x)+76j
		push	esi
		push	[ebp+arg_4]
		push	ecx
		push	edi
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)

loc_6464A3:				; CODE XREF: MiFreePartitionTree(x,x,x,x)+4Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_MiFreePartitionTree@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMergePageNodes(x,	x)
_MiMergePageNodes@8 proc near		; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+276p
					; MiDeletePartitionResources(x)+2A1p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		lea	edx, [ecx+14h]
		mov	byte ptr [ebp+var_4], bl
		mov	esi, [edx]
		test	esi, esi
		jz	short loc_646517
		mov	ecx, [edi+0Ch]
		and	ecx, 7FFFFFFFh

loc_6464CE:				; CODE XREF: MiMergePageNodes(x,x)+45j
		mov	eax, [esi+0Ch]
		and	eax, 7FFFFFFFh
		cmp	ecx, eax
		jb	short loc_6464E9
		jbe	short loc_6464F3
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_6464EF
		mov	byte ptr [ebp+var_4], 1
		jmp	short loc_646517
; 

loc_6464E9:				; CODE XREF: MiMergePageNodes(x,x)+2Cj
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_646514

loc_6464EF:				; CODE XREF: MiMergePageNodes(x,x)+35j
		mov	esi, eax
		jmp	short loc_6464CE
; 

loc_6464F3:				; CODE XREF: MiMergePageNodes(x,x)+2Ej
		lea	edx, [edi+10h]
		lea	ecx, [esi+10h]
		call	_RtlMergeBitMaps@8 ; RtlMergeBitMaps(x,x)
		cmp	[edi+0Ch], ebx
		jge	short loc_646508
		cmp	[esi+0Ch], ebx
		jl	short loc_64650F

loc_646508:				; CODE XREF: MiMergePageNodes(x,x)+55j
		and	dword ptr [esi+0Ch], 7FFFFFFFh

loc_64650F:				; CODE XREF: MiMergePageNodes(x,x)+5Aj
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_646522
; 

loc_646514:				; CODE XREF: MiMergePageNodes(x,x)+41j
		mov	byte ptr [ebp+var_4], bl

loc_646517:				; CODE XREF: MiMergePageNodes(x,x)+17j
					; MiMergePageNodes(x,x)+3Bj
		push	edi
		push	[ebp+var_4]
		push	esi
		push	edx
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)

loc_646522:				; CODE XREF: MiMergePageNodes(x,x)+66j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_MiMergePageNodes@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReturnPartitionPagesToParent(x)
_MiReturnPartitionPagesToParent@4 proc near
					; CODE XREF: MiFreePartitionPhysicalPages(x,x)+13p

var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [esp+30h+var_20]
		push	8
		pop	ecx
		xor	eax, eax
		xor	edx, edx
		rep stosd
		mov	eax, [ebx+64h]
		xor	edi, edi
		push	edi
		push	edi
		mov	ecx, ebx
		mov	eax, [eax+1Ch]
		mov	esi, [eax]
		call	_MiDrainZeroLookasides@16 ; MiDrainZeroLookasides(x,x,x,x)
		lea	eax, [ebx+70h]
		mov	[esp+30h+var_20], esi
		push	eax
		mov	[esp+34h+var_1C], ebx
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebx+14h]
		mov	[esp+30h+var_21], al
		mov	[esp+30h+var_18], al
		jmp	short loc_64657B
; 

loc_646577:				; CODE XREF: MiReturnPartitionPagesToParent(x)+54j
		mov	edi, ecx
		mov	ecx, [ecx]

loc_64657B:				; CODE XREF: MiReturnPartitionPagesToParent(x)+4Cj
		test	ecx, ecx
		jnz	short loc_646577
		jmp	short loc_6465BD
; 

loc_646581:				; CODE XREF: MiReturnPartitionPagesToParent(x)+96j
		mov	eax, [edi+4]
		mov	esi, edi
		mov	ecx, edi
		test	eax, eax
		jz	short loc_6465A6
		mov	edi, eax
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_6465AE

loc_646594:				; CODE XREF: MiReturnPartitionPagesToParent(x)+73j
		mov	eax, [ecx]
		mov	edi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_646594
		jmp	short loc_6465AE
; 

loc_6465A0:				; CODE XREF: MiReturnPartitionPagesToParent(x)+83j
		cmp	[edi], ecx
		jz	short loc_6465AE
		mov	ecx, edi

loc_6465A6:				; CODE XREF: MiReturnPartitionPagesToParent(x)+61j
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		jnz	short loc_6465A0

loc_6465AE:				; CODE XREF: MiReturnPartitionPagesToParent(x)+69j
					; MiReturnPartitionPagesToParent(x)+75j ...
		lea	eax, [esp+30h+var_20]
		mov	ecx, esi
		push	eax
		push	4
		pop	edx
		call	_MiActOnPartitionNodePages@12 ;	MiActOnPartitionNodePages(x,x,x)

loc_6465BD:				; CODE XREF: MiReturnPartitionPagesToParent(x)+56j
		test	edi, edi
		jnz	short loc_646581
		lea	eax, [ebx+70h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+30h+var_21]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiReturnPartitionPagesToParent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTransferPartitionPageRun(x, x, x,	x, x)
_MiTransferPartitionPageRun@20 proc near ; CODE	XREF: MiActOnPartitionNodePages(x,x,x)+306p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_4], edi
		cmp	esi, offset _MiSystemPartition
		jnz	short loc_646605
		mov	eax, ecx
		mov	edx, offset dword_6D301C
		neg	eax
		lock xadd [edx], eax

loc_646605:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+1Bj
		mov	ebx, [ebp+arg_0]
		xor	edx, edx
		movzx	eax, word ptr [edi]
		mov	[ebp+var_14], eax
		lea	eax, [ebx+ecx]
		mov	ecx, edx
		mov	[ebp+var_24], eax
		mov	[ebp+arg_0], ecx
		cmp	ebx, eax
		jz	loc_6468CA

loc_646623:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+2E9j
		inc	edx
		mov	[ebp+var_28], edx
		test	dl, 0Fh
		jnz	short loc_646636
		mov	eax, [edi+70h]
		test	eax, 40000000h
		jnz	short loc_64663F

loc_646636:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+4Fj
		call	KeShouldYieldProcessor
		test	eax, eax
		jz	short loc_646666

loc_64663F:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+59j
		lea	eax, [edi+70h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+arg_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [edi+70h]
		dec	ebx
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	[ebp+arg_8], al

loc_64665E:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+B2j
		mov	ecx, [ebp+arg_0]
		jmp	loc_6468BD
; 

loc_646666:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+62j
		imul	edi, ebx, 1Ch
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		xor	ecx, ecx
		mov	byte ptr [ebp+arg_4+3],	al
		cmp	cx, word ptr [ebp+var_14]
		jz	short loc_64668F
		mov	dl, al

loc_646683:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+1BDj
		mov	ecx, edi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	edi, [ebp+var_4]
		jmp	short loc_64665E
; 

loc_64668F:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+A4j
		movzx	eax, byte ptr [edi+16h]
		and	eax, 7
		mov	[ebp+var_10], eax
		cmp	eax, 5
		jnz	loc_64679D
		mov	ecx, edi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	short loc_64672B
		mov	ecx, [edi+8]
		mov	[ebp+var_18], ecx
		nop
		mov	eax, [edi+0Ch]
		push	eax
		push	ecx
		mov	[ebp+var_C], eax
		call	_MiInvalidPteConforms@12 ; MiInvalidPteConforms(x,x,x)
		test	eax, eax
		jz	loc_6468D3
		mov	eax, [ebp+var_C]
		mov	ecx, ds:dword_6D0700
		mov	edx, ds:dword_6D0704
		mov	[ebp+var_8], eax
		mov	eax, ecx
		or	eax, edx
		mov	[ebp+var_1C], edx
		jz	short loc_646700
		mov	edx, [ebp+var_18]
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_6466FB
		mov	eax, [ebp+var_1C]
		not	eax
		and	eax, [ebp+var_8]
		jmp	short loc_646703
; 

loc_6466FB:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+114j
		mov	eax, [ebp+var_8]
		jmp	short loc_646703
; 

loc_646700:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+107j
		mov	eax, [ebp+var_C]

loc_646703:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+11Ej
					; MiTransferPartitionPageRun(x,x,x,x,x)+123j
		cmp	eax, 0FFFFFFFEh
		jnz	loc_6468D3
		mov	dl, byte ptr [ebp+arg_4+3]
		mov	ecx, edi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	edi, [ebp+var_4]
		xor	eax, eax
		push	eax
		push	eax
		xor	edx, edx
		mov	ecx, edi
		call	_MiDrainZeroLookasides@16 ; MiDrainZeroLookasides(x,x,x,x)
		jmp	loc_6468B9
; 

loc_64672B:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+D0j
		xor	edx, edx
		mov	ecx, edi
		call	_MiUnlinkPageFromBadList@8 ; MiUnlinkPageFromBadList(x,x)
		push	1
		xor	eax, eax
		xor	edx, edx
		push	eax
		inc	edx
		mov	ecx, esi
		call	MiAcquireNonPagedResources
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		inc	edx
		call	MiReturnCommit
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		inc	edx
		call	MiReturnResavailToPrcb
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		test	edx, edx
		jz	short loc_64676C
		lea	eax, [ecx+1000h]
		lock xadd [eax], edx

loc_64676C:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+185j
		cmp	esi, offset _MiSystemPartition
		jz	short loc_64677E
		inc	dword ptr [esi+0F48h]
		mov	byte ptr [esi+0Ch], 1

loc_64677E:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+197j
		dec	dword ptr [ecx+0F48h]
		push	20h
		mov	byte ptr [ecx+0Ch], 1
		mov	ecx, edi
		pop	edx
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)
		inc	[ebp+arg_0]
		mov	dl, byte ptr [ebp+arg_4+3]
		jmp	loc_646683
; 

loc_64679D:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+C1j
		test	dword ptr [edi+18h], 800000h
		jnz	short loc_646818
		cmp	eax, 1
		ja	loc_6468D3
		xor	eax, eax
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	MiUnlinkFreeOrZeroedPage
		cmp	esi, offset _MiSystemPartition
		jz	short loc_6467CD
		inc	dword ptr [esi+0F48h]
		mov	byte ptr [esi+0Ch], 1

loc_6467CD:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+1E6j
		mov	eax, [ebp+var_4]
		dec	dword ptr [eax+0F48h]
		mov	byte ptr [eax+0Ch], 1
		test	byte ptr [edi+17h], 40h
		jz	short loc_6467EA
		push	esi
		mov	edx, eax
		mov	ecx, edi
		call	_MiMoveBadPageCrossPartition@12	; MiMoveBadPageCrossPartition(x,x,x)

loc_6467EA:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+203j
		mov	ecx, edi
		call	_MiIsFreshPfnFromZeroedList@4 ;	MiIsFreshPfnFromZeroedList(x)
		neg	eax
		mov	ecx, ebx
		sbb	eax, eax
		lea	edx, [eax+2]
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	dl, byte ptr [ebp+arg_4+3]
		mov	ecx, edi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	ecx, [ebp+arg_0]
		mov	edi, [ebp+var_4]
		inc	ecx
		mov	[ebp+arg_0], ecx
		jmp	loc_6468BD
; 

loc_646818:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+1C9j
		mov	ecx, edi
		call	_MiGetBaseResidentPage@4 ; MiGetBaseResidentPage(x)
		mov	ecx, eax
		mov	[ebp+var_1C], eax
		movzx	edx, byte ptr [eax+16h]
		and	edx, 7
		mov	[ebp+var_10], edx
		call	_MiGetPfnPageSizeIndex@4 ; MiGetPfnPageSizeIndex(x)
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_1C]
		cmp	eax, edi
		jz	short loc_646848
		mov	ecx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ecx

loc_646848:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+260j
		cmp	edx, 1
		ja	loc_6468D3
		mov	dl, byte ptr [ebp+arg_4+3]
		mov	ecx, edi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	edx, [ebp+var_18]
		mov	eax, ds:_MiLargePageSizes[edx*4]
		mov	[ebp+arg_4], eax
		cmp	esi, offset _MiSystemPartition
		jz	short loc_64687A
		add	[esi+0F48h], eax
		mov	byte ptr [esi+0Ch], 1

loc_64687A:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+293j
		mov	edi, [ebp+var_4]
		mov	ecx, ebx
		push	esi
		push	edi
		call	_MiMoveLargeFreePage@16	; MiMoveLargeFreePage(x,x,x,x)
		cmp	eax, 1
		jnz	short loc_6468A4
		mov	eax, [ebp+arg_4]
		add	ebx, eax
		mov	ecx, [ebp+arg_0]
		add	ecx, eax
		mov	byte ptr [edi+0Ch], 1
		sub	[edi+0F48h], eax
		mov	[ebp+arg_0], ecx
		jmp	short loc_6468BC
; 

loc_6468A4:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+2AEj
		cmp	esi, offset _MiSystemPartition
		jz	short loc_6468B9
		mov	eax, [ebp+arg_4]
		sub	[esi+0F48h], eax
		mov	byte ptr [esi+0Ch], 1

loc_6468B9:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+14Bj
					; MiTransferPartitionPageRun(x,x,x,x,x)+2CFj
		mov	ecx, [ebp+arg_0]

loc_6468BC:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+2C7j
		dec	ebx

loc_6468BD:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+86j
					; MiTransferPartitionPageRun(x,x,x,x,x)+238j
		mov	edx, [ebp+var_28]
		inc	ebx
		cmp	ebx, [ebp+var_24]
		jnz	loc_646623

loc_6468CA:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+42j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	0Ch
; 

loc_6468D3:				; CODE XREF: MiTransferPartitionPageRun(x,x,x,x,x)+E8j
					; MiTransferPartitionPageRun(x,x,x,x,x)+12Bj ...
		mov	dl, byte ptr [ebp+arg_4+3]
		mov	ecx, edi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		xor	eax, eax
		push	eax
		push	[ebp+var_10]
		push	ebx
		push	41000h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MiTransferPartitionPageRun@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdatePartitionMemory(x, x, x)
_MiUpdatePartitionMemory@12 proc near	; CODE XREF: MiMakePartitionMemoryBlock(x)+16Ep

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		mov	ebx, ecx
		mov	esi, edx
		mov	[ebp+var_8], ebx
		stosd
		stosd
		lea	eax, [ebx+70h]
		push	eax
		mov	[ebp+var_C], eax
		call	ExAcquireSpinLockExclusive
		mov	edx, [ebp+var_8]
		mov	edi, [ebx+38h]
		mov	ecx, [esi+4]
		mov	[ebx+38h], ecx
		mov	ecx, [esi+8]
		mov	ebx, [ebx+18h]
		mov	[edx+18h], ecx
		lea	edx, [ebp+var_18]
		mov	ecx, offset dword_6D2FF0
		mov	[ebp+var_1], al
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_646952
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_18]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_646950:				; DATA XREF: .text:0041CA25o
		jmp	short loc_646981
; 

loc_646952:				; CODE XREF: MiUpdatePartitionMemory(x,x,x)+52j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	short loc_646971
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	short loc_646981
		call	KxWaitForLockChainValid

loc_646971:				; CODE XREF: MiUpdatePartitionMemory(x,x,x)+66j
		xor	ecx, ecx
		mov	[ebp+var_18], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_646981:				; CODE XREF: MiUpdatePartitionMemory(x,x,x):loc_646950j
					; MiUpdatePartitionMemory(x,x,x)+79j
		mov	cl, [ebp+var_10]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		push	[ebp+var_C]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	esi
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_8]
		call	MiComputeNodeMemory
		test	ebx, ebx
		jz	short loc_6469B1
		xor	edx, edx
		mov	ecx, ebx
		call	MiDereferencePageRunsEx

loc_6469B1:				; CODE XREF: MiUpdatePartitionMemory(x,x,x)+B5j
		test	edi, edi
		jz	short loc_6469BE
		xor	edx, edx
		mov	ecx, edi
		call	MiDereferencePageRunsEx

loc_6469BE:				; CODE XREF: MiUpdatePartitionMemory(x,x,x)+C2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiUpdatePartitionMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReplicatePteChangeToProcess(x, x,	x)
_MiReplicatePteChangeToProcess@12 proc near ; CODE XREF: MiReplicatePteChange+12416Cp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ecx
		push	esi
		mov	esi, edx
		mov	[esp+34h+var_4], eax
		sub	ebx, esi
		sar	ebx, 3
		inc	ebx
		mov	[esp+34h+var_14], ebx
		push	edi
		test	eax, eax
		jz	short loc_646A04
		mov	eax, [eax+194h]
		lea	ecx, [esi+3FA00000h]
		shr	ecx, 0Ch
		mov	edi, [eax+ecx*8]
		mov	eax, [eax+ecx*8+4]
		jmp	short loc_646A1B
; 

loc_646A04:				; CODE XREF: MiReplicatePteChangeToProcess(x,x,x)+25j
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	edi, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]

loc_646A1B:				; CODE XREF: MiReplicatePteChangeToProcess(x,x,x)+3Dj
		shrd	edi, eax, 0Ch
		push	80000000h
		and	edi, 1FFFFFFh
		xor	edx, edx
		mov	ecx, edi
		call	MiMapPageInHyperSpaceWorker
		mov	ecx, esi
		mov	[esp+38h+var_10], eax
		shr	ecx, 3
		and	ecx, 1FFh
		lea	edi, [eax+ecx*8]
		cmp	esi, [ebp+arg_0]
		ja	loc_646B21

loc_646A4E:				; CODE XREF: MiReplicatePteChangeToProcess(x,x,x)+14Ej
		mov	ecx, [esi]
		and	[esp+38h+var_20], 0
		and	[esp+38h+var_1C], 0
		mov	[esp+38h+var_28], ecx
		nop
		mov	eax, [edi]
		mov	edx, [esi+4]
		mov	[esp+38h+var_20], eax
		nop
		mov	ebx, [edi+4]
		mov	[esp+38h+var_24], ebx
		cmp	ecx, eax
		jnz	short loc_646A7C
		cmp	edx, ebx
		jz	loc_646B0A

loc_646A7C:				; CODE XREF: MiReplicatePteChangeToProcess(x,x,x)+ADj
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_646B04
		mov	eax, [esp+38h+var_20]
		and	eax, 1
		or	eax, 0
		jz	short loc_646AA1
		push	edx
		push	ecx
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	MiTransformValidPteInPlace
		jmp	short loc_646B0A
; 

loc_646AA1:				; CODE XREF: MiReplicatePteChangeToProcess(x,x,x)+CBj
		mov	ecx, edi
		xor	ebx, ebx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_646AEB
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_646ACD
		mov	eax, [esp+38h+var_28]
		inc	ebx
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	short loc_646AEF

loc_646AC5:				; CODE XREF: MiReplicatePteChangeToProcess(x,x,x)+124j
		or	edx, 80000000h
		jmp	short loc_646AEF
; 

loc_646ACD:				; CODE XREF: MiReplicatePteChangeToProcess(x,x,x)+F0j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, [esp+38h+var_28]
		jz	short loc_646AEF
		jmp	short loc_646AC5
; 

loc_646AEB:				; CODE XREF: MiReplicatePteChangeToProcess(x,x,x)+E7j
		mov	eax, [esp+38h+var_28]

loc_646AEF:				; CODE XREF: MiReplicatePteChangeToProcess(x,x,x)+FEj
					; MiReplicatePteChangeToProcess(x,x,x)+106j ...
		mov	[edi+4], edx
		nop
		mov	[edi], eax
		test	ebx, ebx
		jz	short loc_646B0A
		push	edx
		push	eax
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	short loc_646B0A
; 

loc_646B04:				; CODE XREF: MiReplicatePteChangeToProcess(x,x,x)+BFj
		mov	[edi], ecx
		nop
		mov	[edi+4], edx

loc_646B0A:				; CODE XREF: MiReplicatePteChangeToProcess(x,x,x)+B1j
					; MiReplicatePteChangeToProcess(x,x,x)+DAj ...
		add	esi, 8
		add	edi, 8
		cmp	esi, [ebp+arg_0]
		jbe	loc_646A4E
		mov	ebx, [esp+38h+var_14]
		mov	eax, [esp+38h+var_10]

loc_646B21:				; CODE XREF: MiReplicatePteChangeToProcess(x,x,x)+83j
		push	80000000h
		mov	dl, 21h
		mov	ecx, eax
		call	_MiUnmapPageInHyperSpaceWorker@12 ; MiUnmapPageInHyperSpaceWorker(x,x,x)
		mov	ecx, [esp+38h+var_4]
		mov	eax, ebx
		shl	eax, 3
		sub	esi, eax
		push	ebx
		mov	edx, esi
		call	MiShadowTopLevelPxes
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiReplicatePteChangeToProcess@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiVaToSessionPdeMaster(x)
_MiVaToSessionPdeMaster@4 proc near	; CODE XREF: MiUpdateSessionPdeMaster(x,x,x)+5p
		mov	eax, large fs:124h
		shr	ecx, 15h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		lea	eax, [eax+ecx*8]
		add	eax, 0FFFFE3E0h
		retn
_MiVaToSessionPdeMaster@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetPteMappingPair(x, x)
_MiGetPteMappingPair@8 proc near	; CODE XREF: MiSlowRotateCopy(x,x,x)+75p
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		push	2
		pop	ebx
		cmp	ecx, 1
		jnz	short loc_646B88
		push	esi
		mov	edx, ebx
		mov	ecx, ebx
		call	MiCreatePteCopyList
		cmp	dword ptr [esi+4], 0
		jnz	short loc_646BB2

loc_646B88:				; CODE XREF: MiGetPteMappingPair(x,x)+Dj
		mov	cl, bl
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esi+8], al
		call	_MiAllocateHyperSpace@4	; MiAllocateHyperSpace(x)
		and	dword ptr [esi], 0
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[esi+4], ebx
		sub	eax, 40000000h
		mov	byte ptr [esi+9], 1
		mov	[esi+0Ch], eax

loc_646BB2:				; CODE XREF: MiGetPteMappingPair(x,x)+1Dj
		pop	esi
		pop	ebx
		pop	ecx
		retn
_MiGetPteMappingPair@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiReleasePteCopyList(x)
_MiReleasePteCopyList@4	proc near	; CODE XREF: MmRelocatePfnList(x,x,x,x)+1A3p
					; MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+2E0p ...
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short locret_646BCB
		mov	edx, [ecx+0Ch]
		mov	ecx, offset dword_6D35E0
		push	eax
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

locret_646BCB:				; CODE XREF: MiReleasePteCopyList(x)+5j
		retn
_MiReleasePteCopyList@4	endp ; sp = -4


;  S U B	R O U T	I N E 


; __stdcall MiReturnPteMappingPair(x)
_MiReturnPteMappingPair@4 proc near	; CODE XREF: MiSlowRotateCopy(x,x,x)+E0p
		mov	edx, ecx
		mov	cl, [edx+8]
		cmp	cl, 21h
		jnz	short loc_646BE6
		mov	edx, [edx+0Ch]
		mov	ecx, offset dword_6D35E0
		push	2
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		retn
; 

loc_646BE6:				; CODE XREF: MiReturnPteMappingPair(x)+8j
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_MiReturnPteMappingPair@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSwapHardFaultPage(x, x, x)
_MiSwapHardFaultPage@12	proc near	; CODE XREF: MiFinishHardFault(x,x,x,x)+4FAp
					; MiIdealClusterPage(x,x,x,x,x,x,x,x)+7B8p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edx
		mov	esi, [edi]
		nop
		mov	eax, [edi+4]
		push	eax
		mov	eax, [ebp+arg_0]
		sub	eax, ds:_MmPfnDatabase
		push	esi
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	_MiUpdateTransitionPteFrame@12 ; MiUpdateTransitionPteFrame(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ebx

loc_646C22:				; CODE XREF: MiSwapHardFaultPage(x,x,x)+4Fj
					; MiSwapHardFaultPage(x,x,x)+54j
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_C], ecx
		nop
		mov	ecx, [ebp+var_8]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_646C22
		cmp	edx, [ebp+var_C]
		jnz	short loc_646C22
		mov	ebx, [ebp+arg_0]
		mov	ecx, ebx
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	edi, [ebp+var_10]
		mov	edx, edi
		push	ecx
		mov	ecx, ebx
		call	_MiCopyPfnEntryEx@12 ; MiCopyPfnEntryEx(x,x,x)
		mov	eax, [edi+18h]
		mov	ecx, 30000000h
		and	eax, 70000000h
		cmp	eax, ecx
		jnz	short loc_646C77
					; DATA XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+2F7o
		mov	eax, [ebx+18h]
		and	eax, 0BFFFFFFFh
		or	eax, ecx
		mov	[ebx+18h], eax

loc_646C77:				; CODE XREF: MiSwapHardFaultPage(x,x,x)+7Cj
		and	dword ptr [ebx+10h], 0C0000000h
		mov	edx, [edi+8]
		mov	ecx, edx
		mov	esi, [edi+0Ch]
		mov	eax, esi
		or	dword ptr [edi+10h], 40000000h
		shrd	ecx, eax, 2
		test	cl, 1
		jz	short loc_646CA1
		and	edx, 0FFFFFFFBh
		mov	[edi+0Ch], esi
		mov	[edi+8], edx

loc_646CA1:				; CODE XREF: MiSwapHardFaultPage(x,x,x)+AAj
		mov	ecx, edx
		mov	eax, esi
		shrd	ecx, eax, 1
		test	cl, 1
		jz	short loc_646CB7
		and	edx, 0FFFFFFFDh
		mov	[edi+0Ch], esi
		mov	[edi+8], edx

loc_646CB7:				; CODE XREF: MiSwapHardFaultPage(x,x,x)+C0j
		mov	ecx, edi
		call	_MiRemoveLockedPageCharge@4 ; MiRemoveLockedPageCharge(x)
		test	eax, eax
		jz	short loc_646CDB
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, edi
		mov	edx, eax
		call	MiPfnReferenceCountIsZero
		jmp	short loc_646CE2
; 

loc_646CDB:				; CODE XREF: MiSwapHardFaultPage(x,x,x)+D4j
		xor	eax, eax
		inc	eax
		mov	[ebx+14h], ax

loc_646CE2:				; CODE XREF: MiSwapHardFaultPage(x,x,x)+EDj
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiSwapHardFaultPage@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakePageBad(x, x)
_MiMakePageBad@8 proc near		; CODE XREF: MiScrubLargeMappedPage(x,x,x)+2F4p
					; MiScrubNode(x)+153p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		mov	edi, ebx
		and	edi, 1
		jz	short loc_646D12
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[ebp+var_1], al
		jmp	short loc_646D16
; 

loc_646D12:				; CODE XREF: MiMakePageBad(x,x)+12j
		mov	[ebp+var_1], 21h

loc_646D16:				; CODE XREF: MiMakePageBad(x,x)+1Cj
		mov	ecx, esi
		call	_MiIsPageOnBadList@4 ; MiIsPageOnBadList(x)
		test	eax, eax
		jnz	short loc_646D6F
		test	byte ptr [esi+17h], 40h
		jnz	short loc_646D41
		push	1
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		push	eax
		inc	edx
		call	MiAcquireNonPagedResources
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiSetPfnRemovalRequested@8 ; MiSetPfnRemovalRequested(x,x)

loc_646D41:				; CODE XREF: MiMakePageBad(x,x)+31j
		test	bl, 2
		jz	short loc_646D50
		push	20h
		pop	edx
		mov	ecx, esi
		call	_MiInsertPageInList@8 ;	MiInsertPageInList(x,x)

loc_646D50:				; CODE XREF: MiMakePageBad(x,x)+50j
		test	edi, edi
		jz	short loc_646D68
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_646D68:				; CODE XREF: MiMakePageBad(x,x)+5Ej
		lock inc ds:dword_6D3100

loc_646D6F:				; CODE XREF: MiMakePageBad(x,x)+2Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiMakePageBad@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiScrubInterrupted(x)
_MiScrubInterrupted@4 proc near		; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+18Dp
					; MiScrubLargeMappedPage(x,x,x)+322p ...
		mov	ecx, [ecx]
		mov	eax, [ecx+20h]
		mov	eax, [eax+2FCh]
		test	al, 1
		jnz	short loc_646D8F
		mov	eax, [ecx+14h]
		cmp	dword ptr [eax+4], 0
		jnz	short loc_646D8F
		xor	eax, eax
		retn
; 

loc_646D8F:				; CODE XREF: MiScrubInterrupted(x)+Dj
					; MiScrubInterrupted(x)+16j
		xor	eax, eax
		inc	eax
		retn
_MiScrubInterrupted@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiScrubLargeMappedPage(x, x, x)
_MiScrubLargeMappedPage@12 proc	near	; CODE XREF: MiScrubProcessLargePages(x)+1E7p

var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_BE		= byte ptr -0BEh
var_BD		= byte ptr -0BDh
var_BC		= dword	ptr -0BCh
var_B8		= word ptr -0B8h
var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0FCh
		push	offset dword_6A8C00
		call	__SEH_prolog4_GS
		mov	edi, edx
		mov	[ebp+var_F8], ecx
		mov	esi, [ebp+arg_0]
		push	98h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		lea	eax, [ebp+var_BC]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		inc	eax
		mov	[ebp+var_FC], eax
		mov	[ebp+var_BC], eax
		mov	[ebp+var_B8], bx
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_B4], 21h
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_BE], bl
		mov	[ebp+var_C8], ebx
		mov	eax, [esi+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		mov	ebx, [esi+0Ch]
		shr	ebx, 6
		mov	ecx, 3FF8h
		and	ebx, ecx
		mov	edx, 3FA00000h
		sub	ebx, edx
		mov	[ebp+var_E8], ebx
		shr	eax, 12h
		and	eax, ecx
		sub	eax, edx
		mov	[ebp+var_100], eax
		lea	eax, [edi+240h]
		mov	[ebp+var_CC], eax
		mov	ecx, eax
		call	MiLockWorkingSetShared
		mov	[ebp+var_BD], al
		xor	esi, esi

loc_646E49:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+1BEj
					; MiScrubLargeMappedPage(x,x,x)+45Cj ...
		mov	edi, [ebp+var_100]
		mov	[ebp+var_D8], edi
		cmp	ebx, edi
		ja	loc_64726F
		mov	[ebp+var_DC], ebx
		mov	eax, ebx
		shl	eax, 12h
		mov	[ebp+var_E0], eax
		lea	eax, [ebp+var_DC]
		push	eax
		mov	edx, ebx
		mov	ecx, [ebp+var_CC]
		call	MiLockLowestValidPageTable
		mov	[ebp+var_E4], eax
		mov	edx, [ebp+var_DC]
		mov	[ebp+var_EC], edx
		cmp	edx, ebx
		jz	short loc_646EAD
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		mov	[ebp+var_D8], edi

loc_646EAD:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+103j
		mov	ecx, [ebp+var_D8]

loc_646EB3:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+163j
		mov	[ebp+var_F4], esi
		mov	[ebp+var_F0], esi
		mov	eax, [edx]
		mov	[ebp+var_F0], eax
		nop
		mov	edi, [edx+4]
		mov	[ebp+var_C4], edi
		mov	edi, edx
		or	eax, [ebp+var_C4]
		jnz	short loc_646EF8
		mov	[ebp+var_C8], esi
		lea	edx, [edi+8]
		mov	edi, edx
		mov	[ebp+var_DC], edx
		test	edi, 0FFFh
		jz	short loc_646EF8
		cmp	edx, ecx
		jbe	short loc_646EB3

loc_646EF8:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+146j
					; MiScrubLargeMappedPage(x,x,x)+15Fj
		mov	[ebp+var_EC], edx
		mov	ecx, [ebp+var_F0]
		mov	eax, ecx
		or	eax, [ebp+var_C4]
		jnz	short loc_646F56
		mov	edx, [ebp+var_E4]
		mov	ecx, [ebp+var_CC]
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	ebx, edi
		cmp	edi, 0C0000000h
		jb	short loc_646F3C

loc_646F29:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+1A7j
		cmp	ebx, 0C07FFFFFh
		ja	short loc_646F3C
		shl	ebx, 9
		cmp	ebx, 0C0000000h
		jnb	short loc_646F29

loc_646F3C:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+194j
					; MiScrubLargeMappedPage(x,x,x)+19Cj
		shr	ebx, 12h
		and	ebx, 3FF8h
		sub	ebx, 3FA00000h
		mov	[ebp+var_E8], ebx
		jmp	loc_646E49
; 

loc_646F56:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+179j
		mov	eax, ecx
		and	eax, 1
		or	eax, esi
		jz	loc_647204
		mov	eax, ecx
		and	eax, 80h
		or	eax, esi
		jz	loc_647204
		nop
		mov	eax, [ebp+var_C4]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		mov	[ebp+var_D0], ecx
		xor	esi, esi
		inc	esi
		mov	ecx, 200h
		shl	edi, 12h

loc_646F94:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+215j
		lea	eax, [edi+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	short loc_646FAA
		shl	edi, 9
		shl	ecx, 9
		inc	esi
		jmp	short loc_646F94
; 

loc_646FAA:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+20Cj
		mov	[ebp+var_D4], esi
		mov	[ebp+var_D8], ecx
		mov	edi, ds:_ZeroPte
		mov	esi, ds:dword_40F9FC
		push	0
		mov	ecx, [ebp+var_CC]
		call	MiLockPageTableInternal
		push	esi
		push	edi
		xor	esi, esi
		push	esi
		mov	edx, [ebp+var_EC]
		mov	edi, [ebp+var_CC]
		mov	ecx, edi
		call	MiUnlockNestedPageTableWritePte
		push	[ebp+var_D4]
		push	1
		mov	edx, [ebp+var_E0]
		lea	ecx, [ebp+var_BC]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [ebp+var_BC]
		call	MiFlushTbList
		mov	edx, [ebp+var_D8]
		cmp	[ebp+var_C8], edx
		sbb	eax, eax
		and	[ebp+var_C8], eax
		mov	[ebp+var_E0], esi
		imul	ecx, [ebp+var_D0], 1Ch
		add	ecx, ds:_MmPfnDatabase
		imul	eax, edx, 1Ch
		add	eax, ecx
		mov	[ebp+var_D4], eax
		mov	edx, [ebp+var_C8]
		imul	eax, edx, 1Ch
		add	ecx, eax
		mov	eax, [ebp+var_D4]

loc_64704E:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+340j
		mov	[ebp+var_D0], ecx
		cmp	ecx, eax
		jnb	loc_6470EB
		inc	edx
		mov	[ebp+var_C8], edx
		cmp	word ptr [ecx+14h], 2
		jnz	short loc_6470D0
		push	1
		push	esi
		mov	edx, ecx
		mov	ecx, [ebp+var_F8]
		call	_MiScrubPage@16	; MiScrubPage(x,x,x,x)
		test	eax, eax
		jns	short loc_64708C
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+var_D0]
		call	_MiMakePageBad@8 ; MiMakePageBad(x,x)

loc_64708C:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+2E9j
		mov	ecx, edi
		call	_MiWorkingSetIsContended@4 ; MiWorkingSetIsContended(x)
		test	eax, eax
		jnz	short loc_6470E1
		mov	edx, [ebp+var_E4]
		call	_MiPageTableLockIsContended@8 ;	MiPageTableLockIsContended(x,x)
		test	eax, eax
		jnz	short loc_6470E1
		call	KeShouldYieldProcessor
		test	eax, eax
		jnz	short loc_6470E1
		mov	ecx, [ebp+var_F8]
		call	_MiScrubInterrupted@4 ;	MiScrubInterrupted(x)
		test	eax, eax
		jnz	short loc_6470D8
		mov	ecx, [ebp+var_D0]
		mov	edx, [ebp+var_C8]
		mov	eax, [ebp+var_D4]

loc_6470D0:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+2D5j
		add	ecx, 1Ch
		jmp	loc_64704E
; 

loc_6470D8:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+329j
		mov	[ebp+var_BE], 1
		jmp	short loc_6470EB
; 

loc_6470E1:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+302j
					; MiScrubLargeMappedPage(x,x,x)+311j ...
		mov	[ebp+var_E0], 1

loc_6470EB:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+2C3j
					; MiScrubLargeMappedPage(x,x,x)+34Cj
		mov	edx, [ebp+var_F0]
		or	edx, 20h
		mov	[ebp+var_10C], edx
		mov	eax, [ebp+var_C4]
		mov	[ebp+var_108], eax
		mov	[ebp+var_F0], esi
		mov	ecx, [ebp+var_EC]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_647187
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_64714D
		mov	[ebp+var_F0], 1
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	short loc_647187
		mov	eax, edx
		and	eax, 1
		or	eax, esi
		mov	eax, [ebp+var_C4]
		jz	short loc_64718D
		or	eax, 80000000h
		jmp	short loc_64718D
; 

loc_64714D:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+38Fj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_647181
		mov	eax, edx
		and	eax, 1
		or	eax, esi
		jz	short loc_647181
		mov	eax, [ebp+var_C4]
		or	eax, 80000000h
		mov	ecx, [ebp+var_DC]
		jmp	short loc_64718D
; 

loc_647181:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+3D0j
					; MiScrubLargeMappedPage(x,x,x)+3D9j
		mov	ecx, [ebp+var_DC]

loc_647187:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+386j
					; MiScrubLargeMappedPage(x,x,x)+3A2j
		mov	eax, [ebp+var_C4]

loc_64718D:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+3B1j
					; MiScrubLargeMappedPage(x,x,x)+3B8j ...
		mov	[ecx+4], eax
		nop
		mov	[ecx], edx
		cmp	[ebp+var_F0], esi
		jz	short loc_6471A2
		push	eax
		push	edx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_6471A2:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+406j
		mov	edx, [ebp+var_E4]
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	eax, [ebp+var_D4]
		cmp	[ebp+var_D0], eax
		jnz	short loc_6471D5
		mov	eax, [ebp+var_D8]
		shr	eax, 9
		lea	ebx, [ebx+eax*8]
		mov	[ebp+var_E8], ebx
		mov	[ebp+var_C8], esi

loc_6471D5:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+428j
		cmp	[ebp+var_BE], 1
		jnz	short loc_6471E9
		mov	[ebp+var_FC], esi
		jmp	loc_647275
; 

loc_6471E9:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+449j
		cmp	[ebp+var_E0], esi
		jz	loc_646E49
		mov	dl, [ebp+var_BD]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		jmp	short loc_647263
; 

loc_647204:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+1CAj
					; MiScrubLargeMappedPage(x,x,x)+1D9j
		mov	edx, [ebp+var_E4]
		mov	edi, [ebp+var_CC]
		mov	ecx, edi
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		mov	dl, [ebp+var_BD]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [ebp+var_E0]
		mov	al, [eax]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_647263
; 

loc_647238:				; DATA XREF: .text:006A8C14o
		xor	eax, eax
		inc	eax
		retn
; 

loc_64723C:				; DATA XREF: .text:006A8C18o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_E8]
		add	ebx, 8
		mov	[ebp+var_E8], ebx
		xor	esi, esi
		mov	[ebp+var_C8], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_CC]

loc_647263:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+46Fj
					; MiScrubLargeMappedPage(x,x,x)+4A3j
		mov	ecx, edi
		call	MiLockWorkingSetShared
		jmp	loc_646E49
; 

loc_64726F:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+C4j
		mov	edi, [ebp+var_CC]

loc_647275:				; CODE XREF: MiScrubLargeMappedPage(x,x,x)+451j
		mov	dl, [ebp+var_BD]
		mov	ecx, edi
		call	MiUnlockWorkingSetShared
		mov	eax, [ebp+var_FC]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiScrubLargeMappedPage@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiScrubNode(x)
_MiScrubNode@4	proc near		; CODE XREF: MiScrubMemoryWorker(x)+1Cp

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	eax, [ebx]
		mov	edx, [ebx+34h]
		push	dword ptr [ebx+4]
		mov	ecx, [eax+1Ch]
		mov	eax, [edx]
		add	edx, 8
		mov	[esp+2Ch+var_10], ecx
		lea	esi, [edx+eax*8]
		mov	edx, ecx
		mov	ecx, ebx
		mov	[esp+2Ch+var_18], esi
		call	_MiScrubNodeLargePages@12 ; MiScrubNodeLargePages(x,x,x)
		mov	ecx, [ebx+34h]
		xor	edx, edx
		mov	[esp+28h+var_14], edx
		cmp	[ecx], edx
		jbe	loc_647437

loc_6472DF:				; CODE XREF: MiScrubNode(x)+197j
		mov	eax, [esi+edx*8]
		cmp	eax, [ebx+4]
		jnz	loc_647427
		mov	eax, [ecx+edx*8+8]
		mov	[esp+28h+var_8], eax
		mov	eax, [ecx+edx*8+0Ch]
		mov	ecx, [esp+28h+var_8]
		lea	esi, [ecx-1]
		add	esi, eax
		imul	edi, esi, 1Ch
		mov	[esp+28h+var_C], esi
		add	edi, ds:_MmPfnDatabase
		cmp	esi, ecx
		jb	loc_647423

loc_647315:				; CODE XREF: MiScrubNode(x)+17Fj
		test	ecx, ecx
		jz	loc_64741F
		mov	ecx, ebx
		call	_MiScrubInterrupted@4 ;	MiScrubInterrupted(x)
		test	eax, eax
		jnz	loc_647437
		and	[esp+28h+var_4], eax
		mov	edx, edi
		mov	ecx, [esp+28h+var_10]
		lea	eax, [esp+28h+var_4]
		push	eax
		push	7000000h
		push	1
		call	_MiPfnsWorthTrying@20 ;	MiPfnsWorthTrying(x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_647372
		mov	ecx, esi
		sub	ecx, [esp+28h+var_8]
		inc	ecx
		cmp	edx, ecx
		jnb	loc_64741F
		imul	eax, edx, 1Ch
		push	1Ch
		pop	ecx
		sub	ecx, eax
		xor	eax, eax
		inc	eax
		add	edi, ecx
		sub	eax, edx
		add	esi, eax
		jmp	loc_64740B
; 

loc_647372:				; CODE XREF: MiScrubNode(x)+B1j
		cmp	[esp+28h+var_4], 1
		jnz	short loc_64737E
		call	MiEmptyKernelStackCache

loc_64737E:				; CODE XREF: MiScrubNode(x)+DDj
		movzx	eax, byte ptr [edi+16h]
		mov	edx, esi
		mov	ecx, [esp+28h+var_10]
		push	0
		shr	eax, 6
		push	eax
		push	0
		push	0FFFFFFFFh
		push	7000000h
		lea	eax, [ebx+1Ch]
		push	eax
		push	ds:dword_6D07B0
		push	1
		call	MiClaimPhysicalRun
		test	eax, eax
		jnz	short loc_64740B
		push	eax
		push	eax
		mov	edx, edi
		mov	ecx, ebx
		call	_MiScrubPage@16	; MiScrubPage(x,x,x,x)
		mov	ecx, edi
		mov	esi, eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	[esp+28h+var_19], al
		test	esi, esi
		js	short loc_6473CE
		test	byte ptr [edi+17h], 40h
		jz	short loc_6473D8

loc_6473CE:				; CODE XREF: MiScrubNode(x)+12Cj
		cmp	[esp+28h+var_10], offset _MiSystemPartition
		jz	short loc_6473E8

loc_6473D8:				; CODE XREF: MiScrubNode(x)+132j
		mov	esi, [esp+28h+var_C]
		mov	ecx, esi
		push	2
		pop	edx
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		jmp	short loc_6473F6
; 

loc_6473E8:				; CODE XREF: MiScrubNode(x)+13Cj
		push	2
		pop	edx
		mov	ecx, edi
		call	_MiMakePageBad@8 ; MiMakePageBad(x,x)
		mov	esi, [esp+28h+var_C]

loc_6473F6:				; CODE XREF: MiScrubNode(x)+14Cj
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, [esp+28h+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_64740B:				; CODE XREF: MiScrubNode(x)+D3j
					; MiScrubNode(x)+110j
		mov	ecx, [esp+28h+var_8]
		dec	esi
		sub	edi, 1Ch
		mov	[esp+28h+var_C], esi
		cmp	esi, ecx
		jnb	loc_647315

loc_64741F:				; CODE XREF: MiScrubNode(x)+7Dj
					; MiScrubNode(x)+BCj
		mov	edx, [esp+28h+var_14]

loc_647423:				; CODE XREF: MiScrubNode(x)+75j
		mov	esi, [esp+28h+var_18]

loc_647427:				; CODE XREF: MiScrubNode(x)+4Bj
		mov	ecx, [ebx+34h]
		inc	edx
		mov	[esp+28h+var_14], edx
		cmp	edx, [ecx]
		jb	loc_6472DF

loc_647437:				; CODE XREF: MiScrubNode(x)+3Fj
					; MiScrubNode(x)+8Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiScrubNode@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiScrubPage(x, x, x, x)
_MiScrubPage@16	proc near		; CODE XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+449p
					; MiScrubAwePage(x,x,x)+27p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		sub	edx, ds:_MmPfnDatabase
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		mov	[ebp+var_4], ecx
		push	1Ch
		cdq
		xor	edi, edi
		pop	esi
		idiv	esi
		cmp	[ebp+arg_0], edi
		jz	short loc_647466
		mov	esi, [ebp+arg_0]
		mov	ebx, edi
		jmp	short loc_64747C
; 

loc_647466:				; CODE XREF: MiScrubPage(x,x,x,x)+1Fj
		push	0FFFFFFFFh
		add	ecx, 1Ch
		mov	edx, eax
		call	MiGetPteFromCopyList
		mov	ecx, [ebp+var_4]
		mov	ebx, eax
		mov	esi, ebx
		shl	esi, 9

loc_64747C:				; CODE XREF: MiScrubPage(x,x,x,x)+26j
		test	[ebp+arg_4], 1
		jz	short loc_647494
		mov	edi, [ecx+2Ch]
		push	1000h		; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_647494:				; CODE XREF: MiScrubPage(x,x,x,x)+42j
		mov	ecx, esi
		call	_RtlScrubMemory@8 ; RtlScrubMemory(x,x)
		mov	ecx, eax
		mov	dword ptr [ebp+arg_4], ecx
		test	edi, edi
		jz	short loc_6474B6
		push	1000h		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcpy
		mov	ecx, dword ptr [ebp+arg_4]
		add	esp, 0Ch

loc_6474B6:				; CODE XREF: MiScrubPage(x,x,x,x)+64j
		cmp	[ebp+arg_0], 0
		jnz	short loc_6474CC
		mov	eax, ds:_ZeroPte
		mov	[ebx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ebx+4], eax

loc_6474CC:				; CODE XREF: MiScrubPage(x,x,x,x)+7Cj
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		inc	dword ptr [eax+30h]
		mov	eax, ecx
		leave
		retn	8
_MiScrubPage@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiScrubProcessLargePages(x)
_MiScrubProcessLargePages@4 proc near	; CODE XREF: MiScrubProcesses(x,x)+8Ep

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	[ebp+var_24], ecx
		mov	edi, [esi+80h]
		dec	word ptr [esi+13Ch]
		mov	[ebp+var_20], edi
		nop
		dec	word ptr [esi+13Eh]
		nop
		lea	ebx, [edi+134h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		or	byte ptr [esi+304h], 2
		nop
		test	byte ptr [edi+0FCh], 20h
		jz	short loc_647558
		and	byte ptr [esi+304h], 0FDh
		xor	ecx, ecx
		push	11h
		pop	eax
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jz	short loc_647545
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_647545:				; CODE XREF: MiScrubProcessLargePages(x)+61j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_6476F7
; 

loc_647558:				; CODE XREF: MiScrubProcessLargePages(x)+4Cj
		and	[ebp+var_18], 0
		xor	eax, eax
		and	[ebp+var_14], 0
		mov	[ebp+var_8], eax
		mov	eax, [edi+394h]
		xor	edi, edi
		mov	[ebp+var_4], eax
		mov	eax, [ebp+var_20]
		mov	[ebp+var_1C], 0Dh
		mov	eax, [eax+350h]
		jmp	short loc_647586
; 

loc_647582:				; CODE XREF: MiScrubProcessLargePages(x)+ADj
		mov	edi, eax
		mov	eax, [eax]

loc_647586:				; CODE XREF: MiScrubProcessLargePages(x)+A5j
		test	eax, eax
		jnz	short loc_647582
		cmp	[ebp+var_4], eax
		jz	loc_64764B

loc_647593:				; CODE XREF: MiScrubProcessLargePages(x)+16Aj
		test	edi, edi
		jz	loc_64764B
		mov	eax, [edi+4]
		mov	edx, edi
		mov	[ebp+var_10], edx
		mov	ecx, edi
		test	eax, eax
		jz	short loc_6475C3
		mov	edi, eax
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_6475CB

loc_6475B1:				; CODE XREF: MiScrubProcessLargePages(x)+DEj
		mov	eax, [ecx]
		mov	edi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_6475B1
		jmp	short loc_6475CB
; 

loc_6475BD:				; CODE XREF: MiScrubProcessLargePages(x)+EEj
		cmp	[edi], ecx
		jz	short loc_6475CB
		mov	ecx, edi

loc_6475C3:				; CODE XREF: MiScrubProcessLargePages(x)+CCj
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		jnz	short loc_6475BD

loc_6475CB:				; CODE XREF: MiScrubProcessLargePages(x)+D4j
					; MiScrubProcessLargePages(x)+E0j ...
		mov	ecx, edx
		call	_MiIsVadLargePrivate@4 ; MiIsVadLargePrivate(x)
		test	eax, eax
		jz	short loc_647640
		mov	eax, [edx+1Ch]
		mov	ecx, offset loc_500000
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_647640
		dec	word ptr [esi+13Eh]
		nop
		lea	eax, [edx+18h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	ExAcquirePushLockSharedEx
		or	byte ptr [esi+305h], 40h
		nop
		mov	ecx, [ebp+var_10]
		test	byte ptr [ecx+1Ch], 4
		jz	loc_647703
		and	byte ptr [esi+305h], 0BFh
		xor	ecx, ecx
		mov	edx, [ebp+var_C]
		push	11h
		pop	eax
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jz	short loc_647632
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, [ebp+var_C]

loc_647632:				; CODE XREF: MiScrubProcessLargePages(x)+14Bj
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_647640:				; CODE XREF: MiScrubProcessLargePages(x)+F9j
					; MiScrubProcessLargePages(x)+107j
		mov	eax, [ebp+var_4]

loc_647643:				; CODE XREF: MiScrubProcessLargePages(x)+2ACj
		test	eax, eax
		jnz	loc_647593

loc_64764B:				; CODE XREF: MiScrubProcessLargePages(x)+B2j
					; MiScrubProcessLargePages(x)+BAj ...
		and	byte ptr [esi+304h], 0FDh
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_647667
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_647667:				; CODE XREF: MiScrubProcessLargePages(x)+183j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_1C], 1
		test	ecx, ecx
		jz	short loc_6476F7

loc_647683:				; CODE XREF: MiScrubProcessLargePages(x)+21Aj
		mov	eax, [ecx]
		lea	ebx, [ecx+4]
		and	[ebp+var_18], 0
		mov	[ebp+var_14], eax

loc_64768F:				; CODE XREF: MiScrubProcessLargePages(x)+203j
		mov	edi, [ebx]
		test	edi, edi
		jz	short loc_6476E0
		dec	word ptr [esi+13Eh]
		nop
		lea	ecx, [edi+18h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi+304h], 80h
		nop
		test	byte ptr [edi+1Ch], 4
		jnz	short loc_6476CA
		cmp	[ebp+var_1C], 1
		jnz	short loc_6476CA
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_24]
		push	edi
		call	_MiScrubLargeMappedPage@12 ; MiScrubLargeMappedPage(x,x,x)
		mov	[ebp+var_1C], eax

loc_6476CA:				; CODE XREF: MiScrubProcessLargePages(x)+1D8j
					; MiScrubProcessLargePages(x)+1DEj
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		mov	eax, [ebp+var_18]
		add	ebx, 4
		inc	eax
		mov	[ebp+var_18], eax
		cmp	eax, 0Dh
		jb	short loc_64768F

loc_6476E0:				; CODE XREF: MiScrubProcessLargePages(x)+1B8j
		mov	eax, [ebp+var_8]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_14]
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	eax, eax
		jnz	short loc_647683

loc_6476F7:				; CODE XREF: MiScrubProcessLargePages(x)+78j
					; MiScrubProcessLargePages(x)+1A6j
		mov	ecx, esi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_647703:				; CODE XREF: MiScrubProcessLargePages(x)+12Fj
		mov	edx, [ebp+var_1C]
		cmp	edx, 0Dh
		jb	short loc_64773F
		push	0
		push	100h
		push	38h
		mov	edx, 7356694Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		xor	edx, edx
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jz	short loc_64778C
		cmp	[ebp+var_8], edx
		jnz	short loc_647734
		mov	[ebp+var_8], ecx
		jmp	short loc_647739
; 

loc_647734:				; CODE XREF: MiScrubProcessLargePages(x)+252j
		mov	eax, [ebp+var_14]
		mov	[eax], ecx

loc_647739:				; CODE XREF: MiScrubProcessLargePages(x)+257j
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+var_10]

loc_64773F:				; CODE XREF: MiScrubProcessLargePages(x)+22Ej
		mov	eax, [ebp+var_18]
		mov	[eax+edx*4+4], ecx
		inc	edx
		xor	eax, eax
		mov	[ebp+var_1C], edx
		inc	eax
		lock xadd [ecx+14h], eax
		jz	short loc_6477BF
		and	byte ptr [esi+305h], 0BFh
		xor	edx, edx
		mov	ecx, [ebp+var_C]
		push	11h
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_647774
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+var_C]

loc_647774:				; CODE XREF: MiScrubProcessLargePages(x)+28Fj
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_4]
		dec	eax
		mov	[ebp+var_4], eax
		jmp	loc_647643
; 

loc_64778C:				; CODE XREF: MiScrubProcessLargePages(x)+24Dj
		mov	edi, [ebp+var_10]
		and	byte ptr [esi+305h], 0BFh
		add	edi, 18h
		push	11h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_6477AC
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_6477AC:				; CODE XREF: MiScrubProcessLargePages(x)+2C8j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_64764B
; 

loc_6477BF:				; CODE XREF: MiScrubProcessLargePages(x)+277j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_MiScrubProcessLargePages@4 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmEnumerateBadPages(x)
_MmEnumerateBadPages@4 proc near	; CODE XREF: PAGE:007815BCp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+18h+var_10], ecx
		and	dword ptr [ecx], 0
		lea	edi, [esp+18h+var_C]
		stosd
		stosd
		stosd
		jmp	loc_64787F
; 

loc_6477E6:				; CODE XREF: MmEnumerateBadPages(x)+C3j
		add	esi, 10h
		mov	edx, 61426D4Dh
		push	0
		mov	ecx, esi
		shl	ecx, 2
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_64791B
		lea	edx, [esp+18h+var_C]
		mov	ecx, offset unk_6D5750
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, ds:dword_6D5740
		cmp	ecx, esi
		jnb	short loc_647822
		test	ecx, ecx
		jnz	short loc_647895

loc_647822:				; CODE XREF: MmEnumerateBadPages(x)+58j
		test	ds:byte_70EFC6,	1
		jz	short loc_647839
		mov	edx, [ebp+4]
		lea	ecx, [esp+18h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_64786D
; 

loc_647839:				; CODE XREF: MmEnumerateBadPages(x)+65j
		mov	eax, [esp+18h+var_C]
		test	eax, eax
		jnz	short loc_64785C
		mov	edx, [esp+18h+var_8]
		lea	eax, [esp+18h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+18h+var_C]
		cmp	eax, ecx
		jz	short loc_64786D
		call	KxWaitForLockChainValid

loc_64785C:				; CODE XREF: MmEnumerateBadPages(x)+7Bj
		xor	ecx, ecx
		mov	[esp+18h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_64786D:				; CODE XREF: MmEnumerateBadPages(x)+73j
					; MmEnumerateBadPages(x)+91j
		mov	cl, [esp+18h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_64787F:				; CODE XREF: MmEnumerateBadPages(x)+1Dj
		mov	esi, ds:dword_6D5740
		test	esi, esi
		jnz	loc_6477E6

loc_64788D:				; CODE XREF: MmEnumerateBadPages(x)+152j
		xor	eax, eax

loc_64788F:				; CODE XREF: MmEnumerateBadPages(x)+15Cj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_647895:				; CODE XREF: MmEnumerateBadPages(x)+5Cj
		mov	[edi], ecx
		mov	edx, offset loc_7FFFFF
		mov	eax, ds:dword_6D5748
		cmp	eax, edx
		jz	short loc_6478BB
		mov	ecx, edi

loc_6478A7:				; CODE XREF: MmEnumerateBadPages(x)+F5j
		lea	ecx, [ecx+4]
		mov	[ecx], eax
		imul	eax, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	eax, [eax]
		cmp	eax, edx
		jnz	short loc_6478A7

loc_6478BB:				; CODE XREF: MmEnumerateBadPages(x)+DFj
		test	ds:byte_70EFC6,	1
		jz	short loc_6478D2
		mov	edx, [ebp+4]
		lea	ecx, [esp+18h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_647906
; 

loc_6478D2:				; CODE XREF: MmEnumerateBadPages(x)+FEj
		mov	eax, [esp+18h+var_C]
		test	eax, eax
		jnz	short loc_6478F5
		mov	edx, [esp+18h+var_8]
		lea	eax, [esp+18h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+18h+var_C]
		cmp	eax, ecx
		jz	short loc_647906
		call	KxWaitForLockChainValid

loc_6478F5:				; CODE XREF: MmEnumerateBadPages(x)+114j
		xor	ecx, ecx
		mov	[esp+18h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_647906:				; CODE XREF: MmEnumerateBadPages(x)+10Cj
					; MmEnumerateBadPages(x)+12Aj
		mov	cl, [esp+18h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+18h+var_10]
		mov	[eax], edi
		jmp	loc_64788D
; 

loc_64791B:				; CODE XREF: MmEnumerateBadPages(x)+3Cj
		mov	eax, 0C000009Ah
		jmp	loc_64788F
_MmEnumerateBadPages@4 endp


;  S U B	R O U T	I N E 


; __stdcall ObpProcessRemoveObjectDpcWorker(x, x, x, x)
_ObpProcessRemoveObjectDpcWorker@16 proc near ;	DATA XREF: ObInitSystem+16Co
		push	0
		push	offset _ObpRemoveObjectWorkItem
		call	ExQueueWorkItem
		retn	10h
_ObpProcessRemoveObjectDpcWorker@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSignalAndWaitForSingleObject(x, x, x, x)
_NtSignalAndWaitForSingleObject@16 proc	near ; DATA XREF: .text:00580C3Co

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	3Ch
		push	offset dword_6A8C48
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_28], edx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_24], al
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jz	short loc_6479B9
		test	al, al
		jz	short loc_6479B9
		mov	[ebp+ms_exc.disabled], edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jb	short loc_64797F
		mov	edi, eax

loc_64797F:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+47j
		nop
		mov	eax, [edi]
		mov	ecx, [edi+4]
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], ecx
		lea	edi, [ebp+var_44]
		mov	[ebp+arg_C], edi
		push	0FFFFFFFEh
		pop	ebx
		mov	[ebp+ms_exc.disabled], ebx
		jmp	short loc_6479BC
; 

loc_647999:				; DATA XREF: .text:006A8C5Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_6479A7:				; DATA XREF: .text:006A8C60o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_2C]
		jmp	loc_647B6B
; 

loc_6479B9:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+37j
					; NtSignalAndWaitForSingleObject(x,x,x,x)+3Bj
		push	0FFFFFFFEh
		pop	ebx

loc_6479BC:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+63j
		lea	eax, [ebp+var_4C]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	7457624Fh
		push	[ebp+var_24]
		push	edx
		push	edx
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_647B69
		push	0
		lea	eax, [ebp+var_28]
		push	eax
		push	7457624Fh
		push	[ebp+var_24]
		push	0
		push	100000h
		push	[ebp+arg_4]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_647B5C
		mov	ecx, [ebp+var_28]
		lea	ecx, [ecx-18h]
		call	ObpGetWaitObject
		mov	[ebp+arg_0], eax
		mov	edx, [ebp+var_20]
		lea	ecx, [edx-18h]
		shr	ecx, 8
		movzx	esi, cl
		movzx	ecx, byte ptr [edx-0Ch]
		xor	esi, ecx
		movzx	ecx, byte ptr ds:_ObHeaderCookie
		xor	esi, ecx
		mov	eax, ds:_ObTypeIndexTable[esi*4]
		mov	esi, 0C0000022h
		cmp	eax, ds:_ExEventObjectType
		jnz	short loc_647A69
		cmp	[ebp+var_19], 0
		jz	short loc_647A57
		mov	eax, [ebp+var_48]
		not	eax
		test	al, 2
		jnz	loc_647B4F

loc_647A57:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+114j
		xor	eax, eax
		inc	eax
		push	eax
		push	eax
		push	[ebp+var_20]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_647AE9
; 

loc_647A69:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+10Ej
		cmp	eax, ds:_ExMutantObjectType
		jnz	short loc_647AB6
		xor	eax, eax
		inc	eax
		mov	[ebp+ms_exc.disabled], eax
		push	eax
		push	0
		push	eax
		push	[ebp+var_20]
		call	KeReleaseMutant
		jmp	short loc_647AE6
; 

loc_647A85:				; DATA XREF: .text:006A8C68o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		cmp	eax, 80h
		jz	short loc_647AA0
		cmp	eax, 0C0000046h
		jz	short loc_647AA0
		xor	eax, eax
		retn
; 

loc_647AA0:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+160j
					; NtSignalAndWaitForSingleObject(x,x,x,x)+167j
		xor	eax, eax
		inc	eax
		retn
; 

loc_647AA4:				; DATA XREF: .text:006A8C6Co
		mov	esi, [ebp+var_30]

loc_647AA7:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+1F3j
					; NtSignalAndWaitForSingleObject(x,x,x,x)+211j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_647B4F
; 

loc_647AB6:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+13Bj
		cmp	eax, ds:_ExSemaphoreObjectType
		jnz	loc_647B4A
		cmp	[ebp+var_19], 0
		jz	short loc_647AD1
		mov	eax, [ebp+var_48]
		not	eax
		test	al, 2
		jnz	short loc_647B4F

loc_647AD1:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+192j
		mov	[ebp+ms_exc.disabled], 2
		xor	eax, eax
		inc	eax
		push	eax
		push	eax
		push	eax
		push	[ebp+var_20]
		call	KeReleaseSemaphore

loc_647AE6:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+14Fj
		mov	[ebp+ms_exc.disabled], ebx

loc_647AE9:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+130j
		mov	[ebp+ms_exc.disabled], 3
		push	edi
		push	[ebp+arg_8]
		push	[ebp+var_24]
		push	6
		push	[ebp+arg_0]
		call	KeWaitForSingleObject
		mov	esi, eax
		mov	[ebp+var_38], esi
		mov	[ebp+ms_exc.disabled], ebx
		jmp	short loc_647B4F
; 

loc_647B0B:				; DATA XREF: .text:006A8C80o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	ecx, [eax]
		mov	[ebp+var_34], ecx
		xor	eax, eax
		cmp	ecx, 0C0000191h
		setz	al
		retn
; 

loc_647B21:				; DATA XREF: .text:006A8C84o
		mov	esi, [ebp+var_34]
		mov	[ebp+var_38], esi
		jmp	loc_647AA7
; 

loc_647B2C:				; DATA XREF: .text:006A8C74o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	ecx, [eax]
		mov	[ebp+var_3C], ecx
		xor	eax, eax
		cmp	ecx, 0C0000047h
		setz	al
		retn
; 

loc_647B42:				; DATA XREF: .text:006A8C78o
		mov	esi, [ebp+var_3C]
		jmp	loc_647AA7
; 

loc_647B4A:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+188j
		mov	esi, 0C0000024h

loc_647B4F:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+11Dj
					; NtSignalAndWaitForSingleObject(x,x,x,x)+17Dj	...
		mov	edx, 7457624Fh
		mov	ecx, [ebp+var_28]
		call	ObfDereferenceObjectWithTag

loc_647B5C:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+CDj
		mov	edx, 7457624Fh
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObjectWithTag

loc_647B69:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+A6j
		mov	eax, esi

loc_647B6B:				; CODE XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+80j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_NtSignalAndWaitForSingleObject@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpDeferPushRefDerefInfo(x,	x, x, x, x, x)
_ObpDeferPushRefDerefInfo@24 proc near	; CODE XREF: ObpPushStackInfo(x,x,x,x):loc_647CCFp

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1], dl
		mov	ecx, offset _ObpWorkItemFreeList
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	short loc_647BF4
		push	ebx
		lea	ebx, [eax+4]
		mov	al, [ebp+var_1]
		mov	[ebx+8], al
		mov	ax, [ebp+arg_0]
		push	edi
		mov	[ebx+0Ah], ax
		lea	edi, [ebx+14h]
		mov	eax, [ebp+arg_4]
		mov	[ebx+4], esi
		mov	esi, [ebp+arg_8]
		mov	[ebx+10h], eax
		mov	eax, [ebp+arg_C]
		push	10h
		mov	[ebx+0Ch], eax
		pop	ecx
		rep movsd
		mov	edx, ds:_ObpPushStackInfoList
		mov	esi, offset _ObpPushStackInfoList
		mov	[ebx], edx
		mov	eax, edx
		jmp	short loc_647BD9
; 

loc_647BD5:				; CODE XREF: ObpDeferPushRefDerefInfo(x,x,x,x,x,x)+64j
		mov	edx, eax
		mov	[ebx], eax

loc_647BD9:				; CODE XREF: ObpDeferPushRefDerefInfo(x,x,x,x,x,x)+56j
		mov	ecx, ebx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_647BD5
		pop	edi
		pop	ebx
		test	edx, edx
		jnz	short loc_647BF4
		push	edx
		push	offset _ObpPushStackInfoWorkItem
		call	ExQueueWorkItem

loc_647BF4:				; CODE XREF: ObpDeferPushRefDerefInfo(x,x,x,x,x,x)+18j
					; ObpDeferPushRefDerefInfo(x,x,x,x,x,x)+6Aj
		pop	esi
		leave
		retn	10h
_ObpDeferPushRefDerefInfo@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpPushStackInfo(x,	x, x, x)
_ObpPushStackInfo@16 proc near		; CODE XREF: .text:00522E7Cp
					; ObfDereferenceObject+88E86p ...

var_42		= byte ptr -42h
Source2		= dword	ptr -41h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		lea	eax, [esp+54h+Source2+1]
		mov	byte ptr [esp+54h+Source2], dl
		push	0		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		test	byte ptr ds:dword_70EFD0, 80h
		jz	short loc_647C43
		push	[ebp+arg_4]
		xor	ecx, ecx
		mov	edx, ebx
		cmp	byte ptr [esp+54h+Source2], cl
		push	[ebp+arg_0]
		setz	cl
		add	ecx, 1132h
		call	_EtwTraceObjectOperation@16 ; EtwTraceObjectOperation(x,x,x,x)

loc_647C43:				; CODE XREF: ObpPushStackInfo(x,x,x,x)+2Cj
		test	byte ptr ds:_ObpTraceFlags, 73h
		jz	loc_647CD4
		test	byte ptr [ebx+0Dh], 1
		jz	short loc_647CD4
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_647CD4
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	short loc_647CD4
		push	0
		lea	eax, [esp+54h+Source2+1]
		xor	edi, edi
		push	eax
		push	10h
		pop	esi
		push	esi
		inc	edi
		push	edi
		call	RtlCaptureStackBackTrace
		movzx	eax, ax
		cmp	eax, edi
		jb	short loc_647CD4
		cmp	eax, esi
		jnb	short loc_647CA0
		sub	esi, eax
		lea	ecx, [esp+50h+Source2+1]
		shl	esi, 2
		lea	eax, [ecx+eax*4]
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_647CA0:				; CODE XREF: ObpPushStackInfo(x,x,x,x)+8Dj
		lock xadd ds:_ObpStackSequence,	edi
		inc	edi
		mov	eax, [ebp+arg_0]
		movzx	esi, ax
		call	_MmCanThreadFault@0 ; MmCanThreadFault()
		push	[ebp+arg_4]	; int
		mov	dl, byte ptr [esp+54h+Source2] ; int
		test	eax, eax
		lea	eax, [esp+54h+Source2+1]
		mov	ecx, ebx	; int
		push	eax		; Source2
		push	edi		; int
		push	esi		; __int16
		jz	short loc_647CCF
		call	_ObpPushRefDerefInfo@24	; ObpPushRefDerefInfo(x,x,x,x,x,x)
		jmp	short loc_647CD4
; 

loc_647CCF:				; CODE XREF: ObpPushStackInfo(x,x,x,x)+CDj
		call	_ObpDeferPushRefDerefInfo@24 ; ObpDeferPushRefDerefInfo(x,x,x,x,x,x)

loc_647CD4:				; CODE XREF: ObpPushStackInfo(x,x,x,x)+51j
					; ObpPushStackInfo(x,x,x,x)+5Bj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_ObpPushStackInfo@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfLogFileDataAccess(x, x, x, x, x, x)
_PfLogFileDataAccess@24	proc near	; CODE XREF: MiLogRelocationRva+14FF8Ep

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, edx
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)
		cmp	eax, ds:dword_6D3158
		jnb	short loc_647CFC
		xor	eax, eax
		jmp	short loc_647D6E
; 

loc_647CFC:				; CODE XREF: PfLogFileDataAccess(x,x,x,x,x,x)+19j
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	esi, [edx+150h]
		shrd	ecx, eax, 0Ch
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_14], ecx
		and	eax, 7FFFFFFFh
		mov	ecx, [ebp+arg_C]
		mov	edx, [esi+0E4h]
		shl	ecx, 1Fh
		or	ecx, eax
		mov	[ebp+var_18], edi
		mov	eax, [esi+104h]
		xor	eax, edx
		mov	[ebp+var_10], ecx
		mov	ecx, [esi+100h]
		xor	eax, ecx
		and	eax, 1FFFFFFFh
		shr	ecx, 3
		and	ecx, 1C000000h
		mov	[ebp+var_4], edx
		xor	eax, ecx
		mov	[ebp+var_C], eax
		mov	eax, ds:dword_6FB628
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_18]
		push	18h		; size_t
		push	eax		; void *
		call	_PFP_GET_CURRENT_TIME@0	; PFP_GET_CURRENT_TIME()
		push	0Ah
		mov	edx, eax
		pop	ecx
		call	PfLogEvent

loc_647D6E:				; CODE XREF: PfLogFileDataAccess(x,x,x,x,x,x)+1Dj
		pop	edi
		pop	esi
		leave
		retn	10h
_PfLogFileDataAccess@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnPowerBoostDpc(x, x, x, x)
_PfSnPowerBoostDpc@16 proc near		; DATA XREF: PfSnPowerBoostInitialize(x)+24o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	0
		add	eax, 50h
		push	eax
		call	ExQueueWorkItem
		pop	ebp
		retn	10h
_PfSnPowerBoostDpc@16 endp


;  S U B	R O U T	I N E 


; __stdcall PfFbBufferListShutdown(x)
_PfFbBufferListShutdown@4 proc near	; CODE XREF: PfTCleanup(x,x)+F1p
					; PfTCleanup(x,x)+F8p
		jmp	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
_PfFbBufferListShutdown@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PopInternalAddToDumpFile(x, x, x)
@PopInternalAddToDumpFile@12 proc near	; CODE XREF: PopSetRange+8B445p
					; PopSetRange+8B45Dp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ecx, ecx
		jz	short loc_647DC3
		push	esi
		mov	esi, 0FFFFF000h
		test	edx, edx
		jz	short loc_647DB6
		mov	eax, ecx
		add	edx, 0FFFh
		and	eax, 0FFFh
		add	edx, eax
		and	edx, esi
		jmp	short loc_647DBB
; 

loc_647DB6:				; CODE XREF: PopInternalAddToDumpFile(x,x,x)+11j
		mov	edx, 1000h

loc_647DBB:				; CODE XREF: PopInternalAddToDumpFile(x,x,x)+24j
		and	ecx, esi
		call	IoAddTriageDumpDataBlock
		pop	esi

loc_647DC3:				; CODE XREF: PopInternalAddToDumpFile(x,x,x)+7j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_647DCF
		call	@PopInternalSaveStackToDumpFile@4 ; PopInternalSaveStackToDumpFile(x)

loc_647DCF:				; CODE XREF: PopInternalAddToDumpFile(x,x,x)+38j
		mov	edx, 80h
		mov	ecx, offset _PopHiberInfo
		call	IoAddTriageDumpDataBlock
		mov	edx, 178h
		mov	ecx, offset _PopAction
		call	IoAddTriageDumpDataBlock
		mov	ecx, ds:dword_6C26F4
		test	ecx, ecx
		jz	short loc_647E01
		mov	edx, 108h
		call	IoAddTriageDumpDataBlock

loc_647E01:				; CODE XREF: PopInternalAddToDumpFile(x,x,x)+65j
		mov	ecx, ds:dword_6C26F8
		test	ecx, ecx
		jz	short loc_647E15
		mov	edx, 138h
		call	IoAddTriageDumpDataBlock

loc_647E15:				; CODE XREF: PopInternalAddToDumpFile(x,x,x)+79j
		mov	edx, 188h
		mov	ecx, offset _PopCB
		call	IoAddTriageDumpDataBlock
		pop	ebp
		retn	4
@PopInternalAddToDumpFile@12 endp


;  S U B	R O U T	I N E 


; __fastcall PopInternalSaveStackToDumpFile(x)
@PopInternalSaveStackToDumpFile@4 proc near ; CODE XREF: PopInternalAddToDumpFile(x,x,x)+3Ap
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	loc_647F36
		push	ebx
		push	edi

loc_647E37:				; CODE XREF: PopInternalSaveStackToDumpFile(x)+106j
		mov	edx, 0B8h
		mov	ecx, esi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	loc_647F34
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	edi, [esi+8]
		test	edi, edi
		jz	short loc_647E88
		mov	edx, 0A8h
		mov	ecx, edi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_647E88
		movsx	edx, word ptr [edi+2]
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+20h]
		test	ecx, ecx
		jz	short loc_647E88
		movzx	edx, word ptr [edi+1Ch]
		call	IoAddTriageDumpDataBlock

loc_647E88:				; CODE XREF: PopInternalSaveStackToDumpFile(x)+33j
					; PopInternalSaveStackToDumpFile(x)+43j ...
		mov	edi, [esi+0B0h]
		test	edi, edi
		jz	loc_647F29
		push	4
		pop	edx
		mov	ecx, edi
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	loc_647F29
		movzx	edx, word ptr [edi+2]
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+14h]
		test	ecx, ecx
		jz	short loc_647ED9
		mov	edx, ecx
		and	ecx, 0FFFFF000h
		and	edx, 0FFFh
		add	edx, 11FFh
		and	edx, 0FFFFF000h
		call	IoAddTriageDumpDataBlock

loc_647ED9:				; CODE XREF: PopInternalSaveStackToDumpFile(x)+90j
		mov	ebx, [edi+18h]
		test	ebx, ebx
		jz	short loc_647EFB
		mov	edx, 0B8h
		mov	ecx, ebx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_647EFB
		movzx	edx, word ptr [ebx+2]
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock

loc_647EFB:				; CODE XREF: PopInternalSaveStackToDumpFile(x)+B6j
					; PopInternalSaveStackToDumpFile(x)+C6j
		mov	ecx, [edi+28h]
		test	ecx, ecx
		jz	short loc_647F1A
		push	58h
		pop	edx
		call	_IopIsAddressRangeValid@8 ; IopIsAddressRangeValid(x,x)
		test	al, al
		jz	short loc_647F1A
		mov	ecx, [edi+28h]
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock

loc_647F1A:				; CODE XREF: PopInternalSaveStackToDumpFile(x)+D8j
					; PopInternalSaveStackToDumpFile(x)+E4j
		mov	ecx, [edi+0Ch]
		test	ecx, ecx
		jz	short loc_647F29
		push	44h
		pop	edx
		call	IoAddTriageDumpDataBlock

loc_647F29:				; CODE XREF: PopInternalSaveStackToDumpFile(x)+68j
					; PopInternalSaveStackToDumpFile(x)+7Aj ...
		mov	esi, [esi+10h]
		test	esi, esi
		jnz	loc_647E37

loc_647F34:				; CODE XREF: PopInternalSaveStackToDumpFile(x)+1Dj
		pop	edi
		pop	ebx

loc_647F36:				; CODE XREF: PopInternalSaveStackToDumpFile(x)+7j
		pop	esi
		retn
@PopInternalSaveStackToDumpFile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall _PopInternalError(x)
@_PopInternalError@4 proc near		; CODE XREF: PopWriteHiberPages+CF38p
					; PopCreateDumpMdl+C7DEp ...

var_C		= dword	ptr -0Ch
arg_8		= dword	ptr  0Ch

		push	0
		push	0
		push	ecx
		push	2
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall PopIrpWatchdog(x, x, x, x)
_PopIrpWatchdog@16:			; DATA XREF: PopEnableIrpWatchdog(x)+25o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		mov	ecx, offset _PopIrpLock
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [ebp+arg_8]
		call	_PopIrpWatchdogBugcheck@4 ; PopIrpWatchdogBugcheck(x)
		int	3		; Trap to Debugger
@_PopInternalError@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIrpWatchdogBugcheck(x)
_PopIrpWatchdogBugcheck@4 proc near	; CODE XREF: PopDequeueQuerySetIrp+85828p
					; _PopInternalError(x)+33p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, ecx
		cmp	[edi+6Ch], eax
		jnz	short loc_647FB5
		mov	ecx, [edi+0Ch]
		test	ecx, ecx
		jz	short loc_647F94
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]

loc_647F94:				; CODE XREF: PopIrpWatchdogBugcheck(x)+18j
		mov	ecx, [eax+98h]
		test	ecx, ecx
		jz	short loc_647FB5
		movsx	eax, byte ptr [ecx+22h]
		add	eax, 3
		imul	eax, 24h
		mov	ecx, [eax+ecx]
		mov	al, [ecx+68h]
		cmp	al, [edi+68h]
		jnz	short loc_647FB5
		mov	edi, ecx

loc_647FB5:				; CODE XREF: PopIrpWatchdogBugcheck(x)+11j
					; PopIrpWatchdogBugcheck(x)+2Bj ...
		push	dword ptr [edi+0Ch]
		mov	esi, [edi+8]
		xor	edx, edx
		xor	ecx, ecx
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	edx, 98h
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		push	2
		mov	eax, 8000h
		mov	[ebp+var_10], offset _PopIrpList
		mov	word ptr [ebp+var_14], ax
		pop	eax
		mov	word ptr [ebp+var_14+2], ax
		mov	eax, ds:_ExWorkerQueue
		mov	[ebp+var_8], eax
		mov	eax, ds:_IoWorkerQueue
		push	esi
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_14]
		push	eax
		mov	[ebp+var_C], offset _PopIrpThreadList
		push	dword ptr [edi+0Ch]
		push	3
		push	9Fh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_PopIrpWatchdogBugcheck@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopReadShutdownPolicy()
_PopReadShutdownPolicy@0 proc near	; CODE XREF: PAGELK:0071EB95p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= byte ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		xor	esi, esi
		push	offset _PopShutdownPowerOffPolicyRegKey
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		stosd
		mov	[ebp+var_1C], esi
		mov	[ebp+var_28], esi
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_24]
		mov	[ebp+var_40], 18h
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_3C], esi
		push	eax
		mov	[ebp+var_34], 240h
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_6480CE
		push	offset _PopShutdownPowerOffPolicyRegName
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_28]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_6480C6
		cmp	[ebp+var_14], 4
		jnz	short loc_6480C6
		cmp	[ebp+var_C], 1
		setz	ds:_PopShutdownPowerOffPolicy

loc_6480C6:				; CODE XREF: PopReadShutdownPolicy()+95j
					; PopReadShutdownPolicy()+9Bj
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_6480CE:				; CODE XREF: PopReadShutdownPolicy()+6Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopReadShutdownPolicy@0 endp


;  S U B	R O U T	I N E 


; __fastcall PpmPerfControlActionCallback()
@PpmPerfControlActionCallback@0	proc near ; DATA XREF: PpmPerfReadFeedback:loc_5B5EC8o
					; PpmPerfControlExecuteAction:loc_5E6F8Bo
		jmp	PpmCheckContinueExecution
@PpmPerfControlActionCallback@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoSetProcessorQoS(x, x)
_PoSetProcessorQoS@8 proc near		; CODE XREF: sub_5B68A6+38p
					; KeCheckAndApplyBamQos(x,x)+7Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_3], 1
		mov	ebx, edx
		mov	[ebp+var_2], 0
		mov	[ebp+var_1], 0
		cmp	ebx, [esi+3F08h]
		jz	loc_648237
		push	edi
		mov	edi, [esi+3EA4h]
		test	edi, edi
		jz	short loc_64812C
		cmp	byte ptr [edi+6Dh], 0
		jz	short loc_64812C
		mov	[ebp+var_1], 1
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		lea	ecx, [edi+70h]
		mov	[ebp+var_2], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_64812C:				; CODE XREF: PoSetProcessorQoS(x,x)+2Fj
					; PoSetProcessorQoS(x,x)+35j
		movzx	edx, word ptr [esi+3F10h]
		xor	eax, eax
		inc	eax
		mov	ecx, ebx
		shl	eax, cl
		test	edx, eax
		jnz	loc_6481E5
		rdtsc
		mov	[ebp+var_C], eax
		mov	ecx, edx
		sub	eax, [esi+3EF8h]
		mov	[ebp+var_8], eax
		sbb	edx, [esi+3EFCh]
		mov	eax, [esi+3F08h]
		mov	[ebp+var_10], ecx
		cmp	ebx, 3
		jz	short loc_64816F
		cmp	eax, 3
		jz	short loc_64816F
		xor	cl, cl
		jmp	short loc_648171
; 

loc_64816F:				; CODE XREF: PoSetProcessorQoS(x,x)+83j
					; PoSetProcessorQoS(x,x)+88j
		mov	cl, 1

loc_648171:				; CODE XREF: PoSetProcessorQoS(x,x)+8Cj
		cmp	ebx, 4
		jnz	short loc_64817A
		test	eax, eax
		jnz	short loc_6481AA

loc_64817A:				; CODE XREF: PoSetProcessorQoS(x,x)+93j
		test	ebx, ebx
		jz	short loc_6481AA
		cmp	ebx, eax
		jg	short loc_648186
		test	cl, cl
		jz	short loc_6481AA

loc_648186:				; CODE XREF: PoSetProcessorQoS(x,x)+9Fj
		cmp	edx, [esi+3F04h]
		ja	short loc_6481AA
		jb	short loc_64819B
		mov	eax, [ebp+var_8]
		cmp	eax, [esi+3F00h]
		jnb	short loc_6481AA

loc_64819B:				; CODE XREF: PoSetProcessorQoS(x,x)+ADj
		cmp	byte ptr [esi+3ED5h], 0
		jnz	short loc_6481AA
		mov	[ebp+var_3], 0
		jmp	short loc_64820C
; 

loc_6481AA:				; CODE XREF: PoSetProcessorQoS(x,x)+97j
					; PoSetProcessorQoS(x,x)+9Bj ...
		mov	ecx, [esi+3F00h]
		mov	eax, [esi+3F04h]
		shld	eax, ecx, 1
		add	ecx, ecx
		cmp	edx, eax
		jb	short loc_6481CB
		ja	short loc_6481C7
		cmp	[ebp+var_8], ecx
		jb	short loc_6481CB

loc_6481C7:				; CODE XREF: PoSetProcessorQoS(x,x)+DFj
		mov	al, 1
		jmp	short loc_6481CD
; 

loc_6481CB:				; CODE XREF: PoSetProcessorQoS(x,x)+DDj
					; PoSetProcessorQoS(x,x)+E4j
		xor	al, al

loc_6481CD:				; CODE XREF: PoSetProcessorQoS(x,x)+E8j
		mov	[esi+3ED5h], al
		mov	eax, [ebp+var_C]
		mov	[esi+3EF8h], eax
		mov	eax, [ebp+var_10]
		mov	[esi+3EFCh], eax

loc_6481E5:				; CODE XREF: PoSetProcessorQoS(x,x)+5Bj
		cmp	ds:_PpmPerfVmQosSupported, 0
		mov	ecx, esi
		mov	[esi+3F08h], ebx
		jz	short loc_6481FD
		call	_PpmHvSetVirtualProcessorQos@4 ; PpmHvSetVirtualProcessorQos(x)
		jmp	short loc_648206
; 

loc_6481FD:				; CODE XREF: PoSetProcessorQoS(x,x)+113j
		push	0
		mov	dl, 1
		call	PpmPerfArbitratorApplyProcessorState

loc_648206:				; CODE XREF: PoSetProcessorQoS(x,x)+11Aj
		mov	[esi+4D8h], bl

loc_64820C:				; CODE XREF: PoSetProcessorQoS(x,x)+C7j
		cmp	[ebp+var_1], 0
		jz	short loc_648236
		test	ds:byte_70EFC6,	1
		lea	eax, [edi+70h]
		jz	short loc_64822A
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64822F
; 

loc_64822A:				; CODE XREF: PoSetProcessorQoS(x,x)+13Bj
		xor	ecx, ecx
		lock and [eax],	ecx

loc_64822F:				; CODE XREF: PoSetProcessorQoS(x,x)+147j
		cmp	[ebp+var_2], 0
		jz	short loc_648236
		sti

loc_648236:				; CODE XREF: PoSetProcessorQoS(x,x)+12Fj
					; PoSetProcessorQoS(x,x)+152j
		pop	edi

loc_648237:				; CODE XREF: PoSetProcessorQoS(x,x)+20j
		mov	al, [ebp+var_3]
		pop	esi
		pop	ebx
		leave
		retn
_PoSetProcessorQoS@8 endp


;  S U B	R O U T	I N E 


; __stdcall PpmPerfComputePerfReductionTolerance(x)
_PpmPerfComputePerfReductionTolerance@4	proc near ; CODE XREF: PpmInfoAdjustSetting+170908p
		xor	edx, edx
		cmp	ecx, 5Fh
		jnb	short loc_648251

loc_648245:				; CODE XREF: PpmPerfComputePerfReductionTolerance(x)+11j
		movzx	eax, ds:byte_4282DD[edx]
		inc	edx
		cmp	ecx, eax
		jb	short loc_648245

loc_648251:				; CODE XREF: PpmPerfComputePerfReductionTolerance(x)+5j
		movzx	eax, ds:_PpmPerfReductionOffsetPercent[edx]
		retn
_PpmPerfComputePerfReductionTolerance@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPerfFeedbackCounterUpdate(x)
_PpmPerfFeedbackCounterUpdate@4	proc near
					; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+EAEp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		cmp	byte ptr [esi+21h], 0
		mov	ecx, [esi+24h]
		mov	[ebp+var_4], eax
		mov	eax, [esi]
		jnz	short loc_648287
		lea	edx, [ebp+var_4]
		call	eax
		jmp	short loc_6482AB
; 

loc_648287:				; CODE XREF: PpmPerfFeedbackCounterUpdate(x)+25j
		lea	edx, [ebp+var_14]
		push	edx
		lea	edx, [ebp+var_C]
		push	edx
		xor	dl, dl
		call	eax
		mov	eax, [ebp+var_C]
		mov	[esi+10h], eax
		mov	eax, [ebp+var_8]
		mov	[esi+14h], eax
		mov	eax, [ebp+var_14]
		mov	[esi+8], eax
		mov	eax, [ebp+var_10]
		mov	[esi+0Ch], eax

loc_6482AB:				; CODE XREF: PpmPerfFeedbackCounterUpdate(x)+2Cj
		pop	esi
		leave
		retn
_PpmPerfFeedbackCounterUpdate@4	endp


;  S U B	R O U T	I N E 


; __stdcall PpmPerfLatencySensitivityHintWorker(x)
_PpmPerfLatencySensitivityHintWorker@4 proc near ; DATA	XREF: PpmPerfInitialize+AFo
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		push	3
		pop	ecx
		mov	ds:_PpmPerfLatencyBoostQueued, 0
		call	_PpmCheckCustomRun@4 ; PpmCheckCustomRun(x)
		retn	4
_PpmPerfLatencySensitivityHintWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPerfQueryPackageId(x)
_PpmPerfQueryPackageId@4 proc near	; DATA XREF: PAGE:00A40240o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	eax, [eax+4068h]
		pop	ebp
		retn	4
_PpmPerfQueryPackageId@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPerfQueryPackageProcessorCount(x)
_PpmPerfQueryPackageProcessorCount@4 proc near ; DATA XREF: PAGE:00A40244o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, esi
		cmp	ds:_KeNumberProcessors,	esi
		jbe	short loc_648315
		push	ebx
		mov	ebx, [ebp+arg_0]

loc_6482FB:				; CODE XREF: PpmPerfQueryPackageProcessorCount(x)+2Ej
		mov	ecx, edi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		cmp	ebx, [eax+4068h]
		jnz	short loc_64830B
		inc	esi

loc_64830B:				; CODE XREF: PpmPerfQueryPackageProcessorCount(x)+24j
		inc	edi
		cmp	edi, ds:_KeNumberProcessors
		jb	short loc_6482FB
		pop	ebx

loc_648315:				; CODE XREF: PpmPerfQueryPackageProcessorCount(x)+11j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_PpmPerfQueryPackageProcessorCount@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpmPerfTelemetryCallback(x,	x)
_PpmPerfTelemetryCallback@8 proc near	; DATA XREF: PpmPerfInitialize+EFo
		xor	edx, edx
		mov	ecx, offset unk_6C3CB8
		inc	edx
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)
		retn	8
_PpmPerfTelemetryCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmRegisterPerfCap(x)
_PpmRegisterPerfCap@4 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	ebx, offset _PpmPerfPolicyLock
		push	edi
		mov	ecx, ebx
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+4]
		mov	[ebp+arg_0], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_648414
		mov	ecx, eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	esi, [eax+3EA4h]
		mov	eax, [eax+3EA0h]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_648414
		test	esi, esi
		jz	loc_648414
		mov	ebx, [edi+8]
		mov	ecx, [edi+0Ch]
		mov	eax, [edi+10h]
		xor	edi, edi
		mov	[esi+10h], eax
		mov	eax, [esi+8]
		mov	[ebp+var_4], ecx
		cmp	eax, ebx
		jz	short loc_6483F0
		push	64h
		pop	edi
		cmp	eax, edi
		jnz	short loc_6483A4
		call	KeQueryInterruptTime
		mov	[esi+1Ch], edx
		jmp	short loc_6483D0
; 

loc_6483A4:				; CODE XREF: PpmRegisterPerfCap(x)+6Bj
		cmp	ebx, edi
		jnz	short loc_6483D3
		call	KeQueryInterruptTime
		sub	eax, [esi+18h]
		push	0
		sbb	edx, [esi+1Ch]
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		call	_PopDiagTraceProcessorThrottleDurationPerfTrack@8 ; PopDiagTraceProcessorThrottleDurationPerfTrack(x,x)
		xor	eax, eax
		mov	[esi+1Ch], eax

loc_6483D0:				; CODE XREF: PpmRegisterPerfCap(x)+75j
		mov	[esi+18h], eax

loc_6483D3:				; CODE XREF: PpmRegisterPerfCap(x)+79j
		mov	ecx, [esi]
		mov	edx, ebx
		mov	[esi+8], ebx
		call	_PpmEventBiosCapChange@8 ; PpmEventBiosCapChange(x,x)
		mov	edx, [ebp+arg_0]
		sub	edi, ebx
		mov	ecx, edi
		call	_PopDiagTraceProcessorThrottlePerfTrack@8 ; PopDiagTraceProcessorThrottlePerfTrack(x,x)
		mov	ecx, [ebp+var_4]
		xor	edi, edi

loc_6483F0:				; CODE XREF: PpmRegisterPerfCap(x)+64j
		cmp	[esi+0Ch], ecx
		jz	short loc_648401
		mov	[esi+0Ch], ecx
		mov	edx, ecx
		mov	ecx, [esi]
		call	_PpmEventThermalCapChange@8 ; PpmEventThermalCapChange(x,x)

loc_648401:				; CODE XREF: PpmRegisterPerfCap(x)+C6j
		mov	eax, [ebp+var_8]
		xor	cl, cl
		mov	byte ptr [eax+215h], 1
		call	_PpmCheckApplyPerfConstraints@4	; PpmCheckApplyPerfConstraints(x)
		jmp	short loc_648420
; 

loc_648414:				; CODE XREF: PpmRegisterPerfCap(x)+22j
					; PpmRegisterPerfCap(x)+40j ...
		mov	ecx, ebx
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		mov	edi, 0C000000Dh

loc_648420:				; CODE XREF: PpmRegisterPerfCap(x)+E5j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PpmRegisterPerfCap@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1677. PoFxCompleteDirectedPowerDown

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxCompleteDirectedPowerDown(x)
		public _PoFxCompleteDirectedPowerDown@4
_PoFxCompleteDirectedPowerDown@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		call	_PopFxDerefAndCompleteDirectedPowerTransition@8	; PopFxDerefAndCompleteDirectedPowerTransition(x,x)
		pop	ebp
		retn	4
_PoFxCompleteDirectedPowerDown@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1682. PoFxIssueComponentPerfStateChange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxIssueComponentPerfStateChange(x, x, x, x, x)
		public _PoFxIssueComponentPerfStateChange@20
_PoFxIssueComponentPerfStateChange@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	1
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PoFxIssueComponentPerfStateChangeMultiple@24 ;	PoFxIssueComponentPerfStateChangeMultiple(x,x,x,x,x,x)
		pop	ebp
		retn	14h
_PoFxIssueComponentPerfStateChange@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1683. PoFxIssueComponentPerfStateChangeMultiple

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxIssueComponentPerfStateChangeMultiple(x, x, x, x, x, x)
		public _PoFxIssueComponentPerfStateChangeMultiple@24
_PoFxIssueComponentPerfStateChangeMultiple@24 proc near
					; CODE XREF: PoFxIssueComponentPerfStateChange(x,x,x,x,x)+16p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr [ebp+arg_4], 1
		jz	short loc_64847F
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_648489

loc_64847F:				; CODE XREF: PoFxIssueComponentPerfStateChangeMultiple(x,x,x,x,x,x)+9j
		mov	eax, [ebp+arg_4]
		and	eax, 3
		cmp	al, 3
		jnz	short loc_64849B

loc_648489:				; CODE XREF: PoFxIssueComponentPerfStateChangeMultiple(x,x,x,x,x,x)+13j
		mov	edx, [ebp+arg_0]
		push	1
		push	[ebp+arg_8]

loc_648491:				; CODE XREF: PoFxIssueComponentPerfStateChangeMultiple(x,x,x,x,x,x)+44j
		mov	ecx, 614h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_64849B:				; CODE XREF: PoFxIssueComponentPerfStateChangeMultiple(x,x,x,x,x,x)+1Dj
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		cmp	eax, [ecx+23Ch]
		jb	short loc_6484B0
		push	2
		push	eax
		mov	edx, ecx
		jmp	short loc_648491
; 

loc_6484B0:				; CODE XREF: PoFxIssueComponentPerfStateChangeMultiple(x,x,x,x,x,x)+3Dj
		push	[ebp+arg_14]	; int
		mov	edx, [ecx+240h]
		push	[ebp+arg_10]	; void *
		push	[ebp+arg_C]	; int
		mov	edx, [edx+eax*4]
		push	[ebp+arg_4]	; int
		call	_PopFxIssueComponentPerfStateChanges@24	; PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)
		pop	ebp
		retn	18h
_PoFxIssueComponentPerfStateChangeMultiple@24 endp ; sp	= -8

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 1686. PoFxPowerOnCrashdumpDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxPowerOnCrashdumpDevice(x, x)
		public _PoFxPowerOnCrashdumpDevice@8
_PoFxPowerOnCrashdumpDevice@8 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	esi
		xor	esi, esi
		test	eax, eax
		jnz	short loc_6484EB
		mov	esi, 0C000000Dh
		jmp	short loc_648510
; 

loc_6484EB:				; CODE XREF: PoFxPowerOnCrashdumpDevice(x,x)+Fj
		mov	ecx, [eax+158h]
		test	ecx, ecx
		jz	short loc_64850B
		mov	eax, [eax+28h]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	eax
		call	ecx
		test	al, al
		jnz	short loc_648510

loc_64850B:				; CODE XREF: PoFxPowerOnCrashdumpDevice(x,x)+20j
		mov	esi, 0C0000001h

loc_648510:				; CODE XREF: PoFxPowerOnCrashdumpDevice(x,x)+16j
					; PoFxPowerOnCrashdumpDevice(x,x)+36j
		mov	eax, esi
		pop	esi
		leave
		retn	8
_PoFxPowerOnCrashdumpDevice@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1688. PoFxQueryCurrentComponentPerfState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxQueryCurrentComponentPerfState(x, x, x,	x, x)
		public _PoFxQueryCurrentComponentPerfState@20
_PoFxQueryCurrentComponentPerfState@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		jnz	short loc_64855C
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_8]
		cmp	edx, [ecx+23Ch]
		jnb	short loc_64855C
		lfence	eax
		mov	eax, [ecx+240h]
		mov	edx, [eax+edx*4]
		xor	eax, eax
		cmp	[edx+168h], eax
		jz	short loc_64855C
		push	eax
		push	[ebp+arg_10]
		push	eax
		push	[ebp+arg_C]
		call	_PopFxQueryCurrentComponentPerfState@24	; PopFxQueryCurrentComponentPerfState(x,x,x,x,x,x)
		xor	eax, eax
		jmp	short loc_648561
; 

loc_64855C:				; CODE XREF: PoFxQueryCurrentComponentPerfState(x,x,x,x,x)+9j
					; PoFxQueryCurrentComponentPerfState(x,x,x,x,x)+17j ...
		mov	eax, 0C000000Dh

loc_648561:				; CODE XREF: PoFxQueryCurrentComponentPerfState(x,x,x,x,x)+3Ej
		pop	ebp
		retn	14h
_PoFxQueryCurrentComponentPerfState@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1695. PoFxRegisterPluginEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxRegisterPluginEx(x, x, x, x)
		public _PoFxRegisterPluginEx@16
_PoFxRegisterPluginEx@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_C]
		push	[ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_PopFxRegisterPluginEx@16 ; PopFxRegisterPluginEx(x,x,x,x)
		pop	ebp
		retn	10h
_PoFxRegisterPluginEx@16 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1700. PoFxSetComponentWake

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxSetComponentWake(x, x, x)
		public _PoFxSetComponentWake@12
_PoFxSetComponentWake@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		push	[ebp+arg_8]
		mov	ecx, [esi+1Ch]
		call	_PopDiagTraceFxComponentWake@12	; PopDiagTraceFxComponentWake(x,x,x)
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [esi+20h]
		call	_PopPepComponentSetWakeHint@12 ; PopPepComponentSetWakeHint(x,x,x)
		pop	esi
		pop	ebp
		retn	0Ch
_PoFxSetComponentWake@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxAccumulateDeviceIRPhaseAccounting(x, x)
_PopFxAccumulateDeviceIRPhaseAccounting@8 proc near
					; CODE XREF: PopFxEndDeviceIRPhaseAccounting(x,x)+2Fp
					; PopFxUpdateDeviceIRPhaseAccounting(x)+41p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	eax, ds:dword_6C23D0
		mov	ecx, [ebp+arg_4]
		sbb	ecx, ds:dword_6C23D4
		add	ds:dword_6C23F0, eax
		adc	ds:dword_6C23F4, ecx
		cmp	ecx, ds:dword_6C23E4
		jb	short loc_6485F3
		ja	short loc_6485E8
		cmp	eax, ds:dword_6C23E0
		jbe	short loc_6485F3

loc_6485E8:				; CODE XREF: PopFxAccumulateDeviceIRPhaseAccounting(x,x)+2Bj
		mov	ds:dword_6C23E0, eax
		mov	ds:dword_6C23E4, ecx

loc_6485F3:				; CODE XREF: PopFxAccumulateDeviceIRPhaseAccounting(x,x)+29j
					; PopFxAccumulateDeviceIRPhaseAccounting(x,x)+33j
		cmp	ecx, ds:dword_6C23EC
		ja	short loc_648610
		jb	short loc_648605
		cmp	eax, ds:dword_6C23E8
		jnb	short loc_648610

loc_648605:				; CODE XREF: PopFxAccumulateDeviceIRPhaseAccounting(x,x)+48j
		mov	ds:dword_6C23E8, eax
		mov	ds:dword_6C23EC, ecx

loc_648610:				; CODE XREF: PopFxAccumulateDeviceIRPhaseAccounting(x,x)+46j
					; PopFxAccumulateDeviceIRPhaseAccounting(x,x)+50j
		inc	ds:dword_6C23F8
		and	ds:dword_6C23D0, 0
		and	ds:dword_6C23D4, 0
		pop	ebp
		retn	8
_PopFxAccumulateDeviceIRPhaseAccounting@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxBeginDeviceIRPhaseAccounting(x, x)
_PopFxBeginDeviceIRPhaseAccounting@8 proc near
					; CODE XREF: PopPdcIdleResiliencyCallback(x,x)+8Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopFxGlobalDeviceAccountingLock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edi, offset _PopCsResiliencyStatsLock
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	ds:_PopFxGlobalDeviceAccountingInfo, 0
		mov	ds:byte_6C23D8,	1
		jz	short loc_648670
		mov	eax, [ebp+arg_0]
		mov	ds:dword_6C23D0, eax
		mov	eax, [ebp+arg_4]
		mov	ds:dword_6C23D4, eax

loc_648670:				; CODE XREF: PopFxBeginDeviceIRPhaseAccounting(x,x)+36j
		test	ds:byte_70EFC6,	1
		jz	short loc_648685
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64868A
; 

loc_648685:				; CODE XREF: PopFxBeginDeviceIRPhaseAccounting(x,x)+4Fj
		xor	eax, eax
		lock and [edi],	eax

loc_64868A:				; CODE XREF: PopFxBeginDeviceIRPhaseAccounting(x,x)+5Bj
		test	ds:byte_70EFC6,	1
		jz	short loc_64869F
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6486A4
; 

loc_64869F:				; CODE XREF: PopFxBeginDeviceIRPhaseAccounting(x,x)+69j
		xor	eax, eax
		lock and [esi],	eax

loc_6486A4:				; CODE XREF: PopFxBeginDeviceIRPhaseAccounting(x,x)+75j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_PopFxBeginDeviceIRPhaseAccounting@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxBugCheck(x, x,	x, x)
_PopFxBugCheck@16 proc near		; CODE XREF: PoFxActivateComponent(x,x,x)+51p
					; PopFxIdleComponent+E0p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	ecx
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_PopFxBugCheck@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxBuildDirectedDripsCandidateDeviceList(x)
_PopFxBuildDirectedDripsCandidateDeviceList@4 proc near
					; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+B1p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		sub	esp, 28h
		push	esi
		mov	esi, ecx
		push	edi
		mov	[esi+4], esi
		mov	[esi], esi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopFxBlockingDeviceListLock
		call	ExAcquirePushLockExclusiveEx
		xor	edx, edx
		mov	ecx, offset _PopFxDeviceListLock
		call	ExAcquirePushLockExclusiveEx
		mov	edi, ds:_PopFxDeviceList
		jmp	short loc_648753
; 

loc_64871C:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+8Ej
		xor	edx, edx
		lea	ecx, [edi+238h]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		and	eax, 40h
		jz	short loc_648751
		mov	ecx, edi
		call	PopFxAddRefDevice
		mov	ecx, [esi+4]
		lea	eax, [edi+254h]
		cmp	[ecx], esi
		jnz	loc_648826
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esi+4], eax

loc_648751:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+62j
		mov	edi, [edi]

loc_648753:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+4Fj
		cmp	edi, offset _PopFxDeviceList
		jnz	short loc_64871C
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _PopFxDeviceListLock
		mov	[ebp+var_8], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_64877F
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _PopFxDeviceListLock

loc_64877F:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+A5j
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	ecx, 7FFFFFFCh
		jz	loc_648920
		mov	esi, large fs:124h
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	eax, offset _PopFxDeviceListLock
		ja	short loc_6487DA
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_6487CA
		mov	eax, [ebp+var_20]
		cmp	eax, offset _PopFxDeviceListLock
		ja	short loc_6487DA
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_6487DA

loc_6487CA:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+EAj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_8], eax

loc_6487DA:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+DFj
					; PopFxBuildDirectedDripsCandidateDeviceList(x)+F4j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _PopFxDeviceListLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_64882B
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_648891
		push	ecx
		push	[ebp+var_8]
		push	offset _PopFxDeviceListLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_648826:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+76j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_64882B:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+13Bj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_648841
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_648841:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+16Cj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_648885
		or	[esi+1E4h], dl
		jmp	short loc_648891
; 

loc_648885:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+1B0j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]

loc_648891:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+145j
					; PopFxBuildDirectedDripsCandidateDeviceList(x)+1B8j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_6488FA
		test	edi, 8000h
		jz	short loc_6488B5
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6488B5:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+1DFj
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_6488CB
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_6488CB:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+1EEj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_6488DF
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_6488DF:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+207j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_6488FA
		push	[ebp+var_24]
		mov	edx, offset _PopFxDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_6488FA:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+1D7j
					; PopFxBuildDirectedDripsCandidateDeviceList(x)+21Ej
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_648920
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_648920
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_648920:				; CODE XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+BFj
					; PopFxBuildDirectedDripsCandidateDeviceList(x)+246j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_PopFxBuildDirectedDripsCandidateDeviceList@4 endp ; sp	=  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxBuildDripsBlockingDeviceList(x, x, x)
_PopFxBuildDripsBlockingDeviceList@12 proc near
					; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+9Bp
					; PopDripsWatchdogTakeAction(x,x,x)+29p

var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F1		= byte ptr -0F1h
var_F0		= dword	ptr -0F0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_C0		= dword	ptr -0C0h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 148h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_F8], ecx
		lea	edi, [ebp+var_D0]
		mov	esi, offset ??_C@_19KLPPDPHB@?$AAP?$AAC?$AAI?$AA?2@FNODOBFM@
		stosd
		xor	edx, edx
		push	8
		mov	[ebp+var_104], edx
		mov	[ebp+var_D8], edx
		stosd
		mov	[ebp+var_114], edx
		mov	[ebp+var_110], edx
		mov	[ebp+var_118], edx
		stosd
		mov	[ebp+var_D4], edx
		stosd
		lea	edi, [ebp+var_10]
		movsd
		pop	eax
		push	0Ah
		pop	ecx
		movsd
		mov	word ptr [ebp+var_138],	ax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_134], eax
		push	8
		movsw
		mov	esi, (offset loc_5A509F+1)
		mov	word ptr [ebp+var_138+2], cx
		lea	edi, [ebp+var_1C]
		mov	word ptr [ebp+var_130+2], cx
		pop	eax
		mov	word ptr [ebp+var_130],	ax
		mov	cl, 1
		movsd
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_12C], eax
		movsd
		movsw
		call	_IoLockUnlockPnpDeviceTree@4 ; IoLockUnlockPnpDeviceTree(x)
		and	[ebp+var_11C], 0
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_10C], eax
		mov	[ebp+var_DC], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopFxBlockingDeviceListLock
		call	ExAcquirePushLockExclusiveEx
		mov	edi, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_F8]
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	esi, ds:_PopFxDeviceList
		cmp	esi, offset _PopFxDeviceList
		jz	short loc_648A88

loc_648A37:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+158j
		cmp	dword ptr [esi+1Ch], 0
		lea	edi, [esi+254h]
		jz	short loc_648A79
		push	dword ptr [ebx+0Ch]
		lea	edx, [edi+8]
		mov	ecx, esi
		push	dword ptr [ebx+8]
		call	_PopFxIsDripsBlockingDevice@16 ; PopFxIsDripsBlockingDevice(x,x,x,x)
		test	al, al
		jz	short loc_648A79
		mov	ecx, esi
		call	PopFxAddRefDevice
		mov	ecx, [ebp+var_F8]
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_648B6A
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[ecx+4], edi

loc_648A79:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+118j
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+12Cj
		mov	esi, [esi]
		cmp	esi, offset _PopFxDeviceList
		jnz	short loc_648A37
		mov	edi, offset _PopFxDeviceListLock

loc_648A88:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+10Cj
		or	edx, 0FFFFFFFFh
		mov	eax, edx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_648AA1
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh

loc_648AA1:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+16Cj
		xor	edi, edi
		mov	eax, offset _PopFxDeviceListLock
		mov	[ebp+var_FC], edi
		test	eax, 7FFFFFFCh
		jz	loc_648C79
		mov	esi, large fs:124h
		mov	ecx, eax
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_100], esi
		mov	[ebp+var_F0], eax
		cmp	eax, offset _PopFxDeviceListLock
		ja	short loc_648B11
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_648AFE
		mov	eax, [ebp+var_F0]
		cmp	eax, offset _PopFxDeviceListLock
		ja	short loc_648B11
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_648B11

loc_648AFE:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+1BDj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_DC], edx

loc_648B11:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+1B2j
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+1CAj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _PopFxDeviceListLock
		mov	[ebp+var_F1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_F0], ecx
		test	ecx, ecx
		jnz	short loc_648B6F
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_648BE1
		push	ecx
		push	[ebp+var_DC]
		push	offset _PopFxDeviceListLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_648B6A:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+140j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_648B6F:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+21Aj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_648B88
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_F0]

loc_648B88:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+252j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_FC], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	[ebp+var_F1], 1
		jnz	short loc_648BD2
		or	[esi+1E4h], dl
		jmp	short loc_648BE1
; 

loc_648BD2:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+29Fj
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_100]

loc_648BE1:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+224j
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+2A7j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_F0], eax
		jz	short loc_648C53
		test	edi, 8000h
		jz	short loc_648C08
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_648C08:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+2D4j
		test	byte ptr [ebp+var_FC+2], 1
		jz	short loc_648C21
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_648C21:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+2E6j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_648C35
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_648C35:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+2FFj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_648C53
		push	[ebp+var_F0]
		mov	edx, offset _PopFxDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_648C53:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+2CCj
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+316j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_648C79
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_648C79
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_648C79:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+18Aj
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+341j ...
		mov	ecx, [ebp+var_F8]
		mov	eax, [ecx]
		mov	[ebp+var_DC], eax
		cmp	eax, ecx
		jz	loc_6490B4

loc_648C8F:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+76Cj
		mov	edi, [eax-238h]
		lea	eax, [ebp+var_118]
		push	4
		pop	ecx
		push	eax
		lea	eax, [ebp+var_11C]
		mov	[ebp+var_108], edi
		push	eax
		lea	eax, [ebp+var_10C]
		push	eax
		push	ecx
		push	0
		push	0
		push	offset _DEVPKEY_PciDevice_DeviceType
		push	dword ptr [edi+10h]
		call	IoGetDevicePropertyData
		mov	[ebp+var_D4], eax
		test	eax, eax
		js	short loc_648CDA
		push	8
		pop	eax
		cmp	[ebp+var_10C], eax
		jz	short loc_648D48

loc_648CDA:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+3A4j
		lea	eax, [ebp+var_110]
		push	eax
		lea	eax, [ebp+var_114]
		push	eax
		lea	eax, [ebp+var_D0]
		push	eax
		push	10h
		push	0
		push	0
		push	offset _DEVPKEY_Device_ClassGuid
		push	dword ptr [edi+10h]
		call	IoGetDevicePropertyData
		mov	[ebp+var_D4], eax
		test	eax, eax
		js	loc_649069
		cmp	[ebp+var_110], 0Dh
		jnz	loc_649069
		cmp	[ebp+var_114], 10h
		jnz	loc_649069
		push	10h		; size_t
		lea	eax, [ebp+var_D0]
		push	eax		; void *
		push	offset _GUID_DEVICE_CLASS_USB_CONTROLLER ; void	*
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_649069

loc_648D48:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+3AFj
		xor	eax, eax
		mov	esi, edi
		mov	[ebp+var_D8], eax
		mov	eax, [edi+4]
		jmp	short loc_648D5C
; 

loc_648D57:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+435j
		mov	esi, eax
		mov	eax, [esi+4]

loc_648D5C:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+42Cj
		test	eax, eax
		jnz	short loc_648D57
		cmp	esi, edi
		jz	loc_649079

loc_648D68:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+4D5j
		cmp	dword ptr [esi+58h], 1
		jnz	short loc_648DE8
		push	0FFFFFFDFh
		lea	eax, [esi+0A8h]
		pop	ecx
		lock and [eax],	ecx
		push	0
		lea	eax, [esi+14h]
		push	eax
		lea	eax, [ebp+var_130]
		push	eax
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_648DA6
		push	0
		lea	eax, [esi+14h]
		push	eax
		lea	eax, [ebp+var_138]
		push	eax
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_648DE8

loc_648DA6:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+465j
		mov	eax, esi
		cmp	esi, edi
		jz	short loc_648DB9

loc_648DAC:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+48Ej
		cmp	dword ptr [eax+58h], 1
		jnz	short loc_648DE8
		mov	eax, [eax+8]
		cmp	eax, edi
		jnz	short loc_648DAC

loc_648DB9:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+481j
		push	20h
		pop	ecx
		lea	eax, [esi+0A8h]
		lock or	[eax], ecx
		mov	ecx, [ebp+var_D8]
		lea	eax, [ebp+var_D8]
		xor	edx, edx
		push	eax
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	[ebp+var_D4], eax
		test	eax, eax
		js	loc_6490A9

loc_648DE8:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+443j
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+47Bj ...
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_648DF9

loc_648DEE:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+4CCj
		mov	esi, eax
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_648DEE
		jmp	short loc_648DFC
; 

loc_648DF9:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+4C3j
		mov	esi, [esi+8]

loc_648DFC:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+4CEj
		cmp	esi, edi
		jnz	loc_648D68
		mov	eax, [ebp+var_D8]
		test	eax, eax
		jz	loc_649079
		push	4
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_104]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		mov	[ebp+var_D4], esi
		test	esi, esi
		js	loc_6490A9
		push	4D584650h
		push	[ebp+var_104]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_F0], eax
		test	eax, eax
		jz	loc_64909A
		push	[ebp+var_104]	; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [edi+4]
		add	esp, 0Ch
		xor	esi, esi
		mov	edx, edi
		mov	[ebp+var_100], esi
		jmp	short loc_648E79
; 

loc_648E74:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+552j
		mov	edx, eax
		mov	eax, [edx+4]

loc_648E79:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+549j
		test	eax, eax
		jnz	short loc_648E74
		jmp	short loc_648EE7
; 

loc_648E7F:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+5C0j
		lea	eax, [edx+0A8h]
		xor	esi, esi
		mov	[ebp+var_FC], eax
		mov	edi, eax
		mov	eax, [edi]

loc_648E91:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+570j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edi], ecx
		jnz	short loc_648E91
		mov	edi, [ebp+var_108]
		mov	esi, [ebp+var_100]
		test	al, 20h
		jz	short loc_648ED3
		cmp	esi, [ebp+var_D8]
		jnb	loc_648FC5
		mov	eax, [ebp+var_FC]
		push	0FFFFFFDFh
		pop	ecx
		lock and [eax],	ecx
		mov	eax, [ebp+var_F0]
		mov	[eax+esi*4], edx
		inc	esi
		mov	[ebp+var_100], esi

loc_648ED3:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+580j
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_648EE4

loc_648ED9:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+5B7j
		mov	edx, eax
		mov	eax, [edx+4]
		test	eax, eax
		jnz	short loc_648ED9
		jmp	short loc_648EE7
; 

loc_648EE4:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+5AEj
		mov	edx, [edx+8]

loc_648EE7:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+554j
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+5B9j
		cmp	edx, edi
		jnz	short loc_648E7F
		xor	edi, edi

loc_648EED:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+6A5j
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+6BDj ...
		cmp	esi, [ebp+var_D8]
		jz	loc_648FAE
		cmp	ds:dword_6B23F8, 5
		jbe	loc_648FAE
		push	4000h
		push	edi
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_648FAE
		push	4
		pop	ecx
		lea	eax, [ebp+var_124]
		mov	[ebp+var_124], esi
		mov	[ebp+var_A0], eax
		mov	eax, [ebp+var_D8]
		mov	[ebp+var_128], eax
		lea	eax, [ebp+var_128]
		push	8
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_148]
		mov	[ebp+var_80], eax
		pop	eax
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_C0]
		push	eax
		push	5
		push	edi
		push	edi
		push	offset loc_41D754
		push	offset dword_6B23F8
		mov	[ebp+var_9C], edi
		mov	[ebp+var_98], ecx
		mov	[ebp+var_94], edi
		mov	[ebp+var_8C], edi
		mov	[ebp+var_88], ecx
		mov	[ebp+var_84], edi
		mov	[ebp+var_148], 1000000h
		mov	[ebp+var_144], edi
		mov	[ebp+var_7C], edi
		mov	[ebp+var_74], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_648FAE:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+5CAj
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+5D7j ...
		mov	eax, [ebp+var_DC]
		mov	ecx, [ebp+var_F0]
		mov	[eax+0Ch], ecx
		mov	[eax+10h], esi
		jmp	loc_64907F
; 

loc_648FC5:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+588j
		xor	edi, edi
		cmp	ds:dword_6B23F8, 5
		jbe	loc_648EED
		push	4000h
		push	edi
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_648EED
		lea	eax, [esi+1]
		mov	[ebp+var_4C], edi
		mov	[ebp+var_108], eax
		lea	eax, [ebp+var_108]
		push	4
		mov	[ebp+var_50], eax
		mov	eax, [ebp+var_D8]
		pop	ecx
		mov	[ebp+var_120], eax
		lea	eax, [ebp+var_120]
		push	8
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_140]
		mov	[ebp+var_30], eax
		pop	eax
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_70]
		push	eax
		push	5
		push	edi
		push	edi
		push	offset loc_41D7B3
		push	offset dword_6B23F8
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], edi
		mov	[ebp+var_140], 1000000h
		mov	[ebp+var_13C], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_648EED
; 

loc_649069:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+3E1j
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+3EEj ...
		mov	eax, [ebp+var_DC]
		xor	esi, esi
		mov	[ebp+var_D4], esi
		jmp	short loc_649085
; 

loc_649079:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+439j
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+4E3j
		mov	eax, [ebp+var_DC]

loc_64907F:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+697j
		mov	esi, [ebp+var_D4]

loc_649085:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+74Ej
		mov	eax, [eax]
		mov	[ebp+var_DC], eax
		cmp	eax, [ebp+var_F8]
		jz	short loc_6490A5
		jmp	loc_648C8F
; 

loc_64909A:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+525j
		mov	esi, 0C000009Ah
		mov	[ebp+var_D4], esi

loc_6490A5:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+76Aj
		test	esi, esi
		jns	short loc_6490B4

loc_6490A9:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+4B9j
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+505j
		mov	ecx, [ebp+var_F8]
		call	_PopFxDestroyDripsBlockingDeviceList@4 ; PopFxDestroyDripsBlockingDeviceList(x)

loc_6490B4:				; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+360j
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+77Ej
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_D4]
		xor	ecx, ebp
		pop	edi
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_PopFxBuildDripsBlockingDeviceList@12 endp ; sp	=  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxClearDeviceConstraints(x)
_PopFxClearDeviceConstraints@4 proc near ; CODE	XREF: PopPowerInformationInternal+171B6Cp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_PpmGetDeepSleepPlatformStateIndex@0 ; PpmGetDeepSleepPlatformStateIndex()
		or	ebx, 0FFFFFFFFh
		cmp	eax, ebx
		jnz	short loc_6490F2

loc_6490E8:				; CODE XREF: PopFxClearDeviceConstraints(x)+44j
		mov	edi, 0C0000001h
		jmp	loc_6492CC
; 

loc_6490F2:				; CODE XREF: PopFxClearDeviceConstraints(x)+17j
		test	esi, esi
		jnz	short loc_649100
		mov	edi, 0C000000Dh
		jmp	loc_6492CC
; 

loc_649100:				; CODE XREF: PopFxClearDeviceConstraints(x)+25j
		mov	eax, [esi+24h]
		xor	edi, edi
		test	eax, eax
		jz	short loc_649115
		mov	eax, [eax+10h]
		and	eax, 8000000h
		or	eax, edi
		jz	short loc_6490E8

loc_649115:				; CODE XREF: PopFxClearDeviceConstraints(x)+38j
		call	PopFxAddRefDevice
		lea	edx, [esi+238h]
		xor	ecx, ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	al, 10h
		jnz	short loc_649136

loc_64912C:				; CODE XREF: PopFxClearDeviceConstraints(x)+6Aj
		mov	edi, 0C0000001h
		jmp	loc_649299
; 

loc_649136:				; CODE XREF: PopFxClearDeviceConstraints(x)+5Bj
		cmp	[esi+20h], edi
		jz	short loc_64912C
		mov	eax, [esi+1Ch]
		xor	dl, dl
		push	edi
		mov	eax, [eax+10h]
		mov	ecx, eax
		mov	[ebp+var_14], eax
		call	PopFxActivateDevice
		mov	ecx, [esi+20h]
		call	_PopPepClearDripsDeviceVetoMask@4 ; PopPepClearDripsDeviceVetoMask(x)
		mov	edi, eax
		mov	[ebp+var_10], edi
		test	edi, edi
		js	loc_649291
		xor	ecx, ecx
		mov	edx, offset _PopFxDeviceAccountingLevel
		xor	eax, eax
		lock cmpxchg [edx], ecx
		mov	[ebp+var_C], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [esi+160h]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+var_C]
		lea	eax, [esi+160h]
		push	0C0h		; size_t
		mov	[eax+0Ch], ecx
		lea	ecx, [eax+18h]
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+160h]
		xor	ecx, ecx
		mov	dword ptr [eax+8], 5
		mov	[eax+4], cl
		mov	[eax+10h], ecx
		push	0FFFFFFEFh
		mov	[eax+14h], ecx
		lea	ecx, [esi+238h]
		pop	edx
		lock and [ecx],	edx
		test	ds:byte_70EFC6,	1
		jz	short loc_6491DF
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6491E4
; 

loc_6491DF:				; CODE XREF: PopFxClearDeviceConstraints(x)+102j
		xor	ecx, ecx
		lock and [eax],	ecx

loc_6491E4:				; CODE XREF: PopFxClearDeviceConstraints(x)+10Ej
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	[ebp+var_8], 0
		cmp	dword ptr [esi+23Ch], 0
		jbe	loc_649291
		mov	edi, [ebp+var_8]

loc_649201:				; CODE XREF: PopFxClearDeviceConstraints(x)+1B9j
		mov	eax, [esi+240h]
		mov	eax, [eax+edi*4]
		add	eax, 90h
		mov	[ebp+var_8], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		push	0C0h		; size_t
		push	0		; int
		mov	[eax+0Ch], ecx
		lea	ecx, [eax+18h]
		push	ecx		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		add	esp, 0Ch
		mov	edx, 0FFFFFEFFh
		mov	[eax+4], cl
		mov	[eax+10h], ecx
		mov	[eax+14h], ecx
		lea	ecx, [esi+238h]
		mov	[eax+8], ebx
		lock and [ecx],	edx
		test	ds:byte_70EFC6,	1
		jz	short loc_649273
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_649278
; 

loc_649273:				; CODE XREF: PopFxClearDeviceConstraints(x)+196j
		xor	ecx, ecx
		lock and [eax],	ecx

loc_649278:				; CODE XREF: PopFxClearDeviceConstraints(x)+1A2j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	edi
		cmp	edi, [esi+23Ch]
		jb	loc_649201
		mov	edi, [ebp+var_10]

loc_649291:				; CODE XREF: PopFxClearDeviceConstraints(x)+8Ej
					; PopFxClearDeviceConstraints(x)+129j
		mov	ecx, [ebp+var_14]
		call	PoFxIdleDevice

loc_649299:				; CODE XREF: PopFxClearDeviceConstraints(x)+62j
		lock xadd [esi+80h], ebx
		dec	ebx
		jnz	short loc_6492B6
		xor	ebx, ebx
		lea	eax, [esi+84h]
		push	ebx
		push	ebx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_6492B8
; 

loc_6492B6:				; CODE XREF: PopFxClearDeviceConstraints(x)+1D3j
		xor	ebx, ebx

loc_6492B8:				; CODE XREF: PopFxClearDeviceConstraints(x)+1E5j
		test	edi, edi
		jnz	short loc_6492CC
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _WNF_PO_DRIPS_DEVICE_CONSTRAINTS_UPDATED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_6492CC:				; CODE XREF: PopFxClearDeviceConstraints(x)+1Ej
					; PopFxClearDeviceConstraints(x)+2Cj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopFxClearDeviceConstraints@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxClearDirectedDripsCandidateDeviceList()
_PopFxClearDirectedDripsCandidateDeviceList@0 proc near
					; CODE XREF: PopDirectedDripsEngage(x,x)+7p
					; PopDirectedDripsResumeDevices(x,x)+62p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		sub	esp, 18h
		dec	word ptr [eax+13Ch]
		push	esi
		push	edi
		nop
		xor	edx, edx
		mov	ecx, offset _PopFxBlockingDeviceListLock
		call	ExAcquirePushLockExclusiveEx
		mov	esi, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, ds:_PopFxDeviceList
		mov	edi, offset _PopFxDeviceList
		jmp	short loc_649320
; 

loc_649312:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+4Fj
		push	0FFFFFFBFh
		pop	edx
		lea	eax, [ecx+238h]
		lock and [eax],	edx
		mov	ecx, [ecx]

loc_649320:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+3Dj
		cmp	ecx, edi
		jnz	short loc_649312
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_10], ecx
		mov	eax, ecx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_649340
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh

loc_649340:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+61j
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	esi, 7FFFFFFCh
		jz	loc_6494DD
		mov	esi, large fs:124h
		mov	eax, offset _PopFxDeviceListLock
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_18], esi
		cmp	edx, offset _PopFxDeviceListLock
		ja	short loc_64939B
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_64938B
		cmp	edx, offset _PopFxDeviceListLock
		ja	short loc_64939B
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_64939B

loc_64938B:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+A5j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_8], eax
		jmp	short loc_6493A0
; 

loc_64939B:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+9Cj
					; PopFxClearDirectedDripsCandidateDeviceList()+ADj ...
		mov	eax, ecx
		mov	[ebp+var_8], ecx

loc_6493A0:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+C6j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	edx, offset _PopFxDeviceListLock
		mov	[ebp+var_1], cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jnz	short loc_6493F0
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_649462
		push	ecx
		push	[ebp+var_8]
		push	offset _PopFxDeviceListLock

loc_6493E5:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+2CAj
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6493F0:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+F9j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_649406
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_14]

loc_649406:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+129j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	short loc_649450
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_649462
; 

loc_649450:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+169j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_18]

loc_649462:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+103j
					; PopFxClearDirectedDripsCandidateDeviceList()+17Bj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_18], eax
		jz	short loc_6494C5
		test	edi, 8000h
		jz	short loc_649486
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_649486:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+1A8j
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_649496
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_649496:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+1B7j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_6494AA
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_6494AA:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+1CAj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_6494C5
		push	[ebp+var_18]
		mov	edx, offset _PopFxDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_6494C5:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+1A0j
					; PopFxClearDirectedDripsCandidateDeviceList()+1E1j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_6494DD
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_6494DD
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_6494DD:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+78j
					; PopFxClearDirectedDripsCandidateDeviceList()+1FBj ...
		or	ecx, 0FFFFFFFFh
		mov	edx, offset _PopFxBlockingDeviceListLock
		mov	eax, ecx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_649500
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh
		mov	edx, offset _PopFxBlockingDeviceListLock

loc_649500:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+21Cj
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	edx, 7FFFFFFCh
		jz	loc_64968F
		mov	esi, large fs:124h
		mov	eax, edx
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_14], esi
		cmp	edx, offset _PopFxBlockingDeviceListLock
		ja	short loc_649558
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_649548
		cmp	edx, offset _PopFxBlockingDeviceListLock
		ja	short loc_649558
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_649558

loc_649548:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+262j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_10], eax

loc_649558:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+259j
					; PopFxClearDirectedDripsCandidateDeviceList()+26Aj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	edx, offset _PopFxBlockingDeviceListLock
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jnz	short loc_6495A2
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_649614
		push	ecx
		push	[ebp+var_10]
		push	offset _PopFxBlockingDeviceListLock
		jmp	loc_6493E5
; 

loc_6495A2:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+2B1j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_6495B8
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_18]

loc_6495B8:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+2DBj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	short loc_649602
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_649614
; 

loc_649602:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+31Bj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_14]

loc_649614:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+2BBj
					; PopFxClearDirectedDripsCandidateDeviceList()+32Dj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_18], eax
		jz	short loc_649677
		test	edi, 8000h
		jz	short loc_649638
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_649638:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+35Aj
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_649648
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_649648:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+369j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_64965C
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_64965C:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+37Cj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_649677
		push	[ebp+var_18]
		mov	edx, offset _PopFxBlockingDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_649677:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+352j
					; PopFxClearDirectedDripsCandidateDeviceList()+393j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_64968F
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_64968F
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_64968F:				; CODE XREF: PopFxClearDirectedDripsCandidateDeviceList()+238j
					; PopFxClearDirectedDripsCandidateDeviceList()+3ADj ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		leave
		retn
_PopFxClearDirectedDripsCandidateDeviceList@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxCompleteComponentPerfState(x, x, x, x)
_PopFxCompleteComponentPerfState@16 proc near ;	CODE XREF: PopFxProcessWork+F0A39p
					; PopFxCompleteDirectedPowerTransition(x,x)+19Bp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		lea	ebx, [edi+18h]
		lock xadd [ebx], esi
		dec	esi
		mov	eax, [edi+34h]
		and	[ebp+arg_0], 0
		cmp	dword ptr [edi+20h], 0
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], eax
		jbe	short loc_649712
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx

loc_6496D6:				; CODE XREF: PopFxCompleteComponentPerfState(x,x,x,x)+6Bj
		mov	eax, [edi+1Ch]
		mov	edx, [ebx+eax]
		lea	ebx, [ebx+10h]
		mov	eax, [edi+28h]
		shl	edx, 5
		add	edx, [edi+58h]
		inc	esi
		mov	[edx+10h], eax
		mov	eax, [edi+2Ch]
		mov	[edx+14h], eax
		mov	byte ptr [edx+18h], 0
		mov	ecx, [edi+1Ch]
		mov	eax, [ebx+ecx-8]
		mov	[edx+8], eax
		mov	eax, [ebx+ecx-4]
		mov	[edx+0Ch], eax
		cmp	esi, [edi+20h]
		jb	short loc_6496D6
		mov	esi, [ebp+var_C]
		lea	ebx, [edi+18h]

loc_649712:				; CODE XREF: PopFxCompleteComponentPerfState(x,x,x,x)+30j
		mov	edx, esi
		mov	ecx, edi
		and	edx, 7
		call	_PopDiagTraceFxPerfRequestProgress@8 ; PopDiagTraceFxPerfRequestProgress(x,x)
		test	esi, esi
		js	short loc_649746
		or	esi, 0FFFFFFFFh
		lock xadd [ebx], esi
		dec	esi
		test	esi, 8000000h
		jnz	short loc_649746
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_4]
		push	0
		push	1
		mov	ecx, [ecx+1Ch]
		push	0Fh
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)

loc_649746:				; CODE XREF: PopFxCompleteComponentPerfState(x,x,x,x)+81j
					; PopFxCompleteComponentPerfState(x,x,x,x)+91j
		push	[ebp+var_10]
		mov	eax, [ebp+var_8]
		push	[ebp+arg_4]
		push	[ebp+var_4]
		push	dword ptr [eax+64h]
		call	dword ptr [edi+14h]
		test	esi, esi
		jns	short loc_64976C
		lock dec dword ptr [ebx]
		push	0
		push	0
		lea	eax, [edi+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_64976C:				; CODE XREF: PopFxCompleteComponentPerfState(x,x,x,x)+BBj
		mov	dl, byte ptr [ebp+arg_4]
		mov	ecx, edi
		call	_PopDiagTraceFxPerfRequestComplete@8 ; PopDiagTraceFxPerfRequestComplete(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PopFxCompleteComponentPerfState@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxCompleteDirectedPowerTransition(x, x)
_PopFxCompleteDirectedPowerTransition@8	proc near
					; CODE XREF: PopFxDerefAndCompleteDirectedPowerTransition(x,x)+37p
					; PopFxHandleDirectedPowerTransition(x)+82j

var_C		= dword	ptr -0Ch
var_6		= byte ptr -6
var_5		= byte ptr -5
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	edx, edx
		lea	ecx, [edi+10h]
		mov	eax, [ecx]

loc_649796:				; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+21j
		mov	esi, eax
		or	esi, edx
		lock cmpxchg [ecx], esi
		jnz	short loc_649796
		test	eax, 2000h
		jz	loc_6498BF
		xor	esi, esi
		lea	edx, [edi+2F4h]
		mov	eax, [edx]

loc_6497B5:				; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+40j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_6497B5
		test	eax, eax
		jnz	loc_6498BF
		lea	ecx, [edi+288h]
		call	PopFxDisableWorkOrderWatchdog
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+2F0h]
		mov	[esp+18h+var_5], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [edi+1Ch]
		xor	edx, edx
		push	esi
		push	1
		push	18h
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		mov	eax, 0FFFFDFFFh
		lea	edx, [edi+10h]
		lock and [edx],	eax
		mov	eax, [edx]

loc_649803:				; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+8Ej
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_649803
		shr	eax, 0Ch
		and	eax, 1
		cmp	al, bl
		jnz	loc_6498BF
		mov	eax, [edi+2F8h]
		and	[edi+2F8h], esi
		mov	esi, [edi+2FCh]
		and	dword ptr [edi+2FCh], 0
		and	dword ptr [edi+300h], 0FFFFFFFDh
		test	ds:byte_70EFC6,	1
		mov	[esp+18h+var_4], eax
		jz	short loc_649858
		mov	edx, [ebp+4]
		lea	ecx, [edi+2F0h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_649863
; 

loc_649858:				; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+C9j
		xor	ecx, ecx
		lea	eax, [edi+2F0h]
		lock and [eax],	ecx

loc_649863:				; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+D9j
		mov	cl, [esp+18h+var_5]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [edi+1Ch]
		mov	dl, bl
		call	_PopDiagTraceFxDeviceDirectedCompletion@8 ; PopDiagTraceFxDeviceDirectedCompletion(x,x)
		cmp	ds:byte_6C3840,	0
		jnz	short loc_64988C
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_PopFxEnforceDirectedPowerTransition@12	; PopFxEnforceDirectedPowerTransition(x,x,x)
		jmp	short loc_64988E
; 

loc_64988C:				; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+101j
		xor	esi, esi

loc_64988E:				; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+10Dj
		mov	edx, [esp+18h+var_4]
		mov	ecx, edi
		push	esi
		call	_PopCompleteDirectedPowerTransitionCallback@12 ; PopCompleteDirectedPowerTransitionCallback(x,x,x)
		or	eax, 0FFFFFFFFh
		lock xadd [edi+80h], eax
		dec	eax
		jnz	short loc_6498B8
		push	0
		push	0
		lea	eax, [edi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_6498B8:				; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+129j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_6498BF:				; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+28j
					; PopFxCompleteDirectedPowerTransition(x,x)+44j ...
		push	0
		push	edi
		push	2
		pop	edx
		mov	ecx, 910h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall PopFxComponentPerfWork(x)
_PopFxComponentPerfWork@4:		; DATA XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+3D0o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		or	esi, 0FFFFFFFFh
		mov	ebx, [edi]
		lea	edx, [edi+18h]
		mov	[ebp+var_C], ebx
		mov	eax, [ebx+10h]
		mov	[ebp+var_4], eax
		mov	eax, [ebx+30h]
		mov	ebx, [ebp+var_4]
		mov	[ebp-8], eax

loc_6498F8:				; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+1ACj
		xor	edi, edi
		mov	eax, [edx]

loc_6498FC:				; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+187j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_6498FC
		mov	edi, [ebp+arg_0]
		mov	edx, ebx
		mov	ecx, [ebp-8]
		shr	eax, 1Eh
		and	al, 1
		movzx	eax, al
		push	eax
		push	edi
		call	_PopFxCompleteComponentPerfState@16 ; PopFxCompleteComponentPerfState(x,x,x,x)
		mov	eax, esi
		lea	ecx, [edi+48h]
		lock xadd [ecx], eax
		lea	edx, [edi+18h]
		jnz	short loc_6498F8
		mov	ebx, [ebp+var_C]
		mov	eax, [ebx+30h]
		lock xadd [eax+80h], esi
		dec	esi
		pop	edi
		pop	esi
		pop	ebx
		jnz	short locret_64994E
		push	0
		push	0
		add	eax, 84h
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

locret_64994E:				; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+1C0j
		leave
		retn	4
_PopFxCompleteDirectedPowerTransition@8	endp


;  S U B	R O U T	I N E 


; __stdcall PopFxDerefAndCompleteDirectedPowerTransition(x, x)
_PopFxDerefAndCompleteDirectedPowerTransition@8	proc near
					; CODE XREF: PoFxReportDevicePoweredOn+14Ap
					; sub_5E2028+70p ...
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		xor	eax, eax
		push	esi
		push	edi
		xor	edi, edi
		lea	esi, [ebx+238h]
		lock cmpxchg [esi], edi
		test	al, 20h
		jnz	short loc_64997B
		push	0
		xor	edx, edx
		push	ebx
		inc	edx

loc_649971:				; CODE XREF: PopFxDerefAndCompleteDirectedPowerTransition(x,x)+46j
		mov	ecx, 910h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_64997B:				; CODE XREF: PopFxDerefAndCompleteDirectedPowerTransition(x,x)+17j
		or	esi, 0FFFFFFFFh
		lock xadd [ebx+2F4h], esi
		dec	esi
		jnz	short loc_64998E
		call	_PopFxCompleteDirectedPowerTransition@8	; PopFxCompleteDirectedPowerTransition(x,x)

loc_64998E:				; CODE XREF: PopFxDerefAndCompleteDirectedPowerTransition(x,x)+35j
		test	esi, esi
		jns	short loc_64999A
		push	0
		push	ebx
		push	2
		pop	edx
		jmp	short loc_649971
; 

loc_64999A:				; CODE XREF: PopFxDerefAndCompleteDirectedPowerTransition(x,x)+3Ej
		pop	edi
		pop	esi
		pop	ebx
		retn
_PopFxDerefAndCompleteDirectedPowerTransition@8	endp ; sp = -8


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxDestroyDeviceDpm(x, x)
_PopFxDestroyDeviceDpm@8 proc near	; CODE XREF: PoFxUnregisterDevice(x)+25p
					; PopFxUnregisterDevice(x)+EAj

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, 78466F50h
		push	edi
		mov	edi, ecx
		mov	ecx, [esi+38h]
		test	ecx, ecx
		jz	short loc_6499BE
		mov	edx, ebx
		call	ObfDereferenceObjectWithTag

loc_6499BE:				; CODE XREF: PopFxDestroyDeviceDpm(x,x)+17j
		mov	ecx, [esi+34h]
		test	ecx, ecx
		jz	short loc_6499CC
		mov	edx, ebx
		call	ObfDereferenceObjectWithTag

loc_6499CC:				; CODE XREF: PopFxDestroyDeviceDpm(x,x)+25j
		test	edi, edi
		jz	short loc_6499DA
		mov	ecx, [edi+10h]
		mov	edx, ebx
		call	ObfDereferenceObjectWithTag

loc_6499DA:				; CODE XREF: PopFxDestroyDeviceDpm(x,x)+30j
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_6499E7
		push	eax
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_6499E7:				; CODE XREF: PopFxDestroyDeviceDpm(x,x)+41j
		mov	eax, [esi+30Ch]
		test	eax, eax
		jz	short loc_6499FC
		push	4D584650h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6499FC:				; CODE XREF: PopFxDestroyDeviceDpm(x,x)+51j
		mov	eax, [esi+240h]
		xor	ecx, ecx
		test	eax, eax
		jz	short loc_649A5F
		mov	ebx, ecx
		cmp	[esi+23Ch], ecx
		jbe	short loc_649A4C

loc_649A12:				; CODE XREF: PopFxDestroyDeviceDpm(x,x)+A6j
		mov	eax, [esi+240h]
		mov	eax, [eax+ebx*4]
		mov	[ebp+var_4], eax
		mov	eax, [eax+168h]
		test	eax, eax
		jz	short loc_649A3D
		push	4D584650h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		and	dword ptr [eax+168h], 0

loc_649A3D:				; CODE XREF: PopFxDestroyDeviceDpm(x,x)+88j
		inc	ebx
		cmp	ebx, [esi+23Ch]
		jb	short loc_649A12
		mov	eax, [esi+240h]

loc_649A4C:				; CODE XREF: PopFxDestroyDeviceDpm(x,x)+72j
		push	4D584650h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx
		mov	[esi+240h], ecx

loc_649A5F:				; CODE XREF: PopFxDestroyDeviceDpm(x,x)+68j
		mov	[esi+20h], ecx
		mov	[esi+24h], ecx
		mov	[esi+28h], ecx
		test	edi, edi
		jz	short loc_649A78
		push	0FFFFFFBFh
		pop	ecx
		lea	eax, [edi+0A8h]
		lock and [eax],	ecx

loc_649A78:				; CODE XREF: PopFxDestroyDeviceDpm(x,x)+CCj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_PopFxDestroyDeviceCommon@8 ; PopFxDestroyDeviceCommon(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopFxDestroyDeviceDpm@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxDestroyDirectedDripsCandidateDeviceList(x)
_PopFxDestroyDirectedDripsCandidateDeviceList@4	proc near
					; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+1B1p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx

loc_649A90:				; CODE XREF: PopFxDestroyDirectedDripsCandidateDeviceList(x)+31j
					; PopFxDestroyDirectedDripsCandidateDeviceList(x)+43j
		mov	edx, [esi]
		cmp	edx, esi
		jz	short loc_649AD1
		mov	eax, [edx]
		cmp	[edx+4], esi
		jnz	short loc_649ACC
		cmp	[eax+4], edx
		jnz	short loc_649ACC
		mov	[esi], eax
		mov	[eax+4], esi
		or	eax, 0FFFFFFFFh
		mov	[edx+4], edx
		mov	[edx], edx
		lock xadd [edx-1D4h], eax
		dec	eax
		jnz	short loc_649A90
		push	0
		push	0
		lea	eax, [edx-1D0h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_649A90
; 

loc_649ACC:				; CODE XREF: PopFxDestroyDirectedDripsCandidateDeviceList(x)+14j
					; PopFxDestroyDirectedDripsCandidateDeviceList(x)+19j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_649AD1:				; CODE XREF: PopFxDestroyDirectedDripsCandidateDeviceList(x)+Dj
		xor	edx, edx
		mov	ecx, offset _PopFxBlockingDeviceListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi
		leave
		retn
_PopFxDestroyDirectedDripsCandidateDeviceList@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxDeviceWork(x)
_PopFxDeviceWork@4 proc	near		; DATA XREF: PopFxCreateDeviceCommon(x,x,x,x,x)+AAo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		or	edi, 0FFFFFFFFh
		lea	ebx, [esi+0C8h]

loc_649B00:				; CODE XREF: PopFxDeviceWork(x)+5Cj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, ebx
		mov	byte ptr [ebp+arg_0+3],	al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	edx, edx
		mov	ecx, esi
		call	_PopFxDeliverDevicePowerRequired@8 ; PopFxDeliverDevicePowerRequired(x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_649B2E
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_649B33
; 

loc_649B2E:				; CODE XREF: PopFxDeviceWork(x)+34j
		xor	eax, eax
		lock and [ebx],	eax

loc_649B33:				; CODE XREF: PopFxDeviceWork(x)+40j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		lea	ecx, [esi+0BCh]
		lock xadd [ecx], eax
		jnz	short loc_649B00
		lock xadd [esi+80h], edi
		dec	edi
		jnz	short loc_649B65
		push	0
		push	0
		lea	eax, [esi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_649B65:				; CODE XREF: PopFxDeviceWork(x)+67j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PopFxDeviceWork@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxDirectedPowerTransitionWorker(x)
_PopFxDirectedPowerTransitionWorker@4 proc near
					; DATA XREF: PopFxCreateDeviceCommon(x,x,x,x,x)+CEo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		or	esi, 0FFFFFFFFh
		lea	ebx, [edi+27Ch]

loc_649B80:				; CODE XREF: PopFxDirectedPowerTransitionWorker(x)+21j
		mov	ecx, edi
		call	_PopFxHandleDirectedPowerTransition@4 ;	PopFxHandleDirectedPowerTransition(x)
		mov	eax, esi
		lock xadd [ebx], eax
		jnz	short loc_649B80
		lock xadd [edi+80h], esi
		dec	esi
		jnz	short loc_649BAA
		push	0
		push	0
		lea	eax, [edi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_649BAA:				; CODE XREF: PopFxDirectedPowerTransitionWorker(x)+2Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PopFxDirectedPowerTransitionWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxDirectedWorkOrderWatchdog(x, x, x, x)
_PopFxDirectedWorkOrderWatchdog@16 proc	near
					; DATA XREF: PopFxCreateDeviceCommon(x,x,x,x,x)+E6o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	0
		add	eax, 0FFFFFD78h
		push	eax
		push	dword ptr [eax+34h]
		push	5
		push	9Fh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_PopFxDirectedWorkOrderWatchdog@16 endp


;  S U B	R O U T	I N E 


; __stdcall PopFxEnablePlatformStates(x)
_PopFxEnablePlatformStates@4 proc near	; CODE XREF: PpmInstallCoordinatedIdleStates(x)+554p
					; PpmInstallPlatformIdleStates(x)+5B8p
		test	ecx, ecx
		jz	short locret_649C00
		push	esi
		call	_PopPepPlatformStateRegistered@4 ; PopPepPlatformStateRegistered(x)
		call	_PpmGetDeepSleepPlatformStateIndex@0 ; PpmGetDeepSleepPlatformStateIndex()
		mov	esi, eax
		cmp	esi, 0FFFFFFFFh
		jz	short loc_649BFF
		mov	ecx, esi
		mov	eax, offset dword_6D4640
		xchg	ecx, [eax]
		mov	ecx, esi
		call	_PopFxSetDeviceAccountingCsPlatformState@4 ; PopFxSetDeviceAccountingCsPlatformState(x)
		mov	ecx, esi
		pop	esi
		jmp	_PopFxInitializeSocSubsystemStaticInfo@8 ; PopFxInitializeSocSubsystemStaticInfo(x,x)
; 

loc_649BFF:				; CODE XREF: PopFxEnablePlatformStates(x)+14j
		pop	esi

locret_649C00:				; CODE XREF: PopFxEnablePlatformStates(x)+2j
		retn
_PopFxEnablePlatformStates@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxEndDeviceIRPhaseAccounting(x, x)
_PopFxEndDeviceIRPhaseAccounting@8 proc	near
					; CODE XREF: PopPdcIdleResiliencyCallback(x,x)+B1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopCsResiliencyStatsLock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:dword_6C23D0
		or	ecx, ds:dword_6C23D4
		jz	short loc_649C35
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PopFxAccumulateDeviceIRPhaseAccounting@8 ; PopFxAccumulateDeviceIRPhaseAccounting(x,x)

loc_649C35:				; CODE XREF: PopFxEndDeviceIRPhaseAccounting(x,x)+27j
		test	ds:byte_70EFC6,	1
		mov	ds:byte_6C23D8,	0
		jz	short loc_649C51
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_649C56
; 

loc_649C51:				; CODE XREF: PopFxEndDeviceIRPhaseAccounting(x,x)+42j
		xor	eax, eax
		lock and [esi],	eax

loc_649C56:				; CODE XREF: PopFxEndDeviceIRPhaseAccounting(x,x)+4Ej
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_PopFxEndDeviceIRPhaseAccounting@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopFxFindAndReferenceAcpiDevice(x)
_PopFxFindAndReferenceAcpiDevice@4 proc	near
					; CODE XREF: PopFxAcpiForwardPepAcpiNotifyRequest(x,x)+Fp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, ecx
		mov	esi, 0C000000Eh
		nop
		mov	ebx, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	eax, ds:_PopFxAcpiDeviceList
		mov	edx, offset _PopFxAcpiDeviceList
		jmp	short loc_649C9F
; 

loc_649C96:				; CODE XREF: PopFxFindAndReferenceAcpiDevice(x)+3Dj
		lea	ecx, [eax-68h]
		cmp	ecx, edi
		jz	short loc_649CA5
		mov	eax, [eax]

loc_649C9F:				; CODE XREF: PopFxFindAndReferenceAcpiDevice(x)+30j
		cmp	eax, edx
		jnz	short loc_649C96
		jmp	short loc_649CD9
; 

loc_649CA5:				; CODE XREF: PopFxFindAndReferenceAcpiDevice(x)+37j
		lea	edx, [ecx+98h]
		lock inc dword ptr [edx]
		cmp	byte ptr [ecx+94h], 0
		jnz	short loc_649CBB
		xor	esi, esi
		jmp	short loc_649CD9
; 

loc_649CBB:				; CODE XREF: PopFxFindAndReferenceAcpiDevice(x)+51j
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		jnz	short loc_649CD4
		push	0
		push	0
		lea	eax, [ecx+9Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_649CD4:				; CODE XREF: PopFxFindAndReferenceAcpiDevice(x)+5Ej
		mov	esi, 0C0000056h

loc_649CD9:				; CODE XREF: PopFxFindAndReferenceAcpiDevice(x)+3Fj
					; PopFxFindAndReferenceAcpiDevice(x)+55j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_649CEE
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_649CEE:				; CODE XREF: PopFxFindAndReferenceAcpiDevice(x)+81j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_PopFxFindAndReferenceAcpiDevice@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopFxHandleDirectedPowerTransition(x)
_PopFxHandleDirectedPowerTransition@4 proc near
					; CODE XREF: PopFxDirectedPowerTransitionWorker(x)+16p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		lea	esi, [edi+10h]
		mov	eax, [esi]

loc_649D15:				; CODE XREF: PopFxHandleDirectedPowerTransition(x)+16j
		mov	edx, eax
		or	edx, ecx
		lock cmpxchg [esi], edx
		jnz	short loc_649D15
		mov	esi, eax
		mov	ecx, [edi+1Ch]
		and	esi, 1000h
		setnz	bl
		mov	dl, bl
		call	_PopDiagTraceFxDeviceDirectedTransition@8 ; PopDiagTraceFxDeviceDirectedTransition(x,x)
		mov	edx, ds:_PopFxDirectedPowerUpTimeoutMs
		test	esi, esi
		jz	short loc_649D44
		mov	edx, ds:_PopFxDirectedPowerDownTimeoutMs

loc_649D44:				; CODE XREF: PopFxHandleDirectedPowerTransition(x)+35j
		lea	ecx, [edi+26Ch]
		call	PopFxEnableWorkOrderWatchdog
		mov	eax, [edi+64h]
		push	0
		push	eax
		test	esi, esi
		jnz	short loc_649D5E
		call	dword ptr [edi+5Ch]
		jmp	short loc_649D61
; 

loc_649D5E:				; CODE XREF: PopFxHandleDirectedPowerTransition(x)+50j
		call	dword ptr [edi+60h]

loc_649D61:				; CODE XREF: PopFxHandleDirectedPowerTransition(x)+55j
		or	eax, 0FFFFFFFFh
		lock xadd [edi+2F4h], eax
		jz	short loc_649D82
		mov	ecx, [edi+1Ch]
		xor	edx, edx
		push	0
		push	0
		push	18h
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_649D82:				; CODE XREF: PopFxHandleDirectedPowerTransition(x)+65j
		mov	ecx, edi
		mov	dl, bl
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PopFxCompleteDirectedPowerTransition@8	; PopFxCompleteDirectedPowerTransition(x,x)
_PopFxHandleDirectedPowerTransition@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxInsertAcpiDevice(x, x,	x)
_PopFxInsertAcpiDevice@12 proc near	; CODE XREF: PopFxAcpiRegisterDevice(x,x,x,x,x)+5Ap

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		sub	esp, 28h
		dec	word ptr [eax+13Ch]
		push	esi
		push	edi
		nop
		mov	esi, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, ds:dword_6C3984
		mov	edx, offset _PopFxAcpiDeviceList
		mov	eax, [ebx+8]
		add	eax, 68h
		cmp	[ecx], edx
		jz	short loc_649DE0
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_649DE0:				; CODE XREF: PopFxInsertAcpiDevice(x,x,x)+4Bj
		mov	[eax], edx
		or	edx, 0FFFFFFFFh
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:dword_6C3984, eax
		mov	eax, edx
		mov	[ebp+var_8], edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_649E08
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh

loc_649E08:				; CODE XREF: PopFxInsertAcpiDevice(x,x,x)+6Ej
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	esi, 7FFFFFFCh
		jz	loc_649FA9
		mov	esi, large fs:124h
		mov	ecx, offset _PopFxDeviceListLock
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	eax, offset _PopFxDeviceListLock
		ja	short loc_649E68
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_649E58
		mov	eax, [ebp+var_20]
		cmp	eax, offset _PopFxDeviceListLock
		ja	short loc_649E68
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_649E68

loc_649E58:				; CODE XREF: PopFxInsertAcpiDevice(x,x,x)+B5j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_8], eax

loc_649E68:				; CODE XREF: PopFxInsertAcpiDevice(x,x,x)+AAj
					; PopFxInsertAcpiDevice(x,x,x)+BFj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _PopFxDeviceListLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_649EB4
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_649F1A
		push	ecx
		push	[ebp+var_8]
		push	offset _PopFxDeviceListLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_649EB4:				; CODE XREF: PopFxInsertAcpiDevice(x,x,x)+106j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_649ECA
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_649ECA:				; CODE XREF: PopFxInsertAcpiDevice(x,x,x)+132j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_649F0E
		or	[esi+1E4h], dl
		jmp	short loc_649F1A
; 

loc_649F0E:				; CODE XREF: PopFxInsertAcpiDevice(x,x,x)+176j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]

loc_649F1A:				; CODE XREF: PopFxInsertAcpiDevice(x,x,x)+110j
					; PopFxInsertAcpiDevice(x,x,x)+17Ej
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_649F83
		test	edi, 8000h
		jz	short loc_649F3E
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_649F3E:				; CODE XREF: PopFxInsertAcpiDevice(x,x,x)+1A5j
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_649F54
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_649F54:				; CODE XREF: PopFxInsertAcpiDevice(x,x,x)+1B4j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_649F68
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_649F68:				; CODE XREF: PopFxInsertAcpiDevice(x,x,x)+1CDj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_649F83
		push	[ebp+var_24]
		mov	edx, offset _PopFxDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_649F83:				; CODE XREF: PopFxInsertAcpiDevice(x,x,x)+19Dj
					; PopFxInsertAcpiDevice(x,x,x)+1E4j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_649FA9
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_649FA9
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_649FA9:				; CODE XREF: PopFxInsertAcpiDevice(x,x,x)+85j
					; PopFxInsertAcpiDevice(x,x,x)+20Cj ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
_PopFxInsertAcpiDevice@12 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxIsDevicePotentialDripsConstraint(x)
_PopFxIsDevicePotentialDripsConstraint@4 proc near ; CODE XREF:	NtPowerInformation+172722p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_D		= byte ptr -0Dh
var_C		= word ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	edx, 78466F50h
		push	esi
		push	edi
		mov	edi, ecx
		mov	dword ptr [ebp+var_C], eax
		mov	[ebp+var_1C], edi
		mov	bl, al
		mov	[ebp+var_8], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		call	ObfReferenceObjectWithTag
		test	edi, edi
		jz	short loc_64A003
		mov	eax, [edi+0B0h]
		mov	esi, [eax+14h]
		jmp	short loc_64A007
; 

loc_64A003:				; CODE XREF: PopFxIsDevicePotentialDripsConstraint(x)+36j
		xor	ecx, ecx
		mov	esi, ecx

loc_64A007:				; CODE XREF: PopFxIsDevicePotentialDripsConstraint(x)+41j
		test	esi, esi
		jz	loc_64A0BA
		lea	eax, [esi+2Ch]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_D], al
		lea	edx, [esi+0A8h]
		xor	edi, edi
		mov	eax, [edx]

loc_64A025:				; CODE XREF: PopFxIsDevicePotentialDripsConstraint(x)+6Dj
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_64A025
		mov	ecx, eax
		mov	edi, [ebp+var_1C]
		test	cl, 4
		jz	short loc_64A052
		mov	ecx, [esi+28h]
		xor	edx, edx
		add	ecx, 238h
		xor	eax, eax
		lock cmpxchg [ecx], edx
		mov	ebx, eax
		shr	ebx, 4
		and	bl, 1

loc_64A052:				; CODE XREF: PopFxIsDevicePotentialDripsConstraint(x)+77j
		lea	eax, [esi+2Ch]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jnz	short loc_64A0BA
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	8
		xor	eax, eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_EnumeratorName
		push	dword ptr [esi+10h]
		call	IoGetDevicePropertyData
		test	eax, eax
		js	short loc_64A0BA
		cmp	[ebp+var_14], 12h
		jnz	short loc_64A0BA
		mov	eax, [ebp+var_18]
		cmp	eax, 2
		jbe	short loc_64A0BA
		shr	eax, 1
		xor	ecx, ecx
		cmp	[ebp+eax*2-0Eh], cx
		jnz	short loc_64A0BA
		lea	eax, [ebp+var_C]
		push	offset ??_C@_17DMBMDHNL@?$AAU?$AAS?$AAB@FNODOBFM@ ; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_64A0BA
		inc	bl

loc_64A0BA:				; CODE XREF: PopFxIsDevicePotentialDripsConstraint(x)+49j
					; PopFxIsDevicePotentialDripsConstraint(x)+A6j	...
		mov	edx, 78466F50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopFxIsDevicePotentialDripsConstraint@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopFxIsDirectedPowerTransitionSupported(x, x)
_PopFxIsDirectedPowerTransitionSupported@8 proc	near
					; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+F8p
					; PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+F1p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		lea	edi, [ecx+238h]
		xor	edx, edx
		xor	ecx, ecx
		xor	eax, eax
		lock cmpxchg [edi], ecx
		test	eax, 100h
		jz	short loc_64A0FB
		push	2
		mov	al, dl
		pop	edx
		jmp	short loc_64A110
; 

loc_64A0FB:				; CODE XREF: PopFxIsDirectedPowerTransitionSupported(x,x)+1Bj
		xor	ecx, ecx
		xor	eax, eax
		lock cmpxchg [edi], ecx
		test	al, 20h
		jnz	short loc_64A10E
		mov	al, dl
		xor	edx, edx
		inc	edx
		jmp	short loc_64A110
; 

loc_64A10E:				; CODE XREF: PopFxIsDirectedPowerTransitionSupported(x,x)+2Ej
		mov	al, 1

loc_64A110:				; CODE XREF: PopFxIsDirectedPowerTransitionSupported(x,x)+22j
					; PopFxIsDirectedPowerTransitionSupported(x,x)+35j
		test	esi, esi
		jz	short loc_64A116
		mov	[esi], edx

loc_64A116:				; CODE XREF: PopFxIsDirectedPowerTransitionSupported(x,x)+3Bj
		pop	edi
		pop	esi
		retn
_PopFxIsDirectedPowerTransitionSupported@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxIsDripsBlockingDevice(x, x, x,	x)
_PopFxIsDripsBlockingDevice@16 proc near
					; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+125p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		mov	edi, ecx
		call	KeQueryInterruptTime
		mov	esi, ds:_PopFxDeviceAccountingLevel
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx
		mov	[ebp+var_1], bl
		test	esi, esi
		jns	short loc_64A1B6
		lea	esi, [edi+160h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[ebp+var_2], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_PopFxDeviceAccountingLevel
		test	cl, 1
		jnz	short loc_64A16C
		cmp	ds:_PopFxDeviceAccountingPaused, bl
		jnz	short loc_64A193

loc_64A16C:				; CODE XREF: PopFxIsDripsBlockingDevice(x,x,x,x)+49j
		cmp	[esi+4], bl
		jz	short loc_64A193
		mov	ecx, [ebp+var_8]
		sub	ecx, [esi+10h]
		mov	eax, [ebp+var_C]
		sbb	eax, [esi+14h]
		cmp	eax, [ebp+arg_4]
		jb	short loc_64A193
		ja	short loc_64A189
		cmp	ecx, [ebp+arg_0]
		jb	short loc_64A193

loc_64A189:				; CODE XREF: PopFxIsDripsBlockingDevice(x,x,x,x)+69j
		mov	eax, [ebp+var_10]
		mov	[ebp+var_1], 1
		or	dword ptr [eax], 0FFFFFFFFh

loc_64A193:				; CODE XREF: PopFxIsDripsBlockingDevice(x,x,x,x)+51j
					; PopFxIsDripsBlockingDevice(x,x,x,x)+56j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_64A1A8
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64A1AD
; 

loc_64A1A8:				; CODE XREF: PopFxIsDripsBlockingDevice(x,x,x,x)+81j
		xor	eax, eax
		lock and [esi],	eax

loc_64A1AD:				; CODE XREF: PopFxIsDripsBlockingDevice(x,x,x,x)+8Dj
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_64A1B6:				; CODE XREF: PopFxIsDripsBlockingDevice(x,x,x,x)+28j
		cmp	[edi+23Ch], ebx
		jbe	loc_64A24C

loc_64A1C2:				; CODE XREF: PopFxIsDripsBlockingDevice(x,x,x,x)+12Dj
		mov	eax, [edi+240h]
		mov	esi, [eax+ebx*4]
		add	esi, 90h
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[ebp+var_2], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_PopFxDeviceAccountingLevel
		test	cl, 1
		jnz	short loc_64A1F5
		cmp	ds:_PopFxDeviceAccountingPaused, 0
		jnz	short loc_64A21C

loc_64A1F5:				; CODE XREF: PopFxIsDripsBlockingDevice(x,x,x,x)+D1j
		cmp	byte ptr [esi+4], 0
		jz	short loc_64A21C
		mov	ecx, [ebp+var_8]
		sub	ecx, [esi+10h]
		mov	eax, [ebp+var_C]
		sbb	eax, [esi+14h]
		cmp	eax, [ebp+arg_4]
		jb	short loc_64A21C
		ja	short loc_64A213
		cmp	ecx, [ebp+arg_0]
		jb	short loc_64A21C

loc_64A213:				; CODE XREF: PopFxIsDripsBlockingDevice(x,x,x,x)+F3j
		mov	eax, [ebp+var_10]
		mov	[ebp+var_1], 1
		mov	[eax], ebx

loc_64A21C:				; CODE XREF: PopFxIsDripsBlockingDevice(x,x,x,x)+DAj
					; PopFxIsDripsBlockingDevice(x,x,x,x)+E0j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_64A231
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64A236
; 

loc_64A231:				; CODE XREF: PopFxIsDripsBlockingDevice(x,x,x,x)+10Aj
		xor	eax, eax
		lock and [esi],	eax

loc_64A236:				; CODE XREF: PopFxIsDripsBlockingDevice(x,x,x,x)+116j
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	ebx
		cmp	ebx, [edi+23Ch]
		jb	loc_64A1C2

loc_64A24C:				; CODE XREF: PopFxIsDripsBlockingDevice(x,x,x,x)+A3j
		mov	al, [ebp+var_1]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PopFxIsDripsBlockingDevice@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopFxIssueComponentPerfStateChanges(int,int,void *,int)
_PopFxIssueComponentPerfStateChanges@24	proc near
					; CODE XREF: PoFxIssueComponentPerfStateChangeMultiple(x,x,x,x,x,x)+5Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	esi, [ebx+168h]
		test	esi, esi
		jnz	short loc_64A286
		push	dword ptr [ebx+10h]
		mov	edx, [edi+24h]
		mov	ecx, 61Bh
		push	edi

loc_64A281:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+4Fj
					; PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+66j
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_64A286:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+1Dj
		mov	eax, [esi]
		lea	ecx, [esi+18h]
		mov	edx, [ebp+arg_4]
		mov	eax, [eax+10h]
		mov	[ebp+var_8], eax
		cmp	edx, [esi+54h]
		jbe	short loc_64A2A7
		push	0
		push	dword ptr [ebx+10h]
		mov	edx, edi
		mov	ecx, 61Ch
		jmp	short loc_64A281
; 

loc_64A2A7:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+41j
		xor	eax, eax
		xchg	eax, [ecx]
		test	al, 7
		jz	short loc_64A2BE
		push	dword ptr [esi+34h]
		mov	edx, edi
		mov	ecx, 61Dh
		push	dword ptr [ebx+10h]
		jmp	short loc_64A281
; 

loc_64A2BE:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+57j
		cmp	byte ptr [esi+32h], 0
		jz	short loc_64A2ED
		mov	eax, edx
		shl	eax, 4
		push	eax		; size_t
		push	[ebp+arg_8]	; void *
		push	dword ptr [esi+1Ch] ; void *
		call	_memcpy
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	[esi+20h], eax
		mov	byte ptr [esi+30h], 0
		call	KeQueryInterruptTime
		mov	[esi+28h], eax
		mov	[esi+2Ch], edx

loc_64A2ED:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+6Cj
		mov	eax, [ebp+arg_C]
		mov	[esi+34h], eax
		lea	eax, [esi+4]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		call	_PopDiagTraceFxPerfRequest@12 ;	PopDiagTraceFxPerfRequest(x,x,x)
		mov	eax, [ebp+arg_0]
		lea	ecx, [esi+18h]
		xor	edx, edx
		inc	edx
		and	eax, edx
		mov	[ebp+arg_C], edx
		mov	[ebp+var_10], eax
		jz	short loc_64A323
		mov	eax, 88000000h
		jmp	short loc_64A32E
; 

loc_64A323:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+C4j
		test	byte ptr [ebp+arg_0], 2
		jz	short loc_64A331
		mov	eax, 10000000h

loc_64A32E:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+CBj
		lock or	[ecx], eax

loc_64A331:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+D1j
		push	4
		pop	eax
		lock xadd [ecx], eax
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		xor	edx, edx
		lock or	[eax], edx
		cmp	[esi+31h], dl
		push	1
		pop	edx
		jz	short loc_64A36E
		mov	edx, [ebx+10h]
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_8]
		mov	ecx, edi
		mov	byte ptr [ebp+var_4], 0
		push	[ebp+arg_4]
		call	_PopPluginRequestComponentPerfState@20 ; PopPluginRequestComponentPerfState(x,x,x,x,x)
		mov	dl, al
		lea	ecx, [esi+18h]
		mov	[ebp+arg_C], edx
		jmp	short loc_64A371
; 

loc_64A36E:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+F4j
		mov	byte ptr [ebp+var_4], dl

loc_64A371:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+116j
		test	dl, dl
		jz	short loc_64A38E
		xor	eax, eax
		cmp	byte ptr [ebp+var_4], al
		setz	al
		dec	eax
		and	eax, 40000000h
		add	eax, 20000000h
		lock or	[ecx], eax
		lock dec dword ptr [ecx]

loc_64A38E:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+11Dj
		or	edx, 0FFFFFFFFh
		lock xadd [ecx], edx
		dec	edx
		and	edx, 7
		mov	ecx, esi
		call	_PopDiagTraceFxPerfRequestProgress@8 ; PopDiagTraceFxPerfRequestProgress(x,x)
		cmp	byte ptr [ebp+arg_C], 0
		jz	short loc_64A3E4
		test	byte ptr [ebp+arg_0], 2
		jz	short loc_64A3C9
		mov	edx, [ebp+var_8]
		mov	ecx, [edi+1Ch]
		push	0
		push	0
		push	0Fh
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		push	ecx
		push	edi
		lea	edx, [esi+38h]
		call	PopFxQueueWorkOrder
		jmp	short loc_64A41D
; 

loc_64A3C9:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+154j
		mov	eax, 80000000h
		lea	ecx, [esi+18h]
		lock or	[ecx], eax
		push	[ebp+var_4]
		mov	edx, [ebx+10h]
		mov	ecx, edi
		push	esi
		call	_PopFxCompleteComponentPerfState@16 ; PopFxCompleteComponentPerfState(x,x,x,x)
		jmp	short loc_64A41D
; 

loc_64A3E4:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+14Ej
		cmp	[ebp+var_10], 0
		jz	short loc_64A3FB
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esi+4]
		push	eax
		call	KeWaitForSingleObject
		jmp	short loc_64A41D
; 

loc_64A3FB:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+192j
		mov	edx, [ebp+var_8]
		mov	ecx, [edi+1Ch]
		push	0
		push	0
		push	0Fh
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		mov	edx, [ebp+var_8]
		mov	ecx, [edi+1Ch]
		push	0
		push	0
		push	14h
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)

loc_64A41D:				; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+171j
					; PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+18Cj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PopFxIssueComponentPerfStateChanges@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxIssueDirectedPowerTransition(x, x, x)
_PopFxIssueDirectedPowerTransition@12 proc near
					; CODE XREF: PopIssueDirectedPowerTransition(x,x)+36p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		push	esi
		push	edi
		xor	edi, edi
		xor	eax, eax
		lea	esi, [ebx+238h]
		lock cmpxchg [esi], edi
		test	al, 20h
		jnz	short loc_64A454
		push	0
		xor	edx, edx
		push	ebx
		inc	edx

loc_64A44A:				; CODE XREF: PopFxIssueDirectedPowerTransition(x,x,x)+80j
					; PopFxIssueDirectedPowerTransition(x,x,x)+103j
		mov	ecx, 910h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_64A454:				; CODE XREF: PopFxIssueDirectedPowerTransition(x,x,x)+1Ej
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	esi, [ebx+2F0h]
		mov	[ebp+var_2], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	edx, [ebx+10h]
		mov	ecx, [edx]
		mov	eax, [ebx+2F4h]
		test	eax, eax
		jnz	loc_64A521
		mov	edi, 2000h
		test	ecx, edi
		jnz	loc_64A521
		mov	al, [ebp+var_1]
		shr	ecx, 0Ch
		and	ecx, 1
		cmp	cl, al
		jnz	short loc_64A4A6
		xor	edx, edx
		test	al, al
		push	0
		setnz	dl
		push	ebx
		add	edx, 4
		jmp	short loc_64A44A
; 

loc_64A4A6:				; CODE XREF: PopFxIssueDirectedPowerTransition(x,x,x)+71j
		mov	dword ptr [ebx+2F4h], 2
		lock or	[edx], edi
		test	al, al
		jz	short loc_64A4C1
		mov	eax, 1000h
		lock or	[edx], eax
		jmp	short loc_64A4C9
; 

loc_64A4C1:				; CODE XREF: PopFxIssueDirectedPowerTransition(x,x,x)+91j
		mov	eax, 0FFFFEFFFh
		lock and [edx],	eax

loc_64A4C9:				; CODE XREF: PopFxIssueDirectedPowerTransition(x,x,x)+9Bj
		mov	ecx, ebx
		call	PopFxAddRefDevice
		mov	eax, [ebp+arg_0]
		lea	edx, [ebx+26Ch]
		and	dword ptr [ebx+300h], 0FFFFFFFCh
		push	ecx
		push	ebx
		mov	[ebx+2F8h], eax
		mov	dword ptr [ebx+2FCh], 0C0000184h
		call	PopFxQueueWorkOrder
		test	ds:byte_70EFC6,	1
		jz	short loc_64A50C
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64A511
; 

loc_64A50C:				; CODE XREF: PopFxIssueDirectedPowerTransition(x,x,x)+DAj
		xor	eax, eax
		lock and [esi],	eax

loc_64A511:				; CODE XREF: PopFxIssueDirectedPowerTransition(x,x,x)+E6j
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_64A521:				; CODE XREF: PopFxIssueDirectedPowerTransition(x,x,x)+53j
					; PopFxIssueDirectedPowerTransition(x,x,x)+60j
		push	0
		push	ebx
		push	3
		pop	edx
		jmp	loc_64A44A
_PopFxIssueDirectedPowerTransition@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopFxMergeActiveTimeAccounting(x)
_PopFxMergeActiveTimeAccounting@4 proc near ; CODE XREF: PopFxPauseDeviceAccounting()+80p
					; PopFxPauseDeviceAccounting()+E4p ...
		mov	eax, [ecx+78h]
		lea	edx, [ecx+0B0h]
		add	[ecx+18h], eax
		mov	eax, [ecx+7Ch]
		adc	[ecx+1Ch], eax
		mov	eax, [ecx+80h]
		add	[ecx+20h], eax
		mov	eax, [ecx+84h]
		adc	[ecx+24h], eax
		add	ecx, 28h
		push	esi
		push	5
		pop	esi

loc_64A557:				; CODE XREF: PopFxMergeActiveTimeAccounting(x)+4Aj
		mov	eax, [ecx+60h]
		add	[ecx], eax
		mov	eax, [ecx+64h]
		adc	[ecx+4], eax
		mov	eax, [edx]
		lea	edx, [edx+8]
		add	[ecx+28h], eax
		mov	eax, [edx-4]
		adc	[ecx+2Ch], eax
		lea	ecx, [ecx+8]
		sub	esi, 1
		jnz	short loc_64A557
		pop	esi
		retn
_PopFxMergeActiveTimeAccounting@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxPauseDeviceAccounting()
_PopFxPauseDeviceAccounting@0 proc near	; CODE XREF: PdcPoCurrentPdcPhase(x,x,x)+92p
					; PopPdcIdleResiliencyCallback(x,x)+BFp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		call	KeQueryInterruptTime
		mov	esi, ds:_PopFxDeviceList
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], edx
		cmp	esi, offset _PopFxDeviceList
		jz	loc_64A6A3
		push	edi

loc_64A5BE:				; CODE XREF: PopFxPauseDeviceAccounting()+11Dj
					; DATA XREF: .text:00430344o
		cmp	dword ptr [esi+1Ch], 0
		jz	loc_64A68F
		mov	eax, ds:_PopFxDeviceAccountingLevel
		test	eax, eax
		jns	short loc_64A621
		lea	edi, [esi+160h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	0
		push	47868C00h
		push	[ebp+var_8]
		mov	ecx, edi
		push	[ebp+var_C]
		call	PopFxUpdateAccountingActiveTime
		call	_PopFxMergeActiveTimeAccounting@4 ; PopFxMergeActiveTimeAccounting(x)
		test	ds:byte_70EFC6,	1
		jz	short loc_64A614
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64A619
; 

loc_64A614:				; CODE XREF: PopFxPauseDeviceAccounting()+8Cj
		xor	eax, eax
		lock and [edi],	eax

loc_64A619:				; CODE XREF: PopFxPauseDeviceAccounting()+98j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_64A621:				; CODE XREF: PopFxPauseDeviceAccounting()+55j
		xor	edi, edi
		cmp	[esi+23Ch], edi
		jbe	short loc_64A68F

loc_64A62B:				; CODE XREF: PopFxPauseDeviceAccounting()+113j
		mov	eax, [esi+240h]
		mov	ebx, [eax+edi*4]
		add	ebx, 90h
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, ebx
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	0
		push	47868C00h
		push	[ebp+var_8]
		mov	ecx, ebx
		push	[ebp+var_C]
		call	PopFxUpdateAccountingActiveTime
		call	_PopFxMergeActiveTimeAccounting@4 ; PopFxMergeActiveTimeAccounting(x)
		test	ds:byte_70EFC6,	1
		jz	short loc_64A678
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64A67D
; 

loc_64A678:				; CODE XREF: PopFxPauseDeviceAccounting()+F0j
		xor	eax, eax
		lock and [ebx],	eax

loc_64A67D:				; CODE XREF: PopFxPauseDeviceAccounting()+FCj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	edi
		cmp	edi, [esi+23Ch]
		jb	short loc_64A62B

loc_64A68F:				; CODE XREF: PopFxPauseDeviceAccounting()+48j
					; PopFxPauseDeviceAccounting()+AFj
		mov	esi, [esi]
		cmp	esi, offset _PopFxDeviceList
		jnz	loc_64A5BE
		mov	ebx, offset _PopFxDeviceListLock
		pop	edi

loc_64A6A3:				; CODE XREF: PopFxPauseDeviceAccounting()+3Dj
		xor	cl, cl
		call	_PopFxSetGlobalDeviceAccountingEnabled@4 ; PopFxSetGlobalDeviceAccountingEnabled(x)
		push	11h
		mov	ds:_PopFxDeviceAccountingPaused, 1
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_64A6C6
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_64A6C6:				; CODE XREF: PopFxPauseDeviceAccounting()+143j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi
		pop	ebx
		leave
		retn
_PopFxPauseDeviceAccounting@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxPlatformIdleVeto(x, x,	x, x)
_PopFxPlatformIdleVeto@16 proc near	; DATA XREF: PopFxRegisterPluginEx(x,x,x,x)+386o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_10]
		xor	ecx, ecx
		stosd
		stosd
		stosd
		mov	edi, 0C0000002h
		cmp	[esi+50h], ecx
		jz	short loc_64A77E
		push	ebx
		lea	ebx, [esi+80h]
		lock inc dword ptr [ebx]
		cmp	[esi+7Ch], cl
		jz	short loc_64A735
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		jnz	short loc_64A72E
		push	ecx
		push	ecx
		lea	eax, [esi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_64A72E:				; CODE XREF: PopFxPlatformIdleVeto(x,x,x,x)+41j
		mov	edi, 0C0000056h
		jmp	short loc_64A77D
; 

loc_64A735:				; CODE XREF: PopFxPlatformIdleVeto(x,x,x,x)+38j
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_C], eax
		mov	al, [ebp+arg_C]
		mov	[ebp+var_8], al
		lea	eax, [ebp+var_14]
		push	eax
		push	ecx
		push	ecx
		push	0Ch
		lea	eax, [ebp+var_10]
		mov	[ebp+var_14], ecx
		push	eax
		push	offset _GUID_PLATFORM_IDLE_VETO
		push	dword ptr [esi+64h]
		call	dword ptr [esi+50h]
		mov	edi, eax
		or	ecx, 0FFFFFFFFh
		lock xadd [ebx], ecx
		dec	ecx
		jnz	short loc_64A77D
		push	0
		push	0
		lea	ecx, [esi+84h]
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_64A77D:				; CODE XREF: PopFxPlatformIdleVeto(x,x,x,x)+56j
					; PopFxPlatformIdleVeto(x,x,x,x)+8Ej
		pop	ebx

loc_64A77E:				; CODE XREF: PopFxPlatformIdleVeto(x,x,x,x)+29j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PopFxPlatformIdleVeto@16 endp


;  S U B	R O U T	I N E 


; __stdcall PopFxPlatformStateAvailable(x, x)
_PopFxPlatformStateAvailable@8 proc near ; CODE	XREF: PopPepUpdateIdleStateRefCount+849BBp
					; PopPepUpdateIdleStateRefCount+84ACBp
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	bl, dl
		mov	esi, ecx
		call	_PpmIdleCsVetoAccountingDeviceUpdate@8 ; PpmIdleCsVetoAccountingDeviceUpdate(x,x)
		mov	eax, ds:_PpmPlatformStates
		mov	eax, [eax]
		dec	eax
		cmp	esi, eax
		jnz	short loc_64A7EA
		test	bl, bl
		jnz	short loc_64A7CD
		mov	cl, 1
		call	_PopFxSetDripsBlockedByDeviceActivity@4	; PopFxSetDripsBlockedByDeviceActivity(x)
		mov	cl, 1
		call	_PopIdleWakeNotifyDevicesActive@4 ; PopIdleWakeNotifyDevicesActive(x)
		mov	cl, 1
		call	_PopUpdateNonAttributedCpuTimeReference@4 ; PopUpdateNonAttributedCpuTimeReference(x)
		push	6
		pop	ecx
		call	PopDeepSleepSetDisengageReason
		jmp	short loc_64A7EA
; 

loc_64A7CD:				; CODE XREF: PopFxPlatformStateAvailable(x,x)+1Cj
		xor	cl, cl
		call	_PopFxSetDripsBlockedByDeviceActivity@4	; PopFxSetDripsBlockedByDeviceActivity(x)
		xor	cl, cl
		call	_PopIdleWakeNotifyDevicesActive@4 ; PopIdleWakeNotifyDevicesActive(x)
		xor	cl, cl
		call	_PopUpdateNonAttributedCpuTimeReference@4 ; PopUpdateNonAttributedCpuTimeReference(x)
		push	6
		pop	ecx
		call	PopDeepSleepClearDisengageReason

loc_64A7EA:				; CODE XREF: PopFxPlatformStateAvailable(x,x)+18j
					; PopFxPlatformStateAvailable(x,x)+3Bj
		pop	esi
		pop	ebx
		pop	ecx
		retn
_PopFxPlatformStateAvailable@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxPrepareDevicesForShutdown()
_PopFxPrepareDevicesForShutdown@0 proc near ; CODE XREF: PAGELK:loc_71F99Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		or	edx, 0FFFFFFFFh
		mov	ds:_PopFxEnableShutdownActiveBias, 1
		mov	[ebp+var_8], edx
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_64A849
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh

loc_64A849:				; CODE XREF: PopFxPrepareDevicesForShutdown()+4Fj
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	esi, 7FFFFFFCh
		jz	loc_64A9EA
		mov	esi, large fs:124h
		mov	ecx, offset _PopFxDeviceListLock
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	eax, offset _PopFxDeviceListLock
		ja	short loc_64A8A9
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_64A899
		mov	eax, [ebp+var_20]
		cmp	eax, offset _PopFxDeviceListLock
		ja	short loc_64A8A9
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_64A8A9

loc_64A899:				; CODE XREF: PopFxPrepareDevicesForShutdown()+96j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_8], eax

loc_64A8A9:				; CODE XREF: PopFxPrepareDevicesForShutdown()+8Bj
					; PopFxPrepareDevicesForShutdown()+A0j	...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _PopFxDeviceListLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_64A8F5
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_64A95B
		push	ecx
		push	[ebp+var_8]
		push	offset _PopFxDeviceListLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_64A8F5:				; CODE XREF: PopFxPrepareDevicesForShutdown()+E7j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_64A90B
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_64A90B:				; CODE XREF: PopFxPrepareDevicesForShutdown()+113j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_64A94F
		or	[esi+1E4h], dl
		jmp	short loc_64A95B
; 

loc_64A94F:				; CODE XREF: PopFxPrepareDevicesForShutdown()+157j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]

loc_64A95B:				; CODE XREF: PopFxPrepareDevicesForShutdown()+F1j
					; PopFxPrepareDevicesForShutdown()+15Fj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_64A9C4
		test	edi, 8000h
		jz	short loc_64A97F
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_64A97F:				; CODE XREF: PopFxPrepareDevicesForShutdown()+186j
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_64A995
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_64A995:				; CODE XREF: PopFxPrepareDevicesForShutdown()+195j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_64A9A9
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_64A9A9:				; CODE XREF: PopFxPrepareDevicesForShutdown()+1AEj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_64A9C4
		push	[ebp+var_24]
		mov	edx, offset _PopFxDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_64A9C4:				; CODE XREF: PopFxPrepareDevicesForShutdown()+17Ej
					; PopFxPrepareDevicesForShutdown()+1C5j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_64A9EA
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_64A9EA
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_64A9EA:				; CODE XREF: PopFxPrepareDevicesForShutdown()+66j
					; PopFxPrepareDevicesForShutdown()+1EDj ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	4
		pop	ecx
		call	_PopFxActivateDevicesForSx@4 ; PopFxActivateDevicesForSx(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_PopFxPrepareDevicesForShutdown@0 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxProcessorIdleVeto(x, x, x, x)
_PopFxProcessorIdleVeto@16 proc	near	; DATA XREF: PopFxRegisterPluginEx(x,x,x,x)+37Fo

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_10]
		xor	ecx, ecx
		stosd
		stosd
		stosd
		mov	edi, 0C0000002h
		cmp	[esi+50h], ecx
		jz	short loc_64AAA8
		push	ebx
		lea	ebx, [esi+80h]
		lock inc dword ptr [ebx]
		cmp	[esi+7Ch], cl
		jz	short loc_64AA5F
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		jnz	short loc_64AA58
		push	ecx
		push	ecx
		lea	eax, [esi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_64AA58:				; CODE XREF: PopFxProcessorIdleVeto(x,x,x,x)+41j
		mov	edi, 0C0000056h
		jmp	short loc_64AAA7
; 

loc_64AA5F:				; CODE XREF: PopFxProcessorIdleVeto(x,x,x,x)+38j
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_C], eax
		mov	al, [ebp+arg_C]
		mov	[ebp+var_8], al
		lea	eax, [ebp+var_14]
		push	eax
		push	ecx
		push	ecx
		push	0Ch
		lea	eax, [ebp+var_10]
		mov	[ebp+var_14], ecx
		push	eax
		push	(offset	loc_42E085+3)
		push	dword ptr [esi+64h]
		call	dword ptr [esi+50h]
		mov	edi, eax
		or	ecx, 0FFFFFFFFh
		lock xadd [ebx], ecx
		dec	ecx
		jnz	short loc_64AAA7
		push	0
		push	0
		lea	ecx, [esi+84h]
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_64AAA7:				; CODE XREF: PopFxProcessorIdleVeto(x,x,x,x)+56j
					; PopFxProcessorIdleVeto(x,x,x,x)+8Ej
		pop	ebx

loc_64AAA8:				; CODE XREF: PopFxProcessorIdleVeto(x,x,x,x)+29j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PopFxProcessorIdleVeto@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxQueryCurrentComponentPerfState(x, x, x, x, x, x)
_PopFxQueryCurrentComponentPerfState@24	proc near
					; CODE XREF: PoFxQueryCurrentComponentPerfState(x,x,x,x,x)+37p
					; PopFxUpdateComponentPerfStateNominalChange(x,x,x,x)+4Ep

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [edx+168h]
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_10]
		xor	ebx, ebx
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		mov	edi, eax
		shl	edi, 5
		add	edi, [esi+58h]
		mov	[ebp+var_10], eax
		cmp	[esi+31h], bl
		jz	short loc_64AB48
		cmp	[ecx+24h], ebx
		jz	short loc_64AB48
		mov	edx, [edx+10h]
		lea	eax, [ebp+var_10]
		push	eax
		call	_PopPluginQueryCurrentComponentPerfState@12 ; PopPluginQueryCurrentComponentPerfState(x,x,x)
		mov	eax, [edi]
		mov	esi, [ebp+arg_8]
		cmp	[eax+14h], ebx
		mov	eax, [ebp+var_8]
		mov	[esi], eax
		jnz	short loc_64AB10
		mov	[esi+4], ebx
		mov	ecx, ebx
		jmp	short loc_64AB16
; 

loc_64AB10:				; CODE XREF: PopFxQueryCurrentComponentPerfState(x,x,x,x,x,x)+4Dj
		mov	ecx, [ebp+var_4]
		mov	[esi+4], ecx

loc_64AB16:				; CODE XREF: PopFxQueryCurrentComponentPerfState(x,x,x,x,x,x)+54j
		cmp	eax, [edi+8]
		jnz	short loc_64AB20
		cmp	ecx, [edi+0Ch]
		jz	short loc_64AB56

loc_64AB20:				; CODE XREF: PopFxQueryCurrentComponentPerfState(x,x,x,x,x,x)+5Fj
		call	KeQueryInterruptTime
		mov	[edi+10h], eax
		mov	al, [ebp+arg_4]
		mov	[edi+18h], al
		mov	[edi+14h], edx
		mov	eax, [esi]
		mov	[edi+8], eax
		mov	eax, [esi+4]
		mov	[edi+0Ch], eax
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_64AB5F
		mov	byte ptr [eax],	1
		jmp	short loc_64AB5F
; 

loc_64AB48:				; CODE XREF: PopFxQueryCurrentComponentPerfState(x,x,x,x,x,x)+2Dj
					; PopFxQueryCurrentComponentPerfState(x,x,x,x,x,x)+32j
		mov	ecx, [ebp+arg_8]
		mov	eax, [edi+8]
		mov	[ecx], eax
		mov	eax, [edi+0Ch]
		mov	[ecx+4], eax

loc_64AB56:				; CODE XREF: PopFxQueryCurrentComponentPerfState(x,x,x,x,x,x)+64j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_64AB5F
		mov	[eax], bl

loc_64AB5F:				; CODE XREF: PopFxQueryCurrentComponentPerfState(x,x,x,x,x,x)+87j
					; PopFxQueryCurrentComponentPerfState(x,x,x,x,x,x)+8Cj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PopFxQueryCurrentComponentPerfState@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxRegisterPluginEx(x, x,	x, x)
_PopFxRegisterPluginEx@16 proc near	; CODE XREF: PoFxRegisterPluginEx(x,x,x,x)+11p
					; PoFxRegisterPlugin(x,x)+Fp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 48h
		push	esi
		push	edi
		mov	eax, ecx
		mov	[ebp+var_3C], edx
		movzx	ecx, word ptr [edx]
		push	3
		pop	esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_40], esi
		cmp	cx, si
		jbe	short loc_64AB9F
		mov	esi, 0C000A004h
		jmp	short loc_64ABF6
; 

loc_64AB9F:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+30j
		push	30h
		pop	edi
		jnz	short loc_64ABAA
		cmp	[edx+2], di
		jb	short loc_64ABF1

loc_64ABAA:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+3Cj
		push	2
		pop	edi
		cmp	cx, di
		jnz	short loc_64ABB9
		cmp	word ptr [edx+2], 2Ch
		jb	short loc_64ABF1

loc_64ABB9:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+4Aj
		mov	[ebp+var_8], 1
		cmp	cx, word ptr [ebp+var_8]
		jb	short loc_64ABF1
		cmp	word ptr [edx+2], 1Ch
		jb	short loc_64ABF1
		movzx	ecx, word ptr [eax]
		cmp	cx, si
		jbe	short loc_64ABDC
		mov	esi, 0C000A005h
		jmp	short loc_64ABF6
; 

loc_64ABDC:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+6Dj
		jnz	short loc_64AC03
		cmp	word ptr [eax+2], 10h
		jb	short loc_64ABF1
		cmp	dword ptr [eax+4], 0
		jnz	short loc_64AC15
		cmp	dword ptr [eax+0Ch], 0
		jnz	short loc_64AC15

loc_64ABF1:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+42j
					; PopFxRegisterPluginEx(x,x,x,x)+51j ...
		mov	esi, 0C000000Dh

loc_64ABF6:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+37j
					; PopFxRegisterPluginEx(x,x,x,x)+74j ...
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_64AC03:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x):loc_64ABDCj
		cmp	cx, di
		jnz	short loc_64ABF1
		cmp	word ptr [eax+2], 0Ch
		jb	short loc_64ABF1
		cmp	dword ptr [eax+4], 0
		jz	short loc_64ABF1

loc_64AC15:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+83j
					; PopFxRegisterPluginEx(x,x,x,x)+89j
		push	4D584650h
		mov	esi, 0F0h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_38], edi
		test	edi, edi
		jnz	short loc_64AC3A
		mov	esi, 0C000009Ah
		jmp	short loc_64ABF6
; 

loc_64AC3A:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+CBj
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [edi+4Ch]
		mov	edx, edi
		call	_PopFxInitializeWorkPool@8 ; PopFxInitializeWorkPool(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_64AC63
		push	4D584650h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_64ABF6
; 

loc_64AC63:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+EEj
		mov	ecx, [ebp+var_14]
		mov	esi, [ebx+8]
		push	3
		movzx	eax, word ptr [ecx]
		mov	[edi+8], eax
		mov	eax, [ebx+0Ch]
		mov	[edi+14h], eax
		mov	[edi+10h], esi
		mov	eax, [ecx+4]
		mov	[edi+40h], eax
		mov	eax, [ecx+8]
		mov	[edi+44h], eax
		pop	eax
		cmp	[ecx], ax
		jb	short loc_64AC92
		mov	eax, [ecx+0Ch]
		mov	[edi+48h], eax

loc_64AC92:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+124j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopFxPluginLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, ds:_PopFxDeviceRegisterHead
		mov	edx, [eax]
		cmp	[edx+4], eax
		jz	short loc_64ACBF
		push	3
		pop	eax
		mov	ecx, eax
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_64ACBF:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+150j
		mov	[edi+4], eax
		mov	[edi], edx
		mov	[edx+4], edi
		mov	[eax], edi
		mov	eax, esi
		and	eax, 80000000h
		or	eax, 0
		jz	short loc_64ACDB
		mov	ds:_PopFxDeviceRegisterHead, edi

loc_64ACDB:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+16Dj
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _PopFxPluginLock
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_64ACFF
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _PopFxPluginLock

loc_64ACFF:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+18Aj
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_64AEA0
		mov	esi, large fs:124h
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], eax
		cmp	eax, offset _PopFxPluginLock
		ja	short loc_64AD5A
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_64AD4A
		mov	eax, [ebp+var_30]
		cmp	eax, offset _PopFxPluginLock
		ja	short loc_64AD5A
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_64AD5A

loc_64AD4A:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+1CFj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_C], eax

loc_64AD5A:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+1C4j
					; PopFxRegisterPluginEx(x,x,x,x)+1D9j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _PopFxPluginLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_64ADA6
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_64AE0F
		push	ecx
		push	[ebp+var_C]
		push	offset _PopFxPluginLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_64ADA6:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+220j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_64ADBC
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_64ADBC:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+24Cj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		mov	dl, byte ptr [ebp+var_8]
		mov	ecx, eax
		mov	eax, [ebp+var_8]
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	al
		jnz	short loc_64AE03
		or	[esi+1E4h], dl
		jmp	short loc_64AE0F
; 

loc_64AE03:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+293j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_34]

loc_64AE0F:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+22Aj
					; PopFxRegisterPluginEx(x,x,x,x)+29Bj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jz	short loc_64AE7A
		test	edi, 8000h
		jz	short loc_64AE33
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_64AE33:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+2C2j
		mov	eax, [ebp+var_8]
		test	byte ptr [ebp+var_10+2], al
		jz	short loc_64AE4B
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_64AE4B:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+2D3j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_64AE5F
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_64AE5F:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+2ECj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_64AE7A
		push	[ebp+var_34]
		mov	edx, offset _PopFxPluginLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_64AE7A:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+2BAj
					; PopFxRegisterPluginEx(x,x,x,x)+303j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_64AEA0
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_64AEA0
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_64AEA0:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+1A4j
					; PopFxRegisterPluginEx(x,x,x,x)+32Bj ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	dword ptr [ebx+0Ch]
		mov	esi, [ebp+var_38]
		xor	dl, dl
		push	dword ptr [ebx+8]
		mov	ecx, esi
		call	_PopDiagTraceFxPluginRegistration@16 ; PopDiagTraceFxPluginRegistration(x,x,x,x)
		mov	ecx, [ebp+var_3C]
		xor	edx, edx
		push	2
		pop	eax
		mov	[ecx+4], esi
		mov	dword ptr [ecx+8], offset PopFxRequestWorker
		mov	dword ptr [ecx+18h], offset _PopFxTransitionCriticalResource@12	; PopFxTransitionCriticalResource(x,x,x)
		mov	[ecx+10h], edx
		mov	[ecx+14h], edx
		mov	[ecx+0Ch], edx
		cmp	[ecx], ax
		jb	short loc_64AF01
		mov	dword ptr [ecx+1Ch], offset _PopFxProcessorIdleVeto@16 ; PopFxProcessorIdleVeto(x,x,x,x)
		mov	dword ptr [ecx+20h], offset _PopFxPlatformIdleVeto@16 ;	PopFxPlatformIdleVeto(x,x,x,x)
		mov	dword ptr [ecx+24h], offset _PopFxUpdateProcessorIdleState@12 ;	PopFxUpdateProcessorIdleState(x,x,x)
		mov	dword ptr [ecx+28h], offset _PopFxUpdatePlatformIdleState@12 ; PopFxUpdatePlatformIdleState(x,x,x)

loc_64AF01:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+37Dj
		mov	esi, [ebp+var_14]
		movzx	eax, word ptr [esi]
		mov	edi, eax
		cmp	ax, word ptr [ebp+var_40]
		jb	short loc_64AF19
		mov	dword ptr [ecx+2Ch], offset _PopFxRequestCommon@8 ; PopFxRequestCommon(x,x)
		movzx	edi, word ptr [esi]

loc_64AF19:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+3A7j
		push	3
		pop	eax
		cmp	di, ax
		jnz	short loc_64AF2E
		cmp	[esi+0Ch], edx
		jz	short loc_64AF2E
		mov	eax, [ebp+var_8]
		mov	ds:_PopFxAcpiPepRegistered, al

loc_64AF2E:				; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+3B9j
					; PopFxRegisterPluginEx(x,x,x,x)+3BEj
		mov	esi, edx
		jmp	loc_64ABF6
_PopFxRegisterPluginEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxReleaseAcpiRefDevice(x, x)
_PopFxReleaseAcpiRefDevice@8 proc near	; CODE XREF: PAGE:0089B349p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+98h], eax
		dec	eax
		jnz	short locret_64AF59
		push	0
		push	0
		lea	eax, [ecx+9Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

locret_64AF59:				; CODE XREF: PopFxReleaseAcpiRefDevice(x,x)+12j
		leave
		retn
_PopFxReleaseAcpiRefDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxReleaseDevice(x)
_PopFxReleaseDevice@4 proc near		; CODE XREF: PoFxSetTargetDripsDevicePowerState(x,x)+D6p
					; PopFxDestroyDripsBlockingDeviceList(x)+3Ep ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+80h], eax
		dec	eax
		jnz	short locret_64AF7F
		push	0
		push	0
		lea	eax, [ecx+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

locret_64AF7F:				; CODE XREF: PopFxReleaseDevice(x)+12j
		leave
		retn
_PopFxReleaseDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxRemoveAcpiDevice(x, x)
_PopFxRemoveAcpiDevice@8 proc near	; CODE XREF: PopFxAcpiUnregisterDevice(x,x)+33p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		sub	esp, 28h
		dec	word ptr [eax+13Ch]
		push	esi
		push	edi
		mov	esi, edx
		nop
		mov	edi, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+6Ch]
		add	esi, 68h
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_64B1AC
		cmp	[eax], esi
		jnz	loc_64B1AC
		mov	[eax], ecx
		or	edx, 0FFFFFFFFh
		mov	[ecx+4], eax
		mov	eax, edx
		mov	[ebp+var_8], edx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_64AFF5
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh

loc_64AFF5:				; CODE XREF: PopFxRemoveAcpiDevice(x,x)+68j
		xor	edi, edi
		mov	eax, offset _PopFxDeviceListLock
		mov	[ebp+var_C], edi
		test	eax, 7FFFFFFCh
		jz	loc_64B197
		mov	esi, large fs:124h
		mov	ecx, eax
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	eax, offset _PopFxDeviceListLock
		ja	short loc_64B056
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_64B046
		mov	eax, [ebp+var_20]
		cmp	eax, offset _PopFxDeviceListLock
		ja	short loc_64B056
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_64B056

loc_64B046:				; CODE XREF: PopFxRemoveAcpiDevice(x,x)+B0j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_8], eax

loc_64B056:				; CODE XREF: PopFxRemoveAcpiDevice(x,x)+A5j
					; PopFxRemoveAcpiDevice(x,x)+BAj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _PopFxDeviceListLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_64B0A2
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_64B108
		push	ecx
		push	[ebp+var_8]
		push	offset _PopFxDeviceListLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_64B0A2:				; CODE XREF: PopFxRemoveAcpiDevice(x,x)+101j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_64B0B8
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_64B0B8:				; CODE XREF: PopFxRemoveAcpiDevice(x,x)+12Dj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_64B0FC
		or	[esi+1E4h], dl
		jmp	short loc_64B108
; 

loc_64B0FC:				; CODE XREF: PopFxRemoveAcpiDevice(x,x)+171j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]

loc_64B108:				; CODE XREF: PopFxRemoveAcpiDevice(x,x)+10Bj
					; PopFxRemoveAcpiDevice(x,x)+179j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_64B171
		test	edi, 8000h
		jz	short loc_64B12C
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_64B12C:				; CODE XREF: PopFxRemoveAcpiDevice(x,x)+1A0j
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_64B142
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_64B142:				; CODE XREF: PopFxRemoveAcpiDevice(x,x)+1AFj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_64B156
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_64B156:				; CODE XREF: PopFxRemoveAcpiDevice(x,x)+1C8j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_64B171
		push	[ebp+var_24]
		mov	edx, offset _PopFxDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_64B171:				; CODE XREF: PopFxRemoveAcpiDevice(x,x)+198j
					; PopFxRemoveAcpiDevice(x,x)+1DFj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_64B197
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_64B197
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_64B197:				; CODE XREF: PopFxRemoveAcpiDevice(x,x)+83j
					; PopFxRemoveAcpiDevice(x,x)+207j ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_64B1AC:				; CODE XREF: PopFxRemoveAcpiDevice(x,x)+45j
					; PopFxRemoveAcpiDevice(x,x)+4Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PopFxRemoveAcpiDevice@8 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxRemoveDevice(x, x)
_PopFxRemoveDevice@8 proc near		; CODE XREF: PopFxUnregisterDevice(x)+61p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		sub	esp, 14h
		dec	word ptr [eax+13Ch]
		push	esi
		push	edi
		mov	esi, edx
		nop
		mov	edi, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_64B3B7
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_64B3B7
		mov	[eax], ecx
		mov	[ecx+4], eax
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_8], ecx
		mov	eax, ecx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_64B210
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh

loc_64B210:				; CODE XREF: PopFxRemoveDevice(x,x)+53j
		xor	edi, edi
		mov	eax, offset _PopFxDeviceListLock
		mov	[ebp+var_C], edi
		test	eax, 7FFFFFFCh
		jz	loc_64B3A7
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_14], esi
		cmp	edx, offset _PopFxDeviceListLock
		ja	short loc_64B26A
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_64B25A
		cmp	edx, offset _PopFxDeviceListLock
		ja	short loc_64B26A
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_64B26A

loc_64B25A:				; CODE XREF: PopFxRemoveDevice(x,x)+96j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_8], eax

loc_64B26A:				; CODE XREF: PopFxRemoveDevice(x,x)+8Dj
					; PopFxRemoveDevice(x,x)+9Ej ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	edx, offset _PopFxDeviceListLock
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jnz	short loc_64B2BA
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_64B32C
		push	ecx
		push	[ebp+var_8]
		push	offset _PopFxDeviceListLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_64B2BA:				; CODE XREF: PopFxRemoveDevice(x,x)+E5j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_64B2D0
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_10]

loc_64B2D0:				; CODE XREF: PopFxRemoveDevice(x,x)+115j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	short loc_64B31A
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_64B32C
; 

loc_64B31A:				; CODE XREF: PopFxRemoveDevice(x,x)+155j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_14]

loc_64B32C:				; CODE XREF: PopFxRemoveDevice(x,x)+EFj
					; PopFxRemoveDevice(x,x)+167j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_14], eax
		jz	short loc_64B38F
		test	edi, 8000h
		jz	short loc_64B350
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_64B350:				; CODE XREF: PopFxRemoveDevice(x,x)+194j
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_64B360
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_64B360:				; CODE XREF: PopFxRemoveDevice(x,x)+1A3j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_64B374
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_64B374:				; CODE XREF: PopFxRemoveDevice(x,x)+1B6j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_64B38F
		push	[ebp+var_14]
		mov	edx, offset _PopFxDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_64B38F:				; CODE XREF: PopFxRemoveDevice(x,x)+18Cj
					; PopFxRemoveDevice(x,x)+1CDj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_64B3A7
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_64B3A7
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_64B3A7:				; CODE XREF: PopFxRemoveDevice(x,x)+6Ej
					; PopFxRemoveDevice(x,x)+1E7j ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		leave
		retn
; 

loc_64B3B7:				; CODE XREF: PopFxRemoveDevice(x,x)+2Dj
					; PopFxRemoveDevice(x,x)+38j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PopFxRemoveDevice@8 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxRequestCommon(x, x)
_PopFxRequestCommon@8 proc near		; DATA XREF: PopFxRegisterPluginEx(x,x,x,x)+3A9o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	[ebp+arg_0], 1
		jz	short loc_64B3CE
		mov	eax, 0C00000BBh
		jmp	short loc_64B3D9
; 

loc_64B3CE:				; CODE XREF: PopFxRequestCommon(x,x)+9j
		mov	edx, [ebp+arg_4]
		xor	ecx, ecx
		inc	ecx
		call	_PopFxAcpiForwardRequestCommon@8 ; PopFxAcpiForwardRequestCommon(x,x)

loc_64B3D9:				; CODE XREF: PopFxRequestCommon(x,x)+10j
		pop	ebp
		retn	8
_PopFxRequestCommon@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxResumeDeviceAccounting()
_PopFxResumeDeviceAccounting@0 proc near ; CODE	XREF: PdcPoCurrentPdcPhase(x,x,x)+6Ap
					; PopPdcIdleResiliencyCallback(x,x)+6Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		call	KeQueryInterruptTime
		mov	esi, ds:_PopFxDeviceList
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx
		cmp	esi, offset _PopFxDeviceList
		jz	loc_64B518
		push	edi

loc_64B421:				; CODE XREF: PopFxResumeDeviceAccounting()+12Fj
		cmp	dword ptr [esi+1Ch], 0
		jz	loc_64B504
		mov	eax, ds:_PopFxDeviceAccountingLevel
		test	eax, eax
		jns	short loc_64B48D
		lea	edi, [esi+160h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	60h		; size_t
		lea	ecx, [edi+78h]
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		cmp	byte ptr [edi+4], 0
		jz	short loc_64B46B
		mov	eax, [ebp+var_8]
		mov	[edi+10h], eax
		mov	eax, [ebp+var_C]
		mov	[edi+14h], eax

loc_64B46B:				; CODE XREF: PopFxResumeDeviceAccounting()+80j
		test	ds:byte_70EFC6,	1
		jz	short loc_64B480
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64B485
; 

loc_64B480:				; CODE XREF: PopFxResumeDeviceAccounting()+95j
		xor	eax, eax
		lock and [edi],	eax

loc_64B485:				; CODE XREF: PopFxResumeDeviceAccounting()+A1j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_64B48D:				; CODE XREF: PopFxResumeDeviceAccounting()+55j
		xor	ebx, ebx
		cmp	[esi+23Ch], ebx
		jbe	short loc_64B504

loc_64B497:				; CODE XREF: PopFxResumeDeviceAccounting()+125j
		mov	eax, [esi+240h]
		mov	edi, [eax+ebx*4]
		add	edi, 90h
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	60h		; size_t
		lea	ecx, [edi+78h]
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		cmp	byte ptr [edi+4], 0
		jz	short loc_64B4D8
		mov	eax, [ebp+var_8]
		mov	[edi+10h], eax
		mov	eax, [ebp+var_C]
		mov	[edi+14h], eax

loc_64B4D8:				; CODE XREF: PopFxResumeDeviceAccounting()+EDj
		test	ds:byte_70EFC6,	1
		jz	short loc_64B4ED
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64B4F2
; 

loc_64B4ED:				; CODE XREF: PopFxResumeDeviceAccounting()+102j
		xor	eax, eax
		lock and [edi],	eax

loc_64B4F2:				; CODE XREF: PopFxResumeDeviceAccounting()+10Ej
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	ebx
		cmp	ebx, [esi+23Ch]
		jb	short loc_64B497

loc_64B504:				; CODE XREF: PopFxResumeDeviceAccounting()+48j
					; PopFxResumeDeviceAccounting()+B8j
		mov	esi, [esi]
		cmp	esi, offset _PopFxDeviceList
		jnz	loc_64B421
		mov	ebx, offset _PopFxDeviceListLock
		pop	edi

loc_64B518:				; CODE XREF: PopFxResumeDeviceAccounting()+3Dj
		mov	cl, 1
		call	_PopFxSetGlobalDeviceAccountingEnabled@4 ; PopFxSetGlobalDeviceAccountingEnabled(x)
		push	11h
		mov	ds:_PopFxDeviceAccountingPaused, 0
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_64B53B
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_64B53B:				; CODE XREF: PopFxResumeDeviceAccounting()+155j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi
		pop	ebx
		leave
		retn
_PopFxResumeDeviceAccounting@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxSetDeviceAccountingCsPlatformState(x)
_PopFxSetDeviceAccountingCsPlatformState@4 proc	near
					; CODE XREF: PopFxEnablePlatformStates(x)+21p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		xor	edx, edx
		push	ebx
		mov	ebx, ecx
		xor	eax, eax
		mov	[ebp+var_14], ebx
		mov	ecx, offset _PopFxDeviceAccountingLevel
		lock cmpxchg [ecx], edx
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_64B57E
		jns	loc_64B7B5

loc_64B57E:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+24j
		mov	ecx, large fs:124h
		push	esi
		push	edi
		dec	word ptr [ecx+13Ch]
		nop
		mov	esi, offset _PopFxDeviceListLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	edi, ds:_PopFxDeviceList
		cmp	edi, offset _PopFxDeviceList
		jz	loc_64B771

loc_64B5AF:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+214j
		mov	eax, [edi+1Ch]
		test	eax, eax
		jz	loc_64B75E
		mov	eax, [eax+10h]
		xor	dl, dl
		push	0
		mov	ecx, eax
		mov	[ebp+var_18], eax
		call	PopFxActivateDevice
		mov	ecx, [edi+20h]
		lea	eax, [ebp+var_8]
		push	0
		push	eax
		push	1
		mov	edx, ebx
		call	_PopPepGetMinimumDevicePowerState@20 ; PopPepGetMinimumDevicePowerState(x,x,x,x,x)
		mov	bl, al
		lea	esi, [edi+160h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_C]
		lea	ecx, [esi+18h]
		push	0C0h		; size_t
		push	0		; int
		push	ecx		; void *
		mov	[esi+0Ch], eax
		call	_memset
		add	esp, 0Ch
		test	bl, bl
		jz	short loc_64B639
		mov	eax, [ebp+var_8]
		cmp	eax, 1
		jle	short loc_64B639
		mov	[esi+8], eax
		mov	byte ptr [esi+4], 1
		call	KeQueryInterruptTime
		push	10h
		mov	[esi+10h], eax
		lea	eax, [edi+238h]
		mov	[esi+14h], edx
		pop	ecx
		lock or	[eax], ecx
		jmp	short loc_64B644
; 

loc_64B639:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+BDj
					; PopFxSetDeviceAccountingCsPlatformState(x)+C5j
		xor	eax, eax
		mov	[esi+4], al
		mov	[esi+10h], eax
		mov	[esi+14h], eax

loc_64B644:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+E5j
		test	ds:byte_70EFC6,	1
		jz	short loc_64B659
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64B65E
; 

loc_64B659:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+F9j
		xor	eax, eax
		lock and [esi],	eax

loc_64B65E:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+105j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	ecx, ecx
		xor	bh, bh
		mov	[ebp+var_10], ecx
		cmp	[edi+23Ch], ecx
		jbe	loc_64B745

loc_64B679:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+1D9j
		mov	eax, [edi+240h]
		mov	edx, ecx
		mov	esi, [eax+ecx*4]
		lea	eax, [ebp+var_8]
		mov	ecx, [edi+20h]
		push	eax
		push	[ebp+var_14]
		call	_PopPepGetMinimumComponentIdleState@16 ; PopPepGetMinimumComponentIdleState(x,x,x,x)
		mov	bl, al
		add	esi, 90h
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[ebp-1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_C]
		lea	ecx, [esi+18h]
		push	0C0h		; size_t
		push	0		; int
		push	ecx		; void *
		mov	[esi+0Ch], eax
		call	_memset
		add	esp, 0Ch
		test	bl, bl
		jz	short loc_64B6F0
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_64B6F0
		mov	bh, 1
		mov	[esi+8], eax
		mov	[esi+4], bh
		call	KeQueryInterruptTime
		push	10h
		mov	[esi+10h], eax
		lea	eax, [edi+238h]
		mov	[esi+14h], edx
		pop	ecx
		lock or	[eax], ecx
		jmp	short loc_64B6FB
; 

loc_64B6F0:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+174j
					; PopFxSetDeviceAccountingCsPlatformState(x)+17Bj
		xor	eax, eax
		mov	[esi+4], al
		mov	[esi+10h], eax
		mov	[esi+14h], eax

loc_64B6FB:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+19Cj
		test	ds:byte_70EFC6,	1
		jz	short loc_64B710
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64B715
; 

loc_64B710:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+1B0j
		xor	eax, eax
		lock and [esi],	eax

loc_64B715:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+1BCj
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_10]
		inc	ecx
		mov	[ebp+var_10], ecx
		cmp	ecx, [edi+23Ch]
		jb	loc_64B679
		test	bh, bh
		jz	short loc_64B745
		mov	ecx, 100h
		lea	eax, [edi+238h]
		lock or	[eax], ecx
		jmp	short loc_64B753
; 

loc_64B745:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+121j
					; PopFxSetDeviceAccountingCsPlatformState(x)+1E1j
		mov	ecx, 0FFFFFEFFh
		lea	eax, [edi+238h]
		lock and [eax],	ecx

loc_64B753:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+1F1j
		mov	ecx, [ebp+var_18]
		call	PoFxIdleDevice
		mov	ebx, [ebp+var_14]

loc_64B75E:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+62j
		mov	edi, [edi]
		cmp	edi, offset _PopFxDeviceList
		jnz	loc_64B5AF
		mov	esi, offset _PopFxDeviceListLock

loc_64B771:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+57j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_64B786
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_64B786:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+22Bj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax
		mov	[ebp+var_2], 1
		push	eax
		push	eax
		push	eax
		push	eax
		push	1
		lea	eax, [ebp+var_2]
		push	eax
		push	offset _WNF_PO_DRIPS_DEVICE_CONSTRAINTS_REGISTERED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		pop	edi
		pop	esi

loc_64B7B5:				; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+26j
		pop	ebx
		leave
		retn
_PopFxSetDeviceAccountingCsPlatformState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxSetDripsBlockedByDeviceActivity(x)
_PopFxSetDripsBlockedByDeviceActivity@4	proc near
					; CODE XREF: PopFxPlatformStateAvailable(x,x)+20p
					; PopFxPlatformStateAvailable(x,x)+3Fp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	bl, cl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopFxGlobalDeviceAccountingLock
		mov	bh, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	ds:byte_6C3AA1,	0
		jz	short loc_64B807
		cmp	ds:_PopFxGlobalDeviceAccountingInfo, bl
		jz	short loc_64B81C
		call	KeQueryInterruptTime
		test	bl, bl
		jz	short loc_64B7FC
		mov	ds:dword_6C3AA8, eax
		mov	ds:dword_6C3AAC, edx
		jmp	short loc_64B807
; 

loc_64B7FC:				; CODE XREF: PopFxSetDripsBlockedByDeviceActivity(x)+35j
		push	0
		push	0
		push	edx
		push	eax
		call	_PopFxUpdateGlobalDeviceAccountingInfo@16 ; PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)

loc_64B807:				; CODE XREF: PopFxSetDripsBlockedByDeviceActivity(x)+24j
					; PopFxSetDripsBlockedByDeviceActivity(x)+42j
		cmp	ds:_PopFxGlobalDeviceAccountingInfo, bl
		jz	short loc_64B81C
		mov	cl, bl
		mov	ds:_PopFxGlobalDeviceAccountingInfo, bl
		call	_PopFxUpdateDeviceIRPhaseAccounting@4 ;	PopFxUpdateDeviceIRPhaseAccounting(x)

loc_64B81C:				; CODE XREF: PopFxSetDripsBlockedByDeviceActivity(x)+2Cj
					; PopFxSetDripsBlockedByDeviceActivity(x)+55j
		test	ds:byte_70EFC6,	1
		jz	short loc_64B831
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64B836
; 

loc_64B831:				; CODE XREF: PopFxSetDripsBlockedByDeviceActivity(x)+6Bj
		xor	eax, eax
		lock and [esi],	eax

loc_64B836:				; CODE XREF: PopFxSetDripsBlockedByDeviceActivity(x)+77j
		pop	esi
		mov	cl, bh
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_PopFxSetDripsBlockedByDeviceActivity@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxSetGlobalDeviceAccountingEnabled(x)
_PopFxSetGlobalDeviceAccountingEnabled@4 proc near
					; CODE XREF: PopFxPauseDeviceAccounting()+12Bp
					; PopFxResumeDeviceAccounting()+13Dp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	bl, cl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopFxGlobalDeviceAccountingLock
		mov	bh, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		call	KeQueryInterruptTime
		test	bl, bl
		jz	short loc_64B88D
		cmp	ds:_PopFxGlobalDeviceAccountingInfo, 0
		jz	short loc_64B87D
		mov	ds:dword_6C3AA8, eax
		mov	ds:dword_6C3AAC, edx
		jmp	short loc_64B8A4
; 

loc_64B87D:				; CODE XREF: PopFxSetGlobalDeviceAccountingEnabled(x)+2Dj
		add	ds:dword_6C3AC0, 1
		adc	ds:dword_6C3AC4, 0
		jmp	short loc_64B8A4
; 

loc_64B88D:				; CODE XREF: PopFxSetGlobalDeviceAccountingEnabled(x)+24j
		cmp	ds:_PopFxGlobalDeviceAccountingInfo, 0
		jz	short loc_64B8A4
		push	0
		push	47868C00h
		push	edx
		push	eax
		call	_PopFxUpdateGlobalDeviceAccountingInfo@16 ; PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)

loc_64B8A4:				; CODE XREF: PopFxSetGlobalDeviceAccountingEnabled(x)+3Aj
					; PopFxSetGlobalDeviceAccountingEnabled(x)+4Aj	...
		test	ds:byte_70EFC6,	1
		mov	ds:byte_6C3AA1,	bl
		jz	short loc_64B8BF
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64B8C4
; 

loc_64B8BF:				; CODE XREF: PopFxSetGlobalDeviceAccountingEnabled(x)+70j
		xor	eax, eax
		lock and [esi],	eax

loc_64B8C4:				; CODE XREF: PopFxSetGlobalDeviceAccountingEnabled(x)+7Cj
		pop	esi
		mov	cl, bh
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_PopFxSetGlobalDeviceAccountingEnabled@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxStartDeviceAccounting()
_PopFxStartDeviceAccounting@0 proc near	; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x):loc_6514B4p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		cmp	ds:_PopFxDeviceAccountingLevel,	edi
		jz	loc_64BA9E
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopFxDeviceListLock
		call	ExAcquirePushLockSharedEx
		call	KeQueryInterruptTime
		mov	esi, ds:_PopFxDeviceList
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx
		jmp	loc_64BA07
; 

loc_64B918:				; CODE XREF: PopFxStartDeviceAccounting()+13Ej
		cmp	dword ptr [esi+1Ch], 0
		jz	loc_64BA05
		mov	eax, ds:_PopFxDeviceAccountingLevel
		test	eax, eax
		jns	short loc_64B989
		lea	edi, [esi+160h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	0C0h		; size_t
		lea	ecx, [edi+18h]
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		cmp	byte ptr [edi+4], 0
		jz	short loc_64B965
		mov	eax, [ebp+var_8]
		mov	[edi+10h], eax
		mov	eax, [ebp+var_C]
		mov	[edi+14h], eax

loc_64B965:				; CODE XREF: PopFxStartDeviceAccounting()+88j
		test	ds:byte_70EFC6,	1
		jz	short loc_64B97A
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64B97F
; 

loc_64B97A:				; CODE XREF: PopFxStartDeviceAccounting()+9Dj
		xor	eax, eax
		lock and [edi],	eax

loc_64B97F:				; CODE XREF: PopFxStartDeviceAccounting()+A9j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	edi, edi

loc_64B989:				; CODE XREF: PopFxStartDeviceAccounting()+5Aj
		mov	ebx, edi
		cmp	[esi+23Ch], edi
		jbe	short loc_64BA05

loc_64B993:				; CODE XREF: PopFxStartDeviceAccounting()+132j
		mov	eax, [esi+240h]
		mov	edi, [eax+ebx*4]
		add	edi, 90h
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	0C0h		; size_t
		lea	ecx, [edi+18h]
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		cmp	byte ptr [edi+4], 0
		jz	short loc_64B9D7
		mov	eax, [ebp+var_8]
		mov	[edi+10h], eax
		mov	eax, [ebp+var_C]
		mov	[edi+14h], eax

loc_64B9D7:				; CODE XREF: PopFxStartDeviceAccounting()+FAj
		test	ds:byte_70EFC6,	1
		jz	short loc_64B9EC
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64B9F1
; 

loc_64B9EC:				; CODE XREF: PopFxStartDeviceAccounting()+10Fj
		xor	eax, eax
		lock and [edi],	eax

loc_64B9F1:				; CODE XREF: PopFxStartDeviceAccounting()+11Bj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		inc	ebx
		cmp	ebx, [esi+23Ch]
		jb	short loc_64B993
		xor	edi, edi

loc_64BA05:				; CODE XREF: PopFxStartDeviceAccounting()+4Dj
					; PopFxStartDeviceAccounting()+C2j
		mov	esi, [esi]

loc_64BA07:				; CODE XREF: PopFxStartDeviceAccounting()+44j
		cmp	esi, offset _PopFxDeviceList
		jnz	loc_64B918
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopFxGlobalDeviceAccountingLock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	50h		; size_t
		push	edi		; int
		push	offset dword_6C3AC0 ; void *
		mov	ds:dword_6C3AB0, edi
		mov	ds:dword_6C3AB4, edi
		mov	ds:dword_6C3AB8, edi
		mov	ds:dword_6C3ABC, edi
		call	_memset
		add	esp, 0Ch
		test	ds:byte_70EFC6,	1
		jz	short loc_64BA64
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64BA69
; 

loc_64BA64:				; CODE XREF: PopFxStartDeviceAccounting()+187j
		xor	eax, eax
		lock and [esi],	eax

loc_64BA69:				; CODE XREF: PopFxStartDeviceAccounting()+193j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	11h
		xor	edx, edx
		mov	esi, offset _PopFxDeviceListLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_64BA8B
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_64BA8B:				; CODE XREF: PopFxStartDeviceAccounting()+1B3j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_64BA9E:				; CODE XREF: PopFxStartDeviceAccounting()+13j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopFxStartDeviceAccounting@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxStopDeviceAccounting()
_PopFxStopDeviceAccounting@0 proc near	; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+518p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_59		= byte ptr -59h
var_58		= dword	ptr -58h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_78], 0
		and	[ebp+var_74], 0
		cmp	ds:_PopFxDeviceAccountingLevel,	0
		push	ebx
		push	esi
		push	edi
		jz	loc_64BD0C
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopFxDeviceListLock
		call	ExAcquirePushLockSharedEx
		call	KeQueryInterruptTime
		mov	esi, ds:_PopFxDeviceList
		mov	[ebp+var_60], eax
		mov	[ebp+var_70], edx
		jmp	loc_64BC4B
; 

loc_64BAFD:				; CODE XREF: PopFxStopDeviceAccounting()+1AEj
		mov	eax, [esi+1Ch]
		mov	[ebp+var_68], eax
		test	eax, eax
		jz	loc_64BC49
		cmp	dword ptr [esi+30Ch], 0
		jnz	short loc_64BB27
		push	offset ??_C@_11LOCGONAA@@FNODOBFM@
		lea	eax, [ebp+var_78]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	ebx, [ebp+var_78]
		jmp	short loc_64BB2D
; 

loc_64BB27:				; CODE XREF: PopFxStopDeviceAccounting()+6Fj
		lea	ebx, [esi+308h]

loc_64BB2D:				; CODE XREF: PopFxStopDeviceAccounting()+82j
		mov	eax, ds:_PopFxDeviceAccountingLevel
		mov	[ebp+var_64], ebx
		test	eax, eax
		jns	short loc_64BBAA
		lea	edi, [esi+160h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	[ebp+var_59], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_PopFxDeviceAccountingLevel
		test	cl, 1
		jz	short loc_64BB73
		push	0
		push	47868C00h
		push	[ebp+var_70]
		mov	ecx, edi
		push	[ebp+var_60]
		call	PopFxUpdateAccountingActiveTime
		call	_PopFxMergeActiveTimeAccounting@4 ; PopFxMergeActiveTimeAccounting(x)

loc_64BB73:				; CODE XREF: PopFxStopDeviceAccounting()+B5j
		test	ds:byte_70EFC6,	1
		jz	short loc_64BB88
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64BB8D
; 

loc_64BB88:				; CODE XREF: PopFxStopDeviceAccounting()+D7j
		xor	eax, eax
		lock and [edi],	eax

loc_64BB8D:				; CODE XREF: PopFxStopDeviceAccounting()+E3j
		mov	cl, [ebp+var_59]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [edi+18h]
		mov	edx, edi
		mov	eax, [edi+1Ch]
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_68]
		push	ebx
		call	_PopDiagTraceFxDeviceAccounting@24 ; PopDiagTraceFxDeviceAccounting(x,x,x,x,x,x)

loc_64BBAA:				; CODE XREF: PopFxStopDeviceAccounting()+94j
		xor	ebx, ebx
		cmp	[esi+23Ch], ebx
		jbe	loc_64BC49

loc_64BBB8:				; CODE XREF: PopFxStopDeviceAccounting()+1A0j
		mov	eax, [esi+240h]
		mov	eax, [eax+ebx*4]
		mov	[ebp+var_6C], eax
		lea	edi, [eax+90h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	[ebp+var_59], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_PopFxDeviceAccountingLevel
		test	cl, 1
		jz	short loc_64BBFE
		push	0
		push	47868C00h
		push	[ebp+var_70]
		mov	ecx, edi
		push	[ebp+var_60]
		call	PopFxUpdateAccountingActiveTime
		call	_PopFxMergeActiveTimeAccounting@4 ; PopFxMergeActiveTimeAccounting(x)

loc_64BBFE:				; CODE XREF: PopFxStopDeviceAccounting()+140j
		test	ds:byte_70EFC6,	1
		jz	short loc_64BC13
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64BC18
; 

loc_64BC13:				; CODE XREF: PopFxStopDeviceAccounting()+162j
		xor	eax, eax
		lock and [edi],	eax

loc_64BC18:				; CODE XREF: PopFxStopDeviceAccounting()+16Ej
		mov	cl, [ebp+var_59]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [edi+18h]
		mov	eax, [edi+1Ch]
		mov	edx, [ebp+var_6C]
		push	ecx
		push	eax
		push	ecx
		push	[ebp+var_64]
		mov	edx, [edx+10h]
		mov	ecx, [ebp+var_68]
		push	edi
		call	_PopDiagTraceFxComponentAccounting@28 ;	PopDiagTraceFxComponentAccounting(x,x,x,x,x,x,x)
		inc	ebx
		cmp	ebx, [esi+23Ch]
		jb	loc_64BBB8

loc_64BC49:				; CODE XREF: PopFxStopDeviceAccounting()+62j
					; PopFxStopDeviceAccounting()+10Fj
		mov	esi, [esi]

loc_64BC4B:				; CODE XREF: PopFxStopDeviceAccounting()+55j
		cmp	esi, offset _PopFxDeviceList
		jnz	loc_64BAFD
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopFxGlobalDeviceAccountingLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		lea	edi, [ebp+var_58]
		mov	eax, ds:dword_6C3AB0
		mov	esi, offset dword_6C3AC0
		push	0Ah
		pop	ecx
		rep movsd
		mov	[ebp+var_60], eax
		lea	edi, [ebp+var_30]
		mov	eax, ds:dword_6C3AB4
		mov	esi, offset dword_6C3AE8
		push	0Ah
		mov	[ebp+var_64], eax
		mov	eax, ds:dword_6C3AB8
		pop	ecx
		mov	[ebp+var_68], eax
		mov	eax, ds:dword_6C3ABC
		rep movsd
		mov	[ebp+var_6C], eax
		mov	ecx, offset _PopFxGlobalDeviceAccountingLock
		jz	short loc_64BCBB
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64BCC0
; 

loc_64BCBB:				; CODE XREF: PopFxStopDeviceAccounting()+20Cj
		xor	eax, eax
		lock and [ecx],	eax

loc_64BCC0:				; CODE XREF: PopFxStopDeviceAccounting()+216j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	[ebp+var_6C]
		lea	edx, [ebp+var_30]
		push	[ebp+var_68]
		lea	ecx, [ebp+var_58]
		push	[ebp+var_64]
		push	[ebp+var_60]
		call	_PopDiagTraceFxGlobalDeviceAccounting@24 ; PopDiagTraceFxGlobalDeviceAccounting(x,x,x,x,x,x)
		push	11h
		xor	edx, edx
		mov	esi, offset _PopFxDeviceListLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_64BCF9
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_64BCF9:				; CODE XREF: PopFxStopDeviceAccounting()+24Dj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_64BD0C:				; CODE XREF: PopFxStopDeviceAccounting()+24j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopFxStopDeviceAccounting@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxTransitionCriticalResource(x, x, x)
_PopFxTransitionCriticalResource@12 proc near
					; DATA XREF: PopFxRegisterPluginEx(x,x,x,x)+36Ao

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ecx, ecx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+240h]
		mov	esi, [eax+esi*4]
		lea	eax, [esi+34h]
		mov	[ebp+var_4], eax
		lea	edx, [eax+4]
		xor	eax, eax
		lock cmpxchg [edx], ecx
		mov	ebx, eax
		mov	eax, [ebp+arg_8]
		test	al, al
		jz	short loc_64BD6D
		test	bl, 1
		jnz	short loc_64BD66
		mov	ecx, [edx]
		movzx	eax, al
		push	eax
		push	ecx

loc_64BD5A:				; CODE XREF: PopFxTransitionCriticalResource(x,x,x)+5Cj
		mov	edx, esi
		mov	ecx, 606h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_64BD66:				; CODE XREF: PopFxTransitionCriticalResource(x,x,x)+36j
		mov	edx, ebx
		and	edx, 0FFFFFFFEh
		jmp	short loc_64BD7E
; 

loc_64BD6D:				; CODE XREF: PopFxTransitionCriticalResource(x,x,x)+31j
		test	bl, 1
		jz	short loc_64BD79
		mov	eax, [edx]
		push	0

loc_64BD76:				; CODE XREF: PopFxTransitionCriticalResource(x,x,x)+7Cj
		push	eax
		jmp	short loc_64BD5A
; 

loc_64BD79:				; CODE XREF: PopFxTransitionCriticalResource(x,x,x)+55j
		mov	edx, ebx
		or	edx, 1

loc_64BD7E:				; CODE XREF: PopFxTransitionCriticalResource(x,x,x)+50j
		mov	edi, [ebp+var_4]
		mov	ecx, edx
		mov	eax, ebx
		add	edi, 4
		lock cmpxchg [edi], ecx
		mov	edi, [ebp+arg_0]
		cmp	eax, ebx
		jz	short loc_64BD99
		push	edx
		lea	eax, [esi+34h]
		jmp	short loc_64BD76
; 

loc_64BD99:				; CODE XREF: PopFxTransitionCriticalResource(x,x,x)+76j
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	dword ptr [edi+64h]
		call	dword ptr [edi+54h]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PopFxTransitionCriticalResource@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxUpdateComponentPerfStateNominalChange(x, x, x,	x)
_PopFxUpdateComponentPerfStateNominalChange@16 proc near
					; CODE XREF: PopPepDeviceDState+84BABp
					; IopfCallDriver+849FFp

var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, [ecx+240h]
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[esp+24h+var_10], ecx
		mov	edx, [eax+edx*4]
		push	edi
		mov	[esp+28h+var_8], ebx
		mov	edi, ebx
		mov	[esp+28h+var_4], ebx
		mov	esi, [edx+168h]
		mov	[esp+28h+var_15], bl
		mov	[esp+28h+var_C], edx
		mov	eax, [esi+1Ch]
		mov	[esp+28h+var_14], eax
		cmp	[esi+54h], ebx
		jbe	short loc_64BE57

loc_64BDED:				; CODE XREF: PopFxUpdateComponentPerfStateNominalChange(x,x,x,x)+82j
		lea	eax, [esp+13h]
		push	eax
		lea	eax, [esp+2Ch+var_8]
		push	eax
		push	1
		push	edi
		call	_PopFxQueryCurrentComponentPerfState@24	; PopFxQueryCurrentComponentPerfState(x,x,x,x,x,x)
		cmp	[esp+28h+var_15], 0
		jz	short loc_64BE22
		mov	ecx, [esp+28h+var_14]
		inc	ebx
		mov	eax, [esp+28h+var_8]
		mov	[ecx+8], eax
		mov	eax, [esp+28h+var_4]
		mov	[ecx], edi
		mov	[ecx+0Ch], eax
		add	ecx, 10h
		mov	[esp+28h+var_14], ecx

loc_64BE22:				; CODE XREF: PopFxUpdateComponentPerfStateNominalChange(x,x,x,x)+58j
		mov	ecx, [esp+28h+var_10]
		inc	edi
		mov	edx, [esp+28h+var_C]
		cmp	edi, [esi+54h]
		jb	short loc_64BDED
		test	ebx, ebx
		jz	short loc_64BE57
		mov	[esi+20h], ebx
		call	KeQueryInterruptTime
		push	dword ptr [esi+1Ch]
		mov	[esi+2Ch], edx
		mov	ecx, esi
		mov	dl, [ebp+arg_0]
		push	ebx
		push	[ebp+arg_4]
		mov	[esi+28h], eax
		mov	byte ptr [esi+30h], 1
		call	_PopDiagTraceFxPerfNominalChange@20 ; PopDiagTraceFxPerfNominalChange(x,x,x,x,x)

loc_64BE57:				; CODE XREF: PopFxUpdateComponentPerfStateNominalChange(x,x,x,x)+3Fj
					; PopFxUpdateComponentPerfStateNominalChange(x,x,x,x)+86j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_PopFxUpdateComponentPerfStateNominalChange@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxUpdateDeviceIRPhaseAccounting(x)
_PopFxUpdateDeviceIRPhaseAccounting@4 proc near
					; CODE XREF: PopFxSetDripsBlockedByDeviceActivity(x)+5Fp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	bh, cl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopCsResiliencyStatsLock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	ds:byte_6C23D8,	0
		jz	short loc_64BEA6
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		test	bh, bh
		jz	short loc_64BE9F
		mov	ds:dword_6C23D0, eax
		mov	ds:dword_6C23D4, edx
		jmp	short loc_64BEA6
; 

loc_64BE9F:				; CODE XREF: PopFxUpdateDeviceIRPhaseAccounting(x)+30j
		push	edx
		push	eax
		call	_PopFxAccumulateDeviceIRPhaseAccounting@8 ; PopFxAccumulateDeviceIRPhaseAccounting(x,x)

loc_64BEA6:				; CODE XREF: PopFxUpdateDeviceIRPhaseAccounting(x)+24j
					; PopFxUpdateDeviceIRPhaseAccounting(x)+3Dj
		test	ds:byte_70EFC6,	1
		jz	short loc_64BEBB
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64BEC0
; 

loc_64BEBB:				; CODE XREF: PopFxUpdateDeviceIRPhaseAccounting(x)+4Dj
		xor	eax, eax
		lock and [esi],	eax

loc_64BEC0:				; CODE XREF: PopFxUpdateDeviceIRPhaseAccounting(x)+59j
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_PopFxUpdateDeviceIRPhaseAccounting@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxUpdateGlobalDeviceAccountingInfo(x, x,	x, x)
_PopFxUpdateGlobalDeviceAccountingInfo@16 proc near
					; CODE XREF: PopFxSetDripsBlockedByDeviceActivity(x)+4Ap
					; PopFxSetGlobalDeviceAccountingEnabled(x)+5Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	eax, ds:dword_6C3AA8
		push	esi
		mov	esi, ds:dword_6C3AAC
		cmp	esi, edx
		ja	loc_64BF6A
		mov	ecx, [ebp+arg_0]
		jb	short loc_64BEF0
		cmp	eax, ecx
		jnb	short loc_64BF6A

loc_64BEF0:				; CODE XREF: PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+1Fj
		sub	ecx, eax
		sbb	edx, esi
		add	ds:dword_6C3AB0, ecx
		adc	ds:dword_6C3AB4, edx
		cmp	edx, [ebp+arg_C]
		jb	short loc_64BF5E
		ja	short loc_64BF0C
		cmp	ecx, [ebp+arg_8]
		jb	short loc_64BF5E

loc_64BF0C:				; CODE XREF: PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+3Aj
		xor	eax, eax

loc_64BF0E:				; CODE XREF: PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+6Fj
		cmp	edx, ds:dword_40B74C[eax*8]
		jb	short loc_64BF36
		ja	short loc_64BF22
		cmp	ecx, ds:_PopFxAccountingBucketLimits[eax*8]
		jb	short loc_64BF36

loc_64BF22:				; CODE XREF: PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+4Cj
		cmp	edx, ds:dword_40B754[eax*8]
		jb	short loc_64BF3E
		ja	short loc_64BF36
		cmp	ecx, ds:dword_40B750[eax*8]
		jb	short loc_64BF3E

loc_64BF36:				; CODE XREF: PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+4Aj
					; PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+55j ...
		inc	eax
		cmp	eax, 5
		jb	short loc_64BF0E
		jmp	short loc_64BF6A
; 

loc_64BF3E:				; CODE XREF: PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+5Ej
					; PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+69j
		add	ds:dword_6C3AC0[eax*8],	1
		adc	ds:dword_6C3AC4[eax*8],	0
		add	ds:dword_6C3AE8[eax*8],	ecx
		adc	ds:dword_6C3AEC[eax*8],	edx
		jmp	short loc_64BF6A
; 

loc_64BF5E:				; CODE XREF: PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+38j
					; PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+3Fj
		add	ds:dword_6C3AB8, ecx
		adc	ds:dword_6C3ABC, edx

loc_64BF6A:				; CODE XREF: PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+16j
					; PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+23j ...
		pop	esi
		pop	ebp
		retn	10h
_PopFxUpdateGlobalDeviceAccountingInfo@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxUpdatePlatformIdleState(x, x, x)
_PopFxUpdatePlatformIdleState@12 proc near ; DATA XREF:	PopFxRegisterPluginEx(x,x,x,x)+394o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		cmp	dword ptr [ecx], 1
		jnb	short loc_64BF98
		mov	edi, 0C00000BBh
		jmp	loc_64C01A
; 

loc_64BF98:				; CODE XREF: PopFxUpdatePlatformIdleState(x,x,x)+1Dj
		xor	edx, edx
		mov	edi, 0C0000002h
		cmp	[esi+50h], edx
		jz	short loc_64C01A
		push	ebx
		lea	ebx, [esi+80h]
		lock inc dword ptr [ebx]
		cmp	[esi+7Ch], dl
		jz	short loc_64BFD1
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		jnz	short loc_64BFCA
		push	edx
		push	edx
		lea	eax, [esi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_64BFCA:				; CODE XREF: PopFxUpdatePlatformIdleState(x,x,x)+4Bj
		mov	edi, 0C0000056h
		jmp	short loc_64C019
; 

loc_64BFD1:				; CODE XREF: PopFxUpdatePlatformIdleState(x,x,x)+42j
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_C], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	edx
		push	edx
		push	0Ch
		lea	eax, [ebp+var_10]
		mov	[ebp+var_14], edx
		push	eax
		push	(offset	loc_42E057+1)
		push	dword ptr [esi+64h]
		call	dword ptr [esi+50h]
		mov	edi, eax
		or	ecx, 0FFFFFFFFh
		lock xadd [ebx], ecx
		dec	ecx
		jnz	short loc_64C019
		push	0
		push	0
		lea	ecx, [esi+84h]
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_64C019:				; CODE XREF: PopFxUpdatePlatformIdleState(x,x,x)+60j
					; PopFxUpdatePlatformIdleState(x,x,x)+98j
		pop	ebx

loc_64C01A:				; CODE XREF: PopFxUpdatePlatformIdleState(x,x,x)+24j
					; PopFxUpdatePlatformIdleState(x,x,x)+33j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PopFxUpdatePlatformIdleState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxUpdateProcessorIdleState(x, x,	x)
_PopFxUpdateProcessorIdleState@12 proc near ; DATA XREF: PopFxRegisterPluginEx(x,x,x,x)+38Do

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		cmp	dword ptr [ecx], 1
		jnb	short loc_64C055
		mov	edi, 0C00000BBh
		jmp	loc_64C0D7
; 

loc_64C055:				; CODE XREF: PopFxUpdateProcessorIdleState(x,x,x)+1Dj
		xor	edx, edx
		mov	edi, 0C0000002h
		cmp	[esi+50h], edx
		jz	short loc_64C0D7
		push	ebx
		lea	ebx, [esi+80h]
		lock inc dword ptr [ebx]
		cmp	[esi+7Ch], dl
		jz	short loc_64C08E
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		jnz	short loc_64C087
		push	edx
		push	edx
		lea	eax, [esi+84h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_64C087:				; CODE XREF: PopFxUpdateProcessorIdleState(x,x,x)+4Bj
		mov	edi, 0C0000056h
		jmp	short loc_64C0D6
; 

loc_64C08E:				; CODE XREF: PopFxUpdateProcessorIdleState(x,x,x)+42j
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_C], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	edx
		push	edx
		push	0Ch
		lea	eax, [ebp+var_10]
		mov	[ebp+var_14], edx
		push	eax
		push	offset _GUID_PROCESSOR_IDLE_UPDATE
		push	dword ptr [esi+64h]
		call	dword ptr [esi+50h]
		mov	edi, eax
		or	ecx, 0FFFFFFFFh
		lock xadd [ebx], ecx
		dec	ecx
		jnz	short loc_64C0D6
		push	0
		push	0
		lea	ecx, [esi+84h]
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_64C0D6:				; CODE XREF: PopFxUpdateProcessorIdleState(x,x,x)+60j
					; PopFxUpdateProcessorIdleState(x,x,x)+98j
		pop	ebx

loc_64C0D7:				; CODE XREF: PopFxUpdateProcessorIdleState(x,x,x)+24j
					; PopFxUpdateProcessorIdleState(x,x,x)+33j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PopFxUpdateProcessorIdleState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxWorkOrderWatchdog(x, x, x, x)
_PopFxWorkOrderWatchdog@16 proc	near	; DATA XREF: PopFxDispatchPluginWorkOnce+59o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		test	edx, edx
		jz	short loc_64C0FA
		mov	eax, [edx+60h]

loc_64C0FA:				; CODE XREF: PopFxWorkOrderWatchdog(x,x,x,x)+Cj
		push	0
		push	eax
		mov	ecx, 618h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
		int	3		; Trap to Debugger
_PopFxWorkOrderWatchdog@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginAbandonDevice(x, x)
_PopPluginAbandonDevice@8 proc near	; CODE XREF: PoFxAbandonDevice(x)+39p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	eax
		push	2
		call	dword ptr [esi+40h]
		test	al, al
		jz	short loc_64C12C
		mov	al, byte ptr [ebp+var_4]
		pop	esi
		leave
		retn
; 

loc_64C12C:				; CODE XREF: PopPluginAbandonDevice(x,x)+1Cj
		push	0
		push	esi
		push	2
		pop	edx
		mov	ecx, 605h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
		int	3		; Trap to Debugger
_PopPluginAbandonDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginNotifyActive(x, x,	x)
_PopPluginNotifyActive@12 proc near	; CODE XREF: PopPluginDevicePower+EFE6Fp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, [ecx+24h]
		lea	edi, [ebp+var_14]
		xor	ebx, ebx
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ecx+28h]
		mov	[ebp+var_14], eax
		mov	al, [ebp+arg_0]
		mov	[ebp+var_C], al
		lea	eax, [ebp+var_14]
		push	eax
		push	7
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], bl
		call	dword ptr [esi+40h]
		test	al, al
		jz	short loc_64C18C
		cmp	[ebp+var_4], bl
		jz	short loc_64C18C
		push	ebx
		push	ebx
		mov	edx, esi
		mov	ecx, 612h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_64C18C:				; CODE XREF: PopPluginNotifyActive(x,x,x)+3Aj
					; PopPluginNotifyActive(x,x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopPluginNotifyActive@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginNotifyIdleState(x,	x, x, x)
_PopPluginNotifyIdleState@16 proc near	; CODE XREF: PopPepNotifyIdleState+81E34p
					; PopPepStartComponentIdleStateChangeActivity+81E4Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= word ptr -2
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_3], 0
		mov	edi, ecx
		mov	[ebp+var_2], ax
		mov	ebx, edx
		mov	[ebp+var_C], ebx
		mov	eax, [edi+28h]
		mov	esi, [edi+24h]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_8], eax
		mov	al, [ebp+arg_4]
		mov	[ebp+var_4], al
		lea	eax, [ebp+var_10]
		push	eax
		push	13h
		call	dword ptr [esi+40h]
		test	al, al
		jnz	short loc_64C1D8
		inc	al
		mov	[ebp+var_3], al
		jmp	short loc_64C1DB
; 

loc_64C1D8:				; CODE XREF: PopPluginNotifyIdleState(x,x,x,x)+3Cj
		mov	al, [ebp+var_3]

loc_64C1DB:				; CODE XREF: PopPluginNotifyIdleState(x,x,x,x)+43j
		test	al, al
		jnz	short loc_64C1F2
		mov	ecx, [edi+1Ch]
		mov	edx, ebx
		push	0
		push	0
		push	12h
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		mov	al, [ebp+var_3]

loc_64C1F2:				; CODE XREF: PopPluginNotifyIdleState(x,x,x,x)+4Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PopPluginNotifyIdleState@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginPrepareDevice(x, x)
_PopPluginPrepareDevice@8 proc near	; CODE XREF: PoFxPrepareDevice(x,x)+95p

var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_20]
		stosd
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		stosd
		stosd
		stosd
		mov	eax, [esi+40h]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_64C264
		mov	eax, [esi+10h]
		lea	ecx, [edx+48h]
		and	eax, 8000000h
		or	eax, ebx
		jz	short loc_64C24F
		mov	eax, [edx+10h]
		lea	esi, [ebp+var_20]
		mov	[ebp+var_18], eax
		mov	edi, 90h
		mov	eax, [edx+8]
		mov	[ebp+var_20], ecx
		mov	eax, [eax+10h]
		mov	[ebp+var_14], eax
		jmp	short loc_64C258
; 

loc_64C24F:				; CODE XREF: PopPluginPrepareDevice(x,x)+38j
		xor	edi, edi
		mov	[ebp+var_10], ecx
		lea	esi, [ebp+var_10]
		inc	edi

loc_64C258:				; CODE XREF: PopPluginPrepareDevice(x,x)+54j
		push	esi
		push	edi
		call	[ebp+var_4]
		test	al, al
		jz	short loc_64C26B
		mov	bl, [esi+4]

loc_64C264:				; CODE XREF: PopPluginPrepareDevice(x,x)+29j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_64C26B:				; CODE XREF: PopPluginPrepareDevice(x,x)+66j
		push	ebx
		push	[ebp+var_8]
		mov	edx, edi
		mov	ecx, 605h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall PopPluginQueryComponentPerfCapabilities(x, x, x)
_PopPluginQueryComponentPerfCapabilities@12: ; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+2Dp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, [ecx+24h]
		xor	eax, eax
		mov	[ebp+var_4], eax
		test	esi, esi
		jz	short loc_64C2AF
		mov	eax, [ecx+28h]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	1Ch
		mov	[ebp+var_8], edx
		call	dword ptr [esi+40h]
		test	al, al
		jz	short loc_64C2AF
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	[edx], ecx

loc_64C2AF:				; CODE XREF: PopPluginPrepareDevice(x,x)+96j
					; PopPluginPrepareDevice(x,x)+ACj
		pop	esi
		leave
		retn	4
_PopPluginPrepareDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginQueryComponentPerfSet(x, x, x, x, x, x, x,	x)
_PopPluginQueryComponentPerfSet@32 proc	near ; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+9Fp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, [ecx+28h]
		push	esi
		mov	esi, [ecx+24h]
		mov	[ebp+var_30], eax
		mov	eax, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_24], edi
		push	eax
		push	1Dh
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		call	dword ptr [esi+40h]
		test	al, al
		jnz	short loc_64C309
		push	edi
		push	esi
		push	1Dh
		pop	edx
		mov	ecx, 605h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_64C309:				; CODE XREF: PopPluginQueryComponentPerfSet(x,x,x,x,x,x,x,x)+44j
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+var_10]
		pop	edi
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+var_14]
		pop	esi
		mov	[ecx], eax
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_10]
		mov	[eax], edx
		mov	eax, [ebp+var_C]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_8]
		mov	[ecx], edx
		mov	ecx, [ebp+arg_14]
		mov	[ecx], eax
		mov	eax, [ebp+var_4]
		mov	[ecx+4], eax
		leave
		retn	18h
_PopPluginQueryComponentPerfSet@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginQueryComponentPerfSetName(x, x, x,	x, x)
_PopPluginQueryComponentPerfSetName@20 proc near
					; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+105p
					; PopFxPepPerfInfoQuery(x,x,x)+14Ap

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_6		= word ptr -6
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		mov	[ebp+var_10], edx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_6], ax
		mov	eax, [ecx+28h]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		mov	ax, [esi]
		mov	[ebp+var_8], ax
		mov	eax, [ebp+arg_8]
		push	edi
		mov	edi, [ecx+24h]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	1Eh
		call	dword ptr [edi+40h]
		test	al, al
		jnz	short loc_64C38F
		push	0
		push	edi
		push	1Eh
		pop	edx
		mov	ecx, 605h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_64C38F:				; CODE XREF: PopPluginQueryComponentPerfSetName(x,x,x,x,x)+3Dj
		mov	ax, [ebp+var_8]
		pop	edi
		mov	[esi], ax
		pop	esi
		leave
		retn	0Ch
_PopPluginQueryComponentPerfSetName@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginQueryComponentPerfStates(x, x, x, x)
_PopPluginQueryComponentPerfStates@16 proc near
					; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+EEp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ecx+28h]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ecx+24h]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	1Fh
		mov	[ebp+var_C], edx
		call	dword ptr [esi+40h]
		test	al, al
		jnz	short loc_64C3DA
		push	0
		push	esi
		push	1Fh
		pop	edx
		mov	ecx, 605h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_64C3DA:				; CODE XREF: PopPluginQueryComponentPerfStates(x,x,x,x)+2Cj
		pop	esi
		leave
		retn	8
_PopPluginQueryComponentPerfStates@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginQueryCurrentComponentPerfState(x, x, x)
_PopPluginQueryCurrentComponentPerfState@12 proc near
					; CODE XREF: PopFxQueryCurrentComponentPerfState(x,x,x,x,x,x)+3Bp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ecx+28h]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_1C], eax
		push	edi
		mov	edi, [ecx+24h]
		mov	eax, [esi]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	22h
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], edx
		call	dword ptr [edi+40h]
		test	al, al
		jnz	short loc_64C425
		push	ebx
		push	edi
		push	22h
		pop	edx
		mov	ecx, 605h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_64C425:				; CODE XREF: PopPluginQueryCurrentComponentPerfState(x,x,x)+35j
		mov	eax, [ebp+var_C]
		mov	[esi+8], eax
		mov	eax, [ebp+var_8]
		pop	edi
		mov	[esi+0Ch], eax
		pop	esi
		pop	ebx
		leave
		retn	4
_PopPluginQueryCurrentComponentPerfState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginRegisterComponentPerfStates(x, x, x)
_PopPluginRegisterComponentPerfStates@12 proc near
					; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+6Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ecx
		xor	ecx, ecx
		push	esi
		mov	[ebp+var_4], ecx
		mov	esi, [eax+24h]
		test	esi, esi
		jz	short loc_64C46F
		mov	eax, [eax+28h]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	20h
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		call	dword ptr [esi+40h]
		mov	cl, al

loc_64C46F:				; CODE XREF: PopPluginRegisterComponentPerfStates(x,x,x)+15j
		mov	al, cl
		pop	esi
		leave
		retn	4
_PopPluginRegisterComponentPerfStates@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginRegisterCrashdumpDevice(x,	x, x)
_PopPluginRegisterCrashdumpDevice@12 proc near
					; CODE XREF: PoFxRegisterCrashdumpDevice+9B636p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], edx
		push	eax
		xor	esi, esi
		push	19h
		mov	[ebp+var_8], esi
		call	dword ptr [ecx+40h]
		test	al, al
		jz	short loc_64C4A5
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_64C4A5
		mov	eax, [ebp+arg_0]
		mov	[eax+158h], ecx
		jmp	short loc_64C4AA
; 

loc_64C4A5:				; CODE XREF: PopPluginRegisterCrashdumpDevice(x,x,x)+1Bj
					; PopPluginRegisterCrashdumpDevice(x,x,x)+22j
		mov	esi, 0C00000BBh

loc_64C4AA:				; CODE XREF: PopPluginRegisterCrashdumpDevice(x,x,x)+2Dj
		mov	eax, esi
		pop	esi
		leave
		retn	4
_PopPluginRegisterCrashdumpDevice@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginRegisterDevice(x, x, x, x,	x, x)
_PopPluginRegisterDevice@24 proc near	; CODE XREF: PopFxRegisterDeviceWithPep+84E29p
					; PopFxRegisterDeviceWithPep+84E46p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, edx
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	[ebx], esi
		mov	edx, [edi+40h]
		test	edx, edx
		jz	short loc_64C506
		cmp	dword ptr [edi+8], 2
		jb	short loc_64C506
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_64C506
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	3
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	edx
		test	al, al
		jz	short loc_64C50F
		cmp	[ebp+var_4], esi
		jz	short loc_64C506
		mov	eax, [ebp+var_8]
		mov	esi, [ebp+var_4]
		mov	[ebx], eax

loc_64C506:				; CODE XREF: PopPluginRegisterDevice(x,x,x,x,x,x)+1Bj
					; PopPluginRegisterDevice(x,x,x,x,x,x)+21j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_64C50F:				; CODE XREF: PopPluginRegisterDevice(x,x,x,x,x,x)+46j
		push	esi
		push	edi
		push	3
		pop	edx
		mov	ecx, 605h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
		int	3		; Trap to Debugger
_PopPluginRegisterDevice@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginRequestComponentIdleConstraints(x,	x, x, x)
_PopPluginRequestComponentIdleConstraints@16 proc near
					; CODE XREF: PopPepInitializeVetoMasks(x,x)+3A5p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		xor	bl, bl
		mov	esi, [edi+24h]
		cmp	esi, ds:_PopFxProcessorPlugin
		jnz	short loc_64C574
		test	esi, esi
		jz	short loc_64C574
		mov	eax, [edi+28h]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	1Bh
		mov	[ebp+var_10], edx
		call	dword ptr [esi+40h]
		mov	bl, al
		test	bl, bl
		jz	short loc_64C574
		push	[ebp+arg_4]
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		push	[ebp+arg_0]
		call	_PopDiagTraceFxComponentIdleConstraints@16 ; PopDiagTraceFxComponentIdleConstraints(x,x,x,x)

loc_64C574:				; CODE XREF: PopPluginRequestComponentIdleConstraints(x,x,x,x)+1Bj
					; PopPluginRequestComponentIdleConstraints(x,x,x,x)+1Fj ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
_PopPluginRequestComponentIdleConstraints@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginRequestComponentPerfState(x, x, x,	x, x)
_PopPluginRequestComponentPerfState@20 proc near
					; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+109p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ecx+28h]
		and	[ebp+var_C], 0
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [ecx+24h]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_10], edx
		mov	[ebp+var_4], eax
		test	esi, esi
		jz	short loc_64C5CB
		lea	eax, [ebp+var_14]
		push	eax
		push	21h
		call	dword ptr [esi+40h]
		test	al, al
		jnz	short loc_64C5C3
		push	0
		push	esi
		push	21h
		pop	edx
		mov	ecx, 605h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_64C5C3:				; CODE XREF: PopPluginRequestComponentPerfState(x,x,x,x,x)+34j
		mov	dl, byte ptr [ebp+var_C+1]
		mov	al, byte ptr [ebp+var_C]
		jmp	short loc_64C5D0
; 

loc_64C5CB:				; CODE XREF: PopPluginRequestComponentPerfState(x,x,x,x,x)+27j
		xor	edx, edx
		inc	edx
		mov	al, dl

loc_64C5D0:				; CODE XREF: PopPluginRequestComponentPerfState(x,x,x,x,x)+4Cj
		pop	esi
		test	al, al
		jz	short locret_64C5DA
		mov	ecx, [ebp+arg_8]
		mov	[ecx], dl

locret_64C5DA:				; CODE XREF: PopPluginRequestComponentPerfState(x,x,x,x,x)+56j
		leave
		retn	0Ch
_PopPluginRequestComponentPerfState@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginRequestDebuggerTransitionRequirements(x, x, x)
_PopPluginRequestDebuggerTransitionRequirements@12 proc	near
					; CODE XREF: PopPepInitializeDebuggerMasks(x,x)+35p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	al, al
		push	esi
		mov	esi, [ecx+24h]
		cmp	esi, ds:_PopFxProcessorPlugin
		jnz	short loc_64C610
		test	esi, esi
		jz	short loc_64C610
		mov	eax, [ecx+28h]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	23h
		mov	[ebp+var_8], edx
		call	dword ptr [esi+40h]

loc_64C610:				; CODE XREF: PopPluginRequestDebuggerTransitionRequirements(x,x,x)+14j
					; PopPluginRequestDebuggerTransitionRequirements(x,x,x)+18j
		pop	esi
		leave
		retn	4
_PopPluginRequestDebuggerTransitionRequirements@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginRequestDeviceIdleConstraints(x, x,	x)
_PopPluginRequestDeviceIdleConstraints@12 proc near
					; CODE XREF: PopPepInitializeVetoMasks(x,x)+1AFp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		xor	bl, bl
		mov	esi, [edi+24h]
		cmp	esi, ds:_PopFxProcessorPlugin
		jnz	short loc_64C661
		test	esi, esi
		jz	short loc_64C661
		mov	eax, [edi+28h]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	1Ah
		mov	[ebp+var_C], edx
		call	dword ptr [esi+40h]
		mov	bl, al
		test	bl, bl
		jz	short loc_64C661
		push	[ebp+arg_0]
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		call	_PopDiagTraceFxDeviceIdleConstraints@12	; PopDiagTraceFxDeviceIdleConstraints(x,x,x)

loc_64C661:				; CODE XREF: PopPluginRequestDeviceIdleConstraints(x,x,x)+1Bj
					; PopPluginRequestDeviceIdleConstraints(x,x,x)+1Fj ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
_PopPluginRequestDeviceIdleConstraints@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginRequestPowerControl(x, x, x, x, x,	x, x)
_PopPluginRequestPowerControl@28 proc near ; CODE XREF:	PoFxPowerControl+886DBp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ecx+28h]
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, [ecx+24h]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_C]
		push	edi
		mov	[ebp+var_C], eax
		mov	edi, 0C0000002h
		lea	eax, [ebp+var_20]
		mov	[ebp+var_1C], edx
		push	eax
		push	0Eh
		call	dword ptr [esi+40h]
		cmp	al, 1
		jnz	short loc_64C6C1
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_64C6BE
		mov	eax, [ebp+var_8]
		mov	[ecx], eax

loc_64C6BE:				; CODE XREF: PopPluginRequestPowerControl(x,x,x,x,x,x,x)+4Dj
		mov	edi, [ebp+var_4]

loc_64C6C1:				; CODE XREF: PopPluginRequestPowerControl(x,x,x,x,x,x,x)+46j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn	14h
_PopPluginRequestPowerControl@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginUnregisterDevice(x, x)
_PopPluginUnregisterDevice@8 proc near	; CODE XREF: PopFxUnregisterDevice(x)+BEp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], edx
		mov	esi, ecx
		push	eax
		push	4
		call	dword ptr [esi+40h]
		test	al, al
		jnz	short loc_64C6F2
		push	0
		push	esi
		push	4
		pop	edx
		mov	ecx, 605h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_64C6F2:				; CODE XREF: PopPluginUnregisterDevice(x,x)+17j
		pop	esi
		leave
		retn
_PopPluginUnregisterDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopProcessorIdleSelectNotification(x, x)
_PopProcessorIdleSelectNotification@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	eax, [ecx+24h]
		test	eax, eax
		jz	short loc_64C747
		mov	eax, [eax+44h]
		test	eax, eax
		jz	short loc_64C747
		mov	esi, [ebp+arg_4]
		mov	edi, [ecx+28h]
		push	esi
		push	3
		mov	edx, [esi+14h]
		mov	ebx, [esi+10h]
		push	edi
		mov	[ebp+arg_0], edx
		call	eax
		test	al, al
		jnz	short loc_64C72E
		mov	eax, 0C00000BBh
		jmp	short loc_64C74C
; 

loc_64C72E:				; CODE XREF: PopProcessorIdleSelectNotification(x,x)+30j
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, edi
		push	dword ptr [esi+0Ch]
		push	ebx
		push	700h
		call	_PopTranslateDependencyArray@24	; PopTranslateDependencyArray(x,x,x,x,x,x)
		xor	eax, eax
		jmp	short loc_64C74C
; 

loc_64C747:				; CODE XREF: PopProcessorIdleSelectNotification(x,x)+10j
					; PopProcessorIdleSelectNotification(x,x)+17j
		mov	eax, 0C0000002h

loc_64C74C:				; CODE XREF: PopProcessorIdleSelectNotification(x,x)+37j
					; PopProcessorIdleSelectNotification(x,x)+50j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_PopProcessorIdleSelectNotification@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopProcessorNotifyLpiCoordinatedStatesNotification(x, x)
_PopProcessorNotifyLpiCoordinatedStatesNotification@8 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [eax+24h]
		mov	eax, [eax+28h]
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], eax
		test	esi, esi
		jz	short loc_64C7E0
		mov	eax, [esi+44h]
		test	eax, eax
		jz	short loc_64C7E0
		mov	edx, [ebp+arg_4]
		push	edi
		xor	edi, edi
		cmp	[edx], edi
		jbe	short loc_64C7C4
		lea	ecx, [edx+54h]
		push	ebx

loc_64C784:				; CODE XREF: PopProcessorNotifyLpiCoordinatedStatesNotification(x,x)+68j
		xor	ebx, ebx
		cmp	[ecx], ebx
		jbe	short loc_64C7B5
		xor	eax, eax
		mov	[ebp+arg_0], eax

loc_64C78F:				; CODE XREF: PopProcessorNotifyLpiCoordinatedStatesNotification(x,x)+5Dj
		mov	edx, [ecx+4]
		add	edx, eax
		mov	esi, [edx]
		mov	[ebp+var_4], esi
		test	esi, esi
		jz	short loc_64C7A7
		mov	eax, esi
		mov	eax, [eax+28h]
		mov	[edx], eax
		mov	eax, [ebp+arg_0]

loc_64C7A7:				; CODE XREF: PopProcessorNotifyLpiCoordinatedStatesNotification(x,x)+48j
		inc	ebx
		add	eax, 0Ch
		mov	[ebp+arg_0], eax
		cmp	ebx, [ecx]
		jb	short loc_64C78F
		mov	edx, [ebp+arg_4]

loc_64C7B5:				; CODE XREF: PopProcessorNotifyLpiCoordinatedStatesNotification(x,x)+35j
		inc	edi
		add	ecx, 58h
		cmp	edi, [edx]
		jb	short loc_64C784
		mov	esi, [ebp+var_8]
		pop	ebx
		mov	eax, [esi+44h]

loc_64C7C4:				; CODE XREF: PopProcessorNotifyLpiCoordinatedStatesNotification(x,x)+2Bj
		push	edx
		push	24h
		push	[ebp+var_C]
		call	eax
		movzx	eax, al
		neg	eax
		pop	edi
		sbb	eax, eax
		and	eax, 3FFFFF45h
		add	eax, 0C00000BBh
		jmp	short loc_64C7E5
; 

loc_64C7E0:				; CODE XREF: PopProcessorNotifyLpiCoordinatedStatesNotification(x,x)+1Aj
					; PopProcessorNotifyLpiCoordinatedStatesNotification(x,x)+21j
		mov	eax, 0C0000002h

loc_64C7E5:				; CODE XREF: PopProcessorNotifyLpiCoordinatedStatesNotification(x,x)+8Bj
		pop	esi
		leave
		retn	8
_PopProcessorNotifyLpiCoordinatedStatesNotification@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopProcessorParkMaskNotification(x,	x)
_PopProcessorParkMaskNotification@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [eax+24h]
		mov	ebx, [eax+28h]
		test	esi, esi
		jz	short loc_64C83D
		mov	eax, [esi+44h]
		test	eax, eax
		jz	short loc_64C83D
		push	edi
		mov	edi, [ebp+arg_4]
		xor	edx, edx
		cmp	[edi], edx
		jbe	short loc_64C823

loc_64C80F:				; CODE XREF: PopProcessorParkMaskNotification(x,x)+34j
		mov	ecx, [edi+10h]
		mov	eax, [ecx+edx*8]
		mov	eax, [eax+28h]
		mov	[ecx+edx*8], eax
		inc	edx
		cmp	edx, [edi]
		jb	short loc_64C80F
		mov	eax, [esi+44h]

loc_64C823:				; CODE XREF: PopProcessorParkMaskNotification(x,x)+23j
		push	edi
		push	20h
		push	ebx
		call	eax
		movzx	eax, al
		neg	eax
		pop	edi
		sbb	eax, eax
		and	eax, 3FFFFF45h
		add	eax, 0C00000BBh
		jmp	short loc_64C842
; 

loc_64C83D:				; CODE XREF: PopProcessorParkMaskNotification(x,x)+12j
					; PopProcessorParkMaskNotification(x,x)+19j
		mov	eax, 0C0000002h

loc_64C842:				; CODE XREF: PopProcessorParkMaskNotification(x,x)+51j
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_PopProcessorParkMaskNotification@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopProcessorParkNotification(x, x)
_PopProcessorParkNotification@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [eax+24h]
		mov	eax, [eax+28h]
		mov	[ebp+arg_0], eax
		test	edi, edi
		jz	short loc_64C8BF
		xor	esi, esi
		cmp	[edi+44h], esi
		jz	short loc_64C8BF
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	edx, esi
		cmp	[ebx+4], esi
		jbe	short loc_64C886

loc_64C871:				; CODE XREF: PopProcessorParkNotification(x,x)+39j
		mov	ecx, [ebx+8]
		mov	eax, [ecx+edx*8]
		mov	eax, [eax+28h]
		mov	[ecx+edx*8], eax
		inc	edx
		cmp	edx, [ebx+4]
		jb	short loc_64C871
		mov	eax, [ebp+arg_0]

loc_64C886:				; CODE XREF: PopProcessorParkNotification(x,x)+27j
		cmp	ds:_PopFxParkingFallback, 0
		jnz	short loc_64C8AA
		push	ebx
		push	1Fh
		push	eax
		call	dword ptr [edi+44h]
		test	al, al
		jnz	short loc_64C8A1
		mov	ds:_PopFxParkingFallback, 1

loc_64C8A1:				; CODE XREF: PopProcessorParkNotification(x,x)+50j
		cmp	ds:_PopFxParkingFallback, 0
		jz	short loc_64C8B3

loc_64C8AA:				; CODE XREF: PopProcessorParkNotification(x,x)+45j
		push	ebx
		push	0Eh
		push	[ebp+arg_0]
		call	dword ptr [edi+44h]

loc_64C8B3:				; CODE XREF: PopProcessorParkNotification(x,x)+60j
		pop	ebx
		test	al, al
		jnz	short loc_64C8C4
		mov	esi, 0C00000BBh
		jmp	short loc_64C8C4
; 

loc_64C8BF:				; CODE XREF: PopProcessorParkNotification(x,x)+15j
					; PopProcessorParkNotification(x,x)+1Cj
		mov	esi, 0C0000002h

loc_64C8C4:				; CODE XREF: PopProcessorParkNotification(x,x)+6Ej
					; PopProcessorParkNotification(x,x)+75j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_PopProcessorParkNotification@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopProcessorQueryCoordinatedDependencyNotification(x, x)
_PopProcessorQueryCoordinatedDependencyNotification@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	eax, [ecx+24h]
		test	eax, eax
		jz	short loc_64C90B
		mov	edx, [eax+44h]
		test	edx, edx
		jz	short loc_64C90B
		mov	esi, [ebp+arg_4]
		mov	eax, [ecx+28h]
		push	esi
		push	1Eh
		push	eax
		call	edx
		test	al, al
		jnz	short loc_64C8FA
		mov	eax, 0C00000BBh
		jmp	short loc_64C910
; 

loc_64C8FA:				; CODE XREF: PopProcessorQueryCoordinatedDependencyNotification(x,x)+25j
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_64C907
		mov	eax, [eax+64h]
		mov	[esi+10h], eax

loc_64C907:				; CODE XREF: PopProcessorQueryCoordinatedDependencyNotification(x,x)+33j
		xor	eax, eax
		jmp	short loc_64C910
; 

loc_64C90B:				; CODE XREF: PopProcessorQueryCoordinatedDependencyNotification(x,x)+Ej
					; PopProcessorQueryCoordinatedDependencyNotification(x,x)+15j
		mov	eax, 0C0000002h

loc_64C910:				; CODE XREF: PopProcessorQueryCoordinatedDependencyNotification(x,x)+2Cj
					; PopProcessorQueryCoordinatedDependencyNotification(x,x)+3Dj
		pop	esi
		pop	ebp
		retn	8
_PopProcessorQueryCoordinatedDependencyNotification@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopProcessorQueryPlatformStateNotification(x, x, x)
_PopProcessorQueryPlatformStateNotification@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax+24h]
		mov	edi, [eax+28h]
		test	ecx, ecx
		jz	short loc_64C97D
		mov	ecx, [ecx+44h]
		test	ecx, ecx
		jz	short loc_64C97D
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		cmp	[ebp+arg_8], al
		push	esi
		setz	al
		mov	ebx, [esi+18h]
		dec	eax
		and	eax, 3
		add	eax, 13h
		push	eax
		push	edi
		call	ecx
		test	al, al
		jnz	short loc_64C956
		mov	eax, 0C00000BBh
		jmp	short loc_64C982
; 

loc_64C956:				; CODE XREF: PopProcessorQueryPlatformStateNotification(x,x,x)+38j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_64C963
		mov	eax, [eax+64h]
		mov	[esi+4], eax

loc_64C963:				; CODE XREF: PopProcessorQueryPlatformStateNotification(x,x,x)+46j
		lea	eax, [esi+1Ch]
		mov	edx, esi
		push	eax
		push	dword ptr [esi+14h]
		mov	ecx, edi
		push	ebx
		push	703h
		call	_PopTranslateDependencyArray@24	; PopTranslateDependencyArray(x,x,x,x,x,x)
		xor	eax, eax
		jmp	short loc_64C982
; 

loc_64C97D:				; CODE XREF: PopProcessorQueryPlatformStateNotification(x,x,x)+13j
					; PopProcessorQueryPlatformStateNotification(x,x,x)+1Aj
		mov	eax, 0C0000002h

loc_64C982:				; CODE XREF: PopProcessorQueryPlatformStateNotification(x,x,x)+3Fj
					; PopProcessorQueryPlatformStateNotification(x,x,x)+66j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_PopProcessorQueryPlatformStateNotification@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTranslateDependencyArray(x, x, x, x, x, x)
_PopTranslateDependencyArray@24	proc near
					; CODE XREF: PopProcessorIdleSelectNotification(x,x)+49p
					; PopProcessorQueryPlatformStateNotification(x,x,x)+5Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ebx, ecx
		cmp	edi, [ebp+arg_4]
		ja	short loc_64C9BD
		xor	esi, esi
		test	edi, edi
		jz	short loc_64C9B6
		mov	ecx, [ebp+arg_C]

loc_64C9A4:				; CODE XREF: PopTranslateDependencyArray(x,x,x,x,x,x)+2Bj
		mov	eax, [ecx+esi*8]
		test	eax, eax
		jz	short loc_64C9BD
		mov	eax, [eax+64h]
		mov	[ecx+esi*8], eax
		inc	esi
		cmp	esi, edi
		jb	short loc_64C9A4

loc_64C9B6:				; CODE XREF: PopTranslateDependencyArray(x,x,x,x,x,x)+16j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_64C9BD:				; CODE XREF: PopTranslateDependencyArray(x,x,x,x,x,x)+10j
					; PopTranslateDependencyArray(x,x,x,x,x,x)+20j
		mov	ecx, [ebp+arg_0]
		push	0
		push	edx
		mov	edx, ebx
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
		int	3		; Trap to Debugger
_PopTranslateDependencyArray@24	endp


;  S U B	R O U T	I N E 


; __stdcall PpmGetDeepSleepPlatformStateIndex()
_PpmGetDeepSleepPlatformStateIndex@0 proc near
					; CODE XREF: PopFxClearDeviceConstraints(x)+Dp
					; PopFxEnablePlatformStates(x)+Ap ...
		mov	eax, ds:_PpmPlatformStates
		test	eax, eax
		jz	short loc_64C9DC
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_64C9DC
		dec	eax
		retn
; 

loc_64C9DC:				; CODE XREF: PpmGetDeepSleepPlatformStateIndex()+7j
					; PpmGetDeepSleepPlatformStateIndex()+Dj
		or	eax, 0FFFFFFFFh
		retn
_PpmGetDeepSleepPlatformStateIndex@0 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1727. PoSetSystemWake

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoSetSystemWake(x)
		public _PoSetSystemWake@4
_PoSetSystemWake@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movsx	eax, byte ptr [ecx+22h]
		add	eax, 3
		imul	eax, 24h
		mov	eax, [eax+ecx]
		cmp	byte ptr [eax+68h], 0
		jnz	short loc_64CA07
		mov	byte ptr [eax+90h], 1

loc_64CA07:				; CODE XREF: PoSetSystemWake(x)+19j
		pop	ebp
		retn	4
_PoSetSystemWake@4 endp

; 
		align 10h
; Exported entry 1728. PoSetSystemWakeDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoSetSystemWakeDevice(x)
		public _PoSetSystemWakeDevice@4
_PoSetSystemWakeDevice@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 72496F50h
		push	esi
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_64CA3C
		mov	ecx, esi
		call	_PopUpdateWakeSource@4 ; PopUpdateWakeSource(x)
		mov	edx, 72496F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_64CA3C:				; CODE XREF: PoSetSystemWakeDevice(x)+17j
		pop	esi
		pop	ebp
		retn	4
_PoSetSystemWakeDevice@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopExecutionRequiredTimeoutCallback(x, x, x, x)
_PopExecutionRequiredTimeoutCallback@16	proc near ; DATA XREF: PopPowerRequestInit()+120o
		xor	eax, eax
		inc	eax
		lock xadd ds:_PopExecutionRequiredWorkRequested, eax
		inc	eax
		cmp	eax, 1
		jnz	short locret_64CA5D
		push	eax
		push	offset _PopExecutionRequiredTimeoutWorker
		call	ExQueueWorkItem

locret_64CA5D:				; CODE XREF: PopExecutionRequiredTimeoutCallback(x,x,x,x)+Fj
		retn	10h
_PopExecutionRequiredTimeoutCallback@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopReleasePowerRequestSpinLock(x)
_PopReleasePowerRequestSpinLock@4 proc near
					; CODE XREF: PopPowerRequestCallbackWorker(x)+6Ep
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ds:byte_70EFC6,	1
		push	esi
		mov	esi, ecx
		jz	short loc_64CA7B
		mov	edx, [ebp+4]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_64CAA6
; 

loc_64CA7B:				; CODE XREF: PopReleasePowerRequestSpinLock(x)+Fj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_64CA97
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_64CAA6
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_64CA97:				; CODE XREF: PopReleasePowerRequestSpinLock(x)+1Fj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_64CAA6:				; CODE XREF: PopReleasePowerRequestSpinLock(x)+19j
					; PopReleasePowerRequestSpinLock(x)+2Ej
		mov	cl, [esi+8]
		pop	esi
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_PopReleasePowerRequestSpinLock@4 endp


;  S U B	R O U T	I N E 


; __fastcall PpmCancelExitLatencyTrace(x)
@PpmCancelExitLatencyTrace@4 proc near	; CODE XREF: KdPowerTransitionEx(x,x)+AFp
					; PpmIdleCompleteExitLatencyTrace(x,x,x,x,x,x,x,x,x):loc_64D8D2p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi+3D70h]
		test	edx, edx
		jz	short loc_64CAE6
		cmp	byte ptr [edx+3], 0
		jz	short loc_64CAE6
		mov	eax, ds:_PpmExitLatencySamplingPercentage
		xor	ecx, ecx
		test	eax, eax
		setnz	cl
		mov	[edx+0Ch], ecx
		xor	ecx, ecx
		mov	eax, [esi+3D70h]
		mov	[eax+3], cl
		mov	[eax+38h], ecx
		mov	[eax+3Ch], ecx

loc_64CAE6:				; CODE XREF: PpmCancelExitLatencyTrace(x)+Dj
					; PpmCancelExitLatencyTrace(x)+13j
		pop	esi
		retn
@PpmCancelExitLatencyTrace@4 endp


;  S U B	R O U T	I N E 


; __fastcall PpmPrepareExitLatencyTrace(x)
@PpmPrepareExitLatencyTrace@4 proc near	; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+73Dp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	bl, bl
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_64CAFF
		dec	eax
		mov	[esi+0Ch], eax
		test	eax, eax
		jnz	short loc_64CB0D

loc_64CAFF:				; CODE XREF: PpmPrepareExitLatencyTrace(x)+Dj
		call	@PpmGetExitSamplingCountdown@0 ; PpmGetExitSamplingCountdown()
		mov	[esi+0Ch], eax
		test	eax, eax
		jz	short loc_64CB0D
		mov	bl, 1

loc_64CB0D:				; CODE XREF: PpmPrepareExitLatencyTrace(x)+15j
					; PpmPrepareExitLatencyTrace(x)+21j
		pop	esi
		mov	al, bl
		pop	ebx
		retn
@PpmPrepareExitLatencyTrace@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1705. PoGetProcessorIdleAccounting

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoGetProcessorIdleAccounting(x)
		public _PoGetProcessorIdleAccounting@4
_PoGetProcessorIdleAccounting@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:20h
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax+3D74h]
		test	ecx, ecx
		jz	short loc_64CB40
		test	eax, eax
		jnz	short loc_64CB37
		and	[ecx], eax
		jmp	short loc_64CB3C
; 

loc_64CB37:				; CODE XREF: PoGetProcessorIdleAccounting(x)+1Aj
		mov	eax, [eax+4]
		mov	[ecx], eax

loc_64CB3C:				; CODE XREF: PoGetProcessorIdleAccounting(x)+1Ej
		and	dword ptr [ecx+4], 0

loc_64CB40:				; CODE XREF: PoGetProcessorIdleAccounting(x)+16j
		pop	ebp
		retn	4
_PoGetProcessorIdleAccounting@4	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1708. PoInitiateProcessorWake

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoInitiateProcessorWake(x)
		public _PoInitiateProcessorWake@4
_PoInitiateProcessorWake@4 proc	near

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+50h+var_10]
		stosd
		stosd
		stosd
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	[esp+50h+var_3C], eax
		mov	edi, [eax+3D70h]
		lea	esi, [eax+3DA8h]
		mov	eax, [esi]
		shr	eax, 18h
		xor	ebx, ebx
		mov	[esp+50h+var_34], edi
		mov	ecx, [edi+88h]
		mov	[esp+50h+var_38], ecx
		mov	[esp+50h+var_40], eax
		mov	byte ptr [esp+50h+var_44], al
		jmp	loc_64CC2D
; 

loc_64CBA5:				; CODE XREF: PoInitiateProcessorWake(x)+E6j
		test	al, al
		jz	loc_64CCF2
		cmp	al, 8
		jz	loc_64CCF2
		cmp	al, 7
		jz	loc_64CCF2
		cmp	al, 2
		jnz	short loc_64CBC8
		mov	eax, [esi]
		shr	eax, 18h
		jmp	short loc_64CC23
; 

loc_64CBC8:				; CODE XREF: PoInitiateProcessorWake(x)+76j
		cmp	al, 4
		jz	short loc_64CC10
		cmp	al, 6
		jz	short loc_64CC10
		cmp	al, 5
		jnz	short loc_64CC2B
		push	5
		mov	dl, 7
		mov	ecx, esi
		call	_PpmIdleUpdateSynchronizationState@12 ;	PpmIdleUpdateSynchronizationState(x,x,x)
		mov	[esp+50h+var_40], eax
		mov	byte ptr [esp+50h+var_44], al
		cmp	al, 5
		jnz	short loc_64CC2B
		lea	esi, [edi+48h]
		lea	edi, [esp+50h+var_10]
		movsd
		movsd
		movsd
		cmp	[esp+50h+var_8], ebx
		jz	loc_64CCF2
		lea	eax, [esp+50h+var_10]
		push	eax
		push	ebx
		call	ds:__imp__HalRequestIpi@8 ; HalRequestIpi(x,x)
		jmp	loc_64CCF2
; 

loc_64CC10:				; CODE XREF: PoInitiateProcessorWake(x)+81j
					; PoInitiateProcessorWake(x)+85j
		push	[esp+50h+var_44]
		mov	dl, 8
		mov	ecx, esi
		call	_PpmIdleUpdateSynchronizationState@12 ;	PpmIdleUpdateSynchronizationState(x,x,x)
		cmp	al, byte ptr [esp+50h+var_40]
		jz	short loc_64CC3A

loc_64CC23:				; CODE XREF: PoInitiateProcessorWake(x)+7Dj
		mov	byte ptr [esp+50h+var_44], al
		mov	[esp+50h+var_40], eax

loc_64CC2B:				; CODE XREF: PoInitiateProcessorWake(x)+89j
					; PoInitiateProcessorWake(x)+A0j
		pause

loc_64CC2D:				; CODE XREF: PoInitiateProcessorWake(x)+57j
		cmp	al, 1
		jnz	loc_64CBA5
		jmp	loc_64CCF2
; 

loc_64CC3A:				; CODE XREF: PoInitiateProcessorWake(x)+D8j
		mov	edx, [esp+50h+var_3C]
		cmp	[edx+3D99h], bl
		jnz	short loc_64CC4D
		mov	bl, 1
		jmp	loc_64CCF2
; 

loc_64CC4D:				; CODE XREF: PoInitiateProcessorWake(x)+FBj
		xor	eax, eax
		lea	edi, [esp+50h+var_30]
		push	8
		pop	ecx
		rep stosd
		mov	eax, ds:_PopIdleTransitionTimeout
		mov	edi, [esp+50h+var_34]
		mov	[esp+50h+var_28], eax
		mov	eax, ds:dword_70ED0C
		mov	[esp+50h+var_24], eax
		lea	eax, [edi+80h]
		mov	[esp+50h+var_20], edx
		mov	[esp+50h+var_3C], eax

loc_64CC7C:				; CODE XREF: PoInitiateProcessorWake(x)+153j
		mov	ecx, [esp+50h+var_38]
		call	dword ptr [eax]
		test	al, al
		jnz	short loc_64CC9E
		mov	eax, [esi]
		shr	eax, 18h
		cmp	al, 8
		jnz	short loc_64CCF2
		lea	ecx, [esp+50h+var_30]
		call	_PpmIdleTransitionStall@4 ; PpmIdleTransitionStall(x)
		mov	eax, [esp+50h+var_3C]
		jmp	short loc_64CC7C
; 

loc_64CC9E:				; CODE XREF: PoInitiateProcessorWake(x)+13Bj
		add	edi, 38h
		mov	ecx, [edi]
		mov	eax, [edi+4]
		and	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_64CCE2
		push	ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ebx, eax
		mov	[esp+54h+var_40], edx
		mov	[esp+54h+var_48], ebx

loc_64CCBE:				; CODE XREF: PoInitiateProcessorWake(x)+191j
					; PoInitiateProcessorWake(x)+197j
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[esp+54h+var_44], ecx
		nop
		mov	ecx, [esp+54h+var_40]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [esp+54h+var_48]
		cmp	eax, esi
		jnz	short loc_64CCBE
		cmp	edx, [esp+54h+var_44]
		jnz	short loc_64CCBE

loc_64CCE2:				; CODE XREF: PoInitiateProcessorWake(x)+162j
		mov	eax, [esp+54h+var_38]
		mov	ecx, [esp+54h+var_3C]
		call	dword ptr [eax+84h]
		mov	bl, al

loc_64CCF2:				; CODE XREF: PoInitiateProcessorWake(x)+5Ej
					; PoInitiateProcessorWake(x)+66j ...
		mov	ecx, [esp+54h+var_8]
		mov	al, bl
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_PoInitiateProcessorWake@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpmAbortCoordinatedIdleState(x)
_PpmAbortCoordinatedIdleState@4	proc near ; CODE XREF: PpmExitCoordinatedIdle+12BCA2p
		mov	eax, [ecx]
		mov	edx, eax
		and	edx, 3000000h
		cmp	edx, 1000000h
		jnz	short locret_64CD34
		mov	edx, eax
		and	eax, 0FE000FFFh
		and	edx, 0FFFh
		or	edx, 2000h
		shl	edx, 0Ch
		or	edx, eax
		mov	[ecx], edx

locret_64CD34:				; CODE XREF: PpmAbortCoordinatedIdleState(x)+10j
		retn
_PpmAbortCoordinatedIdleState@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmApplyIdlePolicyChanges(x, x, x)
_PpmApplyIdlePolicyChanges@12 proc near	; DATA XREF: PpmInfoApplySettingUpdate+1707F1o
					; PpmCompareAndApplyPolicySettings(x,x,x)+146o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		lea	ecx, [ecx+3D70h]
		call	_PpmResetIdlePolicy@4 ;	PpmResetIdlePolicy(x)
		xor	eax, eax
		pop	ebp
		retn	0Ch
_PpmApplyIdlePolicyChanges@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmCheckCoordinatedIdleState(x, x)
_PpmCheckCoordinatedIdleState@8	proc near
					; CODE XREF: PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+DFp

var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= byte ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	edx, [esi]
		test	edx, 4000000h
		jnz	short loc_64CDAD
		xor	eax, eax
		lea	edi, [ebp+var_20]
		push	8
		pop	ecx
		rep stosd
		and	[ebp+var_10], eax
		mov	edi, 3000000h
		mov	eax, ds:_PopIdleTransitionTimeout
		mov	[ebp+var_18], eax
		mov	eax, ds:dword_70ED0C
		mov	[ebp+var_8], 1
		mov	[ebp+var_14], eax
		jmp	short loc_64CDA2
; 

loc_64CD8F:				; CODE XREF: PpmCheckCoordinatedIdleState(x,x)+5Dj
		mov	eax, edx
		shr	eax, 1Bh
		cmp	eax, ebx
		ja	short loc_64CDAD
		lea	ecx, [ebp+var_20]
		call	_PpmIdleTransitionStall@4 ; PpmIdleTransitionStall(x)
		mov	edx, [esi]

loc_64CDA2:				; CODE XREF: PpmCheckCoordinatedIdleState(x,x)+3Fj
		mov	eax, edx
		and	eax, edi
		cmp	eax, 1000000h
		jz	short loc_64CD8F

loc_64CDAD:				; CODE XREF: PpmCheckCoordinatedIdleState(x,x)+17j
					; PpmCheckCoordinatedIdleState(x,x)+48j
		pop	edi
		shr	edx, 1Ah
		and	dl, 1
		pop	esi
		mov	al, dl
		pop	ebx
		leave
		retn
_PpmCheckCoordinatedIdleState@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmCheckCoordinatedStateInitiator(x, x, x)
_PpmCheckCoordinatedStateInitiator@12 proc near
					; CODE XREF: PpmCheckCoordinatedStateInitiator(x,x,x)+56p
					; PpmInstallCoordinatedIdleStates(x)+4FAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, edx
		mov	[ebp+var_8], ecx
		push	edi
		xor	bl, bl
		mov	[ebp+var_C], eax
		xor	edi, edi
		test	eax, eax
		jz	short loc_64CE40
		push	esi
		mov	esi, [ebp+arg_0]
		add	esi, 4

loc_64CDDB:				; CODE XREF: PpmCheckCoordinatedStateInitiator(x,x,x)+7Fj
		mov	eax, [esi-4]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_64CDE7
		cmp	eax, ecx
		jnz	short loc_64CE32

loc_64CDE7:				; CODE XREF: PpmCheckCoordinatedStateInitiator(x,x,x)+27j
		xor	eax, eax
		mov	[ebp+arg_0], eax
		cmp	[esi], eax
		jbe	short loc_64CE32
		xor	ecx, ecx
		mov	[ebp+var_4], ecx

loc_64CDF5:				; CODE XREF: PpmCheckCoordinatedStateInitiator(x,x,x)+73j
		mov	edx, [esi+4]
		cmp	byte ptr [edx+ecx+1], 0
		jz	short loc_64CE21
		cmp	dword ptr [esi-4], 0FFFFFFFFh
		jnz	short loc_64CE3D
		push	dword ptr [edx+ecx+0Ch]
		mov	edx, [edx+ecx+8]
		mov	ecx, [ebp+var_8]
		call	_PpmCheckCoordinatedStateInitiator@12 ;	PpmCheckCoordinatedStateInitiator(x,x,x)
		mov	bl, al
		test	bl, bl
		jnz	short loc_64CE3F
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_4]

loc_64CE21:				; CODE XREF: PpmCheckCoordinatedStateInitiator(x,x,x)+43j
		inc	eax
		add	ecx, 10h
		mov	[ebp+arg_0], eax
		mov	[ebp+var_4], ecx
		cmp	eax, [esi]
		jb	short loc_64CDF5
		mov	ecx, [ebp+var_8]

loc_64CE32:				; CODE XREF: PpmCheckCoordinatedStateInitiator(x,x,x)+2Bj
					; PpmCheckCoordinatedStateInitiator(x,x,x)+34j
		inc	edi
		add	esi, 0Ch
		cmp	edi, [ebp+var_C]
		jb	short loc_64CDDB
		jmp	short loc_64CE3F
; 

loc_64CE3D:				; CODE XREF: PpmCheckCoordinatedStateInitiator(x,x,x)+49j
		mov	bl, 1

loc_64CE3F:				; CODE XREF: PpmCheckCoordinatedStateInitiator(x,x,x)+5Fj
					; PpmCheckCoordinatedStateInitiator(x,x,x)+81j
		pop	esi

loc_64CE40:				; CODE XREF: PpmCheckCoordinatedStateInitiator(x,x,x)+18j
		pop	edi
		mov	al, bl
		pop	ebx
		leave
		retn	4
_PpmCheckCoordinatedStateInitiator@12 endp


;  S U B	R O U T	I N E 


; __stdcall PpmCheckIdleVeto(x)
_PpmCheckIdleVeto@4 proc near		; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+BCp
					; PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+7Cp
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_64CE4F
		retn
; 

loc_64CE4F:				; CODE XREF: PpmCheckIdleVeto(x)+4j
		jns	short loc_64CE57
		mov	eax, 8000000Dh
		retn
; 

loc_64CE57:				; CODE XREF: PpmCheckIdleVeto(x):loc_64CE4Fj
		cmp	dword ptr [ecx+14h], 0
		jnz	short loc_64CE63
		mov	eax, 80000000h
		retn
; 

loc_64CE63:				; CODE XREF: PpmCheckIdleVeto(x)+13j
		lea	eax, [ecx+4]
		mov	ecx, [eax]
		cmp	ecx, eax
		mov	eax, 80000000h
		jz	short locret_64CE74
		mov	eax, [ecx+8]

locret_64CE74:				; CODE XREF: PpmCheckIdleVeto(x)+27j
		retn
_PpmCheckIdleVeto@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpmCheckPreConditionsForDeepSleep(x)
_PpmCheckPreConditionsForDeepSleep@4 proc near ; CODE XREF: PpmIdleSelectStates+8AFA0p
					; PpmIdleSelectStates:loc_5F3EAFp
		cmp	byte ptr [ecx+3D0h], 0
		jz	short loc_64CE8A
		call	_PopCheckForDeepSleep@0	; PopCheckForDeepSleep()
		test	al, al
		jz	short loc_64CE8A
		mov	al, 1
		retn
; 

loc_64CE8A:				; CODE XREF: PpmCheckPreConditionsForDeepSleep(x)+7j
					; PpmCheckPreConditionsForDeepSleep(x)+10j
		xor	al, al
		retn
_PpmCheckPreConditionsForDeepSleep@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmClearExitLatencySamplingPercentage()
_PpmClearExitLatencySamplingPercentage@0 proc near
					; CODE XREF: NtPowerInformation:loc_8D68A2p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, offset _PopFxSystemLatencyLock
		mov	ecx, esi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	eax, ds:_PpmExitLatencySamplingPercentage
		xor	edx, edx
		xor	eax, eax
		mov	ds:_PpmExitLatencySamplingPercentageSet, al
		mov	ds:_PpmExitLatencySamplingPercentage, eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		lock or	[eax], edx
		mov	cl, 1
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)
		mov	ecx, esi
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		pop	esi
		leave
		retn
_PpmClearExitLatencySamplingPercentage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmClearSimulatedIdle(x)
_PpmClearSimulatedIdle@4 proc near	; CODE XREF: NtPowerInformation+17240Cp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		push	ecx
		stosd
		stosd
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	ecx, eax
		pop	edi
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_64CEFD
		mov	eax, 0C000000Dh
		jmp	short loc_64CF5C
; 

loc_64CEFD:				; CODE XREF: PpmClearSimulatedIdle(x)+27j
		xor	eax, eax
		inc	eax
		push	ebx
		shl	eax, cl
		xor	ebx, ebx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_10]
		push	esi
		push	eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_18], ebx
		push	eax
		mov	[ebp+var_14], ebx
		call	KeSetSystemGroupAffinityThread
		mov	esi, large fs:20h
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [esi+3D70h]
		test	ecx, ecx
		jnz	short loc_64CF3C
		mov	ebx, 0C00000BBh
		jmp	short loc_64CF47
; 

loc_64CF3C:				; CODE XREF: PpmClearSimulatedIdle(x)+66j
		cmp	[ecx+1], bl
		jz	short loc_64CF47
		mov	[ecx+1], bl
		mov	[ecx+1Ch], ebx

loc_64CF47:				; CODE XREF: PpmClearSimulatedIdle(x)+6Dj
					; PpmClearSimulatedIdle(x)+72j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		pop	esi
		mov	eax, ebx
		pop	ebx

loc_64CF5C:				; CODE XREF: PpmClearSimulatedIdle(x)+2Ej
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmClearSimulatedIdle@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmExitCoordinatedIdleState(x, x)
_PpmExitCoordinatedIdleState@8 proc near ; CODE	XREF: PpmExitCoordinatedIdle+12BD2Cp

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= byte ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		lea	edi, [ebp+var_28]
		mov	edx, ecx
		xor	eax, eax
		push	8
		pop	ecx
		rep stosd
		mov	eax, ds:_PopCoordinatedIdleExitTimeout
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		mov	edx, [edx]
		mov	[ebp+var_20], eax
		mov	eax, ds:dword_70ED04
		mov	[esi], bl
		mov	[ebp+var_10], 1
		mov	[ebp+var_18], ebx
		mov	[ebp+var_1C], eax
		test	edx, edx
		jz	loc_64D02A
		mov	edi, [ebp+var_4]

loc_64CFAC:				; CODE XREF: PpmExitCoordinatedIdleState(x,x)+A1j
		mov	eax, edx
		test	edx, 4000000h
		jz	short loc_64CFDC
		movzx	ecx, large byte	ptr fs:51h
		and	eax, 0FA000FFFh
		or	ecx, 2000h
		shl	ecx, 0Ch
		or	ecx, eax
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_64D00D
		mov	edx, eax
		jmp	short loc_64D007
; 

loc_64CFDC:				; CODE XREF: PpmExitCoordinatedIdleState(x,x)+4Cj
		and	eax, 3000000h
		cmp	eax, 2000000h
		jnz	short loc_64CFFD
		movzx	eax, large byte	ptr fs:51h
		shr	edx, 0Ch
		and	edx, 0FFFh
		cmp	edx, eax
		jz	short loc_64D026

loc_64CFFD:				; CODE XREF: PpmExitCoordinatedIdleState(x,x)+7Ej
		lea	ecx, [ebp+var_28]
		call	_PpmIdleTransitionStall@4 ; PpmIdleTransitionStall(x)
		mov	edx, [edi]

loc_64D007:				; CODE XREF: PpmExitCoordinatedIdleState(x,x)+72j
		test	edx, edx
		jnz	short loc_64CFAC
		jmp	short loc_64D02A
; 

loc_64D00D:				; CODE XREF: PpmExitCoordinatedIdleState(x,x)+6Ej
		movzx	eax, large byte	ptr fs:51h
		and	edx, 0FFFh
		cmp	edx, eax
		mov	bl, 1
		setz	al
		mov	[esi], al
		jmp	short loc_64D02A
; 

loc_64D026:				; CODE XREF: PpmExitCoordinatedIdleState(x,x)+93j
		mov	bl, 1
		mov	[esi], bl

loc_64D02A:				; CODE XREF: PpmExitCoordinatedIdleState(x,x)+3Bj
					; PpmExitCoordinatedIdleState(x,x)+A3j	...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_PpmExitCoordinatedIdleState@8 endp


;  S U B	R O U T	I N E 


; __stdcall PpmGetIdleConstrainedMask(x)
_PpmGetIdleConstrainedMask@4 proc near	; CODE XREF: PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+147p
					; PoExecuteIdleCheck+12EE25p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		inc	eax
		xor	bl, bl
		push	edi
		movzx	edi, ds:_KeNumberNodes
		xor	ecx, ecx
		and	dword ptr [esi+4], 0
		mov	[esi], ax
		mov	[esi+2], ax
		and	dword ptr [esi+8], 0
		test	edi, edi
		jz	short loc_64D075
		xor	edx, edx

loc_64D05B:				; CODE XREF: PpmGetIdleConstrainedMask(x)+42j
		mov	eax, ds:_KeNodeBlock[ecx*4]
		or	edx, [eax+44h]
		mov	[esi+8], edx
		cmp	dword ptr [eax+44h], 0
		jz	short loc_64D070
		mov	bl, 1

loc_64D070:				; CODE XREF: PpmGetIdleConstrainedMask(x)+3Bj
		inc	ecx
		cmp	ecx, edi
		jb	short loc_64D05B

loc_64D075:				; CODE XREF: PpmGetIdleConstrainedMask(x)+26j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
_PpmGetIdleConstrainedMask@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmGetIdleGenerationCounter(x)
_PpmGetIdleGenerationCounter@4 proc near ; CODE	XREF: PpmPerfApplyProcessorState+81A7Cp
					; PpmPerfApplyProcessorState+81AACp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edi
		lea	eax, [edi+3D88h]
		mov	edi, eax

loc_64D093:				; CODE XREF: PpmGetIdleGenerationCounter(x)+2Aj
					; PpmGetIdleGenerationCounter(x)+2Ej
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		nop
		mov	ebx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_64D093
		cmp	edx, ecx
		jnz	short loc_64D093
		mov	edi, [ebp+var_C]
		mov	eax, esi
		or	eax, ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], ecx
		jz	short loc_64D0DD
		cmp	dword ptr [edi+3E38h], 3
		jnz	short loc_64D0DD
		lea	edx, [ebp+var_8]
		mov	ecx, edi
		call	_HvlGetIdleGenerationCounter@8 ; HvlGetIdleGenerationCounter(x,x)
		test	al, al
		jnz	short loc_64D0D7
		xor	esi, esi
		mov	ecx, esi
		jmp	short loc_64D0DD
; 

loc_64D0D7:				; CODE XREF: PpmGetIdleGenerationCounter(x)+54j
		mov	ecx, [ebp+var_4]
		mov	esi, [ebp+var_8]

loc_64D0DD:				; CODE XREF: PpmGetIdleGenerationCounter(x)+3Dj
					; PpmGetIdleGenerationCounter(x)+46j ...
		pop	edi
		mov	eax, esi
		mov	edx, ecx
		pop	esi
		pop	ebx
		leave
		retn
_PpmGetIdleGenerationCounter@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmGetPlatformSelectionVetoCounts(x, x, x)
_PpmGetPlatformSelectionVetoCounts@12 proc near	; CODE XREF: PopCalculateCsSummary(x,x)+36Bp
					; PopCaptureSleepStudyStatistics(x,x,x,x)+FEp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		mov	eax, ecx
		xor	ecx, ecx
		mov	[esi], ecx
		mov	[esi+4], ecx
		mov	[edi], ecx
		mov	[edi+4], ecx
		mov	ecx, ds:_PpmPlatformStates
		test	ecx, ecx
		jz	short loc_64D131
		cmp	eax, [ecx]
		jnb	short loc_64D131
		mov	ecx, [ecx+20h]
		imul	edx, eax, 3F0h
		mov	eax, [edx+ecx+58h]
		mov	[esi], eax
		mov	eax, [edx+ecx+5Ch]
		mov	[esi+4], eax
		mov	eax, [edx+ecx+50h]
		mov	[edi], eax
		mov	eax, [edx+ecx+54h]
		mov	[edi+4], eax

loc_64D131:				; CODE XREF: PpmGetPlatformSelectionVetoCounts(x,x,x)+22j
					; PpmGetPlatformSelectionVetoCounts(x,x,x)+26j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_PpmGetPlatformSelectionVetoCounts@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleCaptureCsVetoAccounting(x, x, x, x)
_PpmIdleCaptureCsVetoAccounting@16 proc	near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+50Ep

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8A		= byte ptr -8Ah
var_89		= dword	ptr -89h
var_84		= word ptr -84h
var_80		= dword	ptr -80h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ds:_PopWnfCsEnterScenarioId
		mov	[ebp+var_98], eax
		mov	eax, ds:dword_6C1D84
		push	ebx
		mov	[ebp+var_94], eax
		mov	ebx, ecx
		xor	eax, eax
		xor	ecx, ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_89+1]
		mov	byte ptr [ebp+var_89], cl
		stosd
		mov	[ebp+var_90], ecx
		stosd
		stosd
		stosd
		mov	eax, ds:_PpmPlatformStates
		test	eax, eax
		jz	loc_64D309
		cmp	[eax+4], ecx
		jz	loc_64D309
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PpmIdleVetoLock
		mov	[ebp+var_8A], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_PpmPlatformStates
		xor	edi, edi
		cmp	[ecx], edi
		jbe	short loc_64D1DA
		xor	esi, esi

loc_64D1BB:				; CODE XREF: PpmIdleCaptureCsVetoAccounting(x,x,x,x)+A1j
		add	ecx, 50h
		mov	dl, 4
		add	ecx, esi
		push	0
		call	_PpmIdleCsVetoAccountingUpdateBlock@12 ; PpmIdleCsVetoAccountingUpdateBlock(x,x,x)
		mov	ecx, ds:_PpmPlatformStates
		inc	edi
		add	esi, 0C0h
		cmp	edi, [ecx]
		jb	short loc_64D1BB

loc_64D1DA:				; CODE XREF: PpmIdleCaptureCsVetoAccounting(x,x,x,x)+80j
		cmp	ebx, 0FFFFFFFFh
		jz	loc_64D2E0
		mov	al, byte ptr [ebp+var_98]
		xor	esi, esi
		and	[ebp+var_74], 0
		and	[ebp+var_6C], 0
		and	[ebp+var_64], 0
		imul	edi, ebx, 0C0h
		mov	byte ptr [ebp+var_89], al
		lea	eax, [ebp+var_89]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_89+1]
		push	10h
		pop	edx
		add	edi, ecx
		mov	[ebp+var_89+1],	0AACCAACCh
		xor	ecx, ecx
		mov	[ebp+var_84], bx
		mov	[ebp+var_70], 1
		mov	[ebp+var_68], offset _GUID_SLEEPSTUDY_BLOCKER_PARENT_PREVETO
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], esi
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], esi
		cmp	[edi+60h], ecx
		jbe	loc_64D2E0

loc_64D253:				; CODE XREF: PpmIdleCaptureCsVetoAccounting(x,x,x,x)+1A3j
		imul	eax, esi, 38h
		add	eax, [edi+64h]
		lea	ebx, [eax+30h]
		cmp	[ebx+4], ecx
		ja	short loc_64D265
		cmp	[ebx], ecx
		jbe	short loc_64D2D6

loc_64D265:				; CODE XREF: PpmIdleCaptureCsVetoAccounting(x,x,x,x)+128j
		mov	eax, [eax+8]
		mov	edx, ds:_PpmIdleVetoList
		mov	[ebp+var_80], eax
		push	8
		movzx	eax, word ptr [edx+esi*8+4]
		shr	eax, 1
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_50], 4
		movzx	ecx, word ptr [edx+esi*8+4]
		mov	eax, [edx+esi*8+8]
		xor	edx, edx
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_40], ecx
		pop	ecx
		mov	[ebp+var_44], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], edx
		lea	edx, [ebp+var_78]
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], ecx
		call	_PopDiagTraceSleepStudyBlocker@8 ; PopDiagTraceSleepStudyBlocker(x,x)
		xor	ecx, ecx

loc_64D2D6:				; CODE XREF: PpmIdleCaptureCsVetoAccounting(x,x,x,x)+12Cj
		inc	esi
		cmp	esi, [edi+60h]
		jb	loc_64D253

loc_64D2E0:				; CODE XREF: PpmIdleCaptureCsVetoAccounting(x,x,x,x)+A6j
					; PpmIdleCaptureCsVetoAccounting(x,x,x,x)+116j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PpmIdleVetoLock
		jz	short loc_64D2F8
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64D2FD
; 

loc_64D2F8:				; CODE XREF: PpmIdleCaptureCsVetoAccounting(x,x,x,x)+1B5j
		xor	eax, eax
		lock and [ecx],	eax

loc_64D2FD:				; CODE XREF: PpmIdleCaptureCsVetoAccounting(x,x,x,x)+1BFj
		mov	cl, [ebp+var_8A]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_64D309:				; CODE XREF: PpmIdleCaptureCsVetoAccounting(x,x,x,x)+51j
					; PpmIdleCaptureCsVetoAccounting(x,x,x,x)+5Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PpmIdleCaptureCsVetoAccounting@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleCheckCoordinatedDependencies(x, x, x, x, x, x, x, x,	x, x, x)
_PpmIdleCheckCoordinatedDependencies@44	proc near
					; CODE XREF: PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+12Ap
					; PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+141p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+10h+var_4], edx
		mov	ebx, ecx
		cmp	[ebp+arg_10], edi
		jbe	short loc_64D3A4
		mov	esi, [ebp+arg_14]
		add	esi, 4

loc_64D339:				; CODE XREF: PpmIdleCheckCoordinatedDependencies(x,x,x,x,x,x,x,x,x,x,x)+88j
		mov	ecx, [esi-4]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_64D360
		push	[ebp+arg_20]
		mov	ecx, ebx
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	esi
		push	[ebp+arg_0]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_PpmIdleCheckCoordinatedDependency@40 ;	PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_64D391
; 

loc_64D360:				; CODE XREF: PpmIdleCheckCoordinatedDependencies(x,x,x,x,x,x,x,x,x,x,x)+25j
		cmp	ecx, [ebx+3CCh]
		jnz	short loc_64D37E
		push	[ebp+arg_18]
		mov	ecx, ebx
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_PpmIdleSelectCoordinatedProcessorDependency@28	; PpmIdleSelectCoordinatedProcessorDependency(x,x,x,x,x,x,x)
		jmp	short loc_64D391
; 

loc_64D37E:				; CODE XREF: PpmIdleCheckCoordinatedDependencies(x,x,x,x,x,x,x,x,x,x,x)+4Cj
		push	[ebp+arg_20]
		push	esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	edx, [ebp+arg_4]
		mov	ecx, eax
		call	_PpmIdleCheckCoordinatedProcessorDependency@16 ; PpmIdleCheckCoordinatedProcessorDependency(x,x,x,x)

loc_64D391:				; CODE XREF: PpmIdleCheckCoordinatedDependencies(x,x,x,x,x,x,x,x,x,x,x)+44j
					; PpmIdleCheckCoordinatedDependencies(x,x,x,x,x,x,x,x,x,x,x)+62j
		mov	ecx, eax
		or	eax, edx
		jnz	short loc_64D3A8
		mov	edx, [esp+10h+var_4]
		inc	edi
		add	esi, 0Ch
		cmp	edi, [ebp+arg_10]
		jb	short loc_64D339

loc_64D3A4:				; CODE XREF: PpmIdleCheckCoordinatedDependencies(x,x,x,x,x,x,x,x,x,x,x)+17j
		xor	ecx, ecx
		xor	edx, edx

loc_64D3A8:				; CODE XREF: PpmIdleCheckCoordinatedDependencies(x,x,x,x,x,x,x,x,x,x,x)+7Bj
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
_PpmIdleCheckCoordinatedDependencies@44	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleCheckCoordinatedDependency(x, x, x, x, x, x,	x, x, x, x)
_PpmIdleCheckCoordinatedDependency@40 proc near
					; CODE XREF: PpmIdleCheckCoordinatedDependencies(x,x,x,x,x,x,x,x,x,x,x)+3Fp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= word ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		or	[ebp+var_10], 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		and	[ebp+var_20], 0
		lea	edi, [ebp+var_38]
		stosd
		mov	ebx, ecx
		and	[ebp+var_C], 0
		mov	esi, 80000001h
		mov	[ebp+var_14], edx
		mov	edx, [ebp+arg_10]
		stosd
		mov	[ebp+var_8], ebx
		stosd
		mov	eax, [edx+4]
		xor	edi, edi
		and	[ebp+var_24], edi
		imul	ecx, [eax+4], 0C0h
		mov	eax, ds:_PpmPlatformStates
		mov	eax, [ecx+eax+78h]
		mov	ecx, [ebx+3CCh]
		shr	eax, cl
		and	eax, 0FFFFFF01h
		mov	[ebp+var_4], eax
		cmp	[edx], edi
		jbe	loc_64D589
		xor	ecx, ecx
		mov	[ebp+var_28], ecx

loc_64D417:				; CODE XREF: PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+1C3j
		mov	ebx, [edx+4]
		mov	edx, ds:_PpmPlatformStates
		add	ebx, ecx
		mov	[ebp+var_1C], edx
		mov	ecx, [ebx+4]
		mov	[ebp+var_2C], ecx
		imul	ecx, 0C0h
		mov	[ebp+var_18], ecx
		test	al, al
		jz	short loc_64D47D
		cmp	byte ptr [ebx+1], 0
		mov	ecx, [ebp+arg_18]
		mov	edx, [ecx+4]
		mov	[ebp+var_C], edx
		jz	loc_64D55D
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_10]
		or	[ebp+var_10], 0FFFFFFFFh
		push	ecx
		mov	ecx, [ebp+var_8]
		push	eax
		push	[ebp+arg_C]
		push	[ebp+var_2C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PpmIdleCheckCoordinatedStateEligibility@36 ; PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	edi, edx
		mov	ecx, esi
		or	ecx, edi
		jz	short loc_64D4EA
		jmp	loc_64D54F
; 

loc_64D47D:				; CODE XREF: PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+83j
		cmp	byte ptr [ebx+2], 0
		jz	loc_64D55D
		add	edx, 88h
		add	ecx, edx
		mov	edx, [ebp+arg_C]
		call	_PpmCheckCoordinatedIdleState@8	; PpmCheckCoordinatedIdleState(x,x)
		test	al, al
		jnz	short loc_64D4A7
		mov	esi, 8000000Bh

loc_64D4A0:				; CODE XREF: PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+108j
		xor	edi, edi
		jmp	loc_64D55A
; 

loc_64D4A7:				; CODE XREF: PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+E6j
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_1C]
		mov	eax, [eax+ecx+48h]
		cmp	eax, [ebp+arg_0]
		jbe	short loc_64D4BD
		mov	esi, 80000002h
		jmp	short loc_64D4A0
; 

loc_64D4BD:				; CODE XREF: PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+101j
		push	[ebp+arg_1C]
		sub	eax, [ebp+arg_0]
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_8]
		push	0
		push	0
		push	dword ptr [ebx+0Ch]
		push	dword ptr [ebx+8]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	eax
		push	[ebp+arg_C]
		call	_PpmIdleCheckCoordinatedDependencies@44	; PpmIdleCheckCoordinatedDependencies(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, edx
		mov	esi, eax
		or	eax, edi
		jnz	short loc_64D55A

loc_64D4EA:				; CODE XREF: PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+C3j
		cmp	byte ptr [ebx],	0
		jz	loc_64D57B
		mov	eax, [ebp+var_18]
		xor	esi, esi
		mov	ecx, [ebp+var_1C]
		add	eax, 70h
		mov	ebx, [ebp+var_8]
		add	ecx, eax
		xor	edi, edi
		xor	eax, eax
		mov	[ebp+var_30], ax
		mov	eax, [ecx+8]
		mov	[ebp+var_34], eax
		mov	[ebp+var_38], ecx

loc_64D514:				; CODE XREF: PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+17Cj
					; PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+18Cj
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_64D57B
		mov	ecx, [ebp+var_20]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		cmp	ebx, eax
		jz	short loc_64D514
		mov	edx, [ebp+arg_1C]
		mov	ecx, eax
		push	0
		call	_PpmTestAndLockProcessor@12 ; PpmTestAndLockProcessor(x,x,x)
		test	eax, eax
		jns	short loc_64D514
		mov	eax, [ebp+var_4]
		xor	edi, edi
		mov	esi, 80000005h
		test	al, al
		jz	short loc_64D55D

loc_64D54F:				; CODE XREF: PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+C5j
		mov	ecx, [ebp+arg_18]
		mov	edx, [ebp+var_C]
		call	_PpmIdleRollbackCoordinatedSelection@8 ; PpmIdleRollbackCoordinatedSelection(x,x)

loc_64D55A:				; CODE XREF: PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+EFj
					; PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+135j
		mov	eax, [ebp+var_4]

loc_64D55D:				; CODE XREF: PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+92j
					; PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+CEj ...
		mov	edx, [ebp+var_24]
		mov	ebx, [ebp+arg_10]
		inc	edx
		mov	ecx, [ebp+var_28]
		add	ecx, 10h
		mov	[ebp+var_24], edx
		mov	[ebp+var_28], ecx
		cmp	edx, [ebx]
		jnb	short loc_64D589
		mov	edx, ebx
		jmp	loc_64D417
; 

loc_64D57B:				; CODE XREF: PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+13Aj
					; PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+170j
		cmp	byte ptr [ebp+var_4], 0
		jz	short loc_64D589
		mov	ecx, [ebp+arg_14]
		mov	eax, [ebp+var_10]
		mov	[ecx], eax

loc_64D589:				; CODE XREF: PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+59j
					; PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+1BFj ...
		mov	edx, edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
_PpmIdleCheckCoordinatedDependency@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleCheckCoordinatedProcessorDependency(x, x, x,	x)
_PpmIdleCheckCoordinatedProcessorDependency@16 proc near
					; CODE XREF: PpmIdleCheckCoordinatedDependencies(x,x,x,x,x,x,x,x,x,x,x)+72p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	edi, edx
		mov	esi, ecx
		mov	edx, [ebp+arg_4]
		call	_PpmTestAndLockProcessor@12 ; PpmTestAndLockProcessor(x,x,x)
		test	eax, eax
		jns	short loc_64D5B7
		mov	eax, 80000005h

loc_64D5B3:				; CODE XREF: PpmIdleCheckCoordinatedProcessorDependency(x,x,x,x)+49j
		xor	edx, edx
		jmp	short loc_64D5E3
; 

loc_64D5B7:				; CODE XREF: PpmIdleCheckCoordinatedProcessorDependency(x,x,x,x)+18j
		mov	eax, ds:_PpmPlatformStates
		cmp	byte ptr [eax+0Ch], 0
		jz	short loc_64D5DF
		imul	ecx, [esi+3D9Ch], 44h
		mov	eax, [esi+3D70h]
		cmp	[ecx+eax+120h],	edi
		jbe	short loc_64D5DF
		mov	eax, 80000002h
		jmp	short loc_64D5B3
; 

loc_64D5DF:				; CODE XREF: PpmIdleCheckCoordinatedProcessorDependency(x,x,x,x)+2Cj
					; PpmIdleCheckCoordinatedProcessorDependency(x,x,x,x)+42j
		xor	eax, eax
		mov	edx, eax

loc_64D5E3:				; CODE XREF: PpmIdleCheckCoordinatedProcessorDependency(x,x,x,x)+21j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_PpmIdleCheckCoordinatedProcessorDependency@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleCheckCoordinatedStateEligibility(x, x, x, x,	x, x, x, x, x)
_PpmIdleCheckCoordinatedStateEligibility@36 proc near
					; CODE XREF: PpmIdleSelectStates+8B029p
					; PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+B6p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, [ecx+3D70h]
		push	ebx
		imul	ebx, [ebp+arg_C], 0C0h
		push	esi
		mov	esi, ds:_PpmPlatformStates
		push	edi
		mov	edi, [ebp+arg_18]
		mov	[esp+20h+var_C], edx
		lea	edx, [eax+54h]
		mov	[esp+20h+var_14], edx
		mov	[esp+20h+var_8], ecx
		cmp	byte ptr [ebx+esi+69h],	0
		mov	edx, [edi+4]
		mov	[esp+20h+var_10], esi
		mov	[esp+20h+var_4], edx
		jz	short loc_64D652
		cmp	byte ptr [eax+0BCh], 0
		jnz	short loc_64D667
		cmp	byte ptr [ecx+3D0h], 0
		jz	short loc_64D648

loc_64D640:				; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+7Cj
					; PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+A4j
		or	edi, 0FFFFFFFFh
		jmp	loc_64D770
; 

loc_64D648:				; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+55j
		mov	edi, 8000000Ch
		jmp	loc_64D770
; 

loc_64D652:				; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+43j
		add	eax, 0D8h
		push	eax
		lea	eax, [esi+70h]
		add	eax, ebx
		push	eax
		call	_KeIsSubsetAffinityEx@8	; KeIsSubsetAffinityEx(x,x)
		test	eax, eax
		jz	short loc_64D640

loc_64D667:				; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+4Cj
		mov	eax, [ebp+arg_10]
		lea	edx, [esi+88h]
		movzx	ecx, large byte	ptr fs:51h
		add	edx, ebx
		shl	eax, 1Bh
		or	ecx, eax
		xor	eax, eax
		or	ecx, 1000000h
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_64D640
		mov	ecx, [edi+4]
		mov	eax, [edi+0Ch]
		mov	edx, [ebp+arg_C]
		mov	[eax+ecx*4], edx
		mov	edx, esi
		inc	dword ptr [edi+4]
		lea	ecx, [edx+50h]
		add	ecx, ebx
		call	_PpmCheckIdleVeto@4 ; PpmCheckIdleVeto(x)
		mov	edi, eax
		xor	eax, eax
		mov	esi, eax
		mov	eax, edi
		or	eax, esi
		jz	short loc_64D6BE
		or	esi, 1
		jmp	loc_64D772
; 

loc_64D6BE:				; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+CBj
		mov	ecx, [ebp+arg_0]
		cmp	[ebx+edx+48h], ecx
		jbe	short loc_64D6D1
		mov	edi, 80000002h
		jmp	loc_64D770
; 

loc_64D6D1:				; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+DCj
		mov	eax, [ebx+edx+0C0h]
		xor	esi, esi
		test	eax, eax
		jz	short loc_64D6E8
		mov	edi, 80000004h
		jmp	loc_64D772
; 

loc_64D6E8:				; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+F3j
		mov	eax, [ebx+edx+4Ch]
		cmp	esi, [ebp+arg_8]
		jb	short loc_64D6FF
		ja	short loc_64D6F8
		cmp	eax, [ebp+arg_4]
		jbe	short loc_64D6FF

loc_64D6F8:				; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+108j
		mov	edi, 80000003h
		jmp	short loc_64D772
; 

loc_64D6FF:				; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+106j
					; PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+10Dj
		push	[esp+20h+var_14]
		sub	ecx, [ebx+edx+48h]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	dword ptr [ebx+edx+84h]
		push	dword ptr [ebx+edx+6Ch]
		mov	edx, [esp+34h+var_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	ecx
		push	[ebp+arg_10]
		mov	ecx, [esp+44h+var_8]
		call	_PpmIdleCheckCoordinatedDependencies@44	; PpmIdleCheckCoordinatedDependencies(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		mov	esi, edx
		mov	ecx, edi
		or	ecx, esi
		jnz	short loc_64D772
		mov	eax, [ebp+arg_14]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_64D748
		mov	edi, 80000001h
		jmp	short loc_64D770
; 

loc_64D748:				; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+156j
		mov	ecx, [esp+20h+var_14]
		call	_PpmIdleWaitForDependentTransitions@4 ;	PpmIdleWaitForDependentTransitions(x)
		test	eax, eax
		jns	short loc_64D75C
		mov	edi, 80000005h
		jmp	short loc_64D770
; 

loc_64D75C:				; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+16Aj
		mov	eax, [esp+20h+var_10]
		mov	eax, [ebx+eax+0C0h]
		test	eax, eax
		jz	short loc_64D77E
		mov	edi, 80000004h

loc_64D770:				; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+5Aj
					; PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+64j ...
		xor	esi, esi

loc_64D772:				; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+D0j
					; PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+FAj ...
		mov	ecx, [ebp+arg_18]
		mov	edx, [esp+20h+var_4]
		call	_PpmIdleRollbackCoordinatedSelection@8 ; PpmIdleRollbackCoordinatedSelection(x,x)

loc_64D77E:				; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+180j
		mov	eax, edi
		mov	edx, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_PpmIdleCheckCoordinatedStateEligibility@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleCheckProcessorStateEligibility(x, x,	x, x, x, x, x)
_PpmIdleCheckProcessorStateEligibility@28 proc near ; CODE XREF: PpmIdleSelectStates+8B1D5p
					; PpmIdleSelectCoordinatedProcessorDependency(x,x,x,x,x,x,x)+51p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ecx+3D70h]
		mov	eax, edx
		cmp	dword ptr [edi+24h], 3
		jnz	short loc_64D7B3
		cmp	ds:_PpmIdleVetoBias, 0
		jz	short loc_64D7B3
		push	0FFFFFFFEh
		pop	ecx
		xor	esi, esi
		jmp	loc_64D85C
; 

loc_64D7B3:				; CODE XREF: PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+13j
					; PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+1Cj
		push	ebx
		mov	ebx, [ebp+arg_C]
		imul	edx, ebx, 44h
		cmp	byte ptr [edx+edi+14Fh], 0
		jz	short loc_64D7CB
		mov	ecx, 8000000Ah
		jmp	short loc_64D7F3
; 

loc_64D7CB:				; CODE XREF: PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+37j
		cmp	eax, 0FFFFFFFFh
		jz	short loc_64D7DB
		cmp	ebx, eax
		jbe	short loc_64D7DB
		mov	ecx, 80000008h
		jmp	short loc_64D7F3
; 

loc_64D7DB:				; CODE XREF: PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+43j
					; PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+47j
		cmp	byte ptr [edx+edi+14Ah], 0
		jnz	short loc_64D7F7
		cmp	byte ptr [edi+0BBh], 0
		jz	short loc_64D7F7
		mov	ecx, 80000007h

loc_64D7F3:				; CODE XREF: PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+3Ej
					; PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+4Ej
		xor	esi, esi
		jmp	short loc_64D85B
; 

loc_64D7F7:				; CODE XREF: PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+58j
					; PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+61j
		xor	esi, esi
		cmp	[ebp+arg_10], 0
		jnz	short loc_64D844
		lea	ecx, [edi+130h]
		add	ecx, edx
		call	_PpmCheckIdleVeto@4 ; PpmCheckIdleVeto(x)
		mov	ecx, eax
		or	eax, esi
		jz	short loc_64D817
		or	esi, 1
		jmp	short loc_64D85B
; 

loc_64D817:				; CODE XREF: PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+85j
		mov	eax, [edx+edi+120h]
		cmp	eax, [ebp+arg_0]
		jbe	short loc_64D82A
		mov	ecx, 80000002h
		jmp	short loc_64D85B
; 

loc_64D82A:				; CODE XREF: PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+96j
		mov	eax, [edx+edi+124h]
		cmp	esi, [ebp+arg_8]
		jb	short loc_64D844
		ja	short loc_64D83D
		cmp	eax, [ebp+arg_4]
		jbe	short loc_64D844

loc_64D83D:				; CODE XREF: PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+ABj
		mov	ecx, 80000003h
		jmp	short loc_64D85B
; 

loc_64D844:				; CODE XREF: PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+72j
					; PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+A9j ...
		mov	eax, [edi+74h]
		test	eax, eax
		jz	short loc_64D859
		mov	ecx, [edi+88h]
		mov	edx, ebx
		call	eax
		mov	ecx, eax
		jmp	short loc_64D85B
; 

loc_64D859:				; CODE XREF: PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+BEj
		mov	ecx, esi

loc_64D85B:				; CODE XREF: PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+6Aj
					; PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+8Aj ...
		pop	ebx

loc_64D85C:				; CODE XREF: PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)+23j
		pop	edi
		mov	edx, esi
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	14h
_PpmIdleCheckProcessorStateEligibility@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleCompleteExitLatencyTrace(x, x, x, x,	x, x, x, x, x)
_PpmIdleCompleteExitLatencyTrace@36 proc near
					; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+128Bp

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	edx, edx
		js	short loc_64D8D2
		xor	ebx, ebx
		cmp	[ebp+arg_0], bl
		jz	short loc_64D8B6
		mov	eax, [esi+3D70h]
		mov	edx, [eax+38h]
		mov	edi, [eax+3Ch]
		mov	ecx, [ebp+arg_8]
		cmp	ecx, edi
		jb	short loc_64D8B6
		mov	eax, [ebp+arg_4]
		ja	short loc_64D897
		cmp	eax, edx
		jbe	short loc_64D8B6

loc_64D897:				; CODE XREF: PpmIdleCompleteExitLatencyTrace(x,x,x,x,x,x,x,x,x)+2Bj
		push	ebx
		push	989680h
		push	ds:dword_70ED2C
		sub	eax, edx
		push	ds:_PopQpcFrequency
		sbb	ecx, edi
		push	ecx
		push	eax
		call	PpmConvertTime
		jmp	short loc_64D8B9
; 

loc_64D8B6:				; CODE XREF: PpmIdleCompleteExitLatencyTrace(x,x,x,x,x,x,x,x,x)+13j
					; PpmIdleCompleteExitLatencyTrace(x,x,x,x,x,x,x,x,x)+26j ...
		mov	eax, [ebp+arg_C]

loc_64D8B9:				; CODE XREF: PpmIdleCompleteExitLatencyTrace(x,x,x,x,x,x,x,x,x)+4Ej
		mov	edx, [ebp+arg_14]
		lea	ecx, [ebp+arg_4]
		push	ecx
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_18]
		call	_PpmTraceExitLatency@24	; PpmTraceExitLatency(x,x,x,x,x,x)
		test	al, al
		jnz	short loc_64D8DE
		mov	ecx, esi

loc_64D8D2:				; CODE XREF: PpmIdleCompleteExitLatencyTrace(x,x,x,x,x,x,x,x,x)+Cj
		call	@PpmCancelExitLatencyTrace@4 ; PpmCancelExitLatencyTrace(x)

loc_64D8D7:				; CODE XREF: PpmIdleCompleteExitLatencyTrace(x,x,x,x,x,x,x,x,x)+87j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
; 

loc_64D8DE:				; CODE XREF: PpmIdleCompleteExitLatencyTrace(x,x,x,x,x,x,x,x,x)+68j
		mov	eax, [esi+3D70h]
		mov	[eax+3], bl
		mov	[eax+38h], ebx
		mov	[eax+3Ch], ebx
		jmp	short loc_64D8D7
_PpmIdleCompleteExitLatencyTrace@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleCsVetoAccountingDeviceUpdate(x, x)
_PpmIdleCsVetoAccountingDeviceUpdate@8 proc near
					; CODE XREF: PopFxPlatformStateAvailable(x,x)+9p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_PpmPlatformStates
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		cmp	dword ptr [eax+4], 0
		jz	short loc_64D95A
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PpmIdleVetoLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_PpmPlatformStates
		imul	edx, edi, 0C0h
		add	ecx, 50h
		push	esi
		add	ecx, edx
		mov	dl, 1
		call	_PpmIdleCsVetoAccountingUpdateBlock@12 ; PpmIdleCsVetoAccountingUpdateBlock(x,x,x)
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PpmIdleVetoLock
		jz	short loc_64D949
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64D94E
; 

loc_64D949:				; CODE XREF: PpmIdleCsVetoAccountingDeviceUpdate(x,x)+4Ej
		xor	eax, eax
		lock and [ecx],	eax

loc_64D94E:				; CODE XREF: PpmIdleCsVetoAccountingDeviceUpdate(x,x)+58j
		mov	cl, bl
		pop	ebx
		pop	edi
		pop	esi
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_64D95A:				; CODE XREF: PpmIdleCsVetoAccountingDeviceUpdate(x,x)+14j
		pop	edi
		pop	esi
		pop	ebp
		retn
_PpmIdleCsVetoAccountingDeviceUpdate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleCsVetoAccountingResiliencyUpdate(x)
_PpmIdleCsVetoAccountingResiliencyUpdate@4 proc	near
					; CODE XREF: PopPdcIdleResiliencyCallback(x,x)+72p
					; PopPdcIdleResiliencyCallback(x,x)+C6p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_PpmPlatformStates
		mov	[ebp+var_4], ecx
		test	eax, eax
		jz	short locret_64D9E4
		push	esi
		xor	esi, esi
		cmp	[eax+4], esi
		jz	short loc_64D9E3
		push	ebx
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PpmIdleVetoLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_PpmPlatformStates
		cmp	[ecx], esi
		jbe	short loc_64D9BF
		mov	edi, esi

loc_64D99A:				; CODE XREF: PpmIdleCsVetoAccountingResiliencyUpdate(x)+5Aj
		push	[ebp+var_4]
		add	ecx, 50h
		mov	dl, 2
		add	ecx, edi
		call	_PpmIdleCsVetoAccountingUpdateBlock@12 ; PpmIdleCsVetoAccountingUpdateBlock(x,x,x)
		mov	ecx, ds:_PpmPlatformStates
		inc	esi
		add	edi, 0C0h
		cmp	esi, [ecx]
		jb	short loc_64D99A
		mov	edi, offset _PpmIdleVetoLock

loc_64D9BF:				; CODE XREF: PpmIdleCsVetoAccountingResiliencyUpdate(x)+38j
		test	ds:byte_70EFC6,	1
		jz	short loc_64D9D4
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64D9D9
; 

loc_64D9D4:				; CODE XREF: PpmIdleCsVetoAccountingResiliencyUpdate(x)+68j
		xor	eax, eax
		lock and [edi],	eax

loc_64D9D9:				; CODE XREF: PpmIdleCsVetoAccountingResiliencyUpdate(x)+74j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	ebx

loc_64D9E3:				; CODE XREF: PpmIdleCsVetoAccountingResiliencyUpdate(x)+18j
		pop	esi

locret_64D9E4:				; CODE XREF: PpmIdleCsVetoAccountingResiliencyUpdate(x)+10j
		leave
		retn
_PpmIdleCsVetoAccountingResiliencyUpdate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleCsVetoAccountingUpdateBlock(x, x, x)
_PpmIdleCsVetoAccountingUpdateBlock@12 proc near
					; CODE XREF: PpmIdleCaptureCsVetoAccounting(x,x,x,x)+8Dp
					; PpmIdleCsVetoAccountingDeviceUpdate(x,x)+3Dp	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	al, [edi+0Ch]
		jnz	short loc_64DA67
		or	al, dl
		mov	[edi+0Ch], al
		cmp	al, dl
		jnz	loc_64DAA5
		lea	ecx, [ebp+var_14]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		xor	esi, esi
		mov	[ebp+var_4], eax
		mov	ebx, esi
		mov	[ebp+var_C], edx
		cmp	[edi+10h], esi
		jbe	loc_64DAA5
		mov	eax, esi
		mov	dword ptr [ebp+arg_0], esi

loc_64DA29:				; CODE XREF: PpmIdleCsVetoAccountingUpdateBlock(x,x,x)+7Dj
		mov	edx, [edi+14h]
		add	edx, eax
		mov	eax, [edx+28h]
		mov	ecx, [edx+2Ch]
		mov	[ebp+var_8], eax
		or	eax, ecx
		mov	[ebp+var_10], ecx
		jz	short loc_64DA56
		mov	ecx, [ebp+var_4]
		sub	ecx, [ebp+var_8]
		mov	eax, [ebp+var_C]
		sbb	eax, [ebp+var_10]
		add	[edx+30h], ecx
		mov	[edx+28h], esi
		adc	[edx+34h], eax
		mov	[edx+2Ch], esi

loc_64DA56:				; CODE XREF: PpmIdleCsVetoAccountingUpdateBlock(x,x,x)+56j
		mov	eax, dword ptr [ebp+arg_0]
		inc	ebx
		add	eax, 38h
		mov	dword ptr [ebp+arg_0], eax
		cmp	ebx, [edi+10h]
		jb	short loc_64DA29
		jmp	short loc_64DAA5
; 

loc_64DA67:				; CODE XREF: PpmIdleCsVetoAccountingUpdateBlock(x,x,x)+14j
		not	dl
		and	dl, al
		mov	[edi+0Ch], dl
		jnz	short loc_64DAA5
		lea	ecx, [ebp+var_14]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		xor	esi, esi
		mov	dword ptr [ebp+arg_0], edx
		mov	ebx, eax
		cmp	[edi+10h], esi
		jbe	short loc_64DAA5
		mov	edx, esi

loc_64DA86:				; CODE XREF: PpmIdleCsVetoAccountingUpdateBlock(x,x,x)+BDj
		mov	ecx, [edi+14h]
		add	ecx, edx
		mov	eax, [ecx+18h]
		or	eax, [ecx+1Ch]
		jz	short loc_64DA9C
		mov	eax, dword ptr [ebp+arg_0]
		mov	[ecx+28h], ebx
		mov	[ecx+2Ch], eax

loc_64DA9C:				; CODE XREF: PpmIdleCsVetoAccountingUpdateBlock(x,x,x)+ABj
		inc	esi
		add	edx, 38h
		cmp	esi, [edi+10h]
		jb	short loc_64DA86

loc_64DAA5:				; CODE XREF: PpmIdleCsVetoAccountingUpdateBlock(x,x,x)+1Dj
					; PpmIdleCsVetoAccountingUpdateBlock(x,x,x)+38j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PpmIdleCsVetoAccountingUpdateBlock@12 endp


;  S U B	R O U T	I N E 


; __stdcall PpmIdleEnableIdleDurationExpirationTimeout()
_PpmIdleEnableIdleDurationExpirationTimeout@0 proc near
					; CODE XREF: PopInitializeHeteroProcessors(x)+29Cp
		imul	eax, ds:_PpmIdleDurationExpirationTimeoutMs, 2710h
		and	ds:dword_70EE3C, 0
		mov	ds:_PpmIdleDurationExpirationTimeout, eax
		retn
_PpmIdleEnableIdleDurationExpirationTimeout@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleInstallConcurrency(x, x, x)
_PpmIdleInstallConcurrency@12 proc near	; DATA XREF: PpmParkUpdateConcurrencyTracking+8F3C4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	esi, [ebp+arg_4]
		mov	ebx, edx
		push	0
		mov	edi, eax
		xor	dl, dl
		push	ebx
		push	edi
		mov	ecx, esi
		call	_PpmIdleUpdateConcurrency@20 ; PpmIdleUpdateConcurrency(x,x,x,x,x)
		mov	eax, [ebp+arg_0]
		mov	[eax+3EC8h], esi
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_64DB0D
		push	0
		push	ebx
		push	edi
		xor	dl, dl
		mov	ecx, esi
		call	_PpmIdleUpdateConcurrency@20 ; PpmIdleUpdateConcurrency(x,x,x,x,x)
		mov	eax, [ebp+arg_0]
		mov	[eax+3ECCh], esi

loc_64DB0D:				; CODE XREF: PpmIdleInstallConcurrency(x,x,x)+32j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	0Ch
_PpmIdleInstallConcurrency@12 endp


;  S U B	R O U T	I N E 


; __stdcall PpmIdleLockProcessor(x)
_PpmIdleLockProcessor@4	proc near	; CODE XREF: PpmTestAndLockProcessor(x,x,x)+102p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, 0C000002Ah
		mov	eax, [ebx]

loc_64DB24:				; CODE XREF: PpmIdleLockProcessor(x)+40j
		mov	edx, eax
		shr	edx, 18h
		cmp	edx, 4
		jz	short loc_64DB33
		cmp	edx, 5
		jnz	short loc_64DB5A

loc_64DB33:				; CODE XREF: PpmIdleLockProcessor(x)+16j
		mov	ecx, eax
		mov	esi, eax
		and	ecx, 0FFFFFFh
		or	ecx, 5000000h
		lea	edx, [ecx+1]
		xor	edx, ecx
		and	edx, 0FFFFFFh
		xor	ecx, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, esi
		jnz	short loc_64DB24
		xor	edi, edi

loc_64DB5A:				; CODE XREF: PpmIdleLockProcessor(x)+1Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_PpmIdleLockProcessor@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdlePrevetoWatchdog(x, x, x, x)
_PpmIdlePrevetoWatchdog@16 proc	near	; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+FCp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_PpmPlatformStates
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	esi, esi
		mov	[ebx], esi
		mov	[edi], esi
		test	eax, eax
		jz	loc_64DC44
		cmp	[eax+4], esi
		jz	loc_64DC44
		mov	eax, ds:dword_6D4640
		cmp	ds:dword_6D4640, 0FFFFFFFFh
		mov	[ebp+var_8], eax
		jz	loc_64DC44
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PpmIdleVetoLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [ebp+var_1C]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		imul	ecx, [ebp+var_8], 0C0h
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edx
		add	ecx, ds:_PpmPlatformStates
		mov	eax, [ecx+60h]
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	short loc_64DC1E
		mov	ecx, [ecx+64h]

loc_64DBDB:				; CODE XREF: PpmIdlePrevetoWatchdog(x,x,x,x)+AAj
		mov	eax, [ecx+18h]
		mov	edx, [ecx+1Ch]
		mov	[ebp+var_8], eax
		or	eax, edx
		mov	[ebp+var_14], edx
		jz	short loc_64DC03
		mov	edx, [ebp+var_C]
		sub	edx, [ebp+var_8]
		mov	eax, [ebp+var_10]
		sbb	eax, [ebp+var_14]
		cmp	eax, [ebp+arg_4]
		ja	short loc_64DC0E
		jb	short loc_64DC03
		cmp	edx, [ebp+arg_0]
		jnb	short loc_64DC0E

loc_64DC03:				; CODE XREF: PpmIdlePrevetoWatchdog(x,x,x,x)+89j
					; PpmIdlePrevetoWatchdog(x,x,x,x)+9Cj
		inc	esi
		add	ecx, 38h
		cmp	esi, [ebp+var_18]
		jb	short loc_64DBDB
		jmp	short loc_64DC1E
; 

loc_64DC0E:				; CODE XREF: PpmIdlePrevetoWatchdog(x,x,x,x)+9Aj
					; PpmIdlePrevetoWatchdog(x,x,x,x)+A1j
		mov	eax, [ecx+8]
		mov	[ebx], eax
		mov	eax, ds:_PpmIdleVetoList
		mov	eax, [eax+esi*8+8]
		mov	[edi], eax

loc_64DC1E:				; CODE XREF: PpmIdlePrevetoWatchdog(x,x,x,x)+76j
					; PpmIdlePrevetoWatchdog(x,x,x,x)+ACj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PpmIdleVetoLock
		jz	short loc_64DC36
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64DC3B
; 

loc_64DC36:				; CODE XREF: PpmIdlePrevetoWatchdog(x,x,x,x)+CAj
		xor	eax, eax
		lock and [ecx],	eax

loc_64DC3B:				; CODE XREF: PpmIdlePrevetoWatchdog(x,x,x,x)+D4j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_64DC44:				; CODE XREF: PpmIdlePrevetoWatchdog(x,x,x,x)+1Cj
					; PpmIdlePrevetoWatchdog(x,x,x,x)+25j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PpmIdlePrevetoWatchdog@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleRecheckCoordinatedIdleMask(x, x, x)
_PpmIdleRecheckCoordinatedIdleMask@12 proc near
					; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+7D1p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	edx, ds:_PpmPlatformStates
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	short loc_64DCDC
		xor	eax, eax
		mov	[ebp+var_14], ebx
		inc	eax
		push	esi
		mov	esi, [ecx+0E8h]
		mov	word ptr [ebp+var_18], ax
		mov	word ptr [ebp+var_18+2], ax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_10], eax
		mov	eax, [esi+4]
		mov	[ebp+var_C], eax
		push	edi
		mov	edi, ebx
		test	eax, eax
		jz	short loc_64DCDA
		mov	ecx, ebx
		add	esi, 8
		mov	[ebp+arg_0], ecx

loc_64DC96:				; CODE XREF: PpmIdleRecheckCoordinatedIdleMask(x,x,x)+89j
		cmp	dword ptr [esi], 0FFFFFFFFh
		jnz	short loc_64DCC8
		lea	eax, [ebp+var_18]
		add	edx, 70h
		push	eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+0F8h]
		imul	eax, [ecx+eax+4], 0C0h
		add	eax, edx
		push	eax
		call	_KeIsSubsetAffinityEx@8	; KeIsSubsetAffinityEx(x,x)
		test	eax, eax
		jnz	short loc_64DCD8
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+var_8]
		mov	eax, [ebp+var_C]

loc_64DCC8:				; CODE XREF: PpmIdleRecheckCoordinatedIdleMask(x,x,x)+4Ej
		inc	edi
		add	ecx, 10h
		add	esi, 4
		mov	[ebp+arg_0], ecx
		cmp	edi, eax
		jb	short loc_64DC96
		jmp	short loc_64DCDA
; 

loc_64DCD8:				; CODE XREF: PpmIdleRecheckCoordinatedIdleMask(x,x,x)+72j
		mov	bl, 1

loc_64DCDA:				; CODE XREF: PpmIdleRecheckCoordinatedIdleMask(x,x,x)+41j
					; PpmIdleRecheckCoordinatedIdleMask(x,x,x)+8Bj
		pop	edi
		pop	esi

loc_64DCDC:				; CODE XREF: PpmIdleRecheckCoordinatedIdleMask(x,x,x)+19j
		mov	al, bl
		pop	ebx
		leave
		retn	4
_PpmIdleRecheckCoordinatedIdleMask@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleRemoveConcurrency(x,	x, x)
_PpmIdleRemoveConcurrency@12 proc near	; DATA XREF: PpmParkRegisterParking+83BBBo
					; PpmParkUpdateConcurrencyTracking+8F37Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [esi+3EC8h]
		test	edi, edi
		jz	short loc_64DD39
		push	ebx
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ebx, eax
		mov	ecx, edi
		mov	eax, edx
		mov	dl, 1
		push	0
		push	eax
		push	ebx
		mov	[ebp+arg_0], eax
		call	_PpmIdleUpdateConcurrency@20 ; PpmIdleUpdateConcurrency(x,x,x,x,x)
		mov	ecx, [esi+3ECCh]
		xor	edi, edi
		mov	[esi+3EC8h], edi
		test	ecx, ecx
		jz	short loc_64DD38
		push	edi
		push	[ebp+arg_0]
		mov	dl, 1
		push	ebx
		call	_PpmIdleUpdateConcurrency@20 ; PpmIdleUpdateConcurrency(x,x,x,x,x)
		mov	[esi+3ECCh], edi

loc_64DD38:				; CODE XREF: PpmIdleRemoveConcurrency(x,x,x)+41j
		pop	ebx

loc_64DD39:				; CODE XREF: PpmIdleRemoveConcurrency(x,x,x)+12j
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	0Ch
_PpmIdleRemoveConcurrency@12 endp


;  S U B	R O U T	I N E 


; __stdcall PpmIdleRollbackCoordinatedSelection(x, x)
_PpmIdleRollbackCoordinatedSelection@8 proc near ; CODE	XREF: PpmIdleSelectStates+8B0EEp
					; PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+1A2p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+4]
		jmp	short loc_64DD68
; 

loc_64DD4C:				; CODE XREF: PpmIdleRollbackCoordinatedSelection(x,x)+29j
		mov	eax, [edi+0Ch]
		imul	ecx, [eax+esi*4-4], 0C0h
		dec	esi
		mov	eax, ds:_PpmPlatformStates
		mov	dword ptr [ecx+eax+88h], 0

loc_64DD68:				; CODE XREF: PpmIdleRollbackCoordinatedSelection(x,x)+9j
		cmp	esi, edx
		ja	short loc_64DD4C
		mov	[edi+4], edx
		pop	edi
		pop	esi
		retn
_PpmIdleRollbackCoordinatedSelection@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleSelectCoordinatedProcessorDependency(x, x, x, x, x, x, x)
_PpmIdleSelectCoordinatedProcessorDependency@28	proc near
					; CODE XREF: PpmIdleCheckCoordinatedDependencies(x,x,x,x,x,x,x,x,x,x,x)+5Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	edi
		mov	edi, [ebp+arg_C]
		mov	eax, 80000001h
		mov	[ebp+var_C], edx
		xor	edx, edx
		mov	[ebp+var_10], ecx
		mov	ebx, edx
		mov	[ebp+var_4], eax
		cmp	[edi], edx
		jbe	short loc_64DDF0
		mov	eax, edx
		mov	[ebp+arg_C], eax
		push	esi

loc_64DD9B:				; CODE XREF: PpmIdleSelectCoordinatedProcessorDependency(x,x,x,x,x,x,x)+6Ej
		mov	esi, [edi+4]
		add	esi, eax
		cmp	byte ptr [esi+1], 0
		jz	short loc_64DDD7
		cmp	ds:_PpmIdleCoordinatedMode, 0
		mov	edx, [ebp+var_C]
		setz	byte ptr [ebp+var_8]
		push	[ebp+var_8]
		push	dword ptr [esi+4]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PpmIdleCheckProcessorStateEligibility@28 ; PpmIdleCheckProcessorStateEligibility(x,x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_4], eax
		or	ecx, edx
		jz	short loc_64DDE4
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_10]

loc_64DDD7:				; CODE XREF: PpmIdleSelectCoordinatedProcessorDependency(x,x,x,x,x,x,x)+32j
		inc	ebx
		add	eax, 10h
		mov	[ebp+arg_C], eax
		cmp	ebx, [edi]
		jb	short loc_64DD9B
		jmp	short loc_64DDEC
; 

loc_64DDE4:				; CODE XREF: PpmIdleSelectCoordinatedProcessorDependency(x,x,x,x,x,x,x)+5Dj
		mov	eax, [ebp+arg_10]
		mov	ecx, [esi+4]
		mov	[eax], ecx

loc_64DDEC:				; CODE XREF: PpmIdleSelectCoordinatedProcessorDependency(x,x,x,x,x,x,x)+70j
		mov	eax, [ebp+var_4]
		pop	esi

loc_64DDF0:				; CODE XREF: PpmIdleSelectCoordinatedProcessorDependency(x,x,x,x,x,x,x)+21j
		pop	edi
		pop	ebx
		leave
		retn	14h
_PpmIdleSelectCoordinatedProcessorDependency@28	endp


;  S U B	R O U T	I N E 


; __stdcall PpmIdleSetSynchronizationState(x, x)
_PpmIdleSetSynchronizationState@8 proc near
					; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+131p
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+351p	...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		movzx	esi, dl
		shl	esi, 18h
		mov	eax, [edi]

loc_64DE04:				; CODE XREF: PpmIdleSetSynchronizationState(x,x)+20j
		mov	ecx, eax
		mov	edx, eax
		and	ecx, 0FFFFFFh
		or	ecx, esi
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_64DE04
		pop	edi
		shr	eax, 18h
		pop	esi
		retn
_PpmIdleSetSynchronizationState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleSnapConcurrencyIdleTime(x, x, x)
_PpmIdleSnapConcurrencyIdleTime@12 proc	near ; CODE XREF: PpmParkSnapNodeIdleTime(x,x,x)+59p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	0
		mov	edi, edx
		mov	esi, ecx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ebx, eax
		mov	[ebp+var_8], edx
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi+14h]
		mov	eax, [esi+10h]
		mov	[ebp+var_C], ecx
		cmp	[ebp+var_8], ecx
		jb	short loc_64DE80
		ja	short loc_64DE5D
		cmp	ebx, eax
		jbe	short loc_64DE80

loc_64DE5D:				; CODE XREF: PpmIdleSnapConcurrencyIdleTime(x,x,x)+39j
		mov	ecx, ebx
		mov	[esi+10h], ebx
		sub	ecx, eax
		mov	eax, [ebp+var_8]
		mov	edx, eax
		mov	[esi+14h], eax
		sbb	edx, [ebp+var_C]
		add	[esi+18h], ecx
		mov	eax, [esi+8]
		adc	[esi+1Ch], edx
		add	[esi+eax*8+20h], ecx
		adc	[esi+eax*8+24h], edx

loc_64DE80:				; CODE XREF: PpmIdleSnapConcurrencyIdleTime(x,x,x)+37j
					; PpmIdleSnapConcurrencyIdleTime(x,x,x)+3Dj
		test	ds:byte_70EFC6,	1
		mov	eax, [esi+18h]
		mov	ecx, [ebp+arg_0]
		mov	[edi], eax
		mov	eax, [esi+1Ch]
		mov	[edi+4], eax
		mov	eax, [esi+20h]
		mov	[ecx], eax
		mov	eax, [esi+24h]
		mov	[ecx+4], eax
		jz	short loc_64DEAE
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64DEB3
; 

loc_64DEAE:				; CODE XREF: PpmIdleSnapConcurrencyIdleTime(x,x,x)+82j
		xor	eax, eax
		lock and [esi],	eax

loc_64DEB3:				; CODE XREF: PpmIdleSnapConcurrencyIdleTime(x,x,x)+8Ej
		cmp	[ebp+var_1], 0
		pop	edi
		pop	esi
		pop	ebx
		jz	short locret_64DEBD
		sti

locret_64DEBD:				; CODE XREF: PpmIdleSnapConcurrencyIdleTime(x,x,x)+9Cj
		leave
		retn	4
_PpmIdleSnapConcurrencyIdleTime@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleStartCsVetoAccounting()
_PpmIdleStartCsVetoAccounting@0	proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+463p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_PpmPlatformStates
		test	eax, eax
		jz	locret_64DF71
		cmp	dword ptr [eax+4], 0
		jz	locret_64DF71
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	esi, offset _PpmIdleVetoLock
		mov	ecx, esi
		mov	[ebp+var_1], bl
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_PpmPlatformStates
		xor	edi, edi
		cmp	[ecx], edi
		jbe	short loc_64DF4C
		xor	esi, esi

loc_64DF06:				; CODE XREF: PpmIdleStartCsVetoAccounting()+81j
		add	ecx, 50h
		xor	ebx, ebx
		add	ecx, esi
		cmp	[ecx+10h], ebx
		jbe	short loc_64DF2A
		xor	edx, edx

loc_64DF14:				; CODE XREF: PpmIdleStartCsVetoAccounting()+67j
		mov	eax, [ecx+14h]
		add	eax, edx
		add	edx, 38h
		and	dword ptr [eax+30h], 0
		and	dword ptr [eax+34h], 0
		inc	ebx
		cmp	ebx, [ecx+10h]
		jb	short loc_64DF14

loc_64DF2A:				; CODE XREF: PpmIdleStartCsVetoAccounting()+4Fj
		push	1
		mov	dl, 4
		call	_PpmIdleCsVetoAccountingUpdateBlock@12 ; PpmIdleCsVetoAccountingUpdateBlock(x,x,x)
		mov	ecx, ds:_PpmPlatformStates
		inc	edi
		add	esi, 0C0h
		cmp	edi, [ecx]
		jb	short loc_64DF06
		mov	bl, [ebp+var_1]
		mov	esi, offset _PpmIdleVetoLock

loc_64DF4C:				; CODE XREF: PpmIdleStartCsVetoAccounting()+41j
		test	ds:byte_70EFC6,	1
		jz	short loc_64DF61
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64DF66
; 

loc_64DF61:				; CODE XREF: PpmIdleStartCsVetoAccounting()+92j
		xor	eax, eax
		lock and [esi],	eax

loc_64DF66:				; CODE XREF: PpmIdleStartCsVetoAccounting()+9Ej
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx

locret_64DF71:				; CODE XREF: PpmIdleStartCsVetoAccounting()+Dj
					; PpmIdleStartCsVetoAccounting()+17j
		leave
		retn
_PpmIdleStartCsVetoAccounting@0	endp


;  S U B	R O U T	I N E 


; __stdcall PpmIdleTransitionStall(x)
_PpmIdleTransitionStall@4 proc near	; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+308p
					; PoInitiateProcessorWake(x)+14Ap ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi]
		or	eax, [esi+4]
		jnz	short loc_64DF8D
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[esi], eax
		mov	[esi+4], edx
		jmp	short loc_64DFE5
; 

loc_64DF8D:				; CODE XREF: PpmIdleTransitionStall(x)+Aj
		inc	dword ptr [esi+14h]
		cmp	dword ptr [esi+14h], 3E8h
		jnz	short loc_64DFE5
		push	edi
		xor	edi, edi
		push	edi
		mov	[esi+14h], edi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		sub	eax, [esi]
		sbb	edx, [esi+4]
		cmp	edx, [esi+0Ch]
		jb	short loc_64DFE4
		ja	short loc_64DFB7
		cmp	eax, [esi+8]
		jbe	short loc_64DFE4

loc_64DFB7:				; CODE XREF: PpmIdleTransitionStall(x)+3Dj
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_64DFDA
		push	dword ptr [eax+3CCh]
		push	eax
		push	dword ptr [eax+3D9Ch]
		push	701h

loc_64DFD0:				; CODE XREF: PpmIdleTransitionStall(x)+6Fj
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_64DFDA:				; CODE XREF: PpmIdleTransitionStall(x)+49j
		push	edi
		push	edi
		push	edi
		push	704h
		jmp	short loc_64DFD0
; 

loc_64DFE4:				; CODE XREF: PpmIdleTransitionStall(x)+3Bj
					; PpmIdleTransitionStall(x)+42j
		pop	edi

loc_64DFE5:				; CODE XREF: PpmIdleTransitionStall(x)+18j
					; PpmIdleTransitionStall(x)+24j
		cmp	byte ptr [esi+18h], 0
		jz	short loc_64DFF0
		call	KiPollFreezeExecution

loc_64DFF0:				; CODE XREF: PpmIdleTransitionStall(x)+76j
		pause
		pop	esi
		retn
_PpmIdleTransitionStall@4 endp ; sp = -4


;  S U B	R O U T	I N E 


; __stdcall PpmIdleUnlockProcessor(x)
_PpmIdleUnlockProcessor@4 proc near	; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+120Bp
					; PpmUnlockProcessors(x,x)+72p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, 0FFFFFFh
		push	edi
		mov	eax, [esi]

loc_64E002:				; CODE XREF: PpmIdleUnlockProcessor(x)+47j
		lea	edx, [eax-1]
		mov	edi, eax
		xor	edx, eax
		and	edx, ebx
		xor	edx, eax
		test	edx, ebx
		jnz	short loc_64E033
		mov	ecx, eax
		shr	ecx, 18h
		sub	ecx, 5
		jz	short loc_64E02B
		dec	ecx
		sub	ecx, 1
		jnz	short loc_64E033
		and	edx, ebx
		or	edx, 6000000h
		jmp	short loc_64E033
; 

loc_64E02B:				; CODE XREF: PpmIdleUnlockProcessor(x)+25j
		and	edx, ebx
		or	edx, 4000000h

loc_64E033:				; CODE XREF: PpmIdleUnlockProcessor(x)+1Bj
					; PpmIdleUnlockProcessor(x)+2Bj ...
		mov	ecx, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edi
		jnz	short loc_64E002
		pop	edi
		shr	edx, 18h
		pop	esi
		mov	al, dl
		pop	ebx
		retn
_PpmIdleUnlockProcessor@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleUpdateConcurrency(x,	x, x, x, x)
_PpmIdleUpdateConcurrency@20 proc near	; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+898p
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+8AFp	...

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1], dl
		mov	esi, ecx
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, esi
		mov	[ebp+var_2], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [esi+14h]
		mov	ebx, [ebp+arg_4]
		mov	ecx, [esi+8]
		mov	edi, [esi+10h]
		mov	[ebp+var_8], eax
		cmp	ebx, eax
		jb	short loc_64E0A3
		mov	eax, [ebp+arg_0]
		ja	short loc_64E080
		cmp	eax, edi
		jbe	short loc_64E0A3

loc_64E080:				; CODE XREF: PpmIdleUpdateConcurrency(x,x,x,x,x)+34j
		mov	edx, eax
		mov	[esi+10h], eax
		sub	edx, edi
		mov	[esi+14h], ebx
		mov	edi, ebx
		sbb	edi, [ebp+var_8]
		cmp	[ebp+arg_8], 0
		jz	short loc_64E0A3
		add	[esi+18h], edx
		adc	[esi+1Ch], edi
		add	[esi+ecx*8+20h], edx
		adc	[esi+ecx*8+24h], edi

loc_64E0A3:				; CODE XREF: PpmIdleUpdateConcurrency(x,x,x,x,x)+2Fj
					; PpmIdleUpdateConcurrency(x,x,x,x,x)+38j ...
		cmp	[ebp+var_1], 0
		jnz	short loc_64E0AC
		inc	ecx
		jmp	short loc_64E0AD
; 

loc_64E0AC:				; CODE XREF: PpmIdleUpdateConcurrency(x,x,x,x,x)+61j
		dec	ecx

loc_64E0AD:				; CODE XREF: PpmIdleUpdateConcurrency(x,x,x,x,x)+64j
		mov	[esi+8], ecx
		test	ds:byte_70EFC6,	1
		jz	short loc_64E0C5
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64E0CA
; 

loc_64E0C5:				; CODE XREF: PpmIdleUpdateConcurrency(x,x,x,x,x)+71j
		xor	eax, eax
		lock and [esi],	eax

loc_64E0CA:				; CODE XREF: PpmIdleUpdateConcurrency(x,x,x,x,x)+7Dj
		cmp	[ebp+var_2], 0
		pop	edi
		pop	esi
		pop	ebx
		jz	short locret_64E0D4
		sti

locret_64E0D4:				; CODE XREF: PpmIdleUpdateConcurrency(x,x,x,x,x)+8Bj
		leave
		retn	0Ch
_PpmIdleUpdateConcurrency@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleUpdateSynchronizationState(x, x, x)
_PpmIdleUpdateSynchronizationState@12 proc near	; CODE XREF: PoInitiateProcessorWake(x)+91p
					; PoInitiateProcessorWake(x)+CFp

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		movzx	edi, [ebp+arg_0]
		mov	eax, [ebx]
		mov	esi, eax
		shr	esi, 18h
		cmp	esi, edi
		jnz	short loc_64E114
		movzx	esi, dl
		shl	esi, 18h

loc_64E0F7:				; CODE XREF: PpmIdleUpdateSynchronizationState(x,x,x)+3Aj
		mov	ecx, eax
		mov	edx, eax
		and	ecx, 0FFFFFFh
		or	ecx, esi
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jz	short loc_64E114
		mov	ecx, eax
		shr	ecx, 18h
		cmp	ecx, edi
		jz	short loc_64E0F7

loc_64E114:				; CODE XREF: PpmIdleUpdateSynchronizationState(x,x,x)+17j
					; PpmIdleUpdateSynchronizationState(x,x,x)+31j
		pop	edi
		pop	esi
		shr	eax, 18h
		pop	ebx
		pop	ebp
		retn	4
_PpmIdleUpdateSynchronizationState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleWaitForDependentTransitions(x)
_PpmIdleWaitForDependentTransitions@4 proc near
					; CODE XREF: PpmIdleCheckCoordinatedStateEligibility(x,x,x,x,x,x,x,x,x)+163p

var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= byte ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		xor	eax, eax
		push	esi
		mov	[ebp+var_C], eax
		xor	esi, esi
		mov	eax, [ecx+8]
		push	edi
		mov	[ebp+var_4], esi
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], ecx

loc_64E13C:				; CODE XREF: PpmIdleWaitForDependentTransitions(x)+73j
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_64E1B7
		mov	ecx, [ebp+var_4]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ebx, eax
		lea	edi, [ebp+var_38]
		push	8
		xor	eax, eax
		pop	ecx
		mov	edx, [ebx+3D70h]
		rep stosd
		mov	eax, ds:_PopIdleTransitionTimeout
		lea	edi, [edx+80h]
		mov	[ebp+var_30], eax
		mov	eax, ds:dword_70ED0C
		mov	[ebp+var_8], edx
		mov	[ebp+var_20], 1
		mov	[ebp+var_28], ebx
		mov	[ebp+var_2C], eax

loc_64E187:				; CODE XREF: PpmIdleWaitForDependentTransitions(x)+92j
		mov	ecx, [edx+88h]
		call	dword ptr [edi]
		test	al, al
		jnz	short loc_64E13C
		mov	eax, [ebx+3DA8h]
		and	eax, 0FF000000h
		cmp	eax, 5000000h
		jnz	short loc_64E1B2
		lea	ecx, [ebp+var_38]
		call	_PpmIdleTransitionStall@4 ; PpmIdleTransitionStall(x)
		mov	edx, [ebp+var_8]
		jmp	short loc_64E187
; 

loc_64E1B2:				; CODE XREF: PpmIdleWaitForDependentTransitions(x)+85j
		mov	esi, 0C000002Ah

loc_64E1B7:				; CODE XREF: PpmIdleWaitForDependentTransitions(x)+2Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PpmIdleWaitForDependentTransitions@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmInstallNewIdleDomains(x,	x, x)
_PpmInstallNewIdleDomains@12 proc near	; DATA XREF: PpmUpdateIdleDomains(x)+51o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	eax, [eax+3D70h]
		test	eax, eax
		jz	short loc_64E208
		mov	esi, [ebp+arg_4]
		mov	edx, [eax+20h]
		cmp	edx, [esi+4]
		jnz	short loc_64E208
		xor	ecx, ecx
		push	ebx
		mov	ebx, ecx
		test	edx, edx
		jz	short loc_64E205
		lea	edx, [eax+10Ch]
		lea	ecx, [esi+14h]
		push	edi

loc_64E1EF:				; CODE XREF: PpmInstallNewIdleDomains(x,x,x)+42j
		mov	esi, ecx
		mov	edi, edx
		inc	ebx
		add	ecx, 0Ch
		add	edx, 44h
		movsd
		movsd
		movsd
		cmp	ebx, [eax+20h]
		jb	short loc_64E1EF
		xor	ecx, ecx
		pop	edi

loc_64E205:				; CODE XREF: PpmInstallNewIdleDomains(x,x,x)+25j
		pop	ebx
		jmp	short loc_64E20D
; 

loc_64E208:				; CODE XREF: PpmInstallNewIdleDomains(x,x,x)+11j
					; PpmInstallNewIdleDomains(x,x,x)+1Cj
		mov	ecx, 0C000000Dh

loc_64E20D:				; CODE XREF: PpmInstallNewIdleDomains(x,x,x)+48j
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	0Ch
_PpmInstallNewIdleDomains@12 endp


;  S U B	R O U T	I N E 


; __stdcall PpmInternalPlatformIdleVeto(x, x)
_PpmInternalPlatformIdleVeto@8 proc near ; CODE	XREF: PopPowerInformationInternal+1719B4p
		mov	edi, edi
		push	esi
		mov	esi, ds:_PpmPlatformStates
		mov	eax, ecx
		test	esi, esi
		jnz	short loc_64E22A
		mov	ecx, 0C00000ABh
		jmp	short loc_64E258
; 

loc_64E22A:				; CODE XREF: PpmInternalPlatformIdleVeto(x,x)+Dj
		cmp	eax, [esi]
		jb	short loc_64E235
		mov	ecx, 0C00000EFh
		jmp	short loc_64E258
; 

loc_64E235:				; CODE XREF: PpmInternalPlatformIdleVeto(x,x)+18j
		imul	eax, 0C0h
		xor	ecx, ecx
		add	eax, 50h
		add	eax, esi
		test	dl, dl
		jz	short loc_64E250
		mov	edx, 80000000h
		lock or	[eax], edx
		jmp	short loc_64E258
; 

loc_64E250:				; CODE XREF: PpmInternalPlatformIdleVeto(x,x)+30j
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx

loc_64E258:				; CODE XREF: PpmInternalPlatformIdleVeto(x,x)+14j
					; PpmInternalPlatformIdleVeto(x,x)+1Fj	...
		mov	eax, ecx
		pop	esi
		retn
_PpmInternalPlatformIdleVeto@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmInternalProcessorIdleVeto(x, x, x)
_PpmInternalProcessorIdleVeto@12 proc near ; CODE XREF:	PopPowerInformationInternal+171984p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		cmp	ecx, ds:_KeNumberProcessors
		jb	short loc_64E273
		mov	ecx, 0C00000EFh
		jmp	short loc_64E2B8
; 

loc_64E273:				; CODE XREF: PpmInternalProcessorIdleVeto(x,x,x)+Ej
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	edx, [eax+3D70h]
		test	edx, edx
		jnz	short loc_64E289
		mov	ecx, 0C00000ABh
		jmp	short loc_64E2B8
; 

loc_64E289:				; CODE XREF: PpmInternalProcessorIdleVeto(x,x,x)+24j
		cmp	esi, [edx+20h]
		jb	short loc_64E295
		mov	ecx, 0C00000F0h
		jmp	short loc_64E2B8
; 

loc_64E295:				; CODE XREF: PpmInternalProcessorIdleVeto(x,x,x)+30j
		imul	eax, esi, 44h
		xor	ecx, ecx
		add	eax, 130h
		add	eax, edx
		cmp	[ebp+arg_0], cl
		jz	short loc_64E2B0
		mov	edx, 80000000h
		lock or	[eax], edx
		jmp	short loc_64E2B8
; 

loc_64E2B0:				; CODE XREF: PpmInternalProcessorIdleVeto(x,x,x)+48j
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx

loc_64E2B8:				; CODE XREF: PpmInternalProcessorIdleVeto(x,x,x)+15j
					; PpmInternalProcessorIdleVeto(x,x,x)+2Bj ...
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	4
_PpmInternalProcessorIdleVeto@12 endp


;  S U B	R O U T	I N E 


; __stdcall PpmQueryDripsResidency()
_PpmQueryDripsResidency@0 proc near	; DATA XREF: PopPdcRegister+A0o
		mov	ecx, ds:dword_6D4640
		jmp	$+5
_PpmQueryDripsResidency@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmQueryPlatformStateResidency(x, x)
_PpmQueryPlatformStateResidency@8 proc near
					; CODE XREF: PopQueryBootSessionStandbyActivationInfo(x)+27p
					; PopCalculateIdleInformation(x)+43p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ds:_PpmPlatformStates
		push	ebx
		or	ebx, 0FFFFFFFFh
		mov	[ebp+var_4], ebx
		push	esi
		mov	esi, ecx
		test	eax, eax
		jz	loc_64E3BD
		cmp	dword ptr [eax+1Ch], 0
		jz	loc_64E3BD
		mov	eax, [eax]
		mov	[ebp+var_8], eax
		cmp	esi, ebx
		jz	loc_64E3BD
		cmp	esi, eax
		jnb	loc_64E3BD
		push	edi
		mov	ebx, eax
		shl	ebx, 4
		push	694D5050h
		add	ebx, 8
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_64E3B9
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	[edi], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExAcquirePushLockSharedEx
		mov	eax, large fs:20h
		mov	ecx, [eax+3D70h]
		test	ecx, ecx
		jz	short loc_64E388
		mov	eax, ds:_PpmPlatformStates
		mov	edx, edi
		mov	ecx, [ecx+88h]
		call	dword ptr [eax+1Ch]
		test	eax, eax
		js	short loc_64E388
		add	esi, esi
		mov	eax, [edi+esi*8+0Ch]
		mov	ebx, [edi+esi*8+8]
		mov	[ebp+var_4], eax
		jmp	short loc_64E38B
; 

loc_64E388:				; CODE XREF: PpmQueryPlatformStateResidency(x,x)+99j
					; PpmQueryPlatformStateResidency(x,x)+ADj
		or	ebx, 0FFFFFFFFh

loc_64E38B:				; CODE XREF: PpmQueryPlatformStateResidency(x,x)+BCj
		cmp	ds:dword_6C2ADC, 0
		jz	short loc_64E39B
		and	ds:dword_6C2ADC, 0

loc_64E39B:				; CODE XREF: PpmQueryPlatformStateResidency(x,x)+C8j
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	694D5050h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_64E3BC
; 

loc_64E3B9:				; CODE XREF: PpmQueryPlatformStateResidency(x,x)+5Aj
		or	ebx, 0FFFFFFFFh

loc_64E3BC:				; CODE XREF: PpmQueryPlatformStateResidency(x,x)+EDj
		pop	edi

loc_64E3BD:				; CODE XREF: PpmQueryPlatformStateResidency(x,x)+18j
					; PpmQueryPlatformStateResidency(x,x)+22j ...
		mov	edx, [ebp+var_4]
		mov	eax, ebx
		pop	esi
		pop	ebx
		leave
		retn
_PpmQueryPlatformStateResidency@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmRemoveIdleStates(x, x, x)
_PpmRemoveIdleStates@12	proc near	; DATA XREF: PpmUpdateIdleStates+F0o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [esi+3D70h]
		test	edi, edi
		jz	short loc_64E450
		mov	eax, [esi+3CCh]
		xor	ecx, ecx
		and	[ebp+var_C], 0
		bts	ecx, eax
		push	ebx
		xor	edx, edx
		mov	[ebp+var_8], ecx
		inc	edx
		lea	eax, [ebp+var_10]
		push	eax
		push	edx
		mov	word ptr [ebp+var_10], dx
		mov	word ptr [ebp+var_10+2], dx
		call	ds:off_6B129C	; RtlEndStrongEnumerationHashTable(x,x)
		mov	ebx, offset _PpmIdleVetoLock
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		and	dword ptr [esi+3D70h], 0
		test	ds:byte_70EFC6,	1
		jz	short loc_64E438
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64E43D
; 

loc_64E438:				; CODE XREF: PpmRemoveIdleStates(x,x,x)+64j
		xor	eax, eax
		lock and [ebx],	eax

loc_64E43D:				; CODE XREF: PpmRemoveIdleStates(x,x,x)+70j
		and	dword ptr [esi+3D74h], 0
		push	694D5050h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebx

loc_64E450:				; CODE XREF: PpmRemoveIdleStates(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PpmRemoveIdleStates@12	endp


;  S U B	R O U T	I N E 


; __stdcall PpmResetDripsAccountingSnapshot()
_PpmResetDripsAccountingSnapshot@0 proc	near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+481p
		mov	eax, ds:dword_6D4640
		mov	edx, ds:_PpmPlatformStates
		test	edx, edx
		jz	short locret_64E4A8
		cmp	eax, 0FFFFFFFFh
		jz	short locret_64E4A8
		mov	edx, [edx+20h]
		imul	ecx, eax, 3F0h
		add	ecx, 0C8h
		add	edx, ecx
		xor	ecx, ecx

loc_64E489:				; CODE XREF: PpmResetDripsAccountingSnapshot()+44j
		mov	eax, [edx]
		lea	edx, [edx+20h]
		mov	ds:_PpmDripsAccountingSnapshot[ecx], eax
		mov	eax, [edx-1Ch]
		mov	ds:dword_6C21C4[ecx], eax
		add	ecx, 8
		cmp	ecx, 0D0h
		jb	short loc_64E489

locret_64E4A8:				; CODE XREF: PpmResetDripsAccountingSnapshot()+Dj
					; PpmResetDripsAccountingSnapshot()+12j
		retn
_PpmResetDripsAccountingSnapshot@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PpmResetPlatformIdleAccounting(void *)
_PpmResetPlatformIdleAccounting@4 proc near
					; CODE XREF: PpmInstallCoordinatedIdleStates(x)+1AFp
					; PpmInstallPlatformIdleStates(x)+1B4p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi]
		mov	edi, [esi+4]
		mov	[ebp+var_4], eax
		imul	eax, edi, 3F0h
		add	eax, 18h
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		test	edi, edi
		jz	short loc_64E50A
		lea	eax, [esi+0D0h]
		mov	edx, edi
		push	ebx

loc_64E4DD:				; CODE XREF: PpmResetPlatformIdleAccounting(x)+5Ej
		or	dword ptr [eax-0A0h], 0FFFFFFFFh
		mov	ecx, eax
		or	dword ptr [eax-9Ch], 0FFFFFFFFh
		push	1Ah
		pop	ebx

loc_64E4F0:				; CODE XREF: PpmResetPlatformIdleAccounting(x)+54j
		or	dword ptr [ecx], 0FFFFFFFFh
		lea	ecx, [ecx+20h]
		or	dword ptr [ecx-1Ch], 0FFFFFFFFh
		sub	ebx, 1
		jnz	short loc_64E4F0
		add	eax, 3F0h
		sub	edx, 1
		jnz	short loc_64E4DD
		pop	ebx

loc_64E50A:				; CODE XREF: PpmResetPlatformIdleAccounting(x)+29j
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[esi+4], edi
		mov	[esi], eax
		call	KeQueryInterruptTime
		and	dword ptr [esi+0Ch], 0
		pop	edi
		mov	[esi+10h], eax
		mov	[esi+14h], edx
		pop	esi
		leave
		retn
_PpmResetPlatformIdleAccounting@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmSetExitLatencySamplingPercentage(x)
_PpmSetExitLatencySamplingPercentage@4 proc near ; CODE	XREF: NtPowerInformation+172556p

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _PopFxSystemLatencyLock
		mov	ecx, edi
		xor	ebx, ebx
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		cmp	ds:_PpmExitLatencySamplingPercentageSet, bl
		jz	short loc_64E54F
		mov	ebx, 0C0000001h
		jmp	short loc_64E58F
; 

loc_64E54F:				; CODE XREF: PpmSetExitLatencySamplingPercentage(x)+20j
		mov	eax, [esi]
		cmp	eax, 64h
		jbe	short loc_64E559
		push	64h
		pop	eax

loc_64E559:				; CODE XREF: PpmSetExitLatencySamplingPercentage(x)+2Ej
		mov	ecx, ds:_PpmExitLatencySamplingPercentage
		test	eax, eax
		jz	short loc_64E567
		test	ecx, ecx
		jnz	short loc_64E56B

loc_64E567:				; CODE XREF: PpmSetExitLatencySamplingPercentage(x)+3Bj
		mov	dl, 1
		jmp	short loc_64E56D
; 

loc_64E56B:				; CODE XREF: PpmSetExitLatencySamplingPercentage(x)+3Fj
		mov	dl, bl

loc_64E56D:				; CODE XREF: PpmSetExitLatencySamplingPercentage(x)+43j
		mov	ds:_PpmExitLatencySamplingPercentageSet, 1
		mov	ds:_PpmExitLatencySamplingPercentage, eax
		test	dl, dl
		jz	short loc_64E58F
		mov	[ebp+var_8], ebx
		lea	eax, [ebp+var_8]
		xor	edx, edx
		lock or	[eax], edx
		mov	cl, 1
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)

loc_64E58F:				; CODE XREF: PpmSetExitLatencySamplingPercentage(x)+27j
					; PpmSetExitLatencySamplingPercentage(x)+55j
		mov	ecx, edi
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_PpmSetExitLatencySamplingPercentage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmSetPlatformIdleDurationHint(x, x)
_PpmSetPlatformIdleDurationHint@8 proc near ; CODE XREF: PoIdle(x)+48Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, 0FFFFh
		push	esi
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		cmp	eax, 1
		jz	short loc_64E61B
		mov	edx, [ebp+arg_4]
		cmp	edx, esi
		jb	short loc_64E5CD
		ja	short loc_64E5C6
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 0FFFFFFFFh
		jbe	short loc_64E5D0

loc_64E5C6:				; CODE XREF: PpmSetPlatformIdleDurationHint(x,x)+1Fj
		or	ecx, 0FFFFFFFFh
		mov	edx, esi
		jmp	short loc_64E5D0
; 

loc_64E5CD:				; CODE XREF: PpmSetPlatformIdleDurationHint(x,x)+1Dj
		mov	ecx, [ebp+arg_0]

loc_64E5D0:				; CODE XREF: PpmSetPlatformIdleDurationHint(x,x)+27j
					; PpmSetPlatformIdleDurationHint(x,x)+2Ej
		shld	edx, ecx, 10h
		dec	eax
		push	ebx
		push	edi
		movzx	edi, ax
		xor	eax, eax
		shl	ecx, 10h
		or	edi, ecx
		or	eax, edx
		mov	[ebp+var_4], edi
		mov	ecx, eax
		mov	[ebp+arg_4], eax

loc_64E5EB:				; CODE XREF: PpmSetPlatformIdleDurationHint(x,x)+75j
					; PpmSetPlatformIdleDurationHint(x,x)+7Aj
		mov	esi, ds:_PpmPlatformIdleHint
		mov	eax, esi
		mov	edx, ds:dword_6FD5DC
		mov	[ebp+var_8], edx
		mov	[ebp+arg_4], offset _PpmPlatformIdleHint
		nop
		mov	ebx, edi
		mov	edi, [ebp+arg_4]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_64E5EB
		cmp	edx, [ebp+var_8]
		jnz	short loc_64E5EB
		pop	edi
		pop	ebx

loc_64E61B:				; CODE XREF: PpmSetPlatformIdleDurationHint(x,x)+16j
		pop	esi
		leave
		retn	8
_PpmSetPlatformIdleDurationHint@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmSetSimulatedIdle(x)
_PpmSetSimulatedIdle@4 proc near	; CODE XREF: NtPowerInformation+1723F7p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	ebx, ecx
		stosd
		stosd
		lea	eax, [ebx+4]
		push	eax
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_64E655
		mov	eax, 0C000000Dh
		jmp	short loc_64E6BE
; 

loc_64E655:				; CODE XREF: PpmSetSimulatedIdle(x)+2Cj
		xor	eax, eax
		xor	edi, edi
		inc	eax
		mov	[ebp+var_18], edi
		shl	eax, cl
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_10]
		push	esi
		push	eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_14], edi
		push	eax
		call	KeSetSystemGroupAffinityThread
		mov	esi, large fs:20h
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [esi+3D70h]
		mov	dl, al
		pop	esi
		test	ecx, ecx
		jnz	short loc_64E696
		mov	edi, 0C00000BBh
		jmp	short loc_64E6AB
; 

loc_64E696:				; CODE XREF: PpmSetSimulatedIdle(x)+6Dj
		mov	eax, [ebx]
		cmp	eax, [ecx+20h]
		jb	short loc_64E6A4
		mov	edi, 0C000000Dh
		jmp	short loc_64E6AB
; 

loc_64E6A4:				; CODE XREF: PpmSetSimulatedIdle(x)+7Bj
		mov	byte ptr [ecx+1], 1
		mov	[ecx+1Ch], eax

loc_64E6AB:				; CODE XREF: PpmSetSimulatedIdle(x)+74j
					; PpmSetSimulatedIdle(x)+82j
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		mov	eax, edi

loc_64E6BE:				; CODE XREF: PpmSetSimulatedIdle(x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmSetSimulatedIdle@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmSnapDripsAccountingSnapshot(x, x, x, x, x, x)
_PpmSnapDripsAccountingSnapshot@24 proc	near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+54Bp

var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0DCh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ds:dword_6C1D84
		push	ebx
		mov	ebx, ds:_PopWnfCsEnterScenarioId
		mov	[ebp+var_DC], eax
		mov	eax, ds:dword_6D4640
		mov	edx, ds:_PpmPlatformStates
		push	esi
		push	edi
		test	edx, edx
		jz	loc_64E794
		cmp	eax, 0FFFFFFFFh
		jz	loc_64E794
		mov	edi, [edx+20h]
		imul	ecx, eax, 3F0h
		add	edi, 0C8h
		add	edi, ecx
		xor	esi, esi

loc_64E724:				; CODE XREF: PpmSnapDripsAccountingSnapshot(x,x,x,x,x,x)+9Dj
		mov	ecx, [edi]
		sub	ecx, ds:_PpmDripsAccountingSnapshot[esi]
		mov	eax, [edi+4]
		sbb	eax, ds:dword_6C21C4[esi]
		push	0
		push	(offset	loc_98967E+2)
		push	ds:dword_70ED2C
		push	ds:_PopQpcFrequency
		push	eax
		push	ecx
		call	PpmConvertTime
		mov	[ebp+esi+var_D8], eax
		lea	edi, [edi+20h]
		mov	[ebp+esi+var_D4], edx
		add	esi, 8
		cmp	esi, 0D0h
		jb	short loc_64E724
		lea	edx, [ebp+var_D8]
		call	_PpmEventTraceDripsAccountingSnapshot@8	; PpmEventTraceDripsAccountingSnapshot(x,x)
		push	[ebp+arg_14]
		lea	edx, [ebp+var_D8]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+var_DC]
		push	ebx
		call	_PopDiagTraceDripsHistogram@32 ; PopDiagTraceDripsHistogram(x,x,x,x,x,x,x,x)

loc_64E794:				; CODE XREF: PpmSnapDripsAccountingSnapshot(x,x,x,x,x,x)+36j
					; PpmSnapDripsAccountingSnapshot(x,x,x,x,x,x)+3Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_PpmSnapDripsAccountingSnapshot@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmTestAndLockProcessor(x, x, x)
_PpmTestAndLockProcessor@12 proc near	; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1D9p
					; PpmIdleCheckCoordinatedDependency(x,x,x,x,x,x,x,x,x,x)+185p ...

var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= byte ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		push	8
		pop	ecx
		mov	esi, [ebx+3DA8h]
		xor	edx, edx
		rep stosd
		mov	eax, ds:_PopIdleTransitionTimeout
		mov	edi, 0FF000000h
		mov	[ebp+var_2C], eax
		mov	eax, ds:dword_70ED0C
		mov	[ebp+var_28], eax
		mov	eax, esi
		and	eax, edi
		mov	[ebp+var_8], edx
		mov	[ebp+var_1C], 1
		mov	[ebp+var_24], ebx
		cmp	eax, 2000000h
		jnz	short loc_64E80D

loc_64E7F1:				; CODE XREF: PpmTestAndLockProcessor(x,x,x)+63j
		lea	ecx, [ebp+var_34]
		call	_PpmIdleTransitionStall@4 ; PpmIdleTransitionStall(x)
		mov	esi, [ebx+3DA8h]
		mov	eax, esi
		and	eax, edi
		cmp	eax, 2000000h
		jz	short loc_64E7F1
		mov	edx, [ebp+var_8]

loc_64E80D:				; CODE XREF: PpmTestAndLockProcessor(x,x,x)+4Aj
		shr	esi, 18h
		mov	edi, 0C000002Ah
		cmp	esi, 3
		jz	short loc_64E828
		cmp	esi, 4
		jz	short loc_64E828
		cmp	esi, 5
		jnz	loc_64E8E5

loc_64E828:				; CODE XREF: PpmTestAndLockProcessor(x,x,x)+73j
					; PpmTestAndLockProcessor(x,x,x)+78j
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_64E871
		mov	eax, [esi]
		xor	ecx, ecx
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_64E862
		mov	eax, [ebx+3D9Ch]
		mov	[ebp+var_8], eax
		mov	eax, [esi+4]
		mov	esi, [ebp+var_8]

loc_64E849:				; CODE XREF: PpmTestAndLockProcessor(x,x,x)+B5j
		mov	edx, eax
		mov	[ebp+var_8], edx
		cmp	[eax+4], esi
		jz	short loc_64E85C
		inc	ecx
		add	eax, 10h
		cmp	ecx, [ebp+var_C]
		jb	short loc_64E849

loc_64E85C:				; CODE XREF: PpmTestAndLockProcessor(x,x,x)+ACj
		mov	esi, [ebp+arg_0]
		mov	eax, [ebp+var_C]

loc_64E862:				; CODE XREF: PpmTestAndLockProcessor(x,x,x)+93j
		cmp	ecx, eax
		jz	short loc_64E8E5
		cmp	byte ptr [edx+2], 0
		jz	short loc_64E8E5
		cmp	byte ptr [edx],	0
		jz	short loc_64E8E3

loc_64E871:				; CODE XREF: PpmTestAndLockProcessor(x,x,x)+88j
		mov	eax, [ebp+var_10]
		mov	ecx, [ebx+3CCh]
		mov	eax, [eax+8]
		shr	eax, cl
		test	al, 1
		jnz	short loc_64E8E3
		movzx	ecx, large byte	ptr fs:51h
		mov	eax, [ebx+3D70h]
		add	eax, 48h
		mov	[ebp+arg_0], ecx
		push	ecx
		push	eax
		mov	[ebp+var_C], eax
		call	_KeInterlockedSetProcessorAffinityEx@8 ; KeInterlockedSetProcessorAffinityEx(x,x)
		lea	ecx, [ebx+3DA8h]
		call	_PpmIdleLockProcessor@4	; PpmIdleLockProcessor(x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_64E8BF
		push	[ebp+arg_0]
		push	[ebp+var_C]
		call	_KeInterlockedClearProcessorAffinityEx@8 ; KeInterlockedClearProcessorAffinityEx(x,x)
		jmp	short loc_64E8E5
; 

loc_64E8BF:				; CODE XREF: PpmTestAndLockProcessor(x,x,x)+10Bj
		mov	edx, [ebp+var_10]
		mov	eax, [ebx+3CCh]
		mov	ecx, [edx+8]
		bts	ecx, eax
		mov	[edx+8], ecx
		test	esi, esi
		jz	short loc_64E8E3
		mov	eax, [ebp+var_8]
		mov	eax, [eax+4]
		cmp	eax, [ebx+3D9Ch]
		jnz	short loc_64E8E5

loc_64E8E3:				; CODE XREF: PpmTestAndLockProcessor(x,x,x)+CAj
					; PpmTestAndLockProcessor(x,x,x)+DCj ...
		xor	edi, edi

loc_64E8E5:				; CODE XREF: PpmTestAndLockProcessor(x,x,x)+7Dj
					; PpmTestAndLockProcessor(x,x,x)+BFj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PpmTestAndLockProcessor@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmTraceExitLatency(x, x, x, x, x, x)
_PpmTraceExitLatency@24	proc near	; CODE XREF: PpmIdleCompleteExitLatencyTrace(x,x,x,x,x,x,x,x,x)+61p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ds:_PopFxSystemLatencyLimit
		or	ecx, 0FFFFFFFFh
		push	esi
		push	edi
		mov	edi, edx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_64E918
		xor	al, al
		jmp	loc_64E9A9
; 

loc_64E918:				; CODE XREF: PpmTraceExitLatency(x,x,x,x,x,x)+21j
		mov	esi, [ebp+arg_8]
		cmp	esi, 0FFFFFFFFh
		jz	short loc_64E94F
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		push	0
		mov	ecx, eax
		mov	eax, [ebp+arg_C]
		push	(offset	loc_98967E+2)
		push	ds:dword_70ED2C
		sub	ecx, [eax]
		push	ds:_PopQpcFrequency
		sbb	edx, [eax+4]
		push	edx
		push	ecx
		call	PpmConvertTime
		lea	ecx, [esi+eax]

loc_64E94F:				; CODE XREF: PpmTraceExitLatency(x,x,x,x,x,x)+30j
		test	ds:dword_70EFC8, 4000000h
		jz	short loc_64E9A7
		mov	eax, [ebp+arg_4]
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_64E966
		or	eax, 4

loc_64E966:				; CODE XREF: PpmTraceExitLatency(x,x,x,x,x,x)+73j
		and	[ebp+var_14], 0
		xor	edx, edx
		and	[ebp+var_C], 0
		inc	edx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_0]
		push	602h
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_2C]
		push	123Ch
		mov	[ebp+var_1C], ecx
		lea	ecx, [ebp+var_18]
		push	44000000h
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], 14h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_64E9A7:				; CODE XREF: PpmTraceExitLatency(x,x,x,x,x,x)+6Bj
		mov	al, 1

loc_64E9A9:				; CODE XREF: PpmTraceExitLatency(x,x,x,x,x,x)+25j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PpmTraceExitLatency@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmUnlockProcessors(x, x)
_PpmUnlockProcessors@8 proc near	; CODE XREF: PpmIdleSelectStates+8B14Ep
					; PpmIdleSelectStates+8B193p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_1A		= word ptr -1Ah
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_1A], ax
		inc	eax
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		movzx	eax, large byte	ptr fs:51h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_18], eax
		xor	eax, eax
		mov	[ebp+var_14], ebx
		push	esi
		mov	[ebp+var_1C], ax
		mov	eax, [edx+8]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], edx

loc_64EA04:				; CODE XREF: PpmUnlockProcessors(x,x)+99j
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_64EA54
		mov	esi, [ebp+var_14]
		mov	ecx, esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ebx, [eax+3D70h]
		lea	ecx, [eax+3DA8h]
		call	_PpmIdleUnlockProcessor@4 ; PpmIdleUnlockProcessor(x)
		cmp	al, 6
		jnz	short loc_64EA3D
		mov	eax, [ebp+var_8]
		bts	eax, esi
		mov	[ebp+var_8], eax

loc_64EA3D:				; CODE XREF: PpmUnlockProcessors(x,x)+79j
		push	[ebp+var_18]
		lea	eax, [ebx+48h]
		push	eax
		call	_KeInterlockedClearProcessorAffinityEx@8 ; KeInterlockedClearProcessorAffinityEx(x,x)
		mov	eax, [edi+8]
		btr	eax, esi
		mov	[edi+8], eax
		jmp	short loc_64EA04
; 

loc_64EA54:				; CODE XREF: PpmUnlockProcessors(x,x)+5Aj
		cmp	[ebp+var_8], 0
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_64EA69
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		call	ds:__imp__HalRequestIpi@8 ; HalRequestIpi(x,x)

loc_64EA69:				; CODE XREF: PpmUnlockProcessors(x,x)+A2j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmUnlockProcessors@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmUpdateIdleDomains(x)
_PpmUpdateIdleDomains@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PpmIdlePolicyLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	edi, [ebp+arg_0]
		mov	eax, large fs:124h
		mov	ds:dword_6C2ADC, eax
		test	edi, edi
		jnz	short loc_64EAB2

loc_64EAAB:				; CODE XREF: PpmUpdateIdleDomains(x)+4Dj
		mov	esi, 0C000000Dh
		jmp	short loc_64EADA
; 

loc_64EAB2:				; CODE XREF: PpmUpdateIdleDomains(x)+34j
		push	offset _KeActiveProcessors
		lea	esi, [edi+8]
		push	esi
		call	_KeIsSubsetAffinityEx@8	; KeIsSubsetAffinityEx(x,x)
		test	eax, eax
		jz	short loc_64EAAB
		push	esi
		push	edi
		mov	edx, offset _PpmInstallNewIdleDomains@12 ; PpmInstallNewIdleDomains(x,x,x)
		mov	ecx, esi
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_64EADA
		xor	esi, esi

loc_64EADA:				; CODE XREF: PpmUpdateIdleDomains(x)+3Bj
					; PpmUpdateIdleDomains(x)+61j
		cmp	ds:dword_6C2ADC, 0
		jz	short loc_64EAEA
		and	ds:dword_6C2ADC, 0

loc_64EAEA:				; CODE XREF: PpmUpdateIdleDomains(x)+6Cj
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PpmUpdateIdleDomains@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmUpdateIdleStatesInplace(x, x, x)
_PpmUpdateIdleStatesInplace@12 proc near ; DATA	XREF: PpmUpdateIdleStates+E7o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+3D70h]
		test	ecx, ecx
		jnz	short loc_64EB1A
		mov	eax, 0C00000BBh
		jmp	short loc_64EB7C
; 

loc_64EB1A:				; CODE XREF: PpmUpdateIdleStatesInplace(x,x,x)+10j
		push	esi
		mov	esi, [ebp+arg_4]
		mov	edx, [esi+44h]
		cmp	edx, [ecx+20h]
		jz	short loc_64EB2D
		mov	eax, 0C000000Dh
		jmp	short loc_64EB7B
; 

loc_64EB2D:				; CODE XREF: PpmUpdateIdleStatesInplace(x,x,x)+23j
		mov	eax, [esi+8]
		mov	[ecx+88h], eax
		test	edx, edx
		jz	short loc_64EB79
		add	ecx, 120h
		add	esi, 48h

loc_64EB43:				; CODE XREF: PpmUpdateIdleStatesInplace(x,x,x)+76j
		mov	eax, [esi]
		shr	eax, 1Eh
		and	al, 1
		mov	[ecx+2Fh], al
		mov	eax, [esi+4]
		mov	[ecx], eax
		lea	ecx, [ecx+44h]
		mov	eax, [esi+0Ch]
		mov	[ecx-3Ch], eax
		mov	eax, [esi+8]
		mov	[ecx-40h], eax
		mov	eax, [esi]
		shr	eax, 1Fh
		mov	[ecx-1Bh], al
		mov	eax, [esi]
		lea	esi, [esi+18h]
		shr	eax, 1Fh
		mov	[ecx-38h], eax
		sub	edx, 1
		jnz	short loc_64EB43

loc_64EB79:				; CODE XREF: PpmUpdateIdleStatesInplace(x,x,x)+37j
		xor	eax, eax

loc_64EB7B:				; CODE XREF: PpmUpdateIdleStatesInplace(x,x,x)+2Aj
		pop	esi

loc_64EB7C:				; CODE XREF: PpmUpdateIdleStatesInplace(x,x,x)+17j
		pop	ebp
		retn	0Ch
_PpmUpdateIdleStatesInplace@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmUpdateIdleVeto(x, x, x, x)
_PpmUpdateIdleVeto@16 proc near		; CODE XREF: PpmUpdatePlatformIdleVeto(x)+6Cp
					; PpmUpdateProcessorIdleVeto(x)+A7p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_10], edx
		mov	[ebp+var_1], cl
		mov	[eax], bl
		test	edx, edx
		jnz	short loc_64EBA4
		mov	ebx, 0C000000Dh
		jmp	loc_64ED48
; 

loc_64EBA4:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+18j
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		lea	edi, [eax+4]
		mov	ecx, [eax+14h]
		mov	esi, [edi]
		mov	[ebp+var_8], ecx
		cmp	[ebp+var_1], bl
		jnz	loc_64EC88
		jmp	short loc_64EBC6
; 

loc_64EBBF:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+48j
		cmp	[esi+8], edx
		jz	short loc_64EBCF
		mov	esi, [esi]

loc_64EBC6:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+3Dj
		cmp	esi, edi
		jnz	short loc_64EBBF
		jmp	loc_64ECDC
; 

loc_64EBCF:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+42j
		sub	dword ptr [esi+0Ch], 1
		jnz	loc_64ED46
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_64ED37
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_64ED37
		mov	[ecx], eax
		mov	[eax+4], ecx
		cmp	[ebp+var_8], ebx
		jnz	short loc_64EC09
		push	694D5050h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+arg_0]
		jmp	short loc_64EC68
; 

loc_64EC09:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+77j
		mov	[esi], ebx
		lea	ecx, [ebp+var_C]
		mov	[esi+4], ebx
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	[ebp+var_8], eax
		mov	eax, edx
		mov	edx, [ebp+var_8]
		mov	ecx, edx
		sub	ecx, [esi+18h]
		mov	[ebp+var_10], eax
		sbb	eax, [esi+1Ch]
		add	[esi+20h], ecx
		mov	ecx, [esi+28h]
		adc	[esi+24h], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_8], eax
		mov	eax, ecx
		or	eax, [ebp+var_8]
		mov	[esi+18h], ebx
		mov	[esi+1Ch], ebx
		jz	short loc_64EC59
		mov	eax, [ebp+var_10]
		sub	edx, ecx
		mov	[esi+28h], ebx
		sbb	eax, [ebp+var_8]
		add	[esi+30h], edx
		mov	[esi+2Ch], ebx
		adc	[esi+34h], eax

loc_64EC59:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+C3j
		mov	esi, [ebp+arg_0]
		cmp	[esi+0Dh], bl
		jz	short loc_64EC68
		xor	cl, cl
		call	_PopUpdateNonAttributedCpuTimeReference@4 ; PopUpdateNonAttributedCpuTimeReference(x)

loc_64EC68:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+87j
					; PpmUpdateIdleVeto(x,x,x,x)+DFj
		cmp	[edi], edi
		jnz	loc_64ED46
		push	0FFFFFFFEh
		pop	eax
		lock and [esi],	eax
		mov	eax, [ebp+arg_4]
		mov	byte ptr [eax],	1
		jmp	loc_64ED46
; 

loc_64EC81:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+10Aj
		cmp	[esi+8], edx
		jz	short loc_64ECB1
		mov	esi, [esi]

loc_64EC88:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+37j
		cmp	esi, edi
		jnz	short loc_64EC81
		test	ecx, ecx
		jnz	short loc_64ECD7
		push	694D5050h
		push	38h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_64ECC9
		mov	ebx, 0C000009Ah
		jmp	loc_64ED46
; 

loc_64ECB1:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+104j
		mov	eax, [esi+0Ch]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_64ECC3
		mov	ebx, 0C0000095h
		jmp	loc_64ED46
; 

loc_64ECC3:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+137j
		inc	eax
		mov	[esi+0Ch], eax
		jmp	short loc_64ED46
; 

loc_64ECC9:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+125j
		push	38h		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_64ED15
; 

loc_64ECD7:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+10Ej
		cmp	edx, [eax+10h]
		jbe	short loc_64ECE3

loc_64ECDC:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+4Aj
		mov	ebx, 0C000000Dh
		jmp	short loc_64ED46
; 

loc_64ECE3:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+15Aj
		imul	eax, edx, 38h
		lea	esi, [ecx-38h]
		lea	ecx, [ebp+var_C]
		add	esi, eax
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	ecx, [ebp+arg_0]
		mov	[esi+18h], eax
		mov	[esi+1Ch], edx
		cmp	[ecx+0Ch], bl
		jnz	short loc_64ED09
		mov	[esi+28h], eax
		mov	eax, edx
		mov	[esi+2Ch], eax

loc_64ED09:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+17Fj
		cmp	[ecx+0Dh], bl
		jz	short loc_64ED18
		mov	cl, 1
		call	_PopUpdateNonAttributedCpuTimeReference@4 ; PopUpdateNonAttributedCpuTimeReference(x)

loc_64ED15:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+155j
		mov	ecx, [ebp+arg_0]

loc_64ED18:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+18Cj
		mov	eax, [ebp+var_10]
		xor	edx, edx
		inc	edx
		mov	[esi+8], eax
		mov	[esi+0Ch], edx
		cmp	[edi], edi
		jnz	short loc_64ED30
		lock or	[ecx], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], dl

loc_64ED30:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+1A6j
		mov	eax, [edi+4]
		cmp	[eax], edi
		jz	short loc_64ED3C

loc_64ED37:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+5Ej
					; PpmUpdateIdleVeto(x,x,x,x)+69j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_64ED3C:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+1B5j
		mov	[esi], edi
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[edi+4], esi

loc_64ED46:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+53j
					; PpmUpdateIdleVeto(x,x,x,x)+EAj ...
		pop	edi
		pop	esi

loc_64ED48:				; CODE XREF: PpmUpdateIdleVeto(x,x,x,x)+1Fj
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_PpmUpdateIdleVeto@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmUpdatePlatformIdleAccounting(x, x, x)
_PpmUpdatePlatformIdleAccounting@12 proc near ;	CODE XREF: PpmExitCoordinatedIdle+12BE9Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, eax

loc_64ED60:				; CODE XREF: PpmUpdatePlatformIdleAccounting(x,x,x)+2Dj
		cmp	esi, ds:dword_705204[edi]
		jb	short loc_64ED7E
		ja	short loc_64ED72
		cmp	edx, ds:_PpmIdleIntervalLimits[edi]
		jb	short loc_64ED7E

loc_64ED72:				; CODE XREF: PpmUpdatePlatformIdleAccounting(x,x,x)+19j
		add	edi, 18h
		inc	eax
		cmp	edi, 270h
		jb	short loc_64ED60

loc_64ED7E:				; CODE XREF: PpmUpdatePlatformIdleAccounting(x,x,x)+17j
					; PpmUpdatePlatformIdleAccounting(x,x,x)+21j
		cmp	eax, 1Ah
		jnb	short loc_64EDE1
		shl	eax, 5
		add	[eax+ecx+0B0h],	edx
		adc	[eax+ecx+0B4h],	esi
		inc	dword ptr [eax+ecx+0C8h]
		cmp	esi, [eax+ecx+0BCh]
		ja	short loc_64EDBD
		jb	short loc_64EDAF
		cmp	edx, [eax+ecx+0B8h]
		jnb	short loc_64EDBD

loc_64EDAF:				; CODE XREF: PpmUpdatePlatformIdleAccounting(x,x,x)+55j
		mov	[eax+ecx+0B8h],	edx
		mov	[eax+ecx+0BCh],	esi

loc_64EDBD:				; CODE XREF: PpmUpdatePlatformIdleAccounting(x,x,x)+53j
					; PpmUpdatePlatformIdleAccounting(x,x,x)+5Ej
		cmp	esi, [eax+ecx+0C4h]
		jb	short loc_64EDE4
		ja	short loc_64EDD1
		cmp	edx, [eax+ecx+0C0h]
		jbe	short loc_64EDE4

loc_64EDD1:				; CODE XREF: PpmUpdatePlatformIdleAccounting(x,x,x)+77j
		mov	[eax+ecx+0C0h],	edx
		mov	[eax+ecx+0C4h],	esi
		jmp	short loc_64EDE4
; 

loc_64EDE1:				; CODE XREF: PpmUpdatePlatformIdleAccounting(x,x,x)+32j
		inc	dword ptr [ecx+28h]

loc_64EDE4:				; CODE XREF: PpmUpdatePlatformIdleAccounting(x,x,x)+75j
					; PpmUpdatePlatformIdleAccounting(x,x,x)+80j ...
		cmp	esi, [ecx+1Ch]
		ja	short loc_64EDF6
		jb	short loc_64EDF0
		cmp	edx, [ecx+18h]
		jnb	short loc_64EDF6

loc_64EDF0:				; CODE XREF: PpmUpdatePlatformIdleAccounting(x,x,x)+9Aj
		mov	[ecx+18h], edx
		mov	[ecx+1Ch], esi

loc_64EDF6:				; CODE XREF: PpmUpdatePlatformIdleAccounting(x,x,x)+98j
					; PpmUpdatePlatformIdleAccounting(x,x,x)+9Fj
		cmp	esi, [ecx+14h]
		jb	short loc_64EE08
		ja	short loc_64EE02
		cmp	edx, [ecx+10h]
		jbe	short loc_64EE08

loc_64EE02:				; CODE XREF: PpmUpdatePlatformIdleAccounting(x,x,x)+ACj
		mov	[ecx+10h], edx
		mov	[ecx+14h], esi

loc_64EE08:				; CODE XREF: PpmUpdatePlatformIdleAccounting(x,x,x)+AAj
					; PpmUpdatePlatformIdleAccounting(x,x,x)+B1j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_PpmUpdatePlatformIdleAccounting@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmUpdatePlatformIdleVeto(x)
_PpmUpdatePlatformIdleVeto@4 proc near

var_18		= dword	ptr -18h
var_12		= byte ptr -12h
var_11		= dword	ptr -11h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ds:_PpmPlatformStates
		mov	byte ptr [ebp+var_11], 0
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	eax, eax
		jnz	short loc_64EE3C
		mov	edi, 0C00000BBh
		jmp	loc_64EF69
; 

loc_64EE3C:				; CODE XREF: PpmUpdatePlatformIdleVeto(x)+22j
		mov	ecx, [esi+4]
		cmp	ecx, [eax]
		jb	short loc_64EE4D
		mov	edi, 0C000000Dh
		jmp	loc_64EF69
; 

loc_64EE4D:				; CODE XREF: PpmUpdatePlatformIdleVeto(x)+33j
		push	ebx
		imul	ebx, ecx, 0C0h
		add	ebx, eax
		mov	[ebp+var_18], ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PpmIdleVetoLock
		mov	[ebp+var_12], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [esi+8]
		lea	eax, [ebp+var_11]
		mov	cl, [esi+0Ch]
		push	eax
		lea	eax, [ebx+50h]
		push	eax
		call	_PpmUpdateIdleVeto@16 ;	PpmUpdateIdleVeto(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_64EF42
		movzx	ecx, byte ptr [esi+0Ch]
		mov	edx, [esi+8]
		push	ecx
		mov	ecx, [esi+4]
		call	_PpmEventPlatformVetoRequest@12	; PpmEventPlatformVetoRequest(x,x,x)
		mov	ecx, ds:_PpmPlatformStates
		mov	bl, byte ptr [ebp+var_11]
		mov	eax, [ecx]
		dec	eax
		cmp	[esi+4], eax
		jnz	short loc_64EEC7
		test	bl, bl
		jz	loc_64EF42
		cmp	byte ptr [esi+0Ch], 0
		push	9
		pop	ecx
		jnz	short loc_64EEC2
		call	PopDeepSleepClearDisengageReason
		jmp	short loc_64EEC7
; 

loc_64EEC2:				; CODE XREF: PpmUpdatePlatformIdleVeto(x)+ABj
		call	PopDeepSleepSetDisengageReason

loc_64EEC7:				; CODE XREF: PpmUpdatePlatformIdleVeto(x)+9Aj
					; PpmUpdatePlatformIdleVeto(x)+B2j
		test	bl, bl
		jz	short loc_64EF42
		mov	ecx, large fs:20h
		mov	esi, [ebp+var_18]
		mov	ecx, [ecx+3CCh]
		mov	eax, [esi+78h]
		shr	eax, cl
		test	al, 1
		jnz	short loc_64EF42
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PpmIdleVetoLock
		jz	short loc_64EEFC
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64EF01
; 

loc_64EEFC:				; CODE XREF: PpmUpdatePlatformIdleVeto(x)+E2j
		xor	eax, eax
		lock and [ecx],	eax

loc_64EF01:				; CODE XREF: PpmUpdatePlatformIdleVeto(x)+ECj
		mov	cl, [ebp+var_12]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		xor	edx, edx
		inc	eax
		mov	[ebp+var_C], edx
		mov	word ptr [ebp+var_11+1], ax
		mov	word ptr [ebp+var_11+3], ax
		mov	eax, [esi+78h]
		test	eax, eax
		jz	short loc_64EF26
		bsr	ecx, eax
		jmp	short loc_64EF29
; 

loc_64EF26:				; CODE XREF: PpmUpdatePlatformIdleVeto(x)+111j
		or	ecx, 0FFFFFFFFh

loc_64EF29:				; CODE XREF: PpmUpdatePlatformIdleVeto(x)+116j
		push	edx
		xor	eax, eax
		bts	eax, ecx
		push	edx
		mov	edx, offset ?SmpStoreMgrCallback@@YGJPAU_SMKM_STORE_LIST@@PAXW4_SMKM_CALLBACK_TYPE@@@Z ; SmpStoreMgrCallback(_SMKM_STORE_LIST *,void *,_SMKM_CALLBACK_TYPE)
		mov	[ebp+var_8], eax
		lea	ecx, [ebp+var_11+1]
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		jmp	short loc_64EF68
; 

loc_64EF42:				; CODE XREF: PpmUpdatePlatformIdleVeto(x)+75j
					; PpmUpdatePlatformIdleVeto(x)+9Ej ...
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PpmIdleVetoLock
		jz	short loc_64EF5A
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64EF5F
; 

loc_64EF5A:				; CODE XREF: PpmUpdatePlatformIdleVeto(x)+140j
		xor	eax, eax
		lock and [ecx],	eax

loc_64EF5F:				; CODE XREF: PpmUpdatePlatformIdleVeto(x)+14Aj
		mov	cl, [ebp+var_12]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_64EF68:				; CODE XREF: PpmUpdatePlatformIdleVeto(x)+132j
		pop	ebx

loc_64EF69:				; CODE XREF: PpmUpdatePlatformIdleVeto(x)+29j
					; PpmUpdatePlatformIdleVeto(x)+3Aj
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PpmUpdatePlatformIdleVeto@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmUpdateProcessorIdleVeto(x)
_PpmUpdateProcessorIdleVeto@4 proc near

var_18		= dword	ptr -18h
var_12		= byte ptr -12h
var_11		= dword	ptr -11h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	byte ptr [ebp+var_11], 0
		lea	eax, [edi+4]
		push	eax
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	esi, eax
		mov	ecx, esi
		mov	[ebp+var_18], esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ebx, eax
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_64EFBD
		mov	esi, 0C000000Dh
		jmp	loc_64F0AF
; 

loc_64EFBD:				; CODE XREF: PpmUpdateProcessorIdleVeto(x)+36j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PpmIdleVetoLock
		mov	[ebp+var_12], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebx+3D70h]
		test	ecx, ecx
		jnz	short loc_64EFFE
		mov	esi, 0C00000BBh

loc_64EFDF:				; CODE XREF: PpmUpdateProcessorIdleVeto(x)+90j
					; PpmUpdateProcessorIdleVeto(x)+B0j ...
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PpmIdleVetoLock
		jz	loc_64F0A1
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_64F0A6
; 

loc_64EFFE:				; CODE XREF: PpmUpdateProcessorIdleVeto(x)+5Dj
		mov	eax, [edi+8]
		cmp	eax, [ecx+20h]
		jb	short loc_64F00D
		mov	esi, 0C000000Dh
		jmp	short loc_64EFDF
; 

loc_64F00D:				; CODE XREF: PpmUpdateProcessorIdleVeto(x)+89j
		imul	eax, 44h
		lea	edx, [ebp+var_11]
		push	edx
		mov	edx, [edi+0Ch]
		add	eax, 130h
		add	eax, ecx
		mov	cl, [edi+10h]
		push	eax
		call	_PpmUpdateIdleVeto@16 ;	PpmUpdateIdleVeto(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_64EFDF
		movzx	ecx, byte ptr [edi+10h]
		mov	edx, [edi+8]
		push	ecx
		push	dword ptr [edi+0Ch]
		mov	ecx, ebx
		call	_PpmEventProcessorVetoRequest@16 ; PpmEventProcessorVetoRequest(x,x,x,x)
		cmp	byte ptr [ebp+var_11], 0
		jz	short loc_64EFDF
		mov	eax, large fs:20h
		cmp	ebx, eax
		jz	short loc_64EFDF
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PpmIdleVetoLock
		jz	short loc_64F067
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64F06C
; 

loc_64F067:				; CODE XREF: PpmUpdateProcessorIdleVeto(x)+E0j
		xor	eax, eax
		lock and [ecx],	eax

loc_64F06C:				; CODE XREF: PpmUpdateProcessorIdleVeto(x)+EAj
		mov	cl, [ebp+var_12]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_18]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		mov	word ptr [ebp+var_11+1], ax
		mov	word ptr [ebp+var_11+3], ax
		xor	eax, eax
		push	edx
		bts	eax, ecx
		mov	[ebp+var_C], edx
		push	edx
		mov	edx, offset ?SmpStoreMgrCallback@@YGJPAU_SMKM_STORE_LIST@@PAXW4_SMKM_CALLBACK_TYPE@@@Z ; SmpStoreMgrCallback(_SMKM_STORE_LIST *,void *,_SMKM_CALLBACK_TYPE)
		mov	[ebp+var_8], eax
		lea	ecx, [ebp+var_11+1]
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		jmp	short loc_64F0AF
; 

loc_64F0A1:				; CODE XREF: PpmUpdateProcessorIdleVeto(x)+70j
		xor	eax, eax
		lock and [ecx],	eax

loc_64F0A6:				; CODE XREF: PpmUpdateProcessorIdleVeto(x)+7Ej
		mov	cl, [ebp+var_12]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_64F0AF:				; CODE XREF: PpmUpdateProcessorIdleVeto(x)+3Dj
					; PpmUpdateProcessorIdleVeto(x)+124j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PpmUpdateProcessorIdleVeto@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopCoolingTelemetryWorker()
_PopCoolingTelemetryWorker@0 proc near	; CODE XREF: PopThermalTelemetryWorker(x)+D2p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopCoolingExtensionLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	esi, ds:_PopCoolingExtensionList
		mov	ds:dword_6C21A4, eax
		jmp	loc_64F188
; 

loc_64F0F5:				; CODE XREF: PopCoolingTelemetryWorker()+CCj
		cmp	byte ptr [esi+20h], 0
		jz	loc_64F186
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+10h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+14h], eax
		lea	eax, [esi+8]
		mov	edi, [eax]
		jmp	short loc_64F169
; 

loc_64F127:				; CODE XREF: PopCoolingTelemetryWorker()+A9j
		cmp	byte ptr [edi+0Ah], 0
		jz	short loc_64F167
		cmp	dword ptr [esi+44h], 0
		jz	short loc_64F148
		mov	dl, [edi+8]
		lea	ecx, [edi+18h]
		call	_PopThermalUpdatePassiveTimeTracking@8 ; PopThermalUpdatePassiveTimeTracking(x,x)
		mov	ecx, edi
		call	PopTraceThermalRequestPassiveHistogram
		lea	eax, [esi+8]

loc_64F148:				; CODE XREF: PopCoolingTelemetryWorker()+6Fj
		cmp	dword ptr [esi+40h], 0
		jz	short loc_64F167
		cmp	byte ptr [edi+9], 0
		lea	ecx, [edi+18h]
		setz	dl
		call	_PopThermalUpdateActiveTimeTracking@8 ;	PopThermalUpdateActiveTimeTracking(x,x)
		mov	ecx, edi
		call	_PopTraceThermalRequestActiveActivity@4	; PopTraceThermalRequestActiveActivity(x)
		lea	eax, [esi+8]

loc_64F167:				; CODE XREF: PopCoolingTelemetryWorker()+69j
					; PopCoolingTelemetryWorker()+8Aj
		mov	edi, [edi]

loc_64F169:				; CODE XREF: PopCoolingTelemetryWorker()+63j
		cmp	edi, eax
		jnz	short loc_64F127
		cmp	dword ptr [esi+14h], 0
		jz	short loc_64F177
		and	dword ptr [esi+14h], 0

loc_64F177:				; CODE XREF: PopCoolingTelemetryWorker()+AFj
		xor	edx, edx
		lea	ecx, [esi+10h]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_64F186:				; CODE XREF: PopCoolingTelemetryWorker()+37j
		mov	esi, [esi]

loc_64F188:				; CODE XREF: PopCoolingTelemetryWorker()+2Ej
		cmp	esi, offset _PopCoolingExtensionList
		jnz	loc_64F0F5
		cmp	ds:dword_6C21A4, 0
		jz	short loc_64F1A4
		and	ds:dword_6C21A4, 0

loc_64F1A4:				; CODE XREF: PopCoolingTelemetryWorker()+D9j
		xor	edx, edx
		mov	ecx, offset _PopCoolingExtensionLock
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopCoolingTelemetryWorker@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPropogateCoolingChange(x)
_PopPropogateCoolingChange@4 proc near	; CODE XREF: PoSetThermalActiveCooling(x,x)+78p
					; PoSetThermalPassiveCooling(x,x)+7Bp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+23h], 0
		jz	short loc_64F1D0
		mov	byte ptr [esi+23h], 0
		jmp	loc_64F2F4
; 

loc_64F1D0:				; CODE XREF: PopPropogateCoolingChange(x)+Dj
		push	ebx
		push	edi

loc_64F1D2:				; CODE XREF: PopPropogateCoolingChange(x)+AAj
					; PopPropogateCoolingChange(x)+10Ej
		xor	bl, bl
		mov	bh, 64h
		mov	byte ptr [ebp+var_4], bl
		cmp	[esi+20h], bl
		jz	short loc_64F207
		lea	ecx, [esi+8]
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	short loc_64F207

loc_64F1E7:				; CODE XREF: PopPropogateCoolingChange(x)+4Aj
		cmp	byte ptr [eax+0Ah], 0
		jz	short loc_64F1FE
		mov	dl, [eax+8]
		cmp	dl, bh
		jnb	short loc_64F1F6
		mov	bh, dl

loc_64F1F6:				; CODE XREF: PopPropogateCoolingChange(x)+3Aj
		cmp	byte ptr [eax+9], 0
		jz	short loc_64F1FE
		mov	bl, 1

loc_64F1FE:				; CODE XREF: PopPropogateCoolingChange(x)+33j
					; PopPropogateCoolingChange(x)+42j
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	short loc_64F1E7
		mov	byte ptr [ebp+var_4], bl

loc_64F207:				; CODE XREF: PopPropogateCoolingChange(x)+24j
					; PopPropogateCoolingChange(x)+2Dj
		cmp	bh, [esi+22h]
		jz	short loc_64F26C
		mov	[esi+22h], bh
		mov	byte ptr [esi+23h], 1
		cmp	dword ptr [esi+14h], 0
		jz	short loc_64F21D
		and	dword ptr [esi+14h], 0

loc_64F21D:				; CODE XREF: PopPropogateCoolingChange(x)+5Fj
		xor	edx, edx
		lea	ecx, [esi+10h]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	_PopDiagTraceCoolingExtensionPassiveUpdate@4 ; PopDiagTraceCoolingExtensionPassiveUpdate(x)
		movzx	eax, bh
		push	eax
		push	dword ptr [esi+30h]
		call	dword ptr [esi+44h]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+10h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+14h], eax
		cmp	byte ptr [esi+23h], 0
		jz	loc_64F1D2
		mov	byte ptr [esi+23h], 0

loc_64F26C:				; CODE XREF: PopPropogateCoolingChange(x)+52j
		cmp	bl, [esi+21h]
		jz	short loc_64F2D0
		mov	[esi+21h], bl
		mov	byte ptr [esi+23h], 1
		cmp	dword ptr [esi+14h], 0
		jz	short loc_64F282
		and	dword ptr [esi+14h], 0

loc_64F282:				; CODE XREF: PopPropogateCoolingChange(x)+C4j
		xor	edx, edx
		lea	ecx, [esi+10h]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	_PopDiagTraceCoolingExtensionActiveUpdate@4 ; PopDiagTraceCoolingExtensionActiveUpdate(x)
		push	[ebp+var_4]
		push	dword ptr [esi+30h]
		call	dword ptr [esi+40h]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+10h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+14h], eax
		cmp	byte ptr [esi+23h], 0
		jz	loc_64F1D2
		mov	byte ptr [esi+23h], 0

loc_64F2D0:				; CODE XREF: PopPropogateCoolingChange(x)+B7j
		mov	eax, [esi+28h]
		pop	edi
		pop	ebx
		test	eax, eax
		jz	short loc_64F2E3
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_64F2E3:				; CODE XREF: PopPropogateCoolingChange(x)+11Fj
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_64F2F4
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_64F2F4:				; CODE XREF: PopPropogateCoolingChange(x)+13j
					; PopPropogateCoolingChange(x)+130j
		pop	esi
		leave
		retn
_PopPropogateCoolingChange@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1670. PoDirectedDripsClearDeviceFlags

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoDirectedDripsClearDeviceFlags(x, x)
		public _PoDirectedDripsClearDeviceFlags@8
_PoDirectedDripsClearDeviceFlags@8 proc	near
					; CODE XREF: PopPowerInformationInternal+171A72p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		test	eax, eax
		jz	short loc_64F315
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_64F317
; 

loc_64F315:				; CODE XREF: PoDirectedDripsClearDeviceFlags(x,x)+Cj
		mov	eax, edx

loc_64F317:				; CODE XREF: PoDirectedDripsClearDeviceFlags(x,x)+17j
		test	eax, eax
		jnz	short loc_64F322
		mov	edx, 0C000000Dh
		jmp	short loc_64F346
; 

loc_64F322:				; CODE XREF: PoDirectedDripsClearDeviceFlags(x,x)+1Dj
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, 0FFFFFFC0h
		jz	short loc_64F335
		mov	edx, 0C000000Dh
		jmp	short loc_64F345
; 

loc_64F335:				; CODE XREF: PoDirectedDripsClearDeviceFlags(x,x)+30j
		mov	ecx, [eax+1E4h]
		not	esi
		and	ecx, esi
		mov	[eax+1E4h], ecx

loc_64F345:				; CODE XREF: PoDirectedDripsClearDeviceFlags(x,x)+37j
		pop	esi

loc_64F346:				; CODE XREF: PoDirectedDripsClearDeviceFlags(x,x)+24j
		mov	eax, edx
		pop	ebp
		retn	8
_PoDirectedDripsClearDeviceFlags@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDisengageTimerCallback(x, x)
_PopDirectedDripsDisengageTimerCallback@8 proc near
					; DATA XREF: PopDirectedDripsInitializeDisengageTimer(x,x,x)+1Co

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, [ebp+arg_4]
		mov	bl, al
		lea	edi, [esi+8]
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		sub	dword ptr [esi+10h], 1
		jnz	short loc_64F376
		mov	ecx, [esi]
		call	_PopDirectedDripsClearDisengageReason@4	; PopDirectedDripsClearDisengageReason(x)

loc_64F376:				; CODE XREF: PopDirectedDripsDisengageTimerCallback(x,x)+21j
		test	ds:byte_70EFC6,	1
		jz	short loc_64F38B
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64F390
; 

loc_64F38B:				; CODE XREF: PopDirectedDripsDisengageTimerCallback(x,x)+31j
		xor	eax, eax
		lock and [edi],	eax

loc_64F390:				; CODE XREF: PopDirectedDripsDisengageTimerCallback(x,x)+3Dj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_PopDirectedDripsDisengageTimerCallback@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsEngage(x, x)
_PopDirectedDripsEngage@8 proc near	; CODE XREF: PopDirectedDripsNotify+9C309p
		mov	edi, edi
		push	ecx
		test	dl, dl
		jnz	short loc_64F3CF
		call	_PopFxClearDirectedDripsCandidateDeviceList@0 ;	PopFxClearDirectedDripsCandidateDeviceList()
		and	ds:dword_6C3830, 0
		mov	eax, 0FFFFC1C7h
		mov	ecx, offset _PopDirectedDripsState
		lock and [ecx],	eax
		test	byte ptr ds:dword_6C36C4, 4
		jz	short loc_64F3E8
		call	_PopDirectedDripsQueryEnabledMitigations@4 ; PopDirectedDripsQueryEnabledMitigations(x)
		pop	ecx
		retn
; 

loc_64F3CF:				; CODE XREF: PopDirectedDripsEngage(x,x)+5j
		mov	eax, 0A00h
		mov	ecx, offset _PopDirectedDripsState
		lock or	[ecx], eax
		push	1
		mov	edx, offset dword_6C36CC
		call	_PopDirectedDripsNotifyAppsAndServices@12 ; PopDirectedDripsNotifyAppsAndServices(x,x,x)

loc_64F3E8:				; CODE XREF: PopDirectedDripsEngage(x,x)+27j
		pop	ecx
		retn
_PopDirectedDripsEngage@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsNotifyResiliencyCompletionWorker(x)
_PopDirectedDripsNotifyResiliencyCompletionWorker@4 proc near
					; DATA XREF: PopDirectedDripsInitializePhase0(x)+1Fo

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		and	[ebp+var_14], 0
		xor	edx, edx
		push	esi
		mov	esi, [ebx+8]
		push	edi
		lea	eax, [esi+7Ch]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		cmp	byte ptr [esi+88h], 0
		jz	short loc_64F43C
		mov	eax, [esi+84h]
		and	dword ptr [esi+84h], 0
		mov	[ebp+var_14], eax
		mov	byte ptr [esi+88h], 0

loc_64F43C:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+39j
		xor	ecx, ecx
		lea	eax, [esi+9Ch]
		xchg	ecx, [eax]
		mov	edx, [ebp+var_8]
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_C], eax
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_64F463
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_8]

loc_64F463:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+6Dj
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	edx, 7FFFFFFCh
		jz	loc_64F5F6
		mov	esi, large fs:124h
		mov	ecx, edx
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], eax
		cmp	edx, eax
		jb	short loc_64F4AA
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_64F4AF
		mov	eax, [ebp+var_30]
		cmp	edx, eax
		jb	short loc_64F4AA
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_64F4AF

loc_64F4AA:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+A3j
					; PopDirectedDripsNotifyResiliencyCompletionWorker(x)+B5j
		or	eax, 0FFFFFFFFh
		jmp	short loc_64F4BD
; 

loc_64F4AF:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+AEj
					; PopDirectedDripsNotifyResiliencyCompletionWorker(x)+BEj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_C], eax

loc_64F4BD:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+C3j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_64F503
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_64F569
		mov	eax, [ebp+var_8]
		push	ecx
		push	[ebp+var_C]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_64F503:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+FAj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_64F519
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_64F519:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+125j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_64F55D
		or	[esi+1E4h], dl
		jmp	short loc_64F569
; 

loc_64F55D:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+169j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_34]

loc_64F569:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+104j
					; PopDirectedDripsNotifyResiliencyCompletionWorker(x)+171j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jz	short loc_64F5D0
		test	edi, 8000h
		jz	short loc_64F58D
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_64F58D:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+198j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_64F5A3
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_64F5A3:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+1A7j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_64F5B7
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_64F5B7:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+1C0j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_64F5D0
		push	[ebp+var_34]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_64F5D0:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+190j
					; PopDirectedDripsNotifyResiliencyCompletionWorker(x)+1D7j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_64F5F6
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_64F5F6
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_64F5F6:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+84j
					; PopDirectedDripsNotifyResiliencyCompletionWorker(x)+1FDj ...
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_64F604
		mov	edx, eax
		call	_PopPdcCompleteResiliencyCallback@8 ; PopPdcCompleteResiliencyCallback(x,x)

loc_64F604:				; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+211j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
_PopDirectedDripsNotifyResiliencyCompletionWorker@4 endp ; sp =	 4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsStartDisengageTimer(x)
_PopDirectedDripsStartDisengageTimer@4 proc near
					; CODE XREF: PopDirectedDripsNotifyFxSurprisePoweredOn(x)+26j
					; PopDirectedDripsNotifyWaitWakeIrpCompletion(x)+25j

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		imul	esi, ecx, 70h
		push	edi
		add	esi, offset unk_6C3748
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [esi+8]
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		or	[esp+20h+var_8], 0FFFFFFFFh
		lea	eax, [esi+18h]
		or	[esp+20h+var_4], 0FFFFFFFFh
		xor	ecx, ecx
		push	ecx
		push	eax
		mov	[esp+28h+var_10], ecx
		mov	[esp+28h+var_C], ecx
		call	KeCancelTimer2
		test	al, al
		jnz	short loc_64F66A
		inc	dword ptr [esi+10h]
		cmp	dword ptr [esi+10h], 1
		jnz	short loc_64F66A
		mov	ecx, [esi]
		call	_PopDirectedDripsSetDisengageReason@4 ;	PopDirectedDripsSetDisengageReason(x)

loc_64F66A:				; CODE XREF: PopDirectedDripsStartDisengageTimer(x)+49j
					; PopDirectedDripsStartDisengageTimer(x)+52j
		push	0FFFFFFFFh
		push	0FF676980h
		push	0
		push	dword ptr [esi+4]
		call	__allmul
		lea	ecx, [esp+20h+var_10]
		push	ecx
		push	0
		push	0
		push	edx
		push	eax
		lea	eax, [esi+18h]
		push	eax
		call	KeSetTimer2
		inc	dword ptr [esi+0Ch]
		test	ds:byte_70EFC6,	1
		jz	short loc_64F6A7
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64F6AC
; 

loc_64F6A7:				; CODE XREF: PopDirectedDripsStartDisengageTimer(x)+8Aj
		xor	eax, eax
		lock and [edi],	eax

loc_64F6AC:				; CODE XREF: PopDirectedDripsStartDisengageTimer(x)+96j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopDirectedDripsStartDisengageTimer@4 endp

; 
		align 10h
; Exported entry 1723. PoSetPowerButtonHoldState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoSetPowerButtonHoldState(x)
		public _PoSetPowerButtonHoldState@4
_PoSetPowerButtonHoldState@4 proc near

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	cl, [ebp+arg_0]
		call	_PopUpdatePowerButtonHoldState@4 ; PopUpdatePowerButtonHoldState(x)
		pop	ebp
		retn	4
_PoSetPowerButtonHoldState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCapabilityCheck(x)
_PopCapabilityCheck@4 proc near		; CODE XREF: NtPowerInformation+171A56p
					; NtPowerInformation+172680p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	byte ptr [ebp+var_1], bl
		test	ecx, ecx
		jz	short loc_64F711
		push	ecx
		push	ecx
		mov	edx, ecx
		lea	ecx, [ebp+var_C]
		call	RtlUnicodeStringInitWorker
		test	eax, eax
		js	short loc_64F711
		lea	eax, [ebp+var_1]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		call	_RtlCapabilityCheck@12 ; RtlCapabilityCheck(x,x,x)
		test	eax, eax
		sets	bl
		dec	bl
		and	bl, byte ptr [ebp+var_1]

loc_64F711:				; CODE XREF: PopCapabilityCheck(x)+16j
					; PopCapabilityCheck(x)+26j
		mov	al, bl
		pop	ebx
		leave
		retn
_PopCapabilityCheck@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIsRunningInVm()
_PopIsRunningInVm@0 proc near		; CODE XREF: PopPowerInformationInternal:loc_8D70C0p

var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		stosd
		call	HviIsAnyHypervisorPresent
		test	al, al
		jz	short loc_64F770
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax
		call	HviGetHypervisorFeatures
		mov	ecx, [ebp+var_14]
		mov	esi, 1000h
		and	ecx, esi
		xor	eax, eax
		or	eax, ecx
		jz	short loc_64F76C
		lea	eax, [ebp+var_28]
		push	eax
		call	HviGetEnlightenmentInformation
		test	[ebp+var_28], esi
		jz	short loc_64F770

loc_64F76C:				; CODE XREF: PopIsRunningInVm()+46j
		mov	al, 1
		jmp	short loc_64F772
; 

loc_64F770:				; CODE XREF: PopIsRunningInVm()+24j
					; PopIsRunningInVm()+54j
		xor	al, al

loc_64F772:				; CODE XREF: PopIsRunningInVm()+58j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopIsRunningInVm@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopQueryBootSessionStandbyActivationInfo(x)
_PopQueryBootSessionStandbyActivationInfo@4 proc near
					; CODE XREF: PopPowerInformationInternal+1713B6p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, ds:dword_6D6FD4
		test	ecx, ecx
		jnz	short loc_64F796
		mov	eax, 0C0000002h
		pop	esi
		retn
; 

loc_64F796:				; CODE XREF: PopQueryBootSessionStandbyActivationInfo(x)+Dj
		push	esi
		lea	eax, [esi+10h]
		push	eax
		lea	eax, [esi+18h]
		push	eax
		call	ecx
		mov	ecx, ds:dword_6D4640
		call	_PpmQueryPlatformStateResidency@8 ; PpmQueryPlatformStateResidency(x,x)
		mov	[esi+8], eax
		xor	eax, eax
		mov	[esi+0Ch], edx
		pop	esi
		retn
_PopQueryBootSessionStandbyActivationInfo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWnfBluetoothChargingCallback(x, x, x, x,	x, x)
_PopWnfBluetoothChargingCallback@24 proc near
					; DATA XREF: PopSetupBluetoothChargingNotification()+9o

var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		lea	eax, [ebp+var_8]
		mov	byte ptr [ebp+var_1], 0
		push	eax		; int
		lea	eax, [ebp+var_1]
		xor	ebx, ebx
		push	eax		; void *
		lea	eax, [ebp+arg_C]
		inc	ebx
		push	eax		; int
		push	[ebp+arg_0]	; int
		mov	[ebp+var_8], ebx
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_64F84A
		cmp	[ebp+var_8], ebx
		jnb	short loc_64F7EC
		xor	esi, esi
		jmp	short loc_64F84A
; 

loc_64F7EC:				; CODE XREF: PopWnfBluetoothChargingCallback(x,x,x,x,x,x)+30j
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PopCsResiliencyStatsLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	ds:_PopCsResiliencyStats, 0
		mov	cl, byte ptr [ebp+var_1]
		mov	ds:byte_6C2D65,	cl
		jz	short loc_64F827
		test	cl, cl
		jz	short loc_64F827
		cmp	ds:byte_6C2363,	0
		jnz	short loc_64F827
		mov	ds:byte_6C2363,	1

loc_64F827:				; CODE XREF: PopWnfBluetoothChargingCallback(x,x,x,x,x,x)+5Bj
					; PopWnfBluetoothChargingCallback(x,x,x,x,x,x)+5Fj ...
		test	ds:byte_70EFC6,	1
		jz	short loc_64F83C
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64F841
; 

loc_64F83C:				; CODE XREF: PopWnfBluetoothChargingCallback(x,x,x,x,x,x)+78j
		xor	eax, eax
		lock and [edi],	eax

loc_64F841:				; CODE XREF: PopWnfBluetoothChargingCallback(x,x,x,x,x,x)+84j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi

loc_64F84A:				; CODE XREF: PopWnfBluetoothChargingCallback(x,x,x,x,x,x)+2Bj
					; PopWnfBluetoothChargingCallback(x,x,x,x,x,x)+34j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
_PopWnfBluetoothChargingCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWnfMobileHotspotCallback(x, x, x, x, x, x)
_PopWnfMobileHotspotCallback@24	proc near
					; DATA XREF: PopSetupMobileHotspotNotification()+9o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_10]
		push	esi
		push	ecx		; int
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_10], 8
		push	ecx		; void *
		lea	ecx, [ebp+arg_C]
		push	ecx		; int
		push	eax		; int
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_64F89E
		cmp	[ebp+var_10], 8
		jnb	short loc_64F891
		xor	esi, esi
		jmp	short loc_64F89E
; 

loc_64F891:				; CODE XREF: PopWnfMobileHotspotCallback(x,x,x,x,x,x)+39j
		mov	ecx, [ebp+var_C]
		shr	ecx, 1
		and	cl, 1
		call	_PopPowerRequestNotifyMobileHotspotChanged@4 ; PopPowerRequestNotifyMobileHotspotChanged(x)

loc_64F89E:				; CODE XREF: PopWnfMobileHotspotCallback(x,x,x,x,x,x)+33j
					; PopWnfMobileHotspotCallback(x,x,x,x,x,x)+3Dj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_PopWnfMobileHotspotCallback@24	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1673. PoEndDeviceBusy

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoEndDeviceBusy(x)
		public _PoEndDeviceBusy@4
_PoEndDeviceBusy@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		lock dec dword ptr [eax+8]
		pop	ebp
		retn	4
_PoEndDeviceBusy@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1720. PoSetDeviceBusyEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoSetDeviceBusyEx(x)
		public _PoSetDeviceBusyEx@4
_PoSetDeviceBusyEx@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		lock inc dword ptr [eax+4]
		pop	ebp
		retn	4
_PoSetDeviceBusyEx@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1733. PoStartDeviceBusy

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoStartDeviceBusy(x)
		public _PoStartDeviceBusy@4
_PoStartDeviceBusy@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		lock inc dword ptr [eax+4]
		lock inc dword ptr [eax+8]
		pop	ebp
		retn	4
_PoStartDeviceBusy@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDeviceIdleCompletion(x, x, x, x,	x)
_PopDeviceIdleCompletion@20 proc near	; DATA XREF: PopScanIdleList(x,x,x)+173o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PopDopeGlobalLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		sub	ds:dword_6D4A4C, 1
		jnz	short loc_64F931
		mov	edx, ds:_PopDeviceIdleSync
		test	edx, edx
		jz	short loc_64F931
		push	0
		push	0
		push	edx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		and	ds:_PopDeviceIdleSync, 0

loc_64F931:				; CODE XREF: PopDeviceIdleCompletion(x,x,x,x,x)+22j
					; PopDeviceIdleCompletion(x,x,x,x,x)+2Cj
		test	ds:byte_70EFC6,	1
		jz	short loc_64F946
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64F94B
; 

loc_64F946:				; CODE XREF: PopDeviceIdleCompletion(x,x,x,x,x)+46j
		xor	eax, eax
		lock and [edi],	eax

loc_64F94B:				; CODE XREF: PopDeviceIdleCompletion(x,x,x,x,x)+52j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	ebx
		pop	ebp
		retn	14h
_PopDeviceIdleCompletion@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoIssueCoalescingNotification(x, x,	x)
_PoIssueCoalescingNotification@12 proc near ; CODE XREF: CmpIssueNewDirtyCallback+185424p
					; PopCoalescingCallbackWorker(x)+5Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		mov	al, [ecx+10h]
		and	[ebp+var_4], 0
		mov	byte ptr [ebp+var_C], al
		mov	eax, large fs:124h
		mov	[ebp+var_8], edx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopCoalRegistrationListLock
		call	ExAcquirePushLockSharedEx
		mov	edi, ds:_PopCoalRegistrationList
		jmp	short loc_64F9E3
; 

loc_64F99B:				; CODE XREF: PoIssueCoalescingNotification(x,x,x)+90j
		lea	ebx, [edi+8]
		mov	ecx, ebx
		call	ExReferenceCallBackBlock
		mov	esi, eax
		test	esi, esi
		jz	short loc_64F9E1
		mov	cl, [edi-8]
		cmp	cl, byte ptr [ebp+var_C]
		jz	short loc_64F9BE
		push	[ebp+var_4]
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	dword ptr [esi+4]

loc_64F9BE:				; CODE XREF: PoIssueCoalescingNotification(x,x,x)+58j
		mov	ecx, [ebx]
		mov	eax, ecx
		jmp	short loc_64F9D3
; 

loc_64F9C4:				; CODE XREF: PoIssueCoalescingNotification(x,x,x)+7Fj
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jz	short loc_64F9E1
		mov	ecx, eax

loc_64F9D3:				; CODE XREF: PoIssueCoalescingNotification(x,x,x)+69j
		xor	eax, esi
		cmp	eax, 7
		jb	short loc_64F9C4
		mov	ecx, esi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_64F9E1:				; CODE XREF: PoIssueCoalescingNotification(x,x,x)+50j
					; PoIssueCoalescingNotification(x,x,x)+76j
		mov	edi, [edi]

loc_64F9E3:				; CODE XREF: PoIssueCoalescingNotification(x,x,x)+40j
		cmp	edi, offset _PopCoalRegistrationList
		jnz	short loc_64F99B
		cmp	ds:dword_6C3544, 0
		jz	short loc_64F9FB
		and	ds:dword_6C3544, 0

loc_64F9FB:				; CODE XREF: PoIssueCoalescingNotification(x,x,x)+99j
		xor	edx, edx
		mov	ecx, offset _PopCoalRegistrationListLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PoIssueCoalescingNotification@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCoalescingCheck(x, x, x,	x)
_PopCoalescingCheck@16 proc near	; CODE XREF: PopScanIdleList(x,x,x)+ECp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jz	short loc_64FA85
		cmp	[ebp+arg_0], 0
		jnz	short loc_64FA73
		mov	eax, ds:_PopCoalescingFlushInterval
		mov	ecx, 3E8h
		mul	ecx
		mov	ebx, 2710h
		mov	ecx, eax
		mov	eax, edx
		mul	ebx
		push	esi
		mov	esi, eax
		mov	eax, ecx
		mul	ebx
		add	esi, edx
		mov	ebx, eax
		call	KeQueryInterruptTime
		sub	eax, ds:_PopCoalescingLastFlushTime
		sbb	edx, ds:dword_6C3534
		cmp	edx, esi
		pop	esi
		jb	short loc_64FA85
		ja	short loc_64FA64
		cmp	eax, ebx
		jb	short loc_64FA85

loc_64FA64:				; CODE XREF: PopCoalescingCheck(x,x,x,x)+4Bj
		push	20h
		pop	ecx
		call	PopGetPolicyWorker
		call	PopCheckForWork
		jmp	short loc_64FA85
; 

loc_64FA73:				; CODE XREF: PopCoalescingCheck(x,x,x,x)+11j
		cmp	edi, ecx
		jbe	short loc_64FA85
		mov	eax, ecx
		xor	edx, edx
		mov	ecx, 3E8h
		div	ecx
		lea	edi, [eax+1]

loc_64FA85:				; CODE XREF: PopCoalescingCheck(x,x,x,x)+Bj
					; PopCoalescingCheck(x,x,x,x)+49j ...
		mov	eax, edi
		pop	edi
		pop	ebx
		pop	ebp
		retn	8
_PopCoalescingCheck@16 endp


;  S U B	R O U T	I N E 


; __stdcall PopCoalescingSetActiveState(x)
_PopCoalescingSetActiveState@4 proc near ; CODE	XREF: PopCoalescingCallbackWorker(x)+16p
					; PopCoalescingCallbackWorker(x)+32p
		mov	edi, edi
		push	ebx
		mov	bl, cl
		test	bl, bl
		jz	short loc_64FACC
		cmp	ds:_PopCoalescingEnforced, 0
		mov	eax, ds:_PopEnforcedCoalescingSpindownTimeout
		jnz	short loc_64FAA9
		mov	eax, ds:_PopDppeCoalescingSpindownTimeout

loc_64FAA9:				; CODE XREF: PopCoalescingSetActiveState(x)+15j
		or	ds:_PopCoalescingState,	1
		mov	ds:_PopCurrentCoalescingSpindownTimeout, eax
		call	KeQueryInterruptTime
		mov	ds:_PopCoalescingLastFlushTime,	eax
		mov	ds:dword_6C3534, edx
		call	_PopCoalescingSetTimer@0 ; PopCoalescingSetTimer()
		jmp	short loc_64FAE9
; 

loc_64FACC:				; CODE XREF: PopCoalescingSetActiveState(x)+7j
		and	ds:_PopCoalescingState,	0FEh
		and	ds:_PopCurrentCoalescingSpindownTimeout, 0
		push	offset _PopCoalescingTimer
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		call	PopCheckResiliencyScenarios

loc_64FAE9:				; CODE XREF: PopCoalescingSetActiveState(x)+3Dj
		call	PopUpdateDiskIdleTimeoutSetting
		test	bl, bl
		pop	ebx
		jz	short loc_64FB06
		xor	eax, eax
		cmp	ds:_PopCoalescingEnforced, al
		setz	al
		push	eax
		push	ecx
		call	_PopDiagTraceIoCoalescingOn@16 ; PopDiagTraceIoCoalescingOn(x,x,x,x)
		retn
; 

loc_64FB06:				; CODE XREF: PopCoalescingSetActiveState(x)+64j
		jmp	_PopDiagTraceIoCoalescingOff@0 ; PopDiagTraceIoCoalescingOff()
_PopCoalescingSetActiveState@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopCoalescingSetTimer()
_PopCoalescingSetTimer@0 proc near	; CODE XREF: PopCoalescingSetActiveState(x)+38p
					; PopCoalescingNotify()+39p
		test	ds:_PopCoalescingState,	1
		jz	short locret_64FB4C
		push	esi
		push	offset ??_C@_0CL@EMNGOHPB@PopCoalescing?3?5Coalescing?5timer@FNODOBFM@ ; "PopCoalescing: Coalescing timer activat"...
		push	3
		call	_PopPrintEx
		mov	eax, ds:_PopCoalescingTimerInterval
		mov	esi, offset _PopCoalescingTimer
		pop	ecx
		pop	ecx
		mov	ecx, 0FF676980h
		imul	ecx
		mov	ecx, esi
		push	edx
		push	eax
		push	offset _PopCoalescingTimerDpc
		push	0
		xor	edx, edx
		call	KiSetTimerEx
		lock bts dword ptr [esi], 9
		pop	esi

locret_64FB4C:				; CODE XREF: PopCoalescingSetTimer()+7j
		retn
_PopCoalescingSetTimer@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopCoalesingTimerDpcCallback(x, x, x, x)
_PopCoalesingTimerDpcCallback@16 proc near ; DATA XREF:	PopCoalescingInitialize()+41o
		push	20h
		pop	ecx
		call	PopGetPolicyWorker
		call	PopCheckForWork
		retn	10h
_PopCoalesingTimerDpcCallback@16 endp


;  S U B	R O U T	I N E 


; __stdcall PopEnsureCoalescingWorkerWillRun()
_PopEnsureCoalescingWorkerWillRun@0 proc near
					; CODE XREF: PopCheckResiliencyScenarios+172159p
					; PopEnforceResiliencyScenarios:loc_905C6Fp ...
		mov	al, ds:_PopCoalescingState
		test	al, 8
		jnz	short locret_64FB79
		push	1
		or	al, 8
		push	offset _PopCoalescingCallbackWorkItem
		mov	ds:_PopCoalescingState,	al
		call	ExQueueWorkItem

locret_64FB79:				; CODE XREF: PopEnsureCoalescingWorkerWillRun()+7j
		retn
_PopEnsureCoalescingWorkerWillRun@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEnsureErratumSubscribed(x)
_PopEnsureErratumSubscribed@4 proc near	; CODE XREF: PoRegisterPowerSettingCallback+126323p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		lea	ebx, [edi+4]
		cmp	[ebx], eax
		jnz	short loc_64FBF4
		mov	esi, [edi]
		lea	eax, [ebp+var_8]
		push	eax
		call	KeQuerySystemTime
		push	offset _Crc64Ctrl
		push	0
		push	0
		push	8
		pop	edx
		lea	ecx, [ebp+var_8]
		call	RtlpComputeCrcInternal
		push	offset _Crc64Ctrl
		push	edx
		push	eax
		push	8
		pop	edx
		mov	ecx, esi
		call	RtlpComputeCrcInternal
		push	offset _Crc64Ctrl
		push	edx
		push	eax
		push	8
		mov	[edi+0Ch], edx
		mov	ecx, esi
		pop	edx
		mov	[edi+8], eax
		call	RtlpComputeCrcInternal
		push	edi
		push	offset _PopErratumUpdateCallback@24 ; PopErratumUpdateCallback(x,x,x,x,x,x)
		push	0
		push	1
		push	esi
		push	ebx
		mov	[edi+10h], eax
		mov	[edi+14h], edx
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)

loc_64FBF4:				; CODE XREF: PopEnsureErratumSubscribed(x)+1Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopEnsureErratumSubscribed@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopErratumUpdateCallback(x,	x, x, x, x, x)
_PopErratumUpdateCallback@24 proc near	; DATA XREF: PopEnsureErratumSubscribed(x)+64o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
Length		= dword	ptr -4
arg_0		= dword	ptr  8
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	eax, [ebp+Length]
		mov	[ebp+Length], 4
		push	eax		; int
		lea	eax, [ebp+var_8]
		push	eax		; void *
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	[ebp+arg_0]	; int
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		test	eax, eax
		js	short loc_64FC32
		mov	ecx, [ebp+arg_14]
		lea	eax, [ebp+var_8]
		mov	edx, [ebp+Length] ; Length
		push	eax		; void *
		lea	ecx, [ecx+8]	; int
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)

loc_64FC32:				; CODE XREF: PopErratumUpdateCallback(x,x,x,x,x,x)+25j
		xor	eax, eax
		leave
		retn	18h
_PopErratumUpdateCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerSettingPendingUpdateWatchdog(x, x)
_PopPowerSettingPendingUpdateWatchdog@8	proc near
					; CODE XREF: PopDeepSleepWatchdogTakeAction(x,x)+18p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	bl, bl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopPendingPowerSettingUpdateLock
		mov	bh, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, ds:_PopPendingPowerSettingUpdateTime
		or	eax, ds:dword_6C2174
		jz	short loc_64FC81
		call	KeQueryInterruptTime
		sub	eax, ds:_PopPendingPowerSettingUpdateTime
		sbb	edx, ds:dword_6C2174
		cmp	edx, [ebp+arg_4]
		jb	short loc_64FC81
		ja	short loc_64FC7F
		cmp	eax, [ebp+arg_0]
		jb	short loc_64FC81

loc_64FC7F:				; CODE XREF: PopPowerSettingPendingUpdateWatchdog(x,x)+40j
		mov	bl, 1

loc_64FC81:				; CODE XREF: PopPowerSettingPendingUpdateWatchdog(x,x)+28j
					; PopPowerSettingPendingUpdateWatchdog(x,x)+3Ej ...
		test	ds:byte_70EFC6,	1
		jz	short loc_64FC96
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_64FC9B
; 

loc_64FC96:				; CODE XREF: PopPowerSettingPendingUpdateWatchdog(x,x)+50j
		xor	eax, eax
		lock and [esi],	eax

loc_64FC9B:				; CODE XREF: PopPowerSettingPendingUpdateWatchdog(x,x)+5Cj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
_PopPowerSettingPendingUpdateWatchdog@8	endp

; 
		align 10h
; Exported entry 1717. PoRegisterSystemState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoRegisterSystemState(x, x)
		public _PoRegisterSystemState@8
_PoRegisterSystemState@8 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		xor	esi, esi
		and	[ebp+var_8], esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		test	ebx, 7FFFFFF8h
		jnz	short loc_64FD3E
		test	ebx, ebx
		jz	short loc_64FCDD
		js	short loc_64FCDD
		push	ebx
		call	_PoSetSystemState@4 ; PoSetSystemState(x)
		jmp	short loc_64FD3E
; 

loc_64FCDD:				; CODE XREF: PoRegisterSystemState(x,x)+21j
					; PoRegisterSystemState(x,x)+23j
		mov	esi, [ebp+arg_0]
		mov	ecx, ebx
		mov	edx, esi
		call	_PopDiagTraceRegisterSystemState@8 ; PopDiagTraceRegisterSystemState(x,x)
		mov	[ebp+arg_4], esi
		test	esi, esi
		jnz	short loc_64FD1C
		lea	eax, [ebp+var_4]
		xor	dl, dl
		push	eax
		push	esi
		push	1
		push	esi
		xor	ecx, ecx
		call	_PoCaptureReasonContext@24 ; PoCaptureReasonContext(x,x,x,x,x,x)
		mov	edi, [ebp+var_4]
		test	eax, eax
		js	short loc_64FD33
		mov	edx, edi
		lea	ecx, [ebp+arg_4]
		call	_PopCreateKernelPowerRequest@8 ; PopCreateKernelPowerRequest(x,x)
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_8], eax
		test	eax, eax
		js	short loc_64FD33

loc_64FD1C:				; CODE XREF: PoRegisterSystemState(x,x)+3Ej
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	_PopGetLegacyPowerRequestFlags@12 ; PopGetLegacyPowerRequestFlags(x,x,x)
		push	eax
		call	PopApplyLegacyPowerRequestFlags
		cmp	[ebp+var_8], 0
		jge	short loc_64FD3E

loc_64FD33:				; CODE XREF: PoRegisterSystemState(x,x)+56j
					; PoRegisterSystemState(x,x)+6Aj
		test	edi, edi
		jz	short loc_64FD3E
		mov	ecx, edi
		call	_PoDestroyReasonContext@4 ; PoDestroyReasonContext(x)

loc_64FD3E:				; CODE XREF: PoRegisterSystemState(x,x)+1Dj
					; PoRegisterSystemState(x,x)+2Bj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_PoRegisterSystemState@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1726. PoSetSystemState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoSetSystemState(x)
		public _PoSetSystemState@4
_PoSetSystemState@4 proc near		; CODE XREF: PoRegisterSystemState(x,x)+26p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		xor	bl, bl
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_64FD65
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		inc	bl

loc_64FD65:				; CODE XREF: PoSetSystemState(x)+10j
		mov	ecx, [ebp+arg_0]
		push	7
		pop	edx
		call	PopSetSystemState
		test	bl, bl
		pop	ebx
		jz	short loc_64FD7A
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_64FD7A:				; CODE XREF: PoSetSystemState(x)+27j
		pop	ebp
		retn	4
_PoSetSystemState@4 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 1737. PoUnregisterSystemState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoUnregisterSystemState(x)
		public _PoUnregisterSystemState@4
_PoUnregisterSystemState@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jz	short loc_64FD94
		pop	ebp
		jmp	_PoDeletePowerRequest@4	; PoDeletePowerRequest(x)
; 

loc_64FD94:				; CODE XREF: PoUnregisterSystemState(x)+9j
		pop	ebp
		retn	4
_PoUnregisterSystemState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdateWakeSource(x)
_PopUpdateWakeSource@4 proc near	; CODE XREF: PopRequestCompletion+8585Ap
					; PoSetSystemWakeDevice(x)+1Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	ebx, ecx
		stosd
		push	206D654Dh
		push	14h
		push	200h
		stosd
		stosd
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_64FDCE
		mov	edi, 0C000009Ah
		jmp	loc_64FEA3
; 

loc_64FDCE:				; CODE XREF: PopUpdateWakeSource(x)+2Aj
		xor	eax, eax
		lea	edx, [ebp+var_C]
		mov	edi, esi
		mov	ecx, offset _PopWakeSourceLock
		stosd
		stosd
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	edi, edi
		cmp	ds:_PopCurrentWakeInfo,	edi
		jz	short loc_64FE4A
		mov	edx, 67446F50h
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag
		mov	eax, ds:_PopCurrentWakeInfo
		mov	[esi+8], ebx
		mov	[esi+0Ch], eax
		lock inc dword ptr [eax+8]
		mov	eax, ds:dword_6C342C
		mov	ecx, offset _PopWakeSourceWorkList
		cmp	[eax], ecx
		jz	short loc_64FE1C
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_64FE1C:				; CODE XREF: PopUpdateWakeSource(x)+7Dj
		mov	[esi], ecx
		xor	ebx, ebx
		mov	[esi+4], eax
		inc	ebx
		cmp	ds:_PopWakeSourceWorkInProgress, 0
		mov	[eax], esi
		mov	ds:dword_6C342C, esi
		mov	esi, edi
		jnz	short loc_64FE4D
		push	ebx
		push	offset _PopWakeSourceWorkItem
		mov	ds:_PopWakeSourceWorkInProgress, bl
		call	ExQueueWorkItem
		jmp	short loc_64FE4D
; 

loc_64FE4A:				; CODE XREF: PopUpdateWakeSource(x)+54j
		xor	ebx, ebx
		inc	ebx

loc_64FE4D:				; CODE XREF: PopUpdateWakeSource(x)+9Dj
					; PopUpdateWakeSource(x)+B0j
		test	ds:byte_70EFC6,	1
		jz	short loc_64FE63
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_64FE8B
; 

loc_64FE63:				; CODE XREF: PopUpdateWakeSource(x)+BCj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_64FE82
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_64FE8B
		call	KxWaitForLockChainValid

loc_64FE82:				; CODE XREF: PopUpdateWakeSource(x)+D0j
		mov	[ebp+var_C], edi
		add	eax, 4
		lock xor [eax],	ebx

loc_64FE8B:				; CODE XREF: PopUpdateWakeSource(x)+C9j
					; PopUpdateWakeSource(x)+E3j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_64FEA3
		push	206D654Dh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_64FEA3:				; CODE XREF: PopUpdateWakeSource(x)+31j
					; PopUpdateWakeSource(x)+FEj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopUpdateWakeSource@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdateWakeSourceWorker(x)
_PopUpdateWakeSourceWorker@4 proc near	; DATA XREF: PopWakeSourceInit()+5Ao

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		and	[esp+1Ch+var_18], 0
		lea	edx, [esp+1Ch+var_C]
		and	[esp+1Ch+var_1C], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+28h+var_C]
		mov	ecx, offset _PopWakeSourceLock
		stosd
		stosd
		stosd
		lea	eax, [esp+28h+var_14]
		mov	[esp+28h+var_10], eax
		mov	[esp+28h+var_14], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)

loc_64FEE4:				; CODE XREF: PopUpdateWakeSourceWorker(x)+14Aj
		mov	esi, ds:_PopWakeSourceWorkList
		lea	ecx, [esp+28h+var_C]
		cmp	esi, offset _PopWakeSourceWorkList
		jz	loc_64FFF9
		call	PopReleaseWakeSourceSpinLock
		mov	edi, [esi+0Ch]
		mov	cl, 1
		call	_IoControlPnpDeviceActionQueue@4 ; IoControlPnpDeviceActionQueue(x)
		lea	eax, [esp+28h+var_18]
		mov	ecx, esi
		push	eax
		lea	edx, [esp+2Ch+var_1C]
		call	_PopProcessWakeSourceWork@12 ; PopProcessWakeSourceWork(x,x,x)
		mov	ebx, eax
		call	PnpUnlockDeviceActionQueue
		mov	ecx, [esi+8]
		mov	edx, 67446F50h
		call	ObfDereferenceObjectWithTag
		lea	edx, [esp+28h+var_C]
		mov	ecx, offset _PopWakeSourceLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	edi, ds:_PopCurrentWakeInfo
		jz	short loc_64FF4B
		cmp	edi, ds:_PopPendingWakeInfo
		jnz	short loc_64FF9F

loc_64FF4B:				; CODE XREF: PopUpdateWakeSourceWorker(x)+97j
		test	ebx, ebx
		js	short loc_64FF9F
		lea	ecx, [edi+0Ch]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_65002F
		mov	eax, [esp+28h+var_1C]
		and	[esp+28h+var_1C], 0
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		inc	dword ptr [edi+14h]
		mov	eax, [esp+28h+var_18]
		test	eax, eax
		jz	short loc_64FFBE
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_65002F
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_65002F
		mov	[edx], ecx
		mov	[ecx+4], edx
		dec	dword ptr [edi+14h]
		mov	[esp+28h+var_1C], eax
		jmp	short loc_64FFA3
; 

loc_64FF9F:				; CODE XREF: PopUpdateWakeSourceWorker(x)+9Fj
					; PopUpdateWakeSourceWorker(x)+A3j
		mov	eax, [esp+28h+var_1C]

loc_64FFA3:				; CODE XREF: PopUpdateWakeSourceWorker(x)+F3j
		test	eax, eax
		jz	short loc_64FFBE
		mov	ecx, [esp+28h+var_10]
		lea	edx, [esp+28h+var_14]
		cmp	[ecx], edx
		jnz	short loc_65002F
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esp+28h+var_10], eax

loc_64FFBE:				; CODE XREF: PopUpdateWakeSourceWorker(x)+CFj
					; PopUpdateWakeSourceWorker(x)+FBj
		mov	ecx, edi
		call	PopWakeInfoDereference
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_64FFD6
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_64FFD6:				; CODE XREF: PopUpdateWakeSourceWorker(x)+120j
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_65002F
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_65002F
		push	206D654Dh
		mov	[ecx], eax
		push	esi
		mov	[eax+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_64FEE4
; 

loc_64FFF9:				; CODE XREF: PopUpdateWakeSourceWorker(x)+4Aj
		mov	ds:_PopWakeSourceWorkInProgress, 0
		call	PopReleaseWakeSourceSpinLock

loc_650005:				; CODE XREF: PopUpdateWakeSourceWorker(x)+183j
		mov	ecx, [esp+28h+var_14]
		lea	eax, [esp+28h+var_14]
		cmp	ecx, eax
		jz	short loc_650034
		cmp	[ecx+4], eax
		jnz	short loc_65002F
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_65002F
		lea	edx, [esp+28h+var_14]
		mov	[esp+28h+var_14], eax
		mov	[eax+4], edx
		call	_PopFreeWakeSource@4 ; PopFreeWakeSource(x)
		jmp	short loc_650005
; 

loc_65002F:				; CODE XREF: PopUpdateWakeSourceWorker(x)+ADj
					; PopUpdateWakeSourceWorker(x)+D6j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_650034:				; CODE XREF: PopUpdateWakeSourceWorker(x)+165j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp

locret_65003A:				; DATA XREF: .text:??_C@_1BA@CIBIBIEE@?$AA?$DM?$AAe?$AAr?$AAr?$AAo?$AAr?$AA?$DO@FNODOBFM@o
		retn	4
_PopUpdateWakeSourceWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLongLongAdd(x, x, x, x, x)
_RtlLongLongAdd@20 proc	near		; CODE XREF: PopReadPagesFromHiberFile(x,x,x)+C6p
					; RtlParseLeapSecondData(x,x,x,x)+BEp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx

loc_650043:				; DATA XREF: .text:??_C@_1BG@NKLOKCD@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAD?$AAe?$AAs?$AAc@FNODOBFM@o
					; .text:005A7A24o ...
		mov	edx, [ebp+arg_0]
		add	edx, [ebp+arg_8]
		push	ebx
		push	esi

loc_65004B:				; DATA XREF: .text:??_C@_1DO@NJNPPJHL@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAU?$AAI?$AA?9?$AAL?$AAa?$AAn?$AAg@FNODOBFM@o
					; .text:??_C@_1DE@JIOMGOFI@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAU?$AAI?$AA?9?$AAN?$AAu?$AAm?$AAb@FNODOBFM@o ...
		push	edi

loc_65004C:				; DATA XREF: .text:??_C@_1CG@ONBEMBCH@?$AAM?$AAe?$AAs?$AAs?$AAa?$AAg?$AAe?$AAB?$AAl?$AAo?$AAc?$AAk?$AAL?$AAe?$AAn@FNODOBFM@o
		mov	edi, [ebp+arg_4]
		adc	edi, [ebp+arg_C]

loc_650052:				; DATA XREF: .text:005A374Ao
					; .text:005A428Co ...
		xor	eax, eax

loc_650054:				; DATA XREF: .text:??_C@_1BA@LIACFDLB@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@FNODOBFM@o
		mov	[ebp+var_4], ecx
		xor	ecx, ecx
		inc	ecx
		cmp	[ebp+arg_4], eax
		jg	short loc_65006A
		jl	short loc_650066

loc_650061:				; DATA XREF: .text:004067B4o
					; .text:005A7A20o ...
		cmp	[ebp+arg_0], eax
		jnb	short loc_65006A

loc_650066:				; CODE XREF: RtlLongLongAdd(x,x,x,x,x)+22j
		mov	ebx, ecx
		jmp	short loc_65006C
; 

loc_65006A:				; CODE XREF: RtlLongLongAdd(x,x,x,x,x)+20j
					; RtlLongLongAdd(x,x,x,x,x)+27j
		mov	ebx, eax

loc_65006C:				; CODE XREF: RtlLongLongAdd(x,x,x,x,x)+2Bj
					; DATA XREF: .text:005A7474o ...
		cmp	[ebp+arg_C], eax
		jg	short loc_65007C

loc_650071:				; DATA XREF: .text:005A7B5Eo
		jl	short loc_650078

loc_650073:				; DATA XREF: .text:005A3C78o
					; .text:005A3CB8o
		cmp	[ebp+arg_8], eax
		jnb	short loc_65007C

loc_650078:				; CODE XREF: RtlLongLongAdd(x,x,x,x,x):loc_650071j
		mov	esi, ecx

loc_65007A:				; DATA XREF: .text:005A3CC0o
		jmp	short loc_65007E
; 

loc_65007C:				; CODE XREF: RtlLongLongAdd(x,x,x,x,x)+32j
					; RtlLongLongAdd(x,x,x,x,x)+39j
		mov	esi, eax

loc_65007E:				; CODE XREF: RtlLongLongAdd(x,x,x,x,x):loc_65007Aj
		cmp	ebx, esi
		jnz	short loc_6500AE
		cmp	[ebp+arg_4], eax
		jg	short loc_650092
		jl	short loc_65008E
		cmp	[ebp+arg_0], eax
		jnb	short loc_650092

loc_65008E:				; CODE XREF: RtlLongLongAdd(x,x,x,x,x)+4Aj
		mov	esi, ecx
		jmp	short loc_650094
; 

loc_650092:				; CODE XREF: RtlLongLongAdd(x,x,x,x,x)+48j
					; RtlLongLongAdd(x,x,x,x,x)+4Fj
		mov	esi, eax

loc_650094:				; CODE XREF: RtlLongLongAdd(x,x,x,x,x)+53j
		cmp	edi, eax
		jg	short loc_65009E
		jl	short loc_6500A0
		cmp	edx, eax
		jb	short loc_6500A0

loc_65009E:				; CODE XREF: RtlLongLongAdd(x,x,x,x,x)+59j
		mov	ecx, eax

loc_6500A0:				; CODE XREF: RtlLongLongAdd(x,x,x,x,x)+5Bj
					; RtlLongLongAdd(x,x,x,x,x)+5Fj
		cmp	esi, ecx
		jz	short loc_6500AE
		or	edx, 0FFFFFFFFh
		mov	eax, 0C0000095h
		mov	edi, edx

loc_6500AE:				; CODE XREF: RtlLongLongAdd(x,x,x,x,x)+43j
					; RtlLongLongAdd(x,x,x,x,x)+65j
		mov	ecx, [ebp+var_4]
		mov	[ecx], edx
		mov	[ecx+4], edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_RtlLongLongAdd@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLongLongMult(x, x, x, x,	x)
_RtlLongLongMult@20 proc near		; CODE XREF: PopReadPagesFromHiberFile(x,x,x)+AAp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	edx, edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	ebx, edx
		jg	short loc_6500ED
		jl	short loc_6500E1
		cmp	edi, edx
		jnb	short loc_6500ED

loc_6500E1:				; CODE XREF: RtlLongLongMult(x,x,x,x,x)+1Ej
		mov	ecx, edi
		mov	eax, ebx
		neg	ecx
		adc	eax, edx
		neg	eax
		jmp	short loc_6500F1
; 

loc_6500ED:				; CODE XREF: RtlLongLongMult(x,x,x,x,x)+1Cj
					; RtlLongLongMult(x,x,x,x,x)+22j
		mov	ecx, edi
		mov	eax, ebx

loc_6500F1:				; CODE XREF: RtlLongLongMult(x,x,x,x,x)+2Ej
		push	edx
		push	1000h
		push	eax
		push	ecx
		lea	ecx, [ebp+var_8]
		call	_RtlULongLongMult@20 ; RtlULongLongMult(x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_650161
		test	ebx, ebx
		jg	short loc_65013C
		jl	short loc_650111
		test	edi, edi
		jnb	short loc_65013C

loc_650111:				; CODE XREF: RtlLongLongMult(x,x,x,x,x)+4Ej
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		cmp	ecx, 80000000h
		jb	short loc_650131
		ja	short loc_650125
		test	eax, eax
		jz	short loc_650131

loc_650125:				; CODE XREF: RtlLongLongMult(x,x,x,x,x)+62j
		or	eax, 0FFFFFFFFh
		mov	edx, 0C0000095h
		mov	ecx, eax
		jmp	short loc_650138
; 

loc_650131:				; CODE XREF: RtlLongLongMult(x,x,x,x,x)+60j
					; RtlLongLongMult(x,x,x,x,x)+66j
		neg	eax
		adc	ecx, 0
		neg	ecx

loc_650138:				; CODE XREF: RtlLongLongMult(x,x,x,x,x)+72j
		mov	[esi], eax
		jmp	short loc_65015C
; 

loc_65013C:				; CODE XREF: RtlLongLongMult(x,x,x,x,x)+4Cj
					; RtlLongLongMult(x,x,x,x,x)+52j
		mov	ecx, [ebp+var_4]
		mov	edi, [ebp+var_8]
		cmp	ecx, 7FFFFFFFh
		jb	short loc_65015A
		push	0FFFFFFFFh
		pop	eax
		ja	short loc_650153
		cmp	edi, eax
		jbe	short loc_65015A

loc_650153:				; CODE XREF: RtlLongLongMult(x,x,x,x,x)+90j
		mov	edx, 0C0000095h
		jmp	short loc_650164
; 

loc_65015A:				; CODE XREF: RtlLongLongMult(x,x,x,x,x)+8Bj
					; RtlLongLongMult(x,x,x,x,x)+94j
		mov	[esi], edi

loc_65015C:				; CODE XREF: RtlLongLongMult(x,x,x,x,x)+7Dj
		mov	[esi+4], ecx
		jmp	short loc_650169
; 

loc_650161:				; CODE XREF: RtlLongLongMult(x,x,x,x,x)+48j
		or	eax, 0FFFFFFFFh

loc_650164:				; CODE XREF: RtlLongLongMult(x,x,x,x,x)+9Bj
		mov	[esi+4], eax
		mov	[esi], eax

loc_650169:				; CODE XREF: RtlLongLongMult(x,x,x,x,x)+A2j
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	10h
_RtlLongLongMult@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopLockGetDoDevicePowerState(x)
_PopLockGetDoDevicePowerState@4	proc near
					; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+87p
					; NtGetDevicePowerState(x,x)+8Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PopIrpSerialLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, [esi+8]
		shr	esi, 4
		and	esi, 0Fh
		test	ds:byte_70EFC6,	1
		jz	short loc_6501AE
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6501B3
; 

loc_6501AE:				; CODE XREF: PopLockGetDoDevicePowerState(x)+2Ej
		xor	eax, eax
		lock and [edi],	eax

loc_6501B3:				; CODE XREF: PopLockGetDoDevicePowerState(x)+3Aj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_PopLockGetDoDevicePowerState@4	endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerActionWatchdog(x, x, x, x)
_PopPowerActionWatchdog@16 proc	near	; CODE XREF: PopSetPowerActionWatchdogState+8BA50p
					; DATA XREF: PopWatchdogInit()+37o
		mov	eax, ds:dword_6C281C
		push	ebx
		cmp	eax, 1
		jnz	short loc_6501D4
		mov	ebx, 0F0h
		jmp	short loc_6501E6
; 

loc_6501D4:				; CODE XREF: PopPowerActionWatchdog(x,x,x,x)+9j
		xor	ebx, ebx
		cmp	eax, 2
		setnz	bl
		dec	ebx
		and	ebx, 0E2h
		add	ebx, 0Fh

loc_6501E6:				; CODE XREF: PopPowerActionWatchdog(x,x,x,x)+10j
		push	0
		xor	edx, edx
		xor	ecx, ecx
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		mov	eax, ds:dword_6C251C
		test	eax, eax
		jnz	short loc_65022D
		mov	eax, ds:dword_6C2828
		test	eax, eax
		jnz	short loc_65022D
		mov	eax, ds:dword_6C282C
		test	eax, eax
		jnz	short loc_65022D
		mov	eax, ds:dword_6C2830
		test	eax, eax
		jnz	short loc_65022D
		mov	eax, ds:_PopTransitionLockOwnerThread
		test	eax, eax
		jnz	short loc_65022D
		mov	eax, ds:_PopPolicyLockThread
		test	eax, eax
		jnz	short loc_65022D
		mov	eax, large fs:124h

loc_65022D:				; CODE XREF: PopPowerActionWatchdog(x,x,x,x)+36j
					; PopPowerActionWatchdog(x,x,x,x)+3Fj ...
		push	eax
		push	ds:_PopSleepCheckpoint
		push	ds:dword_6C26E0
		push	ebx
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall PopUserShutdownDelayDpcCallback(x, x, x, x)
_PopUserShutdownDelayDpcCallback@16:	; DATA XREF: PoUserShutdownInitiated+85o
		xor	eax, eax
		mov	ecx, offset _PopUserShutdown
		inc	eax
		xchg	eax, [ecx]
		test	eax, eax
		jnz	short locret_650260
		push	1
		push	offset _PopUserShutdownDelayWorker
		call	ExQueueWorkItem

locret_650260:				; CODE XREF: PopPowerActionWatchdog(x,x,x,x)+90j
		retn	10h
_PopPowerActionWatchdog@16 endp	; sp = -18h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFireThermalWmiEvent(x)
_PopFireThermalWmiEvent@4 proc near	; CODE XREF: PopThermalWorker+8AC69p

var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		stosd
		mov	byte ptr [ebp+var_10], cl
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, large fs:20h
		mov	bl, al
		lea	eax, [ebp+var_10]
		add	ecx, 3E40h
		push	eax		; void *
		push	10h		; size_t
		mov	edx, (offset loc_42E0E4+4)
		call	_PpmFireWmiEvent@16 ; PpmFireWmiEvent(x,x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	ebx
		leave
		retn
_PopFireThermalWmiEvent@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopThermalCsEntry(x)
_PopThermalCsEntry@4 proc near		; CODE XREF: PopPowerAggregatorActiveToScreenOffStateHandler(x)+75p
		mov	edi, edi
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	bl, cl
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopSystemThermalInfo
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ds:dword_6C1F84, eax
		mov	byte ptr ds:word_6C1F88, 0
		test	bl, bl
		jz	short loc_650307
		mov	ds:byte_6C1F95,	1
		call	KeQueryInterruptTime
		mov	cl, ds:byte_6C1F94
		mov	ds:dword_6C1F98, eax
		mov	ds:dword_6C1F9C, edx
		call	_PopTraceThermalStandbyInitiated@4 ; PopTraceThermalStandbyInitiated(x)

loc_650307:				; CODE XREF: PopThermalCsEntry(x)+37j
		cmp	ds:dword_6C1F8C, 0
		jnz	short loc_650317
		xor	ecx, ecx
		call	PopThermalStandbyEndTracking

loc_650317:				; CODE XREF: PopThermalCsEntry(x)+62j
		cmp	ds:dword_6C1F84, 0
		jz	short loc_650327
		and	ds:dword_6C1F84, 0

loc_650327:				; CODE XREF: PopThermalCsEntry(x)+72j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	edx, edx
		mov	ecx, offset unk_6C2018
		inc	edx
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)
		pop	esi
		pop	ebx
		pop	ecx
		retn
_PopThermalCsEntry@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopThermalCsExit()
_PopThermalCsExit@0 proc near		; CODE XREF: PopPowerAggregatorDisplayPoweringOnStateHandler(x)+6Bp
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopSystemThermalInfo
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	ecx, ecx
		inc	ecx
		mov	ds:dword_6C1F84, eax
		call	PopThermalStandbyEndTracking
		cmp	ds:dword_6C1F8C, 0
		mov	byte ptr ds:word_6C1F88, 1
		jbe	short loc_650398
		mov	cl, 1
		call	_PopThermalStandbyNotify@4 ; PopThermalStandbyNotify(x)
		mov	ds:word_6C1F88,	100h
		jmp	short loc_6503AF
; 

loc_650398:				; CODE XREF: PopThermalCsExit()+3Ej
		cmp	byte ptr ds:word_6C1F88+1, 0
		jz	short loc_6503AF
		xor	cl, cl
		call	_PopThermalStandbyNotify@4 ; PopThermalStandbyNotify(x)
		mov	byte ptr ds:word_6C1F88+1, 0

loc_6503AF:				; CODE XREF: PopThermalCsExit()+50j
					; PopThermalCsExit()+59j
		cmp	ds:dword_6C1F84, 0
		jz	short loc_6503BF
		and	ds:dword_6C1F84, 0

loc_6503BF:				; CODE XREF: PopThermalCsExit()+70j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	edx, edx
		mov	ecx, offset unk_6C2018
		inc	edx
		pop	esi
		jmp	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)
_PopThermalCsExit@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopThermalStandbyNotify(x)
_PopThermalStandbyNotify@4 proc	near	; CODE XREF: PopCheckAndHandleThermalConditions+82B74p
					; PopCheckAndHandleThermalConditions+82BACp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		xor	esi, esi
		test	cl, cl
		jz	short loc_6503FB
		mov	ecx, offset _POP_ETW_EVENT_THERMAL_STANDBY_NOTIFICATION
		mov	[ebp+var_4], 1
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		jmp	short loc_6503FE
; 

loc_6503FB:				; CODE XREF: PopThermalStandbyNotify(x)+Bj
		mov	[ebp+var_4], esi

loc_6503FE:				; CODE XREF: PopThermalStandbyNotify(x)+1Ej
		push	esi
		push	esi
		push	esi
		push	esi
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	offset _WNF_PO_THERMAL_STANDBY
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		pop	esi
		leave
		retn
_PopThermalStandbyNotify@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopThermalTelemetryCallback(x, x)
_PopThermalTelemetryCallback@8 proc near ; DATA	XREF: PopThermalInit()+15o
		xor	edx, edx
		mov	ecx, offset unk_6C2018
		inc	edx
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)
		retn	8
_PopThermalTelemetryCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopThermalTelemetryWorker(x)
_PopThermalTelemetryWorker@4 proc near	; DATA XREF: PopThermalInit()+Fo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExAcquirePushLockSharedEx
		mov	esi, ds:_PopThermal
		jmp	short loc_6504CA
; 

loc_650451:				; CODE XREF: PopThermalTelemetryWorker(x)+ABj
		mov	eax, large fs:124h
		lea	edi, [esi+150h]
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+4], eax
		cmp	byte ptr [esi+71h], 0
		jz	short loc_650492
		mov	dl, [esi+30h]
		lea	ecx, [esi+180h]
		call	_PopThermalUpdatePassiveTimeTracking@8 ; PopThermalUpdatePassiveTimeTracking(x,x)
		mov	ecx, esi
		call	PopTraceThermalZonePassiveHistogram

loc_650492:				; CODE XREF: PopThermalTelemetryWorker(x)+56j
		cmp	byte ptr [esi+181h], 0
		jbe	short loc_6504B0
		mov	dl, [esi+25h]
		lea	ecx, [esi+180h]
		call	_PopThermalUpdateActiveTimeTracking@8 ;	PopThermalUpdateActiveTimeTracking(x,x)
		mov	ecx, esi
		call	PopTraceThermalZoneActiveActivity

loc_6504B0:				; CODE XREF: PopThermalTelemetryWorker(x)+74j
		cmp	dword ptr [edi+4], 0
		jz	short loc_6504BA
		and	dword ptr [edi+4], 0

loc_6504BA:				; CODE XREF: PopThermalTelemetryWorker(x)+8Fj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	esi, [esi]

loc_6504CA:				; CODE XREF: PopThermalTelemetryWorker(x)+2Aj
		cmp	esi, offset _PopThermal
		jnz	loc_650451
		cmp	ds:dword_6C2044, 0
		jz	short loc_6504E6
		and	ds:dword_6C2044, 0

loc_6504E6:				; CODE XREF: PopThermalTelemetryWorker(x)+B8j
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		call	_PopCoolingTelemetryWorker@0 ; PopCoolingTelemetryWorker()
		xor	eax, eax
		mov	ecx, offset unk_6C2028
		xchg	eax, [ecx]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_PopThermalTelemetryWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopThermalWriteShutdownToRegistry(x, x)
_PopThermalWriteShutdownToRegistry@8 proc near
					; CODE XREF: PopCheckAndHandleThermalConditions:loc_5F8710p
					; PopThermalProcessUsermodeEvent(x)+5Dp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], esi
		lea	edx, [ebp+var_4]
		mov	[ebp+var_10], esi
		xor	cl, cl
		mov	[ebp+var_C], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		call	PopOpenThermalLoggingKey
		test	eax, eax
		js	loc_6505D5
		push	offset _PopThermalShutdownOccurredName
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	(offset	loc_408B0F+1)
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _PopThermalShutdownTemperatureName
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], 1
		push	eax
		push	4
		push	esi
		mov	esi, [ebp+var_4]
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		cmp	ds:_PopThermalCriticalShutdownReported,	0
		jnz	short loc_6505C4
		test	edi, edi
		jz	short loc_6505AF
		movzx	eax, word ptr [edi+2]
		push	eax
		push	dword ptr [edi+4]
		lea	eax, [ebp+var_18]
		push	1
		push	0
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_6505AF:				; CODE XREF: PopThermalWriteShutdownToRegistry(x,x)+8Aj
		test	ebx, ebx
		jz	short loc_6505C4
		push	4
		push	ebx
		push	4
		push	0
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_6505C4:				; CODE XREF: PopThermalWriteShutdownToRegistry(x,x)+86j
					; PopThermalWriteShutdownToRegistry(x,x)+A4j
		mov	ds:_PopThermalCriticalShutdownReported,	1
		test	esi, esi
		jz	short loc_6505D5
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_6505D5:				; CODE XREF: PopThermalWriteShutdownToRegistry(x,x)+32j
					; PopThermalWriteShutdownToRegistry(x,x)+C0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopThermalWriteShutdownToRegistry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopThermalZoneTimerCallback(x, x)
_PopThermalZoneTimerCallback@8 proc near ; DATA	XREF: PopThermalZoneAdd+21o
					; PopThermalZoneAdd+A2355o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	dword ptr [eax+1Ch]
		call	IoCancelIrp
		pop	ebp
		retn	8
_PopThermalZoneTimerCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoDiagTraceIRTimerSleepStudyRundown(x, x, x)
_PoDiagTraceIRTimerSleepStudyRundown@12	proc near
					; CODE XREF: ExStopRecordingIRTimerExpiries()+39p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	word ptr [ebp+var_38], dx
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], edi
		jz	short loc_650696
		push	ebx
		mov	ebx, offset _POP_ETW_DEEP_SLEEP_IR_TIMER_DATA
		push	ebx
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_650695
		push	esi
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_44]
		mov	[ebp+var_30], edi
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_14], eax
		movzx	eax, word ptr [ebp+var_40]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edi
		push	ebx
		push	ds:dword_6C1D74
		mov	[ebp+var_2C], 4
		push	ds:_PopDiagHandle
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], 2
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_650695:				; CODE XREF: PoDiagTraceIRTimerSleepStudyRundown(x,x,x)+49j
		pop	ebx

loc_650696:				; CODE XREF: PoDiagTraceIRTimerSleepStudyRundown(x,x,x)+2Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PoDiagTraceIRTimerSleepStudyRundown@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoTraceDynamicTickDisabled()
_PoTraceDynamicTickDisabled@0 proc near	; CODE XREF: KeInitializeClock:loc_AE67EDp

var_19		= dword	ptr -19h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	al, byte ptr ds:_KiDynamicTickDisableReason
		push	ebx
		push	esi
		push	edi
		mov	byte ptr [ebp+var_19], al
		jz	short loc_65070F
		mov	esi, ds:dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_DYNAMIC_TICK_DISABLED
		mov	edi, ds:_PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_65070F
		lea	eax, [ebp+var_19]
		xor	edx, edx
		mov	[ebp+var_19+1],	eax
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_14], edx
		lea	eax, [ebp+var_19+1]
		mov	[ebp+var_10], ecx
		push	eax
		push	ecx
		push	edx
		push	edx
		push	ecx
		push	edx
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		call	EtwWriteEx

loc_65070F:				; CODE XREF: PoTraceDynamicTickDisabled()+24j
					; PoTraceDynamicTickDisabled()+41j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PoTraceDynamicTickDisabled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoTraceForceIdleReset(x)
_PoTraceForceIdleReset@4 proc near	; CODE XREF: KiResetForceIdle(x,x)+C8p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		cmp	ds:dword_6B23F8, 5
		push	edi
		mov	[ebp+var_50], esi
		jbe	short loc_650782
		push	4000h
		mov	edi, offset dword_6B23F8
		push	ebx
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_650782
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_4C], esi
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	3
		push	ebx
		push	ebx
		push	offset loc_41E4B1
		push	edi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], 4
		mov	[ebp+var_1C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_650782:				; CODE XREF: PoTraceForceIdleReset(x)+23j
					; PoTraceForceIdleReset(x)+39j
		cmp	ds:_PopDiagHandleRegistered, bl
		jz	short loc_6507CC
		mov	esi, ds:dword_6C1D74
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_FORCEIDLE_RESET
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_6507CC
		lea	eax, [ebp+var_50]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	1
		push	ebx
		push	offset _POP_ETW_FORCEIDLE_RESET
		push	esi
		push	edi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6507CC:				; CODE XREF: PoTraceForceIdleReset(x)+6Aj
					; PoTraceForceIdleReset(x)+86j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PoTraceForceIdleReset@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoTraceForceIdleStateChange(x, x)
_PoTraceForceIdleStateChange@8 proc near ; CODE	XREF: KiUpdateTime+12ED96p
					; KiCheckAndRearmForceIdle+CCC3Cp ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ecx
		jz	short loc_650851
		push	ebx
		push	esi
		mov	esi, ds:dword_6C1D74
		mov	ebx, offset _POP_ETW_FORCEIDLE_STATE_CHANGE
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_65084E
		push	4
		pop	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		xor	edx, edx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65084E:				; CODE XREF: PoTraceForceIdleStateChange(x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx

loc_650851:				; CODE XREF: PoTraceForceIdleStateChange(x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PoTraceForceIdleStateChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCalculateCsSummary(x, x)
_PopCalculateCsSummary@8 proc near	; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+4F3p

var_F8		= dword	ptr -0F8h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_D8		= dword	ptr -0D8h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 0FCh
		push	esi
		push	edi
		mov	[ebp+var_40], ecx
		lea	edi, [ebp+var_F8]
		push	8
		xor	eax, eax
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_D8]
		stosd
		push	8
		pop	ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_C8]
		mov	[ebp+var_38], eax
		rep stosd
		lea	ecx, [ebp+var_C8]
		mov	[ebp+var_34], eax
		mov	byte ptr [ebp+var_4+2],	al
		call	_PopCalculateIdleInformation@4 ; PopCalculateIdleInformation(x)
		lea	ecx, [ebp+var_A8]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	esi, eax
		mov	edi, edx
		mov	ecx, esi
		mov	[ebp+var_C], esi
		sub	ecx, ds:dword_6D44C8
		mov	eax, edi
		push	0
		sbb	eax, ds:dword_6D44CC
		push	0Ah
		push	eax
		push	ecx
		mov	[ebp+var_10], edi
		call	__aulldiv
		mov	[ebp+var_18], edx
		xor	cl, cl
		lea	edx, [ebp+var_38]
		mov	[ebp+var_14], eax
		call	_PopGetModernStandbyTransitionReason@8 ; PopGetModernStandbyTransitionReason(x,x)
		mov	edx, [ebp+var_34]
		cmp	edx, ds:dword_6D44CC
		jb	short loc_65092A
		mov	eax, [ebp+var_38]
		ja	short loc_65090F
		cmp	eax, ds:dword_6D44C8
		jbe	short loc_65092A

loc_65090F:				; CODE XREF: PopCalculateCsSummary(x,x)+A8j
		mov	ecx, esi
		sub	ecx, eax
		mov	eax, edi
		push	0
		push	0Ah
		sbb	eax, edx
		push	eax
		push	ecx
		call	__aulldiv
		mov	[ebp+var_48], eax
		mov	[ebp+var_4C], edx
		jmp	short loc_650932
; 

loc_65092A:				; CODE XREF: PopCalculateCsSummary(x,x)+A3j
					; PopCalculateCsSummary(x,x)+B0j
		and	[ebp+var_48], 0
		and	[ebp+var_4C], 0

loc_650932:				; CODE XREF: PopCalculateCsSummary(x,x)+CBj
		lea	ecx, [ebp+var_F8]
		call	_PopCurrentPowerState@4	; PopCurrentPowerState(x)
		mov	esi, [ebp+var_14]
		mov	eax, esi
		mov	edi, [ebp+var_18]
		or	eax, edi
		jz	short loc_650968
		mov	edx, [ebp+var_EC]
		mov	ecx, ds:_PopCsConsumption
		push	edi
		push	esi
		call	_PopBatteryGetEnergyDrainFromDischage@8	; PopBatteryGetEnergyDrainFromDischage(x,x)
		mov	ecx, eax
		call	_PopBatteryCapacityToRate@12 ; PopBatteryCapacityToRate(x,x,x)
		mov	[ebp+var_3C], eax
		jmp	short loc_65096C
; 

loc_650968:				; CODE XREF: PopCalculateCsSummary(x,x)+EAj
		and	[ebp+var_3C], 0

loc_65096C:				; CODE XREF: PopCalculateCsSummary(x,x)+109j
		mov	edx, offset _CsSessionEnergyCounter
		lea	ecx, [ebp+var_D8]
		call	PopMeasureEnergyChange
		mov	ecx, ds:dword_6C2564
		mov	[ebp+var_94], ecx
		test	ecx, ecx
		jz	short loc_650999
		imul	eax, ds:dword_6C2568, 64h
		xor	edx, edx
		div	ecx
		jmp	short loc_65099B
; 

loc_650999:				; CODE XREF: PopCalculateCsSummary(x,x)+12Dj
		xor	al, al

loc_65099B:				; CODE XREF: PopCalculateCsSummary(x,x)+13Aj
		mov	byte ptr [ebp+var_4+3],	al
		mov	eax, ds:dword_6C2558
		and	eax, 40000000h
		neg	eax
		push	edi
		sbb	eax, eax
		not	eax
		and	eax, ds:dword_6C2568
		mov	[ebp+var_98], eax
		mov	eax, [ebp+var_C0]
		sub	eax, ds:dword_6D44D0
		push	esi
		push	[ebp+var_B4]
		mov	[ebp+var_A0], eax
		push	[ebp+var_B8]
		mov	eax, [ebp+var_BC]
		sbb	eax, ds:dword_6D44D4
		push	ds:dword_6D455C
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+var_B0]
		sub	eax, ds:dword_6D44E0
		push	ds:dword_6D4558
		mov	[ebp+var_68], eax
		call	_PopCalculateTotalHwDripsResidency@24 ;	PopCalculateTotalHwDripsResidency(x,x,x,x,x,x)
		mov	ecx, ds:dword_6D44DC
		mov	[ebp+var_88], eax
		mov	eax, ds:dword_6D44D8
		sub	eax, [ebp+var_C8]
		mov	[ebp+var_8C], edx
		sbb	ecx, [ebp+var_C4]
		add	eax, esi
		mov	[ebp+var_60], eax
		adc	ecx, edi
		mov	[ebp+var_64], ecx

loc_650A36:				; CODE XREF: PopCalculateCsSummary(x,x)+209j
					; PopCalculateCsSummary(x,x)+20Dj
		mov	edi, ds:dword_6D4600
		mov	eax, edi
		mov	esi, ds:dword_6D4604
		mov	edx, esi
		mov	[ebp+var_44], edi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_8], offset dword_6D4600
		nop
		push	ebx
		mov	ecx, esi
		mov	ebx, edi
		mov	esi, [ebp+var_8]
		lock cmpxchg8b qword ptr [esi]
		pop	ebx
		nop
		mov	esi, ecx
		cmp	eax, edi
		jnz	short loc_650A36
		cmp	edx, esi
		jnz	short loc_650A36
		mov	eax, edi
		or	eax, esi
		jz	short loc_650A8F
		sub	edi, ds:dword_6D44C8
		push	0
		sbb	esi, ds:dword_6D44CC
		push	0Ah
		push	esi
		push	edi
		call	__aulldiv
		mov	[ebp+var_44], eax
		mov	[ebp+var_1C], edx

loc_650A8F:				; CODE XREF: PopCalculateCsSummary(x,x)+213j
		mov	eax, ds:dword_70ED2C
		push	0
		push	0F4240h
		push	eax
		mov	[ebp+var_20], eax
		mov	eax, ds:_PopQpcFrequency
		push	eax
		push	ds:dword_6D4504
		mov	[ebp+var_24], eax
		push	ds:dword_6D4500
		call	PpmConvertTime
		mov	esi, ds:dword_6D4510
		mov	ecx, [ebp+var_18]
		sub	esi, eax
		mov	edi, ds:dword_6D451C
		mov	[ebp+var_6C], esi
		mov	esi, ds:dword_6D4514
		sbb	esi, edx
		mov	edx, [ebp+var_14]
		sub	edx, ds:dword_6D4510
		mov	[ebp+var_70], esi
		sbb	ecx, ds:dword_6D4514
		mov	esi, ds:dword_6D4524
		mov	[ebp+var_80], ecx
		mov	ecx, ds:dword_6D4518
		mov	eax, ecx
		or	eax, edi
		mov	[ebp+var_7C], edx
		mov	edx, ds:dword_6D4520
		jz	short loc_650B3A
		mov	eax, ds:dword_6D44CC
		mov	[ebp+var_8], eax
		cmp	eax, edi
		jb	short loc_650B2C
		ja	short loc_650B1B
		cmp	ds:dword_6D44C8, ecx
		jbe	short loc_650B2C

loc_650B1B:				; CODE XREF: PopCalculateCsSummary(x,x)+2B4j
		mov	eax, [ebp+var_C]
		sub	eax, ds:dword_6D44C8
		mov	ecx, [ebp+var_10]
		sbb	ecx, [ebp+var_8]
		jmp	short loc_650B36
; 

loc_650B2C:				; CODE XREF: PopCalculateCsSummary(x,x)+2B2j
					; PopCalculateCsSummary(x,x)+2BCj
		mov	eax, [ebp+var_C]
		sub	eax, ecx
		mov	ecx, [ebp+var_10]
		sbb	ecx, edi

loc_650B36:				; CODE XREF: PopCalculateCsSummary(x,x)+2CDj
		add	edx, eax
		adc	esi, ecx

loc_650B3A:				; CODE XREF: PopCalculateCsSummary(x,x)+2A6j
		push	0
		push	0Ah
		push	esi
		push	edx
		call	__aulldiv
		mov	esi, [ebp+var_20]
		mov	edi, [ebp+var_24]
		push	0
		push	0F4240h
		push	esi
		push	edi
		push	ds:dword_6D4534
		mov	[ebp+var_10], eax
		push	ds:dword_6D4530
		mov	[ebp+var_C], edx
		call	PpmConvertTime
		push	0
		push	0F4240h
		push	esi
		push	edi
		push	ds:dword_6D4544
		mov	[ebp+var_24], eax
		push	ds:dword_6D4540
		mov	[ebp+var_20], edx
		call	PpmConvertTime
		mov	[ebp+var_78], edx
		xor	cl, cl
		xor	edx, edx
		mov	[ebp+var_74], eax
		call	_PopGetModernStandbyTransitionReason@8 ; PopGetModernStandbyTransitionReason(x,x)
		movzx	ecx, ds:byte_6D4580
		lea	edx, [ebp+var_30]
		mov	[ebp+var_84], eax
		xor	eax, eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_9C], ecx
		mov	ecx, ds:dword_6D4640
		push	eax
		call	_PpmGetPlatformSelectionVetoCounts@12 ;	PpmGetPlatformSelectionVetoCounts(x,x,x)
		mov	ecx, [ebp+var_30]
		sub	ecx, ds:dword_6D4560
		mov	esi, ds:dword_6D44E8
		mov	eax, esi
		mov	edi, ds:dword_6D44EC
		mov	[ebp+var_90], ecx
		mov	ecx, [ebp+var_2C]
		sbb	ecx, ds:dword_6D4564
		mov	[ebp+var_A4], ecx
		mov	ecx, [ebp+var_58]
		sub	ecx, ds:dword_6D4568
		mov	[ebp+var_2C], ecx
		mov	ecx, [ebp+var_54]
		sbb	ecx, ds:dword_6D456C
		or	eax, edi
		mov	[ebp+var_34], ecx
		jz	short loc_650C39
		mov	eax, ds:dword_6D44F4
		push	64h
		pop	ecx
		mul	ecx
		push	64h
		pop	edx
		mov	ecx, eax
		mov	eax, ds:dword_6D44F0
		mul	edx
		push	edi
		push	esi
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	byte ptr [ebp+var_4+2],	al

loc_650C39:				; CODE XREF: PopCalculateCsSummary(x,x)+3B6j
		and	[ebp+var_8], 0
		lea	ecx, [ebp+var_8]
		call	_PopQueryInputSuppressionCount@4 ; PopQueryInputSuppressionCount(x)
		mov	eax, [ebp+var_40]
		lea	esi, [ebp+var_D8]
		mov	edx, [ebp+var_8]
		sub	edx, ds:dword_6D45B8
		mov	ecx, [ebp+var_3C]
		lea	edi, [eax+8]
		mov	[eax], ecx
		movsd
		mov	ecx, [ebp+var_9C]
		and	cl, 1
		movsd
		movsd
		movsd
		mov	esi, eax
		mov	eax, [ebp+var_94]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_98]
		mov	[esi+1Ch], eax
		mov	eax, [ebp+var_14]
		mov	[esi+20h], eax
		mov	eax, [ebp+var_18]
		mov	[esi+24h], eax
		mov	eax, [ebp+var_A0]
		mov	[esi+28h], eax
		mov	eax, [ebp+var_5C]
		mov	[esi+2Ch], eax
		mov	eax, [ebp+var_60]
		mov	[esi+30h], eax
		mov	eax, [ebp+var_64]
		mov	[esi+34h], eax
		mov	eax, [ebp+var_68]
		mov	[esi+38h], eax
		mov	eax, [ebp+var_44]
		mov	[esi+40h], eax
		mov	eax, [ebp+var_1C]
		mov	[esi+44h], eax
		mov	eax, [ebp+var_6C]
		mov	[esi+48h], eax
		mov	eax, [ebp+var_70]
		mov	[esi+4Ch], eax
		mov	eax, [ebp+var_10]
		mov	[esi+58h], eax
		mov	eax, [ebp+var_C]
		mov	[esi+5Ch], eax
		mov	eax, [ebp+var_24]
		mov	[esi+60h], eax
		mov	eax, [ebp+var_20]
		mov	[esi+64h], eax
		mov	eax, [ebp+var_74]
		mov	[esi+68h], eax
		mov	eax, [ebp+var_78]
		mov	[esi+6Ch], eax
		mov	eax, [ebp+var_7C]
		mov	[esi+50h], eax
		mov	eax, [ebp+var_80]
		mov	[esi+54h], eax
		mov	eax, [ebp+var_84]
		mov	[esi+74h], eax
		mov	eax, [ebx+8]
		mov	[esi+78h], eax
		mov	eax, [ebp+var_88]
		mov	[esi+80h], eax
		mov	eax, [ebp+var_8C]
		mov	[esi+84h], eax
		mov	eax, [ebp+var_90]
		mov	[esi+88h], eax
		mov	eax, [ebp+var_A4]
		mov	[esi+8Ch], eax
		mov	eax, [ebp+var_2C]
		mov	[esi+90h], eax
		mov	eax, [ebp+var_34]
		mov	[esi+94h], eax
		mov	al, byte ptr [ebp+var_4+2]
		mov	[esi+0A0h], al
		mov	al, byte ptr [ebp+var_4+3]
		add	al, al
		xor	al, cl
		mov	[esi+7Ch], al
		mov	eax, [ebp+var_48]
		mov	[esi+98h], eax
		mov	eax, [ebp+var_4C]
		mov	[esi+9Ch], eax
		mov	al, [esi+7Dh]
		xor	al, ds:byte_6D4581
		and	al, 1
		xor	[esi+7Dh], al
		mov	al, [esi+7Dh]
		mov	cl, al
		xor	cl, ds:byte_6D4581
		and	cl, 2
		xor	cl, al
		mov	[esi+7Dh], cl
		mov	al, cl
		xor	al, ds:byte_6D4581
		and	al, 4
		xor	al, cl
		mov	[esi+7Dh], al
		mov	eax, ds:dword_6D4570
		mov	[esi+0A4h], eax
		mov	eax, ds:dword_6D4574
		mov	[esi+0A8h], eax
		mov	al, ds:byte_6D4578
		mov	[esi+0ACh], al
		mov	eax, ds:dword_6D457C
		mov	[esi+0B0h], eax
		mov	eax, ds:dword_6D4584
		mov	[esi+0B4h], eax
		mov	eax, ds:dword_6D4588
		mov	[esi+0B8h], eax
		mov	al, ds:byte_6D458C
		mov	[esi+0BCh], al
		mov	eax, [ebp+var_EC]
		mov	[esi+0C0h], eax
		mov	eax, [ebp+var_F0]
		mov	[esi+0C4h], eax
		mov	al, ds:byte_6D4594
		mov	[esi+0CCh], al
		mov	al, ds:byte_6D4595
		mov	[esi+0CDh], al
		mov	eax, ds:dword_6D4598
		mov	[esi+0D0h], eax
		mov	eax, ds:dword_6D459C
		mov	[esi+0D4h], eax
		mov	[esi+0D8h], edx
		mov	eax, ds:dword_6D4548
		mov	[esi+0E0h], eax
		mov	eax, ds:dword_6D454C
		mov	[esi+0E4h], eax
		mov	eax, ds:dword_6D4550
		mov	[esi+0E8h], eax
		mov	eax, ds:dword_6D4554
		mov	[esi+0ECh], eax
		mov	eax, ds:dword_6D45BC
		mov	[esi+108h], eax
		mov	eax, ds:dword_6D45C0
		mov	[esi+10Ch], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset dword_6C20F8
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:dword_6C20E8
		mov	[esi+0F8h], ecx
		mov	ecx, ds:dword_6C20EC
		mov	[esi+0FCh], ecx
		mov	ecx, ds:dword_6C20F0
		mov	[esi+0F0h], ecx
		mov	eax, ds:dword_6C20F4
		mov	[esi+0F4h], eax
		mov	eax, ds:_PopDisplayOnPerformance
		mov	[esi+100h], eax
		mov	eax, ds:dword_6C20E4
		mov	[esi+104h], eax
		test	ds:byte_70EFC6,	1
		jz	short loc_650EE3
		mov	edx, [ebx+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_650EE8
; 

loc_650EE3:				; CODE XREF: PopCalculateCsSummary(x,x)+678j
		xor	eax, eax
		lock and [edi],	eax

loc_650EE8:				; CODE XREF: PopCalculateCsSummary(x,x)+684j
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
_PopCalculateCsSummary@8 endp ;	sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCalculateIdleInformation(x)
_PopCalculateIdleInformation@4 proc near ; CODE	XREF: PopCalculateCsSummary(x,x)+55p
					; PopCaptureSleepStudyStatistics(x,x,x,x)+ECp ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		mov	edi, ds:_PpmPlatformStates
		mov	[ebp+var_2C], esi
		test	edi, edi
		jnz	short loc_650F21
		mov	edi, ecx
		mov	[ebp+var_20], ecx
		mov	ebx, ecx
		jmp	short loc_650F2D
; 

loc_650F21:				; CODE XREF: PopCalculateIdleInformation(x)+1Aj
		mov	edi, [edi+20h]
		mov	eax, [edi+8]
		mov	ebx, [edi+4]
		mov	[ebp+var_20], eax

loc_650F2D:				; CODE XREF: PopCalculateIdleInformation(x)+23j
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], ecx
		mov	ecx, ds:dword_6D4640
		call	_PpmQueryPlatformStateResidency@8 ; PpmQueryPlatformStateResidency(x,x)
		mov	ecx, eax
		mov	[ebp+var_18], eax
		and	ecx, edx
		mov	[ebp+var_1C], edx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_650F64
		push	0
		push	0Ah
		push	edx
		push	eax
		call	__aulldiv
		mov	[ebp+var_18], eax
		mov	[ebp+var_1C], edx

loc_650F64:				; CODE XREF: PopCalculateIdleInformation(x)+55j
		mov	eax, ds:dword_6D4640
		xor	ecx, ecx
		and	[ebp+var_24], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_28], eax
		test	ebx, ebx
		jz	short loc_650FCE
		mov	esi, [ebp+var_24]
		add	edi, 20h

loc_650F7E:				; CODE XREF: PopCalculateIdleInformation(x)+CDj
		push	0
		push	0F4240h
		push	ds:dword_70ED2C
		push	ds:_PopQpcFrequency
		push	dword ptr [edi+1Ch]
		push	dword ptr [edi+18h]
		call	PpmConvertTime
		mov	ecx, eax
		mov	eax, [ebp+var_28]
		add	[ebp+var_8], ecx
		adc	[ebp+var_C], edx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_650FBD
		cmp	esi, eax
		jnz	short loc_650FBD
		mov	[ebp+var_10], ecx
		mov	ecx, [edi]
		mov	[ebp+var_14], edx
		mov	[ebp+var_4], ecx
		jmp	short loc_650FC0
; 

loc_650FBD:				; CODE XREF: PopCalculateIdleInformation(x)+AEj
					; PopCalculateIdleInformation(x)+B2j
		mov	ecx, [ebp+var_4]

loc_650FC0:				; CODE XREF: PopCalculateIdleInformation(x)+BFj
		inc	esi
		add	edi, 3F0h
		cmp	esi, ebx
		jb	short loc_650F7E
		mov	esi, [ebp+var_2C]

loc_650FCE:				; CODE XREF: PopCalculateIdleInformation(x)+7Aj
		mov	eax, [ebp+var_8]
		mov	[esi], eax
		mov	eax, [ebp+var_C]
		mov	[esi+4], eax
		mov	eax, [ebp+var_10]
		mov	[esi+8], eax
		mov	eax, [ebp+var_14]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_18]
		mov	[esi+10h], eax
		mov	eax, [ebp+var_1C]
		mov	[esi+14h], eax
		mov	eax, [ebp+var_20]
		pop	edi
		mov	[esi+18h], ecx
		mov	[esi+1Ch], eax
		pop	esi
		pop	ebx
		leave
		retn
_PopCalculateIdleInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCalculateTotalHwDripsResidency(x, x, x, x, x, x)
_PopCalculateTotalHwDripsResidency@24 proc near	; CODE XREF: PopCalculateCsSummary(x,x)+1A7p
					; PopSleepstudyCaptureResiliencyStatistics(x,x,x,x)+90p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	eax, [ebp+arg_4]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_65104A
		mov	ecx, [ebp+arg_8]
		mov	eax, ecx
		mov	edx, [ebp+arg_C]
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_65104A
		cmp	edx, [ebp+arg_4]
		jb	short loc_651044
		ja	short loc_65102A
		cmp	ecx, [ebp+arg_0]
		jb	short loc_651044

loc_65102A:				; CODE XREF: PopCalculateTotalHwDripsResidency(x,x,x,x,x,x)+24j
		sub	ecx, [ebp+arg_0]
		sbb	edx, [ebp+arg_4]
		cmp	edx, [ebp+arg_14]
		jb	short loc_651050
		ja	short loc_65103C
		cmp	ecx, [ebp+arg_10]
		jbe	short loc_651050

loc_65103C:				; CODE XREF: PopCalculateTotalHwDripsResidency(x,x,x,x,x,x)+36j
		mov	ecx, [ebp+arg_10]
		mov	edx, [ebp+arg_14]
		jmp	short loc_651050
; 

loc_651044:				; CODE XREF: PopCalculateTotalHwDripsResidency(x,x,x,x,x,x)+22j
					; PopCalculateTotalHwDripsResidency(x,x,x,x,x,x)+29j
		xor	ecx, ecx
		mov	edx, ecx
		jmp	short loc_651050
; 

loc_65104A:				; CODE XREF: PopCalculateTotalHwDripsResidency(x,x,x,x,x,x)+Ej
					; PopCalculateTotalHwDripsResidency(x,x,x,x,x,x)+1Dj
		or	ecx, 0FFFFFFFFh
		or	edx, 0FFFFFFFFh

loc_651050:				; CODE XREF: PopCalculateTotalHwDripsResidency(x,x,x,x,x,x)+34j
					; PopCalculateTotalHwDripsResidency(x,x,x,x,x,x)+3Bj ...
		mov	eax, ecx
		pop	ebp
		retn	18h
_PopCalculateTotalHwDripsResidency@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCaptureSleepStudyStatistics(x, x, x, x)
_PopCaptureSleepStudyStatistics@16 proc	near
					; CODE XREF: PopSleepstudyCaptureSessionStatistics(x,x,x,x,x)+12Bp

var_E0		= dword	ptr -0E0h
var_90		= dword	ptr -90h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 0E4h
		push	esi
		push	edi
		push	8
		mov	[ebp+var_C], ecx
		lea	edi, [ebp+var_90]
		pop	ecx
		xor	eax, eax
		mov	esi, edx
		xor	edx, edx
		rep stosd
		push	8
		pop	ecx
		lea	edi, [ebp+var_70]
		mov	[ebp+var_20], edx
		push	4Ch		; size_t
		rep stosd
		push	edx		; int
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_1C], edx
		push	eax		; void *
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], edx
		call	_memset
		xor	eax, eax
		lea	ecx, [ebp+var_90]
		add	esp, 0Ch
		mov	[ebp+var_24], eax
		xor	edx, edx
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	edi, eax
		mov	byte ptr [ebp+var_4+3],	al
		mov	byte ptr [ebp+var_4+2],	al
		mov	[ebp+var_2C], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_28], eax
		call	_PopCurrentPowerStatePrecise@8 ; PopCurrentPowerStatePrecise(x,x)
		push	10h		; size_t
		mov	eax, offset _GUID_SPM_LOW_POWER_CS
		push	eax		; void *
		push	[ebp+var_C]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_651103
		call	_PopIsLockConsoleTimeoutActive@0 ; PopIsLockConsoleTimeoutActive()
		mov	byte ptr [ebp+var_4+2],	al

loc_651103:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+A3j
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		call	KeQueryInterruptTime
		mov	[ebp+var_18], edx
		xor	ecx, ecx
		mov	[ebp+var_14], eax
		mov	edx, offset _GUID_SPM_LOW_POWER_CS

loc_65111A:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+D7j
		mov	eax, [ebp+var_C]
		mov	eax, [eax+ecx*4]
		cmp	eax, [edx+ecx*4]
		jnz	loc_65153A
		inc	ecx
		cmp	ecx, 4
		jnz	short loc_65111A
		mov	eax, [ebx+8]
		lea	ecx, [ebp+var_70]
		mov	ds:_PopWnfCsEnterScenarioId, eax
		mov	eax, [ebx+0Ch]
		mov	ds:dword_6C1D84, eax
		call	_PopCalculateIdleInformation@4 ; PopCalculateIdleInformation(x)
		mov	ecx, ds:dword_6D4640
		lea	eax, [ebp+var_48]
		push	eax
		lea	edx, [ebp+var_40]
		call	_PpmGetPlatformSelectionVetoCounts@12 ;	PpmGetPlatformSelectionVetoCounts(x,x,x)
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		mov	ds:dword_6D44C8, eax
		mov	eax, [ebp+var_18]
		mov	ds:dword_6D44CC, eax
		mov	eax, [ebp+var_84]
		mov	ds:_PopCsConsumption, eax
		mov	eax, [ebp+var_68]
		mov	ds:dword_6D44D0, eax
		mov	eax, [ebp+var_64]
		mov	ds:dword_6D44D4, eax
		mov	eax, [ebp+var_58]
		mov	ds:dword_6D44E0, eax
		mov	eax, [ebp+var_70]
		mov	ds:dword_6D44D8, eax
		mov	eax, [ebp+var_6C]
		mov	ds:dword_6D44DC, eax
		mov	eax, [ebp+var_60]
		mov	ds:dword_6D4558, eax
		mov	eax, [ebp+var_5C]
		mov	ds:dword_6D455C, eax
		mov	eax, [ebp+var_40]
		mov	ds:dword_6D4560, eax
		mov	eax, [ebp+var_3C]
		mov	ds:dword_6D4564, eax
		mov	eax, [ebp+var_48]
		mov	ds:dword_6D4568, eax
		mov	eax, [ebp+var_44]
		mov	ds:dword_6D456C, eax
		mov	eax, [ebp+var_88]
		mov	ds:dword_6D4500, ecx
		mov	ds:dword_6D4504, ecx
		mov	ds:dword_6D44E8, ecx
		mov	ds:dword_6D44EC, ecx
		mov	ds:dword_6D44F0, ecx
		mov	ds:dword_6D44F4, ecx
		mov	ds:dword_6D4510, ecx
		mov	ds:dword_6D4514, ecx
		mov	ds:dword_6D4548, ecx
		mov	ds:dword_6D454C, ecx
		mov	ds:dword_6D4550, ecx
		mov	ds:dword_6D4554, ecx
		mov	ds:dword_6D4520, ecx
		mov	ds:dword_6D4524, ecx
		mov	ds:dword_6D4530, ecx
		mov	ds:dword_6D4534, ecx
		mov	ds:dword_6D4540, ecx
		mov	ds:dword_6D4544, ecx
		mov	ds:dword_6D45A0, ecx
		mov	ds:dword_6D45A4, ecx
		mov	ds:dword_6D45A8, ecx
		mov	ds:dword_6D45AC, ecx
		mov	ds:dword_6D45B0, ecx
		mov	ds:dword_6D45B4, ecx
		mov	ds:byte_6D458C,	cl
		lea	ecx, [ebp+var_10]
		mov	ds:dword_6D4590, eax
		call	_PopNetIsDisconnectStandbyActive@4 ; PopNetIsDisconnectStandbyActive(x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset dword_6C20F8
		mov	byte ptr [ebp+var_4+1],	al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	edi, edi
		mov	ds:dword_6C20E8, edi
		mov	ds:dword_6C20EC, edi
		mov	ds:dword_6C20F0, edi
		mov	ds:dword_6C20F4, edi
		mov	ds:_PopDisplayOnPerformance, edi
		mov	ds:dword_6C20E4, edi
		xor	eax, eax
		inc	eax
		mov	ds:dword_6C20FC, eax
		test	ds:byte_70EFC6,	al
		jz	short loc_6512CE
		mov	edx, [ebx+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6512D3
; 

loc_6512CE:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+26Aj
		xor	eax, eax
		lock and [esi],	eax

loc_6512D3:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+276j
		mov	cl, byte ptr [ebp+var_4+1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, offset _CsSessionEnergyCounter
		call	_PopGetEnergyCounter@4 ; PopGetEnergyCounter(x)
		cmp	ds:dword_6C2D0C, edi
		mov	al, ds:byte_6D4580
		setz	cl
		and	al, 0FEh
		or	al, cl
		mov	ds:byte_6D4580,	al
		call	_PopNetIsCompliantNicPresent@0 ; PopNetIsCompliantNicPresent()
		mov	cl, al
		mov	al, ds:byte_6D4581
		xor	cl, al
		and	cl, 1
		push	3
		xor	al, cl
		pop	esi
		mov	ds:byte_6D4581,	al
		cmp	[ebp+var_10], esi
		jz	short loc_651344
		cmp	[ebp+var_10], 4
		jz	short loc_651344
		cmp	[ebp+var_10], 1
		jz	short loc_651344
		call	_PopNetCheckUserConnectivityPolicy@0 ; PopNetCheckUserConnectivityPolicy()
		test	al, al
		jz	short loc_651344
		call	PopNetCheckOpportunisticDs
		test	al, al
		jnz	short loc_651344
		and	ds:byte_6D4581,	0FDh
		jmp	short loc_65134B
; 

loc_651344:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+2C5j
					; PopCaptureSleepStudyStatistics(x,x,x,x)+2CBj	...
		or	ds:byte_6D4581,	2

loc_65134B:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+2ECj
		mov	eax, ds:_PopDiagCachedAggregatorIntent
		test	eax, eax
		jz	short loc_65136C
		push	6
		mov	ds:dword_6D45BC, eax
		pop	eax
		mov	ds:dword_6D45C0, eax
		mov	ds:_PopDiagCachedAggregatorIntent, edi
		mov	ds:_PopDiagCachedAggregatorAction, eax

loc_65136C:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+2FCj
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	ecx		; int
		lea	eax, [ebp+var_24]
		mov	ecx, offset _GUID_ENERGY_SAVER_POLICY
		push	eax		; void *
		push	esi		; int
		call	_PopGetPowerSettingValue@24 ; PopGetPowerSettingValue(x,x,x,x,x,x)
		mov	cl, byte ptr [ebp+var_24]
		mov	al, ds:byte_6D4581
		shl	cl, 2
		xor	cl, al
		and	cl, 4
		xor	al, cl
		mov	ds:byte_6D4581,	al
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	ecx		; int
		lea	eax, [ebp+var_28]
		mov	ecx, offset _GUID_VIDEO_POWERDOWN_TIMEOUT
		push	eax		; void *
		push	esi		; int
		call	_PopGetPowerSettingValue@24 ; PopGetPowerSettingValue(x,x,x,x,x,x)
		mov	eax, [ebp+var_28]
		mov	ds:dword_6D4570, eax
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	ecx		; int
		lea	eax, [ebp+var_2C]
		mov	ecx, offset _GUID_VIDEO_CONSOLE_LOCK_TIMEOUT
		push	eax		; void *
		push	esi		; int
		call	_PopGetPowerSettingValue@24 ; PopGetPowerSettingValue(x,x,x,x,x,x)
		mov	eax, [ebp+var_2C]
		mov	ds:dword_6D4574, eax
		mov	al, byte ptr [ebp+var_4+2]
		mov	ds:byte_6D4578,	al
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	ecx		; int
		lea	eax, [ebp+var_30]
		mov	ecx, offset _GUID_STANDBY_TIMEOUT
		push	eax		; void *
		push	esi		; int
		call	_PopGetPowerSettingValue@24 ; PopGetPowerSettingValue(x,x,x,x,x,x)
		mov	eax, [ebp+var_30]
		lea	edx, [ebp+var_E0]
		mov	ds:dword_6D457C, eax
		mov	ecx, offset _PopCapabilities
		mov	al, ds:_KdDebuggerEnabled
		mov	ds:byte_6D4595,	al
		call	PopFilterCapabilities
		mov	edi, eax
		mov	[ebp+var_4C], edi
		test	edi, edi
		js	short loc_651423
		lea	ecx, [ebp+var_E0]
		call	_PopIsHibernateSupported@4 ; PopIsHibernateSupported(x)
		jmp	short loc_651426
; 

loc_651423:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+3BEj
		mov	al, byte ptr [ebp+var_4+3]

loc_651426:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+3CBj
		mov	ds:byte_6D4594,	al
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	ecx		; int
		lea	eax, [ebp+var_34]
		mov	ecx, (offset loc_405617+1)
		push	eax		; void *
		push	esi		; int
		call	_PopGetPowerSettingValue@24 ; PopGetPowerSettingValue(x,x,x,x,x,x)
		mov	eax, [ebp+var_34]
		mov	ds:dword_6D4598, eax
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	ecx		; int
		lea	eax, [ebp+var_38]
		mov	ecx, offset _GUID_STANDBY_BUDGET_PERCENT
		push	eax		; void *
		push	esi		; int
		call	_PopGetPowerSettingValue@24 ; PopGetPowerSettingValue(x,x,x,x,x,x)
		mov	eax, [ebp+var_38]
		mov	ds:dword_6D459C, eax

loc_651463:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+438j
					; PopCaptureSleepStudyStatistics(x,x,x,x)+43Dj
		mov	esi, ds:dword_6D4600
		mov	eax, esi
		mov	ecx, ds:dword_6D4604
		mov	edx, ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_18], offset dword_6D4600
		nop
		mov	edi, [ebp+var_18]
		xor	ecx, ecx
		push	ebx
		xor	ebx, ebx
		lock cmpxchg8b qword ptr [edi]
		pop	ebx
		nop
		cmp	eax, esi
		jnz	short loc_651463
		cmp	edx, [ebp+var_14]
		jnz	short loc_651463
		mov	ecx, ds:dword_6D4640
		call	_PopFxLookupSocSubsystemsByPlatformIdleState@4 ; PopFxLookupSocSubsystemsByPlatformIdleState(x)
		mov	edi, [ebp+var_4C]
		test	eax, eax
		jz	short loc_6514B4
		mov	ecx, ds:dword_6D4640
		call	_PopFxResetSocSubsystemAccounting@8 ; PopFxResetSocSubsystemAccounting(x,x)
		mov	edi, eax

loc_6514B4:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+44Fj
		call	_PopFxStartDeviceAccounting@0 ;	PopFxStartDeviceAccounting()
		call	_PpmIdleStartCsVetoAccounting@0	; PpmIdleStartCsVetoAccounting()
		mov	eax, ds:_PopAggressiveStandbyEnabledActions
		mov	ds:dword_6D4584, eax
		mov	eax, ds:_PopAggressiveStandbyAppliedActions
		mov	ds:dword_6D4588, eax
		call	_ExStartRecordingIRTimerExpiries@0 ; ExStartRecordingIRTimerExpiries()
		call	_PpmResetDripsAccountingSnapshot@0 ; PpmResetDripsAccountingSnapshot()
		xor	edx, edx
		mov	cl, 1
		call	_PopGetModernStandbyTransitionReason@8 ; PopGetModernStandbyTransitionReason(x,x)
		push	ecx
		mov	esi, eax
		push	ecx
		mov	ecx, esi
		call	_PopDiagTraceCsEnterReason@12 ;	PopDiagTraceCsEnterReason(x,x,x)
		push	ecx
		push	ecx
		mov	ecx, esi
		call	_PopSetConnectedStandbyMarker@12 ; PopSetConnectedStandbyMarker(x,x,x)
		push	ecx
		push	ecx
		mov	cl, 1
		call	_PopStatsNotifyPowerRequestCsState@12 ;	PopStatsNotifyPowerRequestCsState(x,x,x)
		mov	eax, ds:_PopWdiCurrentScenarioInstanceId
		lea	edx, [ebp+var_20]
		mov	[ebp+var_20], eax
		xor	ecx, ecx
		mov	eax, ds:dword_6C1F7C
		mov	[ebp+var_1C], eax
		call	PopDirectedDripsNotify
		call	_PopIdleWakeNotifyModernStandbyEnter@0 ; PopIdleWakeNotifyModernStandbyEnter()
		and	[ebp+var_C], 0
		lea	ecx, [ebp+var_C]
		call	_PopQueryInputSuppressionCount@4 ; PopQueryInputSuppressionCount(x)
		mov	eax, [ebp+var_C]
		mov	ds:dword_6D45B8, eax
		jmp	loc_65164B
; 

loc_65153A:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+CDj
		push	ecx
		push	ecx
		call	_PopIdleWakeNotifyModernStandbyExit@8 ;	PopIdleWakeNotifyModernStandbyExit(x,x)
		push	ds:_PopSleepstudyStopReason
		mov	ecx, esi
		call	_PopCalculateCsSummary@8 ; PopCalculateCsSummary(x,x)
		xor	ecx, ecx
		mov	[ebp+var_20], esi
		lea	edx, [ebp+var_20]
		inc	ecx
		call	PopDirectedDripsNotify
		push	ecx
		push	ecx
		mov	ecx, ds:dword_6D4640
		call	_PpmIdleCaptureCsVetoAccounting@16 ; PpmIdleCaptureCsVetoAccounting(x,x,x,x)
		call	_ExStopRecordingIRTimerExpiries@0 ; ExStopRecordingIRTimerExpiries()
		call	_PopFxStopDeviceAccounting@0 ; PopFxStopDeviceAccounting()
		mov	eax, [esi+2Ch]
		push	0Ah
		pop	ecx
		mul	ecx
		push	0Ah
		pop	edx
		mov	ecx, eax
		mov	eax, [esi+28h]
		mul	edx
		add	ecx, edx
		push	ecx
		push	eax
		mov	eax, [esi+24h]
		push	0Ah
		pop	ecx
		mul	ecx
		push	0Ah
		pop	edx
		mov	ecx, eax
		mov	eax, [esi+20h]
		mul	edx
		add	ecx, edx
		push	ecx
		push	eax
		push	ecx
		push	ecx
		call	_PpmSnapDripsAccountingSnapshot@24 ; PpmSnapDripsAccountingSnapshot(x,x,x,x,x,x)
		mov	ecx, esi
		call	_PopDiagTraceCsConsumption@4 ; PopDiagTraceCsConsumption(x)
		push	dword ptr [ebx+0Ch]
		mov	ecx, esi
		push	dword ptr [ebx+8]
		call	_PopDiagTraceCsExitReason@12 ; PopDiagTraceCsExitReason(x,x,x)
		mov	ecx, ds:dword_6D4640
		call	_PopFxLookupSocSubsystemsByPlatformIdleState@4 ; PopFxLookupSocSubsystemsByPlatformIdleState(x)
		test	eax, eax
		jz	short loc_6515E5
		push	ecx
		push	ecx
		mov	ecx, ds:dword_6D4640
		call	_PopFxLogSocSubsystemBlockingTimes@16 ;	PopFxLogSocSubsystemBlockingTimes(x,x,x,x)
		push	ecx
		push	ecx
		mov	ecx, ds:dword_6D4640
		call	_PopFxLogSocSubsystemMetadata@16 ; PopFxLogSocSubsystemMetadata(x,x,x,x)
		mov	edi, eax

loc_6515E5:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+571j
		push	ecx
		push	ecx
		xor	cl, cl
		call	_PopStatsNotifyPowerRequestCsState@12 ;	PopStatsNotifyPowerRequestCsState(x,x,x)
		xor	edx, edx
		xor	cl, cl
		call	_PopGetModernStandbyTransitionReason@8 ; PopGetModernStandbyTransitionReason(x,x)
		mov	ecx, eax
		call	_PopClearConnectedStandbyMarker@4 ; PopClearConnectedStandbyMarker(x)
		and	ds:dword_6D44C8, 0
		and	ds:dword_6D44CC, 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset dword_6C20F8
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		and	ds:dword_6C20FC, 0
		test	ds:byte_70EFC6,	1
		jz	short loc_65163D
		mov	edx, [ebx+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_651642
; 

loc_65163D:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+5D9j
		xor	eax, eax
		lock and [esi],	eax

loc_651642:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+5E5j
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_65164B:				; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+4DFj
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_PopCaptureSleepStudyStatistics@16 endp	; sp =	4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagGetTimeBrokerExpirationReason(x, x)
_PopDiagGetTimeBrokerExpirationReason@8	proc near
					; CODE XREF: PopIdleWakeFinalizeWakeSource(x,x)+2Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, ds:_PopTimeBrokerExpirationDueTime
		mov	eax, ecx
		mov	edx, ds:dword_6C359C
		push	esi
		xor	esi, esi
		or	eax, edx
		jz	short loc_65169C
		cmp	[ebp+arg_4], edx
		jb	short loc_65169C
		ja	short loc_651683
		cmp	[ebp+arg_0], ecx
		jb	short loc_65169C

loc_651683:				; CODE XREF: PopDiagGetTimeBrokerExpirationReason(x,x)+1Fj
		add	ecx, 1312D00h
		adc	edx, esi
		cmp	edx, [ebp+arg_4]
		jb	short loc_65169C
		ja	short loc_651697
		cmp	ecx, [ebp+arg_0]
		jb	short loc_65169C

loc_651697:				; CODE XREF: PopDiagGetTimeBrokerExpirationReason(x,x)+33j
		mov	esi, offset _PopTimeBrokerExpirationReason

loc_65169C:				; CODE XREF: PopDiagGetTimeBrokerExpirationReason(x,x)+18j
					; PopDiagGetTimeBrokerExpirationReason(x,x)+1Dj ...
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_PopDiagGetTimeBrokerExpirationReason@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceAbnormalReset(x)
_PopDiagTraceAbnormalReset@4 proc near	; CODE XREF: PopCheckForAbnormalReset+7DD02j

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	[ebp+var_18], ecx
		jz	short loc_651708
		push	ebx
		push	esi
		mov	esi, ds:dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_ABNORMAL_RESET
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_651705
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_651705:				; CODE XREF: PopDiagTraceAbnormalReset(x)+3Cj
		pop	edi
		pop	esi
		pop	ebx

loc_651708:				; CODE XREF: PopDiagTraceAbnormalReset(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceAbnormalReset@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceCsDeepSleepWatchdog(x, x, x, x,	x, x)
_PopDiagTraceCsDeepSleepWatchdog@24 proc near
					; CODE XREF: PopDeepSleepWatchdogTakeAction(x,x)+38p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], ecx
		jz	loc_6517D8
		push	ebx
		push	esi
		mov	esi, ds:dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_CS_DEEP_SLEEP_WATCHDOG
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_6517D5
		movzx	eax, [ebp+arg_4]
		xor	edx, edx
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_24], eax
		movzx	eax, [ebp+arg_C]
		push	4
		pop	ecx
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6517D5:				; CODE XREF: PopDiagTraceCsDeepSleepWatchdog(x,x,x,x,x,x)+43j
		pop	edi
		pop	esi
		pop	ebx

loc_6517D8:				; CODE XREF: PopDiagTraceCsDeepSleepWatchdog(x,x,x,x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PopDiagTraceCsDeepSleepWatchdog@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceCsDripsDivergence(x, x,	x, x, x, x)
_PopDiagTraceCsDripsDivergence@24 proc near
					; CODE XREF: PopDripsWatchdogDiagnosticWorker(x)+194p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	eax, ds:_PopDripsSwHwDivergenceThreshold
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], eax
		jz	short loc_651884
		push	esi
		mov	esi, ds:dword_6C1D74
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_CS_DRIPS_DIVERGENCE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_651882
		push	ebx
		push	4
		pop	edx
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_3C], edx
		mov	[ebp+var_44], eax
		xor	ebx, ebx
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_40], ebx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_8]
		push	8
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	edx
		push	ebx
		push	offset _POP_ETW_EVENT_CS_DRIPS_DIVERGENCE
		push	esi
		push	edi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	ebx

loc_651882:				; CODE XREF: PopDiagTraceCsDripsDivergence(x,x,x,x,x,x)+42j
		pop	edi
		pop	esi

loc_651884:				; CODE XREF: PopDiagTraceCsDripsDivergence(x,x,x,x,x,x)+24j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PopDiagTraceCsDripsDivergence@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceCsDripsWatchdog(x, x, x, x, x, x, x, x,	x, x, x)
_PopDiagTraceCsDripsWatchdog@44	proc near ; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+83p
					; PopDripsWatchdogTakeAction(x,x,x)+BFp ...

var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ECh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	[ebp+var_E0], edx
		mov	[ebp+var_DC], ecx
		jz	loc_651A84
		push	esi
		mov	esi, ds:dword_6C1D74
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_CS_DRIPS_WATCHDOG
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_651A82
		movzx	eax, [ebp+arg_C]
		lea	edx, [ebp+var_EC]
		mov	[ebp+var_E8], eax
		movzx	eax, [ebp+arg_4]
		mov	[ebp+var_E4], eax
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_D4], eax
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_E4]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+arg_8]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_94], eax
		push	4
		pop	ecx
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_64], edx
		mov	[ebp+var_84], eax
		lea	eax, [ebp+arg_10]
		push	2
		mov	[ebp+var_74], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_D0], ebx
		mov	[ebp+var_CC], ecx
		mov	[ebp+var_C8], ebx
		mov	[ebp+var_C0], ebx
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_B8], ebx
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_78], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_48], ebx
		pop	edx
		mov	[ebp+var_5C], edx
		test	eax, eax
		jz	short loc_6519E8
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_54], eax
		mov	eax, ecx
		shr	cx, 1
		mov	[ebp+var_4C], eax
		movzx	eax, cx
		jmp	short loc_6519F0
; 

loc_6519E8:				; CODE XREF: PopDiagTraceCsDripsWatchdog(x,x,x,x,x,x,x,x,x,x,x)+13Ej
		mov	[ebp+var_54], ebx
		mov	eax, ebx
		mov	[ebp+var_4C], ebx

loc_6519F0:				; CODE XREF: PopDiagTraceCsDripsWatchdog(x,x,x,x,x,x,x,x,x,x,x)+154j
		movzx	eax, ax
		lea	ecx, [ebp+var_D8]
		mov	[ebp+var_EC], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_3C], edx
		test	eax, eax
		jz	short loc_651A2A
		movzx	ecx, word ptr [eax]
		lea	ebx, [ebp+var_D8]
		mov	eax, [eax+4]
		mov	[ebp+var_34], eax
		mov	eax, ecx
		mov	[ebp+var_44], ebx
		xor	ebx, ebx
		shr	cx, 1
		mov	[ebp+var_2C], eax
		movzx	eax, cx
		jmp	short loc_651A35
; 

loc_651A2A:				; CODE XREF: PopDiagTraceCsDripsWatchdog(x,x,x,x,x,x,x,x,x,x,x)+175j
		mov	[ebp+var_44], ecx
		mov	eax, ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx

loc_651A35:				; CODE XREF: PopDiagTraceCsDripsWatchdog(x,x,x,x,x,x,x,x,x,x,x)+196j
		movzx	eax, ax
		mov	[ebp+var_D8], eax
		lea	eax, [ebp+arg_1C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_20]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_D4]
		push	eax
		push	0Dh
		push	ebx
		push	offset _POP_ETW_EVENT_CS_DRIPS_WATCHDOG
		push	esi
		push	edi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	ebx

loc_651A82:				; CODE XREF: PopDiagTraceCsDripsWatchdog(x,x,x,x,x,x,x,x,x,x,x)+4Aj
		pop	edi
		pop	esi

loc_651A84:				; CODE XREF: PopDiagTraceCsDripsWatchdog(x,x,x,x,x,x,x,x,x,x,x)+28j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	24h
_PopDiagTraceCsDripsWatchdog@44	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceCsDripsWatchdogPerfTrack(x, x, x, x, x,	x, x)
_PopDiagTraceCsDripsWatchdogPerfTrack@28 proc near
					; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+14Fp

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_50], ebx
		cmp	ds:_PopDiagHandleRegistered, bl
		jz	loc_651B7E
		push	offset _POP_ETW_EVENT_CS_DRIPS_WATCHDOG_PERFTRACK
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_651B7E
		mov	eax, [ebp+arg_0]
		mov	ecx, ebx
		mov	[ebp+var_5C], edi
		mov	[ebp+var_58], esi
		mov	[ebp+var_54], eax
		cmp	[ebp+arg_4], ecx
		jnz	short loc_651AF2
		and	ecx, 0FFFFFFFEh
		jmp	short loc_651AF5
; 

loc_651AF2:				; CODE XREF: PopDiagTraceCsDripsWatchdogPerfTrack(x,x,x,x,x,x,x)+59j
		or	ecx, 1

loc_651AF5:				; CODE XREF: PopDiagTraceCsDripsWatchdogPerfTrack(x,x,x,x,x,x,x)+5Ej
		cmp	[ebp+arg_C], bl
		jnz	short loc_651B02
		and	ecx, 0FFFFFDFFh
		jmp	short loc_651B08
; 

loc_651B02:				; CODE XREF: PopDiagTraceCsDripsWatchdogPerfTrack(x,x,x,x,x,x,x)+66j
		or	ecx, 200h

loc_651B08:				; CODE XREF: PopDiagTraceCsDripsWatchdogPerfTrack(x,x,x,x,x,x,x)+6Ej
		mov	eax, [ebp+arg_10]
		and	ecx, 0FFFFFE01h
		movzx	edx, al
		and	eax, 100h
		add	edx, edx
		shl	eax, 2
		or	edx, ecx
		mov	ecx, [ebp+arg_8]
		and	edx, 0FFFF03FFh
		or	edx, eax
		mov	eax, 0FFFFh
		cmp	ecx, eax
		jbe	short loc_651B36
		mov	ecx, eax

loc_651B36:				; CODE XREF: PopDiagTraceCsDripsWatchdogPerfTrack(x,x,x,x,x,x,x)+A0j
		movzx	eax, dx
		mov	edx, ebx
		shl	ecx, 10h
		or	eax, ecx
		lea	ecx, [ebp+var_40]
		push	4
		mov	[ebp+var_50], eax
		pop	esi

loc_651B49:				; CODE XREF: PopDiagTraceCsDripsWatchdogPerfTrack(x,x,x,x,x,x,x)+CEj
		lea	eax, [ebp+var_5C]
		mov	[ecx-8], ebx
		lea	eax, [eax+edx*4]
		mov	[ecx-4], esi
		inc	edx
		mov	[ecx-0Ch], eax
		mov	[ecx], ebx
		lea	ecx, [ecx+10h]
		cmp	edx, esi
		jb	short loc_651B49
		lea	eax, [ebp+var_4C]
		push	eax
		push	esi
		push	ebx
		push	offset _POP_ETW_EVENT_CS_DRIPS_WATCHDOG_PERFTRACK
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_651B7E:				; CODE XREF: PopDiagTraceCsDripsWatchdogPerfTrack(x,x,x,x,x,x,x)+24j
					; PopDiagTraceCsDripsWatchdogPerfTrack(x,x,x,x,x,x,x)+42j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_PopDiagTraceCsDripsWatchdogPerfTrack@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceCsFanPerfTrack(x, x)
_PopDiagTraceCsFanPerfTrack@8 proc near	; CODE XREF: PopFanEndCsFanPeriod()+7Bp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ecx
		jz	short loc_651C05
		push	ebx
		push	esi
		mov	esi, ds:dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_CS_FAN_PERFTRACK
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_651C02
		push	4
		pop	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		xor	edx, edx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_651C02:				; CODE XREF: PopDiagTraceCsFanPerfTrack(x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx

loc_651C05:				; CODE XREF: PopDiagTraceCsFanPerfTrack(x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceCsFanPerfTrack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceCsResiliencyEnter(x, x,	x)
_PopDiagTraceCsResiliencyEnter@12 proc near
					; CODE XREF: PopSleepstudyCaptureResiliencyStatistics(x,x,x,x)+53p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	bh, dl
		mov	esi, ecx
		call	_PopIsRemoteDesktopEnabled@0 ; PopIsRemoteDesktopEnabled()
		mov	bl, al
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopCsResiliencyStatsLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	140h		; size_t
		push	0		; int
		push	offset _PopCsResiliencyStats ; void *
		call	_memset
		mov	al, ds:byte_6C2D64
		add	esp, 0Ch
		or	ds:dword_6C23E8, 0FFFFFFFFh
		mov	edi, offset dword_6C2370
		or	ds:dword_6C23EC, 0FFFFFFFFh
		mov	ecx, offset _PopCsResiliencyStatsLock
		cmp	ds:dword_6C2D0C, 0
		mov	ds:byte_6C2362,	al
		mov	al, ds:byte_6C2D65
		setz	ds:byte_6C2361
		test	ds:byte_70EFC6,	1
		mov	ds:byte_6C2363,	al
		mov	eax, ds:_PopNetStandbyReason
		mov	ds:dword_6C238C, eax
		mov	al, ds:_PopNetBIRequestActive
		mov	ds:byte_6C2391,	al
		mov	eax, ds:_PopEsState
		mov	ds:dword_6C2380, eax
		mov	eax, ds:_PopEsReason
		mov	ds:dword_6C2384, eax
		mov	eax, [esi+0Ch]
		mov	esi, [ebp+arg_0]
		mov	ds:_PopCsResiliencyStats, 1
		mov	ds:byte_6C2390,	bl
		mov	ds:dword_6C2364, eax
		mov	ds:byte_6C2368,	bh
		movsd
		movsd
		movsd
		movsd
		jz	short loc_651CE4
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_651CE9
; 

loc_651CE4:				; CODE XREF: PopDiagTraceCsResiliencyEnter(x,x,x)+C7j
		xor	eax, eax
		lock and [ecx],	eax

loc_651CE9:				; CODE XREF: PopDiagTraceCsResiliencyEnter(x,x,x)+D1j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopDiagTraceCsResiliencyEnter@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceCsResiliencyExit(x, x, x, x, x,	x, x, x, x, x, x)
_PopDiagTraceCsResiliencyExit@44 proc near
					; CODE XREF: PopSleepstudyCaptureResiliencyStatistics(x,x,x,x)+12Fp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_6		= byte ptr -6
var_5		= byte ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_20], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		xor	ebx, ebx
		mov	[ebp+var_C], ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopCsResiliencyStatsLock
		mov	[ebp+var_6], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	dl, ds:byte_6C2368
		mov	edi, offset unk_6C23A8
		mov	esi, [ebp+arg_20]
		push	0Ah
		pop	ecx
		rep movsd
		mov	esi, [ebp+arg_8]
		mov	eax, esi
		or	eax, [ebp+arg_C]
		mov	[ebp+var_5], dl
		jz	short loc_651D84
		mov	edx, [ebp+var_10]
		mov	ecx, ds:dword_6C2364
		mov	edx, [edx+0Ch]
		call	_PopBatteryGetEnergyDrainFromDischage@8	; PopBatteryGetEnergyDrainFromDischage(x,x)
		mov	esi, [ebp+arg_4]
		mov	edi, eax
		mov	edx, ds:dword_6C2378
		mov	ecx, [esi]
		or	ecx, ds:dword_6C2370
		sub	edx, [esi+8]
		mov	[ebp+var_24], ecx
		mov	ecx, ds:dword_6C237C
		sbb	ecx, [esi+0Ch]
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_1C], edx
		mov	dl, [ebp+var_5]
		mov	[ebp+var_18], ecx
		jmp	short loc_651D94
; 

loc_651D84:				; CODE XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+48j
		and	[ebp+var_1C], ebx
		xor	edi, edi
		mov	eax, ds:dword_6C2370
		and	[ebp+var_18], ebx
		mov	[ebp+var_24], eax

loc_651D94:				; CODE XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+89j
		cmp	ds:byte_6C2362,	bl
		jz	short loc_651D9F
		push	2
		pop	ebx

loc_651D9F:				; CODE XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+A1j
		cmp	ds:byte_6C2361,	0
		jz	short loc_651DAB
		or	ebx, 1

loc_651DAB:				; CODE XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+ADj
		test	dl, dl
		jz	short loc_651DB5
		cmp	byte ptr [ebp+arg_0], 0
		jnz	short loc_651DB8

loc_651DB5:				; CODE XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+B4j
		or	ebx, 4

loc_651DB8:				; CODE XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+BAj
		cmp	ds:byte_6C2363,	0
		jz	short loc_651DC4
		or	ebx, 8

loc_651DC4:				; CODE XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+C6j
		cmp	ds:byte_6C2391,	0
		jz	short loc_651DD0
		or	ebx, 10h

loc_651DD0:				; CODE XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+D2j
		cmp	ds:byte_6C2390,	0
		jz	short loc_651DDC
		or	ebx, 20h

loc_651DDC:				; CODE XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+DEj
		mov	eax, ds:dword_6C238C
		mov	ecx, [ebp+var_C]
		push	0
		push	0F4240h
		mov	[ecx+44h], eax
		mov	eax, ds:dword_6C2388
		mov	[ecx+40h], eax
		mov	eax, ds:dword_6C2380
		mov	[ecx+38h], eax
		mov	eax, ds:dword_6C2384
		mov	[ecx+3Ch], eax
		mov	eax, ds:dword_6C23A0
		mov	[ecx+48h], eax
		mov	eax, ds:dword_6C23A4
		mov	[ecx], ebx
		mov	ebx, ecx
		mov	[ecx+4Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[ebx+8], esi
		lea	esi, [ebp+var_24]
		mov	[ebx+20h], edi
		lea	edi, [ebx+28h]
		movsd
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+arg_10]
		mov	[ebx+10h], eax
		mov	eax, [ebp+arg_14]
		movsd
		mov	[ebx+14h], eax
		mov	eax, [ebp+arg_18]
		mov	[ebx+18h], eax
		mov	eax, [ebp+arg_1C]
		movsd
		mov	[ebx+1Ch], eax
		movsd
		mov	esi, ds:dword_70ED2C
		mov	edi, ds:_PopQpcFrequency
		push	esi
		push	edi
		push	ds:dword_6C23E4
		mov	[ebp+arg_0], esi
		push	ds:dword_6C23E0
		mov	[ebp+arg_20], edi
		call	PpmConvertTime
		push	0
		push	0F4240h
		push	esi
		push	edi
		mov	[ebx+78h], eax
		mov	[ebx+7Ch], edx
		push	ds:dword_6C23EC
		push	ds:dword_6C23E8
		call	PpmConvertTime
		push	0
		push	0F4240h
		push	esi
		push	edi
		mov	[ebx+80h], eax
		mov	[ebx+84h], edx
		push	ds:dword_6C23F4
		push	ds:dword_6C23F0
		call	PpmConvertTime
		mov	[ebx+88h], eax
		lea	edi, [ebx+50h]
		mov	[ebx+8Ch], edx
		mov	esi, offset unk_6C23A8
		mov	eax, ds:dword_6C23F8
		push	0Ah
		mov	[ebx+90h], eax
		pop	ecx
		rep movsd
		lea	edi, [ebx+98h]
		xor	esi, esi
		mov	ebx, [ebp+arg_0]

loc_651EE2:				; CODE XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+213j
		push	0
		push	0F4240h
		push	ebx
		push	[ebp+arg_20]
		push	ds:dword_6C2454[esi]
		push	ds:dword_6C2450[esi]
		call	PpmConvertTime
		add	esi, 8
		mov	[edi], eax
		mov	[edi+4], edx
		lea	edi, [edi+8]
		cmp	esi, 50h
		jb	short loc_651EE2
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopCsResiliencyStatsLock
		mov	ds:_PopCsResiliencyStats, 0
		jz	short loc_651F2D
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_651F32
; 

loc_651F2D:				; CODE XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+228j
		xor	eax, eax
		lock and [ecx],	eax

loc_651F32:				; CODE XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+232j
		mov	cl, [ebp+var_6]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
_PopDiagTraceCsResiliencyExit@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDebuggerTransitionRequirements(x, x, x)
_PopDiagTraceDebuggerTransitionRequirements@12 proc near
					; CODE XREF: PopPepInitializeDebuggerMasks(x,x)+73p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_38], ecx
		jz	short loc_651FC8
		push	esi
		mov	esi, ds:dword_6C1D74
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_DEBUGGER_TRANSITION_REQUIREMENTS
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_651FC6
		lea	eax, [ebp+var_38]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_34], eax
		xor	edx, edx
		push	4
		pop	ecx
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_30], edx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	offset _POP_ETW_EVENT_DEBUGGER_TRANSITION_REQUIREMENTS
		push	esi
		push	edi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_651FC6:				; CODE XREF: PopDiagTraceDebuggerTransitionRequirements(x,x,x)+3Dj
		pop	edi
		pop	esi

loc_651FC8:				; CODE XREF: PopDiagTraceDebuggerTransitionRequirements(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceDebuggerTransitionRequirements@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDeviceComplianceUpdate(x, x)
_PopDiagTraceDeviceComplianceUpdate@8 proc near
					; CODE XREF: PopPdcUpdateDeviceCompliance()+59p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ecx
		jz	short loc_65204D
		push	ebx
		push	esi
		mov	esi, ds:dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_CS_COMPLIANCE_UPDATE
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_65204A
		push	4
		pop	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		xor	edx, edx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65204A:				; CODE XREF: PopDiagTraceDeviceComplianceUpdate(x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx

loc_65204D:				; CODE XREF: PopDiagTraceDeviceComplianceUpdate(x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceDeviceComplianceUpdate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDeviceIdleCheck(x, x, x)
_PopDiagTraceDeviceIdleCheck@12	proc near ; CODE XREF: PopScanIdleList(x,x,x)+1A9p

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_BE		= dword	ptr -0BEh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D0h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_CC], edx
		push	esi
		mov	esi, ecx
		mov	byte ptr [ebp+var_BE], bl
		push	edi
		mov	byte ptr [ebp+var_BE+1], bl
		mov	[ebp+var_C4], ebx
		cmp	ds:_PopDiagHandleRegistered, bl
		jz	loc_65222F
		push	offset _POP_ETW_EVENT_DEVICE_IDLE_CHECK
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_65222F
		lea	edi, [esi+18h]
		mov	edx, 67446F50h
		mov	ecx, [edi]
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	[ebp+var_C8], eax
		test	eax, eax
		jz	loc_65222F
		mov	ecx, [eax+0B0h]
		mov	edx, [ecx+14h]
		test	edx, edx
		jz	loc_65221F
		mov	ax, [edx+14h]
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_C4], eax
		mov	al, [esi+28h]
		dec	al
		mov	[ebp+var_BE+2],	edi
		mov	byte ptr [ebp+var_BE+1], al
		mov	al, [esi+2Ch]
		dec	al
		mov	[ebp+var_B8], ebx
		mov	byte ptr [ebp+var_BE], al
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_C4]
		push	4
		pop	edi
		mov	[ebp+var_9C], eax
		mov	[ebp+var_B4], edi
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_A4], edi
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_94], 2
		mov	[ebp+var_90], ebx
		movzx	ecx, word ptr [edx+14h]
		mov	eax, [edx+18h]
		mov	[ebp+var_8C], eax
		mov	eax, ecx
		mov	[ebp+var_84], eax
		xor	ecx, ecx
		lea	eax, [esi+10h]
		mov	[ebp+var_88], ebx
		mov	[ebp+var_7C], eax
		inc	ecx
		lea	eax, [esi+14h]
		mov	[ebp+var_80], ebx
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_4C], eax
		lea	eax, [esi+0Ch]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_BE+1]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_BE]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_BE+2]
		push	eax
		push	0Bh
		push	ebx
		push	offset _POP_ETW_EVENT_DEVICE_IDLE_CHECK
		push	ds:dword_6C1D74
		mov	[ebp+var_78], ebx
		push	ds:_PopDiagHandle
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	eax, [ebp+var_C8]

loc_65221F:				; CODE XREF: PopDiagTraceDeviceIdleCheck(x,x,x)+86j
		test	eax, eax
		jz	short loc_65222F
		mov	edx, 67446F50h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_65222F:				; CODE XREF: PopDiagTraceDeviceIdleCheck(x,x,x)+3Aj
					; PopDiagTraceDeviceIdleCheck(x,x,x)+58j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceDeviceIdleCheck@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDiskIdleCheck(x, x, x)
_PopDiagTraceDiskIdleCheck@12 proc near	; CODE XREF: PopScanIdleList(x,x,x)+1BDp

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		push	ebx
		mov	[ebp+var_58], edx
		mov	ebx, ecx
		jz	loc_6522E8
		push	esi
		mov	esi, ds:dword_6C1D74
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_DISK_IDLE_CHECK
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_6522E6
		lea	eax, [ebx+18h]
		xor	edx, edx
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		lea	eax, [ebx+3Ch]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebx+40h]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	edx
		push	offset _POP_ETW_EVENT_DISK_IDLE_CHECK
		push	esi
		push	edi
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6522E6:				; CODE XREF: PopDiagTraceDiskIdleCheck(x,x,x)+41j
		pop	edi
		pop	esi

loc_6522E8:				; CODE XREF: PopDiagTraceDiskIdleCheck(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceDiskIdleCheck@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDripsHistogram(x, x, x,	x, x, x, x, x)
_PopDiagTraceDripsHistogram@32 proc near
					; CODE XREF: PpmSnapDripsAccountingSnapshot(x,x,x,x,x,x)+C3p

var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_104		= dword	ptr -104h
var_FD		= dword	ptr -0FDh
var_F8		= dword	ptr -0F8h
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= byte ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= byte ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 114h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		or	[ebp+var_20], 0FFFFFFFFh
		xor	ecx, ecx
		or	[ebp+var_1C], 0FFFFFFFFh
		mov	eax, 23C34600h
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		push	ecx
		push	eax
		push	ebx
		push	[ebp+arg_8]
		mov	edi, edx
		mov	[ebp+var_68], 1312D00h
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], ecx
		mov	byte ptr [ebp+var_58], cl
		mov	[ebp+var_50], 9896800h
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], cl
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], cl
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], cl
		call	__aulldiv
		movzx	eax, ax
		mov	[ebp+var_114], eax
		test	ax, ax
		jz	loc_6525C2
		mov	eax, [ebp+arg_14]
		push	64h
		pop	esi
		mul	esi
		push	ebx
		push	[ebp+arg_8]
		mov	ecx, eax
		mov	eax, [ebp+arg_10]
		mul	esi
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	[ebp-0F9h], al
		test	al, al
		jz	loc_6525C2
		xor	edx, edx
		xor	esi, esi

loc_6523AC:				; CODE XREF: PopDiagTraceDripsHistogram(x,x,x,x,x,x,x,x)+10Aj
		cmp	edx, 3
		jnb	short loc_6523E5
		mov	eax, ds:dword_705208[esi]
		lea	ebx, [ebp+var_68]
		mov	ecx, ds:dword_70520C[esi]
		mov	[ebp+var_10C], eax
		imul	eax, edx, 18h
		add	eax, ebx
		mov	ebx, [ebp+var_10C]

loc_6523D1:				; CODE XREF: PopDiagTraceDripsHistogram(x,x,x,x,x,x,x,x)+ECj
		cmp	ecx, [eax+4]
		jb	short loc_6523E5
		ja	short loc_6523DC
		cmp	ebx, [eax]
		jbe	short loc_6523E5

loc_6523DC:				; CODE XREF: PopDiagTraceDripsHistogram(x,x,x,x,x,x,x,x)+DFj
		inc	edx
		add	eax, 18h
		cmp	edx, 3
		jb	short loc_6523D1

loc_6523E5:				; CODE XREF: PopDiagTraceDripsHistogram(x,x,x,x,x,x,x,x)+B8j
					; PopDiagTraceDripsHistogram(x,x,x,x,x,x,x,x)+DDj ...
		mov	eax, [edi]
		imul	ecx, edx, 18h
		add	[ebp+ecx+var_60], eax
		mov	eax, [edi+4]
		adc	[ebp+ecx+var_5C], eax
		add	esi, 18h
		add	edi, 8
		cmp	esi, 270h
		jb	short loc_6523AC
		mov	ebx, [ebp+arg_C]
		lea	ecx, [ebp+var_58]
		mov	edi, [ebp+arg_8]
		mov	esi, ebx
		shrd	edi, esi, 1
		mov	[ebp+var_104], ecx
		shr	esi, 1
		mov	[ebp+var_10C], 4

loc_652424:				; CODE XREF: PopDiagTraceDripsHistogram(x,x,x,x,x,x,x,x)+16Ej
		mov	eax, [ecx-4]
		push	64h
		pop	ecx
		mul	ecx
		push	64h
		mov	ecx, eax
		mov	eax, [ebp+var_104]
		pop	edx
		push	ebx
		push	[ebp+arg_8]
		mov	eax, [eax-8]
		mul	edx
		add	ecx, edx
		add	eax, edi
		adc	ecx, esi
		push	ecx
		push	eax
		call	__aulldiv
		mov	ecx, [ebp+var_104]
		mov	[ecx], al
		add	ecx, 18h
		sub	[ebp+var_10C], 1
		mov	[ebp+var_104], ecx
		jnz	short loc_652424
		cmp	ds:dword_6B23F8, 5
		jbe	loc_6525C2
		push	4000h
		xor	ebx, ebx
		mov	esi, offset dword_6B23F8
		push	ebx
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_6525C2
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	[ebp+var_110], eax
		inc	ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_110]
		mov	[ebp+var_D8], eax
		mov	eax, [ebp+var_114]
		movzx	eax, ax
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_114]
		mov	[ebp+var_C8], eax
		mov	al, [ebp-0F9h]
		mov	[ebp-0F9h], al
		lea	eax, [ebp-0F9h]
		mov	[ebp+var_B8], eax
		mov	al, byte ptr [ebp+var_58]
		mov	byte ptr [ebp+var_FD+3], al
		lea	eax, [ebp+var_FD+3]
		mov	[ebp+var_A8], eax
		mov	al, [ebp+var_40]
		mov	byte ptr [ebp+var_FD+2], al
		lea	eax, [ebp+var_FD+2]
		mov	[ebp+var_98], eax
		mov	al, [ebp+var_28]
		mov	byte ptr [ebp+var_FD+1], al
		lea	eax, [ebp+var_FD+1]
		mov	[ebp+var_88], eax
		mov	al, [ebp+var_10]
		mov	byte ptr [ebp+var_FD], al
		lea	eax, [ebp+var_FD]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_F8]
		push	eax
		push	9
		push	ebx
		push	ebx
		push	offset loc_41F29F
		push	esi
		mov	[ebp+var_D4], ebx
		mov	[ebp+var_D0], 8
		mov	[ebp+var_CC], ebx
		mov	[ebp+var_C4], ebx
		mov	[ebp+var_C0], 2
		mov	[ebp+var_BC], ebx
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_A4], ebx
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_94], ebx
		mov	[ebp+var_90], ecx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_6525C2:				; CODE XREF: PopDiagTraceDripsHistogram(x,x,x,x,x,x,x,x)+81j
					; PopDiagTraceDripsHistogram(x,x,x,x,x,x,x,x)+ABj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_PopDiagTraceDripsHistogram@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceEsState(x, x)
_PopDiagTraceEsState@8 proc near	; CODE XREF: PopEsUpdateState:loc_5E4DD7p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	eax, ds:_PopEsReason
		mov	[ebp+var_28], eax
		jz	short loc_65264C
		push	ebx
		push	esi
		mov	esi, ds:dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_ENERGY_SAVER_STATE
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_652649
		push	4
		pop	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], offset _PopEsState
		mov	[ebp+var_14], eax
		xor	edx, edx
		lea	eax, [ebp+var_24]
		mov	[ebp+var_20], edx
		push	eax
		push	2
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_652649:				; CODE XREF: PopDiagTraceEsState(x,x)+41j
		pop	edi
		pop	esi
		pop	ebx

loc_65264C:				; CODE XREF: PopDiagTraceEsState(x,x)+21j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceEsState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxComponentIdleConstraints(x, x, x, x)
_PopDiagTraceFxComponentIdleConstraints@16 proc	near
					; CODE XREF: PopPluginRequestComponentIdleConstraints(x,x,x,x)+50p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], ecx
		jz	short loc_6526F1
		push	ebx
		push	esi
		mov	esi, ds:dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_COMPONENT_IDLE_CONSTRAINTS
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_6526EE
		lea	eax, [ebp+var_48]
		xor	edx, edx
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_4]
		shl	eax, 2
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6526EE:				; CODE XREF: PopDiagTraceFxComponentIdleConstraints(x,x,x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx

loc_6526F1:				; CODE XREF: PopDiagTraceFxComponentIdleConstraints(x,x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopDiagTraceFxComponentIdleConstraints@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxComponentWake(x, x, x)
_PopDiagTraceFxComponentWake@12	proc near ; CODE XREF: PoFxSetComponentWake(x,x,x)+12p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	bl, [ebp+arg_0]
		push	esi
		mov	esi, edx
		movzx	eax, bl
		cdq
		push	edx
		push	eax
		push	0Bh
		mov	edx, esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], ecx
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		cmp	ds:_PopDiagHandleRegistered, 0
		jz	short loc_65279F
		mov	esi, ds:dword_6C1D74
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_COMPONENT_WAKE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_65279E
		movzx	eax, bl
		xor	edx, edx
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	offset _POP_ETW_EVENT_COMPONENT_WAKE
		push	esi
		push	edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65279E:				; CODE XREF: PopDiagTraceFxComponentWake(x,x,x)+52j
		pop	edi

loc_65279F:				; CODE XREF: PopDiagTraceFxComponentWake(x,x,x)+35j
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceFxComponentWake@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxDeviceAccounting(x, x, x, x, x, x)
_PopDiagTraceFxDeviceAccounting@24 proc	near ; CODE XREF: PopFxStopDeviceAccounting()+102p

var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_139		= dword	ptr -139h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 16Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_154], edx
		mov	esi, offset ??_C@_11LOCGONAA@@FNODOBFM@
		mov	[ebp+var_140], ecx
		push	esi
		lea	eax, [ebp+var_148]
		mov	[ebp+var_148], ebx
		push	eax
		mov	[ebp+var_144], ebx
		mov	[ebp+var_150], ebx
		mov	[ebp+var_14C], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_150]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	bh, bl
		xor	bl, bl
		cmp	ds:_PopDiagHandleRegistered, bl
		jz	loc_652B1B
		mov	esi, ds:dword_6C1D74
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_DEVICE_ACCOUNTING
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_652B1B
		mov	al, byte ptr ds:_PopWnfCsEnterScenarioId
		xor	edx, edx
		mov	byte ptr [ebp+var_139],	al
		lea	eax, [ebp+var_139]
		push	4
		pop	ecx
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_140]
		push	8
		mov	[ebp+var_38], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_28], eax
		pop	eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	ecx
		push	edx
		push	offset _POP_ETW_EVENT_DEVICE_ACCOUNTING
		push	esi
		push	edi
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], 1
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], offset _PopWnfCsEnterScenarioId
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	edi, [ebp+var_154]
		cmp	dword ptr [edi+8], 5
		jnb	loc_652B1B
		cmp	ds:_PopDiagFxAccountingTelemetryDisabled, 0
		jnz	loc_652B1B
		mov	eax, [ebp+var_140]
		mov	esi, [eax+10h]
		lea	eax, [ebp+var_148]
		push	eax
		push	5
		pop	edx
		mov	ecx, esi
		call	_PopDiagQueryDevicePropertyString@12 ; PopDiagQueryDevicePropertyString(x,x,x)
		test	eax, eax
		js	short loc_6528E5
		mov	bh, 1

loc_6528E5:				; CODE XREF: PopDiagTraceFxDeviceAccounting(x,x,x,x,x,x)+132j
		lea	eax, [ebp+var_150]
		mov	ecx, esi
		push	eax
		push	6
		pop	edx
		call	_PopDiagQueryDevicePropertyString@12 ; PopDiagQueryDevicePropertyString(x,x,x)
		test	eax, eax
		js	short loc_6528FC
		mov	bl, 1

loc_6528FC:				; CODE XREF: PopDiagTraceFxDeviceAccounting(x,x,x,x,x,x)+149j
		cmp	ds:dword_6B23F8, 5
		jbe	loc_652AF6
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_652AF6
		mov	eax, ds:_PopWnfCsEnterScenarioId
		lea	edx, [ebp+var_F0]
		and	[ebp+var_114], 0
		and	[ebp+var_10C], 0
		mov	[ebp+var_158], eax
		mov	eax, ds:dword_6C1D84
		mov	[ebp+var_154], eax
		lea	eax, [ebp+var_158]
		mov	[ebp+var_118], eax
		mov	eax, [ebp+var_140]
		push	8
		pop	esi
		mov	[ebp+var_110], esi
		movzx	ecx, word ptr [eax+14h]
		mov	eax, [eax+18h]
		mov	[ebp+var_F8], eax
		mov	eax, ecx
		mov	[ebp+var_F0], eax
		xor	ecx, ecx
		mov	eax, [edi+18h]
		mov	[ebp+var_160], eax
		mov	eax, [edi+1Ch]
		mov	[ebp+var_15C], eax
		lea	eax, [ebp+var_160]
		mov	[ebp+var_E8], eax
		lea	eax, [edi+28h]
		mov	[ebp+var_D8], eax
		lea	eax, [edi+50h]
		and	[ebp+var_104], 0
		and	[ebp+var_FC], 0
		and	[ebp+var_F4], 0
		and	[ebp+var_CC], 0
		and	[ebp+var_C4], 0
		mov	[ebp+var_C8], eax
		mov	eax, [edi+20h]
		mov	[ebp+var_168], eax
		mov	eax, [edi+24h]
		mov	[ebp+var_164], eax
		lea	eax, [ebp+var_168]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+var_144]
		mov	[ebp+var_98], eax
		movzx	eax, word ptr [ebp+var_148]
		push	2
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_108], edx
		pop	edx
		mov	[ebp+var_88], eax
		mov	eax, [ebp+var_14C]
		mov	[ebp+var_EC], ecx
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_DC], ecx
		mov	[ebp+var_D4], ecx
		push	28h
		pop	ecx
		mov	[ebp+var_78], eax
		movzx	eax, word ptr [ebp+var_150]
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_C0], ecx
		xor	ecx, ecx
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_100], edx
		mov	[ebp+var_E0], esi
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_B0], esi
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_A0], edx
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_94], ecx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_84], ecx
		mov	[ebp+var_80], edx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_5C], ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_68], eax
		mov	[ebp+var_60], edx
		xor	edx, edx
		mov	[ebp+var_54], edx
		mov	eax, [ecx+4]
		mov	[ebp+var_58], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_139+1]
		push	eax
		push	0Fh
		push	edx
		push	edx
		push	(offset	loc_41F0F3+6)
		push	offset dword_6B23F8
		mov	[ebp+var_4C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_652AF6:				; CODE XREF: PopDiagTraceFxDeviceAccounting(x,x,x,x,x,x)+154j
					; PopDiagTraceFxDeviceAccounting(x,x,x,x,x,x)+16Dj
		mov	esi, 67696450h
		test	bh, bh
		jz	short loc_652B0B
		push	esi
		push	[ebp+var_144]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_652B0B:				; CODE XREF: PopDiagTraceFxDeviceAccounting(x,x,x,x,x,x)+34Ej
		test	bl, bl
		jz	short loc_652B1B
		push	esi
		push	[ebp+var_14C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_652B1B:				; CODE XREF: PopDiagTraceFxDeviceAccounting(x,x,x,x,x,x)+67j
					; PopDiagTraceFxDeviceAccounting(x,x,x,x,x,x)+87j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PopDiagTraceFxDeviceAccounting@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxDeviceDirectedCompletion(x, x)
_PopDiagTraceFxDeviceDirectedCompletion@8 proc near
					; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+F5p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	bl, dl
		mov	[ebp+var_38], ecx
		movzx	eax, bl
		cdq
		push	edx
		push	eax
		push	1Ah
		xor	edx, edx
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		cmp	ds:_PopDiagHandleRegistered, 0
		jz	short loc_652BD0
		push	esi
		mov	esi, ds:dword_6C1D74
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_DIRECTED_POWER_TRANSITION_END
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_652BCE
		mov	eax, [ebp+var_38]
		xor	edx, edx
		push	4
		pop	ecx
		mov	eax, [eax+58h]
		mov	[ebp+var_40], eax
		movzx	eax, bl
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	offset _POP_ETW_EVENT_DIRECTED_POWER_TRANSITION_END
		push	esi
		push	edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_652BCE:				; CODE XREF: PopDiagTraceFxDeviceDirectedCompletion(x,x)+4Cj
		pop	edi
		pop	esi

loc_652BD0:				; CODE XREF: PopDiagTraceFxDeviceDirectedCompletion(x,x)+2Ej
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceFxDeviceDirectedCompletion@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxDeviceDirectedTransition(x, x)
_PopDiagTraceFxDeviceDirectedTransition@8 proc near
					; CODE XREF: PopFxHandleDirectedPowerTransition(x)+28p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	bl, dl
		mov	[ebp+var_28], ecx
		movzx	eax, bl
		cdq
		push	edx
		push	eax
		push	19h
		xor	edx, edx
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		cmp	ds:_PopDiagHandleRegistered, 0
		jz	short loc_652C69
		push	esi
		mov	esi, ds:dword_6C1D74
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_DIRECTED_POWER_TRANSITION_START
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_652C67
		movzx	eax, bl
		xor	edx, edx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_28]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	offset _POP_ETW_EVENT_DIRECTED_POWER_TRANSITION_START
		push	esi
		push	edi
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_652C67:				; CODE XREF: PopDiagTraceFxDeviceDirectedTransition(x,x)+4Cj
		pop	edi
		pop	esi

loc_652C69:				; CODE XREF: PopDiagTraceFxDeviceDirectedTransition(x,x)+2Ej
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceFxDeviceDirectedTransition@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxDeviceIdleConstraints(x, x, x)
_PopDiagTraceFxDeviceIdleConstraints@12	proc near
					; CODE XREF: PopPluginRequestDeviceIdleConstraints(x,x,x)+47p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_38], ecx
		jz	short loc_652CFF
		push	esi
		mov	esi, ds:dword_6C1D74
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_DEVICE_IDLE_CONSTRAINTS
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_652CFD
		lea	eax, [ebp+var_38]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_34], eax
		xor	edx, edx
		push	4
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_30], edx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_0]
		pop	ecx
		shl	eax, 2
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	offset _POP_ETW_EVENT_DEVICE_IDLE_CONSTRAINTS
		push	esi
		push	edi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_652CFD:				; CODE XREF: PopDiagTraceFxDeviceIdleConstraints(x,x,x)+3Dj
		pop	edi
		pop	esi

loc_652CFF:				; CODE XREF: PopDiagTraceFxDeviceIdleConstraints(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceFxDeviceIdleConstraints@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxGlobalDeviceAccounting(x, x, x, x, x,	x)
_PopDiagTraceFxGlobalDeviceAccounting@24 proc near
					; CODE XREF: PopFxStopDeviceAccounting()+237p

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagFxAccountingTelemetryDisabled, 0
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jnz	loc_652DFA
		cmp	ds:dword_6B23F8, 5
		jbe	loc_652DFA
		push	4000h
		xor	ebx, ebx
		mov	ecx, offset dword_6B23F8
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_652DFA
		mov	eax, ds:_PopWnfCsEnterScenarioId
		mov	[ebp+var_80], eax
		mov	eax, ds:dword_6C1D84
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_0]
		push	8
		pop	ecx
		mov	[ebp+var_88], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_88]
		push	28h
		mov	[ebp+var_48], eax
		pop	eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_90], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		push	ebx
		push	ebx
		push	offset loc_41F06B
		push	offset dword_6B23F8
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_652DFA:				; CODE XREF: PopDiagTraceFxGlobalDeviceAccounting(x,x,x,x,x,x)+23j
					; PopDiagTraceFxGlobalDeviceAccounting(x,x,x,x,x,x)+30j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PopDiagTraceFxGlobalDeviceAccounting@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxPerfNominalChange(x, x, x, x,	x)
_PopDiagTraceFxPerfNominalChange@20 proc near
					; CODE XREF: PopFxUpdateComponentPerfStateNominalChange(x,x,x,x)+A6p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_6C], 0
		cmp	ds:_PopDiagHandleRegistered, 0
		push	ebx
		mov	bl, dl
		mov	[ebp+var_68], ecx
		jz	loc_652EF5
		push	esi
		mov	esi, ds:dword_6C1D74
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_COMPONENT_PERFORMANCE_STATE_NOMINAL_CHANGE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_652EF3
		mov	ecx, [ebp+var_68]
		push	4
		pop	edx
		push	10h
		mov	ecx, [ecx]
		mov	eax, [ecx+30h]
		add	eax, 1Ch
		and	[ebp+var_60], 0
		mov	[ebp+var_64], eax
		lea	eax, [ecx+10h]
		and	[ebp+var_58], 0
		and	[ebp+var_50], 0
		and	[ebp+var_48], 0
		mov	[ebp+var_54], eax
		movzx	eax, bl
		xor	ebx, ebx
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_4]
		pop	ecx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_5C], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_1C], edx
		mul	ecx
		lea	ecx, [ebp+var_6C]
		mov	[ebp+var_40], ebx
		push	edx
		push	eax
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_652EF3
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		push	ebx
		push	offset _POP_ETW_EVENT_COMPONENT_PERFORMANCE_STATE_NOMINAL_CHANGE
		push	esi
		push	edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_652EF3:				; CODE XREF: PopDiagTraceFxPerfNominalChange(x,x,x,x,x)+45j
					; PopDiagTraceFxPerfNominalChange(x,x,x,x,x)+C1j
		pop	edi
		pop	esi

loc_652EF5:				; CODE XREF: PopDiagTraceFxPerfNominalChange(x,x,x,x,x)+23j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PopDiagTraceFxPerfNominalChange@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxPerfRequest(x, x, x)
_PopDiagTraceFxPerfRequest@12 proc near	; CODE XREF: PopFxIssueComponentPerfStateChanges(x,x,x,x,x,x)+AEp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_48], 0
		cmp	ds:_PopDiagHandleRegistered, 0
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_50], ebx
		jz	loc_652FCB
		push	esi
		mov	esi, ds:dword_6C1D74
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_COMPONENT_PERFORMANCE_STATE_INITIATING
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_652FC9
		mov	ecx, [ebp+var_4C]
		xor	edx, edx
		push	4
		mov	ecx, [ecx]
		mov	eax, [ecx+30h]
		add	eax, 1Ch
		mov	[ebp+var_40], edx
		mov	[ebp+var_44], eax
		lea	eax, [ecx+10h]
		pop	ecx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_50]
		push	10h
		mov	[ebp+var_24], eax
		mov	eax, ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_1C], ecx
		pop	ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mul	ecx
		lea	ecx, [ebp+var_48]
		mov	[ebp+var_3C], 4
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_652FC9
		mov	eax, [ebp+arg_0]
		and	[ebp+var_10], 0
		and	[ebp+var_8], 0
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_48]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	4
		push	0
		push	offset _POP_ETW_EVENT_COMPONENT_PERFORMANCE_STATE_INITIATING
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_652FC9:				; CODE XREF: PopDiagTraceFxPerfRequest(x,x,x)+48j
					; PopDiagTraceFxPerfRequest(x,x,x)+9Bj
		pop	edi
		pop	esi

loc_652FCB:				; CODE XREF: PopDiagTraceFxPerfRequest(x,x,x)+26j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceFxPerfRequest@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxPerfRequestComplete(x, x)
_PopDiagTraceFxPerfRequestComplete@8 proc near
					; CODE XREF: PopFxCompleteComponentPerfState(x,x,x,x)+D2p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		push	ebx
		mov	bl, dl
		mov	[ebp+var_38], ecx
		jz	short loc_653072
		push	esi
		mov	esi, ds:dword_6C1D74
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_COMPONENT_PERFORMANCE_STATE_COMPLETED
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_653070
		mov	ecx, [ebp+var_38]
		push	4
		pop	edx
		mov	ecx, [ecx]
		mov	eax, [ecx+30h]
		and	[ebp+var_30], 0
		add	eax, 1Ch
		and	[ebp+var_28], 0
		mov	[ebp+var_34], eax
		lea	eax, [ecx+10h]
		mov	[ebp+var_24], eax
		xor	ecx, ecx
		movzx	eax, bl
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	ecx
		push	offset _POP_ETW_EVENT_COMPONENT_PERFORMANCE_STATE_COMPLETED
		push	esi
		push	edi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_653070:				; CODE XREF: PopDiagTraceFxPerfRequestComplete(x,x)+3Dj
		pop	edi
		pop	esi

loc_653072:				; CODE XREF: PopDiagTraceFxPerfRequestComplete(x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceFxPerfRequestComplete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxPerfRequestProgress(x, x)
_PopDiagTraceFxPerfRequestProgress@8 proc near ; CODE XREF: PopFxProcessWork+F0A20p
					; PopFxCompleteComponentPerfState(x,x,x,x)+7Ap	...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		push	ebx
		mov	[ebp+var_38], edx
		mov	ebx, ecx
		jz	short loc_65310A
		push	esi
		mov	esi, ds:dword_6C1D74
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_COMPONENT_PERFORMANCE_STATE_PROCESSING
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_653108
		mov	ecx, [ebx]
		xor	ebx, ebx
		push	4
		pop	edx
		mov	eax, [ecx+30h]
		add	eax, 1Ch
		mov	[ebp+var_30], ebx
		mov	[ebp+var_34], eax
		lea	eax, [ecx+10h]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	ebx
		push	offset _POP_ETW_EVENT_COMPONENT_PERFORMANCE_STATE_PROCESSING
		push	esi
		push	edi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_653108:				; CODE XREF: PopDiagTraceFxPerfRequestProgress(x,x)+3Dj
		pop	edi
		pop	esi

loc_65310A:				; CODE XREF: PopDiagTraceFxPerfRequestProgress(x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceFxPerfRequestProgress@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceIdleResiliencyEnd(x, x,	x)
_PopDiagTraceIdleResiliencyEnd@12 proc near ; CODE XREF: PopDeepSleepEvaluateCallback(x)+57p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	[ebp+var_38], ecx
		jz	short loc_65318D
		lea	eax, [ebp+var_44]
		xor	edx, edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_38]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	offset _POP_ETW_IDLE_RESILIENCY_END
		push	ds:dword_6C1D74
		mov	[ebp+var_44], edx
		push	ds:_PopDiagHandle
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65318D:				; CODE XREF: PopDiagTraceIdleResiliencyEnd(x,x,x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopDiagTraceIdleResiliencyEnd@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceIdleResiliencyStart(x, x, x, x,	x)
_PopDiagTraceIdleResiliencyStart@20 proc near
					; CODE XREF: PopDeepSleepEvaluateCallback(x)+4Ep

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	[ebp+var_38], ecx
		jz	short loc_653220
		xor	edx, edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], edx
		cmp	[ebp+arg_C], edx
		ja	short loc_6531CC
		cmp	[ebp+arg_8], 0FFFFFFFFh
		jb	short loc_6531D3

loc_6531CC:				; CODE XREF: PopDiagTraceIdleResiliencyStart(x,x,x,x,x)+29j
		or	[ebp+arg_8], 0FFFFFFFFh
		mov	[ebp+arg_C], edx

loc_6531D3:				; CODE XREF: PopDiagTraceIdleResiliencyStart(x,x,x,x,x)+2Fj
		lea	eax, [ebp+var_40]
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_38]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	offset _POP_ETW_IDLE_RESILIENCY_START
		push	ds:dword_6C1D74
		mov	[ebp+var_2C], ecx
		push	ds:_PopDiagHandle
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_653220:				; CODE XREF: PopDiagTraceIdleResiliencyStart(x,x,x,x,x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PopDiagTraceIdleResiliencyStart@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceIllegalProcessorThrottle(x, x, x, x)
_PopDiagTraceIllegalProcessorThrottle@16 proc near
					; CODE XREF: PpmPerfSnapDeliveredPerformance+12DCC5p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_46		= byte ptr -46h
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	al, ds:_PopDiagHandleRegistered
		and	[ebp+var_54], 0
		and	[ebp+var_50], 0
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_58], ecx
		inc	ebx
		mov	[ebp+var_46], al
		mov	[ebp+var_45], bl
		push	esi
		mov	esi, edx
		test	al, al
		jz	short loc_65327B
		push	offset _POP_ETW_EVENT_ILLEGAL_PROCESSOR_THROTTLE_DIAGNOSTIC
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jnz	short loc_65327D

loc_65327B:				; CODE XREF: PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+31j
		xor	bl, bl

loc_65327D:				; CODE XREF: PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+4Bj
		cmp	[ebp+var_46], 0
		jz	short loc_65329D
		push	offset _POP_ETW_EVENT_ILLEGAL_PROCESSOR_THROTTLE_OPERATIONAL
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jnz	short loc_6532A4

loc_65329D:				; CODE XREF: PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+53j
		xor	al, al
		mov	[ebp+var_45], al
		jmp	short loc_6532A7
; 

loc_6532A4:				; CODE XREF: PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+6Dj
		mov	al, [ebp+var_45]

loc_6532A7:				; CODE XREF: PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+74j
		test	bl, bl
		jnz	short loc_6532B3
		test	al, al
		jz	loc_65339C

loc_6532B3:				; CODE XREF: PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+7Bj
		and	[ebp+var_40], 0
		lea	eax, [ebp+var_58]
		and	[ebp+var_38], 0
		and	[ebp+var_30], 0
		and	[ebp+var_28], 0
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_54]
		push	edi
		push	eax
		mov	[ebp+var_3C], 4
		mov	[ebp+var_2C], 8
		call	KeQueryTickCount
		mov	edx, [esi]
		mov	eax, edx
		mov	ecx, [esi+4]
		or	eax, ecx
		mov	edi, [ebp+var_50]
		mov	[ebp+var_4C], ecx
		jnz	short loc_6532FC
		xor	eax, eax
		jmp	short loc_653323
; 

loc_6532FC:				; CODE XREF: PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+C8j
		mov	ecx, [ebp+var_54]
		mov	eax, edi
		push	0
		push	ds:_KeMaximumIncrement
		sub	ecx, edx
		sbb	eax, [ebp+var_4C]
		push	eax
		push	ecx
		call	__allmul
		push	0
		push	989680h
		push	edx
		push	eax
		call	__alldiv

loc_653323:				; CODE XREF: PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+CCj
		and	[ebp+var_20], 0
		and	[ebp+var_18], 0
		and	[ebp+var_10], 0
		and	[ebp+var_8], 0
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_54]
		mov	[esi], eax
		lea	eax, [ebp+var_4C]
		mov	[esi+4], edi
		mov	[ebp+var_24], eax
		mov	[ebp+var_14], offset _PopProcessorThrottleLogInterval
		push	4
		pop	ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_C], ecx
		pop	edi
		test	bl, bl
		jz	short loc_653379
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	0
		push	offset _POP_ETW_EVENT_ILLEGAL_PROCESSOR_THROTTLE_DIAGNOSTIC
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		push	4
		pop	ecx

loc_653379:				; CODE XREF: PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+129j
		cmp	[ebp+var_45], 0
		jz	short loc_65339C
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	0
		push	offset _POP_ETW_EVENT_ILLEGAL_PROCESSOR_THROTTLE_OPERATIONAL
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65339C:				; CODE XREF: PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+7Fj
					; PopDiagTraceIllegalProcessorThrottle(x,x,x,x)+14Fj
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopDiagTraceIllegalProcessorThrottle@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceIoCoalescingDiskIdle(x)
_PopDiagTraceIoCoalescingDiskIdle@4 proc near ;	CODE XREF: PopScanIdleList(x,x,x)+163p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	[ebp+var_18], ecx
		jz	short loc_653411
		push	ebx
		push	esi
		mov	esi, ds:dword_6C1D74
		mov	ebx, offset _POP_ETW_IO_COALESCING_DSK_IDLE
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_65340E
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65340E:				; CODE XREF: PopDiagTraceIoCoalescingDiskIdle(x)+3Cj
		pop	edi
		pop	esi
		pop	ebx

loc_653411:				; CODE XREF: PopDiagTraceIoCoalescingDiskIdle(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceIoCoalescingDiskIdle@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceIrpPended(x)
_PopDiagTraceIrpPended@4 proc near	; CODE XREF: PopSystemIrpCompletion+7B45p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	[ebp+var_18], ecx
		jz	short loc_653482
		push	ebx
		push	esi
		mov	esi, ds:dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_IRPPENDED
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_65347F
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65347F:				; CODE XREF: PopDiagTraceIrpPended(x)+3Cj
		pop	edi
		pop	esi
		pop	ebx

loc_653482:				; CODE XREF: PopDiagTraceIrpPended(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceIrpPended@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceProcessorThrottleDurationPerfTrack(x, x)
_PopDiagTraceProcessorThrottleDurationPerfTrack@8 proc near
					; CODE XREF: PpmRegisterPerfCap(x)+99p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		and	[ebp+var_64], 0
		lea	edi, [ebp+var_30]
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	esi, offset ??_C@_1CK@OFEPLJJL@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AA?5?$AA9?$AA9?$AA9?$AA9?$AA9@FNODOBFM@
		mov	[ebp+var_68], ecx
		mov	ebx, edx
		push	0Ah
		pop	ecx
		rep movsd
		movsw
		jz	loc_653561
		mov	edi, offset _POP_ETW_EVENT_THERMAL_DURATION_PERFTRACK
		push	edi
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_653561
		push	ebx		; char
		push	offset ??_C@_1BK@GHDKOGJL@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AA?5?$AA?$CF?$AAu@FNODOBFM@ ; "Processor %u"
		xor	ebx, ebx
		lea	eax, [ebp+var_64]
		push	ebx		; int
		push	eax		; int
		push	ebx		; int
		push	15h
		pop	esi
		lea	eax, [ebp+var_30]
		push	esi		; int
		push	eax		; void *
		call	RtlStringCchPrintfExW
		add	esp, 1Ch
		test	eax, eax
		js	short loc_653561
		sub	esi, [ebp+var_64]
		movzx	eax, si
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_40], eax
		movzx	eax, si
		add	eax, eax
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_60]
		push	eax
		push	3
		push	ebx
		push	edi
		push	ds:dword_6C1D74
		mov	[ebp+var_58], 4
		push	ds:_PopDiagHandle
		mov	[ebp+var_54], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], 2
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_653561:				; CODE XREF: PopDiagTraceProcessorThrottleDurationPerfTrack(x,x)+34j
					; PopDiagTraceProcessorThrottleDurationPerfTrack(x,x)+53j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceProcessorThrottleDurationPerfTrack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceProcessorThrottlePerfTrack(x, x)
_PopDiagTraceProcessorThrottlePerfTrack@8 proc near ; CODE XREF: PpmRegisterPerfCap(x)+B9p
					; PpmRegisterPerfStates+8FD13p

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		and	[ebp+var_74], 0
		lea	edi, [ebp+var_30]
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	esi, offset ??_C@_1CK@OFEPLJJL@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AA?5?$AA9?$AA9?$AA9?$AA9?$AA9@FNODOBFM@
		mov	[ebp+var_78], ecx
		mov	ebx, edx
		push	0Ah
		pop	ecx
		rep movsd
		movsw
		jz	loc_65365A
		mov	edi, offset _POP_ETW_EVENT_THERMAL_PERFTRACK
		push	edi
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_65365A
		push	ebx		; char
		push	offset ??_C@_1BK@GHDKOGJL@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AA?5?$AA?$CF?$AAu@FNODOBFM@ ; "Processor %u"
		xor	ebx, ebx
		lea	eax, [ebp+var_74]
		push	ebx		; int
		push	eax		; int
		push	ebx		; int
		push	15h
		pop	esi
		lea	eax, [ebp+var_30]
		push	esi		; int
		push	eax		; void *
		call	RtlStringCchPrintfExW
		add	esp, 1Ch
		test	eax, eax
		js	short loc_65365A
		sub	esi, [ebp+var_74]
		movzx	eax, si
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_30]
		push	4
		mov	[ebp+var_40], eax
		pop	ecx
		movzx	eax, si
		add	eax, eax
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_70]
		push	eax
		push	ecx
		push	ebx
		push	edi
		push	ds:dword_6C1D74
		mov	[ebp+var_6C], ebx
		push	ds:_PopDiagHandle
		mov	[ebp+var_68], ecx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], 2
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65365A:				; CODE XREF: PopDiagTraceProcessorThrottlePerfTrack(x,x)+37j
					; PopDiagTraceProcessorThrottlePerfTrack(x,x)+56j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceProcessorThrottlePerfTrack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceRegisterSystemState(x, x)
_PopDiagTraceRegisterSystemState@8 proc	near ; CODE XREF: PoRegisterSystemState(x,x)+34p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ecx
		jz	short loc_6536DF
		push	ebx
		push	esi
		mov	esi, ds:dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_REGISTERSYSTEMSTATE
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_6536DC
		push	4
		pop	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		xor	edx, edx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6536DC:				; CODE XREF: PopDiagTraceRegisterSystemState(x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx

loc_6536DF:				; CODE XREF: PopDiagTraceRegisterSystemState(x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceRegisterSystemState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceShutdownAction(x, x, x)
_PopDiagTraceShutdownAction@12 proc near ; CODE	XREF: PopExecutePowerAction+A6C7Ep

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		push	ebx
		mov	[ebp+var_3C], edx
		mov	ebx, ecx
		jz	short loc_65377A
		push	esi
		mov	esi, ds:dword_6C1D74
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_SHUTDOWN_ACTION
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_653778
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	offset _POP_ETW_EVENT_SHUTDOWN_ACTION
		push	esi
		push	edi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_653778:				; CODE XREF: PopDiagTraceShutdownAction(x,x,x)+3Dj
		pop	edi
		pop	esi

loc_65377A:				; CODE XREF: PopDiagTraceShutdownAction(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceShutdownAction@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopDiagTraceSleepStudyBlocker(x, x)
_PopDiagTraceSleepStudyBlocker@8 proc near
					; CODE XREF: PpmIdleCaptureCsVetoAccounting(x,x,x,x)+198p
					; PopFxLogSocSubsystemBlockingTimes(x,x,x,x)+187p ...
		cmp	ds:_PopDiagSleepStudyHandleRegistered, 0
		push	ebx
		mov	ebx, edx
		jz	short loc_6537C6
		push	esi
		mov	esi, ds:dword_6C1F6C
		push	edi
		mov	edi, ds:_PopDiagSleepStudyHandle
		push	offset _SLEEPSTUDY_EVT_SCENARIO_BLOCKER
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_6537C4
		push	ebx
		push	7
		push	0
		push	offset _SLEEPSTUDY_EVT_SCENARIO_BLOCKER
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6537C4:				; CODE XREF: PopDiagTraceSleepStudyBlocker(x,x)+28j
		pop	edi
		pop	esi

loc_6537C6:				; CODE XREF: PopDiagTraceSleepStudyBlocker(x,x)+Aj
		pop	ebx
		retn
_PopDiagTraceSleepStudyBlocker@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopDiagTraceThermalOverthrottleState(x, x)
_PopDiagTraceThermalOverthrottleState@8	proc near
					; CODE XREF: PopUpdateOverThrottledCount(x,x)+16p
		mov	edi, edi
		push	ecx
		push	offset _POP_ETW_EVENT_THERMAL_ZONE_OVERTHROTTLED_UPDATE
		call	_PopDiagTraceThermalStateChange@12 ; PopDiagTraceThermalStateChange(x,x,x)
		pop	ecx
		retn
_PopDiagTraceThermalOverthrottleState@8	endp


;  S U B	R O U T	I N E 


; __stdcall PopDiagTraceThermalStandbyState(x, x)
_PopDiagTraceThermalStandbyState@8 proc	near ; CODE XREF: PopThermalZoneRemove(x)+6Cp
		mov	edi, edi
		push	ecx
		push	offset _POP_ETW_EVENT_THERMAL_ZONE_THERMAL_STANDBY_UPDATE
		call	_PopDiagTraceThermalStateChange@12 ; PopDiagTraceThermalStateChange(x,x,x)
		pop	ecx
		retn
_PopDiagTraceThermalStandbyState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceThermalStateChange(x, x, x)
_PopDiagTraceThermalStateChange@12 proc	near
					; CODE XREF: PopCheckAndHandleThermalConditions+82AE8p
					; PopDiagTraceThermalOverthrottleState(x,x)+8p	...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_44], edx
		mov	esi, ecx
		mov	[ebp+var_40], ebx
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	ds:_PopDiagHandleRegistered, bl
		jz	loc_6538C1
		push	edi
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_6538C1
		mov	edx, 67446F50h
		mov	ecx, esi
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_65384B
		mov	ecx, [esi+0B0h]
		mov	edx, [ecx+14h]
		jmp	short loc_65384D
; 

loc_65384B:				; CODE XREF: PopDiagTraceThermalStateChange(x,x,x)+58j
		mov	edx, ebx

loc_65384D:				; CODE XREF: PopDiagTraceThermalStateChange(x,x,x)+63j
		test	edx, edx
		jz	short loc_6538B1
		mov	cx, [edx+48h]
		shr	cx, 1
		movzx	eax, cx
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], 2
		mov	[ebp+var_30], ebx
		mov	eax, [edx+4Ch]
		mov	[ebp+var_2C], eax
		movzx	eax, cx
		add	eax, eax
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	3
		push	ebx
		push	edi
		push	ds:dword_6C1D74
		mov	[ebp+var_20], ebx
		push	ds:_PopDiagHandle
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], 4
		mov	[ebp+var_10], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6538B1:				; CODE XREF: PopDiagTraceThermalStateChange(x,x,x)+69j
		test	esi, esi
		jz	short loc_6538C1
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_6538C1:				; CODE XREF: PopDiagTraceThermalStateChange(x,x,x)+28j
					; PopDiagTraceThermalStateChange(x,x,x)+42j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceThermalStateChange@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceThermalZoneThrottleDurationPerfTrack(x,	x)
_PopDiagTraceThermalZoneThrottleDurationPerfTrack@8 proc near
					; CODE XREF: PopThermalWorker+8AC48p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_40], ecx
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	esi, edx
		mov	[ebp+var_3C], edi
		jz	loc_6539B2
		push	offset _POP_ETW_EVENT_THERMAL_DURATION_PERFTRACK
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_6539B2
		mov	edx, 67446F50h
		mov	ecx, esi
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_653938
		mov	ecx, [esi+0B0h]
		mov	edx, [ecx+14h]
		jmp	short loc_65393A
; 

loc_653938:				; CODE XREF: PopDiagTraceThermalZoneThrottleDurationPerfTrack(x,x)+59j
		mov	edx, edi

loc_65393A:				; CODE XREF: PopDiagTraceThermalZoneThrottleDurationPerfTrack(x,x)+64j
		test	edx, edx
		jz	short loc_6539A2
		mov	cx, [edx+48h]
		shr	cx, 1
		movzx	eax, cx
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_28], eax
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], 4
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], 2
		mov	[ebp+var_1C], edi
		mov	eax, [edx+4Ch]
		mov	[ebp+var_18], eax
		movzx	eax, cx
		add	eax, eax
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	edi
		push	offset _POP_ETW_EVENT_THERMAL_DURATION_PERFTRACK
		push	ds:dword_6C1D74
		mov	[ebp+var_C], edi
		push	ds:_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6539A2:				; CODE XREF: PopDiagTraceThermalZoneThrottleDurationPerfTrack(x,x)+6Aj
		test	esi, esi
		jz	short loc_6539B2
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_6539B2:				; CODE XREF: PopDiagTraceThermalZoneThrottleDurationPerfTrack(x,x)+25j
					; PopDiagTraceThermalZoneThrottleDurationPerfTrack(x,x)+43j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceThermalZoneThrottleDurationPerfTrack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceThermalZoneThrottlePerfTrack(x,	x, x)
_PopDiagTraceThermalZoneThrottlePerfTrack@12 proc near ; CODE XREF: PopThermalWorker+8ABFEp

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_54], edx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ebp+var_58], ecx
		mov	[ebp+var_50], ebx
		cmp	ds:_PopDiagHandleRegistered, bl
		jz	loc_653AB1
		push	offset _POP_ETW_EVENT_THERMAL_PERFTRACK
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_653AB1
		mov	edx, 67446F50h
		mov	ecx, esi
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_653A2A
		mov	ecx, [esi+0B0h]
		mov	edx, [ecx+14h]
		jmp	short loc_653A2C
; 

loc_653A2A:				; CODE XREF: PopDiagTraceThermalZoneThrottlePerfTrack(x,x,x)+5Dj
		mov	edx, ebx

loc_653A2C:				; CODE XREF: PopDiagTraceThermalZoneThrottlePerfTrack(x,x,x)+68j
		test	edx, edx
		jz	short loc_653AA1
		mov	cx, [edx+48h]
		shr	cx, 1
		movzx	eax, cx
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_58]
		push	4
		pop	edi
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], 2
		mov	[ebp+var_20], ebx
		mov	eax, [edx+4Ch]
		mov	[ebp+var_1C], eax
		movzx	eax, cx
		add	eax, eax
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	edi
		push	ebx
		push	offset _POP_ETW_EVENT_THERMAL_PERFTRACK
		push	ds:dword_6C1D74
		mov	[ebp+var_10], ebx
		push	ds:_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_653AA1:				; CODE XREF: PopDiagTraceThermalZoneThrottlePerfTrack(x,x,x)+6Ej
		test	esi, esi
		jz	short loc_653AB1
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_653AB1:				; CODE XREF: PopDiagTraceThermalZoneThrottlePerfTrack(x,x,x)+29j
					; PopDiagTraceThermalZoneThrottlePerfTrack(x,x,x)+47j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceThermalZoneThrottlePerfTrack@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceBootError(x)
_PopTraceBootError@4 proc near		; CODE XREF: PopCheckAndClearBootError+2727Ep

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_6B23F8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	loc_653BA0
		push	8000h
		xor	edi, edi
		mov	ebx, offset dword_6B23F8
		push	edi
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_653BA0
		mov	eax, [esi]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_58], eax
		mov	eax, [esi+4]
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_48], eax
		mov	eax, [esi+8]
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_38], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_28], eax
		mov	eax, [esi+10h]
		cdq
		push	4
		pop	ecx
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		push	edi
		push	edi
		push	(offset	loc_41E448+4)
		push	ebx
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_8C], edx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_653BA0:				; CODE XREF: PopTraceBootError(x)+21j
					; PopTraceBootError(x)+3Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopTraceBootError@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceCr3Mitigated(x)
_PopTraceCr3Mitigated@4	proc near	; CODE XREF: PopCheckAndHandleThermalConditions+82B9Dp
					; PopThermalZoneRemove(x)+9Ep

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_6B23F8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_653C10
		push	4000h
		xor	edi, edi
		mov	ebx, offset dword_6B23F8
		push	edi
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_653C10
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_3C], esi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	edi
		push	edi
		push	offset loc_41EBCC
		push	ebx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_653C10:				; CODE XREF: PopTraceCr3Mitigated(x)+1Ej
					; PopTraceCr3Mitigated(x)+36j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopTraceCr3Mitigated@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceCr3Tripped(x)
_PopTraceCr3Tripped@4 proc near		; CODE XREF: PopCheckAndHandleThermalConditions+82B28p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_6B23F8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_653C80
		push	4000h
		xor	edi, edi
		mov	ebx, offset dword_6B23F8
		push	edi
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_653C80
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_3C], esi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	edi
		push	edi
		push	offset loc_41EBF7
		push	ebx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_653C80:				; CODE XREF: PopTraceCr3Tripped(x)+1Ej
					; PopTraceCr3Tripped(x)+36j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopTraceCr3Tripped@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTracePowerReconfig()
_PopTracePowerReconfig@0 proc near	; CODE XREF: PopBatteryApplyCompositeState:loc_90971Dp

var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E4h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, ds:dword_6C2568
		push	ebx
		push	esi
		mov	esi, ds:dword_6C2544
		xor	ebx, ebx
		and	esi, 1
		mov	[ebp+var_C0], ebx
		mov	[ebp+var_BC], ebx
		push	edi
		mov	edi, ebx
		test	ecx, ecx
		jz	short loc_653CD7
		imul	eax, ds:dword_6C2548, 64h
		xor	edx, edx
		div	ecx
		mov	edi, eax

loc_653CD7:				; CODE XREF: PopTracePowerReconfig()+39j
		lea	eax, [ebp+var_C0]
		push	eax
		call	KeQuerySystemTime
		cmp	ds:dword_6B23F8, 5
		mov	ecx, [ebp+var_BC]
		mov	[ebp+var_E0], ecx
		mov	ecx, [ebp+var_C0]
		mov	[ebp+var_E4], ecx
		jbe	loc_653E49
		push	4000h
		push	ebx
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_653E49
		lea	eax, [ebp+var_E4]
		mov	[ebp+var_94], ebx
		mov	[ebp+var_98], eax
		mov	eax, ds:dword_6C252C
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_88], eax
		mov	eax, ds:dword_6C2568
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_58], eax
		movzx	eax, ds:byte_6C2644
		mov	[ebp+var_D4], eax
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_48], eax
		movzx	eax, ds:byte_6C2630
		mov	[ebp+var_D8], eax
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_38], eax
		movzx	eax, ds:byte_6C264C
		mov	[ebp+var_DC], eax
		lea	eax, [ebp+var_DC]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		mov	eax, ds:dword_6C2648
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_B8]
		push	eax
		push	0Bh
		push	ebx
		push	ebx
		push	offset loc_41E839
		push	offset dword_6B23F8
		mov	[ebp+var_90], 8
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_CC], edi
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_D0], esi
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_653E49:				; CODE XREF: PopTracePowerReconfig()+73j
					; PopTracePowerReconfig()+8Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopTracePowerReconfig@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceSmbiosChange(x, x, x, x, x,	x)
_PopTraceSmbiosChange@24 proc near	; CODE XREF: PopUpdateSmbiosData(x,x,x,x,x)+59p

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_6B23F8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_653F0E
		push	4000h
		xor	ebx, ebx
		mov	ecx, offset dword_6B23F8
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_653F0E
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_8]
		push	8
		pop	edx
		mov	[ebp+var_80], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_80]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	6
		push	ebx
		push	ebx
		push	(offset	loc_41EB77+2)
		push	offset dword_6B23F8
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_6C], edi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_70], esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_653F0E:				; CODE XREF: PopTraceSmbiosChange(x,x,x,x,x,x)+23j
					; PopTraceSmbiosChange(x,x,x,x,x,x)+3Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PopTraceSmbiosChange@24 endp

; 
		align 10h
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceThermalRequestActiveActivity(x)
_PopTraceThermalRequestActiveActivity@4	proc near ; CODE XREF: PopCoolingSxTransition+898F7p
					; PopCoolingTelemetryWorker()+9Dp ...

var_C1		= dword	ptr -0C1h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_BC], 0
		mov	edx, 67446F50h
		and	[ebp+var_B4], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	esi, esi
		mov	ecx, [ebx+10h]
		mov	ecx, [ecx+18h]
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	edi, eax
		test	edi, edi
		jz	short loc_653F6D
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_653F6F
; 

loc_653F6D:				; CODE XREF: PopTraceThermalRequestActiveActivity(x)+3Ej
		xor	eax, eax

loc_653F6F:				; CODE XREF: PopTraceThermalRequestActiveActivity(x)+49j
		mov	[ebp+var_B8], eax
		test	eax, eax
		jz	loc_6540E6
		push	ecx
		mov	ecx, [ebx+0Ch]
		lea	eax, [ebp+var_BC]
		push	eax
		xor	edx, edx
		call	PoStoreDiagnosticContext
		push	50455654h
		push	[ebp+var_BC]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_6540E6
		push	ecx
		mov	ecx, [ebx+0Ch]
		lea	eax, [ebp+var_BC]
		push	eax
		mov	edx, esi
		call	PoStoreDiagnosticContext
		test	eax, eax
		js	loc_6540E6
		mov	eax, [esi+8]
		lea	ecx, [ebx+18h]
		add	eax, esi
		lea	edx, [ebp+var_B4]
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_B0]
		push	eax
		lea	eax, [ebp+var_C1]
		push	eax
		call	_PopDiagSnapActiveActivity@16 ;	PopDiagSnapActiveActivity(x,x,x,x)
		mov	ebx, [ebp+var_B4]
		test	ebx, ebx
		jz	loc_6540E6
		test	al, al
		jnz	short loc_65400B
		cmp	ds:_PopThermalTelemetryVerbosity, 0
		jz	loc_6540E6

loc_65400B:				; CODE XREF: PopTraceThermalRequestActiveActivity(x)+DAj
		cmp	ds:dword_6B23F8, 5
		jbe	loc_6540E6
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_6540E6
		mov	ecx, [ebp+var_B8]
		lea	eax, [ebp+var_50]
		xor	edx, edx
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], edx
		mov	[ebp+var_5C], edx
		mov	eax, [ecx+4Ch]
		mov	[ebp+var_58], eax
		movzx	eax, word ptr [ecx+48h]
		lea	ecx, [ebp+var_48]
		mov	[ebp+var_54], edx
		mov	[ebp+var_4C], edx
		mov	edx, [ebp+var_BC]
		mov	[ebp+var_60], 2
		mov	[ebp+var_50], eax
		call	_tlgCreate1Sz_wchar_t
		push	4
		pop	ecx
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_38], eax
		xor	edx, edx
		mov	eax, [ebp+var_B0]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B4]
		push	8
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_C1+1]
		mov	[ebp+var_20], ecx
		pop	ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_88]
		push	eax
		push	ecx
		push	edx
		push	edx
		push	(offset	loc_41E555+6)
		push	offset dword_6B23F8
		mov	[ebp+var_B8], ebx
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_C1+1],	1000000h
		mov	[ebp+var_BC], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_6540E6:				; CODE XREF: PopTraceThermalRequestActiveActivity(x)+55j
					; PopTraceThermalRequestActiveActivity(x)+83j ...
		test	edi, edi
		jz	short loc_6540F6
		mov	edx, 67446F50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_6540F6:				; CODE XREF: PopTraceThermalRequestActiveActivity(x)+1C6j
		test	esi, esi
		jz	short loc_654105
		push	50455654h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_654105:				; CODE XREF: PopTraceThermalRequestActiveActivity(x)+1D6j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopTraceThermalRequestActiveActivity@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceThermalStandbyComplete(x, x, x)
_PopTraceThermalStandbyComplete@12 proc	near
					; CODE XREF: PopThermalStandbyEndTracking+89698p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_6B23F8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_6541A0
		push	4000h
		xor	ebx, ebx
		mov	ecx, offset dword_6B23F8
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_6541A0
		lea	eax, [ebp+var_60]
		mov	[ebp+var_60], edi
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_2C], eax
		movzx	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_41EA00
		push	offset dword_6B23F8
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_64], esi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_6541A0:				; CODE XREF: PopTraceThermalStandbyComplete(x,x,x)+20j
					; PopTraceThermalStandbyComplete(x,x,x)+36j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopTraceThermalStandbyComplete@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceThermalStandbyInitiated(x)
_PopTraceThermalStandbyInitiated@4 proc	near ; CODE XREF: PopThermalCsEntry(x)+56p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_6B23F8, 5
		push	ebx
		push	esi
		push	edi
		mov	bl, cl
		jbe	short loc_654215
		push	4000h
		xor	esi, esi
		mov	edi, offset dword_6B23F8
		push	esi
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_654215
		movzx	eax, bl
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	esi
		push	esi
		push	(offset	loc_41EB36+6)
		push	edi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_654215:				; CODE XREF: PopTraceThermalStandbyInitiated(x)+1Ej
					; PopTraceThermalStandbyInitiated(x)+36j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopTraceThermalStandbyInitiated@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceZoneCr3Mitigated(x,	x)
_PopTraceZoneCr3Mitigated@8 proc near	; CODE XREF: PopCheckAndHandleThermalConditions+82B44p
					; PopThermalZoneRemove(x)+8Bp

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_5C], ecx
		push	esi
		push	edi
		mov	edx, 67446F50h
		mov	ecx, [ebx+18h]
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_65425C
		mov	ecx, [esi+0B0h]
		mov	edi, [ecx+14h]
		jmp	short loc_65425E
; 

loc_65425C:				; CODE XREF: PopTraceZoneCr3Mitigated(x,x)+2Bj
		xor	edi, edi

loc_65425E:				; CODE XREF: PopTraceZoneCr3Mitigated(x,x)+36j
		test	edi, edi
		jz	short loc_6542D3
		cmp	ds:dword_6B23F8, 5
		jbe	short loc_6542D3
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_6542D3
		mov	eax, [ebp+var_5C]
		xor	edx, edx
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_38], eax
		mov	eax, [ebx+60h]
		push	4
		pop	ecx
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_1C], edx
		mov	edx, [edi+4Ch]
		mov	[ebp+var_28], eax
		call	_tlgCreate1Sz_wchar_t
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	0
		push	0
		push	(offset	loc_41EA59+2)
		push	offset dword_6B23F8
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_6542D3:				; CODE XREF: PopTraceZoneCr3Mitigated(x,x)+3Cj
					; PopTraceZoneCr3Mitigated(x,x)+45j ...
		test	esi, esi
		jz	short loc_6542E3
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_6542E3:				; CODE XREF: PopTraceZoneCr3Mitigated(x,x)+B1j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopTraceZoneCr3Mitigated@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceZoneCr3Tripped(x, x)
_PopTraceZoneCr3Tripped@8 proc near	; CODE XREF: PopCheckAndHandleThermalConditions+82B35p

var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AB		= byte ptr -0ABh
var_AA		= dword	ptr -0AAh
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_B0], ecx
		mov	edx, 67446F50h
		mov	ecx, [edi+18h]
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_654330
		mov	ecx, [esi+0B0h]
		mov	ebx, [ecx+14h]
		jmp	short loc_654332
; 

loc_654330:				; CODE XREF: PopTraceZoneCr3Tripped(x,x)+31j
		xor	ebx, ebx

loc_654332:				; CODE XREF: PopTraceZoneCr3Tripped(x,x)+3Cj
		test	ebx, ebx
		jz	loc_654481
		mov	eax, [edi+60h]
		mov	[ebp+var_B4], eax
		mov	eax, [edi+39Ch]
		mov	[ebp+var_B8], eax
		test	eax, eax
		jnz	short loc_65435D
		mov	[ebp+var_B8], offset ??_C@_11LOCGONAA@@FNODOBFM@

loc_65435D:				; CODE XREF: PopTraceZoneCr3Tripped(x,x)+5Fj
		cmp	ds:dword_6B23F8, 5
		jbe	loc_654481
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_654481
		mov	eax, [ebp+var_B0]
		xor	ecx, ecx
		cmp	[edi+0C4h], cl
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_88], eax
		setnz	byte ptr [ebp+var_AA+1]
		and	[ebp+var_64], 0
		lea	eax, [ebp+var_AA+1]
		and	[ebp+var_5C], 0
		xor	edx, edx
		and	[ebp+var_54], 0
		inc	edx
		mov	[ebp+var_78], eax
		mov	[ebp+var_84], ecx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_6C], ecx
		mov	cl, [edi+21h]
		mov	al, cl
		mov	[ebp+var_70], edx
		and	al, dl
		shr	cl, 2
		mov	byte ptr [ebp+var_AA], al
		and	cl, dl
		lea	eax, [ebp+var_AA]
		mov	[ebp+var_60], edx
		mov	[ebp+var_68], eax
		lea	eax, [ebp-0ABh]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+var_B4]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_AB], cl
		mov	[ebp+var_50], edx
		xor	edx, edx
		mov	[ebp+var_48], eax
		mov	eax, [edi+68h]
		push	4
		pop	ecx
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_4C], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_2C], edx
		mov	edx, [ebx+4Ch]
		mov	[ebp+var_80], 4
		mov	[ebp+var_38], eax
		call	_tlgCreate1Sz_wchar_t
		mov	edx, [ebp+var_B8]
		lea	ecx, [ebp+var_18]
		call	_tlgCreate1Sz_wchar_t
		lea	eax, [ebp+var_AA+2]
		push	eax
		push	0Ah
		push	0
		push	0
		push	offset loc_41EAA1
		push	offset dword_6B23F8
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_654481:				; CODE XREF: PopTraceZoneCr3Tripped(x,x)+42j
					; PopTraceZoneCr3Tripped(x,x)+72j ...
		test	esi, esi
		jz	short loc_654491
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_654491:				; CODE XREF: PopTraceZoneCr3Tripped(x,x)+191j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopTraceZoneCr3Tripped@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBatteryCapacityToRate(x,	x, x)
_PopBatteryCapacityToRate@12 proc near	; CODE XREF: PopCalculateCsSummary(x,x)+101p
					; PopDripsWatchdogUpdateMetrics(x,x,x,x,x,x,x)+D3p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		or	eax, [ebp+arg_4]
		jz	short loc_6544C3
		push	[ebp+arg_4]
		mov	eax, ecx
		mov	ecx, 0D693A400h
		push	[ebp+arg_0]
		mul	ecx
		push	edx
		push	eax
		call	__aulldiv

loc_6544C3:				; CODE XREF: PopBatteryCapacityToRate(x,x,x)+Bj
		pop	ebp
		retn	8
_PopBatteryCapacityToRate@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopBatteryGetEnergyDrainFromDischage(x, x)
_PopBatteryGetEnergyDrainFromDischage@8	proc near
					; CODE XREF: PopCalculateCsSummary(x,x)+FAp
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+56p
		xor	eax, eax
		test	ds:dword_6C2558, 40000000h
		jnz	short locret_6544E1
		cmp	edx, ecx
		jnb	short locret_6544E1
		test	edx, edx
		jz	short locret_6544E1
		mov	eax, ecx
		sub	eax, edx

locret_6544E1:				; CODE XREF: PopBatteryGetEnergyDrainFromDischage(x,x)+Cj
					; PopBatteryGetEnergyDrainFromDischage(x,x)+10j ...
		retn
_PopBatteryGetEnergyDrainFromDischage@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBatteryIrpComplete(x, x,	x)
_PopBatteryIrpComplete@12 proc near	; DATA XREF: PopBatteryQueryStatus(x,x)+101o
					; PopBatteryWaitTag(x)+29o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		push	ebx
		mov	eax, [eax+18h]
		cmp	eax, 0C0000120h
		jnz	short loc_6544FC
		xor	bl, bl
		jmp	short loc_65452E
; 

loc_6544FC:				; CODE XREF: PopBatteryIrpComplete(x,x,x)+14j
		mov	edx, [ecx+38h]
		mov	bl, 1
		test	eax, eax
		jns	short loc_65451D
		xor	eax, eax
		test	edx, edx
		setz	al
		test	edx, edx
		setnz	bl
		lea	eax, ds:2[eax*2]
		mov	[ecx+38h], eax
		jmp	short loc_65452E
; 

loc_65451D:				; CODE XREF: PopBatteryIrpComplete(x,x,x)+21j
		test	edx, edx
		jnz	short loc_65452E
		mov	eax, [ecx+78h]
		mov	[ecx+3Ch], eax
		mov	dword ptr [ecx+38h], 1

loc_65452E:				; CODE XREF: PopBatteryIrpComplete(x,x,x)+18j
					; PopBatteryIrpComplete(x,x,x)+39j ...
		push	0
		push	0
		lea	eax, [ecx+28h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		test	bl, bl
		pop	ebx
		jz	short loc_654548
		xor	ecx, ecx
		inc	ecx
		call	_PopBatteryQueueWork@4 ; PopBatteryQueueWork(x)

loc_654548:				; CODE XREF: PopBatteryIrpComplete(x,x,x)+5Cj
		mov	eax, 0C0000016h
		pop	ebp
		retn	0Ch
_PopBatteryIrpComplete@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorSessionSwitchTimerCallback(x, x)
_PopPowerAggregatorSessionSwitchTimerCallback@8	proc near
					; DATA XREF: PopPowerAggregatorInitialize(x)+36o
		push	1
		push	offset dword_6C0A2C
		call	ExQueueWorkItem
		retn	8
_PopPowerAggregatorSessionSwitchTimerCallback@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEmUpdateDeviceConstraintCallback(x, x, x, x, x, x, x)
_PopEmUpdateDeviceConstraintCallback@28	proc near ; DATA XREF: .text:00404D48o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	ecx, [ebp+arg_8]
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		test	ecx, ecx
		jz	loc_654603
		cmp	[ebp+arg_C], 1
		jnz	short loc_654603
		push	edi
		mov	edi, [ebp+arg_10]
		test	edi, edi
		jz	short loc_654602
		cmp	[ebp+arg_14], 2
		jnz	short loc_654602
		cmp	[ebp+arg_4], 1
		jnz	short loc_654602
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [eax]
		cmp	dword ptr [ebx+4], 4
		jnz	short loc_654601
		mov	ebx, [ebx]
		push	dword ptr [ecx]
		mov	eax, [ebx+4]
		mov	[ebp+var_18], eax
		mov	eax, [ebx+8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	short loc_654601
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_6545F8
		mov	ecx, [ebx]
		cmp	ecx, [edi]
		jnz	short loc_6545F8
		mov	eax, [edi+4]
		inc	eax
		push	2
		mov	[ebx+ecx*4+0Ch], eax
		pop	esi

loc_6545F8:				; CODE XREF: PopEmUpdateDeviceConstraintCallback(x,x,x,x,x,x,x)+85j
					; PopEmUpdateDeviceConstraintCallback(x,x,x,x,x,x,x)+8Bj
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_654601:				; CODE XREF: PopEmUpdateDeviceConstraintCallback(x,x,x,x,x,x,x)+46j
					; PopEmUpdateDeviceConstraintCallback(x,x,x,x,x,x,x)+72j
		pop	ebx

loc_654602:				; CODE XREF: PopEmUpdateDeviceConstraintCallback(x,x,x,x,x,x,x)+2Ej
					; PopEmUpdateDeviceConstraintCallback(x,x,x,x,x,x,x)+34j ...
		pop	edi

loc_654603:				; CODE XREF: PopEmUpdateDeviceConstraintCallback(x,x,x,x,x,x,x)+1Cj
					; PopEmUpdateDeviceConstraintCallback(x,x,x,x,x,x,x)+26j
		mov	eax, esi
		pop	esi
		leave
		retn	1Ch
_PopEmUpdateDeviceConstraintCallback@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxEnableEnhancedAccounting(x)
_PopFxEnableEnhancedAccounting@4 proc near ; CODE XREF:	PopPepInitializeVetoMasks(x,x)+1CAp
					; PopPepInitializeVetoMasks(x,x)+3B8p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	edi, ecx
		xor	bl, bl
		mov	[ebp+var_4], edi
		xor	edx, edx
		mov	ecx, offset _PopFxDeviceAccountingLevel
		xor	eax, eax
		lock cmpxchg [ecx], edx
		mov	edx, eax
		test	edx, edx
		jz	short loc_65464E
		js	short loc_65464E
		push	esi
		mov	esi, edx
		mov	edi, offset _PopFxDeviceAccountingLevel
		or	esi, 80000000h
		mov	ecx, esi
		lock cmpxchg [edi], ecx
		mov	edi, [ebp+var_4]
		cmp	eax, edx
		jnz	short loc_65464B
		inc	bl

loc_65464B:				; CODE XREF: PopFxEnableEnhancedAccounting(x)+3Dj
		mov	edx, esi
		pop	esi

loc_65464E:				; CODE XREF: PopFxEnableEnhancedAccounting(x)+20j
					; PopFxEnableEnhancedAccounting(x)+22j
		mov	[edi], edx
		mov	al, bl
		pop	edi
		pop	ebx
		leave
		retn
_PopFxEnableEnhancedAccounting@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopPepArmIdleTimer(x)
_PopPepArmIdleTimer@4 proc near		; CODE XREF: PopPepCompleteActivity+EF986p
					; PopPepIdleTimeoutDpcRoutine(x,x,x,x)+15p ...
		cmp	ds:_PopPepIdleStateTimeout, 0
		push	ebx
		mov	bl, cl
		jz	short loc_6546CF
		push	edi
		mov	edi, offset _PopPepIdleTimerLock
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	bh, al
		test	bl, bl
		jz	short loc_65467B
		mov	ds:_PopPepIdleTimerArmed, 0

loc_65467B:				; CODE XREF: PopPepArmIdleTimer(x)+1Cj
		cmp	ds:_PopPepIdleTimerArmed, 0
		jnz	short loc_6546BF
		mov	eax, ds:_PopPepPoweredIdleComponentCount
		test	eax, eax
		jle	short loc_6546BF
		push	esi
		mov	esi, ds:_PopPepIdleStateTimeout
		push	0FFFFFFFFh
		push	0FFFFD8F0h
		push	0
		push	esi
		mov	ds:_PopPepIdleTimerArmed, 1
		call	__allmul
		push	offset _PopPepIdleDpc
		push	esi
		push	0
		push	edx
		push	eax
		push	offset _PopPepIdleTimer
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		pop	esi

loc_6546BF:				; CODE XREF: PopPepArmIdleTimer(x)+2Cj
					; PopPepArmIdleTimer(x)+35j
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	edi
		mov	cl, bh
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_6546CF:				; CODE XREF: PopPepArmIdleTimer(x)+Aj
		pop	ebx
		retn
_PopPepArmIdleTimer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepClearDripsDeviceVetoMask(x)
_PopPepClearDripsDeviceVetoMask@4 proc near ; CODE XREF: PopFxClearDeviceConstraints(x)+82p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, 0C0000001h
		cmp	dword ptr [edi+7Ch], 2
		jnz	short loc_654752
		mov	ecx, [edi+60h]
		xor	esi, esi
		push	esi
		xor	edx, edx
		call	PopPepUpdateIdleStateRefCount
		push	3
		lea	eax, [edi+6Ch]
		pop	ecx

loc_6546FA:				; CODE XREF: PopPepClearDripsDeviceVetoMask(x)+34j
		mov	[eax-0Ch], esi
		mov	[eax], esi
		lea	eax, [eax+4]
		sub	ecx, 1
		jnz	short loc_6546FA
		mov	[ebp+var_4], esi
		cmp	[edi+84h], esi
		jbe	short loc_654752
		lea	ebx, [edi+124h]

loc_654718:				; CODE XREF: PopPepClearDripsDeviceVetoMask(x)+7Fj
		mov	ecx, [ebx+4]
		xor	edx, edx
		push	esi
		mov	ecx, [ecx+10h]
		call	PopPepUpdateIdleStateRefCount
		mov	edx, esi
		cmp	[ebx], esi
		jbe	short loc_65473D
		mov	ecx, esi

loc_65472E:				; CODE XREF: PopPepClearDripsDeviceVetoMask(x)+6Aj
		mov	eax, [ebx+4]
		lea	ecx, [ecx+18h]
		inc	edx
		mov	[ecx+eax-8], esi
		cmp	edx, [ebx]
		jb	short loc_65472E

loc_65473D:				; CODE XREF: PopPepClearDripsDeviceVetoMask(x)+59j
		mov	eax, [ebp+var_4]
		add	ebx, 0A8h
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, [edi+84h]
		jb	short loc_654718

loc_654752:				; CODE XREF: PopPepClearDripsDeviceVetoMask(x)+14j
					; PopPepClearDripsDeviceVetoMask(x)+3Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PopPepClearDripsDeviceVetoMask@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepCompleteComponentIdleState(x,	x)
_PopPepCompleteComponentIdleState@8 proc near ;	CODE XREF: PopFxProcessWork+F09B7p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	byte ptr [ebp+var_4], 0
		push	edi
		mov	ebx, ecx
		imul	eax, esi, 0A8h
		lea	edi, [ebx+88h]
		add	edi, eax
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	6
		mov	edx, edi
		call	PopPepLockActivityLink
		mov	byte ptr [ebp+var_8], al
		mov	edx, edi
		mov	eax, [edi+34h]
		cmp	dword ptr [eax+0Ch], 1
		jnz	short loc_6547D6
		push	2
		pop	ecx
		mov	[eax+0Ch], ecx
		push	ecx
		mov	ecx, ebx
		call	_PopPepCountReadyActivities@12 ; PopPepCountReadyActivities(x,x,x)
		mov	ecx, [edi+34h]
		mov	esi, eax
		or	dword ptr [ecx], 8
		lock inc dword ptr [edi+48h]
		push	2
		mov	edx, edi
		mov	ecx, ebx
		call	_PopPepCountReadyActivities@12 ; PopPepCountReadyActivities(x,x,x)
		mov	edx, eax
		mov	ecx, esi
		call	_PopPepRequestWork@8 ; PopPepRequestWork(x,x)
		push	[ebp+var_4]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+var_8]
		call	PopPepReleaseActivityLink
		jmp	short loc_65480B
; 

loc_6547D6:				; CODE XREF: PopPepCompleteComponentIdleState(x,x)+3Cj
		push	[ebp+var_4]
		mov	ecx, ebx
		push	[ebp+var_8]
		call	PopPepReleaseActivityLink
		push	0
		push	ecx
		push	6
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	_PopPepProcessEvent@24 ; PopPepProcessEvent(x,x,x,x,x,x)
		mov	ecx, [ebx+18h]
		mov	edx, esi
		push	1
		push	dword ptr [edi+90h]
		push	dword ptr [edi+94h]
		call	PopPlNotifyDeviceFState

loc_65480B:				; CODE XREF: PopPepCompleteComponentIdleState(x,x)+7Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopPepCompleteComponentIdleState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepComponentSetWakeHint(x, x, x)
_PopPepComponentSetWakeHint@12 proc near ; CODE	XREF: PoFxSetComponentWake(x,x,x)+20p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		imul	eax, edx, 0A8h
		push	esi
		push	edi
		mov	byte ptr [ebp+var_4], 0
		lea	edi, [ebx+88h]
		add	edi, eax
		cmp	[ebp+arg_0], 0
		jz	short loc_654839
		mov	esi, [edi+74h]
		jmp	short loc_654840
; 

loc_654839:				; CODE XREF: PopPepComponentSetWakeHint(x,x,x)+22j
		mov	esi, [edi+9Ch]
		dec	esi

loc_654840:				; CODE XREF: PopPepComponentSetWakeHint(x,x,x)+27j
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		push	1
		push	6
		call	PopPepLockActivityLink
		mov	byte ptr [ebp+var_8], al
		mov	al, [ebp+arg_0]
		mov	[edi+70h], al
		cmp	[edi+84h], esi
		jz	short loc_65489D
		push	2
		mov	edx, edi
		mov	[edi+84h], esi
		mov	ecx, ebx
		call	_PopPepCountReadyActivities@12 ; PopPepCountReadyActivities(x,x,x)
		push	1
		mov	edx, edi
		mov	ecx, ebx
		mov	esi, eax
		call	_PopPepUpdateIdleState@12 ; PopPepUpdateIdleState(x,x,x)
		push	2
		mov	edx, edi
		mov	ecx, ebx
		call	PopPepPromoteActivities
		push	2
		mov	edx, edi
		mov	ecx, ebx
		call	_PopPepCountReadyActivities@12 ; PopPepCountReadyActivities(x,x,x)
		mov	edx, eax
		mov	ecx, esi
		call	_PopPepRequestWork@8 ; PopPepRequestWork(x,x)

loc_65489D:				; CODE XREF: PopPepComponentSetWakeHint(x,x,x)+4Ej
		push	[ebp+var_4]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+var_8]
		call	PopPepReleaseActivityLink
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopPepComponentSetWakeHint@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepGetComponentVetoMasks(x, x, x, x)
_PopPepGetComponentVetoMasks@16	proc near ; CODE XREF: PopFxTraceDeviceRegistration+E6110p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		imul	eax, edx, 0A8h
		mov	[ebp+var_4], edi
		lea	esi, [edi+2Ch]
		push	esi
		mov	[ebp+var_8], eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	edi, [edi+7Ch]
		mov	bl, al
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	edi, 2
		jnz	short loc_654921
		mov	edx, [ebp+var_4]
		xor	ecx, ecx
		mov	ebx, [ebp+var_8]
		cmp	[ebx+edx+124h],	ecx
		jbe	short loc_65491D
		mov	edi, [ebp+arg_0]
		mov	esi, ecx

loc_654902:				; CODE XREF: PopPepGetComponentVetoMasks(x,x,x,x)+68j
		mov	eax, [ebx+edx+128h]
		lea	esi, [esi+18h]
		mov	eax, [eax+esi-8]
		mov	[edi+ecx*4], eax
		inc	ecx
		cmp	ecx, [ebx+edx+124h]
		jb	short loc_654902

loc_65491D:				; CODE XREF: PopPepGetComponentVetoMasks(x,x,x,x)+48j
		mov	al, 1
		jmp	short loc_654923
; 

loc_654921:				; CODE XREF: PopPepGetComponentVetoMasks(x,x,x,x)+37j
		xor	eax, eax

loc_654923:				; CODE XREF: PopPepGetComponentVetoMasks(x,x,x,x)+6Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PopPepGetComponentVetoMasks@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepGetDeviceVetoMasks(x,	x)
_PopPepGetDeviceVetoMasks@8 proc near	; CODE XREF: PopFxTraceDeviceRegistration+E602Bp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1], 0
		push	edi
		mov	edi, edx
		lea	ebx, [esi+2Ch]
		push	ebx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		cmp	dword ptr [esi+7Ch], 2
		mov	[ebp+var_2], al
		jnz	short loc_654957
		add	esi, 60h
		mov	[ebp+var_1], 1
		movsd
		movsd
		movsd

loc_654957:				; CODE XREF: PopPepGetDeviceVetoMasks(x,x)+21j
		push	ebx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, [ebp+var_1]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopPepGetDeviceVetoMasks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepGetMinimumComponentIdleState(x, x, x,	x)
_PopPepGetMinimumComponentIdleState@16 proc near
					; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+13Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_8], edi
		shl	eax, cl
		lea	esi, [edi+2Ch]
		mov	[ebp+arg_0], eax
		push	esi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	edi, [edi+7Ch]
		mov	bl, al
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		cmp	edi, 2
		jnz	short loc_6549E9
		imul	edi, [ebp+var_4], 0A8h
		mov	ecx, eax
		mov	edx, [ebp+var_8]
		mov	esi, [edi+edx+124h]
		test	esi, esi
		jz	short loc_6549DE
		mov	edx, [edi+edx+128h]
		mov	edi, [ebp+arg_0]
		add	edx, 10h

loc_6549D2:				; CODE XREF: PopPepGetMinimumComponentIdleState(x,x,x,x)+6Ej
		test	[edx], edi
		jz	short loc_6549DE
		inc	ecx
		add	edx, 18h
		cmp	ecx, esi
		jb	short loc_6549D2

loc_6549DE:				; CODE XREF: PopPepGetMinimumComponentIdleState(x,x,x,x)+55j
					; PopPepGetMinimumComponentIdleState(x,x,x,x)+66j
		cmp	ecx, esi
		jnb	short loc_6549E9
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	al, 1

loc_6549E9:				; CODE XREF: PopPepGetMinimumComponentIdleState(x,x,x,x)+3Ej
					; PopPepGetMinimumComponentIdleState(x,x,x,x)+72j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PopPepGetMinimumComponentIdleState@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepGetMinimumDevicePowerState(x,	x, x, x, x)
_PopPepGetMinimumDevicePowerState@20 proc near
					; CODE XREF: PopFxSetDeviceAccountingCsPlatformState(x)+86p
					; PopPepUpdateDripsDeviceVetoMask(x,x)+88p ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	ecx, edx
		inc	edi
		xor	ebx, ebx
		shl	edi, cl
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	dl, [ebp+arg_0]
		mov	[ebp+var_1], al
		test	dl, dl
		jz	short loc_654A23
		lea	eax, [esi+2Ch]
		push	eax
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	dl, [ebp+arg_0]
		mov	[ebp+var_1], al

loc_654A23:				; CODE XREF: PopPepGetMinimumDevicePowerState(x,x,x,x,x)+22j
		cmp	dword ptr [esi+7Ch], 2
		jnz	short loc_654A5F
		mov	ecx, ebx
		lea	eax, [esi+60h]

loc_654A2E:				; CODE XREF: PopPepGetMinimumDevicePowerState(x,x,x,x,x)+49j
		test	[eax], edi
		jz	short loc_654A3B
		inc	ecx
		add	eax, 4
		cmp	ecx, 3
		jb	short loc_654A2E

loc_654A3B:				; CODE XREF: PopPepGetMinimumDevicePowerState(x,x,x,x,x)+40j
		mov	eax, [ebp+arg_4]
		inc	ecx
		mov	[eax], ecx
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_654A5D
		lea	eax, [esi+6Ch]

loc_654A4B:				; CODE XREF: PopPepGetMinimumDevicePowerState(x,x,x,x,x)+66j
		test	[eax], edi
		jz	short loc_654A58
		inc	ebx
		add	eax, 4
		cmp	ebx, 3
		jb	short loc_654A4B

loc_654A58:				; CODE XREF: PopPepGetMinimumDevicePowerState(x,x,x,x,x)+5Dj
		lea	eax, [ebx+1]
		mov	[ecx], eax

loc_654A5D:				; CODE XREF: PopPepGetMinimumDevicePowerState(x,x,x,x,x)+56j
		mov	bl, 1

loc_654A5F:				; CODE XREF: PopPepGetMinimumDevicePowerState(x,x,x,x,x)+37j
		test	dl, dl
		jz	short loc_654A75
		lea	ecx, [esi+2Ch]
		push	ecx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_654A75:				; CODE XREF: PopPepGetMinimumDevicePowerState(x,x,x,x,x)+71j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	0Ch
_PopPepGetMinimumDevicePowerState@20 endp


;  S U B	R O U T	I N E 


; __stdcall PopPepIdleTimeoutDpcRoutine(x, x, x, x)
_PopPepIdleTimeoutDpcRoutine@16	proc near ; DATA XREF: PopPepEntry()+1Bo
		xor	edx, edx
		mov	ecx, offset _PopPepIdleWorkItem
		push	0FFFFFFFFh
		inc	edx
		call	_ExQueueWorkItemEx@12 ;	ExQueueWorkItemEx(x,x,x)
		test	al, al
		jnz	short locret_654A98
		mov	cl, 1
		call	_PopPepArmIdleTimer@4 ;	PopPepArmIdleTimer(x)

locret_654A98:				; CODE XREF: PopPepIdleTimeoutDpcRoutine(x,x,x,x)+11j
		retn	10h
_PopPepIdleTimeoutDpcRoutine@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepIdleTimeoutRoutine(x)
_PopPepIdleTimeoutRoutine@4 proc near	; DATA XREF: PopPepEntry()+5o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		call	KeQueryInterruptTime
		mov	ecx, large fs:124h
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx
		dec	word ptr [ecx+13Ch]
		nop
		mov	ebx, offset _PopPepDeviceListLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	esi, ds:_PopPepDeviceList
		mov	edi, offset _PopPepDeviceList
		cmp	esi, edi
		jz	loc_654BE8

loc_654AE1:				; CODE XREF: PopPepIdleTimeoutRoutine(x)+142j
		mov	eax, [esi+8]
		and	eax, 1
		or	eax, 0
		jnz	loc_654BD9
		lea	ebx, [esi+2Ch]
		push	ebx
		call	ExAcquireSpinLockExclusive
		cmp	byte ptr [esi+58h], 0
		mov	[ebp+var_1], al
		jnz	short loc_654B08
		push	ebx
		jmp	loc_654BCB
; 

loc_654B08:				; CODE XREF: PopPepIdleTimeoutRoutine(x)+65j
		push	3
		xor	edx, edx
		mov	ecx, esi
		call	_PopPepCountReadyActivities@12 ; PopPepCountReadyActivities(x,x,x)
		xor	ebx, ebx
		mov	[ebp+var_10], eax
		cmp	[esi+84h], ebx
		jbe	loc_654BA7
		lea	edi, [esi+118h]

loc_654B2A:				; CODE XREF: PopPepIdleTimeoutRoutine(x)+105j
		mov	eax, [edi+0Ch]
		dec	eax
		cmp	[edi], eax
		jz	short loc_654B93
		mov	eax, [edi-58h]
		cmp	dword ptr [eax], 0
		jnz	short loc_654B93
		mov	eax, [edi-54h]
		cmp	dword ptr [eax], 0
		jnz	short loc_654B93
		mov	edx, [edi-24h]
		mov	ecx, [edi-28h]
		cmp	[ebp+var_C], edx
		jl	short loc_654B93
		mov	eax, [ebp+var_8]
		jg	short loc_654B56
		cmp	eax, ecx
		jbe	short loc_654B93

loc_654B56:				; CODE XREF: PopPepIdleTimeoutRoutine(x)+B5j
		sub	eax, ecx
		mov	ecx, [ebp+var_C]
		sbb	ecx, edx
		cmp	ecx, [edi-34h]
		jb	short loc_654B93
		ja	short loc_654B69
		cmp	eax, [edi-38h]
		jbe	short loc_654B93

loc_654B69:				; CODE XREF: PopPepIdleTimeoutRoutine(x)+C7j
		push	ecx
		mov	[edi-34h], ecx
		lea	ecx, [edi-90h]
		push	eax
		mov	[edi-38h], eax
		call	_PopPepComponentGetResidencyIdleState@12 ; PopPepComponentGetResidencyIdleState(x,x,x)
		cmp	[edi-10h], eax
		jz	short loc_654B93
		push	1
		lea	edx, [edi-90h]
		mov	[edi-10h], eax
		mov	ecx, esi
		call	_PopPepUpdateIdleState@12 ; PopPepUpdateIdleState(x,x,x)

loc_654B93:				; CODE XREF: PopPepIdleTimeoutRoutine(x)+95j
					; PopPepIdleTimeoutRoutine(x)+9Dj ...
		inc	ebx
		add	edi, 0A8h
		cmp	ebx, [esi+84h]
		jb	short loc_654B2A
		mov	edi, offset _PopPepDeviceList

loc_654BA7:				; CODE XREF: PopPepIdleTimeoutRoutine(x)+83j
		push	3
		xor	edx, edx
		mov	ecx, esi
		call	PopPepPromoteActivities
		push	3
		xor	edx, edx
		mov	ecx, esi
		call	_PopPepCountReadyActivities@12 ; PopPepCountReadyActivities(x,x,x)
		mov	ecx, [ebp+var_10]
		mov	edx, eax
		call	_PopPepRequestWork@8 ; PopPepRequestWork(x,x)
		lea	eax, [esi+2Ch]
		push	eax

loc_654BCB:				; CODE XREF: PopPepIdleTimeoutRoutine(x)+68j
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_654BD9:				; CODE XREF: PopPepIdleTimeoutRoutine(x)+4Fj
		mov	esi, [esi]
		cmp	esi, edi
		jnz	loc_654AE1
		mov	ebx, offset _PopPepDeviceListLock

loc_654BE8:				; CODE XREF: PopPepIdleTimeoutRoutine(x)+40j
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jz	short loc_654BFD
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_654BFD:				; CODE XREF: PopPepIdleTimeoutRoutine(x)+159j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	cl, 1
		call	_PopPepArmIdleTimer@4 ;	PopPepArmIdleTimer(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopPepIdleTimeoutRoutine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepInitializeDebuggerMasks(x, x)
_PopPepInitializeDebuggerMasks@8 proc near ; CODE XREF:	PopPepInitializeVetoMasks(x,x)+73p

var_24		= dword	ptr -24h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ds:_PpmPlatformStates
		push	esi
		mov	esi, edx
		cmp	dword ptr [eax+4], 0
		jz	short loc_654C98
		push	ebx
		mov	ebx, [ecx+18h]
		xor	eax, eax
		push	edi
		push	8
		pop	ecx
		lea	edi, [ebp+var_24]
		rep stosd
		lea	eax, [ebp+var_24]
		mov	ecx, ebx
		push	eax
		call	_PopPluginRequestDebuggerTransitionRequirements@12 ; PopPluginRequestDebuggerTransitionRequirements(x,x,x)
		test	al, al
		jz	short loc_654C96
		xor	ecx, ecx
		test	esi, esi
		jz	short loc_654C8B
		mov	eax, ds:_PopPepPlatformState
		add	eax, 28h

loc_654C6A:				; CODE XREF: PopPepInitializeDebuggerMasks(x,x)+6Bj
		cmp	byte ptr [ebp+ecx+var_24], 0
		jz	short loc_654C81
		cmp	byte ptr [eax+1], 0
		jz	short loc_654CA5
		mov	byte ptr [eax],	1
		mov	ds:_PopAutomaticDebuggerTransitions, 1

loc_654C81:				; CODE XREF: PopPepInitializeDebuggerMasks(x,x)+51j
		inc	ecx
		add	eax, 0C0h
		cmp	ecx, esi
		jb	short loc_654C6A

loc_654C8B:				; CODE XREF: PopPepInitializeDebuggerMasks(x,x)+42j
		push	esi
		lea	edx, [ebp+var_24]
		mov	ecx, ebx
		call	_PopDiagTraceDebuggerTransitionRequirements@12 ; PopDiagTraceDebuggerTransitionRequirements(x,x,x)

loc_654C96:				; CODE XREF: PopPepInitializeDebuggerMasks(x,x)+3Cj
		pop	edi
		pop	ebx

loc_654C98:				; CODE XREF: PopPepInitializeDebuggerMasks(x,x)+1Ej
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_654CA5:				; CODE XREF: PopPepInitializeDebuggerMasks(x,x)+57j
		push	0
		push	ecx
		mov	edx, ebx
		mov	ecx, 61Fh
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
		int	3		; Trap to Debugger
_PopPepInitializeDebuggerMasks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepInitializeVetoMasks(x, x)
_PopPepInitializeVetoMasks@8 proc near	; CODE XREF: PopPepDeviceStarted+8299Ep
					; PopPepPlatformStateRegistered(x)+62Bp

var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11A		= byte ptr -11Ah
var_119		= byte ptr -119h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 164h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, edx
		push	edi
		push	8Ch		; size_t
		push	eax		; int
		mov	[ebp+var_120], eax
		mov	ebx, ecx
		mov	[ebp+var_154], eax
		mov	[ebp+var_150], eax
		lea	eax, [ebp+var_118]
		push	eax		; void *
		mov	[ebp+var_124], esi
		call	_memset
		mov	edi, [ebx+18h]
		xor	eax, eax
		add	esp, 0Ch
		mov	[ebp+var_144], eax
		mov	[ebp+var_134], edi
		cmp	[edi+1Ch], eax
		jnz	short loc_654D32
		mov	eax, [edi+238h]
		test	al, 2
		jz	loc_655269
		mov	edx, esi
		mov	ecx, ebx
		call	_PopPepInitializeDebuggerMasks@8 ; PopPepInitializeDebuggerMasks(x,x)
		jmp	loc_655269
; 

loc_654D32:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+5Fj
		mov	[ebx+130h], al
		mov	eax, [edi+70h]
		mov	[ebp+var_114], eax
		mov	eax, [edi+74h]
		push	1
		mov	[ebp+var_110], eax
		lea	eax, [ebp+var_10C]
		push	80h
		push	eax
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		xor	esi, esi
		cmp	[ebp+var_124], esi
		jbe	short loc_654DCA
		mov	edi, [ebp+var_124]

loc_654D6D:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+10Dj
		lea	eax, [ebp+var_118]
		mov	[ebp+var_118], esi
		mov	[ebp+var_154], eax
		lea	eax, [ebp+var_154]
		mov	[ebp+var_144], eax
		lea	eax, [ebp+var_120]
		push	eax		; int
		push	1		; int
		lea	eax, [ebp+var_144]
		mov	[ebp+var_150], 4
		push	eax		; int
		push	offset _GUID_EM_PEP_UPADTE_DEVICE_CONTRAINT ; void *
		call	EmClientRuleEvaluate
		cmp	[ebp+var_120], 2
		jnz	short loc_654DBF
		mov	byte ptr [ebx+130h], 1

loc_654DBF:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+101j
		inc	esi
		cmp	esi, edi
		jb	short loc_654D6D
		mov	edi, [ebp+var_134]

loc_654DCA:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+B0j
		mov	eax, [edi+1Ch]
		mov	eax, [eax+10h]
		mov	ecx, eax
		mov	[ebp+var_160], eax
		call	_PoFxActivateDevice@4 ;	PoFxActivateDevice(x)
		push	1
		push	80h
		lea	eax, [ebp+var_88]
		push	eax
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		lea	eax, [ebx+2Ch]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	byte ptr [ebp+var_15C],	al
		call	_PpmGetDeepSleepPlatformStateIndex@0 ; PpmGetDeepSleepPlatformStateIndex()
		mov	[ebp+var_148], eax
		xor	ecx, ecx
		mov	[ebp+var_119], 0
		mov	edx, offset _PopFxDeviceAccountingLevel
		xor	eax, eax
		lock cmpxchg [edx], ecx
		mov	esi, eax
		lea	ecx, [edi+160h]
		mov	[ebp+var_130], esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	eax, [edi+160h]
		push	0C0h		; size_t
		mov	[eax+0Ch], esi
		add	eax, 18h
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	esi, [ebp+var_124]
		lea	edx, [ebp+var_88]
		add	esp, 0Ch
		mov	byte ptr [edi+164h], 0
		mov	ecx, [ebx+18h]
		push	esi
		call	_PopPluginRequestDeviceIdleConstraints@12 ; PopPluginRequestDeviceIdleConstraints(x,x,x)
		test	al, al
		jnz	short loc_654E79
		cmp	[ebx+130h], al
		jz	loc_654F9C

loc_654E79:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+1B6j
		lea	ecx, [ebp+var_130]
		call	_PopFxEnableEnhancedAccounting@4 ; PopFxEnableEnhancedAccounting(x)
		cmp	byte ptr [ebx+130h], 0
		mov	[ebp+var_119], al
		jz	short loc_654EB5
		xor	ecx, ecx
		test	esi, esi
		jz	short loc_654EB5

loc_654E99:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+1FEj
		mov	eax, [ebp+ecx*4+var_10C]
		cmp	[ebp+ecx*4+var_88], eax
		jnb	short loc_654EB0
		mov	[ebp+ecx*4+var_88], eax

loc_654EB0:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+1F2j
		inc	ecx
		cmp	ecx, esi
		jb	short loc_654E99

loc_654EB5:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+1DCj
					; PopPepInitializeVetoMasks(x,x)+1E2j
		xor	esi, esi
		mov	[ebp+var_128], 1
		lea	edx, [ebp+var_88]
		mov	[ebp+var_120], edx
		cmp	[ebp+var_124], esi
		jbe	loc_654F8D
		xor	ecx, ecx
		mov	[ebp+var_12C], ecx

loc_654EE1:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+2D2j
		mov	eax, ds:_PopPepPlatformState
		cmp	byte ptr [ecx+eax+29h],	0
		jnz	short loc_654EFB
		cmp	[ebp+esi*4+var_88], 1
		jnz	loc_6551EE

loc_654EFB:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+236j
		mov	edx, [edx]
		lea	ecx, [ebx+60h]
		mov	edi, [ebp+var_128]
		xor	eax, eax
		inc	eax

loc_654F09:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+261j
		cmp	eax, edx
		jnb	short loc_654F18
		or	[ecx], edi
		inc	eax
		add	ecx, 4
		cmp	eax, 3
		jbe	short loc_654F09

loc_654F18:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+256j
		mov	eax, [ebp+var_148]
		mov	edi, [ebp+var_134]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_654F59
		cmp	esi, eax
		jnz	short loc_654F59
		cmp	edx, 1
		jbe	short loc_654F59
		mov	[edi+168h], edx
		call	KeQueryInterruptTime
		lea	ecx, [edi+160h]
		mov	[ecx+10h], eax
		lea	eax, [edi+238h]
		push	10h
		mov	[ecx+14h], edx
		mov	byte ptr [ecx+4], 1
		pop	ecx
		lock or	[eax], ecx

loc_654F59:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+272j
					; PopPepInitializeVetoMasks(x,x)+276j ...
		mov	edx, [ebp+var_120]
		shl	[ebp+var_128], 1
		add	edx, 4
		mov	ecx, [ebp+var_12C]
		inc	esi
		add	ecx, 0C0h
		mov	[ebp+var_120], edx
		mov	[ebp+var_12C], ecx
		cmp	esi, [ebp+var_124]
		jb	loc_654EE1

loc_654F8D:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+21Ej
		lea	esi, [ebx+60h]
		lea	edi, [ebx+6Ch]
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_134]

loc_654F9C:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+1BEj
		mov	eax, [ebp+var_130]
		lea	ecx, [edi+160h]
		mov	[ecx+0Ch], eax
		call	@KefReleaseSpinLockFromDpcLevel@4 ; KefReleaseSpinLockFromDpcLevel(x)
		mov	edx, [ebx+78h]
		cmp	edx, 4
		jz	short loc_654FC5
		mov	edx, [ebx+edx*4+5Ch]
		xor	ecx, ecx
		push	1
		call	PopPepUpdateIdleStateRefCount

loc_654FC5:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+301j
		mov	al, [ebx+4Ch]
		test	al, al
		jz	loc_655231
		xor	ecx, ecx
		mov	[ebp+var_11A], 0
		mov	[ebp+var_128], ecx
		cmp	[ebx+84h], ecx
		jbe	loc_65522D
		mov	[ebp+var_13C], ebx

loc_654FF1:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+56Fj
		mov	eax, [edi+240h]
		push	80h		; size_t
		push	0		; int
		mov	esi, [eax+ecx*4]
		lea	eax, [ebp+var_88]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		add	esi, 90h
		mov	ecx, esi
		mov	[ebp+var_120], esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_130]
		push	0C0h		; size_t
		mov	[esi+0Ch], eax
		lea	eax, [esi+18h]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_128]
		lea	eax, [ebp+var_88]
		add	esp, 0Ch
		mov	byte ptr [esi+4], 0
		mov	esi, [ebp+var_124]
		mov	ecx, [ebx+18h]
		push	esi
		push	eax
		call	_PopPluginRequestComponentIdleConstraints@16 ; PopPluginRequestComponentIdleConstraints(x,x,x,x)
		test	al, al
		jz	loc_6551A1
		lea	ecx, [ebp+var_130]
		call	_PopFxEnableEnhancedAccounting@4 ; PopFxEnableEnhancedAccounting(x)
		mov	[ebp+var_119], al
		xor	ecx, ecx
		mov	[ebp+var_140], 1
		lea	eax, [ebp+var_88]
		mov	[ebp+var_138], eax
		mov	[ebp+var_12C], ecx
		test	esi, esi
		jz	loc_6551A1
		xor	edx, edx
		mov	[ebp+var_14C], edx

loc_6550A6:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+4E6j
		mov	eax, ds:_PopPepPlatformState
		cmp	byte ptr [edx+eax+29h],	0
		jnz	short loc_6550C0
		cmp	[ebp+ecx*4+var_88], 0
		jnz	loc_655278

loc_6550C0:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+3FBj
		mov	edx, [ebp+var_13C]
		xor	eax, eax
		mov	esi, [edx+128h]
		mov	[ebp+var_158], esi
		mov	esi, [ebp+var_124]
		cmp	[edx+124h], eax
		jbe	short loc_655121
		mov	edx, [ebp+var_158]
		mov	edi, [ebp+var_13C]
		add	edx, 10h
		mov	esi, [ebp+var_138]
		mov	ecx, [ebp+var_140]

loc_6550FD:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+458j
		cmp	eax, [esi]
		jnb	short loc_65510F
		or	[edx], ecx
		inc	eax
		add	edx, 18h
		cmp	eax, [edi+124h]
		jb	short loc_6550FD

loc_65510F:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+44Aj
		mov	edi, [ebp+var_134]
		mov	esi, [ebp+var_124]
		mov	ecx, [ebp+var_12C]

loc_655121:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+42Bj
		mov	eax, [ebp+var_148]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_655173
		cmp	ecx, eax
		jnz	short loc_655173
		mov	eax, [ebp+var_138]
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_655173
		mov	ecx, [ebp+var_120]
		mov	[ecx+8], eax
		call	KeQueryInterruptTime
		mov	ecx, [ebp+var_120]
		push	10h
		mov	[ebp+var_11A], 1
		mov	[ecx+10h], eax
		lea	eax, [edi+238h]
		mov	[ecx+14h], edx
		mov	byte ptr [ecx+4], 1
		pop	ecx
		lock or	[eax], ecx
		mov	ecx, [ebp+var_12C]

loc_655173:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+475j
					; PopPepInitializeVetoMasks(x,x)+479j ...
		add	[ebp+var_138], 4
		shl	[ebp+var_140], 1
		inc	ecx
		mov	edx, [ebp+var_14C]
		add	edx, 0C0h
		mov	[ebp+var_12C], ecx
		mov	[ebp+var_14C], edx
		cmp	ecx, esi
		jb	loc_6550A6

loc_6551A1:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+3ACj
					; PopPepInitializeVetoMasks(x,x)+3E3j
		mov	ecx, [ebp+var_120]
		mov	eax, [ebp+var_130]
		mov	[ecx+0Ch], eax
		call	@KefReleaseSpinLockFromDpcLevel@4 ; KefReleaseSpinLockFromDpcLevel(x)
		mov	esi, [ebp+var_13C]
		xor	ecx, ecx
		push	1
		imul	eax, [esi+118h], 18h
		mov	edx, [esi+128h]
		mov	edx, [eax+edx+10h]
		call	PopPepUpdateIdleStateRefCount
		cmp	[ebp+var_11A], 0
		lea	eax, [edi+238h]
		jnz	short loc_6551FD
		mov	ecx, 0FFFFFEFFh
		lock and [eax],	ecx
		jmp	short loc_655205
; 

loc_6551EE:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+240j
		push	0
		push	esi
		mov	edx, edi
		mov	ecx, 620h

loc_6551F8:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+5D1j
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_6551FD:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+52Dj
		mov	ecx, 100h
		lock or	[eax], ecx

loc_655205:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+537j
		mov	ecx, [ebp+var_128]
		add	esi, 0A8h
		inc	ecx
		mov	[ebp+var_13C], esi
		mov	[ebp+var_128], ecx
		cmp	ecx, [ebx+84h]
		jb	loc_654FF1
		mov	al, [ebx+4Ch]

loc_65522D:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+330j
		test	al, al
		jnz	short loc_65523A

loc_655231:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+315j
		cmp	byte ptr [ebx+130h], 0
		jz	short loc_655241

loc_65523A:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+57Aj
		mov	dword ptr [ebx+7Ch], 2

loc_655241:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+583j
		push	[ebp+var_15C]
		lea	eax, [ebx+2Ch]
		push	eax
		call	ExReleaseSpinLockExclusive
		mov	ecx, [ebp+var_160]
		call	PoFxIdleDevice
		cmp	[ebp+var_119], 0
		jz	short loc_655269
		call	_PopPepResetDeviceAccountingLevel@0 ; PopPepResetDeviceAccountingLevel()

loc_655269:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+69j
					; PopPepInitializeVetoMasks(x,x)+78j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_655278:				; CODE XREF: PopPepInitializeVetoMasks(x,x)+405j
		push	ecx
		push	[ebp+var_128]
		mov	edx, edi
		mov	ecx, 621h
		jmp	loc_6551F8
_PopPepInitializeVetoMasks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepIterateDeviceList(x, x, x, x,	x, x, x)
_PopPepIterateDeviceList@28 proc near	; CODE XREF: PopPlRegisterPowerPlane(x,x)+8Bp
					; PopPlRegisterPowerPlane(x,x)+A6p ...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte ptr [ebp+arg_8], 0
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, edx
		mov	ecx, offset _PopPepDeviceListLock
		jz	short loc_6552B7
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockSharedEx

loc_6552B7:				; CODE XREF: PopPepIterateDeviceList(x,x,x,x,x,x,x)+15j
		test	esi, esi
		jz	short loc_6552C0
		push	[ebp+arg_10]
		call	esi

loc_6552C0:				; CODE XREF: PopPepIterateDeviceList(x,x,x,x,x,x,x)+2Ej
		mov	esi, ds:_PopPepDeviceList
		xor	ebx, ebx
		inc	ebx
		mov	eax, offset _PopPepDeviceList
		mov	byte ptr [ebp+arg_8], bl
		cmp	esi, eax
		jz	short loc_6552F6

loc_6552D5:				; CODE XREF: PopPepIterateDeviceList(x,x,x,x,x,x,x)+5Cj
		push	[ebp+arg_10]
		push	esi
		call	edi
		test	al, al
		jz	short loc_6552E9
		mov	esi, [esi]
		cmp	esi, offset _PopPepDeviceList
		jnz	short loc_6552D5

loc_6552E9:				; CODE XREF: PopPepIterateDeviceList(x,x,x,x,x,x,x)+52j
		cmp	esi, offset _PopPepDeviceList
		jz	short loc_6552F3
		xor	bl, bl

loc_6552F3:				; CODE XREF: PopPepIterateDeviceList(x,x,x,x,x,x,x)+64j
		mov	byte ptr [ebp+arg_8], bl

loc_6552F6:				; CODE XREF: PopPepIterateDeviceList(x,x,x,x,x,x,x)+48j
		cmp	[ebp+arg_0], 0
		jz	short loc_655305
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		call	[ebp+arg_0]

loc_655305:				; CODE XREF: PopPepIterateDeviceList(x,x,x,x,x,x,x)+6Fj
		cmp	[ebp+arg_C], 0
		jz	short loc_655338
		push	11h
		xor	edx, edx
		mov	esi, offset _PopPepDeviceListLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_655325
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_655325:				; CODE XREF: PopPepIterateDeviceList(x,x,x,x,x,x,x)+91j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_655338:				; CODE XREF: PopPepIterateDeviceList(x,x,x,x,x,x,x)+7Ej
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	14h
_PopPepIterateDeviceList@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepPlatformStateRegistered(x)
_PopPepPlatformStateRegistered@4 proc near ; CODE XREF:	PopFxEnablePlatformStates(x)+5p

var_52		= byte ptr -52h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3E		= byte ptr -3Eh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 48h
		push	esi
		push	edi
		mov	[esp+50h+var_34], ecx
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		mov	ecx, offset _PopPepVetoMaskReadyLock
		call	ExAcquirePushLockExclusiveEx
		mov	esi, offset _PopPepDeviceListLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		or	ecx, 0FFFFFFFFh
		cmp	ds:_PopPepPlatformState, 0
		mov	[esp+50h+var_3C], ecx
		jz	loc_655732
		mov	eax, ecx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_65539B
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh

loc_65539B:				; CODE XREF: PopPepPlatformStateRegistered(x)+4Ej
		xor	edi, edi
		mov	[esp+50h+var_38], edi
		test	esi, 7FFFFFFCh
		jz	loc_655558
		mov	esi, large fs:124h
		mov	edx, offset _PopPepDeviceListLock
		mov	eax, ds:dword_6D07D0
		shr	edx, 15h
		mov	[esp+50h+var_20], esi
		mov	[esp+50h+var_30], eax
		cmp	eax, offset _PopPepDeviceListLock
		ja	short loc_6553EF
		mov	eax, edx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_6553F7
		mov	eax, [esp+50h+var_30]
		cmp	eax, offset _PopPepDeviceListLock
		ja	short loc_6553EF
		cmp	byte ptr ds:dword_6D3994[edx], 0Bh
		jz	short loc_6553F7

loc_6553EF:				; CODE XREF: PopPepPlatformStateRegistered(x)+8Dj
					; PopPepPlatformStateRegistered(x)+A3j
		mov	eax, ecx
		mov	[esp+50h+var_34], ecx
		jmp	short loc_655406
; 

loc_6553F7:				; CODE XREF: PopPepPlatformStateRegistered(x)+98j
					; PopPepPlatformStateRegistered(x)+ACj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esp+50h+var_34], eax

loc_655406:				; CODE XREF: PopPepPlatformStateRegistered(x)+B4j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	edx, offset _PopPepDeviceListLock
		mov	[esp+13h], cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+50h+var_30], ecx
		test	ecx, ecx
		jnz	short loc_65545A
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_6554C6
		push	ecx
		push	[esp+54h+var_34]

loc_655449:				; CODE XREF: PopPepPlatformStateRegistered(x)+4BEj
		mov	eax, offset _PopPepDeviceListLock

loc_65544E:				; CODE XREF: PopPepPlatformStateRegistered(x)+2E4j
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_65545A:				; CODE XREF: PopPepPlatformStateRegistered(x)+F3j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_655471
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+64h+var_44]

loc_655471:				; CODE XREF: PopPepPlatformStateRegistered(x)+125j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+64h+var_4C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		mov	al, dl
		shl	al, cl
		cmp	[esp+13h], dl
		jnz	short loc_6554B9
		or	[esi+1E4h], al
		jmp	short loc_6554C6
; 

loc_6554B9:				; CODE XREF: PopPepPlatformStateRegistered(x)+16Ej
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [esp+64h+var_34]

loc_6554C6:				; CODE XREF: PopPepPlatformStateRegistered(x)+FDj
					; PopPepPlatformStateRegistered(x)+176j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+64h+var_34], eax
		jz	short loc_655532
		test	edi, 8000h
		jz	short loc_6554EB
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6554EB:				; CODE XREF: PopPepPlatformStateRegistered(x)+19Fj
		test	byte ptr [esp+64h+var_4C+2], 1
		jz	short loc_655502
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_655502:				; CODE XREF: PopPepPlatformStateRegistered(x)+1AFj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_655516
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_655516:				; CODE XREF: PopPepPlatformStateRegistered(x)+1C8j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_655532
		push	[esp+64h+var_34]
		mov	edx, offset _PopPepDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_655532:				; CODE XREF: PopPepPlatformStateRegistered(x)+197j
					; PopPepPlatformStateRegistered(x)+1DFj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_655558
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_655558
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_655558:				; CODE XREF: PopPepPlatformStateRegistered(x)+66j
					; PopPepPlatformStateRegistered(x)+208j ...
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _PopPepVetoMaskReadyLock
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_655579
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _PopPepVetoMaskReadyLock

loc_655579:				; CODE XREF: PopPepPlatformStateRegistered(x)+229j
		xor	edi, edi
		mov	[esp+64h+var_48], edi
		test	ecx, 7FFFFFFCh
		jz	loc_655728
		mov	esi, large fs:124h
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[esp+64h+var_4C], esi
		mov	[esp+64h+var_44], eax
		cmp	eax, offset _PopPepVetoMaskReadyLock
		ja	short loc_6555E1
		mov	eax, ecx
		xor	ecx, ecx
		inc	ecx
		mov	[esp+64h+var_34], eax
		cmp	byte ptr ds:dword_6D3994[eax], cl
		jz	short loc_6555D0
		mov	ecx, eax
		mov	eax, [esp+64h+var_44]
		cmp	eax, offset _PopPepVetoMaskReadyLock
		ja	short loc_6555E1
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_6555E1

loc_6555D0:				; CODE XREF: PopPepPlatformStateRegistered(x)+277j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[esp+64h+var_50], edx

loc_6555E1:				; CODE XREF: PopPepPlatformStateRegistered(x)+266j
					; PopPepPlatformStateRegistered(x)+284j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _PopPepVetoMaskReadyLock
		mov	[esp+68h+var_52], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+64h+var_34], ecx
		test	ecx, ecx
		jnz	short loc_65562A
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_655696
		push	ecx
		push	[esp+68h+var_50]

loc_655620:				; CODE XREF: PopPepPlatformStateRegistered(x)+727j
		mov	eax, offset _PopPepVetoMaskReadyLock
		jmp	loc_65544E
; 

loc_65562A:				; CODE XREF: PopPepPlatformStateRegistered(x)+2CEj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_655641
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+64h+var_34]

loc_655641:				; CODE XREF: PopPepPlatformStateRegistered(x)+2F5j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+64h+var_48], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		mov	al, dl
		shl	al, cl
		cmp	[esp+64h+var_52], dl
		jnz	short loc_655689
		or	[esi+1E4h], al
		jmp	short loc_655696
; 

loc_655689:				; CODE XREF: PopPepPlatformStateRegistered(x)+33Ej
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [esp+64h+var_4C]

loc_655696:				; CODE XREF: PopPepPlatformStateRegistered(x)+2D8j
					; PopPepPlatformStateRegistered(x)+346j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+64h+var_34], eax
		jz	short loc_655702
		test	edi, 8000h
		jz	short loc_6556BB
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6556BB:				; CODE XREF: PopPepPlatformStateRegistered(x)+36Fj
		test	byte ptr [esp+64h+var_48+2], 1
		jz	short loc_6556D2
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_6556D2:				; CODE XREF: PopPepPlatformStateRegistered(x)+37Fj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_6556E6
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_6556E6:				; CODE XREF: PopPepPlatformStateRegistered(x)+398j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_655702
		push	[esp+64h+var_34]
		mov	edx, offset _PopPepVetoMaskReadyLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_655702:				; CODE XREF: PopPepPlatformStateRegistered(x)+367j
					; PopPepPlatformStateRegistered(x)+3AFj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_655728
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_655728
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_655728:				; CODE XREF: PopPepPlatformStateRegistered(x)+244j
					; PopPepPlatformStateRegistered(x)+3D8j ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_655B85
; 

loc_655732:				; CODE XREF: PopPepPlatformStateRegistered(x)+3Ej
		mov	eax, ds:_PpmPlatformStates
		add	eax, 40h
		mov	ds:_PopPepPlatformState, eax
		mov	eax, ecx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_655755
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh

loc_655755:				; CODE XREF: PopPepPlatformStateRegistered(x)+408j
		xor	edi, edi
		mov	[esp+50h+var_30], edi
		test	esi, 7FFFFFFCh
		jz	loc_655907
		mov	esi, large fs:124h
		mov	edx, offset _PopPepDeviceListLock
		mov	eax, ds:dword_6D07D0
		shr	edx, 15h
		mov	[esp+50h+var_4], esi
		mov	[esp+50h+var_20], eax
		cmp	eax, offset _PopPepDeviceListLock
		ja	short loc_6557A9
		mov	eax, edx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_6557B1
		mov	eax, [esp+50h+var_20]
		cmp	eax, offset _PopPepDeviceListLock
		ja	short loc_6557A9
		cmp	byte ptr ds:dword_6D3994[edx], 0Bh
		jz	short loc_6557B1

loc_6557A9:				; CODE XREF: PopPepPlatformStateRegistered(x)+447j
					; PopPepPlatformStateRegistered(x)+45Dj
		mov	eax, ecx
		mov	[esp+50h+var_38], ecx
		jmp	short loc_6557C0
; 

loc_6557B1:				; CODE XREF: PopPepPlatformStateRegistered(x)+452j
					; PopPepPlatformStateRegistered(x)+466j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esp+50h+var_38], eax

loc_6557C0:				; CODE XREF: PopPepPlatformStateRegistered(x)+46Ej
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	edx, offset _PopPepDeviceListLock
		mov	[esp+50h+var_3E], cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+50h+var_20], ecx
		test	ecx, ecx
		jnz	short loc_655804
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_655870
		push	ecx
		push	[esp+54h+var_38]
		jmp	loc_655449
; 

loc_655804:				; CODE XREF: PopPepPlatformStateRegistered(x)+4ADj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_65581B
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+50h+var_20]

loc_65581B:				; CODE XREF: PopPepPlatformStateRegistered(x)+4CFj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+50h+var_30], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		mov	al, dl
		shl	al, cl
		cmp	[esp+50h+var_3E], dl
		jnz	short loc_655863
		or	[esi+1E4h], al
		jmp	short loc_655870
; 

loc_655863:				; CODE XREF: PopPepPlatformStateRegistered(x)+518j
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [esp+50h+var_4]

loc_655870:				; CODE XREF: PopPepPlatformStateRegistered(x)+4B7j
					; PopPepPlatformStateRegistered(x)+520j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+50h+var_4], eax
		jz	short loc_6558DC
		test	edi, 8000h
		jz	short loc_655895
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_655895:				; CODE XREF: PopPepPlatformStateRegistered(x)+549j
		test	byte ptr [esp+50h+var_30+2], 1
		jz	short loc_6558AC
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_6558AC:				; CODE XREF: PopPepPlatformStateRegistered(x)+559j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_6558C0
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_6558C0:				; CODE XREF: PopPepPlatformStateRegistered(x)+572j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_6558DC
		push	[esp+50h+var_4]
		mov	edx, offset _PopPepDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_6558DC:				; CODE XREF: PopPepPlatformStateRegistered(x)+541j
					; PopPepPlatformStateRegistered(x)+589j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_655902
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_655902
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_655902:				; CODE XREF: PopPepPlatformStateRegistered(x)+5B2j
					; PopPepPlatformStateRegistered(x)+5BAj
		mov	esi, offset _PopPepDeviceListLock

loc_655907:				; CODE XREF: PopPepPlatformStateRegistered(x)+420j
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	eax, [esp+50h+var_34]
		test	eax, eax
		jz	short loc_655934
		xor	ecx, ecx
		mov	edx, eax

loc_65591C:				; CODE XREF: PopPepPlatformStateRegistered(x)+5F1j
		mov	eax, ds:_PopPepPlatformState
		lea	ecx, [ecx+0C0h]
		mov	dword ptr [ecx+eax-40h], 40000001h
		sub	edx, 1
		jnz	short loc_65591C

loc_655934:				; CODE XREF: PopPepPlatformStateRegistered(x)+5D5j
		mov	esi, ds:_PopPepDeviceList
		mov	eax, offset _PopPepDeviceList
		cmp	esi, eax
		jmp	short loc_655979
; 

loc_655943:				; CODE XREF: PopPepPlatformStateRegistered(x)+63Cj
		lea	edi, [esi+2Ch]
		push	edi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	esi, [esi+7Ch]
		mov	byte ptr [esp+50h+var_4], al
		push	[esp+50h+var_4]
		push	edi
		call	ExReleaseSpinLockShared
		cmp	esi, 1
		mov	esi, [esp+50h+var_38]
		jnz	short loc_655971
		mov	edx, [esp+50h+var_34]
		mov	ecx, esi
		call	_PopPepInitializeVetoMasks@8 ; PopPepInitializeVetoMasks(x,x)

loc_655971:				; CODE XREF: PopPepPlatformStateRegistered(x)+623j
		mov	esi, [esi]
		cmp	esi, offset _PopPepDeviceList

loc_655979:				; CODE XREF: PopPepPlatformStateRegistered(x)+600j
		mov	[esp+50h+var_38], esi
		jnz	short loc_655943
		push	11h
		xor	ecx, ecx
		mov	esi, offset _PopPepDeviceListLock
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_655999
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_655999:				; CODE XREF: PopPepPlatformStateRegistered(x)+64Fj
		mov	ecx, esi
		call	KeAbPostRelease
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _PopPepVetoMaskReadyLock
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_6559C1
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _PopPepVetoMaskReadyLock

loc_6559C1:				; CODE XREF: PopPepPlatformStateRegistered(x)+671j
		xor	edi, edi
		mov	[esp+50h+var_30], edi
		test	ecx, 7FFFFFFCh
		jz	loc_655B6B
		mov	esi, large fs:124h
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[esp+50h+var_38], esi
		mov	[esp+50h+var_20], eax
		cmp	eax, offset _PopPepVetoMaskReadyLock
		ja	short loc_655A29
		mov	eax, ecx
		xor	ecx, ecx
		inc	ecx
		mov	[esp+50h+var_4], eax
		cmp	byte ptr ds:dword_6D3994[eax], cl
		jz	short loc_655A18
		mov	ecx, eax
		mov	eax, [esp+50h+var_20]
		cmp	eax, offset _PopPepVetoMaskReadyLock
		ja	short loc_655A29
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_655A29

loc_655A18:				; CODE XREF: PopPepPlatformStateRegistered(x)+6BFj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[esp+50h+var_3C], edx

loc_655A29:				; CODE XREF: PopPepPlatformStateRegistered(x)+6AEj
					; PopPepPlatformStateRegistered(x)+6CCj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _PopPepVetoMaskReadyLock
		mov	[esp+54h+var_3E], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+50h+var_4], ecx
		test	ecx, ecx
		jnz	short loc_655A6D
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_655AD9
		push	ecx
		push	[esp+54h+var_3C]
		jmp	loc_655620
; 

loc_655A6D:				; CODE XREF: PopPepPlatformStateRegistered(x)+716j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_655A84
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+50h+var_4]

loc_655A84:				; CODE XREF: PopPepPlatformStateRegistered(x)+738j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+50h+var_30], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		mov	al, dl
		shl	al, cl
		cmp	[esp+50h+var_3E], dl
		jnz	short loc_655ACC
		or	[esi+1E4h], al
		jmp	short loc_655AD9
; 

loc_655ACC:				; CODE XREF: PopPepPlatformStateRegistered(x)+781j
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [esp+50h+var_38]

loc_655AD9:				; CODE XREF: PopPepPlatformStateRegistered(x)+720j
					; PopPepPlatformStateRegistered(x)+789j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+50h+var_4], eax
		jz	short loc_655B45
		test	edi, 8000h
		jz	short loc_655AFE
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_655AFE:				; CODE XREF: PopPepPlatformStateRegistered(x)+7B2j
		test	byte ptr [esp+50h+var_30+2], 1
		jz	short loc_655B15
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_655B15:				; CODE XREF: PopPepPlatformStateRegistered(x)+7C2j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_655B29
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_655B29:				; CODE XREF: PopPepPlatformStateRegistered(x)+7DBj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_655B45
		push	[esp+50h+var_4]
		mov	edx, offset _PopPepVetoMaskReadyLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_655B45:				; CODE XREF: PopPepPlatformStateRegistered(x)+7AAj
					; PopPepPlatformStateRegistered(x)+7F2j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_655B6B
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_655B6B
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_655B6B:				; CODE XREF: PopPepPlatformStateRegistered(x)+68Cj
					; PopPepPlatformStateRegistered(x)+81Bj ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esp+50h+var_34]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		shl	eax, cl
		push	0
		lea	ecx, [eax-1]
		call	PopPepUpdateIdleStateRefCount

loc_655B85:				; CODE XREF: PopPepPlatformStateRegistered(x)+3ECj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_PopPepPlatformStateRegistered@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepRegisterComponentPerfStates(x, x, x, x)
_PopPepRegisterComponentPerfStates@16 proc near
					; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+3F1p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		imul	esi, edx, 0A8h
		lea	ebx, [edi+2Ch]
		push	ebx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	[esi+edi+0A4h],	ecx
		mov	ecx, edx
		and	ecx, 2
		mov	[ebp+var_1], al
		or	ecx, 0
		mov	byte ptr [esi+edi+120h], 1
		mov	[esi+edi+0A0h],	edx
		jz	short loc_655BD5
		mov	byte ptr [edi+80h], 1

loc_655BD5:				; CODE XREF: PopPepRegisterComponentPerfStates(x,x,x,x)+41j
		and	edx, 4
		or	edx, 0
		jz	short loc_655BE4
		mov	byte ptr [edi+81h], 1

loc_655BE4:				; CODE XREF: PopPepRegisterComponentPerfStates(x,x,x,x)+50j
		push	ebx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PopPepRegisterComponentPerfStates@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepRemoveDevice(x)
_PopPepRemoveDevice@4 proc near		; CODE XREF: PopPepUnregisterDevice(x)+43p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		sub	esp, 14h
		dec	word ptr [eax+13Ch]
		push	esi
		push	edi
		mov	esi, ecx
		nop
		xor	edx, edx
		mov	ecx, offset _PopPepVetoMaskReadyLock
		call	ExAcquirePushLockSharedEx
		mov	edi, offset _PopPepDeviceListLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		cmp	ds:_PopPepLastCheckedDevice, esi
		jnz	short loc_655C3D
		mov	eax, [esi]
		mov	ds:_PopPepLastCheckedDevice, eax

loc_655C3D:				; CODE XREF: PopPepRemoveDevice(x)+3Aj
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_655E3C
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_655E3C
		mov	[ecx], eax
		mov	[eax+4], ecx
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_8], ecx
		mov	eax, ecx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_655C74
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh

loc_655C74:				; CODE XREF: PopPepRemoveDevice(x)+6Ej
		xor	edi, edi
		mov	eax, offset _PopPepDeviceListLock
		mov	[ebp+var_C], edi
		test	eax, 7FFFFFFCh
		jz	loc_655E0B
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_14], esi
		cmp	edx, offset _PopPepDeviceListLock
		ja	short loc_655CCE
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_655CBE
		cmp	edx, offset _PopPepDeviceListLock
		ja	short loc_655CCE
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_655CCE

loc_655CBE:				; CODE XREF: PopPepRemoveDevice(x)+B1j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_8], eax

loc_655CCE:				; CODE XREF: PopPepRemoveDevice(x)+A8j
					; PopPepRemoveDevice(x)+B9j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	edx, offset _PopPepDeviceListLock
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jnz	short loc_655D1E
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_655D90
		push	ecx
		push	[ebp+var_8]
		push	offset _PopPepDeviceListLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_655D1E:				; CODE XREF: PopPepRemoveDevice(x)+100j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_655D34
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_10]

loc_655D34:				; CODE XREF: PopPepRemoveDevice(x)+130j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	short loc_655D7E
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_655D90
; 

loc_655D7E:				; CODE XREF: PopPepRemoveDevice(x)+170j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_14]

loc_655D90:				; CODE XREF: PopPepRemoveDevice(x)+10Aj
					; PopPepRemoveDevice(x)+182j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_14], eax
		jz	short loc_655DF3
		test	edi, 8000h
		jz	short loc_655DB4
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_655DB4:				; CODE XREF: PopPepRemoveDevice(x)+1AFj
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_655DC4
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_655DC4:				; CODE XREF: PopPepRemoveDevice(x)+1BEj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_655DD8
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_655DD8:				; CODE XREF: PopPepRemoveDevice(x)+1D1j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_655DF3
		push	[ebp+var_14]
		mov	edx, offset _PopPepDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_655DF3:				; CODE XREF: PopPepRemoveDevice(x)+1A7j
					; PopPepRemoveDevice(x)+1E8j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_655E0B
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_655E0B
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_655E0B:				; CODE XREF: PopPepRemoveDevice(x)+89j
					; PopPepRemoveDevice(x)+202j ...
		push	11h
		xor	edx, edx
		mov	esi, offset _PopPepVetoMaskReadyLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_655E25
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_655E25:				; CODE XREF: PopPepRemoveDevice(x)+222j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		leave
		retn
; 

loc_655E3C:				; CODE XREF: PopPepRemoveDevice(x)+48j
					; PopPepRemoveDevice(x)+53j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PopPepRemoveDevice@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepResetDeviceAccountingLevel()
_PopPepResetDeviceAccountingLevel@0 proc near
					; CODE XREF: PopPepInitializeVetoMasks(x,x)+5AFp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	ecx, ecx
		mov	edx, offset _PopFxDeviceAccountingLevel
		xor	eax, eax
		lock cmpxchg [edx], ecx
		mov	ecx, large fs:124h
		mov	[ebp+var_C], eax
		dec	word ptr [ecx+13Ch]
		nop
		mov	ebx, offset _PopPepDeviceListLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	esi, ds:_PopPepDeviceList
		cmp	esi, offset _PopPepDeviceList
		jz	loc_655FCF
		mov	eax, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_8], eax
		mov	eax, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[ebp+var_10], eax

loc_655E9B:				; CODE XREF: PopPepResetDeviceAccountingLevel()+183j
		mov	ebx, [esi+18h]
		mov	[ebp+var_14], ebx
		mov	eax, [ebx+1Ch]
		test	eax, eax
		jz	loc_655FBC
		mov	eax, [eax+10h]
		xor	dl, dl
		push	0
		mov	ecx, eax
		mov	[ebp+var_18], eax
		call	PopFxActivateDevice
		lea	edi, [ebx+160h]
		call	[ebp+var_8]
		mov	ecx, edi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_C]
		lea	ecx, [edi+18h]
		push	0C0h		; size_t
		push	0		; int
		push	ecx		; void *
		mov	[edi+0Ch], eax
		call	_memset
		add	esp, 0Ch
		cmp	dword ptr [edi+8], 5
		jnz	short loc_655EF8
		xor	eax, eax
		mov	byte ptr [edi+4], 0
		xor	edx, edx
		jmp	short loc_655F01
; 

loc_655EF8:				; CODE XREF: PopPepResetDeviceAccountingLevel()+ABj
		mov	byte ptr [edi+4], 1
		call	KeQueryInterruptTime

loc_655F01:				; CODE XREF: PopPepResetDeviceAccountingLevel()+B5j
		mov	[edi+10h], eax
		mov	[edi+14h], edx
		test	ds:byte_70EFC6,	1
		jz	short loc_655F1C
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_655F21
; 

loc_655F1C:				; CODE XREF: PopPepResetDeviceAccountingLevel()+CDj
		xor	eax, eax
		lock and [edi],	eax

loc_655F21:				; CODE XREF: PopPepResetDeviceAccountingLevel()+D9j
		mov	cl, bl
		call	[ebp+var_10]
		xor	ebx, ebx
		cmp	[esi+84h], ebx
		jbe	loc_655FB4

loc_655F34:				; CODE XREF: PopPepResetDeviceAccountingLevel()+171j
		mov	eax, [ebp+var_14]
		mov	eax, [eax+240h]
		mov	edi, [eax+ebx*4]
		add	edi, 90h
		call	[ebp+var_8]
		mov	ecx, edi
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_C]
		lea	ecx, [edi+18h]
		push	0C0h		; size_t
		push	0		; int
		push	ecx		; void *
		mov	[edi+0Ch], eax
		call	_memset
		add	esp, 0Ch
		cmp	dword ptr [edi+8], 0FFFFFFFFh
		jnz	short loc_655F7C
		xor	eax, eax
		mov	byte ptr [edi+4], 0
		xor	edx, edx
		jmp	short loc_655F85
; 

loc_655F7C:				; CODE XREF: PopPepResetDeviceAccountingLevel()+12Fj
		mov	byte ptr [edi+4], 1
		call	KeQueryInterruptTime

loc_655F85:				; CODE XREF: PopPepResetDeviceAccountingLevel()+139j
		mov	[edi+10h], eax
		mov	[edi+14h], edx
		test	ds:byte_70EFC6,	1
		jz	short loc_655FA0
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_655FA5
; 

loc_655FA0:				; CODE XREF: PopPepResetDeviceAccountingLevel()+151j
		xor	eax, eax
		lock and [edi],	eax

loc_655FA5:				; CODE XREF: PopPepResetDeviceAccountingLevel()+15Dj
		mov	cl, [ebp+var_1]
		call	[ebp+var_10]
		inc	ebx
		cmp	ebx, [esi+84h]
		jb	short loc_655F34

loc_655FB4:				; CODE XREF: PopPepResetDeviceAccountingLevel()+EDj
		mov	ecx, [ebp+var_18]
		call	PoFxIdleDevice

loc_655FBC:				; CODE XREF: PopPepResetDeviceAccountingLevel()+65j
		mov	esi, [esi]
		cmp	esi, offset _PopPepDeviceList
		jnz	loc_655E9B
		mov	ebx, offset _PopPepDeviceListLock

loc_655FCF:				; CODE XREF: PopPepResetDeviceAccountingLevel()+44j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_655FE4
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_655FE4:				; CODE XREF: PopPepResetDeviceAccountingLevel()+19Aj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopPepResetDeviceAccountingLevel@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepStartDeviceUnregisterActivity(x, x, x)
_PopPepStartDeviceUnregisterActivity@12	proc near ; DATA XREF: .text:004014E8o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	0
		push	0
		add	eax, 1Ch
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	al, al
		pop	ebp
		retn	0Ch
_PopPepStartDeviceUnregisterActivity@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPepUpdateDripsDeviceVetoMask(x, x)
_PopPepUpdateDripsDeviceVetoMask@8 proc	near ; CODE XREF: PopFxUpdateVetoMaskWork(x)+8Bp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, [ecx+20h]
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ebx
		lea	eax, [esi+2Ch]
		mov	[ebp+var_18], esi
		push	eax
		mov	[ebp+var_1C], eax
		call	ExAcquireSpinLockExclusive
		lea	ecx, [esi+60h]
		mov	[ebp+var_1], al
		mov	eax, [ecx]
		add	esi, 6Ch
		mov	edi, ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_8], eax
		movsd
		movsd
		movsd
		call	_PpmGetDeepSleepPlatformStateIndex@0 ; PpmGetDeepSleepPlatformStateIndex()
		mov	edi, eax
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_656079
		lea	edx, [eax-1]
		test	edx, edx
		jz	short loc_656079

loc_656067:				; CODE XREF: PopPepUpdateDripsDeviceVetoMask(x,x)+5Dj
		mov	eax, [ecx]
		bts	eax, edi
		mov	[ecx], eax
		lea	ecx, [ecx+4]
		sub	edx, 1
		jnz	short loc_656067
		mov	ecx, [ebp+var_14]

loc_656079:				; CODE XREF: PopPepUpdateDripsDeviceVetoMask(x,x)+47j
					; PopPepUpdateDripsDeviceVetoMask(x,x)+4Ej
		mov	esi, [ecx]
		mov	edx, esi
		mov	ecx, [ebp+var_8]
		push	1
		call	PopPepUpdateIdleStateRefCount
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	ebx
		call	PopPepUpdateIdleStateRefCount
		mov	esi, [ebp+var_18]
		lea	eax, [ebp+var_C]
		push	ebx
		push	eax
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	_PopPepGetMinimumDevicePowerState@20 ; PopPepGetMinimumDevicePowerState(x,x,x,x,x)
		mov	esi, [esi+18h]
		add	esi, 160h
		call	KeQueryInterruptTime
		mov	ecx, esi
		mov	edi, eax
		mov	ebx, edx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_C]
		mov	dl, [esi+4]
		cmp	eax, 1
		jnz	short loc_6560FD
		mov	eax, [esi+10h]
		mov	ecx, [esi+14h]
		test	dl, dl
		jz	short loc_6560F2
		cmp	ebx, ecx
		jb	short loc_6560F2
		ja	short loc_6560DC
		cmp	edi, eax
		jbe	short loc_6560F2

loc_6560DC:				; CODE XREF: PopPepUpdateDripsDeviceVetoMask(x,x)+BFj
		sub	edi, eax
		sbb	ebx, ecx
		add	[esi+78h], edi
		adc	[esi+7Ch], ebx
		add	[esi+80h], edi
		adc	[esi+84h], ebx

loc_6560F2:				; CODE XREF: PopPepUpdateDripsDeviceVetoMask(x,x)+B9j
					; PopPepUpdateDripsDeviceVetoMask(x,x)+BDj ...
		mov	dword ptr [esi+8], 5
		xor	eax, eax
		jmp	short loc_65610C
; 

loc_6560FD:				; CODE XREF: PopPepUpdateDripsDeviceVetoMask(x,x)+AFj
		test	dl, dl
		jnz	short loc_656107
		mov	[esi+10h], edi
		mov	[esi+14h], ebx

loc_656107:				; CODE XREF: PopPepUpdateDripsDeviceVetoMask(x,x)+E8j
		mov	[esi+8], eax
		mov	al, 1

loc_65610C:				; CODE XREF: PopPepUpdateDripsDeviceVetoMask(x,x)+E4j
		mov	[esi+4], al
		test	ds:byte_70EFC6,	1
		jz	short loc_656124
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_656129
; 

loc_656124:				; CODE XREF: PopPepUpdateDripsDeviceVetoMask(x,x)+FFj
		xor	eax, eax
		lock and [esi],	eax

loc_656129:				; CODE XREF: PopPepUpdateDripsDeviceVetoMask(x,x)+10Bj
		push	[ebp+var_1C]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopPepUpdateDripsDeviceVetoMask@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopPepWaitForDeviceRelease(x)
_PopPepWaitForDeviceRelease@4 proc near	; CODE XREF: PopPepUnregisterDevice(x)+3Cp
		mov	edi, edi
		push	ebx
		push	esi
		lea	esi, [ecx+2Ch]
		push	esi
		call	ExAcquireSpinLockExclusive
		push	esi
		mov	bl, al
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	esi
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_PopPepWaitForDeviceRelease@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDripsWatchdogGetDeviceActiveTime(x)
_PopDripsWatchdogGetDeviceActiveTime@4 proc near
					; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+D7p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [ebx+160h]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	esi, esi
		cmp	byte ptr [ebx+164h], 0
		mov	edi, esi
		jz	short loc_65619F
		call	KeQueryInterruptTime
		mov	esi, eax
		mov	edi, edx
		sub	esi, [ebx+170h]
		sbb	edi, [ebx+174h]

loc_65619F:				; CODE XREF: PopDripsWatchdogGetDeviceActiveTime(x)+2Aj
		test	ds:byte_70EFC6,	1
		jz	short loc_6561B8
		mov	edx, [ebp+4]
		lea	ecx, [ebx+160h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6561C3
; 

loc_6561B8:				; CODE XREF: PopDripsWatchdogGetDeviceActiveTime(x)+48j
		xor	ecx, ecx
		lea	eax, [ebx+160h]
		lock and [eax],	ecx

loc_6561C3:				; CODE XREF: PopDripsWatchdogGetDeviceActiveTime(x)+58j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopDripsWatchdogGetDeviceActiveTime@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDripsWatchdogTimerCallback(x, x)
_PopDripsWatchdogTimerCallback@8 proc near
					; DATA XREF: PopDripsWatchdogInitializeCallbackTimer(x)+2Ao
					; PopDripsWatchdogInitializeDiagnosticTimer(x)+Fo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		lea	eax, [ecx+40h]
		cmp	[ebp+arg_0], eax
		jnz	short loc_6561EC
		mov	eax, 98h
		jmp	short loc_6561FC
; 

loc_6561EC:				; CODE XREF: PopDripsWatchdogTimerCallback(x,x)+Ej
		lea	eax, [ecx+108h]
		cmp	[ebp+arg_0], eax
		jnz	short loc_656206
		mov	eax, 160h

loc_6561FC:				; CODE XREF: PopDripsWatchdogTimerCallback(x,x)+15j
		xor	edx, edx
		add	ecx, eax
		inc	edx
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)

loc_656206:				; CODE XREF: PopDripsWatchdogTimerCallback(x,x)+20j
		pop	ebp
		retn	8
_PopDripsWatchdogTimerCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcPoCurrentPdcPhase(x, x, x)
_PdcPoCurrentPdcPhase@12 proc near	; DATA XREF: PopPdcRegister+76o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	ds:_PopBsdCurrentCsPhase, eax
		xor	esi, esi
		sub	eax, 1
		jz	loc_6562CA
		sub	eax, 1
		jz	loc_6562BC
		sub	eax, 4
		jz	short loc_6562AD
		sub	eax, 1
		jz	short loc_656249
		sub	eax, 1
		jnz	loc_6562CF
		call	_PopPowerAggregatorNotifyResiliencyReached@0 ; PopPowerAggregatorNotifyResiliencyReached()
		jmp	loc_6562CF
; 

loc_656249:				; CODE XREF: PdcPoCurrentPdcPhase(x,x,x)+2Aj
		push	esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		cmp	[ebp+arg_4], 0
		jz	short loc_65627B
		push	3
		mov	ds:dword_6D450C, edx
		xor	dl, dl
		pop	ecx
		mov	ds:dword_6D4508, eax
		call	_PopDeepSleepResiliencyPhaseAccountingBegin@8 ;	PopDeepSleepResiliencyPhaseAccountingBegin(x,x)
		mov	eax, ds:_PopFxDeviceAccountingLevel
		test	al, 2
		jz	short loc_6562CF
		call	_PopFxResumeDeviceAccounting@0 ; PopFxResumeDeviceAccounting()
		jmp	short loc_6562CF
; 

loc_65627B:				; CODE XREF: PdcPoCurrentPdcPhase(x,x,x)+4Aj
		sub	eax, ds:dword_6D4508
		sbb	edx, ds:dword_6D450C
		add	ds:dword_6D4510, eax
		mov	eax, ds:_PopFxDeviceAccountingLevel
		adc	ds:dword_6D4514, edx
		test	al, 2
		jz	short loc_6562A1
		call	_PopFxPauseDeviceAccounting@0 ;	PopFxPauseDeviceAccounting()

loc_6562A1:				; CODE XREF: PdcPoCurrentPdcPhase(x,x,x)+90j
		push	3
		xor	dl, dl
		pop	ecx
		call	_PopDeepSleepResiliencyPhaseAccountingEnd@8 ; PopDeepSleepResiliencyPhaseAccountingEnd(x,x)
		jmp	short loc_6562CF
; 

loc_6562AD:				; CODE XREF: PdcPoCurrentPdcPhase(x,x,x)+25j
		mov	edx, [ebp+arg_8]
		mov	cl, [ebp+arg_4]
		call	_PopPowerAggregatorNotifyPdcSleepTransition@8 ;	PopPowerAggregatorNotifyPdcSleepTransition(x,x)
		mov	esi, eax
		jmp	short loc_6562CF
; 

loc_6562BC:				; CODE XREF: PdcPoCurrentPdcPhase(x,x,x)+1Cj
		cmp	[ebp+arg_4], 0
		setnz	cl
		call	_PopIdleCsStateChanged@4 ; PopIdleCsStateChanged(x)
		jmp	short loc_6562CF
; 

loc_6562CA:				; CODE XREF: PdcPoCurrentPdcPhase(x,x,x)+13j
		call	_PopDisarmIdlePhaseWatchdog@0 ;	PopDisarmIdlePhaseWatchdog()

loc_6562CF:				; CODE XREF: PdcPoCurrentPdcPhase(x,x,x)+2Fj
					; PdcPoCurrentPdcPhase(x,x,x)+3Aj ...
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
_PdcPoCurrentPdcPhase@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopAccumulateNonActivatedCpuTime(x,	x, x)
_PopAccumulateNonActivatedCpuTime@12 proc near
					; CODE XREF: PopUpdateNonAttributedCpuTimeReference(x)+50p
					; PopDripsWatchdogUpdateMetrics(x,x,x,x,x,x,x)+145p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_4], edx
		push	esi
		mov	[ebp+var_C], eax
		mov	bl, cl
		mov	[ebp+var_8], eax
		xor	ecx, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_C]
		push	edi
		push	eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		lea	edx, [ebp+var_14]
		mov	ecx, eax
		call	_PpmParkSnapNodeIdleTime@12 ; PpmParkSnapNodeIdleTime(x,x,x)
		mov	esi, [ebp+var_10]
		test	bl, bl
		mov	edi, [ebp+var_14]
		mov	ebx, [ebp+var_4]
		jnz	short loc_65632D
		mov	eax, [ebp+arg_0]
		mov	edx, edi
		sub	edx, [ebx]
		mov	ecx, esi
		sbb	ecx, [ebx+4]
		sub	edx, [ebp+var_C]
		sbb	ecx, [ebp+var_8]
		add	[eax], edx
		adc	[eax+4], ecx

loc_65632D:				; CODE XREF: PopAccumulateNonActivatedCpuTime(x,x,x)+3Ej
		sub	edi, [ebp+var_C]
		mov	[ebx], edi
		sbb	esi, [ebp+var_8]
		pop	edi
		mov	[ebx+4], esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopAccumulateNonActivatedCpuTime@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopGetModernStandbyTransitionReason(x, x)
_PopGetModernStandbyTransitionReason@8 proc near ; CODE	XREF: PopCalculateCsSummary(x,x)+95p
					; PopCalculateCsSummary(x,x)+338p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	bl, cl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopModernStandbyTransitionInfo
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	bl, bl
		jz	short loc_65636D
		mov	edi, ds:dword_6B5C98
		xor	ecx, ecx
		mov	eax, ecx
		jmp	short loc_65637E
; 

loc_65636D:				; CODE XREF: PopGetModernStandbyTransitionReason(x,x)+20j
		mov	edi, ds:dword_6B5C9C
		mov	ecx, ds:dword_6B5CA0
		mov	eax, ds:dword_6B5CA4

loc_65637E:				; CODE XREF: PopGetModernStandbyTransitionReason(x,x)+2Cj
		test	esi, esi
		jz	short loc_656387
		mov	[esi], ecx
		mov	[esi+4], eax

loc_656387:				; CODE XREF: PopGetModernStandbyTransitionReason(x,x)+41j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopModernStandbyTransitionInfo
		jz	short loc_65639F
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6563A4
; 

loc_65639F:				; CODE XREF: PopGetModernStandbyTransitionReason(x,x)+54j
		xor	eax, eax
		lock and [ecx],	eax

loc_6563A4:				; CODE XREF: PopGetModernStandbyTransitionReason(x,x)+5Ej
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_PopGetModernStandbyTransitionReason@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdlePhaseWatchdogCallback(x, x, x, x, x,	x)
_PopIdlePhaseWatchdogCallback@24 proc near ; DATA XREF:	PopArmIdlePhaseWatchdog(x)+DDo

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+48h+var_3C]
		stosd
		lea	edx, [esp+48h+var_1C]
		push	0Ah
		pop	ecx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+48h+var_28]
		rep stosd
		lea	ecx, [esp+48h+var_20]
		call	_PopSnapSystemIdleContext@8 ; PopSnapSystemIdleContext(x,x)
		lea	ecx, [esp+48h+var_3C]
		call	_PopPdcSnapDiagnosticContext@4 ; PopPdcSnapDiagnosticContext(x)
		mov	edi, offset unk_6C06C4
		mov	ecx, edi
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		mov	eax, ds:dword_6C06CC
		xor	esi, esi
		mov	ecx, edi
		mov	[esp+48h+var_28], eax
		mov	ds:dword_6C06CC, esi
		mov	ds:dword_6C06D0, esi
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)
		mov	eax, [esp+48h+var_3C]
		lea	ecx, [esp+48h+var_4]
		mov	[esp+48h+var_18], eax
		mov	eax, [esp+48h+var_38]
		mov	[esp+48h+var_14], eax
		mov	eax, [esp+48h+var_34]
		mov	[esp+48h+var_10], eax
		mov	eax, [esp+48h+var_30]
		mov	[esp+48h+var_C], eax
		mov	eax, [esp+48h+var_2C]
		mov	[esp+48h+var_8], eax
		call	_PopPowerAggregatorSnapDiagnosticContext@4 ; PopPowerAggregatorSnapDiagnosticContext(x)
		push	esi		; int
		push	esi		; int
		push	esi		; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		push	offset ??_C@_1CE@IFGNEOBB@?$AAI?$AAd?$AAl?$AAe?$AAP?$AAh?$AAa?$AAs?$AAe?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd@FNODOBFM@	; int
		call	_DbgkWerCaptureLiveKernelDump@36 ; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)
		cmp	[esp+48h+var_28], 0
		mov	esi, eax
		mov	ebx, 67696450h
		jz	short loc_65647C
		push	ebx
		push	[esp+4Ch+var_28]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_65647C:				; CODE XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+BDj
		cmp	[esp+48h+var_20], 0
		jz	short loc_65648D
		push	ebx
		push	[esp+4Ch+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_65648D:				; CODE XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+CEj
		cmp	[esp+48h+var_18], 0
		mov	edi, 54445050h
		jz	short loc_6564A3
		push	edi
		push	[esp+4Ch+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6564A3:				; CODE XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+E4j
		cmp	[esp+48h+var_14], 0
		jz	short loc_6564B4
		push	edi
		push	[esp+4Ch+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6564B4:				; CODE XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+F5j
		cmp	[esp+48h+var_10], 0
		jz	short loc_6564C5
		push	edi
		push	[esp+4Ch+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6564C5:				; CODE XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+106j
		cmp	[esp+48h+var_C], 0
		jz	short loc_6564D6
		push	edi
		push	[esp+4Ch+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6564D6:				; CODE XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+117j
		cmp	[esp+48h+var_8], 0
		jz	short loc_6564E7
		push	edi
		push	[esp+4Ch+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6564E7:				; CODE XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+128j
		cmp	[esp+48h+var_4], 0
		jz	short loc_6564F8
		push	ebx
		push	[esp+4Ch+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6564F8:				; CODE XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+139j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_PopIdlePhaseWatchdogCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetModernStandbyTransitionReason(x, x)
_PopSetModernStandbyTransitionReason@8 proc near
					; CODE XREF: PopSleepstudyStartNextSession+A6CA9p
					; PopSleepstudyStartNextSession+A6DA0p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	bl, cl
		mov	esi, edx
		push	edi
		lea	ecx, [ebp+var_8]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	edi, eax
		mov	[ebp+var_4], edx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopModernStandbyTransitionInfo
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	ds:byte_6B5C94,	bl
		jz	short loc_65655E
		mov	ds:byte_6B5C94,	bl
		test	bl, bl
		jz	short loc_65654A
		mov	ds:dword_6B5C98, esi
		jmp	short loc_65655E
; 

loc_65654A:				; CODE XREF: PopSetModernStandbyTransitionReason(x,x)+3Dj
		mov	eax, [ebp+var_4]
		mov	ds:dword_6B5C9C, esi
		mov	ds:dword_6B5CA0, edi
		mov	ds:dword_6B5CA4, eax

loc_65655E:				; CODE XREF: PopSetModernStandbyTransitionReason(x,x)+33j
					; PopSetModernStandbyTransitionReason(x,x)+45j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopModernStandbyTransitionInfo
		jz	short loc_656576
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65657B
; 

loc_656576:				; CODE XREF: PopSetModernStandbyTransitionReason(x,x)+67j
		xor	eax, eax
		lock and [ecx],	eax

loc_65657B:				; CODE XREF: PopSetModernStandbyTransitionReason(x,x)+71j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopSetModernStandbyTransitionReason@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdateNonAttributedCpuTimeReference(x)
_PopUpdateNonAttributedCpuTimeReference@4 proc near
					; CODE XREF: PopFxPlatformStateAvailable(x,x)+2Ep
					; PopFxPlatformStateAvailable(x,x)+4Dp	...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	[ebp+var_1], cl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset dword_6D4648
		mov	[ebp+var_2], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	[ebp+var_1], 0
		jz	short loc_6565C3
		mov	ecx, ds:dword_6D4644
		inc	ecx
		mov	ds:dword_6D4644, ecx
		cmp	ecx, 1
		jnz	short loc_6565DD
		xor	cl, cl
		jmp	short loc_6565CE
; 

loc_6565C3:				; CODE XREF: PopUpdateNonAttributedCpuTimeReference(x)+23j
		sub	ds:dword_6D4644, 1
		jnz	short loc_6565DD
		mov	cl, 1

loc_6565CE:				; CODE XREF: PopUpdateNonAttributedCpuTimeReference(x)+39j
		push	offset dword_6D4540
		mov	edx, offset unk_6D4538
		call	_PopAccumulateNonActivatedCpuTime@12 ; PopAccumulateNonActivatedCpuTime(x,x,x)

loc_6565DD:				; CODE XREF: PopUpdateNonAttributedCpuTimeReference(x)+35j
					; PopUpdateNonAttributedCpuTimeReference(x)+42j
		test	ds:byte_70EFC6,	1
		jz	short loc_6565F2
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6565F7
; 

loc_6565F2:				; CODE XREF: PopUpdateNonAttributedCpuTimeReference(x)+5Cj
		xor	eax, eax
		lock and [esi],	eax

loc_6565F7:				; CODE XREF: PopUpdateNonAttributedCpuTimeReference(x)+68j
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		leave
		retn
_PopUpdateNonAttributedCpuTimeReference@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFlushAndHold(x, x)
_PopFlushAndHold@8 proc	near		; CODE XREF: PopFlushVolumeWorker+7224p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie

loc_656610:				; DATA XREF: .text:00430380o
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], 1
		push	esi
		push	esi
		push	18h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_1C], esi
		push	eax
		push	53C000h
		push	edx
		push	esi
		push	esi
		push	esi
		push	ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], 0FFFFFFFFh
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopFlushAndHold@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCheckPowerSourceAfterRtcWakeSet()
_PopCheckPowerSourceAfterRtcWakeSet@0 proc near	; CODE XREF: PAGELK:0071FAB5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	offset _PopCheckPowerSourceAfterRtcWakeCompleted
		call	_KeResetEvent@4	; KeResetEvent(x)
		or	[ebp+var_8], 0FFFFFFFFh
		lea	eax, [ebp+var_10]
		or	[ebp+var_4], 0FFFFFFFFh
		xor	ecx, ecx
		push	eax
		push	ecx
		push	ecx
		push	0FFFFFFFFh
		push	0FF676980h
		push	ecx
		push	ds:_PopCheckPowerSourceAfterRtcWakeTime
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		call	__allmul
		push	edx
		push	eax
		push	offset _PopCheckPowerSourceAfterRtcWakeTimer
		call	KeSetTimer2
		leave
		retn
_PopCheckPowerSourceAfterRtcWakeSet@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopCheckPowerSourceAfterRtcWakeTimerCallback(x, x)
_PopCheckPowerSourceAfterRtcWakeTimerCallback@8	proc near
					; DATA XREF: PopCheckPowerSourceAfterRtcWakeInitialize()+Co
		xor	edx, edx
		mov	ecx, offset unk_6C0518
		inc	edx
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)
		retn	8
_PopCheckPowerSourceAfterRtcWakeTimerCallback@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCompleteDirectedPowerTransitionCallback(x, x, x)
_PopCompleteDirectedPowerTransitionCallback@12 proc near
					; CODE XREF: PopFxCompleteDirectedPowerTransition(x,x)+118p
					; PopIssueDirectedPowerTransition(x,x)+15p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		xor	eax, eax
		mov	edx, [edi+1Ch]
		mov	ebx, [esi+4]
		add	edx, 5Ch
		cmp	[ebp+arg_0], eax
		jge	short loc_6566CE
		mov	eax, [edi+34h]

loc_6566CE:				; CODE XREF: PopCompleteDirectedPowerTransitionCallback(x,x,x)+1Aj
		push	eax
		push	[ebp+arg_0]
		mov	ecx, esi
		call	PopCompleteNotifyTransitionCommon
		cmp	byte ptr [esi],	2
		jnz	short loc_6566EE
		cmp	ebx, 1
		jnz	short loc_6566EE
		mov	ecx, [edi+1Ch]
		mov	ecx, [ecx+10h]
		call	PoFxIdleDevice

loc_6566EE:				; CODE XREF: PopCompleteDirectedPowerTransitionCallback(x,x,x)+2Dj
					; PopCompleteDirectedPowerTransitionCallback(x,x,x)+32j
		push	0
		push	1
		push	0
		push	dword ptr [esi+18h]
		call	KeReleaseSemaphore
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PopCompleteDirectedPowerTransitionCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopKsrCallback(x, x, x)
_PopKsrCallback@12 proc	near		; DATA XREF: PopSetupKsrCallbacks+F52Do

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		sub	eax, 0
		jz	short loc_656729
		sub	eax, 1
		jz	short loc_656720
		dec	eax
		sub	eax, 1
		jz	short loc_656729
		sub	eax, 1
		jnz	short loc_656730

loc_656720:				; CODE XREF: PopKsrCallback(x,x,x)+10j
		mov	ds:_PopKsrPrepared, 0
		jmp	short loc_656730
; 

loc_656729:				; CODE XREF: PopKsrCallback(x,x,x)+Bj
					; PopKsrCallback(x,x,x)+16j
		mov	ds:_PopKsrPrepared, 1

loc_656730:				; CODE XREF: PopKsrCallback(x,x,x)+1Bj
					; PopKsrCallback(x,x,x)+24j
		pop	ebp
		retn	0Ch
_PopKsrCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopLogNotifyDevice(x, x, x)
_PopLogNotifyDevice@12 proc near	; CODE XREF: PopRequestPowerIrp+85736p
					; PopNotifyDevice+AE27p

var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= byte ptr -114h
var_113		= byte ptr -113h
var_112		= byte ptr -112h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_104		= dword	ptr -104h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 120h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		push	100h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_11C]
		mov	esi, edx
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		test	ds:dword_70EFD0, 8000h
		jz	loc_656841
		mov	ecx, [edi+60h]
		mov	eax, [ebx+8]
		xor	ebx, ebx
		mov	[ebp+var_11C], edi
		mov	eax, [eax+0Ch]
		mov	[ebp+var_118], eax
		mov	al, [ecx-24h]
		mov	[ebp+var_113], al
		mov	al, [ecx-23h]
		mov	[ebp+var_112], al
		mov	eax, [ecx-1Ch]
		mov	[ebp+var_110], eax
		mov	eax, [ecx-18h]
		mov	[ebp+var_10C], eax
		test	esi, esi
		jz	short loc_6567FD
		mov	al, [esi+1Ch]
		mov	edx, [esi+24h]
		mov	[ebp+var_114], al
		test	edx, edx
		jz	short loc_656803
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_6567CE:				; CODE XREF: PopLogNotifyDevice(x,x,x)+A3j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_6567CE
		sub	ecx, esi
		sar	ecx, 1
		mov	esi, ecx
		cmp	ecx, 72h
		jbe	short loc_6567E7
		push	72h
		pop	esi

loc_6567E7:				; CODE XREF: PopLogNotifyDevice(x,x,x)+AEj
		sub	ecx, esi
		lea	eax, [edx+ecx*2]
		push	eax
		push	73h
		pop	edx
		lea	ecx, [ebp+var_104]
		call	RtlStringCchCopyW
		jmp	short loc_65680E
; 

loc_6567FD:				; CODE XREF: PopLogNotifyDevice(x,x,x)+83j
		mov	[ebp+var_114], bl

loc_656803:				; CODE XREF: PopLogNotifyDevice(x,x,x)+93j
		xor	eax, eax
		mov	esi, ebx
		mov	word ptr [ebp+var_104],	ax

loc_65680E:				; CODE XREF: PopLogNotifyDevice(x,x,x)+C7j
		push	offset byte_401802
		lea	eax, [ebp+var_11C]
		mov	[ebp+var_18], ebx
		mov	[ebp+var_1C], eax
		lea	ecx, [ebp+var_1C]
		push	1226h
		xor	edx, edx
		mov	[ebp+var_10], ebx
		lea	eax, ds:1Ch[esi*2]
		inc	edx
		push	80008000h
		mov	[ebp+var_14], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_656841:				; CODE XREF: PopLogNotifyDevice(x,x,x)+40j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopLogNotifyDevice@12 endp


;  S U B	R O U T	I N E 


; __stdcall PpmCheckApplyResetNotification()
_PpmCheckApplyResetNotification@0 proc near ; CODE XREF: PpmPostProcessMediaBuffering()+23p
		push	5
		pop	ecx
		jmp	_PpmCheckCustomRun@4 ; PpmCheckCustomRun(x)
_PpmCheckApplyResetNotification@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmCapturePerformanceDistribution(x, x, x, x, x)
_PpmCapturePerformanceDistribution@20 proc near	; CODE XREF: PAGE:0077E3A1p
					; PAGE:0077E41Cp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[esp+40h+var_38], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [esp+48h+var_10]
		mov	[esp+48h+var_2C], ecx
		mov	ecx, [ebp+arg_4]
		mov	esi, edx
		stosd
		mov	[esp+48h+var_34], esi
		mov	[esp+48h+var_30], ebx
		mov	[esp+48h+var_28], esi
		stosd
		stosd
		xor	eax, eax
		and	[esp+48h+var_3C], eax
		and	[esp+48h+var_20], eax
		and	[esp+48h+var_1C], 0
		mov	[esp+48h+var_12], ax
		lea	eax, ds:4[ebx*4]
		mov	[esp+48h+var_24], eax
		mov	ax, [ecx+4]
		mov	[esp+48h+var_14], ax
		mov	eax, [ecx]
		mov	[esp+48h+var_18], eax

loc_6568C9:				; CODE XREF: PpmCapturePerformanceDistribution(x,x,x,x,x)+B0j
					; PpmCapturePerformanceDistribution(x,x,x,x,x)+EAj
		lea	eax, [esp+48h+var_1C]
		push	eax
		lea	eax, [esp+4Ch+var_3C]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_656948
		mov	ecx, [esp+48h+var_3C]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	cl, 2
		mov	edi, eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		lea	eax, [esp+48h+var_2C]
		push	0
		push	eax
		push	edi
		call	_PpmCapturePerformanceDistributionCallback@12 ;	PpmCapturePerformanceDistributionCallback(x,x,x)
		mov	cl, bl
		mov	esi, eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jns	short loc_6568C9
		and	[esp+48h+var_C], 0
		xor	ebx, ebx
		inc	ebx
		xor	ecx, ecx
		mov	word ptr [esp+48h+var_10], bx
		mov	edx, offset _PpmCapturePerformanceDistributionCallback@12 ; PpmCapturePerformanceDistributionCallback(x,x,x)
		mov	word ptr [esp+48h+var_10+2], bx
		mov	eax, [edi+3CCh]
		bts	ecx, eax
		push	0
		lea	eax, [esp+4Ch+var_2C]
		mov	[esp+4Ch+var_8], ecx
		push	eax
		lea	ecx, [esp+50h+var_10]
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		test	eax, eax
		jns	short loc_6568C9
		jmp	short loc_65696B
; 

loc_656948:				; CODE XREF: PpmCapturePerformanceDistribution(x,x,x,x,x)+80j
		mov	ecx, [esp+48h+var_38]
		mov	eax, [esp+48h+var_24]
		mov	[ecx], eax
		cmp	eax, [esp+48h+var_34]
		jbe	short loc_65695F
		mov	eax, 0C0000004h
		jmp	short loc_65696B
; 

loc_65695F:				; CODE XREF: PpmCapturePerformanceDistribution(x,x,x,x,x)+FCj
		mov	eax, [esp+48h+var_2C]
		mov	ecx, [esp+48h+var_30]
		mov	[eax], ecx
		xor	eax, eax

loc_65696B:				; CODE XREF: PpmCapturePerformanceDistribution(x,x,x,x,x)+ECj
					; PpmCapturePerformanceDistribution(x,x,x,x,x)+103j
		mov	ecx, [esp+48h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PpmCapturePerformanceDistribution@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmCapturePerformanceDistributionCallback(x, x, x)
_PpmCapturePerformanceDistributionCallback@12 proc near
					; CODE XREF: PpmCapturePerformanceDistribution(x,x,x,x,x)+9Fp
					; DATA XREF: PpmCapturePerformanceDistribution(x,x,x,x,x)+C1o

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[esp+88h+var_78], eax
		mov	esi, [edi+8]
		lea	ecx, [esi+7]
		cmp	ecx, esi
		jb	short loc_6569B1
		mov	esi, ecx
		and	esi, 0FFFFFFF8h

loc_6569B1:				; CODE XREF: PpmCapturePerformanceDistributionCallback(x,x,x)+2Bj
		mov	eax, [eax+3EA4h]
		mov	[esp+88h+var_74], eax
		neg	eax
		sbb	ebx, ebx
		xor	eax, eax
		and	ebx, 2
		mov	ecx, ebx
		shl	ecx, 4
		add	ecx, 8
		add	ecx, esi
		mov	[esp+88h+var_6C], ecx
		cmp	ecx, [edi+4]
		ja	loc_656AD3
		mov	ecx, [edi]
		lea	edx, [ecx+esi]
		mov	[esp+88h+var_70], edx
		cmp	[esp+88h+var_74], eax
		jz	loc_656AB6
		push	60h		; size_t
		push	eax		; int
		lea	eax, [esp+90h+var_68]
		push	eax		; void *
		call	_memset
		mov	eax, large fs:20h
		add	esp, 0Ch
		mov	ecx, [esp+88h+var_78]
		cmp	ecx, eax
		lea	eax, [esp+88h+var_68]
		setnz	byte ptr [esp+88h+var_74]
		xor	dl, dl
		push	eax
		push	0
		push	[esp+90h+var_74]
		call	PpmSnapPerformanceAccumulation
		test	al, al
		jnz	short loc_656A2F
		mov	eax, 0C0000001h
		jmp	loc_656AD6
; 

loc_656A2F:				; CODE XREF: PpmCapturePerformanceDistributionCallback(x,x,x)+A4j
		mov	eax, [esp+88h+var_5C]
		mov	ecx, 0FFh
		mul	ecx
		mov	edx, 0FFh
		mov	ecx, eax
		mov	eax, [esp+88h+var_60]
		mul	edx
		add	ecx, edx
		mov	edx, eax
		sub	edx, [esp+88h+var_50]
		mov	eax, [esp+88h+var_78]
		sbb	ecx, [esp+88h+var_4C]
		mov	[esp+88h+var_74], ecx
		mov	ecx, ds:_PpmHvPerformanceDistributionShift
		cmp	dword ptr [eax+3E38h], 3
		jz	short loc_656A70
		mov	ecx, ds:_PpmPerformanceDistributionShift

loc_656A70:				; CODE XREF: PpmCapturePerformanceDistributionCallback(x,x,x)+E9j
		mov	eax, edx
		mov	[esp+88h+var_78], ecx
		mov	edx, [esp+88h+var_74]
		call	__aullshr
		mov	ecx, [esp+88h+var_70]
		mov	[ecx+8], eax
		mov	eax, [esp+88h+var_50]
		mov	[ecx+0Ch], edx
		mov	edx, [esp+88h+var_4C]
		mov	byte ptr [ecx+10h], 0
		mov	ecx, [esp+88h+var_78]
		call	__aullshr
		mov	ecx, [esp+88h+var_70]
		mov	[ecx+18h], eax
		mov	eax, 0FFh
		mov	[ecx+1Ch], edx
		mov	edx, [esp+88h+var_70]
		mov	[ecx+20h], al
		mov	ecx, [edi]

loc_656AB6:				; CODE XREF: PpmCapturePerformanceDistributionCallback(x,x,x)+69j
		mov	eax, [edi+0Ch]
		mov	[ecx+eax*4+4], esi
		movzx	ecx, large byte	ptr fs:51h
		inc	dword ptr [edi+0Ch]
		xor	eax, eax
		mov	[edx], ecx
		mov	ecx, [esp+88h+var_6C]
		mov	[edx+4], ebx

loc_656AD3:				; CODE XREF: PpmCapturePerformanceDistributionCallback(x,x,x)+56j
		mov	[edi+8], ecx

loc_656AD6:				; CODE XREF: PpmCapturePerformanceDistributionCallback(x,x,x)+ABj
		mov	ecx, [esp+88h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PpmCapturePerformanceDistributionCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmConvertTimeTo(x,	x, x, x)
_PpmConvertTimeTo@16 proc near		; CODE XREF: PopDripsWatchdogUpdateMetrics(x,x,x,x,x,x,x)+157p
					; PopIdleWakeConvertIntervalBucketsTo(x,x,x,x,x)+22p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ds:dword_70ED2C
		push	ds:_PopQpcFrequency
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PpmConvertTime
		pop	ebp
		retn	10h
_PpmConvertTimeTo@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmDisableHighPerfRequestDeferredExpiration(x)
_PpmDisableHighPerfRequestDeferredExpiration@4 proc near
					; CODE XREF: PopPowerAggregatorScreenOffExitStateHandler(x)+60p
					; PdcPoPerfOverride()+Ap ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	bl, cl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PpmHighPerfRequestLock
		mov	bh, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	bl, bl
		jz	short loc_656B86
		push	offset _PpmHighPerfEndTimer
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		xor	edi, edi
		mov	esi, edi
		mov	ds:_PpmHighPerfDeferredEndTime,	edi
		mov	ds:dword_6C206C, edi
		cmp	ds:_PpmHighPerfDeferredEndCount, esi
		jbe	short loc_656B6F

loc_656B58:				; CODE XREF: PpmDisableHighPerfRequestDeferredExpiration(x)+5Aj
		mov	ecx, ds:_PpmHighPerfPowerRequest
		push	4
		pop	edx
		call	PoClearPowerRequestInternal
		inc	esi
		cmp	esi, ds:_PpmHighPerfDeferredEndCount
		jb	short loc_656B58

loc_656B6F:				; CODE XREF: PpmDisableHighPerfRequestDeferredExpiration(x)+43j
		mov	ds:_PpmHighPerfDeferredEndCount, edi
		mov	esi, offset _PpmHighPerfRequestLock
		mov	ds:_PpmHighPerfDeferredEndTime,	edi
		mov	ds:dword_6C206C, edi

loc_656B86:				; CODE XREF: PpmDisableHighPerfRequestDeferredExpiration(x)+21j
		test	ds:byte_70EFC6,	1
		mov	ds:_PpmHighPerfDeferredEndDisabled, bl
		jz	short loc_656BA1
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_656BA6
; 

loc_656BA1:				; CODE XREF: PpmDisableHighPerfRequestDeferredExpiration(x)+80j
		xor	eax, eax
		lock and [esi],	eax

loc_656BA6:				; CODE XREF: PpmDisableHighPerfRequestDeferredExpiration(x)+8Cj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
_PpmDisableHighPerfRequestDeferredExpiration@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmGetThroughputInfoCallback(x, x, x)
_PpmGetThroughputInfoCallback@12 proc near ; CODE XREF:	PoGetPerfStateAndParkingInfo+16DC6Ep
					; DATA XREF: PoGetPerfStateAndParkingInfo+16DCA9o

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		lea	eax, [esp+70h+var_68]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		push	60h		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	eax, large fs:20h
		add	esp, 0Ch
		cmp	edi, eax
		mov	ecx, edi
		lea	eax, [esp+78h+var_68]
		setnz	byte ptr [esp+78h+var_6C]
		xor	dl, dl
		push	eax
		push	esi
		push	[esp+80h+var_6C]
		call	PpmSnapPerformanceAccumulation
		test	al, al
		jnz	short loc_656C13
		mov	esi, 0C0000001h
		jmp	loc_656C96
; 

loc_656C13:				; CODE XREF: PpmGetThroughputInfoCallback(x,x,x)+53j
		cmp	dword ptr [edi+3E38h], 3
		mov	edi, ds:_PpmHvPerformanceCounterShift
		jz	short loc_656C28
		mov	edi, ds:_PpmPerformanceCounterShift

loc_656C28:				; CODE XREF: PpmGetThroughputInfoCallback(x,x,x)+6Cj
		mov	eax, [esp+78h+var_48]
		mov	ecx, edi
		mov	edx, [esp+78h+var_44]
		call	__aullshr
		push	esi
		push	[ebp+arg_8]
		mov	[ebx+8], eax
		push	esi
		push	64h
		push	[esp+88h+var_4C]
		mov	[ebx+0Ch], edx
		push	[esp+8Ch+var_50]
		call	PpmConvertTime
		mov	ecx, edi
		call	__aullshr
		mov	[ebx+18h], eax
		mov	ecx, edi
		mov	eax, [esp+78h+var_40]
		mov	[ebx+1Ch], edx
		mov	edx, [esp+78h+var_3C]
		call	__aullshr
		mov	[ebx+10h], eax
		mov	ecx, edi
		mov	eax, [esp+78h+var_68]
		mov	[ebx+14h], edx
		mov	edx, [esp+78h+var_64]
		call	__aullshr
		mov	edx, [esp+78h+var_5C]
		mov	ecx, edi
		mov	[ebx], eax
		mov	eax, [esp+78h+var_60]
		call	__aullshr
		mov	[ebx+4], eax

loc_656C96:				; CODE XREF: PpmGetThroughputInfoCallback(x,x,x)+5Aj
		mov	ecx, [esp+78h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PpmGetThroughputInfoCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmTracePerfIdleRundown(x, x, x)
_PpmTracePerfIdleRundown@12 proc near	; DATA XREF: EtwpKernelTraceRundown+12A049o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	6
		pop	ecx
		lea	edi, [ebp+var_1C]
		rep stosd
		xor	edi, edi
		cmp	[esi+3EA0h], edi
		jz	short loc_656D27
		push	edi
		lea	eax, [ebp+var_1C]
		mov	ecx, esi
		push	eax
		push	edi
		push	edi
		lea	edx, [ebp+var_18]
		call	PpmPerfGetCurrentState
		mov	eax, [ebp+var_18]
		lea	ecx, [ebp+var_2C]
		mov	[ebp+var_14], eax
		xor	edx, edx
		mov	eax, [esi+3C8h]
		inc	edx
		push	offset byte_401802
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_1C]
		push	1233h
		push	80008000h
		mov	[ebp+var_8], edi
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], 18h
		mov	[ebp+var_20], edi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_656D27:				; CODE XREF: PpmTracePerfIdleRundown(x,x,x)+29j
		mov	ecx, [esi+3D70h]
		pop	edi
		pop	esi
		test	ecx, ecx
		jz	short loc_656D3D
		mov	ecx, [ecx+10h]
		mov	edx, ecx
		call	PpmEventIdleStateChange

loc_656D3D:				; CODE XREF: PpmTracePerfIdleRundown(x,x,x)+85j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PpmTracePerfIdleRundown@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmTranslateIdleAccounting(x, x, x)
_PpmTranslateIdleAccounting@12 proc near
					; CODE XREF: PpmWmiFireIdleAccountingEvent(x,x,x)+5Cp
					; PpmEventTraceProcessorIdleAccounting(x,x,x)+1C1p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		call	PpmUpdateProcessorIdleAccounting
		mov	ecx, [esi+4]
		mov	edx, [ecx]
		mov	[ebx], edx
		mov	eax, [ecx+4]
		mov	[ebx+4], eax
		mov	eax, [ecx+8]
		mov	[ebx+8], eax
		mov	eax, [ecx+0Ch]
		mov	[ebx+0Ch], eax
		mov	eax, [ecx+10h]
		mov	[ebx+10h], eax
		mov	eax, [ecx+14h]
		mov	[ebx+14h], eax
		mov	eax, [ecx+1Ch]
		mov	edi, [ecx+18h]
		mov	[ebp+var_18], edx
		mov	[ebp+var_C], eax
		test	edx, edx
		jz	loc_656FA4
		add	ebx, 20h
		lea	esi, [ecx+368h]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_8], esi

loc_656DA9:				; CODE XREF: PpmTranslateIdleAccounting(x,x,x)+24Ej
		add	edi, [esi-340h]
		mov	eax, [esi-33Ch]
		adc	[ebp+var_C], eax
		mov	eax, [esi-330h]
		add	eax, [esi-334h]
		add	eax, [esi-338h]
		mov	[ebx], eax
		mov	eax, [esi-334h]
		mov	[ebx+4], eax
		mov	eax, [esi-338h]
		push	0
		mov	[ebx+14h], eax
		mov	eax, [esi-32Ch]
		push	0F4240h
		mov	[ebx+8], eax
		mov	eax, ds:_PopQpcFrequency
		mov	[ebp+var_1C], edi
		mov	edi, ds:dword_70ED2C
		push	edi
		push	eax
		push	dword ptr [esi-33Ch]
		mov	[ebp+var_24], edi
		push	dword ptr [esi-340h]
		mov	[ebp+var_4], eax
		call	PpmConvertTime
		push	0
		push	0F4240h
		push	edi
		push	[ebp+var_4]
		mov	[ebx-8], eax
		mov	[ebx-4], edx
		push	dword ptr [esi-324h]
		push	dword ptr [esi-328h]
		call	PpmConvertTime
		push	0
		push	0F4240h
		push	edi
		push	[ebp+var_4]
		mov	[ebx+0Ch], eax
		push	dword ptr [esi-31Ch]
		push	dword ptr [esi-320h]
		call	PpmConvertTime
		mov	[ebx+10h], eax
		lea	edi, [esi-208h]
		lea	eax, [ebx+24h]
		mov	[ebp+var_10], 10h
		mov	ebx, [ebp+var_24]
		mov	esi, eax
		mov	[ebp+var_20], eax

loc_656E71:				; CODE XREF: PpmTranslateIdleAccounting(x,x,x)+180j
		push	0
		push	0F4240h
		push	ebx
		push	[ebp+var_4]
		push	dword ptr [edi-0Ch]
		push	dword ptr [edi-10h]
		call	PpmConvertTime
		push	0
		push	0F4240h
		push	ebx
		push	[ebp+var_4]
		mov	[esi-0Ch], eax
		mov	[esi-8], edx
		push	dword ptr [edi-4]
		push	dword ptr [edi-8]
		call	PpmConvertTime
		push	0
		push	0F4240h
		push	ebx
		push	[ebp+var_4]
		mov	[esi-4], eax
		push	dword ptr [edi+4]
		push	dword ptr [edi]
		call	PpmConvertTime
		sub	[ebp+var_10], 1
		lea	edi, [edi+20h]
		mov	[esi], eax
		lea	esi, [esi+18h]
		mov	eax, [edi-18h]
		mov	[esi-14h], eax
		jnz	short loc_656E71
		mov	eax, [ebp+var_8]
		mov	ebx, [ebp+var_14]
		add	eax, 0FFFFFD70h
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], 4

loc_656EE4:				; CODE XREF: PpmTranslateIdleAccounting(x,x,x)+217j
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_656F5A
		mov	edi, ds:dword_70ED2C
		add	[ebx+28h], ecx
		mov	esi, ds:_PopQpcFrequency
		push	0
		push	0F4240h
		push	edi
		push	esi
		push	dword ptr [eax-4]
		push	dword ptr [eax-8]
		call	PpmConvertTime
		add	[ebx+18h], eax
		mov	eax, [ebp+var_4]
		adc	[ebx+1Ch], edx
		push	0
		push	0F4240h
		push	edi
		push	esi
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		call	PpmConvertTime
		push	0
		push	0F4240h
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_4]
		push	edi
		push	esi
		push	dword ptr [eax+0Ch]
		push	dword ptr [eax+8]
		call	PpmConvertTime
		mov	ecx, [ebp+var_24]
		cmp	[ebx+20h], ecx
		jbe	short loc_656F4F
		mov	[ebx+20h], ecx

loc_656F4F:				; CODE XREF: PpmTranslateIdleAccounting(x,x,x)+1FDj
		cmp	[ebx+24h], eax
		jnb	short loc_656F57
		mov	[ebx+24h], eax

loc_656F57:				; CODE XREF: PpmTranslateIdleAccounting(x,x,x)+205j
		mov	eax, [ebp+var_4]

loc_656F5A:				; CODE XREF: PpmTranslateIdleAccounting(x,x,x)+19Cj
		add	eax, 20h
		sub	[ebp+var_10], 1
		mov	[ebp+var_4], eax
		jnz	loc_656EE4
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		mov	eax, [ebx+8]
		push	6
		pop	edx

loc_656F75:				; CODE XREF: PpmTranslateIdleAccounting(x,x,x)+233j
		add	eax, [ecx]
		lea	ecx, [ecx+20h]
		mov	[ebx+8], eax
		sub	edx, 1
		jnz	short loc_656F75
		mov	edi, [ebp+var_1C]
		add	ebx, 1A0h
		add	esi, 3E8h
		mov	[ebp+var_14], ebx
		sub	[ebp+var_18], 1
		mov	[ebp+var_8], esi
		jnz	loc_656DA9
		mov	eax, [ebp+var_C]

loc_656FA4:				; CODE XREF: PpmTranslateIdleAccounting(x,x,x)+47j
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_656FCA
		push	0
		push	0F4240h
		push	ds:dword_70ED2C
		push	ds:_PopQpcFrequency
		push	eax
		push	edi
		call	PpmConvertTime
		mov	[esi], eax
		mov	[esi+4], edx

loc_656FCA:				; CODE XREF: PpmTranslateIdleAccounting(x,x,x)+25Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PpmTranslateIdleAccounting@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmTranslatePlatformIdleAccounting(x, x)
_PpmTranslatePlatformIdleAccounting@8 proc near
					; CODE XREF: PpmEventTracePlatformIdleAccounting()+1A2p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		mov	edx, [ecx+4]
		and	[ebp+var_C], ebx
		mov	[ebp+var_28], esi
		mov	[esi], edx
		mov	eax, [ecx]
		mov	[esi+4], eax
		mov	eax, [ecx+10h]
		mov	[esi+10h], eax
		mov	eax, [ecx+14h]
		mov	[ebp+var_18], edx
		mov	[esi+14h], eax
		test	edx, edx
		jz	loc_657135
		push	edi
		lea	eax, [esi+28h]
		lea	edi, [ecx+1Ch]
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], edi
		mov	esi, eax

loc_657015:				; CODE XREF: PpmTranslatePlatformIdleAccounting(x,x)+15Aj
		mov	eax, [edi+4]
		add	eax, [edi]
		add	eax, [edi-4]
		add	ebx, eax
		mov	[esi-8], eax
		mov	eax, [edi]
		adc	[ebp+var_C], 0
		mov	[esi-4], eax
		mov	eax, [edi-4]
		push	0
		mov	[esi], eax
		mov	eax, [edi+24h]
		push	0F4240h
		mov	[esi+0Ch], eax
		mov	eax, ds:_PopQpcFrequency
		mov	[ebp+var_1C], ebx
		mov	ebx, ds:dword_70ED2C
		push	ebx
		push	eax
		push	dword ptr [edi+20h]
		mov	[ebp+var_24], ebx
		push	dword ptr [edi+1Ch]
		mov	[ebp+var_4], eax
		call	PpmConvertTime
		push	0
		push	0F4240h
		push	ebx
		push	[ebp+var_4]
		mov	[esi+10h], eax
		mov	[esi+14h], edx
		push	dword ptr [edi+18h]
		push	dword ptr [edi+14h]

loc_657075:				; DATA XREF: .text:0041A7FCo
		call	PpmConvertTime
		push	0
		push	0F4240h
		push	ebx
		push	[ebp+var_4]
		mov	[esi+8], eax
		push	dword ptr [edi+10h]
		push	dword ptr [edi+0Ch]
		call	PpmConvertTime
		mov	[esi+4], eax
		lea	ebx, [edi+0BCh]
		mov	edi, [ebp+var_24]
		lea	eax, [esi+2Ch]
		mov	[ebp+var_20], eax
		mov	esi, eax
		mov	[ebp+var_10], 1Ah

loc_6570AE:				; CODE XREF: PpmTranslatePlatformIdleAccounting(x,x)+139j
		push	0
		push	0F4240h
		push	edi
		push	[ebp+var_4]
		push	dword ptr [ebx-0Ch]
		push	dword ptr [ebx-10h]
		call	PpmConvertTime
		push	0
		push	0F4240h
		push	edi
		push	[ebp+var_4]
		mov	[esi-0Ch], eax
		mov	[esi-8], edx
		push	dword ptr [ebx-4]
		push	dword ptr [ebx-8]
		call	PpmConvertTime
		push	0
		push	0F4240h
		push	edi
		push	[ebp+var_4]
		mov	[esi-4], eax
		push	dword ptr [ebx+4]
		push	dword ptr [ebx]
		call	PpmConvertTime
		sub	[ebp+var_10], 1
		lea	ebx, [ebx+20h]
		mov	[esi], eax
		lea	esi, [esi+18h]
		mov	eax, [ebx-18h]
		mov	[esi-14h], eax
		jnz	short loc_6570AE
		mov	esi, [ebp+var_8]
		mov	edi, [ebp+var_14]
		add	esi, 298h
		mov	ebx, [ebp+var_1C]
		add	edi, 3F0h
		sub	[ebp+var_18], 1
		mov	[ebp+var_8], esi
		mov	[ebp+var_14], edi
		jnz	loc_657015
		mov	esi, [ebp+var_28]
		pop	edi

loc_657135:				; CODE XREF: PpmTranslatePlatformIdleAccounting(x,x)+2Fj
		mov	eax, [ebp+var_C]
		mov	[esi+8], ebx
		mov	[esi+0Ch], eax
		pop	esi
		pop	ebx
		leave
		retn
_PpmTranslatePlatformIdleAccounting@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopHandleSystemIdleReset(x)
_PopHandleSystemIdleReset@4 proc near	; CODE XREF: PopResetIdleTime(x)+15j
		cmp	ds:_PopPlatformAoAc, 0
		jnz	short loc_657160
		push	0
		push	0
		push	102h
		push	0Ah
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_657160:				; CODE XREF: PopHandleSystemIdleReset(x)+7j
		cmp	ecx, 2
		jnz	short locret_65717D
		push	4
		pop	ecx
		mov	eax, offset _PopPendingSystemIdleResetMask
		lock or	[eax], ecx
		add	ecx, 7Ch
		call	PopGetPolicyWorker
		jmp	PopCheckForWork
; 

locret_65717D:				; CODE XREF: PopHandleSystemIdleReset(x)+21j
		retn
_PopHandleSystemIdleReset@4 endp ; sp =	-14h


;  S U B	R O U T	I N E 


; __stdcall PopCheckForDeepSleep()
_PopCheckForDeepSleep@0	proc near	; CODE XREF: PpmCheckPreConditionsForDeepSleep(x)+9p
		cmp	ds:_PopDeepSleepIsEnabled, 0
		jz	short loc_65719C
		mov	al, ds:_PopDeepSleepIsEngaged
		test	al, al
		jz	short loc_65719C
		mov	al, ds:_PopDeepSleepEvaluateWorkItemQueued
		test	al, al
		jnz	short loc_65719C
		inc	al
		retn
; 

loc_65719C:				; CODE XREF: PopCheckForDeepSleep()+7j
					; PopCheckForDeepSleep()+10j ...
		xor	al, al
		retn
_PopCheckForDeepSleep@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDeepSleepEvaluateCallback(x)
_PopDeepSleepEvaluateCallback@4	proc near ; DATA XREF: PopDeepSleepInitialize(x)+1Ao
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx

loc_6571A5:				; CODE XREF: PopDeepSleepEvaluateCallback(x)+9Fj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopDeepSleepDisengageReasonLock
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	al, ds:_PopDeepSleepIsEngaged
		xor	ecx, ecx
		cmp	ds:_PopDeepSleepEnforced, cl
		setnz	cl
		add	ecx, 2
		cmp	ds:_PopDeepSleepDisengageReasonMask, 0
		setz	bl
		cmp	al, bl
		jz	short loc_657243
		test	bl, bl
		jz	short loc_6571F4
		push	1Eh
		pop	eax
		xor	edx, edx
		div	ds:_KeMaximumIncrement
		push	0
		inc	eax
		push	eax
		push	ecx
		push	ecx
		call	_PopDiagTraceIdleResiliencyStart@20 ; PopDiagTraceIdleResiliencyStart(x,x,x,x,x)
		jmp	short loc_6571FB
; 

loc_6571F4:				; CODE XREF: PopDeepSleepEvaluateCallback(x)+3Bj
		push	ecx
		push	ecx
		call	_PopDiagTraceIdleResiliencyEnd@12 ; PopDiagTraceIdleResiliencyEnd(x,x,x)

loc_6571FB:				; CODE XREF: PopDeepSleepEvaluateCallback(x)+53j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopDeepSleepDisengageReasonLock
		mov	ds:_PopDeepSleepIsEngaged, bl
		jz	short loc_657219
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65721E
; 

loc_657219:				; CODE XREF: PopDeepSleepEvaluateCallback(x)+6Ej
		xor	eax, eax
		lock and [ecx],	eax

loc_65721E:				; CODE XREF: PopDeepSleepEvaluateCallback(x)+78j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, offset _PopFxSystemLatencyLock
		mov	ecx, ebx
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		call	PoFxSendSystemLatencyUpdate
		mov	ecx, ebx
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		jmp	loc_6571A5
; 

loc_657243:				; CODE XREF: PopDeepSleepEvaluateCallback(x)+37j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopDeepSleepDisengageReasonLock
		mov	ds:_PopDeepSleepEvaluateWorkItemQueued,	0
		jz	short loc_657262
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_657267
; 

loc_657262:				; CODE XREF: PopDeepSleepEvaluateCallback(x)+B7j
		xor	eax, eax
		lock and [ecx],	eax

loc_657267:				; CODE XREF: PopDeepSleepEvaluateCallback(x)+C1j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx
		pop	ebp
		retn	4
_PopDeepSleepEvaluateCallback@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDeepSleepResiliencyPhaseAccountingBegin(x, x)
_PopDeepSleepResiliencyPhaseAccountingBegin@8 proc near
					; CODE XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+16E164p
					; PdcPoCurrentPdcPhase(x,x,x)+5Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	bl, dl
		xor	bh, bh
		mov	esi, ecx
		push	edi
		mov	edi, offset _PopDeepSleepDisengageReasonLock
		test	bl, bl
		jnz	short loc_6572A5
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, offset _PopCsResiliencyStatsLock
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_6572A5:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingBegin(x,x)+16j
		or	ds:dword_6C23FC, esi
		jmp	short loc_6572D7
; 

loc_6572AD:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingBegin(x,x)+66j
		xor	edx, edx
		lea	eax, [esi-1]
		inc	edx
		mov	ecx, edi
		shl	edx, cl
		and	esi, eax
		test	ds:_PopDeepSleepDisengageReasonMask, edx
		jz	short loc_6572D7
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ds:dword_6C2400[edi*8],	eax
		mov	ds:dword_6C2404[edi*8],	edx

loc_6572D7:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingBegin(x,x)+37j
					; PopDeepSleepResiliencyPhaseAccountingBegin(x,x)+4Bj
		bsf	edi, esi
		jnz	short loc_6572AD
		test	bl, bl
		jnz	short loc_657322
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopCsResiliencyStatsLock
		jz	short loc_6572F8
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6572FD
; 

loc_6572F8:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingBegin(x,x)+78j
		xor	eax, eax
		lock and [ecx],	eax

loc_6572FD:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingBegin(x,x)+82j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopDeepSleepDisengageReasonLock
		jz	short loc_657315
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65731A
; 

loc_657315:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingBegin(x,x)+95j
		xor	eax, eax
		lock and [ecx],	eax

loc_65731A:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingBegin(x,x)+9Fj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_657322:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingBegin(x,x)+6Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopDeepSleepResiliencyPhaseAccountingBegin@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDeepSleepResiliencyPhaseAccountingEnd(x,	x)
_PopDeepSleepResiliencyPhaseAccountingEnd@8 proc near
					; CODE XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+16E19Fp
					; PdcPoCurrentPdcPhase(x,x,x)+9Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	bl, dl
		xor	bh, bh
		mov	[ebp+var_1], bh
		push	edi
		mov	edi, ecx
		test	bl, bl
		jnz	short loc_657366
		mov	esi, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		call	esi
		mov	ecx, offset _PopDeepSleepDisengageReasonLock
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		call	esi
		mov	ecx, offset _PopCsResiliencyStatsLock
		mov	[ebp+var_1], al

loc_657361:				; DATA XREF: .text:loc_41D1D3o
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_657366:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingEnd(x,x)+1Aj
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, edi
		mov	[ebp+var_8], eax
		not	ecx
		mov	[ebp+var_C], edx
		and	ds:dword_6C23FC, ecx
		jmp	short loc_6573C6
; 

loc_657380:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingEnd(x,x)+A2j
		xor	edx, edx
		lea	eax, [edi-1]
		inc	edx
		mov	ecx, esi
		shl	edx, cl
		and	edi, eax
		test	ds:_PopDeepSleepDisengageReasonMask, edx
		jz	short loc_6573C6
		mov	eax, [ebp+var_8]
		sub	eax, ds:dword_6C2400[esi*8]
		mov	ecx, [ebp+var_C]
		sbb	ecx, ds:dword_6C2404[esi*8]
		add	ds:dword_6C2450[esi*8],	eax
		adc	ds:dword_6C2454[esi*8],	ecx
		and	ds:dword_6C2400[esi*8],	0
		and	ds:dword_6C2404[esi*8],	0

loc_6573C6:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingEnd(x,x)+57j
					; PopDeepSleepResiliencyPhaseAccountingEnd(x,x)+6Bj
		bsf	esi, edi
		jnz	short loc_657380
		test	bl, bl
		jnz	short loc_657418
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopCsResiliencyStatsLock
		jz	short loc_6573E7
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6573EC
; 

loc_6573E7:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingEnd(x,x)+B4j
		xor	eax, eax
		lock and [ecx],	eax

loc_6573EC:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingEnd(x,x)+BEj
		mov	cl, [ebp+var_1]
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopDeepSleepDisengageReasonLock
		jz	short loc_65740F
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_657414
; 

loc_65740F:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingEnd(x,x)+DCj
		xor	eax, eax
		lock and [ecx],	eax

loc_657414:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingEnd(x,x)+E6j
		mov	cl, bh
		call	esi

loc_657418:				; CODE XREF: PopDeepSleepResiliencyPhaseAccountingEnd(x,x)+A6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopDeepSleepResiliencyPhaseAccountingEnd@8 endp


;  S U B	R O U T	I N E 


; __stdcall PpmHeteroDispatchHgsInterrupt()
_PpmHeteroDispatchHgsInterrupt@0 proc near ; DATA XREF:	PAGE:00A4023Co
		call	_PpmEventHgsUpdate@0 ; PpmEventHgsUpdate()
		xor	eax, eax
		mov	ecx, offset _PpmHeteroHgsUpdateQueued
		inc	eax
		xchg	eax, [ecx]
		test	eax, eax
		jnz	short locret_65743F
		push	eax
		push	eax
		push	eax
		xor	edx, edx
		mov	ecx, offset _PpmHeteroHgsUpdateDpc
		call	KiInsertQueueDpc

locret_65743F:				; CODE XREF: PpmHeteroDispatchHgsInterrupt()+11j
		retn
_PpmHeteroDispatchHgsInterrupt@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmHeteroHgsBackupProcessorInit(x, x, x)
_PpmHeteroHgsBackupProcessorInit@12 proc near ;	DATA XREF: PpmHeteroHgsBackupInit+7E85Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	PpmHeteroHgsProcessorInit
		xor	eax, eax
		pop	ebp
		retn	0Ch
_PpmHeteroHgsBackupProcessorInit@12 endp


;  S U B	R O U T	I N E 


; __stdcall PpmHeteroHgsUpdateDpcRoutine(x, x, x, x)
_PpmHeteroHgsUpdateDpcRoutine@16 proc near ; DATA XREF:	PpmHeteroInitializeHgsSupport+7E8C2o
		push	0
		push	offset _PpmHeteroHgsUpdateWorkItem
		call	ExQueueWorkItem
		retn	10h
_PpmHeteroHgsUpdateDpcRoutine@16 endp


;  S U B	R O U T	I N E 


; __stdcall PpmHeteroHgsUpdateWorker(x)
_PpmHeteroHgsUpdateWorker@4 proc near	; DATA XREF: PpmHeteroInitializeHgsSupport+7E8E5o
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	cl, 1
		mov	ds:_PpmHeteroHgsUpdateQueued, 0
		call	_PpmReinitializeHeteroEngine@4 ; PpmReinitializeHeteroEngine(x)
		retn	4
_PpmHeteroHgsUpdateWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmCheckComputeHeteroResponse()
_PpmCheckComputeHeteroResponse@0 proc near

var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= word ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_84		= dword	ptr -84h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1CCh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1CC]
		stosd
		stosd
		stosd
		mov	eax, ds:_PpmCurrentProfile
		imul	ecx, ds:dword_6C2D0C, 0F0h
		add	ecx, eax
		cmp	ds:_PpmHeteroPolicy, 4
		mov	[ebp+var_194], ecx
		jnz	loc_657849
		xor	ecx, ecx
		xor	edx, edx
		mov	[ebp+var_198], ecx
		mov	[ebp+var_1BC], edx
		cmp	ds:_PpmParkNumNodes, ecx
		jz	loc_65784E
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_1C0], ebx

loc_6574EB:				; CODE XREF: PpmCheckComputeHeteroResponse()+3BDj
		mov	esi, ds:_PpmParkNodes
		xor	edi, edi
		add	esi, ebx
		mov	[ebp+var_1B0], edi
		mov	[ebp+var_1AC], esi
		cmp	byte ptr [esi+59h], 0
		jnz	short loc_657515
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_198], ecx
		jmp	loc_657824
; 

loc_657515:				; CODE XREF: PpmCheckComputeHeteroResponse()+85j
		movzx	eax, word ptr [esi+4]
		xor	ebx, ebx
		movzx	edx, byte ptr [esi+63h]
		mov	ecx, [esi+8]
		mov	esi, ebx
		mov	[ebp+var_1B4], edx
		mov	[ebp+var_1C4], ax
		mov	[ebp+var_1C8], ecx
		mov	[ebp+var_1CC], ebx

loc_65753D:				; CODE XREF: PpmCheckComputeHeteroResponse()+119j
		lea	eax, [ebp+var_1CC]
		mov	[ebp+var_188], ebx
		push	eax
		lea	eax, [ebp+var_188]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_65759B
		mov	ebx, [ebp+var_188]
		mov	ecx, ebx
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		cmp	ds:_PpmCheckCurrentPipelineId, 5
		mov	ecx, [eax+3EB4h]
		jz	short loc_65757C
		sub	ecx, [eax+3EBCh]

loc_65757C:				; CODE XREF: PpmCheckComputeHeteroResponse()+F4j
		mov	eax, [eax+3EC4h]
		test	eax, eax
		jz	short loc_65758C
		imul	ecx, eax
		shr	ecx, 10h

loc_65758C:				; CODE XREF: PpmCheckComputeHeteroResponse()+104j
		add	esi, ecx
		mov	[ebp+ebx*4+var_84], ecx
		adc	edi, 0
		inc	ebx
		jmp	short loc_65753D
; 

loc_65759B:				; CODE XREF: PpmCheckComputeHeteroResponse()+D8j
		push	offset _PpmUtilityComparer ; int __cdecl (*)(const void	*,const	void *)
		push	4		; size_t
		push	[ebp+var_188]	; size_t
		lea	eax, [ebp+var_84]
		mov	[ebp+var_1B8], edi
		push	eax		; void *
		mov	[ebp+var_19C], esi
		call	_qsort
		mov	esi, [ebp+var_1AC]
		xor	edx, edx
		and	[ebp+var_190], edx
		xor	ecx, ecx
		and	[ebp+var_18C], edx
		add	esp, 10h
		mov	[ebp+var_1A0], ecx
		mov	edi, edx
		movzx	ebx, byte ptr [esi+6]
		mov	ecx, [esi+38h]
		mov	[ebp+var_188], edx
		mov	[ebp+var_1A8], ecx
		test	ebx, ebx
		jz	loc_657695
		mov	esi, [ebp+var_19C]
		lea	eax, [ebp+ebx*8+var_18C]
		mov	edi, [ebp+var_1B8]
		mov	[ebp+var_1A4], eax

loc_657615:				; CODE XREF: PpmCheckComputeHeteroResponse()+207j
		push	dword ptr [ecx+ebx*8+4]
		push	dword ptr [ecx+ebx*8]
		push	edi
		push	esi
		call	__allmul
		mov	ecx, [ebp+var_18C]
		add	ecx, eax
		mov	eax, [ebp+var_1A4]
		mov	[ebp+var_18C], ecx
		adc	[ebp+var_1A0], edx
		mov	[eax], ecx
		mov	ecx, [ebp+var_1A0]
		mov	[eax+4], ecx
		mov	eax, [ebp+var_1A8]
		mov	eax, [eax+ebx*8+4]
		mul	ebx
		mov	ecx, eax
		mov	eax, [ebp+var_1A8]
		mov	eax, [eax+ebx*8]
		mul	ebx
		add	ecx, edx
		mov	edx, [ebp+var_188]
		add	edx, eax
		mov	[ebp+var_188], edx
		adc	[ebp+var_190], ecx
		sub	[ebp+var_1A4], 8
		mov	ecx, [ebp+var_1A8]
		sub	ebx, 1
		jnz	short loc_657615
		mov	esi, [ebp+var_1AC]
		mov	edi, [ebp+var_1B0]

loc_657695:				; CODE XREF: PpmCheckComputeHeteroResponse()+176j
		movzx	eax, byte ptr [esi+59h]
		mov	ebx, [ebp+var_1B4]
		mov	[ebp+var_18C], eax
		cmp	ebx, eax
		jnb	loc_657749
		mov	esi, [ebp+var_194]
		mov	edi, eax

loc_6576B5:				; CODE XREF: PpmCheckComputeHeteroResponse()+26Dj
		push	[ebp+ebx*8+var_180]
		movzx	ecx, byte ptr [esi+ebx+0E1h]
		push	[ebp+ebx*8+var_184]
		push	0
		push	[ebp+ebx*4+var_84]
		push	[ebp+var_190]
		push	edx
		call	_PpmHeteroUtilityGreaterThanOrEqualThreshold@28	; PpmHeteroUtilityGreaterThanOrEqualThreshold(x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_6576EF
		mov	edx, [ebp+var_188]
		inc	ebx
		cmp	ebx, edi
		jb	short loc_6576B5

loc_6576EF:				; CODE XREF: PpmCheckComputeHeteroResponse()+262j
		mov	esi, [ebp+var_1AC]
		mov	edi, [ebp+var_1B0]
		cmp	ebx, [ebp+var_1B4]
		jbe	short loc_657749
		push	2
		pop	ecx
		jmp	short loc_65775F
; 

loc_657708:				; CODE XREF: PpmCheckComputeHeteroResponse()+2CBj
		push	[ebp+ebx*8+var_188]
		mov	eax, [ebp+var_194]
		push	[ebp+ebx*8+var_18C]
		mov	[ebp+var_18C], ebx
		dec	ebx
		push	0
		push	[ebp+ebx*4+var_84]
		movzx	ecx, byte ptr [eax+ebx+0C1h]
		push	[ebp+var_190]
		push	[ebp+var_188]
		call	_PpmHeteroUtilityGreaterThanOrEqualThreshold@28	; PpmHeteroUtilityGreaterThanOrEqualThreshold(x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_65774F

loc_657749:				; CODE XREF: PpmCheckComputeHeteroResponse()+227j
					; PpmCheckComputeHeteroResponse()+281j
		test	ebx, ebx
		jnz	short loc_657708
		jmp	short loc_657755
; 

loc_65774F:				; CODE XREF: PpmCheckComputeHeteroResponse()+2C7j
		mov	ebx, [ebp+var_18C]

loc_657755:				; CODE XREF: PpmCheckComputeHeteroResponse()+2CDj
		cmp	ebx, [ebp+var_1B4]
		sbb	ecx, ecx
		neg	ecx

loc_65775F:				; CODE XREF: PpmCheckComputeHeteroResponse()+286j
		movsx	eax, byte ptr [esi+6Ch]
		cmp	eax, ecx
		jnz	short loc_657770
		inc	byte ptr [esi+6Bh]
		movzx	edx, byte ptr [esi+6Bh]
		jmp	short loc_65777D
; 

loc_657770:				; CODE XREF: PpmCheckComputeHeteroResponse()+2E5j
		xor	edx, edx
		mov	[esi+6Ch], cl
		push	4
		mov	byte ptr [esi+6Bh], 1
		inc	edx
		pop	edi

loc_65777D:				; CODE XREF: PpmCheckComputeHeteroResponse()+2EEj
		cmp	ds:_PpmCheckCurrentPipelineId, 5
		jnz	short loc_65778B
		or	edi, 10h
		jmp	short loc_6577BF
; 

loc_65778B:				; CODE XREF: PpmCheckComputeHeteroResponse()+304j
		cmp	ecx, 2
		jnz	short loc_6577A6
		mov	eax, [ebp+var_194]
		movzx	eax, byte ptr [eax+0C0h]
		cmp	edx, eax
		jb	short loc_6577C2
		or	edi, 20h
		jmp	short loc_6577BF
; 

loc_6577A6:				; CODE XREF: PpmCheckComputeHeteroResponse()+30Ej
		cmp	ecx, 1
		jnz	short loc_6577C2
		mov	eax, [ebp+var_194]
		movzx	eax, byte ptr [eax+0BFh]
		cmp	edx, eax
		jb	short loc_6577C2
		or	edi, 40h

loc_6577BF:				; CODE XREF: PpmCheckComputeHeteroResponse()+309j
					; PpmCheckComputeHeteroResponse()+324j
		mov	[esi+63h], bl

loc_6577C2:				; CODE XREF: PpmCheckComputeHeteroResponse()+31Fj
					; PpmCheckComputeHeteroResponse()+329j	...
		mov	al, [esi+6Ah]
		or	al, 6
		cmp	byte ptr [esi+63h], 0
		mov	[esi+6Ah], al
		jnz	short loc_6577E0
		and	al, 0FDh
		xor	ecx, ecx
		inc	ecx
		mov	[esi+6Ah], al
		mov	[ebp+var_198], ecx
		jmp	short loc_6577E6
; 

loc_6577E0:				; CODE XREF: PpmCheckComputeHeteroResponse()+34Ej
		mov	ecx, [ebp+var_198]

loc_6577E6:				; CODE XREF: PpmCheckComputeHeteroResponse()+35Ej
		xor	eax, eax
		lea	edx, [ebp+var_84]
		test	ecx, ecx
		mov	ecx, esi
		setz	al
		inc	eax
		or	eax, edi
		push	eax
		push	ebx
		push	[ebp+var_190]
		lea	eax, [ebp+var_184]
		push	[ebp+var_188]
		push	eax
		call	_PpmEventTraceHeteroResponse@28	; PpmEventTraceHeteroResponse(x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_198]
		mov	edx, [ebp+var_1BC]
		mov	ebx, [ebp+var_1C0]

loc_657824:				; CODE XREF: PpmCheckComputeHeteroResponse()+90j
		inc	edx
		add	ebx, 0D0h
		mov	[ebp+var_1BC], edx
		mov	[ebp+var_1C0], ebx
		cmp	edx, ds:_PpmParkNumNodes
		jb	loc_6574EB
		pop	esi
		pop	ebx
		test	ecx, ecx
		jz	short loc_65784E

loc_657849:				; CODE XREF: PpmCheckComputeHeteroResponse()+3Fj
		call	PpmParkCalculateUnparkCount

loc_65784E:				; CODE XREF: PpmCheckComputeHeteroResponse()+5Bj
					; PpmCheckComputeHeteroResponse()+3C7j
		mov	ecx, [ebp+var_4]
		mov	al, 1
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmCheckComputeHeteroResponse@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmHeteroDistributeUtility()
_PpmHeteroDistributeUtility@0 proc near

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= word ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		and	[ebp+var_10], 0
		xor	eax, eax
		push	ebx
		push	edi
		lea	edi, [ebp+var_3C]
		stosd
		stosd
		stosd
		mov	eax, ds:_PpmCurrentProfile
		imul	ecx, ds:dword_6C2D0C, 0F0h
		mov	[ebp+var_18], eax
		mov	[ebp+var_1C], ecx
		cmp	byte ptr [ecx+eax+9Bh],	0
		setnz	bl
		xor	edx, edx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_C], edx
		cmp	ds:_PpmParkNumNodes, edx
		jz	loc_657B54
		xor	ecx, ecx
		mov	[ebp+var_2C], ecx
		push	esi

loc_6578AD:				; CODE XREF: PpmHeteroDistributeUtility()+2F0j
		mov	esi, ds:_PpmParkNodes
		add	esi, ecx
		cmp	ds:_PpmHeteroPolicy, 4
		mov	[ebp+var_20], esi
		jz	short loc_6578E3
		movzx	eax, byte ptr [esi+66h]
		mov	edx, [esi+14h]
		mov	ecx, [esi+8]
		push	0
		push	0
		push	ebx
		push	eax
		movzx	eax, word ptr [esi+4]
		push	eax
		call	PpmParkDistributeUtility
		mov	edx, [ebp+var_C]
		jmp	loc_657B37
; 

loc_6578E3:				; CODE XREF: PpmHeteroDistributeUtility()+62j
		cmp	byte ptr [esi+67h], 0
		jz	loc_6579AB
		cmp	byte ptr [esi+68h], 0
		jz	loc_6579AB
		cmp	ds:_PpmHeteroImplementationGeneration, 0
		jbe	loc_6579C8
		mov	eax, ds:_PpmHeteroParkBias
		xor	edx, edx
		sub	eax, edx
		jz	short loc_657988
		dec	eax
		sub	eax, 1
		jz	short loc_657957
		sub	eax, 1
		jz	short loc_657921
		push	edx
		push	edx
		jmp	loc_6579AF
; 

loc_657921:				; CODE XREF: PpmHeteroDistributeUtility()+BBj
		mov	ecx, [esi+0Ch]
		lea	eax, [ebp+var_10]
		push	eax
		movzx	eax, byte ptr [esi+0C8h]
		push	edx
		mov	edx, [esi+14h]
		push	ebx
		push	eax
		movzx	eax, word ptr [esi+4]
		and	edx, ecx
		push	eax
		call	PpmParkDistributeUtility
		push	0
		push	[ebp+var_10]

loc_657946:				; CODE XREF: PpmHeteroDistributeUtility()+14Cj
		mov	ecx, [esi+10h]
		movzx	eax, byte ptr [esi+0C9h]

loc_657950:				; CODE XREF: PpmHeteroDistributeUtility()+129j
		mov	edx, [esi+14h]
		and	edx, ecx
		jmp	short loc_6579B9
; 

loc_657957:				; CODE XREF: PpmHeteroDistributeUtility()+B6j
		mov	ecx, [esi+10h]
		lea	eax, [ebp+var_10]
		push	eax
		movzx	eax, byte ptr [esi+0C9h]
		push	edx
		mov	edx, [esi+14h]
		push	ebx
		push	eax
		movzx	eax, word ptr [esi+4]
		and	edx, ecx
		push	eax
		call	PpmParkDistributeUtility
		mov	ecx, [esi+0Ch]
		movzx	eax, byte ptr [esi+0C8h]
		push	0
		push	[ebp+var_10]
		jmp	short loc_657950
; 

loc_657988:				; CODE XREF: PpmHeteroDistributeUtility()+B0j
		movzx	eax, byte ptr [esi+0C8h]
		mov	ecx, [esi+0Ch]
		push	edx
		push	edx
		mov	edx, [esi+14h]
		push	ebx
		push	eax
		movzx	eax, word ptr [esi+4]
		and	edx, ecx
		push	eax
		call	PpmParkDistributeUtility
		push	0
		push	0
		jmp	short loc_657946
; 

loc_6579AB:				; CODE XREF: PpmHeteroDistributeUtility()+8Aj
					; PpmHeteroDistributeUtility()+94j
		push	0
		push	0

loc_6579AF:				; CODE XREF: PpmHeteroDistributeUtility()+BFj
		movzx	eax, byte ptr [esi+66h]
		mov	edx, [esi+14h]
		mov	ecx, [esi+8]

loc_6579B9:				; CODE XREF: PpmHeteroDistributeUtility()+F8j
		push	ebx
		push	eax
		movzx	eax, word ptr [esi+4]
		push	eax
		call	PpmParkDistributeUtility
		mov	edx, [ebp+var_C]

loc_6579C8:				; CODE XREF: PpmHeteroDistributeUtility()+A1j
		mov	ebx, [esi+14h]
		mov	ecx, [esi+10h]
		not	ebx
		mov	[ebp+var_30], ebx
		test	ecx, ebx
		jz	loc_657B34
		mov	edi, [esi+18h]
		xor	edx, edx
		movzx	eax, word ptr [esi+4]
		and	edi, ecx
		mov	esi, [ebp+var_1C]
		and	edi, ebx
		mov	ebx, [ebp+var_18]
		mov	[ebp+var_14], eax
		mov	byte ptr [ebp+var_24], dl
		mov	[ebp+var_8], edx
		mov	[ebp+var_34], ax
		mov	[ebp+var_38], edi
		mov	[ebp+var_3C], edx

loc_657A01:				; CODE XREF: PpmHeteroDistributeUtility()+1C5j
					; PpmHeteroDistributeUtility()+1D7j
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_657A36
		mov	ecx, [ebp+var_8]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, [eax+3EA8h]
		test	ecx, ecx
		jz	short loc_657A01
		mov	al, [esi+ebx+102h]
		mov	byte ptr [ebp+var_24], al
		mov	[ecx+14Ch], al
		jmp	short loc_657A01
; 

loc_657A36:				; CODE XREF: PpmHeteroDistributeUtility()+1B3j
		mov	esi, [ebp+var_20]
		mov	eax, [ebp+var_14]
		mov	ebx, [ebp+var_30]
		mov	[ebp+var_34], ax
		mov	eax, [esi+10h]
		xor	eax, edi
		and	[ebp+var_3C], 0
		mov	[ebp+var_38], eax

loc_657A4F:				; CODE XREF: PpmHeteroDistributeUtility()+213j
					; PpmHeteroDistributeUtility()+21Cj
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_657A7B
		mov	ecx, [ebp+var_8]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	eax, [eax+3EA8h]
		test	eax, eax
		jz	short loc_657A4F
		mov	byte ptr [eax+14Ch], 0
		jmp	short loc_657A4F
; 

loc_657A7B:				; CODE XREF: PpmHeteroDistributeUtility()+201j
		xor	dl, dl
		mov	[ebp+var_1], dl
		cmp	ds:_PpmPerfQosEnabled, dl
		jnz	loc_657B27
		mov	edi, [esi+0Ch]
		and	[ebp+var_8], 0
		and	edi, ebx
		mov	ebx, [ebp+var_14]
		and	[ebp+var_3C], 0
		mov	esi, [ebp+var_18]
		mov	[ebp+var_30], edi
		mov	[ebp+var_38], edi
		mov	edi, [ebp+var_1C]
		mov	[ebp+var_34], bx

loc_657AAC:				; CODE XREF: PpmHeteroDistributeUtility()+270j
					; PpmHeteroDistributeUtility()+282j
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_657AE1
		mov	ecx, [ebp+var_8]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	eax, [eax+3EA8h]
		test	eax, eax
		jz	short loc_657AAC
		mov	bl, [edi+esi+101h]
		mov	[ebp+var_1], bl
		mov	[eax+14Bh], bl
		jmp	short loc_657AAC
; 

loc_657AE1:				; CODE XREF: PpmHeteroDistributeUtility()+25Ej
		mov	esi, [ebp+var_20]
		mov	ebx, [ebp+var_14]
		mov	[ebp+var_34], bx
		mov	eax, [esi+0Ch]
		xor	eax, [ebp+var_30]
		and	[ebp+var_3C], 0
		mov	[ebp+var_38], eax

loc_657AF8:				; CODE XREF: PpmHeteroDistributeUtility()+2BCj
					; PpmHeteroDistributeUtility()+2C5j
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_657B24
		mov	ecx, [ebp+var_8]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	eax, [eax+3EA8h]
		test	eax, eax
		jz	short loc_657AF8
		mov	byte ptr [eax+14Bh], 0
		jmp	short loc_657AF8
; 

loc_657B24:				; CODE XREF: PpmHeteroDistributeUtility()+2AAj
		mov	dl, [ebp+var_1]

loc_657B27:				; CODE XREF: PpmHeteroDistributeUtility()+229j
		push	[ebp+var_24]
		mov	ecx, esi
		call	_PpmEventTraceHeteroDistributeUtility@12 ; PpmEventTraceHeteroDistributeUtility(x,x,x)
		mov	edx, [ebp+var_C]

loc_657B34:				; CODE XREF: PpmHeteroDistributeUtility()+178j
		mov	ebx, [ebp+var_28]

loc_657B37:				; CODE XREF: PpmHeteroDistributeUtility()+81j
		mov	ecx, [ebp+var_2C]
		inc	edx
		add	ecx, 0D0h
		mov	[ebp+var_C], edx
		mov	[ebp+var_2C], ecx
		cmp	edx, ds:_PpmParkNumNodes
		jb	loc_6578AD
		pop	esi

loc_657B54:				; CODE XREF: PpmHeteroDistributeUtility()+44j
		pop	edi
		mov	al, 1
		pop	ebx
		leave
		retn
_PpmHeteroDistributeUtility@0 endp


;  S U B	R O U T	I N E 


; __stdcall PpmHeteroNormalizedUtilityToUtility(x, x)
_PpmHeteroNormalizedUtilityToUtility@8 proc near
					; CODE XREF: PpmParkDistributeUtility+12FCC6p
		mov	ecx, [ecx+24h]
		test	ecx, ecx
		jz	short loc_657B6C
		shl	edx, 10h
		mov	eax, edx
		xor	edx, edx
		div	ecx
		mov	edx, eax

loc_657B6C:				; CODE XREF: PpmHeteroNormalizedUtilityToUtility(x,x)+5j
		mov	eax, edx
		retn
_PpmHeteroNormalizedUtilityToUtility@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmHeteroRestrictToFavoredClass(x, x)
_PpmHeteroRestrictToFavoredClass@8 proc	near
					; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+2ADp

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1], 0
		push	edi
		xor	edi, edi
		mov	ebx, esi
		test	esi, esi
		jz	short loc_657BDD

loc_657B87:				; CODE XREF: PpmHeteroRestrictToFavoredClass(x,x)+40j
		and	[ebp+var_8], edi
		bsf	ecx, ebx
		and	ecx, 1Fh
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, eax
		mov	al, [ecx+3ED1h]
		cmp	[ebp+var_1], al
		ja	short loc_657BA5
		mov	[ebp+var_1], al

loc_657BA5:				; CODE XREF: PpmHeteroRestrictToFavoredClass(x,x)+31j
		mov	eax, [ecx+3C8h]
		not	eax
		and	ebx, eax
		jnz	short loc_657B87
		test	esi, esi
		jz	short loc_657BDD
		mov	bl, [ebp+var_1]

loc_657BB8:				; CODE XREF: PpmHeteroRestrictToFavoredClass(x,x)+6Cj
		and	[ebp+var_8], 0
		bsf	ecx, esi
		and	ecx, 1Fh
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, [eax+3C8h]
		cmp	[eax+3ED1h], bl
		jnz	short loc_657BD7
		or	edi, ecx

loc_657BD7:				; CODE XREF: PpmHeteroRestrictToFavoredClass(x,x)+64j
		not	ecx
		and	esi, ecx
		jnz	short loc_657BB8

loc_657BDD:				; CODE XREF: PpmHeteroRestrictToFavoredClass(x,x)+16j
					; PpmHeteroRestrictToFavoredClass(x,x)+44j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PpmHeteroRestrictToFavoredClass@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmHeteroUtilityGreaterThanOrEqualThreshold(x, x, x, x, x, x, x)
_PpmHeteroUtilityGreaterThanOrEqualThreshold@28	proc near
					; CODE XREF: PpmCheckComputeHeteroResponse()+25Bp
					; PpmCheckComputeHeteroResponse()+2C0p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_PpmHeteroMinRelativePerformance
		mul	ecx
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_C]
		mov	ecx, eax
		mov	edi, 2710h
		push	[ebp+arg_8]
		mov	eax, edx
		push	[ebp+arg_4]
		mul	edi
		mov	esi, eax
		mov	eax, ecx
		mul	edi
		mov	edi, [ebp+arg_0]
		add	esi, edx
		shrd	eax, esi, 10h
		push	edi
		mov	[ebp+var_4], eax
		shr	esi, 10h
		call	__allmul
		mov	ecx, [ebp+arg_14]
		mov	ebx, eax
		mov	eax, edx
		mov	[ebp+arg_C], eax
		cmp	eax, ecx
		jb	short loc_657C38
		ja	short loc_657C3E
		cmp	ebx, [ebp+arg_10]
		ja	short loc_657C3E

loc_657C38:				; CODE XREF: PpmHeteroUtilityGreaterThanOrEqualThreshold(x,x,x,x,x,x,x)+4Bj
		mov	ebx, [ebp+arg_10]
		mov	[ebp+arg_C], ecx

loc_657C3E:				; CODE XREF: PpmHeteroUtilityGreaterThanOrEqualThreshold(x,x,x,x,x,x,x)+4Dj
					; PpmHeteroUtilityGreaterThanOrEqualThreshold(x,x,x,x,x,x,x)+52j
		push	[ebp+arg_4]
		push	edi
		push	esi
		push	[ebp+var_4]
		call	__allmul
		mov	[ebp+arg_14], eax
		mov	esi, edx
		mov	eax, [ebp+arg_C]
		push	64h
		pop	ecx
		mul	ecx
		push	64h
		mov	ecx, eax
		mov	eax, ebx
		pop	edx
		mul	edx
		add	ecx, edx
		cmp	ecx, esi
		jb	short loc_657C78
		ja	short loc_657C6E
		cmp	eax, [ebp+arg_14]
		jb	short loc_657C78

loc_657C6E:				; CODE XREF: PpmHeteroUtilityGreaterThanOrEqualThreshold(x,x,x,x,x,x,x)+83j
		or	edi, [ebp+arg_4]
		jz	short loc_657C78
		xor	eax, eax
		inc	eax
		jmp	short loc_657C7A
; 

loc_657C78:				; CODE XREF: PpmHeteroUtilityGreaterThanOrEqualThreshold(x,x,x,x,x,x,x)+81j
					; PpmHeteroUtilityGreaterThanOrEqualThreshold(x,x,x,x,x,x,x)+88j ...
		xor	eax, eax

loc_657C7A:				; CODE XREF: PpmHeteroUtilityGreaterThanOrEqualThreshold(x,x,x,x,x,x,x)+92j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_PpmHeteroUtilityGreaterThanOrEqualThreshold@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl PpmUtilityComparer(const void *,const void *)
_PpmUtilityComparer proc near		; DATA XREF: PpmCheckComputeHeteroResponse():loc_65759Bo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		cmp	ecx, eax
		jbe	short loc_657C99
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
; 

loc_657C99:				; CODE XREF: _PpmUtilityComparer+11j
		sbb	eax, eax
		neg	eax
		pop	ebp
		retn
_PpmUtilityComparer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFanIrpComplete(x, x, x)
_PopFanIrpComplete@12 proc near		; DATA XREF: PopFanWorker(x)+B7o

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		push	1
		add	eax, 2Ch
		push	eax
		call	ExQueueWorkItem
		mov	eax, 0C0000016h
		pop	ebp
		retn	0Ch
_PopFanIrpComplete@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmAllocWmiEvent(x,	x, x)
_PpmAllocWmiEvent@12 proc near		; CODE XREF: PpmFireWmiEvent(x,x,x,x)+17p
					; PpmWmiFireIdleAccountingEvent(x,x,x)+3Dp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	774D5050h
		add	esi, 40h
		mov	[ebp+var_4], edx
		push	esi
		push	200h
		mov	edi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_657D1D
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebx+10h]
		push	ecx
		call	KeQuerySystemTime
		mov	eax, [ebp+arg_0]
		mov	[ebx], esi
		mov	esi, [ebp+var_4]
		mov	[ebx+4], edi
		lea	edi, [ebx+18h]
		movsd
		movsd
		movsd
		movsd
		mov	dword ptr [ebx+2Ch], 8Ah
		mov	dword ptr [ebx+38h], 40h
		mov	[ebx+3Ch], eax

loc_657D1D:				; CODE XREF: PpmAllocWmiEvent(x,x,x)+28j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_PpmAllocWmiEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PpmFireWmiEvent(size_t,void *)
_PpmFireWmiEvent@16 proc near		; CODE XREF: PpmEventLegacyProcessorPerfStateChange+81C35p
					; PpmEventDomainPerfStateChange+81799p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword ptr [ecx+4], 0
		push	esi
		push	edi
		jnz	short loc_657D3A
		mov	esi, 0C0000001h
		jmp	short loc_657D84
; 

loc_657D3A:				; CODE XREF: PpmFireWmiEvent(x,x,x,x)+Bj
		push	[ebp+arg_0]
		call	_PpmAllocWmiEvent@12 ; PpmAllocWmiEvent(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_657D4F
		mov	esi, 0C000009Ah
		jmp	short loc_657D84
; 

loc_657D4F:				; CODE XREF: PpmFireWmiEvent(x,x,x,x)+20j
		cmp	[ebp+arg_4], 0
		jz	short loc_657D69
		push	[ebp+arg_0]	; size_t
		mov	eax, [edi+38h]
		push	[ebp+arg_4]	; void *
		add	eax, edi
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_657D69:				; CODE XREF: PpmFireWmiEvent(x,x,x,x)+2Dj
		push	edi
		call	IoWMIWriteEvent
		mov	esi, eax
		test	esi, esi
		jns	short loc_657D82
		push	774D5050h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_657D84
; 

loc_657D82:				; CODE XREF: PpmFireWmiEvent(x,x,x,x)+4Dj
		xor	esi, esi

loc_657D84:				; CODE XREF: PpmFireWmiEvent(x,x,x,x)+12j
					; PpmFireWmiEvent(x,x,x,x)+27j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_PpmFireWmiEvent@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmWmiFireIdleAccountingEvent(x, x,	x)
_PpmWmiFireIdleAccountingEvent@12 proc near ; DATA XREF: PpmWmiIdleAccountingWork(x)+16o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		cmp	dword ptr [esi+3D70h], 0
		jz	short loc_657E0A
		mov	eax, [esi+3D74h]
		test	eax, eax
		jz	short loc_657E0A
		cmp	dword ptr [esi+3E44h], 0
		jz	short loc_657E0A
		mov	eax, [eax]
		lea	ecx, [esi+3E40h]
		imul	eax, 1A0h
		mov	edx, offset _PPM_IDLE_ACCOUNTING_EX_GUID
		add	eax, 18h
		push	eax
		call	_PpmAllocWmiEvent@12 ; PpmAllocWmiEvent(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_657DDB
		mov	esi, 0C000009Ah
		jmp	short loc_657E0F
; 

loc_657DDB:				; CODE XREF: PpmWmiFireIdleAccountingEvent(x,x,x)+46j
		mov	edx, [edi+38h]
		lea	ecx, [esi+3D70h]
		push	0
		add	edx, edi
		call	_PpmTranslateIdleAccounting@12 ; PpmTranslateIdleAccounting(x,x,x)
		push	edi
		call	IoWMIWriteEvent
		mov	esi, eax
		test	esi, esi
		jns	short loc_657E06
		push	774D5050h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_657E0F
; 

loc_657E06:				; CODE XREF: PpmWmiFireIdleAccountingEvent(x,x,x)+6Bj
		xor	esi, esi
		jmp	short loc_657E0F
; 

loc_657E0A:				; CODE XREF: PpmWmiFireIdleAccountingEvent(x,x,x)+11j
					; PpmWmiFireIdleAccountingEvent(x,x,x)+1Bj ...
		mov	esi, 0C0000001h

loc_657E0F:				; CODE XREF: PpmWmiFireIdleAccountingEvent(x,x,x)+4Dj
					; PpmWmiFireIdleAccountingEvent(x,x,x)+78j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
_PpmWmiFireIdleAccountingEvent@12 endp


;  S U B	R O U T	I N E 


; __stdcall PpmWmiIdleAccountingProcedure(x, x,	x, x)
_PpmWmiIdleAccountingProcedure@16 proc near ; DATA XREF: PpmWmiInit()+Eo
		push	656C6469h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short locret_657E41
		and	dword ptr [eax], 0
		push	1
		push	eax
		mov	dword ptr [eax+8], offset _PpmWmiIdleAccountingWork@4 ;	PpmWmiIdleAccountingWork(x)
		mov	[eax+0Ch], eax
		call	ExQueueWorkItem

locret_657E41:				; CODE XREF: PpmWmiIdleAccountingProcedure(x,x,x,x)+13j
		retn	10h
_PpmWmiIdleAccountingProcedure@16 endp


;  S U B	R O U T	I N E 


; __stdcall PopNetEvaluationTimerCallback(x, x)
_PopNetEvaluationTimerCallback@8 proc near ; DATA XREF:	PopNetInitialize+CFo
		mov	edi, edi
		push	esi
		xor	edx, edx
		mov	esi, offset _PopNetGracePeriodState
		push	2
		inc	edx
		pop	ecx
		mov	eax, edx
		lock cmpxchg [esi], ecx
		pop	esi
		cmp	eax, edx
		jnz	short locret_657E67
		mov	ecx, offset unk_6BFEF8
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)

locret_657E67:				; CODE XREF: PopNetEvaluationTimerCallback(x,x)+17j
		retn	8
_PopNetEvaluationTimerCallback@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopNetRefreshTimerCallback(x, x)
_PopNetRefreshTimerCallback@8 proc near	; DATA XREF: PopNetInitialize+118o
		mov	edi, edi
		push	esi
		xor	edx, edx
		mov	esi, offset _PopNetRefreshTimerState
		push	2
		inc	edx
		pop	ecx
		mov	eax, edx
		lock cmpxchg [esi], ecx
		pop	esi
		cmp	eax, edx
		jnz	short locret_657E8D
		mov	ecx, offset unk_6BFF98
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)

locret_657E8D:				; CODE XREF: PopNetRefreshTimerCallback(x,x)+17j
		retn	8
_PopNetRefreshTimerCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNetUpdateDsAccounting(x)
_PopNetUpdateDsAccounting@4 proc near	; CODE XREF: PopNetResiliencyStateChanged(x)+Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		mov	bl, cl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PopCsResiliencyStatsLock
		mov	bh, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	bl, bl
		jz	short loc_657ECC
		cmp	ds:_PopNetStandbyState,	2
		jnz	short loc_657F0F
		call	KeQueryInterruptTime
		mov	ds:dword_6C2398, eax
		mov	ds:dword_6C239C, edx
		jmp	short loc_657F0F
; 

loc_657ECC:				; CODE XREF: PopNetUpdateDsAccounting(x)+1Fj
		mov	eax, ds:dword_6C2398
		or	eax, ds:dword_6C239C
		jz	short loc_657F0F
		call	KeQueryInterruptTime
		sub	eax, ds:dword_6C2398
		push	0
		sbb	edx, ds:dword_6C239C
		push	0Ah
		push	edx
		push	eax
		call	__aulldiv
		add	ds:dword_6C23A0, eax
		adc	ds:dword_6C23A4, edx
		and	ds:dword_6C2398, 0
		and	ds:dword_6C239C, 0

loc_657F0F:				; CODE XREF: PopNetUpdateDsAccounting(x)+28j
					; PopNetUpdateDsAccounting(x)+3Aj ...
		test	ds:byte_70EFC6,	1
		jz	short loc_657F24
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_657F29
; 

loc_657F24:				; CODE XREF: PopNetUpdateDsAccounting(x)+86j
		xor	eax, eax
		lock and [edi],	eax

loc_657F29:				; CODE XREF: PopNetUpdateDsAccounting(x)+92j
		pop	edi
		mov	cl, bh
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_PopNetUpdateDsAccounting@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerButtonTimerCallback(x, x)
_PopPowerButtonTimerCallback@8 proc near ; DATA	XREF: PopPowerButtonWorkCallback(x)+F7o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, offset _PopPowerButtonHold
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:dword_6BFE74
		mov	edx, ecx
		and	edx, 1
		jz	short loc_657F7A
		mov	eax, ds:dword_6BFE78
		cmp	eax, [ebp+arg_4]
		jnz	short loc_657F7A
		and	ecx, 0FFFFFFFEh
		add	ecx, 7D0h
		or	ecx, edx
		xor	edx, edx
		mov	ds:dword_6BFE74, ecx
		mov	ecx, offset unk_6BFE60
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)

loc_657F7A:				; CODE XREF: PopPowerButtonTimerCallback(x,x)+1Dj
					; PopPowerButtonTimerCallback(x,x)+27j
		test	ds:byte_70EFC6,	1
		jz	short loc_657F8F
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_657F94
; 

loc_657F8F:				; CODE XREF: PopPowerButtonTimerCallback(x,x)+4Dj
		xor	eax, eax
		lock and [esi],	eax

loc_657F94:				; CODE XREF: PopPowerButtonTimerCallback(x,x)+59j
		pop	esi
		pop	ebp
		retn	8
_PopPowerButtonTimerCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerButtonWorkCallback(x)
_PopPowerButtonWorkCallback@4 proc near	; DATA XREF: PopInitializePowerButtonHold(x)+12Eo

var_3A		= byte ptr -3Ah
var_26		= byte ptr -26h
var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		and	[esp+24h+var_20], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+30h+var_1C]
		rep stosd
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopPowerButtonHold
		mov	[esp+30h+var_21], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_657FD8:				; CODE XREF: PopPowerButtonWorkCallback(x)+187j
		xor	eax, eax

loc_657FDA:				; CODE XREF: PopPowerButtonWorkCallback(x)+195j
		mov	ebx, ds:dword_6BFE74
		inc	eax
		mov	edi, ds:dword_6BFE78
		test	ds:byte_70EFC6,	al
		jz	short loc_657FFB
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_658000
; 

loc_657FFB:				; CODE XREF: PopPowerButtonWorkCallback(x)+54j
		xor	eax, eax
		lock and [esi],	eax

loc_658000:				; CODE XREF: PopPowerButtonWorkCallback(x)+60j
		mov	cl, [esp+30h+var_21]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		inc	eax
		test	byte ptr ds:dword_6BFE7C, al
		jz	short loc_658055
		test	bl, al
		jz	short loc_658021
		cmp	edi, ds:dword_6BFE80
		jz	short loc_658055

loc_658021:				; CODE XREF: PopPowerButtonWorkCallback(x)+7Ej
		xor	cl, cl
		call	_PopRecordPhysicalPowerButton@4	; PopRecordPhysicalPowerButton(x)
		and	ds:dword_6BFE7C, 0
		mov	ecx, offset dword_6BFE7C
		mov	ds:byte_6BFDA8,	0
		call	_PopPublishPowerButtonState@4 ;	PopPublishPowerButtonState(x)
		xor	eax, eax
		mov	ecx, offset unk_6BFE08
		inc	eax
		push	0
		push	eax
		mov	dl, al
		call	KeDisableTimer2
		xor	eax, eax
		inc	eax

loc_658055:				; CODE XREF: PopPowerButtonWorkCallback(x)+7Aj
					; PopPowerButtonWorkCallback(x)+86j
		test	bl, al
		jnz	short loc_658064
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		jmp	loc_65810F
; 

loc_658064:				; CODE XREF: PopPowerButtonWorkCallback(x)+BEj
		test	byte ptr ds:dword_6BFE7C, al
		jnz	short loc_6580C2
		mov	cl, al
		call	_PopRecordPhysicalPowerButton@4	; PopRecordPhysicalPowerButton(x)
		mov	ds:dword_6BFE80, edi
		call	_PopQueryPowerButtonBugcheckEnabled@0 ;	PopQueryPowerButtonBugcheckEnabled()
		push	8
		mov	ds:dword_6BFE84, eax
		mov	esi, offset unk_6BFE08
		pop	eax
		mov	word ptr [esp+30h+var_20], ax
		mov	edx, offset _PopPowerButtonTimerCallback@8 ; PopPowerButtonTimerCallback(x,x)
		xor	eax, eax
		mov	ecx, esi
		inc	eax
		mov	word ptr [esp+30h+var_20+2], ax
		lea	eax, [esp+30h+var_20]
		push	2
		push	eax
		push	edi
		call	_KeInitializeIRTimer@20	; KeInitializeIRTimer(x,x,x,x,x)
		push	0
		push	0
		push	(offset	loc_98967E+2)
		push	0FFFFFFFFh
		push	0FF676980h
		push	esi
		call	KeSetTimer2

loc_6580C2:				; CODE XREF: PopPowerButtonWorkCallback(x)+D1j
		mov	ecx, offset dword_6BFE7C
		mov	ds:dword_6BFE7C, ebx
		call	_PopPublishPowerButtonState@4 ;	PopPublishPowerButtonState(x)
		mov	esi, ebx
		shr	esi, 1
		cmp	esi, 1B58h
		jb	short loc_658104
		cmp	ds:_PopAcpiPdttSupportEnabled, 0
		jz	short loc_6580EF
		push	0		; char
		call	ds:dword_6B1444

loc_6580EF:				; CODE XREF: PopPowerButtonWorkCallback(x)+14Cj
		mov	ecx, esi
		call	_PopDiagTracePowerButtonBugcheck@4 ; PopDiagTracePowerButtonBugcheck(x)
		call	_PopRecordPoBlackboxInformation@0 ; PopRecordPoBlackboxInformation()
		cmp	ds:dword_6BFE84, 0
		jnz	short loc_658152

loc_658104:				; CODE XREF: PopPowerButtonWorkCallback(x)+143j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopPowerButtonHold

loc_65810F:				; CODE XREF: PopPowerButtonWorkCallback(x)+C6j
		mov	ecx, esi
		mov	[esp+0Fh], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	ebx, ds:dword_6BFE74
		jnz	loc_657FD8
		xor	eax, eax
		cmp	edi, ds:dword_6BFE78
		jnz	loc_657FDA
		mov	edx, offset unk_6BFE70
		xchg	eax, [edx]
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_65819B
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6581A0
; 

loc_658152:				; CODE XREF: PopPowerButtonWorkCallback(x)+169j
		call	_RtlGetActiveConsoleId@0 ; RtlGetActiveConsoleId()
		mov	ecx, eax
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		test	eax, eax
		jz	short loc_658185
		lea	edx, [esp+34h+var_20]
		mov	ecx, eax
		call	MmAttachSession
		test	eax, eax
		jns	short loc_658185
		push	(offset	loc_5A5325+1) ;	char *
		push	3		; int
		push	92h		; int
		call	_DbgPrintEx
		add	esp, 0Ch

loc_658185:				; CODE XREF: PopPowerButtonWorkCallback(x)+1C7j
					; PopPowerButtonWorkCallback(x)+1D6j
		push	0
		push	0
		push	offset _PopPowerButtonTriageBlock
		shr	ebx, 1
		push	ebx
		push	1C8h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_65819B:				; CODE XREF: PopPowerButtonWorkCallback(x)+1ABj
		xor	eax, eax
		lock and [esi],	eax

loc_6581A0:				; CODE XREF: PopPowerButtonWorkCallback(x)+1B7j
		mov	cl, [esp+0Fh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esp+48h+var_1C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_PopPowerButtonWorkCallback@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdatePowerButtonHoldState(x)
_PopUpdatePowerButtonHoldState@4 proc near ; CODE XREF:	PoSetPowerButtonHoldState(x)+8p
					; NtPowerInformation+1726F0p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1], cl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopPowerButtonHold
		mov	[ebp+var_2], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edi, ds:dword_6BFD64
		xor	eax, eax
		mov	esi, ds:dword_6BFD68
		inc	eax
		xor	edx, edx
		xor	ebx, ebx
		lea	ecx, [edi+esi]
		and	ecx, 3Fh
		call	__allshl
		cmp	[ebp+var_1], bl
		jz	short loc_658216
		or	ds:dword_6BFD70, eax
		inc	ebx
		or	ds:dword_6BFD74, edx
		inc	esi
		mov	ds:dword_6BFD68, esi
		jmp	short loc_65822D
; 

loc_658216:				; CODE XREF: PopUpdatePowerButtonHoldState(x)+40j
		not	eax
		not	edx
		and	ds:dword_6BFD70, eax
		and	ds:dword_6BFD74, edx
		inc	edi
		mov	ds:dword_6BFD64, edi

loc_65822D:				; CODE XREF: PopUpdatePowerButtonHoldState(x)+56j
		mov	ecx, ds:dword_6BFE74
		mov	eax, ecx
		pop	edi
		and	eax, 1
		pop	esi
		cmp	ebx, eax
		pop	ebx
		jz	short loc_658268
		xor	edx, edx
		cmp	[ebp+var_1], dl
		jz	short loc_658257
		or	ecx, 1
		inc	ds:dword_6BFE78
		mov	ds:dword_6BFE74, ecx
		jmp	short loc_65825E
; 

loc_658257:				; CODE XREF: PopUpdatePowerButtonHoldState(x)+86j
		and	ds:dword_6BFE74, 0

loc_65825E:				; CODE XREF: PopUpdatePowerButtonHoldState(x)+97j
		mov	ecx, offset unk_6BFE60
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)

loc_658268:				; CODE XREF: PopUpdatePowerButtonHoldState(x)+7Fj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopPowerButtonHold
		jz	short loc_658280
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_658285
; 

loc_658280:				; CODE XREF: PopUpdatePowerButtonHoldState(x)+B6j
		xor	eax, eax
		lock and [ecx],	eax

loc_658285:				; CODE XREF: PopUpdatePowerButtonHoldState(x)+C0j
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn
_PopUpdatePowerButtonHoldState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBlackBoxBugcheckCallback(x, x, x, x)
_PopBlackBoxBugcheckCallback@16	proc near ; DATA XREF: PopRecorderInit()+26o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_8]
		push	esi
		push	edi
		mov	esi, [ecx-0Ch]
		lea	edi, [edx+0Ch]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ecx+28h]
		mov	[edx+20h], eax
		xor	eax, eax
		pop	edi
		pop	esi
		cmp	[ecx+28h], eax
		jbe	short loc_6582B9
		mov	eax, [ecx+24h]

loc_6582B9:				; CODE XREF: PopBlackBoxBugcheckCallback(x,x,x,x)+24j
		mov	[edx+1Ch], eax
		pop	ebp
		retn	10h
_PopBlackBoxBugcheckCallback@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCacheDisplayOnPhaseDuration(x, x, x)
_PopCacheDisplayOnPhaseDuration@12 proc	near ; CODE XREF: PopSetWatchdog+16E5E1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset dword_6C20F8
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	ds:dword_6C20FC, 0
		jz	short loc_65832A
		cmp	esi, 50h
		jnz	short loc_6582FE
		mov	eax, [ebp+arg_0]
		mov	ds:_PopDisplayOnPerformance, eax
		mov	eax, [ebp+arg_4]
		mov	ds:dword_6C20E4, eax
		jmp	short loc_65832A
; 

loc_6582FE:				; CODE XREF: PopCacheDisplayOnPhaseDuration(x,x,x)+2Aj
		cmp	esi, 40h
		jnz	short loc_658315
		mov	eax, [ebp+arg_0]
		mov	ds:dword_6C20E8, eax
		mov	eax, [ebp+arg_4]
		mov	ds:dword_6C20EC, eax
		jmp	short loc_65832A
; 

loc_658315:				; CODE XREF: PopCacheDisplayOnPhaseDuration(x,x,x)+41j
		cmp	esi, 30h
		jnz	short loc_65832A
		mov	eax, [ebp+arg_0]
		mov	ds:dword_6C20F0, eax
		mov	eax, [ebp+arg_4]
		mov	ds:dword_6C20F4, eax

loc_65832A:				; CODE XREF: PopCacheDisplayOnPhaseDuration(x,x,x)+25j
					; PopCacheDisplayOnPhaseDuration(x,x,x)+3Cj ...
		test	ds:byte_70EFC6,	1
		jz	short loc_65833F
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_658344
; 

loc_65833F:				; CODE XREF: PopCacheDisplayOnPhaseDuration(x,x,x)+71j
		xor	eax, eax
		lock and [edi],	eax

loc_658344:				; CODE XREF: PopCacheDisplayOnPhaseDuration(x,x,x)+7Dj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_PopCacheDisplayOnPhaseDuration@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopResolveWatchdogParam(x, x)
_PopResolveWatchdogParam@8 proc	near	; CODE XREF: PopWatchdogWorker(x)+D3p
					; PopWatchdogWorker(x)+E4p ...

ms_exc		= CPPEH_RECORD ptr -18h

		push	8
		push	offset dword_6A8E50
		call	__SEH_prolog4
		test	dl, dl
		jnz	short loc_658367
		mov	eax, ecx
		jmp	short loc_658387
; 

loc_658367:				; CODE XREF: PopResolveWatchdogParam(x,x)+Ej
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ecx]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_658387
; 

loc_658376:				; DATA XREF: .text:006A8E64o
		xor	eax, eax
		inc	eax
		retn
; 

loc_65837A:				; DATA XREF: .text:006A8E68o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		or	eax, 0FFFFFFFFh

loc_658387:				; CODE XREF: PopResolveWatchdogParam(x,x)+12j
					; PopResolveWatchdogParam(x,x)+21j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopResolveWatchdogParam@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWatchdogDpc(x, x, x, x)
_PopWatchdogDpc@16 proc	near		; DATA XREF: PopSetWatchdog+1ADo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		cmp	dword ptr [esi+8], 44574F50h
		jz	short loc_6583B0
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_6583B0:				; CODE XREF: PopWatchdogDpc(x,x,x,x)+12j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PopWatchdogLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte ptr [esi+80h], 0
		jz	short loc_6583E2
		cmp	byte ptr [esi+0Dh], 0
		jnz	short loc_6583E2
		push	1
		lea	eax, [esi+68h]
		mov	byte ptr [esi+0Dh], 1
		push	eax
		call	ExQueueWorkItem

loc_6583E2:				; CODE XREF: PopWatchdogDpc(x,x,x,x)+34j
					; PopWatchdogDpc(x,x,x,x)+3Aj
		mov	ecx, esi
		mov	byte ptr [esi+0Ch], 0
		call	_PopUpdateWatchdogNoWorkersEvent@4 ; PopUpdateWatchdogNoWorkersEvent(x)
		test	ds:byte_70EFC6,	1
		jz	short loc_658402
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_658407
; 

loc_658402:				; CODE XREF: PopWatchdogDpc(x,x,x,x)+5Dj
		xor	eax, eax
		lock and [edi],	eax

loc_658407:				; CODE XREF: PopWatchdogDpc(x,x,x,x)+69j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_PopWatchdogDpc@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWatchdogWorker(x)
_PopWatchdogWorker@4 proc near		; DATA XREF: PopSetWatchdog+1C1o

var_6A		= byte ptr -6Ah
var_69		= byte ptr -69h
var_66		= byte ptr -66h
var_52		= byte ptr -52h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= byte ptr -28h
var_27		= byte ptr -27h
var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+60h+var_1C]
		mov	[esp+60h+var_51], al
		rep stosd
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopWatchdogLock
		mov	[esp+60h+var_52], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte ptr [ebx+80h], 0
		jz	loc_6585A3
		call	KeQueryInterruptTime
		cmp	edx, [ebx+7Ch]
		jb	loc_6585A3
		ja	short loc_65847D
		cmp	eax, [ebx+78h]
		jb	loc_6585A3

loc_65847D:				; CODE XREF: PopWatchdogWorker(x)+5Cj
		test	ds:byte_70EFC6,	1
		lea	esi, [ebx+84h]
		push	0Ah
		pop	ecx
		lea	edi, [esp+60h+var_44]
		rep movsd
		mov	ecx, offset _PopWatchdogLock
		jz	short loc_6584A4
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6584A9
; 

loc_6584A4:				; CODE XREF: PopWatchdogWorker(x)+82j
		xor	eax, eax
		lock and [ecx],	eax

loc_6584A9:				; CODE XREF: PopWatchdogWorker(x)+8Cj
		mov	cl, [esp+60h+var_52]
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	edi
		mov	ecx, [esp+60h+var_40]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_6584C7
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	esi, eax
		jmp	short loc_6584C9
; 

loc_6584C7:				; CODE XREF: PopWatchdogWorker(x)+A6j
		xor	esi, esi

loc_6584C9:				; CODE XREF: PopWatchdogWorker(x)+AFj
		test	esi, esi
		jz	short loc_6584E1
		lea	edx, [esp+60h+var_1C]
		mov	ecx, esi
		call	MmAttachSession
		test	eax, eax
		js	short loc_6584E1
		mov	[esp+60h+var_51], 1

loc_6584E1:				; CODE XREF: PopWatchdogWorker(x)+B5j
					; PopWatchdogWorker(x)+C4j
		mov	dl, [esp+60h+var_28]
		mov	ecx, [esp+60h+var_38]
		call	_PopResolveWatchdogParam@8 ; PopResolveWatchdogParam(x,x)
		mov	dl, [esp+60h+var_27]
		mov	ecx, [esp+60h+var_34]
		mov	[esp+60h+var_48], eax
		call	_PopResolveWatchdogParam@8 ; PopResolveWatchdogParam(x,x)
		mov	dl, [esp+60h+var_26]
		mov	ecx, [esp+60h+var_30]
		mov	[esp+60h+var_4C], eax
		call	_PopResolveWatchdogParam@8 ; PopResolveWatchdogParam(x,x)
		mov	dl, [esp+60h+var_25]
		mov	ecx, [esp+60h+var_2C]
		mov	[esp+60h+var_50], eax
		call	_PopResolveWatchdogParam@8 ; PopResolveWatchdogParam(x,x)
		cmp	[esp+60h+var_24], 0
		push	eax
		push	[esp+64h+var_50]
		push	[esp+68h+var_4C]
		push	[esp+6Ch+var_48]
		push	[esp+70h+var_3C]
		jz	short loc_65859E
		push	[esp+74h+var_20]
		call	[esp+78h+var_24]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopWatchdogLock
		mov	[esp+78h+var_6A], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ebx
		mov	byte ptr [ebx+0Dh], 0
		call	_PopUpdateWatchdogNoWorkersEvent@4 ; PopUpdateWatchdogNoWorkersEvent(x)
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopWatchdogLock
		jz	short loc_658578
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65857D
; 

loc_658578:				; CODE XREF: PopWatchdogWorker(x)+156j
		xor	eax, eax
		lock and [ecx],	eax

loc_65857D:				; CODE XREF: PopWatchdogWorker(x)+160j
		mov	cl, [esp+78h+var_6A]
		call	edi
		cmp	[esp+78h+var_69], 0
		jz	short loc_6585D2
		lea	edx, [esp+78h+var_34]
		mov	ecx, esi
		call	MmDetachSession
		mov	ecx, esi
		call	_MmQuitNextSession@4 ; MmQuitNextSession(x)
		jmp	short loc_6585D2
; 

loc_65859E:				; CODE XREF: PopWatchdogWorker(x)+121j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6585A3:				; CODE XREF: PopWatchdogWorker(x)+48j
					; PopWatchdogWorker(x)+56j ...
		mov	ecx, ebx
		mov	byte ptr [ebx+0Dh], 0
		call	_PopUpdateWatchdogNoWorkersEvent@4 ; PopUpdateWatchdogNoWorkersEvent(x)
		test	ds:byte_70EFC6,	1
		jz	short loc_6585C3
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6585C8
; 

loc_6585C3:				; CODE XREF: PopWatchdogWorker(x)+19Fj
		xor	eax, eax
		lock and [esi],	eax

loc_6585C8:				; CODE XREF: PopWatchdogWorker(x)+1ABj
		mov	cl, [esp+74h+var_66]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_6585D2:				; CODE XREF: PopWatchdogWorker(x)+172j
					; PopWatchdogWorker(x)+186j
		mov	ecx, [esp+74h+var_18]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_PopWatchdogWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEmModuleAddressMatchCallback(x, x, x, x,	x, x, x)
_PopEmModuleAddressMatchCallback@28 proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		xor	edx, edx
		xor	esi, esi
		inc	esi
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		cmp	[ebp+arg_4], esi
		jnz	short loc_658667
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_658667
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_658667
		cmp	[ebp+arg_14], edx
		jnz	short loc_658667
		cmp	[ebp+arg_C], esi
		jnz	short loc_658667
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_658667
		mov	ecx, [ecx]
		test	ecx, ecx
		jz	short loc_658667
		cmp	[eax+4], edx
		jz	short loc_658667
		push	edi
		mov	edi, [eax]
		test	edi, edi
		jz	short loc_658666
		push	ecx
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitString@8 ; RtlInitString(x,x)
		push	esi
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	short loc_658666
		push	esi
		push	edi
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 2

loc_658666:				; CODE XREF: PopEmModuleAddressMatchCallback(x,x,x,x,x,x,x)+4Dj
					; PopEmModuleAddressMatchCallback(x,x,x,x,x,x,x)+69j
		pop	edi

loc_658667:				; CODE XREF: PopEmModuleAddressMatchCallback(x,x,x,x,x,x,x)+1Dj
					; PopEmModuleAddressMatchCallback(x,x,x,x,x,x,x)+24j ...
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, esi
		pop	esi
		leave
		retn	1Ch
_PopEmModuleAddressMatchCallback@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxDebuggerPowerCriticalTransitionCallback(x, x, x)
_PopFxDebuggerPowerCriticalTransitionCallback@12 proc near
					; DATA XREF: PoFxRegisterDebugger+F748o

arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_PopAutomaticDebuggerTransitions, 0
		jz	short loc_658699
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	61Eh
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_658699:				; CODE XREF: PopFxDebuggerPowerCriticalTransitionCallback(x,x,x)+Cj
		cmp	[ebp+arg_8], 0
		jz	short loc_6586B5
		xor	ecx, ecx
		inc	ecx
		call	_KdCallPowerHandlers@4 ; KdCallPowerHandlers(x)
		push	1
		push	80000001h
		call	_KdPowerTransitionEx@8 ; KdPowerTransitionEx(x,x)
		jmp	short loc_6586C9
; 

loc_6586B5:				; CODE XREF: PopFxDebuggerPowerCriticalTransitionCallback(x,x,x)+26j
		push	1
		push	80000004h
		call	_KdPowerTransitionEx@8 ; KdPowerTransitionEx(x,x)
		push	4
		pop	ecx
		call	_KdCallPowerHandlers@4 ; KdCallPowerHandlers(x)

loc_6586C9:				; CODE XREF: PopFxDebuggerPowerCriticalTransitionCallback(x,x,x)+3Cj
		pop	ebp
		retn	0Ch
_PopFxDebuggerPowerCriticalTransitionCallback@12 endp ;	sp = -14h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventAutonomousModeChange(x, x)
_PpmEventAutonomousModeChange@8	proc near ; CODE XREF: PpmUpdateTargetProcessorPolicy+81DB3p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		movzx	eax, byte ptr [ecx-3ADBh]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ebx
		mov	word ptr [ebp+var_28], ax
		mov	al, [ecx-3ADCh]
		mov	byte ptr [ebp+var_28+2], al
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], 3
		mov	[ebp+var_18], ebx
		cmp	ds:_PpmEtwRegistered, bl
		jz	short loc_65875D
		push	esi
		mov	esi, ds:dword_6BFD04
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	offset _PPM_ETW_AUTONOMOUS_MODE_CHANGE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_65875B
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	ebx
		push	offset _PPM_ETW_AUTONOMOUS_MODE_CHANGE
		push	esi
		push	edi
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65875B:				; CODE XREF: PpmEventAutonomousModeChange(x,x)+66j
		pop	edi
		pop	esi

loc_65875D:				; CODE XREF: PpmEventAutonomousModeChange(x,x)+48j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventAutonomousModeChange@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventBiosCapChange(x, x)
_PpmEventBiosCapChange@8 proc near	; CODE XREF: PpmRegisterPerfCap(x)+ADp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		movzx	eax, byte ptr [ecx-3ADBh]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ebx
		mov	word ptr [ebp+var_28], ax
		mov	al, [ecx-3ADCh]
		mov	byte ptr [ebp+var_28+2], al
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], 3
		mov	[ebp+var_18], ebx
		cmp	ds:_PpmEtwRegistered, bl
		jz	short loc_6587FA
		push	esi
		mov	esi, ds:dword_6BFD04
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	offset _PPM_ETW_BIOS_CAP_CHANGE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_6587F8
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	ebx
		push	offset _PPM_ETW_BIOS_CAP_CHANGE
		push	esi
		push	edi
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6587F8:				; CODE XREF: PpmEventBiosCapChange(x,x)+66j
		pop	edi
		pop	esi

loc_6587FA:				; CODE XREF: PpmEventBiosCapChange(x,x)+48j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventBiosCapChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventCoordinatedIdleTransition(x, x, x)
_PpmEventCoordinatedIdleTransition@12 proc near	; CODE XREF: PpmExitCoordinatedIdle+12BEDEp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		test	edx, edx
		jz	short loc_65886C
		mov	eax, ds:_PpmPlatformStates
		cmp	byte ptr [eax+0Ch], 0
		jz	short loc_65886C
		test	ds:dword_70EFC8, 8000h
		jz	short loc_65886C
		mov	eax, [ebp+arg_0]
		and	[ebp+var_18], 0
		and	[ebp+var_10], 0
		mov	[ebp+var_1C], eax
		mov	eax, edx
		shl	eax, 2
		mov	[ebp+var_14], eax
		xor	eax, eax
		test	cl, cl
		lea	ecx, [ebp+var_1C]
		push	602h
		setz	al
		xor	edx, edx
		add	eax, 123Fh
		inc	edx
		push	eax
		push	40008000h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_65886C:				; CODE XREF: PpmEventCoordinatedIdleTransition(x,x,x)+14j
					; PpmEventCoordinatedIdleTransition(x,x,x)+1Fj	...
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PpmEventCoordinatedIdleTransition@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventCoreParkingSoftParkedStateChange(x,	x)
_PpmEventCoreParkingSoftParkedStateChange@8 proc near
					; CODE XREF: PpmParkReportSoftParkChange(x)+48p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PpmEtwRegistered, 0
		push	ebx
		mov	[ebp+var_45], dl
		mov	ebx, ecx
		jz	loc_658937
		push	esi
		mov	esi, ds:dword_6BFD04
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	offset _PPM_ETW_SOFT_PARK_STATE_CHANGE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_658935
		movzx	eax, byte ptr [ebx+3C5h]
		xor	edx, edx
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_34], eax
		lea	eax, [ebx+3C4h]
		mov	[ebp+var_24], eax
		xor	eax, eax
		cmp	[ebp+var_45], al
		push	4
		setnz	al
		mov	[ebp+var_44], offset _PpmCheckTime
		pop	ecx
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	edx
		push	offset _PPM_ETW_SOFT_PARK_STATE_CHANGE
		push	esi
		push	edi
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], 8
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], 2
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], 1
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_658935:				; CODE XREF: PpmEventCoreParkingSoftParkedStateChange(x,x)+41j
		pop	edi
		pop	esi

loc_658937:				; CODE XREF: PpmEventCoreParkingSoftParkedStateChange(x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventCoreParkingSoftParkedStateChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventCoreParkingStateChange(x, x)
_PpmEventCoreParkingStateChange@8 proc near ; CODE XREF: PpmParkReportUnparkedCore(x)+45p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PpmEtwRegistered, 0
		push	ebx
		mov	ebx, ecx
		jz	short loc_6589DE
		push	esi
		mov	esi, ds:dword_6BFD04
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	offset _PPM_ETW_UNPARK_CORE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_6589DC
		movzx	eax, byte ptr [ebx+3C5h]
		xor	ecx, ecx
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_24], eax
		lea	eax, [ebx+3C4h]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	ecx
		push	offset _PPM_ETW_UNPARK_CORE
		push	esi
		push	edi
		mov	[ebp+var_34], offset _PpmCheckTime
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], 8
		mov	[ebp+var_28], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], 2
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], 1
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6589DC:				; CODE XREF: PpmEventCoreParkingStateChange(x,x)+3Aj
		pop	edi
		pop	esi

loc_6589DE:				; CODE XREF: PpmEventCoreParkingStateChange(x,x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventCoreParkingStateChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventCoreParkingStateChangeEx(x,	x)
_PpmEventCoreParkingStateChangeEx@8 proc near ;	CODE XREF: PpmParkReportParkedCore(x)+75p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PpmEtwRegistered, 0
		push	ebx
		mov	[ebp+var_45], dl
		mov	ebx, ecx
		jz	loc_658AA8
		push	esi
		mov	esi, ds:dword_6BFD04
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	offset _PPM_ETW_PARK_CORE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_658AA6
		movzx	eax, byte ptr [ebx+3C5h]
		xor	edx, edx
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_34], eax
		lea	eax, [ebx+3C4h]
		mov	[ebp+var_24], eax
		xor	eax, eax
		cmp	[ebp+var_45], al
		push	4
		setnz	al
		mov	[ebp+var_44], offset _PpmCheckTime
		pop	ecx
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	edx
		push	offset _PPM_ETW_PARK_CORE
		push	esi
		push	edi
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], 8
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], 2
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], 1
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_658AA6:				; CODE XREF: PpmEventCoreParkingStateChangeEx(x,x)+41j
		pop	edi
		pop	esi

loc_658AA8:				; CODE XREF: PpmEventCoreParkingStateChangeEx(x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventCoreParkingStateChangeEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventEnterPlatformIdleState(x)
_PpmEventEnterPlatformIdleState@4 proc near
					; CODE XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+B2Fp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		test	ds:dword_70EFC8, 8000h
		mov	[ebp+var_1C], ecx
		jz	short loc_658B05
		and	[ebp+var_14], 0
		lea	eax, [ebp+var_1C]
		and	[ebp+var_C], 0
		lea	ecx, [ebp+var_18]
		push	602h
		push	123Bh
		xor	edx, edx
		mov	[ebp+var_18], eax
		push	40008000h
		inc	edx
		mov	[ebp+var_10], 4
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_658B05:				; CODE XREF: PpmEventEnterPlatformIdleState(x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventEnterPlatformIdleState@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpmEventHgsUpdate()
_PpmEventHgsUpdate@0 proc near		; CODE XREF: PpmHeteroDispatchHgsInterrupt()p
		cmp	ds:_PpmEtwRegistered, 0
		jz	short locret_658B4A
		push	ebx
		push	esi
		mov	esi, ds:dword_6BFD04
		mov	ebx, offset _PPM_ETW_HGS_UPDATE
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_658B47
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	ebx
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_658B47:				; CODE XREF: PpmEventHgsUpdate()+27j
		pop	edi
		pop	esi
		pop	ebx

locret_658B4A:				; CODE XREF: PpmEventHgsUpdate()+7j
		retn
_PpmEventHgsUpdate@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventIdleDurationExpiration(x)
_PpmEventIdleDurationExpiration@4 proc near ; CODE XREF: PoExecuteIdleCheck+12EEB3p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PpmEtwRegistered, 0
		push	ebx
		mov	ebx, ecx
		jz	loc_658C4C
		push	offset _PPM_ETW_IDLE_DURATION_EXPIRATION
		push	ds:dword_6BFD04
		push	ds:_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_658C4C
		push	esi
		xor	ecx, ecx
		xor	esi, esi
		xor	edx, edx
		mov	[ebp+var_44], ecx
		push	edi
		inc	esi

loc_658B97:				; CODE XREF: PpmEventIdleDurationExpiration(x)+7Dj
		movzx	eax, cx
		lea	edi, [ebp+var_10]
		imul	eax, 0Ch
		add	edi, eax
		xor	eax, eax
		mov	[ebp+var_44], edi
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_44]
		mov	[edi+4], dx
		test	dx, dx
		jnz	short loc_658BBB
		mov	eax, [ebx+8]
		jmp	short loc_658BBD
; 

loc_658BBB:				; CODE XREF: PpmEventIdleDurationExpiration(x)+69j
		xor	eax, eax

loc_658BBD:				; CODE XREF: PpmEventIdleDurationExpiration(x)+6Ej
		mov	[edi], eax
		test	eax, eax
		jz	short loc_658BC4
		inc	ecx

loc_658BC4:				; CODE XREF: PpmEventIdleDurationExpiration(x)+76j
		inc	edx
		cmp	dx, si
		jb	short loc_658B97
		and	[ebp+var_3C], 0
		lea	eax, [ebp+var_44]
		and	[ebp+var_34], 0
		mov	[ebp+var_40], eax
		xor	eax, eax
		mov	[ebp+var_44], ecx
		mov	[ebp+var_38], 2
		cmp	ax, cx
		jnb	short loc_658C2D
		movzx	edi, cx
		lea	edx, [ebp+var_24]
		xor	ebx, ebx
		lea	esi, ds:1[edi*2]

loc_658BF8:				; CODE XREF: PpmEventIdleDurationExpiration(x)+E0j
		imul	eax, ebx, 0Ch
		lea	ecx, [ebp+var_10]
		mov	dword ptr [edx-4], 2
		add	ecx, eax
		lea	eax, [ecx+4]
		mov	[edx-0Ch], eax
		xor	eax, eax
		mov	[edx-8], eax
		inc	ebx
		mov	[edx], eax
		lea	edx, [edx+20h]
		mov	[edx-1Ch], ecx
		mov	[edx-18h], eax
		mov	dword ptr [edx-14h], 4
		mov	[edx-10h], eax
		sub	edi, 1
		jnz	short loc_658BF8

loc_658C2D:				; CODE XREF: PpmEventIdleDurationExpiration(x)+9Cj
		lea	eax, [ebp+var_40]
		push	eax
		push	esi
		push	0
		push	offset _PPM_ETW_IDLE_DURATION_EXPIRATION
		push	ds:dword_6BFD04
		push	ds:_PpmEtwHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	edi
		pop	esi

loc_658C4C:				; CODE XREF: PpmEventIdleDurationExpiration(x)+1Cj
					; PpmEventIdleDurationExpiration(x)+3Aj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventIdleDurationExpiration@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventLPICoreParking(x, x)
_PpmEventLPICoreParking@8 proc near	; CODE XREF: PpmParkCalculateCoreParkingMask+12A412p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PpmEtwRegistered, 0
		mov	eax, ds:_PpmParkLpiCap
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], eax
		jz	short loc_658CD4
		push	ebx
		push	esi
		mov	esi, ds:dword_6BFD04
		mov	ebx, offset _PPM_ETW_LPI_CORE_PARK
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_658CD1
		push	4
		pop	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		xor	edx, edx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_658CD1:				; CODE XREF: PpmEventLPICoreParking(x,x)+44j
		pop	edi
		pop	esi
		pop	ebx

loc_658CD4:				; CODE XREF: PpmEventLPICoreParking(x,x)+24j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventLPICoreParking@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventParkNodeCapChange(x, x, x, x)
_PpmEventParkNodeCapChange@16 proc near	; CODE XREF: PpmParkApplyPolicy+8385Fp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PpmEtwRegistered, 0
		mov	[ebp+var_4C], edx
		mov	word ptr [ebp+var_48], cx
		jz	short loc_658D7E
		push	esi
		mov	esi, ds:dword_6BFD04
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	offset _PPM_ETW_PARK_NODE_CAP_CHANGE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_658D7C
		push	ebx
		lea	eax, [ebp+var_48]
		mov	[ebp+var_3C], 2
		mov	[ebp+var_44], eax
		xor	ebx, ebx
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_40], ebx
		mov	[ebp+var_34], eax
		xor	ecx, ecx
		push	4
		pop	edx
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_38], ebx
		mov	[ebp+var_24], eax
		inc	ecx
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	edx
		push	ebx
		push	offset _PPM_ETW_PARK_NODE_CAP_CHANGE
		push	esi
		push	edi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	ebx

loc_658D7C:				; CODE XREF: PpmEventParkNodeCapChange(x,x,x,x)+3Ej
		pop	edi
		pop	esi

loc_658D7E:				; CODE XREF: PpmEventParkNodeCapChange(x,x,x,x)+20j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PpmEventParkNodeCapChange@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventParkNodeClassRecordedStats(x, x, x,	x, x)
_PpmEventParkNodeClassRecordedStats@20 proc near
					; CODE XREF: PpmParkRecordNodeStatistics+129FA0p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PpmEtwRegistered, 0
		mov	[ebp+var_6C], edx
		mov	word ptr [ebp+var_68], cx
		jz	loc_658E59
		push	esi
		mov	esi, ds:dword_6BFD04
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	offset _PPM_ETW_PARK_NODE_CLASS_STATS
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_658E57
		lea	eax, [ebp+var_68]
		mov	[ebp+var_5C], 2
		mov	[ebp+var_64], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_6C]
		inc	ecx
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[ebp+var_3C], ecx
		xor	ebx, ebx
		mov	[ebp+var_2C], ecx
		lea	ecx, [eax+20h]
		mov	[ebp+var_60], ebx
		mov	eax, [eax+4]
		push	4
		mov	[ebp+var_14], eax
		mov	eax, [ecx]
		pop	edx
		shl	eax, 3
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		push	ebx
		push	offset _PPM_ETW_PARK_NODE_CLASS_STATS
		push	esi
		push	edi
		mov	[ebp+var_58], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	ebx

loc_658E57:				; CODE XREF: PpmEventParkNodeClassRecordedStats(x,x,x,x,x)+42j
		pop	edi
		pop	esi

loc_658E59:				; CODE XREF: PpmEventParkNodeClassRecordedStats(x,x,x,x,x)+20j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PpmEventParkNodeClassRecordedStats@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventParkNodeParkHintChanged(x, x, x)
_PpmEventParkNodeParkHintChanged@12 proc near ;	CODE XREF: PpmParkApplyPolicy+8370Cp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PpmEtwRegistered, 0
		mov	[ebp+var_3C], edx
		mov	word ptr [ebp+var_38], cx
		jz	short loc_658EF1
		push	ebx
		push	esi
		mov	esi, ds:dword_6BFD04
		mov	ebx, offset _PPM_ETW_PARK_NODE_PARK_HINT_CHANGE
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_658EEE
		lea	eax, [ebp+var_38]
		mov	[ebp+var_2C], 2
		mov	[ebp+var_34], eax
		xor	edx, edx
		push	4
		pop	ecx
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_30], edx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_658EEE:				; CODE XREF: PpmEventParkNodeParkHintChanged(x,x,x)+40j
		pop	edi
		pop	esi
		pop	ebx

loc_658EF1:				; CODE XREF: PpmEventParkNodeParkHintChanged(x,x,x)+20j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PpmEventParkNodeParkHintChanged@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventParkNodePreference(x, x, x,	x, x, x, x)
_PpmEventParkNodePreference@28 proc near
					; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+1FBp

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PpmEtwRegistered, 0
		mov	[ebp+var_7C], edx
		mov	word ptr [ebp+var_78], cx
		jz	loc_658FD1
		push	ebx
		push	esi
		mov	esi, ds:dword_6BFD04
		mov	ebx, offset _PPM_ETW_PLATFORM_PARKING_PREFERENCE
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_658FCE
		lea	eax, [ebp+var_78]
		mov	[ebp+var_6C], 2
		mov	[ebp+var_74], eax
		xor	edx, edx
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_70], edx
		mov	[ebp+var_64], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], 1
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_658FCE:				; CODE XREF: PpmEventParkNodePreference(x,x,x,x,x,x,x)+44j
		pop	edi
		pop	esi
		pop	ebx

loc_658FD1:				; CODE XREF: PpmEventParkNodePreference(x,x,x,x,x,x,x)+20j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_PpmEventParkNodePreference@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventPlatformVetoRequest(x, x, x)
_PpmEventPlatformVetoRequest@12	proc near ; CODE XREF: PpmUpdatePlatformIdleVeto(x)+86p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_0], 0
		push	esi
		mov	[ebp+var_2C], edx
		mov	esi, offset _PPM_ETW_PLATFORM_IDLE_VETO_DECREMENT
		mov	[ebp+var_28], ecx
		jz	short loc_659008
		mov	esi, offset _PPM_ETW_PLATFORM_IDLE_VETO_INCREMENT

loc_659008:				; CODE XREF: PpmEventPlatformVetoRequest(x,x,x)+22j
		cmp	ds:_PpmEtwRegistered, 0
		jz	short loc_65905F
		push	ebx
		mov	ebx, ds:_PpmEtwHandle
		push	edi
		mov	edi, ds:dword_6BFD04
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_65905D
		push	4
		pop	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		xor	edx, edx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	esi
		push	edi
		push	ebx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65905D:				; CODE XREF: PpmEventPlatformVetoRequest(x,x,x)+4Aj
		pop	edi
		pop	ebx

loc_65905F:				; CODE XREF: PpmEventPlatformVetoRequest(x,x,x)+30j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PpmEventPlatformVetoRequest@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventPlatformVetoRundown()
_PpmEventPlatformVetoRundown@0 proc near ; CODE	XREF: PpmEventTraceControlCallback+82F6Dp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, ds:_PpmPlatformStates
		test	ecx, ecx
		jz	loc_6591D6
		push	esi
		xor	esi, esi
		mov	eax, esi
		mov	[ebp+var_38], eax
		push	edi
		cmp	[ecx], esi
		jbe	short loc_6590D8
		lea	edi, [ebp+var_38]

loc_65909E:				; CODE XREF: PpmEventPlatformVetoRundown()+68j
		imul	eax, 0C0h
		lea	edx, [ebp+var_34]
		add	ecx, 50h
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], 4
		mov	[ebp+var_28], esi
		add	eax, ecx
		mov	ecx, offset _PPM_ETW_PLATFORM_PRE_VETO_ACCOUNTING_RUNDOWN
		push	eax
		call	_PpmEventTracePreVetoAccounting@12 ; PpmEventTracePreVetoAccounting(x,x,x)
		mov	eax, [ebp+var_38]
		mov	ecx, ds:_PpmPlatformStates
		inc	eax
		mov	[ebp+var_38], eax
		cmp	eax, [ecx]
		jb	short loc_65909E

loc_6590D8:				; CODE XREF: PpmEventPlatformVetoRundown()+2Bj
		cmp	ds:_PpmEtwRegistered, 0
		jz	loc_6591D4
		push	offset _PPM_ETW_PLATFORM_IDLE_VETO_RUNDOWN
		push	ds:dword_6BFD04
		push	ds:_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_6591D4
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PpmIdleVetoLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, ds:_PpmPlatformStates
		mov	ecx, esi
		mov	[ebp+var_38], ecx
		cmp	[edx], esi
		jbe	loc_6591B1
		lea	eax, [ebp+var_38]

loc_65912E:				; CODE XREF: PpmEventPlatformVetoRundown()+13Cj
		mov	[ebp+var_34], eax
		lea	edi, [edx+54h]
		imul	eax, ecx, 0C0h
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], 4
		mov	[ebp+var_28], esi
		add	edi, eax
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_659198

loc_65914F:				; CODE XREF: PpmEventPlatformVetoRundown()+125j
		push	4
		pop	edx
		lea	eax, [esi+8]
		mov	[ebp+var_1C], edx
		mov	[ebp+var_24], eax
		xor	ecx, ecx
		lea	eax, [esi+0Ch]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	ecx
		push	offset _PPM_ETW_PLATFORM_IDLE_VETO_RUNDOWN
		push	ds:dword_6BFD04
		mov	[ebp+var_18], ecx
		push	ds:_PpmEtwHandle
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	esi, [esi]
		cmp	esi, edi
		jnz	short loc_65914F
		mov	ecx, [ebp+var_38]

loc_659198:				; CODE XREF: PpmEventPlatformVetoRundown()+DFj
		mov	edx, ds:_PpmPlatformStates
		lea	eax, [ebp+var_38]
		inc	ecx
		mov	[ebp+var_38], ecx
		push	0
		pop	esi
		cmp	ecx, [edx]
		jb	short loc_65912E
		mov	edi, offset _PpmIdleVetoLock

loc_6591B1:				; CODE XREF: PpmEventPlatformVetoRundown()+B7j
		test	ds:byte_70EFC6,	1
		jz	short loc_6591C6
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6591CB
; 

loc_6591C6:				; CODE XREF: PpmEventPlatformVetoRundown()+14Aj
		xor	eax, eax
		lock and [edi],	eax

loc_6591CB:				; CODE XREF: PpmEventPlatformVetoRundown()+156j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx

loc_6591D4:				; CODE XREF: PpmEventPlatformVetoRundown()+71j
					; PpmEventPlatformVetoRundown()+8Fj
		pop	edi
		pop	esi

loc_6591D6:				; CODE XREF: PpmEventPlatformVetoRundown()+1Aj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventPlatformVetoRundown@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventProcessorVetoRequest(x, x, x, x)
_PpmEventProcessorVetoRequest@16 proc near ; CODE XREF:	PpmUpdateProcessorIdleVeto(x)+BFp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_4], 0
		push	esi
		mov	[ebp+var_4C], edx
		mov	esi, offset _PPM_ETW_PROCESSOR_IDLE_VETO_DECREMENT
		mov	[ebp+var_48], ecx
		jz	short loc_65920B
		mov	esi, offset _PPM_ETW_PROCESSOR_IDLE_VETO_INCREMENT

loc_65920B:				; CODE XREF: PpmEventProcessorVetoRequest(x,x,x,x)+22j
		cmp	ds:_PpmEtwRegistered, 0
		jz	loc_65929B
		push	ebx
		mov	ebx, ds:_PpmEtwHandle
		push	edi
		mov	edi, ds:dword_6BFD04
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_659299
		mov	ecx, [ebp+var_48]
		xor	edx, edx
		push	4
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], 2
		movzx	eax, byte ptr [ecx+3C5h]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_44], eax
		lea	eax, [ecx+3C4h]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_4C]
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	edx
		push	esi
		push	edi
		push	ebx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], 1
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_659299:				; CODE XREF: PpmEventProcessorVetoRequest(x,x,x,x)+4Ej
		pop	edi
		pop	ebx

loc_65929B:				; CODE XREF: PpmEventProcessorVetoRequest(x,x,x,x)+30j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PpmEventProcessorVetoRequest@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventProcessorVetoRundown(x)
_PpmEventProcessorVetoRundown@4	proc near ; CODE XREF: PpmEventTraceControlCallback+82FABp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_55		= byte ptr -55h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_64]
		stosd
		mov	ebx, ecx
		mov	esi, [ebx+3D70h]
		stosw
		stosb
		test	esi, esi
		jz	loc_659460
		xor	ecx, ecx
		xor	edi, edi
		inc	ecx
		mov	[ebp+var_5C], ecx
		cmp	[esi+20h], ecx
		jbe	short loc_659336
		lea	edx, [ebp+var_64]

loc_6592E8:				; CODE XREF: PpmEventProcessorVetoRundown(x)+8Aj
		movzx	eax, byte ptr [ebx+3C5h]
		mov	word ptr [ebp+var_64], ax
		mov	al, [ebx+3C4h]
		mov	byte ptr [ebp+var_64+2], al
		imul	eax, ecx, 44h
		mov	[ebp+var_64+3],	ecx
		mov	ecx, offset _PPM_ETW_PROCESSOR_PRE_VETO_ACCOUNTING_RUNDOWN
		mov	[ebp+var_54], edx
		lea	edx, [ebp+var_54]
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], 7
		add	eax, 130h
		mov	[ebp+var_48], edi
		add	eax, esi
		push	eax
		call	_PpmEventTracePreVetoAccounting@12 ; PpmEventTracePreVetoAccounting(x,x,x)
		mov	ecx, [ebp+var_5C]
		lea	edx, [ebp+var_64]
		inc	ecx
		mov	[ebp+var_5C], ecx
		cmp	ecx, [esi+20h]
		jb	short loc_6592E8

loc_659336:				; CODE XREF: PpmEventProcessorVetoRundown(x)+39j
		cmp	ds:_PpmEtwRegistered, 0
		jz	loc_659460
		push	offset _PPM_ETW_PROCESSOR_IDLE_VETO_RUNDOWN
		push	ds:dword_6BFD04
		push	ds:_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_659460
		movzx	eax, byte ptr [ebx+3C5h]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_54], eax
		lea	eax, [ebx+3C4h]
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], 2
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], 1
		mov	[ebp+var_38], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	ecx, offset _PpmIdleVetoLock
		mov	[ebp+var_55], bl
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, edi
		mov	[ebp+var_5C], ecx
		cmp	[esi+20h], edi
		jbe	loc_65943B
		lea	eax, [ebp+var_5C]

loc_6593BA:				; CODE XREF: PpmEventProcessorVetoRundown(x)+18Cj
		mov	[ebp+var_34], eax
		lea	ebx, [esi+134h]
		imul	eax, ecx, 44h
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], 4
		mov	[ebp+var_28], edi
		add	ebx, eax
		mov	edi, [ebx]
		cmp	edi, ebx
		jz	short loc_659429

loc_6593DB:				; CODE XREF: PpmEventProcessorVetoRundown(x)+17Aj
		lea	eax, [edi+8]
		mov	[ebp+var_1C], 4
		mov	[ebp+var_24], eax
		xor	ecx, ecx
		lea	eax, [edi+0Ch]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	ecx
		push	offset _PPM_ETW_PROCESSOR_IDLE_VETO_RUNDOWN
		push	ds:dword_6BFD04
		mov	[ebp+var_18], ecx
		push	ds:_PpmEtwHandle
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	edi, [edi]
		cmp	edi, ebx
		jnz	short loc_6593DB
		mov	ecx, [ebp+var_5C]

loc_659429:				; CODE XREF: PpmEventProcessorVetoRundown(x)+12Fj
		inc	ecx
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_5C], ecx
		push	0
		pop	edi
		cmp	ecx, [esi+20h]
		jb	short loc_6593BA
		mov	bl, [ebp+var_55]

loc_65943B:				; CODE XREF: PpmEventProcessorVetoRundown(x)+107j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PpmIdleVetoLock
		jz	short loc_659453
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_659458
; 

loc_659453:				; CODE XREF: PpmEventProcessorVetoRundown(x)+19Dj
		xor	eax, eax
		lock and [ecx],	eax

loc_659458:				; CODE XREF: PpmEventProcessorVetoRundown(x)+1A7j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_659460:				; CODE XREF: PpmEventProcessorVetoRundown(x)+28j
					; PpmEventProcessorVetoRundown(x)+93j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventProcessorVetoRundown@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventThermalCapChange(x,	x)
_PpmEventThermalCapChange@8 proc near	; CODE XREF: PpmRegisterPerfCap(x)+CFp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+5Ch+var_4C], edx
		push	edi
		xor	ebx, ebx
		mov	[esp+60h+var_48], edx
		test	ds:dword_70EFD0, 8000h
		mov	eax, [esi-3AD8h]
		push	10h
		mov	[esp+64h+var_50], ebx
		mov	[esp+64h+var_44], ebx
		mov	[esp+64h+var_40], eax
		mov	[esp+64h+var_3C], ebx
		pop	edi
		jz	short loc_6594E8
		push	offset byte_401802
		push	1236h
		xor	edx, edx
		mov	[esp+68h+var_34], ebx
		lea	eax, [esp+68h+var_48]
		mov	[esp+68h+var_30], edi
		push	80008000h
		inc	edx
		mov	[esp+6Ch+var_38], eax
		lea	ecx, [esp+6Ch+var_38]
		mov	[esp+6Ch+var_2C], ebx
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_6594E8:				; CODE XREF: PpmEventThermalCapChange(x,x)+48j
		mov	eax, ds:_WmiThermalEventEnabled
		test	eax, eax
		jz	short loc_659504
		lea	eax, [esp+60h+var_48]
		mov	edx, offset _PPM_THERMALCONSTRAINT_GUID
		push	eax		; void *
		push	edi		; size_t
		lea	ecx, [esi-60h]
		call	_PpmFireWmiEvent@16 ; PpmFireWmiEvent(x,x,x,x)

loc_659504:				; CODE XREF: PpmEventThermalCapChange(x,x)+80j
		movzx	eax, byte ptr [esi-3ADBh]
		mov	word ptr [esp+60h+var_50], ax
		mov	al, [esi-3ADCh]
		mov	byte ptr [esp+60h+var_50+2], al
		lea	eax, [esp+60h+var_50]
		mov	[esp+60h+var_28], eax
		mov	[esp+60h+var_24], ebx
		mov	[esp+60h+var_20], 3
		mov	[esp+60h+var_1C], ebx
		cmp	ds:_PpmEtwRegistered, bl
		jz	short loc_659582
		mov	esi, ds:dword_6BFD04
		mov	edi, ds:_PpmEtwHandle
		push	offset _PPM_ETW_THERMAL_CAP_CHANGE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_659582
		lea	eax, [esp+60h+var_4C]
		mov	[esp+60h+var_14], ebx
		mov	[esp+60h+var_18], eax
		lea	eax, [esp+60h+var_28]
		push	eax
		push	2
		push	ebx
		push	offset _PPM_ETW_THERMAL_CAP_CHANGE
		push	esi
		push	edi
		mov	[esp+78h+var_10], 4
		mov	[esp+78h+var_C], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_659582:				; CODE XREF: PpmEventThermalCapChange(x,x)+C9j
					; PpmEventThermalCapChange(x,x)+E5j
		mov	ecx, [esp+60h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PpmEventThermalCapChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTraceHeteroDistributeUtility(x, x, x)
_PpmEventTraceHeteroDistributeUtility@12 proc near
					; CODE XREF: PpmHeteroDistributeUtility()+2CFp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PpmEtwRegistered, 0
		push	ebx
		mov	byte ptr [ebp+var_48], dl
		mov	ebx, ecx
		jz	short loc_65962F
		push	esi
		mov	esi, ds:dword_6BFD04
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	offset _PPM_ETW_HETERO_DISTRIBUTE_UTILITY
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_65962D
		lea	eax, [ebx+4]
		mov	[ebp+var_3C], 2
		mov	[ebp+var_44], eax
		xor	ecx, ecx
		lea	eax, [ebx+8]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_34], eax
		xor	ebx, ebx
		push	4
		pop	edx
		lea	eax, [ebp+var_48]
		mov	[ebp+var_38], ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	edx
		push	ebx
		push	offset _PPM_ETW_HETERO_DISTRIBUTE_UTILITY
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_20], ecx
		inc	ecx
		push	esi
		push	edi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65962D:				; CODE XREF: PpmEventTraceHeteroDistributeUtility(x,x,x)+3Dj
		pop	edi
		pop	esi

loc_65962F:				; CODE XREF: PpmEventTraceHeteroDistributeUtility(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PpmEventTraceHeteroDistributeUtility@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTraceHeteroResponse(x, x, x, x, x, x, x)
_PpmEventTraceHeteroResponse@28	proc near ; CODE XREF: PpmCheckComputeHeteroResponse()+38Dp

var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_B7		= byte ptr -0B7h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PpmEtwRegistered, 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_C4], edx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_C0], ebx
		jz	loc_6597FE
		push	offset _PPM_ETW_HETERO_RESPONSE
		push	ds:dword_6BFD04
		push	ds:_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_6597FE
		mov	cl, [ebx+6]
		mov	al, [ebx+6Ch]
		push	esi
		xor	esi, esi
		mov	[ebp-0B5h], cl
		mov	[ebp-0B6h], cl
		mov	[ebp+var_B7], al
		cmp	[ebp+arg_8], esi
		ja	short loc_6596B7
		cmp	[ebp+arg_4], 1
		jbe	short loc_6596EC

loc_6596B7:				; CODE XREF: PpmEventTraceHeteroResponse(x,x,x,x,x,x,x)+71j
		movzx	eax, cl
		test	cl, cl
		jz	short loc_6596EA
		mov	ebx, eax

loc_6596C0:				; CODE XREF: PpmEventTraceHeteroResponse(x,x,x,x,x,x,x)+9Ej
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	dword ptr [edi+esi*8+4]
		push	dword ptr [edi+esi*8]
		call	__aulldiv
		mov	[edi+esi*8], eax
		mov	[edi+esi*8+4], edx
		inc	esi
		cmp	esi, ebx
		jb	short loc_6596C0
		mov	ebx, [ebp+var_C0]
		mov	cl, [ebp-0B5h]

loc_6596EA:				; CODE XREF: PpmEventTraceHeteroResponse(x,x,x,x,x,x,x)+7Ej
		xor	esi, esi

loc_6596EC:				; CODE XREF: PpmEventTraceHeteroResponse(x,x,x,x,x,x,x)+77j
		lea	eax, [ebx+4]
		movzx	ecx, cl
		mov	[ebp+var_B4], eax
		lea	eax, [ebx+8]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp-0B6h]
		mov	[ebp+var_94], eax
		mov	eax, [ebp+var_C4]
		mov	[ebp+var_84], eax
		mov	eax, ecx
		shl	eax, 2
		mov	[ebp+var_7C], eax
		mov	eax, ecx
		shl	eax, 3
		xor	ecx, ecx
		mov	[ebp+var_6C], eax
		inc	ecx
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_B0], esi
		mov	[ebp+var_64], eax
		lea	eax, [ebx+6Bh]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_B7]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_34], eax
		lea	eax, [ebx+63h]
		push	4
		pop	edx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_B4]
		push	eax
		push	0Bh
		push	esi
		push	offset _PPM_ETW_HETERO_RESPONSE
		push	ds:dword_6BFD04
		mov	[ebp+var_AC], 2
		push	ds:_PpmEtwHandle
		mov	[ebp+var_A8], esi
		mov	[ebp+var_A0], esi
		mov	[ebp+var_9C], edx
		mov	[ebp+var_98], esi
		mov	[ebp+var_90], esi
		mov	[ebp+var_8C], 1
		mov	[ebp+var_88], esi
		mov	[ebp+var_80], esi
		mov	[ebp+var_78], esi
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], esi
		mov	[ebp+var_68], esi
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], 8
		mov	[ebp+var_58], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	esi

loc_6597FE:				; CODE XREF: PpmEventTraceHeteroResponse(x,x,x,x,x,x,x)+2Fj
					; PpmEventTraceHeteroResponse(x,x,x,x,x,x,x)+4Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_PpmEventTraceHeteroResponse@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTraceLPIState()
_PpmEventTraceLPIState@0 proc near	; CODE XREF: PpmEventTraceControlCallback+82E76p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PpmEtwRegistered, 0
		jz	short loc_65988E
		push	ebx
		push	esi
		mov	esi, ds:dword_6BFD04
		mov	ebx, offset _PPM_ETW_LPI_RUNDOWN
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_65988B
		mov	eax, ds:_PpmParkLpiCap
		xor	edx, edx
		mov	[ebp+var_28], eax
		mov	eax, ds:_PpmParkLpiEngaged
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_28]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65988B:				; CODE XREF: PpmEventTraceLPIState()+39j
		pop	edi
		pop	esi
		pop	ebx

loc_65988E:				; CODE XREF: PpmEventTraceLPIState()+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventTraceLPIState@0 endp


;  S U B	R O U T	I N E 


; __stdcall PpmEventTraceMakeupPerfCheck()
_PpmEventTraceMakeupPerfCheck@0	proc near
					; CODE XREF: PpmCheckMakeupSkippedChecks:loc_5B9965p
		cmp	ds:_PpmEtwRegistered, 0
		jz	short locret_6598D3
		push	ebx
		push	esi
		mov	esi, ds:dword_6BFD04
		mov	ebx, offset _PPM_ETW_PERF_CHECK_MAKEUP
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_6598D0
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	ebx
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_6598D0:				; CODE XREF: PpmEventTraceMakeupPerfCheck()+27j
		pop	edi
		pop	esi
		pop	ebx

locret_6598D3:				; CODE XREF: PpmEventTraceMakeupPerfCheck()+7j
		retn
_PpmEventTraceMakeupPerfCheck@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTracePreVetoAccounting(x, x, x)
_PpmEventTracePreVetoAccounting@12 proc	near ; CODE XREF: PpmEventPlatformVetoRundown()+54p
					; PpmEventProcessorVetoRundown(x)+78p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PpmEtwRegistered, 0
		mov	eax, ecx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_50], edx
		mov	[ebp+var_54], eax
		jz	loc_659A77
		push	eax
		push	ds:dword_6BFD04
		push	ds:_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_659A77
		test	edi, edi
		jz	loc_659A77
		push	esi
		mov	esi, [edi+10h]
		test	esi, esi
		jz	loc_659A76
		push	ebx
		imul	eax, esi, 14h
		push	654D5050h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_659A75
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PpmIdleVetoLock
		mov	[ebp+var_35], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [ebp+var_5C]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		xor	ecx, ecx
		mov	[ebp+var_48], eax
		mov	[ebp+var_4C], edx
		mov	[ebp+var_3C], ecx
		test	esi, esi
		jz	loc_6599FA
		xor	eax, eax
		mov	[ebp+var_40], eax

loc_65997E:				; CODE XREF: PpmEventTracePreVetoAccounting(x,x,x)+124j
		mov	edx, [edi+14h]
		add	edx, eax
		mov	eax, [edx+8]
		test	eax, eax
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_40]
		jz	short loc_6599EF
		imul	eax, ecx, 14h
		mov	ecx, [ebp+var_44]
		mov	[eax+ebx], ecx
		imul	ecx, [ebp+var_3C], 14h
		mov	eax, [edx+10h]
		mov	[ecx+ebx+4], eax
		mov	eax, [edx+14h]
		mov	[ecx+ebx+8], eax
		imul	ecx, [ebp+var_3C], 14h
		mov	eax, [edx+20h]
		mov	[ecx+ebx+0Ch], eax
		mov	eax, [edx+24h]
		mov	[ecx+ebx+10h], eax
		mov	eax, [edx+18h]
		mov	ecx, [edx+1Ch]
		mov	[ebp+var_44], eax
		or	eax, ecx
		mov	[ebp+var_58], ecx
		jz	short loc_6599E5
		imul	edx, [ebp+var_3C], 14h
		mov	ecx, [ebp+var_48]
		sub	ecx, [ebp+var_44]
		mov	eax, [ebp+var_4C]
		sbb	eax, [ebp+var_58]
		add	[edx+ebx+0Ch], ecx
		adc	[edx+ebx+10h], eax

loc_6599E5:				; CODE XREF: PpmEventTracePreVetoAccounting(x,x,x)+F7j
		mov	ecx, [ebp+var_3C]
		mov	eax, [ebp+var_40]
		inc	ecx
		mov	[ebp+var_3C], ecx

loc_6599EF:				; CODE XREF: PpmEventTracePreVetoAccounting(x,x,x)+BAj
		add	eax, 38h
		mov	[ebp+var_40], eax
		sub	esi, 1
		jnz	short loc_65997E

loc_6599FA:				; CODE XREF: PpmEventTracePreVetoAccounting(x,x,x)+9Fj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PpmIdleVetoLock
		jz	short loc_659A12
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_659A17
; 

loc_659A12:				; CODE XREF: PpmEventTracePreVetoAccounting(x,x,x)+132j
		xor	eax, eax
		lock and [ecx],	eax

loc_659A17:				; CODE XREF: PpmEventTracePreVetoAccounting(x,x,x)+13Cj
		mov	cl, [ebp+var_35]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_50]
		lea	edi, [ebp+var_34]
		lea	eax, [ebp+var_3C]
		xor	ecx, ecx
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+var_24], eax
		imul	eax, [ebp+var_3C], 14h
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], 4
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	ecx
		push	[ebp+var_54]
		mov	[ebp+var_10], ecx
		push	ds:dword_6BFD04
		mov	[ebp+var_8], ecx
		push	ds:_PpmEtwHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		push	654D5050h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_659A75:				; CODE XREF: PpmEventTracePreVetoAccounting(x,x,x)+71j
		pop	ebx

loc_659A76:				; CODE XREF: PpmEventTracePreVetoAccounting(x,x,x)+53j
		pop	esi

loc_659A77:				; CODE XREF: PpmEventTracePreVetoAccounting(x,x,x)+25j
					; PpmEventTracePreVetoAccounting(x,x,x)+3Fj ...
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PpmEventTracePreVetoAccounting@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTraceProcessorIdleAccounting(x, x, x)
_PpmEventTraceProcessorIdleAccounting@12 proc near
					; DATA XREF: PpmEventTraceControlCallback+82FBBo

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, eax
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_70], eax
		mov	[ebp+var_78], eax
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], eax
		cmp	ds:_PpmEtwRegistered, al
		jz	loc_659D12
		push	offset _PPM_ETW_IDLE_ACCOUNTING_RUNDOWN
		push	ds:dword_6BFD04
		push	ds:_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_659D12
		lea	eax, [ebx+3D70h]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	loc_659D12
		mov	eax, [eax+4]
		mov	[ebp+var_68], eax
		test	eax, eax
		jz	loc_659D12
		and	[ebp+var_74], esi
		cmp	byte ptr [ecx],	1
		push	edi
		mov	edi, [eax]
		jnz	loc_659C07
		imul	ebx, edi, 50h
		push	654D5050h
		push	ebx
		push	200h
		mov	[ebp+var_74], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_659D11
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		test	edi, edi
		jz	loc_659C07
		mov	edx, [ebp+var_68]
		lea	ecx, [esi+18h]
		add	edx, 98h
		mov	ebx, edi

loc_659B4C:				; CODE XREF: PpmEventTraceProcessorIdleAccounting(x,x,x)+17Bj
		mov	eax, [edx-8]
		mov	[ecx-18h], eax
		mov	eax, [edx-4]
		mov	[ecx-14h], eax
		mov	eax, [edx]
		lea	edx, [edx+3E8h]
		mov	[ecx-8], eax
		mov	eax, [edx-3E4h]
		mov	[ecx-4], eax
		mov	eax, [edx-410h]
		mov	[ecx], eax
		lea	ecx, [ecx+50h]
		mov	eax, [edx-40Ch]
		mov	[ecx-4Ch], eax
		mov	eax, [edx-408h]
		mov	[ecx-48h], eax
		mov	eax, [edx-404h]
		mov	[ecx-44h], eax
		mov	eax, [edx-420h]
		mov	[ecx-30h], eax
		mov	eax, [edx-41Ch]
		mov	[ecx-2Ch], eax
		mov	eax, [edx-428h]
		mov	[ecx-28h], eax
		mov	eax, [edx-424h]
		mov	[ecx-24h], eax
		mov	eax, [edx-430h]
		mov	[ecx-20h], eax
		mov	eax, [edx-42Ch]
		mov	[ecx-1Ch], eax
		mov	eax, [edx-3E0h]
		mov	[ecx-60h], eax
		mov	eax, [edx-3DCh]
		mov	[ecx-5Ch], eax
		mov	eax, [edx-3D0h]
		mov	[ecx-40h], eax
		mov	eax, [edx-3CCh]
		mov	[ecx-3Ch], eax
		mov	eax, [edx-3D8h]
		mov	[ecx-38h], eax
		mov	eax, [edx-3D4h]
		mov	[ecx-34h], eax
		sub	ebx, 1
		jnz	loc_659B4C

loc_659C07:				; CODE XREF: PpmEventTraceProcessorIdleAccounting(x,x,x)+7Ej
					; PpmEventTraceProcessorIdleAccounting(x,x,x)+B2j
		imul	ebx, edi, 1A0h
		push	654D5050h
		add	ebx, 18h
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_68], eax
		test	eax, eax
		jz	loc_659D02
		push	ebx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_6C]
		lea	eax, [ebp+var_80]
		mov	edx, [ebp+var_68]
		add	esp, 0Ch
		lea	ecx, [ecx+3D70h]
		push	eax
		call	_PpmTranslateIdleAccounting@12 ; PpmTranslateIdleAccounting(x,x,x)
		mov	ecx, [ebp+var_6C]
		xor	edx, edx
		mov	eax, [ebp+var_68]
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], edx
		movzx	eax, byte ptr [ecx+3C5h]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_54], eax
		lea	eax, [ecx+3C4h]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], 2
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], 1
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], 8
		mov	[ebp+var_28], edx
		push	5
		pop	ecx
		test	esi, esi
		jz	short loc_659CC1
		mov	eax, [ebp+var_74]
		push	6
		pop	ecx
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], edx
		jmp	short loc_659CC3
; 

loc_659CC1:				; CODE XREF: PpmEventTraceProcessorIdleAccounting(x,x,x)+225j
		mov	edi, edx

loc_659CC3:				; CODE XREF: PpmEventTraceProcessorIdleAccounting(x,x,x)+239j
		lea	eax, [ebp+var_78]
		mov	[ebp+var_78], edi
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	ecx
		push	edx
		push	offset _PPM_ETW_IDLE_ACCOUNTING_RUNDOWN
		push	ds:dword_6BFD04
		mov	[ebp+var_20], edx
		push	ds:_PpmEtwHandle
		mov	[ebp+var_1C], 4
		mov	[ebp+var_18], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		push	654D5050h
		push	[ebp+var_68]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_659D02:				; CODE XREF: PpmEventTraceProcessorIdleAccounting(x,x,x)+19Fj
		test	esi, esi
		jz	short loc_659D11
		push	654D5050h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_659D11:				; CODE XREF: PpmEventTraceProcessorIdleAccounting(x,x,x)+9Ej
					; PpmEventTraceProcessorIdleAccounting(x,x,x)+27Ej
		pop	edi

loc_659D12:				; CODE XREF: PpmEventTraceProcessorIdleAccounting(x,x,x)+33j
					; PpmEventTraceProcessorIdleAccounting(x,x,x)+51j ...
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PpmEventTraceProcessorIdleAccounting@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTraceSoftCoreParkingSelection(x, x,	x, x, x, x, x, x, x, x)
_PpmEventTraceSoftCoreParkingSelection@40 proc near
					; CODE XREF: PpmParkCalculateCoreParkingMask+12A39Cp

var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F4h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PpmEtwRegistered, 0
		push	ebx
		mov	[ebp+var_E8], edx
		mov	ebx, ecx
		jz	loc_659EFD
		push	esi
		mov	esi, ds:dword_6BFD04
		push	edi
		mov	edi, ds:_PpmEtwHandle
		push	offset _PPM_ETW_SOFT_PARKING_SELECTION
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_659EFB
		mov	eax, [ebp+var_E8]
		add	eax, 3
		and	[ebp+var_88], 0
		and	[ebp+var_80], 0
		and	[ebp+var_78], 0
		and	[ebp+var_70], 0
		lea	edx, [ebx+eax*4]
		and	[ebp+var_68], 0
		mov	ecx, [edx]
		mov	eax, [ebx+18h]
		and	eax, ecx
		and	[ebp+arg_14], ecx
		mov	[ebp+var_EC], eax
		mov	eax, [ebx+14h]
		and	eax, ecx
		and	[ebp+var_60], 0
		mov	[ebp+var_F0], eax
		mov	eax, [ebx+1Ch]
		and	eax, ecx
		and	[ebp+var_58], 0
		mov	[ebp+var_F4], eax
		xor	ecx, ecx
		lea	eax, [ebx+4]
		and	[ebp+var_50], 0
		mov	[ebp+var_E4], eax
		lea	eax, [ebp+var_EC]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_F4]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+arg_4]
		and	[ebp+var_48], 0
		and	[ebp+var_40], 0
		and	[ebp+var_38], 0
		mov	[ebp+var_94], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_84], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+arg_14]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_18]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_E8]
		add	eax, 62h
		mov	[ebp+var_E0], ecx
		add	eax, ebx
		mov	[ebp+var_D8], ecx
		mov	[ebp+var_D0], ecx
		push	4
		mov	[ebp+var_C8], ecx
		mov	[ebp+var_C0], ecx
		mov	[ebp+var_B8], ecx
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_98], ecx
		mov	[ebp+var_90], ecx
		inc	ecx
		mov	[ebp+var_D4], edx
		xor	ebx, ebx
		pop	edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_DC], 2
		mov	[ebp+var_CC], edx
		mov	[ebp+var_BC], edx
		mov	[ebp+var_AC], edx
		mov	[ebp+var_9C], edx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_6C], edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_1C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_E4]
		push	eax
		push	0Eh
		push	ebx
		push	offset _PPM_ETW_SOFT_PARKING_SELECTION
		push	esi
		push	edi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_659EFB:				; CODE XREF: PpmEventTraceSoftCoreParkingSelection(x,x,x,x,x,x,x,x,x,x)+47j
		pop	edi
		pop	esi

loc_659EFD:				; CODE XREF: PpmEventTraceSoftCoreParkingSelection(x,x,x,x,x,x,x,x,x,x)+25j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
_PpmEventTraceSoftCoreParkingSelection@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventVpQosChange(x)
_PpmEventVpQosChange@4 proc near	; CODE XREF: PpmHvSetVirtualProcessorQos(x)+34j

var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E0h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_E0], 64h
		cmp	ds:_PpmEtwRegistered, 0
		mov	esi, ecx
		mov	[ebp+var_D8], edi
		mov	ebx, offset _PPM_ETW_PROCESSOR_PERF_STATE_CHANGE
		jnz	short loc_659F60
		push	ebx
		push	ds:dword_6BFD04
		push	ds:_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_65A093

loc_659F60:				; CODE XREF: PpmEventVpQosChange(x)+38j
		movzx	eax, byte ptr [esi+3C5h]
		lea	ecx, [ebp+var_D8]
		mov	[ebp+var_DC], eax
		lea	eax, [esi+3C0h]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_B4], eax
		lea	eax, [esi+3C4h]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_E0]
		push	4
		pop	edx
		mov	[ebp+var_94], eax
		mov	[ebp+var_84], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_64], eax
		lea	eax, [esi+3F0Ch]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_D4]
		push	eax
		push	0Dh
		push	edi
		push	ebx
		push	ds:dword_6BFD04
		mov	[ebp+var_D4], ecx
		push	ds:_PpmEtwHandle
		mov	[ebp+var_D0], edi
		mov	[ebp+var_CC], edx
		mov	[ebp+var_C8], edi
		mov	[ebp+var_C0], edi
		mov	[ebp+var_BC], edx
		mov	[ebp+var_B8], edi
		mov	[ebp+var_B0], edi
		mov	[ebp+var_AC], 2
		mov	[ebp+var_A8], edi
		mov	[ebp+var_A0], edi
		mov	[ebp+var_9C], 1
		mov	[ebp+var_98], edi
		mov	[ebp+var_90], edi
		mov	[ebp+var_8C], edx
		mov	[ebp+var_88], edi
		mov	[ebp+var_80], edi
		mov	[ebp+var_7C], edx
		mov	[ebp+var_78], edi
		mov	[ebp+var_70], edi
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], edi
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], edi
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65A093:				; CODE XREF: PpmEventVpQosChange(x)+4Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventVpQosChange@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeAreIdenticalWakeSources(x, x, x)
_PopIdleWakeAreIdenticalWakeSources@12 proc near
					; CODE XREF: PopIdleWakeFindOrAllocateWakeSource(x,x,x,x)+55p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	eax, eax
		mov	[ebp+var_4], eax
		push	ebx
		mov	bl, al
		push	esi
		cmp	ecx, 5
		jnz	short loc_65A0D7
		mov	ecx, [ebp+arg_0]
		mov	bl, 1
		mov	esi, eax
		sub	edx, ecx

loc_65A0BF:				; CODE XREF: PopIdleWakeAreIdenticalWakeSources(x,x,x)+2Bj
		mov	eax, [edx+ecx]
		cmp	eax, [ecx]
		jnz	short loc_65A0D1
		inc	esi
		add	ecx, 4
		cmp	esi, 3
		jb	short loc_65A0BF
		jmp	short loc_65A11D
; 

loc_65A0D1:				; CODE XREF: PopIdleWakeAreIdenticalWakeSources(x,x,x)+22j
		xor	eax, eax
		mov	bl, al
		jmp	short loc_65A11D
; 

loc_65A0D7:				; CODE XREF: PopIdleWakeAreIdenticalWakeSources(x,x,x)+12j
		cmp	ecx, 6
		jnz	short loc_65A11D
		mov	ecx, [ebp+arg_0]
		mov	al, [edx]
		cmp	al, [ecx]
		jnz	short loc_65A11D
		add	edx, 2
		lea	esi, [ecx+2]
		cmp	al, 3
		jnz	short loc_65A115
		mov	ecx, edx
		push	edi
		lea	edi, [ecx+2]

loc_65A0F5:				; CODE XREF: PopIdleWakeAreIdenticalWakeSources(x,x,x)+5Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_4]
		jnz	short loc_65A0F5
		sub	ecx, edi
		sar	ecx, 1
		push	ecx		; size_t
		push	edx		; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		pop	edi
		jmp	short loc_65A119
; 

loc_65A115:				; CODE XREF: PopIdleWakeAreIdenticalWakeSources(x,x,x)+4Bj
		mov	al, [edx]
		cmp	al, [esi]

loc_65A119:				; CODE XREF: PopIdleWakeAreIdenticalWakeSources(x,x,x)+71j
		jnz	short loc_65A11D
		mov	bl, 1

loc_65A11D:				; CODE XREF: PopIdleWakeAreIdenticalWakeSources(x,x,x)+2Dj
					; PopIdleWakeAreIdenticalWakeSources(x,x,x)+33j ...
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
_PopIdleWakeAreIdenticalWakeSources@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeFinalizeWakeSource(x, x)
_PopIdleWakeFinalizeWakeSource@8 proc near
					; CODE XREF: PopIdleWakeNotifyWakeSource(x,x,x,x,x,x,x)+27p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		cmp	ecx, 6
		jnz	short loc_65A16C
		cmp	byte ptr [esi],	3
		jnz	short loc_65A16C
		lea	eax, [ebp+var_8]
		push	eax
		call	KeQuerySystemTime
		push	[ebp+var_4]
		push	[ebp+var_8]
		call	_PopDiagGetTimeBrokerExpirationReason@8	; PopDiagGetTimeBrokerExpirationReason(x,x)
		test	eax, eax
		jnz	short loc_65A15E
		mov	eax, offset ??_C@_1BA@LEPJIIOK@?$AAU?$AAn?$AAk?$AAn?$AAo?$AAw?$AAn@FNODOBFM@

loc_65A15E:				; CODE XREF: PopIdleWakeFinalizeWakeSource(x,x)+32j
		push	eax
		lea	ecx, [esi+2]
		mov	edx, 80h
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)

loc_65A16C:				; CODE XREF: PopIdleWakeFinalizeWakeSource(x,x)+15j
					; PopIdleWakeFinalizeWakeSource(x,x)+1Aj
		pop	esi
		leave
		retn
_PopIdleWakeFinalizeWakeSource@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeFindOrAllocateWakeSource(x, x, x, x)
_PopIdleWakeFindOrAllocateWakeSource@16	proc near
					; CODE XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+5Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		cmp	edi, 4
		ja	short loc_65A192
		imul	eax, edi, 218h
		lea	ebx, [ecx+110h]
		add	ebx, eax
		jmp	short loc_65A20B
; 

loc_65A192:				; CODE XREF: PopIdleWakeFindOrAllocateWakeSource(x,x,x,x)+11j
		push	esi
		push	5
		pop	edx
		mov	[ebp+var_4], edx
		lea	esi, [ecx+0C20h]

loc_65A19F:				; CODE XREF: PopIdleWakeFindOrAllocateWakeSource(x,x,x,x)+6Ej
		cmp	dword ptr [esi-4], 0
		lea	ebx, [esi-98h]
		jz	short loc_65A1EA
		cmp	edi, [ebx]
		jnz	short loc_65A1D0
		mov	eax, [esi]
		and	eax, 1
		cmp	[ebp+arg_4], al
		jnz	short loc_65A1D0
		push	[ebp+arg_0]
		lea	edx, [esi-94h]
		mov	ecx, edi
		call	_PopIdleWakeAreIdenticalWakeSources@12 ; PopIdleWakeAreIdenticalWakeSources(x,x,x)
		test	al, al
		jnz	short loc_65A20A
		mov	edx, [ebp+var_4]

loc_65A1D0:				; CODE XREF: PopIdleWakeFindOrAllocateWakeSource(x,x,x,x)+3Ej
					; PopIdleWakeFindOrAllocateWakeSource(x,x,x,x)+48j
		inc	edx
		add	esi, 218h
		mov	[ebp+var_4], edx
		cmp	edx, 19h
		jb	short loc_65A19F
		mov	ebx, [ebp+var_8]
		add	ebx, 970h
		jmp	short loc_65A20A
; 

loc_65A1EA:				; CODE XREF: PopIdleWakeFindOrAllocateWakeSource(x,x,x,x)+3Aj
		mov	esi, [ebp+arg_0]
		mov	[ebx], edi
		lea	edi, [ebx+4]
		push	21h
		pop	ecx
		rep movsd
		movzx	ecx, [ebp+arg_4]
		xor	ecx, [ebx+98h]
		and	ecx, 1
		xor	[ebx+98h], ecx

loc_65A20A:				; CODE XREF: PopIdleWakeFindOrAllocateWakeSource(x,x,x,x)+5Cj
					; PopIdleWakeFindOrAllocateWakeSource(x,x,x,x)+79j
		pop	esi

loc_65A20B:				; CODE XREF: PopIdleWakeFindOrAllocateWakeSource(x,x,x,x)+21j
		pop	edi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_PopIdleWakeFindOrAllocateWakeSource@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeInsertTimeInterval(x, x,	x, x, x, x)
_PopIdleWakeInsertTimeInterval@24 proc near
					; CODE XREF: PopIdleWakeNotifyIdleResiliencyState(x)+D0p
					; PopIdleWakeStopActiveIntervalAccounting(x,x,x)+F2p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	ebx
		mov	ebx, edx
		test	ecx, ecx
		jz	short loc_65A261
		mov	edx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	edi, [ebp+arg_4]

loc_65A22C:				; CODE XREF: PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)+37j
		cmp	edi, [esi+eax*8+4]
		jb	short loc_65A247
		ja	short loc_65A239
		cmp	edx, [esi+eax*8]
		jb	short loc_65A247

loc_65A239:				; CODE XREF: PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)+1Fj
		cmp	edi, [esi+eax*8+0Ch]
		jb	short loc_65A24E
		ja	short loc_65A247
		cmp	edx, [esi+eax*8+8]
		jb	short loc_65A24E

loc_65A247:				; CODE XREF: PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)+1Dj
					; PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)+24j ...
		inc	eax
		cmp	eax, ecx
		jb	short loc_65A22C
		jmp	short loc_65A25F
; 

loc_65A24E:				; CODE XREF: PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)+2Aj
					; PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)+32j
		inc	dword ptr [ebx+eax*4]
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_65A25F
		add	[ecx+eax*8], edx
		adc	[ecx+eax*8+4], edi

loc_65A25F:				; CODE XREF: PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)+39j
					; PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)+43j
		pop	edi
		pop	esi

loc_65A261:				; CODE XREF: PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)+Cj
		pop	ebx
		pop	ebp
		retn	10h
_PopIdleWakeInsertTimeInterval@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeNotifyDevicesActive(x)
_PopIdleWakeNotifyDevicesActive@4 proc near
					; CODE XREF: PopFxPlatformStateAvailable(x,x)+27p
					; PopFxPlatformStateAvailable(x,x)+46p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	bl, cl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PopIdleWakeContextLock
		mov	bh, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, ds:_PopIdleWakeContext
		test	esi, esi
		jz	short loc_65A2EE
		mov	edx, [esi]
		test	dl, 10h
		jz	short loc_65A2EE
		mov	eax, edx
		movzx	ecx, bl
		and	eax, 1
		cmp	eax, ecx
		jz	short loc_65A2EE
		xor	ecx, edx
		and	ecx, 1
		xor	ecx, edx
		mov	[esi], ecx
		test	cl, 2
		jnz	short loc_65A2EE
		lea	ecx, [ebp+var_8]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	edx, [ebp+var_8]
		mov	eax, edx
		sub	eax, [esi+8]
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		sbb	ecx, [esi+0Ch]
		test	bl, bl
		jnz	short loc_65A2DD
		add	[esi+18h], eax
		adc	[esi+1Ch], ecx
		jmp	short loc_65A2E3
; 

loc_65A2DD:				; CODE XREF: PopIdleWakeNotifyDevicesActive(x)+6Dj
		add	[esi+20h], eax
		adc	[esi+24h], ecx

loc_65A2E3:				; CODE XREF: PopIdleWakeNotifyDevicesActive(x)+75j
		mov	[esi+0Ch], edi
		mov	edi, offset _PopIdleWakeContextLock
		mov	[esi+8], edx

loc_65A2EE:				; CODE XREF: PopIdleWakeNotifyDevicesActive(x)+30j
					; PopIdleWakeNotifyDevicesActive(x)+37j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_65A303
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65A308
; 

loc_65A303:				; CODE XREF: PopIdleWakeNotifyDevicesActive(x)+8Fj
		xor	eax, eax
		lock and [edi],	eax

loc_65A308:				; CODE XREF: PopIdleWakeNotifyDevicesActive(x)+9Bj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopIdleWakeNotifyDevicesActive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeNotifyIdleResiliencyState(x)
_PopIdleWakeNotifyIdleResiliencyState@4	proc near
					; CODE XREF: PopPdcIdleResiliencyCallback(x,x)+E5p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_14], 0
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		mov	bl, cl
		push	edi
		mov	[ebp+var_1], bl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bh, al
		mov	edi, offset _PopIdleWakeContextLock
		mov	ecx, edi
		mov	[ebp+var_2], bh
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, ds:_PopIdleWakeContext
		test	esi, esi
		jz	loc_65A423
		mov	ecx, [esi]
		test	cl, 10h
		jz	loc_65A423
		xor	edx, edx
		mov	eax, ecx
		test	bl, bl
		setz	dl
		shr	eax, 1
		and	eax, 1
		cmp	eax, edx
		jz	loc_65A423
		and	ecx, 0FFFFFFFDh
		lea	eax, [edx+edx]
		or	ecx, eax
		mov	[esi], ecx
		lea	ecx, [ebp+var_14]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	ecx, [ebp+var_14]
		mov	edi, ecx
		sub	edi, [esi+8]
		mov	edx, [ebp+var_10]
		mov	ebx, edx
		sbb	ebx, [esi+0Ch]
		mov	eax, [esi]
		test	al, 8
		jnz	short loc_65A3F5
		sub	ecx, [esi+0B0h]
		mov	[ebp+var_C], ecx
		sbb	edx, [esi+0B4h]
		mov	[ebp+var_8], edx
		cmp	edx, ds:dword_6BFC2C
		jb	short loc_65A3C4
		ja	short loc_65A3BF
		cmp	ecx, ds:_PopIdleWakeSourceSpuriousThresholdQpc
		jbe	short loc_65A3C4

loc_65A3BF:				; CODE XREF: PopIdleWakeNotifyIdleResiliencyState(x)+A0j
		or	eax, 4
		mov	[esi], eax

loc_65A3C4:				; CODE XREF: PopIdleWakeNotifyIdleResiliencyState(x)+9Ej
					; PopIdleWakeNotifyIdleResiliencyState(x)+A8j
		mov	ecx, ds:_PopIdleWakeContext
		push	offset _PopIdleSpuriousWakeBucketLimitsQpc
		lea	eax, [ecx+0E0h]
		push	eax
		push	[ebp+var_8]
		lea	edx, [ecx+0C8h]
		push	[ebp+var_C]
		push	6
		pop	ecx
		call	_PopIdleWakeInsertTimeInterval@24 ; PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)
		or	dword ptr [esi], 8
		mov	eax, [esi]
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_10]

loc_65A3F5:				; CODE XREF: PopIdleWakeNotifyIdleResiliencyState(x)+84j
		cmp	[ebp+var_1], 0
		jz	short loc_65A403
		add	[esi+10h], edi
		adc	[esi+14h], ebx
		jmp	short loc_65A415
; 

loc_65A403:				; CODE XREF: PopIdleWakeNotifyIdleResiliencyState(x)+E4j
		test	al, 1
		jnz	short loc_65A40F
		add	[esi+20h], edi
		adc	[esi+24h], ebx
		jmp	short loc_65A415
; 

loc_65A40F:				; CODE XREF: PopIdleWakeNotifyIdleResiliencyState(x)+F0j
		add	[esi+18h], edi
		adc	[esi+1Ch], ebx

loc_65A415:				; CODE XREF: PopIdleWakeNotifyIdleResiliencyState(x)+ECj
					; PopIdleWakeNotifyIdleResiliencyState(x)+F8j
		mov	bh, [ebp+var_2]
		mov	edi, offset _PopIdleWakeContextLock
		mov	[esi+8], ecx
		mov	[esi+0Ch], edx

loc_65A423:				; CODE XREF: PopIdleWakeNotifyIdleResiliencyState(x)+37j
					; PopIdleWakeNotifyIdleResiliencyState(x)+42j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_65A438
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65A43D
; 

loc_65A438:				; CODE XREF: PopIdleWakeNotifyIdleResiliencyState(x)+115j
		xor	eax, eax
		lock and [edi],	eax

loc_65A43D:				; CODE XREF: PopIdleWakeNotifyIdleResiliencyState(x)+121j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopIdleWakeNotifyIdleResiliencyState@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeNotifyModernStandbyEnter()
_PopIdleWakeNotifyModernStandbyEnter@0 proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+4C6p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		push	67696450h
		mov	edi, 3568h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_4], esi
		test	esi, esi
		jz	loc_65A510
		push	ebx
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		lea	edi, [esi+19Ch]
		add	esp, 0Ch
		xor	esi, esi
		xor	ebx, ebx
		inc	esi

loc_65A48C:				; CODE XREF: PopIdleWakeNotifyModernStandbyEnter()+84j
		push	218h		; size_t
		lea	eax, [edi-8Ch]
		push	0		; int
		push	eax		; void *
		call	_memset
		or	dword ptr [edi+14h], 0FFFFFFFFh
		add	esp, 0Ch
		or	dword ptr [edi+18h], 0FFFFFFFFh
		mov	[edi-4], si
		mov	[edi-2], si
		cmp	ebx, 4
		ja	short loc_65A4BB
		mov	eax, ebx
		jmp	short loc_65A4BE
; 

loc_65A4BB:				; CODE XREF: PopIdleWakeNotifyModernStandbyEnter()+6Bj
		push	7
		pop	eax

loc_65A4BE:				; CODE XREF: PopIdleWakeNotifyModernStandbyEnter()+6Fj
		mov	[edi-8Ch], eax
		inc	ebx
		add	edi, 218h
		cmp	ebx, 19h
		jb	short loc_65A48C
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _PopIdleWakeContextLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		mov	esi, [ebp+var_4]
		mov	ds:_PopIdleWakeContext,	esi
		jz	short loc_65A502
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65A507
; 

loc_65A502:				; CODE XREF: PopIdleWakeNotifyModernStandbyEnter()+AAj
		xor	eax, eax
		lock and [edi],	eax

loc_65A507:				; CODE XREF: PopIdleWakeNotifyModernStandbyEnter()+B6j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx

loc_65A510:				; CODE XREF: PopIdleWakeNotifyModernStandbyEnter()+24j
		pop	edi
		pop	esi
		leave
		retn
_PopIdleWakeNotifyModernStandbyEnter@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeNotifyModernStandbyExit(x, x)
_PopIdleWakeNotifyModernStandbyExit@8 proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+4E6p

var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_F0		= byte ptr -0F0h
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_DC		= dword	ptr -0DCh
var_B8		= dword	ptr -0B8h
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2A4h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ds:dword_6C1D84
		push	ebx
		push	esi
		push	edi
		mov	edi, ds:_PopWnfCsEnterScenarioId
		mov	[ebp+var_278], eax
		xor	eax, eax
		push	1B8h		; size_t
		push	eax		; int
		mov	[ebp+var_280], eax
		mov	[ebp+var_27C], eax
		lea	eax, [ebp+var_270]
		push	eax		; void *
		mov	[ebp+var_288], edi
		call	_memset
		add	esp, 0Ch
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopIdleWakeContextLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, ds:_PopIdleWakeContext
		mov	ecx, offset _PopIdleWakeContextLock
		and	ds:_PopIdleWakeContext,	0
		test	ds:byte_70EFC6,	1
		mov	[ebp+var_28C], esi
		jz	short loc_65A5A3
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65A5A8
; 

loc_65A5A3:				; CODE XREF: PopIdleWakeNotifyModernStandbyExit(x,x)+83j
		xor	eax, eax
		lock and [ecx],	eax

loc_65A5A8:				; CODE XREF: PopIdleWakeNotifyModernStandbyExit(x,x)+8Dj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	loc_65A7A9
		lea	ecx, [ebp+var_280]
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		push	[ebp+var_27C]
		mov	ecx, esi
		push	[ebp+var_280]
		call	_PopIdleWakeStopActiveIntervalAccounting@12 ; PopIdleWakeStopActiveIntervalAccounting(x,x,x)
		xor	ebx, ebx
		lea	eax, [ebp+var_B8]
		push	ebx
		push	3E8h
		push	eax
		push	6
		lea	edx, [esi+0E0h]
		pop	ecx
		call	_PopIdleWakeConvertIntervalBucketsTo@20	; PopIdleWakeConvertIntervalBucketsTo(x,x,x,x,x)
		cmp	ds:dword_6B23F8, 5
		jbe	loc_65A6DC
		push	4000h
		push	ebx
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_65A6DC
		mov	eax, [ebp+var_278]
		mov	[ebp+var_294], eax
		lea	eax, [ebp+var_298]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_274]
		push	8
		pop	edx
		mov	[ebp+var_58], eax
		lea	eax, [esi+0C8h]
		push	6
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_284]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_298], edi
		pop	edi
		push	2
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_2A0]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_88]
		push	eax
		push	edx
		push	ebx
		push	ebx
		push	(offset	loc_4201A9+4)
		push	offset dword_6B23F8
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_274], edi
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], 18h
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_284], edi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], 30h
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_2A0], 1000000h
		mov	[ebp+var_29C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_65A6DC:				; CODE XREF: PopIdleWakeNotifyModernStandbyExit(x,x)+E6j
					; PopIdleWakeNotifyModernStandbyExit(x,x)+FEj
		push	19h
		pop	edi
		lea	ebx, [esi+110h]
		mov	[ebp+var_274], edi
		mov	esi, [ebp+var_288]

loc_65A6F1:				; CODE XREF: PopIdleWakeNotifyModernStandbyExit(x,x)+27Ej
		cmp	dword ptr [ebx+94h], 0
		jz	loc_65A783
		push	1B8h		; size_t
		lea	eax, [ebp+var_270]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edx, [ebp+var_270]
		mov	ecx, ebx
		call	_PopIdleWakeSourceAccountingToDiagnostic@8 ; PopIdleWakeSourceAccountingToDiagnostic(x,x)
		test	eax, eax
		js	short loc_65A737
		push	[ebp+var_278]
		lea	ecx, [ebp+var_270]
		push	esi
		call	_PopIdleWakeTraceWakeSourceDiagnostic@12 ; PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)

loc_65A737:				; CODE XREF: PopIdleWakeNotifyModernStandbyExit(x,x)+20Fj
		cmp	[ebp+var_F0], 0
		jz	short loc_65A750
		push	67696450h
		push	[ebp+var_E8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_65A750:				; CODE XREF: PopIdleWakeNotifyModernStandbyExit(x,x)+22Aj
		cmp	[ebp+var_270], 5
		jnz	short loc_65A783
		xor	edi, edi
		cmp	[ebp+var_E4], edi
		jbe	short loc_65A77D

loc_65A763:				; CODE XREF: PopIdleWakeNotifyModernStandbyExit(x,x)+267j
		push	67696450h
		push	[ebp+edi*8+var_DC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		inc	edi
		cmp	edi, [ebp+var_E4]
		jb	short loc_65A763

loc_65A77D:				; CODE XREF: PopIdleWakeNotifyModernStandbyExit(x,x)+24Dj
		mov	edi, [ebp+var_274]

loc_65A783:				; CODE XREF: PopIdleWakeNotifyModernStandbyExit(x,x)+1E4j
					; PopIdleWakeNotifyModernStandbyExit(x,x)+243j
		add	ebx, 218h
		sub	edi, 1
		mov	[ebp+var_274], edi
		jnz	loc_65A6F1
		mov	esi, [ebp+var_28C]
		push	67696450h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_65A7A9:				; CODE XREF: PopIdleWakeNotifyModernStandbyExit(x,x)+9Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopIdleWakeNotifyModernStandbyExit@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeNotifyWakeSource(x, x, x, x, x, x, x)
_PopIdleWakeNotifyWakeSource@28	proc near ; CODE XREF: PpmExitCoordinatedIdle+12BE72p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ds:_PopIdleWakeContext
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jz	short loc_65A83D
		cmp	ecx, ds:_PpmDripsStateIndex
		jnz	short loc_65A83D
		test	edi, edi
		js	short loc_65A83D
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, edi
		mov	edx, esi
		call	_PopIdleWakeFinalizeWakeSource@8 ; PopIdleWakeFinalizeWakeSource(x,x)
		push	[ebp+arg_8]
		mov	ecx, ebx
		push	[ebp+arg_4]
		call	_PopIdleWakeStopActiveIntervalAccounting@12 ; PopIdleWakeStopActiveIntervalAccounting(x,x,x)
		mov	edx, [ebp+arg_10]
		mov	eax, edx
		push	21h
		mov	[ebx+28h], edi
		lea	edi, [ebx+2Ch]
		pop	ecx
		rep movsd
		mov	esi, [ebp+arg_C]
		mov	ecx, esi
		sub	ecx, [ebp+arg_4]
		push	0
		sbb	eax, [ebp+arg_8]
		mov	[ebx+0B0h], esi
		mov	[ebx+0B4h], edx
		mov	[ebx+0B8h], ecx
		mov	[ebx+0BCh], eax
		mov	[ebx+8], esi
		mov	[ebx+0Ch], edx
		call	_KeGetCurrentProcessorNumberEx@4 ; KeGetCurrentProcessorNumberEx(x)
		or	dword ptr [ebx], 10h
		mov	[ebx+0C0h], eax
		pop	esi

loc_65A83D:				; CODE XREF: PopIdleWakeNotifyWakeSource(x,x,x,x,x,x,x)+11j
					; PopIdleWakeNotifyWakeSource(x,x,x,x,x,x,x)+19j ...
		pop	edi
		pop	ebx
		pop	ebp
		retn	14h
_PopIdleWakeNotifyWakeSource@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeStopActiveIntervalAccounting(x, x, x)
_PopIdleWakeStopActiveIntervalAccounting@12 proc near
					; CODE XREF: PopIdleWakeNotifyModernStandbyExit(x,x)+BDp
					; PopIdleWakeNotifyWakeSource(x,x,x,x,x,x,x)+34p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, ecx
		mov	eax, [edi]
		test	al, 10h
		jz	loc_65AA6E
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		sub	ecx, [edi+8]
		sbb	edx, [edi+0Ch]
		test	al, 2
		jz	short loc_65A871
		add	[edi+10h], ecx
		adc	[edi+14h], edx
		jmp	short loc_65A883
; 

loc_65A871:				; CODE XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+24j
		test	al, 1
		jz	short loc_65A87D
		add	[edi+18h], ecx
		adc	[edi+1Ch], edx
		jmp	short loc_65A883
; 

loc_65A87D:				; CODE XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+30j
		add	[edi+20h], ecx
		adc	[edi+24h], edx

loc_65A883:				; CODE XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+2Cj
					; PopIdleWakeStopActiveIntervalAccounting(x,x,x)+38j
		test	al, 8
		jnz	short loc_65A88C
		or	eax, 4
		mov	[edi], eax

loc_65A88C:				; CODE XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+42j
		mov	edx, [edi+28h]
		mov	ecx, edi
		shr	eax, 2
		and	al, 1
		movzx	eax, al
		push	eax
		lea	eax, [edi+2Ch]
		push	eax
		call	_PopIdleWakeFindOrAllocateWakeSource@16	; PopIdleWakeFindOrAllocateWakeSource(x,x,x,x)
		mov	ebx, eax
		inc	dword ptr [ebx+94h]
		mov	ecx, [edi+0B8h]
		add	[ebx+0B0h], ecx
		mov	ecx, [edi+0BCh]
		adc	[ebx+0B4h], ecx
		mov	ecx, [edi+0BCh]
		mov	eax, [edi+0B8h]
		cmp	ecx, [ebx+0A4h]
		ja	short loc_65A8F9
		jb	short loc_65A8E1
		cmp	eax, [ebx+0A0h]
		jnb	short loc_65A8F9

loc_65A8E1:				; CODE XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+94j
		mov	[ebx+0A0h], eax
		mov	[ebx+0A4h], ecx
		mov	eax, [edi+0B8h]
		mov	ecx, [edi+0BCh]

loc_65A8F9:				; CODE XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+92j
					; PopIdleWakeStopActiveIntervalAccounting(x,x,x)+9Cj
		cmp	ecx, [ebx+0ACh]
		jb	short loc_65A923
		ja	short loc_65A90B
		cmp	eax, [ebx+0A8h]
		jbe	short loc_65A923

loc_65A90B:				; CODE XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+BEj
		mov	[ebx+0A8h], eax
		mov	[ebx+0ACh], ecx
		mov	eax, [edi+0B8h]
		mov	ecx, [edi+0BCh]

loc_65A923:				; CODE XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+BCj
					; PopIdleWakeStopActiveIntervalAccounting(x,x,x)+C6j
		push	offset _PopIdleWakeIdleAccountingBucketLimitsQpc
		push	0
		push	ecx
		push	eax
		push	9
		lea	edx, [ebx+0B8h]
		pop	ecx
		call	_PopIdleWakeInsertTimeInterval@24 ; PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)
		cmp	dword ptr [ebx+94h], 1
		jbe	short loc_65A96B
		mov	eax, [ebp+arg_4]
		lea	edx, [ebx+0DCh]
		push	offset _PopIdleWakePeriodAccountingBucketLimitsQpc
		mov	ecx, esi
		sub	ecx, [ebx+108h]
		push	0
		sbb	eax, [ebx+10Ch]
		push	eax
		push	ecx
		push	0Bh
		pop	ecx
		call	_PopIdleWakeInsertTimeInterval@24 ; PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)

loc_65A96B:				; CODE XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+FEj
		mov	eax, [ebp+arg_4]
		lea	edx, [ebx+118h]
		mov	[ebx+10Ch], eax
		mov	[ebx+108h], esi
		mov	ecx, [ebx+90h]
		mov	eax, [edi+0C0h]
		bts	ecx, eax
		mov	[ebx+90h], ecx
		lea	eax, [ebx+130h]
		mov	esi, [edi+10h]
		add	esi, [edi+20h]
		mov	ecx, [edi+14h]
		adc	ecx, [edi+24h]
		add	esi, [edi+18h]
		push	offset _PopIdleWakeSourceActiveBucketLimitsQpc
		adc	ecx, [edi+1Ch]
		add	[ebx+110h], esi
		push	eax
		adc	[ebx+114h], ecx
		push	ecx
		push	esi
		push	5
		pop	ecx
		call	_PopIdleWakeInsertTimeInterval@24 ; PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)
		mov	eax, [edi+10h]
		lea	edx, [ebx+160h]
		add	[ebx+158h], eax
		mov	eax, [edi+14h]
		adc	[ebx+15Ch], eax
		lea	eax, [ebx+178h]
		push	offset _PopIdleWakeSourceActivatorBucketLimitsQpc
		push	eax
		push	dword ptr [edi+14h]
		push	dword ptr [edi+10h]
		push	5
		pop	ecx
		call	_PopIdleWakeInsertTimeInterval@24 ; PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)
		mov	eax, [edi+18h]
		lea	edx, [ebx+1A8h]
		add	[ebx+1A0h], eax
		mov	esi, offset _PopIdleWakeSourceDeviceBucketLimitsQpc
		mov	eax, [edi+1Ch]
		adc	[ebx+1A4h], eax
		lea	eax, [ebx+1C0h]
		push	esi
		push	eax
		push	dword ptr [edi+1Ch]
		push	dword ptr [edi+18h]
		push	5
		pop	ecx
		call	_PopIdleWakeInsertTimeInterval@24 ; PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)
		mov	eax, [edi+20h]
		lea	edx, [ebx+1F0h]
		add	[ebx+1E8h], eax
		mov	eax, [edi+24h]
		adc	[ebx+1ECh], eax
		lea	eax, [ebx+200h]
		push	esi
		push	eax
		push	dword ptr [edi+24h]
		push	dword ptr [edi+20h]
		push	5
		pop	ecx
		call	_PopIdleWakeInsertTimeInterval@24 ; PopIdleWakeInsertTimeInterval(x,x,x,x,x,x)
		push	0C8h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		pop	esi
		pop	ebx

loc_65AA6E:				; CODE XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+Cj
		pop	edi
		pop	ebp
		retn	8
_PopIdleWakeStopActiveIntervalAccounting@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoSessionBuiltinPanelState(x, x)
_PoSessionBuiltinPanelState@8 proc near	; CODE XREF: TtmpCallSetBuiltinPanelState(x,x,x)+3Cp
					; DATA XREF: TtmpCallSetBuiltinPanelState(x,x,x)+23o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		mov	[esp+28h+var_14+1], ax
		xor	ebx, ebx
		lea	eax, [esp+28h+var_20]
		mov	[esp+28h+var_20], ebx
		push	eax
		push	1
		mov	[esp+30h+var_11], bl
		call	_PopBlockSessionSwitch@8 ; PopBlockSessionSwitch(x,x)
		mov	eax, [ebp+arg_0]
		lea	edx, [esp+28h+var_18]
		mov	[esp+28h+var_1C], eax
		xor	eax, eax
		mov	[esp+28h+var_14+1], ax
		lea	eax, [esp+28h+var_1C]
		mov	[esp+28h+var_C], eax
		lea	eax, [ebp+arg_4]
		push	eax
		push	1
		push	5
		pop	ecx
		mov	[esp+30h+var_11], bl
		mov	[esp+30h+var_18], 7
		mov	byte ptr [esp+30h+var_14], bl
		mov	[esp+30h+var_10], 4
		mov	[esp+30h+var_8], ebx
		mov	[esp+30h+var_4], ebx
		call	PopInvokeWin32Callout
		lea	eax, [esp+28h+var_20]
		push	eax
		push	ebx
		call	_PopBlockSessionSwitch@8 ; PopBlockSessionSwitch(x,x)
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_PoSessionBuiltinPanelState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoSessionEngagementUpdate(x, x)
_PoSessionEngagementUpdate@8 proc near	; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+DBp

var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_1B		= word ptr -1Bh
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_8], 0
		xor	eax, eax
		push	ebx
		push	esi
		mov	[ebp+var_1B], ax
		xor	esi, esi
		mov	[ebp+var_19], al
		inc	esi
		lea	eax, [ebp+var_8]
		mov	bl, cl
		push	eax
		push	esi
		call	_PopBlockSessionSwitch@8 ; PopBlockSessionSwitch(x,x)
		xor	eax, eax
		mov	byte ptr [ebp+var_1], bl
		mov	[ebp+var_1B], ax
		lea	edx, [ebp+var_20]
		lea	eax, [ebp+var_1]
		mov	[ebp+var_20], 8
		mov	[ebp+var_14], eax
		xor	ebx, ebx
		lea	eax, [ebp+var_8]
		mov	[ebp+var_19], bl
		push	eax
		push	esi
		push	5
		pop	ecx
		mov	[ebp+var_1C], bl
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		call	PopInvokeWin32Callout
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		call	_PopBlockSessionSwitch@8 ; PopBlockSessionSwitch(x,x)
		pop	esi
		pop	ebx
		leave
		retn
_PoSessionEngagementUpdate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleAoAcDozeS4TimerCallback(x, x)
_PopIdleAoAcDozeS4TimerCallback@8 proc near ; DATA XREF: PopIdleInitAoAcDozeS4Timer()+18o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _PopIdleAoAcDozeS4Lock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		mov	ds:byte_6C22E4,	0
		jz	short loc_65AB98
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65AB9D
; 

loc_65AB98:				; CODE XREF: PopIdleAoAcDozeS4TimerCallback(x,x)+29j
		xor	eax, eax
		lock and [esi],	eax

loc_65AB9D:				; CODE XREF: PopIdleAoAcDozeS4TimerCallback(x,x)+35j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	esi, esi
		mov	edx, offset unk_6C22EC
		inc	esi
		mov	eax, [edx]

loc_65ABAF:				; CODE XREF: PopIdleAoAcDozeS4TimerCallback(x,x)+56j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_65ABAF
		test	eax, eax
		jnz	short loc_65ABD0
		push	4
		pop	ecx
		call	PopDeepSleepSetDisengageReason
		push	esi
		push	offset _PopIdleAoAcDozeS4WorkItem
		call	ExQueueWorkItem

loc_65ABD0:				; CODE XREF: PopIdleAoAcDozeS4TimerCallback(x,x)+5Aj
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_PopIdleAoAcDozeS4TimerCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleArmAoAcDozeS4Timer()
_PopIdleArmAoAcDozeS4Timer@0 proc near	; CODE XREF: PopUpdateSystemIdleContext(x)+E7p
					; PopIdleCsStateChanged(x):loc_9B9FCDp	...

var_5E		= byte ptr -5Eh
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [esp+70h+var_50]
		push	4Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	[esp+7Ch+var_58], ebx
		mov	[esp+7Ch+var_54], ebx
		mov	[esp+7Ch+var_5C], ebx
		call	_memset
		add	esp, 0Ch
		lea	edx, [esp+70h+var_50]
		mov	ecx, offset _PopCapabilities
		call	PopFilterCapabilities
		lea	ecx, [esp+70h+var_50]
		call	PopIsDozeSupported
		test	al, al
		jz	loc_65ACB9
		lea	edx, [esp+70h+var_5C]
		lea	ecx, [esp+70h+var_58]
		call	_PopIdleChooseDozeS4Time@8 ; PopIdleChooseDozeS4Time(x,x)
		test	al, al
		jz	loc_65ACB9
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopIdleAoAcDozeS4Lock
		mov	[esp+70h+var_5D], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, [esp+70h+var_54]
		mov	edi, [esp+70h+var_58]
		cmp	ds:byte_6C22E4,	bl
		jnz	short loc_65AC7B
		push	ebx
		push	ebx
		push	ebx
		push	esi
		push	edi
		push	offset _PopIdleAoAcDozeS4Timer
		call	KeSetTimer2
		mov	eax, [esp+70h+var_5C]
		mov	bl, 1
		mov	ds:byte_6C22E4,	1
		mov	ds:dword_6C22E8, eax

loc_65AC7B:				; CODE XREF: PopIdleArmAoAcDozeS4Timer()+82j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopIdleAoAcDozeS4Lock
		jz	short loc_65AC9B
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	esi, [esp+70h+var_54]
		mov	edi, [esp+70h+var_58]
		jmp	short loc_65ACA0
; 

loc_65AC9B:				; CODE XREF: PopIdleArmAoAcDozeS4Timer()+B1j
		xor	eax, eax
		lock and [ecx],	eax

loc_65ACA0:				; CODE XREF: PopIdleArmAoAcDozeS4Timer()+C3j
		mov	cl, [esp+70h+var_5D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jz	short loc_65ACB9
		mov	ecx, [esp+70h+var_5C]
		push	esi
		push	edi
		call	_PopTraceSystemIdleS0LowPowerDozeTimerArmed@12 ; PopTraceSystemIdleS0LowPowerDozeTimerArmed(x,x,x)

loc_65ACB9:				; CODE XREF: PopIdleArmAoAcDozeS4Timer()+45j
					; PopIdleArmAoAcDozeS4Timer()+5Aj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopIdleArmAoAcDozeS4Timer@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleChooseDozeS4Time(x, x)
_PopIdleChooseDozeS4Time@8 proc	near	; CODE XREF: PopIdleArmAoAcDozeS4Timer()+53p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_20], 0
		lea	eax, [ebp+var_20]
		and	[ebp+var_1C], 0
		push	ebx
		push	esi
		push	edi
		push	eax
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], ecx
		call	KeQuerySystemTime
		mov	eax, ds:_PopPolicy
		mov	edx, 989680h
		xor	edi, edi
		xor	esi, esi
		xor	cl, cl
		xor	ebx, ebx
		mov	eax, [eax+58h]
		mul	edx
		mov	[ebp+var_C], eax
		mov	eax, ds:dword_6C22D0
		mov	[ebp+var_8], edx
		test	eax, eax
		jz	short loc_65AD18
		inc	cl
		cmp	eax, 1
		setnz	bl
		add	ebx, 3
		jmp	loc_65ADF2
; 

loc_65AD18:				; CODE XREF: PopIdleChooseDozeS4Time(x,x)+46j
		mov	eax, ds:dword_6C22CC
		cmp	eax, [ebp+var_1C]
		jl	loc_65ADF2
		jg	short loc_65AD36
		mov	eax, ds:dword_6C22C8
		cmp	eax, [ebp+var_20]
		jbe	loc_65ADF2

loc_65AD36:				; CODE XREF: PopIdleChooseDozeS4Time(x,x)+66j
		cmp	ds:_PopSmartUserPresenceAction,	1
		jnz	loc_65ADF2
		call	KeQueryInterruptTime
		mov	ecx, eax
		mov	eax, edx
		sub	ecx, ds:dword_6C22F8
		mov	edx, 989680h
		sbb	eax, ds:dword_6C22FC
		mov	[ebp+var_10], eax
		mov	eax, ds:_PopSmartUserPresenceGracePeriod
		mul	edx
		mov	edi, eax
		mov	esi, edx
		mov	eax, [ebp+var_10]
		cmp	eax, esi
		jb	short loc_65AD7E
		ja	short loc_65AD78
		cmp	ecx, edi
		jbe	short loc_65AD7E

loc_65AD78:				; CODE XREF: PopIdleChooseDozeS4Time(x,x)+B2j
		xor	edi, edi
		xor	esi, esi
		jmp	short loc_65AD82
; 

loc_65AD7E:				; CODE XREF: PopIdleChooseDozeS4Time(x,x)+B0j
					; PopIdleChooseDozeS4Time(x,x)+B6j
		sub	edi, ecx
		sbb	esi, eax

loc_65AD82:				; CODE XREF: PopIdleChooseDozeS4Time(x,x)+BCj
		mov	ecx, ds:_PopSmartUserPresenceWakeOffset
		xor	eax, eax
		add	ecx, 3Ch
		mov	edx, 989680h
		push	0
		push	edx
		adc	eax, eax
		push	eax
		push	ecx
		call	__allmul
		mov	ecx, ds:dword_6C22C8
		sub	ecx, eax
		mov	eax, esi
		mov	[ebp+var_10], ecx
		mov	ecx, ds:dword_6C22CC
		sbb	ecx, edx
		mov	edx, edi
		add	edx, [ebp+var_20]
		adc	eax, [ebp+var_1C]
		cmp	eax, ecx
		jg	short loc_65ADE9
		jl	short loc_65ADC6
		cmp	edx, [ebp+var_10]
		jnb	short loc_65ADE9

loc_65ADC6:				; CODE XREF: PopIdleChooseDozeS4Time(x,x)+FFj
		mov	eax, edi
		or	eax, esi
		jz	short loc_65ADE2
		mov	ecx, [ebp+var_C]
		mov	eax, ecx
		mov	edx, [ebp+var_8]
		or	eax, edx
		jz	short loc_65ADE2
		cmp	esi, edx
		ja	short loc_65ADE9
		jb	short loc_65ADE2
		cmp	edi, ecx
		jnb	short loc_65ADE9

loc_65ADE2:				; CODE XREF: PopIdleChooseDozeS4Time(x,x)+10Aj
					; PopIdleChooseDozeS4Time(x,x)+116j ...
		push	2
		mov	cl, 1
		pop	ebx
		jmp	short loc_65ADEB
; 

loc_65ADE9:				; CODE XREF: PopIdleChooseDozeS4Time(x,x)+FDj
					; PopIdleChooseDozeS4Time(x,x)+104j ...
		mov	cl, bl

loc_65ADEB:				; CODE XREF: PopIdleChooseDozeS4Time(x,x)+127j
		neg	edi
		adc	esi, 0
		neg	esi

loc_65ADF2:				; CODE XREF: PopIdleChooseDozeS4Time(x,x)+53j
					; PopIdleChooseDozeS4Time(x,x)+60j ...
		mov	edx, [ebp+var_C]
		mov	eax, edx
		or	eax, [ebp+var_8]
		jz	short loc_65AE0E
		test	ebx, ebx
		jnz	short loc_65AE0E
		mov	esi, [ebp+var_8]
		mov	edi, edx
		neg	edi
		mov	cl, 1
		adc	esi, ebx
		neg	esi
		inc	ebx

loc_65AE0E:				; CODE XREF: PopIdleChooseDozeS4Time(x,x)+13Aj
					; PopIdleChooseDozeS4Time(x,x)+13Ej
		mov	eax, [ebp+var_14]
		mov	[eax], edi
		mov	[eax+4], esi
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_65AE1F
		mov	[eax], ebx

loc_65AE1F:				; CODE XREF: PopIdleChooseDozeS4Time(x,x)+15Bj
		pop	edi
		pop	esi
		mov	al, cl
		pop	ebx
		leave
		retn
_PopIdleChooseDozeS4Time@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmResetInterruptRate(x, x,	x)
_PpmResetInterruptRate@12 proc near	; DATA XREF: PpmPostProcessMediaBuffering()+54o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cli
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+4A0h]
		and	dword ptr [ecx+21D4h], 0
		mov	[ecx+21D0h], eax
		sti
		xor	eax, eax
		pop	ebp
		retn	0Ch
_PpmResetInterruptRate@12 endp


;  S U B	R O U T	I N E 


; __stdcall PpmParkComputeDiff()
_PpmParkComputeDiff@0 proc near		; CODE XREF: PpmParkCalculateCoreParkingMask:loc_5B9626p
		xor	ecx, ecx
		xor	eax, eax
		inc	eax
		mov	ds:dword_6B6648, ecx
		push	esi
		mov	esi, ds:_PpmParkNumNodes
		mov	edx, ecx
		mov	ds:_PpmPerfNewCoreParkingMask, ax
		mov	ds:word_6B6646,	ax
		mov	ds:dword_6B664C, ecx
		mov	ds:_PpmParkNewSoftParkingMask, ax
		mov	ds:word_6B660A,	ax
		mov	ds:dword_6B660C, ecx
		mov	ds:dword_6B6610, edx
		test	esi, esi
		jz	short loc_65AEAF
		mov	eax, ds:_PpmParkNodes
		add	eax, 1Ch

loc_65AE93:				; CODE XREF: PpmParkComputeDiff()+64j
		or	ecx, [eax-8]
		mov	ds:dword_6B664C, ecx
		or	edx, [eax]
		lea	eax, [eax+0D0h]
		mov	ds:dword_6B6610, edx
		sub	esi, 1
		jnz	short loc_65AE93

loc_65AEAF:				; CODE XREF: PpmParkComputeDiff()+40j
		push	offset _PpmPerfChangedCoreParkingMask
		mov	edx, offset _PpmPerfNewCoreParkingMask
		mov	ecx, offset _PpmPerfCoreParkingMask
		call	_KeXorAffinityEx@12 ; KeXorAffinityEx(x,x,x)
		pop	esi
		retn
_PpmParkComputeDiff@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmParkComputeUnparkMask(x,	x, x, x, x, x, x, x, x,	x, x)
_PpmParkComputeUnparkMask@44 proc near	; CODE XREF: PpmParkCalculateCoreParkingMask+12A363p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_44], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_34]
		mov	esi, [ebp+arg_18]
		stosd
		mov	[ebp+var_4C], ecx
		mov	ecx, [ebp+arg_1C]
		and	dword ptr [esi], 0
		stosd
		mov	[ebp+var_5C], esi
		and	dword ptr [ecx], 0
		mov	[ebp+var_58], ecx
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_40]
		stosd
		stosd
		stosd
		xor	eax, eax
		cmp	[ebp+arg_C], 0
		lea	edi, [ebp+var_1C]
		stosd
		stosd
		stosd
		jnz	short loc_65AF29
		mov	[esi], edx
		jmp	loc_65B2BD
; 

loc_65AF29:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+5Bj
		push	ebx
		mov	edi, edx
		mov	ebx, edi
		not	ebx
		mov	al, bl
		shr	ebx, 8
		mov	dl, bl
		movzx	eax, al
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, dl
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		add	cl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		mov	ecx, [ebp+arg_8]
		cmp	[ebp+arg_C], eax
		jnz	short loc_65AF79
		test	ecx, ecx
		jnz	short loc_65AF79
		mov	eax, [ebp+var_58]
		mov	[eax], edi
		jmp	loc_65B2BC
; 

loc_65AF79:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+A4j
					; PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+A8j
		cmp	ecx, eax
		jnz	loc_65B00D
		mov	edx, ds:_PpmParkPreferenceHandler
		test	edx, edx
		jz	loc_65B2BC
		cmp	[ebp+arg_0], 0
		jz	loc_65B2BC
		xor	eax, eax
		mov	[ebp+var_38], edi
		inc	eax
		xor	ebx, ebx
		mov	word ptr [ebp+var_40], ax
		mov	word ptr [ebp+var_40+2], ax
		mov	word ptr [ebp+var_34], ax
		mov	word ptr [ebp+var_34+2], ax
		mov	word ptr [ebp+var_28], ax
		mov	word ptr [ebp+var_28+2], ax
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		mov	word ptr [ebp+var_1C], ax
		mov	word ptr [ebp+var_1C+2], ax
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_3C], ebx
		push	eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_30], ebx
		push	eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_2C], ebx
		push	eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_24], ebx
		push	eax
		push	ecx
		push	ds:dword_6C0464
		mov	[ebp+var_20], ebx
		push	ds:_PpmCheckTime
		mov	[ebp+var_C], ebx
		push	ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	edx
		jmp	loc_65B2BC
; 

loc_65B00D:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+B6j
		test	ecx, ecx
		jz	loc_65B0D3
		mov	edx, ds:_PpmParkPreferenceHandler
		test	edx, edx
		jz	loc_65B0D3
		xor	eax, eax
		mov	[ebp+var_38], edi
		inc	eax
		xor	ebx, ebx
		mov	word ptr [ebp+var_40], ax
		mov	word ptr [ebp+var_40+2], ax
		mov	word ptr [ebp+var_34], ax
		mov	word ptr [ebp+var_34+2], ax
		mov	word ptr [ebp+var_28], ax
		mov	word ptr [ebp+var_28+2], ax
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		mov	word ptr [ebp+var_1C], ax
		mov	word ptr [ebp+var_1C+2], ax
		mov	eax, [ebp+arg_10]
		or	eax, [ebp+arg_14]
		mov	[ebp+var_48], eax
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_3C], ebx
		push	eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_30], ebx
		push	eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_2C], ebx
		push	eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_24], ebx
		push	eax
		push	ecx
		push	ds:dword_6C0464
		mov	[ebp+var_C], ebx
		push	ds:_PpmCheckTime
		mov	[ebp+var_8], ebx
		push	ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	edx
		mov	ecx, [ebp+var_4C]
		test	cx, cx
		jnz	short loc_65B0AE
		mov	eax, [ebp+var_8]
		mov	ebx, [ebp+var_14]
		mov	[ebp+var_50], eax
		jmp	short loc_65B0B3
; 

loc_65B0AE:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+1DCj
		mov	eax, ebx
		mov	[ebp+var_50], ebx

loc_65B0B3:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+1E7j
		push	ebx
		push	eax
		push	[ebp+arg_14]
		mov	edx, edi
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		call	_PpmEventParkNodePreference@28 ; PpmEventParkNodePreference(x,x,x,x,x,x,x)
		mov	eax, [ebp+var_48]
		mov	ecx, [ebp+var_50]
		not	eax
		and	ecx, eax
		and	ebx, eax
		jmp	short loc_65B0D7
; 

loc_65B0D3:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+14Aj
					; PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+158j
		xor	ecx, ecx
		xor	ebx, ebx

loc_65B0D7:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+20Cj
		mov	edx, [ebp+arg_14]
		mov	eax, ebx
		or	eax, ecx
		mov	[ebp+var_48], ebx
		or	eax, [ebp+arg_10]
		or	eax, edx
		mov	[ebp+var_50], ecx
		not	eax
		mov	[esi], edi
		and	eax, edi
		mov	[ebp+var_68], eax
		test	edi, edx
		jz	short loc_65B105
		mov	ebx, [ebp+var_44]
		or	dword ptr [ebx], 200h
		mov	esi, [esi]
		and	esi, edx
		jmp	short loc_65B139
; 

loc_65B105:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+22Fj
		test	ebx, edi
		mov	ebx, [ebp+var_44]
		jz	short loc_65B119
		or	dword ptr [ebx], 400h
		mov	esi, [esi]
		and	esi, [ebp+var_48]
		jmp	short loc_65B139
; 

loc_65B119:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+245j
		test	eax, edi
		jz	short loc_65B129
		or	dword ptr [ebx], 800h
		mov	esi, [esi]
		and	esi, eax
		jmp	short loc_65B139
; 

loc_65B129:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+256j
		mov	esi, ecx
		and	esi, edi
		jz	short loc_65B137
		or	dword ptr [ebx], 80000h
		jmp	short loc_65B139
; 

loc_65B137:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+268j
		xor	esi, esi

loc_65B139:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+23Ej
					; PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+252j	...
		xor	edi, [ebp+arg_0]
		mov	ecx, esi
		and	edi, [ebp+arg_4]
		and	[ebp+var_4C], 0
		cmp	[ebp+arg_C], 0
		mov	[ebp+var_54], esi
		mov	[ebp+var_44], ecx
		jbe	loc_65B2BC

loc_65B155:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+3F1j
		test	ecx, ecx
		jz	loc_65B2BC
		mov	eax, ds:_PopHeteroSystem
		cmp	eax, 3
		jz	short loc_65B16C
		cmp	eax, 5
		jnz	short loc_65B17C

loc_65B16C:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+2A0j
		or	dword ptr [ebx], 8000h
		call	_PpmHeteroRestrictToFavoredClass@8 ; PpmHeteroRestrictToFavoredClass(x,x)
		mov	ecx, eax
		mov	[ebp+var_44], ecx

loc_65B17C:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+2A5j
		mov	eax, ecx
		and	eax, edi
		jz	short loc_65B18D
		or	dword ptr [ebx], 1000h
		mov	ecx, eax
		mov	[ebp+var_44], ecx

loc_65B18D:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+2BBj
		mov	eax, [ebp+arg_0]
		not	eax
		and	eax, ecx
		jz	short loc_65B1A1
		or	dword ptr [ebx], 2000h
		mov	ecx, eax
		mov	[ebp+var_44], ecx

loc_65B1A1:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+2CFj
		and	[ebp+var_60], 0
		bsf	ecx, ecx
		and	ecx, 1Fh
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		cmp	ds:_PpmParkCoreMask, 0
		mov	[ebp+var_60], eax
		jz	short loc_65B1C4
		mov	edx, [eax+402Ch]
		jmp	short loc_65B1CA
; 

loc_65B1C4:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+2F5j
		mov	edx, [eax+3C8h]

loc_65B1CA:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+2FDj
		mov	eax, [ebp+var_5C]
		mov	ecx, edx
		not	ecx
		and	[eax], ecx
		mov	eax, [ebp+var_4C]
		cmp	eax, [ebp+arg_8]
		jb	short loc_65B1E0
		mov	eax, [ebp+var_58]
		or	[eax], edx

loc_65B1E0:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+314j
		movzx	eax, cl
		shr	ecx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		mov	[ebp+var_64], ecx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, [ebp+var_64]
		movzx	eax, al
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		mov	edx, [ebp+var_60]
		movzx	eax, cl
		add	[ebp+var_4C], eax
		mov	ecx, [ebp+var_44]
		mov	eax, [edx+338h]
		mov	eax, [eax+84h]
		not	eax
		and	ecx, eax
		movzx	eax, byte ptr [edx+3C5h]
		mov	[ebp+var_44], ecx
		mov	eax, [edx+eax*4+401Ch]
		not	eax
		and	[ebp+var_54], eax
		mov	eax, [edx+402Ch]
		not	eax
		and	esi, eax
		test	ecx, ecx
		jnz	short loc_65B2B0
		mov	eax, [ebp+var_54]
		test	eax, eax
		jnz	short loc_65B2AB
		test	esi, esi
		jnz	short loc_65B2A6
		mov	ecx, [ebp+var_5C]
		mov	edx, [ebp+arg_14]
		mov	esi, [ecx]
		test	esi, edx
		jz	short loc_65B271
		or	dword ptr [ebx], 200h
		jmp	short loc_65B27C
; 

loc_65B271:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+3A2j
		test	[ebp+var_48], esi
		jz	short loc_65B282
		or	dword ptr [ebx], 400h

loc_65B27C:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+3AAj
		mov	esi, [ecx]
		and	esi, edx
		jmp	short loc_65B2A6
; 

loc_65B282:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+3AFj
		mov	eax, [ebp+var_68]
		test	esi, eax
		jz	short loc_65B291
		or	dword ptr [ebx], 800h
		jmp	short loc_65B29E
; 

loc_65B291:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+3C2j
		mov	eax, [ebp+var_50]
		test	esi, eax
		jz	short loc_65B2A4
		or	dword ptr [ebx], 80000h

loc_65B29E:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+3CAj
		mov	esi, [ecx]
		and	esi, eax
		jmp	short loc_65B2A6
; 

loc_65B2A4:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+3D1j
		xor	esi, esi

loc_65B2A6:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+396j
					; PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+3BBj	...
		mov	eax, esi
		mov	[ebp+var_54], eax

loc_65B2AB:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+392j
		mov	ecx, eax
		mov	[ebp+var_44], eax

loc_65B2B0:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+38Bj
		mov	eax, [ebp+arg_C]
		cmp	[ebp+var_4C], eax
		jb	loc_65B155

loc_65B2BC:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+AFj
					; PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+C4j ...
		pop	ebx

loc_65B2BD:				; CODE XREF: PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+5Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	24h
_PpmParkComputeUnparkMask@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmParkFindOverUtilizedProcessors(x, x)
_PpmParkFindOverUtilizedProcessors@8 proc near
					; CODE XREF: PpmParkCalculateCoreParkingMask+129E92p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_6		= word ptr -6
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		mov	[ebp+var_6], ax
		mov	ax, [ecx+4]
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ax
		mov	eax, [ecx+8]
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], esi

loc_65B2F5:				; CODE XREF: PpmParkFindOverUtilizedProcessors(x,x)+47j
					; PpmParkFindOverUtilizedProcessors(x,x)+4Fj
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_65B31E
		mov	ecx, [ebp+var_4]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		cmp	[eax+3EB8h], edi
		jb	short loc_65B2F5
		or	esi, [eax+3C8h]
		jmp	short loc_65B2F5
; 

loc_65B31E:				; CODE XREF: PpmParkFindOverUtilizedProcessors(x,x)+37j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_PpmParkFindOverUtilizedProcessors@8 endp


;  S U B	R O U T	I N E 


; __stdcall PpmParkReportParkedCore(x)
_PpmParkReportParkedCore@4 proc	near	; CODE XREF: PpmPerfAction(x,x,x,x)+89p
		mov	edi, edi
		push	ecx
		push	ebx
		mov	ebx, ds:dword_6B6610
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+3CCh]
		shr	ebx, cl
		mov	ecx, esi
		and	ebx, 1
		lea	edx, [ebx+1]
		call	_KeTransitionProcessorParkState@8 ; KeTransitionProcessorParkState(x,x)
		push	dword ptr [esi+3CCh]
		mov	byte ptr [esi+3ED4h], 1
		push	offset _PpmPerfCoreParkingMask
		call	_KeInterlockedSetProcessorAffinityEx@8 ; KeInterlockedSetProcessorAffinityEx(x,x)
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		and	dword ptr [esi+21D4h], 0
		mov	ecx, [esi+4A0h]
		mov	[esi+21D0h], ecx
		test	al, al
		jz	short loc_65B37A
		sti

loc_65B37A:				; CODE XREF: PpmParkReportParkedCore(x)+53j
		test	bl, bl
		jz	short loc_65B395
		push	dword ptr [esi+3CCh]
		push	offset _PpmParkSoftParkingMask
		call	_KeInterlockedSetProcessorAffinityEx@8 ; KeInterlockedSetProcessorAffinityEx(x,x)
		mov	byte ptr [esi+3D9Bh], 1

loc_65B395:				; CODE XREF: PpmParkReportParkedCore(x)+58j
		mov	dl, bl
		mov	ecx, esi
		call	_PpmEventCoreParkingStateChangeEx@8 ; PpmEventCoreParkingStateChangeEx(x,x)
		pop	esi
		pop	ebx
		pop	ecx
		retn
_PpmParkReportParkedCore@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpmParkReportSoftParkChange(x)
_PpmParkReportSoftParkChange@4 proc near ; CODE	XREF: PpmPerfAction(x,x,x,x)+92p
		mov	edi, edi
		push	ecx
		push	ebx
		mov	ebx, ds:dword_6B6610
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+3CCh]
		shr	ebx, cl
		mov	ecx, esi
		and	ebx, 1
		lea	edx, [ebx+1]
		call	_KeTransitionProcessorParkState@8 ; KeTransitionProcessorParkState(x,x)
		mov	eax, [esi+3CCh]
		push	eax
		push	offset _PpmParkSoftParkingMask
		test	bl, bl
		jz	short loc_65B3DB
		call	_KeInterlockedSetProcessorAffinityEx@8 ; KeInterlockedSetProcessorAffinityEx(x,x)
		jmp	short loc_65B3E0
; 

loc_65B3DB:				; CODE XREF: PpmParkReportSoftParkChange(x)+30j
		call	_KeInterlockedClearProcessorAffinityEx@8 ; KeInterlockedClearProcessorAffinityEx(x,x)

loc_65B3E0:				; CODE XREF: PpmParkReportSoftParkChange(x)+37j
		mov	dl, bl
		mov	[esi+3D9Bh], bl
		mov	ecx, esi
		call	_PpmEventCoreParkingSoftParkedStateChange@8 ; PpmEventCoreParkingSoftParkedStateChange(x,x)
		pop	esi
		pop	ebx
		pop	ecx
		retn
_PpmParkReportSoftParkChange@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpmParkReportUnparkedCore(x)
_PpmParkReportUnparkedCore@4 proc near	; CODE XREF: PpmPerfAction(x,x,x,x)+80p
		mov	edi, edi
		push	esi
		xor	edx, edx
		mov	esi, ecx
		call	_KeTransitionProcessorParkState@8 ; KeTransitionProcessorParkState(x,x)
		push	dword ptr [esi+3CCh]
		mov	byte ptr [esi+3ED4h], 0
		push	offset _PpmPerfCoreParkingMask
		call	_KeInterlockedClearProcessorAffinityEx@8 ; KeInterlockedClearProcessorAffinityEx(x,x)
		cmp	byte ptr [esi+3D9Bh], 0
		jz	short loc_65B436
		push	dword ptr [esi+3CCh]
		push	offset _PpmParkSoftParkingMask
		call	_KeInterlockedClearProcessorAffinityEx@8 ; KeInterlockedClearProcessorAffinityEx(x,x)
		mov	byte ptr [esi+3D9Bh], 0

loc_65B436:				; CODE XREF: PpmParkReportUnparkedCore(x)+2Aj
		mov	ecx, esi
		call	_PpmEventCoreParkingStateChange@8 ; PpmEventCoreParkingStateChange(x,x)
		mov	eax, [esi+3D70h]
		test	eax, eax
		jz	short loc_65B453
		cmp	byte ptr [eax],	1
		jnz	short loc_65B453
		mov	byte ptr [esi+3DA5h], 1

loc_65B453:				; CODE XREF: PpmParkReportUnparkedCore(x)+52j
					; PpmParkReportUnparkedCore(x)+57j
		pop	esi
		retn
_PpmParkReportUnparkedCore@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmParkSetLpiCap(x,	x, x)
_PpmParkSetLpiCap@12 proc near		; CODE XREF: NtPowerInformation+172451p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:20h
		push	esi
		mov	[ebp+var_C], edx
		mov	esi, ecx
		cmp	dword ptr [eax+3E38h], 2
		jl	short loc_65B488
		test	ds:_HvlEnlightenments, 40000h
		jnz	short loc_65B488
		mov	eax, 0C0000001h
		jmp	loc_65B59E
; 

loc_65B488:				; CODE XREF: PpmParkSetLpiCap(x,x,x)+1Bj
					; PpmParkSetLpiCap(x,x,x)+27j
		push	ebx
		push	edi
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	al, ds:_PpmParkGranularity
		dec	esi
		movzx	edi, al
		xor	edx, edx
		add	esi, edi
		mov	[ebp+var_1], al
		mov	eax, esi
		mov	[ebp+var_8], edi
		div	edi
		push	0
		pop	ebx
		sub	esi, edx
		jz	short loc_65B4EE
		mov	edx, ds:_PpmParkNumNodes
		mov	ecx, ebx
		test	edx, edx
		jz	short loc_65B4E8
		mov	eax, ds:_PpmParkNodes
		lea	edi, [eax+6]
		mov	ah, [ebp+var_1]

loc_65B4C9:				; CODE XREF: PpmParkSetLpiCap(x,x,x)+8Ej
		mov	al, [edi]
		cmp	al, ah
		jbe	short loc_65B4DA
		movzx	eax, al
		sub	eax, [ebp+var_8]
		add	ecx, eax
		mov	ah, [ebp+var_1]

loc_65B4DA:				; CODE XREF: PpmParkSetLpiCap(x,x,x)+78j
		add	edi, 0D0h
		sub	edx, 1
		jnz	short loc_65B4C9
		mov	edi, [ebp+var_8]

loc_65B4E8:				; CODE XREF: PpmParkSetLpiCap(x,x,x)+67j
		cmp	esi, ecx
		jbe	short loc_65B4EE
		mov	esi, ecx

loc_65B4EE:				; CODE XREF: PpmParkSetLpiCap(x,x,x)+5Bj
					; PpmParkSetLpiCap(x,x,x)+95j
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		dec	ecx
		add	ecx, edi
		mov	eax, ecx
		div	edi
		sub	ecx, edx
		mov	[ebp+var_10], ecx
		jz	short loc_65B549
		mov	edi, ds:_PpmParkNumNodes
		mov	edx, ebx
		test	edi, edi
		jz	short loc_65B543
		mov	eax, ds:_PpmParkNodes
		mov	ecx, [ebp+var_8]
		add	eax, 6
		mov	bh, [ebp+var_1]
		mov	[ebp+var_C], eax

loc_65B51E:				; CODE XREF: PpmParkSetLpiCap(x,x,x)+E7j
		mov	bl, [eax]
		mov	[ebp+var_1], bl
		cmp	bl, bh
		jbe	short loc_65B531
		movzx	eax, bl
		sub	eax, ecx
		add	edx, eax
		mov	eax, [ebp+var_C]

loc_65B531:				; CODE XREF: PpmParkSetLpiCap(x,x,x)+D0j
		add	eax, 0D0h
		mov	[ebp+var_C], eax
		sub	edi, 1
		jnz	short loc_65B51E
		mov	ecx, [ebp+var_10]
		xor	ebx, ebx

loc_65B543:				; CODE XREF: PpmParkSetLpiCap(x,x,x)+B6j
		cmp	ecx, edx
		jbe	short loc_65B549
		mov	ecx, edx

loc_65B549:				; CODE XREF: PpmParkSetLpiCap(x,x,x)+AAj
					; PpmParkSetLpiCap(x,x,x)+F0j
		cmp	esi, ds:_PpmParkLpiCap
		jz	short loc_65B563
		mov	ds:_PpmParkLpiCap, esi
		mov	bl, 1
		mov	ds:_PpmParkLpiCapChanged, 1

loc_65B563:				; CODE XREF: PpmParkSetLpiCap(x,x,x)+FAj
		cmp	ecx, ds:_PpmParkThermalCap
		jz	short loc_65B573
		mov	ds:_PpmParkThermalCap, ecx
		mov	bl, 1

loc_65B573:				; CODE XREF: PpmParkSetLpiCap(x,x,x)+114j
		pop	edi
		test	bl, bl
		pop	ebx
		jz	short loc_65B58D
		call	PpmParkApplyPolicy
		call	_PpmCheckReInit@0 ; PpmCheckReInit()
		push	4
		pop	ecx
		call	_PpmCheckCustomRun@4 ; PpmCheckCustomRun(x)
		jmp	short loc_65B597
; 

loc_65B58D:				; CODE XREF: PpmParkSetLpiCap(x,x,x)+122j
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)

loc_65B597:				; CODE XREF: PpmParkSetLpiCap(x,x,x)+136j
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	eax, eax

loc_65B59E:				; CODE XREF: PpmParkSetLpiCap(x,x,x)+2Ej
		pop	esi
		leave
		retn	4
_PpmParkSetLpiCap@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmParkSnapNodeIdleTime(x, x, x)
_PpmParkSnapNodeIdleTime@12 proc near	; CODE XREF: PopAccumulateNonActivatedCpuTime(x,x,x)+2Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	[ebx], eax
		mov	[ebx+4], eax
		mov	[edi], eax
		mov	[edi+4], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PpmParkStateLock
		mov	byte ptr [ebp+arg_0+3],	al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [esi+338h]
		movzx	ecx, word ptr [ecx+8Ah]
		cmp	ecx, ds:_PpmParkNumNodes
		jnb	short loc_65B601
		imul	eax, ecx, 0D0h
		add	eax, ds:_PpmParkNodes
		mov	ecx, [eax+28h]
		test	ecx, ecx
		jz	short loc_65B601
		push	ebx
		mov	edx, edi
		call	_PpmIdleSnapConcurrencyIdleTime@12 ; PpmIdleSnapConcurrencyIdleTime(x,x,x)

loc_65B601:				; CODE XREF: PpmParkSnapNodeIdleTime(x,x,x)+41j
					; PpmParkSnapNodeIdleTime(x,x,x)+54j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PpmParkStateLock
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_65B61C
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65B621
; 

loc_65B61C:				; CODE XREF: PpmParkSnapNodeIdleTime(x,x,x)+6Dj
		xor	eax, eax
		lock and [ecx],	eax

loc_65B621:				; CODE XREF: PpmParkSnapNodeIdleTime(x,x,x)+77j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebp
		retn	4
_PpmParkSnapNodeIdleTime@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PpmIdleGuestComplete(x, x,	x, x, x)
@PpmIdleGuestComplete@20 proc near	; DATA XREF: PpmIdleRegisterDefaultStates+9F29Ao

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		or	edx, 0FFFFFFFFh
		cmp	esi, edx
		jz	short loc_65B66B
		push	[ebp+arg_8]
		mov	eax, ds:_PpmPlatformStates
		push	[ebp+arg_4]
		push	esi
		call	dword ptr [eax+18h]
		mov	eax, large fs:20h
		cmp	dword ptr [eax+3E38h], 2
		jl	short loc_65B66B
		cmp	esi, ds:_PpmDripsStateIndex
		jnz	short loc_65B66B
		xor	ecx, ecx
		call	_HvlSetPlatformIdleState@4 ; HvlSetPlatformIdleState(x)

loc_65B66B:				; CODE XREF: PpmIdleGuestComplete(x,x,x,x,x)+Ej
					; PpmIdleGuestComplete(x,x,x,x,x)+2Cj ...
		pop	esi
		pop	ebp
		retn	0Ch
@PpmIdleGuestComplete@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PpmIdleGuestExecute(x, x, x, x, x,	x, x, x)
@PpmIdleGuestExecute@32	proc near	; DATA XREF: PpmIdleRegisterDefaultStates+9F293o

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		test	edx, edx
		jnz	short loc_65B686
		call	ds:__imp__HalProcessorIdle@0 ; HalProcessorIdle()
		jmp	short loc_65B694
; 

loc_65B686:				; CODE XREF: PpmIdleGuestExecute(x,x,x,x,x,x,x,x)+Cj
		mov	ecx, 400000F0h
		rdmsr
		mov	[esp+8+var_8], eax
		mov	[esp+8+var_4], edx

loc_65B694:				; CODE XREF: PpmIdleGuestExecute(x,x,x,x,x,x,x,x)+14j
		xor	eax, eax
		mov	esp, ebp
		pop	ebp
		retn	18h
@PpmIdleGuestExecute@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PpmIdleGuestPreExecute(x, x, x, x,	x)
@PpmIdleGuestPreExecute@20 proc	near	; DATA XREF: PpmIdleRegisterDefaultStates+9F28Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		or	edx, 0FFFFFFFFh
		cmp	edi, edx
		jz	short loc_65B6ED
		mov	eax, ds:_PpmPlatformStates
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_65B6C6
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	edi
		call	eax
		mov	esi, eax
		jmp	short loc_65B6C8
; 

loc_65B6C6:				; CODE XREF: PpmIdleGuestPreExecute(x,x,x,x,x)+1Bj
		xor	esi, esi

loc_65B6C8:				; CODE XREF: PpmIdleGuestPreExecute(x,x,x,x,x)+28j
		test	esi, esi
		js	short loc_65B6EF
		mov	eax, large fs:20h
		cmp	dword ptr [eax+3E38h], 2
		jl	short loc_65B6EF
		cmp	edi, ds:_PpmDripsStateIndex
		jnz	short loc_65B6EF
		xor	ecx, ecx
		inc	ecx
		call	_HvlSetPlatformIdleState@4 ; HvlSetPlatformIdleState(x)
		jmp	short loc_65B6EF
; 

loc_65B6ED:				; CODE XREF: PpmIdleGuestPreExecute(x,x,x,x,x)+Fj
		xor	esi, esi

loc_65B6EF:				; CODE XREF: PpmIdleGuestPreExecute(x,x,x,x,x)+2Ej
					; PpmIdleGuestPreExecute(x,x,x,x,x)+3Dj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
@PpmIdleGuestPreExecute@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PpmIdleGuestPreselect(x, x)
@PpmIdleGuestPreselect@8 proc near	; DATA XREF: PpmIdleRegisterDefaultStates+9F272o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, large fs:20h
		xor	eax, eax
		push	edi
		mov	edi, edx
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		cmp	dword ptr [esi+3E38h], 2
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		jl	short loc_65B743
		lea	eax, [ebp+var_2C]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_24]
		call	_HvlGetLogicalProcessorRunTime@12 ; HvlGetLogicalProcessorRunTime(x,x,x)
		mov	edx, [ebp+var_2C]
		mov	eax, edx
		sub	eax, [ebp+var_24]
		mov	ecx, [ebp+var_28]
		mov	[ebp+var_C], ecx
		sbb	ecx, [ebp+var_20]
		jmp	short loc_65B751
; 

loc_65B743:				; CODE XREF: PpmIdleGuestPreselect(x,x)+29j
		mov	eax, [edi+4]
		mov	edx, [edi]
		mov	ecx, [edi+0Ch]
		mov	[ebp+var_C], eax
		mov	eax, [edi+8]

loc_65B751:				; CODE XREF: PpmIdleGuestPreselect(x,x)+4Aj
		mov	ebx, [edi+20h]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], edx
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_65B79B
		cmp	ebx, 2
		jb	short loc_65B76A

loc_65B767:				; CODE XREF: PpmIdleGuestPreselect(x,x)+B1j
					; PpmIdleGuestPreselect(x,x)+BBj ...
		xor	ebx, ebx
		inc	ebx

loc_65B76A:				; CODE XREF: PpmIdleGuestPreselect(x,x)+6Ej
					; PpmIdleGuestPreselect(x,x)+15Dj ...
		mov	eax, [ebp+var_18]
		mov	[esi+3E90h], eax
		mov	eax, [ebp+var_C]
		mov	[esi+3E94h], eax
		mov	eax, [ebp+var_1C]
		mov	[esi+3E98h], eax
		mov	eax, [ebp+var_10]
		mov	[esi+3E9Ch], eax

loc_65B78E:				; CODE XREF: PpmIdleGuestPreselect(x,x)+F1j
					; PpmIdleGuestPreselect(x,x)+F8j
		pop	edi
		mov	[esi+3D9Ah], bl
		mov	eax, ebx
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_65B79B:				; CODE XREF: PpmIdleGuestPreselect(x,x)+69j
		cmp	byte ptr [edi+2Ah], 0
		jz	short loc_65B7AA
		cmp	dword ptr [esi+3E38h], 2
		jl	short loc_65B767

loc_65B7AA:				; CODE XREF: PpmIdleGuestPreselect(x,x)+A8j
		mov	bl, [edi+29h]
		mov	[ebp+var_2], bl
		test	bl, bl
		jz	short loc_65B767
		mov	bl, [edi+28h]
		mov	[ebp+var_1], bl
		test	bl, bl
		jz	short loc_65B767
		sub	edx, [esi+3E90h]
		mov	ecx, [ebp+var_C]
		sbb	ecx, [esi+3E94h]
		movzx	ebx, byte ptr [esi+3D9Ah]
		mov	[ebp+var_14], ecx
		mov	ecx, [edi+24h]
		mov	edi, [ebp+var_14]
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_20], edx
		test	edi, edi
		jb	short loc_65B78E
		ja	short loc_65B7F1
		cmp	edx, [ebp+var_8]
		jb	short loc_65B78E

loc_65B7F1:				; CODE XREF: PpmIdleGuestPreselect(x,x)+F3j
		sub	eax, [esi+3E98h]
		push	edi
		mov	edi, [ebp+var_20]
		sbb	ecx, [esi+3E9Ch]
		mov	[ebp+var_8], eax
		movzx	eax, [ebp+var_1]
		cdq
		push	edi
		push	edx
		push	eax
		mov	[ebp+var_28], ecx
		call	__allmul
		push	0
		push	64h
		push	edx
		push	eax
		call	__aulldiv
		push	[ebp+var_14]
		mov	[ebp+var_20], eax
		movzx	eax, [ebp+var_2]
		cdq
		push	edi
		push	edx
		push	eax
		call	__allmul
		push	0
		push	64h
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, [ebp+var_28]
		mov	edx, eax
		mov	eax, [ebp+var_8]
		test	ecx, ecx
		ja	short loc_65B86C
		jb	short loc_65B84F
		cmp	eax, edx
		jnb	short loc_65B859

loc_65B84F:				; CODE XREF: PpmIdleGuestPreselect(x,x)+152j
		test	ebx, ebx
		jz	short loc_65B859
		dec	ebx
		jmp	loc_65B76A
; 

loc_65B859:				; CODE XREF: PpmIdleGuestPreselect(x,x)+156j
					; PpmIdleGuestPreselect(x,x)+15Aj
		test	ecx, ecx
		jb	loc_65B76A
		ja	short loc_65B86C
		cmp	eax, [ebp+var_20]
		jb	loc_65B76A

loc_65B86C:				; CODE XREF: PpmIdleGuestPreselect(x,x)+150j
					; PpmIdleGuestPreselect(x,x)+16Aj
		lea	eax, [ebx+1]
		cmp	eax, 2
		jnb	loc_65B76A
		mov	ebx, eax
		jmp	loc_65B76A
@PpmIdleGuestPreselect@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PpmIdleGuestTest(x, x, x)
@PpmIdleGuestTest@12 proc near		; DATA XREF: PpmIdleRegisterDefaultStates+9F285o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0FFFFFFFFh
		jz	short loc_65B89B
		mov	eax, ds:_PpmPlatformStates
		mov	eax, [eax+10h]
		test	eax, eax
		jz	short loc_65B89B
		xor	edx, edx
		pop	ebp
		jmp	eax
; 

loc_65B89B:				; CODE XREF: PpmIdleGuestTest(x,x,x)+9j
					; PpmIdleGuestTest(x,x,x)+15j
		xor	eax, eax
		pop	ebp
		retn	4
@PpmIdleGuestTest@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmHvGetRuntimesForProcessor(x, x, x)
_PpmHvGetRuntimesForProcessor@12 proc near ; CODE XREF:	PpmUpdatePerformanceFeedback+12BEE6p
					; PpmUpdatePerformanceFeedback+12BF4Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_8], 0
		and	[esp+0Ch+var_4], 0
		push	esi
		push	[ebp+arg_0]
		mov	esi, edx
		lea	edx, [esp+14h+var_8]
		call	_HvlGetPpmStatsForProcessor@12 ; HvlGetPpmStatsForProcessor(x,x,x)
		mov	ecx, [esp+10h+var_8]
		mov	[esi], ecx
		mov	ecx, [esp+10h+var_4]
		mov	[esi+4], ecx
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_PpmHvGetRuntimesForProcessor@12 endp


;  S U B	R O U T	I N E 


; __stdcall PpmHvSetVirtualProcessorQos(x)
_PpmHvSetVirtualProcessorQos@4 proc near ; CODE	XREF: PoSetProcessorQoS(x,x)+115p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+4DCh]
		mov	ecx, [esi+3F08h]
		mov	[esi+3F0Ch], ecx
		test	eax, eax
		jz	short loc_65B90A
		mov	[eax+4], ecx
		xor	edx, edx
		mov	dword ptr [eax+0Ch], 1
		mov	ecx, 400000C2h
		push	0FFFFFFFEh
		pop	eax
		wrmsr

loc_65B90A:				; CODE XREF: PpmHvSetVirtualProcessorQos(x)+19j
		mov	ecx, esi
		pop	esi
		jmp	_PpmEventVpQosChange@4 ; PpmEventVpQosChange(x)
_PpmHvSetVirtualProcessorQos@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxAcpiDispatchNotification(x)
_PopFxAcpiDispatchNotification@4 proc near ; CODE XREF:	PoFxPlatformRequestHandler+80DD8p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= dword	ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], ebx
		mov	byte ptr [ebp+var_2], bl
		mov	byte ptr [ebp+var_2+1],	bl
		call	_PopFxAcpiValidateParameters@4 ; PopFxAcpiValidateParameters(x)
		test	al, al
		jnz	short loc_65B942
		mov	ecx, 0C0000001h
		jmp	loc_65B9DB
; 

loc_65B942:				; CODE XREF: PopFxAcpiDispatchNotification(x)+24j
		mov	edx, [esi]
		mov	eax, edx
		push	edi
		mov	edi, [esi+8]
		sub	eax, 1
		jz	short loc_65B9B5
		sub	eax, 1
		jz	short loc_65B9A5
		sub	eax, 1
		jz	short loc_65B97E
		mov	ecx, [esi+4]
		sub	eax, 1
		jz	short loc_65B973
		lea	eax, [ebp+var_2+1]
		push	eax
		push	ecx
		push	edi
		call	_PopFxAcpiForwardNotification@20 ; PopFxAcpiForwardNotification(x,x,x,x,x)
		mov	bl, byte ptr [ebp+var_2+1]
		mov	ecx, eax
		jmp	short loc_65B9DA
; 

loc_65B973:				; CODE XREF: PopFxAcpiDispatchNotification(x)+4Dj
		mov	edx, edi
		call	_PopFxAcpiUnregisterDevice@8 ; PopFxAcpiUnregisterDevice(x,x)
		mov	ecx, eax
		jmp	short loc_65B9D8
; 

loc_65B97E:				; CODE XREF: PopFxAcpiDispatchNotification(x)+45j
		mov	ecx, [edi]
		lea	eax, [ebp+var_C]
		mov	edx, [esi+14h]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	_PopFxAcpiRegisterDevice@20 ; PopFxAcpiRegisterDevice(x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_65B9D8
		mov	eax, [ebp+var_8]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_C]
		mov	[esi+1Ch], eax
		jmp	short loc_65B9D8
; 

loc_65B9A5:				; CODE XREF: PopFxAcpiDispatchNotification(x)+40j
		mov	ecx, [esi+14h]
		push	edi
		push	2
		pop	edx
		call	_PopPluginAcpiNotificationStrict@12 ; PopPluginAcpiNotificationStrict(x,x,x)
		mov	ecx, ebx
		jmp	short loc_65B9D8
; 

loc_65B9B5:				; CODE XREF: PopFxAcpiDispatchNotification(x)+3Bj
		mov	ecx, [edi]
		lea	eax, [ebp+var_2]
		push	eax
		lea	eax, [ebp+var_10]
		mov	edx, edi
		push	eax
		call	_PopFxAcpiPrepareDevice@16 ; PopFxAcpiPrepareDevice(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_65B9D8
		mov	eax, [ebp+var_10]
		mov	[esi+14h], eax
		mov	al, byte ptr [ebp+var_2]
		mov	[esi+18h], al

loc_65B9D8:				; CODE XREF: PopFxAcpiDispatchNotification(x)+6Aj
					; PopFxAcpiDispatchNotification(x)+83j	...
		mov	bl, 1

loc_65B9DA:				; CODE XREF: PopFxAcpiDispatchNotification(x)+5Fj
		pop	edi

loc_65B9DB:				; CODE XREF: PopFxAcpiDispatchNotification(x)+2Bj
		mov	[esi+10h], bl
		mov	eax, ecx
		pop	esi
		pop	ebx
		leave
		retn
_PopFxAcpiDispatchNotification@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxAcpiForwardNotification(x, x, x, x, x)
_PopFxAcpiForwardNotification@20 proc near ; CODE XREF:	PopFxAcpiDispatchNotification(x)+55p

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	ebx, [edi+98h]
		lock inc dword ptr [ebx]
		cmp	byte ptr [edi+94h], 0
		jnz	short loc_65BA32
		push	[ebp+arg_0]
		mov	eax, [edi+2Ch]
		xor	esi, esi
		push	edx
		call	dword ptr [eax+48h]
		mov	byte ptr [ebp+arg_0+3],	al
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		dec	eax
		jnz	short loc_65BA28
		push	esi
		push	esi
		lea	eax, [edi+9Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_65BA28:				; CODE XREF: PopFxAcpiForwardNotification(x,x,x,x,x)+34j
		mov	eax, [ebp+arg_8]
		mov	cl, byte ptr [ebp+arg_0+3]
		mov	[eax], cl
		jmp	short loc_65BA50
; 

loc_65BA32:				; CODE XREF: PopFxAcpiForwardNotification(x,x,x,x,x)+1Bj
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		jnz	short loc_65BA4B
		xor	esi, esi
		lea	eax, [edi+9Ch]
		push	esi
		push	esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_65BA4B:				; CODE XREF: PopFxAcpiForwardNotification(x,x,x,x,x)+55j
		mov	esi, 0C0000056h

loc_65BA50:				; CODE XREF: PopFxAcpiForwardNotification(x,x,x,x,x)+4Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PopFxAcpiForwardNotification@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxAcpiForwardPepAcpiNotifyRequest(x, x)
_PopFxAcpiForwardPepAcpiNotifyRequest@8	proc near ; CODE XREF: PopFxProcessWork+F0A4Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_PopFxFindAndReferenceAcpiDevice@4 ; PopFxFindAndReferenceAcpiDevice(x)
		test	eax, eax
		js	short loc_65BABE
		xor	ebx, ebx
		cmp	[esi+2Ch], ebx
		jnz	short loc_65BA87
		push	ebx
		push	dword ptr [edi]
		mov	edx, esi
		mov	ecx, 668h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_65BA87:				; CODE XREF: PopFxAcpiForwardPepAcpiNotifyRequest(x,x)+1Dj
		mov	eax, ds:dword_6BF844
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_14]
		push	eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_8], edi
		call	ds:_PopFxPlatformInterface
		or	eax, 0FFFFFFFFh
		lock xadd [esi+98h], eax
		dec	eax
		jnz	short loc_65BABE
		push	ebx
		push	ebx
		lea	eax, [esi+9Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_65BABE:				; CODE XREF: PopFxAcpiForwardPepAcpiNotifyRequest(x,x)+16j
					; PopFxAcpiForwardPepAcpiNotifyRequest(x,x)+55j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopFxAcpiForwardPepAcpiNotifyRequest@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxAcpiForwardPepWorkRequest(x, x)
_PopFxAcpiForwardPepWorkRequest@8 proc near ; CODE XREF: PopFxProcessWork+F07F2p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		cmp	[esi+2Ch], ebx
		jnz	short loc_65BAE6
		push	ebx
		push	dword ptr [edx]
		mov	edx, esi
		mov	ecx, 668h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_65BAE6:				; CODE XREF: PopFxAcpiForwardPepWorkRequest(x,x)+12j
		lea	edi, [esi+98h]
		lock inc dword ptr [edi]
		cmp	[esi+94h], bl
		jz	short loc_65BB00
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		jmp	short loc_65BB23
; 

loc_65BB00:				; CODE XREF: PopFxAcpiForwardPepWorkRequest(x,x)+32j
		mov	eax, ds:dword_6BF844
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_14]
		push	eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_8], edx
		call	ds:_PopFxPlatformInterface
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		dec	eax

loc_65BB23:				; CODE XREF: PopFxAcpiForwardPepWorkRequest(x,x)+3Bj
		jnz	short loc_65BB33
		push	ebx
		push	ebx
		lea	eax, [esi+9Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_65BB33:				; CODE XREF: PopFxAcpiForwardPepWorkRequest(x,x):loc_65BB23j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopFxAcpiForwardPepWorkRequest@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxAcpiForwardRequestCommon(x, x)
_PopFxAcpiForwardRequestCommon@8 proc near ; CODE XREF:	PopFxRequestCommon(x,x)+18p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_C], 0
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], 1
		sub	ecx, 1
		jz	short loc_65BB5A
		mov	eax, 0C00000BBh
		leave
		retn
; 

loc_65BB5A:				; CODE XREF: PopFxAcpiForwardRequestCommon(x,x)+19j
		lea	eax, [ebp+var_10]
		mov	[ebp+var_4], edx
		push	eax
		call	ds:_PopFxPlatformInterface
		leave
		retn
_PopFxAcpiForwardRequestCommon@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxAcpiPrepareDevice(x, x, x, x)
_PopFxAcpiPrepareDevice@16 proc	near	; CODE XREF: PopFxAcpiDispatchNotification(x)+AFp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	[ebp+var_4], edx
		xor	edx, edx
		push	edi
		call	PopFxFindAcpiDeviceByUniqueId
		mov	edi, eax
		test	edi, edi
		js	short loc_65BB8A
		mov	edi, 0C0000001h
		jmp	loc_65BC22
; 

loc_65BB8A:				; CODE XREF: PopFxAcpiPrepareDevice(x,x,x,x)+15j
		mov	eax, large fs:124h
		push	ebx
		xor	ebx, ebx
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopFxPluginLock
		call	ExAcquirePushLockSharedEx
		mov	esi, ds:_PopFxPluginList
		jmp	short loc_65BBD6
; 

loc_65BBB0:				; CODE XREF: PopFxAcpiPrepareDevice(x,x,x,x)+73j
		cmp	dword ptr [esi+8], 3
		jb	short loc_65BBD4
		cmp	[esi+48h], ebx
		jz	short loc_65BBD4
		push	[ebp+var_4]
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_PopPluginAcpiNotificationStrict@12 ; PopPluginAcpiNotificationStrict(x,x,x)
		test	al, al
		jz	short loc_65BBD4
		mov	eax, [ebp+var_4]
		cmp	[eax+8], bl
		jnz	short loc_65BBE0

loc_65BBD4:				; CODE XREF: PopFxAcpiPrepareDevice(x,x,x,x)+4Bj
					; PopFxAcpiPrepareDevice(x,x,x,x)+50j ...
		mov	esi, [esi]

loc_65BBD6:				; CODE XREF: PopFxAcpiPrepareDevice(x,x,x,x)+45j
		cmp	esi, offset _PopFxPluginList
		jnz	short loc_65BBB0
		jmp	short loc_65BBE2
; 

loc_65BBE0:				; CODE XREF: PopFxAcpiPrepareDevice(x,x,x,x)+69j
		mov	ebx, esi

loc_65BBE2:				; CODE XREF: PopFxAcpiPrepareDevice(x,x,x,x)+75j
		push	11h
		xor	edx, edx
		mov	esi, offset _PopFxPluginLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_65BBFC
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_65BBFC:				; CODE XREF: PopFxAcpiPrepareDevice(x,x,x,x)+8Aj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	ebx, ebx
		jz	short loc_65BC20
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		mov	[eax], ebx
		mov	eax, [ebp+arg_4]
		mov	byte ptr [eax],	1

loc_65BC20:				; CODE XREF: PopFxAcpiPrepareDevice(x,x,x,x)+A8j
		pop	esi
		pop	ebx

loc_65BC22:				; CODE XREF: PopFxAcpiPrepareDevice(x,x,x,x)+1Cj
		mov	eax, edi
		pop	edi
		leave
		retn	8
_PopFxAcpiPrepareDevice@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxAcpiRegisterDevice(x, x, x, x,	x)
_PopFxAcpiRegisterDevice@20 proc near	; CODE XREF: PopFxAcpiDispatchNotification(x)+7Ap

var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		and	[ebp+var_4], 0
		lea	edi, [ebp+var_20]
		mov	[ebp+var_8], edx
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		push	ecx
		call	_PopFxCreateDeviceCommon@20 ; PopFxCreateDeviceCommon(x,x,x,x,x)
		mov	ebx, [ebp+var_4]
		mov	esi, eax
		mov	[ebp+var_C], esi
		test	esi, esi
		js	short loc_65BCBE
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_20]
		push	5
		pop	ecx
		push	eax
		lea	edi, [ebp+var_20]
		rep movsd
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		push	3
		pop	edx
		mov	[ebp+var_18], ebx
		call	_PopPluginAcpiNotificationStrict@12 ; PopPluginAcpiNotificationStrict(x,x,x)
		cmp	[ebp+var_14], 0
		jz	short loc_65BCA9
		push	ebx
		call	_PopFxInsertAcpiDevice@12 ; PopFxInsertAcpiDevice(x,x,x)
		cmp	[ebp+var_14], 0
		jz	short loc_65BCA9
		mov	ecx, [ebp+arg_8]
		mov	[ebx+2Ch], esi
		mov	eax, [ebp+var_14]
		mov	esi, [ebp+var_C]
		mov	[ebx+30h], eax
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		mov	eax, [ebp+var_14]
		mov	[ecx], eax
		jmp	short loc_65BCBA
; 

loc_65BCA9:				; CODE XREF: PopFxAcpiRegisterDevice(x,x,x,x,x)+57j
					; PopFxAcpiRegisterDevice(x,x,x,x,x)+63j
		mov	eax, [ebp+arg_4]
		mov	esi, 0C0000001h
		and	dword ptr [eax], 0
		mov	eax, [ebp+arg_8]
		and	dword ptr [eax], 0

loc_65BCBA:				; CODE XREF: PopFxAcpiRegisterDevice(x,x,x,x,x)+7Ej
		test	esi, esi
		jns	short loc_65BCD4

loc_65BCBE:				; CODE XREF: PopFxAcpiRegisterDevice(x,x,x,x,x)+32j
		test	ebx, ebx
		jz	short loc_65BCD4
		and	dword ptr [ebx+2Ch], 0
		mov	ecx, ebx
		and	dword ptr [ebx+30h], 0
		push	2
		pop	edx
		call	_PopFxDestroyDeviceCommon@8 ; PopFxDestroyDeviceCommon(x,x)

loc_65BCD4:				; CODE XREF: PopFxAcpiRegisterDevice(x,x,x,x,x)+93j
					; PopFxAcpiRegisterDevice(x,x,x,x,x)+97j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PopFxAcpiRegisterDevice@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxAcpiUnregisterDevice(x, x)
_PopFxAcpiUnregisterDevice@8 proc near	; CODE XREF: PopFxAcpiDispatchNotification(x)+63p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	18h
		push	1
		mov	esi, ecx
		mov	ebx, edx
		push	offset ??_C@_00CNPNBAHC@@FNODOBFM@
		push	72466F50h
		lea	edi, [esi+94h]
		push	edi
		call	IoAcquireRemoveLockEx
		lea	ecx, [esi+68h]
		mov	[ebp+var_4], eax
		cmp	[ecx], ecx
		jz	short loc_65BD15
		mov	edx, esi
		call	_PopFxRemoveAcpiDevice@8 ; PopFxRemoveAcpiDevice(x,x)

loc_65BD15:				; CODE XREF: PopFxAcpiUnregisterDevice(x,x)+2Fj
		push	18h
		push	72466F50h
		push	edi
		call	_IoReleaseRemoveLockAndWaitEx@12 ; IoReleaseRemoveLockAndWaitEx(x,x,x)
		mov	ecx, [esi+2Ch]
		push	ebx
		push	4
		pop	edx
		call	_PopPluginAcpiNotificationStrict@12 ; PopPluginAcpiNotificationStrict(x,x,x)
		push	0FFFFFFFBh
		pop	ecx
		lea	eax, [esi+238h]
		lock and [eax],	ecx
		and	dword ptr [esi+2Ch], 0
		mov	ecx, esi
		and	dword ptr [esi+30h], 0
		push	2
		pop	edx
		call	_PopFxDestroyDeviceCommon@8 ; PopFxDestroyDeviceCommon(x,x)
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopFxAcpiUnregisterDevice@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopFxAcpiValidateParameters(x)
_PopFxAcpiValidateParameters@4 proc near ; CODE	XREF: PopFxAcpiDispatchNotification(x)+1Dp
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_65BDC5
		push	esi
		mov	esi, [ecx+0Ch]
		push	edi
		mov	edi, [ecx+8]
		test	edi, edi
		jz	short loc_65BDC3
		test	esi, esi
		jz	short loc_65BDC3
		mov	eax, [ecx]
		sub	eax, 1
		jz	short loc_65BD9E
		sub	eax, 1
		jz	short loc_65BD99
		sub	eax, 1
		jz	short loc_65BD94
		sub	eax, 1
		jz	short loc_65BD8F
		mov	eax, [ecx+4]
		mov	eax, [eax+238h]
		test	al, 4
		jz	short loc_65BDC3
		jmp	short loc_65BDC1
; 

loc_65BD8F:				; CODE XREF: PopFxAcpiValidateParameters(x)+2Aj
		cmp	esi, 8
		jmp	short loc_65BDBF
; 

loc_65BD94:				; CODE XREF: PopFxAcpiValidateParameters(x)+25j
		cmp	esi, 14h
		jmp	short loc_65BDA1
; 

loc_65BD99:				; CODE XREF: PopFxAcpiValidateParameters(x)+20j
		cmp	esi, 8
		jmp	short loc_65BDA1
; 

loc_65BD9E:				; CODE XREF: PopFxAcpiValidateParameters(x)+1Bj
		cmp	esi, 10h

loc_65BDA1:				; CODE XREF: PopFxAcpiValidateParameters(x)+43j
					; PopFxAcpiValidateParameters(x)+48j
		jb	short loc_65BDC3
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_65BDC3
		cmp	[eax+4], edx
		jz	short loc_65BDC3
		movzx	ecx, word ptr [eax]
		cmp	ecx, 4
		jb	short loc_65BDC3
		movzx	eax, word ptr [eax+2]
		add	ecx, 2
		cmp	eax, ecx

loc_65BDBF:				; CODE XREF: PopFxAcpiValidateParameters(x)+3Ej
		jb	short loc_65BDC3

loc_65BDC1:				; CODE XREF: PopFxAcpiValidateParameters(x)+39j
		mov	dl, 1

loc_65BDC3:				; CODE XREF: PopFxAcpiValidateParameters(x)+10j
					; PopFxAcpiValidateParameters(x)+14j ...
		pop	edi
		pop	esi

loc_65BDC5:				; CODE XREF: PopFxAcpiValidateParameters(x)+4j
		mov	al, dl
		retn
_PopFxAcpiValidateParameters@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagGetDeviceActiveStamp(x)
_PopDirectedDripsDiagGetDeviceActiveStamp@4 proc near
					; CODE XREF: PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+CEp

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		mov	[ebp+var_8], edi
		test	esi, esi
		jz	short loc_65BE2F
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [esi+160h]
		mov	[ebp+var_1], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte ptr [esi+164h], 0
		jz	short loc_65BE0B
		mov	eax, [esi+174h]
		mov	edi, [esi+170h]
		mov	[ebp+var_8], eax

loc_65BE0B:				; CODE XREF: PopDirectedDripsDiagGetDeviceActiveStamp(x)+32j
		test	ds:byte_70EFC6,	1
		jz	short loc_65BE20
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65BE25
; 

loc_65BE20:				; CODE XREF: PopDirectedDripsDiagGetDeviceActiveStamp(x)+4Aj
		xor	eax, eax
		lock and [ebx],	eax

loc_65BE25:				; CODE XREF: PopDirectedDripsDiagGetDeviceActiveStamp(x)+56j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx

loc_65BE2F:				; CODE XREF: PopDirectedDripsDiagGetDeviceActiveStamp(x)+12j
		mov	edx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
_PopDirectedDripsDiagGetDeviceActiveStamp@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagPnpActionQueueAccountingUpdate(x, x)
_PopDirectedDripsDiagPnpActionQueueAccountingUpdate@8 proc near
					; CODE XREF: PopDirectedDripsHandleResiliencyNotification(x)+4Bp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	bl, dl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset dword_6BF65C
		mov	bh, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	ds:byte_6BF6D0,	bl
		jz	short loc_65BE64
		mov	dl, bl
		call	_PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe@8 ; PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)

loc_65BE64:				; CODE XREF: PopDirectedDripsDiagPnpActionQueueAccountingUpdate(x,x)+23j
		test	ds:byte_70EFC6,	1
		jz	short loc_65BE79
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65BE7E
; 

loc_65BE79:				; CODE XREF: PopDirectedDripsDiagPnpActionQueueAccountingUpdate(x,x)+33j
		xor	eax, eax
		lock and [esi],	eax

loc_65BE7E:				; CODE XREF: PopDirectedDripsDiagPnpActionQueueAccountingUpdate(x,x)+3Fj
		pop	esi
		mov	cl, bh
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_PopDirectedDripsDiagPnpActionQueueAccountingUpdate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,	x)
_PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe@8 proc near
					; CODE XREF: PopDirectedDripsDiagPnpActionQueueAccountingUpdate(x,x)+27p
					; PopDirectedDripsDiagQueryAndResetPnpAccounting(x,x,x,x)+27p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	bl, dl
		push	edi
		mov	[ebp+var_1], bl
		call	KeQueryInterruptTime
		mov	edi, eax
		test	bl, bl
		jnz	short loc_65BF1F
		mov	ebx, ds:dword_6BF664
		push	esi
		xor	esi, esi
		cmp	ebx, 1Ah
		jz	short loc_65BED9
		mov	ecx, edi
		mov	eax, edx
		sub	ecx, ds:dword_6BF6E8
		sbb	eax, ds:dword_6BF6EC
		add	ds:dword_6BF6F0[ebx*8],	ecx
		adc	ds:dword_6BF6F4[ebx*8],	eax
		mov	ds:dword_6BF6E8, esi
		mov	ds:dword_6BF6EC, esi

loc_65BED9:				; CODE XREF: PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)+24j
		cmp	ds:dword_6BF660, esi
		jz	short loc_65BF05
		sub	edi, ds:dword_6BF6E0
		mov	ds:dword_6BF6E0, esi
		sbb	edx, ds:dword_6BF6E4
		add	ds:dword_6BF6D8, edi
		mov	ds:dword_6BF6E4, esi
		adc	ds:dword_6BF6DC, edx

loc_65BF05:				; CODE XREF: PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)+56j
					; PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)+8Ej
		mov	eax, ds:dword_6BF668[esi]
		sub	ds:dword_6BF7C0[esi], eax
		add	esi, 4
		cmp	esi, 68h
		jb	short loc_65BF05
		mov	bl, [ebp+var_1]
		pop	esi
		jmp	short loc_65BF5F
; 

loc_65BF1F:				; CODE XREF: PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)+16j
		cmp	ds:dword_6BF664, 1Ah
		jz	short loc_65BF34
		mov	ds:dword_6BF6E8, edi
		mov	ds:dword_6BF6EC, edx

loc_65BF34:				; CODE XREF: PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)+9Dj
		cmp	ds:dword_6BF660, 0
		jz	short loc_65BF49
		mov	ds:dword_6BF6E0, edi
		mov	ds:dword_6BF6E4, edx

loc_65BF49:				; CODE XREF: PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)+B2j
		xor	ecx, ecx

loc_65BF4B:				; CODE XREF: PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)+D4j
		mov	eax, ds:dword_6BF668[ecx]
		add	ds:dword_6BF7C0[ecx], eax
		add	ecx, 4
		cmp	ecx, 68h
		jb	short loc_65BF4B

loc_65BF5F:				; CODE XREF: PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)+94j
		pop	edi
		mov	ds:byte_6BF6D0,	bl
		pop	ebx
		leave
		retn
_PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagQueryAndResetPnpAccounting(x, x, x, x)
_PopDirectedDripsDiagQueryAndResetPnpAccounting@16 proc	near
					; CODE XREF: PopDirectedDripsDiagNotifySessionStop(x,x,x)+4Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_6BF65C
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	bl, ds:byte_6BF6D0
		test	bl, bl
		jz	short loc_65BF96
		xor	dl, dl
		call	_PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe@8 ; PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)

loc_65BF96:				; CODE XREF: PopDirectedDripsDiagQueryAndResetPnpAccounting(x,x,x,x)+23j
		mov	eax, ds:dword_6BF6D8
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[esi], eax
		mov	eax, ds:dword_6BF6DC
		mov	[esi+4], eax
		mov	eax, offset dword_6BF7C0
		push	1Ah
		pop	ecx
		mov	esi, eax
		rep movsd
		mov	edi, [ebp+arg_4]
		mov	esi, offset dword_6BF6F0
		push	34h
		pop	ecx
		rep movsd
		xor	esi, esi
		push	68h		; size_t
		push	esi		; int
		push	eax		; void *
		mov	ds:dword_6BF6D8, esi
		mov	ds:dword_6BF6DC, esi
		call	_memset
		push	0D0h		; size_t
		push	esi		; int
		push	offset dword_6BF6F0 ; void *
		call	_memset
		add	esp, 18h
		pop	edi
		test	bl, bl
		jz	short loc_65BFF8
		mov	dl, 1
		call	_PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe@8 ; PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)

loc_65BFF8:				; CODE XREF: PopDirectedDripsDiagQueryAndResetPnpAccounting(x,x,x,x)+85j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_6BF65C
		jz	short loc_65C010
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65C015
; 

loc_65C010:				; CODE XREF: PopDirectedDripsDiagQueryAndResetPnpAccounting(x,x,x,x)+9Aj
		xor	eax, eax
		lock and [ecx],	eax

loc_65C015:				; CODE XREF: PopDirectedDripsDiagQueryAndResetPnpAccounting(x,x,x,x)+A4j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_PopDirectedDripsDiagQueryAndResetPnpAccounting@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagTraceDfxPowerStateFailure(x)
_PopDirectedDripsDiagTraceDfxPowerStateFailure@4 proc near
					; CODE XREF: PopFxEnforceDirectedPowerTransition(x,x,x)+19p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		push	esi
		mov	esi, ecx
		mov	[ebp+var_48], esi
		jz	loc_65C0D0
		push	ebx
		mov	ebx, ds:_PopDiagHandle
		push	edi
		mov	edi, ds:dword_6C1D74
		push	offset _POP_ETW_EVENT_DIRECTED_FX_POWER_STATE_FAILURE
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_65C0CE
		lea	ecx, [esi+1Ch]
		mov	edx, [ecx]
		push	4
		pop	esi
		movzx	eax, word ptr [edx+14h]
		and	[ebp+var_20], 0
		and	[ebp+var_18], 0
		shr	eax, 1
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_44], eax
		xor	eax, eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_24], eax
		mov	[ebp+var_3C], esi
		mov	[ebp+var_34], ecx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_1C], esi
		movzx	ecx, word ptr [edx+14h]
		mov	eax, [edx+18h]
		xor	edx, edx
		mov	[ebp+var_14], eax
		mov	eax, ecx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	esi
		push	edx
		push	offset _POP_ETW_EVENT_DIRECTED_FX_POWER_STATE_FAILURE
		push	edi
		push	ebx
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65C0CE:				; CODE XREF: PopDirectedDripsDiagTraceDfxPowerStateFailure(x)+41j
		pop	edi
		pop	ebx

loc_65C0D0:				; CODE XREF: PopDirectedDripsDiagTraceDfxPowerStateFailure(x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDirectedDripsDiagTraceDfxPowerStateFailure@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagTraceNotifyDevices(x, x, x, x)
_PopDirectedDripsDiagTraceNotifyDevices@16 proc	near
					; CODE XREF: PopDirectedDripsResumeDevices(x,x)+9Bp
					; PopDirectedDripsSuspendDevices(x)+13Dp

var_86		= byte ptr -86h
var_84		= dword	ptr -84h
var_72		= byte ptr -72h
var_71		= byte ptr -71h
var_70		= dword	ptr -70h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 78h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+78h+var_4], eax
		mov	[esp+78h+var_50], edx
		mov	al, cl
		mov	[esp+78h+var_72], al
		push	esi
		push	edi
		test	edx, edx
		js	loc_65C3FC
		test	al, al
		jz	short loc_65C114
		call	_IoDiagTraceDirectedDripsCandidateDevices@0 ; IoDiagTraceDirectedDripsCandidateDevices()
		mov	edx, [esp+80h+var_50]

loc_65C114:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+2Cj
		test	edx, edx
		js	loc_65C3FC
		mov	esi, offset _PopDirectedDripsDiagLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		call	KeQueryInterruptTime
		mov	ecx, ds:_PopDirectedDripsDiagSessionContext
		mov	[esp+80h+var_54], eax
		mov	[esp+80h+var_5C], edx
		mov	[esp+80h+var_58], ecx
		cmp	ecx, offset _PopDirectedDripsDiagSessionContext
		jz	loc_65C22F
		mov	al, [esp+80h+var_72]

loc_65C151:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+147j
		test	al, al
		jz	short loc_65C16B
		mov	esi, [ecx+20h]
		mov	edi, [ecx+24h]
		and	dword ptr [ecx+20h], 0
		and	dword ptr [ecx+24h], 0
		push	28h
		pop	eax
		push	40h
		pop	edx
		jmp	short loc_65C17F
; 

loc_65C16B:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+76j
		mov	esi, [ecx+68h]
		mov	edi, [ecx+6Ch]
		and	dword ptr [ecx+68h], 0
		and	dword ptr [ecx+6Ch], 0
		push	70h
		pop	eax
		lea	edx, [eax+18h]

loc_65C17F:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+8Cj
		add	eax, ecx
		mov	[esp+80h+var_60], edi
		mov	[esp+80h+var_70], eax
		add	edx, ecx
		mov	eax, [ecx+14h]
		cmp	eax, ds:dword_6BF830
		jnz	short loc_65C214
		mov	eax, esi
		or	eax, edi
		jz	short loc_65C214
		test	dword ptr [ecx+18h], 100h
		jnz	short loc_65C214
		mov	edi, [esp+80h+var_54]
		mov	eax, [esp+80h+var_5C]
		sub	edi, esi
		sbb	eax, [esp+80h+var_60]
		xor	esi, esi
		mov	[esp+80h+var_60], eax
		mov	eax, offset dword_40B750
		mov	ecx, [esp+80h+var_60]
		sub	eax, edx

loc_65C1C4:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+119j
		cmp	ecx, [edx+eax-4]
		jb	short loc_65C1EF
		ja	short loc_65C1D2
		cmp	edi, [edx+eax-8]
		jb	short loc_65C1EF

loc_65C1D2:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+EDj
		cmp	ecx, [edx+eax+4]
		ja	short loc_65C1EF
		jb	short loc_65C1DF
		cmp	edi, [edx+eax]
		jnb	short loc_65C1EF

loc_65C1DF:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+FBj
		mov	ecx, [esp+80h+var_70]
		inc	dword ptr [ecx+esi*4]
		add	[edx], edi
		mov	ecx, [esp+80h+var_60]
		adc	[edx+4], ecx

loc_65C1EF:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+EBj
					; PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+F3j ...
		inc	esi
		add	edx, 8
		cmp	esi, 5
		jb	short loc_65C1C4
		mov	al, [esp+80h+var_72]
		mov	ecx, [esp+80h+var_58]
		test	al, al
		jz	short loc_65C218
		mov	edx, [esp+80h+var_54]
		mov	[ecx+68h], edx
		mov	edx, [esp+80h+var_5C]
		mov	[ecx+6Ch], edx
		jmp	short loc_65C218
; 

loc_65C214:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+B7j
					; PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+BDj ...
		mov	al, [esp+80h+var_72]

loc_65C218:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+125j
					; PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+135j
		mov	ecx, [ecx]
		mov	[esp+80h+var_58], ecx
		cmp	ecx, offset _PopDirectedDripsDiagSessionContext
		jnz	loc_65C151
		mov	esi, offset _PopDirectedDripsDiagLock

loc_65C22F:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+6Aj
		or	edx, 0FFFFFFFFh
		mov	[esp+80h+var_58], edx
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_65C24C
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh

loc_65C24C:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+163j
		xor	edi, edi
		mov	[esp+80h+var_5C], edi
		test	esi, 7FFFFFFCh
		jz	loc_65C3FC
		mov	esi, large fs:124h
		mov	ecx, offset _PopDirectedDripsDiagLock
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[esp+80h+var_54], esi
		mov	[esp+80h+var_70], eax
		cmp	eax, offset _PopDirectedDripsDiagLock
		ja	short loc_65C2B1
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_65C2A0
		mov	eax, [esp+80h+var_70]
		cmp	eax, offset _PopDirectedDripsDiagLock
		ja	short loc_65C2B1
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_65C2B1

loc_65C2A0:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+1ADj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[esp+80h+var_58], eax

loc_65C2B1:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+1A2j
					; PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+1B8j	...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _PopDirectedDripsDiagLock
		mov	[esp+84h+var_71], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+80h+var_70], ecx
		test	ecx, ecx
		jnz	short loc_65C300
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_65C36A
		push	ecx
		push	[esp+84h+var_58]
		push	offset _PopDirectedDripsDiagLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_65C300:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+202j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_65C317
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+94h+var_84]

loc_65C317:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+22Fj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+94h+var_70], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [esp+0Fh], 1
		jnz	short loc_65C35D
		or	[esi+1E4h], dl
		jmp	short loc_65C36A
; 

loc_65C35D:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+276j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [esp+94h+var_68]

loc_65C36A:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+20Cj
					; PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+27Ej
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+94h+var_84], eax
		jz	short loc_65C3D6
		test	edi, 8000h
		jz	short loc_65C38F
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_65C38F:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+2A7j
		test	byte ptr [esp+94h+var_70+2], 1
		jz	short loc_65C3A6
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_65C3A6:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+2B7j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_65C3BA
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_65C3BA:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+2D0j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_65C3D6
		push	[esp+94h+var_84]
		mov	edx, offset _PopDirectedDripsDiagLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_65C3D6:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+29Fj
					; PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+2E7j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_65C3FC
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_65C3FC
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_65C3FC:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+24j
					; PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+39j ...
		cmp	ds:_PopDiagHandleRegistered, 0
		jz	loc_65C4AA
		mov	esi, ds:dword_6C1D74
		mov	edi, ds:_PopDiagHandle
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_NOTIFY_DEVICES
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_65C4AA
		movzx	eax, [esp+94h+var_86]
		xor	edx, edx
		mov	[esp+94h+var_60], eax
		lea	eax, [esp+94h+var_60]
		mov	[esp+94h+var_4C], eax
		lea	eax, [esp+94h+var_64]
		push	4
		pop	ecx
		mov	[esp+94h+var_3C], eax
		lea	eax, [ebp+arg_0]
		mov	[esp+94h+var_2C], eax
		lea	eax, [esp+94h+var_5C]
		push	eax
		push	ecx
		push	edx
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_NOTIFY_DEVICES
		push	esi
		push	edi
		mov	[esp+0ACh+var_5C], offset _PopWnfCsEnterScenarioId
		mov	[esp+0ACh+var_58], edx
		mov	[esp+0ACh+var_54], 1
		mov	[esp+0ACh+var_50], edx
		mov	[esp+0ACh+var_48], edx
		mov	[esp+0ACh+var_44], ecx
		mov	[esp+0ACh+var_40], edx
		mov	[esp+0ACh+var_38], edx
		mov	[esp+0ACh+var_34], ecx
		mov	[esp+0ACh+var_30], edx
		mov	[esp+0ACh+var_28], edx
		mov	[esp+0ACh+var_24], 8
		mov	[esp+0ACh+var_20], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65C4AA:				; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+326j
					; PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+346j
		mov	ecx, [esp+94h+var_18]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_PopDirectedDripsDiagTraceNotifyDevices@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlActivateDeviceIterator(x, x)
_PopPlActivateDeviceIterator@8 proc near ; DATA	XREF: PopPlRegisterPowerPlane(x,x)+70o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	esi, [eax+18h]
		mov	ecx, [ecx+4]
		lea	edx, [esi+70h]
		call	_PopPlLookupDevicePowerProfile@8 ; PopPlLookupDevicePowerProfile(x,x)
		test	eax, eax
		jz	short loc_65C4EA
		mov	ecx, [esi+1Ch]
		xor	dl, dl
		push	0
		mov	ecx, [ecx+10h]
		call	PopFxActivateDevice

loc_65C4EA:				; CODE XREF: PopPlActivateDeviceIterator(x,x)+1Cj
		mov	al, 1
		pop	esi
		pop	ebp
		retn	8
_PopPlActivateDeviceIterator@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlCalculateDevicePowerDraw(x, x,	x, x)
_PopPlCalculateDevicePowerDraw@16 proc near ; CODE XREF: PopPlNotifyDeviceDState+84A07p
					; PopPlNotifyDeviceFState+81E22p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ecx+304h]
		test	esi, esi
		jnz	short loc_65C505
		xor	edx, edx
		jmp	short loc_65C573
; 

loc_65C505:				; CODE XREF: PopPlCalculateDevicePowerDraw(x,x,x,x)+Ej
		test	edx, edx
		jnz	short loc_65C50F
		mov	edx, [ecx+1Ch]
		add	edx, 58h

loc_65C50F:				; CODE XREF: PopPlCalculateDevicePowerDraw(x,x,x,x)+16j
		mov	eax, [edx]
		mov	edx, [esi+eax*8+10h]
		cmp	eax, 1
		jg	short loc_65C573
		xor	esi, esi
		cmp	[ecx+23Ch], esi
		jbe	short loc_65C573
		push	ebx
		push	edi

loc_65C526:				; CODE XREF: PopPlCalculateDevicePowerDraw(x,x,x,x)+7Ej
		mov	eax, [ecx+240h]
		mov	eax, [eax+esi*4]
		mov	edi, [eax+16Ch]
		test	edi, edi
		jz	short loc_65C568
		cmp	dword ptr [edi+14h], 0
		jz	short loc_65C568
		cmp	[ebp+arg_0], 0
		jnz	short loc_65C54A

loc_65C545:				; CODE XREF: PopPlCalculateDevicePowerDraw(x,x,x,x)+62j
		mov	eax, [eax+68h]
		jmp	short loc_65C55A
; 

loc_65C54A:				; CODE XREF: PopPlCalculateDevicePowerDraw(x,x,x,x)+52j
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_65C555
		cmp	[ebx], esi
		jnz	short loc_65C545

loc_65C555:				; CODE XREF: PopPlCalculateDevicePowerDraw(x,x,x,x)+5Ej
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]

loc_65C55A:				; CODE XREF: PopPlCalculateDevicePowerDraw(x,x,x,x)+57j
		mov	ebx, [edi+14h]
		cmp	eax, ebx
		jb	short loc_65C564
		lea	eax, [ebx-1]

loc_65C564:				; CODE XREF: PopPlCalculateDevicePowerDraw(x,x,x,x)+6Ej
		sub	edx, [edi+eax*8+1Ch]

loc_65C568:				; CODE XREF: PopPlCalculateDevicePowerDraw(x,x,x,x)+46j
					; PopPlCalculateDevicePowerDraw(x,x,x,x)+4Cj
		inc	esi
		cmp	esi, [ecx+23Ch]
		jb	short loc_65C526
		pop	edi
		pop	ebx

loc_65C573:				; CODE XREF: PopPlCalculateDevicePowerDraw(x,x,x,x)+12j
					; PopPlCalculateDevicePowerDraw(x,x,x,x)+27j ...
		mov	eax, edx
		pop	esi
		pop	ebp
		retn	8
_PopPlCalculateDevicePowerDraw@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlCommitPowerPlaneRegistration(x)
_PopPlCommitPowerPlaneRegistration@4 proc near ; DATA XREF: PopPlRegisterPowerPlane(x,x)+A1o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, [edi+4]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [esi+8]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	[esi+0Ch], bl
		mov	eax, [edi+4]
		pop	edi
		pop	esi
		mov	ds:_PopPowerPlane, eax
		pop	ebx
		pop	ebp
		retn	4
_PopPlCommitPowerPlaneRegistration@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlIdleDeviceIterator(x, x)
_PopPlIdleDeviceIterator@8 proc	near	; DATA XREF: PopPlRegisterPowerPlane(x,x)+BDo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	esi, [eax+18h]
		mov	ecx, [ecx+4]
		lea	edx, [esi+70h]
		call	_PopPlLookupDevicePowerProfile@8 ; PopPlLookupDevicePowerProfile(x,x)
		test	eax, eax
		jz	short loc_65C5D3
		mov	ecx, [esi+1Ch]
		mov	ecx, [ecx+10h]
		call	PoFxIdleDevice

loc_65C5D3:				; CODE XREF: PopPlIdleDeviceIterator(x,x)+1Cj
		mov	al, 1
		pop	esi
		pop	ebp
		retn	8
_PopPlIdleDeviceIterator@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopPlLockPowerPlane(x)
_PopPlLockPowerPlane@4 proc near	; CODE XREF: PopPlUnregisterDevice(x)+38p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [esi+8]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	[esi+0Ch], bl
		pop	esi
		pop	ebx
		retn
_PopPlLockPowerPlane@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlLookupComponentPowerProfile(x,	x)
_PopPlLookupComponentPowerProfile@8 proc near ;	CODE XREF: PopPlRegisterComponent+84FC1p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx+34h]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], eax
		mov	ebx, esi
		test	eax, eax
		jz	short loc_65C63C
		push	edi
		mov	edi, [ecx+38h]

loc_65C615:				; CODE XREF: PopPlLookupComponentPowerProfile(x,x)+40j
		mov	eax, [edi]
		push	10h		; size_t
		push	eax		; void *
		push	edx		; void *
		mov	[ebp+var_C], eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_65C638
		inc	ebx
		add	edi, 4
		cmp	ebx, [ebp+var_4]
		jnb	short loc_65C63B
		mov	edx, [ebp+var_8]
		jmp	short loc_65C615
; 

loc_65C638:				; CODE XREF: PopPlLookupComponentPowerProfile(x,x)+32j
		mov	esi, [ebp+var_C]

loc_65C63B:				; CODE XREF: PopPlLookupComponentPowerProfile(x,x)+3Bj
		pop	edi

loc_65C63C:				; CODE XREF: PopPlLookupComponentPowerProfile(x,x)+19j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PopPlLookupComponentPowerProfile@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlLookupDevicePowerProfile(x, x)
_PopPlLookupDevicePowerProfile@8 proc near ; CODE XREF:	PopPlRegisterDevice+84EE0p
					; PopPlActivateDeviceIterator(x,x)+15p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx+1Ch]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], eax
		mov	ebx, esi
		test	eax, eax
		jz	short loc_65C685
		push	edi
		mov	edi, [ecx+20h]

loc_65C661:				; CODE XREF: PopPlLookupDevicePowerProfile(x,x)+3Bj
		mov	eax, [edi]
		push	1
		push	eax
		push	edx
		mov	[ebp+var_C], eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_65C681
		mov	edx, [ebp+var_8]
		inc	ebx
		add	edi, 4
		cmp	ebx, [ebp+var_4]
		jb	short loc_65C661
		jmp	short loc_65C684
; 

loc_65C681:				; CODE XREF: PopPlLookupDevicePowerProfile(x,x)+2Fj
		mov	esi, [ebp+var_C]

loc_65C684:				; CODE XREF: PopPlLookupDevicePowerProfile(x,x)+3Dj
		pop	edi

loc_65C685:				; CODE XREF: PopPlLookupDevicePowerProfile(x,x)+19j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PopPlLookupDevicePowerProfile@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlPublishInitialPowerDraw(x, x)
_PopPlPublishInitialPowerDraw@8	proc near ; DATA XREF: PopPlRegisterPowerPlane(x,x)+9Co

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax+4]
		xor	edi, edi
		mov	ebx, [eax]
		mov	[esp+0C0h+var_9C], esi
		cmp	[esi+1Ch], edi
		jbe	loc_65C7FD

loc_65C6C1:				; CODE XREF: PopPlPublishInitialPowerDraw(x,x)+16Cj
		mov	eax, [esi+20h]
		mov	edx, [eax+edi*4]
		cmp	dword ptr [edx+0Ch], 0
		jnz	loc_65C7F3
		mov	eax, [edx+18h]
		add	ebx, eax
		mov	[edx+10h], eax
		cmp	ds:dword_6B23F8, 5
		mov	[esp+0C0h+var_B0], eax
		jbe	loc_65C7F3
		movzx	ecx, word ptr [edx]
		lea	eax, [esp+0C0h+var_AC]
		and	[esp+0C0h+var_74], 0
		lea	esi, [esp+0C0h+var_50]
		and	[esp+0C0h+var_6C], 0
		mov	[esp+0C0h+var_78], eax
		mov	eax, [edx+4]
		mov	[esp+0C0h+var_58], eax
		lea	eax, [esp+0C0h+var_A8]
		mov	[esp+0C0h+var_48], eax
		mov	eax, [esp+0C0h+var_B0]
		mov	[esp+0C0h+var_B0], eax
		lea	eax, [esp+0C0h+var_B0]
		mov	[esp+0C0h+var_38], eax
		lea	eax, [esp+0C0h+var_A4]
		push	4
		mov	[esp+0C4h+var_28], eax
		mov	eax, [edx+8]
		mov	edx, offset loc_420B88
		mov	[esp+0C4h+var_50], ecx
		pop	ecx
		mov	[esp+0C0h+var_68], esi
		xor	esi, esi
		mov	[esp+0C0h+var_40], ecx
		mov	[esp+0C0h+var_30], ecx
		mov	[esp+0C0h+var_20], ecx
		mov	[esp+0C0h+var_AC], 1
		mov	[esp+0C0h+var_70], 2
		mov	[esp+0C0h+var_64], esi
		mov	[esp+0C0h+var_60], 2
		mov	[esp+0C0h+var_5C], esi
		mov	[esp+0C0h+var_54], esi
		mov	[esp+0C0h+var_4C], esi
		mov	[esp+0C0h+var_A8], esi
		mov	[esp+0C0h+var_44], esi
		mov	[esp+0C0h+var_3C], esi
		mov	[esp+0C0h+var_34], esi
		mov	[esp+0C0h+var_2C], esi
		mov	[esp+0C0h+var_A4], esi
		mov	[esp+0C0h+var_24], esi
		mov	[esp+0C0h+var_1C], esi
		mov	eax, [eax+10h]
		mov	[esp+0C0h+var_A0], eax
		lea	eax, [esp+0C0h+var_A0]
		mov	[esp+0C0h+var_18], eax
		lea	eax, [esp+0C0h+var_98]
		push	eax
		push	9
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	[esp+0D8h+var_10], ecx
		push	ecx
		mov	ecx, offset dword_6B23F8
		mov	[esp+0DCh+var_14], esi
		mov	[esp+0DCh+var_C], esi
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		mov	esi, [esp+0C0h+var_9C]

loc_65C7F3:				; CODE XREF: PopPlPublishInitialPowerDraw(x,x)+40j
					; PopPlPublishInitialPowerDraw(x,x)+59j
		inc	edi
		cmp	edi, [esi+1Ch]
		jb	loc_65C6C1

loc_65C7FD:				; CODE XREF: PopPlPublishInitialPowerDraw(x,x)+30j
		mov	edx, ebx
		mov	ecx, esi
		call	_PopPlPublishSystemPowerChange@8 ; PopPlPublishSystemPowerChange(x,x)
		mov	bl, [esi+0Ch]
		add	esi, 8
		test	ds:byte_70EFC6,	1
		jz	short loc_65C821
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65C826
; 

loc_65C821:				; CODE XREF: PopPlPublishInitialPowerDraw(x,x)+188j
		xor	eax, eax
		lock and [esi],	eax

loc_65C826:				; CODE XREF: PopPlPublishInitialPowerDraw(x,x)+194j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [esp+0C0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_PopPlPublishInitialPowerDraw@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlPublishSystemPowerChange(x, x)
_PopPlPublishSystemPowerChange@8 proc near ; CODE XREF:	PopPlNotifyDeviceDState+84B99p
					; PopPlNotifyDeviceFState+81F95p ...

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		test	edi, edi
		jz	loc_65C90A
		cmp	ds:dword_6B23F8, 5
		jbe	loc_65C8FE
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_7C], 1
		mov	[ebp+var_58], eax
		xor	edx, edx
		lea	eax, [ebp+var_30]
		mov	[ebp+var_54], edx
		mov	[ebp+var_48], eax
		mov	eax, [esi+4]
		mov	[ebp+var_38], eax
		movzx	eax, word ptr [esi]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_80]
		push	2
		pop	ecx
		mov	[ebp+var_28], eax
		mov	eax, [esi+10h]
		push	4
		add	eax, edi
		mov	[ebp+var_50], ecx
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_40], ecx
		pop	ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		push	edx
		push	edx
		push	1
		push	edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	ecx, offset dword_6B23F8
		mov	[ebp+var_C], edx
		push	edx
		mov	edx, (offset loc_420C5E+4)
		mov	[ebp+var_80], edi
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_65C8FE:				; CODE XREF: PopPlPublishSystemPowerChange(x,x)+2Aj
		add	[esi+10h], edi
		push	dword ptr [esi+10h]
		push	dword ptr [esi+14h]
		call	dword ptr [esi+18h]

loc_65C90A:				; CODE XREF: PopPlPublishSystemPowerChange(x,x)+1Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopPlPublishSystemPowerChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlRegisterDeviceIterator(x, x)
_PopPlRegisterDeviceIterator@8 proc near ; DATA	XREF: PopPlRegisterPowerPlane(x,x)+93o

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [eax+18h]
		mov	ecx, esi
		push	edi
		call	PopPlRegisterDevice
		test	al, al
		jz	loc_65CAAC
		xor	edi, edi
		cmp	[esi+23Ch], edi
		jbe	short loc_65C970

loc_65C959:				; CODE XREF: PopPlRegisterDeviceIterator(x,x)+56j
		mov	ecx, [esi+240h]
		mov	ecx, [ecx+edi*4]
		call	PopPlRegisterComponent
		inc	edi
		cmp	edi, [esi+23Ch]
		jb	short loc_65C959

loc_65C970:				; CODE XREF: PopPlRegisterDeviceIterator(x,x)+3Fj
		and	[esp+0C0h+var_B4], 0
		lea	eax, [esp+0C0h+var_B4]
		mov	edi, [esi+304h]
		lea	edx, [esp+0C0h+var_B0]
		push	0
		push	eax
		mov	ecx, esi
		mov	[esp+0C8h+var_B0], 1
		call	_PopPlCalculateDevicePowerDraw@16 ; PopPlCalculateDevicePowerDraw(x,x,x,x)
		mov	ecx, eax
		mov	[edi+10h], ecx
		cmp	ds:dword_6B23F8, 5
		jbe	loc_65CAA7
		and	[esp+0C0h+var_74], 0
		lea	eax, [esp+0C0h+var_AC]
		and	[esp+0C0h+var_6C], 0
		and	[esp+0C0h+var_64], 0
		and	[esp+0C0h+var_5C], 0
		and	[esp+0C0h+var_54], 0
		mov	[esp+0C0h+var_78], eax
		lea	eax, [esp+0C0h+var_50]
		mov	[esp+0C0h+var_68], eax
		mov	eax, [esi+74h]
		mov	[esp+0C0h+var_58], eax
		movzx	eax, word ptr [esi+70h]
		xor	esi, esi
		mov	[esp+0C0h+var_50], eax
		lea	eax, [esp+0C0h+var_A8]
		push	2
		pop	edx
		mov	[esp+0C0h+var_48], eax
		lea	eax, [esp+0C0h+var_A4]
		mov	[esp+0C0h+var_38], eax
		lea	eax, [esp+0C0h+var_A0]
		push	4
		mov	[esp+0C4h+var_28], eax
		mov	eax, [edi+8]
		mov	[esp+0C4h+var_70], edx
		mov	[esp+0C4h+var_60], edx
		pop	edx
		mov	[esp+0C0h+var_40], edx
		mov	[esp+0C0h+var_A4], ecx
		mov	[esp+0C0h+var_30], edx
		mov	[esp+0C0h+var_20], edx
		mov	[esp+0C0h+var_AC], 1
		mov	[esp+0C0h+var_4C], esi
		mov	[esp+0C0h+var_A8], esi
		mov	[esp+0C0h+var_44], esi
		mov	[esp+0C0h+var_3C], esi
		mov	[esp+0C0h+var_34], esi
		mov	[esp+0C0h+var_2C], esi
		mov	[esp+0C0h+var_A0], esi
		mov	[esp+0C0h+var_24], esi
		mov	[esp+0C0h+var_1C], esi
		mov	eax, [eax+10h]
		mov	[esp+0C0h+var_9C], eax
		lea	eax, [esp+0C0h+var_9C]
		mov	[esp+0C0h+var_18], eax
		lea	eax, [esp+0C0h+var_98]
		push	eax
		push	9
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	[esp+0D8h+var_10], edx
		mov	edx, offset loc_420B05
		push	ecx
		mov	ecx, offset dword_6B23F8
		mov	[esp+0DCh+var_14], esi
		mov	[esp+0DCh+var_C], esi
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_65CAA7:				; CODE XREF: PopPlRegisterDeviceIterator(x,x)+89j
		mov	ecx, [edi+10h]
		add	[ebx], ecx

loc_65CAAC:				; CODE XREF: PopPlRegisterDeviceIterator(x,x)+31j
		mov	ecx, [esp+0C0h+var_4]
		mov	al, 1
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_PopPlRegisterDeviceIterator@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlRegisterPowerPlane(x, x)
_PopPlRegisterPowerPlane@8 proc	near	; CODE XREF: PopPowerInformationInternal+171A8Bp

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_4C], esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], esi
		cmp	ds:_PopPowerPlane, esi
		jz	short loc_65CAF9
		mov	edi, 0C0000038h
		jmp	loc_65CB8E
; 

loc_65CAF9:				; CODE XREF: PopPlRegisterPowerPlane(x,x)+28j
		cmp	[ebx+4], esi
		jz	short loc_65CB08
		mov	edi, 0C0000059h
		jmp	loc_65CB8E
; 

loc_65CB08:				; CODE XREF: PopPlRegisterPowerPlane(x,x)+37j
		cmp	[ebx+0Ch], esi
		jnz	short loc_65CB14
		mov	edi, 0C000000Dh
		jmp	short loc_65CB8E
; 

loc_65CB14:				; CODE XREF: PopPlRegisterPowerPlane(x,x)+46j
		lea	eax, [ebp+var_4C]
		push	eax
		lea	eax, [ebx+edx]
		mov	edx, ebx
		push	eax
		lea	ecx, [ebx+10h]
		call	_PopPlInitPowerPlane@16	; PopPlInitPowerPlane(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_65CB8E
		mov	esi, [ebp+var_4C]
		lea	eax, [ebp+var_54]
		mov	ecx, [ebx+8]
		mov	edx, offset _PopPlActivateDeviceIterator@8 ; PopPlActivateDeviceIterator(x,x)
		push	eax
		mov	[esi+14h], ecx
		mov	ecx, [ebx+0Ch]
		xor	ebx, ebx
		push	ebx
		push	1
		push	ecx
		mov	[esi+18h], ecx
		xor	ecx, ecx
		push	ebx
		mov	[ebp+var_50], esi
		call	_PopPepIterateDeviceList@28 ; PopPepIterateDeviceList(x,x,x,x,x,x,x)
		lea	eax, [ebp+var_54]
		mov	edx, offset _PopPlRegisterDeviceIterator@8 ; PopPlRegisterDeviceIterator(x,x)
		push	eax
		push	ebx
		push	ebx
		push	ecx
		push	offset _PopPlPublishInitialPowerDraw@8 ; PopPlPublishInitialPowerDraw(x,x)
		mov	ecx, offset _PopPlCommitPowerPlaneRegistration@4 ; PopPlCommitPowerPlaneRegistration(x)
		call	_PopPepIterateDeviceList@28 ; PopPepIterateDeviceList(x,x,x,x,x,x,x)
		mov	ecx, esi
		call	_PopPlTraceLogPowerPlane@4 ; PopPlTraceLogPowerPlane(x)
		lea	eax, [ebp+var_54]
		xor	esi, esi
		push	eax
		push	1
		push	esi
		push	ecx
		push	esi
		mov	edx, offset _PopPlIdleDeviceIterator@8 ; PopPlIdleDeviceIterator(x,x)
		xor	ecx, ecx
		call	_PopPepIterateDeviceList@28 ; PopPepIterateDeviceList(x,x,x,x,x,x,x)

loc_65CB8E:				; CODE XREF: PopPlRegisterPowerPlane(x,x)+2Fj
					; PopPlRegisterPowerPlane(x,x)+3Ej ...
		cmp	ds:dword_6B23F8, 5
		jbe	short loc_65CBE0
		push	4
		pop	ecx
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_28], eax
		mov	edx, offset loc_420C17
		lea	eax, [ebp+var_58]
		mov	[ebp+var_4C], 1
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	ecx
		push	esi
		push	esi
		push	1
		push	esi
		push	esi
		mov	ecx, offset dword_6B23F8
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], 2
		mov	[ebp+var_1C], esi
		mov	[ebp+var_58], edi
		mov	[ebp+var_14], esi
		mov	[ebp+var_C], esi
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_65CBE0:				; CODE XREF: PopPlRegisterPowerPlane(x,x)+D0j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopPlRegisterPowerPlane@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlTraceLogPowerPlane(x)
_PopPlTraceLogPowerPlane@4 proc	near	; CODE XREF: PopPlRegisterPowerPlane(x,x)+ADp
					; PopDiagTraceControlCallback+E5084p

var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1ECh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2
		mov	esi, ecx
		xor	edi, edi
		pop	ecx
		xor	edx, edx
		inc	edi
		cmp	ds:dword_6B23F8, 5
		push	4
		mov	[ebp+var_1CC], edx
		pop	ebx
		jbe	loc_65CCF6
		lea	eax, [ebp+var_1D0]
		mov	[ebp+var_1A4], edx
		mov	[ebp+var_1A8], eax
		lea	eax, [ebp+var_180]
		mov	[ebp+var_198], eax
		mov	eax, [esi+4]
		mov	[ebp+var_188], eax
		movzx	eax, word ptr [esi]
		mov	[ebp+var_180], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_1D8], eax
		lea	eax, [ebp+var_1D8]
		mov	[ebp+var_178], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_1DC], eax
		lea	eax, [ebp+var_1DC]
		mov	[ebp+var_168], eax
		lea	eax, [ebp+var_1C8]
		push	eax
		push	7
		push	edx
		push	edx
		push	edi
		push	edx
		mov	[ebp+var_1A0], ecx
		mov	[ebp+var_19C], edx
		mov	[ebp+var_194], edx
		mov	[ebp+var_190], ecx
		mov	ecx, offset dword_6B23F8
		mov	[ebp+var_18C], edx
		mov	[ebp+var_184], edx
		mov	[ebp+var_17C], edx
		mov	[ebp+var_174], edx
		mov	[ebp+var_16C], edx
		mov	[ebp+var_164], edx
		mov	[ebp+var_15C], edx
		push	edx
		mov	edx, offset loc_420907
		mov	[ebp+var_1D0], edi
		mov	[ebp+var_170], ebx
		mov	[ebp+var_160], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		xor	edx, edx

loc_65CCF6:				; CODE XREF: PopPlTraceLogPowerPlane(x)+32j
		mov	eax, [esi+1Ch]
		mov	edi, edx
		test	eax, eax
		jz	loc_65CE23

loc_65CD03:				; CODE XREF: PopPlTraceLogPowerPlane(x)+22Cj
		cmp	ds:dword_6B23F8, 5
		mov	eax, [esi+20h]
		mov	ecx, [eax+edi*4]
		mov	[ebp+var_1CC], ebx
		jbe	loc_65CE17
		lea	eax, [ebp+var_1E0]
		mov	[ebp+var_94], edx
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_88], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_78], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_68], eax
		mov	eax, [esi+4]
		mov	[ebp+var_58], eax
		movzx	eax, word ptr [esi]
		mov	[ebp+var_50], eax
		mov	eax, [ecx+34h]
		mov	[ebp+var_1E4], eax
		lea	eax, [ebp+var_1E4]
		mov	[ebp+var_48], eax
		mov	eax, [ecx+10h]
		mov	[ebp+var_1D4], eax
		lea	eax, [ebp+var_1D4]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_1CC]
		mov	[ebp+var_28], eax
		lea	eax, [ecx+14h]
		mov	[ebp+var_18], eax
		mov	ecx, offset dword_6B23F8
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_8C], edx
		push	eax
		push	0Bh
		push	edx
		push	edx
		push	1
		push	edx
		mov	[ebp+var_84], edx
		mov	[ebp+var_7C], edx
		mov	[ebp+var_74], edx
		mov	[ebp+var_6C], edx
		mov	[ebp+var_64], edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], edx
		push	edx
		mov	edx, offset loc_4207E2
		mov	[ebp+var_1E0], 1
		mov	[ebp+var_90], 2
		mov	[ebp+var_80], 2
		mov	[ebp+var_60], 2
		mov	[ebp+var_40], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_20], 2
		mov	[ebp+var_10], 20h
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		xor	edx, edx

loc_65CE17:				; CODE XREF: PopPlTraceLogPowerPlane(x)+125j
		mov	eax, [esi+1Ch]
		inc	edi
		cmp	edi, eax
		jb	loc_65CD03

loc_65CE23:				; CODE XREF: PopPlTraceLogPowerPlane(x)+10Cj
		mov	edi, edx
		mov	[ebp+var_1D0], edi
		test	eax, eax
		jz	loc_65CFC3

loc_65CE33:				; CODE XREF: PopPlTraceLogPowerPlane(x)+3CCj
		mov	eax, [esi+20h]
		mov	ebx, edx
		mov	eax, [eax+edi*4]
		mov	[ebp+var_1D4], eax
		cmp	[eax+34h], edx
		jbe	loc_65CFB3
		mov	edi, eax

loc_65CE4C:				; CODE XREF: PopPlTraceLogPowerPlane(x)+3B4j
		cmp	ds:dword_6B23F8, 5
		mov	eax, [edi+38h]
		mov	ecx, [eax+ebx*4]
		movzx	eax, word ptr [ecx+14h]
		mov	edx, eax
		mov	[ebp+var_1CC], eax
		jbe	loc_65CFA1
		lea	eax, [ebp+var_1E8]
		and	[ebp+var_114], 0
		mov	[ebp+var_138], eax
		xor	eax, eax
		mov	[ebp+var_134], eax
		mov	[ebp+var_12C], eax
		mov	[ebp+var_124], eax
		mov	[ebp+var_11C], eax
		lea	eax, [ebp+var_100]
		mov	[ebp+var_118], eax
		mov	eax, [edi+4]
		mov	[ebp+var_108], eax
		movzx	eax, word ptr [edi]
		mov	[ebp+var_100], eax
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_F8], eax
		mov	eax, [esi+4]
		mov	[ebp+var_E8], eax
		movzx	eax, word ptr [esi]
		mov	[ebp+var_E0], eax
		lea	eax, [ebp+var_1CC]
		and	[ebp+var_10C], 0
		and	[ebp+var_104], 0
		and	[ebp+var_FC], 0
		and	[ebp+var_F4], 0
		and	[ebp+var_EC], 0
		and	[ebp+var_E4], 0
		and	[ebp+var_DC], 0
		and	[ebp+var_D4], 0
		and	[ebp+var_CC], 0
		mov	[ebp+var_D8], eax
		lea	eax, [ecx+18h]
		mov	[ebp+var_C8], eax
		mov	eax, edx
		shl	eax, 3
		mov	edx, offset loc_42087A
		mov	[ebp+var_C0], eax
		lea	eax, [ebp+var_158]
		push	eax
		push	0Ah
		mov	[ebp+var_128], ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	[ebp+var_C4], ecx
		mov	[ebp+var_BC], ecx
		push	ecx
		mov	ecx, offset dword_6B23F8
		mov	[ebp+var_1E8], 1
		mov	[ebp+var_130], 2
		mov	[ebp+var_120], 10h
		mov	[ebp+var_110], 2
		mov	[ebp+var_F0], 2
		mov	[ebp+var_D0], 2
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_65CFA1:				; CODE XREF: PopPlTraceLogPowerPlane(x)+274j
		inc	ebx
		cmp	ebx, [edi+34h]
		jb	loc_65CE4C
		mov	edi, [ebp+var_1D0]
		xor	edx, edx

loc_65CFB3:				; CODE XREF: PopPlTraceLogPowerPlane(x)+253j
		inc	edi
		mov	[ebp+var_1D0], edi
		cmp	edi, [esi+1Ch]
		jb	loc_65CE33

loc_65CFC3:				; CODE XREF: PopPlTraceLogPowerPlane(x)+23Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopPlTraceLogPowerPlane@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlUnlockPowerPlane(x)
_PopPlUnlockPowerPlane@4 proc near	; CODE XREF: PopPlUnregisterDevice(x)+1C0p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bl, [ecx+0Ch]
		add	ecx, 8
		test	ds:byte_70EFC6,	1
		jz	short loc_65CFF1
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65CFF6
; 

loc_65CFF1:				; CODE XREF: PopPlUnlockPowerPlane(x)+13j
		xor	eax, eax
		lock and [ecx],	eax

loc_65CFF6:				; CODE XREF: PopPlUnlockPowerPlane(x)+1Dj
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_PopPlUnlockPowerPlane@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUnicodeStringCchCopyStringN(x, x, x)
_RtlUnicodeStringCchCopyStringN@12 proc	near ; CODE XREF: PopPlInitWString(x,x,x,x)+74p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edx
		push	ecx
		mov	esi, ecx
		mov	ebx, edi
		call	sub_65D066
		test	eax, eax
		js	short loc_65D02C
		test	esi, esi
		jz	short loc_65D02C
		movzx	ebx, word ptr [esi+2]
		mov	ecx, [esi+4]
		shr	ebx, 1
		jmp	short loc_65D02E
; 

loc_65D02C:				; CODE XREF: RtlUnicodeStringCchCopyStringN(x,x,x)+1Bj
					; RtlUnicodeStringCchCopyStringN(x,x,x)+1Fj
		mov	ecx, edi

loc_65D02E:				; CODE XREF: RtlUnicodeStringCchCopyStringN(x,x,x)+2Aj
		test	eax, eax
		js	short loc_65D05F
		cmp	[ebp+arg_0], 7FFFh
		mov	[ebp+var_4], edi
		jbe	short loc_65D045
		mov	eax, 0C000000Dh
		jmp	short loc_65D059
; 

loc_65D045:				; CODE XREF: RtlUnicodeStringCchCopyStringN(x,x,x)+3Cj
		push	[ebp+arg_0]
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	[ebp+var_8]
		push	eax
		call	sub_65D0A7
		mov	edi, [ebp+var_4]

loc_65D059:				; CODE XREF: RtlUnicodeStringCchCopyStringN(x,x,x)+43j
		lea	ecx, [edi+edi]
		mov	[esi], cx

loc_65D05F:				; CODE XREF: RtlUnicodeStringCchCopyStringN(x,x,x)+30j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_RtlUnicodeStringCchCopyStringN@12 endp


;  S U B	R O U T	I N E 


sub_65D066	proc near		; CODE XREF: RtlUnicodeStringCchCopyStringN(x,x,x)+14p
					; RtlStringCbCopyUnicodeString(ushort *,uint,_UNICODE_STRING const *)+30p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	eax, eax
		movzx	ecx, word ptr [esi]
		test	cl, 1
		jnz	short loc_65D09E
		movzx	edx, word ptr [esi+2]
		test	dl, 1
		jnz	short loc_65D09E
		cmp	cx, dx
		ja	short loc_65D09E
		push	edi
		mov	edi, 0FFFEh
		cmp	dx, di
		pop	edi
		ja	short loc_65D09E
		cmp	[esi+4], eax
		jnz	short loc_65D0A3
		test	cx, cx
		jnz	short loc_65D09E
		test	dx, dx
		jz	short loc_65D0A3

loc_65D09E:				; CODE XREF: sub_65D066+Dj
					; sub_65D066+16j ...
		mov	eax, 0C000000Dh

loc_65D0A3:				; CODE XREF: sub_65D066+2Cj
					; sub_65D066+36j
		pop	esi
		retn	4
sub_65D066	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_65D0A7	proc near		; CODE XREF: RtlUnicodeStringCchCopyStringN(x,x,x)+51p
					; RtlUnicodeStringCbCatStringN(x,x,x)+62p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, esi
		push	edi
		mov	edi, ecx
		mov	ecx, [ebp+arg_8]
		test	edx, edx
		jz	short loc_65D0E2
		sub	edi, eax

loc_65D0C1:				; CODE XREF: sub_65D0A7+32j
		test	ecx, ecx
		jz	short loc_65D0DB
		movzx	esi, word ptr [eax]
		test	si, si
		jz	short loc_65D0DB
		mov	[edi+eax], si
		add	eax, 2
		dec	ecx
		inc	ebx
		sub	edx, 1
		jnz	short loc_65D0C1

loc_65D0DB:				; CODE XREF: sub_65D0A7+1Cj
					; sub_65D0A7+24j
		push	0
		pop	esi
		test	edx, edx
		jnz	short loc_65D0F0

loc_65D0E2:				; CODE XREF: sub_65D0A7+16j
		test	ecx, ecx
		jz	short loc_65D0F0
		cmp	[eax], si
		jz	short loc_65D0F0
		mov	esi, 80000005h

loc_65D0F0:				; CODE XREF: sub_65D0A7+39j
					; sub_65D0A7+3Dj ...
		mov	ecx, [ebp+arg_0]
		mov	eax, esi
		pop	edi
		pop	esi
		mov	[ecx], ebx
		pop	ebx
		pop	ebp
		retn	0Ch
sub_65D0A7	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSqmAddToStream(x, x, x, x)
_PopSqmAddToStream@16 proc near		; CODE XREF: PopSqmBatteryUpdate(x,x,x,x)+51p

var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1A8		= dword	ptr -1A8h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 208h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	4
		pop	esi
		push	1B0h		; size_t
		xor	ebx, ebx
		mov	[ebp+var_204], esi
		lea	eax, [ebp+var_1B4]
		mov	[ebp+var_200], 2B7Bh
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_208], ebx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_1FC], 0Bh
		cmp	ds:_PopDiagHandleRegistered, bl
		jz	loc_65D29C
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_65D29C
		lea	ecx, [ebp+var_1FC]
		mov	[ebp+var_1F0], ebx
		mov	[ebp+var_1F4], ecx
		lea	ecx, [ebp+var_200]
		push	edi
		mov	[ebp+var_1D4], ecx
		mov	edi, ebx
		lea	ecx, [ebp+var_204]
		mov	[ebp+var_1EC], esi
		push	esi
		mov	[ebp+var_1C4], ecx
		lea	ecx, [ebp+var_1A8]
		mov	[ebp+var_1E8], ebx
		mov	[ebp+var_1E4], offset dword_428F2C
		mov	[ebp+var_1E0], ebx
		mov	[ebp+var_1DC], 10h
		mov	[ebp+var_1D8], ebx
		mov	[ebp+var_1D0], ebx
		mov	[ebp+var_1CC], esi
		mov	[ebp+var_1C8], ebx
		mov	[ebp+var_1C0], ebx
		mov	[ebp+var_1BC], esi
		mov	[ebp+var_1B8], ebx
		pop	edx

loc_65D1EB:				; CODE XREF: PopSqmAddToStream(x,x,x,x)+177j
		lea	esi, [eax+edi*8]
		mov	[ecx-8], ebx
		mov	[ecx], ebx
		lea	eax, [esi+4]
		mov	ebx, [esi]
		mov	[ecx-0Ch], esi
		mov	[ecx-4], edx
		cmp	ebx, 1
		jz	short loc_65D208
		mov	eax, offset dword_428F28

loc_65D208:				; CODE XREF: PopSqmAddToStream(x,x,x,x)+103j
		mov	[ecx+4], eax
		xor	eax, eax
		mov	[ecx+8], eax
		mov	[ecx+0Ch], edx
		mov	[ecx+10h], eax
		cmp	ebx, 2
		jnz	short loc_65D220
		mov	edx, [esi+4]
		jmp	short loc_65D225
; 

loc_65D220:				; CODE XREF: PopSqmAddToStream(x,x,x,x)+11Bj
		mov	edx, offset a0	; "0"

loc_65D225:				; CODE XREF: PopSqmAddToStream(x,x,x,x)+120j
		lea	eax, [edx+2]
		mov	[ebp+var_1F8], eax

loc_65D22E:				; CODE XREF: PopSqmAddToStream(x,x,x,x)+13Dj
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_208]
		jnz	short loc_65D22E
		sub	edx, [ebp+var_1F8]
		sar	edx, 1
		cmp	ebx, 2
		jnz	short loc_65D24F
		mov	eax, [esi+4]
		jmp	short loc_65D254
; 

loc_65D24F:				; CODE XREF: PopSqmAddToStream(x,x,x,x)+14Aj
		mov	eax, offset a0	; "0"

loc_65D254:				; CODE XREF: PopSqmAddToStream(x,x,x,x)+14Fj
		mov	[ecx+14h], eax
		xor	ebx, ebx
		lea	eax, ds:2[edx*2]
		mov	[ecx+18h], ebx
		push	4
		mov	[ecx+1Ch], eax
		inc	edi
		mov	eax, [ebp+arg_4]
		mov	[ecx+20h], ebx
		add	ecx, 30h
		pop	edx
		cmp	edi, edx
		jb	loc_65D1EB
		lea	eax, [ebp+var_1F4]
		push	eax
		push	1Fh
		push	ebx
		push	offset _PopSqm_Add_StreamRow
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	edi

loc_65D29C:				; CODE XREF: PopSqmAddToStream(x,x,x,x)+57j
					; PopSqmAddToStream(x,x,x,x)+62j
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopSqmAddToStream@16 endp


;  S U B	R O U T	I N E 


; __stdcall PopSqmCreateDwordStreamEntry(x, x)
_PopSqmCreateDwordStreamEntry@8	proc near ; CODE XREF: PopSqmBatteryUpdate(x,x,x,x)+22p
					; PopSqmBatteryUpdate(x,x,x,x)+2Cp ...
		mov	[ecx+4], edx
		mov	dword ptr [ecx], 1
		retn
_PopSqmCreateDwordStreamEntry@8	endp


;  S U B	R O U T	I N E 


; __stdcall PopSleepstudyScenarioStopTimerCallback(x, x)
_PopSleepstudyScenarioStopTimerCallback@8 proc near
					; DATA XREF: PopSleepstudyInitialize()+40o
		push	1
		push	offset dword_6BF0A0
		call	ExQueueWorkItem
		retn	8
_PopSleepstudyScenarioStopTimerCallback@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopDeviceConstraintsEnforced()
_PopDeviceConstraintsEnforced@0	proc near
					; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x):loc_9B4595p
					; PopDripsWatchdogTakeAction(x,x,x):loc_9BEC4Ap
		mov	edi, edi
		push	ebx
		mov	cl, 2
		xor	bl, bl
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, al
		mov	eax, large fs:20h
		mov	eax, [eax+3D70h]
		test	eax, eax
		jz	short loc_65D2F4
		cmp	byte ptr [eax],	1
		jnz	short loc_65D2F4
		cmp	ds:_PpmPlatformStates, 0
		jz	short loc_65D2F4
		inc	bl

loc_65D2F4:				; CODE XREF: PopDeviceConstraintsEnforced()+1Dj
					; PopDeviceConstraintsEnforced()+22j ...
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, bl
		pop	ebx
		retn
_PopDeviceConstraintsEnforced@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopRecordPepWorkorderBlackboxInformation()
_PopRecordPepWorkorderBlackboxInformation@0 proc near
					; CODE XREF: PopRecordPoBlackboxInformation()+8p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_20]
		stosd
		xor	ebx, ebx
		xor	esi, esi
		stosd
		stosd
		stosd
		stosd
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopWorkOrderLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, ds:_PopWorkOrderList
		mov	edx, offset _PopWorkOrderList
		cmp	eax, edx
		jz	loc_65D406

loc_65D33C:				; CODE XREF: PopRecordPepWorkorderBlackboxInformation()+45j
		mov	eax, [eax]
		mov	ecx, ebx
		inc	ebx
		cmp	eax, edx
		jnz	short loc_65D33C
		test	ebx, ebx
		jz	loc_65D406
		imul	edi, ecx, 30h
		push	42424F50h
		add	edi, 40h
		push	edi
		push	200h
		mov	[ebp+var_C], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_65D408
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	[esi+8], ebx
		add	esp, 0Ch
		mov	dword ptr [esi], 1
		lea	ebx, [esi+10h]
		mov	[esi+4], edi
		mov	eax, ds:_PopWorkOrderList
		cmp	eax, offset _PopWorkOrderList
		jz	short loc_65D408
		mov	edi, eax

loc_65D399:				; CODE XREF: PopRecordPepWorkorderBlackboxInformation()+101j
		call	KeQueryInterruptTime
		sub	eax, [edi+58h]
		push	0
		sbb	edx, [edi+5Ch]
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		xor	edx, edx
		mov	[ebx], eax
		mov	[ebx+8], edi
		mov	[ebx+0Ch], edx
		mov	eax, [edi+50h]
		mov	[ebx+10h], eax
		mov	[ebx+14h], edx
		mov	ecx, [edi+54h]
		mov	[ebx+18h], ecx
		mov	[ebx+1Ch], edx
		test	ecx, ecx
		jz	short loc_65D3F4
		mov	eax, [ecx]
		mov	[ebx+20h], eax
		lea	eax, [ecx+4]
		test	eax, eax
		jz	short loc_65D3F4
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_65D3F4
		mov	eax, [eax+24h]
		test	eax, eax
		jz	short loc_65D3F4
		mov	eax, [eax+40h]
		mov	[ebx+28h], eax
		mov	[ebx+2Ch], edx

loc_65D3F4:				; CODE XREF: PopRecordPepWorkorderBlackboxInformation()+D2j
					; PopRecordPepWorkorderBlackboxInformation()+DEj ...
		mov	edi, [edi]
		add	ebx, 30h
		cmp	edi, offset _PopWorkOrderList
		jnz	short loc_65D399
		mov	edi, [ebp+var_C]
		jmp	short loc_65D408
; 

loc_65D406:				; CODE XREF: PopRecordPepWorkorderBlackboxInformation()+38j
					; PopRecordPepWorkorderBlackboxInformation()+49j
		xor	edi, edi

loc_65D408:				; CODE XREF: PopRecordPepWorkorderBlackboxInformation()+6Cj
					; PopRecordPepWorkorderBlackboxInformation()+97j ...
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopWorkOrderLock
		jz	short loc_65D420
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65D425
; 

loc_65D420:				; CODE XREF: PopRecordPepWorkorderBlackboxInformation()+116j
		xor	eax, eax
		lock and [ecx],	eax

loc_65D425:				; CODE XREF: PopRecordPepWorkorderBlackboxInformation()+120j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_65D458
		and	[ebp+var_18], 0
		lea	eax, [ebp+var_20]
		and	[ebp+var_10], 0
		push	0
		push	0
		push	14h
		push	eax
		push	5Eh
		mov	[ebp+var_14], 7
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], edi
		call	NtPowerInformation

loc_65D458:				; CODE XREF: PopRecordPepWorkorderBlackboxInformation()+132j
		test	esi, esi
		jz	short loc_65D467
		push	42424F50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_65D467:				; CODE XREF: PopRecordPepWorkorderBlackboxInformation()+15Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopRecordPepWorkorderBlackboxInformation@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopRecordPoIrpBlackboxInformation()
_PopRecordPoIrpBlackboxInformation@0 proc near
					; CODE XREF: PopRecordPoBlackboxInformation()+3p

var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= byte ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		lea	edx, [ebp+var_A4]
		push	esi
		push	edi
		lea	edi, [ebp+var_BC]
		mov	ecx, offset _PopIrpLock
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_A4]
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ebx, ds:_PopIrpList
		xor	ecx, ecx
		mov	[ebp+var_98], ecx
		mov	edi, ecx
		mov	[ebp+var_94], ecx
		mov	[ebp+var_90], ecx
		push	40h
		pop	esi
		mov	[ebp+var_A8], esi
		mov	[ebp+var_8C], esi
		cmp	ebx, offset _PopIrpList
		jz	loc_65D6EA

loc_65D4E3:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+10Ej
		cmp	byte ptr [ebx+74h], 0
		jz	loc_65D572
		push	ecx
		mov	ecx, [ebx+10h]
		lea	edx, [ebp+var_88]
		mov	[ebp+var_90], 18h
		call	_PopDiagGetDriverName@12 ; PopDiagGetDriverName(x,x,x)
		test	eax, eax
		js	short loc_65D544
		lea	edx, [ebp+var_88]
		lea	ecx, [edx+2]

loc_65D513:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+B4j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_98]
		jnz	short loc_65D513
		sub	edx, ecx
		lea	eax, [ebp+var_90]
		sar	edx, 1
		push	eax
		push	18h
		pop	ecx
		lea	edx, ds:2[edx*2]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_65D6B5

loc_65D544:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+9Cj
		mov	edx, [ebp+var_90]
		lea	eax, [ebp+var_8C]
		inc	[ebp+var_94]
		mov	ecx, esi
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_65D6B5
		mov	esi, [ebp+var_8C]
		mov	[ebp+var_A8], esi

loc_65D572:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+7Bj
		mov	ebx, [ebx]
		cmp	ebx, offset _PopIrpList
		jnz	loc_65D4E3
		mov	ebx, [ebp+var_94]
		test	ebx, ebx
		jz	loc_65D6E8
		push	42424F50h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_94], edi
		test	edi, edi
		jz	loc_65D6F2
		push	esi		; size_t
		xor	eax, eax
		push	eax		; int
		push	edi		; void *
		call	_memset
		xor	eax, eax
		mov	[edi], esi
		inc	eax
		mov	[edi+8], ebx
		xor	ecx, ecx
		mov	[edi+4], eax
		mov	eax, ds:_ExWorkerQueue
		mov	edx, offset _PopIrpList
		mov	[edi+20h], eax
		add	esp, 0Ch
		mov	[edi+10h], edx
		lea	eax, [edi+28h]
		mov	[edi+14h], ecx
		mov	dword ptr [edi+18h], offset _PopIrpThreadList
		mov	[edi+1Ch], ecx
		mov	[edi+24h], ecx
		mov	ebx, ds:_PopIrpList
		mov	[ebp+var_98], eax
		cmp	ebx, edx
		jz	loc_65D6F2
		mov	edi, eax
		xor	esi, esi

loc_65D603:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+268j
		cmp	byte ptr [ebx+74h], 0
		jz	loc_65D6D0
		movzx	eax, byte ptr [ebx+68h]
		mov	[edi+8], eax
		mov	eax, [ebx+6Ch]
		mov	[edi+0Ch], eax
		mov	eax, [ebx+70h]
		mov	[edi+10h], eax
		xor	eax, eax
		lea	ecx, [eax+1]
		call	KiQueryUnbiasedInterruptTime
		sub	eax, [ebx+18h]
		push	esi
		sbb	edx, [ebx+1Ch]
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	[edi+4], eax
		lea	edx, [ebp+var_88]
		push	ecx
		mov	ecx, [ebx+10h]
		mov	[ebp+var_90], 18h
		call	_PopDiagGetDriverName@12 ; PopDiagGetDriverName(x,x,x)
		push	18h
		pop	ecx
		test	eax, eax
		js	short loc_65D6C1
		lea	ecx, [ebp+var_88]
		lea	edx, [ecx+2]

loc_65D669:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+206j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_65D669
		sub	ecx, edx
		sar	ecx, 1
		mov	[ebp+var_98], ecx
		lea	eax, [ecx+ecx]
		push	eax		; size_t
		lea	ecx, [eax+1Ah]
		lea	eax, [ebp+var_88]
		mov	[ebp+var_90], ecx
		push	eax		; void *
		lea	eax, [edi+14h]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_98]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[edi+eax*2+14h], cx
		mov	eax, [ebp+var_90]
		mov	ecx, eax
		jmp	short loc_65D6C7
; 

loc_65D6B5:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+D2j
					; PopRecordPoIrpBlackboxInformation()+F4j
		xor	ebx, ebx
		mov	esi, ebx
		mov	[ebp+var_8C], esi
		jmp	short loc_65D6F4
; 

loc_65D6C1:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+1F2j
		mov	eax, [ebp+var_90]

loc_65D6C7:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+247j
		mov	[edi], eax
		mov	edx, offset _PopIrpList
		add	edi, ecx

loc_65D6D0:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+19Bj
		mov	ebx, [ebx]
		cmp	ebx, edx
		jnz	loc_65D603
		mov	esi, [ebp+var_A8]
		mov	edi, [ebp+var_94]
		jmp	short loc_65D6F2
; 

loc_65D6E8:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+11Cj
		xor	ecx, ecx

loc_65D6EA:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+71j
		mov	esi, ecx
		mov	[ebp+var_8C], esi

loc_65D6F2:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+13Cj
					; PopRecordPoIrpBlackboxInformation()+18Dj ...
		xor	ebx, ebx

loc_65D6F4:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+253j
		test	ds:byte_70EFC6,	1
		jz	short loc_65D713
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_A4]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_65D70B:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+2CBj
		mov	esi, [ebp+var_8C]
		jmp	short loc_65D753
; 

loc_65D713:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+28Fj
		mov	eax, [ebp+var_A4]
		test	eax, eax
		jnz	short loc_65D744
		mov	edx, [ebp+var_A0]
		lea	eax, [ebp+var_A4]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_A4]
		cmp	eax, ecx
		jz	short loc_65D70B
		call	KxWaitForLockChainValid
		mov	esi, [ebp+var_8C]

loc_65D744:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+2AFj
		xor	ecx, ecx
		mov	[ebp+var_A4], ebx
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_65D753:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+2A5j
		mov	cl, [ebp+var_9C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_65D797
		push	ebx
		push	ebx
		push	14h
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_B4], ebx
		push	eax
		push	5Eh
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_B0], 4
		mov	[ebp+var_BC], edi
		mov	[ebp+var_B8], esi
		call	NtPowerInformation

loc_65D797:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+2F5j
		test	edi, edi
		jz	short loc_65D7A6
		push	42424F50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_65D7A6:				; CODE XREF: PopRecordPoIrpBlackboxInformation()+32Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopRecordPoIrpBlackboxInformation@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopRecordPowerWatchdogBlackboxInformation()
_PopRecordPowerWatchdogBlackboxInformation@0 proc near
					; CODE XREF: PopRecordPoBlackboxInformation()+Dp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		stosd
		stosd
		stosd
		stosd
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _PopWatchdogLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_PopWatchdogList
		xor	edx, edx
		mov	eax, offset _PopWatchdogList
		mov	ebx, edx
		mov	esi, edx
		cmp	ecx, eax
		jz	loc_65D918

loc_65D7F6:				; CODE XREF: PopRecordPowerWatchdogBlackboxInformation()+4Ej
		cmp	[ecx+80h], dl
		jz	short loc_65D7FF
		inc	ebx

loc_65D7FF:				; CODE XREF: PopRecordPowerWatchdogBlackboxInformation()+47j
		mov	ecx, [ecx]
		cmp	ecx, eax
		jnz	short loc_65D7F6
		test	ebx, ebx
		jz	loc_65D918
		imul	edi, ebx, 50h
		push	42424F50h
		add	edi, 10h
		push	edi
		push	200h
		mov	[ebp+var_8], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_65D91A
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	dword ptr [esi], 1
		add	esp, 0Ch
		mov	[esi+4], edi
		mov	[esi+8], ebx
		mov	ebx, ds:_PopWatchdogList
		cmp	ebx, offset _PopWatchdogList
		jz	loc_65D91A
		lea	edi, [esi+10h]

loc_65D85D:				; CODE XREF: PopRecordPowerWatchdogBlackboxInformation()+158j
		cmp	byte ptr [ebx+80h], 0
		jz	loc_65D905
		mov	eax, [ebx+8]
		mov	[edi], eax
		mov	eax, [ebx+0B8h]
		and	dword ptr [edi+4Ch], 0
		mov	[edi+48h], eax
		call	KeQueryInterruptTime
		sub	eax, [ebx+0B0h]
		push	0
		sbb	edx, [ebx+0B4h]
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	[edi+4], eax
		lea	ecx, [ebx+84h]
		mov	eax, [ecx]
		xor	edx, edx
		mov	[edi+8], eax
		mov	eax, [ebx+8Ch]
		mov	[edi+0Ch], eax
		mov	eax, [ebx+90h]
		mov	[edi+10h], eax
		mov	[edi+14h], edx
		mov	eax, [ebx+94h]
		mov	[edi+18h], eax
		mov	[edi+1Ch], edx
		mov	eax, [ebx+98h]
		mov	[edi+20h], eax
		mov	[edi+24h], edx
		mov	eax, [ebx+9Ch]
		mov	[edi+28h], eax
		mov	[edi+2Ch], edx
		mov	[edi+40h], ecx
		mov	[edi+44h], edx
		mov	eax, [ebx+0A4h]
		mov	[edi+30h], eax
		mov	[edi+34h], edx
		mov	eax, [ebx+0A8h]
		mov	[edi+38h], eax
		mov	[edi+3Ch], edx
		add	edi, 50h

loc_65D905:				; CODE XREF: PopRecordPowerWatchdogBlackboxInformation()+AFj
		mov	ebx, [ebx]
		cmp	ebx, offset _PopWatchdogList
		jnz	loc_65D85D
		mov	edi, [ebp+var_8]
		jmp	short loc_65D91A
; 

loc_65D918:				; CODE XREF: PopRecordPowerWatchdogBlackboxInformation()+3Bj
					; PopRecordPowerWatchdogBlackboxInformation()+52j
		mov	edi, edx

loc_65D91A:				; CODE XREF: PopRecordPowerWatchdogBlackboxInformation()+75j
					; PopRecordPowerWatchdogBlackboxInformation()+9Fj ...
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _PopWatchdogLock
		jz	short loc_65D932
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65D937
; 

loc_65D932:				; CODE XREF: PopRecordPowerWatchdogBlackboxInformation()+171j
		xor	eax, eax
		lock and [ecx],	eax

loc_65D937:				; CODE XREF: PopRecordPowerWatchdogBlackboxInformation()+17Bj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_65D968
		xor	eax, eax
		mov	[ebp+var_10], 8
		push	eax
		push	eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_1C]
		push	14h
		push	eax
		push	5Eh
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], edi
		call	NtPowerInformation

loc_65D968:				; CODE XREF: PopRecordPowerWatchdogBlackboxInformation()+18Dj
		test	esi, esi
		jz	short loc_65D977
		push	42424F50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_65D977:				; CODE XREF: PopRecordPowerWatchdogBlackboxInformation()+1B5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopRecordPowerWatchdogBlackboxInformation@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginAcpiNotificationStrict(x, x, x)
_PopPluginAcpiNotificationStrict@12 proc near
					; CODE XREF: PopFxAcpiDispatchNotification(x)+9Ap
					; PopFxAcpiPrepareDevice(x,x,x,x)+5Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	esi, edx
		mov	edi, ecx
		push	esi
		call	dword ptr [edi+48h]
		test	al, al
		jnz	short loc_65D9A2
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, 668h
		push	edi
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_65D9A2:				; CODE XREF: PopPluginAcpiNotificationStrict(x,x,x)+14j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_PopPluginAcpiNotificationStrict@12 endp ; sp =	-8


;  S U B	R O U T	I N E 


; __stdcall PoResetStopWatch(x)
_PoResetStopWatch@4 proc near		; CODE XREF: PopPublishAndPurgePowerRequestStats(x,x,x)+132p
		xor	eax, eax
		mov	[ecx+10h], eax
		mov	[ecx+14h], eax
		mov	[ecx+18h], eax
		mov	[ecx+1Ch], eax
		add	ecx, 24h
		mov	eax, [ecx]
		neg	eax
		lock xadd [ecx], eax
		retn
_PoResetStopWatch@4 endp


;  S U B	R O U T	I N E 


; __stdcall PoUninitializeStopWatch(x)
_PoUninitializeStopWatch@4 proc	near	; CODE XREF: PopAvlDeleteStatsForPowerRequest(x)+47p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		and	dword ptr [esi], 0
		lea	eax, [esi+4]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_65D9E9
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_65D9E9
		mov	[ecx], edx
		mov	[edx+4], ecx
		and	dword ptr [esi+8], 0
		and	dword ptr [eax], 0
		pop	esi
		retn
; 

loc_65D9E9:				; CODE XREF: PoUninitializeStopWatch(x)+10j
					; PoUninitializeStopWatch(x)+17j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PoUninitializeStopWatch@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SshpCopyDataEntry(x, x, x)
_SshpCopyDataEntry@12 proc near		; CODE XREF: SleepstudyHelperCreateBlockerData(x,x,x,x,x)+F2p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	eax, ecx
		push	esi
		mov	edx, eax
		mov	[ebp+var_4], eax
		movzx	esi, word ptr [ebx]
		mov	ecx, esi
		call	_SSHSupportAllocatePaged@8 ; SSHSupportAllocatePaged(x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_65DA18
		mov	esi, 0C000009Ah
		jmp	short loc_65DA53
; 

loc_65DA18:				; CODE XREF: SshpCopyDataEntry(x,x,x)+21j
		push	edi
		mov	edi, [ebp+arg_0]
		mov	edx, ebx
		mov	ecx, edi
		mov	[edi+4], eax
		xor	eax, eax
		mov	[edi], ax
		mov	[edi+2], si
		call	_RtlUnicodeStringCopy@8	; RtlUnicodeStringCopy(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_65DA47
		mov	eax, [ebx+8]
		xor	esi, esi
		mov	[edi+8], eax
		mov	eax, [ebx+0Ch]
		mov	[edi+0Ch], eax
		jmp	short loc_65DA52
; 

loc_65DA47:				; CODE XREF: SshpCopyDataEntry(x,x,x)+47j
		push	[ebp+var_4]
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_65DA52:				; CODE XREF: SshpCopyDataEntry(x,x,x)+57j
		pop	edi

loc_65DA53:				; CODE XREF: SshpCopyDataEntry(x,x,x)+28j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_SshpCopyDataEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SshpFreeBlockerEntry(x)
_SshpFreeBlockerEntry@4	proc near	; CODE XREF: SshpDereferenceBlocker:loc_8F651Bp

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, [ebx+11Ch]
		mov	esi, [ebx+118h]
		mov	ecx, [edi+10h]
		mov	[ebp+var_8], ecx
		test	esi, esi
		jz	short loc_65DAD4

loc_65DA7D:				; CODE XREF: SshpFreeBlockerEntry(x)+6Ej
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebx+8]
		sub	[esi+8], ecx
		jnz	short loc_65DA9E
		xor	dl, dl
		mov	ecx, esi
		call	SshpSetBlockerActive

loc_65DA9E:				; CODE XREF: SshpFreeBlockerEntry(x)+38j
		test	ds:byte_70EFC6,	1
		jz	short loc_65DAB3
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65DAB8
; 

loc_65DAB3:				; CODE XREF: SshpFreeBlockerEntry(x)+4Aj
		xor	eax, eax
		lock and [esi],	eax

loc_65DAB8:				; CODE XREF: SshpFreeBlockerEntry(x)+56j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [esi+118h]
		test	esi, esi
		jnz	short loc_65DA7D
		mov	edi, [ebx+11Ch]
		mov	ecx, [ebp+var_8]

loc_65DAD4:				; CODE XREF: SshpFreeBlockerEntry(x)+20j
		mov	eax, [edi+3Ch]
		test	eax, eax
		jz	short loc_65DAE4
		push	dword ptr [ecx+0Ch]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_65DAE4:				; CODE XREF: SshpFreeBlockerEntry(x)+7Ej
		mov	esi, [ebp+var_8]
		push	dword ptr [esi+0Ch]
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	dword ptr [esi+0Ch]
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SshpFreeBlockerEntry@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SshpQueryBlockerPendingDelete(x)
_SshpQueryBlockerPendingDelete@4 proc near ; CODE XREF:	SshpSendSessionData()+A9p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ebx, [esi+4]
		shr	ebx, 3
		and	bl, 1
		test	ds:byte_70EFC6,	1
		jz	short loc_65DB36
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65DB3B
; 

loc_65DB36:				; CODE XREF: SshpQueryBlockerPendingDelete(x)+2Aj
		xor	eax, eax
		lock and [esi],	eax

loc_65DB3B:				; CODE XREF: SshpQueryBlockerPendingDelete(x)+36j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_SshpQueryBlockerPendingDelete@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SshpSetCollectionActive(x, x)
_SshpSetCollectionActive@8 proc	near	; CODE XREF: SshSetPdcPhaseActive:loc_8B6229j
					; SshpPowerSettingCallback(x,x,x,x)+34p

var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		push	esi
		mov	esi, ecx
		mov	byte ptr [ebp+var_4+3],	dl
		push	edi
		mov	[ebp+var_8], esi
		call	_CmSiRWLockAcquireExclusive@4 ;	CmSiRWLockAcquireExclusive(x)
		mov	al, byte ptr [ebp+var_4+3]
		cmp	[esi+4], al
		jz	loc_65DC20
		call	KeQueryInterruptTime
		mov	[ebp+var_C], eax
		lea	eax, [esi+8]
		mov	ecx, [eax]
		mov	[ebp+var_10], edx
		mov	[ebp+var_30], eax
		cmp	ecx, eax
		jz	loc_65DC1A
		mov	esi, ecx

loc_65DB9C:				; CODE XREF: SshpSetCollectionActive(x,x)+CBj
		mov	edi, [esi+3Ch]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	byte ptr [ebp+var_4+2],	al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte ptr [ebp+var_4+3],	0
		mov	ecx, [edi+4]
		jnz	short loc_65DBD3
		test	cl, 2
		jz	short loc_65DBED
		push	[ebp+var_10]
		xor	edx, edx
		mov	ecx, edi
		push	[ebp+var_C]
		inc	edx
		call	_SshpStopBlockerAccounting@16 ;	SshpStopBlockerAccounting(x,x,x,x)
		and	dword ptr [edi+4], 0FFFFFFFDh
		jmp	short loc_65DBED
; 

loc_65DBD3:				; CODE XREF: SshpSetCollectionActive(x,x)+6Cj
		or	ecx, 2
		mov	[edi+4], ecx
		test	cl, 1
		jnz	short loc_65DBE1
		inc	dword ptr [edi+70h]

loc_65DBE1:				; CODE XREF: SshpSetCollectionActive(x,x)+92j
		mov	eax, [ebp+var_C]
		mov	[edi+10h], eax
		mov	eax, [ebp+var_10]
		mov	[edi+14h], eax

loc_65DBED:				; CODE XREF: SshpSetCollectionActive(x,x)+71j
					; SshpSetCollectionActive(x,x)+87j
		test	ds:byte_70EFC6,	1
		jz	short loc_65DC02
		mov	edx, [ebx+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65DC07
; 

loc_65DC02:				; CODE XREF: SshpSetCollectionActive(x,x)+AAj
		xor	eax, eax
		lock and [edi],	eax

loc_65DC07:				; CODE XREF: SshpSetCollectionActive(x,x)+B6j
		mov	cl, byte ptr [ebp+var_4+2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [esi]
		cmp	esi, [ebp+var_30]
		jnz	short loc_65DB9C
		mov	esi, [ebp+var_8]

loc_65DC1A:				; CODE XREF: SshpSetCollectionActive(x,x)+4Aj
		mov	al, byte ptr [ebp+var_4+3]
		mov	[esi+4], al

loc_65DC20:				; CODE XREF: SshpSetCollectionActive(x,x)+2Fj
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_10], eax
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_65DC37
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_65DC37:				; CODE XREF: SshpSetCollectionActive(x,x)+E4j
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	esi, 7FFFFFFCh
		jz	loc_65DDCC
		mov	edx, [ebp+var_8]
		mov	ecx, edx
		mov	esi, large fs:124h
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_14], esi
		mov	[ebp+var_30], eax
		cmp	edx, eax
		jb	short loc_65DC81
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_65DC86
		mov	eax, [ebp+var_30]
		cmp	edx, eax
		jb	short loc_65DC81
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_65DC86

loc_65DC81:				; CODE XREF: SshpSetCollectionActive(x,x)+11Aj
					; SshpSetCollectionActive(x,x)+12Cj
		or	eax, 0FFFFFFFFh
		jmp	short loc_65DC94
; 

loc_65DC86:				; CODE XREF: SshpSetCollectionActive(x,x)+125j
					; SshpSetCollectionActive(x,x)+135j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_10], eax

loc_65DC94:				; CODE XREF: SshpSetCollectionActive(x,x)+13Aj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+2],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_65DCD9
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_65DD3F
		push	ecx
		push	[ebp+var_10]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_65DCD9:				; CODE XREF: SshpSetCollectionActive(x,x)+171j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_65DCEF
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_65DCEF:				; CODE XREF: SshpSetCollectionActive(x,x)+19Bj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+2],	1
		jnz	short loc_65DD33
		or	[esi+1E4h], dl
		jmp	short loc_65DD3F
; 

loc_65DD33:				; CODE XREF: SshpSetCollectionActive(x,x)+1DFj
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_14]

loc_65DD3F:				; CODE XREF: SshpSetCollectionActive(x,x)+17Bj
					; SshpSetCollectionActive(x,x)+1E7j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	short loc_65DDA6
		test	edi, 8000h
		jz	short loc_65DD63
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_65DD63:				; CODE XREF: SshpSetCollectionActive(x,x)+20Ej
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_65DD79
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_65DD79:				; CODE XREF: SshpSetCollectionActive(x,x)+21Dj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_65DD8D
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_65DD8D:				; CODE XREF: SshpSetCollectionActive(x,x)+236j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_65DDA6
		push	[ebp+var_30]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_65DDA6:				; CODE XREF: SshpSetCollectionActive(x,x)+206j
					; SshpSetCollectionActive(x,x)+24Dj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_65DDCC
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_65DDCC
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_65DDCC:				; CODE XREF: SshpSetCollectionActive(x,x)+F8j
					; SshpSetCollectionActive(x,x)+273j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_SshpSetCollectionActive@8 endp	; sp =	4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SshpStopBlockerAccounting(x, x, x, x)
_SshpStopBlockerAccounting@16 proc near	; CODE XREF: SshpSetBlockerActive+D5ED3p
					; SshpSetCollectionActive(x,x)+7Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, [ebx+4]
		mov	ecx, [ebx+14h]
		not	esi
		mov	edx, [ebx+10h]
		and	esi, 1
		shl	esi, 7
		add	esi, ebx
		mov	[ebp+var_8], ecx
		cmp	eax, ecx
		jb	short loc_65DE6E
		ja	short loc_65DE0A
		cmp	edi, edx
		jb	short loc_65DE6E

loc_65DE0A:				; CODE XREF: SshpStopBlockerAccounting(x,x,x,x)+2Fj
		mov	ecx, edi
		sub	ecx, edx
		mov	edx, eax
		sbb	edx, [ebp+var_8]
		add	[esi+18h], ecx
		adc	[esi+1Ch], edx
		xor	eax, eax

loc_65DE1B:				; CODE XREF: SshpStopBlockerAccounting(x,x,x,x)+72j
		cmp	edx, ds:dword_428F44[eax*8]
		jb	short loc_65DE43
		ja	short loc_65DE2F
		cmp	ecx, ds:_SshpAccountingBucketLimits[eax*8]
		jb	short loc_65DE43

loc_65DE2F:				; CODE XREF: SshpStopBlockerAccounting(x,x,x,x)+4Fj
		cmp	edx, ds:dword_428F4C[eax*8]
		jb	short loc_65DE4B
		ja	short loc_65DE43
		cmp	ecx, ds:dword_428F48[eax*8]
		jb	short loc_65DE4B

loc_65DE43:				; CODE XREF: SshpStopBlockerAccounting(x,x,x,x)+4Dj
					; SshpStopBlockerAccounting(x,x,x,x)+58j ...
		inc	eax
		cmp	eax, 5
		jb	short loc_65DE1B
		jmp	short loc_65DE6E
; 

loc_65DE4B:				; CODE XREF: SshpStopBlockerAccounting(x,x,x,x)+61j
					; SshpStopBlockerAccounting(x,x,x,x)+6Cj
		cmp	[ebp+var_4], 0
		jnz	short loc_65DE5F
		inc	dword ptr [esi+eax*4+70h]
		add	[esi+eax*8+20h], ecx
		adc	[esi+eax*8+24h], edx
		jmp	short loc_65DE74
; 

loc_65DE5F:				; CODE XREF: SshpStopBlockerAccounting(x,x,x,x)+7Aj
		inc	dword ptr [esi+eax*4+84h]
		add	[esi+eax*8+48h], ecx
		adc	[esi+eax*8+4Ch], edx

loc_65DE6E:				; CODE XREF: SshpStopBlockerAccounting(x,x,x,x)+2Dj
					; SshpStopBlockerAccounting(x,x,x,x)+33j ...
		cmp	[ebp+var_4], 1
		jz	short loc_65DE79

loc_65DE74:				; CODE XREF: SshpStopBlockerAccounting(x,x,x,x)+88j
		mov	eax, [ebp+arg_4]
		jmp	short loc_65DE7D
; 

loc_65DE79:				; CODE XREF: SshpStopBlockerAccounting(x,x,x,x)+9Dj
		xor	edi, edi
		xor	eax, eax

loc_65DE7D:				; CODE XREF: SshpStopBlockerAccounting(x,x,x,x)+A2j
		mov	[ebx+10h], edi
		pop	edi
		pop	esi
		mov	[ebx+14h], eax
		pop	ebx
		leave
		retn	8
_SshpStopBlockerAccounting@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SshpWriteBlocker(x,	x, x)
_SshpWriteBlocker@12 proc near		; CODE XREF: SshpSendSessionData()+A1p

var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AA		= byte ptr -2AAh
var_2A9		= dword	ptr -2A9h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_278		= dword	ptr -278h
var_250		= dword	ptr -250h
var_23C		= dword	ptr -23Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_1F8		= dword	ptr -1F8h
var_1D0		= dword	ptr -1D0h
var_1BC		= dword	ptr -1BCh
var_1A8		= dword	ptr -1A8h
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2DCh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_2B8], 0
		push	ebx
		mov	ebx, ecx
		mov	byte ptr [ebp+var_2A9],	0
		push	esi
		push	edi
		mov	[ebp+var_2B4], ebx
		mov	eax, [ebx+11Ch]
		mov	[ebp+var_2B0], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, ebx
		mov	[ebp+var_2AA], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	byte ptr [ebx+4], 2
		jz	short loc_65DEEE
		call	KeQueryInterruptTime
		push	edx
		push	eax
		push	2
		pop	edx
		mov	ecx, ebx
		call	_SshpStopBlockerAccounting@16 ;	SshpStopBlockerAccounting(x,x,x,x)

loc_65DEEE:				; CODE XREF: SshpWriteBlocker(x,x,x)+51j
		push	20h
		lea	eax, [ebx+18h]
		add	ebx, 98h
		pop	ecx
		mov	esi, eax
		lea	edi, [ebp+var_228]
		rep movsd
		push	20h
		pop	ecx
		mov	esi, ebx
		lea	edi, [ebp+var_2A9+1]
		rep movsd
		mov	esi, 80h
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+var_2B4]
		add	esp, 18h
		mov	esi, [eax+4]
		and	esi, 4
		test	ds:byte_70EFC6,	1
		jz	short loc_65DF4C
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65DF51
; 

loc_65DF4C:				; CODE XREF: SshpWriteBlocker(x,x,x)+B4j
		xor	ecx, ecx
		lock and [eax],	ecx

loc_65DF51:				; CODE XREF: SshpWriteBlocker(x,x,x)+C0j
		mov	cl, [ebp+var_2AA]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	10h
		pop	edi
		push	edi		; size_t
		push	offset _GUID_SPM_LOW_POWER_CS ;	void *
		push	offset _SshpSessionGuid	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_65E369
		mov	ebx, [ebp+var_2B0]
		cmp	ds:_SshpTraceHandleRegistered, al
		jz	loc_65E04D
		test	esi, esi
		jz	loc_65E04D
		movzx	eax, word ptr [ebx+38h]
		xor	edx, edx
		shr	eax, 1
		mov	[ebp+var_2B8], eax
		mov	al, byte ptr ds:_SshpSessionId
		mov	byte ptr [ebp+var_2A9],	al
		lea	eax, [ebp+var_2A9]
		mov	[ebp+var_78], eax
		lea	eax, [ebx+18h]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_2B8]
		mov	[ebp+var_58], eax
		mov	[ebp+var_74], edx
		mov	[ebp+var_70], 1
		mov	[ebp+var_6C], edx
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], 4
		mov	[ebp+var_4C], edx
		mov	eax, [ebx+3Ch]
		movzx	ecx, word ptr [ebx+38h]
		mov	[ebp+var_48], eax
		lea	eax, [ebx+28h]
		push	8
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_228]
		mov	[ebp+var_28], eax
		pop	eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		push	edx
		push	offset _SLEEPSTUDY_EVT_SCENARIO_BLOCKER
		push	ds:dword_6BEFAC
		mov	[ebp+var_44], edx
		push	ds:_SshpTraceHandle
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], offset _SshpSessionId
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_65E04D:				; CODE XREF: SshpWriteBlocker(x,x,x)+FDj
					; SshpWriteBlocker(x,x,x)+105j
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		mov	esi, [ebp+arg_4]
		or	eax, esi
		jz	short loc_65E07E
		mov	eax, [ebp+var_224]
		push	64h
		pop	ecx
		mul	ecx
		push	64h
		pop	edx
		mov	ecx, eax
		mov	eax, [ebp+var_228]
		mul	edx
		push	esi
		push	edi
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		jmp	short loc_65E082
; 

loc_65E07E:				; CODE XREF: SshpWriteBlocker(x,x,x)+1CDj
		xor	eax, eax
		xor	edx, edx

loc_65E082:				; CODE XREF: SshpWriteBlocker(x,x,x)+1F2j
		cmp	esi, ds:dword_6BEF94
		jb	loc_65E369
		ja	short loc_65E09C
		cmp	edi, ds:_SshpSessionThresholdHns
		jb	loc_65E369

loc_65E09C:				; CODE XREF: SshpWriteBlocker(x,x,x)+204j
		mov	ecx, ds:_SshpActiveThresholdPercent
		test	edx, edx
		jb	loc_65E369
		ja	short loc_65E0B4
		cmp	eax, ecx
		jb	loc_65E369

loc_65E0B4:				; CODE XREF: SshpWriteBlocker(x,x,x)+220j
		cmp	ds:_SshpTelemetryHandleRegistered, 0
		jz	loc_65E369
		cmp	ds:dword_6B2FD0, 5
		jbe	loc_65E369
		push	4000h
		mov	edi, offset dword_6B2FD0
		push	0
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_65E369
		mov	eax, ds:_SshpSessionId
		xor	ecx, ecx
		mov	[ebp+var_2C0], eax
		mov	eax, ds:dword_6BEF84
		mov	[ebp+var_2BC], eax
		lea	eax, [ebp+var_2C0]
		mov	[ebp+var_188], eax
		lea	eax, [ebx+18h]
		mov	[ebp+var_178], eax
		lea	eax, [ebx+28h]
		mov	[ebp+var_168], eax
		lea	eax, [ebp+var_140]
		mov	[ebp+var_158], eax
		mov	eax, [ebx+3Ch]
		mov	[ebp+var_148], eax
		movzx	eax, word ptr [ebx+38h]
		mov	[ebp+var_140], eax
		mov	eax, [ebx+14h]
		xor	ebx, ebx
		mov	[ebp+var_2B4], eax
		lea	eax, [ebp+var_2B4]
		mov	[ebp+var_138], eax
		mov	eax, [ebp+var_228]
		mov	[ebp+var_2C8], eax
		mov	eax, [ebp+var_224]
		mov	[ebp+var_2C4], eax
		lea	eax, [ebp+var_2C8]
		mov	[ebp+var_128], eax
		lea	eax, [ebp+var_1D0]
		push	8
		pop	esi
		mov	[ebp+var_118], eax
		lea	eax, [ebp+var_220]
		push	10h
		pop	edx
		mov	[ebp+var_108], eax
		lea	eax, [ebp+var_1BC]
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_1F8]
		push	14h
		mov	[ebp+var_170], edx
		mov	[ebp+var_160], edx
		pop	edx
		mov	[ebp+var_E8], eax
		mov	eax, [ebp+var_2A9+1]
		push	28h
		mov	[ebp+var_2D0], eax
		mov	eax, [ebp+var_2A4]
		mov	[ebp+var_184], ecx
		mov	[ebp+var_17C], ecx
		mov	[ebp+var_174], ecx
		mov	[ebp+var_16C], ecx
		mov	[ebp+var_164], ecx
		mov	[ebp+var_15C], ecx
		mov	[ebp+var_154], ecx
		mov	[ebp+var_14C], ecx
		mov	[ebp+var_144], ecx
		mov	[ebp+var_13C], ecx
		pop	ecx
		mov	[ebp+var_2CC], eax
		lea	eax, [ebp+var_2D0]
		mov	[ebp+var_180], esi
		mov	[ebp+var_150], 2
		mov	[ebp+var_134], ebx
		mov	[ebp+var_130], 4
		mov	[ebp+var_12C], ebx
		mov	[ebp+var_124], ebx
		mov	[ebp+var_120], esi
		mov	[ebp+var_11C], ebx
		mov	[ebp+var_114], ebx
		mov	[ebp+var_110], edx
		mov	[ebp+var_10C], ebx
		mov	[ebp+var_104], ebx
		mov	[ebp+var_100], ecx
		mov	[ebp+var_FC], ebx
		mov	[ebp+var_F4], ebx
		mov	[ebp+var_F0], edx
		mov	[ebp+var_EC], ebx
		mov	[ebp+var_E4], ebx
		mov	[ebp+var_E0], ecx
		mov	[ebp+var_DC], ebx
		mov	[ebp+var_D8], eax
		lea	eax, [ebp+var_250]
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_2A0]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_23C]
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_278]
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_2D8]
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_1A8]
		push	eax
		push	13h
		push	ebx
		push	ebx
		push	offset loc_421128
		push	edi
		mov	[ebp+var_D4], ebx
		mov	[ebp+var_D0], esi
		mov	[ebp+var_CC], ebx
		mov	[ebp+var_C4], ebx
		mov	[ebp+var_C0], edx
		mov	[ebp+var_BC], ebx
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_A4], ebx
		mov	[ebp+var_A0], edx
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_94], ebx
		mov	[ebp+var_90], ecx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_2D8], 1000000h
		mov	[ebp+var_2D4], ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], esi
		mov	[ebp+var_7C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_65E369:				; CODE XREF: SshpWriteBlocker(x,x,x)+EBj
					; SshpWriteBlocker(x,x,x)+1FEj	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_SshpWriteBlocker@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelper_AcquireComponentLock(x, x)
_SleepstudyHelper_AcquireComponentLock@8 proc near ; DATA XREF:	.data:006B3630o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		jz	short loc_65E3A5
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_65E3A5
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp+arg_0]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	[esi], bl
		xor	eax, eax
		pop	ebx
		jmp	short loc_65E3AA
; 

loc_65E3A5:				; CODE XREF: SleepstudyHelper_AcquireComponentLock(x,x)+Aj
					; SleepstudyHelper_AcquireComponentLock(x,x)+11j
		mov	eax, 0C000000Dh

loc_65E3AA:				; CODE XREF: SleepstudyHelper_AcquireComponentLock(x,x)+29j
		pop	esi
		pop	ebp
		retn	8
_SleepstudyHelper_AcquireComponentLock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelper_ComponentActive(x)
_SleepstudyHelper_ComponentActive@4 proc near ;	DATA XREF: .data:006B3620o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jnz	short loc_65E3C4
		mov	edi, 0C000000Dh
		jmp	short loc_65E3FF
; 

loc_65E3C4:				; CODE XREF: SleepstudyHelper_ComponentActive(x)+Cj
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	esi
		call	_SleepstudyHelper_ComponentActiveLocked@4 ; SleepstudyHelper_ComponentActiveLocked(x)
		test	ds:byte_70EFC6,	1
		mov	edi, eax
		jz	short loc_65E3F1
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65E3F6
; 

loc_65E3F1:				; CODE XREF: SleepstudyHelper_ComponentActive(x)+34j
		xor	eax, eax
		lock and [esi],	eax

loc_65E3F6:				; CODE XREF: SleepstudyHelper_ComponentActive(x)+40j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx

loc_65E3FF:				; CODE XREF: SleepstudyHelper_ComponentActive(x)+13j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_SleepstudyHelper_ComponentActive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelper_ComponentActiveLocked(x)
_SleepstudyHelper_ComponentActiveLocked@4 proc near
					; CODE XREF: SleepstudyHelper_ComponentActive(x)+26p
					; DATA XREF: .data:006B3628o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_65E41A
		mov	eax, 0C000000Dh
		jmp	short loc_65E439
; 

loc_65E41A:				; CODE XREF: SleepstudyHelper_ComponentActiveLocked(x)+Aj
		mov	eax, [ecx+4]
		test	al, 10h
		jnz	short loc_65E437
		or	eax, 10h
		inc	dword ptr [ecx+8]
		cmp	dword ptr [ecx+8], 1
		mov	[ecx+4], eax
		jnz	short loc_65E437
		mov	dl, 1
		call	SshpSetBlockerActive

loc_65E437:				; CODE XREF: SleepstudyHelper_ComponentActiveLocked(x)+18j
					; SleepstudyHelper_ComponentActiveLocked(x)+27j
		xor	eax, eax

loc_65E439:				; CODE XREF: SleepstudyHelper_ComponentActiveLocked(x)+11j
		pop	ebp
		retn	4
_SleepstudyHelper_ComponentActiveLocked@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelper_ComponentInactive(x)
_SleepstudyHelper_ComponentInactive@4 proc near	; DATA XREF: .data:006B3624o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_65E451
		mov	eax, 0C000000Dh
		jmp	short loc_65E4A2
; 

loc_65E451:				; CODE XREF: SleepstudyHelper_ComponentInactive(x)+Bj
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [esi+4]
		test	al, 10h
		jz	short loc_65E47D
		and	eax, 0FFFFFFEFh
		sub	dword ptr [esi+8], 1
		mov	[esi+4], eax
		jnz	short loc_65E47D
		xor	dl, dl
		mov	ecx, esi
		call	SshpSetBlockerActive

loc_65E47D:				; CODE XREF: SleepstudyHelper_ComponentInactive(x)+29j
					; SleepstudyHelper_ComponentInactive(x)+35j
		test	ds:byte_70EFC6,	1
		jz	short loc_65E492
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65E497
; 

loc_65E492:				; CODE XREF: SleepstudyHelper_ComponentInactive(x)+47j
		xor	eax, eax
		lock and [esi],	eax

loc_65E497:				; CODE XREF: SleepstudyHelper_ComponentInactive(x)+53j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		pop	ebx

loc_65E4A2:				; CODE XREF: SleepstudyHelper_ComponentInactive(x)+12j
		pop	esi
		pop	ebp
		retn	4
_SleepstudyHelper_ComponentInactive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelper_GenerateGuid(x, x,	x, x)
_SleepstudyHelper_GenerateGuid@16 proc near ; DATA XREF: .data:006B3608o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		cmp	[ebp+arg_C], 0
		jnz	short loc_65E4BF
		mov	ecx, 0C000000Dh
		jmp	loc_65E558
; 

loc_65E4BF:				; CODE XREF: SleepstudyHelper_GenerateGuid(x,x,x,x)+Cj
		push	edi
		mov	edi, [ebp+arg_C]
		xor	eax, eax
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		stosd
		mov	eax, edx
		sub	eax, ecx
		jz	short loc_65E53E
		sub	eax, 1
		jz	short loc_65E52E
		sub	eax, 4
		jz	short loc_65E519
		sub	eax, 1
		mov	eax, [ebp+arg_4]
		jz	short loc_65E501
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], 0CCCCh
		mov	[ebp+var_4], edx
		jmp	short loc_65E54B
; 

loc_65E501:				; CODE XREF: SleepstudyHelper_GenerateGuid(x,x,x,x)+46j
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+var_C]
		shr	eax, 18h
		and	al, 0FEh
		or	al, 2

loc_65E514:				; CODE XREF: SleepstudyHelper_GenerateGuid(x,x,x,x)+85j
		mov	byte ptr [ebp+var_C+3],	al
		jmp	short loc_65E54B
; 

loc_65E519:				; CODE XREF: SleepstudyHelper_GenerateGuid(x,x,x,x)+3Ej
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_4], eax
		mov	al, byte ptr [ebp+var_C+3]
		and	al, 0FDh
		or	al, 1
		jmp	short loc_65E514
; 

loc_65E52E:				; CODE XREF: SleepstudyHelper_GenerateGuid(x,x,x,x)+39j
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+arg_4]
		call	_SleepstudyHelperGetBlockerGuid@8 ; SleepstudyHelperGetBlockerGuid(x,x)
		mov	ecx, eax
		jmp	short loc_65E547
; 

loc_65E53E:				; CODE XREF: SleepstudyHelper_GenerateGuid(x,x,x,x)+34j
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], ecx

loc_65E547:				; CODE XREF: SleepstudyHelper_GenerateGuid(x,x,x,x)+95j
		test	ecx, ecx
		js	short loc_65E557

loc_65E54B:				; CODE XREF: SleepstudyHelper_GenerateGuid(x,x,x,x)+58j
					; SleepstudyHelper_GenerateGuid(x,x,x,x)+70j
		mov	edi, [ebp+arg_C]
		push	esi
		lea	esi, [ebp+var_10]
		movsd
		movsd
		movsd
		movsd
		pop	esi

loc_65E557:				; CODE XREF: SleepstudyHelper_GenerateGuid(x,x,x,x)+A2j
		pop	edi

loc_65E558:				; CODE XREF: SleepstudyHelper_GenerateGuid(x,x,x,x)+13j
		mov	eax, ecx
		leave
		retn	10h
_SleepstudyHelper_GenerateGuid@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelper_ReleaseComponentLock(x, x)
_SleepstudyHelper_ReleaseComponentLock@8 proc near ; DATA XREF:	.data:006B3634o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_65E571
		mov	eax, 0C000000Dh
		jmp	short loc_65E596
; 

loc_65E571:				; CODE XREF: SleepstudyHelper_ReleaseComponentLock(x,x)+Aj
		test	ds:byte_70EFC6,	1
		jz	short loc_65E586
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65E58B
; 

loc_65E586:				; CODE XREF: SleepstudyHelper_ReleaseComponentLock(x,x)+1Aj
		xor	ecx, ecx
		lock and [eax],	ecx

loc_65E58B:				; CODE XREF: SleepstudyHelper_ReleaseComponentLock(x,x)+26j
		mov	cl, [ebp+arg_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax

loc_65E596:				; CODE XREF: SleepstudyHelper_ReleaseComponentLock(x,x)+11j
		pop	ebp
		retn	8
_SleepstudyHelper_ReleaseComponentLock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelper_ResetComponentsStartTime(x)
_SleepstudyHelper_ResetComponentsStartTime@4 proc near ; DATA XREF: .data:006B362Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_65E5AE
		mov	eax, 0C000000Dh
		jmp	short loc_65E5F8
; 

loc_65E5AE:				; CODE XREF: SleepstudyHelper_ResetComponentsStartTime(x)+Bj
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [esi+4]
		and	eax, 3
		cmp	al, 3
		jnz	short loc_65E5D3
		call	KeQueryInterruptTime
		mov	[esi+10h], eax
		mov	[esi+14h], edx

loc_65E5D3:				; CODE XREF: SleepstudyHelper_ResetComponentsStartTime(x)+2Cj
		test	ds:byte_70EFC6,	1
		jz	short loc_65E5E8
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65E5ED
; 

loc_65E5E8:				; CODE XREF: SleepstudyHelper_ResetComponentsStartTime(x)+40j
		xor	eax, eax
		lock and [esi],	eax

loc_65E5ED:				; CODE XREF: SleepstudyHelper_ResetComponentsStartTime(x)+4Cj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		pop	ebx

loc_65E5F8:				; CODE XREF: SleepstudyHelper_ResetComponentsStartTime(x)+12j
		pop	esi
		pop	ebp
		retn	4
_SleepstudyHelper_ResetComponentsStartTime@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelper_UnregisterComponent(x)
_SleepstudyHelper_UnregisterComponent@4	proc near ; DATA XREF: .data:006B361Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	$+5
_SleepstudyHelper_UnregisterComponent@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelperDestroyBlocker(x)
_SleepstudyHelperDestroyBlocker@4 proc near
					; CODE XREF: SleepstudyHelper_RegisterComponentEx(x,x,x,x,x,x,x,x,x,x,x)+9Ap
					; SleepstudyHelper_RegisterPdoWithParentGuid(x,x,x,x,x,x,x)+89p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jnz	short loc_65E61D
		mov	edi, 0C000000Dh
		jmp	short loc_65E666
; 

loc_65E61D:				; CODE XREF: SleepstudyHelperDestroyBlocker(x)+Cj
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [esi+4]
		test	al, 8
		jnz	short loc_65E63E
		or	eax, 8
		xor	edi, edi
		mov	[esi+4], eax
		jmp	short loc_65E643
; 

loc_65E63E:				; CODE XREF: SleepstudyHelperDestroyBlocker(x)+2Aj
		mov	edi, 0C000000Dh

loc_65E643:				; CODE XREF: SleepstudyHelperDestroyBlocker(x)+34j
		test	ds:byte_70EFC6,	1
		jz	short loc_65E658
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65E65D
; 

loc_65E658:				; CODE XREF: SleepstudyHelperDestroyBlocker(x)+42j
		xor	eax, eax
		lock and [esi],	eax

loc_65E65D:				; CODE XREF: SleepstudyHelperDestroyBlocker(x)+4Ej
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx

loc_65E666:				; CODE XREF: SleepstudyHelperDestroyBlocker(x)+13j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_SleepstudyHelperDestroyBlocker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelperQueryBlockerStatistics(x, x, x)
_SleepstudyHelperQueryBlockerStatistics@12 proc	near ; DATA XREF: .data:006B35F0o

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_65E685
		mov	ebx, 0C000000Dh
		jmp	short loc_65E701
; 

loc_65E685:				; CODE XREF: SleepstudyHelperQueryBlockerStatistics(x,x,x)+Ej
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [esi+4]
		xor	ebx, ebx
		and	eax, 3
		cmp	al, 3
		jnz	short loc_65E6BA
		mov	byte ptr [ebp+arg_0+3],	1
		call	KeQueryInterruptTime
		mov	edi, eax
		mov	eax, edx
		sub	edi, [esi+10h]
		sbb	eax, [esi+14h]
		mov	[ebp+var_8], eax
		jmp	short loc_65E6C2
; 

loc_65E6BA:				; CODE XREF: SleepstudyHelperQueryBlockerStatistics(x,x,x)+32j
		mov	byte ptr [ebp+arg_0+3],	bl
		mov	edi, ebx
		mov	[ebp+var_8], ebx

loc_65E6C2:				; CODE XREF: SleepstudyHelperQueryBlockerStatistics(x,x,x)+4Aj
		test	ds:byte_70EFC6,	1
		jz	short loc_65E6D7
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65E6DC
; 

loc_65E6D7:				; CODE XREF: SleepstudyHelperQueryBlockerStatistics(x,x,x)+5Bj
		xor	eax, eax
		lock and [esi],	eax

loc_65E6DC:				; CODE XREF: SleepstudyHelperQueryBlockerStatistics(x,x,x)+67j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_65E6F1
		mov	cl, byte ptr [ebp+arg_0+3]
		mov	[eax], cl

loc_65E6F1:				; CODE XREF: SleepstudyHelperQueryBlockerStatistics(x,x,x)+7Cj
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_65E700
		mov	edx, [ebp+var_8]
		mov	[ecx], edi
		mov	[ecx+4], edx

loc_65E700:				; CODE XREF: SleepstudyHelperQueryBlockerStatistics(x,x,x)+88j
		pop	edi

loc_65E701:				; CODE XREF: SleepstudyHelperQueryBlockerStatistics(x,x,x)+15j
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
_SleepstudyHelperQueryBlockerStatistics@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SSHSupportEtwWrite(x, x, x,	x, x, x)
_SSHSupportEtwWrite@24 proc near	; CODE XREF: SshpFlushBlockerDataCache(x)+1E1p

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		mov	eax, ds:dword_6BEFAC
		push	[ebp+arg_8]
		mov	edx, ds:_SshpTraceHandle
		push	0
		push	ecx
		push	eax
		push	edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	ebp
		retn	10h
_SSHSupportEtwWrite@24 endp


;  S U B	R O U T	I N E 


; __stdcall SSHSupportQueryInterruptTime()
_SSHSupportQueryInterruptTime@0	proc near ; CODE XREF: SleepstudyHelperBuildBlocker+11D739p
					; SshpSendSessionData()+4Cp ...
		jmp	KeQueryInterruptTime
_SSHSupportQueryInterruptTime@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpScheduledEvaluationDpc(x, x, x,	x)
_TtmpScheduledEvaluationDpc@16 proc near ; DATA	XREF: TtmiCreateTerminal(x,x,x,x,x,x)+148o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ecx, ecx
		inc	ecx
		lea	eax, [esi+0A0h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_65E75E
		push	1
		lea	eax, [esi+90h]
		push	eax
		call	ExQueueWorkItem
		jmp	short loc_65E76A
; 

loc_65E75E:				; CODE XREF: TtmpScheduledEvaluationDpc(x,x,x,x)+1Aj
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_65E76A:				; CODE XREF: TtmpScheduledEvaluationDpc(x,x,x,x)+2Aj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
_TtmpScheduledEvaluationDpc@16 endp


;  S U B	R O U T	I N E 


; __stdcall PspInitializeProcessLock(x)
_PspInitializeProcessLock@4 proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+371p
		and	dword ptr [ecx+0E0h], 0
		retn
_PspInitializeProcessLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspReadDfssConfigurationValues()
_PspReadDfssConfigurationValues@0 proc near ; CODE XREF: PspIsDfssEnabled:loc_890E56p
					; PspDfssConfigurationChangeHandler(x)p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	6
		xor	eax, eax
		lea	edi, [esp+2Ch+var_18]
		pop	ecx
		rep stosd
		mov	ecx, ds:_PspDfssConfigurationKey
		xor	ebx, ebx
		mov	[esp+28h+var_1C], ebx
		test	ecx, ecx
		jnz	short loc_65E7D9
		lea	eax, [esp+28h+var_18]
		mov	[esp+28h+var_18], 18h
		push	eax
		push	11h
		lea	eax, [esp+30h+var_1C]
		mov	[esp+30h+var_14], ebx
		push	eax
		mov	[esp+34h+var_C], 240h
		mov	[esp+34h+var_10], offset _PspQuotaKeyNames
		mov	[esp+34h+var_8], ebx
		mov	[esp+34h+var_4], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		jmp	short loc_65E7DD
; 

loc_65E7D9:				; CODE XREF: PspReadDfssConfigurationValues()+27j
		mov	[esp+28h+var_1C], ecx

loc_65E7DD:				; CODE XREF: PspReadDfssConfigurationValues()+5Ej
		test	eax, eax
		js	loc_65E8B7
		xor	edi, edi
		mov	esi, ebx
		inc	edi

loc_65E7EA:				; CODE XREF: PspReadDfssConfigurationValues()+ABj
		push	ebx
		push	4
		push	ds:_PspDfssConfigValues[esi]
		push	4
		push	ds:off_705EF8[esi]
		push	[esp+3Ch+var_1C]
		call	RtlQueryImageFileKeyOption
		mov	ecx, ds:_PspDfssConfigValues[esi]
		test	eax, eax
		jns	short loc_65E818
		mov	eax, ds:dword_705EFC[esi]
		mov	[ecx], eax
		jmp	short loc_65E81E
; 

loc_65E818:				; CODE XREF: PspReadDfssConfigurationValues()+93j
		cmp	[ecx], ebx
		jnz	short loc_65E81E
		mov	[ecx], edi

loc_65E81E:				; CODE XREF: PspReadDfssConfigurationValues()+9Dj
					; PspReadDfssConfigurationValues()+A1j
		add	esi, 0Ch
		cmp	esi, 30h
		jb	short loc_65E7EA
		mov	esi, 73736644h
		cmp	ds:_PspDfssConfigurationNotify,	ebx
		jnz	short loc_65E85F
		push	esi
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:_PspDfssConfigurationNotify,	eax
		test	eax, eax
		jnz	short loc_65E854
		push	[esp+28h+var_1C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_65E8B7
; 

loc_65E854:				; CODE XREF: PspReadDfssConfigurationValues()+CEj
		mov	eax, [esp+28h+var_1C]
		mov	ds:_PspDfssConfigurationKey, eax
		jmp	short loc_65E866
; 

loc_65E85F:				; CODE XREF: PspReadDfssConfigurationValues()+B8j
		xor	cl, cl
		call	KeUpdateGroupSchedulingConstants

loc_65E866:				; CODE XREF: PspReadDfssConfigurationValues()+E4j
		mov	ecx, ds:_PspDfssConfigurationNotify
		push	edi
		push	ebx
		push	ebx
		push	ebx
		push	4
		lea	eax, [ecx+10h]
		mov	dword ptr [ecx+8], offset _PspDfssConfigurationChangeHandler@4 ; PspDfssConfigurationChangeHandler(x)
		push	eax
		push	edi
		push	ecx
		push	ebx
		push	ds:_PspDfssConfigurationKey
		mov	[ecx+0Ch], ebx
		mov	[ecx], ebx
		call	_ZwNotifyChangeKey@40 ;	ZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_65E8B7
		push	ds:_PspDfssConfigurationKey
		call	_ZwClose@4	; ZwClose(x)
		push	esi
		push	ds:_PspDfssConfigurationNotify
		mov	ds:_PspDfssConfigurationKey, ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ds:_PspDfssConfigurationNotify,	ebx

loc_65E8B7:				; CODE XREF: PspReadDfssConfigurationValues()+66j
					; PspReadDfssConfigurationValues()+D9j	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PspReadDfssConfigurationValues@0 endp


;  S U B	R O U T	I N E 


; __stdcall PsGetServerSiloActiveConsoleId(x)
_PsGetServerSiloActiveConsoleId@4 proc near ; CODE XREF: IopGetThreadActiveConsoleId(x)+Aj
		mov	eax, offset _PspHostSiloGlobals
		test	ecx, ecx
		jz	short loc_65E8CD
		mov	eax, [ecx+2F8h]

loc_65E8CD:				; CODE XREF: PsGetServerSiloActiveConsoleId(x)+7j
		mov	eax, [eax+28Ch]
		mov	eax, [eax+4]
		retn
_PsGetServerSiloActiveConsoleId@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspGetHostSiloStorage()
_PspGetHostSiloStorage@0 proc near	; CODE XREF: PsUnregisterSiloMonitor(x)+108p
		mov	eax, ds:dword_717F7C
		retn
_PspGetHostSiloStorage@0 endp


;  S U B	R O U T	I N E 


; __stdcall PspGetServerSiloStatePointer(x)
_PspGetServerSiloStatePointer@4	proc near ; CODE XREF: PsIsSiloStartedAndNotTerminated(x)p
					; PspMarkServerSiloAsTerminating(x)+7p	...
		mov	eax, [ecx+2F8h]
		add	eax, 280h
		retn
_PspGetServerSiloStatePointer@4	endp


;  S U B	R O U T	I N E 


; __stdcall PspIsSiloInServerSilo(x)
_PspIsSiloInServerSilo@4 proc near	; CODE XREF: PAGE:008D29ACp
		mov	edi, edi
		push	ecx
		call	_PsGetEffectiveServerSilo@4 ; PsGetEffectiveServerSilo(x)
		test	eax, eax
		setnz	al
		retn
_PspIsSiloInServerSilo@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspJobIsAppSilo(x)
_PspJobIsAppSilo@4 proc	near		; CODE XREF: sub_8D400A+1Dp
		test	dword ptr [ecx+310h], 40000000h
		jz	short loc_65E90F
		call	_PsIsServerSilo@4 ; PsIsServerSilo(x)
		test	al, al
		jnz	short loc_65E90F
		inc	al
		retn
; 

loc_65E90F:				; CODE XREF: PspJobIsAppSilo(x)+Aj
					; PspJobIsAppSilo(x)+13j
		xor	al, al
		retn
_PspJobIsAppSilo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetCpuQuotaInformation(x,	x, x)
_PsSetCpuQuotaInformation@12 proc near	; CODE XREF: PAGE:007B4378p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

		push	30h
		push	offset dword_6A8EB8
		call	__SEH_prolog4
		mov	ebx, edx
		mov	edx, ecx
		mov	[ebp+var_20], edx
		cmp	ds:_PsCpuFairShareEnabled, 0
		jnz	short loc_65E938
		mov	eax, 0C0000001h
		jmp	loc_65EB41
; 

loc_65E938:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+1Aj
		push	10h
		pop	esi
		cmp	ebx, esi
		jb	loc_65EB3C
		test	bl, 0Fh
		jnz	loc_65EB3C
		cmp	[ebp+arg_0], 0
		jz	short loc_65E9C6
		push	dword ptr [ebp+arg_0]
		push	ds:dword_A94A1C
		push	ds:_SeIncreaseQuotaPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_65E974
		mov	eax, 0C0000061h
		jmp	loc_65EB41
; 

loc_65E974:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+56j
		mov	edx, [ebp+var_20]
		cmp	[ebp+arg_0], 0
		jz	short loc_65E9C6
		and	[ebp+ms_exc.disabled], 0
		test	dl, 7
		jz	short loc_65E98B
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_65E98B:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+72j
		lea	ecx, [edx+ebx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_65E99B
		cmp	ecx, edx
		jnb	short loc_65E99E

loc_65E99B:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+83j
		mov	byte ptr [eax],	0

loc_65E99E:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+87j
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		jmp	short loc_65E9C9
; 

loc_65E9A6:				; DATA XREF: .text:006A8ECCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_65E9B4:				; DATA XREF: .text:006A8ED0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_30]
		jmp	loc_65EB41
; 

loc_65E9C6:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+3Ej
					; PsSetCpuQuotaInformation(x,x,x)+69j
		push	0FFFFFFFEh
		pop	edi

loc_65E9C9:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+92j
		shr	ebx, 4
		mov	eax, ebx
		mul	esi
		test	edx, edx
		jnz	loc_65EB35
		cmp	eax, 0FFFFFFFFh
		ja	loc_65EB35
		push	63537350h
		push	eax
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_65EA02
		mov	eax, 0C000009Ah
		jmp	loc_65EB41
; 

loc_65EA02:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+E4j
		lea	ecx, [eax+ebx*4]
		mov	[ebp+var_40], ecx
		lea	ecx, [ecx+ebx*4]
		mov	[ebp+var_24], ecx
		xor	esi, esi
		xor	eax, eax
		inc	eax
		mov	[ebp+var_2C], eax
		mov	edx, [ebp+var_1C]

loc_65EA19:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+145j
		cmp	esi, ebx
		jnb	short loc_65EA92
		mov	[ebp+ms_exc.disabled], eax
		mov	ecx, esi
		add	ecx, ecx
		mov	eax, [ebp+var_20]
		mov	eax, [eax+ecx*8]
		mov	[edx+esi*4], eax
		mov	eax, [ebp+var_24]
		and	dword ptr [eax+esi*8+4], 0
		mov	eax, [ebp+var_20]
		mov	eax, [eax+ecx*8+8]
		mov	ecx, [ebp+var_24]
		mov	[ecx+esi*8], eax
		movzx	eax, ax
		cmp	ax, word ptr [ebp+var_2C]
		jb	short loc_65EA59
		cmp	eax, 9
		ja	short loc_65EA59
		mov	[ebp+ms_exc.disabled], edi
		inc	esi
		xor	eax, eax
		inc	eax
		jmp	short loc_65EA19
; 

loc_65EA59:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+137j
					; PsSetCpuQuotaInformation(x,x,x)+13Cj
		mov	esi, 0C0000458h
		mov	[ebp+var_38], esi
		mov	[ebp+ms_exc.disabled], edi
		jmp	loc_65EB1A
; 

loc_65EA69:				; DATA XREF: .text:006A8ED8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		cmp	[ebp+arg_0], 1
		setz	al
		retn
; 

loc_65EA7D:				; DATA XREF: .text:006A8EDCo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_34]
		mov	[ebp+var_38], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_65EB1A
; 

loc_65EA92:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+109j
		xor	esi, esi
		mov	[ebp+var_20], esi
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_65EAF8
		mov	eax, [ebp+var_1C]
		mov	edx, eax
		mov	[ebp+var_2C], edx
		lea	ecx, [eax+ebx*4]
		sub	ecx, eax
		mov	[ebp+var_3C], ecx

loc_65EAAD:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+1E1j
		mov	eax, ds:_MmSessionObjectType
		mov	ecx, [edx]
		and	[ebp+var_28], 0
		push	0
		lea	edx, [ebp+var_28]
		push	edx
		push	dword ptr [ebp+arg_0]
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		mov	ecx, [ebp+var_28]
		mov	edx, [ebp+var_2C]
		mov	[edx], ecx
		test	esi, esi
		js	short loc_65EB03
		call	_MmGetSessionSchedulingGroup@4 ; MmGetSessionSchedulingGroup(x)
		mov	ecx, [ebp+var_3C]
		mov	[ecx+edx], eax
		test	eax, eax
		jz	short loc_65EB2B
		inc	edi
		add	edx, 4
		mov	[ebp+var_2C], edx
		cmp	edi, ebx
		jb	short loc_65EAAD
		mov	ecx, [ebp+var_24]

loc_65EAF8:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+189j
		push	ecx
		mov	edx, [ebp+var_40]
		mov	ecx, ebx
		call	KeSetSchedulingGroupWeights

loc_65EB03:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+1C7j
					; PsSetCpuQuotaInformation(x,x,x)+221j
		test	edi, edi
		jz	short loc_65EB1A
		mov	esi, [ebp+var_1C]

loc_65EB0A:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+203j
		dec	edi
		mov	ecx, [esi+edi*4]
		call	ObfDereferenceObject
		test	edi, edi
		jnz	short loc_65EB0A
		mov	esi, [ebp+var_20]

loc_65EB1A:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+152j
					; PsSetCpuQuotaInformation(x,x,x)+17Bj	...
		push	63537350h
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	short loc_65EB41
; 

loc_65EB2B:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+1D6j
		mov	esi, 0C0000455h
		mov	[ebp+var_20], esi
		jmp	short loc_65EB03
; 

loc_65EB35:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+C0j
					; PsSetCpuQuotaInformation(x,x,x)+C9j
		mov	eax, 0C0000095h
		jmp	short loc_65EB41
; 

loc_65EB3C:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+2Bj
					; PsSetCpuQuotaInformation(x,x,x)+34j
		mov	eax, 0C0000004h

loc_65EB41:				; CODE XREF: PsSetCpuQuotaInformation(x,x,x)+21j
					; PsSetCpuQuotaInformation(x,x,x)+5Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PsSetCpuQuotaInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspExpandLimit(x, x, x, x)
_PspExpandLimit@16 proc	near		; CODE XREF: PspInitializeQuotaBlock+850AEp

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1], 0
		push	edi
		imul	edi, esi, 1Ch
		lea	edx, [ebp-1]
		add	edi, offset _PspQuotaExpansionDescriptors
		mov	ecx, edi
		call	@PspLockQuotaExpansion@8 ; PspLockQuotaExpansion(x,x)
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	0
		push	esi
		call	dword ptr [edi+0Ch]
		mov	dl, [ebp+var_1]
		mov	ecx, edi
		mov	bl, al
		call	PspUnlockQuotaExpansion
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
_PspExpandLimit@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspReleaseReturnedQuota(x, x)
_PspReleaseReturnedQuota@8 proc	near	; CODE XREF: PspReturnResourceQuota+D5A10p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	[ebp+var_8], edx
		mov	eax, ecx
		add	edx, 14h
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, [edx]
		cmp	edi, edx
		jz	short loc_65EBEA
		push	ebx
		shl	eax, 7
		mov	ebx, 1B8h
		sub	ebx, eax

loc_65EBBD:				; CODE XREF: PspReleaseReturnedQuota(x,x)+43j
		xor	ecx, ecx
		lea	eax, [edi-4]
		xchg	ecx, [eax]
		add	esi, ecx
		cmp	dword ptr [ebx+edi], 0
		jnz	short loc_65EBD5
		xor	ecx, ecx
		lea	eax, [edi-8]
		xchg	ecx, [eax]
		add	esi, ecx

loc_65EBD5:				; CODE XREF: PspReleaseReturnedQuota(x,x)+34j
		mov	edi, [edi]
		cmp	edi, edx
		jnz	short loc_65EBBD
		pop	ebx
		test	esi, esi
		jz	short loc_65EBEA
		mov	eax, [ebp+var_8]
		push	esi
		push	[ebp+var_4]
		call	dword ptr [eax+10h]

loc_65EBEA:				; CODE XREF: PspReleaseReturnedQuota(x,x)+1Aj
					; PspReleaseReturnedQuota(x,x)+48j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_PspReleaseReturnedQuota@8 endp


;  S U B	R O U T	I N E 


; __stdcall PsGetBaseTrapFrame(x, x)
_PsGetBaseTrapFrame@8 proc near		; CODE XREF: PsPicoWalkUserStack(x,x)+19p
		jmp	_PspGetBaseTrapFrame@8 ; PspGetBaseTrapFrame(x,x)
_PsGetBaseTrapFrame@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1778. PsGetCurrentThreadStackBase

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentThreadStackBase()
		public _PsGetCurrentThreadStackBase@0
_PsGetCurrentThreadStackBase@0 proc near
		mov	eax, large fs:124h
		mov	eax, [eax+28h]
		retn
_PsGetCurrentThreadStackBase@0 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1779. PsGetCurrentThreadStackLimit

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentThreadStackLimit()
		public _PsGetCurrentThreadStackLimit@0
_PsGetCurrentThreadStackLimit@0	proc near
		mov	eax, large fs:124h
		mov	eax, [eax+24h]
		retn
_PsGetCurrentThreadStackLimit@0	endp


;  S U B	R O U T	I N E 


; __stdcall PsGetJobEffectiveFreezeCount(x)
_PsGetJobEffectiveFreezeCount@4	proc near ; CODE XREF: AlpcpDispatchNewMessage(x)+135p
					; AlpcpDispatchConnectionRequest+14B1AAp
		mov	eax, [ecx+194h]
		retn
_PsGetJobEffectiveFreezeCount@4	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1794. PsGetProcessCommonJob

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessCommonJob(x, x)
		public _PsGetProcessCommonJob@8
_PsGetProcessCommonJob@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+158h]
		test	ecx, ecx
		jz	short loc_65EC54
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+158h]
		test	eax, eax
		jz	short loc_65EC54
		mov	eax, [eax+248h]
		cmp	[ecx+248h], eax
		jnz	short loc_65EC54
		mov	eax, [ecx+248h]
		jmp	short loc_65EC56
; 

loc_65EC54:				; CODE XREF: PsGetProcessCommonJob(x,x)+10j
					; PsGetProcessCommonJob(x,x)+1Dj ...
		xor	eax, eax

loc_65EC56:				; CODE XREF: PsGetProcessCommonJob(x,x)+33j
		pop	ebp
		retn	8
_PsGetProcessCommonJob@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1806. PsGetProcessPriorityClass

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessPriorityClass(x)
		public _PsGetProcessPriorityClass@4
_PsGetProcessPriorityClass@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	al, [eax+1BBh]
		pop	ebp
		retn	4
_PsGetProcessPriorityClass@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1815. PsGetProcessSilo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessSilo(x)
		public _PsGetProcessSilo@4
_PsGetProcessSilo@4 proc near		; CODE XREF: NtSetInformationThread+104B7Ep
					; PsIsProcessInAppSilo(x)+8p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+158h]
		call	_PspGetJobSilo@4 ; PspGetJobSilo(x)
		pop	ebp
		retn	4
_PsGetProcessSilo@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1824. PsGetThreadCreateTime

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetThreadCreateTime(x)
		public _PsGetThreadCreateTime@4
_PsGetThreadCreateTime@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [edx+280h]
		mov	edx, [edx+284h]
		pop	ebp
		retn	4
_PsGetThreadCreateTime@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1857. PsIsWin32KFilterAuditEnabledForProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsWin32KFilterAuditEnabledForProcess(x)
		public _PsIsWin32KFilterAuditEnabledForProcess@4
_PsIsWin32KFilterAuditEnabledForProcess@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+490h]
		shr	eax, 0Fh
		and	al, 1
		pop	ebp
		retn	4
_PsIsWin32KFilterAuditEnabledForProcess@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1859. PsIsWin32KFilterEnabledForProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsWin32KFilterEnabledForProcess(x)
		public _PsIsWin32KFilterEnabledForProcess@4
_PsIsWin32KFilterEnabledForProcess@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+490h]
		shr	eax, 0Eh
		and	al, 1
		pop	ebp
		retn	4
_PsIsWin32KFilterEnabledForProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsQueryActivityModerationUserSettings(x)
_PsQueryActivityModerationUserSettings@4 proc near ; CODE XREF:	PAGE:00781FACp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, ds:_PspBamExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jnz	short loc_65ED06
		mov	esi, 0C0000002h
		jmp	short loc_65ED26
; 

loc_65ED06:				; CODE XREF: PsQueryActivityModerationUserSettings(x)+1Bj
		lea	ecx, [ebp+var_4]
		push	ecx
		call	dword ptr [eax+10h]
		mov	esi, eax
		test	esi, esi
		js	short loc_65ED18
		mov	ecx, [ebp+var_4]
		mov	[edi], ecx

loc_65ED18:				; CODE XREF: PsQueryActivityModerationUserSettings(x)+2Fj
		mov	ecx, ds:_PspBamExtensionHost
		add	ecx, 24h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_65ED26:				; CODE XREF: PsQueryActivityModerationUserSettings(x)+22j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_PsQueryActivityModerationUserSettings@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetExeModerationState(x, x, x)
_PsSetExeModerationState@12 proc near	; CODE XREF: PAGE:007B4A4Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	ecx, ds:_PspBamExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jnz	short loc_65ED4D
		mov	esi, 0C0000002h
		jmp	short loc_65ED65
; 

loc_65ED4D:				; CODE XREF: PsSetExeModerationState(x,x,x)+18j
		push	[ebp+arg_0]
		push	esi
		push	edi
		call	dword ptr [eax+0Ch]
		mov	esi, eax
		mov	ecx, ds:_PspBamExtensionHost
		add	ecx, 24h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_65ED65:				; CODE XREF: PsSetExeModerationState(x,x,x)+1Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_PsSetExeModerationState@12 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1903. PsSetJobProperty

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetJobProperty(x,	x, x)
		public _PsSetJobProperty@12
_PsSetJobProperty@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	esi, [ebp+arg_0]
		cmp	al, 2
		jnb	short loc_65EDB3
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, ds:_PsJobType
		jz	short loc_65EDB3
		mov	eax, 0C000000Dh
		jmp	short loc_65EDD3
; 

loc_65EDB3:				; CODE XREF: PsSetJobProperty(x,x,x)+11j
					; PsSetJobProperty(x,x,x)+38j
		cmp	[ebp+arg_8], 0
		lea	ecx, [esi+2FCh]
		mov	edx, [ebp+arg_4]
		jz	short loc_65EDCC
		push	[ebp+arg_8]
		call	PspInsertProperty
		jmp	short loc_65EDD3
; 

loc_65EDCC:				; CODE XREF: PsSetJobProperty(x,x,x)+4Ej
		push	0
		call	PspRemoveProperty

loc_65EDD3:				; CODE XREF: PsSetJobProperty(x,x,x)+3Fj
					; PsSetJobProperty(x,x,x)+58j
		pop	esi
		pop	ebp
		retn	0Ch
_PsSetJobProperty@12 endp ; sp = -4

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1910. PsSetProcessPriorityClass

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetProcessPriorityClass(x, x)
		public _PsSetProcessPriorityClass@8
_PsSetProcessPriorityClass@8 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	cl, [ebp+arg_4]
		mov	[eax+1BBh], cl
		pop	ebp
		retn	8
_PsSetProcessPriorityClass@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspGetFreezeState(x)
_PspGetFreezeState@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+64h]
		shr	eax, 3
		and	al, 1
		pop	ebp
		retn	4
_PspGetFreezeState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsWatchWorkingSet(x, x, x)
_PsWatchWorkingSet@12 proc near		; CODE XREF: Dr_kite_a+38Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	[ebp+var_10], edi
		mov	eax, [edi+80h]
		mov	esi, [eax+168h]
		test	esi, esi
		jz	loc_65EF6D
		cmp	[ebp+arg_0], 114h
		mov	[ebp+var_8], 40000000h
		jl	short loc_65EE45
		mov	[ebp+var_8], 80000000h

loc_65EE45:				; CODE XREF: PsWatchWorkingSet(x,x,x)+36j
		mov	eax, [esi]
		push	ebx
		mov	[ebp+var_C], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		xor	ebx, ebx
		mov	[ebp+var_1], al
		inc	ebx
		cmp	al, bl
		jnb	short loc_65EE63
		dec	word ptr [edi+13Ch]
		nop

loc_65EE63:				; CODE XREF: PsWatchWorkingSet(x,x,x)+53j
		mov	edx, [ebp+var_C]
		jmp	short loc_65EE9F
; 

loc_65EE68:				; CODE XREF: PsWatchWorkingSet(x,x,x)+9Bj
		mov	eax, edx
		and	eax, 0FFFEh
		cmp	eax, 800h
		jnb	short loc_65EEA3
		lea	eax, [edx+2]
		mov	ecx, edx
		xor	eax, edx
		and	eax, 0FFFEh
		xor	edx, eax
		lea	eax, [edx+10000h]
		xor	eax, edx
		and	eax, 7FFF0000h
		xor	edx, eax
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	edx, eax
		cmp	edx, ecx
		jz	short loc_65EEA3

loc_65EE9F:				; CODE XREF: PsWatchWorkingSet(x,x,x)+60j
		test	dl, bl
		jz	short loc_65EE68

loc_65EEA3:				; CODE XREF: PsWatchWorkingSet(x,x,x)+6Ej
					; PsWatchWorkingSet(x,x,x)+97j
		test	dl, bl
		jnz	loc_65EF45
		shr	edx, 1
		and	edx, 7FFFh
		cmp	edx, 400h
		jnb	loc_65EF45
		lea	eax, [edx+2]
		imul	ecx, eax, 0Ch
		cmp	[ebp+arg_0], 114h
		mov	eax, [ebp+arg_4]
		mov	[ecx+esi], eax
		mov	eax, [ebp+arg_8]
		jge	short loc_65EEDB
		or	eax, ebx
		jmp	short loc_65EEDE
; 

loc_65EEDB:				; CODE XREF: PsWatchWorkingSet(x,x,x)+CFj
		and	eax, 0FFFFFFFEh

loc_65EEDE:				; CODE XREF: PsWatchWorkingSet(x,x,x)+D3j
		imul	ecx, edx, 0Ch
		mov	[ecx+esi+1Ch], eax
		mov	eax, [edi+2B0h]
		mov	[ecx+esi+20h], eax
		mov	eax, 0FFFF0000h
		lock xadd [esi], eax
		test	al, bl
		jz	short loc_65EF12
		and	eax, 7FFF0000h
		cmp	eax, 10000h
		jnz	short loc_65EF12
		lea	ecx, [esi+8]
		xor	edx, edx
		call	KeSignalGate

loc_65EF12:				; CODE XREF: PsWatchWorkingSet(x,x,x)+F4j
					; PsWatchWorkingSet(x,x,x)+100j
		mov	eax, [edi+0F4h]
		test	eax, eax
		jz	short loc_65EF60
		mov	edi, eax

loc_65EF1E:				; CODE XREF: PsWatchWorkingSet(x,x,x)+130j
					; PsWatchWorkingSet(x,x,x)+135j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		mov	eax, esi
		mov	ecx, edx
		mov	[ebp+arg_0], edx
		or	ecx, [ebp+var_8]
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_65EF1E
		cmp	edx, [ebp+arg_0]
		jnz	short loc_65EF1E
		mov	edi, [ebp+var_10]
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_65EF60
; 

loc_65EF45:				; CODE XREF: PsWatchWorkingSet(x,x,x)+9Fj
					; PsWatchWorkingSet(x,x,x)+B3j
		add	esi, 4
		mov	edx, [esi]
		jmp	short loc_65EF5B
; 

loc_65EF4C:				; CODE XREF: PsWatchWorkingSet(x,x,x)+158j
		mov	ecx, edx
		inc	edx
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	edx, eax
		cmp	edx, ecx
		jz	short loc_65EF60

loc_65EF5B:				; CODE XREF: PsWatchWorkingSet(x,x,x)+144j
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_65EF4C

loc_65EF60:				; CODE XREF: PsWatchWorkingSet(x,x,x)+114j
					; PsWatchWorkingSet(x,x,x)+13Dj ...
		cmp	[ebp+var_1], bl
		pop	ebx
		jnb	short loc_65EF6D
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_65EF6D:				; CODE XREF: PsWatchWorkingSet(x,x,x)+22j
					; PsWatchWorkingSet(x,x,x)+15Ej
		pop	edi
		pop	esi
		leave
		retn	0Ch
_PsWatchWorkingSet@12 endp


;  S U B	R O U T	I N E 


; __stdcall PspLockProcessSharedUnsafe(x)
_PspLockProcessSharedUnsafe@4 proc near	; CODE XREF: PAGE:007A7D75p
		add	ecx, 0E0h
		xor	edx, edx
		jmp	ExAcquirePushLockSharedEx
_PspLockProcessSharedUnsafe@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspUnlockProcessSharedUnsafe(x)
_PspUnlockProcessSharedUnsafe@4	proc near ; CODE XREF: PAGE:007A7D97p
		mov	edi, edi
		push	esi
		push	11h
		lea	esi, [ecx+0E0h]
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_65EF9E
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_65EF9E:				; CODE XREF: PspUnlockProcessSharedUnsafe(x)+15j
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
_PspUnlockProcessSharedUnsafe@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspUnlockWorkingSetChangeExclusiveUnsafe()
_PspUnlockWorkingSetChangeExclusiveUnsafe@0 proc near ;	CODE XREF: PspSetQuotaLimits+20Bp
					; PspApplyWorkingSetLimits(x,x)+B9p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		or	ecx, 0FFFFFFFFh
		mov	edx, offset dword_6BEF18
		mov	[ebp+var_8], ecx
		mov	eax, ecx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_65EFD6
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh
		mov	edx, offset dword_6BEF18

loc_65EFD6:				; CODE XREF: PspUnlockWorkingSetChangeExclusiveUnsafe()+1Dj
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	edx, 7FFFFFFCh
		jz	loc_65F16E
		mov	eax, edx
		push	esi
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_14], esi
		cmp	edx, offset dword_6BEF18
		ja	short loc_65F030
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_65F020
		cmp	edx, offset dword_6BEF18
		ja	short loc_65F030
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_65F030

loc_65F020:				; CODE XREF: PspUnlockWorkingSetChangeExclusiveUnsafe()+65j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_8], eax

loc_65F030:				; CODE XREF: PspUnlockWorkingSetChangeExclusiveUnsafe()+5Cj
					; PspUnlockWorkingSetChangeExclusiveUnsafe()+6Dj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	edx, offset dword_6BEF18
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jnz	short loc_65F080
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_65F0F2
		push	ecx
		push	[ebp+var_8]
		push	offset dword_6BEF18
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_65F080:				; CODE XREF: PspUnlockWorkingSetChangeExclusiveUnsafe()+B4j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_65F096
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_10]

loc_65F096:				; CODE XREF: PspUnlockWorkingSetChangeExclusiveUnsafe()+E4j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	short loc_65F0E0
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_65F0F2
; 

loc_65F0E0:				; CODE XREF: PspUnlockWorkingSetChangeExclusiveUnsafe()+124j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_14]

loc_65F0F2:				; CODE XREF: PspUnlockWorkingSetChangeExclusiveUnsafe()+BEj
					; PspUnlockWorkingSetChangeExclusiveUnsafe()+136j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_14], eax
		jz	short loc_65F155
		test	edi, 8000h
		jz	short loc_65F116
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_65F116:				; CODE XREF: PspUnlockWorkingSetChangeExclusiveUnsafe()+163j
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_65F126
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_65F126:				; CODE XREF: PspUnlockWorkingSetChangeExclusiveUnsafe()+172j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_65F13A
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_65F13A:				; CODE XREF: PspUnlockWorkingSetChangeExclusiveUnsafe()+185j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_65F155
		push	[ebp+var_14]
		mov	edx, offset dword_6BEF18
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_65F155:				; CODE XREF: PspUnlockWorkingSetChangeExclusiveUnsafe()+15Bj
					; PspUnlockWorkingSetChangeExclusiveUnsafe()+19Cj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_65F16D
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_65F16D
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_65F16D:				; CODE XREF: PspUnlockWorkingSetChangeExclusiveUnsafe()+1B6j
					; PspUnlockWorkingSetChangeExclusiveUnsafe()+1BEj
		pop	esi

loc_65F16E:				; CODE XREF: PspUnlockWorkingSetChangeExclusiveUnsafe()+3Aj
		pop	edi
		leave
		retn
_PspUnlockWorkingSetChangeExclusiveUnsafe@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSynchronizeWithProcessInsertion(x, x)
_PspSynchronizeWithProcessInsertion@8 proc near	; CODE XREF: PspAssignPrimaryToken+122p
					; NtGetNextProcess+A0171p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		dec	word ptr [esi+13Ch]
		nop
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		add	ecx, 0E0h
		xor	edx, edx
		lock or	[eax], edx
		mov	eax, [ecx]
		test	al, 1
		jz	short loc_65F19F
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)

loc_65F19F:				; CODE XREF: PspSynchronizeWithProcessInsertion(x,x)+27j
		mov	ecx, esi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi
		leave
		retn
_PspSynchronizeWithProcessInsertion@8 endp


;  S U B	R O U T	I N E 


; __stdcall PspUnlockProcessSecurityShared(x, x)
_PspUnlockProcessSecurityShared@8 proc near ; CODE XREF: PspAssignPrimaryToken+114p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	11h
		mov	ebx, edx
		lea	edi, [ecx+0E0h]
		xor	esi, esi
		pop	eax
		lock cmpxchg [edi], esi
		cmp	eax, 11h
		jz	short loc_65F1CB
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_65F1CB:				; CODE XREF: PspUnlockProcessSecurityShared(x,x)+19j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		mov	ecx, ebx
		pop	ebx
		jmp	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
_PspUnlockProcessSecurityShared@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetJobLastThrottledIoTime(x)
_PsGetJobLastThrottledIoTime@4 proc near ; CODE	XREF: MiNoPagesLastChance(x,x)+106p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+35Ch]
		push	edi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	bl, al
		mov	eax, [esi+380h]
		mov	esi, [esi+384h]
		push	edi
		mov	[ebp+var_4], eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_4]
		mov	edx, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PsGetJobLastThrottledIoTime@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIoRateControlOverQuotaNotify(x, x, x, x, x)
_PsIoRateControlOverQuotaNotify@20 proc	near ; CODE XREF: IoNotifyQuotaState(x,x,x,x,x)+56p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_10], edx
		push	edi
		xor	edi, edi
		inc	ebx
		mov	esi, ecx
		cmp	[ebp+arg_8], edi
		jz	short loc_65F245
		mov	cl, bl
		call	KiQueryUnbiasedInterruptTime
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx
		jmp	short loc_65F24B
; 

loc_65F245:				; CODE XREF: PsIoRateControlOverQuotaNotify(x,x,x,x,x)+18j
		mov	[ebp+var_8], edi
		mov	[ebp+var_C], edi

loc_65F24B:				; CODE XREF: PsIoRateControlOverQuotaNotify(x,x,x,x,x)+27j
		lea	eax, [esi+35Ch]
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebp+arg_4]
		mov	edx, [esi+368h]
		mov	[ebp+var_1], al
		mov	eax, [esi+36Ch]
		cmp	ecx, [esi+37Ch]
		jz	short loc_65F27D
		inc	dword ptr [esi+370h]
		shld	eax, edx, 1
		add	edx, edx

loc_65F27D:				; CODE XREF: PsIoRateControlOverQuotaNotify(x,x,x,x,x)+53j
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+378h], eax
		cmp	[ebp+var_10], edi
		jnz	short loc_65F290
		mov	ebx, edi

loc_65F290:				; CODE XREF: PsIoRateControlOverQuotaNotify(x,x,x,x,x)+70j
		or	edi, [ebp+arg_4]
		or	ebx, edx
		cmp	[ebp+arg_8], 0
		mov	[esi+368h], ebx
		mov	[esi+36Ch], edi
		jz	short loc_65F2B9
		mov	eax, [ebp+var_8]
		mov	[esi+380h], eax
		mov	eax, [ebp+var_C]
		mov	[esi+384h], eax

loc_65F2B9:				; CODE XREF: PsIoRateControlOverQuotaNotify(x,x,x,x,x)+89j
		lea	eax, [esi+35Ch]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PsIoRateControlOverQuotaNotify@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspApplyTimerDelayProcess(x, x)
_PspApplyTimerDelayProcess@8 proc near	; CODE XREF: PspTimerDelayProcess(x,x)+36p
					; PspTimerDelayWorkerRoutine(x)+22p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, large fs:124h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_20], eax
		mov	edx, ecx
		xor	ecx, ecx
		dec	word ptr [eax+13Eh]
		push	esi
		push	edi
		mov	[ebp+var_14], edx
		mov	[ebp+var_1C], ecx
		nop
		lea	eax, [edx+64h]
		lock bts dword ptr [eax], 4
		mov	[ebp+var_8], ecx
		mov	edi, ecx
		test	ebx, ebx
		jz	short loc_65F34D
		mov	eax, [ebx+4]
		xor	edx, edx
		mov	[ebp+var_1], cl
		xor	esi, esi
		mov	ecx, 2710h
		div	ecx
		xor	edx, edx
		mov	edi, eax
		mov	eax, [ebx]
		div	ecx
		mov	edx, [ebp+var_14]
		and	edi, 3FFFFFFFh
		shld	esi, edi, 1Eh
		xor	ecx, ecx
		and	eax, 3FFFFFFFh
		shl	edi, 1Eh
		and	ecx, 0F0000000h
		or	edi, eax
		or	esi, ecx
		mov	[ebp+var_8], esi
		jmp	short loc_65F351
; 

loc_65F34D:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+37j
		mov	[ebp+var_1], 1

loc_65F351:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+76j
		lea	eax, [edx+440h]
		xor	edx, edx
		mov	[ebp+var_10], eax
		xor	eax, eax
		nop
		mov	esi, [ebp+var_10]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_8]
		mov	[ebp+var_C], eax
		cmp	[ebp+var_1], cl
		jnz	short loc_65F3B5
		mov	ecx, eax
		xor	ebx, ebx
		xor	ecx, edi
		and	ecx, 3FFFFFFFh
		or	ecx, ebx
		jnz	short loc_65F3DE
		mov	ecx, edi
		mov	[ebp+var_8], edx
		and	[ebp+var_8], 0FFFFFFFh
		and	ecx, 0C0000000h
		and	eax, 0C0000000h
		cmp	eax, ecx
		jnz	short loc_65F3DE
		cmp	[ebp+var_8], esi
		jnz	short loc_65F3DE

loc_65F3A5:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+FFj
					; PspApplyTimerDelayProcess(x,x)+18Cj ...
		mov	ecx, [ebp+var_20]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_1C]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_65F3B5:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+9Ej
		mov	edi, [ebp+var_C]
		and	eax, 3FFFFFFFh
		xor	ebx, ebx
		or	eax, ebx
		jnz	short loc_65F3D6
		mov	ecx, edi
		mov	eax, edx
		and	ecx, 0C0000000h
		and	eax, 0FFFFFFFh
		or	ecx, eax
		jz	short loc_65F3A5

loc_65F3D6:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+ECj
		mov	esi, edx
		and	esi, 0FFFFFFFh

loc_65F3DE:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+AEj
					; PspApplyTimerDelayProcess(x,x)+C9j ...
		movzx	eax, [ebp+var_1]
		and	edx, 7FFFFFFFh
		mov	[ebp+var_18], edx
		or	edi, ebx
		cdq
		mov	edx, [ebp+var_18]
		shl	eax, 1Dh
		or	eax, 80000000h
		or	esi, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_8], esi
		nop
		mov	ecx, esi
		mov	ebx, edi
		mov	esi, [ebp+var_10]
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, eax
		mov	esi, ecx
		cmp	ebx, [ebp+var_C]
		jnz	short loc_65F41F
		cmp	edx, [ebp+var_18]
		jz	loc_65F4A6

loc_65F41F:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+13Fj
					; PspApplyTimerDelayProcess(x,x)+1C6j ...
		xor	eax, eax
		mov	[ebp+var_18], ebx
		mov	[ebp+var_C], edx
		cmp	edx, eax
		jl	short loc_65F452
		jg	short loc_65F431
		cmp	ebx, eax
		jb	short loc_65F452

loc_65F431:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+156j
		and	esi, 0BFFFFFFFh
		mov	[ebp+var_8], esi
		cmp	[ebp+var_1], al
		jz	short loc_65F485
		mov	eax, esi
		mov	ecx, edi
		xor	eax, edx
		xor	ecx, ebx
		and	eax, 0FFFFFFFh
		xor	edi, ecx
		xor	esi, eax
		jmp	short loc_65F482
; 

loc_65F452:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+154j
					; PspApplyTimerDelayProcess(x,x)+15Aj
		cmp	[ebp+var_1], al
		jnz	short loc_65F469
		mov	ecx, edx
		and	ecx, 20000000h
		or	eax, ecx
		jz	loc_65F3A5
		jmp	short loc_65F47C
; 

loc_65F469:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+180j
		xor	edi, edi
		mov	eax, edx
		and	esi, 0F0000000h
		and	eax, 0FFFFFFFh
		or	edi, ebx
		or	esi, eax

loc_65F47C:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+192j
		or	esi, 40000000h

loc_65F482:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+17Bj
		mov	[ebp+var_8], esi

loc_65F485:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+168j
		mov	eax, ebx
		nop
		mov	ecx, esi
		mov	ebx, edi
		mov	esi, [ebp+var_10]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_8]
		mov	ebx, eax
		cmp	ebx, [ebp+var_18]
		jnz	short loc_65F41F
		cmp	edx, [ebp+var_C]
		jnz	loc_65F41F

loc_65F4A6:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+144j
		mov	ecx, esi
		xor	eax, eax
		and	ecx, 40000000h
		or	eax, ecx
		jnz	loc_65F3A5
		mov	ebx, esi
		mov	[ebp+var_C], edi
		mov	[ebp+var_18], ebx

loc_65F4C0:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+22Fj
		mov	ecx, [ebp+var_14]
		call	_PspSetProcessTimerDelayForKTimers@4 ; PspSetProcessTimerDelayForKTimers(x)
		mov	ecx, [ebp+var_14]
		call	_PspSetProcessTimerDelayForWin32@4 ; PspSetProcessTimerDelayForWin32(x)
		mov	[ebp+var_1C], eax
		and	esi, 1FFFFFFFh
		mov	eax, [ebp+var_C]
		mov	edx, ebx
		nop
		mov	ecx, esi
		mov	ebx, edi
		mov	esi, [ebp+var_10]
		lock cmpxchg8b qword ptr [esi]
		mov	edi, eax
		mov	esi, edx
		cmp	[ebp+var_C], edi
		jnz	short loc_65F4FC
		cmp	[ebp+var_18], esi
		jz	loc_65F3A5

loc_65F4FC:				; CODE XREF: PspApplyTimerDelayProcess(x,x)+21Cj
		mov	[ebp+var_C], eax
		mov	ebx, edx
		mov	[ebp+var_18], esi
		jmp	short loc_65F4C0
_PspApplyTimerDelayProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspIoRateEntryVolumeDelete(x, x)
_PspIoRateEntryVolumeDelete@8 proc near	; CODE XREF: PspJobIoRateVolumeEntryRemoveAll(x,x)+7Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jz	short loc_65F51A
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_65F51A:				; CODE XREF: PspIoRateEntryVolumeDelete(x,x)+Dj
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		or	dword ptr [eax+8], 0FFFFFFFFh
		pop	ebp
		retn	8
_PspIoRateEntryVolumeDelete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspJobIoRateVolumeEntryInsert(x, x)
_PspJobIoRateVolumeEntryInsert@8 proc near
					; CODE XREF: PspSetJobIoRateControlForVolume(x,x,x,x,x)+A2p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	[ebp+var_10], ebx
		lea	eax, [esi+35Ch]
		push	eax
		mov	[ebp+var_14], eax
		call	ExAcquireSpinLockExclusive
		lea	edi, [esi+360h]
		mov	[ebp+var_1], al
		test	byte ptr [edi+4], 1
		mov	eax, [ebx+0Ch]
		mov	esi, [edi]
		mov	[ebp+var_C], eax
		jz	short loc_65F571
		test	esi, esi
		jz	short loc_65F56F
		xor	esi, edi
		jmp	short loc_65F571
; 

loc_65F56F:				; CODE XREF: PspJobIoRateVolumeEntryInsert(x,x)+3Aj
		xor	esi, esi

loc_65F571:				; CODE XREF: PspJobIoRateVolumeEntryInsert(x,x)+36j
					; PspJobIoRateVolumeEntryInsert(x,x)+3Ej
		movzx	ebx, byte ptr [edi+4]
		and	ebx, 1
		mov	byte ptr [ebp+var_5], 0
		test	esi, esi
		jz	short loc_65F5BD

loc_65F580:				; CODE XREF: PspJobIoRateVolumeEntryInsert(x,x)+88j
		push	esi
		push	eax
		call	_MiLockTrackerCompare@8	; MiLockTrackerCompare(x,x)
		test	eax, eax
		js	short loc_65F5A2
		mov	eax, [esi+4]
		test	ebx, ebx
		jz	short loc_65F598
		test	eax, eax
		jz	short loc_65F59C
		xor	eax, esi

loc_65F598:				; CODE XREF: PspJobIoRateVolumeEntryInsert(x,x)+61j
		test	eax, eax
		jnz	short loc_65F5B2

loc_65F59C:				; CODE XREF: PspJobIoRateVolumeEntryInsert(x,x)+65j
		mov	byte ptr [ebp+var_5], 1
		jmp	short loc_65F5BD
; 

loc_65F5A2:				; CODE XREF: PspJobIoRateVolumeEntryInsert(x,x)+5Aj
		mov	eax, [esi]
		test	ebx, ebx
		jz	short loc_65F5AE
		test	eax, eax
		jz	short loc_65F5B9
		xor	eax, esi

loc_65F5AE:				; CODE XREF: PspJobIoRateVolumeEntryInsert(x,x)+77j
		test	eax, eax
		jz	short loc_65F5B9

loc_65F5B2:				; CODE XREF: PspJobIoRateVolumeEntryInsert(x,x)+6Bj
		mov	esi, eax
		mov	eax, [ebp+var_C]
		jmp	short loc_65F580
; 

loc_65F5B9:				; CODE XREF: PspJobIoRateVolumeEntryInsert(x,x)+7Bj
					; PspJobIoRateVolumeEntryInsert(x,x)+81j
		mov	byte ptr [ebp+var_5], 0

loc_65F5BD:				; CODE XREF: PspJobIoRateVolumeEntryInsert(x,x)+4Fj
					; PspJobIoRateVolumeEntryInsert(x,x)+71j
		push	[ebp+var_10]
		push	[ebp+var_5]
		push	esi
		push	edi
		call	RtlRbInsertNodeEx
		push	[ebp+var_14]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PspJobIoRateVolumeEntryInsert@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspJobIoRateVolumeEntryReference(x,	x)
_PspJobIoRateVolumeEntryReference@8 proc near ;	CODE XREF: PsIoRateControlReference+D61E7p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		lea	ebx, [esi+35Ch]
		push	ebx
		mov	[ebp+var_C], ebx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		lea	ecx, [esi+360h]
		mov	[ebp+var_1], al
		test	byte ptr [ecx+4], 1
		mov	esi, [ecx]
		jz	short loc_65F619
		test	esi, esi
		jz	short loc_65F617
		xor	esi, ecx
		jmp	short loc_65F619
; 

loc_65F617:				; CODE XREF: PspJobIoRateVolumeEntryReference(x,x)+31j
		xor	esi, esi

loc_65F619:				; CODE XREF: PspJobIoRateVolumeEntryReference(x,x)+2Dj
					; PspJobIoRateVolumeEntryReference(x,x)+35j
		push	edi
		movzx	edi, byte ptr [ecx+4]
		and	edi, 1
		test	esi, esi
		jz	short loc_65F653
		mov	ebx, [ebp+var_8]

loc_65F628:				; CODE XREF: PspJobIoRateVolumeEntryReference(x,x)+6Cj
		push	esi
		push	ebx
		call	_MiLockTrackerCompare@8	; MiLockTrackerCompare(x,x)
		test	eax, eax
		jns	short loc_65F637
		mov	eax, [esi]
		jmp	short loc_65F63C
; 

loc_65F637:				; CODE XREF: PspJobIoRateVolumeEntryReference(x,x)+51j
		jle	short loc_65F64E
		mov	eax, [esi+4]

loc_65F63C:				; CODE XREF: PspJobIoRateVolumeEntryReference(x,x)+55j
		test	edi, edi
		jz	short loc_65F648
		test	eax, eax
		jz	short loc_65F648
		xor	esi, eax
		jmp	short loc_65F64A
; 

loc_65F648:				; CODE XREF: PspJobIoRateVolumeEntryReference(x,x)+5Ej
					; PspJobIoRateVolumeEntryReference(x,x)+62j
		mov	esi, eax

loc_65F64A:				; CODE XREF: PspJobIoRateVolumeEntryReference(x,x)+66j
		test	esi, esi
		jnz	short loc_65F628

loc_65F64E:				; CODE XREF: PspJobIoRateVolumeEntryReference(x,x):loc_65F637j
		mov	ebx, [ebp+var_C]
		test	esi, esi

loc_65F653:				; CODE XREF: PspJobIoRateVolumeEntryReference(x,x)+43j
		pop	edi
		jz	short loc_65F65D
		mov	ecx, esi
		call	_PspIoRateEntryIoControlReference@4 ; PspIoRateEntryIoControlReference(x)

loc_65F65D:				; CODE XREF: PspJobIoRateVolumeEntryReference(x,x)+74j
		push	ebx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PspJobIoRateVolumeEntryReference@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspJobIoRateVolumeEntryRemove(x, x)
_PspJobIoRateVolumeEntryRemove@8 proc near
					; CODE XREF: PspSetJobIoRateControlForVolume(x,x,x,x,x)+6Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	edi
		lea	eax, [esi+35Ch]
		push	eax
		mov	[ebp+var_10], eax
		call	ExAcquireSpinLockExclusive
		lea	edi, [esi+360h]
		mov	[ebp+var_1], al
		test	byte ptr [edi+4], 1
		mov	esi, [edi]
		mov	[ebp+var_C], edi
		jz	short loc_65F6AF
		test	esi, esi
		jz	short loc_65F6AD
		xor	esi, edi
		jmp	short loc_65F6AF
; 

loc_65F6AD:				; CODE XREF: PspJobIoRateVolumeEntryRemove(x,x)+35j
		xor	esi, esi

loc_65F6AF:				; CODE XREF: PspJobIoRateVolumeEntryRemove(x,x)+31j
					; PspJobIoRateVolumeEntryRemove(x,x)+39j
		movzx	ebx, byte ptr [edi+4]
		and	ebx, 1
		test	esi, esi
		jz	short loc_65F6F9
		mov	edi, [ebp+var_8]

loc_65F6BD:				; CODE XREF: PspJobIoRateVolumeEntryRemove(x,x)+6Fj
		push	esi
		push	edi
		call	_MiLockTrackerCompare@8	; MiLockTrackerCompare(x,x)
		test	eax, eax
		jns	short loc_65F6CC
		mov	eax, [esi]
		jmp	short loc_65F6D1
; 

loc_65F6CC:				; CODE XREF: PspJobIoRateVolumeEntryRemove(x,x)+54j
		jle	short loc_65F6E3
		mov	eax, [esi+4]

loc_65F6D1:				; CODE XREF: PspJobIoRateVolumeEntryRemove(x,x)+58j
		test	ebx, ebx
		jz	short loc_65F6DD
		test	eax, eax
		jz	short loc_65F6DD
		xor	esi, eax
		jmp	short loc_65F6DF
; 

loc_65F6DD:				; CODE XREF: PspJobIoRateVolumeEntryRemove(x,x)+61j
					; PspJobIoRateVolumeEntryRemove(x,x)+65j
		mov	esi, eax

loc_65F6DF:				; CODE XREF: PspJobIoRateVolumeEntryRemove(x,x)+69j
		test	esi, esi
		jnz	short loc_65F6BD

loc_65F6E3:				; CODE XREF: PspJobIoRateVolumeEntryRemove(x,x):loc_65F6CCj
		mov	edi, [ebp+var_C]
		test	esi, esi
		jz	short loc_65F6F9
		push	esi
		push	edi
		call	RtlRbRemoveNode
		or	dword ptr [esi+8], 0FFFFFFFFh
		mov	edi, esi
		jmp	short loc_65F6FB
; 

loc_65F6F9:				; CODE XREF: PspJobIoRateVolumeEntryRemove(x,x)+46j
					; PspJobIoRateVolumeEntryRemove(x,x)+76j
		xor	edi, edi

loc_65F6FB:				; CODE XREF: PspJobIoRateVolumeEntryRemove(x,x)+85j
		push	[ebp+var_10]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PspJobIoRateVolumeEntryRemove@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspLockUnlockWorkingSetChangeExclusiveUnsafe()
_PspLockUnlockWorkingSetChangeExclusiveUnsafe@0	proc near ; CODE XREF: sub_759647+179E66p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, ds:dword_6BEF18
		test	al, 1
		jz	short locret_65F738
		mov	ecx, offset dword_6BEF18
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)

locret_65F738:				; CODE XREF: PspLockUnlockWorkingSetChangeExclusiveUnsafe()+19j
		leave
		retn
_PspLockUnlockWorkingSetChangeExclusiveUnsafe@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetProcessTimerDelayForKTimers(x)
_PspSetProcessTimerDelayForKTimers@4 proc near
					; CODE XREF: PspApplyTimerDelayProcess(x,x)+1EEp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	[ebp+var_10], edi
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], esi
		mov	edx, [edi+440h]
		mov	eax, [edi+444h]
		and	edx, 3FFFFFFFh
		mov	[ebp+var_2C], eax
		imul	eax, edx, 2710h
		mov	[ebp+var_20], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_8], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [edi+454h]
		mov	[ebp+var_1], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+var_8]
		cmp	ecx, [edi+0ACh]
		jnz	short loc_65F7B1
		test	ds:byte_70EFC6,	1
		jz	short loc_65F7A7
		mov	ecx, ebx
		jmp	loc_65F8E6
; 

loc_65F7A7:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+64j
		xor	eax, eax
		lock and [ebx],	eax
		jmp	loc_65F8FB
; 

loc_65F7B1:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+5Bj
		call	KeQueryInterruptTime
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_38]
		push	eax
		mov	[ebp+var_18], edx
		call	KeQuerySystemTime
		mov	ebx, [ebp+var_10]
		mov	edi, esi
		mov	edx, [ebp+var_8]
		mov	ecx, [ebx+0ACh]
		cmp	edx, ecx
		jbe	short loc_65F7E0
		mov	edi, edx
		sub	edi, ecx
		jmp	loc_65F897
; 

loc_65F7E0:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+9Bj
		jnb	loc_65F897
		or	eax, 0FFFFFFFFh
		mov	edi, ecx
		mov	[ebp+var_14], eax
		lea	ecx, [ebx+458h]
		mov	[ebp+var_C], eax
		lea	eax, [ebx+458h]
		mov	[ebp+var_2C], eax
		mov	eax, [eax]
		cmp	eax, ecx
		jz	short loc_65F865
		mov	ebx, eax

loc_65F808:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+11Bj
		lea	edi, [ebx-0A0h]
		mov	ecx, edi
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		mov	al, [edi+3]
		and	al, 40h
		jz	short loc_65F82A
		mov	ecx, [edi+10h]
		mov	edx, [edi+14h]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_24], edx
		jmp	short loc_65F830
; 

loc_65F82A:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+E0j
		mov	ecx, [ebp+var_20]
		mov	edx, [ebp+var_24]

loc_65F830:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+EEj
		mov	esi, 0FFFFFF7Fh
		lock and [edi],	esi
		mov	esi, [ebp+var_14]
		test	al, al
		jz	short loc_65F850
		cmp	edx, [ebp+var_C]
		ja	short loc_65F850
		jb	short loc_65F84A
		cmp	ecx, esi
		jnb	short loc_65F850

loc_65F84A:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+10Aj
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], edx

loc_65F850:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+103j
					; PspSetProcessTimerDelayForKTimers(x)+108j ...
		mov	ebx, [ebx]
		cmp	ebx, [ebp+var_2C]
		jnz	short loc_65F808
		mov	ebx, [ebp+var_10]
		xor	esi, esi
		mov	edx, [ebp+var_8]
		mov	edi, [ebx+0ACh]

loc_65F865:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+CAj
		mov	ecx, [ebp+var_14]
		sub	edi, edx
		mov	eax, ecx
		sub	eax, edi
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_C]
		sbb	eax, esi
		cmp	eax, [ebp+var_18]
		ja	short loc_65F891
		mov	eax, [ebp+var_1C]
		jb	short loc_65F885
		cmp	[ebp+var_2C], eax
		jnb	short loc_65F891

loc_65F885:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+144j
		mov	esi, [ebp+var_18]
		mov	edi, eax
		sub	edi, ecx
		sbb	esi, [ebp+var_C]
		jmp	short loc_65F897
; 

loc_65F891:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+13Fj
					; PspSetProcessTimerDelayForKTimers(x)+149j
		neg	edi
		adc	esi, esi
		neg	esi

loc_65F897:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+A1j
					; PspSetProcessTimerDelayForKTimers(x):loc_65F7E0j ...
		lea	eax, [ebx+458h]
		mov	ebx, [eax]
		jmp	short loc_65F8C7
; 

loc_65F8A1:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+18Fj
		push	[ebp+var_18]
		lea	ecx, [ebx-0A0h]
		push	[ebp+var_1C]
		push	[ebp+var_34]
		push	[ebp+var_38]
		push	esi
		push	edi
		call	_ExpTimerAdjust@32 ; ExpTimerAdjust(x,x,x,x,x,x,x,x)
		mov	eax, [ebp+var_10]
		mov	ebx, [ebx]
		add	eax, 458h
		mov	edx, [ebp+var_8]

loc_65F8C7:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+165j
		cmp	ebx, eax
		jnz	short loc_65F8A1
		mov	ebx, [ebp+var_10]
		mov	ecx, ebx
		push	esi
		push	edi
		call	_KeAdjustTimerDelayProcess@16 ;	KeAdjustTimerDelayProcess(x,x,x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_65F8F0
		lea	ecx, [ebx+454h]

loc_65F8E6:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+68j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_65F8FB
; 

loc_65F8F0:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+1A4j
		xor	ecx, ecx
		lea	eax, [ebx+454h]
		lock and [eax],	ecx

loc_65F8FB:				; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+72j
					; PspSetProcessTimerDelayForKTimers(x)+1B4j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
_PspSetProcessTimerDelayForKTimers@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetProcessTimerDelayForWin32(x)
_PspSetProcessTimerDelayForWin32@4 proc	near
					; CODE XREF: PspApplyTimerDelayProcess(x,x)+1F6p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	edx, edx
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+0E0h]
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		cmp	dword ptr [edi+154h], 0
		push	11h
		pop	eax
		jnz	short loc_65F94F
		xor	ecx, ecx
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_65F944
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_65F944:				; CODE XREF: PspSetProcessTimerDelayForWin32(x)+30j
		mov	ecx, esi
		call	KeAbPostRelease
		xor	eax, eax
		jmp	short loc_65F9A7
; 

loc_65F94F:				; CODE XREF: PspSetProcessTimerDelayForWin32(x)+25j
		xor	edx, edx
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_65F961
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_65F961:				; CODE XREF: PspSetProcessTimerDelayForWin32(x)+4Dj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, [edi+440h]
		mov	ecx, edi
		mov	edx, [edi+444h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_4], eax
		mov	ecx, 3FFFFFFFh
		mov	eax, esi
		mov	[ebp+var_10], edi
		and	eax, ecx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		shrd	esi, edx, 1Eh
		lea	eax, [ebp+var_10]
		push	eax
		and	esi, ecx
		push	29h
		mov	[ebp+var_8], esi
		call	PsInvokeWin32Callout

loc_65F9A7:				; CODE XREF: PspSetProcessTimerDelayForWin32(x)+42j
		pop	edi
		pop	esi
		leave
		retn
_PspSetProcessTimerDelayForWin32@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspTimerDelayProcess(x, x)
_PspTimerDelayProcess@8	proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	ecx
		push	eax
		mov	edi, 624A7350h
		mov	[ebp+var_4], ecx
		push	edi
		push	ecx
		push	ds:_PsProcessType
		push	1FFFFFh
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_65F9F5
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		push	esi
		call	_PspApplyTimerDelayProcess@8 ; PspApplyTimerDelayProcess(x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		mov	esi, eax
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		pop	esi

loc_65F9F5:				; CODE XREF: PspTimerDelayProcess(x,x)+2Dj
		pop	edi
		leave
		retn	8
_PspTimerDelayProcess@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspTimerDelayWorkerRoutine(x)
_PspTimerDelayWorkerRoutine@4 proc near	; DATA XREF: MmLockPagableDataSection+124D9Fo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, 0F0h
		mov	ecx, [esi+10h]
		add	ecx, edi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_65FA2B
		mov	ecx, [esi+10h]
		xor	edx, edx
		call	_PspApplyTimerDelayProcess@8 ; PspApplyTimerDelayProcess(x,x)
		mov	ecx, [esi+10h]
		add	ecx, edi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_65FA2B:				; CODE XREF: PspTimerDelayWorkerRoutine(x)+1Bj
		mov	ecx, [esi+10h]
		mov	edx, 624A7350h
		call	ObfDereferenceObjectWithTag
		push	65446954h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_PspTimerDelayWorkerRoutine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspUnlockProcessExclusiveUnsafe(x)
_PspUnlockProcessExclusiveUnsafe@4 proc	near ; CODE XREF: NtTerminateProcess+123p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		or	edx, 0FFFFFFFFh
		add	ecx, 0E0h
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		mov	eax, edx
		mov	[ebp+var_C], edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_65FA88
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]

loc_65FA88:				; CODE XREF: PspUnlockProcessExclusiveUnsafe(x)+35j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_65FC18
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_65FAC1
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_65FACF

loc_65FAC1:				; CODE XREF: PspUnlockProcessExclusiveUnsafe(x)+6Dj
		cmp	ecx, [ebp+var_20]
		jb	short loc_65FAE2
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_65FAE2

loc_65FACF:				; CODE XREF: PspUnlockProcessExclusiveUnsafe(x)+76j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax

loc_65FAE2:				; CODE XREF: PspUnlockProcessExclusiveUnsafe(x)+7Bj
					; PspUnlockProcessExclusiveUnsafe(x)+84j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_65FB2D
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_65FB9F
		push	ecx
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_65FB2D:				; CODE XREF: PspUnlockProcessExclusiveUnsafe(x)+C2j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_65FB43
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_65FB43:				; CODE XREF: PspUnlockProcessExclusiveUnsafe(x)+F0j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_65FB8D
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_65FB9F
; 

loc_65FB8D:				; CODE XREF: PspUnlockProcessExclusiveUnsafe(x)+130j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]

loc_65FB9F:				; CODE XREF: PspUnlockProcessExclusiveUnsafe(x)+CCj
					; PspUnlockProcessExclusiveUnsafe(x)+142j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_65FC00
		test	edi, 8000h
		jz	short loc_65FBC3
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_65FBC3:				; CODE XREF: PspUnlockProcessExclusiveUnsafe(x)+16Fj
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_65FBD3
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_65FBD3:				; CODE XREF: PspUnlockProcessExclusiveUnsafe(x)+17Ej
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_65FBE7
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_65FBE7:				; CODE XREF: PspUnlockProcessExclusiveUnsafe(x)+191j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_65FC00
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_65FC00:				; CODE XREF: PspUnlockProcessExclusiveUnsafe(x)+167j
					; PspUnlockProcessExclusiveUnsafe(x)+1A8j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_65FC18
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_65FC18
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_65FC18:				; CODE XREF: PspUnlockProcessExclusiveUnsafe(x)+4Aj
					; PspUnlockProcessExclusiveUnsafe(x)+1C0j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_PspUnlockProcessExclusiveUnsafe@4 endp	; sp =	4


;  S U B	R O U T	I N E 


; __fastcall PsPicoAltSystemCallDispatch(x)
@PsPicoAltSystemCallDispatch@4 proc near ; DATA	XREF: INIT:00AC2EB7o
		call	@PsPicoSystemCallDispatch@4 ; PsPicoSystemCallDispatch(x)
		xor	eax, eax
		retn
@PsPicoAltSystemCallDispatch@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetPicoThreadDescriptorBase(x, x)
_PspSetPicoThreadDescriptorBase@8 proc near ; DATA XREF: PsRegisterPicoProvider(x,x)+8Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, large fs:124h
		mov	cl, 2
		push	edi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		cmp	[ebp+arg_0], 0
		mov	bl, al
		mov	edx, [ebp+arg_4]
		jz	short loc_65FC66
		mov	ecx, large fs:1Ch
		mov	[esi+384h], edx
		mov	ecx, [ecx+3Ch]
		lea	esi, [ecx+62h]
		lea	edi, [ecx+64h]
		add	ecx, 67h
		jmp	short loc_65FC7E
; 

loc_65FC66:				; CODE XREF: PspSetPicoThreadDescriptorBase(x,x)+20j
		mov	eax, large fs:1Ch
		mov	[esi+380h], edx
		mov	eax, [eax+3Ch]
		lea	esi, [eax+3Ah]
		lea	edi, [eax+3Ch]
		lea	ecx, [eax+3Fh]

loc_65FC7E:				; CODE XREF: PspSetPicoThreadDescriptorBase(x,x)+3Bj
		mov	eax, edx
		mov	[esi], dx
		shr	edx, 18h
		shr	eax, 10h
		mov	[ecx], dl
		mov	cl, bl
		mov	[edi], al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_PspSetPicoThreadDescriptorBase@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2528. SkAcquirePushLockExclusive
; Exported entry 2529. SkAllocatePool
; Exported entry 2530. SkFreePool
; Exported entry 2531. SkInitializePushLock
; Exported entry 2533. SkQuerySecureKernelInformation
; Exported entry 2534. SkReleasePushLockExclusive

;  S U B	R O U T	I N E 


; __stdcall NtosSecureKernelImportBugcheck()
		public _NtosSecureKernelImportBugcheck@0
_NtosSecureKernelImportBugcheck@0 proc near
		xor	eax, eax	; SkAcquirePushLockExclusive
					; SkAllocatePool
					; SkFreePool
					; SkInitializePushLock
					; SkQuerySecureKernelInformation
		push	eax
		push	eax
		push	eax
		push	eax
		push	123h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_NtosSecureKernelImportBugcheck@0 endp


;  S U B	R O U T	I N E 


; __stdcall PsQuitNextPartition(x)
_PsQuitNextPartition@4 proc near	; CODE XREF: MiMirrorBrownPhase(x)+E5p
					; MiMirrorBrownPhase(x)+EEp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	PsDereferencePartition
		mov	ecx, esi
		mov	edx, 6E457350h
		pop	esi
		jmp	ObfDereferenceObjectWithTag
_PsQuitNextPartition@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspRemovePartitionFromGlobalList(x)
_PspRemovePartitionFromGlobalList@4 proc near ;	CODE XREF: PspDeletePartition(x)+25p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, offset _PspActivePartitionListLock
		mov	esi, ecx
		push	edi
		call	ExAcquireSpinLockExclusive
		add	esi, 14h
		mov	bl, al
		mov	edx, [esi]
		cmp	[edx+4], esi
		jnz	short loc_65FD04
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_65FD04
		mov	[ecx], edx
		push	edi
		mov	[edx+4], ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_65FD04:				; CODE XREF: PspRemovePartitionFromGlobalList(x)+1Cj
					; PspRemovePartitionFromGlobalList(x)+23j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PspRemovePartitionFromGlobalList@4 endp ; AL =	character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RawCheckForDeleteVolume(x)
_RawCheckForDeleteVolume@4 proc	near	; CODE XREF: RawScanDeletedList+121D2Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		cmp	[esi+50h], ebx
		jnz	short loc_65FD78
		push	9
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	byte ptr [ebp+var_4], al
		mov	eax, [esi+8Ch]
		push	[ebp+var_4]
		cmp	[eax+14h], ebx
		jnz	short loc_65FD73
		call	IoReleaseVpbSpinLock
		lea	eax, [esi+80h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_65FD6E
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_65FD6E
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	ecx, [esi+0A0h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, esi
		call	RawCleanupVcb
		mov	ecx, esi
		call	_RawDeleteVcb@4	; RawDeleteVcb(x)
		mov	bl, 1
		jmp	short loc_65FD78
; 

loc_65FD6E:				; CODE XREF: RawCheckForDeleteVolume(x)+3Aj
					; RawCheckForDeleteVolume(x)+41j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_65FD73:				; CODE XREF: RawCheckForDeleteVolume(x)+28j
		call	IoReleaseVpbSpinLock

loc_65FD78:				; CODE XREF: RawCheckForDeleteVolume(x)+Fj
					; RawCheckForDeleteVolume(x)+63j
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_RawCheckForDeleteVolume@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RawVerifyVolume(x, x)
_RawVerifyVolume@8 proc	near		; CODE XREF: RawFileSystemControl:loc_910371p

var_8		= dword	ptr -8
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	9
		mov	esi, ecx
		mov	[ebp+var_1], 0
		pop	ecx
		mov	ebx, edx
		mov	[ebp+var_2], 0
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[ebp+var_3], al
		xor	ecx, ecx
		mov	eax, [esi+4]
		inc	ecx
		mov	[ebp+var_8], eax
		test	[eax+4], cl
		jz	short loc_65FDB2
		inc	dword ptr [eax+14h]
		mov	[ebp+var_1], cl

loc_65FDB2:				; CODE XREF: RawVerifyVolume(x,x)+2Cj
		mov	eax, large fs:20h
		lea	esi, [eax+460h]
		test	ds:byte_70EFC6,	cl
		jz	short loc_65FDD2
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_65FDFD
; 

loc_65FDD2:				; CODE XREF: RawVerifyVolume(x,x)+46j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_65FDF1
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_65FDFD
		mov	ecx, esi
		call	KxWaitForLockChainValid
		xor	ecx, ecx
		inc	ecx

loc_65FDF1:				; CODE XREF: RawVerifyVolume(x,x)+58j
		mov	dword ptr [esi], 0
		add	eax, 4
		lock xor [eax],	ecx

loc_65FDFD:				; CODE XREF: RawVerifyVolume(x,x)+52j
					; RawVerifyVolume(x,x)+67j
		mov	cl, [ebp+var_3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_1], 0
		jz	loc_65FEE0
		push	edi
		lea	edi, [ebx+0A0h]
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	eax, [ebx+48h]
		test	al, 2
		jnz	short loc_65FE31
		or	eax, 2
		xor	ecx, ecx
		inc	ecx
		mov	[ebx+48h], eax
		mov	[ebp+var_2], cl

loc_65FE31:				; CODE XREF: RawVerifyVolume(x,x)+A5j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	[ebp+var_2], 0
		jz	short loc_65FE49
		mov	ecx, [ebx+9Ch]
		call	@ExWaitForRundownProtectionReleaseCacheAware@4 ; ExWaitForRundownProtectionReleaseCacheAware(x)

loc_65FE49:				; CODE XREF: RawVerifyVolume(x,x)+BEj
		mov	ecx, edi
		call	ExAcquireFastMutex
		push	9
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_3], al
		xor	eax, eax
		inc	eax
		dec	dword ptr [ecx+14h]
		mov	ecx, large fs:20h
		lea	esi, [ecx+460h]
		test	ds:byte_70EFC6,	al
		jz	short loc_65FE85
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_65FEB0
; 

loc_65FE85:				; CODE XREF: RawVerifyVolume(x,x)+F9j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_65FEA1
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_65FEB0
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_65FEA1:				; CODE XREF: RawVerifyVolume(x,x)+10Bj
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_65FEB0:				; CODE XREF: RawVerifyVolume(x,x)+105j
					; RawVerifyVolume(x,x)+11Aj
		mov	cl, [ebp+var_3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebx+8Ch]
		mov	ecx, ebx
		push	0
		mov	eax, [eax+0Ch]
		and	dword ptr [eax+1Ch], 0FFFFFFFDh
		xor	eax, eax
		lea	edx, [eax+1]
		call	RawInitiateDeleteVolume
		test	al, al
		jnz	short loc_65FEDF
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_65FEDF:				; CODE XREF: RawVerifyVolume(x,x)+158j
		pop	edi

loc_65FEE0:				; CODE XREF: RawVerifyVolume(x,x)+8Cj
		pop	esi
		mov	eax, 0C0000012h
		pop	ebx
		leave
		retn
_RawVerifyVolume@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpLogExceptionDispatch(x,	x)
_RtlpLogExceptionDispatch@8 proc near	; CODE XREF: RtlDispatchException+10D790p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	ds:_RtlpExceptionLog2, 0
		push	ebx
		mov	ebx, edx
		push	edi
		mov	[ebp+var_8], ebx
		mov	edi, ecx
		jz	loc_65FF8A
		push	esi
		mov	esi, ds:_RtlpExceptionLogCount
		xor	edx, edx
		push	32h
		pop	ecx
		mov	[ebp+var_4], ecx
		lea	eax, [esi+1]
		div	ecx
		mov	ecx, offset _RtlpExceptionLogCount
		mov	eax, esi
		lock cmpxchg [ecx], edx
		mov	ecx, eax
		cmp	ecx, esi
		jz	short loc_65FF49
		mov	ebx, offset _RtlpExceptionLogCount

loc_65FF30:				; CODE XREF: RtlpLogExceptionDispatch(x,x)+5Bj
		lea	eax, [ecx+1]
		xor	edx, edx
		div	[ebp+var_4]
		mov	esi, ecx
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		mov	ecx, eax
		cmp	ecx, esi
		jnz	short loc_65FF30
		mov	ebx, [ebp+var_8]

loc_65FF49:				; CODE XREF: RtlpLogExceptionDispatch(x,x)+40j
		mov	eax, large fs:124h
		imul	edx, esi, 330h
		add	edx, ds:_RtlpExceptionLog2
		mov	[edx+324h], eax
		jz	short loc_65FF89
		mov	esi, edi
		mov	dword ptr [edx+31Ch], 1
		push	14h
		pop	ecx
		mov	edi, edx
		rep movsd
		mov	ecx, 0B3h
		lea	edi, [edx+50h]
		mov	esi, ebx
		rep movsd
		and	dword ptr [edx+50h], 1003Fh

loc_65FF89:				; CODE XREF: RtlpLogExceptionDispatch(x,x)+78j
		pop	esi

loc_65FF8A:				; CODE XREF: RtlpLogExceptionDispatch(x,x)+17j
		pop	edi
		pop	ebx
		leave
		retn
_RtlpLogExceptionDispatch@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpLogExceptionHandler(x, x, x, x)
_RtlpLogExceptionHandler@16 proc near	; CODE XREF: RtlDispatchException+10D7D4p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	ds:_RtlpExceptionLog2, 0
		push	ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edi
		jnz	short loc_65FFAF
		xor	ebx, ebx
		jmp	loc_660047
; 

loc_65FFAF:				; CODE XREF: RtlpLogExceptionHandler(x,x,x,x)+18j
		mov	ecx, ds:_RtlpExceptionLogCount
		xor	edx, edx
		push	esi
		push	32h
		pop	ebx
		lea	eax, [ecx+1]
		mov	esi, offset _RtlpExceptionLogCount
		div	ebx
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	esi, eax
		cmp	esi, ecx
		jz	short loc_65FFEE
		mov	edi, offset _RtlpExceptionLogCount

loc_65FFD6:				; CODE XREF: RtlpLogExceptionHandler(x,x,x,x)+5Bj
		lea	eax, [esi+1]
		xor	edx, edx
		div	ebx
		mov	ecx, esi
		mov	eax, esi
		lock cmpxchg [edi], edx
		mov	esi, eax
		cmp	esi, ecx
		jnz	short loc_65FFD6
		mov	edi, [ebp+var_4]

loc_65FFEE:				; CODE XREF: RtlpLogExceptionHandler(x,x,x,x)+41j
		mov	eax, large fs:124h
		imul	ebx, ecx, 330h
		add	ebx, ds:_RtlpExceptionLog2
		mov	[ebx+324h], eax
		jz	short loc_660046
		or	dword ptr [ebx+320h], 0FFFFFFFFh
		mov	esi, edi
		push	14h
		mov	dword ptr [ebx+31Ch], 2	; DATA XREF: FsRtlBalanceReads+3Fo
		mov	edi, ebx
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_8]
		lea	edi, [ebx+50h]
		mov	ecx, 0B3h
		rep movsd
		and	dword ptr [ebx+50h], 1003Fh
		mov	ecx, [ebp+arg_4]
		and	dword ptr [ebx+328h], 0
		mov	[ebx+32Ch], ecx

loc_660046:				; CODE XREF: RtlpLogExceptionHandler(x,x,x,x)+78j
		pop	esi

loc_660047:				; CODE XREF: RtlpLogExceptionHandler(x,x,x,x)+1Cj
		pop	edi
		mov	eax, ebx
		pop	ebx
		leave

locret_66004C:				; DATA XREF: .text:??_C@_17FABJNEFH@?$AAM?$AAf?$AAg@FNODOBFM@o
		retn	8
_RtlpLogExceptionHandler@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2323. RtlSecondsSince1980ToTime

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSecondsSince1980ToTime(x, x)
		public _RtlSecondsSince1980ToTime@8
_RtlSecondsSince1980ToTime@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		add	ecx, dword ptr ds:_SecondsToStartOf1980
		push	989680h
		adc	eax, dword ptr ds:loc_4292BC
		push	eax
		push	ecx
		call	_RtlExtendedIntegerMultiply@12 ; RtlExtendedIntegerMultiply(x,x,x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		mov	[ecx+4], edx
		pop	ebp
		retn	8
_RtlSecondsSince1980ToTime@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2359. RtlTimeToSecondsSince1970

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTimeToSecondsSince1970(x, x)
		public _RtlTimeToSecondsSince1970@8
_RtlTimeToSecondsSince1970@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	17h
		push	dword ptr ds:_Magic10000000+4
		push	dword ptr ds:_Magic10000000
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		call	_RtlExtendedMagicDivide@20 ; RtlExtendedMagicDivide(x,x,x,x,x)
		mov	ecx, eax
		sub	ecx, dword ptr ds:_SecondsToStartOf1970
		sbb	edx, dword ptr ds:_SecondsToStartOf1970+4
		jz	short loc_6600BB
		xor	al, al
		jmp	short loc_6600C2
; 

loc_6600BB:				; CODE XREF: RtlTimeToSecondsSince1970(x,x)+2Ej
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	al, 1

loc_6600C2:				; CODE XREF: RtlTimeToSecondsSince1970(x,x)+32j
		pop	ebp
		retn	8
_RtlTimeToSecondsSince1970@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2360. RtlTimeToSecondsSince1980

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTimeToSecondsSince1980(x, x)
		public _RtlTimeToSecondsSince1980@8
_RtlTimeToSecondsSince1980@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	17h
		push	dword ptr ds:_Magic10000000+4
		push	dword ptr ds:_Magic10000000
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		call	_RtlExtendedMagicDivide@20 ; RtlExtendedMagicDivide(x,x,x,x,x)
		mov	ecx, eax
		sub	ecx, dword ptr ds:_SecondsToStartOf1980
		sbb	edx, dword ptr ds:loc_4292BC
		jz	short loc_6600FF
		xor	al, al
		jmp	short loc_660106
; 

loc_6600FF:				; CODE XREF: RtlTimeToSecondsSince1980(x,x)+2Ej
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	al, 1

loc_660106:				; CODE XREF: RtlTimeToSecondsSince1980(x,x)+32j
		pop	ebp
		retn	8
_RtlTimeToSecondsSince1980@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2022. RtlDecompressBuffer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDecompressBuffer(x, x, x, x, x, x)
		public _RtlDecompressBuffer@24
_RtlDecompressBuffer@24	proc near	; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+166p

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, [ebp+arg_0]
		test	ax, ax
		jz	short loc_66014A
		cmp	eax, 1
		jz	short loc_66014A
		cmp	eax, 4
		jbe	short loc_66012E
		mov	eax, 0C000025Fh
		jmp	short loc_66014F
; 

loc_66012E:				; CODE XREF: RtlDecompressBuffer(x,x,x,x,x,x)+16j
		push	0
		push	[ebp+arg_14]
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	ds:_RtlDecompressBufferProcs[eax*4]
		jmp	short loc_66014F
; 

loc_66014A:				; CODE XREF: RtlDecompressBuffer(x,x,x,x,x,x)+Cj
					; RtlDecompressBuffer(x,x,x,x,x,x)+11j
		mov	eax, 0C000000Dh

loc_66014F:				; CODE XREF: RtlDecompressBuffer(x,x,x,x,x,x)+1Dj
					; RtlDecompressBuffer(x,x,x,x,x,x)+39j
		pop	ebp
		retn	18h
_RtlDecompressBuffer@24	endp


;  S U B	R O U T	I N E 


; __stdcall RtlInitializeCompression()
_RtlInitializeCompression@0 proc near	; CODE XREF: Phase1InitializationDiscard(x):loc_AC0F95p
		xor	eax, eax
		push	eax
		push	eax
		push	63647A6Ch
		push	2Ch
		push	200h
		push	eax
		push	eax
		push	offset _RtlLznt1DecompressChunkLookaside
		call	ExInitializeNPagedLookasideListInternal
		retn
_RtlInitializeCompression@0 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 265. DbgCommandString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgCommandString(x,	x)
		public _DbgCommandString@8
_DbgCommandString@8 proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], ecx
		lea	edx, [ecx+1]

loc_660191:				; CODE XREF: DbgCommandString(x,x)+21j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_660191
		sub	ecx, edx
		mov	word ptr [ebp+var_10], cx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_4], ecx
		lea	edx, [ecx+1]

loc_6601A7:				; CODE XREF: DbgCommandString(x,x)+37j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_6601A7
		lea	eax, [ebp+var_8]
		sub	ecx, edx
		mov	[ebp+arg_4], eax
		lea	eax, [ebp+var_10]
		mov	word ptr [ebp+var_8], cx
		mov	[ebp+arg_0], eax
		mov	eax, 5
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		int	2Dh		; Internal routine for MSDOS (IRET)
		int	3		; Trap to Debugger
		leave
		retn	8
_DbgCommandString@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 269. DbgPrintReturnControlC

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl DbgPrintReturnControlC(char *,char)
		public _DbgPrintReturnControlC
_DbgPrintReturnControlC	proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0		; char
		lea	eax, [ebp+arg_4]
		mov	ecx, offset ??_C@_00CNPNBAHC@@FNODOBFM@
		push	eax		; va_list
		push	[ebp+arg_0]	; char *
		push	0		; int
		push	65h
		pop	edx
		call	vDbgPrintExWithPrefixInternal
		pop	ebp
		retn
_DbgPrintReturnControlC	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 270. DbgPrompt

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgPrompt(x, x, x)
		public _DbgPrompt@12
_DbgPrompt@12	proc near		; CODE XREF: RtlAssert(x,x,x,x)+6Ep
					; VfReportIssueWithOptions(x,x,x,x,x,x)+64p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	ecx, edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	ax, [ebp+arg_8]
		mov	word ptr [ebp+var_8+2],	ax
		mov	eax, [ebp+arg_4]
		push	esi
		mov	[ebp+var_4], eax
		lea	esi, [ecx+1]

loc_660225:				; CODE XREF: DbgPrompt(x,x,x)+2Fj
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_660225
		sub	ecx, esi
		mov	[ebp+var_C], edx
		mov	word ptr [ebp+var_10], cx
		lea	edx, [ebp+var_8]
		lea	ecx, [ebp+var_10]
		call	_DebugPrompt@8	; DebugPrompt(x,x)
		pop	esi
		leave
		retn	0Ch
_DbgPrompt@12	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 271. DbgQueryDebugFilterState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgQueryDebugFilterState(x,	x)
		public _DbgQueryDebugFilterState@8
_DbgQueryDebugFilterState@8 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_NtQueryDebugFilterState@8 ; NtQueryDebugFilterState(x,x)
_DbgQueryDebugFilterState@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 273. DbgSetDebugPrintCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgSetDebugPrintCallback(x,	x)
		public _DbgSetDebugPrintCallback@8
_DbgSetDebugPrintCallback@8 proc near	; CODE XREF: EtwpEnableKernelTrace+129AE9p
					; EtwpDisableKernelTrace+129A27p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_66026D
		mov	eax, 0C000000Dh
		jmp	short loc_66027F
; 

loc_66026D:				; CODE XREF: DbgSetDebugPrintCallback(x,x)+Aj
		cmp	[ebp+arg_4], 1
		jnz	short loc_66027A
		call	_DbgpInsertDebugPrintCallback@4	; DbgpInsertDebugPrintCallback(x)
		jmp	short loc_66027F
; 

loc_66027A:				; CODE XREF: DbgSetDebugPrintCallback(x,x)+17j
		call	_DbgpRemoveDebugPrintCallback@4	; DbgpRemoveDebugPrintCallback(x)

loc_66027F:				; CODE XREF: DbgSetDebugPrintCallback(x,x)+11j
					; DbgSetDebugPrintCallback(x,x)+1Ej
		pop	ebp
		retn	8
_DbgSetDebugPrintCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgUnLoadImageSymbols(x, x,	x)
_DbgUnLoadImageSymbols@12 proc near	; CODE XREF: PopSaveHiberContext+BB81p
					; PopShutdownSystem(x)+2Ap

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+arg_0], eax
		mov	eax, 4
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+arg_0]
		int	2Dh		; Internal routine for MSDOS (IRET)
		int	3		; Trap to Debugger
		leave
		retn	4
_DbgUnLoadImageSymbols@12 endp


;  S U B	R O U T	I N E 


; __stdcall DbgpInsertDebugPrintCallback(x)
_DbgpInsertDebugPrintCallback@4	proc near ; CODE XREF: DbgSetDebugPrintCallback(x,x)+19p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	62436244h
		push	14h
		push	200h
		mov	edi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_6602DC
		mov	eax, 0C000009Ah
		jmp	short loc_66033A
; 

loc_6602DC:				; CODE XREF: DbgpInsertDebugPrintCallback(x)+1Cj
		lea	ecx, [esi+4]
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		and	dword ptr [esi], 0
		mov	cl, 1Bh
		mov	[esi+8], edi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edi, offset _RtlpDebugPrintCallbackLock
		mov	bl, al
		push	edi
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	ecx, ds:off_6B1F7C
		mov	eax, offset _RtlpDebugPrintCallbackList
		add	esi, 0Ch
		cmp	[ecx], eax
		jz	short loc_660316
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_660316:				; CODE XREF: DbgpInsertDebugPrintCallback(x)+58j
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		push	edi
		mov	ds:off_6B1F7C, esi
		mov	ds:_RtlpDebugPrintCallbacksActive, 1
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax

loc_66033A:				; CODE XREF: DbgpInsertDebugPrintCallback(x)+23j
		pop	edi
		pop	esi
		pop	ebx
		retn
_DbgpInsertDebugPrintCallback@4	endp

; 

; __stdcall DbgpRemoveDebugPrintCallback(x)
_DbgpRemoveDebugPrintCallback@4:	; CODE XREF: DbgSetDebugPrintCallback(x,x):loc_66027Ap
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	cl, 1Bh
		mov	[ebp-8], edi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		push	offset _RtlpDebugPrintCallbackLock
		mov	[ebp-1], bl
		call	ExAcquireSpinLockSharedAtDpcLevel
		mov	edx, ds:_RtlpDebugPrintCallbackList
		jmp	short loc_66038D
; 

loc_66036D:				; CODE XREF: .text:00660393j
		lea	esi, [edx-0Ch]
		cmp	[esi+8], edi
		jnz	short loc_66038B
		xor	edi, edi
		inc	edi
		mov	eax, [esi]

loc_66037A:				; CODE XREF: .text:00660382j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [esi], ecx
		jnz	short loc_66037A
		mov	edi, [ebp-8]
		test	al, 1
		jz	short loc_6603B4

loc_66038B:				; CODE XREF: .text:00660373j
		mov	edx, [edx]

loc_66038D:				; CODE XREF: .text:0066036Bj
		cmp	edx, offset _RtlpDebugPrintCallbackList
		jnz	short loc_66036D
		mov	edi, offset _RtlpDebugPrintCallbackLock
		push	edi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, 0C0000225h

loc_6603AD:				; CODE XREF: .text:00660405j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_6603B4:				; CODE XREF: .text:00660389j
		mov	edi, offset _RtlpDebugPrintCallbackLock
		push	edi
		call	ExReleaseSpinLockSharedFromDpcLevel
		lea	ecx, [esi+4]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		push	edi
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		lea	edx, [esi+0Ch]
		mov	ecx, [edx]
		mov	eax, [edx+4]
		cmp	[ecx+4], edx
		jnz	short loc_660407
		cmp	[eax], edx
		jnz	short loc_660407
		xor	ebx, ebx
		mov	[eax], ecx
		mov	[ecx+4], eax
		cmp	eax, ecx
		jnz	short loc_6603EF
		mov	ds:_RtlpDebugPrintCallbacksActive, bl

loc_6603EF:				; CODE XREF: .text:006603E7j
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_6603AD
; 

loc_660407:				; CODE XREF: .text:006603D8j
					; .text:006603DCj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 3021. vDbgPrintExWithPrefix

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	vDbgPrintExWithPrefix(int,int,int,char *,va_list)
		public _vDbgPrintExWithPrefix@20
_vDbgPrintExWithPrefix@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1		; char
		push	[ebp+arg_10]	; va_list
		push	[ebp+arg_C]	; char *
		push	[ebp+arg_8]	; int
		call	vDbgPrintExWithPrefixInternal
		pop	ecx
		pop	ebp
		retn	14h
_vDbgPrintExWithPrefix@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall UpcaseUnicodeToMultiByteNHelper(x, x, x, x,	x)
_UpcaseUnicodeToMultiByteNHelper@20 proc near ;	CODE XREF: RtlUpcaseUnicodeToOemN+185D7Ep
					; RtlUpcaseUnicodeToMultiByteN+185A3Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	[ebp+var_4], ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jz	short loc_6604C1

loc_660449:				; CODE XREF: UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x)+8Aj
		test	edi, edi
		jz	short loc_6604BE
		mov	edx, [ebp+arg_4]
		mov	ecx, ds:_NlsUnicodeToMbAnsiData
		mov	[ebp+arg_8], ecx
		movzx	eax, word ptr [edx]
		add	edx, 2
		mov	[ebp+arg_4], edx
		movzx	ecx, word ptr [ecx+eax*2]
		mov	eax, ecx
		movzx	edx, cl
		shr	eax, 8
		movzx	eax, ds:_NlsLeadByteInfoTable[eax*2]
		test	ax, ax
		jz	short loc_660489
		lea	ecx, [edx+eax]
		mov	eax, ds:_NlsMbAnsiCodePageTables
		movzx	ecx, word ptr [eax+ecx*2]
		jmp	short loc_660492
; 

loc_660489:				; CODE XREF: UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x)+47j
		mov	eax, ds:_NlsAnsiToUnicodeData
		movzx	ecx, word ptr [eax+edx*2]

loc_660492:				; CODE XREF: UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x)+55j
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, [ebp+arg_8]
		movzx	eax, ax
		movzx	edx, word ptr [ecx+eax*2]
		mov	ecx, edx
		shr	ecx, 8
		test	cl, cl
		jz	short loc_6604B5
		mov	eax, edi
		dec	edi
		cmp	eax, 2
		jb	short loc_6604BE
		mov	[esi], cl
		inc	esi

loc_6604B5:				; CODE XREF: UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x)+76j
		mov	[esi], dl
		inc	esi
		dec	edi
		sub	ebx, 1
		jnz	short loc_660449

loc_6604BE:				; CODE XREF: UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x)+19j
					; UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x)+7Ej
		mov	ecx, [ebp+var_4]

loc_6604C1:				; CODE XREF: UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x)+15j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_6604CC
		sub	esi, ecx
		mov	[eax], esi

loc_6604CC:				; CODE XREF: UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x)+94j
		cmp	edi, ebx
		pop	edi
		sbb	eax, eax
		pop	esi
		and	eax, 80000005h
		pop	ebx
		leave
		retn	0Ch
_UpcaseUnicodeToMultiByteNHelper@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall UpcaseUnicodeToUTF8NHelper(x, x, x,	x, x)
_UpcaseUnicodeToUTF8NHelper@20 proc near ; CODE	XREF: RtlUpcaseUnicodeToOemN+185D6Dp
					; RtlUpcaseUnicodeToMultiByteN+185A29p

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A0h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, edx
		mov	edx, [ebp+arg_0]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_94], eax
		mov	[ebp+var_90], ecx
		mov	esi, edi
		mov	[ebp+var_A0], edx
		mov	[ebp+var_98], edi
		test	ebx, ebx
		jz	loc_660612
		mov	ecx, [ebp+arg_4]

loc_660523:				; CODE XREF: UpcaseUnicodeToUTF8NHelper(x,x,x,x,x)+129j
		test	eax, eax
		jz	loc_660612
		mov	[ebp+var_8C], edi
		cmp	ebx, 40h
		jnb	short loc_66053A
		mov	eax, ebx
		jmp	short loc_660558
; 

loc_66053A:				; CODE XREF: UpcaseUnicodeToUTF8NHelper(x,x,x,x,x)+58j
		push	40h
		pop	eax
		mov	[ebp+var_88], eax
		jz	short loc_66055E
		movzx	eax, word ptr [ecx+7Eh]
		sub	eax, 0D800h
		cmp	eax, 3FFh
		ja	short loc_660562
		push	3Fh
		pop	eax

loc_660558:				; CODE XREF: UpcaseUnicodeToUTF8NHelper(x,x,x,x,x)+5Cj
		mov	[ebp+var_88], eax

loc_66055E:				; CODE XREF: UpcaseUnicodeToUTF8NHelper(x,x,x,x,x)+67j
		test	eax, eax
		jz	short loc_660594

loc_660562:				; CODE XREF: UpcaseUnicodeToUTF8NHelper(x,x,x,x,x)+77j
		mov	esi, [ebp+arg_4]
		mov	ebx, edi
		mov	edi, [ebp+var_88]

loc_66056D:				; CODE XREF: UpcaseUnicodeToUTF8NHelper(x,x,x,x,x)+A5j
		mov	cx, [esi+ebx*2]
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	word ptr [ebp+ebx*2+var_84], ax
		inc	ebx
		cmp	ebx, edi
		jb	short loc_66056D
		mov	esi, [ebp+var_98]
		xor	edi, edi
		mov	ebx, [ebp+arg_8]
		mov	eax, [ebp+var_88]

loc_660594:				; CODE XREF: UpcaseUnicodeToUTF8NHelper(x,x,x,x,x)+84j
		add	eax, eax
		push	eax
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_84]
		push	eax
		lea	eax, [ebp+var_8C]
		push	eax
		push	[ebp+var_94]
		push	[ebp+var_90]
		call	RtlUnicodeToUTF8N
		add	esi, [ebp+var_8C]
		test	eax, eax
		js	short loc_66060D
		mov	eax, [ebp+var_90]
		add	eax, [ebp+var_8C]
		mov	ecx, [ebp+arg_4]
		add	ecx, [ebp+var_9C]
		mov	[ebp+var_90], eax
		mov	eax, [ebp+var_94]
		sub	eax, [ebp+var_8C]
		sub	ebx, [ebp+var_88]
		mov	[ebp+var_94], eax
		mov	[ebp+var_98], esi
		mov	[ebp+arg_4], ecx
		mov	[ebp+arg_8], ebx
		jnz	loc_660523
		jmp	short loc_660612
; 

loc_66060D:				; CODE XREF: UpcaseUnicodeToUTF8NHelper(x,x,x,x,x)+E8j
		mov	edi, 80000005h

loc_660612:				; CODE XREF: UpcaseUnicodeToUTF8NHelper(x,x,x,x,x)+3Ej
					; UpcaseUnicodeToUTF8NHelper(x,x,x,x,x)+49j ...
		mov	eax, [ebp+var_A0]
		test	eax, eax
		jz	short loc_66061E
		mov	[eax], esi

loc_66061E:				; CODE XREF: UpcaseUnicodeToUTF8NHelper(x,x,x,x,x)+13Ej
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_UpcaseUnicodeToUTF8NHelper@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2004. RtlCopyString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCopyString(x, x)
		public _RtlCopyString@8
_RtlCopyString@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	edx, [ebp+arg_4]
		mov	[eax], cx
		test	edx, edx
		jz	short loc_66066B
		movzx	ecx, word ptr [edx]
		push	esi
		movzx	esi, word ptr [eax+2]
		cmp	ecx, esi
		jbe	short loc_660658
		mov	ecx, esi

loc_660658:				; CODE XREF: RtlCopyString(x,x)+1Ej
		push	ecx		; size_t
		mov	[eax], cx
		push	dword ptr [edx+4] ; void *
		push	dword ptr [eax+4] ; void *
		call	_memcpy
		add	esp, 0Ch
		pop	esi

loc_66066B:				; CODE XREF: RtlCopyString(x,x)+12j
		pop	ebp
		retn	8
_RtlCopyString@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2159. RtlInitStringEx
; Exported entry 2162. RtlInitUTF8StringEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitUTF8StringEx(x, x)
		public _RtlInitUTF8StringEx@8
_RtlInitUTF8StringEx@8 proc near
		mov	edi, edi	; RtlInitStringEx
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_RtlInitAnsiStringEx@8 ; RtlInitAnsiStringEx(x,x)
_RtlInitUTF8StringEx@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2161. RtlInitUTF8String

;  S U B	R O U T	I N E 


; __stdcall RtlInitUTF8String(x, x)
		public _RtlInitUTF8String@8
_RtlInitUTF8String@8 proc near		; CODE XREF: PiGetDefaultMessageString+8DE54p
		jmp	_RtlInitString@8 ; RtlInitString(x,x)
_RtlInitUTF8String@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlControlStackTraceDataBase(x, x, x)
_RtlControlStackTraceDataBase@12 proc near ; CODE XREF:	INIT:00ACD88Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_66069D
		mov	eax, 0C00000F1h
		jmp	short loc_6606AA
; 

loc_66069D:				; CODE XREF: RtlControlStackTraceDataBase(x,x,x)+Bj
		push	dword ptr [ecx+8]
		mov	edx, [ecx+4]
		mov	ecx, [ecx]
		call	_RtlpInitializeStackTraceDatabase@12 ; RtlpInitializeStackTraceDatabase(x,x,x)

loc_6606AA:				; CODE XREF: RtlControlStackTraceDataBase(x,x,x)+12j
		pop	ecx
		pop	ebp
		retn	4
_RtlControlStackTraceDataBase@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlEnoughStackSpaceForStackCapture()
_RtlEnoughStackSpaceForStackCapture@0 proc near	; CODE XREF: IovpLogStackTrace(x)+4Ep
					; ViPoolLogStackTrace(x,x)+4Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	edx, [ebp+var_8]
		and	[ebp+var_4], 0
		lea	ecx, [ebp+var_4]
		call	_RtlpGetStackLimits@8 ;	RtlpGetStackLimits(x,x)
		test	al, al
		jz	short loc_6606DF
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		sub	eax, [ebp+var_4]
		cmp	eax, 218h
		sbb	eax, eax
		inc	eax
		leave
		retn
; 

loc_6606DF:				; CODE XREF: RtlEnoughStackSpaceForStackCapture()+1Cj
		xor	eax, eax
		leave
		retn
_RtlEnoughStackSpaceForStackCapture@0 endp


;  S U B	R O U T	I N E 


; __stdcall RtlLogStackBackTraceEx(x)
_RtlLogStackBackTraceEx@4 proc near	; CODE XREF: ExInitializeResourceLite:loc_5F050Fp
					; ExInitializeFastResource:loc_5FAC1Ap
		mov	edi, edi
		push	esi
		mov	esi, ds:_RtlpStackTraceDatabase
		test	esi, esi
		jnz	short loc_6606F4
		xor	eax, eax
		pop	esi
		retn
; 

loc_6606F4:				; CODE XREF: RtlLogStackBackTraceEx(x)+Bj
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		push	edi
		inc	edx
		call	_RtlStdLogStackTrace@8 ; RtlStdLogStackTrace(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_660720
		mov	edx, ebx
		mov	ecx, esi
		call	_RtlpStdGetRecordedStackTraceIndex@8 ; RtlpStdGetRecordedStackTraceIndex(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_660722
		mov	edx, ebx
		mov	ecx, esi
		call	_RtlStdReleaseStackTrace@8 ; RtlStdReleaseStackTrace(x,x)
		jmp	short loc_660722
; 

loc_660720:				; CODE XREF: RtlLogStackBackTraceEx(x)+21j
		xor	edi, edi

loc_660722:				; CODE XREF: RtlLogStackBackTraceEx(x)+30j
					; RtlLogStackBackTraceEx(x)+3Bj
		mov	eax, edi
		pop	edi
		pop	ebx
		pop	esi
		retn
_RtlLogStackBackTraceEx@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStdLogStackTrace(x, x)
_RtlStdLogStackTrace@8 proc near	; CODE XREF: RtlLogStackBackTraceEx(x)+18p

var_90		= dword	ptr -90h
var_86		= word ptr -86h
var_84		= dword	ptr -84h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 90h
		push	esi
		push	edi
		push	8Ch		; size_t
		lea	eax, [ebp+var_90]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		add	esp, 0Ch
		push	eax
		lea	eax, [ebp+var_84]
		push	eax
		push	20h
		lea	eax, [esi+1]
		push	eax
		call	RtlCaptureStackBackTrace
		mov	[ebp+var_86], ax
		test	ax, ax
		jnz	short loc_660779
		xor	eax, eax
		jmp	short loc_660789
; 

loc_660779:				; CODE XREF: RtlStdLogStackTrace(x,x)+4Bj
		push	[ebp+var_4]
		lea	edx, [ebp+var_90]
		mov	ecx, edi
		call	_RtlpStdLogCapturedStackTrace@12 ; RtlpStdLogCapturedStackTrace(x,x,x)

loc_660789:				; CODE XREF: RtlStdLogStackTrace(x,x)+4Fj
		pop	edi
		pop	esi
		leave
		retn
_RtlStdLogStackTrace@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStdReleaseStackTrace(x, x)
_RtlStdReleaseStackTrace@8 proc	near	; CODE XREF: RtlLogStackBackTraceEx(x)+36p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, edx
		mov	[ebp+var_C], ecx
		push	edi
		xor	eax, eax
		movzx	edi, word ptr [esi+0Ah]
		test	edi, edi
		jz	short loc_6607B3
		lea	edx, [esi+0Ch]

loc_6607A9:				; CODE XREF: RtlStdReleaseStackTrace(x,x)+24j
		add	eax, [edx]
		lea	edx, [edx+4]
		sub	edi, 1
		jnz	short loc_6607A9

loc_6607B3:				; CODE XREF: RtlStdReleaseStackTrace(x,x)+17j
		xor	edx, edx
		div	dword ptr [ecx+178h]
		add	ecx, 17Ch
		imul	eax, edx, 0Ch
		push	ebx
		add	eax, ecx
		mov	[ebp+var_8], eax
		lea	edi, [eax+4]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	[edi+4], bl
		mov	ecx, 7FFh
		movzx	edx, word ptr [esi+4]
		mov	eax, edx
		and	eax, ecx
		cmp	ax, cx
		jz	short loc_660811
		lea	eax, [edx-1]
		xor	eax, edx
		and	eax, ecx
		xor	eax, edx
		mov	[esi+4], ax
		test	eax, ecx
		jnz	short loc_660811
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_RtlpStdListRemove@8 ; RtlpStdListRemove(x,x)
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_660813
; 

loc_660811:				; CODE XREF: RtlStdReleaseStackTrace(x,x)+62j
					; RtlStdReleaseStackTrace(x,x)+73j
		xor	ebx, ebx

loc_660813:				; CODE XREF: RtlStdReleaseStackTrace(x,x)+82j
		test	ds:byte_70EFC6,	1
		mov	al, [edi+4]
		mov	[ebp+var_1], al
		jz	short loc_660831
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	al, [ebp+var_1]
		jmp	short loc_660836
; 

loc_660831:				; CODE XREF: RtlStdReleaseStackTrace(x,x)+93j
		xor	ecx, ecx
		lock and [edi],	ecx

loc_660836:				; CODE XREF: RtlStdReleaseStackTrace(x,x)+A2j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		pop	ebx
		jz	short loc_66085F
		movzx	eax, word ptr [esi+4]
		lea	edx, [esi+0Ch]
		mov	esi, [ebp+var_C]
		shr	eax, 0Bh
		add	eax, 0Fh
		lea	ecx, [esi+eax*8]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		lock inc dword ptr [esi+6Ch]

loc_66085F:				; CODE XREF: RtlStdReleaseStackTrace(x,x)+B4j
		pop	edi
		pop	esi
		leave
		retn
_RtlStdReleaseStackTrace@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpStdExtendLowerWatermark(x, x)
_RtlpStdExtendLowerWatermark@8 proc near ; CODE	XREF: RtlpStdGetSpaceForTrace(x,x)+4Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], edx
		mov	esi, ecx
		mov	[ebp+var_8], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [ebp+var_10]
		mov	[esi+4], bl
		mov	al, [esi+44h]
		mov	ebx, [esi+54h]
		mov	ecx, [esi+4Ch]
		mov	[ebp+var_1], al
		cmp	[ebp+var_1], 0
		mov	[ebp+var_C], ecx
		lea	eax, [ebx+edx]
		jz	short loc_6608B0
		cmp	eax, [esi+58h]
		ja	short loc_6608FB
		cmp	[ebp+var_1], 0
		jnz	short loc_6608F0

loc_6608B0:				; CODE XREF: RtlpStdExtendLowerWatermark(x,x)+40j
		cmp	eax, ecx
		jbe	short loc_6608F0
		lea	eax, [edx+0FFFh]
		and	eax, 0FFFFF000h
		mov	[ebp+var_8], eax
		add	eax, ecx
		cmp	eax, [esi+50h]
		jnb	short loc_6608FB
		push	4
		push	1000h
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		lea	eax, [ebp+var_C]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_6608FB
		mov	eax, [ebp+var_8]
		add	eax, [ebp+var_C]
		mov	edx, [ebp+var_10]
		mov	[esi+4Ch], eax

loc_6608F0:				; CODE XREF: RtlpStdExtendLowerWatermark(x,x)+4Bj
					; RtlpStdExtendLowerWatermark(x,x)+4Fj
		inc	dword ptr [esi+68h]
		lea	eax, [ebx+edx]
		mov	[esi+54h], eax
		mov	edi, ebx

loc_6608FB:				; CODE XREF: RtlpStdExtendLowerWatermark(x,x)+45j
					; RtlpStdExtendLowerWatermark(x,x)+64j	...
		test	ds:byte_70EFC6,	1
		mov	bl, [esi+4]
		jz	short loc_660913
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_660918
; 

loc_660913:				; CODE XREF: RtlpStdExtendLowerWatermark(x,x)+A2j
		xor	eax, eax
		lock and [esi],	eax

loc_660918:				; CODE XREF: RtlpStdExtendLowerWatermark(x,x)+AEj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_RtlpStdExtendLowerWatermark@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpStdExtendUpperWatermark(x, x)
_RtlpStdExtendUpperWatermark@8 proc near
					; CODE XREF: RtlpStdGetRecordedStackTraceIndex(x,x)+69p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	[ebp+var_8], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	[esi+4], bl
		mov	ebx, [esi+58h]
		mov	dl, [esi+44h]
		mov	ecx, [esi+50h]
		mov	[ebp+var_4], ecx
		lea	eax, [ebx-4]
		test	dl, dl
		jz	short loc_660966
		cmp	eax, [esi+54h]
		jb	short loc_6609AC
		test	dl, dl
		jnz	short loc_6609A3

loc_660966:				; CODE XREF: RtlpStdExtendUpperWatermark(x,x)+34j
		cmp	eax, ecx
		jnb	short loc_6609A3
		lea	eax, [ecx-1000h]
		mov	edx, 1000h
		mov	[ebp+var_8], edx
		cmp	eax, [esi+4Ch]
		jbe	short loc_6609AC
		push	4
		lea	eax, [ecx-1000h]
		push	edx
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		lea	eax, [ebp+var_4]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_6609AC
		mov	eax, [ebp+var_4]
		mov	[esi+50h], eax

loc_6609A3:				; CODE XREF: RtlpStdExtendUpperWatermark(x,x)+3Dj
					; RtlpStdExtendUpperWatermark(x,x)+41j
		inc	dword ptr [esi+60h]
		lea	edi, [ebx-4]
		mov	[esi+58h], edi

loc_6609AC:				; CODE XREF: RtlpStdExtendUpperWatermark(x,x)+39j
					; RtlpStdExtendUpperWatermark(x,x)+54j	...
		test	ds:byte_70EFC6,	1
		mov	bl, [esi+4]
		jz	short loc_6609C4
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6609C9
; 

loc_6609C4:				; CODE XREF: RtlpStdExtendUpperWatermark(x,x)+8Fj
		xor	eax, eax
		lock and [esi],	eax

loc_6609C9:				; CODE XREF: RtlpStdExtendUpperWatermark(x,x)+9Bj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_RtlpStdExtendUpperWatermark@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpStdGetRecordedStackTraceIndex(x, x)
_RtlpStdGetRecordedStackTraceIndex@8 proc near ; CODE XREF: RtlLogStackBackTraceEx(x)+27p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	esi, esi
		mov	[ebp+var_8], ebx
		mov	ecx, esi
		movzx	eax, word ptr [edi+0Ah]
		test	eax, eax
		jz	short loc_660A02
		lea	edx, [edi+0Ch]

loc_6609F8:				; CODE XREF: RtlpStdGetRecordedStackTraceIndex(x,x)+28j
		add	ecx, [edx]
		lea	edx, [edx+4]
		sub	eax, 1
		jnz	short loc_6609F8

loc_660A02:				; CODE XREF: RtlpStdGetRecordedStackTraceIndex(x,x)+1Bj
		xor	edx, edx
		mov	eax, ecx
		div	dword ptr [ebx+178h]
		add	edx, 20h
		imul	eax, edx, 0Ch
		add	eax, ebx
		mov	[ebp+var_4], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp+var_4]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_4]
		mov	[eax+4], bl
		movzx	eax, word ptr [edi+8]
		test	ax, ax
		jnz	short loc_660A63
		cmp	[edi+6], si
		jnz	short loc_660A63
		mov	ebx, [ebp+var_8]
		mov	ecx, ebx
		call	_RtlpStdExtendUpperWatermark@8 ; RtlpStdExtendUpperWatermark(x,x)
		test	eax, eax
		jz	short loc_660A6C
		mov	[eax], edi
		mov	esi, [ebx+64h]
		sub	esi, eax
		sar	esi, 2
		mov	eax, esi
		mov	[edi+8], si
		sar	eax, 10h
		mov	[edi+6], ax
		jmp	short loc_660A6C
; 

loc_660A63:				; CODE XREF: RtlpStdGetRecordedStackTraceIndex(x,x)+5Cj
					; RtlpStdGetRecordedStackTraceIndex(x,x)+62j
		movzx	esi, word ptr [edi+6]
		shl	esi, 10h
		add	esi, eax

loc_660A6C:				; CODE XREF: RtlpStdGetRecordedStackTraceIndex(x,x)+70j
					; RtlpStdGetRecordedStackTraceIndex(x,x)+89j
		test	ds:byte_70EFC6,	1
		mov	eax, [ebp+var_4]
		mov	bl, [eax+4]
		jz	short loc_660A87
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_660A8C
; 

loc_660A87:				; CODE XREF: RtlpStdGetRecordedStackTraceIndex(x,x)+A1j
		xor	ecx, ecx
		lock and [eax],	ecx

loc_660A8C:				; CODE XREF: RtlpStdGetRecordedStackTraceIndex(x,x)+ADj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_RtlpStdGetRecordedStackTraceIndex@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpStdGetSpaceForTrace(x, x)
_RtlpStdGetSpaceForTrace@8 proc	near	; CODE XREF: RtlpStdLogCapturedStackTrace(x,x,x)+8Cp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		test	dx, dx
		jnz	short loc_660AAD
		xor	eax, eax
		jmp	short loc_660B1C
; 

loc_660AAD:				; CODE XREF: RtlpStdGetSpaceForTrace(x,x)+Cj
		movzx	eax, dx
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		lea	esi, [eax-1]
		cmp	esi, 20h
		jnb	short loc_660ADA
		lea	edi, [ebx+78h]
		lea	edi, [edi+esi*8]

loc_660AC3:				; CODE XREF: RtlpStdGetSpaceForTrace(x,x)+3Aj
		mov	ecx, edi
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jnz	short loc_660B1F
		inc	esi
		add	edi, 8
		cmp	esi, 20h
		jb	short loc_660AC3
		mov	eax, [ebp+var_4]

loc_660ADA:				; CODE XREF: RtlpStdGetSpaceForTrace(x,x)+20j
		lea	esi, ds:13h[eax*4]
		mov	ecx, ebx
		and	esi, 0FFFFFFF8h
		mov	edx, esi
		call	_RtlpStdExtendLowerWatermark@8 ; RtlpStdExtendLowerWatermark(x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_660B18
		lea	ecx, [esi-0Ch]
		shr	ecx, 2
		dec	ecx
		cmp	ecx, 1Fh
		jbe	short loc_660B02
		push	1Fh
		pop	ecx

loc_660B02:				; CODE XREF: RtlpStdGetSpaceForTrace(x,x)+62j
		mov	ax, [edx+4]
		mov	esi, 7FFh
		and	ax, si
		shl	ecx, 0Bh
		or	ax, cx
		mov	[edx+4], ax

loc_660B18:				; CODE XREF: RtlpStdGetSpaceForTrace(x,x)+56j
					; RtlpStdGetSpaceForTrace(x,x)+8Bj
		pop	edi
		mov	eax, edx
		pop	esi

loc_660B1C:				; CODE XREF: RtlpStdGetSpaceForTrace(x,x)+10j
		pop	ebx
		leave
		retn
; 

loc_660B1F:				; CODE XREF: RtlpStdGetSpaceForTrace(x,x)+31j
		lea	edx, [eax-0Ch]
		lock dec dword ptr [ebx+6Ch]
		jmp	short loc_660B18
_RtlpStdGetSpaceForTrace@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpStdListRemove(x, x)
_RtlpStdListRemove@8 proc near		; CODE XREF: RtlStdReleaseStackTrace(x,x)+7Ap
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		test	esi, esi
		jz	short loc_660B3F

loc_660B31:				; CODE XREF: RtlpStdListRemove(x,x)+15j
		cmp	esi, edx
		jz	short loc_660B42
		mov	eax, [esi]
		mov	ecx, esi
		mov	esi, eax
		test	eax, eax
		jnz	short loc_660B31

loc_660B3F:				; CODE XREF: RtlpStdListRemove(x,x)+7j
		int	3		; Trap to Debugger
		pop	esi
		retn
; 

loc_660B42:				; CODE XREF: RtlpStdListRemove(x,x)+Bj
		mov	eax, [edx]
		mov	[ecx], eax
		pop	esi
		retn
_RtlpStdListRemove@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpStdLogCapturedStackTrace(x, x, x)
_RtlpStdLogCapturedStackTrace@12 proc near ; CODE XREF:	RtlStdLogStackTrace(x,x)+5Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
Length		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		movzx	eax, word ptr [edx+0Ah]
		push	ebx
		push	esi
		shl	eax, 2
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+Length], eax
		xor	edx, edx
		mov	eax, [ebp+arg_0]
		div	dword ptr [edi+178h]
		imul	esi, edx, 0Ch
		lock inc dword ptr [edi+5Ch]
		lea	eax, [edi+180h]
		add	eax, esi
		mov	[ebp+var_C], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+180h]
		mov	bl, al
		add	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	eax, [esi+edi]
		mov	[eax+184h], bl
		mov	esi, [esi+edi+17Ch]
		mov	ebx, [ebp+var_8]

loc_660BA7:				; CODE XREF: RtlpStdLogCapturedStackTrace(x,x,x)+84j
		test	esi, esi
		jz	short loc_660BCE
		mov	ax, [esi+0Ah]
		cmp	ax, [ebx+0Ah]
		jnz	short loc_660BCA
		push	[ebp+Length]	; Length
		lea	eax, [ebx+0Ch]
		push	eax		; Source2
		lea	eax, [esi+0Ch]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, [ebp+Length]
		jz	short loc_660C21

loc_660BCA:				; CODE XREF: RtlpStdLogCapturedStackTrace(x,x,x)+6Bj
		mov	esi, [esi]
		jmp	short loc_660BA7
; 

loc_660BCE:				; CODE XREF: RtlpStdLogCapturedStackTrace(x,x,x)+61j
		mov	dx, [ebx+0Ah]
		mov	ecx, edi
		call	_RtlpStdGetSpaceForTrace@8 ; RtlpStdGetSpaceForTrace(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_660C42
		push	[ebp+Length]	; size_t
		lea	eax, [ebx+0Ch]
		push	eax		; void *
		lea	ecx, [esi+0Ch]
		push	ecx		; void *
		call	_memcpy
		mov	cx, [ebx+0Ah]
		mov	eax, 0F800h
		and	[esi+4], ax
		xor	edx, edx
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[esi+0Ah], cx
		div	dword ptr [edi+178h]
		imul	ecx, edx, 0Ch
		mov	eax, [ecx+edi+17Ch]
		mov	[esi], eax
		mov	[ecx+edi+17Ch],	esi

loc_660C21:				; CODE XREF: RtlpStdLogCapturedStackTrace(x,x,x)+80j
		movzx	ecx, word ptr [esi+4]
		mov	edx, 7FFh
		mov	eax, ecx
		and	eax, edx
		cmp	ax, dx
		jz	short loc_660C46
		lea	eax, [ecx+1]
		xor	eax, ecx
		and	eax, edx
		xor	eax, ecx
		mov	[esi+4], ax
		jmp	short loc_660C46
; 

loc_660C42:				; CODE XREF: RtlpStdLogCapturedStackTrace(x,x,x)+95j
		lock inc dword ptr [edi+70h]

loc_660C46:				; CODE XREF: RtlpStdLogCapturedStackTrace(x,x,x)+E9j
					; RtlpStdLogCapturedStackTrace(x,x,x)+F8j
		test	ds:byte_70EFC6,	1
		mov	eax, [ebp+var_C]
		mov	bl, [eax+4]
		jz	short loc_660C61
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_660C66
; 

loc_660C61:				; CODE XREF: RtlpStdLogCapturedStackTrace(x,x,x)+10Bj
		xor	ecx, ecx
		lock and [eax],	ecx

loc_660C66:				; CODE XREF: RtlpStdLogCapturedStackTrace(x,x,x)+117j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_RtlpStdLogCapturedStackTrace@12 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 168. RtlUlongByteSwap

;  S U B	R O U T	I N E 


; __fastcall RtlUlongByteSwap(x)
		public @RtlUlongByteSwap@4
@RtlUlongByteSwap@4 proc near
		bswap	ecx
		mov	eax, ecx
		retn
@RtlUlongByteSwap@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 169. RtlUlonglongByteSwap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall RtlUlonglongByteSwap(x, x)
		public @RtlUlonglongByteSwap@8
@RtlUlonglongByteSwap@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		bswap	edx
		bswap	eax
		pop	ebp
		retn	8
@RtlUlonglongByteSwap@8	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 170. RtlUshortByteSwap

;  S U B	R O U T	I N E 


; __fastcall RtlUshortByteSwap(x)
		public @RtlUshortByteSwap@4
@RtlUshortByteSwap@4 proc near
		mov	ah, cl
		mov	al, ch
		retn
@RtlUshortByteSwap@4 endp


;  S U B	R O U T	I N E 


; __stdcall CheckOneBitValidFlag(x, x)
_CheckOneBitValidFlag@8	proc near	; CODE XREF: LdrResGetRCConfig+9E679p
					; LdrResGetRCConfig+9E694p ...
		mov	eax, edx
		not	eax
		test	eax, ecx
		jnz	short loc_660CAF
		and	ecx, edx
		jnz	short loc_660CB4

loc_660CAF:				; CODE XREF: CheckOneBitValidFlag(x,x)+6j
					; CheckOneBitValidFlag(x,x)+19j
		xor	al, al
		retn
; 

loc_660CB2:				; CODE XREF: CheckOneBitValidFlag(x,x)+14j
		sar	ecx, 1

loc_660CB4:				; CODE XREF: CheckOneBitValidFlag(x,x)+Aj
		test	cl, 1
		jz	short loc_660CB2
		cmp	ecx, 1
		jg	short loc_660CAF
		mov	al, 1
		retn
_CheckOneBitValidFlag@8	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2346. RtlSizeHeap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSizeHeap(x, x, x)
		public _RtlSizeHeap@12
_RtlSizeHeap@12	proc near

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_660CE3
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_8]
		push	13h
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_660CE3:				; CODE XREF: RtlSizeHeap(x,x,x)+9j
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	_RtlpSizeHeapInternal@12 ; RtlpSizeHeapInternal(x,x,x)
		pop	ebp
		retn	0Ch
_RtlSizeHeap@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpAllocWithExceptionProtection(x, x, x)
_RtlpHpAllocWithExceptionProtection@12 proc near ; CODE	XREF: RtlAllocateHeap+DB6E2p

var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	20h
		push	offset dword_6A91D8
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		push	ecx
		push	[ebp+arg_0]
		call	RtlpAllocateHeapInternal
		jmp	short loc_660D4C
; 
byte_660D0D	db 8Bh,	4Dh, 0ECh	; DATA XREF: .text:006A91ECo
		dd 8B018Bh, 89D04589h, 4589E04Dh, 0E445C7DCh, 0
dword_660D24	dd 8BE0558Bh, 53E8DC4Dh, 8900008Ch, 7D83E445h, 57501E4h
		dd 0CD59236Ah, 0E4458B29h, 8BD84589h, 8BC3D845h, 0C033E865h
; 

loc_660D4C:				; CODE XREF: RtlpHpAllocWithExceptionProtection(x,x,x)+19j
		mov	[ebp+var_2C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_RtlpHpAllocWithExceptionProtection@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpFreeWithExceptionProtection(x, x, x)
_RtlpHpFreeWithExceptionProtection@12 proc near	; CODE XREF: RtlFreeHeap+DB5F6p

var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	20h
		push	offset dword_6A91B8
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		push	ecx
		push	ecx
		push	[ebp+arg_0]
		call	RtlpFreeHeapInternal
		jmp	short loc_660DC3
; 
dword_660D84	dd 8BEC4D8Bh, 89008B01h, 4D89D045h, 0DC4589E0h,	0E445C7h
					; DATA XREF: .text:006A91CCo
		dd 8B000000h, 4D8BE055h, 8BDCE8DCh, 45890000h, 0E47D83E4h
		dd 6A057501h, 29CD5923h, 89E4458Bh, 458BD845h, 658BC3D8h
		db 0E8h, 33h, 0C0h
; 

loc_660DC3:				; CODE XREF: RtlpHpFreeWithExceptionProtection(x,x,x)+1Aj
		mov	[ebp+var_2C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_RtlpHpFreeWithExceptionProtection@12 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1975. RtlCheckTokenCapability

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCheckTokenCapability(x, x, x)
		public _RtlCheckTokenCapability@12
_RtlCheckTokenCapability@12 proc near	; CODE XREF: RtlCapabilityCheck(x,x,x)+1FBp

var_1EE		= byte ptr -1EEh
var_1ED		= byte ptr -1EDh
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= word ptr -134h
var_130		= dword	ptr -130h
var_90		= dword	ptr -90h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1F4h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+1F4h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	[esp+200h+var_1EC], eax
		xor	eax, eax
		push	0A0h		; size_t
		push	eax		; int
		mov	[esp+208h+var_1D4], eax
		mov	[esp+208h+var_1E4], eax
		lea	eax, [esp+208h+var_130]
		push	eax		; void *
		mov	[esp+20Ch+var_1C0], esi
		call	_memset
		xor	eax, eax
		lea	edi, [esp+20Ch+var_1BC]
		push	6
		pop	ecx
		rep stosd
		lea	edi, [esp+20Ch+var_13C]
		xor	edx, edx
		stosd
		push	4Ch		; size_t
		push	edx		; int
		mov	[esp+214h+var_1E8], edx
		stosd
		mov	[esp+214h+var_1D8], edx
		stosd
		xor	eax, eax
		lea	edi, [esp+214h+var_1A4]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+214h+var_190]
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [esp+218h+var_1D0]
		stosd
		xor	ecx, ecx
		add	esp, 18h
		mov	[esp+200h+var_1E0], ecx
		mov	[esp+200h+var_1ED], cl
		mov	[esi], cl
		stosd
		stosd
		stosd
		lea	eax, [esp+200h+var_58]
		mov	edi, [esp+200h+var_1EC]
		mov	ecx, edi
		mov	[esp+200h+var_1DC], eax
		call	_RtlIsCapabilitySid@4 ;	RtlIsCapabilitySid(x)
		test	al, al
		jnz	short loc_660EA8
		mov	esi, 0C000000Dh
		jmp	loc_6610D1
; 

loc_660EA8:				; CODE XREF: RtlCheckTokenCapability(x,x,x)+B8j
		push	2
		pop	edx
		test	ebx, ebx
		jz	loc_660F3B
		lea	eax, [esp+200h+var_13C]
		mov	[esp+200h+var_1BC], 18h
		mov	[esp+200h+var_1A8], eax
		xor	ecx, ecx
		lea	eax, [esp+200h+var_1E8]
		mov	[esp+200h+var_1B8], ecx
		push	eax
		push	edx
		push	ecx
		lea	eax, [esp+20Ch+var_1BC]
		mov	[esp+20Ch+var_1B0], 200h
		push	eax
		push	8
		push	ebx
		mov	[esp+218h+var_1B4], ecx
		mov	[esp+218h+var_1AC], ecx
		mov	[esp+218h+var_13C], 0Ch
		mov	[esp+218h+var_138], edx
		mov	[esp+218h+var_134], 1
		call	_ZwDuplicateToken@24 ; ZwDuplicateToken(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6610D1
		push	4Ch
		pop	ecx
		lea	eax, [esp+200h+var_1E0]
		mov	[esp+200h+var_1E0], ecx
		push	eax
		push	ecx
		lea	eax, [esp+208h+var_190]
		xor	ebx, ebx
		push	eax
		push	1
		push	[esp+210h+var_1E8]
		call	_ZwQueryInformationToken@20 ; ZwQueryInformationToken(x,x,x,x,x)
		mov	esi, [esp+200h+var_190]
		jmp	short loc_660F74
; 

loc_660F3B:				; CODE XREF: RtlCheckTokenCapability(x,x,x)+C9j
		lea	eax, [esp+200h+var_1D0]
		push	eax
		call	SeCaptureSubjectContext
		mov	eax, [esp+200h+var_1D0]
		mov	[esp+200h+var_1ED], 1
		test	eax, eax
		jnz	short loc_660F56
		mov	eax, [esp+200h+var_1C8]

loc_660F56:				; CODE XREF: RtlCheckTokenCapability(x,x,x)+16Cj
		lea	ecx, [esp+200h+var_1DC]
		push	ecx
		push	1
		push	eax
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	eax, [esp+200h+var_1DC]
		mov	esi, [eax]
		mov	[esp+200h+var_190], esi
		mov	eax, [eax+4]
		mov	[esp+200h+var_18C], eax

loc_660F74:				; CODE XREF: RtlCheckTokenCapability(x,x,x)+155j
		push	1
		lea	eax, [esp+204h+var_1A4]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	esi
		lea	eax, [esp+208h+var_1A4]
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		xor	esi, esi
		lea	eax, [esp+200h+var_1A4]
		push	esi
		push	[esp+204h+var_190]
		push	eax
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		push	2		; int
		push	0A0h		; size_t
		lea	eax, [esp+208h+var_130]
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	[esp+200h+var_190]
		lea	eax, [esp+204h+var_130]
		push	10001h
		push	2
		push	eax
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	edi
		mov	edi, 10001h
		lea	eax, [esp+204h+var_130]
		push	edi
		push	2
		push	eax
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	esi
		lea	eax, [esp+204h+var_130]
		push	eax
		push	1
		lea	eax, [esp+20Ch+var_1A4]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		cmp	[esp+200h+var_1ED], 0
		lea	eax, [esp+200h+var_90]
		mov	[esp+200h+var_1D8], eax
		jnz	short loc_661044
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		push	esi
		lea	ecx, [esp+204h+var_1EC]
		mov	[esp+204h+var_1EC], esi
		push	ecx
		mov	eax, [eax+0E4h]
		push	esi
		mov	[esp+20Ch+var_1C4], eax
		mov	eax, ds:_SeTokenObjectType
		push	eax
		push	8
		push	[esp+214h+var_1E8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [esp+200h+var_1EC]
		mov	[esp+200h+var_1C8], eax
		test	esi, esi
		js	loc_6610D5

loc_661044:				; CODE XREF: RtlCheckTokenCapability(x,x,x)+221j
		mov	eax, large fs:124h
		xor	ecx, ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+200h+var_1EC], al
		lea	eax, [esp+200h+var_1E4]
		push	eax
		lea	eax, [esp+204h+var_1D4]
		push	eax
		push	[esp+208h+var_1EC]
		lea	eax, [esp+20Ch+var_1D8]
		push	offset _RtlpCheckTokenCapabilityGenericMapping
		push	eax
		push	ecx
		push	edi
		push	ecx
		lea	eax, [esp+220h+var_1D0]
		push	eax
		push	ecx
		lea	eax, [esp+228h+var_1A4]
		push	eax
		call	_SeAccessCheckWithHint@44 ; SeAccessCheckWithHint(x,x,x,x,x,x,x,x,x,x,x)
		test	al, al
		mov	esi, 0C0000022h
		mov	eax, [esp+200h+var_1E4]
		jz	short loc_661093
		mov	esi, eax

loc_661093:				; CODE XREF: RtlCheckTokenCapability(x,x,x)+2ABj
		mov	cl, [esp+200h+var_1ED]
		test	cl, cl
		jnz	short loc_6610AC
		mov	ecx, [esp+200h+var_1C8]
		call	ObfDereferenceObject
		mov	eax, [esp+200h+var_1E4]
		mov	cl, [esp+200h+var_1ED]

loc_6610AC:				; CODE XREF: RtlCheckTokenCapability(x,x,x)+2B5j
		test	esi, esi
		js	short loc_6610C3
		test	eax, eax
		jnz	short loc_6610C1
		cmp	[esp+200h+var_1D4], edi
		jnz	short loc_6610C1
		mov	eax, [esp+200h+var_1C0]
		mov	byte ptr [eax],	1

loc_6610C1:				; CODE XREF: RtlCheckTokenCapability(x,x,x)+2CEj
					; RtlCheckTokenCapability(x,x,x)+2D4j
		xor	esi, esi

loc_6610C3:				; CODE XREF: RtlCheckTokenCapability(x,x,x)+2CAj
		test	cl, cl
		jz	short loc_6610D5
		lea	eax, [esp+200h+var_1D0]
		push	eax
		call	SeReleaseSubjectContext

loc_6610D1:				; CODE XREF: RtlCheckTokenCapability(x,x,x)+BFj
					; RtlCheckTokenCapability(x,x,x)+12Cj
		test	ebx, ebx
		jnz	short loc_6610E5

loc_6610D5:				; CODE XREF: RtlCheckTokenCapability(x,x,x)+25Aj
					; RtlCheckTokenCapability(x,x,x)+2E1j
		cmp	[esp+200h+var_1E8], 0
		jz	short loc_6610E5
		push	[esp+200h+var_1E8]
		call	_ZwClose@4	; ZwClose(x)

loc_6610E5:				; CODE XREF: RtlCheckTokenCapability(x,x,x)+2EFj
					; RtlCheckTokenCapability(x,x,x)+2F6j
		mov	ecx, [esp+200h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_RtlCheckTokenCapability@12 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 2110. RtlGetAppContainerNamedObjectPath

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetAppContainerNamedObjectPath(x, x, x, x)
		public _RtlGetAppContainerNamedObjectPath@16
_RtlGetAppContainerNamedObjectPath@16 proc near

var_B2		= byte ptr -0B2h
var_B1		= byte ptr -0B1h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_50		= dword	ptr -50h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [esp+0C0h+var_A0]
		push	4Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	[esp+0CCh+var_AC], ebx
		mov	[esp+0CCh+var_B0], ebx
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+0C0h+var_50]
		push	4Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	edi, [ebp+arg_C]
		add	esp, 0Ch
		test	edi, edi
		jnz	short loc_66114F
		mov	eax, 0C000000Dh
		jmp	loc_66128E
; 

loc_66114F:				; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+40j
		mov	esi, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		test	esi, esi
		jz	short loc_661167
		test	eax, eax
		jz	short loc_661167
		mov	eax, 0C0000030h
		jmp	loc_66128E
; 

loc_661167:				; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+54j
					; RtlGetAppContainerNamedObjectPath(x,x,x,x)+58j
		mov	[esp+0C0h+var_A4], ebx
		mov	[esp+0C0h+var_A8], ebx
		mov	[esp+0C0h+var_B1], bl
		xor	ebx, ebx
		cmp	[ebp+arg_8], bl
		setnz	bl
		dec	ebx
		and	ebx, 0FFFFFFFBh
		add	ebx, 0Dh
		test	eax, eax
		jz	short loc_66118F
		push	0FFFFFFFCh
		mov	[esp+0C4h+var_B2], 0
		jmp	short loc_66119A
; 

loc_66118F:				; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+81j
		mov	[esp+0C0h+var_B2], 1
		test	esi, esi
		jnz	short loc_66119F
		push	0FFFFFFFAh

loc_66119A:				; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+8Aj
		pop	esi
		test	eax, eax
		jnz	short loc_6611D0

loc_66119F:				; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+93j
		lea	eax, [esp+0C0h+var_B0]
		push	eax
		push	4
		lea	eax, [esp+0C8h+var_AC]
		push	eax
		push	1Dh
		push	esi
		call	_NtQueryInformationToken@20 ; NtQueryInformationToken(x,x,x,x,x)
		test	eax, eax
		js	loc_66128E
		cmp	[esp+0C0h+var_AC], 0
		jnz	short loc_6611D0
		and	dword ptr [edi], 0
		and	dword ptr [edi+4], 0
		xor	eax, eax
		jmp	loc_66128E
; 

loc_6611D0:				; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+9Aj
					; RtlGetAppContainerNamedObjectPath(x,x,x,x)+BDj
		cmp	[ebp+arg_8], 0
		jz	loc_661277
		cmp	[esp+0C0h+var_B2], 0
		mov	al, 1
		jz	loc_66127B
		lea	eax, [esp+0C0h+var_B0]
		push	eax
		push	4
		lea	eax, [esp+0C8h+var_A8]
		push	eax
		push	2Ah
		push	0FFFFFFFCh
		call	_NtQueryInformationToken@20 ; NtQueryInformationToken(x,x,x,x,x)
		test	eax, eax
		js	loc_66128E
		cmp	[esp+0C0h+var_A8], 0
		jz	short loc_661273
		lea	eax, [esp+0C0h+var_B0]
		push	eax
		push	4
		lea	eax, [esp+0C8h+var_A4]
		push	eax
		push	2Ah
		push	esi
		call	_NtQueryInformationToken@20 ; NtQueryInformationToken(x,x,x,x,x)
		test	eax, eax
		js	short loc_66128E
		cmp	[esp+0C0h+var_A4], 0
		jz	short loc_66126C
		lea	eax, [esp+0C0h+var_B0]
		push	eax
		push	4Ch
		lea	eax, [esp+0C8h+var_A0]
		push	eax
		push	1
		push	0FFFFFFFCh
		call	_NtQueryInformationToken@20 ; NtQueryInformationToken(x,x,x,x,x)
		test	eax, eax
		js	short loc_66128E
		lea	eax, [esp+0C0h+var_B0]
		push	eax
		push	4Ch
		lea	eax, [esp+0C8h+var_50]
		push	eax
		push	1
		push	esi
		call	_NtQueryInformationToken@20 ; NtQueryInformationToken(x,x,x,x,x)
		test	eax, eax
		js	short loc_66128E
		push	[esp+0C0h+var_A0]
		push	[esp+0C4h+var_50]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_66127F

loc_66126C:				; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+125j
		mov	eax, 0C00000BBh
		jmp	short loc_66128E
; 

loc_661273:				; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+106j
		xor	al, al
		jmp	short loc_66127B
; 

loc_661277:				; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+D1j
		mov	al, [esp+0C0h+var_B1]

loc_66127B:				; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+DEj
					; RtlGetAppContainerNamedObjectPath(x,x,x,x)+172j
		test	al, al
		jz	short loc_661282

loc_66127F:				; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+167j
		or	ebx, 2

loc_661282:				; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+17Aj
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		push	edi
		push	ebx
		call	_RtlpGetTokenNamedObjectPath@16	; RtlpGetTokenNamedObjectPath(x,x,x,x)

loc_66128E:				; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+47j
					; RtlGetAppContainerNamedObjectPath(x,x,x,x)+5Fj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_RtlGetAppContainerNamedObjectPath@16 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2073. RtlExtractBitMap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlExtractBitMap(x,	x, x, x)
		public _RtlExtractBitMap@16
_RtlExtractBitMap@16 proc near		; CODE XREF: RtlShiftLeftBitMap(x,x)+25p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [eax]
		sub	edi, ecx
		cmp	[ebp+arg_C], edi
		ja	short loc_6612B7
		mov	edi, [ebp+arg_C]

loc_6612B7:				; CODE XREF: RtlExtractBitMap(x,x,x,x)+16j
		mov	esi, [ebp+arg_4]
		mov	edx, [esi]
		cmp	edi, edx
		jbe	short loc_6612C2
		mov	edi, edx

loc_6612C2:				; CODE XREF: RtlExtractBitMap(x,x,x,x)+22j
		test	edi, edi
		jz	loc_66140A
		mov	edx, ecx
		shr	edx, 3
		mov	[ebp+arg_C], edx
		push	ebx
		test	cl, 7
		jnz	short loc_66132A
		mov	ebx, edi
		and	edi, 7
		shr	ebx, 3
		test	ebx, ebx
		jz	short loc_6612FC
		mov	eax, [eax+4]
		push	ebx		; size_t
		add	eax, edx
		push	eax		; void *
		push	dword ptr [esi+4] ; void *
		call	_memcpy
		mov	edx, [ebp+arg_C]
		add	esp, 0Ch
		mov	eax, [ebp+arg_0]

loc_6612FC:				; CODE XREF: RtlExtractBitMap(x,x,x,x)+46j
		test	edi, edi
		jz	loc_661409
		mov	eax, [eax+4]
		mov	ecx, edi
		mov	esi, [esi+4]
		add	eax, edx
		add	esi, ebx
		mov	dl, [eax+ebx]
		mov	bl, 1
		shl	bl, cl
		dec	bl
		mov	al, bl
		and	bl, dl
		not	al
		and	al, [esi]
		or	al, bl
		mov	[esi], al
		jmp	loc_661409
; 

loc_66132A:				; CODE XREF: RtlExtractBitMap(x,x,x,x)+3Aj
		mov	eax, [eax+4]
		mov	ebx, ecx
		shr	ecx, 5
		and	ebx, 1Fh
		push	20h
		lea	edx, [eax+ecx*4]
		mov	eax, [esi+4]
		mov	[ebp+arg_0], eax
		mov	ecx, ebx
		xor	eax, eax
		mov	[ebp+arg_C], edx
		inc	eax
		mov	esi, eax
		shl	esi, cl
		pop	ecx
		mov	[ebp+var_8], esi
		cmp	edi, ecx
		jb	short loc_6613AF
		mov	eax, ecx
		sub	eax, ebx
		mov	[ebp+arg_4], eax
		lea	eax, [esi-1]
		mov	[ebp+arg_8], eax
		mov	esi, edi
		not	eax
		shr	esi, 5
		mov	[ebp+var_4], eax

loc_66136B:				; CODE XREF: RtlExtractBitMap(x,x,x,x)+108j
		mov	edx, [edx]
		mov	ecx, ebx
		and	edx, eax
		sub	edi, 20h
		shr	edx, cl
		mov	ecx, [ebp+arg_0]
		mov	[ecx], edx
		mov	ecx, [ebp+arg_C]
		add	ecx, 4
		mov	[ebp+arg_C], ecx
		mov	eax, [ecx]
		and	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		shl	eax, cl
		or	eax, edx
		mov	edx, [ebp+arg_0]
		mov	[edx], eax
		add	edx, 4
		mov	eax, [ebp+var_4]
		mov	[ebp+arg_0], edx
		mov	edx, [ebp+arg_C]
		sub	esi, 1
		jnz	short loc_66136B
		mov	esi, [ebp+var_8]
		xor	eax, eax
		push	20h
		inc	eax
		pop	ecx

loc_6613AF:				; CODE XREF: RtlExtractBitMap(x,x,x,x)+B6j
		test	edi, edi
		jz	short loc_661409
		sub	ecx, ebx
		mov	[ebp+arg_8], ecx
		mov	ecx, [edx]
		mov	[ebp+arg_4], ecx
		mov	ecx, edi
		shl	eax, cl
		dec	eax
		mov	edx, eax
		not	edx
		cmp	edi, [ebp+arg_8]
		ja	short loc_6613DF
		mov	ecx, ebx
		shl	eax, cl
		and	eax, [ebp+arg_4]
		shr	eax, cl
		mov	ecx, [ebp+arg_0]
		and	edx, [ecx]
		or	eax, edx
		mov	[ecx], eax
		jmp	short loc_661409
; 

loc_6613DF:				; CODE XREF: RtlExtractBitMap(x,x,x,x)+12Dj
		xor	eax, eax
		lea	ecx, [ebx-20h]
		add	ecx, edi
		inc	eax
		shl	eax, cl
		neg	esi
		mov	ecx, [ebp+arg_C]
		dec	eax
		and	esi, [ebp+arg_4]
		and	eax, [ecx+4]
		mov	ecx, [ebp+arg_8]
		shl	eax, cl
		mov	ecx, ebx
		shr	esi, cl
		mov	ecx, [ebp+arg_0]
		or	eax, esi
		and	edx, [ecx]
		or	edx, eax
		mov	[ecx], edx

loc_661409:				; CODE XREF: RtlExtractBitMap(x,x,x,x)+62j
					; RtlExtractBitMap(x,x,x,x)+89j ...
		pop	ebx

loc_66140A:				; CODE XREF: RtlExtractBitMap(x,x,x,x)+28j
		pop	edi
		pop	esi
		leave
		retn	10h
_RtlExtractBitMap@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFindLongestRunClearCapped(x, x, x)
_RtlFindLongestRunClearCapped@12 proc near ; CODE XREF:	MiFindPageFileWriteCluster+E81C4p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		mov	[ebp+var_8], edx
		mov	edx, ecx
		push	edi
		push	0
		pop	ecx
		mov	esi, [edx]
		mov	eax, esi
		and	eax, 7
		mov	[ebp+var_34], edx
		mov	[ebp+var_18], eax
		mov	eax, esi
		setnz	cl
		shr	eax, 3
		add	ecx, eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], ecx
		mov	ecx, [edx+4]
		mov	eax, [eax]
		cmp	eax, esi
		sbb	ebx, ebx
		xor	esi, esi
		and	[ebp+var_10], esi
		and	ebx, eax
		and	[ebp+var_20], esi
		and	ebx, 0FFFFFFF8h
		mov	eax, ebx
		mov	[ebp+var_1C], ebx
		shr	eax, 3
		xor	edx, edx
		add	ecx, eax
		mov	[ebp+var_4], eax
		mov	edi, ebx
		mov	bl, [ecx]
		inc	ecx
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+var_C]
		lea	esi, [ecx-1]
		mov	[ebp+var_38], esi
		cmp	eax, esi
		mov	esi, edx
		jnz	short loc_66148C
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jz	short loc_661489
		or	bl, ds:byte_40AA48[ecx]

loc_661489:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+71j
		mov	ecx, [ebp+var_C]

loc_66148C:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+6Aj
		and	[ebp+var_28], edx
		test	ecx, ecx
		jz	loc_6615EB

loc_661497:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+1A1j
		test	bl, bl
		jz	loc_661572
		movzx	ecx, bl
		mov	[ebp+var_24], ecx
		movzx	eax, ds:_RtlpBitsClearLow[ecx]
		mov	[ebp+var_2C], eax
		add	edx, eax
		mov	eax, [ebp+var_4]
		jz	short loc_6614CD
		mov	ecx, [ebp+var_8]
		cmp	edx, ecx
		jnb	loc_66157C
		mov	ecx, [ebp+var_24]
		cmp	edx, esi
		jbe	short loc_6614CD
		mov	esi, edx
		mov	[ebp+var_10], edi

loc_6614CD:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+A4j
					; RtlFindLongestRunClearCapped(x,x,x)+B6j
		cmp	edi, [ebp+var_1C]
		jnz	short loc_6614D5
		mov	[ebp+var_20], edx

loc_6614D5:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+C0j
		movzx	edx, ds:_RtlpBitsClearHigh[ecx]
		mov	ecx, offset dword_40AA50
		shl	eax, 3
		sub	ecx, edx
		mov	edi, eax
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_2C]
		sub	edi, edx
		add	edi, 8
		mov	al, ds:byte_40BA58[eax]
		or	al, [ecx]
		or	bl, al
		jmp	short loc_66153A
; 

loc_6614FF:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+12Dj
		movzx	eax, bl
		movzx	eax, ds:_RtlpBitsClearAnywhere[eax]
		mov	[ebp+var_24], eax
		cmp	esi, eax
		jnb	short loc_66153F
		mov	cl, ds:byte_40BA58[eax]
		xor	eax, eax
		jmp	short loc_66151D
; 

loc_66151A:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+10Fj
		add	cl, cl
		inc	eax

loc_66151D:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+108j
		test	cl, bl
		jnz	short loc_66151A
		mov	esi, [ebp+var_30]
		add	esi, eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_10], esi
		cmp	[ebp+var_24], eax
		jnb	loc_6615CE
		mov	esi, [ebp+var_24]
		or	bl, cl

loc_66153A:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+EDj
		cmp	bl, 0FFh
		jnz	short loc_6614FF

loc_66153F:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+FEj
		mov	eax, [ebp+var_4]

loc_661542:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+16Aj
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, [ebp+var_C]
		jb	short loc_661585
		test	edx, edx
		jz	short loc_661562
		cmp	edi, [ebp+var_1C]
		jnz	short loc_661557
		mov	[ebp+var_20], edx

loc_661557:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+142j
		cmp	edx, esi
		jbe	short loc_661560
		mov	esi, edx
		mov	[ebp+var_10], edi

loc_661560:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+149j
		xor	edx, edx

loc_661562:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+13Dj
		mov	ebx, [ebp+var_34]
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	ebx, [ebx+4]
		mov	[ebp+var_14], ebx
		jmp	short loc_661588
; 

loc_661572:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+89j
		mov	ecx, [ebp+var_8]
		add	edx, 8
		cmp	edx, ecx
		jb	short loc_661542

loc_66157C:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+ABj
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		mov	eax, ecx
		jmp	short loc_6615F3
; 

loc_661585:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+139j
		mov	ebx, [ebp+var_14]

loc_661588:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+160j
		inc	[ebp+var_14]
		mov	bl, [ebx]
		cmp	eax, [ebp+var_38]
		jnz	short loc_6615A4
		cmp	[ebp+var_18], 0
		jz	short loc_6615A4
		mov	eax, [ebp+var_18]
		or	bl, ds:byte_40AA48[eax]
		mov	eax, [ebp+var_4]

loc_6615A4:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+180j
					; RtlFindLongestRunClearCapped(x,x,x)+186j
		mov	ecx, [ebp+var_28]
		inc	ecx
		cmp	ecx, [ebp+var_C]
		mov	[ebp+var_28], ecx
		mov	ecx, [ebp+var_8]
		jb	loc_661497
		test	edx, edx
		jz	short loc_6615D5
		lea	eax, [edi+edx]
		cmp	eax, [ebp+var_1C]
		jnz	short loc_6615C6
		add	edx, [ebp+var_20]

loc_6615C6:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+1B1j
		cmp	edx, esi
		jbe	short loc_6615D9
		mov	esi, edx
		jmp	short loc_6615DC
; 

loc_6615CE:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+11Fj
		mov	ecx, [ebp+arg_0]
		mov	[ecx], esi
		jmp	short loc_6615F3
; 

loc_6615D5:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+1A9j
		test	esi, esi
		jz	short loc_6615EB

loc_6615D9:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+1B8j
		mov	edi, [ebp+var_10]

loc_6615DC:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+1BCj
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		cmp	esi, ecx
		jbe	short loc_6615E7
		mov	esi, ecx

loc_6615E7:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+1D3j
		mov	eax, esi
		jmp	short loc_6615F3
; 

loc_6615EB:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+81j
					; RtlFindLongestRunClearCapped(x,x,x)+1C7j
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		xor	eax, eax

loc_6615F3:				; CODE XREF: RtlFindLongestRunClearCapped(x,x,x)+173j
					; RtlFindLongestRunClearCapped(x,x,x)+1C3j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_RtlFindLongestRunClearCapped@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2090. RtlFindNextForwardRunClearCapped

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFindNextForwardRunClearCapped(x,	x, x, x)
		public _RtlFindNextForwardRunClearCapped@16
_RtlFindNextForwardRunClearCapped@16 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, [edx]
		cmp	ebx, esi
		ja	short loc_66161F
		mov	eax, [ebp+arg_C]
		xor	edx, edx
		mov	[eax], esi
		jmp	loc_6616EE
; 

loc_66161F:				; CODE XREF: RtlFindNextForwardRunClearCapped(x,x,x,x)+12j
		mov	ecx, [edx+4]
		lea	eax, [ebx-1]
		shr	eax, 5
		push	edi
		lea	eax, [ecx+eax*4]
		mov	[ebp+arg_4], eax
		mov	eax, esi
		shr	eax, 5
		lea	edi, [ecx+eax*4]
		mov	eax, [ebp+arg_4]
		cmp	edi, eax
		jz	short loc_66166E
		mov	ecx, esi
		and	ecx, 1Fh
		mov	[ebp+var_4], ecx
		mov	ecx, ds:dword_40BA68[ecx*4]
		or	ecx, [edi]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_66166E
		sub	esi, [ebp+var_4]
		add	esi, 20h
		add	edi, 4
		jmp	short loc_66166A
; 

loc_66165F:				; CODE XREF: RtlFindNextForwardRunClearCapped(x,x,x,x)+6Dj
		cmp	dword ptr [edi], 0FFFFFFFFh
		jnz	short loc_66166E
		add	edi, 4
		add	esi, 20h

loc_66166A:				; CODE XREF: RtlFindNextForwardRunClearCapped(x,x,x,x)+5Ej
		cmp	edi, eax
		jb	short loc_66165F

loc_66166E:				; CODE XREF: RtlFindNextForwardRunClearCapped(x,x,x,x)+3Dj
					; RtlFindNextForwardRunClearCapped(x,x,x,x)+53j ...
		cmp	esi, ebx
		jnb	short loc_66167F
		mov	ecx, [edx+4]

loc_661675:				; CODE XREF: RtlFindNextForwardRunClearCapped(x,x,x,x)+7Ej
		bt	[ecx], esi
		jnb	short loc_66167F
		inc	esi
		cmp	esi, ebx
		jb	short loc_661675

loc_66167F:				; CODE XREF: RtlFindNextForwardRunClearCapped(x,x,x,x)+71j
					; RtlFindNextForwardRunClearCapped(x,x,x,x)+79j
		mov	ebx, [ebp+arg_8]
		xor	edx, edx
		cmp	edi, eax
		jz	short loc_6616C4
		mov	ecx, [edi]
		mov	eax, esi
		and	eax, 1Fh
		mov	[ebp+arg_8], eax
		mov	eax, ds:dword_40BA68[eax*4]
		not	eax
		and	eax, ecx
		jnz	short loc_6616C4
		push	20h
		pop	edx
		sub	edx, [ebp+arg_8]
		cmp	edx, ebx
		jnb	short loc_6616E2
		mov	ecx, [ebp+arg_4]
		add	edi, 4
		jmp	short loc_6616C0
; 

loc_6616B1:				; CODE XREF: RtlFindNextForwardRunClearCapped(x,x,x,x)+C3j
		cmp	dword ptr [edi], 0
		jnz	short loc_6616C4
		add	edx, 20h
		add	edi, 4
		cmp	edx, ebx
		jnb	short loc_6616E2

loc_6616C0:				; CODE XREF: RtlFindNextForwardRunClearCapped(x,x,x,x)+B0j
		cmp	edi, ecx
		jb	short loc_6616B1

loc_6616C4:				; CODE XREF: RtlFindNextForwardRunClearCapped(x,x,x,x)+87j
					; RtlFindNextForwardRunClearCapped(x,x,x,x)+9Ej ...
		mov	ecx, [ebp+arg_0]
		lea	eax, [edx+esi]
		mov	edi, [ecx]
		cmp	eax, edi
		jnb	short loc_6616E2
		mov	ecx, [ecx+4]

loc_6616D3:				; CODE XREF: RtlFindNextForwardRunClearCapped(x,x,x,x)+E1j
		bt	[ecx], eax
		jb	short loc_6616E2
		cmp	edx, ebx
		jnb	short loc_6616E2
		inc	eax
		inc	edx
		cmp	eax, edi
		jb	short loc_6616D3

loc_6616E2:				; CODE XREF: RtlFindNextForwardRunClearCapped(x,x,x,x)+A8j
					; RtlFindNextForwardRunClearCapped(x,x,x,x)+BFj ...
		mov	eax, [ebp+arg_C]
		pop	edi
		mov	[eax], esi
		cmp	edx, ebx
		jbe	short loc_6616EE
		mov	edx, ebx

loc_6616EE:				; CODE XREF: RtlFindNextForwardRunClearCapped(x,x,x,x)+1Bj
					; RtlFindNextForwardRunClearCapped(x,x,x,x)+EBj
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	10h
_RtlFindNextForwardRunClearCapped@16 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2093. RtlFindSetBitsAndClear

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFindSetBitsAndClear(x, x, x)
		public _RtlFindSetBitsAndClear@12
_RtlFindSetBitsAndClear@12 proc	near

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax]
		cmp	[ebp+arg_8], edi
		mov	esi, [eax+4]
		sbb	ecx, ecx
		mov	[ebp+var_8], edi
		and	ecx, [ebp+arg_8]
		lea	ebx, [edi-1]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], esi
		test	edx, edx
		jnz	short loc_661731
		and	ecx, 0FFFFFFF8h
		jmp	loc_6619C8
; 

loc_661731:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+2Cj
					; RtlFindSetBitsAndClear(x,x,x)+14Cj
		and	[ebp+var_18], 0
		mov	eax, ebx
		sub	eax, ecx
		inc	eax
		cmp	eax, edx
		jnb	short loc_661746
		or	ecx, 0FFFFFFFFh
		jmp	loc_66182C
; 

loc_661746:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+41j
		mov	eax, ebx
		and	ecx, 1Fh
		sub	eax, edx
		xor	edx, edx
		inc	eax
		inc	edx
		mov	[ebp+var_14], eax
		shr	eax, 5
		shl	edx, cl
		dec	edx
		lea	eax, [esi+eax*4]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_C]
		shr	eax, 5
		lea	esi, [esi+eax*4]
		mov	edi, [esi]
		not	edi
		or	edi, edx
		mov	edx, [ebp+arg_4]
		cmp	edx, 3Fh
		jbe	loc_66184C
		test	byte ptr [ebp+var_14], 1Fh
		mov	ebx, [ebp+var_10]
		jz	short loc_661787
		add	ebx, 4

loc_661787:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+87j
		test	edi, edi
		jnz	short loc_66178F
		xor	eax, eax
		jmp	short loc_6617D0
; 

loc_66178F:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+8Ej
		add	esi, 4
		mov	eax, [esi]
		not	eax
		test	eax, eax
		jnz	short loc_6617A5
		and	[ebp+var_10], eax
		bsr	ecx, edi
		jmp	short loc_6617C4
; 

loc_6617A2:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+FDj
					; RtlFindSetBitsAndClear(x,x,x)+11Dj
		mov	edx, [ebp+arg_4]

loc_6617A5:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+9Dj
					; RtlFindSetBitsAndClear(x,x,x)+BBj
		cmp	esi, ebx
		ja	loc_6618D0
		add	esi, 4
		mov	eax, [esi]
		not	eax
		test	eax, eax
		jnz	short loc_6617A5
		mov	eax, [esi-4]
		and	[ebp+var_1C], 0
		not	eax
		bsr	ecx, eax

loc_6617C4:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+A5j
		jnz	short loc_6617CB
		push	20h
		pop	eax
		jmp	short loc_6617D0
; 

loc_6617CB:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x):loc_6617C4j
		push	1Fh
		pop	eax
		sub	eax, ecx

loc_6617D0:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+92j
					; RtlFindSetBitsAndClear(x,x,x)+CEj
		mov	ecx, esi
		sub	ecx, [ebp+var_4]
		sar	ecx, 2
		shl	ecx, 5
		sub	ecx, eax
		cmp	ecx, [ebp+var_14]
		ja	loc_6618D0
		sub	edx, eax
		mov	eax, edx
		shr	eax, 5
		lea	edi, [esi+eax*4]
		jmp	short loc_6617FA
; 

loc_6617F2:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+104j
		mov	eax, [esi]
		not	eax
		test	eax, eax
		jnz	short loc_6617A2

loc_6617FA:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+F5j
		add	esi, 4
		cmp	esi, edi
		jnz	short loc_6617F2
		and	edx, 1Fh
		jz	short loc_66181A
		mov	eax, [esi]
		and	[ebp+var_20], 0
		not	eax
		bsf	eax, eax
		jnz	short loc_661816
		push	20h
		pop	eax

loc_661816:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+116j
		cmp	eax, edx
		jb	short loc_6617A2

loc_66181A:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+109j
					; RtlFindSetBitsAndClear(x,x,x)+19Cj ...
		mov	esi, [ebp+var_4]

loc_66181D:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+287j
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_6619C2

loc_661826:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+26Fj
		mov	edx, [ebp+arg_4]

loc_661829:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+1DBj
					; RtlFindSetBitsAndClear(x,x,x)+290j
		mov	edi, [ebp+var_8]

loc_66182C:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+46j
		cmp	[ebp+var_C], 0
		jz	loc_6619C2
		mov	ebx, [ebp+arg_8]
		add	ebx, edx
		cmp	ebx, edi
		jbe	short loc_661841
		mov	ebx, edi

loc_661841:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+142j
		dec	ebx
		xor	ecx, ecx
		mov	[ebp+var_C], ecx
		jmp	loc_661731
; 

loc_66184C:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+7Aj
		cmp	edx, 20h
		jb	loc_6618DB
		mov	ebx, edx

loc_661857:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+1CCj
		test	edi, edi

loc_661859:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+1ACj
		jns	short loc_66186D
		mov	eax, [ebp+var_10]

loc_66185E:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+170j
		add	esi, 4
		cmp	esi, eax
		ja	short loc_6618CE
		mov	edi, [esi]
		not	edi
		test	edi, edi
		js	short loc_66185E

loc_66186D:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x):loc_661859j
		and	[ebp+var_24], 0
		bsr	eax, edi
		jnz	short loc_66187B
		push	20h
		pop	edx
		jmp	short loc_661880
; 

loc_66187B:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+179j
		push	1Fh
		pop	edx
		sub	edx, eax

loc_661880:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+17Ej
		mov	ecx, esi
		sub	ecx, [ebp+var_4]
		sar	ecx, 2
		inc	ecx
		shl	ecx, 5
		sub	ecx, edx
		cmp	ecx, [ebp+var_14]
		ja	short loc_6618CE
		mov	eax, ebx
		sub	eax, edx
		jz	short loc_66181A
		add	esi, 4
		mov	edi, [esi]
		not	edi
		cmp	eax, 20h
		jb	short loc_6618B9
		test	edi, edi
		jnz	short loc_661859
		sub	eax, 20h
		jz	loc_66181A
		add	esi, 4
		mov	edi, [esi]
		not	edi

loc_6618B9:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+1A8j
		and	[ebp+var_28], 0
		bsf	edx, edi
		jnz	short loc_6618C5
		push	20h
		pop	edx

loc_6618C5:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+1C5j
		cmp	edx, eax
		jb	short loc_661857
		jmp	loc_66181A
; 

loc_6618CE:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+168j
					; RtlFindSetBitsAndClear(x,x,x)+196j
		mov	edx, ebx

loc_6618D0:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+ACj
					; RtlFindSetBitsAndClear(x,x,x)+E5j ...
		mov	esi, [ebp+var_4]
		or	ecx, 0FFFFFFFFh
		jmp	loc_661829
; 

loc_6618DB:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+154j
		cmp	edx, 1
		jbe	loc_661990
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		shr	ebx, 5
		lea	eax, [eax+ebx*4]
		mov	[ebp+var_18], eax

loc_6618F2:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+267j
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_66190C
		mov	eax, [ebp+var_10]

loc_6618FA:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+20Dj
		add	esi, 4
		cmp	esi, eax
		ja	short loc_6618D0
		mov	edi, [esi]
		not	edi
		cmp	edi, 0FFFFFFFFh
		jz	short loc_6618FA
		xor	ecx, ecx

loc_66190C:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+1FAj
		and	[ebp+var_2C], 0
		bsf	eax, edi
		jnz	short loc_661918
		push	20h
		pop	eax

loc_661918:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+218j
		add	eax, ecx
		cmp	eax, edx
		jnb	short loc_66196F
		mov	ebx, [ebp+arg_4]
		mov	edx, edi
		not	edx

loc_661925:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+23Bj
		mov	ecx, ebx
		mov	eax, edx
		shr	ecx, 1
		shr	eax, cl
		and	edx, eax
		jz	short loc_661940
		sub	ebx, ecx
		cmp	ebx, 1
		ja	short loc_661925
		bsf	ecx, edx
		mov	edx, [ebp+arg_4]
		jmp	short loc_661971
; 

loc_661940:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+234j
		cmp	esi, [ebp+var_18]
		jz	short loc_661964
		and	[ebp+var_30], 0
		bsr	eax, edi
		jnz	short loc_661953
		push	20h
		pop	ecx
		jmp	short loc_661958
; 

loc_661953:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+251j
		push	1Fh
		pop	ecx
		sub	ecx, eax

loc_661958:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+256j
		mov	edx, [ebp+arg_4]
		add	esi, 4
		mov	edi, [esi]
		not	edi
		jmp	short loc_6618F2
; 

loc_661964:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+248j
		mov	esi, [ebp+var_4]
		or	ecx, 0FFFFFFFFh
		jmp	loc_661826
; 

loc_66196F:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+221j
		neg	ecx

loc_661971:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+243j
		sub	esi, [ebp+var_4]
		sar	esi, 2
		shl	esi, 5
		add	ecx, esi
		mov	esi, [ebp+var_4]

loc_66197F:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+2C5j
		cmp	ecx, [ebp+var_14]
		jbe	loc_66181D
		or	ecx, 0FFFFFFFFh
		jmp	loc_661829
; 

loc_661990:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+1E3j
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_6619AC
		mov	eax, [ebp+var_10]

loc_661998:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+2AFj
		add	esi, 4
		cmp	esi, eax
		ja	loc_6618D0
		mov	edi, [esi]
		not	edi
		cmp	edi, 0FFFFFFFFh
		jz	short loc_661998

loc_6619AC:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+298j
		not	edi
		mov	ecx, esi
		mov	esi, [ebp+var_4]
		sub	ecx, esi
		bsf	eax, edi
		sar	ecx, 2
		shl	ecx, 5
		add	ecx, eax
		jmp	short loc_66197F
; 

loc_6619C2:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+125j
					; RtlFindSetBitsAndClear(x,x,x)+135j
		mov	edx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]

loc_6619C8:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+31j
		mov	[ebp+var_C], ecx
		pop	edi
		pop	esi
		pop	ebx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_6619DE
		push	edx
		push	ecx
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	ecx, [ebp+var_C]

loc_6619DE:				; CODE XREF: RtlFindSetBitsAndClear(x,x,x)+2D6j
		mov	eax, ecx
		leave
		retn	0Ch
_RtlFindSetBitsAndClear@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2185. RtlInterlockedSetBitRun

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInterlockedSetBitRun(x, x, x)
		public _RtlInterlockedSetBitRun@12
_RtlInterlockedSetBitRun@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	ecx, ebx
		push	esi
		mov	eax, [eax+4]
		and	ebx, 1Fh
		mov	esi, [ebp+arg_8]
		shr	ecx, 5
		push	edi
		lea	edi, [eax+ecx*4]
		lea	eax, [ebx+esi]
		cmp	eax, 20h
		ja	short loc_661A2B
		cmp	esi, 20h
		jnz	short loc_661A1D
		mov	dword ptr [edi], 0FFFFFFFFh
		jmp	short loc_661A72
; 

loc_661A1D:				; CODE XREF: RtlInterlockedSetBitRun(x,x,x)+2Aj
		xor	eax, eax
		mov	ecx, esi
		inc	eax
		shl	eax, cl
		mov	ecx, ebx
		dec	eax
		shl	eax, cl
		jmp	short loc_661A6F
; 

loc_661A2B:				; CODE XREF: RtlInterlockedSetBitRun(x,x,x)+25j
		xor	eax, eax
		inc	eax
		test	ebx, ebx
		jz	short loc_661A4B
		push	20h
		pop	edx
		sub	edx, ebx
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, ebx
		dec	eax
		shl	eax, cl
		lock or	[edi], eax
		xor	eax, eax
		sub	esi, edx
		add	edi, 4
		inc	eax

loc_661A4B:				; CODE XREF: RtlInterlockedSetBitRun(x,x,x)+47j
		cmp	esi, 20h
		jb	short loc_661A66
		mov	ecx, esi
		shr	ecx, 5

loc_661A55:				; CODE XREF: RtlInterlockedSetBitRun(x,x,x)+7Bj
		mov	dword ptr [edi], 0FFFFFFFFh
		sub	esi, 20h
		add	edi, 4
		sub	ecx, 1
		jnz	short loc_661A55

loc_661A66:				; CODE XREF: RtlInterlockedSetBitRun(x,x,x)+65j
		test	esi, esi
		jz	short loc_661A72
		mov	ecx, esi
		shl	eax, cl
		dec	eax

loc_661A6F:				; CODE XREF: RtlInterlockedSetBitRun(x,x,x)+40j
		lock or	[edi], eax

loc_661A72:				; CODE XREF: RtlInterlockedSetBitRun(x,x,x)+32j
					; RtlInterlockedSetBitRun(x,x,x)+7Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_RtlInterlockedSetBitRun@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2266. RtlNumberOfClearBitsInRange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlNumberOfClearBitsInRange(x, x, x)
		public _RtlNumberOfClearBitsInRange@12
_RtlNumberOfClearBitsInRange@12	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_8]
		push	esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_RtlNumberOfSetBitsInRange@12 ;	RtlNumberOfSetBitsInRange(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_661A9C
		or	eax, eax
		jmp	short loc_661AA0
; 

loc_661A9C:				; CODE XREF: RtlNumberOfClearBitsInRange(x,x,x)+18j
		sub	esi, eax
		mov	eax, esi

loc_661AA0:				; CODE XREF: RtlNumberOfClearBitsInRange(x,x,x)+1Cj
		pop	esi
		pop	ebp
		retn	0Ch
_RtlNumberOfClearBitsInRange@12	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2268. RtlNumberOfSetBitsInRange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlNumberOfSetBitsInRange(x, x, x)
		public _RtlNumberOfSetBitsInRange@12
_RtlNumberOfSetBitsInRange@12 proc near	; CODE XREF: RtlNumberOfClearBitsInRange(x,x,x)+10p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	ecx, [esi]
		cmp	eax, ecx
		jnb	loc_661C85
		mov	edx, [ebp+arg_8]
		sub	ecx, eax
		cmp	ecx, edx
		jb	loc_661C85
		test	edx, edx
		jz	loc_661C85
		mov	esi, [esi+4]
		lea	ecx, [edx-1]
		add	ecx, eax
		mov	ebx, eax
		and	ebx, 7
		mov	[ebp+arg_4], ecx
		and	[ebp+arg_4], 7
		mov	edi, eax
		shr	edi, 3
		shr	ecx, 3
		add	esi, edi
		mov	[ebp+arg_8], ebx
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		mov	[ebp+arg_0], ebx
		cmp	edi, ecx
		jnz	short loc_661B33
		mov	cl, [esi]
		mov	edx, [ebp+arg_8]
		mov	esi, [ebp+arg_4]
		movzx	edx, ds:byte_40AA48[edx]
		movzx	eax, ds:byte_40BA59[esi]
		and	edx, eax
		movzx	eax, cl
		and	edx, eax
		not	edx
		movzx	eax, dl
		movzx	eax, ds:_RtlpBitsClearTotal[eax]
		jmp	loc_661C88
; 

loc_661B33:				; CODE XREF: RtlNumberOfSetBitsInRange(x,x,x)+59j
		or	eax, edx
		test	al, 1Fh
		jnz	short loc_661B90
		test	edx, edx
		jz	short loc_661B89
		lea	edi, [edx-1]
		shr	edi, 5
		inc	edi

loc_661B44:				; CODE XREF: RtlNumberOfSetBitsInRange(x,x,x)+DDj
		mov	ecx, [esi]
		lea	esi, [esi+4]
		not	ecx
		movzx	eax, cl
		shr	ecx, 8
		mov	bl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, cl
		shr	ecx, 8
		add	bl, ds:_RtlpBitsClearTotal[eax]
		mov	eax, ecx
		shr	eax, 8
		movzx	ecx, cl
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		add	dl, ds:_RtlpBitsClearTotal[ecx]
		add	dl, bl
		mov	ebx, [ebp+arg_0]
		movzx	ecx, dl
		add	ebx, ecx
		mov	[ebp+arg_0], ebx
		sub	edi, 1
		jnz	short loc_661B44

loc_661B89:				; CODE XREF: RtlNumberOfSetBitsInRange(x,x,x)+91j
		mov	eax, ebx
		jmp	loc_661C88
; 

loc_661B90:				; CODE XREF: RtlNumberOfSetBitsInRange(x,x,x)+8Dj
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jz	short loc_661BB9
		mov	al, [esi]
		inc	esi
		movzx	ecx, ds:byte_40AA48[edx]
		movzx	eax, al
		and	ecx, eax
		inc	edi
		not	ecx
		movzx	eax, cl
		mov	ecx, [ebp+var_4]
		movzx	ebx, ds:_RtlpBitsClearTotal[eax]
		mov	[ebp+arg_0], ebx

loc_661BB9:				; CODE XREF: RtlNumberOfSetBitsInRange(x,x,x)+EBj
		mov	eax, edi
		push	4
		and	eax, 3
		pop	edx
		sub	edx, eax
		cmp	edx, 4
		jz	short loc_661BED
		test	edx, edx
		jz	short loc_661BED

loc_661BCC:				; CODE XREF: RtlNumberOfSetBitsInRange(x,x,x)+13Ej
		cmp	edi, ecx
		jnb	short loc_661BEA
		mov	al, [esi]
		inc	esi
		movzx	eax, al
		not	eax
		movzx	eax, al
		movzx	eax, ds:_RtlpBitsClearTotal[eax]
		add	ebx, eax
		inc	edi
		sub	edx, 1
		jnz	short loc_661BCC

loc_661BEA:				; CODE XREF: RtlNumberOfSetBitsInRange(x,x,x)+124j
		mov	[ebp+arg_0], ebx

loc_661BED:				; CODE XREF: RtlNumberOfSetBitsInRange(x,x,x)+11Cj
					; RtlNumberOfSetBitsInRange(x,x,x)+120j
		lea	eax, [edi+4]
		jmp	short loc_661C3E
; 

loc_661BF2:				; CODE XREF: RtlNumberOfSetBitsInRange(x,x,x)+199j
		mov	ebx, [esi]
		add	edi, 4
		not	ebx
		add	esi, 4
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	ebx, [ebp+arg_0]
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	eax, cl
		mov	ecx, [ebp+var_4]
		add	ebx, eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+arg_0], ebx
		add	eax, 4

loc_661C3E:				; CODE XREF: RtlNumberOfSetBitsInRange(x,x,x)+146j
		mov	[ebp+arg_8], eax
		cmp	eax, ecx
		jbe	short loc_661BF2
		cmp	edi, ecx
		jnb	short loc_661C64
		sub	ecx, edi

loc_661C4B:				; CODE XREF: RtlNumberOfSetBitsInRange(x,x,x)+1B8j
		mov	al, [esi]
		inc	esi
		movzx	eax, al
		not	eax
		movzx	eax, al
		movzx	eax, ds:_RtlpBitsClearTotal[eax]
		add	ebx, eax
		sub	ecx, 1
		jnz	short loc_661C4B

loc_661C64:				; CODE XREF: RtlNumberOfSetBitsInRange(x,x,x)+19Dj
		mov	al, [esi]
		mov	esi, [ebp+arg_4]
		movzx	eax, al
		movzx	ecx, ds:byte_40BA59[esi]
		and	ecx, eax
		not	ecx
		movzx	eax, cl
		movzx	eax, ds:_RtlpBitsClearTotal[eax]
		add	eax, ebx
		jmp	short loc_661C88
; 

loc_661C85:				; CODE XREF: RtlNumberOfSetBitsInRange(x,x,x)+13j
					; RtlNumberOfSetBitsInRange(x,x,x)+20j	...
		or	eax, 0FFFFFFFFh

loc_661C88:				; CODE XREF: RtlNumberOfSetBitsInRange(x,x,x)+84j
					; RtlNumberOfSetBitsInRange(x,x,x)+E1j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_RtlNumberOfSetBitsInRange@12 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2343. RtlShiftLeftBitMap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlShiftLeftBitMap(x, x)
		public _RtlShiftLeftBitMap@8
_RtlShiftLeftBitMap@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_661CCB
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [edi]
		cmp	esi, eax
		jb	short loc_661CB3
		push	edi
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		jmp	short loc_661CCA
; 

loc_661CB3:				; CODE XREF: RtlShiftLeftBitMap(x,x)+15j
		sub	eax, esi
		push	eax
		push	esi
		push	edi
		push	edi
		call	_RtlExtractBitMap@16 ; RtlExtractBitMap(x,x,x,x)
		mov	eax, [edi]
		push	esi
		sub	eax, esi
		push	eax
		push	edi
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)

loc_661CCA:				; CODE XREF: RtlShiftLeftBitMap(x,x)+1Dj
		pop	edi

loc_661CCB:				; CODE XREF: RtlShiftLeftBitMap(x,x)+Bj
		pop	esi
		pop	ebp
		retn	8
_RtlShiftLeftBitMap@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1964. RtlAssert

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAssert(x, x, x, x)
		public _RtlAssert@16
_RtlAssert@16	proc near		; CODE XREF: KsepStringDuplicate+6C188p
					; KsepStringTransform+6B7E0p ...

var_2DC		= dword	ptr -2DCh
var_2D8		= byte ptr -2D8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2DCh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		lea	eax, [ebp+var_2D8]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	edi, [ebp+arg_0]
		push	eax
		call	_RtlCaptureContext@4 ; RtlCaptureContext(x)

loc_661D02:				; CODE XREF: RtlAssert(x,x,x,x)+A1j
					; RtlAssert(x,x,x,x)+AFj ...
		mov	eax, esi
		test	esi, esi
		jnz	short loc_661D0D
		mov	eax, offset ??_C@_00CNPNBAHC@@FNODOBFM@

loc_661D0D:				; CODE XREF: RtlAssert(x,x,x,x)+31j
		push	[ebp+arg_8]
		push	ebx
		push	edi
		push	eax		; char
		push	offset ??_C@_0DO@CDJIIIPD@?6?$CK?$CK?$CK?5Assertion?5failed?3?5?$CFs?$CFs?6?$CK?$CK?$CK@FNODOBFM@ ; "\n*** Assertion failed: %s%s\n***	 Sourc"...
		push	0		; int
		push	65h		; int
		call	_DbgPrintEx
		mov	eax, 0FFDF02D4h
		add	esp, 1Ch
		mov	al, [eax]
		and	al, 3
		cmp	al, 3
		jnz	loc_661DC0
		push	2
		lea	eax, [ebp+var_2DC]
		push	eax
		push	offset ??_C@_0FH@DEPJAKLD@Break?5repeatedly?0?5break?5Once?0?5I@FNODOBFM@ ; "Break repeatedly, break Once, Ignore, t"...
		call	_DbgPrompt@12	; DbgPrompt(x,x,x)
		test	eax, eax
		jz	short loc_661DBA
		movsx	eax, byte ptr [ebp+var_2DC]
		cmp	eax, 62h
		jg	short loc_661D64
		jz	short loc_661D89
		sub	eax, 42h
		jz	short loc_661D89
		sub	eax, 7
		jmp	short loc_661D67
; 

loc_661D64:				; CODE XREF: RtlAssert(x,x,x,x)+81j
		sub	eax, 69h

loc_661D67:				; CODE XREF: RtlAssert(x,x,x,x)+8Dj
		jz	short loc_661DC0
		sub	eax, 6
		jz	short loc_661D89
		sub	eax, 1
		jz	short loc_661DBB
		sub	eax, 4
		jnz	short loc_661D02
		push	0C0000001h
		push	0FFFFFFFEh
		call	_ZwTerminateThread@8 ; ZwTerminateThread(x,x)
		jmp	loc_661D02
; 

loc_661D89:				; CODE XREF: RtlAssert(x,x,x,x)+83j
					; RtlAssert(x,x,x,x)+88j ...
		lea	eax, [ebp+var_2D8]
		push	eax		; char
		push	offset ??_C@_0CD@KCPGJLCO@Execute?5?8?4cxr?5?$CFp?8?5to?5dump?5conte@FNODOBFM@ ; char *
		push	0		; int
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 10h
		int	3		; Trap to Debugger
		cmp	byte ptr [ebp+var_2DC],	6Fh
		jz	short loc_661DC0
		cmp	byte ptr [ebp+var_2DC],	4Fh
		jnz	loc_661D02
		jmp	short loc_661DC0
; 

loc_661DBA:				; CODE XREF: RtlAssert(x,x,x,x)+75j
		int	3		; Trap to Debugger

loc_661DBB:				; CODE XREF: RtlAssert(x,x,x,x)+9Cj
		call	_RtlpTerminateCurrentProcess@4 ; RtlpTerminateCurrentProcess(x)

loc_661DC0:				; CODE XREF: RtlAssert(x,x,x,x)+5Aj
					; RtlAssert(x,x,x,x):loc_661D67j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_RtlAssert@16	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2336. RtlSetPortableOperatingSystem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSetPortableOperatingSystem(x)
		public _RtlSetPortableOperatingSystem@4
_RtlSetPortableOperatingSystem@4 proc near

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		cmp	[ebp+arg_0], al
		push	4
		setnz	al
		mov	dword ptr [ebp+arg_0], eax
		lea	eax, [ebp+arg_0]
		push	eax
		push	4
		push	offset ??_C@_1DA@IFMDNCPF@?$AAP?$AAo?$AAr?$AAt?$AAa?$AAb?$AAl?$AAe?$AAO?$AAp?$AAe?$AAr?$AAa?$AAt?$AAi@FNODOBFM@	; "PortableOperatingSystem"
		push	0
		push	2
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		pop	ebp
		retn	4
_RtlSetPortableOperatingSystem@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2081. RtlFindClosestEncodableLength

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFindClosestEncodableLength(x, x,	x)
		public _RtlFindClosestEncodableLength@12
_RtlFindClosestEncodableLength@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		mov	edx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		cmp	ecx, eax
		ja	short loc_661E1E
		cmp	edx, 0FFFFFFFFh
		jbe	short loc_661E3C

loc_661E1E:				; CODE XREF: RtlFindClosestEncodableLength(x,x,x)+12j
		mov	esi, [ebp+arg_8]
		cmp	ecx, 0FFh
		ja	short loc_661E63
		mov	ebx, 0FFFFFF00h
		jb	short loc_661E34
		cmp	edx, ebx
		ja	short loc_661E63

loc_661E34:				; CODE XREF: RtlFindClosestEncodableLength(x,x,x)+29j
		mov	edi, edx
		and	edi, ebx
		cmp	edx, edi
		jnz	short loc_661E46

loc_661E3C:				; CODE XREF: RtlFindClosestEncodableLength(x,x,x)+17j
		mov	eax, [ebp+arg_8]
		mov	[eax], edx
		mov	[eax+4], ecx
		jmp	short loc_661E83
; 

loc_661E46:				; CODE XREF: RtlFindClosestEncodableLength(x,x,x)+35j
		mov	edx, edi
		add	edx, 100h
		mov	[esi], edx
		adc	ecx, eax
		mov	[esi+4], ecx
		cmp	ecx, 0FFh
		jb	short loc_661E83
		ja	short loc_661E63
		cmp	edx, ebx
		jbe	short loc_661E83

loc_661E63:				; CODE XREF: RtlFindClosestEncodableLength(x,x,x)+22j
					; RtlFindClosestEncodableLength(x,x,x)+2Dj ...
		cmp	ecx, 0FFFFh
		ja	short loc_661EA4
		mov	ebx, 0FFFF0000h
		jb	short loc_661E76
		cmp	edx, ebx
		ja	short loc_661EA4

loc_661E76:				; CODE XREF: RtlFindClosestEncodableLength(x,x,x)+6Bj
		mov	edi, edx
		and	edi, ebx
		cmp	edx, edi
		jnz	short loc_661E87

loc_661E7E:				; CODE XREF: RtlFindClosestEncodableLength(x,x,x)+ACj
		mov	[esi], edx

loc_661E80:				; CODE XREF: RtlFindClosestEncodableLength(x,x,x)+B5j
		mov	[esi+4], ecx

loc_661E83:				; CODE XREF: RtlFindClosestEncodableLength(x,x,x)+3Fj
					; RtlFindClosestEncodableLength(x,x,x)+56j ...
		xor	eax, eax
		jmp	short loc_661EC6
; 

loc_661E87:				; CODE XREF: RtlFindClosestEncodableLength(x,x,x)+77j
		mov	edx, edi
		add	edx, 10000h
		mov	[esi], edx
		adc	ecx, eax
		mov	[esi+4], ecx
		cmp	ecx, 0FFFFh
		ja	short loc_661EA4
		jb	short loc_661E83
		cmp	edx, ebx
		jbe	short loc_661E83

loc_661EA4:				; CODE XREF: RtlFindClosestEncodableLength(x,x,x)+64j
					; RtlFindClosestEncodableLength(x,x,x)+6Fj ...
		cmp	ecx, 0FFFFFFFFh
		ja	short loc_661EBC
		jb	short loc_661EAF
		cmp	edx, eax
		ja	short loc_661EBC

loc_661EAF:				; CODE XREF: RtlFindClosestEncodableLength(x,x,x)+A4j
		cmp	edx, eax
		jz	short loc_661E7E
		add	eax, eax
		mov	[esi], eax
		adc	ecx, 1
		jmp	short loc_661E80
; 

loc_661EBC:				; CODE XREF: RtlFindClosestEncodableLength(x,x,x)+A2j
					; RtlFindClosestEncodableLength(x,x,x)+A8j
		mov	[esi], eax
		mov	[esi+4], eax
		mov	eax, 0C0000001h

loc_661EC6:				; CODE XREF: RtlFindClosestEncodableLength(x,x,x)+80j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_RtlFindClosestEncodableLength@12 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2049. RtlEndWeakEnumerationHashTable

;  S U B	R O U T	I N E 


; __stdcall RtlEndWeakEnumerationHashTable(x, x)
		public _RtlEndWeakEnumerationHashTable@8
_RtlEndWeakEnumerationHashTable@8 proc near
		jmp	_RtlEndEnumerationHashTable@8 ;	RtlEndEnumerationHashTable(x,x)
_RtlEndWeakEnumerationHashTable@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2160. RtlInitStrongEnumerationHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitStrongEnumerationHashTable(x, x)
		public _RtlInitStrongEnumerationHashTable@8
_RtlInitStrongEnumerationHashTable@8 proc near

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_C]
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		xor	edi, edi
		push	edi
		call	_RtlpPopulateContext@12	; RtlpPopulateContext(x,x,x)
		mov	[esi+4], edi
		mov	[esi+8], edi
		mov	[esi+10h], edi
		mov	eax, [ebp+var_C]
		mov	[esi+0Ch], eax
		mov	[esi], eax
		mov	al, 1
		pop	edi
		pop	esi
		leave
		retn	8
_RtlInitStrongEnumerationHashTable@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2165. RtlInitWeakEnumerationHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitWeakEnumerationHashTable(x, x)
		public _RtlInitWeakEnumerationHashTable@8
_RtlInitWeakEnumerationHashTable@8 proc	near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_RtlInitEnumerationHashTable@8 ; RtlInitEnumerationHashTable(x,x)
_RtlInitWeakEnumerationHashTable@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2349. RtlStronglyEnumerateEntryHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStronglyEnumerateEntryHashTable(x, x)
		public _RtlStronglyEnumerateEntryHashTable@8
_RtlStronglyEnumerateEntryHashTable@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, [edi+10h]
		jmp	short loc_661F6E
; 

loc_661F40:				; CODE XREF: RtlStronglyEnumerateEntryHashTable(x,x)+44j
		cmp	esi, [edi+10h]
		jnz	short loc_661F4C
		mov	ecx, [edi]
		mov	edx, [edi+0Ch]
		jmp	short loc_661F59
; 

loc_661F4C:				; CODE XREF: RtlStronglyEnumerateEntryHashTable(x,x)+16j
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpGetChainHead@8 ; RtlpGetChainHead(x,x)
		mov	edx, eax
		mov	ecx, edx

loc_661F59:				; CODE XREF: RtlStronglyEnumerateEntryHashTable(x,x)+1Dj
		mov	ecx, [ecx]
		cmp	ecx, edx
		jz	short loc_661F6D

loc_661F5F:				; CODE XREF: RtlStronglyEnumerateEntryHashTable(x,x)+3Ej
		cmp	dword ptr [ecx+8], 0
		jnz	short loc_661F7C
		mov	eax, [ecx]
		mov	ecx, eax
		cmp	eax, edx
		jnz	short loc_661F5F

loc_661F6D:				; CODE XREF: RtlStronglyEnumerateEntryHashTable(x,x)+30j
		inc	esi

loc_661F6E:				; CODE XREF: RtlStronglyEnumerateEntryHashTable(x,x)+11j
		cmp	esi, [ebx+8]
		jb	short loc_661F40
		xor	eax, eax

loc_661F75:				; CODE XREF: RtlStronglyEnumerateEntryHashTable(x,x)+59j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_661F7C:				; CODE XREF: RtlStronglyEnumerateEntryHashTable(x,x)+36j
		mov	[edi+10h], esi
		mov	eax, ecx
		mov	[edi+0Ch], edx
		mov	[edi], ecx
		jmp	short loc_661F75
_RtlStronglyEnumerateEntryHashTable@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2409. RtlWeaklyEnumerateEntryHashTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlWeaklyEnumerateEntryHashTable(x,	x)
		public _RtlWeaklyEnumerateEntryHashTable@8
_RtlWeaklyEnumerateEntryHashTable@8 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	RtlEnumerateEntryHashTable
_RtlWeaklyEnumerateEntryHashTable@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2006. RtlCrc32

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCrc32(x,	x, x)
		public _RtlCrc32@12
_RtlCrc32@12	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	offset _Crc32Ctrl
		push	0
		push	[ebp+arg_8]
		call	RtlpComputeCrcInternal
		pop	ebp
		retn	0Ch
_RtlCrc32@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall RtlpAllocateHeap(x, x, x, x, x, x)
@RtlpAllocateHeap@24 proc near		; CODE XREF: RtlpAllocateHeapInternal+DB779p

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		push	74h
		push	offset dword_6A9238
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	edi, ecx
		mov	[ebp+var_58], edi
		xor	ebx, ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_50], ebx
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_6C], ebx
		mov	al, bl
		mov	[ebp+var_19], al
		mov	[ebp+var_1A], al
		mov	eax, ebx
		mov	[ebp+var_34], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_40], ebx
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_78], ebx
		test	edx, 3C010F60h
		jnz	short loc_66203D
		cmp	[ebp+arg_0], 80000000h
		jnb	short loc_66203D
		mov	byte ptr [ebp+var_24], cl
		mov	ebx, [ebp+arg_4]
		mov	esi, ebx
		shr	esi, 3
		mov	[ebp+var_2C], esi
		cmp	esi, 2
		jnb	short loc_662032
		add	ebx, 8
		mov	[ebp+arg_4], ebx
		push	2
		pop	esi
		mov	[ebp+var_2C], esi

loc_662032:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+69j
		mov	eax, [ebp+arg_C]
		mov	dword ptr [eax], 3
		jmp	short loc_6620AF
; 

loc_66203D:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+4Dj
					; RtlpAllocateHeap(x,x,x,x,x,x)+56j
		mov	[ebp+var_30], ebx
		mov	eax, [ebp+arg_C]
		mov	dword ptr [eax], 4
		mov	eax, [ebp+arg_0]
		cmp	eax, 7FFFFFFFh
		jbe	short loc_66205A
		xor	eax, eax
		jmp	loc_6621E8
; 

loc_66205A:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+96j
		test	eax, eax
		jnz	short loc_662060
		mov	eax, ecx

loc_662060:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+A1j
		mov	ebx, [edi+94h]
		add	ebx, eax
		and	ebx, [edi+98h]
		cmp	ebx, 10h
		jnb	short loc_662076
		push	10h
		pop	ebx

loc_662076:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+B6j
		mov	[ebp+arg_4], ebx
		shr	edx, 4
		and	dl, 0E1h
		or	dl, cl
		mov	[ebp+var_24], edx
		test	[ebp+var_20], 3C000100h
		jnz	short loc_662098
		mov	esi, ebx
		cmp	dword ptr [edi+0BCh], 0
		jz	short loc_6620A6

loc_662098:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+D0j
		or	edx, 2
		mov	[ebp+var_24], edx
		lea	esi, [ebx+8]
		mov	ebx, esi
		mov	[ebp+arg_4], ebx

loc_6620A6:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+DBj
		shr	esi, 3
		mov	[ebp+var_2C], esi
		mov	edx, [ebp+var_20]

loc_6620AF:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+80j
		test	edx, 800000h
		jz	short loc_6620CD
		call	_RtlGetNtGlobalFlags@0 ; RtlGetNtGlobalFlags()
		xor	ecx, ecx
		mov	edx, [ebp+var_20]
		test	eax, 800h
		jnz	short loc_6620CC
		or	byte ptr [ebp+var_24], 8

loc_6620CC:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+10Bj
		inc	ecx

loc_6620CD:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+FAj
		and	[ebp+ms_exc.disabled], 0
		test	dl, cl
		jnz	short loc_6620ED
		push	ecx
		push	dword ptr [edi+0C8h]
		call	ExAcquireResourceExclusiveLite
		and	[ebp+var_5C], 0
		mov	al, 1
		mov	[ebp+var_19], al
		mov	[ebp+var_1A], al

loc_6620ED:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+118j
		cmp	esi, [edi+5Ch]
		ja	loc_662505
		lea	esi, [edi+0C0h]
		mov	[ebp+var_80], esi
		mov	edx, [ebp+var_2C]
		mov	ecx, edi
		call	_RtlpFindEntry@8 ; RtlpFindEntry(x,x)
		mov	[ebp+var_84], eax
		cmp	esi, eax
		jz	loc_662210
		lea	esi, [eax-8]
		mov	[ebp+var_60], esi
		cmp	dword ptr [edi+4Ch], 0
		jz	short loc_66213F
		mov	eax, [edi+50h]
		xor	[esi], eax
		mov	al, [esi+2]
		xor	al, [esi+1]
		xor	al, [esi]
		cmp	[esi+3], al
		jz	short loc_66213F
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	_RtlpAnalyzeHeapFailure@12 ; RtlpAnalyzeHeapFailure(x,x,x)

loc_66213F:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+166j
					; RtlpAllocateHeap(x,x,x,x,x,x)+178j
		movzx	edx, word ptr [esi]
		cmp	edx, [ebp+var_2C]
		jb	loc_6621FA
		mov	ecx, [esi+8]
		mov	[ebp+var_4C], ecx
		mov	eax, [esi+0Ch]
		mov	[ebp+var_48], eax
		mov	eax, [eax]
		mov	ecx, [ecx+4]
		cmp	eax, ecx
		jnz	short loc_6621BE
		lea	edi, [esi+8]
		cmp	eax, edi
		mov	edi, [ebp+var_58]
		jnz	short loc_6621BE
		sub	[edi+74h], edx
		mov	edx, [edi+0B4h]
		test	edx, edx
		jz	short loc_6621A6
		and	[ebp+var_44], 0
		movzx	ecx, word ptr [esi]

loc_66217E:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+201j
		mov	eax, [edx+4]
		mov	[ebp+arg_C], eax
		cmp	ecx, eax
		jb	short loc_662192
		mov	eax, [edx]
		test	eax, eax
		jnz	short loc_6621BA
		mov	ecx, [ebp+arg_C]
		dec	ecx

loc_662192:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+1CBj
		mov	[ebp+var_44], ecx
		movzx	eax, word ptr [esi]
		push	eax
		push	ecx
		lea	eax, [esi+8]
		push	eax
		push	ecx
		mov	ecx, edi
		call	_RtlpHeapRemoveListEntry@24 ; RtlpHeapRemoveListEntry(x,x,x,x,x,x)

loc_6621A6:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+1BAj
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_48]
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	byte ptr [ebp+arg_C+3],	1
		jmp	loc_6622A1
; 

loc_6621BA:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+1D1j
		mov	edx, eax
		jmp	short loc_66217E
; 

loc_6621BE:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+1A3j
					; RtlpAllocateHeap(x,x,x,x,x,x)+1ADj
		push	0
		push	eax
		push	ecx
		lea	eax, [esi+8]
		push	eax
		mov	edx, edi
		push	0Dh
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	byte ptr [ebp+arg_C+3],	0

loc_6621D4:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+365j
					; RtlpAllocateHeap(x,x,x,x,x,x)+41Dj ...
		mov	ebx, [ebp+var_34]

loc_6621D7:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+481j
					; RtlpAllocateHeap(x,x,x,x,x,x)+496j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, [ebp+var_19]
		call	sub_662618
		mov	eax, ebx

loc_6621E8:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+9Aj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_6621FA:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+18Aj
		cmp	dword ptr [edi+4Ch], 0
		jz	short loc_662210
		mov	al, [esi+2]
		xor	al, [esi+1]
		xor	al, [esi]
		mov	[esi+3], al
		mov	eax, [edi+50h]
		xor	[esi], eax

loc_662210:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+156j
					; RtlpAllocateHeap(x,x,x,x,x,x)+243j
		mov	edx, ebx
		mov	ecx, edi
		call	_RtlpExtendHeap@8 ; RtlpExtendHeap(x,x)
		mov	esi, eax
		mov	[ebp+var_60], esi
		test	esi, esi
		jz	loc_6624F9
		lea	edx, [esi+8]
		mov	ecx, [edx]
		mov	[ebp+var_44], ecx
		mov	eax, [esi+0Ch]
		mov	[ebp+var_64], eax
		mov	eax, [eax]
		mov	ecx, [ecx+4]
		cmp	eax, ecx
		jnz	loc_6624E1
		cmp	eax, edx
		jnz	loc_6624E1
		movzx	eax, word ptr [esi]
		sub	[edi+74h], eax
		mov	eax, [edi+0B4h]
		mov	[ebp+arg_C], eax
		test	eax, eax
		jz	short loc_662292
		and	[ebp+var_48], 0
		movzx	ecx, word ptr [esi]

loc_662263:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+36Dj
		mov	edx, [eax+4]
		mov	[ebp+var_4C], edx
		cmp	ecx, edx
		lea	edx, [esi+8]
		jb	short loc_66227E
		mov	eax, [eax]
		test	eax, eax
		jnz	loc_662325
		mov	ecx, [ebp+var_4C]
		dec	ecx

loc_66227E:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+2B3j
		mov	[ebp+var_48], ecx
		movzx	eax, word ptr [esi]
		push	eax
		push	ecx
		push	edx
		push	ecx
		mov	edx, [ebp+arg_C]
		mov	ecx, edi
		call	_RtlpHeapRemoveListEntry@24 ; RtlpHeapRemoveListEntry(x,x,x,x,x,x)

loc_662292:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+29Fj
		mov	eax, [ebp+var_44]
		mov	ecx, [ebp+var_64]
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	[ebp+var_1B], 1

loc_6622A1:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+1FAj
		mov	cl, [esi+2]
		mov	byte ptr [ebp+var_4C], cl
		cmp	[ebp+var_30], 0
		jnz	short loc_662305
		test	cl, 4
		jz	short loc_662305
		and	[ebp+var_38], 0
		movzx	eax, word ptr [esi]
		lea	eax, ds:0FFFFFFF0h[eax*8]
		mov	[ebp+var_38], eax
		test	cl, 2
		jz	short loc_6622D3
		cmp	eax, 4
		jbe	short loc_6622D3
		sub	eax, 4
		mov	[ebp+var_38], eax

loc_6622D3:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+30Bj
					; RtlpAllocateHeap(x,x,x,x,x,x)+310j
		push	0FEEEFEEEh
		push	eax
		lea	eax, [esi+10h]
		push	eax
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, [ebp+var_38]
		jz	short loc_662305
		add	eax, 10h
		add	eax, esi
		push	eax
		push	esi
		push	(offset	loc_5A56D8+4)
		call	_DbgPrint
		add	esp, 0Ch
		cmp	ds:_KdDebuggerEnabled, 0
		jz	short loc_662305
		int	3		; Trap to Debugger

loc_662305:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+2F0j
					; RtlpAllocateHeap(x,x,x,x,x,x)+2F5j ...
		mov	[ebp+var_68], esi
		xor	ecx, ecx
		inc	ecx
		test	[esi+2], cl
		jz	short loc_66232D
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	esi
		mov	edx, edi
		push	3
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	loc_6621D4
; 

loc_662325:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+2B9j
		mov	[ebp+arg_C], eax
		jmp	loc_662263
; 

loc_66232D:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+353j
		mov	eax, [ebp+var_24]
		mov	[esi+2], al
		movzx	edx, word ptr [esi]
		mov	eax, [ebp+var_2C]
		sub	edx, eax
		mov	[ebp+var_2C], edx
		mov	[ebp+var_6C], edx
		movzx	edx, ax
		mov	[ebp+var_70], edx
		mov	[esi], dx
		sub	ebx, [ebp+arg_0]
		mov	[ebp+var_24], ebx
		mov	edx, eax
		shl	edx, 3
		mov	[ebp+var_24], edx
		cmp	ebx, 3Fh
		jnb	short loc_662362
		mov	[esi+7], bl
		jmp	short loc_66236D
; 

loc_662362:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+3A0j
		mov	[esi+eax*8-4], ebx
		mov	byte ptr [esi+7], 3Fh
		mov	[ebp+var_24], edx

loc_66236D:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+3A5j
		mov	byte ptr [esi+3], 0
		mov	edx, [ebp+var_2C]
		test	edx, edx
		jz	short loc_6623E2
		cmp	edx, ecx
		jnz	short loc_662399
		inc	word ptr [esi]
		add	ebx, 8
		mov	[ebp+var_70], ebx
		cmp	ebx, 3Fh
		jnb	short loc_66238F
		mov	[esi+7], bl
		jmp	short loc_6623E2
; 

loc_66238F:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+3CDj
		mov	[esi+eax*8+4], ebx
		mov	byte ptr [esi+7], 3Fh
		jmp	short loc_6623E2
; 

loc_662399:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+3BFj
		mov	edx, [ebp+var_30]
		xor	edx, ecx
		mov	al, [esi+6]
		test	al, al
		jz	short loc_6623B8
		movzx	eax, al
		sub	ecx, eax
		shl	ecx, 10h
		mov	eax, esi
		and	eax, 0FFFF0000h
		add	ecx, eax
		jmp	short loc_6623BA
; 

loc_6623B8:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+3E8j
		mov	ecx, edi

loc_6623BA:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+3FBj
		mov	[ebp+var_64], ecx
		push	[ebp+var_2C]
		push	[ebp+var_70]
		push	edx
		push	[ebp+var_4C]
		mov	eax, [ebp+var_24]
		add	eax, esi
		push	eax
		mov	edx, ecx
		mov	ecx, edi
		call	@RtlpCreateSplitBlock@28 ; RtlpCreateSplitBlock(x,x,x,x,x,x,x)
		test	al, al
		jz	loc_6621D4
		mov	byte ptr [ebp+var_4C], 0

loc_6623E2:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+3BBj
					; RtlpAllocateHeap(x,x,x,x,x,x)+3D2j ...
		lea	ebx, [esi+8]
		mov	[ebp+var_28], ebx
		movzx	ecx, word ptr [esi]
		shl	ecx, 3
		mov	[ebp+var_3C], ecx
		mov	al, [esi+7]
		and	al, 3Fh
		cmp	al, 3Fh
		jnz	short loc_662400
		add	ecx, 0FFFFFFFCh
		mov	[ebp+var_3C], ecx

loc_662400:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+43Dj
		cmp	[ebp+var_30], 0
		jz	short loc_662456
		cmp	dword ptr [edi+4Ch], 0
		jz	short loc_66241C
		mov	al, [esi+1]
		xor	al, [esi]
		xor	al, [esi+2]
		mov	[esi+3], al
		mov	eax, [edi+50h]
		xor	[esi], eax

loc_66241C:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+44Fj
		cmp	[ebp+var_19], 0
		jz	short loc_662438
		mov	ecx, [edi+0C8h]
		call	ExReleaseResourceLite
		xor	al, al
		mov	[ebp+var_19], al
		mov	[ebp+var_1A], al
		mov	ecx, [ebp+var_3C]

loc_662438:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+465j
		test	byte ptr [ebp+var_20], 8
		jz	loc_6621D7
		lea	eax, [ecx-8]
		push	eax		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_6621D7
; 

loc_662456:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+449j
		test	byte ptr [ebp+var_20], 8
		jz	short loc_66246D
		lea	eax, [ecx-8]
		push	eax		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_662485
; 

loc_66246D:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+49Fj
		test	byte ptr [edi+40h], 40h
		jz	short loc_662485
		push	0BAADF00Dh
		mov	eax, [ebp+arg_0]
		and	eax, 0FFFFFFFCh
		push	eax
		push	ebx
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)

loc_662485:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+4B0j
					; RtlpAllocateHeap(x,x,x,x,x,x)+4B6j
		test	byte ptr [edi+40h], 20h
		jz	short loc_66249E
		mov	ecx, 0ABABABABh
		mov	eax, [ebp+arg_0]
		mov	[eax+ebx], ecx
		mov	[eax+ebx+4], ecx
		or	byte ptr [esi+2], 4

loc_66249E:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+4CEj
		xor	ecx, ecx
		mov	[esi+3], cl
		test	byte ptr [esi+2], 2
		jz	short loc_6624C3
		cmp	byte ptr [esi+7], 4
		jnz	short loc_6624B4
		lea	eax, [esi-10h]
		jmp	short loc_6624BB
; 

loc_6624B4:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+4F2j
		movzx	eax, word ptr [esi]
		dec	eax
		lea	eax, [esi+eax*8]

loc_6624BB:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+4F7j
		mov	[ebp+var_50], eax
		mov	[eax], ecx
		mov	[eax+4], ecx

loc_6624C3:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+4ECj
		cmp	[edi+4Ch], ecx
		jz	loc_6621D7
		mov	al, [esi+1]
		xor	al, [esi]
		xor	al, [esi+2]
		mov	[esi+3], al
		mov	eax, [edi+50h]
		xor	[esi], eax
		jmp	loc_6621D7
; 

loc_6624E1:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+280j
					; RtlpAllocateHeap(x,x,x,x,x,x)+288j
		push	0
		push	eax
		push	ecx
		push	edx
		mov	edx, edi
		push	0Dh
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	[ebp+var_1B], 0
		jmp	loc_6621D4
; 

loc_6624F9:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+265j
		mov	[ebp+var_40], 0C0000017h
		jmp	loc_662608
; 

loc_662505:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+135j
		test	byte ptr [edi+40h], 2
		jz	loc_662601
		add	ebx, 18h
		mov	[ebp+arg_4], ebx
		mov	[ebp+arg_4], ebx
		lea	ecx, [ebx+0FFFh]
		and	ecx, 0FFFFF000h
		mov	edx, [edi+1F8h]
		sub	edx, [edi+244h]
		lea	eax, [edi+0D4h]
		push	eax
		push	edi
		call	RtlpHpHeapCheckCommitLimit
		xor	ebx, ebx
		test	eax, eax
		jnz	short loc_662552
		mov	[ebp+var_40], 0C000012Dh

loc_66254A:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+641j
					; RtlpAllocateHeap(x,x,x,x,x,x)+64Fj
		mov	[ebp+var_28], ebx
		jmp	loc_6621D7
; 

loc_662552:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+586j
		mov	[ebp+var_74], ebx
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		and	eax, 7FFFFFFFh
		mov	[ebp+var_74], eax
		and	eax, 0Fh
		shl	eax, 0Ch
		mov	[ebp+var_78], eax
		lea	ecx, [ebp+var_54]
		push	ecx
		push	eax
		lea	edx, [ebp+arg_4]
		call	_RtlpHpAllocVirtBlockCommitFirst@16 ; RtlpHpAllocVirtBlockCommitFirst(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_7C], esi
		test	esi, esi
		jnz	short loc_662592
		mov	[ebp+var_28], ebx
		inc	dword ptr [edi+224h]
		jmp	loc_6621D7
; 

loc_662592:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+5C7j
		mov	ecx, [ebp+arg_4]
		mov	eax, ecx
		sub	eax, [ebp+arg_0]
		mov	[esi+18h], ax
		mov	eax, [ebp+var_24]
		or	al, 2
		mov	[esi+1Ah], al
		mov	[esi+10h], ecx
		mov	eax, [ebp+var_54]
		mov	[esi+14h], eax
		mov	byte ptr [esi+1Fh], 4
		add	[edi+200h], ecx
		cmp	[edi+4Ch], ebx
		jz	short loc_6625D0
		mov	al, [esi+1Ah]
		xor	al, [esi+19h]
		xor	al, [esi+18h]
		mov	[esi+1Bh], al
		mov	eax, [edi+50h]
		xor	[esi+18h], eax

loc_6625D0:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+601j
		lea	eax, [edi+9Ch]
		mov	ecx, [eax+4]
		mov	edx, [ecx]
		cmp	edx, eax
		jnz	short loc_6625EB
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		jmp	short loc_6625F9
; 

loc_6625EB:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+622j
		push	ebx
		push	edx
		push	ebx
		push	eax
		xor	edx, edx
		push	0Dh
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_6625F9:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+62Ej
		lea	ebx, [esi+20h]
		jmp	loc_66254A
; 

loc_662601:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+54Ej
		mov	[ebp+var_40], 0C0000023h

loc_662608:				; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+545j
		xor	ebx, ebx
		jmp	loc_66254A
@RtlpAllocateHeap@24 endp


;  S U B	R O U T	I N E 


sub_66260F	proc near		; DATA XREF: .text:006A9250o
		mov	edi, [ebp-58h]
		mov	al, [ebp-1Ah]
		mov	ebx, [ebp-28h]
sub_66260F	endp


;  S U B	R O U T	I N E 


sub_662618	proc near		; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+226p
		test	al, al
		jz	short locret_662627
		mov	ecx, [edi+0C8h]
		call	ExReleaseResourceLite

locret_662627:				; CODE XREF: sub_662618+2j
		retn
sub_662618	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall RtlpCreateSplitBlock(x, x,	x, x, x, x, x)
@RtlpCreateSplitBlock@28 proc near	; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+416p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	al, byte ptr [ebp+arg_4]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		mov	[esi+2], al
		mov	byte ptr [esi+7], 0
		mov	ax, [edi+54h]
		xor	ax, word ptr [ebp+arg_C]
		mov	[esi+4], ax
		mov	ecx, [edx+18h]
		cmp	ecx, edx
		jnz	short loc_66265B
		xor	bl, bl
		jmp	short loc_66267B
; 

loc_66265B:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+2Dj
		mov	ebx, esi
		sub	ebx, edx
		shr	ebx, 10h
		inc	ebx
		cmp	ebx, 0FEh
		jb	short loc_66267B
		push	0
		push	0
		push	edx
		push	esi
		push	3
		mov	edx, ecx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_66267B:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+31j
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+41j
		mov	eax, [ebp+arg_10]
		movzx	edx, ax
		mov	[esi+6], bl
		mov	byte ptr [esi+3], 0
		mov	[ebp+arg_0], edx
		lea	ebx, [esi+eax*8]
		mov	[esi], dx

loc_662691:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+DAj
		mov	ecx, [edi+4Ch]
		mov	eax, ecx
		shr	eax, 14h
		and	al, [edi+52h]
		xor	al, [ebx+2]
		test	al, 1
		jnz	loc_66299B
		test	ecx, ecx
		jz	short loc_6626C7
		mov	eax, [edi+50h]
		xor	[ebx], eax
		mov	al, [ebx+1]
		xor	al, [ebx+2]
		xor	al, [ebx]
		cmp	[ebx+3], al
		jz	short loc_6626C7
		push	ecx
		mov	edx, ebx
		mov	ecx, edi
		call	_RtlpAnalyzeHeapFailure@12 ; RtlpAnalyzeHeapFailure(x,x,x)

loc_6626C7:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+81j
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+93j
		mov	eax, [ebx+0Ch]
		lea	edx, [ebx+8]
		mov	ecx, [edx]
		mov	[ebp+arg_4], ecx
		mov	[ebp+arg_C], eax
		mov	eax, [eax]
		mov	ecx, [ecx+4]
		cmp	eax, ecx
		jnz	short loc_6626E2
		cmp	eax, edx
		jz	short loc_662704

loc_6626E2:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+B4j
		push	0
		push	eax
		push	ecx
		push	edx
		push	0Dh
		mov	edx, edi
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		cmp	[ebp+var_4], 0
		jnz	loc_662994
		mov	[ebp+var_4], 1
		jmp	short loc_662691
; 

loc_662704:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+B8j
		movzx	eax, word ptr [ebx]
		sub	[edi+74h], eax
		mov	edx, [edi+0B4h]
		test	edx, edx
		jz	short loc_66273A
		movzx	ecx, word ptr [ebx]
		jmp	short loc_662725
; 

loc_662719:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+100j
		mov	eax, [edx]
		test	eax, eax
		jz	loc_662801
		mov	edx, eax

loc_662725:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+EFj
		cmp	ecx, [edx+4]
		jnb	short loc_662719
		mov	eax, ecx

loc_66272C:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+1DDj
		push	ecx
		push	eax
		lea	eax, [ebx+8]
		push	eax
		push	ecx
		mov	ecx, edi
		call	_RtlpHeapRemoveListEntry@24 ; RtlpHeapRemoveListEntry(x,x,x,x,x,x)

loc_66273A:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+EAj
		cmp	[ebp+arg_8], 0
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+arg_4]
		mov	[ecx], eax
		mov	[eax+4], ecx
		jz	short loc_6627A2
		mov	cl, [ebx+2]
		test	cl, 4
		jz	short loc_6627A2
		movzx	eax, word ptr [ebx]
		lea	eax, ds:0FFFFFFF0h[eax*8]
		mov	[ebp+arg_4], eax
		test	cl, 2
		jz	short loc_662770
		cmp	eax, 4
		jbe	short loc_662770
		sub	eax, 4
		mov	[ebp+arg_4], eax

loc_662770:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+13Bj
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+140j
		push	0FEEEFEEEh
		push	eax
		lea	eax, [ebx+10h]
		push	eax
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, [ebp+arg_4]
		jz	short loc_6627A2
		add	eax, 10h
		add	eax, ebx
		push	eax
		push	ebx
		push	(offset	loc_5A56D8+4)
		call	_DbgPrint
		add	esp, 0Ch
		cmp	ds:_KdDebuggerEnabled, 0
		jz	short loc_6627A2
		int	3		; Trap to Debugger

loc_6627A2:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+121j
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+129j ...
		mov	al, [ebx+2]
		mov	edx, [ebp+arg_10]
		mov	[esi+2], al
		movzx	eax, word ptr [ebx]
		add	edx, eax
		cmp	edx, 0FE00h
		ja	loc_662985
		movzx	ecx, dx
		mov	[esi], cx
		mov	ax, [edi+54h]
		xor	ax, cx
		cmp	[ebp+arg_8], 0
		mov	[esi+edx*8+4], ax
		mov	eax, ecx
		mov	[ebp+arg_4], eax
		mov	byte ptr [esi+7], 0
		jnz	loc_6628B5
		mov	byte ptr [esi+2], 0
		lea	ebx, [edi+0C0h]
		cmp	dword ptr [edi+0B4h], 0
		jz	short loc_66280A
		mov	edx, eax
		mov	ecx, edi
		call	_RtlpFindEntry@8 ; RtlpFindEntry(x,x)
		mov	ecx, eax
		jmp	short loc_66280C
; 

loc_662801:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+F5j
		mov	eax, [edx+4]
		dec	eax
		jmp	loc_66272C
; 

loc_66280A:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+1CAj
		mov	ecx, [ebx]

loc_66280C:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+1D7j
		cmp	ebx, ecx
		jz	short loc_66283B
		mov	edx, [edi+4Ch]

loc_662813:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+211j
		test	edx, edx
		jz	short loc_662829
		mov	eax, [ecx-8]
		mov	edx, [edi+4Ch]
		test	eax, edx
		jz	short loc_662824
		xor	eax, [edi+50h]

loc_662824:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+1F7j
		movzx	eax, ax
		jmp	short loc_66282D
; 

loc_662829:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+1EDj
		movzx	eax, word ptr [ecx-8]

loc_66282D:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+1FFj
		movzx	eax, ax
		cmp	[ebp+arg_4], eax
		jbe	short loc_66283B
		mov	ecx, [ecx]
		cmp	ebx, ecx
		jnz	short loc_662813

loc_66283B:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+1E6j
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+20Bj
		mov	eax, [ecx+4]
		lea	ebx, [esi+8]
		mov	edx, [eax]
		cmp	edx, ecx
		jnz	short loc_662853
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	[ecx+4], ebx
		jmp	short loc_662863
; 

loc_662853:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+21Dj
		push	0
		push	edx
		push	0
		push	ecx
		push	0Dh
		xor	edx, edx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_662863:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+229j
		movzx	eax, word ptr [esi]
		add	[edi+74h], eax
		mov	edx, [edi+0B4h]
		test	edx, edx
		jz	short loc_662896
		movzx	ecx, word ptr [esi]
		jmp	short loc_662884
; 

loc_662878:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+25Fj
		mov	eax, [edx]
		test	eax, eax
		jz	loc_66297C
		mov	edx, eax

loc_662884:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+24Ej
		cmp	ecx, [edx+4]
		jnb	short loc_662878

loc_662889:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+34Fj
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+438j
		mov	eax, ecx

loc_66288B:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+358j
		push	ecx
		push	eax
		push	ebx
		push	ecx
		mov	ecx, edi
		call	_RtlpHeapAddListEntry@24 ; RtlpHeapAddListEntry(x,x,x,x,x,x)

loc_662896:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+249j
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+337j ...
		cmp	dword ptr [edi+4Ch], 0
		jz	loc_662B46
		mov	al, [esi+1]
		xor	al, [esi]
		xor	al, [esi+2]
		mov	[esi+3], al
		mov	eax, [edi+50h]
		xor	[esi], eax
		jmp	loc_662B46
; 

loc_6628B5:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+1B3j
		and	byte ptr [esi+2], 0F0h
		test	byte ptr [edi+40h], 40h
		jz	short loc_6628DC
		push	0FEEEFEEEh
		lea	eax, ds:0FFFFFFF0h[eax*8]
		push	eax
		lea	eax, [esi+10h]
		push	eax
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		or	byte ptr [esi+2], 4
		mov	eax, [ebp+arg_4]

loc_6628DC:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+295j
		cmp	dword ptr [edi+0B4h], 0
		lea	ebx, [edi+0C0h]
		jz	short loc_6628F8
		mov	edx, eax
		mov	ecx, edi
		call	_RtlpFindEntry@8 ; RtlpFindEntry(x,x)
		mov	ecx, eax
		jmp	short loc_6628FA
; 

loc_6628F8:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+2C1j
		mov	ecx, [ebx]

loc_6628FA:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+2CEj
		cmp	ebx, ecx
		jz	short loc_662929
		mov	edx, [edi+4Ch]

loc_662901:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+2FFj
		test	edx, edx
		jz	short loc_662917
		mov	eax, [ecx-8]
		mov	edx, [edi+4Ch]
		test	eax, edx
		jz	short loc_662912
		xor	eax, [edi+50h]

loc_662912:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+2E5j
		movzx	eax, ax
		jmp	short loc_66291B
; 

loc_662917:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+2DBj
		movzx	eax, word ptr [ecx-8]

loc_66291B:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+2EDj
		movzx	eax, ax
		cmp	[ebp+arg_4], eax
		jbe	short loc_662929
		mov	ecx, [ecx]
		cmp	ebx, ecx
		jnz	short loc_662901

loc_662929:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+2D4j
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+2F9j
		mov	eax, [ecx+4]
		lea	ebx, [esi+8]
		mov	edx, [eax]
		cmp	edx, ecx
		jnz	short loc_662941
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	[ecx+4], ebx
		jmp	short loc_662951
; 

loc_662941:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+30Bj
		push	0
		push	edx
		push	0
		push	ecx
		push	0Dh
		xor	edx, edx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_662951:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+317j
		movzx	eax, word ptr [esi]
		add	[edi+74h], eax
		mov	edx, [edi+0B4h]
		test	edx, edx
		jz	loc_662896
		movzx	ecx, word ptr [esi]
		jmp	short loc_662972
; 

loc_66296A:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+34Dj
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_66297C
		mov	edx, eax

loc_662972:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+340j
		cmp	ecx, [edx+4]
		jnb	short loc_66296A
		jmp	loc_662889
; 

loc_66297C:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+254j
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+346j ...
		mov	eax, [edx+4]
		dec	eax
		jmp	loc_66288B
; 

loc_662985:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+18Ej
		push	edx
		mov	edx, esi
		mov	ecx, edi
		call	_RtlpInsertFreeBlock@12	; RtlpInsertFreeBlock(x,x,x)
		jmp	loc_662B46
; 

loc_662994:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+CDj
		xor	al, al
		jmp	loc_662B48
; 

loc_66299B:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+79j
		mov	ax, [edi+54h]
		mov	ecx, [ebp+arg_0]
		xor	ax, cx
		cmp	[ebp+arg_8], 0
		mov	[ebx+4], ax
		movzx	eax, cx
		mov	[ebp+arg_4], eax
		mov	byte ptr [esi+7], 0
		jnz	loc_662A65
		mov	byte ptr [esi+2], 0
		lea	ebx, [edi+0C0h]
		cmp	dword ptr [edi+0B4h], 0
		jz	short loc_6629DD
		mov	edx, eax
		mov	ecx, edi
		call	_RtlpFindEntry@8 ; RtlpFindEntry(x,x)
		mov	ecx, eax
		jmp	short loc_6629DF
; 

loc_6629DD:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+3A6j
		mov	ecx, [ebx]

loc_6629DF:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+3B3j
		cmp	ebx, ecx
		jz	short loc_662A0E
		mov	edx, [edi+4Ch]

loc_6629E6:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+3E4j
		test	edx, edx
		jz	short loc_6629FC
		mov	eax, [ecx-8]
		mov	edx, [edi+4Ch]
		test	edx, eax
		jz	short loc_6629F7
		xor	eax, [edi+50h]

loc_6629F7:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+3CAj
		movzx	eax, ax
		jmp	short loc_662A00
; 

loc_6629FC:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+3C0j
		movzx	eax, word ptr [ecx-8]

loc_662A00:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+3D2j
		movzx	eax, ax
		cmp	[ebp+arg_4], eax
		jbe	short loc_662A0E
		mov	ecx, [ecx]
		cmp	ebx, ecx
		jnz	short loc_6629E6

loc_662A0E:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+3B9j
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+3DEj
		mov	eax, [ecx+4]
		lea	ebx, [esi+8]
		mov	edx, [eax]
		cmp	edx, ecx
		jnz	short loc_662A26
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	[ecx+4], ebx
		jmp	short loc_662A36
; 

loc_662A26:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+3F0j
		push	0
		push	edx
		push	0
		push	ecx
		push	0Dh
		xor	edx, edx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_662A36:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+3FCj
		movzx	eax, word ptr [esi]
		add	[edi+74h], eax
		mov	edx, [edi+0B4h]
		test	edx, edx
		jz	loc_662896
		movzx	ecx, word ptr [esi]
		jmp	short loc_662A5B
; 

loc_662A4F:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+436j
		mov	eax, [edx]
		test	eax, eax
		jz	loc_66297C
		mov	edx, eax

loc_662A5B:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+425j
		cmp	ecx, [edx+4]
		jnb	short loc_662A4F
		jmp	loc_662889
; 

loc_662A65:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+38Fj
		and	byte ptr [esi+2], 0F0h
		test	byte ptr [edi+40h], 40h
		jz	short loc_662A8C
		push	0FEEEFEEEh
		lea	eax, ds:0FFFFFFF0h[eax*8]
		push	eax
		lea	eax, [esi+10h]
		push	eax
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		or	byte ptr [esi+2], 4
		mov	eax, [ebp+arg_4]

loc_662A8C:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+445j
		cmp	dword ptr [edi+0B4h], 0
		lea	ebx, [edi+0C0h]
		jz	short loc_662AA8
		mov	edx, eax
		mov	ecx, edi
		call	_RtlpFindEntry@8 ; RtlpFindEntry(x,x)
		mov	ecx, eax
		jmp	short loc_662AAA
; 

loc_662AA8:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+471j
		mov	ecx, [ebx]

loc_662AAA:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+47Ej
		cmp	ebx, ecx
		jz	short loc_662AD9
		mov	edx, [edi+4Ch]

loc_662AB1:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+4AFj
		test	edx, edx
		jz	short loc_662AC7
		mov	eax, [ecx-8]
		mov	edx, [edi+4Ch]
		test	eax, edx
		jz	short loc_662AC2
		xor	eax, [edi+50h]

loc_662AC2:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+495j
		movzx	eax, ax
		jmp	short loc_662ACB
; 

loc_662AC7:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+48Bj
		movzx	eax, word ptr [ecx-8]

loc_662ACB:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+49Dj
		movzx	eax, ax
		cmp	[ebp+arg_4], eax
		jbe	short loc_662AD9
		mov	ecx, [ecx]
		cmp	ebx, ecx
		jnz	short loc_662AB1

loc_662AD9:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+484j
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+4A9j
		mov	eax, [ecx+4]
		lea	ebx, [esi+8]
		mov	edx, [eax]
		cmp	edx, ecx
		jnz	short loc_662AF1
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	[ecx+4], ebx
		jmp	short loc_662B01
; 

loc_662AF1:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+4BBj
		push	0
		push	edx
		push	0
		push	ecx
		push	0Dh
		xor	edx, edx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_662B01:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+4C7j
		movzx	eax, word ptr [esi]
		add	[edi+74h], eax
		mov	edx, [edi+0B4h]
		test	edx, edx
		jz	short loc_662B30
		movzx	ecx, word ptr [esi]
		jmp	short loc_662B1E
; 

loc_662B16:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+4F9j
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_662B4F
		mov	edx, eax

loc_662B1E:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+4ECj
		cmp	ecx, [edx+4]
		jnb	short loc_662B16
		mov	eax, ecx

loc_662B25:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+52Bj
		push	ecx
		push	eax
		push	ebx
		push	ecx
		mov	ecx, edi
		call	_RtlpHeapAddListEntry@24 ; RtlpHeapAddListEntry(x,x,x,x,x,x)

loc_662B30:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+4E7j
		cmp	dword ptr [edi+4Ch], 0
		jz	short loc_662B46
		mov	cl, [esi+1]
		xor	cl, [esi]
		xor	cl, [esi+2]
		mov	[esi+3], cl
		mov	ecx, [edi+50h]
		xor	[esi], ecx

loc_662B46:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+272j
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+288j ...
		mov	al, 1

loc_662B48:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+36Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_662B4F:				; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+4F2j
		mov	eax, [edx+4]
		dec	eax
		jmp	short loc_662B25
@RtlpCreateSplitBlock@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall RtlpFreeHeap(x, x,	x, x)
@RtlpFreeHeap@16 proc near		; CODE XREF: RtlpFreeHeapInternal+DB708p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	2Ch
		push	offset dword_6A9218
		call	__SEH_prolog4
		mov	esi, ecx
		mov	[ebp+var_2C], esi
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_19], bl
		mov	[ebp+var_28], ebx
		mov	edi, [ebp+arg_0]
		cmp	esi, edi
		jnz	short loc_662B8D
		push	ebx
		push	ebx
		push	ebx
		push	edi
		mov	edx, esi
		push	9
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		xor	eax, eax
		jmp	loc_662EEE
; 

loc_662B8D:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+21j
		or	edx, [esi+44h]
		mov	eax, edx
		and	eax, 3C010F60h
		mov	[ebp+var_24], eax
		mov	[ebp+ms_exc.disabled], ebx
		test	dl, 1
		jnz	short loc_662BEA
		push	1
		push	dword ptr [esi+0C8h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp+var_19], 1
		cmp	[esi+4Ch], ebx
		jz	short loc_662BD4
		mov	eax, [esi+50h]
		xor	[edi], eax
		mov	al, [edi+2]
		xor	al, [edi+1]
		xor	al, [edi]
		cmp	[edi+3], al
		jz	short loc_662BD4
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	_RtlpAnalyzeHeapFailure@12 ; RtlpAnalyzeHeapFailure(x,x,x)

loc_662BD4:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+61j
					; RtlpFreeHeap(x,x,x,x)+73j
		movzx	ecx, word ptr [edi]
		mov	eax, [esi+0B4h]

loc_662BDD:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+93j
		cmp	ecx, [eax+4]
		jb	short loc_662C0B
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_662C0B
		jmp	short loc_662BDD
; 

loc_662BEA:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+4Bj
		cmp	[esi+4Ch], ebx
		jz	short loc_662C0B
		mov	eax, [esi+50h]
		xor	[edi], eax
		mov	al, [edi+2]
		xor	al, [edi+1]
		xor	al, [edi]
		cmp	[edi+3], al
		jz	short loc_662C0B
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	_RtlpAnalyzeHeapFailure@12 ; RtlpAnalyzeHeapFailure(x,x,x)

loc_662C0B:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+8Bj
					; RtlpFreeHeap(x,x,x,x)+91j ...
		mov	al, [edi+2]
		test	al, 8
		jz	short loc_662C17
		and	al, 0F7h
		mov	[edi+2], al

loc_662C17:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+BBj
		cmp	byte ptr [edi+7], 4
		jz	loc_662E6A
		movzx	eax, word ptr [edi]
		mov	[ebp+var_20], eax
		push	ecx
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	_RtlpCoalesceFreeBlocks@16 ; RtlpCoalesceFreeBlocks(x,x,x,x)
		mov	edi, eax
		mov	[ebp+arg_0], edi
		mov	ecx, [ebp+var_20]
		cmp	ecx, [esi+6Ch]
		jb	short loc_662C5C
		mov	eax, [esi+74h]
		add	eax, ecx
		cmp	eax, [esi+70h]
		jb	short loc_662C5C
		push	ecx
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	_RtlpDeCommitFreeBlock@16 ; RtlpDeCommitFreeBlock(x,x,x,x)
		jmp	loc_662E63
; 

loc_662C5C:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+EBj
					; RtlpFreeHeap(x,x,x,x)+F5j
		cmp	ecx, 0FE00h
		ja	loc_662E59
		movzx	ecx, cx
		cmp	[ebp+var_24], 0
		mov	[ebp+var_24], ecx
		jnz	loc_662D46
		mov	[edi+2], bl
		mov	[edi+7], bl
		lea	eax, [esi+0C0h]
		cmp	[esi+0B4h], ebx
		jz	short loc_662C9F
		mov	edx, ecx
		mov	ecx, esi
		call	_RtlpFindEntry@8 ; RtlpFindEntry(x,x)
		mov	ecx, eax
		lea	eax, [esi+0C0h]
		jmp	short loc_662CA1
; 

loc_662C9F:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+135j
		mov	ecx, [eax]

loc_662CA1:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+148j
		mov	edx, [ebp+var_24]

loc_662CA4:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+18Dj
		cmp	eax, ecx
		jz	short loc_662CE4
		cmp	[esi+4Ch], ebx
		jz	short loc_662CCF
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	edx, [ecx-8]
		mov	[ebp+var_34], edx
		test	[esi+4Ch], edx
		jz	short loc_662CC4
		xor	edx, [esi+50h]
		mov	[ebp+var_34], edx

loc_662CC4:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+167j
		movzx	eax, dx
		mov	edi, [ebp+arg_0]
		mov	edx, [ebp+var_24]
		jmp	short loc_662CD3
; 

loc_662CCF:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+156j
		movzx	eax, word ptr [ecx-8]

loc_662CD3:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+178j
		movzx	eax, ax
		cmp	edx, eax
		jbe	short loc_662CE4
		mov	ecx, [ecx]
		lea	eax, [esi+0C0h]
		jmp	short loc_662CA4
; 

loc_662CE4:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+151j
					; RtlpFreeHeap(x,x,x,x)+183j
		mov	edx, [ecx+4]
		mov	eax, [edx]
		mov	[ebp+var_24], eax
		cmp	eax, ecx
		lea	eax, [edi+8]
		jnz	short loc_662CFF
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		jmp	short loc_662D0F
; 

loc_662CFF:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+19Cj
		push	ebx
		push	[ebp+var_24]
		push	ebx
		push	ecx
		xor	edx, edx
		push	0Dh
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_662D0F:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+1A8j
		movzx	eax, word ptr [edi]
		add	[esi+74h], eax
		mov	edx, [esi+0B4h]
		test	edx, edx
		jz	loc_662E3E
		movzx	eax, word ptr [edi]

loc_662D26:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+1EFj
		mov	ecx, [edx+4]
		mov	[ebp+var_24], ecx
		cmp	eax, ecx
		jb	loc_662E22
		mov	ecx, [edx]
		test	ecx, ecx
		jnz	short loc_662D42
		mov	ecx, [ebp+var_24]
		jmp	loc_662E2F
; 

loc_662D42:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+1E3j
		mov	edx, ecx
		jmp	short loc_662D26
; 

loc_662D46:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+11Dj
		mov	al, [edi+2]
		and	al, 0F0h
		mov	[edi+2], al
		mov	[edi+7], bl
		test	byte ptr [esi+40h], 40h
		jz	short loc_662D74
		push	0FEEEFEEEh
		lea	eax, ds:0FFFFFFF0h[ecx*8]
		push	eax
		lea	eax, [edi+10h]
		push	eax
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		or	byte ptr [edi+2], 4
		mov	ecx, [ebp+var_24]

loc_662D74:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+200j
		lea	eax, [esi+0C0h]
		cmp	[esi+0B4h], ebx
		jz	short loc_662D95
		mov	edx, ecx
		mov	ecx, esi
		call	_RtlpFindEntry@8 ; RtlpFindEntry(x,x)
		mov	ecx, eax
		lea	eax, [esi+0C0h]
		jmp	short loc_662D97
; 

loc_662D95:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+22Bj
		mov	ecx, [eax]

loc_662D97:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+23Ej
		mov	edx, [ebp+var_24]

loc_662D9A:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+283j
		cmp	eax, ecx
		jz	short loc_662DDA
		cmp	[esi+4Ch], ebx
		jz	short loc_662DC5
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	edx, [ecx-8]
		mov	[ebp+var_3C], edx
		test	[esi+4Ch], edx
		jz	short loc_662DBA
		xor	edx, [esi+50h]
		mov	[ebp+var_3C], edx

loc_662DBA:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+25Dj
		movzx	eax, dx
		mov	edi, [ebp+arg_0]
		mov	edx, [ebp+var_24]
		jmp	short loc_662DC9
; 

loc_662DC5:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+24Cj
		movzx	eax, word ptr [ecx-8]

loc_662DC9:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+26Ej
		movzx	eax, ax
		cmp	edx, eax
		jbe	short loc_662DDA
		mov	ecx, [ecx]
		lea	eax, [esi+0C0h]
		jmp	short loc_662D9A
; 

loc_662DDA:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+247j
					; RtlpFreeHeap(x,x,x,x)+279j
		mov	edx, [ecx+4]
		mov	eax, [edx]
		mov	[ebp+var_24], eax
		cmp	eax, ecx
		lea	eax, [edi+8]
		jnz	short loc_662DF5
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		jmp	short loc_662E05
; 

loc_662DF5:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+292j
		push	ebx
		push	[ebp+var_24]
		push	ebx
		push	ecx
		xor	edx, edx
		push	0Dh
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_662E05:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+29Ej
		movzx	eax, word ptr [edi]
		add	[esi+74h], eax
		mov	edx, [esi+0B4h]
		test	edx, edx
		jz	short loc_662E3E
		movzx	eax, word ptr [edi]

loc_662E18:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+302j
		mov	ecx, [edx+4]
		mov	[ebp+var_24], ecx
		cmp	eax, ecx
		jnb	short loc_662E26

loc_662E22:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+1D9j
		mov	ecx, eax
		jmp	short loc_662E30
; 

loc_662E26:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+2CBj
		mov	ecx, [edx]
		test	ecx, ecx
		jnz	short loc_662E55
		mov	ecx, [ebp+var_24]

loc_662E2F:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+1E8j
		dec	ecx

loc_662E30:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+2CFj
		push	eax
		push	ecx
		lea	eax, [edi+8]
		push	eax
		push	ecx
		mov	ecx, esi
		call	_RtlpHeapAddListEntry@24 ; RtlpHeapAddListEntry(x,x,x,x,x,x)

loc_662E3E:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+1C8j
					; RtlpFreeHeap(x,x,x,x)+2BEj
		cmp	[esi+4Ch], ebx
		jz	short loc_662E63
		mov	al, [edi+2]
		xor	al, [edi+1]
		xor	al, [edi]
		mov	[edi+3], al
		mov	eax, [esi+50h]
		xor	[edi], eax
		jmp	short loc_662E63
; 

loc_662E55:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+2D5j
		mov	edx, ecx
		jmp	short loc_662E18
; 

loc_662E59:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+10Dj
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	_RtlpInsertFreeBlock@12	; RtlpInsertFreeBlock(x,x,x)

loc_662E63:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+102j
					; RtlpFreeHeap(x,x,x,x)+2ECj ...
		mov	edi, ebx
		mov	[ebp+arg_0], edi
		jmp	short loc_662EDF
; 

loc_662E6A:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+C6j
		add	edi, 0FFFFFFE8h
		mov	ecx, [edi+10h]
		mov	eax, edi
		and	eax, 0FFFF0000h
		mov	[ebp+var_28], eax
		sub	[esi+200h], ecx
		mov	eax, [edi]
		mov	ecx, [edi+4]
		mov	edx, [ecx]
		mov	esi, [eax+4]
		mov	[ebp+var_24], esi
		cmp	edx, esi
		mov	esi, [ebp+var_2C]
		jnz	short loc_662E9F
		cmp	edx, edi
		jnz	short loc_662E9F
		mov	[ecx], eax
		mov	[eax+4], ecx
		jmp	short loc_662EAF
; 

loc_662E9F:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+33Dj
					; RtlpFreeHeap(x,x,x,x)+341j
		push	ebx
		push	edx
		push	[ebp+var_24]
		push	edi
		xor	edx, edx
		push	0Dh
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_662EAF:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+348j
		mov	edi, ebx
		mov	[ebp+arg_0], edi
		cmp	[ebp+var_19], 0
		jz	short loc_662EC8
		mov	ecx, [esi+0C8h]
		call	ExReleaseResourceLite
		mov	[ebp+var_19], bl

loc_662EC8:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+363j
		mov	[ebp+var_20], ebx
		push	8000h
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)

loc_662EDF:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+313j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_662F08
		xor	eax, eax
		inc	eax

loc_662EEE:				; CODE XREF: RtlpFreeHeap(x,x,x,x)+33j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
@RtlpFreeHeap@16 endp


;  S U B	R O U T	I N E 


sub_662F00	proc near		; DATA XREF: .text:006A9230o
		xor	ebx, ebx
		mov	edi, [ebp+8]
		mov	esi, [ebp-2Ch]
sub_662F00	endp


;  S U B	R O U T	I N E 


sub_662F08	proc near		; CODE XREF: RtlpFreeHeap(x,x,x,x)+391p
		test	edi, edi
		jz	short loc_662F21
		cmp	[esi+4Ch], ebx
		jz	short loc_662F21
		mov	al, [edi+2]
		xor	al, [edi+1]
		xor	al, [edi]
		mov	[edi+3], al
		mov	eax, [esi+50h]
		xor	[edi], eax

loc_662F21:				; CODE XREF: sub_662F08+2j
					; sub_662F08+7j
		cmp	byte ptr [ebp-19h], 0
		jz	short locret_662F32
		mov	ecx, [esi+0C8h]
		call	ExReleaseResourceLite

locret_662F32:				; CODE XREF: sub_662F08+1Dj
		retn
sub_662F08	endp


;  S U B	R O U T	I N E 


; __fastcall RtlpInsertUCRBlock(x, x)
@RtlpInsertUCRBlock@8 proc near		; CODE XREF: RtlpCreateUCREntry(x,x,x,x,x,x)+A7p
					; RtlpDeCommitFreeBlock(x,x,x,x)+317p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	edx, [esi+14h]
		test	edx, edx
		jz	short loc_662F6D
		call	@RtlpFindUCREntry@8 ; RtlpFindUCREntry(x,x)
		mov	ecx, [eax+4]
		mov	edx, [ecx]
		cmp	edx, eax
		jnz	short loc_662F5F
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		jmp	short loc_662F6D
; 

loc_662F5F:				; CODE XREF: RtlpInsertUCRBlock(x,x)+1Ej
		push	ebx
		push	edx
		push	ebx
		push	eax
		push	0Dh
		xor	edx, edx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_662F6D:				; CODE XREF: RtlpInsertUCRBlock(x,x)+10j
					; RtlpInsertUCRBlock(x,x)+2Aj
		lea	ecx, [esi-8]
		mov	al, [ecx+6]
		test	al, al
		jz	short loc_662F8D
		movzx	eax, al
		and	ecx, 0FFFF0000h
		shl	eax, 10h
		sub	ecx, eax
		add	ecx, 10000h
		jmp	short loc_662F8F
; 

loc_662F8D:				; CODE XREF: RtlpInsertUCRBlock(x,x)+42j
		mov	ecx, edi

loc_662F8F:				; CODE XREF: RtlpInsertUCRBlock(x,x)+58j
		add	ecx, 38h
		add	esi, 8
		mov	eax, [ecx]
		mov	edx, [eax+4]
		cmp	edx, ecx
		jnz	short loc_662FAA
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		mov	[ecx], esi
		jmp	short loc_662FB8
; 

loc_662FAA:				; CODE XREF: RtlpInsertUCRBlock(x,x)+69j
		push	ebx
		push	ebx
		push	edx
		push	ecx
		push	0Dh
		xor	edx, edx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_662FB8:				; CODE XREF: RtlpInsertUCRBlock(x,x)+75j
		pop	edi
		pop	esi
		pop	ebx
		retn
@RtlpInsertUCRBlock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall RtlpProbeUserBufferSafe(x,	x)
@RtlpProbeUserBufferSafe@8 proc	near	; CODE XREF: RtlpFreeHeapInternal+DB5C9p
					; RtlpSizeHeapInternal(x,x,x)+49p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6A9280
		call	__SEH_prolog4
		mov	esi, ecx
		xor	edi, edi
		mov	[ebp+ms_exc.disabled], edi
		test	dl, 7
		jnz	short loc_662FF4
		lea	ecx, [edx-8]
		cmp	byte ptr [ecx+7], 5
		jnz	short loc_662FE6
		movzx	eax, byte ptr [ecx+6]
		shl	eax, 3
		sub	ecx, eax

loc_662FE6:				; CODE XREF: RtlpProbeUserBufferSafe(x,x)+1Fj
		test	byte ptr [ecx+7], 3Fh
		jnz	short loc_663018
		push	edi
		push	edi
		push	edi
		push	ecx
		push	8
		jmp	short loc_662FFA
; 

loc_662FF4:				; CODE XREF: RtlpProbeUserBufferSafe(x,x)+16j
		push	edi
		push	edi
		push	edi
		push	edx
		push	9

loc_662FFA:				; CODE XREF: RtlpProbeUserBufferSafe(x,x)+36j
		mov	edx, esi
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	ecx, edi
		jmp	short loc_663018
; 

loc_663006:				; DATA XREF: .text:006A9294o
		mov	edx, [ebp+ms_exc.exc_ptr]
		mov	eax, [edx]
		mov	ecx, [eax]
		call	_RtlpHeapExceptionFilter@8 ; RtlpHeapExceptionFilter(x,x)
		retn
; 

loc_663013:				; DATA XREF: .text:006A9298o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	ecx, ecx

loc_663018:				; CODE XREF: RtlpProbeUserBufferSafe(x,x)+2Ej
					; RtlpProbeUserBufferSafe(x,x)+48j
		mov	[ebp+var_1C], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ecx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@RtlpProbeUserBufferSafe@8 endp


;  S U B	R O U T	I N E 


; __fastcall RtlpSearchUCRBlock(x, x)
@RtlpSearchUCRBlock@8 proc near		; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+1A6p
		mov	edi, edi
		push	esi
		lea	esi, [ecx+38h]
		mov	ecx, [esi]
		push	edi
		mov	edi, edx
		jmp	short loc_66304D
; 

loc_663041:				; CODE XREF: RtlpSearchUCRBlock(x,x)+1Bj
		mov	eax, [ecx+0Ch]
		add	eax, [ecx+8]
		cmp	eax, edi
		jz	short loc_663056
		mov	ecx, [ecx]

loc_66304D:				; CODE XREF: RtlpSearchUCRBlock(x,x)+Bj
		cmp	esi, ecx
		jnz	short loc_663041
		xor	eax, eax

loc_663053:				; CODE XREF: RtlpSearchUCRBlock(x,x)+25j
		pop	edi
		pop	esi
		retn
; 

loc_663056:				; CODE XREF: RtlpSearchUCRBlock(x,x)+15j
		lea	eax, [ecx-8]
		jmp	short loc_663053
@RtlpSearchUCRBlock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall RtlpSetupExtendedBlock(x, x, x, x,	x, x)
@RtlpSetupExtendedBlock@24 proc	near	; CODE XREF: RtlpAllocateHeapInternal+DB7A0p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, ecx
		movzx	eax, ax
		add	eax, edi
		mov	byte ptr [ebp+var_4], 0
		mov	[ebp+arg_0], eax
		mov	cl, [edi-1]
		lea	ebx, [edi-8]
		cmp	cl, 4
		jnz	short loc_6630ED
		mov	eax, [esi+44h]
		or	eax, edx
		test	al, 1
		jnz	short loc_66309E
		xor	eax, eax
		inc	eax
		push	eax
		push	dword ptr [esi+0C8h]
		mov	[ebp+var_4], eax
		call	ExAcquireResourceExclusiveLite

loc_66309E:				; CODE XREF: RtlpSetupExtendedBlock(x,x,x,x,x,x)+2Fj
		cmp	dword ptr [esi+4Ch], 0
		jz	short loc_6630C0
		mov	eax, [esi+50h]
		xor	[ebx], eax
		mov	al, [edi-7]
		xor	al, [edi-6]
		xor	al, [ebx]
		cmp	[edi-5], al
		jz	short loc_6630C0
		push	ecx
		mov	edx, ebx
		mov	ecx, esi
		call	_RtlpAnalyzeHeapFailure@12 ; RtlpAnalyzeHeapFailure(x,x,x)

loc_6630C0:				; CODE XREF: RtlpSetupExtendedBlock(x,x,x,x,x,x)+47j
					; RtlpSetupExtendedBlock(x,x,x,x,x,x)+59j
		mov	ecx, [ebp+arg_8]
		add	[ebx], cx
		movzx	edx, word ptr [ebx]
		shr	ecx, 3
		mov	[edi-2], cl
		cmp	dword ptr [esi+4Ch], 0
		jz	short loc_6630E5
		mov	al, [edi-7]
		xor	al, [edi-6]
		xor	al, [ebx]
		mov	[edi-5], al
		mov	eax, [esi+50h]
		xor	[ebx], eax

loc_6630E5:				; CODE XREF: RtlpSetupExtendedBlock(x,x,x,x,x,x)+78j
		mov	ebx, [ebp+arg_0]
		mov	[ebx-2], cl
		jmp	short loc_663157
; 

loc_6630ED:				; CODE XREF: RtlpSetupExtendedBlock(x,x,x,x,x,x)+26j
		cmp	cl, 5
		jnz	short loc_6630FE
		movzx	edx, word ptr [esi+54h]
		movzx	eax, word ptr [edi-4]
		xor	edx, eax
		jmp	short loc_66313F
; 

loc_6630FE:				; CODE XREF: RtlpSetupExtendedBlock(x,x,x,x,x,x)+95j
		test	cl, 40h
		jz	short loc_663110
		movzx	eax, cl
		and	eax, 3Fh
		movzx	edx, word ptr [edi+eax*8-4]
		jmp	short loc_66313F
; 

loc_663110:				; CODE XREF: RtlpSetupExtendedBlock(x,x,x,x,x,x)+A6j
		mov	al, cl
		and	al, 3Fh
		cmp	al, 3Fh
		jz	short loc_663120
		movzx	edx, cl
		and	edx, 3Fh
		jmp	short loc_66313F
; 

loc_663120:				; CODE XREF: RtlpSetupExtendedBlock(x,x,x,x,x,x)+BBj
		cmp	dword ptr [esi+4Ch], 0
		jz	short loc_663135
		mov	eax, [ebx]
		test	[esi+4Ch], eax
		jz	short loc_663130
		xor	eax, [esi+50h]

loc_663130:				; CODE XREF: RtlpSetupExtendedBlock(x,x,x,x,x,x)+D0j
		movzx	eax, ax
		jmp	short loc_663138
; 

loc_663135:				; CODE XREF: RtlpSetupExtendedBlock(x,x,x,x,x,x)+C9j
		movzx	eax, word ptr [ebx]

loc_663138:				; CODE XREF: RtlpSetupExtendedBlock(x,x,x,x,x,x)+D8j
		movzx	eax, ax
		mov	edx, [edi+eax*8-0Ch]

loc_66313F:				; CODE XREF: RtlpSetupExtendedBlock(x,x,x,x,x,x)+A1j
					; RtlpSetupExtendedBlock(x,x,x,x,x,x)+B3j ...
		mov	ebx, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		shr	ecx, 3
		mov	[ebx-2], cl
		mov	al, [edi-1]
		and	al, 0C0h
		or	al, cl
		or	al, 40h
		mov	[edi-1], al

loc_663157:				; CODE XREF: RtlpSetupExtendedBlock(x,x,x,x,x,x)+90j
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_C]
		add	eax, edx
		cmp	byte ptr [ebp+var_4], 0
		mov	byte ptr [ebx-1], 5
		mov	[ebx-4], ax
		mov	[ebx-8], ecx
		jz	short loc_66317B
		mov	ecx, [esi+0C8h]
		call	ExReleaseResourceLite

loc_66317B:				; CODE XREF: RtlpSetupExtendedBlock(x,x,x,x,x,x)+113j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
@RtlpSetupExtendedBlock@24 endp


;  S U B	R O U T	I N E 


; __fastcall RtlpUpdateHeapRates(x, x)
@RtlpUpdateHeapRates@8 proc near	; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+246p
					; RtlpDeCommitFreeBlock(x,x,x,x)+49Dp ...
		sub	edx, 1
		jz	short loc_6631A1
		sub	edx, 1
		jz	short loc_66319A
		sub	edx, 1
		jnz	short locret_6631AD
		inc	dword ptr [ecx+220h]
		retn
; 

loc_66319A:				; CODE XREF: RtlpUpdateHeapRates(x,x)+8j
		inc	dword ptr [ecx+21Ch]
		retn
; 

loc_6631A1:				; CODE XREF: RtlpUpdateHeapRates(x,x)+3j
		inc	dword ptr [ecx+214h]
		inc	dword ptr [ecx+218h]

locret_6631AD:				; CODE XREF: RtlpUpdateHeapRates(x,x)+Dj
		retn
@RtlpUpdateHeapRates@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpAllocateHeapRaiseException(x)
_RtlpAllocateHeapRaiseException@4 proc near ; CODE XREF: RtlpAllocateHeapInternal+DB7F6p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	50h		; size_t
		lea	eax, [ebp+var_54]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		and	[ebp+var_4C], 0
		lea	eax, [ebp+var_54]
		and	[ebp+var_50], 0
		add	esp, 0Ch
		mov	[ebp+var_54], 0C0000017h
		mov	[ebp+var_44], 1
		mov	[ebp+var_40], esi
		push	eax
		mov	[ebp+var_48], offset _RtlRaiseException@4 ; RtlRaiseException(x)
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_RtlpAllocateHeapRaiseException@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpCoalesceFreeBlocks(x, x, x, x)
_RtlpCoalesceFreeBlocks@16 proc	near	; CODE XREF: RtlpFreeHeap(x,x,x,x)+DBp
					; RtlpDeCommitFreeBlock(x,x,x,x)+73p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		movzx	esi, word ptr [edx+4]
		push	edi
		movzx	eax, word ptr [ebx+54h]
		mov	edi, edx
		xor	esi, eax
		shl	esi, 3
		sub	edi, esi
		cmp	edi, edx
		jz	loc_663360
		mov	ecx, [ebx+4Ch]
		mov	eax, ecx
		shr	eax, 14h
		and	al, [ebx+52h]
		xor	al, [edi+2]
		test	al, 1
		jnz	loc_663360
		test	ecx, ecx
		jz	short loc_663268
		mov	eax, [ebx+50h]
		xor	[edi], eax
		mov	al, [edi+1]
		xor	al, [edi]
		xor	al, [edi+2]
		cmp	[edi+3], al
		jz	short loc_663268
		push	ecx
		mov	edx, edi
		mov	ecx, ebx
		call	_RtlpAnalyzeHeapFailure@12 ; RtlpAnalyzeHeapFailure(x,x,x)

loc_663268:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+41j
					; RtlpCoalesceFreeBlocks(x,x,x,x)+53j
		mov	eax, [edi+0Ch]
		lea	esi, [edi+8]
		mov	ecx, [esi]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], eax
		mov	eax, [eax]
		mov	ecx, [ecx+4]
		cmp	eax, ecx
		jnz	loc_66334E
		cmp	eax, esi
		jnz	loc_66334E
		movzx	eax, word ptr [edi]
		sub	[ebx+74h], eax
		mov	edx, [ebx+0B4h]
		test	edx, edx
		jz	short loc_6632BF
		movzx	ecx, word ptr [edi]
		jmp	short loc_6632AC
; 

loc_6632A0:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+A6j
		mov	eax, [edx]
		test	eax, eax
		jz	loc_663345
		mov	edx, eax

loc_6632AC:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+95j
		cmp	ecx, [edx+4]
		jnb	short loc_6632A0
		mov	eax, ecx

loc_6632B3:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+140j
		push	ecx
		push	eax
		push	esi
		push	1
		mov	ecx, ebx
		call	_RtlpHeapRemoveListEntry@24 ; RtlpHeapRemoveListEntry(x,x,x,x,x,x)

loc_6632BF:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+90j
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_8]
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	cl, [edi+2]
		test	cl, 4
		jz	short loc_66331A
		movzx	eax, word ptr [edi]
		lea	esi, ds:0FFFFFFF0h[eax*8]
		test	cl, 2
		jz	short loc_6632E9
		cmp	esi, 4
		jbe	short loc_6632E9
		sub	esi, 4

loc_6632E9:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+D6j
					; RtlpCoalesceFreeBlocks(x,x,x,x)+DBj
		push	0FEEEFEEEh
		push	esi
		lea	eax, [edi+10h]
		push	eax
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, esi
		jz	short loc_66331A
		add	eax, 10h
		add	eax, edi
		push	eax
		push	edi
		push	(offset	loc_5A56D8+4)
		call	_DbgPrint
		add	esp, 0Ch
		cmp	ds:_KdDebuggerEnabled, 0
		jz	short loc_66331A
		int	3		; Trap to Debugger

loc_66331A:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+C7j
					; RtlpCoalesceFreeBlocks(x,x,x,x)+F1j ...
		mov	esi, [ebp+arg_0]
		mov	edx, edi
		movzx	eax, word ptr [edi]
		mov	byte ptr [edi+2], 0
		mov	byte ptr [edi+7], 0
		add	[esi], eax
		mov	ax, [esi]
		mov	[edi], ax
		mov	cx, [esi]
		mov	eax, [esi]
		xor	cx, [ebx+54h]
		mov	[ebp+var_4], edx
		mov	[edi+eax*8+4], cx
		jmp	short loc_663363
; 

loc_663345:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+9Bj
		mov	eax, [edx+4]
		dec	eax
		jmp	loc_6632B3
; 

loc_66334E:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+74j
					; RtlpCoalesceFreeBlocks(x,x,x,x)+7Cj
		push	0
		push	eax
		push	ecx
		push	esi
		push	0Dh
		mov	edx, ebx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	edx, [ebp+var_4]

loc_663360:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+23j
					; RtlpCoalesceFreeBlocks(x,x,x,x)+39j
		mov	esi, [ebp+arg_0]

loc_663363:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+13Aj
		mov	eax, [esi]
		lea	esi, [edx+eax*8]
		xor	eax, eax
		cmp	[ebx+4Ch], eax
		jz	short loc_6633A1
		mov	[ebp+var_C], eax
		mov	eax, [esi]
		mov	edx, [ebx+50h]
		xor	edx, eax
		mov	[ebp+var_10], eax
		mov	ecx, edx
		mov	eax, edx
		shr	ecx, 10h
		shr	eax, 8
		xor	cl, al
		xor	cl, dl
		shr	edx, 18h
		cmp	dl, cl
		jz	short loc_6633A1
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	esi
		push	3

loc_663399:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+1EDj
		mov	edx, ebx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_6633A1:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+164j
					; RtlpCoalesceFreeBlocks(x,x,x,x)+186j
		mov	ecx, [ebx+4Ch]
		mov	eax, ecx
		shr	eax, 14h
		and	al, [ebx+52h]
		xor	al, [esi+2]
		test	al, 1
		jnz	loc_6634B9
		test	ecx, ecx
		jz	short loc_6633D7
		mov	eax, [ebx+50h]
		xor	[esi], eax
		mov	al, [esi+1]
		xor	al, [esi]
		xor	al, [esi+2]
		cmp	[esi+3], al
		jz	short loc_6633D7
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpAnalyzeHeapFailure@12 ; RtlpAnalyzeHeapFailure(x,x,x)

loc_6633D7:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+1B0j
					; RtlpCoalesceFreeBlocks(x,x,x,x)+1C2j
		mov	eax, [esi+0Ch]
		lea	edx, [esi+8]
		mov	edi, [edx]
		mov	[ebp+var_C], eax
		mov	eax, [eax]
		mov	ecx, [edi+4]
		cmp	eax, ecx
		jnz	short loc_6633EF
		cmp	eax, edx
		jz	short loc_6633F8

loc_6633EF:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+1E0j
		push	0
		push	eax
		push	ecx
		push	edx
		push	0Dh
		jmp	short loc_663399
; 

loc_6633F8:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+1E4j
		movzx	eax, word ptr [esi]
		sub	[ebx+74h], eax
		mov	edx, [ebx+0B4h]
		test	edx, edx
		jz	short loc_66342F
		movzx	ecx, word ptr [esi]
		jmp	short loc_663419
; 

loc_66340D:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+213j
		mov	eax, [edx]
		test	eax, eax
		jz	loc_6634B0
		mov	edx, eax

loc_663419:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+202j
		cmp	ecx, [edx+4]
		jnb	short loc_66340D
		mov	eax, ecx

loc_663420:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+2ABj
		push	ecx
		push	eax
		lea	eax, [esi+8]
		mov	ecx, ebx
		push	eax
		push	1
		call	_RtlpHeapRemoveListEntry@24 ; RtlpHeapRemoveListEntry(x,x,x,x,x,x)

loc_66342F:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+1FDj
		mov	eax, [ebp+var_C]
		mov	[eax], edi
		mov	[edi+4], eax
		mov	cl, [esi+2]
		test	cl, 4
		jz	short loc_663487
		movzx	eax, word ptr [esi]
		lea	edi, ds:0FFFFFFF0h[eax*8]
		test	cl, 2
		jz	short loc_663456
		cmp	edi, 4
		jbe	short loc_663456
		sub	edi, 4

loc_663456:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+243j
					; RtlpCoalesceFreeBlocks(x,x,x,x)+248j
		push	0FEEEFEEEh
		lea	eax, [esi+10h]
		push	edi
		push	eax
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, edi
		jz	short loc_663487
		add	eax, 10h
		add	eax, esi
		push	eax
		push	esi
		push	(offset	loc_5A56D8+4)
		call	_DbgPrint
		add	esp, 0Ch
		cmp	ds:_KdDebuggerEnabled, 0
		jz	short loc_663487
		int	3		; Trap to Debugger

loc_663487:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+234j
					; RtlpCoalesceFreeBlocks(x,x,x,x)+25Ej	...
		mov	edx, [ebp+var_4]
		mov	byte ptr [edx+2], 0
		mov	byte ptr [edx+7], 0
		movzx	eax, word ptr [esi]
		mov	esi, [ebp+arg_0]
		add	[esi], eax
		mov	ax, [esi]
		mov	[edx], ax
		mov	cx, [esi]
		mov	eax, [esi]
		xor	cx, [ebx+54h]
		mov	[edx+eax*8+4], cx
		jmp	short loc_6634BC
; 

loc_6634B0:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+208j
		mov	eax, [edx+4]
		dec	eax
		jmp	loc_663420
; 

loc_6634B9:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+1A8j
		mov	edx, [ebp+var_4]

loc_6634BC:				; CODE XREF: RtlpCoalesceFreeBlocks(x,x,x,x)+2A5j
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	8
_RtlpCoalesceFreeBlocks@16 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpCreateHeapEncoding(x)
_RtlpCreateHeapEncoding@4 proc near	; CODE XREF: RtlCreateHeap+11B42Ap
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+48h], 2
		jnz	short loc_663504
		test	dword ptr [esi+40h], 4000000h
		jnz	short loc_663504
		and	dword ptr [esi+50h], 0
		xor	ecx, ecx
		mov	byte ptr [esi+52h], 10h
		inc	ecx
		mov	eax, [esi+50h]
		mov	[esi+4Ch], eax
		call	ExGenRandom
		or	[esi+50h], eax
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		mov	[esi+54h], ax
		mov	word ptr [esi+56h], 0

loc_663504:				; CODE XREF: RtlpCreateHeapEncoding(x)+9j
					; RtlpCreateHeapEncoding(x)+12j
		pop	esi
		retn
_RtlpCreateHeapEncoding@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpCreateUCREntry(x, x, x,	x, x, x)
_RtlpCreateUCREntry@24 proc near	; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+264p
					; RtlpDeCommitFreeBlock(x,x,x,x)+597p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	ecx, [ebp+arg_0]
		push	4
		lea	eax, [ecx+18h]
		mov	[ecx+10h], eax
		lea	esi, [ecx-8]
		mov	eax, [ebp+arg_4]
		mov	[ecx+14h], eax
		pop	eax
		mov	word ptr [esi+2], 1
		mov	[esi], ax
		mov	byte ptr [esi+7], 3
		mov	edx, [ebx+18h]
		cmp	edx, ebx
		jnz	short loc_66353F
		xor	al, al
		jmp	short loc_663565
; 

loc_66353F:				; CODE XREF: RtlpCreateUCREntry(x,x,x,x,x,x)+33j
		mov	eax, esi
		sub	eax, ebx
		shr	eax, 10h
		inc	eax
		mov	[ebp+arg_4], eax
		cmp	eax, 0FEh
		jb	short loc_663565
		push	0
		push	0
		push	ebx
		push	esi
		push	3
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]

loc_663565:				; CODE XREF: RtlpCreateUCREntry(x,x,x,x,x,x)+37j
					; RtlpCreateUCREntry(x,x,x,x,x,x)+49j
		cmp	ds:_RtlpHeapErrorHandlerThreshold, 1
		mov	[esi+6], al
		jl	short loc_663586
		cmp	[ebp+arg_8], esi
		jbe	short loc_663589
		push	(offset	loc_5A5771+1)
		call	_DbgPrint
		pop	ecx
		call	_RtlpHeapHandleError@4 ; RtlpHeapHandleError(x)

loc_663586:				; CODE XREF: RtlpCreateUCREntry(x,x,x,x,x,x)+69j
		cmp	[ebp+arg_8], esi

loc_663589:				; CODE XREF: RtlpCreateUCREntry(x,x,x,x,x,x)+6Ej
		jz	short loc_663593
		mov	ax, [edi+54h]
		mov	[esi+4], ax

loc_663593:				; CODE XREF: RtlpCreateUCREntry(x,x,x,x,x,x):loc_663589j
		cmp	dword ptr [edi+4Ch], 0
		jz	short loc_6635A9
		mov	al, [esi+1]
		xor	al, [esi]
		xor	al, [esi+2]
		mov	[esi+3], al
		mov	eax, [edi+50h]
		xor	[esi], eax

loc_6635A9:				; CODE XREF: RtlpCreateUCREntry(x,x,x,x,x,x)+91j
		mov	edx, ecx
		mov	ecx, edi
		call	@RtlpInsertUCRBlock@8 ;	RtlpInsertUCRBlock(x,x)
		mov	ecx, [ebp+arg_0]
		inc	dword ptr [ebx+30h]
		mov	eax, [ecx+14h]
		shr	eax, 0Ch
		add	[ebx+2Ch], eax
		mov	eax, [ecx+14h]
		sub	[edi+1F8h], eax
		inc	dword ptr [edi+208h]
		mov	eax, [ecx+14h]
		cmp	eax, 7F000h
		jb	short loc_6635E0
		add	[edi+1FCh], eax

loc_6635E0:				; CODE XREF: RtlpCreateUCREntry(x,x,x,x,x,x)+D2j
		sub	esi, [ebp+arg_8]
		mov	eax, [ebp+arg_C]
		sar	esi, 3
		pop	edi
		mov	[eax], esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_RtlpCreateUCREntry@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpDeCommitFreeBlock(x, x,	x, x)
_RtlpDeCommitFreeBlock@16 proc near	; CODE XREF: RtlpFreeHeap(x,x,x,x)+FDp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_14], esi
		mov	[ebp+var_2C], ebx
		mov	eax, [esi+0CCh]
		xor	eax, ds:_RtlpHeapKey
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1], bl
		jz	short loc_663625
		push	[ebp+arg_0]
		jmp	loc_663BB8
; 

loc_663625:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+29j
		mov	edx, [ebp+arg_0]
		cmp	edx, [esi+6Ch]
		jb	loc_663BB5
		mov	eax, [esi+74h]
		add	eax, edx
		mov	[ebp+var_28], eax
		cmp	eax, [esi+70h]
		jb	loc_663BB3
		mov	ecx, [esi+250h]
		mov	eax, [esi+1F8h]
		add	ecx, 3
		shr	eax, cl
		cmp	[ebp+var_28], eax
		jb	loc_663BB3
		push	ecx
		lea	eax, [ebp+arg_0]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	_RtlpCoalesceFreeBlocks@16 ; RtlpCoalesceFreeBlocks(x,x,x,x)
		mov	edx, eax
		mov	al, [edi+6]
		mov	[ebp+var_C], edx
		test	al, al
		jz	short loc_66368C
		movzx	ecx, al
		and	edi, 0FFFF0000h
		shl	ecx, 10h
		sub	edi, ecx
		add	edi, 10000h
		jmp	short loc_66368E
; 

loc_66368C:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+82j
		mov	edi, esi

loc_66368E:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+98j
		mov	ecx, [ebp+arg_0]
		lea	eax, ds:7[ecx*8]
		add	eax, edx
		mov	[ebp+var_30], eax
		cmp	byte ptr [eax],	3
		jnz	loc_663782
		inc	ecx
		lea	ecx, [edx+ecx*8]
		lea	eax, [ecx+8]
		mov	[ebp+var_18], ecx
		mov	ecx, [eax+4]
		mov	edx, [eax]
		mov	[ebp+var_28], ecx
		mov	ecx, [ecx]
		mov	esi, [edx+4]
		cmp	ecx, esi
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_20], esi
		mov	esi, [ebp+var_14]
		jnz	short loc_6636DC
		cmp	[ebp+var_24], eax
		jnz	short loc_6636DC
		mov	eax, [ebp+var_28]
		mov	[eax], edx
		mov	[edx+4], eax
		jmp	short loc_6636F1
; 

loc_6636DC:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+D9j
					; RtlpDeCommitFreeBlock(x,x,x,x)+DEj
		push	ebx
		push	[ebp+var_24]
		xor	edx, edx
		push	[ebp+var_20]
		push	eax
		push	0Dh
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	ecx, [ebp+var_18]

loc_6636F1:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+E8j
		cmp	[ecx+14h], ebx
		jz	short loc_663731
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		mov	esi, [eax+4]
		mov	ecx, [edx]
		cmp	ecx, esi
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_28], esi
		mov	esi, [ebp+var_14]
		jnz	short loc_66371C
		cmp	[ebp+var_24], ecx
		jnz	short loc_66371C
		mov	[edx], eax
		mov	[eax+4], edx
		jmp	short loc_663731
; 

loc_66371C:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+11Cj
					; RtlpDeCommitFreeBlock(x,x,x,x)+121j
		push	ebx
		push	[ebp+var_24]
		xor	edx, edx
		push	[ebp+var_28]
		push	ecx
		push	0Dh
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	ecx, [ebp+var_18]

loc_663731:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+102j
					; RtlpDeCommitFreeBlock(x,x,x,x)+128j
		mov	eax, [ecx+10h]
		mov	[ebp+var_24], eax
		mov	eax, [ecx+14h]
		dec	dword ptr [edi+30h]
		mov	[ebp+var_20], eax
		mov	eax, [ecx+14h]
		shr	eax, 0Ch
		sub	[edi+2Ch], eax
		mov	eax, [ecx+14h]
		add	[esi+1F8h], eax
		dec	dword ptr [esi+208h]
		mov	eax, [ecx+14h]
		cmp	eax, 7F000h
		jb	short loc_66376B
		sub	[esi+1FCh], eax
		mov	eax, [ecx+14h]

loc_66376B:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+16Ej
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+var_C]
		add	ecx, 20h
		shr	eax, 3
		add	ecx, eax
		mov	[ebp+var_1], 1
		mov	[ebp+arg_0], ecx
		jmp	short loc_663785
; 

loc_663782:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+AEj
		mov	[ebp+var_20], ebx

loc_663785:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+18Ej
		mov	ax, [edx+4]
		cmp	ax, [esi+54h]
		jnz	loc_6639FE
		mov	ecx, edi
		mov	[ebp+var_10], edx
		call	@RtlpSearchUCRBlock@8 ;	RtlpSearchUCRBlock(x,x)
		mov	ecx, ds:_RtlpHeapErrorHandlerThreshold
		mov	[ebp+var_18], eax
		mov	[ebp+var_2C], ecx
		cmp	ecx, 1
		jl	short loc_6637C2
		test	eax, eax
		jnz	short loc_6637C2
		push	offset ??_C@_0BD@NIMLHKID@?$CIUCRBlock?5?$CB?$DN?5NULL?$CJ@FNODOBFM@

loc_6637B7:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+21Fj
					; RtlpDeCommitFreeBlock(x,x,x,x)+39Bj ...
		call	_DbgPrint
		pop	ecx
		call	_RtlpHeapHandleError@4 ; RtlpHeapHandleError(x)

loc_6637C2:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+1BAj
					; RtlpDeCommitFreeBlock(x,x,x,x)+1BEj
		mov	eax, [ebp+arg_0]
		mov	edx, eax
		mov	cl, [ebp+var_1]
		shl	edx, 3
		mov	[ebp+var_28], edx
		mov	edx, [ebp+var_C]
		lea	esi, [edx+eax*8]
		mov	[ebp+var_1C], esi
		test	cl, cl
		jnz	short loc_6637E8
		lea	edx, [esi-10h]
		mov	[ebp+var_8], edx
		mov	edx, [ebp+var_C]
		jmp	short loc_6637ED
; 

loc_6637E8:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+1E9j
		mov	eax, esi
		mov	[ebp+var_8], eax

loc_6637ED:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+1F4j
		mov	eax, [ebp+var_8]
		mov	esi, [ebp+var_14]
		and	eax, 0FFFFF000h
		sub	eax, edx
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		jnz	short loc_66381B
		cmp	[ebp+var_2C], 1
		jl	short loc_663813
		test	cl, cl
		jz	short loc_663813

loc_66380C:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+5BCj
		push	offset ??_C@_0P@GLEGKAEG@?$CI?$CBTrailingUCR?$CJ@FNODOBFM@
		jmp	short loc_6637B7
; 

loc_663813:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+214j
					; RtlpDeCommitFreeBlock(x,x,x,x)+218j ...
		push	eax

loc_663814:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+26Ej
					; RtlpDeCommitFreeBlock(x,x,x,x)+471j
		mov	ecx, esi
		jmp	loc_663BB8
; 

loc_66381B:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+20Ej
		push	4000h
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)
		test	eax, eax
		jns	short loc_663862
		push	3
		pop	edx
		mov	ecx, esi
		call	@RtlpUpdateHeapRates@8 ; RtlpUpdateHeapRates(x,x)
		cmp	[ebp+var_1], bl
		mov	ebx, [ebp+var_C]
		jz	short loc_66385B

loc_663845:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+4AEj
		lea	eax, [ebp+arg_0]
		mov	edx, edi
		push	eax
		mov	eax, [ebp+var_24]
		push	ebx
		push	[ebp+var_20]
		add	eax, 0FFFFFFE8h
		push	eax
		call	_RtlpCreateUCREntry@24 ; RtlpCreateUCREntry(x,x,x,x,x,x)

loc_66385B:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+251j
					; RtlpDeCommitFreeBlock(x,x,x,x)+4A8j
		push	[ebp+arg_0]

loc_66385E:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+59Fj
		mov	edx, ebx
		jmp	short loc_663814
; 

loc_663862:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+23Fj
		mov	ecx, [ebp+var_18]
		inc	dword ptr [esi+210h]
		mov	eax, [ecx+14h]
		cmp	eax, 7F000h
		jb	short loc_66387B
		sub	[esi+1FCh], eax

loc_66387B:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+281j
		lea	eax, [ecx+8]
		mov	ecx, [eax+4]
		mov	edx, [eax]
		mov	[ebp+var_2C], ecx
		mov	ecx, [ecx]
		mov	esi, [edx+4]
		cmp	ecx, esi
		mov	[ebp+arg_0], ecx
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_24], esi
		mov	esi, [ebp+var_14]
		jnz	short loc_6638AA
		cmp	[ebp+arg_0], eax
		jnz	short loc_6638AA
		mov	eax, [ebp+var_2C]
		mov	[eax], edx
		mov	[edx+4], eax
		jmp	short loc_6638BF
; 

loc_6638AA:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+2A7j
					; RtlpDeCommitFreeBlock(x,x,x,x)+2ACj
		push	ebx
		push	[ebp+arg_0]
		xor	edx, edx
		push	[ebp+var_24]
		push	eax
		push	0Dh
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	ecx, [ebp+var_18]

loc_6638BF:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+2B6j
		cmp	[ecx+14h], ebx
		jz	short loc_6638FF
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		mov	esi, [eax+4]
		mov	ecx, [edx]
		cmp	ecx, esi
		mov	[ebp+arg_0], ecx
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_2C], esi
		mov	esi, [ebp+var_14]
		jnz	short loc_6638EA
		cmp	[ebp+arg_0], ecx
		jnz	short loc_6638EA
		mov	[edx], eax
		mov	[eax+4], edx
		jmp	short loc_6638FF
; 

loc_6638EA:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+2EAj
					; RtlpDeCommitFreeBlock(x,x,x,x)+2EFj
		push	ebx
		push	[ebp+arg_0]
		xor	edx, edx
		push	[ebp+var_2C]
		push	ecx
		push	0Dh
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	ecx, [ebp+var_18]

loc_6638FF:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+2D0j
					; RtlpDeCommitFreeBlock(x,x,x,x)+2F6j
		mov	eax, [ebp+var_8]
		mov	edx, ecx
		add	[ecx+14h], eax
		mov	ecx, esi
		call	@RtlpInsertUCRBlock@8 ;	RtlpInsertUCRBlock(x,x)
		mov	eax, [ebp+var_8]
		shr	eax, 0Ch
		add	[edi+2Ch], eax
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_8]
		sub	[esi+1F8h], ecx
		mov	eax, [eax+14h]
		cmp	eax, 7F000h
		jb	short loc_663933
		add	[esi+1FCh], eax

loc_663933:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+339j
		cmp	[ebp+var_1], bl
		jnz	loc_663BBD
		mov	edx, [ebp+var_10]
		mov	ax, [esi+54h]
		add	edx, ecx
		mov	[ebp+var_24], edx
		mov	[edx+4], ax
		mov	eax, [ebp+var_8]
		add	eax, [ebp+var_10]
		cmp	[ebp+var_1C], eax
		jz	loc_6639E0
		mov	eax, [ebp+var_28]
		mov	[edx+7], bl
		mov	[edx+2], bl
		sub	eax, [ebp+var_8]
		shr	eax, 3
		movzx	eax, ax
		mov	ecx, eax
		mov	[edx], ax
		xor	eax, eax
		mov	[ebp+var_2C], ecx
		inc	eax
		mov	[ebp+arg_0], ecx
		cmp	ds:_RtlpHeapErrorHandlerThreshold, eax
		jl	short loc_663992
		cmp	cx, ax
		ja	short loc_663992
		push	offset ??_C@_0BM@PABNNLLD@?$CI?$CILONG?$CJFreeEntry?9?$DOSize?5?$DO?51?$CJ@FNODOBFM@
		jmp	loc_6637B7
; 

loc_663992:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+38Fj
					; RtlpDeCommitFreeBlock(x,x,x,x)+394j
		mov	[edx+3], bl
		mov	ecx, [edi+18h]
		cmp	ecx, edi
		jnz	short loc_6639A1
		mov	eax, [ebp+arg_0]
		jmp	short loc_6639D2
; 

loc_6639A1:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+3A8j
		mov	eax, edx
		sub	eax, edi
		shr	eax, 10h
		inc	eax
		mov	[ebp+var_28], eax
		cmp	[ebp+var_28], 0FEh
		mov	eax, [ebp+arg_0]
		movzx	eax, ax
		jb	short loc_6639CF
		push	ebx
		push	ebx
		push	edi
		push	edx
		push	3
		mov	edx, ecx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	edx, [ebp+var_24]
		movzx	eax, word ptr [edx]

loc_6639CF:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+3C7j
		mov	bl, byte ptr [ebp+var_28]

loc_6639D2:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+3ADj
		movzx	eax, ax
		mov	[edx+6], bl
		movzx	eax, ax
		jmp	loc_663813
; 

loc_6639E0:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+363j
		cmp	[esi+4Ch], ebx
		jz	loc_663BBD
		mov	al, [edx+2]
		xor	al, [edx+1]
		xor	al, [edx]
		mov	[edx+3], al
		mov	eax, [esi+50h]
		xor	[edx], eax
		jmp	loc_663BBD
; 

loc_6639FE:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+19Bj
		lea	eax, [edx+101Fh]
		and	eax, 0FFFFF000h
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], eax
		lea	eax, [edx+28h]
		cmp	[ebp+var_18], eax
		jnz	short loc_663A25
		mov	eax, [ebp+var_18]
		add	eax, 1000h
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], eax

loc_663A25:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+423j
		mov	eax, ecx
		shl	eax, 3
		mov	[ebp+var_1C], eax
		add	eax, edx
		mov	[ebp+var_28], eax
		cmp	[ebp+var_1], bl
		jnz	short loc_663A3A
		add	eax, 0FFFFFFF0h

loc_663A3A:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+443j
		and	eax, 0FFFFF000h
		cmp	eax, [ebp+var_18]
		jb	loc_663B96
		mov	esi, [ebp+var_30]
		sub	eax, [ebp+var_18]
		mov	[ebp+var_8], eax
		cmp	byte ptr [esi],	3
		mov	esi, [ebp+var_14]
		jz	short loc_663A68
		test	eax, eax
		jz	short loc_663A62
		cmp	eax, [esi+6Ch]
		jnb	short loc_663A68

loc_663A62:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+469j
					; RtlpDeCommitFreeBlock(x,x,x,x)+5ADj ...
		push	ecx
		jmp	loc_663814
; 

loc_663A68:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+465j
					; RtlpDeCommitFreeBlock(x,x,x,x)+46Ej
		test	eax, eax
		jz	short loc_663AA5
		inc	dword ptr [esi+210h]
		lea	eax, [ebp+var_8]
		push	4000h
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)
		test	eax, eax
		jns	short loc_663AA5
		push	3
		pop	edx
		mov	ecx, esi
		call	@RtlpUpdateHeapRates@8 ; RtlpUpdateHeapRates(x,x)
		cmp	[ebp+var_1], bl
		mov	ebx, [ebp+var_C]
		jz	loc_66385B
		jmp	loc_663845
; 

loc_663AA5:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+478j
					; RtlpDeCommitFreeBlock(x,x,x,x)+496j
		cmp	[ebp+var_1], bl
		jnz	loc_663B73
		mov	edx, [ebp+var_8]
		add	edx, [ebp+var_10]
		mov	ax, [esi+54h]
		mov	[ebp+var_24], edx
		mov	[edx+4], ax
		mov	eax, [ebp+var_8]
		add	eax, [ebp+var_10]
		cmp	[ebp+var_28], eax
		jz	loc_663B5E
		mov	eax, [ebp+var_1C]
		mov	[edx+7], bl
		mov	[edx+2], bl
		sub	eax, [ebp+var_8]
		sub	eax, [ebp+var_10]
		add	eax, [ebp+var_C]
		shr	eax, 3
		movzx	eax, ax
		mov	ecx, eax
		mov	[edx], ax
		xor	eax, eax
		mov	[ebp+var_30], ecx
		inc	eax
		mov	[ebp+arg_0], ecx
		cmp	ds:_RtlpHeapErrorHandlerThreshold, eax
		jl	short loc_663B0B
		cmp	cx, ax
		ja	short loc_663B0B
		push	offset ??_C@_0BK@JLAHADFN@?$CILONG?$CJFreeEntry?9?$DOSize?5?$DO?51@FNODOBFM@
		jmp	loc_6637B7
; 

loc_663B0B:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+508j
					; RtlpDeCommitFreeBlock(x,x,x,x)+50Dj
		mov	[edx+3], bl
		mov	ecx, [edi+18h]
		cmp	ecx, edi
		jnz	short loc_663B1A
		mov	eax, [ebp+arg_0]
		jmp	short loc_663B4B
; 

loc_663B1A:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+521j
		mov	eax, edx
		sub	eax, edi
		shr	eax, 10h
		inc	eax
		mov	[ebp+var_28], eax
		cmp	[ebp+var_28], 0FEh
		mov	eax, [ebp+arg_0]
		movzx	eax, ax
		jb	short loc_663B48
		push	ebx
		push	ebx
		push	edi
		push	edx
		push	3
		mov	edx, ecx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	edx, [ebp+var_24]
		movzx	eax, word ptr [edx]

loc_663B48:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+540j
		mov	bl, byte ptr [ebp+var_28]

loc_663B4B:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+526j
		movzx	eax, ax
		mov	ecx, esi
		movzx	eax, ax
		push	eax
		mov	[edx+6], bl
		call	_RtlpInsertFreeBlock@12	; RtlpInsertFreeBlock(x,x,x)
		jmp	short loc_663B73
; 

loc_663B5E:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+4D6j
		cmp	[esi+4Ch], ebx
		jz	short loc_663B73
		mov	al, [edx+2]
		xor	al, [edx+1]
		xor	al, [edx]
		mov	[edx+3], al
		mov	eax, [esi+50h]
		xor	[edx], eax

loc_663B73:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+4B6j
					; RtlpDeCommitFreeBlock(x,x,x,x)+56Aj ...
		mov	ebx, [ebp+var_C]
		lea	eax, [ebp+var_2C]
		push	eax
		mov	eax, [ebp+var_10]
		mov	edx, edi
		push	ebx
		push	[ebp+var_8]
		add	eax, 0FFFFFFE8h
		mov	ecx, esi
		push	eax
		call	_RtlpCreateUCREntry@24 ; RtlpCreateUCREntry(x,x,x,x,x,x)
		push	[ebp+var_2C]
		jmp	loc_66385E
; 

loc_663B96:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+450j
		xor	eax, eax
		inc	eax
		cmp	ds:_RtlpHeapErrorHandlerThreshold, eax
		jl	loc_663A62
		cmp	[ebp+var_1], bl
		jz	loc_663A62
		jmp	loc_66380C
; 

loc_663BB3:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+4Aj
					; RtlpDeCommitFreeBlock(x,x,x,x)+64j
		mov	ecx, esi

loc_663BB5:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+39j
		push	edx
		mov	edx, edi

loc_663BB8:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+2Ej
					; RtlpDeCommitFreeBlock(x,x,x,x)+224j
		call	_RtlpInsertFreeBlock@12	; RtlpInsertFreeBlock(x,x,x)

loc_663BBD:				; CODE XREF: RtlpDeCommitFreeBlock(x,x,x,x)+344j
					; RtlpDeCommitFreeBlock(x,x,x,x)+3F1j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlpDeCommitFreeBlock@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpExtendHeap(x, x)
_RtlpExtendHeap@8 proc near		; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+259p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, edx
		lea	edx, [ebp+var_C]
		push	esi
		push	edi
		mov	[ebp+var_14], ebx
		mov	esi, ecx
		lea	eax, [ebx+0FFFh]
		and	eax, 0FFFFF000h
		mov	[ebp+var_C], eax
		call	_RtlpFindAndCommitPages@8 ; RtlpFindAndCommitPages(x,x)
		test	eax, eax
		jz	short loc_663C3F
		shr	[ebp+var_C], 3
		mov	edx, eax
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		mov	ecx, esi
		call	_RtlpCoalesceFreeBlocks@16 ; RtlpCoalesceFreeBlocks(x,x,x,x)
		push	[ebp+var_C]
		mov	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	_RtlpInsertFreeBlock@12	; RtlpInsertFreeBlock(x,x,x)
		cmp	dword ptr [esi+4Ch], 0
		jz	loc_663D96
		mov	ecx, [esi+50h]
		xor	[edi], ecx
		mov	al, [edi+2]
		xor	al, [edi+1]
		xor	al, [edi]
		cmp	[edi+3], al
		jz	loc_663D96
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	_RtlpAnalyzeHeapFailure@12 ; RtlpAnalyzeHeapFailure(x,x,x)
		jmp	loc_663D96
; 

loc_663C3F:				; CODE XREF: RtlpExtendHeap(x,x)+2Aj
		xor	edi, edi
		test	byte ptr [esi+40h], 2
		jz	loc_663D96
		mov	eax, [esi+64h]
		add	ebx, 2000h
		mov	[ebp+var_8], edi
		cmp	ebx, eax
		jbe	short loc_663C5D
		mov	eax, ebx

loc_663C5D:				; CODE XREF: RtlpExtendHeap(x,x)+95j
		add	eax, 0FFFFh
		mov	ecx, 0FD0000h
		and	eax, 0FFFF0000h
		mov	[ebp+var_4], eax
		cmp	eax, ecx
		jb	short loc_663C76
		mov	[ebp+var_4], ecx

loc_663C76:				; CODE XREF: RtlpExtendHeap(x,x)+ADj
		push	4
		push	2000h
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		lea	eax, [ebp+var_8]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_663CD1

loc_663C91:				; CODE XREF: RtlpExtendHeap(x,x)+F9j
		mov	ecx, [ebp+var_4]
		cmp	ecx, ebx
		jz	short loc_663CC2
		shr	ecx, 1
		mov	[ebp+var_4], ecx
		cmp	ecx, ebx
		jnb	short loc_663CA4
		mov	[ebp+var_4], ebx

loc_663CA4:				; CODE XREF: RtlpExtendHeap(x,x)+DBj
		push	4
		push	2000h
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		lea	eax, [ebp+var_8]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_663C91
		mov	ecx, [ebp+var_4]

loc_663CC2:				; CODE XREF: RtlpExtendHeap(x,x)+D2j
		test	eax, eax
		jns	short loc_663CD4
		inc	dword ptr [esi+224h]
		jmp	loc_663D96
; 

loc_663CD1:				; CODE XREF: RtlpExtendHeap(x,x)+CBj
		mov	ecx, [ebp+var_4]

loc_663CD4:				; CODE XREF: RtlpExtendHeap(x,x)+100j
		add	[esi+64h], ecx
		mov	ecx, [ebp+var_14]
		mov	eax, [esi+68h]
		add	ecx, 1000h
		cmp	ecx, eax
		ja	short loc_663CE9
		mov	ecx, eax

loc_663CE9:				; CODE XREF: RtlpExtendHeap(x,x)+121j
		mov	edx, [esi+1F8h]
		lea	eax, [esi+0D4h]
		sub	edx, [esi+244h]
		push	eax
		push	esi
		mov	[ebp+var_10], ecx
		call	RtlpHpHeapCheckCommitLimit
		test	eax, eax
		jz	short loc_663D82
		push	4
		push	1000h
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		lea	eax, [ebp+var_8]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_663D82
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]
		add	ecx, 0FFFFF000h
		add	ecx, edx
		push	ecx
		mov	ecx, [ebp+var_10]
		add	ecx, edx
		push	ecx
		push	edx
		push	2
		push	ecx
		push	40h
		mov	ecx, esi
		call	_RtlpInitializeHeapSegment@32 ;	RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)
		test	al, al
		jnz	short loc_663D51
		mov	ebx, 0C0000017h

loc_663D51:				; CODE XREF: RtlpExtendHeap(x,x)+186j
		test	ebx, ebx
		js	short loc_663D82
		mov	eax, [ebp+var_8]
		mov	edx, [eax+24h]
		cmp	[esi+4Ch], edi
		jz	short loc_663D7A
		mov	eax, [esi+50h]
		xor	[edx], eax
		mov	al, [edx+2]
		xor	al, [edx+1]
		xor	al, [edx]
		cmp	[edx+3], al
		jz	short loc_663D7A
		push	ecx
		mov	ecx, esi
		call	_RtlpAnalyzeHeapFailure@12 ; RtlpAnalyzeHeapFailure(x,x,x)

loc_663D7A:				; CODE XREF: RtlpExtendHeap(x,x)+19Aj
					; RtlpExtendHeap(x,x)+1ACj
		mov	eax, [ebp+var_8]
		mov	edi, [eax+24h]
		jmp	short loc_663D96
; 

loc_663D82:				; CODE XREF: RtlpExtendHeap(x,x)+143j
					; RtlpExtendHeap(x,x)+160j ...
		push	8000h
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)

loc_663D96:				; CODE XREF: RtlpExtendHeap(x,x)+50j
					; RtlpExtendHeap(x,x)+66j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_RtlpExtendHeap@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFindAndCommitPages(x, x)
_RtlpFindAndCommitPages@8 proc near	; CODE XREF: RtlpExtendHeap(x,x)+23p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	[ebp+var_8], ebx
		mov	edi, ecx
		mov	edx, [ebx]
		call	@RtlpFindUCREntry@8 ; RtlpFindUCREntry(x,x)
		mov	edx, eax
		lea	esi, [edi+8Ch]
		mov	[ebp+var_4], edx
		cmp	edx, esi
		jz	loc_663E7F
		cmp	ds:_RtlpHeapErrorHandlerThreshold, 1
		jl	short loc_663DE9
		mov	ecx, [edx+14h]
		cmp	ecx, [ebx]
		jnb	short loc_663DE9
		push	offset ??_C@_0BK@FMFPHHEG@?$CIUCRBlock?9?$DOSize?5?$DO?$DN?5?$CKSize?$CJ@FNODOBFM@
		call	_DbgPrint
		pop	ecx
		call	_RtlpHeapHandleError@4 ; RtlpHeapHandleError(x)

loc_663DE9:				; CODE XREF: RtlpFindAndCommitPages(x,x)+33j
					; RtlpFindAndCommitPages(x,x)+3Aj
		lea	esi, [edx-8]
		mov	al, [esi+6]
		test	al, al
		jz	short loc_663E0B
		movzx	eax, al
		mov	ebx, esi
		shl	eax, 10h
		and	ebx, 0FFFF0000h
		sub	ebx, eax
		add	ebx, 10000h
		jmp	short loc_663E0D
; 

loc_663E0B:				; CODE XREF: RtlpFindAndCommitPages(x,x)+54j
		mov	ebx, edi

loc_663E0D:				; CODE XREF: RtlpFindAndCommitPages(x,x)+6Cj
		mov	eax, [edx+10h]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_10], eax
		mov	eax, [edi+0CCh]
		xor	eax, ds:_RtlpHeapKey
		jz	short loc_663E2E
		push	ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		push	edi
		call	eax
		jmp	short loc_663E75
; 

loc_663E2E:				; CODE XREF: RtlpFindAndCommitPages(x,x)+85j
		mov	edx, [edi+1F8h]
		lea	eax, [edi+0D4h]
		mov	ecx, [ecx]
		sub	edx, [edi+244h]
		push	eax
		push	edi
		call	RtlpHpHeapCheckCommitLimit
		test	eax, eax
		jnz	short loc_663E54
		mov	eax, 0C000012Dh
		jmp	short loc_663E6B
; 

loc_663E54:				; CODE XREF: RtlpFindAndCommitPages(x,x)+AEj
		push	4
		push	1000h
		push	[ebp+var_8]
		lea	eax, [ebp+var_10]
		push	0
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)

loc_663E6B:				; CODE XREF: RtlpFindAndCommitPages(x,x)+B5j
		push	2
		pop	edx
		mov	ecx, edi
		call	@RtlpUpdateHeapRates@8 ; RtlpUpdateHeapRates(x,x)

loc_663E75:				; CODE XREF: RtlpFindAndCommitPages(x,x)+8Fj
		test	eax, eax
		jns	short loc_663E86
		inc	dword ptr [edi+224h]

loc_663E7F:				; CODE XREF: RtlpFindAndCommitPages(x,x)+26j
		xor	eax, eax

loc_663E81:				; CODE XREF: RtlpFindAndCommitPages(x,x)+264j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_663E86:				; CODE XREF: RtlpFindAndCommitPages(x,x)+DAj
		xor	edx, edx
		cmp	[edi+4Ch], edx
		jz	short loc_663EAB
		mov	eax, [edi+50h]
		xor	[esi], eax
		mov	al, [esi+2]
		xor	al, [esi+1]
		xor	al, [esi]
		cmp	[esi+3], al
		jz	short loc_663EAB
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	_RtlpAnalyzeHeapFailure@12 ; RtlpAnalyzeHeapFailure(x,x,x)
		xor	edx, edx

loc_663EAB:				; CODE XREF: RtlpFindAndCommitPages(x,x)+EEj
					; RtlpFindAndCommitPages(x,x)+100j
		mov	eax, [ebp+var_4]
		add	eax, 8
		mov	[esi+2], dl
		mov	[esi+7], dl
		mov	esi, [eax]
		mov	ecx, [eax+4]
		mov	[ebp+var_14], esi
		mov	[ebp+var_18], ecx
		mov	esi, [esi+4]
		mov	ecx, [ecx]
		cmp	ecx, esi
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_1C], esi
		lea	esi, [ecx-8]
		jnz	short loc_663EEC
		cmp	[ebp+var_C], eax
		jnz	short loc_663EEC
		mov	esi, [ebp+var_18]
		mov	eax, [ebp+var_14]
		mov	[esi], eax
		mov	[eax+4], esi
		lea	esi, [ecx-8]
		jmp	short loc_663F03
; 

loc_663EEC:				; CODE XREF: RtlpFindAndCommitPages(x,x)+138j
					; RtlpFindAndCommitPages(x,x)+13Dj
		push	edx
		push	[ebp+var_C]
		xor	edx, edx
		push	[ebp+var_1C]
		push	eax
		push	0Dh
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	edx, edx

loc_663F03:				; CODE XREF: RtlpFindAndCommitPages(x,x)+14Dj
		cmp	[ecx+14h], edx
		jz	short loc_663F49
		mov	esi, [ecx+4]
		mov	eax, [ecx]
		mov	[ebp+var_1C], esi
		mov	esi, [esi]
		mov	ecx, [eax+4]
		cmp	esi, ecx
		mov	[ebp+var_18], ecx
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_C], esi
		lea	esi, [ecx-8]
		jnz	short loc_663F34
		cmp	[ebp+var_C], ecx
		jnz	short loc_663F34
		mov	edx, [ebp+var_1C]
		mov	[edx], eax
		mov	[eax+4], edx
		jmp	short loc_663F49
; 

loc_663F34:				; CODE XREF: RtlpFindAndCommitPages(x,x)+186j
					; RtlpFindAndCommitPages(x,x)+18Bj
		push	edx
		push	[ebp+var_C]
		xor	edx, edx
		push	[ebp+var_18]
		push	ecx
		push	0Dh
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]

loc_663F49:				; CODE XREF: RtlpFindAndCommitPages(x,x)+169j
					; RtlpFindAndCommitPages(x,x)+195j
		dec	dword ptr [ebx+30h]
		mov	eax, [ecx+14h]
		shr	eax, 0Ch
		sub	[ebx+2Ch], eax
		mov	eax, [ecx+14h]
		add	[edi+1F8h], eax
		inc	dword ptr [edi+20Ch]
		dec	dword ptr [edi+208h]
		mov	eax, [ecx+14h]
		mov	[ebp+var_C], eax
		cmp	eax, 7F000h
		jb	short loc_663F83
		sub	[edi+1FCh], eax
		mov	eax, [ecx+14h]
		mov	[ebp+var_C], eax

loc_663F83:				; CODE XREF: RtlpFindAndCommitPages(x,x)+1D8j
		mov	edx, [ebp+var_8]
		mov	ecx, [edx]
		cmp	eax, ecx
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+var_4]
		ja	short loc_663FAD
		mov	eax, [ecx+10h]
		add	eax, [ebp+var_C]
		cmp	eax, [ebx+28h]
		jz	short loc_663FAA
		movzx	eax, word ptr [esi]
		mov	ecx, [ebp+var_14]
		lea	eax, [ecx+eax*8]
		mov	[edx], eax
		jmp	short loc_663FCD
; 

loc_663FAA:				; CODE XREF: RtlpFindAndCommitPages(x,x)+1FEj
		mov	eax, [ebp+var_C]

loc_663FAD:				; CODE XREF: RtlpFindAndCommitPages(x,x)+1F3j
		push	edx
		mov	edx, [ebp+var_14]
		sub	eax, edx
		push	esi
		push	eax
		mov	eax, [ecx+10h]
		add	edx, 0FFFFFFE8h
		add	eax, edx
		mov	ecx, edi
		push	eax
		mov	edx, ebx
		call	_RtlpCreateUCREntry@24 ; RtlpCreateUCREntry(x,x,x,x,x,x)
		mov	eax, [ebp+var_8]
		shl	dword ptr [eax], 3

loc_663FCD:				; CODE XREF: RtlpFindAndCommitPages(x,x)+20Bj
		xor	ecx, ecx
		mov	[esi+3], cl
		mov	edx, [ebx+18h]
		cmp	edx, ebx
		jz	short loc_663FFC
		mov	eax, esi
		sub	eax, ebx
		shr	eax, 10h
		inc	eax
		mov	[ebp+var_1C], eax
		cmp	eax, 0FEh
		jb	short loc_663FFA
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	3
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	eax, [ebp+var_1C]

loc_663FFA:				; CODE XREF: RtlpFindAndCommitPages(x,x)+24Cj
		mov	cl, al

loc_663FFC:				; CODE XREF: RtlpFindAndCommitPages(x,x)+23Aj
		mov	[esi+6], cl
		mov	eax, esi
		jmp	loc_663E81
_RtlpFindAndCommitPages@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpInitializeHeapSegment(x, x, x, x, x, x,	x, x)
_RtlpInitializeHeapSegment@32 proc near	; CODE XREF: RtlpExtendHeap(x,x)+17Fp
					; RtlCreateHeap+11B4E6p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_14]
		mov	eax, ecx
		sub	eax, [ebp+arg_C]
		push	edi
		mov	edi, edx
		cmp	eax, 0FFFFF000h
		ja	loc_66414A
		cdq
		mov	ebx, 1000h
		idiv	ebx
		mov	ebx, [ebp+arg_10]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		add	eax, 7
		and	eax, 0FFFFFFF8h
		lea	edx, [eax+edi]
		sar	eax, 3
		movzx	eax, ax
		mov	[ebp+var_C], eax
		lea	eax, [edx+28h]
		mov	[ebp+arg_0], edx
		cmp	eax, ebx
		jb	short loc_6640B9
		cmp	eax, ecx
		jnb	loc_66414A
		mov	ecx, edx
		lea	eax, [esi+0D4h]
		mov	edx, [esi+1F8h]
		sub	ecx, ebx
		sub	edx, [esi+244h]
		add	ecx, 8
		push	eax
		push	esi
		mov	[ebp+var_4], ecx
		call	RtlpHpHeapCheckCommitLimit
		test	eax, eax
		jz	loc_664144
		push	4
		mov	eax, 1000h
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		lea	eax, [ebp+arg_10]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	loc_664144
		mov	ebx, [ebp+arg_10]
		add	ebx, [ebp+var_4]
		mov	ecx, [ebp+arg_14]
		mov	[ebp+arg_10], ebx

loc_6640B9:				; CODE XREF: RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)+51j
		sub	ecx, ebx
		mov	word ptr [edi+2], 1
		mov	eax, ecx
		mov	byte ptr [edi+7], 1
		cdq
		mov	ecx, 1000h
		idiv	ecx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_C]
		mov	[edi], ax
		mov	cx, [esi+54h]
		mov	eax, [ebp+arg_8]
		and	dword ptr [edi+2Ch], 0
		mov	[edi+4], cx
		mov	ecx, [ebp+var_8]
		mov	[edi+0Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[edi+1Ch], eax
		shl	ecx, 0Ch
		add	eax, ecx
		mov	[edi+18h], esi
		mov	[edi+28h], eax
		mov	eax, [ebp+var_8]
		mov	[edi+20h], eax
		lea	eax, [edi+38h]
		mov	dword ptr [edi+8], 0FFEEFFEEh
		mov	[edi+24h], edx
		add	[esi+1F8h], ecx
		add	[esi+1F4h], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	[edi+18h], edi
		setnz	al
		mov	[edi+6], al
		mov	ax, [edi]
		xor	ax, [esi+54h]
		mov	[edx+4], ax
		mov	ecx, [edi+18h]
		cmp	ecx, edi
		jnz	short loc_664153
		xor	al, al
		jmp	short loc_66417E
; 

loc_664144:				; CODE XREF: RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)+80j
					; RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)+A1j
		inc	dword ptr [esi+224h]

loc_66414A:				; CODE XREF: RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)+20j
					; RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)+55j
		xor	al, al

loc_66414C:				; CODE XREF: RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)+1F1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_664153:				; CODE XREF: RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)+138j
		mov	eax, edx
		sub	eax, edi
		shr	eax, 10h
		inc	eax
		mov	[ebp+arg_14], eax
		cmp	eax, 0FEh
		jb	short loc_66417E
		push	0
		push	0
		push	edi
		push	edx
		push	3
		mov	edx, ecx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	ebx, [ebp+arg_10]
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_14]

loc_66417E:				; CODE XREF: RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)+13Cj
					; RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)+15Dj
		mov	[edx+6], al
		mov	ecx, esi
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, [ebp+var_10]
		push	edx
		shl	eax, 0Ch
		mov	edx, edi
		push	eax
		lea	eax, [ebx-18h]
		push	eax
		call	_RtlpCreateUCREntry@24 ; RtlpCreateUCREntry(x,x,x,x,x,x)
		xor	ebx, ebx
		cmp	[esi+4Ch], ebx
		jz	short loc_6641B1
		mov	al, [edi+1]
		xor	al, [edi]
		xor	al, [edi+2]
		mov	[edi+3], al
		mov	eax, [esi+50h]
		xor	[edi], eax

loc_6641B1:				; CODE XREF: RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)+199j
		cmp	[ebp+var_4], ebx
		jz	short loc_6641C3
		push	[ebp+var_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_RtlpInsertFreeBlock@12	; RtlpInsertFreeBlock(x,x,x)

loc_6641C3:				; CODE XREF: RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)+1AEj
		lea	eax, [esi+0A4h]
		add	edi, 10h
		mov	ecx, [eax+4]
		mov	edx, [ecx]
		cmp	edx, eax
		jnz	short loc_6641E1
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		jmp	short loc_6641EF
; 

loc_6641E1:				; CODE XREF: RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)+1CDj
		push	ebx
		push	edx
		push	ebx
		push	eax
		push	0Dh
		xor	edx, edx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_6641EF:				; CODE XREF: RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)+1D9j
		inc	dword ptr [esi+204h]
		mov	al, 1
		jmp	loc_66414C
_RtlpInitializeHeapSegment@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpInsertFreeBlock(x, x, x)
_RtlpInsertFreeBlock@12	proc near	; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+362p
					; RtlpFreeHeap(x,x,x,x)+309p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, edx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_C], edx
		push	edi
		mov	edi, ecx
		test	edx, edx
		jz	loc_66445F
		mov	ax, [esi+4]
		xor	ax, [edi+54h]
		movzx	ecx, ax
		test	cx, cx
		jnz	short loc_664256
		cmp	ds:_RtlpHeapErrorHandlerThreshold, 1
		jl	short loc_664256
		test	byte ptr [esi+2], 8
		jnz	short loc_664256
		lea	eax, [esi+0FFFh]
		and	eax, 0FFFFF000h
		cmp	eax, esi
		jz	short loc_664256
		push	offset ??_C@_0HE@LDFLNCMG@?$CI?$CIFreeBlock?9?$DOFlags?5?$CG?5HEAP_ENTRY@FNODOBFM@

loc_66424B:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+254j
		call	_DbgPrint
		pop	ecx
		call	_RtlpHeapHandleError@4 ; RtlpHeapHandleError(x)

loc_664256:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+2Aj
					; RtlpInsertFreeBlock(x,x,x)+33j ...
		mov	al, [esi+6]
		push	ebx
		test	al, al
		jz	short loc_664276
		movzx	eax, al
		mov	ebx, esi
		shl	eax, 10h
		and	ebx, 0FFFF0000h
		sub	ebx, eax
		add	ebx, 10000h
		jmp	short loc_664278
; 

loc_664276:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+60j
		mov	ebx, edi

loc_664278:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+78j
		mov	al, [esi+2]
		mov	byte ptr [ebp+arg_0+3],	al
		mov	eax, 0FE00h

loc_664283:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+21Fj
		cmp	edx, eax
		jbe	short loc_6642A0
		xor	eax, eax
		cmp	edx, 0FE01h
		setz	al
		dec	eax
		and	eax, 10h
		add	eax, 0FDF0h
		movzx	eax, ax
		jmp	short loc_6642A3
; 

loc_6642A0:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+89j
		movzx	eax, dx

loc_6642A3:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+A2j
		mov	[ebp+var_4], eax
		mov	eax, 0FE00h
		cmp	eax, edx
		sbb	al, al
		not	al
		and	al, byte ptr [ebp+arg_0+3]
		mov	[esi+2], al
		mov	ax, [edi+54h]
		xor	ax, cx
		mov	[esi+4], ax
		mov	edx, [ebx+18h]
		cmp	edx, ebx
		jnz	short loc_6642CD
		xor	al, al
		jmp	short loc_6642F0
; 

loc_6642CD:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+CBj
		mov	eax, esi
		sub	eax, ebx
		shr	eax, 10h
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, 0FEh
		jb	short loc_6642F0
		push	0
		push	0
		push	ebx
		push	esi
		push	3
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	eax, [ebp+var_8]

loc_6642F0:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+CFj
					; RtlpInsertFreeBlock(x,x,x)+E1j
		and	byte ptr [esi+2], 0F0h
		mov	[esi+6], al
		mov	eax, [ebp+var_4]
		mov	[esi], ax
		mov	byte ptr [esi+3], 0
		movzx	eax, ax
		mov	byte ptr [esi+7], 0
		test	byte ptr [edi+40h], 40h
		mov	[ebp+var_8], eax
		jz	short loc_66432E
		push	0FEEEFEEEh
		lea	eax, ds:0FFFFFFF0h[eax*8]
		push	eax
		lea	eax, [esi+10h]
		push	eax
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		or	byte ptr [esi+2], 4
		mov	eax, [ebp+var_8]

loc_66432E:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+113j
		cmp	dword ptr [edi+0B4h], 0
		jz	short loc_66434A
		mov	edx, eax
		mov	ecx, edi
		call	_RtlpFindEntry@8 ; RtlpFindEntry(x,x)
		mov	ecx, eax
		lea	eax, [edi+0C0h]
		jmp	short loc_664352
; 

loc_66434A:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+139j
		lea	eax, [edi+0C0h]
		mov	ecx, [eax]

loc_664352:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+14Cj
		cmp	eax, ecx
		jz	short loc_664387
		mov	edx, [edi+4Ch]

loc_664359:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+189j
		test	edx, edx
		jz	short loc_66436F
		mov	eax, [ecx-8]
		mov	edx, [edi+4Ch]
		test	edx, eax
		jz	short loc_66436A
		xor	eax, [edi+50h]

loc_66436A:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+169j
		movzx	eax, ax
		jmp	short loc_664373
; 

loc_66436F:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+15Fj
		movzx	eax, word ptr [ecx-8]

loc_664373:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+171j
		movzx	eax, ax
		cmp	[ebp+var_8], eax
		jbe	short loc_664387
		mov	ecx, [ecx]
		lea	eax, [edi+0C0h]
		cmp	eax, ecx
		jnz	short loc_664359

loc_664387:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+158j
					; RtlpInsertFreeBlock(x,x,x)+17Dj
		mov	eax, [ecx+4]
		mov	edx, [eax]
		cmp	edx, ecx
		jnz	short loc_66439F
		lea	edx, [esi+8]
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	[eax], edx
		mov	[ecx+4], edx
		jmp	short loc_6643AF
; 

loc_66439F:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+192j
		push	0
		push	edx
		push	0
		push	ecx
		push	0Dh
		xor	edx, edx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_6643AF:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+1A1j
		movzx	eax, word ptr [esi]
		add	[edi+74h], eax
		mov	edx, [edi+0B4h]
		test	edx, edx
		jz	short loc_6643E5
		movzx	ecx, word ptr [esi]
		jmp	short loc_6643D0
; 

loc_6643C4:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+1D7j
		mov	eax, [edx]
		test	eax, eax
		jz	loc_664455
		mov	edx, eax

loc_6643D0:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+1C6j
		cmp	ecx, [edx+4]
		jnb	short loc_6643C4
		mov	eax, ecx

loc_6643D7:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+25Dj
		push	ecx
		push	eax
		lea	eax, [esi+8]
		push	eax
		push	ecx
		mov	ecx, edi
		call	_RtlpHeapAddListEntry@24 ; RtlpHeapAddListEntry(x,x,x,x,x,x)

loc_6643E5:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+1C1j
		cmp	dword ptr [edi+4Ch], 0
		jz	short loc_6643FB
		mov	al, [esi+1]
		xor	al, [esi+2]
		xor	al, [esi]
		mov	[esi+3], al
		mov	eax, [edi+50h]
		xor	[esi], eax

loc_6643FB:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+1EDj
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_C]
		movzx	ecx, ax
		mov	eax, [ebp+var_8]
		sub	edx, eax
		mov	[ebp+var_C], edx
		lea	esi, [esi+eax*8]
		cmp	esi, [ebx+28h]
		jnb	short loc_66445E
		mov	eax, 0FE00h
		test	edx, edx
		jnz	loc_664283
		movzx	eax, word ptr [edi+54h]
		mov	ecx, [ebp+var_4]
		xor	eax, ecx
		mov	[esi+4], ax
		test	cx, cx
		jnz	short loc_66445E
		cmp	ds:_RtlpHeapErrorHandlerThreshold, 1
		jl	short loc_66445E
		lea	eax, [esi+0FFFh]
		and	eax, 0FFFFF000h
		cmp	eax, esi
		jz	short loc_66445E
		push	offset ??_C@_0EB@EODAOBJI@ROUND_UP_TO_POWER2?$CIFreeBlock?0?5P@FNODOBFM@
		jmp	loc_66424B
; 

loc_664455:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+1CCj
		mov	eax, [edx+4]
		dec	eax
		jmp	loc_6643D7
; 

loc_66445E:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+216j
					; RtlpInsertFreeBlock(x,x,x)+235j ...
		pop	ebx

loc_66445F:				; CODE XREF: RtlpInsertFreeBlock(x,x,x)+16j
		pop	edi
		pop	esi
		leave
		retn	4
_RtlpInsertFreeBlock@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpSizeHeapInternal(x, x, x)
_RtlpSizeHeapInternal@12 proc near	; CODE XREF: RtlSizeHeap(x,x,x)+23p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	dword ptr [esi+8], 0CCDDCCDDh
		jnz	short loc_6644A5
		mov	edx, [ebp+arg_0]
		xor	edi, edi
		push	edi
		push	ecx
		lea	ecx, [esi+40h]
		call	_RtlpHpVsChunkSize@16 ;	RtlpHpVsChunkSize(x,x,x,x)
		mov	ebx, eax
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_66449E
		push	edi
		push	edi
		push	edi
		push	[ebp+arg_0]
		mov	edx, esi
		push	9
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_66449E:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+27j
		mov	eax, ebx
		jmp	loc_66459E
; 

loc_6644A5:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+11j
		test	byte ptr [esi+48h], 1
		jz	short loc_6644B7
		mov	edx, [ebp+arg_0]
		call	@RtlpProbeUserBufferSafe@8 ; RtlpProbeUserBufferSafe(x,x)
		mov	ecx, eax
		jmp	short loc_6644F2
; 

loc_6644B7:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+44j
		mov	eax, [ebp+arg_0]
		test	al, 7
		jnz	short loc_6644E0
		lea	ecx, [eax-8]
		cmp	byte ptr [ecx+7], 5
		jnz	short loc_6644D0
		movzx	eax, byte ptr [ecx+6]
		shl	eax, 3
		sub	ecx, eax

loc_6644D0:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+60j
		test	byte ptr [ecx+7], 3Fh
		jnz	short loc_6644F2
		xor	edi, edi
		push	edi
		push	edi
		push	edi
		push	ecx
		push	8
		jmp	short loc_6644E8
; 

loc_6644E0:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+57j
		xor	edi, edi
		push	edi
		push	edi
		push	edi
		push	eax
		push	9

loc_6644E8:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+79j
		mov	edx, esi
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	ecx, edi

loc_6644F2:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+50j
					; RtlpSizeHeapInternal(x,x,x)+6Fj
		test	ecx, ecx
		jnz	short loc_6644FE
		or	eax, 0FFFFFFFFh
		jmp	loc_66459E
; 

loc_6644FE:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+8Fj
		mov	dl, [ecx+7]
		mov	edi, [esi+4Ch]
		cmp	dl, 4
		jnz	short loc_664529
		test	edi, edi
		jz	short loc_66451C
		mov	eax, [ecx]
		test	[esi+4Ch], eax
		jz	short loc_664517
		xor	eax, [esi+50h]

loc_664517:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+ADj
		movzx	eax, ax
		jmp	short loc_66451F
; 

loc_66451C:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+A6j
		movzx	eax, word ptr [ecx]

loc_66451F:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+B5j
		mov	ecx, [ecx-8]
		movzx	eax, ax
		sub	ecx, eax
		jmp	short loc_66459C
; 

loc_664529:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+A2j
		test	edi, edi
		jz	short loc_664541
		mov	eax, [ecx]
		mov	edi, [esi+4Ch]
		test	edi, eax
		jz	short loc_664539
		xor	eax, [esi+50h]

loc_664539:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+CFj
		mov	dl, [ecx+7]
		movzx	ebx, ax
		jmp	short loc_664544
; 

loc_664541:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+C6j
		movzx	ebx, word ptr [ecx]

loc_664544:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+DAj
		cmp	dl, 5
		jnz	short loc_664555
		movzx	edx, word ptr [esi+54h]
		movzx	eax, word ptr [ecx+4]
		xor	edx, eax
		jmp	short loc_664594
; 

loc_664555:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+E2j
		test	dl, 40h
		jz	short loc_664567
		movzx	eax, dl
		and	eax, 3Fh
		movzx	edx, word ptr [ecx+eax*8+4]
		jmp	short loc_664594
; 

loc_664567:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+F3j
		mov	al, dl
		and	al, 3Fh
		cmp	al, 3Fh
		jz	short loc_664577
		movzx	edx, dl
		and	edx, 3Fh
		jmp	short loc_664594
; 

loc_664577:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+108j
		test	edi, edi
		jz	short loc_66458A
		mov	eax, [ecx]
		test	[esi+4Ch], eax
		jz	short loc_664585
		xor	eax, [esi+50h]

loc_664585:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+11Bj
		movzx	eax, ax
		jmp	short loc_66458D
; 

loc_66458A:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+114j
		movzx	eax, word ptr [ecx]

loc_66458D:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+123j
		movzx	eax, ax
		mov	edx, [ecx+eax*8-4]

loc_664594:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+EEj
					; RtlpSizeHeapInternal(x,x,x)+100j ...
		movzx	ecx, bx
		shl	ecx, 3
		sub	ecx, edx

loc_66459C:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+C2j
		mov	eax, ecx

loc_66459E:				; CODE XREF: RtlpSizeHeapInternal(x,x,x)+3Bj
					; RtlpSizeHeapInternal(x,x,x)+94j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_RtlpSizeHeapInternal@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2310. RtlRealPredecessor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlRealPredecessor(x)
		public _RtlRealPredecessor@4
_RtlRealPredecessor@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [edx+4]
		test	eax, eax
		jnz	short loc_6645BF
		mov	ecx, [edx]
		jmp	short loc_6645CC
; 

loc_6645BD:				; CODE XREF: RtlRealPredecessor(x)+1Aj
		mov	eax, ecx

loc_6645BF:				; CODE XREF: RtlRealPredecessor(x)+Dj
		mov	ecx, [eax+8]
		test	ecx, ecx
		jnz	short loc_6645BD
		jmp	short loc_6645DE
; 

loc_6645C8:				; CODE XREF: RtlRealPredecessor(x)+25j
		mov	edx, ecx
		mov	ecx, [ecx]

loc_6645CC:				; CODE XREF: RtlRealPredecessor(x)+11j
		cmp	[ecx+4], edx
		jz	short loc_6645C8
		mov	eax, [ecx+8]
		sub	eax, edx
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx

loc_6645DE:				; CODE XREF: RtlRealPredecessor(x)+1Cj
		pop	ebp
		retn	4
_RtlRealPredecessor@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2353. RtlSubtreeSuccessor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSubtreeSuccessor(x)
		public _RtlSubtreeSuccessor@4
_RtlSubtreeSuccessor@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+8]
		test	eax, eax
		jnz	short loc_6645FC

loc_6645F6:				; CODE XREF: RtlSubtreeSuccessor(x)+1Cj
		pop	ebp
		retn	4
; 

loc_6645FA:				; CODE XREF: RtlSubtreeSuccessor(x)+1Aj
		mov	eax, ecx

loc_6645FC:				; CODE XREF: RtlSubtreeSuccessor(x)+Dj
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_6645FA
		jmp	short loc_6645F6
_RtlSubtreeSuccessor@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2210. RtlIsGenericTableEmpty

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsGenericTableEmpty(x)
		public _RtlIsGenericTableEmpty@4
_RtlIsGenericTableEmpty@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax], 0
		setz	al
		pop	ebp
		retn	4
_RtlIsGenericTableEmpty@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2247. RtlLookupElementGenericTableFull

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLookupElementGenericTableFull(x,	x, x, x)
		public _RtlLookupElementGenericTableFull@16
_RtlLookupElementGenericTableFull@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		push	esi
		call	FindNodeOrParent
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_664657
		cmp	eax, 1
		jnz	short loc_664657
		push	dword ptr [esi]
		call	_RtlSplay@4	; RtlSplay(x)
		mov	[edi], eax
		mov	eax, [esi]
		add	eax, 18h
		jmp	short loc_664659
; 

loc_664657:				; CODE XREF: RtlLookupElementGenericTableFull(x,x,x,x)+1Fj
					; RtlLookupElementGenericTableFull(x,x,x,x)+24j
		xor	eax, eax

loc_664659:				; CODE XREF: RtlLookupElementGenericTableFull(x,x,x,x)+34j
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_RtlLookupElementGenericTableFull@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2121. RtlGetElementGenericTableAvl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetElementGenericTableAvl(x, x)
		public _RtlGetElementGenericTableAvl@8
_RtlGetElementGenericTableAvl@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	edx, [edi+14h]
		cmp	esi, 0FFFFFFFFh
		jz	loc_664742
		mov	ecx, [edi+18h]
		lea	eax, [esi+1]
		mov	[ebp+arg_0], ecx
		cmp	eax, ecx
		ja	loc_664742
		mov	ecx, [edi+10h]
		test	ecx, ecx
		jnz	short loc_6646AB
		mov	ecx, [edi+8]
		jmp	short loc_66469C
; 

loc_66469A:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+3Dj
		mov	ecx, eax

loc_66469C:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+34j
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_66469A
		xor	edx, edx
		mov	[edi+10h], ecx
		mov	[edi+14h], edx

loc_6646AB:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+2Fj
		cmp	esi, edx
		jnz	short loc_6646B7
		lea	eax, [ecx+10h]
		jmp	loc_664744
; 

loc_6646B7:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+49j
		push	ebx
		jnb	short loc_6646F6
		mov	eax, edx
		shr	eax, 1
		cmp	esi, eax
		jb	short loc_6646D4
		sub	edx, esi
		jz	short loc_664736

loc_6646C6:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+6Cj
		call	RealPredecessor
		mov	ecx, eax
		sub	edx, 1
		jnz	short loc_6646C6
		jmp	short loc_664736
; 

loc_6646D4:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+5Cj
		mov	ecx, [edi+8]
		jmp	short loc_6646DB
; 

loc_6646D9:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+7Cj
		mov	ecx, eax

loc_6646DB:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+73j
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_6646D9
		mov	ebx, esi
		test	esi, esi
		jz	short loc_664736

loc_6646E8:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+8Ej
		call	_RealSuccessor@4 ; RealSuccessor(x)
		mov	ecx, eax
		sub	ebx, 1
		jnz	short loc_6646E8
		jmp	short loc_664736
; 

loc_6646F6:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+54j
		mov	eax, [ebp+arg_0]
		mov	ebx, esi
		sub	eax, esi
		sub	ebx, edx
		lea	edx, [eax-1]
		cmp	ebx, eax
		ja	short loc_664718
		test	ebx, ebx
		jz	short loc_664736

loc_66470A:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+B0j
		call	_RealSuccessor@4 ; RealSuccessor(x)
		mov	ecx, eax
		sub	ebx, 1
		jnz	short loc_66470A
		jmp	short loc_664736
; 

loc_664718:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+A0j
		mov	ecx, [edi+8]
		jmp	short loc_66471F
; 

loc_66471D:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+C0j
		mov	ecx, eax

loc_66471F:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+B7j
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	short loc_66471D
		test	edx, edx
		jz	short loc_664736

loc_66472A:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+D0j
		call	RealPredecessor
		mov	ecx, eax
		sub	edx, 1
		jnz	short loc_66472A

loc_664736:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+60j
					; RtlGetElementGenericTableAvl(x,x)+6Ej ...
		mov	[edi+10h], ecx
		lea	eax, [ecx+10h]
		mov	[edi+14h], esi
		pop	ebx
		jmp	short loc_664744
; 

loc_664742:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+13j
					; RtlGetElementGenericTableAvl(x,x)+24j
		xor	eax, eax

loc_664744:				; CODE XREF: RtlGetElementGenericTableAvl(x,x)+4Ej
					; RtlGetElementGenericTableAvl(x,x)+DCj
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_RtlGetElementGenericTableAvl@8	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2250. RtlLookupFirstMatchingElementGenericTableAvl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLookupFirstMatchingElementGenericTableAvl(x, x, x)
		public _RtlLookupFirstMatchingElementGenericTableAvl@12
_RtlLookupFirstMatchingElementGenericTableAvl@12 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		push	eax
		and	dword ptr [ebx], 0
		call	_FindNodeOrParent@12 ; FindNodeOrParent(x,x,x)
		cmp	eax, 1
		jz	short loc_66477B
		xor	eax, eax
		jmp	short loc_6647AE
; 

loc_66477B:				; CODE XREF: RtlLookupFirstMatchingElementGenericTableAvl(x,x,x)+26j
		push	esi
		mov	esi, [ebp+var_4]

loc_66477F:				; CODE XREF: RtlLookupFirstMatchingElementGenericTableAvl(x,x,x)+51j
		mov	ecx, esi
		mov	[ebp+arg_0], esi
		mov	[ebp+arg_8], esi
		call	RealPredecessor
		mov	esi, eax
		test	esi, esi
		jz	short loc_6647A2
		lea	eax, [esi+10h]
		push	eax
		push	[ebp+arg_4]
		push	edi
		call	dword ptr [edi+28h]
		cmp	eax, 2
		jz	short loc_66477F

loc_6647A2:				; CODE XREF: RtlLookupFirstMatchingElementGenericTableAvl(x,x,x)+41j
		mov	eax, [ebp+arg_8]
		mov	[ebx], eax
		mov	eax, [ebp+arg_0]
		add	eax, 10h
		pop	esi

loc_6647AE:				; CODE XREF: RtlLookupFirstMatchingElementGenericTableAvl(x,x,x)+2Aj
		pop	edi
		pop	ebx
		leave
		retn	0Ch
_RtlLookupFirstMatchingElementGenericTableAvl@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2064. RtlEthernetAddressToStringA

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlEthernetAddressToStringA(x, x)
		public _RtlEthernetAddressToStringA@8
_RtlEthernetAddressToStringA@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, byte ptr [ecx+5]
		push	eax
		movzx	eax, byte ptr [ecx+4]
		push	eax
		movzx	eax, byte ptr [ecx+3]
		push	eax
		movzx	eax, byte ptr [ecx+2]
		push	eax
		movzx	eax, byte ptr [ecx+1]
		push	eax
		movzx	eax, byte ptr [ecx]
		push	eax
		push	offset ??_C@_0BO@GHBLPFMO@?$CF02X?9?$CF02X?9?$CF02X?9?$CF02X?9?$CF02X?9?$CF02X@FNODOBFM@
		push	12h
		push	[ebp+arg_4]
		call	_sprintf_s
		add	esp, 24h
		add	eax, [ebp+arg_4]
		pop	ebp
		retn	8
_RtlEthernetAddressToStringA@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2192. RtlIpv4AddressToStringA

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIpv4AddressToStringA(x, x)
		public _RtlIpv4AddressToStringA@8
_RtlIpv4AddressToStringA@8 proc	near	; CODE XREF: RtlIpv4AddressToStringExA(x,x,x,x)+3Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, byte ptr [ecx+3]
		push	eax
		movzx	eax, byte ptr [ecx+2]
		push	eax
		movzx	eax, byte ptr [ecx+1]
		push	eax
		movzx	eax, byte ptr [ecx]
		push	eax
		push	(offset	loc_5A5897+5)
		push	10h
		push	[ebp+arg_4]
		call	_sprintf_s
		add	esp, 1Ch
		add	eax, [ebp+arg_4]
		pop	ebp
		retn	8
_RtlIpv4AddressToStringA@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2193. RtlIpv4AddressToStringExA

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIpv4AddressToStringExA(x, x, x, x)
		public _RtlIpv4AddressToStringExA@16
_RtlIpv4AddressToStringExA@16 proc near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_20], ecx
		push	ebx
		movzx	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		test	eax, eax
		jz	short loc_6648A5
		test	edi, edi
		jz	short loc_6648A5
		test	ecx, ecx
		jnz	short loc_66486A
		cmp	[edi], ecx
		jnz	short loc_6648A5

loc_66486A:				; CODE XREF: RtlIpv4AddressToStringExA(x,x,x,x)+2Fj
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		call	_RtlIpv4AddressToStringA@8 ; RtlIpv4AddressToStringA(x,x)
		mov	esi, eax
		test	bx, bx
		jz	short loc_664899
		mov	ch, bl
		lea	eax, [ebp-6]
		mov	cl, bh
		sub	eax, esi
		movzx	ecx, cx
		push	ecx
		push	(offset	??_C@_02NJNOFBBI@?$CFx@FNODOBFM@+4)
		push	eax
		push	esi
		call	_sprintf_s
		add	esp, 10h
		add	esi, eax

loc_664899:				; CODE XREF: RtlIpv4AddressToStringExA(x,x,x,x)+44j
		lea	eax, [ebp+var_1C]
		sub	esi, eax
		inc	esi
		cmp	[edi], esi
		jnb	short loc_6648BB
		mov	[edi], esi

loc_6648A5:				; CODE XREF: RtlIpv4AddressToStringExA(x,x,x,x)+27j
					; RtlIpv4AddressToStringExA(x,x,x,x)+2Bj ...
		mov	eax, 0C000000Dh

loc_6648AA:				; CODE XREF: RtlIpv4AddressToStringExA(x,x,x,x)+9Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_6648BB:				; CODE XREF: RtlIpv4AddressToStringExA(x,x,x,x)+6Cj
		push	esi		; size_t
		lea	eax, [ebp+var_1C]
		push	eax		; void *
		push	[ebp+var_20]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[edi], esi
		xor	eax, eax
		jmp	short loc_6648AA
_RtlIpv4AddressToStringExA@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2200. RtlIpv6AddressToStringA

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIpv6AddressToStringA(x, x)
		public _RtlIpv6AddressToStringA@8
_RtlIpv6AddressToStringA@8 proc	near	; CODE XREF: RtlIpv6AddressToStringExA(x,x,x,x,x)+54p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		lea	ecx, [ebx+2Eh]
		mov	[ebp+var_10], 8
		mov	[ebp+var_8], ecx
		cmp	[edi], si
		jnz	loc_6649B3
		cmp	[edi+2], si
		jnz	loc_6649B3
		cmp	[edi+4], si
		jnz	loc_6649B3
		cmp	[edi+6], si
		jnz	loc_6649B3
		cmp	[edi+0Ch], si
		jz	loc_6649B3
		movzx	eax, word ptr [edi+8]
		test	ax, ax
		jnz	short loc_66497C
		movzx	eax, word ptr [edi+0Ah]
		test	ax, ax
		jz	short loc_66494A
		mov	edx, 0FFFFh
		cmp	ax, dx
		jnz	short loc_6649B3
		mov	edx, offset ??_C@_05PBFMPBMC@ffff?3@FNODOBFM@
		jmp	short loc_66494F
; 

loc_66494A:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+61j
		mov	edx, offset ??_C@_00CNPNBAHC@@FNODOBFM@

loc_66494F:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+72j
		movzx	eax, byte ptr [edi+0Fh]
		sub	ecx, ebx
		push	eax
		movzx	eax, byte ptr [edi+0Eh]
		push	eax
		movzx	eax, byte ptr [edi+0Dh]
		push	eax
		movzx	eax, byte ptr [edi+0Ch]
		push	eax
		push	edx
		push	offset ??_C@_0BB@JMMKNFHP@?3?3?$CFhs?$CFu?4?$CFu?4?$CFu?4?$CFu@FNODOBFM@
		push	ecx
		push	ebx
		call	_sprintf_s
		add	esp, 20h

loc_664975:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+DBj
		add	eax, ebx
		jmp	loc_664AD1
; 

loc_66497C:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+58j
		mov	edx, 0FFFFh
		cmp	ax, dx
		jnz	short loc_6649B3
		cmp	[edi+0Ah], si
		jnz	short loc_6649B3
		movzx	eax, byte ptr [edi+0Fh]
		sub	ecx, ebx
		push	eax
		movzx	eax, byte ptr [edi+0Eh]
		push	eax
		movzx	eax, byte ptr [edi+0Dh]
		push	eax
		movzx	eax, byte ptr [edi+0Ch]
		push	eax
		push	(offset	loc_5A58A4+4)
		push	ecx
		push	ebx
		call	_sprintf_s
		add	esp, 1Ch
		jmp	short loc_664975
; 

loc_6649B3:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+23j
					; RtlIpv6AddressToStringA(x,x)+2Dj ...
		mov	edx, 0FFFDh
		mov	ecx, esi
		mov	eax, esi
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_C], eax
		test	[edi+8], dx
		jnz	short loc_6649DA
		mov	edx, 0FE5Eh
		cmp	[edi+0Ah], dx
		jnz	short loc_6649DA
		mov	[ebp+var_10], 6

loc_6649DA:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+F0j
					; RtlIpv6AddressToStringA(x,x)+FBj
		mov	edx, esi
		mov	ebx, eax

loc_6649DE:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+138j
		cmp	[edi+edx*2], si
		jnz	short loc_6649FF
		mov	ecx, edx
		sub	ecx, eax
		mov	eax, [ebp+arg_0]
		sub	eax, ebx
		inc	ecx
		cmp	ecx, eax
		mov	eax, [ebp+var_C]
		jle	short loc_664A07
		lea	ecx, [edx+1]
		mov	ebx, eax
		mov	[ebp+arg_0], ecx
		jmp	short loc_664A0A
; 

loc_6649FF:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+10Cj
		lea	eax, [edx+1]
		mov	[ebp+var_C], eax
		jmp	short loc_664A0A
; 

loc_664A07:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+11Dj
		mov	ecx, [ebp+arg_0]

loc_664A0A:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+127j
					; RtlIpv6AddressToStringA(x,x)+12Fj
		inc	edx
		cmp	edx, [ebp+var_10]
		jl	short loc_6649DE
		mov	eax, ecx
		mov	[ebp+var_4], ebx
		sub	eax, ebx
		mov	ebx, [ebp+arg_4]
		cmp	eax, 1
		jg	short loc_664A2B
		mov	ecx, esi
		mov	eax, esi
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_4], eax
		jmp	short loc_664A2E
; 

loc_664A2B:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+147j
		mov	eax, [ebp+var_4]

loc_664A2E:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+153j
					; RtlIpv6AddressToStringA(x,x)+1C8j
		cmp	eax, esi
		jg	short loc_664A52
		cmp	esi, ecx
		jge	short loc_664A52
		mov	eax, [ebp+var_8]
		push	offset ??_C@_02MOLJINC@?3?3@FNODOBFM@
		sub	eax, ebx
		push	eax
		push	ebx
		call	_sprintf_s
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		lea	esi, [ecx-1]
		jmp	short loc_664A93
; 

loc_664A52:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+15Aj
					; RtlIpv6AddressToStringA(x,x)+15Ej
		test	esi, esi
		jz	short loc_664A70
		cmp	esi, ecx
		jz	short loc_664A70
		mov	eax, [ebp+var_8]
		push	offset ??_C@_01JLIPDDHJ@?3@FNODOBFM@
		sub	eax, ebx
		push	eax
		push	ebx
		call	_sprintf_s
		add	esp, 0Ch
		add	ebx, eax

loc_664A70:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+17Ej
					; RtlIpv6AddressToStringA(x,x)+182j
		mov	ax, [edi+esi*2]
		mov	ch, al
		mov	cl, ah
		movzx	eax, cx
		push	eax
		mov	eax, [ebp+var_8]
		push	offset ??_C@_02NJNOFBBI@?$CFx@FNODOBFM@
		sub	eax, ebx
		push	eax
		push	ebx
		call	_sprintf_s
		mov	ecx, [ebp+arg_0]
		add	esp, 10h

loc_664A93:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+17Aj
		mov	edx, [ebp+var_10]
		add	ebx, eax
		mov	eax, [ebp+var_4]
		inc	esi
		cmp	esi, edx
		jl	short loc_664A2E
		cmp	edx, 8
		jnb	short loc_664ACF
		movzx	eax, byte ptr [edi+0Fh]
		push	eax
		movzx	eax, byte ptr [edi+0Eh]
		push	eax
		movzx	eax, byte ptr [edi+0Dh]
		push	eax
		movzx	eax, byte ptr [edi+0Ch]
		push	eax
		mov	eax, [ebp+var_8]
		push	(offset	loc_5A587D+5)
		sub	eax, ebx
		push	eax
		push	ebx
		call	_sprintf_s
		add	esp, 1Ch
		add	ebx, eax

loc_664ACF:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+1CDj
		mov	eax, ebx

loc_664AD1:				; CODE XREF: RtlIpv6AddressToStringA(x,x)+A1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlIpv6AddressToStringA@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2201. RtlIpv6AddressToStringExA

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIpv6AddressToStringExA(x, x, x, x, x)
		public _RtlIpv6AddressToStringExA@20
_RtlIpv6AddressToStringExA@20 proc near

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_50], eax
		push	ebx
		movzx	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_10]
		test	ecx, ecx
		jz	loc_664B9B
		test	edi, edi
		jz	loc_664B9B
		test	eax, eax
		jnz	short loc_664B20
		cmp	[edi], eax
		jnz	short loc_664B9B

loc_664B20:				; CODE XREF: RtlIpv6AddressToStringExA(x,x,x,x,x)+3Dj
		lea	eax, [ebp+var_48]
		test	bx, bx
		jz	short loc_664B2F
		mov	byte ptr [ebp+var_48], 5Bh
		lea	eax, [ebp+var_48+1]

loc_664B2F:				; CODE XREF: RtlIpv6AddressToStringExA(x,x,x,x,x)+49j
		push	eax
		push	ecx
		call	_RtlIpv6AddressToStringA@8 ; RtlIpv6AddressToStringA(x,x)
		mov	esi, eax
		mov	eax, [ebp+var_4C]
		test	eax, eax
		jz	short loc_664B56
		push	eax
		lea	ecx, [ebp-7]
		push	offset ??_C@_04MLNOPOCC@?$CF?$CF?$CFu@FNODOBFM@
		sub	ecx, esi
		push	ecx
		push	esi
		call	_sprintf_s
		add	esp, 10h
		add	esi, eax

loc_664B56:				; CODE XREF: RtlIpv6AddressToStringExA(x,x,x,x,x)+60j
		test	bx, bx
		jz	short loc_664B79
		mov	ah, bl
		mov	al, bh
		movzx	eax, ax
		push	eax
		lea	eax, [ebp-7]
		push	offset ??_C@_04KAGBCOF@?$FN?3?$CFu@FNODOBFM@
		sub	eax, esi
		push	eax
		push	esi
		call	_sprintf_s
		add	esp, 10h
		add	esi, eax

loc_664B79:				; CODE XREF: RtlIpv6AddressToStringExA(x,x,x,x,x)+7Cj
		lea	eax, [ebp+var_48]
		sub	esi, eax
		mov	eax, [edi]
		inc	esi
		mov	[edi], esi
		cmp	eax, esi
		jb	short loc_664B9B
		push	esi		; size_t
		lea	eax, [ebp+var_48]
		push	eax		; void *
		push	[ebp+var_50]	; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		jmp	short loc_664BA0
; 

loc_664B9B:				; CODE XREF: RtlIpv6AddressToStringExA(x,x,x,x,x)+2Dj
					; RtlIpv6AddressToStringExA(x,x,x,x,x)+35j ...
		mov	eax, 0C000000Dh

loc_664BA0:				; CODE XREF: RtlIpv6AddressToStringExA(x,x,x,x,x)+BCj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_RtlIpv6AddressToStringExA@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2065. RtlEthernetAddressToStringW

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlEthernetAddressToStringW(x, x)
		public _RtlEthernetAddressToStringW@8
_RtlEthernetAddressToStringW@8 proc near ; CODE	XREF: AdtpBuildMacStrings(x,x,x)+66p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		movzx	eax, byte ptr [ecx+5]
		push	eax
		movzx	eax, byte ptr [ecx+4]
		push	eax
		movzx	eax, byte ptr [ecx+3]
		push	eax
		movzx	eax, byte ptr [ecx+2]
		push	eax
		movzx	eax, byte ptr [ecx+1]
		push	eax
		movzx	eax, byte ptr [ecx]
		push	eax
		push	(offset	loc_5A595F+1)
		push	12h
		push	esi
		call	_swprintf_s
		add	esp, 24h
		lea	eax, [esi+eax*2]
		pop	esi
		pop	ebp
		retn	8
_RtlEthernetAddressToStringW@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2066. RtlEthernetStringToAddressA

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlEthernetStringToAddressA(x, x, x)
		public _RtlEthernetStringToAddressA@12
_RtlEthernetStringToAddressA@12	proc near

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_8]
		push	edi
		mov	[ebp+var_1C], eax
		lea	edi, [ebp+var_C]

loc_664C23:				; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+C5j
		xor	ecx, ecx
		xor	bl, bl
		jmp	short loc_664C9B
; 

loc_664C29:				; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+A6j
		movsx	eax, bh
		push	eax		; int
		mov	[ebp+var_10], eax
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_664C4F
		push	[ebp+var_10]	; int
		call	_isdigit
		pop	ecx
		test	eax, eax
		jz	short loc_664C4F
		add	bl, 0Dh
		shl	bl, 4
		jmp	short loc_664C8F
; 

loc_664C4F:				; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+3Cj
					; RtlEthernetStringToAddressA(x,x,x)+49j
		push	[ebp+var_10]	; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_664CA6
		push	[ebp+var_10]	; int
		call	_isxdigit
		pop	ecx
		test	eax, eax
		jz	short loc_664CA6
		push	[ebp+var_10]	; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_664C85
		push	[ebp+var_10]	; int
		call	_islower
		test	eax, eax
		mov	al, 61h
		pop	ecx
		jnz	short loc_664C87

loc_664C85:				; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+78j
		mov	al, 41h

loc_664C87:				; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+87j
		shl	bl, 4
		sub	bl, al
		add	bl, 0Ah

loc_664C8F:				; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+51j
		mov	ecx, [ebp+var_14]
		add	bl, bh
		cmp	ecx, 2
		jz	short loc_664CC7
		inc	esi
		inc	ecx

loc_664C9B:				; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+2Bj
		mov	bh, [esi]
		mov	[ebp+var_14], ecx
		test	bh, bh
		jnz	short loc_664C29
		jmp	short loc_664CA9
; 

loc_664CA6:				; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+5Ej
					; RtlEthernetStringToAddressA(x,x,x)+6Bj
		mov	ecx, [ebp+var_14]

loc_664CA9:				; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+A8j
		mov	al, [esi]
		cmp	al, 2Dh
		jz	short loc_664CB3
		cmp	al, 3Ah
		jnz	short loc_664CE2

loc_664CB3:				; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+B1j
		lea	eax, [ebp-7]
		cmp	edi, eax
		jnb	short loc_664CC7
		mov	[edi], bl
		inc	edi
		inc	esi
		cmp	ecx, 2
		jz	loc_664C23

loc_664CC7:				; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+9Bj
					; RtlEthernetStringToAddressA(x,x,x)+BCj
		mov	eax, [ebp+var_18]
		mov	[eax], esi

loc_664CCC:				; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+EEj
					; RtlEthernetStringToAddressA(x,x,x)+FAj
		mov	eax, 0C000000Dh

loc_664CD1:				; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+10Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_664CE2:				; CODE XREF: RtlEthernetStringToAddressA(x,x,x)+B5j
		mov	eax, [ebp+var_18]
		mov	[eax], esi
		cmp	ecx, 2
		jnz	short loc_664CCC
		lea	eax, [edi+1]
		mov	[edi], bl
		lea	ecx, [ebp-6]
		cmp	eax, ecx
		jnz	short loc_664CCC
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+var_C]
		mov	[ecx], eax
		mov	ax, [ebp+var_8]
		mov	[ecx+4], ax
		xor	eax, eax
		jmp	short loc_664CD1
_RtlEthernetStringToAddressA@12	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2196. RtlIpv4StringToAddressA

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIpv4StringToAddressA(x, x, x, x)
		public _RtlIpv4StringToAddressA@16
_RtlIpv4StringToAddressA@16 proc near	; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+39p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	esi, [ebp+var_14]
		mov	[ebp+var_24], ebx
		mov	[ebp+var_28], eax

loc_664D38:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+146j
		xor	al, al
		xor	ebx, ebx
		cmp	byte ptr [edi],	30h
		push	0Ah
		mov	[ebp+var_15], al
		pop	eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], eax
		jnz	short loc_664D88
		inc	edi
		movsx	eax, byte ptr [edi]
		push	eax		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_664D6E
		movsx	eax, byte ptr [edi]
		push	eax		; int
		call	_isdigit
		pop	ecx
		test	eax, eax
		jz	short loc_664D6E
		push	8
		jmp	short loc_664D84
; 

loc_664D6E:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+49j
					; RtlIpv4StringToAddressA(x,x,x,x)+57j
		mov	al, [edi]
		cmp	al, 78h
		jz	short loc_664D81
		cmp	al, 58h
		jz	short loc_664D81
		mov	eax, [ebp+var_20]
		mov	[ebp+var_15], 1
		jmp	short loc_664D88
; 

loc_664D81:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+61j
					; RtlIpv4StringToAddressA(x,x,x,x)+65j
		push	10h
		inc	edi

loc_664D84:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+5Bj
		pop	eax
		mov	[ebp+var_20], eax

loc_664D88:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+3Aj
					; RtlIpv4StringToAddressA(x,x,x,x)+6Ej
		mov	dl, [ebp+arg_4]
		test	dl, dl
		jz	short loc_664D98
		cmp	eax, 0Ah
		jnz	loc_664E5D

loc_664D98:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+7Cj
		mov	al, [edi]
		test	al, al
		jz	loc_664E35

loc_664DA2:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+11Cj
		movsx	ebx, al
		push	ebx		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_664DD2
		push	ebx		; int
		call	_isdigit
		pop	ecx
		test	eax, eax
		jz	short loc_664DD2
		mov	ecx, [ebp+var_20]
		lea	eax, [ebx-30h]
		cmp	eax, ecx
		jge	short loc_664DD2
		mov	edx, [ebp+var_1C]
		mov	eax, ecx
		imul	eax, edx
		add	eax, 0FFFFFFD0h
		jmp	short loc_664E18
; 

loc_664DD2:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+9Dj
					; RtlIpv4StringToAddressA(x,x,x,x)+A8j	...
		cmp	[ebp+var_20], 10h
		jnz	short loc_664E3A
		push	ebx		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_664E3A
		push	ebx		; int
		call	_isxdigit
		pop	ecx
		test	eax, eax
		jz	short loc_664E3A
		push	ebx		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_664E08
		push	ebx		; int
		call	_islower
		pop	ecx
		test	eax, eax
		jz	short loc_664E08
		push	61h
		jmp	short loc_664E0A
; 

loc_664E08:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+E6j
					; RtlIpv4StringToAddressA(x,x,x,x)+F1j
		push	41h

loc_664E0A:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+F5j
		mov	edx, [ebp+var_1C]
		mov	eax, edx
		shl	eax, 4
		pop	ecx
		sub	eax, ecx
		add	eax, 0Ah

loc_664E18:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+BFj
		add	eax, ebx
		cmp	eax, edx
		jb	short loc_664E5D
		inc	edi
		mov	ebx, eax
		mov	cl, 1
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_15], cl
		mov	al, [edi]
		test	al, al
		jnz	loc_664DA2
		jmp	short loc_664E40
; 

loc_664E35:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+8Bj
		mov	cl, [ebp+var_15]
		jmp	short loc_664E43
; 

loc_664E3A:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+C5j
					; RtlIpv4StringToAddressA(x,x,x,x)+D0j	...
		mov	ebx, [ebp+var_1C]
		mov	cl, [ebp+var_15]

loc_664E40:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+122j
		mov	dl, [ebp+arg_4]

loc_664E43:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+127j
		cmp	byte ptr [edi],	2Eh
		jnz	short loc_664E78
		lea	eax, [ebp+var_8]
		cmp	esi, eax
		jnb	short loc_664E5D
		mov	[esi], ebx
		add	esi, 4
		inc	edi
		test	cl, cl
		jnz	loc_664D38

loc_664E5D:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+81j
					; RtlIpv4StringToAddressA(x,x,x,x)+10Bj ...
		mov	eax, [ebp+var_24]
		mov	[eax], edi
		mov	eax, 0C000000Dh

loc_664E67:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+245j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_664E78:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+135j
		test	cl, cl
		jz	short loc_664E5D
		mov	[esi], ebx
		lea	eax, [ebp+var_14]
		sub	esi, eax
		add	esi, 4
		sar	esi, 2
		test	dl, dl
		jz	short loc_664E92
		cmp	esi, 4
		jnz	short loc_664E5D

loc_664E92:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+17Aj
		sub	esi, 1
		jz	loc_664F45
		sub	esi, 1
		jz	short loc_664F1D
		sub	esi, 1
		jz	short loc_664EE4
		sub	esi, 1
		jnz	short loc_664E5D
		mov	edx, [ebp+var_14]
		mov	eax, 0FFh
		cmp	edx, eax
		ja	short loc_664E5D
		mov	ecx, [ebp+var_10]
		cmp	ecx, eax
		ja	short loc_664E5D
		mov	ebx, [ebp+var_C]
		cmp	ebx, eax
		ja	short loc_664E5D
		cmp	[ebp+var_8], eax
		ja	short loc_664E5D
		movzx	ecx, cl
		shl	edx, 8
		or	ecx, edx
		movzx	eax, bl
		shl	ecx, 8
		or	ecx, eax
		mov	eax, [ebp+var_8]
		shl	ecx, 8
		movzx	eax, al
		jmp	short loc_664F41
; 

loc_664EE4:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+192j
		mov	edx, [ebp+var_14]
		mov	eax, 0FFh
		cmp	edx, eax
		ja	loc_664E5D
		mov	ecx, [ebp+var_10]
		cmp	ecx, eax
		ja	loc_664E5D
		mov	eax, [ebp+var_C]
		cmp	eax, 0FFFFh
		ja	loc_664E5D
		movzx	ecx, cl
		shl	edx, 8
		or	ecx, edx
		movzx	eax, ax
		shl	ecx, 10h
		jmp	short loc_664F41
; 

loc_664F1D:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+18Dj
		mov	ecx, [ebp+var_14]
		cmp	ecx, 0FFh
		ja	loc_664E5D
		mov	eax, [ebp+var_10]
		mov	edx, 0FFFFFFh
		cmp	eax, edx
		ja	loc_664E5D
		shl	ecx, 18h
		and	eax, edx

loc_664F41:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+1D1j
					; RtlIpv4StringToAddressA(x,x,x,x)+20Aj
		or	ecx, eax
		jmp	short loc_664F48
; 

loc_664F45:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+184j
		mov	ecx, [ebp+var_14]

loc_664F48:				; CODE XREF: RtlIpv4StringToAddressA(x,x,x,x)+232j
		mov	eax, [ebp+var_24]
		bswap	ecx
		mov	[eax], edi
		mov	eax, [ebp+var_28]
		mov	[eax], ecx
		xor	eax, eax
		jmp	loc_664E67
_RtlIpv4StringToAddressA@16 endp

; 
		align 10h
; Exported entry 2197. RtlIpv4StringToAddressExA

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIpv4StringToAddressExA(x, x, x, x)
		public _RtlIpv4StringToAddressExA@16
_RtlIpv4StringToAddressExA@16 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	[ebp+var_4], esi
		cmp	[ebp+arg_0], esi
		jz	loc_6650FD
		cmp	[ebp+arg_8], esi
		jz	loc_6650FD
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jz	loc_6650FD
		push	[ebp+arg_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_RtlIpv4StringToAddressA@16 ; RtlIpv4StringToAddressA(x,x,x,x)
		test	eax, eax
		js	loc_6650FD
		mov	edi, [ebp+var_4]
		mov	al, [edi]
		cmp	al, 3Ah
		jnz	loc_665109
		push	0Ah
		inc	edi
		mov	[ebp+arg_4], esi
		pop	eax
		push	10h
		mov	[ebp+var_4], eax
		cmp	byte ptr [edi],	30h
		pop	edx
		jnz	short loc_664FE1
		lea	ecx, [edi+1]
		mov	[ebp+var_4], 8
		mov	edi, ecx
		mov	al, [edi]
		cmp	al, 78h
		jz	short loc_664FDB
		cmp	al, 58h
		jnz	short loc_664FE1

loc_664FDB:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+75j
		mov	[ebp+var_4], edx
		lea	edi, [ecx+1]

loc_664FE1:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+63j
					; RtlIpv4StringToAddressExA(x,x,x,x)+79j
		mov	al, [edi]
		mov	byte ptr [ebp+arg_0+3],	al
		mov	byte ptr [ebp+arg_8+3],	al
		test	al, al
		jz	loc_6650F7

loc_664FF1:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+18Ej
		movsx	ebx, al
		inc	edi
		push	ebx		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_665050
		push	ebx		; int
		call	_isdigit
		mov	edx, [ebp+var_4]
		pop	ecx
		test	eax, eax
		jz	short loc_665053
		mov	al, byte ptr [ebp+arg_8+3]
		cbw
		mov	[ebp+var_8], eax
		add	eax, 0FFFFFFD0h
		cmp	ax, dx
		jnb	short loc_665053
		movzx	eax, word ptr [ebp+arg_4]
		movzx	ecx, dx
		imul	eax, ecx
		add	eax, 0FFFFFFD0h
		add	eax, ebx
		cmp	eax, 0FFFFh
		ja	loc_6650FD
		mov	ecx, [ebp+var_8]
		mov	eax, edx
		imul	eax, esi
		add	eax, 0FFFFFFD0h
		add	eax, ecx
		movzx	esi, ax
		mov	[ebp+arg_4], esi
		jmp	loc_6650E7
; 

loc_665050:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+9Ej
		mov	edx, [ebp+var_4]

loc_665053:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+ACj
					; RtlIpv4StringToAddressExA(x,x,x,x)+BCj
		push	10h
		pop	eax
		cmp	dx, ax
		jnz	loc_6650FD
		push	ebx		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	loc_6650FD
		push	ebx		; int
		call	_isxdigit
		pop	ecx
		test	eax, eax
		jz	loc_6650FD
		push	ebx		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_665097
		push	ebx		; int
		call	_islower
		pop	ecx
		test	eax, eax
		jz	short loc_665097
		push	61h
		jmp	short loc_665099
; 

loc_665097:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+126j
					; RtlIpv4StringToAddressExA(x,x,x,x)+131j
		push	41h

loc_665099:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+135j
		movzx	eax, word ptr [ebp+arg_4]
		shl	eax, 4
		pop	ecx
		sub	eax, ecx
		add	eax, 0Ah
		add	eax, ebx
		cmp	eax, 0FFFFh
		ja	short loc_6650FD
		shl	esi, 4
		push	ebx		; int
		mov	[ebp+arg_4], esi
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_6650CF
		push	ebx		; int
		call	_islower
		pop	ecx
		test	eax, eax
		jz	short loc_6650CF
		push	61h
		jmp	short loc_6650D1
; 

loc_6650CF:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+15Ej
					; RtlIpv4StringToAddressExA(x,x,x,x)+169j
		push	41h

loc_6650D1:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+16Dj
		mov	al, byte ptr [ebp+arg_8+3]
		pop	ecx
		cbw
		push	0Ah
		sub	ax, cx
		pop	ecx
		add	ax, cx
		add	word ptr [ebp+arg_4], ax
		mov	esi, [ebp+arg_4]

loc_6650E7:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+EBj
		mov	al, [edi]
		mov	byte ptr [ebp+arg_8+3],	al
		test	al, al
		jnz	loc_664FF1
		mov	ebx, [ebp+arg_C]

loc_6650F7:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+8Bj
		cmp	byte ptr [ebp+arg_0+3],	0
		jnz	short loc_665110

loc_6650FD:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+12j
					; RtlIpv4StringToAddressExA(x,x,x,x)+1Bj ...
		mov	eax, 0C000000Dh

loc_665102:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+1BDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_665109:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+4Dj
		test	al, al
		jnz	short loc_6650FD
		mov	[ebp+arg_4], esi

loc_665110:				; CODE XREF: RtlIpv4StringToAddressExA(x,x,x,x)+19Bj
		mov	ax, word ptr [ebp+arg_4]
		mov	ch, al
		mov	cl, ah
		xor	eax, eax
		mov	[ebx], cx
		jmp	short loc_665102
_RtlIpv4StringToAddressExA@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2204. RtlIpv6StringToAddressA

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIpv6StringToAddressA(x, x, x)
		public _RtlIpv6StringToAddressA@12
_RtlIpv6StringToAddressA@12 proc near	; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+58p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	eax, ebx
		mov	[ebp+var_1C], ebx
		mov	edx, ebx
		mov	[ebp+var_1], bl
		mov	esi, ebx
		mov	[ebp+var_18], ebx
		mov	ecx, ebx
		mov	[ebp+var_14], eax
		push	edi
		mov	edi, ebx
		mov	[ebp+var_C], edx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], ecx
		mov	bl, [ebx]
		jmp	short loc_6651AB
; 

loc_665157:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+89j
		sub	eax, 0
		jz	loc_665265
		sub	eax, 1
		jz	short loc_665179
		sub	eax, 1
		jz	loc_665265
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_14]
		jmp	loc_66532C
; 

loc_665179:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+3Fj
		movsx	esi, bl
		push	esi		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_6651B4
		push	esi		; int
		call	_isdigit
		pop	ecx
		test	eax, eax
		jz	short loc_6651B4
		mov	esi, [ebp+var_8]
		inc	esi
		mov	[ebp+var_8], esi

loc_665199:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+20Bj
					; RtlIpv6StringToAddressA(x,x,x)+21Cj ...
		mov	edx, [ebp+var_C]

loc_66519C:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+BCj
					; RtlIpv6StringToAddressA(x,x,x)+27Dj
		mov	eax, [ebp+var_14]

loc_66519F:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+1C4j
		mov	ecx, [ebp+arg_0]
		inc	ecx
		mov	[ebp+arg_0], ecx
		mov	bl, [ecx]
		mov	ecx, [ebp+var_10]

loc_6651AB:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+31j
		test	bl, bl
		jnz	short loc_665157
		jmp	loc_6653B1
; 

loc_6651B4:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+61j
					; RtlIpv6StringToAddressA(x,x,x)+6Cj
		push	esi		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_6651E2
		push	esi		; int
		call	_isxdigit
		pop	ecx
		test	eax, eax
		jz	short loc_6651E2
		mov	esi, [ebp+var_8]
		mov	edx, [ebp+var_C]
		inc	esi
		mov	[ebp+var_8], esi
		test	edx, edx
		jnz	loc_6653A6
		mov	[ebp+var_1], 1
		jmp	short loc_66519C
; 

loc_6651E2:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+99j
					; RtlIpv6StringToAddressA(x,x,x)+A4j
		cmp	bl, 3Ah
		jnz	short loc_66522F
		cmp	[ebp+var_C], 0
		jnz	loc_6653AB
		cmp	edi, 6
		ja	loc_6653AB
		mov	eax, [ebp+arg_0]
		inc	eax
		cmp	[eax], bl
		jnz	short loc_66521D
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jnz	loc_6653AE
		push	2
		pop	edx
		lea	ecx, [edi+1]
		mov	[ebp+arg_0], eax
		push	edx
		mov	[ebp+var_10], ecx
		pop	eax
		jmp	short loc_665222
; 

loc_66521D:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+DCj
		xor	eax, eax
		xor	edx, edx
		inc	eax

loc_665222:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+F7j
		mov	esi, [ebp+var_8]
		add	edi, eax
		mov	eax, [ebp+var_C]
		jmp	loc_665329
; 

loc_66522F:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+C1j
		cmp	bl, 2Eh
		jnz	loc_6653AB
		cmp	[ebp+var_1], 0
		jnz	loc_6653AB
		mov	eax, [ebp+var_C]
		cmp	eax, 2
		ja	loc_6653AB
		cmp	edi, 6
		ja	loc_6653AB
		inc	eax
		xor	edx, edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], edx
		jmp	loc_665335
; 

loc_665265:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+36j
					; RtlIpv6StringToAddressA(x,x,x)+44j
		cmp	bl, 3Ah
		jnz	short loc_6652AD
		test	edx, edx
		jnz	loc_6653B1
		test	edi, edi
		jnz	loc_6653B1
		mov	eax, [ebp+arg_0]
		inc	eax
		cmp	[eax], bl
		jnz	loc_6653B1
		mov	ebx, [ebp+arg_8]
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+var_18]
		push	2
		pop	edi
		push	edi
		mov	[ebx+ecx*2], dx
		inc	ecx
		pop	edx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edx
		jmp	loc_665338
; 

loc_6652AD:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+144j
		cmp	edi, 7
		ja	loc_6653B1
		movsx	esi, bl
		push	esi		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_6652ED
		push	esi		; int
		call	_isdigit
		pop	ecx
		test	eax, eax
		jz	short loc_6652ED
		mov	eax, [ebp+arg_0]
		xor	esi, esi
		mov	edx, [ebp+var_C]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1], 0
		inc	esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], esi
		jmp	loc_66519F
; 

loc_6652ED:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+19Ej
					; RtlIpv6StringToAddressA(x,x,x)+1A9j
		push	esi		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	loc_6653AB
		push	esi		; int
		call	_isxdigit
		pop	ecx
		test	eax, eax
		jz	loc_6653AB
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_6653AB
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		xor	esi, esi
		mov	[ebp+var_1], 1
		inc	edx
		mov	[ebp+var_1C], ecx
		inc	esi
		mov	[ebp+var_8], esi

loc_665329:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+106j
		mov	[ebp+var_14], edx

loc_66532C:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+50j
		cmp	edx, 1
		jz	loc_665199

loc_665335:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+13Cj
		mov	ebx, [ebp+arg_8]

loc_665338:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+184j
		mov	ecx, [ebp+var_1C]
		mov	esi, [ebp+var_8]
		test	ecx, ecx
		jz	loc_665199
		test	eax, eax
		jnz	short loc_665373
		cmp	esi, 4
		ja	loc_66547E
		push	10h		; int
		push	eax		; char **
		push	ecx		; char *
		call	_strtol
		mov	ch, al
		add	esp, 0Ch
		mov	cl, ah
		mov	eax, [ebp+var_18]
		mov	[ebx+eax*2], cx
		inc	eax
		mov	[ebp+var_18], eax
		jmp	loc_665199
; 

loc_665373:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+224j
		cmp	esi, 3
		ja	loc_66547E
		push	0Ah		; int
		push	0		; char **
		push	ecx		; char *
		call	_strtol
		add	esp, 0Ch
		cmp	eax, 0FFh
		ja	loc_66547E
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_18]
		lea	ecx, [edx+ecx*2]
		mov	[ecx+ebx-1], al
		jmp	loc_66519C
; 

loc_6653A6:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+B2j
		mov	ecx, [ebp+var_10]
		jmp	short loc_6653B1
; 

loc_6653AB:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+C7j
					; RtlIpv6StringToAddressA(x,x,x)+D0j ...
		mov	ecx, [ebp+var_10]

loc_6653AE:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+E3j
		mov	esi, [ebp+var_8]

loc_6653B1:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+8Bj
					; RtlIpv6StringToAddressA(x,x,x)+148j ...
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	[eax], edx
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_6653CA
		cmp	eax, 3
		jnz	loc_66547E
		inc	edi

loc_6653CA:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+29Aj
		test	ecx, ecx
		jnz	short loc_6653D7
		cmp	edi, 7
		jnz	loc_66547E

loc_6653D7:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+2A8j
		mov	edx, [ebp+var_14]
		cmp	edx, 1
		jnz	short loc_665439
		test	eax, eax
		jnz	short loc_66540A
		cmp	esi, 4
		ja	loc_66547E
		push	10h		; int
		push	eax		; char **
		push	[ebp+var_1C]	; char *
		call	_strtol
		mov	edx, [ebp+arg_8]
		mov	ch, al
		mov	cl, ah
		add	esp, 0Ch
		mov	eax, [ebp+var_18]
		mov	[edx+eax*2], cx
		jmp	short loc_665434
; 

loc_66540A:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+2BDj
		cmp	esi, 3
		ja	short loc_66547E
		push	0Ah		; int
		push	0		; char **
		push	[ebp+var_1C]	; char *
		call	_strtol
		add	esp, 0Ch
		cmp	eax, 0FFh
		ja	short loc_66547E
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_C]
		lea	ecx, [ecx+edx*2]
		mov	edx, [ebp+arg_8]
		mov	[ecx+edx], al

loc_665434:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+2E4j
		mov	ecx, [ebp+var_10]
		jmp	short loc_66544A
; 

loc_665439:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+2B9j
		cmp	edx, 2
		jnz	short loc_66547E
		mov	edx, [ebp+arg_8]
		xor	esi, esi
		mov	eax, [ebp+var_18]
		mov	[edx+eax*2], si

loc_66544A:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+313j
		test	ecx, ecx
		jz	short loc_66547A
		lea	esi, [edx+ecx*2]
		mov	eax, edi
		sub	eax, ecx
		sub	ecx, edi
		add	eax, eax
		add	ecx, 8
		push	eax		; size_t
		push	esi		; void *
		lea	eax, [edx+ecx*2]
		push	eax		; void *
		call	_memmove
		push	8
		pop	eax
		sub	eax, edi
		add	eax, eax
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 18h

loc_66547A:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+328j
		xor	eax, eax
		jmp	short loc_665483
; 

loc_66547E:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+229j
					; RtlIpv6StringToAddressA(x,x,x)+252j ...
		mov	eax, 0C000000Dh

loc_665483:				; CODE XREF: RtlIpv6StringToAddressA(x,x,x)+358j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_RtlIpv6StringToAddressA@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2205. RtlIpv6StringToAddressExA

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIpv6StringToAddressExA(x, x, x, x)
		public _RtlIpv6StringToAddressExA@16
_RtlIpv6StringToAddressExA@16 proc near

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		push	esi
		push	edi
		test	eax, eax
		jz	loc_665724
		cmp	[ebp+arg_4], ebx
		jz	loc_665724
		cmp	[ebp+arg_8], ebx
		jz	loc_665724
		cmp	[ebp+arg_C], ebx
		jz	loc_665724
		mov	cl, [eax]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_1], cl
		cmp	cl, 5Bh
		jnz	short loc_6654DB
		inc	eax
		cmp	cl, cl

loc_6654DB:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+47j
		push	[ebp+arg_4]
		lea	ecx, [ebp+var_C]
		setz	byte ptr [ebp+arg_0+3]
		push	ecx
		push	eax
		call	_RtlIpv6StringToAddressA@12 ; RtlIpv6StringToAddressA(x,x,x)
		test	eax, eax
		js	loc_665724
		mov	esi, [ebp+var_C]
		push	0Ah
		pop	eax
		cmp	byte ptr [esi],	25h
		jnz	loc_66559B
		inc	esi
		mov	al, [esi]
		movsx	edi, al
		push	edi		; int
		mov	byte ptr [ebp+arg_4+3],	al
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	loc_665724
		push	edi		; int
		call	_isdigit
		pop	ecx
		test	eax, eax
		jz	loc_665724
		mov	al, byte ptr [ebp+arg_4+3]

loc_66552D:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+107j
		test	al, al
		jz	short loc_665598
		cmp	al, 5Dh
		jz	short loc_665598
		movsx	edi, al
		push	edi		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	loc_665724
		push	edi		; int
		call	_isdigit
		pop	ecx
		test	eax, eax
		jz	loc_665724
		mov	eax, [ebp+var_14]
		push	0Ah
		pop	ecx
		mul	ecx
		mov	[ebp+arg_4], eax
		mov	ecx, edx
		mov	eax, edi
		cdq
		add	[ebp+arg_4], eax
		mov	eax, [ebp+arg_4]
		adc	ecx, edx
		add	eax, 0FFFFFFD0h
		adc	ecx, 0FFFFFFFFh
		cmp	ecx, ebx
		ja	loc_665724
		jb	short loc_665587
		cmp	eax, 0FFFFFFFFh
		ja	loc_665724

loc_665587:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+EDj
		imul	eax, [ebp+var_14], arg_0+2
		add	eax, 0FFFFFFD0h
		add	eax, edi
		inc	esi
		mov	[ebp+var_14], eax
		mov	al, [esi]
		jmp	short loc_66552D
; 

loc_665598:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+A0j
					; RtlIpv6StringToAddressExA(x,x,x,x)+A4j
		push	0Ah
		pop	eax

loc_66559B:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+6Ej
		cmp	byte ptr [esi],	5Dh
		jnz	loc_6656FF
		cmp	[ebp+var_1], 5Bh
		jnz	loc_665724
		inc	esi
		mov	byte ptr [ebp+arg_0+3],	bl
		cmp	byte ptr [esi],	3Ah
		jnz	loc_6656FF
		inc	esi
		mov	[ebp+var_C], eax
		push	10h
		pop	edx
		cmp	byte ptr [esi],	30h
		jnz	short loc_6655E3
		lea	ecx, [esi+1]
		mov	[ebp+var_C], 8
		mov	esi, ecx
		mov	al, [esi]
		cmp	al, 78h
		jz	short loc_6655DD
		cmp	al, 58h
		jnz	short loc_6655E3

loc_6655DD:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+148j
		mov	[ebp+var_C], edx
		lea	esi, [ecx+1]

loc_6655E3:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+136j
					; RtlIpv6StringToAddressExA(x,x,x,x)+14Cj
		mov	al, [esi]
		mov	byte ptr [ebp+arg_4+3],	al
		test	al, al
		jz	loc_6656FF
		mov	bx, word ptr [ebp+var_8]

loc_6655F4:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+268j
		movsx	edi, al
		push	edi		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_66564E
		push	edi		; int
		call	_isdigit
		pop	ecx
		test	eax, eax
		jz	short loc_66564E
		mov	ecx, [ebp+var_C]
		lea	eax, [edi-30h]
		movzx	edx, cx
		cmp	eax, edx
		jge	short loc_66564E
		movzx	eax, bx
		imul	eax, edx
		add	eax, 0FFFFFFD0h
		add	eax, edi
		cmp	eax, 0FFFFh
		ja	loc_665724
		mov	al, byte ptr [ebp+arg_4+3]
		imul	ecx, [ebp+var_10]
		cbw
		sub	ax, 30h
		add	cx, ax
		movzx	eax, cx
		mov	[ebp+var_8], eax
		mov	bx, ax
		jmp	loc_6656EC
; 

loc_66564E:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+171j
					; RtlIpv6StringToAddressExA(x,x,x,x)+17Cj ...
		push	10h
		pop	eax
		cmp	word ptr [ebp+var_C], ax
		jnz	loc_665724
		push	edi		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	loc_665724
		push	edi		; int
		call	_isxdigit
		pop	ecx
		test	eax, eax
		jz	loc_665724
		push	edi		; int
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_665693
		push	edi		; int
		call	_islower
		pop	ecx
		test	eax, eax
		jz	short loc_665693
		push	61h
		jmp	short loc_665695
; 

loc_665693:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+1F3j
					; RtlIpv6StringToAddressExA(x,x,x,x)+1FEj
		push	41h

loc_665695:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+202j
		movzx	eax, bx
		shl	eax, 4
		pop	ecx
		sub	eax, ecx
		add	eax, 0Ah
		add	eax, edi
		cmp	eax, 0FFFFh
		ja	short loc_665724
		mov	eax, [ebp+var_10]
		shl	eax, 4
		push	edi		; int
		mov	[ebp+var_8], eax
		call	___isascii
		pop	ecx
		test	eax, eax
		jz	short loc_6656CD
		push	edi		; int
		call	_islower
		pop	ecx
		test	eax, eax
		jz	short loc_6656CD
		push	61h
		jmp	short loc_6656CF
; 

loc_6656CD:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+22Dj
					; RtlIpv6StringToAddressExA(x,x,x,x)+238j
		push	41h

loc_6656CF:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+23Cj
		mov	al, byte ptr [ebp+arg_4+3]
		mov	bx, word ptr [ebp+var_8]
		pop	ecx
		cbw
		push	0Ah
		sub	ax, cx
		pop	ecx
		add	ax, cx
		add	bx, ax
		mov	word ptr [ebp+var_8], bx
		mov	eax, [ebp+var_8]

loc_6656EC:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+1BAj
		inc	esi
		mov	[ebp+var_10], eax
		mov	al, [esi]
		mov	byte ptr [ebp+arg_4+3],	al
		test	al, al
		jnz	loc_6655F4
		jmp	short loc_665703
; 

loc_6656FF:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+10Fj
					; RtlIpv6StringToAddressExA(x,x,x,x)+126j ...
		mov	bx, word ptr [ebp+var_8]

loc_665703:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+26Ej
		cmp	byte ptr [esi],	0
		jnz	short loc_665724
		cmp	byte ptr [ebp+arg_0+3],	0
		jnz	short loc_665724
		mov	ecx, [ebp+arg_C]
		mov	ah, bl
		mov	al, bh
		mov	[ecx], ax
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+var_14]
		mov	[ecx], eax
		xor	eax, eax
		jmp	short loc_665729
; 

loc_665724:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+18j
					; RtlIpv6StringToAddressExA(x,x,x,x)+21j ...
		mov	eax, 0C000000Dh

loc_665729:				; CODE XREF: RtlIpv6StringToAddressExA(x,x,x,x)+293j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_RtlIpv6StringToAddressExA@16 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2067. RtlEthernetStringToAddressW

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlEthernetStringToAddressW(int,int,wint_t)
		public _RtlEthernetStringToAddressW@12
_RtlEthernetStringToAddressW@12	proc near

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= word ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	edx, 80h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_14], eax
		mov	eax, dword ptr [ebp+arg_8]
		push	edi
		mov	[ebp+var_1C], eax
		lea	edi, [ebp+var_C]

loc_665761:				; CODE XREF: RtlEthernetStringToAddressW(x,x,x)+C5j
		xor	ecx, ecx
		xor	bl, bl
		jmp	short loc_6657C5
; 

loc_665767:				; CODE XREF: RtlEthernetStringToAddressW(x,x,x)+9Cj
		cmp	ax, dx
		jnb	short loc_6657DD
		push	4		; wctype_t
		push	eax		; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_665782
		add	bl, 0Dh
		shl	bl, 4
		jmp	short loc_6657B1
; 

loc_665782:				; CODE XREF: RtlEthernetStringToAddressW(x,x,x)+43j
		push	80h		; wctype_t
		push	dword ptr [ebp+var_10] ; wint_t
		call	_iswctype
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_6657D5
		push	2		; wctype_t
		push	dword ptr [ebp+var_10] ; wint_t
		call	_iswctype
		neg	eax
		pop	ecx
		sbb	al, al
		shl	bl, 4
		and	al, 20h
		add	al, 41h
		sub	bl, al
		pop	ecx
		add	bl, 0Ah

loc_6657B1:				; CODE XREF: RtlEthernetStringToAddressW(x,x,x)+4Bj
		add	bl, byte ptr [ebp+var_10]
		mov	ecx, [ebp+var_18]
		cmp	ecx, 2
		jz	short loc_665800
		add	esi, 2
		mov	edx, 80h
		inc	ecx

loc_6657C5:				; CODE XREF: RtlEthernetStringToAddressW(x,x,x)+30j
		movzx	eax, word ptr [esi]
		mov	dword ptr [ebp+var_10],	eax
		mov	[ebp+var_18], ecx
		test	ax, ax
		jnz	short loc_665767
		jmp	short loc_6657DD
; 

loc_6657D5:				; CODE XREF: RtlEthernetStringToAddressW(x,x,x)+5Ej
		mov	ecx, [ebp+var_18]
		mov	edx, 80h

loc_6657DD:				; CODE XREF: RtlEthernetStringToAddressW(x,x,x)+35j
					; RtlEthernetStringToAddressW(x,x,x)+9Ej
		movzx	eax, word ptr [esi]
		cmp	eax, 2Dh
		jz	short loc_6657EA
		cmp	eax, 3Ah
		jnz	short loc_66581B

loc_6657EA:				; CODE XREF: RtlEthernetStringToAddressW(x,x,x)+AEj
		lea	eax, [ebp-7]
		cmp	edi, eax
		jnb	short loc_665800
		mov	[edi], bl
		add	esi, 2
		inc	edi
		cmp	ecx, 2
		jz	loc_665761

loc_665800:				; CODE XREF: RtlEthernetStringToAddressW(x,x,x)+85j
					; RtlEthernetStringToAddressW(x,x,x)+BAj
		mov	eax, [ebp+var_14]
		mov	[eax], esi

loc_665805:				; CODE XREF: RtlEthernetStringToAddressW(x,x,x)+EEj
					; RtlEthernetStringToAddressW(x,x,x)+FAj
		mov	eax, 0C000000Dh

loc_66580A:				; CODE XREF: RtlEthernetStringToAddressW(x,x,x)+10Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_66581B:				; CODE XREF: RtlEthernetStringToAddressW(x,x,x)+B3j
		mov	eax, [ebp+var_14]
		mov	[eax], esi
		cmp	ecx, 2
		jnz	short loc_665805
		lea	eax, [edi+1]
		mov	[edi], bl
		lea	ecx, [ebp-6]
		cmp	eax, ecx
		jnz	short loc_665805
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+var_C]
		mov	[ecx], eax
		mov	ax, [ebp+var_8]
		mov	[ecx+4], ax
		xor	eax, eax
		jmp	short loc_66580A
_RtlEthernetStringToAddressW@12	endp


;  S U B	R O U T	I N E 


RtlpGetCorrelationVectorEndPosition proc near ;	CODE XREF: RtlExtendCorrelationVector(x)+Ep
					; RtlValidateCorrelationVector(x)+25p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	edx, edx
		call	RtlpGetCorrelationVectorBufferLength
		test	eax, eax
		jle	short loc_665865

loc_665855:				; CODE XREF: RtlpGetCorrelationVectorEndPosition+1Aj
		cmp	byte ptr [esi+edx+1], 0
		jz	short loc_665861
		inc	edx
		cmp	edx, eax
		jl	short loc_665855

loc_665861:				; CODE XREF: RtlpGetCorrelationVectorEndPosition+15j
		cmp	eax, edx
		jg	short loc_665868

loc_665865:				; CODE XREF: RtlpGetCorrelationVectorEndPosition+Ej
		or	edx, 0FFFFFFFFh

loc_665868:				; CODE XREF: RtlpGetCorrelationVectorEndPosition+1Ej
		mov	eax, edx
		pop	esi
		retn
RtlpGetCorrelationVectorEndPosition endp


;  S U B	R O U T	I N E 


RtlpGetCorrelationVectorLastDotPosition	proc near
					; CODE XREF: RtlIncrementCorrelationVector(x)+34p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		or	esi, 0FFFFFFFFh
		xor	edx, edx
		call	RtlpGetCorrelationVectorBufferLength
		mov	edi, eax
		test	edi, edi
		jle	short loc_665896

loc_665883:				; CODE XREF: RtlpGetCorrelationVectorLastDotPosition+28j
		mov	al, [ebx+edx+1]
		test	al, al
		jz	short loc_665896
		cmp	al, 2Eh
		jnz	short loc_665891
		mov	esi, edx

loc_665891:				; CODE XREF: RtlpGetCorrelationVectorLastDotPosition+21j
		inc	edx
		cmp	edx, edi
		jl	short loc_665883

loc_665896:				; CODE XREF: RtlpGetCorrelationVectorLastDotPosition+15j
					; RtlpGetCorrelationVectorLastDotPosition+1Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
RtlpGetCorrelationVectorLastDotPosition	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpImageDirectoryEntryToData64(x, x, x, x,	x, x)
_RtlpImageDirectoryEntryToData64@24 proc near
					; CODE XREF: RtlpImageDirectoryEntryToDataEx+1737A6p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		mov	ecx, [ebp+arg_8]
		movzx	edx, [ebp+arg_0]
		cmp	edx, [ecx+84h]
		jnb	short loc_665912
		mov	esi, [ecx+edx*8+88h]
		test	esi, esi
		jnz	short loc_6658CB
		mov	eax, 0C0000002h
		jmp	short loc_665917
; 

loc_6658CB:				; CODE XREF: RtlpImageDirectoryEntryToData64(x,x,x,x,x,x)+26j
		mov	ebx, ds:_MmHighestUserAddress
		cmp	edi, ebx
		jnb	short loc_6658DC
		lea	eax, [esi+edi]
		cmp	eax, ebx
		jnb	short loc_665912

loc_6658DC:				; CODE XREF: RtlpImageDirectoryEntryToData64(x,x,x,x,x,x)+37j
		cmp	[ebp+var_1], 0
		mov	eax, [ebp+arg_4]
		mov	edx, [ecx+edx*8+8Ch]
		mov	[eax], edx
		jnz	short loc_665908
		cmp	esi, [ecx+54h]
		jb	short loc_665908
		push	esi
		mov	edx, edi
		call	_RtlAddressInSectionTable@12 ; RtlAddressInSectionTable(x,x,x)
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_665912

loc_665904:				; CODE XREF: RtlpImageDirectoryEntryToData64(x,x,x,x,x,x)+74j
		xor	eax, eax
		jmp	short loc_665917
; 

loc_665908:				; CODE XREF: RtlpImageDirectoryEntryToData64(x,x,x,x,x,x)+50j
					; RtlpImageDirectoryEntryToData64(x,x,x,x,x,x)+55j
		mov	eax, [ebp+arg_C]
		lea	ecx, [esi+edi]
		mov	[eax], ecx
		jmp	short loc_665904
; 

loc_665912:				; CODE XREF: RtlpImageDirectoryEntryToData64(x,x,x,x,x,x)+1Bj
					; RtlpImageDirectoryEntryToData64(x,x,x,x,x,x)+3Ej ...
		mov	eax, 0C000000Dh

loc_665917:				; CODE XREF: RtlpImageDirectoryEntryToData64(x,x,x,x,x,x)+2Dj
					; RtlpImageDirectoryEntryToData64(x,x,x,x,x,x)+6Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_RtlpImageDirectoryEntryToData64@24 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 2122. RtlGetEnabledExtendedAndSupervisorFeatures

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetEnabledExtendedAndSupervisorFeatures(x, x)
		public _RtlGetEnabledExtendedAndSupervisorFeatures@8
_RtlGetEnabledExtendedAndSupervisorFeatures@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:0FFDF03D8h
		or	eax, ds:0FFDF05F0h
		mov	edx, ds:0FFDF03DCh
		or	edx, ds:0FFDF05F4h
		and	eax, [ebp+arg_0]
		and	edx, [ebp+arg_4]
		pop	ebp
		retn	8
_RtlGetEnabledExtendedAndSupervisorFeatures@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2242. RtlLocateSupervisorFeature

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLocateSupervisorFeature(x, x, x)
		public _RtlLocateSupervisorFeature@12
_RtlLocateSupervisorFeature@12 proc near ; CODE	XREF: KiGetSavedIptState(x,x,x)+39p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		lea	eax, [ebx-2]
		cmp	eax, 3Dh
		ja	loc_665A7F
		xor	eax, eax
		xor	edx, edx
		inc	eax
		mov	ecx, ebx
		call	__allshl
		mov	esi, ds:0FFDF05F0h
		mov	edi, eax
		mov	ecx, ds:0FFDF05F4h
		mov	eax, edx
		and	esi, edi
		mov	[ebp+var_14], edi
		and	ecx, eax
		mov	[ebp+var_10], eax
		or	esi, ecx
		jz	loc_665A7F
		test	byte ptr ds:0FFDF03ECh,	2
		jz	loc_665A7F
		mov	edx, [ebp+arg_0]
		mov	ecx, [edx+0Ch]
		mov	eax, [edx+8]
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jg	loc_665A7F
		jl	short loc_6659C4
		test	eax, eax
		jnb	loc_665A7F

loc_6659C4:				; CODE XREF: RtlLocateSupervisorFeature(x,x,x)+6Cj
		mov	ecx, [edx]
		mov	eax, [edx+4]
		and	ecx, edi
		mov	esi, [ebp+var_10]
		and	eax, esi
		or	ecx, eax
		jz	loc_665A7F
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		and	ecx, edi
		and	eax, esi
		or	ecx, eax
		jz	loc_665A7F
		push	40h
		pop	edi
		push	2
		pop	ecx
		mov	[ebp+var_C], ecx
		cmp	ebx, ecx
		jbe	short loc_665A50
		mov	[ebp+arg_4], 0FFDF060Ch

loc_6659FE:				; CODE XREF: RtlLocateSupervisorFeature(x,x,x)+FAj
		xor	eax, eax
		xor	edx, edx
		inc	eax
		call	__allshl
		mov	esi, eax
		mov	ecx, edx
		and	esi, [ebp+var_4]
		and	ecx, [ebp+var_8]
		or	esi, ecx
		jz	short loc_665A36
		mov	ecx, ds:0FFDF05F8h
		and	ecx, eax
		mov	eax, ds:0FFDF05FCh
		and	eax, edx
		or	ecx, eax
		jz	short loc_665A2F
		add	edi, 3Fh
		and	edi, 0FFFFFFC0h

loc_665A2F:				; CODE XREF: RtlLocateSupervisorFeature(x,x,x)+D9j
		mov	eax, [ebp+arg_4]
		add	edi, [eax]
		jmp	short loc_665A39
; 

loc_665A36:				; CODE XREF: RtlLocateSupervisorFeature(x,x,x)+C6j
		mov	eax, [ebp+arg_4]

loc_665A39:				; CODE XREF: RtlLocateSupervisorFeature(x,x,x)+E6j
		mov	ecx, [ebp+var_C]
		add	eax, 4
		inc	ecx
		mov	[ebp+arg_4], eax
		mov	[ebp+var_C], ecx
		cmp	ecx, ebx
		jb	short loc_6659FE
		mov	edx, [ebp+arg_0]
		mov	esi, [ebp+var_10]

loc_665A50:				; CODE XREF: RtlLocateSupervisorFeature(x,x,x)+A7j
		mov	ecx, ds:0FFDF05F8h
		mov	eax, ds:0FFDF05FCh
		and	ecx, [ebp+var_14]
		and	eax, esi
		or	ecx, eax
		jz	short loc_665A6A
		add	edi, 3Fh
		and	edi, 0FFFFFFC0h

loc_665A6A:				; CODE XREF: RtlLocateSupervisorFeature(x,x,x)+114j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_665A7A
		mov	eax, ds:0FFDF0604h[ebx*4]
		mov	[ecx], eax

loc_665A7A:				; CODE XREF: RtlLocateSupervisorFeature(x,x,x)+121j
		lea	eax, [edi+edx]
		jmp	short loc_665A81
; 

loc_665A7F:				; CODE XREF: RtlLocateSupervisorFeature(x,x,x)+14j
					; RtlLocateSupervisorFeature(x,x,x)+42j ...
		xor	eax, eax

loc_665A81:				; CODE XREF: RtlLocateSupervisorFeature(x,x,x)+12Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_RtlLocateSupervisorFeature@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlXRestoreS(x, x, x)
_RtlXRestoreS@12 proc near		; CODE XREF: KeRestoreExtendedAndSupervisorState+E45E1p
					; KeRestoreSupervisorState(x,x,x)+4Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr ds:0FFDF03ECh,	2
		mov	edx, ecx
		jnz	short loc_665AA5
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_RtlXRestore@12	; RtlXRestore(x,x,x)
		jmp	short loc_665ABF
; 

loc_665AA5:				; CODE XREF: RtlXRestoreS(x,x,x)+Ej
		mov	eax, [edx+20Ch]
		mov	ecx, [edx+208h]
		and	eax, [ebp+arg_4]
		and	ecx, [ebp+arg_0]
		push	eax
		push	ecx
		push	edx
		call	_XRestoreSHelper@12 ; XRestoreSHelper(x,x,x)

loc_665ABF:				; CODE XREF: RtlXRestoreS(x,x,x)+1Bj
		pop	ebp
		retn	8
_RtlXRestoreS@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlXSaveS(x, x, x)
_RtlXSaveS@12	proc near		; CODE XREF: KeSaveExtendedAndSupervisorState+E5BB5p
					; KeSaveSupervisorState(x,x,x)+70p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr ds:0FFDF03ECh,	2
		mov	edx, ecx
		jnz	short loc_665AE0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	RtlXSave
		jmp	short loc_665AFA
; 

loc_665AE0:				; CODE XREF: RtlXSaveS(x,x,x)+Ej
		mov	eax, [edx+20Ch]
		mov	ecx, [edx+208h]
		and	eax, [ebp+arg_4]
		and	ecx, [ebp+arg_0]
		push	eax
		push	ecx
		push	edx
		call	_XSaveSHelper@12 ; XSaveSHelper(x,x,x)

loc_665AFA:				; CODE XREF: RtlXSaveS(x,x,x)+1Bj
		pop	ebp
		retn	8
_RtlXSaveS@12	endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 2223. RtlIsServicePackVersionInstalled

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsServicePackVersionInstalled(x)
		public _RtlIsServicePackVersionInstalled@4
_RtlIsServicePackVersionInstalled@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, ecx
		and	eax, 0FFFF0000h
		cmp	eax, 0A000000h
		jz	short loc_665B1D
		xor	al, al
		jmp	short loc_665B2B
; 

loc_665B1D:				; CODE XREF: RtlIsServicePackVersionInstalled(x)+14j
		xor	eax, eax
		and	ecx, 0FF00h
		cmp	eax, ecx
		sbb	al, al
		inc	al

loc_665B2B:				; CODE XREF: RtlIsServicePackVersionInstalled(x)+18j
		pop	ebp
		retn	4
_RtlIsServicePackVersionInstalled@4 endp


;  S U B	R O U T	I N E 


; __stdcall FindEmailAt(x, x)
_FindEmailAt@8	proc near		; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+125p
					; RtlpValidateAsciiStd3AndLength(x,x,x,x)+24p
		lea	ecx, [ecx+edx*2]
		lea	eax, [edx-1]
		add	ecx, 0FFFFFFFEh
		test	eax, eax
		js	short loc_665B4A

loc_665B3C:				; CODE XREF: FindEmailAt(x,x)+19j
		cmp	word ptr [ecx],	40h
		jz	short loc_665B4D
		sub	ecx, 2
		sub	eax, 1
		jns	short loc_665B3C

loc_665B4A:				; CODE XREF: FindEmailAt(x,x)+Bj
		mov	eax, edx
		retn
; 

loc_665B4D:				; CODE XREF: FindEmailAt(x,x)+11j
		inc	eax
		retn
_FindEmailAt@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FindLabelEnd(x, x, x)
_FindLabelEnd@12 proc near		; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+76p
					; punycode_encode(x,x,x,x,x,x)+52p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jz	short loc_665B7B
		lea	eax, [edx-2]
		jmp	short loc_665B68
; 

loc_665B5F:				; CODE XREF: FindLabelEnd(x,x,x)+1Bj
		cmp	word ptr [eax],	40h
		jz	short loc_665B6E
		sub	eax, 2

loc_665B68:				; CODE XREF: FindLabelEnd(x,x,x)+Ej
		cmp	eax, ecx
		jnb	short loc_665B5F

loc_665B6C:				; CODE XREF: FindLabelEnd(x,x,x)+30j
		mov	eax, edx

loc_665B6E:				; CODE XREF: FindLabelEnd(x,x,x)+14j
					; FindLabelEnd(x,x,x)+34j
		pop	ebp
		retn	4
; 

loc_665B72:				; CODE XREF: FindLabelEnd(x,x,x)+2Ej
		cmp	word ptr [ecx],	2Eh
		jz	short loc_665B81
		add	ecx, 2

loc_665B7B:				; CODE XREF: FindLabelEnd(x,x,x)+9j
		cmp	ecx, edx
		jb	short loc_665B72
		jmp	short loc_665B6C
; 

loc_665B81:				; CODE XREF: FindLabelEnd(x,x,x)+27j
		mov	eax, ecx
		jmp	short loc_665B6E
_FindLabelEnd@12 endp


;  S U B	R O U T	I N E 


; __stdcall GetUTF32(x)
_GetUTF32@4	proc near		; CODE XREF: punycode_encode(x,x,x,x,x,x)+21Dp
					; punycode_encode(x,x,x,x,x,x)+276p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		movzx	ecx, word ptr [esi]
		mov	edx, ecx
		call	_IsSurrogate@4	; IsSurrogate(x)
		test	al, al
		jnz	short loc_665B9C
		mov	eax, edx
		pop	esi
		retn
; 

loc_665B9C:				; CODE XREF: GetUTF32(x)+11j
		movzx	ecx, word ptr [esi+2]
		lea	eax, [edx-0D7F7h]
		shl	eax, 0Ah
		add	eax, ecx
		pop	esi
		retn
_GetUTF32@4	endp


;  S U B	R O U T	I N E 


; __stdcall IdnaMemAlloc(x)
_IdnaMemAlloc@4	proc near		; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+171p
					; RtlIdnToUnicode(x,x,x,x,x)+Bp ...
		mov	edi, edi
		push	esi
		push	edi
		push	456E6449h
		mov	edi, ecx
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_665BD2
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_665BD2:				; CODE XREF: IdnaMemAlloc(x)+17j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_IdnaMemAlloc@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InsertChar(x, x, x)
_InsertChar@12	proc near		; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+3ACp
					; punycode_decode(x,x,x,x,x,x,x,x)+3C7p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, [edi]
		jmp	short loc_665BEC
; 

loc_665BE5:				; CODE XREF: InsertChar(x,x,x)+1Aj
		mov	ax, [esi]
		mov	[esi+2], ax

loc_665BEC:				; CODE XREF: InsertChar(x,x,x)+Cj
		sub	esi, 2
		cmp	esi, edx
		jnb	short loc_665BE5
		mov	[edx], cx
		add	dword ptr [edi], 2
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_InsertChar@12	endp


;  S U B	R O U T	I N E 


; __stdcall IsAnyDot(x)
_IsAnyDot@4	proc near		; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+1C7p
		cmp	cx, 2Eh
		jz	short loc_665C24
		mov	eax, 3002h
		cmp	cx, ax
		jz	short loc_665C24
		mov	eax, 0FF0Eh
		cmp	cx, ax
		jz	short loc_665C24
		add	eax, 53h
		cmp	cx, ax
		jz	short loc_665C24
		xor	al, al
		retn
; 

loc_665C24:				; CODE XREF: IsAnyDot(x)+4j
					; IsAnyDot(x)+Ej ...
		mov	al, 1
		retn
_IsAnyDot@4	endp


;  S U B	R O U T	I N E 


; __stdcall IsSurrogate(x)
_IsSurrogate@4	proc near		; CODE XREF: GetUTF32(x)+Ap
					; punycode_decode(x,x,x,x,x,x,x,x)+330p ...
		add	ecx, 2800h
		mov	eax, 7FFh
		cmp	ax, cx
		sbb	al, al
		inc	al
		retn
_IsSurrogate@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpIdnToUnicodeWorker(int,void	*,int,void *,int)
_RtlpIdnToUnicodeWorker@28 proc	near	; CODE XREF: RtlIdnToUnicode(x,x,x,x,x)+2Fp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		mov	byte ptr [ebp+var_1], cl
		push	edi
		test	esi, esi
		jz	loc_665E84
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	loc_665E84
		mov	eax, [edi]
		test	eax, eax
		js	loc_665E84
		mov	edx, [ebp+arg_0]
		cmp	edx, 0FFFFFFFFh
		jl	loc_665E84
		test	eax, eax
		jle	short loc_665C87
		cmp	[ebp+arg_4], ecx
		jz	loc_665E84

loc_665C87:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+42j
		test	ebx, 0FFFFFFF0h
		jnz	loc_665E84
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_665CB7
		lea	eax, [ebp+arg_0]
		mov	[ebp+arg_0], ecx
		push	eax
		mov	edx, 203h
		mov	ecx, esi
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		test	eax, eax
		js	loc_665D67
		mov	edx, [ebp+arg_0]
		inc	edx

loc_665CB7:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+5Cj
		movzx	eax, word ptr [esi+edx*2-2]
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ax, ax
		jnz	short loc_665CC7
		dec	edx

loc_665CC7:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+8Aj
		lea	eax, [ebp+var_8]
		mov	[ebp+arg_0], 1FFh
		push	eax
		lea	eax, [ebp+var_1]
		mov	ecx, ebx
		push	eax
		mov	eax, ebx
		and	ecx, 4
		shr	eax, 1
		and	al, 1
		mov	[ebp+var_14], ecx
		movzx	eax, al
		test	ecx, ecx
		push	eax
		setnz	al
		mov	ecx, esi
		movzx	eax, al
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		push	[ebp+arg_C]
		call	_punycode_decode@32 ; punycode_decode(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_665E89
		mov	eax, [ebp+var_C]
		mov	esi, [ebp+arg_0]
		test	ax, ax
		jnz	short loc_665D26
		cmp	esi, 1FFh
		jge	short loc_665D67
		mov	ecx, [ebp+arg_C]
		xor	edx, edx
		mov	[ecx+esi*2], dx
		inc	esi
		jmp	short loc_665D29
; 

loc_665D26:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+D6j
		mov	ecx, [ebp+arg_C]

loc_665D29:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+EAj
		mov	[ebp+var_10], esi
		test	bl, 8
		jnz	loc_665E45
		cmp	byte ptr [ebp+var_1], 0
		jnz	loc_665E45
		cmp	[ebp+var_14], 0
		mov	byte ptr [ebp+arg_0+3],	0
		jz	short loc_665D74
		lea	eax, [ebp+arg_0+3]
		push	eax
		mov	eax, [ebp+var_8]
		sub	eax, ecx
		sar	eax, 1
		push	eax
		push	ecx
		push	1
		call	_RtlIsNormalizedString@16 ; RtlIsNormalizedString(x,x,x,x)
		test	eax, eax
		js	short loc_665D67
		cmp	byte ptr [ebp+arg_0+3],	0
		jnz	short loc_665D71

loc_665D67:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+73j
					; RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+DEj ...
		mov	eax, 0C0000716h
		jmp	loc_665E89
; 

loc_665D71:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+12Bj
		mov	eax, [ebp+var_C]

loc_665D74:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+10Dj
		mov	edx, [ebp+var_8]
		xor	ecx, ecx
		sub	edx, [ebp+arg_C]
		sar	edx, 1
		test	ax, ax
		mov	eax, esi
		setz	cl
		sub	eax, ecx
		cmp	edx, eax
		jge	loc_665E45
		xor	eax, eax
		mov	edi, esi
		cmp	word ptr [ebp+var_C], ax
		setz	al
		inc	eax
		sub	edi, eax
		mov	eax, [ebp+var_8]
		sub	edi, edx
		add	eax, 2
		mov	ecx, edi
		mov	[ebp+var_14], eax
		call	_IdnaMemAlloc@4	; IdnaMemAlloc(x)
		mov	edx, eax
		mov	[ebp+var_C], edx
		test	edx, edx
		jnz	short loc_665DC3
		mov	eax, 0C0000017h
		jmp	loc_665E89
; 

loc_665DC3:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+17Dj
		xor	ecx, ecx
		test	edi, edi
		jle	short loc_665DF4
		mov	esi, [ebp+var_8]

loc_665DCC:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+1B5j
		movzx	eax, word ptr [esi+ecx*2+2]
		mov	[ebp+var_8], eax
		add	eax, 0FFFFFFBFh
		cmp	ax, 19h
		ja	short loc_665DEC
		mov	eax, [ebp+var_8]
		add	eax, 20h
		mov	[esi+ecx*2+2], ax
		mov	byte ptr [edx+ecx], 1

loc_665DEC:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+1A1j
		inc	ecx
		cmp	ecx, edi
		jl	short loc_665DCC
		mov	esi, [ebp+var_10]

loc_665DF4:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+18Dj
		lea	eax, [ebp+arg_0+3]
		not	ebx
		push	eax
		push	edi
		push	[ebp+var_14]
		and	ebx, 1
		shl	ebx, 8
		add	ebx, 0Dh
		push	ebx
		call	_RtlIsNormalizedString@16 ; RtlIsNormalizedString(x,x,x,x)
		test	eax, eax
		js	short loc_665E5C
		cmp	byte ptr [ebp+arg_0+3],	0
		jz	short loc_665E5C
		mov	ecx, [ebp+var_C]
		xor	eax, eax
		test	edi, edi
		jle	short loc_665E3A
		mov	esi, [ebp+var_14]

loc_665E23:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+1FBj
		cmp	byte ptr [ecx+eax], 1
		jnz	short loc_665E32
		mov	edx, 0FFE0h
		add	[esi+eax*2], dx

loc_665E32:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+1EDj
		inc	eax
		cmp	eax, edi
		jl	short loc_665E23
		mov	esi, [ebp+var_10]

loc_665E3A:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+1E4j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [ebp+arg_8]

loc_665E45:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+F5j
					; RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+FFj ...
		cmp	[ebp+arg_4], 0
		jz	short loc_665E7E
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_665E7E
		cmp	esi, eax
		jle	short loc_665E6C
		mov	eax, 0C0000023h
		jmp	short loc_665E89
; 

loc_665E5C:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+1D5j
					; RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+1DBj
		mov	ecx, [ebp+var_C]
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_665D67
; 

loc_665E6C:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+219j
		lea	eax, [esi+esi]
		push	eax		; size_t
		push	[ebp+arg_C]	; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_665E7E:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+20Fj
					; RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+215j
		mov	[edi], esi
		xor	eax, eax
		jmp	short loc_665E89
; 

loc_665E84:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+19j
					; RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+24j ...
		mov	eax, 0C000000Dh

loc_665E89:				; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+C7j
					; RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+132j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_RtlpIdnToUnicodeWorker@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpNameprepAsciiRealWorker(int,void *,int,char,void *,int,int,int)
_RtlpNameprepAsciiRealWorker@40	proc near
					; CODE XREF: RtlpNameprepAsciiWorker(x,x,x,x,x,x)+43p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	[ebp+var_4], edx
		mov	edx, ecx
		mov	ecx, [ebp+var_4]
		push	esi
		push	edi
		test	ecx, ecx
		jz	loc_666156
		mov	esi, [ebp+arg_0]
		cmp	esi, 0FFFFFFFFh
		jl	loc_666156
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jz	loc_666156
		mov	edi, [ebx]
		mov	[ebp+var_8], edi
		test	edi, edi
		js	loc_666156
		jle	short loc_665EDB
		cmp	[ebp+arg_4], 0
		jz	loc_666156

loc_665EDB:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+3Fj
		test	edx, 0FFFFFFF8h
		jnz	loc_666156
		mov	eax, edx
		mov	byte ptr [ebp+arg_0+3],	0
		and	eax, 1
		mov	[ebp+var_18], eax
		mov	eax, edx
		and	eax, 4
		mov	[ebp+var_14], eax
		setnz	al
		shr	edx, 1
		and	dl, 1
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], edx
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_665F36
		xor	eax, eax
		mov	edx, 7FFFFFFFh
		mov	[ebp+arg_8], eax
		lea	eax, [ebp+arg_8]
		push	eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		test	eax, eax
		js	loc_666156
		mov	esi, [ebp+arg_8]
		mov	ecx, [ebp+var_4]
		inc	esi
		mov	eax, [ebp+var_10]
		mov	edx, [ebp+var_C]

loc_665F36:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+7Cj
		test	esi, esi
		jle	short loc_665F4B
		xor	edi, edi
		cmp	[ecx+esi*2-2], di
		mov	edi, [ebp+var_8]
		jnz	short loc_665F4B
		mov	byte ptr [ebp+arg_0+3],	1
		dec	esi

loc_665F4B:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+A8j
					; RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+B4j
		push	edx
		push	eax
		mov	edx, esi
		call	_RtlpValidateAsciiStd3AndLength@16 ; RtlpValidateAsciiStd3AndLength(x,x,x,x)
		test	al, al
		jz	short loc_665F9B
		test	esi, esi
		jnz	short loc_665F66
		mov	eax, 0C0000716h
		jmp	loc_66615B
; 

loc_665F66:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+CAj
		cmp	byte ptr [ebp+arg_0+3],	0
		jz	short loc_665F6D
		inc	esi

loc_665F6D:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+DAj
		cmp	[ebp+arg_4], 0
		jz	short loc_665F92
		test	edi, edi
		jz	short loc_665F92
		cmp	esi, edi
		jg	loc_666138
		lea	eax, [esi+esi]
		push	eax		; size_t
		mov	eax, [ebp+var_4]
		push	eax		; void *

loc_665F87:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+275j
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_665F92:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+E1j
					; RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+E5j	...
		mov	[ebx], esi

loc_665F94:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+2C1j
		xor	eax, eax
		jmp	loc_66615B
; 

loc_665F9B:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+C6j
		xor	edx, edx
		mov	eax, 1FFh
		mov	ecx, edx
		mov	edi, edx
		mov	edx, [ebp+arg_10]
		cmp	[ebp+var_14], ecx
		jz	short loc_665FFF
		mov	edi, [ebp+var_4]
		mov	edx, esi
		mov	ecx, edi
		call	_FindEmailAt@8	; FindEmailAt(x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_6660C0
		lea	ecx, [ebp+arg_8]
		mov	[ebp+arg_8], 1FFh
		push	ecx
		push	[ebp+arg_10]
		push	eax
		push	edi
		push	1
		call	_RtlNormalizeString@20 ; RtlNormalizeString(x,x,x,x,x)
		mov	edi, [ebp+arg_8]
		test	eax, eax
		js	loc_6660AC
		test	edi, edi
		jz	loc_6660AA
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+var_14]
		lea	edx, [eax+edi*2]
		mov	eax, 1FFh
		sub	eax, edi

loc_665FFF:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+11Cj
		cmp	ecx, esi
		jge	short loc_66603E
		mov	[ebp+arg_8], eax
		lea	eax, [ebp+arg_8]
		push	eax
		push	edx
		mov	eax, esi
		sub	eax, ecx
		push	eax
		mov	eax, [ebp+var_4]
		lea	eax, [eax+ecx*2]
		push	eax
		mov	eax, [ebp+var_18]
		xor	eax, 1
		shl	eax, 8
		add	eax, 0Dh
		push	eax
		call	_RtlNormalizeString@20 ; RtlNormalizeString(x,x,x,x,x)
		mov	ecx, [ebp+arg_8]
		test	eax, eax
		js	loc_6660D0
		test	ecx, ecx
		jz	loc_6660CE
		add	edi, ecx

loc_66603E:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+171j
		test	edi, edi
		jle	short loc_666065
		mov	eax, [ebp+arg_10]
		movzx	edx, word ptr [eax+edi*2-2]
		cmp	edx, 2Eh
		jnz	short loc_666060
		mov	eax, [ebp+var_4]
		mov	cx, [eax+esi*2-2]
		call	_IsAnyDot@4	; IsAnyDot(x)
		test	al, al
		jz	short loc_6660C0

loc_666060:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+1BDj
		test	dx, dx
		jz	short loc_6660C0

loc_666065:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+1B0j
		push	[ebp+var_C]
		mov	ecx, [ebp+arg_10]
		lea	eax, [ebp+arg_8]
		push	[ebp+var_10]
		mov	edx, edi
		mov	[ebp+arg_8], 203h
		push	eax
		push	[ebp+arg_18]
		call	_punycode_encode@24 ; punycode_encode(x,x,x,x,x,x)
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_6660C5
		cmp	[ebp+arg_C], 0
		jz	short loc_66610A
		cmp	byte ptr [ebp+arg_0+3],	0
		jz	short loc_6660E4
		cmp	esi, 203h
		jge	short loc_6660C0
		mov	ecx, [ebp+arg_18]
		xor	eax, eax
		mov	[ecx+esi*2], ax
		inc	esi
		jmp	short loc_6660E7
; 

loc_6660AA:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+159j
		test	eax, eax

loc_6660AC:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+151j
		jz	short loc_6660C0
		cmp	eax, 0C0000023h
		jz	short loc_6660C0
		cmp	eax, 0C0000717h
		jz	short loc_6660C0
		test	edi, edi

loc_6660BE:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+252j
		jle	short loc_6660C5

loc_6660C0:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+12Fj
					; RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+1CEj ...
		mov	eax, 0C0000716h

loc_6660C5:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+1F8j
					; RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x):loc_6660BEj	...
		xor	ecx, ecx
		mov	[ebx], ecx
		jmp	loc_66615B
; 

loc_6660CE:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+1A6j
		test	eax, eax

loc_6660D0:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+19Ej
		jz	short loc_6660C0
		cmp	eax, 0C0000023h
		jz	short loc_6660C0
		cmp	eax, 0C0000717h
		jz	short loc_6660C0
		test	ecx, ecx
		jmp	short loc_6660BE
; 

loc_6660E4:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+204j
		mov	ecx, [ebp+arg_18]

loc_6660E7:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+218j
		cmp	[ebp+arg_4], 0
		jz	loc_665F92
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	loc_665F92
		cmp	esi, eax
		jg	short loc_666138
		lea	eax, [esi+esi]
		push	eax
		push	ecx
		jmp	loc_665F87
; 

loc_66610A:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+1FEj
		cmp	byte ptr [ebp+arg_0+3],	0
		jz	short loc_666124
		cmp	edi, 1FFh
		jg	short loc_6660C0
		mov	ecx, [ebp+arg_10]
		xor	eax, eax
		mov	[ecx+edi*2], ax
		inc	edi
		jmp	short loc_666127
; 

loc_666124:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+27Ej
		mov	ecx, [ebp+arg_10]

loc_666127:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+292j
		cmp	[ebp+arg_4], 0
		jz	short loc_66614F
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_66614F
		cmp	edi, eax
		jle	short loc_66613F

loc_666138:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+E9j
					; RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+26Ej
		mov	eax, 0C0000023h
		jmp	short loc_6660C5
; 

loc_66613F:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+2A6j
		lea	eax, [edi+edi]
		push	eax		; size_t
		push	ecx		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_66614F:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+29Bj
					; RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+2A2j
		mov	[ebx], edi
		jmp	loc_665F94
; 

loc_666156:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+15j
					; RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+21j	...
		mov	eax, 0C000000Dh

loc_66615B:				; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+D1j
					; RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+106j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
_RtlpNameprepAsciiRealWorker@40	endp


;  S U B	R O U T	I N E 


; __stdcall ValidateStd3Range(x)
_ValidateStd3Range@4 proc near		; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+EBp
					; punycode_decode(x,x,x,x,x,x,x,x)+153p ...
		cmp	cx, 2Ch
		jbe	short loc_666195
		cmp	cx, 2Fh
		jz	short loc_666195
		cmp	cx, 3Ah
		jb	short loc_66617A
		cmp	cx, 40h
		jbe	short loc_666195

loc_66617A:				; CODE XREF: ValidateStd3Range(x)+10j
		cmp	cx, 5Bh
		jb	short loc_666186
		cmp	cx, 60h
		jbe	short loc_666195

loc_666186:				; CODE XREF: ValidateStd3Range(x)+1Cj
		cmp	cx, 7Bh
		jb	short loc_666192
		cmp	cx, 7Fh
		jbe	short loc_666195

loc_666192:				; CODE XREF: ValidateStd3Range(x)+28j
		mov	al, 1
		retn
; 

loc_666195:				; CODE XREF: ValidateStd3Range(x)+4j
					; ValidateStd3Range(x)+Aj ...
		xor	al, al
		retn
_ValidateStd3Range@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall adapt(x, x,	x)
_adapt@12	proc near		; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+2C5p
					; punycode_encode(x,x,x,x,x,x)+351p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		cdq
		jz	short loc_6661B6
		mov	ecx, 2BCh
		idiv	ecx
		mov	esi, eax
		jmp	short loc_6661BC
; 

loc_6661B6:				; CODE XREF: adapt(x,x,x)+11j
		sub	eax, edx
		mov	esi, eax
		sar	esi, 1

loc_6661BC:				; CODE XREF: adapt(x,x,x)+1Cj
		mov	eax, esi
		mov	ebx, 1C7h
		cdq
		idiv	edi
		add	esi, eax
		xor	edi, edi
		jmp	short loc_6661D9
; 

loc_6661CC:				; CODE XREF: adapt(x,x,x)+43j
		mov	eax, esi
		push	23h
		cdq
		pop	ecx
		idiv	ecx
		add	edi, 24h
		mov	esi, eax

loc_6661D9:				; CODE XREF: adapt(x,x,x)+32j
		cmp	esi, ebx
		jg	short loc_6661CC
		imul	eax, esi, 24h
		lea	ecx, [esi+26h]
		cdq
		idiv	ecx
		add	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_adapt@12	endp


;  S U B	R O U T	I N E 


; __stdcall decode_digit(x)
_decode_digit@4	proc near		; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+226p
		lea	eax, [ecx-30h]
		cmp	ax, 9
		ja	short loc_6661FF
		movzx	eax, cx
		sub	eax, 16h
		retn
; 

loc_6661FF:				; CODE XREF: decode_digit(x)+7j
		push	19h
		lea	eax, [ecx-61h]
		pop	edx
		cmp	ax, dx
		ja	short loc_666211
		movzx	eax, cx
		sub	eax, 61h
		retn
; 

loc_666211:				; CODE XREF: decode_digit(x)+19j
		lea	eax, [ecx-41h]
		cmp	ax, dx
		ja	short loc_666220
		movzx	eax, cx
		sub	eax, 41h
		retn
; 

loc_666220:				; CODE XREF: decode_digit(x)+28j
		or	eax, 0FFFFFFFFh
		retn
_decode_digit@4	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2208. RtlIsCloudFilesPlaceholder

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsCloudFilesPlaceholder(x, x)
		public _RtlIsCloudFilesPlaceholder@8
_RtlIsCloudFilesPlaceholder@8 proc near	; CODE XREF: CmpAdjustFileCFSafety(x,x)+EAp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_0], 400h
		jz	short loc_66624A
		mov	eax, [ebp+arg_4]
		and	eax, 0FFFF0FFFh
		cmp	eax, 9000001Ah
		jnz	short loc_66624A
		mov	al, 1
		jmp	short loc_66624C
; 

loc_66624A:				; CODE XREF: RtlIsCloudFilesPlaceholder(x,x)+Cj
					; RtlIsCloudFilesPlaceholder(x,x)+1Bj
		xor	al, al

loc_66624C:				; CODE XREF: RtlIsCloudFilesPlaceholder(x,x)+1Fj
		pop	ebp
		retn	8
_RtlIsCloudFilesPlaceholder@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2227. RtlIsZeroMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsZeroMemory(x, x)
		public _RtlIsZeroMemory@8
_RtlIsZeroMemory@8 proc	near		; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+304p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]

loc_666260:				; CODE XREF: RtlIsZeroMemory(x,x)+1Aj
		test	al, 3
		jz	short loc_666271
		test	ecx, ecx
		jz	short loc_666271
		cmp	byte ptr [eax],	0
		jnz	short loc_666298
		inc	eax
		dec	ecx
		jmp	short loc_666260
; 

loc_666271:				; CODE XREF: RtlIsZeroMemory(x,x)+Dj
					; RtlIsZeroMemory(x,x)+11j
		push	4
		pop	edx
		jmp	short loc_66627F
; 

loc_666276:				; CODE XREF: RtlIsZeroMemory(x,x)+2Cj
		cmp	dword ptr [eax], 0
		jnz	short loc_666298
		add	eax, edx
		sub	ecx, edx

loc_66627F:				; CODE XREF: RtlIsZeroMemory(x,x)+1Fj
		cmp	ecx, edx
		jnb	short loc_666276
		test	ecx, ecx
		jz	short loc_666292

loc_666287:				; CODE XREF: RtlIsZeroMemory(x,x)+3Bj
		cmp	byte ptr [eax],	0
		jnz	short loc_666298
		inc	eax
		sub	ecx, 1
		jnz	short loc_666287

loc_666292:				; CODE XREF: RtlIsZeroMemory(x,x)+30j
		mov	al, 1

loc_666294:				; CODE XREF: RtlIsZeroMemory(x,x)+45j
		pop	ebp
		retn	8
; 

loc_666298:				; CODE XREF: RtlIsZeroMemory(x,x)+16j
					; RtlIsZeroMemory(x,x)+24j ...
		xor	al, al
		jmp	short loc_666294
_RtlIsZeroMemory@8 endp


;  S U B	R O U T	I N E 


; __stdcall CanComposeHangul(x,	x)
_CanComposeHangul@8 proc near		; CODE XREF: Normalization__IsNormalized(x,x,x,x)+F4p
					; Normalization__IsNormalized(x,x,x,x)+186p
		lea	eax, [ecx-1100h]
		push	esi
		mov	esi, edx
		cmp	eax, 12h
		ja	short loc_6662B5
		lea	eax, [esi-1161h]
		cmp	eax, 14h
		jbe	short loc_6662C9

loc_6662B5:				; CODE XREF: CanComposeHangul(x,x)+Cj
		call	_IsHangulLV@4	; IsHangulLV(x)
		test	al, al
		jz	short loc_6662CD
		lea	eax, [esi-11A8h]
		cmp	eax, 1Ah
		ja	short loc_6662CD

loc_6662C9:				; CODE XREF: CanComposeHangul(x,x)+17j
		mov	al, 1
		pop	esi
		retn
; 

loc_6662CD:				; CODE XREF: CanComposeHangul(x,x)+20j
					; CanComposeHangul(x,x)+2Bj
		xor	al, al
		pop	esi
		retn
_CanComposeHangul@8 endp


;  S U B	R O U T	I N E 


; __stdcall ComposeHangulLV(x, x)
_ComposeHangulLV@8 proc	near		; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+6B5p
					; Normalization__NormalizeCharacter(x,x,x,x)+6E0p
		lea	eax, [ecx-1100h]
		cmp	eax, 12h
		ja	short loc_6662F5
		lea	eax, [edx-1161h]
		cmp	eax, 14h
		ja	short loc_6662F5
		imul	eax, ecx, 15h
		add	eax, edx
		imul	eax, 1Ch
		sub	eax, 28469Ch
		retn
; 

loc_6662F5:				; CODE XREF: ComposeHangulLV(x,x)+9j
					; ComposeHangulLV(x,x)+14j
		xor	eax, eax
		retn
_ComposeHangulLV@8 endp


;  S U B	R O U T	I N E 


; __stdcall ComposeHangulLVT(x,	x)
_ComposeHangulLVT@8 proc near		; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+68Bp
					; Normalization__NormalizeCharacter(x,x,x,x)+6FFp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		lea	eax, [edi-11A8h]
		cmp	eax, 1Ah
		ja	short loc_66631E
		call	_IsHangulLV@4	; IsHangulLV(x)
		test	al, al
		jz	short loc_66631E
		lea	eax, [esi-11A7h]
		add	eax, edi
		jmp	short loc_666320
; 

loc_66631E:				; CODE XREF: ComposeHangulLVT(x,x)+11j
					; ComposeHangulLVT(x,x)+1Aj
		xor	eax, eax

loc_666320:				; CODE XREF: ComposeHangulLVT(x,x)+24j
		pop	edi
		pop	esi
		retn
_ComposeHangulLVT@8 endp


;  S U B	R O U T	I N E 


; __stdcall GetHangulT(x)
_GetHangulT@4	proc near		; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+62Dp
		lea	eax, [ecx-0AC00h]
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		movzx	eax, dx
		test	ax, ax
		jnz	short loc_66633A
		xor	eax, eax
		retn
; 

loc_66633A:				; CODE XREF: GetHangulT(x)+12j
		add	eax, 11A7h
		retn
_GetHangulT@4	endp


;  S U B	R O U T	I N E 


; __stdcall GetSurrogateLow(x)
_GetSurrogateLow@4 proc	near		; CODE XREF: NormBuffer__Append(x,x)+3Fp
					; NormBuffer__Insert(x,x,x)+23p ...
		lea	eax, [ecx-10000h]
		mov	ecx, 400h
		cdq
		idiv	ecx
		lea	eax, [edx-2400h]
		retn
_GetSurrogateLow@4 endp


;  S U B	R O U T	I N E 


; __stdcall IsHangulLV(x)
_IsHangulLV@4	proc near		; CODE XREF: CanComposeHangul(x,x):loc_6662B5p
					; ComposeHangulLVT(x,x)+13p ...
		mov	edx, ecx
		call	_IsHangulS@4	; IsHangulS(x)
		test	al, al
		jz	short loc_666373
		lea	eax, [edx-0AC00h]
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		test	edx, edx
		jnz	short loc_666373
		mov	al, 1
		retn
; 

loc_666373:				; CODE XREF: IsHangulLV(x)+9j
					; IsHangulLV(x)+19j
		xor	al, al
		retn
_IsHangulLV@4	endp


;  S U B	R O U T	I N E 


; __stdcall IsHangulS(x)
_IsHangulS@4	proc near		; CODE XREF: IsHangulLV(x)+2p
					; Normalization__IsNormalized(x,x,x,x)+BCp ...
		add	ecx, 0FFFF5400h
		mov	eax, 2BA3h
		cmp	eax, ecx
		sbb	al, al
		inc	al
		retn
_IsHangulS@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NormBuffer__Append(x, x)
_NormBuffer__Append@8 proc near		; CODE XREF: NormBuffer__AppendEx(x,x,x,x)+Bp
					; Normalization__Normalize(x,x,x,x,x,x)+B1p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, edx
		mov	[ebp+var_4], eax
		push	edi
		mov	edi, [esi+14h]
		mov	ebx, [esi+10h]
		cmp	eax, 10000h
		jl	short loc_6663CC
		cmp	edi, ebx
		jnb	short loc_6663D3
		add	eax, 0FFFF0000h
		mov	ecx, 400h
		cdq
		idiv	ecx
		mov	ecx, [ebp+var_4]
		sub	eax, 2800h
		mov	[edi], ax
		add	edi, 2
		mov	[esi+14h], edi
		call	_GetSurrogateLow@4 ; GetSurrogateLow(x)

loc_6663CC:				; CODE XREF: NormBuffer__Append(x,x)+1Bj
		movzx	eax, ax
		cmp	edi, ebx
		jb	short loc_6663D7

loc_6663D3:				; CODE XREF: NormBuffer__Append(x,x)+1Fj
		xor	al, al
		jmp	short loc_6663E2
; 

loc_6663D7:				; CODE XREF: NormBuffer__Append(x,x)+49j
		mov	[edi], ax
		lea	eax, [edi+2]
		mov	[esi+14h], eax
		mov	al, 1

loc_6663E2:				; CODE XREF: NormBuffer__Append(x,x)+4Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_NormBuffer__Append@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NormBuffer__AppendAndSortDecomposed(x, x)
_NormBuffer__AppendAndSortDecomposed@8 proc near
					; CODE XREF: NormBuffer__ReplaceLastStartBase(x,x,x,x)+4Dp
					; NormBuffer__ReplaceLastStartBase(x,x,x,x)+5Fp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		mov	byte ptr [ebp+var_4], 0
		lea	eax, [ebp+var_8]
		mov	byte ptr [ebp+var_8], 0
		push	eax
		lea	eax, [ebp+var_4]
		mov	edi, edx
		mov	ecx, [esi+44h]
		push	eax
		call	_Normalization__GetCharacterInfo@16 ; Normalization__GetCharacterInfo(x,x,x,x)
		mov	dl, byte ptr [ebp+var_4]
		mov	ecx, esi
		call	_NormBuffer__SortBeforeSameClass@8 ; NormBuffer__SortBeforeSameClass(x,x)
		mov	eax, [esi+40h]
		mov	edx, edi
		mov	ecx, esi
		cmp	eax, [esi+14h]
		jnz	short loc_66642F
		push	[ebp+var_8]
		push	[ebp+var_4]
		call	_NormBuffer__AppendEx@16 ; NormBuffer__AppendEx(x,x,x,x)
		jmp	short loc_666435
; 

loc_66642F:				; CODE XREF: NormBuffer__AppendAndSortDecomposed(x,x)+39j
		push	eax
		call	_NormBuffer__Insert@12 ; NormBuffer__Insert(x,x,x)

loc_666435:				; CODE XREF: NormBuffer__AppendAndSortDecomposed(x,x)+46j
		pop	edi
		pop	esi
		leave
		retn
_NormBuffer__AppendAndSortDecomposed@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NormBuffer__AppendEx(x, x, x, x)
_NormBuffer__AppendEx@16 proc near	; CODE XREF: NormBuffer__AppendAndSortDecomposed(x,x)+41p
					; Normalization__NormalizeCharacter(x,x,x,x)+38Bp ...

arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_NormBuffer__Append@8 ;	NormBuffer__Append(x,x)
		test	al, al
		jz	short loc_666467
		mov	al, [ebp+arg_0]
		mov	[esi+28h], al
		mov	al, [ebp+arg_4]
		mov	[esi+29h], al
		mov	eax, [esi+14h]
		sub	eax, 2
		mov	[esi+20h], edi
		mov	[esi+24h], eax
		mov	al, 1

loc_666467:				; CODE XREF: NormBuffer__AppendEx(x,x,x,x)+12j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_NormBuffer__AppendEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NormBuffer__Construct(x, x,	x, x, x, x)
_NormBuffer__Construct@24 proc near	; CODE XREF: Normalization__Normalize(x,x,x,x,x,x)+56p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	[ecx+1Ch], eax
		push	esi
		mov	esi, [ebp+arg_4]
		lea	eax, [edx+eax*2]
		mov	[ecx+0Ch], esi
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+18h], eax
		mov	[ecx+14h], esi
		mov	[ecx+2Ch], esi
		lea	eax, [esi+eax*2]
		mov	[ecx], edx
		mov	[ecx+10h], eax
		lea	eax, [esi-2]
		mov	[ecx+24h], eax
		xor	eax, eax
		mov	[ecx+20h], eax
		mov	[ecx+28h], ax
		mov	[ecx+30h], eax
		mov	[ecx+34h], ax
		mov	eax, [ebp+arg_C]
		mov	[ecx+8], edx
		mov	[ecx+44h], eax
		pop	esi
		pop	ebp
		retn	10h
_NormBuffer__Construct@24 endp


;  S U B	R O U T	I N E 


; __stdcall NormBuffer__GetCurrentOutputChar(x,	x)
_NormBuffer__GetCurrentOutputChar@8 proc near ;	CODE XREF: NormBuffer__IsBlocked(x,x)+33p
					; NormBuffer__RecheckStartCombinations(x)+33p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, [edx]
		movzx	esi, word ptr [edi]
		cmp	esi, 0D800h
		jb	short loc_666501
		cmp	esi, 0DFFFh
		ja	short loc_666501
		cmp	esi, 0DC00h
		jb	short loc_6664F0
		sub	edi, 2
		movzx	eax, word ptr [edi]
		sub	eax, 0D7F7h
		shl	eax, 0Ah
		add	esi, eax
		jmp	short loc_666501
; 

loc_6664F0:				; CODE XREF: NormBuffer__GetCurrentOutputChar(x,x)+1Fj
		add	edi, 2
		add	esi, 0FFFF2809h
		shl	esi, 0Ah
		movzx	ecx, word ptr [edi]
		add	esi, ecx

loc_666501:				; CODE XREF: NormBuffer__GetCurrentOutputChar(x,x)+Fj
					; NormBuffer__GetCurrentOutputChar(x,x)+17j ...
		mov	[edx], edi
		mov	eax, esi
		pop	edi
		pop	esi
		retn
_NormBuffer__GetCurrentOutputChar@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NormBuffer__GetLastChar(x)
_NormBuffer__GetLastChar@4 proc	near	; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+B0p
					; Normalization__NormalizeCharacter(x,x,x,x)+1CCp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+14h]
		lea	eax, [ecx-2]
		cmp	[esi+24h], eax
		jz	short loc_66657E
		add	ecx, 0FFFFFFFEh
		push	edi
		mov	[esi+24h], ecx
		movzx	eax, word ptr [ecx]
		mov	[esi+20h], eax
		mov	edi, eax
		cmp	eax, 0DC00h
		jbe	short loc_66654B
		cmp	eax, 0DFFFh
		ja	short loc_66654B
		movzx	edi, word ptr [ecx-2]
		sub	edi, 0D7F7h
		shl	edi, 0Ah
		add	edi, eax
		mov	[esi+20h], edi

loc_66654B:				; CODE XREF: NormBuffer__GetLastChar(x)+28j
					; NormBuffer__GetLastChar(x)+2Fj
		mov	ecx, [esi+44h]
		mov	edx, edi
		call	_Normalization__PageLookup@8 ; Normalization__PageLookup(x,x)
		mov	byte ptr [ebp+var_4], al
		test	al, al
		jz	short loc_666573
		cmp	al, 0FBh
		jnb	short loc_666573
		push	[ebp+var_4]
		mov	edx, edi
		call	_Normalization__TableLookup@12 ; Normalization__TableLookup(x,x,x)
		mov	cl, al
		and	cl, 0C0h
		and	al, 3Fh
		jmp	short loc_666577
; 

loc_666573:				; CODE XREF: NormBuffer__GetLastChar(x)+52j
					; NormBuffer__GetLastChar(x)+56j
		xor	ecx, ecx
		mov	al, cl

loc_666577:				; CODE XREF: NormBuffer__GetLastChar(x)+69j
		mov	[esi+28h], al
		mov	[esi+29h], cl
		pop	edi

loc_66657E:				; CODE XREF: NormBuffer__GetLastChar(x)+12j
		mov	eax, [esi+20h]
		pop	esi
		leave
		retn
_NormBuffer__GetLastChar@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NormBuffer__Insert(x, x, x)
_NormBuffer__Insert@12 proc near	; CODE XREF: NormBuffer__AppendAndSortDecomposed(x,x)+49p
					; NormBuffer__Insert(x,x,x)+2Dp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	eax, [edi+24h]
		mov	esi, [edi+14h]
		mov	[ebp+var_4], eax
		cmp	ebx, 10000h
		jl	short loc_6665E2
		push	[ebp+arg_0]
		mov	ecx, ebx
		call	_GetSurrogateLow@4 ; GetSurrogateLow(x)
		movzx	edx, ax
		mov	ecx, edi
		call	_NormBuffer__Insert@12 ; NormBuffer__Insert(x,x,x)
		test	al, al
		jz	short loc_6665DE
		lea	eax, [ebx-10000h]
		mov	ecx, 400h
		cdq
		idiv	ecx
		push	[ebp+arg_0]
		sub	eax, 2800h
		mov	ecx, edi
		movzx	edx, ax
		call	_NormBuffer__Insert@12 ; NormBuffer__Insert(x,x,x)
		test	al, al
		jnz	short loc_666612

loc_6665DE:				; CODE XREF: NormBuffer__Insert(x,x,x)+34j
					; NormBuffer__Insert(x,x,x)+61j
		xor	al, al
		jmp	short loc_666614
; 

loc_6665E2:				; CODE XREF: NormBuffer__Insert(x,x,x)+1Cj
		cmp	esi, [edi+10h]
		jnb	short loc_6665DE
		mov	ecx, [ebp+arg_0]
		movzx	edx, bx
		jmp	short loc_6665FA
; 

loc_6665EF:				; CODE XREF: NormBuffer__Insert(x,x,x)+78j
		movzx	eax, word ptr [ecx]
		mov	[ecx], dx
		mov	edx, eax
		add	ecx, 2

loc_6665FA:				; CODE XREF: NormBuffer__Insert(x,x,x)+69j
		cmp	ecx, esi
		jnz	short loc_6665EF
		lea	eax, [esi+2]
		mov	[esi], dx
		mov	[edi+14h], eax
		lea	eax, [esi-2]
		cmp	[ebp+var_4], eax
		jnz	short loc_666612
		mov	[edi+24h], esi

loc_666612:				; CODE XREF: NormBuffer__Insert(x,x,x)+58j
					; NormBuffer__Insert(x,x,x)+89j
		mov	al, 1

loc_666614:				; CODE XREF: NormBuffer__Insert(x,x,x)+5Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_NormBuffer__Insert@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NormBuffer__IsBlocked(x, x)
_NormBuffer__IsBlocked@8 proc near	; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+225p
					; Normalization__NormalizeCharacter(x,x,x,x)+507p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		mov	eax, [edi+14h]
		mov	ecx, [edi+2Ch]
		mov	[edi+40h], eax
		cmp	eax, ecx
		jz	short loc_666684
		add	eax, 0FFFFFFFEh
		lea	ebx, [ecx-2]
		mov	[ebp+var_8], eax
		cmp	eax, ebx
		jz	short loc_666684
		mov	eax, [edi+44h]
		mov	[ebp+var_C], eax

loc_66664B:				; CODE XREF: NormBuffer__IsBlocked(x,x)+67j
		lea	edx, [ebp+var_8]
		call	_NormBuffer__GetCurrentOutputChar@8 ; NormBuffer__GetCurrentOutputChar(x,x)
		mov	ecx, [ebp+var_C]
		mov	esi, eax
		mov	edx, esi
		call	_Normalization__PageLookup@8 ; Normalization__PageLookup(x,x)
		movzx	ecx, al
		mov	edx, esi
		push	ecx
		mov	ecx, [ebp+var_C]
		call	_Normalization__TableLookup@12 ; Normalization__TableLookup(x,x,x)
		and	al, 3Fh
		cmp	al, [ebp+var_1]
		jbe	short loc_66668B
		mov	eax, [ebp+var_8]
		mov	[edi+40h], eax
		sub	eax, 2
		mov	[ebp+var_8], eax
		cmp	eax, ebx
		jnz	short loc_66664B

loc_666684:				; CODE XREF: NormBuffer__IsBlocked(x,x)+1Bj
					; NormBuffer__IsBlocked(x,x)+28j ...
		xor	al, al

loc_666686:				; CODE XREF: NormBuffer__IsBlocked(x,x)+74j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_66668B:				; CODE XREF: NormBuffer__IsBlocked(x,x)+57j
		jnz	short loc_666684
		mov	al, 1
		jmp	short loc_666686
_NormBuffer__IsBlocked@8 endp


;  S U B	R O U T	I N E 


; __stdcall NormBuffer__LastStartBase(x)
_NormBuffer__LastStartBase@4 proc near	; CODE XREF: NormBuffer__LastStartBasePair(x)+1Ap
					; Normalization__NormalizeCharacter(x,x,x,x)+30Bp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+38h]
		test	eax, eax
		jnz	short loc_6666AB
		mov	edx, [esi+30h]
		mov	ecx, [esi+44h]
		call	_Normalization__GetFirstDecomposedCharPlane0@8 ; Normalization__GetFirstDecomposedCharPlane0(x,x)
		mov	[esi+38h], eax

loc_6666AB:				; CODE XREF: NormBuffer__LastStartBase(x)+Aj
		pop	esi
		retn
_NormBuffer__LastStartBase@4 endp


;  S U B	R O U T	I N E 


; __stdcall NormBuffer__LastStartBasePair(x)
_NormBuffer__LastStartBasePair@4 proc near
					; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+2CDp
					; Normalization__NormalizeCharacter(x,x,x,x)+3F3p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+3Ch]
		test	eax, eax
		jnz	short loc_6666D9
		mov	edx, [esi+30h]
		mov	ecx, [esi+44h]
		call	_Normalization__GetSecondDecomposedCharPlane0@8	; Normalization__GetSecondDecomposedCharPlane0(x,x)
		push	eax
		mov	ecx, esi
		call	_NormBuffer__LastStartBase@4 ; NormBuffer__LastStartBase(x)
		mov	ecx, [esi+44h]
		mov	edx, eax
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		mov	[esi+3Ch], eax

loc_6666D9:				; CODE XREF: NormBuffer__LastStartBasePair(x)+Aj
		pop	esi
		retn
_NormBuffer__LastStartBasePair@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NormBuffer__RecheckStartCombinations(x)
_NormBuffer__RecheckStartCombinations@4	proc near
					; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+4AEp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+35h], 40h
		mov	eax, [esi+2Ch]
		mov	[ebp+var_8], eax
		jnz	loc_66679F
		push	ebx
		xor	bl, bl
		cmp	eax, [esi+14h]
		jz	loc_66679E
		push	edi

loc_666703:				; CODE XREF: NormBuffer__RecheckStartCombinations(x)+BCj
		lea	edx, [ebp+var_8]
		mov	[ebp+var_1], 0
		mov	[ebp+var_2], 0
		call	_NormBuffer__GetCurrentOutputChar@8 ; NormBuffer__GetCurrentOutputChar(x,x)
		mov	edi, [esi+44h]
		lea	ecx, [ebp+var_2]
		push	ecx
		lea	ecx, [ebp-1]
		mov	[ebp+var_C], eax
		push	ecx
		mov	edx, eax
		mov	[ebp+var_10], edi
		mov	ecx, edi
		call	_Normalization__GetCharacterInfo@16 ; Normalization__GetCharacterInfo(x,x,x,x)
		mov	bh, [ebp+var_1]
		cmp	bh, bl
		jz	short loc_66678B
		cmp	[ebp+var_2], 0C0h
		jnz	short loc_666789
		push	[ebp+var_C]
		mov	edx, [esi+30h]
		mov	ecx, edi
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_666789
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_2]
		push	eax
		lea	eax, [ebp-1]
		mov	edx, edi
		push	eax
		call	_Normalization__GetCharacterInfo@16 ; Normalization__GetCharacterInfo(x,x,x,x)
		mov	eax, [esi+2Ch]
		mov	ecx, esi
		mov	[esi+30h], edi
		mov	[eax-2], di
		mov	al, [ebp+var_1]
		mov	edi, [ebp+var_8]
		mov	edx, edi
		mov	[esi+34h], al
		mov	al, [ebp+var_2]
		mov	[esi+35h], al
		call	_NormBuffer__RemoveCharacter@8 ; NormBuffer__RemoveCharacter(x,x)
		cmp	byte ptr [esi+35h], 40h
		jnz	short loc_66679D
		jmp	short loc_666794
; 

loc_666789:				; CODE XREF: NormBuffer__RecheckStartCombinations(x)+5Dj
					; NormBuffer__RecheckStartCombinations(x)+70j
		mov	bl, bh

loc_66678B:				; CODE XREF: NormBuffer__RecheckStartCombinations(x)+57j
		mov	edi, [ebp+var_8]
		add	edi, 2
		mov	[ebp+var_8], edi

loc_666794:				; CODE XREF: NormBuffer__RecheckStartCombinations(x)+ACj
		cmp	edi, [esi+14h]
		jnz	loc_666703

loc_66679D:				; CODE XREF: NormBuffer__RecheckStartCombinations(x)+AAj
		pop	edi

loc_66679E:				; CODE XREF: NormBuffer__RecheckStartCombinations(x)+21j
		pop	ebx

loc_66679F:				; CODE XREF: NormBuffer__RecheckStartCombinations(x)+15j
		pop	esi
		leave
		retn
_NormBuffer__RecheckStartCombinations@4	endp


;  S U B	R O U T	I N E 


; __stdcall NormBuffer__RemoveCharacter(x, x)
_NormBuffer__RemoveCharacter@8 proc near
					; CODE XREF: NormBuffer__RecheckStartCombinations(x)+A1p
		add	dword ptr [ecx+14h], 0FFFFFFFEh
		mov	eax, [ecx+24h]
		push	esi
		mov	esi, [ecx+14h]
		cmp	eax, esi
		jnz	short loc_6667DB
		cmp	edx, eax
		jnb	short loc_6667BD
		add	eax, 0FFFFFFFEh
		mov	[ecx+24h], eax
		jmp	short loc_6667DB
; 

loc_6667BD:				; CODE XREF: NormBuffer__RemoveCharacter(x,x)+11j
		mov	eax, [ecx+0Ch]
		sub	eax, 2
		mov	[ecx+24h], eax
		xor	eax, eax
		mov	[ecx+20h], eax
		mov	[ecx+28h], ax
		jmp	short loc_6667DB
; 

loc_6667D1:				; CODE XREF: NormBuffer__RemoveCharacter(x,x)+3Bj
		mov	ax, [edx+2]
		mov	[edx], ax
		add	edx, 2

loc_6667DB:				; CODE XREF: NormBuffer__RemoveCharacter(x,x)+Dj
					; NormBuffer__RemoveCharacter(x,x)+19j	...
		cmp	edx, esi
		jnz	short loc_6667D1
		pop	esi
		retn
_NormBuffer__RemoveCharacter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NormBuffer__ReplaceLastStartBase(x,	x, x, x)
_NormBuffer__ReplaceLastStartBase@16 proc near
					; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+496p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		mov	eax, [edi+2Ch]
		mov	esi, [edi+30h]
		mov	[edi+30h], edx
		mov	[edi+3Ch], ecx
		mov	[eax-2], dx
		mov	edx, esi
		mov	al, [ebp+arg_0]
		mov	[edi+34h], al
		mov	al, [ebp+arg_4]
		mov	[edi+35h], al
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[edi+38h], ecx
		mov	ecx, [edi+44h]
		push	eax
		call	_Normalization__GetSecondAndThirdDecomposedCharPlane0@16 ; Normalization__GetSecondAndThirdDecomposedCharPlane0(x,x,x,x)
		mov	edx, [ebp+var_4]
		test	edx, edx
		jz	short loc_666837
		mov	ecx, edi
		call	_NormBuffer__AppendAndSortDecomposed@8 ; NormBuffer__AppendAndSortDecomposed(x,x)
		test	al, al
		jz	short loc_666849

loc_666837:				; CODE XREF: NormBuffer__ReplaceLastStartBase(x,x,x,x)+49j
		mov	edx, [ebp+var_8]
		test	edx, edx
		jz	short loc_666847
		mov	ecx, edi
		call	_NormBuffer__AppendAndSortDecomposed@8 ; NormBuffer__AppendAndSortDecomposed(x,x)
		jmp	short loc_666849
; 

loc_666847:				; CODE XREF: NormBuffer__ReplaceLastStartBase(x,x,x,x)+5Bj
		mov	al, 1

loc_666849:				; CODE XREF: NormBuffer__ReplaceLastStartBase(x,x,x,x)+54j
					; NormBuffer__ReplaceLastStartBase(x,x,x,x)+64j
		pop	edi
		pop	esi
		leave
		retn	8
_NormBuffer__ReplaceLastStartBase@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NormBuffer__ReplaceLastStartBasePair(x, x, x, x)
_NormBuffer__ReplaceLastStartBasePair@16 proc near
					; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+440p

arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	edx, [ebx+30h]
		mov	ecx, [ebx+44h]
		call	_Normalization__GetThirdAndLastDecomposedCharPlane0@8 ;	Normalization__GetThirdAndLastDecomposedCharPlane0(x,x)
		mov	cl, [ebp+arg_0]
		mov	esi, [ebx+2Ch]
		and	dword ptr [ebx+3Ch], 0
		and	dword ptr [ebx+38h], 0
		mov	[ebx+34h], cl
		mov	cl, [ebp+arg_4]
		mov	[esi-2], di
		mov	[ebx+30h], edi
		mov	[ebx+35h], cl
		test	eax, eax
		jnz	short loc_66688C
		mov	al, 1
		jmp	short loc_666895
; 

loc_66688C:				; CODE XREF: NormBuffer__ReplaceLastStartBasePair(x,x,x,x)+37j
		mov	edx, eax
		mov	ecx, ebx
		call	_NormBuffer__AppendAndSortDecomposed@8 ; NormBuffer__AppendAndSortDecomposed(x,x)

loc_666895:				; CODE XREF: NormBuffer__ReplaceLastStartBasePair(x,x,x,x)+3Bj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_NormBuffer__ReplaceLastStartBasePair@16 endp


;  S U B	R O U T	I N E 


; __stdcall NormBuffer__RewindOutputCharacter(x)
_NormBuffer__RewindOutputCharacter@4 proc near
					; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+CBp
					; Normalization__NormalizeCharacter(x,x,x,x)+353p ...
		add	dword ptr [ecx+14h], 0FFFFFFFEh
		mov	eax, [ecx+14h]
		push	esi
		mov	esi, 0DC00h
		movzx	edx, word ptr [eax]
		cmp	dx, si
		jbe	short loc_6668C1
		mov	esi, 0DFFFh
		cmp	dx, si
		jnb	short loc_6668C1
		add	eax, 0FFFFFFFEh
		mov	[ecx+14h], eax

loc_6668C1:				; CODE XREF: NormBuffer__RewindOutputCharacter(x)+13j
					; NormBuffer__RewindOutputCharacter(x)+1Dj
		mov	eax, [ecx+0Ch]
		sub	eax, 2
		mov	[ecx+24h], eax
		xor	eax, eax
		mov	[ecx+20h], eax
		mov	[ecx+28h], ax
		pop	esi
		retn
_NormBuffer__RewindOutputCharacter@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NormBuffer__SortBeforeSameClass(x, x)
_NormBuffer__SortBeforeSameClass@8 proc	near
					; CODE XREF: NormBuffer__AppendAndSortDecomposed(x,x)+2Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		mov	eax, [edi+14h]
		mov	esi, [edi+2Ch]
		mov	[edi+40h], eax
		cmp	eax, esi
		jz	short loc_666958
		add	eax, 0FFFFFFFEh
		lea	edx, [ebp+var_8]
		push	ebx
		mov	[ebp+var_8], eax
		call	_NormBuffer__GetCurrentOutputChar@8 ; NormBuffer__GetCurrentOutputChar(x,x)
		cmp	dword ptr [edi+30h], 0FFFFh
		lea	ebx, [esi-2]
		mov	[ebp+var_C], eax
		jle	short loc_666912
		lea	ebx, [esi-4]

loc_666912:				; CODE XREF: NormBuffer__SortBeforeSameClass(x,x)+38j
		mov	esi, [ebp+var_8]
		cmp	esi, ebx
		jz	short loc_666957
		mov	ecx, [edi+44h]
		mov	[ebp+var_10], ecx

loc_66691F:				; CODE XREF: NormBuffer__SortBeforeSameClass(x,x)+80j
		mov	edx, eax
		call	_Normalization__PageLookup@8 ; Normalization__PageLookup(x,x)
		mov	edx, [ebp+var_C]
		movzx	eax, al
		push	eax
		call	_Normalization__TableLookup@12 ; Normalization__TableLookup(x,x,x)
		and	al, 3Fh
		cmp	al, [ebp+var_1]
		jb	short loc_666957
		mov	[edi+40h], esi
		lea	edx, [ebp+var_8]
		sub	esi, 2
		mov	[ebp+var_8], esi
		call	_NormBuffer__GetCurrentOutputChar@8 ; NormBuffer__GetCurrentOutputChar(x,x)
		mov	esi, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_C], eax
		cmp	esi, ebx
		jnz	short loc_66691F

loc_666957:				; CODE XREF: NormBuffer__SortBeforeSameClass(x,x)+42j
					; NormBuffer__SortBeforeSameClass(x,x)+62j
		pop	ebx

loc_666958:				; CODE XREF: NormBuffer__SortBeforeSameClass(x,x)+1Aj
		pop	edi
		pop	esi
		leave
		retn
_NormBuffer__SortBeforeSameClass@8 endp


;  S U B	R O U T	I N E 


; __stdcall NormBuffer__VerifyLastStart(x)
_NormBuffer__VerifyLastStart@4 proc near
					; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+1D3p
		mov	dl, [ecx+28h]
		test	dl, dl
		jz	short loc_666973
		cmp	dl, 3Fh
		jz	short loc_666973
		mov	al, [ecx+29h]
		test	al, al
		jz	short loc_666973
		cmp	al, 40h
		jnz	short locret_666993

loc_666973:				; CODE XREF: NormBuffer__VerifyLastStart(x)+5j
					; NormBuffer__VerifyLastStart(x)+Aj ...
		mov	eax, [ecx+24h]
		and	dword ptr [ecx+3Ch], 0
		add	eax, 2
		and	dword ptr [ecx+38h], 0
		mov	[ecx+2Ch], eax
		mov	eax, [ecx+20h]
		mov	[ecx+30h], eax
		mov	al, [ecx+29h]
		mov	[ecx+34h], dl
		mov	[ecx+35h], al

locret_666993:				; CODE XREF: NormBuffer__VerifyLastStart(x)+15j
		retn
_NormBuffer__VerifyLastStart@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2231. RtlLargeIntegerDivide

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLargeIntegerDivide(x, x,	x, x, x)
		public _RtlLargeIntegerDivide@20
_RtlLargeIntegerDivide@20 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_C]
		xor	edx, edx
		or	eax, [ebp+arg_8]
		push	esi
		push	edi
		mov	[ebp+var_4], 40h
		mov	esi, edx
		jnz	short loc_6669BE
		push	0C0000094h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_6669BE:				; CODE XREF: RtlLargeIntegerDivide(x,x,x,x,x)+19j
		mov	eax, [ebp+arg_4]
		mov	edi, [ebp+arg_0]
		mov	[ebp+arg_4], eax

loc_6669C7:				; CODE XREF: RtlLargeIntegerDivide(x,x,x,x,x)+77j
		mov	ecx, edx
		lea	eax, [esi+esi]
		shr	ecx, 1Fh
		mov	esi, ecx
		mov	ecx, [ebp+arg_4]
		shr	ecx, 1Fh
		or	esi, eax
		lea	eax, [edx+edx]
		mov	edx, ecx
		or	edx, eax
		mov	ecx, edi
		mov	eax, [ebp+arg_4]
		add	edi, edi
		shr	ecx, 1Fh
		add	eax, eax
		or	ecx, eax
		mov	[ebp+arg_4], ecx
		cmp	esi, [ebp+arg_C]
		ja	short loc_6669FD
		jnz	short loc_666A0C
		cmp	edx, [ebp+arg_8]
		jb	short loc_666A0C

loc_6669FD:				; CODE XREF: RtlLargeIntegerDivide(x,x,x,x,x)+5Bj
		sub	esi, [ebp+arg_C]
		or	edi, 1
		cmp	edx, [ebp+arg_8]
		jnb	short loc_666A09
		dec	esi

loc_666A09:				; CODE XREF: RtlLargeIntegerDivide(x,x,x,x,x)+6Dj
		sub	edx, [ebp+arg_8]

loc_666A0C:				; CODE XREF: RtlLargeIntegerDivide(x,x,x,x,x)+5Dj
					; RtlLargeIntegerDivide(x,x,x,x,x)+62j
		sub	[ebp+var_4], 1
		jnz	short loc_6669C7
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_666A1E
		mov	[eax], edx
		mov	[eax+4], esi

loc_666A1E:				; CODE XREF: RtlLargeIntegerDivide(x,x,x,x,x)+7Ej
		mov	eax, edi
		mov	edx, ecx
		pop	edi
		pop	esi
		leave
		retn	14h
_RtlLargeIntegerDivide@20 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2260. RtlNotifyFeatureUsage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlNotifyFeatureUsage(x)
		public _RtlNotifyFeatureUsage@4
_RtlNotifyFeatureUsage@4 proc near	; CODE XREF: wil_details_FeatureReporting_ReportUsageToServiceDirect(x,x,x,x,x)+91p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		call	_CmFcManagerNotifyFeatureUsage@8 ; CmFcManagerNotifyFeatureUsage(x,x)
		pop	ebp
		retn	4
_RtlNotifyFeatureUsage@4 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 2289. RtlQueryFeatureConfigurationChangeStamp

;  S U B	R O U T	I N E 


; __stdcall RtlQueryFeatureConfigurationChangeStamp()
		public _RtlQueryFeatureConfigurationChangeStamp@0
_RtlQueryFeatureConfigurationChangeStamp@0 proc	near
		mov	ecx, offset dword_6CE12C
		jmp	_RtlpFcReadHighLowHigh@4 ; RtlpFcReadHighLowHigh(x)
_RtlQueryFeatureConfigurationChangeStamp@0 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2312. RtlRegisterFeatureConfigurationChangeNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlRegisterFeatureConfigurationChangeNotification(x, x, x, x)
		public _RtlRegisterFeatureConfigurationChangeNotification@16
_RtlRegisterFeatureConfigurationChangeNotification@16 proc near
					; CODE XREF: wil_details_RegisterFeatureStagingChangeNotification(x,x)+11p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_KeGetEffectiveIrql@0 ;	KeGetEffectiveIrql()
		mov	dl, al
		cmp	dl, 1
		jbe	short loc_666A7D
		xor	ecx, ecx
		call	KeIsBugCheckActive
		test	al, al
		jnz	short loc_666A76
		cmp	ds:_PoPowerDownActionInProgress, cl
		jz	short loc_666A92

loc_666A76:				; CODE XREF: RtlRegisterFeatureConfigurationChangeNotification(x,x,x,x)+1Aj
		mov	eax, 0C00000BBh
		jmp	short loc_666A8E
; 

loc_666A7D:				; CODE XREF: RtlRegisterFeatureConfigurationChangeNotification(x,x,x,x)+Fj
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	_CmFcRegisterFeatureConfigurationChangeNotification@16 ; CmFcRegisterFeatureConfigurationChangeNotification(x,x,x,x)

loc_666A8E:				; CODE XREF: RtlRegisterFeatureConfigurationChangeNotification(x,x,x,x)+29j
		pop	ebp
		retn	10h
; 

loc_666A92:				; CODE XREF: RtlRegisterFeatureConfigurationChangeNotification(x,x,x,x)+22j
		push	dword ptr [ebp+4]
		movzx	eax, dl
		push	0
		push	eax
		push	offset _RtlQueryFeatureConfiguration@16	; RtlQueryFeatureConfiguration(x,x,x,x)
		push	0Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_RtlRegisterFeatureConfigurationChangeNotification@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrpArmProcessRelocation(x,	x, x, x)
_LdrpArmProcessRelocation@16 proc near	; CODE XREF: LdrpThumbProcessRelocation(x,x,x,x)+13Ap
					; LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)+73p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, word ptr [ecx]
		mov	ecx, 5000h
		push	ebx
		push	edi
		mov	edi, eax
		xor	ebx, ebx
		and	edi, 0FFCh
		and	eax, 0F000h
		add	edi, edx
		inc	ebx
		cmp	ax, cx
		jz	short loc_666AD5
		xor	ebx, ebx
		jmp	loc_666B55
; 

loc_666AD5:				; CODE XREF: LdrpArmProcessRelocation(x,x,x,x)+24j
		mov	edx, [edi]
		push	esi
		mov	esi, edx
		movzx	eax, dx
		shr	esi, 4
		xor	esi, eax
		mov	eax, edx
		shr	eax, 4
		and	esi, 0FFFh
		movzx	eax, ax
		xor	esi, eax
		mov	eax, [edi+4]
		shr	eax, 4
		movzx	ecx, ax
		movzx	eax, word ptr [edi+4]
		and	ecx, 0FFFFF000h
		and	eax, 0FFFh
		or	ecx, eax
		shl	ecx, 10h
		or	esi, ecx
		add	esi, [ebp+arg_0]
		movzx	eax, si
		mov	ecx, eax
		shr	esi, 10h
		and	ecx, 0F000h
		and	eax, 0FFFh
		shl	ecx, 4
		or	ecx, eax
		mov	eax, 0FFF0F000h
		and	edx, eax
		or	ecx, edx
		mov	edx, esi
		mov	[edi], ecx
		and	edx, 0F000h
		mov	ecx, [edi+4]
		and	esi, 0FFFh
		shl	edx, 4
		and	ecx, eax
		or	edx, ecx
		or	edx, esi
		mov	[edi+4], edx
		pop	esi

loc_666B55:				; CODE XREF: LdrpArmProcessRelocation(x,x,x,x)+28j
		pop	edi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	8
_LdrpArmProcessRelocation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrpGenericProcessRelocation(x, x, x, x)
_LdrpGenericProcessRelocation@16 proc near
					; CODE XREF: LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)+3Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		shr	eax, 0Ch
		and	ecx, 0FFFh
		lea	esi, [edx+ecx]
		xor	edx, edx
		inc	edx
		sub	eax, 0
		jz	short loc_666BE7
		sub	eax, edx
		jz	short loc_666BD8
		sub	eax, edx
		jz	short loc_666BCF
		sub	eax, edx
		jz	short loc_666BC8
		sub	eax, edx
		jz	short loc_666BA5
		sub	eax, 6
		jz	short loc_666B98
		xor	edx, edx
		jmp	short loc_666BE7
; 

loc_666B98:				; CODE XREF: LdrpGenericProcessRelocation(x,x,x,x)+35j
		mov	eax, [ebp+arg_0]
		add	[esi], eax
		mov	eax, [ebp+arg_4]
		adc	[esi+4], eax
		jmp	short loc_666BE7
; 

loc_666BA5:				; CODE XREF: LdrpGenericProcessRelocation(x,x,x,x)+30j
		push	2
		pop	edx
		test	cl, dl
		jnz	short loc_666BE7
		movzx	ecx, word ptr [esi]
		movzx	eax, word ptr [edi+2]
		shl	ecx, 10h
		add	eax, 8000h
		add	ecx, [ebp+arg_0]
		add	eax, ecx
		shr	eax, 10h
		mov	[esi], ax
		jmp	short loc_666BE7
; 

loc_666BC8:				; CODE XREF: LdrpGenericProcessRelocation(x,x,x,x)+2Cj
		mov	eax, [ebp+arg_0]
		add	[esi], eax
		jmp	short loc_666BE7
; 

loc_666BCF:				; CODE XREF: LdrpGenericProcessRelocation(x,x,x,x)+28j
		mov	ax, word ptr [ebp+arg_0]
		add	[esi], ax
		jmp	short loc_666BE7
; 

loc_666BD8:				; CODE XREF: LdrpGenericProcessRelocation(x,x,x,x)+24j
		movzx	ecx, word ptr [esi]
		shl	ecx, 10h
		add	ecx, [ebp+arg_0]
		shr	ecx, 10h
		mov	[esi], cx

loc_666BE7:				; CODE XREF: LdrpGenericProcessRelocation(x,x,x,x)+20j
					; LdrpGenericProcessRelocation(x,x,x,x)+39j ...
		pop	edi
		mov	eax, edx
		pop	esi
		pop	ebp
		retn	8
_LdrpGenericProcessRelocation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrpThumbProcessRelocation(x, x, x,	x)
_LdrpThumbProcessRelocation@16 proc near
					; CODE XREF: LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)+62p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		movzx	eax, word ptr [ecx]
		push	ebx
		mov	ebx, eax
		shr	eax, 0Ch
		and	ebx, 0FFEh
		add	ebx, edx
		mov	[ebp+var_8], ebx
		sub	eax, 5
		jz	loc_666D23
		dec	eax
		sub	eax, 1
		jz	short loc_666C20
		xor	eax, eax
		jmp	loc_666D2E
; 

loc_666C20:				; CODE XREF: LdrpThumbProcessRelocation(x,x,x,x)+28j
		movzx	ecx, word ptr [ebx+4]
		movzx	edx, word ptr [ebx+6]
		mov	eax, ecx
		shl	ecx, 0Bh
		and	eax, 400h
		or	eax, ecx
		add	eax, eax
		movzx	ecx, ax
		movzx	eax, dl
		and	edx, 7000h
		or	ecx, eax
		shl	ecx, 4
		or	ecx, edx
		mov	[ebp+var_4], ecx
		mov	edx, ecx
		push	esi
		movzx	esi, word ptr [ebx]
		mov	ecx, esi
		shl	edx, 0Ch
		and	ecx, 400h
		mov	eax, esi
		shl	eax, 0Bh
		or	ecx, eax
		add	ecx, ecx
		movzx	eax, cx
		or	edx, eax
		push	edi
		movzx	edi, word ptr [ebx+2]
		mov	ebx, edi
		mov	eax, edi
		shr	eax, 4
		and	eax, 700h
		or	edx, eax
		movzx	eax, bl
		or	edx, eax
		mov	ebx, 800h
		add	edx, [ebp+arg_0]
		movzx	eax, dx
		mov	ecx, eax
		mov	[ebp+var_4], edx
		and	ecx, ebx
		mov	edx, eax
		shr	ax, 0Bh
		or	cx, ax
		mov	eax, 0FBF0h
		shr	cx, 1
		and	esi, eax
		or	cx, si
		mov	eax, 8F00h
		mov	esi, [ebp+var_8]
		and	edi, eax
		movzx	eax, dl
		mov	[esi], cx
		mov	ecx, edx
		mov	edx, [ebp+var_4]
		and	ecx, 700h
		shl	ecx, 4
		or	ecx, edi
		shr	edx, 10h
		or	ecx, eax
		mov	edi, 0FBF0h
		mov	[esi+2], cx
		mov	ax, dx
		shr	ax, 0Bh
		mov	ecx, edx
		and	ecx, ebx
		or	cx, ax
		mov	ax, [esi+4]
		shr	cx, 1
		and	ax, di
		or	cx, ax
		mov	edi, 8F00h
		mov	ax, [esi+6]
		mov	[esi+4], cx
		and	ax, di
		mov	ecx, edx
		and	ecx, 700h
		shl	ecx, 4
		or	cx, ax
		movzx	eax, dl
		or	cx, ax
		xor	eax, eax
		mov	[esi+6], cx
		pop	edi
		inc	eax
		pop	esi
		jmp	short loc_666D2E
; 

loc_666D23:				; CODE XREF: LdrpThumbProcessRelocation(x,x,x,x)+1Ej
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_LdrpArmProcessRelocation@16 ; LdrpArmProcessRelocation(x,x,x,x)

loc_666D2E:				; CODE XREF: LdrpThumbProcessRelocation(x,x,x,x)+2Cj
					; LdrpThumbProcessRelocation(x,x,x,x)+132j
		pop	ebx
		leave
		retn	8
_LdrpThumbProcessRelocation@16 endp

; 
		align 8
; Exported entry 2301. RtlQueryValidationRunlevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlQueryValidationRunlevel(x)
		public _RtlQueryValidationRunlevel@4
_RtlQueryValidationRunlevel@4 proc near

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_24], ecx
		stosd
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], ebx
		stosd
		stosd
		stosd
		stosd
		mov	esi, ds:0FFDF0258h
		test	ecx, ecx
		jz	short loc_666DBA
		cmp	esi, 0FFFFFFFFh
		jz	short loc_666DBA
		push	offset dword_404DA8
		push	1
		lea	eax, [ebp+var_1C]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_666DBA
		lea	eax, [ebp+var_20]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		push	[ebp+var_24]
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_666DB2
		cmp	[ebp+var_14], 4
		jnz	short loc_666DB2
		cmp	[ebp+var_10], 4
		jnz	short loc_666DB2
		mov	ebx, [ebp+var_C]

loc_666DB2:				; CODE XREF: RtlQueryValidationRunlevel(x)+69j
					; RtlQueryValidationRunlevel(x)+6Fj ...
		push	[ebp+var_1C]
		call	NtClose

loc_666DBA:				; CODE XREF: RtlQueryValidationRunlevel(x)+35j
					; RtlQueryValidationRunlevel(x)+3Aj ...
		mov	ecx, [ebp+var_4]
		or	esi, ebx
		pop	edi
		mov	eax, esi
		xor	ecx, ebp
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_RtlQueryValidationRunlevel@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2302. RtlRaiseCustomSystemEventTrigger

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlRaiseCustomSystemEventTrigger(x)
		public _RtlRaiseCustomSystemEventTrigger@4
_RtlRaiseCustomSystemEventTrigger@4 proc near

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		xor	eax, eax
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+50h+var_2C]
		xor	edx, edx
		stosd
		mov	[esp+50h+var_40], edx
		mov	[esp+50h+var_3C], edx
		mov	[esp+50h+var_38], edx
		stosd
		mov	[esp+50h+var_34], edx
		mov	[esp+50h+var_30], edx
		stosd
		stosd
		mov	eax, dword ptr ds:_WNF_SEB_DEV_MNF_CUSTOM_NOTIFICATION_RECEIVED
		lea	edi, [esp+50h+var_14]
		mov	[esp+50h+var_1C], eax
		mov	eax, dword ptr ds:loc_409AC2+2
		mov	[esp+50h+var_18], eax
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		test	ecx, ecx
		jnz	short loc_666E3A
		mov	esi, 0C000000Dh
		jmp	loc_666FC3
; 

loc_666E3A:				; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+5Aj
		push	dword ptr [ecx+4]
		lea	eax, [esp+54h+var_34]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+50h+var_14]
		push	eax
		lea	eax, [esp+54h+var_34]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_666FC3
		xor	eax, eax
		mov	ecx, offset _RtlpCtPublishInProgress
		inc	eax
		xchg	eax, [ecx]
		test	eax, eax
		jz	short loc_666E78
		mov	esi, 0C0000001h
		jmp	loc_666FC3
; 

loc_666E78:				; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+98j
		mov	eax, 1000h
		mov	ecx, eax
		mov	[esp+50h+var_44], eax
		call	_RtlpCtAllocateMemory@4	; RtlpCtAllocateMemory(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_666E98
		mov	esi, 0C000009Ah
		jmp	loc_666FAF
; 

loc_666E98:				; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+B8j
		lea	eax, [esp+50h+var_44]
		xor	edi, edi
		push	eax
		push	ebx
		lea	eax, [esp+58h+var_3C]
		push	eax
		push	edi
		push	edi
		lea	eax, [esp+64h+var_1C]
		push	eax
		call	_ZwQueryWnfStateData@24	; ZwQueryWnfStateData(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_666FAF
		push	4
		lea	eax, [esp+54h+var_40]
		push	eax
		push	edi
		push	2
		lea	eax, [esp+60h+var_1C]
		push	eax
		call	_ZwQueryWnfStateNameInformation@20 ; ZwQueryWnfStateNameInformation(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_666FAF
		cmp	[esp+50h+var_40], edi
		jnz	short loc_666EE9
		mov	esi, 0C0000001h
		jmp	loc_666FAF
; 

loc_666EE9:				; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+109j
		push	4
		lea	eax, [esp+54h+var_40]
		push	eax
		push	edi
		push	1
		lea	eax, [esp+60h+var_1C]
		push	eax
		call	_ZwQueryWnfStateNameInformation@20 ; ZwQueryWnfStateNameInformation(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_666FAF
		cmp	[esp+50h+var_40], edi
		jnz	short loc_666F17
		mov	esi, 0C00000ABh
		jmp	loc_666FAF
; 

loc_666F17:				; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+137j
		sub	esp, 10h
		mov	[esp+60h+var_44], 1000h
		mov	edi, esp
		lea	esi, [esp+60h+var_2C]
		lea	eax, [esp+60h+var_44]
		push	eax
		movsd
		lea	eax, [ebx+8]
		push	eax
		push	ecx
		lea	eax, [esp+6Ch+var_14]
		movsd
		push	eax
		movsd
		movsd
		call	_RtlpGetSebDataAndFilterBuffer@40 ; RtlpGetSebDataAndFilterBuffer(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_666FAF
		or	dword ptr [ebx+4], 0FFFFFFFFh
		lea	ecx, [esp+50h+var_38]
		xor	edi, edi
		mov	[ebx], edi
		mov	eax, [esp+50h+var_44]
		and	eax, 0FFFh
		or	eax, 100000h
		shl	eax, 2
		mov	[ebx], eax
		mov	edx, [esp+50h+var_3C]
		call	_RtlpCtContextInit@8 ; RtlpCtContextInit(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_666FA2
		mov	eax, [esp+50h+var_44]
		push	1
		push	[esp+54h+var_3C]
		add	eax, 8
		push	edi
		push	edi
		push	eax
		push	ebx
		lea	eax, [esp+68h+var_1C]
		push	eax
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_666FA2
		mov	ecx, [esp+50h+var_38]
		mov	ecx, [ecx]
		call	_RtlpCtQueueWorkItem@4 ; RtlpCtQueueWorkItem(x)
		jmp	short loc_666FB8
; 

loc_666FA2:				; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+19Ej
					; RtlRaiseCustomSystemEventTrigger(x)+1BFj
		mov	ecx, [esp+50h+var_38]
		test	ecx, ecx
		jz	short loc_666FAF
		call	_RtlpCtContextFree@4 ; RtlpCtContextFree(x)

loc_666FAF:				; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+BFj
					; RtlRaiseCustomSystemEventTrigger(x)+E1j ...
		xor	eax, eax
		mov	ecx, offset _RtlpCtPublishInProgress
		xchg	eax, [ecx]

loc_666FB8:				; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+1CCj
		test	ebx, ebx
		jz	short loc_666FC3
		mov	ecx, ebx
		call	_RtlpCtFreeMemory@4 ; RtlpCtFreeMemory(x)

loc_666FC3:				; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+61j
					; RtlRaiseCustomSystemEventTrigger(x)+86j ...
		mov	ecx, [esp+50h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_RtlRaiseCustomSystemEventTrigger@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpGetSebDataAndFilterBuffer(x, x,	x, x, x, x, x, x, x, x)
_RtlpGetSebDataAndFilterBuffer@40 proc near
					; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+167p

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jz	short loc_667025
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_667025
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_667025
		cmp	[ebp+arg_0], 0
		jz	short loc_667025
		cmp	eax, 24h
		jb	short loc_667025
		push	esi
		push	edi
		mov	edi, edx
		lea	esi, [ebp+arg_10]
		xor	eax, eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_0]
		lea	edi, [edx+10h]
		movsd
		movsd
		movsd
		movsd
		pop	edi
		mov	dword ptr [edx+20h], 10h
		mov	dword ptr [ecx], 24h
		pop	esi
		jmp	short loc_66702A
; 

loc_667025:				; CODE XREF: RtlpGetSebDataAndFilterBuffer(x,x,x,x,x,x,x,x,x,x)+Aj
					; RtlpGetSebDataAndFilterBuffer(x,x,x,x,x,x,x,x,x,x)+11j ...
		mov	eax, 0C000000Dh

loc_66702A:				; CODE XREF: RtlpGetSebDataAndFilterBuffer(x,x,x,x,x,x,x,x,x,x)+4Aj
		pop	ebp
		retn	20h
_RtlpGetSebDataAndFilterBuffer@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpRtlpCtSelfSubscribeCallback(x, x, x, x,	x, x)
_RtlpRtlpCtSelfSubscribeCallback@24 proc near ;	DATA XREF: RtlpCtContextInit(x,x)+51o

arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_8], 8
		jbe	short loc_667046
		mov	ecx, [ebp+arg_14]
		call	_RtlpCtSelfSubscribe@4 ; RtlpCtSelfSubscribe(x)
		jmp	short loc_667048
; 

loc_667046:				; CODE XREF: RtlpRtlpCtSelfSubscribeCallback(x,x,x,x,x,x)+Cj
		xor	eax, eax

loc_667048:				; CODE XREF: RtlpRtlpCtSelfSubscribeCallback(x,x,x,x,x,x)+16j
		pop	ebp
		retn	18h
_RtlpRtlpCtSelfSubscribeCallback@24 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2362. RtlTraceDatabaseAdd

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTraceDatabaseAdd(x, x, x, x)
		public _RtlTraceDatabaseAdd@16
_RtlTraceDatabaseAdd@16	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		call	_RtlpTraceDatabaseAcquireLock@4	; RtlpTraceDatabaseAcquireLock(x)
		push	[ebp+arg_C]	; int
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_8]	; void *
		mov	ecx, [ebp+arg_0]
		call	_RtlpTraceDatabaseInternalAdd@16 ; RtlpTraceDatabaseInternalAdd(x,x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	bl, al
		call	_RtlpTraceDatabaseReleaseLock@4	; RtlpTraceDatabaseReleaseLock(x)
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	10h
_RtlTraceDatabaseAdd@16	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2363. RtlTraceDatabaseCreate

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTraceDatabaseCreate(x, x, x, x, x)
		public _RtlTraceDatabaseCreate@20
_RtlTraceDatabaseCreate@20 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	edi, 100000h
		ja	short loc_667106
		mov	ebx, [ebp+arg_C]
		lea	ecx, ds:10B0h[edi*4]
		push	ebx
		push	6
		and	ecx, 0FFFFF000h
		pop	edx
		call	_RtlpTraceDatabaseAllocate@12 ;	RtlpTraceDatabaseAllocate(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_667106
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_4]
		or	ecx, 2
		mov	[esi+4], ecx
		xor	ecx, ecx
		push	40h		; size_t
		mov	[esi+10h], eax
		lea	eax, [esi+54h]
		push	ecx		; int
		push	eax		; void *
		mov	dword ptr [esi], 0ABCDCCCCh
		mov	[esi+8], ebx
		mov	[esi+0Ch], ecx
		mov	dword ptr [esi+14h], 1000h
		mov	[esi+1Ch], ecx
		mov	[esi+50h], ecx
		mov	[esi+4Ch], ecx
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi
		call	_RtlpTraceDatabaseInitializeLock@4 ; RtlpTraceDatabaseInitializeLock(x)
		test	al, al
		jnz	short loc_66710F
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_667106:				; CODE XREF: RtlTraceDatabaseCreate(x,x,x,x,x)+11j
					; RtlTraceDatabaseCreate(x,x,x,x,x)+30j
		xor	eax, eax

loc_667108:				; CODE XREF: RtlTraceDatabaseCreate(x,x,x,x,x)+EAj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
; 

loc_66710F:				; CODE XREF: RtlTraceDatabaseCreate(x,x,x,x,x)+77j
		mov	eax, [ebp+arg_10]
		mov	[esi+40h], edi
		test	eax, eax
		jnz	short loc_66711E
		mov	eax, offset _RtlStackTraceHashFunction@8 ; RtlStackTraceHashFunction(x,x)

loc_66711E:				; CODE XREF: RtlTraceDatabaseCreate(x,x,x,x,x)+91j
		mov	[esi+48h], eax
		lea	ebx, [esi+94h]
		and	dword ptr [ebx+8], 0
		lea	ecx, [ebx+1Ch]
		mov	dword ptr [ebx], 0ABCDBBBBh
		mov	[ebx+4], esi
		mov	dword ptr [ebx+0Ch], 1000h
		mov	eax, [esi+40h]
		shl	eax, 2
		push	eax		; size_t
		push	0		; int
		push	ecx		; void *
		mov	[esi+0Ch], ebx
		mov	[esi+44h], ecx
		call	_memset
		lea	eax, [esi+1000h]
		mov	[ebx+10h], esi
		mov	[ebx+14h], eax
		add	esp, 0Ch
		mov	eax, [esi+40h]
		add	eax, 7
		lea	eax, [ebx+eax*4]
		mov	[ebx+18h], eax
		mov	eax, esi
		jmp	short loc_667108
_RtlTraceDatabaseCreate@20 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2364. RtlTraceDatabaseDestroy

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTraceDatabaseDestroy(x)
		public _RtlTraceDatabaseDestroy@4
_RtlTraceDatabaseDestroy@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	short loc_6671A4
		push	esi

loc_667188:				; CODE XREF: RtlTraceDatabaseDestroy(x)+2Aj
		mov	esi, [eax+8]
		test	esi, esi
		jnz	short loc_667194
		sub	eax, 94h

loc_667194:				; CODE XREF: RtlTraceDatabaseDestroy(x)+16j
		push	dword ptr [edi+8]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_667188
		pop	esi

loc_6671A4:				; CODE XREF: RtlTraceDatabaseDestroy(x)+Ej
		mov	al, 1
		pop	edi
		pop	ebp
		retn	4
_RtlTraceDatabaseDestroy@4 endp

; 
		align 10h
; Exported entry 2365. RtlTraceDatabaseEnumerate

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTraceDatabaseEnumerate(x, x, x)
		public _RtlTraceDatabaseEnumerate@12
_RtlTraceDatabaseEnumerate@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	_RtlpTraceDatabaseAcquireLock@4	; RtlpTraceDatabaseAcquireLock(x)
		mov	eax, [esi]
		xor	ebx, ebx
		test	eax, eax
		jnz	short loc_6671E0
		mov	[esi], edi
		mov	edx, ebx
		mov	[esi+4], ebx
		mov	eax, [edi+44h]
		mov	[ebp+arg_4], ebx
		mov	ecx, [eax]
		mov	eax, ebx
		jmp	short loc_667214
; 

loc_6671E0:				; CODE XREF: RtlTraceDatabaseEnumerate(x,x,x)+1Bj
		cmp	eax, edi
		jz	short loc_6671E8

loc_6671E4:				; CODE XREF: RtlTraceDatabaseEnumerate(x,x,x)+43j
		xor	bl, bl
		jmp	short loc_66723B
; 

loc_6671E8:				; CODE XREF: RtlTraceDatabaseEnumerate(x,x,x)+32j
		mov	eax, [esi+4]
		mov	edx, eax
		mov	[ebp+arg_4], eax
		cmp	eax, [edi+40h]
		jnb	short loc_6671E4
		mov	ecx, [esi+8]
		jmp	short loc_667217
; 

loc_6671FA:				; CODE XREF: RtlTraceDatabaseEnumerate(x,x,x)+69j
		lea	edx, [eax+1]
		mov	[esi+4], edx
		cmp	edx, [edi+40h]
		jnb	short loc_667220
		mov	eax, [edi+44h]
		mov	ecx, [ebp+arg_4]
		mov	ecx, [eax+ecx*4+4]
		mov	eax, edx
		mov	[ebp+arg_4], eax

loc_667214:				; CODE XREF: RtlTraceDatabaseEnumerate(x,x,x)+2Ej
		mov	[esi+8], ecx

loc_667217:				; CODE XREF: RtlTraceDatabaseEnumerate(x,x,x)+48j
		test	ecx, ecx
		jz	short loc_6671FA
		cmp	edx, [edi+40h]
		jb	short loc_66722B

loc_667220:				; CODE XREF: RtlTraceDatabaseEnumerate(x,x,x)+53j
		test	ecx, ecx
		jnz	short loc_66722B
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		jmp	short loc_66723B
; 

loc_66722B:				; CODE XREF: RtlTraceDatabaseEnumerate(x,x,x)+6Ej
					; RtlTraceDatabaseEnumerate(x,x,x)+72j
		mov	eax, [ebp+arg_8]
		mov	bl, 1
		mov	[eax], ecx
		mov	eax, [esi+8]
		mov	eax, [eax+18h]
		mov	[esi+8], eax

loc_66723B:				; CODE XREF: RtlTraceDatabaseEnumerate(x,x,x)+36j
					; RtlTraceDatabaseEnumerate(x,x,x)+79j
		mov	ecx, edi
		call	_RtlpTraceDatabaseReleaseLock@4	; RtlpTraceDatabaseReleaseLock(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	0Ch
_RtlTraceDatabaseEnumerate@12 endp

; 
		align 10h
; Exported entry 2366. RtlTraceDatabaseFind

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTraceDatabaseFind(x, x, x, x)
		public _RtlTraceDatabaseFind@16
_RtlTraceDatabaseFind@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	_RtlpTraceDatabaseAcquireLock@4	; RtlpTraceDatabaseAcquireLock(x)
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		push	[ebp+arg_8]
		call	_RtlpTraceDatabaseInternalFind@16 ; RtlpTraceDatabaseInternalFind(x,x,x,x)
		mov	bl, al
		test	bl, bl
		jz	short loc_66727A
		inc	dword ptr [esi+50h]

loc_66727A:				; CODE XREF: RtlTraceDatabaseFind(x,x,x,x)+25j
		mov	ecx, esi
		call	_RtlpTraceDatabaseReleaseLock@4	; RtlpTraceDatabaseReleaseLock(x)
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	10h
_RtlTraceDatabaseFind@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2367. RtlTraceDatabaseLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTraceDatabaseLock(x)
		public _RtlTraceDatabaseLock@4
_RtlTraceDatabaseLock@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_RtlpTraceDatabaseAcquireLock@4	; RtlpTraceDatabaseAcquireLock(x)
		pop	ebp
		retn	4
_RtlTraceDatabaseLock@4	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2368. RtlTraceDatabaseUnlock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTraceDatabaseUnlock(x)
		public _RtlTraceDatabaseUnlock@4
_RtlTraceDatabaseUnlock@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_RtlpTraceDatabaseReleaseLock@4	; RtlpTraceDatabaseReleaseLock(x)
		pop	ebp
		retn	4
_RtlTraceDatabaseUnlock@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2369. RtlTraceDatabaseValidate

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTraceDatabaseValidate(x)
		public _RtlTraceDatabaseValidate@4
_RtlTraceDatabaseValidate@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	_RtlpTraceDatabaseAcquireLock@4	; RtlpTraceDatabaseAcquireLock(x)
		mov	edx, [esi+40h]
		test	edx, edx
		jz	short loc_6672DC
		mov	ecx, [esi+44h]

loc_6672D4:				; CODE XREF: RtlTraceDatabaseValidate(x)+20j
		lea	ecx, [ecx+4]
		sub	edx, 1
		jnz	short loc_6672D4

loc_6672DC:				; CODE XREF: RtlTraceDatabaseValidate(x)+15j
		mov	ecx, esi
		call	_RtlpTraceDatabaseReleaseLock@4	; RtlpTraceDatabaseReleaseLock(x)
		mov	al, 1
		pop	esi
		pop	ebp
		retn	4
_RtlTraceDatabaseValidate@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpTraceDatabaseAcquireLock(x)
_RtlpTraceDatabaseAcquireLock@4	proc near ; CODE XREF: RtlTraceDatabaseAdd(x,x,x,x)+9p
					; RtlTraceDatabaseEnumerate(x,x,x)+10p	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		test	byte ptr [esi+4], 4
		jz	short loc_66730D
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [esi+20h]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	[esi+18h], bl
		pop	ebx
		jmp	short loc_667315
; 

loc_66730D:				; CODE XREF: RtlpTraceDatabaseAcquireLock(x)+Aj
		lea	ecx, [esi+20h]
		call	ExAcquireFastMutex

loc_667315:				; CODE XREF: RtlpTraceDatabaseAcquireLock(x)+21j
		mov	eax, large fs:124h
		mov	[esi+1Ch], eax
		mov	al, 1
		pop	edi
		pop	esi
		retn
_RtlpTraceDatabaseAcquireLock@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpTraceDatabaseAllocate(x, x, x)
_RtlpTraceDatabaseAllocate@12 proc near	; CODE XREF: RtlTraceDatabaseCreate(x,x,x,x,x)+27p
					; RtlpTraceDatabaseInternalAdd(x,x,x,x)+70p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		push	ecx
		test	dl, 4
		jz	short loc_667338
		push	200h
		jmp	short loc_66733A
; 

loc_667338:				; CODE XREF: RtlpTraceDatabaseAllocate(x,x,x)+Cj
		push	1

loc_66733A:				; CODE XREF: RtlpTraceDatabaseAllocate(x,x,x)+13j
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	4
_RtlpTraceDatabaseAllocate@12 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpTraceDatabaseInitializeLock(x)
_RtlpTraceDatabaseInitializeLock@4 proc	near
					; CODE XREF: RtlTraceDatabaseCreate(x,x,x,x,x)+70p
		test	byte ptr [ecx+4], 4
		jz	short loc_66734F
		and	dword ptr [ecx+20h], 0
		jmp	short loc_66736A
; 

loc_66734F:				; CODE XREF: RtlpTraceDatabaseInitializeLock(x)+4j
		xor	edx, edx
		mov	dword ptr [ecx+20h], 1
		push	edx
		mov	[ecx+24h], edx
		mov	[ecx+28h], edx
		add	ecx, 2Ch
		push	1
		push	ecx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_66736A:				; CODE XREF: RtlpTraceDatabaseInitializeLock(x)+Aj
		mov	al, 1
		retn
_RtlpTraceDatabaseInitializeLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpTraceDatabaseInternalAdd(void *,int)
_RtlpTraceDatabaseInternalAdd@16 proc near ; CODE XREF:	RtlTraceDatabaseAdd(x,x,x,x)+1Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		push	edi
		mov	edi, ecx
		cmp	esi, 100h
		ja	short loc_6673F1
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_0]
		call	_RtlpTraceDatabaseInternalFind@16 ; RtlpTraceDatabaseInternalFind(x,x,x,x)
		test	al, al
		jz	short loc_6673AD
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_4]
		inc	dword ptr [eax+4]
		test	ecx, ecx
		jz	short loc_6673A6
		mov	[ecx], eax

loc_6673A6:				; CODE XREF: RtlpTraceDatabaseInternalAdd(x,x,x,x)+35j
		inc	dword ptr [edi+50h]

loc_6673A9:				; CODE XREF: RtlpTraceDatabaseInternalAdd(x,x,x,x)+156j
		mov	al, 1
		jmp	short loc_6673F3
; 

loc_6673AD:				; CODE XREF: RtlpTraceDatabaseInternalAdd(x,x,x,x)+28j
		mov	ecx, [edi+0Ch]
		mov	edx, esi
		shl	edx, 2
		add	edx, 20h
		mov	[ebp+var_4], edx
		mov	eax, [ecx+14h]
		sub	eax, [ecx+18h]
		cmp	edx, eax
		jbe	short loc_66742C
		mov	eax, [edi+10h]
		test	eax, eax
		jz	short loc_6673D1
		cmp	[edi+14h], eax
		ja	short loc_6673E8

loc_6673D1:				; CODE XREF: RtlpTraceDatabaseInternalAdd(x,x,x,x)+5Dj
		mov	eax, [edi+8]
		mov	ecx, 1000h
		mov	edx, [edi+4]
		push	eax
		call	_RtlpTraceDatabaseAllocate@12 ;	RtlpTraceDatabaseAllocate(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_6673FA

loc_6673E8:				; CODE XREF: RtlpTraceDatabaseInternalAdd(x,x,x,x)+62j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_6673F1
		mov	[eax], ebx

loc_6673F1:				; CODE XREF: RtlpTraceDatabaseInternalAdd(x,x,x,x)+18j
					; RtlpTraceDatabaseInternalAdd(x,x,x,x)+80j ...
		xor	al, al

loc_6673F3:				; CODE XREF: RtlpTraceDatabaseInternalAdd(x,x,x,x)+3Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_6673FA:				; CODE XREF: RtlpTraceDatabaseInternalAdd(x,x,x,x)+79j
		lea	eax, [ecx+1000h]
		mov	dword ptr [ecx], 0ABCDBBBBh
		mov	[ecx+14h], eax
		mov	edx, 1000h
		mov	[ecx+0Ch], edx
		lea	eax, [ecx+1Ch]
		mov	[ecx+4], edi
		mov	[ecx+10h], ecx
		mov	[ecx+18h], eax
		mov	eax, [edi+0Ch]
		mov	[ecx+8], eax
		add	[edi+14h], edx
		mov	edx, [ebp+var_4]
		mov	[edi+0Ch], ecx

loc_66742C:				; CODE XREF: RtlpTraceDatabaseInternalAdd(x,x,x,x)+56j
		mov	eax, [ecx+14h]
		mov	ebx, [ecx+18h]
		sub	eax, ebx
		cmp	edx, eax
		jbe	short loc_667451
		push	esi
		push	offset ??_C@_0EC@DNEJJGPP@Trace?5database?3?5failing?5attempt@FNODOBFM@	; "Trace database: failing attempt to save"...
		call	_DbgPrint
		mov	eax, [ebp+arg_4]
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_6673F1
		and	dword ptr [eax], 0
		jmp	short loc_6673F1
; 

loc_667451:				; CODE XREF: RtlpTraceDatabaseInternalAdd(x,x,x,x)+C9j
		lea	eax, [ebx+edx]
		mov	[ecx+18h], eax
		lea	eax, [ebx+20h]
		mov	dword ptr [ebx], 0ABCDAAAAh
		mov	[ebx+8], esi
		mov	dword ptr [ebx+4], 1
		mov	[ebx+1Ch], eax
		mov	eax, esi
		and	dword ptr [ebx+0Ch], 0
		and	dword ptr [ebx+10h], 0
		shl	eax, 2
		push	eax		; size_t
		push	[ebp+arg_0]	; void *
		push	dword ptr [ebx+1Ch] ; void *
		call	_memmove
		add	esp, 0Ch
		push	[ebp+arg_0]
		push	esi
		call	dword ptr [edi+48h]
		mov	ecx, [edi+40h]
		xor	edx, edx
		div	ecx
		shr	ecx, 4
		mov	esi, edx
		xor	edx, edx
		mov	eax, esi
		div	ecx
		mov	ecx, [ebp+arg_4]
		lea	eax, [edi+eax*4]
		inc	dword ptr [eax+54h]
		mov	eax, [edi+44h]
		mov	eax, [eax+esi*4]
		mov	[ebx+18h], eax
		mov	eax, [edi+44h]
		mov	[eax+esi*4], ebx
		test	ecx, ecx
		jz	short loc_6674C0
		mov	[ecx], ebx

loc_6674C0:				; CODE XREF: RtlpTraceDatabaseInternalAdd(x,x,x,x)+14Fj
		inc	dword ptr [edi+4Ch]
		jmp	loc_6673A9
_RtlpTraceDatabaseInternalAdd@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpTraceDatabaseInternalFind(x, x,	x, x)
_RtlpTraceDatabaseInternalFind@16 proc near ; CODE XREF: RtlTraceDatabaseFind(x,x,x,x)+1Cp
					; RtlpTraceDatabaseInternalAdd(x,x,x,x)+21p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	ebx, edx
		mov	edi, ecx
		push	ebx
		call	dword ptr [edi+48h]
		mov	esi, eax
		xor	edx, edx
		and	esi, 0Fh
		inc	dword ptr [edi+esi*4+54h]
		div	dword ptr [edi+40h]
		mov	eax, [edi+44h]
		mov	ecx, [eax+edx*4]
		jmp	short loc_66751A
; 

loc_6674F1:				; CODE XREF: RtlpTraceDatabaseInternalFind(x,x,x,x)+54j
		cmp	ebx, [ecx+8]
		jnz	short loc_667517
		xor	edx, edx
		test	ebx, ebx
		jz	short loc_667513
		mov	edi, [ecx+1Ch]
		mov	esi, [ebp+arg_0]
		sub	edi, esi

loc_667504:				; CODE XREF: RtlpTraceDatabaseInternalFind(x,x,x,x)+49j
		mov	eax, [edi+esi]
		cmp	eax, [esi]
		jnz	short loc_667513
		inc	edx
		add	esi, 4
		cmp	edx, ebx
		jb	short loc_667504

loc_667513:				; CODE XREF: RtlpTraceDatabaseInternalFind(x,x,x,x)+32j
					; RtlpTraceDatabaseInternalFind(x,x,x,x)+41j
		cmp	edx, ebx
		jz	short loc_667530

loc_667517:				; CODE XREF: RtlpTraceDatabaseInternalFind(x,x,x,x)+2Cj
		mov	ecx, [ecx+18h]

loc_66751A:				; CODE XREF: RtlpTraceDatabaseInternalFind(x,x,x,x)+27j
		test	ecx, ecx
		jnz	short loc_6674F1
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_667527
		and	[eax], ecx

loc_667527:				; CODE XREF: RtlpTraceDatabaseInternalFind(x,x,x,x)+5Bj
		xor	al, al

loc_667529:				; CODE XREF: RtlpTraceDatabaseInternalFind(x,x,x,x)+73j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_667530:				; CODE XREF: RtlpTraceDatabaseInternalFind(x,x,x,x)+4Dj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_667539
		mov	[eax], ecx

loc_667539:				; CODE XREF: RtlpTraceDatabaseInternalFind(x,x,x,x)+6Dj
		mov	al, 1
		jmp	short loc_667529
_RtlpTraceDatabaseInternalFind@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpTraceDatabaseReleaseLock(x)
_RtlpTraceDatabaseReleaseLock@4	proc near ; CODE XREF: RtlTraceDatabaseAdd(x,x,x,x)+24p
					; RtlTraceDatabaseEnumerate(x,x,x)+8Dp	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	dword ptr [ecx+1Ch], 0
		lea	eax, [ecx+20h]
		test	byte ptr [ecx+4], 4
		jz	short loc_667578
		test	ds:byte_70EFC6,	1
		push	ebx
		mov	bl, [ecx+18h]
		jz	short loc_667568
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_66756D
; 

loc_667568:				; CODE XREF: RtlpTraceDatabaseReleaseLock(x)+1Dj
		xor	ecx, ecx
		lock and [eax],	ecx

loc_66756D:				; CODE XREF: RtlpTraceDatabaseReleaseLock(x)+29j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx
		jmp	short loc_66757F
; 

loc_667578:				; CODE XREF: RtlpTraceDatabaseReleaseLock(x)+10j
		mov	ecx, eax
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_66757F:				; CODE XREF: RtlpTraceDatabaseReleaseLock(x)+39j
		mov	al, 1
		pop	ebp
		retn
_RtlpTraceDatabaseReleaseLock@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CountUTF8ToUnicode(x, x, x)
_CountUTF8ToUnicode@12 proc near	; CODE XREF: RtlUTF8ToUnicodeN+11D6C7p
					; RtlUTF8StringToUnicodeString(x,x,x)+1Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	edx, ecx
		xor	ecx, ecx
		xor	eax, eax
		push	edi
		mov	[ebp+var_8], eax
		lea	ebx, [edx+esi]
		mov	[ebp+var_4], ebx

loc_66759E:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+47j
					; CountUTF8ToUnicode(x,x,x)+67j ...
		cmp	edx, ebx
		jnb	loc_667771
		movsx	edi, byte ptr [edx]
		inc	edx
		test	ecx, ecx
		jnz	short loc_6675B2
		mov	ecx, edi
		jmp	short loc_66762B
; 

loc_6675B2:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+29j
		mov	eax, edi
		and	al, 0C0h
		cmp	al, 80h
		jz	short loc_6675CC
		sar	ecx, 1Eh
		dec	edx
		add	esi, ecx

loc_6675C0:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+7Aj
					; CountUTF8ToUnicode(x,x,x)+83j ...
		inc	esi
		mov	[ebp+var_8], 107h
		xor	ecx, ecx
		jmp	short loc_66759E
; 

loc_6675CC:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+35j
		and	edi, 3Fh
		shl	ecx, 6
		or	ecx, edi
		test	ecx, 20000000h
		jnz	short loc_667611
		test	ecx, 10000000h
		jz	short loc_6675FF
		test	ecx, 800000h
		jnz	short loc_66759E
		mov	eax, ecx
		and	eax, 1F0h
		sub	eax, 10h
		cmp	eax, 0F0h
		jbe	short loc_66759E
		jmp	short loc_6675C0
; 

loc_6675FF:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+5Fj
		mov	eax, ecx
		and	eax, 3E0h
		jz	short loc_6675C0
		cmp	eax, 360h
		jnz	short loc_66759E
		jmp	short loc_6675C0
; 

loc_667611:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+57j
					; CountUTF8ToUnicode(x,x,x)+ABj
		mov	eax, ebx
		sub	eax, edx
		cmp	eax, 0Dh
		ja	short loc_66767B

loc_66761A:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+A6j
		cmp	edx, ebx
		jnb	loc_66776F
		movsx	ecx, byte ptr [edx]
		inc	edx
		cmp	ecx, 7Fh
		jbe	short loc_66761A

loc_66762B:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+2Dj
		cmp	ecx, 7Fh
		jbe	short loc_667611
		dec	esi
		test	cl, 40h
		jz	short loc_6675C0
		test	cl, 20h
		jz	short loc_667664
		mov	eax, ecx
		and	eax, 0Fh
		test	cl, 10h
		mov	ecx, eax
		jz	short loc_66765C
		cmp	ecx, 4
		ja	loc_6675C0
		or	ecx, 504D0C00h

loc_667656:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+DFj
		dec	esi
		jmp	loc_66759E
; 

loc_66765C:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+C2j
		or	ecx, 48228000h
		jmp	short loc_667656
; 

loc_667664:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+B6j
		and	ecx, 1Fh
		cmp	ecx, 1
		jbe	loc_6675C0
		or	ecx, 800000h
		jmp	loc_66759E
; 

loc_66767B:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+95j
		add	ebx, 0FFFFFFF9h
		jmp	loc_667758
; 

loc_667683:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+1D7j
		movsx	ecx, byte ptr [edx]
		inc	edx
		cmp	ecx, 7Fh
		ja	short loc_6676E9
		test	dl, 1
		jz	short loc_66769A
		movsx	ecx, byte ptr [edx]
		inc	edx
		cmp	ecx, 7Fh
		ja	short loc_6676E9

loc_66769A:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+10Cj
		test	dl, 2
		jz	short loc_6676AD
		movzx	ecx, word ptr [edx]
		test	ecx, 8080h
		jnz	short loc_6676E0
		add	edx, 2

loc_6676AD:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+11Aj
		mov	edi, 80808080h

loc_6676B2:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+15Bj
		cmp	edx, ebx
		jnb	loc_667765
		mov	eax, [edx+4]
		mov	ecx, [edx]
		or	eax, ecx
		test	eax, edi
		jnz	short loc_6676E0
		add	edx, 8
		cmp	edx, ebx
		jnb	loc_667765
		mov	eax, [edx+4]
		mov	ecx, [edx]
		or	eax, ecx
		test	eax, edi
		jnz	short loc_6676E0
		add	edx, 8
		jmp	short loc_6676B2
; 

loc_6676E0:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+125j
					; CountUTF8ToUnicode(x,x,x)+140j ...
		movzx	ecx, cl
		inc	edx
		cmp	ecx, 7Fh
		jbe	short loc_667758

loc_6676E9:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+107j
					; CountUTF8ToUnicode(x,x,x)+115j
		movsx	edi, byte ptr [edx]
		inc	edx
		test	cl, 40h
		jz	short loc_667762
		mov	eax, edi
		and	al, 0C0h
		cmp	al, 80h
		jnz	short loc_667762
		test	cl, 20h
		jz	short loc_667752
		mov	eax, ecx
		and	edi, 3Fh
		and	eax, 0Fh
		shl	eax, 6
		or	eax, edi
		test	cl, 10h
		jz	short loc_667734
		movsx	ecx, byte ptr [edx]
		shr	eax, 4
		dec	eax
		cmp	eax, 0Fh
		ja	short loc_667762
		and	cl, 0C0h
		cmp	cl, 80h
		jnz	short loc_667762
		mov	al, [edx+1]
		and	al, 0C0h
		cmp	al, cl
		jnz	short loc_667762
		push	2
		dec	esi
		pop	eax
		jmp	short loc_66774E
; 

loc_667734:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+18Cj
		and	eax, 3E0h
		jz	short loc_667762
		cmp	eax, 360h
		jz	short loc_667762
		mov	al, [edx]
		and	al, 0C0h
		cmp	al, 80h
		jnz	short loc_667762
		xor	eax, eax
		dec	esi
		inc	eax

loc_66774E:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+1AFj
		add	edx, eax
		jmp	short loc_667757
; 

loc_667752:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+17Aj
		test	cl, 1Eh
		jz	short loc_667762

loc_667757:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+1CDj
		dec	esi

loc_667758:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+FBj
					; CountUTF8ToUnicode(x,x,x)+164j
		cmp	edx, ebx
		jb	loc_667683
		jmp	short loc_667765
; 

loc_667762:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+16Dj
					; CountUTF8ToUnicode(x,x,x)+175j ...
		sub	edx, 2

loc_667765:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+131j
					; CountUTF8ToUnicode(x,x,x)+147j ...
		mov	ebx, [ebp+var_4]
		xor	ecx, ecx
		jmp	loc_66759E
; 

loc_66776F:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+99j
		xor	ecx, ecx

loc_667771:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+1Dj
		test	ecx, ecx
		jz	short loc_667782
		sar	ecx, 1Eh
		inc	esi
		mov	eax, 107h
		add	esi, ecx
		jmp	short loc_667785
; 

loc_667782:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+1F0j
		mov	eax, [ebp+var_8]

loc_667785:				; CODE XREF: CountUTF8ToUnicode(x,x,x)+1FDj
		mov	ecx, [ebp+arg_0]
		lea	edx, [esi+esi]
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx], edx
		leave
		retn	4
_CountUTF8ToUnicode@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcReadHighLowHigh(x)
_RtlpFcReadHighLowHigh@4 proc near	; CODE XREF: RtlQueryFeatureConfigurationChangeStamp()+5j
					; CmFcManagerRegisterFeatureConfigurationChangeNotification(x,x,x,x,x)+8Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		mov	[ebp+var_4], eax
		push	edi
		mov	[ebp+var_8], eax
		mov	edx, [esi+4]
		mov	edi, [esi]
		mov	[ebp+var_4], eax
		mov	eax, [esi+8]
		cmp	edx, eax
		jz	short loc_6677CA

loc_6677B6:				; CODE XREF: RtlpFcReadHighLowHigh(x)+34j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	edx, [esi+4]
		mov	edi, [esi]
		mov	ecx, [esi+8]
		cmp	edx, ecx
		jnz	short loc_6677B6

loc_6677CA:				; CODE XREF: RtlpFcReadHighLowHigh(x)+20j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
_RtlpFcReadHighLowHigh@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcAddDelayedUsageReportToBuffer(x, x)
_RtlpFcAddDelayedUsageReportToBuffer@8 proc near
					; CODE XREF: CmFcManagerNotifyFeatureUsage(x,x)+54p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_14], edx
		push	edi
		push	40h
		xor	edx, edx
		mov	[ebp+var_18], ebx
		pop	esi
		lea	eax, [ebx+8]
		mov	[ebp+var_4], edx
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], eax
		jmp	short loc_66780C
; 

loc_6677F6:				; CODE XREF: RtlpFcAddDelayedUsageReportToBuffer(x,x)+43j
		lea	ecx, [edi+1]
		mov	eax, edi
		lock cmpxchg [ebx], ecx
		cmp	eax, edi
		jz	short loc_667823
		lea	eax, [ebp+var_4]
		push	eax
		call	_RtlBackoff@4	; RtlBackoff(x)

loc_66780C:				; CODE XREF: RtlpFcAddDelayedUsageReportToBuffer(x,x)+24j
		mov	edi, [ebx]
		mov	[ebp+var_8], edi
		cmp	edi, esi
		jnz	short loc_6677F6
		mov	eax, 0C000009Ah
		lock inc dword ptr [ebx+4]

loc_66781E:				; CODE XREF: RtlpFcAddDelayedUsageReportToBuffer(x,x)+11Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_667823:				; CODE XREF: RtlpFcAddDelayedUsageReportToBuffer(x,x)+31j
		lea	eax, [edi+1]
		mov	[ebp+var_10], eax

loc_667829:				; CODE XREF: RtlpFcAddDelayedUsageReportToBuffer(x,x)+101j
		mov	ecx, [ebp+var_20]
		cmp	edi, ecx
		mov	[ebp+var_4], ecx
		sbb	eax, eax
		and	eax, edi
		xor	edx, edx
		mov	[ebp+var_C], eax
		lea	ebx, [ecx-1]
		mov	edi, eax

loc_66783F:				; CODE XREF: RtlpFcAddDelayedUsageReportToBuffer(x,x)+EAj
		mov	eax, ebx
		mov	[ebp+var_C], edx
		sub	eax, edi
		inc	eax
		cmp	eax, 1
		jnb	short loc_667851
		or	esi, 0FFFFFFFFh
		jmp	short loc_6678AA
; 

loc_667851:				; CODE XREF: RtlpFcAddDelayedUsageReportToBuffer(x,x)+7Aj
		mov	esi, [ebp+var_1C]
		mov	eax, ebx
		shr	eax, 5
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		and	ecx, 1Fh
		shl	edx, cl
		lea	eax, [esi+eax*4]
		dec	edx
		mov	[ebp+var_C], eax
		mov	eax, edi
		shr	eax, 5
		lea	esi, [esi+eax*4]
		mov	eax, [esi]
		or	eax, edx
		or	edx, 0FFFFFFFFh
		cmp	eax, edx
		jnz	short loc_66788D
		mov	ecx, [ebp+var_C]

loc_667880:				; CODE XREF: RtlpFcAddDelayedUsageReportToBuffer(x,x)+BBj
		add	esi, 4
		cmp	esi, ecx
		ja	short loc_6678BC
		mov	eax, [esi]
		cmp	eax, edx
		jz	short loc_667880

loc_66788D:				; CODE XREF: RtlpFcAddDelayedUsageReportToBuffer(x,x)+ABj
		sub	esi, [ebp+var_1C]
		not	eax
		bsf	eax, eax
		sar	esi, 2
		shl	esi, 5
		add	esi, eax
		cmp	esi, ebx
		ja	short loc_6678BC
		cmp	esi, edx
		jnz	short loc_6678C0

loc_6678A5:				; CODE XREF: RtlpFcAddDelayedUsageReportToBuffer(x,x)+EEj
		mov	ecx, [ebp+var_4]
		xor	edx, edx

loc_6678AA:				; CODE XREF: RtlpFcAddDelayedUsageReportToBuffer(x,x)+7Fj
		test	edi, edi
		jz	short loc_6678C0
		mov	ebx, [ebp+var_10]
		cmp	ebx, ecx
		jbe	short loc_6678B7
		mov	ebx, ecx

loc_6678B7:				; CODE XREF: RtlpFcAddDelayedUsageReportToBuffer(x,x)+E3j
		dec	ebx
		mov	edi, edx
		jmp	short loc_66783F
; 

loc_6678BC:				; CODE XREF: RtlpFcAddDelayedUsageReportToBuffer(x,x)+B5j
					; RtlpFcAddDelayedUsageReportToBuffer(x,x)+CFj
		mov	esi, edx
		jmp	short loc_6678A5
; 

loc_6678C0:				; CODE XREF: RtlpFcAddDelayedUsageReportToBuffer(x,x)+D3j
					; RtlpFcAddDelayedUsageReportToBuffer(x,x)+DCj
		push	1
		push	esi
		lea	eax, [ebp+var_20]
		push	eax
		call	RtlInterlockedSetClearRun
		mov	edi, [ebp+var_8]
		test	eax, eax
		jz	loc_667829
		mov	edx, [ebp+var_14]
		mov	ebx, [ebp+var_18]
		imul	ecx, esi, 0Ch
		mov	eax, [edx]
		mov	[ecx+ebx+14h], eax
		mov	eax, [edx+4]
		mov	[ecx+ebx+18h], eax
		xor	eax, eax
		jmp	loc_66781E
_RtlpFcAddDelayedUsageReportToBuffer@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpIsValidFeatureConfigurationPriority(x)
_RtlpIsValidFeatureConfigurationPriority@4 proc	near
					; CODE XREF: RtlpFcAreSortedFeatureUpdatesValid(x,x)+3Ep
		push	0Fh
		pop	eax
		cmp	eax, ecx
		sbb	al, al
		inc	al
		retn
_RtlpIsValidFeatureConfigurationPriority@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpIsValidFeatureEnabledState(x)
_RtlpIsValidFeatureEnabledState@4 proc near
					; CODE XREF: RtlpFcValidateFeatureConfiguration(x)+Bp
					; RtlpFcAreSortedFeatureUpdatesValid(x,x)+53p
		xor	eax, eax
		inc	eax
		test	ecx, ecx
		jz	short locret_667910
		cmp	ecx, eax
		jz	short locret_667910
		cmp	ecx, 2
		jz	short locret_667910
		xor	al, al

locret_667910:				; CODE XREF: RtlpIsValidFeatureEnabledState(x)+5j
					; RtlpIsValidFeatureEnabledState(x)+9j	...
		retn
_RtlpIsValidFeatureEnabledState@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpIsValidFeatureEnabledStateOptions(x)
_RtlpIsValidFeatureEnabledStateOptions@4 proc near
					; CODE XREF: RtlpFcValidateFeatureConfiguration(x)+22p
					; RtlpFcAreSortedFeatureUpdatesValid(x,x)+5Fp
		xor	eax, eax
		inc	eax
		test	ecx, ecx
		jz	short locret_66791E
		cmp	ecx, eax
		jz	short locret_66791E
		xor	al, al

locret_66791E:				; CODE XREF: RtlpIsValidFeatureEnabledStateOptions(x)+5j
					; RtlpIsValidFeatureEnabledStateOptions(x)+9j
		retn
_RtlpIsValidFeatureEnabledStateOptions@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpIsValidFeatureVariant(x)
_RtlpIsValidFeatureVariant@4 proc near	; CODE XREF: RtlpFcAreSortedFeatureUpdatesValid(x,x)+6Cp
		cmp	ecx, 40h
		setb	al
		retn
_RtlpIsValidFeatureVariant@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpIsValidFeatureVariantPayloadKind(x)
_RtlpIsValidFeatureVariantPayloadKind@4	proc near
					; CODE XREF: RtlpFcAreSortedFeatureUpdatesValid(x,x)+78p
		cmp	ecx, 4
		setb	al
		retn
_RtlpIsValidFeatureVariantPayloadKind@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlWriteTryAcquireTickLock(x)
_RtlWriteTryAcquireTickLock@4 proc near	; CODE XREF: KeFreezeExecution(x,x)+2A4p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, 0FFDF0340h
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax]
		mov	esi, [eax+4]
		mov	[ebp+var_8], eax
		mov	eax, edi
		mov	[ebp+var_4], esi
		jmp	short loc_667975
; 

loc_66794B:				; CODE XREF: RtlWriteTryAcquireTickLock(x)+4Ej
		mov	ebx, edi
		mov	ecx, esi
		add	ebx, 1
		mov	eax, edi
		mov	edx, esi
		adc	ecx, 0
		nop
		mov	esi, [ebp+var_8]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_4]
		cmp	edi, eax
		jnz	short loc_66796C
		cmp	esi, edx
		jz	short loc_667984

loc_66796C:				; CODE XREF: RtlWriteTryAcquireTickLock(x)+39j
		mov	esi, edx
		mov	edi, eax
		mov	[ebp+var_4], esi
		pause

loc_667975:				; CODE XREF: RtlWriteTryAcquireTickLock(x)+1Cj
		and	eax, 1
		or	eax, 0
		jz	short loc_66794B
		xor	al, al

loc_66797F:				; CODE XREF: RtlWriteTryAcquireTickLock(x)+59j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_667984:				; CODE XREF: RtlWriteTryAcquireTickLock(x)+3Dj
		mov	al, 1
		jmp	short loc_66797F
_RtlWriteTryAcquireTickLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpCopyLegacyContextAmd64(x, x, x,	x)
_RtlpCopyLegacyContextAmd64@16 proc near ; CODE	XREF: RtlpCopyLegacyContext+10E084p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, esi
		and	edi, 67FFFFFFh
		mov	[edx+30h], edi
		test	cl, cl
		jz	loc_667AB9
		push	ebx
		mov	ebx, [ebp+arg_4]
		test	esi, 40000000h
		jz	short loc_6679BE
		mov	eax, [ebx+30h]
		and	eax, 98000000h
		or	eax, edi
		mov	[edx+30h], eax

loc_6679BE:				; CODE XREF: RtlpCopyLegacyContextAmd64(x,x,x,x)+27j
		mov	ecx, 100001h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_667A11
		mov	eax, [ebx+0F8h]
		mov	[edx+0F8h], eax
		mov	eax, [ebx+0FCh]
		mov	[edx+0FCh], eax
		mov	ax, [ebx+38h]
		mov	[edx+38h], ax
		mov	ax, [ebx+42h]
		mov	[edx+42h], ax
		mov	eax, [ebx+98h]
		mov	[edx+98h], eax
		mov	eax, [ebx+9Ch]
		mov	[edx+9Ch], eax
		mov	eax, [ebx+44h]
		mov	[edx+44h], eax

loc_667A11:				; CODE XREF: RtlpCopyLegacyContextAmd64(x,x,x,x)+41j
		mov	ecx, 100002h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_667A3D
		push	8
		pop	ecx
		lea	esi, [ebx+78h]
		lea	edi, [edx+78h]
		rep movsd
		push	16h
		lea	esi, [ebx+0A0h]
		lea	edi, [edx+0A0h]
		pop	ecx
		rep movsd
		mov	esi, [ebp+arg_0]

loc_667A3D:				; CODE XREF: RtlpCopyLegacyContextAmd64(x,x,x,x)+94j
		mov	ecx, 100004h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_667A6A
		mov	ax, [ebx+40h]
		mov	[edx+40h], ax
		mov	ax, [ebx+3Eh]
		mov	[edx+3Eh], ax
		mov	ax, [ebx+3Ch]
		mov	[edx+3Ch], ax
		mov	ax, [ebx+3Ah]
		mov	[edx+3Ah], ax

loc_667A6A:				; CODE XREF: RtlpCopyLegacyContextAmd64(x,x,x,x)+C0j
		mov	ecx, 100008h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_667A91
		mov	eax, [ebx+34h]
		lea	esi, [ebx+100h]
		push	68h
		lea	edi, [edx+100h]
		mov	[edx+34h], eax
		pop	ecx
		rep movsd
		mov	esi, [ebp+arg_0]

loc_667A91:				; CODE XREF: RtlpCopyLegacyContextAmd64(x,x,x,x)+EDj
		mov	eax, 100010h
		and	esi, eax
		cmp	esi, eax
		jnz	short loc_667AB8
		push	0Ch
		pop	ecx
		lea	esi, [ebx+48h]
		lea	edi, [edx+48h]
		rep movsd
		push	8
		lea	esi, [ebx+4B0h]
		lea	edi, [edx+4B0h]
		pop	ecx
		rep movsd

loc_667AB8:				; CODE XREF: RtlpCopyLegacyContextAmd64(x,x,x,x)+112j
		pop	ebx

loc_667AB9:				; CODE XREF: RtlpCopyLegacyContextAmd64(x,x,x,x)+17j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_RtlpCopyLegacyContextAmd64@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpCopyLegacyContextArm64(x, x, x,	x)
_RtlpCopyLegacyContextArm64@16 proc near ; CODE	XREF: RtlpCopyLegacyContext+10E0B2p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, esi
		and	edi, 67FFFFFFh
		mov	[edx], edi
		test	cl, cl
		jz	loc_667C47
		push	ebx
		mov	ebx, [ebp+arg_4]
		test	esi, 40000000h
		jz	short loc_667AF2
		mov	eax, [ebx]
		and	eax, 98000000h
		or	eax, edi
		mov	[edx], eax

loc_667AF2:				; CODE XREF: RtlpCopyLegacyContextArm64(x,x,x,x)+26j
		mov	ecx, 400001h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_667B35
		mov	eax, [ebx+108h]
		mov	[edx+108h], eax
		mov	eax, [ebx+10Ch]
		mov	[edx+10Ch], eax
		mov	eax, [ebx+100h]
		mov	[edx+100h], eax
		mov	eax, [ebx+104h]
		mov	[edx+104h], eax
		mov	eax, [ebx+4]
		mov	[edx+4], eax

loc_667B35:				; CODE XREF: RtlpCopyLegacyContextArm64(x,x,x,x)+3Ej
		mov	ecx, 400002h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_667B91
		push	24h
		pop	ecx
		lea	esi, [ebx+8]
		lea	edi, [edx+8]
		rep movsd
		push	14h
		lea	esi, [ebx+0A0h]
		lea	edi, [edx+0A0h]
		pop	ecx
		rep movsd
		mov	eax, [ebx+0F0h]
		mov	esi, [ebp+arg_0]
		mov	[edx+0F0h], eax
		mov	eax, [ebx+0F4h]
		mov	[edx+0F4h], eax
		mov	eax, [ebx+0F8h]
		mov	[edx+0F8h], eax
		mov	eax, [ebx+0FCh]
		mov	[edx+0FCh], eax

loc_667B91:				; CODE XREF: RtlpCopyLegacyContextArm64(x,x,x,x)+81j
		mov	ecx, 400010h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_667BB6
		mov	eax, [ebx+98h]
		mov	[edx+98h], eax
		mov	eax, [ebx+9Ch]
		mov	[edx+9Ch], eax

loc_667BB6:				; CODE XREF: RtlpCopyLegacyContextArm64(x,x,x,x)+DDj
		mov	ecx, 400004h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_667BF1
		mov	eax, [ebx+310h]
		lea	esi, [ebx+110h]
		mov	[edx+310h], eax
		lea	edi, [edx+110h]
		mov	eax, [ebx+314h]
		mov	ecx, 80h
		mov	[edx+314h], eax
		rep movsd
		mov	esi, [ebp+arg_0]

loc_667BF1:				; CODE XREF: RtlpCopyLegacyContextArm64(x,x,x,x)+102j
		mov	eax, 400008h
		and	esi, eax
		cmp	esi, eax
		jnz	short loc_667C46
		push	10h
		pop	ecx
		lea	esi, [ebx+338h]
		lea	edi, [edx+338h]
		rep movsd
		push	8
		lea	esi, [ebx+318h]
		lea	edi, [edx+318h]
		pop	ecx
		rep movsd
		lea	esi, [ebx+380h]
		lea	edi, [edx+380h]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebx+378h]
		mov	[edx+378h], eax
		mov	eax, [ebx+37Ch]
		mov	[edx+37Ch], eax

loc_667C46:				; CODE XREF: RtlpCopyLegacyContextArm64(x,x,x,x)+13Bj
		pop	ebx

loc_667C47:				; CODE XREF: RtlpCopyLegacyContextArm64(x,x,x,x)+16j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_RtlpCopyLegacyContextArm64@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpCopyLegacyContextArm(x,	x, x, x)
_RtlpCopyLegacyContextArm@16 proc near	; CODE XREF: RtlpCopyLegacyContext+10E099p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, esi
		and	edi, 67FFFFFFh
		mov	[edx], edi
		test	cl, cl
		jz	loc_667D27
		push	ebx
		mov	ebx, [ebp+arg_4]
		test	esi, 40000000h
		jz	short loc_667C80
		mov	eax, [ebx]
		and	eax, 98000000h
		or	eax, edi
		mov	[edx], eax

loc_667C80:				; CODE XREF: RtlpCopyLegacyContextArm(x,x,x,x)+26j
		mov	ecx, 200001h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_667CA5
		mov	eax, [ebx+40h]
		mov	[edx+40h], eax
		mov	eax, [ebx+38h]
		mov	[edx+38h], eax
		mov	eax, [ebx+3Ch]
		mov	[edx+3Ch], eax
		mov	eax, [ebx+44h]
		mov	[edx+44h], eax

loc_667CA5:				; CODE XREF: RtlpCopyLegacyContextArm(x,x,x,x)+3Ej
		mov	ecx, 200002h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_667CC0
		push	0Dh
		lea	esi, [ebx+4]
		lea	edi, [edx+4]
		pop	ecx
		rep movsd
		mov	esi, [ebp+arg_0]

loc_667CC0:				; CODE XREF: RtlpCopyLegacyContextArm(x,x,x,x)+63j
		mov	ecx, 200004h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_667CE1
		mov	eax, [ebx+48h]
		lea	esi, [ebx+50h]
		push	40h
		lea	edi, [edx+50h]
		mov	[edx+48h], eax
		pop	ecx
		rep movsd
		mov	esi, [ebp+arg_0]

loc_667CE1:				; CODE XREF: RtlpCopyLegacyContextArm(x,x,x,x)+7Ej
		mov	eax, 200008h
		and	esi, eax
		cmp	esi, eax
		jnz	short loc_667D26
		push	8
		pop	ecx
		lea	esi, [ebx+150h]
		lea	edi, [edx+150h]
		rep movsd
		push	8
		lea	esi, [ebx+170h]
		lea	edi, [edx+170h]
		pop	ecx
		rep movsd
		mov	eax, [ebx+190h]
		mov	[edx+190h], eax
		mov	eax, [ebx+194h]
		mov	[edx+194h], eax

loc_667D26:				; CODE XREF: RtlpCopyLegacyContextArm(x,x,x,x)+9Dj
		pop	ebx

loc_667D27:				; CODE XREF: RtlpCopyLegacyContextArm(x,x,x,x)+16j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_RtlpCopyLegacyContextArm@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlScrubMemory(x, x)
_RtlScrubMemory@8 proc near		; CODE XREF: MiScrubPage(x,x,x,x)+58p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		rdtsc
		mov	edi, eax
		mov	esi, ecx
		shrd	edi, edx, 4
		push	edi
		push	1000h
		push	esi
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_667D81
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	ebx, [esi+1000h]
		and	ecx, esi
		jmp	short loc_667D7C
; 

loc_667D77:				; CODE XREF: RtlScrubMemory(x,x)+51j
		clflush	byte ptr [ecx]
		add	ecx, edx

loc_667D7C:				; CODE XREF: RtlScrubMemory(x,x)+48j
		cmp	ecx, ebx
		jb	short loc_667D77
		pop	ebx

loc_667D81:				; CODE XREF: RtlScrubMemory(x,x)+2Cj
		push	edi
		mov	edi, 1000h
		push	edi
		push	esi
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, edi
		jnz	short loc_667DC2
		mov	ecx, esi
		call	_RtlpGenericBasicMATSPlus@8 ; RtlpGenericBasicMATSPlus(x,x)
		test	al, al
		jz	short loc_667DC2
		mov	ecx, esi
		call	_RtlpGenericBasicInverseCoupling@8 ; RtlpGenericBasicInverseCoupling(x,x)
		test	al, al
		jz	short loc_667DC2
		mov	ecx, esi
		call	_RtlpGenericBasicStride6@8 ; RtlpGenericBasicStride6(x,x)
		test	al, al
		jz	short loc_667DC2
		mov	ecx, esi
		call	_RtlpGenericRandomPatternWorker@8 ; RtlpGenericRandomPatternWorker(x,x)
		test	al, al
		jz	short loc_667DC2
		xor	eax, eax
		jmp	short loc_667DC7
; 

loc_667DC2:				; CODE XREF: RtlScrubMemory(x,x)+63j
					; RtlScrubMemory(x,x)+6Ej ...
		mov	eax, 0C0000709h

loc_667DC7:				; CODE XREF: RtlScrubMemory(x,x)+93j
		pop	edi
		pop	esi
		leave
		retn
_RtlScrubMemory@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFillMemoryRandomDown(x,	x, x, x, x)
_RtlpFillMemoryRandomDown@20 proc near	; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+1E0p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [ecx+1000h]

loc_667DE2:				; CODE XREF: RtlpFillMemoryRandomDown(x,x,x,x,x)+34j
		sub	edi, 8
		mov	eax, esi
		and	eax, 0Fh
		mov	[edi+4], edx
		mov	[edi], esi
		shrd	esi, edx, 4
		xor	esi, [ebx+eax*8]
		shr	edx, 4
		xor	edx, [ebx+eax*8+4]
		cmp	edi, ecx
		jnz	short loc_667DE2
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_RtlpFillMemoryRandomDown@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFillMemoryRandomInvertedDown(x,	x, x, x, x)
_RtlpFillMemoryRandomInvertedDown@20 proc near
					; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+196p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [ebx+1000h]

loc_667E1E:				; CODE XREF: RtlpFillMemoryRandomInvertedDown(x,x,x,x,x)+3Ej
		sub	edi, 8
		mov	eax, edx
		mov	ecx, esi
		not	eax
		not	ecx
		mov	[edi+4], eax
		mov	eax, esi
		mov	[edi], ecx
		and	eax, 0Fh
		mov	ecx, [ebp+arg_8]
		shrd	esi, edx, 4
		shr	edx, 4
		xor	esi, [ecx+eax*8]
		xor	edx, [ecx+eax*8+4]
		cmp	edi, ebx
		jnz	short loc_667E1E
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_RtlpFillMemoryRandomInvertedDown@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFillMemoryRandomInvertedUp(x, x, x, x, x)
_RtlpFillMemoryRandomInvertedUp@20 proc	near
					; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+EEp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		and	[ebp+arg_4], 0
		push	edi
		mov	edi, ecx
		lea	eax, [edi+1000h]
		cmp	eax, edi
		sbb	edx, edx
		and	edx, 0FFFFFE00h
		add	edx, 200h
		jz	short loc_667EAC

loc_667E7B:				; CODE XREF: RtlpFillMemoryRandomInvertedUp(x,x,x,x,x)+5Bj
		mov	eax, esi
		mov	ecx, ebx
		not	eax
		not	ecx
		mov	[edi+4], eax
		mov	eax, ebx
		mov	[edi], ecx
		and	eax, 0Fh
		mov	ecx, [ebp+arg_8]
		lea	edi, [edi+8]
		shrd	ebx, esi, 4
		shr	esi, 4
		xor	ebx, [ecx+eax*8]
		xor	esi, [ecx+eax*8+4]
		mov	eax, [ebp+arg_4]
		inc	eax
		mov	[ebp+arg_4], eax
		cmp	eax, edx
		jb	short loc_667E7B

loc_667EAC:				; CODE XREF: RtlpFillMemoryRandomInvertedUp(x,x,x,x,x)+2Aj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_RtlpFillMemoryRandomInvertedUp@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFillMemoryRandomUp(x, x, x, x, x)
_RtlpFillMemoryRandomUp@20 proc	near	; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+40p
					; RtlpGenericRandomPatternWorker(x,x)+138p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		and	[ebp+arg_4], 0
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [esi+1000h]
		cmp	eax, esi
		sbb	ecx, ecx
		and	ecx, 0FFFFFE00h
		add	ecx, 200h
		jz	short loc_667F09
		push	ebx
		mov	ebx, [ebp+arg_8]

loc_667EE2:				; CODE XREF: RtlpFillMemoryRandomUp(x,x,x,x,x)+53j
		mov	[esi+4], edx
		mov	eax, edi
		mov	[esi], edi
		and	eax, 0Fh
		shrd	edi, edx, 4
		lea	esi, [esi+8]
		shr	edx, 4
		xor	edi, [ebx+eax*8]
		xor	edx, [ebx+eax*8+4]
		mov	eax, [ebp+arg_4]
		inc	eax
		mov	[ebp+arg_4], eax
		cmp	eax, ecx
		jb	short loc_667EE2
		pop	ebx

loc_667F09:				; CODE XREF: RtlpFillMemoryRandomUp(x,x,x,x,x)+29j
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_RtlpFillMemoryRandomUp@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFillMemoryWithInverseStride(x, x, x, x,	x)
_RtlpFillMemoryWithInverseStride@20 proc near
					; CODE XREF: RtlpGenericStrideWorker(x,x,x,x,x)+67p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		lea	esi, [edx+edx]
		mov	eax, edi
		mov	[ebp+var_4], ecx
		shr	eax, 2
		xor	edx, edx
		push	0Ch
		pop	ecx
		div	ecx
		mov	eax, esi
		mov	[ebp+arg_4], ecx
		lea	ebx, [edi+1000h]
		sub	eax, edx
		mov	[ebp+var_8], ebx
		cmp	edx, esi
		jbe	short loc_667F45
		add	eax, ecx

loc_667F45:				; CODE XREF: RtlpFillMemoryWithInverseStride(x,x,x,x,x)+32j
		lea	ecx, [edi+eax*4]
		cmp	ecx, ebx
		jbe	short loc_667F4E
		mov	ecx, ebx

loc_667F4E:				; CODE XREF: RtlpFillMemoryWithInverseStride(x,x,x,x,x)+3Bj
		mov	eax, ecx
		xor	esi, esi
		sub	eax, edi
		add	eax, 3
		shr	eax, 2
		cmp	ecx, edi
		sbb	edx, edx
		not	edx
		and	edx, eax
		jbe	short loc_667F76
		mov	ebx, [ebp+var_4]
		mov	eax, esi

loc_667F69:				; CODE XREF: RtlpFillMemoryWithInverseStride(x,x,x,x,x)+62j
		mov	[edi], ebx
		add	edi, 4
		inc	eax
		cmp	eax, edx
		jb	short loc_667F69
		mov	ebx, [ebp+var_8]

loc_667F76:				; CODE XREF: RtlpFillMemoryWithInverseStride(x,x,x,x,x)+53j
		add	edi, 8
		cmp	ecx, ebx
		jnb	short loc_667FD8
		mov	eax, ebx
		xor	edx, edx
		sub	eax, ecx
		sar	eax, 2
		div	[ebp+arg_4]
		mov	eax, ebx
		shl	edx, 2
		sub	eax, edx
		mov	[ebp+arg_4], eax
		cmp	ecx, eax
		jz	short loc_667FD8
		add	ecx, 30h
		cmp	edi, eax
		jnb	short loc_667FD8
		mov	ebx, eax

loc_667FA0:				; CODE XREF: RtlpFillMemoryWithInverseStride(x,x,x,x,x)+C4j
		mov	eax, ecx
		mov	[ebp+var_C], esi
		sub	eax, edi
		add	eax, 3
		shr	eax, 2
		cmp	ecx, edi
		sbb	edx, edx
		not	edx
		and	edx, eax
		jbe	short loc_667FCB
		mov	eax, esi
		mov	esi, [ebp+var_4]

loc_667FBC:				; CODE XREF: RtlpFillMemoryWithInverseStride(x,x,x,x,x)+B5j
		mov	[edi], esi
		add	edi, 4
		inc	eax
		cmp	eax, edx
		jb	short loc_667FBC
		mov	ebx, [ebp+arg_4]
		xor	esi, esi

loc_667FCB:				; CODE XREF: RtlpFillMemoryWithInverseStride(x,x,x,x,x)+A6j
		add	edi, 8
		add	ecx, 30h
		cmp	edi, ebx
		jb	short loc_667FA0
		mov	ebx, [ebp+var_8]

loc_667FD8:				; CODE XREF: RtlpFillMemoryWithInverseStride(x,x,x,x,x)+6Cj
					; RtlpFillMemoryWithInverseStride(x,x,x,x,x)+86j ...
		mov	eax, ebx
		sub	eax, edi
		add	eax, 3
		shr	eax, 2
		cmp	ebx, edi
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax
		jbe	short loc_667FF9
		mov	eax, [ebp+var_4]

loc_667FEF:				; CODE XREF: RtlpFillMemoryWithInverseStride(x,x,x,x,x)+E8j
		inc	esi
		mov	[edi], eax
		lea	edi, [edi+4]
		cmp	esi, ecx
		jb	short loc_667FEF

loc_667FF9:				; CODE XREF: RtlpFillMemoryWithInverseStride(x,x,x,x,x)+DBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_RtlpFillMemoryWithInverseStride@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFillMemoryWithStride(x,	x, x, x, x)
_RtlpFillMemoryWithStride@20 proc near	; CODE XREF: RtlpGenericStrideWorker(x,x,x,x,x)+1Cp

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edx+edx]
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		mov	eax, ecx
		shr	eax, 2
		push	0Ch
		pop	ebx
		div	ebx
		mov	eax, esi
		sub	eax, edx
		cmp	edx, esi
		jbe	short loc_668026
		add	eax, ebx

loc_668026:				; CODE XREF: RtlpFillMemoryWithStride(x,x,x,x,x)+22j
		lea	eax, [ecx+eax*4]
		add	ecx, 1000h
		jmp	short loc_668039
; 

loc_668031:				; CODE XREF: RtlpFillMemoryWithStride(x,x,x,x,x)+3Bj
		mov	[eax], edi
		mov	[eax+4], edi
		add	eax, 30h

loc_668039:				; CODE XREF: RtlpFillMemoryWithStride(x,x,x,x,x)+2Fj
		cmp	eax, ecx
		jb	short loc_668031
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_RtlpFillMemoryWithStride@20 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpGenericBasicInverseCoupling(x, x)
_RtlpGenericBasicInverseCoupling@8 proc	near ; CODE XREF: RtlScrubMemory(x,x)+72p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		or	edx, 0FFFFFFFFh
		push	ecx
		push	esi
		xor	ecx, ecx
		call	_RtlpGenericInverseCouplingWorker@16 ; RtlpGenericInverseCouplingWorker(x,x,x,x)
		test	al, al
		jnz	short loc_66805B
		pop	esi
		retn
; 

loc_66805B:				; CODE XREF: RtlpGenericBasicInverseCoupling(x,x)+13j
		push	ecx
		push	esi
		xor	edx, edx
		or	ecx, 0FFFFFFFFh
		call	_RtlpGenericInverseCouplingWorker@16 ; RtlpGenericInverseCouplingWorker(x,x,x,x)
		pop	esi
		retn
_RtlpGenericBasicInverseCoupling@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpGenericBasicMATSPlus(x,	x)
_RtlpGenericBasicMATSPlus@8 proc near	; CODE XREF: RtlScrubMemory(x,x)+67p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		or	edx, 0FFFFFFFFh
		push	ecx
		push	esi
		xor	ecx, ecx
		call	_RtlpGenericMATSPlusWorker@16 ;	RtlpGenericMATSPlusWorker(x,x,x,x)
		test	al, al
		jnz	short loc_668080
		pop	esi
		retn
; 

loc_668080:				; CODE XREF: RtlpGenericBasicMATSPlus(x,x)+13j
		push	ecx
		push	esi
		xor	edx, edx
		or	ecx, 0FFFFFFFFh
		call	_RtlpGenericMATSPlusWorker@16 ;	RtlpGenericMATSPlusWorker(x,x,x,x)
		pop	esi
		retn
_RtlpGenericBasicMATSPlus@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpGenericBasicStride6(x, x)
_RtlpGenericBasicStride6@8 proc	near	; CODE XREF: RtlScrubMemory(x,x)+7Dp
		mov	edi, edi
		push	esi
		push	ecx
		mov	esi, ecx
		or	edx, 0FFFFFFFFh
		push	esi
		push	ecx
		xor	ecx, ecx
		call	_RtlpGenericStrideWorker@20 ; RtlpGenericStrideWorker(x,x,x,x,x)
		test	al, al
		jnz	short loc_6680A6
		pop	esi
		retn
; 

loc_6680A6:				; CODE XREF: RtlpGenericBasicStride6(x,x)+14j
		push	ecx
		push	esi
		push	ecx
		xor	edx, edx
		or	ecx, 0FFFFFFFFh
		call	_RtlpGenericStrideWorker@20 ; RtlpGenericStrideWorker(x,x,x,x,x)
		pop	esi
		retn
_RtlpGenericBasicStride6@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpGenericInverseCouplingWorker(x,	x, x, x)
_RtlpGenericInverseCouplingWorker@16 proc near
					; CODE XREF: RtlpGenericBasicInverseCoupling(x,x)+Cp
					; RtlpGenericBasicInverseCoupling(x,x)+1Ep

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		push	edi
		push	1000h
		push	esi
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_66810E
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	eax, [esi+1000h]
		and	ecx, esi
		cmp	ecx, eax
		jnb	short loc_66810E
		mov	esi, eax

loc_668102:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+54j
		clflush	byte ptr [ecx]
		add	ecx, edx
		cmp	ecx, esi
		jb	short loc_668102
		mov	esi, [ebp+arg_0]

loc_66810E:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+2Cj
					; RtlpGenericInverseCouplingWorker(x,x,x,x)+49j
		push	ecx
		push	esi
		mov	edx, edi
		mov	ecx, edi
		call	_RtlpTestAndFillMemoryUp@16 ; RtlpTestAndFillMemoryUp(x,x,x,x)
		test	al, al
		jz	loc_6682A2
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_66815F
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	eax, [esi+1000h]
		and	ecx, esi
		mov	[ebp+var_8], eax
		cmp	ecx, eax
		jnb	short loc_66815F
		mov	esi, eax

loc_668153:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+A5j
		clflush	byte ptr [ecx]
		add	ecx, edx
		cmp	ecx, esi
		jb	short loc_668153
		mov	esi, [ebp+arg_0]

loc_66815F:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+7Aj
					; RtlpGenericInverseCouplingWorker(x,x,x,x)+9Aj
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	_RtlpTestMemory@12 ; RtlpTestMemory(x,x,x)
		test	al, al
		jz	loc_6682A2
		push	edi
		push	1000h
		push	esi
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_6681BB
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	eax, [esi+1000h]
		and	ecx, esi
		mov	[ebp+var_C], eax
		cmp	ecx, eax
		jnb	short loc_6681BB
		mov	esi, eax

loc_6681AF:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+101j
		clflush	byte ptr [ecx]
		add	ecx, edx
		cmp	ecx, esi
		jb	short loc_6681AF
		mov	esi, [ebp+arg_0]

loc_6681BB:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+D6j
					; RtlpGenericInverseCouplingWorker(x,x,x,x)+F6j
		push	ebx
		push	1000h
		push	esi
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_668205
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	eax, [esi+1000h]
		and	ecx, esi
		mov	[ebp+var_10], eax
		cmp	ecx, eax
		jnb	short loc_668205
		mov	esi, eax

loc_6681F9:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+14Bj
		clflush	byte ptr [ecx]
		add	ecx, edx
		cmp	ecx, esi
		jb	short loc_6681F9
		mov	esi, [ebp+arg_0]

loc_668205:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+120j
					; RtlpGenericInverseCouplingWorker(x,x,x,x)+140j
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpTestMemory@12 ; RtlpTestMemory(x,x,x)
		test	al, al
		jz	loc_6682A2
		push	edi
		push	1000h
		push	esi
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_668257
		and	[ebp+var_14], 0
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	edi, [esi+1000h]
		and	ecx, esi
		jmp	short loc_668253
; 

loc_66824E:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+1A0j
		clflush	byte ptr [ecx]
		add	ecx, edx

loc_668253:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+197j
		cmp	ecx, edi
		jb	short loc_66824E

loc_668257:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+17Cj
		lea	edx, [esi+1000h]
		mov	eax, edx

loc_66825F:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+1B1j
		sub	eax, 4
		mov	[eax], ebx
		cmp	eax, esi
		jnz	short loc_66825F
		mov	eax, large fs:20h
		mov	edi, [eax+3B8h]
		test	edi, edi
		jz	short loc_668296
		and	[ebp+var_18], 0
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edi-1]
		not	ecx
		and	ecx, esi
		jmp	short loc_668292
; 

loc_66828D:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+1DFj
		clflush	byte ptr [ecx]
		add	ecx, edi

loc_668292:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+1D6j
		cmp	ecx, edx
		jb	short loc_66828D

loc_668296:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+1C1j
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpTestMemory@12 ; RtlpTestMemory(x,x,x)
		jmp	short loc_6682A4
; 

loc_6682A2:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+66j
					; RtlpGenericInverseCouplingWorker(x,x,x,x)+B6j ...
		xor	al, al

loc_6682A4:				; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+1EBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlpGenericInverseCouplingWorker@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpGenericMATSPlusWorker(x, x, x, x)
_RtlpGenericMATSPlusWorker@16 proc near	; CODE XREF: RtlpGenericBasicMATSPlus(x,x)+Cp
					; RtlpGenericBasicMATSPlus(x,x)+1Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		push	edi
		push	1000h
		push	esi
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_668303
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	eax, [esi+1000h]
		and	ecx, esi
		cmp	ecx, eax
		jnb	short loc_668303
		mov	esi, eax

loc_6682F7:				; CODE XREF: RtlpGenericMATSPlusWorker(x,x,x,x)+53j
		clflush	byte ptr [ecx]
		add	ecx, edx
		cmp	ecx, esi
		jb	short loc_6682F7
		mov	esi, [ebp+arg_0]

loc_668303:				; CODE XREF: RtlpGenericMATSPlusWorker(x,x,x,x)+2Bj
					; RtlpGenericMATSPlusWorker(x,x,x,x)+48j
		push	ecx
		push	esi
		mov	edx, ebx
		mov	ecx, edi
		call	_RtlpTestAndFillMemoryUp@16 ; RtlpTestAndFillMemoryUp(x,x,x,x)
		test	al, al
		jz	short loc_66835B
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_668350
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	eax, [esi+1000h]
		and	ecx, esi
		mov	[ebp+var_8], eax
		cmp	ecx, eax
		jnb	short loc_668350
		mov	esi, eax

loc_668344:				; CODE XREF: RtlpGenericMATSPlusWorker(x,x,x,x)+A0j
		clflush	byte ptr [ecx]
		add	ecx, edx
		cmp	ecx, esi
		jb	short loc_668344
		mov	esi, [ebp+arg_0]

loc_668350:				; CODE XREF: RtlpGenericMATSPlusWorker(x,x,x,x)+75j
					; RtlpGenericMATSPlusWorker(x,x,x,x)+95j
		push	ecx
		push	esi
		mov	edx, edi
		mov	ecx, ebx
		call	_RtlpTestAndFillMemoryDown@16 ;	RtlpTestAndFillMemoryDown(x,x,x,x)

loc_66835B:				; CODE XREF: RtlpGenericMATSPlusWorker(x,x,x,x)+65j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlpGenericMATSPlusWorker@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpGenericRandomPatternWorker(x, x)
_RtlpGenericRandomPatternWorker@8 proc near ; CODE XREF: RtlScrubMemory(x,x)+88p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		mov	[ebp+var_C], edi
		mov	ecx, offset _RtlpSeedGlfsr@0 ; RtlpSeedGlfsr()
		mov	[ebp+var_10], eax

loc_66837C:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+244j
		mov	esi, [ecx]
		mov	ecx, [ecx+4]
		mov	ebx, dword ptr ds:_GlfsrXorLookupTables[eax]
		push	ecx
		rdtsc
		push	ecx
		mov	[ebp+var_4], edx
		mov	edx, eax
		push	esi
		call	_RtlpSpreadBits@20 ; RtlpSpreadBits(x,x,x,x,x)
		mov	esi, eax
		mov	ecx, edi
		mov	eax, edx
		push	ebx
		push	eax
		push	esi
		mov	[ebp+var_4], eax
		call	_RtlpFillMemoryRandomUp@20 ; RtlpFillMemoryRandomUp(x,x,x,x,x)
		mov	ecx, large fs:20h
		mov	eax, [ecx+3B8h]
		test	eax, eax
		jz	short loc_6683E3
		and	[ebp+var_14], 0
		lea	ecx, [ebp+var_14]
		xor	edx, edx
		lock or	[ecx], edx
		lea	ecx, [eax-1]
		not	ecx
		lea	edx, [edi+1000h]
		and	ecx, edi
		cmp	ecx, edx
		jnb	short loc_6683E3
		mov	edi, eax

loc_6683D7:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+7Cj
		clflush	byte ptr [ecx]
		add	ecx, edi
		cmp	ecx, edx
		jb	short loc_6683D7
		mov	edi, [ebp+var_C]

loc_6683E3:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+54j
					; RtlpGenericRandomPatternWorker(x,x)+71j
		push	ebx
		push	[ebp+var_4]
		mov	ecx, edi
		push	esi
		call	_RtlpTestAndFillMemoryRandomUp@20 ; RtlpTestAndFillMemoryRandomUp(x,x,x,x,x)
		test	al, al
		jz	loc_6685B0
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_668435
		and	[ebp+var_18], 0
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	eax, [edi+1000h]
		and	ecx, edi
		mov	[ebp+var_18], eax
		cmp	ecx, eax
		jnb	short loc_668435
		mov	edi, eax

loc_668429:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+CEj
		clflush	byte ptr [ecx]
		add	ecx, edx
		cmp	ecx, edi
		jb	short loc_668429
		mov	edi, [ebp+var_C]

loc_668435:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+A3j
					; RtlpGenericRandomPatternWorker(x,x)+C3j
		push	ebx
		push	[ebp+var_4]
		mov	ecx, edi
		push	esi
		call	_RtlpTestMemoryRandomUp@20 ; RtlpTestMemoryRandomUp(x,x,x,x,x)
		test	al, al
		jz	loc_6685B0
		push	ebx
		push	[ebp+var_4]
		mov	ecx, edi
		push	esi
		call	_RtlpFillMemoryRandomInvertedUp@20 ; RtlpFillMemoryRandomInvertedUp(x,x,x,x,x)
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_668493
		and	[ebp+var_1C], 0
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	eax, [edi+1000h]
		and	ecx, edi
		mov	[ebp+var_1C], eax
		cmp	ecx, eax
		jnb	short loc_668493
		mov	edi, eax

loc_668487:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+12Cj
		clflush	byte ptr [ecx]
		add	ecx, edx
		cmp	ecx, edi
		jb	short loc_668487
		mov	edi, [ebp+var_C]

loc_668493:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+101j
					; RtlpGenericRandomPatternWorker(x,x)+121j
		push	ebx
		push	[ebp+var_4]
		mov	ecx, edi
		push	esi
		call	_RtlpFillMemoryRandomUp@20 ; RtlpFillMemoryRandomUp(x,x,x,x,x)
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_6684DD
		and	[ebp+var_20], 0
		lea	eax, [ebp+var_20]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	eax, [edi+1000h]
		and	ecx, edi
		mov	[ebp+var_20], eax
		cmp	ecx, eax
		jnb	short loc_6684DD
		mov	edi, eax

loc_6684D1:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+176j
		clflush	byte ptr [ecx]
		add	ecx, edx
		cmp	ecx, edi
		jb	short loc_6684D1
		mov	edi, [ebp+var_C]

loc_6684DD:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+14Bj
					; RtlpGenericRandomPatternWorker(x,x)+16Bj
		push	ebx
		push	[ebp+var_4]
		mov	ecx, edi
		push	esi
		call	_RtlpTestMemoryRandomUp@20 ; RtlpTestMemoryRandomUp(x,x,x,x,x)
		test	al, al
		jz	loc_6685B0
		push	ebx
		push	[ebp+var_4]
		mov	ecx, edi
		push	esi
		call	_RtlpFillMemoryRandomInvertedDown@20 ; RtlpFillMemoryRandomInvertedDown(x,x,x,x,x)
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_66853B
		and	[ebp+var_24], 0
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	eax, [edi+1000h]
		and	ecx, edi
		mov	[ebp+var_24], eax
		cmp	ecx, eax
		jnb	short loc_66853B
		mov	edi, eax

loc_66852F:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+1D4j
		clflush	byte ptr [ecx]
		add	ecx, edx
		cmp	ecx, edi
		jb	short loc_66852F
		mov	edi, [ebp+var_C]

loc_66853B:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+1A9j
					; RtlpGenericRandomPatternWorker(x,x)+1C9j
		push	ebx
		push	[ebp+var_4]
		mov	ecx, edi
		push	esi
		call	_RtlpFillMemoryRandomDown@20 ; RtlpFillMemoryRandomDown(x,x,x,x,x)
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_668585
		and	[ebp+var_28], 0
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	eax, [edi+1000h]
		and	ecx, edi
		mov	[ebp+var_28], eax
		cmp	ecx, eax
		jnb	short loc_668585
		mov	edi, eax

loc_668579:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+21Ej
		clflush	byte ptr [ecx]
		add	ecx, edx
		cmp	ecx, edi
		jb	short loc_668579
		mov	edi, [ebp+var_C]

loc_668585:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+1F3j
					; RtlpGenericRandomPatternWorker(x,x)+213j
		push	ebx
		push	[ebp+var_4]
		mov	ecx, edi
		push	esi
		call	_RtlpTestMemoryRandomDown@20 ; RtlpTestMemoryRandomDown(x,x,x,x,x)
		test	al, al
		jz	short loc_6685B0
		mov	eax, [ebp+var_10]
		mov	ecx, offset _RtlpSeedGlfsr@0 ; RtlpSeedGlfsr()
		add	eax, 4
		mov	[ebp+var_10], eax
		cmp	eax, 14h
		jb	loc_66837C
		mov	al, 1
		jmp	short loc_6685B2
; 

loc_6685B0:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+8Fj
					; RtlpGenericRandomPatternWorker(x,x)+E1j ...
		xor	al, al

loc_6685B2:				; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+24Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_RtlpGenericRandomPatternWorker@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpGenericStrideWorker(x, x, x, x,	x)
_RtlpGenericStrideWorker@20 proc near	; CODE XREF: RtlpGenericBasicStride6(x,x)+Dp
					; RtlpGenericBasicStride6(x,x)+20p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		xor	esi, esi

loc_6685CC:				; CODE XREF: RtlpGenericStrideWorker(x,x,x,x,x)+BEj
		push	ecx
		push	edi
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpFillMemoryWithStride@20 ; RtlpFillMemoryWithStride(x,x,x,x,x)
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_668616
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	eax, [edi+1000h]
		and	ecx, edi
		mov	[ebp+var_4], eax
		cmp	ecx, eax
		jnb	short loc_668616
		mov	edi, eax

loc_66860A:				; CODE XREF: RtlpGenericStrideWorker(x,x,x,x,x)+5Aj
		clflush	byte ptr [ecx]
		add	ecx, edx
		cmp	ecx, edi
		jb	short loc_66860A
		mov	edi, [ebp+arg_4]

loc_668616:				; CODE XREF: RtlpGenericStrideWorker(x,x,x,x,x)+2Fj
					; RtlpGenericStrideWorker(x,x,x,x,x)+4Fj
		push	ecx
		push	edi
		push	ecx
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_RtlpFillMemoryWithInverseStride@20 ; RtlpFillMemoryWithInverseStride(x,x,x,x,x)
		mov	eax, large fs:20h
		mov	edx, [eax+3B8h]
		test	edx, edx
		jz	short loc_668661
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	ecx, [edx-1]
		not	ecx
		lea	eax, [edi+1000h]
		and	ecx, edi
		mov	[ebp+var_C], eax
		cmp	ecx, eax
		jnb	short loc_668661
		mov	edi, eax

loc_668655:				; CODE XREF: RtlpGenericStrideWorker(x,x,x,x,x)+A5j
		clflush	byte ptr [ecx]
		add	ecx, edx
		cmp	ecx, edi
		jb	short loc_668655
		mov	edi, [ebp+arg_4]

loc_668661:				; CODE XREF: RtlpGenericStrideWorker(x,x,x,x,x)+7Aj
					; RtlpGenericStrideWorker(x,x,x,x,x)+9Aj
		push	ecx
		push	edi
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpTestMemoryWithStride@20 ; RtlpTestMemoryWithStride(x,x,x,x,x)
		test	al, al
		jz	short loc_66867F
		inc	esi
		cmp	esi, 6
		jb	loc_6685CC
		mov	al, 1
		jmp	short loc_668681
; 

loc_66867F:				; CODE XREF: RtlpGenericStrideWorker(x,x,x,x,x)+B8j
		xor	al, al

loc_668681:				; CODE XREF: RtlpGenericStrideWorker(x,x,x,x,x)+C6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_RtlpGenericStrideWorker@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpSeedGlfsr()
_RtlpSeedGlfsr@0 proc near		; DATA XREF: RtlpGenericRandomPatternWorker(x,x)+12o
					; RtlpGenericRandomPatternWorker(x,x)+236o ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, offset _RtlpSeedGlfsr@0 ; RtlpSeedGlfsr()
		rdtsc
		mov	edx, eax
		push	dword ptr [ecx+4]
		push	dword ptr [ecx]
		call	_RtlpSpreadBits@20 ; RtlpSpreadBits(x,x,x,x,x)
		leave
		retn
_RtlpSeedGlfsr@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpSpreadBits(x, x, x, x, x)
_RtlpSpreadBits@20 proc	near		; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+2Fp
					; RtlpSeedGlfsr()+16p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], edx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_8], esi

loc_6686BD:				; CODE XREF: RtlpSpreadBits(x,x,x,x,x)+39j
		xor	eax, eax
		xor	edx, edx
		inc	eax
		mov	ecx, esi
		call	__allshl
		and	eax, [ebp+var_4]
		mov	ecx, esi
		and	edx, [ebp+var_8]
		call	__allshl
		xor	ebx, eax
		xor	edi, edx
		inc	esi
		cmp	esi, 20h
		jb	short loc_6686BD
		mov	edx, edi
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_RtlpSpreadBits@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpTestAndFillMemoryDown(x, x, x, x)
_RtlpTestAndFillMemoryDown@16 proc near	; CODE XREF: RtlpGenericMATSPlusWorker(x,x,x,x)+ABp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esi+1000h]

loc_6686FA:				; CODE XREF: RtlpTestAndFillMemoryDown(x,x,x,x)+1Aj
		sub	eax, 4
		cmp	[eax], ecx
		jnz	short loc_66870B
		mov	[eax], edx
		cmp	eax, esi
		jnz	short loc_6686FA
		mov	al, 1
		jmp	short loc_66870D
; 

loc_66870B:				; CODE XREF: RtlpTestAndFillMemoryDown(x,x,x,x)+14j
		xor	al, al

loc_66870D:				; CODE XREF: RtlpTestAndFillMemoryDown(x,x,x,x)+1Ej
		pop	esi
		pop	ebp
		retn	8
_RtlpTestAndFillMemoryDown@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpTestAndFillMemoryRandomUp(x, x,	x, x, x)
_RtlpTestAndFillMemoryRandomUp@20 proc near
					; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+88p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		lea	edi, [ecx+1000h]
		cmp	ecx, edi
		jnb	short loc_668755
		mov	ebx, [ebp+arg_8]

loc_66872D:				; CODE XREF: RtlpTestAndFillMemoryRandomUp(x,x,x,x,x)+41j
		cmp	[ecx], edx
		jnz	short loc_66875E
		mov	[ecx], edx
		cmp	[ecx+4], esi
		jnz	short loc_66875E
		mov	[ecx+4], esi
		mov	eax, edx
		shrd	edx, esi, 4
		and	eax, 0Fh
		add	ecx, 8
		shr	esi, 4
		xor	edx, [ebx+eax*8]
		xor	esi, [ebx+eax*8+4]
		cmp	ecx, edi
		jb	short loc_66872D

loc_668755:				; CODE XREF: RtlpTestAndFillMemoryRandomUp(x,x,x,x,x)+16j
		mov	al, 1

loc_668757:				; CODE XREF: RtlpTestAndFillMemoryRandomUp(x,x,x,x,x)+4Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_66875E:				; CODE XREF: RtlpTestAndFillMemoryRandomUp(x,x,x,x,x)+1Dj
					; RtlpTestAndFillMemoryRandomUp(x,x,x,x,x)+24j
		xor	al, al
		jmp	short loc_668757
_RtlpTestAndFillMemoryRandomUp@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpTestAndFillMemoryUp(x, x, x, x)
_RtlpTestAndFillMemoryUp@16 proc near	; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+5Fp
					; RtlpGenericMATSPlusWorker(x,x,x,x)+5Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		lea	esi, [eax+1000h]
		jmp	short loc_66877C
; 

loc_668773:				; CODE XREF: RtlpTestAndFillMemoryUp(x,x,x,x)+1Cj
		cmp	[eax], ecx
		jnz	short loc_668787
		mov	[eax], edx
		add	eax, 4

loc_66877C:				; CODE XREF: RtlpTestAndFillMemoryUp(x,x,x,x)+Fj
		cmp	eax, esi
		jb	short loc_668773
		mov	al, 1

loc_668782:				; CODE XREF: RtlpTestAndFillMemoryUp(x,x,x,x)+27j
		pop	esi
		pop	ebp
		retn	8
; 

loc_668787:				; CODE XREF: RtlpTestAndFillMemoryUp(x,x,x,x)+13j
		xor	al, al
		jmp	short loc_668782
_RtlpTestAndFillMemoryUp@16 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpTestMemory(x, x, x)
_RtlpTestMemory@12 proc	near		; CODE XREF: RtlpGenericInverseCouplingWorker(x,x,x,x)+AFp
					; RtlpGenericInverseCouplingWorker(x,x,x,x)+155p ...
		lea	eax, [edx+1000h]
		jmp	short loc_66879A
; 

loc_668793:				; CODE XREF: RtlpTestMemory(x,x,x)+11j
		cmp	[edx], ecx
		jnz	short loc_6687A3
		add	edx, 4

loc_66879A:				; CODE XREF: RtlpTestMemory(x,x,x)+6j
		cmp	edx, eax
		jb	short loc_668793
		mov	al, 1

locret_6687A0:				; CODE XREF: RtlpTestMemory(x,x,x)+1Aj
		retn	4
; 

loc_6687A3:				; CODE XREF: RtlpTestMemory(x,x,x)+Aj
		xor	al, al
		jmp	short locret_6687A0
_RtlpTestMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpTestMemoryRandomDown(x,	x, x, x, x)
_RtlpTestMemoryRandomDown@20 proc near	; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+22Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_8]
		lea	edx, [ecx+1000h]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]

loc_6687BE:				; CODE XREF: RtlpTestMemoryRandomDown(x,x,x,x,x)+38j
		cmp	[edx-4], esi
		jnz	short loc_6687E5
		sub	edx, 8
		cmp	[edx], edi
		jnz	short loc_6687E5
		mov	eax, edi
		shrd	edi, esi, 4
		and	eax, 0Fh
		shr	esi, 4
		xor	edi, [ebx+eax*8]
		xor	esi, [ebx+eax*8+4]
		cmp	edx, ecx
		jnz	short loc_6687BE
		mov	al, 1
		jmp	short loc_6687E7
; 

loc_6687E5:				; CODE XREF: RtlpTestMemoryRandomDown(x,x,x,x,x)+1Aj
					; RtlpTestMemoryRandomDown(x,x,x,x,x)+21j
		xor	al, al

loc_6687E7:				; CODE XREF: RtlpTestMemoryRandomDown(x,x,x,x,x)+3Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_RtlpTestMemoryRandomDown@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpTestMemoryRandomUp(x, x, x, x, x)
_RtlpTestMemoryRandomUp@20 proc	near	; CODE XREF: RtlpGenericRandomPatternWorker(x,x)+DAp
					; RtlpGenericRandomPatternWorker(x,x)+182p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [ecx+1000h]
		cmp	ecx, edi
		jnb	short loc_66882C
		mov	ebx, [ebp+arg_8]

loc_668809:				; CODE XREF: RtlpTestMemoryRandomUp(x,x,x,x,x)+3Cj
		cmp	[ecx], esi
		jnz	short loc_668835
		cmp	[ecx+4], edx
		jnz	short loc_668835
		mov	eax, esi
		add	ecx, 8
		shrd	esi, edx, 4
		and	eax, 0Fh
		shr	edx, 4
		xor	esi, [ebx+eax*8]
		xor	edx, [ebx+eax*8+4]
		cmp	ecx, edi
		jb	short loc_668809

loc_66882C:				; CODE XREF: RtlpTestMemoryRandomUp(x,x,x,x,x)+16j
		mov	al, 1

loc_66882E:				; CODE XREF: RtlpTestMemoryRandomUp(x,x,x,x,x)+49j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_668835:				; CODE XREF: RtlpTestMemoryRandomUp(x,x,x,x,x)+1Dj
					; RtlpTestMemoryRandomUp(x,x,x,x,x)+22j
		xor	al, al
		jmp	short loc_66882E
_RtlpTestMemoryRandomUp@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpTestMemoryWithStride(x,	x, x, x, x)
_RtlpTestMemoryWithStride@20 proc near	; CODE XREF: RtlpGenericStrideWorker(x,x,x,x,x)+B1p

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edx+edx]
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		mov	eax, ecx
		shr	eax, 2
		push	0Ch
		pop	ebx
		div	ebx
		mov	eax, esi
		sub	eax, edx
		cmp	edx, esi
		jbe	short loc_66885F
		add	eax, ebx

loc_66885F:				; CODE XREF: RtlpTestMemoryWithStride(x,x,x,x,x)+22j
		lea	eax, [ecx+eax*4]
		add	ecx, 1000h
		jmp	short loc_668878
; 

loc_66886A:				; CODE XREF: RtlpTestMemoryWithStride(x,x,x,x,x)+41j
		cmp	[eax], edi
		jnz	short loc_668885
		add	eax, 4
		cmp	[eax], edi
		jnz	short loc_668885
		add	eax, 2Ch

loc_668878:				; CODE XREF: RtlpTestMemoryWithStride(x,x,x,x,x)+2Fj
		cmp	eax, ecx
		jb	short loc_66886A
		mov	al, 1

loc_66887E:				; CODE XREF: RtlpTestMemoryWithStride(x,x,x,x,x)+4Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_668885:				; CODE XREF: RtlpTestMemoryWithStride(x,x,x,x,x)+33j
					; RtlpTestMemoryWithStride(x,x,x,x,x)+3Aj
		xor	al, al
		jmp	short loc_66887E
_RtlpTestMemoryWithStride@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlCompressBufferXpressHuffMax(int,int,int,void	*,int,int,int)
_RtlCompressBufferXpressHuffMax@36 proc	near
					; CODE XREF: CcIncrementWriteBehindPriority+94FBFp
					; RtlCompressBufferProgress+8CA19p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_0]
		add	ecx, [ebp+arg_4]
		cmp	[ebp+arg_4], 12Ch
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], esi
		mov	[ebp+var_38], ecx
		lea	eax, [esi+edi]
		mov	[ebp+var_18], eax
		jb	loc_668E59
		cmp	esi, 10001h
		ja	short loc_6688C9
		mov	eax, 0C00000BBh
		jmp	loc_668E5E
; 

loc_6688C9:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+34j
		mov	ebx, [ebp+arg_C]
		push	20000h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_10]
		mov	dword ptr [ebx+20000h],	0
		test	eax, eax
		jz	short loc_6688F8
		cmp	[ebp+arg_18], edi
		jbe	short loc_6688FD

loc_6688F8:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+68j
		mov	[ebp+arg_18], edi
		jmp	short loc_668900
; 

loc_6688FD:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+6Dj
		mov	edi, [ebp+arg_18]

loc_668900:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+72j
		mov	[ebp+var_44], eax
		lea	edx, [ebx+0A4B10h]
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], edi
		mov	[ebp+var_24], 0
		mov	[ebp+var_4], edx

loc_66891C:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+5BEj
		push	800h		; size_t
		lea	eax, [ebx+0A4210h]
		mov	[ebp+var_2C], 0
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_30], 0
		call	_memset
		mov	ecx, [ebp+var_18]
		lea	eax, [esi+10000h]
		add	esp, 0Ch
		mov	[ebp+var_28], eax
		cmp	eax, ecx
		jbe	short loc_668955
		mov	eax, ecx
		mov	[ebp+var_28], ecx

loc_668955:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+C5j
		add	eax, 0FFFFFFFBh
		lea	ecx, [esi+edi]
		mov	[ebp+var_14], eax
		mov	[ebp+var_20], ecx
		cmp	eax, ecx
		jnb	short loc_668968
		mov	[ebp+var_20], eax

loc_668968:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+DAj
		mov	ecx, [ebp+var_4]
		mov	edx, 1
		mov	eax, [ebp+var_8]
		mov	[ebp+arg_14], edx
		lea	edi, [ecx+4]
		mov	[ebp+arg_4], edi
		cmp	esi, eax
		jnz	short loc_66899E
		movzx	eax, byte ptr [esi]
		mov	edx, 2
		mov	[ebp+arg_14], edx
		inc	dword ptr [ebx+eax*4+0A4210h]
		mov	al, [esi]
		inc	esi
		mov	[edi], al
		inc	edi
		mov	eax, [ebp+var_8]
		mov	[ebp+arg_4], edi

loc_66899E:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+F5j
		cmp	esi, [ebp+var_14]
		jnb	loc_668D97
		mov	edx, esi
		mov	ebx, esi
		sub	edx, eax
		and	edx, 8001FFFFh
		jns	short loc_6689BD
		dec	edx
		or	edx, 0FFFE0000h
		inc	edx

loc_6689BD:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+12Aj
		mov	edi, [ebp+arg_C]
		jmp	short loc_6689C9
; 
		lea	esp, [esp+0]

loc_6689C9:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+137j
					; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+181j
		movzx	eax, byte ptr [ebx+1]
		movzx	ecx, ds:word_406300[eax*2]
		movzx	eax, byte ptr [ebx+2]
		movzx	eax, ds:word_406500[eax*2]
		xor	ecx, eax
		movzx	eax, byte ptr [ebx]
		movzx	eax, ds:_XpressHashFunction[eax*2]
		xor	ecx, eax
		mov	eax, [edi+ecx*4]
		mov	[edi+ecx*4], ebx
		inc	ebx
		mov	[edi+edx*4+20000h], eax
		inc	edx
		mov	eax, [ebp+var_14]
		and	edx, 1FFFFh
		cmp	ebx, eax
		jb	short loc_6689C9
		mov	edi, [ebp+arg_4]
		mov	edx, [ebp+arg_14]
		mov	ebx, [ebp+arg_C]

loc_668A15:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+435j
		mov	ecx, [ebp+var_4]
		nop

loc_668A19:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+452j
		cmp	esi, [ebp+var_20]
		jb	short loc_668A37
		cmp	esi, eax
		jnb	loc_668D97
		push	esi
		mov	edx, eax
		lea	ecx, [ebp+var_44]
		call	_RtlpMakeXpressCallback@12 ; RtlpMakeXpressCallback(x,x,x)
		mov	edx, [ebp+arg_14]
		mov	[ebp+var_20], eax

loc_668A37:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+193j
		mov	eax, esi
		sub	eax, [ebp+var_8]
		and	eax, 8001FFFFh
		jns	short loc_668A4A
		dec	eax
		or	eax, 0FFFE0000h
		inc	eax

loc_668A4A:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+1B8j
		mov	ecx, [ebx+eax*4+20000h]
		mov	eax, [esi]
		mov	[ebp+var_1C], eax
		lea	eax, [ecx+10000h]
		cmp	eax, esi
		jbe	loc_668C9E
		mov	eax, [ecx]
		xor	eax, [ebp+var_1C]
		mov	ebx, [ebp+arg_C]
		jnz	short loc_668A8D

loc_668A6E:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+238j
					; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+26Ej
		lea	eax, [esi-10000h]
		mov	[ebp+arg_10], 3
		mov	[ebp+var_C], eax
		mov	edx, esi
		xor	eax, eax
		mov	[ebp+arg_4], edx
		mov	[ebp+var_10], eax
		jmp	loc_668B5A
; 

loc_668A8D:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+1E3j
		test	eax, 0FFFFFFh
		jz	short loc_668B08
		sub	ecx, [ebp+var_8]
		and	ecx, 8001FFFFh
		jns	short loc_668AA7
		dec	ecx
		or	ecx, 0FFFE0000h
		inc	ecx

loc_668AA7:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+214j
		mov	ecx, [ebx+ecx*4+20000h]
		lea	eax, [ecx+10000h]
		cmp	eax, esi
		jbe	loc_668C9E
		mov	eax, [ecx]
		xor	eax, [ebp+var_1C]
		jz	short loc_668A6E
		test	eax, 0FFFFFFh
		jz	short loc_668B08
		sub	ecx, [ebp+var_8]
		and	ecx, 8001FFFFh
		jns	short loc_668ADD
		dec	ecx
		or	ecx, 0FFFE0000h
		inc	ecx

loc_668ADD:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+24Aj
		mov	ecx, [ebx+ecx*4+20000h]
		lea	eax, [ecx+10000h]
		cmp	eax, esi
		jbe	loc_668C9E
		mov	eax, [ecx]
		xor	eax, [ebp+var_1C]
		jz	loc_668A6E
		test	eax, 0FFFFFFh
		jnz	loc_668C9E

loc_668B08:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+209j
					; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+23Fj
		lea	eax, [esi-10000h]
		mov	[ebp+var_24], ecx
		mov	[ebp+var_C], eax
		mov	edx, esi
		mov	esi, [ebp+var_C]
		xor	eax, eax
		mov	[ebp+arg_4], edx
		mov	[ebp+var_10], eax
		mov	[ebp+arg_10], 3

loc_668B28:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+3F3j
		sub	ecx, [ebp+var_8]
		and	ecx, 8001FFFFh
		jns	short loc_668B3B
		dec	ecx
		or	ecx, 0FFFE0000h
		inc	ecx

loc_668B3B:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+2A8j
		mov	ecx, [ebx+ecx*4+20000h]
		cmp	ecx, esi
		jbe	loc_668C82
		mov	ebx, [ebp+var_1C]
		cmp	ebx, [ecx]
		mov	ebx, [ebp+arg_C]
		jnz	loc_668C75
		mov	esi, edx

loc_668B5A:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+1FFj
		mov	eax, esi
		add	ecx, 4
		add	eax, 24h
		add	esi, 4
		cmp	eax, [ebp+var_18]
		jnb	short loc_668BD5

loc_668B6A:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+347j
		mov	eax, [esi]
		mov	edx, [ecx]
		cmp	eax, edx
		jnz	loc_668C24
		mov	eax, [esi+4]
		mov	edx, [ecx+4]
		cmp	eax, edx
		jnz	loc_668C1E
		mov	eax, [esi+8]
		mov	edx, [ecx+8]
		cmp	eax, edx
		jnz	loc_668C16
		mov	eax, [esi+0Ch]
		mov	edx, [ecx+0Ch]
		cmp	eax, edx
		jnz	short loc_668C0E
		mov	eax, [esi+10h]
		mov	edx, [ecx+10h]
		cmp	eax, edx
		jnz	short loc_668C06
		mov	eax, [esi+14h]
		mov	edx, [ecx+14h]
		cmp	eax, edx
		jnz	short loc_668BFE
		mov	eax, [esi+18h]
		mov	edx, [ecx+18h]
		cmp	eax, edx
		jnz	short loc_668BF6
		mov	eax, [esi+1Ch]
		mov	edx, [ecx+1Ch]
		cmp	eax, edx
		jnz	short loc_668BEE
		add	esi, 20h
		add	ecx, 20h
		lea	eax, [esi+20h]
		cmp	eax, [ebp+var_18]
		jb	short loc_668B6A
		mov	edx, [ebp+arg_4]

loc_668BD5:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+2DFj
		cmp	esi, [ebp+var_18]
		jnb	short loc_668C38
		mov	ebx, [ebp+var_18]

loc_668BDD:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+35Ej
		mov	al, [esi]
		cmp	al, [ecx]
		jnz	short loc_668BE9
		inc	esi
		inc	ecx
		cmp	esi, ebx
		jb	short loc_668BDD

loc_668BE9:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+358j
		mov	ebx, [ebp+arg_C]
		jmp	short loc_668C38
; 

loc_668BEE:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+339j
		add	esi, 1Ch
		add	ecx, 1Ch
		jmp	short loc_668C24
; 

loc_668BF6:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+32Fj
		add	esi, 18h
		add	ecx, 18h
		jmp	short loc_668C24
; 

loc_668BFE:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+325j
		add	esi, 14h
		add	ecx, 14h
		jmp	short loc_668C24
; 

loc_668C06:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+31Bj
		add	esi, 10h
		add	ecx, 10h
		jmp	short loc_668C24
; 

loc_668C0E:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+311j
		add	esi, 0Ch
		add	ecx, 0Ch
		jmp	short loc_668C24
; 

loc_668C16:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+303j
		add	esi, 8
		add	ecx, 8
		jmp	short loc_668C24
; 

loc_668C1E:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+2F5j
		add	esi, 4
		add	ecx, 4

loc_668C24:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+2E7j
					; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+36Bj ...
		cmp	al, dl
		jnz	short loc_668C35
		mov	al, [esi+1]
		mov	ebx, [ebp+arg_C]
		cmp	al, [ecx+1]
		jz	short loc_668C52
		inc	esi
		inc	ecx

loc_668C35:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+39Dj
		mov	edx, [ebp+arg_4]

loc_668C38:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+34Fj
					; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+363j ...
		sub	esi, edx
		mov	eax, ecx
		sub	ecx, esi
		cmp	esi, [ebp+arg_10]
		jbe	short loc_668C6D
		mov	[ebp+arg_10], esi
		mov	[ebp+var_24], ecx
		cmp	eax, edx
		ja	short loc_668C85
		mov	eax, [ebp+var_10]
		jmp	short loc_668C72
; 

loc_668C52:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+3A8j
		mov	al, [esi+2]
		mov	edx, [ebp+arg_4]
		cmp	al, [ecx+2]
		jz	short loc_668C65
		add	esi, 2
		add	ecx, 2
		jmp	short loc_668C38
; 

loc_668C65:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+3D2j
		add	esi, 3
		add	ecx, 3
		jmp	short loc_668C38
; 

loc_668C6D:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+3B8j
		mov	eax, [ebp+var_10]
		add	eax, esi

loc_668C72:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+3C7j
		mov	esi, [ebp+var_C]

loc_668C75:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+2C9j
		inc	eax
		mov	[ebp+var_10], eax
		cmp	eax, 0Ch
		jb	loc_668B28

loc_668C82:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+2BBj
		mov	esi, [ebp+arg_10]

loc_668C85:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+3C2j
		add	esi, edx
		sub	edx, [ebp+var_24]
		cmp	[ebp+arg_10], 3
		jnz	short loc_668CE0
		cmp	edx, 1000h
		jbe	short loc_668CE0
		mov	esi, [ebp+arg_4]
		mov	edx, [ebp+arg_14]

loc_668C9E:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+1D5j
					; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+22Dj ...
		mov	ecx, [ebp+var_1C]
		inc	esi
		movzx	eax, cl
		inc	dword ptr [ebx+eax*4+0A4210h]
		lea	eax, [edx+edx]
		mov	[edi], cl
		inc	edi
		test	edx, edx

loc_668CB4:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+509j
		jle	short loc_668CC3
		mov	edx, eax
		mov	eax, [ebp+var_14]
		mov	[ebp+arg_14], edx
		jmp	loc_668A15
; 

loc_668CC3:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x):loc_668CB4j
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		mov	[ebp+var_4], ecx
		add	edi, 4
		mov	[edx], eax
		mov	edx, 1
		mov	eax, [ebp+var_14]
		mov	[ebp+arg_14], edx
		jmp	loc_668A19
; 

loc_668CE0:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+405j
					; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+40Dj
		cmp	edx, 100h
		jb	short loc_668CF9
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, ds:_XpressHighBitIndexTable[eax]
		add	ecx, 8
		jmp	short loc_668D00
; 

loc_668CF9:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+45Dj
		movzx	ecx, ds:_XpressHighBitIndexTable[edx]

loc_668D00:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+46Ej
		add	[ebp+var_2C], ecx
		lea	ebx, [edi+1]
		or	eax, 0FFFFFFFFh
		shl	eax, cl
		add	edx, eax
		shl	cl, 4
		mov	eax, [ebp+arg_10]
		add	eax, 0FFFFFFFDh
		cmp	eax, 0Fh
		jb	short loc_668D6D
		add	cl, 0Fh
		mov	[ebp+arg_4], eax
		sub	eax, 0Fh
		mov	[edi], cl
		lea	edi, [ebx+1]
		cmp	eax, 0FFh
		jnb	short loc_668D39
		mov	[ebx], al
		mov	eax, 1
		jmp	short loc_668D68
; 

loc_668D39:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+4A5j
		mov	eax, [ebp+arg_4]
		mov	byte ptr [ebx],	0FFh
		cmp	eax, 10000h
		jnb	short loc_668D53
		mov	[edi], ax
		lea	edi, [ebx+3]
		mov	eax, 3
		jmp	short loc_668D68
; 

loc_668D53:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+4BBj
		xor	eax, eax
		mov	[edi], ax
		lea	edi, [ebx+3]
		mov	eax, [ebp+arg_4]
		mov	[edi], eax
		add	edi, 4
		mov	eax, 7

loc_668D68:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+4AEj
					; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+4C8j
		add	[ebp+var_30], eax
		jmp	short loc_668D73
; 

loc_668D6D:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+490j
		add	cl, al
		mov	[edi], cl
		mov	edi, ebx

loc_668D73:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+4E2j
		mov	ebx, [ebp+arg_C]
		movzx	eax, cl
		mov	ecx, [ebp+arg_14]
		inc	dword ptr [ebx+eax*4+0A4610h]
		mov	[edi], dx
		lea	eax, ds:1[ecx*2]
		add	edi, 2
		test	ecx, ecx
		jmp	loc_668CB4
; 

loc_668D97:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+118j
					; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+197j
		cmp	esi, [ebp+var_28]
		jnb	short loc_668DC8

loc_668D9C:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+53Dj
		movzx	eax, byte ptr [esi]
		inc	dword ptr [ebx+eax*4+0A4210h]
		mov	al, [esi]
		inc	esi
		mov	[edi], al
		inc	edi
		lea	eax, [edx+edx]
		test	edx, edx
		jle	short loc_668DB7
		mov	edx, eax
		jmp	short loc_668DC3
; 

loc_668DB7:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+528j
		mov	[ecx], eax
		mov	edx, 1
		mov	ecx, edi
		add	edi, 4

loc_668DC3:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+52Cj
		cmp	esi, [ebp+var_28]
		jb	short loc_668D9C

loc_668DC8:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+511j
		test	edx, edx
		jle	short loc_668DD7

loc_668DCC:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+54Cj
		lea	edx, ds:1[edx*2]
		test	edx, edx
		jg	short loc_668DCC

loc_668DD7:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+541j
		lea	eax, ds:1[edx*2]
		mov	[ecx], eax
		mov	eax, [ebp+arg_C]
		cmp	esi, [ebp+var_18]
		jb	short loc_668DF5
		inc	dword ptr [eax+0A4610h]
		mov	ebx, 1
		jmp	short loc_668DF7
; 

loc_668DF5:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+55Dj
		xor	ebx, ebx

loc_668DF7:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+56Aj
		lea	ecx, [eax+0A0000h]
		call	XpressBuildHuffmanEncodings
		mov	ecx, [ebp+var_2C]
		add	ecx, 1Fh
		add	eax, ecx
		mov	ecx, [ebp+var_30]
		shr	eax, 5
		lea	eax, [ecx+eax*4]
		mov	ecx, [ebp+var_34]
		add	eax, 102h
		add	eax, ecx
		cmp	eax, [ebp+var_38]
		jnb	short loc_668E59
		mov	eax, [ebp+arg_C]
		push	ebx
		push	ecx
		push	edi
		lea	edx, [eax+0A4B10h]
		lea	ecx, [eax+0A0000h]
		mov	[ebp+var_4], edx
		call	XpressDoHuffmanPass
		mov	edi, [ebp+arg_18]
		test	ebx, ebx
		mov	ebx, [ebp+arg_C]
		mov	[ebp+var_34], eax
		jz	loc_66891C
		mov	ecx, [ebp+arg_8]
		sub	eax, [ebp+arg_0]
		mov	[ecx], eax
		xor	eax, eax
		jmp	short loc_668E5E
; 

loc_668E59:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+28j
					; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+597j
		mov	eax, 0C0000023h

loc_668E5E:				; CODE XREF: RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+3Bj
					; RtlCompressBufferXpressHuffMax(x,x,x,x,x,x,x,x,x)+5CEj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_RtlCompressBufferXpressHuffMax@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlCompressBufferXpressLzMax(int,int,int,void *,int,int,int)
_RtlCompressBufferXpressLzMax@36 proc near ; CODE XREF:	RtlCompressBufferXpressLz+109061p
					; RtlCompressBufferProgress+8C9B9p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], 0
		mov	ecx, [ebp+arg_0]
		mov	esi, edx
		add	ecx, [ebp+arg_4]
		cmp	[ebp+arg_4], 40h
		mov	[ebp+var_C], edi
		lea	ebx, [edi+esi]
		mov	[ebp+var_38], ecx
		mov	[ebp+var_1C], ebx
		jb	loc_6693E2
		cmp	esi, 8
		jb	loc_6693E2
		cmp	edi, 2001h
		ja	short loc_668EB4
		mov	eax, 0C00000BBh
		jmp	loc_6693E7
; 

loc_668EB4:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+41j
		push	20000h		; size_t
		push	0		; int
		push	[ebp+arg_C]	; void *
		call	_memset
		lea	eax, [ebx-5]
		xor	ecx, ecx
		mov	[ebp+var_30], eax
		add	esp, 0Ch
		mov	eax, [ebp+var_38]
		add	eax, 0FFFFFFD7h
		mov	[ebp+var_24], ecx
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_668EE8
		mov	edx, [ebp+arg_18]
		cmp	edx, esi
		jbe	short loc_668EED

loc_668EE8:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+78j
		mov	edx, esi
		mov	[ebp+arg_18], edx

loc_668EED:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+7Fj
		mov	[ebp+var_4C], eax
		mov	ebx, 2
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_0]
		lea	esi, [eax+4]
		mov	[ebp+var_8], eax
		mov	al, [edi]
		inc	edi
		mov	[esi], al
		inc	esi
		mov	eax, [ebp+var_C]
		xor	ecx, ecx
		mov	[ebp+var_44], edx
		mov	[ebp+var_4], ebx
		mov	[ebp+arg_4], esi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_34], eax
		jmp	short loc_668F27
; 
		lea	esp, [esp+0]

loc_668F27:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+B7j
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+50Dj
		lea	ecx, [eax+2000h]
		mov	[ebp+var_18], ecx
		cmp	ecx, [ebp+var_30]
		jbe	short loc_668F3B
		mov	ecx, [ebp+var_30]
		mov	[ebp+var_18], ecx

loc_668F3B:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+CCj
		add	edx, edi
		mov	[ebp+var_28], edx
		cmp	ecx, edx
		jnb	short loc_668F47
		mov	[ebp+var_28], ecx

loc_668F47:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+DBj
		mov	edx, [ebp+var_20]
		and	edx, 3FFFh
		mov	[ebp+var_20], edx
		cmp	eax, ecx
		jnb	short loc_668FC7
		mov	esi, [ebp+arg_C]
		add	edx, 8000h
		mov	ebx, [ebp+var_34]
		mov	eax, ecx
		sub	eax, ebx
		add	[ebp+var_20], eax
		lea	edx, [esi+edx*4]
		jmp	short loc_668F77
; 
		lea	esp, [esp+0]
		nop

loc_668F77:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+106j
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+149j
		movzx	eax, byte ptr [ebx+1]
		lea	edx, [edx+4]
		movzx	ecx, ds:word_406300[eax*2]
		movzx	eax, byte ptr [ebx+2]
		movzx	eax, ds:word_406500[eax*2]
		xor	ecx, eax
		movzx	eax, byte ptr [ebx]
		movzx	eax, ds:_XpressHashFunction[eax*2]
		xor	ecx, eax
		mov	eax, [esi+ecx*4]
		mov	[edx-4], eax
		mov	[esi+ecx*4], ebx
		inc	ebx
		mov	ecx, [ebp+var_18]
		cmp	ebx, ecx
		jb	short loc_668F77
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_34], ebx
		mov	ebx, [ebp+var_4]
		jmp	short loc_668FC7
; 
		lea	esp, [esp+0]
		lea	ecx, [ecx+0]

loc_668FC7:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+EEj
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+154j	...
		mov	eax, 2000h
		lea	edx, [edi-2000h]
		sub	eax, [ebp+var_C]
		mov	[ebp+arg_14], edx
		mov	[ebp+arg_10], eax

loc_668FDB:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+238j
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+264j
		cmp	edi, [ebp+var_28]
		jb	short loc_668FFC
		cmp	edi, ecx
		jnb	loc_66936B
		mov	edx, ecx
		lea	ecx, [ebp+var_4C]
		push	edi
		call	_RtlpMakeXpressCallback@12 ; RtlpMakeXpressCallback(x,x,x)
		mov	edx, [ebp+arg_14]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_10]

loc_668FFC:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+177j
		lea	ecx, [eax+edx]
		mov	eax, [ebp+arg_C]
		and	ecx, 3FFFh
		mov	ecx, [eax+ecx*4+20000h]
		mov	eax, [edi]
		mov	[ebp+var_10], eax
		cmp	ecx, edx
		jb	short loc_66907F
		mov	eax, [ecx]
		xor	eax, [ebp+var_10]
		mov	edx, [ebp+arg_14]
		jz	loc_6690F2
		test	eax, 0FFFFFFh
		jz	loc_6690D0
		sub	ecx, [ebp+var_C]
		mov	eax, [ebp+arg_C]
		and	ecx, 3FFFh
		mov	ecx, [eax+ecx*4+20000h]
		cmp	ecx, edx
		jb	short loc_66907F
		mov	eax, [ecx]
		xor	eax, [ebp+var_10]
		jz	loc_6690F2
		test	eax, 0FFFFFFh
		jz	short loc_6690D0
		sub	ecx, [ebp+var_C]
		mov	eax, [ebp+arg_C]
		and	ecx, 3FFFh
		mov	ecx, [eax+ecx*4+20000h]
		cmp	ecx, edx
		jb	short loc_66907F
		mov	eax, [ecx]
		xor	eax, [ebp+var_10]
		jz	short loc_6690F2
		test	eax, 0FFFFFFh
		jz	short loc_6690D0

loc_66907F:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+1AFj
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+1DFj	...
		mov	ecx, [ebp+var_10]
		lea	eax, [ebx+ebx]
		mov	[esi], cl
		inc	edx
		inc	esi
		mov	[ebp+arg_14], edx
		inc	edi
		mov	[ebp+arg_4], esi
		test	ebx, ebx
		jle	short loc_6690A4
		mov	ecx, [ebp+var_18]
		mov	ebx, eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_4], ebx
		jmp	loc_668FDB
; 

loc_6690A4:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+22Bj
		mov	ecx, [ebp+var_8]
		mov	ebx, 1
		mov	[ebp+var_4], ebx
		mov	[ecx], eax
		mov	ecx, esi
		add	esi, 4
		mov	[ebp+var_8], ecx
		mov	[ebp+arg_4], esi
		cmp	esi, [ebp+var_3C]
		jnb	loc_66937D
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+var_18]
		jmp	loc_668FDB
; 

loc_6690D0:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+1C4j
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+1F1j	...
		mov	eax, edi
		sub	eax, ecx
		xor	edx, edx
		mov	[ebp+var_14], eax
		lea	eax, [edi-2000h]
		mov	[ebp+arg_14], eax
		mov	eax, 3
		mov	[ebp+arg_4], edx
		mov	[ebp+arg_10], eax
		jmp	loc_669283
; 

loc_6690F2:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+1B9j
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+1E6j	...
		xor	edx, edx
		mov	[ebp+arg_10], 3
		mov	[ebp+arg_4], edx

loc_6690FE:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+445j
		mov	eax, edi
		mov	[ebp+var_2C], edi
		add	eax, 24h
		add	edi, 4
		add	ecx, 4
		cmp	eax, [ebp+var_1C]
		jnb	loc_669192
		mov	edi, edi

loc_669117:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+326j
		mov	eax, [edi]
		mov	edx, [ecx]
		cmp	eax, edx
		jnz	loc_669228
		mov	eax, [edi+4]
		mov	edx, [ecx+4]
		cmp	eax, edx
		jnz	loc_669222
		mov	eax, [edi+8]
		mov	edx, [ecx+8]
		cmp	eax, edx
		jnz	loc_66921A
		mov	eax, [edi+0Ch]
		mov	edx, [ecx+0Ch]
		cmp	eax, edx
		jnz	loc_669212
		mov	eax, [edi+10h]
		mov	edx, [ecx+10h]
		cmp	eax, edx
		jnz	loc_66920A
		mov	eax, [edi+14h]
		mov	edx, [ecx+14h]
		cmp	eax, edx
		jnz	loc_669202
		mov	eax, [edi+18h]
		mov	edx, [ecx+18h]
		cmp	eax, edx
		jnz	loc_6691FA
		mov	eax, [edi+1Ch]
		mov	edx, [ecx+1Ch]
		cmp	eax, edx
		jnz	short loc_6691F2
		add	edi, 20h
		add	ecx, 20h
		lea	eax, [edi+20h]
		cmp	eax, [ebp+var_1C]
		jb	short loc_669117
		mov	edx, [ebp+arg_4]

loc_669192:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+2A8j
		cmp	edi, [ebp+var_1C]
		jnb	short loc_6691A9
		mov	edx, [ebp+var_1C]

loc_66919A:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+33Dj
		mov	al, [edi]
		cmp	al, [ecx]
		jnz	short loc_6691A6
		inc	edi
		inc	ecx
		cmp	edi, edx
		jb	short loc_66919A

loc_6691A6:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+337j
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+3C3j	...
		mov	edx, [ebp+arg_4]

loc_6691A9:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+32Ej
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+3F5j	...
		mov	eax, edi
		sub	eax, [ebp+var_2C]
		cmp	eax, [ebp+arg_10]
		jbe	loc_66926C
		sub	edi, ecx
		mov	[ebp+arg_10], eax
		mov	[ebp+var_14], edi
		mov	edi, [ebp+var_2C]
		cmp	ecx, edi
		jbe	loc_669271

loc_6691CA:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+416j
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+435j
		mov	edx, [ebp+var_14]
		add	edi, eax
		add	eax, 0FFFFFFFDh
		lea	edx, ds:0FFFFFFF8h[edx*8]
		cmp	eax, 7
		jnb	loc_6692B1
		add	edx, eax
		mov	[esi], dx
		add	esi, 2
		mov	[ebp+var_14], edx
		jmp	loc_669331
; 

loc_6691F2:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+318j
		add	edi, 1Ch
		add	ecx, 1Ch
		jmp	short loc_669228
; 

loc_6691FA:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+30Aj
		add	edi, 18h
		add	ecx, 18h
		jmp	short loc_669228
; 

loc_669202:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+2FCj
		add	edi, 14h
		add	ecx, 14h
		jmp	short loc_669228
; 

loc_66920A:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+2EEj
		add	edi, 10h
		add	ecx, 10h
		jmp	short loc_669228
; 

loc_669212:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+2E0j
		add	edi, 0Ch
		add	ecx, 0Ch
		jmp	short loc_669228
; 

loc_66921A:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+2D2j
		add	edi, 8
		add	ecx, 8
		jmp	short loc_669228
; 

loc_669222:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+2C4j
		add	edi, 4
		add	ecx, 4

loc_669228:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+2B6j
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+391j	...
		cmp	al, dl
		jnz	loc_6691A6
		lea	eax, [edi+1]
		mov	[ebp+var_40], eax
		mov	al, [eax]
		cmp	al, [ecx+1]
		jz	short loc_669246
		mov	edi, [ebp+var_40]
		inc	ecx
		jmp	loc_6691A6
; 

loc_669246:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+3D4j
		mov	edx, [ebp+arg_4]
		lea	eax, [edi+2]
		mov	[ebp+var_40], eax
		mov	al, [eax]
		cmp	al, [ecx+2]
		jz	short loc_669261
		mov	edi, [ebp+var_40]
		add	ecx, 2
		jmp	loc_6691A9
; 

loc_669261:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+3EDj
		add	edi, 3
		add	ecx, 3
		jmp	loc_6691A9
; 

loc_66926C:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+34Aj
		mov	edi, [ebp+var_2C]
		add	edx, eax

loc_669271:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+35Dj
		sub	ecx, eax
		mov	eax, [ebp+arg_10]

loc_669276:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+443j
		inc	edx
		mov	[ebp+arg_4], edx
		cmp	edx, 18h
		jnb	loc_6691CA

loc_669283:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+286j
		sub	ecx, [ebp+var_C]
		mov	ebx, [ebp+arg_C]
		and	ecx, 3FFFh
		mov	ecx, [ebx+ecx*4+20000h]
		mov	ebx, [ebp+var_4]
		cmp	ecx, [ebp+arg_14]
		jb	loc_6691CA
		mov	eax, [ebp+var_10]
		cmp	eax, [ecx]
		mov	eax, [ebp+arg_10]
		jnz	short loc_669276
		jmp	loc_6690FE
; 

loc_6692B1:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+375j
		or	edx, 7
		sub	eax, 7
		mov	[esi], dx
		add	esi, 2
		mov	[ebp+var_14], edx
		mov	edx, [ebp+var_24]
		mov	[ebp+arg_4], esi
		test	edx, edx
		jnz	short loc_6692DD
		mov	[ebp+var_24], esi
		cmp	eax, 0Fh
		jnb	short loc_6692D7
		mov	[esi], al
		inc	esi
		jmp	short loc_669331
; 

loc_6692D7:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+469j
		mov	byte ptr [esi],	0Fh
		inc	esi
		jmp	short loc_6692FC
; 

loc_6692DD:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+461j
		mov	cl, [edx]
		cmp	eax, 0Fh
		jnb	short loc_6692F2
		shl	al, 4
		or	al, cl
		mov	[edx], al
		xor	edx, edx
		mov	[ebp+var_24], edx
		jmp	short loc_669334
; 

loc_6692F2:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+47Bj
		or	cl, 0F0h
		mov	[edx], cl
		xor	ecx, ecx
		mov	[ebp+var_24], ecx

loc_6692FC:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+474j
		sub	eax, 0Fh
		lea	ecx, [esi+1]
		cmp	eax, 0FFh
		jnb	short loc_66930F
		mov	[esi], al
		mov	esi, ecx
		jmp	short loc_669331
; 

loc_66930F:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+4A0j
		mov	byte ptr [esi],	0FFh
		add	eax, 16h
		lea	esi, [ecx+2]
		mov	[ebp+arg_4], esi
		cmp	eax, 10000h
		jnb	short loc_669327
		mov	[ecx], ax
		jmp	short loc_669334
; 

loc_669327:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+4B9j
		xor	edx, edx
		mov	[ecx], dx
		mov	[esi], eax
		add	esi, 4

loc_669331:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+386j
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+46Ej	...
		mov	[ebp+arg_4], esi

loc_669334:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+489j
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+4BEj
		mov	ecx, [ebp+var_8]
		lea	eax, ds:1[ebx*2]
		test	ebx, ebx
		jle	short loc_669349
		mov	ebx, eax
		mov	[ebp+var_4], eax
		jmp	short loc_66935E
; 

loc_669349:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+4D9j
		mov	[ecx], eax
		mov	ebx, 1
		mov	ecx, esi
		mov	[ebp+var_4], ebx
		add	esi, 4
		mov	[ebp+var_8], ecx
		mov	[ebp+arg_4], esi

loc_66935E:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+4E0j
		cmp	esi, [ebp+var_3C]
		jnb	short loc_66937D
		mov	ecx, [ebp+var_18]
		jmp	loc_668FC7
; 

loc_66936B:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+17Bj
		mov	eax, [ebp+var_34]
		mov	edx, [ebp+arg_18]
		cmp	edi, [ebp+var_30]
		jb	loc_668F27
		mov	ecx, [ebp+var_8]

loc_66937D:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+258j
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+4FAj
		mov	edx, [ebp+var_1C]
		cmp	edi, edx
		jnb	short loc_6693AD
		lea	ecx, [ecx+0]

loc_669387:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+544j
		cmp	esi, [ebp+var_38]
		jnb	short loc_6693E2
		mov	al, [edi]
		inc	edi
		mov	[esi], al
		inc	esi
		lea	eax, [ebx+ebx]
		test	ebx, ebx
		jle	short loc_66939D
		mov	ebx, eax
		jmp	short loc_6693A9
; 

loc_66939D:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+530j
		mov	[ecx], eax
		mov	ebx, 1
		mov	ecx, esi
		add	esi, 4

loc_6693A9:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+534j
		cmp	edi, edx
		jb	short loc_669387

loc_6693AD:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+51Bj
		cmp	esi, [ebp+var_38]
		jnb	short loc_6693E2
		test	ebx, ebx
		jle	short loc_6693C2
		nop

loc_6693B7:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+559j
		lea	ebx, ds:1[ebx*2]
		test	ebx, ebx
		jg	short loc_6693B7

loc_6693C2:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+54Dj
		sub	esi, [ebp+arg_0]
		lea	eax, ds:1[ebx*2]
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		cmp	esi, 8
		jnb	short loc_6693DE
		mov	dword ptr [eax], 8

loc_6693DE:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+56Fj
		xor	eax, eax
		jmp	short loc_6693E7
; 

loc_6693E2:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+2Cj
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+35j ...
		mov	eax, 0C0000023h

loc_6693E7:				; CODE XREF: RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+48j
					; RtlCompressBufferXpressLzMax(x,x,x,x,x,x,x,x,x)+579j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_RtlCompressBufferXpressLzMax@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDecompressBufferXpressHuffProgress(x, x,	x, x, x, x, x, x, x)
_RtlDecompressBufferXpressHuffProgress@36 proc near
					; CODE XREF: RtlDecompressBufferProgress+8C722p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1C], 1000h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_18], ebx
		test	eax, eax
		jnz	short loc_669416
		mov	eax, 0C00000E8h
		jmp	loc_669963
; 

loc_669416:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+1Aj
		mov	ecx, [ebp+arg_4]
		add	eax, 3
		push	esi
		and	eax, 0FFFFFFFCh
		mov	esi, ebx
		push	edi
		mov	edi, [ebp+arg_0]
		add	ebx, edx
		mov	[ebp+var_10], eax
		add	ecx, edi
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ebx
		test	eax, eax
		jz	short loc_669442
		cmp	edx, 1000h
		jnb	short loc_669447

loc_669442:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+48j
		mov	[ebp+var_1C], edx
		jmp	short loc_66944C
; 

loc_669447:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+50j
		mov	edx, 1000h

loc_66944C:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+55j
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], edx
		jmp	short loc_669460
; 
		align 10h

loc_669460:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+68j
					; RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+556j
		mov	eax, ecx
		sub	eax, edi
		cmp	eax, 104h
		jl	loc_66994B
		mov	ecx, [ebp+var_10]
		mov	edx, edi
		call	XpressBuildHuffmanDecodingTable
		test	eax, eax
		jnz	loc_669950
		movzx	edx, word ptr [edi+100h]
		lea	ebx, [eax+10h]
		movzx	eax, word ptr [edi+102h]
		lea	ecx, [esi+10000h]
		shl	edx, 10h
		add	edi, 104h
		add	edx, eax
		mov	[ebp+arg_0], edi
		mov	eax, [ebp+var_8]
		mov	[ebp+arg_14], ecx
		cmp	ecx, eax
		jbe	short loc_6694B5
		mov	ecx, eax
		mov	[ebp+arg_14], eax

loc_6694B5:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+BEj
		lea	eax, [ecx-0BCh]
		cmp	esi, eax
		jnb	loc_669794
		mov	ecx, [ebp+var_1C]
		add	ecx, esi
		mov	[ebp+var_C], ecx
		cmp	eax, ecx
		jnb	short loc_6694D7
		mov	[ebp+var_C], eax
		jmp	short loc_6694D7
; 

loc_6694D4:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+308j
					; RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+31Fj ...
		mov	ebx, [ebp+arg_C]

loc_6694D7:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+DDj
					; RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+E2j	...
		mov	ecx, [ebp+var_10]
		mov	eax, edx
		shr	eax, 16h
		movzx	ecx, word ptr [ecx+eax*2+420h]
		mov	[ebp+arg_10], ecx
		test	cx, cx
		jg	short loc_669518
		mov	edi, [ebp+var_10]
		shl	edx, 0Ah
		sub	ebx, 0Ah

loc_6694F8:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+121j
		mov	eax, edx
		dec	ebx
		shr	eax, 1Fh
		add	edx, edx
		sub	eax, ecx
		movzx	eax, ax
		cwde
		movzx	ecx, word ptr [edi+eax*2+0C20h]
		test	cx, cx
		jle	short loc_6694F8
		mov	edi, [ebp+arg_0]
		jmp	short loc_669522
; 

loc_669518:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+FDj
		and	ecx, 0Fh
		shl	edx, cl
		sub	ebx, ecx
		mov	ecx, [ebp+arg_10]

loc_669522:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+126j
		sar	cx, 4
		mov	eax, 100h
		sub	cx, ax
		mov	[ebp+arg_C], ebx
		movzx	ecx, cx
		mov	[ebp+arg_4], edx
		mov	[ebp+arg_10], ecx
		test	ebx, ebx
		jns	short loc_66958F
		cmp	esi, [ebp+var_C]
		jb	short loc_669561
		mov	eax, [ebp+arg_14]
		add	eax, 0FFFFFF44h
		cmp	esi, eax
		jnb	loc_669806
		push	esi
		mov	edx, eax
		lea	ecx, [ebp+var_2C]
		call	_RtlpMakeXpressCallback@12 ; RtlpMakeXpressCallback(x,x,x)
		mov	[ebp+var_C], eax

loc_669561:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+151j
		mov	eax, [ebp+var_4]
		lea	ecx, [edi+1]
		cmp	ecx, eax
		jnb	loc_669950
		movzx	edx, word ptr [edi]
		mov	ecx, ebx
		neg	ecx
		add	edi, 2
		shl	edx, cl
		add	[ebp+arg_4], edx
		add	ebx, 10h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_10]
		mov	[ebp+arg_0], edi
		mov	[ebp+arg_C], ebx
		jmp	short loc_669592
; 

loc_66958F:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+14Cj
		mov	eax, [ebp+var_4]

loc_669592:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+19Dj
		test	cx, cx
		jns	short loc_66959F
		mov	[esi], cl
		inc	esi
		jmp	loc_6694D7
; 

loc_66959F:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+1A5j
		jnz	short loc_6695AE
		cmp	edi, eax
		jb	short loc_6695AE
		cmp	esi, [ebp+var_8]
		jz	loc_669957

loc_6695AE:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x):loc_66959Fj
					; RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+1B3j
		movsx	ebx, cx
		mov	eax, ebx
		cdq
		and	edx, 0Fh
		add	eax, edx
		sar	eax, 4
		mov	[ebp+var_14], eax
		and	ebx, 8000000Fh
		jns	short loc_6695CC
		dec	ebx
		or	ebx, 0FFFFFFF0h
		inc	ebx

loc_6695CC:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+1D5j
		cmp	ebx, 0Fh
		jnz	short loc_669635
		mov	ecx, [ebp+var_4]
		cmp	edi, ecx
		jnb	loc_669950
		movzx	ebx, byte ptr [edi]
		inc	edi
		mov	[ebp+arg_0], edi
		cmp	ebx, 0FFh
		jnz	short loc_669632
		lea	eax, [edi+1]
		cmp	eax, ecx
		jnb	loc_669950
		movzx	ebx, word ptr [edi]
		add	edi, 2
		mov	[ebp+arg_0], edi
		test	ebx, ebx
		jnz	short loc_669616
		lea	eax, [edi+3]
		cmp	eax, ecx
		jnb	loc_669950
		mov	ebx, [edi]
		add	edi, 4
		mov	[ebp+arg_0], edi

loc_669616:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+211j
		cmp	ebx, 0Fh
		jb	loc_669950
		lea	eax, [esi+3]
		add	eax, ebx
		cmp	eax, esi
		jb	loc_669950
		mov	eax, [ebp+var_14]
		sub	ebx, 0Fh

loc_669632:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+1F9j
		add	ebx, 0Fh

loc_669635:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+1DFj
		mov	edx, [ebp+arg_4]
		mov	ecx, 1Fh
		sub	ecx, eax
		mov	[ebp+var_20], ebx
		mov	eax, edx
		add	ebx, 3
		shr	eax, cl
		mov	ecx, [ebp+var_14]
		shr	eax, 1
		mov	[ebp+arg_10], eax
		mov	eax, 1
		shl	eax, cl
		add	[ebp+arg_10], eax
		shl	edx, cl
		mov	ecx, [ebp+arg_C]
		sub	ecx, [ebp+var_14]
		mov	[ebp+arg_4], edx
		mov	[ebp+arg_C], ecx
		jns	short loc_6696A0
		mov	eax, [ebp+arg_14]
		mov	edi, [ebp+arg_0]
		add	eax, 0FFFFFF44h
		cmp	esi, eax
		jnb	loc_669903
		lea	eax, [edi+1]
		cmp	eax, [ebp+var_4]
		jnb	loc_669950
		movzx	eax, word ptr [edi]
		neg	ecx
		shl	eax, cl
		add	edi, 2
		add	edx, eax
		mov	[ebp+arg_0], edi
		add	[ebp+arg_C], 10h
		mov	[ebp+arg_4], edx

loc_6696A0:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+279j
		mov	eax, [ebp+arg_10]
		mov	ecx, esi
		sub	ecx, eax
		cmp	ecx, [ebp+var_18]
		jb	loc_669950
		cmp	eax, 4
		jnb	short loc_6696FE
		sub	eax, 1
		jz	short loc_6696DB
		sub	eax, 1
		movzx	eax, byte ptr [ecx]
		mov	[esi], al
		movzx	eax, byte ptr [ecx+1]
		mov	[esi+1], al
		jz	short loc_6696D1
		movzx	eax, byte ptr [ecx+2]
		jmp	short loc_6696E9
; 

loc_6696D1:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+2D9j
		sub	ebx, 2
		mov	eax, 2
		jmp	short loc_6696F4
; 

loc_6696DB:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+2C8j
		movzx	eax, byte ptr [ecx]
		mov	[esi], al
		movzx	eax, byte ptr [ecx]
		mov	[esi+1], al
		movzx	eax, byte ptr [ecx]

loc_6696E9:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+2DFj
		mov	ebx, [ebp+var_20]
		mov	[esi+2], al
		mov	eax, 3

loc_6696F4:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+2E9j
		add	esi, eax
		test	ebx, ebx
		jz	loc_6694D4

loc_6696FE:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+2C3j
		mov	eax, [ecx]
		mov	[esi], eax
		mov	eax, [ecx+4]
		mov	[esi+4], eax
		cmp	ebx, 9
		jnb	short loc_669714
		add	esi, ebx
		jmp	loc_6694D4
; 

loc_669714:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+31Bj
		add	esi, 8
		add	ecx, 8
		sub	ebx, 8

loc_66971D:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+376j
		mov	[ebp+arg_10], ecx
		cmp	esi, [ebp+var_C]
		jb	short loc_669742
		mov	eax, [ebp+arg_14]
		add	eax, 0FFFFFF44h
		cmp	esi, eax
		jnb	short loc_669772
		push	esi
		mov	edx, eax
		lea	ecx, [ebp+var_2C]
		call	_RtlpMakeXpressCallback@12 ; RtlpMakeXpressCallback(x,x,x)
		mov	ecx, [ebp+arg_10]
		mov	[ebp+var_C], eax

loc_669742:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+333j
		mov	eax, [ecx]
		mov	[esi], eax
		mov	eax, [ecx+4]
		mov	[esi+4], eax
		mov	eax, [ecx+8]
		mov	[esi+8], eax
		mov	eax, [ecx+0Ch]
		mov	[esi+0Ch], eax
		cmp	ebx, 11h
		jb	short loc_669768
		add	esi, 10h
		add	ecx, 10h
		sub	ebx, 10h
		jmp	short loc_66971D
; 

loc_669768:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+36Bj
		mov	edx, [ebp+arg_4]
		add	esi, ebx
		jmp	loc_6694D4
; 

loc_669772:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+33Fj
		lea	eax, [ebx+esi]
		cmp	eax, [ebp+var_8]
		ja	loc_669950
		mov	edx, [ebp+arg_4]
		mov	edi, esi
		mov	esi, ecx
		mov	ecx, ebx
		rep movsb
		mov	esi, eax

loc_66978B:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+54Ej
		mov	ebx, [ebp+arg_C]
		mov	edi, [ebp+arg_0]

loc_669791:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+447j
		mov	ecx, [ebp+arg_14]

loc_669794:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+CDj
		cmp	esi, ecx
		jnb	loc_669943
		mov	ecx, [ebp+var_10]
		mov	eax, edx
		shr	eax, 16h
		movzx	ecx, word ptr [ecx+eax*2+420h]
		mov	[ebp+arg_10], ecx
		test	cx, cx
		jg	short loc_6697E0
		mov	edi, [ebp+var_10]
		shl	edx, 0Ah
		sub	ebx, 0Ah
		lea	ecx, [ecx+0]

loc_6697C0:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+3E9j
		mov	eax, edx
		dec	ebx
		shr	eax, 1Fh
		add	edx, edx
		sub	eax, ecx
		movzx	eax, ax
		cwde
		movzx	ecx, word ptr [edi+eax*2+0C20h]
		test	cx, cx
		jle	short loc_6697C0
		mov	edi, [ebp+arg_0]
		jmp	short loc_6697EA
; 

loc_6697E0:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+3C2j
		and	ecx, 0Fh
		shl	edx, cl
		sub	ebx, ecx
		mov	ecx, [ebp+arg_10]

loc_6697EA:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+3EEj
		sar	cx, 4
		mov	eax, 100h
		sub	cx, ax
		mov	[ebp+arg_C], ebx
		movzx	ecx, cx
		mov	[ebp+arg_4], edx
		mov	[ebp+arg_10], ecx
		test	ebx, ebx
		jns	short loc_66982F

loc_669806:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+15Dj
		lea	eax, [edi+1]
		cmp	eax, [ebp+var_4]
		jnb	loc_669950
		movzx	eax, word ptr [edi]
		mov	ecx, ebx
		neg	ecx
		add	edi, 2
		shl	eax, cl
		mov	ecx, [ebp+arg_10]
		add	edx, eax
		add	ebx, 10h
		mov	[ebp+arg_4], edx
		mov	[ebp+arg_0], edi
		mov	[ebp+arg_C], ebx

loc_66982F:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+414j
		test	cx, cx
		jns	short loc_66983C
		mov	[esi], cl
		inc	esi
		jmp	loc_669791
; 

loc_66983C:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+442j
		jnz	short loc_66984C
		cmp	edi, [ebp+var_4]
		jb	short loc_66984C
		cmp	esi, [ebp+var_8]
		jz	loc_669957

loc_66984C:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x):loc_66983Cj
					; RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+451j
		movsx	ebx, cx
		mov	eax, ebx
		cdq
		and	edx, 0Fh
		add	eax, edx
		sar	eax, 4
		mov	[ebp+var_14], eax
		and	ebx, 8000000Fh
		jns	short loc_66986A
		dec	ebx
		or	ebx, 0FFFFFFF0h
		inc	ebx

loc_66986A:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+473j
		cmp	ebx, 0Fh
		jnz	short loc_6698D3
		mov	ecx, [ebp+var_4]
		cmp	edi, ecx
		jnb	loc_669950
		movzx	ebx, byte ptr [edi]
		inc	edi
		mov	[ebp+arg_0], edi
		cmp	ebx, 0FFh
		jnz	short loc_6698D0
		lea	eax, [edi+1]
		cmp	eax, ecx
		jnb	loc_669950
		movzx	ebx, word ptr [edi]
		add	edi, 2
		mov	[ebp+arg_0], edi
		test	ebx, ebx
		jnz	short loc_6698B4
		lea	eax, [edi+3]
		cmp	eax, ecx
		jnb	loc_669950
		mov	ebx, [edi]
		add	edi, 4
		mov	[ebp+arg_0], edi

loc_6698B4:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+4AFj
		cmp	ebx, 0Fh
		jb	loc_669950
		lea	eax, [esi+3]
		add	eax, ebx
		cmp	eax, esi
		jb	loc_669950
		mov	eax, [ebp+var_14]
		sub	ebx, 0Fh

loc_6698D0:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+497j
		add	ebx, 0Fh

loc_6698D3:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+47Dj
		mov	edx, [ebp+arg_4]
		mov	ecx, 1Fh
		sub	ecx, eax
		add	ebx, 3
		mov	eax, edx
		shr	eax, cl
		mov	ecx, [ebp+var_14]
		shr	eax, 1
		mov	[ebp+arg_10], eax
		mov	eax, 1
		shl	eax, cl
		add	[ebp+arg_10], eax
		shl	edx, cl
		mov	ecx, [ebp+arg_C]
		sub	ecx, [ebp+var_14]
		mov	[ebp+arg_C], ecx
		jns	short loc_66991E

loc_669903:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+288j
		lea	eax, [edi+1]
		cmp	eax, [ebp+var_4]
		jnb	short loc_669950
		movzx	eax, word ptr [edi]
		neg	ecx
		shl	eax, cl
		add	edi, 2
		add	edx, eax
		mov	[ebp+arg_0], edi
		add	[ebp+arg_C], 10h

loc_66991E:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+511j
		mov	eax, esi
		sub	eax, [ebp+arg_10]
		cmp	eax, [ebp+var_18]
		jb	short loc_669950
		lea	ecx, [ebx+esi]
		mov	[ebp+arg_4], ecx
		cmp	ecx, [ebp+var_8]
		ja	short loc_669950
		mov	edi, esi
		mov	ecx, ebx
		mov	esi, eax
		rep movsb
		mov	esi, [ebp+arg_4]
		jmp	loc_66978B
; 

loc_669943:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+3A6j
		mov	ecx, [ebp+var_4]
		jmp	loc_669460
; 

loc_66994B:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+79j
		cmp	esi, [ebp+var_8]
		jz	short loc_669957

loc_669950:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+8Bj
					; RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+179j ...
		mov	eax, 0C0000242h
		jmp	short loc_669961
; 

loc_669957:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+1B8j
					; RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+456j ...
		mov	eax, [ebp+arg_8]
		sub	esi, [ebp+var_18]
		mov	[eax], esi
		xor	eax, eax

loc_669961:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+565j
		pop	edi
		pop	esi

loc_669963:				; CODE XREF: RtlDecompressBufferXpressHuffProgress(x,x,x,x,x,x,x,x,x)+21j
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_RtlDecompressBufferXpressHuffProgress@36 endp


;  S U B	R O U T	I N E 


; __stdcall DebugPrompt(x, x)
_DebugPrompt@8	proc near		; CODE XREF: DbgPrompt(x,x,x)+40p
		movzx	eax, word ptr [edx+2]
		push	eax
		push	dword ptr [edx+4]
		movzx	eax, word ptr [ecx]
		mov	edx, [ecx+4]
		push	eax
		push	2
		pop	ecx
		call	_DebugService@20 ; DebugService(x,x,x,x,x)
		retn
_DebugPrompt@8	endp


;  S U B	R O U T	I N E 


; __stdcall RtlpHeapExceptionFilter(x, x)
_RtlpHeapExceptionFilter@8 proc	near	; CODE XREF: RtlpProbeUserBufferSafe(x,x)+51p
					; RtlpAnalyzeHeapFailure(x,x,x)+201p ...
		cmp	ecx, 0C00000FDh
		jz	short loc_6699BD
		cmp	ecx, 0C0000194h
		jz	short loc_6699BD
		cmp	ecx, 0C0000017h
		jz	short loc_6699BD
		push	esi
		mov	esi, [edx]
		xor	eax, eax
		push	edi
		push	14h
		pop	ecx
		mov	edi, offset unk_6B5EF4
		inc	eax
		rep movsd
		mov	esi, [edx+4]
		mov	ecx, 0B3h
		mov	edi, offset unk_6B5F44
		rep movsd
		pop	edi
		pop	esi
		retn
; 

loc_6699BD:				; CODE XREF: RtlpHeapExceptionFilter(x,x)+6j
					; RtlpHeapExceptionFilter(x,x)+Ej ...
		xor	eax, eax
		retn
_RtlpHeapExceptionFilter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpLogHeapFailure(x, x, x,	x, x, x)
_RtlpLogHeapFailure@24 proc near	; CODE XREF: ExFreeHeapPool:loc_525D05p
					; RtlpHpFreeHeap+11FF8Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		cmp	ds:dword_6B5E4C, edx
		jz	short loc_669A01
		mov	eax, [ebp+arg_4]
		mov	esi, [ebp+arg_0]
		mov	ds:dword_6B5E54, eax
		mov	eax, [ebp+arg_8]
		mov	ds:dword_6B5E58, eax
		mov	eax, [ebp+arg_C]
		push	esi
		mov	ds:dword_6B5E48, ecx
		mov	ds:dword_6B5E4C, edx
		mov	ds:dword_6B5E50, esi
		mov	ds:dword_6B5E5C, eax
		call	_RtlpHpHeapHandleError@12 ; RtlpHpHeapHandleError(x,x,x)

loc_669A01:				; CODE XREF: RtlpLogHeapFailure(x,x,x,x,x,x)+Cj
		pop	esi
		pop	ebp
		retn	10h
_RtlpLogHeapFailure@24 endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpAnalyzeHeapFailure(x, x, x)
_RtlpAnalyzeHeapFailure@12 proc	near	; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+17Fp
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+9Ap ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	28h
		push	offset dword_6A92E0
		call	__SEH_prolog4
		mov	esi, edx
		mov	[ebp+var_38], esi
		mov	edx, ecx
		mov	[ebp+var_28], edx
		xor	edi, edi
		mov	ebx, edi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], edi
		mov	[ebp+ms_exc.disabled], edi
		mov	eax, [edx+4Ch]
		mov	[ebp+var_2C], eax
		test	[esi], eax
		jnz	loc_669BF7
		mov	[ebp+var_1C], 0Ah
		test	dword ptr [edx+40h], 4000000h
		jnz	short loc_669A58
		mov	al, [esi+2]
		xor	al, [esi+1]
		xor	al, [esi]
		cmp	[esi+3], al
		jnz	loc_669BF7

loc_669A58:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+3Fj
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_1C], ebx
		mov	al, [esi+6]
		test	al, al
		jz	short loc_669A78
		movzx	eax, al
		sub	ebx, eax
		shl	ebx, 10h
		mov	eax, esi
		and	eax, 0FFFF0000h
		add	ebx, eax
		jmp	short loc_669A7A
; 

loc_669A78:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+5Dj
		mov	ebx, edx

loc_669A7A:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+70j
		mov	[ebp+var_20], ebx
		cmp	dword ptr [ebx+8], 0FFEEFFEEh
		jnz	loc_669BF7
		mov	al, [esi+7]
		cmp	al, 4
		jz	short loc_669AB3
		mov	[ebp+var_1C], 2
		cmp	esi, [ebx+1Ch]
		jb	loc_669BF7
		cmp	esi, [ebx+28h]
		jnb	loc_669BF7
		cmp	[ebx+18h], edx
		jnz	loc_669BF7

loc_669AB3:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+89j
		mov	[ebp+var_1C], 3
		cmp	al, 3
		jnz	short loc_669B3D
		mov	eax, [esi+18h]
		mov	[ebp+var_24], eax
		test	eax, 0FFFh
		jnz	loc_669BF7
		cmp	eax, [ebx+1Ch]
		jb	loc_669BF7
		mov	eax, [esi+1Ch]
		add	eax, [ebp+var_24]
		cmp	eax, [ebx+28h]
		ja	loc_669BF7
		mov	[ebp+var_1C], 4
		mov	ecx, [esi+8]
		mov	eax, [esi+0Ch]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		cmp	eax, [ecx+4]
		jnz	loc_669BF7
		lea	eax, [esi+8]
		cmp	[ebp+var_24], eax
		jnz	loc_669BF7
		mov	[ebp+var_1C], 5
		add	eax, 8
		mov	[ebp+var_24], eax
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	eax, [eax]
		cmp	eax, [ecx+4]
		jnz	loc_669BF7
		cmp	eax, [ebp+var_24]
		jnz	loc_669BF7
		movzx	eax, word ptr [edx+54h]
		mov	[ebp+var_24], eax
		jmp	short loc_669B6C
; 

loc_669B3D:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+B6j
		movzx	edx, word ptr [esi]
		mov	ax, [esi+edx*8+4]
		mov	[ebp+var_1C], 6
		mov	ecx, [ebp+var_28]
		movzx	ecx, word ptr [ecx+54h]
		mov	edi, ecx
		mov	[ebp+var_24], edi
		xor	ax, cx
		cmp	ax, dx
		push	0
		pop	edi
		jnz	loc_669BF7
		mov	edx, [ebp+var_28]
		mov	eax, ecx

loc_669B6C:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+135j
		mov	[ebp+var_1C], 7
		movzx	ecx, word ptr [esi+4]
		mov	[ebp+var_30], ecx
		cmp	ax, cx
		jz	short loc_669BD0
		movzx	ecx, cx
		movzx	eax, ax
		xor	ecx, eax
		shl	ecx, 3
		mov	eax, esi
		sub	eax, ecx
		cmp	[ebp+var_2C], 0
		jz	short loc_669BBA
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edi
		mov	ecx, [eax]
		mov	[ebp+var_34], ecx
		test	[edx+4Ch], ecx
		jz	short loc_669BAA
		xor	ecx, [edx+50h]
		mov	[ebp+var_34], ecx

loc_669BAA:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+19Cj
		movzx	ecx, cx
		movzx	edx, word ptr [edx+54h]
		movzx	eax, word ptr [esi+4]
		mov	ebx, [ebp+var_20]
		jmp	short loc_669BC9
; 

loc_669BBA:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+18Cj
		movzx	ecx, word ptr [eax]
		mov	eax, [ebp+var_24]
		movzx	edx, ax
		mov	eax, [ebp+var_30]
		movzx	eax, ax

loc_669BC9:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+1B2j
		xor	eax, edx
		cmp	cx, ax
		jnz	short loc_669BF7

loc_669BD0:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+177j
		mov	[ebp+var_1C], 8
		test	byte ptr [esi+2], 1
		jnz	short loc_669BF0
		lea	edx, [esi+8]
		mov	ecx, [edx]
		mov	eax, [edx+4]
		mov	eax, [eax]
		cmp	eax, [ecx+4]
		jnz	short loc_669BF7
		cmp	eax, edx
		jnz	short loc_669BF7

loc_669BF0:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+1D5j
		mov	[ebp+var_1C], 9

loc_669BF7:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+2Bj
					; RtlpAnalyzeHeapFailure(x,x,x)+4Cj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_669C1F
; 

loc_669C00:				; DATA XREF: .text:006A92F4o
		mov	edx, [ebp+ms_exc.exc_ptr]
		mov	eax, [edx]
		mov	ecx, [eax]
		call	_RtlpHeapExceptionFilter@8 ; RtlpHeapExceptionFilter(x,x)
		retn
; 

loc_669C0D:				; DATA XREF: .text:006A92F8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	edi, edi
		mov	esi, [ebp+var_38]
		mov	ebx, [ebp+var_20]

loc_669C1F:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+1F8j
		mov	ecx, [ebp+var_28]
		cmp	[ecx+4Ch], edi
		jz	short loc_669C37
		mov	al, [esi+2]
		xor	al, [esi+1]
		xor	al, [esi]
		mov	[esi+3], al
		mov	eax, [ecx+50h]
		xor	[esi], eax

loc_669C37:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+21Fj
		mov	eax, [ebp+var_1C]
		cmp	eax, 0Ah
		ja	short loc_669C7F
		movzx	eax, ds:byte_669CBA[eax]
		jmp	ds:off_669CA2[eax*4]

loc_669C4D:				; DATA XREF: .text:off_669CA2o
		push	edi
		push	edi
		push	[ebp+var_1C]
		push	esi
		push	3
		jmp	short loc_669C87
; 

loc_669C57:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+240j
					; DATA XREF: .text:00669CA6o
		push	edi
		push	edi
		push	dword ptr [ebx+18h]
		push	esi
		push	0Ch
		jmp	short loc_669C87
; 

loc_669C61:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+240j
					; DATA XREF: .text:00669CAAo
		push	edi
		push	edi
		push	3
		push	esi
		mov	edx, ecx
		xor	ecx, ecx
		jmp	short loc_669C8A
; 

loc_669C6C:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+240j
					; DATA XREF: .text:00669CAEo
		push	edi
		push	edi
		push	[ebp+var_1C]
		push	esi
		push	0Eh
		jmp	short loc_669C87
; 

loc_669C76:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+240j
					; DATA XREF: .text:00669CB2o
		push	edi
		push	edi
		push	8
		push	esi
		push	0Dh
		jmp	short loc_669C87
; 

loc_669C7F:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+237j
					; RtlpAnalyzeHeapFailure(x,x,x)+240j
					; DATA XREF: ...
		push	edi
		push	edi
		push	[ebp+var_1C]
		push	esi
		push	2

loc_669C87:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+24Fj
					; RtlpAnalyzeHeapFailure(x,x,x)+259j ...
		mov	edx, ecx
		pop	ecx

loc_669C8A:				; CODE XREF: RtlpAnalyzeHeapFailure(x,x,x)+264j
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_RtlpAnalyzeHeapFailure@12 endp

; 
		align 2
off_669CA2	dd offset loc_669C4D	; DATA XREF: RtlpAnalyzeHeapFailure(x,x,x)+240r
		dd offset loc_669C57
		dd offset loc_669C61
		dd offset loc_669C6C
		dd offset loc_669C76
		dd offset loc_669C7F
byte_669CBA	db 0			; DATA XREF: RtlpAnalyzeHeapFailure(x,x,x)+239r
		align 4
		dd 3030201h, 5040000h
		db 0

;  S U B	R O U T	I N E 


; __stdcall RtlpGetHeapInterceptorIndex(x)
_RtlpGetHeapInterceptorIndex@4 proc near ; CODE	XREF: RtlpHpHeapCreate:loc_5E308Dp
		xor	eax, eax

loc_669CC7:				; CODE XREF: RtlpGetHeapInterceptorIndex(x)+17j
		movzx	ecx, ax
		cmp	ds:_RtlpInterceptorRoutines[ecx*4], offset _ext_ms_win_ntos_ksr_l1_1_3_KsrFreePersistedMemoryBlock@16 ;	ext_ms_win_ntos_ksr_l1_1_3_KsrFreePersistedMemoryBlock(x,x,x,x)
		jz	short loc_669CE1
		inc	eax
		cmp	ax, 1
		jb	short loc_669CC7
		xor	eax, eax
		retn
; 

loc_669CE1:				; CODE XREF: RtlpGetHeapInterceptorIndex(x)+10j
		lea	eax, [ecx+1]
		retn
_RtlpGetHeapInterceptorIndex@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpHeapHandleError(x)
_RtlpHeapHandleError@4 proc near	; CODE XREF: RtlpCreateUCREntry(x,x,x,x,x,x)+7Bp
					; RtlpDeCommitFreeBlock(x,x,x,x)+1CBp ...
		mov	eax, ds:dword_6B5E48
		push	0
		cmp	eax, 16h
		jnz	short loc_669D05
		push	0
		push	ds:dword_6B5E4C
		push	46h
		push	0C2h

loc_669D00:				; CODE XREF: RtlpHeapHandleError(x)+32j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_669D05:				; CODE XREF: RtlpHeapHandleError(x)+Aj
		push	ds:dword_6B5E50
		push	ds:dword_6B5E4C
		push	eax
		push	13Ah
		jmp	short loc_669D00
_RtlpHeapHandleError@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpHeapHandleError(x, x,	x)
_RtlpHpHeapHandleError@12 proc near	; CODE XREF: RtlpLogHeapFailure(x,x,x,x,x,x)+3Cp

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	8
		push	offset dword_6A92C0
		call	__SEH_prolog4
		mov	edi, edx
		mov	esi, ecx
		push	80h		; size_t
		push	0		; int
		mov	ebx, offset unk_6B5E70
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		push	0
		push	ebx
		push	20h
		push	1
		call	RtlCaptureStackBackTrace
		cmp	esi, 3
		jnz	short loc_669D76
		and	[ebp+ms_exc.disabled], 0
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_RtlpLocateRelatedBlocks@8 ; RtlpLocateRelatedBlocks(x,x)
		jmp	short loc_669D6F
; 

loc_669D5F:				; DATA XREF: .text:006A92D4o
		mov	edx, [ebp+ms_exc.exc_ptr]
		mov	eax, [edx]
		mov	ecx, [eax]
		call	_RtlpHeapExceptionFilter@8 ; RtlpHeapExceptionFilter(x,x)
		retn
; 

loc_669D6C:				; DATA XREF: .text:006A92D8o
		mov	esp, [ebp+ms_exc.old_esp]

loc_669D6F:				; CODE XREF: RtlpHpHeapHandleError(x,x,x)+44j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_669D76:				; CODE XREF: RtlpHpHeapHandleError(x,x,x)+34j
		call	_RtlpHeapHandleError@4 ; RtlpHeapHandleError(x)
		int	3		; Trap to Debugger
_RtlpHpHeapHandleError@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpLocateRelatedBlocks(x, x)
_RtlpLocateRelatedBlocks@8 proc	near	; CODE XREF: RtlpHpHeapHandleError(x,x,x)+3Fp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	[ebp+var_14], esi
		lea	ecx, [esi+0A4h]
		mov	eax, [ecx]
		jmp	short loc_669DA8
; 

loc_669D96:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+2Ej
		lea	ebx, [eax-10h]
		mov	[ebp+var_18], ebx
		cmp	[eax+0Ch], edx
		ja	short loc_669DA6
		cmp	[eax+18h], edx
		ja	short loc_669DB9

loc_669DA6:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+23j
		mov	eax, [eax]

loc_669DA8:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+18j
		cmp	eax, ecx
		jnz	short loc_669D96
		lea	edi, [esi+9Ch]
		mov	ecx, [edi]
		jmp	loc_669F96
; 

loc_669DB9:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+28j
		lea	edi, [eax+28h]
		xor	ebx, ebx
		mov	eax, [edi]
		mov	ecx, ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_10], edi
		cmp	eax, edi
		jz	short loc_669E0A

loc_669DCC:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+89j
		lea	edi, [eax-8]
		mov	esi, [edi+10h]
		mov	[ebp+var_8], edi
		mov	edi, [edi+14h]
		add	edi, esi
		mov	[ebp+var_C], esi
		mov	esi, [ebp+var_4]
		cmp	edi, edx
		jnb	short loc_669DEA
		cmp	edi, ecx
		jbe	short loc_669DEA
		mov	ecx, edi

loc_669DEA:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+66j
					; RtlpLocateRelatedBlocks(x,x)+6Aj
		mov	edi, [ebp+var_C]
		cmp	edi, edx
		jbe	short loc_669E00
		test	esi, esi
		jz	short loc_669DFA
		cmp	edi, [esi+10h]
		jnb	short loc_669E00

loc_669DFA:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+77j
		mov	esi, [ebp+var_8]
		mov	[ebp+var_4], esi

loc_669E00:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+73j
					; RtlpLocateRelatedBlocks(x,x)+7Cj
		mov	eax, [eax]
		cmp	eax, [ebp+var_10]
		jnz	short loc_669DCC
		mov	esi, [ebp+var_14]

loc_669E0A:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+4Ej
		mov	[ebp+var_8], ebx
		test	ecx, ecx
		jnz	short loc_669E14
		mov	ecx, [ebp+var_18]

loc_669E14:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+93j
		mov	edi, ebx
		cmp	ecx, edx
		jnb	short loc_669E48
		mov	ebx, [esi+4Ch]

loc_669E1D:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+C8j
		mov	edi, ecx
		test	ebx, ebx
		jz	short loc_669E34
		mov	eax, [ecx]
		mov	ebx, [esi+4Ch]
		test	ebx, eax
		jz	short loc_669E2F
		xor	eax, [esi+50h]

loc_669E2F:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+AEj
		movzx	eax, ax
		jmp	short loc_669E37
; 

loc_669E34:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+A5j
		movzx	eax, word ptr [ecx]

loc_669E37:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+B6j
		test	ax, ax
		jz	short loc_669E46
		movzx	eax, ax
		lea	ecx, [ecx+eax*8]
		cmp	ecx, edx
		jb	short loc_669E1D

loc_669E46:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+BEj
		xor	ebx, ebx

loc_669E48:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+9Cj
		mov	ecx, [ebp+var_4]
		add	ecx, 0FFFFFFF8h
		cmp	ecx, edx
		jbe	short loc_669E75
		movzx	eax, word ptr [esi+54h]
		mov	[ebp+var_18], eax

loc_669E59:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+F7j
		mov	ax, [ecx+4]
		xor	ax, word ptr [ebp+var_18]
		movzx	eax, ax
		mov	[ebp+var_8], ecx
		test	ax, ax
		jz	short loc_669E75
		imul	eax, -8
		add	ecx, eax
		cmp	ecx, edx
		ja	short loc_669E59

loc_669E75:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+D4j
					; RtlpLocateRelatedBlocks(x,x)+EEj
		mov	ecx, [ebp+var_8]
		mov	ds:dword_6B5E60, edi
		mov	ds:dword_6B5E64, ecx
		test	edi, edi
		jz	short loc_669ED4
		test	ecx, ecx
		jz	short loc_669ED4
		cmp	[esi+4Ch], ebx
		jz	short loc_669EA0
		mov	eax, [edi]
		test	[esi+4Ch], eax
		jz	short loc_669E9B
		xor	eax, [esi+50h]

loc_669E9B:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+11Aj
		movzx	eax, ax
		jmp	short loc_669EA3
; 

loc_669EA0:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+113j
		movzx	eax, word ptr [edi]

loc_669EA3:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+122j
		movzx	edx, word ptr [ecx+4]
		mov	[ebp+var_4], eax
		movzx	eax, word ptr [esi+54h]
		xor	edx, eax
		mov	eax, [ebp+var_4]
		movzx	eax, ax
		shl	edx, 3
		sub	ecx, edx
		lea	eax, [edi+eax*8]
		cmp	eax, ecx
		jz	short loc_669ED1
		mov	ds:dword_6B5E48, 4
		jmp	loc_669F9A
; 

loc_669ED1:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+144j
		mov	ecx, [ebp+var_8]

loc_669ED4:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+10Aj
					; RtlpLocateRelatedBlocks(x,x)+10Ej
		cmp	[esi+4Ch], ebx
		jz	short loc_669EEA
		mov	eax, [edi]
		mov	ebx, [esi+4Ch]
		test	ebx, eax
		jz	short loc_669EE5
		xor	eax, [esi+50h]

loc_669EE5:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+164j
		movzx	eax, ax
		jmp	short loc_669EED
; 

loc_669EEA:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+15Bj
		movzx	eax, word ptr [edi]

loc_669EED:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+16Cj
		movzx	edx, ax
		test	ecx, ecx
		jz	short loc_669F07
		movzx	ecx, word ptr [ecx+4]
		movzx	eax, word ptr [esi+54h]
		xor	ecx, eax
		mov	ds:dword_6B5E68, ecx
		mov	ebx, [esi+4Ch]

loc_669F07:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+176j
		test	ebx, ebx
		jz	short loc_669F1A
		mov	eax, [edi]
		test	[esi+4Ch], eax
		jz	short loc_669F15
		xor	eax, [esi+50h]

loc_669F15:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+194j
		movzx	eax, ax
		jmp	short loc_669F1D
; 

loc_669F1A:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+18Dj
		movzx	eax, word ptr [edi]

loc_669F1D:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+19Cj
		movzx	eax, ax
		mov	ds:dword_6B5E6C, eax
		cmp	dword ptr [esi+4Ch], 0
		jz	short loc_669F3B
		mov	eax, [edi+edx*8]
		test	[esi+4Ch], eax
		jz	short loc_669F36
		xor	eax, [esi+50h]

loc_669F36:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+1B5j
		movzx	eax, ax
		jmp	short loc_669F3F
; 

loc_669F3B:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+1ADj
		movzx	eax, word ptr [edi+edx*8]

loc_669F3F:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+1BDj
		movzx	eax, ax
		cmp	ds:dword_6B5E68, eax
		jz	short loc_669F56
		mov	ds:dword_6B5E48, 6
		jmp	short loc_669F9A
; 

loc_669F56:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+1CCj
		movzx	ecx, word ptr [edi+edx*8+4]
		movzx	eax, word ptr [esi+54h]
		xor	ecx, eax
		cmp	ds:dword_6B5E6C, ecx
		jz	short loc_669F9A
		mov	ds:dword_6B5E48, 7
		jmp	short loc_669F9A
; 

loc_669F75:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+21Cj
		mov	esi, ecx
		and	esi, 0FFFF0000h
		cmp	esi, edx
		ja	short loc_669F94
		mov	eax, [ecx+14h]
		add	eax, esi
		cmp	eax, edx
		jbe	short loc_669F94
		mov	ds:dword_6B5E48, 5

loc_669F94:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+203j
					; RtlpLocateRelatedBlocks(x,x)+20Cj
		mov	ecx, [ecx]

loc_669F96:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+38j
		cmp	ecx, edi
		jnz	short loc_669F75

loc_669F9A:				; CODE XREF: RtlpLocateRelatedBlocks(x,x)+150j
					; RtlpLocateRelatedBlocks(x,x)+1D8j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_RtlpLocateRelatedBlocks@8 endp


;  S U B	R O U T	I N E 


; __fastcall RtlpFindUCREntry(x, x)
@RtlpFindUCREntry@8 proc near		; CODE XREF: RtlpInsertUCRBlock(x,x)+12p
					; RtlpFindAndCommitPages(x,x)+14p
		cmp	ds:_RtlpHeapErrorHandlerThreshold, 1
		push	esi
		mov	esi, edx
		jl	short loc_669FCA
		lea	eax, [esi+0FFFh]
		and	eax, 0FFFFF000h
		cmp	eax, esi
		jz	short loc_669FCA
		push	offset ??_C@_0CO@HBNLODKA@?$CIROUND_UP_TO_POWER2?$CISize?0?5PAGE_@FNODOBFM@ ; "(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) =="...
		call	_DbgPrint
		pop	ecx
		call	_RtlpHeapHandleError@4 ; RtlpHeapHandleError(x)

loc_669FCA:				; CODE XREF: RtlpFindUCREntry(x,x)+Aj
					; RtlpFindUCREntry(x,x)+19j
		mov	edx, [ecx+0B8h]
		test	edx, edx
		jz	short loc_669FFE
		mov	eax, esi
		shr	eax, 0Ch
		cmp	eax, [edx+4]
		jb	short loc_669FF3
		push	edi

loc_669FDF:				; CODE XREF: RtlpFindUCREntry(x,x)+4Bj
		mov	edi, [edx]
		test	edi, edi
		jz	short loc_669FEE
		mov	edx, edi
		cmp	eax, [edx+4]
		jnb	short loc_669FDF
		jmp	short loc_669FF2
; 

loc_669FEE:				; CODE XREF: RtlpFindUCREntry(x,x)+44j
		mov	eax, [edx+4]
		dec	eax

loc_669FF2:				; CODE XREF: RtlpFindUCREntry(x,x)+4Dj
		pop	edi

loc_669FF3:				; CODE XREF: RtlpFindUCREntry(x,x)+3Dj
		push	esi
		push	eax
		push	0
		call	_RtlpHeapFindListLookupEntry@20	; RtlpHeapFindListLookupEntry(x,x,x,x,x)
		pop	esi
		retn
; 

loc_669FFE:				; CODE XREF: RtlpFindUCREntry(x,x)+33j
		add	ecx, 8Ch
		mov	eax, [ecx]
		jmp	short loc_66A00F
; 

loc_66A008:				; CODE XREF: RtlpFindUCREntry(x,x)+72j
		cmp	[eax+14h], esi
		jnb	short loc_66A015
		mov	eax, [eax]

loc_66A00F:				; CODE XREF: RtlpFindUCREntry(x,x)+67j
		cmp	ecx, eax
		jnz	short loc_66A008
		mov	eax, ecx

loc_66A015:				; CODE XREF: RtlpFindUCREntry(x,x)+6Cj
		pop	esi
		retn
@RtlpFindUCREntry@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpFindEntry(x, x)
_RtlpFindEntry@8 proc near		; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+149p
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+1D0p ...
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, [ebx+0B4h]
		jmp	short loc_66A030
; 

loc_66A028:				; CODE XREF: RtlpFindEntry(x,x)+1Cj
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_66A04F
		mov	esi, eax

loc_66A030:				; CODE XREF: RtlpFindEntry(x,x)+Fj
		cmp	edi, [esi+4]
		jnb	short loc_66A028
		mov	eax, edi

loc_66A037:				; CODE XREF: RtlpFindEntry(x,x)+36j
					; RtlpFindEntry(x,x)+3Cj
		push	edi
		push	eax
		push	1
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlpHeapFindListLookupEntry@20	; RtlpHeapFindListLookupEntry(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_66A055
		mov	esi, [esi]
		mov	eax, [esi+14h]
		jmp	short loc_66A037
; 

loc_66A04F:				; CODE XREF: RtlpFindEntry(x,x)+15j
		mov	eax, [esi+4]
		dec	eax
		jmp	short loc_66A037
; 

loc_66A055:				; CODE XREF: RtlpFindEntry(x,x)+2Fj
		pop	edi
		pop	esi
		pop	ebx
		retn
_RtlpFindEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHeapAddListEntry(x, x, x, x, x,	x)
_RtlpHeapAddListEntry@24 proc near	; CODE XREF: RtlpCreateSplitBlock(x,x,x,x,x,x,x)+269p
					; RtlpCreateSplitBlock(x,x,x,x,x,x,x)+503p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], ecx
		push	edi
		mov	edi, [ebp+arg_8]
		sub	edi, [esi+14h]
		cmp	dword ptr [esi+8], 0
		jz	short loc_66A07B
		lea	edx, [edi+edi]
		mov	[ebp+var_4], edx
		jmp	short loc_66A080
; 

loc_66A07B:				; CODE XREF: RtlpHeapAddListEntry(x,x,x,x,x,x)+18j
		mov	edx, edi
		mov	[ebp+var_4], edi

loc_66A080:				; CODE XREF: RtlpHeapAddListEntry(x,x,x,x,x,x)+20j
		mov	eax, [esi+20h]
		inc	dword ptr [esi+0Ch]
		push	ebx
		mov	ebx, [eax+edx*4]
		mov	eax, [esi+4]
		dec	eax
		cmp	[ebp+arg_8], eax
		jnz	short loc_66A096
		inc	dword ptr [esi+10h]

loc_66A096:				; CODE XREF: RtlpHeapAddListEntry(x,x,x,x,x,x)+38j
		test	ebx, ebx
		jz	short loc_66A0E8
		mov	eax, [ebx-8]
		cmp	dword ptr [ecx+4Ch], 0
		jz	short loc_66A0DC
		mov	edx, [ecx+50h]
		xor	edx, eax
		mov	ecx, edx
		mov	[ebp+arg_8], edx
		mov	eax, edx
		shr	ecx, 10h
		shr	eax, 8
		xor	cl, al
		mov	eax, edx
		xor	cl, al
		shr	edx, 18h
		cmp	dl, cl
		jz	short loc_66A0D9
		mov	edx, [ebp+var_8]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebx-8]
		push	eax
		push	3
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	eax, [ebp+arg_8]

loc_66A0D9:				; CODE XREF: RtlpHeapAddListEntry(x,x,x,x,x,x)+67j
		mov	edx, [ebp+var_4]

loc_66A0DC:				; CODE XREF: RtlpHeapAddListEntry(x,x,x,x,x,x)+48j
		mov	ecx, [ebp+arg_C]
		movzx	eax, ax
		sub	ecx, eax
		test	ecx, ecx
		jg	short loc_66A0F1

loc_66A0E8:				; CODE XREF: RtlpHeapAddListEntry(x,x,x,x,x,x)+3Fj
		mov	ecx, [esi+20h]
		mov	eax, [ebp+arg_4]
		mov	[ecx+edx*4], eax

loc_66A0F1:				; CODE XREF: RtlpHeapAddListEntry(x,x,x,x,x,x)+8Dj
		test	ebx, ebx
		pop	ebx
		jnz	short loc_66A10A
		mov	ecx, [esi+1Ch]
		mov	edx, edi
		shr	edx, 5
		and	edi, 1Fh
		mov	eax, [ecx+edx*4]
		bts	eax, edi
		mov	[ecx+edx*4], eax

loc_66A10A:				; CODE XREF: RtlpHeapAddListEntry(x,x,x,x,x,x)+9Bj
		pop	edi
		pop	esi
		leave
		retn	10h
_RtlpHeapAddListEntry@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHeapFindListLookupEntry(x, x, x, x, x)
_RtlpHeapFindListLookupEntry@20	proc near ; CODE XREF: RtlpFindUCREntry(x,x)+58p
					; RtlpFindEntry(x,x)+28p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, edx
		mov	eax, ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	esi, esi
		mov	ecx, [ebx+18h]
		sub	edi, [ebx+14h]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edi
		mov	edx, [ecx+4]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_14], edx
		cmp	ecx, edx
		jz	short loc_66A1A5
		cmp	byte ptr [ebp+arg_0], 0
		jz	short loc_66A195
		add	edx, 0FFFFFFF8h
		mov	[ebp+var_14], edx
		mov	edx, [edx]
		mov	[ebp+var_8], edx
		cmp	[eax+4Ch], esi
		jz	short loc_66A188
		mov	edx, [eax+50h]
		xor	edx, [ebp+var_8]
		mov	ecx, edx
		mov	[ebp+var_8], edx
		mov	eax, edx
		shr	ecx, 10h
		shr	eax, 8
		xor	cl, al
		xor	cl, dl
		shr	edx, 18h
		cmp	dl, cl
		jz	short loc_66A182
		mov	edx, [ebp+var_C]
		push	esi
		push	esi
		push	esi
		push	[ebp+var_14]
		push	3
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_66A182:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+5Fj
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]

loc_66A188:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+41j
		movzx	eax, dx
		mov	edx, [ebp+arg_8]
		sub	edx, eax
		mov	eax, [ebp+var_C]
		jmp	short loc_66A1A1
; 

loc_66A195:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+31j
		mov	edi, [ebp+var_14]
		mov	edx, [ebp+arg_8]
		sub	edx, [edi+14h]
		mov	edi, [ebp+var_10]

loc_66A1A1:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+83j
		test	edx, edx
		jle	short loc_66A1AC

loc_66A1A5:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+2Bj
		mov	esi, ecx
		jmp	loc_66A352
; 

loc_66A1AC:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+93j
		cmp	byte ptr [ebp+arg_0], 0
		mov	edx, [ecx]
		mov	[ebp+var_14], edx
		jz	short loc_66A206
		add	edx, 0FFFFFFF8h
		mov	[ebp+var_14], edx
		mov	edx, [edx]
		mov	[ebp+var_8], edx
		cmp	[eax+4Ch], esi
		jz	short loc_66A1FC
		mov	edx, [eax+50h]
		xor	edx, [ebp+var_8]
		mov	ecx, edx
		mov	[ebp+var_8], edx
		mov	eax, edx
		shr	ecx, 10h
		shr	eax, 8
		xor	cl, al
		xor	cl, dl
		shr	edx, 18h
		cmp	dl, cl
		jz	short loc_66A1F6
		mov	edx, [ebp+var_C]
		push	esi
		push	esi
		push	esi
		push	[ebp+var_14]
		push	3
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_66A1F6:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+D3j
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]

loc_66A1FC:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+B5j
		movzx	eax, dx
		mov	edx, [ebp+arg_8]
		sub	edx, eax
		jmp	short loc_66A20F
; 

loc_66A206:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+A5j
		mov	eax, [ebp+var_14]
		mov	edx, [ebp+arg_8]
		sub	edx, [eax+14h]

loc_66A20F:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+F4j
		test	edx, edx
		jg	short loc_66A21A
		mov	esi, [ecx]
		jmp	loc_66A352
; 

loc_66A21A:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+101j
		cmp	[ebx], esi
		jnz	loc_66A2B5
		mov	eax, [ebx+4]
		dec	eax
		cmp	[ebp+arg_4], eax
		jnz	loc_66A2B5
		cmp	[ebx+8], esi
		jz	short loc_66A236
		add	edi, edi

loc_66A236:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+122j
		mov	eax, [ebx+20h]
		mov	edi, [eax+edi*4]
		cmp	ecx, edi
		jz	loc_66A352
		mov	al, byte ptr [ebp+arg_0]

loc_66A247:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+197j
		test	al, al
		jz	short loc_66A299
		mov	ebx, [ebp+var_C]
		mov	eax, [edi-8]
		cmp	[ebx+4Ch], esi
		jz	short loc_66A28C
		mov	edx, [ebx+50h]
		xor	edx, eax
		mov	ecx, edx
		mov	[ebp+arg_4], edx
		mov	eax, edx
		shr	ecx, 10h
		shr	eax, 8
		xor	cl, al
		mov	eax, edx
		xor	cl, al
		shr	edx, 18h
		cmp	dl, cl
		jz	short loc_66A289
		push	esi
		push	esi
		push	esi
		lea	eax, [edi-8]
		mov	edx, ebx
		push	eax
		push	3
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	eax, [ebp+arg_4]

loc_66A289:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+163j
		mov	ecx, [ebp+var_4]

loc_66A28C:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+144j
		mov	edx, [ebp+arg_8]
		movzx	eax, ax
		sub	edx, eax
		mov	al, byte ptr [ebp+arg_0]
		jmp	short loc_66A29F
; 

loc_66A299:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+139j
		mov	edx, [ebp+arg_8]
		sub	edx, [edi+14h]

loc_66A29F:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+187j
		test	edx, edx
		jle	short loc_66A2AE
		mov	edi, [edi]
		cmp	ecx, edi
		jnz	short loc_66A247
		jmp	loc_66A352
; 

loc_66A2AE:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+191j
		mov	esi, edi
		jmp	loc_66A352
; 

loc_66A2B5:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+10Cj
					; RtlpHeapFindListLookupEntry(x,x,x,x,x)+119j
		mov	eax, [ebx+4]
		or	edx, 0FFFFFFFFh
		sub	eax, [ebx+14h]
		mov	ecx, [ebp+var_10]
		shr	eax, 5
		and	ecx, 1Fh
		shr	edi, 5
		dec	eax
		mov	[ebp+arg_8], eax
		mov	eax, [ebx+1Ch]
		shl	edx, cl
		lea	eax, [eax+edi*4]
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		and	edx, [ecx]
		jnz	short loc_66A2F4
		mov	eax, [ebp+arg_8]

loc_66A2E2:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+1DEj
		cmp	edi, eax
		ja	short loc_66A2F0
		add	ecx, 4
		inc	edi
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_66A2E2

loc_66A2F0:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+1D4j
		test	edx, edx
		jz	short loc_66A352

loc_66A2F4:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+1CDj
		test	dx, dx
		jz	short loc_66A31B
		movzx	eax, dl
		test	dl, dl
		jz	short loc_66A309
		movzx	eax, ds:_RtlpBitsClearLow[eax]
		jmp	short loc_66A340
; 

loc_66A309:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+1EEj
		shr	edx, 8
		movzx	eax, dl
		movzx	eax, ds:_RtlpBitsClearLow[eax]
		add	eax, 8
		jmp	short loc_66A340
; 

loc_66A31B:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+1E7j
		mov	eax, edx
		shr	eax, 10h
		movzx	eax, al
		test	eax, eax
		jz	short loc_66A333
		movzx	eax, ds:_RtlpBitsClearLow[eax]
		add	eax, 10h
		jmp	short loc_66A340
; 

loc_66A333:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+215j
		shr	edx, 18h
		movzx	eax, ds:_RtlpBitsClearLow[edx]
		add	eax, 18h

loc_66A340:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+1F7j
					; RtlpHeapFindListLookupEntry(x,x,x,x,x)+209j ...
		shl	edi, 5
		add	edi, eax
		cmp	[ebx+8], esi
		jz	short loc_66A34C
		add	edi, edi

loc_66A34C:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+238j
		mov	eax, [ebx+20h]
		mov	esi, [eax+edi*4]

loc_66A352:				; CODE XREF: RtlpHeapFindListLookupEntry(x,x,x,x,x)+97j
					; RtlpHeapFindListLookupEntry(x,x,x,x,x)+105j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_RtlpHeapFindListLookupEntry@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHeapRemoveListEntry(x, x, x, x,	x, x)
_RtlpHeapRemoveListEntry@24 proc near	; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+1E6p
					; RtlpAllocateHeap(x,x,x,x,x,x)+2D2p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_C], ecx
		push	edi
		mov	edi, [ebp+arg_8]
		sub	edi, [esi+14h]
		cmp	dword ptr [esi+8], 0
		jz	short loc_66A37F
		lea	edx, [edi+edi]
		mov	[ebp+var_4], edx
		jmp	short loc_66A384
; 

loc_66A37F:				; CODE XREF: RtlpHeapRemoveListEntry(x,x,x,x,x,x)+1Aj
		mov	edx, edi
		mov	[ebp+var_4], edi

loc_66A384:				; CODE XREF: RtlpHeapRemoveListEntry(x,x,x,x,x,x)+22j
		mov	ecx, [esi+20h]
		mov	eax, [ecx+edx*4]
		dec	dword ptr [esi+0Ch]
		mov	[ebp+var_10], eax
		mov	eax, [esi+4]
		mov	[ebp+var_8], eax
		dec	eax
		cmp	[ebp+arg_8], eax
		jnz	short loc_66A39F
		dec	dword ptr [esi+10h]

loc_66A39F:				; CODE XREF: RtlpHeapRemoveListEntry(x,x,x,x,x,x)+3Fj
		mov	ebx, [ebp+arg_4]
		cmp	[ebp+var_10], ebx
		jnz	loc_66A448
		cmp	dword ptr [esi], 0
		jnz	short loc_66A3B3
		mov	[ebp+var_8], eax

loc_66A3B3:				; CODE XREF: RtlpHeapRemoveListEntry(x,x,x,x,x,x)+53j
		mov	edx, [ebp+var_8]
		cmp	[ebp+arg_8], edx
		mov	ebx, [ebx]
		mov	eax, [esi+18h]
		mov	edx, [ebp+var_4]
		jnb	short loc_66A427
		cmp	ebx, eax
		jz	short loc_66A41E
		mov	ecx, [ebp+var_C]
		mov	eax, [ebx-8]
		cmp	dword ptr [ecx+4Ch], 0
		jz	short loc_66A40C
		mov	edx, [ecx+50h]
		xor	edx, eax
		mov	ecx, edx
		mov	[ebp+arg_8], edx
		mov	eax, edx
		shr	ecx, 10h
		shr	eax, 8
		xor	cl, al
		mov	eax, edx
		xor	cl, al
		shr	edx, 18h
		cmp	dl, cl
		jz	short loc_66A409
		mov	edx, [ebp+var_C]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebx-8]
		push	eax
		push	3
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		mov	eax, [ebp+arg_8]

loc_66A409:				; CODE XREF: RtlpHeapRemoveListEntry(x,x,x,x,x,x)+95j
		mov	edx, [ebp+var_4]

loc_66A40C:				; CODE XREF: RtlpHeapRemoveListEntry(x,x,x,x,x,x)+76j
		mov	ecx, [ebp+arg_C]
		movzx	eax, ax
		sub	ecx, eax
		jnz	short loc_66A41E
		mov	eax, [esi+20h]
		mov	[eax+edx*4], ebx
		jmp	short loc_66A448
; 

loc_66A41E:				; CODE XREF: RtlpHeapRemoveListEntry(x,x,x,x,x,x)+6Aj
					; RtlpHeapRemoveListEntry(x,x,x,x,x,x)+B9j
		mov	eax, [esi+20h]
		and	dword ptr [eax+edx*4], 0
		jmp	short loc_66A434
; 

loc_66A427:				; CODE XREF: RtlpHeapRemoveListEntry(x,x,x,x,x,x)+66j
		cmp	ebx, eax
		jz	short loc_66A430
		mov	[ecx+edx*4], ebx
		jmp	short loc_66A448
; 

loc_66A430:				; CODE XREF: RtlpHeapRemoveListEntry(x,x,x,x,x,x)+CEj
		and	dword ptr [ecx+edx*4], 0

loc_66A434:				; CODE XREF: RtlpHeapRemoveListEntry(x,x,x,x,x,x)+CAj
		mov	ecx, [esi+1Ch]
		mov	edx, edi
		shr	edx, 5
		and	edi, 1Fh
		mov	eax, [ecx+edx*4]
		btr	eax, edi
		mov	[ecx+edx*4], eax

loc_66A448:				; CODE XREF: RtlpHeapRemoveListEntry(x,x,x,x,x,x)+4Aj
					; RtlpHeapRemoveListEntry(x,x,x,x,x,x)+C1j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_RtlpHeapRemoveListEntry@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpPopulateListIndex(x, x)
_RtlpPopulateListIndex@8 proc near	; CODE XREF: RtlCreateHeap+11B52Bp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	[ebp+var_10], esi
		mov	[esi+0B4h], ebx
		cmp	dword ptr [ebx], 0
		jz	short loc_66A4AA
		mov	eax, [ebx+4]
		sub	eax, [ebx+14h]
		cmp	dword ptr [ebx+8], 0
		lea	ecx, ds:0FFFFFFF8h[eax*8]
		jnz	short loc_66A485
		lea	ecx, ds:0FFFFFFFCh[eax*4]

loc_66A485:				; CODE XREF: RtlpPopulateListIndex(x,x)+2Dj
		mov	eax, [ebx+20h]
		and	dword ptr [ecx+eax], 0
		mov	esi, [ebx+4]
		sub	esi, [ebx+14h]
		mov	ecx, [ebx+1Ch]
		dec	esi
		mov	edx, esi
		and	esi, 1Fh
		shr	edx, 5
		mov	eax, [ecx+edx*4]
		btr	eax, esi
		mov	esi, [ebp+var_10]
		mov	[ecx+edx*4], eax

loc_66A4AA:				; CODE XREF: RtlpPopulateListIndex(x,x)+1Aj
		lea	ecx, [esi+0C0h]
		mov	eax, [ecx+4]
		mov	[ebp+var_4], eax
		cmp	ecx, eax
		jz	loc_66A59D
		push	edi

loc_66A4BF:				; CODE XREF: RtlpPopulateListIndex(x,x)+147j
		cmp	dword ptr [esi+4Ch], 0
		lea	edi, [eax-8]
		jz	short loc_66A4E4
		mov	eax, [esi+50h]
		xor	[edi], eax
		mov	al, [edi+2]
		xor	al, [edi+1]
		xor	al, [edi]
		cmp	[edi+3], al
		jz	short loc_66A4E4
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	_RtlpAnalyzeHeapFailure@12 ; RtlpAnalyzeHeapFailure(x,x,x)

loc_66A4E4:				; CODE XREF: RtlpPopulateListIndex(x,x)+77j
					; RtlpPopulateListIndex(x,x)+89j
		mov	eax, [ebx+4]
		mov	ecx, ebx
		movzx	edx, word ptr [edi]
		mov	[ebp+var_14], eax
		cmp	edx, eax
		mov	eax, [ebp+var_4]
		jmp	short loc_66A50C
; 

loc_66A4F6:				; CODE XREF: RtlpPopulateListIndex(x,x)+C0j
		mov	esi, [ecx]
		test	esi, esi
		mov	[ebp+var_8], esi
		mov	esi, [ebp+var_10]
		jz	loc_66A5A1
		mov	ecx, [ebp+var_8]
		cmp	edx, [ecx+4]

loc_66A50C:				; CODE XREF: RtlpPopulateListIndex(x,x)+A5j
		mov	[ebp+var_C], ecx
		jnb	short loc_66A4F6
		mov	[ebp+var_8], edx

loc_66A514:				; CODE XREF: RtlpPopulateListIndex(x,x)+159j
		cmp	dword ptr [ebx], 0
		jz	short loc_66A530
		mov	ecx, [ebp+var_14]
		cmp	edx, ecx
		dec	ecx
		jnb	short loc_66A523
		mov	ecx, edx

loc_66A523:				; CODE XREF: RtlpPopulateListIndex(x,x)+D0j
		push	edx
		push	ecx
		push	eax
		push	ecx
		mov	edx, ebx
		mov	ecx, esi
		call	_RtlpHeapRemoveListEntry@24 ; RtlpHeapRemoveListEntry(x,x,x,x,x,x)

loc_66A530:				; CODE XREF: RtlpPopulateListIndex(x,x)+C8j
		movzx	eax, word ptr [edi]
		mov	edx, [ebp+var_C]
		push	eax
		push	[ebp+var_8]
		push	[ebp+var_4]
		push	ecx
		mov	ecx, esi
		call	_RtlpHeapAddListEntry@24 ; RtlpHeapAddListEntry(x,x,x,x,x,x)
		cmp	ds:_RtlpHeapErrorHandlerThreshold, 1
		jl	short loc_66A56F
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		sub	ecx, [eax+14h]
		mov	edx, [eax+1Ch]
		mov	esi, ecx
		xor	eax, eax
		shr	esi, 5
		and	ecx, 1Fh
		inc	eax
		shl	eax, cl
		test	[edx+esi*4], eax
		jz	short loc_66A5AD
		mov	esi, [ebp+var_10]

loc_66A56F:				; CODE XREF: RtlpPopulateListIndex(x,x)+FDj
		cmp	dword ptr [esi+4Ch], 0
		jz	short loc_66A585
		mov	al, [edi+2]
		xor	al, [edi+1]
		xor	al, [edi]
		mov	[edi+3], al
		mov	eax, [esi+50h]
		xor	[edi], eax

loc_66A585:				; CODE XREF: RtlpPopulateListIndex(x,x)+124j
		mov	eax, [ebp+var_4]
		lea	ecx, [esi+0C0h]
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		cmp	ecx, eax
		jnz	loc_66A4BF
		pop	edi

loc_66A59D:				; CODE XREF: RtlpPopulateListIndex(x,x)+69j
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_66A5A1:				; CODE XREF: RtlpPopulateListIndex(x,x)+B1j
		mov	ecx, [ecx+4]
		dec	ecx
		mov	[ebp+var_8], ecx
		jmp	loc_66A514
; 

loc_66A5AD:				; CODE XREF: RtlpPopulateListIndex(x,x)+11Bj
		push	offset ??_C@_0EM@FJLCOGDC@RtlpGetBitState?$CILookupTable?0?5?$CIU@FNODOBFM@ ; "RtlpGetBitState(LookupTable, (ULONG)(Lo"...
		call	_DbgPrint
		pop	ecx
		call	_RtlpHeapHandleError@4 ; RtlpHeapHandleError(x)
		int	3		; Trap to Debugger
_RtlpPopulateListIndex@8 endp


;  S U B	R O U T	I N E 


; __stdcall NormalizationListEntry_Alloc()
_NormalizationListEntry_Alloc@0	proc near ; CODE XREF: RtlpGetNormalization(x,x):loc_9D7DE0p
		push	456C6F4Eh
		push	50h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
_NormalizationListEntry_Alloc@0	endp


;  S U B	R O U T	I N E 


; __stdcall NormalizationList__InsertTail(x)
_NormalizationList__InsertTail@4 proc near ; CODE XREF:	RtlpGetNormalization(x,x)+BCp
		mov	eax, ds:off_6B36CC
		mov	edx, offset _NormalizationListHead
		cmp	[eax], edx
		jz	short loc_66A5E0
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_66A5E0:				; CODE XREF: NormalizationList__InsertTail(x)+Cj
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	ds:off_6B36CC, ecx
		retn
_NormalizationList__InsertTail@4 endp


;  S U B	R O U T	I N E 


; __stdcall NormalizationList__Lock()
_NormalizationList__Lock@0 proc	near	; CODE XREF: RtlpGetNormalization(x,x)+20p
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _NormalizationListLock
		jmp	ExAcquirePushLockExclusiveEx
_NormalizationList__Lock@0 endp


;  S U B	R O U T	I N E 


; __stdcall NormalizationList__Lookup(x)
_NormalizationList__Lookup@4 proc near	; CODE XREF: RtlpGetNormalization(x,x)+27p
					; RtlpGetNormalization(x,x)+42p
		mov	eax, ds:_NormalizationListHead
		xor	edx, edx
		push	esi
		mov	esi, offset _NormalizationListHead
		jmp	short loc_66A61E
; 

loc_66A617:				; CODE XREF: NormalizationList__Lookup(x)+18j
		cmp	[eax+8], ecx
		jz	short loc_66A624
		mov	eax, [eax]

loc_66A61E:				; CODE XREF: NormalizationList__Lookup(x)+Dj
		cmp	eax, esi
		jnz	short loc_66A617
		jmp	short loc_66A627
; 

loc_66A624:				; CODE XREF: NormalizationList__Lookup(x)+12j
		lea	edx, [eax+0Ch]

loc_66A627:				; CODE XREF: NormalizationList__Lookup(x)+1Aj
		mov	eax, edx
		pop	esi
		retn
_NormalizationList__Lookup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NormalizationList__Unlock()
_NormalizationList__Unlock@0 proc near	; CODE XREF: RtlpGetNormalization(x,x):loc_9D7E15p
					; RtlpGetNormalization(x,x):loc_9D7E28p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _NormalizationListLock
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_66A66B
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _NormalizationListLock

loc_66A66B:				; CODE XREF: NormalizationList__Unlock()+31j
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	ecx, 7FFFFFFCh
		jz	loc_66A807
		mov	esi, large fs:124h
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	eax, offset _NormalizationListLock
		ja	short loc_66A6C6
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_66A6B6
		mov	eax, [ebp+var_20]
		cmp	eax, offset _NormalizationListLock
		ja	short loc_66A6C6
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_66A6C6

loc_66A6B6:				; CODE XREF: NormalizationList__Unlock()+76j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_8], eax

loc_66A6C6:				; CODE XREF: NormalizationList__Unlock()+6Bj
					; NormalizationList__Unlock()+80j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _NormalizationListLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_66A712
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_66A778
		push	ecx
		push	[ebp+var_8]
		push	offset _NormalizationListLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_66A712:				; CODE XREF: NormalizationList__Unlock()+C7j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_66A728
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_66A728:				; CODE XREF: NormalizationList__Unlock()+F3j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_66A76C
		or	[esi+1E4h], dl
		jmp	short loc_66A778
; 

loc_66A76C:				; CODE XREF: NormalizationList__Unlock()+137j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]

loc_66A778:				; CODE XREF: NormalizationList__Unlock()+D1j
					; NormalizationList__Unlock()+13Fj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_66A7E1
		test	edi, 8000h
		jz	short loc_66A79C
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_66A79C:				; CODE XREF: NormalizationList__Unlock()+166j
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_66A7B2
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_66A7B2:				; CODE XREF: NormalizationList__Unlock()+175j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_66A7C6
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_66A7C6:				; CODE XREF: NormalizationList__Unlock()+18Ej
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_66A7E1
		push	[ebp+var_24]
		mov	edx, offset _NormalizationListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_66A7E1:				; CODE XREF: NormalizationList__Unlock()+15Ej
					; NormalizationList__Unlock()+1A5j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_66A807
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_66A807
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_66A807:				; CODE XREF: NormalizationList__Unlock()+4Bj
					; NormalizationList__Unlock()+1CDj ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_NormalizationList__Unlock@0 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HviCopyMemory(x, x,	x)
_HviCopyMemory@12 proc near		; CODE XREF: CcCopyBytesToUserBuffer+152EC5p
					; CcMapAndCopyInToCache+1385F1p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ecx
		push	edi
		mov	edi, edx
		cmp	[ebp+arg_0], esi
		jbe	short loc_66A870
		sub	edi, ecx
		mov	edx, 100000h

loc_66A838:				; CODE XREF: HviCopyMemory(x,x,x)+52j
		mov	eax, [ebp+arg_0]
		sub	eax, esi
		cmp	eax, edx
		jbe	short loc_66A843
		mov	eax, edx

loc_66A843:				; CODE XREF: HviCopyMemory(x,x,x)+23j
		cli
		add	ecx, esi
		push	eax		; size_t
		lea	eax, [edi+ecx]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		add	esp, 0Ch
		xor	ecx, ecx
		lock or	[eax], ecx
		sti
		mov	ecx, [ebp+var_8]
		mov	edx, 100000h
		add	esi, edx
		cmp	esi, [ebp+arg_0]
		jb	short loc_66A838

loc_66A870:				; CODE XREF: HviCopyMemory(x,x,x)+13j
		pop	edi
		pop	esi
		leave
		retn	4
_HviCopyMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpCheckAllocationSizeLimit(x, x, x)
_RtlpHpCheckAllocationSizeLimit@12 proc	near ; CODE XREF: RtlpAllocateHeapInternal+DB6E4p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		mov	edx, [edi+8]
		mov	eax, edx
		test	eax, eax
		jnz	short loc_66A895
		mov	eax, ds:dword_6BEC74
		test	eax, eax
		jz	short loc_66A8B2

loc_66A895:				; CODE XREF: RtlpHpCheckAllocationSizeLimit(x,x,x)+14j
		cmp	ecx, eax
		jbe	short loc_66A8B2
		mov	eax, [edi+0Ch]
		xor	esi, esi
		test	eax, eax
		jz	short loc_66A8B5
		push	edx
		push	ecx
		push	eax
		push	esi
		push	14h
		mov	edx, ebx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)
		jmp	short loc_66A8B5
; 

loc_66A8B2:				; CODE XREF: RtlpHpCheckAllocationSizeLimit(x,x,x)+1Dj
					; RtlpHpCheckAllocationSizeLimit(x,x,x)+21j
		xor	esi, esi
		inc	esi

loc_66A8B5:				; CODE XREF: RtlpHpCheckAllocationSizeLimit(x,x,x)+2Aj
					; RtlpHpCheckAllocationSizeLimit(x,x,x)+3Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_RtlpHpCheckAllocationSizeLimit@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpExtrasAppend(x, x, x,	x, x, x, x)
_RtlpHpExtrasAppend@28 proc near	; CODE XREF: ExAllocateHeapPool+BBF69p
					; RtlpHpAllocateHeap+BA38Bp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= word ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		mov	edx, [ebp+arg_C]
		push	edi
		mov	edi, edx
		lea	eax, [ebx+eax]
		and	edi, 10000000h
		jz	short loc_66A8E9
		mov	ecx, 0ABABABABh
		mov	[eax], ecx
		mov	[eax+4], ecx

loc_66A8E9:				; CODE XREF: RtlpHpExtrasAppend(x,x,x,x,x,x,x)+1Fj
		xor	esi, esi
		test	edx, 20000F08h
		jz	short loc_66A937
		test	edi, edi
		jz	short loc_66A8FA
		add	eax, 8

loc_66A8FA:				; CODE XREF: RtlpHpExtrasAppend(x,x,x,x,x,x,x)+37j
		lea	esi, [eax+7]
		mov	ecx, edx
		and	esi, 0FFFFFFF8h
		shr	ecx, 8
		and	cl, 0FEh
		shl	cl, 4
		push	edx
		and	dword ptr [esi], 0
		mov	edx, ebx
		and	dword ptr [esi+4], 0
		mov	al, [esi+2]
		and	al, 0Fh
		or	cl, al
		mov	[esi+2], cl
		mov	ecx, [ebp+arg_8]
		shr	ecx, 3
		mov	[esi+3], cl
		mov	cx, [ebp+arg_10]
		mov	[esi], cx
		mov	ecx, [ebp+var_4]
		call	_RtlpHpExtrasSetPresent@12 ; RtlpHpExtrasSetPresent(x,x,x)

loc_66A937:				; CODE XREF: RtlpHpExtrasAppend(x,x,x,x,x,x,x)+33j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
_RtlpHpExtrasAppend@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpExtrasGet(x, x, x, x)
_RtlpHpExtrasGet@16 proc near		; CODE XREF: RtlpHpFreeHeap+11FF19p
					; ExFreeHeapPool+C760Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		push	[ebp+arg_0]
		mov	esi, edx
		call	_RtlpHpSizeHeapInternal@16 ; RtlpHpSizeHeapInternal(x,x,x,x)
		mov	ecx, eax
		or	eax, 0FFFFFFFFh
		cmp	ecx, eax
		jz	short loc_66A98A
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_66A96B
		mov	[eax], ecx

loc_66A96B:				; CODE XREF: RtlpHpExtrasGet(x,x,x,x)+27j
		cmp	[ebp+var_4], 0
		jnz	short loc_66A975
		xor	eax, eax
		jmp	short loc_66A98A
; 

loc_66A975:				; CODE XREF: RtlpHpExtrasGet(x,x,x,x)+2Fj
		test	[ebp+arg_0], 10000000h
		lea	eax, [ecx+esi]
		jz	short loc_66A984
		add	eax, 8

loc_66A984:				; CODE XREF: RtlpHpExtrasGet(x,x,x,x)+3Fj
		add	eax, 7
		and	eax, 0FFFFFFF8h

loc_66A98A:				; CODE XREF: RtlpHpExtrasGet(x,x,x,x)+20j
					; RtlpHpExtrasGet(x,x,x,x)+33j
		pop	esi
		leave
		retn	8
_RtlpHpExtrasGet@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpExtrasSetPresent(x, x, x)
_RtlpHpExtrasSetPresent@12 proc	near	; CODE XREF: RtlpHpExtrasAppend(x,x,x,x,x,x,x)+74p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], 1
		mov	ebx, ecx
		test	di, di
		jnz	short loc_66A9CF
		mov	eax, [ebx+4]
		push	esi
		mov	esi, [ebx]
		push	eax
		push	esi
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		push	ecx
		sub	edx, [eax+4]
		lea	ecx, [eax+8]
		shr	edx, 14h
		add	edx, edx
		call	RtlCSparseBitmapBitmaskRead
		pop	esi
		test	eax, eax
		jz	short loc_66A9D6
		lea	ecx, [eax-1]
		jmp	short loc_66A9D1
; 

loc_66A9CF:				; CODE XREF: RtlpHpExtrasSetPresent(x,x,x)+16j
		xor	ecx, ecx

loc_66A9D1:				; CODE XREF: RtlpHpExtrasSetPresent(x,x,x)+3Ej
		cmp	ecx, 2
		jnz	short loc_66A9E4

loc_66A9D6:				; CODE XREF: RtlpHpExtrasSetPresent(x,x,x)+39j
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, ebx
		call	_RtlpHpLargeAllocSetExtraPresent@12 ; RtlpHpLargeAllocSetExtraPresent(x,x,x)
		jmp	short loc_66A9F3
; 

loc_66A9E4:				; CODE XREF: RtlpHpExtrasSetPresent(x,x,x)+45j
		add	ecx, 2
		mov	edx, edi
		shl	ecx, 7
		add	ecx, ebx
		call	_RtlpHpSegSetExtraPresent@8 ; RtlpHpSegSetExtraPresent(x,x)

loc_66A9F3:				; CODE XREF: RtlpHpExtrasSetPresent(x,x,x)+53j
		pop	edi
		pop	ebx
		leave
		retn	4
_RtlpHpExtrasSetPresent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSizeHeap(x, x, x)
_RtlpHpSizeHeap@12 proc	near		; CODE XREF: RtlpHpFreeHeap+11FF73p
					; ExFreeHeapPool+C7652p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		or	edi, [ecx+0Ch]
		mov	edx, [ecx+0B0h]
		test	edx, edx
		jz	short loc_66AA24
		mov	eax, large fs:124h
		cmp	edx, [eax+2B0h]
		jnz	short loc_66AA24
		or	edi, 1

loc_66AA24:				; CODE XREF: RtlpHpSizeHeap(x,x,x)+18j
					; RtlpHpSizeHeap(x,x,x)+26j
		test	ebx, ebx
		jz	short loc_66AA5B
		test	bl, 7
		jnz	short loc_66AA5B
		push	0
		push	edi
		mov	edx, ebx
		call	_RtlpHpSizeHeapInternal@16 ; RtlpHpSizeHeapInternal(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0FFFFFFFFh
		jz	short loc_66AA5E
		test	edi, 10000000h
		jz	short loc_66AA5E
		push	8		; Length
		push	offset _CheckHeapFillPattern ; Source2
		lea	eax, [esi+ebx]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 8
		jz	short loc_66AA5E

loc_66AA5B:				; CODE XREF: RtlpHpSizeHeap(x,x,x)+2Dj
					; RtlpHpSizeHeap(x,x,x)+32j
		or	esi, 0FFFFFFFFh

loc_66AA5E:				; CODE XREF: RtlpHpSizeHeap(x,x,x)+43j
					; RtlpHpSizeHeap(x,x,x)+4Bj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_RtlpHpSizeHeap@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSizeHeapInternal(x, x, x, x)
_RtlpHpSizeHeapInternal@16 proc	near	; CODE XREF: RtlpHpExtrasGet(x,x,x,x)+14p
					; RtlpHpSizeHeap(x,x,x)+39p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		test	di, di
		jnz	short loc_66AA9F
		mov	eax, [ebx+4]
		push	esi
		mov	esi, [ebx]
		push	eax
		push	esi
		call	_RtlpHpEnvGetHeapManager@8 ; RtlpHpEnvGetHeapManager(x,x)
		push	ecx
		sub	edx, [eax+4]
		lea	ecx, [eax+8]
		shr	edx, 14h
		add	edx, edx
		call	RtlCSparseBitmapBitmaskRead
		pop	esi
		test	eax, eax
		jz	short loc_66AAA6
		lea	ecx, [eax-1]
		jmp	short loc_66AAA1
; 

loc_66AA9F:				; CODE XREF: RtlpHpSizeHeapInternal(x,x,x,x)+Ej
		xor	ecx, ecx

loc_66AAA1:				; CODE XREF: RtlpHpSizeHeapInternal(x,x,x,x)+36j
		cmp	ecx, 2
		jnz	short loc_66AAB7

loc_66AAA6:				; CODE XREF: RtlpHpSizeHeapInternal(x,x,x,x)+31j
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+arg_0]
		call	_RtlpHpLargeAllocSize@16 ; RtlpHpLargeAllocSize(x,x,x,x)
		jmp	short loc_66AACA
; 

loc_66AAB7:				; CODE XREF: RtlpHpSizeHeapInternal(x,x,x,x)+3Dj
		push	[ebp+arg_4]
		mov	edx, edi
		push	ecx
		add	ecx, 2
		shl	ecx, 7
		add	ecx, ebx
		call	_RtlpHpSegSize@16 ; RtlpHpSegSize(x,x,x,x)

loc_66AACA:				; CODE XREF: RtlpHpSizeHeapInternal(x,x,x,x)+4Ej
		pop	edi
		pop	ebx
		pop	ebp
		retn	8
_RtlpHpSizeHeapInternal@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpFixedHeapCommitRoutine(x, x, x)
_RtlpHpFixedHeapCommitRoutine@12 proc near ; CODE XREF:	RtlpHpFixedHeapCreate+CD63Bp
					; DATA XREF: sub_5DA088:loc_5DA0F1o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	4
		push	1000h
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		pop	ebp
		retn	0Ch
_RtlpHpFixedHeapCommitRoutine@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegLargeRangeAllocate(x, x, x, x)
_RtlpHpSegLargeRangeAllocate@16	proc near ; CODE XREF: RtlpHpSegPageRangeAllocate+BCDAAp
					; RtlpHpSegPageRangeAllocate+BCE17p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], ebx
		movzx	ecx, byte ptr [ebx+4]
		mov	esi, [ebx]
		shl	[ebp+arg_0], cl
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], esi

loc_66AB10:				; CODE XREF: RtlpHpSegLargeRangeAllocate(x,x,x,x)+C4j
		mov	eax, esi
		mov	edx, edi
		and	eax, edi
		sub	edx, eax
		sar	edx, 4
		shl	edx, cl
		add	edx, eax
		movzx	eax, byte ptr [edi+0Fh]
		shl	eax, cl
		and	esi, edx
		add	eax, edx
		mov	ecx, edx
		sub	ecx, esi
		mov	[ebp+var_8], eax
		shr	ecx, 15h
		mov	eax, [esi+0Ch]
		mov	esi, edx
		lea	eax, [eax+ecx*2]
		lea	ecx, [edx+200000h]
		mov	[ebp+var_4], eax
		and	ecx, 0FFE00000h

loc_66AB4A:				; CODE XREF: RtlpHpSegLargeRangeAllocate(x,x,x,x)+8Dj
		mov	eax, [ebp+var_4]
		xor	ebx, ebx
		cmp	[eax], bx
		mov	ebx, [ebp+var_C]
		mov	eax, [ebp+var_8]
		jge	short loc_66AB6C
		cmp	ecx, eax
		jb	short loc_66AB60
		mov	ecx, eax

loc_66AB60:				; CODE XREF: RtlpHpSegLargeRangeAllocate(x,x,x,x)+6Dj
		mov	eax, ecx
		sub	eax, esi
		cmp	eax, [ebp+arg_0]
		jnb	short loc_66ABB8
		mov	eax, [ebp+var_8]

loc_66AB6C:				; CODE XREF: RtlpHpSegLargeRangeAllocate(x,x,x,x)+69j
		cmp	ecx, eax
		jnb	short loc_66AB7E
		mov	esi, ecx
		add	ecx, 200000h
		add	[ebp+var_4], 2
		jmp	short loc_66AB4A
; 

loc_66AB7E:				; CODE XREF: RtlpHpSegLargeRangeAllocate(x,x,x,x)+7Fj
		mov	eax, [edi+4]
		mov	ecx, edi
		test	eax, eax
		jz	short loc_66ABA1
		mov	edi, eax
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_66ABA9

loc_66AB8F:				; CODE XREF: RtlpHpSegLargeRangeAllocate(x,x,x,x)+A8j
		mov	eax, [ecx]
		mov	edi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_66AB8F
		jmp	short loc_66ABA9
; 

loc_66AB9B:				; CODE XREF: RtlpHpSegLargeRangeAllocate(x,x,x,x)+B8j
		cmp	[edi], ecx
		jz	short loc_66ABA9
		mov	ecx, edi

loc_66ABA1:				; CODE XREF: RtlpHpSegLargeRangeAllocate(x,x,x,x)+96j
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		jnz	short loc_66AB9B

loc_66ABA9:				; CODE XREF: RtlpHpSegLargeRangeAllocate(x,x,x,x)+9Ej
					; RtlpHpSegLargeRangeAllocate(x,x,x,x)+AAj ...
		test	edi, edi
		jz	short loc_66ABEC
		mov	ecx, [ebp+var_10]
		mov	esi, [ebp+var_14]
		jmp	loc_66AB10
; 

loc_66ABB8:				; CODE XREF: RtlpHpSegLargeRangeAllocate(x,x,x,x)+78j
		sub	esi, edx
		cmp	[ebp+arg_4], 0
		jz	short loc_66ABC9
		mov	edx, edi
		mov	ecx, ebx
		call	_RtlpHpSegFreeRangeRemove@8 ; RtlpHpSegFreeRangeRemove(x,x)

loc_66ABC9:				; CODE XREF: RtlpHpSegLargeRangeAllocate(x,x,x,x)+CFj
		test	esi, esi
		jz	short loc_66ABF0
		mov	cl, [ebx+4]
		mov	edx, edi
		shr	esi, cl
		push	esi
		call	_RtlpHpSegPageRangeSplit@12 ; RtlpHpSegPageRangeSplit(x,x,x)
		mov	esi, eax
		mov	edx, edi
		xor	eax, eax
		mov	ecx, ebx
		push	eax
		call	RtlpHpSegFreeRangeInsert
		mov	edi, esi
		jmp	short loc_66ABF0
; 

loc_66ABEC:				; CODE XREF: RtlpHpSegLargeRangeAllocate(x,x,x,x)+BCj
		xor	eax, eax
		mov	edi, eax

loc_66ABF0:				; CODE XREF: RtlpHpSegLargeRangeAllocate(x,x,x,x)+DCj
					; RtlpHpSegLargeRangeAllocate(x,x,x,x)+FBj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlpHpSegLargeRangeAllocate@16	endp


;  S U B	R O U T	I N E 


; __stdcall RtlpHpSegMgrApplyLargePagePolicy(x)
_RtlpHpSegMgrApplyLargePagePolicy@4 proc near
					; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+58p
		mov	edx, ecx
		push	esi
		push	edi
		movzx	eax, byte ptr [edx+9]
		and	eax, 7
		cmp	eax, 1
		jbe	short loc_66AC20
		cmp	eax, 2
		jz	short loc_66AC5B
		cmp	eax, 3
		jz	short loc_66AC56
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		and	eax, 1
		jmp	short loc_66AC5D
; 

loc_66AC20:				; CODE XREF: RtlpHpSegMgrApplyLargePagePolicy(x)+Ej
		movsx	ecx, word ptr [edx+12h]
		add	ecx, edx
		mov	esi, [ecx+10h]
		mov	edx, [ecx+14h]
		mov	edi, [ecx+18h]
		mov	eax, [ecx+1Ch]
		add	edx, eax
		cmp	edx, [ecx+24h]
		jnb	short loc_66AC5B
		cmp	edx, [ecx+20h]
		jb	short loc_66AC56
		movzx	eax, byte ptr [ecx+28h]
		imul	eax, edx
		xor	edx, edx
		push	64h
		pop	ecx
		shl	eax, 9
		div	ecx
		lea	ecx, [edi+esi]
		cmp	ecx, eax
		jb	short loc_66AC5B

loc_66AC56:				; CODE XREF: RtlpHpSegMgrApplyLargePagePolicy(x)+18j
					; RtlpHpSegMgrApplyLargePagePolicy(x)+43j
		xor	eax, eax
		inc	eax
		jmp	short loc_66AC5D
; 

loc_66AC5B:				; CODE XREF: RtlpHpSegMgrApplyLargePagePolicy(x)+13j
					; RtlpHpSegMgrApplyLargePagePolicy(x)+3Ej ...
		xor	eax, eax

loc_66AC5D:				; CODE XREF: RtlpHpSegMgrApplyLargePagePolicy(x)+25j
					; RtlpHpSegMgrApplyLargePagePolicy(x)+60j
		pop	edi
		pop	esi
		retn
_RtlpHpSegMgrApplyLargePagePolicy@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegMgrCommitComplete(x, x, x,	x, x, x)
_RtlpHpSegMgrCommitComplete@24 proc near ; CODE	XREF: RtlpHpSegMgrCommit+14Cp

var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, edx
		mov	[ebp+var_30], ecx
		mov	edx, [ebx+8]
		push	esi
		push	edi
		mov	si, [eax]
		mov	edi, [ebx+0Ch]
		mov	[ebp+var_10], eax

loc_66AC8D:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+A3j
		mov	word ptr [ebp+var_C], si
		mov	ax, word ptr [ebp+var_C]
		mov	word ptr [ebp+var_8], ax
		mov	eax, [ebp+var_C]
		and	eax, 4000h
		mov	[ebp+var_14], eax
		jz	short loc_66ACCD
		mov	eax, 0BFFFh
		and	word ptr [ebp+var_8], ax
		test	edi, edi
		jz	short loc_66ACBE
		test	edx, edx
		jle	short loc_66ACBE
		mov	eax, 8000h
		jmp	short loc_66ACC0
; 

loc_66ACBE:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+51j
					; RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+55j
		xor	eax, eax

loc_66ACC0:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+5Cj
		mov	ecx, [ebp+var_8]
		and	ecx, 7FFFh
		or	ecx, eax
		jmp	short loc_66ACD1
; 

loc_66ACCD:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+44j
		mov	cx, word ptr [ebp+var_8]

loc_66ACD1:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+6Bj
		test	edx, edx
		jle	short loc_66ACDE
		test	edi, edi
		jnz	short loc_66ACE1
		sub	cx, dx
		jmp	short loc_66ACE1
; 

loc_66ACDE:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+73j
		add	cx, dx

loc_66ACE1:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+77j
					; RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+7Cj
		cmp	cx, si
		jz	loc_66AEE9
		mov	edi, [ebp+var_10]
		mov	ax, si
		lock cmpxchg [edi], cx
		mov	edi, [ebx+0Ch]
		movzx	eax, ax
		cmp	ax, si
		jz	short loc_66AD05
		mov	si, ax
		jmp	short loc_66AC8D
; 

loc_66AD05:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+9Ej
		cmp	word ptr [ebp+var_14], 0
		jz	loc_66AEE9
		mov	eax, [ebp+var_30]
		test	byte ptr [eax+1Ch], 1
		jnz	loc_66AED8
		mov	ecx, [ebx+10h]
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_66AD3A
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebx+10h]

loc_66AD3A:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+D0j
		xor	edi, edi
		mov	[ebp+var_8], edi
		test	ecx, 7FFFFFFCh
		jz	loc_66AECA
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_14], esi
		pop	edx
		jb	short loc_66AD73
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_66AD81

loc_66AD73:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+108j
		cmp	ecx, [ebp+var_30]
		jb	short loc_66AD94
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_66AD94

loc_66AD81:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+111j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebx+10h]
		mov	edx, eax
		mov	[ebp+var_C], eax

loc_66AD94:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+116j
					; RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+11Fj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_66ADDF
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_66AE51
		push	ecx
		push	[ebp+var_C]
		push	dword ptr [ebx+10h]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_66ADDF:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+15Dj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_66ADF5
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_66ADF5:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+18Bj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_8], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_66AE3F
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_66AE51
; 

loc_66AE3F:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+1CBj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_14]

loc_66AE51:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+167j
					; RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+1DDj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_30], eax
		jz	short loc_66AEB2
		test	edi, 8000h
		jz	short loc_66AE75
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_66AE75:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+20Aj
		test	byte ptr [ebp+var_8+2],	1
		jz	short loc_66AE85
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_66AE85:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+219j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_66AE99
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_66AE99:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+22Cj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_66AEB2
		push	[ebp+var_30]
		mov	edx, [ebx+10h]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_66AEB2:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+202j
					; RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+243j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_66AECA
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_66AECA
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_66AECA:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+E5j
					; RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+25Bj	...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_66AEE9
; 

loc_66AED8:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+B7j
		push	dword ptr [ebx+10h]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebx+14h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_66AEE9:				; CODE XREF: RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+84j
					; RtlpHpSegMgrCommitComplete(x,x,x,x,x,x)+AAj ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	10h
_RtlpHpSegMgrCommitComplete@24 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegMgrCommitInitiate(x, x, x,	x, x, x)
_RtlpHpSegMgrCommitInitiate@24 proc near ; CODE	XREF: RtlpHpSegMgrCommit+113B4Bp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		mov	eax, edx
		mov	[ebp+var_1], 0
		mov	edx, ecx
		mov	[ebp+var_1C], eax
		xor	esi, esi
		mov	[ebp+var_18], edx
		push	edi
		mov	[ebp+var_10], esi
		mov	ecx, 4000h

loc_66AF16:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+45j
		mov	di, [eax]

loc_66AF19:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+2D7j
		cmp	[ebp+arg_0], 0
		mov	word ptr [ebp+var_C], di
		mov	ax, word ptr [ebp+var_C]
		mov	word ptr [ebp+var_8], ax
		jle	loc_66B038
		test	[ebp+var_C], ecx
		jz	short loc_66AF3B
		pause
		mov	eax, [ebp+var_1C]
		jmp	short loc_66AF16
; 

loc_66AF3B:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+3Ej
		test	[ebp+var_C], 7FFh
		jnz	short loc_66AF69
		test	[ebp+arg_4], 3
		jnz	short loc_66AF63
		mov	ecx, edx
		call	_RtlpHpSegMgrApplyLargePagePolicy@4 ; RtlpHpSegMgrApplyLargePagePolicy(x)
		mov	ecx, 4000h
		test	eax, eax

loc_66AF58:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+73j
		jz	short loc_66AF69
		mov	si, word ptr [ebp+var_8]
		or	si, cx
		jmp	short loc_66AF6D
; 

loc_66AF63:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+54j
		test	[ebp+arg_4], 2
		jmp	short loc_66AF58
; 

loc_66AF69:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+4Ej
					; RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x):loc_66AF58j
		mov	si, word ptr [ebp+var_8]

loc_66AF6D:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+6Dj
		mov	edx, [ebp+var_18]

loc_66AF70:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+15Cj
		add	si, word ptr [ebp+arg_0]

loc_66AF74:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+165j
		mov	word ptr [ebp+var_8], si
		mov	eax, [ebp+var_8]
		and	eax, ecx
		movzx	ecx, ax
		mov	[ebp+var_20], ecx
		jz	short loc_66AF9F
		movzx	edx, byte ptr [edx+1Ch]
		xor	eax, eax
		mov	ecx, [ebp+arg_8]
		inc	eax
		and	edx, eax
		mov	[ebp+var_10], eax
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	ecx, [ebp+var_20]
		mov	[ebp+var_1], al

loc_66AF9F:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+8Fj
		mov	edx, [ebp+var_1C]
		mov	ax, di
		lock cmpxchg [edx], si
		movzx	esi, ax
		mov	[ebp+var_14], esi
		cmp	si, di
		jz	loc_66B1D0
		cmp	[ebp+var_10], 0
		jz	loc_66B1C0
		mov	eax, [ebp+var_18]
		test	byte ptr [eax+1Ch], 1
		jnz	loc_66B1AB
		mov	ecx, [ebp+arg_8]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_66AFE8
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+arg_8]

loc_66AFE8:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+EAj
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_66B19D
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_28], esi
		cmp	ecx, edx
		jb	short loc_66B05E
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_66B028
		cmp	ecx, edx
		jb	short loc_66B05E
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_66B05E

loc_66B028:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+125j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+arg_8]
		jmp	short loc_66B061
; 

loc_66B038:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+35j
		test	di, di
		jns	loc_66B202
		mov	eax, [ebp+var_C]
		mov	si, word ptr [ebp+var_8]
		and	eax, 7FFh
		add	eax, [ebp+arg_0]
		jnz	loc_66AF70
		or	si, cx
		jmp	loc_66AF74
; 

loc_66B05E:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+11Cj
					; RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+129j	...
		or	eax, 0FFFFFFFFh

loc_66B061:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+142j
		dec	word ptr [esi+13Eh]
		mov	[ebp+var_20], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp+var_2], dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jnz	short loc_66B0AF
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_66B121
		push	ecx
		push	[ebp+var_20]
		push	[ebp+arg_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_66B0AF:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+199j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_66B0C5
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_24]

loc_66B0C5:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+1C7j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_2], 1
		mov	edx, eax
		jnz	short loc_66B10F
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_66B121
; 

loc_66B10F:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+207j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_28]

loc_66B121:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+1A3j
					; RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+219j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_28], eax
		jz	short loc_66B182
		test	edi, 8000h
		jz	short loc_66B145
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_66B145:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+246j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_66B155
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_66B155:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+255j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_66B169
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_66B169:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+268j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_66B182
		push	[ebp+var_28]
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_66B182:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+23Ej
					; RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+27Fj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_66B19A
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_66B19A
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_66B19A:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+297j
					; RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+29Fj
		mov	esi, [ebp+var_14]

loc_66B19D:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+FFj
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_66B1BC
; 

loc_66B1AB:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+D6j
		push	[ebp+arg_8]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_66B1BC:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+2B5j
		and	[ebp+var_10], 0

loc_66B1C0:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+C9j
		mov	edx, [ebp+var_18]
		mov	di, si
		mov	ecx, 4000h
		jmp	loc_66AF19
; 

loc_66B1D0:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+BFj
		cmp	[ebp+arg_0], 0
		jle	short loc_66B1F1
		test	di, di
		jns	short loc_66B1E2
		mov	eax, 0C0000100h
		jmp	short loc_66B207
; 

loc_66B1E2:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+2E5j
		xor	eax, eax
		test	cx, cx
		setnz	al
		add	eax, 0C0000101h
		jmp	short loc_66B207
; 

loc_66B1F1:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+2E0j
		xor	eax, eax
		test	cx, cx
		setnz	al
		lea	eax, ds:0C0000100h[eax*2]
		jmp	short loc_66B207
; 

loc_66B202:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+147j
		mov	eax, 0C0000101h

loc_66B207:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+2ECj
					; RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+2FBj	...
		cmp	[ebp+var_10], 0
		pop	edi
		pop	esi
		jz	short locret_66B217
		mov	ecx, [ebp+arg_C]
		mov	dl, [ebp+var_1]
		mov	[ecx], dl

locret_66B217:				; CODE XREF: RtlpHpSegMgrCommitInitiate(x,x,x,x,x,x)+319j
		leave
		retn	10h
_RtlpHpSegMgrCommitInitiate@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegMgrVaCtxFree(x, x,	x)
_RtlpHpSegMgrVaCtxFree@12 proc near	; CODE XREF: RtlpHpSegMgrRelease+89E6Dp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_10], 0
		mov	eax, ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], eax
		push	dword ptr [eax+20h]
		mov	ecx, edi
		lea	edx, [ebp+var_10]
		push	dword ptr [eax+1Ch]
		xor	esi, esi
		and	ecx, 0FFE00000h
		push	esi
		mov	[ebp+var_14], ecx
		call	_RtlpHpQueryVA@20 ; RtlpHpQueryVA(x,x,x,x,x)
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		sub	edi, [ebp+var_14]
		mov	eax, edi
		div	dword ptr [ecx]
		mov	edi, eax
		mov	eax, [ebp+var_8]
		movzx	edx, byte ptr [eax+1Ch]
		add	eax, 58h
		and	edx, 1
		mov	[ebp+var_C], eax
		mov	ecx, eax
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_1], al
		movzx	eax, word ptr [ecx+2]
		btc	eax, edi
		movzx	eax, ax
		mov	[ecx+2], ax
		mov	edx, eax
		movzx	edi, word ptr [ecx]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_20], edx
		xor	edx, edx
		mov	[ebp+var_1C], eax
		mov	eax, 200000h
		shr	edi, 0Fh
		div	dword ptr [ecx]
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		mov	eax, [ebp+var_1C]
		shl	edx, cl
		or	ecx, 0FFFFFFFFh
		dec	edx
		mov	[ebp+var_18], ecx
		cmp	eax, edx
		mov	edx, [ebp+var_8]
		jnz	short loc_66B2F6
		mov	eax, [ebp+var_10]
		cmp	[eax+4], ecx
		jz	short loc_66B31B

loc_66B2BF:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+C3j
		mov	ecx, [edx+edi*4+5Ch]
		test	ecx, ecx
		jz	short loc_66B2E0
		mov	eax, [ecx]
		mov	[edx+edi*4+5Ch], eax
		mov	eax, [ebp+var_10]
		mov	edx, [ebp+var_8]
		add	eax, 4
		cmp	ecx, eax
		jz	short loc_66B2E2
		mov	[ecx], esi
		mov	esi, ecx
		jmp	short loc_66B2BF
; 

loc_66B2E0:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+AAj
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_66B2E2:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+BDj
					; RtlpHpSegMgrVaCtxFree(x,x,x)+D9j
		mov	ecx, esi
		test	esi, esi
		jz	short loc_66B318
		mov	esi, [esi]
		mov	eax, [edx+edi*4+5Ch]
		mov	[ecx], eax
		mov	[edx+edi*4+5Ch], ecx
		jmp	short loc_66B2E2
; 

loc_66B2F6:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+9Aj
		lea	ecx, [eax-1]
		mov	eax, [ebp+var_20]
		movzx	eax, ax
		test	ecx, eax
		jnz	short loc_66B313
		mov	ecx, [ebp+var_10]
		mov	eax, [edx+edi*4+5Ch]
		add	ecx, 4
		mov	[ecx], eax
		mov	[edx+edi*4+5Ch], ecx

loc_66B313:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+E6j
		xor	eax, eax
		mov	[ebp+var_14], eax

loc_66B318:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+CBj
		or	ecx, 0FFFFFFFFh

loc_66B31B:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+A2j
		test	byte ptr [edx+1Ch], 1
		jnz	loc_66B4D4
		mov	eax, ecx
		mov	ecx, [ebp+var_C]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_66B33C
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_C]

loc_66B33C:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+117j
		xor	edi, edi
		mov	[ebp+var_8], edi
		test	ecx, 7FFFFFFCh
		jz	loc_66B4C6
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_1C], esi
		cmp	ecx, edx
		jb	short loc_66B38F
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_66B37C
		cmp	ecx, edx
		jb	short loc_66B38F
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_66B38F

loc_66B37C:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+152j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_18], eax
		jmp	short loc_66B392
; 

loc_66B38F:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+149j
					; RtlpHpSegMgrVaCtxFree(x,x,x)+156j ...
		or	eax, 0FFFFFFFFh

loc_66B392:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+172j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	dl, [esi+1E6h]
		mov	[ebp+var_1], dl
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_66B3DD
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_66B44D
		push	ecx
		push	[ebp+var_18]
		push	[ebp+var_C]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_66B3DD:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+1A0j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_66B3F3
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_66B3F3:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+1CEj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_8], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	ecx, eax
		jnz	short loc_66B43D
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al
		jmp	short loc_66B44D
; 

loc_66B43D:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+20Ej
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_1C]

loc_66B44D:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+1AAj
					; RtlpHpSegMgrVaCtxFree(x,x,x)+220j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_20], eax
		jz	short loc_66B4AE
		test	edi, 8000h
		jz	short loc_66B471
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_66B471:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+24Bj
		test	byte ptr [ebp+var_8+2],	1
		jz	short loc_66B481
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_66B481:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+25Aj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_66B495
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_66B495:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+26Dj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_66B4AE
		push	[ebp+var_20]
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_66B4AE:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+243j
					; RtlpHpSegMgrVaCtxFree(x,x,x)+284j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_66B4C6
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_66B4C6
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_66B4C6:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+12Cj
					; RtlpHpSegMgrVaCtxFree(x,x,x)+29Cj ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_66B4E5
; 

loc_66B4D4:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+104j
		push	[ebp+var_C]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_66B4E5:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+2B7j
		mov	eax, [ebp+var_14]
		pop	edi
		pop	esi
		test	eax, eax
		jz	short locret_66B4F7
		mov	ecx, [ebp+arg_0]
		mov	dword ptr [ecx], 200000h

locret_66B4F7:				; CODE XREF: RtlpHpSegMgrVaCtxFree(x,x,x)+2D1j
		leave
		retn	4
_RtlpHpSegMgrVaCtxFree@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegMgrVaCtxInitialize(x, x, x, x)
_RtlpHpSegMgrVaCtxInitialize@16	proc near ; CODE XREF: RtlpHpSegMgrReserve+DD594p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	dword ptr [ecx+20h]
		and	[ebp+var_4], 0
		mov	eax, edx
		push	dword ptr [ecx+1Ch]
		lea	ecx, [ebp+var_8]
		push	ecx
		lea	edx, [ebp+var_4]
		mov	ecx, eax
		call	_RtlpHpQueryVA@20 ; RtlpHpQueryVA(x,x,x,x,x)
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		div	[ebp+arg_0]
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		mov	eax, [ebp+var_4]
		shl	dx, cl
		sub	dx, 2
		mov	[eax+2], dx
		or	dword ptr [eax+4], 0FFFFFFFFh
		leave
		retn	8
_RtlpHpSegMgrVaCtxInitialize@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegMgrVaCtxInsert(x, x)
_RtlpHpSegMgrVaCtxInsert@8 proc	near	; CODE XREF: RtlpHpSegMgrAllocate+DD175p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		and	[ebp+var_C], 0
		mov	eax, edx
		push	esi
		push	edi
		mov	edi, ecx
		lea	edx, [ebp+var_C]
		mov	ecx, eax
		mov	[ebp+var_14], edi
		push	dword ptr [edi+20h]
		push	dword ptr [edi+1Ch]
		push	0
		call	_RtlpHpQueryVA@20 ; RtlpHpQueryVA(x,x,x,x,x)
		mov	edx, [ebp+var_C]
		movzx	ecx, word ptr [edx]
		test	cx, cx
		jns	short loc_66B59F
		lea	eax, [ecx+1]
		xor	eax, ecx
		and	eax, 7FFh
		xor	eax, ecx
		xor	ecx, ecx
		mov	[edx], ax
		inc	ecx
		movsx	eax, word ptr [edi+10h]
		add	eax, edi
		lock xadd [eax], ecx

loc_66B59F:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+42j
		movzx	esi, word ptr [edx]
		movzx	edx, byte ptr [edi+1Ch]
		add	edi, 58h
		and	edx, 1
		shr	esi, 0Fh
		mov	ecx, edi
		mov	[ebp+var_8], edi
		call	_RtlpHpAcquireLockExclusive@8 ;	RtlpHpAcquireLockExclusive(x,x)
		mov	edx, [ebp+var_C]
		mov	byte ptr [ebp+var_4+3],	al
		add	edx, 4
		mov	eax, [ebp+var_14]
		mov	ecx, [eax+esi*4+5Ch]
		mov	[edx], ecx
		mov	[eax+esi*4+5Ch], edx
		test	byte ptr [eax+1Ch], 1
		jnz	loc_66B792
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_10], edx
		mov	eax, edx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_66B5F2
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_66B5F2:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+AAj
		mov	eax, [ebp+var_8]
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	eax, 7FFFFFFCh
		jz	loc_66B784
		mov	esi, large fs:124h
		mov	ecx, eax
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], esi
		pop	edx
		jb	short loc_66B62D
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_66B63B

loc_66B62D:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+E3j
		cmp	eax, [ebp+var_30]
		jb	short loc_66B64E
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_66B64E

loc_66B63B:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+ECj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_8]

loc_66B64E:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+F1j
					; RtlpHpSegMgrVaCtxInsert(x,x)+FAj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_66B699
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_66B70B
		push	ecx
		push	[ebp+var_10]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_66B699:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+138j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_66B6AF
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_66B6AF:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+166j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_66B6F9
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_66B70B
; 

loc_66B6F9:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+1A6j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_34]

loc_66B70B:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+142j
					; RtlpHpSegMgrVaCtxInsert(x,x)+1B8j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jz	short loc_66B76C
		test	edi, 8000h
		jz	short loc_66B72F
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_66B72F:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+1E5j
		test	byte ptr [ebp+var_14+2], 1
		jz	short loc_66B73F
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_66B73F:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+1F4j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_66B753
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_66B753:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+207j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_66B76C
		push	[ebp+var_34]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_66B76C:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+1DDj
					; RtlpHpSegMgrVaCtxInsert(x,x)+21Ej
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_66B784
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_66B784
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_66B784:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+C0j
					; RtlpHpSegMgrVaCtxInsert(x,x)+236j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_66B7A1
; 

loc_66B792:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+94j
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_66B7A1:				; CODE XREF: RtlpHpSegMgrVaCtxInsert(x,x)+251j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_RtlpHpSegMgrVaCtxInsert@8 endp	; sp =	4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegPageRangeComputeLargePageCost(x, x, x)
_RtlpHpSegPageRangeComputeLargePageCost@12 proc	near
					; CODE XREF: RtlpHpSegSubAllocate+120192p
					; RtlpHpSegAlloc+BCE99p

var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx]
		and	eax, edx
		sub	edx, eax
		push	ebx
		push	esi
		mov	ecx, [eax+0Ch]
		mov	eax, [ebp+arg_0]
		dec	eax
		add	eax, edx
		shr	edx, 15h
		shr	eax, 15h
		push	edi
		push	2
		lea	edx, [ecx+edx*2]
		lea	ebx, [ecx+eax*2]
		xor	ecx, ecx
		mov	esi, ebx
		mov	edi, ecx
		sub	esi, edx
		sar	esi, 1
		inc	esi
		mov	[ebp+var_8], esi
		pop	eax
		cmp	edx, ebx
		ja	short loc_66B803
		mov	esi, ebx

loc_66B7E6:				; CODE XREF: RtlpHpSegPageRangeComputeLargePageCost(x,x,x)+54j
		movzx	ebx, word ptr [edx]
		test	ebx, 7FFh
		jnz	short loc_66B7F4
		inc	edi
		jmp	short loc_66B7FA
; 

loc_66B7F4:				; CODE XREF: RtlpHpSegPageRangeComputeLargePageCost(x,x,x)+45j
		test	bx, bx
		jns	short loc_66B7FA
		inc	ecx

loc_66B7FA:				; CODE XREF: RtlpHpSegPageRangeComputeLargePageCost(x,x,x)+48j
					; RtlpHpSegPageRangeComputeLargePageCost(x,x,x)+4Dj
		add	edx, eax
		cmp	edx, esi
		jbe	short loc_66B7E6
		mov	esi, [ebp+var_8]

loc_66B803:				; CODE XREF: RtlpHpSegPageRangeComputeLargePageCost(x,x,x)+38j
		cmp	ecx, esi
		jnz	short loc_66B81A
		mov	eax, [ebp+arg_0]
		add	eax, 1FFFFFh
		shr	eax, 15h
		cmp	eax, esi
		sbb	eax, eax
		neg	eax
		jmp	short loc_66B827
; 

loc_66B81A:				; CODE XREF: RtlpHpSegPageRangeComputeLargePageCost(x,x,x)+5Bj
		test	ecx, ecx
		jnz	short loc_66B827
		xor	eax, eax
		cmp	eax, edi
		sbb	eax, eax
		add	eax, 4

loc_66B827:				; CODE XREF: RtlpHpSegPageRangeComputeLargePageCost(x,x,x)+6Ej
					; RtlpHpSegPageRangeComputeLargePageCost(x,x,x)+72j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_RtlpHpSegPageRangeComputeLargePageCost@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegPageRangeCountCommittedPages(x, x,	x)
_RtlpHpSegPageRangeCountCommittedPages@12 proc near
					; CODE XREF: RtlpHpSegPageRangeSplit(x,x,x)+3Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		shl	esi, 4
		add	esi, edx
		jmp	short loc_66B84C
; 

loc_66B840:				; CODE XREF: RtlpHpSegPageRangeCountCommittedPages(x,x,x)+20j
		movzx	ecx, byte ptr [edx+0Ch]
		shr	ecx, 5
		add	eax, ecx
		add	edx, 10h

loc_66B84C:				; CODE XREF: RtlpHpSegPageRangeCountCommittedPages(x,x,x)+10j
		cmp	edx, esi
		jb	short loc_66B840
		pop	esi
		pop	ebp
		retn	4
_RtlpHpSegPageRangeCountCommittedPages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegPageRangeFree(x, x, x)
_RtlpHpSegPageRangeFree@12 proc	near	; CODE XREF: RtlpHpSegAlloc+BCE87p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_0]
		push	ecx
		call	RtlpHpSegPageRangeShrink
		pop	ecx
		pop	ebp
		retn	4
_RtlpHpSegPageRangeFree@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegPageRangeSplit(x, x, x)
_RtlpHpSegPageRangeSplit@12 proc near	; CODE XREF: RtlpHpSegLargeRangeAllocate(x,x,x,x)+E6p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, edx
		push	edi
		movzx	edx, byte ptr [ebx+0Fh]
		cmp	edx, eax
		jnz	short loc_66B881
		xor	edi, edi
		jmp	short loc_66B8F6
; 

loc_66B881:				; CODE XREF: RtlpHpSegPageRangeSplit(x,x,x)+12j
		sub	edx, eax
		add	eax, eax
		push	esi
		lea	edi, [ebx+eax*8]
		mov	al, [edi+0Ch]
		lea	ecx, [edx-1]
		or	al, 2
		mov	[edi+0Ch], al
		mov	eax, edx
		add	eax, eax
		mov	[edi+eax*8-1], cl
		movzx	eax, dl
		mov	[edi+0Fh], dl
		mov	edx, edi
		push	eax
		call	_RtlpHpSegPageRangeCountCommittedPages@12 ; RtlpHpSegPageRangeCountCommittedPages(x,x,x)
		mov	ecx, [ebp+arg_0]
		not	eax
		shl	eax, 8
		xor	eax, [edi+0Ch]
		and	eax, 0FFFF00h
		mov	dword ptr [edi], 0CCDDCCDDh
		xor	[edi+0Ch], eax
		lea	eax, [ecx-1]
		mov	[edi-1], al
		mov	[ebx+0Fh], cl
		mov	esi, [ebx+0Ch]
		mov	edx, esi
		mov	eax, [edi+0Ch]
		shr	edx, 8
		shr	eax, 8
		not	edx
		not	eax
		movzx	ecx, ax
		sub	edx, ecx
		not	edx
		shl	edx, 8
		xor	edx, esi
		and	edx, 0FFFF00h
		xor	edx, esi
		mov	[ebx+0Ch], edx
		pop	esi

loc_66B8F6:				; CODE XREF: RtlpHpSegPageRangeSplit(x,x,x)+16j
		mov	eax, edi
		pop	edi
		pop	ebx
		pop	ebp
		retn	4
_RtlpHpSegPageRangeSplit@12 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpHpSegSegmentComputeCommit(x, x)
_RtlpHpSegSegmentComputeCommit@8 proc near ; CODE XREF:	RtlpHpSegSegmentFree+89E9Ap
		movzx	eax, byte ptr [ecx+6]
		shl	eax, 4
		push	esi
		push	edi
		add	edx, eax
		xor	esi, esi
		mov	edi, edx
		sub	edi, eax
		add	edi, 1000h
		inc	esi
		jmp	short loc_66B92E
; 

loc_66B918:				; CODE XREF: RtlpHpSegSegmentComputeCommit(x,x)+32j
		mov	eax, [edx+0Ch]
		shr	eax, 8
		not	eax
		movzx	ecx, ax
		add	esi, ecx
		movzx	ecx, byte ptr [edx+0Fh]
		shl	ecx, 4
		add	edx, ecx

loc_66B92E:				; CODE XREF: RtlpHpSegSegmentComputeCommit(x,x)+18j
		cmp	edx, edi
		jb	short loc_66B918
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_RtlpHpSegSegmentComputeCommit@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpHpSegSetExtraPresent(x,	x)
_RtlpHpSegSetExtraPresent@8 proc near	; CODE XREF: RtlpHpExtrasSetPresent(x,x,x)+5Fp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_RtlpHpSegDescriptorValidate@8 ; RtlpHpSegDescriptorValidate(x,x)
		mov	cl, [eax+0Ch]
		and	cl, 0Ch
		cmp	cl, 8
		jb	short loc_66B979
		mov	edx, [esi]
		and	edx, eax
		cmp	cl, 8
		jnz	short loc_66B96C
		mov	cl, [esi+4]
		sub	eax, edx
		sar	eax, 4
		shl	eax, cl
		push	edi
		add	edx, eax
		call	_RtlpHpLfhSubsegmentSetExtraPresentBlock@12 ; RtlpHpLfhSubsegmentSetExtraPresentBlock(x,x,x)
		jmp	short loc_66B97E
; 

loc_66B96C:				; CODE XREF: RtlpHpSegSetExtraPresent(x,x)+1Fj
		push	ecx
		mov	ecx, [esi+18h]
		mov	edx, edi
		call	_RtlpHpVsChunkSetExtraPresent@12 ; RtlpHpVsChunkSetExtraPresent(x,x,x)
		jmp	short loc_66B97E
; 

loc_66B979:				; CODE XREF: RtlpHpSegSetExtraPresent(x,x)+16j
		or	word ptr [eax+8], 1

loc_66B97E:				; CODE XREF: RtlpHpSegSetExtraPresent(x,x)+33j
					; RtlpHpSegSetExtraPresent(x,x)+40j
		pop	edi
		pop	esi
		retn
_RtlpHpSegSetExtraPresent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegSize(x, x,	x, x)
_RtlpHpSegSize@16 proc near		; CODE XREF: RtlpHpSizeHeapInternal(x,x,x,x)+5Ep

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_RtlpHpSegDescriptorValidate@8 ; RtlpHpSegDescriptorValidate(x,x)
		test	eax, eax
		jnz	short loc_66B99A
		or	eax, 0FFFFFFFFh
		jmp	short loc_66B9A8
; 

loc_66B99A:				; CODE XREF: RtlpHpSegSize(x,x,x,x)+12j
		push	[ebp+arg_4]
		mov	edx, eax
		push	ecx
		push	esi
		mov	ecx, edi
		call	_RtlpHpSegSizeInternal@20 ; RtlpHpSegSizeInternal(x,x,x,x,x)

loc_66B9A8:				; CODE XREF: RtlpHpSegSize(x,x,x,x)+17j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_RtlpHpSegSize@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpSegSizeInternal(x, x,	x, x, x)
_RtlpHpSegSizeInternal@20 proc near	; CODE XREF: RtlpHpSegSize(x,x,x,x)+22p

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	eax, [edi]
		mov	cl, [edi+4]
		and	eax, edx
		sub	esi, eax
		sar	esi, 4
		shl	esi, cl
		add	esi, eax
		cmp	[ebp+arg_0], esi
		jbe	short loc_66B9F7
		mov	al, [edx+0Ch]
		push	[ebp+arg_8]
		and	al, 0Ch
		cmp	al, 8
		jnz	short loc_66B9E9
		push	[ebp+arg_0]
		mov	ecx, [edi+14h]
		mov	edx, esi
		call	_RtlpHpLfhSubsegmentSizeBlock@16 ; RtlpHpLfhSubsegmentSizeBlock(x,x,x,x)
		jmp	short loc_66BA23
; 

loc_66B9E9:				; CODE XREF: RtlpHpSegSizeInternal(x,x,x,x,x)+2Aj
		mov	edx, [ebp+arg_0]
		push	ecx
		mov	ecx, [edi+18h]
		call	_RtlpHpVsChunkSize@16 ;	RtlpHpVsChunkSize(x,x,x,x)
		jmp	short loc_66BA23
; 

loc_66B9F7:				; CODE XREF: RtlpHpSegSizeInternal(x,x,x,x,x)+1Ej
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_66BA17
		movzx	eax, word ptr [edx+8]
		and	eax, 1
		jz	short loc_66BA15
		and	[ebp+arg_0], 0
		lea	esi, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		lock or	[esi], ebx
		pop	ebx

loc_66BA15:				; CODE XREF: RtlpHpSegSizeInternal(x,x,x,x,x)+57j
		mov	[ecx], eax

loc_66BA17:				; CODE XREF: RtlpHpSegSizeInternal(x,x,x,x,x)+4Ej
		movzx	eax, byte ptr [edx+0Fh]
		mov	cl, [edi+4]
		shl	eax, cl
		sub	eax, [edx+4]

loc_66BA23:				; CODE XREF: RtlpHpSegSizeInternal(x,x,x,x,x)+39j
					; RtlpHpSegSizeInternal(x,x,x,x,x)+47j
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_RtlpHpSegSizeInternal@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhSubsegmentSetExtraPresentBlock(x, x, x)
_RtlpHpLfhSubsegmentSetExtraPresentBlock@12 proc near
					; CODE XREF: RtlpHpSegSetExtraPresent(x,x)+2Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	ecx, word ptr [edx+18h]
		mov	eax, edx
		shr	eax, 0Ch
		mov	edx, 4000h
		movzx	eax, ax
		xor	ecx, eax
		movzx	eax, word ptr ds:dword_6BEC64
		xor	ecx, eax
		mov	eax, [ebp+arg_0]
		or	[ecx+eax-2], dx
		pop	ebp
		retn	4
_RtlpHpLfhSubsegmentSetExtraPresentBlock@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhSubsegmentSizeBlock(x, x, x, x)
_RtlpHpLfhSubsegmentSizeBlock@16 proc near ; CODE XREF:	RtlpHpSegSizeInternal(x,x,x,x,x)+34p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, edx
		mov	eax, edi
		shr	eax, 0Ch
		xor	eax, [edi+18h]
		xor	eax, ds:dword_6BEC64
		movzx	ebx, ax
		mov	[ebp+var_4], eax
		lea	eax, [ebx+7]
		shr	eax, 3
		movzx	eax, ds:_RtlpLfhBucketIndexMap[eax]
		mov	ecx, [ecx+eax*4+80h]
		movzx	eax, word ptr [ebp+var_4+2]
		sub	esi, eax
		sub	esi, edi
		mov	edx, [ecx+24h]
		movzx	ecx, byte ptr [ecx+28h]
		test	edx, edx
		jz	short loc_66BAB1
		mov	eax, esi
		mul	edx
		call	__aullshr
		mov	edx, eax
		imul	ebx, edx
		sub	esi, ebx
		jmp	short loc_66BABD
; 

loc_66BAB1:				; CODE XREF: RtlpHpLfhSubsegmentSizeBlock(x,x,x,x)+47j
		xor	eax, eax
		mov	edx, esi
		inc	eax
		shr	edx, cl
		shl	eax, cl
		dec	eax
		and	esi, eax

loc_66BABD:				; CODE XREF: RtlpHpLfhSubsegmentSizeBlock(x,x,x,x)+59j
		test	esi, esi
		jz	short loc_66BAC6

loc_66BAC1:				; CODE XREF: RtlpHpLfhSubsegmentSizeBlock(x,x,x,x)+83j
		or	eax, 0FFFFFFFFh
		jmp	short loc_66BAE9
; 

loc_66BAC6:				; CODE XREF: RtlpHpLfhSubsegmentSizeBlock(x,x,x,x)+69j
		lea	ecx, [edx+edx]
		mov	eax, ecx
		and	ecx, 1Fh
		shr	eax, 5
		mov	eax, [edi+eax*4+20h]
		shr	eax, cl
		test	al, 1
		jz	short loc_66BAC1
		push	[ebp+arg_4]
		mov	ecx, edi
		push	edx
		mov	edx, [ebp+arg_0]
		call	_RtlpHpLfhSubsegmentSizeBlockInternal@16 ; RtlpHpLfhSubsegmentSizeBlockInternal(x,x,x,x)

loc_66BAE9:				; CODE XREF: RtlpHpLfhSubsegmentSizeBlock(x,x,x,x)+6Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlpHpLfhSubsegmentSizeBlock@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLfhSubsegmentSizeBlockInternal(x, x, x, x)
_RtlpHpLfhSubsegmentSizeBlockInternal@16 proc near
					; CODE XREF: RtlpHpLfhSubsegmentSizeBlock(x,x,x,x)+8Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	eax, esi
		shr	eax, 0Ch
		push	edi
		movzx	edi, ax
		movzx	eax, word ptr [esi+18h]
		xor	edi, eax
		movzx	eax, word ptr ds:dword_6BEC64
		xor	edi, eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [eax+eax]
		mov	eax, ecx
		and	ecx, 1Fh
		shr	eax, 5
		mov	eax, [esi+eax*4+20h]
		shr	eax, cl
		test	al, 2
		jz	short loc_66BB5F
		movzx	eax, word ptr [edi+edx-2]
		mov	ecx, eax
		test	ecx, 4000h
		jz	short loc_66BB48
		and	[ebp+arg_0], 0
		lea	eax, [ebp+arg_0]
		xor	esi, esi
		lock or	[eax], esi
		movzx	eax, word ptr [edi+edx-2]

loc_66BB48:				; CODE XREF: RtlpHpLfhSubsegmentSizeBlockInternal(x,x,x,x)+45j
		shr	ecx, 0Eh
		and	ecx, 1
		test	ax, ax
		jns	short loc_66BB56
		dec	edi
		jmp	short loc_66BB61
; 

loc_66BB56:				; CODE XREF: RtlpHpLfhSubsegmentSizeBlockInternal(x,x,x,x)+61j
		and	eax, 3FFFh
		sub	edi, eax
		jmp	short loc_66BB61
; 

loc_66BB5F:				; CODE XREF: RtlpHpLfhSubsegmentSizeBlockInternal(x,x,x,x)+36j
		xor	ecx, ecx

loc_66BB61:				; CODE XREF: RtlpHpLfhSubsegmentSizeBlockInternal(x,x,x,x)+64j
					; RtlpHpLfhSubsegmentSizeBlockInternal(x,x,x,x)+6Dj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_66BB6A
		mov	[eax], ecx

loc_66BB6A:				; CODE XREF: RtlpHpLfhSubsegmentSizeBlockInternal(x,x,x,x)+76j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_RtlpHpLfhSubsegmentSizeBlockInternal@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSparseArrayElementFindCapped(x, x, x)
_RtlSparseArrayElementFindCapped@12 proc near ;	CODE XREF: RtlpHpVaMgrCtxFree+DDD21p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+4]
		shl	eax, cl
		shl	eax, 3
		inc	edx
		shl	edx, cl
		lea	ecx, [esi+8]
		push	eax
		lea	edx, ds:0FFFFFFFFh[edx*8]
		call	RtlCSparseBitmapFindBitSetCapped
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_66BBA1
		xor	eax, eax
		jmp	short loc_66BBAE
; 

loc_66BBA1:				; CODE XREF: RtlSparseArrayElementFindCapped(x,x,x)+29j
		mov	ecx, [esi+4]
		shr	eax, 3
		shr	eax, cl
		shl	eax, cl
		add	eax, [esi+0Ch]

loc_66BBAE:				; CODE XREF: RtlSparseArrayElementFindCapped(x,x,x)+2Dj
		pop	esi
		pop	ebp
		retn	4
_RtlSparseArrayElementFindCapped@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLargeAllocSetExtraPresent(x, x, x)
_RtlpHpLargeAllocSetExtraPresent@12 proc near ;	CODE XREF: RtlpHpExtrasSetPresent(x,x,x)+4Ep

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		and	edi, 1
		jnz	short loc_66BBDF
		movzx	edx, byte ptr [ebx]
		lea	ecx, [ebx+40h]
		and	edx, 1
		call	_RtlpHpAcquireLockShared@8 ; RtlpHpAcquireLockShared(x,x)
		mov	edx, [ebp+var_4]
		mov	byte ptr [ebp+arg_0+3],	al
		jmp	short loc_66BBE3
; 

loc_66BBDF:				; CODE XREF: RtlpHpLargeAllocSetExtraPresent(x,x,x)+14j
		mov	byte ptr [ebp+arg_0+3],	0FFh

loc_66BBE3:				; CODE XREF: RtlpHpLargeAllocSetExtraPresent(x,x,x)+2Aj
		lea	eax, [ebx+44h]
		test	byte ptr [eax+4], 1
		mov	esi, [eax]
		jz	short loc_66BBF8
		test	esi, esi
		jz	short loc_66BBF6
		xor	esi, eax
		jmp	short loc_66BBF8
; 

loc_66BBF6:				; CODE XREF: RtlpHpLargeAllocSetExtraPresent(x,x,x)+3Dj
		xor	esi, esi

loc_66BBF8:				; CODE XREF: RtlpHpLargeAllocSetExtraPresent(x,x,x)+39j
					; RtlpHpLargeAllocSetExtraPresent(x,x,x)+41j
		movzx	ecx, byte ptr [eax+4]
		and	ecx, 1
		jmp	short loc_66BC24
; 

loc_66BC01:				; CODE XREF: RtlpHpLargeAllocSetExtraPresent(x,x,x)+73j
		mov	eax, [esi+0Ch]
		and	eax, 0FFFF0000h
		cmp	edx, eax
		jb	short loc_66BC14
		jbe	short loc_66BC28
		mov	eax, [esi+4]
		jmp	short loc_66BC16
; 

loc_66BC14:				; CODE XREF: RtlpHpLargeAllocSetExtraPresent(x,x,x)+58j
		mov	eax, [esi]

loc_66BC16:				; CODE XREF: RtlpHpLargeAllocSetExtraPresent(x,x,x)+5Fj
		test	ecx, ecx
		jz	short loc_66BC22
		test	eax, eax
		jz	short loc_66BC22
		xor	esi, eax
		jmp	short loc_66BC24
; 

loc_66BC22:				; CODE XREF: RtlpHpLargeAllocSetExtraPresent(x,x,x)+65j
					; RtlpHpLargeAllocSetExtraPresent(x,x,x)+69j
		mov	esi, eax

loc_66BC24:				; CODE XREF: RtlpHpLargeAllocSetExtraPresent(x,x,x)+4Cj
					; RtlpHpLargeAllocSetExtraPresent(x,x,x)+6Dj
		test	esi, esi
		jnz	short loc_66BC01

loc_66BC28:				; CODE XREF: RtlpHpLargeAllocSetExtraPresent(x,x,x)+5Aj
		test	edi, edi
		jnz	short loc_66BC6D
		test	byte ptr [ebx],	1
		lea	edi, [ebx+40h]
		jnz	short loc_66BC5E
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_66BC49
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_66BC49:				; CODE XREF: RtlpHpLargeAllocSetExtraPresent(x,x,x)+8Dj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_66BC6D
; 

loc_66BC5E:				; CODE XREF: RtlpHpLargeAllocSetExtraPresent(x,x,x)+7Fj
		push	edi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_66BC6D:				; CODE XREF: RtlpHpLargeAllocSetExtraPresent(x,x,x)+77j
					; RtlpHpLargeAllocSetExtraPresent(x,x,x)+A9j
		or	dword ptr [esi+10h], 1
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_RtlpHpLargeAllocSetExtraPresent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLargeAllocSize(x, x, x, x)
_RtlpHpLargeAllocSize@16 proc near	; CODE XREF: RtlpHpSizeHeapInternal(x,x,x,x)+49p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		and	esi, 1
		jnz	short loc_66BC9F
		movzx	edx, byte ptr [ebx]
		lea	ecx, [ebx+40h]
		and	edx, 1
		call	_RtlpHpAcquireLockShared@8 ; RtlpHpAcquireLockShared(x,x)
		mov	byte ptr [ebp+arg_0+3],	al
		jmp	short loc_66BCA3
; 

loc_66BC9F:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+12j
		mov	byte ptr [ebp+arg_0+3],	0FFh

loc_66BCA3:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+25j
		lea	eax, [ebx+44h]
		test	byte ptr [eax+4], 1
		mov	edx, [eax]
		jz	short loc_66BCB8
		test	edx, edx
		jz	short loc_66BCB6
		xor	edx, eax
		jmp	short loc_66BCB8
; 

loc_66BCB6:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+38j
		xor	edx, edx

loc_66BCB8:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+34j
					; RtlpHpLargeAllocSize(x,x,x,x)+3Cj
		movzx	ecx, byte ptr [eax+4]
		and	ecx, 1
		jmp	short loc_66BCE4
; 

loc_66BCC1:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+6Ej
		mov	eax, [edx+0Ch]
		and	eax, 0FFFF0000h
		cmp	edi, eax
		jb	short loc_66BCD4
		jbe	short loc_66BCE8
		mov	eax, [edx+4]
		jmp	short loc_66BCD6
; 

loc_66BCD4:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+53j
		mov	eax, [edx]

loc_66BCD6:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+5Aj
		test	ecx, ecx
		jz	short loc_66BCE2
		test	eax, eax
		jz	short loc_66BCE2
		xor	edx, eax
		jmp	short loc_66BCE4
; 

loc_66BCE2:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+60j
					; RtlpHpLargeAllocSize(x,x,x,x)+64j
		mov	edx, eax

loc_66BCE4:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+47j
					; RtlpHpLargeAllocSize(x,x,x,x)+68j
		test	edx, edx
		jnz	short loc_66BCC1

loc_66BCE8:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+55j
		test	edx, edx
		jnz	short loc_66BCF1
		or	edi, 0FFFFFFFFh
		jmp	short loc_66BCFB
; 

loc_66BCF1:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+72j
		push	[ebp+arg_4]
		call	_RtlpHpLargeAllocSizeInternal@12 ; RtlpHpLargeAllocSizeInternal(x,x,x)
		mov	edi, eax

loc_66BCFB:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+77j
		test	esi, esi
		jnz	short loc_66BD40
		test	byte ptr [ebx],	1
		lea	esi, [ebx+40h]
		jnz	short loc_66BD31
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_66BD1C
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_66BD1C:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+9Bj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_66BD40
; 

loc_66BD31:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+8Dj
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_66BD40:				; CODE XREF: RtlpHpLargeAllocSize(x,x,x,x)+85j
					; RtlpHpLargeAllocSize(x,x,x,x)+B7j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_RtlpHpLargeAllocSize@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLargeAllocSizeInternal(x, x, x)
_RtlpHpLargeAllocSizeInternal@12 proc near ; CODE XREF:	RtlpHpLargeAllocSize(x,x,x,x)+7Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_66BD70
		xor	ecx, ecx
		test	byte ptr [edx+10h], 1
		jz	short loc_66BD6E
		and	[ebp+arg_0], 0
		inc	ecx
		push	esi
		push	edi
		xor	edi, edi
		lea	esi, [ebp+arg_0]
		lock or	[esi], edi
		pop	edi
		pop	esi

loc_66BD6E:				; CODE XREF: RtlpHpLargeAllocSizeInternal(x,x,x)+12j
		mov	[eax], ecx

loc_66BD70:				; CODE XREF: RtlpHpLargeAllocSizeInternal(x,x,x)+Aj
		mov	eax, [edx+10h]
		movzx	ecx, word ptr [edx+0Ch]
		and	eax, 0FFFFF000h
		sub	eax, ecx
		pop	ebp
		retn	4
_RtlpHpLargeAllocSizeInternal@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpLargeAllocationDestroy(x, x)
_RtlpHpLargeAllocationDestroy@8	proc near ; CODE XREF: RtlpHpHeapDestroy+76p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+0Ch]
		and	eax, 0FFFF0000h
		mov	[ebp+var_4], eax
		mov	ecx, [edi+10h]
		xor	edx, edx
		mov	esi, ecx
		mov	eax, ecx
		shr	ecx, 2
		inc	edx
		and	ecx, 3Fh
		shr	esi, 1
		and	esi, edx
		shr	eax, 0Ch
		shl	edx, cl
		add	esi, eax
		shl	esi, 0Ch
		lea	ecx, [edx-1]
		lea	eax, [edx-1]
		add	ecx, esi
		and	ecx, eax
		lea	eax, [esi-1]
		mov	esi, [ebp+arg_4]
		sub	edx, ecx
		add	eax, edx
		lea	ecx, [ebp+var_4]
		lea	edx, [ebp+arg_0]
		mov	[ebp+arg_0], eax
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		push	8000h
		call	_RtlpHpFreeVA@20 ; RtlpHpFreeVA(x,x,x,x,x)
		push	dword ptr [esi+4]
		mov	ecx, edi
		push	dword ptr [esi]
		call	_RtlpHpMetadataFree@12 ; RtlpHpMetadataFree(x,x,x)
		pop	edi
		pop	esi
		leave
		retn	8
_RtlpHpLargeAllocationDestroy@8	endp


;  S U B	R O U T	I N E 


; __stdcall RtlpHpVsChunkSetExtraPresent(x, x, x)
_RtlpHpVsChunkSetExtraPresent@12 proc near ; CODE XREF:	RtlpHpSegSetExtraPresent(x,x)+3Bp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+98h]
		lea	esi, [edx-8]
		mov	ebx, 0FFFh
		and	edi, 1
		jz	short loc_66BE13
		test	edx, ebx
		jnz	short loc_66BE13
		sub	esi, 8

loc_66BE13:				; CODE XREF: RtlpHpVsChunkSetExtraPresent(x,x,x)+16j
					; RtlpHpVsChunkSetExtraPresent(x,x,x)+1Aj
		mov	eax, [esi]
		xor	eax, ds:_RtlpHpHeapGlobals
		xor	eax, esi
		shr	eax, 1
		and	eax, 7FFFh
		lea	ecx, ds:0FFFFFFF8h[eax*8]
		test	edi, edi
		jz	short loc_66BE39
		lea	eax, [esi+10h]
		test	eax, ebx
		jnz	short loc_66BE39
		sub	ecx, 8

loc_66BE39:				; CODE XREF: RtlpHpVsChunkSetExtraPresent(x,x,x)+39j
					; RtlpHpVsChunkSetExtraPresent(x,x,x)+40j
		pop	edi
		mov	eax, 4000h
		or	[ecx+edx-2], ax
		pop	esi
		pop	ebx
		retn	4
_RtlpHpVsChunkSetExtraPresent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpHpVsChunkSize(x, x, x, x)
_RtlpHpVsChunkSize@16 proc near		; CODE XREF: RtlpSizeHeapInternal(x,x,x)+1Dp
					; RtlpHpSegSizeInternal(x,x,x,x,x)+42p

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+98h]
		push	esi
		push	edi
		mov	edi, edx
		mov	edx, 0FFFh
		lea	esi, [edi-8]
		and	eax, 1
		jz	short loc_66BE6D
		test	edi, edx
		jnz	short loc_66BE6D
		sub	esi, 8

loc_66BE6D:				; CODE XREF: RtlpHpVsChunkSize(x,x,x,x)+1Bj
					; RtlpHpVsChunkSize(x,x,x,x)+1Fj
		mov	ecx, [esi]
		xor	ecx, ds:_RtlpHpHeapGlobals
		xor	ecx, esi
		jl	short loc_66BE7E
		or	ecx, 0FFFFFFFFh
		jmp	short loc_66BEE6
; 

loc_66BE7E:				; CODE XREF: RtlpHpVsChunkSize(x,x,x,x)+2Ej
		shr	ecx, 1
		and	ecx, 7FFFh
		lea	ecx, ds:0FFFFFFF8h[ecx*8]
		test	eax, eax
		jz	short loc_66BE9B
		lea	eax, [esi+10h]
		test	eax, edx
		jnz	short loc_66BE9B
		sub	ecx, 8

loc_66BE9B:				; CODE XREF: RtlpHpVsChunkSize(x,x,x,x)+46j
					; RtlpHpVsChunkSize(x,x,x,x)+4Dj
		test	dword ptr [esi+4], 100h
		jz	short loc_66BEDB
		movzx	eax, word ptr [ecx+edi-2]
		mov	edx, eax
		test	edx, 4000h
		jz	short loc_66BEC4
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	esi, esi
		lock or	[eax], esi
		movzx	eax, word ptr [ecx+edi-2]

loc_66BEC4:				; CODE XREF: RtlpHpVsChunkSize(x,x,x,x)+68j
		shr	edx, 0Eh
		and	edx, 1
		test	ax, ax
		jns	short loc_66BED2
		dec	ecx
		jmp	short loc_66BEDD
; 

loc_66BED2:				; CODE XREF: RtlpHpVsChunkSize(x,x,x,x)+84j
		and	eax, 1FFFh
		sub	ecx, eax
		jmp	short loc_66BEDD
; 

loc_66BEDB:				; CODE XREF: RtlpHpVsChunkSize(x,x,x,x)+59j
		xor	edx, edx

loc_66BEDD:				; CODE XREF: RtlpHpVsChunkSize(x,x,x,x)+87j
					; RtlpHpVsChunkSize(x,x,x,x)+90j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_66BEE6
		mov	[eax], edx

loc_66BEE6:				; CODE XREF: RtlpHpVsChunkSize(x,x,x,x)+33j
					; RtlpHpVsChunkSize(x,x,x,x)+99j
		pop	edi
		mov	eax, ecx
		pop	esi
		leave
		retn	8
_RtlpHpVsChunkSize@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpCSparseBitmapWaitOnAddress(x, x, x, x)
_RtlpCSparseBitmapWaitOnAddress@16 proc	near
					; CODE XREF: RtlpCSparseBitmapPageDecommit+DD74Dp
					; RtlpCSparseBitmapPageCommit+DD2E5p

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_4], eax
		cmp	byte ptr [ecx+18h], 0
		jnz	short loc_66BF15
		push	0
		push	4
		push	edx
		add	ecx, 14h
		mov	edx, eax
		call	ExBlockOnAddressPushLock
		jmp	short locret_66BF1E
; 

loc_66BF13:				; CODE XREF: RtlpCSparseBitmapWaitOnAddress(x,x,x,x)+2Cj
		pause

loc_66BF15:				; CODE XREF: RtlpCSparseBitmapWaitOnAddress(x,x,x,x)+12j
		mov	eax, [ebp+var_4]
		cmp	eax, [edx]
		jz	short loc_66BF13
		xor	eax, eax

locret_66BF1E:				; CODE XREF: RtlpCSparseBitmapWaitOnAddress(x,x,x,x)+23j
		leave
		retn	8
_RtlpCSparseBitmapWaitOnAddress@16 endp


;  S U B	R O U T	I N E 


; __stdcall PdcPortSendMessageSynchronously(x, x, x)
_PdcPortSendMessageSynchronously@12 proc near ;	CODE XREF: PdcTaskClientRequest(x,x)+CAp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		lea	ebx, [esi+4]
		mov	ecx, ebx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_66BF40
		mov	esi, 0C0000189h
		jmp	short loc_66BF5C
; 

loc_66BF40:				; CODE XREF: PdcPortSendMessageSynchronously(x,x,x)+15j
		push	310h
		push	edi
		mov	dword ptr [edi+1Ch], 5
		push	dword ptr [esi+10h]
		call	dword ptr [esi+18h]
		mov	ecx, ebx
		mov	esi, eax
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_66BF5C:				; CODE XREF: PdcPortSendMessageSynchronously(x,x,x)+1Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn	4
_PdcPortSendMessageSynchronously@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtInitLsaDeadEventForNonPagedList(x)
_SepAdtInitLsaDeadEventForNonPagedList@4 proc near
					; CODE XREF: SepRmCommandServerThread+8CA53p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, offset dword_6D7168
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	ds:dword_6D7128, offset	dword_6D7128
		mov	ds:dword_6D718C, esi
		setnz	bl
		test	ds:byte_70EFC6,	1
		jz	short loc_66BFAF
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_66BFDE
; 

loc_66BFAF:				; CODE XREF: SepAdtInitLsaDeadEventForNonPagedList(x)+3Cj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_66BFCE
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_66BFDE
		call	KxWaitForLockChainValid

loc_66BFCE:				; CODE XREF: SepAdtInitLsaDeadEventForNonPagedList(x)+50j
		xor	edx, edx
		mov	[ebp+var_C], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx

loc_66BFDE:				; CODE XREF: SepAdtInitLsaDeadEventForNonPagedList(x)+49j
					; SepAdtInitLsaDeadEventForNonPagedList(x)+63j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_SepAdtInitLsaDeadEventForNonPagedList@4 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 2436. SeAuditingFileEventsWithContextEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditingFileEventsWithContextEx(x, x, x, x)
		public _SeAuditingFileEventsWithContextEx@16
_SeAuditingFileEventsWithContextEx@16 proc near
					; CODE XREF: SeAuditingFileEventsWithContext(x,x,x)+10p

arg_0		= byte ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	cl, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		test	cl, cl
		push	esi
		mov	esi, [ebp+arg_C]
		setnz	bl
		dec	ebx
		and	ebx, 2Dh
		test	esi, esi
		jz	short loc_66C02F
		push	[ebp+arg_8]
		test	cl, cl
		mov	dl, cl
		mov	ecx, 82h
		setz	al
		movzx	eax, al
		push	eax
		call	SepAdtAuditThisEventWithContext
		mov	cl, [ebp+arg_0]
		mov	[esi], al

loc_66C02F:				; CODE XREF: SeAuditingFileEventsWithContextEx(x,x,x,x)+1Dj
		push	[ebp+arg_8]
		test	cl, cl
		mov	dl, cl
		setz	al
		movzx	eax, al
		push	eax
		push	75h
		pop	ecx
		call	SepAdtAuditThisEventWithContext
		test	al, al
		jnz	short loc_66C05B
		push	[ebp+arg_8]
		lea	edx, [ebx+3]
		push	3
		pop	ecx
		call	SepAdtAuditThisEventByCategoryWithContext
		test	al, al
		jz	short loc_66C05D

loc_66C05B:				; CODE XREF: SeAuditingFileEventsWithContextEx(x,x,x,x)+54j
		mov	al, 1

loc_66C05D:				; CODE XREF: SeAuditingFileEventsWithContextEx(x,x,x,x)+66j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_SeAuditingFileEventsWithContextEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtCheckPrivilegeForSensitivity(x, x, x)
_SepAdtCheckPrivilegeForSensitivity@12 proc near
					; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A942p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	byte ptr [esi],	0
		mov	byte ptr [edi],	0
		test	ecx, ecx
		jz	short loc_66C0F4
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_66C0F4
		push	ebx
		xor	ebx, ebx
		test	edx, edx
		jz	short loc_66C0F3
		lea	eax, [ecx+8]
		mov	[ebp+var_4], eax
		lea	eax, [ecx+0Ch]
		mov	[ebp+var_8], eax

loc_66C097:				; CODE XREF: SepAdtCheckPrivilegeForSensitivity(x,x,x)+8Cj
		cmp	byte ptr [esi],	0
		jz	short loc_66C0A1
		cmp	byte ptr [edi],	0
		jnz	short loc_66C0F3

loc_66C0A1:				; CODE XREF: SepAdtCheckPrivilegeForSensitivity(x,x,x)+35j
		mov	ecx, [ebp+var_4]
		mov	eax, offset _SepSensitivePrivileges
		mov	[ebp+var_C], eax
		mov	ecx, [ecx]
		mov	[ebp+var_10], ecx
		mov	ecx, dword ptr ds:_SepSensitivePrivileges

loc_66C0B7:				; CODE XREF: SepAdtCheckPrivilegeForSensitivity(x,x,x)+73j
		mov	edi, [ebp+var_10]
		cmp	edi, [ecx]
		mov	edi, [ebp+arg_0]
		jnz	short loc_66C0CE
		mov	eax, [ebp+var_8]
		mov	eax, [eax]
		cmp	eax, [ecx+4]
		jz	short loc_66C0DA
		mov	eax, [ebp+var_C]

loc_66C0CE:				; CODE XREF: SepAdtCheckPrivilegeForSensitivity(x,x,x)+5Aj
		add	eax, 4
		mov	[ebp+var_C], eax
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_66C0B7

loc_66C0DA:				; CODE XREF: SepAdtCheckPrivilegeForSensitivity(x,x,x)+64j
		test	ecx, ecx
		jz	short loc_66C0E3
		mov	byte ptr [esi],	1
		jmp	short loc_66C0E6
; 

loc_66C0E3:				; CODE XREF: SepAdtCheckPrivilegeForSensitivity(x,x,x)+77j
		mov	byte ptr [edi],	1

loc_66C0E6:				; CODE XREF: SepAdtCheckPrivilegeForSensitivity(x,x,x)+7Cj
		add	[ebp+var_4], 0Ch
		inc	ebx
		add	[ebp+var_8], 0Ch
		cmp	ebx, edx
		jb	short loc_66C097

loc_66C0F3:				; CODE XREF: SepAdtCheckPrivilegeForSensitivity(x,x,x)+24j
					; SepAdtCheckPrivilegeForSensitivity(x,x,x)+3Aj
		pop	ebx

loc_66C0F4:				; CODE XREF: SepAdtCheckPrivilegeForSensitivity(x,x,x)+17j
					; SepAdtCheckPrivilegeForSensitivity(x,x,x)+1Dj
		pop	edi
		pop	esi
		leave
		retn	4
_SepAdtCheckPrivilegeForSensitivity@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BCryptDecrypt(x, x,	x, x, x, x, x, x, x, x)
_BCryptDecrypt@40 proc near		; CODE XREF: SmCrAuthDecrypt(x,x,x,x,x,x,x,x)+3Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, 0C0000002h
		mov	ecx, ds:_SepBCryptExtensionHost
		push	edi
		mov	edi, edx
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_66C143
		xor	ecx, ecx
		push	ecx
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	ecx
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	ebx
		call	dword ptr [eax+18h]
		mov	ecx, ds:_SepBCryptExtensionHost
		mov	esi, eax
		add	ecx, 24h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_66C143:				; CODE XREF: BCryptDecrypt(x,x,x,x,x,x,x,x,x,x)+1Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	20h
_BCryptDecrypt@40 endp


;  S U B	R O U T	I N E 


; __stdcall BCryptDestroyKey(x)
_BCryptDestroyKey@4 proc near		; CODE XREF: SecureDump_Init+7E395p
					; SecureDump_EncryptSymmetricKeyWithPublicKey()+192p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, 0C0000002h
		mov	ecx, ds:_SepBCryptExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_66C17A
		push	edi
		call	dword ptr [eax+20h]
		mov	ecx, ds:_SepBCryptExtensionHost
		mov	esi, eax
		add	ecx, 24h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_66C17A:				; CODE XREF: BCryptDestroyKey(x)+18j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_BCryptDestroyKey@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BCryptEncrypt(x, x,	x, x, x, x, x, x, x, x)
_BCryptEncrypt@40 proc near		; CODE XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+12Dp
					; SecureDump_EncryptSymmetricKeyWithPublicKey()+178p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, 0C0000002h
		mov	ecx, ds:_SepBCryptExtensionHost
		push	edi
		mov	edi, edx
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_66C1C9
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	ebx
		call	dword ptr [eax+2Ch]
		mov	ecx, ds:_SepBCryptExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_66C1C9:				; CODE XREF: BCryptEncrypt(x,x,x,x,x,x,x,x,x,x)+1Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	20h
_BCryptEncrypt@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BCryptGenRandom(x, x, x, x)
_BCryptGenRandom@16 proc near		; CODE XREF: SecureDump_SymmetricEncryptionSetup()+5Fp
					; SmCrGenRandom(x,x)+6p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, ds:_SepBCryptExtensionHost
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, 0C0000002h
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_66C20A
		push	2
		push	[ebp+arg_0]
		push	edi
		push	0
		call	dword ptr [eax+50h]
		mov	ecx, ds:_SepBCryptExtensionHost
		mov	esi, eax
		add	ecx, 24h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_66C20A:				; CODE XREF: BCryptGenRandom(x,x,x,x)+1Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_BCryptGenRandom@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepTokenPrivilegeAttributes(x, x)
_SepTokenPrivilegeAttributes@8 proc near ; CODE	XREF: SepAdjustPrivileges+14A7E5p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		xor	edi, edi
		mov	ebx, ecx
		inc	edi
		mov	eax, edi
		xor	edx, edx
		mov	ecx, esi
		call	__allshl
		mov	esi, [ebx+48h]
		mov	ecx, [ebx+4Ch]
		and	esi, eax
		and	ecx, edx
		mov	[ebp+var_4], edx
		or	esi, ecx
		jz	short loc_66C243
		push	2
		pop	edx
		jmp	short loc_66C245
; 

loc_66C243:				; CODE XREF: SepTokenPrivilegeAttributes(x,x)+2Aj
		xor	edx, edx

loc_66C245:				; CODE XREF: SepTokenPrivilegeAttributes(x,x)+2Fj
		mov	ecx, [ebx+50h]
		and	ecx, eax
		mov	eax, [ebx+54h]
		and	eax, [ebp+var_4]
		or	ecx, eax
		jnz	short loc_66C256
		xor	edi, edi

loc_66C256:				; CODE XREF: SepTokenPrivilegeAttributes(x,x)+40j
		or	edi, edx
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SepTokenPrivilegeAttributes@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepInternalSetSecurityAttributesToken(x, x,	x, x, x)
_SepInternalSetSecurityAttributesToken@20 proc near
					; CODE XREF: SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+117p
					; SeSetSecurityAttributesToken(x,x,x,x)+13p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, ds:_SeTokenObjectType
		and	[esp+0Ch+var_C], 0
		push	ebx
		push	esi
		push	edi
		push	0
		lea	esi, [esp+1Ch+var_C]
		xor	bl, bl
		push	esi
		push	edx
		push	eax
		push	80h
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_66C334
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_66C2A7
		mov	edi, 0C000000Dh
		jmp	loc_66C334
; 

loc_66C2A7:				; CODE XREF: SepInternalSetSecurityAttributesToken(x,x,x,x,x)+3Cj
		cmp	[ebp+arg_0], bl
		jnz	short loc_66C2BA
		mov	edx, [ebp+arg_8]
		mov	ecx, edi
		call	_SepShouldSetDelinkFlags@8 ; SepShouldSetDelinkFlags(x,x)
		test	al, al
		jz	short loc_66C2BC

loc_66C2BA:				; CODE XREF: SepInternalSetSecurityAttributesToken(x,x,x,x,x)+4Bj
		mov	bl, 1

loc_66C2BC:				; CODE XREF: SepInternalSetSecurityAttributesToken(x,x,x,x,x)+59j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [esp+18h+var_C]
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		and	[esp+18h+var_8], 0
		lea	eax, [esp+18h+var_8]
		xor	ecx, ecx
		lock or	[eax], ecx
		push	[ebp+arg_8]
		mov	ecx, [esi+1DCh]
		mov	edx, edi
		call	AuthzBasepSetSecurityAttributesToken
		mov	edi, eax
		test	edi, edi
		js	short loc_66C312
		test	bl, bl
		jz	short loc_66C30A
		or	dword ptr [esi+0B0h], 20000h

loc_66C30A:				; CODE XREF: SepInternalSetSecurityAttributesToken(x,x,x,x,x)+9Fj
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)

loc_66C312:				; CODE XREF: SepInternalSetSecurityAttributesToken(x,x,x,x,x)+9Bj
		and	[esp+18h+var_4], 0
		lea	eax, [esp+18h+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_66C334:				; CODE XREF: SepInternalSetSecurityAttributesToken(x,x,x,x,x)+31j
					; SepInternalSetSecurityAttributesToken(x,x,x,x,x)+43j
		mov	ecx, [esp+18h+var_C]
		test	ecx, ecx
		jz	short loc_66C346
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag

loc_66C346:				; CODE XREF: SepInternalSetSecurityAttributesToken(x,x,x,x,x)+DBj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_SepInternalSetSecurityAttributesToken@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAccessCheckByTypeResultList(x, x,	x, x, x, x, x, x, x, x,	x)
_NtAccessCheckByTypeResultList@44 proc near ; DATA XREF: .text:0058129Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1
		push	[ebp+arg_28]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_24]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_SeAccessCheckByType@48	; SeAccessCheckByType(x,x,x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	2Ch
_NtAccessCheckByTypeResultList@44 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2418. SeAccessCheckEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAccessCheckEx(x, x, x, x,	x, x)
		public _SeAccessCheckEx@24
_SeAccessCheckEx@24 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_SepCommonAccessCheckExWithAdminlessChecks@32 ;	SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)
		mov	esp, ebp
		pop	ebp
		retn	18h
_SeAccessCheckEx@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeFastTraverseCheck(x, x, x, x)
_SeFastTraverseCheck@16	proc near	; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+538p
					; ObpCheckTraverseAccess(x,x,x,x,x,x)+63p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	short loc_66C439
		movzx	eax, word ptr [esi+2]
		mov	ecx, eax
		test	al, 4
		jz	short loc_66C41E
		test	cx, cx
		mov	ecx, [esi+10h]
		jns	short loc_66C3D9
		lea	eax, [ecx+esi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_66C3D9:				; CODE XREF: SeFastTraverseCheck(x,x,x,x)+1Ej
		test	ecx, ecx
		jz	short loc_66C41E
		movzx	edi, word ptr [ecx+4]
		test	edi, edi
		jz	short loc_66C439
		test	dword ptr [edx+0Ch], 810h
		jnz	short loc_66C439
		xor	ebx, ebx
		lea	esi, [ecx+8]
		test	edi, edi
		jz	short loc_66C439

loc_66C3F7:				; CODE XREF: SeFastTraverseCheck(x,x,x,x)+87j
		test	byte ptr [esi+1], 8
		jnz	short loc_66C42E
		mov	al, [esi]
		test	al, al
		jnz	short loc_66C422
		mov	eax, [ebp+arg_0]
		test	[esi+4], eax
		jz	short loc_66C42E
		lea	eax, [esi+8]
		push	eax
		push	ds:_SeWorldSid
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_66C42E

loc_66C41E:				; CODE XREF: SeFastTraverseCheck(x,x,x,x)+16j
					; SeFastTraverseCheck(x,x,x,x)+2Bj
		mov	al, 1
		jmp	short loc_66C43B
; 

loc_66C422:				; CODE XREF: SeFastTraverseCheck(x,x,x,x)+51j
		cmp	al, 1
		jnz	short loc_66C42E
		mov	eax, [ebp+arg_0]
		test	[esi+4], eax
		jnz	short loc_66C439

loc_66C42E:				; CODE XREF: SeFastTraverseCheck(x,x,x,x)+4Bj
					; SeFastTraverseCheck(x,x,x,x)+59j ...
		movzx	eax, word ptr [esi+2]
		inc	ebx
		add	esi, eax
		cmp	ebx, edi
		jb	short loc_66C3F7

loc_66C439:				; CODE XREF: SeFastTraverseCheck(x,x,x,x)+Cj
					; SeFastTraverseCheck(x,x,x,x)+33j ...
		xor	al, al

loc_66C43B:				; CODE XREF: SeFastTraverseCheck(x,x,x,x)+70j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_SeFastTraverseCheck@16	endp


;  S U B	R O U T	I N E 


; __stdcall SeFreeCapturedObjectTypeList(x)
_SeFreeCapturedObjectTypeList@4	proc near
					; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks:loc_8E82E3p
		test	ecx, ecx
		jz	short locret_66C44E
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_66C44E:				; CODE XREF: SeFreeCapturedObjectTypeList(x)+2j
		retn
_SeFreeCapturedObjectTypeList@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeMaximumAuditMask(x, x, x,	x)
_SeMaximumAuditMask@16 proc near	; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12601Dp
					; SeOpenObjectAuditAlarmWithTransaction+11097Bp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_4], edx
		and	dword ptr [edi], 0
		test	ecx, ecx
		jz	short loc_66C4D2
		movzx	eax, word ptr [ecx+4]
		push	esi
		xor	esi, esi
		cmp	si, ax
		jz	short loc_66C4D1
		lea	esi, [ecx+8]
		xor	ecx, ecx
		cmp	cx, ax
		jnb	short loc_66C4D1
		mov	[ebp+arg_4], eax
		push	ebx

loc_66C47D:				; CODE XREF: SeMaximumAuditMask(x,x,x,x)+7Fj
		mov	cl, [esi+1]
		test	cl, 8
		jnz	short loc_66C4C4
		mov	al, [esi]
		cmp	al, 2
		jz	short loc_66C48F
		cmp	al, 0Dh
		jnz	short loc_66C4C4

loc_66C48F:				; CODE XREF: SeMaximumAuditMask(x,x,x,x)+3Aj
		mov	ebx, [esi+4]
		and	ebx, edx
		setnz	al
		shr	cl, 6
		and	al, cl
		test	al, 1
		jz	short loc_66C4C4
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	eax		; char
		push	eax		; char
		push	eax		; char
		push	1		; char
		lea	eax, [esi+8]
		xor	edx, edx
		push	eax		; void *
		lea	ecx, [ecx+0CCh]
		call	SepSidInTokenSidHash
		mov	edx, [ebp+var_4]
		test	al, al
		jz	short loc_66C4C4
		or	[edi], ebx

loc_66C4C4:				; CODE XREF: SeMaximumAuditMask(x,x,x,x)+34j
					; SeMaximumAuditMask(x,x,x,x)+3Ej ...
		movzx	eax, word ptr [esi+2]
		add	esi, eax
		sub	[ebp+arg_4], 1
		jnz	short loc_66C47D
		pop	ebx

loc_66C4D1:				; CODE XREF: SeMaximumAuditMask(x,x,x,x)+1Ej
					; SeMaximumAuditMask(x,x,x,x)+28j
		pop	esi

loc_66C4D2:				; CODE XREF: SeMaximumAuditMask(x,x,x,x)+12j
		pop	edi
		leave
		retn	8
_SeMaximumAuditMask@16 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2513. SeSrpAccessCheck

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeSrpAccessCheck(x,	x, x, x, x, x)
		public _SeSrpAccessCheck@24
_SeSrpAccessCheck@24 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	1
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_SepCommonAccessCheckExWithAdminlessChecks@32 ;	SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)
		mov	esp, ebp
		pop	ebp
		retn	18h
_SeSrpAccessCheck@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAccessCheckEx(x,	x, x, x, x, x, x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x)
_SepAccessCheckEx@88 proc near		; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+859p
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+CEAp ...

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_28		= dword	ptr -28h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h
arg_40		= dword	ptr  48h
arg_44		= dword	ptr  4Ch
arg_4C		= dword	ptr  54h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4C], ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_60], eax
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_80], eax
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+arg_28]
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+arg_2C]
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+arg_40]
		mov	esi, [ebp+arg_C]
		mov	[ebp+var_64], eax
		mov	eax, [ebp+arg_44]
		mov	edi, [ebp+arg_3C]
		mov	[ebp+var_84], eax
		xor	eax, eax
		push	2Ch		; size_t
		push	eax		; int
		mov	[ebp+var_5C], eax
		mov	[ebp+var_4D], al
		mov	byte ptr [ebp+var_74], al
		mov	byte ptr [ebp+var_70], al
		lea	eax, [ebp+var_3C]
		push	eax		; void *
		mov	[ebp+var_68], ebx
		mov	[ebp+var_40], esi
		call	_memset
		mov	ecx, [ebp+var_44]
		add	esp, 0Ch
		test	ecx, ecx
		jnz	short loc_66C58B
		mov	ecx, ebx
		mov	[ebp+var_44], ecx

loc_66C58B:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7Fj
		cmp	[ebp+arg_10], 0
		mov	edx, [ebp+arg_8]
		mov	ebx, edx
		jnz	short loc_66C5A8
		xor	eax, eax
		lea	esi, [ebp+var_3C]
		inc	eax
		mov	[ebp+var_40], esi
		or	[ebp+var_28], 0FFFFFFFFh
		mov	[ebp+var_48], eax
		jmp	short loc_66C5B0
; 

loc_66C5A8:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8Fj
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_48], eax
		jbe	short loc_66C5C6

loc_66C5B0:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A1j
		mov	ecx, [ebp+var_6C]
		add	esi, 28h

loc_66C5B6:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BCj
		mov	[esi], ecx
		sub	ecx, 0FFFFFF80h
		lea	esi, [esi+2Ch]
		sub	eax, 1
		jnz	short loc_66C5B6
		mov	ecx, [ebp+var_44]

loc_66C5C6:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A9j
		test	edx, 1000000h
		jz	loc_66C65C
		mov	eax, ds:_SeSecurityPrivilege
		lea	edx, [ebp+var_10]
		push	[ebp+arg_1C]
		mov	[ebp+var_10], eax
		xor	ebx, ebx
		mov	eax, ds:dword_A94A3C
		inc	ebx
		mov	[ebp+var_C], eax
		xor	eax, eax
		push	ebx
		push	ebx
		mov	[ebp+var_8], eax
		call	_SepPrivilegeCheck@20 ;	SepPrivilegeCheck(x,x,x,x,x)
		mov	ecx, 1000000h
		test	al, al
		jnz	short loc_66C621
		xor	eax, eax
		mov	edx, 100000h
		push	eax
		push	[ebp+var_48]
		mov	esi, eax
		mov	edi, 0C0000061h
		push	[ebp+var_40]
		push	8
		call	_AuthzBasepSetTypeListAccessReasons@24 ; AuthzBasepSetTypeListAccessReasons(x,x,x,x,x,x)
		jmp	loc_66C87A
; 

loc_66C621:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F9j
		mov	esi, [ebp+arg_18]
		xor	eax, eax
		mov	ebx, [ebp+arg_8]
		mov	edx, 200000h
		push	eax
		push	[ebp+var_48]
		or	esi, 1000000h
		push	[ebp+var_40]
		push	8
		call	_AuthzBasepSetTypeListAccessReasons@24 ; AuthzBasepSetTypeListAccessReasons(x,x,x,x,x,x)
		xor	eax, eax
		inc	eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_4D], al
		and	ebx, 0FEFFFFFFh
		jz	loc_66C757
		mov	edx, [ebp+arg_8]
		jmp	short loc_66C65F
; 

loc_66C65C:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C7j
		mov	esi, [ebp+arg_18]

loc_66C65F:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+155j
		mov	eax, [ebp+var_4C]
		movzx	eax, word ptr [eax+2]
		mov	[ebp+var_58], eax
		and	[ebp+var_58], 4
		mov	[ebp+var_6C], eax
		movzx	ecx, ax
		jnz	short loc_66C67B
		and	[ebp+var_54], 0
		jmp	short loc_66C6A8
; 

loc_66C67B:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+16Ej
		test	cx, cx
		jns	short loc_66C69C
		mov	edx, [ebp+var_4C]
		mov	eax, [edx+10h]
		mov	[ebp+var_54], eax
		add	eax, edx
		mov	edx, [ebp+var_54]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	[ebp+var_54], edx
		mov	edx, [ebp+arg_8]
		jmp	short loc_66C6A5
; 

loc_66C69C:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+179j
		mov	eax, [ebp+var_4C]
		mov	eax, [eax+10h]
		mov	[ebp+var_54], eax

loc_66C6A5:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+195j
		mov	eax, [ebp+var_6C]

loc_66C6A8:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+174j
		and	ecx, 8000h
		test	al, 10h
		jnz	short loc_66C6B9
		xor	ecx, ecx
		mov	[ebp+var_4C], ecx
		jmp	short loc_66C6D9
; 

loc_66C6B9:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1ABj
		mov	eax, [ebp+var_4C]
		test	cx, cx
		jz	short loc_66C6D1
		mov	ecx, [eax+0Ch]
		add	eax, ecx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	[ebp+var_4C], ecx
		jmp	short loc_66C6D7
; 

loc_66C6D1:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1BAj
		mov	eax, [eax+0Ch]
		mov	[ebp+var_4C], eax

loc_66C6D7:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1CAj
		xor	ecx, ecx

loc_66C6D9:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1B2j
		cmp	word ptr [ebp+var_58], 0
		jz	loc_66CAB4
		cmp	[ebp+var_54], 0
		jz	loc_66CAB4
		test	ebx, 80000h
		jz	loc_66C801
		mov	eax, ds:_SeTakeOwnershipPrivilege
		lea	edx, [ebp+var_10]
		push	[ebp+arg_1C]
		mov	[ebp+var_10], eax
		mov	eax, ds:dword_A94CBC
		mov	[ebp+var_C], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_44]
		push	eax
		push	eax
		call	_SepPrivilegeCheck@20 ;	SepPrivilegeCheck(x,x,x,x,x)
		test	al, al
		jz	loc_66C7B2
		xor	eax, eax
		mov	ecx, 80000h
		push	eax
		push	[ebp+var_48]
		mov	edx, 200000h
		or	esi, ecx
		push	[ebp+var_40]
		push	9
		call	_AuthzBasepSetTypeListAccessReasons@24 ; AuthzBasepSetTypeListAccessReasons(x,x,x,x,x,x)
		mov	byte ptr [ebp+var_74], 1

loc_66C748:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2F7j
		inc	[ebp+var_5C]
		and	ebx, 0FFF7FFFFh
		jnz	loc_66C801

loc_66C757:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+14Cj
					; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4CAj ...
		xor	ebx, ebx

loc_66C759:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+333j
					; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+34Aj
		test	esi, esi
		jz	loc_66CB10
		mov	edi, ebx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_66C877
		mov	eax, [ebp+var_5C]
		test	eax, eax
		jz	loc_66C877
		mov	ebx, [ebp+var_78]
		mov	ecx, eax
		mov	dl, [ebp+var_4D]
		push	ebx
		push	[ebp+var_70]
		push	[ebp+var_74]
		call	SepAssemblePrivileges
		xor	eax, eax
		mov	edi, eax
		test	ebx, ebx
		jz	loc_66C877
		cmp	[ebx], eax
		jnz	loc_66C877
		mov	bl, al
		mov	edi, 0C0000017h
		mov	esi, eax
		jmp	loc_66C87A
; 

loc_66C7B2:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+21Dj
		mov	eax, ds:_SeRelabelPrivilege
		lea	edx, [ebp+var_10]
		push	[ebp+arg_1C]
		mov	ecx, [ebp+var_44]
		mov	[ebp+var_10], eax
		mov	eax, ds:dword_A94A4C
		mov	[ebp+var_C], eax
		xor	eax, eax
		mov	[ebp+var_8], eax
		inc	eax
		push	eax
		push	eax
		call	_SepPrivilegeCheck@20 ;	SepPrivilegeCheck(x,x,x,x,x)
		test	al, al
		jz	short loc_66C801
		xor	eax, eax
		mov	ecx, 80000h
		push	eax
		push	[ebp+var_48]
		mov	edx, 200000h
		or	esi, ecx
		push	[ebp+var_40]
		push	20h
		call	_AuthzBasepSetTypeListAccessReasons@24 ; AuthzBasepSetTypeListAccessReasons(x,x,x,x,x,x)
		mov	byte ptr [ebp+var_70], 1
		jmp	loc_66C748
; 

loc_66C801:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1EFj
					; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+24Cj ...
		mov	edx, [ebp+var_54]
		xor	eax, eax
		cmp	[edx+4], ax
		jnz	loc_66C8A8
		mov	eax, [ebp+var_44]
		mov	[edi+0Ch], ebx
		mov	ecx, [eax+0B0h]
		test	ecx, 4000h
		jz	short loc_66C82A
		mov	eax, [edi]
		not	eax
		and	esi, eax

loc_66C82A:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+31Dj
		cmp	ebx, 2000000h
		jnz	short loc_66C83D
		xor	ebx, ebx
		test	esi, esi
		jz	short loc_66C859
		jmp	loc_66C759
; 

loc_66C83D:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+32Bj
		test	ebx, ebx
		jnz	short loc_66C857
		cmp	[edi], ebx
		jz	short loc_66C859
		test	esi, esi
		jz	short loc_66C859
		test	ecx, 6000h
		jz	loc_66C759
		jmp	short loc_66C859
; 

loc_66C857:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+33Aj
		xor	ebx, ebx

loc_66C859:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+331j
					; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+33Ej ...
		push	ebx
		push	[ebp+var_48]
		mov	edx, (offset loc_5FFFFF+1)
		mov	ecx, 0FDFFFFFFh
		push	[ebp+var_40]
		mov	esi, ebx
		mov	edi, 0C0000022h
		push	ebx
		call	_AuthzBasepSetTypeListAccessReasons@24 ; AuthzBasepSetTypeListAccessReasons(x,x,x,x,x,x)

loc_66C877:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+266j
					; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+271j ...
		xor	ebx, ebx
		inc	ebx

loc_66C87A:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+117j
					; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2A8j
		mov	eax, [ebp+var_7C]
		mov	[eax], edi
		mov	eax, [ebp+var_80]
		mov	[eax], esi
		mov	eax, [ebp+var_84]
		test	eax, eax
		jz	short loc_66C895
		test	edi, edi
		setns	cl
		mov	[eax], cl

loc_66C895:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+387j
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	50h
; 

loc_66C8A8:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+305j
		test	[ebp+arg_8], 2000000h
		push	[ebp+arg_4C]
		push	edi
		push	[ebp+arg_38]
		push	[ebp+arg_34]
		push	eax
		jnz	loc_66C9D4
		push	[ebp+arg_10]
		mov	ecx, ebx
		push	[ebp+var_40]
		push	[ebp+var_48]
		push	eax
		push	[ebp+var_64]
		push	[ebp+var_4C]
		push	edx
		push	[ebp+var_68]
		mov	edx, [ebp+var_44]
		call	_SepNormalAccessCheckEx@60 ; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edx, [ebp+var_40]
		mov	eax, [edx+18h]
		mov	[edi+0Ch], eax
		xor	eax, eax
		cmp	[edx+18h], eax
		jz	short loc_66C8F7

loc_66C8EE:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4C2j
		mov	edi, 0C0000022h
		mov	esi, eax
		jmp	short loc_66C877
; 

loc_66C8F7:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3E7j
		mov	eax, [ebp+var_44]
		mov	ecx, [eax+0B0h]
		test	cl, 10h
		jnz	short loc_66C909
		xor	ecx, ecx
		jmp	short loc_66C973
; 

loc_66C909:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3FEj
		mov	eax, [ebp+var_60]
		test	cl, 8
		jz	short loc_66C923
		mov	ecx, [eax+8]
		or	ecx, [eax]
		not	ecx
		and	ecx, [eax+4]
		or	ecx, 10D0000h
		jmp	short loc_66C92C
; 

loc_66C923:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+40Aj
		mov	ecx, [eax+0Ch]
		or	ecx, 1FFFFFh

loc_66C92C:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+41Cj
		xor	eax, eax
		mov	[ebp+var_58], eax
		mov	eax, [ebp+var_44]
		test	[ebp+arg_8], ecx
		jz	short loc_66C970
		push	[ebp+arg_4C]
		and	ecx, ebx
		push	edi
		push	[ebp+arg_38]
		push	[ebp+arg_34]
		push	1
		push	[ebp+arg_10]
		push	edx
		push	[ebp+var_48]
		xor	edx, edx
		push	edx
		push	[ebp+var_64]
		mov	edx, eax
		push	[ebp+var_4C]
		push	[ebp+var_54]
		push	[ebp+var_68]
		call	_SepNormalAccessCheckEx@60 ; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edx, [ebp+var_40]
		mov	eax, [edx+18h]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+var_44]

loc_66C970:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+432j
		mov	ecx, [ebp+var_58]

loc_66C973:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+402j
		mov	[edi+0Ch], ecx
		xor	ecx, ecx
		cmp	[edx+18h], ecx
		jz	short loc_66C989
		mov	edi, 0C0000022h
		mov	esi, ecx
		jmp	loc_66C877
; 

loc_66C989:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+476j
		mov	eax, [eax+0B0h]
		test	eax, 2000h
		jnz	short loc_66C9CC
		or	ebx, [ebp+arg_8]
		test	eax, 4000h
		jz	short loc_66C9AE
		mov	ecx, [edi+8]
		or	ecx, [edi+4]
		mov	eax, [edi]
		not	ecx
		or	eax, ebx
		jmp	short loc_66C9BC
; 

loc_66C9AE:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+499j
		cmp	[edi+14h], cl
		jz	short loc_66C9BE
		mov	ecx, [edi]
		mov	eax, [edi+4]
		or	ecx, ebx
		not	eax

loc_66C9BC:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4A7j
		and	ecx, eax

loc_66C9BE:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4ACj
		mov	[edx+18h], ecx
		test	ecx, ecx
		jz	short loc_66C9CC

loc_66C9C5:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5A2j
		xor	eax, eax
		jmp	loc_66C8EE
; 

loc_66C9CC:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+48Fj
					; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4BEj
		or	esi, [ebp+arg_8]
		jmp	loc_66C757
; 

loc_66C9D4:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3B5j
		mov	ecx, [ebp+var_44]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+var_40]
		push	[ebp+var_48]
		push	eax
		push	[ebp+var_64]
		push	[ebp+var_4C]
		push	edx
		mov	edx, [ebp+var_68]
		call	_SepMaximumAccessCheckEx@60 ; SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, 800000h
		push	eax
		push	[ebp+var_48]
		or	ecx, 0FFFFFFFFh
		push	[ebp+var_40]
		push	eax
		call	_AuthzBasepSetTypeListAccessReasons@24 ; AuthzBasepSetTypeListAccessReasons(x,x,x,x,x,x)
		mov	ecx, [ebp+var_44]
		mov	edx, [ecx+0B0h]
		test	dl, 10h
		jz	short loc_66CA6D
		test	dl, 8
		jz	short loc_66CA2F
		mov	edx, [ebp+var_60]
		mov	eax, [edx+8]
		or	eax, [edx]
		not	eax
		and	eax, [edx+4]
		or	eax, 10D0000h
		jmp	short loc_66CA3A
; 

loc_66CA2F:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+514j
		mov	eax, [ebp+var_60]
		mov	eax, [eax+0Ch]
		or	eax, 1FFFFFh

loc_66CA3A:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+528j
		push	[ebp+arg_4C]
		mov	edx, [ebp+var_68]
		push	edi
		push	[ebp+arg_38]
		push	[ebp+arg_34]
		push	1
		push	eax
		push	[ebp+arg_10]
		xor	eax, eax
		push	[ebp+var_40]
		push	[ebp+var_48]
		push	eax
		push	[ebp+var_64]
		push	[ebp+var_4C]
		push	[ebp+var_54]
		call	_SepMaximumAccessCheckEx@60 ; SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	eax, [ebp+var_44]
		mov	edx, [eax+0B0h]

loc_66CA6D:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+50Fj
		mov	eax, [ebp+var_40]
		mov	ecx, [eax+1Ch]
		test	edx, 2000h
		jnz	short loc_66CA9C
		test	edx, 4000h
		jz	short loc_66CA8D
		mov	eax, [edi+8]
		or	eax, [edi+4]
		and	ecx, eax
		jmp	short loc_66CA96
; 

loc_66CA8D:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+57Cj
		cmp	byte ptr [edi+14h], 0
		jz	short loc_66CA9C
		and	ecx, [edi+4]

loc_66CA96:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+586j
		mov	eax, [edi]
		not	eax
		and	esi, eax

loc_66CA9C:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+574j
					; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+58Cj
		mov	eax, ecx
		or	eax, 2000000h
		not	eax
		test	eax, ebx
		jnz	loc_66C9C5
		or	esi, ecx
		jmp	loc_66C757
; 

loc_66CAB4:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1D9j
					; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1E3j
		mov	ebx, [ebp+var_40]
		mov	eax, edx
		push	ecx
		push	[ebp+var_48]
		or	eax, esi
		test	edx, 2000000h
		push	ebx
		mov	esi, eax
		mov	edx, offset loc_500000
		push	ecx
		jz	short loc_66CB1A
		mov	eax, [ebp+var_60]
		and	esi, 0FDFFFFFFh
		or	esi, [eax+0Ch]
		mov	ecx, esi
		call	_AuthzBasepSetTypeListAccessReasons@24 ; AuthzBasepSetTypeListAccessReasons(x,x,x,x,x,x)
		mov	eax, [ebp+var_44]
		test	dword ptr [eax+0B0h], 4000h
		jz	loc_66C757
		push	1
		push	[ebp+var_48]
		xor	eax, eax
		xor	ecx, ecx
		push	ebx
		xor	ebx, ebx
		mov	esi, eax
		push	ebx
		call	_AuthzBasepSetTypeListAccessReasons@24 ; AuthzBasepSetTypeListAccessReasons(x,x,x,x,x,x)
		mov	[edi+15h], bl
		mov	[edi+4], ebx

loc_66CB10:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+256j
					; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+649j
		mov	edi, 0C0000022h
		jmp	loc_66C877
; 

loc_66CB1A:				; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5C9j
		mov	ecx, [ebp+arg_8]
		call	_AuthzBasepSetTypeListAccessReasons@24 ; AuthzBasepSetTypeListAccessReasons(x,x,x,x,x,x)
		mov	eax, [ebp+var_44]
		test	dword ptr [eax+0B0h], 4000h
		jz	loc_66C757
		xor	eax, eax
		xor	ecx, ecx
		push	eax
		push	[ebp+var_48]
		mov	esi, eax
		push	ebx
		push	eax
		call	_AuthzBasepSetTypeListAccessReasons@24 ; AuthzBasepSetTypeListAccessReasons(x,x,x,x,x,x)
		xor	eax, eax
		mov	[edi+15h], al
		mov	[edi+4], eax
		jmp	short loc_66CB10
_SepAccessCheckEx@88 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepBuildCapeSecurityDescriptor(x, x, x)
_SepBuildCapeSecurityDescriptor@12 proc	near
					; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF5FDp
					; SeAccessCheckByTypeWithAdminlessChecks+B8CAAp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		movzx	eax, byte ptr [edi]
		push	eax
		push	esi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		js	short loc_66CBBB
		or	word ptr [esi+2], 3
		movzx	edx, word ptr [edi+2]
		push	ebx
		mov	bl, dl
		mov	ecx, edx
		shr	bl, 3
		and	bl, 1
		and	edx, 4
		jnz	short loc_66CB86
		xor	ecx, ecx
		jmp	short loc_66CB97
; 

loc_66CB86:				; CODE XREF: SepBuildCapeSecurityDescriptor(x,x,x)+30j
		test	cx, cx
		mov	ecx, [edi+10h]
		jns	short loc_66CB97
		lea	eax, [ecx+edi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_66CB97:				; CODE XREF: SepBuildCapeSecurityDescriptor(x,x,x)+34j
					; SepBuildCapeSecurityDescriptor(x,x,x)+3Cj
		test	dx, dx
		push	ebx
		setnz	al
		push	ecx
		movzx	eax, al
		push	eax
		push	esi
		call	RtlSetDaclSecurityDescriptor
		pop	ebx
		test	eax, eax
		js	short loc_66CBBB
		push	0
		push	[ebp+arg_0]
		push	1
		push	esi
		call	_RtlSetSaclSecurityDescriptor@16 ; RtlSetSaclSecurityDescriptor(x,x,x,x)

loc_66CBBB:				; CODE XREF: SepBuildCapeSecurityDescriptor(x,x,x)+17j
					; SepBuildCapeSecurityDescriptor(x,x,x)+5Cj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_SepBuildCapeSecurityDescriptor@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCommonAccessCheckExWithAdminlessChecks(x, x, x, x, x, x,	x, x)
_SepCommonAccessCheckExWithAdminlessChecks@32 proc near
					; CODE XREF: SeAccessCheckEx(x,x,x,x,x,x)+1Ep
					; SeSrpAccessCheck(x,x,x,x,x,x)+1Ep

var_288		= dword	ptr -288h
var_274		= dword	ptr -274h
var_260		= dword	ptr -260h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_225		= dword	ptr -225h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_207		= byte ptr -207h
var_206		= byte ptr -206h
var_205		= byte ptr -205h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1EE		= byte ptr -1EEh
var_1ED		= byte ptr -1EDh
var_1EC		= dword	ptr -1ECh
var_1E5		= byte ptr -1E5h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= byte ptr -1D4h
var_1D3		= byte ptr -1D3h
var_1D2		= byte ptr -1D2h
var_1D1		= byte ptr -1D1h
var_1D0		= dword	ptr -1D0h
var_150		= dword	ptr -150h
var_D0		= dword	ptr -0D0h
var_4C		= dword	ptr -4Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_1DC], ecx
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_260]
		mov	ebx, [ebp+arg_0]
		stosd
		push	7
		pop	ecx
		mov	esi, [ebp+arg_4]
		stosd
		mov	[ebp+var_1D1], dl
		xor	edx, edx
		mov	[ebp+var_240], ebx
		mov	[ebp+var_210], esi
		stosd
		mov	[ebp+var_1D3], dl
		mov	byte ptr [ebp+var_225],	dl
		mov	[ebp+var_225+1], edx
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_20]
		mov	[ebp+var_23C], edx
		rep stosd
		lea	edi, [ebp+var_274]
		mov	[ebp+var_250], edx
		stosd
		mov	[ebp+var_1F8], edx
		mov	[ebp+var_1D2], dl
		mov	[ebp+var_200], edx
		stosd
		mov	[ebp+var_238], edx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_288]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_D0]
		mov	edi, 80h
		push	edi		; size_t
		push	edx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_150]
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_1D0]
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_1ED], 0
		add	esp, 0Ch
		mov	[ebp+var_1EE], 0
		mov	[ebp+var_1FC], eax
		mov	[ebp+var_24C], eax
		test	esi, esi
		jz	loc_66E0D2
		cmp	dword ptr [esi], 18h
		jnz	loc_66E0D2
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	loc_66E0D2
		cmp	[ebp+var_1DC], 0
		jz	loc_66E0CC
		test	ebx, ebx
		jz	loc_66E0CC
		cmp	dword ptr [ebx], 20h
		jnz	loc_66E0CC
		mov	edx, [esi+8]
		test	edx, edx
		jz	loc_66E0CC
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_66CD16
		cmp	dword ptr [eax], 0Ch
		jnz	loc_66E0CC
		test	dword ptr [eax+4], 0FFFFFFF8h
		jnz	loc_66E0CC

loc_66CD16:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+13Dj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_66CD26
		cmp	dword ptr [eax], 38h
		jnz	loc_66E0CC

loc_66CD26:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+15Aj
		xor	ecx, ecx
		mov	[edx], ecx
		mov	edx, 0C0000022h
		mov	eax, [esi+0Ch]
		mov	[eax], edx
		mov	eax, [esi+14h]
		mov	[ebp+var_234], ecx
		mov	[ebp+var_244], edx
		test	eax, eax
		jz	short loc_66CD49
		mov	[eax], ecx

loc_66CD49:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+184j
		mov	eax, [ebx+0Ch]
		mov	ecx, [esi+10h]
		not	eax
		and	eax, [ebx+8]
		mov	edi, [ebp+var_1DC]
		and	eax, 0FDFFFFFFh
		mov	[ebp+var_1E0], ecx
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_1F4], eax
		cmp	[ebp+var_1E0], 0
		mov	edx, ecx
		jz	short loc_66CD97
		mov	esi, [ebp+var_1E0]

loc_66CD7F:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1CEj
		test	edx, edx
		jz	short loc_66CD91
		test	edx, eax
		jz	short loc_66CD8A
		and	dword ptr [esi], 0

loc_66CD8A:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1C4j
		add	esi, 4
		add	edx, edx
		jmp	short loc_66CD7F
; 

loc_66CD91:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1C0j
		mov	esi, [ebp+var_210]

loc_66CD97:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1B6j
		cmp	byte ptr [ebp+arg_C], 0
		jnz	short loc_66CDDD
		mov	eax, [ebx+8]
		mov	ecx, [esi+8]
		test	eax, 2000000h
		jz	short loc_66CDC9
		mov	eax, [ebx+14h]
		mov	eax, [eax+0Ch]
		mov	[ecx], eax
		mov	ecx, [esi+8]
		mov	eax, [ebx+8]
		and	eax, 0FDFFFFFFh
		or	[ecx], eax
		mov	ecx, [esi+8]
		mov	eax, [ebx+0Ch]
		or	[ecx], eax
		jmp	short loc_66CDD0
; 

loc_66CDC9:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1E7j
		mov	edx, [ebx+0Ch]
		or	edx, eax
		mov	[ecx], edx

loc_66CDD0:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+206j
		mov	ecx, [esi+0Ch]
		and	dword ptr [ecx], 0

loc_66CDD6:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+7F4j
		mov	al, 1
		jmp	loc_66E0D4
; 

loc_66CDDD:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1DAj
		mov	edx, [ebx+4]
		test	edx, edx
		jz	short loc_66CE0F
		xor	eax, eax
		cmp	[edx+8], eax
		jz	short loc_66CE0F
		cmp	[edi], eax
		jz	short loc_66CE03
		cmp	dword ptr [edi+4], 2
		jge	short loc_66CE03
		mov	eax, [esi+0Ch]
		mov	dword ptr [eax], 0C00000A5h
		jmp	loc_66E0D2
; 

loc_66CE03:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+22Cj
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+232j
		cmp	[ebx+8], eax
		jnz	short loc_66CE39
		mov	edx, [ebx+0Ch]
		test	edx, edx
		jnz	short loc_66CE1D

loc_66CE0F:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+221j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+228j
		mov	eax, [esi+0Ch]
		mov	dword ptr [eax], 0C0000022h
		jmp	loc_66E0D2
; 

loc_66CE1D:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+24Cj
		mov	eax, [esi+8]
		mov	[eax], edx
		mov	eax, [esi+0Ch]
		and	dword ptr [eax], 0
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_66CE32
		and	dword ptr [eax], 0

loc_66CE32:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+26Cj
		mov	al, cl
		jmp	loc_66E0D4
; 

loc_66CE39:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+245j
		mov	eax, [esi+4]
		cmp	eax, ecx
		jz	short loc_66CE53
		cmp	eax, [ebx+18h]
		jz	short loc_66CE53
		mov	eax, [esi+0Ch]
		mov	dword ptr [eax], 0C000000Dh
		jmp	loc_66E0D2
; 

loc_66CE53:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+27Dj
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+282j
		cmp	[ebp+var_1D1], 0
		jnz	short loc_66CE65
		push	edi
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)
		mov	edx, [ebx+4]

loc_66CE65:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+299j
		mov	edx, [edx+8]
		lea	eax, [ebp+var_1FC]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	edi
		call	SepTrustLevelCheck
		mov	ecx, [esi+0Ch]
		mov	[ecx], eax
		mov	edx, [esi+0Ch]
		cmp	dword ptr [edx], 0
		jge	short loc_66CE9A
		cmp	[ebp+var_1D1], 0
		jnz	loc_66E0D2
		push	edi
		jmp	loc_66D100
; 

loc_66CE9A:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+2C4j
		mov	eax, [ebx+8]
		mov	edi, [ebp+var_1FC]
		and	eax, 0FDFFFFFFh
		mov	ecx, eax
		and	ecx, edi
		sub	ecx, eax
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 0C0000022h
		mov	[edx], ecx
		mov	edx, [ebp+var_1DC]
		mov	eax, [esi+0Ch]
		mov	ecx, [edx]
		cmp	dword ptr [eax], 0
		mov	[ebp+var_1E4], ecx
		jge	short loc_66CF4F
		test	ecx, ecx
		jnz	short loc_66CEDD
		mov	eax, [edx+8]
		mov	[ebp+var_1E4], eax

loc_66CEDD:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+311j
		mov	eax, [ebx+0Ch]
		mov	ecx, edx
		or	eax, [ebx+8]
		push	0
		push	0
		push	eax
		mov	eax, [ebx+4]
		push	dword ptr [eax+8]
		call	_SepLocateTokenTrustLevel@4 ; SepLocateTokenTrustLevel(x)
		mov	ecx, [ebp+var_1E4]
		xor	edx, edx
		push	eax
		push	0
		call	SeLogAccessFailure
		cmp	[ebp+var_1D1], 0
		jnz	short loc_66CF19
		push	[ebp+var_1DC]
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)

loc_66CF19:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+34Bj
		mov	eax, [ebp+var_1F4]
		not	edi
		mov	ecx, [esi+10h]
		and	edi, eax
		test	ecx, ecx
		jz	loc_66E0D2
		xor	eax, eax
		inc	eax

loc_66CF31:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+38Cj
		test	eax, eax
		jz	loc_66E0D2
		test	eax, edi
		jz	short loc_66CF48
		cmp	dword ptr [ecx], 0
		jnz	short loc_66CF48
		mov	dword ptr [ecx], (offset loc_8FFFFD+3)

loc_66CF48:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+37Aj
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+37Fj
		add	ecx, 4
		add	eax, eax
		jmp	short loc_66CF31
; 

loc_66CF4F:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+30Dj
		test	ecx, ecx
		jz	short loc_66CF57
		mov	eax, ecx
		jmp	short loc_66CF60
; 

loc_66CF57:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+390j
		mov	eax, [edx+8]
		mov	[ebp+var_1E4], eax

loc_66CF60:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+394j
		mov	ecx, [ebx+4]
		test	byte ptr [ecx+4], 4
		jnz	loc_66D02B
		mov	ecx, [ecx+8]
		lea	edx, [ebp+var_24C]
		push	edx
		push	0
		push	eax
		lea	edx, [ebp+var_200]
		call	SepFilterCheck
		mov	ecx, [esi+0Ch]
		mov	[ecx], eax
		mov	edx, [esi+0Ch]
		cmp	dword ptr [edx], 0
		jl	loc_66D0ED
		mov	eax, [ebx+8]
		mov	edi, [ebp+var_24C]
		and	eax, 0FDFFFFFFh
		mov	ecx, eax
		and	ecx, edi
		sub	ecx, eax
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 0C0000022h
		mov	[edx], ecx
		xor	ecx, ecx
		mov	eax, [esi+0Ch]
		cmp	[eax], ecx
		jge	short loc_66D025
		mov	eax, [ebx+0Ch]
		xor	edx, edx
		or	eax, [ebx+8]
		push	ecx
		push	ecx
		push	eax
		mov	eax, [ebx+4]
		push	dword ptr [eax+8]
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_1E4]
		call	SeLogAccessFailure
		cmp	[ebp+var_1D1], 0
		jnz	short loc_66CFF1
		push	[ebp+var_1DC]
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)

loc_66CFF1:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+423j
		mov	eax, [ebp+var_1F4]
		and	edi, eax
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	loc_66E0D2
		xor	eax, eax
		inc	eax

loc_66D007:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+462j
		test	eax, eax
		jz	loc_66E0D2
		test	eax, edi
		jz	short loc_66D01E
		cmp	dword ptr [ecx], 0
		jnz	short loc_66D01E
		mov	dword ptr [ecx], 0A00000h

loc_66D01E:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+450j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+455j
		add	ecx, 4
		add	eax, eax
		jmp	short loc_66D007
; 

loc_66D025:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+3FCj
		mov	edx, [ebp+var_1DC]

loc_66D02B:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+3A6j
		mov	edi, [ebx+4]
		xor	ecx, ecx
		inc	ecx
		mov	eax, [edi+4]
		mov	[ebp+var_1D4], al
		and	[ebp+var_1D4], cl
		test	al, 2
		mov	eax, [ebp+var_1E4]
		jz	short loc_66D05E
		test	dword ptr [eax+0B0h], 2000h
		mov	byte ptr [ebp+var_1E0],	cl
		jz	short loc_66D065
		jmp	short loc_66D067
; 

loc_66D05E:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+487j
		mov	byte ptr [ebp+var_1E0],	0

loc_66D065:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+499j
		xor	cl, cl

loc_66D067:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+49Bj
		cmp	ds:_SepAllowAccessUponLogoff, 0
		mov	[ebp+var_206], cl
		jnz	short loc_66D0AE
		test	byte ptr [eax+0B0h], 20h
		jnz	short loc_66D0AE
		mov	eax, [eax+0C0h]
		test	eax, eax
		jz	short loc_66D0AE
		test	byte ptr [eax+18h], 20h
		jz	short loc_66D0AE
		mov	eax, [esi+8]
		and	dword ptr [eax], 0
		cmp	[ebp+var_1D1], 0
		mov	eax, [esi+0Ch]
		mov	dword ptr [eax], 0C0000022h
		jnz	loc_66E0D2
		push	edx
		jmp	short loc_66D100
; 

loc_66D0AE:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+4B3j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+4BCj ...
		mov	[ebp+var_1E5], 0
		test	cl, cl
		jnz	loc_66D1BE
		mov	edx, [edi+8]
		lea	eax, [ebp+var_260]
		mov	ecx, [ebx+14h]
		push	eax
		push	[ebp+arg_14]
		push	0
		push	[ebp+var_1E4]
		push	[ebp+var_1E0]
		call	SepMandatoryIntegrityCheck
		mov	ecx, [esi+0Ch]
		mov	[ecx], eax
		mov	edi, [esi+0Ch]
		cmp	dword ptr [edi], 0
		jge	short loc_66D10A

loc_66D0ED:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+3CFj
		cmp	[ebp+var_1D1], 0
		jnz	loc_66E0D2
		push	[ebp+var_1DC]

loc_66D100:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+2D4j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+4EBj
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		jmp	loc_66E0D2
; 

loc_66D10A:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+52Aj
		mov	edx, [ebx+8]
		lea	ecx, [ebp+var_260]
		call	_SepMandatoryToDiscretionary@8 ; SepMandatoryToDiscretionary(x,x)
		mov	[edi], eax
		mov	eax, [esi+0Ch]
		cmp	dword ptr [eax], 0
		jge	short loc_66D190
		mov	eax, [ebp+var_1E4]
		test	dword ptr [eax+0B0h], 4000h
		jz	short loc_66D140
		cmp	[ebp+var_254], 2000h
		jbe	short loc_66D1B7

loc_66D140:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+571j
		cmp	[ebp+var_1D1], 0
		jnz	short loc_66D154
		push	[ebp+var_1DC]
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)

loc_66D154:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+586j
		mov	edx, [ebp+var_260]
		mov	eax, [ebp+var_1F4]
		not	edx
		mov	ecx, [esi+10h]
		and	edx, eax
		test	ecx, ecx
		jz	loc_66E0D2
		xor	eax, eax
		inc	eax

loc_66D172:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+5CDj
		test	eax, eax
		jz	loc_66E0D2
		test	eax, edx
		jz	short loc_66D189
		cmp	dword ptr [ecx], 0
		jnz	short loc_66D189
		mov	dword ptr [ecx], 300000h

loc_66D189:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+5BBj
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+5C0j
		add	ecx, 4
		add	eax, eax
		jmp	short loc_66D172
; 

loc_66D190:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+55Fj
		test	dword ptr [ebx+8], 2000000h
		jz	short loc_66D1BE
		mov	eax, [ebp+var_1E4]
		test	dword ptr [eax+0B0h], 4000h
		jz	short loc_66D1BE
		cmp	[ebp+var_254], 2000h
		ja	short loc_66D1BE

loc_66D1B7:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+57Dj
		mov	[ebp+var_1E5], 1

loc_66D1BE:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+4F6j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+5D6j ...
		cmp	ds:_SepRmEnforceCap, 0
		jz	short loc_66D209
		mov	eax, [ebx+4]
		mov	eax, [eax+8]
		test	byte ptr [eax+2], 10h
		jz	short loc_66D209
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_66D209
		mov	eax, [ebx+4]
		mov	ecx, [eax+8]
		movzx	eax, word ptr [ecx+2]
		mov	edx, eax
		test	al, 10h
		jnz	short loc_66D1F7
		xor	ecx, ecx
		mov	[ebp+var_225+1], ecx
		jmp	short loc_66D20F
; 

loc_66D1F7:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+62Aj
		test	dx, dx
		jns	short loc_66D230
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jnz	short loc_66D22C
		and	[ebp+var_225+1], eax

loc_66D209:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+604j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+610j ...
		mov	cl, [ebp+var_1D2]

loc_66D20F:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+634j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+6A9j
		mov	al, [ebp+var_1D4]
		test	al, al
		jz	short loc_66D26C
		mov	edi, [ebx+8]
		test	edi, 2060000h
		jnz	short loc_66D26C
		test	cl, cl
		jnz	short loc_66D26C
		xor	dl, dl
		jmp	short loc_66D28C
; 

loc_66D22C:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+640j
		add	ecx, eax
		jmp	short loc_66D233
; 

loc_66D230:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+639j
		mov	ecx, [ecx+0Ch]

loc_66D233:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+66Dj
		mov	[ebp+var_225+1], ecx
		test	ecx, ecx
		jz	short loc_66D209
		call	_SepGetScopedPolicySid@4 ; SepGetScopedPolicySid(x)
		test	eax, eax
		jz	short loc_66D209
		lea	edx, [ebp+var_1F8]
		mov	ecx, eax
		call	_SepRmReferenceFindCap@8 ; SepRmReferenceFindCap(x,x)
		test	eax, eax
		jns	short loc_66D262
		mov	eax, ds:_SepRmDefaultCap
		mov	[ebp+var_1F8], eax

loc_66D262:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+694j
		mov	cl, 1
		mov	[ebp+var_1D2], cl
		jmp	short loc_66D20F
; 

loc_66D26C:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+656j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+661j ...
		mov	edx, [ebx+4]
		push	[ebp+arg_14]
		push	ecx
		mov	edx, [edx+8]
		mov	ecx, [ebp+var_1E4]
		call	SepTokenIsOwner
		mov	edi, [ebx+8]
		mov	dl, al
		mov	al, [ebp+var_1D4]

loc_66D28C:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+669j
		mov	byte ptr [ebp+var_230],	dl
		mov	ecx, edi
		test	dl, dl
		jz	loc_66D36D
		test	edi, 2060000h
		jz	loc_66D36D
		test	al, al
		jnz	short loc_66D2DE
		mov	eax, [ebx+4]
		mov	ecx, [eax+8]
		movzx	eax, word ptr [ecx+2]
		mov	edx, eax
		test	al, 4
		jnz	short loc_66D2C0
		xor	edx, edx
		jmp	short loc_66D2D1
; 

loc_66D2C0:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+6F9j
		test	dx, dx
		mov	edx, [ecx+10h]
		jns	short loc_66D2D1
		lea	eax, [ecx+edx]
		neg	edx
		sbb	edx, edx
		and	edx, eax

loc_66D2D1:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+6FDj
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+705j
		xor	cl, cl
		call	RtlpOwnerAcesPresent
		test	al, al
		jz	short loc_66D2E8
		xor	al, al

loc_66D2DE:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+6E9j
		mov	ecx, edi
		test	al, al
		jz	loc_66D36D

loc_66D2E8:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+719j
		mov	edi, [ebx+8]
		mov	eax, edi
		mov	ecx, edi
		and	eax, 2000000h
		jz	short loc_66D2FD
		mov	edi, 60000h
		jmp	short loc_66D303
; 

loc_66D2FD:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+733j
		and	edi, 60000h

loc_66D303:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+73Aj
		or	[ebx+0Ch], edi
		test	eax, eax
		jz	short loc_66D311
		mov	eax, 60000h
		jmp	short loc_66D31C
; 

loc_66D311:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+747j
		mov	eax, [ebp+var_1F4]
		and	eax, 60000h

loc_66D31C:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+74Ej
		mov	edx, [esi+10h]
		mov	[ebp+var_1D8], 1
		test	edx, edx
		jz	short loc_66D350
		mov	ecx, [ebp+var_1D8]

loc_66D333:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+78Aj
		test	ecx, ecx
		jz	short loc_66D34D
		test	ecx, eax
		jz	short loc_66D346
		cmp	dword ptr [edx], 0
		jnz	short loc_66D346
		mov	dword ptr [edx], 400000h

loc_66D346:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+778j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+77Dj
		add	edx, 4
		add	ecx, ecx
		jmp	short loc_66D333
; 

loc_66D34D:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+774j
		mov	ecx, [ebx+8]

loc_66D350:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+76Aj
		mov	al, [ebp+var_1D2]
		and	ecx, 0FFF9FFFFh
		xor	edx, edx
		mov	[ebx+8], ecx
		test	al, al
		jnz	short loc_66D375
		mov	byte ptr [ebp+var_230],	dl
		jmp	short loc_66D375
; 

loc_66D36D:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+6D5j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+6E1j ...
		mov	al, [ebp+var_1D2]
		xor	edx, edx

loc_66D375:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+7A2j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+7AAj
		test	ecx, ecx
		jnz	short loc_66D3BA
		test	al, al
		jnz	short loc_66D3BA
		mov	eax, [ebp+var_1E4]
		test	dword ptr [eax+0B0h], 2000h
		jnz	short loc_66D393
		test	edi, edi
		jnz	short loc_66D3BA

loc_66D393:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+7CCj
		cmp	[ebp+var_1D1], 0
		jnz	short loc_66D3A7
		push	[ebp+var_1DC]
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)

loc_66D3A7:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+7D9j
		mov	ecx, [esi+8]
		mov	eax, [ebx+0Ch]
		mov	[ecx], eax
		mov	eax, [esi+0Ch]
		and	dword ptr [eax], 0
		jmp	loc_66CDD6
; 

loc_66D3BA:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+7B6j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+7BAj ...
		push	[ebp+arg_14]
		lea	eax, [ebp+var_1D3]
		mov	[ebp+var_1C], edx
		push	edx
		push	eax
		lea	eax, [ebp+var_200]
		mov	[ebp+var_18], edx
		push	eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_14], edx
		push	eax
		push	[ebp+arg_10]
		mov	eax, [ebp+var_1DC]
		push	[ebp+var_230]
		mov	[ebp+var_10], edx
		push	edx
		push	dword ptr [esi+10h]
		mov	[ebp+var_C], edx
		push	dword ptr [esi+0Ch]
		mov	[ebp+var_8], edx
		push	dword ptr [esi+14h]
		mov	[ebp+var_20], edi
		push	dword ptr [esi+8]
		push	[ebp+arg_C]
		push	dword ptr [ebx+0Ch]
		push	dword ptr [ebx+14h]
		push	edx
		push	edx
		push	ecx
		mov	ecx, [ebx+4]
		xor	edx, edx
		push	dword ptr [eax]
		push	dword ptr [eax+8]
		mov	ecx, [ecx+8]
		call	_SepAccessCheckEx@88 ; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		cmp	ds:_SepRmEnforceCap, 0
		mov	[ebp+var_207], al
		mov	eax, [ebp+var_1F8]
		mov	[ebp+var_20C], eax
		jz	loc_66DD31
		mov	ecx, [esi+0Ch]
		mov	eax, [ecx]
		mov	[ebp+var_214], eax
		test	eax, eax
		js	loc_66DD31
		cmp	[ebp+var_1D2], 0
		jz	loc_66DD31
		mov	eax, [esi+8]
		xor	edi, edi
		and	[ebp+var_218], edi
		mov	[ebp+var_220], edi
		mov	[ebp+var_1D4], 0
		mov	ecx, [eax]
		mov	[ebp+var_22C], ecx
		mov	[ebp+var_1F4], ecx
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jz	short loc_66D508
		mov	ecx, [ecx]
		test	ecx, ecx
		jz	short loc_66D508
		mov	eax, [ecx]
		mov	[ebp+var_204], eax
		test	eax, eax
		jz	short loc_66D508
		add	ecx, 0Ch

loc_66D4A0:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+945j
		cmp	[ecx+4], edi
		jge	short loc_66D4FA
		mov	edx, [ecx-4]
		cmp	edx, ds:_SeSecurityPrivilege
		jnz	short loc_66D4C6
		mov	eax, [ecx]
		cmp	eax, ds:dword_A94A3C
		jnz	short loc_66D4C6
		or	[ebp+var_218], 1000000h
		jmp	short loc_66D4F4
; 

loc_66D4C6:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+8EDj
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+8F7j
		cmp	edx, ds:_SeTakeOwnershipPrivilege
		jnz	short loc_66D4D8
		mov	eax, [ecx]
		cmp	eax, ds:dword_A94CBC
		jz	short loc_66D4EA

loc_66D4D8:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+90Bj
		cmp	edx, ds:_SeRelabelPrivilege
		jnz	short loc_66D4F4
		mov	eax, [ecx]
		cmp	eax, ds:dword_A94A4C
		jnz	short loc_66D4F4

loc_66D4EA:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+915j
		or	[ebp+var_218], 80000h

loc_66D4F4:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+903j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+91Dj ...
		mov	eax, [ebp+var_204]

loc_66D4FA:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+8E2j
		add	ecx, 0Ch
		sub	eax, 1
		mov	[ebp+var_204], eax
		jnz	short loc_66D4A0

loc_66D508:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+8C8j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+8CEj ...
		mov	eax, [ebp+var_22C]
		mov	ecx, 82h
		push	[ebp+var_1DC]
		mov	[ebp+var_21C], eax
		xor	eax, eax
		inc	eax
		push	eax
		mov	dl, al
		call	SepAdtAuditThisEventWithContext
		mov	[ebp+var_205], al
		test	al, al
		jz	loc_66D5DF
		mov	eax, [ebp+var_20C]
		push	41536553h
		mov	ecx, [eax+20h]
		shl	ecx, 3
		push	ecx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_220], edi
		test	edi, edi
		jnz	short loc_66D5C7
		cmp	[ebp+var_1D1], al
		jnz	short loc_66D573
		push	[ebp+var_1DC]
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)

loc_66D573:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+9A5j
		mov	eax, [ebp+var_20C]
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_66D59B
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+24h], eax
		dec	eax
		test	eax, eax
		jg	short loc_66D59B
		jz	short loc_66D596
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_66D59B
; 

loc_66D596:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+9CCj
		call	_SepRmDestroyCapTable@4	; SepRmDestroyCapTable(x)

loc_66D59B:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+9BDj
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+9CAj ...
		mov	eax, [esi+8]
		and	dword ptr [eax], 0
		mov	eax, [esi+0Ch]
		mov	dword ptr [eax], 0C0000017h
		mov	esi, [ebp+var_200]
		test	esi, esi
		jz	loc_66E0D2
		mov	ecx, esi
		call	AuthzBasepFreeSecurityAttributesList
		push	0
		push	esi
		jmp	loc_66DC18
; 

loc_66D5C7:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+99Dj
		mov	eax, [ebp+var_20C]
		mov	eax, [eax+20h]
		shl	eax, 3
		push	eax		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_66D5DF:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+971j
		mov	eax, [ebp+var_20C]
		and	[ebp+var_1F8], 0
		mov	edx, [eax+20h]
		mov	[ebp+var_1EC], edx
		test	edx, edx
		jz	loc_66DAE2
		add	eax, 24h
		mov	[ebp+var_1E0], eax

loc_66D606:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+F1Bj
		push	2Ch		; size_t
		lea	eax, [ebp+var_4C]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_1E0]
		add	esp, 0Ch
		mov	eax, [eax]
		mov	[ebp+var_204], eax
		cmp	dword ptr [eax+0Ch], 0
		jz	loc_66D7D2
		cmp	[ebp+var_200], 0
		jnz	short loc_66D653
		mov	ecx, [ebp+var_225+1]
		lea	edx, [ebp+var_200]
		call	AuthzBasepInitializeResourceClaimsFromSacl
		test	eax, eax
		jns	short loc_66D653
		mov	[ebp+var_1D4], 1

loc_66D653:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+A74j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+A89j
		mov	eax, [ebp+var_1E4]
		mov	eax, [eax+27Ch]
		test	eax, eax
		jz	short loc_66D671
		mov	ecx, [eax+12Ch]
		mov	[ebp+var_1EC], ecx
		jmp	short loc_66D678
; 

loc_66D671:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+AA0j
		and	[ebp+var_1EC], 0

loc_66D678:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+AAEj
		test	eax, eax
		jz	short loc_66D684
		mov	edx, [eax+124h]
		jmp	short loc_66D686
; 

loc_66D684:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+AB9j
		xor	edx, edx

loc_66D686:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+AC1j
		test	eax, eax
		jz	short loc_66D692
		mov	ecx, [eax+128h]
		jmp	short loc_66D694
; 

loc_66D692:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+AC7j
		xor	ecx, ecx

loc_66D694:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+ACFj
		test	eax, eax
		jz	short loc_66D6A0
		mov	eax, [eax+120h]
		jmp	short loc_66D6A2
; 

loc_66D6A0:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+AD5j
		xor	eax, eax

loc_66D6A2:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+ADDj
		lea	edi, [ebp+var_238]
		push	edi
		mov	edi, [ebp+var_204]
		push	0
		push	1
		push	dword ptr [edi+8]
		push	dword ptr [edi+0Ch]
		push	[ebp+var_1EC]
		push	edx
		push	ecx
		push	eax
		mov	eax, [ebp+var_1E4]
		mov	ecx, eax
		push	[ebp+var_200]
		mov	edx, [eax+1DCh]
		call	AuthzBasepEvaluateAceCondition
		cmp	[ebp+var_238], 1
		mov	edi, [ebp+var_220]
		mov	[ebp+var_1D8], eax
		jz	loc_66D7CC
		test	eax, eax
		js	loc_66DBA8
		push	[ebp+var_1E4]
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		test	al, al
		jz	loc_66D7B6
		mov	eax, [ebp+var_1E4]
		mov	eax, [eax+27Ch]
		test	eax, eax
		jz	short loc_66D72D
		mov	ecx, [eax+12Ch]
		mov	[ebp+var_1EC], ecx
		jmp	short loc_66D734
; 

loc_66D72D:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+B5Cj
		and	[ebp+var_1EC], 0

loc_66D734:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+B6Aj
		test	eax, eax
		jz	short loc_66D746
		mov	ecx, [eax+124h]
		mov	[ebp+var_1D8], ecx
		jmp	short loc_66D74D
; 

loc_66D746:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+B75j
		and	[ebp+var_1D8], 0

loc_66D74D:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+B83j
		test	eax, eax
		jz	short loc_66D759
		mov	edx, [eax+128h]
		jmp	short loc_66D75B
; 

loc_66D759:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+B8Ej
		xor	edx, edx

loc_66D75B:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+B96j
		test	eax, eax
		jz	short loc_66D767
		mov	ecx, [eax+120h]
		jmp	short loc_66D769
; 

loc_66D767:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+B9Cj
		xor	ecx, ecx

loc_66D769:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+BA4j
		lea	eax, [ebp+var_238]
		push	eax
		xor	eax, eax
		inc	eax
		push	eax
		push	eax
		mov	eax, [ebp+var_204]
		push	dword ptr [eax+8]
		push	dword ptr [eax+0Ch]
		mov	eax, [ebp+var_1E4]
		push	[ebp+var_1EC]
		push	[ebp+var_1D8]
		push	edx
		mov	edx, [eax+1DCh]
		push	ecx
		push	[ebp+var_200]
		mov	ecx, eax
		call	AuthzBasepEvaluateAceCondition
		mov	[ebp+var_1D8], eax
		test	eax, eax
		js	loc_66DBA8

loc_66D7B6:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+B48j
		cmp	[ebp+var_1D4], 0
		jnz	short loc_66D7CC
		cmp	[ebp+var_238], 1
		jnz	loc_66DAB7

loc_66D7CC:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+B2Dj
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+BFCj
		mov	eax, [ebp+var_204]

loc_66D7D2:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+A67j
		push	[ebp+var_225+1]
		mov	edx, [eax+10h]
		lea	ecx, [ebp+var_274]
		call	_SepBuildCapeSecurityDescriptor@12 ; SepBuildCapeSecurityDescriptor(x,x,x)
		mov	[ebp+var_1D8], eax
		test	eax, eax
		js	loc_66DBA8
		mov	eax, [ebp+var_204]
		mov	ecx, [ebx+8]
		mov	[ebp+var_214], ecx
		test	byte ptr [eax+18h], 1
		jz	short loc_66D823
		test	ecx, 2000000h
		jnz	short loc_66D81A
		or	ecx, [ebx+0Ch]
		mov	[ebp+var_214], ecx

loc_66D81A:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+C4Ej
		and	[ebp+var_1EC], 0
		jmp	short loc_66D832
; 

loc_66D823:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+C46j
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_1EC], eax
		mov	[ebp+var_214], ecx

loc_66D832:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+C60j
		push	2Ch		; size_t
		lea	eax, [ebp+var_4C]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_1D3]
		xor	ecx, ecx
		xor	edx, edx
		push	[ebp+arg_14]
		push	ecx
		push	eax
		lea	eax, [ebp+var_200]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+arg_10]
		lea	eax, [ebp+var_1D0]
		push	[ebp+var_230]
		push	ecx
		push	eax
		lea	eax, [ebp+var_244]
		push	eax
		push	ecx
		lea	eax, [ebp+var_234]
		push	eax
		push	[ebp+arg_C]
		lea	eax, [ebp+var_4C]
		push	[ebp+var_1EC]
		lea	ecx, [ebp+var_274]
		push	dword ptr [ebx+14h]
		push	1
		push	eax
		mov	eax, [ebp+var_214]
		or	eax, 2000000h
		push	eax
		mov	eax, [ebp+var_1DC]
		push	dword ptr [eax]
		push	dword ptr [eax+8]
		call	_SepAccessCheckEx@88 ; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edx, [ebp+var_30]
		or	edx, [ebp+var_218]
		mov	[ebp+var_207], al
		mov	eax, [esi+8]
		mov	ecx, [eax]
		or	ecx, [ebp+var_1EC]
		and	ecx, [ebp+var_234]
		cmp	byte ptr [ebp+var_230],	0
		mov	[ebp+var_234], ecx
		jz	short loc_66D8E8
		mov	eax, ecx
		and	eax, 60000h
		or	edx, eax

loc_66D8E8:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+D1Cj
		mov	eax, [ebp+var_2C]
		not	eax
		and	edx, eax
		and	[ebp+var_22C], ecx
		jnz	short loc_66D903
		mov	[ebp+var_214], 0C0000022h
		jmp	short loc_66D90F
; 

loc_66D903:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+D34j
		mov	eax, [ebp+var_244]
		mov	[ebp+var_214], eax

loc_66D90F:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+D40j
		mov	ecx, edx
		xor	ecx, [ebp+var_21C]
		and	ecx, [ebp+var_21C]
		jz	short loc_66D96B
		lea	edi, [ebp+var_D0]
		xor	eax, eax
		mov	esi, edi
		inc	eax
		mov	edi, [ebp+var_1F8]

loc_66D930:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+D96j
		mov	[ebp+var_1D8], eax
		test	eax, eax
		jz	short loc_66D959
		test	eax, ecx
		jz	short loc_66D952
		cmp	dword ptr [esi], 0
		jnz	short loc_66D952
		mov	eax, edi
		or	eax, 50000h
		mov	[esi], eax
		mov	eax, [ebp+var_1D8]

loc_66D952:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+D7Bj
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+D80j
		add	esi, 4
		add	eax, eax
		jmp	short loc_66D930
; 

loc_66D959:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+D77j
		and	[ebp+var_21C], edx
		mov	esi, [ebp+var_210]
		mov	edi, [ebp+var_220]

loc_66D96B:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+D5Cj
		cmp	[ebp+var_205], 0
		jz	loc_66DAB7
		mov	eax, [ebp+var_204]
		mov	edx, [eax+14h]
		test	edx, edx
		jz	loc_66DA8B
		push	[ebp+var_225+1]
		lea	ecx, [ebp+var_288]
		call	_SepBuildCapeSecurityDescriptor@12 ; SepBuildCapeSecurityDescriptor(x,x,x)
		mov	[ebp+var_1D8], eax
		test	eax, eax
		js	loc_66DBA8
		mov	eax, [ebp+var_204]
		mov	ecx, [ebx+8]
		mov	[ebp+var_1EC], ecx
		test	dword ptr [eax+18h], 100h
		jz	short loc_66D9DA
		test	ecx, 2000000h
		jnz	short loc_66D9D1
		or	ecx, [ebx+0Ch]
		mov	[ebp+var_1EC], ecx

loc_66D9D1:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+E05j
		and	[ebp+var_1D8], 0
		jmp	short loc_66D9E9
; 

loc_66D9DA:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+DFDj
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_1EC], ecx
		mov	[ebp+var_1D8], eax

loc_66D9E9:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+E17j
		push	2Ch		; size_t
		lea	eax, [ebp+var_4C]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_225]
		xor	ecx, ecx
		xor	edx, edx
		push	[ebp+arg_14]
		push	ecx
		push	eax
		lea	eax, [ebp+var_200]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+arg_10]
		lea	eax, [ebp+var_1D0]
		push	[ebp+var_230]
		push	ecx
		push	eax
		lea	eax, [ebp+var_250]
		push	eax
		push	ecx
		lea	eax, [ebp+var_23C]
		push	eax
		push	[ebp+arg_C]
		mov	eax, [ebp+var_1DC]
		push	[ebp+var_1D8]
		push	dword ptr [ebx+14h]
		push	ecx
		push	ecx
		push	[ebp+var_1EC]
		lea	ecx, [ebp+var_288]
		push	dword ptr [eax]
		push	dword ptr [eax+8]
		call	_SepAccessCheckEx@88 ; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_1F8]
		mov	eax, [ebp+var_218]
		mov	byte ptr [edi+ecx*8+4],	1
		or	eax, [ebp+var_23C]
		mov	[edi+ecx*8], eax
		mov	ecx, [ebp+var_1F4]
		and	ecx, [ebp+var_23C]
		mov	[ebp+var_1F4], ecx
		jmp	short loc_66DAB7
; 

loc_66DA8B:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+DC2j
		mov	ecx, [ebp+var_1F8]
		mov	eax, [ebp+var_218]
		mov	byte ptr [edi+ecx*8+4],	1
		or	eax, [ebp+var_234]
		mov	[edi+ecx*8], eax
		mov	eax, [ebp+var_1F4]
		and	eax, [ebp+var_234]
		mov	[ebp+var_1F4], eax

loc_66DAB7:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+C05j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+DB1j ...
		mov	ecx, [ebp+var_20C]
		mov	eax, [ebp+var_1F8]
		add	[ebp+var_1E0], 4
		inc	eax
		mov	[ebp+var_1F8], eax
		mov	edx, [ecx+20h]
		mov	[ebp+var_1EC], edx
		cmp	eax, edx
		jb	loc_66D606

loc_66DAE2:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+A36j
		cmp	[ebp+var_205], 0
		jz	loc_66DCD5
		mov	eax, [ebp+var_1F4]
		mov	ecx, [ebp+var_22C]
		cmp	eax, ecx
		jz	loc_66DCD5
		mov	edi, eax
		xor	edi, ecx
		mov	ecx, edi
		and	edi, eax
		and	ecx, [ebp+var_22C]
		xor	eax, eax
		mov	[ebp+var_1F4], ecx
		mov	[ebp+var_21C], edi
		mov	[ebp+var_1F8], eax
		test	edx, edx
		jz	loc_66DCD5
		mov	esi, [ebp+var_220]
		xor	ebx, ebx

loc_66DB35:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1102j
		test	edi, edi
		jnz	short loc_66DB41
		test	ecx, ecx
		jz	loc_66DCC9

loc_66DB41:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+F76j
		cmp	[esi+eax*8+4], bl
		jz	loc_66DCBA
		mov	edx, [esi+eax*8]
		mov	ecx, edx
		mov	eax, [ebp+var_1F4]
		xor	ecx, eax
		and	ecx, eax
		jz	loc_66DC34
		lea	esi, [ebp+var_150]
		mov	[ebp+var_1E0], esi
		lea	eax, [ebx+1]
		mov	esi, [ebp+var_1F8]
		mov	edi, [ebp+var_1E0]

loc_66DB7B:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+FE5j
		mov	[ebp+var_1D8], eax
		test	eax, eax
		jz	loc_66DC22
		test	eax, ecx
		jz	short loc_66DBA1
		cmp	[edi], ebx
		jnz	short loc_66DBA1
		mov	eax, esi
		or	eax, 0FFFFFF80h
		shl	eax, 18h
		mov	[edi], eax
		mov	eax, [ebp+var_1D8]

loc_66DBA1:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+FCAj
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+FCEj
		add	edi, 4
		add	eax, eax
		jmp	short loc_66DB7B
; 

loc_66DBA8:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+B35j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+BEFj ...
		cmp	[ebp+var_1D1], 0
		jnz	short loc_66DBBC
		push	[ebp+var_1DC]
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)

loc_66DBBC:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+FEEj
		mov	eax, [ebp+var_20C]
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_66DBE4
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+24h], eax
		dec	eax
		test	eax, eax
		jg	short loc_66DBE4
		jz	short loc_66DBDF
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_66DBE4
; 

loc_66DBDF:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1015j
		call	_SepRmDestroyCapTable@4	; SepRmDestroyCapTable(x)

loc_66DBE4:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1006j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1013j ...
		mov	eax, [esi+8]
		xor	ebx, ebx
		mov	ecx, [ebp+var_1D8]
		mov	[eax], ebx
		mov	eax, [esi+0Ch]
		mov	[eax], ecx
		mov	esi, [ebp+var_200]
		test	esi, esi
		jz	short loc_66DC0E
		mov	ecx, esi
		call	AuthzBasepFreeSecurityAttributesList
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_66DC0E:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+103Dj
		test	edi, edi
		jz	loc_66E0D2
		push	ebx
		push	edi

loc_66DC18:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+A01j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_66E0D2
; 

loc_66DC22:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+FC2j
		mov	edi, [ebp+var_21C]
		mov	esi, [ebp+var_220]
		mov	eax, [ebp+var_1F4]

loc_66DC34:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+F99j
		not	ecx
		and	eax, ecx
		mov	[ebp+var_1F4], eax
		and	edx, edi
		jz	short loc_66DC88
		mov	esi, [ebp+var_1F8]
		lea	ecx, [ebx+1]
		lea	eax, [ebp+var_150]

loc_66DC51:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+10B9j
		mov	[ebp+var_1E0], eax
		test	ecx, ecx
		jz	short loc_66DC7C
		test	ecx, edx
		jz	short loc_66DC75
		cmp	[eax], ebx
		jnz	short loc_66DC75
		mov	edi, [ebp+var_1E0]
		mov	eax, esi
		or	eax, 0FFFFFF80h
		shl	eax, 18h
		mov	[edi], eax
		mov	eax, edi

loc_66DC75:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+109Cj
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+10A0j
		add	eax, 4
		add	ecx, ecx
		jmp	short loc_66DC51
; 

loc_66DC7C:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1098j
		mov	edi, [ebp+var_21C]
		mov	esi, [ebp+var_220]

loc_66DC88:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+107Fj
		not	edx
		lea	ecx, [ebp+var_D0]
		and	edi, edx
		lea	edx, [ebp+var_150]
		push	0FF000000h
		mov	[ebp+var_21C], edi
		call	_AuthzBasepMergeAccessReasons@12 ; AuthzBasepMergeAccessReasons(x,x,x)
		mov	eax, [ebp+var_1F8]
		mov	ecx, [ebp+var_1F4]
		mov	edx, [ebp+var_1EC]

loc_66DCBA:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+F84j
		inc	eax
		mov	[ebp+var_1F8], eax
		cmp	eax, edx
		jb	loc_66DB35

loc_66DCC9:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+F7Aj
		mov	esi, [ebp+var_210]
		mov	ebx, [ebp+var_240]

loc_66DCD5:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+F28j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+F3Cj ...
		mov	eax, [ebp+var_220]
		test	eax, eax
		jz	short loc_66DCE7
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_66DCE7:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+111Cj
		mov	eax, [esi+0Ch]
		lea	edx, [ebp+var_D0]
		mov	ecx, [ebp+var_214]
		push	0
		mov	[eax], ecx
		mov	eax, [esi+8]
		mov	ecx, [ebp+var_22C]
		and	[eax], ecx
		mov	eax, [esi+0Ch]
		mov	ecx, [esi+10h]
		cmp	dword ptr [eax], 0
		setl	al
		dec	al
		and	[ebp+var_1D3], al
		call	_AuthzBasepMergeAccessReasons@12 ; AuthzBasepMergeAccessReasons(x,x,x)
		mov	ecx, [esi+10h]
		lea	edx, [ebp+var_D0]
		push	0FF000000h
		call	_AuthzBasepMergeAccessReasons@12 ; AuthzBasepMergeAccessReasons(x,x,x)

loc_66DD31:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+877j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+88Aj ...
		cmp	[ebp+var_206], 0
		jnz	short loc_66DDAE
		mov	edx, [ebx+8]
		test	edx, 2000000h
		jz	short loc_66DDAE
		cmp	[ebp+var_1E5], 0
		mov	eax, [esi+8]
		mov	edi, [eax]
		jz	short loc_66DD67
		cmp	byte ptr [ebp+var_C+2],	0
		jnz	loc_66DE06
		cmp	byte ptr [ebp+var_C+1],	0
		jnz	loc_66DE06

loc_66DD67:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1190j
		push	0
		lea	ecx, [ebp+var_1D3]
		push	ecx
		push	dword ptr [esi+0Ch]
		lea	ecx, [ebp+var_260]
		push	eax
		call	SepConstrainByMandatory
		mov	eax, [esi+8]
		xor	ecx, ecx
		mov	edx, [esi+10h]
		inc	ecx
		mov	eax, [eax]
		not	eax
		and	eax, edi
		mov	edi, ecx
		test	edx, edx
		jz	short loc_66DE09

loc_66DD94:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+11EBj
		test	edi, edi
		jz	short loc_66DE09
		test	edi, eax
		jz	short loc_66DDA7
		cmp	dword ptr [edx], 0
		jnz	short loc_66DDA7
		mov	dword ptr [edx], 300000h

loc_66DDA7:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+11D9j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+11DEj
		add	edx, 4
		add	edi, edi
		jmp	short loc_66DD94
; 

loc_66DDAE:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1177j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1182j
		cmp	[ebp+var_1E5], 0
		jz	short loc_66DE06
		cmp	byte ptr [ebp+var_C+2],	0
		jnz	short loc_66DE06
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr [ebp+var_C+1],	0
		jnz	short loc_66DE09
		mov	eax, [esi+0Ch]
		mov	dword ptr [eax], 0C0000022h
		mov	eax, [esi+8]
		and	dword ptr [eax], 0
		mov	eax, [esi+8]
		mov	edx, [esi+10h]
		mov	[ebp+var_1D3], 0
		mov	edi, [eax]
		mov	eax, ecx
		not	edi
		test	edx, edx
		jz	short loc_66DE09

loc_66DDEC:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1243j
		test	eax, eax
		jz	short loc_66DE09
		test	eax, edi
		jz	short loc_66DDFF
		cmp	dword ptr [edx], 0
		jnz	short loc_66DDFF
		mov	dword ptr [edx], 300000h

loc_66DDFF:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1231j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1236j
		add	edx, 4
		add	eax, eax
		jmp	short loc_66DDEC
; 

loc_66DE06:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1196j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+11A0j ...
		xor	ecx, ecx
		inc	ecx

loc_66DE09:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+11D1j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+11D5j ...
		or	edi, 0FFFFFFFFh
		test	dword ptr [ebx+8], 2000000h
		jz	loc_66DFAE
		mov	eax, [esi+8]
		mov	[ebp+var_210], eax
		mov	[ebp+var_1ED], 0
		mov	edx, [eax]
		mov	eax, [esi+0Ch]
		mov	[ebp+var_1E0], edx
		mov	[ebp+var_1D8], eax
		cmp	[ebp+var_1FC], edi
		jz	short loc_66DE7E
		mov	eax, edx
		and	eax, [ebp+var_1FC]
		cmp	eax, edx
		jz	short loc_66DE7E
		mov	edx, [ebp+var_210]
		test	eax, eax
		mov	[ebp+var_1ED], cl
		mov	[edx], eax
		mov	eax, [ebp+var_1D8]
		jnz	short loc_66DE75
		mov	dword ptr [eax], 0C0000022h
		mov	[ebp+var_1D3], 0
		jmp	short loc_66DE7E
; 

loc_66DE75:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+12A3j
		and	dword ptr [eax], 0
		mov	[ebp+var_1D3], cl

loc_66DE7E:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+127Fj
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+128Bj ...
		mov	eax, [esi+8]
		mov	edx, [esi+10h]
		mov	[ebp+var_1FC], ecx
		mov	ebx, [eax]
		not	ebx
		and	ebx, [ebp+var_1E0]
		mov	[ebp+var_1D8], ebx
		mov	ebx, [ebp+var_240]
		test	edx, edx
		jz	short loc_66DED4
		mov	eax, [ebp+var_1D8]

loc_66DEAA:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+130Ej
		cmp	[ebp+var_1FC], 0
		jz	short loc_66DED1
		test	[ebp+var_1FC], eax
		jz	short loc_66DEC6
		cmp	dword ptr [edx], 0
		jnz	short loc_66DEC6
		mov	dword ptr [edx], (offset loc_8FFFFD+3)

loc_66DEC6:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+12F8j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+12FDj
		add	edx, 4
		shl	[ebp+var_1FC], 1
		jmp	short loc_66DEAA
; 

loc_66DED1:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+12F0j
		mov	eax, [esi+8]

loc_66DED4:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+12E1j
		mov	edx, [eax]
		mov	[ebp+var_1E0], edx
		mov	edx, [esi+0Ch]
		mov	[ebp+var_1D8], edx
		mov	edx, [ebx+8]
		mov	[ebp+var_210], edx
		mov	[ebp+var_1EE], 0
		cmp	[ebp+var_24C], edi
		jz	short loc_66DF6D
		mov	edx, [ebp+var_1E0]
		and	edx, [ebp+var_24C]
		cmp	edx, [ebp+var_1E0]
		jz	short loc_66DF6D
		and	[ebp+var_210], 2000000h
		cmp	[ebp+var_210], 0
		mov	[ebp+var_1EE], cl
		mov	[eax], edx
		jz	short loc_66DF57
		mov	ebx, [ebp+var_1D8]
		test	edx, edx
		setnz	al
		neg	edx
		sbb	edx, edx
		and	edx, 3FFFFFDEh
		add	edx, 0C0000022h
		mov	[ebx], edx
		mov	ebx, [ebp+var_240]
		mov	[ebp+var_1D3], al
		jmp	short loc_66DF6D
; 

loc_66DF57:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1369j
		mov	edx, [ebp+var_1D8]
		mov	dword ptr [edx], 0C0000022h
		cmp	dword ptr [eax], 0
		setnz	[ebp+var_1D3]

loc_66DF6D:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+133Aj
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+134Ej ...
		mov	eax, [esi+8]
		mov	edx, [esi+10h]
		mov	[ebp+var_1FC], ecx
		mov	eax, [eax]
		not	eax
		and	eax, [ebp+var_1E0]
		test	edx, edx
		jz	short loc_66DFAE

loc_66DF87:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+13EBj
		cmp	[ebp+var_1FC], 0
		jz	short loc_66DFAE
		test	[ebp+var_1FC], eax
		jz	short loc_66DFA3
		cmp	dword ptr [edx], 0
		jnz	short loc_66DFA3
		mov	dword ptr [edx], 0A00000h

loc_66DFA3:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+13D5j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+13DAj
		add	edx, 4
		shl	[ebp+var_1FC], 1
		jmp	short loc_66DF87
; 

loc_66DFAE:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1252j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+13C4j ...
		mov	eax, [ebp+var_1E4]
		test	eax, eax
		jz	loc_66E05A
		cmp	[ebp+var_1ED], 0
		jnz	short loc_66DFED
		cmp	[ebp+var_1EE], 0
		jnz	short loc_66DFED
		mov	edx, [ebp+var_14]
		test	edx, edx
		jnz	short loc_66E028
		test	dword ptr [eax+0B0h], 4000h
		jz	short loc_66E028
		mov	eax, [esi+0Ch]
		cmp	[eax], edx
		jl	short loc_66DFED
		cmp	byte ptr [ebp+var_C+3],	dl
		jz	short loc_66E028

loc_66DFED:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1402j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+140Bj ...
		mov	eax, [esi+0Ch]
		push	0
		mov	eax, [eax]
		shr	eax, 1Fh
		xor	al, cl
		mov	ecx, [ebp+var_1DC]
		movzx	eax, al
		push	eax
		mov	eax, [ebx+0Ch]
		or	eax, [ebx+8]
		push	eax
		mov	eax, [ebx+4]
		push	dword ptr [eax+8]
		call	_SepLocateTokenTrustLevel@4 ; SepLocateTokenTrustLevel(x)
		mov	ecx, [ebp+var_1E4]
		xor	edx, edx
		push	eax
		push	0
		call	SeLogAccessFailure
		mov	edx, [ebp+var_14]

loc_66E028:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1412j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+141Ej ...
		mov	eax, [esi+0Ch]
		cmp	dword ptr [eax], 0
		jge	short loc_66E05A
		test	edx, edx
		jnz	short loc_66E05A
		mov	eax, [ebp+var_1E4]
		test	dword ptr [eax+0B0h], 4000h
		jz	short loc_66E05A
		mov	edx, [ebx+8]
		lea	ecx, [ebp+var_20]
		call	SepLpacCausedAccessFailure
		test	al, al
		jz	short loc_66E05A
		call	_SepLogLpacAccessFailure@4 ; SepLogLpacAccessFailure(x)

loc_66E05A:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+13F5j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+146Dj ...
		cmp	[ebp+var_1D2], 0
		jz	short loc_66E088
		mov	eax, [ebp+var_20C]
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_66E088
		lock xadd [ecx+24h], edi
		dec	edi
		test	edi, edi
		jg	short loc_66E088
		jz	short loc_66E083
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_66E088
; 

loc_66E083:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+14B9j
		call	_SepRmDestroyCapTable@4	; SepRmDestroyCapTable(x)

loc_66E088:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+14A0j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+14ADj ...
		cmp	[ebp+var_1D1], 0
		jnz	short loc_66E09C
		push	[ebp+var_1DC]
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)

loc_66E09C:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+14CEj
		mov	esi, [ebp+var_200]
		test	esi, esi
		jz	short loc_66E0B5
		mov	ecx, esi
		call	AuthzBasepFreeSecurityAttributesList
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_66E0B5:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+14E3j
		cmp	[ebp+var_207], 0
		jz	short loc_66E0D2
		cmp	[ebp+var_1D3], 0
		jz	short loc_66E0D2
		xor	eax, eax
		inc	eax
		jmp	short loc_66E0D4
; 

loc_66E0CC:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+116j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+11Ej ...
		mov	dword ptr [ecx], 0C000000Dh

loc_66E0D2:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+F5j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+FEj ...
		xor	al, al

loc_66E0D4:				; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+217j
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+273j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_SepCommonAccessCheckExWithAdminlessChecks@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCopyObjectTypeList(x, x,	x)
_SepCopyObjectTypeList@12 proc near	; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8AB9p
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A84Ap

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	esp, 0Ch
		and	dword ptr [eax], 0
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, ecx
		test	ebx, ebx
		jz	short loc_66E178
		imul	eax, ebx, 2Ch
		push	744F6553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jnz	short loc_66E11D
		mov	eax, 0C000009Ah
		jmp	short loc_66E17A
; 

loc_66E11D:				; CODE XREF: SepCopyObjectTypeList(x,x,x)+2Fj
		test	ebx, ebx
		jz	short loc_66E173
		lea	eax, [esi+4]
		sub	esi, ecx
		lea	edx, [ecx+2]
		mov	[ebp+var_4], eax
		mov	ecx, esi
		push	edi

loc_66E12F:				; CODE XREF: SepCopyObjectTypeList(x,x,x)+88j
		mov	ax, [eax-4]
		lea	edi, [edx+2]
		mov	[edx-2], ax
		mov	ax, [ecx+edx]
		mov	[edx], ax
		lea	edx, [edx+2Ch]
		mov	eax, [ebp+var_4]
		mov	eax, [eax+10h]
		mov	[edx-1Ah], eax
		mov	eax, [ebp+var_4]
		mov	esi, eax
		add	eax, 2Ch
		mov	[ebp+var_4], eax
		movsd
		movsd
		movsd
		movsd
		xor	esi, esi
		mov	[edx-16h], esi
		mov	[edx-12h], esi
		mov	[edx-0Eh], esi
		mov	[edx-6], esi
		sub	ebx, 1
		jnz	short loc_66E12F
		mov	ecx, [ebp+var_C]
		pop	edi

loc_66E173:				; CODE XREF: SepCopyObjectTypeList(x,x,x)+3Aj
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_66E178:				; CODE XREF: SepCopyObjectTypeList(x,x,x)+16j
		xor	eax, eax

loc_66E17A:				; CODE XREF: SepCopyObjectTypeList(x,x,x)+36j
		pop	esi
		pop	ebx
		leave
		retn	4
_SepCopyObjectTypeList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SepDeviceSidInToken(void *,char,char,int)
_SepDeviceSidInToken@24	proc near	; CODE XREF: AuthzBasepDeviceMemberOf(x,x,x,x,x,x)+78p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+27Ch]
		test	eax, eax
		jnz	short loc_66E193
		xor	al, al
		jmp	short loc_66E1BE
; 

loc_66E193:				; CODE XREF: SepDeviceSidInToken(x,x,x,x,x,x)+Dj
		xor	ecx, ecx
		cmp	[ebp+arg_8], cl
		push	0		; char
		setnz	cl
		xor	edx, edx
		push	0		; char
		push	dword ptr [ebp+arg_8] ;	char
		dec	ecx
		push	dword ptr [ebp+arg_4] ;	char
		and	ecx, 0FFFFFF78h
		push	[ebp+arg_0]	; void *
		add	ecx, 98h
		add	ecx, eax
		call	SepSidInTokenSidHash

loc_66E1BE:				; CODE XREF: SepDeviceSidInToken(x,x,x,x,x,x)+11j
		pop	ebp
		retn	10h
_SepDeviceSidInToken@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepGetScopedPolicySid(x)
_SepGetScopedPolicySid@4 proc near	; CODE XREF: SeComputeCreatorDeniedRights(x,x,x,x)+B3p
					; SeAccessCheckWithHintWithAdminlessChecks+CF3B9p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx

loc_66E1CF:				; CODE XREF: SepGetScopedPolicySid(x)+28j
		lea	eax, [ebp+var_4]
		push	eax
		push	13h
		push	esi
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		test	eax, eax
		jz	short loc_66E1E5
		test	byte ptr [eax+1], 8
		jz	short loc_66E1EF

loc_66E1E5:				; CODE XREF: SepGetScopedPolicySid(x)+1Bj
		inc	[ebp+var_4]
		test	eax, eax
		jnz	short loc_66E1CF

loc_66E1EC:				; CODE XREF: SepGetScopedPolicySid(x)+30j
		pop	esi
		leave
		retn
; 

loc_66E1EF:				; CODE XREF: SepGetScopedPolicySid(x)+21j
		add	eax, 8
		jmp	short loc_66E1EC
_SepGetScopedPolicySid@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepGetStackTraceHash(x)
_SepGetStackTraceHash@4	proc near	; CODE XREF: SepLogLpacAccessFailure(x)+35p
					; NtQueryInformationToken(x,x,x,x,x)+1941p

var_5C		= dword	ptr -5Ch
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_48], 0
		lea	eax, [ebp+var_44]
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_50], ecx
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_5C]
		stosd
		add	esp, 0Ch
		stosd
		stosd
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		push	10h
		pop	esi
		push	esi
		push	2
		call	RtlCaptureStackBackTrace
		push	1
		push	esi
		lea	eax, [ebp+var_44]
		push	eax
		call	RtlWalkFrameChain
		mov	[ebp+var_4C], eax
		cmp	eax, esi
		jbe	short loc_66E253
		mov	eax, esi
		mov	[ebp+var_4C], esi

loc_66E253:				; CODE XREF: SepGetStackTraceHash(x)+58j
		mov	edi, [ebp+var_48]
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_66E28B
		xor	eax, eax

loc_66E25E:				; CODE XREF: SepGetStackTraceHash(x)+95j
		mov	esi, [ebp+eax*4+var_44]
		lea	eax, [ebp+var_5C]
		push	0
		push	0Ch
		push	eax
		push	6
		push	esi
		push	0FFFFFFFFh
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_66E280
		cmp	esi, [ebp+var_5C]
		jb	short loc_66E280
		sub	esi, [ebp+var_5C]

loc_66E280:				; CODE XREF: SepGetStackTraceHash(x)+82j
					; SepGetStackTraceHash(x)+87j
		add	edi, esi
		inc	ebx
		movzx	eax, bx
		cmp	eax, [ebp+var_4C]
		jb	short loc_66E25E

loc_66E28B:				; CODE XREF: SepGetStackTraceHash(x)+66j
		mov	eax, [ebp+var_50]
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		mov	[eax], edi
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SepGetStackTraceHash@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepLogLpacAccessFailure(x)
_SepLogLpacAccessFailure@4 proc	near	; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks+CF807p
					; SeAccessCheckByTypeWithAdminlessChecks:loc_5F11EAp ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		and	[esp+54h+var_54], 0
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_66E37A
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jnz	loc_66E37A
		lea	ecx, [esp+60h+var_54]
		call	_SepGetStackTraceHash@4	; SepGetStackTraceHash(x)
		mov	esi, [esp+60h+var_54]
		mov	ebx, esi
		shr	ebx, 10h
		mov	ecx, esi
		xor	ebx, esi
		mov	ax, bx
		shr	ax, 8
		movzx	edi, ax
		call	_EtwTraceLpacAccessFailure@4 ; EtwTraceLpacAccessFailure(x)
		cmp	ds:_SeLpacEnableWatsonReporting, 0
		jnz	short loc_66E305
		mov	eax, 0C0000356h
		jmp	short loc_66E37F
; 

loc_66E305:				; CODE XREF: SepLogLpacAccessFailure(x)+5Dj
		cmp	ds:_SeLpacEnableWatsonThrottling, 0
		jz	short loc_66E32E
		movzx	eax, bl
		mov	edx, edi
		xor	edx, eax
		mov	ecx, edx
		shr	edx, 5
		and	ecx, 1Fh
		lea	eax, unk_6FE108[edx*4]
		lock bts [eax],	ecx
		jnb	short loc_66E32E
		xor	eax, eax
		jmp	short loc_66E37F
; 

loc_66E32E:				; CODE XREF: SepLogLpacAccessFailure(x)+6Dj
					; SepLogLpacAccessFailure(x)+89j
		push	50h		; size_t
		xor	edi, edi
		lea	eax, [esp+64h+var_50]
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	ecx, large fs:124h
		lea	eax, [esp+6Ch+var_50]
		add	esp, 0Ch
		mov	[esp+60h+var_50], 0C0000409h
		mov	[esp+60h+var_4C], edi
		mov	[esp+60h+var_44], edi
		mov	[esp+60h+var_40], 2
		push	eax
		push	1Eh
		pop	edx
		mov	[esp+64h+var_3C], 2Bh
		mov	[esp+64h+var_38], esi
		call	_DbgkQueueUserExceptionReport@12 ; DbgkQueueUserExceptionReport(x,x,x)
		jmp	short loc_66E37F
; 

loc_66E37A:				; CODE XREF: SepLogLpacAccessFailure(x)+1Aj
					; SepLogLpacAccessFailure(x)+2Bj
		mov	eax, 0C00000BBh

loc_66E37F:				; CODE XREF: SepLogLpacAccessFailure(x)+64j
					; SepLogLpacAccessFailure(x)+8Dj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_SepLogLpacAccessFailure@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepMaximumAccessCheckEx(x, x, x, x,	x, x, x, x, x, x, x, x,	x, x, x)
_SepMaximumAccessCheckEx@60 proc near	; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4E7p
					; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+55Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= byte ptr  28h
arg_24		= byte ptr  2Ch
arg_28		= byte ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= byte ptr  38h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_20], edx
		mov	edx, dword ptr [ebp+arg_20]
		push	edi
		mov	[ebp+var_4], esi
		mov	ecx, [esi+0B0h]
		and	ecx, 2000h
		mov	[ebp+var_10], ecx
		test	dl, dl
		jz	short loc_66E400
		test	ebx, ebx
		jz	short loc_66E400
		mov	eax, [ebp+arg_14]
		mov	edi, ebx
		add	eax, 1Ch

loc_66E3C6:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6Fj
		mov	edx, [eax+0Ch]
		xor	ecx, ecx
		mov	esi, [eax]
		inc	ecx
		test	edx, edx
		jz	short loc_66E3E9

loc_66E3D2:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5Fj
		test	ecx, ecx
		jz	short loc_66E3E7
		test	ecx, esi
		jz	short loc_66E3E0
		mov	dword ptr [edx], 800000h

loc_66E3E0:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+52j
		add	edx, 4
		add	ecx, ecx
		jmp	short loc_66E3D2
; 

loc_66E3E7:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4Ej
		mov	esi, [eax]

loc_66E3E9:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4Aj
		and	dword ptr [eax], 0
		mov	[eax-4], esi
		add	eax, 2Ch
		sub	edi, 1
		jnz	short loc_66E3C6
		mov	edx, dword ptr [ebp+arg_20]
		mov	esi, [ebp+var_4]
		mov	ecx, [ebp+var_10]

loc_66E400:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+32j
					; SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+36j
		mov	eax, [ebp+arg_0]
		and	[ebp+arg_0], 0
		movzx	edi, word ptr [eax+4]
		mov	[ebp+var_1C], edi
		lea	edi, [eax+8]
		cmp	[ebp+var_1C], 0
		jbe	short loc_66E494
		jmp	short loc_66E41C
; 

loc_66E419:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+10Cj
		mov	edx, dword ptr [ebp+arg_20]

loc_66E41C:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+91j
		test	byte ptr [edi+1], 8
		jnz	short loc_66E47F
		mov	al, [edi]
		test	al, al
		jnz	loc_66E4EC
		test	ecx, ecx
		jnz	loc_66E7D8
		test	dl, dl

loc_66E436:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+44Dj
		jnz	loc_66E7D8
		lea	ebx, [edi+8]
		mov	ecx, ebx
		call	_SepIsPackageSid@4 ; SepIsPackageSid(x)
		test	al, al
		jz	short loc_66E4C1
		mov	ecx, [ebp+arg_2C]
		or	edx, 0FFFFFFFFh
		lea	eax, [ecx+18h]
		push	eax
		lea	eax, [ecx+10h]
		push	eax
		lea	eax, [ecx+14h]
		push	eax
		lea	esi, [ecx+4]
		push	esi
		lea	eax, [ecx+15h]
		mov	ecx, [ebp+var_4]
		push	eax
		push	dword ptr [edi+4]
		push	ebx
		call	SepMatchPackage

loc_66E470:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+164j
		mov	ecx, [ebp+arg_2C]
		mov	eax, [esi]
		mov	ebx, [ebp+arg_10]
		not	eax
		and	[ecx], eax

loc_66E47C:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1C1j
					; SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+204j ...
		mov	esi, [ebp+var_4]

loc_66E47F:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9Aj
					; SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+271j ...
		mov	edx, [ebp+arg_0]
		movzx	eax, word ptr [edi+2]
		inc	edx
		mov	ecx, [ebp+var_10]
		add	edi, eax
		mov	[ebp+arg_0], edx
		cmp	edx, [ebp+var_1C]
		jb	short loc_66E419

loc_66E494:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8Fj
		cmp	[ebp+arg_20], 0
		jz	short loc_66E4BA
		test	ebx, ebx
		jz	short loc_66E4BA
		mov	edx, [ebp+arg_1C]
		mov	ecx, [ebp+arg_14]
		not	edx
		add	ecx, 1Ch

loc_66E4A9:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+132j
		mov	eax, [ecx]
		or	eax, edx
		and	eax, [ecx-4]
		mov	[ecx], eax
		lea	ecx, [ecx+2Ch]
		sub	ebx, 1
		jnz	short loc_66E4A9

loc_66E4BA:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+112j
					; SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+116j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	34h
; 

loc_66E4C1:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C2j
		mov	ecx, ebx
		call	SepIsCapabilitySid
		test	al, al
		jz	loc_66E7D8
		mov	eax, [ebp+arg_2C]
		or	edx, 0FFFFFFFFh
		mov	ecx, [ebp+var_4]
		lea	esi, [eax+8]
		add	eax, 16h
		push	esi		; int
		push	eax		; int
		push	dword ptr [edi+4] ; int
		push	ebx		; void *
		call	_SepMatchCapability@24 ; SepMatchCapability(x,x,x,x,x,x)
		jmp	short loc_66E470
; 

loc_66E4EC:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A0j
		cmp	al, 5
		jnz	loc_66E5C0
		mov	ecx, [edi+8]
		lea	eax, [edi+0Ch]
		mov	edx, ecx
		and	edx, 1
		mov	esi, edx
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jnz	short loc_66E543
		push	dword ptr [ebp+arg_30]
		and	ecx, 2
		shl	edx, 4
		push	dword ptr [ebp+arg_24]
		shl	ecx, 3
		push	dword ptr [ebp+arg_20]
		or	ecx, 0Ch
		add	ecx, edi
		add	edx, ecx
		xor	ecx, ecx
		cmp	[ebp+arg_20], cl
		push	esi
		mov	esi, [ebp+var_4]
		setnz	cl
		dec	ecx
		and	ecx, 0FFFFFF78h
		add	ecx, 154h
		push	edx
		add	ecx, esi
		jmp	loc_66E614
; 

loc_66E543:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+181j
		cmp	[ebp+arg_18], 0
		jz	loc_66E47C
		push	dword ptr [ebp+arg_30] ; char
		and	ecx, 2
		shl	edx, 4
		push	dword ptr [ebp+arg_24] ; char
		shl	ecx, 3
		push	dword ptr [ebp+arg_20] ; char
		or	ecx, 0Ch
		add	ecx, edi
		add	edx, ecx
		xor	ecx, ecx
		cmp	[ebp+arg_20], cl
		push	0		; char
		setnz	cl
		dec	ecx
		and	ecx, 0FFFFFF78h
		add	ecx, 154h
		add	ecx, [ebp+var_4]
		push	edx		; void *
		xor	edx, edx
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_66E47C
		mov	edx, [ebp+arg_14]
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		mov	ecx, esi
		call	_AuthzBasepObjectInTypeList@16 ; AuthzBasepObjectInTypeList(x,x,x,x)
		test	al, al
		jz	loc_66E47C
		push	1
		mov	ecx, edx

loc_66E5AB:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+37Cj
		push	dword ptr [edi+4]
		mov	edx, ebx
		push	[ebp+arg_0]
		push	[ebp+var_C]
		call	AuthzBasepAddAccessTypeList
		jmp	loc_66E47C
; 

loc_66E5C0:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+168j
		cmp	al, 4
		jnz	short loc_66E620
		movzx	eax, byte ptr [edi+0Dh]
		xor	ecx, ecx
		push	dword ptr [ebp+arg_30] ; char
		add	eax, 5
		test	dl, dl
		push	dword ptr [ebp+arg_24] ; char
		setnz	cl
		dec	ecx
		push	edx		; char
		and	ecx, 0FFFFFF78h
		lea	eax, [edi+eax*4]
		push	0		; char
		add	ecx, 154h
		xor	edx, edx
		push	eax		; void *
		add	ecx, esi
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_66E47F
		push	dword ptr [ebp+arg_30] ; char
		mov	ecx, [ebp+var_20]
		lea	eax, [edi+0Ch]
		push	dword ptr [ebp+arg_24] ; char
		push	0		; char
		push	0		; char
		push	eax		; void *
		lea	ecx, [ecx+0CCh]

loc_66E614:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1B8j
		xor	edx, edx
		call	SepSidInTokenSidHash
		jmp	loc_66E808
; 

loc_66E620:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+23Cj
		cmp	al, 1
		jnz	short loc_66E65C
		push	0		; char
		push	dword ptr [ebp+arg_24] ; char
		xor	ecx, ecx
		test	dl, dl
		push	edx		; char

loc_66E62E:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+590j
		setnz	cl
		lea	eax, [edi+8]
		dec	ecx
		xor	edx, edx
		and	ecx, 0FFFFFF78h
		push	1		; char
		add	ecx, 154h
		push	eax		; void *
		add	ecx, esi
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_66E47F

loc_66E655:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+335j
		push	2
		jmp	loc_66E812
; 

loc_66E65C:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+29Cj
		cmp	al, 6
		jnz	loc_66E707
		mov	ecx, [edi+8]
		mov	eax, ecx
		and	eax, 2
		and	ecx, 1
		push	0		; char
		push	dword ptr [ebp+arg_24] ; char
		shl	eax, 3
		shl	ecx, 4
		or	eax, 0Ch
		push	edx		; char
		add	eax, edi
		add	ecx, eax
		push	1		; char
		push	ecx		; void *
		xor	ecx, ecx
		test	dl, dl
		setnz	cl
		xor	edx, edx
		dec	ecx
		and	ecx, 0FFFFFF78h
		add	ecx, 154h
		add	ecx, esi
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_66E47F
		mov	eax, [edi+8]
		lea	ecx, [edi+0Ch]
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		jz	short loc_66E655
		cmp	[ebp+arg_18], 0
		mov	esi, [ebp+arg_14]
		jnz	short loc_66E6E8
		mov	ecx, [esi+1Ch]
		mov	edx, 20000h
		push	0
		push	dword ptr [esi+28h]
		not	ecx
		and	ecx, [edi+4]
		push	[ebp+arg_0]
		or	[esi+20h], ecx
		call	AuthzBasepSetAccessReasons
		jmp	loc_66E47C
; 

loc_66E6E8:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+33Ej
		lea	ecx, [ebp+var_C]
		mov	edx, esi
		push	ecx
		push	ebx
		mov	ecx, eax
		call	_AuthzBasepObjectInTypeList@16 ; AuthzBasepObjectInTypeList(x,x,x,x)
		test	al, al
		jz	loc_66E47C
		push	2
		mov	ecx, esi
		jmp	loc_66E5AB
; 

loc_66E707:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2D8j
		cmp	al, 9
		jnz	loc_66E829
		movzx	eax, byte ptr [edi+9]
		lea	ecx, ds:8[eax*4]
		movzx	eax, word ptr [edi+2]
		sub	eax, ecx
		mov	[ebp+var_14], ecx
		sub	eax, 8
		jz	loc_66E47F
		cmp	[ebp+arg_4], 0
		jz	short loc_66E744
		mov	eax, [ebp+arg_8]
		cmp	dword ptr [eax], 0
		jnz	short loc_66E744
		mov	ecx, [ebp+arg_4]
		mov	edx, eax
		call	AuthzBasepInitializeResourceClaimsFromSacl

loc_66E744:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3AAj
					; SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3B2j
		mov	eax, [esi+27Ch]
		test	eax, eax
		jz	short loc_66E759
		mov	ecx, [eax+12Ch]
		mov	[ebp+var_18], ecx
		jmp	short loc_66E75D
; 

loc_66E759:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3C6j
		and	[ebp+var_18], 0

loc_66E75D:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3D1j
		test	eax, eax
		jz	short loc_66E769
		mov	esi, [eax+124h]
		jmp	short loc_66E76B
; 

loc_66E769:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3D9j
		xor	esi, esi

loc_66E76B:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3E1j
		test	eax, eax
		jz	short loc_66E777
		mov	edx, [eax+128h]
		jmp	short loc_66E779
; 

loc_66E777:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3E7j
		xor	edx, edx

loc_66E779:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3EFj
		test	eax, eax
		jz	short loc_66E785
		mov	ecx, [eax+120h]
		jmp	short loc_66E787
; 

loc_66E785:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3F5j
		xor	ecx, ecx

loc_66E787:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3FDj
		lea	eax, [ebp+var_8]
		push	eax
		push	dword ptr [ebp+arg_20]
		movzx	eax, word ptr [edi+2]
		sub	eax, [ebp+var_14]
		push	0
		sub	eax, 8
		push	eax
		mov	eax, [ebp+var_14]
		add	eax, 8
		add	eax, edi
		push	eax
		push	[ebp+var_18]
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+var_4]
		push	edx
		push	ecx
		push	dword ptr [eax]
		mov	edx, [esi+1DCh]
		mov	ecx, esi
		call	AuthzBasepEvaluateAceCondition
		cmp	[ebp+var_8], 1
		jnz	loc_66E47F
		cmp	[ebp+var_10], 0
		jnz	short loc_66E7D8
		cmp	[ebp+arg_20], 0
		jmp	loc_66E436
; 

loc_66E7D8:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A8j
					; SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x):loc_66E436j ...
		push	dword ptr [ebp+arg_30] ; char
		xor	ecx, ecx
		lea	eax, [edi+8]
		cmp	[ebp+arg_20], cl
		push	dword ptr [ebp+arg_24] ; char
		setnz	cl
		xor	edx, edx
		push	dword ptr [ebp+arg_20] ; char
		dec	ecx
		and	ecx, 0FFFFFF78h
		push	0		; char
		add	ecx, 154h
		push	eax		; void *
		add	ecx, esi
		call	SepSidInTokenSidHash
		mov	ebx, [ebp+arg_10]

loc_66E808:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+295j
		test	al, al
		jz	loc_66E47F
		push	1

loc_66E812:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2D1j
		push	dword ptr [edi+4]
		mov	ecx, [ebp+arg_14]
		mov	edx, ebx
		push	[ebp+arg_0]
		push	0
		call	AuthzBasepAddAccessTypeList
		jmp	loc_66E47F
; 

loc_66E829:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+383j
		cmp	[ebp+arg_28], 0
		jz	loc_66E47F
		cmp	al, 0Ah
		jnz	loc_66E47F
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_66E47F
		movzx	eax, byte ptr [edi+9]
		lea	ecx, ds:8[eax*4]
		movzx	eax, word ptr [edi+2]
		sub	eax, ecx
		mov	[ebp+var_18], ecx
		sub	eax, 8
		jz	loc_66E47F
		cmp	[ebp+arg_4], 0
		jz	short loc_66E87E
		mov	eax, [ebp+arg_8]
		cmp	dword ptr [eax], 0
		jnz	short loc_66E87E
		mov	ecx, [ebp+arg_4]
		mov	edx, eax
		call	AuthzBasepInitializeResourceClaimsFromSacl

loc_66E87E:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4E4j
					; SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4ECj
		mov	eax, [esi+27Ch]
		test	eax, eax
		jz	short loc_66E893
		mov	ecx, [eax+12Ch]
		mov	[ebp+var_14], ecx
		jmp	short loc_66E897
; 

loc_66E893:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+500j
		and	[ebp+var_14], 0

loc_66E897:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+50Bj
		test	eax, eax
		jz	short loc_66E8A3
		mov	esi, [eax+124h]
		jmp	short loc_66E8A5
; 

loc_66E8A3:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+513j
		xor	esi, esi

loc_66E8A5:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+51Bj
		test	eax, eax
		jz	short loc_66E8B1
		mov	edx, [eax+128h]
		jmp	short loc_66E8B3
; 

loc_66E8B1:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+521j
		xor	edx, edx

loc_66E8B3:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+529j
		test	eax, eax
		jz	short loc_66E8BF
		mov	ecx, [eax+120h]
		jmp	short loc_66E8C1
; 

loc_66E8BF:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+52Fj
		xor	ecx, ecx

loc_66E8C1:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+537j
		lea	eax, [ebp+var_8]
		push	eax
		push	dword ptr [ebp+arg_20]
		movzx	eax, word ptr [edi+2]
		sub	eax, [ebp+var_18]
		push	1
		sub	eax, 8
		push	eax
		mov	eax, [ebp+var_18]
		add	eax, 8
		add	eax, edi
		push	eax
		push	[ebp+var_14]
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+var_4]
		push	edx
		push	ecx
		push	dword ptr [eax]
		mov	edx, [esi+1DCh]
		mov	ecx, esi
		call	AuthzBasepEvaluateAceCondition
		cmp	[ebp+var_8], 1
		jz	short loc_66E909
		cmp	[ebp+var_8], 0FFFFFFFFh
		jnz	loc_66E47F

loc_66E909:				; CODE XREF: SepMaximumAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+577j
		push	0
		push	dword ptr [ebp+arg_24]
		xor	ecx, ecx
		push	dword ptr [ebp+arg_20]
		cmp	[ebp+arg_20], cl
		jmp	loc_66E62E
_SepMaximumAccessCheckEx@60 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepMergeObjectTypeListAccesses(x, x, x)
_SepMergeObjectTypeListAccesses@12 proc	near
					; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B8D86p
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AB18p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, ecx
		test	edi, edi
		jz	short loc_66E949
		push	esi
		lea	ecx, [edx+20h]
		sub	edx, eax
		lea	esi, [eax+1Ch]

loc_66E933:				; CODE XREF: SepMergeObjectTypeListAccesses(x,x,x)+2Bj
		mov	eax, [edx+esi]
		and	[esi], eax
		lea	esi, [esi+2Ch]
		mov	eax, [ecx]
		lea	ecx, [ecx+2Ch]
		or	[esi-28h], eax
		sub	edi, 1
		jnz	short loc_66E933
		pop	esi

loc_66E949:				; CODE XREF: SepMergeObjectTypeListAccesses(x,x,x)+Dj
		pop	edi
		pop	ebp
		retn	4
_SepMergeObjectTypeListAccesses@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepNormalAccessCheckEx(x, x, x, x, x, x, x,	x, x, x, x, x, x, x, x)
_SepNormalAccessCheckEx@60 proc	near	; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3D4p
					; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+45Ap

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= byte ptr  28h
arg_24		= byte ptr  2Ch
arg_28		= byte ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= byte ptr  38h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		mov	ebx, [ebp+arg_18]
		mov	eax, edx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, ecx
		mov	edx, [eax+0B0h]
		xor	ecx, ecx
		mov	[ebp+var_10], ecx
		and	edx, 2000h
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], ecx
		movzx	ecx, word ptr [edi+4]
		mov	[ebp+var_18], ecx
		mov	ecx, [ebp+arg_14]
		mov	[ebp+var_8], eax
		mov	[ebp+var_24], edx
		test	ecx, ecx
		jz	short loc_66E99B
		lea	eax, [ebx+18h]

loc_66E991:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4Bj
		mov	[eax], esi
		lea	eax, [eax+2Ch]
		sub	ecx, 1
		jnz	short loc_66E991

loc_66E99B:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3Ej
		test	edx, edx
		mov	edx, dword ptr [ebp+arg_20]
		jnz	short loc_66E9B2
		test	dl, dl
		jnz	short loc_66E9B2
		mov	ecx, [ebp+arg_2C]
		mov	ecx, [ecx]
		or	ecx, esi
		mov	[ebp+var_4], ecx
		jmp	short loc_66E9B5
; 

loc_66E9B2:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+52j
					; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+56j
		mov	ecx, [ebp+var_4]

loc_66E9B5:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+62j
		xor	esi, esi
		mov	[ebp+var_14], ecx
		add	edi, 8
		mov	[ebp+arg_4], esi
		cmp	esi, [ebp+var_18]
		jnb	loc_66EF89

loc_66E9C9:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+68Cj
		mov	eax, [ebx+18h]
		test	eax, eax
		jnz	short loc_66E9D8
		test	ecx, ecx
		jz	loc_66EF86

loc_66E9D8:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+80j
		test	byte ptr [edi+1], 8
		jnz	loc_66EFC6
		test	eax, eax
		jnz	short loc_66E9F4
		mov	al, [edi]
		test	al, al
		jz	short loc_66E9FE
		cmp	al, 9
		jnz	loc_66EFC6

loc_66E9F4:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+96j
		mov	al, [edi]
		test	al, al
		jnz	loc_66EAE5

loc_66E9FE:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9Cj
		cmp	[ebp+var_24], 0
		jnz	loc_66EA91
		test	dl, dl
		jnz	loc_66EA91
		test	ecx, ecx
		jz	short loc_66EA91
		lea	ebx, [edi+8]
		mov	ecx, ebx
		call	_SepIsPackageSid@4 ; SepIsPackageSid(x)
		test	al, al
		jz	short loc_66EA4A

loc_66EA22:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4A3j
		mov	ecx, [ebp+arg_2C]
		mov	edx, [ebp+var_14]
		lea	eax, [ecx+18h]
		push	eax
		lea	eax, [ecx+10h]
		push	eax
		lea	eax, [ecx+14h]
		push	eax
		lea	esi, [ecx+4]
		push	esi
		lea	eax, [ecx+15h]
		mov	ecx, [ebp+var_8]
		push	eax
		push	dword ptr [edi+4]
		push	ebx
		call	SepMatchPackage
		jmp	short loc_66EA6F
; 

loc_66EA4A:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D2j
		mov	ecx, ebx
		call	SepIsCapabilitySid
		test	al, al
		jz	short loc_66EA88

loc_66EA55:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4B2j
		mov	eax, [ebp+arg_2C]
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_8]
		lea	esi, [eax+8]
		add	eax, 16h
		push	esi		; int
		push	eax		; int
		push	dword ptr [edi+4] ; int
		push	ebx		; void *
		call	_SepMatchCapability@24 ; SepMatchCapability(x,x,x,x,x,x)

loc_66EA6F:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+FAj
		mov	eax, [esi]
		mov	ecx, [ebp+var_4]
		not	eax
		mov	edx, [ebp+arg_2C]
		and	ecx, eax
		mov	ebx, [ebp+arg_18]
		mov	[ebp+var_4], ecx
		and	[edx], eax
		jmp	loc_66EFC6
; 

loc_66EA88:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+105j
		mov	ebx, [ebp+arg_18]
		mov	edx, dword ptr [ebp+arg_20]
		mov	ecx, [ebp+var_4]

loc_66EA91:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B4j
					; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BCj ...
		cmp	dword ptr [ebx+18h], 0
		jz	loc_66EFC6
		push	dword ptr [ebp+arg_30] ; char
		xor	ecx, ecx
		lea	eax, [edi+8]
		push	dword ptr [ebp+arg_24] ; char
		test	dl, dl
		push	edx		; char
		setnz	cl
		xor	edx, edx
		dec	ecx
		and	ecx, 0FFFFFF78h
		push	0		; char
		add	ecx, 154h
		add	ecx, [ebp+var_8]
		push	eax		; void *
		call	SepSidInTokenSidHash

loc_66EAC6:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2D5j
		test	al, al
		jz	loc_66EFC3
		push	0
		push	dword ptr [edi+4]
		push	esi

loc_66EAD4:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+505j
		push	0

loc_66EAD6:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1FEj
					; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+270j
		mov	edx, [ebp+arg_14]
		mov	ecx, ebx
		call	AuthzBasepAddAccessTypeList
		jmp	loc_66EFC3
; 

loc_66EAE5:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+AAj
		cmp	al, 5
		jnz	loc_66EBC3
		mov	ecx, [edi+8]
		lea	eax, [edi+0Ch]
		mov	edx, ecx
		and	edx, 1
		mov	esi, edx
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jnz	short loc_66EB4E
		push	dword ptr [ebp+arg_30] ; char
		and	ecx, 2
		shl	edx, 4
		push	dword ptr [ebp+arg_24] ; char
		shl	ecx, 3
		push	dword ptr [ebp+arg_20] ; char
		or	ecx, 0Ch
		add	ecx, edi
		add	edx, ecx
		xor	ecx, ecx
		cmp	[ebp+arg_20], cl
		push	esi		; char
		setnz	cl
		dec	ecx
		and	ecx, 0FFFFFF78h
		add	ecx, 154h
		add	ecx, [ebp+var_8]
		push	edx		; void *
		xor	edx, edx
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_66EFC3
		push	esi
		push	dword ptr [edi+4]
		push	[ebp+arg_4]
		push	esi
		jmp	short loc_66EAD6
; 

loc_66EB4E:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1B2j
		cmp	[ebp+arg_1C], 0
		jz	loc_66EFC3
		push	dword ptr [ebp+arg_30] ; char
		and	ecx, 2
		shl	edx, 4
		push	dword ptr [ebp+arg_24] ; char
		shl	ecx, 3
		push	dword ptr [ebp+arg_20] ; char
		or	ecx, 0Ch
		add	ecx, edi
		add	edx, ecx
		xor	ecx, ecx
		cmp	[ebp+arg_20], cl
		push	0		; char
		setnz	cl
		dec	ecx
		and	ecx, 0FFFFFF78h
		add	ecx, 154h
		add	ecx, [ebp+var_8]
		push	edx		; void *
		xor	edx, edx
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_66EFC3
		lea	eax, [ebp+var_10]
		mov	edx, ebx
		push	eax
		push	[ebp+arg_14]
		mov	ecx, esi
		call	_AuthzBasepObjectInTypeList@16 ; AuthzBasepObjectInTypeList(x,x,x,x)
		test	al, al
		jz	loc_66EFC3
		push	0
		push	dword ptr [edi+4]
		push	[ebp+arg_4]
		push	[ebp+var_10]
		jmp	loc_66EAD6
; 

loc_66EBC3:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+199j
		cmp	al, 4
		jnz	short loc_66EC28
		push	dword ptr [ebp+arg_30] ; char
		movzx	eax, byte ptr [edi+0Dh]
		xor	ebx, ebx
		push	dword ptr [ebp+arg_24] ; char
		mov	ecx, [ebp+var_8]
		test	dl, dl
		push	edx		; char
		setnz	bl
		add	eax, 5
		dec	ebx
		xor	edx, edx
		and	ebx, 0FFFFFF78h
		add	ebx, 154h
		push	0		; char
		lea	eax, [edi+eax*4]
		push	eax		; void *
		lea	ecx, [ebx+ecx]
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_66EFC0
		push	dword ptr [ebp+arg_30] ; char
		mov	ecx, [ebp+arg_0]
		lea	eax, [edi+0Ch]
		push	dword ptr [ebp+arg_24] ; char
		xor	edx, edx
		push	dword ptr [ebp+arg_20] ; char
		lea	ecx, [ebx+ecx]
		push	0		; char
		push	eax		; void *
		call	SepSidInTokenSidHash
		mov	ebx, [ebp+arg_18]
		jmp	loc_66EAC6
; 

loc_66EC28:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+277j
		cmp	al, 1
		jnz	short loc_66EC6F
		xor	ecx, ecx
		lea	eax, [edi+8]
		test	dl, dl
		push	0		; char
		push	dword ptr [ebp+arg_24] ; char
		setnz	cl
		dec	ecx
		push	edx		; char
		and	ecx, 0FFFFFF78h
		xor	edx, edx
		push	1		; char
		add	ecx, 154h
		add	ecx, [ebp+var_8]
		push	eax		; void *
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_66EFC3
		mov	ecx, [edi+4]
		and	ecx, [ebx+18h]
		jnz	loc_66EF76
		jmp	loc_66EFC3
; 

loc_66EC6F:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2DCj
		cmp	al, 6
		jnz	loc_66ED0D
		mov	ecx, [edi+8]
		mov	eax, ecx
		and	eax, 2
		and	ecx, 1
		push	0		; char
		push	dword ptr [ebp+arg_24] ; char
		shl	eax, 3
		shl	ecx, 4
		or	eax, 0Ch
		push	edx		; char
		add	eax, edi
		add	ecx, eax
		push	1		; char
		push	ecx		; void *
		xor	ecx, ecx
		test	dl, dl
		setnz	cl
		xor	edx, edx
		dec	ecx
		and	ecx, 0FFFFFF78h
		add	ecx, 154h
		add	ecx, [ebp+var_8]
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_66EFC3
		mov	eax, [edi+8]
		lea	ecx, [edi+0Ch]
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		jz	short loc_66ED05
		cmp	[ebp+arg_1C], 0
		jz	short loc_66ED05
		lea	ecx, [ebp+var_10]
		mov	edx, ebx
		push	ecx
		push	[ebp+arg_14]
		mov	ecx, eax
		call	_AuthzBasepObjectInTypeList@16 ; AuthzBasepObjectInTypeList(x,x,x,x)
		test	al, al
		jz	loc_66EFC3
		imul	eax, [ebp+var_10], arg_24
		mov	eax, [eax+ebx+18h]
		test	[edi+4], eax

loc_66ECFA:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3BDj
		jnz	loc_66EF86
		jmp	loc_66EFC3
; 

loc_66ED05:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+381j
					; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+387j
		mov	eax, [edi+4]
		test	[ebx+18h], eax
		jmp	short loc_66ECFA
; 

loc_66ED0D:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+323j
		cmp	al, 9
		jnz	loc_66EE58
		movzx	eax, byte ptr [edi+9]
		lea	ecx, ds:8[eax*4]
		movzx	eax, word ptr [edi+2]
		sub	eax, ecx
		mov	[ebp+var_1C], ecx
		sub	eax, 8
		jz	loc_66EFC3
		cmp	[ebp+arg_8], 0
		jz	short loc_66ED4A
		mov	eax, [ebp+arg_C]
		cmp	dword ptr [eax], 0
		jnz	short loc_66ED4A
		mov	ecx, [ebp+arg_8]
		mov	edx, eax
		call	AuthzBasepInitializeResourceClaimsFromSacl

loc_66ED4A:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3E8j
					; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3F0j
		mov	eax, [ebp+var_8]
		mov	eax, [eax+27Ch]
		test	eax, eax
		jz	short loc_66ED62
		mov	ecx, [eax+12Ch]
		mov	[ebp+var_20], ecx
		jmp	short loc_66ED66
; 

loc_66ED62:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+407j
		and	[ebp+var_20], 0

loc_66ED66:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+412j
		test	eax, eax
		jz	short loc_66ED72
		mov	esi, [eax+124h]
		jmp	short loc_66ED74
; 

loc_66ED72:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+41Aj
		xor	esi, esi

loc_66ED74:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+422j
		test	eax, eax
		jz	short loc_66ED80
		mov	edx, [eax+128h]
		jmp	short loc_66ED82
; 

loc_66ED80:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+428j
		xor	edx, edx

loc_66ED82:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+430j
		test	eax, eax
		jz	short loc_66ED8E
		mov	ecx, [eax+120h]
		jmp	short loc_66ED90
; 

loc_66ED8E:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+436j
		xor	ecx, ecx

loc_66ED90:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+43Ej
		lea	eax, [ebp+var_C]
		push	eax
		push	dword ptr [ebp+arg_20]
		movzx	eax, word ptr [edi+2]
		sub	eax, [ebp+var_1C]
		push	0
		sub	eax, 8
		push	eax
		mov	eax, [ebp+var_1C]
		add	eax, 8
		add	eax, edi
		push	eax
		push	[ebp+var_20]
		mov	eax, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+var_8]
		push	edx
		push	ecx
		push	dword ptr [eax]
		mov	edx, [esi+1DCh]
		mov	ecx, esi
		call	AuthzBasepEvaluateAceCondition
		cmp	[ebp+var_C], 1
		mov	ecx, [ebp+var_4]
		jnz	loc_66EFC6
		cmp	[ebp+var_24], 0
		jnz	short loc_66EE0C
		cmp	[ebp+arg_20], 0
		jnz	short loc_66EE0C
		test	ecx, ecx
		jz	short loc_66EE0C
		lea	ebx, [edi+8]
		mov	ecx, ebx
		call	_SepIsPackageSid@4 ; SepIsPackageSid(x)
		test	al, al
		jnz	loc_66EA22
		mov	ecx, ebx
		call	SepIsCapabilitySid
		test	al, al
		jnz	loc_66EA55
		mov	ebx, [ebp+arg_18]
		mov	ecx, [ebp+var_4]

loc_66EE0C:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+48Bj
					; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+491j ...
		cmp	dword ptr [ebx+18h], 0
		jz	loc_66EFC6
		push	dword ptr [ebp+arg_30] ; char
		xor	ecx, ecx
		lea	eax, [edi+8]
		cmp	[ebp+arg_20], cl
		push	dword ptr [ebp+arg_24] ; char
		setnz	cl
		xor	edx, edx
		push	dword ptr [ebp+arg_20] ; char
		dec	ecx
		and	ecx, 0FFFFFF78h
		push	0		; char
		add	ecx, 154h
		push	eax		; void *
		add	ecx, esi
		call	SepSidInTokenSidHash
		test	al, al
		jz	loc_66EFC3
		push	0
		push	dword ptr [edi+4]
		push	[ebp+arg_4]
		jmp	loc_66EAD4
; 

loc_66EE58:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3C1j
		cmp	[ebp+arg_28], 0
		jz	loc_66EFC6
		cmp	al, 0Ah
		jnz	loc_66EFC6
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_66EFC3
		movzx	eax, byte ptr [edi+9]
		lea	ecx, ds:8[eax*4]
		movzx	eax, word ptr [edi+2]
		sub	eax, ecx
		mov	[ebp+var_20], ecx
		sub	eax, 8
		jz	loc_66EFC3
		cmp	[ebp+arg_8], 0
		jz	short loc_66EEAD
		mov	eax, [ebp+arg_C]
		cmp	dword ptr [eax], 0
		jnz	short loc_66EEAD
		mov	ecx, [ebp+arg_8]
		mov	edx, eax
		call	AuthzBasepInitializeResourceClaimsFromSacl

loc_66EEAD:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+54Bj
					; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+553j
		mov	eax, [ebp+var_8]
		mov	eax, [eax+27Ch]
		test	eax, eax
		jz	short loc_66EEC5
		mov	ecx, [eax+12Ch]
		mov	[ebp+var_1C], ecx
		jmp	short loc_66EEC9
; 

loc_66EEC5:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+56Aj
		and	[ebp+var_1C], 0

loc_66EEC9:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+575j
		test	eax, eax
		jz	short loc_66EED5
		mov	esi, [eax+124h]
		jmp	short loc_66EED7
; 

loc_66EED5:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+57Dj
		xor	esi, esi

loc_66EED7:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+585j
		test	eax, eax
		jz	short loc_66EEE3
		mov	edx, [eax+128h]
		jmp	short loc_66EEE5
; 

loc_66EEE3:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+58Bj
		xor	edx, edx

loc_66EEE5:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+593j
		test	eax, eax
		jz	short loc_66EEF1
		mov	ecx, [eax+120h]
		jmp	short loc_66EEF3
; 

loc_66EEF1:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+599j
		xor	ecx, ecx

loc_66EEF3:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5A1j
		lea	eax, [ebp+var_C]
		push	eax
		push	dword ptr [ebp+arg_20]
		movzx	eax, word ptr [edi+2]
		sub	eax, [ebp+var_20]
		push	1
		sub	eax, 8
		push	eax
		mov	eax, [ebp+var_20]
		add	eax, 8
		add	eax, edi
		push	eax
		push	[ebp+var_1C]
		mov	eax, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+var_8]
		push	edx
		push	ecx
		push	dword ptr [eax]
		mov	edx, [esi+1DCh]
		mov	ecx, esi
		call	AuthzBasepEvaluateAceCondition
		cmp	[ebp+var_C], 1
		jz	short loc_66EF3B
		cmp	[ebp+var_C], 0FFFFFFFFh
		jnz	loc_66EFC3

loc_66EF3B:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5E1j
		xor	ecx, ecx
		lea	eax, [edi+8]
		cmp	[ebp+arg_20], cl
		push	0		; char
		push	dword ptr [ebp+arg_24] ; char
		setnz	cl
		xor	edx, edx
		push	dword ptr [ebp+arg_20] ; char
		dec	ecx
		and	ecx, 0FFFFFF78h
		push	1		; char
		add	ecx, 154h
		push	eax		; void *
		add	ecx, esi
		call	SepSidInTokenSidHash
		test	al, al
		jz	short loc_66EFC3
		mov	ecx, [edi+4]
		and	ecx, [ebx+18h]
		jz	short loc_66EFC3
		mov	esi, [ebp+arg_4]

loc_66EF76:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+316j
		push	0
		push	dword ptr [ebx+28h]
		mov	edx, 20000h
		push	esi
		call	AuthzBasepSetAccessReasons

loc_66EF86:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+84j
					; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x):loc_66ECFAj
		cmp	esi, [ebp+var_18]

loc_66EF89:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+75j
					; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+687j
		jnz	short loc_66EFE7
		lea	eax, [ebx+18h]
		cmp	dword ptr [eax], 0
		jz	short loc_66EFE7
		mov	ebx, [ebp+arg_14]
		test	ebx, ebx
		jz	short loc_66EFE7

loc_66EF9A:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+697j
		mov	ecx, [eax+10h]
		xor	edx, edx
		mov	esi, [eax]
		inc	edx
		test	ecx, ecx
		jz	short loc_66EFDF

loc_66EFA6:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+670j
		test	edx, edx
		jz	short loc_66EFDF
		test	edx, esi
		jz	short loc_66EFB9
		cmp	dword ptr [ecx], 0
		jnz	short loc_66EFB9
		mov	dword ptr [ecx], (offset loc_7FFFFF+1)

loc_66EFB9:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+65Ej
					; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+663j
		add	ecx, 4
		add	edx, edx
		jmp	short loc_66EFA6
; 

loc_66EFC0:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2B0j
		mov	ebx, [ebp+arg_18]

loc_66EFC3:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+17Aj
					; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+192j ...
		mov	ecx, [ebp+var_4]

loc_66EFC6:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8Ej
					; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A0j ...
		inc	[ebp+arg_4]
		movzx	eax, word ptr [edi+2]
		mov	esi, [ebp+arg_4]
		add	edi, eax
		cmp	esi, [ebp+var_18]
		jnb	short loc_66EF89
		mov	edx, dword ptr [ebp+arg_20]
		jmp	loc_66E9C9
; 

loc_66EFDF:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+656j
					; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+65Aj
		add	eax, 2Ch
		sub	ebx, 1
		jnz	short loc_66EF9A

loc_66EFE7:				; CODE XREF: SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x):loc_66EF89j
					; SepNormalAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+643j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	34h
_SepNormalAccessCheckEx@60 endp


;  S U B	R O U T	I N E 


; __stdcall SepRmDereferenceCap(x)
_SepRmDereferenceCap@4 proc near	; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+B90CEp
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B104p
		mov	ecx, [ecx+10h]
		test	ecx, ecx
		jz	short locret_66F009
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+24h], eax
		dec	eax
		test	eax, eax
		jg	short locret_66F009
		jz	short loc_66F00A
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

locret_66F009:				; CODE XREF: SepRmDereferenceCap(x)+5j
					; SepRmDereferenceCap(x)+12j
		retn
; 

loc_66F00A:				; CODE XREF: SepRmDereferenceCap(x)+14j
		jmp	_SepRmDestroyCapTable@4	; SepRmDestroyCapTable(x)
_SepRmDereferenceCap@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepDesktopAppModifyTokenBreakaway(x, x, x)
_SepDesktopAppModifyTokenBreakaway@12 proc near
					; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+114p
					; SepDesktopAppxSubProcessToken(x,x,x,x,x)+142p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= word ptr -10h
var_E		= word ptr -0Eh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	esi
		push	edi
		push	12h
		pop	eax
		mov	word ptr [ebp+var_28], ax
		lea	edi, [ebp+var_20]
		push	14h
		pop	eax
		mov	word ptr [ebp+var_28+2], ax
		xor	eax, eax
		cmp	[ebp+arg_0], 1
		mov	[ebp+var_24], offset ??_C@_1BE@BDEKEKBI@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAP?$AAK?$AAG@FNODOBFM@
		stosd
		stosd
		stosd
		stosd
		mov	eax, [edx]
		jnz	short loc_66F044
		or	eax, 20h
		jmp	short loc_66F047
; 

loc_66F044:				; CODE XREF: SepDesktopAppModifyTokenBreakaway(x,x,x)+2Ej
		and	eax, 0FFFFFFDFh

loc_66F047:				; CODE XREF: SepDesktopAppModifyTokenBreakaway(x,x,x)+33j
		mov	[edx], eax
		xor	esi, esi
		mov	ecx, [ecx+1DCh]
		inc	esi
		push	2
		pop	eax
		mov	word ptr [ebp+var_20], ax
		xor	eax, eax
		mov	[ebp+var_E], ax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_8], eax
		lea	eax, [ebp-10h]
		mov	[ebp+var_14], edx
		lea	edx, [ebp+arg_0]
		push	eax
		mov	[ebp+var_18], esi
		mov	dword ptr [ebp+arg_0], 4
		mov	[ebp+var_10], si
		mov	[ebp+var_C], esi
		call	AuthzBasepSetSecurityAttributesToken
		pop	edi
		pop	esi
		leave
		retn	4
_SepDesktopAppModifyTokenBreakaway@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepVerifyDesktopAppPolicyOverrideCaller(x)
_SepVerifyDesktopAppPolicyOverrideCaller@4 proc	near
					; CODE XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+153p

var_232		= byte ptr -232h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_108		= dword	ptr -108h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 234h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+234h+var_4], eax
		mov	eax, 100h
		push	ebx
		mov	[esp+238h+var_22C], eax
		xor	ebx, ebx
		mov	[esp+238h+var_230], eax
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		mov	[esp+240h+var_210], ebx
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+240h+var_224], al
		push	[esp+240h+var_224]
		mov	[esp+244h+var_20C], ebx
		push	ds:dword_A949B4
		mov	[esp+248h+var_228], ebx
		push	ds:_SeTcbPrivilege
		mov	[esp+1Bh], bl
		mov	[esp+24Ch+var_220], ebx
		mov	[esp+24Ch+var_21C], ebx
		mov	[esp+24Ch+var_218], ebx
		mov	[esp+24Ch+var_214], ebx
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	short loc_66F10B
		mov	bl, 1
		jmp	loc_66F205
; 

loc_66F10B:				; CODE XREF: SepVerifyDesktopAppPolicyOverrideCaller(x)+77j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+254h+var_230]
		push	eax
		lea	eax, [esp+258h+var_208]
		push	eax
		push	esi
		call	RtlQueryPackageClaims
		test	eax, eax
		js	loc_66F205
		mov	ecx, large fs:124h
		lea	eax, [esp+240h+var_224]
		push	ebx
		push	eax
		lea	eax, [esp+17h]
		push	eax
		lea	edx, [esp+24Ch+var_228]
		call	PsReferenceEffectiveToken
		push	ebx
		mov	esi, eax
		lea	eax, [esp+244h+var_210]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+254h+var_22C]
		push	eax
		lea	eax, [esp+258h+var_108]
		push	eax
		push	esi
		call	RtlQueryPackageClaims
		test	eax, eax
		js	short loc_66F1B7
		test	byte ptr [esp+240h+var_210], 4
		jz	short loc_66F1B7
		mov	eax, [esp+240h+var_230]
		add	eax, 0FFFFFFFEh
		mov	word ptr [esp+240h+var_218], ax
		mov	word ptr [esp+240h+var_218+2], ax
		lea	eax, [esp+240h+var_208]
		mov	[esp+240h+var_214], eax
		mov	eax, [esp+240h+var_22C]
		add	eax, 0FFFFFFFEh
		mov	word ptr [esp+240h+var_220], ax
		mov	word ptr [esp+240h+var_220+2], ax
		lea	eax, [esp+240h+var_108]
		mov	[esp+240h+var_21C], eax
		lea	eax, [esp+240h+var_220]
		push	ebx
		push	eax
		lea	eax, [esp+248h+var_218]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jnz	short loc_66F1B7
		mov	bl, 1

loc_66F1B7:				; CODE XREF: SepVerifyDesktopAppPolicyOverrideCaller(x)+D8j
					; SepVerifyDesktopAppPolicyOverrideCaller(x)+DFj ...
		test	esi, esi
		jz	short loc_66F205
		cmp	[esp+240h+var_228], 1
		jnz	short loc_66F1F9
		mov	eax, large fs:124h
		mov	edi, [eax+80h]
		add	edi, 12Ch
		mov	ecx, [edi]
		mov	eax, ecx
		jmp	short loc_66F1E9
; 

loc_66F1DA:				; CODE XREF: SepVerifyDesktopAppPolicyOverrideCaller(x)+163j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_66F205
		mov	ecx, eax

loc_66F1E9:				; CODE XREF: SepVerifyDesktopAppPolicyOverrideCaller(x)+14Dj
		xor	eax, esi
		cmp	eax, 7
		jb	short loc_66F1DA
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_66F205
; 

loc_66F1F9:				; CODE XREF: SepVerifyDesktopAppPolicyOverrideCaller(x)+135j
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_66F205:				; CODE XREF: SepVerifyDesktopAppPolicyOverrideCaller(x)+7Bj
					; SepVerifyDesktopAppPolicyOverrideCaller(x)+97j ...
		mov	ecx, [esp+240h+var_4]
		mov	al, bl
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_SepVerifyDesktopAppPolicyOverrideCaller@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlConvertLuidToUlonglong(x)
_RtlConvertLuidToUlonglong@4 proc near	; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+67p
					; SepLogTokenSidManagement(x,x,x,x,x)+7Bp
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		retn
_RtlConvertLuidToUlonglong@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepFlattenAcl(x, x,	x, x)
_SepFlattenAcl@16 proc near		; CODE XREF: SeLogAccessFailure+D601Ep
					; SeLogAccessFailure+D62B0p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, edx
		xor	eax, eax
		mov	edx, ecx
		mov	[ebp+var_1C], ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, eax
		mov	[ebx], eax
		lea	ebx, [edx+8]
		mov	[ebp+var_10], edx
		movzx	edx, word ptr [edx+4]
		mov	[esi], eax
		mov	esi, ebx
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], ecx
		push	edi
		mov	edi, eax
		test	edx, edx
		jz	loc_66F344

loc_66F25B:				; CODE XREF: SepFlattenAcl(x,x,x,x)+62j
		mov	al, [esi]
		add	edi, 0Ch
		cmp	al, 3
		jbe	short loc_66F270
		cmp	al, 11h
		jz	short loc_66F270
		cmp	al, 14h
		jz	short loc_66F270
		cmp	al, 15h
		jnz	short loc_66F27B

loc_66F270:				; CODE XREF: SepFlattenAcl(x,x,x,x)+40j
					; SepFlattenAcl(x,x,x,x)+44j ...
		movzx	eax, byte ptr [esi+9]
		lea	edi, [edi+eax*4]
		add	edi, 8
		inc	ecx

loc_66F27B:				; CODE XREF: SepFlattenAcl(x,x,x,x)+4Cj
		movzx	eax, word ptr [esi+2]
		add	esi, eax
		sub	edx, 1
		jnz	short loc_66F25B
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edi
		test	cx, cx
		jz	loc_66F344
		push	614C6553h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jnz	short loc_66F2B3
		mov	eax, 0C0000017h
		jmp	loc_66F349
; 

loc_66F2B3:				; CODE XREF: SepFlattenAcl(x,x,x,x)+85j
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		mov	[ebp+var_14], eax
		cmp	dx, [ecx+4]
		jnb	short loc_66F32D
		mov	edi, eax
		xor	ecx, ecx

loc_66F2C5:				; CODE XREF: SepFlattenAcl(x,x,x,x)+103j
		mov	al, [ebx]
		cmp	al, 3
		jbe	short loc_66F2D7
		cmp	al, 11h
		jz	short loc_66F2D7
		cmp	al, 14h
		jz	short loc_66F2D7
		cmp	al, 15h
		jnz	short loc_66F312

loc_66F2D7:				; CODE XREF: SepFlattenAcl(x,x,x,x)+A7j
					; SepFlattenAcl(x,x,x,x)+ABj ...
		movzx	eax, byte ptr [ebx+1]
		lea	esi, [ebx+8]
		mov	ecx, [ebx+4]
		mov	[edi+4], eax
		movzx	eax, byte ptr [ebx]
		mov	[edi], eax
		mov	[edi+8], ecx
		movzx	eax, byte ptr [esi+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		lea	eax, [edi+0Ch]
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		movzx	eax, byte ptr [esi+1]
		add	esp, 0Ch
		mov	ecx, [ebp+var_4]
		lea	edi, [edi+eax*4]
		add	edi, 14h

loc_66F312:				; CODE XREF: SepFlattenAcl(x,x,x,x)+B3j
		movzx	eax, word ptr [ebx+2]
		add	ebx, eax
		mov	eax, [ebp+var_10]
		inc	ecx
		mov	[ebp+var_4], ecx
		movzx	eax, word ptr [eax+4]
		cmp	ecx, eax
		jb	short loc_66F2C5
		mov	edi, [ebp+var_8]
		mov	eax, [ebp+var_18]

loc_66F32D:				; CODE XREF: SepFlattenAcl(x,x,x,x)+9Dj
		mov	ecx, [ebp+var_1C]
		mov	[ecx], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_C]
		mov	[eax], edi
		mov	eax, [ebp+arg_4]
		mov	[eax], cx
		xor	eax, eax
		jmp	short loc_66F349
; 

loc_66F344:				; CODE XREF: SepFlattenAcl(x,x,x,x)+33j
					; SepFlattenAcl(x,x,x,x)+6Dj
		mov	eax, 0C0000225h

loc_66F349:				; CODE XREF: SepFlattenAcl(x,x,x,x)+8Cj
					; SepFlattenAcl(x,x,x,x)+120j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SepFlattenAcl@16 endp


;  S U B	R O U T	I N E 


; __stdcall SepGetCurrentLogLevel()
_SepGetCurrentLogLevel@0 proc near	; CODE XREF: sub_5EC64A+14Cp
					; SepGetLearningModeObjectInformation(x)+2Fp
		mov	edi, edi
		push	esi
		mov	esi, large fs:124h
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jnz	short loc_66F370
		movzx	eax, byte ptr [esi+84h]
		and	eax, 1
		pop	esi
		retn
; 

loc_66F370:				; CODE XREF: SepGetCurrentLogLevel()+12j
		push	2
		pop	eax
		pop	esi
		retn
_SepGetCurrentLogLevel@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepGetLearningModeObjectInformation(x)
_SepGetLearningModeObjectInformation@4 proc near ; CODE	XREF: SeLogAccessFailure+D5A32p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= word ptr -1Ah
ms_exc		= CPPEH_RECORD ptr -18h

		push	44h
		push	offset dword_6A9368
		call	__SEH_prolog4
		mov	edi, ecx
		mov	[ebp+var_40], edi
		xor	ebx, ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	esi, large fs:124h
		call	_SepGetCurrentLogLevel@0 ; SepGetCurrentLogLevel()
		mov	ecx, eax
		mov	[edi], bl
		mov	eax, [esi+360h]
		test	eax, eax
		jz	short loc_66F3C0
		cmp	[eax+4], ecx
		jz	loc_66F663

loc_66F3C0:				; CODE XREF: SepGetLearningModeObjectInformation(x)+40j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		cmp	al, 1
		jnz	loc_66F661
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jnz	short loc_66F3F7
		cmp	byte ptr [eax+16Ah], 1
		jz	short loc_66F3F7
		mov	eax, [eax+0A8h]
		jmp	short loc_66F3F9
; 

loc_66F3F7:				; CODE XREF: SepGetLearningModeObjectInformation(x)+6Fj
					; SepGetLearningModeObjectInformation(x)+78j
		mov	eax, ebx

loc_66F3F9:				; CODE XREF: SepGetLearningModeObjectInformation(x)+80j
		mov	[ebp+var_34], eax
		test	eax, eax
		jz	loc_66F65A
		mov	eax, [eax+14h]
		mov	[ebp+var_38], eax
		test	eax, eax
		jz	loc_66F65A
		test	al, 3
		jz	short loc_66F41B

loc_66F416:				; CODE XREF: SepGetLearningModeObjectInformation(x)+D9j
					; SepGetLearningModeObjectInformation(x)+F1j ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_66F41B:				; CODE XREF: SepGetLearningModeObjectInformation(x)+9Fj
		lea	ecx, [eax+0Ch]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	short loc_66F42C
		cmp	ecx, eax
		jnb	short loc_66F42E

loc_66F42C:				; CODE XREF: SepGetLearningModeObjectInformation(x)+B1j
		mov	[edx], bl

loc_66F42E:				; CODE XREF: SepGetLearningModeObjectInformation(x)+B5j
		cmp	dword ptr [eax], 0ACCE550Bh
		jnz	loc_66F65A
		mov	eax, [eax+4]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_38]
		mov	edx, [eax+8]
		mov	[ebp+var_4C], edx
		mov	eax, [ebp+var_3C]
		test	al, 3
		jnz	short loc_66F416
		lea	ecx, [eax+8]
		mov	esi, ds:_MmUserProbeAddress
		cmp	ecx, esi
		ja	short loc_66F461
		cmp	ecx, eax
		jnb	short loc_66F463

loc_66F461:				; CODE XREF: SepGetLearningModeObjectInformation(x)+E6j
		mov	[esi], bl

loc_66F463:				; CODE XREF: SepGetLearningModeObjectInformation(x)+EAj
		test	dl, 3
		jnz	short loc_66F416
		lea	ecx, [edx+8]
		mov	esi, ds:_MmUserProbeAddress
		cmp	ecx, esi
		ja	short loc_66F479
		cmp	ecx, edx
		jnb	short loc_66F47B

loc_66F479:				; CODE XREF: SepGetLearningModeObjectInformation(x)+FEj
		mov	[esi], bl

loc_66F47B:				; CODE XREF: SepGetLearningModeObjectInformation(x)+102j
		mov	ecx, [eax]
		mov	[ebp+var_54], ecx
		mov	eax, [eax+4]
		mov	[ebp+var_30], eax
		mov	[ebp+var_50], eax
		mov	eax, [edx]
		mov	[ebp+var_48], eax
		mov	edx, [edx+4]
		mov	[ebp+var_2C], edx
		mov	[ebp+var_44], edx
		shr	ecx, 10h
		test	cx, cx
		jz	short loc_66F4C4
		mov	edx, [ebp+var_30]
		test	dl, 1
		jnz	loc_66F416
		movzx	eax, word ptr [ebp+var_54+2]
		add	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_66F4BF
		cmp	eax, edx
		jnb	short loc_66F4C1

loc_66F4BF:				; CODE XREF: SepGetLearningModeObjectInformation(x)+144j
		mov	[ecx], bl

loc_66F4C1:				; CODE XREF: SepGetLearningModeObjectInformation(x)+148j
		mov	edx, [ebp+var_2C]

loc_66F4C4:				; CODE XREF: SepGetLearningModeObjectInformation(x)+128j
		mov	ax, word ptr [ebp+var_48+2]
		mov	[ebp+var_1A], ax
		test	ax, ax
		jz	short loc_66F4EF
		test	dl, 1
		jnz	loc_66F416
		movzx	eax, ax
		add	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_66F4ED
		cmp	eax, edx
		jnb	short loc_66F4EF

loc_66F4ED:				; CODE XREF: SepGetLearningModeObjectInformation(x)+172j
		mov	[ecx], bl

loc_66F4EF:				; CODE XREF: SepGetLearningModeObjectInformation(x)+15Aj
					; SepGetLearningModeObjectInformation(x)+176j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	494F6553h
		push	1Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_38], esi
		test	esi, esi
		jz	loc_66F661
		push	7
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		push	544F6553h
		push	8
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_44], edi
		test	edi, edi
		jz	loc_66F620
		mov	[edi], ebx
		mov	[edi+4], ebx
		movzx	eax, word ptr [ebp+var_54+2]
		push	544F6553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_20], eax
		mov	[ebp+var_4C], eax
		test	eax, eax
		jz	loc_66F615
		push	4E4F6553h
		push	8
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_24], eax
		mov	[ebp+var_34], eax
		test	eax, eax
		jz	loc_66F615
		mov	[eax], ebx
		mov	[eax+4], ebx
		movzx	eax, [ebp+var_1A]
		mov	[ebp+var_3C], eax
		push	4E4F6553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_28], eax
		mov	[ebp-1Ch], eax
		test	eax, eax
		jz	short loc_66F615
		mov	[ebp+ms_exc.disabled], 1
		movzx	eax, word ptr [ebp+var_54+2]
		push	eax		; size_t
		push	[ebp+var_30]	; void *
		mov	ebx, [ebp+var_20]
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	ebx
		push	edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+var_3C]	; size_t
		push	[ebp+var_2C]	; void *
		mov	ebx, [ebp+var_28]
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+var_24]
		push	ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[esi+8], edi
		mov	[esi+0Ch], ebx
		mov	eax, [ebp+var_40]
		mov	byte ptr [eax],	1
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		jmp	short loc_66F663
; 

loc_66F5ED:				; DATA XREF: .text:006A9388o
		xor	eax, eax
		inc	eax
		retn
; 

loc_66F5F1:				; DATA XREF: .text:006A938Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_38]
		mov	eax, [ebp+var_34]
		mov	[ebp+var_24], eax
		mov	eax, [ebp-1Ch]
		mov	[ebp+var_28], eax
		mov	edi, [ebp+var_44]
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_20], eax

loc_66F615:				; CODE XREF: SepGetLearningModeObjectInformation(x)+1DEj
					; SepGetLearningModeObjectInformation(x)+1FAj ...
		test	edi, edi
		jz	short loc_66F620
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_66F620:				; CODE XREF: SepGetLearningModeObjectInformation(x)+1BAj
					; SepGetLearningModeObjectInformation(x)+2A2j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_66F62E
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_66F62E:				; CODE XREF: SepGetLearningModeObjectInformation(x)+2B0j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_66F63C
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_66F63C:				; CODE XREF: SepGetLearningModeObjectInformation(x)+2BEj
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_66F64A
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_66F64A:				; CODE XREF: SepGetLearningModeObjectInformation(x)+2CCj
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_66F661
; 

loc_66F653:				; DATA XREF: .text:006A937Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_66F657:				; DATA XREF: .text:006A9380o
		mov	esp, [ebp+ms_exc.old_esp]

loc_66F65A:				; CODE XREF: SepGetLearningModeObjectInformation(x)+89j
					; SepGetLearningModeObjectInformation(x)+97j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_66F661:				; CODE XREF: SepGetLearningModeObjectInformation(x)+59j
					; SepGetLearningModeObjectInformation(x)+196j ...
		xor	eax, eax

loc_66F663:				; CODE XREF: SepGetLearningModeObjectInformation(x)+45j
					; SepGetLearningModeObjectInformation(x)+276j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SepGetLearningModeObjectInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepGetSidValuesDump(x, x)
_SepGetSidValuesDump@8 proc near	; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+2B2p
					; SepLogTokenSidManagement(x,x,x,x,x)+36Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], eax
		mov	[eax], edi
		test	ebx, ebx
		jz	short loc_66F708
		cmp	[ebx+8], edi
		jz	short loc_66F708
		mov	eax, [ebx]
		push	69536553h
		sub	eax, 0Ch
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_66F708
		lea	ecx, [ebx+0Ch]
		mov	edx, eax
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], edi
		cmp	[ebx+8], edi
		jbe	short loc_66F701
		push	esi

loc_66F6BE:				; CODE XREF: SepGetSidValuesDump(x,x)+88j
		movzx	eax, byte ptr [ecx+1]
		push	ecx		; void *
		push	edx		; void *
		lea	esi, ds:8[eax*4]
		push	esi		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		mov	ecx, [ebp+var_4]
		add	edi, esi
		mov	edx, [ebp+var_8]
		add	edx, esi
		mov	[ebp+var_8], edx
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	ecx, eax
		mov	eax, [ebp+var_C]
		inc	eax
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], eax
		cmp	eax, [ebx+8]
		jb	short loc_66F6BE
		mov	eax, [ebp+var_10]
		pop	esi

loc_66F701:				; CODE XREF: SepGetSidValuesDump(x,x)+48j
		mov	ecx, [ebp+var_14]
		mov	[ecx], edi
		jmp	short loc_66F70A
; 

loc_66F708:				; CODE XREF: SepGetSidValuesDump(x,x)+17j
					; SepGetSidValuesDump(x,x)+1Cj	...
		xor	eax, eax

loc_66F70A:				; CODE XREF: SepGetSidValuesDump(x,x)+93j
		pop	edi
		pop	ebx
		leave
		retn
_SepGetSidValuesDump@8 endp


;  S U B	R O U T	I N E 


; __stdcall SepIsAdminlessAuditModeEnabled()
_SepIsAdminlessAuditModeEnabled@0 proc near
					; CODE XREF: SeSecurityModelQueryInformation(x,x,x)+30p
		cmp	ds:_SeAdminlessEnableWatsonReporting, 0
		setnz	al
		retn
_SepIsAdminlessAuditModeEnabled@0 endp


;  S U B	R O U T	I N E 


; __stdcall SepIsDeviceOwnerProtectionDowngradeAllowed()
_SepIsDeviceOwnerProtectionDowngradeAllowed@0 proc near
					; CODE XREF: SeSecurityModelQueryInformation(x,x,x):loc_9D912Ep
		cmp	ds:_SeDeviceOwnerProtectionDowngradeAllowed, 0
		setnz	al
		retn
_SepIsDeviceOwnerProtectionDowngradeAllowed@0 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2501. SeReportSecurityEvent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeReportSecurityEvent(x, x,	x, x)
		public _SeReportSecurityEvent@16
_SeReportSecurityEvent@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_66F73B
		mov	dword ptr [eax], 3

loc_66F73B:				; CODE XREF: SeReportSecurityEvent(x,x,x,x)+Aj
		push	7Bh
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	SeReportSecurityEventWithSubCategory
		pop	ebp
		retn	10h
_SeReportSecurityEvent@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtAuditablePrivilege(x,	x)
_SepAdtAuditablePrivilege@8 proc near	; CODE XREF: SepAdtTokenRightAdjusted+14A8D8p
					; SepAdtTokenRightAdjusted+14A8EAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_4], ebx
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	short loc_66F7A6

loc_66F76A:				; CODE XREF: SepAdtAuditablePrivilege(x,x)+50j
		mov	eax, [esi]
		mov	edx, ecx
		mov	[ebp+var_8], eax

loc_66F771:				; CODE XREF: SepAdtAuditablePrivilege(x,x)+48j
		mov	eax, dword ptr ds:loc_404DD4[edx]
		mov	ebx, [ebp+var_8]
		mov	[ebp+var_C], eax
		cmp	ebx, [eax]
		mov	ebx, [ebp+var_4]
		jnz	short loc_66F792
		mov	ebx, [ebp+var_C]
		mov	eax, [esi+4]
		cmp	eax, [ebx+4]
		mov	ebx, [ebp+var_4]
		jz	short loc_66F7A4

loc_66F792:				; CODE XREF: SepAdtAuditablePrivilege(x,x)+32j
		add	edx, 4
		cmp	edx, 38h
		jb	short loc_66F771
		inc	edi
		add	esi, 0Ch
		cmp	edi, ebx
		jb	short loc_66F76A
		jmp	short loc_66F7A6
; 

loc_66F7A4:				; CODE XREF: SepAdtAuditablePrivilege(x,x)+40j
		mov	cl, 1

loc_66F7A6:				; CODE XREF: SepAdtAuditablePrivilege(x,x)+18j
					; SepAdtAuditablePrivilege(x,x)+52j
		pop	edi
		pop	esi
		mov	al, cl
		pop	ebx
		leave
		retn
_SepAdtAuditablePrivilege@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCheckAndCopySelfRelativeSD(x, x,	x, x)
_SepCheckAndCopySelfRelativeSD@16 proc near
					; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+2E8p
					; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+340p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_4], ebx
		mov	esi, ecx
		mov	[edi], ecx
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		mov	[eax], cl
		test	ebx, ebx
		jz	short loc_66F83C
		cmp	[ebx+2], cx
		jl	short loc_66F82E
		mov	ebx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	ebx
		push	ecx
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_66F83C
		push	70416553h
		push	dword ptr [ebx]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_66F808
		add	esi, 77h
		jmp	short loc_66F83C
; 

loc_66F808:				; CODE XREF: SepCheckAndCopySelfRelativeSD(x,x,x,x)+54j
		push	ebx
		push	eax
		push	[ebp+var_4]
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_66F826
		push	0
		push	dword ptr [edi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0
		jmp	short loc_66F83C
; 

loc_66F826:				; CODE XREF: SepCheckAndCopySelfRelativeSD(x,x,x,x)+69j
		mov	eax, [ebp+arg_4]
		mov	byte ptr [eax],	1
		jmp	short loc_66F83C
; 

loc_66F82E:				; CODE XREF: SepCheckAndCopySelfRelativeSD(x,x,x,x)+28j
		mov	ecx, ebx
		call	_SepSecurityDescriptorStrictLength@4 ; SepSecurityDescriptorStrictLength(x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	[edi], ebx

loc_66F83C:				; CODE XREF: SepCheckAndCopySelfRelativeSD(x,x,x,x)+22j
					; SepCheckAndCopySelfRelativeSD(x,x,x,x)+40j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_SepCheckAndCopySelfRelativeSD@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepExamineGlobalSaclEx(x, x, x, x, x, x, x,	x, x, x, x, x, x)
_SepExamineGlobalSaclEx@52 proc	near	; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AE3Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_28]
		push	edi
		mov	edi, [ebp+arg_24]
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		test	edi, edi
		jz	short loc_66F865
		cmp	byte ptr [edi],	0
		jz	short loc_66F876

loc_66F865:				; CODE XREF: SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+19j
		test	esi, esi
		jz	loc_66F915
		cmp	byte ptr [esi],	0
		jnz	loc_66F915

loc_66F876:				; CODE XREF: SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+1Ej
		mov	eax, large fs:124h
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _SepRmGlobalSaclLock
		call	ExAcquireResourceSharedLite
		push	ebx
		push	[ebp+var_8]
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		call	_SepRmGlobalSaclFind@16	; SepRmGlobalSaclFind(x,x,x,x)
		test	eax, eax
		js	short loc_66F906
		mov	eax, [ebp+var_4]
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jz	short loc_66F906
		lea	eax, [ebp+arg_28+3]
		mov	edx, [ebp+var_C]
		push	eax
		lea	eax, [ebp+arg_24+3]
		mov	byte ptr [ebp+arg_24+3], bl
		push	eax
		push	[ebp+arg_20]
		mov	byte ptr [ebp+arg_28+3], bl
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_SepExamineSaclEx@52 ; SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)
		test	edi, edi
		jz	short loc_66F8F5
		cmp	[edi], bl
		jnz	short loc_66F8F1
		mov	al, bl
		cmp	byte ptr [ebp+arg_24+3], bl
		jz	short loc_66F8F3

loc_66F8F1:				; CODE XREF: SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+A3j
		mov	al, 1

loc_66F8F3:				; CODE XREF: SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+AAj
		mov	[edi], al

loc_66F8F5:				; CODE XREF: SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+9Fj
		test	esi, esi
		jz	short loc_66F906
		cmp	[esi], bl
		jnz	short loc_66F902
		cmp	byte ptr [ebp+arg_28+3], bl
		jz	short loc_66F904

loc_66F902:				; CODE XREF: SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+B6j
		mov	bl, 1

loc_66F904:				; CODE XREF: SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+BBj
		mov	[esi], bl

loc_66F906:				; CODE XREF: SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+60j
					; SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+6Aj ...
		mov	ecx, offset _SepRmGlobalSaclLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_66F915:				; CODE XREF: SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+22j
					; SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+2Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	2Ch
_SepExamineGlobalSaclEx@52 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2457. SeCreateClientSecurityFromSubjectContextEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeCreateClientSecurityFromSubjectContextEx(x, x, x,	x)
		public _SeCreateClientSecurityFromSubjectContextEx@16
_SeCreateClientSecurityFromSubjectContextEx@16 proc near

var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		mov	[esp+20h+var_C], eax
		mov	byte ptr [esp+20h+var_8], al
		mov	[esp+20h+var_D], al
		mov	esi, [edi]
		test	esi, esi
		jnz	short loc_66F949
		mov	esi, [edi+8]

loc_66F949:				; CODE XREF: SeCreateClientSecurityFromSubjectContextEx(x,x,x,x)+23j
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	edx, [edi]
		test	edx, edx
		jz	short loc_66F98E
		mov	eax, [edi+8]
		mov	edx, [edx+280h]
		mov	[esp+20h+var_4], 2
		mov	ebx, [eax+280h]
		lea	eax, [esp+13h]
		push	eax
		mov	ecx, ebx
		call	_RtlSidDominatesForTrust@12 ; RtlSidDominatesForTrust(x,x,x)
		cmp	[esp+20h+var_D], 0
		jnz	short loc_66F996
		mov	byte ptr [esp+20h+var_8], 1
		mov	eax, ebx
		jmp	short loc_66F99A
; 

loc_66F98E:				; CODE XREF: SeCreateClientSecurityFromSubjectContextEx(x,x,x,x)+38j
		mov	[esp+20h+var_4], 1

loc_66F996:				; CODE XREF: SeCreateClientSecurityFromSubjectContextEx(x,x,x,x)+62j
		mov	eax, [esp+20h+var_C]

loc_66F99A:				; CODE XREF: SeCreateClientSecurityFromSubjectContextEx(x,x,x,x)+6Bj
		mov	ebx, [ebp+arg_C]
		mov	ecx, esi
		mov	edx, [ebp+arg_4]
		push	ebx
		push	eax
		push	[esp+28h+var_8]
		push	0
		push	1
		push	dword ptr [edi+4]
		push	0
		push	[esp+3Ch+var_4]
		push	[ebp+arg_8]
		call	SepCreateClientSecurityEx
		mov	edi, eax
		test	edi, edi
		js	short loc_66F9C9
		cmp	byte ptr [ebx+8], 0
		jnz	short loc_66F9D5

loc_66F9C9:				; CODE XREF: SeCreateClientSecurityFromSubjectContextEx(x,x,x,x)+A0j
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_66F9D5:				; CODE XREF: SeCreateClientSecurityFromSubjectContextEx(x,x,x,x)+A6j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_SeCreateClientSecurityFromSubjectContextEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeIsSystemContext(x, x)
_SeIsSystemContext@8 proc near		; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+4E5p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+20h+var_10]
		stosd
		mov	esi, edx
		xor	edx, edx
		push	edx
		mov	[esp+24h+var_14], edx
		stosd
		mov	[esp+24h+var_18], edx
		mov	[esi], dl
		stosd
		stosd
		lea	eax, [esp+24h+var_18]
		push	eax
		lea	eax, [esp+28h+var_14]
		mov	[esp+28h+var_8], ecx
		push	eax
		push	1
		push	offset _SystemContextGenericMapping
		push	edx
		push	edx
		push	1
		push	edx
		lea	eax, [esp+44h+var_10]
		mov	ecx, offset _SepSystemContextSecurityDescriptor
		push	eax
		call	SeAccessCheckWithHintWithAdminlessChecks
		test	al, al
		jz	short loc_66FA36
		mov	byte ptr [esi],	1

loc_66FA36:				; CODE XREF: SeIsSystemContext(x,x)+51j
		mov	eax, [esp+20h+var_18]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_SeIsSystemContext@8 endp


;  S U B	R O U T	I N E 


; __stdcall SeTokenIsNoChildProcessRestrictionEnforced(x, x)
_SeTokenIsNoChildProcessRestrictionEnforced@8 proc near
					; CODE XREF: SeSubProcessToken+14A83Cp
		mov	edi, edi
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceSharedLite
		mov	ecx, [esi+30h]
		mov	ebx, [esi+0B0h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		shr	ebx, 13h
		and	bl, 1
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ecx
		retn
_SeTokenIsNoChildProcessRestrictionEnforced@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepLogUnmatchedSessionFlagImpersonationAttempt(x, x)
_SepLogUnmatchedSessionFlagImpersonationAttempt@8 proc near
					; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+1E4p

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_90], 0
		xor	eax, eax
		and	[ebp+var_8C], 0
		push	ebx
		push	esi
		push	edi
		mov	word ptr [ebp+var_A4], ax
		mov	ebx, edx
		push	2
		pop	eax
		mov	word ptr [ebp+var_A4+2], ax
		mov	eax, large fs:124h
		mov	[ebp+var_94], ecx
		mov	[ebp+var_A0], offset ??_C@_11LOCGONAA@@FNODOBFM@
		mov	ecx, [eax+80h]
		mov	edi, [ecx+1C0h]
		test	edi, edi
		jnz	short loc_66FAEC
		lea	edi, [ebp+var_A4]

loc_66FAEC:				; CODE XREF: SepLogUnmatchedSessionFlagImpersonationAttempt(x,x)+5Fj
		lea	edx, [ebp+var_90]
		call	EtwpQueryProcessCommandLine
		cmp	ds:dword_6B29A8, 5
		mov	esi, [ebp+var_8C]
		jbe	loc_66FBD0
		push	4000h
		push	0
		mov	ecx, offset dword_6B29A8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_66FBD0
		mov	eax, [ebp+var_94]
		xor	edx, edx
		push	4
		pop	ecx
		push	2
		mov	eax, [eax+0C0h]
		mov	eax, [eax+18h]
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_68], eax
		mov	eax, [ebx+0C0h]
		mov	[ebp+var_60], ecx
		mov	[ebp+var_64], edx
		mov	[ebp+var_5C], edx
		mov	eax, [eax+18h]
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_48], eax
		mov	eax, [edi+4]
		mov	[ebp+var_38], eax
		movzx	eax, word ptr [edi]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_28], eax
		movzx	eax, word ptr [ebp+var_90]
		mov	[ebp+var_50], ecx
		pop	ecx
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_88]
		push	eax
		push	8
		push	edx
		push	edx
		push	offset loc_422B1C
		push	offset dword_6B29A8
		mov	[ebp+var_54], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_66FBD0:				; CODE XREF: SepLogUnmatchedSessionFlagImpersonationAttempt(x,x)+7Fj
					; SepLogUnmatchedSessionFlagImpersonationAttempt(x,x)+98j
		test	esi, esi
		jz	short loc_66FBDC
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_66FBDC:				; CODE XREF: SepLogUnmatchedSessionFlagImpersonationAttempt(x,x)+14Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SepLogUnmatchedSessionFlagImpersonationAttempt@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSetTokenAllApplicationPackagesPolicy(x, x)
_SepSetTokenAllApplicationPackagesPolicy@8 proc	near ; CODE XREF: SeSubProcessToken+14A98Cp

var_34		= dword	ptr -34h
var_2C		= word ptr -2Ch
var_2A		= word ptr -2Ah
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_1A		= word ptr -1Ah
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		mov	[ebp+var_10], edx
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		and	[ebp+var_C], eax
		rep stosd
		push	offset ??_C@_1CE@CHNBNALE@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAN?$AAO?$AAA?$AAL?$AAL?$AAA?$AAP?$AAP?$AAP@FNODOBFM@
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		and	[ebp+var_28], 0
		lea	edx, [ebp+var_4]
		xor	eax, eax
		mov	[ebp+var_4], 4
		mov	[ebp+var_2A], ax
		xor	ecx, ecx
		push	2
		pop	eax
		mov	[ebp+var_2C], ax
		inc	ecx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], eax
		xor	eax, eax
		mov	[ebp+var_1A], ax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_14], eax
		lea	eax, [ebp-1Ch]
		mov	[ebp+var_1C], cx
		mov	[ebp+var_18], ecx
		mov	ecx, [esi+1DCh]
		push	eax
		call	AuthzBasepSetSecurityAttributesToken
		pop	edi
		pop	esi
		leave
		retn
_SepSetTokenAllApplicationPackagesPolicy@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeQueryTrustedPlatformModuleInformation(x, x, x)
_SeQueryTrustedPlatformModuleInformation@12 proc near ;	CODE XREF: PAGE:00781BDAp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	10h
		push	offset dword_6A9448
		call	__SEH_prolog4
		xor	esi, esi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_66FC87
		mov	esi, 0C0000022h
		jmp	short loc_66FD02
; 

loc_66FC87:				; CODE XREF: SeQueryTrustedPlatformModuleInformation(x,x,x)+1Cj
		cmp	edx, 4
		jnb	short loc_66FCBF
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_66FCB8
		mov	[ebp+ms_exc.disabled], esi
		mov	dword ptr [eax], 4
		jmp	short loc_66FCB1
; 

loc_66FC9E:				; DATA XREF: .text:006A945Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_66FCAE:				; DATA XREF: .text:006A9460o
		mov	esp, [ebp+ms_exc.old_esp]

loc_66FCB1:				; CODE XREF: SeQueryTrustedPlatformModuleInformation(x,x,x)+3Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_66FCB8:				; CODE XREF: SeQueryTrustedPlatformModuleInformation(x,x,x)+2Fj
		mov	esi, 0C0000004h
		jmp	short loc_66FD02
; 

loc_66FCBF:				; CODE XREF: SeQueryTrustedPlatformModuleInformation(x,x,x)+28j
		xor	edx, edx
		inc	edx
		mov	[ebp+ms_exc.disabled], edx
		mov	[ecx], esi
		mov	eax, esi
		cmp	ds:_SepOsLoaderTpmDriverLoaded,	al
		jz	short loc_66FCD5
		mov	[ecx], edx
		mov	eax, edx

loc_66FCD5:				; CODE XREF: SeQueryTrustedPlatformModuleInformation(x,x,x)+6Dj
		cmp	ds:_PnpCoreDriverGroupLoadPhase, 2
		jle	short loc_66FCFB
		or	eax, 2
		mov	[ecx], eax
		jmp	short loc_66FCFB
; 

loc_66FCE5:				; DATA XREF: .text:006A9468o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_66FCF5:				; DATA XREF: .text:006A946Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_1C]

loc_66FCFB:				; CODE XREF: SeQueryTrustedPlatformModuleInformation(x,x,x)+7Aj
					; SeQueryTrustedPlatformModuleInformation(x,x,x)+81j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_66FD02:				; CODE XREF: SeQueryTrustedPlatformModuleInformation(x,x,x)+23j
					; SeQueryTrustedPlatformModuleInformation(x,x,x)+5Bj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SeQueryTrustedPlatformModuleInformation@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2507. SeSetSecurityAttributesTokenEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeSetSecurityAttributesTokenEx(x, x, x, x, x, x, x)
		public _SeSetSecurityAttributesTokenEx@28
_SeSetSecurityAttributesTokenEx@28 proc	near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		cmp	[ebp+arg_8], ebx
		jz	short loc_66FD40
		mov	esi, 0C000000Dh
		jmp	loc_66FE39
; 

loc_66FD40:				; CODE XREF: SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+19j
		cmp	[ebp+arg_C], bl
		jz	loc_66FE1F
		mov	eax, ds:_SepTokenSingletonAttributesConfig
		and	eax, 3
		cmp	al, 3
		jnz	loc_66FE1F
		cmp	byte ptr [ebp+arg_4], bl
		jz	short loc_66FD68
		mov	esi, 0C0000022h
		jmp	loc_66FE39
; 

loc_66FD68:				; CODE XREF: SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+41j
		mov	eax, ds:_SeTokenObjectType
		lea	ecx, [ebp+arg_4]
		push	ebx
		push	ecx
		push	ebx
		push	eax
		push	80h
		push	[ebp+arg_0]
		mov	[ebp+arg_4], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+arg_4]
		mov	esi, eax
		test	esi, esi
		js	loc_66FE12
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [edi+30h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp+arg_4], ebx
		lea	eax, [ebp+arg_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		lea	eax, [ebp+var_C]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_4]
		mov	cl, 1
		push	eax
		call	_SepGetProcUniqueLuidAndIndexFromTokenEx@16 ; SepGetProcUniqueLuidAndIndexFromTokenEx(x,x,x,x)
		mov	edx, [ebp+arg_10]
		push	[ebp+arg_14]
		test	eax, eax
		jns	short loc_66FDDE
		mov	eax, [ebp+arg_18]
		mov	[eax], bl
		mov	ecx, [edi+1DCh]
		call	AuthzBasepSetSecurityAttributesToken
		mov	esi, eax
		test	esi, esi
		js	short loc_66FDFA
		jmp	short loc_66FDF2
; 

loc_66FDDE:				; CODE XREF: SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+A9j
		mov	ecx, [ebp+var_4]
		call	_SepSetSingletonEntry@12 ; SepSetSingletonEntry(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_66FDFA
		mov	eax, [ebp+arg_18]
		mov	byte ptr [eax],	1

loc_66FDF2:				; CODE XREF: SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+C1j
		lea	ecx, [edi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)

loc_66FDFA:				; CODE XREF: SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+BFj
					; SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+CFj
		mov	[ebp+arg_4], ebx
		lea	eax, [ebp+arg_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [edi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_66FE12:				; CODE XREF: SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+70j
		test	edi, edi
		jz	short loc_66FE39
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	short loc_66FE39
; 

loc_66FE1F:				; CODE XREF: SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+28j
					; SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+38j
		push	[ebp+arg_14]
		mov	eax, [ebp+arg_18]
		push	[ebp+arg_10]
		mov	dl, byte ptr [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1
		mov	[eax], bl
		call	_SepInternalSetSecurityAttributesToken@20 ; SepInternalSetSecurityAttributesToken(x,x,x,x,x)
		mov	esi, eax

loc_66FE39:				; CODE XREF: SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+20j
					; SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+48j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_SeSetSecurityAttributesTokenEx@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepGetProcUniqueLuidAndIndexFromAttributeInfo(x, x,	x)
_SepGetProcUniqueLuidAndIndexFromAttributeInfo@12 proc near
					; CODE XREF: SepGetProcUniqueLuidAndIndexFromTokenEx(x,x,x,x)+52p
					; SepValidateAndCopyGlobalEntry(x,x)+24p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= word ptr -34h
var_32		= word ptr -32h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, ds:_SepTokenSingletonAttributesConfig
		push	ebx
		push	esi
		and	eax, 3
		mov	[ebp+var_40], ecx
		mov	ebx, edx
		mov	esi, 0C0000225h
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	al, 3
		jnz	short loc_66FED2
		push	30h		; size_t
		lea	eax, [ebp+var_3C]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ax, ds:_SepProcUniqueAttributeName
		lea	ecx, [ebp+var_3C]
		mov	[ebp+var_34], ax
		add	esp, 0Ch
		mov	ax, ds:word_6B36DE
		mov	[ebp+var_32], ax
		mov	eax, ds:off_6B36E0
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_40]
		mov	[ebp+var_38], eax
		call	AuthzBasepQuerySecurityAttributeAndValues
		mov	esi, eax
		test	esi, esi
		js	short loc_66FED2
		mov	eax, [ebp+var_20]
		lea	ecx, [ebp+var_3C]
		mov	eax, [eax]
		mov	[ebx], eax
		call	AuthzBasepQuerySecurityAttributeAndValues
		mov	esi, eax
		test	esi, esi
		js	short loc_66FED2
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		mov	[edi+4], eax

loc_66FED2:				; CODE XREF: SepGetProcUniqueLuidAndIndexFromAttributeInfo(x,x,x)+2Cj
					; SepGetProcUniqueLuidAndIndexFromAttributeInfo(x,x,x)+6Cj ...
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_SepGetProcUniqueLuidAndIndexFromAttributeInfo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepGetProcUniqueLuidAndIndexFromTokenEx(x, x, x, x)
_SepGetProcUniqueLuidAndIndexFromTokenEx@16 proc near
					; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+D0B8Fp
					; SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+9Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_SepTokenSingletonAttributesConfig
		push	ebx
		push	esi
		and	eax, 3
		xor	bl, bl
		mov	esi, edx
		push	edi
		mov	edi, 0C0000225h
		cmp	al, 3
		jnz	short loc_66FF4F
		test	cl, cl
		jnz	short loc_66FF2B
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_66FF2B
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	ebx, ebx
		inc	ebx
		push	ebx
		push	dword ptr [esi+30h]
		call	ExAcquireResourceSharedLite

loc_66FF2B:				; CODE XREF: SepGetProcUniqueLuidAndIndexFromTokenEx(x,x,x,x)+20j
					; SepGetProcUniqueLuidAndIndexFromTokenEx(x,x,x,x)+2Aj
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, [esi+1DCh]
		call	_SepGetProcUniqueLuidAndIndexFromAttributeInfo@12 ; SepGetProcUniqueLuidAndIndexFromAttributeInfo(x,x,x)
		mov	edi, eax
		test	bl, bl
		jz	short loc_66FF4F
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_66FF4F:				; CODE XREF: SepGetProcUniqueLuidAndIndexFromTokenEx(x,x,x,x)+1Cj
					; SepGetProcUniqueLuidAndIndexFromTokenEx(x,x,x,x)+5Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_SepGetProcUniqueLuidAndIndexFromTokenEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepInternalFillNoAttribs(x,	x, x)
_SepInternalFillNoAttribs@12 proc near	; CODE XREF: SepInternalQuerySecurityAttributesTokenEx+D0BDBp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 0Ch
		cmp	edx, 0Ch
		jnb	short loc_66FF73
		mov	eax, 0C0000023h
		jmp	short loc_66FF84
; 

loc_66FF73:				; CODE XREF: SepInternalFillNoAttribs(x,x,x)+11j
		push	edi
		xor	eax, eax
		mov	edi, ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		mov	[ecx], ax
		xor	eax, eax
		pop	edi

loc_66FF84:				; CODE XREF: SepInternalFillNoAttribs(x,x,x)+18j
		pop	ebp
		retn	4
_SepInternalFillNoAttribs@12 endp

; 
		db 3 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSetSingletonEntry(x, x, x)
_SepSetSingletonEntry@12 proc near	; CODE XREF: SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+C6p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		xor	edi, edi
		call	_SepGetSingletonEntryFromIndexNumber@4 ; SepGetSingletonEntryFromIndexNumber(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_670019
		push	ebx
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	ecx, [esi+10h]
		mov	bl, al
		test	ecx, ecx
		jnz	short loc_66FFF3
		push	74416553h
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+10h], eax
		test	eax, eax
		jnz	short loc_66FFD2
		mov	edi, 0C0000017h
		jmp	short loc_67000A
; 

loc_66FFD2:				; CODE XREF: SepSetSingletonEntry(x,x,x)+3Ej
		mov	[eax], edi
		mov	eax, [esi+10h]
		mov	[eax+0Ch], edi
		mov	eax, [esi+10h]
		add	eax, 4
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [esi+10h]
		add	eax, 10h
		mov	[eax+4], eax
		mov	[eax], eax
		mov	ecx, [esi+10h]

loc_66FFF3:				; CODE XREF: SepSetSingletonEntry(x,x,x)+26j
		push	[ebp+arg_0]
		mov	edx, [ebp+var_4]
		call	AuthzBasepSetSecurityAttributesToken

loc_66FFFE:				; DATA XREF: .text:00403712o
		mov	ecx, ds:_SepSingletonGlobal

loc_670004:				; DATA XREF: .text:00425DBCo
		mov	edi, eax
		or	dword ptr [ecx+0Ch], 1

loc_67000A:				; CODE XREF: SepSetSingletonEntry(x,x,x)+45j
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx

loc_670019:				; CODE XREF: SepSetSingletonEntry(x,x,x)+16j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn	4
_SepSetSingletonEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepValidateAndCopyGlobalEntry(x, x)
_SepValidateAndCopyGlobalEntry@8 proc near ; CODE XREF:	.text:005E9CEFp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, edx
		lea	edx, [ebp+var_8]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_C], eax
		push	esi
		mov	[eax], ebx
		lea	eax, [ebp+var_18]
		push	edi
		push	eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	_SepGetProcUniqueLuidAndIndexFromAttributeInfo@12 ; SepGetProcUniqueLuidAndIndexFromAttributeInfo(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_6700FA
		push	74416553h
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_670065:				; DATA XREF: .text:0040861Co
					; .text:00408B5Co ...
		mov	esi, eax
		test	esi, esi
		jnz	short loc_670075

loc_67006B:				; DATA XREF: .text:004085BCo
					; .text:004085F0o
		mov	edi, 0C0000017h

loc_670070:				; DATA XREF: .text:005A3CACo
					; .text:005A6E20o
		jmp	loc_6700FA
; 

loc_670075:				; CODE XREF: SepValidateAndCopyGlobalEntry(x,x)+48j
		mov	ecx, [ebp+var_8]
		lea	eax, [esi+4]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+10h]
		mov	[esi], ebx
		mov	[esi+0Ch], ebx
		mov	[eax+4], eax
		mov	[eax], eax
		call	_SepGetSingletonEntryFromIndexNumber@4 ; SepGetSingletonEntryFromIndexNumber(x)
		mov	ebx, eax
		push	ebx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	ecx, [ebx+8]
		mov	[ebp+var_1], al
		cmp	ecx, [ebp+var_18]
		jnz	short loc_6700D7
		mov	ecx, [ebx+0Ch]
		cmp	ecx, [ebp+var_14]
		jnz	short loc_6700D7
		mov	ecx, [ebx+10h]
		test	ecx, ecx
		jz	short loc_6700C6
		push	0
		mov	edx, esi
		call	AuthzBasepDuplicateSecurityAttributes
		mov	edi, eax
		mov	eax, [ebp+var_C]
		mov	[eax], esi
		xor	esi, esi

loc_6700C6:				; CODE XREF: SepValidateAndCopyGlobalEntry(x,x)+91j
		push	ebx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_6700EB
; 

loc_6700D7:				; CODE XREF: SepValidateAndCopyGlobalEntry(x,x)+82j
					; SepValidateAndCopyGlobalEntry(x,x)+8Aj
		push	ebx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, 0C0000225h

loc_6700EB:				; CODE XREF: SepValidateAndCopyGlobalEntry(x,x)+B4j
		test	esi, esi
		jz	short loc_6700FA
		push	74416553h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6700FA:				; CODE XREF: SepValidateAndCopyGlobalEntry(x,x)+2Dj
					; SepValidateAndCopyGlobalEntry(x,x):loc_670070j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SepValidateAndCopyGlobalEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepGetTokenSessionMapEntry(x, x, x)
_SepGetTokenSessionMapEntry@12 proc near
					; CODE XREF: SepDereferenceLowBoxNumberEntry+128C62p
					; SepSetTokenLowboxNumber+128353p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_g_SessionLowboxMap
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	bl, dl
		mov	esi, ecx
		and	dword ptr [edi], 0
		test	eax, eax
		jnz	short loc_67013C
		test	bl, bl
		jz	short loc_67014F
		push	734C6553h
		push	8
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:_g_SessionLowboxMap,	eax
		test	eax, eax
		jz	short loc_67016D
		mov	[eax+4], eax
		mov	[eax], eax

loc_67013C:				; CODE XREF: SepGetTokenSessionMapEntry(x,x,x)+19j
		mov	ecx, [eax]
		jmp	short loc_670147
; 

loc_670140:				; CODE XREF: SepGetTokenSessionMapEntry(x,x,x)+48j
		cmp	[ecx+8], esi
		jz	short loc_670156
		mov	ecx, [ecx]

loc_670147:				; CODE XREF: SepGetTokenSessionMapEntry(x,x,x)+3Dj
		cmp	ecx, eax
		jnz	short loc_670140
		test	bl, bl
		jnz	short loc_67015B

loc_67014F:				; CODE XREF: SepGetTokenSessionMapEntry(x,x,x)+1Dj
		mov	eax, 0C0000225h
		jmp	short loc_6701A1
; 

loc_670156:				; CODE XREF: SepGetTokenSessionMapEntry(x,x,x)+42j
		add	ecx, 0Ch
		jmp	short loc_67019D
; 

loc_67015B:				; CODE XREF: SepGetTokenSessionMapEntry(x,x,x)+4Cj
		push	734C6553h
		push	20h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_670174

loc_67016D:				; CODE XREF: SepGetTokenSessionMapEntry(x,x,x)+34j
		mov	eax, 0C000009Ah
		jmp	short loc_6701A1
; 

loc_670174:				; CODE XREF: SepGetTokenSessionMapEntry(x,x,x)+6Aj
		mov	edx, ds:_g_SessionLowboxMap
		lea	ecx, [eax+0Ch]
		and	dword ptr [ecx], 0
		mov	byte ptr [eax+1Ch], 0
		mov	[eax+8], esi
		mov	esi, [edx]
		cmp	[esi+4], edx
		jz	short loc_670193
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_670193:				; CODE XREF: SepGetTokenSessionMapEntry(x,x,x)+8Bj
		mov	[eax], esi
		mov	[eax+4], edx
		mov	[esi+4], eax
		mov	[edx], eax

loc_67019D:				; CODE XREF: SepGetTokenSessionMapEntry(x,x,x)+58j
		mov	[edi], ecx
		xor	eax, eax

loc_6701A1:				; CODE XREF: SepGetTokenSessionMapEntry(x,x,x)+53j
					; SepGetTokenSessionMapEntry(x,x,x)+71j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_SepGetTokenSessionMapEntry@12 endp


;  S U B	R O U T	I N E 


; __stdcall SepAuditFailedRaisedIrql(x)
_SepAuditFailedRaisedIrql@4 proc near	; CODE XREF: SepAdtLogAuditRecord(x)+70p
					; SepAdtLogAuditRecord(x):loc_5744F8p
		cmp	ds:_SepCrashOnAuditFail, 0
		push	esi
		mov	esi, ecx
		jz	short loc_6701E9
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_6701C6
		push	esi
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		pop	esi
		retn
; 

loc_6701C6:				; CODE XREF: SepAuditFailedRaisedIrql(x)+14j
		and	ds:_SepAdtCrashOnAuditFailWorkItem, 0
		push	2
		push	offset _SepAdtCrashOnAuditFailWorkItem
		mov	ds:dword_6BE748, offset	_SepAuditFailed@4 ; SepAuditFailed(x)
		mov	ds:dword_6BE74C, esi
		call	ExQueueWorkItem

loc_6701E9:				; CODE XREF: SepAuditFailedRaisedIrql(x)+Aj
		pop	esi
		retn
_SepAuditFailedRaisedIrql@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeRmReferenceFindCapName(x,	x, x)
_SeRmReferenceFindCapName@12 proc near	; CODE XREF: AdtpBuildContextFromSecurityDescriptor(x,x)+25p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_1C], edx
		mov	esi, edi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], edi

loc_670206:				; CODE XREF: SeRmReferenceFindCapName(x,x,x)+2Ej
		mov	ecx, [ebp+edi*4+var_C]
		call	_SepValidateCAPID@4 ; SepValidateCAPID(x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_67021D
		inc	edi
		cmp	edi, 1
		jb	short loc_670206
		test	ebx, ebx

loc_67021D:				; CODE XREF: SeRmReferenceFindCapName(x,x,x)+28j
		push	0
		pop	edi
		js	loc_670317
		mov	ecx, [ebp+var_C]
		lea	edx, [ebp+var_8]
		call	_SepRmReferenceFindCap@8 ; SepRmReferenceFindCap(x,x)
		mov	esi, [ebp+var_8]
		mov	ebx, eax
		mov	[ebp+var_18], ebx
		test	ebx, ebx
		js	loc_670317
		mov	edx, [esi+20h]
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], 2
		test	edx, edx
		jz	short loc_67027C
		lea	edi, [esi+24h]
		mov	esi, [ebp+var_4]

loc_670258:				; CODE XREF: SeRmReferenceFindCapName(x,x,x)+84j
		mov	eax, [edi]
		lea	edi, [edi+4]
		movzx	eax, word ptr [eax]
		cmp	word ptr [ebp+var_C], ax
		mov	ecx, eax
		sbb	eax, eax
		and	eax, ecx
		add	esi, eax
		sub	edx, 1
		jnz	short loc_670258
		mov	edx, [ebp+var_14]
		xor	edi, edi
		mov	[ebp+var_4], esi
		mov	esi, [ebp+var_8]

loc_67027C:				; CODE XREF: SeRmReferenceFindCapName(x,x,x)+65j
		mov	eax, [ebp+var_4]
		push	70536553h
		lea	eax, [eax+edx*8]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_8], eax
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_67029F
		mov	ebx, 0C0000017h
		jmp	short loc_670319
; 

loc_67029F:				; CODE XREF: SeRmReferenceFindCapName(x,x,x)+ABj
		mov	eax, [esi+20h]
		mov	[ebp+var_14], edi
		lea	edx, [ecx+eax*8]
		mov	[ebp+var_4], edx
		test	eax, eax
		jz	short loc_670319
		mov	edi, [ebp+var_8]
		lea	edx, [esi+24h]
		mov	ebx, [ebp+var_14]
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_C], edx

loc_6702BE:				; CODE XREF: SeRmReferenceFindCapName(x,x,x)+120j
		mov	[edi+ebx*8+4], ecx
		mov	eax, [edx]
		push	2
		movzx	ecx, word ptr [eax]
		pop	eax
		cmp	ax, cx
		sbb	eax, eax
		and	eax, ecx
		movzx	eax, ax
		push	eax		; size_t
		mov	[edi+ebx*8+2], ax
		mov	[edi+ebx*8], ax
		mov	eax, [edx]
		mov	edx, [ebp+var_4]
		push	dword ptr [eax+4] ; void *
		push	edx		; void *
		call	_memcpy
		movzx	eax, word ptr [edi+ebx*8]
		add	esp, 0Ch
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_C]
		shr	eax, 1
		add	edx, 4
		inc	ebx
		mov	[ebp+var_C], edx
		lea	ecx, [ecx+eax*2]
		mov	[ebp+var_4], ecx
		cmp	ebx, [esi+20h]
		jb	short loc_6702BE
		mov	ebx, [ebp+var_18]
		xor	edi, edi
		mov	ecx, [ebp+var_8]
		jmp	short loc_670319
; 

loc_670317:				; CODE XREF: SeRmReferenceFindCapName(x,x,x)+35j
					; SeRmReferenceFindCapName(x,x,x)+50j
		mov	ecx, edi

loc_670319:				; CODE XREF: SeRmReferenceFindCapName(x,x,x)+B2j
					; SeRmReferenceFindCapName(x,x,x)+C2j ...
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		test	esi, esi
		jz	short loc_670325
		mov	edi, [esi+20h]

loc_670325:				; CODE XREF: SeRmReferenceFindCapName(x,x,x)+135j
		mov	eax, [ebp+var_1C]
		mov	[eax], edi
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SeRmReferenceFindCapName@12 endp


;  S U B	R O U T	I N E 


; __stdcall SepRmCapPoolExpand(x, x)
_SepRmCapPoolExpand@8 proc near		; CODE XREF: SepReadAndPopulateCapes+8CCD8p
					; SepAuditFailed(x)+157p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, 70536553h
		mov	esi, edx
		push	edi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	edi
		pop	esi
		retn
_SepRmCapPoolExpand@8 endp


;  S U B	R O U T	I N E 


; __stdcall SepRmReferenceCapTable()
_SepRmReferenceCapTable@0 proc near	; CODE XREF: SepRmReferenceFindCap(x,x)+23p
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _SepRmCapTableLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	esi, ds:_SepRmCapTable
		test	esi, esi
		jz	short loc_67038C
		xor	eax, eax
		inc	eax
		lock xadd [esi+24h], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_67038C
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_67038C:				; CODE XREF: SepRmReferenceCapTable()+26j
					; SepRmReferenceCapTable()+34j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_6703A1
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_6703A1:				; CODE XREF: SepRmReferenceCapTable()+47j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_SepRmReferenceCapTable@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRmReferenceFindCap(x, x)
_SepRmReferenceFindCap@8 proc near	; CODE XREF: SeComputeCreatorDeniedRights(x,x,x,x)+C6p
					; SeAccessCheckWithHintWithAdminlessChecks+CF3C7p ...

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	dword ptr [edx], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	[ebp+var_8], edx
		stosd
		mov	esi, ecx
		mov	[ebp+var_4], esi
		mov	ebx, 0C0000225h
		stosd
		stosd
		call	_SepRmReferenceCapTable@0 ; SepRmReferenceCapTable()
		mov	edi, eax
		test	edi, edi
		jz	short loc_670450
		cmp	ds:_SepRmEnforceCap, 0
		jz	short loc_670433
		lea	eax, [ebp+var_14]
		mov	ecx, esi
		push	eax
		call	_SepComputeSidSignature@4 ; SepComputeSidSignature(x)
		push	eax
		push	edi
		call	_RtlLookupEntryHashTable@12 ; RtlLookupEntryHashTable(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_670433
		mov	ebx, [ebp+var_4]

loc_670404:				; CODE XREF: SepRmReferenceFindCap(x,x)+6Dj
		push	dword ptr [esi+0Ch]
		push	ebx
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		cmp	al, 1
		jz	short loc_670421
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		call	RtlGetNextEntryHashTable
		mov	esi, eax
		test	esi, esi
		jnz	short loc_670404

loc_670421:				; CODE XREF: SepRmReferenceFindCap(x,x)+5Dj
		mov	ebx, 0C0000225h
		test	esi, esi
		jz	short loc_670433
		mov	eax, [ebp+var_8]
		xor	ebx, ebx
		mov	[eax], esi
		jmp	short loc_670450
; 

loc_670433:				; CODE XREF: SepRmReferenceFindCap(x,x)+35j
					; SepRmReferenceFindCap(x,x)+4Dj ...
		or	eax, 0FFFFFFFFh
		lock xadd [edi+24h], eax
		dec	eax
		test	eax, eax
		jg	short loc_670450
		jz	short loc_670449
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_670450
; 

loc_670449:				; CODE XREF: SepRmReferenceFindCap(x,x)+8Ej
		mov	ecx, edi
		call	_SepRmDestroyCapTable@4	; SepRmDestroyCapTable(x)

loc_670450:				; CODE XREF: SepRmReferenceFindCap(x,x)+2Cj
					; SepRmReferenceFindCap(x,x)+7Fj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_SepRmReferenceFindCap@8 endp


;  S U B	R O U T	I N E 


; __stdcall SepValidateCAPID(x)
_SepValidateCAPID@4 proc near		; CODE XREF: SeRmReferenceFindCapName(x,x,x)+1Fp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jnz	short loc_670467
		mov	eax, 0C000000Dh
		pop	esi
		retn
; 

loc_670467:				; CODE XREF: SepValidateCAPID(x)+7j
		push	esi
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jnz	short loc_670478
		mov	eax, 0C0000078h
		pop	esi
		retn
; 

loc_670478:				; CODE XREF: SepValidateCAPID(x)+18j
		push	6		; size_t
		lea	eax, [esi+2]
		push	offset _CAP_AUTHORITY ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000084h
		pop	esi
		retn
_SepValidateCAPID@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2449. SeConvertSidToStringSid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeConvertSidToStringSid(x, x)
		public _SeConvertSidToStringSid@8
_SeConvertSidToStringSid@8 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	LocalConvertSidToStringSidW
		pop	ebp
		retn	8
_SeConvertSidToStringSid@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static struct	B_TREE_HEADER<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_HASH_ENTRY>::NODE *	* __stdcall B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_HASH_ENTRY, 4096, struct NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeDescendToSibling(struct B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_HASH_ENTRY, 4096,	struct NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::PATH_ENTRY *, unsigned	long, struct B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_HASH_ENTRY, 4096, struct NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *)
?BTreeDescendToSibling@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGPAPAUNODE@?$B_TREE_HEADER@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAUPATH_ENTRY@1@KPAUSEARCH_RESULT@1@@Z proc	near
					; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+31p
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+A7p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ecx]
		push	esi
		mov	esi, [ecx+4]
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_6704D2
		movzx	eax, byte ptr [edx+2]
		mov	ecx, [edi+0Ch]
		sub	ecx, eax
		mov	eax, [edi]
		lea	eax, [eax+ecx*8]
		jmp	short loc_6704D4
; 

loc_6704D2:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeDescendToSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::PATH_ENTRY	*,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *)+11j
		xor	eax, eax

loc_6704D4:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeDescendToSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::PATH_ENTRY	*,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *)+21j
		lea	ecx, [esi+4]
		add	esi, 8

loc_6704DA:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeDescendToSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::PATH_ENTRY	*,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *)+45j
		test	eax, eax
		jz	short loc_6704E6
		mov	[eax], edx
		mov	[eax+4], esi
		add	eax, 8

loc_6704E6:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeDescendToSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::PATH_ENTRY	*,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *)+2Dj
		cmp	byte ptr [edx+2], 2
		jz	short loc_6704F6
		mov	edx, [ecx]
		lea	ecx, [edx+4]
		lea	esi, [edx+8]
		jmp	short loc_6704DA
; 

loc_6704F6:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeDescendToSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::PATH_ENTRY	*,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *)+3Bj
		pop	edi
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	4
?BTreeDescendToSibling@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGPAPAUNODE@?$B_TREE_HEADER@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAUPATH_ENTRY@1@KPAUSEARCH_RESULT@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static struct	B_TREE_HEADER<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_HASH_ENTRY>::NODE *	__stdcall B_TREE<unsigned long,	struct ST_STORE<struct SM_TRAITS>::_ST_HASH_ENTRY, 4096, struct	NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSibling(struct B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_HASH_ENTRY, 4096, struct NP_CONTEXT,	struct ST_STORE<struct SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,	struct B_TREE_HEADER<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_HASH_ENTRY>::NODE *,	unsigned long)
?BTreeFindLeafSibling@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGPAUNODE@?$B_TREE_HEADER@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAU23@K@Z	proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmCombineBufferAddEntry+FC2F2p

var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		lea	edi, [ebp+var_28]
		mov	edx, ecx
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		mov	eax, [edx]
		xor	ebx, ebx
		mov	[ebp+var_C], edx
		test	eax, eax
		jnz	short loc_670531
		mov	edi, ebx
		jmp	short loc_67053A
; 

loc_670531:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY>::NODE *,ulong)+2Dj
		movzx	edi, byte ptr [eax+2]
		cmp	edi, 1
		jz	short loc_6705AA

loc_67053A:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY>::NODE *,ulong)+31j
		mov	eax, edi
		shl	eax, 3
		call	__alloca_probe_16
		mov	esi, esp
		lea	ecx, [ebp+var_28]
		push	2
		pop	edx
		call	?BTreeSearchResultInit@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGXPAUSEARCH_RESULT@1@K@Z ;	B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeSearchResultInit(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ebx
		mov	ebx, [ebp+var_C]
		mov	ecx, ebx
		push	eax
		mov	edx, [edx+8]
		mov	[ebp+var_28], esi
		mov	[ebp+var_18], edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeSearchKey
		mov	ecx, [esi+edi*8-0Ch]
		mov	edi, [esi+edi*8-10h]
		lea	eax, [edi+8]
		cmp	ecx, eax
		jbe	short loc_670582
		lea	edi, [ecx-4]
		jmp	short loc_670585
; 

loc_670582:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY>::NODE *,ulong)+7Dj
		add	edi, 4

loc_670585:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY>::NODE *,ulong)+82j
		push	ecx
		lea	edx, [ebp+var_28]
		mov	ecx, ebx
		call	?BTreeFindLeafSiblingEx@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGPAUNODE@?$B_TREE_HEADER@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAUSEARCH_RESULT@1@K@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)
		mov	ebx, eax
		test	edi, edi
		jz	short loc_6705AA
		mov	ecx, [ebp+var_C]
		add	ecx, 8
		mov	esi, [ecx]
		cmp	dword ptr [esi], 0FFFFFFFFh
		jz	short loc_6705AA
		mov	edx, edi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)

loc_6705AA:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY>::NODE *,ulong)+3Aj
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY>::NODE *,ulong)+96j ...
		mov	eax, ebx
		lea	esp, [ebp-34h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
?BTreeFindLeafSibling@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGPAUNODE@?$B_TREE_HEADER@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAU23@K@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static struct	B_TREE_HEADER<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY>::NODE	* __stdcall B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY, 4096, struct NP_CONTEXT,	struct ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSibling(struct B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY, 4096, struct NP_CONTEXT,	struct ST_STORE<struct SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *, struct B_TREE_HEADER<unsigned	long, struct ST_STORE<struct SM_TRAITS>::_ST_REGION_ENTRY>::NODE *, unsigned long)
?BTreeFindLeafSibling@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGPAUNODE@?$B_TREE_HEADER@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAU23@K@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StCompactRegions+FCBFFp
					; ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned __int64 *)+E6p

var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		lea	edi, [ebp+var_28]
		mov	edx, ecx
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		mov	eax, [edx]
		xor	ebx, ebx
		mov	[ebp+var_C], edx
		test	eax, eax
		jnz	short loc_6705F3
		mov	edi, ebx
		jmp	short loc_6705FC
; 

loc_6705F3:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,ulong)+2Dj
		movzx	edi, byte ptr [eax+2]
		cmp	edi, 1
		jz	short loc_67066D

loc_6705FC:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,ulong)+31j
		mov	eax, edi
		shl	eax, 3
		call	__alloca_probe_16
		mov	esi, esp
		lea	ecx, [ebp+var_28]
		push	2
		pop	edx
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ebx
		mov	ebx, [ebp+var_C]
		mov	ecx, ebx
		push	eax
		mov	edx, [edx+8]
		mov	[ebp+var_28], esi
		mov	[ebp+var_18], edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		mov	ecx, [esi+edi*8-0Ch]
		mov	edi, [esi+edi*8-10h]
		lea	eax, [edi+8]
		cmp	ecx, eax
		jbe	short loc_670644
		lea	edi, [ecx-4]
		jmp	short loc_670647
; 

loc_670644:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,ulong)+7Dj
		add	edi, 4

loc_670647:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,ulong)+82j
		push	3
		lea	edx, [ebp+var_28]
		mov	ecx, ebx
		call	?BTreeFindLeafSiblingEx@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGPAUNODE@?$B_TREE_HEADER@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAUSEARCH_RESULT@1@K@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)
		mov	ebx, eax
		test	edi, edi
		jz	short loc_67066D
		mov	ecx, [ebp+var_C]
		add	ecx, 8
		mov	esi, [ecx]
		cmp	dword ptr [esi], 0FFFFFFFFh
		jz	short loc_67066D
		mov	edx, edi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)

loc_67066D:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,ulong)+3Aj
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,ulong)+97j ...
		mov	eax, ebx
		lea	esp, [ebp-34h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
?BTreeFindLeafSibling@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGPAUNODE@?$B_TREE_HEADER@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAU23@K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static struct	B_TREE_HEADER<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY>::NODE * __stdcall B_TREE<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::BTreeFindLeafSibling(struct B_TREE<union _SM_PAGE_KEY,	struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY, 4096, struct	NP_CONTEXT, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>> *, struct	B_TREE_HEADER<union _SM_PAGE_KEY, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_ENTRY>::NODE *, unsigned long)
?BTreeFindLeafSibling@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAU23@K@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC500p
					; ST_STORE_SM_TRAITS___StDmCombineLazyCleanup+FA7DFp ...

var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		lea	edi, [ebp+var_28]
		mov	edx, ecx
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		mov	eax, [edx]
		xor	ebx, ebx
		mov	[ebp+var_C], edx
		test	eax, eax
		jnz	short loc_6706B6
		mov	edi, ebx
		jmp	short loc_6706BF
; 

loc_6706B6:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSibling(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY>::NODE *,ulong)+2Dj
		movzx	edi, byte ptr [eax+2]
		cmp	edi, 1
		jz	short loc_67072F

loc_6706BF:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSibling(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY>::NODE *,ulong)+31j
		mov	eax, edi
		shl	eax, 3
		call	__alloca_probe_16
		mov	esi, esp
		lea	ecx, [ebp+var_28]
		push	2
		pop	edx
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		mov	eax, [ebp+var_10]
		lea	edx, [ebp+var_28]
		mov	[ebp+var_1C], ebx
		mov	ebx, [ebp+var_C]
		mov	ecx, ebx
		mov	[ebp+var_28], esi
		mov	eax, [eax+8]
		push	eax
		mov	[ebp+var_18], edi
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	ecx, [esi+edi*8-0Ch]
		mov	edi, [esi+edi*8-10h]
		lea	eax, [edi+8]
		cmp	ecx, eax
		jbe	short loc_670707
		lea	edi, [ecx-4]
		jmp	short loc_67070A
; 

loc_670707:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSibling(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY>::NODE *,ulong)+7Dj
		add	edi, 4

loc_67070A:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSibling(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY>::NODE *,ulong)+82j
		push	ecx
		lea	edx, [ebp+var_28]
		mov	ecx, ebx
		call	?BTreeFindLeafSiblingEx@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSiblingEx(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		mov	ebx, eax
		test	edi, edi
		jz	short loc_67072F
		mov	ecx, [ebp+var_C]
		add	ecx, 8
		mov	esi, [ecx]
		cmp	dword ptr [esi], 0FFFFFFFFh
		jz	short loc_67072F
		mov	edx, edi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)

loc_67072F:				; CODE XREF: B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSibling(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY>::NODE *,ulong)+3Aj
					; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSibling(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY>::NODE *,ulong)+96j	...
		mov	eax, ebx
		lea	esp, [ebp-34h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
?BTreeFindLeafSibling@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAU23@K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static struct	B_TREE_HEADER<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_HASH_ENTRY>::NODE *	__stdcall B_TREE<unsigned long,	struct ST_STORE<struct SM_TRAITS>::_ST_HASH_ENTRY, 4096, struct	NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(struct	B_TREE<unsigned	long, struct ST_STORE<struct SM_TRAITS>::_ST_HASH_ENTRY, 4096, struct NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *, struct B_TREE<unsigned long, struct ST_STORE<struct SM_TRAITS>::_ST_HASH_ENTRY, 4096,	struct NP_CONTEXT, struct ST_STORE<struct SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *, unsigned long)
?BTreeFindLeafSiblingEx@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGPAUNODE@?$B_TREE_HEADER@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAUSEARCH_RESULT@1@K@Z proc near
					; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY>::NODE *,ulong)+8Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, edx
		lea	eax, [ebp+var_C]
		push	edi
		xor	edx, edx
		mov	esi, ecx
		xor	edi, edi
		inc	edx
		push	eax
		mov	ecx, ebx
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_HASH_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_HASH_ENTRY_COMPARATOR___BTreeFindSeperatorIndexEntry
		test	eax, eax
		jz	loc_670801
		push	edi
		lea	ecx, [ebp+var_C]
		call	?BTreeDescendToSibling@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGPAPAUNODE@?$B_TREE_HEADER@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAUPATH_ENTRY@1@KPAUSEARCH_RESULT@1@@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeDescendToSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::PATH_ENTRY	*,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *)
		mov	edx, [ebx+14h]
		lea	ecx, [esi+8]
		and	edx, 1
		mov	[ebp+var_4], eax
		add	edx, edx
		mov	edi, esi
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		mov	eax, [edi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_67079F
		mov	edx, [ebp+var_4]
		mov	edi, [edx]
		jmp	short loc_6707AC
; 

loc_67079F:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+51j
		push	edx
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		call	?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z ; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)
		mov	edi, eax

loc_6707AC:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+58j
		test	edi, edi
		jnz	short loc_6707B5
		or	edi, 0FFFFFFFFh
		jmp	short loc_670801
; 

loc_6707B5:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+69j
		mov	eax, [ebx]
		mov	ecx, [ebx+0Ch]
		mov	edx, [eax+ecx*8-0Ch]
		mov	ecx, [eax+ecx*8-10h]
		lea	eax, [ecx+8]
		cmp	edx, eax
		jbe	short loc_6707CE
		add	edx, 0FFFFFFFCh
		jmp	short loc_6707D1
; 

loc_6707CE:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+82j
		lea	edx, [ecx+4]

loc_6707D1:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+87j
		lea	eax, [esi+8]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	eax, [esi]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_6707E8
		mov	ecx, esi
		call	?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)

loc_6707E8:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+9Aj
		push	ebx
		lea	ecx, [ebp+var_C]
		call	?BTreeDescendToSibling@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGPAPAUNODE@?$B_TREE_HEADER@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAUPATH_ENTRY@1@KPAUSEARCH_RESULT@1@@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeDescendToSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::PATH_ENTRY	*,ulong,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *)
		mov	esi, [ebx+0Ch]
		lea	ecx, [edi+8]
		mov	edx, [ebx]
		mov	[edx+esi*8-8], edi
		mov	[edx+esi*8-4], ecx

loc_670801:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+27j
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_HASH_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_HASH_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+6Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
?BTreeFindLeafSiblingEx@?$B_TREE@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_HASH_ENTRY_COMPARATOR@2@@@SGPAUNODE@?$B_TREE_HEADER@KU_ST_HASH_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAUSEARCH_RESULT@1@K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	B_TREE<union _SM_PAGE_KEY, struct SMKM_STORE_MGR<struct	SM_TRAITS>::SMKM_FRONTEND_ENTRY, 4096, struct B_TREE_DUMMY_NODE_POOL, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>>::BTreeNodeFree(struct B_TREE<union _SM_PAGE_KEY, struct	SMKM_STORE_MGR<struct SM_TRAITS>::SMKM_FRONTEND_ENTRY, 4096, struct B_TREE_DUMMY_NODE_POOL, struct B_TREE_KEY_COMPARATOR<union _SM_PAGE_KEY>> *, struct	B_TREE_HEADER<union _SM_PAGE_KEY, struct SMKM_STORE_MGR<struct SM_TRAITS>::SMKM_FRONTEND_ENTRY>::NODE *)
?BTreeNodeFree@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@@@@Z proc near
					; CODE XREF: B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNodeFree(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY>::NODE *)+37p
					; SMKM_STORE_MGR<SM_TRAITS>::SmCleanup(SMKM_STORE_MGR<SM_TRAITS> *)+16p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		cmp	byte ptr [edi+3], 0
		jnz	short loc_670853
		movzx	eax, word ptr [edi]
		push	ebx
		lea	ebx, [edi+8]
		push	esi
		mov	esi, ebx
		lea	eax, [esi+eax*8]
		mov	[ebp+var_8], eax
		cmp	esi, eax
		ja	short loc_670851

loc_670831:				; CODE XREF: B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNodeFree(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY>::NODE *)+45j
		lea	eax, [esi-4]
		cmp	esi, ebx
		ja	short loc_67083B
		lea	eax, [edi+4]

loc_67083B:				; CODE XREF: B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNodeFree(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY>::NODE *)+2Cj
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_670849
		call	?BTreeNodeFree@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@@@@Z ; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNodeFree(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>	*,B_TREE_HEADER<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY>::NODE *)
		mov	ecx, [ebp+var_4]

loc_670849:				; CODE XREF: B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNodeFree(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY>::NODE *)+35j
		add	esi, 8
		cmp	esi, [ebp+var_8]
		jbe	short loc_670831

loc_670851:				; CODE XREF: B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNodeFree(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY>::NODE *)+25j
		pop	esi
		pop	ebx

loc_670853:				; CODE XREF: B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNodeFree(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY>::NODE *)+11j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		leave
		retn
?BTreeNodeFree@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall B_TREE_unsigned long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeWalkPostOrderInternal(int,void *,int,int,int,int)
?BTreeWalkPostOrderInternal@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGJPAU1@PAUNODE@?$B_TREE_HEADER@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU_SINGLE_LIST_ENTRY@@P6GJPAX3PAK@Z3PAPAU23@@Z proc	near
					; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)+B8p
					; ST_STORE<SM_TRAITS>::StNpEnumBTreeNodes(NP_CONTEXT::NP_CTX *,long (*)(void *,void *,ulong *),void *)+33p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ebp+var_4], ecx
		mov	edi, [esi]
		test	edi, edi
		jz	short loc_67088E
		mov	eax, [edi]
		mov	ebx, edi
		push	1000h		; size_t
		push	edx		; void *
		push	edi		; void *
		mov	[esi], eax
		call	_memcpy
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		jmp	short loc_670890
; 

loc_67088E:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)+14j
		mov	ebx, edx

loc_670890:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)+2Ej
		cmp	byte ptr [ebx+3], 0
		jz	short loc_6708A7
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ebx
		call	[ebp+arg_4]
		mov	ecx, eax
		jmp	loc_670943
; 

loc_6708A7:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)+36j
		movzx	eax, word ptr [ebx]
		lea	esi, [ebx+8]
		lea	edx, [esi+eax*8]
		mov	eax, [ebp+var_4]
		add	eax, 8
		mov	[ebp+var_8], edx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	short loc_6708F6
		cmp	byte ptr [ebx+2], 2
		jnz	short loc_6708F6
		cmp	esi, edx
		ja	short loc_670929

loc_6708D0:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)+94j
		lea	eax, [ebx+8]
		cmp	esi, eax
		lea	eax, [esi-4]
		ja	short loc_6708DD
		lea	eax, [ebx+4]

loc_6708DD:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)+7Aj
		push	eax
		push	[ebp+arg_8]
		push	0
		call	[ebp+arg_4]
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_670940
		add	esi, 8
		cmp	esi, [ebp+var_8]
		jbe	short loc_6708D0
		jmp	short loc_670929
; 

loc_6708F6:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)+66j
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long (*)(void *,void *,ulong *),void *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE	* *)+6Cj
		cmp	esi, edx
		ja	short loc_670929

loc_6708FA:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)+C9j
		lea	eax, [ebx+8]
		lea	edx, [esi-4]
		cmp	esi, eax
		ja	short loc_670907
		lea	edx, [ebx+4]

loc_670907:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)+A4j
		mov	ecx, [ebp+var_4] ; int
		push	edx		; int
		push	[ebp+arg_8]	; int
		mov	edx, [edx]	; void *
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		call	?BTreeWalkPostOrderInternal@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGJPAU1@PAUNODE@?$B_TREE_HEADER@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU_SINGLE_LIST_ENTRY@@P6GJPAX3PAK@Z3PAPAU23@@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_670940
		add	esi, 8
		cmp	esi, [ebp+var_8]
		jbe	short loc_6708FA

loc_670929:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)+70j
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long (*)(void *,void *,ulong *),void *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE	* *)+96j ...
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ebx
		call	[ebp+arg_4]
		mov	esi, [ebp+arg_0]
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_670943
		xor	ecx, ecx
		jmp	short loc_670943
; 

loc_670940:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)+8Cj
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long (*)(void *,void *,ulong *),void *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE	* *)+C1j
		mov	esi, [ebp+arg_0]

loc_670943:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)+44j
					; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long (*)(void *,void *,ulong *),void *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE	* *)+DCj ...
		test	edi, edi
		jz	short loc_67094D
		mov	eax, [esi]
		mov	[edi], eax
		mov	[esi], edi

loc_67094D:				; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)+E7j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	10h
?BTreeWalkPostOrderInternal@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGJPAU1@PAUNODE@?$B_TREE_HEADER@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU_SINGLE_LIST_ENTRY@@P6GJPAX3PAK@Z3PAPAU23@@Z endp


;  S U B	R O U T	I N E 


; public: static struct	B_TREE_NODE_HDR	* __stdcall NP_CONTEXT::NpGetResidentLeaf(struct NP_CONTEXT::NP_CTX *, union _NP_LEAF_PTR *)
?NpGetResidentLeaf@NP_CONTEXT@@SGPAUB_TREE_NODE_HDR@@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@@Z proc near
					; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+118p
					; B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSplitChild+199p ...
		mov	eax, [edx]
		test	al, 2
		jnz	short loc_670966
		and	eax, 0FFFFF007h
		or	eax, 6
		jmp	short loc_670973
; 

loc_670966:				; CODE XREF: NP_CONTEXT::NpGetResidentLeaf(NP_CONTEXT::NP_CTX *,_NP_LEAF_PTR *)+4j
		lea	ecx, [eax+4]
		xor	ecx, eax
		and	ecx, 0FFCh
		xor	eax, ecx

loc_670973:				; CODE XREF: NP_CONTEXT::NpGetResidentLeaf(NP_CONTEXT::NP_CTX *,_NP_LEAF_PTR *)+Ej
		mov	[edx], eax
		and	eax, 0FFFFF000h
		retn
?NpGetResidentLeaf@NP_CONTEXT@@SGPAUB_TREE_NODE_HDR@@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	NP_CONTEXT::NpLeafDerefInternal(struct NP_CONTEXT::NP_CTX *, void * *)
?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	proc near
					; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+91p
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+166p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	ecx, 0FFCh
		mov	esi, [edi]
		mov	eax, esi
		shr	eax, 2
		lea	eax, ds:0FFFFFFFCh[eax*4]
		xor	eax, esi
		and	eax, ecx
		xor	eax, esi
		mov	[edi], eax
		test	eax, ecx
		jnz	short loc_670A18
		and	[ebp+var_8], 0
		and	eax, 0FFFFFFFDh
		and	[ebp+var_4], 0
		mov	[edi], eax
		lea	eax, [ebp+var_8]
		push	eax
		call	KeQueryTickCount
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		shrd	eax, ecx, 0Ch
		mov	ecx, [ebx]
		mul	ds:_KeMaximumIncrement
		mov	esi, eax
		mov	eax, 3FFh
		shrd	esi, edx, 11h
		mov	edx, esi
		sub	edx, [ecx+24h]
		cmp	edx, eax
		jbe	short loc_6709E6
		mov	edx, eax

loc_6709E6:				; CODE XREF: NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX	*,void * *)+67j
		mov	eax, edx
		shl	eax, 2
		xor	eax, [edi]
		and	eax, 0FFCh
		xor	[edi], eax
		cmp	edx, 2FFh
		jb	short loc_670A18
		mov	ecx, [ebx]
		add	esi, 0FFFFFE01h
		mov	eax, esi
		sub	eax, [ecx+24h]
		push	eax
		push	offset ?NpiRebaseCallback@NP_CONTEXT@@SGJPAX0PAK@Z ; NP_CONTEXT::NpiRebaseCallback(void	*,void *,ulong *)
		push	ebx
		call	dword ptr [ecx+8]
		mov	eax, [ebx]
		mov	[eax+24h], esi

loc_670A18:				; CODE XREF: NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX	*,void * *)+2Bj
					; NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX *,void * *)+7Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
?NpLeafDerefInternal@NP_CONTEXT@@SGXPAUNP_CTX@1@PAPAX@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void *	__stdcall NP_CONTEXT::NpLeafRefInternal(struct NP_CONTEXT::NP_CTX *, void * *, unsigned	long)
?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z proc near
					; CODE XREF: B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSiblingEx(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *,ulong)+C1p
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeChangeKey+17Cp ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		test	byte ptr [edi],	1
		jnz	short loc_670A47
		test	[ebp+arg_0], 1
		jz	short loc_670A38

loc_670A34:				; CODE XREF: NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)+28j
		xor	esi, esi
		jmp	short loc_670A64
; 

loc_670A38:				; CODE XREF: NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)+15j
		mov	ecx, [ebx]
		mov	edx, ebx
		push	edi
		call	?NpiLeafPageIn@NP_CONTEXT@@SGXPAU1@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@@Z ; NP_CONTEXT::NpiLeafPageIn(NP_CONTEXT *,NP_CONTEXT::NP_CTX *,_NP_LEAF_PTR *)
		test	byte ptr [edi],	1
		jz	short loc_670A34

loc_670A47:				; CODE XREF: NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)+Fj
		mov	edx, edi
		call	?NpGetResidentLeaf@NP_CONTEXT@@SGPAUB_TREE_NODE_HDR@@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@@Z ; NP_CONTEXT::NpGetResidentLeaf(NP_CONTEXT::NP_CTX	*,_NP_LEAF_PTR *)
		test	[ebp+arg_0], 2
		mov	esi, eax
		jnz	short loc_670A64
		mov	ecx, [ebx]
		cmp	dword ptr [ecx], 0FFFFFFFFh
		jz	short loc_670A64
		mov	ecx, ebx
		call	?NpLeafRemoveInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAX@Z ; NP_CONTEXT::NpLeafRemoveInternal(NP_CONTEXT::NP_CTX *,void	* *)

loc_670A64:				; CODE XREF: NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)+19j
					; NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)+37j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
?NpLeafRefInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAXK@Z endp


;  S U B	R O U T	I N E 


; public: static void *	__stdcall NP_CONTEXT::NpLeafRemoveInternal(struct NP_CONTEXT::NP_CTX *,	void * *)
?NpLeafRemoveInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAX@Z proc	near
					; CODE XREF: B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeMergeNodes+C3p
					; B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeMergeNodes+C5p ...
		mov	edi, edi
		push	ebx
		mov	ebx, [edx]
		push	esi
		mov	esi, [ecx]
		push	edi
		test	bl, 1
		jz	short loc_670A9E
		and	ebx, 0FFFFF000h
		lea	edi, [ebx+7]
		and	edi, 0FFFFFFFCh
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_670AA9
		test	al, 2
		jnz	short loc_670AA9
		push	eax
		push	ecx
		call	dword ptr [esi+14h]
		or	dword ptr [edi], 2
		dec	dword ptr [esi+20h]
		jmp	short loc_670AA9
; 

loc_670A9E:				; CODE XREF: NP_CONTEXT::NpLeafRemoveInternal(NP_CONTEXT::NP_CTX *,void	* *)+Cj
		dec	dword ptr [esi+1Ch]
		push	dword ptr [edx]
		push	ecx
		call	dword ptr [esi+14h]
		xor	ebx, ebx

loc_670AA9:				; CODE XREF: NP_CONTEXT::NpLeafRemoveInternal(NP_CONTEXT::NP_CTX *,void	* *)+1Ej
					; NP_CONTEXT::NpLeafRemoveInternal(NP_CONTEXT::NP_CTX *,void * *)+22j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
?NpLeafRemoveInternal@NP_CONTEXT@@SGPAXPAUNP_CTX@1@PAPAX@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void *	__stdcall NP_CONTEXT::NpiGetReservedBuffer(struct NP_CONTEXT *,	struct NP_CONTEXT::NP_CTX *)
?NpiGetReservedBuffer@NP_CONTEXT@@SGPAXPAU1@PAUNP_CTX@1@@Z proc	near
					; CODE XREF: NP_CONTEXT__NpNodeAllocate+F9ABFp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		xor	edi, edi
		lea	esi, [ebx+2Ch]

loc_670AC4:				; CODE XREF: NP_CONTEXT::NpiGetReservedBuffer(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)+2Cj
		mov	edx, [esi+4]
		cmp	edx, esi
		jnz	short loc_670ADD
		mov	edx, eax
		mov	ecx, ebx
		call	?NpiPerformPageOut@NP_CONTEXT@@SGJPAU1@PAUNP_CTX@1@@Z ;	NP_CONTEXT::NpiPerformPageOut(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)
		test	eax, eax
		js	short loc_670AF2
		mov	eax, [ebp+var_4]
		jmp	short loc_670AC4
; 

loc_670ADD:				; CODE XREF: NP_CONTEXT::NpiGetReservedBuffer(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)+1Aj
		mov	ecx, [esi]
		mov	eax, [ecx]
		mov	[esi], eax
		cmp	ecx, edx
		jnz	short loc_670AEE
		mov	[esi+4], esi
		mov	[esi], edi
		jmp	short loc_670AF0
; 

loc_670AEE:				; CODE XREF: NP_CONTEXT::NpiGetReservedBuffer(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)+36j
		dec	dword ptr [edx]

loc_670AF0:				; CODE XREF: NP_CONTEXT::NpiGetReservedBuffer(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)+3Dj
		mov	edi, ecx

loc_670AF2:				; CODE XREF: NP_CONTEXT::NpiGetReservedBuffer(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)+27j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
?NpiGetReservedBuffer@NP_CONTEXT@@SGPAXPAU1@PAUNP_CTX@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	NP_CONTEXT::NpiLeafPageIn(struct NP_CONTEXT *, struct NP_CONTEXT::NP_CTX *, union _NP_LEAF_PTR *)
?NpiLeafPageIn@NP_CONTEXT@@SGXPAU1@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@@Z proc	near
					; CODE XREF: NP_CONTEXT::NpLeafRefInternal(NP_CONTEXT::NP_CTX *,void * *,ulong)+20p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		push	3
		mov	ecx, ebx
		call	NP_CONTEXT__NpNodeAllocate
		mov	edi, eax
		test	edi, edi
		jnz	short loc_670B19
		inc	dword ptr [esi+40h]
		jmp	short loc_670B58
; 

loc_670B19:				; CODE XREF: NP_CONTEXT::NpiLeafPageIn(NP_CONTEXT *,NP_CONTEXT::NP_CTX *,_NP_LEAF_PTR *)+19j
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax]
		push	edi
		push	ebx
		call	dword ptr [esi+10h]
		test	eax, eax
		jns	short loc_670B2C
		inc	dword ptr [esi+40h]
		jmp	short loc_670B49
; 

loc_670B2C:				; CODE XREF: NP_CONTEXT::NpiLeafPageIn(NP_CONTEXT *,NP_CONTEXT::NP_CTX *,_NP_LEAF_PTR *)+2Cj
		inc	dword ptr [esi+38h]
		lea	ecx, [edi+7]
		dec	dword ptr [esi+1Ch]
		and	ecx, 0FFFFFFFCh
		mov	edx, [ebp+arg_0]
		or	edi, 1
		inc	dword ptr [esi+20h]
		mov	eax, [edx]
		mov	[ecx], eax
		mov	[edx], edi
		xor	edi, edi

loc_670B49:				; CODE XREF: NP_CONTEXT::NpiLeafPageIn(NP_CONTEXT *,NP_CONTEXT::NP_CTX *,_NP_LEAF_PTR *)+31j
		test	edi, edi
		jz	short loc_670B58
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	NP_CONTEXT__NpNodeFree

loc_670B58:				; CODE XREF: NP_CONTEXT::NpiLeafPageIn(NP_CONTEXT *,NP_CONTEXT::NP_CTX *,_NP_LEAF_PTR *)+1Ej
					; NP_CONTEXT::NpiLeafPageIn(NP_CONTEXT *,NP_CONTEXT::NP_CTX *,_NP_LEAF_PTR *)+52j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
?NpiLeafPageIn@NP_CONTEXT@@SGXPAU1@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	NP_CONTEXT::NpiLeafPageOut(struct NP_CONTEXT *,	struct NP_CONTEXT::NP_CTX *, union _NP_LEAF_PTR	*, unsigned long)
?NpiLeafPageOut@NP_CONTEXT@@SGJPAU1@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@K@Z proc near
					; CODE XREF: NP_CONTEXT::NpiPerformPageOut(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)+28p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, ecx
		mov	ecx, [edi]
		and	ecx, 0FFFFF000h
		lea	eax, [ecx+7]
		and	eax, 0FFFFFFFCh
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_670B88
		test	al, 2
		jnz	short loc_670B88
		dec	dword ptr [esi+20h]
		jmp	short loc_670B9E
; 

loc_670B88:				; CODE XREF: NP_CONTEXT::NpiLeafPageOut(NP_CONTEXT *,NP_CONTEXT::NP_CTX	*,_NP_LEAF_PTR *,ulong)+1Ej
					; NP_CONTEXT::NpiLeafPageOut(NP_CONTEXT	*,NP_CONTEXT::NP_CTX *,_NP_LEAF_PTR *,ulong)+22j
		push	ecx
		push	edx
		call	dword ptr [esi+0Ch]
		test	eax, eax
		jnz	short loc_670B9B
		inc	dword ptr [esi+3Ch]
		mov	eax, 0C0000185h
		jmp	short loc_670BA5
; 

loc_670B9B:				; CODE XREF: NP_CONTEXT::NpiLeafPageOut(NP_CONTEXT *,NP_CONTEXT::NP_CTX	*,_NP_LEAF_PTR *,ulong)+30j
		inc	dword ptr [esi+34h]

loc_670B9E:				; CODE XREF: NP_CONTEXT::NpiLeafPageOut(NP_CONTEXT *,NP_CONTEXT::NP_CTX	*,_NP_LEAF_PTR *,ulong)+27j
		inc	dword ptr [esi+1Ch]
		mov	[edi], eax
		xor	eax, eax

loc_670BA5:				; CODE XREF: NP_CONTEXT::NpiLeafPageOut(NP_CONTEXT *,NP_CONTEXT::NP_CTX	*,_NP_LEAF_PTR *,ulong)+3Aj
		pop	edi
		pop	esi
		pop	ebp
		retn	8
?NpiLeafPageOut@NP_CONTEXT@@SGJPAU1@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@K@Z endp


;  S U B	R O U T	I N E 


; public: static long __stdcall	NP_CONTEXT::NpiPerformPageOut(struct NP_CONTEXT	*, struct NP_CONTEXT::NP_CTX *)
?NpiPerformPageOut@NP_CONTEXT@@SGJPAU1@PAUNP_CTX@1@@Z proc near
					; CODE XREF: NP_CONTEXT__NpNodeAllocate+F9AD7p
					; NP_CONTEXT::NpiGetReservedBuffer(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)+20p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx

loc_670BB4:				; CODE XREF: NP_CONTEXT::NpiPerformPageOut(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)+41j
		and	dword ptr [esi+28h], 0
		push	esi
		push	offset ?NpiTreeWalkCallback@NP_CONTEXT@@SGJPAX0PAK@Z ; NP_CONTEXT::NpiTreeWalkCallback(void *,void *,ulong *)
		push	edi
		call	dword ptr [esi+8]
		mov	eax, [esi+28h]
		mov	edx, edi
		push	ecx
		push	eax
		mov	ecx, esi
		mov	ebx, [eax]
		and	ebx, 0FFFFF000h
		call	?NpiLeafPageOut@NP_CONTEXT@@SGJPAU1@PAUNP_CTX@1@PAT_NP_LEAF_PTR@@K@Z ; NP_CONTEXT::NpiLeafPageOut(NP_CONTEXT *,NP_CONTEXT::NP_CTX *,_NP_LEAF_PTR *,ulong)
		test	eax, eax
		js	short loc_670BF0
		push	1
		mov	edx, ebx
		mov	ecx, edi
		call	NP_CONTEXT__NpNodeFree
		mov	eax, [esi+18h]
		cmp	eax, [esi]
		ja	short loc_670BB4
		xor	eax, eax

loc_670BF0:				; CODE XREF: NP_CONTEXT::NpiPerformPageOut(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)+2Fj
		pop	edi
		pop	esi
		pop	ebx
		retn
?NpiPerformPageOut@NP_CONTEXT@@SGJPAU1@PAUNP_CTX@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	NP_CONTEXT::NpiRebaseCallback(void *, void *, unsigned long *)
?NpiRebaseCallback@NP_CONTEXT@@SGJPAX0PAK@Z proc near
					; DATA XREF: NP_CONTEXT::NpLeafDerefInternal(NP_CONTEXT::NP_CTX	*,void * *)+8Fo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_670C3A
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ecx, [esi]
		mov	eax, ecx
		and	al, 3
		cmp	al, 1
		jnz	short loc_670C39
		mov	eax, ecx
		mov	edx, ecx
		shr	eax, 2
		and	edx, 0FFFFF003h
		push	edi
		mov	edi, [ebp+arg_4]
		and	eax, 3FFh
		cmp	eax, edi
		jbe	short loc_670C36
		mov	eax, edi
		shl	eax, 2
		sub	ecx, eax
		and	ecx, 0FFCh
		or	edx, ecx

loc_670C36:				; CODE XREF: NP_CONTEXT::NpiRebaseCallback(void	*,void *,ulong *)+31j
		mov	[esi], edx
		pop	edi

loc_670C39:				; CODE XREF: NP_CONTEXT::NpiRebaseCallback(void	*,void *,ulong *)+17j
		pop	esi

loc_670C3A:				; CODE XREF: NP_CONTEXT::NpiRebaseCallback(void	*,void *,ulong *)+9j
		xor	eax, eax
		pop	ebp
		retn	0Ch
?NpiRebaseCallback@NP_CONTEXT@@SGJPAX0PAK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	NP_CONTEXT::NpiTreeWalkCallback(void *,	void *,	unsigned long *)
?NpiTreeWalkCallback@NP_CONTEXT@@SGJPAX0PAK@Z proc near
					; DATA XREF: NP_CONTEXT::NpiPerformPageOut(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)+Eo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_8]
		mov	ecx, [edx]
		mov	eax, ecx
		and	al, 3
		cmp	al, 1
		jnz	short loc_670C72
		push	esi
		mov	esi, [ebp+arg_4]
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_670C6E
		mov	eax, [eax]
		push	edi
		mov	edi, 0FFCh
		and	ecx, edi
		and	eax, edi
		pop	edi
		cmp	ecx, eax
		jnb	short loc_670C71

loc_670C6E:				; CODE XREF: NP_CONTEXT::NpiTreeWalkCallback(void *,void *,ulong *)+1Bj
		mov	[esi+28h], edx

loc_670C71:				; CODE XREF: NP_CONTEXT::NpiTreeWalkCallback(void *,void *,ulong *)+2Cj
		pop	esi

loc_670C72:				; CODE XREF: NP_CONTEXT::NpiTreeWalkCallback(void *,void *,ulong *)+10j
		xor	eax, eax
		pop	ebp
		retn	0Ch
?NpiTreeWalkCallback@NP_CONTEXT@@SGJPAX0PAK@Z endp


;  S U B	R O U T	I N E 


; public: static void __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmCleanup(struct SMKM_STORE_MGR<struct SM_TRAITS> *)
?SmCleanup@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z proc near
					; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmReInitialize(SMKM_STORE_MGR<SM_TRAITS> *)+1Dp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_SmKmCleanup@4	; SmKmCleanup(x)
		lea	ecx, [esi+0F4h]
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_670C93
		call	?BTreeNodeFree@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@@@@Z ; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNodeFree(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>	*,B_TREE_HEADER<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY>::NODE *)

loc_670C93:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCleanup(SMKM_STORE_MGR<SM_TRAITS> *)+14j
		lea	ecx, [esi+368h]
		call	SmFpCleanup
		lea	ecx, [esi+3ACh]
		call	SmFpCleanup
		xor	edx, edx
		lea	ecx, [esi+300h]
		inc	edx
		call	?SmDrainSList@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAT_SLIST_HEADER@@K@Z ;	SMKM_STORE_MGR<SM_TRAITS>::SmDrainSList(_SLIST_HEADER *,ulong)
		lea	ecx, [esi+308h]
		call	?SmCompressCtxCleanup@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU_SM_COMPRESS_CONTEXT@1@@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmCompressCtxCleanup(SMKM_STORE_MGR<SM_TRAITS>::_SM_COMPRESS_CONTEXT *)
		xor	edx, edx
		lea	ecx, [esi+360h]
		inc	edx
		pop	esi
		jmp	?SmDrainSList@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAT_SLIST_HEADER@@K@Z ;	SMKM_STORE_MGR<SM_TRAITS>::SmDrainSList(_SLIST_HEADER *,ulong)
?SmCleanup@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z endp


;  S U B	R O U T	I N E 


; public: static void __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmCompressCtxCleanup(struct SMKM_STORE_MGR<struct SM_TRAITS>::_SM_COMPRESS_CONTEXT *)
?SmCompressCtxCleanup@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU_SM_COMPRESS_CONTEXT@1@@Z proc near
					; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCleanup(SMKM_STORE_MGR<SM_TRAITS> *)+45p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		push	esi
		call	ExAcquireSpinLockExclusive
		xor	edi, edi
		lea	edx, [esi+0Ch]
		push	edi
		push	edi
		push	edx
		mov	bl, al
		mov	[esi+34h], edi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esi+1Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		lea	ecx, [esi+48h]
		pop	esi
		pop	ebx
		jmp	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
?SmCompressCtxCleanup@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU_SM_COMPRESS_CONTEXT@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmFeEmpty(struct SMKM_STORE_MGR<struct SM_TRAITS> *)
?SmFeEmpty@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback+F7DF2p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [esi+0F0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		lea	edi, [esi+0F4h]
		mov	edx, [edi]
		test	edx, edx
		jz	short loc_670D65
		mov	ecx, edi
		call	?BTreeNodeFree@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@@@@Z ; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeNodeFree(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>	*,B_TREE_HEADER<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY>::NODE *)

loc_670D65:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+48j
		and	dword ptr [edi], 0
		lea	ecx, [esi+0F0h]
		and	dword ptr [edi+4], 0
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_670D8C
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]

loc_670D8C:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+6Ej
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_670F1D
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		cmp	ecx, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_670DC5
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_670DD3

loc_670DC5:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+A6j
		cmp	ecx, [ebp+var_20]
		jb	short loc_670DE6
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_670DE6

loc_670DD3:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+AFj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_C], eax

loc_670DE6:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+B4j
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+BDj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	byte ptr [ebp+var_4+3],	al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_670E32
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_670EA4
		mov	eax, [ebp+var_8]
		push	ecx
		push	[ebp+var_C]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_670E32:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+FBj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_670E48
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_670E48:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+12Aj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_670E92
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_670EA4
; 

loc_670E92:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+16Aj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]

loc_670EA4:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+105j
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+17Cj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_670F05
		test	edi, 8000h
		jz	short loc_670EC8
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_670EC8:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+1A9j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_670ED8
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_670ED8:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+1B8j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_670EEC
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_670EEC:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+1CBj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_670F05
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_670F05:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+1A1j
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+1E2j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_670F1D
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_670F1D
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_670F1D:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+83j
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeEmpty(SMKM_STORE_MGR<SM_TRAITS> *)+1FAj ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
?SmFeEmpty@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmFeSetEvictFailed(struct SMKM_STORE_MGR<struct SM_TRAITS> *,	union _SM_PAGE_KEY *, unsigned long, unsigned long)
?SmFeSetEvictFailed@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAT_SM_PAGE_KEY@@KK@Z proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+1233C6p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_61		= byte ptr -61h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [edx]
		lea	eax, [ebp+var_60]
		push	edi
		push	58h		; size_t
		xor	edi, edi
		push	edi		; int
		push	eax		; void *
		call	_memset
		lea	eax, [ebp+var_48]
		mov	[ebp+var_5C], edi
		mov	[ebp+var_60], eax
		add	esp, 0Ch
		mov	eax, large fs:124h
		mov	[ebp+var_58], edi
		mov	[ebp+var_4C], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], 8
		dec	word ptr [eax+13Eh]
		mov	[ebp+var_70], edi
		mov	[ebp+var_6C], edi
		nop
		xor	edx, edx
		mov	ecx, offset unk_7180B0
		call	ExAcquirePushLockExclusiveEx
		push	esi
		lea	edx, [ebp+var_60]
		mov	ecx, offset unk_7180B4
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		lea	eax, [ebp+var_60]
		push	eax
		lea	edx, [ebp+var_70]
		call	?BTreeIteratorFromSearchResult@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUITERATOR@1@PAUSEARCH_RESULT@1@@Z ; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeIteratorFromSearchResult(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::ITERATOR *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)
		mov	esi, [ebp+var_6C]
		mov	edx, [ebp+var_70]

loc_670FC7:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+D4j
		test	edx, edx
		jnz	short loc_670FCF
		xor	ecx, ecx
		jmp	short loc_670FFA
; 

loc_670FCF:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+97j
		movzx	eax, word ptr [edx]
		add	esi, 8
		inc	eax
		mov	[ebp+var_6C], esi
		mov	ecx, esi
		lea	eax, [edx+eax*8]
		cmp	ecx, eax
		jb	short loc_670FFA
		mov	ecx, [edx+4]
		test	ecx, ecx
		jz	short loc_670FF1
		lea	esi, [ecx+8]
		mov	edx, ecx
		mov	[ebp+var_6C], esi

loc_670FF1:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+B5j
		lea	eax, [ecx+8]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_670FFA:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+9Bj
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+AEj
		or	byte ptr [ecx+7], 1
		inc	edi
		mov	byte ptr [ecx+6], 3
		cmp	edi, [ebx+8]
		jnz	short loc_670FC7
		mov	[ebp+var_70], edx
		or	ecx, 0FFFFFFFFh
		mov	edx, offset unk_7180B0
		mov	[ebp+var_74], ecx
		mov	eax, ecx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_671031
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh
		mov	edx, offset unk_7180B0

loc_671031:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+EEj
		xor	edi, edi
		mov	[ebp+var_78], edi
		test	edx, 7FFFFFFCh
		jz	loc_6711C6
		mov	esi, large fs:124h
		mov	eax, edx
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_68], esi
		cmp	edx, offset unk_7180B0
		ja	short loc_671089
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_671079
		cmp	edx, offset unk_7180B0
		ja	short loc_671089
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_671089

loc_671079:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+134j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_74], eax

loc_671089:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+12Bj
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+13Cj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	edx, offset unk_7180B0
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_61], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_7C], ecx
		test	ecx, ecx
		jnz	short loc_6710D9
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_67114B
		push	ecx
		push	[ebp+var_74]
		push	offset unk_7180B0
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6710D9:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+183j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_6710EF
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_7C]

loc_6710EF:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+1B3j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_78], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_61], 1
		mov	edx, eax
		jnz	short loc_671139
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_67114B
; 

loc_671139:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+1F3j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_68]

loc_67114B:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+18Dj
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+205j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_68], eax
		jz	short loc_6711AE
		test	edi, 8000h
		jz	short loc_67116F
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_67116F:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+232j
		test	byte ptr [ebp+var_78+2], 1
		jz	short loc_67117F
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_67117F:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+241j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_671193
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_671193:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+254j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_6711AE
		push	[ebp+var_68]
		mov	edx, offset unk_7180B0
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_6711AE:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+22Aj
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+26Bj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_6711C6
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_6711C6
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_6711C6:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+10Aj
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+285j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
?SmFeSetEvictFailed@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAT_SM_PAGE_KEY@@KK@Z endp ;	sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmReInitialize(struct	SMKM_STORE_MGR<struct SM_TRAITS> *)
?SmReInitialize@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z proc near
					; CODE XREF: SmFirstTimeInit+F82F8p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, ecx
		mov	eax, [esi+464h]
		mov	[ebp+var_8], eax
		mov	eax, [esi+468h]
		mov	[ebp+var_4], eax
		call	?SmCleanup@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmCleanup(SMKM_STORE_MGR<SM_TRAITS> *)
		lea	edx, [ebp+var_8]
		mov	ecx, esi	; void *
		call	?SmInitialize@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAU_SMKM_STORE_MGR_PARAMS@@@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmInitialize(SMKM_STORE_MGR<SM_TRAITS> *,_SMKM_STORE_MGR_PARAMS	*)
		pop	esi
		leave
		retn
?SmReInitialize@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z endp


;  S U B	R O U T	I N E 


; public: static long __stdcall	SMKM_STORE<struct SM_TRAITS>::SmStAllocatePhysicalRegion(struct	SMKM_STORE<struct SM_TRAITS> *,	unsigned long)
?SmStAllocatePhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU1@K@Z proc	near
					; CODE XREF: ST_STORE_SM_TRAITS___StMapAndLockRegion:loc_49A109p
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, [ecx+1184h]
		xor	esi, esi
		push	edi
		push	0Dh
		push	1
		push	dword ptr [ecx+117Ch]
		mov	edi, edx
		push	esi
		push	esi
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	esi
		push	esi
		call	_MmAllocatePagesForMdlEx@36 ; MmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_671247
		mov	esi, 0C000009Ah
		jmp	short loc_67124A
; 

loc_671247:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStAllocatePhysicalRegion(SMKM_STORE<SM_TRAITS> *,ulong)+28j
		mov	[ebx+edi*4], eax

loc_67124A:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStAllocatePhysicalRegion(SMKM_STORE<SM_TRAITS> *,ulong)+2Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
?SmStAllocatePhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU1@K@Z endp


;  S U B	R O U T	I N E 


; public: static char *	__stdcall SMKM_STORE<struct SM_TRAITS>::SmStGetRegionVA(struct SMKM_STORE<struct SM_TRAITS> *, unsigned	long)
?SmStGetRegionVA@?$SMKM_STORE@USM_TRAITS@@@@SGPADPAU1@K@Z proc near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+C5p
		test	byte ptr [ecx+10F5h], 4
		mov	eax, [ecx+1184h]
		mov	eax, [eax+edx*4]
		jz	short loc_671268
		and	eax, 7FFF0000h
		retn
; 

loc_671268:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStGetRegionVA(SMKM_STORE<SM_TRAITS> *,ulong)+10j
		and	eax, 0FFFFFFF8h
		mov	eax, [eax+0Ch]
		retn
?SmStGetRegionVA@?$SMKM_STORE@USM_TRAITS@@@@SGPADPAU1@K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void *	__stdcall SMKM_STORE<struct SM_TRAITS>::SmStMapPhysicalRegion(struct SMKM_STORE<struct SM_TRAITS> *, unsigned long, unsigned long, unsigned long, unsigned long)
?SmStMapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z proc	near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong):loc_499E6Ep
					; ST_STORE_SM_TRAITS___StMapAndLockRegion:loc_49A0A5p ...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, [ebx+1184h]
		mov	eax, [edi+esi*4]
		mov	edx, eax
		and	edx, 0FFFFFFF8h
		test	al, 3
		jnz	short loc_6712B3
		mov	eax, [ebp+arg_8]
		mov	ecx, large fs:124h
		and	eax, 1
		push	eax
		push	edx
		push	ecx
		push	5
		lea	ecx, [ebx+1270h]
		pop	edx
		call	SmFpAllocate
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_6712B6
		jmp	short loc_6712C7
; 

loc_6712B3:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapPhysicalRegion(SMKM_STORE<SM_TRAITS>	*,ulong,ulong,ulong,ulong)+1Cj
		mov	ecx, [edx+0Ch]

loc_6712B6:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapPhysicalRegion(SMKM_STORE<SM_TRAITS>	*,ulong,ulong,ulong,ulong)+40j
		test	byte ptr [ebp+arg_8], 10h
		push	0
		pop	eax
		setnz	al
		inc	eax
		or	[edi+esi*4], eax
		add	ecx, [ebp+arg_0]

loc_6712C7:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStMapPhysicalRegion(SMKM_STORE<SM_TRAITS>	*,ulong,ulong,ulong,ulong)+42j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		pop	ebp
		retn	0Ch
?SmStMapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGPAXPAU1@KKKK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	SMKM_STORE<struct SM_TRAITS>::SmStUnhandledExceptionFilter(void	*, struct _EXCEPTION_POINTERS *, enum  SMKM_STORE<struct SM_TRAITS>::_SMST_STORE_EXCEPTION_SOURCE)
?SmStUnhandledExceptionFilter@?$SMKM_STORE@USM_TRAITS@@@@SGJPAXPAU_EXCEPTION_POINTERS@@W4_SMST_STORE_EXCEPTION_SOURCE@1@@Z proc	near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+201p
					; sub_5D4A73+8p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	14h
		push	offset dword_6A9470
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		cmp	[ebp+arg_0], 1
		jnz	short loc_671321
		mov	eax, [edx]
		mov	eax, [eax]
		cmp	eax, 0C0000005h
		jz	short loc_6712FA
		cmp	eax, 0C0000420h
		jnz	short loc_671321

loc_6712FA:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnhandledExceptionFilter(void *,_EXCEPTION_POINTERS *,SMKM_STORE<SM_TRAITS>::_SMST_STORE_EXCEPTION_SOURCE)+21j
		and	[ebp+ms_exc.disabled], 0
		push	1
		mov	ecx, [ebp+var_1C]
		lea	ecx, [ecx+0A4h]
		push	2
		pop	edx
		call	_SmHpChunkHeapProtect@12 ; SmHpChunkHeapProtect(x,x,x)
		jmp	short loc_67131A
; 

loc_671313:				; DATA XREF: .text:006A9484o
		xor	eax, eax
		inc	eax
		retn
; 

loc_671317:				; DATA XREF: .text:006A9488o
		mov	esp, [ebp+ms_exc.old_esp]

loc_67131A:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnhandledExceptionFilter(void *,_EXCEPTION_POINTERS *,SMKM_STORE<SM_TRAITS>::_SMST_STORE_EXCEPTION_SOURCE)+41j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_671321:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnhandledExceptionFilter(void *,_EXCEPTION_POINTERS *,SMKM_STORE<SM_TRAITS>::_SMST_STORE_EXCEPTION_SOURCE)+16j
					; SMKM_STORE<SM_TRAITS>::SmStUnhandledExceptionFilter(void *,_EXCEPTION_POINTERS *,SMKM_STORE<SM_TRAITS>::_SMST_STORE_EXCEPTION_SOURCE)+28j
		mov	edx, [ebp+var_20]
		test	edx, edx
		jz	short loc_67133B
		push	0
		push	[ebp+arg_0]
		push	edx
		push	[ebp+var_1C]
		push	154h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_67133B:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnhandledExceptionFilter(void *,_EXCEPTION_POINTERS *,SMKM_STORE<SM_TRAITS>::_SMST_STORE_EXCEPTION_SOURCE)+56j
		xor	eax, eax
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
?SmStUnhandledExceptionFilter@?$SMKM_STORE@USM_TRAITS@@@@SGJPAXPAU_EXCEPTION_POINTERS@@W4_SMST_STORE_EXCEPTION_SOURCE@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE<struct SM_TRAITS>::SmStUnmapPhysicalRegion(struct SMKM_STORE<struct SM_TRAITS> *, unsigned long, unsigned long, unsigned long, void *, unsigned long)
?SmStUnmapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z proc near
					; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong):loc_499E38p
					; SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong):loc_499F29p ...

arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, ecx
		and	al, 4
		push	esi
		push	edi
		movzx	eax, al
		mov	edi, [ebx+1184h]
		mov	esi, [edi+edx*4]
		mov	ecx, esi
		and	ecx, 0FFFFFFF8h
		neg	eax
		sbb	eax, eax
		sub	eax, 2
		and	eax, esi
		mov	[edi+edx*4], eax
		test	al, 3
		jnz	short loc_671396
		mov	eax, large fs:124h
		push	ecx
		push	eax
		push	5
		lea	ecx, [ebx+1270h]
		pop	edx
		call	SmFpFree

loc_671396:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStUnmapPhysicalRegion(SMKM_STORE<SM_TRAITS> *,ulong,ulong,ulong,void *,ulong)+2Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	10h
?SmStUnmapPhysicalRegion@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@KKKPAXK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StAddRemoveRegions(struct ST_STORE<struct SM_TRAITS> *, struct ST_STORE<struct SM_TRAITS>::_ST_WORK_ITEM *)
?StAddRemoveRegions@?$ST_STORE@USM_TRAITS@@@@SGJPAU1@PAU_ST_WORK_ITEM@1@@Z proc	near
					; CODE XREF: ST_STORE<SM_TRAITS>::StChangeState(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *,long	*):loc_671527p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, edx
		lea	eax, [ecx+38h]
		mov	[ebp+var_18], eax
		push	esi
		push	edi
		mov	eax, [ebx+4]
		xor	edi, edi
		mov	ecx, [ebx+0Ch]
		and	al, 7
		mov	[ebp+var_4], edi
		mov	[ebp+var_10], ecx
		cmp	al, 4
		jnz	loc_67149F
		mov	eax, [ebx+8]
		mov	[ebp+var_20], eax

loc_6713CF:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+FCj
		test	ecx, ecx
		jz	loc_6714F6
		mov	ecx, [eax]
		mov	edx, [ebp+var_4]
		cmp	edx, ecx
		mov	eax, [eax+4]
		sbb	esi, esi
		mov	[ebp+var_C], ecx
		and	esi, edx
		mov	[ebp+var_8], eax
		lea	ebx, [ecx-1]

loc_6713EE:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+D9j
		mov	eax, ebx
		mov	[ebp+var_14], esi
		sub	eax, esi
		mov	[ebp+var_1C], edi
		inc	eax
		cmp	eax, 1
		jnb	short loc_671403
		or	esi, 0FFFFFFFFh
		jmp	short loc_671466
; 

loc_671403:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+5Ej
		mov	ecx, [ebp+var_8]
		mov	eax, ebx
		shr	eax, 5
		xor	edx, edx
		inc	edx
		lea	eax, [ecx+eax*4]
		mov	ecx, esi
		mov	[ebp+var_1C], eax
		and	ecx, 1Fh
		shl	edx, cl
		mov	eax, esi
		mov	ecx, [ebp+var_8]
		dec	edx
		shr	eax, 5
		lea	esi, [ecx+eax*4]
		mov	eax, [esi]
		not	eax
		or	eax, edx
		or	edx, 0FFFFFFFFh
		cmp	eax, edx
		jnz	short loc_671449
		mov	ecx, [ebp+var_1C]

loc_671437:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+A6j
		add	esi, 4
		cmp	esi, ecx
		ja	short loc_67147C
		mov	eax, [esi]
		not	eax
		cmp	eax, edx
		jz	short loc_671437
		mov	ecx, [ebp+var_8]

loc_671449:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+94j
		not	eax
		sub	esi, ecx
		bsf	eax, eax
		sar	esi, 2
		shl	esi, 5
		add	esi, eax
		cmp	esi, ebx
		ja	short loc_67147C
		cmp	esi, edx
		jnz	short loc_671480

loc_671460:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+E0j
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_4]

loc_671466:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+63j
		cmp	[ebp+var_14], edi
		jz	short loc_671480
		lea	ebx, [edx+1]
		cmp	ebx, ecx
		jbe	short loc_671474
		mov	ebx, ecx

loc_671474:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+D2j
		dec	ebx
		mov	esi, edi
		jmp	loc_6713EE
; 

loc_67147C:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+9Ej
					; ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+BCj
		mov	esi, edx
		jmp	short loc_671460
; 

loc_671480:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+C0j
					; ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+CBj
		mov	ecx, [ebp+var_18]
		mov	edx, esi
		call	?StDmRegionAdd@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@K@Z ; ST_STORE<SM_TRAITS>::StDmRegionAdd(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ulong)
		mov	ecx, [ebp+var_10]
		lea	eax, [esi+1]
		dec	ecx
		mov	[ebp+var_4], eax
		mov	eax, [ebp+var_20]
		mov	[ebp+var_10], ecx
		jmp	loc_6713CF
; 

loc_67149F:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+25j
		mov	esi, edi
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_14], esi
		test	ecx, ecx
		jz	short loc_6714F3

loc_6714AB:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+143j
		mov	ecx, [ebp+var_18]
		lea	edx, [ebp+var_4]
		call	?StDmRegionRemove@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAK@Z ;	ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ulong	*)
		mov	edi, eax
		test	edi, edi
		js	short loc_6714E5
		mov	ecx, [ebx+8]
		mov	esi, [ecx+4]
		mov	ecx, [ebp+var_4]
		mov	edx, ecx
		shr	edx, 3
		and	ecx, 7
		movzx	eax, byte ptr [edx+esi]
		bts	eax, ecx
		mov	[edx+esi], al
		mov	esi, [ebp+var_14]
		inc	esi
		mov	[ebp+var_14], esi
		cmp	esi, [ebp+var_10]
		jb	short loc_6714AB
		jmp	short loc_6714F3
; 

loc_6714E5:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+11Cj
		lea	eax, [edi+3FFFFFFAh]
		neg	eax
		sbb	eax, eax
		not	eax
		and	edi, eax

loc_6714F3:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+10Bj
					; ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+145j
		mov	[ebx+0Ch], esi

loc_6714F6:				; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+33j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
?StAddRemoveRegions@?$ST_STORE@USM_TRAITS@@@@SGJPAU1@PAU_ST_WORK_ITEM@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StChangeState(struct ST_STORE<struct SM_TRAITS> *, struct ST_STORE<struct SM_TRAITS>::_ST_WORK_ITEM	*, long	*)
?StChangeState@?$ST_STORE@USM_TRAITS@@@@SGJPAU1@PAU_ST_WORK_ITEM@1@PAJ@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+1320CCp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [edx+4]
		and	eax, 7
		jnz	short loc_671516
		xor	edx, edx
		call	?StEmptyStore@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@K@Z ; ST_STORE<SM_TRAITS>::StEmptyStore(ST_STORE<SM_TRAITS> *,ulong)
		xor	eax, eax
		jmp	short loc_671532
; 

loc_671516:				; CODE XREF: ST_STORE<SM_TRAITS>::StChangeState(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *,long	*)+Cj
		cmp	eax, 4
		jz	short loc_671527
		cmp	eax, 5
		jz	short loc_671527
		mov	eax, 0C000000Dh
		jmp	short loc_671532
; 

loc_671527:				; CODE XREF: ST_STORE<SM_TRAITS>::StChangeState(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *,long	*)+1Cj
					; ST_STORE<SM_TRAITS>::StChangeState(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *,long *)+21j
		call	?StAddRemoveRegions@?$ST_STORE@USM_TRAITS@@@@SGJPAU1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)
		mov	ecx, [ebp+arg_0]
		and	dword ptr [ecx], 0

loc_671532:				; CODE XREF: ST_STORE<SM_TRAITS>::StChangeState(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *,long	*)+17j
					; ST_STORE<SM_TRAITS>::StChangeState(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *,long *)+28j
		pop	ecx
		pop	ebp
		retn	4
?StChangeState@?$ST_STORE@USM_TRAITS@@@@SGJPAU1@PAU_ST_WORK_ITEM@1@PAJ@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StCompactionPerformEmergency(struct	ST_STORE<struct	SM_TRAITS>::_ST_DATA_MGR *)
?StCompactionPerformEmergency@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+13201Ep

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	esi, esi
		push	edi
		push	esi
		xor	edx, edx
		mov	edi, esi
		mov	eax, [ebx+1B4h]
		mov	[ebp+var_14], eax
		call	ST_STORE_SM_TRAITS___StDmLazyRegionsWorker
		mov	eax, [ebp+var_14]
		mov	cl, 1
		mov	[ebp+var_10], esi
		lea	eax, [eax-1000h]
		shr	eax, 4
		mov	[ebp+var_24], eax
		call	KiQueryUnbiasedInterruptTime
		mov	ecx, [ebx+240h]
		mov	[ebp+var_1C], eax
		mov	eax, [ebx+264h]
		mov	[ebp+var_20], edx
		lea	edx, [ecx+eax*2]
		mov	eax, [ebx+1E4h]
		mov	[ebp+var_18], edx
		lea	eax, [ecx+eax*2]
		mov	[ebp+var_8], eax

loc_671596:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+20Fj
		mov	ecx, edx
		mov	[ebp+var_4], ecx
		cmp	edx, eax
		jnb	loc_67172D

loc_6715A3:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+1E5j
		mov	ecx, [ebx+1C0h]
		xor	edx, edx
		inc	edx
		call	SmWorkQueueGetDepth
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_6715FC
		mov	eax, [ebp+var_10]
		test	al, 7
		jnz	short loc_6715FC
		test	eax, eax
		jz	short loc_6715FC
		mov	cl, dl
		call	KiQueryUnbiasedInterruptTime
		sub	eax, [ebp+var_1C]
		sbb	edx, [ebp+var_20]
		cmp	[ebp+var_C], 40h
		jnb	short loc_6715E7
		cmp	edx, esi
		ja	loc_671724
		jb	short loc_6715FC
		cmp	eax, 2FAF080h
		jmp	short loc_6715F6
; 

loc_6715E7:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+9Dj
		cmp	edx, esi
		ja	loc_671724
		jb	short loc_6715FC
		cmp	eax, 1C9C380h

loc_6715F6:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+AEj
		jnb	loc_671724

loc_6715FC:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+7Fj
					; ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+86j ...
		mov	ecx, [ebp+var_4]
		mov	edx, 1FFFh
		movzx	eax, word ptr [ecx]
		test	eax, edx
		jz	loc_671711
		mov	[ebp+var_28], eax
		and	eax, edx
		cmp	eax, [ebp+var_24]
		ja	loc_671711
		mov	eax, ecx
		mov	ecx, [ebx+1C0h]
		sub	eax, [ebx+240h]
		sar	eax, 1
		mov	edx, eax
		mov	[ebp+var_C], eax
		call	?SmStIsRegionBusy@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@K@Z ; SMKM_STORE<SM_TRAITS>::SmStIsRegionBusy(SMKM_STORE<SM_TRAITS> *,ulong)
		test	eax, eax
		jz	short loc_671643

loc_67163B:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+16Cj
					; ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+171j
		xor	edi, edi
		inc	edi
		jmp	loc_67170E
; 

loc_671643:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+102j
		mov	ecx, [ebp+var_28]
		movzx	eax, byte ptr [ebx+1ACh]
		shr	ecx, 0Dh
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx
		mov	ecx, [ebp+var_C]
		imul	eax, 0Ch
		cmp	ecx, [eax+ebx+2B4h]
		jz	loc_67170E
		inc	[ebp+var_10]
		xor	edx, edx
		push	esi
		push	ecx
		push	esi
		push	ecx
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StCompactRegions
		test	eax, eax
		jns	short loc_6716C9
		push	2
		pop	edx
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StDmCheckForCompaction
		cmp	eax, 2
		jnz	loc_671724
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		push	1
		push	esi
		call	ST_STORE_SM_TRAITS___StMapAndLockRegion
		mov	edx, eax
		test	edx, edx
		jz	short loc_67163B
		cmp	edx, 0FFFFFFFFh
		jz	short loc_67163B
		mov	eax, [ebp+var_C]
		mov	ecx, ebx
		push	esi
		push	eax
		push	edx
		push	eax
		call	ST_STORE_SM_TRAITS___StCompactRegions
		test	eax, eax
		jns	short loc_6716BE
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_6716BE:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+183j
		mov	edx, [ebp+var_C]
		push	ecx
		mov	ecx, ebx
		call	?StUnlockAndUnmapRegion@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@KPAD@Z ; ST_STORE<SM_TRAITS>::StUnlockAndUnmapRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,char *)

loc_6716C9:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+146j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		movzx	eax, word ptr [eax]
		and	eax, 1FFFh
		shl	eax, 4
		add	eax, 0FFFh
		and	eax, 0FFFFF000h
		mov	[ebp+var_28], eax
		mov	eax, [ebx+1C0h]
		mov	eax, [eax+1184h]
		mov	ecx, [eax+ecx*4]
		test	ecx, ecx
		js	short loc_67170E
		mov	edx, [ebp+var_14]
		and	ecx, 7FFF0000h
		sub	edx, [ebp+var_28]
		add	ecx, [ebp+var_28]
		call	_MmStoreDecommitVirtualMemory@8	; MmStoreDecommitVirtualMemory(x,x)

loc_67170E:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+107j
					; ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+12Ej ...
		mov	ecx, [ebp+var_4]

loc_671711:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+D2j
					; ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+E0j
		mov	eax, [ebp+var_8]
		add	ecx, 2
		mov	[ebp+var_4], ecx
		cmp	ecx, eax
		jb	loc_6715A3
		jmp	short loc_67172A
; 

loc_671724:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+A1j
					; ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+B2j ...
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]

loc_67172A:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+1EBj
		mov	edx, [ebp+var_18]

loc_67172D:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+66j
		cmp	ecx, eax
		jnz	short loc_67174B
		mov	eax, [ebx+240h]
		cmp	edx, eax
		jz	short loc_671756
		mov	[ebp+var_8], edx
		mov	edx, eax
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_8]
		jmp	loc_671596
; 

loc_67174B:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+1F8j
		mov	esi, [ebp+var_4]
		sub	esi, [ebx+240h]
		sar	esi, 1

loc_671756:				; CODE XREF: ST_STORE<SM_TRAITS>::StCompactionPerformEmergency(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+202j
		neg	edi
		mov	[ebx+264h], esi
		sbb	edi, edi
		and	edi, 0C000022Dh
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
?StCompactionPerformEmergency@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StCopyIoStats(struct _ST_IO_STATS *, struct	_ST_IO_COUNTS *)
?StCopyIoStats@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_IO_STATS@@PAU_ST_IO_COUNTS@@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D113Fp
					; SMKM_STORE<SM_TRAITS>::SmStEtwFillStoreStatsEvent(SMKM_STORE<SM_TRAITS> *,_SMKM_EVENT_DESCRIPTOR *)+94p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	edi
		push	40h
		pop	edi
		mov	eax, [ebx+4]
		lea	edx, [ecx+4]
		inc	eax
		cmp	eax, edi
		jbe	short loc_67178A
		mov	eax, edi

loc_67178A:				; CODE XREF: ST_STORE<SM_TRAITS>::StCopyIoStats(_ST_IO_STATS *,_ST_IO_COUNTS *)+19j
		mov	[ecx], eax
		mov	eax, [ebx+4]
		cmp	eax, edi
		jb	short loc_6717C8
		push	esi
		lea	esi, [eax+1]
		mov	ecx, 500h
		and	esi, 3Fh
		imul	eax, esi, 14h
		sub	ecx, eax
		imul	eax, esi, 14h
		push	ecx		; size_t
		add	eax, 10h
		add	eax, ebx
		push	eax		; void *
		push	edx		; void *
		call	_memcpy
		mov	edx, [ebp+var_4]
		sub	edi, esi
		imul	eax, edi, 14h
		add	esp, 0Ch
		add	edx, 4
		pop	esi
		add	edx, eax
		mov	eax, [ebx+4]

loc_6717C8:				; CODE XREF: ST_STORE<SM_TRAITS>::StCopyIoStats(_ST_IO_STATS *,_ST_IO_COUNTS *)+24j
		inc	eax
		and	eax, 3Fh
		imul	eax, 14h
		push	eax		; size_t
		lea	eax, [ebx+10h]
		push	eax		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		pop	edi
		pop	ebx
		leave
		retn
?StCopyIoStats@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_IO_STATS@@PAU_ST_IO_COUNTS@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static struct	ST_STORE<struct	SM_TRAITS>::_ST_WORK_ITEM * __stdcall ST_STORE<struct SM_TRAITS>::StDeviceIoBuild(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_LOCATION *, unsigned long, void *)
?StDeviceIoBuild@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_WORK_ITEM@1@PAU_ST_DATA_MGR@1@PAU_ST_PAGE_LOCATION@1@KPAX@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaPerformIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong)+45p
					; ST_STORE<SM_TRAITS>::StDmSinglePageRetrieveSync(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,void *,void *,ulong)+63p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_18], 0
		mov	eax, edx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		push	esi
		push	edi
		movzx	edi, word ptr [eax+4]
		mov	eax, [eax]
		mov	edx, [ebx+1BCh]
		mov	esi, [ebx+1C4h]
		mov	ecx, [ebx+1C8h]
		and	esi, eax
		add	edi, [ebx+1D4h]
		shr	eax, cl
		lea	ecx, [edx-1]
		mov	[ebp+var_14], eax
		lea	eax, [edx-1]
		shl	esi, 4
		dec	edx
		and	esi, ecx
		add	eax, esi
		add	eax, edi
		and	eax, ecx
		mov	ecx, ebx
		sub	esi, eax
		add	esi, edx
		mov	edx, [ebp+var_14]
		add	esi, edi
		mov	[ebp+var_C], esi
		call	?StRegionReadReference@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@K@Z ; ST_STORE<SM_TRAITS>::StRegionReadReference(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ulong)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_6719DB
		mov	eax, [ebx+1BCh]
		mov	edx, [ebx+424h]
		add	eax, 1Ch
		add	eax, esi
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	short loc_671871
		mov	eax, edx
		or	eax, 1
		mov	[ebx+424h], eax
		jmp	short loc_67188E
; 

loc_671871:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+81j
		push	74536D73h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_4], eax
		test	edx, edx
		jz	loc_6719CA

loc_67188E:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+8Ej
		mov	esi, [ebp+var_8]
		lea	edi, [edx+0Ch]
		xor	eax, eax
		mov	[edx+4], eax
		mov	[edx+8], eax
		mov	[edx+0Ch], eax
		mov	[edx+10h], eax
		mov	[edx+14h], eax
		mov	[edx+18h], eax
		mov	dword ptr [edx], 1
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebx+1C0h]
		test	dword ptr [eax], 2000h
		jz	short loc_6718C5
		push	20h
		pop	edi
		jmp	short loc_6718F5
; 

loc_6718C5:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+DDj
		mov	eax, [edx]
		mov	ecx, [ebx+1BCh]
		shl	eax, 4
		add	eax, 0Bh
		add	eax, ecx
		neg	ecx
		add	eax, edx
		and	eax, ecx
		mov	ecx, [ebp+var_C]
		and	eax, 0FFFh
		add	ecx, 0FFFh
		add	eax, ecx
		shr	eax, 0Ch
		lea	edi, ds:3Ch[eax*4]

loc_6718F5:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+E2j
		mov	esi, [ebx+428h]
		test	esi, esi
		jz	short loc_67190C
		mov	eax, esi
		or	eax, 1
		mov	[ebx+428h], eax
		jmp	short loc_671922
; 

loc_67190C:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+11Cj
		push	74536D73h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_67196C

loc_671922:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+129j
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		or	dword ptr [esi], 7
		mov	ecx, [ebp+var_4]
		mov	[esi+4], eax
		mov	eax, [ebp+var_8]
		mov	[esi+8], ecx
		mov	[ebp+var_18], esi
		mov	eax, [eax]
		mov	[esi+0Ch], eax
		mov	eax, [esi+10h]
		mov	ecx, [ebx+1D8h]
		and	eax, 1Dh
		and	ecx, 2
		or	ecx, eax
		mov	eax, [ebp+var_C]
		shl	eax, 5
		or	ecx, eax
		mov	[esi+10h], ecx
		xor	ecx, ecx
		xor	esi, esi
		xor	edi, edi
		jmp	short loc_671972
; 

loc_67196C:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+13Fj
		mov	ecx, [ebp+var_4]
		mov	edi, [ebp+var_10]

loc_671972:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+189j
		test	ecx, ecx
		jz	short loc_67199D
		mov	edx, [ebx+424h]
		test	dl, 1
		jz	short loc_671995
		mov	eax, ecx
		or	eax, 1
		cmp	eax, edx
		jnz	short loc_671995
		and	edx, 0FFFFFFFEh
		mov	[ebx+424h], edx
		jmp	short loc_67199D
; 

loc_671995:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+19Ej
					; ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+1A7j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_67199D:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+193j
					; ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+1B2j
		test	esi, esi
		jz	short loc_6719CD
		mov	ecx, [ebx+428h]
		test	cl, 1
		jz	short loc_6719C0
		mov	eax, esi
		or	eax, 1
		cmp	eax, ecx
		jnz	short loc_6719C0
		and	ecx, 0FFFFFFFEh
		mov	[ebx+428h], ecx
		jmp	short loc_6719CD
; 

loc_6719C0:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+1C9j
					; ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+1D2j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_6719CD
; 

loc_6719CA:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+A7j
		mov	edi, [ebp+var_10]

loc_6719CD:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+1BEj
					; ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+1DDj	...
		test	edi, edi
		jz	short loc_6719DB
		mov	edx, [ebp+var_14]
		mov	ecx, ebx
		call	?StRegionReadDereference@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@K@Z ; ST_STORE<SM_TRAITS>::StRegionReadDereference(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)

loc_6719DB:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+65j
					; ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+1EEj
		mov	eax, [ebp+var_18]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
?StDeviceIoBuild@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_WORK_ITEM@1@PAU_ST_DATA_MGR@1@PAU_ST_PAGE_LOCATION@1@KPAX@Z endp


;  S U B	R O U T	I N E 


; public: static unsigned long __stdcall ST_STORE<struct SM_TRAITS>::StDeviceIoIsFailed(struct ST_STORE<struct SM_TRAITS>::_ST_DEVICE_IO *, long *)
?StDeviceIoIsFailed@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DEVICE_IO@1@PAJ@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+F3p
					; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+2ECp
		test	byte ptr [ecx+0Ch], 1
		jnz	short loc_6719EE
		xor	eax, eax
		retn
; 

loc_6719EE:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoIsFailed(ST_STORE<SM_TRAITS>::_ST_DEVICE_IO	*,long *)+4j
		test	edx, edx
		jz	short loc_671A00
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_6719FC
		lea	ecx, [eax+4]

loc_6719FC:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoIsFailed(ST_STORE<SM_TRAITS>::_ST_DEVICE_IO	*,long *)+12j
		mov	eax, [ecx]
		mov	[edx], eax

loc_671A00:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoIsFailed(ST_STORE<SM_TRAITS>::_ST_DEVICE_IO	*,long *)+Bj
		xor	eax, eax
		inc	eax
		retn
?StDeviceIoIsFailed@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DEVICE_IO@1@PAJ@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDeviceIoIssue(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, struct _PF_QUEUE	*)
?StDeviceIoIssue@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_PF_QUEUE@@@Z	proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaPerformIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong)+84p
					; ST_STORE<SM_TRAITS>::StDmSinglePageRetrieveSync(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,void *,void *,ulong)+B2p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	edx, 8000000Eh

loc_671A19:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoIssue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_PF_QUEUE	*)+10Bj
		mov	esi, [edi+4]
		cmp	esi, edi
		jz	loc_671B4F
		mov	ebx, [edi]
		mov	eax, [ebx]
		and	eax, 0FFFFFFF8h
		mov	[edi], eax
		cmp	ebx, esi
		jnz	short loc_671A39
		and	dword ptr [edi], 0
		mov	[edi+4], edi
		jmp	short loc_671A4E
; 

loc_671A39:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoIssue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_PF_QUEUE	*)+2Bj
		mov	ecx, [esi]
		mov	eax, ecx
		shr	eax, 3
		and	ecx, 7
		lea	eax, ds:0FFFFFFF8h[eax*8]
		or	eax, ecx
		mov	[esi], eax

loc_671A4E:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoIssue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_PF_QUEUE	*)+33j
		mov	edx, [ebp+var_4]
		lea	esi, [ebx+4]
		mov	ecx, [esi+8]
		mov	[ebp+var_C], ecx
		mov	eax, [edx+1C4h]
		and	eax, ecx
		mov	ecx, [edx+1C8h]
		shr	[ebp+var_C], cl
		mov	ecx, [esi+0Ch]
		shl	eax, 4
		mov	[ebp+var_8], eax
		mov	eax, [edx+1BCh]
		neg	eax
		and	[ebp+var_8], eax
		mov	eax, ecx
		shr	eax, 5
		cmp	dword ptr [edx+42Ch], 0
		mov	[ebp+var_14], eax
		mov	eax, [esi+4]
		mov	[ebp+var_10], eax
		mov	eax, ecx
		jz	short loc_671AB1
		test	cl, 4
		jnz	short loc_671AB1
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, [ebp+var_10]
		mov	[ecx+4], eax
		mov	[ecx+8], edx
		mov	eax, [esi+0Ch]

loc_671AB1:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoIssue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_PF_QUEUE	*)+92j
					; ST_STORE<SM_TRAITS>::StDeviceIoIssue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_PF_QUEUE *)+97j
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_14]
		shr	eax, 3
		and	eax, 1
		mov	ecx, [ecx+228h]
		or	eax, esi
		push	eax
		push	0
		call	_StEtaIoStart@16 ; StEtaIoStart(x,x,x,x)
		or	dword ptr [esi+0Ch], 8
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_10]
		mov	ecx, [eax+1BCh]
		mov	eax, [edx]
		lea	esi, [edx+0Bh]
		mov	edx, [ebp+var_C]
		shl	eax, 4
		add	eax, ecx
		neg	ecx
		add	esi, eax
		mov	eax, ebx
		or	eax, 1
		and	esi, ecx
		push	eax
		mov	eax, [ebp+var_4]
		push	esi
		push	[ebp+var_14]
		push	[ebp+var_8]
		mov	ecx, [eax+1C0h]
		call	_SmIssueIo@24	; SmIssueIo(x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jns	loc_671A19
		or	dword ptr [ebx+10h], 1
		mov	eax, [ebx+8]
		test	eax, eax
		jz	short loc_671B25
		mov	[eax+4], edx
		jmp	short loc_671B28
; 

loc_671B25:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoIssue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_PF_QUEUE	*)+11Aj
		mov	[ebx+4], edx

loc_671B28:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoIssue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_PF_QUEUE	*)+11Fj
		mov	eax, [edi+4]
		mov	eax, [eax]
		shr	eax, 3
		lea	ecx, ds:8[eax*8]
		mov	eax, [ebx]
		and	eax, 7
		or	ecx, eax
		mov	[ebx], ecx
		mov	ecx, [edi+4]
		mov	eax, [ecx]
		and	eax, 7
		or	eax, ebx
		mov	[ecx], eax
		mov	[edi+4], ebx

loc_671B4F:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoIssue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_PF_QUEUE	*)+1Aj
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn
?StDeviceIoIssue@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_PF_QUEUE@@@Z	endp


;  S U B	R O U T	I N E 


; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StDeviceWorkItemCleanup(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, struct ST_STORE<struct SM_TRAITS>::_ST_WORK_ITEM	*)
?StDeviceWorkItemCleanup@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+393p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		mov	edx, [esi+0Ch]
		mov	ecx, [edi+1C8h]
		shr	edx, cl
		mov	ecx, edi
		call	?StRegionReadDereference@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@K@Z ; ST_STORE<SM_TRAITS>::StRegionReadDereference(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)
		mov	ecx, [edi+424h]
		test	cl, 1
		jz	short loc_671B90
		mov	eax, [esi+8]
		or	eax, 1
		cmp	eax, ecx
		jnz	short loc_671B90
		and	ecx, 0FFFFFFFEh
		mov	[edi+424h], ecx
		jmp	short loc_671B9A
; 

loc_671B90:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceWorkItemCleanup(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+23j
					; ST_STORE<SM_TRAITS>::StDeviceWorkItemCleanup(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+2Dj
		push	0
		push	dword ptr [esi+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_671B9A:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceWorkItemCleanup(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+38j
		mov	ecx, [edi+428h]
		test	cl, 1
		jz	short loc_671BB9
		mov	eax, esi
		or	eax, 1
		cmp	eax, ecx
		jnz	short loc_671BB9
		and	ecx, 0FFFFFFFEh
		mov	[edi+428h], ecx
		jmp	short loc_671BC1
; 

loc_671BB9:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceWorkItemCleanup(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+4Dj
					; ST_STORE<SM_TRAITS>::StDeviceWorkItemCleanup(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+56j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_671BC1:				; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceWorkItemCleanup(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+61j
		pop	edi
		pop	esi
		retn
?StDeviceWorkItemCleanup@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StDmDeviceError(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, enum  ST_STORE<struct SM_TRAITS>::_ST_DEVICE_FAIL_TYPE, long)
?StDmDeviceError@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@W4_ST_DEVICE_FAIL_TYPE@1@J@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+109p
					; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+302p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		mov	[ebp+var_8], edx
		push	esi
		mov	[ebp+var_4], eax
		mov	esi, [eax+42Ch]
		test	esi, esi
		jz	loc_671CCB
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	edi, 0C0000085h
		jz	loc_671CCA
		cmp	edi, 0C00002FEh
		jz	loc_671CCA
		cmp	edi, 0C000009Ah
		jz	loc_671CCA
		cmp	edi, 0C0000017h
		jz	loc_671CCA
		cmp	edi, 0C0000114h
		jz	loc_671CCA
		cmp	edi, 0C0000113h
		jz	loc_671CCA
		test	dword ptr [eax+1ACh], 2000h
		jz	short loc_671C46
		cmp	edi, 80000016h
		jz	loc_671CCA

loc_671C46:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DEVICE_FAIL_TYPE,long)+74j
		push	ebx
		push	7
		pop	eax
		mov	ebx, eax
		test	edx, edx
		jnz	short loc_671C74
		inc	dword ptr [esi+4]
		mov	eax, [esi+4]
		test	al, 0Fh
		jnz	short loc_671CC9
		mov	eax, [esi]
		mov	ecx, eax
		sub	ecx, [esi+8]
		and	ecx, 0FFFFFFE0h
		mov	[esi+8], eax
		cmp	ecx, 200h
		ja	short loc_671CC9
		push	3
		pop	ebx
		jmp	short loc_671CAC
; 

loc_671C74:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DEVICE_FAIL_TYPE,long)+8Aj
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		shrd	eax, edx, 17h
		mov	edx, [esi]
		mov	ecx, edx
		sub	ecx, [esi+10h]
		mov	[esi+10h], edx
		jnz	short loc_671CA2
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_671CA2
		sub	eax, ecx
		push	7
		pop	ecx
		cmp	ecx, eax
		sbb	ebx, ebx
		and	ebx, 0FFFFFFFDh
		add	ebx, ecx
		jmp	short loc_671CA8
; 

loc_671CA2:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DEVICE_FAIL_TYPE,long)+C5j
					; ST_STORE<SM_TRAITS>::StDmDeviceError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DEVICE_FAIL_TYPE,long)+CCj
		push	7
		mov	[esi+0Ch], eax
		pop	ecx

loc_671CA8:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DEVICE_FAIL_TYPE,long)+DCj
		cmp	ebx, ecx
		jz	short loc_671CC9

loc_671CAC:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DEVICE_FAIL_TYPE,long)+AEj
		mov	edx, [ebp+var_4]
		push	edi
		push	ebx
		mov	edx, [edx+1C0h]
		call	SMKM_STORE_MGR_SM_TRAITS___SmStoreActionNotify
		test	eax, eax
		jns	short loc_671CC9
		cmp	[ebp+var_8], 0
		jnz	short loc_671CC9
		dec	dword ptr [esi+4]

loc_671CC9:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DEVICE_FAIL_TYPE,long)+94j
					; ST_STORE<SM_TRAITS>::StDmDeviceError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DEVICE_FAIL_TYPE,long)+A9j	...
		pop	ebx

loc_671CCA:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DEVICE_FAIL_TYPE,long)+28j
					; ST_STORE<SM_TRAITS>::StDmDeviceError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DEVICE_FAIL_TYPE,long)+34j	...
		pop	edi

loc_671CCB:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DEVICE_FAIL_TYPE,long)+18j
		pop	esi
		leave
		retn	4
?StDmDeviceError@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@W4_ST_DEVICE_FAIL_TYPE@1@J@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmDeviceIoCompletion(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, struct ST_STORE<struct SM_TRAITS>::_ST_WORK_ITEM *)
?StDmDeviceIoCompletion@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+132064p
					; ST_STORE_SM_TRAITS___StDmPageRetrieve+93220p	...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, edx
		push	ebx
		mov	ebx, ecx
		mov	[esp+28h+var_24], eax
		push	esi
		mov	edx, [eax+0Ch]
		lea	ecx, [eax+4]
		mov	[esp+2Ch+var_20], ecx
		xor	esi, esi
		mov	ecx, [ebx+1C8h]
		shr	edx, cl
		mov	ecx, [ebx+240h]
		push	edi
		mov	[esp+30h+var_18], esi
		lea	edi, [edx+edx]
		mov	[esp+30h+var_14], edx
		add	ecx, edi
		mov	[esp+30h+var_4], edi
		mov	[esp+30h+var_10], ecx
		cmp	[eax+8], esi
		jnz	loc_671F11
		lea	eax, [ebx+26Ch]
		mov	[esp+30h+var_C], eax
		cmp	[eax], edx
		jz	short loc_671D37

loc_671D2C:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+61j
		add	eax, 0Ch
		cmp	[eax], edx
		jnz	short loc_671D2C
		mov	[esp+30h+var_C], eax

loc_671D37:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+5Aj
		mov	eax, [ebx+228h]
		mov	ecx, [ebx+1B4h]
		mov	[esp+30h+var_8], eax
		mov	eax, [eax+14h]
		mov	[esp+30h+var_1C], eax
		cmp	[eax], ecx
		jnb	short loc_671D5D

loc_671D52:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+87j
		add	eax, 20h
		cmp	[eax], ecx
		jb	short loc_671D52
		mov	[esp+30h+var_1C], eax

loc_671D5D:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+80j
		mov	ecx, [esp+30h+var_20]
		xor	edi, edi
		inc	edi
		cmp	ecx, [eax+18h]
		jnz	short loc_671DB3
		push	esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, eax
		mov	esi, edx
		mov	eax, [esp+34h+var_20]
		push	7
		pop	edx
		push	7
		or	[eax+18h], edi
		mov	eax, [eax+0Ch]
		mul	edx
		pop	edx
		mov	edi, eax
		mov	eax, [esp+34h+var_20]
		mov	eax, [eax+8]
		mul	edx
		add	edi, edx
		mov	edx, [esp+34h+var_20]
		sub	eax, [edx+10h]
		sbb	edi, [edx+14h]
		add	eax, ecx
		adc	edi, esi
		xor	esi, esi
		shrd	eax, edi, 3
		shr	edi, 3
		mov	[edx+0Ch], edi
		xor	edi, edi
		mov	[edx+8], eax
		inc	edi

loc_671DB3:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+97j
		mov	eax, [esp+34h+var_C]
		lock dec dword ptr [eax+8]
		mov	ecx, [esp+34h+var_24]
		lea	edx, [esp+34h+var_1C]
		call	?StDeviceIoIsFailed@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DEVICE_IO@1@PAJ@Z ; ST_STORE<SM_TRAITS>::StDeviceIoIsFailed(ST_STORE<SM_TRAITS>::_ST_DEVICE_IO *,long *)
		test	eax, eax
		jz	short loc_671DE4
		mov	eax, [esp+34h+var_1C]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		mov	[esp+38h+var_20], eax
		call	?StDmDeviceError@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@W4_ST_DEVICE_FAIL_TYPE@1@J@Z ; ST_STORE<SM_TRAITS>::StDmDeviceError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DEVICE_FAIL_TYPE,long)
		mov	edx, [esp+34h+var_20]
		jmp	short loc_671DF6
; 

loc_671DE4:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+FAj
		mov	eax, [ebx+42Ch]
		mov	edx, esi
		mov	[esp+34h+var_20], edx
		test	eax, eax
		jz	short loc_671DF6
		inc	dword ptr [eax]

loc_671DF6:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+112j
					; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+122j
		mov	ecx, [esp+34h+var_14]
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jns	short loc_671E67
		and	eax, 7FFFh
		mov	[ecx], ax
		mov	edi, eax
		xor	ecx, ecx
		call	_SmEtwEnabled@4	; SmEtwEnabled(x)
		mov	[esp+34h+var_C], eax
		mov	ecx, 1FFFh
		test	eax, eax
		jz	short loc_671E4A
		mov	eax, [esp+34h+var_18]
		and	edi, 1FFFh
		mov	ecx, [ebx+248h]
		movzx	ecx, byte ptr [ecx+eax]
		push	ecx
		mov	ecx, [esp+38h+var_C]
		push	edi
		push	edx
		push	eax
		push	ebx
		push	4
		pop	edx
		call	_SmEtwLogRegionOp@28 ; SmEtwLogRegionOp(x,x,x,x,x,x,x)
		mov	ecx, 1FFFh

loc_671E4A:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+14Ej
		mov	edx, [esp+34h+var_28]
		test	byte ptr [edx+10h], 1
		jz	short loc_671E92
		mov	eax, [esp+34h+var_14]
		inc	dword ptr [ebx+470h]
		test	[eax], cx
		jbe	short loc_671E92
		mov	edx, esi
		jmp	short loc_671E95
; 

loc_671E67:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+130j
		mov	edx, [esp+34h+var_28]
		test	byte ptr [edx+10h], 1
		jnz	short loc_671E77
		mov	[esp+34h+var_14], esi
		jmp	short loc_671E81
; 

loc_671E77:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+19Fj
		inc	dword ptr [ebx+474h]
		mov	[esp+34h+var_14], edi

loc_671E81:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+1A5j
		mov	edx, [esp+34h+var_18]
		mov	ecx, ebx
		call	?StRegionReadDereference@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@K@Z ; ST_STORE<SM_TRAITS>::StRegionReadDereference(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)
		mov	edx, [esp+34h+var_14]
		jmp	short loc_671E95
; 

loc_671E92:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+182j
					; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+191j
		xor	edx, edx
		inc	edx

loc_671E95:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+195j
					; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+1C0j
		mov	edi, [esp+34h+var_24]
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		test	edx, edx
		jz	loc_672068
		mov	edi, [esp+34h+var_10]
		cmp	dword ptr [edi], 0FFFFFFFFh
		jz	short loc_671EC2
		push	esi
		push	dword ptr [edi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	dword ptr [edi+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_671EC2:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+1DEj
		mov	[edi+4], esi
		mov	[edi+8], esi
		or	dword ptr [edi], 0FFFFFFFFh
		cmp	byte ptr [ebx+1ACh], 0
		jnz	short loc_671EE5
		mov	eax, [ebx+240h]
		mov	ecx, [esp+34h+var_8]
		movzx	esi, word ptr [ecx+eax]
		shr	esi, 0Dh

loc_671EE5:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+202j
		mov	ecx, [esp+34h+var_18]
		imul	eax, esi, 0Ch
		cmp	ecx, [eax+ebx+2B4h]
		jz	short loc_671EF8
		push	8
		pop	esi

loc_671EF8:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+223j
		cmp	esi, 8
		jz	loc_672068
		push	0FFFFFFFFh
		mov	edx, esi
		mov	ecx, ebx
		call	ST_STORE_SM_TRAITS___StDmCurrentRegionSet
		jmp	loc_672068
; 

loc_671F11:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+48j
		mov	ecx, [eax+10h]
		xor	edi, edi
		inc	edi
		test	cl, 8
		jz	loc_671FA0
		mov	edx, [ebx+228h]
		shr	ecx, 5
		mov	[esp+30h+var_4], edx
		mov	edi, [edx+10h]
		mov	[esp+30h+var_14], edi
		cmp	[edi], ecx
		jnb	short loc_671F43

loc_671F38:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+26Dj
		add	edi, 20h
		cmp	[edi], ecx
		jb	short loc_671F38
		mov	[esp+30h+var_14], edi

loc_671F43:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+266j
		lea	ecx, [eax+4]
		cmp	ecx, [edi+18h]
		jnz	short loc_671F99
		push	esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	esi, edx
		mov	ecx, eax
		mov	eax, [edi+0Ch]
		xor	edx, edx
		inc	edx
		or	[edi+18h], edx
		push	7
		pop	edx
		mul	edx
		push	7
		mov	edi, eax
		mov	eax, [esp+38h+var_18]
		pop	edx
		mov	eax, [eax+8]
		mul	edx
		add	edi, edx
		mov	edx, [esp+34h+var_18]
		sub	eax, [edx+10h]
		sbb	edi, [edx+14h]
		add	eax, ecx
		adc	edi, esi
		shrd	eax, edi, 3
		shr	edi, 3
		xor	esi, esi
		mov	[edx+8], eax
		mov	eax, [esp+34h+var_28]
		mov	[edx+0Ch], edi
		mov	edx, [esp+34h+var_8]

loc_671F99:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+279j
		lock dec dword ptr [edx+8]
		xor	edi, edi
		inc	edi

loc_671FA0:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+24Aj
		test	byte ptr [eax+10h], 4
		mov	eax, [esp+34h+var_24]
		jz	short loc_671FB0
		mov	[esp+34h+var_10], esi
		jmp	short loc_671FB6
; 

loc_671FB0:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+2D8j
		mov	ecx, [eax]
		mov	[esp+34h+var_10], ecx

loc_671FB6:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+2DEj
		lea	edx, [esp+34h+var_1C]
		mov	ecx, eax
		call	?StDeviceIoIsFailed@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DEVICE_IO@1@PAJ@Z ; ST_STORE<SM_TRAITS>::StDeviceIoIsFailed(ST_STORE<SM_TRAITS>::_ST_DEVICE_IO *,long *)
		mov	ecx, ebx
		test	eax, eax
		jz	short loc_671FDC
		mov	eax, [esp+34h+var_1C]
		mov	edx, edi
		push	eax
		mov	[esp+38h+var_20], eax
		call	?StDmDeviceError@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@W4_ST_DEVICE_FAIL_TYPE@1@J@Z ; ST_STORE<SM_TRAITS>::StDmDeviceError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_DEVICE_FAIL_TYPE,long)
		jmp	loc_67205D
; 

loc_671FDC:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+2F5j
		push	[esp+34h+var_24]
		mov	edx, [esp+38h+var_10]
		call	?StDmDeviceIoTransfer@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@PAU_ST_DEVICE_IO@1@@Z ; ST_STORE<SM_TRAITS>::StDmDeviceIoTransfer(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*,ST_STORE<SM_TRAITS>::_ST_DEVICE_IO *)
		mov	ecx, [ebx+42Ch]
		mov	[esp+34h+var_20], eax
		test	ecx, ecx
		jz	short loc_67205D
		test	eax, eax
		js	short loc_671FFD
		inc	dword ptr [ecx]

loc_671FFD:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+329j
		mov	edx, [esp+34h+var_28]
		test	byte ptr [edx+10h], 4
		jnz	short loc_672061
		push	esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	edi, eax
		mov	[esp+38h+var_C], edx
		mov	eax, [esp+38h+var_2C]
		mov	ecx, [eax+8]
		mov	esi, [ecx+4]
		sub	edi, esi
		mov	ecx, [ecx+8]
		mov	esi, edx
		sbb	esi, ecx
		mov	ecx, [ebx+42Ch]
		add	ecx, 528h
		mov	edx, [ecx]
		cmp	[edx+4], esi
		jb	short loc_672051
		ja	short loc_672040
		cmp	[edx], edi
		jb	short loc_672051

loc_672040:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+36Aj
		cmp	edx, [ecx+8]
		jz	short loc_67205A
		cmp	[edx-0Ch], esi
		jb	short loc_67205A
		ja	short loc_672051
		cmp	[edx-10h], edi
		jb	short loc_67205A

loc_672051:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+368j
					; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+36Ej ...
		push	esi
		push	edi
		call	_StLcBucketLocate@12 ; StLcBucketLocate(x,x,x)
		mov	edx, eax

loc_67205A:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+373j
					; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+378j ...
		inc	dword ptr [edx+8]

loc_67205D:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+307j
					; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+325j
		mov	edx, [esp+38h+var_2C]

loc_672061:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+335j
		mov	ecx, ebx
		call	?StDeviceWorkItemCleanup@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StDeviceWorkItemCleanup(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)

loc_672068:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+1D1j
					; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+22Bj ...
		mov	eax, [esp+38h+var_24]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
?StDmDeviceIoCompletion@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmDeviceIoTransfer(struct	ST_STORE<struct	SM_TRAITS>::_ST_DATA_MGR *, struct ST_STORE<struct SM_TRAITS>::_ST_WORK_ITEM *,	struct ST_STORE<struct SM_TRAITS>::_ST_DEVICE_IO *)
?StDmDeviceIoTransfer@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@PAU_ST_DEVICE_IO@1@@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+314p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx
		mov	edi, [edi+4]
		mov	eax, [eax+1BCh]
		mov	esi, [edi]
		lea	ecx, [edi+0Ch]
		shl	esi, 4
		lea	ebx, [edi+0Ch]
		add	ecx, esi
		mov	[ebp+var_4], ecx
		mov	ecx, eax
		add	eax, esi
		neg	ecx
		lea	esi, [edi+0Bh]
		mov	edi, [ebp+var_8]
		add	esi, eax
		and	esi, ecx
		mov	eax, [edi+1C4h]
		and	eax, [ebx]
		shl	eax, 4
		and	ecx, eax
		sub	eax, ecx
		add	esi, eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+0Ch]
		shr	ecx, 3
		and	ecx, 2
		mov	[ebp+var_8], ecx
		jmp	short loc_67210B
; 

loc_6720D4:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoTransfer(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *,ST_STORE<SM_TRAITS>::_ST_DEVICE_IO *)+9Bj
		mov	ecx, [ebx]
		sub	ecx, [eax+8]
		shl	ecx, 4
		add	ecx, esi
		test	edx, edx
		jz	short loc_6720E5
		lea	eax, [edx+8]

loc_6720E5:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoTransfer(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *,ST_STORE<SM_TRAITS>::_ST_DEVICE_IO *)+6Dj
		push	0
		push	ebx
		push	dword ptr [eax]
		mov	eax, [ebp+var_8]
		push	edx
		mov	edx, [edi+200h]
		or	eax, ecx
		push	eax
		mov	ecx, edi
		call	ST_STORE_SM_TRAITS___StDmSinglePageTransfer
		test	eax, eax
		js	short loc_672112
		mov	edx, [ebp+var_C]
		add	ebx, 10h
		mov	eax, [ebp+arg_0]

loc_67210B:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoTransfer(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *,ST_STORE<SM_TRAITS>::_ST_DEVICE_IO *)+5Fj
		cmp	ebx, [ebp+var_4]
		jb	short loc_6720D4
		xor	eax, eax

loc_672112:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoTransfer(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *,ST_STORE<SM_TRAITS>::_ST_DEVICE_IO *)+8Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
?StDmDeviceIoTransfer@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@PAU_ST_DEVICE_IO@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmEtaPerformIo(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *,	unsigned long, unsigned	long)
?StDmEtaPerformIo@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@KK@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+86p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_8		= dword	ptr -8
arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		mov	ebx, ecx
		push	0DEADh
		mov	ecx, [ebx+1C8h]
		stosd
		shl	edx, cl
		push	ecx
		mov	ecx, ebx
		stosd
		stosd
		mov	ax, [ebp+arg_0]
		sub	ax, [ebx+1D4h]
		mov	[ebp+var_18], edx
		lea	edx, [ebp+var_18]
		mov	[ebp+var_14], ax
		call	?StDeviceIoBuild@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_WORK_ITEM@1@PAU_ST_DATA_MGR@1@PAU_ST_PAGE_LOCATION@1@KPAX@Z ; ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_672170
		mov	edi, 0C000009Ah
		jmp	short loc_6721DB
; 

loc_672170:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaPerformIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong)+4Ej
		or	dword ptr [esi+10h], 0Ch
		lea	eax, [ebp+var_20]
		mov	[ebp+var_1C], eax
		lea	edx, [ebp+var_20]
		xor	edi, edi
		mov	[ebp+var_20], edi
		mov	eax, [esi]
		and	eax, 7
		or	eax, 8
		mov	[esi], eax
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx]
		and	eax, 7
		or	eax, esi
		mov	[ecx], eax
		mov	ecx, ebx
		mov	[ebp+var_1C], esi
		call	?StDeviceIoIssue@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_PF_QUEUE@@@Z	; ST_STORE<SM_TRAITS>::StDeviceIoIssue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_PF_QUEUE *)
		test	eax, eax
		js	short loc_6721B1
		mov	ecx, [ebx+1C0h]
		call	_SmWaitForSyncIo@4 ; SmWaitForSyncIo(x)

loc_6721B1:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaPerformIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong)+8Bj
		test	byte ptr [esi+10h], 1
		jnz	short loc_6721D2
		or	dword ptr [esi+10h], 1
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_6721CB
		mov	dword ptr [eax+4], 0C0000085h
		jmp	short loc_6721D2
; 

loc_6721CB:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaPerformIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong)+A7j
		mov	dword ptr [esi+4], 0C0000085h

loc_6721D2:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaPerformIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong)+9Cj
					; ST_STORE<SM_TRAITS>::StDmEtaPerformIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong)+B0j
		mov	edx, esi
		mov	ecx, ebx
		call	?StDmDeviceIoCompletion@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)

loc_6721DB:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaPerformIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong)+55j
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
?StDmEtaPerformIo@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@KK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmEtaRefresh(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *)
?StDmEtaRefresh@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+131F8Dp
					; ST_STORE_SM_TRAITS___StWorkItemProcess:loc_5B5153p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, 0FFFFh
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		mov	eax, [edi+1B4h]
		mov	[ebp+var_C], ecx
		cmp	eax, ebx
		ja	short loc_672217
		mov	ebx, eax

loc_672217:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+25j
		mov	[ebp+var_14], ecx

loc_67221A:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+B6j
		mov	eax, [edi+228h]
		lea	ecx, [ebp+var_4]
		push	ecx
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_10], eax
		push	ecx
		lea	edx, [ebp+var_C]
		mov	ecx, eax
		call	_StEtaCheckForRefresh@16 ; StEtaCheckForRefresh(x,x,x,x)
		test	eax, eax
		jz	short loc_6722AA
		mov	eax, [ebp+var_8]
		mov	esi, [ebp+var_4]
		test	eax, eax
		jz	short loc_672249
		sub	esi, eax
		shr	esi, 1
		add	esi, eax

loc_672249:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+53j
		cmp	esi, ebx
		jb	short loc_67224F
		mov	esi, ebx

loc_67224F:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+5Dj
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		push	esi
		call	_StEtaStartRefresh@12 ;	StEtaStartRefresh(x,x,x)
		test	eax, eax
		jz	short loc_6722C9
		and	[ebp+var_10], 0

loc_672263:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+9Bj
		mov	ecx, edi
		call	?StDmPickRandomRegion@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StDmPickRandomRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_6722B3
		push	esi
		mov	edx, eax
		mov	ecx, edi
		call	?StDmEtaPerformIo@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@KK@Z ; ST_STORE<SM_TRAITS>::StDmEtaPerformIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_6722B8
		mov	eax, [ebp+var_10]
		inc	eax
		mov	[ebp+var_10], eax
		cmp	eax, 20h
		jb	short loc_672263
		mov	eax, [edi+228h]
		push	0FFFFFFFEh
		add	eax, 28h
		pop	ecx
		lock and [eax],	ecx
		mov	esi, [ebp+var_14]
		inc	esi
		mov	[ebp+var_14], esi
		cmp	esi, 0Ah
		jb	loc_67221A

loc_6722AA:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+49j
		xor	ecx, ecx

loc_6722AC:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+D9j
					; ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*)+E0j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn
; 

loc_6722B3:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+7Fj
		mov	ecx, 0C0000178h

loc_6722B8:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+8Fj
		mov	eax, [edi+228h]
		push	0FFFFFFFEh
		add	eax, 28h
		pop	edx
		lock and [eax],	edx
		jmp	short loc_6722AC
; 

loc_6722C9:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+6Fj
		mov	ecx, 0C00000BBh
		jmp	short loc_6722AC
?StDmEtaRefresh@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmEtwPageRundown(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *)
?StDmEtwPageRundown@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StGetStats(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+5Ap
					; ST_STORE<SM_TRAITS>::StGetStats(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+69p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		push	3
		pop	ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		call	_SmEtwEnabled@4	; SmEtwEnabled(x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_672301
		mov	edi, 0C00000BBh
		jmp	loc_6723BE
; 

loc_672301:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+25j
		mov	edx, esi
		lea	ecx, [ebp+var_14]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorAttachEx
		cmp	eax, 0FFFFFFFFh
		jz	loc_6723B9
		mov	ebx, [ebp+var_10]

loc_672317:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+E4j
		mov	edx, [ebp+var_14]
		test	edx, edx
		jz	loc_6723BE
		movzx	eax, word ptr [edx]
		add	ebx, 8
		inc	eax
		mov	[ebp+var_10], ebx
		lea	eax, [edx+eax*8]
		cmp	ebx, eax
		jnb	short loc_672337
		mov	eax, ebx
		jmp	short loc_672363
; 

loc_672337:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+61j
		mov	ecx, esi
		lea	eax, [esi+8]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_672354
		mov	eax, [edx+4]

loc_67234C:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+8Fj
		test	eax, eax
		jnz	short loc_672368
		mov	eax, edi
		jmp	short loc_672363
; 

loc_672354:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+77j
		push	ecx
		mov	ecx, esi
		call	?BTreeFindLeafSibling@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGPAUNODE@?$B_TREE_HEADER@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAU23@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeFindLeafSibling(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE_HEADER<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY>::NODE *,ulong)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_67234C
		or	eax, eax

loc_672363:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+65j
					; ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+82j
		mov	[ebp+var_4], eax
		jmp	short loc_672376
; 

loc_672368:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+7Ej
		lea	ebx, [eax+8]
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], ebx
		mov	eax, ebx
		mov	[ebp+var_4], ebx

loc_672376:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+96j
		test	eax, eax
		jz	short loc_6723BE
		cmp	eax, 0FFFFFFFFh
		jz	short loc_6723B9
		mov	edx, eax
		mov	ecx, esi
		call	?ST_PAGE_RECORD_GET@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_PAGE_RECORD@1@PAU_ST_DATA_MGR@1@PAU_ST_PAGE_ENTRY@1@@Z ; ST_STORE<SM_TRAITS>::ST_PAGE_RECORD_GET(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY *)
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		movzx	esi, word ptr [eax+4]
		call	?ST_PAGE_RECORD_GET@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_PAGE_RECORD@1@PAU_ST_DATA_MGR@1@PAU_ST_PAGE_ENTRY@1@@Z ; ST_STORE<SM_TRAITS>::ST_PAGE_RECORD_GET(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY *)
		push	edi
		and	esi, 0FFFh
		push	esi
		mov	esi, [ebp+var_8]
		push	esi
		push	dword ptr [eax]
		push	ecx
		push	[ebp+var_4]
		mov	ecx, [ebp+var_C]
		push	2
		pop	edx
		call	_SmEtwLogStoreOp@32 ; SmEtwLogStoreOp(x,x,x,x,x,x,x,x)
		jmp	loc_672317
; 

loc_6723B9:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+3Ej
					; ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+ADj
		mov	edi, 0C0000006h

loc_6723BE:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+2Cj
					; ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+4Cj ...
		mov	edx, esi
		lea	ecx, [ebp+var_14]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeIteratorCleanup
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
?StDmEtwPageRundown@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmEtwRegionRundown(struct	ST_STORE<struct	SM_TRAITS>::_ST_DATA_MGR *)
?StDmEtwRegionRundown@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StGetStats(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+47p
					; ST_STORE<SM_TRAITS>::StGetStats(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+52p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		push	3
		mov	ebx, ecx
		pop	ecx
		call	_SmEtwEnabled@4	; SmEtwEnabled(x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_6723EF
		mov	edi, 0C00000BBh
		jmp	short loc_672437
; 

loc_6723EF:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwRegionRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+17j
		push	esi
		or	esi, 0FFFFFFFFh
		xor	edi, edi

loc_6723F5:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwRegionRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+41j
					; ST_STORE<SM_TRAITS>::StDmEtwRegionRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+65j
		inc	esi
		cmp	esi, [ebx+1B8h]
		jz	short loc_672436
		mov	eax, [ebx+240h]
		mov	edx, 1FFFh
		mov	cx, [eax+esi*2]
		and	cx, dx
		jz	short loc_6723F5
		mov	eax, [ebx+248h]
		test	eax, eax
		jz	short loc_672422
		movzx	eax, byte ptr [eax+esi]
		jmp	short loc_672424
; 

loc_672422:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwRegionRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+4Bj
		mov	eax, edi

loc_672424:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwRegionRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+51j
		push	eax
		push	ecx
		mov	ecx, [ebp+var_4]
		push	edi
		push	esi
		push	ebx
		push	0Ah
		pop	edx
		call	_SmEtwLogRegionOp@28 ; SmEtwLogRegionOp(x,x,x,x,x,x,x)
		jmp	short loc_6723F5
; 

loc_672436:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwRegionRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+2Dj
		pop	esi

loc_672437:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtwRegionRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+1Ej
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn
?StDmEtwRegionRundown@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmGetStatsBitmap(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, unsigned long, unsigned char *, unsigned __int64 *)
?StDmGetStatsBitmap@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@KPAEPA_K@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D1209p
					; ST_STORE_SM_TRAITS___StGetStatsWorker+D122Ep

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edx
		xor	eax, eax
		mov	[ebp+var_14], edi
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		cmp	[edi+28h], eax
		jz	loc_6725F6
		mov	eax, [edi+20h]
		test	al, 1
		jnz	short loc_672479
		lea	edx, [edi+0Ch]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref
		mov	eax, [edi+20h]

loc_672479:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+2Fj
		or	eax, 1
		lea	esi, [edi+30h]
		mov	[edi+20h], eax
		mov	eax, [esi+14h]
		test	al, 1
		jnz	short loc_672496
		mov	edx, esi
		lea	ecx, [edi+24h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	eax, [esi+14h]

loc_672496:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+4Aj
		or	eax, 1
		mov	ecx, edi
		mov	[esi+14h], eax
		mov	edx, [edi+1A4h]
		call	?StDmPageRecordUnprotect@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAU_ST_PAGE_RECORD@1@@Z ; ST_STORE<SM_TRAITS>::StDmPageRecordUnprotect(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_PAGE_RECORD *)
		mov	eax, [edi+1A4h]
		lea	ecx, [edi+24h]
		push	esi
		and	dword ptr [eax], 0
		mov	edx, [edi+1A8h]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		mov	ebx, eax
		cmp	ebx, 0C0000006h
		jz	loc_672606
		push	esi
		lea	esi, [edi+24h]
		lea	edx, [ebp+var_1C]
		mov	ecx, esi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorFromSearchResult
		mov	ebx, [ebp+var_18]
		jmp	short loc_6724E5
; 

loc_6724E2:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+180j
					; ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned __int64 *)+1ADj
		lea	esi, [edi+24h]

loc_6724E5:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+A3j
		mov	edx, [ebp+var_1C]
		test	edx, edx
		jz	loc_6725F6
		movzx	eax, word ptr [edx]
		add	ebx, 4
		add	eax, 2
		mov	[ebp+var_18], ebx
		lea	eax, [edx+eax*4]
		cmp	ebx, eax
		jb	short loc_67253A
		mov	ecx, esi
		lea	eax, [esi+8]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ecx]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_672520
		mov	eax, [edx+4]

loc_672518:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+EEj
		test	eax, eax
		jnz	short loc_672531
		xor	esi, esi
		jmp	short loc_67253C
; 

loc_672520:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+D6j
		push	ecx
		mov	ecx, esi
		call	?BTreeFindLeafSibling@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGPAUNODE@?$B_TREE_HEADER@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU1@PAU23@K@Z ;	B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindLeafSibling(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,ulong)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_672518
		or	esi, eax
		jmp	short loc_67253C
; 

loc_672531:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+DDj
		lea	ebx, [eax+8]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], ebx

loc_67253A:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+C4j
		mov	esi, ebx

loc_67253C:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+E1j
					; ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned __int64 *)+F2j
		test	esi, esi
		jz	loc_6725F6
		cmp	esi, 0FFFFFFFFh
		jz	loc_6725EF
		mov	esi, [esi]
		mov	edx, esi
		mov	ecx, [edi+0F4h]
		shr	edx, cl
		mov	ecx, [edi+0F8h]
		bsr	eax, edx
		and	[ebp+var_10], 0
		and	ecx, esi
		imul	ecx, [edi+0FCh]
		btc	edx, eax
		imul	edx, 0Ch
		mov	eax, [edi+eax*4+6Ch]
		mov	edx, [edx+eax]
		add	edx, ecx
		add	edx, [edi+104h]
		mov	eax, [edx+4]
		and	eax, 0FFFh
		mov	ecx, eax
		ja	short loc_672595
		mov	ecx, 1000h

loc_672595:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+151j
		add	[ebp+var_4], ecx
		adc	[ebp+var_8], 0
		test	eax, eax
		jnz	short loc_6725A5
		mov	eax, 1000h

loc_6725A5:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+161j
		lea	esi, [eax+0Fh]
		mov	eax, [edx]
		xor	edx, edx
		add	esi, [edi+1D4h]
		div	[ebp+var_C]
		shr	esi, 4
		mov	[ebp+var_10], eax
		test	esi, esi
		jz	loc_6724E2
		mov	ebx, [ebp+arg_0]
		mov	edi, eax

loc_6725C8:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+1A5j
		sub	esi, [ebp+var_C]
		mov	edx, edi
		shr	edx, 3
		mov	eax, edi
		and	eax, 7
		movzx	ecx, byte ptr [edx+ebx]
		bts	ecx, eax
		inc	edi
		mov	[edx+ebx], cl
		test	esi, esi
		jg	short loc_6725C8
		mov	edi, [ebp+var_14]
		mov	ebx, [ebp+var_18]
		jmp	loc_6724E2
; 

loc_6725EF:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+10Aj
		mov	ebx, 0C0000006h
		jmp	short loc_672606
; 

loc_6725F6:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+24j
					; ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned __int64 *)+ADj ...
		mov	eax, [ebp+arg_4]
		xor	ebx, ebx
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx
		mov	ecx, [ebp+var_8]
		mov	[eax+4], ecx

loc_672606:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned	__int64	*)+8Cj
					; ST_STORE<SM_TRAITS>::StDmGetStatsBitmap(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,uchar *,unsigned __int64 *)+1B7j
		lea	edx, [edi+24h]
		lea	ecx, [ebp+var_1C]
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeIteratorCleanup
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
?StDmGetStatsBitmap@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@KPAEPA_K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static unsigned long __stdcall ST_STORE<struct SM_TRAITS>::StDmHandleDecompressionFailure(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, char *, char *, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_LOCATION *, struct ST_STORE<struct SM_TRAITS>::_STDM_READ_CONTEXT *)
?StDmHandleDecompressionFailure@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@PAD1PAU_ST_PAGE_LOCATION@1@PAU_STDM_READ_CONTEXT@1@@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmPageError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char	*,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *,long)+AAp

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_30]
		and	[ebp+var_C], eax
		pop	ecx
		rep stosd
		mov	edi, [ebp+arg_4]
		mov	eax, [ebx+1C4h]
		mov	ecx, [ebx+1C8h]
		push	2
		mov	esi, [edi]
		and	eax, esi
		shl	eax, 4
		shr	esi, cl
		sub	edx, eax
		mov	[ebp+var_10], edx
		lea	ecx, [ebp+var_30]
		mov	[ebp+arg_4], esi
		xor	esi, esi
		pop	edx
		call	?BTreeSearchResultInit@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultInit(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		mov	eax, [ebp+arg_8]
		lea	edx, [ebp+var_30]
		mov	ecx, ebx
		mov	eax, [eax+18h]
		push	dword ptr [eax+8]
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		test	eax, eax
		js	short loc_6726A1
		mov	ecx, [ebp+var_24]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_672693
		test	ecx, ecx
		jz	short loc_672693
		lea	edx, ds:0FFFFFFFCh[ecx*8]
		add	edx, [ebp+var_30]
		jmp	short loc_672696
; 

loc_672693:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+67j
					; ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+6Bj
		lea	edx, [ebp+var_28]

loc_672696:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+77j
		mov	edx, [edx]
		mov	ecx, ebx
		call	?ST_PAGE_RECORD_GET@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_PAGE_RECORD@1@PAU_ST_DATA_MGR@1@PAU_ST_PAGE_ENTRY@1@@Z ; ST_STORE<SM_TRAITS>::ST_PAGE_RECORD_GET(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY *)
		mov	esi, eax

loc_6726A1:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+5Fj
		push	0
		lea	edx, [ebp+var_30]
		mov	ecx, ebx
		call	?BTreeSearchResultCleanup@?$B_TREE@T_SM_PAGE_KEY@@U_ST_PAGE_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUSEARCH_RESULT@1@K@Z ; B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultCleanup(B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>	*,B_TREE<_SM_PAGE_KEY,ST_STORE<SM_TRAITS>::_ST_PAGE_ENTRY,4096,NP_CONTEXT,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *,ulong)
		test	esi, esi
		jz	loc_67275D
		mov	eax, [edi]
		cmp	eax, [esi]
		jnz	loc_67274D
		mov	ecx, [esi+4]
		and	ecx, 0FFFh
		ja	short loc_6726CF
		mov	ecx, 1000h

loc_6726CF:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+AEj
		movzx	eax, word ptr [edi+4]
		cmp	eax, ecx
		jnz	short loc_67274D
		and	esi, 0FFFFF000h
		lea	ecx, [ebx+6Ch]
		push	2
		push	6
		mov	[ebp+var_14], esi
		mov	edx, [esi+8]
		bsr	eax, edx
		btc	edx, eax
		imul	edx, 0Ch
		add	edx, [ebx+eax*4+6Ch]
		call	SmHpBufferProtectEx
		mov	esi, eax
		and	esi, 1
		jnz	short loc_67275D
		push	[ebp+arg_0]
		movzx	eax, word ptr [ebx+224h]
		push	[ebp+var_8]
		mov	edx, [ebx+1B4h]
		push	dword ptr [edi+8]
		mov	ecx, [ebp+var_10]
		push	eax
		push	[ebp+arg_4]
		movzx	eax, word ptr [edi+4]
		push	eax
		call	_SmPrepareForFatalPageError@32 ; SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)
		mov	edx, [ebp+var_14]
		lea	ecx, [ebx+6Ch]
		push	2
		push	2
		mov	edx, [edx+8]
		bsr	eax, edx
		btc	edx, eax
		imul	edx, 0Ch
		add	edx, [ecx+eax*4]
		call	SmHpBufferProtectEx
		jmp	loc_67288D
; 

loc_67274D:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+9Fj
					; ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+BBj
		push	0
		push	esi
		push	edi
		push	3
		push	1C7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_67275D:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+95j
					; ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+E7j
		mov	esi, [ebx+1C0h]
		mov	ecx, [ebp+arg_8]
		add	esi, 10F8h
		add	ecx, 1Ch
		jnz	short loc_67278A
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		jmp	short loc_6727B2
; 

loc_67278A:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+155j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_67279F
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_67279F:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+17Cj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_6727B2:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+16Ej
		mov	eax, [ebp+arg_8]
		mov	esi, [eax+14h]
		movzx	eax, word ptr [edi+4]
		push	eax		; size_t
		push	[ebp+var_8]	; void *
		mov	[ebp+var_14], esi
		push	esi		; void *
		call	_memcpy
		movzx	edx, word ptr [edi+4]
		add	esp, 0Ch
		mov	ecx, esi
		push	dword ptr [edi+8]
		call	_SmFixSingleBitCorruption@12 ; SmFixSingleBitCorruption(x,x,x)
		mov	esi, eax
		and	esi, 1
		jz	short loc_672838
		mov	eax, [ebp+arg_8]
		push	dword ptr [eax+4]
		lea	eax, [ebp+var_C]
		push	eax
		movzx	eax, word ptr [edi+4]
		push	eax
		push	[ebp+var_14]
		movzx	eax, word ptr [ebx+224h]
		push	1000h
		push	[ebp+arg_0]
		push	eax
		call	_RtlDecompressBufferEx@28 ; RtlDecompressBufferEx(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_672838
		cmp	[ebp+var_C], 1000h
		jnz	short loc_672838
		lock inc dword ptr [ebx+488h]
		movzx	edx, word ptr [edi+4]
		lock inc ds:dword_718664
		push	ds:dword_718664
		mov	ecx, [ebp+var_8]
		call	_MmStoreLogCorruptionFixed@12 ;	MmStoreLogCorruptionFixed(x,x,x)
		or	esi, 2

loc_672838:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+1C5j
					; ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+1F0j ...
		mov	eax, large fs:124h
		mov	ecx, [ebx+1C0h]
		dec	word ptr [eax+13Eh]
		nop
		add	ecx, 10F8h
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+arg_8]
		push	2
		pop	ecx
		mov	[eax+1Ch], ecx
		cmp	esi, ecx
		jnb	short loc_67288D
		push	[ebp+arg_0]
		movzx	eax, word ptr [ebx+224h]
		push	[ebp+var_8]
		mov	edx, [ebx+1B4h]
		push	dword ptr [edi+8]
		mov	ecx, [ebp+var_10]
		push	eax
		push	[ebp+arg_4]
		movzx	eax, word ptr [edi+4]
		push	eax
		call	_SmPrepareForFatalPageError@32 ; SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)

loc_67288D:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+12Ej
					; ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+24Aj
		shr	esi, 1
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
?StDmHandleDecompressionFailure@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@PAD1PAU_ST_PAGE_LOCATION@1@PAU_STDM_READ_CONTEXT@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static unsigned long __stdcall ST_STORE<struct SM_TRAITS>::StDmPageError(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, char *, char *, struct ST_STORE<struct SM_TRAITS>::_ST_PAGE_LOCATION *, struct ST_STORE<struct SM_TRAITS>::_STDM_READ_CONTEXT *, long)
?StDmPageError@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@PAD1PAU_ST_PAGE_LOCATION@1@PAU_STDM_READ_CONTEXT@1@J@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+9303Bp
					; ST_STORE_SM_TRAITS___StDmSinglePageCopy+93086p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		and	[esp+10h+var_8], 0
		and	[esp+10h+var_4], 0
		push	ebx
		mov	ebx, ecx
		mov	[esp+14h+var_C], edx
		push	esi
		movzx	ecx, byte ptr [ebx+1ACh]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 0FFFFFFFEh
		add	ecx, 2
		call	_SmEtwEnabled@4	; SmEtwEnabled(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_672907
		cmp	[ebp+arg_C], 0C00002C4h
		jnz	short loc_6728E1
		mov	byte ptr [esp+18h+var_8+1], 2
		jmp	short loc_6728EF
; 

loc_6728E1:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmPageError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char	*,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *,long)+40j
		cmp	[ebp+arg_C], 0C000003Fh
		jnz	short loc_6728EF
		mov	byte ptr [esp+18h+var_8+1], 1

loc_6728EF:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmPageError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char	*,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *,long)+47j
					; ST_STORE<SM_TRAITS>::StDmPageError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT	*,long)+50j
		lea	eax, [esp+18h+var_8]
		push	eax
		mov	eax, [ebp+arg_4]
		movzx	eax, word ptr [eax+4]
		push	eax
		push	edx
		push	ebx
		call	_SmEtwLogStoreCorruption@24 ; SmEtwLogStoreCorruption(x,x,x,x,x,x)
		mov	edx, [esp+18h+var_C]

loc_672907:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmPageError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char	*,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *,long)+37j
		mov	esi, [ebx+1D8h]
		shr	esi, 5
		and	esi, 3
		cmp	esi, 2
		jb	short loc_672922
		cmp	ds:_KdDebuggerEnabled, 0
		jz	short loc_672922
		int	3		; Trap to Debugger

loc_672922:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmPageError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char	*,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *,long)+7Ej
					; ST_STORE<SM_TRAITS>::StDmPageError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT	*,long)+87j
		test	dword ptr [ebx+1ACh], 40000h
		jz	short loc_67294B
		cmp	[ebp+arg_C], 0C00002C4h
		jnz	short loc_67294B
		push	[ebp+arg_8]
		mov	ecx, ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	?StDmHandleDecompressionFailure@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@PAD1PAU_ST_PAGE_LOCATION@1@PAU_STDM_READ_CONTEXT@1@@Z ; ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)
		test	eax, eax
		jnz	short loc_67296E

loc_67294B:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmPageError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char	*,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *,long)+94j
					; ST_STORE<SM_TRAITS>::StDmPageError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT	*,long)+9Dj
		cmp	esi, 3
		jb	short loc_67296C
		push	[ebp+arg_0]
		mov	eax, [ebp+arg_4]
		push	[esp+1Ch+var_C]
		movzx	eax, word ptr [eax+4]
		push	eax
		push	[ebp+arg_C]
		push	12Bh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_67296C:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmPageError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char	*,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *,long)+B6j
		xor	eax, eax

loc_67296E:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmPageError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char	*,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *,long)+B1j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
?StDmPageError@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@PAD1PAU_ST_PAGE_LOCATION@1@PAU_STDM_READ_CONTEXT@1@J@Z endp


;  S U B	R O U T	I N E 


; public: static unsigned long __stdcall ST_STORE<struct SM_TRAITS>::StDmPickRandomRegion(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *)
?StDmPickRandomRegion@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+77p
		mov	edi, edi
		push	edi
		mov	edi, ecx
		mov	ecx, [edi+1E4h]
		test	ecx, ecx
		jz	short loc_6729C7
		rdtsc
		shrd	eax, edx, 4
		xor	edx, edx
		div	ecx
		push	0FFFFFFFFh
		mov	eax, edx
		pop	edx
		add	eax, 1
		jz	short loc_67299C
		lea	edx, [eax-1]

loc_67299C:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmPickRandomRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+21j
		push	esi
		xor	esi, esi

loc_67299F:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmPickRandomRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+49j
		mov	ecx, edi
		call	?StStagingRegionFind@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_STAGING_REGION@1@PAU_ST_DATA_MGR@1@K@Z ;	ST_STORE<SM_TRAITS>::StStagingRegionFind(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)
		test	eax, eax
		jz	short loc_6729C1
		lea	eax, [edx+1]
		inc	esi
		mov	edx, eax
		sub	edx, [edi+1B8h]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		cmp	esi, 7
		jb	short loc_67299F

loc_6729C1:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmPickRandomRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+32j
		cmp	esi, 7
		pop	esi
		jb	short loc_6729CA

loc_6729C7:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmPickRandomRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+Dj
		or	edx, 0FFFFFFFFh

loc_6729CA:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmPickRandomRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+4Fj
		mov	eax, edx
		pop	edi
		retn
?StDmPickRandomRegion@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@@Z endp


;  S U B	R O U T	I N E 


; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StDmRegionAdd(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, unsigned long)
?StDmRegionAdd@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@K@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+E7p
					; ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+A1p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, [ecx+1E0h]
		mov	esi, edx
		shr	esi, 3
		and	edx, 7
		movzx	eax, byte ptr [esi+edi]
		bts	eax, edx
		mov	[esi+edi], al
		inc	dword ptr [ecx+1E4h]
		pop	edi
		pop	esi
		retn
?StDmRegionAdd@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmRegionEvict(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, struct ST_STORE<struct SM_TRAITS>::_STDM_SEARCH_RESULTS *, unsigned long, unsigned long,	unsigned long, unsigned	long)
?StDmRegionEvict@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_STDM_SEARCH_RESULTS@1@KKKK@Z	proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *)+5Ap

var_40		= dword	ptr -40h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], edx
		xor	edx, edx
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_28], edx
		mov	eax, edx
		mov	[ebp+var_30], ecx
		or	eax, ecx
		mov	[ebp+var_20], edx
		push	edi
		xor	ecx, ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_24], eax
		call	_SmEtwEnabled@4	; SmEtwEnabled(x)
		mov	edi, [ebp+arg_0]
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_672A6B
		mov	ecx, [esi+248h]
		test	ecx, ecx
		jz	short loc_672A45
		movzx	eax, byte ptr [ecx+edi]
		jmp	short loc_672A47
; 

loc_672A45:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS	*,ulong,ulong,ulong,ulong)+4Aj
		mov	eax, edx

loc_672A47:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS	*,ulong,ulong,ulong,ulong)+50j
		push	eax
		mov	eax, [esi+240h]
		mov	ecx, 1FFFh
		mov	ax, [eax+edi*2]
		and	ax, cx
		mov	ecx, ebx
		movzx	eax, ax
		push	eax
		push	edx
		push	edi
		push	esi
		push	3
		pop	edx
		call	_SmEtwLogRegionOp@28 ; SmEtwLogRegionOp(x,x,x,x,x,x,x)

loc_672A6B:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS	*,ulong,ulong,ulong,ulong)+40j
		mov	eax, 400h
		call	__alloca_probe_16
		mov	edx, esp
		mov	[ebp+var_C], edx

loc_672A7A:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS	*,ulong,ulong,ulong,ulong)+116j
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], 100h
		push	eax
		push	edx
		push	[ebp+arg_8]
		mov	edx, [ebp+var_10]
		push	ecx
		push	edi
		mov	ecx, esi
		call	?StDmRegionGetKeys@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_STDM_SEARCH_RESULTS@1@KKKPAT_SM_PAGE_KEY@@PAK@Z ; ST_STORE<SM_TRAITS>::StDmRegionGetKeys(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,_SM_PAGE_KEY *,ulong *)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_672B0F
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_672B0F
		push	offset ?StpKeyCompare@?$ST_STORE@USM_TRAITS@@@@SAHPBX0@Z ; int __cdecl (*)(const void *,const void *)
		push	4		; size_t
		push	eax		; size_t
		push	[ebp+var_C]	; void *
		call	_qsort
		mov	edx, [ebp+var_C]
		add	esp, 10h
		mov	ecx, [ebp+var_8]
		mov	edi, edx
		lea	eax, [edx+ecx*4]
		xor	ecx, ecx
		mov	[ebp+var_14], eax
		mov	eax, [edx]
		mov	edx, eax
		mov	[ebp+var_2C], eax

loc_672ACC:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS	*,ulong,ulong,ulong,ulong)+107j
		cmp	eax, edx
		jnz	short loc_672ADB

loc_672AD0:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS	*,ulong,ulong,ulong,ulong)+102j
		add	edi, 4
		inc	ecx
		cmp	edi, [ebp+var_14]
		jb	short loc_672AF7
		jnz	short loc_672AFC

loc_672ADB:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS	*,ulong,ulong,ulong,ulong)+DBj
		mov	[ebp+var_28], ecx
		lea	edx, [ebp+var_30]
		mov	ecx, esi
		call	ST_STORE_SM_TRAITS___StDmPageRemove
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_672B0F
		mov	eax, [edi]
		xor	ecx, ecx
		mov	[ebp+var_2C], eax
		jmp	short loc_672AD0
; 

loc_672AF7:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS	*,ulong,ulong,ulong,ulong)+E4j
		mov	edx, [edi]
		inc	eax
		jmp	short loc_672ACC
; 

loc_672AFC:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS	*,ulong,ulong,ulong,ulong)+E6j
		cmp	[ebp+var_8], 100h
		mov	edi, [ebp+arg_0]
		mov	edx, [ebp+var_C]
		jnb	loc_672A7A

loc_672B0F:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS	*,ulong,ulong,ulong,ulong)+A6j
					; ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,ulong)+ADj ...
		mov	eax, ebx
		lea	esp, [ebp-40h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
?StDmRegionEvict@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_STDM_SEARCH_RESULTS@1@KKKK@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmRegionGetKeys(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, struct	ST_STORE<struct	SM_TRAITS>::_STDM_SEARCH_RESULTS *, unsigned long, unsigned long, unsigned long, union _SM_PAGE_KEY *, unsigned	long *)
?StDmRegionGetKeys@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_STDM_SEARCH_RESULTS@1@KKKPAT_SM_PAGE_KEY@@PAK@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS	*,ulong,ulong,ulong,ulong)+9Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	eax, [eax]
		mov	esi, ecx
		mov	ecx, [ebp+arg_C]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], esi
		lea	eax, [ecx+eax*4]
		mov	ecx, [esi+1C8h]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		shl	ebx, cl
		dec	eax
		or	ebx, eax
		lea	ecx, [esi+24h]
		mov	[ebp+var_C], ebx
		mov	ebx, [edx+4]
		mov	[ebp+arg_8], ecx
		mov	eax, [ebx+14h]
		test	al, 1
		jnz	short loc_672B73
		mov	edx, ebx
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchResultDeref
		mov	eax, [ebx+14h]

loc_672B73:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionGetKeys(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,_SM_PAGE_KEY *,ulong *)+42j
		mov	ecx, [ebp+var_C]
		or	eax, 1
		mov	[ebx+14h], eax
		mov	eax, [esi+1A4h]
		push	ebx
		mov	[eax], ecx
		mov	edx, [esi+1A8h]
		mov	esi, [ebp+arg_8]
		mov	ecx, esi
		call	B_TREE_unsigned_long_ST_STORE_SM_TRAITS____ST_REGION_ENTRY_4096_NP_CONTEXT_ST_STORE_SM_TRAITS___ST_REGION_ENTRY_COMPARATOR___BTreeSearchKey
		cmp	eax, 0C0000006h
		jz	loc_672CA0
		test	eax, eax
		jnz	loc_672C8A
		mov	ecx, [ebx+0Ch]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_672BBE
		test	ecx, ecx
		jz	short loc_672BBE
		mov	eax, [ebx]
		lea	eax, [eax+ecx*8]
		add	eax, 0FFFFFFFCh
		jmp	short loc_672BC1
; 

loc_672BBE:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionGetKeys(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,_SM_PAGE_KEY *,ulong *)+89j
					; ST_STORE<SM_TRAITS>::StDmRegionGetKeys(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,_SM_PAGE_KEY	*,ulong	*)+8Dj
		lea	eax, [ebx+8]

loc_672BC1:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionGetKeys(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,_SM_PAGE_KEY *,ulong *)+97j
		mov	eax, [eax]
		mov	edi, [ebp+var_4]
		and	[ebp+var_C], 0
		mov	esi, [eax]
		mov	edx, esi
		mov	ecx, [edi+0F4h]
		shr	edx, cl
		bsr	eax, edx
		btc	edx, eax
		imul	ecx, edx, 0Ch
		mov	edx, [edi+0F8h]
		mov	eax, [edi+eax*4+6Ch]
		and	edx, esi
		imul	edx, [edi+0FCh]
		add	edx, [ecx+eax]
		mov	eax, [edi+104h]
		mov	ecx, [ebp+arg_C]
		mov	eax, [edx+eax+8]
		mov	[ecx], eax
		lea	edi, [ecx+4]
		jmp	short loc_672C87
; 

loc_672C09:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionGetKeys(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,_SM_PAGE_KEY *,ulong *)+168j
		mov	edx, ebx
		mov	ecx, esi
		call	?BTreeFindPreviousEntry@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGPAU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@PAU1@PAUSEARCH_RESULT@1@@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeFindPreviousEntry(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::SEARCH_RESULT *)
		cmp	eax, 0FFFFFFFFh
		jz	loc_672CA7
		test	eax, eax
		jz	short loc_672C93
		mov	esi, [eax]
		mov	edx, esi
		mov	ecx, [ebp+var_4]
		and	[ebp+var_C], 0
		mov	ecx, [ecx+0F4h]
		shr	edx, cl
		mov	ecx, [ebp+var_4]
		bsr	eax, edx
		btc	edx, eax
		imul	edx, 0Ch
		mov	eax, [ecx+eax*4+6Ch]
		mov	ecx, [ecx+0F8h]
		and	ecx, esi
		mov	esi, [ebp+var_4]
		imul	ecx, [esi+0FCh]
		mov	edx, [edx+eax]
		add	edx, ecx
		mov	ecx, [esi+1C4h]
		add	edx, [esi+104h]
		mov	eax, [edx]
		and	ecx, eax
		mov	[ebp+var_C], ecx
		mov	ecx, [esi+1C8h]
		shr	eax, cl
		cmp	eax, [ebp+arg_0]
		jnz	short loc_672C93
		mov	eax, [edx+8]
		mov	[edi], eax
		add	edi, 4
		cmp	[ebp+var_C], 0
		jz	short loc_672C93

loc_672C87:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionGetKeys(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,_SM_PAGE_KEY *,ulong *)+E2j
		mov	esi, [ebp+arg_8]

loc_672C8A:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionGetKeys(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,_SM_PAGE_KEY *,ulong *)+7Dj
		cmp	edi, [ebp+var_8]
		jb	loc_672C09

loc_672C93:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionGetKeys(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,_SM_PAGE_KEY *,ulong *)+F8j
					; ST_STORE<SM_TRAITS>::StDmRegionGetKeys(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,_SM_PAGE_KEY	*,ulong	*)+152j ...
		mov	eax, [ebp+arg_10]
		sub	edi, [ebp+arg_C]
		sar	edi, 2
		mov	[eax], edi
		xor	eax, eax

loc_672CA0:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionGetKeys(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,_SM_PAGE_KEY *,ulong *)+75j
					; ST_STORE<SM_TRAITS>::StDmRegionGetKeys(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,_SM_PAGE_KEY	*,ulong	*)+187j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_672CA7:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionGetKeys(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,_SM_PAGE_KEY *,ulong *)+F0j
		mov	eax, 0C0000006h
		jmp	short loc_672CA0
?StDmRegionGetKeys@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_STDM_SEARCH_RESULTS@1@KKKPAT_SM_PAGE_KEY@@PAK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmRegionRemove(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *,	unsigned long *)
?StDmRegionRemove@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAK@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StAddRemoveRegions(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+113p
					; ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+90p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	edx, [eax]
		call	?StRegionFindRepurpose@?$ST_STORE@USM_TRAITS@@@@SGPAT_ST_REGION_STATE@1@PAU_ST_DATA_MGR@1@K@Z ;	ST_STORE<SM_TRAITS>::StRegionFindRepurpose(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)
		test	eax, eax
		jnz	short loc_672CD5

loc_672CCB:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *)+45j
		mov	edi, 0C0000225h
		jmp	loc_672DAF
; 

loc_672CD5:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *)+1Bj
		mov	edx, eax
		mov	ecx, 1FFFh
		sub	edx, [ebx+240h]
		sar	edx, 1
		mov	[ebp+var_4], edx
		test	[eax], cx
		jbe	short loc_672D1A
		test	byte ptr [ebx+1D8h], 2
		jnz	short loc_672CCB
		mov	eax, [ebx+1C4h]
		push	ecx
		inc	eax
		push	eax
		push	ecx
		push	edx
		lea	edx, [ebx+20Ch]
		mov	ecx, ebx
		call	?StDmRegionEvict@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_STDM_SEARCH_RESULTS@1@KKKK@Z	; ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS *,ulong,ulong,ulong,ulong)
		mov	edi, eax
		test	edi, edi
		js	loc_672DAF
		mov	edx, [ebp+var_4]

loc_672D1A:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *)+3Cj
		xor	edi, edi
		cmp	byte ptr [ebx+1ACh], 0
		jnz	short loc_672D34
		mov	eax, [ebx+240h]
		movzx	ecx, word ptr [eax+edx*2]
		shr	ecx, 0Dh
		jmp	short loc_672D36
; 

loc_672D34:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *)+75j
		mov	ecx, edi

loc_672D36:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *)+84j
		imul	eax, ecx, 0Ch
		cmp	edx, [eax+ebx+2B4h]
		jz	short loc_672D45
		push	8
		pop	ecx

loc_672D45:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *)+92j
		cmp	ecx, 8
		jz	short loc_672D58
		mov	edx, ecx
		mov	ecx, ebx
		push	0FFFFFFFFh
		call	ST_STORE_SM_TRAITS___StDmCurrentRegionSet
		mov	edx, [ebp+var_4]

loc_672D58:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *)+9Aj
		mov	ecx, ebx
		call	?StStagingRegionFind@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_STAGING_REGION@1@PAU_ST_DATA_MGR@1@K@Z ;	ST_STORE<SM_TRAITS>::StStagingRegionFind(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)
		mov	esi, eax
		test	esi, esi
		jz	short loc_672D88
		cmp	dword ptr [esi], 0FFFFFFFFh
		jz	short loc_672D7F
		push	edi
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		push	dword ptr [esi+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [ebp+var_4]

loc_672D7F:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *)+BAj
		mov	[esi+4], edi
		mov	[esi+8], edi
		or	dword ptr [esi], 0FFFFFFFFh

loc_672D88:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *)+B5j
		mov	esi, [ebx+1E0h]
		mov	eax, [ebp+var_4]
		shr	edx, 3
		and	eax, 7
		movzx	ecx, byte ptr [edx+esi]
		btr	ecx, eax
		mov	eax, [ebp+var_4]
		mov	[edx+esi], cl
		mov	ecx, [ebp+var_8]
		dec	dword ptr [ebx+1E4h]
		mov	[ecx], eax

loc_672DAF:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *)+22j
					; ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *)+63j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
?StDmRegionRemove@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmSinglePageRetrieveSync(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, void *, void *, unsigned long)
?StDmSinglePageRetrieveSync@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAX1K@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StNpLeafPageIn(NP_CONTEXT::NP_CTX *,void *,ulong)+2Fp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_28], 0
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		mov	ecx, [ebp+arg_0]
		push	edi
		lea	edi, [ebp+var_14]
		mov	[ebp+var_24], ecx
		stosd
		stosd
		stosd
		stosd
		mov	edi, esi
		and	edi, 2
		jz	short loc_672DEF
		mov	[ebp+var_20], edx
		jmp	short loc_672DF4
; 

loc_672DEF:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmSinglePageRetrieveSync(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,void *,void *,ulong)+32j
		mov	eax, [edx]
		mov	[ebp+var_20], eax

loc_672DF4:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmSinglePageRetrieveSync(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,void *,void *,ulong)+37j
		lea	eax, [ebp+var_14]
		mov	ecx, ebx
		push	eax
		push	esi
		lea	eax, [ebp+var_28]
		push	eax
		lea	edx, [ebx+204h]
		call	ST_STORE_SM_TRAITS___StDmpSinglePageRetrieve
		test	eax, eax
		js	short loc_672E8B
		jz	short loc_672E8B
		push	[ebp+var_24]
		lea	edx, [ebp+var_14]
		push	ecx
		mov	ecx, ebx
		call	?StDeviceIoBuild@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_WORK_ITEM@1@PAU_ST_DATA_MGR@1@PAU_ST_PAGE_LOCATION@1@KPAX@Z ; ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_672E2B
		mov	eax, 0C000009Ah
		jmp	short loc_672E8B
; 

loc_672E2B:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmSinglePageRetrieveSync(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,void *,void *,ulong)+6Cj
		mov	eax, [esi+10h]
		lea	edx, [ebp+var_1C]
		neg	edi
		sbb	edi, edi
		and	eax, 0FFFFFFEFh
		and	edi, 10h
		or	edi, eax
		lea	eax, [ebp+var_1C]
		or	edi, 0Ch
		mov	[esi+10h], edi
		and	[ebp+var_1C], 0
		mov	[ebp+var_18], eax
		mov	eax, [esi]
		and	eax, 7
		or	eax, 8
		mov	[esi], eax
		mov	ecx, [ebp+var_18]
		mov	eax, [ecx]
		and	eax, 7
		or	eax, esi
		mov	[ecx], eax
		mov	ecx, ebx
		mov	[ebp+var_18], esi
		call	?StDeviceIoIssue@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_PF_QUEUE@@@Z	; ST_STORE<SM_TRAITS>::StDeviceIoIssue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_PF_QUEUE *)
		test	eax, eax
		js	short loc_672E7C
		mov	ecx, [ebx+1C0h]
		call	_SmWaitForSyncIo@4 ; SmWaitForSyncIo(x)

loc_672E7C:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmSinglePageRetrieveSync(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,void *,void *,ulong)+B9j
		mov	edx, esi
		mov	ecx, ebx
		call	?StDmDeviceIoCompletion@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)
		test	eax, eax
		js	short loc_672E8B
		xor	eax, eax

loc_672E8B:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmSinglePageRetrieveSync(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,void *,void *,ulong)+56j
					; ST_STORE<SM_TRAITS>::StDmSinglePageRetrieveSync(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,void *,void *,ulong)+58j	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
?StDmSinglePageRetrieveSync@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAX1K@Z endp


;  S U B	R O U T	I N E 


; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StDmpCurrentRegionWrite(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *)
?StDmpCurrentRegionWrite@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC2EFp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	ebx, [esi+2B4h]
		mov	edx, ebx
		call	?StDmReuseCurrentRegion@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_CURRENT_REGION@1@@Z ; ST_STORE<SM_TRAITS>::StDmReuseCurrentRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_CURRENT_REGION *)
		mov	edi, eax
		cmp	edi, 0C000007Fh
		jnz	short loc_672ED5
		mov	eax, [ebx]
		lea	edx, [esi+26Ch]
		xor	edi, edi
		jmp	short loc_672EC9
; 

loc_672EC6:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmpCurrentRegionWrite(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+2Fj
		add	edx, 0Ch

loc_672EC9:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmpCurrentRegionWrite(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+28j
		cmp	[edx], eax
		jnz	short loc_672EC6
		push	ecx
		mov	ecx, esi
		call	?StStagingRegionIssueIo@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_STAGING_REGION@1@K@Z ; ST_STORE<SM_TRAITS>::StStagingRegionIssueIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_STAGING_REGION *,ulong)

loc_672ED5:				; CODE XREF: ST_STORE<SM_TRAITS>::StDmpCurrentRegionWrite(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+1Cj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
?StDmpCurrentRegionWrite@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z endp


;  S U B	R O U T	I N E 


; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StEmptyStore(struct	ST_STORE<struct	SM_TRAITS> *, unsigned long)
?StEmptyStore@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@K@Z proc	near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+1320E0p
					; ST_STORE<SM_TRAITS>::StChangeState(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *,long *)+10p
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		mov	edi, edx
		call	_SmEtwEnabled@4	; SmEtwEnabled(x)
		test	eax, eax
		jz	short loc_672EF8
		push	edi
		push	esi
		mov	ecx, eax
		call	_SmEtwLogStoreStateChange@16 ; SmEtwLogStoreStateChange(x,x,x,x)

loc_672EF8:				; CODE XREF: ST_STORE<SM_TRAITS>::StEmptyStore(ST_STORE<SM_TRAITS> *,ulong)+12j
		cmp	dword ptr [esi+0FE8h], 0
		jz	short loc_672F1A
		mov	ecx, [esi+4B8h]
		and	dword ptr [esi+0FE8h], 0
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	6
		pop	edx
		call	ST_STORE_SM_TRAITS___StLazyWorkMgrQueueWork

loc_672F1A:				; CODE XREF: ST_STORE<SM_TRAITS>::StEmptyStore(ST_STORE<SM_TRAITS> *,ulong)+24j
		xor	edx, edx
		lea	ecx, [esi+38h]
		inc	edx
		call	ST_STORE_SM_TRAITS___StDmCleanup
		test	edi, edi
		jz	short loc_672F37
		xor	edx, edx
		lea	ecx, [esi+4C8h]
		inc	edx
		call	ST_STORE_SM_TRAITS___StDmCleanup

loc_672F37:				; CODE XREF: ST_STORE<SM_TRAITS>::StEmptyStore(ST_STORE<SM_TRAITS> *,ulong)+4Cj
		pop	edi
		pop	esi
		pop	ecx
		retn
?StEmptyStore@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@K@Z endp


;  S U B	R O U T	I N E 


; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StGetStats(struct ST_STORE<struct SM_TRAITS> *, struct ST_STORE<struct SM_TRAITS>::_ST_WORK_ITEM *)
?StGetStats@?$ST_STORE@USM_TRAITS@@@@SGJPAU1@PAU_ST_WORK_ITEM@1@@Z proc	near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+131F5Ep
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_672F75
		test	byte ptr [eax+6], 5
		jz	short loc_672F56
		mov	ecx, [eax+0Ch]
		jmp	short loc_672F6A
; 

loc_672F56:				; CODE XREF: ST_STORE<SM_TRAITS>::StGetStats(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+14j
		push	40000010h
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	1
		push	ecx
		push	eax
		call	MmMapLockedPagesSpecifyCache
		mov	ecx, eax

loc_672F6A:				; CODE XREF: ST_STORE<SM_TRAITS>::StGetStats(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+19j
		test	ecx, ecx
		jnz	short loc_672F77
		mov	eax, 0C000009Ah
		jmp	short loc_672FB7
; 

loc_672F75:				; CODE XREF: ST_STORE<SM_TRAITS>::StGetStats(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+Ej
		xor	ecx, ecx

loc_672F77:				; CODE XREF: ST_STORE<SM_TRAITS>::StGetStats(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+31j
		mov	edx, [esi+4]
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_672FAB
		lea	ecx, [edi+38h]
		call	?StDmEtwRegionRundown@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StDmEtwRegionRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		lea	ecx, [edi+4C8h]
		call	?StDmEtwRegionRundown@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StDmEtwRegionRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		lea	ecx, [edi+38h]
		call	?StDmEtwPageRundown@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		test	eax, eax
		js	short loc_672FB7
		lea	ecx, [edi+4C8h]
		call	?StDmEtwPageRundown@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@@Z ; ST_STORE<SM_TRAITS>::StDmEtwPageRundown(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)
		jmp	short loc_672FB7
; 

loc_672FAB:				; CODE XREF: ST_STORE<SM_TRAITS>::StGetStats(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+42j
		lea	eax, [esi+8]
		push	eax
		push	ecx
		mov	ecx, edi
		call	ST_STORE_SM_TRAITS___StGetStatsWorker

loc_672FB7:				; CODE XREF: ST_STORE<SM_TRAITS>::StGetStats(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+38j
					; ST_STORE<SM_TRAITS>::StGetStats(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+61j ...
		pop	edi
		pop	esi
		pop	ecx
		retn
?StGetStats@?$ST_STORE@USM_TRAITS@@@@SGJPAU1@PAU_ST_WORK_ITEM@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StMetaRegionsUpdate(struct ST_STORE<struct SM_TRAITS> *, struct ST_STORE<struct SM_TRAITS>::_ST_WORK_ITEM *)
?StMetaRegionsUpdate@?$ST_STORE@USM_TRAITS@@@@SGJPAU1@PAU_ST_WORK_ITEM@1@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+131FA9p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], edx
		xor	eax, eax
		lea	edx, [ebp+var_10]
		mov	ebx, eax
		mov	[ebp+var_10], eax
		push	eax
		lea	esi, [edi+4C8h]
		mov	[ebp+var_4], ebx
		mov	ecx, esi
		mov	[ebp+var_8], eax
		call	?StDmGetSpaceStats@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAK1@Z	; ST_STORE<SM_TRAITS>::StDmGetSpaceStats(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *,ulong *)
		mov	ecx, [ebp+var_14]
		mov	eax, [edi+6ACh]
		sub	eax, [ebp+var_10]
		test	byte ptr [ecx+0Ch], 1
		jz	short loc_673018
		push	2
		pop	ebx
		cmp	eax, ebx
		jb	short loc_673009
		mov	esi, 40190034h
		jmp	short loc_67306E
; 

loc_673009:				; CODE XREF: ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+45j
		and	[ebp+var_C], 0
		lea	eax, [edi+38h]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], esi
		jmp	short loc_673046
; 

loc_673018:				; CODE XREF: ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+3Ej
		cmp	eax, 8
		jnb	short loc_673024
		mov	esi, 40190034h
		jmp	short loc_673071
; 

loc_673024:				; CODE XREF: ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+60j
		mov	edx, esi
		lea	ecx, [edi+38h]
		mov	[ebp+var_10], edx
		mov	ebx, eax
		mov	[ebp+var_8], ecx
		cmp	[edx+1E4h], eax
		jnz	short loc_67303C
		lea	ebx, [eax-1]

loc_67303C:				; CODE XREF: ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+7Cj
		and	[ebp+var_C], 0
		test	ebx, ebx
		jz	short loc_67306C
		mov	eax, edx

loc_673046:				; CODE XREF: ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+5Bj
					; ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+AFj
		lea	edx, [ebp+var_C]
		mov	ecx, eax
		call	?StDmRegionRemove@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAK@Z ;	ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ulong	*)
		mov	esi, eax
		test	esi, esi
		js	short loc_67306E
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		call	?StDmRegionAdd@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@K@Z ; ST_STORE<SM_TRAITS>::StDmRegionAdd(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ulong)
		inc	[ebp+var_4]
		mov	eax, [ebp+var_10]
		sub	ebx, 1
		jnz	short loc_673046

loc_67306C:				; CODE XREF: ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+87j
		xor	esi, esi

loc_67306E:				; CODE XREF: ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+4Cj
					; ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+99j
		mov	ebx, [ebp+var_4]

loc_673071:				; CODE XREF: ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+67j
		mov	edx, [ebp+var_14]
		mov	ecx, edi
		call	?StStoreWorkItemCleanup@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StStoreWorkItemCleanup(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)
		lea	eax, [edi+4C8h]
		cmp	[ebp+var_8], eax
		jnz	short loc_6730C6
		test	ebx, ebx
		jz	short loc_6730C6
		cmp	esi, 0C0000006h
		jz	short loc_6730C6
		lea	edx, [edi+38h]
		neg	edx
		lea	eax, [edi+40h]
		sbb	edx, edx
		and	edx, eax
		mov	ecx, [edx]
		mov	eax, [ecx+18h]
		cmp	eax, [ecx]
		jbe	short loc_6730AC
		call	?NpiPerformPageOut@NP_CONTEXT@@SGJPAU1@PAUNP_CTX@1@@Z ;	NP_CONTEXT::NpiPerformPageOut(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)

loc_6730AC:				; CODE XREF: ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+EAj
		lea	edx, [edi+5Ch]
		neg	edx
		lea	eax, [edi+64h]
		sbb	edx, edx
		and	edx, eax
		mov	ecx, [edx]
		mov	eax, [ecx+18h]
		cmp	eax, [ecx]
		jbe	short loc_6730C6
		call	?NpiPerformPageOut@NP_CONTEXT@@SGJPAU1@PAUNP_CTX@1@@Z ;	NP_CONTEXT::NpiPerformPageOut(NP_CONTEXT *,NP_CONTEXT::NP_CTX *)

loc_6730C6:				; CODE XREF: ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+C9j
					; ST_STORE<SM_TRAITS>::StMetaRegionsUpdate(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+CDj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
?StMetaRegionsUpdate@?$ST_STORE@USM_TRAITS@@@@SGJPAU1@PAU_ST_WORK_ITEM@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StNpEnumBTreeNodes(struct NP_CONTEXT::NP_CTX *, long (__stdcall *)(void *, void *, unsigned	long *), void *)
?StNpEnumBTreeNodes@?$ST_STORE@USM_TRAITS@@@@SGJPAUNP_CTX@NP_CONTEXT@@P6GJPAX1PAK@Z1@Z proc near
					; DATA XREF: ST_STORE_SM_TRAITS___StDmStart+18Eo

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], esi
		mov	eax, [eax]
		mov	[ebp+arg_0], esi
		cmp	[eax+44h], esi
		jnz	short loc_673107
		lea	ecx, [eax-314h]	; int
		mov	edx, [ecx]	; void *
		test	edx, edx
		jz	short loc_673128
		lea	eax, [ebp+arg_0]
		push	eax		; int
		push	[ebp+arg_8]	; int
		lea	eax, [ebp+var_4]
		push	[ebp+arg_4]	; int
		push	eax		; int
		call	?BTreeWalkPostOrderInternal@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGJPAU1@PAUNODE@?$B_TREE_HEADER@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU_SINGLE_LIST_ENTRY@@P6GJPAX3PAK@Z3PAPAU23@@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)
		jmp	short loc_673126
; 

loc_673107:				; CODE XREF: ST_STORE<SM_TRAITS>::StNpEnumBTreeNodes(NP_CONTEXT::NP_CTX	*,long (*)(void	*,void *,ulong *),void *)+17j
		lea	ecx, [eax-348h]	; int
		mov	edx, [ecx]	; void *
		test	edx, edx
		jz	short loc_673128
		lea	eax, [ebp+arg_0]
		push	eax		; int
		push	[ebp+arg_8]	; int
		lea	eax, [ebp+var_4]
		push	[ebp+arg_4]	; int
		push	eax		; int
		call	?BTreeWalkPostOrderInternal@?$B_TREE@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@$0BAAA@UNP_CONTEXT@@UST_REGION_ENTRY_COMPARATOR@2@@@SGJPAU1@PAUNODE@?$B_TREE_HEADER@KU_ST_REGION_ENTRY@?$ST_STORE@USM_TRAITS@@@@@@PAU_SINGLE_LIST_ENTRY@@P6GJPAX3PAK@Z3PAPAU23@@Z ; B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR>::BTreeWalkPostOrderInternal(B_TREE<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT,ST_STORE<SM_TRAITS>::ST_REGION_ENTRY_COMPARATOR> *,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE *,_SINGLE_LIST_ENTRY *,long	(*)(void *,void	*,ulong	*),void	*,B_TREE_HEADER<ulong,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY>::NODE * *)

loc_673126:				; CODE XREF: ST_STORE<SM_TRAITS>::StNpEnumBTreeNodes(NP_CONTEXT::NP_CTX	*,long (*)(void	*,void *,ulong *),void *)+38j
		mov	esi, eax

loc_673128:				; CODE XREF: ST_STORE<SM_TRAITS>::StNpEnumBTreeNodes(NP_CONTEXT::NP_CTX	*,long (*)(void	*,void *,ulong *),void *)+23j
					; ST_STORE<SM_TRAITS>::StNpEnumBTreeNodes(NP_CONTEXT::NP_CTX *,long (*)(void *,void *,ulong *),void *)+44j
		mov	eax, esi
		pop	esi
		leave
		retn	0Ch
?StNpEnumBTreeNodes@?$ST_STORE@USM_TRAITS@@@@SGJPAUNP_CTX@NP_CONTEXT@@P6GJPAX1PAK@Z1@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StNpLeafDelete(struct NP_CONTEXT::NP_CTX *,	unsigned long)
?StNpLeafDelete@?$ST_STORE@USM_TRAITS@@@@SGXPAUNP_CTX@NP_CONTEXT@@K@Z proc near
					; DATA XREF: ST_STORE_SM_TRAITS___StDmStart+1A6o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		xor	eax, eax
		lea	edx, [esp+18h+var_18]
		mov	[esp+18h+var_C], eax
		xor	ecx, ecx
		mov	[esp+18h+var_8], eax
		inc	ecx
		mov	[esp+18h+var_4], eax
		mov	eax, [ebp+arg_4]
		and	eax, 0FFFFFFFCh
		mov	[esp+18h+var_18], ecx
		mov	[esp+18h+var_14], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+18h+var_10], ecx
		mov	ecx, [eax]
		mov	ecx, [ecx+54h]
		call	ST_STORE_SM_TRAITS___StDmPageRemove
		mov	esp, ebp
		pop	ebp
		retn	8
?StNpLeafDelete@?$ST_STORE@USM_TRAITS@@@@SGXPAUNP_CTX@NP_CONTEXT@@K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StNpLeafPageIn(struct NP_CONTEXT::NP_CTX *,	void *,	unsigned long)
?StNpLeafPageIn@?$ST_STORE@USM_TRAITS@@@@SGJPAUNP_CTX@NP_CONTEXT@@PAXK@Z proc near
					; DATA XREF: ST_STORE_SM_TRAITS___StDmStart+19Fo

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax]
		xor	esi, esi
		mov	ebx, [eax+54h]
		mov	eax, [ebp+arg_8]
		and	eax, 0FFFFFFFCh
		xor	edi, edi
		mov	[esp+18h+var_C], eax

loc_673196:				; CODE XREF: ST_STORE<SM_TRAITS>::StNpLeafPageIn(NP_CONTEXT::NP_CTX *,void *,ulong)+8Aj
		push	0
		push	[ebp+arg_4]
		lea	edx, [esp+20h+var_C]
		mov	ecx, ebx
		call	?StDmSinglePageRetrieveSync@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAX1K@Z ; ST_STORE<SM_TRAITS>::StDmSinglePageRetrieveSync(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,void *,void *,ulong)
		test	eax, eax
		jns	short loc_6731FE
		test	dword ptr [ebx+1ACh], 2000h
		jz	short loc_673200
		cmp	eax, 80000016h
		jnz	short loc_673200
		test	edi, edi
		ja	short loc_673200
		jb	short loc_6731CB
		cmp	esi, 1C9C380h
		jnb	short loc_673200

loc_6731CB:				; CODE XREF: ST_STORE<SM_TRAITS>::StNpLeafPageIn(NP_CONTEXT::NP_CTX *,void *,ulong)+4Fj
		add	esi, 7A120h
		adc	edi, 0
		push	edi
		push	esi
		push	ecx
		mov	ecx, [ebx+228h]
		call	_StEtaIoTimeout@20 ; StEtaIoTimeout(x,x,x,x,x)
		xor	ecx, ecx
		mov	[esp+18h+var_8], 7A120h
		lea	eax, [esp+18h+var_8]
		mov	[esp+18h+var_4], ecx
		push	eax
		push	ecx
		push	ecx
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	short loc_673196
; 

loc_6731FE:				; CODE XREF: ST_STORE<SM_TRAITS>::StNpLeafPageIn(NP_CONTEXT::NP_CTX *,void *,ulong)+36j
		xor	eax, eax

loc_673200:				; CODE XREF: ST_STORE<SM_TRAITS>::StNpLeafPageIn(NP_CONTEXT::NP_CTX *,void *,ulong)+42j
					; ST_STORE<SM_TRAITS>::StNpLeafPageIn(NP_CONTEXT::NP_CTX *,void	*,ulong)+49j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
?StNpLeafPageIn@?$ST_STORE@USM_TRAITS@@@@SGJPAUNP_CTX@NP_CONTEXT@@PAXK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static unsigned long __stdcall ST_STORE<struct SM_TRAITS>::StNpLeafPageOut(struct NP_CONTEXT::NP_CTX *, void *)
?StNpLeafPageOut@?$ST_STORE@USM_TRAITS@@@@SGKPAUNP_CTX@NP_CONTEXT@@PAX@Z proc near
					; DATA XREF: ST_STORE_SM_TRAITS___StDmStart+198o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax]
		mov	ecx, [edi+54h]
		mov	[ebp+arg_0], ecx
		lea	ebx, [ecx+0Ch]
		mov	eax, [ebx+14h]
		test	al, 1
		jnz	short loc_673236
		mov	edx, ebx
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchResultDeref
		mov	eax, [ebx+14h]
		mov	ecx, [ebp+arg_0]

loc_673236:				; CODE XREF: ST_STORE<SM_TRAITS>::StNpLeafPageOut(NP_CONTEXT::NP_CTX *,void *)+1Ej
		or	eax, 1
		mov	[ebx+14h], eax

loc_67323C:				; CODE XREF: ST_STORE<SM_TRAITS>::StNpLeafPageOut(NP_CONTEXT::NP_CTX *,void *)+59j
		mov	esi, [edi+48h]
		cmp	esi, [edi+50h]
		jnz	short loc_673249
		mov	eax, [edi+4Ch]
		jmp	short loc_67324C
; 

loc_673249:				; CODE XREF: ST_STORE<SM_TRAITS>::StNpLeafPageOut(NP_CONTEXT::NP_CTX *,void *)+39j
		lea	eax, [esi+1]

loc_67324C:				; CODE XREF: ST_STORE<SM_TRAITS>::StNpLeafPageOut(NP_CONTEXT::NP_CTX *,void *)+3Ej
		shl	esi, 2
		mov	edx, ebx
		push	esi
		mov	[edi+48h], eax
		call	B_TREE__SM_PAGE_KEY_ST_STORE_SM_TRAITS____ST_PAGE_ENTRY_4096_NP_CONTEXT_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	ecx, [ebp+arg_0]
		cmp	eax, 0C0000225h
		jnz	short loc_67323C
		mov	eax, [ebp+arg_4]
		lea	edx, [ebp+var_C]
		mov	[ebp+var_8], eax
		xor	edi, edi
		mov	eax, [ecx+1D0h]
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+arg_0]
		push	eax
		push	edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_4], esi
		call	ST_STORE_SM_TRAITS___StDmpSinglePageAdd
		test	eax, eax
		js	short loc_67328E
		mov	edi, esi

loc_67328E:				; CODE XREF: ST_STORE<SM_TRAITS>::StNpLeafPageOut(NP_CONTEXT::NP_CTX *,void *)+81j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
?StNpLeafPageOut@?$ST_STORE@USM_TRAITS@@@@SGKPAUNP_CTX@NP_CONTEXT@@PAX@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static union ST_STORE<struct SM_TRAITS>::_ST_REGION_STATE * __stdcall	ST_STORE<struct	SM_TRAITS>::StRegionFindRepurpose(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, unsigned long)
?StRegionFindRepurpose@?$ST_STORE@USM_TRAITS@@@@SGPAT_ST_REGION_STATE@1@PAU_ST_DATA_MGR@1@K@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *)+14p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	byte ptr [ebp+var_1], 0FFh
		mov	ecx, 1FFFh
		lea	ebx, [ebp+var_1]
		mov	[ebp+var_28], ecx
		lea	esi, [ebp+var_8]
		mov	[ebp+var_18], ebx
		mov	eax, [edi+1E4h]
		mov	[ebp+var_C], eax
		mov	eax, [edi+240h]
		mov	[ebp+var_1C], eax
		mov	eax, [edi+248h]
		mov	[ebp+var_14], eax
		mov	ax, [edi+1CCh]
		and	ax, cx
		xor	ecx, ecx
		dec	edx
		mov	word ptr [ebp+var_8], ax
		cmp	[ebp+var_C], ecx
		jbe	short loc_673368
		mov	eax, [edi+1B8h]
		mov	ebx, [ebp+var_C]
		mov	[ebp+var_10], eax

loc_6732F6:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionFindRepurpose(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+C0j
		inc	edx
		cmp	edx, eax
		jnz	short loc_673301
		or	edx, 0FFFFFFFFh
		dec	ecx
		jmp	short loc_673354
; 

loc_673301:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionFindRepurpose(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+62j
		mov	ebx, [ebp+var_1C]
		mov	[ebp+var_20], 4000h
		lea	edi, [ebx+edx*2]
		movzx	ebx, word ptr [edi]
		mov	[ebp+var_24], edi
		cmp	bx, word ptr [ebp+var_20]
		jnb	short loc_673351
		mov	eax, 1FFFh
		and	ebx, eax
		jz	short loc_67335B
		mov	eax, [ebp+var_14]
		mov	edi, [ebp+var_18]
		add	eax, edx
		mov	al, [eax]
		mov	ah, [edi]
		mov	edi, [ebp+var_24]
		cmp	al, ah
		ja	short loc_67334E
		jb	short loc_673344
		mov	ax, [esi]
		and	ax, word ptr [ebp+var_28]
		cmp	bx, ax
		ja	short loc_67334E

loc_673344:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionFindRepurpose(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+9Fj
		mov	eax, [ebp+var_14]
		mov	esi, edi
		add	eax, edx
		mov	[ebp+var_18], eax

loc_67334E:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionFindRepurpose(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+9Dj
					; ST_STORE<SM_TRAITS>::StRegionFindRepurpose(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+ABj
		mov	eax, [ebp+var_10]

loc_673351:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionFindRepurpose(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+81j
		mov	ebx, [ebp+var_C]

loc_673354:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionFindRepurpose(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+68j
		inc	ecx
		cmp	ecx, ebx
		jb	short loc_6732F6
		jmp	short loc_67335D
; 

loc_67335B:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionFindRepurpose(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+8Aj
		mov	esi, edi

loc_67335D:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionFindRepurpose(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+C2j
		lea	eax, [ebp+var_8]
		cmp	esi, eax
		jz	short loc_673368
		mov	eax, esi
		jmp	short loc_67336A
; 

loc_673368:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionFindRepurpose(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+51j
					; ST_STORE<SM_TRAITS>::StRegionFindRepurpose(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+CBj
		xor	eax, eax

loc_67336A:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionFindRepurpose(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+CFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
?StRegionFindRepurpose@?$ST_STORE@USM_TRAITS@@@@SGPAT_ST_REGION_STATE@1@PAU_ST_DATA_MGR@1@K@Z endp


;  S U B	R O U T	I N E 


; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StRegionReadDereference(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, unsigned	long)
?StRegionReadDereference@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@K@Z proc	near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+1F5p
					; ST_STORE<SM_TRAITS>::StDeviceWorkItemCleanup(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+15p ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx+244h]
		mov	ecx, [ecx+240h]
		mov	al, [esi+edx]
		test	al, al
		jz	short loc_67338C
		dec	al
		mov	[esi+edx], al
		pop	esi
		retn
; 

loc_67338C:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionReadDereference(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+14j
		mov	eax, 0BFFFh
		and	[ecx+edx*2], ax
		pop	esi
		retn
?StRegionReadDereference@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@K@Z endp


;  S U B	R O U T	I N E 


; public: static unsigned long __stdcall ST_STORE<struct SM_TRAITS>::StRegionReadReference(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, unsigned long)
?StRegionReadReference@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@K@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoBuild(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ulong,void *)+5Bp
		mov	edi, edi
		push	esi
		mov	esi, [ecx+240h]
		push	edi
		mov	edi, 4000h
		movzx	eax, word ptr [esi+edx*2]
		test	eax, edi
		jnz	short loc_6733B9
		or	eax, edi
		mov	[esi+edx*2], ax

loc_6733B4:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionReadReference(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+34j
		xor	eax, eax
		inc	eax
		jmp	short loc_6733CF
; 

loc_6733B9:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionReadReference(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+15j
		mov	ecx, [ecx+244h]
		mov	al, [ecx+edx]
		cmp	al, 0FFh
		jnb	short loc_6733CD
		inc	al
		mov	[ecx+edx], al
		jmp	short loc_6733B4
; 

loc_6733CD:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionReadReference(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+2Dj
		xor	eax, eax

loc_6733CF:				; CODE XREF: ST_STORE<SM_TRAITS>::StRegionReadReference(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong)+20j
		pop	edi
		pop	esi
		retn
?StRegionReadReference@?$ST_STORE@USM_TRAITS@@@@SGKPAU_ST_DATA_MGR@1@K@Z endp


;  S U B	R O U T	I N E 


; public: static struct	ST_STORE<struct	SM_TRAITS>::_ST_STAGING_REGION * __stdcall ST_STORE<struct SM_TRAITS>::StStagingRegionFind(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, unsigned long)
?StStagingRegionFind@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_STAGING_REGION@1@PAU_ST_DATA_MGR@1@K@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmPickRandomRegion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+2Bp
					; ST_STORE<SM_TRAITS>::StDmRegionRemove(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *)+ACp
		lea	eax, [ecx+26Ch]
		add	ecx, 2B4h
		jmp	short loc_6733E7
; 

loc_6733E0:				; CODE XREF: ST_STORE<SM_TRAITS>::StStagingRegionFind(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ulong)+17j
		cmp	[eax], edx
		jz	short locret_6733ED
		add	eax, 0Ch

loc_6733E7:				; CODE XREF: ST_STORE<SM_TRAITS>::StStagingRegionFind(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ulong)+Cj
		cmp	eax, ecx
		jb	short loc_6733E0
		xor	eax, eax

locret_6733ED:				; CODE XREF: ST_STORE<SM_TRAITS>::StStagingRegionFind(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ulong)+10j
		retn
?StStagingRegionFind@?$ST_STORE@USM_TRAITS@@@@SGPAU_ST_STAGING_REGION@1@PAU_ST_DATA_MGR@1@K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	ST_STORE<struct	SM_TRAITS>::StStagingRegionIssueIo(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, struct ST_STORE<struct SM_TRAITS>::_ST_STAGING_REGION *, unsigned	long)
?StStagingRegionIssueIo@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_STAGING_REGION@1@K@Z proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmpCurrentRegionWrite(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+34p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ecx+240h]
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	ecx, [ecx+1C8h]
		mov	eax, [edi+8]
		mov	ebx, [edi]
		mov	[ebp+var_8], eax
		lea	edx, [eax+4]
		mov	eax, ebx
		shl	eax, cl
		mov	ecx, [ebp+var_4]
		mov	[edx+8], eax
		mov	eax, [edx+0Ch]
		push	edx
		xor	eax, [ecx+1D8h]
		and	eax, 2
		xor	[edx+0Ch], eax
		mov	eax, 8000h
		or	[esi+ebx*2], ax
		mov	esi, ecx
		push	1
		mov	eax, [esi+1D8h]
		shr	eax, 2
		xor	eax, [edx+0Ch]
		and	eax, 4
		xor	[edx+0Ch], eax
		mov	edx, [esi+1B4h]
		mov	ecx, [esi+228h]
		call	_StEtaIoStart@16 ; StEtaIoStart(x,x,x,x)
		push	[ebp+var_8]
		mov	ecx, [esi+1C0h]
		mov	edx, ebx
		push	dword ptr [edi+4]
		push	dword ptr [esi+1B4h]
		push	0
		call	_SmIssueIo@24	; SmIssueIo(x,x,x,x,x,x)
		mov	edi, [ebp+var_8]
		mov	esi, eax
		mov	eax, [edi+10h]
		test	esi, esi
		jns	short loc_6734A6
		or	eax, 1
		mov	[edi+10h], eax
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_673497
		mov	[eax+4], esi
		jmp	short loc_67349A
; 

loc_673497:				; CODE XREF: ST_STORE<SM_TRAITS>::StStagingRegionIssueIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_STAGING_REGION *,ulong)+A2j
		mov	[edi+4], esi

loc_67349A:				; CODE XREF: ST_STORE<SM_TRAITS>::StStagingRegionIssueIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_STAGING_REGION *,ulong)+A7j
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	?StDmDeviceIoCompletion@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)
		jmp	short loc_6734C3
; 

loc_6734A6:				; CODE XREF: ST_STORE<SM_TRAITS>::StStagingRegionIssueIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_STAGING_REGION *,ulong)+95j
		test	al, 4
		jz	short loc_6734C3
		mov	ebx, [ebp+var_4]
		mov	ecx, [ebx+1C0h]
		call	_SmWaitForSyncIo@4 ; SmWaitForSyncIo(x)
		mov	edx, edi
		mov	ecx, ebx
		call	?StDmDeviceIoCompletion@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_WORK_ITEM@1@@Z ; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)
		mov	esi, eax

loc_6734C3:				; CODE XREF: ST_STORE<SM_TRAITS>::StStagingRegionIssueIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_STAGING_REGION *,ulong)+B6j
					; ST_STORE<SM_TRAITS>::StStagingRegionIssueIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_STAGING_REGION *,ulong)+BAj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
?StStagingRegionIssueIo@?$ST_STORE@USM_TRAITS@@@@SGJPAU_ST_DATA_MGR@1@PAU_ST_STAGING_REGION@1@K@Z endp


;  S U B	R O U T	I N E 


; public: static void __stdcall	ST_STORE<struct	SM_TRAITS>::StStoreWorkItemCleanup(struct ST_STORE<struct SM_TRAITS> *,	struct ST_STORE<struct SM_TRAITS>::_ST_WORK_ITEM *)
?StStoreWorkItemCleanup@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@PAU_ST_WORK_ITEM@1@@Z proc near
					; CODE XREF: SMKM_STORE_SM_TRAITS___SmStWorker+1327F9p
					; ST_STORE_SM_TRAITS___StWorkItemProcess+1320F2p ...
		mov	eax, [edx+4]
		cmp	eax, 2
		jnz	short loc_6734DD
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
; 

loc_6734DD:				; CODE XREF: ST_STORE<SM_TRAITS>::StStoreWorkItemCleanup(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+6j
		cmp	eax, 3
		jnz	short locret_6734E9
		and	dword ptr [ecx+0A28h], 0FFFFFFFEh

locret_6734E9:				; CODE XREF: ST_STORE<SM_TRAITS>::StStoreWorkItemCleanup(ST_STORE<SM_TRAITS> *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+14j
		retn
?StStoreWorkItemCleanup@?$ST_STORE@USM_TRAITS@@@@SGXPAU1@PAU_ST_WORK_ITEM@1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl ST_STORE_SM_TRAITS___StpKeyCompare(const void *,const void *)
?StpKeyCompare@?$ST_STORE@USM_TRAITS@@@@SAHPBX0@Z proc near
					; DATA XREF: ST_STORE<SM_TRAITS>::StDmRegionEvict(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_STDM_SEARCH_RESULTS	*,ulong,ulong,ulong,ulong)+AFo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		mov	eax, [ebp+arg_4]
		mov	edx, [eax]
		cmp	ecx, edx
		jnb	short loc_673502
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
; 

loc_673502:				; CODE XREF: ST_STORE<SM_TRAITS>::StpKeyCompare(void const *,void const	*)+11j
		xor	eax, eax
		cmp	ecx, edx
		setnz	al
		pop	ebp
		retn
?StpKeyCompare@?$ST_STORE@USM_TRAITS@@@@SAHPBX0@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmPageRead(x, x, x,	x)
_SmPageRead@16	proc near		; CODE XREF: MiPfExecuteReadList+172A02p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		lea	edx, [ebp+var_4]
		call	?SmKeyConvert@@YGJPAT_MM_STORE_KEY@@PAT_SM_PAGE_KEY@@@Z	; SmKeyConvert(_MM_STORE_KEY *,_SM_PAGE_KEY *)
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	esi
		call	SMKM_STORE_MGR_SM_TRAITS___SmPageRead
		pop	esi
		leave
		retn	8
_SmPageRead@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmQueryStoreCommitUsage(x, x)
_SmQueryStoreCommitUsage@8 proc	near	; CODE XREF: MiReleaseOutSwappedProcessCommit(x)+718p

var_608		= dword	ptr -608h
var_5FC		= dword	ptr -5FCh
var_5DC		= dword	ptr -5DCh
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 608h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	600h		; size_t
		lea	eax, [ebp+var_608]
		mov	edi, edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		lea	edx, [ebp+var_608]
		mov	ecx, esi
		call	_SmpProcessQueryStoreStats@8 ; SmpProcessQueryStoreStats(x,x)
		test	eax, eax
		js	short loc_67358F
		xor	eax, eax
		xor	ecx, ecx

loc_673577:				; CODE XREF: SmQueryStoreCommitUsage(x,x)+51j
		add	eax, [ebp+ecx*8+var_5DC]
		inc	ecx
		cmp	ecx, 8
		jb	short loc_673577
		imul	eax, [ebp+var_5FC]
		mov	[edi], eax
		xor	eax, eax

loc_67358F:				; CODE XREF: SmQueryStoreCommitUsage(x,x)+40j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SmQueryStoreCommitUsage@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmFixSingleBitCorruption(x,	x, x)
_SmFixSingleBitCorruption@12 proc near	; CODE XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+1BBp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		mov	edx, ecx
		mov	[ebp+var_10], esi
		mov	eax, esi
		mov	[ebp+var_24], edx
		shl	eax, 3
		mov	ecx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_34], eax
		mov	[ebp+var_14], ebx
		mov	[ebp+var_18], ebx
		push	edi
		lea	edi, [edx-1]
		mov	[ebp+var_C], edi
		cmp	eax, ebx
		jbe	loc_67378C
		lea	eax, [edx+esi]
		mov	[ebp+var_8], eax
		jmp	short loc_6735EC
; 

loc_6735E6:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+1B9j
					; SmFixSingleBitCorruption(x,x,x)+1C4j
		mov	esi, [ebp+var_10]
		mov	eax, [ebp+var_8]

loc_6735EC:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+47j
		and	ecx, 7
		jnz	short loc_6735F5
		inc	edi
		mov	[ebp+var_C], edi

loc_6735F5:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+52j
		mov	bl, 1
		shl	bl, cl
		xor	[edi], bl
		mov	bh, [edi]
		cmp	esi, 10h
		jb	loc_673697
		add	eax, 0FFFFFFF0h
		mov	esi, 24234428h
		and	[ebp+var_4], 0
		mov	edi, 85EBCA77h
		mov	[ebp+var_30], eax
		mov	ecx, 61C8864Fh

loc_67361F:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+D6j
		imul	eax, [edx], 7A143589h
		sub	esi, eax
		imul	eax, [edx+4], 7A143589h
		rol	esi, 0Dh
		imul	esi, 9E3779B1h
		sub	edi, eax
		imul	eax, [edx+8], 7A143589h
		rol	edi, 0Dh
		imul	edi, 9E3779B1h
		sub	[ebp+var_4], eax
		mov	eax, [ebp+var_4]
		rol	eax, 0Dh
		imul	eax, 9E3779B1h
		mov	[ebp+var_4], eax
		imul	eax, [edx+0Ch],	7A143589h
		add	edx, 10h
		sub	ecx, eax
		rol	ecx, 0Dh
		imul	ecx, 9E3779B1h
		cmp	edx, [ebp+var_30]
		jbe	short loc_67361F
		mov	eax, [ebp+var_4]
		rol	eax, 0Ch
		rol	ecx, 12h
		add	ecx, eax
		mov	[ebp+var_30], edi
		mov	eax, [ebp+var_30]
		mov	edi, [ebp+var_C]
		rol	eax, 7
		rol	esi, 1
		add	ecx, eax
		add	ecx, esi
		mov	esi, [ebp+var_10]
		jmp	short loc_67369C
; 

loc_673697:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+63j
		mov	ecx, 165667B1h

loc_67369C:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+F8j
		add	ecx, esi
		lea	esi, [edx+4]
		cmp	esi, [ebp+var_8]
		ja	short loc_6736C6
		mov	edi, [ebp+var_8]

loc_6736A9:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+124j
		imul	eax, [edx], 3D4D51C3h
		mov	edx, esi
		lea	esi, [edx+4]
		sub	ecx, eax
		rol	ecx, 11h
		imul	ecx, 27D4EB2Fh
		cmp	esi, edi
		jbe	short loc_6736A9
		mov	edi, [ebp+var_C]

loc_6736C6:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+107j
		mov	eax, [ebp+var_8]
		and	[ebp+var_30], 0
		sub	eax, edx
		cmp	[ebp+var_8], edx
		sbb	esi, esi
		not	esi
		and	esi, eax
		jbe	short loc_6736FA
		mov	edi, [ebp+var_30]

loc_6736DD:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+158j
		movzx	eax, byte ptr [edx]
		imul	eax, 165667B1h
		add	eax, ecx
		rol	eax, 0Bh
		imul	ecx, eax, 9E3779B1h
		inc	edx
		inc	edi
		cmp	edi, esi
		jb	short loc_6736DD
		mov	edi, [ebp+var_C]

loc_6736FA:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+13Bj
		mov	eax, ecx
		shr	eax, 0Fh
		xor	eax, ecx
		imul	ecx, eax, 85EBCA77h
		mov	eax, ecx
		shr	eax, 0Dh
		xor	eax, ecx
		imul	eax, 0C2B2AE3Dh
		mov	ecx, eax
		shr	ecx, 10h
		xor	ecx, eax
		cmp	ecx, [ebp+arg_0]
		mov	ecx, [ebp+var_14]
		jnz	short loc_673738
		add	[ebp+var_1C], 1
		mov	eax, ecx
		mov	esi, [ebp+var_18]
		adc	[ebp+var_20], 0
		mov	[ebp+var_28], eax
		mov	[ebp+var_2C], esi
		jmp	short loc_67373E
; 

loc_673738:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+184j
		mov	eax, [ebp+var_28]
		mov	esi, [ebp+var_2C]

loc_67373E:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+199j
		mov	edx, [ebp+var_24]
		xor	bl, bh
		add	ecx, 1
		mov	[edi], bl
		mov	ebx, [ebp+var_18]
		adc	ebx, 0
		mov	[ebp+var_14], ecx
		mov	[ebp+var_18], ebx
		test	ebx, ebx
		jb	loc_6735E6
		ja	short loc_673767
		cmp	ecx, [ebp+var_34]
		jb	loc_6735E6

loc_673767:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+1BFj
		cmp	[ebp+var_1C], 1
		jnz	short loc_67378C
		cmp	[ebp+var_20], 0
		jnz	short loc_67378C
		mov	edx, eax
		and	eax, 7
		shrd	edx, esi, 3
		add	edx, [ebp+var_24]
		movsx	ecx, byte ptr [edx]
		btc	ecx, eax
		xor	eax, eax
		mov	[edx], cl
		inc	eax
		jmp	short loc_67378E
; 

loc_67378C:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+3Bj
					; SmFixSingleBitCorruption(x,x,x)+1CEj	...
		xor	eax, eax

loc_67378E:				; CODE XREF: SmFixSingleBitCorruption(x,x,x)+1EDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SmFixSingleBitCorruption@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmSanitizeString(x,	x)
_SmSanitizeString@8 proc near		; CODE XREF: SmKmVolumeQueryUniqueId(x,x,x,x)+50p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		shr	edx, 1
		dec	edx
		push	ebx
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		lea	eax, [edi+edx*2]
		mov	edx, eax
		sub	edx, edi
		inc	edx
		shr	edx, 1
		cmp	eax, edi
		sbb	eax, eax
		not	eax
		and	eax, edx
		mov	[ebp+var_8], eax
		jbe	short loc_673813
		push	esi

loc_6737BD:				; CODE XREF: SmSanitizeString(x,x)+7Bj
		movzx	esi, word ptr [edi]
		mov	eax, esi
		mov	[ebp+var_4], eax
		test	si, si
		jnz	short loc_6737CF
		push	7Eh
		pop	eax
		jmp	short loc_673806
; 

loc_6737CF:				; CODE XREF: SmSanitizeString(x,x)+33j
		mov	ecx, 0FFh
		movzx	eax, ax
		cmp	si, cx
		ja	short loc_6737ED
		push	eax		; int
		call	_isprint
		pop	ecx
		test	eax, eax
		jnz	short loc_6737FA
		mov	ecx, [ebp+var_4]
		movzx	eax, cx

loc_6737ED:				; CODE XREF: SmSanitizeString(x,x)+45j
		push	57h
		xor	edx, edx
		pop	ecx
		div	ecx
		lea	eax, [edx+24h]
		movzx	esi, ax

loc_6737FA:				; CODE XREF: SmSanitizeString(x,x)+50j
		cmp	si, 5Ch
		jnz	short loc_673803
		push	5Fh
		pop	esi

loc_673803:				; CODE XREF: SmSanitizeString(x,x)+69j
		movzx	eax, si

loc_673806:				; CODE XREF: SmSanitizeString(x,x)+38j
		mov	[edi], ax
		add	edi, 2
		inc	ebx
		cmp	ebx, [ebp+var_8]
		jb	short loc_6737BD
		pop	esi

loc_673813:				; CODE XREF: SmSanitizeString(x,x)+25j
		xor	eax, eax
		mov	[edi], ax
		pop	edi
		pop	ebx
		leave
		retn
_SmSanitizeString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall SmUniqueIdParseProductName(wchar_t *,int,int)
_SmUniqueIdParseProductName@12 proc near ; CODE	XREF: SmKmEtwAppendProductName(x,x)+A9p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	eax, ecx
		mov	ebx, edx
		push	offset ??_C@_1M@POLHGOIG@?$AA?$CG?$AAV?$AAe?$AAn?$AA_@FNODOBFM@	; wchar_t *
		push	eax		; wchar_t *
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ebx
		call	_wcsstr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jnz	short loc_67384C
		mov	eax, 0C000A000h
		jmp	loc_6738FB
; 

loc_67384C:				; CODE XREF: SmUniqueIdParseProductName(x,x,x)+24j
		push	edi
		add	esi, 0Ah
		push	26h		; wchar_t
		push	esi		; wchar_t *
		call	_wcschr
		mov	edi, [ebp+arg_0]
		sub	eax, esi
		sar	eax, 1
		pop	ecx
		pop	ecx
		jz	short loc_673897
		add	eax, eax
		mov	edx, edi
		push	eax
		push	esi
		mov	ecx, ebx
		mov	[ebp+var_4], eax
		call	_StringCbCopyNW@16 ; StringCbCopyNW(x,x,x,x)
		test	eax, eax
		js	short loc_6738D8
		push	ecx
		mov	edx, edi
		mov	ecx, ebx
		call	_StringCbCatW@12 ; StringCbCatW(x,x,x)
		test	eax, eax
		js	short loc_6738D8
		mov	ecx, [ebp+var_4]
		push	0FFFFFFFEh
		lea	eax, [ecx+2]
		add	eax, ebx
		mov	[ebp+var_4], eax
		pop	eax
		sub	eax, ecx
		add	edi, eax

loc_673897:				; CODE XREF: SmUniqueIdParseProductName(x,x,x)+45j
		push	offset ??_C@_1O@NMOFFKFA@?$AA?$CG?$AAP?$AAr?$AAo?$AAd?$AA_@FNODOBFM@ ; wchar_t *
		push	[ebp+var_8]	; wchar_t *
		call	_wcsstr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jnz	short loc_6738B3
		mov	eax, 0C000A000h
		jmp	short loc_6738FA
; 

loc_6738B3:				; CODE XREF: SmUniqueIdParseProductName(x,x,x)+8Ej
		add	esi, 0Ch
		push	26h		; wchar_t
		push	esi		; wchar_t *
		call	_wcschr
		sub	eax, esi
		sar	eax, 1
		pop	ecx
		pop	ecx
		jz	short loc_6738DF
		mov	ecx, [ebp+var_4]
		add	eax, eax
		push	eax
		push	esi
		mov	edx, edi
		call	_StringCbCopyNW@16 ; StringCbCopyNW(x,x,x,x)
		test	eax, eax
		jns	short loc_6738DF

loc_6738D8:				; CODE XREF: SmUniqueIdParseProductName(x,x,x)+59j
					; SmUniqueIdParseProductName(x,x,x)+67j
		mov	eax, 0C0000023h
		jmp	short loc_6738FA
; 

loc_6738DF:				; CODE XREF: SmUniqueIdParseProductName(x,x,x)+A8j
					; SmUniqueIdParseProductName(x,x,x)+BAj
		push	5Fh
		push	ebx
		jmp	short loc_6738ED
; 

loc_6738E4:				; CODE XREF: SmUniqueIdParseProductName(x,x,x)+DAj
		push	20h
		pop	ecx
		push	5Fh		; wchar_t
		mov	[eax], cx
		push	eax		; wchar_t *

loc_6738ED:				; CODE XREF: SmUniqueIdParseProductName(x,x,x)+C6j
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_6738E4
		xor	eax, eax

loc_6738FA:				; CODE XREF: SmUniqueIdParseProductName(x,x,x)+95j
					; SmUniqueIdParseProductName(x,x,x)+C1j
		pop	edi

loc_6738FB:				; CODE XREF: SmUniqueIdParseProductName(x,x,x)+2Bj
		pop	esi
		pop	ebx
		leave
		retn	4
_SmUniqueIdParseProductName@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall StEtaCheckForRefresh(x, x, x, x)
_StEtaCheckForRefresh@16 proc near	; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+42p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], edx
		push	edi
		mov	edi, esi
		lea	edx, [ecx+10h]

loc_673914:				; CODE XREF: StEtaCheckForRefresh(x,x,x,x)+46j
		mov	ecx, [edx]
		test	ecx, ecx
		jz	short loc_673940
		mov	eax, ecx

loc_67391C:				; CODE XREF: StEtaCheckForRefresh(x,x,x,x)+3Dj
		mov	ebx, 80h
		cmp	[eax+4], bx
		mov	ebx, [ebp+var_4]
		jbe	short loc_673936
		cmp	[eax+0Ch], esi
		ja	short loc_673952
		jb	short loc_673936
		cmp	[eax+8], esi
		ja	short loc_673952

loc_673936:				; CODE XREF: StEtaCheckForRefresh(x,x,x,x)+27j
					; StEtaCheckForRefresh(x,x,x,x)+2Ej
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnb	short loc_673940
		add	eax, 20h
		jmp	short loc_67391C
; 

loc_673940:				; CODE XREF: StEtaCheckForRefresh(x,x,x,x)+17j
					; StEtaCheckForRefresh(x,x,x,x)+38j
		inc	edi
		add	edx, 4
		cmp	edi, 2
		jl	short loc_673914
		xor	eax, eax

loc_67394B:				; CODE XREF: StEtaCheckForRefresh(x,x,x,x)+76j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_673952:				; CODE XREF: StEtaCheckForRefresh(x,x,x,x)+2Cj
					; StEtaCheckForRefresh(x,x,x,x)+33j
		cmp	eax, ecx
		jbe	short loc_67395A
		mov	esi, [eax-20h]
		inc	esi

loc_67395A:				; CODE XREF: StEtaCheckForRefresh(x,x,x,x)+53j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_673963
		mov	[ecx], esi

loc_673963:				; CODE XREF: StEtaCheckForRefresh(x,x,x,x)+5Ej
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_67396E
		mov	eax, [eax]
		mov	[ecx], eax

loc_67396E:				; CODE XREF: StEtaCheckForRefresh(x,x,x,x)+67j
		test	ebx, ebx
		jz	short loc_673974
		mov	[ebx], edi

loc_673974:				; CODE XREF: StEtaCheckForRefresh(x,x,x,x)+6Fj
		xor	eax, eax
		inc	eax
		jmp	short loc_67394B
_StEtaCheckForRefresh@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall StEtaIoStart(x, x, x, x)
_StEtaIoStart@16 proc near		; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoIssue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_PF_QUEUE	*)+C4p
					; ST_STORE<SM_TRAITS>::StStagingRegionIssueIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_STAGING_REGION *,ulong)+6Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	esi, [ecx+esi*4+10h]
		test	al, 1
		jz	short loc_6739A9
		and	eax, 0FFFFFFFEh
		mov	[ebp+arg_4], eax
		jmp	short loc_6739A0
; 

loc_67399D:				; CODE XREF: StEtaIoStart(x,x,x,x)+29j
		add	esi, 20h

loc_6739A0:				; CODE XREF: StEtaIoStart(x,x,x,x)+22j
		cmp	[esi], edx
		jb	short loc_67399D
		jmp	short loc_6739B3
; 

loc_6739A6:				; CODE XREF: StEtaIoStart(x,x,x,x)+32j
		add	esi, 20h

loc_6739A9:				; CODE XREF: StEtaIoStart(x,x,x,x)+1Aj
		cmp	[esi], edx
		jb	short loc_6739A6
		xor	eax, eax
		mov	[esi+4], ax

loc_6739B3:				; CODE XREF: StEtaIoStart(x,x,x,x)+2Bj
		mov	ebx, [esi+8]
		lea	edx, [ecx+0Ch]
		mov	eax, [edx]
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_8], edx
		inc	eax
		lock xadd [ecx+8], eax
		inc	eax
		xor	edi, edi
		cmp	eax, 1
		jnz	short loc_673A0C
		push	edi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, [ebp+var_C]
		mov	[ecx], eax
		mov	eax, [ebp+var_4]
		mov	[ecx+4], edx
		mov	ecx, ebx
		mov	edx, [ebp+var_8]
		lock cmpxchg [edx], ecx
		mov	edx, [ebp+var_4]
		cmp	eax, edx
		jz	short loc_673A17
		mov	esi, [ebp+var_8]

loc_6739F6:				; CODE XREF: StEtaIoStart(x,x,x,x)+8Fj
		jle	short loc_6739FE
		mov	ecx, eax
		sub	ecx, edx
		add	ebx, ecx

loc_6739FE:				; CODE XREF: StEtaIoStart(x,x,x,x):loc_6739F6j
		mov	edx, eax
		mov	ecx, ebx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_6739F6
		jmp	short loc_673A58
; 

loc_673A0C:				; CODE XREF: StEtaIoStart(x,x,x,x)+56j
		lock xadd [edx], ebx
		cmp	eax, 1
		jle	short loc_673A1A
		jmp	short loc_673A58
; 

loc_673A17:				; CODE XREF: StEtaIoStart(x,x,x,x)+78j
		mov	ecx, [ebp+var_C]

loc_673A1A:				; CODE XREF: StEtaIoStart(x,x,x,x)+9Aj
		mov	ax, [esi+6]
		inc	ax
		movzx	edx, ax
		mov	eax, [ebp+arg_0]
		mov	[esi+6], dx
		cmp	dx, [ecx+eax*4+18h]
		jb	short loc_673A42
		movzx	eax, word ptr [ecx+eax*4+1Ah]
		test	ax, ax
		jz	short loc_673A58
		and	eax, edx
		test	ax, ax
		jnz	short loc_673A58

loc_673A42:				; CODE XREF: StEtaIoStart(x,x,x,x)+B6j
		push	edi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[esi+10h], eax
		xor	edi, edi
		mov	eax, [ebp+arg_4]
		inc	edi
		mov	[esi+14h], edx
		mov	[esi+18h], eax

loc_673A58:				; CODE XREF: StEtaIoStart(x,x,x,x)+91j
					; StEtaIoStart(x,x,x,x)+9Cj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_StEtaIoStart@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall StEtaIoTimeout(x, x, x, x, x)
_StEtaIoTimeout@20 proc	near		; CODE XREF: ST_STORE<SM_TRAITS>::StNpLeafPageIn(NP_CONTEXT::NP_CTX *,void *,ulong)+6Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		lea	eax, [ebp+var_8]
		xor	edi, edi
		push	eax
		mov	esi, ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		push	edi
		push	0Ah
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	__aulldiv
		push	[ebp+var_4]
		push	[ebp+var_8]
		push	edi
		push	eax
		call	__allmul
		push	edi
		push	0F4240h
		push	edx
		push	eax
		call	__alldiv
		mov	ecx, [esi+10h]

loc_673AA9:				; CODE XREF: StEtaIoTimeout(x,x,x,x,x)+6Aj
		mov	edi, [ecx+0Ch]
		mov	esi, [ecx+8]
		cmp	edx, edi
		jb	short loc_673ABD
		ja	short loc_673AB9
		cmp	eax, esi
		jbe	short loc_673ABD

loc_673AB9:				; CODE XREF: StEtaIoTimeout(x,x,x,x,x)+52j
		mov	esi, eax
		mov	edi, edx

loc_673ABD:				; CODE XREF: StEtaIoTimeout(x,x,x,x,x)+50j
					; StEtaIoTimeout(x,x,x,x,x)+56j
		cmp	dword ptr [ecx], 0FFFFFFFFh
		mov	[ecx+8], esi
		mov	[ecx+0Ch], edi
		jz	short loc_673ACD
		add	ecx, 20h
		jmp	short loc_673AA9
; 

loc_673ACD:				; CODE XREF: StEtaIoTimeout(x,x,x,x,x)+65j
		pop	edi
		pop	esi
		leave
		retn	0Ch
_StEtaIoTimeout@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall StEtaStartRefresh(x, x, x)
_StEtaStartRefresh@12 proc near		; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaRefresh(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *)+68p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ebx, edx
		cmp	[edi+8], esi
		jg	short loc_673B1F
		lea	edx, [edi+28h]
		inc	esi
		mov	eax, [edx]

loc_673AEC:				; CODE XREF: StEtaStartRefresh(x,x,x)+21j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_673AEC
		push	0
		pop	esi
		test	al, 1
		jnz	short loc_673B1F
		mov	eax, [edi+ebx*4+10h]
		mov	ecx, [ebp+arg_0]
		jmp	short loc_673B09
; 

loc_673B06:				; CODE XREF: StEtaStartRefresh(x,x,x)+38j
		add	eax, 20h

loc_673B09:				; CODE XREF: StEtaStartRefresh(x,x,x)+31j
		cmp	[eax], ecx
		jb	short loc_673B06
		push	70h
		pop	ecx
		mov	[eax+4], cx
		xor	ecx, ecx
		mov	[eax+6], cx
		xor	eax, eax
		lea	esi, [eax+1]

loc_673B1F:				; CODE XREF: StEtaStartRefresh(x,x,x)+11j
					; StEtaStartRefresh(x,x,x)+28j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_StEtaStartRefresh@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall StIoCountsMovePeriod(x, x, x)
_StIoCountsMovePeriod@12 proc near	; CODE XREF: ST_STORE_SM_TRAITS___StDmPageAdd+131732p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	ecx, [ebx+8]
		sub	eax, ecx
		mov	esi, [ebx+0Ch]
		sbb	edx, esi
		mov	[ebp+var_4], ecx
		xor	ecx, ecx
		mov	[ebp+var_8], esi
		mov	esi, 23C34600h
		cmp	edx, ecx
		ja	short loc_673B60
		jb	short loc_673B5B
		cmp	eax, esi
		jnb	short loc_673B60

loc_673B5B:				; CODE XREF: StIoCountsMovePeriod(x,x,x)+2Dj
		xor	edi, edi
		inc	edi
		jmp	short loc_673B78
; 

loc_673B60:				; CODE XREF: StIoCountsMovePeriod(x,x,x)+2Bj
					; StIoCountsMovePeriod(x,x,x)+31j
		add	eax, 23C345FFh
		push	ecx
		push	esi
		adc	edx, ecx
		push	edx
		push	eax
		call	__aulldiv
		mov	edi, eax
		mul	esi
		mov	esi, eax
		mov	ecx, edx

loc_673B78:				; CODE XREF: StIoCountsMovePeriod(x,x,x)+36j
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_8]
		add	eax, esi
		mov	[ebx+8], eax
		adc	edx, ecx
		add	[ebx+4], edi
		mov	eax, [ebx+4]
		lea	ecx, [ebx+10h]
		and	eax, 3Fh
		mov	[ebx+0Ch], edx
		imul	eax, 14h
		add	ecx, eax
		xor	eax, eax
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	eax, ecx
		pop	edi
		pop	esi
		mov	[ebx], ecx
		pop	ebx
		leave
		retn	8
_StIoCountsMovePeriod@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall StLcBucketLocate(x,	x, x)
_StLcBucketLocate@12 proc near		; CODE XREF: ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM	*)+383p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	edx, [esi+8]
		mov	eax, [edx+4]
		cmp	eax, [ebp+arg_4]
		ja	short loc_673BDD
		jb	short loc_673BC9
		mov	eax, [edx]
		cmp	eax, [ebp+arg_0]
		jnb	short loc_673BDD

loc_673BC9:				; CODE XREF: StLcBucketLocate(x,x,x)+13j
					; StLcBucketLocate(x,x,x)+25j ...
		mov	eax, [edx+14h]
		add	edx, 10h
		cmp	eax, [ebp+arg_4]
		jb	short loc_673BC9
		ja	short loc_673BDD
		mov	ecx, [edx]
		cmp	ecx, [ebp+arg_0]
		jb	short loc_673BC9

loc_673BDD:				; CODE XREF: StLcBucketLocate(x,x,x)+11j
					; StLcBucketLocate(x,x,x)+1Aj ...
		mov	[esi], edx
		mov	eax, edx
		pop	esi
		pop	ebp
		retn	8
_StLcBucketLocate@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall StLcBucketsCopy(x, x, x, x)
_StLcBucketsCopy@16 proc near		; CODE XREF: ST_STORE_SM_TRAITS___StGetStatsWorker+D1156p
					; SMKM_STORE<SM_TRAITS>::SmStEtwFillStoreStatsEvent(SMKM_STORE<SM_TRAITS> *,_SMKM_EVENT_DESCRIPTOR *)+ABp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		push	8
		pop	edi
		mov	[ebp+var_4], ecx
		cmp	[ebp+arg_4], edi
		ja	short loc_673C07
		mov	edi, [ebp+arg_4]

loc_673C07:				; CODE XREF: StLcBucketsCopy(x,x,x,x)+1Cj
		lea	eax, [ebp+var_10]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		xor	esi, esi
		test	edi, edi
		jz	short loc_673C62
		mov	ebx, [ebp+arg_0]

loc_673C1A:				; CODE XREF: StLcBucketsCopy(x,x,x,x)+7Aj
		push	0
		push	0F4240h
		push	dword ptr [ebx+4]
		push	dword ptr [ebx]
		call	__allmul
		push	[ebp+var_C]
		push	[ebp+var_10]
		push	edx
		push	eax
		call	__alldiv
		add	eax, 9
		xor	edx, edx
		push	0Ah
		pop	ecx
		div	ecx
		mov	ecx, [ebp+var_4]
		imul	eax, 0Ah
		mov	[ecx+esi*8], eax
		test	eax, eax
		jnz	short loc_673C53
		or	dword ptr [ecx+esi*8], 0FFFFFFFFh

loc_673C53:				; CODE XREF: StLcBucketsCopy(x,x,x,x)+67j
		mov	eax, [ebx+8]
		add	ebx, 10h
		mov	[ecx+esi*8+4], eax
		inc	esi
		cmp	esi, edi
		jb	short loc_673C1A

loc_673C62:				; CODE XREF: StLcBucketsCopy(x,x,x,x)+2Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_StLcBucketsCopy@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall StringCbCatW(x, x, x)
_StringCbCatW@12 proc near		; CODE XREF: SmUniqueIdParseProductName(x,x,x)+60p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		xor	edx, edx
		shr	esi, 1
		mov	eax, esi
		mov	[ebp+var_4], edx
		neg	eax
		push	edi
		sbb	eax, eax
		mov	edi, ecx
		and	eax, 7FF8FFA9h
		add	eax, 80070057h
		test	esi, esi
		jz	short loc_673C9E
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		call	sub_673D4F
		mov	edx, [ebp+var_4]

loc_673C9E:				; CODE XREF: StringCbCatW(x,x,x)+25j
		test	eax, eax
		js	short loc_673CB9
		push	7FFFFFFEh
		push	offset ??_C@_13HOIJIPNN@?$AA?5@FNODOBFM@
		push	ecx
		sub	esi, edx
		lea	ecx, [edi+edx*2]
		mov	edx, esi
		call	StringCopyWorkerW

loc_673CB9:				; CODE XREF: StringCbCatW(x,x,x)+37j
		pop	edi
		pop	esi
		leave
		retn	4
_StringCbCatW@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall StringCbCopyNW(x, x, x, x)
_StringCbCopyNW@16 proc	near		; CODE XREF: SmUniqueIdParseProductName(x,x,x)+52p
					; SmUniqueIdParseProductName(x,x,x)+B3p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		shr	edx, 1
		mov	eax, edx
		neg	eax
		push	esi
		sbb	eax, eax
		mov	esi, 80070057h
		and	eax, 7FF8FFA9h
		add	eax, esi
		test	edx, edx
		jz	short loc_673CFC
		mov	eax, [ebp+arg_4]
		shr	eax, 1
		cmp	eax, 7FFFFFFEh
		jbe	short loc_673CF2
		xor	edx, edx
		mov	eax, esi
		mov	[ecx], dx
		jmp	short loc_673CFC
; 

loc_673CF2:				; CODE XREF: StringCbCopyNW(x,x,x,x)+28j
		push	eax
		push	[ebp+arg_0]
		push	ecx
		call	StringCopyWorkerW

loc_673CFC:				; CODE XREF: StringCbCopyNW(x,x,x,x)+1Cj
					; StringCbCopyNW(x,x,x,x)+31j
		pop	esi
		pop	ebp
		retn	8
_StringCbCopyNW@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

StringCopyWorkerW proc near		; CODE XREF: StringCbCatW(x,x,x)+4Bp
					; StringCbCopyNW(x,x,x,x)+38p

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	edx, edx
		jz	short loc_673D33
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		sub	eax, ecx
		push	edi

loc_673D14:				; CODE XREF: StringCopyWorkerW+2Aj
		test	esi, esi
		jz	short loc_673D2D
		movzx	edi, word ptr [eax+ecx]
		test	di, di
		jz	short loc_673D2D
		mov	[ecx], di
		add	ecx, 2
		dec	esi
		sub	edx, 1
		jnz	short loc_673D14

loc_673D2D:				; CODE XREF: StringCopyWorkerW+15j
					; StringCopyWorkerW+1Ej
		pop	edi
		pop	esi
		test	edx, edx
		jnz	short loc_673D36

loc_673D33:				; CODE XREF: StringCopyWorkerW+7j
		sub	ecx, 2

loc_673D36:				; CODE XREF: StringCopyWorkerW+30j
		neg	edx
		sbb	edx, edx
		and	edx, 7FF8FF86h
		xor	eax, eax
		mov	[ecx], ax
		lea	eax, [edx-7FF8FF86h]
		pop	ebp
		retn	0Ch
StringCopyWorkerW endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_673D4F	proc near		; CODE XREF: StringCbCatW(x,x,x)+2Dp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edx
		test	edx, edx
		jz	short loc_673D6B

loc_673D5E:				; CODE XREF: sub_673D4F+1Aj
		cmp	[ecx], di
		jz	short loc_673D6B
		add	ecx, 2
		sub	edx, 1
		jnz	short loc_673D5E

loc_673D6B:				; CODE XREF: sub_673D4F+Dj
					; sub_673D4F+12j
		mov	ecx, [ebp+arg_0]
		mov	eax, edx
		neg	eax
		sbb	eax, eax
		and	eax, 7FF8FFA9h
		add	eax, 80070057h
		test	ecx, ecx
		jz	short loc_673D8E
		test	edx, edx
		jz	short loc_673D8C
		sub	esi, edx
		mov	[ecx], esi
		jmp	short loc_673D8E
; 

loc_673D8C:				; CODE XREF: sub_673D4F+35j
		mov	[ecx], edi

loc_673D8E:				; CODE XREF: sub_673D4F+31j
					; sub_673D4F+3Bj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
sub_673D4F	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; long __stdcall RtlStringCbCopyUnicodeString(unsigned short *,	unsigned int, struct _UNICODE_STRING const *)
?RtlStringCbCopyUnicodeString@@YGJPAGIPBU_UNICODE_STRING@@@Z proc near
					; CODE XREF: SmKmKeyGenStart(x,x)+35p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	0
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		shr	ebx, 1
		pop	ecx
		mov	eax, ecx
		jz	short loc_673DB1
		cmp	ebx, 7FFFh
		jbe	short loc_673DB6

loc_673DB1:				; CODE XREF: RtlStringCbCopyUnicodeString(ushort *,uint,_UNICODE_STRING	const *)+13j
		mov	eax, 0C000000Dh

loc_673DB6:				; CODE XREF: RtlStringCbCopyUnicodeString(ushort *,uint,_UNICODE_STRING	const *)+1Bj
		test	eax, eax
		js	short loc_673DFA
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		push	ecx
		mov	ecx, esi
		call	sub_65D066
		test	eax, eax
		js	short loc_673DDB
		test	esi, esi
		jz	short loc_673DDB
		movzx	edi, word ptr [esi]
		mov	ecx, [esi+4]
		shr	edi, 1
		jmp	short loc_673DDD
; 

loc_673DDB:				; CODE XREF: RtlStringCbCopyUnicodeString(ushort *,uint,_UNICODE_STRING	const *)+37j
					; RtlStringCbCopyUnicodeString(ushort *,uint,_UNICODE_STRING const *)+3Bj
		xor	ecx, ecx

loc_673DDD:				; CODE XREF: RtlStringCbCopyUnicodeString(ushort *,uint,_UNICODE_STRING	const *)+45j
		test	eax, eax
		js	short loc_673DF0
		push	edi
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	sub_673DFF
		jmp	short loc_673DF8
; 

loc_673DF0:				; CODE XREF: RtlStringCbCopyUnicodeString(ushort *,uint,_UNICODE_STRING	const *)+4Bj
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		mov	[ecx], dx

loc_673DF8:				; CODE XREF: RtlStringCbCopyUnicodeString(ushort *,uint,_UNICODE_STRING	const *)+5Aj
		pop	edi
		pop	esi

loc_673DFA:				; CODE XREF: RtlStringCbCopyUnicodeString(ushort *,uint,_UNICODE_STRING	const *)+24j
		pop	ebx
		leave
		retn	4
?RtlStringCbCopyUnicodeString@@YGJPAGIPBU_UNICODE_STRING@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_673DFF	proc near		; CODE XREF: RtlStringCbCopyUnicodeString(ushort *,uint,_UNICODE_STRING	const *)+55p

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	edx, edx
		jz	short loc_673E2C
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_8]
		sub	esi, ecx

loc_673E12:				; CODE XREF: sub_673DFF+25j
		test	edi, edi
		jz	short loc_673E26
		mov	ax, [esi+ecx]
		mov	[ecx], ax
		add	ecx, 2
		dec	edi
		sub	edx, 1
		jnz	short loc_673E12

loc_673E26:				; CODE XREF: sub_673DFF+15j
		pop	edi
		pop	esi
		test	edx, edx
		jnz	short loc_673E2F

loc_673E2C:				; CODE XREF: sub_673DFF+7j
		sub	ecx, 2

loc_673E2F:				; CODE XREF: sub_673DFF+2Bj
		neg	edx
		sbb	edx, edx
		and	edx, 7FFFFFFBh
		xor	eax, eax
		mov	[ecx], ax
		lea	eax, [edx-7FFFFFFBh]
		pop	ebp
		retn	0Ch
sub_673DFF	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_673E48	proc near		; CODE XREF: sub_673E8F+21p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, 7FFFh
		push	edi
		mov	edx, esi
		xor	edi, edi

loc_673E59:				; CODE XREF: sub_673E48+1Cj
		cmp	[ecx], di
		jz	short loc_673E66
		add	ecx, 2
		sub	edx, 1
		jnz	short loc_673E59

loc_673E66:				; CODE XREF: sub_673E48+14j
		mov	ecx, [ebp+arg_0]
		mov	eax, edx
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFF3h
		add	eax, 0C000000Dh
		test	ecx, ecx
		jz	short loc_673E89
		test	edx, edx
		jz	short loc_673E87
		sub	esi, edx
		mov	[ecx], esi
		jmp	short loc_673E89
; 

loc_673E87:				; CODE XREF: sub_673E48+37j
		mov	[ecx], edi

loc_673E89:				; CODE XREF: sub_673E48+33j
					; sub_673E48+3Dj
		pop	edi
		pop	esi
		leave
		retn	4
sub_673E48	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_673E8F	proc near		; CODE XREF: SmKmKeyGenLoadKey(x,x,x)+A5p
					; SmKmKeyGenNewKey(x,x,x)+11Fp	...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ebx, edx
		mov	[edi], esi
		mov	[edi+4], esi
		test	ebx, ebx
		jz	short loc_673ED9
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], esi
		push	eax
		mov	ecx, ebx
		call	sub_673E48
		mov	esi, eax
		test	esi, esi
		js	short loc_673ED9
		test	edi, edi
		jz	short loc_673ED4
		mov	ecx, [ebp+var_4]
		mov	[edi+4], ebx
		lea	eax, [ecx+ecx]
		mov	[edi], ax
		add	eax, 2
		mov	[edi+2], ax
		jmp	short loc_673ED9
; 

loc_673ED4:				; CODE XREF: sub_673E8F+2Ej
		mov	esi, 0C000000Dh

loc_673ED9:				; CODE XREF: sub_673E8F+16j
					; sub_673E8F+2Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_673E8F	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; long __stdcall SmKmIssueFileIo(struct	_SMKM_FILE_INFO	*, struct _SMKM_ISSUE_IO_PARAMS	*, union _LARGE_INTEGER	*, void	(__stdcall *)(void *, struct _IO_STATUS_BLOCK *, unsigned long), void *)
?SmKmIssueFileIo@@YGJPAU_SMKM_FILE_INFO@@PAU_SMKM_ISSUE_IO_PARAMS@@PAT_LARGE_INTEGER@@P6GXPAXPAU_IO_STATUS_BLOCK@@K@Z3@Z proc near
					; CODE XREF: SmKmIssueIo(x,x,x,x,x)+48p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	byte ptr [edx+18h], 1
		mov	eax, [ecx]
		mov	ecx, [edx+8]
		push	ebx
		mov	ebx, [edx+4]
		push	edi
		mov	edi, [edx]
		push	0
		push	[ebp+arg_0]
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	edi
		push	ebx
		push	[ebp+arg_4]
		push	0
		push	eax
		jz	short loc_673F13
		call	_NtReadFile@36	; NtReadFile(x,x,x,x,x,x,x,x,x)
		jmp	short loc_673F18
; 

loc_673F13:				; CODE XREF: SmKmIssueFileIo(_SMKM_FILE_INFO *,_SMKM_ISSUE_IO_PARAMS *,_LARGE_INTEGER *,void (*)(void *,_IO_STATUS_BLOCK *,ulong),void *)+28j
		call	_NtWriteFile@36	; NtWriteFile(x,x,x,x,x,x,x,x,x)

loc_673F18:				; CODE XREF: SmKmIssueFileIo(_SMKM_FILE_INFO *,_SMKM_ISSUE_IO_PARAMS *,_LARGE_INTEGER *,void (*)(void *,_IO_STATUS_BLOCK *,ulong),void *)+2Fj
		mov	edx, 0C0000000h
		mov	ecx, eax
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_673F2E
		push	0
		push	edi
		push	ebx
		mov	[edi], ecx
		call	[ebp+arg_4]

loc_673F2E:				; CODE XREF: SmKmIssueFileIo(_SMKM_FILE_INFO *,_SMKM_ISSUE_IO_PARAMS *,_LARGE_INTEGER *,void (*)(void *,_IO_STATUS_BLOCK *,ulong),void *)+41j
		pop	edi
		mov	eax, 103h
		pop	ebx
		pop	ecx
		pop	ebp
		retn	0Ch
?SmKmIssueFileIo@@YGJPAU_SMKM_FILE_INFO@@PAU_SMKM_ISSUE_IO_PARAMS@@PAT_LARGE_INTEGER@@P6GXPAXPAU_IO_STATUS_BLOCK@@K@Z3@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmEtwLogRegionOp(x,	x, x, x, x, x, x)
_SmEtwLogRegionOp@28 proc near		; CODE XREF: ST_STORE_SM_TRAITS___StReleaseRegion+FA0BCp
					; ST_STORE<SM_TRAITS>::StDmDeviceIoCompletion(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_WORK_ITEM *)+170p ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	4
		pop	esi
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_4C], esi
		mov	[ebp+var_54], eax
		xor	edi, edi
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_3C], esi
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_8]
		push	2
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_2C], esi
		pop	esi
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	edi
		push	edi
		push	1
		push	edi
		push	edi
		push	dword ptr ds:(loc_404E4B+1)[edx*4]
		mov	[ebp+var_50], edi
		push	dword ptr [ecx+4]
		mov	[ebp+var_48], edi
		push	dword ptr [ecx]
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], edi
		call	EtwWriteEx
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_SmEtwLogRegionOp@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmEtwLogStoreCorruption(x, x, x, x,	x, x)
_SmEtwLogStoreCorruption@24 proc near	; CODE XREF: ST_STORE<SM_TRAITS>::StDmPageError(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char	*,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *,long)+66p

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_C]
		push	ebx
		mov	ebx, dword ptr ds:loc_404E6B+1
		push	esi
		mov	eax, [edx]
		mov	esi, ecx
		push	edi
		mov	edi, [ebp+arg_4]
		push	ebx
		push	dword ptr [esi+4]
		mov	[ebp+var_80], eax
		mov	eax, [edx+4]
		push	dword ptr [esi]
		mov	[ebp+var_84], edi
		mov	[ebp+var_7C], eax
		call	EtwEventEnabled
		test	al, al
		jz	loc_6740C5
		push	4
		lea	eax, [ebp+arg_0]
		xor	edx, edx
		pop	ecx
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_84]
		push	edi
		mov	[ebp+var_74], edx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], edx
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	[ebp+var_90], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_90]
		mov	[ebp+var_8C], edx
		mov	[ebp+var_58], eax
		xor	edx, edx
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_54], edx
		mov	[ebp+var_48], eax
		inc	ecx
		lea	eax, [ebp+var_80]
		mov	[ebp+var_50], 8
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_80+1]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		push	edx
		push	edx
		push	ecx
		push	edx
		push	edx
		push	ebx
		push	dword ptr [esi+4]
		mov	[ebp+var_4C], edx
		push	dword ptr [esi]
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], 2
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], edx
		call	EtwWriteEx

loc_6740C5:				; CODE XREF: SmEtwLogStoreCorruption(x,x,x,x,x,x)+44j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_SmEtwLogStoreCorruption@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmEtwLogStoreOp(x, x, x, x,	x, x, x, x)
_SmEtwLogStoreOp@32 proc near		; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC52Ep
					; ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB8E1p ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, dword ptr ds:(loc_404E4B+1)[edx*4]
		xor	ebx, ebx
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_34], eax
		mov	[ebp+var_50], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		push	edi
		push	4
		pop	edi
		mov	[ebp+var_4C], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_2C], edi
		push	3
		pop	eax
		cmp	edx, 1
		jz	short loc_674150
		push	2
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_20], ebx
		pop	edx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_14]
		push	5
		mov	[ebp+var_14], eax
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ebx
		pop	eax

loc_674150:				; CODE XREF: SmEtwLogStoreOp(x,x,x,x,x,x,x,x)+54j
		lea	edx, [ebp+var_54]
		push	edx
		push	eax
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	ebx
		push	esi
		push	dword ptr [ecx+4]
		push	dword ptr [ecx]
		call	EtwWriteEx
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_SmEtwLogStoreOp@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmEtwLogStoreStateChange(x,	x, x, x)
_SmEtwLogStoreStateChange@16 proc near	; CODE XREF: ST_STORE<SM_TRAITS>::StEmptyStore(ST_STORE<SM_TRAITS> *,ulong)+18p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	4
		pop	edx
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_1C], edx
		mov	[ebp+var_24], eax
		xor	esi, esi
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_20], esi
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	esi
		push	esi
		push	1
		push	esi
		push	esi
		push	dword ptr ds:loc_404E6B+5
		mov	[ebp+var_18], esi
		push	dword ptr [ecx+4]
		mov	[ebp+var_10], esi
		push	dword ptr [ecx]
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], esi
		call	EtwWriteEx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_SmEtwLogStoreStateChange@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmEtwAppendObjectName(x, x)
_SmKmEtwAppendObjectName@8 proc	near	; CODE XREF: SmKmStoreTerminateWorker(x)+26Cp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+48h+var_38], ecx
		lea	edi, [esp+48h+var_24]
		and	[esp+48h+var_34], 0
		mov	esi, offset ??_C@_1CA@KMFLJPPI@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAU?$AAn?$AAk?$AAn?$AAo?$AAw?$AAn@FNODOBFM@
		push	8
		pop	ecx
		rep movsd
		mov	edi, [esp+48h+var_38]
		mov	ebx, edx
		push	0
		mov	eax, [edi+10h]
		mov	ecx, [edi+4]
		add	ecx, eax
		lea	edx, [ecx+2]
		lea	esi, [edx+3]
		mov	[esp+4Ch+var_28], edx
		mov	edx, [edi+14h]
		and	esi, 0FFFFFFFCh
		sub	edx, eax
		sub	edx, esi
		add	edx, ecx
		push	esi
		mov	[esp+50h+var_30], edx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	bl, 1
		jz	short loc_674254
		and	ebx, 0FFFFFFFEh
		mov	edx, 746C6644h
		mov	ecx, ebx
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	ebx, eax
		mov	[esp+48h+var_38], ebx
		jmp	short loc_674259
; 

loc_674254:				; CODE XREF: SmKmEtwAppendObjectName(x,x)+63j
		and	[esp+48h+var_38], 0

loc_674259:				; CODE XREF: SmKmEtwAppendObjectName(x,x)+7Aj
		test	ebx, ebx
		jz	short loc_674299
		push	0
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	byte ptr [esp+48h+var_2C], al
		lea	eax, [esp+48h+var_34]
		push	eax
		push	[esp+4Ch+var_30]
		push	esi
		push	ebx
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		mov	ebx, eax
		mov	eax, [esp+48h+var_38]
		test	eax, eax
		jz	short loc_67428E
		mov	edx, 746C6644h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_67428E:				; CODE XREF: SmKmEtwAppendObjectName(x,x)+A8j
		push	[esp+48h+var_2C]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		jmp	short loc_67429E
; 

loc_674299:				; CODE XREF: SmKmEtwAppendObjectName(x,x)+83j
		mov	ebx, 0C000000Fh

loc_67429E:				; CODE XREF: SmKmEtwAppendObjectName(x,x)+BFj
		test	ebx, ebx
		js	short loc_6742B5
		movzx	eax, word ptr [esi]
		test	ax, ax
		jz	short loc_6742B5
		mov	ecx, [esi+4]
		shr	ax, 1
		movzx	ebx, ax
		jmp	short loc_6742BC
; 

loc_6742B5:				; CODE XREF: SmKmEtwAppendObjectName(x,x)+C8j
					; SmKmEtwAppendObjectName(x,x)+D0j
		push	0Fh
		lea	ecx, [esp+4Ch+var_24]
		pop	ebx

loc_6742BC:				; CODE XREF: SmKmEtwAppendObjectName(x,x)+DBj
		movzx	esi, bx
		add	esi, esi
		push	esi		; size_t
		push	ecx		; void *
		push	[esp+50h+var_28] ; void	*
		call	_memmove
		mov	eax, [edi+10h]
		add	esp, 0Ch
		add	eax, [edi+4]
		push	2
		mov	[eax], bx
		xor	ebx, ebx
		mov	ecx, [edi+8]
		shl	ecx, 4
		add	ecx, [edi]
		mov	[ecx], eax
		mov	[ecx+4], ebx
		mov	[ecx+0Ch], ebx
		pop	eax
		mov	[ecx+8], eax
		inc	dword ptr [edi+8]
		mov	edx, [edi+8]
		add	[edi+10h], eax
		mov	eax, [edi+4]
		add	eax, [edi+10h]
		mov	ecx, [esp+48h+var_4]
		shl	edx, 4
		add	edx, [edi]
		mov	[edx+4], ebx
		mov	[edx+8], esi
		mov	[edx+0Ch], ebx
		mov	[edx], eax
		add	[edi+10h], esi
		inc	dword ptr [edi+8]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_SmKmEtwAppendObjectName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmEtwAppendProductName(x,	x)
_SmKmEtwAppendProductName@8 proc near	; CODE XREF: SmKmStoreTerminateWorker(x)+260p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		mov	eax, edx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		mov	ebx, [eax+0Ch]
		mov	[esp+20h+var_10], esi
		mov	[esp+20h+var_C], ecx
		mov	[esp+20h+var_14], ebx
		test	ebx, ebx
		jnz	short loc_674363
		lea	ecx, [esp+20h+var_14]
		push	ecx
		mov	ecx, [eax+4]
		lea	edx, [esp+24h+var_C]
		call	_SmKmStoreFileOpenVolume@12 ; SmKmStoreFileOpenVolume(x,x,x)
		mov	ebx, [esp+20h+var_14]

loc_674363:				; CODE XREF: SmKmEtwAppendProductName(x,x)+25j
		mov	ecx, [esi+4]
		mov	eax, [esi+10h]
		add	ecx, eax
		mov	esi, [esi+14h]
		sub	esi, eax
		lea	edi, [ecx+1]
		and	edi, 0FFFFFFFEh
		sub	esi, edi
		add	esi, ecx
		test	ebx, ebx
		jz	short loc_674396
		mov	eax, 100h
		cmp	esi, eax
		jnb	short loc_674389
		mov	eax, esi

loc_674389:				; CODE XREF: SmKmEtwAppendProductName(x,x)+5Ej
		push	ecx
		push	eax
		mov	edx, edi
		mov	ecx, ebx
		call	_SmKmVolumeQueryUniqueId@16 ; SmKmVolumeQueryUniqueId(x,x,x,x)
		jmp	short loc_67439B
; 

loc_674396:				; CODE XREF: SmKmEtwAppendProductName(x,x)+55j
		mov	eax, 0C0000225h

loc_67439B:				; CODE XREF: SmKmEtwAppendProductName(x,x)+6Dj
		test	eax, eax
		jns	short loc_6743A4
		xor	eax, eax
		mov	[edi], ax

loc_6743A4:				; CODE XREF: SmKmEtwAppendProductName(x,x)+76j
		mov	ecx, edi
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_6743AB:				; CODE XREF: SmKmEtwAppendProductName(x,x)+8Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_6743AB
		sub	ecx, edx
		lea	ebx, [edi+2]
		sar	ecx, 1
		lea	eax, [ecx+ecx]
		mov	ecx, edi	; wchar_t *
		sub	esi, eax
		add	ebx, eax
		sub	esi, 2
		mov	[esp+20h+var_8], ebx
		push	esi		; int
		mov	edx, ebx	; int
		call	_SmUniqueIdParseProductName@12 ; SmUniqueIdParseProductName(x,x,x)
		test	eax, eax
		js	short loc_6743F1
		mov	edi, ebx
		xor	edx, edx
		lea	ecx, [edi+2]

loc_6743E0:				; CODE XREF: SmKmEtwAppendProductName(x,x)+C2j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, dx
		jnz	short loc_6743E0
		sub	edi, ecx
		sar	edi, 1
		jmp	short loc_6743F5
; 

loc_6743F1:				; CODE XREF: SmKmEtwAppendProductName(x,x)+B0j
		xor	eax, eax
		mov	edi, eax

loc_6743F5:				; CODE XREF: SmKmEtwAppendProductName(x,x)+C8j
		mov	ebx, [esp+20h+var_10]
		mov	eax, [ebx+10h]
		mov	esi, [ebx+4]
		mov	edx, [ebx+8]
		mov	[esp+20h+var_10], eax
		lea	ecx, [esi+eax]
		mov	eax, [ebx]
		mov	[esp+20h+var_14], eax
		mov	eax, edx
		shl	eax, 4
		add	eax, [esp+20h+var_14]
		mov	[ecx], di
		add	edi, edi
		mov	[eax], ecx
		xor	ecx, ecx
		mov	[eax+4], ecx
		mov	[eax+0Ch], ecx
		lea	ecx, [edx+1]
		mov	dword ptr [eax+8], 2
		mov	eax, [esp+20h+var_10]
		add	eax, 2
		mov	[esp+20h+var_4], ecx
		add	esi, eax
		mov	eax, [esp+20h+var_8]
		test	eax, eax
		jz	short loc_674455
		push	edi		; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		mov	ecx, [esp+2Ch+var_4]
		add	esp, 0Ch

loc_674455:				; CODE XREF: SmKmEtwAppendProductName(x,x)+11Dj
		mov	eax, ecx
		xor	edx, edx
		shl	eax, 4
		add	eax, [esp+20h+var_14]
		mov	[eax], esi
		mov	[eax+4], edx
		mov	[eax+8], edi
		mov	[eax+0Ch], edx
		lea	eax, [ecx+1]
		mov	ecx, [esp+20h+var_C]
		mov	[ebx+8], eax
		mov	eax, [esp+20h+var_10]
		add	eax, 2
		add	eax, edi
		mov	[ebx+10h], eax
		test	ecx, ecx
		jz	short loc_67448F
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag

loc_67448F:				; CODE XREF: SmKmEtwAppendProductName(x,x)+15Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_SmKmEtwAppendProductName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmIssueIo(x, x, x, x, x)
_SmKmIssueIo@20	proc near		; CODE XREF: SmIssueIo(x,x,x,x,x,x)+D5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, [ecx+18h]
		push	edi
		mov	edi, [ebx+10h]
		jmp	short loc_6744AF
; 

loc_6744AA:				; CODE XREF: SmKmIssueIo(x,x,x,x,x)+1Dj
		sub	edi, eax
		add	esi, 10h

loc_6744AF:				; CODE XREF: SmKmIssueIo(x,x,x,x,x)+12j
		mov	eax, [esi]
		cmp	edi, eax
		jnb	short loc_6744AA
		mov	eax, [ebx+14h]
		push	[ebp+arg_4]
		mul	edi
		push	[ebp+arg_0]
		add	eax, [ebx+0Ch]
		adc	edx, 0
		add	eax, [esi+8]
		adc	edx, [esi+0Ch]
		cmp	[ebp+arg_8], 0
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], edx
		mov	edx, ebx
		push	eax
		jz	short loc_6744E5
		call	?SmKmIssueFileIo@@YGJPAU_SMKM_FILE_INFO@@PAU_SMKM_ISSUE_IO_PARAMS@@PAT_LARGE_INTEGER@@P6GXPAXPAU_IO_STATUS_BLOCK@@K@Z3@Z ; SmKmIssueFileIo(_SMKM_FILE_INFO *,_SMKM_ISSUE_IO_PARAMS *,_LARGE_INTEGER *,void (*)(void *,_IO_STATUS_BLOCK *,ulong),void *)
		jmp	short loc_6744EA
; 

loc_6744E5:				; CODE XREF: SmKmIssueIo(x,x,x,x,x)+46j
		call	_SmKmIssueVolumeIo@20 ;	SmKmIssueVolumeIo(x,x,x,x,x)

loc_6744EA:				; CODE XREF: SmKmIssueIo(x,x,x,x,x)+4Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_SmKmIssueIo@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmIssueVolumeIo(x, x, x, x, x)
_SmKmIssueVolumeIo@20 proc near		; CODE XREF: SmKmIssueIo(x,x,x,x,x):loc_6744E5p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, edx
		mov	eax, ecx
		mov	[ebp+var_8], eax
		push	edi
		mov	[ebp+var_4], esi
		mov	ebx, [esi]
		mov	eax, [eax+0Ch]
		mov	[ebp+var_C], eax
		test	bl, 1
		jnz	short loc_674583
		movzx	eax, byte ptr [eax+30h]
		push	0
		push	eax
		call	IoAllocateIrp
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_67452F
		mov	eax, 0C000009Ah
		jmp	loc_6745F9
; 

loc_67452F:				; CODE XREF: SmKmIssueVolumeIo(x,x,x,x,x)+32j
		mov	edi, [esi]
		mov	eax, [ebp+var_4]
		mov	esi, [esi+8]
		push	edi
		and	dword ptr [edi], 0
		mov	edx, [eax+4]
		mov	ecx, edx
		and	ecx, 0FFFh
		mov	[edi+14h], esi
		lea	eax, [esi+0FFFh]
		mov	[edi+18h], ecx
		add	eax, ecx
		and	edx, 0FFFFF000h
		shr	eax, 0Ch
		mov	[edi+10h], edx
		lea	eax, ds:1Ch[eax*4]
		mov	[edi+4], ax
		xor	eax, eax
		mov	[edi+6], ax
		call	MmBuildMdlForNonPagedPool
		push	1
		push	edi
		call	_MmMdlPageContentsState@8 ; MmMdlPageContentsState(x,x)
		mov	esi, [ebp+var_4]
		jmp	short loc_674589
; 

loc_674583:				; CODE XREF: SmKmIssueVolumeIo(x,x,x,x,x)+20j
		mov	edi, [esi+4]
		and	ebx, 0FFFFFFFEh

loc_674589:				; CODE XREF: SmKmIssueVolumeIo(x,x,x,x,x)+90j
		mov	eax, large fs:124h
		mov	edx, ebx
		mov	[ebx+50h], eax
		lea	eax, [ebx+18h]
		mov	[ebx+28h], eax
		mov	eax, [ebp+var_8]
		mov	esi, [esi+8]
		mov	ecx, [ebp+arg_0]
		mov	[ebx+4], edi
		mov	edi, [ebx+60h]
		mov	byte ptr [ebx+20h], 0
		mov	eax, [eax+4]
		mov	[ebx+64h], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+18h]
		and	al, 1
		neg	al
		sbb	al, al
		add	al, 4
		mov	[edi-24h], al
		mov	eax, [ecx]
		mov	[edi-18h], eax
		mov	eax, [ecx+4]
		mov	ecx, [ebp+var_C]
		mov	[edi-14h], eax
		mov	eax, [ebp+arg_4]
		mov	[edi-20h], esi
		mov	dword ptr [edi-1Ch], 534D4473h
		mov	esi, [ebx+60h]
		mov	[esi-8], eax
		mov	eax, [ebp+arg_8]
		mov	[esi-4], eax
		mov	byte ptr [esi-21h], 0E0h
		call	IofCallDriver
		mov	eax, 103h

loc_6745F9:				; CODE XREF: SmKmIssueVolumeIo(x,x,x,x,x)+39j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_SmKmIssueVolumeIo@20 endp


;  S U B	R O U T	I N E 


; __stdcall SmKmStoreDereference(x, x, x)
_SmKmStoreDereference@12 proc near	; CODE XREF: SmKmStoreTerminateWorker(x)+171p
					; SmKmStoreTerminateWorker(x)+284p
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		retn	4
_SmKmStoreDereference@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmStoreTerminateWorker(x)
_SmKmStoreTerminateWorker@4 proc near	; DATA XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoreTerminate(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *,_ST_ETW_TERMINATION_REASON,long)+59o

var_568		= dword	ptr -568h
var_564		= dword	ptr -564h
var_560		= dword	ptr -560h
var_55C		= dword	ptr -55Ch
var_558		= dword	ptr -558h
var_554		= dword	ptr -554h
var_550		= dword	ptr -550h
var_54C		= dword	ptr -54Ch
var_548		= dword	ptr -548h
var_544		= dword	ptr -544h
var_540		= dword	ptr -540h
var_53C		= dword	ptr -53Ch
var_538		= dword	ptr -538h
var_534		= dword	ptr -534h
var_530		= dword	ptr -530h
var_52C		= dword	ptr -52Ch
var_528		= dword	ptr -528h
var_524		= dword	ptr -524h
var_520		= dword	ptr -520h
var_51C		= dword	ptr -51Ch
var_518		= dword	ptr -518h
var_514		= dword	ptr -514h
var_4D0		= dword	ptr -4D0h
var_4CC		= dword	ptr -4CCh
var_4C0		= dword	ptr -4C0h
var_4B0		= dword	ptr -4B0h
var_470		= dword	ptr -470h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 568h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+568h+var_4], eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [esp+570h+var_4D0]
		xor	esi, esi
		push	468h		; size_t
		push	esi		; int
		push	eax		; void *
		mov	[esp+57Ch+var_568], esi
		call	_memset
		add	esp, 0Ch
		mov	[esp+570h+var_548], esi
		lea	eax, [esp+570h+var_68]
		mov	[esp+570h+var_544], esi
		push	60h		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		push	44h
		pop	esi
		push	esi		; size_t
		push	eax		; int
		lea	eax, [esp+578h+var_518]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+570h+var_560], 8
		lea	eax, [esp+570h+var_518]
		mov	[esp+570h+var_558], esi
		mov	[esp+570h+var_55C], eax
		xor	ecx, ecx
		lea	eax, [esp+570h+var_568]
		inc	ecx
		push	eax
		push	10h
		lea	eax, [esp+578h+var_564]
		mov	[esp+578h+var_564], ecx
		push	eax
		push	6Dh
		mov	[esp+580h+var_518], ecx
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	loc_674780
		lea	eax, [esp+570h+var_4D0]
		mov	[esp+570h+var_564], 1
		push	464h		; size_t
		mov	[esp+574h+var_55C], eax
		xor	esi, esi
		lea	eax, [esp+574h+var_4CC]
		mov	[esp+574h+var_560], 0Dh
		push	esi		; int
		push	eax		; void *
		mov	[esp+57Ch+var_558], 468h
		call	_memset
		add	esp, 0Ch
		mov	[esp+570h+var_4D0], 103h
		test	[esp+570h+var_518], 0FF00h
		mov	[esp+570h+var_554], esi
		jbe	short loc_674780

loc_674710:				; CODE XREF: SmKmStoreTerminateWorker(x)+168j
		mov	eax, [esp+esi*4+570h+var_514]
		mov	[esp+570h+var_4CC], eax
		lea	eax, [esp+570h+var_568]
		push	eax
		push	10h
		lea	eax, [esp+578h+var_564]
		push	eax
		push	6Dh
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_67476D
		xor	eax, eax
		mov	ecx, eax
		cmp	[esp+570h+var_4C0], eax
		jbe	short loc_67476D
		mov	edx, [edi+1Ch]

loc_674742:				; CODE XREF: SmKmStoreTerminateWorker(x)+155j
		xor	eax, eax
		inc	eax
		shl	eax, cl
		and	eax, [esp+570h+var_470]
		neg	eax
		sbb	eax, eax
		inc	eax
		cmp	eax, edx
		jnz	short loc_674763
		mov	eax, [esp+ecx*4+570h+var_4B0]
		cmp	eax, [edi+18h]
		jz	short loc_6747AA

loc_674763:				; CODE XREF: SmKmStoreTerminateWorker(x)+13Fj
		inc	ecx
		cmp	ecx, [esp+570h+var_4C0]
		jb	short loc_674742

loc_67476D:				; CODE XREF: SmKmStoreTerminateWorker(x)+11Aj
					; SmKmStoreTerminateWorker(x)+127j
		mov	eax, [esp+570h+var_518]
		inc	esi
		shr	eax, 8
		movzx	eax, al
		mov	[esp+570h+var_554], esi
		cmp	esi, eax
		jb	short loc_674710

loc_674780:				; CODE XREF: SmKmStoreTerminateWorker(x)+A0j
					; SmKmStoreTerminateWorker(x)+F8j
		mov	edx, [edi+18h]
		push	ecx
		mov	ecx, [edi+10h]
		call	_SmKmStoreDereference@12 ; SmKmStoreDereference(x,x,x)

loc_67478C:				; CODE XREF: SmKmStoreTerminateWorker(x)+2C8j
					; SmKmStoreTerminateWorker(x)+2D0j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esp+570h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_6747AA:				; CODE XREF: SmKmStoreTerminateWorker(x)+14Bj
		xor	eax, eax
		mov	[esp+570h+var_534], 6
		mov	edx, eax
		mov	[esp+570h+var_52C], 40Ch
		lea	eax, [esp+570h+var_68]
		mov	[esp+570h+var_550], edx
		mov	[esp+570h+var_540], eax
		lea	eax, [esp+570h+var_4D0]
		push	2
		pop	ecx
		mov	[esp+570h+var_53C], eax
		call	_SmEtwEnabled@4	; SmEtwEnabled(x)
		mov	esi, eax
		mov	[esp+570h+var_54C], esi
		test	esi, esi
		jz	loc_674893
		xor	esi, esi
		lea	ecx, [esp+570h+var_4D0]
		lea	eax, [edi+20h]
		add	ecx, esi
		test	eax, eax
		jz	short loc_674804
		mov	al, [eax]
		mov	[ecx], al

loc_674804:				; CODE XREF: SmKmStoreTerminateWorker(x)+1E8j
		mov	eax, edx
		add	eax, eax
		mov	[esp+eax*8+570h+var_68], ecx
		lea	ecx, [esp+esi+570h+var_4D0+1]
		mov	[esp+eax*8+570h+var_64], esi
		mov	[esp+eax*8+570h+var_60], 1
		mov	[esp+eax*8+570h+var_5C], esi
		lea	eax, [edi+24h]
		test	eax, eax
		jz	short loc_67483A
		mov	eax, [eax]
		mov	[ecx], eax

loc_67483A:				; CODE XREF: SmKmStoreTerminateWorker(x)+21Ej
		lea	eax, [edx+1]
		add	eax, eax
		mov	[esp+eax*8+570h+var_68], ecx
		lea	ecx, [esp+570h+var_540]
		mov	[esp+eax*8+570h+var_64], esi
		mov	[esp+eax*8+570h+var_60], 4
		mov	[esp+eax*8+570h+var_5C], esi
		lea	eax, [edx+2]
		mov	[esp+570h+var_538], eax
		lea	eax, [esi+5]
		mov	esi, [edi+14h]
		mov	edx, esi
		mov	[esp+570h+var_530], eax
		call	_SmKmEtwAppendProductName@8 ; SmKmEtwAppendProductName(x,x)
		mov	edx, [esi+4]
		lea	ecx, [esp+570h+var_540]
		call	_SmKmEtwAppendObjectName@8 ; SmKmEtwAppendObjectName(x,x)
		mov	eax, [esp+570h+var_538]
		mov	esi, [esp+570h+var_54C]
		mov	[esp+570h+var_550], eax

loc_674893:				; CODE XREF: SmKmStoreTerminateWorker(x)+1D2j
		mov	edx, [edi+18h]
		push	ecx
		mov	ecx, [edi+10h]
		call	_SmKmStoreDereference@12 ; SmKmStoreDereference(x,x,x)
		lea	eax, [esp+570h+var_548]
		mov	[esp+570h+var_560], 0Ah
		mov	[esp+570h+var_55C], eax
		xor	ecx, ecx
		mov	eax, [esp+570h+var_554]
		inc	ecx
		push	10h
		mov	[esp+574h+var_564], ecx
		mov	[esp+574h+var_558], 8
		mov	eax, [esp+eax*4+574h+var_514]
		mov	[esp+574h+var_544], eax
		lea	eax, [esp+574h+var_564]
		push	eax
		push	6Dh
		mov	[esp+57Ch+var_548], ecx
		call	_ZwSetSystemInformation@12 ; ZwSetSystemInformation(x,x,x)
		test	eax, eax
		js	loc_67478C
		test	esi, esi
		jz	loc_67478C
		push	[esp+570h+var_540]
		xor	eax, eax
		push	[esp+574h+var_550]
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _SmEventCacheTermination
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		call	EtwWriteEx
		cmp	dword ptr [edi+20h], 0
		jnz	loc_67478C
		mov	eax, [esp+570h+var_540]
		mov	esi, [eax+38h]
		push	esi		; size_t
		mov	[esp+574h+var_568], esi
		push	dword ptr [eax+30h] ; void *
		lea	eax, [esp+578h+var_4D0]
		push	eax		; void *
		call	_memmove
		shr	esi, 1
		xor	eax, eax
		add	esp, 0Ch
		mov	word ptr [esp+esi*2+570h+var_4D0], ax
		lea	eax, [esp+570h+var_4D0]
		cmp	word ptr [esp+570h+var_4D0], 0
		jnz	short loc_674956
		mov	eax, offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@FNODOBFM@ ; "(null)"

loc_674956:				; CODE XREF: SmKmStoreTerminateWorker(x)+339j
		mov	[esp+570h+var_524], eax
		mov	eax, [edi+24h]
		mov	[esp+570h+var_51C], eax
		lea	eax, [esp+570h+var_528]
		push	eax
		mov	eax, [esp+574h+var_54C]
		mov	[esp+574h+var_528], 2
		mov	[esp+574h+var_520], 1
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		call	_SmKmSqmAddToStream@20 ; SmKmSqmAddToStream(x,x,x,x,x)
		jmp	loc_67478C
_SmKmStoreTerminateWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmVirtualLockContextIncreaseWsMin(x, x, x)
_SmKmVirtualLockContextIncreaseWsMin@12	proc near
					; CODE XREF: SmKmVirtualLockCtxLockMemory(x,x,x)+9Bp

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, large fs:124h
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		push	esi
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_14], esi
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebx+8]
		cmp	eax, [esi+8]
		jnb	short loc_6749DD
		mov	[ebp+var_8], 40190034h
		jmp	loc_674AA0
; 

loc_6749DD:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+46j
		and	[ebp+var_18], 0
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		lea	edx, [ebp+var_20]
		lea	ecx, [ebp+var_24]
		call	_MmQueryWorkingSetInformation@24 ; MmQueryWorkingSetInformation(x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		js	loc_674AA0
		add	edi, 3FFFFFh
		and	edi, 0FFC00000h

loc_674A15:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+F9j
		mov	eax, [ebp+var_10]
		lea	ecx, [edi+eax]
		cmp	ecx, eax
		jbe	short loc_674A99
		mov	edx, [ebp+var_C]
		mov	[ebp+var_10], ecx
		cmp	ecx, edx
		jbe	short loc_674A2E
		mov	edx, ecx
		mov	[ebp+var_C], edx

loc_674A2E:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+9Ej
		lea	eax, [ebp+var_4+3]
		mov	byte ptr [ebp+var_4+3],	0
		push	eax
		push	0
		push	1
		push	0
		call	MmAdjustWorkingSetSizeEx
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jns	short loc_674A86
		cmp	ecx, 0C000004Ch
		jnz	short loc_674AA0
		xor	eax, eax
		lea	edx, [ebp+var_20]
		mov	[ebp+var_24], eax
		lea	ecx, [ebp+var_24]
		mov	[ebp+var_20], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_MmQueryWorkingSetInformation@24 ; MmQueryWorkingSetInformation(x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jns	short loc_674A15
		jmp	short loc_674AA0
; 

loc_674A86:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+BFj
		mov	eax, [esi+8]
		lea	ecx, [eax+edi]
		cmp	ecx, eax
		jbe	short loc_674A93
		mov	[esi+8], ecx

loc_674A93:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+105j
		and	[ebp+var_8], 0
		jmp	short loc_674AA0
; 

loc_674A99:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+94j
		mov	[ebp+var_8], 0C0000095h

loc_674AA0:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+4Fj
					; SmKmVirtualLockContextIncreaseWsMin(x,x,x)+7Aj ...
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_28], edx
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_674AB9
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_674AB9:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+127j
		xor	edi, edi
		mov	[ebp+var_2C], edi
		test	esi, 7FFFFFFCh
		jz	loc_674C4C
		mov	eax, [ebp+var_14]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_40], edx
		mov	[ebp+var_44], esi
		pop	edx
		jb	short loc_674AF5
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_674B03

loc_674AF5:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+161j
		cmp	eax, [ebp+var_40]
		jb	short loc_674B16
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_674B16

loc_674B03:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+16Aj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_14]

loc_674B16:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+16Fj
					; SmKmVirtualLockContextIncreaseWsMin(x,x,x)+178j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+2],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_40], ecx
		test	ecx, ecx
		jnz	short loc_674B61
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_674BD3
		push	ecx
		push	[ebp+var_28]
		push	[ebp+var_14]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_674B61:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+1B6j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_674B77
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_40]

loc_674B77:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+1E4j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_2C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+2],	1
		mov	edx, eax
		jnz	short loc_674BC1
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_674BD3
; 

loc_674BC1:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+224j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_44]

loc_674BD3:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+1C0j
					; SmKmVirtualLockContextIncreaseWsMin(x,x,x)+236j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_44], eax
		jz	short loc_674C34
		test	edi, 8000h
		jz	short loc_674BF7
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_674BF7:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+263j
		test	byte ptr [ebp+var_2C+2], 1
		jz	short loc_674C07
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_674C07:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+272j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_674C1B
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_674C1B:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+285j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_674C34
		push	[ebp+var_44]
		mov	edx, [ebp+var_14]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_674C34:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+25Bj
					; SmKmVirtualLockContextIncreaseWsMin(x,x,x)+29Cj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_674C4C
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_674C4C
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_674C4C:				; CODE XREF: SmKmVirtualLockContextIncreaseWsMin(x,x,x)+13Bj
					; SmKmVirtualLockContextIncreaseWsMin(x,x,x)+2B4j ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
_SmKmVirtualLockContextIncreaseWsMin@12	endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmVirtualLockCtxLockMemory(x, x, x)
_SmKmVirtualLockCtxLockMemory@12 proc near
					; CODE XREF: SmKmStoreHelperCommandProcess+123501p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	esi, ecx
		xor	ebx, ebx

loc_674C6F:				; CODE XREF: SmKmVirtualLockCtxLockMemory(x,x,x)+A4j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		test	ebx, ebx
		jnz	short loc_674CB1
		lea	edi, [esi+4]
		mov	edx, [edi]
		mov	ecx, [ebp+arg_0]
		add	ecx, edx
		jmp	short loc_674CA7
; 

loc_674C96:				; CODE XREF: SmKmVirtualLockCtxLockMemory(x,x,x)+4Bj
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	ecx, eax
		cmp	ecx, edx
		jz	short loc_674CAE
		mov	edx, ecx
		add	ecx, [ebp+arg_0]

loc_674CA7:				; CODE XREF: SmKmVirtualLockCtxLockMemory(x,x,x)+35j
		cmp	ecx, [esi+8]
		jbe	short loc_674C96
		jmp	short loc_674CD0
; 

loc_674CAE:				; CODE XREF: SmKmVirtualLockCtxLockMemory(x,x,x)+41j
		xor	ebx, ebx
		inc	ebx

loc_674CB1:				; CODE XREF: SmKmVirtualLockCtxLockMemory(x,x,x)+29j
		push	1
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	0FFFFFFFFh
		call	_ZwLockVirtualMemory@16	; ZwLockVirtualMemory(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_674D0B
		cmp	edi, 0C00000A1h
		jnz	short loc_674D0F

loc_674CD0:				; CODE XREF: SmKmVirtualLockCtxLockMemory(x,x,x)+4Dj
		mov	edi, [esi+8]
		xor	ecx, ecx
		push	11h
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_674CE8
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_674CE8:				; CODE XREF: SmKmVirtualLockCtxLockMemory(x,x,x)+80j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		call	_SmKmVirtualLockContextIncreaseWsMin@12	; SmKmVirtualLockContextIncreaseWsMin(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	loc_674C6F
		jmp	short loc_674D30
; 

loc_674D0B:				; CODE XREF: SmKmVirtualLockCtxLockMemory(x,x,x)+67j
		xor	ebx, ebx
		xor	edi, edi

loc_674D0F:				; CODE XREF: SmKmVirtualLockCtxLockMemory(x,x,x)+6Fj
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_674D24
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_674D24:				; CODE XREF: SmKmVirtualLockCtxLockMemory(x,x,x)+BCj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_674D30:				; CODE XREF: SmKmVirtualLockCtxLockMemory(x,x,x)+AAj
		test	ebx, ebx
		jz	short loc_674D3E
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_SmKmVirtualLockCtxMemoryUnlocked@8 ; SmKmVirtualLockCtxMemoryUnlocked(x,x)

loc_674D3E:				; CODE XREF: SmKmVirtualLockCtxLockMemory(x,x,x)+D3j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SmKmVirtualLockCtxLockMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmVirtualLockCtxMemoryUnlocked(x,	x)
_SmKmVirtualLockCtxMemoryUnlocked@8 proc near
					; CODE XREF: SmKmStoreHelperCommandProcess+1234E8p
					; SmKmVirtualLockCtxLockMemory(x,x,x)+DAp

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 48h
		and	[ebp+var_C], 0
		neg	edx
		and	[ebp+var_10], 0
		push	esi
		mov	esi, ecx
		push	edi
		mov	[ebp+var_8], esi
		lea	edi, [esi+4]
		lock xadd [edi], edx
		mov	ecx, [edi]
		mov	eax, [esi+8]
		cmp	ecx, eax
		jnb	loc_674FCE
		test	ecx, ecx
		jz	short loc_674D97
		sub	eax, ecx
		cmp	eax, 800000h
		jb	loc_674FCE

loc_674D97:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+41j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [edi]
		mov	eax, [esi+8]
		mov	edi, eax
		sub	edi, ecx
		cmp	edi, 800000h
		jnb	short loc_674DC7
		test	ecx, ecx
		jnz	short loc_674E1D
		test	eax, eax
		jz	short loc_674E1D

loc_674DC7:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+76j
		xor	eax, eax
		lea	edx, [ebp+var_24]
		mov	[ebp+var_28], eax
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_MmQueryWorkingSetInformation@24 ; MmQueryWorkingSetInformation(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_674E1D
		mov	ecx, [ebp+var_C]
		and	edi, 0FFC00000h
		sub	[esi+8], edi
		cmp	ecx, edi
		jb	short loc_674E1D
		xor	edx, edx
		lea	eax, [ebp+var_4+3]
		push	eax
		push	edx
		push	edx
		sub	ecx, edi
		mov	byte ptr [ebp+var_4+3],	dl
		push	edx
		mov	edx, [ebp+var_10]
		mov	[ebp+var_C], ecx
		call	MmAdjustWorkingSetSizeEx

loc_674E1D:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+7Aj
					; SmKmVirtualLockCtxMemoryUnlocked(x,x)+7Ej ...
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_14], edx
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_674E36
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_674E36:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+E6j
		xor	edi, edi
		mov	[ebp+var_18], edi
		test	esi, 7FFFFFFCh
		jz	loc_674FC9
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_40], edx
		mov	[ebp+var_44], esi
		pop	edx
		jb	short loc_674E72
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_674E80

loc_674E72:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+120j
		cmp	eax, [ebp+var_40]
		jb	short loc_674E93
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_674E93

loc_674E80:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+129j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_8]

loc_674E93:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+12Ej
					; SmKmVirtualLockCtxMemoryUnlocked(x,x)+137j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+2],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_40], ecx
		test	ecx, ecx
		jnz	short loc_674EDE
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_674F50
		push	ecx
		push	[ebp+var_14]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_674EDE:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+175j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_674EF4
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_40]

loc_674EF4:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+1A3j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_18], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+2],	1
		mov	edx, eax
		jnz	short loc_674F3E
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_674F50
; 

loc_674F3E:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+1E3j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_44]

loc_674F50:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+17Fj
					; SmKmVirtualLockCtxMemoryUnlocked(x,x)+1F5j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_44], eax
		jz	short loc_674FB1
		test	edi, 8000h
		jz	short loc_674F74
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_674F74:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+222j
		test	byte ptr [ebp+var_18+2], 1
		jz	short loc_674F84
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_674F84:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+231j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_674F98
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_674F98:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+244j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_674FB1
		push	[ebp+var_44]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_674FB1:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+21Aj
					; SmKmVirtualLockCtxMemoryUnlocked(x,x)+25Bj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_674FC9
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_674FC9
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_674FC9:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+FAj
					; SmKmVirtualLockCtxMemoryUnlocked(x,x)+273j ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_674FCE:				; CODE XREF: SmKmVirtualLockCtxMemoryUnlocked(x,x)+39j
					; SmKmVirtualLockCtxMemoryUnlocked(x,x)+4Aj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_SmKmVirtualLockCtxMemoryUnlocked@8 endp ; sp =	 4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmpFpAllocateResource(x, x)
_SmpFpAllocateResource@8 proc near	; CODE XREF: SmpFpWaitForResource(x,x,x)+51p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	ebx
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_1], al
		mov	eax, [ebp+var_8]
		mov	edi, [ebx+eax*4+14h]
		jmp	short loc_674FFA
; 

loc_674FF8:				; CODE XREF: SmpFpAllocateResource(x,x)+27j
		mov	edi, [edi]

loc_674FFA:				; CODE XREF: SmpFpAllocateResource(x,x)+1Fj
		test	byte ptr [edi+4], 1
		jnz	short loc_674FF8
		mov	esi, [edi+4]
		mov	ecx, esi
		or	ecx, 1
		mov	[edi+4], ecx
		inc	byte ptr [ebx+eax+2Ch]
		inc	byte ptr [ebx+32h]
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SmpFpAllocateResource@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmpFpReleaseResource(x, x, x)
_SmpFpReleaseResource@12 proc near	; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+122D39p
					; SmFpFree+122A3Bp

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	esi, [edi+ebx*4+14h]
		mov	[ebp+var_1], al
		jmp	short loc_675053
; 

loc_675044:				; CODE XREF: SmpFpReleaseResource(x,x,x)+2Dj
		mov	ecx, [esi+4]
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	eax, [ebp+arg_0]
		jz	short loc_67506F
		mov	esi, [esi]

loc_675053:				; CODE XREF: SmpFpReleaseResource(x,x,x)+1Aj
		test	esi, esi
		jnz	short loc_675044

loc_675057:				; CODE XREF: SmpFpReleaseResource(x,x,x)+57j
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_67506F:				; CODE XREF: SmpFpReleaseResource(x,x,x)+27j
		and	ecx, 0FFFFFFFEh
		mov	[esi+4], ecx
		xor	esi, esi
		dec	byte ptr [edi+ebx+2Ch]
		dec	byte ptr [edi+32h]
		inc	esi
		jmp	short loc_675057
_SmpFpReleaseResource@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmpFpWaitForResource(x, x, x)
_SmpFpWaitForResource@12 proc near	; CODE XREF: SmFpAllocate+123322p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		mov	[ebp+arg_0], esi
		push	edi
		test	esi, esi
		jnz	short loc_6750A0
		mov	esi, large fs:124h

loc_6750A0:				; CODE XREF: SmpFpWaitForResource(x,x,x)+16j
		lea	edi, [ebx+40h]
		cmp	esi, [edi]
		jz	short loc_6750D0
		xor	edx, edx

loc_6750A9:				; CODE XREF: SmpFpWaitForResource(x,x,x)+4Aj
		cmp	[edi], edx
		jnz	short loc_6750B9
		mov	ecx, esi
		xor	eax, eax
		lock cmpxchg [edi], ecx
		test	eax, eax
		jz	short loc_6750CD

loc_6750B9:				; CODE XREF: SmpFpWaitForResource(x,x,x)+2Aj
		push	edx
		push	edx
		push	edx
		push	edx
		lea	eax, [ebx+4]
		push	eax
		call	KeWaitForSingleObject
		push	0
		pop	edx
		cmp	esi, [edi]
		jnz	short loc_6750A9

loc_6750CD:				; CODE XREF: SmpFpWaitForResource(x,x,x)+36j
		mov	edx, [ebp+var_4]

loc_6750D0:				; CODE XREF: SmpFpWaitForResource(x,x,x)+24j
		mov	ecx, ebx
		call	_SmpFpAllocateResource@8 ; SmpFpAllocateResource(x,x)
		cmp	[ebp+arg_0], 0
		jnz	short loc_6750E1
		mov	ecx, eax
		xchg	ecx, [edi]

loc_6750E1:				; CODE XREF: SmpFpWaitForResource(x,x,x)+5Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SmpFpWaitForResource@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmEvictKeys(struct SMKM_STORE_MGR<struct SM_TRAITS> *, union _SM_PAGE_KEY *, unsigned	long, struct SMKM_STORE<struct SM_TRAITS> *)
?SmEvictKeys@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAT_SM_PAGE_KEY@@KPAU?$SMKM_STORE@USM_TRAITS@@@@@Z proc near
					; CODE XREF: ST_STORE_SM_TRAITS___StDmPageRemove+FC7EAp
					; ST_STORE_SM_TRAITS___StDmPageRemove+FCA71p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [edx]
		lea	edx, [ebp+var_4]
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		mov	[ebp+var_4], eax
		call	?SmFeStoreEvictKeys@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAT_SM_PAGE_KEY@@KK@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)
		leave
		retn	8
?SmEvictKeys@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAT_SM_PAGE_KEY@@KPAU?$SMKM_STORE@USM_TRAITS@@@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void __stdcall SmFatalHeapCorruptionDumpCallback(enum	 _KBUGCHECK_CALLBACK_REASON, struct _KBUGCHECK_REASON_CALLBACK_RECORD *, void *, unsigned long)
?SmFatalHeapCorruptionDumpCallback@@YGXW4_KBUGCHECK_CALLBACK_REASON@@PAU_KBUGCHECK_REASON_CALLBACK_RECORD@@PAXK@Z proc near
					; DATA XREF: SmPrepareForFatalHeapCorruption(x,x,x,x,x)+B0o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_8]
		add	ecx, 23h
		and	ecx, 0FFFFFFF8h
		mov	eax, [ecx+10h]
		add	eax, 30h
		cmp	eax, [edx+8]
		jbe	short loc_675129
		xor	eax, eax
		jmp	short loc_67513C
; 

loc_675129:				; CODE XREF: SmFatalHeapCorruptionDumpCallback(_KBUGCHECK_CALLBACK_REASON,_KBUGCHECK_REASON_CALLBACK_RECORD *,void *,ulong)+1Aj
		push	esi
		push	edi
		mov	esi, offset dword_42E39C
		mov	[edx+1Ch], ecx
		lea	edi, [edx+0Ch]
		movsd
		movsd
		movsd
		movsd
		pop	edi
		pop	esi

loc_67513C:				; CODE XREF: SmFatalHeapCorruptionDumpCallback(_KBUGCHECK_CALLBACK_REASON,_KBUGCHECK_REASON_CALLBACK_RECORD *,void *,ulong)+1Ej
		mov	[edx+20h], eax
		pop	ebp
		retn	10h
?SmFatalHeapCorruptionDumpCallback@@YGXW4_KBUGCHECK_CALLBACK_REASON@@PAU_KBUGCHECK_REASON_CALLBACK_RECORD@@PAXK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void __stdcall SmFatalPageErrorDumpCallback(enum  _KBUGCHECK_CALLBACK_REASON,	struct _KBUGCHECK_REASON_CALLBACK_RECORD *, void *, unsigned long)
?SmFatalPageErrorDumpCallback@@YGXW4_KBUGCHECK_CALLBACK_REASON@@PAU_KBUGCHECK_REASON_CALLBACK_RECORD@@PAXK@Z proc near
					; DATA XREF: SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+1EFo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_8]
		add	ecx, 23h
		and	ecx, 0FFFFFFF8h
		mov	eax, [ecx+0Ch]
		add	eax, 38h
		cmp	eax, [edx+8]
		jbe	short loc_675163
		xor	eax, eax
		jmp	short loc_675176
; 

loc_675163:				; CODE XREF: SmFatalPageErrorDumpCallback(_KBUGCHECK_CALLBACK_REASON,_KBUGCHECK_REASON_CALLBACK_RECORD *,void *,ulong)+1Aj
		push	esi
		push	edi
		mov	esi, offset byte_42E3AC
		mov	[edx+1Ch], ecx
		lea	edi, [edx+0Ch]
		movsd
		movsd
		movsd
		movsd
		pop	edi
		pop	esi

loc_675176:				; CODE XREF: SmFatalPageErrorDumpCallback(_KBUGCHECK_CALLBACK_REASON,_KBUGCHECK_REASON_CALLBACK_RECORD *,void *,ulong)+1Ej
		mov	[edx+20h], eax
		pop	ebp
		retn	10h
?SmFatalPageErrorDumpCallback@@YGXW4_KBUGCHECK_CALLBACK_REASON@@PAU_KBUGCHECK_REASON_CALLBACK_RECORD@@PAXK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmFeStoreEvictKeys(struct SMKM_STORE_MGR<struct SM_TRAITS> *,	union _SM_PAGE_KEY *, unsigned long, unsigned long)
?SmFeStoreEvictKeys@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAT_SM_PAGE_KEY@@KK@Z proc near
					; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,SMKM_STORE<SM_TRAITS> *)+18p

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_71		= byte ptr -71h
var_70		= dword	ptr -70h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [edx]
		lea	eax, [ebp+var_60]
		push	edi
		push	58h		; size_t
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		lea	eax, [ebp+var_48]
		mov	[ebp+var_50], 8
		mov	[ebp+var_60], eax
		xor	ecx, ecx
		xor	eax, eax
		mov	[ebp+var_5C], ecx
		inc	eax
		mov	[ebp+var_58], ecx
		mov	[ebp+var_70], eax
		add	esp, 0Ch
		mov	eax, large fs:124h
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_90], ecx
		dec	word ptr [eax+13Eh]
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_84], ecx
		nop
		lea	eax, [edi+0F0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_80], eax
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+var_8C]
		lea	ecx, [edi+0F4h]
		mov	edi, [ebp+var_90]
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_88], eax
		mov	eax, [ebp+var_70]
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_78], edx

loc_675231:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+1CFj
		test	eax, eax
		jz	short loc_675261
		push	esi
		lea	edx, [ebp+var_60]
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		lea	eax, [ebp+var_60]
		push	eax
		lea	edx, [ebp+var_90]
		call	?BTreeIteratorFromSearchResult@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUITERATOR@1@PAUSEARCH_RESULT@1@@Z ; B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeIteratorFromSearchResult(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>> *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::ITERATOR *,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)
		mov	edx, [ebp+var_8C]
		xor	eax, eax
		mov	edi, [ebp+var_90]
		mov	[ebp+var_70], eax
		mov	[ebp+var_78], edx

loc_675261:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+B6j
		test	edi, edi
		jnz	short loc_675269
		xor	ecx, ecx
		jmp	short loc_6752A6
; 

loc_675269:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+E6j
		movzx	eax, word ptr [edi]
		add	edx, 8
		inc	eax
		mov	[ebp+var_78], edx
		mov	ecx, edx
		mov	[ebp+var_8C], edx
		lea	eax, [edi+eax*8]
		cmp	ecx, eax
		jb	short loc_6752A6
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	short loc_67529D
		lea	edx, [ecx+8]
		mov	edi, ecx
		mov	[ebp+var_90], edi
		mov	[ebp+var_78], edx
		mov	[ebp+var_8C], edx

loc_67529D:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+10Aj
		lea	eax, [ecx+8]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_6752A6:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+EAj
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+103j
		cmp	byte ptr [ecx+6], 3
		jnz	loc_675330
		mov	byte ptr [ecx+6], 0
		mov	ecx, [ebp+var_54]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_6752C9
		test	ecx, ecx
		jz	short loc_6752C9
		mov	eax, [ebp+var_60]
		dec	ecx
		lea	ecx, [eax+ecx*8]
		jmp	short loc_6752CC
; 

loc_6752C9:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+13Dj
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+141j
		lea	ecx, [ebp+var_5C]

loc_6752CC:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+14Aj
		cmp	[ecx], edi
		jnz	short loc_6752D5
		mov	[ecx+4], edx
		jmp	short loc_67531D
; 

loc_6752D5:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+151j
		lea	edx, [ebp+var_60]
		call	?BTreeSearchResultDeref@?$B_TREE@T_SM_PAGE_KEY@@USMKM_FRONTEND_ENTRY@?$SMKM_STORE_MGR@USM_TRAITS@@@@$0BAAA@UB_TREE_DUMMY_NODE_POOL@@U?$B_TREE_KEY_COMPARATOR@T_SM_PAGE_KEY@@@@@@SGXPAU1@PAUSEARCH_RESULT@1@@Z ;	B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::BTreeSearchResultDeref(B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>	*,B_TREE<_SM_PAGE_KEY,SMKM_STORE_MGR<SM_TRAITS>::SMKM_FRONTEND_ENTRY,4096,B_TREE_DUMMY_NODE_POOL,B_TREE_KEY_COMPARATOR<_SM_PAGE_KEY>>::SEARCH_RESULT *)
		cmp	[ebp+var_54], 0FFFFFFFFh
		jnz	short loc_6752ED
		mov	eax, [ebp+var_78]
		mov	[ecx], edi
		mov	[ecx+4], eax
		jmp	short loc_67531D
; 

loc_6752ED:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+164j
		push	dword ptr [edi+8]
		mov	ecx, [ebp+var_7C]
		lea	edx, [ebp+var_60]
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeSearchKey
		mov	ecx, [ebp+var_54]
		or	eax, 0FFFFFFFFh
		cmp	ecx, eax
		jz	short loc_675315
		test	ecx, ecx
		jz	short loc_675315
		lea	ecx, ds:0FFFFFFFCh[ecx*8]
		add	ecx, [ebp+var_60]
		jmp	short loc_675318
; 

loc_675315:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+186j
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+18Aj
		lea	ecx, [ebp+var_58]

loc_675318:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+196j
		mov	eax, [ebp+var_78]
		mov	[ecx], eax

loc_67531D:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+156j
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+16Ej
		mov	ecx, [ebp+var_7C]
		lea	edx, [ebp+var_60]
		call	B_TREE__SM_PAGE_KEY_SMKM_STORE_MGR_SM_TRAITS___SMKM_FRONTEND_ENTRY_4096_B_TREE_DUMMY_NODE_POOL_B_TREE_KEY_COMPARATOR__SM_PAGE_KEY_____BTreeDeleteEx
		xor	eax, eax
		inc	eax
		mov	[ebp+var_70], eax
		jmp	short loc_675333
; 

loc_675330:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+12Dj
		mov	eax, [ebp+var_70]

loc_675333:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+1B1j
		mov	ecx, [ebp+var_84]
		inc	ecx
		mov	[ebp+var_84], ecx
		cmp	ecx, [ebx+8]
		jz	short loc_675351
		mov	edx, [ebp+var_78]
		inc	esi
		mov	ecx, [ebp+var_7C]
		jmp	loc_675231
; 

loc_675351:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+1C6j
		mov	ecx, [ebp+var_80]
		or	edx, 0FFFFFFFFh
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_67536E
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_80]
		or	edx, 0FFFFFFFFh

loc_67536E:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+1E4j
		xor	edi, edi
		mov	[ebp+var_7C], edi
		test	ecx, 7FFFFFFCh
		jz	loc_675515
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	[ebp+var_84], esi
		mov	esi, ds:dword_6D07D0
		shr	eax, 15h
		cmp	ecx, esi
		mov	[ebp+var_70], esi
		mov	esi, [ebp+var_84]
		jb	short loc_6753AD
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_6753BB

loc_6753AD:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+225j
		cmp	ecx, [ebp+var_70]
		jb	short loc_6753D1
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_6753D1

loc_6753BB:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+22Ej
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_80]
		mov	edx, eax
		mov	[ebp+var_88], edx

loc_6753D1:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+233j
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+23Cj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		push	edx
		mov	edx, ecx
		mov	[ebp+var_71], al
		mov	ecx, esi
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_70], ecx
		test	ecx, ecx
		jnz	short loc_675421
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_675496
		mov	eax, [ebp+var_88]
		push	ecx
		push	eax
		mov	eax, [ebp+var_80]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_675421:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+27Dj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_675437
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_70]

loc_675437:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+2B0j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_7C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_71], 1
		mov	edx, eax
		jnz	short loc_675481
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_675496
; 

loc_675481:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+2F0j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_84]

loc_675496:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+287j
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+302j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_88], eax
		jz	short loc_6754FD
		test	edi, 8000h
		jz	short loc_6754BD
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6754BD:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+335j
		test	byte ptr [ebp+var_7C+2], 1
		jz	short loc_6754CD
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6754CD:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+344j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_6754E1
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_6754E1:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+357j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_6754FD
		push	[ebp+var_88]
		mov	edx, [ebp+var_80]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_6754FD:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+32Dj
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+36Ej
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_675515
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_675515
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_675515:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+1FCj
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeStoreEvictKeys(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+389j ...
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
?SmFeStoreEvictKeys@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAT_SM_PAGE_KEY@@KK@Z endp ;	sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE<struct SM_TRAITS>::SmStEtwFillStoreEvent(struct SMKM_STORE<struct SM_TRAITS>	*, struct _SMKM_EVENT_DESCRIPTOR *)
?SmStEtwFillStoreEvent@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@PAU_SMKM_EVENT_DESCRIPTOR@@@Z	proc near
					; CODE XREF: SmKmEtwLogStoreChange(x,x,x)+B3p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	esi, esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], esi
		mov	eax, [edi+10h]
		add	eax, [edi+4]
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		mov	[eax], ebx
		mov	ecx, [edi+8]
		shl	ecx, 4
		add	ecx, [edi]
		mov	[ecx], eax
		mov	[ecx+4], esi
		mov	dword ptr [ecx+8], 4
		mov	[ecx+0Ch], esi
		mov	edx, [edi+10h]
		inc	dword ptr [edi+8]
		add	edx, 4
		mov	[edi+10h], edx
		cmp	byte ptr [ebx+10F4h], 1
		jnz	short loc_675592
		mov	eax, [ebx+1188h]
		mov	ecx, [eax+0Ch]
		jmp	short loc_675594
; 

loc_675592:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStEtwFillStoreEvent(SMKM_STORE<SM_TRAITS>	*,_SMKM_EVENT_DESCRIPTOR *)+4Fj
		mov	ecx, esi

loc_675594:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStEtwFillStoreEvent(SMKM_STORE<SM_TRAITS>	*,_SMKM_EVENT_DESCRIPTOR *)+5Aj
		mov	eax, [edi+4]
		add	eax, edx
		lea	edx, [ebx+38h]
		push	4
		mov	[eax], ecx
		mov	ecx, [edi+8]
		shl	ecx, 4
		add	ecx, [edi]
		mov	[ecx], eax
		mov	[ecx+4], esi
		mov	[ecx+0Ch], esi
		mov	dword ptr [ecx+8], 4
		add	dword ptr [edi+10h], 4
		mov	eax, [edi+4]
		add	eax, [edi+10h]
		inc	dword ptr [edi+8]
		mov	[eax], edx
		lea	edx, [ebx+4C8h]
		mov	ecx, [edi+8]
		shl	ecx, 4
		add	ecx, [edi]
		mov	[ecx], eax
		mov	[ecx+4], esi
		mov	[ecx+0Ch], esi
		pop	eax
		mov	[ecx+8], eax
		add	[edi+10h], eax
		mov	eax, [edi+4]
		add	eax, [edi+10h]
		inc	dword ptr [edi+8]
		push	4
		mov	[eax], edx
		mov	ecx, [edi+8]
		shl	ecx, 4
		add	ecx, [edi]
		mov	[ecx], eax
		mov	[ecx+4], esi
		mov	[ecx+0Ch], esi
		lea	esi, [ebx+117Ch]
		pop	eax
		mov	[ecx+8], eax
		add	[edi+10h], eax
		mov	ecx, [edi+10h]
		inc	dword ptr [edi+8]
		add	ecx, [edi+4]
		mov	edx, [edi+8]
		test	esi, esi
		jz	short loc_675624
		mov	eax, [esi]
		mov	[ecx], eax
		mov	edx, [edi+8]

loc_675624:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStEtwFillStoreEvent(SMKM_STORE<SM_TRAITS>	*,_SMKM_EVENT_DESCRIPTOR *)+E5j
		shl	edx, 4
		xor	esi, esi
		add	edx, [edi]
		push	4
		pop	eax
		push	4
		mov	[edx], ecx
		mov	[edx+4], esi
		mov	[edx+0Ch], esi
		mov	[edx+8], eax
		add	[edi+10h], eax
		inc	dword ptr [edi+8]
		mov	edx, [ebx+21Ch]
		add	edx, [ebx+6ACh]
		mov	eax, [edi+4]
		add	eax, [edi+10h]
		mov	[eax], edx
		mov	ecx, [edi+8]
		shl	ecx, 4
		add	ecx, [edi]
		pop	edx
		mov	[ecx+4], esi
		mov	[ecx+0Ch], esi
		mov	[ecx], eax
		mov	[ecx+8], edx
		add	[edi+10h], edx
		mov	eax, [edi+4]
		add	eax, [edi+10h]
		inc	dword ptr [edi+8]
		mov	dword ptr [eax], 1000h
		mov	ecx, [edi+8]
		shl	ecx, 4
		add	ecx, [edi]
		mov	[ecx+4], esi
		mov	[ecx+0Ch], esi
		lea	esi, [ebx+10h]
		mov	[ecx], eax
		mov	[ecx+8], edx
		add	dword ptr [edi+10h], 4
		mov	ecx, [edi+10h]
		inc	dword ptr [edi+8]
		add	ecx, [edi+4]
		mov	edx, [edi+8]
		test	esi, esi
		jz	short loc_6756AC
		mov	eax, [esi]
		mov	[ecx], eax
		mov	edx, [edi+8]

loc_6756AC:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStEtwFillStoreEvent(SMKM_STORE<SM_TRAITS>	*,_SMKM_EVENT_DESCRIPTOR *)+16Dj
		shl	edx, 4
		xor	esi, esi
		add	edx, [edi]
		push	4
		pop	eax
		push	4
		mov	[edx], ecx
		mov	[edx+8], eax
		mov	[edx+4], esi
		mov	[edx+0Ch], esi
		add	[edi+10h], eax
		inc	dword ptr [edi+8]
		mov	edx, [ebx+9B4h]
		mov	eax, [edi+4]
		add	eax, [edi+10h]
		shl	edx, 3
		mov	[eax], edx
		mov	ecx, [edi+8]
		shl	ecx, 4
		add	ecx, [edi]
		mov	[ecx], eax
		mov	[ecx+4], esi
		mov	[ecx+0Ch], esi
		pop	eax
		mov	[ecx+8], eax
		add	[edi+10h], eax
		inc	dword ptr [edi+8]
		mov	eax, [edi+4]
		add	eax, [edi+10h]
		movzx	edx, byte ptr [ebx+10F4h]
		push	2
		mov	[eax], dx
		mov	ecx, [edi+8]
		shl	ecx, 4
		add	ecx, [edi]
		mov	[ecx], eax
		mov	[ecx+4], esi
		mov	[ecx+0Ch], esi
		lea	esi, [ebx+10F0h]
		pop	eax
		mov	[ecx+8], eax
		add	[edi+10h], eax
		mov	ecx, [edi+10h]
		inc	dword ptr [edi+8]
		add	ecx, [edi+4]
		mov	edx, [edi+8]
		test	esi, esi
		jz	short loc_67573C
		mov	ax, [esi]
		mov	[ecx], ax
		mov	edx, [edi+8]

loc_67573C:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStEtwFillStoreEvent(SMKM_STORE<SM_TRAITS>	*,_SMKM_EVENT_DESCRIPTOR *)+1FBj
		shl	edx, 4
		add	edx, [edi]
		push	2
		pop	eax
		and	dword ptr [edx+4], 0
		and	dword ptr [edx+0Ch], 0
		mov	[edx], ecx
		mov	[edx+8], eax
		lea	edx, [ebx+3Ch]
		add	[edi+10h], eax
		mov	ecx, [edi+10h]
		inc	dword ptr [edi+8]
		add	ecx, [edi+4]
		mov	esi, [edi+8]
		test	edx, edx
		jz	short loc_67576E
		mov	eax, [edx]
		mov	[ecx], eax
		mov	esi, [edi+8]

loc_67576E:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStEtwFillStoreEvent(SMKM_STORE<SM_TRAITS>	*,_SMKM_EVENT_DESCRIPTOR *)+22Fj
		shl	esi, 4
		lea	edx, [ebp+var_C]
		add	esi, [edi]
		push	4
		pop	eax
		and	dword ptr [esi+4], 0
		and	dword ptr [esi+0Ch], 0
		mov	[esi], ecx
		lea	ecx, [ebx+38h]
		mov	[esi+8], eax
		add	[edi+10h], eax
		lea	eax, [ebp+var_10]
		inc	dword ptr [edi+8]
		push	eax
		call	?StDmGetSpaceStats@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAK1@Z	; ST_STORE<SM_TRAITS>::StDmGetSpaceStats(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *,ulong *)
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_4]
		lea	ecx, [ebx+4C8h]
		call	?StDmGetSpaceStats@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_DATA_MGR@1@PAK1@Z	; ST_STORE<SM_TRAITS>::StDmGetSpaceStats(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong *,ulong *)
		mov	eax, [edi+4]
		xor	esi, esi
		add	eax, [edi+10h]
		mov	ecx, [ebp+var_C]
		add	ecx, [ebp+var_4]
		mov	edx, [ebp+var_10]
		mov	[eax], ecx
		mov	ecx, [edi+8]
		add	edx, [ebp+var_8]
		shl	ecx, 4
		add	ecx, [edi]
		push	4
		mov	[ecx], eax
		mov	[ecx+4], esi
		mov	[ecx+0Ch], esi
		pop	eax
		mov	[ecx+8], eax
		add	[edi+10h], eax
		inc	dword ptr [edi+8]
		mov	eax, [edi+4]
		add	eax, [edi+10h]
		push	4
		mov	[eax], edx
		mov	ecx, [edi+8]
		shl	ecx, 4
		add	ecx, [edi]
		mov	[ecx], eax
		mov	[ecx+4], esi
		mov	[ecx+0Ch], esi
		pop	eax
		mov	[ecx+8], eax
		add	[edi+10h], eax
		mov	eax, [edi+4]
		add	eax, [edi+10h]
		inc	dword ptr [edi+8]
		mov	edx, [ebx+1E4h]
		push	4
		mov	[eax], edx
		mov	ecx, [edi+8]
		shl	ecx, 4
		add	ecx, [edi]
		mov	[ecx], eax
		mov	[ecx+4], esi
		pop	eax
		mov	[ecx+8], eax
		mov	[ecx+0Ch], esi
		add	[edi+10h], eax
		lea	eax, [ebx+6ACh]
		mov	ecx, [edi+10h]
		inc	dword ptr [edi+8]
		add	ecx, [edi+4]
		mov	edx, [edi+8]
		test	eax, eax
		jz	short loc_675844
		mov	eax, [eax]
		mov	[ecx], eax
		mov	edx, [edi+8]

loc_675844:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStEtwFillStoreEvent(SMKM_STORE<SM_TRAITS>	*,_SMKM_EVENT_DESCRIPTOR *)+305j
		shl	edx, 4
		add	edx, [edi]
		push	4
		mov	[edx], ecx
		mov	[edx+4], esi
		mov	dword ptr [edx+8], 4
		mov	[edx+0Ch], esi
		mov	eax, [edi+4]
		inc	dword ptr [edi+8]
		mov	ecx, [ebp+var_4]
		pop	edx
		add	[edi+10h], edx
		add	eax, [edi+10h]
		mov	[eax], ecx
		mov	ecx, [edi+8]
		shl	ecx, 4
		add	ecx, [edi]
		mov	[ecx], eax
		mov	[ecx+4], esi
		mov	[ecx+8], edx
		mov	[ecx+0Ch], esi
		add	[edi+10h], edx
		mov	eax, [edi+4]
		add	eax, [edi+10h]
		inc	dword ptr [edi+8]
		mov	ecx, [ebp+var_8]
		mov	[eax], ecx
		mov	ecx, [edi+8]
		shl	ecx, 4
		add	ecx, [edi]
		mov	[ecx], eax
		mov	[ecx+4], esi
		mov	[ecx+8], edx
		mov	[ecx+0Ch], esi
		add	dword ptr [edi+10h], 4
		mov	ecx, [edi+10h]
		inc	dword ptr [edi+8]
		add	ecx, [edi+4]
		mov	edx, [edi+8]
		add	ebx, 2A0h
		jz	short loc_6758C2
		mov	eax, [ebx]
		mov	[ecx], eax
		mov	edx, [edi+8]

loc_6758C2:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStEtwFillStoreEvent(SMKM_STORE<SM_TRAITS>	*,_SMKM_EVENT_DESCRIPTOR *)+383j
		shl	edx, 4
		add	edx, [edi]
		push	4
		pop	eax
		mov	[edx+4], esi
		mov	[edx+0Ch], esi
		mov	[edx], ecx
		mov	[edx+8], eax
		inc	dword ptr [edi+8]
		add	[edi+10h], eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
?SmStEtwFillStoreEvent@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@PAU_SMKM_EVENT_DESCRIPTOR@@@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static unsigned long __stdcall SMKM_STORE<struct SM_TRAITS>::SmStEtwFillStoreStatsEvent(struct SMKM_STORE<struct SM_TRAITS> *, struct	_SMKM_EVENT_DESCRIPTOR *)
?SmStEtwFillStoreStatsEvent@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@PAU_SMKM_EVENT_DESCRIPTOR@@@Z proc near
					; CODE XREF: SmKmEtwLogStoreStats(x,x,x)+78p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		push	edi
		mov	edi, edx
		cmp	[ecx+464h], ebx
		jz	loc_675992
		mov	eax, [edi+10h]
		add	eax, [edi+4]
		push	esi
		push	4
		pop	edx
		mov	[eax], ecx
		mov	ecx, [edi+8]
		shl	ecx, 4
		add	ecx, [edi]
		mov	[ecx], eax
		mov	[ecx+8], edx
		mov	[ecx+4], ebx
		mov	[ecx+0Ch], ebx
		add	[edi+10h], edx
		mov	ecx, [edi+10h]
		add	ecx, [edi+4]
		inc	dword ptr [edi+8]
		mov	dword ptr [ecx], 544h
		mov	eax, [edi+8]
		shl	eax, 4
		add	eax, [edi]
		mov	[eax], ecx
		mov	[eax+8], edx
		mov	[eax+4], ebx
		mov	[eax+0Ch], ebx
		mov	eax, 544h
		inc	dword ptr [edi+8]
		mov	ecx, [edi+8]
		add	[edi+10h], edx
		mov	esi, [edi+4]
		add	esi, [edi+10h]
		shl	ecx, 4
		add	ecx, [edi]
		mov	[ecx], esi
		mov	[ecx+4], ebx
		mov	[ecx+8], eax
		mov	[ecx+0Ch], ebx
		mov	ecx, esi
		inc	dword ptr [edi+8]
		add	[edi+10h], eax
		mov	edi, [ebp+var_4]
		lea	edx, [edi+0A48h]
		call	?StCopyIoStats@?$ST_STORE@USM_TRAITS@@@@SGXPAU_ST_IO_STATS@@PAU_ST_IO_COUNTS@@@Z ; ST_STORE<SM_TRAITS>::StCopyIoStats(_ST_IO_STATS *,_ST_IO_COUNTS *)
		push	dword ptr [edi+0F5Ch]
		lea	ecx, [esi+504h]
		push	dword ptr [edi+0F60h]
		call	_StLcBucketsCopy@16 ; StLcBucketsCopy(x,x,x,x)
		inc	ebx
		pop	esi

loc_675992:				; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStEtwFillStoreStatsEvent(SMKM_STORE<SM_TRAITS> *,_SMKM_EVENT_DESCRIPTOR *)+15j
		pop	edi
		mov	eax, ebx
		pop	ebx
		leave
		retn
?SmStEtwFillStoreStatsEvent@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@PAU_SMKM_EVENT_DESCRIPTOR@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmStoreContentsRundown(struct	SMKM_STORE_MGR<struct SM_TRAITS> *, struct SMKM_STORE<struct SM_TRAITS>	*)
?SmStoreContentsRundown@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU1@PAU?$SMKM_STORE@USM_TRAITS@@@@@Z	proc near
					; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoresContentsRundown(SMKM_STORE_MGR<SM_TRAITS> *)+20p

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		xor	eax, eax
		mov	[ebp+var_8], ecx
		push	edi
		push	eax
		push	eax
		mov	[ebp+var_10], eax
		mov	edi, edx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_20]
		push	eax
		mov	[ebp+var_4], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	64576D73h
		push	20h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_6759ED
		mov	edi, 0C000009Ah
		jmp	short loc_675A42
; 

loc_6759ED:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoreContentsRundown(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *)+4Cj
		xor	eax, eax
		mov	edx, edi
		mov	[esi+8], eax
		mov	[esi+0Ch], eax
		mov	[esi+10h], eax
		mov	[esi+14h], eax
		mov	[esi+18h], eax
		mov	[esi+1Ch], eax
		lea	eax, [ebp+var_10]
		or	dword ptr [esi+4], 0FFFFFFFFh
		push	eax
		lea	eax, [ebp+var_20]
		mov	dword ptr [esi], 3
		push	eax
		push	esi
		call	?SmStoreRequestEx@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU1@PAU?$SMKM_STORE@USM_TRAITS@@@@PAU_SM_WORK_ITEM@1@PAU_KEVENT@@PAU_IO_STATUS_BLOCK@@@Z ;	SMKM_STORE_MGR<SM_TRAITS>::SmStoreRequestEx(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *,SMKM_STORE_MGR<SM_TRAITS>::_SM_WORK_ITEM *,_KEVENT *,_IO_STATUS_BLOCK *)
		mov	edi, eax
		test	edi, edi
		js	short loc_675A36
		xor	esi, esi
		lea	eax, [ebp+var_20]
		push	esi
		push	esi
		push	esi
		push	esi
		push	eax
		call	KeWaitForSingleObject
		mov	edi, [ebp+var_10]
		mov	[ebp+var_4], esi

loc_675A36:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoreContentsRundown(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *)+87j
		test	esi, esi
		jz	short loc_675A42
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_675A42:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoreContentsRundown(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *)+53j
					; SMKM_STORE_MGR<SM_TRAITS>::SmStoreContentsRundown(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *)+A0j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_675A65
		mov	edx, [eax+10F0h]
		mov	ecx, [ebp+var_8]
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_675A65:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoreContentsRundown(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *)+AFj
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
?SmStoreContentsRundown@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU1@PAU?$SMKM_STORE@USM_TRAITS@@@@@Z	endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static long __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmStoreTerminate(struct SMKM_STORE_MGR<struct	SM_TRAITS> *, struct SMKM_STORE<struct SM_TRAITS> *, enum  _ST_ETW_TERMINATION_REASON, long)
?SmStoreTerminate@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU1@PAU?$SMKM_STORE@USM_TRAITS@@@@W4_ST_ETW_TERMINATION_REASON@@J@Z proc near
					; CODE XREF: SMKM_STORE_MGR_SM_TRAITS___SmStoreActionNotify+D371Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	6D546D73h
		push	28h
		push	200h
		mov	edi, edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_675A9A
		mov	edi, 0C000009Ah
		jmp	short loc_675B14
; 

loc_675A9A:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoreTerminate(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *,_ST_ETW_TERMINATION_REASON,long)+21j
		mov	edx, [edi+10F0h]
		mov	ecx, ebx
		call	SmKmStoreReference
		xor	ecx, ecx
		test	eax, eax
		jnz	short loc_675AB4
		mov	edi, 0C0000189h
		jmp	short loc_675B09
; 

loc_675AB4:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoreTerminate(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *,_ST_ETW_TERMINATION_REASON,long)+3Bj
		mov	[esi+4], ecx
		lea	eax, [edi+1184h]
		mov	[esi+18h], ecx
		mov	[esi+1Ch], ecx
		mov	[esi+20h], ecx
		mov	[esi+24h], ecx
		mov	dword ptr [esi+8], offset _SmKmStoreTerminateWorker@4 ;	SmKmStoreTerminateWorker(x)
		mov	[esi+0Ch], esi
		mov	[esi], ecx
		mov	[esi+14h], eax
		mov	[esi+10h], ebx
		mov	eax, [edi+10F0h]
		mov	[esi+18h], eax
		mov	eax, [ebx+464h]
		and	eax, 1
		mov	[esi+1Ch], eax
		mov	eax, [ebp+arg_0]
		push	ecx
		mov	[esi+20h], eax
		mov	eax, [ebp+arg_4]
		push	esi
		mov	[esi+24h], eax
		call	ExQueueWorkItem
		xor	ecx, ecx
		mov	esi, ecx
		mov	edi, ecx

loc_675B09:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoreTerminate(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *,_ST_ETW_TERMINATION_REASON,long)+42j
		test	esi, esi
		jz	short loc_675B14
		push	ecx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_675B14:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoreTerminate(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *,_ST_ETW_TERMINATION_REASON,long)+28j
					; SMKM_STORE_MGR<SM_TRAITS>::SmStoreTerminate(SMKM_STORE_MGR<SM_TRAITS>	*,SMKM_STORE<SM_TRAITS>	*,_ST_ETW_TERMINATION_REASON,long)+9Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
?SmStoreTerminate@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU1@PAU?$SMKM_STORE@USM_TRAITS@@@@W4_ST_ETW_TERMINATION_REASON@@J@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: static void __stdcall	SMKM_STORE_MGR<struct SM_TRAITS>::SmStoresContentsRundown(struct SMKM_STORE_MGR<struct SM_TRAITS> *)
?SmStoresContentsRundown@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z proc	near
					; CODE XREF: SmEtwEnableCallback+6Ap
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi

loc_675B2B:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoresContentsRundown(SMKM_STORE_MGR<SM_TRAITS> *)+2Cj
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	_SmKmStoreReferenceEx@12 ; SmKmStoreReferenceEx(x,x,x)
		test	eax, eax
		jz	short loc_675B42
		mov	edx, eax
		mov	ecx, edi
		call	?SmStoreContentsRundown@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGJPAU1@PAU?$SMKM_STORE@USM_TRAITS@@@@@Z	; SMKM_STORE_MGR<SM_TRAITS>::SmStoreContentsRundown(SMKM_STORE_MGR<SM_TRAITS> *,SMKM_STORE<SM_TRAITS> *)

loc_675B42:				; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmStoresContentsRundown(SMKM_STORE_MGR<SM_TRAITS> *)+1Aj
		inc	esi
		cmp	esi, 400h
		jb	short loc_675B2B
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
?SmStoresContentsRundown@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; long __stdcall SmpDeviceIoCompletion(struct _DEVICE_OBJECT *,	struct _IRP *, void *)
?SmpDeviceIoCompletion@@YGJPAU_DEVICE_OBJECT@@PAU_IRP@@PAX@Z proc near
					; DATA XREF: SmIssueIo(x,x,x,x,x,x)+B9o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	eax, [ecx+18h]
		mov	edi, [esi+1Ch]
		test	eax, eax
		jns	short loc_675B80
		or	dword ptr [esi+10h], 1
		mov	edx, [esi+8]
		test	edx, edx
		jz	short loc_675B7B
		mov	[edx+4], eax
		jmp	short loc_675BA3
; 

loc_675B7B:				; CODE XREF: SmpDeviceIoCompletion(_DEVICE_OBJECT *,_IRP *,void	*)+23j
		mov	[esi+4], eax
		jmp	short loc_675BA3
; 

loc_675B80:				; CODE XREF: SmpDeviceIoCompletion(_DEVICE_OBJECT *,_IRP *,void	*)+18j
		mov	eax, [ecx+1Ch]
		cmp	eax, [esi+18h]
		jnb	short loc_675BA3
		or	dword ptr [esi+10h], 1
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_675B9C
		mov	dword ptr [eax+4], 0C0000185h
		jmp	short loc_675BA3
; 

loc_675B9C:				; CODE XREF: SmpDeviceIoCompletion(_DEVICE_OBJECT *,_IRP *,void	*)+40j
		mov	dword ptr [esi+4], 0C0000185h

loc_675BA3:				; CODE XREF: SmpDeviceIoCompletion(_DEVICE_OBJECT *,_IRP *,void	*)+28j
					; SmpDeviceIoCompletion(_DEVICE_OBJECT *,_IRP *,void *)+2Dj ...
		push	ecx
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		cmp	dword ptr [esi+8], 0
		jz	short loc_675BB6
		lock dec dword ptr [edi+1130h]

loc_675BB6:				; CODE XREF: SmpDeviceIoCompletion(_DEVICE_OBJECT *,_IRP *,void	*)+5Cj
		test	byte ptr [esi+10h], 4
		jz	short loc_675BCE
		push	0
		push	1
		lea	eax, [edi+1168h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_675BF7
; 

loc_675BCE:				; CODE XREF: SmpDeviceIoCompletion(_DEVICE_OBJECT *,_IRP *,void	*)+69j
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	SMKM_STORE_SM_TRAITS___SmStWorkItemQueue
		mov	edx, [edi+10F0h]
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_675BF7:				; CODE XREF: SmpDeviceIoCompletion(_DEVICE_OBJECT *,_IRP *,void	*)+7Bj
		pop	edi
		mov	eax, 0C0000016h
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
?SmpDeviceIoCompletion@@YGJPAU_DEVICE_OBJECT@@PAU_IRP@@PAX@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void __stdcall SmpIoCompletionApc(void *, struct _IO_STATUS_BLOCK *, unsigned	long)
?SmpIoCompletionApc@@YGXPAXPAU_IO_STATUS_BLOCK@@K@Z proc near
					; DATA XREF: SmIssueIo(x,x,x,x,x,x)+AAo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, [ebp+arg_4]
		push	esi
		lea	edx, [eax-18h]
		mov	eax, [eax]
		test	eax, eax
		jns	short loc_675C2D
		or	dword ptr [edx+10h], 1
		mov	ecx, [edx+8]
		test	ecx, ecx
		jz	short loc_675C2A
		mov	[ecx+4], eax
		jmp	short loc_675C2D
; 

loc_675C2A:				; CODE XREF: SmpIoCompletionApc(void *,_IO_STATUS_BLOCK	*,ulong)+1Fj
		mov	[edx+4], eax

loc_675C2D:				; CODE XREF: SmpIoCompletionApc(void *,_IO_STATUS_BLOCK	*,ulong)+14j
					; SmpIoCompletionApc(void *,_IO_STATUS_BLOCK *,ulong)+24j
		cmp	dword ptr [edx+8], 0
		mov	esi, [ebp+arg_0]
		jz	short loc_675C3D
		lock dec dword ptr [esi+1130h]

loc_675C3D:				; CODE XREF: SmpIoCompletionApc(void *,_IO_STATUS_BLOCK	*,ulong)+30j
		test	byte ptr [edx+10h], 4
		jz	short loc_675C55
		push	0
		push	1
		lea	eax, [esi+1168h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_675C7C
; 

loc_675C55:				; CODE XREF: SmpIoCompletionApc(void *,_IO_STATUS_BLOCK	*,ulong)+3Dj
		push	1
		mov	ecx, esi
		call	SMKM_STORE_SM_TRAITS___SmStWorkItemQueue
		mov	edx, [esi+10F0h]
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_675C7C:				; CODE XREF: SmpIoCompletionApc(void *,_IO_STATUS_BLOCK	*,ulong)+4Fj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
?SmpIoCompletionApc@@YGXPAXPAU_IO_STATUS_BLOCK@@K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmIssueIo(x, x, x, x, x, x)
_SmIssueIo@24	proc near		; CODE XREF: ST_STORE<SM_TRAITS>::StDeviceIoIssue(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,_PF_QUEUE	*)+102p
					; ST_STORE<SM_TRAITS>::StStagingRegionIssueIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,ST_STORE<SM_TRAITS>::_ST_STAGING_REGION *,ulong)+86p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		mov	esi, ecx
		xor	ebx, ebx
		mov	ecx, edi
		and	[ebp+var_4], ebx
		mov	eax, edx
		and	ecx, 1
		mov	[ebp+var_8], eax
		mov	[ebp+arg_C], ecx
		jz	short loc_675CAA
		and	edi, 0FFFFFFFEh

loc_675CAA:				; CODE XREF: SmIssueIo(x,x,x,x,x,x)+22j
		test	byte ptr [edi+10h], 4
		jnz	short loc_675CD9
		mov	edx, [esi+10F0h]
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	SmKmStoreReference
		test	eax, eax
		jnz	short loc_675CCE

loc_675CC4:				; CODE XREF: SmIssueIo(x,x,x,x,x,x)+5Dj
		mov	edi, 0C00002FEh
		jmp	loc_675D99
; 

loc_675CCE:				; CODE XREF: SmIssueIo(x,x,x,x,x,x)+3Fj
		mov	ecx, [ebp+arg_C]
		xor	ebx, ebx
		mov	eax, [ebp+var_8]
		inc	ebx
		jmp	short loc_675CE2
; 

loc_675CD9:				; CODE XREF: SmIssueIo(x,x,x,x,x,x)+2Bj
		test	byte ptr [esi+10F5h], 1
		jnz	short loc_675CC4

loc_675CE2:				; CODE XREF: SmIssueIo(x,x,x,x,x,x)+54j
		test	ecx, ecx
		jz	short loc_675CF4
		lock inc dword ptr [esi+1130h]
		mov	[ebp+var_4], 1

loc_675CF4:				; CODE XREF: SmIssueIo(x,x,x,x,x,x)+61j
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_18], eax
		mov	eax, [esi+117Ch]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_20], eax
		xor	eax, eax
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_1C], edx
		or	eax, ecx
		lea	ecx, [edi+18h]
		mov	[ebp+var_C], eax
		mov	eax, [esi]
		test	eax, 2000h
		jz	short loc_675D34
		mov	[ebp+var_24], ecx
		mov	edi, esi
		mov	ecx, offset ?SmpIoCompletionApc@@YGXPAXPAU_IO_STATUS_BLOCK@@K@Z	; SmpIoCompletionApc(void *,_IO_STATUS_BLOCK *,ulong)
		jmp	short loc_675D46
; 

loc_675D34:				; CODE XREF: SmIssueIo(x,x,x,x,x,x)+A3j
		lea	eax, [edi+20h]
		mov	[ecx], edx
		mov	[ebp+var_24], eax
		mov	ecx, offset ?SmpDeviceIoCompletion@@YGJPAU_DEVICE_OBJECT@@PAU_IRP@@PAX@Z ; SmpDeviceIoCompletion(_DEVICE_OBJECT	*,_IRP *,void *)
		mov	[edi+1Ch], esi
		mov	eax, [esi]

loc_675D46:				; CODE XREF: SmIssueIo(x,x,x,x,x,x)+AFj
		shr	eax, 0Dh
		lea	edx, [ebp+var_24]
		and	eax, 1
		push	eax
		push	edi
		push	ecx
		lea	ecx, [esi+1184h]
		call	_SmKmIssueIo@20	; SmKmIssueIo(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_675D69
		xor	ebx, ebx
		xor	eax, eax
		jmp	short loc_675D6C
; 

loc_675D69:				; CODE XREF: SmIssueIo(x,x,x,x,x,x)+DEj
		mov	eax, [ebp+var_4]

loc_675D6C:				; CODE XREF: SmIssueIo(x,x,x,x,x,x)+E4j
		test	eax, eax
		jz	short loc_675D77
		lock dec dword ptr [esi+1130h]

loc_675D77:				; CODE XREF: SmIssueIo(x,x,x,x,x,x)+EBj
		test	ebx, ebx
		jz	short loc_675D99
		mov	edx, [esi+10F0h]
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_675D99:				; CODE XREF: SmIssueIo(x,x,x,x,x,x)+46j
					; SmIssueIo(x,x,x,x,x,x)+F6j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_SmIssueIo@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmPrepareForFatalHeapCorruption(x, x, x, x,	x)
_SmPrepareForFatalHeapCorruption@20 proc near ;	CODE XREF: SmHpBufferProtectEx+FBB77p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		push	ebx
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		push	0
		push	1000h
		push	edx
		push	eax
		call	__alldiv
		mov	edi, [ebp+arg_8]
		push	50626D73h
		push	1050h
		push	200h
		mov	[edi], eax
		mov	[edi+4], edx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_675DEC
		mov	edi, 0C000009Ah
		jmp	loc_675E78
; 

loc_675DEC:				; CODE XREF: SmPrepareForFatalHeapCorruption(x,x,x,x,x)+3Ej
		xor	edx, edx
		lea	ecx, [esi+23h]
		and	ecx, 0FFFFFFF8h
		mov	[esi+18h], dl
		xor	eax, eax
		inc	eax
		push	1000h		; size_t
		mov	[ecx+4], edx
		mov	[ecx+30h], edx
		mov	[ecx+34h], edx
		mov	[ecx], ax
		xor	eax, eax
		mov	[ecx+2], ax
		mov	eax, [ebp+arg_4]
		mov	[ecx+20h], eax
		mov	eax, [ebp+arg_0]
		mov	[ecx+18h], eax
		mov	eax, [edi]
		mov	[ecx+28h], eax
		mov	eax, [edi+4]
		mov	[ecx+2Ch], eax
		lea	eax, [ecx+30h]
		push	ebx		; void *
		push	eax		; void *
		mov	[ecx+8], ebx
		mov	[ecx+0Ch], edx
		mov	dword ptr [ecx+10h], 1000h
		mov	[ecx+14h], edx
		mov	[ecx+24h], edx
		mov	[ecx+1Ch], edx
		call	_memcpy
		add	esp, 0Ch
		push	offset ??_C@_0BM@OPJPGACH@nt?$CBstore?5memory?5compression@FNODOBFM@ ; "nt!store memory	compression"
		push	2
		push	offset ?SmFatalHeapCorruptionDumpCallback@@YGXW4_KBUGCHECK_CALLBACK_REASON@@PAU_KBUGCHECK_REASON_CALLBACK_RECORD@@PAXK@Z ; SmFatalHeapCorruptionDumpCallback(_KBUGCHECK_CALLBACK_REASON,_KBUGCHECK_REASON_CALLBACK_RECORD *,void *,ulong)
		push	esi
		call	KeRegisterBugCheckReasonCallback
		test	al, al
		jnz	short loc_675E68
		mov	edi, 0C000009Ah
		jmp	short loc_675E6C
; 

loc_675E68:				; CODE XREF: SmPrepareForFatalHeapCorruption(x,x,x,x,x)+BDj
		xor	esi, esi
		xor	edi, edi

loc_675E6C:				; CODE XREF: SmPrepareForFatalHeapCorruption(x,x,x,x,x)+C4j
		test	esi, esi
		jz	short loc_675E78
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_675E78:				; CODE XREF: SmPrepareForFatalHeapCorruption(x,x,x,x,x)+45j
					; SmPrepareForFatalHeapCorruption(x,x,x,x,x)+CCj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_SmPrepareForFatalHeapCorruption@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmPrepareForFatalPageError(x, x, x,	x, x, x, x, x)
_SmPrepareForFatalPageError@32 proc near
					; CODE XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+10Bp
					; ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+26Ep

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		push	38h
		push	offset dword_6A9600
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	[ebp+var_2C], ecx
		xor	ebx, ebx
		mov	edi, ebx
		mov	esi, ebx
		mov	eax, ebx
		mov	[ebp+var_28], eax
		lea	eax, [edx+58h]
		push	50626D73h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_1C], eax
		mov	[ebp+var_3C], eax
		test	eax, eax
		jnz	short loc_675EC7

loc_675EBB:				; CODE XREF: SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+80j
					; SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+EBj ...
		mov	[ebp+arg_0], 0C000009Ah
		jmp	loc_6760BD
; 

loc_675EC7:				; CODE XREF: SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+38j
		mov	eax, [ebp+var_2C]
		and	eax, 0FFFh
		mov	[ebp+var_20], eax
		mov	ecx, [ebp+var_24]
		add	ecx, 0FFFh
		add	eax, ecx
		shr	eax, 0Ch
		mov	[ebp+var_30], eax
		push	50426D73h
		lea	eax, ds:1Ch[eax*4]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_38], edi
		test	edi, edi
		jz	short loc_675EBB
		mov	[edi], ebx
		mov	eax, [ebp+var_30]
		lea	eax, ds:1Ch[eax*4]
		mov	[edi+4], ax
		xor	eax, eax
		mov	[edi+6], ax
		mov	eax, [ebp+var_2C]
		and	eax, 0FFFFF000h
		mov	[edi+10h], eax
		mov	eax, [ebp+var_20]
		mov	[edi+18h], eax
		mov	eax, [ebp+var_24]
		mov	[edi+14h], eax
		mov	[ebp+ms_exc.disabled], ebx
		push	ebx
		push	ebx
		push	edi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_28], ecx
		test	byte ptr [edi+6], 5
		jz	short loc_675F53
		mov	esi, [edi+0Ch]
		jmp	short loc_675F67
; 

loc_675F53:				; CODE XREF: SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+CBj
		push	40000020h
		push	ebx
		push	ebx
		push	ecx
		push	ebx
		push	edi
		call	MmMapLockedPagesSpecifyCache
		mov	esi, eax
		mov	ecx, [ebp+var_28]

loc_675F67:				; CODE XREF: SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+D0j
		mov	[ebp+var_20], esi
		test	esi, esi
		jz	loc_675EBB
		mov	eax, [ebp+var_1C]
		lea	edx, [eax+23h]
		and	edx, 0FFFFFFF8h
		mov	[ebp+var_30], edx
		mov	[eax+18h], bl
		mov	[edx+20h], ebx
		mov	[edx+24h], ebx
		mov	[edx+28h], ebx
		mov	[edx+2Ch], ebx
		mov	[edx+30h], ebx
		mov	[edx+34h], ebx
		mov	[edx+38h], ebx
		mov	[edx+3Ch], ebx
		push	3
		pop	eax
		mov	[edx], ax
		mov	[edx+2], cx
		mov	eax, [ebp+arg_0]
		mov	[edx+4], eax
		mov	eax, [ebp+arg_4]
		mov	[edx+8], eax
		mov	eax, [ebp+var_24]
		mov	[edx+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[edx+10h], eax
		mov	esi, [ebp+arg_10]
		mov	ecx, esi
		sub	ecx, [ebp+var_2C]
		mov	[edx+14h], ecx
		mov	eax, [ebp+arg_C]
		mov	[edx+18h], eax
		mov	[edx+1Ch], ebx
		mov	eax, [ebp+var_20]
		add	eax, ecx
		push	eax
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		push	ebx
		push	1000h
		push	edx
		push	eax
		call	__alldiv
		mov	ecx, [ebp+var_30]
		mov	[ecx+20h], eax
		mov	[ecx+24h], edx
		and	esi, 0FFFh
		mov	edx, [ebp+arg_0]
		lea	eax, [edx+0FFFh]
		add	eax, esi
		and	eax, 0FFFFF000h
		mov	esi, [ebp+var_20]
		cmp	eax, 1000h
		jz	short loc_676030
		mov	eax, [ecx+14h]
		add	eax, esi
		dec	edx
		add	eax, edx
		push	eax
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		push	ebx
		push	1000h
		push	edx
		push	eax
		call	__alldiv
		mov	ecx, [ebp+var_30]
		jmp	short loc_676035
; 

loc_676030:				; CODE XREF: SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+18Dj
		or	eax, 0FFFFFFFFh
		mov	edx, eax

loc_676035:				; CODE XREF: SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+1ADj
		mov	[ecx+28h], eax
		mov	[ecx+2Ch], edx
		push	[ebp+arg_14]
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		push	ebx
		push	1000h
		push	edx
		push	eax
		call	__alldiv
		mov	ecx, [ebp+var_30]
		mov	[ecx+30h], eax
		mov	[ecx+34h], edx
		push	[ebp+var_24]	; size_t
		push	esi		; void *
		lea	eax, [ecx+38h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	offset ??_C@_0BM@OPJPGACH@nt?$CBstore?5memory?5compression@FNODOBFM@ ; "nt!store memory	compression"
		push	2
		push	offset ?SmFatalPageErrorDumpCallback@@YGXW4_KBUGCHECK_CALLBACK_REASON@@PAU_KBUGCHECK_REASON_CALLBACK_RECORD@@PAXK@Z ; SmFatalPageErrorDumpCallback(_KBUGCHECK_CALLBACK_REASON,_KBUGCHECK_REASON_CALLBACK_RECORD	*,void *,ulong)
		push	[ebp+var_1C]
		call	KeRegisterBugCheckReasonCallback
		test	al, al
		jz	loc_675EBB
		mov	[ebp+var_1C], ebx
		mov	[ebp+arg_0], ebx
		jmp	short loc_6760BD
; 

loc_67608D:				; DATA XREF: .text:006A9614o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_67609B:				; DATA XREF: .text:006A9618o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_34]
		mov	[ebp+arg_0], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, [ebp+var_38]
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_1C], eax
		mov	esi, ebx
		mov	eax, ebx
		mov	[ebp+var_28], eax

loc_6760BD:				; CODE XREF: SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+41j
					; SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+20Aj
		test	esi, esi
		jz	short loc_6760C8
		push	edi
		push	esi
		call	MmUnmapLockedPages

loc_6760C8:				; CODE XREF: SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+23Ej
		cmp	[ebp+var_28], 0
		jz	short loc_6760D4
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_6760D4:				; CODE XREF: SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+24Bj
		test	edi, edi
		jz	short loc_6760DF
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6760DF:				; CODE XREF: SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+255j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_6760ED
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6760ED:				; CODE XREF: SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+263j
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_SmPrepareForFatalPageError@32 endp


;  S U B	R O U T	I N E 


; __stdcall SmWaitForSyncIo(x)
_SmWaitForSyncIo@4 proc	near		; CODE XREF: ST_STORE<SM_TRAITS>::StDmEtaPerformIo(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,ulong,ulong)+93p
					; ST_STORE<SM_TRAITS>::StDmSinglePageRetrieveSync(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,void *,void *,ulong)+C1p	...
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	7
		lea	eax, [ecx+1168h]
		push	eax
		call	KeWaitForSingleObject
		retn
_SmWaitForSyncIo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmCrAuthDecrypt(x, x, x, x,	x, x, x, x)
_SmCrAuthDecrypt@32 proc near		; CODE XREF: ST_STORE_SM_TRAITS___StDmSinglePageCopy+93017p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_8]
		and	[ebp+var_4], 0
		push	ecx
		mov	[ecx+28h], eax
		mov	eax, [ebp+arg_10]
		mov	[ecx+38h], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ecx+20h]
		mov	dword ptr [ecx+2Ch], 0Ch
		push	[ebp+arg_0]
		mov	dword ptr [ecx+3Ch], 10h
		push	ecx
		push	ecx
		mov	ecx, [ecx+10h]
		push	eax
		push	[ebp+arg_4]
		call	_BCryptDecrypt@40 ; BCryptDecrypt(x,x,x,x,x,x,x,x,x,x)
		leave
		retn	18h
_SmCrAuthDecrypt@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmCrAuthEncrypt(x, x, x, x,	x, x, x, x)
_SmCrAuthEncrypt@32 proc near		; CODE XREF: ST_STORE_SM_TRAITS___StDmpSinglePageAdd+FC2AFp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_8]
		push	esi
		mov	[ecx+28h], eax
		xor	esi, esi
		mov	eax, [ebp+arg_10]

loc_67616C:				; DATA XREF: .text:off_420040o
		push	esi
		mov	[ecx+38h], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ecx+20h]
		mov	dword ptr [ecx+2Ch], 0Ch
		push	[ebp+arg_0]
		mov	dword ptr [ecx+3Ch], 10h
		mov	ecx, [ecx+10h]
		push	esi
		push	esi
		push	eax
		push	[ebp+arg_4]
		mov	[ebp+var_4], esi
		call	_BCryptEncrypt@40 ; BCryptEncrypt(x,x,x,x,x,x,x,x,x,x)
		pop	esi
		leave
		retn	18h
_SmCrAuthEncrypt@32 endp


;  S U B	R O U T	I N E 


; __stdcall SmCrGenRandom(x, x)
_SmCrGenRandom@8 proc near		; CODE XREF: SmKmKeyGenNewKey(x,x,x)+C0p
					; SmCrEncStart(x,x,x,x)+8Ep
		mov	edi, edi
		push	ecx
		push	edx
		mov	edx, ecx
		call	_BCryptGenRandom@16 ; BCryptGenRandom(x,x,x,x)
		retn
_SmCrGenRandom@8 endp


;  S U B	R O U T	I N E 


; int __fastcall IsEqualGUID(void *,void *)
?IsEqualGUID@@YGHABU_GUID@@0@Z proc near
					; CODE XREF: SC_DISK_LAYOUT::FindPartitionGpt(_GUID)+30p
					; SC_DISK::Initialize(void)+1Ap ...
		push	10h		; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcmp
		xor	ecx, ecx
		add	esp, 0Ch
		test	eax, eax
		setz	cl
		mov	eax, ecx
		retn
?IsEqualGUID@@YGHABU_GUID@@0@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmSqmAddToStream(x, x, x,	x, x)
_SmKmSqmAddToStream@20 proc near	; CODE XREF: SmKmStoreTerminateWorker(x)+369p

var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_198		= dword	ptr -198h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 208h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		lea	eax, [ebp+var_200]
		mov	[ebp+var_208], 2
		push	edi
		xor	edi, edi
		mov	[ebp+var_1F4], eax
		lea	eax, [ebp+var_204]
		mov	[ebp+var_204], 1AB7h
		push	4
		pop	esi
		mov	[ebp+var_1D4], eax
		lea	ecx, [ebp+var_1B4]
		lea	eax, [ebp+var_208]
		mov	[ebp+var_200], 0Bh
		mov	[ebp+var_1FC], edi
		lea	edx, [ebp+var_198]
		mov	[ebp+var_1F0], edi
		mov	ebx, edi
		mov	[ebp+var_1EC], esi
		mov	[ebp+var_1E8], edi
		mov	[ebp+var_1E4], offset unk_6B6768
		mov	[ebp+var_1E0], edi
		mov	[ebp+var_1DC], 10h
		mov	[ebp+var_1D8], edi
		mov	[ebp+var_1D0], edi
		mov	[ebp+var_1CC], esi
		mov	[ebp+var_1C8], edi
		mov	[ebp+var_1C4], eax
		mov	[ebp+var_1C0], edi
		mov	[ebp+var_1BC], esi
		mov	[ebp+var_1B8], edi

loc_67628C:				; CODE XREF: SmKmSqmAddToStream(x,x,x,x,x)+14Ej
		mov	eax, [ebp+arg_8]
		mov	[edx-14h], esi
		mov	[ecx+4], edi
		mov	[edx-10h], edi
		lea	eax, [eax+ebx*8]
		mov	esi, [eax]
		lea	edi, [eax+4]
		mov	[ecx], eax
		cmp	esi, 1
		jz	short loc_6762AD
		lea	edi, [ebp+var_1FC]

loc_6762AD:				; CODE XREF: SmKmSqmAddToStream(x,x,x,x,x)+E2j
		mov	[edx-0Ch], edi
		xor	edi, edi
		mov	[edx-8], edi
		mov	dword ptr [edx-4], 4
		mov	[edx], edi
		cmp	esi, 2
		jnz	short loc_6762C8
		mov	edi, [eax+4]
		jmp	short loc_6762CD
; 

loc_6762C8:				; CODE XREF: SmKmSqmAddToStream(x,x,x,x,x)+FEj
		mov	edi, offset ??_C@_13COJANIEC@?$AA0@FNODOBFM@ ; "0"

loc_6762CD:				; CODE XREF: SmKmSqmAddToStream(x,x,x,x,x)+103j
		mov	esi, edi
		lea	eax, [esi+2]
		mov	[ebp+var_1F8], eax

loc_6762D8:				; CODE XREF: SmKmSqmAddToStream(x,x,x,x,x)+122j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, word ptr [ebp+var_1FC]
		jnz	short loc_6762D8
		sub	esi, [ebp+var_1F8]
		add	ecx, 30h
		sar	esi, 1
		mov	[edx+4], edi
		xor	edi, edi
		mov	[edx+8], edi
		inc	ebx
		mov	[edx+10h], edi
		lea	eax, ds:2[esi*2]
		mov	[edx+0Ch], eax
		add	edx, 30h
		push	4
		pop	esi
		cmp	ebx, 2
		jb	loc_67628C
		lea	eax, [ebp+var_1F4]
		push	eax
		sub	ecx, eax
		sar	ecx, 4
		push	ecx
		push	edi
		push	offset _SmEventSQMStreamRow
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_SmKmSqmAddToStream@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmCheckPMCliTimeStamp()
_VdmCheckPMCliTimeStamp@0 proc near	; CODE XREF: NtVdmControl(x,x):loc_9E87A4p
					; VdmpDispatchableIntPending(x)+4Ep

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	14h
		push	offset dword_6A9648
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		xor	edi, edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		mov	esi, [ecx+0F4h]
		test	byte ptr [esi+0BAh], 1
		jz	short loc_6763DC
		cmp	[esi+0BCh], edi
		jz	short loc_6763DC
		lea	edx, [ebp+var_1C]
		call	_PsQueryRuntimeProcess@8 ; PsQueryRuntimeProcess(x,x)
		mov	eax, [ebp+var_1C]
		sub	eax, [esi+0BCh]
		inc	eax
		cmp	eax, ds:_VdmpMaxPMCliTime
		jb	short loc_6763DC
		mov	[esi+0BCh], edi
		mov	[ebp+ms_exc.disabled], edi
		mov	esi, 200h
		mov	eax, 714h
		lock or	[eax], esi
		lea	ecx, [ebp+var_20]
		call	_VdmpGetVdmTib@4 ; VdmpGetVdmTib(x)
		test	eax, eax
		js	short loc_6763D5
		mov	eax, [ebp+var_20]
		or	[eax+398h], esi
		jmp	short loc_6763D5
; 

loc_6763C4:				; DATA XREF: .text:006A965Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_6763D2:				; DATA XREF: .text:006A9660o
		mov	esp, [ebp+ms_exc.old_esp]

loc_6763D5:				; CODE XREF: VdmCheckPMCliTimeStamp()+71j
					; VdmCheckPMCliTimeStamp()+7Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_6763DC:				; CODE XREF: VdmCheckPMCliTimeStamp()+2Dj
					; VdmCheckPMCliTimeStamp()+35j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VdmCheckPMCliTimeStamp@0 endp


;  S U B	R O U T	I N E 


; __stdcall VdmClearPMCliTimeStamp()
_VdmClearPMCliTimeStamp@0 proc near	; CODE XREF: NtVdmControl(x,x)+310p
					; OpcodeSTIp
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+0F4h]
		test	byte ptr [eax+0BAh], 1
		jz	short locret_67640E
		and	dword ptr [eax+0BCh], 0

locret_67640E:				; CODE XREF: VdmClearPMCliTimeStamp()+19j
		retn
_VdmClearPMCliTimeStamp@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmSetPMCliTimeStamp(x)
_VdmSetPMCliTimeStamp@4	proc near	; CODE XREF: NtVdmControl(x,x):loc_9E87BFp
					; OpcodeCLI+2Ap

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	esi
		mov	ecx, [eax+80h]
		mov	esi, [ecx+0F4h]
		test	byte ptr [esi+0BAh], 1
		jz	short loc_676456
		cmp	[ebp+arg_0], 0
		jnz	short loc_676444
		cmp	dword ptr [esi+0BCh], 0
		jnz	short loc_676456

loc_676444:				; CODE XREF: VdmSetPMCliTimeStamp(x)+2Aj
		lea	edx, [ebp+var_4]
		call	_PsQueryRuntimeProcess@8 ; PsQueryRuntimeProcess(x,x)
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[esi+0BCh], eax

loc_676456:				; CODE XREF: VdmSetPMCliTimeStamp(x)+24j
					; VdmSetPMCliTimeStamp(x)+33j
		pop	esi
		leave
		retn	4
_VdmSetPMCliTimeStamp@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmDispatchOpcode_try(x)
_VdmDispatchOpcode_try@4 proc near	; CODE XREF: Ktd_ExceptionHandler+ED0p

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	8
		push	offset dword_6A9748
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		push	[ebp+arg_0]
		call	_Ki386DispatchOpcode@4 ; Ki386DispatchOpcode(x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_67648C
; 

loc_67647C:				; DATA XREF: .text:006A975Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_676480:				; DATA XREF: .text:006A9760o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax

loc_67648C:				; CODE XREF: VdmDispatchOpcode_try(x)+1Fj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VdmDispatchOpcode_try@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmRundownDpcs(x)
_VdmRundownDpcs@4 proc near		; CODE XREF: PspExitThread+1686C2p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	eax, ecx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	ebx, [eax+0F4h]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	esi, [ebx+84h]
		mov	[ebp+var_1], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	eax, [ebx+88h]
		mov	edi, [eax]
		cmp	edi, eax
		jz	short loc_676533

loc_6764D5:				; CODE XREF: VdmRundownDpcs(x)+8Dj
		lea	esi, [edi]
		mov	edi, [edi]
		lea	eax, [esi+60h]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jz	short loc_676523
		mov	ecx, [esi+0Ch]
		and	dword ptr [esi+0Ch], 0
		test	ecx, ecx
		jz	short loc_6764FB
		mov	edx, 496D6456h
		call	ObfDereferenceObjectWithTag

loc_6764FB:				; CODE XREF: VdmRundownDpcs(x)+51j
		mov	ecx, [esi+8Ch]
		and	dword ptr [esi+8Ch], 0
		test	ecx, ecx
		jz	short loc_676516
		mov	edx, 496D6456h
		call	ObfDereferenceObjectWithTag

loc_676516:				; CODE XREF: VdmRundownDpcs(x)+6Cj
		mov	ecx, [ebp+var_8]
		mov	edx, 496D6456h
		call	ObfDereferenceObjectWithTag

loc_676523:				; CODE XREF: VdmRundownDpcs(x)+46j
		lea	eax, [ebx+88h]
		cmp	edi, eax
		jnz	short loc_6764D5
		lea	esi, [ebx+84h]

loc_676533:				; CODE XREF: VdmRundownDpcs(x)+35j
		mov	ecx, [ebx+94h]
		test	ecx, ecx
		jz	short loc_67654E
		mov	edx, 496D6456h
		call	ObfDereferenceObjectWithTag
		and	dword ptr [ebx+94h], 0

loc_67654E:				; CODE XREF: VdmRundownDpcs(x)+9Dj
		test	ds:byte_70EFC6,	1
		jz	short loc_676563
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_676568
; 

loc_676563:				; CODE XREF: VdmRundownDpcs(x)+B7j
		xor	eax, eax
		lock and [esi],	eax

loc_676568:				; CODE XREF: VdmRundownDpcs(x)+C3j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VdmRundownDpcs@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpDelayIntApcRoutine(x, x, x, x, x)
_VdmpDelayIntApcRoutine@20 proc	near	; CODE XREF: VdmpRundownRoutine(x)+11p
					; DATA XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+7Eo ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	24h
		push	offset dword_6A9958
		call	__SEH_prolog4
		and	[ebp+var_24], 0
		xor	edi, edi
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	esi, [eax+0F4h]
		mov	[ebp+var_30], esi
		lea	eax, [esi+64h]
		mov	[ebp+var_2C], eax
		mov	ecx, eax
		call	ExAcquireFastMutex
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp-19h], al
		lea	eax, [esi+84h]
		mov	[ebp+var_20], eax
		mov	ecx, eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+arg_0]
		cmp	byte ptr [ecx+2Eh], 0
		jnz	short loc_6765CF
		and	[ecx+8], edi

loc_6765CF:				; CODE XREF: VdmpDelayIntApcRoutine(x,x,x,x,x)+54j
		lea	edx, [esi+88h]
		mov	ecx, [edx]
		jmp	short loc_6765E3
; 

loc_6765D9:				; CODE XREF: VdmpDelayIntApcRoutine(x,x,x,x,x)+6Fj
		lea	eax, [ecx+30h]
		cmp	eax, [ebp+arg_0]
		jz	short loc_676600
		mov	ecx, [ecx]

loc_6765E3:				; CODE XREF: VdmpDelayIntApcRoutine(x,x,x,x,x)+61j
		cmp	ecx, edx
		jnz	short loc_6765D9

loc_6765E7:				; CODE XREF: VdmpDelayIntApcRoutine(x,x,x,x,x)+91j
		xor	esi, esi
		inc	esi

loc_6765EA:				; CODE XREF: VdmpDelayIntApcRoutine(x,x,x,x,x)+A3j
		test	ds:byte_70EFC6,	1
		jz	short loc_67661B
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_20]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_676623
; 

loc_676600:				; CODE XREF: VdmpDelayIntApcRoutine(x,x,x,x,x)+69j
		cmp	byte ptr [ecx+88h], 0
		jz	short loc_6765E7
		mov	byte ptr [ecx+88h], 0
		mov	edi, [ecx+8]
		xor	esi, esi
		inc	esi
		mov	[ebp+var_24], esi
		jmp	short loc_6765EA
; 

loc_67661B:				; CODE XREF: VdmpDelayIntApcRoutine(x,x,x,x,x)+7Bj
		xor	ecx, ecx
		mov	eax, [ebp+var_20]
		lock and [eax],	ecx

loc_676623:				; CODE XREF: VdmpDelayIntApcRoutine(x,x,x,x,x)+88j
		mov	cl, [ebp-19h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+var_24], 0
		jz	short loc_6766AA
		mov	eax, [ebp+var_30]
		mov	eax, [eax+90h]
		mov	ecx, [eax+0Ch]
		mov	edx, [eax+10h]
		mov	eax, [eax+14h]
		mov	[ebp+var_30], eax
		and	[ebp+var_28], 0
		and	[ebp+ms_exc.disabled], 0
		mov	eax, edi
		not	eax
		and	[ecx], eax
		lock or	[edx], edi
		mov	eax, [ebp+var_30]
		test	[eax], edi
		jnz	short loc_676670
		mov	eax, 714h
		lock or	[eax], esi
		cmp	[ebp+arg_4], 0
		jz	short loc_676670
		mov	[ebp+var_28], esi

loc_676670:				; CODE XREF: VdmpDelayIntApcRoutine(x,x,x,x,x)+E7j
					; VdmpDelayIntApcRoutine(x,x,x,x,x)+F5j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_67668C
; 

loc_676679:				; DATA XREF: .text:006A996Co
		call	_VdmpExceptionHandler@4	; VdmpExceptionHandler(x)
		retn
; 

loc_67667F:				; DATA XREF: .text:006A9970o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	esi, esi
		inc	esi

loc_67668C:				; CODE XREF: VdmpDelayIntApcRoutine(x,x,x,x,x)+101j
		cmp	[ebp+var_28], esi
		jnz	short loc_6766AA
		mov	[ebp+var_1A], 0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		lea	eax, [ebp+var_1A]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_VdmpQueueIntApcRoutine@20 ; VdmpQueueIntApcRoutine(x,x,x,x,x)

loc_6766AA:				; CODE XREF: VdmpDelayIntApcRoutine(x,x,x,x,x)+BAj
					; VdmpDelayIntApcRoutine(x,x,x,x,x)+119j
		mov	ecx, [ebp+var_2C]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_VdmpDelayIntApcRoutine@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpDelayIntDpcRoutine(x, x, x, x)
_VdmpDelayIntDpcRoutine@16 proc	near	; DATA XREF: VdmpDelayInterrupt(x)+28Eo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	esi, [esi+0F4h]
		lea	edi, [esi+84h]
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [esi+88h]
		mov	esi, [ecx]
		jmp	short loc_6766F5
; 

loc_6766EB:				; CODE XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+33j
		lea	eax, [esi+10h]
		cmp	eax, [ebp+arg_0]
		jz	short loc_676715
		mov	esi, [esi]

loc_6766F5:				; CODE XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+25j
		cmp	esi, ecx
		jnz	short loc_6766EB
		test	ds:byte_70EFC6,	1
		jz	loc_6767D0
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_6767D5
; 

loc_676715:				; CODE XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+2Dj
		mov	eax, [esi+0Ch]
		xor	ecx, ecx
		push	ebx
		mov	ebx, [esi+8Ch]
		mov	[ebp+arg_0], eax
		mov	[esi+0Ch], ecx
		mov	[esi+8Ch], ecx
		cmp	[esi+88h], cl
		jz	short loc_676789
		test	eax, eax
		jz	short loc_676758
		push	1
		push	ecx
		push	offset _VdmpQueueIntNormalRoutine@12 ; VdmpQueueIntNormalRoutine(x,x,x)
		push	ecx
		push	offset _VdmpDelayIntApcRoutine@20 ; VdmpDelayIntApcRoutine(x,x,x,x,x)
		push	ecx
		lea	ecx, [esi+30h]
		mov	edx, eax
		call	_KeVdmInsertQueueApc@32	; KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)
		test	al, al
		jnz	short loc_676779
		xor	ecx, ecx

loc_676758:				; CODE XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+73j
		test	ebx, ebx
		jz	short loc_676782
		push	1
		push	ecx
		push	offset _VdmpQueueIntNormalRoutine@12 ; VdmpQueueIntNormalRoutine(x,x,x)
		push	ecx
		push	offset _VdmpDelayIntApcRoutine@20 ; VdmpDelayIntApcRoutine(x,x,x,x,x)
		push	ecx
		lea	ecx, [esi+30h]
		mov	edx, ebx
		call	_KeVdmInsertQueueApc@32	; KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)
		test	al, al
		jz	short loc_676782

loc_676779:				; CODE XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+90j
		mov	byte ptr [esi+88h], 3
		jmp	short loc_676789
; 

loc_676782:				; CODE XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+96j
					; VdmpDelayIntDpcRoutine(x,x,x,x)+B3j
		mov	byte ptr [esi+88h], 0

loc_676789:				; CODE XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+6Fj
					; VdmpDelayIntDpcRoutine(x,x,x,x)+BCj
		test	ds:byte_70EFC6,	1
		jz	short loc_67679E
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6767A3
; 

loc_67679E:				; CODE XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+CCj
		xor	eax, eax
		lock and [edi],	eax

loc_6767A3:				; CODE XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+D8j
		mov	ecx, [ebp+arg_0]
		mov	esi, 496D6456h
		test	ecx, ecx
		jz	short loc_6767B6
		mov	edx, esi
		call	ObfDereferenceObjectWithTag

loc_6767B6:				; CODE XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+E9j
		test	ebx, ebx
		jz	short loc_6767C3
		mov	edx, esi
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_6767C3:				; CODE XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+F4j
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	ObfDereferenceObjectWithTag
		pop	ebx
		jmp	short loc_6767D5
; 

loc_6767D0:				; CODE XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+3Cj
		xor	eax, eax
		lock and [edi],	eax

loc_6767D5:				; CODE XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+4Cj
					; VdmpDelayIntDpcRoutine(x,x,x,x)+10Aj
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_VdmpDelayIntDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpDelayInterrupt(x)
_VdmpDelayInterrupt@4 proc near		; CODE XREF: NtVdmControl(x,x)+B6p

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

		push	70h
		push	offset dword_6A9A78
		call	__SEH_prolog4
		xor	eax, eax
		lea	edi, [ebp+var_80]
		stosd
		stosd
		stosd
		xor	ebx, ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], ebx
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+var_30], eax
		mov	eax, [eax+0F4h]
		mov	[ebp+var_28], eax
		mov	[ebp+var_44], eax
		test	eax, eax
		jnz	short loc_676820
		mov	eax, 0C00000EFh
		jmp	loc_676C6A
; 

loc_676820:				; CODE XREF: VdmpDelayInterrupt(x)+39j
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		xor	eax, eax
		inc	eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_48], eax
		mov	[ebp+ms_exc.disabled], ebx
		test	cl, 3
		jz	short loc_67683F
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_67683F:				; CODE XREF: VdmpDelayInterrupt(x)+5Dj
		lea	eax, [ecx+0Ch]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_676850
		cmp	eax, ecx
		jnb	short loc_676852

loc_676850:				; CODE XREF: VdmpDelayInterrupt(x)+6Fj
		mov	[edx], bl

loc_676852:				; CODE XREF: VdmpDelayInterrupt(x)+73j
		mov	esi, ecx
		lea	edi, [ebp+var_80]
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	edi, edi
		inc	edi
		mov	eax, edi
		mov	ecx, [ebp+var_7C]
		shl	eax, cl
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_67687C
		mov	eax, 0C00000F0h
		jmp	loc_676C6A
; 

loc_67687C:				; CODE XREF: VdmpDelayInterrupt(x)+95j
		mov	esi, [ebp+var_28]
		lea	eax, [esi+64h]
		mov	[ebp+var_54], eax
		mov	ecx, eax
		call	ExAcquireFastMutex
		mov	eax, [esi+90h]
		mov	edx, [eax+0Ch]
		mov	[ebp+var_50], edx
		mov	[ebp+var_5C], edx
		mov	eax, [eax+10h]
		mov	[ebp+var_34], eax
		mov	[ebp+var_60], eax
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_6768B4
		mov	ecx, eax

loc_6768B4:				; CODE XREF: VdmpDelayInterrupt(x)+D5j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+var_34]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_6768C6
		mov	ecx, eax

loc_6768C6:				; CODE XREF: VdmpDelayInterrupt(x)+E7j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_80]
		mov	[ebp+var_20], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_6768F1
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		push	ds:_KeMaximumIncrement
		call	_ZwSetTimerResolution@12 ; ZwSetTimerResolution(x,x,x)
		jmp	loc_6769AA
; 

loc_6768F1:				; CODE XREF: VdmpDelayInterrupt(x)+FFj
		mov	ecx, ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_48], ecx
		cmp	eax, 3E8h
		mov	ecx, 2710h
		jb	short loc_676908
		imul	ecx, eax, 0Ah

loc_676908:				; CODE XREF: VdmpDelayInterrupt(x)+128j
		mov	[ebp+var_20], ecx
		cmp	ecx, 249F0h
		jnb	short loc_676953
		mov	eax, ecx
		shr	eax, 1
		mov	edx, ds:_KeTimeIncrement
		cmp	eax, edx
		jnb	short loc_676937
		cmp	edx, ds:_KeMinimumIncrement
		jbe	short loc_676937
		lea	ecx, [ebp+var_74]
		push	ecx
		push	edi
		push	eax
		call	_ZwSetTimerResolution@12 ; ZwSetTimerResolution(x,x,x)
		mov	ecx, [ebp+var_20]

loc_676937:				; CODE XREF: VdmpDelayInterrupt(x)+144j
					; VdmpDelayInterrupt(x)+14Cj
		mov	edx, ds:_KeTimeIncrement
		cmp	ecx, edx
		jnb	short loc_676945
		shr	ecx, 1
		jmp	short loc_676950
; 

loc_676945:				; CODE XREF: VdmpDelayInterrupt(x)+164j
		lea	eax, [edx+edx]
		cmp	ecx, eax
		jnb	short loc_676953
		shr	edx, 1
		sub	ecx, edx

loc_676950:				; CODE XREF: VdmpDelayInterrupt(x)+168j
		mov	[ebp+var_20], ecx

loc_676953:				; CODE XREF: VdmpDelayInterrupt(x)+136j
					; VdmpDelayInterrupt(x)+16Fj
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_4C], al
		push	ebx
		lea	eax, [ebp+var_38]
		push	eax
		push	496D6456h
		push	[ebp+var_4C]
		push	ds:_PsThreadType
		push	40h
		push	[ebp+var_78]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_40], edi
		test	edi, edi
		jns	short loc_676997
		mov	ecx, [ebp+var_54]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, edi
		jmp	loc_676C6A
; 

loc_676997:				; CODE XREF: VdmpDelayInterrupt(x)+1ABj
		mov	ecx, [esi+94h]
		mov	[ebp+var_3C], ecx
		mov	edx, 496D6456h
		call	ObfReferenceObjectWithTag

loc_6769AA:				; CODE XREF: VdmpDelayInterrupt(x)+111j
		mov	edi, ebx

loc_6769AC:				; CODE XREF: VdmpDelayInterrupt(x)+29Fj
		lea	eax, [esi+84h]
		mov	[ebp+var_4C], eax
		mov	ecx, eax
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	[ebp+var_19], al
		lea	eax, [esi+88h]
		mov	edx, [eax]
		mov	esi, ebx
		mov	ecx, [ebp+var_24]

loc_6769CC:				; CODE XREF: VdmpDelayInterrupt(x)+1FEj
		cmp	edx, eax
		jz	short loc_6769E3
		mov	esi, edx
		cmp	[edx+8], ecx
		jz	short loc_6769DB
		mov	edx, [edx]
		jmp	short loc_6769CC
; 

loc_6769DB:				; CODE XREF: VdmpDelayInterrupt(x)+1FAj
		cmp	edx, eax
		jnz	loc_676AF8

loc_6769E3:				; CODE XREF: VdmpDelayInterrupt(x)+1F3j
		mov	esi, ebx
		cmp	[ebp+var_2C], esi
		jnz	loc_676B4C
		test	edi, edi
		jnz	loc_676ABB
		mov	dl, [ebp+var_19]
		mov	ecx, [ebp+var_4C]
		call	KfReleaseSpinLock
		push	204D4456h
		mov	esi, 90h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_54], edi
		test	edi, edi
		jnz	short loc_676A2C
		mov	esi, 0C0000017h
		xor	ebx, ebx
		inc	ebx
		jmp	loc_676B9F
; 

loc_676A2C:				; CODE XREF: VdmpDelayInterrupt(x)+242j
		mov	[ebp+ms_exc.disabled], 2
		push	esi
		push	200h
		mov	esi, [ebp+var_30]
		push	esi
		call	_PsChargePoolQuota@12 ;	PsChargePoolQuota(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	90h		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp+var_24]
		mov	[edi+8], eax
		push	ebx
		lea	eax, [edi+60h]
		push	eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	esi
		push	offset _VdmpDelayIntDpcRoutine@16 ; VdmpDelayIntDpcRoutine(x,x,x,x)
		lea	eax, [edi+10h]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	esi, [ebp+var_28]
		jmp	loc_6769AC
; 

loc_676A7F:				; DATA XREF: .text:006A9AA4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_58], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_676A8D:				; DATA XREF: .text:006A9AA8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_58]
		push	0
		push	[ebp+var_54]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+var_44]
		mov	edi, [ebp+var_5C]
		mov	eax, [ebp+var_60]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+var_48]
		jmp	loc_676BA8
; 

loc_676ABB:				; CODE XREF: VdmpDelayInterrupt(x)+215j
		mov	eax, [ebp+var_28]
		add	eax, 88h
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jz	short loc_676ACF
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_676ACF:				; CODE XREF: VdmpDelayInterrupt(x)+2EDj
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		mov	esi, edi

loc_676ADB:				; CODE XREF: VdmpDelayInterrupt(x)+31Fj
		mov	edi, [ebp+var_30]

loc_676ADE:				; CODE XREF: VdmpDelayInterrupt(x)+33Bj
		mov	al, [esi+88h]
		cmp	[ebp+var_20], 0FFFFFFFFh
		jnz	short loc_676B18
		cmp	al, 1
		jnz	short loc_676B4C
		mov	[esi+88h], bl
		mov	esi, ebx
		jmp	short loc_676B4C
; 

loc_676AF8:				; CODE XREF: VdmpDelayInterrupt(x)+202j
		test	edi, edi
		jz	short loc_676ADB
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	90h
		push	200h
		mov	edi, [ebp+var_30]
		push	edi
		call	_PsReturnPoolQuota@12 ;	PsReturnPoolQuota(x,x,x)
		jmp	short loc_676ADE
; 

loc_676B18:				; CODE XREF: VdmpDelayInterrupt(x)+30Dj
		test	al, al
		jnz	short loc_676B4C
		mov	eax, [ebp+var_20]
		cdq
		neg	eax
		adc	edx, ebx
		neg	edx
		mov	[ebp+var_74], eax
		mov	[ebp+var_70], edx
		lea	ecx, [esi+10h]
		push	ecx
		push	ebx
		push	edx
		push	eax
		lea	eax, [esi+60h]
		push	eax
		call	_KeSetTimerEx@20 ; KeSetTimerEx(x,x,x,x,x)
		test	al, al
		jnz	short loc_676B4C
		mov	edx, 496D6456h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag

loc_676B4C:				; CODE XREF: VdmpDelayInterrupt(x)+20Dj
					; VdmpDelayInterrupt(x)+311j ...
		test	esi, esi
		jz	short loc_676B8E
		cmp	byte ptr [esi+88h], 0
		jnz	short loc_676B8E
		mov	edi, [ebp+var_40]
		test	edi, edi
		js	short loc_676B7A
		mov	eax, [ebp+var_38]
		mov	[esi+0Ch], eax
		mov	[ebp+var_38], ebx
		mov	eax, [ebp+var_3C]
		mov	[esi+8Ch], eax
		mov	[ebp+var_3C], ebx
		xor	eax, eax
		inc	eax
		jmp	short loc_676B86
; 

loc_676B7A:				; CODE XREF: VdmpDelayInterrupt(x)+383j
		mov	[esi+0Ch], ebx
		mov	[ebp+var_2C], 1
		mov	al, bl

loc_676B86:				; CODE XREF: VdmpDelayInterrupt(x)+39Dj
		mov	[esi+88h], al
		jmp	short loc_676B91
; 

loc_676B8E:				; CODE XREF: VdmpDelayInterrupt(x)+373j
					; VdmpDelayInterrupt(x)+37Cj
		xor	ebx, ebx
		inc	ebx

loc_676B91:				; CODE XREF: VdmpDelayInterrupt(x)+3B1j
		mov	dl, [ebp+var_19]
		mov	ecx, [ebp+var_4C]
		call	KfReleaseSpinLock
		mov	esi, [ebp+var_40]

loc_676B9F:				; CODE XREF: VdmpDelayInterrupt(x)+24Cj
		mov	eax, [ebp+var_2C]
		mov	edi, [ebp+var_50]
		mov	edx, [ebp+var_28]

loc_676BA8:				; CODE XREF: VdmpDelayInterrupt(x)+2DBj
		mov	ecx, [ebp+var_24]
		mov	[ebp+ms_exc.disabled], 3
		test	eax, eax
		jz	short loc_676BC4
		mov	eax, ecx
		not	eax
		and	[edi], eax
		mov	eax, [ebp+var_34]
		lock or	[eax], ecx
		jmp	short loc_676BD2
; 

loc_676BC4:				; CODE XREF: VdmpDelayInterrupt(x)+3D9j
		test	ebx, ebx
		jnz	short loc_676BD2
		or	[edi], ecx
		not	ecx
		mov	eax, [ebp+var_34]
		lock and [eax],	ecx

loc_676BD2:				; CODE XREF: VdmpDelayInterrupt(x)+3E7j
					; VdmpDelayInterrupt(x)+3EBj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_676BF9
; 

loc_676BDB:				; DATA XREF: .text:006A9AB0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_64], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_676BE9:				; DATA XREF: .text:006A9AB4o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_64]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+var_44]

loc_676BF9:				; CODE XREF: VdmpDelayInterrupt(x)+3FEj
		lea	ecx, [edx+64h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [ebp+var_38]
		test	ecx, ecx
		jz	short loc_676C12
		mov	edx, 496D6456h
		call	ObfDereferenceObjectWithTag

loc_676C12:				; CODE XREF: VdmpDelayInterrupt(x)+42Bj
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_676C23
		mov	edx, 496D6456h
		call	ObfDereferenceObjectWithTag

loc_676C23:				; CODE XREF: VdmpDelayInterrupt(x)+43Cj
		mov	eax, esi
		jmp	short loc_676C6A
; 

loc_676C27:				; DATA XREF: .text:006A9A98o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_68], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_676C35:				; DATA XREF: .text:006A9A9Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ecx, [ebp+var_44]
		lea	ecx, [ecx+64h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_68]
		jmp	short loc_676C6A
; 

loc_676C4F:				; DATA XREF: .text:006A9A8Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_6C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_676C5D:				; DATA XREF: .text:006A9A90o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_6C]

loc_676C6A:				; CODE XREF: VdmpDelayInterrupt(x)+40j
					; VdmpDelayInterrupt(x)+9Cj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VdmpDelayInterrupt@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpQueueIntApcRoutine(x, x, x, x, x)
_VdmpQueueIntApcRoutine@20 proc	near	; CODE XREF: VdmpDelayIntApcRoutine(x,x,x,x,x)+12Fp
					; DATA XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+1E6o ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	1Ch
		push	offset dword_6A9A30
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	ecx, [ebp+arg_4]
		cmp	dword ptr [ecx], offset	_xKdUnmapVirtualAddress@12 ; xKdUnmapVirtualAddress(x,x,x)
		jnz	short loc_676C98
		mov	[ecx], ebx

loc_676C98:				; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+1Aj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	edi, [eax+0F4h]
		mov	[ebp+var_24], edi
		lea	ecx, [edi+84h]
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	edx, [ebp+arg_0]
		cmp	[edx+2Eh], bl
		jnz	short loc_676CC3
		mov	[edx+8], ebx

loc_676CC3:				; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+44j
		mov	dl, al
		lea	ecx, [edi+84h]
		call	KfReleaseSpinLock
		mov	esi, large fs:124h
		mov	[ebp+var_2C], esi
		mov	eax, [esi+2FCh]
		xor	edx, edx
		inc	edx
		test	al, dl
		jnz	loc_676EF0
		mov	esi, [esi+20h]
		sub	esi, 8Ch
		mov	[ebp+arg_0], esi
		test	dword ptr [esi+70h], 20000h
		jnz	short loc_676D08
		cmp	dword ptr [esi+6Ch], 1Bh
		mov	cl, bl
		jz	short loc_676D0A

loc_676D08:				; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+84j
		mov	cl, dl

loc_676D0A:				; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+8Cj
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+arg_8]
		cmp	[eax], dl
		mov	eax, large ds:714h
		jnz	short loc_676D7D
		test	eax, 1000000h
		jz	loc_676DDB
		test	cl, cl
		jz	loc_676DDB
		lea	ecx, [ebp+var_1C]
		call	_VdmpGetVdmTib@4 ; VdmpGetVdmTib(x)
		test	eax, eax
		js	loc_676EE9
		mov	ecx, 0FEFFFFFFh
		mov	eax, 714h
		lock and [eax],	ecx
		mov	eax, [ebp+var_1C]
		mov	dword ptr [eax+5A8h], 7
		mov	[eax+5ACh], ebx
		mov	[eax+5B0h], ebx
		push	eax
		push	esi
		call	_VdmEndExecution@8 ; VdmEndExecution(x,x)
		mov	ecx, large fs:124h
		xor	edx, edx
		inc	edx
		call	KeBoostPriorityThread
		jmp	loc_676EE9
; 

loc_676D7D:				; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+9Dj
		test	eax, 1000000h
		jz	short loc_676DDB
		test	cl, cl
		jz	short loc_676DDB
		mov	[ebp+ms_exc.disabled], edx
		mov	eax, [ebp+var_24]
		mov	eax, [eax+90h]
		mov	eax, [eax+28h]
		mov	ecx, [eax]
		mov	eax, ds:_ExEventObjectType
		mov	[ebp+var_20], ebx
		push	ebx
		lea	edi, [ebp+var_20]
		push	edi
		push	edx
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_676DC7
		push	ebx
		push	1
		push	[ebp+var_20]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject

loc_676DC7:				; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+138j
		mov	[ebp+ms_exc.disabled], ebx
		jmp	short loc_676DDB
; 

loc_676DCC:				; DATA XREF: .text:006A9A50o
		xor	eax, eax
		inc	eax
		retn
; 

loc_676DD0:				; DATA XREF: .text:006A9A54o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [ebp+arg_0]

loc_676DDB:				; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+A4j
					; VdmpQueueIntApcRoutine(x,x,x,x,x)+ACj ...
		mov	eax, large ds:714h
		test	al, 3
		jz	loc_676EE9
		mov	ecx, [esi+70h]
		call	_VdmpDispatchableIntPending@4 ;	VdmpDispatchableIntPending(x)
		mov	ecx, [esi+70h]
		mov	edx, ecx
		and	edx, 20000h
		test	al, al
		jz	loc_676EC8
		test	edx, edx
		jnz	short loc_676E2F
		cmp	dword ptr [esi+6Ch], 1Bh
		jnz	short loc_676E2F
		mov	ecx, [ebp+arg_4]
		cmp	[ecx], ebx
		jz	loc_676EE9
		mov	eax, large ds:714h
		test	eax, 100000h
		jnz	loc_676EE9
		mov	[ecx], ebx
		jmp	loc_676EE9
; 

loc_676E2F:				; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+18Bj
					; VdmpQueueIntApcRoutine(x,x,x,x,x)+191j
		mov	eax, [ebp+arg_8]
		cmp	byte ptr [eax],	0
		jnz	short loc_676E7D
		mov	eax, large ds:714h
		mov	[ebp+var_28], eax
		mov	edi, [ebp+var_24]
		lea	esi, [edi+84h]
		mov	ecx, esi
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	bl, al
		mov	ecx, [ebp+var_28]
		and	ecx, 1
		push	ecx
		push	1
		push	offset _xKdUnmapVirtualAddress@12 ; xKdUnmapVirtualAddress(x,x,x)
		push	ecx
		push	offset _VdmpQueueIntApcRoutine@20 ; VdmpQueueIntApcRoutine(x,x,x,x,x)
		push	1
		lea	ecx, [edi+34h]
		mov	edx, [ebp+var_2C]
		call	_KeVdmInsertQueueApc@32	; KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)
		mov	dl, bl
		mov	ecx, esi
		call	KfReleaseSpinLock
		jmp	short loc_676EE9
; 

loc_676E7D:				; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+1BBj
		lea	ecx, [ebp+var_1C]
		call	_VdmpGetVdmTib@4 ; VdmpGetVdmTib(x)
		test	eax, eax
		js	short loc_676EE9
		mov	eax, large ds:714h
		test	al, 2
		jz	short loc_676EBD
		mov	eax, large ds:714h
		test	al, 1
		jnz	short loc_676EBD
		mov	eax, [ebp+var_1C]
		mov	dword ptr [eax+5A8h], 3
		mov	[eax+5ACh], ebx
		mov	[eax+5B0h], ebx
		push	eax
		push	esi
		call	_VdmEndExecution@8 ; VdmEndExecution(x,x)
		jmp	short loc_676EE9
; 

loc_676EBD:				; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+216j
					; VdmpQueueIntApcRoutine(x,x,x,x,x)+21Fj
		push	[ebp+var_1C]
		push	esi
		call	_VdmDispatchInterrupts@8 ; VdmDispatchInterrupts(x,x)
		jmp	short loc_676EE9
; 

loc_676EC8:				; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+183j
		test	edx, edx
		jz	short loc_676EE9
		test	byte ptr ds:_KeI386VirtualIntExtensions, 1
		jz	short loc_676EE9
		or	ecx, 100000h
		mov	[esi+70h], ecx
		jmp	short loc_676EE9
; 

loc_676EE0:				; DATA XREF: .text:006A9A44o
		call	_VdmpExceptionHandler@4	; VdmpExceptionHandler(x)
		retn
; 

loc_676EE6:				; DATA XREF: .text:006A9A48o
		mov	esp, [ebp+ms_exc.old_esp]

loc_676EE9:				; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+BCj
					; VdmpQueueIntApcRoutine(x,x,x,x,x)+FEj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_676EF0:				; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+6Bj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_VdmpQueueIntApcRoutine@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpQueueInterrupt(x)
_VdmpQueueInterrupt@4 proc near		; CODE XREF: NtVdmControl(x,x)+A4p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		and	[ebp+var_8], 0
		push	0
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_C], al
		lea	eax, [ebp+var_8]
		push	eax
		push	496D6456h
		push	[ebp+var_C]
		push	ds:_PsThreadType
		push	40h
		push	ecx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	locret_676FE7
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, [ebp+var_8]
		mov	eax, [eax+80h]
		cmp	eax, [edi+150h]
		jnz	short loc_676FD2
		mov	esi, [eax+0F4h]
		test	esi, esi
		jz	short loc_676FD2
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [esi+84h]
		mov	[ebp+var_1], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	1
		push	0
		push	offset _VdmpQueueIntNormalRoutine@12 ; VdmpQueueIntNormalRoutine(x,x,x)
		push	ecx
		push	offset _VdmpQueueIntApcRoutine@20 ; VdmpQueueIntApcRoutine(x,x,x,x,x)
		push	0
		lea	ecx, [esi+4]
		mov	edx, edi
		call	_KeVdmInsertQueueApc@32	; KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFFFFh
		add	esi, 0C0000001h
		test	ds:byte_70EFC6,	1
		jz	short loc_676FC1
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	edi, [ebp+var_8]
		jmp	short loc_676FC6
; 

loc_676FC1:				; CODE XREF: VdmpQueueInterrupt(x)+AEj
		xor	eax, eax
		lock and [ebx],	eax

loc_676FC6:				; CODE XREF: VdmpQueueInterrupt(x)+BDj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx
		jmp	short loc_676FD7
; 

loc_676FD2:				; CODE XREF: VdmpQueueInterrupt(x)+56j
					; VdmpQueueInterrupt(x)+60j
		mov	esi, 0C00000EFh

loc_676FD7:				; CODE XREF: VdmpQueueInterrupt(x)+CEj
		mov	edx, 496D6456h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		pop	edi
		mov	eax, esi
		pop	esi

locret_676FE7:				; CODE XREF: VdmpQueueInterrupt(x)+39j
		leave
		retn
_VdmpQueueInterrupt@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpPreInitialize()
_VdmpPreInitialize@0 proc near		; CODE XREF: NtVdmControl(x,x)+FCp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	40h
		push	2000h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], 1
		push	eax
		push	0
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], 0FFFFh
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		leave
		retn
_VdmpPreInitialize@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfClearVerifierSettings()
_VfClearVerifierSettings@0 proc	near	; CODE XREF: VfNotifyVerifierOfEvent(x)+6Ep
					; INIT:00ABFD50p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:_VfOptionFlags
		push	esi		; char
		xor	esi, esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		test	al, 20h
		jz	short loc_67703A
		and	eax, 0FFFFFFCFh
		jmp	short loc_67704B
; 

loc_67703A:				; CODE XREF: VfClearVerifierSettings()+1Bj
		test	eax, 400h
		jz	short loc_677048
		and	eax, 0FFFFFBC7h
		jmp	short loc_67704B
; 

loc_677048:				; CODE XREF: VfClearVerifierSettings()+27j
		and	eax, 0FFFFFFE7h

loc_67704B:				; CODE XREF: VfClearVerifierSettings()+20j
					; VfClearVerifierSettings()+2Ej
		mov	[ebp+var_8], eax
		mov	eax, offset _VfPersistentStateRoot
		cmp	ds:_CmStateSeparationEnabled, esi
		jnz	short loc_677060
		mov	eax, offset _CmRegistryMachineSystemCurrentControlSetControlSessionManagerMemoryManagement

loc_677060:				; CODE XREF: VfClearVerifierSettings()+41j
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_28], 18h
		push	eax
		mov	[ebp+var_24], esi
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_67733E
		push	(offset	off_5A5E68+2)
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		push	esi
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_677327
		push	offset ??_C@_1CE@OMAJLJIP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAL?$AAe?$AAv@FNODOBFM@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		mov	esi, 0C0000034h
		test	eax, eax
		jns	short loc_6770F3
		cmp	eax, esi
		jz	short loc_6770F3
		push	eax		; char
		push	offset ??_C@_0FB@KHOJFBKG@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@ ; char	*
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_6770F3:				; CODE XREF: VfClearVerifierSettings()+C8j
					; VfClearVerifierSettings()+CCj
		push	offset ??_C@_1CK@MAPACCND@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAS?$AAe?$AAt?$AAt?$AAi?$AAn?$AAg@FNODOBFM@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		test	eax, eax
		jns	short loc_677122
		cmp	eax, esi
		jz	short loc_677122
		push	eax		; char
		push	offset ??_C@_0EL@LIJEAGMD@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@ ; char	*
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_677122:				; CODE XREF: VfClearVerifierSettings()+F7j
					; VfClearVerifierSettings()+FBj
		push	offset ??_C@_1BM@JKLADBPD@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs@FNODOBFM@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		test	eax, eax
		jns	short loc_677151
		cmp	eax, esi
		jz	short loc_677151
		push	eax		; char
		push	offset ??_C@_0EN@LOCFEIO@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@	; char *
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_677151:				; CODE XREF: VfClearVerifierSettings()+126j
					; VfClearVerifierSettings()+12Aj
		push	offset ??_C@_1CM@JGABLCCH@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAR?$AAa?$AAn?$AAd?$AAo?$AAm?$AAT@FNODOBFM@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		test	eax, eax
		jns	short loc_677180
		cmp	eax, esi
		jz	short loc_677180
		push	eax		; char
		push	offset ??_C@_0FF@EODOLEPB@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@ ; char	*
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_677180:				; CODE XREF: VfClearVerifierSettings()+155j
					; VfClearVerifierSettings()+159j
		cmp	ds:_VfFlightOptions, 0
		jz	short loc_6771B8
		push	(offset	loc_5A61B7+1)
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		test	eax, eax
		jns	short loc_6771B8
		cmp	eax, esi
		jz	short loc_6771B8
		push	eax		; char
		push	offset ??_C@_0FC@NKFHKLGM@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@ ; char	*
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_6771B8:				; CODE XREF: VfClearVerifierSettings()+16Fj
					; VfClearVerifierSettings()+18Dj ...
		push	(offset	loc_5A6235+1)
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		test	eax, eax
		jns	short loc_6771E7
		cmp	eax, esi
		jz	short loc_6771E7
		push	eax		; char
		push	offset ??_C@_0FI@OBNEOIHB@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@ ; char	*
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_6771E7:				; CODE XREF: VfClearVerifierSettings()+1BCj
					; VfClearVerifierSettings()+1C0j
		push	offset ??_C@_1CM@MEHIEDNP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAr?$AAi?$AAa?$AAg?$AAe?$AAC@FNODOBFM@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		test	eax, eax
		jns	short loc_677216
		cmp	eax, esi
		jz	short loc_677216
		push	eax		; char
		push	offset ??_C@_0FF@BIPCHIHK@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@ ; char	*
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_677216:				; CODE XREF: VfClearVerifierSettings()+1EBj
					; VfClearVerifierSettings()+1EFj
		cmp	ds:_VfXdvSuppressDriversBufferLength, 0FFFFFFFFh
		jz	short loc_67724E
		push	offset ??_C@_1CM@FCKBPIFI@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs?$AAS?$AAu@FNODOBFM@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		test	eax, eax
		jns	short loc_67724E
		cmp	eax, esi
		jz	short loc_67724E
		push	eax		; char
		push	offset ??_C@_0FF@KGKKPAEN@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@ ; char	*
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_67724E:				; CODE XREF: VfClearVerifierSettings()+205j
					; VfClearVerifierSettings()+223j ...
		push	offset ??_C@_1DE@OKMGEIMP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAi?$AAp?$AAL?$AAi?$AAm?$AAi@FNODOBFM@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		test	eax, eax
		jns	short loc_67727D
		cmp	eax, esi
		jz	short loc_67727D
		push	eax		; char
		push	offset ??_C@_0FJ@KFCCLHMP@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@ ; char	*
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_67727D:				; CODE XREF: VfClearVerifierSettings()+252j
					; VfClearVerifierSettings()+256j
		push	offset ??_C@_1DI@MPLMMFJA@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAi?$AAp?$AAL?$AAi?$AAm?$AAi@FNODOBFM@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		test	eax, eax
		jns	short loc_6772AC
		cmp	eax, esi
		jz	short loc_6772AC
		push	eax		; char
		push	offset ??_C@_0FL@FCAMDLPO@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@ ; char	*
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_6772AC:				; CODE XREF: VfClearVerifierSettings()+281j
					; VfClearVerifierSettings()+285j
		push	offset ??_C@_1CM@EFDMDBJD@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAi?$AAp?$AAS?$AAp?$AAa?$AAr@FNODOBFM@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		test	eax, eax
		jns	short loc_6772DB
		cmp	eax, esi
		jz	short loc_6772DB
		push	eax		; char
		push	offset ??_C@_0FF@ODGMKIGJ@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@ ; char	*
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_6772DB:				; CODE XREF: VfClearVerifierSettings()+2B0j
					; VfClearVerifierSettings()+2B4j
		push	offset ??_C@_1CK@KFCLOIKL@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAL?$AAw?$AAs?$AAp?$AAP?$AAo?$AAo@FNODOBFM@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		test	eax, eax
		jns	short loc_67730A
		cmp	eax, esi
		jz	short loc_67730A
		push	eax		; char
		push	offset ??_C@_0FE@MHHNNDFG@Driver?5Verifier?3?5Failed?5to?5dele@FNODOBFM@ ; "Driver Verifier: Failed to delete Verif"...
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_67730A:				; CODE XREF: VfClearVerifierSettings()+2DFj
					; VfClearVerifierSettings()+2E3j
		push	[ebp+var_4]
		call	_ZwFlushKey@4	; ZwFlushKey(x)
		cmp	ds:_VfClearanceFlag, 0
		jz	short loc_677334
		push	offset ??_C@_0FK@HBFLDIIC@Driver?5Verifier?3?5Clearing?5Verif@FNODOBFM@	; char *
		call	_VfUtilDbgPrint
		jmp	short loc_677333
; 

loc_677327:				; CODE XREF: VfClearVerifierSettings()+A1j
		push	eax		; char
		push	offset ??_C@_0GK@MKDMPILG@Driver?5Verifier?3?5Failed?5to?5set?5@FNODOBFM@ ; char *
		call	_VfUtilDbgPrint
		pop	ecx

loc_677333:				; CODE XREF: VfClearVerifierSettings()+30Dj
		pop	ecx

loc_677334:				; CODE XREF: VfClearVerifierSettings()+301j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_67734B
; 

loc_67733E:				; CODE XREF: VfClearVerifierSettings()+76j
		push	eax		; char
		push	offset ??_C@_0GD@KMANJMFL@Driver?5Verifier?3?5Failed?5to?5open@FNODOBFM@ ; char	*
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_67734B:				; CODE XREF: VfClearVerifierSettings()+324j
		pop	esi
		leave
		retn
_VfClearVerifierSettings@0 endp


;  S U B	R O U T	I N E 


; __stdcall VfIsVerificationEnabledForImage(x)
_VfIsVerificationEnabledForImage@4 proc	near
					; CODE XREF: KsepPatchDriverImportsTable(x,x)+D0p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_VfDriverLock@0	; VfDriverLock()
		mov	ecx, esi
		call	_ViIsDriverSuspectForVerifier@4	; ViIsDriverSuspectForVerifier(x)
		mov	esi, eax
		call	_VfDriverUnlock@0 ; VfDriverUnlock()
		mov	eax, esi
		pop	esi
		retn
_VfIsVerificationEnabledForImage@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfIsVerifierExtensionEnabled()
_VfIsVerifierExtensionEnabled@0	proc near
					; CODE XREF: PopMarkComponentsBootPhase:loc_729A0Dp
					; VfNotifyOfHibernate(x):loc_A5F29Bp
		mov	eax, ds:_XdvEnabled
		retn
_VfIsVerifierExtensionEnabled@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl VfUtilDbgPrint(char *,char)
_VfUtilDbgPrint	proc near		; CODE XREF: VfClearVerifierSettings()+D4p
					; VfClearVerifierSettings()+103p ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	1		; char
		lea	eax, [ebp+arg_4]
		mov	ecx, offset ??_C@_00CNPNBAHC@@FNODOBFM@
		push	eax		; va_list
		push	[ebp+arg_0]	; char *
		push	0		; int
		push	65h
		pop	edx
		call	vDbgPrintExWithPrefixInternal
		pop	ecx
		pop	ebp
		retn
_VfUtilDbgPrint	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilFreePoolDispatchLevel(x)
_VfUtilFreePoolDispatchLevel@4 proc near
					; CODE XREF: ViTargetFreeContiguousMemoryFromNode(x,x)+42p
					; ViTargetRemovingCheckContiguousMemory(x,x)+46p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	VfPoolDelayFreeIfPossible
		pop	ebp
		retn	4
_VfUtilFreePoolDispatchLevel@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilGetDifPluginDriverData(x)
_VfUtilGetDifPluginDriverData@4	proc near ; DATA XREF: PAGEVRFD:00AA8040o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_VfTargetDriversGetVerifierData@4 ; VfTargetDriversGetVerifierData(x)
		test	eax, eax
		jz	short loc_6773B8
		mov	eax, [eax+30h]

loc_6773B8:				; CODE XREF: VfUtilGetDifPluginDriverData(x)+Fj
		pop	ebp
		retn	4
_VfUtilGetDifPluginDriverData@4	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2578. VfCheckNxPagePriority

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfCheckNxPagePriority(x, x)
		public _VfCheckNxPagePriority@8
_VfCheckNxPagePriority@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ViVerifierEnabled, 0
		jz	short loc_6773DA
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_VfCheckPagePriority@8 ; VfCheckPagePriority(x,x)

loc_6773DA:				; CODE XREF: VfCheckNxPagePriority(x,x)+Cj
		pop	ebp
		retn	8
_VfCheckNxPagePriority@8 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 2579. VfCheckNxPageProtection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfCheckNxPageProtection(x, x)
		public _VfCheckNxPageProtection@8
_VfCheckNxPageProtection@8 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ViVerifierEnabled, 0
		jz	short loc_6773FC
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_VfCheckPageProtection@8 ; VfCheckPageProtection(x,x)

loc_6773FC:				; CODE XREF: VfCheckNxPageProtection(x,x)+Cj
		pop	ebp
		retn	8
_VfCheckNxPageProtection@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2580. VfCheckNxPoolType

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfCheckNxPoolType(x, x, x)
		public _VfCheckNxPoolType@12
_VfCheckNxPoolType@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ViVerifierEnabled, 0
		jz	short loc_677421
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)

loc_677421:				; CODE XREF: VfCheckNxPoolType(x,x,x)+Cj
		pop	ebp
		retn	0Ch
_VfCheckNxPoolType@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2582. VfFailDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _VfFailDriver
_VfFailDriver	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ViDdiInitialized, 0
		jz	short loc_677448
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		mov	ecx, [ebp+arg_0]
		push	eax
		push	eax
		push	eax
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_677448:				; CODE XREF: _VfFailDriver+Cj
		pop	ebp
		retn
_VfFailDriver	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2583. VfFailSystemBIOS

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public _VfFailSystemBIOS
_VfFailSystemBIOS proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ViDdiInitialized, 0
		jz	short loc_677479
		test	ds:_MmVerifierData, 40000000h
		jz	short loc_677479
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		mov	ecx, [ebp+arg_0]
		push	eax
		push	eax
		push	eax
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_677479:				; CODE XREF: _VfFailSystemBIOS+Cj
					; _VfFailSystemBIOS+18j
		pop	ebp
		retn
_VfFailSystemBIOS endp

; 
		align 10h
; Exported entry 2584. VfInsertContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfInsertContext(x)
		public _VfInsertContext@4
_VfInsertContext@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ViVerifierEnabled, 0
		jnz	short loc_677498
		mov	eax, 0C0000001h
		jmp	loc_67752C
; 

loc_677498:				; CODE XREF: VfInsertContext(x)+Cj
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		movzx	edi, word ptr [esi]
		movzx	edx, word ptr [esi+2]
		mov	ecx, edi
		call	@ViIsContextIdValid@8 ;	ViIsContextIdValid(x,x)
		test	al, al
		jnz	short loc_6774B6
		mov	eax, 0C000000Dh
		jmp	short loc_67752A
; 

loc_6774B6:				; CODE XREF: VfInsertContext(x)+2Dj
		mov	ecx, [esi+8]
		mov	edx, edi
		call	@ViGetContextPointer@8 ; ViGetContextPointer(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_6774EE
		mov	eax, 0C00000BBh
		jmp	short loc_67752A
; 

loc_6774CD:				; CODE XREF: VfInsertContext(x)+77j
		movzx	ecx, word ptr [esi]
		call	_ViAllocateContextTable@4 ; ViAllocateContextTable(x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_677515
		mov	ecx, edx
		xor	eax, eax
		lock cmpxchg [edi], ecx
		test	eax, eax
		jz	short loc_6774F9
		mov	ecx, edx
		call	_ViFreeContextTable@4 ;	ViFreeContextTable(x)

loc_6774EE:				; CODE XREF: VfInsertContext(x)+44j
		mov	ecx, edi
		call	@ViLockContextPointer@4	; ViLockContextPointer(x)
		test	al, al
		jz	short loc_6774CD

loc_6774F9:				; CODE XREF: VfInsertContext(x)+65j
		mov	eax, [edi]
		xor	edx, edx
		movzx	ecx, word ptr [esi+2]
		cmp	[eax+ecx*4+8], edx
		jnz	short loc_67751C
		mov	[eax+ecx*4+8], esi
		lock inc dword ptr [eax+4]
		lock inc dword ptr [esi+4]
		jmp	short loc_677521
; 

loc_677515:				; CODE XREF: VfInsertContext(x)+59j
		mov	eax, 0C000009Ah
		jmp	short loc_67752A
; 

loc_67751C:				; CODE XREF: VfInsertContext(x)+85j
		mov	edx, 0C000022Ah

loc_677521:				; CODE XREF: VfInsertContext(x)+93j
		mov	ecx, edi
		call	@ViUnlockContextPointer@4 ; ViUnlockContextPointer(x)
		mov	eax, edx

loc_67752A:				; CODE XREF: VfInsertContext(x)+34j
					; VfInsertContext(x)+4Bj ...
		pop	edi
		pop	esi

loc_67752C:				; CODE XREF: VfInsertContext(x)+13j
		pop	ebp
		retn	4
_VfInsertContext@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2587. VfQueryDeviceContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfQueryDeviceContext(x, x)
		public _VfQueryDeviceContext@8
_VfQueryDeviceContext@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ViVerifierEnabled, 0
		jz	short loc_67755E
		mov	edx, [ebp+arg_4]
		xor	ecx, ecx
		call	@ViIsContextIdValid@8 ;	ViIsContextIdValid(x,x)
		test	al, al
		jz	short loc_67755E
		mov	ecx, [ebp+arg_0]
		push	edx
		xor	edx, edx
		call	_ViQueryObjectContext@12 ; ViQueryObjectContext(x,x,x)
		jmp	short loc_677560
; 

loc_67755E:				; CODE XREF: VfQueryDeviceContext(x,x)+Cj
					; VfQueryDeviceContext(x,x)+1Aj
		xor	eax, eax

loc_677560:				; CODE XREF: VfQueryDeviceContext(x,x)+27j
		pop	ebp
		retn	8
_VfQueryDeviceContext@8	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2589. VfQueryDriverContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfQueryDriverContext(x, x)
		public _VfQueryDriverContext@8
_VfQueryDriverContext@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ViVerifierEnabled, 0
		jz	short loc_677594
		mov	edx, [ebp+arg_4]
		xor	ecx, ecx
		inc	ecx
		call	@ViIsContextIdValid@8 ;	ViIsContextIdValid(x,x)
		test	al, al
		jz	short loc_677594
		mov	ecx, [ebp+arg_0]
		push	edx
		xor	edx, edx
		inc	edx
		call	_ViQueryObjectContext@12 ; ViQueryObjectContext(x,x,x)
		jmp	short loc_677596
; 

loc_677594:				; CODE XREF: VfQueryDriverContext(x,x)+Cj
					; VfQueryDriverContext(x,x)+1Bj
		xor	eax, eax

loc_677596:				; CODE XREF: VfQueryDriverContext(x,x)+29j
		pop	ebp
		retn	8
_VfQueryDriverContext@8	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2590. VfQueryIrpContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfQueryIrpContext(x, x)
		public _VfQueryIrpContext@8
_VfQueryIrpContext@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ViVerifierEnabled, 0
		jz	short loc_6775CA
		mov	edx, [ebp+arg_4]
		push	2
		pop	ecx
		call	@ViIsContextIdValid@8 ;	ViIsContextIdValid(x,x)
		test	al, al
		jz	short loc_6775CA
		mov	ecx, [ebp+arg_0]
		push	edx
		push	2
		pop	edx
		call	_ViQueryObjectContext@12 ; ViQueryObjectContext(x,x,x)
		jmp	short loc_6775CC
; 

loc_6775CA:				; CODE XREF: VfQueryIrpContext(x,x)+Cj
					; VfQueryIrpContext(x,x)+1Bj
		xor	eax, eax

loc_6775CC:				; CODE XREF: VfQueryIrpContext(x,x)+29j
		pop	ebp
		retn	8
_VfQueryIrpContext@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2591. VfQueryThreadContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfQueryThreadContext(x, x)
		public _VfQueryThreadContext@8
_VfQueryThreadContext@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ViVerifierEnabled, 0
		jz	short loc_677600
		mov	edx, [ebp+arg_4]
		push	3
		pop	ecx
		call	@ViIsContextIdValid@8 ;	ViIsContextIdValid(x,x)
		test	al, al
		jz	short loc_677600
		mov	ecx, [ebp+arg_0]
		push	edx
		push	3
		pop	edx
		call	_ViQueryObjectContext@12 ; ViQueryObjectContext(x,x,x)
		jmp	short loc_677602
; 

loc_677600:				; CODE XREF: VfQueryThreadContext(x,x)+Cj
					; VfQueryThreadContext(x,x)+1Bj
		xor	eax, eax

loc_677602:				; CODE XREF: VfQueryThreadContext(x,x)+29j
		pop	ebp
		retn	8
_VfQueryThreadContext@8	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2592. VfRemoveContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfRemoveContext(x)
		public _VfRemoveContext@4
_VfRemoveContext@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_ViVerifierEnabled, 0
		push	edi
		mov	edi, 0C0000225h
		jnz	short loc_67762A
		mov	eax, 0C0000001h
		jmp	loc_6776C3
; 

loc_67762A:				; CODE XREF: VfRemoveContext(x)+13j
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		movzx	ebx, word ptr [esi]
		movzx	edx, word ptr [esi+2]
		mov	ecx, ebx
		call	@ViIsContextIdValid@8 ;	ViIsContextIdValid(x,x)
		test	al, al
		jnz	short loc_677648
		mov	eax, 0C000000Dh
		jmp	short loc_6776C1
; 

loc_677648:				; CODE XREF: VfRemoveContext(x)+34j
		mov	ecx, [esi+8]
		mov	edx, ebx
		call	@ViGetContextPointer@8 ; ViGetContextPointer(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_67765F
		mov	eax, 0C00000BBh
		jmp	short loc_6776C1
; 

loc_67765F:				; CODE XREF: VfRemoveContext(x)+4Bj
		mov	ecx, ebx
		call	@ViLockContextPointer@4	; ViLockContextPointer(x)
		test	al, al
		jz	short loc_6776BF
		mov	ecx, [ebx]
		or	edx, 0FFFFFFFFh
		movzx	eax, word ptr [esi+2]
		mov	[ebp+arg_0], ecx
		cmp	[ecx+eax*4+8], esi
		jnz	short loc_6776A8
		xor	edi, edi
		mov	[ecx+eax*4+8], edi
		mov	eax, edx
		lock xadd [ecx+4], eax
		dec	eax
		jnz	short loc_6776A8
		xor	eax, eax
		xchg	eax, [ebx]
		lock xadd [esi+4], edx
		dec	edx
		jnz	short loc_67769F
		push	esi
		call	dword ptr [esi+0Ch]
		mov	ecx, [ebp+arg_0]

loc_67769F:				; CODE XREF: VfRemoveContext(x)+8Bj
		call	_ViFreeContextTable@4 ;	ViFreeContextTable(x)
		xor	eax, eax
		jmp	short loc_6776C1
; 

loc_6776A8:				; CODE XREF: VfRemoveContext(x)+6Fj
					; VfRemoveContext(x)+7Fj
		mov	ecx, ebx
		call	@ViUnlockContextPointer@4 ; ViUnlockContextPointer(x)
		test	edi, edi
		js	short loc_6776BF
		lock xadd [esi+4], edx
		dec	edx
		jnz	short loc_6776BF
		push	esi
		call	dword ptr [esi+0Ch]

loc_6776BF:				; CODE XREF: VfRemoveContext(x)+5Dj
					; VfRemoveContext(x)+A6j ...
		mov	eax, edi

loc_6776C1:				; CODE XREF: VfRemoveContext(x)+3Bj
					; VfRemoveContext(x)+52j ...
		pop	esi
		pop	ebx

loc_6776C3:				; CODE XREF: VfRemoveContext(x)+1Aj
		pop	edi
		leave
		retn	4
_VfRemoveContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierCrashEvent(x)
_VerifierCrashEvent@4 proc near		; DATA XREF: .data:006B3704o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_6776D8
		xor	eax, eax
		jmp	short loc_677747
; 

loc_6776D8:				; CODE XREF: VerifierCrashEvent(x)+Aj
		cmp	ds:_VfClearanceFlag, 0
		push	edi
		jz	short loc_677742
		test	ds:_VfRuleClassesRecord, 400000h
		jz	short loc_677742
		mov	eax, ds:_VfBugcheckTmpData
		xor	edi, edi
		mov	[edx], eax
		inc	edi
		mov	eax, ds:dword_AB1D04
		mov	[edx+4], eax
		mov	eax, ds:dword_AB1D08
		mov	[edx+8], eax
		mov	eax, ds:dword_AB1D0C
		mov	[edx+0Ch], eax
		mov	eax, ds:dword_AB1D10
		push	esi
		mov	[edx+10h], eax
		xor	esi, esi

loc_67771B:				; CODE XREF: VerifierCrashEvent(x)+65j
		mov	ecx, [edx+14h]
		mov	eax, ds:_VfRuleClassesRecord[esi]
		mov	[esi+ecx], eax
		add	esi, 4
		cmp	esi, 8
		jb	short loc_67771B
		mov	eax, ds:_VfOptionFlags
		mov	[edx+18h], eax
		mov	eax, ds:_VfFlightOptions
		mov	[edx+1Ch], eax
		pop	esi
		jmp	short loc_677744
; 

loc_677742:				; CODE XREF: VerifierCrashEvent(x)+18j
					; VerifierCrashEvent(x)+24j
		xor	edi, edi

loc_677744:				; CODE XREF: VerifierCrashEvent(x)+78j
		mov	eax, edi
		pop	edi

loc_677747:				; CODE XREF: VerifierCrashEvent(x)+Ej
		pop	ebp
		retn	4
_VerifierCrashEvent@4 endp

; 
		align 10h
; Exported entry 2588. VfQueryDispatchTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfQueryDispatchTable(x, x)
		public _VfQueryDispatchTable@8
_VfQueryDispatchTable@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		cmp	ds:_ViVerifierDriverAddedThunkListHead,	ecx
		jnz	short loc_67776B
		cmp	ds:_VfClearanceFlag, ecx
		jnz	short loc_67776B
		xor	eax, eax
		jmp	short loc_6777B7
; 

loc_67776B:				; CODE XREF: VfQueryDispatchTable(x,x)+Dj
					; VfQueryDispatchTable(x,x)+15j
		mov	eax, [ebp+arg_0]
		sub	eax, ecx
		jz	short loc_6777A5
		dec	eax
		sub	eax, 1
		jz	short loc_67778F
		sub	eax, 1
		jnz	short loc_6777B5
		mov	eax, [ebp+arg_4]
		cmp	eax, ds:dword_6B36F8
		ja	short loc_6777B5
		mov	ecx, offset _VfXdvDispatchTable
		jmp	short loc_6777B5
; 

loc_67778F:				; CODE XREF: VfQueryDispatchTable(x,x)+26j
		mov	eax, ds:_ViFnXdvQueryDispatchTable
		test	eax, eax
		jz	short loc_6777B5
		push	[ebp+arg_4]
		push	2
		call	eax
		pop	ecx
		pop	ecx
		mov	ecx, eax
		jmp	short loc_6777B5
; 

loc_6777A5:				; CODE XREF: VfQueryDispatchTable(x,x)+20j
		mov	eax, [ebp+arg_4]
		cmp	eax, ds:dword_6B3710
		ja	short loc_6777B5
		mov	ecx, offset _VfWdmDispatchTable

loc_6777B5:				; CODE XREF: VfQueryDispatchTable(x,x)+2Bj
					; VfQueryDispatchTable(x,x)+36j ...
		mov	eax, ecx

loc_6777B7:				; CODE XREF: VfQueryDispatchTable(x,x)+19j
		pop	ebp
		retn	8
_VfQueryDispatchTable@8	endp


;  S U B	R O U T	I N E 


; __stdcall ViDifAllocateCallbackStorage()
_ViDifAllocateCallbackStorage@0	proc near ; CODE XREF: VfDifCaptureDriverEntry:loc_5DC7AAp
					; VfXdvDriverCaptureIoCallbacks(x)+18p
		mov	edi, edi
		push	esi
		push	edi
		push	494F6656h
		mov	edi, 80h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_6777E6
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_6777E6:				; CODE XREF: ViDifAllocateCallbackStorage()+1Dj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_ViDifAllocateCallbackStorage@0	endp


;  S U B	R O U T	I N E 


; __stdcall ViDifCaptureDriverEntry(x)
_ViDifCaptureDriverEntry@4 proc	near	; CODE XREF: VfDifCaptureDriverEntry+91F10p
					; VfXdvDriverCaptureIoCallbacks(x)+26p
		mov	eax, [ecx+18h]
		mov	edx, [eax+20h]
		mov	eax, [ecx+2Ch]
		mov	[edx], eax
		cmp	dword ptr [ecx+2Ch], 0
		jz	short loc_677804
		mov	eax, ds:_pXdvDriverEntry
		mov	[ecx+2Ch], eax

loc_677804:				; CODE XREF: ViDifCaptureDriverEntry(x)+Fj
		mov	al, 1
		retn
_ViDifCaptureDriverEntry@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViDifCaptureIoCallbacks(x)
_ViDifCaptureIoCallbacks@4 proc	near	; CODE XREF: VfDifCaptureIoCallbacks(x)+13j
					; VfXdvDriverCaptureIoCallbacks(x)+2Fp
		mov	edx, ecx
		push	edi
		mov	edi, [edx+18h]
		mov	ecx, [edi+20h]
		test	ecx, ecx
		jnz	short loc_677818
		xor	al, al
		pop	edi
		retn
; 

loc_677818:				; CODE XREF: ViDifCaptureIoCallbacks(x)+Bj
		mov	eax, [edx+30h]
		push	ebx
		mov	[ecx+4], eax
		lea	ebx, [edx+38h]
		mov	eax, [edx+34h]
		push	esi
		mov	[ecx+8], eax
		mov	eax, [edi+4]
		push	1Ch
		mov	[ecx+0Ch], eax
		add	ecx, 10h
		pop	esi

loc_677835:				; CODE XREF: ViDifCaptureIoCallbacks(x)+46j
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_677844
		cmp	eax, offset _IopInvalidDeviceRequest@8 ; IopInvalidDeviceRequest(x,x)
		jz	short loc_677844
		mov	[ecx], eax

loc_677844:				; CODE XREF: ViDifCaptureIoCallbacks(x)+32j
					; ViDifCaptureIoCallbacks(x)+39j
		add	ebx, 4
		add	ecx, 4
		sub	esi, 1
		jnz	short loc_677835
		mov	eax, [edx+30h]
		lea	esi, [edx+38h]
		test	eax, eax
		jz	short loc_677868
		cmp	eax, offset _IopInvalidDeviceRequest@8 ; IopInvalidDeviceRequest(x,x)
		jz	short loc_677868
		mov	eax, ds:_pXdvDriverStartIo
		mov	[edx+30h], eax

loc_677868:				; CODE XREF: ViDifCaptureIoCallbacks(x)+50j
					; ViDifCaptureIoCallbacks(x)+57j
		xor	ecx, ecx
		cmp	[edx+34h], ecx
		jz	short loc_677877
		mov	eax, ds:_pXdvDriverUnload
		mov	[edx+34h], eax

loc_677877:				; CODE XREF: ViDifCaptureIoCallbacks(x)+66j
		cmp	[edi+4], ecx
		jz	short loc_677884
		mov	eax, ds:_pXdvAddDevice
		mov	[edi+4], eax

loc_677884:				; CODE XREF: ViDifCaptureIoCallbacks(x)+73j
					; ViDifCaptureIoCallbacks(x)+A0j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_67789B
		cmp	eax, offset _IopInvalidDeviceRequest@8 ; IopInvalidDeviceRequest(x,x)
		jz	short loc_67789B
		mov	eax, ds:off_AA8A40[ecx]
		mov	eax, [eax]
		mov	[esi], eax

loc_67789B:				; CODE XREF: ViDifCaptureIoCallbacks(x)+81j
					; ViDifCaptureIoCallbacks(x)+88j
		add	ecx, 10h
		add	esi, 4
		cmp	ecx, 1B0h
		jbe	short loc_677884
		pop	esi
		pop	ebx
		mov	al, 1
		pop	edi
		retn
_ViDifCaptureIoCallbacks@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViSetRequestedIoCallbacks(x)
_ViSetRequestedIoCallbacks@4 proc near	; CODE XREF: ViXdvSetRequestedAPIsforDIF(x)+3Fp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_VfXdvIoCallbackThunks, 0
		push	esi
		mov	esi, offset _VfXdvIoCallbackThunks
		jz	short loc_67790C
		push	edi

loc_6778C5:				; CODE XREF: ViSetRequestedIoCallbacks(x)+5Aj
		mov	eax, ds:_VfDifAPIThunkContextHead
		mov	edi, [eax]
		cmp	edi, eax
		jz	short loc_677903

loc_6778D0:				; CODE XREF: ViSetRequestedIoCallbacks(x)+52j
		push	dword ptr [edi-8] ; char *
		push	dword ptr [esi]	; char *
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_6778F9
		cmp	dword ptr [esi+0Ch], 0FFFFh
		jz	short loc_6778F9
		or	dword ptr [esi+4], 1
		mov	eax, [esi+4]
		or	[edi-4], eax
		mov	eax, [esi+0Ch]
		mov	[edi+18h], eax

loc_6778F9:				; CODE XREF: ViSetRequestedIoCallbacks(x)+2Fj
					; ViSetRequestedIoCallbacks(x)+38j
		mov	edi, [edi]
		cmp	edi, ds:_VfDifAPIThunkContextHead
		jnz	short loc_6778D0

loc_677903:				; CODE XREF: ViSetRequestedIoCallbacks(x)+1Fj
		add	esi, 10h
		cmp	dword ptr [esi], 0
		jnz	short loc_6778C5
		pop	edi

loc_67790C:				; CODE XREF: ViSetRequestedIoCallbacks(x)+13j
		pop	esi
		leave
		retn
_ViSetRequestedIoCallbacks@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViSetRequestedOrderDependentAPIs(x)
_ViSetRequestedOrderDependentAPIs@4 proc near
					; CODE XREF: ViXdvSetRequestedAPIsforDIF(x)+1Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_VfOrderDependentThunks, 0
		push	esi
		mov	esi, offset _VfOrderDependentThunks
		jz	short loc_67796C
		push	edi

loc_677925:				; CODE XREF: ViSetRequestedOrderDependentAPIs(x)+5Aj
		mov	eax, ds:_VfDifAPIThunkContextHead
		mov	edi, [eax]
		cmp	edi, eax
		jz	short loc_677963

loc_677930:				; CODE XREF: ViSetRequestedOrderDependentAPIs(x)+52j
		push	dword ptr [edi-8] ; char *
		push	dword ptr [esi]	; char *
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_677959
		cmp	dword ptr [esi+18h], 0FFFFh
		jz	short loc_677959
		or	dword ptr [esi+0Ch], 1
		mov	eax, [esi+0Ch]
		or	[edi-4], eax
		mov	eax, [esi+18h]
		mov	[edi+18h], eax

loc_677959:				; CODE XREF: ViSetRequestedOrderDependentAPIs(x)+2Fj
					; ViSetRequestedOrderDependentAPIs(x)+38j
		mov	edi, [edi]
		cmp	edi, ds:_VfDifAPIThunkContextHead
		jnz	short loc_677930

loc_677963:				; CODE XREF: ViSetRequestedOrderDependentAPIs(x)+1Fj
		add	esi, 1Ch
		cmp	dword ptr [esi], 0
		jnz	short loc_677925
		pop	edi

loc_67796C:				; CODE XREF: ViSetRequestedOrderDependentAPIs(x)+13j
		pop	esi
		leave
		retn
_ViSetRequestedOrderDependentAPIs@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViXdvSetXdvKernelUtilities(x)
_ViXdvSetXdvKernelUtilities@4 proc near	; CODE XREF: ViXdvDriverLoadImage(x)+1E6p
		test	ecx, ecx
		jnz	short loc_677976
		xor	al, al
		retn
; 

loc_677976:				; CODE XREF: ViXdvSetXdvKernelUtilities(x)+2j
		push	offset _ViUtilsForXDV
		call	ecx
		pop	ecx
		mov	al, 1
		retn
_ViXdvSetXdvKernelUtilities@4 endp


;  S U B	R O U T	I N E 


; __stdcall MdlInvariantFindMdlInfo(x, x)
_MdlInvariantFindMdlInfo@8 proc	near	; CODE XREF: MdlInvariantPostDriverCompletion(x,x)+26p
					; MdlInvariantPostDriverCompletion(x,x)+52p ...
		mov	eax, [ecx+84h]
		push	esi
		push	edi
		mov	edi, edx
		test	eax, eax
		jz	short loc_6779AC
		mov	esi, [eax]
		xor	ecx, ecx
		test	esi, esi
		jz	short loc_6779AC
		mov	eax, [eax+4]

loc_67799A:				; CODE XREF: MdlInvariantFindMdlInfo(x,x)+29j
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_6779A4
		cmp	edx, edi
		jz	short loc_6779AE

loc_6779A4:				; CODE XREF: MdlInvariantFindMdlInfo(x,x)+1Dj
		inc	ecx
		add	eax, 20h
		cmp	ecx, esi
		jb	short loc_67799A

loc_6779AC:				; CODE XREF: MdlInvariantFindMdlInfo(x,x)+Cj
					; MdlInvariantFindMdlInfo(x,x)+14j
		xor	eax, eax

loc_6779AE:				; CODE XREF: MdlInvariantFindMdlInfo(x,x)+21j
		pop	edi
		pop	esi
		retn
_MdlInvariantFindMdlInfo@8 endp


;  S U B	R O U T	I N E 


; __stdcall MdlInvariantInsertMdlInfo(x, x)
_MdlInvariantInsertMdlInfo@8 proc near	; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+122p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	esi, [edi+84h]
		test	esi, esi
		jnz	short loc_6779FA
		push	6D646C56h
		push	4Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_677A14
		push	4Ch		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		lea	eax, [esi+0Ch]
		mov	dword ptr [esi], 2
		mov	[esi+4], eax
		add	esp, 0Ch
		mov	[edi+84h], esi

loc_6779FA:				; CODE XREF: MdlInvariantInsertMdlInfo(x,x)+11j
		mov	ecx, [esi]
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_677A14
		mov	edx, [esi+4]
		mov	eax, edx

loc_677A07:				; CODE XREF: MdlInvariantInsertMdlInfo(x,x)+61j
		cmp	dword ptr [eax], 0
		jz	short loc_677A1A
		inc	edi
		add	eax, 20h
		cmp	edi, ecx
		jb	short loc_677A07

loc_677A14:				; CODE XREF: MdlInvariantInsertMdlInfo(x,x)+28j
					; MdlInvariantInsertMdlInfo(x,x)+4Fj
		xor	eax, eax

loc_677A16:				; CODE XREF: MdlInvariantInsertMdlInfo(x,x)+78j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_677A1A:				; CODE XREF: MdlInvariantInsertMdlInfo(x,x)+59j
		shl	edi, 5
		add	edi, edx
		push	8
		pop	ecx
		mov	esi, ebx
		rep movsd
		xor	eax, eax
		inc	eax
		jmp	short loc_677A16
_MdlInvariantInsertMdlInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MdlInvariantPostDriverCompletion(x,	x)
_MdlInvariantPostDriverCompletion@8 proc near ;	CODE XREF: IovpCompleteRequest4(x,x,x,x)+64p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	edi, [edx+4]
		mov	ebx, ecx
		cmp	dword ptr [edi], 0
		jnz	short loc_677AA2
		movsx	eax, byte ptr [edx+22h]
		movsx	ecx, byte ptr [edx+23h]
		dec	eax
		mov	[ebp+var_4], ecx
		cmp	ecx, eax
		jl	short loc_677A67
		mov	edx, edi
		mov	ecx, ebx
		call	_MdlInvariantFindMdlInfo@8 ; MdlInvariantFindMdlInfo(x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_677A67
		push	8
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		jmp	short loc_677AA2
; 

loc_677A67:				; CODE XREF: MdlInvariantPostDriverCompletion(x,x)+20j
					; MdlInvariantPostDriverCompletion(x,x)+2Fj
		push	esi
		mov	esi, [ebx+84h]
		test	esi, esi
		jz	short loc_677AA1
		mov	esi, [esi+8]
		test	esi, esi
		jz	short loc_677AA1
		mov	edx, esi
		mov	ecx, ebx
		call	_MdlInvariantFindMdlInfo@8 ; MdlInvariantFindMdlInfo(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_677AA1
		mov	ecx, [ebp+var_4]
		movsx	edx, byte ptr [ebx+18h]
		inc	ecx
		cmp	edx, ecx
		jz	short loc_677A98
		cmp	esi, edi
		jz	short loc_677AA1

loc_677A98:				; CODE XREF: MdlInvariantPostDriverCompletion(x,x)+67j
		push	8
		pop	ecx
		xor	eax, eax
		mov	edi, ebx
		rep stosd

loc_677AA1:				; CODE XREF: MdlInvariantPostDriverCompletion(x,x)+45j
					; MdlInvariantPostDriverCompletion(x,x)+4Cj ...
		pop	esi

loc_677AA2:				; CODE XREF: MdlInvariantPostDriverCompletion(x,x)+10j
					; MdlInvariantPostDriverCompletion(x,x)+3Aj
		pop	edi
		pop	ebx
		leave
		retn
_MdlInvariantPostDriverCompletion@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MdlInvariantPostProcessing1(x, x, x)
_MdlInvariantPostProcessing1@12	proc near ; CODE XREF: IovpCompleteRequest2(x,x)+BFp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	eax, [edi+4]
		cmp	dword ptr [eax], 0
		jnz	loc_677C08
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_677AD6
		mov	eax, [edi+4]
		cmp	dword ptr [eax+14h], 0FFFFFFFFh
		jnb	loc_677C08

loc_677AD6:				; CODE XREF: MdlInvariantPostProcessing1(x,x,x)+21j
		mov	eax, ds:_MmVerifierData
		mov	cl, [edi+23h]
		mov	dl, [edi+22h]
		test	eax, 2000h
		jz	short loc_677AF7
		test	eax, 4000h
		jnz	short loc_677AF7
		cmp	cl, dl
		jnz	loc_677C08

loc_677AF7:				; CODE XREF: MdlInvariantPostProcessing1(x,x,x)+40j
					; MdlInvariantPostProcessing1(x,x,x)+47j
		push	2
		push	dword ptr [edi+4]
		call	_MmMdlPageContentsState@8 ; MmMdlPageContentsState(x,x)
		cmp	eax, 1
		jnz	loc_677C08
		mov	ecx, [esi+84h]
		test	ecx, ecx
		jz	short loc_677B1A
		mov	eax, [edi+4]
		mov	[ecx+8], eax

loc_677B1A:				; CODE XREF: MdlInvariantPostProcessing1(x,x,x)+6Cj
		push	ebx
		mov	ebx, [edi+4]
		mov	ecx, esi
		mov	edx, ebx
		call	_MdlInvariantFindMdlInfo@8 ; MdlInvariantFindMdlInfo(x,x)
		mov	esi, [ebp+arg_0]
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jnz	short loc_677B3C
		cmp	byte ptr [esi],	4
		jz	loc_677C07

loc_677B3C:				; CODE XREF: MdlInvariantPostProcessing1(x,x,x)+8Bj
		test	byte ptr [ebx+6], 5
		jz	short loc_677B47
		mov	ebx, [ebx+0Ch]
		jmp	short loc_677B5E
; 

loc_677B47:				; CODE XREF: MdlInvariantPostProcessing1(x,x,x)+9Aj
		push	40000020h
		xor	eax, eax
		push	eax
		push	eax
		push	1
		push	eax
		push	ebx
		call	MmMapLockedPagesSpecifyCache
		mov	ecx, [ebp+var_4]
		mov	ebx, eax

loc_677B5E:				; CODE XREF: MdlInvariantPostProcessing1(x,x,x)+9Fj
		test	ebx, ebx
		jz	loc_677C07
		test	ecx, ecx
		jz	loc_677C23
		mov	eax, [edi+4]
		mov	edx, [ecx+14h]
		mov	eax, [eax+14h]
		mov	[ebp+var_8], eax
		cmp	edx, eax
		jz	loc_677C23
		mov	eax, [ecx+10h]
		cmp	ebx, eax
		jb	loc_677C0E
		mov	ecx, [ebp+var_8]
		add	eax, edx
		add	ecx, ebx
		cmp	ecx, eax
		ja	short loc_677C0E
		mov	al, [esi]

loc_677B9A:				; CODE XREF: MdlInvariantPostProcessing1(x,x,x)+181j
		cmp	al, 3
		jnz	short loc_677C07
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_677C07
		mov	eax, [edi+4]
		mov	ecx, ebx
		push	offset _Crc64Ctrl
		push	0
		push	0
		mov	edx, [eax+14h]
		call	RtlpComputeCrcInternal
		push	offset _IovMdlInvariant10Milliseconds
		push	0
		push	0
		mov	esi, eax
		mov	[ebp+var_8], edx
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	ecx, [edi+4]
		push	offset _Crc64Ctrl
		push	0
		push	0
		mov	edx, [ecx+14h]
		mov	ecx, ebx
		call	RtlpComputeCrcInternal
		cmp	esi, eax
		jnz	short loc_677BF0
		cmp	[ebp+var_8], edx
		jz	short loc_677C07

loc_677BF0:				; CODE XREF: MdlInvariantPostProcessing1(x,x,x)+143j
		mov	eax, [ebp+arg_0]
		mov	edx, 1011h
		push	ebx
		push	edi
		push	dword ptr [eax+14h]

loc_677BFD:				; CODE XREF: MdlInvariantPostProcessing1(x,x,x)+17Bj
					; MdlInvariantPostProcessing1(x,x,x)+1B4j
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_677C07:				; CODE XREF: MdlInvariantPostProcessing1(x,x,x)+90j
					; MdlInvariantPostProcessing1(x,x,x)+BAj ...
		pop	ebx

loc_677C08:				; CODE XREF: MdlInvariantPostProcessing1(x,x,x)+13j
					; MdlInvariantPostProcessing1(x,x,x)+2Aj ...
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_677C0E:				; CODE XREF: MdlInvariantPostProcessing1(x,x,x)+E1j
					; MdlInvariantPostProcessing1(x,x,x)+F0j
		xor	edx, edx
		cmp	byte ptr [esi],	4
		push	ebx
		push	edi
		push	dword ptr [esi+14h]
		setnz	dl
		add	edx, 1010h
		jmp	short loc_677BFD
; 

loc_677C23:				; CODE XREF: MdlInvariantPostProcessing1(x,x,x)+C2j
					; MdlInvariantPostProcessing1(x,x,x)+D6j
		mov	al, [esi]
		cmp	al, 4
		jnz	loc_677B9A
		mov	eax, [edi+4]
		mov	ecx, ebx
		push	offset _Crc64Ctrl
		push	0
		push	0
		mov	edx, [eax+14h]
		call	RtlpComputeCrcInternal
		mov	ecx, [ebp+var_4]
		cmp	eax, [ecx+8]
		jnz	short loc_677C50
		cmp	edx, [ecx+0Ch]
		jz	short loc_677C07

loc_677C50:				; CODE XREF: MdlInvariantPostProcessing1(x,x,x)+1A3j
		push	ebx
		push	edi
		push	dword ptr [esi+14h]
		mov	edx, 1010h
		jmp	short loc_677BFD
_MdlInvariantPostProcessing1@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MdlInvariantPreProcessing1(x, x, x)
_MdlInvariantPreProcessing1@12 proc near ; CODE	XREF: IovpCallDriver1(x)+16Ap

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	[esp+40h+var_34], ecx
		lea	edi, [esp+40h+var_20]
		xor	eax, eax
		xor	ebx, ebx
		push	8
		pop	ecx
		rep stosd
		mov	edi, [esp+40h+var_34]
		mov	esi, edx
		mov	[esp+40h+var_2C], esi
		mov	eax, [edi+5Ch]
		mov	[esp+40h+var_24], eax
		mov	eax, [eax+4]
		cmp	[eax], ebx
		jnz	loc_677E40
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_677CB1
		mov	eax, [edi+5Ch]
		mov	eax, [eax+4]
		cmp	dword ptr [eax+14h], 0FFFFFFFFh
		jnb	loc_677E40

loc_677CB1:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+43j
		mov	eax, [edi+5Ch]
		push	2
		push	dword ptr [eax+4]
		call	_MmMdlPageContentsState@8 ; MmMdlPageContentsState(x,x)
		cmp	eax, 1
		jnz	loc_677E40
		mov	eax, [edi+5Ch]
		mov	eax, [eax+4]
		test	byte ptr [eax+6], 5
		jz	short loc_677CD8
		mov	ebx, [eax+0Ch]
		jmp	short loc_677CEA
; 

loc_677CD8:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+75j
		push	40000020h
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	eax
		call	MmMapLockedPagesSpecifyCache
		mov	ebx, eax

loc_677CEA:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+7Aj
		test	ebx, ebx
		jz	loc_677E40
		mov	edx, [edi+5Ch]
		mov	ecx, esi
		mov	[esp+40h+var_30], edx
		mov	edx, [edx+4]
		call	_MdlInvariantFindMdlInfo@8 ; MdlInvariantFindMdlInfo(x,x)
		mov	edx, [esp+40h+var_30]
		mov	esi, eax
		test	esi, esi
		jz	short loc_677D3A
		mov	al, [edx+23h]
		cmp	al, [edx+22h]
		jz	short loc_677D1A
		cmp	[esi+18h], al
		jnz	short loc_677D3A

loc_677D1A:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+B7j
		xor	eax, eax
		mov	edi, esi
		push	8
		pop	ecx
		rep stosd
		mov	eax, [esp+40h+var_2C]
		mov	edi, [esp+40h+var_34]
		mov	eax, [eax+84h]
		and	dword ptr [eax+8], 0
		xor	esi, esi
		mov	edx, [edi+5Ch]

loc_677D3A:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+AFj
					; MdlInvariantPreProcessing1(x,x,x)+BCj
		mov	eax, [edx+4]
		test	esi, esi
		jnz	short loc_677D88
		mov	edx, [eax+14h]
		mov	ecx, ebx
		push	offset _Crc64Ctrl
		push	esi
		push	esi
		call	RtlpComputeCrcInternal
		mov	esi, [edi+5Ch]
		mov	[esp+40h+var_18], eax
		mov	[esp+40h+var_14], edx
		lea	edx, [esp+40h+var_20]
		mov	[esp+40h+var_10], ebx
		mov	ecx, [esi+4]
		mov	[esp+40h+var_20], ecx
		mov	eax, [ecx+14h]
		mov	ecx, [esp+40h+var_2C]
		mov	[esp+40h+var_C], eax
		mov	al, [esi+23h]
		mov	[esp+40h+var_8], al
		call	_MdlInvariantInsertMdlInfo@8 ; MdlInvariantInsertMdlInfo(x,x)
		jmp	loc_677E40
; 

loc_677D88:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+E3j
		mov	ecx, [esi+14h]
		mov	eax, [eax+14h]
		mov	[esp+40h+var_30], ecx
		mov	[esp+40h+var_28], eax
		cmp	ecx, eax
		jz	short loc_677DD4
		mov	ecx, [esi+10h]
		mov	[esp+40h+var_2C], ecx
		cmp	ebx, ecx
		jb	short loc_677DB8
		mov	edi, [esp+40h+var_34]
		lea	ecx, [eax+ebx]
		mov	eax, [esp+40h+var_2C]
		add	eax, [esp+40h+var_30]
		cmp	ecx, eax
		jbe	short loc_677DD0

loc_677DB8:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+147j
		mov	eax, [ebp+arg_0]
		push	ebx
		push	edx
		xor	edx, edx
		cmp	byte ptr [eax],	4
		push	dword ptr [eax+14h]
		setnz	dl
		add	edx, 1010h
		jmp	short loc_677E36
; 

loc_677DD0:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+15Aj
		mov	eax, [esp+40h+var_28]

loc_677DD4:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+13Cj
		test	ds:_MmVerifierData, 4000h
		jz	short loc_677E40
		push	offset _Crc64Ctrl
		push	0
		push	0
		mov	edx, eax
		mov	ecx, ebx
		call	RtlpComputeCrcInternal
		mov	[esp+40h+var_28], eax
		cmp	[esi+8], eax
		jnz	short loc_677E00
		cmp	[esi+0Ch], edx
		jz	short loc_677E40

loc_677E00:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+19Dj
		mov	ecx, [ebp+arg_0]
		cmp	byte ptr [ecx],	4
		jnz	short loc_677E0F
		mov	edx, 1010h
		jmp	short loc_677E2F
; 

loc_677E0F:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+1AAj
		mov	eax, [esp+40h+var_24]
		mov	eax, [eax+60h]
		mov	eax, [eax+4]
		cmp	eax, [ecx+4]
		jz	short loc_677E2A
		mov	eax, [esp+40h+var_28]
		mov	[esi+8], eax
		mov	[esi+0Ch], edx
		jmp	short loc_677E40
; 

loc_677E2A:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+1C0j
		mov	edx, 1011h

loc_677E2F:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+1B1j
		push	ebx
		push	dword ptr [edi+5Ch]
		push	dword ptr [ecx+14h]

loc_677E36:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+172j
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_677E40:				; CODE XREF: MdlInvariantPreProcessing1(x,x,x)+35j
					; MdlInvariantPreProcessing1(x,x,x)+4Fj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MdlInvariantPreProcessing1@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfAllocateDomainCommonBuffer(x, x, x, x, x,	x, x, x, x)
_VfAllocateDomainCommonBuffer@36 proc near ; DATA XREF:	PAGEVRFD:00AA8184o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	566C6148h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_677E6E
		mov	edi, 0C000009Ah
		jmp	short loc_677EBB
; 

loc_677E6E:				; CODE XREF: VfAllocateDomainCommonBuffer(x,x,x,x,x,x,x,x,x)+1Cj
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	74h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		push	[ebp+arg_20]
		mov	ebx, [ebp+arg_1C]
		push	ebx
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax
		mov	edi, eax
		test	edi, edi
		js	short loc_677EB2
		mov	ecx, [ebx]
		mov	[esi+8], ecx
		mov	ecx, [ebx+4]
		mov	[esi+0Ch], ecx
		mov	ecx, esi
		call	_ViHalTrackDomainCommonBuffer@4	; ViHalTrackDomainCommonBuffer(x)
		jmp	short loc_677EBA
; 

loc_677EB2:				; CODE XREF: VfAllocateDomainCommonBuffer(x,x,x,x,x,x,x,x,x)+53j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_677EBA:				; CODE XREF: VfAllocateDomainCommonBuffer(x,x,x,x,x,x,x,x,x)+67j
		pop	ebx

loc_677EBB:				; CODE XREF: VfAllocateDomainCommonBuffer(x,x,x,x,x,x,x,x,x)+23j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	24h
_VfAllocateDomainCommonBuffer@36 endp


;  S U B	R O U T	I N E 


; __stdcall VfDisableHalVerifier()
_VfDisableHalVerifier@0	proc near	; CODE XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+FAp
					; IopWriteCapsuleTriageDumpToFirmware(x,x,x,x,x,x,x,x)+4Bp ...
		cmp	ds:_ViVerifyDma, 0
		jz	short locret_677EF5
		and	ds:_ViVerifyDma, 0
		mov	ecx, ds:_ViAdapterList
		push	esi
		mov	esi, offset _ViAdapterList
		jmp	short loc_677EF0
; 

loc_677EE1:				; CODE XREF: VfDisableHalVerifier()+2Fj
		mov	edx, [ecx+8]
		test	edx, edx
		jz	short loc_677EEE
		mov	eax, [ecx+1Ch]
		mov	[edx+4], eax

loc_677EEE:				; CODE XREF: VfDisableHalVerifier()+23j
		mov	ecx, [ecx]

loc_677EF0:				; CODE XREF: VfDisableHalVerifier()+1Cj
		cmp	ecx, esi
		jnz	short loc_677EE1
		pop	esi

locret_677EF5:				; CODE XREF: VfDisableHalVerifier()+7j
		retn
_VfDisableHalVerifier@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFlushDmaBuffer(x,	x, x)
_VfFlushDmaBuffer@12 proc near		; DATA XREF: PAGEVRFD:00AA8188o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	78h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		pop	ebp
		jmp	eax
_VfFlushDmaBuffer@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfGetDmaDomain(x)
_VfGetDmaDomain@4 proc near		; DATA XREF: PAGEVRFD:00AA8194o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 84h
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		pop	ebp
		jmp	eax
_VfGetDmaDomain@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfJoinDmaDomain(x, x)
_VfJoinDmaDomain@8 proc	near		; DATA XREF: PAGEVRFD:00AA818Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	7Ch
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		pop	ebp
		jmp	eax
_VfJoinDmaDomain@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfLeaveDmaDomain(x)
_VfLeaveDmaDomain@4 proc near		; DATA XREF: PAGEVRFD:00AA8190o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 80h
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		pop	ebp
		jmp	eax
_VfLeaveDmaDomain@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFlushZeroMapRegisterBaseWcbs(x)
_ViFlushZeroMapRegisterBaseWcbs@4 proc near ; CODE XREF: VfPutDmaAdapter(x)+8Fp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	ebx, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [ebx+4Ch]
		mov	[ebp+var_1], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	eax, [ebx+44h]
		mov	edx, [eax]
		cmp	edx, eax
		jz	short loc_677F89
		push	esi

loc_677F6D:				; CODE XREF: ViFlushZeroMapRegisterBaseWcbs(x)+40j
		lea	esi, [edx-28h]
		mov	edx, [edx]
		cmp	dword ptr [esi+30h], 0
		jnz	short loc_677F84
		cmp	dword ptr [esi+34h], 0
		jnz	short loc_677F84
		cmp	dword ptr [esi+1Ch], 3
		jz	short loc_677F9E

loc_677F84:				; CODE XREF: ViFlushZeroMapRegisterBaseWcbs(x)+30j
					; ViFlushZeroMapRegisterBaseWcbs(x)+36j
		cmp	edx, eax
		jnz	short loc_677F6D

loc_677F88:				; CODE XREF: ViFlushZeroMapRegisterBaseWcbs(x)+84j
		pop	esi

loc_677F89:				; CODE XREF: ViFlushZeroMapRegisterBaseWcbs(x)+24j
		test	ds:byte_70EFC6,	1
		jz	short loc_677FD1
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_677FD6
; 

loc_677F9E:				; CODE XREF: ViFlushZeroMapRegisterBaseWcbs(x)+3Cj
		lea	eax, [esi+28h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_677FCC
		cmp	[ecx], eax
		jnz	short loc_677FCC
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, ebx
		mov	edx, [esi+18h]
		call	_SUBTRACT_MAP_REGISTERS@8 ; SUBTRACT_MAP_REGISTERS(x,x)
		mov	edx, esi
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_677F88
; 

loc_677FCC:				; CODE XREF: ViFlushZeroMapRegisterBaseWcbs(x)+63j
					; ViFlushZeroMapRegisterBaseWcbs(x)+67j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_677FD1:				; CODE XREF: ViFlushZeroMapRegisterBaseWcbs(x)+4Aj
		xor	eax, eax
		lock and [edi],	eax

loc_677FD6:				; CODE XREF: ViFlushZeroMapRegisterBaseWcbs(x)+56j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	ebx
		leave
		retn
_ViFlushZeroMapRegisterBaseWcbs@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViIsActiveChannelWcb(x, x)
_ViIsActiveChannelWcb@8	proc near	; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+F1p
					; VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+DDp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	esi, ecx
		xor	bl, bl
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [esi+4Ch]
		mov	bh, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		add	esi, 44h
		mov	eax, [esi]
		sub	eax, 28h
		lea	ecx, [eax+28h]
		cmp	esi, ecx
		jz	short loc_67802B
		mov	edx, [ebp+var_4]

loc_678017:				; CODE XREF: ViIsActiveChannelWcb(x,x)+42j
		cmp	edx, eax
		jz	short loc_678029
		mov	eax, [ecx]
		sub	eax, 28h
		lea	ecx, [eax+28h]
		cmp	esi, ecx
		jnz	short loc_678017
		jmp	short loc_67802B
; 

loc_678029:				; CODE XREF: ViIsActiveChannelWcb(x,x)+36j
		mov	bl, 1

loc_67802B:				; CODE XREF: ViIsActiveChannelWcb(x,x)+2Fj
					; ViIsActiveChannelWcb(x,x)+44j
		test	ds:byte_70EFC6,	1
		jz	short loc_678040
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_678045
; 

loc_678040:				; CODE XREF: ViIsActiveChannelWcb(x,x)+4Fj
		xor	eax, eax
		lock and [edi],	eax

loc_678045:				; CODE XREF: ViIsActiveChannelWcb(x,x)+5Bj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_ViIsActiveChannelWcb@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViRemoveChannelWcb(x, x, x)
_ViRemoveChannelWcb@12 proc near	; CODE XREF: VfCancelAdapterChannel(x,x,x)+3Dp
					; VfFreeAdapterChannel(x)+3Dp ...

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_1], 0
		mov	esi, ecx
		test	edi, edi
		jz	short loc_678078
		test	ebx, ebx
		jz	short loc_678078
		xor	eax, eax
		jmp	loc_678116
; 

loc_678078:				; CODE XREF: ViRemoveChannelWcb(x,x,x)+17j
					; ViRemoveChannelWcb(x,x,x)+1Bj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_0+3],	al
		lea	eax, [esi+4Ch]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	edx, [esi+44h]
		mov	esi, [edx]
		jmp	short loc_6780BA
; 

loc_678095:				; CODE XREF: ViRemoveChannelWcb(x,x,x)+6Ej
		test	edi, edi
		jz	short loc_6780A3
		cmp	[esi+34h], edi
		jz	short loc_6780DD
		cmp	[esi+30h], edi
		jz	short loc_6780DD

loc_6780A3:				; CODE XREF: ViRemoveChannelWcb(x,x,x)+43j
		test	ebx, ebx
		jz	short loc_6780AC
		cmp	[esi+14h], ebx
		jz	short loc_6780DD

loc_6780AC:				; CODE XREF: ViRemoveChannelWcb(x,x,x)+51j
		mov	eax, [esi+1Ch]
		cmp	eax, 1
		jz	short loc_6780DD
		test	eax, eax
		jz	short loc_6780DD
		mov	esi, [ecx]

loc_6780BA:				; CODE XREF: ViRemoveChannelWcb(x,x,x)+3Fj
		sub	esi, 28h
		lea	ecx, [esi+28h]
		cmp	edx, ecx
		jnz	short loc_678095
		mov	bl, [ebp+var_1]

loc_6780C7:				; CODE XREF: ViRemoveChannelWcb(x,x,x)+A1j
		test	ds:byte_70EFC6,	1
		jz	short loc_6780FC
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_678104
; 

loc_6780DD:				; CODE XREF: ViRemoveChannelWcb(x,x,x)+48j
					; ViRemoveChannelWcb(x,x,x)+4Dj ...
		lea	eax, [esi+28h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_6780F7
		cmp	[ecx], eax
		jnz	short loc_6780F7
		mov	[ecx], edx
		mov	bl, 1
		mov	[edx+4], ecx
		jmp	short loc_6780C7
; 

loc_6780F7:				; CODE XREF: ViRemoveChannelWcb(x,x,x)+94j
					; ViRemoveChannelWcb(x,x,x)+98j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_6780FC:				; CODE XREF: ViRemoveChannelWcb(x,x,x)+7Aj
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_678104:				; CODE XREF: ViRemoveChannelWcb(x,x,x)+87j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	bl, 1
		jz	short loc_678114
		xor	esi, esi

loc_678114:				; CODE XREF: ViRemoveChannelWcb(x,x,x)+BCj
		mov	eax, esi

loc_678116:				; CODE XREF: ViRemoveChannelWcb(x,x,x)+1Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ViRemoveChannelWcb@12 endp


;  S U B	R O U T	I N E 


; __stdcall VfBugCheckNoStackUsage()
_VfBugCheckNoStackUsage@0 proc near	; CODE XREF: IovCallDriver(x,x,x):loc_A58818p
					; IovpCallDriverWithStackBuffer(x,x,x):loc_A58BBDp ...
		push	ds:dword_AB1D10
		push	ds:dword_AB1D0C
		push	ds:dword_AB1D08
		push	ds:dword_AB1D04
		push	ds:_VfBugcheckTmpData
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_VfBugCheckNoStackUsage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlRegisterUncProviderEx(x, x, x,	x)
_VerifierFsRtlRegisterUncProviderEx@16 proc near ; DATA	XREF: PAGEVRFD:00AA93DCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlRegisterUncProviderEx
_VerifierFsRtlRegisterUncProviderEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoGetDeviceToVerify(x)
_VerifierIoGetDeviceToVerify@4 proc near ; DATA	XREF: PAGEVRFD:00AA9784o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoGetDeviceToVerify
_VerifierIoGetDeviceToVerify@4 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierIoInvalidateDeviceRelations(x, x)
_VerifierIoInvalidateDeviceRelations@8 proc near ; DATA	XREF: PAGEVRFD:00AA97FCo
		jmp	ds:_pXdvIoInvalidateDeviceRelations
_VerifierIoInvalidateDeviceRelations@8 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierIoSetDeviceToVerify(x,x).	PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwFlushKey(x)
_VerifierZwFlushKey@4 proc near		; DATA XREF: PAGEVRFD:00AAA8C4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwFlushKey
_VerifierZwFlushKey@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall XdvExInitializeLookasideListExInternal(x, x, x, x, x, x, x,	x, x, x)
_XdvExInitializeLookasideListExInternal@40 proc	near
					; CODE XREF: VerifierExInitializeLookasideListEx(x,x,x,x,x,x,x,x)+70p
					; DATA XREF: PAGEVRFD:_pXdvExInitializeLookasideListExo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	[ebp+arg_24]
		pop	ebp
		retn	28h
_XdvExInitializeLookasideListExInternal@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall XdvIoAllocateIrp(x,	x, x, x, x)
_XdvIoAllocateIrp@20 proc near		; CODE XREF: IovAllocateIrp(x,x,x,x)+81p
					; VerifierIoAllocateIrp(x,x)+73p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	[ebp+arg_10]
		pop	ebp
		retn	14h
_XdvIoAllocateIrp@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall XdvIoAllocateMdl(x,	x, x, x, x, x, x)
_XdvIoAllocateMdl@28 proc near		; CODE XREF: VerifierIoAllocateMdl(x,x,x,x,x)+3Bp
					; VerifierPortIoAllocateMdl(x,x,x,x,x,x)+42p
					; DATA XREF: ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	[ebp+arg_18]
		pop	ebp
		retn	1Ch
_XdvIoAllocateMdl@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall XdvIoAllocateWorkItem(x, x,	x)
_XdvIoAllocateWorkItem@12 proc near	; CODE XREF: VerifierIoAllocateWorkItem(x)+10p
					; VerifierPortIoAllocateWorkItem(x,x)+10p
					; DATA XREF: ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	[ebp+arg_8]
		pop	ebp
		retn	0Ch
_XdvIoAllocateWorkItem@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall XdvIoBuildDeviceIoControlRequest(x,	x, x, x, x, x, x, x, x,	x, x)
_XdvIoBuildDeviceIoControlRequest@44 proc near
					; CODE XREF: IovBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)+33p
					; DATA XREF: PAGEVRFD:_pXdvIoBuildDeviceIoControlRequesto

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	[ebp+arg_28]
		pop	ebp
		retn	2Ch
_XdvIoBuildDeviceIoControlRequest@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall XdvIoBuildSynchronousFsdRequest(x, x, x, x,	x, x, x, x, x)
_XdvIoBuildSynchronousFsdRequest@36 proc near
					; CODE XREF: IovBuildSynchronousFsdRequest(x,x,x,x,x,x,x)+2Dp
					; DATA XREF: PAGEVRFD:_pXdvIopBuildSynchronousFsdRequesto

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	[ebp+arg_20]
		pop	ebp
		retn	24h
_XdvIoBuildSynchronousFsdRequest@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall XdvIopBuildAsynchronousFsdRequest(x, x, x, x, x, x,	x, x)
_XdvIopBuildAsynchronousFsdRequest@32 proc near
					; CODE XREF: IovBuildAsynchronousFsdRequest(x,x,x,x,x,x)+2Ap
					; DATA XREF: PAGEVRFD:_pXdvIopBuildAsynchronousFsdRequesto

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	[ebp+arg_1C]
		pop	ebp
		retn	20h
_XdvIopBuildAsynchronousFsdRequest@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFreeTrackedPool(x, x, x, x)
_VerifierFreeTrackedPool@16 proc near	; CODE XREF: ExFreeHeapPool+C75E9p
					; ExpFreeHeapSpecialPool(x,x)+D0p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_VerifierIsTrackingPool, 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jnz	short loc_678275
		push	0
		mov	edx, 99h
		push	0
		push	esi
		lea	ecx, [edx+29h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_678275:				; CODE XREF: VerifierFreeTrackedPool(x,x,x,x)+12j
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, esi
		push	[ebp+arg_0]
		call	_ViFreeTrackedPool@16 ;	ViFreeTrackedPool(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_VerifierFreeTrackedPool@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViPendingTryReserveWorker(x)
_ViPendingTryReserveWorker@4 proc near	; CODE XREF: ViPendingQueuePassiveLevelCompletion(x)+2Cp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ds:_ViPendingWorkersCount
		mov	eax, ecx
		push	esi
		push	edi
		mov	edi, ds:_ViPendingWorkerIndexHint
		mov	[ebp+var_4], eax

loc_6782A4:				; CODE XREF: ViPendingTryReserveWorker(x)+46j
		imul	edx, edi, 1Ch
		mov	esi, eax
		xor	eax, eax
		add	edx, offset unk_6BE024
		lock cmpxchg [edx], esi
		mov	ecx, eax
		lea	eax, [edi+1]
		cmp	eax, ds:_ViPendingWorkersCount
		sbb	edx, edx
		and	edx, eax
		test	ecx, ecx
		jz	short loc_6782DD
		mov	eax, [ebp+var_4]
		mov	edi, edx
		sub	ebx, 1
		jnz	short loc_6782A4
		inc	ds:_ViPendingWorkersBusyCount
		or	eax, 0FFFFFFFFh
		jmp	short loc_6782E5
; 

loc_6782DD:				; CODE XREF: ViPendingTryReserveWorker(x)+3Cj
		mov	ds:_ViPendingWorkerIndexHint, edx
		mov	eax, edi

loc_6782E5:				; CODE XREF: ViPendingTryReserveWorker(x)+51j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViPendingTryReserveWorker@4 endp


;  S U B	R O U T	I N E 


; __stdcall IovUtilMarkDeviceObject(x, x)
_IovUtilMarkDeviceObject@8 proc	near	; CODE XREF: VfIoDeleteDevice(x,x)+3Bp
					; ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+125p
		cmp	ds:_IovUtilVerifierEnabled, 0
		jnz	_IovpUtilMarkDeviceObject@8 ; IovpUtilMarkDeviceObject(x,x)
		retn
_IovUtilMarkDeviceObject@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfTargetDriversGetNode(x)
_VfTargetDriversGetNode@4 proc near	; CODE XREF: VfTargetDriversGetVerifierData(x):loc_A64344p
					; ViThunkApplyThunksCurrentSession(x,x)+20p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	esi
		xor	esi, esi
		cmp	ds:_VfSafeMode,	esi
		jnz	short loc_67833A
		cmp	ds:_ViTargetInitialized, esi
		jz	short loc_67833A
		push	1
		push	ecx
		lea	edx, [esp+18h+var_8]
		mov	[esp+18h+var_8], esi
		mov	ecx, offset _ViTargetDriversAvl
		mov	[esp+18h+var_4], esi
		call	VfAvlLookupTreeNode
		lea	ecx, [esp+10h+var_8]
		mov	esi, eax
		call	VfAvlCleanupLockContext

loc_67833A:				; CODE XREF: VfTargetDriversGetNode(x)+14j
					; VfTargetDriversGetNode(x)+1Cj
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_VfTargetDriversGetNode@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall VfReportIssueWithOptions(int,int,int,int,int,int)
_VfReportIssueWithOptions@24 proc near	; CODE XREF: VfCheckImageCompliance(x)+E2p
					; VfCheckImageCompliance(x)+186p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		mov	ebx, ecx
		push	edi		; char
		mov	edi, edx
		mov	edx, [esi]
		test	edx, edx
		jz	loc_678416
		test	dl, 2
		jnz	loc_678416
		test	dl, 8
		setz	cl
		bt	ds:_VfOptionFlags, 9
		setnb	al
		test	cl, al
		jz	loc_678404
		cmp	ds:_KdDebuggerEnabled, 0
		jz	short loc_678404
		test	dl, 4
		jz	loc_678416

loc_67838F:				; CODE XREF: VfReportIssueWithOptions(x,x,x,x,x,x)+9Ej
					; VfReportIssueWithOptions(x,x,x,x,x,x)+A5j ...
		push	offset ??_C@_0CE@NJAPFAAD@?6?$CK?$CK?$CK?5Verifier?5assertion?5failed?5@FNODOBFM@ ; char *
		call	_VfUtilDbgPrint
		pop	ecx
		push	2
		lea	eax, [ebp+arg_C]
		push	eax
		push	offset ??_C@_0DC@NENOIKJC@?$CIB?$CJreak?0?5?$CII?$CJgnore?0?5?$CIW?$CJarn?5only?0@FNODOBFM@
		call	_DbgPrompt@12	; DbgPrompt(x,x,x)
		movsx	eax, byte ptr [ebp+arg_C]
		cmp	eax, 62h
		jg	short loc_6783E8
		jz	short loc_6783C9
		cmp	eax, 42h
		jz	short loc_6783C9
		cmp	eax, 49h
		jz	short loc_678416
		cmp	eax, 52h
		jz	short loc_6783FF
		cmp	eax, 57h
		jmp	short loc_6783F5
; 

loc_6783C9:				; CODE XREF: VfReportIssueWithOptions(x,x,x,x,x,x)+72j
					; VfReportIssueWithOptions(x,x,x,x,x,x)+77j
		push	[ebp+arg_8]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_VfErrorStoreTriageInformation@20 ; VfErrorStoreTriageInformation(x,x,x,x,x)
		nop
		int	3		; Trap to Debugger
		test	eax, eax
		jz	short loc_67838F
		call	_VfErrorReleaseTriageInformation@0 ; VfErrorReleaseTriageInformation()
		jmp	short loc_67838F
; 

loc_6783E8:				; CODE XREF: VfReportIssueWithOptions(x,x,x,x,x,x)+70j
		cmp	eax, 69h
		jz	short loc_678416
		cmp	eax, 72h
		jz	short loc_6783FF
		cmp	eax, 77h

loc_6783F5:				; CODE XREF: VfReportIssueWithOptions(x,x,x,x,x,x)+86j
		jnz	short loc_67838F
		mov	dword ptr [esi], 2
		jmp	short loc_678416
; 

loc_6783FF:				; CODE XREF: VfReportIssueWithOptions(x,x,x,x,x,x)+81j
					; VfReportIssueWithOptions(x,x,x,x,x,x)+AFj
		and	dword ptr [esi], 0
		jmp	short loc_678416
; 

loc_678404:				; CODE XREF: VfReportIssueWithOptions(x,x,x,x,x,x)+36j
					; VfReportIssueWithOptions(x,x,x,x,x,x)+43j
		push	[ebp+arg_8]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_678416:				; CODE XREF: VfReportIssueWithOptions(x,x,x,x,x,x)+14j
					; VfReportIssueWithOptions(x,x,x,x,x,x)+1Dj ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	10h
_VfReportIssueWithOptions@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViErrorReport10(int,int,int,int)
_ViErrorReport10@16 proc near		; CODE XREF: IovpCallDriver2(x,x)+EFp
					; VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+13Ap ...

var_5C		= dword	ptr -5Ch
var_58		= byte ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi		; char
		mov	edi, edx
		mov	[ebp+var_5C], eax
		mov	esi, ecx
		call	_ViErrorDisplayDescription@4 ; ViErrorDisplayDescription(x)
		push	[ebp+var_5C]
		lea	eax, [ebp+var_58]
		push	ebx
		push	edi		; char
		push	offset ??_C@_0DD@KMOJDKJL@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@	; "CulpritAddress = %p,	Irp = %p, DeviceOb"...
		push	4Bh		; int
		push	eax		; char *
		call	RtlStringCbPrintfA
		add	esp, 18h
		test	eax, eax
		js	short loc_67846B
		lea	eax, [ebp+var_58]
		push	eax		; char *
		call	_VfUtilDbgPrint
		pop	ecx

loc_67846B:				; CODE XREF: ViErrorReport10(x,x,x,x)+41j
		push	[ebp+var_5C]	; int
		mov	edx, edi	; int
		mov	ecx, esi	; int
		push	ebx		; int
		call	_ViErrorFinishReport@16	; ViErrorFinishReport(x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_ViErrorReport10@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViErrorReport11(int,int,int,char)
_ViErrorReport11@16 proc near		; CODE XREF: ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+93p
					; ViGenericVerifyNewIrp(x,x,x,x,x)+5Dp

var_4C		= dword	ptr -4Ch
var_48		= byte ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi		; char
		mov	edi, edx
		mov	esi, ecx
		call	_ViErrorDisplayDescription@4 ; ViErrorDisplayDescription(x)
		movzx	eax, [ebp+arg_4]
		push	eax
		push	ebx
		push	edi		; char
		push	offset ??_C@_0CL@GINJCKBC@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@	; "CulpritAddress = %p,	Irp = %p, IRQL = %"...
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_48]
		push	43h		; int
		push	eax		; char *
		call	RtlStringCbPrintfA
		add	esp, 18h
		test	eax, eax
		js	short loc_6784D5
		lea	eax, [ebp+var_48]
		push	eax		; char *
		call	_VfUtilDbgPrint
		pop	ecx

loc_6784D5:				; CODE XREF: ViErrorReport11(x,x,x,x)+40j
		push	[ebp+var_4C]	; int
		mov	edx, edi	; int
		mov	ecx, esi	; int
		push	ebx		; int
		call	_ViErrorFinishReport@16	; ViErrorFinishReport(x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_ViErrorReport11@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViErrorReport1(int,int,int)
_ViErrorReport1@12 proc	near		; CODE XREF: ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+E3p
					; ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x):loc_A5A9C6p ...

var_38		= byte ptr -38h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi		; char
		mov	edi, edx
		mov	esi, ecx
		call	_ViErrorDisplayDescription@4 ; ViErrorDisplayDescription(x)
		push	ebx
		push	edi		; char
		push	offset ??_C@_0CA@KOPMCEDG@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?4?6@FNODOBFM@	; "CulpritAddress = %p,	Irp = %p.\n"
		lea	eax, [ebp+var_38]
		push	30h		; int
		push	eax		; char *
		call	RtlStringCbPrintfA
		add	esp, 14h
		test	eax, eax
		js	short loc_678537
		lea	eax, [ebp+var_38]
		push	eax		; char *
		call	_VfUtilDbgPrint
		pop	ecx

loc_678537:				; CODE XREF: ViErrorReport1(x,x,x)+38j
		push	0		; int
		push	ebx		; int
		mov	edx, edi	; int
		mov	ecx, esi	; int
		call	_ViErrorFinishReport@16	; ViErrorFinishReport(x,x,x,x)
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_ViErrorReport1@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViErrorReport4(int,int,int,int,int)
_ViErrorReport4@20 proc	near		; CODE XREF: IovpCallDriver2(x,x)+18Dp

var_78		= byte ptr -78h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi		; char
		mov	edi, [ebp+arg_0]
		mov	ecx, 224h
		mov	esi, edx
		call	_ViErrorDisplayDescription@4 ; ViErrorDisplayDescription(x)
		push	[ebp+arg_8]
		lea	eax, [ebp+var_78]
		push	[ebp+arg_4]
		push	dword ptr [edi]
		push	esi		; char
		push	offset ??_C@_0EM@PJLILDNA@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@	; "CulpritAddress = %p,	Irp = %p, Expected"...
		push	6Ch		; int
		push	eax		; char *
		call	RtlStringCbPrintfA
		add	esp, 1Ch
		test	eax, eax
		js	short loc_6785A1
		lea	eax, [ebp+var_78]
		push	eax		; char *
		call	_VfUtilDbgPrint
		pop	ecx

loc_6785A1:				; CODE XREF: ViErrorReport4(x,x,x,x,x)+41j
		push	[ebp+arg_4]	; int
		mov	edx, esi	; int
		mov	ecx, 224h	; int
		push	dword ptr [edi]	; int
		call	_ViErrorFinishReport@16	; ViErrorFinishReport(x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_ViErrorReport4@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViErrorReport6(int,int,int,int)
_ViErrorReport6@16 proc	near		; CODE XREF: ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+146p
					; ViGenericVerifyIrpStackUpward(x,x,x,x,x,x)+8Ap ...

var_50		= byte ptr -50h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi		; char
		mov	edi, edx
		mov	esi, ecx
		call	_ViErrorDisplayDescription@4 ; ViErrorDisplayDescription(x)
		push	[ebp+arg_4]
		lea	eax, [ebp+var_50]
		push	ebx
		push	edi		; char
		push	offset ??_C@_0CP@KGPLDNDG@CulpritAddress?5?$DN?5?$CFp?0?5Irp?5?$DN?5?$CFp?0?5@FNODOBFM@	; char *
		push	47h		; int
		push	eax		; char *
		call	RtlStringCbPrintfA
		add	esp, 18h
		test	eax, eax
		js	short loc_678609
		lea	eax, [ebp+var_50]
		push	eax		; char *
		call	_VfUtilDbgPrint
		pop	ecx

loc_678609:				; CODE XREF: ViErrorReport6(x,x,x,x)+3Bj
		push	[ebp+arg_4]	; int
		mov	edx, edi	; int
		mov	ecx, esi	; int
		push	ebx		; int
		call	_ViErrorFinishReport@16	; ViErrorFinishReport(x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_ViErrorReport6@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViErrorReport7(int,int,int,int)
_ViErrorReport7@16 proc	near		; CODE XREF: VfErrorReport7(x,x,x,x)+6j

var_60		= byte ptr -60h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	ecx, 249h
		push	esi
		push	edi		; char
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		call	_ViErrorDisplayDescription@4 ; ViErrorDisplayDescription(x)
		push	ebx
		push	edi
		push	esi		; char
		push	offset ??_C@_0DO@JGJDPOJH@CulpritAddress?5?$DN?5?$CFp?0?5DeviceObje@FNODOBFM@ ;	"CulpritAddress	= %p, DeviceObject1 = %p"...
		lea	eax, [ebp+var_60]
		push	56h		; int
		push	eax		; char *
		call	RtlStringCbPrintfA
		add	esp, 18h
		test	eax, eax
		js	short loc_678672
		lea	eax, [ebp+var_60]
		push	eax		; char *
		call	_VfUtilDbgPrint
		pop	ecx

loc_678672:				; CODE XREF: ViErrorReport7(x,x,x,x)+3Fj
		push	ebx		; int
		push	edi		; int
		mov	edx, esi	; int
		mov	ecx, 249h	; int
		call	_ViErrorFinishReport@16	; ViErrorFinishReport(x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_ViErrorReport7@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViErrorReport8(int,int,int)
_ViErrorReport8@12 proc	near		; CODE XREF: IovDetachDevice(x,x)+18p
					; VfErrorReport8(x,x,x)+9p

var_40		= byte ptr -40h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi		; char
		mov	edi, edx
		mov	esi, ecx
		call	_ViErrorDisplayDescription@4 ; ViErrorDisplayDescription(x)
		push	ebx
		push	edi		; char
		push	offset ??_C@_0CJ@BMPCEADM@CulpritAddress?5?$DN?5?$CFp?0?5DeviceObje@FNODOBFM@ ;	"CulpritAddress	= %p, DeviceObject = %p."...
		lea	eax, [ebp+var_40]
		push	39h		; int
		push	eax		; char *
		call	RtlStringCbPrintfA
		add	esp, 14h
		test	eax, eax
		js	short loc_6786D5
		lea	eax, [ebp+var_40]
		push	eax		; char *
		call	_VfUtilDbgPrint
		pop	ecx

loc_6786D5:				; CODE XREF: ViErrorReport8(x,x,x)+38j
		push	0		; int
		push	ebx		; int
		mov	edx, edi	; int
		mov	ecx, esi	; int
		call	_ViErrorFinishReport@16	; ViErrorFinishReport(x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_ViErrorReport8@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViErrorReport9(x, x)
_ViErrorReport9@8 proc near		; CODE XREF: VfIoDeleteDevice(x,x)+32p
					; VfIoDeleteDevice(x,x)+52p ...

var_24		= byte ptr -24h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi		; char
		mov	edi, edx
		mov	esi, ecx
		call	_ViErrorDisplayDescription@4 ; ViErrorDisplayDescription(x)
		push	edi		; char
		push	offset ??_C@_0BG@NIJPFGLB@CulpritAddress?5?$DN?5?$CFp?4?6@FNODOBFM@ ; "CulpritAddress =	%p.\n"
		lea	eax, [ebp+var_24]
		push	1Eh		; int
		push	eax		; char *
		call	RtlStringCbPrintfA
		add	esp, 10h
		test	eax, eax
		js	short loc_678731
		lea	eax, [ebp+var_24]
		push	eax		; char *
		call	_VfUtilDbgPrint
		pop	ecx

loc_678731:				; CODE XREF: ViErrorReport9(x,x)+33j
		push	0		; int
		push	0		; int
		mov	edx, edi	; int
		mov	ecx, esi	; int
		call	_ViErrorFinishReport@16	; ViErrorFinishReport(x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_ViErrorReport9@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViInitializeKernelVerifierThunks()
_ViInitializeKernelVerifierThunks@0 proc near ;	CODE XREF: MiInitSystem:loc_AE1C01p
		xor	ecx, ecx

loc_67874E:				; CODE XREF: ViInitializeKernelVerifierThunks()+31j
		cmp	ds:_VfRegularThunks, 0
		mov	eax, offset _VfRegularThunks
		jz	short loc_67876F
		mov	edx, dword ptr ds:_ViKernelVerifierMap[ecx]

loc_678762:				; CODE XREF: ViInitializeKernelVerifierThunks()+21j
		cmp	[eax+14h], edx
		jz	short loc_678771
		add	eax, 18h
		cmp	dword ptr [eax], 0
		jnz	short loc_678762

loc_67876F:				; CODE XREF: ViInitializeKernelVerifierThunks()+Ej
		xor	eax, eax

loc_678771:				; CODE XREF: ViInitializeKernelVerifierThunks()+19j
		mov	ds:_ViKernelVerifierThunks[ecx], eax
		add	ecx, 4
		cmp	ecx, 14h
		jb	short loc_67874E
		retn
_ViInitializeKernelVerifierThunks@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfTriageActionTaken()
_VfTriageActionTaken@0 proc near	; CODE XREF: MmWriteTriageInformation(x)+21p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		mov	esi, ds:_VerifierTriageActionTaken
		push	eax
		call	_RtlGetNtProductType@4 ; RtlGetNtProductType(x)
		cmp	[ebp+var_4], 1
		jnz	short loc_6787C1
		push	6
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	short loc_6787C1
		push	0Bh
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	short loc_6787C1
		push	0Ch
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jz	short loc_6787C7

loc_6787C1:				; CODE XREF: VfTriageActionTaken()+1Ej
					; VfTriageActionTaken()+29j ...
		or	esi, 80000000h

loc_6787C7:				; CODE XREF: VfTriageActionTaken()+3Fj
		mov	eax, esi
		pop	esi
		leave
		retn
_VfTriageActionTaken@0 endp


;  S U B	R O U T	I N E 


; __stdcall VfShutdownScheduleWatchdog()
_VfShutdownScheduleWatchdog@0 proc near	; CODE XREF: PopGracefulShutdown(x):loc_72F4ABp
		cmp	ds:_ViVerifierEnabled, 0
		jnz	_ViShutdownScheduleWatchdog@0 ;	ViShutdownScheduleWatchdog()
		retn
_VfShutdownScheduleWatchdog@0 endp


;  S U B	R O U T	I N E 


; __stdcall ViKeLogCriticalRegionStackTrace()
_ViKeLogCriticalRegionStackTrace@0 proc	near
					; CODE XREF: VerifierKeEnterCriticalRegion():loc_A56C1Dp
					; VerifierKeEnterCriticalRegion():loc_A56C24p ...
		cmp	ds:_VfKeCriticalRegionTraces, 0
		jz	short locret_678827
		xor	ecx, ecx
		push	esi
		inc	ecx
		lock xadd ds:_VfKeCriticalRegionTracesIndex, ecx
		inc	ecx
		mov	esi, ds:_VfKeCriticalRegionTracesLength
		mov	eax, large fs:124h
		dec	esi
		and	esi, ecx
		shl	esi, 5
		add	esi, ds:_VfKeCriticalRegionTraces
		push	0
		mov	[esi], eax
		lea	eax, [esi+4]
		push	eax
		push	7
		push	0
		call	RtlCaptureStackBackTrace
		movzx	eax, ax
		cmp	eax, 7
		jnb	short loc_678826
		and	dword ptr [esi+eax*4+4], 0

loc_678826:				; CODE XREF: ViKeLogCriticalRegionStackTrace()+45j
		pop	esi

locret_678827:				; CODE XREF: ViKeLogCriticalRegionStackTrace()+7j
		retn
_ViKeLogCriticalRegionStackTrace@0 endp


;  S U B	R O U T	I N E 


; __stdcall ViDeadlockDetectionTryConvertSharedToExclusive()
_ViDeadlockDetectionTryConvertSharedToExclusive@0 proc near
					; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+86p
					; ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+88p ...
		mov	edi, edi
		push	ecx
		push	offset _ViDeadlockDatabaseLock
		call	ExTryConvertSharedSpinLockExclusive
		test	eax, eax
		jz	short loc_678846
		mov	ecx, large fs:124h
		mov	ds:_ViDeadlockDatabaseOwner, ecx

loc_678846:				; CODE XREF: ViDeadlockDetectionTryConvertSharedToExclusive()+Fj
		pop	ecx
		retn
_ViDeadlockDetectionTryConvertSharedToExclusive@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockRemoveMemoryRangeResources(x, x, x, x)
_ViDeadlockRemoveMemoryRangeResources@16 proc near
					; CODE XREF: VfDeadlockDeleteMemoryRange(x,x)+47p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		mov	[ebp+var_14], edx
		xor	edi, edi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_10], edi
		call	_ViDeadlockDatabaseHashIndex@4 ; ViDeadlockDatabaseHashIndex(x)
		mov	esi, eax
		mov	ebx, edi
		mov	[ebp+var_18], esi
		call	_ViRaiseIrqlToDpcLevel@0 ; ViRaiseIrqlToDpcLevel()
		shl	esi, 3
		mov	[ebp+var_1], al
		mov	[ebp+var_20], esi

loc_67887A:				; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+B0j
		mov	ecx, ebx
		call	_ViDeadlockDetectionLock@4 ; ViDeadlockDetectionLock(x)
		mov	ecx, ds:_ViDeadlockGlobals
		mov	eax, [ecx+10h]
		add	eax, esi
		mov	[ebp+var_C], eax
		mov	esi, [eax]
		cmp	esi, eax
		jz	short loc_6788FA
		mov	eax, [ebp+var_18]
		push	[ebp+var_14]
		mov	edx, [ebp+var_1C]
		lea	ecx, [ecx+eax*8]
		add	ecx, 18h
		call	_VfUtilAddressRangeFit@12 ; VfUtilAddressRangeFit(x,x,x)
		test	eax, eax
		jz	short loc_6788FA

loc_6788AD:				; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+A4j
		mov	eax, [ebp+var_C]

loc_6788B0:				; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+7Aj
					; ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+7Fj
		cmp	esi, eax
		jz	short loc_6788FA
		lea	ecx, [esi-18h]
		mov	esi, [esi]
		mov	[ebp+var_8], ecx
		mov	ecx, [ecx+8]
		cmp	ecx, [ebp+arg_0]
		jb	short loc_6788B0
		cmp	ecx, [ebp+arg_4]
		jnb	short loc_6788B0
		test	ebx, ebx
		jnz	short loc_6788D7
		inc	ebx
		call	_ViDeadlockDetectionTryConvertSharedToExclusive@0 ; ViDeadlockDetectionTryConvertSharedToExclusive()
		test	eax, eax
		jz	short loc_6788EE

loc_6788D7:				; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+83j
		mov	ecx, [ebp+var_8] ; int
		lea	eax, [ebp+var_10]
		push	eax		; int
		xor	edx, edx	; int
		call	_ViDeadlockRemoveResource@12 ; ViDeadlockRemoveResource(x,x,x)
		mov	eax, [ebp+var_8]
		mov	[eax], edi
		mov	edi, eax
		jmp	short loc_6788AD
; 

loc_6788EE:				; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+8Dj
		xor	ecx, ecx
		call	_ViDeadlockDetectionUnlock@4 ; ViDeadlockDetectionUnlock(x)
		mov	esi, [ebp+var_20]
		jmp	short loc_67887A
; 

loc_6788FA:				; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+4Bj
					; ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+63j ...
		mov	ecx, ebx
		call	_ViDeadlockDetectionUnlock@4 ; ViDeadlockDetectionUnlock(x)
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	cl, [ebp+var_1]
		cmp	cl, al
		jnb	short loc_678914
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_678914:				; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+C4j
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jz	short loc_67892B

loc_67891B:				; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+E1j
		mov	esi, [ecx]
		push	2
		pop	edx
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)
		mov	ecx, esi
		test	esi, esi
		jnz	short loc_67891B

loc_67892B:				; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+D1j
		test	edi, edi
		jz	short loc_678941

loc_67892F:				; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+F7j
		mov	esi, [edi]
		xor	edx, edx
		inc	edx
		mov	ecx, edi
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_67892F

loc_678941:				; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+E5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_ViDeadlockRemoveMemoryRangeResources@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockRemoveMemoryRangeThreads(x, x, x,	x)
_ViDeadlockRemoveMemoryRangeThreads@16 proc near
					; CODE XREF: VfDeadlockDeleteMemoryRange(x,x)+53p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	eax, ecx
		mov	[ebp+var_10], edx
		push	edi
		mov	[ebp+var_18], eax
		xor	edi, edi
		call	_ViDeadlockDatabaseHashIndex@4 ; ViDeadlockDatabaseHashIndex(x)
		mov	esi, eax
		mov	ebx, edi
		mov	[ebp+var_14], esi
		call	_ViRaiseIrqlToDpcLevel@0 ; ViRaiseIrqlToDpcLevel()
		shl	esi, 3
		mov	[ebp+var_1], al
		mov	[ebp+var_1C], esi

loc_678977:				; CODE XREF: ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+AEj
		mov	ecx, ebx
		call	_ViDeadlockDetectionLock@4 ; ViDeadlockDetectionLock(x)
		mov	ecx, ds:_ViDeadlockGlobals
		mov	eax, [ecx+2010h]
		add	eax, esi
		mov	[ebp+var_C], eax
		mov	esi, [eax]
		cmp	esi, eax
		jz	short loc_6789FB
		mov	eax, [ebp+var_14]
		push	[ebp+var_10]
		mov	edx, [ebp+var_18]
		lea	ecx, [ecx+eax*8]
		add	ecx, 2018h
		call	_VfUtilAddressRangeFit@12 ; VfUtilAddressRangeFit(x,x,x)
		test	eax, eax
		jz	short loc_6789FB

loc_6789B0:				; CODE XREF: ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+A2j
		mov	eax, [ebp+var_C]

loc_6789B3:				; CODE XREF: ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+7Cj
					; ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+81j
		cmp	esi, eax
		jz	short loc_6789FB
		lea	ecx, [esi-0Ch]
		mov	esi, [esi]
		mov	edx, [ecx]
		mov	[ebp+var_8], ecx
		cmp	edx, [ebp+arg_0]
		jb	short loc_6789B3
		cmp	edx, [ebp+arg_4]
		jnb	short loc_6789B3
		test	ebx, ebx
		jnz	short loc_6789DC
		inc	ebx
		call	_ViDeadlockDetectionTryConvertSharedToExclusive@0 ; ViDeadlockDetectionTryConvertSharedToExclusive()
		test	eax, eax
		jz	short loc_6789EC
		mov	ecx, [ebp+var_8] ; int

loc_6789DC:				; CODE XREF: ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+85j
		xor	edx, edx
		call	_ViDeadlockRemoveThread@8 ; ViDeadlockRemoveThread(x,x)
		mov	eax, [ebp+var_8]
		mov	[eax], edi
		mov	edi, eax
		jmp	short loc_6789B0
; 

loc_6789EC:				; CODE XREF: ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+8Fj
		xor	ecx, ecx
		call	_ViDeadlockDetectionUnlock@4 ; ViDeadlockDetectionUnlock(x)
		mov	esi, [ebp+var_1C]
		jmp	loc_678977
; 

loc_6789FB:				; CODE XREF: ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+4Bj
					; ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+66j ...
		mov	ecx, ebx
		call	_ViDeadlockDetectionUnlock@4 ; ViDeadlockDetectionUnlock(x)
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	cl, [ebp+var_1]
		cmp	cl, al
		jnb	short loc_678A15
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_678A15:				; CODE XREF: ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+C5j
		test	edi, edi
		jz	short loc_678A2B

loc_678A19:				; CODE XREF: ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+E1j
		mov	esi, [edi]
		mov	ecx, edi
		push	3
		pop	edx
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_678A19

loc_678A2B:				; CODE XREF: ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+CFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_ViDeadlockRemoveMemoryRangeThreads@16 endp


;  S U B	R O U T	I N E 


; __stdcall ViLowerIrql(x)
_ViLowerIrql@4	proc near		; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+4B8p
					; VfDeadlockAfterCallDriver(x)+48p ...
		mov	edi, edi
		push	ebx
		mov	bl, cl
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	bl, al
		jnb	short loc_678A4A
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
; 

loc_678A4A:				; CODE XREF: ViLowerIrql(x)+Dj
		pop	ebx
		retn
_ViLowerIrql@4	endp


;  S U B	R O U T	I N E 


; __stdcall ViRaiseIrqlToDpcLevel()
_ViRaiseIrqlToDpcLevel@0 proc near	; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+24p
					; ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+21p ...
		mov	edi, edi
		push	ebx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 2
		jnb	short loc_678A62
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()

loc_678A62:				; CODE XREF: ViRaiseIrqlToDpcLevel()+Ej
		mov	al, bl
		pop	ebx
		retn
_ViRaiseIrqlToDpcLevel@0 endp


;  S U B	R O U T	I N E 


; __stdcall VfPoolIsInternalFree()
_VfPoolIsInternalFree@0	proc near	; CODE XREF: VfRemLockDeleteMemoryRange(x,x)+2Cp
					; VfCheckForLookaside(x,x):loc_A6B9ECp	...
		mov	ecx, large fs:124h
		mov	eax, offset unk_6BE3D8

loc_678A72:				; CODE XREF: VfPoolIsInternalFree()+18j
		cmp	ecx, [eax]
		jz	short loc_678A83
		add	eax, 30h
		cmp	eax, offset unk_6BE438
		jl	short loc_678A72
		xor	eax, eax
		retn
; 

loc_678A83:				; CODE XREF: VfPoolIsInternalFree()+Ej
		xor	eax, eax
		inc	eax
		retn
_VfPoolIsInternalFree@0	endp


;  S U B	R O U T	I N E 


; __stdcall VfAvlInitializeLockContext(x, x)
_VfAvlInitializeLockContext@8 proc near	; CODE XREF: VfDevObjIsDeviceRemoved(x)+2Ep
					; VfDevObjMarkDeviceRemoved(x)+24p ...
		and	dword ptr [ecx], 0
		and	dword ptr [ecx+4], 0
		test	edx, edx
		jnz	short locret_678A96
		mov	byte ptr [ecx+5], 4

locret_678A96:				; CODE XREF: VfAvlInitializeLockContext(x,x)+9j
		retn
_VfAvlInitializeLockContext@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfAvlInitializeTree(x, x, x, x)
_VfAvlInitializeTree@16	proc near	; CODE XREF: VfInitVerifierComponents(x,x,x)+71p
					; VfInitVerifierComponents(x,x,x)+CBp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	0
		push	[ebp+arg_0]
		call	VfAvlInitializeTreeEx
		pop	ebp
		retn	8
_VfAvlInitializeTree@16	endp


;  S U B	R O U T	I N E 


; __stdcall ViIrpDatabaseAcquireLockExclusive(x)
_ViIrpDatabaseAcquireLockExclusive@4 proc near
					; CODE XREF: VfIrpDatabaseEntryDereference(x,x)+1Bp
					; VfIrpDatabaseEntryInsertAndLock(x,x,x)+36p ...
		mov	edi, edi
		push	esi
		push	offset _ViIrpDatabaseLock
		mov	esi, ecx
		call	ExAcquireSpinLockExclusive
		mov	[esi], al
		pop	esi
		retn
_ViIrpDatabaseAcquireLockExclusive@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViIrpDatabaseAcquireLockShared(x)
_ViIrpDatabaseAcquireLockShared@4 proc near ; CODE XREF: VfIrpDatabaseCheckExFreePool(x)+3Cp
					; VfIrpDatabaseEntryFindAndLock(x)+3Dp
		mov	edi, edi
		push	esi
		push	offset _ViIrpDatabaseLock
		mov	esi, ecx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	[esi], al
		pop	esi
		retn
_ViIrpDatabaseAcquireLockShared@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViIrpDatabaseReleaseLockExclusive(x)
_ViIrpDatabaseReleaseLockExclusive@4 proc near
					; CODE XREF: VfIrpDatabaseEntryDereference(x,x)+4Ap
					; VfIrpDatabaseEntryInsertAndLock(x,x,x)+78p ...
		mov	edi, edi
		push	ebx
		push	offset _ViIrpDatabaseLock
		mov	bl, cl
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_ViIrpDatabaseReleaseLockExclusive@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViIrpDatabaseReleaseLockShared(x)
_ViIrpDatabaseReleaseLockShared@4 proc near ; CODE XREF: VfIrpDatabaseCheckExFreePool(x)+4Dp
					; VfIrpDatabaseEntryFindAndLock(x)+52p	...
		mov	edi, edi
		push	ebx
		push	offset _ViIrpDatabaseLock
		mov	bl, cl
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		pop	ebx
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_ViIrpDatabaseReleaseLockShared@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmFlushTb(x, x, x)
_VmFlushTb@12	proc near		; CODE XREF: KeFlushMultipleRangeTb+15E116p
					; MiTerminateWsleCluster+15A75Ep ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	[ebp+arg_0], 1
		push	esi
		mov	esi, ecx
		jnz	short loc_678B33
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [eax+3E4h]
		test	ecx, ecx
		jz	short loc_678B33
		push	edx
		mov	edx, esi
		call	_VmpFlushTb@12	; VmpFlushTb(x,x,x)

loc_678B33:				; CODE XREF: VmFlushTb(x,x,x)+10j
					; VmFlushTb(x,x,x)+26j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_VmFlushTb@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmColdPagesHint(x, x, x, x)
_VmColdPagesHint@16 proc near

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+2Ch+var_20], esi
		mov	[esp+2Ch+var_24], esi
		mov	eax, [eax+80h]
		push	edi
		mov	edi, [eax+3E4h]
		mov	[esp+30h+var_18], edi
		test	edi, edi
		jnz	short loc_678B78
		int	2Ch		; Internal routine for MSDOS (IRET)
		mov	esi, 0C0000141h
		jmp	loc_678D1A
; 

loc_678B78:				; CODE XREF: VmColdPagesHint(x,x,x,x)+30j
		mov	eax, [edi+24h]
		cmp	eax, [ebp+arg_C]
		jz	short loc_678B8C
		int	2Ch		; Internal routine for MSDOS (IRET)
		mov	esi, 0C000010Ah
		jmp	loc_678D1A
; 

loc_678B8C:				; CODE XREF: VmColdPagesHint(x,x,x,x)+44j
		mov	ebx, [ebp+arg_0]
		mov	edx, esi
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		shrd	ebx, eax, 0Ch
		mov	[esp+30h+var_10], esi
		shr	eax, 0Ch
		add	ecx, ebx
		mov	[esp+30h+var_14], esi
		adc	edx, eax
		mov	[esp+30h+var_1C], eax
		add	ecx, 0FFFFFFFFh
		mov	[esp+30h+var_8], ecx
		adc	edx, 0FFFFFFFFh
		mov	[esp+30h+var_4], edx

loc_678BBC:				; CODE XREF: VmColdPagesHint(x,x,x,x)+1A7j
					; VmColdPagesHint(x,x,x,x)+1B6j
		mov	ecx, edi
		call	_VmpProcessContextLockShared@4 ; VmpProcessContextLockShared(x)
		mov	[esp+30h+var_C], eax
		lea	eax, [edi+4]
		test	byte ptr [eax+4], 1
		mov	ecx, [eax]
		jz	short loc_678BDC
		test	ecx, ecx
		jz	short loc_678BDA
		xor	ecx, eax
		jmp	short loc_678BDC
; 

loc_678BDA:				; CODE XREF: VmColdPagesHint(x,x,x,x)+9Aj
		mov	ecx, esi

loc_678BDC:				; CODE XREF: VmColdPagesHint(x,x,x,x)+96j
					; VmColdPagesHint(x,x,x,x)+9Ej
		movzx	edx, byte ptr [eax+4]
		and	edx, 1
		test	ecx, ecx
		jz	short loc_678C20
		mov	edi, [esp+30h+var_1C]

loc_678BEB:				; CODE XREF: VmColdPagesHint(x,x,x,x)+E0j
		cmp	edi, [ecx+18h]
		ja	short loc_678C07
		jb	short loc_678BF7
		cmp	ebx, [ecx+14h]
		ja	short loc_678C07

loc_678BF7:				; CODE XREF: VmColdPagesHint(x,x,x,x)+B6j
		cmp	edi, [ecx+10h]
		ja	short loc_678C1C
		jb	short loc_678C03
		cmp	ebx, [ecx+0Ch]
		jnb	short loc_678C1C

loc_678C03:				; CODE XREF: VmColdPagesHint(x,x,x,x)+C2j
		mov	eax, [ecx]
		jmp	short loc_678C0A
; 

loc_678C07:				; CODE XREF: VmColdPagesHint(x,x,x,x)+B4j
					; VmColdPagesHint(x,x,x,x)+BBj
		mov	eax, [ecx+4]

loc_678C0A:				; CODE XREF: VmColdPagesHint(x,x,x,x)+CBj
		test	edx, edx
		jz	short loc_678C16
		test	eax, eax
		jz	short loc_678C16
		xor	ecx, eax
		jmp	short loc_678C18
; 

loc_678C16:				; CODE XREF: VmColdPagesHint(x,x,x,x)+D2j
					; VmColdPagesHint(x,x,x,x)+D6j
		mov	ecx, eax

loc_678C18:				; CODE XREF: VmColdPagesHint(x,x,x,x)+DAj
		test	ecx, ecx
		jnz	short loc_678BEB

loc_678C1C:				; CODE XREF: VmColdPagesHint(x,x,x,x)+C0j
					; VmColdPagesHint(x,x,x,x)+C7j
		mov	edi, [esp+30h+var_18]

loc_678C20:				; CODE XREF: VmColdPagesHint(x,x,x,x)+ABj
		lea	eax, [ecx-0Ch]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		jz	loc_678CFC
		mov	eax, [ecx+8]
		mov	eax, [eax+0Ch]
		mov	[esp+30h+var_24], eax
		sub	eax, [ecx+18h]
		add	eax, ebx
		mov	[esp+30h+var_24], eax
		mov	eax, [ecx+24h]
		cmp	eax, [esp+30h+var_4]
		jb	short loc_678C5C
		ja	short loc_678C56
		mov	eax, [ecx+20h]
		cmp	eax, [esp+30h+var_8]
		jb	short loc_678C5C

loc_678C56:				; CODE XREF: VmColdPagesHint(x,x,x,x)+111j
		mov	eax, [esp+30h+var_8]
		jmp	short loc_678C5F
; 

loc_678C5C:				; CODE XREF: VmColdPagesHint(x,x,x,x)+10Fj
					; VmColdPagesHint(x,x,x,x)+11Aj
		mov	eax, [ecx+20h]

loc_678C5F:				; CODE XREF: VmColdPagesHint(x,x,x,x)+120j
		sub	eax, ebx
		inc	eax
		push	edi
		mov	[esp+34h+var_20], eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [esp+30h+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	[esp+30h+var_C], 0FFFFFFFFh
		mov	edi, [esp+30h+var_20]
		add	[esp+30h+var_10], edi
		mov	ecx, ds:_VmpTraceLoggingProvider
		adc	[esp+30h+var_14], esi
		add	ebx, edi
		adc	[esp+30h+var_1C], esi
		test	ecx, ecx
		jz	short loc_678CBA
		cmp	[ecx], esi
		jbe	short loc_678CBA
		push	esi
		push	4
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_678CBA
		mov	edx, [esp+30h+var_24]
		push	edi
		push	[esp+34h+var_1C]
		push	ebx
		call	_VmpLogColdHint@20 ; VmpLogColdHint(x,x,x,x,x)
		mov	edi, [esp+30h+var_20]

loc_678CBA:				; CODE XREF: VmColdPagesHint(x,x,x,x)+15Bj
					; VmColdPagesHint(x,x,x,x)+15Fj ...
		shl	[esp+30h+var_24], 0Ch
		lea	eax, [esp+30h+var_20]
		push	1
		push	eax
		lea	eax, [esp+38h+var_24]
		shl	edi, 0Ch
		push	eax
		push	0FFFFFFFFh
		mov	[esp+40h+var_20], edi
		call	_ZwUnlockVirtualMemory@16 ; ZwUnlockVirtualMemory(x,x,x,x)
		mov	edi, [esp+30h+var_18]
		cmp	[esp+30h+var_14], esi
		jb	loc_678BBC
		ja	short loc_678CF6
		mov	eax, [esp+30h+var_10]
		cmp	eax, [ebp+arg_8]
		jb	loc_678BBC

loc_678CF6:				; CODE XREF: VmColdPagesHint(x,x,x,x)+1ADj
		mov	edi, [esp+30h+var_18]
		jmp	short loc_678D03
; 

loc_678CFC:				; CODE XREF: VmColdPagesHint(x,x,x,x)+EFj
		int	2Ch		; Internal routine for MSDOS (IRET)
		mov	esi, 0C0000088h

loc_678D03:				; CODE XREF: VmColdPagesHint(x,x,x,x)+1C0j
		mov	ebx, [esp+30h+var_C]
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_678D1A
		push	edi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_678D1A:				; CODE XREF: VmColdPagesHint(x,x,x,x)+39j
					; VmColdPagesHint(x,x,x,x)+4Dj	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_VmColdPagesHint@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmProbeAndLockPages(x, x, x)
_VmProbeAndLockPages@12	proc near

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		push	0Ch
		push	offset dword_6A9C00
		call	__SEH_prolog4
		cmp	[ebp+arg_4], 0
		jz	short loc_678D3E

loc_678D37:				; CODE XREF: VmProbeAndLockPages(x,x,x)+23j
		mov	esi, 0C000000Dh
		jmp	short loc_678DB8
; 

loc_678D3E:				; CODE XREF: VmProbeAndLockPages(x,x,x)+10j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_678D4A
		cmp	ecx, 1
		jnz	short loc_678D37

loc_678D4A:				; CODE XREF: VmProbeAndLockPages(x,x,x)+1Ej
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+18h]
		add	eax, [edi+14h]
		add	eax, [edi+10h]
		cmp	eax, ds:_MmHighestUserAddress
		jbe	short loc_678D65

loc_678D5E:				; CODE XREF: VmProbeAndLockPages(x,x,x)+6Aj
		mov	esi, 0C00000BBh
		jmp	short loc_678DB8
; 

loc_678D65:				; CODE XREF: VmProbeAndLockPages(x,x,x)+37j
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], esi
		push	ecx
		push	esi
		push	edi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		movsx	eax, word ptr [edi+6]
		and	eax, 0FFFFFF77h
		cmp	eax, 102h
		jz	short loc_678D91
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		jmp	short loc_678D5E
; 

loc_678D91:				; CODE XREF: VmProbeAndLockPages(x,x,x)+62j
		xor	edx, edx
		inc	edx
		mov	ecx, edi
		call	_MmUpdateMdlTrackerForMdlSwitch@8 ; MmUpdateMdlTrackerForMdlSwitch(x,x)
		jmp	short loc_678DB8
; 

loc_678D9D:				; DATA XREF: .text:006A9C14o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_678DAB:				; DATA XREF: .text:006A9C18o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_1C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_678DB8:				; CODE XREF: VmProbeAndLockPages(x,x,x)+17j
					; VmProbeAndLockPages(x,x,x)+3Ej ...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_VmProbeAndLockPages@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmUnlockPages(x, x)
_VmUnlockPages@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_678DDF
		cmp	ecx, 1
		jz	short loc_678DDF
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_678DDF:				; CODE XREF: VmUnlockPages(x,x)+Aj
					; VmUnlockPages(x,x)+Fj
		push	esi
		mov	esi, [ebp+arg_0]
		movzx	edx, word ptr [esi+6]
		mov	eax, edx
		and	eax, 0FFFFFFF7h
		test	ax, ax
		jz	short loc_678DF3
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_678DF3:				; CODE XREF: VmUnlockPages(x,x)+23j
		or	edx, 102h
		movzx	eax, dx
		mov	[esi+6], dx
		cmp	ecx, 1
		jnz	short loc_678E0E
		or	eax, 80h
		mov	[esi+6], ax

loc_678E0E:				; CODE XREF: VmUnlockPages(x,x)+37j
		xor	edx, edx
		mov	ecx, esi
		call	_MmUpdateMdlTrackerForMdlSwitch@8 ; MmUpdateMdlTrackerForMdlSwitch(x,x)
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		pop	esi
		pop	ebp
		retn	8
_VmUnlockPages@8 endp ;	sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpAccessFaultBatch(x, x, x, x, x, x, x, x)
_VmpAccessFaultBatch@32	proc near	; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+1E4p
					; VmAccessFault(x,x,x,x,x,x,x)+257p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	ebx, edx
		mov	eax, ecx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_8], eax

loc_678E3A:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+181j
		push	edi
		mov	edx, ebx
		mov	ecx, eax
		call	_VmpFaultEntryInsert@12	; VmpFaultEntryInsert(x,x,x)
		push	[ebp+arg_10]
		mov	edx, edi
		mov	[ebp+var_14], 1
		push	[ebp+arg_C]
		mov	ecx, ebx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_VmpAccessFaultBatchResolve@24 ; VmpAccessFaultBatchResolve(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_678FCA
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		call	_VmpProcessContextLockShared@4 ; VmpProcessContextLockShared(x)
		mov	ecx, [ebp+arg_14]
		mov	[ebp+var_C], eax
		cmp	[esi+24h], ecx
		jnz	loc_678FDE
		and	[ebp+var_4], 0
		mov	eax, edi
		shl	eax, 5
		add	eax, ebx
		mov	[ebp+var_10], eax
		cmp	ebx, eax
		jnb	short loc_678ECD
		mov	esi, [ebp+var_4]
		lea	edx, [ebx+10h]
		mov	ecx, eax
		sub	ecx, ebx
		dec	ecx
		shr	ecx, 5
		inc	ecx

loc_678EA4:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+A3j
		test	dword ptr [edx-4], 100000h
		jnz	short loc_678EB3
		test	byte ptr [edx+7], 1
		jz	short loc_678EBF

loc_678EB3:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+89j
		mov	eax, [edx]
		or	dword ptr [edx+4], 800000h
		inc	esi
		mov	[edx], eax

loc_678EBF:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+8Fj
		add	edx, 20h
		sub	ecx, 1
		jnz	short loc_678EA4
		mov	[ebp+var_4], esi
		mov	esi, [ebp+var_8]

loc_678ECD:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+71j
		cmp	[ebp+var_4], edi
		jz	short loc_678EF6
		mov	eax, [ebp+arg_8]
		mov	edx, ebx
		shr	eax, 5
		mov	ecx, esi
		and	eax, 1
		push	eax
		push	[ebp+arg_4]
		push	edi
		call	_VmpProcessUpdateSlat@20 ; VmpProcessUpdateSlat(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_678FAB
		mov	esi, [ebp+var_8]

loc_678EF6:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+AEj
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	[ebp+var_C], 0FFFFFFFFh
		mov	edx, ebx
		push	edi
		mov	ecx, esi
		call	_VmpFaultEntryRemove@12	; VmpFaultEntryRemove(x,x,x)
		and	[ebp+var_14], 0
		cmp	[ebp+var_4], 0
		jz	loc_678FA9
		mov	edx, [ebp+var_10]
		xor	edi, edi
		mov	[ebp+arg_0], edi
		cmp	ebx, edx
		jnb	short loc_678FA9
		lea	eax, [ebx+10h]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_18], eax
		mov	ebx, eax

loc_678F38:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+177j
		mov	eax, [ebx]
		mov	esi, [ebx+4]
		mov	ecx, esi
		mov	[ebp+var_18], eax
		and	ecx, 800000h
		xor	eax, eax
		or	eax, ecx
		jz	short loc_678F91
		mov	ecx, esi
		xor	eax, eax
		and	ecx, 1000000h
		or	eax, ecx
		jnz	short loc_678F8B
		mov	eax, [ebp+var_18]
		and	esi, 0FFFFFh
		and	dword ptr [ebx-4], 0FFEFFFFFh
		mov	[ebx], eax
		mov	eax, [ebp+var_10]
		mov	edi, eax
		mov	[ebx+4], esi
		lea	esi, [ebx-10h]
		push	8
		pop	ecx
		rep movsd
		mov	edi, [ebp+arg_0]
		inc	edi
		add	eax, 20h
		mov	[ebp+arg_0], edi
		mov	[ebp+var_10], eax

loc_678F8B:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+138j
		sub	[ebp+var_4], 1
		jz	short loc_678F9B

loc_678F91:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+12Aj
		add	ebx, 20h
		lea	eax, [ebx-10h]
		cmp	eax, edx
		jb	short loc_678F38

loc_678F9B:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+16Dj
		mov	ebx, [ebp+var_1C]
		mov	eax, [ebp+var_8]
		test	edi, edi
		jnz	loc_678E3A

loc_678FA9:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+F9j
					; VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+109j
		xor	esi, esi

loc_678FAB:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+CBj
		mov	eax, [ebp+var_C]

loc_678FAE:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+1C1j
		cmp	eax, 0FFFFFFFFh
		jz	short loc_678FC4
		push	[ebp+var_8]
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_678FC4:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+18Fj
		cmp	[ebp+var_14], 0
		jz	short loc_678FD5

loc_678FCA:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+42j
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		push	edi
		call	_VmpFaultEntryRemove@12	; VmpFaultEntryRemove(x,x,x)

loc_678FD5:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+1A6j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_678FDE:				; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+5Bj
		mov	esi, 0C000010Ah
		jmp	short loc_678FAE
_VmpAccessFaultBatch@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpConvertPortionVpnRangeToGpnRange(x, x, x, x, x, x)
_VmpConvertPortionVpnRangeToGpnRange@24	proc near
					; CODE XREF: VmpFillGpnRanges(x,x,x,x,x,x)+31p
					; VmpFlushTbVaRange(x,x,x,x,x,x)+58p ...

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [edx]
		mov	[ebp+var_14], eax
		push	ebx
		mov	ebx, eax
		mov	[ebp+var_10], ecx
		mov	eax, [ebp+arg_8]
		mov	ecx, [edx+8]
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_18], edx
		mov	edx, [ebp+arg_4]
		lea	edi, [ebp+var_28]
		mov	[eax+8], esi
		dec	ecx
		xor	eax, eax
		mov	[ebp+var_8], esi
		stosd
		add	ecx, ebx
		mov	edx, [edx]
		mov	[ebp+var_4], ecx
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_4]
		test	edx, edx
		jz	short loc_67904F
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_67903B
		mov	ebx, [edi+8]
		mov	[ebp+var_8], eax
		mov	[edi+4], esi
		mov	[edi+8], esi
		jmp	short loc_679047
; 

loc_67903B:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+46j
		cmp	ebx, [edx+0Ch]
		jb	short loc_679045
		cmp	ebx, [edx+10h]
		jbe	short loc_679047

loc_679045:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+59j
		mov	edx, esi

loc_679047:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+54j
					; VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+5Ej
		test	edx, edx
		jnz	loc_6790E4

loc_67904F:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+3Fj
		mov	eax, [ebp+var_10]
		add	eax, 0Ch
		test	byte ptr [eax+4], 1
		mov	ecx, [eax]
		jz	short loc_679067
		test	ecx, ecx
		jz	short loc_679065
		xor	ecx, eax
		jmp	short loc_679067
; 

loc_679065:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+7Aj
		mov	ecx, esi

loc_679067:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+76j
					; VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+7Ej
		movzx	esi, byte ptr [eax+4]
		and	esi, 1
		xor	edx, edx
		jmp	short loc_6790B5
; 

loc_679072:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+D2j
		cmp	ebx, [ecx+10h]
		ja	short loc_6790A4
		mov	edx, ecx
		mov	eax, [ecx]
		cmp	ebx, [ecx+0Ch]
		jb	short loc_6790A7
		test	esi, esi
		jz	short loc_67908A
		test	eax, eax
		jz	short loc_67908A
		xor	eax, ecx

loc_67908A:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+9Dj
					; VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+A1j
		xor	ecx, ecx
		mov	[ebp+var_C], ecx
		test	eax, eax
		jz	short loc_6790D9

loc_679093:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+E9j
		cmp	ebx, [eax+10h]
		ja	short loc_6790BB
		mov	ecx, [eax]
		cmp	ebx, [eax+0Ch]
		jb	short loc_6790BE
		mov	[ebp+var_C], eax
		jmp	short loc_6790BE
; 

loc_6790A4:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+90j
		mov	eax, [ecx+4]

loc_6790A7:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+99j
		test	esi, esi
		jz	short loc_6790B3
		test	eax, eax
		jz	short loc_6790B3
		xor	ecx, eax
		jmp	short loc_6790B5
; 

loc_6790B3:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+C4j
					; VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+C8j
		mov	ecx, eax

loc_6790B5:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+8Bj
					; VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+CCj
		test	ecx, ecx
		jnz	short loc_679072
		jmp	short loc_6790D9
; 

loc_6790BB:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+B1j
		mov	ecx, [eax+4]

loc_6790BE:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+B8j
					; VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+BDj
		test	esi, esi
		jz	short loc_6790CA
		test	ecx, ecx
		jz	short loc_6790CA
		xor	eax, ecx
		jmp	short loc_6790CC
; 

loc_6790CA:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+DBj
					; VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+DFj
		mov	eax, ecx

loc_6790CC:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+E3j
		test	eax, eax
		jnz	short loc_679093
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_6790D9
		mov	edx, eax

loc_6790D9:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+ACj
					; VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+D4j	...
		test	edx, edx
		jz	loc_6791A3
		mov	ecx, [ebp+var_4]

loc_6790E4:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+64j
		mov	esi, [edx+0Ch]
		cmp	ebx, esi
		jnb	short loc_6790F5
		cmp	ecx, esi
		jb	loc_6791A3
		mov	ebx, esi

loc_6790F5:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+104j
		cmp	[ebp+var_8], 0
		mov	[edi], edx
		jnz	short loc_679103
		mov	eax, [edx+14h]
		mov	[ebp+var_8], eax

loc_679103:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+116j
		mov	edi, [ebp+var_8]
		xor	eax, eax
		mov	ecx, ebx
		sub	ecx, esi
		add	ecx, [edi+18h]
		adc	eax, [edi+1Ch]
		mov	edi, [ebp+arg_8]
		mov	[edi+4], eax
		mov	eax, [ebp+var_4]
		sub	eax, ebx
		mov	[edi], ecx
		mov	ecx, [ebp+arg_0]
		inc	eax
		cmp	eax, ecx
		jbe	short loc_67912C
		dec	ecx
		add	ecx, ebx
		jmp	short loc_67912F
; 

loc_67912C:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+140j
		mov	ecx, [ebp+var_4]

loc_67912F:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+145j
		mov	eax, [edx+10h]
		mov	edi, [ebp+arg_4]
		mov	[ebp+arg_0], eax
		cmp	ecx, eax
		jb	short loc_67914E
		mov	ecx, [ebp+arg_8]
		sub	eax, ebx
		inc	eax
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_0]
		inc	eax
		mov	[ebp+var_28], eax
		jmp	short loc_679167
; 

loc_67914E:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+155j
		mov	edi, [ebp+arg_8]
		mov	eax, ecx
		sub	eax, ebx
		inc	eax
		mov	[edi+8], eax
		lea	eax, [ecx+1]
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_28], eax
		cmp	ecx, [ebp+var_4]
		jnz	short loc_67916C

loc_679167:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+167j
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_679177
; 

loc_67916C:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+180j
		mov	ecx, [ebp+var_8]
		mov	[edi+4], ecx
		xor	ecx, ecx
		mov	[edi+8], eax

loc_679177:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+185j
		sub	[ebp+var_4], eax
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_20], eax
		test	ecx, ecx
		jz	short loc_6791AD
		mov	eax, [ebp+var_8]
		mov	ecx, [eax]
		lea	eax, [edx+14h]
		cmp	ecx, eax
		jnz	short loc_6791B6
		mov	eax, [ebp+var_4]
		add	eax, 1
		jz	short loc_6791A3
		mov	ecx, [ebp+var_10]
		call	_VmpVaMemoryRangeGetNext@8 ; VmpVaMemoryRangeGetNext(x,x)
		mov	[edi], eax

loc_6791A3:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+F6j
					; VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+108j ...
		mov	edi, [ebp+var_18]
		lea	esi, [ebp+var_28]
		movsd
		movsd
		movsd
		movsd

loc_6791AD:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+19Ej
					; VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+1E0j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
; 

loc_6791B6:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+1AAj
		mov	eax, [ebp+var_14]
		mov	[edi+4], ecx
		cmp	eax, esi
		ja	short loc_6791C2
		mov	eax, esi

loc_6791C2:				; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+1D9j
		mov	[edi+8], eax
		jmp	short loc_6791AD
_VmpConvertPortionVpnRangeToGpnRange@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpFaultEntryInsert(x, x, x)
_VmpFaultEntryInsert@12	proc near	; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+1Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	esi, edx
		shl	ebx, 5
		mov	edi, ecx
		add	ebx, esi
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	byte ptr [ebp+arg_0+3],	al
		lea	eax, [edi+20h]
		push	eax
		mov	[ebp+var_C], eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		cmp	esi, ebx
		jnb	loc_67927E
		add	edi, 18h

loc_679200:				; CODE XREF: VmpFaultEntryInsert(x,x,x)+B5j
		mov	edx, [esi+0Ch]
		mov	ecx, [edi]
		and	edx, 0FFFFFh
		test	byte ptr [edi+4], 1
		jz	short loc_67921B
		test	ecx, ecx
		jz	short loc_679219
		xor	ecx, edi
		jmp	short loc_67921B
; 

loc_679219:				; CODE XREF: VmpFaultEntryInsert(x,x,x)+4Cj
		xor	ecx, ecx

loc_67921B:				; CODE XREF: VmpFaultEntryInsert(x,x,x)+48j
					; VmpFaultEntryInsert(x,x,x)+50j
		movzx	eax, byte ptr [edi+4]
		and	eax, 1
		mov	byte ptr [ebp+var_4], 0
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jz	short loc_67926C

loc_67922D:				; CODE XREF: VmpFaultEntryInsert(x,x,x)+9Fj
		mov	eax, [ecx+0Ch]
		and	eax, 0FFFFFh
		cmp	edx, eax
		jnb	short loc_679251
		cmp	[ebp+var_8], 0
		mov	eax, [ecx]
		jz	short loc_679247
		test	eax, eax
		jz	short loc_67924B
		xor	eax, ecx

loc_679247:				; CODE XREF: VmpFaultEntryInsert(x,x,x)+78j
		test	eax, eax
		jnz	short loc_679264

loc_67924B:				; CODE XREF: VmpFaultEntryInsert(x,x,x)+7Cj
		mov	byte ptr [ebp+var_4], 0
		jmp	short loc_67926C
; 

loc_679251:				; CODE XREF: VmpFaultEntryInsert(x,x,x)+70j
		cmp	[ebp+var_8], 0
		mov	eax, [ecx+4]
		jz	short loc_679260
		test	eax, eax
		jz	short loc_679268
		xor	eax, ecx

loc_679260:				; CODE XREF: VmpFaultEntryInsert(x,x,x)+91j
		test	eax, eax
		jz	short loc_679268

loc_679264:				; CODE XREF: VmpFaultEntryInsert(x,x,x)+82j
		mov	ecx, eax
		jmp	short loc_67922D
; 

loc_679268:				; CODE XREF: VmpFaultEntryInsert(x,x,x)+95j
					; VmpFaultEntryInsert(x,x,x)+9Bj
		mov	byte ptr [ebp+var_4], 1

loc_67926C:				; CODE XREF: VmpFaultEntryInsert(x,x,x)+64j
					; VmpFaultEntryInsert(x,x,x)+88j
		push	esi
		push	[ebp+var_4]
		push	ecx
		push	edi
		call	RtlRbInsertNodeEx
		add	esi, 20h
		cmp	esi, ebx
		jb	short loc_679200

loc_67927E:				; CODE XREF: VmpFaultEntryInsert(x,x,x)+30j
		push	[ebp+var_C]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VmpFaultEntryInsert@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpFaultEntryRemove(x, x, x)
_VmpFaultEntryRemove@12	proc near	; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+ECp
					; VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+1AEp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		mov	esi, edx
		shl	edi, 5
		mov	cl, 1Fh
		mov	[ebp+var_4], ebx
		add	edi, esi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	byte ptr [ebp+arg_0+3],	al
		lea	eax, [ebx+20h]
		push	eax
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		cmp	esi, edi
		jnb	short loc_6792DB
		add	ebx, 18h

loc_6792CA:				; CODE XREF: VmpFaultEntryRemove(x,x,x)+40j
		push	esi
		push	ebx
		call	RtlRbRemoveNode
		add	esi, 20h
		cmp	esi, edi
		jb	short loc_6792CA
		mov	ebx, [ebp+var_4]

loc_6792DB:				; CODE XREF: VmpFaultEntryRemove(x,x,x)+2Fj
		lea	eax, [ebx+20h]
		push	eax
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VmpFaultEntryRemove@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpFillGpnRanges(x,	x, x, x, x, x)
_VmpFillGpnRanges@24 proc near		; CODE XREF: VmpPrefetchVirtualAddresses(x,x,x)+10Dp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_10], edx
		cmp	dword ptr [edx+8], 0
		lea	edi, [ebp+var_28]
		stosd
		mov	[ebp+var_14], ecx
		stosd
		stosd
		stosd
		jz	loc_6793D5
		mov	ebx, [ebp+arg_0]

loc_67931B:				; CODE XREF: VmpFillGpnRanges(x,x,x,x,x,x)+DBj
		push	ecx
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+arg_C]
		push	0FFFFFFFFh
		call	_VmpConvertPortionVpnRangeToGpnRange@24	; VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)
		cmp	[ebp+var_20], 0
		jz	loc_6793D5
		mov	eax, [ebp+arg_4]
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_6793AA
		and	[ebp+arg_0], 0
		mov	ecx, edx
		add	ecx, ecx
		mov	eax, [ebx+ecx*8-0Ch]
		mov	edi, [ebx+ecx*8-8]
		mov	esi, [ebx+ecx*8-10h]
		mov	[ebp+var_4], eax
		mov	eax, edi
		add	eax, esi
		mov	[ebp+var_8], esi
		mov	esi, [ebp+var_4]
		adc	[ebp+arg_0], esi
		mov	esi, [ebp+var_20]
		mov	[ebp+var_C], edi
		cmp	eax, [ebp+var_28]
		jnz	short loc_67937D
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+var_24]
		jnz	short loc_67937D
		lea	eax, [edi+esi]
		mov	[ebx+ecx*8-8], eax
		jmp	short loc_6793C5
; 

loc_67937D:				; CODE XREF: VmpFillGpnRanges(x,x,x,x,x,x)+76j
					; VmpFillGpnRanges(x,x,x,x,x,x)+7Ej
		xor	edi, edi
		mov	eax, esi
		add	eax, [ebp+var_28]
		adc	edi, [ebp+var_24]
		cmp	[ebp+var_8], eax
		jnz	short loc_6793AA
		cmp	[ebp+var_4], edi
		jnz	short loc_6793AA
		mov	eax, [ebp+var_C]
		add	eax, esi
		mov	[ebx+ecx*8-8], eax
		mov	eax, [ebp+var_28]
		mov	[ebx+ecx*8-10h], eax
		mov	eax, [ebp+var_24]
		mov	[ebx+ecx*8-0Ch], eax
		jmp	short loc_6793C5
; 

loc_6793AA:				; CODE XREF: VmpFillGpnRanges(x,x,x,x,x,x)+47j
					; VmpFillGpnRanges(x,x,x,x,x,x)+96j ...
		mov	ecx, [ebp+arg_4]
		lea	esi, [ebp+var_28]
		mov	edi, edx
		lea	eax, [edx+1]
		shl	edi, 4
		add	edi, ebx
		mov	[ecx], eax
		movsd
		movsd
		movsd
		movsd
		cmp	eax, [ebp+arg_8]
		jz	short loc_6793D5

loc_6793C5:				; CODE XREF: VmpFillGpnRanges(x,x,x,x,x,x)+87j
					; VmpFillGpnRanges(x,x,x,x,x,x)+B4j
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_14]
		cmp	dword ptr [edx+8], 0
		jnz	loc_67931B

loc_6793D5:				; CODE XREF: VmpFillGpnRanges(x,x,x,x,x,x)+1Ej
					; VmpFillGpnRanges(x,x,x,x,x,x)+3Aj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_VmpFillGpnRanges@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpFillSlat(x, x, x, x, x, x)
_VmpFillSlat@24	proc near		; CODE XREF: VmpProcessUpdateSlat(x,x,x,x,x)+118p
					; VmpProcessUpdateSlat(x,x,x,x,x)+198p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax+2Ch]
		mov	ebx, edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], ecx
		test	cl, 1
		jz	short loc_6793FF
		or	ebx, 20000h

loc_6793FF:				; CODE XREF: VmpFillSlat(x,x,x,x,x,x)+1Bj
		cmp	[ebp+arg_0], 200h
		mov	esi, [ebp+arg_8]
		jnz	loc_679528
		cmp	[ebp+arg_4], 0
		jnz	loc_679528
		mov	eax, [esi]
		mov	edi, 1FFh
		mov	edx, [esi+4]
		mov	[ebp+arg_8], eax
		and	eax, edi
		or	eax, 0
		mov	[ebp+var_4], edx
		jnz	loc_679528
		mov	eax, [esi+8]
		mov	edx, [esi+0Ch]
		mov	[ebp+var_8], eax
		and	eax, edi
		or	eax, 0
		jnz	loc_679528
		add	[ebp+arg_8], 1FFh
		lea	edi, [esi+2000h]
		adc	[ebp+var_4], eax
		mov	eax, [edi-10h]
		cmp	eax, [ebp+arg_8]
		jnz	loc_679528
		mov	eax, [edi-0Ch]
		cmp	eax, [ebp+var_4]
		jnz	loc_679528
		add	[ebp+var_8], 1FFh
		mov	eax, [edi-8]
		adc	edx, 0
		cmp	eax, [ebp+var_8]
		jnz	loc_679528
		cmp	[edi-4], edx
		jnz	loc_679528
		lea	edx, [esi+10h]
		cmp	edx, edi
		jnb	short loc_6794D9

loc_679496:				; CODE XREF: VmpFillSlat(x,x,x,x,x,x)+F6j
		mov	ecx, [edx-10h]
		mov	eax, [edx-0Ch]
		add	ecx, 1
		adc	eax, 0
		mov	[ebp+arg_8], eax
		cmp	[edx], ecx
		jnz	short loc_6794D4
		mov	eax, [edx+4]
		cmp	eax, [ebp+arg_8]
		jnz	short loc_6794D4
		mov	ecx, [edx-8]
		mov	eax, [edx-4]
		add	ecx, 1
		adc	eax, 0
		mov	[ebp+arg_8], eax
		cmp	[edx+8], ecx
		jnz	short loc_6794D4
		mov	eax, [edx+0Ch]
		cmp	eax, [ebp+arg_8]
		jnz	short loc_6794D4
		add	edx, 10h
		cmp	edx, edi
		jb	short loc_679496

loc_6794D4:				; CODE XREF: VmpFillSlat(x,x,x,x,x,x)+CBj
					; VmpFillSlat(x,x,x,x,x,x)+D3j	...
		mov	ecx, [ebp+var_C]
		cmp	edx, edi

loc_6794D9:				; CODE XREF: VmpFillSlat(x,x,x,x,x,x)+B8j
		jnz	short loc_679528
		mov	eax, [ebp+var_10]
		or	ecx, 1
		mov	[eax+2Ch], ecx
		mov	ecx, ds:_VmpTraceLoggingProvider
		test	ecx, ecx
		jz	short loc_679512
		cmp	dword ptr [ecx], 0
		jbe	short loc_679512
		push	0
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_679512
		push	dword ptr [esi+0Ch]
		mov	edx, ebx
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		call	_VmpLogLargeSlatFill@24	; VmpLogLargeSlatFill(x,x,x,x,x,x)

loc_679512:				; CODE XREF: VmpFillSlat(x,x,x,x,x,x)+110j
					; VmpFillSlat(x,x,x,x,x,x)+115j ...
		mov	edx, [ebp+arg_C]
		mov	eax, [edx]
		mov	ecx, [edx+4]
		shld	ecx, eax, 9
		shl	eax, 9
		mov	[edx], eax
		mov	[edx+4], ecx
		jmp	short loc_67954F
; 

loc_679528:				; CODE XREF: VmpFillSlat(x,x,x,x,x,x)+2Dj
					; VmpFillSlat(x,x,x,x,x,x)+37j	...
		mov	ecx, ds:_VmpTraceLoggingProvider
		test	ecx, ecx
		jz	short loc_67954F
		cmp	dword ptr [ecx], 0
		jbe	short loc_67954F
		push	0
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_67954F
		push	ebx
		push	[ebp+arg_0]
		mov	edx, esi
		call	_VmpLogSparseSlatFill@16 ; VmpLogSparseSlatFill(x,x,x,x)

loc_67954F:				; CODE XREF: VmpFillSlat(x,x,x,x,x,x)+14Aj
					; VmpFillSlat(x,x,x,x,x,x)+154j ...
		pop	edi
		pop	esi
		mov	eax, 0C0000001h
		pop	ebx
		leave
		retn	10h
_VmpFillSlat@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpFlushTb(x, x, x)
_VmpFlushTb@12	proc near		; CODE XREF: VmFlushTb(x,x,x)+2Bp

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_C], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_1C]
		or	ebx, 0FFFFFFFFh
		stosd
		mov	esi, ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], ebx
		stosd
		stosd
		test	edx, edx
		jnz	short loc_6795A8
		call	_VmpProcessContextLockExclusive@4 ; VmpProcessContextLockExclusive(x)
		mov	[ebp+var_4], eax
		xor	edx, edx
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	100000h
		call	_VmpFlushTbVaRange@24 ;	VmpFlushTbVaRange(x,x,x,x,x,x)
		mov	ebx, [ebp+var_4]
		jmp	short loc_67961C
; 

loc_6795A8:				; CODE XREF: VmpFlushTb(x,x,x)+24j
		mov	esi, [ebp+arg_0]
		lea	eax, [esi+edx*4]
		mov	[ebp+var_10], eax
		cmp	esi, eax
		jnb	short loc_67962F

loc_6795B5:				; CODE XREF: VmpFlushTb(x,x,x)+BCj
		mov	edi, [esi]
		cmp	edi, ds:_MmHighestUserAddress
		ja	short loc_679612
		mov	eax, edi
		mov	ecx, edi
		and	eax, 3FFh
		shr	ecx, 0Ah
		inc	eax
		and	ecx, 3
		jz	short loc_6795D9

loc_6795D1:				; CODE XREF: VmpFlushTb(x,x,x)+7Cj
		shl	eax, 9
		sub	ecx, 1
		jnz	short loc_6795D1

loc_6795D9:				; CODE XREF: VmpFlushTb(x,x,x)+74j
		shr	edi, 0Ch
		dec	eax
		add	eax, edi
		mov	[ebp+arg_0], eax
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_6795F5
		mov	ecx, [ebp+var_8]
		call	_VmpProcessContextLockExclusive@4 ; VmpProcessContextLockExclusive(x)
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]

loc_6795F5:				; CODE XREF: VmpFlushTb(x,x,x)+8Aj
		lea	ecx, [ebp+var_4]
		mov	edx, edi
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		lea	ecx, [ebp+var_1C]
		push	ecx
		mov	ecx, [ebp+var_8]
		push	eax
		call	_VmpFlushTbVaRange@24 ;	VmpFlushTbVaRange(x,x,x,x,x,x)
		mov	ebx, [ebp+var_4]
		mov	eax, [ebp+var_10]

loc_679612:				; CODE XREF: VmpFlushTb(x,x,x)+62j
		add	esi, 4
		cmp	esi, eax
		jb	short loc_6795B5
		mov	esi, [ebp+var_8]

loc_67961C:				; CODE XREF: VmpFlushTb(x,x,x)+4Bj
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_67962F
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_67962F:				; CODE XREF: VmpFlushTb(x,x,x)+58j
					; VmpFlushTb(x,x,x)+C4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VmpFlushTb@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpFlushTbVaRange(x, x, x, x, x, x)
_VmpFlushTbVaRange@24 proc near		; CODE XREF: VmpFlushTb(x,x,x)+43p
					; VmpFlushTb(x,x,x)+ACp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+38h+var_10]
		mov	ebx, ecx
		stosd
		mov	[esp+38h+var_24], ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+38h+var_20]
		mov	[esp+38h+var_10], edx
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		sub	eax, edx
		add	eax, 1
		mov	[esp+38h+var_8], eax
		jz	loc_679733
		mov	edi, [ebp+arg_8]

loc_679677:				; CODE XREF: VmpFlushTbVaRange(x,x,x,x,x,x)+F7j
		push	ecx
		lea	ecx, [esp+3Ch+var_20]
		mov	eax, 40000h
		sub	eax, [edi]
		lea	edx, [esp+3Ch+var_10]
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	_VmpConvertPortionVpnRangeToGpnRange@24	; VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)
		mov	esi, [esp+38h+var_18]
		mov	[esp+38h+var_28], eax
		test	esi, esi
		jz	loc_679733
		mov	ecx, ds:_VmpTraceLoggingProvider
		test	ecx, ecx
		jz	short loc_6796D1
		cmp	dword ptr [ecx], 0
		jbe	short loc_6796D1
		push	0
		push	2
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_6796D1
		mov	edx, [esp+38h+var_28]
		push	esi
		push	[esp+3Ch+var_1C]
		push	[esp+40h+var_20]
		call	_VmpLogTbFlushSlatInvalidate@20	; VmpLogTbFlushSlatInvalidate(x,x,x,x,x)

loc_6796D1:				; CODE XREF: VmpFlushTbVaRange(x,x,x,x,x,x)+75j
					; VmpFlushTbVaRange(x,x,x,x,x,x)+7Aj ...
		int	2Ch		; Internal routine for MSDOS (IRET)
		int	2Ch		; Internal routine for MSDOS (IRET)
		mov	edx, [esp+38h+var_28]
		push	ecx
		push	esi
		mov	ecx, ebx
		call	_VmpInvalidateOutstandingFaults@16 ; VmpInvalidateOutstandingFaults(x,x,x,x)
		add	[edi], esi
		cmp	dword ptr [edi], 40000h
		jb	short loc_679728
		mov	eax, [ebp+arg_C]
		mov	esi, [ebx+14h]
		push	[esp+38h+var_24]
		mov	ebx, [eax]
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [esp+38h+var_24]
		mov	ecx, ebx
		and	dword ptr [edi], 0
		call	_VmpProcessContextLockExclusive@4 ; VmpProcessContextLockExclusive(x)
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		cmp	esi, [ebx+14h]
		jz	short loc_679728
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_8]

loc_679728:				; CODE XREF: VmpFlushTbVaRange(x,x,x,x,x,x)+B4j
					; VmpFlushTbVaRange(x,x,x,x,x,x)+E5j
		cmp	[esp+38h+var_8], 0
		jnz	loc_679677

loc_679733:				; CODE XREF: VmpFlushTbVaRange(x,x,x,x,x,x)+38j
					; VmpFlushTbVaRange(x,x,x,x,x,x)+67j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_VmpFlushTbVaRange@24 endp


;  S U B	R O U T	I N E 


; __stdcall VmpInsertGpaMemoryRange(x)
_VmpInsertGpaMemoryRange@4 proc	near	; CODE XREF: VmpInsertMemoryRange(x,x,x)+17Cp
		mov	edi, edi
		push	esi
		mov	esi, [ecx+8]
		add	esi, 14h
		mov	edx, [esi]
		cmp	edx, esi
		jz	short loc_679767
		push	ebx
		mov	ebx, [ecx+1Ch]
		push	edi
		mov	edi, [ecx+18h]

loc_679753:				; CODE XREF: VmpInsertGpaMemoryRange(x)+27j
		cmp	[edx+1Ch], ebx
		ja	short loc_679765
		jb	short loc_67975F
		cmp	[edx+18h], edi
		ja	short loc_679765

loc_67975F:				; CODE XREF: VmpInsertGpaMemoryRange(x)+1Cj
		mov	edx, [edx]
		cmp	edx, esi
		jnz	short loc_679753

loc_679765:				; CODE XREF: VmpInsertGpaMemoryRange(x)+1Aj
					; VmpInsertGpaMemoryRange(x)+21j
		pop	edi
		pop	ebx

loc_679767:				; CODE XREF: VmpInsertGpaMemoryRange(x)+Dj
		mov	eax, [edx+4]
		pop	esi
		mov	[eax], ecx
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		retn
_VmpInsertGpaMemoryRange@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpInsertMemoryRange(x, x, x)
_VmpInsertMemoryRange@12 proc near	; CODE XREF: VmCreateMemoryRange(x,x,x,x,x,x)+116p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	eax, edx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_4], eax
		mov	edi, [eax+14h]
		mov	[ebp+var_8], esi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], edi
		call	_VmpProcessContextLockExclusive@4 ; VmpProcessContextLockExclusive(x)
		mov	ecx, [esi+24h]
		mov	[ebp+var_1C], eax
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_6797C8
		mov	ecx, [ebp+arg_0]
		mov	[esi+24h], ecx

loc_6797B2:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+52j
		add	esi, 4
		mov	[ebp+arg_0], esi
		test	byte ptr [esi+4], 1
		mov	ecx, [esi]
		jz	short loc_6797D9
		test	ecx, ecx
		jz	short loc_6797D7
		xor	ecx, esi
		jmp	short loc_6797D9
; 

loc_6797C8:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+31j
		cmp	ecx, [ebp+arg_0]
		jz	short loc_6797B2
		mov	ebx, 0C0000719h
		jmp	loc_679A00
; 

loc_6797D7:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+49j
		mov	ecx, ebx

loc_6797D9:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+45j
					; VmpInsertMemoryRange(x,x,x)+4Dj
		movzx	edx, byte ptr [esi+4]
		and	edx, 1
		test	ecx, ecx
		jz	short loc_67983D
		mov	eax, [edi+20h]
		mov	[ebp+var_14], eax
		mov	eax, [edi+24h]
		mov	[ebp+var_C], eax

loc_6797F0:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+B4j
		cmp	eax, [ecx+10h]
		jb	short loc_679816
		ja	short loc_6797FF
		mov	eax, [ebp+var_14]
		cmp	eax, [ecx+0Ch]
		jb	short loc_679816

loc_6797FF:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+7Cj
		mov	eax, [edi+1Ch]
		cmp	eax, [ecx+18h]
		jb	short loc_67982F
		ja	short loc_679811
		mov	eax, [edi+18h]
		cmp	eax, [ecx+14h]
		jbe	short loc_67982F

loc_679811:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+8Ej
		mov	eax, [ecx+4]
		jmp	short loc_679818
; 

loc_679816:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+7Aj
					; VmpInsertMemoryRange(x,x,x)+84j
		mov	eax, [ecx]

loc_679818:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+9Bj
		test	edx, edx
		jz	short loc_679824
		test	eax, eax
		jz	short loc_679824
		xor	ecx, eax
		jmp	short loc_679826
; 

loc_679824:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+A1j
					; VmpInsertMemoryRange(x,x,x)+A5j
		mov	ecx, eax

loc_679826:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+A9j
		test	ecx, ecx
		jz	short loc_67983D
		mov	eax, [ebp+var_C]
		jmp	short loc_6797F0
; 

loc_67982F:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+8Cj
					; VmpInsertMemoryRange(x,x,x)+96j
		test	ecx, ecx
		jz	short loc_67983D

loc_679833:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+14Fj
					; VmpInsertMemoryRange(x,x,x)+15Bj
		mov	ebx, 0C0000018h
		jmp	loc_6799FD
; 

loc_67983D:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+69j
					; VmpInsertMemoryRange(x,x,x)+AFj ...
		mov	edi, [ebp+var_8]
		add	edi, 0Ch
		test	byte ptr [edi+4], 1
		mov	eax, [edi]
		jz	short loc_679855
		test	eax, eax
		jz	short loc_679853
		xor	eax, edi
		jmp	short loc_679855
; 

loc_679853:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+D4j
		mov	eax, ebx

loc_679855:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+D0j
					; VmpInsertMemoryRange(x,x,x)+D8j
		movzx	edx, byte ptr [edi+4]
		and	edx, 1
		test	eax, eax
		jz	short loc_6798A1
		mov	ecx, [ebp+var_4]
		mov	esi, [ecx+10h]
		mov	[ebp+var_C], esi

loc_679869:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+123j
		mov	ecx, [eax+0Ch]
		cmp	esi, ecx
		jb	short loc_6798B1
		mov	ebx, [ebp+var_4]
		push	0
		mov	esi, [ebx+0Ch]
		mov	ebx, [eax+10h]
		cmp	esi, ebx
		mov	[ebp+var_14], ebx
		pop	ebx
		jbe	short loc_6798BF
		mov	ecx, [eax+4]
		test	edx, edx
		jz	short loc_679895
		test	ecx, ecx
		jz	short loc_679895
		mov	esi, [ebp+var_C]
		xor	eax, ecx
		jmp	short loc_67989A
; 

loc_679895:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+10Fj
					; VmpInsertMemoryRange(x,x,x)+113j
		mov	esi, [ebp+var_C]

loc_679898:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+13Cj
					; VmpInsertMemoryRange(x,x,x)+140j
		mov	eax, ecx

loc_67989A:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+11Aj
					; VmpInsertMemoryRange(x,x,x)+144j
		test	eax, eax
		jnz	short loc_679869

loc_67989E:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+148j
					; VmpInsertMemoryRange(x,x,x)+187j
		mov	esi, [ebp+arg_0]

loc_6798A1:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+E5j
		test	byte ptr [esi+4], 1
		mov	ecx, [esi]
		jz	short loc_679909
		test	ecx, ecx
		jz	short loc_679907
		xor	ecx, esi
		jmp	short loc_679909
; 

loc_6798B1:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+F5j
		mov	ecx, [eax]
		test	edx, edx
		jz	short loc_679898
		test	ecx, ecx
		jz	short loc_679898
		xor	eax, ecx
		jmp	short loc_67989A
; 

loc_6798BF:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+108j
		test	eax, eax
		jz	short loc_67989E
		mov	[ebp+var_18], eax
		cmp	ecx, esi
		jnz	loc_679833
		mov	ecx, [ebp+var_C]
		cmp	[ebp+var_14], ecx
		jnz	loc_679833
		mov	esi, [ebp+var_10]
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_679902
		mov	edx, [esi+4]
		cmp	[edx], esi
		jnz	short loc_679902
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	ecx, esi
		mov	[esi+8], eax
		call	_VmpInsertGpaMemoryRange@4 ; VmpInsertGpaMemoryRange(x)
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_20], ecx
		jmp	short loc_67989E
; 

loc_679902:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+169j
					; VmpInsertMemoryRange(x,x,x)+170j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_679907:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+132j
		mov	ecx, ebx

loc_679909:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+12Ej
					; VmpInsertMemoryRange(x,x,x)+136j
		movzx	edx, byte ptr [esi+4]
		and	edx, 1
		mov	byte ptr [ebp+var_C], bl
		test	ecx, ecx
		jz	short loc_67997B
		mov	esi, [ebp+var_10]
		mov	eax, [esi+18h]
		mov	esi, [esi+1Ch]
		mov	[ebp+var_24], eax
		mov	[ebp+var_14], esi

loc_679926:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+1FCj
		mov	esi, [ebp+var_14]
		cmp	esi, [ecx+18h]
		mov	esi, [ebp+arg_0]
		ja	short loc_67995F
		jb	short loc_679938
		cmp	eax, [ecx+14h]
		ja	short loc_67995F

loc_679938:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+1B8j
		mov	esi, [ebp+var_14]
		cmp	esi, [ecx+10h]
		mov	esi, [ebp+arg_0]
		ja	short loc_67995F
		jb	short loc_67994A
		cmp	eax, [ecx+0Ch]
		jnb	short loc_67995F

loc_67994A:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+1CAj
		mov	eax, [ecx]
		test	edx, edx
		jz	short loc_679956
		test	eax, eax
		jz	short loc_67995A
		xor	eax, ecx

loc_679956:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+1D5j
		test	eax, eax
		jnz	short loc_679970

loc_67995A:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+1D9j
		mov	byte ptr [ebp+var_C], bl
		jmp	short loc_67997B
; 

loc_67995F:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+1B6j
					; VmpInsertMemoryRange(x,x,x)+1BDj ...
		mov	eax, [ecx+4]
		test	edx, edx
		jz	short loc_67996C
		test	eax, eax
		jz	short loc_679977
		xor	eax, ecx

loc_67996C:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+1EBj
		test	eax, eax
		jz	short loc_679977

loc_679970:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+1DFj
		mov	ecx, eax
		mov	eax, [ebp+var_24]
		jmp	short loc_679926
; 

loc_679977:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+1EFj
					; VmpInsertMemoryRange(x,x,x)+1F5j
		mov	byte ptr [ebp+var_C], 1

loc_67997B:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+19Cj
					; VmpInsertMemoryRange(x,x,x)+1E4j
		mov	eax, [ebp+var_10]
		add	eax, 0Ch
		push	eax
		push	[ebp+var_C]
		push	ecx
		push	esi
		call	RtlRbInsertNodeEx
		cmp	[ebp+var_18], 0
		jnz	short loc_6799FD
		test	byte ptr [edi+4], 1
		mov	eax, [edi]
		jz	short loc_6799A4
		test	eax, eax
		jz	short loc_6799A2
		xor	eax, edi
		jmp	short loc_6799A4
; 

loc_6799A2:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+223j
		mov	eax, ebx

loc_6799A4:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+21Fj
					; VmpInsertMemoryRange(x,x,x)+227j
		movzx	edx, byte ptr [edi+4]
		and	edx, 1
		mov	byte ptr [ebp+arg_0], bl
		test	eax, eax
		jz	short loc_6799F0
		mov	ecx, [ebp+var_4]
		mov	esi, [ecx+0Ch]

loc_6799B8:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+271j
		cmp	esi, [eax+10h]
		ja	short loc_6799D7
		cmp	esi, [eax+0Ch]
		jnb	short loc_6799D7
		mov	ecx, [eax]
		test	edx, edx
		jz	short loc_6799CE
		test	ecx, ecx
		jz	short loc_6799D2
		xor	ecx, eax

loc_6799CE:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+24Dj
		test	ecx, ecx
		jnz	short loc_6799E8

loc_6799D2:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+251j
		mov	byte ptr [ebp+arg_0], bl
		jmp	short loc_6799F0
; 

loc_6799D7:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+242j
					; VmpInsertMemoryRange(x,x,x)+247j
		mov	ecx, [eax+4]
		test	edx, edx
		jz	short loc_6799E4
		test	ecx, ecx
		jz	short loc_6799EC
		xor	ecx, eax

loc_6799E4:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+263j
		test	ecx, ecx
		jz	short loc_6799EC

loc_6799E8:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+257j
		mov	eax, ecx
		jmp	short loc_6799B8
; 

loc_6799EC:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+267j
					; VmpInsertMemoryRange(x,x,x)+26Dj
		mov	byte ptr [ebp+arg_0], 1

loc_6799F0:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+237j
					; VmpInsertMemoryRange(x,x,x)+25Cj
		push	[ebp+var_4]
		push	[ebp+arg_0]
		push	eax
		push	edi
		call	RtlRbInsertNodeEx

loc_6799FD:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+BFj
					; VmpInsertMemoryRange(x,x,x)+217j
		mov	esi, [ebp+var_8]

loc_679A00:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+59j
		cmp	[ebp+var_1C], 0FFFFFFFFh
		jz	short loc_679A15
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_1C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_679A15:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+28Bj
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_679A23
		mov	ecx, eax
		call	_VmpFreeMemoryRanges@4 ; VmpFreeMemoryRanges(x)

loc_679A23:				; CODE XREF: VmpInsertMemoryRange(x,x,x)+2A1j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_VmpInsertMemoryRange@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpInvalidateOutstandingFaults(x, x, x, x)
_VmpInvalidateOutstandingFaults@16 proc	near ; CODE XREF: VmpFlushTbVaRange(x,x,x,x,x,x)+A7p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		dec	eax
		mov	ebx, edx
		mov	esi, ecx
		add	eax, ebx
		mov	[ebp+arg_0], eax
		push	edi
		lea	eax, [esi+20h]
		push	eax
		mov	[ebp+var_4], eax
		call	ExAcquireSpinLockSharedAtDpcLevel
		add	esi, 18h
		test	byte ptr [esi+4], 1
		mov	ecx, [esi]
		jz	short loc_679A63
		test	ecx, ecx
		jz	short loc_679A61
		xor	ecx, esi
		jmp	short loc_679A63
; 

loc_679A61:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+2Fj
		xor	ecx, ecx

loc_679A63:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+2Bj
					; VmpInvalidateOutstandingFaults(x,x,x,x)+33j
		movzx	edi, byte ptr [esi+4]
		xor	esi, esi
		and	edi, 1
		mov	edx, esi
		test	ecx, ecx
		jz	short loc_679ADE

loc_679A72:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+91j
		mov	esi, [ecx+0Ch]
		and	esi, 0FFFFFh
		cmp	ebx, esi
		ja	short loc_679AAA
		mov	eax, [ecx]
		mov	edx, ecx
		jb	short loc_679AAD
		test	edi, edi
		jz	short loc_679A8F
		test	eax, eax
		jz	short loc_679A8F
		xor	eax, ecx

loc_679A8F:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+5Bj
					; VmpInvalidateOutstandingFaults(x,x,x,x)+5Fj
		xor	esi, esi
		test	eax, eax
		jz	short loc_679ADC

loc_679A95:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+A8j
		mov	ecx, [eax+0Ch]
		and	ecx, 0FFFFFh
		cmp	ebx, ecx
		ja	short loc_679AC1
		mov	ecx, [eax]
		jb	short loc_679AC4
		mov	esi, eax
		jmp	short loc_679AC4
; 

loc_679AAA:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+51j
		mov	eax, [ecx+4]

loc_679AAD:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+57j
		test	edi, edi
		jz	short loc_679AB9
		test	eax, eax
		jz	short loc_679AB9
		xor	ecx, eax
		jmp	short loc_679ABB
; 

loc_679AB9:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+83j
					; VmpInvalidateOutstandingFaults(x,x,x,x)+87j
		mov	ecx, eax

loc_679ABB:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+8Bj
		test	ecx, ecx
		jnz	short loc_679A72
		jmp	short loc_679ADC
; 

loc_679AC1:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+74j
		mov	ecx, [eax+4]

loc_679AC4:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+78j
					; VmpInvalidateOutstandingFaults(x,x,x,x)+7Cj
		test	edi, edi
		jz	short loc_679AD0
		test	ecx, ecx
		jz	short loc_679AD0
		xor	eax, ecx
		jmp	short loc_679AD2
; 

loc_679AD0:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+9Aj
					; VmpInvalidateOutstandingFaults(x,x,x,x)+9Ej
		mov	eax, ecx

loc_679AD2:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+A2j
		test	eax, eax
		jnz	short loc_679A95
		test	esi, esi
		jz	short loc_679ADC
		mov	edx, esi

loc_679ADC:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+67j
					; VmpInvalidateOutstandingFaults(x,x,x,x)+93j ...
		xor	esi, esi

loc_679ADE:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+44j
		test	edx, edx
		jz	short loc_679B2C
		mov	edi, [ebp+arg_0]

loc_679AE5:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+FEj
		mov	ecx, [edx+0Ch]
		mov	eax, ecx
		and	eax, 0FFFFFh
		cmp	eax, edi
		ja	short loc_679B2C
		or	ecx, 100000h
		inc	esi
		mov	[edx+0Ch], ecx
		mov	ecx, edx
		mov	eax, [edx+4]
		test	eax, eax
		jz	short loc_679B20
		mov	edx, eax
		mov	ecx, [edx]
		test	ecx, ecx
		jz	short loc_679B28

loc_679B0E:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+EAj
		mov	eax, [ecx]
		mov	edx, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_679B0E
		jmp	short loc_679B28
; 

loc_679B1A:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+FAj
		cmp	[edx], ecx
		jz	short loc_679B28
		mov	ecx, edx

loc_679B20:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+D8j
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		jnz	short loc_679B1A

loc_679B28:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+E0j
					; VmpInvalidateOutstandingFaults(x,x,x,x)+ECj ...
		test	edx, edx
		jnz	short loc_679AE5

loc_679B2C:				; CODE XREF: VmpInvalidateOutstandingFaults(x,x,x,x)+B4j
					; VmpInvalidateOutstandingFaults(x,x,x,x)+C5j
		push	[ebp+var_4]
		call	ExReleaseSpinLockSharedFromDpcLevel
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_VmpInvalidateOutstandingFaults@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpLogAccessFault(x, x, x, x, x, x,	x, x)
_VmpLogAccessFault@32 proc near		; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+164p

var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ds:_VmpTraceLoggingProvider
		push	edi
		mov	edi, edx
		cmp	dword ptr [esi], 5
		jbe	loc_679C78
		xor	ebx, ebx
		mov	ecx, esi
		push	ebx
		push	8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_679C78
		mov	eax, large fs:124h
		push	4
		pop	ecx
		push	8
		mov	eax, [eax+80h]
		pop	edx
		mov	eax, [eax+0E4h]
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_C0], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_98]
		push	eax
		push	9
		push	ecx
		push	ecx
		push	ebx
		push	ecx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_60], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_40], edx
		mov	edx, (offset loc_422BAE+6)
		mov	[ebp+var_30], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_10], ecx
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_74], ebx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_B0], edi
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_BC], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_679C78:				; CODE XREF: VmpLogAccessFault(x,x,x,x,x,x,x,x)+23j
					; VmpLogAccessFault(x,x,x,x,x,x,x,x)+37j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_VmpLogAccessFault@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpLogColdHint(x, x, x, x, x)
_VmpLogColdHint@20 proc	near		; CODE XREF: VmColdPagesHint(x,x,x,x)+177p

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 90h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, ds:_VmpTraceLoggingProvider
		push	edi
		mov	edi, edx
		cmp	dword ptr [esi], 5
		jbe	loc_679D5F
		xor	ebx, ebx
		mov	ecx, esi
		push	ebx
		push	4
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_679D5F
		mov	eax, large fs:124h
		mov	edx, offset loc_422CDA
		push	8
		pop	ecx
		mov	eax, [eax+80h]
		mov	eax, [eax+0E4h]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	6
		push	ecx
		push	ecx
		push	ebx
		push	ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_14], ecx
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], 4
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_84], edi
		mov	[ebp+var_80], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_679D5F:				; CODE XREF: VmpLogColdHint(x,x,x,x,x)+23j
					; VmpLogColdHint(x,x,x,x,x)+37j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_VmpLogColdHint@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpLogLargeSlatFill(x, x, x, x, x, x)
_VmpLogLargeSlatFill@24	proc near	; CODE XREF: VmpFillSlat(x,x,x,x,x,x)+131p

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ds:_VmpTraceLoggingProvider
		push	edi
		mov	edi, edx
		cmp	dword ptr [esi], 5
		jbe	loc_679E36
		xor	ebx, ebx
		mov	ecx, esi
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_679E36
		mov	eax, large fs:124h
		push	4
		pop	edx
		push	8
		mov	eax, [eax+80h]
		pop	ecx
		mov	eax, [eax+0E4h]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_80], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	6
		push	ecx
		push	ecx
		push	ebx
		push	ecx
		mov	[ebp+var_40], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_10], edx
		mov	edx, offset loc_422C90
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_70], edi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_679E36:				; CODE XREF: VmpLogLargeSlatFill(x,x,x,x,x,x)+23j
					; VmpLogLargeSlatFill(x,x,x,x,x,x)+37j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_VmpLogLargeSlatFill@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpLogSparseSlatFill(x, x, x, x)
_VmpLogSparseSlatFill@16 proc near	; CODE XREF: VmpFillSlat(x,x,x,x,x,x)+16Ep

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ds:_VmpTraceLoggingProvider
		push	edi
		mov	edi, edx
		cmp	dword ptr [esi], 5
		jbe	loc_679F1A
		xor	ebx, ebx
		mov	ecx, esi
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_679F1A
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_88]
		push	4
		pop	edx
		mov	eax, [eax+80h]
		mov	eax, [eax+0E4h]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_88], eax
		shl	eax, 4
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		mov	[ebp+var_48], ecx
		lea	ecx, [ebp+arg_0]
		push	ecx
		push	ecx
		push	ebx
		push	ecx
		mov	[ebp+var_50], edx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_10], edx
		mov	edx, offset loc_422C37
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_54], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], 8
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_679F1A:				; CODE XREF: VmpLogSparseSlatFill(x,x,x,x)+23j
					; VmpLogSparseSlatFill(x,x,x,x)+37j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_VmpLogSparseSlatFill@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpLogTbFlushSlatInvalidate(x, x, x, x, x)
_VmpLogTbFlushSlatInvalidate@20	proc near ; CODE XREF: VmpFlushTbVaRange(x,x,x,x,x,x)+96p

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 90h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, ds:_VmpTraceLoggingProvider
		push	edi
		mov	edi, edx
		cmp	dword ptr [esi], 5
		jbe	loc_67A001
		xor	ebx, ebx
		mov	ecx, esi
		push	ebx
		push	2
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_67A001
		mov	eax, large fs:124h
		mov	edx, (offset loc_422D20+2)
		push	8
		pop	ecx
		mov	eax, [eax+80h]
		mov	eax, [eax+0E4h]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_84], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	6
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_14], ecx
		mov	ecx, esi
		push	ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], 4
		mov	[ebp+var_40], ebx
		mov	[ebp+var_7C], edi
		mov	[ebp+var_78], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_67A001:				; CODE XREF: VmpLogTbFlushSlatInvalidate(x,x,x,x,x)+23j
					; VmpLogTbFlushSlatInvalidate(x,x,x,x,x)+37j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_VmpLogTbFlushSlatInvalidate@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpMergeMemoryRanges(x, x, x)
_VmpMergeMemoryRanges@12 proc near	; CODE XREF: VmMergeMemoryRanges(x,x)+40p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_18], edx
		xor	ebx, ebx
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], ebx
		call	_VmpProcessContextLockExclusive@4 ; VmpProcessContextLockExclusive(x)
		mov	esi, [edi+24h]
		mov	[ebp+var_1C], eax
		cmp	esi, [ebp+arg_0]
		jz	short loc_67A044
		mov	esi, 0C0000719h
		jmp	loc_67A1AC
; 

loc_67A044:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+26j
		lea	eax, [edi+0Ch]
		test	byte ptr [eax+4], 1
		mov	edi, [eax]
		mov	[ebp+var_2C], eax
		jz	short loc_67A058
		test	edi, edi
		jz	short loc_67A077
		xor	edi, eax

loc_67A058:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+3Ej
		mov	[ebp+arg_0], edi

loc_67A05B:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+6Aj
		movzx	eax, byte ptr [eax+4]
		mov	edx, [ebp+var_18]
		and	eax, 1
		test	edi, edi
		jz	short loc_67A09A

loc_67A069:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+7Fj
		cmp	edx, [edi+10h]
		ja	short loc_67A07E
		cmp	edx, [edi+0Ch]
		jnb	short loc_67A093
		mov	ecx, [edi]
		jmp	short loc_67A081
; 

loc_67A077:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+42j
		mov	edi, ebx
		mov	[ebp+arg_0], ebx
		jmp	short loc_67A05B
; 

loc_67A07E:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+5Aj
		mov	ecx, [edi+4]

loc_67A081:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+63j
		test	eax, eax
		jz	short loc_67A08D
		test	ecx, ecx
		jz	short loc_67A08D
		xor	edi, ecx
		jmp	short loc_67A08F
; 

loc_67A08D:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+71j
					; VmpMergeMemoryRanges(x,x,x)+75j
		mov	edi, ecx

loc_67A08F:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+79j
		test	edi, edi
		jnz	short loc_67A069

loc_67A093:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+5Fj
		mov	[ebp+arg_0], edi
		test	edi, edi
		jnz	short loc_67A0A4

loc_67A09A:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+55j
		mov	esi, 0C000028Ch
		jmp	loc_67A1A9
; 

loc_67A0A4:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+86j
		cmp	[edi+10h], edx
		jz	short loc_67A0B3
		mov	esi, 0C0000141h
		jmp	loc_67A1A9
; 

loc_67A0B3:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+95j
		mov	ecx, edi
		mov	ebx, [ecx+4]
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jz	short loc_67A0D4
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	short loc_67A0F0

loc_67A0C5:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+BEj
		mov	eax, [ecx]
		mov	ebx, ecx
		mov	[ebp+var_C], ebx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_67A0C5
		jmp	short loc_67A0F0
; 

loc_67A0D4:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+ABj
		mov	ebx, [ecx+8]
		and	ebx, 0FFFFFFFCh
		mov	[ebp+var_C], ebx
		jz	short loc_67A0F0

loc_67A0DF:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+D9j
		cmp	[ebx], ecx
		jz	short loc_67A0ED
		mov	ecx, ebx
		mov	ebx, [ebx+8]
		and	ebx, 0FFFFFFFCh
		jnz	short loc_67A0DF

loc_67A0ED:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+CFj
		mov	[ebp+var_C], ebx

loc_67A0F0:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+B1j
					; VmpMergeMemoryRanges(x,x,x)+C0j ...
		test	ebx, ebx
		jnz	short loc_67A0FE

loc_67A0F4:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+F2j
		mov	esi, 0C0000141h
		jmp	loc_67A1A6
; 

loc_67A0FE:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+E0j
		lea	eax, [edx+1]
		cmp	[ebx+0Ch], eax
		jnz	short loc_67A0F4
		mov	ecx, edi
		call	_VmpVaRangeNumberOfGpaRanges@4 ; VmpVaRangeNumberOfGpaRanges(x)
		mov	ecx, ebx
		mov	[ebp+var_18], edx
		mov	esi, eax
		call	_VmpVaRangeNumberOfGpaRanges@4 ; VmpVaRangeNumberOfGpaRanges(x)
		cmp	esi, eax
		jnz	loc_67A1A1
		cmp	[ebp+var_18], edx
		jnz	short loc_67A1A1
		lea	eax, [edi+14h]
		mov	[ebp+var_28], eax
		mov	eax, [eax]
		mov	edx, eax
		mov	[ebp+var_24], eax
		mov	eax, [ebx+14h]
		mov	[ebp+var_20], eax
		mov	ecx, [edx+20h]
		mov	esi, ecx
		add	esi, 1
		mov	[ebp+var_14], eax
		mov	eax, [edx+24h]
		push	0
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], eax
		pop	esi
		adc	eax, esi
		cmp	eax, [ebp+var_10]
		jb	short loc_67A1A1
		ja	short loc_67A15E
		cmp	[ebp+var_18], ecx
		jb	short loc_67A1A1

loc_67A15E:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+145j
					; VmpMergeMemoryRanges(x,x,x)+186j ...
		mov	ebx, [ebp+var_14]
		add	ecx, 1
		mov	eax, [ebp+var_10]
		adc	eax, esi
		cmp	ecx, [ebx+18h]
		jnz	short loc_67A1A1
		mov	ecx, ebx
		cmp	eax, [ecx+1Ch]
		jnz	short loc_67A1A1
		mov	edx, [edx]
		lea	eax, [edi+14h]
		mov	ecx, [ecx]
		mov	[ebp+var_14], ecx
		cmp	edx, eax
		jz	short loc_67A1D5
		mov	ecx, [edx+20h]
		mov	eax, [edx+24h]
		mov	[ebp+var_18], ecx
		add	[ebp+var_18], 1
		mov	[ebp+var_10], eax
		adc	eax, esi
		cmp	eax, [ebp+var_10]
		ja	short loc_67A15E
		jb	short loc_67A1A1
		cmp	[ebp+var_18], ecx
		jnb	short loc_67A15E

loc_67A1A1:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+109j
					; VmpMergeMemoryRanges(x,x,x)+112j ...
		mov	esi, 0C0000282h

loc_67A1A6:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+E7j
		mov	ebx, [ebp+var_8]

loc_67A1A9:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+8Dj
					; VmpMergeMemoryRanges(x,x,x)+9Cj
		mov	edi, [ebp+var_4]

loc_67A1AC:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+2Dj
					; VmpMergeMemoryRanges(x,x,x)+213j
		cmp	[ebp+var_1C], 0FFFFFFFFh
		jz	short loc_67A1C1
		push	edi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_1C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_67A1C1:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+19Ej
		test	ebx, ebx
		jz	short loc_67A1CC
		mov	ecx, ebx
		call	_VmpFreeMemoryRanges@4 ; VmpFreeMemoryRanges(x)

loc_67A1CC:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+1B1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_67A1D5:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+16Fj
		mov	edi, [ebp+var_4]
		mov	esi, [ebp+var_20]
		add	edi, 4
		mov	ebx, [ebp+var_24]

loc_67A1E1:				; CODE XREF: VmpMergeMemoryRanges(x,x,x)+1F0j
		lea	eax, [esi+0Ch]
		push	eax
		push	edi
		call	RtlRbRemoveNode
		or	dword ptr [esi+14h], 0FFFFFFFFh
		mov	eax, [esi+20h]
		mov	[ebx+20h], eax
		mov	eax, [esi+24h]
		mov	[ebx+24h], eax
		mov	ebx, [ebx]
		mov	esi, [esi]
		cmp	ebx, [ebp+var_28]
		jnz	short loc_67A1E1
		mov	ebx, [ebp+var_C]
		push	ebx
		push	[ebp+var_2C]
		call	RtlRbRemoveNode
		mov	edi, [ebp+arg_0]
		or	dword ptr [ebx+8], 0FFFFFFFFh
		mov	eax, [ebx+10h]
		mov	[edi+10h], eax
		mov	edi, [ebp+var_4]
		inc	dword ptr [edi+14h]
		xor	esi, esi
		jmp	short loc_67A1AC
_VmpMergeMemoryRanges@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpPrefetchVirtualAddresses(x, x, x)
_VmpPrefetchVirtualAddresses@12	proc near ; CODE XREF: VmPrefetchVirtualAddresses(x,x,x)+3Bp
					; VmpPrefetchWorker(x)+44p

var_60		= dword	ptr -60h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		xor	eax, eax
		mov	[esp+48h+var_3C], edx
		push	esi
		push	edi
		lea	edi, [esp+50h+var_10]
		mov	[esp+50h+var_30], ecx
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ecx+24h]
		mov	[esp+50h+var_28], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_67A25D

loc_67A253:				; CODE XREF: VmpPrefetchVirtualAddresses(x,x,x)+47j
		mov	esi, 0C000009Dh
		jmp	loc_67A408
; 

loc_67A25D:				; CODE XREF: VmpPrefetchVirtualAddresses(x,x,x)+2Aj
		mov	ecx, ds:_VmpExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		mov	[esp+50h+var_24], eax
		test	eax, eax
		jz	short loc_67A253
		mov	ecx, [ebp+arg_0]
		mov	eax, 2000h
		xor	ebx, ebx
		mov	[esp+50h+var_44], eax
		mov	[esp+50h+var_38], ebx
		cmp	ecx, eax
		jnb	short loc_67A28C
		mov	eax, ecx
		mov	[esp+50h+var_44], ecx

loc_67A28C:				; CODE XREF: VmpPrefetchVirtualAddresses(x,x,x)+5Dj
		push	72506D56h
		shl	eax, 4
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+50h+var_40], esi
		test	esi, esi
		jnz	short loc_67A2B3
		mov	esi, 0C000009Ah
		jmp	loc_67A3ED
; 

loc_67A2B3:				; CODE XREF: VmpPrefetchVirtualAddresses(x,x,x)+80j
		mov	ecx, [ebp+arg_0]
		lea	edi, [esp+50h+var_1C]
		xor	eax, eax
		stosd
		stosd
		stosd
		mov	eax, [esp+50h+var_3C]
		mov	edi, [esp+50h+var_30]
		lea	eax, [eax+ecx*8]
		mov	ecx, edi
		mov	[esp+50h+var_2C], eax
		call	_VmpProcessContextLockShared@4 ; VmpProcessContextLockShared(x)
		mov	[esp+50h+var_34], eax
		mov	eax, [esp+50h+var_3C]
		cmp	eax, [esp+50h+var_2C]
		jnb	loc_67A3C3

loc_67A2E7:				; CODE XREF: VmpPrefetchVirtualAddresses(x,x,x)+192j
		mov	edx, [eax]
		mov	ecx, edx
		mov	eax, [eax+4]
		and	ecx, 0FFFh
		add	eax, 0FFFh
		mov	esi, edx
		add	eax, ecx
		shr	esi, 0Ch
		and	eax, 0FFFFF000h
		mov	[esp+50h+var_10], esi
		add	eax, edx
		shr	eax, 0Ch
		sub	eax, esi
		mov	[esp+50h+var_8], eax
		jz	loc_67A3AA
		mov	esi, [esp+50h+var_40]
		mov	eax, [esp+50h+var_44]

loc_67A322:				; CODE XREF: VmpPrefetchVirtualAddresses(x,x,x)+17Dj
		lea	ecx, [esp+50h+var_1C]
		push	ecx
		push	eax
		lea	eax, [esp+58h+var_38]
		mov	ecx, edi
		push	eax
		push	esi
		lea	edx, [esp+60h+var_10]
		call	_VmpFillGpnRanges@24 ; VmpFillGpnRanges(x,x,x,x,x,x)
		mov	ebx, [esp+50h+var_38]
		mov	eax, [esp+50h+var_44]
		cmp	ebx, eax
		jb	short loc_67A39F
		mov	eax, [edi+14h]
		push	edi
		mov	[esp+54h+var_20], eax
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [esp+50h+var_34]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esp+50h+var_24]
		push	1
		push	[esp+54h+var_28]
		push	ebx
		push	esi
		call	dword ptr [eax]
		mov	esi, eax
		test	esi, esi
		js	short loc_67A3ED
		xor	ebx, ebx
		mov	ecx, edi
		mov	[esp+60h+var_48], ebx
		call	_VmpProcessContextLockShared@4 ; VmpProcessContextLockShared(x)
		mov	esi, [esp+60h+var_50]
		mov	[esp+60h+var_44], eax
		mov	eax, [esp+60h+var_30]
		cmp	eax, [edi+14h]
		jz	short loc_67A39B
		xor	eax, eax
		lea	edi, [esp+60h+var_2C]
		stosd
		stosd
		stosd
		mov	edi, [esp+60h+var_40]

loc_67A39B:				; CODE XREF: VmpPrefetchVirtualAddresses(x,x,x)+165j
		mov	eax, [esp+60h+var_54]

loc_67A39F:				; CODE XREF: VmpPrefetchVirtualAddresses(x,x,x)+11Cj
		cmp	[esp+60h+var_18], 0
		jnz	loc_67A322

loc_67A3AA:				; CODE XREF: VmpPrefetchVirtualAddresses(x,x,x)+EDj
		mov	eax, [esp+60h+var_4C]
		add	eax, 8
		mov	[esp+60h+var_4C], eax
		cmp	eax, [esp+60h+var_3C]
		jb	loc_67A2E7
		mov	esi, [esp+60h+var_50]

loc_67A3C3:				; CODE XREF: VmpPrefetchVirtualAddresses(x,x,x)+BAj
		push	edi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [esp+60h+var_44]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jz	short loc_67A3EB
		mov	eax, [esp+60h+var_34]
		push	1
		push	[esp+64h+var_38]
		push	ebx
		push	esi
		call	dword ptr [eax]
		mov	esi, eax
		test	esi, esi
		js	short loc_67A3ED

loc_67A3EB:				; CODE XREF: VmpPrefetchVirtualAddresses(x,x,x)+1AEj
		xor	esi, esi

loc_67A3ED:				; CODE XREF: VmpPrefetchVirtualAddresses(x,x,x)+87j
					; VmpPrefetchVirtualAddresses(x,x,x)+147j ...
		mov	ecx, ds:_VmpExtensionHost
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)
		mov	eax, [esp+70h+var_60]
		test	eax, eax
		jz	short loc_67A408
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_67A408:				; CODE XREF: VmpPrefetchVirtualAddresses(x,x,x)+31j
					; VmpPrefetchVirtualAddresses(x,x,x)+1D7j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_VmpPrefetchVirtualAddresses@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpProcessAccessedBatch(x, x, x, x,	x)
_VmpProcessAccessedBatch@20 proc near	; CODE XREF: VmpQueryAccessedState(x,x,x,x)+EDp
					; VmpQueryAccessedState(x,x,x,x)+14Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_67A445
		push	esi
		push	edi

loc_67A424:				; CODE XREF: VmpProcessAccessedBatch(x,x,x,x,x)+2Ej
		mov	esi, [ecx]
		mov	eax, esi
		mov	edi, [ecx+4]
		and	eax, 4
		or	eax, 0
		jnz	short loc_67A43B
		or	esi, 6
		mov	[ecx+4], edi
		mov	[ecx], esi

loc_67A43B:				; CODE XREF: VmpProcessAccessedBatch(x,x,x,x,x)+1Ej
		add	ecx, 8
		sub	edx, 1
		jnz	short loc_67A424
		pop	edi
		pop	esi

loc_67A445:				; CODE XREF: VmpProcessAccessedBatch(x,x,x,x,x)+Dj
		pop	ebp
		retn	0Ch
_VmpProcessAccessedBatch@20 endp


;  S U B	R O U T	I N E 


; __stdcall VmpProcessContextLockExclusive(x)
_VmpProcessContextLockExclusive@4 proc near ; CODE XREF: VmpFlushTb(x,x,x)+26p
					; VmpFlushTb(x,x,x)+8Fp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	esi
		mov	bl, al
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		pop	esi
		movzx	eax, bl
		pop	ebx
		retn
_VmpProcessContextLockExclusive@4 endp


;  S U B	R O U T	I N E 


; __stdcall VmpProcessContextLockShared(x)
_VmpProcessContextLockShared@4 proc near ; CODE	XREF: VmColdPagesHint(x,x,x,x)+84p
					; VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+4Dp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	esi
		mov	bl, al
		call	ExAcquireSpinLockSharedAtDpcLevel
		pop	esi
		movzx	eax, bl
		pop	ebx
		retn
_VmpProcessContextLockShared@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpProcessUpdateSlat(x, x, x, x, x)
_VmpProcessUpdateSlat@20 proc near	; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+C2p

var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 130h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[ebp+var_124], ecx
		xor	ecx, ecx
		mov	[ebp+var_12C], ecx
		mov	[ebp+var_128], ecx
		push	esi
		push	edi
		test	eax, eax
		jz	short loc_67A4C1
		mov	edi, [eax+0Ch]
		mov	eax, [eax]
		mov	[ebp+var_120], eax
		jmp	short loc_67A4D1
; 

loc_67A4C1:				; CODE XREF: VmpProcessUpdateSlat(x,x,x,x,x)+31j
		lea	edi, [ebp+var_10C]
		mov	[ebp+var_120], 10h

loc_67A4D1:				; CODE XREF: VmpProcessUpdateSlat(x,x,x,x,x)+3Ej
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		shl	esi, 5
		add	esi, edx
		mov	[ebp+var_118], edi
		mov	[ebp+var_11C], ecx
		cmp	edx, esi
		jnb	loc_67A61E
		sub	esi, edx
		lea	eax, [edx+10h]
		dec	esi
		mov	[ebp+var_110], eax
		shr	esi, 5
		inc	esi

loc_67A4FF:				; CODE XREF: VmpProcessUpdateSlat(x,x,x,x,x)+178j
		mov	ecx, [eax]
		mov	edx, [eax+4]
		xor	eax, eax
		mov	[ebp+var_114], ecx
		mov	ecx, edx
		and	ecx, 800000h
		or	eax, ecx
		jnz	loc_67A5E7
		xor	edi, edi
		mov	ecx, edx
		and	ecx, 100000h
		inc	edi
		or	eax, ecx
		jz	short loc_67A52E
		push	3
		pop	edi

loc_67A52E:				; CODE XREF: VmpProcessUpdateSlat(x,x,x,x,x)+A8j
		mov	ecx, edx
		xor	eax, eax
		and	ecx, 200000h
		or	eax, ecx
		jz	short loc_67A53F
		or	edi, 0Ch

loc_67A53F:				; CODE XREF: VmpProcessUpdateSlat(x,x,x,x,x)+B9j
		mov	ecx, edx
		xor	eax, eax
		and	ecx, 400000h
		or	eax, ecx
		jz	short loc_67A553
		or	edi, 4000h

loc_67A553:				; CODE XREF: VmpProcessUpdateSlat(x,x,x,x,x)+CAj
		cmp	[ebp+arg_8], 0
		jnz	short loc_67A55F
		or	edi, 20000h

loc_67A55F:				; CODE XREF: VmpProcessUpdateSlat(x,x,x,x,x)+D6j
		mov	eax, [ebp+var_11C]
		cmp	eax, edi
		jnz	short loc_67A571
		cmp	ebx, [ebp+var_120]
		jnz	short loc_67A5B7

loc_67A571:				; CODE XREF: VmpProcessUpdateSlat(x,x,x,x,x)+E6j
		mov	ecx, [ebp+var_114]
		mov	[ebp+var_114], ecx
		test	ebx, ebx
		jz	short loc_67A5B1
		lea	ecx, [ebp+var_12C]
		mov	edx, eax
		push	ecx
		push	[ebp+var_118]
		mov	ecx, [ebp+var_124]
		push	0
		push	ebx
		call	_VmpFillSlat@24	; VmpFillSlat(x,x,x,x,x,x)
		mov	eax, [ebp+var_110]
		xor	ebx, ebx
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	[ebp+var_114], ecx

loc_67A5B1:				; CODE XREF: VmpProcessUpdateSlat(x,x,x,x,x)+FEj
		mov	[ebp+var_11C], edi

loc_67A5B7:				; CODE XREF: VmpProcessUpdateSlat(x,x,x,x,x)+EEj
		mov	edi, [ebp+var_118]
		mov	ecx, ebx
		mov	eax, [ebp+var_114]
		add	ecx, ecx
		and	edx, 0FFFFFh
		mov	[edi+ecx*8], eax
		mov	eax, [ebp+var_110]
		mov	[edi+ecx*8+4], edx
		mov	eax, [eax+8]
		and	dword ptr [edi+ecx*8+0Ch], 0
		inc	ebx
		mov	[edi+ecx*8+8], eax

loc_67A5E7:				; CODE XREF: VmpProcessUpdateSlat(x,x,x,x,x)+95j
		mov	eax, [ebp+var_110]
		add	eax, 20h
		mov	[ebp+var_110], eax
		sub	esi, 1
		jnz	loc_67A4FF
		test	ebx, ebx
		jz	short loc_67A61E
		mov	edx, [ebp+var_11C]
		lea	eax, [ebp+var_12C]
		mov	ecx, [ebp+var_124]
		push	eax
		push	edi
		push	esi
		push	ebx
		call	_VmpFillSlat@24	; VmpFillSlat(x,x,x,x,x,x)

loc_67A61E:				; CODE XREF: VmpProcessUpdateSlat(x,x,x,x,x)+68j
					; VmpProcessUpdateSlat(x,x,x,x,x)+180j
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_VmpProcessUpdateSlat@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpQueryAccessedState(x, x,	x, x)
_VmpQueryAccessedState@16 proc near	; CODE XREF: MiQueryEPTAccessedState(x,x,x)+2Ap

var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_128		= dword	ptr -128h
var_120		= dword	ptr -120h
var_114		= dword	ptr -114h
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+14Ch+var_4], eax
		xor	eax, eax
		and	[esp+14Ch+var_144], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+158h+var_128]
		mov	ebx, edx
		stosd
		mov	esi, ecx
		mov	[esp+158h+var_14C], esi
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+158h+var_138]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+158h+var_114]
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		lea	eax, [ebx+eax*8]
		mov	[esp+158h+var_140], eax
		call	_VmpProcessContextLockShared@4 ; VmpProcessContextLockShared(x)
		mov	[esp+158h+var_148], eax
		jmp	loc_67A757
; 

loc_67A694:				; CODE XREF: VmpQueryAccessedState(x,x,x,x)+12Aj
		mov	ecx, [ebx]
		lea	edx, [esp+158h+var_128]
		mov	eax, [ebx+4]
		shrd	ecx, eax, 0Ch
		lea	eax, [esp+158h+var_138]
		mov	[esp+158h+var_120], 1
		push	ecx
		push	eax
		lea	eax, [esp+160h+var_114]
		mov	[esp+160h+var_128], ecx
		push	eax
		push	0FFFFFFFFh
		mov	ecx, esi
		call	_VmpConvertPortionVpnRangeToGpnRange@24	; VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)
		cmp	[esp+158h+var_130], 0
		jnz	short loc_67A6D7
		or	dword ptr [ebx], 6
		mov	eax, [ebx+4]
		mov	[ebx+4], eax
		test	edi, edi
		jnz	short loc_67A702
		jmp	short loc_67A754
; 

loc_67A6D7:				; CODE XREF: VmpQueryAccessedState(x,x,x,x)+95j
		mov	eax, [esp+158h+var_138]
		mov	[esp+edi*8+158h+var_108], eax
		mov	eax, [esp+158h+var_134]
		mov	[esp+edi*8+158h+var_104], eax
		inc	edi
		cmp	edi, 1
		jnz	short loc_67A6F1
		mov	[esp+158h+var_144], ebx

loc_67A6F1:				; CODE XREF: VmpQueryAccessedState(x,x,x,x)+BAj
		cmp	[esp+158h+var_120], 0
		jz	short loc_67A6FD
		sub	ebx, 8
		jmp	short loc_67A702
; 

loc_67A6FD:				; CODE XREF: VmpQueryAccessedState(x,x,x,x)+C5j
		cmp	edi, 20h
		jnz	short loc_67A754

loc_67A702:				; CODE XREF: VmpQueryAccessedState(x,x,x,x)+A2j
					; VmpQueryAccessedState(x,x,x,x)+CAj
		push	[esp+158h+var_14C]
		mov	esi, [esi+14h]
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [esp+158h+var_148]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ecx
		push	[esp+15Ch+var_144]
		push	edi
		call	_VmpProcessAccessedBatch@20 ; VmpProcessAccessedBatch(x,x,x,x,x)
		mov	ecx, [esp+158h+var_14C]
		xor	edi, edi
		mov	[esp+158h+var_13C], edi
		call	_VmpProcessContextLockShared@4 ; VmpProcessContextLockShared(x)
		mov	[esp+158h+var_148], eax
		mov	eax, [esp+158h+var_14C]
		cmp	esi, [eax+14h]
		jz	short loc_67A752
		mov	esi, [esp+158h+var_14C]
		lea	edi, [esp+158h+var_114]
		xor	eax, eax
		stosd
		stosd
		stosd
		mov	edi, [esp+158h+var_13C]
		jmp	short loc_67A754
; 

loc_67A752:				; CODE XREF: VmpQueryAccessedState(x,x,x,x)+10Cj
		mov	esi, eax

loc_67A754:				; CODE XREF: VmpQueryAccessedState(x,x,x,x)+A4j
					; VmpQueryAccessedState(x,x,x,x)+CFj ...
		add	ebx, 8

loc_67A757:				; CODE XREF: VmpQueryAccessedState(x,x,x,x)+5Ej
		cmp	ebx, [esp+158h+var_140]
		jb	loc_67A694
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [esp+158h+var_148]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_67A784
		mov	eax, edi
		shl	eax, 3
		push	ecx
		sub	ebx, eax
		push	ebx
		push	edi
		call	_VmpProcessAccessedBatch@20 ; VmpProcessAccessedBatch(x,x,x,x,x)

loc_67A784:				; CODE XREF: VmpQueryAccessedState(x,x,x,x)+142j
		mov	ecx, [esp+158h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_VmpQueryAccessedState@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpRemoveMemoryRange(x, x, x, x, x,	x)
_VmpRemoveMemoryRange@24 proc near	; CODE XREF: VmDeleteMemoryRange(x,x,x,x,x)+5Bp

var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		xor	eax, eax
		and	[ebp+var_1C], eax
		push	ebx
		mov	[ebp+var_20], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ebx
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], esi
		mov	[ebp+var_C], edi
		lea	ecx, [esi+eax]
		mov	[ebp+var_10], ecx
		xor	ecx, ecx
		add	eax, [ebp+arg_0]
		adc	ecx, [ebp+arg_4]
		add	eax, 0FFFFFFFFh
		mov	[ebp+arg_8], eax
		adc	ecx, 0FFFFFFFFh
		mov	[ebp+var_8], ecx
		mov	ecx, ebx
		call	_VmpProcessContextLockExclusive@4 ; VmpProcessContextLockExclusive(x)
		mov	[ebp+var_18], eax
		mov	eax, [ebx+24h]
		cmp	eax, [ebp+arg_C]
		jz	short loc_67A7F6
		mov	esi, 0C0000719h
		jmp	loc_67A9E9
; 

loc_67A7F6:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+4Fj
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		mov	edx, esi
		mov	ecx, ebx
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		mov	eax, [ebp+var_10]
		dec	eax
		push	eax
		call	_VmpFlushTbVaRange@24 ;	VmpFlushTbVaRange(x,x,x,x,x,x)
		add	ebx, 4
		test	byte ptr [ebx+4], 1
		mov	esi, [ebx]
		jz	short loc_67A82D
		test	esi, esi
		jz	short loc_67A82B
		xor	esi, ebx
		jmp	short loc_67A82D
; 

loc_67A82B:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+8Aj
		xor	esi, esi

loc_67A82D:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+86j
					; VmpRemoveMemoryRange(x,x,x,x,x,x)+8Ej
		movzx	edi, byte ptr [ebx+4]
		mov	ecx, [ebp+arg_4]
		and	edi, 1
		mov	edx, [ebp+arg_0]

loc_67A83A:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+CCj
					; VmpRemoveMemoryRange(x,x,x,x,x,x)+D0j
		test	esi, esi
		jz	short loc_67A86D
		cmp	ecx, [esi+18h]
		ja	short loc_67A85A
		jb	short loc_67A84A
		cmp	edx, [esi+14h]
		ja	short loc_67A85A

loc_67A84A:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+A8j
		cmp	ecx, [esi+10h]
		ja	short loc_67A86D
		jb	short loc_67A856
		cmp	edx, [esi+0Ch]
		jnb	short loc_67A86D

loc_67A856:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+B4j
		mov	eax, [esi]
		jmp	short loc_67A85D
; 

loc_67A85A:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+A6j
					; VmpRemoveMemoryRange(x,x,x,x,x,x)+ADj
		mov	eax, [esi+4]

loc_67A85D:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+BDj
		test	edi, edi
		jz	short loc_67A869
		test	eax, eax
		jz	short loc_67A869
		xor	esi, eax
		jmp	short loc_67A83A
; 

loc_67A869:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+C4j
					; VmpRemoveMemoryRange(x,x,x,x,x,x)+C8j
		mov	esi, eax
		jmp	short loc_67A83A
; 

loc_67A86D:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+A1j
					; VmpRemoveMemoryRange(x,x,x,x,x,x)+B2j ...
		lea	eax, [esi-0Ch]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jnz	short loc_67A882
		mov	esi, 0C000028Ch
		jmp	loc_67A9E3
; 

loc_67A882:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+DBj
		mov	eax, [esi+18h]
		mov	edi, [esi+8]
		mov	[ebp+arg_C], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_1C], eax
		cmp	[ebp+arg_C], edx
		jnz	loc_67A932
		cmp	eax, ecx
		jnz	loc_67A932
		mov	eax, [esi+20h]
		cmp	eax, [ebp+arg_8]
		jnz	loc_67A932
		mov	eax, [esi+24h]
		cmp	eax, [ebp+var_8]
		jnz	short loc_67A932
		mov	eax, [ebp+var_14]
		cmp	[edi+0Ch], eax
		jnz	short loc_67A932
		mov	eax, [ebp+var_10]
		dec	eax
		cmp	[edi+10h], eax
		jnz	short loc_67A932
		lea	eax, [esi+0Ch]
		push	eax
		push	ebx
		call	RtlRbRemoveNode
		or	dword ptr [esi+14h], 0FFFFFFFFh
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_67A92D
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_67A92D
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	eax, [edi+14h]
		mov	[ebp+var_20], esi
		cmp	[eax], eax
		jnz	loc_67A9D1
		mov	eax, [ebp+var_4]
		push	edi
		add	eax, 0Ch
		push	eax
		call	RtlRbRemoveNode
		or	dword ptr [edi+8], 0FFFFFFFFh
		test	byte ptr [ebx+4], 1
		mov	eax, [ebx]
		jz	short loc_67A915
		test	eax, eax
		jz	short loc_67A91D
		xor	eax, ebx

loc_67A915:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+172j
		test	eax, eax
		jnz	loc_67A9D4

loc_67A91D:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+176j
		mov	ebx, [ebp+var_4]
		or	dword ptr [ebx+24h], 0FFFFFFFFh
		and	dword ptr [ebx+2Ch], 0
		jmp	loc_67A9D7
; 

loc_67A92D:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+13Fj
					; VmpRemoveMemoryRange(x,x,x,x,x,x)+146j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_67A932:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+F9j
					; VmpRemoveMemoryRange(x,x,x,x,x,x)+101j ...
		mov	ecx, edi
		call	_VmpVaRangeNumberOfGpaRanges@4 ; VmpVaRangeNumberOfGpaRanges(x)
		test	edx, edx
		jnz	loc_67A9DE
		cmp	eax, 1
		ja	loc_67A9DE
		mov	ebx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_8]
		cmp	ebx, [ebp+arg_C]
		jnz	short loc_67A997
		cmp	edx, [ebp+var_1C]
		jnz	short loc_67A997
		mov	eax, [ebp+var_14]
		cmp	eax, [edi+0Ch]
		jnz	short loc_67A997
		cmp	ecx, [esi+24h]
		ja	short loc_67A997
		jb	short loc_67A974
		mov	eax, [ebp+arg_8]
		cmp	eax, [esi+20h]
		jnb	short loc_67A997

loc_67A974:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+1CFj
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+arg_8]
		dec	ecx
		cmp	ecx, [edi+10h]
		mov	ecx, [ebp+var_8]
		jnb	short loc_67A997
		add	eax, 1
		mov	[esi+18h], eax
		mov	eax, [ebp+var_10]
		adc	ecx, 0
		mov	[esi+1Ch], ecx
		mov	[edi+0Ch], eax
		jmp	short loc_67A9D1
; 

loc_67A997:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+1BBj
					; VmpRemoveMemoryRange(x,x,x,x,x,x)+1C0j ...
		mov	eax, [ebp+arg_8]
		cmp	eax, [esi+20h]
		jnz	short loc_67A9DE
		cmp	ecx, [esi+24h]
		jnz	short loc_67A9DE
		mov	eax, [ebp+var_10]
		dec	eax
		cmp	eax, [edi+10h]
		jnz	short loc_67A9DE
		cmp	edx, [ebp+var_1C]
		jb	short loc_67A9DE
		ja	short loc_67A9B9
		cmp	ebx, [ebp+arg_C]
		jbe	short loc_67A9DE

loc_67A9B9:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+217j
		mov	eax, [ebp+var_14]
		cmp	eax, [edi+0Ch]
		jbe	short loc_67A9DE
		add	ebx, 0FFFFFFFFh
		mov	[esi+20h], ebx
		adc	edx, 0FFFFFFFFh
		dec	eax
		mov	[esi+24h], edx
		mov	[edi+10h], eax

loc_67A9D1:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+155j
					; VmpRemoveMemoryRange(x,x,x,x,x,x)+1FAj
		mov	edi, [ebp+var_C]

loc_67A9D4:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+17Cj
		mov	ebx, [ebp+var_4]

loc_67A9D7:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+18Dj
		inc	dword ptr [ebx+14h]
		xor	esi, esi
		jmp	short loc_67A9E9
; 

loc_67A9DE:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+1A0j
					; VmpRemoveMemoryRange(x,x,x,x,x,x)+1A9j ...
		mov	esi, 0C00000BBh

loc_67A9E3:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+E2j
		mov	ebx, [ebp+var_4]
		mov	edi, [ebp+var_C]

loc_67A9E9:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+56j
					; VmpRemoveMemoryRange(x,x,x,x,x,x)+241j
		cmp	[ebp+var_18], 0FFFFFFFFh
		jz	short loc_67A9FE
		push	ebx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_18]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_67A9FE:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+252j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_67AA0D
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_67AA0D:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+268j
		test	edi, edi
		jz	short loc_67AA18
		mov	ecx, edi
		call	_VmpFreeMemoryRanges@4 ; VmpFreeMemoryRanges(x)

loc_67AA18:				; CODE XREF: VmpRemoveMemoryRange(x,x,x,x,x,x)+274j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_VmpRemoveMemoryRange@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpSplitMemoryRange(x, x, x)
_VmpSplitMemoryRange@12	proc near	; CODE XREF: VmSplitMemoryRange(x,x)+40p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_C], edi
		mov	[ebp+var_10], esi

loc_67AA36:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+EAj
		mov	ecx, esi
		mov	[ebp+var_18], 1
		call	_VmpProcessContextLockShared@4 ; VmpProcessContextLockShared(x)
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		cmp	[esi+24h], eax
		jnz	loc_67ACAD
		lea	ecx, [esi+0Ch]
		test	byte ptr [ecx+4], 1
		mov	ebx, [ecx]
		jz	short loc_67AA68
		test	ebx, ebx
		jz	short loc_67AA66
		xor	ebx, ecx
		jmp	short loc_67AA68
; 

loc_67AA66:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+3Fj
		xor	ebx, ebx

loc_67AA68:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+3Bj
					; VmpSplitMemoryRange(x,x,x)+43j
		movzx	ecx, byte ptr [ecx+4]
		and	ecx, 1
		jmp	short loc_67AA90
; 

loc_67AA71:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+71j
		cmp	edi, [ebx+10h]
		ja	short loc_67AA7F
		cmp	edi, [ebx+0Ch]
		jnb	short loc_67AA94
		mov	eax, [ebx]
		jmp	short loc_67AA82
; 

loc_67AA7F:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+53j
		mov	eax, [ebx+4]

loc_67AA82:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+5Cj
		test	ecx, ecx
		jz	short loc_67AA8E
		test	eax, eax
		jz	short loc_67AA8E
		xor	ebx, eax
		jmp	short loc_67AA90
; 

loc_67AA8E:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+63j
					; VmpSplitMemoryRange(x,x,x)+67j
		mov	ebx, eax

loc_67AA90:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+4Ej
					; VmpSplitMemoryRange(x,x,x)+6Bj
		test	ebx, ebx
		jnz	short loc_67AA71

loc_67AA94:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+58j
		test	ebx, ebx
		jz	loc_67ACA6
		cmp	edi, [ebx+10h]
		jz	loc_67AC9F
		mov	ecx, ebx
		call	_VmpVaRangeNumberOfGpaRanges@4 ; VmpVaRangeNumberOfGpaRanges(x)
		mov	edi, eax
		mov	esi, edx
		mov	eax, [ebp+var_10]
		push	eax
		mov	ecx, [eax+14h]
		mov	[ebp+var_14], ecx
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, byte ptr [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	[ebp+var_18], 0
		push	esi
		push	edi
		call	_VmpAllocateMemoryRanges@8 ; VmpAllocateMemoryRanges(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_67AC98
		mov	esi, [ebp+var_10]
		mov	ecx, esi
		call	_VmpProcessContextLockExclusive@4 ; VmpProcessContextLockExclusive(x)
		mov	[ebp+var_4], eax
		mov	eax, [ebp+var_14]
		cmp	eax, [esi+14h]
		jz	short loc_67AB10
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	_VmpFreeMemoryRanges@4 ; VmpFreeMemoryRanges(x)
		mov	edi, [ebp+var_C]
		jmp	loc_67AA36
; 

loc_67AB10:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+CFj
		mov	ecx, [ebp+var_C]
		lea	edx, [esi+0Ch]
		mov	eax, ecx
		sub	eax, [ebx+0Ch]
		inc	eax
		mov	[ebp+var_1C], eax
		mov	eax, [ebx+10h]
		mov	[edi+10h], eax
		lea	eax, [ecx+1]
		mov	[edi+0Ch], eax
		mov	[ebx+10h], ecx
		test	byte ptr [edx+4], 1
		mov	ecx, [edx]
		jz	short loc_67AB40
		test	ecx, ecx
		jz	short loc_67AB3E
		xor	ecx, edx
		jmp	short loc_67AB40
; 

loc_67AB3E:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+117j
		xor	ecx, ecx

loc_67AB40:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+113j
					; VmpSplitMemoryRange(x,x,x)+11Bj
		movzx	eax, byte ptr [edx+4]
		and	eax, 1
		mov	byte ptr [ebp+arg_0], 0
		mov	[ebp+var_C], eax
		test	ecx, ecx
		jz	short loc_67AB98
		mov	eax, [edi+0Ch]
		mov	[ebp+var_14], eax

loc_67AB58:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+171j
		cmp	eax, [ecx+10h]
		ja	short loc_67AB7A
		cmp	eax, [ecx+0Ch]
		jnb	short loc_67AB7A
		cmp	[ebp+var_C], 0
		mov	eax, [ecx]
		jz	short loc_67AB70
		test	eax, eax
		jz	short loc_67AB74
		xor	eax, ecx

loc_67AB70:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+147j
		test	eax, eax
		jnz	short loc_67AB8D

loc_67AB74:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+14Bj
		mov	byte ptr [ebp+arg_0], 0
		jmp	short loc_67AB98
; 

loc_67AB7A:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+13Aj
					; VmpSplitMemoryRange(x,x,x)+13Fj
		cmp	[ebp+var_C], 0
		mov	eax, [ecx+4]
		jz	short loc_67AB89
		test	eax, eax
		jz	short loc_67AB94
		xor	eax, ecx

loc_67AB89:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+160j
		test	eax, eax
		jz	short loc_67AB94

loc_67AB8D:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+151j
		mov	ecx, eax
		mov	eax, [ebp+var_14]
		jmp	short loc_67AB58
; 

loc_67AB94:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+164j
					; VmpSplitMemoryRange(x,x,x)+16Aj
		mov	byte ptr [ebp+arg_0], 1

loc_67AB98:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+12Fj
					; VmpSplitMemoryRange(x,x,x)+157j
		push	edi
		push	[ebp+arg_0]
		push	ecx
		push	edx
		call	RtlRbInsertNodeEx
		mov	edi, [edi+14h]
		lea	eax, [ebx+14h]
		mov	ecx, [eax]
		xor	ebx, ebx
		mov	[ebp+var_24], eax
		lea	eax, [esi+4]
		mov	[ebp+arg_0], ecx
		mov	esi, eax
		mov	[ebp+var_8], eax

loc_67ABBB:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+26Aj
		mov	edx, [ecx+18h]
		mov	ecx, [ecx+1Ch]
		add	edx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		adc	ecx, ebx
		mov	[edi+18h], edx
		mov	[edi+1Ch], ecx
		add	edx, 0FFFFFFFFh
		mov	eax, [eax+20h]
		adc	ecx, 0FFFFFFFFh
		mov	[edi+20h], eax
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+24h]
		mov	[edi+24h], eax
		mov	eax, [ebp+arg_0]
		mov	[eax+20h], edx
		mov	[eax+24h], ecx
		test	byte ptr [esi+4], 1
		mov	ecx, [esi]
		jz	short loc_67ABFF
		test	ecx, ecx
		jz	short loc_67ABFD
		xor	ecx, esi
		jmp	short loc_67ABFF
; 

loc_67ABFD:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+1D6j
		mov	ecx, ebx

loc_67ABFF:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+1D2j
					; VmpSplitMemoryRange(x,x,x)+1DAj
		movzx	edx, byte ptr [esi+4]
		and	edx, 1
		mov	byte ptr [ebp+var_C], bl
		test	ecx, ecx
		jz	short loc_67AC6E
		mov	eax, [edi+18h]
		mov	esi, [edi+1Ch]
		mov	[ebp+var_20], eax
		mov	[ebp+var_14], esi

loc_67AC19:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+247j
		mov	esi, [ebp+var_14]
		cmp	esi, [ecx+18h]
		mov	esi, [ebp+var_8]
		ja	short loc_67AC52
		jb	short loc_67AC2B
		cmp	eax, [ecx+14h]
		ja	short loc_67AC52

loc_67AC2B:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+203j
		mov	esi, [ebp+var_14]
		cmp	esi, [ecx+10h]
		mov	esi, [ebp+var_8]
		ja	short loc_67AC52
		jb	short loc_67AC3D
		cmp	eax, [ecx+0Ch]
		jnb	short loc_67AC52

loc_67AC3D:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+215j
		mov	eax, [ecx]
		test	edx, edx
		jz	short loc_67AC49
		test	eax, eax
		jz	short loc_67AC4D
		xor	eax, ecx

loc_67AC49:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+220j
		test	eax, eax
		jnz	short loc_67AC63

loc_67AC4D:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+224j
		mov	byte ptr [ebp+var_C], bl
		jmp	short loc_67AC6E
; 

loc_67AC52:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+201j
					; VmpSplitMemoryRange(x,x,x)+208j ...
		mov	eax, [ecx+4]
		test	edx, edx
		jz	short loc_67AC5F
		test	eax, eax
		jz	short loc_67AC6A
		xor	eax, ecx

loc_67AC5F:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+236j
		test	eax, eax
		jz	short loc_67AC6A

loc_67AC63:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+22Aj
		mov	ecx, eax
		mov	eax, [ebp+var_20]
		jmp	short loc_67AC19
; 

loc_67AC6A:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+23Aj
					; VmpSplitMemoryRange(x,x,x)+240j
		mov	byte ptr [ebp+var_C], 1

loc_67AC6E:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+1EAj
					; VmpSplitMemoryRange(x,x,x)+22Fj
		lea	eax, [edi+0Ch]
		push	eax
		push	[ebp+var_C]
		push	ecx
		push	esi
		call	RtlRbInsertNodeEx
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx]
		mov	[ebp+arg_0], ecx
		cmp	ecx, [ebp+var_24]
		jz	short loc_67AC90
		mov	edi, [edi]
		jmp	loc_67ABBB
; 

loc_67AC90:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+266j
		mov	esi, [ebp+var_10]
		inc	dword ptr [esi+14h]
		jmp	short loc_67ACB2
; 

loc_67AC98:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+B6j
		mov	ebx, 0C000009Ah
		jmp	short loc_67ACD4
; 

loc_67AC9F:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+7Ej
		mov	ebx, 0C0000141h
		jmp	short loc_67ACB2
; 

loc_67ACA6:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+75j
		mov	ebx, 0C000028Ch
		jmp	short loc_67ACB2
; 

loc_67ACAD:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+2Cj
		mov	ebx, 0C0000719h

loc_67ACB2:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+275j
					; VmpSplitMemoryRange(x,x,x)+283j ...
		cmp	[ebp+var_4], 0FFFFFFFFh
		jz	short loc_67ACD4
		cmp	[ebp+var_18], 0
		push	esi
		jz	short loc_67ACC6
		call	ExReleaseSpinLockSharedFromDpcLevel
		jmp	short loc_67ACCB
; 

loc_67ACC6:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+29Cj
		call	ExReleaseSpinLockExclusiveFromDpcLevel

loc_67ACCB:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+2A3j
		mov	cl, byte ptr [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_67ACD4:				; CODE XREF: VmpSplitMemoryRange(x,x,x)+27Cj
					; VmpSplitMemoryRange(x,x,x)+295j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_VmpSplitMemoryRange@12	endp


;  S U B	R O U T	I N E 


; __stdcall VmpVaMemoryRangeGetNext(x, x)
_VmpVaMemoryRangeGetNext@8 proc	near	; CODE XREF: VmpConvertPortionVpnRangeToGpnRange(x,x,x,x,x,x)+1B7p
		test	edx, edx
		jnz	short loc_67ACFF
		mov	eax, [ecx+10h]
		add	ecx, 0Ch
		test	al, 1
		jz	short loc_67ACFB
		cmp	eax, 1
		jnz	short loc_67ACF4
		xor	ecx, ecx
		jmp	short loc_67AD2B
; 

loc_67ACF4:				; CODE XREF: VmpVaMemoryRangeGetNext(x,x)+11j
		or	ecx, 1
		xor	ecx, eax
		jmp	short loc_67AD2B
; 

loc_67ACFB:				; CODE XREF: VmpVaMemoryRangeGetNext(x,x)+Cj
		mov	ecx, eax
		jmp	short loc_67AD2B
; 

loc_67ACFF:				; CODE XREF: VmpVaMemoryRangeGetNext(x,x)+2j
		mov	ecx, [edx+4]
		test	ecx, ecx
		jz	short loc_67AD18
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_67AD2B

loc_67AD0C:				; CODE XREF: VmpVaMemoryRangeGetNext(x,x)+37j
		mov	eax, [edx]
		mov	ecx, edx
		mov	edx, eax
		test	eax, eax
		jnz	short loc_67AD0C
		jmp	short loc_67AD2B
; 

loc_67AD18:				; CODE XREF: VmpVaMemoryRangeGetNext(x,x)+27j
		mov	ecx, [edx+8]
		jmp	short loc_67AD26
; 

loc_67AD1D:				; CODE XREF: VmpVaMemoryRangeGetNext(x,x)+4Cj
		cmp	[ecx], edx
		jz	short loc_67AD2B
		mov	edx, ecx
		mov	ecx, [ecx+8]

loc_67AD26:				; CODE XREF: VmpVaMemoryRangeGetNext(x,x)+3Ej
		and	ecx, 0FFFFFFFCh
		jnz	short loc_67AD1D

loc_67AD2B:				; CODE XREF: VmpVaMemoryRangeGetNext(x,x)+15j
					; VmpVaMemoryRangeGetNext(x,x)+1Cj ...
		mov	eax, ecx
		retn
_VmpVaMemoryRangeGetNext@8 endp


;  S U B	R O U T	I N E 


; __stdcall VmpVaRangeNumberOfGpaRanges(x)
_VmpVaRangeNumberOfGpaRanges@4 proc near ; CODE	XREF: VmpMergeMemoryRanges(x,x,x)+F6p
					; VmpMergeMemoryRanges(x,x,x)+102p ...
		mov	edi, edi
		push	esi
		lea	esi, [ecx+14h]
		xor	eax, eax
		mov	ecx, [esi]
		xor	edx, edx
		jmp	short loc_67AD44
; 

loc_67AD3C:				; CODE XREF: VmpVaRangeNumberOfGpaRanges(x)+18j
		mov	ecx, [ecx]
		add	eax, 1
		adc	edx, 0

loc_67AD44:				; CODE XREF: VmpVaRangeNumberOfGpaRanges(x)+Cj
		cmp	ecx, esi
		jnz	short loc_67AD3C
		pop	esi
		retn
_VmpVaRangeNumberOfGpaRanges@4 endp


;  S U B	R O U T	I N E 


; __stdcall WdiUpdateSem()
_WdiUpdateSem@0	proc near		; CODE XREF: NtTraceControl(x,x,x,x,x,x)+4B9p
		mov	edi, edi
		push	ecx
		call	_WdipAccessCheck@0 ; WdipAccessCheck()
		test	eax, eax
		js	short loc_67AD5B
		call	_WdipSemUpdate@0 ; WdipSemUpdate()

loc_67AD5B:				; CODE XREF: WdiUpdateSem()+Aj
		pop	ecx
		retn
_WdiUpdateSem@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipAccessCheck()
_WdipAccessCheck@0 proc	near		; CODE XREF: WdiUpdateSem()+3p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= word ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	eax, 20000h
		mov	[esp+40h+var_2C], 500h
		mov	[esp+40h+var_10], eax
		lea	edi, [esp+40h+var_24]
		mov	[esp+40h+var_C], eax
		xor	ecx, ecx
		xor	eax, eax
		mov	[esp+40h+var_30], ecx
		stosd
		mov	ebx, ecx
		mov	[esp+40h+var_14], 20001h
		mov	[esp+40h+var_8], 1F0001h
		mov	[esp+40h+var_28], ecx
		stosd
		stosd
		stosd
		mov	edi, 73494457h
		push	edi
		push	6
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_67ADD5
		mov	eax, 0C000009Ah
		jmp	loc_67AF35
; 

loc_67ADD5:				; CODE XREF: WdipAccessCheck()+6Cj
		push	6
		lea	eax, [esp+44h+var_30]
		push	eax
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	[esp+40h+var_34], eax
		test	eax, eax
		js	loc_67AF1D
		mov	eax, ds:_SeLocalSystemSid
		mov	dword ptr [esi+8], 50h
		mov	dword ptr [esi+0Ch], 0B10FF35Eh
		mov	dword ptr [esi+10h], 4AE6481h
		mov	dword ptr [esi+14h], 29A24CB1h
		mov	dword ptr [esi+18h], 214CB114h
		mov	dword ptr [esi+1Ch], 568656A6h
		movzx	ecx, byte ptr [eax+1]
		mov	eax, ds:_SeAliasAdminsSid
		push	edi
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		movzx	eax, byte ptr [esi+1]
		add	ecx, eax
		lea	eax, ds:58h[ecx*4]
		push	eax
		push	1
		mov	[esp+4Ch+var_30], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_67AE59
		mov	[esp+40h+var_34], 0C000009Ah
		jmp	loc_67AF1D
; 

loc_67AE59:				; CODE XREF: WdipAccessCheck()+EDj
		push	1
		push	ebx
		lea	edi, [ebx+14h]
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	[esp+40h+var_34], eax
		test	eax, eax
		js	loc_67AF1D
		mov	eax, [esp+40h+var_30]
		push	2		; int
		add	eax, 0FFFFFFECh
		push	eax		; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	[esp+40h+var_34], eax
		test	eax, eax
		js	loc_67AF1D
		push	ds:_SeAliasAdminsSid
		push	1
		push	2
		push	edi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	[esp+40h+var_34], eax
		test	eax, eax
		js	short loc_67AF1D
		push	ds:_SeLocalSystemSid
		push	1
		push	2
		push	edi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	[esp+40h+var_34], eax
		test	eax, eax
		js	short loc_67AF1D
		push	esi
		push	1
		push	2
		push	edi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	[esp+40h+var_34], eax
		test	eax, eax
		js	short loc_67AF1D
		push	0
		push	edi
		push	1
		push	ebx
		call	RtlSetDaclSecurityDescriptor
		mov	[esp+40h+var_34], eax
		test	eax, eax
		js	short loc_67AF1D
		lea	eax, [esp+40h+var_24]
		push	eax
		call	SeCaptureSubjectContext
		xor	ecx, ecx
		lea	eax, [esp+40h+var_34]
		push	ecx
		push	eax
		lea	eax, [esp+48h+var_28]
		xor	edx, edx
		push	eax
		push	1
		lea	eax, [esp+50h+var_14]
		push	eax
		push	ecx
		push	ecx
		push	1
		push	ecx
		lea	eax, [esp+64h+var_24]
		mov	ecx, ebx
		push	eax
		call	SeAccessCheckWithHintWithAdminlessChecks
		lea	eax, [esp+40h+var_24]
		push	eax
		call	SeReleaseSubjectContext

loc_67AF1D:				; CODE XREF: WdipAccessCheck()+8Bj
					; WdipAccessCheck()+F7j ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jz	short loc_67AF31
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_67AF31:				; CODE XREF: WdipAccessCheck()+1CAj
		mov	eax, [esp+40h+var_34]

loc_67AF35:				; CODE XREF: WdipAccessCheck()+73j
		mov	ecx, [esp+40h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_WdipAccessCheck@0 endp


;  S U B	R O U T	I N E 


; __stdcall WmipEnterSMCritSection()
_WmipEnterSMCritSection@0 proc near	; CODE XREF: .text:0067AFBEp
					; .text:0067B01Ep ...
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		retn
_WmipEnterSMCritSection@0 endp


;  S U B	R O U T	I N E 


; __stdcall WmiVerifierCopyEvent(x)
_WmiVerifierCopyEvent@4	proc near	; CODE XREF: VerifierIoWMIWriteEvent(x)+1Ep
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		push	70696D57h
		mov	ebx, [edi]
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_67AF82
		push	ebx		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_67AF82:				; CODE XREF: WmiVerifierCopyEvent(x)+1Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_WmiVerifierCopyEvent@4	endp


;  S U B	R O U T	I N E 


; __stdcall WmiVerifierTakeEventOwnership(x)
_WmiVerifierTakeEventOwnership@4 proc near ; CODE XREF:	VerifierIoWMIWriteEvent(x)+9p
		mov	eax, [ecx+2Ch]
		shr	eax, 11h
		not	al
		and	al, 1
		retn
_WmiVerifierTakeEventOwnership@4 endp

; 
		align 4
		db 2 dup(0CCh)
; 

; __stdcall WmipDeregisterRegEntry(x)
_WmipDeregisterRegEntry@4:		; CODE XREF: WmipRegisterDevice+119p
					; WmipDeregisterDevice(x)+64p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+10h]
		stosd
		mov	esi, ecx
		push	0
		push	1
		stosd
		stosd
		stosd
		lea	eax, [esp+18h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		call	_WmipEnterSMCritSection@0 ; WmipEnterSMCritSection()
		mov	ecx, offset _WmipRegistrationSpinLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	bl, al
		lea	edx, [esi+18h]
		lea	eax, [esp+10h]
		mov	edi, 0A0000000h
		mov	[esi+14h], eax
		mov	eax, [edx]

loc_67AFE0:				; CODE XREF: .text:0067AFE8j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_67AFE0
		mov	edi, offset _WmipRegistrationSpinLock
		mov	[esp+0Ch], eax
		mov	dl, bl
		mov	ecx, edi
		call	KfReleaseSpinLock
		xor	ebx, ebx
		push	ebx
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	ecx, esi
		call	WmipUnreferenceRegEntry
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+20h]
		push	eax
		call	KeWaitForSingleObject
		call	_WmipEnterSMCritSection@0 ; WmipEnterSMCritSection()
		mov	ecx, edi
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	edi, [esi]
		dec	ds:_WmipInUseRegEntryCount
		cmp	[edi+4], esi
		jnz	short loc_67B092
		mov	edx, [esi+4]
		cmp	[edx], esi
		jnz	short loc_67B092
		mov	[edx], edi
		mov	ecx, offset _WmipRegistrationSpinLock
		mov	[edi+4], edx
		mov	dl, al
		call	KfReleaseSpinLock
		push	ebx
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		test	dword ptr [esp+0Ch], 10000000h
		jnz	short loc_67B06C
		mov	ecx, [esi+8]
		call	ObfDereferenceObject

loc_67B06C:				; CODE XREF: .text:0067B062j
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_67B078
		call	ObfDereferenceObject

loc_67B078:				; CODE XREF: .text:0067B071j
		mov	ecx, esi
		call	_WmipRemoveDS@4	; WmipRemoveDS(x)
		mov	edx, esi
		mov	ecx, offset _WmipRegLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_67B092:				; CODE XREF: .text:0067B035j
					; .text:0067B03Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		dd 0CCCCCCCCh
; Exported entry 172. WmiGetClock

;  S U B	R O U T	I N E 


; __fastcall WmiGetClock(x, x)
		public @WmiGetClock@8
@WmiGetClock@8	proc near
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+1F0h]
		test	esi, esi
		jz	short loc_67B0D1
		cmp	esi, 2
		jz	short loc_67B0E3
		jle	short loc_67B0CB
		cmp	esi, 4
		jle	short loc_67B0C5
		cmp	esi, 5
		jnz	short loc_67B0CB

loc_67B0C1:				; CODE XREF: WmiGetClock(x,x)+45j
		rdtsc
		pop	esi
		retn
; 

loc_67B0C5:				; CODE XREF: WmiGetClock(x,x)+1Ej
		xor	eax, eax
		mov	edx, eax
		pop	esi
		retn
; 

loc_67B0CB:				; CODE XREF: WmiGetClock(x,x)+19j
					; WmiGetClock(x,x)+23j	...
		pop	esi
		jmp	RtlGetSystemTimePrecise
; 

loc_67B0D1:				; CODE XREF: WmiGetClock(x,x)+12j
		movzx	eax, byte ptr [eax+915h]
		dec	eax
		sub	eax, 1
		jz	short loc_67B0CB
		sub	eax, 1
		jz	short loc_67B0C1

loc_67B0E3:				; CODE XREF: WmiGetClock(x,x)+17j
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		pop	esi
		retn
@WmiGetClock@8	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 292. EtwSendTraceBuffer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwSendTraceBuffer(x, x, x,	x, x, x)
		public _EtwSendTraceBuffer@24
_EtwSendTraceBuffer@24 proc near

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= word ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_1], bl
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		movzx	esi, [ebp+arg_0]
		mov	eax, [eax+1F0h]
		cmp	esi, [eax+8]
		jb	short loc_67B11D
		mov	eax, 0C0000008h
		jmp	loc_67B241
; 

loc_67B11D:				; CODE XREF: EtwSendTraceBuffer(x,x,x,x,x,x)+1Fj
		mov	edx, ds:_EtwpHostSiloState
		lea	eax, [ebp-1]
		push	edi
		push	eax
		push	ebx
		mov	ecx, esi
		call	_EtwpOpenLogger@16 ; EtwpOpenLogger(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_67B140
		mov	eax, 0C0000296h
		jmp	loc_67B240
; 

loc_67B140:				; CODE XREF: EtwSendTraceBuffer(x,x,x,x,x,x)+42j
		cmp	[edi+0F8h], ebx
		jnz	short loc_67B152
		mov	ebx, 0C0000302h
		jmp	loc_67B215
; 

loc_67B152:				; CODE XREF: EtwSendTraceBuffer(x,x,x,x,x,x)+54j
		test	dword ptr [edi+0Ch], 40000h
		jnz	short loc_67B165
		mov	ebx, 0C0000008h
		jmp	loc_67B215
; 

loc_67B165:				; CODE XREF: EtwSendTraceBuffer(x,x,x,x,x,x)+67j
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_67B176
		lea	eax, [edi+0A8h]
		lock xadd [eax], ecx

loc_67B176:				; CODE XREF: EtwSendTraceBuffer(x,x,x,x,x,x)+78j
		mov	esi, [ebp+arg_8]
		push	5
		mov	ecx, [esi+30h]
		mov	eax, [esi]
		add	eax, ecx
		mov	[esi+4], ecx
		test	byte ptr [esi+34h], 20h
		mov	[esi+8], eax
		pop	eax
		mov	dword ptr [esi+2Ch], 3
		mov	[esi+36h], ax
		jnz	short loc_67B1A2
		movzx	eax, byte ptr [esi+28h]
		mov	[esi+28h], ax

loc_67B1A2:				; CODE XREF: EtwSendTraceBuffer(x,x,x,x,x,x)+A6j
		mov	eax, [ebp+arg_10]
		mov	ecx, edi
		mov	[esi+38h], eax
		mov	eax, [ebp+arg_14]
		mov	[esi+3Ch], eax
		call	EtwpGetLoggerTimeStamp
		mov	[esi+10h], eax
		lea	ebx, [edi+58h]
		mov	[esi+14h], edx

loc_67B1BE:				; CODE XREF: EtwSendTraceBuffer(x,x,x,x,x,x)+DBj
		mov	edx, [ebx]
		mov	ecx, esi
		mov	[esi+20h], edx
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_67B1BE
		push	0
		pop	ebx
		test	edx, edx
		jnz	short loc_67B211
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_67B1F9
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	short loc_67B1F9
		push	ebx
		push	ebx
		lea	eax, [edi+174h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_67B211
; 

loc_67B1F9:				; CODE XREF: EtwSendTraceBuffer(x,x,x,x,x,x)+EBj
					; EtwSendTraceBuffer(x,x,x,x,x,x)+F5j
		lea	eax, [edi+25Ch]
		lock bts dword ptr [eax], 8
		jb	short loc_67B211
		lea	ecx, [edi+1B0h]
		call	_EtwpInsertQueueDpc@4 ;	EtwpInsertQueueDpc(x)

loc_67B211:				; CODE XREF: EtwSendTraceBuffer(x,x,x,x,x,x)+E2j
					; EtwSendTraceBuffer(x,x,x,x,x,x)+105j	...
		movzx	esi, [ebp+arg_0]

loc_67B215:				; CODE XREF: EtwSendTraceBuffer(x,x,x,x,x,x)+5Bj
					; EtwSendTraceBuffer(x,x,x,x,x,x)+6Ej
		cmp	[ebp+var_1], 0
		jz	short loc_67B23E
		mov	edx, ds:_EtwpHostSiloState
		mov	ecx, [edx+188h]
		xor	edx, edx
		inc	edx
		mov	ecx, [ecx+esi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_67B23E:				; CODE XREF: EtwSendTraceBuffer(x,x,x,x,x,x)+127j
		mov	eax, ebx

loc_67B240:				; CODE XREF: EtwSendTraceBuffer(x,x,x,x,x,x)+49j
		pop	edi

loc_67B241:				; CODE XREF: EtwSendTraceBuffer(x,x,x,x,x,x)+26j
		pop	esi
		pop	ebx
		leave
		retn	18h
_EtwSendTraceBuffer@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceEvent(x, x,	x, x, x, x)
_EtwTraceEvent@24 proc near		; CODE XREF: .text:005ADE0Bp
					; .text:005ADF39p ...

var_178		= dword	ptr -178h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_122		= dword	ptr -122h
var_118		= dword	ptr -118h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= word ptr  8
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		push	168h
		push	offset dword_6A9CC8
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	[ebp+var_130], esi
		mov	ebx, ecx
		mov	cl, [ebp+arg_C]
		mov	byte ptr [ebp+var_122+1], cl
		mov	byte ptr [ebp+var_13C],	cl
		xor	eax, eax
		lea	edi, [ebp+var_178]
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_14C], eax
		mov	byte ptr [ebp+var_122],	al
		mov	[ebp+var_140], eax
		mov	[ebp+var_12C], eax
		mov	[ebp+var_128], eax
		mov	[ebp+var_160], eax
		mov	[ebp+var_15C], eax
		movzx	eax, [ebp+arg_0]
		mov	[ebp+var_148], eax
		test	cl, cl
		jnz	short loc_67B2BB
		mov	eax, ds:_EtwpHostSiloState
		jmp	short loc_67B2C6
; 

loc_67B2BB:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+6Bj
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+1F0h]

loc_67B2C6:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+72j
		mov	[ebp+var_138], eax
		mov	ecx, [ebp+var_148]
		cmp	ecx, [eax+8]
		jb	short loc_67B2E1

loc_67B2D7:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+BCj
		mov	eax, 0C0000008h
		jmp	loc_67B6EA
; 

loc_67B2E1:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+8Ej
		lea	eax, [ebp+var_122]
		push	eax
		push	[ebp+var_13C]
		mov	edx, [ebp+var_138]
		call	_EtwpOpenLogger@16 ; EtwpOpenLogger(x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_134], edi
		test	edi, edi
		jz	short loc_67B2D7
		mov	eax, [edi+0Ch]
		test	al, al
		jns	short loc_67B31C
		mov	eax, 0C0000022h

loc_67B311:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+EBj
					; EtwTraceEvent(x,x,x,x,x,x)+23Cj ...
		mov	[ebp+var_128], eax
		jmp	loc_67B6B2
; 

loc_67B31C:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+C3j
		mov	cl, byte ptr [ebp+var_122+1]
		test	cl, cl
		jnz	short loc_67B334
		test	eax, 1000000h
		jz	short loc_67B334
		mov	eax, 0C00000BBh
		jmp	short loc_67B311
; 

loc_67B334:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+DDj
					; EtwTraceEvent(x,x,x,x,x,x)+E4j
		and	[ebp+ms_exc.disabled], 0
		test	cl, cl
		jz	short loc_67B35F
		test	bl, 3
		jz	short loc_67B346

loc_67B341:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+181j
					; EtwTraceEvent(x,x,x,x,x,x)+325j ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_67B346:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+F8j
		lea	ecx, [esi+ebx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_67B356
		cmp	ecx, ebx
		jnb	short loc_67B359

loc_67B356:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+109j
		mov	byte ptr [eax],	0

loc_67B359:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+10Dj
		mov	cl, byte ptr [ebp+var_122+1]

loc_67B35F:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+F3j
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_12C], eax
		cmp	eax, esi
		jnb	short loc_67B376
		mov	eax, 0C000000Dh
		jmp	loc_67B6A5
; 

loc_67B376:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+123j
		mov	eax, [ebx+2Ch]
		mov	[ebp+var_14C], eax
		mov	[ebp+var_158], eax
		test	eax, 100000h
		jz	loc_67B43C
		and	[ebp+var_150], 0
		lea	eax, [esi+ebx]
		mov	esi, [ebp+var_12C]
		mov	edi, esi
		sub	edi, [ebp+var_130]
		cmp	edi, 100h
		jbe	short loc_67B3BA
		mov	eax, 0C000008Ch
		jmp	loc_67B6A5
; 

loc_67B3BA:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+167j
		test	edi, edi
		jz	loc_67B444
		test	cl, cl
		jz	short loc_67B3E2
		test	al, 3
		jnz	loc_67B341
		lea	ecx, [edi+eax]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	short loc_67B3DF
		cmp	ecx, eax
		jnb	short loc_67B3E2

loc_67B3DF:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+192j
		mov	byte ptr [edx],	0

loc_67B3E2:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+17Dj
					; EtwTraceEvent(x,x,x,x,x,x)+196j
		push	edi		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_122+2]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	esi, [ebp+var_130]
		mov	[ebp+var_12C], esi
		shr	edi, 4
		mov	[ebp+var_140], edi
		xor	ecx, ecx

loc_67B40A:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+1F3j
		mov	[ebp+var_150], ecx
		cmp	ecx, [ebp+var_140]
		jge	short loc_67B444
		mov	eax, ecx
		add	eax, eax
		mov	eax, [ebp+eax*8+var_118]
		add	esi, eax
		mov	[ebp+var_12C], esi
		cmp	esi, eax
		jnb	short loc_67B439
		mov	eax, 80000005h
		jmp	loc_67B6A5
; 

loc_67B439:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+1E6j
		inc	ecx
		jmp	short loc_67B40A
; 

loc_67B43C:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+143j
		mov	esi, [ebp+var_12C]
		jmp	short loc_67B44A
; 

loc_67B444:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+175j
					; EtwTraceEvent(x,x,x,x,x,x)+1CFj
		mov	edi, [ebp+var_134]

loc_67B44A:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+1FBj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	0
		lea	eax, [ebp+var_160]
		push	eax
		lea	eax, [ebp+var_178]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	EtwpReserveTraceBuffer
		mov	edi, eax
		mov	[ebp+var_13C], edi
		test	edi, edi
		jnz	short loc_67B4A2
		cmp	esi, 0FFF8h
		jbe	short loc_67B488
		mov	eax, 0C0000095h
		jmp	loc_67B311
; 

loc_67B488:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+235j
		mov	ecx, [ebp+var_134]
		cmp	[ecx+8], esi
		sbb	eax, eax
		and	eax, 0BFFFFFEEh
		add	eax, 0C0000017h
		jmp	loc_67B311
; 

loc_67B4A2:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+22Dj
		mov	[ebp+ms_exc.disabled], 1
		test	[ebp+var_158], 100000h
		jz	loc_67B55C
		and	[ebp+var_154], 0
		mov	ecx, [ebp+var_130]
		lea	eax, [ecx+edi]
		mov	[ebp+var_144], eax
		push	ecx		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	esi, esi

loc_67B4DC:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+313j
		mov	[ebp+var_154], esi
		cmp	esi, [ebp+var_140]
		jge	loc_67B591
		mov	eax, esi
		add	eax, eax
		mov	ecx, [ebp+eax*8+var_122+2]
		mov	eax, [ebp+eax*8+var_118]
		mov	[ebp+var_164], eax
		test	ecx, ecx
		jz	short loc_67B559
		test	eax, eax
		jz	short loc_67B559
		cmp	byte ptr [ebp+var_122+1], 0
		jz	short loc_67B53D
		lea	edx, [eax+ecx]
		mov	edi, ds:_MmUserProbeAddress
		mov	[ebp+var_130], edi
		cmp	edx, edi
		mov	edi, [ebp+var_13C]
		ja	short loc_67B534
		cmp	edx, ecx
		jnb	short loc_67B53D

loc_67B534:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+2E7j
		mov	edx, [ebp+var_130]
		mov	byte ptr [edx],	0

loc_67B53D:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+2CEj
					; EtwTraceEvent(x,x,x,x,x,x)+2EBj
		push	eax		; size_t
		push	ecx		; void *
		push	[ebp+var_144]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_164]
		add	[ebp+var_144], eax

loc_67B559:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+2C1j
					; EtwTraceEvent(x,x,x,x,x,x)+2C5j
		inc	esi
		jmp	short loc_67B4DC
; 

loc_67B55C:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+26Cj
		cmp	byte ptr [ebp+var_122+1], 0
		jz	short loc_67B586
		test	esi, esi
		jz	short loc_67B586
		test	bl, 3
		jnz	loc_67B341
		lea	eax, [ebx+esi]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_67B583
		cmp	eax, ebx
		jnb	short loc_67B586

loc_67B583:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+336j
		mov	byte ptr [ecx],	0

loc_67B586:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+31Cj
					; EtwTraceEvent(x,x,x,x,x,x)+320j ...
		push	esi		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_67B591:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+2A1j
		test	[ebp+var_158], 80000h
		jz	short loc_67B5EE
		mov	ecx, [ebx+18h]
		cmp	byte ptr [ebp+var_122+1], 0
		jz	short loc_67B5C3
		mov	eax, ecx
		test	cl, 3
		jnz	loc_67B341
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		jb	short loc_67B5C0
		mov	eax, edx

loc_67B5C0:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+375j
		nop
		mov	al, [eax]

loc_67B5C3:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+360j
		add	edi, 18h
		mov	esi, ecx
		movsd
		movsd
		movsd
		movsd
		jmp	short loc_67B5EE
; 

loc_67B5CE:				; DATA XREF: .text:006A9CE8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_168], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_67B5DF:				; DATA XREF: .text:006A9CECo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_168]
		mov	[ebp+var_128], eax

loc_67B5EE:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+354j
					; EtwTraceEvent(x,x,x,x,x,x)+385j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, large fs:124h
		mov	eax, [ebp+var_12C]
		or	eax, [ebp+arg_8]
		mov	edx, [ebp+var_13C]
		mov	[edx], eax
		mov	eax, [ebp+var_160]
		mov	[edx+10h], eax
		mov	eax, [ebp+var_15C]
		mov	[edx+14h], eax
		mov	eax, [ecx+194h]
		mov	[edx+28h], eax
		mov	eax, [ecx+1C0h]
		mov	[edx+2Ch], eax
		mov	eax, [ecx+2B0h]
		mov	[edx+8], eax
		mov	eax, [ecx+2ACh]
		mov	[edx+0Ch], eax
		mov	ecx, [ebp+var_134]
		test	dword ptr [ecx+0Ch], 80000h
		jz	short loc_67B678
		cmp	ds:_KdDebuggerNotPresent, 0
		jnz	short loc_67B664
		cmp	ds:_KdPitchDebugger, 0
		jz	short loc_67B66D

loc_67B664:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+412j
		cmp	ds:_KdEventLoggingPresent, 0
		jz	short loc_67B678

loc_67B66D:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+41Bj
		lea	edx, [ebp+var_178]
		call	_EtwpSendTraceEvent@8 ;	EtwpSendTraceEvent(x,x)

loc_67B678:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+409j
					; EtwTraceEvent(x,x,x,x,x,x)+424j
		lea	ecx, [ebp+var_178]
		call	_EtwpReleaseTraceBuffer@4 ; EtwpReleaseTraceBuffer(x)
		mov	eax, [ebp+var_128]
		jmp	short loc_67B6B2
; 

loc_67B68B:				; DATA XREF: .text:006A9CDCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_16C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_67B69C:				; DATA XREF: .text:006A9CE0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_16C]

loc_67B6A5:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+12Aj
					; EtwTraceEvent(x,x,x,x,x,x)+16Ej ...
		mov	[ebp+var_128], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_67B6B2:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+D0j
					; EtwTraceEvent(x,x,x,x,x,x)+442j
		cmp	byte ptr [ebp+var_122],	0
		jz	short loc_67B6EA
		mov	eax, [ebp+var_138]
		mov	eax, [eax+188h]
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+var_148]
		mov	ecx, [eax+ecx*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_128]

loc_67B6EA:				; CODE XREF: EtwTraceEvent(x,x,x,x,x,x)+95j
					; EtwTraceEvent(x,x,x,x,x,x)+472j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_EtwTraceEvent@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceRaw(x, x, x, x, x)
_EtwTraceRaw@20	proc near		; CODE XREF: .text:005ADF0Cp

var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		push	34h
		push	offset dword_6A9CA0
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_24], ecx
		xor	eax, eax
		lea	edi, [ebp+var_44]
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_19], al
		mov	esi, eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		movzx	eax, [ebp+arg_0]
		mov	[ebp+var_20], eax
		cmp	[ebp+arg_8], 0
		jnz	short loc_67B736
		mov	eax, ds:_EtwpHostSiloState
		jmp	short loc_67B741
; 

loc_67B736:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+31j
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+1F0h]

loc_67B741:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+38j
		mov	[ebp+arg_4], eax
		mov	ecx, [ebp+var_20]
		cmp	ecx, [eax+8]
		jb	short loc_67B756

loc_67B74C:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+70j
		mov	esi, 0C0000008h
		jmp	loc_67B8DE
; 

loc_67B756:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+4Ej
		lea	eax, [ebp+var_19]
		push	eax
		push	dword ptr [ebp+arg_8]
		mov	edx, [ebp+arg_4]
		call	_EtwpOpenLogger@16 ; EtwpOpenLogger(x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_30], edi
		test	edi, edi
		jz	short loc_67B74C
		test	byte ptr [edi+0Ch], 80h
		jz	short loc_67B77E
		mov	esi, 0C0000022h
		jmp	loc_67B8B5
; 

loc_67B77E:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+76j
		cmp	[ebp+arg_8], 0
		jz	short loc_67B7A0
		mov	edx, edi
		mov	ecx, 200h
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_67B8B5
		cmp	[ebp+arg_8], 0
		jnz	short loc_67B7B9

loc_67B7A0:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+86j
		test	dword ptr [edi+0Ch], 1000000h
		jz	short loc_67B7B3
		mov	esi, 0C00000BBh
		jmp	loc_67B8B5
; 

loc_67B7B3:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+ABj
		cmp	[ebp+arg_8], 0
		jz	short loc_67B7E8

loc_67B7B9:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+A2j
		and	[ebp+ms_exc.disabled], 0
		test	ebx, ebx
		jz	short loc_67B7E1
		mov	edx, [ebp+var_24]
		test	dl, 3
		jz	short loc_67B7CE
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_67B7CE:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+CBj
		lea	ecx, [edx+ebx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_67B7DE
		cmp	ecx, edx
		jnb	short loc_67B7E1

loc_67B7DE:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+DCj
		mov	byte ptr [eax],	0

loc_67B7E1:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+C3j
					; EtwTraceRaw(x,x,x,x,x)+E0j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_67B7E8:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+BBj
		push	0
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		mov	edx, ebx
		mov	ecx, edi
		call	EtwpReserveTraceBuffer
		test	eax, eax
		jnz	short loc_67B844
		cmp	ebx, 0FFF8h
		jbe	short loc_67B831
		mov	esi, 0C0000095h
		jmp	loc_67B8B5
; 

loc_67B811:				; DATA XREF: .text:006A9CB4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_67B81F:				; DATA XREF: .text:006A9CB8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_28]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_67B8B5
; 

loc_67B831:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+109j
		cmp	[edi+8], ebx
		sbb	esi, esi
		and	esi, 0BFFFFFEEh
		add	esi, 0C0000017h
		jmp	short loc_67B8B5
; 

loc_67B844:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+101j
		mov	[ebp+ms_exc.disabled], 1
		push	ebx		; size_t
		push	[ebp+var_24]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_67B87F
; 

loc_67B861:				; DATA XREF: .text:006A9CC0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_67B86F:				; DATA XREF: .text:006A9CC4o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_2C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_30]

loc_67B87F:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+163j
		test	dword ptr [edi+0Ch], 80000h
		jz	short loc_67B8AD
		cmp	ds:_KdDebuggerNotPresent, 0
		jnz	short loc_67B89A
		cmp	ds:_KdPitchDebugger, 0
		jz	short loc_67B8A3

loc_67B89A:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+193j
		cmp	ds:_KdEventLoggingPresent, 0
		jz	short loc_67B8AD

loc_67B8A3:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+19Cj
		lea	edx, [ebp+var_44]
		mov	ecx, edi
		call	_EtwpSendTraceEvent@8 ;	EtwpSendTraceEvent(x,x)

loc_67B8AD:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+18Aj
					; EtwTraceRaw(x,x,x,x,x)+1A5j
		lea	ecx, [ebp+var_44]
		call	_EtwpReleaseTraceBuffer@4 ; EtwpReleaseTraceBuffer(x)

loc_67B8B5:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+7Dj
					; EtwTraceRaw(x,x,x,x,x)+98j ...
		cmp	[ebp+var_19], 0
		jz	short loc_67B8DE
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+188h]
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+var_20]
		mov	ecx, [eax+ecx*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_67B8DE:				; CODE XREF: EtwTraceRaw(x,x,x,x,x)+55j
					; EtwTraceRaw(x,x,x,x,x)+1BDj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_EtwTraceRaw@20	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2635. WmiTraceMessageVa

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmiTraceMessageVa(x, x, x, x, x, x)
		public _WmiTraceMessageVa@24
_WmiTraceMessageVa@24 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		push	0
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	EtwpTraceMessageVa
		pop	ebp
		retn	18h
_WmiTraceMessageVa@24 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 300. EtwWriteString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwWriteString(x, x, x, x, x, x, x)
		public _EtwWriteString@28
_EtwWriteString@28 proc	near

var_A6		= byte ptr -0A6h
var_A5		= byte ptr -0A5h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_78		= dword	ptr -78h
var_66		= byte ptr -66h
var_65		= byte ptr -65h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= byte ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		mov	[esp+78h+var_54], eax
		lea	edi, [esp+78h+var_24]
		mov	eax, [ebp+arg_14]
		push	8
		mov	[esp+7Ch+var_5C], eax
		xor	eax, eax
		mov	[esp+7Ch+var_4C], edx
		mov	[esp+7Ch+var_58], edx
		mov	[esp+7Ch+var_54], edx
		pop	ecx
		rep stosd
		test	esi, esi
		jnz	short loc_67B971
		mov	eax, 0C0000008h
		jmp	loc_67BB97
; 

loc_67B971:				; CODE XREF: EtwWriteString(x,x,x,x,x,x,x)+47j
		mov	ecx, [esi+38h]
		lea	edi, [esp+78h+var_38]
		mov	dl, [ebp+arg_8]
		lea	eax, [ecx+10h]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		xor	eax, eax
		stosd
		mov	[esp+78h+var_60], ecx
		mov	ecx, [ebp+arg_18]
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_10]
		mov	edi, [ebp+arg_C]
		mov	[esp+78h+var_2C], eax
		lea	eax, [ecx+2]
		mov	[esp+78h+var_34], dl
		mov	[esp+78h+var_30], edi
		mov	[esp+78h+var_64], eax

loc_67B9AA:				; CODE XREF: EtwWriteString(x,x,x,x,x,x,x)+97j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+78h+var_4C]
		jnz	short loc_67B9AA
		sub	ecx, [esp+78h+var_64]
		mov	eax, [ebp+arg_18]
		mov	[esp+78h+var_48], eax
		xor	eax, eax
		sar	ecx, 1
		mov	[esp+78h+var_44], eax
		lea	eax, ds:2[ecx*2]
		mov	[esp+78h+var_40], eax
		xor	eax, eax
		mov	[esp+78h+var_3C], eax
		mov	al, [esi+34h]
		mov	[esp+78h+var_65], al
		test	al, al
		jz	short loc_67BA40
		mov	eax, [esi+10h]
		push	[ebp+arg_10]
		mov	[esp+7Ch+var_64], eax
		push	edi
		lea	ecx, [eax+40h]
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		mov	edi, [esp+78h+var_60]
		test	al, al
		jz	short loc_67BA3B
		xor	ecx, ecx
		mov	dl, [esp+78h+var_65]
		lea	eax, [esp+78h+var_58]
		push	eax
		movzx	eax, word ptr [esi+32h]
		push	edi
		push	eax
		push	ecx
		lea	eax, [esp+88h+var_24]
		push	eax
		push	ecx
		lea	eax, [esp+90h+var_48]
		push	eax
		push	1
		push	ecx
		push	[esp+9Ch+var_5C]
		lea	eax, [esp+0A0h+var_38]
		push	ecx
		push	4
		push	eax
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, [esp+0B8h+var_64]
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax

loc_67BA3B:				; CODE XREF: EtwWriteString(x,x,x,x,x,x,x)+E1j
		mov	dl, [ebp+arg_8]
		jmp	short loc_67BA44
; 

loc_67BA40:				; CODE XREF: EtwWriteString(x,x,x,x,x,x,x)+C6j
		mov	edi, [esp+78h+var_60]

loc_67BA44:				; CODE XREF: EtwWriteString(x,x,x,x,x,x,x)+120j
		mov	al, [esi+35h]
		mov	[esp+78h+var_65], al
		test	al, al
		jz	short loc_67BAA4
		mov	eax, [esi+14h]
		push	[ebp+arg_10]
		mov	[esp+7Ch+var_64], eax
		push	[ebp+arg_C]
		lea	ecx, [eax+40h]
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	short loc_67BAA4
		lea	eax, [esp+78h+var_58]
		mov	dl, [esp+78h+var_65]
		push	eax
		movzx	eax, word ptr [esi+32h]
		xor	ecx, ecx
		push	edi
		push	eax
		push	[esp+84h+var_64]
		lea	eax, [esp+88h+var_24]
		push	eax
		push	ecx
		lea	eax, [esp+90h+var_48]
		push	eax
		push	1
		push	ecx
		push	[esp+9Ch+var_5C]
		lea	eax, [esp+0A0h+var_38]
		push	ecx
		push	4
		push	eax
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, [esi+10h]
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax

loc_67BAA4:				; CODE XREF: EtwWriteString(x,x,x,x,x,x,x)+12Fj
					; EtwWriteString(x,x,x,x,x,x,x)+148j
		mov	edx, [esi+10h]
		xor	eax, eax
		cmp	[edx+168h], eax
		jz	loc_67BB95
		push	8
		pop	ecx
		lea	edi, [esp+0B8h+var_64]
		rep stosd
		mov	al, [esi+36h]
		mov	[esp+0B8h+var_A5], al
		test	al, al
		jz	short loc_67BB28
		mov	eax, [edx+168h]
		push	[ebp+arg_10]
		mov	dl, [ebp+arg_8]
		push	[ebp+arg_C]
		lea	ecx, [eax+40h]
		mov	[esp+0C0h+var_A4], eax
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		mov	edi, [esp+0B8h+var_A0]
		test	al, al
		jz	short loc_67BB2C
		xor	ecx, ecx
		mov	dl, [esp+0B8h+var_A5]
		lea	eax, [esp+0B8h+var_98]
		push	eax
		movzx	eax, word ptr [esi+32h]
		push	edi
		push	eax
		push	ecx
		lea	eax, [esp+0C8h+var_64]
		push	eax
		push	ecx
		lea	eax, [esp+0D0h+var_88]
		push	eax
		push	1
		push	ecx
		push	[esp+0DCh+var_9C]
		lea	eax, [esp+0E0h+var_78]
		push	ecx
		push	4
		push	eax
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, [esp+0F8h+var_A4]
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		jmp	short loc_67BB2C
; 

loc_67BB28:				; CODE XREF: EtwWriteString(x,x,x,x,x,x,x)+1A9j
		mov	edi, [esp+0B8h+var_A0]

loc_67BB2C:				; CODE XREF: EtwWriteString(x,x,x,x,x,x,x)+1CCj
					; EtwWriteString(x,x,x,x,x,x,x)+208j
		cmp	byte ptr [esi+37h], 0
		jz	short loc_67BB95
		mov	eax, [esi+14h]
		push	[ebp+arg_10]
		mov	dl, [ebp+arg_8]
		push	[ebp+arg_C]
		mov	eax, [eax+168h]
		mov	[esp+0C0h+var_A4], eax
		lea	ecx, [eax+40h]
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	short loc_67BB95
		lea	eax, [esp+0B8h+var_98]
		mov	dl, [esi+35h]
		push	eax
		movzx	eax, word ptr [esi+32h]
		xor	ecx, ecx
		push	edi
		push	eax
		push	[esp+0C4h+var_A4]
		lea	eax, [esp+0C8h+var_64]
		push	eax
		push	ecx
		lea	eax, [esp+0D0h+var_88]
		push	eax
		push	1
		push	ecx
		push	[esp+0DCh+var_9C]
		lea	eax, [esp+0E0h+var_78]
		push	ecx
		push	4
		push	eax
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, [esi+10h]
		mov	ecx, [ecx+168h]
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax

loc_67BB95:				; CODE XREF: EtwWriteString(x,x,x,x,x,x,x)+191j
					; EtwWriteString(x,x,x,x,x,x,x)+212j ...
		mov	eax, ebx

loc_67BB97:				; CODE XREF: EtwWriteString(x,x,x,x,x,x,x)+4Ej
		mov	ecx, [esp+0F8h+var_84]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_EtwWriteString@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCrimsonStackWalkApc(x, x, x, x,	x)
_EtwpCrimsonStackWalkApc@20 proc near	; DATA XREF: .text:00529168o
					; .text:0052916Fo

var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_16C		= dword	ptr -16Ch
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_120		= dword	ptr -120h
var_11C		= byte ptr -11Ch
var_11A		= word ptr -11Ah
var_118		= dword	ptr -118h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_44		= dword	ptr -44h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 184h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+184h+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		and	dword ptr [eax], 0
		push	edi
		mov	edi, [ebp+arg_10]
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [edi]
		mov	ebx, [esi]
		push	178h		; size_t
		mov	[esp+194h+var_184], eax
		lea	eax, [esp+194h+var_180]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esp+19Ch+var_184]
		lea	edi, [esp+19Ch+var_16C]
		mov	esi, offset _EventTracingProvGuid
		lea	ecx, [esp+19Ch+var_180]
		add	esp, 0Ch
		mov	dl, 1
		movsd
		movsd
		movsd
		movsd
		mov	[esp+190h+var_14C], eax
		mov	eax, ds:_EtwpHostSiloState
		mov	[esp+190h+var_1C], eax
		mov	eax, [ebp+arg_8]
		or	[esp+190h+var_110], 0FFFFFFFFh
		or	[esp+190h+var_10C], 0FFFFFFFFh
		mov	[esp+190h+var_150], ebx
		mov	ax, [eax]
		mov	[esp+190h+var_11A], ax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _ETW_EVENT_USER_STACK_TRACE
		push	eax
		push	eax
		push	eax
		mov	[esp+1D0h+var_120], 1
		mov	[esp+1D0h+var_118], 44h
		mov	[esp+1D0h+var_11C], 0FFh
		mov	[esp+1D0h+var_108], eax
		mov	[esp+1D0h+var_104], eax
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [esp+1D0h+var_44]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
_EtwpCrimsonStackWalkApc@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetStackExtendedHeaderItem(x, x, x, x, x, x)
_EtwpGetStackExtendedHeaderItem@24 proc	near ; CODE XREF: .text:00528ABEp
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5FAp	...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_18], edx
		mov	eax, [eax]
		xor	esi, esi
		and	[ebp+var_14], ebx
		add	eax, 10h
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], esi
		mov	[ebp+var_1C], eax
		cmp	byte ptr [ebp+arg_8], bl
		jz	short loc_67BCF3
		push	300h
		push	[ebp+arg_0]
		push	eax
		call	RtlWalkFrameChain
		mov	ebx, eax
		cmp	ebx, 3
		ja	short loc_67BCED
		xor	ebx, ebx
		jmp	short loc_67BCF0
; 

loc_67BCED:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+46j
		sub	ebx, 3

loc_67BCF0:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+4Aj
		mov	[ebp+var_C], ebx

loc_67BCF3:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+31j
		mov	eax, [ebp+var_10]
		test	dword ptr [eax+58h], 400h
		jnz	loc_67BE60
		mov	eax, [eax+2FCh]
		test	al, 1
		jnz	loc_67BE60
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	loc_67BE60
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnz	short loc_67BD76
		mov	eax, large fs:20h
		cmp	byte ptr [eax+11h], 0
		jnz	loc_67BE60
		mov	[ebp+arg_8], offset _EtwpStackMatchId

loc_67BD3F:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+CAj
					; EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+CEj
		mov	edi, ds:_EtwpStackMatchId
		xor	eax, eax
		mov	esi, ds:dword_6B68B4
		inc	eax
		mov	ebx, edi
		mov	[ebp+var_4], esi
		add	ebx, eax
		mov	ecx, esi
		mov	eax, edi
		mov	edx, esi
		adc	ecx, 0
		nop
		mov	esi, [ebp+arg_8]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_4]
		cmp	eax, edi
		jnz	short loc_67BD3F
		cmp	edx, esi
		jnz	short loc_67BD3F
		jmp	loc_67BE52
; 

loc_67BD76:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+85j
		jnb	loc_67BE60
		mov	ecx, [ebp+var_10]
		cmp	byte ptr [ecx+30Ah], 0
		jnz	loc_67BE19
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		test	al, al
		jnz	loc_67BE19
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		inc	edx
		and	ecx, edx
		jz	short loc_67BDF1
		mov	eax, large fs:124h
		cmp	[eax+13Ch], esi
		jz	short loc_67BDF1
		mov	[ebp+arg_8], offset _EtwpStackMatchId
		jmp	short loc_67BDBD
; 

loc_67BDBA:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+145j
		xor	edx, edx
		inc	edx

loc_67BDBD:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+117j
					; EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+14Cj
		mov	edi, ds:_EtwpStackMatchId
		mov	ebx, edi
		mov	esi, ds:dword_6B68B4
		add	ebx, edx
		mov	ecx, esi
		mov	[ebp+var_4], esi
		adc	ecx, 0
		mov	eax, edi
		mov	edx, esi
		nop
		mov	esi, [ebp+arg_8]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_4]
		cmp	eax, edi
		jnz	short loc_67BDBA
		push	1
		cmp	edx, esi
		pop	edx
		jnz	short loc_67BDBD
		jmp	short loc_67BE52
; 

loc_67BDF1:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+100j
					; EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+10Ej
		test	ecx, ecx
		jnz	short loc_67BE60
		mov	eax, [ebp+arg_0]
		sub	eax, ebx
		push	edx
		push	eax
		mov	eax, [ebp+var_1C]
		lea	eax, [eax+ebx*4]
		push	eax
		call	RtlWalkFrameChain
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_14], eax
		test	ecx, ecx
		jz	short loc_67BE60
		mov	edi, [ecx]
		mov	esi, [ecx+4]
		jmp	short loc_67BE5A
; 

loc_67BE19:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+E5j
					; EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+F2j
		mov	[ebp+arg_8], offset _EtwpStackMatchId

loc_67BE20:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+1ABj
					; EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+1AFj
		mov	edi, ds:_EtwpStackMatchId
		xor	eax, eax
		mov	esi, ds:dword_6B68B4
		inc	eax
		mov	ebx, edi
		mov	[ebp+var_4], esi
		add	ebx, eax
		mov	ecx, esi
		mov	eax, edi
		mov	edx, esi
		adc	ecx, 0
		nop
		mov	esi, [ebp+arg_8]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_4]
		cmp	eax, edi
		jnz	short loc_67BE20
		cmp	edx, esi
		jnz	short loc_67BE20

loc_67BE52:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+D0j
					; EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+14Ej
		xor	eax, eax
		inc	eax
		add	edi, eax
		adc	esi, 0

loc_67BE5A:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+176j
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], edi

loc_67BE60:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+5Cj
					; EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+6Aj ...
		mov	eax, [ebp+var_C]
		add	eax, [ebp+var_14]
		movzx	eax, ax
		mov	ecx, eax
		test	ax, ax
		jnz	short loc_67BE99
		mov	eax, edi
		or	eax, esi
		jnz	short loc_67BE99
		cmp	[ebp+arg_0], 100h
		jnz	short loc_67BE91
		mov	eax, [ebp+arg_4]
		mov	ecx, offset _EtwpStackLookAsideList
		mov	edx, [eax]
		sub	edx, 4
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_67BE91:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+1DCj
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		jmp	short loc_67BF00
; 

loc_67BE99:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+1CDj
					; EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+1D3j
		mov	ebx, [ebp+arg_4]
		lea	eax, ds:8[ecx*4]
		mov	edx, [ebp+var_8]
		movzx	edi, ax
		lea	eax, [edi+8]
		movzx	ecx, ax
		mov	eax, [ebx]
		lea	esi, [ecx+7]
		mov	[eax+8], edx
		and	esi, 0FFF8h
		mov	edx, [ebp+var_4]
		mov	[eax+0Ch], edx
		movzx	eax, si
		sub	eax, ecx
		push	eax		; size_t
		mov	eax, [ebx]
		add	eax, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebx]
		add	esp, 0Ch
		mov	[eax], si
		mov	eax, [ebx]
		push	5
		pop	ecx
		mov	[eax+2], cx
		mov	ecx, 0FFFEh
		mov	eax, [ebx]
		mov	[eax+6], di
		mov	eax, [ebx]
		and	[eax+4], cx
		xor	ecx, ecx
		mov	eax, [ebx]
		inc	ecx
		and	[eax+4], cx

loc_67BF00:				; CODE XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+1F6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_EtwpGetStackExtendedHeaderItem@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageHighIrqlCPWorkItemCallback(x)
_EtwpCoverageHighIrqlCPWorkItemCallback@4 proc near
					; DATA XREF: EtwpCoverageEnsureContext()+F2o

var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		and	[esp+2Ch+var_20], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+38h+var_10]
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_0]
		mov	edi, [edi]
		add	edi, 18h
		mov	[esp+38h+var_14], edi

loc_67BF30:				; CODE XREF: EtwpCoverageHighIrqlCPWorkItemCallback(x)+114j
		lea	ebx, [edi+8]

loc_67BF33:				; CODE XREF: EtwpCoverageHighIrqlCPWorkItemCallback(x)+103j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	[esp+38h+var_25], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, [ebx]
		mov	[esp+38h+var_1C], esi
		cmp	esi, ebx
		jz	short loc_67BF71
		mov	eax, [esi]
		cmp	[esi+4], ebx
		jnz	loc_67C020
		cmp	[eax+4], esi
		jnz	loc_67C020
		mov	[ebx], eax
		mov	[eax+4], ebx
		mov	[esp+38h+var_18], 1
		jmp	short loc_67BF89
; 

loc_67BF71:				; CODE XREF: EtwpCoverageHighIrqlCPWorkItemCallback(x)+45j
		mov	esi, [edi+4]
		mov	[esp+38h+var_1C], esi
		mov	eax, [esi+10h]
		cmp	eax, [esi+0Ch]
		jnb	loc_67C025
		and	[esp+38h+var_18], 0

loc_67BF89:				; CODE XREF: EtwpCoverageHighIrqlCPWorkItemCallback(x)+68j
		mov	eax, [esi+0Ch]
		mov	ebx, [esi+10h]
		mov	[esi+10h], eax
		test	ds:byte_70EFC6,	1
		mov	[esp+38h+var_24], eax
		jz	short loc_67BFAB
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_67BFB0
; 

loc_67BFAB:				; CODE XREF: EtwpCoverageHighIrqlCPWorkItemCallback(x)+96j
		xor	eax, eax
		lock and [edi],	eax

loc_67BFB0:				; CODE XREF: EtwpCoverageHighIrqlCPWorkItemCallback(x)+A2j
		mov	cl, [esp+38h+var_25]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	ebx, [esp+38h+var_24]
		jnb	short loc_67C002
		mov	edi, [esp+38h+var_24]
		mov	esi, [ebp+arg_0]

loc_67BFC7:				; CODE XREF: EtwpCoverageHighIrqlCPWorkItemCallback(x)+F1j
		and	[esp+38h+var_8], 0
		lea	edx, [esp+38h+var_20]
		and	[esp+38h+var_4], 0
		mov	ecx, ebx
		mov	[esp+38h+var_10], ebx
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		lea	edx, [esp+38h+var_10]
		mov	[esp+38h+var_C], eax
		mov	ecx, esi
		call	_EtwpCoverageRecord@8 ;	EtwpCoverageRecord(x,x)
		mov	eax, [esp+38h+var_20]
		inc	eax
		add	ebx, eax
		cmp	ebx, edi
		jb	short loc_67BFC7
		mov	esi, [esp+38h+var_1C]
		mov	edi, [esp+38h+var_14]

loc_67C002:				; CODE XREF: EtwpCoverageHighIrqlCPWorkItemCallback(x)+B7j
		cmp	[esp+38h+var_18], 0
		lea	ebx, [edi+8]
		jz	loc_67BF33
		push	56777445h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_67BF30
; 

loc_67C020:				; CODE XREF: EtwpCoverageHighIrqlCPWorkItemCallback(x)+4Cj
					; EtwpCoverageHighIrqlCPWorkItemCallback(x)+55j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_67C025:				; CODE XREF: EtwpCoverageHighIrqlCPWorkItemCallback(x)+77j
		lea	eax, [esi+14h]
		mov	[esi+0Ch], eax
		mov	[esi+10h], eax
		and	dword ptr [edi+24h], 0
		test	ds:byte_70EFC6,	1
		jz	short loc_67C047
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_67C04C
; 

loc_67C047:				; CODE XREF: EtwpCoverageHighIrqlCPWorkItemCallback(x)+132j
		xor	eax, eax
		lock and [edi],	eax

loc_67C04C:				; CODE XREF: EtwpCoverageHighIrqlCPWorkItemCallback(x)+13Ej
		mov	cl, [esp+38h+var_25]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_EtwpCoverageHighIrqlCPWorkItemCallback@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageRecordAtHighIrql(x)
_EtwpCoverageRecordAtHighIrql@4	proc near ; CODE XREF: EtwSetProcessTelemetryCoverage+AEF9Dp

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_4C], 0
		lea	edx, [ebp+var_4C]
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_50], ebx
		call	_EtwpCoverageValidateCP@8 ; EtwpCoverageValidateCP(x,x)
		test	eax, eax
		jz	short loc_67C0CD
		push	dword ptr [ebx]
		mov	esi, ebx
		lea	edi, [ebp+var_60]
		push	40h
		pop	edx
		lea	ecx, [ebp+var_48]
		movsd
		movsd
		movsd
		movsd
		call	_RtlStringCchCopyA@12 ;	RtlStringCchCopyA(x,x,x)
		and	[ebp+var_58], 0
		lea	eax, [ebp+var_48]
		mov	cl, 2
		mov	[ebp+var_60], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		lea	eax, [ebp+var_60]
		push	eax
		call	_EtwTelemetryCoverageReport@4 ;	EtwTelemetryCoverageReport(x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_50]
		mov	eax, [ebp+var_58]
		mov	[ecx+8], eax

loc_67C0CD:				; CODE XREF: EtwpCoverageRecordAtHighIrql(x)+28j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpCoverageRecordAtHighIrql@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageResetTimerCallback(x, x)
_EtwpCoverageResetTimerCallback@8 proc near ; DATA XREF: EtwpCoverageEnsureContext()+169o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		xor	edx, edx
		inc	edx
		xor	eax, eax
		lea	ecx, [esi+8]
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	short loc_67C103
		push	3
		lea	eax, [esi+100h]
		push	eax
		call	ExQueueWorkItem

loc_67C103:				; CODE XREF: EtwpCoverageResetTimerCallback(x,x)+17j
		pop	esi
		pop	ebp
		retn	8
_EtwpCoverageResetTimerCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCancelStackWalkApc(x)
_EtwpCancelStackWalkApc@4 proc near	; DATA XREF: EtwpQueueStackWalkApc(x,x,x,x)+BBo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		mov	ecx, [ecx+20h]
		call	_EtwpFinalizePendingApc@8 ; EtwpFinalizePendingApc(x,x)
		pop	ebp
		retn	4
_EtwpCancelStackWalkApc@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpFinalizePendingApc(x, x)
_EtwpFinalizePendingApc@8 proc near	; CODE XREF: EtwpCancelPendingStackwalkApcs+DC1AAp
					; EtwpCancelStackWalkApc(x)+Dp	...
		mov	eax, [edx+8]
		push	esi
		push	edi
		mov	edi, ecx
		add	eax, 5Ch
		movzx	esi, word ptr [edi+25Ah]
		and	esi, 7
		add	esi, 18h
		lock btr [eax],	esi
		lea	ecx, [edi+290h]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		lock dec dword ptr [edi+2A4h]
		mov	eax, [edi+2E4h]
		xor	edx, edx
		mov	esi, [edi]
		inc	edx
		pop	edi
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+esi*4]
		pop	esi
		jmp	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
_EtwpFinalizePendingApc@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpGetStackLookasideListEntry()
_EtwpGetStackLookasideListEntry@0 proc near ; CODE XREF: .text:005289B9p
					; EtwpTraceStackWalk(x,x,x,x)+84p ...
		mov	ecx, offset _EtwpStackLookAsideList
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jnz	short loc_67C17C
		mov	eax, ds:dword_6BC448
		xor	eax, eax
		retn
; 

loc_67C17C:				; CODE XREF: EtwpGetStackLookasideListEntry()+Cj
		add	eax, 4
		retn
_EtwpGetStackLookasideListEntry@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpQueueStackWalkApc(x, x,	x, x)
_EtwpQueueStackWalkApc@16 proc near	; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+C1p
					; EtwpStackTraceDispatcher(x,x,x,x)+139p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	[ebp+var_1], dl
		mov	edx, ecx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], edx
		mov	[ebp+var_2], 0
		cmp	edx, large fs:124h
		jnz	loc_67C2CB
		mov	eax, [edx+150h]
		mov	ecx, [eax+64h]
		shr	ecx, 3
		and	ecx, 1
		add	ecx, [eax+98h]
		jnz	loc_67C2CB
		cmp	[edx+18Ch], bl
		jnz	loc_67C2CB
		push	edi
		mov	edi, [ebp+arg_0]
		lea	ecx, [edx+5Ch]
		mov	[ebp+var_C], ecx
		movzx	eax, word ptr [edi+25Ah]
		and	eax, 7
		add	eax, 18h
		mov	[ebp+arg_0], eax
		lock bts [ecx],	eax
		jb	loc_67C2CA
		test	dword ptr [edx+58h], 4000h
		push	esi
		jz	loc_67C292
		mov	eax, [edi+2E4h]
		xor	edx, edx
		mov	esi, [edi]
		inc	edx
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+esi*4]
		call	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
		test	al, al
		jz	short loc_67C28F
		lea	ecx, [edi+290h]
		mov	[ebp+var_2], 1
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_67C28F
		mov	esi, [ebp+var_8]
		mov	eax, offset _EtwpStackWalkApc@20 ; EtwpStackWalkApc(x,x,x,x,x)
		push	edi
		push	0
		push	eax
		push	offset _EtwpCancelStackWalkApc@4 ; EtwpCancelStackWalkApc(x)
		push	eax
		push	0
		push	esi
		push	ebx
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		cmp	dword ptr [edi+0F8h], 0
		jz	short loc_67C28F
		cmp	[ebp+var_1], 2
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+4]
		mov	eax, [eax]
		jbe	short loc_67C26D
		push	ecx
		mov	edx, eax
		mov	ecx, ebx
		call	_KeTryToInsertQueueApc@12 ; KeTryToInsertQueueApc(x,x,x)
		jmp	short loc_67C277
; 

loc_67C26D:				; CODE XREF: EtwpQueueStackWalkApc(x,x,x,x)+DFj
		push	0
		push	ecx
		push	eax
		push	ebx
		call	KeInsertQueueApc

loc_67C277:				; CODE XREF: EtwpQueueStackWalkApc(x,x,x,x)+EBj
		cmp	dword ptr [edi+0F8h], 0
		jnz	short loc_67C2D0
		test	al, al
		jz	short loc_67C28F
		mov	ecx, ebx
		call	KeRemoveQueueApc
		test	al, al
		jz	short loc_67C2C9

loc_67C28F:				; CODE XREF: EtwpQueueStackWalkApc(x,x,x,x)+98j
					; EtwpQueueStackWalkApc(x,x,x,x)+ADj ...
		mov	eax, [ebp+arg_0]

loc_67C292:				; CODE XREF: EtwpQueueStackWalkApc(x,x,x,x)+77j
		mov	edx, [ebp+var_C]
		lock btr [edx],	eax
		cmp	[ebp+var_2], 0
		jz	short loc_67C2B8
		mov	eax, [edi+2E4h]
		xor	edx, edx
		mov	esi, [edi]
		inc	edx
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+esi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)

loc_67C2B8:				; CODE XREF: EtwpQueueStackWalkApc(x,x,x,x)+11Dj
		test	ebx, ebx
		jz	short loc_67C2C9
		lea	ecx, [edi+290h]
		mov	edx, ebx
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_67C2C9:				; CODE XREF: EtwpQueueStackWalkApc(x,x,x,x)+10Dj
					; EtwpQueueStackWalkApc(x,x,x,x)+13Aj ...
		pop	esi

loc_67C2CA:				; CODE XREF: EtwpQueueStackWalkApc(x,x,x,x)+69j
		pop	edi

loc_67C2CB:				; CODE XREF: EtwpQueueStackWalkApc(x,x,x,x)+1Ej
					; EtwpQueueStackWalkApc(x,x,x,x)+39j ...
		pop	ebx
		leave
		retn	8
; 

loc_67C2D0:				; CODE XREF: EtwpQueueStackWalkApc(x,x,x,x)+FEj
		test	al, al
		jnz	short loc_67C2E8
		cmp	[ebp+var_1], 2
		jbe	short loc_67C28F
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, esi
		call	_EtwpQueueStackWalkDpc@12 ; EtwpQueueStackWalkDpc(x,x,x)
		jmp	short loc_67C28F
; 

loc_67C2E8:				; CODE XREF: EtwpQueueStackWalkApc(x,x,x,x)+152j
		lea	eax, [edi+2A4h]
		lock inc dword ptr [eax]
		mov	eax, [eax]
		cmp	eax, [edi+2A8h]
		jle	short loc_67C2C9
		mov	[edi+2A8h], eax
		jmp	short loc_67C2C9
_EtwpQueueStackWalkApc@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpQueueStackWalkDpc(x, x,	x)
_EtwpQueueStackWalkDpc@12 proc near	; CODE XREF: EtwpQueueStackWalkApc(x,x,x,x)+161p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		lea	eax, [edi+2A0h]
		lock bts dword ptr [eax], 1
		jnb	short loc_67C325
		mov	eax, 103h
		jmp	loc_67C3B4
; 

loc_67C325:				; CODE XREF: EtwpQueueStackWalkDpc(x,x,x)+16j
		mov	eax, [edi+2E4h]
		xor	edx, edx
		push	esi
		mov	esi, [edi]
		inc	edx
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+esi*4]
		call	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
		test	al, al
		jnz	short loc_67C34A
		mov	eax, 0C0000001h
		jmp	short loc_67C3B3
; 

loc_67C34A:				; CODE XREF: EtwpQueueStackWalkDpc(x,x,x)+3Ej
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx]
		mov	[edi+260h], eax
		mov	eax, [ecx+4]
		lea	ecx, [edi+26Ch]
		mov	[edi+264h], eax
		mov	eax, large fs:20h
		mov	[edi+268h], ebx
		mov	edx, [eax+3CCh]
		mov	eax, [ecx+1Ch]
		test	eax, eax
		jnz	short loc_67C384
		lea	eax, [edx+20h]
		mov	[ecx+2], ax

loc_67C384:				; CODE XREF: EtwpQueueStackWalkDpc(x,x,x)+78j
		push	0
		push	edi
		push	ecx
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		test	al, al
		jnz	short loc_67C3B1
		mov	eax, [edi+2E4h]
		xor	edx, edx
		mov	esi, [edi]
		inc	edx
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+esi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		mov	eax, 0C000009Ah
		jmp	short loc_67C3B3
; 

loc_67C3B1:				; CODE XREF: EtwpQueueStackWalkDpc(x,x,x)+8Cj
		xor	eax, eax

loc_67C3B3:				; CODE XREF: EtwpQueueStackWalkDpc(x,x,x)+45j
					; EtwpQueueStackWalkDpc(x,x,x)+ACj
		pop	esi

loc_67C3B4:				; CODE XREF: EtwpQueueStackWalkDpc(x,x,x)+1Dj
		pop	edi
		pop	ebx
		pop	ebp
		retn	4
_EtwpQueueStackWalkDpc@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpReleaseStackLookasideList()
_EtwpReleaseStackLookasideList@0 proc near ; CODE XREF:	NtQueryPerformanceCounter+23Fp
		mov	edi, edi
		lock dec ds:dword_6BC448
		retn
_EtwpReleaseStackLookasideList@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpStackTraceDispatcher(x,	x, x, x)
_EtwpStackTraceDispatcher@16 proc near	; CODE XREF: EtwpLogKernelEvent+12E24Cp
					; EtwpLogSystemEventUnsafe+EDEF0p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		mov	[esp+14h+var_4], edx
		mov	[esp+14h+var_8], ebx
		push	edi
		mov	edi, large fs:124h
		test	esi, 4000h
		jz	short loc_67C3FD
		mov	eax, large fs:20h
		cmp	[eax+0Ch], edi
		jz	loc_67C51F

loc_67C3FD:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+28j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_67C409
		mov	ecx, edi
		mov	[ebp+arg_0], ecx

loc_67C409:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+3Ej
		mov	eax, esi
		and	eax, 3000h
		cmp	eax, 1000h
		jnz	loc_67C50A
		test	dword ptr [edi+58h], 400h
		jnz	short loc_67C43A
		cmp	edi, ecx
		jnz	short loc_67C43A
		mov	eax, [edi+2FCh]
		test	al, 1
		jz	short loc_67C445
		test	esi, 4000000h
		jnz	short loc_67C445

loc_67C43A:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+5Ej
					; EtwpStackTraceDispatcher(x,x,x,x)+62j
		and	esi, 0FFFFEFFFh
		jmp	loc_67C50A
; 

loc_67C445:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+6Cj
					; EtwpStackTraceDispatcher(x,x,x,x)+74j
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jnz	short loc_67C452
		mov	bl, 1Fh
		jmp	short loc_67C45F
; 

loc_67C452:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+88j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 2
		jb	short loc_67C4A7

loc_67C45F:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+8Cj
		mov	ecx, large fs:20h
		and	esi, 0FFFFEFFFh
		mov	al, [ecx+11h]
		cmp	bl, 2
		jnz	short loc_67C48C
		test	al, al
		jnz	short loc_67C490
		push	[esp+18h+var_4]
		mov	ebx, [esp+1Ch+var_8]
		mov	dl, 2
		push	ebx
		mov	ecx, edi
		call	_EtwpQueueStackWalkApc@16 ; EtwpQueueStackWalkApc(x,x,x,x)
		jmp	short loc_67C506
; 

loc_67C48C:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+AEj
		test	al, al
		jz	short loc_67C49C

loc_67C490:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+B2j
		test	esi, 8000h
		jz	short loc_67C502
		cmp	al, 1
		jnz	short loc_67C502

loc_67C49C:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+CAj
		push	[esp+18h+var_4]
		mov	eax, [esp+1Ch+var_8]
		push	eax
		jmp	short loc_67C4F9
; 

loc_67C4A7:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+99j
		mov	eax, [esp+18h+var_8]
		test	dword ptr [eax+258h], 1000000h
		jz	short loc_67C4C1
		mov	eax, [edi+2FCh]
		test	al, 1
		jz	short loc_67C4EB

loc_67C4C1:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+F1j
		call	_MmCanThreadFault@0 ; MmCanThreadFault()
		test	eax, eax
		jz	short loc_67C4EB
		cmp	byte ptr [edi+30Ah], 0
		jnz	short loc_67C4EB
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		test	al, al
		jnz	short loc_67C4EB
		test	esi, 1000000h
		jnz	short loc_67C4EB
		bt	dword ptr [edi+58h], 5
		jnb	short loc_67C502

loc_67C4EB:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+FBj
					; EtwpStackTraceDispatcher(x,x,x,x)+104j ...
		push	[esp+18h+var_4]
		and	esi, 0FFFFEFFFh
		push	[esp+1Ch+var_8]

loc_67C4F9:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+E1j
		mov	dl, bl
		mov	ecx, edi
		call	_EtwpQueueStackWalkApc@16 ; EtwpQueueStackWalkApc(x,x,x,x)

loc_67C502:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+D2j
					; EtwpStackTraceDispatcher(x,x,x,x)+D6j ...
		mov	ebx, [esp+18h+var_8]

loc_67C506:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+C6j
		mov	edx, [esp+18h+var_4]

loc_67C50A:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+51j
					; EtwpStackTraceDispatcher(x,x,x,x)+7Cj
		test	esi, 1800h
		jz	short loc_67C51F
		push	edx
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		call	_EtwpTraceStackWalk@16 ; EtwpTraceStackWalk(x,x,x,x)

loc_67C51F:				; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+33j
					; EtwpStackTraceDispatcher(x,x,x,x)+14Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_EtwpStackTraceDispatcher@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpStackWalkApc(x,	x, x, x, x)
_EtwpStackWalkApc@20 proc near		; DATA XREF: EtwpQueueStackWalkApc(x,x,x,x)+B2o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_8]
		mov	ecx, large fs:124h
		push	esi
		mov	esi, [eax]
		mov	eax, [ecx+2FCh]
		test	al, 1
		jnz	short loc_67C567
		mov	eax, [ebp+arg_C]
		mov	edx, 1000h
		mov	eax, [eax]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_10]
		mov	eax, [eax]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		mov	ecx, esi
		call	_EtwpTraceStackWalk@16 ; EtwpTraceStackWalk(x,x,x,x)

loc_67C567:				; CODE XREF: EtwpStackWalkApc(x,x,x,x,x)+1Cj
		mov	eax, [ebp+arg_4]
		mov	ecx, esi
		mov	edx, [ebp+arg_0]
		and	dword ptr [eax], 0
		call	_EtwpFinalizePendingApc@8 ; EtwpFinalizePendingApc(x,x)
		pop	esi
		leave
		retn	14h
_EtwpStackWalkApc@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpStackWalkDpc(x,	x, x, x)
_EtwpStackWalkDpc@16 proc near		; DATA XREF: EtwTraceDpcEnqueueEvent(x,x,x,x,x,x)+1Eo
					; EtwpInitializeStackTracing(x)+92o

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	dl, 2
		mov	ecx, [edi+268h]
		lea	eax, [edi+260h]
		push	eax
		push	edi
		call	_EtwpQueueStackWalkApc@16 ; EtwpQueueStackWalkApc(x,x,x,x)
		mov	eax, [edi+2E4h]
		xor	edx, edx
		mov	esi, [edi]
		inc	edx
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+esi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		lea	eax, [edi+2A0h]
		lock btr dword ptr [eax], 1
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_EtwpStackWalkDpc@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceStackWalk(x, x, x,	x)
_EtwpTraceStackWalk@16 proc near	; CODE XREF: EtwpStackTraceDispatcher(x,x,x,x)+156p
					; EtwpStackWalkApc(x,x,x,x,x)+3Ap

var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	[ebp+var_38], ecx
		lea	edi, [ebp+var_58]
		pop	ecx
		xor	eax, eax
		xor	ebx, ebx
		rep stosd
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_3C], ebx
		push	eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_34], ebx
		push	eax
		mov	esi, edx
		mov	[ebp+var_2C], ebx
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		lea	edx, [ebp+var_3C]
		mov	ecx, eax
		call	KeQueryCurrentStackInformationEx
		test	al, al
		jz	loc_67C7FF
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jz	loc_67C7FF
		cmp	eax, 5
		jz	loc_67C7FF
		cmp	eax, 7
		jz	loc_67C7FF
		cmp	eax, 8
		jz	loc_67C7FF
		cmp	eax, 9
		jz	loc_67C7FF
		mov	[ebp+var_30], 100h
		call	_EtwpGetStackLookasideListEntry@0 ; EtwpGetStackLookasideListEntry()
		mov	edi, eax
		test	edi, edi
		jnz	short loc_67C67D
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		sub	eax, [ebp+var_34]
		cmp	eax, 520h
		jbe	loc_67C7FF
		mov	eax, 300h
		call	__alloca_probe_16
		mov	edx, 0C0h
		mov	edi, esp
		mov	[ebp+var_30], edx
		jmp	short loc_67C680
; 

loc_67C67D:				; CODE XREF: EtwpTraceStackWalk(x,x,x,x)+8Dj
		mov	edx, [ebp+var_30]

loc_67C680:				; CODE XREF: EtwpTraceStackWalk(x,x,x,x)+B6j
		mov	eax, [ebp+var_38]
		mov	ecx, 800h
		and	[ebp+var_34], ebx
		test	dword ptr [eax+258h], 40000000h
		jz	short loc_67C6AB
		test	esi, ecx
		jz	short loc_67C6D9
		mov	eax, ds:_PsNtosImageBase
		xor	ebx, ebx
		inc	ebx
		mov	[edi], eax
		and	esi, 0FFFFF7FFh

loc_67C6AB:				; CODE XREF: EtwpTraceStackWalk(x,x,x,x)+D0j
		test	esi, ecx
		jz	short loc_67C6D9
		mov	ecx, esi
		shr	ecx, 14h
		and	ecx, 0Fh
		mov	eax, ecx
		mov	[ebp+var_2C], ecx
		shl	eax, 8
		push	eax
		lea	eax, [edx+ecx]
		push	eax
		push	edi
		call	RtlWalkFrameChain
		mov	ebx, eax
		mov	eax, [ebp+var_2C]
		cmp	ebx, eax
		ja	short loc_67C6D7
		xor	ebx, ebx
		jmp	short loc_67C6D9
; 

loc_67C6D7:				; CODE XREF: EtwpTraceStackWalk(x,x,x,x)+10Cj
		sub	ebx, eax

loc_67C6D9:				; CODE XREF: EtwpTraceStackWalk(x,x,x,x)+D4j
					; EtwpTraceStackWalk(x,x,x,x)+E8j ...
		test	esi, 1000h
		jz	short loc_67C735
		mov	eax, large fs:124h
		lea	ecx, [edi+ebx*4]
		mov	edx, [ebp+var_30]
		sub	edx, ebx
		mov	eax, [eax+80h]
		cmp	dword ptr [eax+3D4h], 0
		jz	short loc_67C705
		call	_PsPicoWalkUserStack@8 ; PsPicoWalkUserStack(x,x)
		jmp	short loc_67C738
; 

loc_67C705:				; CODE XREF: EtwpTraceStackWalk(x,x,x,x)+137j
		mov	ecx, esi
		shr	ecx, 10h
		and	ecx, 0Fh
		mov	eax, ecx
		mov	[ebp+var_2C], ecx
		shl	eax, 8
		or	eax, 1
		push	eax
		lea	eax, [edx+ecx]
		push	eax
		lea	eax, [edi+ebx*4]
		push	eax
		call	RtlWalkFrameChain
		mov	ecx, [ebp+var_2C]
		cmp	eax, ecx
		ja	short loc_67C731
		xor	eax, eax
		jmp	short loc_67C738
; 

loc_67C731:				; CODE XREF: EtwpTraceStackWalk(x,x,x,x)+166j
		sub	eax, ecx
		jmp	short loc_67C738
; 

loc_67C735:				; CODE XREF: EtwpTraceStackWalk(x,x,x,x)+11Aj
		mov	eax, [ebp+var_34]

loc_67C738:				; CODE XREF: EtwpTraceStackWalk(x,x,x,x)+13Ej
					; EtwpTraceStackWalk(x,x,x,x)+16Aj ...
		lea	edx, [eax+ebx]
		mov	[ebp+var_2C], edx
		test	edx, edx
		jz	loc_67C7E9
		mov	ecx, [ebp+arg_0]
		and	esi, 0FFFFE602h
		and	[ebp+var_24], 0
		or	esi, 2
		and	[ebp+var_1C], 0
		mov	[ebp+var_20], 10h
		mov	eax, [ecx+2ACh]
		mov	[ebp+var_50], eax
		mov	eax, [ecx+2B0h]
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_4C], eax
		mov	eax, [ecx]
		mov	[ebp+var_58], eax
		mov	eax, [ecx+4]
		mov	ecx, [ebp+var_38]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_28], eax
		test	dword ptr [ecx+258h], 1000000h
		jz	short loc_67C7BE
		cmp	edx, 4
		jb	short loc_67C7BE
		push	edx
		push	edi
		lea	eax, [ebp+var_28]
		mov	edx, esi
		push	eax
		xor	eax, eax
		cmp	eax, ebx
		sbb	eax, eax
		add	eax, 1826h
		push	eax
		call	_EtwpTraceStackKey@24 ;	EtwpTraceStackKey(x,x,x,x,x,x)
		test	al, al
		jnz	short loc_67C7E9
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_38]

loc_67C7BE:				; CODE XREF: EtwpTraceStackWalk(x,x,x,x)+1CFj
					; EtwpTraceStackWalk(x,x,x,x)+1D4j
		and	[ebp+var_14], 0
		mov	eax, edx
		mov	edx, [ecx+2E4h]
		and	[ebp+var_C], 0
		push	esi
		push	1820h
		push	2
		push	dword ptr [ecx]
		shl	eax, 2
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], eax
		call	EtwpLogKernelEvent

loc_67C7E9:				; CODE XREF: EtwpTraceStackWalk(x,x,x,x)+17Bj
					; EtwpTraceStackWalk(x,x,x,x)+1F1j
		cmp	[ebp+var_30], 100h
		jnz	short loc_67C7FF
		lea	edx, [edi-4]
		mov	ecx, offset _EtwpStackLookAsideList
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_67C7FF:				; CODE XREF: EtwpTraceStackWalk(x,x,x,x)+48j
					; EtwpTraceStackWalk(x,x,x,x)+53j ...
		lea	esp, [ebp-68h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpTraceStackWalk@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall EtwTraceDebuggerEvent(x, x, x)
@EtwTraceDebuggerEvent@12 proc near	; CODE XREF: NtDebugContinue(x,x,x)+159p
					; DbgkpSendApiMessage(x,x,x)+38p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx+0E4h]
		lea	ecx, [ebp+var_20]
		and	[ebp+var_1C], 0
		and	[ebp+var_14], 0
		mov	[ebp+var_10], eax
		mov	eax, [edx+2B0h]
		xor	edx, edx
		mov	[ebp+var_C], eax
		inc	edx
		mov	eax, [ebp+arg_0]
		push	(offset	off_401A00+2)
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_10]
		push	370h
		push	400000h
		mov	[ebp+var_20], eax
		mov	[ebp+var_18], 0Ch
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
@EtwTraceDebuggerEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall EtwTracePageFault(x, x, x,	x)
@EtwTracePageFault@16 proc near		; CODE XREF: MmAccessFault+14B433p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		cmp	ecx, 111h
		jnz	short loc_67C89D
		mov	ecx, 20Bh
		jmp	short loc_67C8EA
; 

loc_67C89D:				; CODE XREF: EtwTracePageFault(x,x,x,x)+1Aj
		cmp	ecx, 110h
		jnz	short loc_67C8AC
		mov	ecx, 20Ah
		jmp	short loc_67C8EA
; 

loc_67C8AC:				; CODE XREF: EtwTracePageFault(x,x,x,x)+29j
		cmp	ecx, 112h
		jnz	short loc_67C8BB
		mov	ecx, 20Ch
		jmp	short loc_67C8EA
; 

loc_67C8BB:				; CODE XREF: EtwTracePageFault(x,x,x,x)+38j
		cmp	ecx, 114h
		jnz	short loc_67C8CA
		mov	ecx, 20Eh
		jmp	short loc_67C8EA
; 

loc_67C8CA:				; CODE XREF: EtwTracePageFault(x,x,x,x)+47j
		cmp	ecx, 113h
		jnz	short loc_67C8D9
		mov	ecx, 20Dh
		jmp	short loc_67C8EA
; 

loc_67C8D9:				; CODE XREF: EtwTracePageFault(x,x,x,x)+56j
		cmp	ecx, 0C0000005h
		jnz	loc_67C9A9
		mov	ecx, 20Fh

loc_67C8EA:				; CODE XREF: EtwTracePageFault(x,x,x,x)+21j
					; EtwTracePageFault(x,x,x,x)+30j ...
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_20], edx
		xor	edx, edx
		mov	[ebp+var_1C], edx
		test	eax, eax
		jz	short loc_67C8FF
		mov	eax, [eax+68h]
		mov	[ebp+var_1C], eax

loc_67C8FF:				; CODE XREF: EtwTracePageFault(x,x,x,x)+7Dj
		mov	esi, large fs:124h
		lea	eax, [ebp+var_20]
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], edx
		test	byte ptr [esi+304h], 10h
		jz	short loc_67C941
		push	2500102h
		push	ecx
		push	1000h
		push	1
		push	esi
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		lea	edx, [ebp+var_18]
		mov	ecx, eax
		call	EtwTraceSiloKernelEvent
		jmp	short loc_67C9A9
; 

loc_67C941:				; CODE XREF: EtwTracePageFault(x,x,x,x)+A6j
		dec	word ptr [esi+13Eh]
		nop
		or	byte ptr [esi+304h], 10h
		xor	eax, eax
		cmp	byte ptr [ebp+arg_0], al
		mov	edi, 1000h
		setz	al
		dec	eax
		and	eax, 0FEFFF800h
		add	eax, 3501902h
		push	eax
		push	ecx
		push	edi
		push	1
		push	esi
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		lea	edx, [ebp+var_18]
		mov	ecx, eax
		call	EtwTraceSiloKernelEvent
		and	byte ptr [esi+304h], 0EFh
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, ds:_EtwpHostSiloState
		add	eax, 0A68h
		jz	short loc_67C9A9
		test	[eax], edi
		jz	short loc_67C9A9
		push	[ebp+arg_0]
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		call	_EtwpCoverageSamplerPageFault@12 ; EtwpCoverageSamplerPageFault(x,x,x)

loc_67C9A9:				; CODE XREF: EtwTracePageFault(x,x,x,x)+65j
					; EtwTracePageFault(x,x,x,x)+C5j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
@EtwTracePageFault@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall EtwpPmcInterrupt(x, x)
@EtwpPmcInterrupt@8 proc near		; DATA XREF: EtwpSetPmcProfileSource(x,x)+A0o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_16		= word ptr -16h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ecx+68h]
		push	esi
		mov	esi, 2C09A02h
		cmp	ecx, ds:_MmHighestUserAddress
		ja	short loc_67C9E1
		mov	esi, 2C09202h

loc_67C9E1:				; CODE XREF: EtwpPmcInterrupt(x,x)+21j
		mov	eax, large fs:124h
		and	[ebp+var_10], 0
		and	[ebp+var_8], 0
		push	esi
		mov	eax, [eax+2B0h]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		mov	[ebp+var_18], dx
		xor	edx, edx
		mov	[ebp+var_16], ax
		inc	edx
		push	0F2Fh
		mov	[ebp+var_20], ecx
		lea	eax, [ebp+var_20]
		push	20000400h
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 0Ch
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
@EtwpPmcInterrupt@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall EtwpProfileInterrupt(x, x)
@EtwpProfileInterrupt@8	proc near	; DATA XREF: EtwpTimeProfileInit()+15o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ecx+68h]
		mov	edx, 2C0DA02h
		push	edi
		cmp	esi, ds:_MmHighestUserAddress
		ja	short loc_67CA5F
		mov	edx, 2C0D202h

loc_67CA5F:				; CODE XREF: EtwpProfileInterrupt(x,x)+23j
		mov	edi, large fs:124h
		mov	eax, [edi+2B0h]
		mov	ebx, [edi+150h]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		mov	[ebp+var_16], 0
		inc	eax
		mov	cl, [edi+87h]
		mov	[ebp+var_20], esi
		mov	esi, large fs:20h
		shl	cl, 3
		mov	[ebp+var_16], cl
		mov	[ebp+var_18], ax
		mov	al, [esi+11h]
		cmp	al, 2
		jnz	short loc_67CAAF
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jz	short loc_67CAB3
		or	cl, 1
		jmp	short loc_67CAB6
; 

loc_67CAAF:				; CODE XREF: EtwpProfileInterrupt(x,x)+66j
		cmp	al, 1
		jbe	short loc_67CABF

loc_67CAB3:				; CODE XREF: EtwpProfileInterrupt(x,x)+73j
		or	cl, 2

loc_67CAB6:				; CODE XREF: EtwpProfileInterrupt(x,x)+78j
		and	edx, 0FFFFBFFFh
		mov	[ebp+var_16], cl

loc_67CABF:				; CODE XREF: EtwpProfileInterrupt(x,x)+7Cj
		mov	ecx, [edi+50h]
		test	ecx, ecx
		jnz	short loc_67CACA
		xor	cl, cl
		jmp	short loc_67CAF1
; 

loc_67CACA:				; CODE XREF: EtwpProfileInterrupt(x,x)+8Fj
		mov	eax, [esi+3B34h]
		add	eax, ecx

loc_67CAD2:				; CODE XREF: EtwpProfileInterrupt(x,x)+BAj
		cmp	dword ptr [eax+60h], 0FFh
		ja	short loc_67CAE0
		mov	cl, [eax+60h]
		jmp	short loc_67CAE3
; 

loc_67CAE0:				; CODE XREF: EtwpProfileInterrupt(x,x)+A4j
		or	cl, 0FFh

loc_67CAE3:				; CODE XREF: EtwpProfileInterrupt(x,x)+A9j
		test	cl, cl
		jnz	short loc_67CAF1
		mov	eax, [eax+0F4h]
		test	eax, eax
		jnz	short loc_67CAD2

loc_67CAF1:				; CODE XREF: EtwpProfileInterrupt(x,x)+93j
					; EtwpProfileInterrupt(x,x)+B0j
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_20]
		and	[ebp+var_8], 0
		push	edx
		push	0F2Eh
		push	20000002h
		mov	[ebp+var_15], cl
		lea	edx, [ebp+var_14]
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 0Ch
		mov	ecx, [ebx+3A0h]
		push	1
		call	EtwTraceSiloKernelEvent
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
@EtwpProfileInterrupt@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall EtwpTraceALPC(x, x)
@EtwpTraceALPC@8 proc near		; DATA XREF: AlpcRegisterLogRoutine(x)+25o
					; AlpcUnregisterLogRoutine(x):loc_9959C7o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx+8]
		dec	eax
		cmp	eax, 8		; switch 9 cases
		ja	loc_67CBF9	; default
		jmp	ds:off_67CC07[eax*4] ; switch jump

loc_67CB59:				; DATA XREF: .text:off_67CC07o
		push	(offset	off_401900+2) ;	case 0x0
		push	1A21h
		jmp	short loc_67CBD6
; 

loc_67CB65:				; CODE XREF: EtwpTraceALPC(x,x)+1Fj
					; DATA XREF: .text:off_67CC07o
		push	(offset	off_401900+2) ;	case 0x1
		push	1A22h
		jmp	short loc_67CBD6
; 

loc_67CB71:				; CODE XREF: EtwpTraceALPC(x,x)+1Fj
					; DATA XREF: .text:off_67CC07o
		push	(offset	off_401900+2) ;	case 0x2
		push	1A23h
		jmp	short loc_67CBD6
; 

loc_67CB7D:				; CODE XREF: EtwpTraceALPC(x,x)+1Fj
					; DATA XREF: .text:off_67CC07o
		lea	eax, [ecx+0Ch]	; case 0x3
		mov	[ebp+var_14], eax
		lea	eax, [edx-0Ch]
		push	(offset	off_401900+2)
		mov	[ebp+var_C], eax
		push	1A24h
		jmp	short loc_67CBE3
; 

loc_67CB95:				; CODE XREF: EtwpTraceALPC(x,x)+1Fj
					; DATA XREF: .text:off_67CC07o
		push	(offset	off_401900+2) ;	case 0x4
		push	1A25h
		jmp	short loc_67CBD6
; 

loc_67CBA1:				; CODE XREF: EtwpTraceALPC(x,x)+1Fj
					; DATA XREF: .text:off_67CC07o
		push	(offset	off_401900+2) ;	case 0x5
		push	1A26h
		jmp	short loc_67CBD6
; 

loc_67CBAD:				; CODE XREF: EtwpTraceALPC(x,x)+1Fj
					; DATA XREF: .text:off_67CC07o
		push	(offset	off_401900+2) ;	case 0x6
		push	1A27h
		jmp	short loc_67CBD6
; 

loc_67CBB9:				; CODE XREF: EtwpTraceALPC(x,x)+1Fj
					; DATA XREF: .text:off_67CC07o
		push	(offset	off_401900+2) ;	case 0x7
		mov	[ebp+var_C], 8
		push	1A28h
		jmp	short loc_67CBDD
; 

loc_67CBCC:				; CODE XREF: EtwpTraceALPC(x,x)+1Fj
					; DATA XREF: .text:off_67CC07o
		push	(offset	off_401900+2) ;	case 0x8
		push	1A29h

loc_67CBD6:				; CODE XREF: EtwpTraceALPC(x,x)+30j
					; EtwpTraceALPC(x,x)+3Cj ...
		mov	[ebp+var_C], 4

loc_67CBDD:				; CODE XREF: EtwpTraceALPC(x,x)+97j
		lea	eax, [ecx+0Ch]
		mov	[ebp+var_14], eax

loc_67CBE3:				; CODE XREF: EtwpTraceALPC(x,x)+60j
		xor	edx, edx
		lea	ecx, [ebp+var_14]
		and	[ebp+var_10], edx
		and	[ebp+var_8], edx
		inc	edx
		push	100000h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_67CBF9:				; CODE XREF: EtwpTraceALPC(x,x)+19j
		mov	ecx, [ebp+var_4] ; default
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
@EtwpTraceALPC@8 endp

; 
		db 8Bh,	0FFh
off_67CC07	dd offset loc_67CB59	; DATA XREF: EtwpTraceALPC(x,x)+1Fr
		dd offset loc_67CB65	; jump table for switch	statement
		dd offset loc_67CB71
		dd offset loc_67CB7D
		dd offset loc_67CB95
		dd offset loc_67CBA1
		dd offset loc_67CBAD
		dd offset loc_67CBB9
		dd offset loc_67CBCC

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PerfInfoLogSysCallEntry(x)
@PerfInfoLogSysCallEntry@4 proc	near	; CODE XREF: KiSystemServiceAccessTeb()+485p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], 4
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], edi
		xor	esi, esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		call	_KeIsExecutingInArbitraryThreadContext@0 ; KeIsExecutingInArbitraryThreadContext()
		test	eax, eax
		jnz	short loc_67CC70
		mov	eax, large fs:124h
		push	eax
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		mov	esi, eax

loc_67CC70:				; CODE XREF: PerfInfoLogSysCallEntry(x)+35j
		push	501802h
		push	0F33h
		push	40000040h
		push	1
		lea	edx, [ebp+var_14]
		mov	ecx, esi
		call	EtwTraceSiloKernelEvent
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
@PerfInfoLogSysCallEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PerfInfoLogSysCallExit(x)
@PerfInfoLogSysCallExit@4 proc near	; CODE XREF: KiSystemServicePostCall()+41Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], 4
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], edi
		xor	esi, esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		call	_KeIsExecutingInArbitraryThreadContext@0 ; KeIsExecutingInArbitraryThreadContext()
		test	eax, eax
		jnz	short loc_67CCE0
		mov	eax, large fs:124h
		push	eax
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		mov	esi, eax

loc_67CCE0:				; CODE XREF: PerfInfoLogSysCallExit(x)+35j
		push	501802h
		push	0F34h
		push	40000040h
		push	1
		lea	edx, [ebp+var_14]
		mov	ecx, esi
		call	EtwTraceSiloKernelEvent
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
@PerfInfoLogSysCallExit@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PerfInfoLogUnexpectedInterrupt(x)
@PerfInfoLogUnexpectedInterrupt@4 proc near ; CODE XREF: V86_kira_a+82Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_18]
		and	[ebp+var_8], 0
		xor	edx, edx
		push	400A02h
		push	0F5Ch
		mov	[ebp+var_18], ecx
		inc	edx
		push	20004000h
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 2
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
@PerfInfoLogUnexpectedInterrupt@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceAntiStarvationBoost(x, x)
_EtwTraceAntiStarvationBoost@8 proc near ; CODE	XREF: KiQuantumEnd+169BE1p
					; KiQuantumEnd+169D20p

var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx+2B0h]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+148h]
		xor	ecx, ecx
		push	offset byte_401802
		mov	[ebp+var_16], dl
		xor	edx, edx
		mov	[ebp+var_18], ax
		inc	edx
		push	53Ch
		mov	[ebp+var_15], cl
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		lea	ecx, [ebp+var_14]
		push	40000001h
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 8
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwTraceAntiStarvationBoost@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceAutoBoostSetFloor(x, x, x, x, x, x,	x, x, x, x)
_EtwTraceAutoBoostSetFloor@40 proc near	; CODE XREF: KiAbApplyWakeupBoost+16EF7Ep
					; KiAbSetMinimumThreadPriority+D5908p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_17		= byte ptr -17h
var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h
arg_10		= byte ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= byte ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_20], edx
		mov	cl, [ebp+arg_8]
		lea	edx, [ebp+var_14]
		and	cl, 1
		push	500A02h
		mov	eax, [esi+2B0h]
		mov	[ebp+var_1C], eax
		mov	al, [ebp+arg_0]
		mov	[ebp+var_18], al
		mov	al, [ebp+arg_C]
		mov	[ebp+var_17], al
		mov	al, [ebp+arg_14]
		add	al, al
		or	cl, al
		mov	al, [ebp+arg_10]
		shl	cl, 3
		and	al, 7
		or	cl, al
		mov	al, [ebp+arg_4]
		shl	cl, 3
		and	al, 7
		or	cl, al
		mov	al, [ebp+arg_1C]
		mov	[ebp+var_16], cl
		and	al, 3
		mov	cl, large fs:235Ch
		and	cl, 1
		shl	al, 2
		or	cl, al
		mov	[ebp+var_C], 0Ch
		cmp	[ebp+arg_18], 0
		push	542h
		setz	al
		and	[ebp+var_10], 0
		and	[ebp+var_8], 0
		dec	al
		and	al, 2
		or	cl, al
		lea	eax, [ebp+var_20]
		mov	[ebp+var_15], cl
		mov	ecx, [esi+150h]
		push	20000200h
		mov	[ebp+var_14], eax
		push	1
		mov	ecx, [ecx+3A0h]
		call	EtwTraceSiloKernelEvent
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
_EtwTraceAutoBoostSetFloor@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceCpuCacheFlush(x, x,	x, x, x, x)
_EtwTraceCpuCacheFlush@24 proc near	; CODE XREF: KeFlushIoBuffers+D9CFEp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_7		= word ptr -7
var_5		= byte ptr -5
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		mov	al, [ebp+arg_4]
		push	ecx
		mov	[ebp+var_8], al
		mov	ecx, 0F63h
		xor	eax, eax
		mov	[ebp+var_10], edx
		push	1501A02h
		mov	[ebp+var_7], ax
		mov	edx, 84000000h
		mov	[ebp+var_5], al
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_10]
		push	10h
		push	eax
		call	_EtwTraceTimedEvent@24 ; EtwTraceTimedEvent(x,x,x,x,x,x)
		leave
		retn	10h
_EtwTraceCpuCacheFlush@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceDequeueWork(x, x, x)
_EtwTraceDequeueWork@12	proc near	; CODE XREF: KeRemoveQueueEx+C2D0Fp
					; KeRemoveQueueEx+C2EAFp ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ecx+2B0h]
		lea	ecx, [ebp+var_38]
		push	esi
		push	1501E02h
		push	53Fh
		mov	[ebp+var_38], eax
		xor	esi, esi
		mov	eax, [ebp+arg_0]
		push	21000000h
		mov	[ebp+var_34], eax
		push	2
		mov	[ebp+var_2C], ecx
		lea	ecx, [ebp+var_2C]
		mov	[ebp+var_1C], edx
		shl	eax, 2
		pop	edx
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], 8
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], esi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwTraceDequeueWork@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceDpcEnqueueEvent(x, x, x, x,	x, x)
_EtwTraceDpcEnqueueEvent@24 proc near	; CODE XREF: KiInsertQueueDpc+12B1F3p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_7		= word ptr -7
var_5		= byte ptr -5
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		mov	[ebp+var_7], ax
		mov	[ebp+var_5], bl
		cmp	edx, offset _EtwpStackWalkDpc@16 ; EtwpStackWalkDpc(x,x,x,x)
		jz	short loc_67CFA8
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+var_14], eax
		inc	edx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_C], eax
		mov	al, [ebp+arg_C]
		push	offset loc_501E02
		mov	[ebp+var_8], al
		lea	eax, [ebp+var_18]
		push	0F64h
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_28]
		push	20040000h
		mov	[ebp+var_7], bx
		mov	[ebp+var_5], bl
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], 14h
		mov	[ebp+var_1C], ebx
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_67CFA8:				; CODE XREF: EtwTraceDpcEnqueueEvent(x,x,x,x,x,x)+24j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_EtwTraceDpcEnqueueEvent@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceEnqueueWork(x, x, x)
_EtwTraceEnqueueWork@12	proc near	; CODE XREF: KeSetProcess+D5p
					; KeTerminateThread+221p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx+2B0h]
		lea	ecx, [ebp+var_14]
		and	[ebp+var_10], 0
		and	[ebp+var_8], 0
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_14], eax
		xor	eax, eax
		cmp	[ebp+arg_0], al
		mov	[ebp+var_1C], edx
		setz	al
		mov	[ebp+var_C], 8
		dec	eax
		xor	edx, edx
		and	eax, 1800h
		inc	edx
		add	eax, 500602h
		push	eax
		push	53Eh
		push	21000000h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwTraceEnqueueWork@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceIdealProcessor(x, x, x, x)
_EtwTraceIdealProcessor@16 proc	near	; CODE XREF: KeRevertToUserGroupAffinityThread+16C0BBp
					; KiQueueReadyThread+16B9FCp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	esi, edi
		jz	short loc_67D079
		mov	eax, [ecx+2B0h]
		lea	ecx, [ebp+var_20]
		and	[ebp+var_1C], 0
		and	[ebp+var_14], 0
		push	1501903h
		push	edx
		mov	[ebp+var_10], eax
		xor	edx, edx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_C], esi
		push	88000000h
		inc	edx
		mov	[ebp+var_8], edi
		mov	[ebp+var_20], eax
		mov	[ebp+var_18], 0Ch
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_67D079:				; CODE XREF: EtwTraceIdealProcessor(x,x,x,x)+1Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwTraceIdealProcessor@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceInswapProcess(x)
_EtwTraceInswapProcess@4 proc near	; CODE XREF: MmInSwapProcess+16281Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx+0E4h]
		xor	edx, edx
		and	[ebp+var_14], 0
		inc	edx
		and	[ebp+var_C], 0
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+18h]
		lea	ecx, [ebp+var_18]
		push	offset loc_501902
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_20]
		push	323h
		push	20000800h
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], 8
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwTraceInswapProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceIoTimerEvent(x, x, x)
_EtwTraceIoTimerEvent@12 proc near	; CODE XREF: IopDisableTimer(x)+70p
					; IopEnableTimer(x)+91p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_10], 0
		and	[ebp+var_8], 0
		push	501802h
		mov	[ebp+var_1C], edx
		xor	edx, edx
		push	ecx
		mov	[ebp+var_18], eax
		lea	ecx, [ebp+var_14]
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_C], 8
		push	40800000h
		inc	edx
		mov	[ebp+var_14], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwTraceIoTimerEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceObjectOperation(x, x, x, x)
_EtwTraceObjectOperation@16 proc near	; CODE XREF: ObpPushStackInfo(x,x,x,x)+45p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_20], 0
		mov	eax, edx
		shr	eax, 8
		push	ebx
		push	esi
		movzx	esi, al
		movzx	eax, byte ptr [edx+0Ch]
		xor	esi, eax
		mov	[ebp+var_2C], ecx
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	esi, eax
		mov	[ebp+var_28], edx
		mov	eax, ds:_ObTypeIndexTable[esi*4]
		xor	esi, esi
		mov	eax, [eax+84h]
		mov	[ebp+var_24], eax
		mov	eax, ds:_EtwpHostSiloState
		mov	ecx, [eax+924h]
		bsf	ebx, ecx
		jz	loc_67D245
		push	edi

loc_67D195:				; CODE XREF: EtwTraceObjectOperation(x,x,x,x)+C7j
		lea	eax, [ecx-1]
		and	ecx, eax
		mov	eax, ds:_EtwpHostSiloState
		mov	[ebp+var_20], ecx
		add	eax, 948h
		mov	ecx, ebx
		shl	ecx, 5
		add	eax, ecx
		jz	short loc_67D1FA
		test	byte ptr [eax+10h], 80h
		jz	short loc_67D1FA
		and	[ebp+var_18], 0
		xor	eax, eax
		imul	edi, ebx, 14h
		add	edi, offset _EtwpObjectTypeFilter
		cmp	ax, [edi]
		jnb	short loc_67D1FA
		lea	ecx, [edi+4]
		mov	[ebp+var_1C], ecx

loc_67D1D0:				; CODE XREF: EtwTraceObjectOperation(x,x,x,x)+BAj
		mov	edx, [ecx]
		mov	ecx, [ebp+var_24]
		call	_ExCheckSingleFilter@8 ; ExCheckSingleFilter(x,x)
		test	eax, eax
		jnz	short loc_67D1F7
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_1C]
		inc	edx
		movzx	eax, word ptr [edi]
		add	ecx, 4
		mov	[ebp+var_18], edx
		mov	[ebp+var_1C], ecx
		cmp	edx, eax
		jb	short loc_67D1D0
		jmp	short loc_67D1FA
; 

loc_67D1F7:				; CODE XREF: EtwTraceObjectOperation(x,x,x,x)+A3j
		bts	esi, ebx

loc_67D1FA:				; CODE XREF: EtwTraceObjectOperation(x,x,x,x)+75j
					; EtwTraceObjectOperation(x,x,x,x)+7Bj	...
		mov	ecx, [ebp+var_20]
		bsf	ebx, ecx
		jnz	short loc_67D195
		pop	edi
		test	esi, esi
		jz	short loc_67D245
		mov	eax, [ebp+var_28]
		lea	ecx, [ebp+var_14]
		and	[ebp+var_10], 0
		add	eax, 18h
		and	[ebp+var_8], 0
		xor	edx, edx
		mov	[ebp+var_38], eax
		inc	edx
		mov	eax, [ebp+arg_4]
		push	11501F02h
		push	[ebp+var_2C]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_38]
		push	esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 0Ch
		call	_EtwpTraceKernelEventWithFilter@20 ; EtwpTraceKernelEventWithFilter(x,x,x,x,x)

loc_67D245:				; CODE XREF: EtwTraceObjectOperation(x,x,x,x)+55j
					; EtwTraceObjectOperation(x,x,x,x)+CCj
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwTraceObjectOperation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTracePool(x, x, x, x, x)
_EtwTracePool@20 proc near		; CODE XREF: ExpInsertPoolTrackerExpansion+DF563p
					; ExpInsertPoolTrackerExpansion+DF654p	...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, edx
		push	edi
		xor	edi, edi
		mov	edx, ecx
		and	ebx, 26Dh
		mov	[ebp+var_30], edx
		cmp	[ebp+arg_8], 0FF0h
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		jbe	short loc_67D293
		or	ebx, 10000000h
		jmp	short loc_67D2A0
; 

loc_67D293:				; CODE XREF: EtwTracePool(x,x,x,x,x)+34j
		test	ds:byte_70EFC4,	40h
		jz	loc_67D3A1

loc_67D2A0:				; CODE XREF: EtwTracePool(x,x,x,x,x)+3Cj
		mov	eax, 0E22h
		cmp	dx, ax
		jnz	short loc_67D2C3
		test	bl, 1
		jnz	short loc_67D2C3
		mov	ecx, esi
		call	_MmIsNonPagedPoolNx@4 ;	MmIsNonPagedPoolNx(x)
		mov	edx, [ebp+var_30]
		test	eax, eax
		jz	short loc_67D2C3
		or	ebx, 200h

loc_67D2C3:				; CODE XREF: EtwTracePool(x,x,x,x,x)+53j
					; EtwTracePool(x,x,x,x,x)+58j ...
		mov	[ebp+var_38], 1
		test	bl, 20h
		jz	short loc_67D302
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_34], eax
		inc	edx
		lea	eax, [ebp+var_34]
		mov	[ebp+var_18], edi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], 4
		mov	[ebp+var_10], edi
		mov	[ebp+var_38], 2
		mov	[ebp+var_30], edx

loc_67D302:				; CODE XREF: EtwTracePool(x,x,x,x,x)+78j
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_2C], eax
		mov	eax, ds:_EtwpHostSiloState
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], esi
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], 10h
		mov	[ebp+var_20], edi
		mov	edi, [eax+924h]
		jmp	short loc_67D39C
; 

loc_67D334:				; CODE XREF: EtwTracePool(x,x,x,x,x)+14Aj
		mov	ecx, ds:_EtwpHostSiloState
		lea	eax, [edi-1]
		and	edi, eax
		mov	[ebp+var_3C], ecx
		mov	eax, ebx
		shl	eax, 5
		lea	esi, [ecx+948h]
		add	esi, eax
		jz	short loc_67D368
		test	byte ptr [esi+4], 40h
		jz	short loc_67D368
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_EtwpCheckPoolTagFilters@8 ; EtwpCheckPoolTagFilters(x,x)
		test	al, al
		jnz	short loc_67D37A
		mov	edx, [ebp+arg_8]

loc_67D368:				; CODE XREF: EtwTracePool(x,x,x,x,x)+FAj
					; EtwTracePool(x,x,x,x,x)+100j
		test	esi, esi
		jz	short loc_67D399
		test	byte ptr [esi+4], 1
		jz	short loc_67D399
		cmp	edx, 0FF0h
		jbe	short loc_67D399

loc_67D37A:				; CODE XREF: EtwTracePool(x,x,x,x,x)+10Ej
		mov	edx, [ebp+var_3C]
		lea	ecx, [ebp+var_2C]
		push	1401B02h
		push	[ebp+var_30]
		push	[ebp+var_38]
		movzx	eax, byte ptr [edx+ebx*2+914h]
		push	eax
		call	EtwpLogKernelEvent

loc_67D399:				; CODE XREF: EtwTracePool(x,x,x,x,x)+115j
					; EtwTracePool(x,x,x,x,x)+11Bj	...
		mov	edx, [ebp+arg_8]

loc_67D39C:				; CODE XREF: EtwTracePool(x,x,x,x,x)+DDj
		bsf	ebx, edi
		jnz	short loc_67D334

loc_67D3A1:				; CODE XREF: EtwTracePool(x,x,x,x,x)+45j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_EtwTracePool@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTracePriority(x,	x, x, x, x)
_EtwTracePriority@20 proc near		; CODE XREF: KeSetPriorityAndQuantumProcess+16A17Dp
					; KeSetPriorityAndQuantumProcess+16A1A1p ...

var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_17		= byte ptr -17h
var_16		= word ptr -16h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	ecx, [ebp+arg_4]
		cmp	ebx, ecx
		jz	short loc_67D443
		mov	eax, ds:_EtwpHostSiloState
		add	eax, 0A48h
		jz	short loc_67D3F9
		test	dword ptr [eax+4], 2000h
		jz	short loc_67D3F9
		push	ecx
		push	ebx
		movzx	edx, si
		mov	ecx, edi
		call	_EtwpPsProvTracePriority@16 ; EtwpPsProvTracePriority(x,x,x,x)
		mov	ecx, [ebp+arg_4]

loc_67D3F9:				; CODE XREF: EtwTracePriority(x,x,x,x,x)+2Dj
					; EtwTracePriority(x,x,x,x,x)+36j
		mov	eax, [edi+2B0h]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_17], cl
		xor	ecx, ecx
		mov	[ebp+var_18], bl
		mov	[ebp+var_16], cx
		test	eax, eax
		jz	short loc_67D41A
		mov	al, [eax]
		mov	byte ptr [ebp+var_16], al

loc_67D41A:				; CODE XREF: EtwTracePriority(x,x,x,x,x)+61j
		push	1501903h
		push	esi
		xor	edx, edx
		mov	[ebp+var_10], ecx
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_8], ecx
		push	20002000h
		inc	edx
		mov	[ebp+var_14], eax
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_C], 8
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_67D443:				; CODE XREF: EtwTracePriority(x,x,x,x,x)+21j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_EtwTracePriority@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceReadyThread(x, x, x, x)
_EtwTraceReadyThread@16	proc near	; CODE XREF: KiFastReadyThread+168CDBp
					; KiReadyOutSwappedThreads+1628A3p ...

var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+2Ch+var_1C], dl
		mov	ecx, large fs:235Ch
		and	cl, 1
		mov	[esp+2Ch+var_19], 0
		push	edi
		mov	eax, [esi+2B0h]
		mov	[esp+30h+var_20], eax
		mov	al, [ebp+arg_0]
		mov	[esp+30h+var_1B], al
		mov	al, [esi+5Eh]
		not	al
		and	al, 2
		or	cl, al
		mov	eax, [esi+80h]
		mov	[esp+30h+var_1A], cl
		mov	ebx, [eax+7Ch]
		mov	cl, [esp+30h+var_1A]
		and	bl, 7
		mov	al, [ebp+arg_4]
		neg	bl
		sbb	bl, bl
		shl	al, 3
		and	bl, 4
		mov	dl, bl
		or	dl, cl
		and	cl, 0FBh
		xor	dl, al
		or	cl, bl
		and	dl, 8
		xor	dl, cl
		mov	ecx, esi
		mov	[esp+30h+var_1A], dl
		xor	edx, edx
		call	_PsQueryThreadStartAddress@8 ; PsQueryThreadStartAddress(x,x)
		test	[ebp+arg_4], 2
		mov	edi, offset loc_501A02
		jnz	short loc_67D511
		cmp	eax, offset _KeSwapProcessOrStack@4 ; KeSwapProcessOrStack(x)
		jz	short loc_67D511
		cmp	eax, offset _EtwpLogger@4 ; EtwpLogger(x)
		jz	short loc_67D511
		mov	eax, ds:_EtwpHostSiloState
		add	eax, 0A68h
		jz	short loc_67D516
		test	dword ptr [eax+4], 200h
		jz	short loc_67D516
		mov	ecx, esi
		call	_EtwpCoverageSamplerReadyThread@4 ; EtwpCoverageSamplerReadyThread(x)
		jmp	short loc_67D516
; 

loc_67D511:				; CODE XREF: EtwTraceReadyThread(x,x,x,x)+8Fj
					; EtwTraceReadyThread(x,x,x,x)+96j ...
		mov	edi, 500A02h

loc_67D516:				; CODE XREF: EtwTraceReadyThread(x,x,x,x)+A9j
					; EtwTraceReadyThread(x,x,x,x)+B2j ...
		mov	ecx, [esi+150h]
		lea	eax, [esp+30h+var_20]
		and	[esp+30h+var_14], 0
		lea	edx, [esp+30h+var_18]
		and	[esp+30h+var_C], 0
		push	edi
		push	532h
		push	20000200h
		mov	[esp+3Ch+var_18], eax
		mov	[esp+3Ch+var_10], 8
		mov	ecx, [ecx+3A0h]
		push	1
		call	EtwTraceSiloKernelEvent
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_EtwTraceReadyThread@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceShouldYieldProcessor(x, x, x)
_EtwTraceShouldYieldProcessor@12 proc near ; CODE XREF:	KeShouldYieldProcessor+F0DF0p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_1C], 0
		and	[ebp+var_14], 0
		push	400A02h
		mov	[ebp+var_C], edx
		xor	edx, edx
		mov	[ebp+var_8], eax
		inc	edx
		push	0F6Dh
		mov	[ebp+var_10], ecx
		lea	eax, [ebp+var_10]
		push	24000000h
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_20], eax
		mov	[ebp+var_18], 0Ch
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwTraceShouldYieldProcessor@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceSiloDcEvent(x, x, x, x, x, x)
_EtwTraceSiloDcEvent@24	proc near	; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+28Cp
					; CmpMachineHiveCallbackFatalFilter(x,x)+3DEp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	edx
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		call	EtwpLogKernelEvent
		pop	ebp
		retn	10h
_EtwTraceSiloDcEvent@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceSiloTimedEvent(x, x, x, x, x, x, x)
_EtwTraceSiloTimedEvent@28 proc	near	; CODE XREF: PfHardFaultLog+1665FEp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	[ebp+var_14], eax
		mov	ebx, edx
		mov	eax, ds:_EtwpHostSiloState
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], 18h
		xor	ecx, ecx
		mov	[ebp+var_28], edi
		mov	esi, [eax+924h]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		bsf	ecx, esi
		jz	short loc_67D680
		mov	edi, [ebp+arg_10]

loc_67D620:				; CODE XREF: EtwTraceSiloTimedEvent(x,x,x,x,x,x,x)+9Fj
		mov	edx, ds:_EtwpHostSiloState
		lea	eax, [esi-1]
		and	esi, eax
		mov	eax, ecx
		shl	eax, 5
		add	eax, 948h
		add	eax, edx
		jz	short loc_67D678
		test	dword ptr [eax], 2000h
		jz	short loc_67D678
		movzx	eax, byte ptr [edx+ecx*2+915h]
		and	[ebp+var_20], 0
		dec	eax
		and	[ebp+var_18], 0
		push	offset byte_401802
		push	ebx
		lea	eax, [edi+eax*8]
		mov	[ebp+var_1C], 8
		mov	[ebp+var_24], eax
		movzx	eax, byte ptr [edx+ecx*2+914h]
		lea	ecx, [ebp+var_24]
		push	2
		push	eax
		call	EtwpLogKernelEvent

loc_67D678:				; CODE XREF: EtwTraceSiloTimedEvent(x,x,x,x,x,x,x)+5Bj
					; EtwTraceSiloTimedEvent(x,x,x,x,x,x,x)+63j
		bsf	ecx, esi
		jnz	short loc_67D620
		mov	edi, [ebp+var_28]

loc_67D680:				; CODE XREF: EtwTraceSiloTimedEvent(x,x,x,x,x,x,x)+3Fj
		test	edi, edi
		jz	short loc_67D6FA
		mov	eax, [edi+2F8h]
		mov	esi, [eax+1F0h]
		test	esi, esi
		jz	short loc_67D6FA
		mov	edi, [esi+924h]
		jmp	short loc_67D6F5
; 

loc_67D69C:				; CODE XREF: EtwTraceSiloTimedEvent(x,x,x,x,x,x,x)+11Cj
		lea	eax, [edi-1]
		and	edi, eax
		mov	eax, ecx
		shl	eax, 5
		add	eax, 948h
		add	eax, esi
		jz	short loc_67D6F5
		test	dword ptr [eax], 2000h
		jz	short loc_67D6F5
		movzx	eax, byte ptr [esi+ecx*2+915h]
		mov	edx, [ebp+arg_10]
		and	[ebp+var_20], 0
		sub	edx, 8
		and	[ebp+var_18], 0
		push	offset byte_401802
		push	ebx
		lea	eax, [edx+eax*8]
		mov	[ebp+var_1C], 8
		mov	[ebp+var_24], eax
		mov	edx, esi
		movzx	eax, byte ptr [esi+ecx*2+914h]
		lea	ecx, [ebp+var_24]
		push	2
		push	eax
		call	EtwpLogKernelEvent

loc_67D6F5:				; CODE XREF: EtwTraceSiloTimedEvent(x,x,x,x,x,x,x)+BEj
					; EtwTraceSiloTimedEvent(x,x,x,x,x,x,x)+D1j ...
		bsf	ecx, edi
		jnz	short loc_67D69C

loc_67D6FA:				; CODE XREF: EtwTraceSiloTimedEvent(x,x,x,x,x,x,x)+A6j
					; EtwTraceSiloTimedEvent(x,x,x,x,x,x,x)+B6j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_EtwTraceSiloTimedEvent@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceThreadAffinity(x, x)
_EtwTraceThreadAffinity@8 proc near	; CODE XREF: KeRevertToUserGroupAffinityThread+16C0C9p
					; KeSetSystemGroupAffinityThread+16A942p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_6		= word ptr -6
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx+2B0h]
		lea	ecx, [ebp+var_20]
		and	[ebp+var_1C], 0
		and	[ebp+var_14], 0
		mov	[ebp+var_C], eax
		mov	eax, [edx]
		mov	[ebp+var_10], eax
		mov	ax, [edx+4]
		xor	edx, edx
		mov	[ebp+var_8], ax
		inc	edx
		xor	eax, eax
		mov	[ebp+var_18], 0Ch
		push	offset loc_501902
		mov	[ebp+var_6], ax
		lea	eax, [ebp+var_10]
		push	535h
		push	20001000h
		mov	[ebp+var_20], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwTraceThreadAffinity@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceThreadWorkItem(x, x)
_EtwTraceThreadWorkItem@8 proc near	; CODE XREF: ExpWorkerThread+160DF7p
					; ExpWorkerThread+160E0Ap ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	[ebp+var_18], ecx
		cmp	ecx, offset IopProcessWorkItem
		jz	short loc_67D7BC
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_18]
		and	[ebp+var_8], 0
		lea	ecx, [ebp+var_14]
		push	11501902h
		push	edx
		xor	edx, edx
		mov	[ebp+var_14], eax
		push	48000000h
		inc	edx
		mov	[ebp+var_C], 4
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_67D7BC:				; CODE XREF: EtwTraceThreadWorkItem(x,x)+1Bj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwTraceThreadWorkItem@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceTimedEvent(x, x, x,	x, x, x)
_EtwTraceTimedEvent@24 proc near	; CODE XREF: KiProcessExpiredTimerList+163230p
					; KeDisableTimer2+F20B9p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], eax
		mov	eax, ds:_EtwpHostSiloState
		push	ebx
		mov	[ebp+var_28], ecx
		mov	ebx, edx
		xor	ecx, ecx
		push	esi
		mov	esi, [eax+924h]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		bsf	ecx, esi
		jz	short loc_67D873
		push	edi

loc_67D806:				; CODE XREF: EtwTraceTimedEvent(x,x,x,x,x,x)+A8j
		mov	edx, ds:_EtwpHostSiloState
		lea	eax, [esi-1]
		and	esi, eax
		mov	eax, ecx
		shl	eax, 5
		lea	edi, [edx+948h]
		add	edi, eax
		jz	short loc_67D86D
		mov	eax, ebx
		shr	eax, 1Dh
		mov	eax, [edi+eax*4]
		and	eax, ebx
		test	eax, 1FFFFFFFh
		jz	short loc_67D86D
		movzx	eax, byte ptr [edx+ecx*2+915h]
		mov	edi, [ebp+arg_C]
		push	[ebp+arg_8]
		and	[ebp+var_20], 0
		sub	edi, 8
		push	[ebp+var_28]
		and	[ebp+var_18], 0
		mov	[ebp+var_1C], 8
		lea	eax, [edi+eax*8]
		mov	[ebp+var_24], eax
		movzx	eax, byte ptr [edx+ecx*2+914h]
		lea	ecx, [ebp+var_24]
		push	2
		push	eax
		call	EtwpLogKernelEvent

loc_67D86D:				; CODE XREF: EtwTraceTimedEvent(x,x,x,x,x,x)+56j
					; EtwTraceTimedEvent(x,x,x,x,x,x)+67j
		bsf	ecx, esi
		jnz	short loc_67D806
		pop	edi

loc_67D873:				; CODE XREF: EtwTraceTimedEvent(x,x,x,x,x,x)+3Bj
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_EtwTraceTimedEvent@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCancelTraceImageUnloadApc(x)
_EtwpCancelTraceImageUnloadApc@4 proc near ; DATA XREF:	PerfLogImageUnload+D5o

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[esp+2Ch+var_8], eax
		mov	[esp+2Ch+var_4], eax
		mov	[esp+2Ch+var_20], eax
		mov	eax, ds:_FltMgrCallbacks
		mov	ecx, [esi+30h]
		push	edi
		test	eax, eax
		jnz	short loc_67D8B5
		mov	eax, 0C00000BBh
		jmp	short loc_67D8C8
; 

loc_67D8B5:				; CODE XREF: EtwpCancelTraceImageUnloadApc(x)+29j
		lea	edx, [esp+30h+var_20]
		push	edx
		lea	edx, [esp+34h+var_8]
		push	edx
		push	200h
		push	ecx
		call	dword ptr [eax+0Ch]

loc_67D8C8:				; CODE XREF: EtwpCancelTraceImageUnloadApc(x)+30j
		mov	ecx, [esi+44h]
		mov	edx, [esi+50h]
		mov	edi, [esi+4Ch]
		mov	ebx, [esi+48h]
		mov	[esp+40h+var_2C], ecx
		mov	ecx, [esi+40h]
		mov	[esp+40h+var_28], ecx
		mov	ecx, [esi+3Ch]
		mov	[esp+40h+var_24], ecx
		mov	ecx, [esi+38h]
		mov	[esp+40h+var_20], ecx
		mov	ecx, [esi+34h]
		mov	[esp+40h+var_1C], ecx
		test	eax, eax
		js	short loc_67D8FE
		lea	ecx, [esp+40h+var_18]
		jmp	short loc_67D904
; 

loc_67D8FE:				; CODE XREF: EtwpCancelTraceImageUnloadApc(x)+73j
		mov	ecx, [esi+30h]
		add	ecx, 30h

loc_67D904:				; CODE XREF: EtwpCancelTraceImageUnloadApc(x)+79j
		push	0
		push	edx
		mov	edx, [esp+48h+var_1C]
		push	edi
		push	ebx
		push	[esp+50h+var_2C]
		push	[esp+54h+var_28]
		push	[esp+58h+var_24]
		push	[esp+5Ch+var_20]
		call	_EtwpTraceImageUnload@40 ; EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)
		cmp	[esp+40h+var_30], 0
		jz	short loc_67D935
		mov	eax, ds:_FltMgrCallbacks
		push	[esp+40h+var_30]
		call	dword ptr [eax+10h]

loc_67D935:				; CODE XREF: EtwpCancelTraceImageUnloadApc(x)+A4j
		mov	ecx, [esi+30h]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_EtwpCancelTraceImageUnloadApc@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpDiskProvTraceDisk(x, x,	x, x)
_EtwpDiskProvTraceDisk@16 proc near	; CODE XREF: EtwpTraceIo+DA93Cp

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, ds:_EtwpDiskProvRegHandle
		push	esi
		push	edi
		mov	[ebp+var_30], eax
		lea	edi, [ebp+var_24]
		mov	eax, [ebp+arg_4]
		mov	si, cx
		mov	[ebp+var_38], eax
		xor	eax, eax
		and	[ebp+var_44], eax
		and	[ebp+var_40], eax
		mov	[ebp+var_34], edx
		push	8
		pop	ecx
		rep stosd
		test	ebx, ebx
		jz	loc_67DB51
		movzx	eax, si
		sub	eax, 10Ah
		jz	short loc_67D9B5
		sub	eax, 4
		jz	short loc_67D9AE
		mov	esi, offset _KDskEvt_Write
		jmp	short loc_67D9BA
; 

loc_67D9AE:				; CODE XREF: EtwpDiskProvTraceDisk(x,x,x,x)+52j
		mov	esi, offset _KDskEvt_Flush
		jmp	short loc_67D9BA
; 

loc_67D9B5:				; CODE XREF: EtwpDiskProvTraceDisk(x,x,x,x)+4Dj
		mov	esi, offset _KDskEvt_Read

loc_67D9BA:				; CODE XREF: EtwpDiskProvTraceDisk(x,x,x,x)+59j
					; EtwpDiskProvTraceDisk(x,x,x,x)+60j
		add	dword ptr [edx+8], 0FFFFFFFCh
		mov	edi, [ebx+38h]
		lea	eax, [edi+10h]
		neg	edi
		sbb	edi, edi
		and	edi, eax
		mov	al, [ebx+34h]
		mov	[ebp+var_3C], edi
		mov	[ebp+var_25], al
		test	al, al
		jz	short loc_67DA20
		mov	eax, [ebx+10h]
		push	dword ptr [esi+0Ch]
		mov	dl, [esi+4]
		push	dword ptr [esi+8]
		lea	ecx, [eax+40h]
		mov	[ebp+var_2C], eax
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	short loc_67DA20
		xor	ecx, ecx
		mov	dl, [ebp+var_25]
		lea	eax, [ebp+var_44]
		push	eax
		movzx	eax, word ptr [ebx+32h]
		push	edi
		push	eax
		push	ecx
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_30]
		push	[ebp+var_34]
		push	1
		push	ecx
		push	[ebp+var_38]
		push	ecx
		push	ecx
		push	esi
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_2C]
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)

loc_67DA20:				; CODE XREF: EtwpDiskProvTraceDisk(x,x,x,x)+82j
					; EtwpDiskProvTraceDisk(x,x,x,x)+9Dj
		mov	al, [ebx+35h]
		mov	[ebp+var_25], al
		test	al, al
		jz	short loc_67DA75
		mov	eax, [ebx+14h]
		push	dword ptr [esi+0Ch]
		mov	dl, [esi+4]
		push	dword ptr [esi+8]
		lea	ecx, [eax+40h]
		mov	[ebp+var_2C], eax
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	short loc_67DA75
		lea	eax, [ebp+var_44]
		mov	dl, [ebp+var_25]
		push	eax
		movzx	eax, word ptr [ebx+32h]
		push	edi
		push	eax
		push	[ebp+var_2C]
		mov	ecx, [ebx+10h]
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_30]
		xor	eax, eax
		push	[ebp+var_34]
		push	1
		push	eax
		push	[ebp+var_38]
		push	eax
		push	eax
		push	esi
		push	eax
		push	eax
		push	eax
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)

loc_67DA75:				; CODE XREF: EtwpDiskProvTraceDisk(x,x,x,x)+D5j
					; EtwpDiskProvTraceDisk(x,x,x,x)+F0j
		mov	eax, [ebx+10h]
		cmp	dword ptr [eax+168h], 0
		jz	loc_67DB51
		push	8
		xor	eax, eax
		lea	edi, [ebp+var_24]
		pop	ecx
		rep stosd
		mov	al, [ebx+36h]
		mov	[ebp+var_25], al
		test	al, al
		jz	short loc_67DAED
		mov	eax, [ebx+10h]
		push	dword ptr [esi+0Ch]
		mov	dl, [esi+4]
		push	dword ptr [esi+8]
		mov	eax, [eax+168h]
		mov	[ebp+var_2C], eax
		lea	ecx, [eax+40h]
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		mov	edi, [ebp+var_3C]
		test	al, al
		jz	short loc_67DAF0
		xor	ecx, ecx
		mov	dl, [ebp+var_25]
		lea	eax, [ebp+var_44]
		push	eax
		movzx	eax, word ptr [ebx+32h]
		push	edi
		push	eax
		push	ecx
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_30]
		push	[ebp+var_34]
		push	1
		push	ecx
		push	[ebp+var_38]
		push	ecx
		push	ecx
		push	esi
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_2C]
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_67DAF0
; 

loc_67DAED:				; CODE XREF: EtwpDiskProvTraceDisk(x,x,x,x)+144j
		mov	edi, [ebp+var_3C]

loc_67DAF0:				; CODE XREF: EtwpDiskProvTraceDisk(x,x,x,x)+168j
					; EtwpDiskProvTraceDisk(x,x,x,x)+198j
		mov	al, [ebx+37h]
		mov	[ebp+var_25], al
		test	al, al
		jz	short loc_67DB51
		mov	eax, [ebx+14h]
		push	dword ptr [esi+0Ch]
		mov	dl, [esi+4]
		push	dword ptr [esi+8]
		mov	eax, [eax+168h]
		mov	[ebp+var_2C], eax
		lea	ecx, [eax+40h]
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		jz	short loc_67DB51
		mov	ecx, [ebx+10h]
		lea	eax, [ebp+var_44]
		push	eax
		movzx	eax, word ptr [ebx+32h]
		push	edi
		push	eax
		push	[ebp+var_2C]
		mov	dl, [ebp+var_25]
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_30]
		mov	ecx, [ecx+168h]
		xor	eax, eax
		push	[ebp+var_34]
		push	1
		push	eax
		push	[ebp+var_38]
		push	eax
		push	eax
		push	esi
		push	eax
		push	eax
		push	eax
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)

loc_67DB51:				; CODE XREF: EtwpDiskProvTraceDisk(x,x,x,x)+3Fj
					; EtwpDiskProvTraceDisk(x,x,x,x)+12Cj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpDiskProvTraceDisk@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpFileProvTrace(x, x, x, x)
_EtwpFileProvTrace@16 proc near		; CODE XREF: EtwpTraceFileIo(x,x,x,x,x,x)+3Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		movzx	eax, word ptr [ebp+arg_0]
		push	edi
		add	eax, 0FFFFFBC0h
		mov	[ebp+var_8], edx
		xor	edi, edi
		mov	[ebp+var_4], ecx
		cmp	eax, 16h
		ja	loc_67DC76
		push	esi
		jmp	ds:off_67DC7E[eax*4]

loc_67DB8C:				; DATA XREF: .text:0067DCAEo
		xor	edi, edi
		mov	esi, offset _KFileEvt_OperationEnd
		inc	edi
		jmp	loc_67DC40
; 

loc_67DB99:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:off_67DC7Eo
		mov	esi, offset _KFileEvt_Create
		jmp	loc_67DC40
; 

loc_67DBA3:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DC82o
		mov	esi, offset _KFileEvt_Cleanup
		jmp	loc_67DC40
; 

loc_67DBAD:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DC86o
		mov	esi, offset _KFileEvt_Close
		jmp	loc_67DC40
; 

loc_67DBB7:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DC8Ao
		xor	edi, edi
		mov	esi, offset _KFileEvt_Read
		inc	edi
		jmp	short loc_67DC40
; 

loc_67DBC1:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DC8Eo
		xor	edi, edi
		mov	esi, offset _KFileEvt_Write
		inc	edi
		jmp	short loc_67DC40
; 

loc_67DBCB:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DCA6o
		mov	esi, offset _KFileEvt_QueryInformation
		jmp	short loc_67DC40
; 

loc_67DBD2:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DC9Eo
		mov	esi, offset _KFileEvt_DirEnum
		jmp	short loc_67DC40
; 

loc_67DBD9:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DC92o
		mov	esi, offset _KFileEvt_SetInformation
		jmp	short loc_67DC40
; 

loc_67DBE0:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DC96o
		mov	esi, offset _KFileEvt_Delete
		jmp	short loc_67DC40
; 

loc_67DBE7:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DC9Ao
		mov	esi, offset _KFileEvt_Rename
		jmp	short loc_67DC40
; 

loc_67DBEE:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DCC6o
		mov	esi, offset _KFileEvt_SetLink
		jmp	short loc_67DC40
; 

loc_67DBF5:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DCA2o
		mov	esi, offset _KFileEvt_Flush
		jmp	short loc_67DC40
; 

loc_67DBFC:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DCAAo
		mov	esi, offset _KFileEvt_FSCTL
		jmp	short loc_67DC40
; 

loc_67DC03:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DCB2o
		mov	esi, offset _KFileEvt_DirNotify
		jmp	short loc_67DC40
; 

loc_67DC0A:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DCB6o
		mov	esi, offset _KFileEvt_CreateNewFile
		jmp	short loc_67DC40
; 

loc_67DC11:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DCBAo
		mov	esi, offset _KFileEvt_DeletePath
		jmp	short loc_67DC40
; 

loc_67DC18:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DCBEo
		mov	esi, offset _KFileEvt_RenamePath
		jmp	short loc_67DC40
; 

loc_67DC1F:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DCC2o
		mov	esi, offset _KFileEvt_SetLinkPath
		jmp	short loc_67DC40
; 

loc_67DC26:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DCCAo
		mov	esi, offset _KFileEvt_SetSecurity
		jmp	short loc_67DC40
; 

loc_67DC2D:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DCCEo
		mov	esi, offset _KFileEvt_QuerySecurity
		jmp	short loc_67DC40
; 

loc_67DC34:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DCD2o
		mov	esi, offset _KFileEvt_SetEA
		jmp	short loc_67DC40
; 

loc_67DC3B:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+23j
					; DATA XREF: .text:0067DCD6o
		mov	esi, offset _KFileEvt_QueryEA

loc_67DC40:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+32j
					; EtwpFileProvTrace(x,x,x,x)+3Cj ...
		mov	eax, ds:_EtwpFileProvRegHandle
		push	ebx
		mov	ebx, ds:dword_6BC314
		push	esi
		push	ebx
		push	eax
		mov	[ebp+arg_0], eax
		call	EtwEventEnabled
		test	al, al
		jz	short loc_67DC74
		push	[ebp+var_4]
		xor	eax, eax
		push	[ebp+var_8]
		push	eax
		push	[ebp+arg_4]
		push	edi
		push	eax
		push	eax
		push	esi
		push	ebx
		push	[ebp+arg_0]
		call	EtwWriteEx

loc_67DC74:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+F7j
		pop	ebx
		pop	esi

loc_67DC76:				; CODE XREF: EtwpFileProvTrace(x,x,x,x)+1Cj
		pop	edi
		leave
		retn	8
_EtwpFileProvTrace@16 endp

; 
		db 8Dh
		db 49h,	0
off_67DC7E	dd offset loc_67DB99	; DATA XREF: EtwpFileProvTrace(x,x,x,x)+23r
		dd offset loc_67DBA3
		dd offset loc_67DBAD
		dd offset loc_67DBB7
		dd offset loc_67DBC1
		dd offset loc_67DBD9
		dd offset loc_67DBE0
		dd offset loc_67DBE7
		dd offset loc_67DBD2
		dd offset loc_67DBF5
		dd offset loc_67DBCB
		dd offset loc_67DBFC
		dd offset loc_67DB8C
		dd offset loc_67DC03
		dd offset loc_67DC0A
		dd offset loc_67DC11
		dd offset loc_67DC18
		dd offset loc_67DC1F
		dd offset loc_67DBEE
		dd offset loc_67DC26
		dd offset loc_67DC2D
		dd offset loc_67DC34
		dd offset loc_67DC3B

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetDurationSince(x, x, x, x)
_EtwpGetDurationSince@16 proc near	; CODE XREF: MiAllocatePagesForMdl+121536p
					; MiAllocateContiguousMemory+DF4B3p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [ebp+var_8]
		push	edi
		push	eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	esi, eax
		lea	ecx, [ebp+var_10]
		sub	esi, [ebp+arg_8]
		mov	edi, edx
		push	ebx
		sbb	edi, [ebp+arg_C]
		push	0F4240h
		push	edi
		push	esi
		call	_RtlULongLongMult@20 ; RtlULongLongMult(x,x,x,x,x)
		test	eax, eax
		js	short loc_67DD29
		push	[ebp+var_4]
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	[ebp+var_10]
		jmp	short loc_67DD4A
; 

loc_67DD29:				; CODE XREF: EtwpGetDurationSince(x,x,x,x)+3Fj
		push	ebx
		push	0F4240h
		push	[ebp+var_4]
		push	[ebp+var_8]
		call	__aulldiv
		mov	ecx, eax
		or	ecx, edx
		jnz	short loc_67DD46
		xor	eax, eax
		xor	edx, edx
		jmp	short loc_67DD4F
; 

loc_67DD46:				; CODE XREF: EtwpGetDurationSince(x,x,x,x)+64j
		push	edx
		push	eax
		push	edi
		push	esi

loc_67DD4A:				; CODE XREF: EtwpGetDurationSince(x,x,x,x)+4Dj
		call	__aulldiv

loc_67DD4F:				; CODE XREF: EtwpGetDurationSince(x,x,x,x)+6Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_EtwpGetDurationSince@16 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpGetScsiPassThroughCdb(x)
_EtwpGetScsiPassThroughCdb@4 proc near	; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+A2p
					; EtwpTraceOpticalIoInit(x)+2Dp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, [ecx+60h]
		mov	ebx, 4D044h
		xor	edx, edx
		push	edi
		mov	eax, [esi+0Ch]
		lea	edi, [ebx+4]
		cmp	eax, 4D004h
		jz	short loc_67DD81
		cmp	eax, 4D014h
		jz	short loc_67DD81
		cmp	eax, ebx
		jz	short loc_67DD81
		cmp	eax, edi
		jnz	short loc_67DDA9

loc_67DD81:				; CODE XREF: EtwpGetScsiPassThroughCdb(x)+1Aj
					; EtwpGetScsiPassThroughCdb(x)+21j ...
		mov	ecx, [ecx+0Ch]
		test	ecx, ecx
		jz	short loc_67DDA9
		mov	esi, [esi+8]
		cmp	eax, ebx
		jz	short loc_67DDA1
		cmp	eax, edi
		jz	short loc_67DDA1
		cmp	esi, 2Ch
		lea	eax, [ecx+1Ch]
		sbb	edx, edx
		not	edx
		and	edx, eax
		jmp	short loc_67DDA9
; 

loc_67DDA1:				; CODE XREF: EtwpGetScsiPassThroughCdb(x)+37j
					; EtwpGetScsiPassThroughCdb(x)+3Bj
		cmp	esi, 34h
		jb	short loc_67DDA9
		lea	edx, [ecx+30h]

loc_67DDA9:				; CODE XREF: EtwpGetScsiPassThroughCdb(x)+29j
					; EtwpGetScsiPassThroughCdb(x)+30j ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		retn
_EtwpGetScsiPassThroughCdb@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogMemInfo(x, x)
_EtwpLogMemInfo@8 proc near		; CODE XREF: EtwpLogMemInfoTimerCallback(x,x)+3Ap
					; EtwpLogMemInfoRundown(x)+2Bp

var_98		= dword	ptr -98h
var_91		= byte ptr -91h
var_90		= dword	ptr -90h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_98], 0
		lea	eax, [ebp+var_90]
		push	ebx
		push	esi
		push	edi
		push	58h
		pop	ebx
		push	ebx		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, edx
		mov	edi, ecx
		call	_memset
		and	[ebp+var_34], 0
		lea	eax, [ebp-91h]
		and	[ebp+var_2C], 0
		lea	edx, [ebp+var_90]
		add	esp, 0Ch
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_91], 8
		mov	[ebp+var_30], 1
		push	eax
		push	ecx
		push	ebx
		xor	ecx, ecx
		call	MmQueryMemoryListInformation
		xor	ecx, ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ecx
		lea	eax, [ebp+var_90]
		mov	[ebp+var_28], eax
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], 10h
		mov	[ebp+var_C], ecx
		test	edi, edi
		jnz	short loc_67DE92
		mov	eax, ds:_EtwpHostSiloState
		add	eax, 0A48h
		jz	short loc_67DE76
		test	dword ptr [eax+4], 80000h
		jz	short loc_67DE76
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	ecx
		push	offset _KERNEL_MEM_EVENT_MEMINFO
		push	ds:dword_6BC304
		push	ds:_EtwpMemoryProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_67DE76:				; CODE XREF: EtwpLogMemInfo(x,x)+9Fj
					; EtwpLogMemInfo(x,x)+A8j
		push	offset byte_401803
		push	270h
		push	20080000h
		push	2
		pop	edx
		lea	ecx, [ebp+var_28]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	short loc_67DEAE
; 

loc_67DE92:				; CODE XREF: EtwpLogMemInfo(x,x)+93j
		mov	edx, [edi+2E4h]
		lea	ecx, [ebp+var_28]
		push	offset byte_401803
		push	270h
		push	2
		push	dword ptr [edi]
		call	EtwpLogKernelEvent

loc_67DEAE:				; CODE XREF: EtwpLogMemInfo(x,x)+E1j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpLogMemInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogMemInfoTimerCallback(x, x)
_EtwpLogMemInfoTimerCallback@8 proc near ; DATA	XREF: EtwpInitialize+14Ao

var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+14h+var_4], eax
		push	edi
		xor	eax, eax
		lea	edi, [esp+18h+var_14]
		stosd
		lea	ecx, [esp+18h+var_14]
		stosd
		stosd
		stosd
		call	_MmQuerySystemMemoryInformation@8 ; MmQuerySystemMemoryInformation(x,x)
		test	dword ptr ds:byte_70EFC4, 80000h
		jz	short loc_67DF01
		mov	edx, ecx
		xor	ecx, ecx
		call	_EtwpLogMemInfo@8 ; EtwpLogMemInfo(x,x)
		call	_EtwpLogMemNodeInfo@0 ;	EtwpLogMemNodeInfo()

loc_67DF01:				; CODE XREF: EtwpLogMemInfoTimerCallback(x,x)+34j
		test	dword ptr ds:byte_70EFC4, 800000h
		jz	short loc_67DF16
		mov	ecx, [esp+18h+var_14]
		call	_EtwpQueuePerfMemInfoWorkItem@4	; EtwpQueuePerfMemInfoWorkItem(x)

loc_67DF16:				; CODE XREF: EtwpLogMemInfoTimerCallback(x,x)+4Ej
		mov	ecx, [esp+18h+var_4]
		pop	edi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_EtwpLogMemInfoTimerCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogMemNodeInfo()
_EtwpLogMemNodeInfo@0 proc near		; CODE XREF: EtwpLogMemInfoTimerCallback(x,x)+3Fp

var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 29Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ds:_EtwpHostSiloState
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_298], ebx
		mov	[ebp+var_29C], ebx
		add	eax, 0A48h
		jz	loc_67E054
		test	dword ptr [eax+4], 80000h
		jz	loc_67E054
		push	ebx
		push	400h
		push	ebx
		push	ds:dword_6BC304
		push	ds:_EtwpMemoryProvRegHandle
		call	EtwProviderEnabled
		test	al, al
		jz	loc_67E054
		mov	ax, ds:_KeNumberNodes
		push	esi
		cmp	ax, 8
		ja	short loc_67DF9E
		lea	esi, [ebp+var_294]
		jmp	short loc_67DFBE
; 

loc_67DF9E:				; CODE XREF: EtwpLogMemNodeInfo()+6Cj
		movzx	eax, ax
		imul	eax, 4Ch
		push	74777445h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_67E053

loc_67DFBE:				; CODE XREF: EtwpLogMemNodeInfo()+74j
		push	edi
		xor	ecx, ecx
		jmp	short loc_67E036
; 

loc_67DFC3:				; CODE XREF: EtwpLogMemNodeInfo()+117j
		lea	eax, [ebp+var_298]
		mov	edx, esi
		push	eax
		movzx	eax, ds:_KeNumberNodes
		mov	ecx, edi
		push	eax
		call	_MmFillEtwNodeInformation@16 ; MmFillEtwNodeInformation(x,x,x,x)
		mov	[ebp+var_29C], eax
		lea	ecx, [ebp+var_298]
		push	4
		imul	eax, 4Ch
		lea	edx, [ebp+var_29C]
		mov	[ebp+var_34], ecx
		pop	ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	ebx
		push	offset _KERNEL_MEM_EVENT_MEMINFO_NODE
		push	ds:dword_6BC304
		mov	[ebp+var_28], ebx
		push	ds:_EtwpMemoryProvRegHandle
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, edi

loc_67E036:				; CODE XREF: EtwpLogMemNodeInfo()+99j
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_67DFC3
		lea	eax, [ebp+var_294]
		pop	edi
		cmp	esi, eax
		jz	short loc_67E053
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_67E053:				; CODE XREF: EtwpLogMemNodeInfo()+90j
					; EtwpLogMemNodeInfo()+122j
		pop	esi

loc_67E054:				; CODE XREF: EtwpLogMemNodeInfo()+2Ej
					; EtwpLogMemNodeInfo()+3Bj ...
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpLogMemNodeInfo@0 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpNetProvTraceNetwork(x, x)
_EtwpNetProvTraceNetwork@8 proc	near	; CODE XREF: EtwpTraceNetwork(x,x,x,x)+46p
		movzx	eax, dx
		mov	edx, 80Ah
		cmp	eax, edx
		ja	loc_67E11C
		jz	loc_67E115
		sub	eax, 60Ah	; switch 25 cases
		cmp	eax, 18h
		ja	locret_67E163	; default
		jmp	ds:off_67E165[eax*4] ; switch jump

loc_67E08C:				; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_SendIPV4 ;	case 0x60A
		jmp	loc_67E14C
; 

loc_67E096:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_RecvIPV4 ;	case 0x60B
		jmp	loc_67E14C
; 

loc_67E0A0:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_ConnectIPV4 ; case	0x60C
		jmp	loc_67E14C
; 

loc_67E0AA:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_DisconnectIPV4 ; case 0x60D
		jmp	loc_67E14C
; 

loc_67E0B4:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_RetransmitIPV4 ; case 0x60E
		jmp	loc_67E14C
; 

loc_67E0BE:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_AcceptIPV4	; case 0x60F
		jmp	loc_67E14C
; 

loc_67E0C8:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_ReconnectIPV4 ; case 0x610
		jmp	short loc_67E14C
; 

loc_67E0CF:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_Fail ; case 0x611
		jmp	short loc_67E14C
; 

loc_67E0D6:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_TcpCopyIPV4 ; case	0x612
		jmp	short loc_67E14C
; 

loc_67E0DD:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_SendIPV6 ;	case 0x61A
		jmp	short loc_67E14C
; 

loc_67E0E4:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_RecvIPV6 ;	case 0x61B
		jmp	short loc_67E14C
; 

loc_67E0EB:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_ConnectIPV6 ; case	0x61C
		jmp	short loc_67E14C
; 

loc_67E0F2:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_DisconnectIPV6 ; case 0x61D
		jmp	short loc_67E14C
; 

loc_67E0F9:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_RetransmitIPV6 ; case 0x61E
		jmp	short loc_67E14C
; 

loc_67E100:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_AcceptIPV6	; case 0x61F
		jmp	short loc_67E14C
; 

loc_67E107:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_ReconnectIPV6 ; case 0x620
		jmp	short loc_67E14C
; 

loc_67E10E:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+24j
					; DATA XREF: .text:off_67E165o
		mov	eax, offset _KNetEvt_TcpCopyIPV6 ; case	0x622
		jmp	short loc_67E14C
; 

loc_67E115:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+10j
		mov	eax, offset _KNetEvt_SendIPV4Udp
		jmp	short loc_67E14C
; 

loc_67E11C:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+Aj
		sub	eax, 80Bh
		jz	short loc_67E147
		sub	eax, 6
		jz	short loc_67E140
		sub	eax, 9
		jz	short loc_67E139
		sub	eax, 1
		jnz	short locret_67E163 ; default
		mov	eax, offset _KNetEvt_RecvIPV6Udp
		jmp	short loc_67E14C
; 

loc_67E139:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+CAj
		mov	eax, offset _KNetEvt_SendIPV6Udp
		jmp	short loc_67E14C
; 

loc_67E140:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+C5j
		mov	eax, offset _KNetEvt_FailUdp
		jmp	short loc_67E14C
; 

loc_67E147:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+C0j
		mov	eax, offset _KNetEvt_RecvIPV4Udp

loc_67E14C:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+30j
					; EtwpNetProvTraceNetwork(x,x)+3Aj ...
		push	ecx
		push	1
		push	0
		push	eax
		push	ds:dword_6BC184
		push	ds:_EtwpNetProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

locret_67E163:				; CODE XREF: EtwpNetProvTraceNetwork(x,x)+1Ej
					; EtwpNetProvTraceNetwork(x,x)+24j ...
		retn			; default
_EtwpNetProvTraceNetwork@8 endp

; 
		db 90h
off_67E165	dd offset loc_67E08C	; DATA XREF: EtwpNetProvTraceNetwork(x,x)+24r
		dd offset loc_67E096	; jump table for switch	statement
		dd offset loc_67E0A0
		dd offset loc_67E0AA
		dd offset loc_67E0B4
		dd offset loc_67E0BE
		dd offset loc_67E0C8
		dd offset loc_67E0CF
		dd offset loc_67E0D6
		dd offset locret_67E163
		dd offset locret_67E163
		dd offset locret_67E163
		dd offset locret_67E163
		dd offset locret_67E163
		dd offset locret_67E163
		dd offset locret_67E163
		dd offset loc_67E0DD
		dd offset loc_67E0E4
		dd offset loc_67E0EB
		dd offset loc_67E0F2
		dd offset loc_67E0F9
		dd offset loc_67E100
		dd offset loc_67E107
		dd offset locret_67E163
		dd offset loc_67E10E

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpPsProvTracePriority(x, x, x, x)
_EtwpPsProvTracePriority@16 proc near	; CODE XREF: EtwTracePriority(x,x,x,x,x)+3Fp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ecx
		sub	edx, 530h
		jz	short loc_67E20F
		sub	edx, 1
		jz	short loc_67E208
		dec	edx
		sub	edx, 1
		jz	short loc_67E201
		sub	edx, 1
		jnz	loc_67E28A
		mov	ecx, offset _ThreadIoPriorityChange
		jmp	short loc_67E214
; 

loc_67E201:				; CODE XREF: EtwpPsProvTracePriority(x,x,x,x)+26j
		mov	ecx, offset _ThreadPagePriorityChange
		jmp	short loc_67E214
; 

loc_67E208:				; CODE XREF: EtwpPsProvTracePriority(x,x,x,x)+20j
		mov	ecx, offset _ThreadCpuBasePriorityChange
		jmp	short loc_67E214
; 

loc_67E20F:				; CODE XREF: EtwpPsProvTracePriority(x,x,x,x)+1Bj
		mov	ecx, offset _ThreadCpuPriorityChange

loc_67E214:				; CODE XREF: EtwpPsProvTracePriority(x,x,x,x)+36j
					; EtwpPsProvTracePriority(x,x,x,x)+3Dj	...
		mov	eax, [esi+2ACh]
		xor	edx, edx
		mov	[ebp+var_48], eax
		inc	edx
		push	ebx
		push	edi
		lea	eax, [ebp+var_48]
		mov	[ebp+var_1C], edx
		mov	[ebp+var_44], eax
		xor	ebx, ebx
		mov	eax, [esi+2B0h]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_4C]
		push	4
		pop	edi
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	edi
		push	ebx
		push	ebx
		push	edx
		push	ebx
		push	ebx
		push	ecx
		push	ds:dword_6BC18C
		mov	[ebp+var_40], ebx
		push	ds:_EtwpPsProvRegHandle
		mov	[ebp+var_3C], edi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ebx
		call	EtwWriteEx
		pop	edi
		pop	ebx

loc_67E28A:				; CODE XREF: EtwpPsProvTracePriority(x,x,x,x)+2Bj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpPsProvTracePriority@16 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpQueuePerfMemInfoWorkItem(x)
_EtwpQueuePerfMemInfoWorkItem@4	proc near ; CODE XREF: EtwpLogMemInfoTimerCallback(x,x)+54p
		mov	edi, edi
		push	esi
		push	57777445h
		push	14h
		push	200h
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_67E2CB
		and	dword ptr [eax], 0
		push	0
		push	eax
		mov	[eax+10h], esi
		mov	dword ptr [eax+8], offset _EtwpPerfMemInfoWork@4 ; EtwpPerfMemInfoWork(x)
		mov	[eax+0Ch], eax
		call	ExQueueWorkItem

loc_67E2CB:				; CODE XREF: EtwpQueuePerfMemInfoWorkItem(x)+18j
		pop	esi
		retn
_EtwpQueuePerfMemInfoWorkItem@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpReserveWithPebsIndex(x,	x, x, x, x, x)
_EtwpReserveWithPebsIndex@24 proc near	; CODE XREF: EtwpLogKernelEvent+12E183p
					; EtwpLogContextSwapEvent+EBD6Dp

var_2		= word ptr -2
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_8]
		add	esi, 18h
		push	ebx
		push	edi
		push	[ebp+arg_4]
		mov	[ebp+var_2], dx
		mov	edx, esi
		call	EtwpReserveTraceBuffer
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_67E331
		mov	eax, [edi]
		mov	[ecx+8], eax
		mov	eax, [edi+4]
		mov	[ecx+0Ch], eax
		movzx	eax, bl
		or	eax, 0C0108000h
		mov	[ecx+4], si
		mov	[ecx], eax
		mov	ax, [ebp+var_2]
		mov	[ecx+6], ax
		mov	eax, large fs:20h
		mov	eax, [eax+407Ch]
		mov	eax, [eax]
		and	dword ptr [ecx+14h], 0
		mov	[ecx+10h], eax
		lea	eax, [ecx+18h]

loc_67E331:				; CODE XREF: EtwpReserveWithPebsIndex(x,x,x,x,x,x)+29j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_EtwpReserveWithPebsIndex@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpReserveWithPmcCounters(x, x, x,	x, x, x)
_EtwpReserveWithPmcCounters@24 proc near ; CODE	XREF: EtwpLogKernelEvent+12E1AEp
					; EtwpLogContextSwapEvent+EBD93p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= word ptr -2
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_2], dx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [esi+2BCh]
		mov	[ebp+var_C], eax
		mov	eax, [eax+10h]
		movzx	eax, al
		mov	[ebp+var_8], eax
		lea	eax, ds:10h[eax*8]
		mov	[ebp+var_10], eax
		add	edi, eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 2
		jnb	short loc_67E37F
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_67E37F:				; CODE XREF: EtwpReserveWithPmcCounters(x,x,x,x,x,x)+3Dj
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	EtwpReserveTraceBuffer
		mov	esi, eax
		test	esi, esi
		jnz	short loc_67E3A8
		cmp	bl, 2
		jnb	short loc_67E3A4
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_67E3A4:				; CODE XREF: EtwpReserveWithPmcCounters(x,x,x,x,x,x)+62j
		xor	eax, eax
		jmp	short loc_67E41D
; 

loc_67E3A8:				; CODE XREF: EtwpReserveWithPmcCounters(x,x,x,x,x,x)+5Dj
		mov	ecx, [ebp+arg_8]
		mov	edx, [ebp+var_8]
		mov	eax, [ecx]
		mov	[esi+8], eax
		mov	eax, [ecx+4]
		mov	ecx, edx
		mov	[esi+0Ch], eax
		or	ecx, 0FFC01000h
		mov	eax, [ebp+arg_C]
		movzx	eax, al
		shl	ecx, 8
		or	ecx, eax
		mov	[esi+4], di
		mov	ax, [ebp+var_2]
		mov	edi, [ebp+var_C]
		mov	[esi+6], ax
		movzx	eax, large byte	ptr fs:51h
		mov	[esi], ecx
		lea	ecx, [esi+10h]
		mov	eax, [edi+eax*4+14h]
		test	eax, eax
		jz	short loc_67E3FA
		push	ecx
		push	eax
		call	ds:off_6B1334	; xHalCollectPmcCounters(x,x)
		jmp	short loc_67E40B
; 

loc_67E3FA:				; CODE XREF: EtwpReserveWithPmcCounters(x,x,x,x,x,x)+B6j
		mov	eax, edx
		shl	eax, 3
		push	eax		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch

loc_67E40B:				; CODE XREF: EtwpReserveWithPmcCounters(x,x,x,x,x,x)+C0j
		cmp	bl, 2
		jnb	short loc_67E418
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_67E418:				; CODE XREF: EtwpReserveWithPmcCounters(x,x,x,x,x,x)+D6j
		mov	eax, [ebp+var_10]
		add	eax, esi

loc_67E41D:				; CODE XREF: EtwpReserveWithPmcCounters(x,x,x,x,x,x)+6Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_EtwpReserveWithPmcCounters@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSystemTraceWdf(x, x, x,	x, x)
_EtwpSystemTraceWdf@20 proc near	; DATA XREF: EtwpEnableKernelTrace+129A56o
					; PAGE:00A41020o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_14]
		and	[ebp+var_10], 0
		xor	edx, edx
		and	[ebp+var_8], 0
		inc	edx
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], eax
		movzx	eax, [ebp+arg_10]
		or	eax, (offset off_401900+3)
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_EtwpSystemTraceWdf@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceDebugPrint(x, x, x)
_EtwpTraceDebugPrint@12	proc near	; DATA XREF: EtwpEnableKernelTrace+129AE4o
					; EtwpDisableKernelTrace+129A22o

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	ecx, 200h
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_40], eax
		movzx	eax, word ptr [edx]
		push	esi
		xor	esi, esi
		mov	[ebp+var_38], esi
		cmp	cx, ax
		jb	short loc_67E4A9
		mov	ecx, eax

loc_67E4A9:				; CODE XREF: EtwpTraceDebugPrint(x,x,x)+32j
		push	offset loc_501902
		push	0A20h
		push	40000h
		lea	eax, [ebp+var_40]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_34], eax
		lea	ecx, [ebp+var_34]
		mov	eax, [edx+4]
		push	3
		pop	edx
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], 8
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], offset _EtwpNull
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], 1
		mov	[ebp+var_8], esi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_EtwpTraceDebugPrint@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceFileIo(x, x, x, x,	x, x)
_EtwpTraceFileIo@24 proc near		; DATA XREF: EtwpEnableKernelTrace+9Eo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		jnz	short loc_67E518
		xor	esi, esi
		jmp	short loc_67E522
; 

loc_67E518:				; CODE XREF: EtwpTraceFileIo(x,x,x,x,x,x)+Aj
		push	[ebp+arg_0]
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		mov	esi, eax

loc_67E522:				; CODE XREF: EtwpTraceFileIo(x,x,x,x,x,x)+Ej
		mov	ecx, ds:_EtwpHostSiloState
		add	ecx, 0A48h
		jz	short loc_67E549
		test	dword ptr [ecx], 6000000h
		jz	short loc_67E549
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_8]
		push	[ebp+arg_10]
		mov	ecx, [ebp+arg_4]
		call	_EtwpFileProvTrace@16 ;	EtwpFileProvTrace(x,x,x,x)

loc_67E549:				; CODE XREF: EtwpTraceFileIo(x,x,x,x,x,x)+26j
					; EtwpTraceFileIo(x,x,x,x,x,x)+2Ej
		mov	eax, 44Eh
		cmp	word ptr [ebp+arg_10], ax
		jz	short loc_67E56C
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		push	(offset	loc_501902+1)
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	EtwTraceSiloKernelEvent

loc_67E56C:				; CODE XREF: EtwpTraceFileIo(x,x,x,x,x,x)+4Aj
		pop	esi
		pop	ebp
		retn	18h
_EtwpTraceFileIo@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceFltIo(x, x, x, x)
_EtwpTraceFltIo@16 proc	near		; DATA XREF: EtwpEnableKernelTrace+1299DAo
					; EtwpEnableKernelTrace+1299F1o ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_14]
		and	[ebp+var_10], 0
		xor	edx, edx
		and	[ebp+var_8], 0
		inc	edx
		push	(offset	loc_501902+1)
		push	[ebp+arg_C]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_4]
		push	[ebp+arg_8]
		mov	[ebp+var_C], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_EtwpTraceFltIo@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceFltTimedIo(x, x, x, x, x)
_EtwpTraceFltTimedIo@20	proc near	; DATA XREF: EtwpEnableKernelTrace:loc_7E385Bo
					; PAGE:00A41014o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_C]
		push	offset byte_401803
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_EtwTraceTimedEvent@24 ; EtwTraceTimedEvent(x,x,x,x,x,x)
		pop	ebp
		retn	14h
_EtwpTraceFltTimedIo@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceIoInit(x)
_EtwpTraceIoInit@4 proc	near		; DATA XREF: EtwpEnableKernelTrace+129985o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	eax, [esi+60h]
		mov	al, [eax]
		cmp	al, 3
		jnz	short loc_67E605
		mov	ebx, 10Ch
		jmp	short loc_67E613
; 

loc_67E605:				; CODE XREF: EtwpTraceIoInit(x)+1Fj
		xor	ebx, ebx
		cmp	al, 9
		setz	bl
		lea	ebx, ds:10Dh[ebx*2]

loc_67E613:				; CODE XREF: EtwpTraceIoInit(x)+26j
		mov	edi, [esi+50h]
		test	edi, edi
		jnz	short loc_67E624
		xor	eax, eax
		mov	[ebp+var_1C], esi
		or	ecx, 0FFFFFFFFh
		jmp	short loc_67E633
; 

loc_67E624:				; CODE XREF: EtwpTraceIoInit(x)+3Bj
		push	edi
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		mov	[ebp+var_1C], esi
		mov	ecx, [edi+2B0h]

loc_67E633:				; CODE XREF: EtwpTraceIoInit(x)+45j
		and	[ebp+var_10], 0
		lea	edx, [ebp+var_14]
		and	[ebp+var_8], 0
		push	1501903h
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_1C]
		push	ebx
		push	400h
		mov	[ebp+var_14], ecx
		mov	ecx, eax
		push	1
		mov	[ebp+var_C], 8
		call	EtwTraceSiloKernelEvent
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwpTraceIoInit@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceKernelEventWithFilter(x, x, x, x, x)
_EtwpTraceKernelEventWithFilter@20 proc	near
					; CODE XREF: EtwTraceObjectOperation(x,x,x,x)+107p
					; EtwTraceDuplicateHandle(x,x,x,x,x,x)+105p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_EtwpHostSiloState
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax+924h]
		mov	edi, edx
		and	esi, [ebp+arg_0]
		mov	ebx, ecx
		jmp	short loc_67E6B2
; 

loc_67E690:				; CODE XREF: EtwpTraceKernelEventWithFilter(x,x,x,x,x)+42j
		push	[ebp+arg_8]
		mov	edx, ds:_EtwpHostSiloState
		lea	eax, [esi-1]
		push	[ebp+arg_4]
		and	esi, eax
		push	edi
		movzx	eax, byte ptr [edx+ecx*2+914h]
		mov	ecx, ebx
		push	eax
		call	EtwpLogKernelEvent

loc_67E6B2:				; CODE XREF: EtwpTraceKernelEventWithFilter(x,x,x,x,x)+1Bj
		bsf	ecx, esi
		jnz	short loc_67E690
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_EtwpTraceKernelEventWithFilter@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceNetwork(x,	x, x, x)
_EtwpTraceNetwork@16 proc near		; DATA XREF: EtwpEnableKernelTrace:loc_90D1E6o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		and	[ebp+var_10], 0
		and	[ebp+var_8], 0
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_C], eax
		mov	eax, ds:_EtwpHostSiloState
		push	esi
		movzx	esi, [ebp+arg_0]
		push	edi
		mov	edi, 10000h
		add	eax, 0A48h
		jz	short loc_67E709
		test	[eax], edi
		jz	short loc_67E709
		mov	edx, esi
		lea	ecx, [ebp+var_14]
		call	_EtwpNetProvTraceNetwork@8 ; EtwpNetProvTraceNetwork(x,x)

loc_67E709:				; CODE XREF: EtwpTraceNetwork(x,x,x,x)+3Bj
					; EtwpTraceNetwork(x,x,x,x)+3Fj
		push	offset byte_401802
		push	esi
		xor	edx, edx
		lea	ecx, [ebp+var_14]
		push	edi
		inc	edx
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_EtwpTraceNetwork@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceOpticalIo(x, x, x,	x, x)
_EtwpTraceOpticalIo@20 proc near	; DATA XREF: EtwpEnableKernelTrace+12999Ao

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	ebx, ebx
		push	edi
		mov	[esp+78h+var_1C], ebx
		mov	edi, [esi+60h]
		mov	cl, [edi]
		cmp	cl, 3
		jz	loc_67E8F8
		cmp	cl, 4
		jz	loc_67E8F8
		cmp	cl, 9
		jnz	short loc_67E7C2
		mov	eax, [ebp+arg_4]
		mov	[esp+78h+var_60], eax
		mov	eax, [esi+8]
		mov	[esp+78h+var_5C], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+78h+var_58], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+78h+var_54], eax
		mov	eax, [esi+50h]
		mov	[esp+78h+var_50], esi
		test	eax, eax
		jz	short loc_67E798
		mov	eax, [eax+2B0h]
		jmp	short loc_67E79B
; 

loc_67E798:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+63j
		or	eax, 0FFFFFFFFh

loc_67E79B:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+6Bj
		push	offset byte_401803
		mov	[esp+7Ch+var_4C], eax
		lea	eax, [esp+7Ch+var_60]
		mov	[esp+7Ch+var_14], ebx
		mov	[esp+7Ch+var_10], 18h
		mov	[esp+7Ch+var_C], ebx
		push	139h
		jmp	loc_67EA0B
; 

loc_67E7C2:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+3Cj
		cmp	cl, 0Eh
		jnz	loc_67EA20
		mov	ecx, esi
		call	_EtwpGetScsiPassThroughCdb@4 ; EtwpGetScsiPassThroughCdb(x)
		mov	edx, eax
		test	edx, edx
		jz	loc_67EA20
		movzx	eax, byte ptr [edx+2]
		movzx	ecx, byte ptr [edx+3]
		mov	bl, [edx]
		shl	eax, 8
		or	eax, ecx
		movzx	ecx, byte ptr [edx+4]
		shl	eax, 8
		or	eax, ecx
		movzx	ecx, byte ptr [edx+5]
		shl	eax, 8
		or	eax, ecx
		cdq
		mov	[esp+78h+var_68], eax
		mov	[esp+78h+var_64], edx
		mov	ecx, 0Bh
		mov	eax, [esp+78h+var_68]
		mov	edx, [esp+78h+var_64]
		shld	edx, eax, cl
		shl	eax, cl
		mov	edi, eax
		cmp	bl, 28h
		jz	short loc_67E891
		cmp	bl, 0A8h
		jz	short loc_67E891
		cmp	bl, 2Ah
		jz	short loc_67E88A
		cmp	bl, 0AAh
		jz	short loc_67E88A
		cmp	bl, 35h
		jnz	loc_67EA20
		mov	eax, [ebp+arg_4]
		mov	[esp+78h+var_60], eax
		mov	eax, [esi+8]
		mov	[esp+78h+var_5C], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+78h+var_58], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+78h+var_54], eax
		mov	eax, [esi+50h]
		mov	[esp+78h+var_50], esi
		test	eax, eax
		jz	short loc_67E866
		mov	eax, [eax+2B0h]
		jmp	short loc_67E869
; 

loc_67E866:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+131j
		or	eax, 0FFFFFFFFh

loc_67E869:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+139j
		push	offset byte_401803
		mov	[esp+7Ch+var_4C], eax
		xor	edx, edx
		lea	eax, [esp+7Ch+var_60]
		mov	[esp+7Ch+var_10], 18h
		push	139h
		jmp	loc_67EA03
; 

loc_67E88A:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+FCj
					; EtwpTraceOpticalIo(x,x,x,x,x)+101j
		mov	ecx, 138h
		jmp	short loc_67E896
; 

loc_67E891:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+F2j
					; EtwpTraceOpticalIo(x,x,x,x,x)+F7j
		mov	ecx, 137h

loc_67E896:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+164j
		mov	eax, [ebp+arg_4]
		mov	[esp+78h+var_48], eax
		mov	eax, [esi+8]
		mov	[esp+78h+var_44], eax
		mov	eax, [esi+1Ch]
		mov	[esp+78h+var_40], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+78h+var_28], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+78h+var_34], edx
		xor	edx, edx
		mov	[esp+78h+var_24], eax
		mov	eax, [esi+50h]
		mov	[esp+78h+var_2C], esi
		mov	[esp+78h+var_38], edi
		mov	[esp+78h+var_3C], edx
		mov	[esp+78h+var_30], edx
		test	eax, eax
		jz	short loc_67E8DE
		mov	eax, [eax+2B0h]
		jmp	short loc_67E8E1
; 

loc_67E8DE:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+1A9j
		or	eax, 0FFFFFFFFh

loc_67E8E1:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+1B1j
		push	offset byte_401803
		mov	[esp+7Ch+var_20], eax
		mov	[esp+7Ch+var_10], 18h
		push	ecx
		jmp	loc_67E9FF
; 

loc_67E8F8:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+2Aj
					; EtwpTraceOpticalIo(x,x,x,x,x)+33j
		mov	edx, [esi+8]
		xor	eax, eax
		cmp	cl, 3
		mov	[esp+78h+var_44], edx
		mov	[esp+78h+var_2C], esi
		setnz	al
		add	eax, 137h
		movzx	ecx, ax
		mov	eax, [ebp+arg_4]
		mov	[esp+78h+var_48], eax
		mov	eax, [esi+1Ch]
		mov	[esp+78h+var_40], eax
		mov	eax, [edi+0Ch]
		mov	[esp+78h+var_38], eax
		mov	eax, [edi+10h]
		mov	[esp+78h+var_34], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+78h+var_28], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+78h+var_24], eax
		mov	eax, [esi+50h]
		mov	[esp+78h+var_68], ecx
		mov	[esp+78h+var_3C], ebx
		test	eax, eax
		jz	short loc_67E954
		mov	eax, [eax+2B0h]
		jmp	short loc_67E957
; 

loc_67E954:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+21Fj
		or	eax, 0FFFFFFFFh

loc_67E957:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+227j
		mov	ecx, [ebp+arg_0]
		mov	[esp+78h+var_20], eax
		mov	eax, ecx
		and	eax, 0FFFF0000h
		cmp	eax, 56530000h
		jnz	short loc_67E976
		mov	[esp+78h+var_3C], 1
		jmp	short loc_67E994
; 

loc_67E976:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+23Fj
		and	ecx, 0FFFFFFh
		cmp	ecx, offset loc_536D64
		jz	short loc_67E98C
		cmp	ecx, 535242h
		jnz	short loc_67E994

loc_67E98C:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+257j
		mov	[esp+78h+var_3C], 2

loc_67E994:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+249j
					; EtwpTraceOpticalIo(x,x,x,x,x)+25Fj
		test	dl, 8
		jz	short loc_67E9AF
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_67E9E8
		mov	ecx, [eax+64h]
		test	ecx, ecx
		jnz	short loc_67E9DD
		mov	eax, [eax+60h]
		mov	ecx, [eax+18h]
		jmp	short loc_67E9D9
; 

loc_67E9AF:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+26Cj
		mov	ecx, [esi+64h]
		test	ecx, ecx
		jnz	short loc_67E9DD
		mov	dl, [esi+23h]
		movsx	ebx, byte ptr [esi+22h]
		movzx	eax, dl
		cmp	eax, ebx
		jg	short loc_67E9E8
		lea	esi, [edi+18h]

loc_67E9C7:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+2ACj
		mov	ecx, [esi]
		test	ecx, ecx
		jnz	short loc_67E9DD
		inc	dl
		add	esi, 24h
		movzx	eax, dl
		cmp	eax, ebx
		jle	short loc_67E9C7

loc_67E9D9:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+282j
		test	ecx, ecx
		jz	short loc_67E9E8

loc_67E9DD:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+27Aj
					; EtwpTraceOpticalIo(x,x,x,x,x)+289j ...
		mov	eax, [ecx+0Ch]
		xor	edx, edx
		mov	[esp+78h+var_30], eax
		jmp	short loc_67E9EE
; 

loc_67E9E8:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+273j
					; EtwpTraceOpticalIo(x,x,x,x,x)+297j ...
		xor	edx, edx
		mov	[esp+78h+var_30], edx

loc_67E9EE:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+2BBj
		push	offset byte_401803
		push	[esp+7Ch+var_68]
		mov	[esp+80h+var_10], 2Ch

loc_67E9FF:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+1C8j
		lea	eax, [esp+80h+var_48]

loc_67EA03:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+15Aj
		mov	[esp+80h+var_14], edx
		mov	[esp+80h+var_C], edx

loc_67EA0B:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+92j
		xor	edx, edx
		mov	[esp+80h+var_18], eax
		push	80000001h
		inc	edx
		lea	ecx, [esp+84h+var_18]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_67EA20:				; CODE XREF: EtwpTraceOpticalIo(x,x,x,x,x)+9Aj
					; EtwpTraceOpticalIo(x,x,x,x,x)+ABj ...
		mov	ecx, [esp+78h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
_EtwpTraceOpticalIo@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceOpticalIoInit(x)
_EtwpTraceOpticalIoInit@4 proc near	; DATA XREF: EtwpEnableKernelTrace+1299B2o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+60h]
		mov	al, [eax]
		cmp	al, 3
		jz	short loc_67EA8E
		cmp	al, 4
		jz	short loc_67EA87
		cmp	al, 9
		jz	short loc_67EA80
		cmp	al, 0Eh
		jnz	short loc_67EAD6
		mov	ecx, esi
		call	_EtwpGetScsiPassThroughCdb@4 ; EtwpGetScsiPassThroughCdb(x)
		test	eax, eax
		jz	short loc_67EAD6
		mov	al, [eax]
		cmp	al, 28h
		jz	short loc_67EA8E
		cmp	al, 0A8h
		jz	short loc_67EA8E
		cmp	al, 2Ah
		jz	short loc_67EA87
		cmp	al, 0AAh
		jz	short loc_67EA87
		cmp	al, 35h
		jnz	short loc_67EAD6

loc_67EA80:				; CODE XREF: EtwpTraceOpticalIoInit(x)+25j
		mov	eax, 13Ch
		jmp	short loc_67EA93
; 

loc_67EA87:				; CODE XREF: EtwpTraceOpticalIoInit(x)+21j
					; EtwpTraceOpticalIoInit(x)+42j ...
		mov	eax, 13Bh
		jmp	short loc_67EA93
; 

loc_67EA8E:				; CODE XREF: EtwpTraceOpticalIoInit(x)+1Dj
					; EtwpTraceOpticalIoInit(x)+3Aj ...
		mov	eax, 13Ah

loc_67EA93:				; CODE XREF: EtwpTraceOpticalIoInit(x)+51j
					; EtwpTraceOpticalIoInit(x)+58j
		mov	ecx, [esi+50h]
		mov	[ebp+var_1C], esi
		test	ecx, ecx
		jz	short loc_67EAA5
		mov	ecx, [ecx+2B0h]
		jmp	short loc_67EAA8
; 

loc_67EAA5:				; CODE XREF: EtwpTraceOpticalIoInit(x)+67j
		or	ecx, 0FFFFFFFFh

loc_67EAA8:				; CODE XREF: EtwpTraceOpticalIoInit(x)+6Fj
		and	[ebp+var_10], 0
		xor	edx, edx
		and	[ebp+var_8], 0
		inc	edx
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_1C]
		push	(offset	loc_501902+1)
		push	eax
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_14]
		push	80000002h
		mov	[ebp+var_C], 8
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_67EAD6:				; CODE XREF: EtwpTraceOpticalIoInit(x)+29j
					; EtwpTraceOpticalIoInit(x)+34j ...
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwpTraceOpticalIoInit@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceRedirectedIo(x, x)
_EtwpTraceRedirectedIo@8 proc near	; DATA XREF: EtwpEnableKernelTrace+20Bo
					; PAGE:00A41024o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_1C], eax
		mov	ecx, [eax+50h]
		test	ecx, ecx
		jnz	short loc_67EB08
		xor	eax, eax
		jmp	short loc_67EB0E
; 

loc_67EB08:				; CODE XREF: EtwpTraceRedirectedIo(x,x)+1Dj
		push	ecx
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)

loc_67EB0E:				; CODE XREF: EtwpTraceRedirectedIo(x,x)+21j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_67EB1D
		mov	ecx, [ecx+0Ch]
		mov	[ebp+var_18], ecx
		jmp	short loc_67EB21
; 

loc_67EB1D:				; CODE XREF: EtwpTraceRedirectedIo(x,x)+2Ej
		and	[ebp+var_18], 0

loc_67EB21:				; CODE XREF: EtwpTraceRedirectedIo(x,x)+36j
		and	[ebp+var_10], 0
		lea	ecx, [ebp+var_1C]
		and	[ebp+var_8], 0
		lea	edx, [ebp+var_14]
		push	11501902h
		push	110h
		push	300h
		mov	[ebp+var_14], ecx
		mov	ecx, eax
		push	1
		mov	[ebp+var_C], 8
		call	EtwTraceSiloKernelEvent
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpTraceRedirectedIo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceSplitIo(x,	x, x)
_EtwpTraceSplitIo@12 proc near		; DATA XREF: EtwpEnableKernelTrace+1299C6o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		push	4
		pop	ecx
		push	offset byte_401802
		push	[ebp+arg_8]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_4]
		push	200000h
		push	2
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_24]
		mov	[ebp+var_8], edx
		pop	edx
		mov	[ebp+var_14], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_EtwpTraceSplitIo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceWdf(x, x, x, x, x)
_EtwpTraceWdf@20 proc near		; DATA XREF: EtwpEnableKernelTrace+13Co
					; PAGE:00A4101Co

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_14]
		and	[ebp+var_10], 0
		xor	edx, edx
		and	[ebp+var_8], 0
		inc	edx
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], eax
		movzx	eax, [ebp+arg_10]
		or	eax, offset byte_401800
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_EtwpTraceWdf@20 endp


;  S U B	R O U T	I N E 


; __stdcall PMC_MONITORING_ENABLED(x, x)
_PMC_MONITORING_ENABLED@8 proc near	; CODE XREF: EtwpLogKernelEvent+12E18Fp
					; EtwpLogContextSwapEvent:loc_5CBFC6p
		test	dword ptr [ecx+258h], 800h
		push	esi
		push	edi
		mov	di, dx
		jz	short loc_67EC3F
		mov	eax, [ecx+2BCh]
		xor	esi, esi
		cmp	[eax+4], esi
		jbe	short loc_67EC3F
		push	8
		pop	eax

loc_67EC2A:				; CODE XREF: PMC_MONITORING_ENABLED(x,x)+34j
		mov	edx, [ecx+2BCh]
		cmp	[eax+edx], di
		jz	short loc_67EC44
		inc	esi
		add	eax, 2
		cmp	esi, [edx+4]
		jb	short loc_67EC2A

loc_67EC3F:				; CODE XREF: PMC_MONITORING_ENABLED(x,x)+Fj
					; PMC_MONITORING_ENABLED(x,x)+1Cj
		xor	al, al

loc_67EC41:				; CODE XREF: PMC_MONITORING_ENABLED(x,x)+3Dj
		pop	edi
		pop	esi
		retn
; 

loc_67EC44:				; CODE XREF: PMC_MONITORING_ENABLED(x,x)+2Bj
		mov	al, 1
		jmp	short loc_67EC41
_PMC_MONITORING_ENABLED@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PerfInfoLogIpiReceive(x, x,	x)
_PerfInfoLogIpiReceive@12 proc near	; CODE XREF: KiIpiProcessRequest+C8DEDp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_0]
		and	[ebp+var_14], 0
		and	[ebp+var_10], 0
		push	ecx
		push	400A02h
		mov	[ebp+var_C], eax
		mov	ecx, 0F71h
		push	8
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], edx
		push	eax
		mov	edx, 40400000h
		call	_EtwTraceTimedEvent@24 ; EtwTraceTimedEvent(x,x,x,x,x,x)
		leave
		retn	4
_PerfInfoLogIpiReceive@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PerfInfoLogIpiSend(x, x, x,	x, x)
_PerfInfoLogIpiSend@20 proc near	; CODE XREF: KiIpiSendRequest+12A1D3p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_48], edx
		movzx	ecx, word ptr [eax]
		lea	edx, [ebp+var_4C]
		add	eax, 8
		mov	[ebp+var_40], ecx
		xor	ebx, ebx
		mov	[ebp+var_1C], eax
		mov	eax, ecx
		mov	[ebp+var_54], ebx
		shl	eax, 2
		mov	[ebp+var_14], eax
		mov	eax, ds:_EtwpHostSiloState
		mov	[ebp+var_50], ebx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ebx
		mov	esi, [eax+924h]
		mov	[ebp+var_24], 10h
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		jmp	short loc_67ED46
; 

loc_67ECEB:				; CODE XREF: PerfInfoLogIpiSend(x,x,x,x,x)+C9j
		mov	edx, ds:_EtwpHostSiloState
		lea	eax, [esi-1]
		and	esi, eax
		mov	eax, ecx
		shl	eax, 5
		add	eax, 948h
		add	eax, edx
		jz	short loc_67ED46
		test	dword ptr [eax+8], 400000h
		jz	short loc_67ED46
		movzx	eax, byte ptr [edx+ecx*2+915h]
		dec	eax
		mov	[ebp+var_38], ebx
		push	(offset	off_401A00+2)
		push	0F70h
		mov	[ebp+var_34], 8
		lea	eax, [edi+eax*8]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_3C], eax
		movzx	eax, byte ptr [edx+ecx*2+914h]
		lea	ecx, [ebp+var_3C]
		push	3
		push	eax
		call	EtwpLogKernelEvent

loc_67ED46:				; CODE XREF: PerfInfoLogIpiSend(x,x,x,x,x)+69j
					; PerfInfoLogIpiSend(x,x,x,x,x)+82j ...
		bsf	ecx, esi
		jnz	short loc_67ECEB
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PerfInfoLogIpiSend@20 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2462. SeEtwWriteKMCveEvent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeEtwWriteKMCveEvent(x, x)
		public _SeEtwWriteKMCveEvent@8
_SeEtwWriteKMCveEvent@8	proc near

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_48], esi
		test	ecx, ecx
		jnz	short loc_67ED9F
		mov	eax, 0C000000Dh
		jmp	short loc_67EE18
; 

loc_67ED9F:				; CODE XREF: SeEtwWriteKMCveEvent(x,x)+35j
		mov	eax, [ecx+4]
		push	ebx
		push	edi
		mov	[ebp+var_44], eax
		lea	ebx, [ebp+var_48]
		movzx	eax, word ptr [ecx]
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], esi
		push	2
		pop	edi
		mov	[ebp+var_2C], edi
		mov	edx, edi
		test	ecx, ecx
		jz	short loc_67EDE3
		mov	eax, [ecx+4]
		mov	[ebp+var_24], eax
		movzx	eax, word ptr [ecx]
		push	3
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], esi
		pop	edx

loc_67EDE3:				; CODE XREF: SeEtwWriteKMCveEvent(x,x)+6Bj
		mov	eax, edx
		add	eax, eax
		mov	[ebp+eax*8+var_44], ebx
		mov	[ebp+eax*8+var_40], esi
		mov	[ebp+eax*8+var_3C], edi
		mov	[ebp+eax*8+var_38], esi
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [edx+1]
		push	eax
		push	esi
		push	offset _CVE_AUDIT_DETECT_KM
		push	ds:dword_6BC33C
		push	ds:_EtwCVEAuditProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	edi
		pop	ebx

loc_67EE18:				; CODE XREF: SeEtwWriteKMCveEvent(x,x)+3Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_SeEtwWriteKMCveEvent@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwGetProcessorBuffer(x, x,	x)
_EtwGetProcessorBuffer@12 proc near	; CODE XREF: KiSaveCurrentEtwTraceBuffer()+25p
					; KiSaveCurrentEtwTraceBuffer()+96p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		cmp	ds:_EtwpInitialized, 0
		jnz	short loc_67EE42
		mov	eax, 0C0000001h
		jmp	loc_67EEC8
; 

loc_67EE42:				; CODE XREF: EtwGetProcessorBuffer(x,x,x)+Fj
		mov	eax, ds:_EtwpHostSiloState
		cmp	ecx, [eax+8]
		jnb	short loc_67EE5A
		lfence	eax
		mov	eax, [eax+18Ch]
		mov	eax, [eax+ecx*4]
		jmp	short loc_67EE5D
; 

loc_67EE5A:				; CODE XREF: EtwGetProcessorBuffer(x,x,x)+23j
		xor	eax, eax
		inc	eax

loc_67EE5D:				; CODE XREF: EtwGetProcessorBuffer(x,x,x)+31j
		test	al, 1
		jz	short loc_67EE68
		mov	esi, 0C0000008h
		jmp	short loc_67EEC6
; 

loc_67EE68:				; CODE XREF: EtwGetProcessorBuffer(x,x,x)+38j
		cmp	dword ptr [eax+0E0h], 1
		jnz	short loc_67EE78
		mov	esi, 0C000000Dh
		jmp	short loc_67EEC6
; 

loc_67EE78:				; CODE XREF: EtwGetProcessorBuffer(x,x,x)+48j
		test	dword ptr [eax+0Ch], 10000000h
		jz	short loc_67EE86
		mov	ecx, [eax+58h]
		jmp	short loc_67EE9B
; 

loc_67EE86:				; CODE XREF: EtwGetProcessorBuffer(x,x,x)+58j
		mov	eax, [eax+2E4h]
		shl	edx, 6
		mov	eax, [eax+8D8h]
		mov	eax, [eax+edx]
		mov	ecx, [eax+ecx*4]

loc_67EE9B:				; CODE XREF: EtwGetProcessorBuffer(x,x,x)+5Dj
		and	ecx, 0FFFFFFF8h
		jnz	short loc_67EEA7
		mov	esi, 0C0000001h
		jmp	short loc_67EEC6
; 

loc_67EEA7:				; CODE XREF: EtwGetProcessorBuffer(x,x,x)+77j
		mov	edx, [ebp+arg_0]
		mov	eax, [ecx]
		mov	[edx+4], eax
		mov	eax, [ecx+8]
		mov	[edx], ecx
		cmp	eax, [ecx]
		jbe	short loc_67EEC0
		mov	eax, [ecx+4]
		mov	[edx+8], eax
		jmp	short loc_67EEC6
; 

loc_67EEC0:				; CODE XREF: EtwGetProcessorBuffer(x,x,x)+8Fj
		mov	ecx, [ecx+8]
		mov	[edx+8], ecx

loc_67EEC6:				; CODE XREF: EtwGetProcessorBuffer(x,x,x)+3Fj
					; EtwGetProcessorBuffer(x,x,x)+4Fj ...
		mov	eax, esi

loc_67EEC8:				; CODE XREF: EtwGetProcessorBuffer(x,x,x)+16j
		pop	esi
		pop	ebp
		retn	4
_EtwGetProcessorBuffer@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCheckPoolTagFilters(x, x)
_EtwpCheckPoolTagFilters@8 proc	near	; CODE XREF: EtwTracePool(x,x,x,x,x)+107p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		imul	eax, ecx, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edx
		movzx	ebx, ds:_EtwpPoolTagFilter[eax]
		test	ebx, ebx
		jz	short loc_67EF05
		lea	esi, dword_6BC264[eax]

loc_67EEEF:				; CODE XREF: EtwpCheckPoolTagFilters(x,x)+36j
		mov	ecx, [ebp+var_4]
		mov	edx, [esi]
		call	_ExCheckSingleFilter@8 ; ExCheckSingleFilter(x,x)
		test	eax, eax
		jnz	short loc_67EF0C
		inc	edi
		add	esi, 4
		cmp	edi, ebx
		jb	short loc_67EEEF

loc_67EF05:				; CODE XREF: EtwpCheckPoolTagFilters(x,x)+1Aj
		xor	al, al

loc_67EF07:				; CODE XREF: EtwpCheckPoolTagFilters(x,x)+41j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_67EF0C:				; CODE XREF: EtwpCheckPoolTagFilters(x,x)+2Ej
		mov	al, 1
		jmp	short loc_67EF07
_EtwpCheckPoolTagFilters@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCheckSiloGroupMasks(x)
_EtwpCheckSiloGroupMasks@4 proc	near	; CODE XREF: EtwpUpdateGroupMasks+12A18Cp
		mov	edi, edi
		push	esi
		mov	esi, offset _EtwpSiloAllowedGroupMask
		xor	edx, edx
		sub	esi, ecx

loc_67EF1C:				; CODE XREF: EtwpCheckSiloGroupMasks(x)+1Cj
		mov	eax, [esi+ecx]
		not	eax
		test	[ecx], eax
		jnz	short loc_67EF32
		inc	edx
		add	ecx, 4
		cmp	edx, 8
		jb	short loc_67EF1C
		xor	eax, eax
		pop	esi
		retn
; 

loc_67EF32:				; CODE XREF: EtwpCheckSiloGroupMasks(x)+13j
		mov	eax, 0C0000061h
		pop	esi
		retn
_EtwpCheckSiloGroupMasks@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl EtwpComparePfn(const void	*,const	void *)
_EtwpComparePfn	proc near		; DATA XREF: EtwpAllocateTraceBuffer:loc_5E858Ao

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		mov	eax, [ebp+arg_4]
		cmp	ecx, [eax]
		sbb	eax, eax
		and	eax, 0FFFFFFFEh
		inc	eax
		pop	ebp
		retn
_EtwpComparePfn	endp


;  S U B	R O U T	I N E 


; __stdcall EtwpContainerResumeWnfCallback(x, x, x, x, x, x)
_EtwpContainerResumeWnfCallback@24 proc	near ; DATA XREF: EtwInitializeSiloState+1E7o
		mov	ecx, ds:_EtwpHostSiloState
		lea	eax, [ecx+8F0h]
		push	eax
		lea	eax, [ecx+900h]
		push	eax
		lea	eax, [ecx+910h]
		push	eax
		lea	eax, [ecx+90Ch]
		lea	edx, [ecx+908h]
		add	ecx, 8E0h
		push	eax
		call	EtwpQueryPartitionRegistryInformation
		xor	eax, eax
		retn	18h
_EtwpContainerResumeWnfCallback@24 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpGetCurrentSiloState()
_EtwpGetCurrentSiloState@0 proc	near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+49p
					; NtTraceControl(x,x,x,x,x,x)+7BEp
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+1F0h]
		retn
_EtwpGetCurrentSiloState@0 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpSetQpcDeltaTracking(x)
_EtwpSetQpcDeltaTracking@4 proc	near	; CODE XREF: EtwpStartLogger+120A88p
		mov	eax, [ecx+7Ch]
		cmp	eax, 4
		jz	short loc_67EFB2
		cmp	eax, 3
		jz	short loc_67EFB2
		mov	edx, 8000000h
		lea	eax, [ecx+258h]
		lock or	[eax], edx
		xor	eax, eax
		retn
; 

loc_67EFB2:				; CODE XREF: EtwpSetQpcDeltaTracking(x)+6j
					; EtwpSetQpcDeltaTracking(x)+Bj
		mov	eax, 0C00000BBh
		retn
_EtwpSetQpcDeltaTracking@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceLostEvent(x, x, x,	x)
_EtwpTraceLostEvent@16 proc near	; CODE XREF: .text:00528C52p
					; EtwpFailLogging+9546Bp ...

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	64h
		push	offset dword_6A9F40
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	[ebp+var_74], ecx
		push	10h		; size_t
		push	offset _EventTracingProvGuid ; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_67F080
		xor	edx, edx
		mov	[ebp+ms_exc.disabled], edx
		movzx	eax, word ptr [esi]
		mov	[ebp+var_70], eax
		jmp	short loc_67EFFA
; 

loc_67EFEE:				; DATA XREF: .text:006A9F54o
		xor	eax, eax
		inc	eax
		retn
; 

loc_67EFF2:				; DATA XREF: .text:006A9F58o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	edx, edx
		mov	[ebp+var_70], edx

loc_67EFFA:				; CODE XREF: EtwpTraceLostEvent(x,x,x,x)+34j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_74]
		mov	[ebp+var_6C], eax
		mov	[ebp+var_68], edx
		mov	[ebp+var_64], 10h
		mov	[ebp+var_60], edx
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_5C], eax
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], 4
		mov	[ebp+var_50], edx
		lea	eax, [ebp+var_70]
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], edx
		push	2
		pop	esi
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], edx
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+4]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], edx
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], offset _EtwpNull
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], edx
		lea	eax, [ebp+var_6C]
		push	eax
		push	5
		push	edx
		push	edx
		push	1
		push	edx
		push	edx
		push	offset _ETW_EVENT_LOST_EVENT
		push	ds:dword_6BC30C
		push	ds:_EtwpEventTracingProvRegHandle
		call	EtwWriteEx

loc_67F080:				; CODE XREF: EtwpTraceLostEvent(x,x,x,x)+23j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_EtwpTraceLostEvent@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTiLogInsertQueueUserApc(x, x, x,	x, x, x, x)
_EtwTiLogInsertQueueUserApc@28 proc near ; CODE	XREF: .text:0052502Ep
					; KeInsertQueueApc+16730Fp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= byte ptr -30h
var_2C		= dword	ptr -2Ch
var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_25], cl
		push	eax
		push	3000h
		push	eax
		push	ds:dword_6BC124
		mov	ebx, edx
		mov	[ebp+var_38], eax
		push	ds:_EtwThreatIntProvRegHandle
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_34], eax
		call	EtwProviderEnabled
		test	al, al
		jz	loc_67F30A
		mov	eax, large fs:124h
		mov	edi, [ebx+150h]
		mov	ecx, [eax+80h]
		mov	eax, large fs:124h
		mov	[ebp+var_24], ecx
		mov	edx, [eax+150h]
		xor	eax, eax
		mov	dword ptr [ebp+var_30],	edx
		cmp	[ebp+arg_10], al
		jz	short loc_67F106
		cmp	edx, edi
		jmp	short loc_67F108
; 

loc_67F106:				; CODE XREF: EtwTiLogInsertQueueUserApc(x,x,x,x,x,x,x)+6Ej
		cmp	ecx, edi

loc_67F108:				; CODE XREF: EtwTiLogInsertQueueUserApc(x,x,x,x,x,x,x)+72j
		setnz	al
		test	eax, eax
		jz	loc_67F30A
		cmp	[ebp+var_25], 0
		mov	ebx, offset _THREATINT_QUEUEUSERAPC_REMOTE_KERNEL_CALLER
		jz	short loc_67F123
		mov	ebx, offset _THREATINT_QUEUEUSERAPC_REMOTE

loc_67F123:				; CODE XREF: EtwTiLogInsertQueueUserApc(x,x,x,x,x,x,x)+8Aj
		push	ebx
		push	ds:dword_6BC124
		push	ds:_EtwThreatIntProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_67F30A
		push	6E734954h
		push	2A0h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_67F30A
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_20]
		push	eax
		mov	ecx, esi
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	ecx, eax
		mov	eax, large fs:124h
		mov	edx, ecx
		mov	[ebp+var_24], ecx
		shl	edx, 4
		add	edx, esi
		lea	ecx, [eax+2B0h]
		add	eax, 280h
		mov	[edx], ecx
		xor	ecx, ecx
		mov	[edx+4], ecx
		mov	[edx+0Ch], ecx
		mov	dword ptr [edx+8], 4
		mov	[edx+14h], ecx
		mov	[edx+1Ch], ecx
		lea	ecx, [ebp+var_18]
		mov	[edx+10h], eax
		mov	eax, [ebp+var_24]
		add	eax, 2
		mov	dword ptr [edx+18h], 8
		push	ecx
		mov	ecx, eax
		mov	[ebp+var_24], eax
		shl	ecx, 4
		mov	edx, edi
		add	ecx, esi
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, [ebp+var_24]
		add	edx, eax
		mov	eax, [ebp+var_2C]
		mov	ecx, edx
		add	eax, 2B0h
		shl	ecx, 4
		add	edx, 2
		add	ecx, esi
		mov	[ebp+var_24], edx
		and	dword ptr [ecx+4], 0
		and	dword ptr [ecx+0Ch], 0
		mov	[ecx], eax
		mov	eax, [ebp+var_2C]
		mov	dword ptr [ecx+8], 4
		add	eax, 280h
		and	dword ptr [ecx+14h], 0
		and	dword ptr [ecx+1Ch], 0
		mov	[ecx+10h], eax
		lea	eax, [ebp+var_10]
		mov	dword ptr [ecx+18h], 8
		mov	ecx, edx
		mov	edx, dword ptr [ebp+var_30]
		shl	ecx, 4
		push	eax
		add	ecx, esi
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	ecx, [ebp+var_24]
		lea	edx, [ebp-26h]
		add	ecx, eax
		mov	eax, [ebp+var_2C]
		mov	eax, [eax+58h]
		shr	eax, 4
		and	al, 1
		mov	[ebp+var_26], al
		mov	eax, ecx
		shl	eax, 4
		add	eax, esi
		and	dword ptr [eax+4], 0
		and	dword ptr [eax+0Ch], 0
		mov	[eax], edx
		lea	edx, [ebp+var_38]
		mov	dword ptr [eax+8], 1
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_38], eax
		lea	eax, [ecx+1]
		shl	eax, 4
		add	eax, esi
		and	dword ptr [eax+4], 0
		mov	[eax], edx
		and	dword ptr [eax+0Ch], 0
		lea	edx, [ebp+arg_4]
		mov	dword ptr [eax+8], 4
		lea	eax, [ecx+2]
		shl	eax, 4
		add	eax, esi
		and	dword ptr [eax+4], 0
		and	dword ptr [eax+0Ch], 0
		mov	[eax], edx
		lea	edx, [ebp+arg_8]
		mov	dword ptr [eax+8], 4
		lea	eax, [ecx+3]
		shl	eax, 4
		add	eax, esi
		and	dword ptr [eax+4], 0
		and	dword ptr [eax+0Ch], 0
		mov	[eax], edx
		lea	edx, [ebp+arg_C]
		mov	dword ptr [eax+8], 4
		lea	eax, [ecx+4]
		shl	eax, 4
		add	ecx, 5
		add	eax, esi
		mov	[ebp+var_24], ecx
		mov	[eax], edx
		xor	edx, edx
		push	edx
		push	8000000h
		push	edx
		mov	[eax+4], edx
		mov	dword ptr [eax+8], 4
		mov	[eax+0Ch], edx
		push	ds:dword_6BC124
		push	ds:_EtwThreatIntProvRegHandle
		call	EtwProviderEnabled
		mov	[ebp+var_30], al
		test	al, al
		jz	short loc_67F2E9
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_34], eax

loc_67F2E9:				; CODE XREF: EtwTiLogInsertQueueUserApc(x,x,x,x,x,x,x)+24Fj
		push	dword ptr [ebp+var_30] ; char
		mov	ecx, [ebp+var_24]
		lea	eax, [ebp+var_38]
		push	ebx		; int
		push	2		; int
		push	eax		; void *
		push	edi		; int
		push	ecx		; int
		push	2Ah
		pop	edx
		mov	ecx, esi
		call	_EtwpTiVadQueryEventWrite@32 ; EtwpTiVadQueryEventWrite(x,x,x,x,x,x,x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_67F30A:				; CODE XREF: EtwTiLogInsertQueueUserApc(x,x,x,x,x,x,x)+3Fj
					; EtwTiLogInsertQueueUserApc(x,x,x,x,x,x,x)+7Bj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_EtwTiLogInsertQueueUserApc@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpTiAllocVadQueryEventWriteWorkItemContext(int,int,void *,int,int,int)
_EtwpTiAllocVadQueryEventWriteWorkItemContext@32 proc near
					; CODE XREF: EtwpTiAsyncVadQueryEventWrite(x,x,x,x,x,x,x)+1Dp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		mov	eax, ecx
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_10], edx
		xor	edi, edi
		mov	[ebp+var_14], eax
		push	10h
		mov	[ebp+var_4], esi
		pop	ecx
		cmp	[ebp+arg_0], esi
		jbe	short loc_67F36B
		lea	ebx, [eax+8]

loc_67F348:				; CODE XREF: EtwpTiAllocVadQueryEventWriteWorkItemContext(x,x,x,x,x,x,x,x)+4Ej
		mov	edx, [ebx]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_67F49B
		mov	esi, [ebp+var_4]
		inc	edi
		push	10h
		pop	ecx
		add	ebx, ecx
		cmp	edi, [ebp+arg_0]
		jb	short loc_67F348

loc_67F36B:				; CODE XREF: EtwpTiAllocVadQueryEventWriteWorkItemContext(x,x,x,x,x,x,x,x)+28j
		mov	eax, [ebp+var_10]
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_67F49B
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	2Ch
		pop	ecx
		push	eax
		mov	[ebp+var_4], ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_67F49B
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_67F49B
		mov	eax, [ebp+arg_C]
		push	4
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_67F49B
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_67F49B
		push	6E734954h
		push	[ebp+var_4]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_67F405
		mov	eax, 0C0000017h
		jmp	loc_67F49B
; 

loc_67F405:				; CODE XREF: EtwpTiAllocVadQueryEventWriteWorkItemContext(x,x,x,x,x,x,x,x)+DEj
		lea	ebx, [edi+2Ch]
		mov	[edi+10h], ebx
		add	ebx, [ebp+var_8]
		mov	[edi+14h], ebx
		lea	eax, [ebx+esi]
		mov	[edi+28h], eax
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_67F462
		mov	edx, [ebp+var_14]
		push	0FFFFFFF8h
		pop	ecx
		sub	ecx, edx
		mov	[ebp+var_8], eax
		lea	esi, [edx+8]
		mov	[ebp+var_14], ecx

loc_67F42F:				; CODE XREF: EtwpTiAllocVadQueryEventWriteWorkItemContext(x,x,x,x,x,x,x,x)+142j
		push	dword ptr [esi]	; size_t
		push	dword ptr [esi-8] ; void *
		push	ebx		; void *
		call	_memcpy
		mov	ecx, [edi+10h]
		add	esp, 0Ch
		add	ecx, [ebp+var_14]
		mov	eax, [esi]
		add	ecx, esi
		and	dword ptr [ecx+4], 0
		and	dword ptr [ecx+0Ch], 0
		mov	[ecx], ebx
		mov	[ecx+8], eax
		add	ebx, [esi]
		add	esi, 10h
		sub	[ebp+var_8], 1
		jnz	short loc_67F42F
		mov	eax, [ebp+arg_0]

loc_67F462:				; CODE XREF: EtwpTiAllocVadQueryEventWriteWorkItemContext(x,x,x,x,x,x,x,x)+101j
		mov	esi, [ebp+arg_4]
		mov	edx, 69547445h
		mov	ecx, esi
		mov	[edi+18h], eax
		call	ObfReferenceObjectWithTag
		push	[ebp+var_C]	; size_t
		mov	[edi+24h], esi
		push	[ebp+arg_8]	; void *
		push	dword ptr [edi+28h] ; void *
		call	_memcpy
		mov	eax, [ebp+arg_C]
		add	esp, 0Ch
		mov	[edi+1Ch], eax
		mov	eax, [ebp+arg_10]
		mov	[edi+20h], eax
		mov	eax, [ebp+arg_14]
		mov	[eax], edi
		xor	eax, eax

loc_67F49B:				; CODE XREF: EtwpTiAllocVadQueryEventWriteWorkItemContext(x,x,x,x,x,x,x,x)+3Cj
					; EtwpTiAllocVadQueryEventWriteWorkItemContext(x,x,x,x,x,x,x,x)+61j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_EtwpTiAllocVadQueryEventWriteWorkItemContext@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpTiAsyncVadQueryEventWrite(int,int,void *,int,int)
_EtwpTiAsyncVadQueryEventWrite@28 proc near
					; CODE XREF: EtwpTiVadQueryEventWrite(x,x,x,x,x,x,x,x)+52p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		call	_EtwpTiAllocVadQueryEventWriteWorkItemContext@32 ; EtwpTiAllocVadQueryEventWriteWorkItemContext(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short locret_67F4E0
		mov	eax, [ebp+var_4]
		push	1
		push	eax
		and	dword ptr [eax], 0
		mov	dword ptr [eax+8], offset _EtwpTiVadQueryEventWriteCallback@4 ;	EtwpTiVadQueryEventWriteCallback(x)
		mov	[eax+0Ch], eax
		call	ExQueueWorkItem

locret_67F4E0:				; CODE XREF: EtwpTiAsyncVadQueryEventWrite(x,x,x,x,x,x,x)+24j
		leave
		retn	14h
_EtwpTiAsyncVadQueryEventWrite@28 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpTiFillVad(x, x)
_EtwpTiFillVad@8 proc near		; CODE XREF: EtwpTiFillVadEventWrite(x,x,x,x,x,x,x)+2Fp
		lea	eax, [edx+4]
		mov	[ecx], edx
		mov	[ecx+10h], eax
		lea	eax, [edx+8]
		mov	[ecx+20h], eax
		lea	eax, [edx+0Ch]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ecx+30h], eax
		lea	eax, [edx+10h]
		mov	[ecx+4], edi
		push	4
		pop	esi
		mov	[ecx+40h], eax
		lea	eax, [edx+14h]
		mov	[ecx+8], esi
		mov	[ecx+0Ch], edi
		mov	[ecx+14h], edi
		mov	[ecx+18h], esi
		mov	[ecx+1Ch], edi
		mov	[ecx+24h], edi
		mov	[ecx+28h], esi
		mov	[ecx+2Ch], edi
		mov	[ecx+34h], edi
		mov	[ecx+38h], esi
		mov	[ecx+3Ch], edi
		mov	[ecx+44h], edi
		mov	[ecx+48h], esi
		mov	[ecx+4Ch], edi
		mov	[ecx+50h], eax
		mov	[ecx+54h], edi
		mov	[ecx+58h], esi
		mov	[ecx+5Ch], edi
		mov	edx, [edx+20h]
		test	edx, edx
		jz	short loc_67F55A
		mov	eax, [edx+4]
		test	eax, eax
		jz	short loc_67F55A
		cmp	[edx], di
		jz	short loc_67F55A
		movzx	edx, word ptr [edx+2]
		jmp	short loc_67F562
; 

loc_67F55A:				; CODE XREF: EtwpTiFillVad(x,x)+62j
					; EtwpTiFillVad(x,x)+69j ...
		push	2
		pop	edx
		mov	eax, offset dword_42E408

loc_67F562:				; CODE XREF: EtwpTiFillVad(x,x)+74j
		mov	[ecx+60h], eax
		push	7
		mov	[ecx+64h], edi
		pop	eax
		mov	[ecx+68h], edx
		mov	[ecx+6Ch], edi
		pop	edi
		pop	esi
		retn
_EtwpTiFillVad@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTiFillVadEventWrite(x, x, x, x,	x, x, x)
_EtwpTiFillVadEventWrite@28 proc near	; CODE XREF: EtwpTiVadQueryEventWrite(x,x,x,x,x,x,x,x)+5Cp
					; EtwpTiVadQueryEventWriteCallback(x)+6Fp

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edx
		mov	ebx, ecx
		cmp	[ebp+arg_C], edi
		jbe	short loc_67F5C2

loc_67F587:				; CODE XREF: EtwpTiFillVadEventWrite(x,x,x,x,x,x,x)+4Cj
		cmp	[ebp+arg_0], 0
		jz	short loc_67F5AA
		xor	eax, eax
		mov	ecx, edi
		inc	eax
		shl	eax, cl
		test	[ebp+arg_8], eax
		jz	short loc_67F5AA
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		shl	ecx, 4
		add	ecx, ebx
		call	_EtwpTiFillVad@8 ; EtwpTiFillVad(x,x)
		jmp	short loc_67F5B6
; 

loc_67F5AA:				; CODE XREF: EtwpTiFillVadEventWrite(x,x,x,x,x,x,x)+17j
					; EtwpTiFillVadEventWrite(x,x,x,x,x,x,x)+23j
		mov	ecx, esi
		shl	ecx, 4
		add	ecx, ebx
		call	_EtwpTiFillZeroVad@4 ; EtwpTiFillZeroVad(x)

loc_67F5B6:				; CODE XREF: EtwpTiFillVadEventWrite(x,x,x,x,x,x,x)+34j
		add	[ebp+arg_4], 24h
		add	esi, eax
		inc	edi
		cmp	edi, [ebp+arg_C]
		jb	short loc_67F587

loc_67F5C2:				; CODE XREF: EtwpTiFillVadEventWrite(x,x,x,x,x,x,x)+11j
		push	ebx
		push	esi
		push	0
		push	[ebp+arg_10]
		push	ds:dword_6BC124
		push	ds:_EtwThreatIntProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
_EtwpTiFillVadEventWrite@28 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpTiFillZeroVad(x)
_EtwpTiFillZeroVad@4 proc near		; CODE XREF: EtwpTiFillVadEventWrite(x,x,x,x,x,x,x)+3Dp
		mov	edi, edi
		push	esi
		xor	esi, esi
		mov	dword ptr [ecx+68h], 2
		push	4
		pop	eax
		mov	edx, offset dword_42E404
		mov	[ecx+8], eax
		push	7
		mov	[ecx+18h], eax
		mov	[ecx+28h], eax
		mov	[ecx+38h], eax
		mov	[ecx+48h], eax
		mov	[ecx+58h], eax
		pop	eax
		mov	[ecx+4], esi
		mov	[ecx+0Ch], esi
		mov	[ecx+14h], esi
		mov	[ecx+1Ch], esi
		mov	[ecx+24h], esi
		mov	[ecx+2Ch], esi
		mov	[ecx+34h], esi
		mov	[ecx+3Ch], esi
		mov	[ecx+44h], esi
		mov	[ecx+4Ch], esi
		mov	[ecx+54h], esi
		mov	[ecx+5Ch], esi
		mov	[ecx+64h], esi
		mov	[ecx+6Ch], esi
		mov	[ecx], edx
		mov	[ecx+10h], edx
		mov	[ecx+20h], edx
		mov	[ecx+30h], edx
		mov	[ecx+40h], edx
		mov	[ecx+50h], edx
		mov	[ecx+60h], edx
		pop	esi
		retn
_EtwpTiFillZeroVad@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpTiVadQueryEventWrite(int,int,void *,int,int,char)
_EtwpTiVadQueryEventWrite@32 proc near	; CODE XREF: EtwTiLogInsertQueueUserApc(x,x,x,x,x,x,x)+26Bp
					; EtwTiLogSetContextThread(x,x,x,x)+28Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax
		mov	edi, edx
		mov	[ebp+var_8], ebx
		mov	esi, ecx
		mov	[ebp+var_4], ebx
		call	KeQuerySystemTime
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_8]
		push	[ebp+arg_10]	; int
		mov	eax, edx
		push	[ebp+arg_C]	; int
		shl	eax, 4
		add	eax, esi
		inc	edx
		mov	[eax], ecx
		mov	ecx, esi
		mov	[eax+4], ebx
		mov	dword ptr [eax+8], 8
		mov	[eax+0Ch], ebx
		cmp	[ebp+arg_14], bl
		jz	short loc_67F6A3
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_4]	; int
		push	edx		; int
		mov	edx, edi
		call	_EtwpTiAsyncVadQueryEventWrite@28 ; EtwpTiAsyncVadQueryEventWrite(x,x,x,x,x,x,x)
		jmp	short loc_67F6AB
; 

loc_67F6A3:				; CODE XREF: EtwpTiVadQueryEventWrite(x,x,x,x,x,x,x,x)+47j
		push	ebx
		push	ebx
		push	ebx
		call	_EtwpTiFillVadEventWrite@28 ; EtwpTiFillVadEventWrite(x,x,x,x,x,x,x)

loc_67F6AB:				; CODE XREF: EtwpTiVadQueryEventWrite(x,x,x,x,x,x,x,x)+57j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_EtwpTiVadQueryEventWrite@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpBugCheckMultiPartCallback(x, x,	x, x)
_EtwpBugCheckMultiPartCallback@16 proc near ; DATA XREF: EtwpInitialize+1EEo

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		xor	eax, eax
		mov	esi, offset _EtwSecondaryDumpDataGuid
		mov	ebx, [edi+24h]
		mov	[edi+20h], eax
		add	edi, 0Ch
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_8]
		test	ebx, ebx
		jnz	short loc_67F6EC
		mov	ebx, offset _EtwpDumpCallbackContext
		mov	ds:_EtwpDumpCallbackContext, eax
		mov	ds:dword_6BC0E4, eax
		mov	[esi+24h], ebx

loc_67F6EC:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+26j
		cmp	[ebx+2], al
		jnz	short loc_67F749
		push	20h
		pop	edx
		mov	[esi+20h], edx
		cmp	[esi+4], eax
		jz	short loc_67F740
		mov	ecx, [esi]
		mov	eax, ds:_EtwpBootTime
		mov	[ecx+10h], eax
		mov	eax, ds:dword_6BC194
		mov	[ecx+14h], eax
		mov	eax, ds:_EtwCPUSpeedInMHz
		mov	[ecx+8], eax
		mov	eax, ds:_EtwPerfFreq
		mov	[ecx+18h], eax
		mov	eax, ds:dword_6BC154
		mov	[ecx+1Ch], eax
		mov	eax, ds:_KeMaximumIncrement
		mov	[ecx], eax
		mov	eax, ds:_NtBuildNumber
		mov	[ecx+4], eax
		mov	eax, [esi]
		mov	[esi+20h], edx
		mov	[esi+4], edx
		mov	[esi+1Ch], eax

loc_67F740:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+48j
		mov	byte ptr [ebx+2], 1
		jmp	loc_67F8A7
; 

loc_67F749:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+3Dj
		mov	edx, [ebx+4]
		movzx	eax, word ptr [ebx]
		mov	ecx, eax
		test	edx, edx
		jnz	loc_67F85B
		mov	edx, ds:_EtwpHostSiloState
		cmp	ecx, [edx+8]
		jnb	loc_67F8A7
		mov	edi, eax

loc_67F76A:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+125j
		mov	eax, [edx+18Ch]
		movzx	ecx, di
		mov	ecx, [eax+ecx*4]
		mov	[ebp+var_4], ecx
		test	cl, 1
		jnz	short loc_67F7BF
		cmp	dword ptr [ecx+0Ch], 0
		jge	short loc_67F7BF
		test	byte ptr [ecx+0E0h], 1
		jnz	short loc_67F7BF
		add	ecx, 1F4h
		call	@KeTestSpinLock@4 ; KeTestSpinLock(x)
		test	al, al
		jz	short loc_67F7BF
		cmp	dword ptr [esi+4], 0
		mov	edx, [ebp+var_4]
		movzx	eax, word ptr [edx+5Ch]
		lea	eax, ds:30h[eax*2]
		mov	[ebp+var_8], eax
		mov	[esi+20h], eax
		jz	loc_67F84D
		cmp	eax, [esi+8]
		jbe	short loc_67F7DE

loc_67F7BF:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+CAj
					; EtwpBugCheckMultiPartCallback(x,x,x,x)+D0j ...
		mov	ax, [ebx]
		mov	edx, ds:_EtwpHostSiloState
		inc	ax
		movzx	ecx, ax
		mov	[ebx], ax
		mov	edi, ecx
		mov	eax, ecx
		cmp	eax, [edx+8]
		jb	short loc_67F76A
		jmp	loc_67F8A7
; 

loc_67F7DE:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+10Bj
		mov	ecx, [esi]
		lea	esi, [edx+0E8h]
		mov	dword ptr [ecx], 1EBAFE1h
		lea	edi, [ecx+20h]
		mov	eax, [edx]
		mov	[ecx+4], eax
		mov	eax, [edx+4]
		mov	[ecx+10h], eax
		mov	eax, [edx+7Ch]
		mov	[ecx+0Ch], eax
		mov	eax, [edx+240h]
		mov	[ecx+18h], eax
		mov	eax, [edx+244h]
		mov	[ecx+1Ch], eax
		mov	eax, [edx+0Ch]
		mov	[ecx+8], eax
		movzx	eax, word ptr [edx+5Ch]
		mov	[ecx+14h], eax
		movsd
		movsd
		movsd
		movsd
		movzx	eax, word ptr [edx+5Ch]
		add	eax, eax
		push	eax		; size_t
		push	dword ptr [edx+60h] ; void *
		lea	eax, [ecx+30h]
		push	eax		; void *
		call	_memcpy
		mov	esi, [ebp+arg_8]
		add	esp, 0Ch
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_4]
		mov	[esi+20h], eax
		mov	[esi+4], eax
		mov	eax, [esi]
		mov	[esi+1Ch], eax

loc_67F84D:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+102j
		mov	ecx, edx
		call	_EtwpGetFirstBuffer@4 ;	EtwpGetFirstBuffer(x)
		mov	[ebx+4], eax
		test	eax, eax
		jmp	short loc_67F8A2
; 

loc_67F85B:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+A1j
		mov	eax, ds:_EtwpHostSiloState
		mov	eax, [eax+18Ch]
		mov	edi, [eax+ecx*4]
		mov	ecx, [edx+8]
		mov	eax, [ecx+8]
		cmp	eax, [ecx]
		jbe	short loc_67F87B
		mov	eax, [ecx+4]
		mov	[ecx+30h], eax
		jmp	short loc_67F881
; 

loc_67F87B:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+1BFj
		mov	eax, [ecx+8]
		mov	[ecx+30h], eax

loc_67F881:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+1C7j
		cmp	dword ptr [esi+4], 0
		mov	[esi+20h], eax
		jz	short loc_67F88D
		mov	[esi+1Ch], ecx

loc_67F88D:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+1D6j
		mov	eax, [ebx+4]
		mov	ecx, [eax]
		lea	eax, [edi+40h]
		mov	edx, ecx
		sub	edx, eax
		neg	edx
		sbb	edx, edx
		and	edx, ecx
		mov	[ebx+4], edx

loc_67F8A2:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+1A7j
		jnz	short loc_67F8A7
		inc	word ptr [ebx]

loc_67F8A7:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+92j
					; EtwpBugCheckMultiPartCallback(x,x,x,x)+B0j ...
		mov	eax, ds:_EtwpHostSiloState
		movzx	ecx, word ptr [ebx]
		mov	edx, [esi+28h]
		cmp	ecx, [eax+8]
		jnb	short loc_67F8BF
		or	edx, 1
		mov	[esi+28h], edx
		jmp	short loc_67F8D2
; 

loc_67F8BF:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+203j
		and	edx, 0FFFFFFFEh
		mov	[esi+28h], edx
		and	dword ptr [ebx+4], 0
		xor	eax, eax
		mov	byte ptr [ebx+2], 0
		mov	[ebx], ax

loc_67F8D2:				; CODE XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+20Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_EtwpBugCheckMultiPartCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSendTraceEvent(x, x)
_EtwpSendTraceEvent@8 proc near		; CODE XREF: .text:0052966Dp
					; EtwpTraceMessageVa+166D12p ...

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_18		= dword	ptr -18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		and	[esp+64h+var_60], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	eax, [esi+25Ch]
		test	eax, 800h
		jz	short loc_67F917
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_67F917
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_67F917
		mov	ecx, esi
		call	_EtwpSendDbgId@4 ; EtwpSendDbgId(x)

loc_67F917:				; CODE XREF: EtwpSendTraceEvent(x,x)+22j
					; EtwpSendTraceEvent(x,x)+2Bj ...
		mov	eax, [edi+8]
		lea	ecx, [esp+70h+var_60]
		mov	ebx, [edi]
		mov	edx, eax
		push	ecx
		mov	ecx, ebx
		mov	[esp+74h+var_5C], eax
		call	_EtwpGetNextEventOffsetType@12 ; EtwpGetNextEventOffsetType(x,x,x)
		test	eax, eax
		jz	short loc_67F986
		mov	edx, [esp+70h+var_60]
		mov	eax, ds:_KdTransportMaxPacketSize
		add	edx, 48h
		add	eax, 0FFFFFFC0h
		cmp	edx, eax
		ja	short loc_67F986
		push	12h
		lea	eax, [esp+74h+var_48]
		mov	[esp+74h+var_54], 48h
		mov	[esp+74h+var_58], eax
		lea	edi, [esp+74h+var_48]
		mov	eax, [esp+74h+var_5C]
		mov	esi, ebx
		pop	ecx
		rep movsd
		add	eax, ebx
		mov	[esp+70h+var_48], edx
		push	2
		mov	[esp+74h+var_18], edx
		lea	ecx, [esp+74h+var_58]
		mov	[esp+74h+var_50], eax
		mov	eax, [esp+74h+var_60]
		pop	edx
		mov	[esp+70h+var_4C], eax
		call	_KdSendTraceData@8 ; KdSendTraceData(x,x)

loc_67F986:				; CODE XREF: EtwpSendTraceEvent(x,x)+57j
					; EtwpSendTraceEvent(x,x)+6Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_EtwpSendTraceEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PerfLogExecutiveResourceAcquire(x,	x, x, x)
@PerfLogExecutiveResourceAcquire@16 proc near
					; CODE XREF: ExpAcquireSharedStarveExclusive+125F61p
					; ExpAcquireSharedStarveExclusive+125F89p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_5		= byte ptr -5
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_5], 0
		rdtsc
		mov	[ebp+var_C], eax
		mov	ebx, ecx
		mov	eax, large fs:20h
		mov	[ebp+var_14], edx
		mov	edx, ebx
		and	edx, 0FFFF0000h
		mov	[ebp+var_10], eax
		mov	cl, [eax+3C4h]
		movzx	esi, byte ptr [eax+3C5h]
		inc	dword ptr [eax+4150h]
		mov	[ebp+var_1], cl
		mov	[ebp-6], cl
		mov	ecx, edi
		mov	[ebp+var_8], si
		call	_EtwpGetTrackingLockSlotForThread@8 ; EtwpGetTrackingLockSlotForThread(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_67FA96
		mov	eax, [ebp+var_10]
		inc	dword ptr [eax+4154h]
		cmp	ebx, 10021h
		jz	short loc_67FA3C
		cmp	ebx, 10041h
		jz	short loc_67FA3C
		cmp	ebx, 10031h
		jz	short loc_67FA14
		cmp	ebx, 10051h
		jnz	loc_67FA96

loc_67FA14:				; CODE XREF: PerfLogExecutiveResourceAcquire(x,x,x,x)+79j
		xor	edx, edx
		xor	eax, eax
		inc	edx
		cmp	[ecx+1Ch], eax
		jnz	short loc_67FA2F
		mov	dword ptr [ecx+8], 2
		mov	[ecx+0Ch], eax
		mov	[ecx], edx
		mov	[ecx+4], eax
		jmp	short loc_67FA81
; 

loc_67FA2F:				; CODE XREF: PerfLogExecutiveResourceAcquire(x,x,x,x)+8Fj
		mov	eax, [ebp+arg_0]
		cmp	[ecx+20h], eax
		jnb	short loc_67FA93
		mov	[ecx+20h], eax
		jmp	short loc_67FA93
; 

loc_67FA3C:				; CODE XREF: PerfLogExecutiveResourceAcquire(x,x,x,x)+69j
					; PerfLogExecutiveResourceAcquire(x,x,x,x)+71j
		mov	eax, [ebp+var_C]
		xor	edx, edx
		mov	ebx, [ebp+var_14]
		mov	edi, esi
		mov	esi, [ecx+1Ch]
		inc	edx
		mov	[ecx+8], eax
		mov	[ecx+0Ch], ebx
		test	esi, esi
		jz	short loc_67FA7A
		cmp	esi, 4
		jnz	short loc_67FA7A
		cmp	[ecx+14h], di
		jnz	short loc_67FA76
		mov	al, [ebp+var_1]
		cmp	[ecx+16h], al
		mov	eax, [ebp+var_C]
		jnz	short loc_67FA76
		sub	eax, [ecx]
		mov	[ecx], eax
		sbb	ebx, [ecx+4]
		mov	[ecx+4], ebx
		jmp	short loc_67FA81
; 

loc_67FA76:				; CODE XREF: PerfLogExecutiveResourceAcquire(x,x,x,x)+D0j
					; PerfLogExecutiveResourceAcquire(x,x,x,x)+DBj
		mov	[ecx], edx
		jmp	short loc_67FA7D
; 

loc_67FA7A:				; CODE XREF: PerfLogExecutiveResourceAcquire(x,x,x,x)+C5j
					; PerfLogExecutiveResourceAcquire(x,x,x,x)+CAj
		and	dword ptr [ecx], 0

loc_67FA7D:				; CODE XREF: PerfLogExecutiveResourceAcquire(x,x,x,x)+EBj
		and	dword ptr [ecx+4], 0

loc_67FA81:				; CODE XREF: PerfLogExecutiveResourceAcquire(x,x,x,x)+A0j
					; PerfLogExecutiveResourceAcquire(x,x,x,x)+E7j
		mov	eax, dword ptr [ebp+var_8]
		mov	[ecx+14h], eax
		mov	eax, [ebp+arg_0]
		mov	[ecx+20h], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+28h], eax

loc_67FA93:				; CODE XREF: PerfLogExecutiveResourceAcquire(x,x,x,x)+A8j
					; PerfLogExecutiveResourceAcquire(x,x,x,x)+ADj
		mov	[ecx+1Ch], edx

loc_67FA96:				; CODE XREF: PerfLogExecutiveResourceAcquire(x,x,x,x)+54j
					; PerfLogExecutiveResourceAcquire(x,x,x,x)+81j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
@PerfLogExecutiveResourceAcquire@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PerfLogExecutiveResourceInitialize(x, x, x, x)
@PerfLogExecutiveResourceInitialize@16 proc near
					; CODE XREF: ExReinitializeResourceLite+121781p
					; ExInitializeResourceLite+B887Ep

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, large fs:20h
		push	esi
		xor	esi, esi
		mov	[ebp+var_1C], esi
		inc	dword ptr [eax+4150h]
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_30], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_20], eax
		mov	eax, large fs:124h
		mov	[ebp+var_28], edx
		xor	edx, edx
		mov	[ebp+var_24], ecx
		inc	edx
		push	1501802h
		mov	[ebp+var_48], esi
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], esi
		mov	eax, [eax+2B0h]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_48]
		push	52Bh
		push	20020000h
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 30h
		mov	[ebp+var_C], esi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
@PerfLogExecutiveResourceInitialize@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PerfLogExecutiveResourceRelease(x,	x, x, x)
@PerfLogExecutiveResourceRelease@16 proc near
					; CODE XREF: ExpReleaseResourceForThreadLite+D0F79p
					; ExpReleaseResourceExclusiveForThreadLite+CE5BCp ...

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_34], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:20h
		mov	esi, edx
		rdtsc
		mov	[ebp+var_20], eax
		mov	ebx, ecx
		mov	[ebp+var_2C], esi
		movzx	eax, byte ptr [edi+3C5h]
		inc	dword ptr [edi+4150h]
		mov	[ebp+var_28], eax
		mov	al, [edi+3C4h]
		mov	[ebp+var_19], al
		mov	eax, large fs:124h
		mov	[ebp+var_24], edx
		cmp	dword ptr [eax+354h], 0
		jz	loc_67FCEF
		mov	edx, ebx
		mov	ecx, esi
		and	edx, 0FFFF0000h
		call	_EtwpGetTrackingLockSlotForThread@8 ; EtwpGetTrackingLockSlotForThread(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_67FCEF
		cmp	dword ptr [esi+1Ch], 0
		jz	loc_67FCEB
		inc	dword ptr [edi+4154h]
		mov	eax, [ebp+arg_0]
		inc	eax
		cmp	[esi+20h], eax
		jnb	short loc_67FBC0
		mov	[esi+20h], eax

loc_67FBC0:				; CODE XREF: PerfLogExecutiveResourceRelease(x,x,x,x)+8Bj
		cmp	ebx, 10022h
		jz	short loc_67FBF0
		cmp	ebx, 10042h
		jz	short loc_67FBF0
		cmp	ebx, 10032h
		jz	short loc_67FBE4
		cmp	ebx, 10052h
		jnz	loc_67FCEF

loc_67FBE4:				; CODE XREF: PerfLogExecutiveResourceRelease(x,x,x,x)+A6j
		mov	dword ptr [esi+1Ch], 2
		jmp	loc_67FCEF
; 

loc_67FBF0:				; CODE XREF: PerfLogExecutiveResourceRelease(x,x,x,x)+96j
					; PerfLogExecutiveResourceRelease(x,x,x,x)+9Ej
		mov	ecx, [esi+0Ch]
		mov	eax, [esi+8]
		test	ecx, ecx
		jnz	short loc_67FBFF
		cmp	eax, 2
		jbe	short loc_67FC18

loc_67FBFF:				; CODE XREF: PerfLogExecutiveResourceRelease(x,x,x,x)+C8j
		mov	edx, [ebp+var_28]
		cmp	[esi+14h], dx
		jnz	short loc_67FC18
		mov	dl, [ebp+var_19]
		cmp	[esi+16h], dl
		jnz	short loc_67FC18
		sub	[ebp+var_20], eax
		sbb	[ebp+var_24], ecx
		jmp	short loc_67FC20
; 

loc_67FC18:				; CODE XREF: PerfLogExecutiveResourceRelease(x,x,x,x)+CDj
					; PerfLogExecutiveResourceRelease(x,x,x,x)+D6j	...
		and	[ebp+var_20], 0
		and	[ebp+var_24], 0

loc_67FC20:				; CODE XREF: PerfLogExecutiveResourceRelease(x,x,x,x)+E6j
		cmp	dword ptr [esi+4], 0
		mov	ecx, [ebp+arg_4]
		ja	short loc_67FC2E
		cmp	dword ptr [esi], 1
		jbe	short loc_67FC46

loc_67FC2E:				; CODE XREF: PerfLogExecutiveResourceRelease(x,x,x,x)+F7j
		mov	eax, [edi+40D0h]
		xor	edx, edx
		add	eax, [edi+40CCh]
		div	ds:_EtwpExecutiveResourceContentionSampleRate
		test	edx, edx
		jz	short loc_67FC75

loc_67FC46:				; CODE XREF: PerfLogExecutiveResourceRelease(x,x,x,x)+FCj
		mov	edx, [esi+28h]
		cmp	ecx, edx
		jbe	short loc_67FC5D
		mov	eax, ecx
		sub	eax, edx
		xor	edx, edx
		div	ds:_EtwpExecutiveResourceContentionSampleRate
		test	edx, edx
		jz	short loc_67FC75

loc_67FC5D:				; CODE XREF: PerfLogExecutiveResourceRelease(x,x,x,x)+11Bj
		mov	eax, [edi+40D0h]
		xor	edx, edx
		add	eax, [edi+40CCh]
		div	ds:_EtwpExecutiveResourceReleaseSampleRate
		test	edx, edx
		jnz	short loc_67FCEB

loc_67FC75:				; CODE XREF: PerfLogExecutiveResourceRelease(x,x,x,x)+114j
					; PerfLogExecutiveResourceRelease(x,x,x,x)+12Bj
		mov	eax, [ebp+var_2C]
		mov	edx, [ebp+var_24]
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], ebx
		mov	eax, [esi+8]
		mov	[ebp+var_60], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_5C], eax
		mov	eax, [esi+20h]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_20]
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], edx
		xor	edx, edx
		mov	eax, [esi]
		inc	edx
		mov	[ebp+var_50], eax
		mov	eax, [esi+4]
		mov	[ebp+var_4C], eax
		mov	eax, large fs:124h
		sub	ecx, [esi+28h]
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		mov	[ebp+var_38], ecx
		lea	ecx, [ebp+var_18]
		mov	eax, [eax+2B0h]
		push	1501802h
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_60]
		push	52Bh
		push	20020000h
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], 30h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_67FCEB:				; CODE XREF: PerfLogExecutiveResourceRelease(x,x,x,x)+78j
					; PerfLogExecutiveResourceRelease(x,x,x,x)+143j
		and	dword ptr [esi+18h], 0

loc_67FCEF:				; CODE XREF: PerfLogExecutiveResourceRelease(x,x,x,x)+55j
					; PerfLogExecutiveResourceRelease(x,x,x,x)+6Ej	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
@PerfLogExecutiveResourceRelease@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PerfLogExecutiveResourceSetOwnerPointer(x,	x)
@PerfLogExecutiveResourceSetOwnerPointer@8 proc	near
					; CODE XREF: ExpSetResourceOwnerPointerEx+DA133p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:20h
		mov	esi, ecx
		mov	eax, large fs:124h
		xor	ecx, ecx
		mov	ebx, edx
		mov	[esp+58h+var_1C], ecx
		push	1501802h
		inc	dword ptr [edi+4150h]
		xor	edx, edx
		mov	[esp+5Ch+var_48], ecx
		inc	edx
		mov	[esp+5Ch+var_44], ecx
		mov	[esp+5Ch+var_30], ecx
		mov	[esp+5Ch+var_40], ecx
		mov	[esp+5Ch+var_3C], ecx
		mov	[esp+5Ch+var_38], ecx
		mov	[esp+5Ch+var_34], ecx
		mov	[esp+5Ch+var_20], ecx
		mov	[esp+5Ch+var_24], esi
		mov	[esp+5Ch+var_28], ebx
		mov	eax, [eax+2B0h]
		mov	[esp+5Ch+var_2C], eax
		lea	eax, [esp+5Ch+var_48]
		push	52Bh
		mov	[esp+60h+var_14], ecx
		mov	[esp+60h+var_C], ecx
		lea	ecx, [esp+60h+var_18]
		push	20020000h
		mov	[esp+64h+var_18], eax
		mov	[esp+64h+var_10], 30h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	eax, large fs:124h
		cmp	dword ptr [eax+354h], 0
		jz	short loc_67FDE9
		and	esi, 0FFFF0000h
		mov	ecx, ebx
		mov	edx, esi
		call	_EtwpGetTrackingLockSlotForThread@8 ; EtwpGetTrackingLockSlotForThread(x,x)
		test	eax, eax
		jz	short loc_67FDE9
		xor	edx, edx
		cmp	[eax+1Ch], edx
		jz	short loc_67FDE6
		inc	dword ptr [edi+4154h]
		xor	ecx, ecx
		mov	[eax+10h], edx
		mov	[eax+1Ch], edx
		mov	[eax+20h], edx
		mov	[eax], edx
		mov	[eax+4], edx
		mov	[eax+8], edx
		mov	[eax+0Ch], edx
		mov	[eax+14h], ecx
		mov	[eax+28h], edx

loc_67FDE6:				; CODE XREF: PerfLogExecutiveResourceSetOwnerPointer(x,x)+C2j
		mov	[eax+18h], edx

loc_67FDE9:				; CODE XREF: PerfLogExecutiveResourceSetOwnerPointer(x,x)+A8j
					; PerfLogExecutiveResourceSetOwnerPointer(x,x)+BBj
		mov	ecx, [esp+58h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
@PerfLogExecutiveResourceSetOwnerPointer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PerfLogExecutiveResourceWait(x, x,	x)
@PerfLogExecutiveResourceWait@12 proc near
					; CODE XREF: ExpAcquireSharedStarveExclusive+12601Ap
					; sub_5CF2F2+6p ...

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= word ptr -24h
var_21		= byte ptr -21h
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_38], 0
		push	ebx
		push	esi
		mov	[ebp+var_28], edx
		mov	esi, ecx
		mov	ecx, large fs:20h
		rdtsc
		push	edi
		mov	edi, eax
		mov	[ebp+var_2C], ecx
		movzx	eax, byte ptr [ecx+3C5h]
		mov	ebx, edx
		inc	dword ptr [ecx+4150h]
		mov	edx, eax
		mov	[ebp+var_30], edx
		mov	edx, esi
		mov	[ebp+var_24], ax
		and	edx, 0FFFF0000h
		mov	al, [ecx+3C4h]
		mov	ecx, [ebp+var_28]
		mov	[ebp+var_1D], al
		mov	[ebp-22h], al
		mov	[ebp+var_21], 0
		call	_EtwpGetTrackingLockSlotForThread@8 ; EtwpGetTrackingLockSlotForThread(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_67FF49
		mov	eax, [ebp+var_2C]
		inc	dword ptr [eax+4154h]
		cmp	esi, 10024h
		jz	loc_67FF37
		cmp	esi, 10044h
		jz	loc_67FF37
		cmp	esi, 10224h
		jz	short loc_67FE9E
		cmp	esi, 10244h
		jnz	loc_67FF49

loc_67FE9E:				; CODE XREF: PerfLogExecutiveResourceWait(x,x,x)+95j
		cmp	dword ptr [ecx+1Ch], 4
		mov	eax, [ebp+var_30]
		movzx	eax, ax
		jnz	short loc_67FEBF
		cmp	[ecx+14h], ax
		jnz	short loc_67FEBF
		mov	al, [ebp+var_1D]
		cmp	[ecx+16h], al
		jnz	short loc_67FEBF
		sub	edi, [ecx]
		sbb	ebx, [ecx+4]
		jmp	short loc_67FEC3
; 

loc_67FEBF:				; CODE XREF: PerfLogExecutiveResourceWait(x,x,x)+ADj
					; PerfLogExecutiveResourceWait(x,x,x)+B3j ...
		xor	edi, edi
		xor	ebx, ebx

loc_67FEC3:				; CODE XREF: PerfLogExecutiveResourceWait(x,x,x)+C2j
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		div	ds:_EtwpExecutiveResourceTimeout
		test	edx, edx
		jnz	short loc_67FF49
		mov	eax, [ebp+var_28]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4C], eax
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_40], esi
		mov	[ebp+var_5C], edi
		mov	[ebp+var_58], ebx
		mov	eax, [ecx]
		mov	[ebp+var_54], eax
		mov	eax, [ecx+4]
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_50], eax
		mov	eax, large fs:124h
		mov	[ebp+var_3C], edx
		push	1501802h
		push	52Bh
		mov	eax, [eax+2B0h]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		inc	edx
		push	20020000h
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], 30h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	short loc_67FF49
; 

loc_67FF37:				; CODE XREF: PerfLogExecutiveResourceWait(x,x,x)+7Dj
					; PerfLogExecutiveResourceWait(x,x,x)+89j
		mov	eax, dword ptr [ebp+var_24]
		mov	dword ptr [ecx+1Ch], 4
		mov	[ecx], edi
		mov	[ecx+4], ebx
		mov	[ecx+14h], eax

loc_67FF49:				; CODE XREF: PerfLogExecutiveResourceWait(x,x,x)+68j
					; PerfLogExecutiveResourceWait(x,x,x)+9Dj ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
@PerfLogExecutiveResourceWait@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PerfLogSpinLockAcquire(x, x, x, x,	x, x, x)
@PerfLogSpinLockAcquire@28 proc	near	; CODE XREF: KiAcquireQueuedSpinLockInstrumented(x,x)+78p
					; KiTryToAcquireQueuedSpinLockInstrumented(x,x)+68p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:20h
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax+4054h]
		mov	edi, ecx
		mov	bl, [esi+110h]
		cmp	bl, 8
		jb	short loc_67FF83
		inc	dword ptr [esi+114h]
		jmp	short loc_67FFBD
; 

loc_67FF83:				; CODE XREF: PerfLogSpinLockAcquire(x,x,x,x,x,x,x)+1Fj
		movzx	ecx, bl
		lea	eax, [ebx+1]
		mov	[esi+110h], al
		mov	eax, [ebp+arg_0]
		shl	ecx, 5
		mov	[ecx+esi+10h], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+esi+14h], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+esi+20h], eax
		mov	eax, [ebp+arg_C]
		mov	[ecx+esi+24h], eax
		mov	al, [ebp+arg_10]
		mov	[ecx+esi+18h], edi
		mov	[ecx+esi+1Ch], edx
		mov	[ecx+esi+28h], al

loc_67FFBD:				; CODE XREF: PerfLogSpinLockAcquire(x,x,x,x,x,x,x)+27j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
@PerfLogSpinLockAcquire@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PerfLogSpinLockRelease(x, x, x, x)
@PerfLogSpinLockRelease@16 proc	near	; CODE XREF: KiReleaseQueuedSpinLockInstrumented(x,x)+55p
					; KiReleaseSpinLockInstrumented(x,x)+17p ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4B		= byte ptr -4Bh
var_4A		= byte ptr -4Ah
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1F		= byte ptr -1Fh
var_1E		= byte ptr -1Eh
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [ebp+var_48]
		mov	[ebp+var_58], edx
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_54], esi
		call	_memset
		mov	eax, large fs:20h
		add	esp, 0Ch
		mov	ebx, [eax+4054h]
		add	ebx, 10h

loc_680000:				; DATA XREF: .text:004254FCo
					; .text:00425DACo
		mov	cl, [ebx+100h]
		mov	[ebp+var_4A], cl
		test	cl, cl
		jz	loc_680190
		mov	ch, cl

loc_680013:				; CODE XREF: PerfLogSpinLockRelease(x,x,x,x)+64j
		dec	ch
		movzx	edx, ch
		mov	eax, edx
		mov	[ebp+var_4B], ch
		shl	eax, 5
		cmp	[eax+ebx+8], esi
		jz	short loc_680035
		test	ch, ch
		jnz	short loc_680013
		inc	dword ptr [ebx+108h]
		jmp	loc_680190
; 

loc_680035:				; CODE XREF: PerfLogSpinLockRelease(x,x,x,x)+60j
		mov	esi, large fs:20h
		shl	edx, 5

loc_68003F:				; DATA XREF: .text:005A7B74o
		cmp	byte ptr [ebx+101h], 0
		lea	edi, [edx+ebx]
		jnz	loc_680171

loc_68004F:				; DATA XREF: .text:??_C@_1BO@KOODFPKJ@?$AAT?$AAh?$AAe?$AAr?$AAm?$AAa?$AAl?$AAL?$AAo?$AAg?$AAg?$AAi?$AAn?$AAg@FNODOBFM@o
		mov	edx, ds:_EtwpSpinLockHoldThreshold
		test	edx, edx
		jz	short loc_680062
		mov	eax, [ebp+arg_0]
		sub	eax, [edi]
		cmp	eax, edx
		ja	short loc_6800A9

loc_680062:				; CODE XREF: PerfLogSpinLockRelease(x,x,x,x)+93j
		mov	eax, [edi+10h]
		mov	[ebp+var_50], eax
		cmp	eax, ds:_EtwpSpinLockSpinThreshold
		jb	short loc_680085
		mov	eax, [esi+40A4h]
		xor	edx, edx
		div	ds:_EtwpSpinLockContentionSampleRate
		test	edx, edx
		jz	short loc_6800A9
		mov	eax, [ebp+var_50]

loc_680085:				; CODE XREF: PerfLogSpinLockRelease(x,x,x,x)+AAj
		test	eax, eax
		jnz	loc_680171
		mov	eax, [esi+40A0h]
		xor	edx, edx
		sub	eax, [esi+40A4h]
		div	ds:_EtwpSpinLockAcquireSampleRate
		test	edx, edx
		jnz	loc_680171

loc_6800A9:				; CODE XREF: PerfLogSpinLockRelease(x,x,x,x)+9Cj
					; PerfLogSpinLockRelease(x,x,x,x)+BCj
		mov	al, [esi+11h]
		mov	[ebp+var_49], al
		mov	eax, [ebp+var_54]
		mov	byte ptr [ebx+101h], 1
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_58]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_34], eax
		mov	eax, large fs:124h
		mov	eax, [eax+2B0h]
		mov	[ebp+var_28], eax
		mov	[ebp+var_1F], cl
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebp+var_20], al
		mov	eax, [edi]
		mov	[ebp+var_40], eax
		mov	eax, [edi+4]
		mov	[ebp+var_3C], eax
		mov	eax, [edi+0Ch]
		mov	[ebp+var_30], eax
		mov	eax, [edi+10h]
		mov	[ebp+var_2C], eax
		mov	eax, [esi+4A0h]
		sub	eax, [edi+14h]
		mov	[ebp+var_24], eax
		mov	al, [ebp+var_49]
		mov	cl, [edi+18h]
		mov	[ebp+var_1E], cl
		cmp	al, 1
		jnz	short loc_68012B
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jz	short loc_68012F
		or	cl, 40h
		jmp	short loc_680132
; 

loc_68012B:				; CODE XREF: PerfLogSpinLockRelease(x,x,x,x)+153j
		test	al, al
		jz	short loc_680135

loc_68012F:				; CODE XREF: PerfLogSpinLockRelease(x,x,x,x)+160j
		or	cl, 80h

loc_680132:				; CODE XREF: PerfLogSpinLockRelease(x,x,x,x)+165j
		mov	[ebp+var_1E], cl

loc_680135:				; CODE XREF: PerfLogSpinLockRelease(x,x,x,x)+169j
		and	[ebp+var_14], 0
		lea	eax, [ebp+var_48]
		and	[ebp+var_C], 0
		lea	ecx, [ebp+var_18]
		push	602h
		push	529h
		xor	edx, edx
		mov	[ebp+var_18], eax
		push	20010000h
		inc	edx
		mov	[ebp+var_10], 30h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	cl, [ebp+var_4A]
		mov	ch, [ebp+var_4B]
		mov	byte ptr [ebx+101h], 0

loc_680171:				; CODE XREF: PerfLogSpinLockRelease(x,x,x,x)+85j
					; PerfLogSpinLockRelease(x,x,x,x)+C3j ...
		dec	cl
		cmp	ch, cl
		jnb	short loc_68018A
		sub	cl, ch
		lea	esi, [edi+20h]
		movzx	ecx, cl
		and	ecx, 7FFFFFFh
		shl	ecx, 3
		rep movsd

loc_68018A:				; CODE XREF: PerfLogSpinLockRelease(x,x,x,x)+1B1j
		dec	byte ptr [ebx+100h]

loc_680190:				; CODE XREF: PerfLogSpinLockRelease(x,x,x,x)+47j
					; PerfLogSpinLockRelease(x,x,x,x)+6Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
@PerfLogSpinLockRelease@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetTrackingLockSlotForThread(x,	x)
_EtwpGetTrackingLockSlotForThread@8 proc near
					; CODE XREF: PerfLogExecutiveResourceAcquire(x,x,x,x)+4Bp
					; PerfLogExecutiveResourceRelease(x,x,x,x)+65p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], edi
		mov	eax, [esi+2FCh]
		test	al, 1
		jnz	loc_6802A2
		mov	ebx, ds:_EtwpEthreadSyncTrackingSequence
		lea	eax, [esi+354h]
		mov	esi, [eax]
		mov	[ebp+var_C], eax
		test	esi, esi
		jnz	short loc_680238
		push	72546552h
		mov	esi, 200h
		push	esi
		push	204h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_6802A2
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		mov	[edi+10h], eax
		mov	eax, [ebp+var_4]
		mov	[edi+18h], eax
		xor	eax, eax
		mov	[edi+24h], ebx
		lock cmpxchg [edx], ecx
		mov	esi, eax
		test	esi, esi
		jnz	short loc_68022D
		mov	eax, edi
		jmp	short loc_6802A4
; 

loc_68022D:				; CODE XREF: EtwpGetTrackingLockSlotForThread(x,x)+86j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [ebp+var_4]

loc_680238:				; CODE XREF: EtwpGetTrackingLockSlotForThread(x,x)+3Bj
		xor	eax, eax
		xor	ecx, ecx

loc_68023C:				; CODE XREF: EtwpGetTrackingLockSlotForThread(x,x)+CAj
		mov	edx, [esi+18h]
		cmp	edx, edi
		jnz	short loc_680253
		mov	edi, [ebp+var_8]
		cmp	[esi+10h], edi
		mov	edi, [ebp+var_4]
		jnz	short loc_680253
		cmp	[esi+24h], ebx
		jz	short loc_68029E

loc_680253:				; CODE XREF: EtwpGetTrackingLockSlotForThread(x,x)+A0j
					; EtwpGetTrackingLockSlotForThread(x,x)+ABj
		test	eax, eax
		jnz	short loc_680264
		test	edx, edx
		jnz	short loc_68025F
		mov	eax, esi
		jmp	short loc_680264
; 

loc_68025F:				; CODE XREF: EtwpGetTrackingLockSlotForThread(x,x)+B8j
		cmp	[esi+24h], ebx
		jl	short loc_68026F

loc_680264:				; CODE XREF: EtwpGetTrackingLockSlotForThread(x,x)+B4j
					; EtwpGetTrackingLockSlotForThread(x,x)+BCj
		add	esi, 40h
		inc	ecx
		cmp	ecx, 8
		jb	short loc_68023C
		jmp	short loc_680271
; 

loc_68026F:				; CODE XREF: EtwpGetTrackingLockSlotForThread(x,x)+C1j
		mov	eax, esi

loc_680271:				; CODE XREF: EtwpGetTrackingLockSlotForThread(x,x)+CCj
		mov	esi, eax
		test	eax, eax
		jz	short loc_68029E
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		mov	[eax+10h], ecx
		xor	ecx, ecx
		mov	[eax+18h], edi
		mov	[eax+1Ch], edx
		mov	[eax+20h], edx
		mov	[eax], edx
		mov	[eax+4], edx
		mov	[eax+8], edx
		mov	[eax+0Ch], edx
		mov	[eax+14h], ecx
		mov	[eax+24h], ebx
		mov	[eax+28h], edx

loc_68029E:				; CODE XREF: EtwpGetTrackingLockSlotForThread(x,x)+B0j
					; EtwpGetTrackingLockSlotForThread(x,x)+D4j
		mov	eax, esi
		jmp	short loc_6802A4
; 

loc_6802A2:				; CODE XREF: EtwpGetTrackingLockSlotForThread(x,x)+22j
					; EtwpGetTrackingLockSlotForThread(x,x)+56j
		xor	eax, eax

loc_6802A4:				; CODE XREF: EtwpGetTrackingLockSlotForThread(x,x)+8Aj
					; EtwpGetTrackingLockSlotForThread(x,x)+FFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpGetTrackingLockSlotForThread@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAddLastDroppedEvent(x, x, x)
_EtwpAddLastDroppedEvent@12 proc near	; CODE XREF: EtwpFinalizeHeader+134BE6p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		cmp	dword ptr [edi+368h], 0
		jnz	short loc_6802C4
		mov	eax, 0C00000BBh
		jmp	short loc_680320
; 

loc_6802C4:				; CODE XREF: EtwpAddLastDroppedEvent(x,x,x)+12j
		push	esi
		mov	esi, [ebp+arg_0]
		sub	esi, [ebx+30h]
		call	EtwpQueryUsedProcessorCount
		lea	ecx, [ebp+arg_0]
		push	ecx		; int
		push	esi		; int
		lea	eax, ds:8[eax*8]
		mov	ecx, ebx
		push	eax		; size_t
		push	dword ptr [edi+368h] ; void *
		lea	eax, [ebx+58h]
		push	eax		; int
		push	52h
		pop	edx
		call	_EtwpAddEventToBuffer@28 ; EtwpAddEventToBuffer(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_6802FE
		mov	eax, 0C0000206h
		jmp	short loc_68031F
; 

loc_6802FE:				; CODE XREF: EtwpAddLastDroppedEvent(x,x,x)+4Cj
		mov	ecx, edi
		call	EtwpQueryUsedProcessorCount
		mov	[esi], eax
		shl	eax, 3
		push	eax		; size_t
		push	dword ptr [edi+368h] ; void *
		lea	eax, [esi+8]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax

loc_68031F:				; CODE XREF: EtwpAddLastDroppedEvent(x,x,x)+53j
		pop	esi

loc_680320:				; CODE XREF: EtwpAddLastDroppedEvent(x,x,x)+19j
		pop	edi
		pop	ebx
		pop	ebp
		retn	4
_EtwpAddLastDroppedEvent@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpGetFirstBuffer(x)
_EtwpGetFirstBuffer@4 proc near		; CODE XREF: EtwpRemoveBufferFromGlobalList(x,x)+9p
					; EtwpBugCheckMultiPartCallback(x,x,x,x)+19Dp ...
		add	ecx, 40h
		mov	edx, [ecx]
		mov	eax, edx
		sub	eax, ecx
		neg	eax
		sbb	eax, eax
		and	eax, edx
		retn
_EtwpGetFirstBuffer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetTimeStampAndQpcDelta(x, x, x)
_EtwpGetTimeStampAndQpcDelta@12	proc near ; CODE XREF: EtwpReserveTraceBuffer+12E015p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_24]
		and	[ebp+var_8], eax
		mov	ebx, ecx
		push	6
		pop	ecx
		rep stosd
		lea	eax, [ebp+var_8]
		mov	esi, edx
		push	eax
		xor	eax, eax
		cmp	dword ptr [ebx+7Ch], 2
		setz	al
		lea	eax, ds:3[eax*4]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	RtlGetMultiTimePrecise
		test	eax, eax
		jz	short loc_680384
		mov	edx, 0F7FFFFFFh
		lea	ecx, [ebx+258h]
		lock and [ecx],	edx
		jmp	short loc_6803D8
; 

loc_680384:				; CODE XREF: EtwpGetTimeStampAndQpcDelta(x,x,x)+3Cj
		test	byte ptr [ebp+var_8], 2
		jz	short loc_6803C5
		test	byte ptr [ebp+var_8], 1
		jz	short loc_6803C5
		mov	edx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	edi, [ebp+var_24]
		sub	edx, edi
		mov	ecx, [ebp+var_18]
		sbb	ecx, [ebp+var_20]
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	eax, [ebx+7Ch]
		dec	eax
		sub	eax, 1
		jz	short loc_6803B6
		mov	eax, [ebp+var_20]
		mov	[esi], edi
		jmp	short loc_6803BE
; 

loc_6803B6:				; CODE XREF: EtwpGetTimeStampAndQpcDelta(x,x,x)+77j
		mov	eax, [ebp+var_14]
		mov	[esi], eax
		mov	eax, [ebp+var_10]

loc_6803BE:				; CODE XREF: EtwpGetTimeStampAndQpcDelta(x,x,x)+7Ej
		mov	[esi+4], eax
		xor	eax, eax
		jmp	short loc_6803D8
; 

loc_6803C5:				; CODE XREF: EtwpGetTimeStampAndQpcDelta(x,x,x)+52j
					; EtwpGetTimeStampAndQpcDelta(x,x,x)+58j
		mov	ecx, 0F7FFFFFFh
		lea	eax, [ebx+258h]
		lock and [eax],	ecx
		mov	eax, 0C0000001h

loc_6803D8:				; CODE XREF: EtwpGetTimeStampAndQpcDelta(x,x,x)+4Cj
					; EtwpGetTimeStampAndQpcDelta(x,x,x)+8Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpGetTimeStampAndQpcDelta@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpThreadRundownApc(x, x, x, x, x)
_EtwpThreadRundownApc@20 proc near	; DATA XREF: EtwpTraceThreadRundownWithStack(x,x)+57o

arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		mov	edx, [ebp+arg_10]
		mov	ecx, large fs:124h
		push	esi
		mov	esi, [eax]
		mov	edx, [edx]
		call	EtwpTraceThreadRundown
		push	0
		push	0
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	esi
		pop	ebp
		retn	14h
_EtwpThreadRundownApc@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceThreadRundownWithStack(x, x)
_EtwpTraceThreadRundownWithStack@8 proc	near
					; CODE XREF: EtwpThreadEnumCallback(x,x,x):loc_7A679Cp

var_48		= dword	ptr -48h
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [ebp+var_48]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		add	esp, 0Ch
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		cmp	ebx, large fs:124h
		jz	loc_6804D6
		cmp	byte ptr [esi+27h], 0
		jnz	loc_6804D6
		push	edi
		push	1
		lea	eax, [ebp+var_18]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset _EtwpThreadRundownApc@20	; EtwpThreadRundownApc(x,x,x,x,x)
		push	edi
		push	ebx
		lea	eax, [ebp+var_48]
		push	eax
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	edi
		push	esi
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		call	KeInsertQueueApc
		test	al, al
		jz	short loc_6804D6
		push	ds:dword_40FA04
		push	ds:_EtwpOneMs
		push	edi
		push	ds:_EtwpStackCaptureTimeout
		call	__allmul
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		push	edi
		push	7
		lea	eax, [ebp+var_18]
		mov	[ebp+var_4], edx
		push	eax
		call	KeWaitForSingleObject
		cmp	eax, 102h
		jnz	short loc_6804DF
		lea	ecx, [ebp+var_48]
		call	KeRemoveQueueApc
		test	al, al
		jnz	short loc_6804D6
		push	edi
		push	edi
		push	edi
		push	7
		lea	eax, [ebp+var_18]
		push	eax
		call	KeWaitForSingleObject
		jmp	short loc_6804DF
; 

loc_6804D6:				; CODE XREF: EtwpTraceThreadRundownWithStack(x,x)+37j
					; EtwpTraceThreadRundownWithStack(x,x)+41j ...
		mov	edx, esi
		mov	ecx, ebx
		call	EtwpTraceThreadRundown

loc_6804DF:				; CODE XREF: EtwpTraceThreadRundownWithStack(x,x)+AEj
					; EtwpTraceThreadRundownWithStack(x,x)+CAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpTraceThreadRundownWithStack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCreateKey(x)
_EtwpCreateKey@4 proc near		; CODE XREF: EtwpCreateKeyTreeForPath(x)+6Dp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		xor	esi, esi
		lea	eax, [ebp+var_C]
		push	ecx
		push	eax
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		push	esi
		push	esi
		lea	eax, [ebp+var_C]
		mov	[ebp+var_24], 18h
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	esi
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_20], esi
		push	eax
		mov	[ebp+var_18], 240h
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_680543
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_680543:				; CODE XREF: EtwpCreateKey(x)+55j
		mov	eax, esi
		pop	esi
		leave
		retn
_EtwpCreateKey@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCreateKeyTreeForPath(x)
_EtwpCreateKeyTreeForPath@4 proc near	; CODE XREF: EtwStartAutoLogger+A083Fp

var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 214h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, ecx
		push	200h		; size_t
		push	eax		; int
		mov	ebx, eax
		mov	edi, eax
		lea	eax, [ebp+var_208]
		push	eax		; void *
		call	_memset
		xor	ecx, ecx
		add	esp, 0Ch
		mov	eax, ecx
		mov	[ebp+var_210], eax
		cmp	[esi], cx
		jz	short loc_6805E4
		lea	ecx, [ebp+var_208]
		sub	ecx, esi
		mov	[ebp+var_20C], ecx
		mov	edx, ecx

loc_68059C:				; CODE XREF: EtwpCreateKeyTreeForPath(x)+9Aj
		cmp	eax, 100h
		jnb	short loc_6805E4
		cmp	word ptr [esi],	5Ch
		jnz	short loc_6805CC
		inc	ebx
		cmp	ebx, 3
		jbe	short loc_6805CC
		lea	ecx, [ebp+var_208]
		call	_EtwpCreateKey@4 ; EtwpCreateKey(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_6805E4
		mov	eax, [ebp+var_210]
		mov	edx, [ebp+var_20C]

loc_6805CC:				; CODE XREF: EtwpCreateKeyTreeForPath(x)+5Fj
					; EtwpCreateKeyTreeForPath(x)+65j
		mov	cx, [esi]
		inc	eax
		mov	[edx+esi], cx
		add	esi, 2
		xor	ecx, ecx
		mov	[ebp+var_210], eax
		cmp	[esi], cx
		jnz	short loc_68059C

loc_6805E4:				; CODE XREF: EtwpCreateKeyTreeForPath(x)+42j
					; EtwpCreateKeyTreeForPath(x)+59j ...
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpCreateKeyTreeForPath@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCCSwapDeleteProcessor(x)
_EtwpCCSwapDeleteProcessor@4 proc near	; CODE XREF: EtwDeleteProcessor(x)+Fp
		mov	edi, edi
		push	esi
		push	edi
		push	5
		lea	esi, [ecx+128h]
		pop	edi

loc_680602:				; CODE XREF: EtwpCCSwapDeleteProcessor(x)+21j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_680610
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_680610:				; CODE XREF: EtwpCCSwapDeleteProcessor(x)+11j
		add	esi, 4
		sub	edi, 1
		jnz	short loc_680602
		pop	edi
		pop	esi
		retn
_EtwpCCSwapDeleteProcessor@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpBufferingModeCompressionFlush(x)
_EtwpBufferingModeCompressionFlush@4 proc near ; CODE XREF: EtwpBufferingModeFlush(x)+113p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+308h]
		test	eax, eax
		jz	loc_680815
		call	_EtwpCompressPendingBuffers@4 ;	EtwpCompressPendingBuffers(x)
		lea	eax, [esi+2FCh]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, esi
		call	_EtwpRelinquishCompressionTarget@4 ; EtwpRelinquishCompressionTarget(x)
		mov	edx, [ebp+var_8]
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_C], eax
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_680682
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_8]

loc_680682:				; CODE XREF: EtwpBufferingModeCompressionFlush(x)+5Bj
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	edx, 7FFFFFFCh
		jz	loc_680815
		mov	esi, large fs:124h
		mov	ecx, edx
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	edx, eax
		jb	short loc_6806C9
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_6806CE
		mov	eax, [ebp+var_20]
		cmp	edx, eax
		jb	short loc_6806C9
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_6806CE

loc_6806C9:				; CODE XREF: EtwpBufferingModeCompressionFlush(x)+91j
					; EtwpBufferingModeCompressionFlush(x)+A3j
		or	eax, 0FFFFFFFFh
		jmp	short loc_6806DC
; 

loc_6806CE:				; CODE XREF: EtwpBufferingModeCompressionFlush(x)+9Cj
					; EtwpBufferingModeCompressionFlush(x)+ACj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_C], eax

loc_6806DC:				; CODE XREF: EtwpBufferingModeCompressionFlush(x)+B1j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_680722
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_680788
		mov	eax, [ebp+var_8]
		push	ecx
		push	[ebp+var_C]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_680722:				; CODE XREF: EtwpBufferingModeCompressionFlush(x)+E8j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_680738
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_680738:				; CODE XREF: EtwpBufferingModeCompressionFlush(x)+113j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_68077C
		or	[esi+1E4h], dl
		jmp	short loc_680788
; 

loc_68077C:				; CODE XREF: EtwpBufferingModeCompressionFlush(x)+157j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]

loc_680788:				; CODE XREF: EtwpBufferingModeCompressionFlush(x)+F2j
					; EtwpBufferingModeCompressionFlush(x)+15Fj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_6807EF
		test	edi, 8000h
		jz	short loc_6807AC
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_6807AC:				; CODE XREF: EtwpBufferingModeCompressionFlush(x)+186j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_6807C2
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_6807C2:				; CODE XREF: EtwpBufferingModeCompressionFlush(x)+195j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_6807D6
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_6807D6:				; CODE XREF: EtwpBufferingModeCompressionFlush(x)+1AEj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_6807EF
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_6807EF:				; CODE XREF: EtwpBufferingModeCompressionFlush(x)+17Ej
					; EtwpBufferingModeCompressionFlush(x)+1C5j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_680815
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_680815
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_680815:				; CODE XREF: EtwpBufferingModeCompressionFlush(x)+26j
					; EtwpBufferingModeCompressionFlush(x)+72j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_EtwpBufferingModeCompressionFlush@4 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCompressBuffer(x, x)
_EtwpCompressBuffer@8 proc near		; CODE XREF: EtwpCompressPendingBuffers(x)+77p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		and	[ebp+var_8], 0
		and	[ebp+var_14], 0
		mov	eax, [edx+8]
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		push	esi
		push	edi
		mov	[ebp+var_28], ebx
		cmp	eax, [edx]
		jbe	short loc_680845
		mov	eax, [edx+4]
		jmp	short loc_680848
; 

loc_680845:				; CODE XREF: EtwpCompressBuffer(x,x)+20j
		mov	eax, [edx+8]

loc_680848:				; CODE XREF: EtwpCompressBuffer(x,x)+25j
		lea	esi, [eax-48h]
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], esi
		push	48h
		pop	edi
		test	esi, esi
		jnz	short loc_68085F

loc_680858:				; CODE XREF: EtwpCompressBuffer(x,x)+12Ej
		xor	edx, edx
		jmp	loc_680A95
; 

loc_68085F:				; CODE XREF: EtwpCompressBuffer(x,x)+38j
		call	_EtwpRotateCompressionTargetIfNeeded@4 ; EtwpRotateCompressionTargetIfNeeded(x)
		jmp	loc_680A0A
; 

loc_680869:				; CODE XREF: EtwpCompressBuffer(x,x)+1F4j
		mov	ecx, [ecx+8]
		mov	eax, [ebx+300h]
		add	ecx, eax
		mov	[ebp+var_1C], ecx
		mov	eax, [eax+8]
		lea	edx, [ecx+48h]
		mov	ecx, [ebx+4]
		sub	ecx, eax
		mov	[ebp+var_30], edx
		mov	eax, [ebx+300h]
		sub	ecx, 48h
		mov	[ebp+var_2C], ecx
		cmp	dword ptr [eax+8], 48h
		jz	short loc_6808A4
		mov	eax, [ebx+30Ch]
		imul	eax, ecx
		cmp	esi, eax
		jnb	short loc_6808CA

loc_6808A4:				; CODE XREF: EtwpCompressBuffer(x,x)+77j
		push	dword ptr [ebx+304h]
		lea	eax, [ebp+var_8]
		push	eax
		mov	eax, [ebp+var_10]
		push	0
		push	ecx
		push	edx
		push	esi
		add	eax, edi
		push	eax
		push	3
		call	_RtlCompressBuffer@32 ;	RtlCompressBuffer(x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jns	loc_680A37

loc_6808CA:				; CODE XREF: EtwpCompressBuffer(x,x)+84j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_18], eax
		cmp	[ebx+310h], eax
		jb	loc_6809FB

loc_6808DC:				; CODE XREF: EtwpCompressBuffer(x,x)+178j
		mov	ebx, [ebp+var_10]
		mov	ecx, eax
		shr	esi, cl
		add	esi, edi
		xor	eax, eax

loc_6808E7:				; CODE XREF: EtwpCompressBuffer(x,x)+F8j
		mov	[ebp+var_C], eax
		add	eax, edi
		lea	ecx, [ebp+var_14]
		push	ecx
		mov	edx, eax
		mov	[ebp+var_20], eax
		mov	ecx, ebx
		call	_EtwpGetNextEventOffsetType@12 ; EtwpGetNextEventOffsetType(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	short loc_68091B
		mov	ecx, [ebp+var_20]
		mov	edx, [ebp+var_14]
		add	ecx, edx
		cmp	ecx, esi
		ja	short loc_680918
		mov	eax, [ebp+var_C]
		add	eax, edx
		jmp	short loc_6808E7
; 

loc_680918:				; CODE XREF: EtwpCompressBuffer(x,x)+F1j
		mov	ecx, [ebp+var_24]

loc_68091B:				; CODE XREF: EtwpCompressBuffer(x,x)+E5j
		mov	eax, [ebp+var_C]
		mov	ebx, [ebp+var_28]
		test	eax, eax
		jnz	short loc_68095F
		mov	eax, [ebx+300h]
		cmp	dword ptr [eax+8], 48h
		jnz	loc_6809FB
		test	ecx, ecx
		jz	loc_680A2F
		mov	ecx, ebx
		call	EtwpUpdateEventsLostCount
		add	edi, [ebp+var_14]
		mov	eax, [ebp+var_4]
		cmp	edi, eax
		jz	loc_680858
		ja	loc_680A28
		mov	esi, eax
		mov	eax, [ebp+var_18]
		jmp	short loc_68098E
; 

loc_68095F:				; CODE XREF: EtwpCompressBuffer(x,x)+105j
		push	dword ptr [ebx+304h]
		mov	esi, [ebp+var_10]
		lea	ecx, [ebp+var_8]
		push	ecx
		push	0
		push	[ebp+var_2C]
		push	[ebp+var_30]
		push	eax
		lea	eax, [edi+esi]
		push	eax
		push	3
		call	_RtlCompressBuffer@32 ;	RtlCompressBuffer(x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_68099E
		mov	eax, [ebp+var_18]
		mov	esi, [ebp+var_4]
		inc	eax
		mov	[ebp+var_18], eax

loc_68098E:				; CODE XREF: EtwpCompressBuffer(x,x)+13Fj
		sub	esi, edi
		cmp	eax, [ebx+310h]
		jbe	loc_6808DC
		jmp	short loc_6809FB
; 

loc_68099E:				; CODE XREF: EtwpCompressBuffer(x,x)+164j
		mov	edx, [ebp+var_1C]
		mov	edi, edx
		push	12h
		pop	ecx
		rep movsd
		mov	eax, [ebp+var_8]
		add	eax, 48h
		mov	dword ptr [edx+2Ch], 3
		mov	[edx], eax
		mov	eax, [ebp+var_C]
		add	eax, 48h
		mov	edi, [ebp+var_20]
		mov	[edx+8], eax
		mov	[edx+4], eax
		xor	eax, eax
		mov	[edx+18h], eax
		mov	[edx+1Ch], eax
		mov	[edx+0Ch], eax
		mov	eax, [ebx+300h]
		mov	ecx, [eax+8]
		mov	eax, [ebx+300h]
		add	ecx, 48h
		mov	[eax+8], ecx
		mov	eax, [ebx+300h]
		mov	ecx, [eax+8]
		mov	eax, [ebx+300h]
		add	ecx, [ebp+var_8]
		mov	[eax+8], ecx

loc_6809FB:				; CODE XREF: EtwpCompressBuffer(x,x)+B8j
					; EtwpCompressBuffer(x,x)+111j	...
		mov	esi, [ebp+var_4]
		mov	ecx, ebx
		sub	esi, edi
		mov	[ebp+var_C], esi
		call	_EtwpRotateCompressionTarget@4 ; EtwpRotateCompressionTarget(x)

loc_680A0A:				; CODE XREF: EtwpCompressBuffer(x,x)+46j
		mov	ecx, [ebx+300h]
		test	ecx, ecx
		jnz	loc_680869
		inc	dword ptr [ebx+0B4h]
		mov	eax, 0C0000017h

loc_680A23:				; CODE XREF: EtwpCompressBuffer(x,x)+279j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_680A28:				; CODE XREF: EtwpCompressBuffer(x,x)+134j
					; EtwpCompressBuffer(x,x)+217j
		mov	edx, 0C0000102h
		jmp	short loc_680A95
; 

loc_680A2F:				; CODE XREF: EtwpCompressBuffer(x,x)+119j
		inc	dword ptr [ebx+0B4h]
		jmp	short loc_680A28
; 

loc_680A37:				; CODE XREF: EtwpCompressBuffer(x,x)+A6j
		mov	esi, [ebp+var_10]
		mov	edi, [ebp+var_1C]
		push	12h
		pop	ecx
		rep movsd
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_1C]
		add	eax, 48h
		mov	[ecx], eax
		mov	eax, [ebp+var_C]
		add	eax, 48h
		mov	dword ptr [ecx+2Ch], 3
		mov	[ecx+8], eax
		mov	[ecx+4], eax
		xor	eax, eax
		mov	[ecx+18h], eax
		mov	[ecx+1Ch], eax
		mov	[ecx+0Ch], eax
		mov	eax, [ebx+300h]
		mov	ecx, [eax+8]
		mov	eax, [ebx+300h]
		add	ecx, 48h
		mov	[eax+8], ecx
		mov	eax, [ebx+300h]
		mov	ecx, [eax+8]
		mov	eax, [ebx+300h]
		add	ecx, [ebp+var_8]
		mov	[eax+8], ecx

loc_680A95:				; CODE XREF: EtwpCompressBuffer(x,x)+3Cj
					; EtwpCompressBuffer(x,x)+20Fj
		mov	eax, edx
		jmp	short loc_680A23
_EtwpCompressBuffer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCompressPendingBuffers(x)
_EtwpCompressPendingBuffers@4 proc near	; CODE XREF: EtwpBufferingModeCompressionFlush(x)+2Cp
					; EtwpCompressionProc(x)+2Dp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		lea	eax, [esi+2FCh]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, esi
		call	_EtwpRotateCompressionTargetIfNeeded@4 ; EtwpRotateCompressionTargetIfNeeded(x)

loc_680AD0:				; CODE XREF: EtwpCompressPendingBuffers(x)+71j
					; EtwpCompressPendingBuffers(x)+C6j ...
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, esi
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], edx
		call	_EtwpDequeueBufferPendingCompression@4 ; EtwpDequeueBufferPendingCompression(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_680B8C
		cmp	dword ptr [edi+0Ch], 0
		jg	short loc_680B0C
		cmp	dword ptr [edi+4], 48h
		jbe	short loc_680B01
		cmp	dword ptr [edi+8], 48h
		ja	short loc_680B0C

loc_680B01:				; CODE XREF: EtwpCompressPendingBuffers(x)+60j
		mov	edx, edi
		mov	ecx, esi
		call	_EtwpCompleteBuffer@8 ;	EtwpCompleteBuffer(x,x)
		jmp	short loc_680AD0
; 

loc_680B0C:				; CODE XREF: EtwpCompressPendingBuffers(x)+5Aj
					; EtwpCompressPendingBuffers(x)+66j
		mov	edx, edi
		mov	ecx, esi
		call	_EtwpCompressBuffer@8 ;	EtwpCompressBuffer(x,x)
		test	eax, eax
		jns	short loc_680B20
		lock inc dword ptr [esi+0B4h]

loc_680B20:				; CODE XREF: EtwpCompressPendingBuffers(x)+7Ej
		mov	edx, edi
		mov	ecx, esi
		call	_EtwpCompleteBuffer@8 ;	EtwpCompleteBuffer(x,x)
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, [esi+350h]
		mov	edi, eax
		sub	edi, [ebp+var_10]
		mov	eax, edx
		mov	edx, [esi+354h]
		sbb	eax, [ebp+var_C]
		mov	[ebp+var_C], eax
		mov	eax, ecx
		or	eax, edx
		jnz	short loc_680B64
		mov	eax, [ebp+var_C]
		mov	[esi+350h], edi
		mov	[esi+354h], eax
		jmp	loc_680AD0
; 

loc_680B64:				; CODE XREF: EtwpCompressPendingBuffers(x)+B5j
		shld	edx, ecx, 2
		push	0
		shl	ecx, 2
		add	ecx, edi
		push	5
		adc	edx, [ebp+var_C]
		push	edx
		push	ecx
		call	__alldiv
		mov	[esi+350h], eax
		mov	[esi+354h], edx
		jmp	loc_680AD0
; 

loc_680B8C:				; CODE XREF: EtwpCompressPendingBuffers(x)+50j
		mov	edx, [ebp+var_8]
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_C], eax
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_680BA9
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_8]

loc_680BA9:				; CODE XREF: EtwpCompressPendingBuffers(x)+104j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	edx, 7FFFFFFCh
		jz	loc_680D3C
		mov	esi, large fs:124h
		mov	ecx, edx
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	edx, eax
		jb	short loc_680BF0
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_680BF5
		mov	eax, [ebp+var_20]
		cmp	edx, eax
		jb	short loc_680BF0
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_680BF5

loc_680BF0:				; CODE XREF: EtwpCompressPendingBuffers(x)+13Aj
					; EtwpCompressPendingBuffers(x)+14Cj
		or	eax, 0FFFFFFFFh
		jmp	short loc_680C03
; 

loc_680BF5:				; CODE XREF: EtwpCompressPendingBuffers(x)+145j
					; EtwpCompressPendingBuffers(x)+155j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_C], eax

loc_680C03:				; CODE XREF: EtwpCompressPendingBuffers(x)+15Aj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_680C49
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_680CAF
		mov	eax, [ebp+var_8]
		push	ecx
		push	[ebp+var_C]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_680C49:				; CODE XREF: EtwpCompressPendingBuffers(x)+191j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_680C5F
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_680C5F:				; CODE XREF: EtwpCompressPendingBuffers(x)+1BCj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_680CA3
		or	[esi+1E4h], dl
		jmp	short loc_680CAF
; 

loc_680CA3:				; CODE XREF: EtwpCompressPendingBuffers(x)+200j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]

loc_680CAF:				; CODE XREF: EtwpCompressPendingBuffers(x)+19Bj
					; EtwpCompressPendingBuffers(x)+208j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_680D16
		test	edi, 8000h
		jz	short loc_680CD3
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_680CD3:				; CODE XREF: EtwpCompressPendingBuffers(x)+22Fj
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_680CE9
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_680CE9:				; CODE XREF: EtwpCompressPendingBuffers(x)+23Ej
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_680CFD
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_680CFD:				; CODE XREF: EtwpCompressPendingBuffers(x)+257j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_680D16
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_680D16:				; CODE XREF: EtwpCompressPendingBuffers(x)+227j
					; EtwpCompressPendingBuffers(x)+26Ej
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_680D3C
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_680D3C
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_680D3C:				; CODE XREF: EtwpCompressPendingBuffers(x)+11Bj
					; EtwpCompressPendingBuffers(x)+294j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_EtwpCompressPendingBuffers@4 endp ; sp	=  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCompressionDpc(x, x, x,	x)
_EtwpCompressionDpc@16 proc near	; CODE XREF: EtwpPrepareDirtyBuffer+D3A45p
					; DATA XREF: EtwpInitializeCompression(x)+7Eo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	edx, edx
		inc	edx
		mov	eax, [edi+2E4h]
		mov	esi, [edi]
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+esi*4]
		call	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
		push	1
		lea	eax, [edi+2E8h]
		push	eax
		call	ExQueueWorkItem
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_EtwpCompressionDpc@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCompressionProc(x)
_EtwpCompressionProc@4 proc near	; DATA XREF: EtwpInitializeCompression(x)+30o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		mov	esi, [ebx+8]
		push	edi
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_C], edi
		jmp	short loc_680DAE
; 

loc_680DA3:				; CODE XREF: EtwpCompressionProc(x)+48j
		test	eax, eax
		jz	short loc_680DB4
		mov	ecx, esi
		call	_EtwpCompressPendingBuffers@4 ;	EtwpCompressPendingBuffers(x)

loc_680DAE:				; CODE XREF: EtwpCompressionProc(x)+25j
		lea	ecx, [esi+2F8h]

loc_680DB4:				; CODE XREF: EtwpCompressionProc(x)+29j
		mov	eax, edi
		lock xadd [ecx], eax
		dec	eax
		cmp	eax, 1
		mov	eax, [esi+308h]
		jz	short loc_680DA3
		test	eax, eax
		jnz	loc_680F96
		lea	eax, [esi+2FCh]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, esi
		call	_EtwpRelinquishCompressionTarget@4 ; EtwpRelinquishCompressionTarget(x)
		mov	edx, [ebp+var_8]
		mov	eax, edi
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_680E00
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_8]

loc_680E00:				; CODE XREF: EtwpCompressionProc(x)+78j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	edx, 7FFFFFFCh
		jz	loc_680F96
		mov	esi, large fs:124h
		mov	ecx, edx
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	edx, eax
		jb	short loc_680E47
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_680E4C
		mov	eax, [ebp+var_20]
		cmp	edx, eax
		jb	short loc_680E47
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_680E4C

loc_680E47:				; CODE XREF: EtwpCompressionProc(x)+AEj
					; EtwpCompressionProc(x)+C0j
		or	eax, 0FFFFFFFFh
		jmp	short loc_680E5A
; 

loc_680E4C:				; CODE XREF: EtwpCompressionProc(x)+B9j
					; EtwpCompressionProc(x)+C9j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_C], eax

loc_680E5A:				; CODE XREF: EtwpCompressionProc(x)+CEj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_680EA0
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_680F06
		mov	eax, [ebp+var_8]
		push	ecx
		push	[ebp+var_C]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_680EA0:				; CODE XREF: EtwpCompressionProc(x)+105j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_680EB6
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_680EB6:				; CODE XREF: EtwpCompressionProc(x)+130j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_680EFA
		or	[esi+1E4h], dl
		jmp	short loc_680F06
; 

loc_680EFA:				; CODE XREF: EtwpCompressionProc(x)+174j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]

loc_680F06:				; CODE XREF: EtwpCompressionProc(x)+10Fj
					; EtwpCompressionProc(x)+17Cj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_680F6D
		test	edi, 8000h
		jz	short loc_680F2A
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_680F2A:				; CODE XREF: EtwpCompressionProc(x)+1A3j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_680F40
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_680F40:				; CODE XREF: EtwpCompressionProc(x)+1B2j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_680F54
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_680F54:				; CODE XREF: EtwpCompressionProc(x)+1CBj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_680F6D
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_680F6D:				; CODE XREF: EtwpCompressionProc(x)+19Bj
					; EtwpCompressionProc(x)+1E2j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_680F93
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_680F93
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_680F93:				; CODE XREF: EtwpCompressionProc(x)+208j
					; EtwpCompressionProc(x)+210j
		mov	esi, [ebx+8]

loc_680F96:				; CODE XREF: EtwpCompressionProc(x)+4Cj
					; EtwpCompressionProc(x)+8Fj
		mov	eax, [esi+2E4h]
		xor	edx, edx
		mov	esi, [esi]
		inc	edx
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+esi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
_EtwpCompressionProc@4 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpDequeueBufferPendingCompression(x)
_EtwpDequeueBufferPendingCompression@4 proc near
					; CODE XREF: EtwpCompressPendingBuffers(x)+47p

var_2		= byte ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	byte ptr [ebp-1], 0
		call	_EtwpGetPlaceholderBuffer@4 ; EtwpGetPlaceholderBuffer(x)
		mov	ebx, eax
		mov	ecx, esi
		test	ebx, ebx
		jnz	short loc_680FDE
		call	_EtwpDisableCompression@4 ; EtwpDisableCompression(x)
		xor	eax, eax
		jmp	short loc_68102F
; 

loc_680FDE:				; CODE XREF: EtwpDequeueBufferPendingCompression(x)+19j
		push	edi
		lea	edx, [ebp-1]
		call	_EtwpLockBufferList@8 ;	EtwpLockBufferList(x,x)
		lea	edx, [esi+9Ch]
		push	ebx
		lea	ecx, [esi+38h]
		call	_EtwpDequeueBufferPendingCompressionFromQueue@12 ; EtwpDequeueBufferPendingCompressionFromQueue(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_68100D
		push	ebx
		lea	ecx, [esi+30h]
		lea	edx, [esi+9Ch]
		call	_EtwpDequeueBufferPendingCompressionFromQueue@12 ; EtwpDequeueBufferPendingCompressionFromQueue(x,x,x)
		mov	edi, eax

loc_68100D:				; CODE XREF: EtwpDequeueBufferPendingCompression(x)+40j
		lea	edx, [ebp-1]
		mov	ecx, esi
		call	EtwpUnlockBufferList
		test	edi, edi
		jnz	short loc_68102C
		mov	eax, [esi+318h]
		lea	ecx, [ebx+20h]
		mov	[ecx], eax
		mov	[esi+318h], ecx

loc_68102C:				; CODE XREF: EtwpDequeueBufferPendingCompression(x)+5Fj
		mov	eax, edi
		pop	edi

loc_68102F:				; CODE XREF: EtwpDequeueBufferPendingCompression(x)+22j
		pop	esi
		pop	ebx
		leave
		retn
_EtwpDequeueBufferPendingCompression@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpDequeueBufferPendingCompressionFromQueue(x, x, x)
_EtwpDequeueBufferPendingCompressionFromQueue@12 proc near
					; CODE XREF: EtwpDequeueBufferPendingCompression(x)+37p
					; EtwpDequeueBufferPendingCompression(x)+4Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		lea	edx, [ebx+4]
		mov	esi, [edx]
		test	esi, esi
		jz	short loc_681060

loc_68104A:				; CODE XREF: EtwpDequeueBufferPendingCompressionFromQueue(x,x,x)+2Bj
		cmp	dword ptr [esi+0Ch], 4
		jnz	short loc_681056
		test	byte ptr [esi+14h], 80h
		jz	short loc_681069

loc_681056:				; CODE XREF: EtwpDequeueBufferPendingCompressionFromQueue(x,x,x)+1Bj
		mov	eax, [esi]
		mov	edx, esi
		mov	esi, eax
		test	eax, eax
		jnz	short loc_68104A

loc_681060:				; CODE XREF: EtwpDequeueBufferPendingCompressionFromQueue(x,x,x)+15j
		xor	eax, eax

loc_681062:				; CODE XREF: EtwpDequeueBufferPendingCompressionFromQueue(x,x,x)+56j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_681069:				; CODE XREF: EtwpDequeueBufferPendingCompressionFromQueue(x,x,x)+21j
		mov	eax, [ebp+var_4]
		lock dec dword ptr [eax]
		call	_EtwpBufferQueueRemoveAfter@8 ;	EtwpBufferQueueRemoveAfter(x,x)
		mov	eax, [ebp+arg_0]
		mov	ecx, [edx]
		add	eax, 20h
		mov	[eax], ecx
		mov	[edx], eax
		cmp	edx, [ebx]
		jnz	short loc_681086
		mov	[ebx], eax

loc_681086:				; CODE XREF: EtwpDequeueBufferPendingCompressionFromQueue(x,x,x)+4Fj
		lea	eax, [esi-20h]
		jmp	short loc_681062
_EtwpDequeueBufferPendingCompressionFromQueue@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpDisableCompression(x)
_EtwpDisableCompression@4 proc near	; CODE XREF: EtwpDequeueFreeBuffer+D3B43p
					; EtwpDequeueBufferPendingCompression(x)+1Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		mov	edi, ecx
		cmp	dword ptr [edi+314h], 1
		jz	loc_6812B6
		xor	edx, edx
		lea	eax, [edi+308h]
		xchg	edx, [eax]
		test	edx, edx
		jz	loc_6812B6
		mov	eax, [edi+2F8h]
		test	eax, eax
		jnz	loc_6812B6
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	loc_6812B6
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_6812B6
		lea	esi, [edi+2FCh]
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_8], esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, edi
		call	_EtwpRelinquishCompressionTarget@4 ; EtwpRelinquishCompressionTarget(x)
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_681123
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_681123:				; CODE XREF: EtwpDisableCompression(x)+8Fj
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	esi, 7FFFFFFCh
		jz	loc_6812B6
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_68115F
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_68116D

loc_68115F:				; CODE XREF: EtwpDisableCompression(x)+C9j
		cmp	eax, [ebp+var_20]
		jb	short loc_681180
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_681180

loc_68116D:				; CODE XREF: EtwpDisableCompression(x)+D2j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]

loc_681180:				; CODE XREF: EtwpDisableCompression(x)+D7j
					; EtwpDisableCompression(x)+E0j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_6811CB
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_68123D
		push	ecx
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6811CB:				; CODE XREF: EtwpDisableCompression(x)+11Ej
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_6811E1
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_6811E1:				; CODE XREF: EtwpDisableCompression(x)+14Cj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_68122B
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_68123D
; 

loc_68122B:				; CODE XREF: EtwpDisableCompression(x)+18Cj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]

loc_68123D:				; CODE XREF: EtwpDisableCompression(x)+128j
					; EtwpDisableCompression(x)+19Ej
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_68129E
		test	edi, 8000h
		jz	short loc_681261
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_681261:				; CODE XREF: EtwpDisableCompression(x)+1CBj
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_681271
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_681271:				; CODE XREF: EtwpDisableCompression(x)+1DAj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_681285
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_681285:				; CODE XREF: EtwpDisableCompression(x)+1EDj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68129E
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_68129E:				; CODE XREF: EtwpDisableCompression(x)+1C3j
					; EtwpDisableCompression(x)+204j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_6812B6
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_6812B6
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_6812B6:				; CODE XREF: EtwpDisableCompression(x)+25j
					; EtwpDisableCompression(x)+37j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_EtwpDisableCompression@4 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetCompressionSettings(x, x)
_EtwpGetCompressionSettings@8 proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+6CDp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		movzx	edi, word ptr [ecx]
		mov	ebx, edx
		mov	[ebp+var_8], ebx
		xor	esi, esi
		mov	[ebp+var_4], edi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		push	esi
		mov	edx, edi
		mov	ecx, [eax+1F0h]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jnz	short loc_6812F7
		mov	esi, 0C000000Dh
		jmp	short loc_68134E
; 

loc_6812F7:				; CODE XREF: EtwpGetCompressionSettings(x,x)+2Fj
		mov	eax, [ebp+var_4]
		xor	edx, edx
		mov	[ebx], eax
		lea	ebx, [edi+2FCh]
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+var_8]
		mov	eax, [edi+310h]
		mov	[ecx+4], eax
		mov	eax, [edi+30Ch]
		mov	[ecx+8], eax
		mov	eax, [edi+314h]
		mov	[ecx+0Ch], eax
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_68133E
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_68133E:				; CODE XREF: EtwpGetCompressionSettings(x,x)+76j
		mov	ecx, ebx
		call	KeAbPostRelease
		xor	dl, dl
		mov	ecx, edi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_68134E:				; CODE XREF: EtwpGetCompressionSettings(x,x)+36j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpGetCompressionSettings@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetNextEventOffsetType(x, x, x)
_EtwpGetNextEventOffsetType@12 proc near ; CODE	XREF: EtwpSendTraceEvent(x,x)+50p
					; EtwpCompressBuffer(x,x)+D9p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ecx]
		and	dword ptr [eax], 0
		push	edi
		test	esi, esi
		jz	loc_6813F6
		cmp	edx, 48h
		jb	loc_6813F6
		lea	eax, [esi-4]
		cmp	edx, eax
		jnb	short loc_6813F6
		mov	edi, [ecx+edx]
		mov	eax, edi
		and	eax, 0FF000000h
		cmp	eax, 90000000h
		jz	short loc_6813FF
		cmp	eax, 0C0000000h
		jnz	short loc_6813F6
		mov	eax, edi
		shr	eax, 10h
		movzx	ebx, al
		lea	eax, [ebx-1]
		cmp	eax, 14h
		ja	short loc_6813F6
		movzx	eax, ds:byte_68143D[eax]
		jmp	ds:off_681425[eax*4]

loc_6813B3:				; DATA XREF: .text:00681435o
		lea	eax, [esi-8]
		cmp	edx, eax
		jnb	short loc_6813F6
		movzx	eax, word ptr [ecx+edx+4]
		cmp	eax, 10h
		jmp	short loc_6813F4
; 

loc_6813C4:				; CODE XREF: EtwpGetNextEventOffsetType(x,x,x)+57j
					; DATA XREF: .text:off_681425o
		lea	eax, [esi-8]
		cmp	edx, eax
		jnb	short loc_6813F6
		movzx	eax, word ptr [ecx+edx+4]
		cmp	eax, 20h
		jmp	short loc_6813F4
; 

loc_6813D5:				; CODE XREF: EtwpGetNextEventOffsetType(x,x,x)+57j
					; DATA XREF: .text:00681429o
		lea	eax, [esi-8]
		cmp	edx, eax
		jnb	short loc_6813F6
		movzx	eax, word ptr [ecx+edx+4]
		cmp	eax, 18h
		jmp	short loc_6813F4
; 

loc_6813E6:				; CODE XREF: EtwpGetNextEventOffsetType(x,x,x)+57j
					; DATA XREF: .text:0068142Do
		movzx	eax, di
		cmp	eax, 30h
		jmp	short loc_6813F4
; 

loc_6813EE:				; CODE XREF: EtwpGetNextEventOffsetType(x,x,x)+57j
					; DATA XREF: .text:00681431o
		movzx	eax, di
		cmp	eax, 50h

loc_6813F4:				; CODE XREF: EtwpGetNextEventOffsetType(x,x,x)+6Dj
					; EtwpGetNextEventOffsetType(x,x,x)+7Ej ...
		jnb	short loc_68140A

loc_6813F6:				; CODE XREF: EtwpGetNextEventOffsetType(x,x,x)+12j
					; EtwpGetNextEventOffsetType(x,x,x)+1Bj ...
		xor	eax, eax

loc_6813F8:				; CODE XREF: EtwpGetNextEventOffsetType(x,x,x)+CDj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_6813FF:				; CODE XREF: EtwpGetNextEventOffsetType(x,x,x)+37j
		movzx	eax, di
		push	0Fh
		pop	ebx
		cmp	eax, 8
		jb	short loc_6813F6

loc_68140A:				; CODE XREF: EtwpGetNextEventOffsetType(x,x,x):loc_6813F4j
		add	eax, 7
		and	eax, 0FFFFFFF8h
		cmp	eax, esi
		jnb	short loc_6813F6
		lea	ecx, [eax+edx]
		cmp	ecx, esi
		ja	short loc_6813F6
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, ebx
		jmp	short loc_6813F8
_EtwpGetNextEventOffsetType@12 endp

; 
		db 90h
off_681425	dd offset loc_6813C4	; DATA XREF: EtwpGetNextEventOffsetType(x,x,x)+57r
		dd offset loc_6813D5
		dd offset loc_6813E6
		dd offset loc_6813EE
		dd offset loc_6813B3
		dd offset loc_6813F6
byte_68143D	db 0			; DATA XREF: EtwpGetNextEventOffsetType(x,x,x)+50r
		dw 100h
		dd 5050501h, 2020505h, 5050305h, 3030404h
; 
		add	al, [edx]

;  S U B	R O U T	I N E 


; __stdcall EtwpGetPlaceholderBuffer(x)
_EtwpGetPlaceholderBuffer@4 proc near	; CODE XREF: EtwpDequeueBufferPendingCompression(x)+Ep
		mov	edx, [ecx+318h]
		test	edx, edx
		jz	short loc_681468
		mov	eax, [edx]
		mov	[ecx+318h], eax
		lea	eax, [edx-20h]
		retn
; 

loc_681468:				; CODE XREF: EtwpGetPlaceholderBuffer(x)+8j
		push	42777445h
		push	48h
		push	dword ptr [ecx+0E0h]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short locret_681489
		and	dword ptr [eax+20h], 0
		mov	dword ptr [eax+2Ch], 6

locret_681489:				; CODE XREF: EtwpGetPlaceholderBuffer(x)+2Aj
		retn
_EtwpGetPlaceholderBuffer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpInitializeCompression(x)
_EtwpInitializeCompression@4 proc near	; CODE XREF: EtwpInitLoggerContext+E20BCp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	eax, [ebp+var_8]
		push	3
		pop	ecx
		push	eax
		lea	eax, [ebp+var_4]
		mov	dword ptr [esi+30Ch], 5
		xor	edi, edi
		mov	[esi+310h], ecx
		push	eax
		push	ecx
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edi
		mov	dword ptr [esi+2F0h], offset _EtwpCompressionProc@4 ; EtwpCompressionProc(x)
		mov	[esi+2F4h], esi
		mov	[esi+2E8h], edi
		call	_RtlGetCompressionWorkSpaceSize@12 ; RtlGetCompressionWorkSpaceSize(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_681571
		cmp	[ebp+var_4], edi
		jbe	short loc_681507
		push	5A777445h
		push	[ebp+var_4]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+304h], eax
		test	eax, eax
		jnz	short loc_681507
		mov	eax, 0C0000017h
		jmp	short loc_681571
; 

loc_681507:				; CODE XREF: EtwpInitializeCompression(x)+58j
					; EtwpInitializeCompression(x)+74j
		push	esi
		push	offset _EtwpCompressionDpc@16 ;	EtwpCompressionDpc(x,x,x,x)
		lea	eax, [esi+31Ch]
		mov	[esi+2FCh], edi
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	[esi+318h], edi
		cmp	[esi+30Ch], edi
		jbe	short loc_681564

loc_68152D:				; CODE XREF: EtwpInitializeCompression(x)+D8j
		push	42777445h
		push	48h
		push	dword ptr [esi+0E0h]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_681576
		mov	dword ptr [eax+2Ch], 6
		lea	ecx, [eax+20h]
		mov	eax, [esi+318h]
		inc	edi
		mov	[ecx], eax
		mov	[esi+318h], ecx
		cmp	edi, [esi+30Ch]
		jb	short loc_68152D

loc_681564:				; CODE XREF: EtwpInitializeCompression(x)+A1j
		xor	ecx, ecx
		lea	eax, [esi+308h]
		inc	ecx
		xchg	ecx, [eax]

loc_68156F:				; CODE XREF: EtwpInitializeCompression(x)+F8j
		mov	eax, ebx

loc_681571:				; CODE XREF: EtwpInitializeCompression(x)+4Fj
					; EtwpInitializeCompression(x)+7Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_681576:				; CODE XREF: EtwpInitializeCompression(x)+B7j
		mov	ecx, esi
		mov	ebx, 0C0000017h
		call	EtwpFreePlaceholderList
		jmp	short loc_68156F
_EtwpInitializeCompression@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpReenableCompression(x)
_EtwpReenableCompression@4 proc	near	; CODE XREF: EtwpPrepareDirtyBuffer+D3A06p

var_2		= byte ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	byte ptr [ebp-1], 0
		cmp	dword ptr [esi+314h], 2
		jz	short loc_681613
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_681613
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_681613
		xor	ecx, ecx
		lea	eax, [esi+308h]
		inc	ecx
		xchg	ecx, [eax]
		cmp	ecx, 1
		jz	short loc_681613
		push	edi
		lea	edx, [ebp-1]
		mov	ecx, esi
		call	_EtwpLockBufferList@8 ;	EtwpLockBufferList(x,x)
		mov	edi, [esi+3Ch]
		mov	ecx, esi
		call	EtwpQueryUsedProcessorCount
		mov	edx, 80h
		jmp	short loc_6815EA
; 

loc_6815D9:				; CODE XREF: EtwpReenableCompression(x)+68j
		test	edi, edi
		jz	short loc_6815EE
		dec	eax
		cmp	dword ptr [edi+0Ch], 4
		jnz	short loc_6815E8
		or	[edi+14h], dx

loc_6815E8:				; CODE XREF: EtwpReenableCompression(x)+5Ej
		mov	edi, [edi]

loc_6815EA:				; CODE XREF: EtwpReenableCompression(x)+53j
		test	eax, eax
		jnz	short loc_6815D9

loc_6815EE:				; CODE XREF: EtwpReenableCompression(x)+57j
		mov	ecx, [esi+34h]
		pop	edi
		jmp	short loc_681605
; 

loc_6815F4:				; CODE XREF: EtwpReenableCompression(x)+83j
		test	ecx, ecx
		jz	short loc_681609
		dec	eax
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_681603
		or	[ecx+14h], dx

loc_681603:				; CODE XREF: EtwpReenableCompression(x)+79j
		mov	ecx, [ecx]

loc_681605:				; CODE XREF: EtwpReenableCompression(x)+6Ej
		test	eax, eax
		jnz	short loc_6815F4

loc_681609:				; CODE XREF: EtwpReenableCompression(x)+72j
		lea	edx, [ebp-1]
		mov	ecx, esi
		call	EtwpUnlockBufferList

loc_681613:				; CODE XREF: EtwpReenableCompression(x)+14j
					; EtwpReenableCompression(x)+1Dj ...
		pop	esi
		leave
		retn
_EtwpReenableCompression@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpRelinquishCompressionTarget(x)
_EtwpRelinquishCompressionTarget@4 proc	near ; CODE XREF: EtwpFreeCompression+DC012p
					; EtwpBufferingModeCompressionFlush(x)+45p ...
		mov	edi, edi
		push	edi
		mov	edi, ecx
		cmp	dword ptr [edi+300h], 0
		jz	short loc_68164D
		push	esi
		call	EtwpGetLoggerTimeStamp
		mov	esi, [edi+300h]
		mov	ecx, edi
		push	5
		mov	[esi+10h], eax
		mov	[esi+14h], edx
		mov	edx, [edi+300h]
		call	EtwpEnqueueAvailableBuffer
		and	dword ptr [edi+300h], 0
		pop	esi

loc_68164D:				; CODE XREF: EtwpRelinquishCompressionTarget(x)+Cj
		pop	edi
		retn
_EtwpRelinquishCompressionTarget@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpRotateCompressionTarget(x)
_EtwpRotateCompressionTarget@4 proc near ; CODE	XREF: EtwpCompressBuffer(x,x)+1E7p
					; EtwpRotateCompressionTargetIfNeeded(x):loc_6816B5j
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		cmp	[esi+300h], edi
		jz	short loc_68167F
		call	EtwpGetLoggerTimeStamp
		mov	ecx, [esi+300h]
		push	5
		mov	[ecx+10h], eax
		mov	[ecx+14h], edx
		mov	ecx, esi
		mov	edx, [esi+300h]
		call	EtwpEnqueueAvailableBuffer

loc_68167F:				; CODE XREF: EtwpRotateCompressionTarget(x)+Ej
		mov	eax, [esi+308h]
		test	eax, eax
		jz	short loc_681692
		mov	ecx, esi
		call	EtwpDequeueFreeBuffer
		mov	edi, eax

loc_681692:				; CODE XREF: EtwpRotateCompressionTarget(x)+38j
		mov	[esi+300h], edi
		pop	edi
		pop	esi
		retn
_EtwpRotateCompressionTarget@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpRotateCompressionTargetIfNeeded(x)
_EtwpRotateCompressionTargetIfNeeded@4 proc near
					; CODE XREF: EtwpCompressBuffer(x,x):loc_68085Fp
					; EtwpCompressPendingBuffers(x)+32p
		mov	eax, [ecx+300h]
		test	eax, eax
		jz	short loc_6816B5
		mov	eax, [eax+8]
		mov	edx, [ecx+4]
		sub	edx, eax
		cmp	edx, 148h
		ja	short locret_6816BA

loc_6816B5:				; CODE XREF: EtwpRotateCompressionTargetIfNeeded(x)+8j
		jmp	_EtwpRotateCompressionTarget@4 ; EtwpRotateCompressionTarget(x)
; 

locret_6816BA:				; CODE XREF: EtwpRotateCompressionTargetIfNeeded(x)+18j
		retn
_EtwpRotateCompressionTargetIfNeeded@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSetCompressionSettings(x)
_EtwpSetCompressionSettings@4 proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+6A8p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	[ebp+var_10], edi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edx, [edi]
		push	esi
		mov	ecx, [eax+1F0h]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		mov	[ebp+var_28], edi
		test	edi, edi
		jnz	short loc_681704
		mov	esi, 0C000000Dh
		jmp	loc_6818F0
; 

loc_681704:				; CODE XREF: EtwpSetCompressionSettings(x)+3Dj
		lea	eax, [edi+2FCh]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_10]
		mov	eax, [ecx+4]
		mov	[edi+310h], eax
		mov	eax, [ecx+8]
		mov	[edi+30Ch], eax
		mov	eax, [ecx+0Ch]
		mov	[edi+314h], eax
		mov	edx, [ebp+var_8]
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_C], eax
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_681751
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_8]

loc_681751:				; CODE XREF: EtwpSetCompressionSettings(x)+8Aj
		mov	edi, esi
		mov	[ebp+var_10], edi
		test	edx, 7FFFFFFCh
		jz	loc_6818E6
		mov	esi, large fs:124h
		mov	ecx, edx
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	edx, eax
		jb	short loc_681798
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68179D
		mov	eax, [ebp+var_20]
		cmp	edx, eax
		jb	short loc_681798
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_68179D

loc_681798:				; CODE XREF: EtwpSetCompressionSettings(x)+C0j
					; EtwpSetCompressionSettings(x)+D2j
		or	eax, 0FFFFFFFFh
		jmp	short loc_6817AB
; 

loc_68179D:				; CODE XREF: EtwpSetCompressionSettings(x)+CBj
					; EtwpSetCompressionSettings(x)+DBj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_C], eax

loc_6817AB:				; CODE XREF: EtwpSetCompressionSettings(x)+E0j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_6817F1
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_681857
		mov	eax, [ebp+var_8]
		push	ecx
		push	[ebp+var_C]
		push	eax
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6817F1:				; CODE XREF: EtwpSetCompressionSettings(x)+117j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_681807
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_681807:				; CODE XREF: EtwpSetCompressionSettings(x)+142j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_68184B
		or	[esi+1E4h], dl
		jmp	short loc_681857
; 

loc_68184B:				; CODE XREF: EtwpSetCompressionSettings(x)+186j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]

loc_681857:				; CODE XREF: EtwpSetCompressionSettings(x)+121j
					; EtwpSetCompressionSettings(x)+18Ej
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_6818BE
		test	edi, 8000h
		jz	short loc_68187B
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68187B:				; CODE XREF: EtwpSetCompressionSettings(x)+1B5j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_681891
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_681891:				; CODE XREF: EtwpSetCompressionSettings(x)+1C4j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_6818A5
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_6818A5:				; CODE XREF: EtwpSetCompressionSettings(x)+1DDj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_6818BE
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_6818BE:				; CODE XREF: EtwpSetCompressionSettings(x)+1ADj
					; EtwpSetCompressionSettings(x)+1F4j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_6818E4
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_6818E4
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_6818E4:				; CODE XREF: EtwpSetCompressionSettings(x)+21Aj
					; EtwpSetCompressionSettings(x)+222j
		xor	esi, esi

loc_6818E6:				; CODE XREF: EtwpSetCompressionSettings(x)+A1j
		mov	ecx, [ebp+var_28]
		xor	dl, dl
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_6818F0:				; CODE XREF: EtwpSetCompressionSettings(x)+44j
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_EtwpSetCompressionSettings@4 endp ; sp	=  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpApplyEventNameFilter(x,	x, x, x, x, x, x, x, x,	x)
_EtwpApplyEventNameFilter@40 proc near	; CODE XREF: .text:005284B8p
					; .text:00528995p ...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2F		= byte ptr -2Fh
var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= byte ptr  24h

		push	3Ch
		push	offset dword_6A9FC0
		call	__SEH_prolog4_GS
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_38], edx
		xor	ecx, ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_34], ecx
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		mov	edi, ecx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_2E], cl
		mov	[ebp+var_2F], cl
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_2D], bl
		cmp	[ebp+arg_8], cl
		jz	short loc_68196A
		mov	[ebp+ms_exc.disabled], ecx
		mov	eax, [ebp+arg_0]
		shl	eax, 4
		test	eax, eax
		jz	short loc_681963
		test	dl, 3
		jz	short loc_681951
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_681951:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+4Fj
		add	eax, edx
		mov	esi, ds:_MmUserProbeAddress
		cmp	eax, esi
		ja	short loc_681961
		cmp	eax, edx
		jnb	short loc_681963

loc_681961:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+60j
		mov	[esi], cl

loc_681963:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+4Aj
					; EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+64j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_68196A:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+3Dj
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, ecx
		mov	esi, [ebp+var_38]

loc_681972:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+19Aj
		mov	[ebp+var_4C], eax
		cmp	eax, [ebp+arg_0]
		jnb	loc_681A3E
		mov	edx, eax
		add	edx, edx
		cmp	[esi+edx*8+0Ch], bl
		jnz	loc_681A94
		lea	edi, [esi+edx*8]
		cmp	[ebp+arg_C], 2
		jnb	loc_681A8A
		mov	esi, edi
		lea	edi, [ebp+var_2C]
		movsd
		movsd
		movsd
		movsd
		lea	edi, [ebp+var_2C]
		mov	[ebp+var_3C], edi
		mov	esi, [ebp+var_24]
		cmp	esi, 0FFFFh
		jb	short loc_6819CF
		mov	bl, cl
		jmp	loc_681B86
; 

loc_6819BA:				; DATA XREF: .text:006A9FD4o
		xor	eax, eax
		inc	eax
		retn
; 

loc_6819BE:				; DATA XREF: .text:006A9FD8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	al, al
		jmp	loc_681BA2
; 

loc_6819CF:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+B6j
		cmp	[ebp+arg_8], 0
		jz	short loc_6819F6
		test	esi, esi
		jz	short loc_6819F6
		mov	edx, [ebp+var_2C]
		lea	eax, [esi+edx]
		mov	[ebp+var_38], eax
		mov	eax, ds:_MmUserProbeAddress
		cmp	[ebp+var_38], eax
		ja	short loc_6819F1
		cmp	[ebp+var_38], edx
		jnb	short loc_6819F6

loc_6819F1:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+EFj
		mov	[eax], cl
		mov	esi, [edi+8]

loc_6819F6:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+D8j
					; EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+DCj ...
		mov	eax, [edi+8]
		cmp	esi, 100h
		jbe	short loc_681A24
		push	74777445h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_34], eax
		test	eax, eax
		jz	loc_681B86
		mov	[ebp+var_2F], bl
		mov	esi, [edi+8]
		jmp	short loc_681A2F
; 

loc_681A24:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+104j
		call	__alloca_probe_16
		mov	[ebp+ms_exc.old_esp], esp
		mov	[ebp+var_34], esp

loc_681A2F:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+127j
		push	esi		; size_t
		push	[ebp+var_2C]	; void *
		push	[ebp+var_34]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_681A3E:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+7Dj
					; EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+197j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	edi, edi
		jz	loc_681B90
		cmp	[ebp+var_34], 0
		jz	loc_681B90
		cmp	[ebp+arg_C], 2
		jnb	short loc_681A66
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_2E], al

loc_681A66:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+160j
		mov	eax, [ebp+var_40]
		mov	ecx, [eax+160h]
		test	ecx, ecx
		jz	loc_681B4B
		mov	edi, [ebp+var_44]
		imul	esi, edi, 34h
		mov	al, [ebp+arg_1C]
		test	al, al
		jz	short loc_681A9A
		mov	esi, [esi+ecx+1Ch]
		jmp	short loc_681A9E
; 

loc_681A8A:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+98j
		mov	[ebp+var_3C], edi
		mov	eax, [edi]
		mov	[ebp+var_34], eax
		jmp	short loc_681A3E
; 

loc_681A94:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+8Bj
		inc	eax
		jmp	loc_681972
; 

loc_681A9A:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+187j
		mov	esi, [esi+ecx+30h]

loc_681A9E:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+18Dj
		test	esi, esi
		jz	loc_681B78
		xor	edx, edx
		mov	ecx, [ebp+var_40]
		mov	ecx, [ecx+160h]
		test	ecx, ecx
		jz	loc_681B78
		test	al, al
		jnz	short loc_681ADF
		imul	edi, 34h
		mov	eax, [edi+ecx]
		and	eax, 80000400h
		cmp	eax, 80000400h
		jnz	short loc_681AD5
		mov	edx, [edi+ecx+30h]
		jmp	short loc_681AF5
; 

loc_681AD5:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+1D2j
		mov	al, [ebp+arg_1C]
		mov	edi, [ebp+var_44]
		test	al, al
		jz	short loc_681AF5

loc_681ADF:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+1C0j
		imul	edi, 34h
		mov	eax, [edi+ecx]
		and	eax, 80002000h
		cmp	eax, 80002000h
		jnz	short loc_681AF5
		mov	edx, [edi+ecx+1Ch]

loc_681AF5:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+1D8j
					; EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+1E2j ...
		test	edx, edx
		jz	short loc_681B78
		mov	al, [edx+1]
		cmp	[ebp+arg_10], al
		jbe	short loc_681B05
		test	al, al
		jnz	short loc_681B78

loc_681B05:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+204j
		mov	eax, [ebp+arg_14]
		or	eax, [ebp+arg_18]
		jz	short loc_681B35
		mov	ecx, [edx+8]
		and	ecx, [ebp+arg_14]
		mov	eax, [edx+0Ch]
		and	eax, [ebp+arg_18]
		or	ecx, eax
		jz	short loc_681B78
		mov	ecx, [edx+10h]
		mov	edi, [edx+14h]
		mov	eax, ecx
		and	eax, [ebp+arg_14]
		mov	edx, edi
		and	edx, [ebp+arg_18]
		cmp	eax, ecx
		jnz	short loc_681B78
		cmp	edx, edi
		jnz	short loc_681B78

loc_681B35:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+210j
		lea	eax, [ebp+var_48]
		push	eax
		mov	edx, [ebp+var_3C]
		mov	edx, [edx+8]
		mov	ecx, [ebp+var_34]
		call	_EtwpGetEventNameFromEventMetadata@12 ;	EtwpGetEventNameFromEventMetadata(x,x,x)
		test	eax, eax
		jnz	short loc_681B5C

loc_681B4B:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+176j
					; EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+276j ...
		cmp	[ebp+arg_C], 2
		jnb	short loc_681B90
		mov	cl, [ebp+var_2E]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_681B90
; 

loc_681B5C:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+24Ej
		mov	edx, [ebp+var_48]
		test	dx, dx
		jz	short loc_681B73
		push	esi
		mov	ecx, eax
		call	_EtwpEventNameFilterSearch@12 ;	EtwpEventNameFilterSearch(x,x,x)
		cmp	[esi], al

loc_681B6E:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+27Bj
		setz	bl
		jmp	short loc_681B4B
; 

loc_681B73:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+267j
		cmp	byte ptr [esi],	0
		jmp	short loc_681B6E
; 

loc_681B78:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+1A5j
					; EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+1B8j ...
		mov	bl, [ebp+var_2D]
		jmp	short loc_681B4B
; 

loc_681B7D:				; DATA XREF: .text:006A9FE0o
		xor	eax, eax
		inc	eax
		retn
; 

loc_681B81:				; DATA XREF: .text:006A9FE4o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	bl, 1

loc_681B86:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+BAj
					; EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+11Bj
		mov	[ebp+var_2D], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_681B90:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+14Cj
					; EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+156j ...
		cmp	[ebp+var_2F], 0
		jz	short loc_681BA0
		push	0
		push	[ebp+var_34]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_681BA0:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+299j
		mov	al, bl

loc_681BA2:				; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+CFj
		lea	esp, [ebp-5Ch]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
_EtwpApplyEventNameFilter@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpApplyStackWalkIdFilter(x, x, x,	x)
_EtwpApplyStackWalkIdFilter@16 proc near ; CODE	XREF: .text:00528950p
					; EtwpApplyStackWalkFilterOnUserEvent(x,x,x)+23p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, 1
		imul	ecx, [ebp+arg_0], 34h
		cmp	[ebp+arg_4], 0
		push	edi
		mov	edi, edx
		mov	[ebp+arg_0], ecx
		jz	short loc_681C01
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edx, [ebp+arg_0]
		mov	bh, al
		mov	eax, [edi+160h]
		mov	edx, [eax+edx+18h]
		test	edx, edx
		jz	short loc_681BF7
		mov	ecx, esi
		call	_EtwpPerfectHashFunctionSearch@8 ; EtwpPerfectHashFunctionSearch(x,x)
		cmp	[edx], al
		setz	bl

loc_681BF7:				; CODE XREF: EtwpApplyStackWalkIdFilter(x,x,x,x)+32j
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_681C1B
; 

loc_681C01:				; CODE XREF: EtwpApplyStackWalkIdFilter(x,x,x,x)+19j
		mov	eax, [edi+160h]
		mov	edx, [eax+ecx+18h]
		test	edx, edx
		jz	short loc_681C1B
		mov	ecx, esi
		call	_EtwpPerfectHashFunctionSearch@8 ; EtwpPerfectHashFunctionSearch(x,x)
		cmp	[edx], al
		setz	bl

loc_681C1B:				; CODE XREF: EtwpApplyStackWalkIdFilter(x,x,x,x)+48j
					; EtwpApplyStackWalkIdFilter(x,x,x,x)+56j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
_EtwpApplyStackWalkIdFilter@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEventNameFilterSearch(x, x, x)
_EtwpEventNameFilterSearch@12 proc near	; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+26Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	eax, ecx
		movzx	edx, dx
		mov	[ebp+var_C], eax
		mov	esi, 4CB2Fh
		push	edi
		mov	edi, eax
		cmp	edx, 8
		jb	short loc_681CA2
		mov	ebx, edx
		shr	ebx, 3
		imul	eax, ebx, -8
		add	edx, eax

loc_681C4D:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+7Cj
		movzx	eax, byte ptr [edi+1]
		imul	ecx, eax, 25h
		movzx	eax, byte ptr [edi+2]
		add	ecx, eax
		movzx	eax, byte ptr [edi+3]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edi+4]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edi+5]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edi+6]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edi]
		imul	ecx, 25h
		imul	eax, 1A617D0Dh
		add	ecx, eax
		imul	eax, esi, 2FE8ED1Fh
		movzx	esi, byte ptr [edi+7]
		add	edi, 8
		sub	ecx, eax
		add	esi, ecx
		sub	ebx, 1
		jnz	short loc_681C4D

loc_681CA2:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+1Dj
		sub	edx, 1
		jz	short loc_681CFB
		sub	edx, 1
		jz	short loc_681CF2
		sub	edx, 1
		jz	short loc_681CE9
		sub	edx, 1
		jz	short loc_681CE0
		sub	edx, 1
		jz	short loc_681CD7
		sub	edx, 1
		jz	short loc_681CCE
		sub	edx, 1
		jnz	short loc_681D03
		movzx	eax, byte ptr [edi]
		imul	esi, 25h
		add	esi, eax
		inc	edi

loc_681CCE:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+9Aj
		movzx	eax, byte ptr [edi]
		imul	esi, 25h
		add	esi, eax
		inc	edi

loc_681CD7:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+95j
		movzx	eax, byte ptr [edi]
		imul	esi, 25h
		add	esi, eax
		inc	edi

loc_681CE0:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+90j
		movzx	eax, byte ptr [edi]
		imul	esi, 25h
		add	esi, eax
		inc	edi

loc_681CE9:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+8Bj
		movzx	eax, byte ptr [edi]
		imul	esi, 25h
		add	esi, eax
		inc	edi

loc_681CF2:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+86j
		movzx	eax, byte ptr [edi]
		imul	esi, 25h
		add	esi, eax
		inc	edi

loc_681CFB:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+81j
		movzx	eax, byte ptr [edi]
		imul	esi, 25h
		add	esi, eax

loc_681D03:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+9Fj
		mov	eax, [ebp+arg_0]
		or	edi, 0FFFFFFFFh
		mov	ebx, esi
		mov	eax, [eax+1Ch]
		mov	ecx, eax
		and	ecx, 1Fh
		mov	[ebp+var_10], eax
		shl	edi, cl
		shr	eax, 5
		and	ebx, edi
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_681DCA
		movzx	eax, bl
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		movzx	eax, bh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	edx, ecx, 25h
		mov	ecx, [ebp+var_8]
		add	edx, eax
		mov	eax, [ebp+arg_0]
		dec	ecx
		and	ecx, edx
		mov	eax, [eax+20h]
		lea	edx, [eax+ecx*4]

loc_681D5C:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+149j
		mov	edx, [edx]
		test	edx, 1
		jnz	short loc_681DC4
		mov	eax, [edx+4]
		and	eax, edi
		cmp	ebx, eax
		jnz	short loc_681D5C
		jmp	short loc_681DC6
; 

loc_681D71:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+1A4j
		mov	ecx, [edx+8]
		mov	eax, [ebp+var_C]

loc_681D77:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+16Dj
		mov	bl, [eax]
		cmp	bl, [ecx]
		jnz	short loc_681D97
		test	bl, bl
		jz	short loc_681D93
		mov	bl, [eax+1]
		cmp	bl, [ecx+1]
		jnz	short loc_681D97
		add	eax, 2
		add	ecx, 2
		test	bl, bl
		jnz	short loc_681D77

loc_681D93:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+15Bj
		xor	eax, eax
		jmp	short loc_681D9C
; 

loc_681D97:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+157j
					; EtwpEventNameFilterSearch(x,x,x)+163j
		sbb	eax, eax
		or	eax, 1

loc_681D9C:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+171j
		test	eax, eax
		jz	short loc_681DD3
		mov	ecx, [ebp+var_10]
		or	edi, 0FFFFFFFFh
		and	ecx, 1Fh
		shl	edi, cl
		mov	ecx, edi
		and	ecx, esi

loc_681DAF:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+19Ej
		mov	edx, [edx]
		test	edx, 1
		jnz	short loc_681DC4
		mov	eax, [edx+4]
		and	eax, edi
		cmp	ecx, eax
		jz	short loc_681DC6
		jmp	short loc_681DAF
; 

loc_681DC4:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+140j
					; EtwpEventNameFilterSearch(x,x,x)+193j
		xor	edx, edx

loc_681DC6:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+14Bj
					; EtwpEventNameFilterSearch(x,x,x)+19Cj
		test	edx, edx
		jnz	short loc_681D71

loc_681DCA:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+101j
		xor	al, al

loc_681DCC:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+1B1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_681DD3:				; CODE XREF: EtwpEventNameFilterSearch(x,x,x)+17Aj
		mov	al, 1
		jmp	short loc_681DCC
_EtwpEventNameFilterSearch@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetEventNameFromEventMetadata(x, x, x)
_EtwpGetEventNameFromEventMetadata@12 proc near
					; CODE XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+247p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		cmp	edx, 3
		jb	short loc_681E19
		lea	edi, [ecx+2]
		lea	eax, [ecx+edx]

loc_681DE8:				; CODE XREF: EtwpGetEventNameFromEventMetadata(x,x,x)+1Aj
		cmp	edi, eax
		jz	short loc_681E19
		inc	edi
		cmp	byte ptr [edi-1], 0
		jl	short loc_681DE8
		cmp	edi, eax
		jz	short loc_681E19
		sub	eax, edi
		mov	ecx, edi
		push	esi
		movzx	esi, ax
		mov	edx, esi
		call	strnlen_s
		mov	ecx, [ebp+arg_0]
		movzx	edx, ax
		cmp	dx, si
		pop	esi
		mov	[ecx], dx
		jz	short loc_681E19
		mov	eax, edi
		jmp	short loc_681E1B
; 

loc_681E19:				; CODE XREF: EtwpGetEventNameFromEventMetadata(x,x,x)+9j
					; EtwpGetEventNameFromEventMetadata(x,x,x)+13j	...
		xor	eax, eax

loc_681E1B:				; CODE XREF: EtwpGetEventNameFromEventMetadata(x,x,x)+40j
		pop	edi
		pop	ebp
		retn	4
_EtwpGetEventNameFromEventMetadata@12 endp


;  S U B	R O U T	I N E 


strnlen_s	proc near		; CODE XREF: EtwpGetEventNameFromEventMetadata(x,x,x)+2Ap
					; EtwpAllocateEventNameFilter(x,x)+13Bp
		test	ecx, ecx
		jnz	short loc_681E27
		xor	eax, eax
		retn
; 

loc_681E27:				; CODE XREF: strnlen_s+2j
		push	edx
		push	ecx
		call	_strnlen
		pop	ecx
		pop	ecx
		retn
strnlen_s	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpDereferenceStackEntry(x, x)
_EtwpDereferenceStackEntry@8 proc near	; CODE XREF: EtwpStackRundown(x,x,x)+B4p
					; EtwpTraceStackKey(x,x,x,x,x,x)+2ABp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [edi+0Ch], eax
		dec	eax
		jnz	short loc_681E74
		mov	ecx, [esi]
		push	ebx
		push	edi
		push	1823h
		mov	edx, [ecx]
		mov	ecx, [ecx+2E4h]
		call	_EtwpTraceCachedStack@16 ; EtwpTraceCachedStack(x,x,x,x)
		lea	ebx, [esi+8]

loc_681E61:				; CODE XREF: EtwpDereferenceStackEntry(x,x)+40j
		mov	esi, [edi+8]
		mov	edx, edi
		mov	ecx, ebx
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_681E61
		pop	ebx

loc_681E74:				; CODE XREF: EtwpDereferenceStackEntry(x,x)+15j
		pop	edi
		pop	esi
		leave
		retn
_EtwpDereferenceStackEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpStackRundown(x,	x, x)
_EtwpStackRundown@12 proc near		; CODE XREF: EtwpStopLoggerInstance(x)+118p
					; EtwpCheckLoggerAccessAndDoRundown(x,x,x,x)+8Cp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_2C], edx
		lea	edi, [ebp+var_14]
		mov	[ebp+var_1C], ecx
		stosd
		xor	esi, esi
		mov	[ebp+var_20], esi
		stosd
		stosd
		stosd
		cmp	[ecx+4], esi
		jbe	loc_681F53
		lea	edi, [ecx+10h]
		mov	[ebp+var_24], edi
		push	ebx

loc_681EB0:				; CODE XREF: EtwpStackRundown(x,x,x)+D4j
		cmp	[edi], edi
		jz	loc_681F3F
		mov	cl, 2
		xor	ebx, ebx
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		lea	ecx, [edi+8]
		mov	[ebp+var_15], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, [edi]
		jmp	short loc_681EDC
; 

loc_681ED1:				; CODE XREF: EtwpStackRundown(x,x,x)+66j
		lock inc dword ptr [edx+0Ch]
		mov	[ebp+ebx*4+var_14], edx
		inc	ebx
		mov	edx, [edx]

loc_681EDC:				; CODE XREF: EtwpStackRundown(x,x,x)+57j
		cmp	edx, edi
		jnz	short loc_681ED1
		test	ds:byte_70EFC6,	1
		jz	short loc_681EF6
		mov	edx, [ebp+4]
		lea	ecx, [edi+8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_681EFE
; 

loc_681EF6:				; CODE XREF: EtwpStackRundown(x,x,x)+6Fj
		xor	ecx, ecx
		lea	eax, [edi+8]
		lock and [eax],	ecx

loc_681EFE:				; CODE XREF: EtwpStackRundown(x,x,x)+7Cj
		mov	cl, [ebp+var_15]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	[ebp+var_28], 0
		test	ebx, ebx
		jz	short loc_681F3C
		mov	edi, [ebp+var_28]

loc_681F12:				; CODE XREF: EtwpStackRundown(x,x,x)+BCj
		mov	esi, [ebp+edi*4+var_14]
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_2C]
		push	esi
		push	1824h
		call	_EtwpTraceCachedStack@16 ; EtwpTraceCachedStack(x,x,x,x)
		mov	edx, [ebp+var_1C]
		mov	ecx, esi
		call	_EtwpDereferenceStackEntry@8 ; EtwpDereferenceStackEntry(x,x)
		inc	edi
		cmp	edi, ebx
		jb	short loc_681F12
		mov	edi, [ebp+var_24]
		mov	esi, [ebp+var_20]

loc_681F3C:				; CODE XREF: EtwpStackRundown(x,x,x)+95j
		mov	ecx, [ebp+var_1C]

loc_681F3F:				; CODE XREF: EtwpStackRundown(x,x,x)+3Aj
		inc	esi
		add	edi, 0Ch
		mov	[ebp+var_20], esi
		mov	[ebp+var_24], edi
		cmp	esi, [ecx+4]
		jb	loc_681EB0
		pop	ebx

loc_681F53:				; CODE XREF: EtwpStackRundown(x,x,x)+2Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwpStackRundown@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceCachedStack(x, x, x, x)
_EtwpTraceCachedStack@16 proc near	; CODE XREF: EtwpDereferenceStackEntry(x,x)+28p
					; EtwpStackRundown(x,x,x)+AAp

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_90], 0
		lea	eax, [ebp+arg_4]
		and	[ebp+var_88], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_98], ecx
		mov	[ebp+var_94], eax
		inc	edi
		mov	[ebp+var_8C], 4

loc_681FAA:				; CODE XREF: EtwpTraceCachedStack(x,x,x,x)+83j
		mov	edx, [esi+14h]
		cmp	edx, 20h
		jb	short loc_681FB5
		push	20h
		pop	edx

loc_681FB5:				; CODE XREF: EtwpTraceCachedStack(x,x,x,x)+4Dj
		movzx	ecx, di
		lea	eax, [esi+18h]
		add	ecx, ecx
		and	[ebp+ecx*8+var_90], 0
		and	[ebp+ecx*8+var_88], 0
		mov	[ebp+ecx*8+var_94], eax
		mov	eax, edx
		shl	eax, 2
		inc	edi
		mov	[ebp+ecx*8+var_8C], eax
		mov	esi, [esi+8]
		test	esi, esi
		jnz	short loc_681FAA
		mov	edx, [ebp+var_98]
		xor	eax, eax
		mov	ecx, 1824h
		cmp	word ptr [ebp+arg_0], cx
		lea	ecx, [ebp+var_94]
		setnz	al
		dec	eax
		and	eax, 0FFFFFA00h
		add	eax, 400602h
		push	eax
		push	[ebp+arg_0]
		movzx	eax, di
		push	eax
		push	ebx
		call	EtwpLogKernelEvent
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpTraceCachedStack@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceStackKey(x, x, x, x, x, x)
_EtwpTraceStackKey@24 proc near		; CODE XREF: EtwpTraceStackWalk(x,x,x,x)+1EAp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ecx
		mov	[ebp+var_30], edx
		push	ebx
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_34], eax
		mov	edi, [eax+2B8h]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_10], edi
		test	edi, edi
		jz	loc_682381
		push	esi
		mov	esi, [ebp+arg_C]
		mov	eax, ebx
		mov	[ebp+var_1C], ebx
		mov	edx, ebx
		mov	[ebp+var_C], eax
		add	esi, esi
		jz	short loc_682088
		mov	edi, ebx

loc_682068:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+51j
		mov	eax, [ebp+arg_8]
		movzx	ecx, word ptr [eax+edx*2+2]
		movzx	eax, word ptr [eax+edx*2]
		add	edx, 2
		xor	ecx, eax
		add	edi, ecx
		cmp	edx, esi
		jb	short loc_682068
		mov	[ebp+var_C], edi
		mov	edi, [ebp+var_10]
		mov	eax, [ebp+var_C]

loc_682088:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+38j
		xor	edx, edx
		lea	esi, [edi+10h]
		div	dword ptr [edi+4]
		imul	eax, edx, 0Ch
		add	esi, eax
		mov	[ebp+var_18], esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebp+var_1], al
		cmp	al, 1
		jbe	short loc_6820D5
		cmp	al, 2
		jz	short loc_6820DD
		test	ds:byte_70EFC6,	21h
		lea	eax, [esi+8]
		mov	[ebp+var_8], eax
		jz	short loc_6820C1
		mov	ecx, eax
		call	@KiTryToAcquireSpinLockInstrumented@4 ;	KiTryToAcquireSpinLockInstrumented(x)
		jmp	short loc_6820CC
; 

loc_6820C1:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+8Aj
		lock bts dword ptr [eax], 0
		jnb	short loc_6820EA
		mov	al, bl
		pause

loc_6820CC:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+93j
		test	al, al
		jnz	short loc_6820EA
		jmp	loc_682380
; 

loc_6820D5:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+77j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_6820DD:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+7Bj
		lea	eax, [esi+8]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)

loc_6820EA:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+9Aj
					; EtwpTraceStackKey(x,x,x,x,x,x)+A2j
		mov	edi, [esi]
		cmp	edi, esi
		jz	loc_6821E0
		mov	ecx, [ebp+var_C]
		mov	eax, ebx

loc_6820F9:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+18Bj
		inc	eax
		mov	[ebp+var_2C], eax
		cmp	[edi+10h], ecx
		jnz	loc_6821B3
		mov	eax, [ebp+arg_C]
		cmp	[edi+14h], eax
		jnz	loc_6821B0
		mov	edx, ebx
		mov	[ebp+var_24], ebx
		mov	ecx, edi
		mov	[ebp+var_28], edi

loc_68211C:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+12Fj
		mov	eax, [ecx+14h]
		mov	[ebp+var_14], eax
		cmp	eax, 20h
		jb	short loc_68212D
		push	20h
		pop	eax
		mov	[ebp+var_14], eax

loc_68212D:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+F9j
		mov	esi, eax
		mov	eax, [ebp+arg_8]
		shl	esi, 2
		push	esi		; Length
		lea	eax, [eax+edx*4]
		push	eax		; Source2
		lea	eax, [ecx+18h]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, esi
		jnz	short loc_6821AA
		mov	ecx, [ebp+var_28]
		mov	edx, [ebp+var_24]
		add	edx, [ebp+var_14]
		mov	[ebp+var_24], edx
		mov	ecx, [ecx+8]
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jnz	short loc_68211C
		lock inc dword ptr [edi+0Ch]
		mov	ecx, [edi]
		mov	eax, [edi+4]
		cmp	[ecx+4], edi
		jnz	loc_6822F8
		cmp	[eax], edi
		jnz	loc_6822F8
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, [ebp+var_18]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_6822F8
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[ecx+4], edi
		mov	[eax], edi
		test	ds:byte_70EFC6,	1
		jz	short loc_682218
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_682220
; 

loc_6821AA:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+119j
		mov	esi, [ebp+var_18]
		mov	ecx, [ebp+var_C]

loc_6821B0:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+E0j
		mov	eax, [ebp+var_2C]

loc_6821B3:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+D4j
		mov	edi, [edi]
		cmp	edi, esi
		jnz	loc_6820F9
		cmp	eax, 4
		jnz	short loc_6821E0
		mov	ecx, [esi+4]
		mov	[ebp+var_1C], ecx
		mov	eax, [ecx+4]
		cmp	[ecx], esi
		jnz	loc_6822F8
		cmp	[eax], ecx
		jnz	loc_6822F8
		mov	[esi+4], eax
		mov	[eax], esi

loc_6821E0:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+C2j
					; EtwpTraceStackKey(x,x,x,x,x,x)+194j
		mov	eax, [ebp+arg_C]
		mov	edi, ebx
		mov	[ebp+var_28], ebx
		test	eax, eax
		jz	loc_6822E1
		mov	ecx, [ebp+var_10]
		mov	esi, ebx
		add	ecx, 8
		mov	[ebp+var_24], ecx

loc_6821FB:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+24Bj
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		mov	[ebp+var_2C], ecx
		test	ecx, ecx
		jz	short loc_68227B
		mov	edx, [ebp+arg_C]
		lea	eax, [esi+20h]
		cmp	eax, edx
		jnb	short loc_68222E
		push	20h
		pop	eax
		jmp	short loc_682232
; 

loc_682218:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+16Fj
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_682220:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+17Cj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_68233F
; 

loc_68222E:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+1E5j
		mov	eax, edx
		sub	eax, esi

loc_682232:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+1EAj
		mov	[ebp+var_14], eax
		shl	eax, 2
		push	eax		; size_t
		mov	eax, [ebp+arg_8]
		lea	eax, [eax+esi*4]
		push	eax		; void *
		lea	eax, [ecx+18h]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_2C]
		add	esp, 0Ch
		mov	ecx, [ebp+var_14]
		test	esi, esi
		jnz	short loc_68225A
		mov	edi, eax
		jmp	short loc_68225D
; 

loc_68225A:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+228j
		mov	[eax+14h], ecx

loc_68225D:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+22Cj
		mov	edx, [ebp+var_28]
		test	edx, edx
		jz	short loc_682267
		mov	[edx+8], eax

loc_682267:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+236j
		add	esi, ecx
		mov	[ebp+var_28], eax
		mov	ecx, [ebp+var_24]
		mov	[eax+8], ebx
		mov	eax, [ebp+arg_C]
		cmp	esi, eax
		jb	short loc_6821FB
		jmp	short loc_68227E
; 

loc_68227B:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+1DBj
		mov	eax, [ebp+arg_C]

loc_68227E:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+24Dj
		cmp	esi, eax
		mov	esi, [ebp+var_18]
		jnb	short loc_6822E1
		test	ds:byte_70EFC6,	1
		jz	short loc_68229B
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6822A3
; 

loc_68229B:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+260j
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_6822A3:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+26Dj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_6822C7
		mov	ebx, [ebp+var_24]

loc_6822B3:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+297j
		mov	esi, [edi+8]
		mov	edx, edi
		mov	ecx, ebx
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_6822B3
		xor	ebx, ebx

loc_6822C7:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+282j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	loc_682380
		mov	edx, [ebp+var_10]
		mov	ecx, eax
		call	_EtwpDereferenceStackEntry@8 ; EtwpDereferenceStackEntry(x,x)
		jmp	loc_682380
; 

loc_6822E1:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+1BEj
					; EtwpTraceStackKey(x,x,x,x,x,x)+257j
		mov	ecx, [ebp+var_C]
		mov	[edi+10h], ecx
		mov	[edi+14h], eax
		mov	dword ptr [edi+0Ch], 2
		mov	eax, [esi+4]
		cmp	[eax], esi
		jz	short loc_6822FD

loc_6822F8:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+13Dj
					; EtwpTraceStackKey(x,x,x,x,x,x)+145j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_6822FD:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+2CAj
		mov	[edi], esi
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[esi+4], edi
		test	ds:byte_70EFC6,	1
		jz	short loc_68231D
		mov	edx, [ebp+4]
		lea	ecx, [esi+8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_682325
; 

loc_68231D:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+2E2j
		xor	ecx, ecx
		lea	eax, [esi+8]
		lock and [eax],	ecx

loc_682325:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+2EFj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_68233F
		mov	edx, [ebp+var_10]
		mov	ecx, eax
		call	_EtwpDereferenceStackEntry@8 ; EtwpDereferenceStackEntry(x,x)

loc_68233F:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+1FDj
					; EtwpTraceStackKey(x,x,x,x,x,x)+307j
		push	[ebp+var_30]
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+var_20]
		push	[ebp+arg_0]
		mov	esi, [ebp+var_34]
		push	2
		mov	[ecx+10h], eax
		mov	[ecx+14h], ebx
		mov	dword ptr [ecx+18h], 4
		mov	[ecx+1Ch], ebx
		push	dword ptr [esi]
		mov	edx, [esi+2E4h]
		mov	[ebp+var_20], edi
		call	EtwpLogKernelEvent
		mov	edx, [esi+2B8h]
		mov	ecx, [ebp+var_20]
		call	_EtwpDereferenceStackEntry@8 ; EtwpDereferenceStackEntry(x,x)
		mov	bl, 1

loc_682380:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+A4j
					; EtwpTraceStackKey(x,x,x,x,x,x)+2A0j ...
		pop	esi

loc_682381:				; CODE XREF: EtwpTraceStackKey(x,x,x,x,x,x)+22j
		pop	edi
		mov	al, bl
		pop	ebx
		leave
		retn	10h
_EtwpTraceStackKey@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall EtwpCovSampProfileInterrupt(x, x)
@EtwpCovSampProfileInterrupt@8 proc near ; DATA	XREF: EtwpCoverageSamplerStart(x)+1FDo

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, large fs:20h
		mov	ebx, ecx
		mov	eax, large fs:124h
		mov	[ebp+var_4], ebx
		cmp	eax, [esi+0Ch]
		jnz	short loc_6823B2
		cmp	byte ptr [esi+11h], 1
		jbe	loc_682462

loc_6823B2:				; CODE XREF: EtwpCovSampProfileInterrupt(x,x)+1Dj
		mov	ecx, [edx+4]
		call	@ExSaDecodeHandle@4 ; ExSaDecodeHandle(x)
		mov	esi, eax
		cmp	dword ptr [esi+58h], 0
		jz	loc_68244E
		push	edi
		mov	edi, ds:_KeTickCount
		mov	eax, edi
		sub	eax, [esi+5Ch]
		cmp	eax, [esi+60h]
		jbe	short loc_68242D
		mov	ebx, [esi+58h]
		add	[esi+6Ch], ebx
		mov	ecx, [esi+64h]
		mov	[esi+5Ch], edi
		cmp	[esi+6Ch], ecx
		jle	short loc_6823EB
		mov	[esi+6Ch], ecx

loc_6823EB:				; CODE XREF: EtwpCovSampProfileInterrupt(x,x)+5Dj
		mov	edx, [esi+68h]
		lea	eax, [ebx+ebx]
		add	edx, [esi+74h]
		and	dword ptr [esi+68h], 0
		shr	edx, 1
		mov	[esi+74h], edx
		cmp	edx, eax
		jnb	short loc_682409
		xor	eax, eax
		inc	eax
		mov	[esi+78h], eax
		jmp	short loc_682427
; 

loc_682409:				; CODE XREF: EtwpCovSampProfileInterrupt(x,x)+76j
		mov	eax, edx
		lea	ecx, [ebx+1]
		xor	edx, edx
		div	ecx
		mov	ecx, [esi+7Ch]
		xor	ecx, edi
		mov	[esi+78h], eax
		imul	ecx, 1000193h
		add	eax, eax
		mov	[esi+7Ch], ecx
		and	eax, ecx

loc_682427:				; CODE XREF: EtwpCovSampProfileInterrupt(x,x)+7Ej
		mov	ebx, [ebp+var_4]
		mov	[esi+70h], eax

loc_68242D:				; CODE XREF: EtwpCovSampProfileInterrupt(x,x)+4Cj
		inc	dword ptr [esi+68h]
		mov	ecx, [esi+6Ch]
		pop	edi
		test	ecx, ecx
		jle	short loc_682462
		dec	dword ptr [esi+70h]
		mov	eax, [esi+70h]
		test	eax, eax
		jg	short loc_682462
		lea	eax, [ecx-1]
		mov	[esi+6Ch], eax
		mov	eax, [esi+78h]
		mov	[esi+70h], eax

loc_68244E:				; CODE XREF: EtwpCovSampProfileInterrupt(x,x)+37j
		mov	ecx, [ebx+68h]
		lock inc dword ptr [esi+108h]
		mov	edx, 50000002h
		call	_EtwpCovSampCaptureSample@8 ; EtwpCovSampCaptureSample(x,x)

loc_682462:				; CODE XREF: EtwpCovSampProfileInterrupt(x,x)+23j
					; EtwpCovSampProfileInterrupt(x,x)+ADj	...
		pop	esi
		pop	ebx
		leave
		retn
@EtwpCovSampProfileInterrupt@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwCovSampHash(x, x, x, x)
_EtwCovSampHash@16 proc	near		; CODE XREF: EtwpCovSampCalculateModuleId(x,x,x,x,x,x)+11p
					; EtwpCovSampCalculateModuleId(x,x,x,x,x,x)+1Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		movzx	eax, al
		xor	eax, [ebp+arg_8]
		imul	edx, eax, 1000193h
		push	ebx
		mov	ebx, [ebp+arg_4]
		movzx	eax, bl
		xor	eax, [ebp+arg_C]
		imul	ecx, eax, 1000193h
		mov	eax, ebx
		shr	eax, 8
		movzx	eax, al
		push	esi
		push	edi
		xor	ecx, eax
		mov	eax, ebx
		xor	ecx, edx
		imul	edi, ecx, 1000193h
		mov	ecx, [ebp+arg_0]
		shrd	ecx, eax, 8
		movzx	eax, cl
		mov	ecx, [ebp+arg_0]
		xor	eax, edx
		imul	edx, eax, 1000193h
		mov	eax, ebx
		shrd	ecx, eax, 10h
		movzx	eax, cl
		xor	edx, eax
		mov	eax, ebx
		shr	eax, 10h
		xor	edx, edi
		movzx	eax, al
		xor	eax, edi
		imul	esi, edx, 1000193h
		imul	ecx, eax, 1000193h
		mov	eax, ebx
		shr	eax, 18h
		pop	edi
		xor	ecx, eax
		mov	eax, [ebp+arg_0]
		shrd	eax, ebx, 18h
		xor	ecx, esi
		movzx	eax, al
		xor	eax, esi
		imul	edx, ecx, 1000193h
		imul	eax, 1000193h
		pop	esi
		pop	ebx
		xor	eax, edx
		pop	ebp
		retn	10h
_EtwCovSampHash@16 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCheckDebugInfoEqual(x, x)
_EtwpCheckDebugInfoEqual@8 proc	near	; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+8E0p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		test	esi, esi
		jnz	short loc_682511
		test	edx, edx
		jmp	short loc_682533
; 

loc_682511:				; CODE XREF: EtwpCheckDebugInfoEqual(x,x)+9j
		test	edx, edx
		jz	short loc_682536
		mov	eax, [esi+14h]
		cmp	eax, [edx+14h]
		jnz	short loc_682536
		lea	eax, [edx+4]
		push	10h		; size_t
		push	eax		; void *
		lea	eax, [esi+4]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		xor	ecx, ecx
		test	eax, eax

loc_682533:				; CODE XREF: EtwpCheckDebugInfoEqual(x,x)+Dj
		setz	cl

loc_682536:				; CODE XREF: EtwpCheckDebugInfoEqual(x,x)+11j
					; EtwpCheckDebugInfoEqual(x,x)+19j
		mov	eax, ecx
		pop	esi
		retn
_EtwpCheckDebugInfoEqual@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCalculateModuleId(x, x, x, x, x,	x)
_EtwpCovSampCalculateModuleId@24 proc near
					; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+32Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		push	0
		push	ecx
		push	[ebp+arg_0]
		push	edx
		call	_EtwCovSampHash@16 ; EtwCovSampHash(x,x,x,x)
		push	edx
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_EtwCovSampHash@16 ; EtwCovSampHash(x,x,x,x)
		mov	esi, [ebp+arg_C]
		lea	edi, [ebp+var_10]
		push	edx
		push	eax
		movsd
		movsd
		movsd
		movsd
		push	[ebp+var_C]
		push	[ebp+var_10]
		call	_EtwCovSampHash@16 ; EtwCovSampHash(x,x,x,x)
		push	edx
		push	eax
		push	[ebp+var_4]
		push	[ebp+var_8]
		call	_EtwCovSampHash@16 ; EtwCovSampHash(x,x,x,x)
		xor	edx, eax
		pop	edi
		pop	esi
		jnz	short loc_682588
		inc	edx

loc_682588:				; CODE XREF: EtwpCovSampCalculateModuleId(x,x,x,x,x,x)+4Bj
		mov	eax, edx
		leave
		retn	10h
_EtwpCovSampCalculateModuleId@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureApc(x, x,	x, x, x)
_EtwpCovSampCaptureApc@20 proc near	; DATA XREF: EtwpCovSampCaptureQueueApc(x)+AEo

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax]
		xor	ecx, ecx
		mov	eax, [ebp+arg_C]
		mov	edi, [ebp+arg_0]
		add	edi, 0FFFFFFECh
		mov	[ebp+arg_8], edx
		mov	[ebp+arg_C], edx
		mov	eax, [eax]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		lea	eax, [ebp+arg_C]
		lock or	[eax], ecx
		mov	eax, [edi+10h]
		cmp	[eax+14h], edx
		jz	short loc_682603
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	esi, [ebx+3Ch]
		mov	byte ptr [ebp+arg_0+3],	al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		and	dword ptr [edi+1Ch], 0
		test	ds:byte_70EFC6,	1
		jz	short loc_6825F3
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6825F8
; 

loc_6825F3:				; CODE XREF: EtwpCovSampCaptureApc(x,x,x,x,x)+57j
		xor	eax, eax
		lock and [esi],	eax

loc_6825F8:				; CODE XREF: EtwpCovSampCaptureApc(x,x,x,x,x)+63j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	edx, edx

loc_682603:				; CODE XREF: EtwpCovSampCaptureApc(x,x,x,x,x)+37j
		mov	esi, ds:dword_6BC094
		lea	eax, [edi+14h]
		push	30h		; size_t
		push	edx		; int
		push	eax		; void *
		call	_memset
		mov	edx, [edi+10h]
		add	esp, 0Ch
		and	dword ptr [edi+44h], 0
		mov	ecx, esi
		push	edi
		call	_EtwpCovSampCaptureReleaseToLookaside@12 ; EtwpCovSampCaptureReleaseToLookaside(x,x,x)
		xor	ecx, ecx
		lea	edx, [ebp+arg_8]
		inc	ecx
		call	_EtwpCovSampSafeForUserAddressCapture@8	; EtwpCovSampSafeForUserAddressCapture(x,x)
		test	eax, eax
		js	short loc_682646
		cmp	[ebp+arg_8], 0
		jnz	short loc_682646
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_EtwpCovSampCaptureUserAddresses@8 ; EtwpCovSampCaptureUserAddresses(x,x)

loc_682646:				; CODE XREF: EtwpCovSampCaptureApc(x,x,x,x,x)+A6j
					; EtwpCovSampCaptureApc(x,x,x,x,x)+ACj
		mov	eax, large fs:124h
		mov	ecx, 0FF7FFFFFh
		add	eax, 2FCh
		lock and [eax],	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_EtwpCovSampCaptureApc@20 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampCaptureApcRelease(x)
_EtwpCovSampCaptureApcRelease@4	proc near ; CODE XREF: EtwpCovSampCaptureApcRundown(x)+Bp
		mov	edi, edi
		push	esi
		mov	esi, ds:dword_6BC094
		push	edi
		mov	edi, ecx
		push	30h		; size_t
		push	0		; int
		lea	eax, [edi+14h]
		push	eax		; void *
		call	_memset
		mov	edx, [edi+10h]
		add	esp, 0Ch
		and	dword ptr [edi+44h], 0
		mov	ecx, esi
		push	edi
		call	_EtwpCovSampCaptureReleaseToLookaside@12 ; EtwpCovSampCaptureReleaseToLookaside(x,x,x)
		pop	edi
		pop	esi
		retn
_EtwpCovSampCaptureApcRelease@4	endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampCaptureBufferAddIP(x, x)
_EtwpCovSampCaptureBufferAddIP@8 proc near ; CODE XREF:	EtwpCovSampCaptureSample(x,x)+5Bp
					; EtwpCovSampCaptureUserAddresses(x,x)+1Fp
		mov	edi, edi
		push	esi
		mov	esi, edx
		test	esi, esi
		jz	short loc_6826BF
		mov	edx, [ecx+14h]
		xor	eax, eax
		inc	eax
		mov	[ecx+20h], esi
		mov	[ecx+1Ah], ax
		mov	eax, edx
		or	eax, 8
		mov	[ecx+14h], eax
		cmp	esi, ds:_MmSystemRangeStart
		jb	short loc_6826B9
		or	edx, 9
		jmp	short loc_6826BC
; 

loc_6826B9:				; CODE XREF: EtwpCovSampCaptureBufferAddIP(x,x)+24j
		or	edx, 0Ah

loc_6826BC:				; CODE XREF: EtwpCovSampCaptureBufferAddIP(x,x)+29j
		mov	[ecx+14h], edx

loc_6826BF:				; CODE XREF: EtwpCovSampCaptureBufferAddIP(x,x)+7j
		pop	esi
		retn
_EtwpCovSampCaptureBufferAddIP@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampCaptureBufferGet(x)
_EtwpCovSampCaptureBufferGet@4 proc near ; CODE	XREF: EtwpCovSampCaptureSample(x,x)+4Cp
					; EtwpCovSampCaptureUserAddresses(x,x)+9p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [esi+4]
		call	@ExSaDecodeHandle@4 ; ExSaDecodeHandle(x)
		mov	edi, eax
		mov	ecx, esi
		lea	edx, [edi+30h]
		call	_EtwpCovSampLookasidePop@8 ; EtwpCovSampLookasidePop(x,x)
		test	eax, eax
		jnz	short loc_6826E8
		lock inc dword ptr [edi+100h]
		jmp	short loc_6826F1
; 

loc_6826E8:				; CODE XREF: EtwpCovSampCaptureBufferGet(x)+1Cj
		xor	ecx, ecx
		and	[eax+14h], ecx
		mov	[eax+1Ah], cx

loc_6826F1:				; CODE XREF: EtwpCovSampCaptureBufferGet(x)+25j
		pop	edi
		pop	esi
		retn
_EtwpCovSampCaptureBufferGet@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampCaptureBufferIsEmpty(x)
_EtwpCovSampCaptureBufferIsEmpty@4 proc	near
					; CODE XREF: EtwpCovSampCaptureBufferMapAddressesAndQueue(x,x)+1Ap
		xor	eax, eax
		cmp	[ecx+1Ah], ax
		setz	al
		retn
_EtwpCovSampCaptureBufferIsEmpty@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureBufferOptimizeIP(x)
_EtwpCovSampCaptureBufferOptimizeIP@4 proc near
					; CODE XREF: EtwpCovSampCaptureKernelStack(x,x)+90p
					; EtwpCovSampCaptureUserStack(x)+56p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+14h], 8
		jz	short loc_682767
		mov	eax, [esi+20h]
		movzx	ecx, word ptr [esi+1Ah]
		mov	[ebp+var_4], eax
		xor	eax, eax
		inc	eax
		push	edi
		cmp	ax, cx
		jnb	short loc_682766
		push	ebx
		mov	edx, ecx
		lea	ebx, [esi+24h]
		mov	[ebp+var_8], edx
		mov	ecx, ebx

loc_68272C:				; CODE XREF: EtwpCovSampCaptureBufferOptimizeIP(x)+44j
		mov	edi, [ebp+var_4]
		cmp	edi, [ecx]
		lea	edi, [esi+20h]
		movzx	edx, dx
		jz	short loc_682746
		inc	eax
		add	ecx, 4
		cmp	eax, edx
		mov	edx, [ebp+var_8]
		jb	short loc_68272C
		jmp	short loc_682765
; 

loc_682746:				; CODE XREF: EtwpCovSampCaptureBufferOptimizeIP(x)+39j
		lea	eax, ds:0FFFFFFFCh[edx*4]
		push	eax		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memmove
		mov	eax, 0FFFFh
		add	esp, 0Ch
		add	[esi+1Ah], ax
		and	dword ptr [esi+14h], 0FFFFFFF7h

loc_682765:				; CODE XREF: EtwpCovSampCaptureBufferOptimizeIP(x)+46j
		pop	ebx

loc_682766:				; CODE XREF: EtwpCovSampCaptureBufferOptimizeIP(x)+21j
		pop	edi

loc_682767:				; CODE XREF: EtwpCovSampCaptureBufferOptimizeIP(x)+Ej
		pop	esi
		leave
		retn
_EtwpCovSampCaptureBufferOptimizeIP@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureBufferQueue(x, x)
_EtwpCovSampCaptureBufferQueue@8 proc near ; CODE XREF:	EtwpCovSampCaptureSample(x,x)+78p
					; EtwpCovSampCaptureBufferMapAddressesAndQueue(x,x)+BCp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		movzx	eax, word ptr [esi+1Ah]
		mov	ecx, eax
		test	ax, ax
		jz	loc_682811
		test	byte ptr [esi+14h], 4
		lea	eax, [ebp+var_4]
		push	0
		pop	ebx
		setnz	bl
		push	eax
		lea	ebx, ds:4[ebx*4]
		imul	ebx, ecx
		mov	ecx, edi
		mov	edx, ebx
		call	_EtwpCovSampSampleBufferReserve@12 ; EtwpCovSampSampleBufferReserve(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_68281F
		movzx	ecx, word ptr [esi+1Ah]
		shl	ecx, 10h
		xor	ecx, [edx+4]
		and	ecx, 7FFF0000h
		xor	[edx+4], ecx
		mov	ecx, [esi+14h]
		mov	eax, [esi+14h]
		shl	ecx, 1Dh
		xor	ecx, [edx+4]
		shl	eax, 1Dh
		and	ecx, 7FFFFFFFh
		xor	ecx, eax
		lea	eax, [esi+20h]
		push	ebx		; size_t
		push	eax		; void *
		lea	eax, [edx+8]
		mov	[edx+4], ecx
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_4]
		add	esp, 0Ch
		or	eax, 0FFFFFFFFh
		lock xadd [edx+10h], eax
		dec	eax
		test	eax, eax
		jg	short loc_682811
		jz	short loc_68280A
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		test	eax, eax
		jnz	short loc_682811

loc_68280A:				; CODE XREF: EtwpCovSampCaptureBufferQueue(x,x)+95j
		mov	ecx, edi
		call	_EtwpCovSampCaptureQueueBuffer@8 ; EtwpCovSampCaptureQueueBuffer(x,x)

loc_682811:				; CODE XREF: EtwpCovSampCaptureBufferQueue(x,x)+1Aj
					; EtwpCovSampCaptureBufferQueue(x,x)+93j ...
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpCovSampCaptureBufferRelease@8 ; EtwpCovSampCaptureBufferRelease(x,x)

loc_68281A:				; CODE XREF: EtwpCovSampCaptureBufferQueue(x,x)+BEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_68281F:				; CODE XREF: EtwpCovSampCaptureBufferQueue(x,x)+45j
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpCovSampCaptureQueueBuffer@8 ; EtwpCovSampCaptureQueueBuffer(x,x)
		jmp	short loc_68281A
_EtwpCovSampCaptureBufferQueue@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampCaptureBufferRelease(x, x)
_EtwpCovSampCaptureBufferRelease@8 proc	near
					; CODE XREF: EtwpCovSampCaptureBufferQueue(x,x)+ABp
					; EtwpCovSampCaptureSample(x,x)+EEp ...
		mov	edi, edi
		push	edx
		mov	edx, [edx+10h]
		call	_EtwpCovSampCaptureReleaseToLookaside@12 ; EtwpCovSampCaptureReleaseToLookaside(x,x,x)
		retn
_EtwpCovSampCaptureBufferRelease@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureCancelApcs(x)
_EtwpCovSampCaptureCancelApcs@4	proc near
					; CODE XREF: EtwpCovSampCaptureContextStop(x):loc_682A73p

var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, [ecx+70h]
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		cmp	eax, [ecx+6Ch]
		jz	loc_682916
		lea	ebx, [ecx+50h]
		mov	edi, [ebx]
		cmp	edi, ebx
		jz	loc_682916
		lea	eax, [ecx+3Ch]
		mov	[esp+18h+var_8], eax

loc_682864:				; CODE XREF: EtwpCovSampCaptureCancelApcs(x)+DAj
		xor	esi, esi
		mov	[esp+18h+var_4], esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [esp+18h+var_8]
		mov	[esp+18h+var_9], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte ptr [edi+3Ah], 0
		jz	short loc_68289A
		mov	esi, [edi+14h]
		mov	[esp+18h+var_4], esi
		test	esi, esi
		jz	short loc_68289A
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag

loc_68289A:				; CODE XREF: EtwpCovSampCaptureCancelApcs(x)+4Bj
					; EtwpCovSampCaptureCancelApcs(x)+56j
		test	ds:byte_70EFC6,	1
		jz	short loc_6828B1
		mov	edx, [ebp+4]
		mov	ecx, [esp+18h+var_8]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6828BA
; 

loc_6828B1:				; CODE XREF: EtwpCovSampCaptureCancelApcs(x)+6Bj
		mov	eax, [esp+18h+var_8]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_6828BA:				; CODE XREF: EtwpCovSampCaptureCancelApcs(x)+79j
		mov	cl, [esp+18h+var_9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_68290C
		lea	ecx, [edi+0Ch]
		call	KeRemoveQueueApc
		test	al, al
		jz	short loc_682900
		mov	esi, ds:dword_6BC094
		lea	eax, [edi+0Ch]
		push	30h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [edi-8]
		mov	edx, [eax+10h]
		mov	ecx, esi
		and	dword ptr [eax+44h], 0
		push	eax
		call	_EtwpCovSampCaptureReleaseToLookaside@12 ; EtwpCovSampCaptureReleaseToLookaside(x,x,x)
		mov	esi, [esp+18h+var_4]

loc_682900:				; CODE XREF: EtwpCovSampCaptureCancelApcs(x)+9Cj
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_68290C:				; CODE XREF: EtwpCovSampCaptureCancelApcs(x)+90j
		mov	edi, [edi]
		cmp	edi, ebx
		jnz	loc_682864

loc_682916:				; CODE XREF: EtwpCovSampCaptureCancelApcs(x)+14j
					; EtwpCovSampCaptureCancelApcs(x)+21j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_EtwpCovSampCaptureCancelApcs@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureCleanupDpc(x, x, x, x)
_EtwpCovSampCaptureCleanupDpc@16 proc near
					; DATA XREF: EtwpCovSampCaptureContextStart(x)+BEo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		call	_EtwpCovSampCaptureCleanupLookasides@4 ; EtwpCovSampCaptureCleanupLookasides(x)
		pop	ebp
		retn	10h
_EtwpCovSampCaptureCleanupDpc@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureCleanupLookasides(x)
_EtwpCovSampCaptureCleanupLookasides@4 proc near
					; CODE XREF: EtwpCovSampCaptureCleanupDpc(x,x,x,x)+8p
					; EtwpCovSampCaptureContextStop(x)+71p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], 1
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [esi+3Ch]
		mov	[ebp+var_1], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	dword ptr [esi+1C8h], 0
		jnz	short loc_6829CC
		cmp	dword ptr [esi+1D0h], 0
		jnz	short loc_6829CC
		lea	eax, [esi+110h]
		push	edi
		mov	edi, [eax]
		cmp	edi, eax
		jz	short loc_682989
		lea	ebx, [esi+110h]

loc_682978:				; CODE XREF: EtwpCovSampCaptureCleanupLookasides(x)+56j
		lea	ecx, [edi-8]
		call	_EtwpCovSampLookasideFlushFreeListToCleanupList@4 ; EtwpCovSampLookasideFlushFreeListToCleanupList(x)
		mov	edi, [edi]
		cmp	edi, ebx
		jnz	short loc_682978
		lea	ebx, [esi+3Ch]

loc_682989:				; CODE XREF: EtwpCovSampCaptureCleanupLookasides(x)+42j
		lea	edx, [esi+118h]
		mov	ecx, [edx]
		pop	edi
		cmp	ecx, edx
		jz	short loc_6829B2
		mov	ebx, [ebp+var_8]

loc_682999:				; CODE XREF: EtwpCovSampCaptureCleanupLookasides(x)+7Bj
		mov	eax, [ecx+28h]
		cmp	eax, [ecx+24h]
		mov	ecx, [ecx]
		sbb	eax, eax
		not	eax
		and	ebx, eax
		cmp	ecx, edx
		jnz	short loc_682999
		test	ebx, ebx
		lea	ebx, [esi+3Ch]
		jz	short loc_6829CC

loc_6829B2:				; CODE XREF: EtwpCovSampCaptureCleanupLookasides(x)+66j
		push	0
		push	0
		lea	eax, [esi+1B8h]
		mov	dword ptr [esi+1D0h], 1
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_6829CC:				; CODE XREF: EtwpCovSampCaptureCleanupLookasides(x)+2Cj
					; EtwpCovSampCaptureCleanupLookasides(x)+35j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_6829E1
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6829E6
; 

loc_6829E1:				; CODE XREF: EtwpCovSampCaptureCleanupLookasides(x)+A5j
		xor	eax, eax
		lock and [ebx],	eax

loc_6829E6:				; CODE XREF: EtwpCovSampCaptureCleanupLookasides(x)+B1j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCovSampCaptureCleanupLookasides@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureContextStop(x)
_EtwpCovSampCaptureContextStop@4 proc near ; CODE XREF:	EtwpCoverageSamplerStop(x)+198p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	ecx, [esi+3Ch]
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		xor	ecx, ecx
		mov	bl, al
		mov	[esi+1C8h], ecx
		cmp	[esi+1CCh], ecx
		jz	short loc_682A28
		mov	[esi+1CCh], ecx

loc_682A28:				; CODE XREF: EtwpCovSampCaptureContextStop(x)+2Dj
		lea	edx, [esi+110h]
		mov	eax, [edx]
		jmp	short loc_682A3A
; 

loc_682A32:				; CODE XREF: EtwpCovSampCaptureContextStop(x)+49j
		mov	[eax+0Ch], ecx
		mov	[eax+10h], ecx
		mov	eax, [eax]

loc_682A3A:				; CODE XREF: EtwpCovSampCaptureContextStop(x)+3Dj
		cmp	eax, edx
		jnz	short loc_682A32
		lea	eax, [esi+1B8h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		and	dword ptr [esi+1D0h], 0
		lea	ecx, [esi+3Ch]
		mov	dl, bl
		call	KfReleaseSpinLock
		mov	ecx, esi
		call	_EtwpCovSampCaptureFlushSampleBuffers@4	; EtwpCovSampCaptureFlushSampleBuffers(x)
		mov	ecx, esi
		call	_EtwpCovSampCaptureCleanupLookasides@4 ; EtwpCovSampCaptureCleanupLookasides(x)
		mov	edi, 0FFD9DA60h
		or	ebx, 0FFFFFFFFh
		jmp	short loc_682AA4
; 

loc_682A73:				; CODE XREF: EtwpCovSampCaptureContextStop(x)+D3j
		call	_EtwpCovSampCaptureCancelApcs@4	; EtwpCovSampCaptureCancelApcs(x)
		mov	ecx, esi
		call	_EtwpCovSampCaptureFlushSampleBuffers@4	; EtwpCovSampCaptureFlushSampleBuffers(x)
		shld	ebx, edi, 1
		add	edi, edi
		mov	[esp+18h+var_4], ebx
		mov	[esp+18h+var_8], edi
		cmp	ebx, 0FFFFFFFDh
		jg	short loc_682AAC
		jl	short loc_682A9C
		cmp	edi, 0C3CBA000h
		jnb	short loc_682AAC

loc_682A9C:				; CODE XREF: EtwpCovSampCaptureContextStop(x)+9Fj
		push	0FFFFFFFDh
		mov	edi, 0C3CBA000h
		pop	ebx

loc_682AA4:				; CODE XREF: EtwpCovSampCaptureContextStop(x)+7Ej
		mov	[esp+18h+var_4], ebx
		mov	[esp+18h+var_8], edi

loc_682AAC:				; CODE XREF: EtwpCovSampCaptureContextStop(x)+9Dj
					; EtwpCovSampCaptureContextStop(x)+A7j
		lea	eax, [esp+18h+var_8]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esi+1B8h]
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, esi
		test	eax, eax
		jnz	short loc_682A73
		call	_EtwpCovSampCaptureFreeLookasides@8 ; EtwpCovSampCaptureFreeLookasides(x,x)
		mov	eax, [esi+1E8h]
		mov	edi, 56777445h
		test	eax, eax
		jz	short loc_682AEA
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+1E8h], 0

loc_682AEA:				; CODE XREF: EtwpCovSampCaptureContextStop(x)+E7j
		mov	eax, [esi+1ECh]
		test	eax, eax
		jz	short loc_682B02
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+1ECh], 0

loc_682B02:				; CODE XREF: EtwpCovSampCaptureContextStop(x)+FFj
		and	dword ptr [esi+1E4h], 0
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_EtwpCovSampCaptureContextStop@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureFlushSampleBuffers(x)
_EtwpCovSampCaptureFlushSampleBuffers@4	proc near
					; CODE XREF: EtwpCovSampCaptureContextStop(x)+6Ap
					; EtwpCovSampCaptureContextStop(x)+87p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	byte ptr [ebp+var_1], 0
		push	0FFFFh
		mov	[ebp+var_8], edi
		call	KeQueryMaximumProcessorCountEx
		xor	esi, esi
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_682BBB

loc_682B3C:				; CODE XREF: EtwpCovSampCaptureFlushSampleBuffers(x)+A4j
		mov	ecx, [edi+4]
		mov	edx, esi
		xor	ebx, ebx
		call	@ExSaDecodeHandleForIndex@8 ; ExSaDecodeHandleForIndex(x,x)
		mov	edi, eax
		lea	edx, [ebp+var_1]
		mov	ecx, edi
		call	_EtwpCovSampTryAcquireBufferLock@8 ; EtwpCovSampTryAcquireBufferLock(x,x)
		test	eax, eax
		jz	short loc_682BB2
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_682B65
		and	dword ptr [edi+4], 0
		mov	ebx, eax

loc_682B65:				; CODE XREF: EtwpCovSampCaptureFlushSampleBuffers(x)+48j
		test	ds:byte_70EFC6,	1
		jz	short loc_682B7A
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_682B7F
; 

loc_682B7A:				; CODE XREF: EtwpCovSampCaptureFlushSampleBuffers(x)+57j
		xor	eax, eax
		lock and [edi],	eax

loc_682B7F:				; CODE XREF: EtwpCovSampCaptureFlushSampleBuffers(x)+63j
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jz	short loc_682BB2
		or	eax, 0FFFFFFFFh
		lock xadd [ebx+10h], eax
		dec	eax
		test	eax, eax
		jg	short loc_682BB2
		jz	short loc_682BA4
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		test	eax, eax
		jnz	short loc_682BB2

loc_682BA4:				; CODE XREF: EtwpCovSampCaptureFlushSampleBuffers(x)+84j
		mov	edi, [ebp+var_8]
		mov	edx, ebx
		mov	ecx, edi
		call	_EtwpCovSampCaptureQueueBuffer@8 ; EtwpCovSampCaptureQueueBuffer(x,x)
		jmp	short loc_682BB5
; 

loc_682BB2:				; CODE XREF: EtwpCovSampCaptureFlushSampleBuffers(x)+41j
					; EtwpCovSampCaptureFlushSampleBuffers(x)+75j ...
		mov	edi, [ebp+var_8]

loc_682BB5:				; CODE XREF: EtwpCovSampCaptureFlushSampleBuffers(x)+9Bj
		inc	esi
		cmp	esi, [ebp+var_C]
		jb	short loc_682B3C

loc_682BBB:				; CODE XREF: EtwpCovSampCaptureFlushSampleBuffers(x)+25j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCovSampCaptureFlushSampleBuffers@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureKernelStack(x, x)
_EtwpCovSampCaptureKernelStack@8 proc near ; CODE XREF:	EtwpCovSampCaptureSample(x,x)+6Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_8]
		xor	esi, esi
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], esi
		push	eax
		mov	ebx, edx
		mov	[ebp+var_C], esi
		mov	edi, ecx
		mov	[ebp+var_4], esi
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		lea	edx, [ebp+var_4]
		mov	ecx, eax
		call	KeQueryCurrentStackInformationEx
		test	al, al
		jz	short loc_682C5E
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_682C5E
		cmp	eax, 5
		jz	short loc_682C5E
		cmp	eax, 7
		jz	short loc_682C5E
		cmp	eax, 8
		jz	short loc_682C5E
		cmp	eax, 9
		jz	short loc_682C5E
		movzx	eax, word ptr [edi+1Ah]
		movzx	edx, word ptr [edi+18h]
		shr	ebx, 1Ch
		cmp	dx, ax
		jb	short loc_682C57
		mov	ecx, eax
		mov	eax, ebx
		sub	edx, ecx
		shl	eax, 8
		add	ecx, 8
		add	edx, ebx
		push	eax
		push	edx
		lea	eax, [edi+ecx*4]
		push	eax
		call	RtlWalkFrameChain
		cmp	eax, ebx
		ja	short loc_682C44
		mov	esi, 0C0000225h
		jmp	short loc_682C63
; 

loc_682C44:				; CODE XREF: EtwpCovSampCaptureKernelStack(x,x)+7Bj
		or	dword ptr [edi+14h], 1
		sub	eax, ebx
		add	[edi+1Ah], ax
		mov	ecx, edi
		call	_EtwpCovSampCaptureBufferOptimizeIP@4 ;	EtwpCovSampCaptureBufferOptimizeIP(x)
		jmp	short loc_682C63
; 

loc_682C57:				; CODE XREF: EtwpCovSampCaptureKernelStack(x,x)+5Ej
		mov	esi, 0C00000E5h
		jmp	short loc_682C63
; 

loc_682C5E:				; CODE XREF: EtwpCovSampCaptureKernelStack(x,x)+33j
					; EtwpCovSampCaptureKernelStack(x,x)+3Aj ...
		mov	esi, 0C00000BBh

loc_682C63:				; CODE XREF: EtwpCovSampCaptureKernelStack(x,x)+82j
					; EtwpCovSampCaptureKernelStack(x,x)+95j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCovSampCaptureKernelStack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureQueueApc(x)
_EtwpCovSampCaptureQueueApc@4 proc near	; CODE XREF: EtwpCovSampCaptureSample(x,x)+DEp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	edx, ds:dword_6BC094
		push	ebx
		push	esi
		mov	esi, large fs:124h
		xor	ebx, ebx
		and	[ebp+var_4], ebx
		and	[ebp+var_10], ebx
		mov	[ebp+var_C], ecx
		mov	eax, [esi+150h]
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edx
		inc	edi
		mov	[ebp+var_18], esi
		mov	ecx, [eax+64h]
		shr	ecx, 3
		and	ecx, edi
		add	ecx, [eax+98h]
		jnz	loc_682DA8
		cmp	[esi+18Ch], bl
		jnz	loc_682DA8
		test	dword ptr [esi+58h], 4000h
		jz	loc_682DA8
		lea	eax, [esi+2FCh]
		mov	[ebp+var_14], eax
		lock bts dword ptr [eax], 17h
		jnb	short loc_682CE3
		mov	edi, 0C0000718h
		jmp	loc_682DF8
; 

loc_682CE3:				; CODE XREF: EtwpCovSampCaptureQueueApc(x)+6Dj
		mov	ecx, [edx+4]
		mov	[ebp+var_4], edi
		call	@ExSaDecodeHandle@4 ; ExSaDecodeHandle(x)
		mov	ecx, [ebp+var_8]
		mov	edi, eax
		lea	edx, [edi+8]
		call	_EtwpCovSampLookasidePop@8 ; EtwpCovSampLookasidePop(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_682D15
		lock inc dword ptr [edi+0FCh]
		mov	esi, [ebp+var_14]
		mov	edi, 0C000009Ah
		jmp	loc_682DF0
; 

loc_682D15:				; CODE XREF: EtwpCovSampCaptureQueueApc(x)+95j
		push	[ebp+var_8]
		mov	eax, offset _EtwpCovSampCaptureApc@20 ;	EtwpCovSampCaptureApc(x,x,x,x,x)
		lea	edi, [ebx+14h]
		push	0
		push	eax
		push	offset _EtwpCovSampCaptureApcRundown@4 ; EtwpCovSampCaptureApcRundown(x)
		push	eax
		push	0
		push	esi
		push	edi
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		and	dword ptr [ebx+38h], 0
		mov	eax, ds:_KeTickCount
		mov	[ebx+44h], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jbe	short loc_682D6F
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		push	0
		call	_KeTryToInsertQueueApc@12 ; KeTryToInsertQueueApc(x,x,x)
		test	al, al
		jnz	short loc_682D9E
		test	dword ptr [esi+58h], 4000h
		jz	short loc_682D68
		mov	ecx, esi
		call	_KeIsThreadRunning@4 ; KeIsThreadRunning(x)

loc_682D68:				; CODE XREF: EtwpCovSampCaptureQueueApc(x)+F5j
		mov	edi, 0C0000001h
		jmp	short loc_682DB8
; 

loc_682D6F:				; CODE XREF: EtwpCovSampCaptureQueueApc(x)+DCj
		jnb	short loc_682D86
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	[ebp+var_10], 1

loc_682D86:				; CODE XREF: EtwpCovSampCaptureQueueApc(x):loc_682D6Fj
		push	0
		push	0
		push	[ebp+var_C]
		push	edi
		call	KeInsertQueueApc
		test	al, al
		jnz	short loc_682D9E
		mov	edi, 0C0000001h
		jmp	short loc_682DAD
; 

loc_682D9E:				; CODE XREF: EtwpCovSampCaptureQueueApc(x)+ECj
					; EtwpCovSampCaptureQueueApc(x)+12Bj
		and	[ebp+var_4], 0
		xor	ebx, ebx
		xor	edi, edi
		jmp	short loc_682DAD
; 

loc_682DA8:				; CODE XREF: EtwpCovSampCaptureQueueApc(x)+40j
					; EtwpCovSampCaptureQueueApc(x)+4Cj ...
		mov	edi, 0C00000BBh

loc_682DAD:				; CODE XREF: EtwpCovSampCaptureQueueApc(x)+132j
					; EtwpCovSampCaptureQueueApc(x)+13Cj
		cmp	[ebp+var_10], 0
		jz	short loc_682DB8
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_682DB8:				; CODE XREF: EtwpCovSampCaptureQueueApc(x)+103j
					; EtwpCovSampCaptureQueueApc(x)+147j
		test	ebx, ebx
		jz	short loc_682DE4
		mov	esi, ds:dword_6BC094
		lea	eax, [ebx+14h]
		push	30h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebx+10h]
		add	esp, 0Ch
		and	dword ptr [ebx+44h], 0
		mov	ecx, esi
		push	ebx
		call	_EtwpCovSampCaptureReleaseToLookaside@12 ; EtwpCovSampCaptureReleaseToLookaside(x,x,x)
		mov	esi, [ebp+var_18]

loc_682DE4:				; CODE XREF: EtwpCovSampCaptureQueueApc(x)+150j
		cmp	[ebp+var_4], 0
		jz	short loc_682DF8
		add	esi, 2FCh

loc_682DF0:				; CODE XREF: EtwpCovSampCaptureQueueApc(x)+A6j
		mov	eax, 0FF7FFFFFh
		lock and [esi],	eax

loc_682DF8:				; CODE XREF: EtwpCovSampCaptureQueueApc(x)+74j
					; EtwpCovSampCaptureQueueApc(x)+17Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCovSampCaptureQueueApc@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampCaptureQueueBuffer(x, x)
_EtwpCovSampCaptureQueueBuffer@8 proc near
					; CODE XREF: EtwpCovSampCaptureBufferQueue(x,x)+A2p
					; EtwpCovSampCaptureBufferQueue(x,x)+B9p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edx, edi
		cmp	al, 2
		jbe	short loc_682E32
		lea	ecx, [esi+158h]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		test	eax, eax
		jnz	short loc_682E54
		push	eax
		push	eax
		lea	eax, [esi+178h]
		push	eax
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		jmp	short loc_682E54
; 

loc_682E32:				; CODE XREF: EtwpCovSampCaptureQueueBuffer(x,x)+12j
		lea	ecx, [esi+160h]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		test	eax, eax
		jnz	short loc_682E54
		push	eax
		push	dword ptr [esi+1E0h]
		lea	eax, [esi+168h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_682E54:				; CODE XREF: EtwpCovSampCaptureQueueBuffer(x,x)+21j
					; EtwpCovSampCaptureQueueBuffer(x,x)+31j ...
		pop	edi
		pop	esi
		retn
_EtwpCovSampCaptureQueueBuffer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureQueueDpc(x, x, x,	x)
_EtwpCovSampCaptureQueueDpc@16 proc near ; DATA	XREF: EtwpCovSampCaptureContextStart(x)+ACo

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, [ebp+arg_4]
		lea	ecx, [esi+158h]
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		test	eax, eax
		jz	short loc_682E9C
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx
		lea	ecx, [esi+160h]
		call	_EtwpCovSampPushListSList@12 ; EtwpCovSampPushListSList(x,x,x)
		test	eax, eax
		jnz	short loc_682E9C
		push	eax
		push	dword ptr [esi+1E0h]
		lea	eax, [esi+168h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_682E9C:				; CODE XREF: EtwpCovSampCaptureQueueDpc(x,x,x,x)+1Bj
					; EtwpCovSampCaptureQueueDpc(x,x,x,x)+30j
		pop	esi
		leave
		retn	10h
_EtwpCovSampCaptureQueueDpc@16 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampCaptureQueueRebalance(x)
_EtwpCovSampCaptureQueueRebalance@4 proc near ;	CODE XREF: EtwpCovSampLookasidePop(x,x)+2Bp
		mov	edx, ds:_KeTickCount
		mov	eax, edx
		sub	eax, [ecx+154h]
		cmp	eax, 40h
		jb	short locret_682ECA
		push	0
		push	0
		lea	eax, [ecx+120h]
		mov	[ecx+154h], edx
		push	eax
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)

locret_682ECA:				; CODE XREF: EtwpCovSampCaptureQueueRebalance(x)+11j
		retn
_EtwpCovSampCaptureQueueRebalance@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureRebalanceDpc(x, x, x, x)
_EtwpCovSampCaptureRebalanceDpc@16 proc	near
					; DATA XREF: EtwpCovSampCaptureContextStart(x)+7Eo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_KeTickCount
		push	0
		push	0
		mov	[ecx+154h], eax
		lea	eax, [ecx+140h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	ebp
		retn	10h
_EtwpCovSampCaptureRebalanceDpc@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureReleaseToLookaside(x, x, x)
_EtwpCovSampCaptureReleaseToLookaside@12 proc near
					; CODE XREF: EtwpCovSampCaptureApc(x,x,x,x,x)+94p
					; EtwpCovSampCaptureApcRelease(x)+26p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_0]
		push	edi
		mov	eax, [esi+14h]
		mov	edi, [esi+10h]
		test	eax, eax
		jnz	short loc_682F22
		mov	ecx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		xor	eax, eax
		inc	eax
		lock xadd [edi+30h], eax
		inc	eax
		cmp	eax, [edi+2Ch]
		jb	short loc_682F40
		jmp	short loc_682F30
; 

loc_682F22:				; CODE XREF: EtwpCovSampCaptureReleaseToLookaside(x,x,x)+17j
		mov	ecx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	eax, [esi+14h]
		test	eax, eax
		jnz	short loc_682F40

loc_682F30:				; CODE XREF: EtwpCovSampCaptureReleaseToLookaside(x,x,x)+2Ej
		push	0
		push	0
		lea	eax, [ebx+198h]
		push	eax
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)

loc_682F40:				; CODE XREF: EtwpCovSampCaptureReleaseToLookaside(x,x,x)+2Cj
					; EtwpCovSampCaptureReleaseToLookaside(x,x,x)+3Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_EtwpCovSampCaptureReleaseToLookaside@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureSample(x,	x)
_EtwpCovSampCaptureSample@8 proc near	; CODE XREF: EtwpCovSampProfileInterrupt(x,x)+D4p
					; EtwpCoverageSamplerContextSwap(x)+11Fj ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ds:dword_6BC094
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edx
		mov	ecx, [eax+4]
		xor	esi, esi
		and	[ebp+var_8], esi
		mov	[ebp+var_4], eax
		call	@ExSaDecodeHandle@4 ; ExSaDecodeHandle(x)
		cmp	[eax+20h], esi
		jz	short loc_682F84
		lock inc dword ptr [eax+0F8h]
		jmp	loc_68303A
; 

loc_682F84:				; CODE XREF: EtwpCovSampCaptureSample(x,x)+2Fj
		test	edi, edi
		jz	short loc_682F90
		cmp	edi, ds:_MmSystemRangeStart
		jb	short loc_682FC8

loc_682F90:				; CODE XREF: EtwpCovSampCaptureSample(x,x)+3Fj
		mov	ecx, [ebp+var_4]
		call	_EtwpCovSampCaptureBufferGet@4 ; EtwpCovSampCaptureBufferGet(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_682FC6
		mov	edx, edi
		mov	ecx, esi
		call	_EtwpCovSampCaptureBufferAddIP@8 ; EtwpCovSampCaptureBufferAddIP(x,x)
		mov	edi, [ebp+var_4]
		cmp	dword ptr [edi+1D4h], 0
		jnz	short loc_682FBB
		mov	edx, [ebp+var_C]
		call	_EtwpCovSampCaptureKernelStack@8 ; EtwpCovSampCaptureKernelStack(x,x)

loc_682FBB:				; CODE XREF: EtwpCovSampCaptureSample(x,x)+6Aj
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpCovSampCaptureBufferQueue@8 ; EtwpCovSampCaptureBufferQueue(x,x)
		xor	esi, esi

loc_682FC6:				; CODE XREF: EtwpCovSampCaptureSample(x,x)+55j
		xor	edi, edi

loc_682FC8:				; CODE XREF: EtwpCovSampCaptureSample(x,x)+47j
		test	dword ptr [ebx+58h], 400h
		jnz	short loc_68302A
		lea	eax, [ebx+2FCh]
		mov	[ebp+var_C], eax
		mov	eax, [eax]
		test	al, 1
		jnz	short loc_68302A
		test	dword ptr [ebx+58h], 4000h
		jz	short loc_68302A
		cmp	dword ptr [ebx+0A8h], 0
		jz	short loc_68302A
		mov	eax, [ebx+150h]
		mov	ecx, [eax+64h]
		shr	ecx, 3
		and	ecx, 1
		add	ecx, [eax+98h]
		jnz	short loc_68302A
		cmp	[ebx+18Ch], cl
		jnz	short loc_68302A
		lea	edx, [ebp+var_8]
		call	_EtwpCovSampSafeForUserAddressCapture@8	; EtwpCovSampSafeForUserAddressCapture(x,x)
		test	eax, eax
		jns	short loc_68303F
		cmp	[ebp+var_8], 0
		jnz	short loc_68302A
		mov	ecx, edi
		call	_EtwpCovSampCaptureQueueApc@4 ;	EtwpCovSampCaptureQueueApc(x)

loc_68302A:				; CODE XREF: EtwpCovSampCaptureSample(x,x)+88j
					; EtwpCovSampCaptureSample(x,x)+97j ...
		mov	ebx, [ebp+var_4]

loc_68302D:				; CODE XREF: EtwpCovSampCaptureSample(x,x)+106j
					; EtwpCovSampCaptureSample(x,x)+11Cj
		test	esi, esi
		jz	short loc_68303A
		mov	edx, esi
		mov	ecx, ebx
		call	_EtwpCovSampCaptureBufferRelease@8 ; EtwpCovSampCaptureBufferRelease(x,x)

loc_68303A:				; CODE XREF: EtwpCovSampCaptureSample(x,x)+38j
					; EtwpCovSampCaptureSample(x,x)+E8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_68303F:				; CODE XREF: EtwpCovSampCaptureSample(x,x)+D4j
		lea	eax, [ebx+2FCh]
		lock bts dword ptr [eax], 17h
		mov	ebx, [ebp+var_4]
		jb	short loc_68302D
		mov	edx, edi
		mov	ecx, ebx
		call	_EtwpCovSampCaptureUserAddresses@8 ; EtwpCovSampCaptureUserAddresses(x,x)
		mov	eax, [ebp+var_C]
		mov	ecx, 0FF7FFFFFh
		lock and [eax],	ecx
		jmp	short loc_68302D
_EtwpCovSampCaptureSample@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampLookasideFlushFreeListToCleanupList(x)
_EtwpCovSampLookasideFlushFreeListToCleanupList@4 proc near
					; CODE XREF: EtwpCovSampCaptureCleanupLookasides(x)+4Dp
					; EtwpCovSampCaptureFreeLookasides(x,x)+18p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, [ecx+10h]
		xor	esi, esi
		mov	[ebp+var_4], esi
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		test	eax, eax
		jz	short loc_683097
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx
		mov	ecx, edi
		call	_EtwpCovSampPushListSList@12 ; EtwpCovSampPushListSList(x,x,x)
		mov	esi, [ebp+var_4]
		lea	ecx, [edi+30h]
		mov	edx, esi
		lock xadd [ecx], edx

loc_683097:				; CODE XREF: EtwpCovSampLookasideFlushFreeListToCleanupList(x)+17j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_EtwpCovSampLookasideFlushFreeListToCleanupList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampLookasideGrow(x,	x)
_EtwpCovSampLookasideGrow@8 proc near	; CODE XREF: EtwpCovSampCaptureContextStart(x)+38Fp
					; EtwpCovSampCaptureRebalance(x)+3Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_8], ebx
		mov	edi, [esi+10h]
		mov	[ebp+var_C], edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	eax, [esi+20h]
		cmp	eax, [esi+24h]
		jb	short loc_6830CD
		mov	edi, 0FFh
		jmp	loc_683179
; 

loc_6830CD:				; CODE XREF: EtwpCovSampLookasideGrow(x,x)+24j
		push	esi
		push	ebx
		call	dword ptr [edi+18h]
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_6830E2
		mov	edi, 0C000009Ah
		jmp	loc_683179
; 

loc_6830E2:				; CODE XREF: EtwpCovSampLookasideGrow(x,x)+39j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp+var_8]
		add	ecx, 3Ch
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	edi, edi
		cmp	[esi+14h], edi
		jz	short loc_683138
		mov	eax, [esi+20h]
		cmp	eax, [esi+24h]
		jnb	short loc_683138
		inc	eax
		lea	ecx, [ebx+8]
		mov	[esi+20h], eax
		mov	eax, [ebp+var_C]
		inc	dword ptr [eax+2Ch]
		add	eax, 10h
		mov	edx, [eax+4]
		cmp	[edx], eax
		jz	short loc_683121
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_683121:				; CODE XREF: EtwpCovSampLookasideGrow(x,x)+7Dj
		mov	[ecx+4], edx
		mov	[ecx], eax
		mov	[edx], ecx
		mov	edx, ebx
		mov	[eax+4], ecx
		mov	ecx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	ebx, edi
		jmp	short loc_68313D
; 

loc_683138:				; CODE XREF: EtwpCovSampLookasideGrow(x,x)+5Ej
					; EtwpCovSampLookasideGrow(x,x)+66j
		mov	edi, 0FFh

loc_68313D:				; CODE XREF: EtwpCovSampLookasideGrow(x,x)+99j
		test	ds:byte_70EFC6,	1
		jz	short loc_683156
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+4]
		lea	ecx, [ecx+3Ch]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_683161
; 

loc_683156:				; CODE XREF: EtwpCovSampLookasideGrow(x,x)+A7j
		mov	eax, [ebp+var_8]
		xor	edx, edx
		add	eax, 3Ch
		lock and [eax],	edx

loc_683161:				; CODE XREF: EtwpCovSampLookasideGrow(x,x)+B7j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jz	short loc_683179
		push	56777445h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_683179:				; CODE XREF: EtwpCovSampLookasideGrow(x,x)+2Bj
					; EtwpCovSampLookasideGrow(x,x)+40j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCovSampLookasideGrow@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampLookasidePop(x, x)
_EtwpCovSampLookasidePop@8 proc	near	; CODE XREF: EtwpCovSampCaptureBufferGet(x)+15p
					; EtwpCovSampCaptureQueueApc(x)+8Cp ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		xor	edx, edx
		push	edi
		mov	edi, ecx
		cmp	[esi+4], dx
		jz	short loc_683199
		mov	ecx, esi
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edx, eax

loc_683199:				; CODE XREF: EtwpCovSampLookasidePop(x,x)+Ej
		test	edx, edx
		jnz	short loc_6831B4
		mov	eax, [esi+20h]
		cmp	eax, [esi+24h]
		jnb	short loc_6831B0
		lock inc dword ptr [esi+1Ch]
		mov	ecx, edi
		call	_EtwpCovSampCaptureQueueRebalance@4 ; EtwpCovSampCaptureQueueRebalance(x)

loc_6831B0:				; CODE XREF: EtwpCovSampLookasidePop(x,x)+23j
					; EtwpCovSampLookasidePop(x,x)+45j
		xor	eax, eax
		jmp	short loc_6831CF
; 

loc_6831B4:				; CODE XREF: EtwpCovSampLookasidePop(x,x)+1Bj
		mov	eax, [esi+14h]
		test	eax, eax
		jnz	short loc_6831C7
		push	edx
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpCovSampCaptureReleaseToLookaside@12 ; EtwpCovSampCaptureReleaseToLookaside(x,x,x)
		jmp	short loc_6831B0
; 

loc_6831C7:				; CODE XREF: EtwpCovSampLookasidePop(x,x)+39j
		mov	dword ptr [edx], 1B1Dh
		mov	eax, edx

loc_6831CF:				; CODE XREF: EtwpCovSampLookasidePop(x,x)+32j
		pop	edi
		pop	esi
		retn
_EtwpCovSampLookasidePop@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampPushListSList(x,	x, x)
_EtwpCovSampPushListSList@12 proc near	; CODE XREF: EtwpCovSampCaptureQueueDpc(x,x,x,x)+29p
					; EtwpCovSampLookasideFlushFreeListToCleanupList(x)+21p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [edx]
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		mov	ecx, edx
		inc	edi
		test	esi, esi
		jz	short loc_6831F2

loc_6831E7:				; CODE XREF: EtwpCovSampPushListSList(x,x,x)+1Ej
		mov	eax, [esi]
		inc	edi
		mov	ecx, esi
		mov	esi, eax
		test	eax, eax
		jnz	short loc_6831E7

loc_6831F2:				; CODE XREF: EtwpCovSampPushListSList(x,x,x)+13j
		push	edi
		push	ecx
		mov	ecx, ebx
		call	@InterlockedPushListSList@16 ; InterlockedPushListSList(x,x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx], edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_EtwpCovSampPushListSList@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampSafeForUserAddressCapture(x, x)
_EtwpCovSampSafeForUserAddressCapture@8	proc near
					; CODE XREF: EtwpCovSampCaptureApc(x,x,x,x,x)+9Fp
					; EtwpCovSampCaptureSample(x,x)+CDp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	esi, large fs:124h
		mov	cl, al
		mov	eax, [esi+2FCh]
		test	al, 1
		jnz	short loc_683236
		cmp	dword ptr [esi+0A8h], 0
		jz	short loc_683236
		xor	eax, eax
		jmp	short loc_683239
; 

loc_683236:				; CODE XREF: EtwpCovSampSafeForUserAddressCapture(x,x)+20j
					; EtwpCovSampSafeForUserAddressCapture(x,x)+29j
		xor	eax, eax
		inc	eax

loc_683239:				; CODE XREF: EtwpCovSampSafeForUserAddressCapture(x,x)+2Dj
		mov	[ebx], eax
		cmp	cl, 2
		jnb	short loc_683272
		mov	eax, large fs:124h
		cmp	dword ptr [eax+13Ch], 0
		jnz	short loc_683272
		call	_MmCanThreadFault@0 ; MmCanThreadFault()
		test	eax, eax
		jz	short loc_683272
		cmp	byte ptr [esi+30Ah], 0
		jz	short loc_683265
		test	edi, edi
		jz	short loc_683272

loc_683265:				; CODE XREF: EtwpCovSampSafeForUserAddressCapture(x,x)+58j
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		test	al, al
		jnz	short loc_683272
		xor	eax, eax
		jmp	short loc_683277
; 

loc_683272:				; CODE XREF: EtwpCovSampSafeForUserAddressCapture(x,x)+37j
					; EtwpCovSampSafeForUserAddressCapture(x,x)+46j ...
		mov	eax, 0C00000BBh

loc_683277:				; CODE XREF: EtwpCovSampSafeForUserAddressCapture(x,x)+69j
		pop	edi
		pop	esi
		pop	ebx
		retn
_EtwpCovSampSafeForUserAddressCapture@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampSampleBufferReserve(x, x, x)
_EtwpCovSampSampleBufferReserve@12 proc	near
					; CODE XREF: EtwpCovSampCaptureBufferQueue(x,x)+3Cp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_8], edx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_C], eax
		push	edi
		mov	ecx, [eax+4]
		mov	edi, ebx
		mov	[ebp+var_10], ebx
		mov	byte ptr [ebp+var_1], bl
		call	@ExSaDecodeHandle@4 ; ExSaDecodeHandle(x)
		mov	edx, [ebp+var_8]
		mov	esi, eax
		add	edx, 8
		push	7
		pop	ecx
		lea	eax, [edx-1]
		and	eax, ecx
		sub	ecx, eax
		add	edx, ecx
		mov	[ebp+var_8], edx

loc_6832B7:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+BDj
					; EtwpCovSampSampleBufferReserve(x,x,x)+10Cj ...
		lea	edx, [ebp+var_1]
		mov	[ebp+var_14], edi
		mov	ecx, esi
		call	_EtwpCovSampTryAcquireBufferLock@8 ; EtwpCovSampTryAcquireBufferLock(x,x)
		test	eax, eax
		jz	loc_68342E
		mov	ebx, [esi+4]
		test	ebx, ebx
		jnz	short loc_68333D
		test	edi, edi
		jz	short loc_6832EC
		xor	eax, eax
		cmp	[esi+44h], eax
		jz	loc_6833AB
		mov	ebx, [ebp+var_14]
		mov	[esi+4], edi
		mov	edi, eax
		jmp	short loc_68333F
; 

loc_6832EC:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+5Aj
		test	ds:byte_70EFC6,	1
		jz	short loc_683301
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_683306
; 

loc_683301:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+78j
		xor	eax, eax
		lock and [esi],	eax

loc_683306:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+84j
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_C]
		mov	ecx, eax
		lea	edx, [eax+0E8h]
		call	_EtwpCovSampLookasidePop@8 ; EtwpCovSampLookasidePop(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_6833D0
		xor	eax, eax
		mov	dword ptr [edi+10h], 1
		mov	[edi+18h], eax
		mov	[edi+14h], eax
		jmp	loc_6832B7
; 

loc_68333D:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+56j
		xor	eax, eax

loc_68333F:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+6Fj
		mov	ecx, [ebp+var_8]
		mov	edx, [ebx+18h]
		movzx	ecx, cx
		add	ecx, edx
		mov	[ebp+var_14], edx
		cmp	ecx, [ebx+1Ch]
		jle	loc_6833D9
		mov	[esi+4], eax
		test	ds:byte_70EFC6,	1
		jz	short loc_68336E
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_683373
; 

loc_68336E:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+E5j
		xor	eax, eax
		lock and [esi],	eax

loc_683373:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+F1j
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	eax, 0FFFFFFFFh
		lock xadd [ebx+10h], eax
		dec	eax
		test	eax, eax
		jg	loc_6832B7
		jz	short loc_68339C
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		test	eax, eax
		jnz	loc_6832B7

loc_68339C:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+112j
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		call	_EtwpCovSampCaptureQueueBuffer@8 ; EtwpCovSampCaptureQueueBuffer(x,x)
		jmp	loc_6832B7
; 

loc_6833AB:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+61j
		test	ds:byte_70EFC6,	1
		jz	short loc_6833C0
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6833C5
; 

loc_6833C0:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+137j
		xor	eax, eax
		lock and [esi],	eax

loc_6833C5:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+143j
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_68342E
; 

loc_6833D0:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+A8j
		lock inc dword ptr [esi+104h]
		jmp	short loc_683454
; 

loc_6833D9:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+D5j
		inc	dword ptr [ebx+14h]
		xor	eax, eax
		mov	[ebx+18h], ecx
		inc	eax
		lock xadd [ebx+10h], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_6833F2
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_6833F2:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+170j
		test	ds:byte_70EFC6,	1
		jz	short loc_683407
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_68340C
; 

loc_683407:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+17Ej
		xor	eax, eax
		lock and [esi],	eax

loc_68340C:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+18Aj
		mov	cl, byte ptr [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_14]
		lea	eax, [ecx+20h]
		add	eax, ebx
		mov	[ebp+var_10], eax
		mov	[eax], ecx
		mov	ecx, [ebp+var_8]
		mov	[eax+4], cx
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx

loc_68342E:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+4Bj
					; EtwpCovSampSampleBufferReserve(x,x,x)+153j
		test	edi, edi
		jz	short loc_683454
		or	eax, 0FFFFFFFFh
		lock xadd [edi+10h], eax
		dec	eax
		test	eax, eax
		jg	short loc_683454
		jz	short loc_68344A
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		test	eax, eax
		jnz	short loc_683454

loc_68344A:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+1C4j
		mov	ecx, [ebp+var_C]
		mov	edx, edi
		call	_EtwpCovSampCaptureQueueBuffer@8 ; EtwpCovSampCaptureQueueBuffer(x,x)

loc_683454:				; CODE XREF: EtwpCovSampSampleBufferReserve(x,x,x)+15Cj
					; EtwpCovSampSampleBufferReserve(x,x,x)+1B5j ...
		mov	eax, [ebp+var_10]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpCovSampSampleBufferReserve@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampTryAcquireBufferLock(x, x)
_EtwpCovSampTryAcquireBufferLock@8 proc	near
					; CODE XREF: EtwpCovSampCaptureFlushSampleBuffers(x)+3Ap
					; EtwpCovSampSampleBufferReserve(x,x,x)+44p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[esi], al
		cmp	al, 1
		jbe	short loc_68349C
		cmp	al, 2
		jz	short loc_6834A4
		test	ds:byte_70EFC6,	21h
		jz	short loc_683488
		mov	ecx, edi
		call	@KiTryToAcquireSpinLockInstrumented@4 ;	KiTryToAcquireSpinLockInstrumented(x)
		jmp	short loc_683497
; 

loc_683488:				; CODE XREF: EtwpCovSampTryAcquireBufferLock(x,x)+1Fj
		lock bts dword ptr [edi], 0
		jnb	short loc_683495
		xor	al, al
		pause
		jmp	short loc_683497
; 

loc_683495:				; CODE XREF: EtwpCovSampTryAcquireBufferLock(x,x)+2Fj
		mov	al, 1

loc_683497:				; CODE XREF: EtwpCovSampTryAcquireBufferLock(x,x)+28j
					; EtwpCovSampTryAcquireBufferLock(x,x)+35j
		movzx	eax, al
		jmp	short loc_6834AE
; 

loc_68349C:				; CODE XREF: EtwpCovSampTryAcquireBufferLock(x,x)+12j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_6834A4:				; CODE XREF: EtwpCovSampTryAcquireBufferLock(x,x)+16j
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	eax, eax
		inc	eax

loc_6834AE:				; CODE XREF: EtwpCovSampTryAcquireBufferLock(x,x)+3Cj
		pop	edi
		pop	esi
		retn
_EtwpCovSampTryAcquireBufferLock@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCoverageSamplerContextSwap(x)
_EtwpCoverageSamplerContextSwap@4 proc near ; CODE XREF: EtwTraceContextSwap+D0p
		mov	edx, ds:dword_6BC094
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	loc_6835D5
		cmp	ecx, [edx]
		jz	loc_6835D5
		mov	eax, large fs:20h
		cmp	ecx, [eax+0Ch]
		jz	loc_6835D5
		mov	ecx, [edx+4]
		call	@ExSaDecodeHandle@4 ; ExSaDecodeHandle(x)
		mov	esi, eax
		cmp	dword ptr [esi+80h], 0
		jz	loc_6835BF
		mov	edi, ds:_KeTickCount
		mov	eax, edi
		sub	eax, [esi+84h]
		cmp	eax, [esi+88h]
		jbe	loc_68358A
		mov	ebx, [esi+80h]
		add	[esi+94h], ebx
		mov	ecx, [esi+8Ch]
		mov	[esi+84h], edi
		cmp	[esi+94h], ecx
		jle	short loc_683530
		mov	[esi+94h], ecx

loc_683530:				; CODE XREF: EtwpCoverageSamplerContextSwap(x)+77j
		mov	edx, [esi+90h]
		lea	eax, [ebx+ebx]
		add	edx, [esi+9Ch]
		and	dword ptr [esi+90h], 0
		shr	edx, 1
		mov	[esi+9Ch], edx
		cmp	edx, eax
		jnb	short loc_68355D
		xor	eax, eax
		inc	eax
		mov	[esi+0A0h], eax
		jmp	short loc_683584
; 

loc_68355D:				; CODE XREF: EtwpCoverageSamplerContextSwap(x)+9Fj
		mov	eax, edx
		lea	ecx, [ebx+1]
		xor	edx, edx
		div	ecx
		mov	ecx, [esi+0A4h]
		xor	ecx, edi
		mov	[esi+0A0h], eax
		imul	ecx, 1000193h
		add	eax, eax
		mov	[esi+0A4h], ecx
		and	eax, ecx

loc_683584:				; CODE XREF: EtwpCoverageSamplerContextSwap(x)+AAj
		mov	[esi+98h], eax

loc_68358A:				; CODE XREF: EtwpCoverageSamplerContextSwap(x)+53j
		inc	dword ptr [esi+90h]
		mov	ecx, [esi+94h]
		test	ecx, ecx
		jle	short loc_6835D5
		dec	dword ptr [esi+98h]
		mov	eax, [esi+98h]
		test	eax, eax
		jg	short loc_6835D5
		lea	eax, [ecx-1]
		mov	[esi+94h], eax
		mov	eax, [esi+0A0h]
		mov	[esi+98h], eax

loc_6835BF:				; CODE XREF: EtwpCoverageSamplerContextSwap(x)+39j
		lock inc dword ptr [esi+10Ch]
		mov	edx, 50000004h
		xor	ecx, ecx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_EtwpCovSampCaptureSample@8 ; EtwpCovSampCaptureSample(x,x)
; 

loc_6835D5:				; CODE XREF: EtwpCoverageSamplerContextSwap(x)+Bj
					; EtwpCoverageSamplerContextSwap(x)+13j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
_EtwpCoverageSamplerContextSwap@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageSamplerPageFault(x, x, x)
_EtwpCoverageSamplerPageFault@12 proc near ; CODE XREF:	EtwTracePageFault(x,x,x,x)+12Ap

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	ecx, ds:dword_6BC094
		push	edi
		jz	loc_68373B
		test	ebx, ebx
		jz	loc_68373B
		mov	eax, ds:_MmSystemRangeStart
		cmp	ebx, eax
		jnb	loc_68373B
		cmp	edx, eax
		jnb	loc_68373B
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, [ecx+4]
		call	@ExSaDecodeHandle@4 ; ExSaDecodeHandle(x)
		mov	esi, eax
		xor	edi, edi
		cmp	[esi+0D0h], edi
		jz	loc_683715
		mov	ecx, ds:_KeTickCount
		mov	eax, ecx
		sub	eax, [esi+0D4h]
		mov	[ebp+var_4], ecx
		cmp	eax, [esi+0D8h]
		jbe	loc_6836E0
		mov	eax, [esi+0D0h]
		add	[esi+0E4h], eax
		mov	[esi+0D4h], ecx
		mov	ecx, [esi+0DCh]
		cmp	[esi+0E4h], ecx
		jle	short loc_68367B
		mov	[esi+0E4h], ecx

loc_68367B:				; CODE XREF: EtwpCoverageSamplerPageFault(x,x,x)+9Aj
		mov	edx, [esi+0ECh]
		mov	ecx, eax
		add	edx, [esi+0E0h]
		shr	edx, 1
		mov	[esi+0ECh], edx
		lea	eax, [ecx+ecx]
		mov	[esi+0E0h], edi
		cmp	edx, eax
		jnb	short loc_6836B4
		mov	dword ptr [esi+0F0h], 1
		mov	dword ptr [esi+0E8h], 1
		jmp	short loc_6836E0
; 

loc_6836B4:				; CODE XREF: EtwpCoverageSamplerPageFault(x,x,x)+C3j
		inc	ecx
		mov	eax, edx
		xor	edx, edx
		div	ecx
		mov	ecx, [esi+0F4h]
		xor	ecx, [ebp+var_4]
		imul	ecx, 1000193h
		mov	[esi+0F0h], eax
		add	eax, eax
		and	eax, ecx
		mov	[esi+0F4h], ecx
		mov	[esi+0E8h], eax

loc_6836E0:				; CODE XREF: EtwpCoverageSamplerPageFault(x,x,x)+76j
					; EtwpCoverageSamplerPageFault(x,x,x)+D9j
		inc	dword ptr [esi+0E0h]
		mov	ecx, [esi+0E4h]
		test	ecx, ecx
		jle	short loc_683718
		dec	dword ptr [esi+0E8h]
		mov	eax, [esi+0E8h]
		test	eax, eax
		jg	short loc_683718
		lea	eax, [ecx-1]
		mov	[esi+0E4h], eax
		mov	eax, [esi+0F0h]
		mov	[esi+0E8h], eax

loc_683715:				; CODE XREF: EtwpCoverageSamplerPageFault(x,x,x)+59j
		xor	edi, edi
		inc	edi

loc_683718:				; CODE XREF: EtwpCoverageSamplerPageFault(x,x,x)+115j
					; EtwpCoverageSamplerPageFault(x,x,x)+125j
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	edi, edi
		jz	short loc_68373B
		lock inc dword ptr [esi+114h]
		mov	edx, 50000010h
		mov	ecx, ebx
		call	_EtwpCovSampCaptureSample@8 ; EtwpCovSampCaptureSample(x,x)

loc_68373B:				; CODE XREF: EtwpCoverageSamplerPageFault(x,x,x)+16j
					; EtwpCoverageSamplerPageFault(x,x,x)+1Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpCoverageSamplerPageFault@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCoverageSamplerReadyThread(x)
_EtwpCoverageSamplerReadyThread@4 proc near ; CODE XREF: EtwTraceReadyThread(x,x,x,x)+B6p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ecx, ds:dword_6BC094
		push	edi
		mov	edx, [ecx]
		cmp	edx, eax
		jz	loc_68387D
		cmp	edx, esi
		jz	loc_68387D
		mov	edx, large fs:20h
		mov	eax, large fs:124h
		cmp	eax, [edx+0Ch]
		jnz	short loc_683781
		cmp	byte ptr [edx+11h], 1
		jbe	loc_68387D

loc_683781:				; CODE XREF: EtwpCoverageSamplerReadyThread(x)+33j
		mov	ecx, [ecx+4]
		call	@ExSaDecodeHandle@4 ; ExSaDecodeHandle(x)
		mov	esi, eax
		cmp	dword ptr [esi+0A8h], 0
		jz	loc_683867
		mov	edi, ds:_KeTickCount
		mov	eax, edi
		sub	eax, [esi+0ACh]
		cmp	eax, [esi+0B0h]
		jbe	loc_683832
		mov	ebx, [esi+0A8h]
		add	[esi+0BCh], ebx
		mov	ecx, [esi+0B4h]
		mov	[esi+0ACh], edi
		cmp	[esi+0BCh], ecx
		jle	short loc_6837D8
		mov	[esi+0BCh], ecx

loc_6837D8:				; CODE XREF: EtwpCoverageSamplerReadyThread(x)+8Ej
		mov	edx, [esi+0B8h]
		lea	eax, [ebx+ebx]
		add	edx, [esi+0C4h]
		and	dword ptr [esi+0B8h], 0
		shr	edx, 1
		mov	[esi+0C4h], edx
		cmp	edx, eax
		jnb	short loc_683805
		xor	eax, eax
		inc	eax
		mov	[esi+0C8h], eax
		jmp	short loc_68382C
; 

loc_683805:				; CODE XREF: EtwpCoverageSamplerReadyThread(x)+B6j
		mov	eax, edx
		lea	ecx, [ebx+1]
		xor	edx, edx
		div	ecx
		mov	ecx, [esi+0CCh]
		xor	ecx, edi
		mov	[esi+0C8h], eax
		imul	ecx, 1000193h
		add	eax, eax
		mov	[esi+0CCh], ecx
		and	eax, ecx

loc_68382C:				; CODE XREF: EtwpCoverageSamplerReadyThread(x)+C1j
		mov	[esi+0C0h], eax

loc_683832:				; CODE XREF: EtwpCoverageSamplerReadyThread(x)+6Aj
		inc	dword ptr [esi+0B8h]
		mov	ecx, [esi+0BCh]
		test	ecx, ecx
		jle	short loc_68387D
		dec	dword ptr [esi+0C0h]
		mov	eax, [esi+0C0h]
		test	eax, eax
		jg	short loc_68387D
		lea	eax, [ecx-1]
		mov	[esi+0BCh], eax
		mov	eax, [esi+0C8h]
		mov	[esi+0C0h], eax

loc_683867:				; CODE XREF: EtwpCoverageSamplerReadyThread(x)+50j
		lock inc dword ptr [esi+110h]
		mov	edx, 30000008h
		xor	ecx, ecx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_EtwpCovSampCaptureSample@8 ; EtwpCovSampCaptureSample(x,x)
; 

loc_68387D:				; CODE XREF: EtwpCoverageSamplerReadyThread(x)+15j
					; EtwpCoverageSamplerReadyThread(x)+1Dj ...
		pop	edi
		pop	esi
		pop	ebx
		retn
_EtwpCoverageSamplerReadyThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ProcessForExeModule(x, x, x, x)
_ProcessForExeModule@16	proc near	; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+117p
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+651p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	dword ptr [ecx+4], 400h
		push	esi
		mov	esi, edx
		jz	short loc_6838AF
		cmp	[ebp+arg_4], 0
		jz	short loc_6838AF
		mov	edx, [ebp+arg_0]
		mov	[esi+20h], edx
		mov	eax, [edx+44h]
		mov	[esi+18h], eax
		mov	eax, [edx+48h]
		mov	[esi+1Ch], eax
		call	_EtwpCovSampModuleReference@8 ;	EtwpCovSampModuleReference(x,x)

loc_6838AF:				; CODE XREF: ProcessForExeModule(x,x,x,x)+Fj
					; ProcessForExeModule(x,x,x,x)+15j
		pop	esi
		pop	ebp
		retn	8
_ProcessForExeModule@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceLastBranchRecord(x, x, x, x)
_EtwpTraceLastBranchRecord@16 proc near	; CODE XREF: EtwpLogKernelEvent+12E298p
					; EtwpLogSystemEventUnsafe+EDF4Cp ...

var_70		= dword	ptr -70h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_64], ecx
		lea	edi, [ebp+var_48]
		push	8
		xor	eax, eax
		mov	[ebp+var_60], edx
		pop	ecx
		rep stosd
		mov	ecx, large fs:124h
		xor	edx, edx
		mov	eax, large fs:20h
		mov	[ebp+var_58], edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], edx
		cmp	[eax+0Ch], ecx
		jz	loc_683A41
		test	[ebp+arg_4], 1800h
		jz	loc_683A41
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jnz	short loc_683913
		mov	ebx, ecx

loc_683913:				; CODE XREF: EtwpTraceLastBranchRecord(x,x,x,x)+5Bj
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_54]
		push	eax
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		lea	edx, [ebp+var_50]
		mov	ecx, eax
		call	KeQueryCurrentStackInformationEx
		test	al, al
		jz	loc_683A41
		mov	eax, [ebp+var_50]
		test	eax, eax
		jz	loc_683A41
		cmp	eax, 5
		jz	loc_683A41
		cmp	eax, 7
		jz	loc_683A41
		cmp	eax, 8
		jz	loc_683A41
		cmp	eax, 9
		jz	loc_683A41
		imul	edi, ds:_EtwpLastBranchStackSize, 0Ch
		mov	ecx, offset _EtwpLastBranchLookAsideList
		mov	[ebp+var_49], 0
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	short loc_683981
		lea	esi, [eax+4]
		test	esi, esi
		jnz	short loc_6839A4

loc_683981:				; CODE XREF: EtwpTraceLastBranchRecord(x,x,x,x)+C4j
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		sub	eax, [ebp+var_54]
		lea	ecx, [edi+218h]
		cmp	eax, ecx
		jbe	loc_683A41
		mov	eax, edi
		call	__alloca_probe_16
		mov	esi, esp
		mov	[ebp+var_49], 1

loc_6839A4:				; CODE XREF: EtwpTraceLastBranchRecord(x,x,x,x)+CBj
		lea	eax, [ebp+var_58]
		push	eax
		push	esi
		push	edi
		call	ds:off_6B140C	; MmProtectDriverSection(x,x,x)
		test	eax, eax
		js	short loc_683A2E
		mov	ecx, [ebp+var_58]
		test	ecx, ecx
		jz	short loc_683A2E
		mov	eax, [ebx+2ACh]
		mov	edx, [ebp+var_60]
		mov	[ebp+var_40], eax
		mov	eax, [ebx+2B0h]
		mov	[ebp+var_3C], eax
		mov	eax, [edx]
		mov	[ebp+var_48], eax
		mov	eax, [edx+4]
		mov	edx, [ebp+var_64]
		mov	[ebp+var_44], eax
		mov	eax, [edx+2C0h]
		mov	eax, [eax+4]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_28], eax
		xor	eax, eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_4]
		and	eax, 0FFFFE602h
		mov	[ebp+var_10], ecx
		or	eax, 2
		mov	[ebp+var_20], 14h
		push	eax
		push	0C20h
		push	2
		push	dword ptr [edx]
		mov	edx, [edx+2E4h]
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_18], esi
		call	EtwpLogKernelEvent

loc_683A2E:				; CODE XREF: EtwpTraceLastBranchRecord(x,x,x,x)+FEj
					; EtwpTraceLastBranchRecord(x,x,x,x)+105j
		cmp	[ebp+var_49], 0
		jnz	short loc_683A41
		lea	edx, [esi-4]
		mov	ecx, offset _EtwpLastBranchLookAsideList
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_683A41:				; CODE XREF: EtwpTraceLastBranchRecord(x,x,x,x)+43j
					; EtwpTraceLastBranchRecord(x,x,x,x)+50j ...
		lea	esp, [ebp-70h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpTraceLastBranchRecord@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceProcessorTrace(x, x, x, x)
_EtwpTraceProcessorTrace@16 proc near	; CODE XREF: EtwpLogKernelEvent+12E2DBp
					; EtwpLogSystemEventUnsafe+EDF8Fp ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_3C], eax
		mov	ecx, large fs:124h
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], eax
		mov	eax, large fs:20h
		cmp	[eax+0Ch], ecx
		jz	short loc_683AE5
		mov	eax, [ebp+arg_4]
		test	eax, 1800h
		jz	short loc_683AE5
		test	esi, esi
		jnz	short loc_683AA4
		mov	esi, ecx

loc_683AA4:				; CODE XREF: EtwpTraceProcessorTrace(x,x,x,x)+4Bj
		mov	ecx, [edi+2C4h]
		mov	[ebp+var_10], eax
		mov	[ebp+var_40], edi
		mov	eax, [esi+2ACh]
		mov	[ebp+var_30], eax
		mov	eax, [esi+2B0h]
		mov	[ebp+var_2C], eax
		mov	eax, [edx]
		mov	[ebp+var_38], eax
		mov	eax, [edx+4]
		lea	edx, [ebp+var_40]
		mov	[ebp+var_34], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_28], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_24], eax
		mov	eax, [ecx+10h]
		push	edx
		push	dword ptr [ecx]
		call	dword ptr [eax+8]

loc_683AE5:				; CODE XREF: EtwpTraceProcessorTrace(x,x,x,x)+3Dj
					; EtwpTraceProcessorTrace(x,x,x,x)+47j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpTraceProcessorTrace@16 endp

; 
; __stdcall EtwpWriteProcessorTrace(x, x, x, x)
_EtwpWriteProcessorTrace@16 dw 0FF8Bh	; DATA XREF: .text:004037CDr
; 
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		mov	edx, [ebp+8]
		mov	ecx, [ebp+10h]
		mov	eax, [ebp+14h]
		push	esi
		mov	esi, [edx+30h]
		push	edi
		mov	[edx+24h], eax
		and	esi, 0FFFFE602h
		mov	[edx+20h], ecx
		lea	eax, [edx+8]
		or	esi, 2
		mov	[ebp-24h], eax
		mov	eax, [ebp+0Ch]
		xor	edi, edi
		mov	[edx+30h], esi
		mov	edx, [edx]
		push	esi
		push	1F20h
		push	2
		push	dword ptr [edx]
		mov	edx, [edx+2E4h]
		mov	[ebp-0Ch], ecx
		lea	ecx, [ebp-24h]
		mov	[ebp-20h], edi
		mov	dword ptr [ebp-1Ch], 20h
		mov	[ebp-18h], edi
		mov	[ebp-14h], eax
		mov	[ebp-10h], edi
		mov	[ebp-8], edi
		call	EtwpLogKernelEvent
		mov	ecx, [ebp-4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAllocatePartitionMemory(x, x)
_EtwpAllocatePartitionMemory@8 proc near ; CODE	XREF: EtwpAllocateTraceBuffer:loc_51474Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	edi, edi
		push	dword ptr [ebx]
		push	5
		push	edi
		push	1
		push	edx
		push	edi
		push	edi
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	edi
		push	edi
		call	MmAllocatePartitionNodePagesForMdlEx
		mov	esi, eax
		test	esi, esi
		jz	short loc_683BDC
		push	40000020h
		push	edi
		push	edi
		push	1
		push	edi
		push	esi
		call	MmMapLockedPagesSpecifyCache
		mov	edi, eax
		test	edi, edi
		jz	short loc_683BCB
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_EtwpRegisterPartitionPages@12 ; EtwpRegisterPartitionPages(x,x,x)
		test	al, al
		jnz	short loc_683BE5
		push	esi
		push	edi
		call	MmUnmapLockedPages

loc_683BCB:				; CODE XREF: EtwpAllocatePartitionMemory(x,x)+3Fj
		xor	edx, edx
		mov	ecx, esi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_683BDC:				; CODE XREF: EtwpAllocatePartitionMemory(x,x)+29j
		xor	eax, eax

loc_683BDE:				; CODE XREF: EtwpAllocatePartitionMemory(x,x)+72j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_683BE5:				; CODE XREF: EtwpAllocatePartitionMemory(x,x)+4Dj
		mov	eax, edi
		jmp	short loc_683BDE
_EtwpAllocatePartitionMemory@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpFreePartitionMemory(x, x)
_EtwpFreePartitionMemory@8 proc	near	; CODE XREF: EtwpFreeTraceBuffer:loc_4F67FAp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	ecx, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, edx
		call	_EtwpUnregisterPartitionPages@8	; EtwpUnregisterPartitionPages(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_683C1D
		push	esi
		push	edi
		call	MmUnmapLockedPages
		xor	edx, edx
		mov	ecx, esi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_683C1D:				; CODE XREF: EtwpFreePartitionMemory(x,x)+1Aj
		pop	edi
		pop	esi
		leave
		retn
_EtwpFreePartitionMemory@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpMdlHashTableAllocator(x, x)
_EtwpMdlHashTableAllocator@8 proc near	; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+95p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	42777445h
		push	[ebp+arg_0]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_EtwpMdlHashTableAllocator@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpMdlHashTableDeallocator(x, x)
_EtwpMdlHashTableDeallocator@8 proc near ; CODE	XREF: EtwpRegisterPartitionPages(x,x,x)+1B6p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	42777445h
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_EtwpMdlHashTableDeallocator@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpRegisterPartitionPages(x, x, x)
_EtwpRegisterPartitionPages@12 proc near ; CODE	XREF: EtwpAllocatePartitionMemory(x,x)+46p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		push	4F777445h
		push	10h
		push	200h
		mov	esi, edx
		mov	[ebp+var_C], ecx
		xor	ebx, ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_18], edi
		test	edi, edi
		jnz	short loc_683C85
		xor	al, al
		jmp	loc_683E93
; 

loc_683C85:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+2Aj
		mov	eax, [ebp+arg_0]
		mov	[edi+4], eax
		mov	eax, [ebp+var_C]
		push	offset dword_6BC05C
		mov	[edi+8], esi
		mov	[edi+0Ch], eax
		call	ExAcquireSpinLockExclusive
		mov	ecx, ds:dword_6BC054
		shr	ecx, 5
		mov	byte ptr [ebp+arg_0+3],	al
		mov	[ebp+var_8], ebx
		lea	eax, [ecx+ecx]
		cmp	ds:_EtwpMdlTable, eax
		jb	loc_683E1B
		push	2
		mov	eax, ecx
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_683E1B
		mov	esi, [ebp+var_8]
		cmp	esi, 4
		jnb	short loc_683CE0
		push	4
		pop	esi

loc_683CE0:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+89j
		mov	eax, esi
		push	ebx
		shl	eax, 2
		push	eax
		call	_EtwpMdlHashTableAllocator@8 ; EtwpMdlHashTableAllocator(x,x)
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	loc_683E0F
		lea	eax, [esi-1]
		test	eax, esi
		jz	short loc_683D14
		or	ecx, 0FFFFFFFFh
		test	esi, esi
		jz	short loc_683D0C

loc_683D07:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+B8j
		inc	ecx
		shr	esi, 1
		jnz	short loc_683D07

loc_683D0C:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+B3j
		xor	esi, esi
		inc	esi
		shl	esi, cl
		mov	ecx, [ebp+var_4]

loc_683D14:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+ACj
		mov	eax, 4000000h
		cmp	esi, eax
		jbe	short loc_683D1F
		mov	esi, eax

loc_683D1F:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+C9j
		mov	[ebp+var_C], ecx
		mov	edx, esi
		shl	edx, 2
		mov	eax, offset _EtwpMdlTable
		add	ecx, edx
		mov	[ebp+var_8], ebx
		or	eax, 1
		shr	edx, 2
		cmp	ecx, [ebp+var_4]
		sbb	ecx, ecx
		not	ecx
		and	ecx, edx
		jbe	short loc_683D52
		mov	edx, [ebp+var_C]

loc_683D45:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+FEj
		inc	[ebp+var_8]
		mov	[edx], eax
		lea	edx, [edx+4]
		cmp	[ebp+var_8], ecx
		jb	short loc_683D45

loc_683D52:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+EEj
		mov	edx, ds:dword_6BC054
		or	eax, 0FFFFFFFFh
		mov	ecx, edx
		and	ecx, 1Fh
		shl	eax, cl
		mov	[ebp+var_10], eax
		test	edx, 0FFFFFFE0h
		jbe	short loc_683DE6
		mov	edi, ebx

loc_683D6F:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+18Fj
		mov	edx, ds:dword_6BC058
		mov	[ebp+var_14], edx

loc_683D78:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+17Cj
		mov	ecx, [edx+edi*4]
		mov	[ebp+var_C], ecx
		test	ecx, 1
		jnz	short loc_683DD0
		mov	eax, [ecx]
		mov	[edx+edi*4], eax
		mov	edx, [ecx+4]
		and	edx, [ebp+var_10]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	ebx, [ebp+var_C]
		imul	ecx, eax, 25h
		movzx	eax, dh
		mov	[ebp+var_8], edx
		lea	edx, [esi-1]
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+3]
		imul	ecx, 25h
		add	ecx, eax
		and	edx, ecx
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+edx*4]
		mov	[ebx], eax
		mov	eax, ebx
		mov	[ecx+edx*4], eax
		mov	edx, [ebp+var_14]
		jmp	short loc_683D78
; 

loc_683DD0:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+132j
		mov	edx, ds:dword_6BC054
		inc	edi
		mov	eax, edx
		shr	eax, 5
		push	0
		pop	ebx
		cmp	edi, eax
		jb	short loc_683D6F
		mov	edi, [ebp+var_18]

loc_683DE6:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+119j
		mov	ecx, ds:dword_6BC058
		and	edx, 1Fh
		mov	eax, [ebp+var_4]
		shl	esi, 5
		or	edx, esi
		mov	ds:dword_6BC058, eax
		mov	ds:dword_6BC054, edx
		test	ecx, ecx
		jz	short loc_683E1B
		push	ebx
		push	ecx
		call	_EtwpMdlHashTableDeallocator@8 ; EtwpMdlHashTableDeallocator(x,x)
		jmp	short loc_683E1B
; 

loc_683E0F:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+A1j
		test	ds:dword_6BC054, 0FFFFFFE0h
		jz	short loc_683E6F

loc_683E1B:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+64j
					; EtwpRegisterPartitionPages(x,x,x)+7Dj ...
		mov	ecx, ds:dword_6BC054
		or	ebx, 0FFFFFFFFh
		mov	edx, ecx
		and	ecx, 1Fh
		shl	ebx, cl
		and	ebx, [edi+4]
		movzx	eax, bl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_C], ebx
		imul	ecx, eax, 25h
		mov	bl, 1
		movzx	eax, bh
		shr	edx, 5
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_C+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_C+3]
		imul	ecx, 25h
		add	ecx, eax
		dec	edx
		and	edx, ecx
		mov	ecx, ds:dword_6BC058
		mov	eax, [ecx+edx*4]
		mov	[edi], eax
		mov	[ecx+edx*4], edi
		inc	ds:_EtwpMdlTable

loc_683E6F:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+1C7j
		push	offset dword_6BC05C
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jnz	short loc_683E91
		push	4F777445h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_683E91:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+232j
		mov	al, bl

loc_683E93:				; CODE XREF: EtwpRegisterPartitionPages(x,x,x)+2Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpRegisterPartitionPages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSetPartitionContext(x, x)
_EtwpSetPartitionContext@8 proc	near	; CODE XREF: EtwpStartLogger+120A68p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		push	edi
		mov	ecx, [ebx]
		mov	edi, edx
		mov	[ebp+var_4], esi
		test	ecx, ecx
		jz	short loc_683EBA
		call	PsDereferencePartition
		mov	[ebx], esi

loc_683EBA:				; CODE XREF: EtwpSetPartitionContext(x,x)+17j
		test	edi, edi
		jz	short loc_683EF4
		cmp	edi, 0FFFFFFFEh
		jz	short loc_683EF4
		mov	eax, large fs:124h
		push	ecx
		mov	ecx, edi
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_8], al
		lea	eax, [ebp+var_4]
		push	eax
		push	6F777445h
		push	[ebp+var_8]
		push	2
		pop	edx
		call	_PsReferencePartitionByHandle@24 ; PsReferencePartitionByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_683EF4
		mov	ecx, [ebp+var_4]
		mov	[ebx], ecx

loc_683EF4:				; CODE XREF: EtwpSetPartitionContext(x,x)+22j
					; EtwpSetPartitionContext(x,x)+27j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpSetPartitionContext@8 endp

; 
		align 4
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUnregisterPartitionPages(x, x)
_EtwpUnregisterPartitionPages@8	proc near ; CODE XREF: EtwpFreePartitionMemory(x,x)+11p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_18], ecx
		push	offset dword_6BC05C
		mov	esi, edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], eax
		call	ExAcquireSpinLockExclusive
		mov	edi, ds:dword_6BC054
		mov	ecx, edi
		mov	[ebp+var_1], al
		and	ecx, 1Fh
		or	eax, 0FFFFFFFFh
		shr	edi, 5
		shl	eax, cl
		mov	ebx, eax
		mov	[ebp+var_14], eax
		and	ebx, esi
		mov	[ebp+var_8], ebx
		test	edi, edi
		jz	loc_68400C
		movzx	eax, bl
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		movzx	eax, bh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+3]
		imul	edx, ecx, 25h
		add	edx, eax
		mov	eax, ds:dword_6BC058
		dec	edi
		mov	ecx, edi
		and	ecx, edx
		lea	esi, [eax+ecx*4]
		mov	ecx, [ebp+var_14]

loc_683F7A:				; CODE XREF: EtwpUnregisterPartitionPages(x,x)+8Dj
		mov	esi, [esi]
		test	esi, 1
		jnz	short loc_683F8F
		mov	eax, [esi+4]
		and	eax, ecx
		cmp	ebx, eax
		jnz	short loc_683F7A
		jmp	short loc_683F91
; 

loc_683F8F:				; CODE XREF: EtwpUnregisterPartitionPages(x,x)+84j
		xor	esi, esi

loc_683F91:				; CODE XREF: EtwpUnregisterPartitionPages(x,x)+8Fj
		test	esi, esi
		jz	short loc_68400C
		mov	edx, [ebp+var_18]
		mov	ebx, [esi+8]
		mov	[ebp+var_10], esi
		test	edx, edx
		jz	short loc_683FA7
		mov	eax, [esi+0Ch]
		mov	[edx], eax

loc_683FA7:				; CODE XREF: EtwpUnregisterPartitionPages(x,x)+A2j
		mov	edx, [esi+4]
		and	edx, ecx
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_8], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		xor	edx, edx
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+3]
		imul	ecx, 25h
		add	ecx, eax
		mov	eax, ds:dword_6BC058
		and	edi, ecx
		lea	ecx, [eax+edi*4]
		mov	eax, [esi]
		mov	edi, 80000002h
		and	eax, edi
		cmp	eax, edi
		jnz	short loc_683FEC
		mov	eax, [edx]

loc_683FEC:				; CODE XREF: EtwpUnregisterPartitionPages(x,x)+EAj
					; EtwpUnregisterPartitionPages(x,x)+FAj
		mov	eax, [ecx]
		test	al, 1
		jnz	short loc_684008
		cmp	eax, esi
		jz	short loc_683FFA
		mov	ecx, eax
		jmp	short loc_683FEC
; 

loc_683FFA:				; CODE XREF: EtwpUnregisterPartitionPages(x,x)+F6j
		mov	eax, [esi]
		mov	[ecx], eax
		dec	ds:_EtwpMdlTable
		or	[esi], edi
		jmp	short loc_68400F
; 

loc_684008:				; CODE XREF: EtwpUnregisterPartitionPages(x,x)+F2j
		mov	eax, [edx]
		jmp	short loc_68400F
; 

loc_68400C:				; CODE XREF: EtwpUnregisterPartitionPages(x,x)+44j
					; EtwpUnregisterPartitionPages(x,x)+95j
		mov	ebx, [ebp+var_C]

loc_68400F:				; CODE XREF: EtwpUnregisterPartitionPages(x,x)+108j
					; EtwpUnregisterPartitionPages(x,x)+10Cj
		push	offset dword_6BC05C
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_684034
		push	4F777445h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_684034:				; CODE XREF: EtwpUnregisterPartitionPages(x,x)+129j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_EtwpUnregisterPartitionPages@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpApplyPayloadFilterInternal(void *,char,int,int,int)
_EtwpApplyPayloadFilterInternal@28 proc	near ; CODE XREF: .text:00528353p
					; EtwpApplyEventIdPayloadFilter+CE32Ep

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1F		= byte ptr -1Fh
var_1E		= dword	ptr -1Eh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	68h
		push	offset dword_6AA208
		call	__SEH_prolog4_GS
		mov	eax, edx
		mov	[ebp+var_50], eax
		xor	edx, edx
		mov	[ebp+var_74], edx
		mov	[ebp+var_70], edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_6C], edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], edx
		mov	byte ptr [ebp+var_1E], dl
		mov	[ebp+var_2C], 0C000000Dh
		cmp	eax, 80h
		ja	loc_684756
		mov	[ebp+ms_exc.disabled], edx
		movzx	eax, word ptr [ecx]
		mov	esi, eax
		mov	[ebp+var_78], esi
		mov	bl, [ecx+2]
		mov	[ebp+var_5D], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	3Fh
		pop	ecx
		div	ecx
		mov	ecx, edx
		xor	eax, eax
		inc	eax
		xor	edx, edx
		call	__allshl
		mov	edi, [ebp+arg_C]
		and	eax, [edi+8]
		and	edx, [edi+0Ch]
		or	eax, edx
		jz	loc_68473C
		xor	ecx, ecx
		mov	[ebp+var_30], ecx
		movzx	eax, word ptr [edi+20h]
		add	eax, edi
		mov	[ebp+var_48], eax
		mov	[ebp+var_40], ecx
		movzx	eax, word ptr [edi+22h]
		xor	edx, edx
		push	0Ch
		pop	edi
		div	edi
		mov	edi, eax
		mov	[ebp+var_4C], edi
		mov	eax, [ebp+var_48]

loc_6840D3:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+D1j
		cmp	ecx, edi
		jnb	short loc_684110
		cmp	[eax], si
		jnz	short loc_6840E1
		cmp	[eax+2], bl
		jz	short loc_68410E

loc_6840E1:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+9Fj
		mov	dl, [eax+3]
		movzx	eax, dl
		mov	edi, [ebp+var_48]
		cmp	ax, [edi+6]
		mov	edi, [ebp+var_4C]
		jnb	loc_684756
		movzx	eax, dl
		cmp	[ebp+var_40], eax
		jnb	short loc_684102
		mov	[ebp+var_40], eax

loc_684102:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+C2j
		mov	eax, [ebp+var_48]
		add	eax, 0Ch
		mov	[ebp+var_48], eax
		inc	ecx
		jmp	short loc_6840D3
; 

loc_68410E:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+A4j
		cmp	ecx, edi

loc_684110:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+9Aj
		jz	loc_68473C
		xor	ecx, ecx
		mov	[ebp+var_38], ecx
		mov	esi, [ebp+var_50]
		shl	esi, 4
		movzx	eax, byte ptr [eax+3]
		inc	eax
		mov	[ebp+var_64], eax
		mov	edi, eax
		shl	edi, 2
		mov	[ebp+var_24], ecx
		mov	[ebp+var_3C], ecx
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	IoGetStackLimits
		lea	ecx, [esi+1000h]
		add	ecx, edi
		lea	eax, [ebp+var_24]
		sub	eax, [ebp+var_3C]
		cmp	eax, ecx
		jnb	short loc_68415D
		mov	eax, 0C000009Ah
		jmp	loc_68475B
; 

loc_68415D:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+116j
		mov	eax, edi
		call	__alloca_probe_16
		mov	[ebp+ms_exc.old_esp], esp
		mov	[ebp+var_40], esp
		mov	bl, [ebp+arg_4]
		test	bl, bl
		jz	short loc_684182
		mov	eax, esi
		call	__alloca_probe_16
		mov	[ebp+ms_exc.old_esp], esp
		mov	edi, esp
		mov	[ebp+var_38], edi
		jmp	short loc_684185
; 

loc_684182:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+134j
		mov	edi, [ebp+var_38]

loc_684185:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+145j
		test	bl, bl
		jz	loc_68421A
		mov	[ebp+ms_exc.disabled], 1
		test	esi, esi
		jz	short loc_6841BD
		test	byte ptr [ebp+arg_0], 3
		jz	short loc_6841A3
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_6841A3:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+161j
		mov	eax, [ebp+arg_0]
		lea	ecx, [esi+eax]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	short loc_6841B7
		cmp	ecx, eax
		jnb	short loc_6841BD

loc_6841B7:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+176j
		xor	ebx, ebx
		mov	[edx], bl
		jmp	short loc_6841BF
; 

loc_6841BD:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+15Bj
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+17Aj
		xor	ebx, ebx

loc_6841BF:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+180j
		push	esi		; size_t
		push	[ebp+arg_0]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, ebx
		mov	ecx, ebx

loc_6841D0:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+1C3j
		mov	[ebp+var_6C], eax
		mov	edx, [ebp+var_50]
		cmp	ecx, edx
		jnb	short loc_684200
		mov	ecx, eax
		add	ecx, ecx
		mov	edx, [edi+ecx*8+8]
		test	edx, edx
		jz	short loc_6841FB
		mov	ecx, [edi+ecx*8]
		add	edx, ecx
		mov	esi, ds:_MmUserProbeAddress
		cmp	edx, esi
		ja	short loc_6841F9
		cmp	edx, ecx
		jnb	short loc_6841FB

loc_6841F9:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+1B8j
		mov	[esi], bl

loc_6841FB:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+1A9j
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+1BCj
		inc	eax
		mov	ecx, eax
		jmp	short loc_6841D0
; 

loc_684200:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+19Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_38]
		jmp	short loc_684225
; 

loc_68420C:				; DATA XREF: .text:006AA228o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_684212:				; DATA XREF: .text:006AA22Co
		mov	eax, [ebp+var_2C]
		jmp	loc_6845E5
; 

loc_68421A:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+14Cj
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_38], eax
		mov	edx, [ebp+var_50]
		xor	ebx, ebx

loc_684225:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+1CFj
		mov	ecx, [ebp+arg_C]
		movzx	edi, word ptr [ecx+24h]
		add	edi, ecx
		mov	[ebp+var_2C], edi
		mov	ecx, ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_48]
		movzx	eax, word ptr [eax+4]
		lea	eax, [edi+eax*4]
		mov	esi, [ebp+var_40]
		xor	edi, edi
		mov	[ebp+var_3C], edi

loc_68424B:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+5C8j
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], eax
		mov	edi, [ebp+var_64]
		cmp	[ebp+var_3C], edi
		mov	edi, [ebp+var_2C]
		jnb	loc_684612
		cmp	ecx, edx
		jz	loc_684618
		mov	dl, [eax]
		mov	al, dl
		and	al, 0Fh
		mov	ecx, [ebp+var_24]
		movzx	ecx, word ptr [ecx+2]
		cmp	al, 7
		jnz	short loc_6842A9
		test	cx, cx
		jnz	loc_68431C
		mov	eax, [ebp+var_34]
		mov	[esi+3], al
		mov	ecx, ebx
		and	ecx, 0FFFh
		shl	ecx, 0Ch
		mov	eax, [esi]
		and	eax, 0FF000000h
		or	ecx, eax
		mov	[esi], ecx
		mov	ecx, [ebp+var_34]
		mov	edx, [ebp+var_50]
		jmp	loc_6845F7
; 

loc_6842A9:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+23Cj
		mov	esi, ecx
		cmp	al, 8
		jnz	short loc_6842B2
		push	4
		pop	esi

loc_6842B2:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+272j
		test	dl, 10h
		jz	short loc_684326
		cmp	esi, [ebp+var_3C]
		jnb	short loc_68431C
		mov	cl, [edi+esi*4]
		mov	al, cl
		and	al, 0Fh
		cmp	al, 2
		jz	short loc_6842CB
		cmp	al, 1
		jnz	short loc_68431C

loc_6842CB:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+28Aj
		test	cl, 30h
		jnz	short loc_68431C
		push	8
		pop	eax
		cmp	[edi+esi*4+2], ax
		ja	short loc_68431C
		cmp	byte ptr [edi+esi*4+1],	1
		jnz	short loc_68431C
		lfence	eax
		lea	eax, [ebp+var_5C]
		push	eax
		movzx	edx, word ptr [edi+esi*4+2]
		mov	ecx, [ebp+var_40]
		movzx	eax, byte ptr [ecx+esi*4+3]
		add	eax, eax
		mov	ecx, [ecx+esi*4]
		shr	ecx, 0Ch
		and	ecx, 0FFFh
		mov	esi, [ebp+var_38]
		add	ecx, [esi+eax*8]
		call	EtwpGetFieldValue
		test	al, al
		jz	short loc_68431C
		mov	esi, [ebp+var_5C]
		xor	ecx, ecx
		cmp	ecx, [ebp+var_58]
		jz	short loc_684328

loc_68431C:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+241j
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+27Fj ...
		mov	eax, 0C0000030h
		jmp	loc_68475B
; 

loc_684326:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+27Aj
		xor	ecx, ecx

loc_684328:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+2DFj
		mov	eax, [ebp+var_24]
		movzx	edi, byte ptr [eax+1]
		mov	[ebp+var_4C], edi
		test	byte ptr [eax],	20h
		jz	short loc_6843A9
		cmp	edi, [ebp+var_3C]
		jnb	short loc_68431C
		mov	edx, [ebp+var_2C]
		mov	cl, [edx+edi*4]
		mov	al, cl
		and	al, 0Fh
		cmp	al, 2
		jz	short loc_68434E
		cmp	al, 1
		jnz	short loc_68431C

loc_68434E:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+30Dj
		test	cl, 30h
		jnz	short loc_68431C
		push	8
		pop	eax
		cmp	[edx+edi*4+2], ax
		ja	short loc_68431C
		cmp	byte ptr [edx+edi*4+1],	1
		jnz	short loc_68431C
		lfence	eax
		lea	eax, [ebp+var_5C]
		push	eax
		movzx	edx, word ptr [edx+edi*4+2]
		mov	ecx, [ebp+var_40]
		movzx	eax, byte ptr [ecx+edi*4+3]
		add	eax, eax
		mov	ecx, [ecx+edi*4]
		shr	ecx, 0Ch
		and	ecx, 0FFFh
		mov	edi, [ebp+var_38]
		add	ecx, [edi+eax*8]
		call	EtwpGetFieldValue
		test	al, al
		jz	short loc_68431C
		mov	edi, [ebp+var_5C]
		mov	[ebp+var_4C], edi
		xor	ecx, ecx
		cmp	ecx, [ebp+var_58]
		jnz	loc_68431C
		mov	eax, [ebp+var_24]

loc_6843A9:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+2FAj
		test	esi, esi
		jnz	loc_684497
		mov	al, [eax]
		test	al, 10h
		jnz	loc_68431C
		cmp	edi, 1
		jnz	loc_68431C
		movzx	eax, al
		and	eax, 0Fh
		push	3
		pop	esi
		sub	eax, esi
		jz	loc_684587
		sub	eax, edi
		jz	short loc_684425
		dec	eax
		sub	eax, edi
		jnz	loc_68431C
		mov	edi, [ebp+var_44]
		mov	ecx, [edi]
		inc	ecx
		mov	eax, [edi+8]
		sub	eax, ebx
		cmp	eax, 2
		jb	loc_684756
		lea	eax, [ebp+var_5C]
		push	eax
		add	ecx, ebx
		xor	edx, edx
		inc	edx
		call	EtwpGetFieldValue
		test	al, al
		jz	loc_684756
		push	[ebp+var_5C]
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		mov	esi, eax
		cmp	esi, 0FFFFFFFFh
		jz	loc_684756
		xor	eax, eax
		mov	ecx, eax
		jmp	short loc_68449A
; 

loc_684425:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+39Cj
		mov	eax, [ebp+var_44]
		mov	edi, [eax+8]
		mov	[ebp+var_68], edi
		mov	edx, edi
		sub	edx, ebx
		push	2
		pop	esi
		cmp	edx, esi
		jb	loc_684756
		mov	eax, [eax]
		add	eax, ebx
		shr	edx, 1
		xor	ecx, ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+ms_exc.disabled], esi
		mov	esi, ecx

loc_68444D:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+42Cj
		mov	ecx, eax
		cmp	esi, edx
		jnb	short loc_684469
		xor	edi, edi
		cmp	[eax], di
		mov	edi, [ebp+var_68]
		jz	short loc_684469
		inc	esi
		mov	[ebp+var_54], esi
		lea	eax, [ecx+2]
		mov	[ebp+var_70], eax
		jmp	short loc_68444D
; 

loc_684469:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+416j
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+420j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	esi, edx
		jnz	short loc_68447B
		mov	[ebp+var_30], 2

loc_68447B:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+437j
		mov	ecx, esi
		sub	ecx, edx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 2
		cmp	esi, edx
		jnz	short loc_684495
		lea	eax, [ebx+edx*2]
		cmp	eax, edi
		jnz	loc_684756

loc_684495:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+44Dj
		add	esi, esi

loc_684497:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+370j
		mov	edi, [ebp+var_44]

loc_68449A:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+3E8j
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+59Aj
		imul	esi, [ebp+var_4C]
		mov	eax, [edi+8]
		sub	eax, ebx
		cmp	eax, esi
		jb	loc_684618
		mov	eax, [ebp+var_34]
		mov	edx, [ebp+var_28]
		mov	[edx+3], al
		mov	edx, ebx
		and	edx, 0FFFh
		shl	edx, 0Ch
		mov	eax, [ebp+var_28]
		mov	eax, [eax]
		and	eax, 0FF000000h
		or	edx, eax
		mov	eax, esi
		and	eax, 0FFFh
		or	edx, eax
		mov	eax, [ebp+var_28]
		mov	[eax], edx
		movzx	eax, byte ptr [eax+3]
		cmp	eax, [ebp+var_34]
		jnz	loc_684618
		mov	eax, edx
		shr	eax, 0Ch
		and	eax, 0FFFh
		cmp	eax, ebx
		jnz	loc_684618
		and	edx, 0FFFh
		cmp	edx, esi
		jnz	loc_684618
		lea	eax, [ecx+esi]
		add	ebx, eax
		cmp	ebx, [edi+8]
		ja	loc_684608
		mov	ecx, [ebp+var_34]
		mov	edx, [ebp+var_50]
		jnz	loc_6845F4
		inc	ecx
		mov	[ebp+var_34], ecx
		cmp	ecx, edx
		jnb	loc_6845F4
		xor	eax, eax
		mov	ebx, eax
		add	edi, 10h
		mov	[ebp+var_44], edi
		mov	eax, edx
		shl	eax, 4
		add	eax, [ebp+var_38]
		cmp	edi, eax
		jnb	loc_684608
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_684558
		cmp	[edi+8], eax
		jb	loc_684618
		mov	ebx, eax

loc_684558:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+510j
		xor	eax, eax
		mov	[ebp+var_30], eax
		cmp	ebx, [edi+8]
		jnz	loc_6845F4
		inc	ecx
		mov	[ebp+var_34], ecx
		mov	esi, [ebp+var_28]
		cmp	ecx, edx
		jnb	loc_6845F7
		mov	ebx, eax
		add	edi, 10h
		mov	[ebp+var_44], edi
		jmp	short loc_6845F7
; 

loc_68457F:				; DATA XREF: .text:006AA234o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_684585:				; DATA XREF: .text:006AA238o
		jmp	short loc_6845E0
; 

loc_684587:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+394j
		mov	edi, [ebp+var_44]
		mov	edx, [edi+8]
		cmp	ebx, edx
		jnb	loc_684756
		mov	eax, [edi]
		add	eax, ebx
		sub	edx, ebx
		xor	ecx, ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+ms_exc.disabled], esi
		mov	esi, ecx

loc_6845A5:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+57Fj
		mov	ecx, eax
		cmp	esi, edx
		jnb	short loc_6845BC
		cmp	byte ptr [eax],	0
		jz	short loc_6845BC
		inc	esi
		mov	[ebp+var_54], esi
		lea	eax, [ecx+1]
		mov	[ebp+var_74], eax
		jmp	short loc_6845A5
; 

loc_6845BC:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+56Ej
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+573j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	esi, edx
		jnz	short loc_6845CE
		mov	[ebp+var_30], 1

loc_6845CE:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+58Aj
		xor	ecx, ecx
		cmp	esi, edx
		setnz	cl
		jmp	loc_68449A
; 

loc_6845DA:				; DATA XREF: .text:006AA240o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_6845E0:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x):loc_684585j
					; DATA XREF: .text:006AA244o
		mov	eax, 0C000000Dh

loc_6845E5:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+1DAj
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_68475B
; 

loc_6845F4:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+4DFj
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+4EBj ...
		mov	esi, [ebp+var_28]

loc_6845F7:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+269j
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+534j ...
		inc	[ebp+var_3C]
		mov	eax, [ebp+var_24]
		add	eax, 4
		add	esi, 4
		jmp	loc_68424B
; 

loc_684608:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+4D3j
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+505j
		mov	eax, 0C0000001h
		jmp	loc_68475B
; 

loc_684612:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+21Fj
		cmp	[ebp+var_30], 0
		jz	short loc_684622

loc_684618:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+227j
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+46Aj ...
		mov	eax, 0C0000206h
		jmp	loc_68475B
; 

loc_684622:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+5DBj
		mov	esi, [ebp+var_48]
		movzx	eax, word ptr [esi+4]
		lea	eax, [edi+eax*4]
		mov	[ebp+var_68], eax
		movzx	ecx, word ptr [esi+8]
		mov	edx, [ebp+arg_C]
		movzx	eax, word ptr [edx+28h]
		add	eax, edx
		lea	edi, [eax+ecx*4]
		xor	eax, eax
		mov	cl, al
		mov	byte ptr [ebp+var_1E+1], cl
		mov	bl, al
		mov	[ebp+var_20], 1
		mov	edx, eax

loc_68464E:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+6F3j
		mov	[ebp+var_24], edx
		movzx	eax, word ptr [esi+0Ah]
		cmp	edx, eax
		jnb	loc_684733
		movzx	eax, word ptr [edi+2]
		imul	eax, 18h
		mov	esi, [ebp+arg_C]
		add	esi, 38h
		add	esi, eax
		mov	dl, 1
		xor	eax, eax
		mov	bh, al
		mov	ecx, eax

loc_684674:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+6B4j
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_1F], dl
		mov	[ebp+var_30], esi
		movzx	eax, word ptr [edi]
		mov	esi, eax
		mov	[ebp+var_64], esi
		shr	eax, 2
		and	eax, 3Fh
		cmp	ecx, eax
		mov	esi, [ebp+var_30]
		jnb	short loc_6846F1
		movzx	esi, word ptr [esi]
		mov	eax, [ebp+var_68]
		movzx	edx, byte ptr [eax+esi*4]
		and	edx, 0Fh
		mov	eax, [ebp+var_40]
		mov	ecx, [eax+esi*4]
		lea	eax, [ebp+var_1E]
		push	eax		; int
		mov	eax, ecx
		and	eax, 0FFFh
		push	eax		; size_t
		mov	eax, [ebp+var_40]
		movzx	eax, byte ptr [eax+esi*4+3]
		add	eax, eax
		shr	ecx, 0Ch
		and	ecx, 0FFFh
		mov	esi, [ebp+var_38]
		add	ecx, [esi+eax*8]
		push	ecx		; char *
		mov	esi, [ebp+var_30]
		push	esi		; int
		mov	ecx, [ebp+arg_C]
		call	EtwpApplyPredicate
		test	al, al
		jz	loc_68431C
		mov	dl, [ebp+var_1F]
		and	dl, byte ptr [ebp+var_1E]
		or	bh, byte ptr [ebp+var_1E]
		mov	ecx, [ebp+var_4C]
		inc	ecx
		add	esi, 18h
		jmp	short loc_684674
; 

loc_6846F1:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+655j
		mov	eax, [ebp+var_64]
		test	al, 2
		jnz	short loc_6846FA
		mov	bh, dl

loc_6846FA:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+6BBj
		test	al, 1
		jz	short loc_68471A
		cmp	[ebp+var_20], 0
		jz	short loc_68470B
		mov	cl, bh
		mov	byte ptr [ebp+var_1E+1], bh
		jmp	short loc_684713
; 

loc_68470B:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+6C7j
		mov	cl, byte ptr [ebp+var_1E+1]
		and	cl, bh
		mov	byte ptr [ebp+var_1E+1], cl

loc_684713:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+6CEj
		xor	eax, eax
		mov	[ebp+var_20], al
		jmp	short loc_684724
; 

loc_68471A:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+6C1j
		or	bl, bh
		mov	cl, byte ptr [ebp+var_1E+1]
		cmp	bl, 1
		jz	short loc_684733

loc_684724:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+6DDj
		mov	edx, [ebp+var_24]
		inc	edx
		add	edi, 4
		mov	esi, [ebp+var_48]
		jmp	loc_68464E
; 

loc_684733:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+61Cj
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+6E7j
		or	bl, cl
		mov	eax, [ebp+arg_10]
		mov	[eax], bl
		jmp	short loc_684742
; 

loc_68473C:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+6Ej
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x):loc_684110j
		mov	eax, [ebp+arg_10]
		mov	byte ptr [eax],	1

loc_684742:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+6FFj
		xor	eax, eax
		jmp	short loc_68475B
; 

loc_684746:				; DATA XREF: .text:006AA21Co
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_68474C:				; DATA XREF: .text:006AA220o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_684756:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+34j
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+B6j ...
		mov	eax, 0C000000Dh

loc_68475B:				; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+11Dj
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+2E6j ...
		lea	esp, [ebp-88h]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_EtwpApplyPayloadFilterInternal@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpApplyPredicate(int,char *,size_t,int)
EtwpApplyPredicate proc	near		; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+697p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	30h
		push	offset dword_6AA178
		call	__SEH_prolog4
		mov	eax, ecx
		xor	ebx, ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_684807 ; default
		mov	bh, bl
		mov	esi, [ebp+arg_0]
		movzx	edi, word ptr [esi+2]
		mov	[ebp+arg_8], edi
		sub	edx, 1
		jz	loc_684B9A
		sub	edx, 1
		jz	loc_684A42
		sub	edx, 1
		jz	loc_68494E
		sub	edx, 1
		jz	short loc_68482D
		sub	edx, 1
		jnz	short loc_684807 ; default
		cmp	ecx, 10h
		jnz	short loc_684807 ; default
		mov	[ebp+ms_exc.disabled], 4
		push	ecx		; size_t
		lea	eax, [esi+8]
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		setz	bl
		mov	[ebp+var_19], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		movzx	eax, di
		sub	eax, 1Eh
		jz	loc_684A98
		sub	eax, 1
		jz	loc_684928

loc_684807:				; CODE XREF: EtwpApplyPredicate+21j
					; EtwpApplyPredicate+52j ...
		xor	al, al		; default

loc_684809:				; CODE XREF: EtwpApplyPredicate+32Cj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_68481B:				; DATA XREF: .text:006AA1BCo
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_684821:				; CODE XREF: EtwpApplyPredicate:loc_6848D0j
					; EtwpApplyPredicate:loc_684949j ...
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_684807 ; default
; 

loc_68482D:				; CODE XREF: EtwpApplyPredicate+4Dj
		test	cl, 1
		jnz	short loc_684807 ; default
		shr	ecx, 1
		mov	[ebp+arg_8], ecx
		movzx	ecx, word ptr [eax+2Ch]
		add	ecx, eax
		movzx	eax, word ptr [eax+2Eh]
		shr	eax, 1
		lea	edx, [ecx+eax*2]
		mov	eax, [esi+8]
		lea	ecx, [ecx+eax*2]
		mov	[ebp+arg_0], ecx
		cmp	ecx, edx
		jnb	short loc_684807 ; default
		mov	esi, ecx
		xor	eax, eax

loc_684857:				; CODE XREF: EtwpApplyPredicate+F0j
		cmp	[esi], ax
		jz	short loc_684865
		cmp	esi, edx
		jnb	short loc_684865
		add	esi, 2
		jmp	short loc_684857
; 

loc_684865:				; CODE XREF: EtwpApplyPredicate+E7j
					; EtwpApplyPredicate+EBj
		sub	esi, ecx
		sar	esi, 1
		jnz	short loc_684872
		mov	bl, al
		jmp	loc_684A98
; 

loc_684872:				; CODE XREF: EtwpApplyPredicate+F6j
		movzx	eax, di
		sub	eax, 14h
		jz	short loc_6848D7
		sub	eax, 1
		jz	short loc_6848D5
		sub	eax, 9
		jz	short loc_68488F
		sub	eax, 1
		jnz	loc_684807	; default
		mov	bh, 1

loc_68488F:				; CODE XREF: EtwpApplyPredicate+10Fj
		mov	bl, bh
		mov	eax, [ebp+arg_8]
		cmp	esi, eax
		jnz	loc_684A98
		mov	bl, 1
		mov	edx, [ebp+arg_4]
		mov	[ebp+ms_exc.disabled], 1

loc_6848A8:				; CODE XREF: EtwpApplyPredicate+155j
		test	esi, esi
		jz	short loc_684919
		mov	ax, [ecx]
		cmp	ax, [edx]
		jz	short loc_6848B8

loc_6848B4:				; CODE XREF: EtwpApplyPredicate+24Aj
		xor	bl, bl
		jmp	short loc_684916
; 

loc_6848B8:				; CODE XREF: EtwpApplyPredicate+13Fj
		add	edx, 2
		mov	[ebp+var_20], edx
		add	ecx, 2
		mov	[ebp+var_2C], ecx
		dec	esi
		mov	[ebp+var_24], esi
		jmp	short loc_6848A8
; 

loc_6848CA:				; DATA XREF: .text:006AA198o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_6848D0:				; DATA XREF: .text:006AA19Co
		jmp	loc_684821
; 

loc_6848D5:				; CODE XREF: EtwpApplyPredicate+10Aj
		mov	bh, 1

loc_6848D7:				; CODE XREF: EtwpApplyPredicate+105j
		mov	bl, bh
		mov	eax, [ebp+arg_8]
		cmp	esi, eax
		ja	loc_684A98
		mov	edi, [ebp+arg_4]
		movzx	edx, word ptr [ecx]
		mov	[ebp+arg_4], edx
		sub	eax, esi
		inc	eax
		lea	eax, [edi+eax*2]
		mov	[ebp+arg_8], eax
		xor	bl, bl
		and	[ebp+ms_exc.disabled], 0

loc_6848FC:				; CODE XREF: EtwpApplyPredicate+1CEj
		cmp	edi, eax
		jnb	short loc_684919
		cmp	[edi], dx
		jnz	short loc_68493B
		push	esi		; size_t
		push	ecx		; wchar_t *
		push	edi		; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_684932

loc_684914:				; CODE XREF: EtwpApplyPredicate+2AFj
		mov	bl, 1

loc_684916:				; CODE XREF: EtwpApplyPredicate+143j
		mov	[ebp+var_19], bl

loc_684919:				; CODE XREF: EtwpApplyPredicate+137j
					; EtwpApplyPredicate+18Bj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	bh, bh
		jz	loc_684A98

loc_684928:				; CODE XREF: EtwpApplyPredicate+8Ej
		test	bl, bl
		setz	bl
		jmp	loc_684A98
; 

loc_684932:				; CODE XREF: EtwpApplyPredicate+19Fj
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	eax, [ebp+arg_8]

loc_68493B:				; CODE XREF: EtwpApplyPredicate+190j
		add	edi, 2
		mov	[ebp+var_20], edi
		jmp	short loc_6848FC
; 

loc_684943:				; DATA XREF: .text:006AA18Co
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_684949:				; DATA XREF: .text:006AA190o
		jmp	loc_684821
; 

loc_68494E:				; CODE XREF: EtwpApplyPredicate+44j
		movzx	edi, word ptr [eax+30h]
		add	edi, eax
		movzx	eax, word ptr [eax+32h]
		add	eax, edi
		add	edi, [esi+8]
		cmp	edi, eax
		jnb	loc_684807	; default
		mov	esi, edi

loc_684967:				; CODE XREF: EtwpApplyPredicate+1FEj
		cmp	byte ptr [esi],	0
		jz	short loc_684973
		cmp	esi, eax
		jnb	short loc_684973
		inc	esi
		jmp	short loc_684967
; 

loc_684973:				; CODE XREF: EtwpApplyPredicate+1F7j
					; EtwpApplyPredicate+1FBj
		sub	esi, edi
		jz	loc_684A96
		mov	eax, [ebp+arg_8]
		movzx	eax, ax
		sub	eax, 14h
		jz	short loc_6849DE
		sub	eax, 1
		jz	short loc_6849DC
		sub	eax, 9
		jz	short loc_68499B
		sub	eax, 1
		jnz	loc_684807	; default
		mov	bh, 1

loc_68499B:				; CODE XREF: EtwpApplyPredicate+21Bj
		mov	bl, bh
		cmp	esi, ecx
		jnz	loc_684A98
		mov	bl, 1
		mov	ecx, [ebp+arg_4]
		mov	[ebp+ms_exc.disabled], 3

loc_6849B1:				; CODE XREF: EtwpApplyPredicate+25Cj
		test	esi, esi
		jz	loc_684919
		mov	al, [ecx]
		cmp	al, [edi]
		jnz	loc_6848B4
		inc	ecx
		mov	[ebp+var_28], ecx
		inc	edi
		mov	[ebp+var_30], edi
		dec	esi
		mov	[ebp+var_24], esi
		jmp	short loc_6849B1
; 

loc_6849D1:				; DATA XREF: .text:006AA1B0o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_6849D7:				; DATA XREF: .text:006AA1B4o
		jmp	loc_684821
; 

loc_6849DC:				; CODE XREF: EtwpApplyPredicate+216j
		mov	bh, 1

loc_6849DE:				; CODE XREF: EtwpApplyPredicate+211j
		mov	bl, bh
		cmp	esi, ecx
		ja	loc_684A98
		mov	edx, [ebp+arg_4]
		mov	[ebp+arg_8], edx
		mov	al, [edi]
		mov	byte ptr [ebp+arg_4+3],	al
		mov	eax, edx
		sub	eax, esi
		inc	eax
		add	eax, ecx
		mov	[ebp+arg_0], eax
		xor	bl, bl
		mov	[ebp+ms_exc.disabled], 2

loc_684A06:				; CODE XREF: EtwpApplyPredicate+2C2j
		cmp	edx, eax
		jnb	loc_684919
		mov	al, byte ptr [ebp+arg_4+3]
		cmp	[edx], al
		jnz	short loc_684A2B
		push	esi		; size_t
		push	edi		; char *
		push	edx		; char *
		call	_strncmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_684914
		mov	edx, [ebp+arg_8]

loc_684A2B:				; CODE XREF: EtwpApplyPredicate+2A0j
		inc	edx
		mov	[ebp+arg_8], edx
		mov	[ebp+var_28], edx
		mov	eax, [ebp+arg_0]
		jmp	short loc_684A06
; 

loc_684A37:				; DATA XREF: .text:006AA1A4o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_684A3D:				; DATA XREF: .text:006AA1A8o
		jmp	loc_684821
; 

loc_684A42:				; CODE XREF: EtwpApplyPredicate+3Bj
		lea	eax, [ebp+var_40]
		push	eax
		mov	edx, ecx
		mov	ecx, [ebp+arg_4]
		call	EtwpGetFieldValue
		test	al, al
		jz	loc_684807	; default
		movzx	eax, di
		cmp	eax, 8		; switch 9 cases
		ja	loc_684807	; default
		jmp	ds:off_684CB7[eax*4] ; switch jump

loc_684A6B:				; DATA XREF: .text:off_684CB7o
		mov	eax, [ebp+var_40] ; case 0x0
		cmp	eax, [esi+8]
		jnz	short loc_684A96
		mov	eax, [ebp+var_3C]
		cmp	eax, [esi+0Ch]
		jmp	loc_684CA8
; 

loc_684A7E:				; CODE XREF: EtwpApplyPredicate+2F1j
					; DATA XREF: .text:off_684CB7o
		mov	eax, [ebp+var_40] ; case 0x1
		cmp	eax, [esi+8]
		jnz	loc_684CAE
		mov	eax, [ebp+var_3C]
		cmp	eax, [esi+0Ch]

loc_684A90:				; CODE XREF: EtwpApplyPredicate+479j
		jnz	loc_684CAE

loc_684A96:				; CODE XREF: EtwpApplyPredicate+202j
					; EtwpApplyPredicate+2FEj ...
		xor	bl, bl

loc_684A98:				; CODE XREF: EtwpApplyPredicate+85j
					; EtwpApplyPredicate+FAj ...
		mov	ecx, [ebp+arg_C]
		mov	[ecx], bl
		mov	al, 1
		jmp	loc_684809
; 

loc_684AA4:				; CODE XREF: EtwpApplyPredicate+2F1j
					; DATA XREF: .text:off_684CB7o
		mov	eax, [ebp+var_3C] ; case 0x2
		cmp	eax, [esi+0Ch]
		ja	short loc_684A96
		jb	loc_684CAE
		mov	eax, [ebp+var_40]
		cmp	eax, [esi+8]

loc_684AB8:				; CODE XREF: EtwpApplyPredicate+3CCj
					; EtwpApplyPredicate+490j ...
		ja	short loc_684A96
		jmp	loc_684CAE
; 

loc_684ABF:				; CODE XREF: EtwpApplyPredicate+2F1j
					; DATA XREF: .text:off_684CB7o
		mov	eax, [ebp+var_3C] ; case 0x3
		cmp	eax, [esi+0Ch]
		jb	short loc_684A96
		ja	loc_684CAE
		mov	eax, [ebp+var_40]
		cmp	eax, [esi+8]

loc_684AD3:				; CODE XREF: EtwpApplyPredicate+4A7j
		jbe	short loc_684A96
		jmp	loc_684CAE
; 

loc_684ADA:				; CODE XREF: EtwpApplyPredicate+2F1j
					; DATA XREF: .text:off_684CB7o
		mov	eax, [ebp+var_3C] ; case 0x4
		cmp	eax, [esi+0Ch]
		ja	short loc_684A96
		jb	loc_684CAE
		mov	eax, [ebp+var_40]
		cmp	eax, [esi+8]

loc_684AEE:				; CODE XREF: EtwpApplyPredicate+400j
					; EtwpApplyPredicate+4BEj ...
		jnb	short loc_684A96
		jmp	loc_684CAE
; 

loc_684AF5:				; CODE XREF: EtwpApplyPredicate+2F1j
					; DATA XREF: .text:off_684CB7o
		mov	eax, [ebp+var_3C] ; case 0x5
		cmp	eax, [esi+0Ch]
		jb	short loc_684A96
		ja	loc_684CAE
		mov	eax, [ebp+var_40]
		cmp	eax, [esi+8]

loc_684B09:				; CODE XREF: EtwpApplyPredicate+4D1j
		jb	short loc_684A96
		jmp	loc_684CAE
; 

loc_684B10:				; CODE XREF: EtwpApplyPredicate+2F1j
					; DATA XREF: .text:off_684CB7o
		mov	ecx, [ebp+var_3C] ; case 0x6
		cmp	[esi+0Ch], ecx
		ja	loc_684A96
		jb	short loc_684B2A
		mov	eax, [esi+8]
		cmp	eax, [ebp+var_40]
		ja	loc_684A96

loc_684B2A:				; CODE XREF: EtwpApplyPredicate+3A9j
		cmp	ecx, [esi+14h]
		ja	loc_684A96
		jb	loc_684CAE
		mov	eax, [ebp+var_40]
		cmp	eax, [esi+10h]
		jmp	loc_684AB8
; 

loc_684B44:				; CODE XREF: EtwpApplyPredicate+2F1j
					; DATA XREF: .text:off_684CB7o
		mov	ecx, [ebp+var_3C] ; case 0x7
		cmp	ecx, [esi+0Ch]
		jb	loc_684CAE
		ja	short loc_684B5E
		mov	eax, [ebp+var_40]
		cmp	eax, [esi+8]
		jb	loc_684CAE

loc_684B5E:				; CODE XREF: EtwpApplyPredicate+3DDj
		cmp	[esi+14h], ecx
		jb	loc_684CAE
		ja	loc_684A96
		mov	eax, [esi+10h]
		cmp	eax, [ebp+var_40]
		jmp	loc_684AEE
; 

loc_684B78:				; CODE XREF: EtwpApplyPredicate+2F1j
					; DATA XREF: .text:off_684CB7o
		mov	ecx, [esi+8]	; case 0x8
		mov	edx, [esi+0Ch]
		mov	eax, ecx
		or	eax, edx
		jz	loc_684807	; default
		push	edx
		push	ecx
		push	[ebp+var_3C]
		push	[ebp+var_40]
		call	__aullrem
		jmp	loc_684CA6
; 

loc_684B9A:				; CODE XREF: EtwpApplyPredicate+32j
		lea	eax, [ebp+var_38]
		push	eax
		mov	edx, ecx
		mov	ecx, [ebp+arg_4]
		call	EtwpGetSignedFieldValue
		test	al, al
		jz	loc_684807	; default
		mov	edx, [esi+8]
		mov	ecx, [esi+0Ch]
		mov	eax, [esi+10h]
		mov	esi, [esi+14h]
		movzx	edi, di
		cmp	edi, 8		; switch 9 cases
		ja	loc_684807	; default
		jmp	ds:off_684CDB[edi*4] ; switch jump

loc_684BCF:				; DATA XREF: .text:off_684CDBo
		cmp	[ebp+var_38], edx ; case 0x0
		jnz	loc_684A96
		cmp	[ebp+var_34], ecx
		jmp	loc_684CA8
; 

loc_684BE0:				; CODE XREF: EtwpApplyPredicate+455j
					; DATA XREF: .text:off_684CDBo
		cmp	[ebp+var_38], edx ; case 0x1
		jnz	loc_684CAE
		cmp	[ebp+var_34], ecx
		jmp	loc_684A90
; 

loc_684BF1:				; CODE XREF: EtwpApplyPredicate+455j
					; DATA XREF: .text:off_684CDBo
		cmp	[ebp+var_34], ecx ; case 0x2
		jg	loc_684A96
		jl	loc_684CAE
		cmp	[ebp+var_38], edx
		jmp	loc_684AB8
; 

loc_684C08:				; CODE XREF: EtwpApplyPredicate+455j
					; DATA XREF: .text:off_684CDBo
		cmp	[ebp+var_34], ecx ; case 0x3
		jl	loc_684A96
		jg	loc_684CAE
		cmp	[ebp+var_38], edx
		jmp	loc_684AD3
; 

loc_684C1F:				; CODE XREF: EtwpApplyPredicate+455j
					; DATA XREF: .text:off_684CDBo
		cmp	[ebp+var_34], ecx ; case 0x4
		jg	loc_684A96
		jl	loc_684CAE
		cmp	[ebp+var_38], edx
		jmp	loc_684AEE
; 

loc_684C36:				; CODE XREF: EtwpApplyPredicate+455j
					; DATA XREF: .text:off_684CDBo
		cmp	[ebp+var_34], ecx ; case 0x5
		jl	loc_684A96
		jg	short loc_684CAE
		cmp	[ebp+var_38], edx
		jmp	loc_684B09
; 

loc_684C49:				; CODE XREF: EtwpApplyPredicate+455j
					; DATA XREF: .text:off_684CDBo
		cmp	ecx, [ebp+var_34] ; case 0x6
		jg	loc_684A96
		jl	short loc_684C5D
		cmp	edx, [ebp+var_38]
		ja	loc_684A96

loc_684C5D:				; CODE XREF: EtwpApplyPredicate+4DFj
		cmp	[ebp+var_34], esi
		jg	loc_684A96
		jl	short loc_684CAE
		cmp	[ebp+var_38], eax
		jmp	loc_684AB8
; 

loc_684C70:				; CODE XREF: EtwpApplyPredicate+455j
					; DATA XREF: .text:off_684CDBo
		cmp	[ebp+var_34], ecx ; case 0x7
		jl	short loc_684CAE
		jg	short loc_684C7C
		cmp	[ebp+var_38], edx
		jb	short loc_684CAE

loc_684C7C:				; CODE XREF: EtwpApplyPredicate+502j
		cmp	esi, [ebp+var_34]
		jl	short loc_684CAE
		jg	loc_684A96
		cmp	eax, [ebp+var_38]
		jmp	loc_684AEE
; 

loc_684C8F:				; CODE XREF: EtwpApplyPredicate+455j
					; DATA XREF: .text:off_684CDBo
		mov	eax, edx	; case 0x8
		or	eax, ecx
		jz	loc_684807	; default
		push	ecx
		push	edx
		push	[ebp+var_34]
		push	[ebp+var_38]
		call	__allrem

loc_684CA6:				; CODE XREF: EtwpApplyPredicate+422j
		or	eax, edx

loc_684CA8:				; CODE XREF: EtwpApplyPredicate+306j
					; EtwpApplyPredicate+468j
		jnz	loc_684A96

loc_684CAE:				; CODE XREF: EtwpApplyPredicate+311j
					; EtwpApplyPredicate:loc_684A90j ...
		mov	bl, 1
		jmp	loc_684A98
EtwpApplyPredicate endp

; 
		db 8Bh,	0FFh
off_684CB7	dd offset loc_684A6B	; DATA XREF: EtwpApplyPredicate+2F1r
		dd offset loc_684A7E	; jump table for switch	statement
		dd offset loc_684AA4
		dd offset loc_684ABF
		dd offset loc_684ADA
		dd offset loc_684AF5
		dd offset loc_684B10
		dd offset loc_684B44
		dd offset loc_684B78
off_684CDB	dd offset loc_684BCF	; DATA XREF: EtwpApplyPredicate+455r
		dd offset loc_684BE0	; jump table for switch	statement
		dd offset loc_684BF1
		dd offset loc_684C08
		dd offset loc_684C1F
		dd offset loc_684C36
		dd offset loc_684C49
		dd offset loc_684C70
		dd offset loc_684C8F

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpGetFieldValue proc near		; CODE XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+2CEp
					; EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+351p ...

var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0Ch
		push	offset dword_6AA1E8
		call	__SEH_prolog4
		mov	esi, ecx
		mov	bl, 1
		and	[ebp+ms_exc.disabled], 0
		sub	edx, 1
		jz	short loc_684D49
		sub	edx, 1
		jz	short loc_684D44
		dec	edx
		sub	edx, 1
		jz	short loc_684D37
		sub	edx, 4
		jnz	short loc_684D60
		mov	eax, [esi]
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [esi+4]
		mov	[ecx+4], eax
		jmp	short loc_684D65
; 

loc_684D37:				; CODE XREF: EtwpGetFieldValue+22j
		mov	eax, [esi]
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		and	dword ptr [ecx+4], 0
		jmp	short loc_684D65
; 

loc_684D44:				; CODE XREF: EtwpGetFieldValue+1Cj
		movzx	eax, word ptr [esi]
		jmp	short loc_684D4C
; 

loc_684D49:				; CODE XREF: EtwpGetFieldValue+17j
		movzx	eax, byte ptr [esi]

loc_684D4C:				; CODE XREF: EtwpGetFieldValue+48j
		mov	ecx, [ebp+arg_0]
		cdq
		mov	[ecx], eax
		mov	[ecx+4], edx
		jmp	short loc_684D65
; 

loc_684D57:				; DATA XREF: .text:006AA1FCo
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_684D5D:				; DATA XREF: .text:006AA200o
		mov	esp, [ebp+ms_exc.old_esp]

loc_684D60:				; CODE XREF: EtwpGetFieldValue+27j
		xor	bl, bl
		mov	[ebp+var_19], bl

loc_684D65:				; CODE XREF: EtwpGetFieldValue+36j
					; EtwpGetFieldValue+43j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, bl
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
EtwpGetFieldValue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpGetSignedFieldValue	proc near	; CODE XREF: EtwpApplyPredicate+430p

var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0Ch
		push	offset dword_6AA1C8
		call	__SEH_prolog4
		mov	esi, ecx
		mov	bl, 1
		and	[ebp+ms_exc.disabled], 0
		sub	edx, 1
		jz	short loc_684DC1
		sub	edx, 1
		jz	short loc_684DBC
		dec	edx
		sub	edx, 1
		jz	short loc_684DB8
		sub	edx, 4
		jnz	short loc_684DD8
		mov	eax, [esi]
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [esi+4]
		mov	[ecx+4], eax
		jmp	short loc_684DDD
; 

loc_684DB8:				; CODE XREF: EtwpGetSignedFieldValue+22j
		mov	eax, [esi]
		jmp	short loc_684DC4
; 

loc_684DBC:				; CODE XREF: EtwpGetSignedFieldValue+1Cj
		movsx	eax, word ptr [esi]
		jmp	short loc_684DC4
; 

loc_684DC1:				; CODE XREF: EtwpGetSignedFieldValue+17j
		movsx	eax, byte ptr [esi]

loc_684DC4:				; CODE XREF: EtwpGetSignedFieldValue+3Aj
					; EtwpGetSignedFieldValue+3Fj
		mov	ecx, [ebp+arg_0]
		cdq
		mov	[ecx], eax
		mov	[ecx+4], edx
		jmp	short loc_684DDD
; 

loc_684DCF:				; DATA XREF: .text:006AA1DCo
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_684DD5:				; DATA XREF: .text:006AA1E0o
		mov	esp, [ebp+ms_exc.old_esp]

loc_684DD8:				; CODE XREF: EtwpGetSignedFieldValue+27j
		xor	bl, bl
		mov	[ebp+var_19], bl

loc_684DDD:				; CODE XREF: EtwpGetSignedFieldValue+36j
					; EtwpGetSignedFieldValue+4Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, bl
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
EtwpGetSignedFieldValue	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 365. ExGetCurrentProcessorCpuUsage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExGetCurrentProcessorCpuUsage(x)
		public _ExGetCurrentProcessorCpuUsage@4
_ExGetCurrentProcessorCpuUsage@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	esi
		push	edi
		push	64h
		mov	esi, [eax+4A8h]
		add	esi, [eax+4A4h]
		mov	eax, [eax+0Ch]
		pop	edi
		adc	ecx, ecx
		push	ecx
		mov	eax, [eax+194h]
		mul	edi
		push	esi
		push	edx
		push	eax
		call	__aulldiv
		sub	edi, eax
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_ExGetCurrentProcessorCpuUsage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetLookasideInformation(x, x, x)
_ExpGetLookasideInformation@12 proc near ; CODE	XREF: PAGE:0078004Fp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	ebx, edx
		xor	esi, esi
		shr	ebx, 5
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], ebx
		test	ebx, ebx
		jz	loc_6850A3
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_10], al
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		push	[ebp+var_10]
		call	ExLockUserBuffer
		mov	[ebp+var_10], eax
		test	eax, eax
		js	loc_6850A1
		and	[ebp+var_10], esi
		mov	edx, offset _ExPoolLookasideListHead
		mov	ecx, ds:_ExPoolLookasideListHead
		mov	esi, [ebp+var_8]

loc_684EA2:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+B8j
		cmp	ecx, edx
		jz	short loc_684EF8
		mov	ax, [ecx-2Ch]
		mov	[esi], ax
		mov	ax, [ecx-28h]
		mov	[esi+2], ax
		mov	eax, [ecx-24h]
		mov	[esi+4], eax
		mov	eax, [ecx-24h]
		sub	eax, [ecx-20h]
		mov	[esi+8], eax
		mov	eax, [ecx-1Ch]
		mov	[esi+0Ch], eax
		mov	eax, [ecx-1Ch]
		sub	eax, [ecx-18h]
		inc	edi
		mov	[esi+10h], eax
		mov	eax, [ecx-14h]
		mov	[esi+14h], eax
		mov	eax, [ecx-10h]
		mov	[esi+18h], eax
		mov	eax, [ecx-0Ch]
		mov	[esi+1Ch], eax
		cmp	edi, ebx
		jz	loc_68508A
		mov	ecx, [ecx]
		add	esi, 20h
		mov	[ebp+var_8], esi
		jmp	short loc_684EA2
; 

loc_684EF8:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+66j
		mov	ecx, ds:_ExSystemLookasideListHead
		mov	edx, offset _ExSystemLookasideListHead
		jmp	short loc_684F4F
; 

loc_684F05:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+113j
		mov	ax, [ecx-2Ch]
		inc	edi
		mov	[esi], ax
		mov	ax, [ecx-28h]
		mov	[esi+2], ax
		mov	eax, [ecx-24h]
		mov	[esi+4], eax
		mov	eax, [ecx-20h]
		mov	[esi+8], eax
		mov	eax, [ecx-1Ch]
		mov	[esi+0Ch], eax
		mov	eax, [ecx-18h]
		mov	[esi+10h], eax
		mov	eax, [ecx-14h]
		mov	[esi+14h], eax
		mov	eax, [ecx-10h]
		mov	[esi+18h], eax
		mov	eax, [ecx-0Ch]
		mov	[esi+1Ch], eax
		cmp	edi, ebx
		jz	loc_68508A
		mov	ecx, [ecx]
		add	esi, 20h
		mov	[ebp+var_8], esi

loc_684F4F:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+C5j
		cmp	ecx, edx
		jnz	short loc_684F05
		mov	ebx, offset _ExNPagedLookasideLock
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, ebx
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_ExNPagedLookasideListHead
		cmp	ecx, offset _ExNPagedLookasideListHead
		jz	short loc_684FC9
		mov	edx, [ebp+var_14]

loc_684F79:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+189j
		mov	ax, [ecx-2Ch]
		mov	[esi], ax
		mov	ax, [ecx-28h]
		mov	[esi+2], ax
		mov	eax, [ecx-24h]
		mov	[esi+4], eax
		mov	eax, [ecx-20h]
		mov	[esi+8], eax
		mov	eax, [ecx-1Ch]
		mov	[esi+0Ch], eax
		mov	eax, [ecx-18h]
		mov	[esi+10h], eax
		and	dword ptr [esi+14h], 0
		inc	edi
		mov	eax, [ecx-10h]
		mov	[esi+18h], eax
		mov	eax, [ecx-0Ch]
		mov	[esi+1Ch], eax
		cmp	edi, edx
		jz	loc_685067
		mov	ecx, [ecx]
		add	esi, 20h
		mov	[ebp+var_8], esi
		cmp	ecx, offset _ExNPagedLookasideListHead
		jnz	short loc_684F79

loc_684FC9:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+136j
		test	ds:byte_70EFC6,	1
		jz	short loc_684FE1
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	esi, [ebp+var_8]
		jmp	short loc_684FE6
; 

loc_684FE1:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+192j
		xor	eax, eax
		lock and [ebx],	eax

loc_684FE6:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+1A1j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, offset _ExPagedLookasideLock
		mov	[ebp+var_8], ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, ebx
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, ds:_ExPagedLookasideListHead
		mov	ecx, offset _ExPagedLookasideListHead
		cmp	edx, ecx
		jz	short loc_685067
		mov	ebx, [ebp+var_14]
		add	esi, 4

loc_68501C:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+224j
		mov	ax, [edx-2Ch]
		inc	edi
		mov	[esi-4], ax
		mov	ax, [edx-28h]
		mov	[esi-2], ax
		mov	eax, [edx-24h]
		mov	[esi], eax
		mov	eax, [edx-20h]
		mov	[esi+4], eax
		mov	eax, [edx-1Ch]
		mov	[esi+8], eax
		mov	eax, [edx-18h]
		mov	[esi+0Ch], eax
		mov	dword ptr [esi+10h], 1
		mov	eax, [edx-10h]
		mov	[esi+14h], eax
		mov	eax, [edx-0Ch]
		mov	[esi+18h], eax
		cmp	edi, ebx
		jz	short loc_685064
		mov	edx, [edx]
		add	esi, 20h
		cmp	edx, ecx
		jnz	short loc_68501C

loc_685064:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+21Bj
		mov	ebx, [ebp+var_8]

loc_685067:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+175j
					; ExpGetLookasideInformation(x,x,x)+1D6j
		test	ds:byte_70EFC6,	1
		jz	short loc_68507C
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_685081
; 

loc_68507C:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+230j
		xor	eax, eax
		lock and [ebx],	eax

loc_685081:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+23Cj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_68508A:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+AAj
					; ExpGetLookasideInformation(x,x,x)+103j
		push	[ebp+var_C]
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	0
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_10]
		jmp	short loc_6850A3
; 

loc_6850A1:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+4Dj
		mov	esi, eax

loc_6850A3:				; CODE XREF: ExpGetLookasideInformation(x,x,x)+21j
					; ExpGetLookasideInformation(x,x,x)+261j
		mov	eax, [ebp+arg_0]
		shl	edi, 5
		mov	[eax], edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpGetLookasideInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetStackTraceInformation(x, x, x)
_ExpGetStackTraceInformation@12	proc near ; CODE XREF: PAGE:0077F049p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	28h
		push	offset dword_6AA2C8
		call	__SEH_prolog4
		mov	esi, ds:_RtlpStackTraceDatabase
		mov	[ebp+var_38], esi
		test	esi, esi
		jnz	short loc_6850D7
		mov	eax, 0C0000001h
		jmp	loc_6851CA
; 

loc_6850D7:				; CODE XREF: ExpGetStackTraceInformation(x,x,x)+17j
		mov	byte ptr [esi+45h], 1
		xor	edi, edi
		mov	ebx, 0C0000004h
		push	10h
		pop	eax
		mov	[ebp+var_20], eax
		and	[ebp+ms_exc.disabled], edi
		cmp	edx, eax
		jb	short loc_68510F
		mov	eax, [esi+50h]
		sub	eax, [esi+48h]
		mov	[ecx], eax
		mov	eax, [esi+64h]
		sub	eax, [esi+48h]
		mov	[ecx+4], eax
		mov	eax, [esi+5Ch]
		mov	[ecx+8], eax
		mov	edi, [esi+60h]
		mov	[ebp+var_24], edi
		mov	[ecx+0Ch], edi

loc_68510F:				; CODE XREF: ExpGetStackTraceInformation(x,x,x)+39j
		imul	eax, edi, 8Ch
		add	eax, 10h
		mov	[ebp+var_20], eax
		cmp	edx, eax
		jb	short loc_68518C
		xor	ebx, ebx
		mov	[ebp+var_34], ebx
		lea	edx, [ecx+10h]
		mov	[ebp+var_1C], edx
		mov	ecx, [esi+64h]
		mov	[ebp+var_28], ecx

loc_685130:				; CODE XREF: ExpGetStackTraceInformation(x,x,x)+D6j
		mov	eax, edi
		dec	edi
		mov	[ebp+var_24], edi
		test	eax, eax
		jz	short loc_68518C
		sub	ecx, 4
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ecx
		mov	ecx, [ecx]
		and	[edx], ebx
		movzx	eax, word ptr [ecx+4]
		and	eax, 7FFh
		mov	[edx+4], eax
		mov	ax, [ecx+8]
		mov	[edx+8], ax
		mov	ax, [ecx+0Ah]
		mov	[edx+0Ah], ax
		movzx	eax, word ptr [ecx+0Ah]
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [ecx+0Ch]
		push	eax		; void *
		lea	eax, [edx+0Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, [ebp+var_1C]
		add	edx, 8Ch
		mov	[ebp+var_1C], edx
		mov	ecx, [ebp+var_2C]
		jmp	short loc_685130
; 

loc_68518C:				; CODE XREF: ExpGetStackTraceInformation(x,x,x)+69j
					; ExpGetStackTraceInformation(x,x,x)+84j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_6851B8
; 

loc_685195:				; DATA XREF: .text:006AA2DCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_6851A5:				; DATA XREF: .text:006AA2E0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_30]
		mov	[ebp+var_34], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_38]

loc_6851B8:				; CODE XREF: ExpGetStackTraceInformation(x,x,x)+DFj
		mov	byte ptr [esi+45h], 0
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_6851C8
		mov	ecx, [ebp+var_20]
		mov	[eax], ecx

loc_6851C8:				; CODE XREF: ExpGetStackTraceInformation(x,x,x)+10Dj
		mov	eax, ebx

loc_6851CA:				; CODE XREF: ExpGetStackTraceInformation(x,x,x)+1Ej
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpGetStackTraceInformation@12	endp

; 

; __stdcall ExCleanTimerResolutionRequest()
_ExCleanTimerResolutionRequest@0:	; CODE XREF: PspExitProcess:loc_76CEC7p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		and	dword ptr [ebp-4], 0
		push	ebx
		push	esi
		mov	esi, [eax+80h]
		push	edi
		test	dword ptr [esi+0FCh], 1000h
		jz	short loc_685212
		lea	eax, [ebp-4]
		push	eax
		push	0
		push	ds:_KeMaximumIncrement
		call	_ZwSetTimerResolution@12 ; ZwSetTimerResolution(x,x,x)

loc_685212:				; CODE XREF: .text:006851FFj
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _ExpKernelResolutionLock
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	eax, [esi+374h]
		mov	edi, [eax]
		mov	edx, [eax+4]
		cmp	[edi+4], eax
		jnz	short loc_68528B
		cmp	[edx], eax
		jnz	short loc_68528B
		mov	[edx], edi
		mov	ecx, offset _ExpKernelResolutionLock
		mov	[edi+4], edx
		test	ds:byte_70EFC6,	1
		jz	short loc_68525C
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_685261
; 

loc_68525C:				; CODE XREF: .text:00685250j
		xor	eax, eax
		lock and [ecx],	eax

loc_685261:				; CODE XREF: .text:0068525Aj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edi, [esi+37Ch]
		and	dword ptr [esi+37Ch], 0
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()
		test	edi, edi
		jz	short loc_685286
		mov	ecx, edi
		call	_PoDiagFreeUsermodeStack@4 ; PoDiagFreeUsermodeStack(x)

loc_685286:				; CODE XREF: .text:0068527Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_68528B:				; CODE XREF: .text:00685239j
					; .text:0068523Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 435. ExSetTimerResolution

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExSetTimerResolution(x, x)
		public _ExSetTimerResolution@8
_ExSetTimerResolution@8	proc near

var_2		= byte ptr -2
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	ecx, [ebp+arg_4]
		mov	edx, 52545345h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		neg	ecx
		push	edi
		sbb	ecx, ecx
		and	ecx, esi
		call	PoTraceSystemTimerResolutionKernel
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	bl, al
		mov	ecx, offset _ExpKernelResolutionLock
		mov	byte ptr [ebp+arg_0+3],	bl
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	[ebp+arg_4], 0
		mov	[ebp-1], bl
		mov	ebx, ds:_KeTimeIncrement
		jnz	short loc_6852FD
		mov	ecx, ds:_ExpKernelResolutionCount
		test	ecx, ecx
		jz	short loc_685315
		sub	ecx, 1
		mov	ds:_ExpKernelResolutionCount, ecx
		jnz	short loc_685315
		mov	eax, ds:_KeMaximumIncrement
		mov	ds:_KeNonHrTimeIncrement, eax
		jmp	short loc_685345
; 

loc_6852FD:				; CODE XREF: ExSetTimerResolution(x,x)+45j
		mov	eax, ds:_ExpKernelResolutionCount
		inc	eax
		mov	ds:_ExpKernelResolutionCount, eax
		cmp	eax, 1
		jz	short loc_68533D
		cmp	esi, ds:_ExpKernelRequestedTimerResolution
		jb	short loc_68533D

loc_685315:				; CODE XREF: ExSetTimerResolution(x,x)+4Fj
					; ExSetTimerResolution(x,x)+5Aj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _ExpKernelResolutionLock
		jz	short loc_68532D
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_685332
; 

loc_68532D:				; CODE XREF: ExSetTimerResolution(x,x)+8Cj
		xor	eax, eax
		lock and [ecx],	eax

loc_685332:				; CODE XREF: ExSetTimerResolution(x,x)+96j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_68535B
; 

loc_68533D:				; CODE XREF: ExSetTimerResolution(x,x)+76j
					; ExSetTimerResolution(x,x)+7Ej
		mov	ds:_KeNonHrTimeIncrement, esi
		mov	edi, esi

loc_685345:				; CODE XREF: ExSetTimerResolution(x,x)+66j
		mov	cl, [ebp+arg_4]
		lea	eax, [ebp-1]
		push	eax
		mov	edx, edi
		mov	ds:_ExpKernelRequestedTimerResolution, edi
		call	ExpUpdateTimerResolution
		mov	ebx, eax

loc_68535B:				; CODE XREF: ExSetTimerResolution(x,x)+A6j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_ExSetTimerResolution@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCenturyDpcRoutine(x, x, x, x)
_ExpCenturyDpcRoutine@16 proc near	; DATA XREF: ExpRefreshTimeZoneInformation(x)+D0o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	esi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	esi, [eax+268h]
		xor	eax, eax
		inc	eax
		lock xadd [esi+2C8h], eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_6853AE
		push	ecx
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jnz	short loc_6853A0
		mov	ecx, [ebp+arg_4]
		mov	edx, 53707845h
		call	ObfReferenceObjectWithTag

loc_6853A0:				; CODE XREF: ExpCenturyDpcRoutine(x,x,x,x)+2Dj
		push	1
		lea	eax, [esi+260h]
		push	eax
		call	ExQueueWorkItem

loc_6853AE:				; CODE XREF: ExpCenturyDpcRoutine(x,x,x,x)+23j
		pop	esi
		pop	ebp
		retn	10h
_ExpCenturyDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpNextYearDpcRoutine(x, x,	x, x)
_ExpNextYearDpcRoutine@16 proc near	; DATA XREF: ExpRefreshTimeZoneInformation(x)+BDo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	esi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	esi, [eax+268h]
		xor	eax, eax
		inc	eax
		lock xadd [esi+2C8h], eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_6853FD
		push	ecx
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jnz	short loc_6853EF
		mov	ecx, [ebp+arg_4]
		mov	edx, 53707845h
		call	ObfReferenceObjectWithTag

loc_6853EF:				; CODE XREF: ExpNextYearDpcRoutine(x,x,x,x)+2Dj
		push	1
		lea	eax, [esi+2B8h]
		push	eax
		call	ExQueueWorkItem

loc_6853FD:				; CODE XREF: ExpNextYearDpcRoutine(x,x,x,x)+23j
		pop	esi
		pop	ebp
		retn	10h
_ExpNextYearDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpRecordShutdownTime()
_ExpRecordShutdownTime@0 proc near	; CODE XREF: ExShutdownSystem(x)+18p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	esi
		xor	esi, esi
		lea	eax, [ebp+var_18]
		push	eax
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		call	KeQuerySystemTime
		push	(offset	loc_5A68ED+1)
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		mov	[ebp+var_38], 18h
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_34], esi
		push	eax
		mov	[ebp+var_2C], 240h
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_68549F
		push	offset ??_C@_1BK@DFILMBJE@?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAT?$AAi?$AAm?$AAe@FNODOBFM@
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		lea	eax, [ebp+var_18]
		push	eax
		push	3
		push	esi
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_4]
		call	_ZwFlushKey@4	; ZwFlushKey(x)
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_68549F:				; CODE XREF: ExpRecordShutdownTime()+68j
		pop	esi
		leave
		retn
_ExpRecordShutdownTime@0 endp


;  S U B	R O U T	I N E 


; __stdcall ExpTimeRefreshCallback(x, x)
_ExpTimeRefreshCallback@8 proc near	; DATA XREF: ExInitializeTimeRefresh+6Do
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	eax
		mov	ecx, offset _ExpTimeRefreshDpc
		call	KiInsertQueueDpc
		retn	8
_ExpTimeRefreshCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTimeRefreshDpcRoutine(x,	x, x, x)
_ExpTimeRefreshDpcRoutine@16 proc near	; DATA XREF: ExInitializeTimeRefresh+4Co

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		inc	ecx
		lock xadd [eax], ecx
		inc	ecx
		cmp	ecx, 1
		jnz	short loc_6854D6
		push	ecx
		push	offset _ExpTimeRefreshWorkItem
		call	ExQueueWorkItem

loc_6854D6:				; CODE XREF: ExpTimeRefreshDpcRoutine(x,x,x,x)+13j
		pop	ebp
		retn	10h
_ExpTimeRefreshDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTimeZoneDpcRoutine(x, x,	x, x)
_ExpTimeZoneDpcRoutine@16 proc near	; DATA XREF: ExpRefreshTimeZoneInformation(x)+AAo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	esi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	esi, [eax+268h]
		xor	eax, eax
		inc	eax
		lock xadd [esi+2C8h], eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_685524
		push	ecx
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jnz	short loc_685516
		mov	ecx, [ebp+arg_4]
		mov	edx, 53707845h
		call	ObfReferenceObjectWithTag

loc_685516:				; CODE XREF: ExpTimeZoneDpcRoutine(x,x,x,x)+2Dj
		push	1
		lea	eax, [esi+208h]
		push	eax
		call	ExQueueWorkItem

loc_685524:				; CODE XREF: ExpTimeZoneDpcRoutine(x,x,x,x)+23j
		pop	esi
		pop	ebp
		retn	10h
_ExpTimeZoneDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtDrawText(x)
_NtDrawText@4	proc near		; DATA XREF: .text:0058108Co

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	24h
		push	offset dword_6AA430
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	edi, ebx
		mov	esi, ebx
		mov	[ebp+var_20], esi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_24], al
		push	[ebp+var_24]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_685578
		mov	eax, 0C0000061h
		jmp	loc_6856C7
; 

loc_685578:				; CODE XREF: NtDrawText(x)+43j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_685589
		mov	eax, 0C000000Dh
		jmp	loc_6856C7
; 

loc_685589:				; CODE XREF: NtDrawText(x)+54j
		cmp	[ebp+var_19], bl
		jz	loc_685627
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_6855A0
		mov	ecx, eax

loc_6855A0:				; CODE XREF: NtDrawText(x)+73j
		nop
		mov	eax, [ecx]
		mov	[ebp+arg_0], eax
		mov	[ebp+var_34], eax
		mov	ecx, [ecx+4]
		mov	[ebp+var_24], ecx
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_685680
		sar	eax, 10h
		test	ax, ax
		jz	loc_685680
		movzx	edi, word ptr [ebp+arg_0+2]
		lea	edx, [edi+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_6855DA
		cmp	edx, ecx
		jnb	short loc_6855DC

loc_6855DA:				; CODE XREF: NtDrawText(x)+ABj
		mov	[eax], bl

loc_6855DC:				; CODE XREF: NtDrawText(x)+AFj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	67727453h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jnz	short loc_685606
		mov	edi, 0C0000017h
		jmp	loc_6856BA
; 

loc_685606:				; CODE XREF: NtDrawText(x)+D1j
		mov	[ebp+ms_exc.disabled], 1
		push	edi		; size_t
		push	[ebp+var_24]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_30], esi
		lea	ecx, [ebp+var_34]

loc_685627:				; CODE XREF: NtDrawText(x)+63j
		mov	edi, 0C000000Dh
		mov	ax, [ecx+2]
		shr	ax, 1
		movzx	edx, ax
		test	dx, dx
		jz	short loc_6856AC
		mov	eax, [ecx+4]
		mov	[ebp+arg_0], eax

loc_685641:				; CODE XREF: NtDrawText(x)+131j
		movzx	eax, dx
		mov	esi, [ebp+arg_0]
		cmp	[esi+eax*2-2], bx
		mov	esi, [ebp+var_20]
		jz	short loc_6856AA
		add	edx, 0FFFFh
		test	dx, dx
		jnz	short loc_685641
		jmp	short loc_6856AC
; 

loc_68565E:				; DATA XREF: .text:006AA450o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_68566C:				; DATA XREF: .text:006AA454o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_28]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_20]
		jmp	short loc_6856BA
; 

loc_685680:				; CODE XREF: NtDrawText(x)+8Bj
					; NtDrawText(x)+97j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_6856BA
; 

loc_685689:				; DATA XREF: .text:006AA444o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_685697:				; DATA XREF: .text:006AA448o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_2C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, ebx
		jmp	short loc_6856BA
; 

loc_6856AA:				; CODE XREF: NtDrawText(x)+126j
		mov	edi, ebx

loc_6856AC:				; CODE XREF: NtDrawText(x)+110j
					; NtDrawText(x)+133j
		test	edi, edi
		js	short loc_6856BA
		mov	ecx, [ecx+4]
		call	_BgkDrawText@4	; BgkDrawText(x)
		mov	edi, eax

loc_6856BA:				; CODE XREF: NtDrawText(x)+D8j
					; NtDrawText(x)+155j ...
		test	esi, esi
		jz	short loc_6856C5
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_6856C5:				; CODE XREF: NtDrawText(x)+193j
		mov	eax, edi

loc_6856C7:				; CODE XREF: NtDrawText(x)+4Aj
					; NtDrawText(x)+5Bj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_NtDrawText@4	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1599. NtShutdownSystem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtShutdownSystem(x)
		public _NtShutdownSystem@4
_NtShutdownSystem@4 proc near		; DATA XREF: .text:00580C44o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	eax, 0
		jz	short loc_685704
		sub	eax, 1
		jz	short loc_685700
		sub	eax, 1
		jz	short loc_6856FC
		mov	eax, 0C000000Dh
		jmp	short loc_685714
; 

loc_6856FC:				; CODE XREF: NtShutdownSystem(x)+15j
		push	6
		jmp	short loc_685706
; 

loc_685700:				; CODE XREF: NtShutdownSystem(x)+10j
		push	5
		jmp	short loc_685706
; 

loc_685704:				; CODE XREF: NtShutdownSystem(x)+Bj
		push	4

loc_685706:				; CODE XREF: NtShutdownSystem(x)+20j
					; NtShutdownSystem(x)+24j
		pop	eax
		push	0C0000004h
		push	4
		push	eax
		call	_NtSetSystemPowerState@12 ; NtSetSystemPowerState(x,x,x)

loc_685714:				; CODE XREF: NtShutdownSystem(x)+1Cj
		pop	ebp
		retn	4
_NtShutdownSystem@4 endp


;  S U B	R O U T	I N E 


; __stdcall HdlspUTF8Encode(x, x)
_HdlspUTF8Encode@8 proc	near		; CODE XREF: HdlspPutString(x)+ADp
					; HdlspPutWideString(x)+45p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		movzx	edx, bx
		test	ebx, 0FF80h
		jnz	short loc_685730
		mov	[esi+2], bl
		jmp	short loc_685761
; 

loc_685730:				; CODE XREF: HdlspUTF8Encode(x,x)+11j
		mov	al, bl
		shr	edx, 6
		and	al, 3Fh
		and	ecx, 0F800h
		or	al, 80h
		mov	[esi+2], al
		test	cx, cx
		jnz	short loc_68574F
		and	dl, 1Fh
		or	dl, 0C0h
		jmp	short loc_68575E
; 

loc_68574F:				; CODE XREF: HdlspUTF8Encode(x,x)+2Dj
		and	dl, 3Fh
		shr	bx, 0Ch
		or	dl, 80h
		or	bl, 0E0h
		mov	[esi], bl

loc_68575E:				; CODE XREF: HdlspUTF8Encode(x,x)+35j
		mov	[esi+1], dl

loc_685761:				; CODE XREF: HdlspUTF8Encode(x,x)+16j
		pop	esi
		pop	ebx
		retn
_HdlspUTF8Encode@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExDisableHandleTracing(x)
_ExDisableHandleTracing@4 proc near	; CODE XREF: PsSetProcessHandleTracingInformation(x,x):loc_9C9289p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_28], eax
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_30], edi
		nop
		lea	esi, [edi+24h]
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_8], esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+54h]
		and	dword ptr [edi+54h], 0
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	short loc_6857BD
		test	byte ptr [eax+8], 8
		jnz	short loc_6857BD
		and	byte ptr [edi+1Ch], 0FDh

loc_6857BD:				; CODE XREF: ExDisableHandleTracing(x)+4Dj
					; ExDisableHandleTracing(x)+53j
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_6857D6
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_6857D6:				; CODE XREF: ExDisableHandleTracing(x)+69j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	esi, 7FFFFFFCh
		jz	loc_685969
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		mov	esi, large fs:124h
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		cmp	eax, edx
		push	0FFFFFFFFh
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		pop	edx
		jb	short loc_685812
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_685820

loc_685812:				; CODE XREF: ExDisableHandleTracing(x)+A3j
		cmp	eax, [ebp+var_20]
		jb	short loc_685833
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_685833

loc_685820:				; CODE XREF: ExDisableHandleTracing(x)+ACj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]

loc_685833:				; CODE XREF: ExDisableHandleTracing(x)+B1j
					; ExDisableHandleTracing(x)+BAj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_68587E
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_6858F0
		push	ecx
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68587E:				; CODE XREF: ExDisableHandleTracing(x)+F8j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_685894
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_685894:				; CODE XREF: ExDisableHandleTracing(x)+126j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_6858DE
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_6858F0
; 

loc_6858DE:				; CODE XREF: ExDisableHandleTracing(x)+166j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]

loc_6858F0:				; CODE XREF: ExDisableHandleTracing(x)+102j
					; ExDisableHandleTracing(x)+178j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_685951
		test	edi, 8000h
		jz	short loc_685914
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_685914:				; CODE XREF: ExDisableHandleTracing(x)+1A5j
		test	byte ptr [ebp+var_10+2], 1
		jz	short loc_685924
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_685924:				; CODE XREF: ExDisableHandleTracing(x)+1B4j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_685938
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_685938:				; CODE XREF: ExDisableHandleTracing(x)+1C7j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_685951
		push	[ebp+var_24]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_685951:				; CODE XREF: ExDisableHandleTracing(x)+19Dj
					; ExDisableHandleTracing(x)+1DEj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_685969
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_685969
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_685969:				; CODE XREF: ExDisableHandleTracing(x)+7Dj
					; ExDisableHandleTracing(x)+1F6j ...
		mov	ecx, [ebp+var_28]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	edx, [ebp+var_2C]
		test	edx, edx
		jz	short loc_685980
		mov	ecx, [ebp+var_30]
		call	_ExDereferenceHandleDebugInfo@8	; ExDereferenceHandleDebugInfo(x,x)

loc_685980:				; CODE XREF: ExDisableHandleTracing(x)+212j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_ExDisableHandleTracing@4 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpKsrCancelScenario(x, x)
_BapdpKsrCancelScenario@8 proc near	; DATA XREF: ExpSetSoftRebootFlags(x)+39o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, 3000000h
		and	eax, ecx
		jz	short loc_6859BE
		test	[ebp+arg_4], ecx
		jnz	short loc_6859BE
		mov	ecx, ds:dword_6BBDD8
		test	ecx, ecx
		jz	short loc_6859BE
		xor	edx, edx
		push	edx
		push	edx
		push	edx
		push	eax
		call	ecx
		test	eax, eax
		js	short loc_6859C3
		and	ds:_ExSoftRebootFlags, 0FFFFFFFBh
		jmp	short loc_6859C3
; 

loc_6859BE:				; CODE XREF: BapdpKsrCancelScenario(x,x)+Fj
					; BapdpKsrCancelScenario(x,x)+14j ...
		mov	eax, 0C00000BBh

loc_6859C3:				; CODE XREF: BapdpKsrCancelScenario(x,x)+2Aj
					; BapdpKsrCancelScenario(x,x)+33j
		pop	ebp
		retn	8
_BapdpKsrCancelScenario@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpKsrComplete(x,	x)
_BapdpKsrComplete@8 proc near		; DATA XREF: ExpSetSoftRebootFlags(x)+EAo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		or	eax, ecx
		test	eax, 3000000h
		jnz	short loc_6859FA
		shr	ecx, 2
		not	cl
		and	cl, 1
		movzx	eax, cl
		push	eax
		call	ds:__imp__KsrCleanupPageDatabase@4 ; KsrCleanupPageDatabase(x)
		test	eax, eax
		js	short loc_6859FF
		and	ds:_ExSoftRebootFlags, 0FFFFFFFBh
		jmp	short loc_6859FF
; 

loc_6859FA:				; CODE XREF: BapdpKsrComplete(x,x)+12j
		mov	eax, 0C00000BBh

loc_6859FF:				; CODE XREF: BapdpKsrComplete(x,x)+28j
					; BapdpKsrComplete(x,x)+31j
		pop	ebp
		retn	8
_BapdpKsrComplete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpKsrCompleteScenario(x,	x)
_BapdpKsrCompleteScenario@8 proc near	; DATA XREF: ExpSetSoftRebootFlags(x)+C3o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, 3000000h
		and	eax, ecx
		jz	short loc_685A28
		test	[ebp+arg_4], ecx
		jnz	short loc_685A28
		mov	ecx, ds:dword_6BBDDC
		test	ecx, ecx
		jz	short loc_685A28
		push	eax
		call	ecx
		jmp	short loc_685A2D
; 

loc_685A28:				; CODE XREF: BapdpKsrCompleteScenario(x,x)+Fj
					; BapdpKsrCompleteScenario(x,x)+14j ...
		mov	eax, 0C00000BBh

loc_685A2D:				; CODE XREF: BapdpKsrCompleteScenario(x,x)+23j
		pop	ebp
		retn	8
_BapdpKsrCompleteScenario@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpKsrCompleteScenarioPhase0(x, x)
_BapdpKsrCompleteScenarioPhase0@8 proc near ; DATA XREF: ExpSetSoftRebootFlags(x)+A1o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	edx, 3000000h
		mov	eax, [ebp+arg_0]
		and	ecx, edx
		and	eax, edx
		cmp	eax, ecx
		jnz	short loc_685A57
		mov	eax, ds:dword_6BBDD4
		test	eax, eax
		jz	short loc_685A57
		push	ecx
		call	eax
		jmp	short loc_685A5C
; 

loc_685A57:				; CODE XREF: BapdpKsrCompleteScenarioPhase0(x,x)+16j
					; BapdpKsrCompleteScenarioPhase0(x,x)+1Fj
		mov	eax, 0C00000BBh

loc_685A5C:				; CODE XREF: BapdpKsrCompleteScenarioPhase0(x,x)+24j
		pop	ebp
		retn	8
_BapdpKsrCompleteScenarioPhase0@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpKsrInitiateScenarioPhase0(x, x)
_BapdpKsrInitiateScenarioPhase0@8 proc near ; DATA XREF: ExpSetSoftRebootFlags(x)+34o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, 3000000h
		and	eax, ecx
		test	[ebp+arg_0], ecx
		jnz	short loc_685A90
		test	eax, eax
		jz	short loc_685A90
		mov	ecx, ds:_ExKsrInterface
		test	ecx, ecx
		jnz	short loc_685A89
		mov	eax, 0C00000BBh
		jmp	short loc_685A95
; 

loc_685A89:				; CODE XREF: BapdpKsrInitiateScenarioPhase0(x,x)+20j
		push	0
		push	eax
		call	ecx
		jmp	short loc_685A95
; 

loc_685A90:				; CODE XREF: BapdpKsrInitiateScenarioPhase0(x,x)+12j
					; BapdpKsrInitiateScenarioPhase0(x,x)+16j
		mov	eax, 0C000000Dh

loc_685A95:				; CODE XREF: BapdpKsrInitiateScenarioPhase0(x,x)+27j
					; BapdpKsrInitiateScenarioPhase0(x,x)+2Ej
		pop	ebp
		retn	8
_BapdpKsrInitiateScenarioPhase0@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpKsrpInitiateScenario(x, x)
_BapdpKsrpInitiateScenario@8 proc near	; DATA XREF: ExpSetSoftRebootFlags(x)+4Ao

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, 3000000h
		and	eax, ecx
		test	[ebp+arg_0], ecx
		jnz	short loc_685AC9
		test	eax, eax
		jz	short loc_685AC9
		mov	ecx, ds:_ExKsrInterface
		test	ecx, ecx
		jnz	short loc_685AC2
		mov	eax, 0C00000BBh
		jmp	short loc_685ACE
; 

loc_685AC2:				; CODE XREF: BapdpKsrpInitiateScenario(x,x)+20j
		push	1
		push	eax
		call	ecx
		jmp	short loc_685ACE
; 

loc_685AC9:				; CODE XREF: BapdpKsrpInitiateScenario(x,x)+12j
					; BapdpKsrpInitiateScenario(x,x)+16j
		mov	eax, 0C000000Dh

loc_685ACE:				; CODE XREF: BapdpKsrpInitiateScenario(x,x)+27j
					; BapdpKsrpInitiateScenario(x,x)+2Ej
		pop	ebp
		retn	8
_BapdpKsrpInitiateScenario@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSetSoftRebootFlags(x)
_ExpSetSoftRebootFlags@4 proc near	; CODE XREF: PAGE:007B46D3p

var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D4h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	8
		pop	eax
		xor	esi, esi
		mov	[ebp+var_B4], eax
		mov	ebx, ecx
		mov	[ebp+var_AC], eax
		push	10h
		pop	ecx
		mov	[ebp+var_A0], eax
		mov	edi, offset _BapdpKsrInitiateScenarioPhase0@8 ;	BapdpKsrInitiateScenarioPhase0(x,x)
		mov	eax, offset _BapdpKsrCancelScenario@8 ;	BapdpKsrCancelScenario(x,x)
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_98], eax
		mov	edx, offset _BapdpKsrpInitiateScenario@8 ; BapdpKsrpInitiateScenario(x,x)
		mov	[ebp+var_74], eax
		push	2
		pop	eax
		mov	[ebp+var_90], ecx
		mov	[ebp+var_88], ecx
		mov	[ebp+var_84], ecx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_70], ecx
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_6C], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_40], eax
		mov	eax, ebx
		and	eax, 8000001Bh
		mov	[ebp+var_C4], esi
		mov	[ebp+var_C0], esi
		mov	[ebp+var_BC], esi
		mov	[ebp+var_B8], esi
		mov	[ebp+var_B0], edi
		mov	[ebp+var_A4], offset _BapdpKsrCompleteScenarioPhase0@8 ; BapdpKsrCompleteScenarioPhase0(x,x)
		mov	[ebp+var_9C], esi
		mov	[ebp+var_94], esi
		mov	[ebp+var_8C], edx
		mov	[ebp+var_80], esi
		mov	[ebp+var_78], esi
		mov	[ebp+var_68], offset _BapdpKsrCompleteScenario@8 ; BapdpKsrCompleteScenario(x,x)
		mov	[ebp+var_64], esi
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], esi
		mov	[ebp+var_54], 8
		mov	[ebp+var_50], edi
		mov	[ebp+var_48], 10h
		mov	[ebp+var_44], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], offset _BapdpKsrComplete@8 ; BapdpKsrComplete(x,x)
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], 8
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], 10h
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_D0], eax
		jge	short loc_685BFE
		mov	eax, 0C000000Dh
		jmp	short loc_685C64
; 

loc_685BFE:				; CODE XREF: ExpSetSoftRebootFlags(x)+123j
		mov	edi, esi
		lea	ecx, [ebp+var_C4]
		mov	[ebp+var_C8], edi
		mov	[ebp+var_CC], ecx

loc_685C12:				; CODE XREF: ExpSetSoftRebootFlags(x)+18Bj
		cmp	eax, [ecx+4]
		jnz	short loc_685C4A
		mov	edx, [ecx]
		mov	edi, offset _ExSoftRebootState
		mov	ecx, eax
		mov	eax, edx
		or	ecx, 80000000h
		lock cmpxchg [edi], ecx
		mov	edi, [ebp+var_C8]
		mov	ecx, eax
		mov	[ebp+var_D4], ecx
		cmp	ecx, edx
		jz	short loc_685C73
		mov	eax, [ebp+var_D0]
		mov	ecx, [ebp+var_CC]

loc_685C4A:				; CODE XREF: ExpSetSoftRebootFlags(x)+143j
		inc	edi
		add	ecx, 0Ch
		mov	[ebp+var_C8], edi
		mov	[ebp+var_CC], ecx
		cmp	edi, 10h
		jb	short loc_685C12
		mov	eax, 0C000A003h

loc_685C64:				; CODE XREF: ExpSetSoftRebootFlags(x)+12Aj
					; ExpSetSoftRebootFlags(x)+207j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_685C73:				; CODE XREF: ExpSetSoftRebootFlags(x)+16Aj
		imul	eax, [ebp+var_C8], 0Ch
		mov	edi, ds:_ExSoftRebootFlags
		mov	eax, [ebp+eax+var_BC]
		test	eax, eax
		jz	short loc_685C97
		push	ebx
		push	edi
		call	eax
		mov	ecx, [ebp+var_D4]
		mov	esi, eax

loc_685C97:				; CODE XREF: ExpSetSoftRebootFlags(x)+1B7j
		mov	eax, ds:_ExSoftRebootFlags
		and	eax, 7CFFFFE4h
		test	esi, esi
		js	short loc_685CC2
		and	ebx, 8300001Bh
		mov	ecx, offset _ExSoftRebootState
		or	ebx, eax
		mov	eax, [ebp+var_D0]
		mov	ds:_ExSoftRebootFlags, ebx
		xchg	eax, [ecx]
		jmp	short loc_685CD7
; 

loc_685CC2:				; CODE XREF: ExpSetSoftRebootFlags(x)+1D1j
		and	edi, 8300001Bh
		or	edi, eax
		mov	eax, offset _ExSoftRebootState
		mov	ds:_ExSoftRebootFlags, edi
		xchg	ecx, [eax]

loc_685CD7:				; CODE XREF: ExpSetSoftRebootFlags(x)+1EEj
		mov	eax, esi
		jmp	short loc_685C64
_ExpSetSoftRebootFlags@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpDeleteSiloState(x)
_ExpDeleteSiloState@4 proc near		; CODE XREF: PspDeleteServerSiloGlobals(x)+C6p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, 69534C53h
		push	edi
		xor	edi, edi
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_685CFC
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi], edi

loc_685CFC:				; CODE XREF: ExpDeleteSiloState(x)+16j
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_685D0B
		call	ObfDereferenceObject
		mov	[esi+8], edi

loc_685D0B:				; CODE XREF: ExpDeleteSiloState(x)+26j
		mov	eax, [esi+5B7Ch]
		test	eax, eax
		jz	short loc_685D21
		push	eax
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		mov	[esi+5B7Ch], edi

loc_685D21:				; CODE XREF: ExpDeleteSiloState(x)+38j
		mov	ecx, [esi+5B84h]
		test	ecx, ecx
		jz	short loc_685D41
		call	_ExWaitForCallBacks@4 ;	ExWaitForCallBacks(x)
		mov	ecx, [esi+5B84h]
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)
		mov	[esi+5B84h], edi

loc_685D41:				; CODE XREF: ExpDeleteSiloState(x)+4Ej
		mov	eax, [esi+5C24h]
		test	eax, eax
		jz	short loc_685D7F
		mov	eax, [eax]
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], eax
		call	sub_782FD2
		test	eax, eax
		js	short loc_685D69
		push	20534C53h
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_685D69:				; CODE XREF: ExpDeleteSiloState(x)+7Fj
		push	20534C53h
		push	dword ptr [esi+5C24h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+5C24h], edi

loc_685D7F:				; CODE XREF: ExpDeleteSiloState(x)+6Ej
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpDeleteSiloState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetLicenseTamperState(x,	x)
_ExpGetLicenseTamperState@8 proc near	; CODE XREF: ExGetLicenseTamperState(x)+3Bp
					; ExSetLicenseTamperState(x)+5Ep ...

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= byte ptr -38h
var_37		= dword	ptr -37h
var_33		= word ptr -33h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [esp+7Ch+var_30]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[esp+84h+var_68], esi
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		cmp	dword ptr [ebx+5B7Ch], 0
		jnz	short loc_685DC8
		mov	eax, [ebx+5C0Ch]

loc_685DC1:				; CODE XREF: ExpGetLicenseTamperState(x,x)+50j
		mov	[esi], eax
		jmp	loc_685ED0
; 

loc_685DC8:				; CODE XREF: ExpGetLicenseTamperState(x,x)+2Ej
		lea	eax, [esp+78h+var_30]
		push	eax
		push	ebx
		call	ExpGetKernelDataProtection
		test	eax, eax
		js	short loc_685DDD
		mov	eax, [esp+78h+var_28]
		jmp	short loc_685DC1
; 

loc_685DDD:				; CODE XREF: ExpGetLicenseTamperState(x,x)+4Aj
		cmp	eax, 0C0000225h
		jnz	loc_685ECA
		mov	ecx, [ebx+5B7Ch]
		lea	edi, [ebx+0Ch]
		and	[esp+78h+var_54], 0
		xor	eax, eax
		and	[esp+78h+var_37], 0
		mov	edx, [ebx+5B74h]
		mov	[esp+78h+var_33], ax
		mov	[esp+78h+var_31], al
		test	ecx, ecx
		jz	loc_685EAA
		test	edx, edx
		jz	short loc_685E20
		test	edi, edi
		jz	loc_685ECA

loc_685E20:				; CODE XREF: ExpGetLicenseTamperState(x,x)+8Bj
		push	4
		mov	[esp+7Ch+var_60], eax
		add	ecx, 14h
		mov	[esp+7Ch+var_5C], eax
		mov	[esp+7Ch+var_50], eax
		mov	[esp+7Ch+var_4C], eax
		pop	esi
		mov	[esp+78h+var_48], eax
		mov	[esp+78h+var_44], eax
		mov	[esp+78h+var_40], eax
		mov	[esp+78h+var_3C], eax
		lea	eax, [esp+78h+var_60]
		push	eax
		mov	[esp+7Ch+var_58], esi
		mov	[esp+7Ch+var_38], 1
		call	_ExpLicUpdateChecksum@12 ; ExpLicUpdateChecksum(x,x,x)
		test	eax, eax
		jnz	short loc_685E87
		test	edx, edx
		jz	short loc_685E83
		push	8
		pop	ecx
		mov	eax, edx
		mul	ecx
		lea	ecx, [esp+78h+var_64]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		jnz	short loc_685E87
		lea	eax, [esp+78h+var_60]
		mov	ecx, edi
		push	eax
		call	_ExpLicUpdateChecksum@12 ; ExpLicUpdateChecksum(x,x,x)

loc_685E83:				; CODE XREF: ExpGetLicenseTamperState(x,x)+D4j
		test	eax, eax
		jz	short loc_685E95

loc_685E87:				; CODE XREF: ExpGetLicenseTamperState(x,x)+D0j
					; ExpGetLicenseTamperState(x,x)+EAj
		and	[esp+78h+var_60], 0
		and	[esp+78h+var_5C], 0
		mov	[esp+78h+var_58], esi

loc_685E95:				; CODE XREF: ExpGetLicenseTamperState(x,x)+FAj
		push	0Ch
		pop	ecx
		lea	esi, [esp+78h+var_60]
		xor	eax, eax
		lea	edi, [esp+78h+var_30]
		rep movsd
		mov	esi, [esp+78h+var_68]
		jmp	short loc_685EAF
; 

loc_685EAA:				; CODE XREF: ExpGetLicenseTamperState(x,x)+83j
		mov	eax, 0C000000Dh

loc_685EAF:				; CODE XREF: ExpGetLicenseTamperState(x,x)+11Dj
		test	eax, eax
		js	short loc_685ECA
		push	0
		push	0FFFFFFFFh
		lea	eax, [esp+80h+var_30]
		mov	[esp+80h+var_28], 4
		push	eax
		push	ebx
		call	ExpSetKernelDataProtection

loc_685ECA:				; CODE XREF: ExpGetLicenseTamperState(x,x)+57j
					; ExpGetLicenseTamperState(x,x)+8Fj ...
		mov	dword ptr [esi], 4

loc_685ED0:				; CODE XREF: ExpGetLicenseTamperState(x,x)+38j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_ExpGetLicenseTamperState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpLicUpdateChecksum(x, x, x)
_ExpLicUpdateChecksum@12 proc near	; CODE XREF: ExpGetLicenseTamperState(x,x)+C9p
					; ExpGetLicenseTamperState(x,x)+F3p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		test	ecx, ecx
		jz	short loc_685EF0
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_685EF0
		mov	[ecx], eax
		mov	[ecx+4], eax
		jmp	short loc_685EF5
; 

loc_685EF0:				; CODE XREF: ExpLicUpdateChecksum(x,x,x)+9j
					; ExpLicUpdateChecksum(x,x,x)+10j
		mov	eax, 0C000000Dh

loc_685EF5:				; CODE XREF: ExpLicUpdateChecksum(x,x,x)+17j
		pop	ebp
		retn	4
_ExpLicUpdateChecksum@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_685EF9	proc near		; CODE XREF: PspInitializeServerSiloDeferred(x)+13p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		mov	eax, ecx
		mov	[esp+40h+var_3C], eax
		push	esi
		mov	esi, offset _PspHostSiloGlobals
		push	edi
		test	eax, eax
		jz	short loc_685F1C
		mov	esi, [eax+2F8h]

loc_685F1C:				; CODE XREF: sub_685EF9+1Bj
		push	69534C53h
		push	14008h
		xor	edi, edi
		push	edi
		push	100h
		call	_ExAllocatePool2@16 ; ExAllocatePool2(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_685F43

loc_685F39:				; CODE XREF: sub_685EF9+64j
		mov	esi, 0C0000017h
		jmp	loc_68603C
; 

loc_685F43:				; CODE XREF: sub_685EF9+3Ej
		push	69534C53h
		push	5C34h
		push	0
		push	100h
		call	_ExAllocatePool2@16 ; ExAllocatePool2(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_685F39
		push	14000h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [edi+4]
		push	5C2Ch		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	ecx, ecx
		mov	[esp+74h+var_58], offset _ExpQueryRegistryRoutine@24 ; ExpQueryRegistryRoutine(x,x,x,x,x,x)
		mov	eax, 14000h
		mov	[ebx+14004h], ecx
		mov	[ebx+14000h], eax
		add	esp, 0Ch
		or	dword ptr [edi+5C30h], 0FFFFFFFFh
		mov	[edi], ebx
		mov	[esp+68h+var_44], ecx
		mov	[esp+68h+var_3C], ecx
		mov	[esp+68h+var_38], ecx
		mov	[esp+68h+var_34], ecx
		mov	[esp+68h+var_30], ecx
		mov	[esp+68h+var_2C], ecx
		mov	[esp+68h+var_28], ecx
		mov	[esp+68h+var_24], ecx
		mov	ecx, esi
		mov	[esi+204h], edi
		mov	[esp+68h+var_54], 100h
		mov	[esp+68h+var_50], offset ??_C@_1BM@NLGAGAOC@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@FNODOBFM@
		mov	[esp+68h+var_48], 3000003h
		mov	[esp+68h+var_40], eax
		mov	[esp+68h+var_4C], edi
		call	_ExpInitLicensing@4 ; ExpInitLicensing(x)
		mov	eax, large fs:124h
		mov	ecx, [esp+68h+var_5C]
		push	0
		push	0
		mov	esi, [eax+390h]
		mov	[eax+390h], ecx
		lea	eax, [esp+70h+var_58]
		push	eax
		push	offset ??_C@_1BO@EDPDEJHE@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@FNODOBFM@
		push	2
		call	_RtlQueryRegistryValuesEx@20 ; RtlQueryRegistryValuesEx(x,x,x,x,x)
		mov	[esp+68h+var_5C], eax
		call	ExInitLicenseData
		mov	ecx, large fs:124h
		mov	[ecx+390h], esi
		mov	esi, [esp+68h+var_5C]
		test	esi, esi
		jns	short loc_68605A

loc_68603C:				; CODE XREF: sub_685EF9+45j
		test	ebx, ebx
		jz	short loc_68604B
		push	69534C53h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_68604B:				; CODE XREF: sub_685EF9+145j
		test	edi, edi
		jz	short loc_68605A
		push	69534C53h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_68605A:				; CODE XREF: sub_685EF9+141j
					; sub_685EF9+154j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
sub_685EF9	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpQueryRegistryRoutine(int,int,void *,size_t,int,int)
_ExpQueryRegistryRoutine@24 proc near	; DATA XREF: sub_685EF9+88o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 3
		push	edi
		jnz	short loc_6860A5
		mov	edi, [ebp+arg_C]
		cmp	edi, 14000h
		ja	short loc_6860A5
		push	esi
		mov	esi, [ebp+arg_14]
		push	edi		; size_t
		push	[ebp+arg_8]	; void *
		push	dword ptr [esi]	; void *
		call	_memcpy
		mov	eax, [esi]
		add	esp, 0Ch
		mov	[eax+14000h], edi
		mov	eax, [esi]
		pop	esi
		mov	dword ptr [eax+14004h],	3
		xor	eax, eax
		jmp	short loc_6860AA
; 

loc_6860A5:				; CODE XREF: ExpQueryRegistryRoutine(x,x,x,x,x,x)+Aj
					; ExpQueryRegistryRoutine(x,x,x,x,x,x)+15j
		mov	eax, 0C000014Ch

loc_6860AA:				; CODE XREF: ExpQueryRegistryRoutine(x,x,x,x,x,x)+40j
		pop	edi
		pop	ebp
		retn	18h
_ExpQueryRegistryRoutine@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSetLicenseTamperState(x,	x)
_ExpSetLicenseTamperState@8 proc near	; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+84A42p
					; ExSetLicenseTamperState(x)+79p ...

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 30h
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [esp+3Ch+var_30]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		mov	[edi+5C0Ch], esi
		lea	eax, [esp+38h+var_30]
		mov	[esp+38h+var_28], esi
		push	0
		push	2
		push	eax
		push	edi
		call	ExpSetKernelDataProtection
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_ExpSetLicenseTamperState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_6860F0	proc near		; DATA XREF: PAGE:00A465B4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_14]
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_8]
		mov	byte ptr [eax],	1
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+4]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	sub_A06277
		pop	ebp
		retn	18h
sub_6860F0	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 398. ExNotifyBootDeviceRemoval

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExNotifyBootDeviceRemoval(x)
		public _ExNotifyBootDeviceRemoval@4
_ExNotifyBootDeviceRemoval@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		cmp	dword ptr [ecx], 504E4442h
		jz	short loc_68612F
		xor	al, al
		jmp	short loc_68615B
; 

loc_68612F:				; CODE XREF: ExNotifyBootDeviceRemoval(x)+Ej
		xor	eax, eax
		inc	eax
		lock xadd [ecx+4], eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_686159
		lock xadd ds:_ExNumMissingBootDevices, eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_686159
		push	0
		push	0
		push	offset _ExBootDevicesRemovedEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_686159:				; CODE XREF: ExNotifyBootDeviceRemoval(x)+20j
					; ExNotifyBootDeviceRemoval(x)+2Ej
		mov	al, 1

loc_68615B:				; CODE XREF: ExNotifyBootDeviceRemoval(x)+12j
		pop	ebp
		retn	4
_ExNotifyBootDeviceRemoval@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 412. ExRegisterBootDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExRegisterBootDevice(x, x)
		public _ExRegisterBootDevice@8
_ExRegisterBootDevice@8	proc near

var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, offset _ExExternalBootSupportInitializationEvent
		push	edi
		push	edi
		push	edi
		push	edi
		push	esi
		mov	ebx, edi
		mov	[esp+44h+var_20], edi
		call	KeWaitForSingleObject
		cmp	ds:_ExBootDeviceRemovalHandler,	ebx
		jnz	short loc_68620A
		push	edi
		push	offset _ExpWaitForBootDevices@4	; ExpWaitForBootDevices(x)
		push	edi
		push	edi
		lea	eax, [esp+40h+var_18]
		mov	[esp+40h+var_18], 18h
		push	eax
		push	edi
		lea	eax, [esp+48h+var_20]
		mov	[esp+48h+var_14], edi
		push	eax
		mov	[esp+4Ch+var_C], 200h
		mov	[esp+4Ch+var_10], edi
		mov	[esp+4Ch+var_8], edi
		mov	[esp+4Ch+var_4], edi
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_68620A
		push	edi
		lea	eax, [esp+34h+var_1C]
		mov	[esp+34h+var_1C], edi
		push	eax
		push	edi
		push	edi
		push	1FFFFFh
		push	[esp+44h+var_20]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[esp+30h+var_20]
		mov	ebx, eax
		mov	eax, [esp+34h+var_1C]
		mov	ds:_ExBootDeviceRemovalHandler,	eax
		call	_ZwClose@4	; ZwClose(x)
		push	1Fh
		push	ds:_ExBootDeviceRemovalHandler
		call	KeSetPriorityThread

loc_68620A:				; CODE XREF: ExRegisterBootDevice(x,x)+2Bj
					; ExRegisterBootDevice(x,x)+69j
		push	edi
		push	edi
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		test	ebx, ebx
		js	loc_686304
		mov	esi, [ebp+arg_0]
		cmp	dword ptr [esi], 1
		jnz	short loc_686231
		cmp	[esi+8], edi
		jz	short loc_686231
		cmp	[esi+4], edi
		jnz	short loc_686231
		cmp	[esi+10h], edi
		jnz	short loc_686236

loc_686231:				; CODE XREF: ExRegisterBootDevice(x,x)+BCj
					; ExRegisterBootDevice(x,x)+C1j ...
		mov	ebx, 0C000000Dh

loc_686236:				; CODE XREF: ExRegisterBootDevice(x,x)+CBj
		test	ebx, ebx
		js	loc_686304
		push	504E4442h
		push	28h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+30h+var_1C], edi
		test	edi, edi
		jnz	short loc_68625E
		mov	ebx, 0C000009Ah

loc_68625E:				; CODE XREF: ExRegisterBootDevice(x,x)+F3j
		test	ebx, ebx
		js	loc_686304
		mov	ecx, [esi+8]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_686284
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag

loc_686284:				; CODE XREF: ExRegisterBootDevice(x,x)+114j
		push	0Ah
		pop	ecx
		xor	eax, eax
		rep stosd
		mov	eax, [esp+30h+var_1C]
		push	6
		pop	ecx
		lea	edi, [eax+10h]
		mov	dword ptr [eax], 504E4442h
		rep movsd
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _ExBootDeviceListSpinLock
		mov	[esp+30h+var_21], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, ds:dword_6BBD8C
		mov	eax, offset _ExBootDeviceList
		mov	esi, [esp+30h+var_1C]
		lea	ecx, [esi+8]
		cmp	[edx], eax
		jz	short loc_6862CE
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_6862CE:				; CODE XREF: ExRegisterBootDevice(x,x)+163j
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		test	ds:byte_70EFC6,	1
		mov	ds:dword_6BBD8C, ecx
		jz	short loc_6862F0
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6862F5
; 

loc_6862F0:				; CODE XREF: ExRegisterBootDevice(x,x)+17Ej
		xor	eax, eax
		lock and [edi],	eax

loc_6862F5:				; CODE XREF: ExRegisterBootDevice(x,x)+18Aj
		mov	cl, [esp+30h+var_21]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+arg_4]
		mov	[eax], esi

loc_686304:				; CODE XREF: ExRegisterBootDevice(x,x)+B0j
					; ExRegisterBootDevice(x,x)+D4j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_ExRegisterBootDevice@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWaitForBootDevices(x)
_ExpWaitForBootDevices@4 proc near	; DATA XREF: ExRegisterBootDevice(x,x)+2Eo

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, offset _ExBootDeviceListSpinLock

loc_68631D:				; CODE XREF: ExpWaitForBootDevices(x)+CAj
		push	0
		push	0
		push	0
		push	0
		push	offset _ExBootDevicesRemovedEvent
		call	KeWaitForSingleObject
		mov	[ebp+var_4], 3Ch

loc_686336:				; CODE XREF: ExpWaitForBootDevices(x)+EFj
		mov	esi, offset _ExBootDeviceList
		jmp	short loc_686342
; 

loc_68633D:				; CODE XREF: ExpWaitForBootDevices(x)+75j
					; ExpWaitForBootDevices(x)+82j
		mov	edi, offset _ExBootDeviceListSpinLock

loc_686342:				; CODE XREF: ExpWaitForBootDevices(x)+2Cj
					; ExpWaitForBootDevices(x)+90j	...
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, [esi+4]
		cmp	esi, offset _ExBootDeviceList
		jz	short loc_6863B0
		test	ds:byte_70EFC6,	1
		jz	short loc_686371
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_686376
; 

loc_686371:				; CODE XREF: ExpWaitForBootDevices(x)+54j
		xor	eax, eax
		lock and [edi],	eax

loc_686376:				; CODE XREF: ExpWaitForBootDevices(x)+60j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	edi, [esi-4]
		cmp	dword ptr [edi], 0
		jz	short loc_68633D
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+14h]
		call	dword ptr [esi+18h]
		test	al, al
		jz	short loc_68633D
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		mov	edi, offset _ExBootDeviceListSpinLock
		jnz	short loc_686342
		or	eax, 0FFFFFFFFh
		lock xadd ds:_ExNumMissingBootDevices, eax
		jz	short loc_6863D2
		jmp	short loc_686342
; 

loc_6863B0:				; CODE XREF: ExpWaitForBootDevices(x)+4Bj
		test	ds:byte_70EFC6,	1
		jz	short loc_6863C5
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_6863CA
; 

loc_6863C5:				; CODE XREF: ExpWaitForBootDevices(x)+A8j
		xor	eax, eax
		lock and [edi],	eax

loc_6863CA:				; CODE XREF: ExpWaitForBootDevices(x)+B4j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_6863D2:				; CODE XREF: ExpWaitForBootDevices(x)+9Dj
		cmp	ds:_ExNumMissingBootDevices, 0
		jz	loc_68631D
		xor	edx, edx
		xor	ecx, ecx
		call	_KeFreezeExecution@8 ; KeFreezeExecution(x,x)
		push	0F4240h
		call	ds:__imp__KeStallExecutionProcessor@4 ;	KeStallExecutionProcessor(x)
		mov	cl, 1
		call	_KeThawExecution@4 ; KeThawExecution(x)
		sub	[ebp+var_4], 1
		jnz	loc_686336
		push	0
		push	3
		push	0
		push	0
		push	7Bh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_ExpWaitForBootDevices@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExAddPrivateDataToCrashDump(x, x)
_ExAddPrivateDataToCrashDump@8 proc near
					; CODE XREF: IopAddLiveDumpPagesToPartialKernelDump(x,x,x,x,x)+1D4p
					; IopLiveDumpMarkImportantDumpData(x,x)+69p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, ecx
		mov	esi, edi

loc_68641F:				; CODE XREF: ExAddPrivateDataToCrashDump(x,x)+3Aj
		mov	edx, ds:_ExPoolTagTables[esi]
		test	edx, edx
		jz	short loc_686445
		imul	eax, ds:_PoolTrackTableSize, 30h
		mov	ecx, ebx
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		jns	short loc_686445
		mov	edi, eax
		cmp	eax, 0C0000023h
		jz	short loc_68646B

loc_686445:				; CODE XREF: ExAddPrivateDataToCrashDump(x,x)+13j
					; ExAddPrivateDataToCrashDump(x,x)+26j
		add	esi, 4
		cmp	esi, 80h
		jb	short loc_68641F
		imul	eax, ds:_ExpSessionPoolTrackTableSize, 30h
		mov	ecx, ebx
		mov	edx, ds:_ExpSessionPoolTrackTable
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		jns	short loc_68646B
		mov	edi, eax

loc_68646B:				; CODE XREF: ExAddPrivateDataToCrashDump(x,x)+2Fj
					; ExAddPrivateDataToCrashDump(x,x)+53j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_ExAddPrivateDataToCrashDump@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 324. ExAllocatePoolWithQuota

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExAllocatePoolWithQuota(x, x)
		public _ExAllocatePoolWithQuota@8
_ExAllocatePoolWithQuota@8 proc	near	; CODE XREF: VerifierExAllocatePoolWithQuota(x,x)+33j

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	656E6F4Eh
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ExAllocatePoolWithQuotaTag
		pop	ebp
		retn	8
_ExAllocatePoolWithQuota@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExCheckSingleFilter(x, x)
_ExCheckSingleFilter@8 proc near	; CODE XREF: ExAllocateHeapPool+BBD6Ep
					; EtwTraceObjectOperation(x,x,x,x)+9Cp	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	[ebp+var_4], edx
		xor	eax, eax
		mov	[ebp+var_8], ecx

loc_68649E:				; CODE XREF: ExCheckSingleFilter(x,x)+27j
		mov	cl, byte ptr [ebp+eax+var_4]
		cmp	cl, 2Ah
		jz	short loc_6864B8
		cmp	cl, 3Fh
		jz	short loc_6864B2
		cmp	byte ptr [ebp+eax+var_8], cl
		jnz	short loc_6864BD

loc_6864B2:				; CODE XREF: ExCheckSingleFilter(x,x)+1Bj
		inc	eax
		cmp	eax, 4
		jb	short loc_68649E

loc_6864B8:				; CODE XREF: ExCheckSingleFilter(x,x)+16j
		xor	eax, eax
		inc	eax
		leave
		retn
; 

loc_6864BD:				; CODE XREF: ExCheckSingleFilter(x,x)+21j
		xor	eax, eax
		leave
		retn
_ExCheckSingleFilter@8 endp


;  S U B	R O U T	I N E 


; __stdcall ExClearPoolFlags(x)
_ExClearPoolFlags@4 proc near		; CODE XREF: VfSettingsApplyMiscellaneousChecks(x)+25j
		not	ecx
		mov	eax, offset _ExpPoolFlags
		lock and [eax],	ecx
		retn
_ExClearPoolFlags@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExDeletePoolTagTable(x)
_ExDeletePoolTagTable@4	proc near	; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+4C1p
					; KeStartAllProcessors+257C8p ...
		mov	eax, ds:_PoolTrackTableSize
		push	ebx
		mov	ebx, ecx
		inc	eax
		push	esi
		push	edi
		mov	cl, 2
		imul	edi, eax, 30h
		mov	esi, ds:_ExPoolTagTables[ebx*4]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	ds:_ExPoolTagTables[ebx*4], 0
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, edi
		mov	ecx, esi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)
_ExDeletePoolTagTable@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExGetBigPoolInfo(x,	x, x, x)
_ExGetBigPoolInfo@16 proc near		; CODE XREF: PAGE:0077F595p
					; EtwpPoolRunDown(x,x)+136p ...

var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_21		= byte ptr -21h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6AA530
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		push	ecx
		push	ecx
		push	ebx
		sub	esp, 38h
		push	esi
		push	edi
		mov	eax, ds:___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_38], edx
		xor	esi, esi
		mov	edi, esi
		mov	[ebp+var_48], edi
		mov	[ebp+var_34], esi
		mov	[ebp+var_44], esi
		cmp	dword ptr [ebx+8], 1
		jnz	short loc_686572
		mov	edx, ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_30], 4
		jmp	short loc_68657F
; 

loc_686572:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+5Dj
		lea	edx, [ecx+8]
		mov	[ebp+var_3C], edx
		mov	[ebp+var_30], 0Ch

loc_68657F:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+6Bj
		xor	eax, eax
		cmp	dword ptr [ebx+8], 1
		setnz	al
		lea	eax, ds:4[eax*8]
		add	eax, ecx
		mov	[ebp+var_50], eax
		cmp	[ebp+var_38], esi
		jz	short loc_6865A5
		mov	[ebp+var_4], esi
		mov	[edx], esi
		mov	[ebp+var_4], 0FFFFFFFEh

loc_6865A5:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+92j
					; ExGetBigPoolInfo(x,x,x,x)+29Dj
		push	offset _ExpLargePoolTableLock
		call	ExAcquireSpinLockExclusive
		mov	[ebp+var_21], al
		cmp	dword ptr [ebx+8], 1
		jnz	short loc_6865EB
		mov	ecx, ds:_PoolBigPageTable
		mov	eax, ds:_PoolBigPageTableSize
		jmp	short loc_6865FC
; 

loc_6865C5:				; DATA XREF: .text:006AA544o
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_6865D6:				; DATA XREF: .text:006AA548o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4Ch]
		jmp	loc_6867AD
; 

loc_6865EB:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+B1j
		mov	eax, ds:dword_6D05D4
		mov	ecx, [eax+242Ch]
		mov	eax, [eax+2430h]

loc_6865FC:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+BEj
		mov	[ebp+var_28], eax
		test	ecx, ecx
		jnz	short loc_686639
		push	offset _ExpLargePoolTableLock
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_21]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jz	short loc_68662D
		mov	ecx, edi
		call	ExGetHeapFromVA
		push	esi
		push	esi
		push	esi
		mov	edx, edi
		mov	ecx, eax
		call	RtlpHpFreeHeap

loc_68662D:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+113j
		mov	eax, [ebx+0Ch]
		mov	[eax], esi
		xor	eax, eax
		jmp	loc_6867AD
; 

loc_686639:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+FCj
		test	edi, edi
		jz	loc_68675B
		cmp	[ebp+var_44], eax
		jb	loc_68675B
		shl	eax, 4
		mov	[ebp+var_28], eax
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	offset _ExpLargePoolTableLock
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_21]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[ebp+var_2C], edi
		mov	ecx, [ebp+var_28]
		add	ecx, edi
		mov	[ebp+var_28], ecx
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_50]
		mov	[ebp+var_40], eax

loc_686686:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+208j
		mov	edx, [ebp+var_2C]
		cmp	edx, ecx
		jnb	short loc_6866BA
		mov	eax, [edx]
		mov	[ebp+var_50], eax
		mov	edx, eax
		test	dl, 1
		jnz	short loc_686709
		mov	ecx, [ebp+var_38]
		test	ecx, ecx
		jz	short loc_6866A5
		mov	eax, [ebp+var_3C]
		inc	dword ptr [eax]

loc_6866A5:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+199j
		mov	eax, [ebp+var_30]
		add	eax, 0Ch
		mov	[ebp+var_30], eax
		cmp	eax, 0Ch
		jnb	short loc_6866C3
		mov	[ebp+var_34], 0C0000095h

loc_6866BA:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+186j
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_68673B
; 

loc_6866C3:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+1ACj
		cmp	[ebp+var_30], ecx
		jbe	short loc_6866D1
		mov	[ebp+var_34], 0C0000004h
		jmp	short loc_686706
; 

loc_6866D1:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+1C1j
		test	ecx, ecx
		jz	short loc_686706
		mov	ecx, [ebp+var_40]
		mov	[ecx], edx
		cmp	dword ptr [ebx+8], 1
		jnz	short loc_6866F1
		mov	eax, [ebp+var_2C]
		test	dword ptr [eax+8], 100h
		jnz	short loc_6866F1
		or	edx, 1
		mov	[ecx], edx

loc_6866F1:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+1D9j
					; ExGetBigPoolInfo(x,x,x,x)+1E5j
		mov	edx, [ebp+var_2C]
		mov	eax, [edx+4]
		mov	[ecx+8], eax
		mov	eax, [edx+0Ch]
		mov	[ecx+4], eax
		add	ecx, 0Ch
		mov	[ebp+var_40], ecx

loc_686706:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+1CAj
					; ExGetBigPoolInfo(x,x,x,x)+1CEj
		mov	ecx, [ebp+var_28]

loc_686709:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+192j
		add	[ebp+var_2C], 10h
		jmp	loc_686686
; 

loc_686712:				; DATA XREF: .text:006AA550o
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_686723:				; DATA XREF: .text:006AA554o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	eax, [ebp-54h]
		mov	[ebp-34h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		mov	edi, [ebp-48h]

loc_68673B:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+1BCj
		mov	ecx, edi
		call	ExGetHeapFromVA
		push	esi
		push	esi
		push	esi
		mov	edx, edi
		mov	ecx, eax
		call	RtlpHpFreeHeap
		mov	ecx, [ebx+0Ch]
		mov	eax, [ebp+var_30]
		mov	[ecx], eax
		mov	eax, [ebp+var_34]
		jmp	short loc_6867AD
; 

loc_68675B:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+136j
					; ExGetBigPoolInfo(x,x,x,x)+13Fj
		mov	[ebp+var_44], eax
		push	offset _ExpLargePoolTableLock
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_21]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_28]
		shl	eax, 4
		mov	[ebp+var_28], eax
		test	edi, edi
		jz	short loc_686794
		mov	ecx, edi
		call	ExGetHeapFromVA
		push	esi
		push	esi
		push	esi
		mov	edx, edi
		mov	ecx, eax
		call	RtlpHpFreeHeap
		mov	eax, [ebp+var_28]

loc_686794:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+277j
		mov	edx, eax
		call	_ExAllocateHeapPages@8 ; ExAllocateHeapPages(x,x)
		mov	edi, eax
		mov	[ebp+var_48], edi
		test	edi, edi
		jnz	loc_6865A5
		mov	eax, 0C000009Ah

loc_6867AD:				; CODE XREF: ExGetBigPoolInfo(x,x,x,x)+E1j
					; ExGetBigPoolInfo(x,x,x,x)+12Fj ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_ExGetBigPoolInfo@16 endp ; sp =  4

; 
		align 8
; Exported entry 401. ExQueryPoolBlockSize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExQueryPoolBlockSize(x, x)
		public _ExQueryPoolBlockSize@8
_ExQueryPoolBlockSize@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	ExGetHeapFromVA
		mov	ecx, eax
		call	_ExpHpIsSpecialPoolHeap@4 ; ExpHpIsSpecialPoolHeap(x)
		test	eax, eax
		jz	short loc_6867F2
		mov	eax, [ebp+arg_4]
		mov	ecx, esi
		mov	byte ptr [eax],	0
		call	_MmQuerySpecialPoolBlockSize@4 ; MmQuerySpecialPoolBlockSize(x)
		jmp	short loc_68682B
; 

loc_6867F2:				; CODE XREF: ExQueryPoolBlockSize(x,x)+19j
		test	esi, 0FFFh
		jnz	short loc_686807
		mov	eax, [ebp+arg_4]
		mov	byte ptr [eax],	0
		mov	eax, 1000h
		jmp	short loc_68682B
; 

loc_686807:				; CODE XREF: ExQueryPoolBlockSize(x,x)+30j
		lea	ecx, [esi-8]
		movzx	eax, word ptr [ecx+2]
		and	eax, 1FFh
		lea	esi, ds:0FFFFFFF8h[eax*8]
		call	ExpGetBilledProcess
		mov	ecx, [ebp+arg_4]
		test	eax, eax
		mov	eax, esi
		setnz	dl
		mov	[ecx], dl

loc_68682B:				; CODE XREF: ExQueryPoolBlockSize(x,x)+28j
					; ExQueryPoolBlockSize(x,x)+3Dj
		pop	esi
		pop	ebp
		retn	8
_ExQueryPoolBlockSize@8	endp


;  S U B	R O U T	I N E 


; __stdcall ExSetPoolFlags(x)
_ExSetPoolFlags@4 proc near		; CODE XREF: VfInitSystemNoRebootNeeded(x,x)+98p
					; VfInitVerifierComponents(x,x,x)+26p ...
		mov	eax, offset _ExpPoolFlags
		lock or	[eax], ecx
		retn
_ExSetPoolFlags@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpRemoveTagForBigPages(x, x, x, x,	x, x, x, x)
_ExpRemoveTagForBigPages@32 proc near	; CODE XREF: ExpSizeHeapPool(x)+49p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		push	offset _ExpLargePoolTableLock
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], ecx
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	edx, [ebp+var_14]
		mov	[ebp+var_1], al
		test	dl, 20h
		jnz	short loc_686873
		mov	edi, ds:_PoolBigPageTable
		mov	esi, ds:_PoolBigPageTableSize
		mov	[ebp+var_C], offset _ExpPoolBigEntriesInUse
		jmp	short loc_68688C
; 

loc_686873:				; CODE XREF: ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)+23j
		mov	eax, ds:dword_6D05D4
		mov	edi, [eax+242Ch]
		mov	esi, [eax+2430h]
		add	eax, 23E4h
		mov	[ebp+var_C], eax

loc_68688C:				; CODE XREF: ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)+38j
		mov	ecx, [ebp+var_8]
		shr	ecx, 0Ch
		movzx	eax, cl
		shl	eax, 2
		mov	[ebp+var_18], eax
		mov	eax, ecx
		shr	eax, 8
		shr	ecx, 10h
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], ecx

loc_6868A9:				; CODE XREF: ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)+100j
		movzx	eax, al
		xor	eax, [ebp+var_18]
		shl	eax, 2
		xor	eax, [ebp+var_1C]
		imul	ecx, eax, 2797Ch
		lea	eax, [esi-1]
		mov	[ebp+var_10], 1
		sar	ecx, 2
		and	ecx, eax

loc_6868CA:				; CODE XREF: ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)+A2j
					; ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)+B1j
		mov	edx, ecx
		shl	edx, 4
		add	edx, edi
		mov	eax, [edx]
		cmp	eax, [ebp+var_8]
		jz	short loc_6868EC
		inc	ecx
		cmp	ecx, esi
		jb	short loc_6868CA
		cmp	[ebp+var_10], 0
		jz	short loc_6868F0
		xor	eax, eax
		mov	ecx, eax
		mov	[ebp+var_10], eax
		jmp	short loc_6868CA
; 

loc_6868EC:				; CODE XREF: ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)+9Dj
		test	edx, edx
		jnz	short loc_68694F

loc_6868F0:				; CODE XREF: ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)+A8j
		mov	edx, [ebp+var_14]
		test	dl, 21h
		jnz	short loc_68693F
		cmp	edi, ds:_PoolBigPageTable
		jnz	short loc_68693F
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_68693F
		mov	eax, ds:dword_6D05D4
		mov	edi, [eax+242Ch]
		mov	esi, [eax+2430h]
		add	eax, 23E4h
		mov	[ebp+var_C], eax
		test	edi, edi
		jz	short loc_68693F
		mov	eax, [ebp+var_20]
		test	esi, esi
		jnz	loc_6868A9

loc_68693F:				; CODE XREF: ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)+BDj
					; ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)+C5j	...
		xor	ecx, ecx
		push	ecx
		push	edx
		push	[ebp+var_8]
		push	22h
		push	19h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68694F:				; CODE XREF: ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)+B5j
		mov	eax, [ebp+arg_4]
		mov	ecx, [edx+4]
		mov	esi, [edx+8]
		mov	[ebp+var_20], ecx
		mov	[eax], ecx
		mov	ecx, esi
		mov	eax, [ebp+arg_8]
		shr	ecx, 8
		and	ecx, 0FFFh
		mov	[eax], ecx
		mov	eax, [ebp+arg_C]
		mov	ecx, [edx+0Ch]
		mov	[eax], ecx
		cmp	edi, ds:_PoolBigPageTable
		jnz	short loc_686993
		cmp	[ebp+var_20], 6C6F6F50h
		jz	short loc_686993
		mov	al, [edx+8]
		shr	esi, 14h
		mov	ecx, eax
		mov	[ebp+arg_4], eax
		jmp	short loc_686997
; 

loc_686993:				; CODE XREF: ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)+142j
					; ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)+14Bj
		xor	ecx, ecx
		mov	esi, ecx

loc_686997:				; CODE XREF: ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)+158j
		cmp	[ebp+arg_0], 0
		mov	eax, [ebp+arg_14]
		pop	edi
		mov	[eax], cl
		mov	eax, [ebp+arg_10]
		mov	[eax], si
		pop	esi
		jz	short loc_6869B3
		mov	eax, [ebp+var_C]
		lock dec dword ptr [eax]
		lock inc dword ptr [edx]

loc_6869B3:				; CODE XREF: ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)+16Fj
		push	offset _ExpLargePoolTableLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		leave
		retn	18h
_ExpRemoveTagForBigPages@32 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry  73. ExTryAcquireAutoExpandPushLockExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExTryAcquireAutoExpandPushLockExclusive(x,	x)
		public @ExTryAcquireAutoExpandPushLockExclusive@8
@ExTryAcquireAutoExpandPushLockExclusive@8 proc	near

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		test	edx, 0FFFFFFFCh
		jz	short loc_6869F2
		push	edi
		push	edi
		push	esi
		push	edx
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6869F2:				; CODE XREF: ExTryAcquireAutoExpandPushLockExclusive(x,x)+13j
		xor	ebx, ebx
		inc	ebx
		test	dl, 2
		jnz	short loc_686A04
		push	ebx
		xor	edx, edx
		call	KeAbPreAcquire
		mov	edi, eax

loc_686A04:				; CODE XREF: ExTryAcquireAutoExpandPushLockExclusive(x,x)+29j
		lock bts dword ptr [esi], 0
		jb	short loc_686A39
		mov	ecx, [esi+4]
		test	cl, 1
		jz	short loc_686A53
		and	ecx, 0FFFFFFF8h
		call	_ExpTryAcquireFannedOutPushLockExclusive@4 ; ExpTryAcquireFannedOutPushLockExclusive(x)
		mov	bl, al
		test	bl, bl
		jnz	short loc_686A53
		or	ecx, 0FFFFFFFFh
		lock xadd [esi], ecx
		and	cl, 6
		cmp	cl, 2
		jnz	short loc_686A53
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_686A53
; 

loc_686A39:				; CODE XREF: ExTryAcquireAutoExpandPushLockExclusive(x,x)+3Aj
		mov	eax, [esi+8]
		lea	ecx, [ebp+var_4]
		xor	bl, bl
		mov	[ebp+var_4], eax
		call	_ExpAeUpdateStatsForExclusiveRelease@4 ; ExpAeUpdateStatsForExclusiveRelease(x)
		test	al, al
		jz	short loc_686A53
		mov	eax, [ebp+var_4]
		mov	[esi+8], eax

loc_686A53:				; CODE XREF: ExTryAcquireAutoExpandPushLockExclusive(x,x)+42j
					; ExTryAcquireAutoExpandPushLockExclusive(x,x)+50j ...
		test	edi, edi
		jz	short loc_686A6A
		test	bl, bl
		jnz	short loc_686A66
		mov	edx, edi
		mov	ecx, esi
		call	KeAbPostReleaseEx
		jmp	short loc_686A6A
; 

loc_686A66:				; CODE XREF: ExTryAcquireAutoExpandPushLockExclusive(x,x)+8Aj
		or	byte ptr [edi+0Eh], 1

loc_686A6A:				; CODE XREF: ExTryAcquireAutoExpandPushLockExclusive(x,x)+86j
					; ExTryAcquireAutoExpandPushLockExclusive(x,x)+95j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
@ExTryAcquireAutoExpandPushLockExclusive@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry  74. ExTryAcquireAutoExpandPushLockShared

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExTryAcquireAutoExpandPushLockShared(x, x)
		public @ExTryAcquireAutoExpandPushLockShared@8
@ExTryAcquireAutoExpandPushLockShared@8	proc near

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		xor	edi, edi
		mov	ebx, ecx
		mov	esi, edi
		test	eax, 0FFFFFFFCh
		jz	short loc_686A9C
		push	edi
		push	edi
		push	ebx
		push	eax
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_686A9C:				; CODE XREF: ExTryAcquireAutoExpandPushLockShared(x,x)+16j
		and	eax, 2
		mov	[ebp+var_4], eax
		jnz	short loc_686AAF
		push	1
		xor	edx, edx
		call	KeAbPreAcquire
		mov	edi, eax

loc_686AAF:				; CODE XREF: ExTryAcquireAutoExpandPushLockShared(x,x)+2Cj
		mov	ecx, [ebx+4]
		test	cl, 1
		jz	short loc_686AC3
		and	ecx, 0FFFFFFF8h
		call	@ExpTryAcquireFannedOutPushLockShared@4	; ExpTryAcquireFannedOutPushLockShared(x)
		mov	esi, eax
		jmp	short loc_686AE0
; 

loc_686AC3:				; CODE XREF: ExTryAcquireAutoExpandPushLockShared(x,x)+3Fj
		push	11h
		pop	ecx
		xor	eax, eax
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jz	short loc_686ADB
		mov	ecx, ebx
		call	@ExfTryAcquirePushLockShared@4 ; ExfTryAcquirePushLockShared(x)
		test	al, al
		jz	short loc_686AE0

loc_686ADB:				; CODE XREF: ExTryAcquireAutoExpandPushLockShared(x,x)+58j
		mov	esi, ebx
		or	esi, 1

loc_686AE0:				; CODE XREF: ExTryAcquireAutoExpandPushLockShared(x,x)+4Bj
					; ExTryAcquireAutoExpandPushLockShared(x,x)+63j
		cmp	[ebp+var_4], 0
		jnz	short loc_686AED
		test	esi, esi
		jz	short loc_686AED
		or	esi, 2

loc_686AED:				; CODE XREF: ExTryAcquireAutoExpandPushLockShared(x,x)+6Ej
					; ExTryAcquireAutoExpandPushLockShared(x,x)+72j
		test	edi, edi
		jz	short loc_686B04
		test	esi, esi
		jnz	short loc_686B00
		mov	edx, edi
		mov	ecx, ebx
		call	KeAbPostReleaseEx
		jmp	short loc_686B04
; 

loc_686B00:				; CODE XREF: ExTryAcquireAutoExpandPushLockShared(x,x)+7Dj
		or	byte ptr [edi+0Eh], 1

loc_686B04:				; CODE XREF: ExTryAcquireAutoExpandPushLockShared(x,x)+79j
					; ExTryAcquireAutoExpandPushLockShared(x,x)+88j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
@ExTryAcquireAutoExpandPushLockShared@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExpAcquireFannedOutPushLockExclusive(x, x,	x)
@ExpAcquireFannedOutPushLockExclusive@12 proc near
					; CODE XREF: ExAcquireAutoExpandPushLockExclusive+DAD53p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	eax, ecx
		mov	ebx, edx
		push	edi
		xor	edx, edx
		mov	[esp+10h+var_4], eax
		call	@ExSaDecodeHandleForIndex@8 ; ExSaDecodeHandleForIndex(x,x)
		lock bts dword ptr [eax], 0
		jnb	short loc_686B39
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	ecx, eax
		call	ExfAcquirePushLockExclusiveEx

loc_686B39:				; CODE XREF: ExpAcquireFannedOutPushLockExclusive(x,x,x)+20j
		xor	esi, esi
		push	0FFFFh
		inc	esi
		call	KeQueryMaximumProcessorCountEx
		mov	edi, eax
		cmp	edi, esi
		jbe	short loc_686B84

loc_686B4C:				; CODE XREF: ExpAcquireFannedOutPushLockExclusive(x,x,x)+77j
		mov	ecx, [esp+14h+var_8]
		mov	edx, esi
		call	@ExSaDecodeHandleForIndex@8 ; ExSaDecodeHandleForIndex(x,x)
		lock bts dword ptr [eax], 0
		jb	short loc_686B61
		inc	esi
		jmp	short loc_686B80
; 

loc_686B61:				; CODE XREF: ExpAcquireFannedOutPushLockExclusive(x,x,x)+51j
		mov	ecx, [esp+14h+var_8]
		dec	edi
		mov	edx, edi
		call	@ExSaDecodeHandleForIndex@8 ; ExSaDecodeHandleForIndex(x,x)
		lock bts dword ptr [eax], 0
		jnb	short loc_686B80
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	ecx, eax
		call	ExfAcquirePushLockExclusiveEx

loc_686B80:				; CODE XREF: ExpAcquireFannedOutPushLockExclusive(x,x,x)+54j
					; ExpAcquireFannedOutPushLockExclusive(x,x,x)+67j
		cmp	esi, edi
		jb	short loc_686B4C

loc_686B84:				; CODE XREF: ExpAcquireFannedOutPushLockExclusive(x,x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
@ExpAcquireFannedOutPushLockExclusive@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExpAcquireFannedOutPushLockShared(x, x, x)
@ExpAcquireFannedOutPushLockShared@12 proc near
					; CODE XREF: ExAcquireAutoExpandPushLockShared+170412p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		call	@ExSaDecodeHandle@4 ; ExSaDecodeHandle(x)
		push	11h
		mov	esi, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_686BB6
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockSharedEx

loc_686BB6:				; CODE XREF: ExpAcquireFannedOutPushLockShared(x,x,x)+1Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
@ExpAcquireFannedOutPushLockShared@12 endp


;  S U B	R O U T	I N E 


; __fastcall ExpTryAcquireFannedOutPushLockShared(x)
@ExpTryAcquireFannedOutPushLockShared@4	proc near
					; CODE XREF: ExTryAcquireAutoExpandPushLockShared(x,x)+44p
		mov	edi, edi
		push	esi
		call	@ExSaDecodeHandle@4 ; ExSaDecodeHandle(x)
		push	11h
		mov	esi, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_686BE5
		mov	ecx, esi
		call	@ExfTryAcquirePushLockShared@4 ; ExfTryAcquirePushLockShared(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	esi, eax

loc_686BE5:				; CODE XREF: ExpTryAcquireFannedOutPushLockShared(x)+15j
		mov	eax, esi
		pop	esi
		retn
@ExpTryAcquireFannedOutPushLockShared@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExpTryExpandAutoExpandPushLock(x)
@ExpTryExpandAutoExpandPushLock@4 proc near
					; CODE XREF: ExReleaseAutoExpandPushLockShared+EA8F5p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+4]
		mov	ecx, [esi]
		mov	[ebp+var_4], ecx
		test	cl, 3
		jnz	short loc_686C4F
		mov	edx, ecx
		mov	eax, ecx
		or	edx, 2
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jnz	short loc_686C4F
		shr	ecx, 2
		not	ecx
		and	ecx, 1
		mov	edx, ecx
		mov	ecx, edi
		call	_ExpAllocateFannedOutPushLock@8	; ExpAllocateFannedOutPushLock(x,x)
		mov	edx, eax
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_686C40
		mov	eax, [edi+8]
		shr	eax, 2
		and	eax, 3FF33FFFh
		mov	[edi+8], eax
		mov	eax, [ebp+var_4]
		and	eax, 0FFFFFFFDh
		mov	[esi], eax
		jmp	short loc_686C4F
; 

loc_686C40:				; CODE XREF: ExpTryExpandAutoExpandPushLock(x)+3Dj
		mov	ecx, edx
		xor	ecx, [ebp+var_4]
		and	ecx, 4
		xor	ecx, edx
		or	ecx, 1
		mov	[esi], ecx

loc_686C4F:				; CODE XREF: ExpTryExpandAutoExpandPushLock(x)+16j
					; ExpTryExpandAutoExpandPushLock(x)+25j ...
		pop	edi
		pop	esi
		leave
		retn
@ExpTryExpandAutoExpandPushLock@4 endp

; 
		align 8
; Exported entry 317. ExAllocateAutoExpandPushLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExAllocateAutoExpandPushLock(x)
		public _ExAllocateAutoExpandPushLock@4
_ExAllocateAutoExpandPushLock@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:20h
		push	0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		mov	eax, [ebp+arg_0]
		and	al, 1
		movzx	ecx, al
		neg	ecx
		push	6C706541h
		sbb	ecx, ecx
		and	ecx, 1FFh
		push	0Ch
		inc	ecx
		pop	edx
		call	ExpAllocatePoolWithTagFromNode
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_686CA6
		mov	edx, [ebp+arg_0]
		call	_ExpInitializeAutoExpandPushLock@8 ; ExpInitializeAutoExpandPushLock(x,x)

loc_686CA6:				; CODE XREF: ExAllocateAutoExpandPushLock(x)+44j
		mov	eax, ecx
		pop	ebp
		retn	4
_ExAllocateAutoExpandPushLock@4	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 358. ExFreeAutoExpandPushLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExFreeAutoExpandPushLock(x)
		public _ExFreeAutoExpandPushLock@4
_ExFreeAutoExpandPushLock@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+4]
		test	cl, 1
		jz	short loc_686CCE
		and	ecx, 0FFFFFFF8h
		call	_ExpFreeFannedOutPushLock@4 ; ExpFreeFannedOutPushLock(x)

loc_686CCE:				; CODE XREF: ExFreeAutoExpandPushLock(x)+13j
		mov	ecx, esi
		call	ExFreeHeapPool
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_ExFreeAutoExpandPushLock@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 437. ExSizeOfAutoExpandPushLock

;  S U B	R O U T	I N E 


; __stdcall ExSizeOfAutoExpandPushLock(x)
		public _ExSizeOfAutoExpandPushLock@4
_ExSizeOfAutoExpandPushLock@4 proc near
		push	0Ch
		pop	eax
		retn	4
_ExSizeOfAutoExpandPushLock@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExpAllocateFannedOutPushLock(x, x)
_ExpAllocateFannedOutPushLock@8	proc near ; CODE XREF: ExpTryExpandAutoExpandPushLock(x)+33p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	ecx
		not	edx
		mov	ebx, ecx
		push	8
		and	edx, 1
		pop	ecx
		call	_ExSaAllocate@12 ; ExSaAllocate(x,x,x)
		mov	esi, eax
		cmp	esi, 0FFFFFFFFh
		jz	short loc_686D27
		push	0FFFFh
		call	KeQueryMaximumProcessorCountEx
		mov	edi, eax
		xor	edx, edx
		test	edi, edi
		jz	short loc_686D27

loc_686D15:				; CODE XREF: ExpAllocateFannedOutPushLock(x,x)+3Ej
		mov	ecx, esi
		call	@ExSaDecodeHandleForIndex@8 ; ExSaDecodeHandleForIndex(x,x)
		and	dword ptr [eax], 0
		inc	edx
		mov	[eax+4], ebx
		cmp	edx, edi
		jb	short loc_686D15

loc_686D27:				; CODE XREF: ExpAllocateFannedOutPushLock(x,x)+1Aj
					; ExpAllocateFannedOutPushLock(x,x)+2Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_ExpAllocateFannedOutPushLock@8	endp ; sp = -4


;  S U B	R O U T	I N E 


; __stdcall ExpFreeFannedOutPushLock(x)
_ExpFreeFannedOutPushLock@4 proc near	; CODE XREF: ExCleanupAutoExpandPushLock+1723A3p
					; ExFreeAutoExpandPushLock(x)+18p
		mov	edi, edi
		push	ecx
		push	8
		pop	edx
		call	_ExSaFree@8	; ExSaFree(x,x)
		pop	ecx
		retn
_ExpFreeFannedOutPushLock@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExpInitializeAutoExpandPushLock(x, x)
_ExpInitializeAutoExpandPushLock@8 proc	near
					; CODE XREF: ExAllocateAutoExpandPushLock(x)+49p
		xor	eax, eax
		mov	[ecx+4], eax
		mov	[ecx+8], eax
		test	dl, 1
		jnz	short loc_686D4E
		mov	dword ptr [ecx+4], 4

loc_686D4E:				; CODE XREF: ExpInitializeAutoExpandPushLock(x,x)+Bj
		mov	[ecx], eax
		retn
_ExpInitializeAutoExpandPushLock@8 endp


;  S U B	R O U T	I N E 


; __stdcall ExpReleaseFannedOutPushLockExclusive(x)
_ExpReleaseFannedOutPushLockExclusive@4	proc near
					; CODE XREF: ExReleaseAutoExpandPushLockExclusive+DAB14p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	0FFFFh
		mov	ebx, ecx
		call	KeQueryMaximumProcessorCountEx
		mov	edi, eax
		xor	esi, esi
		test	edi, edi
		jz	short loc_686D8E

loc_686D6A:				; CODE XREF: ExpReleaseFannedOutPushLockExclusive(x)+3Bj
		mov	edx, esi
		mov	ecx, ebx
		call	@ExSaDecodeHandleForIndex@8 ; ExSaDecodeHandleForIndex(x,x)
		or	ecx, 0FFFFFFFFh
		lock xadd [eax], ecx
		and	cl, 6
		cmp	cl, 2
		jnz	short loc_686D89
		mov	ecx, eax
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_686D89:				; CODE XREF: ExpReleaseFannedOutPushLockExclusive(x)+2Fj
		inc	esi
		cmp	esi, edi
		jb	short loc_686D6A

loc_686D8E:				; CODE XREF: ExpReleaseFannedOutPushLockExclusive(x)+17j
		pop	edi
		pop	esi
		pop	ebx
		retn
_ExpReleaseFannedOutPushLockExclusive@4	endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTryAcquireFannedOutPushLockExclusive(x)
_ExpTryAcquireFannedOutPushLockExclusive@4 proc	near
					; CODE XREF: ExTryAcquireAutoExpandPushLockExclusive(x,x)+47p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	0FFFFh
		mov	[ebp+var_4], ecx
		call	KeQueryMaximumProcessorCountEx
		mov	edi, eax
		xor	ebx, ebx
		mov	esi, ebx
		test	edi, edi
		jz	short loc_686DC8

loc_686DB2:				; CODE XREF: ExpTryAcquireFannedOutPushLockExclusive(x)+34j
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	@ExSaDecodeHandleForIndex@8 ; ExSaDecodeHandleForIndex(x,x)
		lock bts dword ptr [eax], 0
		jb	short loc_686DD1
		inc	esi
		cmp	esi, edi
		jb	short loc_686DB2

loc_686DC8:				; CODE XREF: ExpTryAcquireFannedOutPushLockExclusive(x)+1Ej
		mov	bl, 1

loc_686DCA:				; CODE XREF: ExpTryAcquireFannedOutPushLockExclusive(x)+41j
					; ExpTryAcquireFannedOutPushLockExclusive(x)+6Dj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_686DD1:				; CODE XREF: ExpTryAcquireFannedOutPushLockExclusive(x)+2Fj
		test	esi, esi
		jz	short loc_686DCA
		mov	ebx, [ebp+var_4]

loc_686DD8:				; CODE XREF: ExpTryAcquireFannedOutPushLockExclusive(x)+69j
		lea	edx, [esi-1]
		mov	ecx, ebx
		call	@ExSaDecodeHandleForIndex@8 ; ExSaDecodeHandleForIndex(x,x)
		or	ecx, 0FFFFFFFFh
		lock xadd [eax], ecx
		and	cl, 6
		cmp	cl, 2
		jnz	short loc_686DF8
		mov	ecx, eax
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_686DF8:				; CODE XREF: ExpTryAcquireFannedOutPushLockExclusive(x)+5Dj
		sub	esi, 1
		jnz	short loc_686DD8
		xor	ebx, ebx
		jmp	short loc_686DCA
_ExpTryAcquireFannedOutPushLockExclusive@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry  75. ExTryAcquireCacheAwarePushLockExclusiveEx

;  S U B	R O U T	I N E 


; __fastcall ExTryAcquireCacheAwarePushLockExclusiveEx(x, x)
		public @ExTryAcquireCacheAwarePushLockExclusiveEx@8
@ExTryAcquireCacheAwarePushLockExclusiveEx@8 proc near
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	edx, 0FFFFFFFCh
		jz	short loc_686E25
		push	0
		push	0
		push	esi
		push	edx
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_686E25:				; CODE XREF: ExTryAcquireCacheAwarePushLockExclusiveEx(x,x)+Dj
		lea	ecx, [esi+80h]
		mov	edi, esi
		test	dl, 2
		jnz	short loc_686E47
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	ebx, eax
		lea	ecx, [esi+80h]
		jmp	short loc_686E49
; 

loc_686E47:				; CODE XREF: ExTryAcquireCacheAwarePushLockExclusiveEx(x,x)+2Aj
		xor	ebx, ebx

loc_686E49:				; CODE XREF: ExTryAcquireCacheAwarePushLockExclusiveEx(x,x)+3Fj
		cmp	esi, ecx
		jnb	short loc_686E5D

loc_686E4D:				; CODE XREF: ExTryAcquireCacheAwarePushLockExclusiveEx(x,x)+55j
		mov	eax, [edi]
		lock bts dword ptr [eax], 0
		jb	short loc_686E82
		add	edi, 4
		cmp	edi, ecx
		jb	short loc_686E4D

loc_686E5D:				; CODE XREF: ExTryAcquireCacheAwarePushLockExclusiveEx(x,x)+45j
		test	ebx, ebx
		jz	short loc_686E65
		or	byte ptr [ebx+0Eh], 1

loc_686E65:				; CODE XREF: ExTryAcquireCacheAwarePushLockExclusiveEx(x,x)+59j
		mov	al, 1

loc_686E67:				; CODE XREF: ExTryAcquireCacheAwarePushLockExclusiveEx(x,x)+8Fj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_686E6B:				; CODE XREF: ExTryAcquireCacheAwarePushLockExclusiveEx(x,x)+7Ej
		sub	edi, 4
		or	eax, 0FFFFFFFFh
		mov	ecx, [edi]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_686E82
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_686E82:				; CODE XREF: ExTryAcquireCacheAwarePushLockExclusiveEx(x,x)+4Ej
					; ExTryAcquireCacheAwarePushLockExclusiveEx(x,x)+75j
		cmp	edi, esi
		jnz	short loc_686E6B
		test	ebx, ebx
		jz	short loc_686E93
		mov	edx, ebx
		mov	ecx, esi
		call	KeAbPostReleaseEx

loc_686E93:				; CODE XREF: ExTryAcquireCacheAwarePushLockExclusiveEx(x,x)+82j
		xor	al, al
		jmp	short loc_686E67
@ExTryAcquireCacheAwarePushLockExclusiveEx@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry  76. ExTryAcquireCacheAwarePushLockSharedEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExTryAcquireCacheAwarePushLockSharedEx(x, x)
		public @ExTryAcquireCacheAwarePushLockSharedEx@8
@ExTryAcquireCacheAwarePushLockSharedEx@8 proc near

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		test	edx, 0FFFFFFFCh
		jz	short loc_686EBF
		push	ebx
		push	ebx
		push	edi
		push	edx
		push	152h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_686EBF:				; CODE XREF: ExTryAcquireCacheAwarePushLockSharedEx(x,x)+13j
		mov	al, large fs:51h
		and	eax, 1Fh
		mov	eax, [edi+eax*4]
		mov	[ebp+var_4], eax
		test	dl, 2
		jnz	short loc_686EE0
		push	1
		xor	edx, edx
		call	KeAbPreAcquire
		mov	esi, eax
		jmp	short loc_686EE2
; 

loc_686EE0:				; CODE XREF: ExTryAcquireCacheAwarePushLockSharedEx(x,x)+35j
		mov	esi, ebx

loc_686EE2:				; CODE XREF: ExTryAcquireCacheAwarePushLockSharedEx(x,x)+42j
		mov	edx, [ebp+var_4]
		xor	eax, eax
		push	11h
		pop	ecx
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_686EFD
		mov	ecx, edx
		call	@ExfTryAcquirePushLockShared@4 ; ExfTryAcquirePushLockShared(x)
		test	al, al
		jz	short loc_686EFF

loc_686EFD:				; CODE XREF: ExTryAcquireCacheAwarePushLockSharedEx(x,x)+54j
		mov	bl, 1

loc_686EFF:				; CODE XREF: ExTryAcquireCacheAwarePushLockSharedEx(x,x)+5Fj
		test	esi, esi
		jz	short loc_686F16
		test	bl, bl
		jz	short loc_686F0D
		or	byte ptr [esi+0Eh], 1
		jmp	short loc_686F16
; 

loc_686F0D:				; CODE XREF: ExTryAcquireCacheAwarePushLockSharedEx(x,x)+69j
		mov	edx, esi
		mov	ecx, edi
		call	KeAbPostReleaseEx

loc_686F16:				; CODE XREF: ExTryAcquireCacheAwarePushLockSharedEx(x,x)+65j
					; ExTryAcquireCacheAwarePushLockSharedEx(x,x)+6Fj
		movzx	eax, bl
		neg	eax
		pop	edi
		sbb	eax, eax
		and	eax, [ebp+var_4]
		pop	esi
		pop	ebx
		leave
		retn
@ExTryAcquireCacheAwarePushLockSharedEx@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry  85. ExWaitForUnblockPushLock

;  S U B	R O U T	I N E 


; __fastcall ExWaitForUnblockPushLock(x, x)
		public @ExWaitForUnblockPushLock@8
@ExWaitForUnblockPushLock@8 proc near
		push	0
		call	ExTimedWaitForUnblockPushLock
		retn
@ExWaitForUnblockPushLock@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 359. ExFreeCacheAwarePushLock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExFreeCacheAwarePushLock(x)
		public _ExFreeCacheAwarePushLock@4
_ExFreeCacheAwarePushLock@4 proc near	; CODE XREF: ExAllocateCacheAwarePushLock+80921p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_686F6C
		xor	ebx, ebx
		cmp	[eax+4], bl
		setnz	bl
		dec	ebx
		and	ebx, 1Fh
		inc	ebx
		xor	esi, esi

loc_686F5B:				; CODE XREF: ExFreeCacheAwarePushLock(x)+33j
		mov	ecx, [edi+esi*4]
		test	ecx, ecx
		jz	short loc_686F67
		call	ExFreeHeapPool

loc_686F67:				; CODE XREF: ExFreeCacheAwarePushLock(x)+29j
		inc	esi
		cmp	esi, ebx
		jb	short loc_686F5B

loc_686F6C:				; CODE XREF: ExFreeCacheAwarePushLock(x)+13j
		mov	ecx, edi
		call	ExFreeHeapPool
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_ExFreeCacheAwarePushLock@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry  69. ExReleaseRundownProtectionEx

;  S U B	R O U T	I N E 


; __fastcall ExReleaseRundownProtectionEx(x, x)
		public @ExReleaseRundownProtectionEx@8
@ExReleaseRundownProtectionEx@8	proc near
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	edx, [edi]
		test	dl, 1
		jnz	short loc_686FA8
		lea	ebx, [esi+esi]

loc_686F94:				; CODE XREF: ExReleaseRundownProtectionEx(x,x)+25j
		mov	ecx, edx
		mov	eax, edx
		sub	ecx, ebx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_686FCE
		mov	edx, eax
		test	al, 1
		jz	short loc_686F94

loc_686FA8:				; CODE XREF: ExReleaseRundownProtectionEx(x,x)+Ej
		mov	eax, esi
		and	edx, 0FFFFFFFEh
		neg	eax
		lock xadd [edx], eax
		cmp	eax, esi
		jnz	short loc_686FCE
		lea	eax, [edx+14h]
		lock btr dword ptr [eax], 0
		jb	short loc_686FCE
		push	0
		push	0
		lea	eax, [edx+4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_686FCE:				; CODE XREF: ExReleaseRundownProtectionEx(x,x)+1Fj
					; ExReleaseRundownProtectionEx(x,x)+34j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
@ExReleaseRundownProtectionEx@8	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry  41. ExInterlockedAddUlong

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExInterlockedAddUlong(x, x, x)
		public @ExInterlockedAddUlong@12
@ExInterlockedAddUlong@12 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	@ExfInterlockedAddUlong@12 ; ExfInterlockedAddUlong(x,x,x)
@ExInterlockedAddUlong@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry  44. ExInterlockedInsertHeadList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExInterlockedInsertHeadList(x, x, x)
		public @ExInterlockedInsertHeadList@12
@ExInterlockedInsertHeadList@12	proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	@ExfInterlockedInsertHeadList@12 ; ExfInterlockedInsertHeadList(x,x,x)
@ExInterlockedInsertHeadList@12	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry  45. ExInterlockedInsertTailList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExInterlockedInsertTailList(x, x, x)
		public @ExInterlockedInsertTailList@12
@ExInterlockedInsertTailList@12	proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	@ExfInterlockedInsertTailList@12 ; ExfInterlockedInsertTailList(x,x,x)
@ExInterlockedInsertTailList@12	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry  46. ExInterlockedPopEntryList

;  S U B	R O U T	I N E 


; __fastcall ExInterlockedPopEntryList(x, x)
		public @ExInterlockedPopEntryList@8
@ExInterlockedPopEntryList@8 proc near
		jmp	@ExfInterlockedPopEntryList@8 ;	ExfInterlockedPopEntryList(x,x)
@ExInterlockedPopEntryList@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry  48. ExInterlockedPushEntryList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExInterlockedPushEntryList(x, x, x)
		public @ExInterlockedPushEntryList@12
@ExInterlockedPushEntryList@12 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	@ExfInterlockedPushEntryList@12	; ExfInterlockedPushEntryList(x,x,x)
@ExInterlockedPushEntryList@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry  50. ExInterlockedRemoveHeadList

;  S U B	R O U T	I N E 


; __fastcall ExInterlockedRemoveHeadList(x, x)
		public @ExInterlockedRemoveHeadList@8
@ExInterlockedRemoveHeadList@8 proc near
		jmp	@ExfInterlockedRemoveHeadList@8	; ExfInterlockedRemoveHeadList(x,x)
@ExInterlockedRemoveHeadList@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 101. Exfi386InterlockedDecrementLong

;  S U B	R O U T	I N E 


; __fastcall Exfi386InterlockedDecrementLong(x)
		public @Exfi386InterlockedDecrementLong@4
@Exfi386InterlockedDecrementLong@4 proc	near ; CODE XREF: ExInterlockedDecrementLong(x,x)+8p
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		dec	eax
		test	eax, eax
		jle	short loc_68703A
		xor	eax, eax
		retn
; 

loc_68703A:				; CODE XREF: Exfi386InterlockedDecrementLong(x)+Aj
		neg	eax
		mov	ecx, 4000h
		sbb	eax, eax
		and	eax, ecx
		add	eax, ecx
		retn
@Exfi386InterlockedDecrementLong@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 102. Exfi386InterlockedExchangeUlong
; Exported entry 110. InterlockedExchange

;  S U B	R O U T	I N E 


; __fastcall Exfi386InterlockedExchangeUlong(x,	x)
		public @Exfi386InterlockedExchangeUlong@8
@Exfi386InterlockedExchangeUlong@8 proc	near
		xchg	edx, [ecx]	; Exfi386InterlockedExchangeUlong
		mov	eax, edx
		retn
@Exfi386InterlockedExchangeUlong@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 103. Exfi386InterlockedIncrementLong

;  S U B	R O U T	I N E 


; __fastcall Exfi386InterlockedIncrementLong(x)
		public @Exfi386InterlockedIncrementLong@4
@Exfi386InterlockedIncrementLong@4 proc	near ; CODE XREF: ExInterlockedIncrementLong(x,x)+8p
		xor	eax, eax
		inc	eax
		lock xadd [ecx], eax
		inc	eax
		test	eax, eax
		jle	short loc_687066
		xor	eax, eax
		retn
; 

loc_687066:				; CODE XREF: Exfi386InterlockedIncrementLong(x)+Aj
		neg	eax
		mov	ecx, 4000h
		sbb	eax, eax
		and	eax, ecx
		add	eax, ecx
		retn
@Exfi386InterlockedIncrementLong@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry  64. ExReleaseResourceAndLeavePriorityRegion

;  S U B	R O U T	I N E 


; __fastcall ExReleaseResourceAndLeavePriorityRegion(x)
		public @ExReleaseResourceAndLeavePriorityRegion@4
@ExReleaseResourceAndLeavePriorityRegion@4 proc	near
		mov	edi, edi
		push	esi
		call	ExReleaseResourceLite
		mov	esi, large fs:124h
		mov	dl, 1
		push	0
		push	0
		mov	ecx, esi
		call	PsBoostThreadIoEx
		mov	ecx, esi
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
@ExReleaseResourceAndLeavePriorityRegion@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 349. ExEnterCriticalRegionAndAcquireSharedWaitForExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExEnterCriticalRegionAndAcquireSharedWaitForExclusive(x)
		public _ExEnterCriticalRegionAndAcquireSharedWaitForExclusive@4
_ExEnterCriticalRegionAndAcquireSharedWaitForExclusive@4 proc near
					; CODE XREF: VerifierExEnterCriticalRegionAndAcquireSharedWaitForExclusive(x)+Fj

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	[ebp+arg_0]
		call	ExAcquireSharedWaitForExclusive
		mov	eax, large fs:124h
		mov	eax, [eax+124h]
		pop	ebp
		retn	4
_ExEnterCriticalRegionAndAcquireSharedWaitForExclusive@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 350. ExEnterPriorityRegionAndAcquireResourceExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExEnterPriorityRegionAndAcquireResourceExclusive(x)
		public _ExEnterPriorityRegionAndAcquireResourceExclusive@4
_ExEnterPriorityRegionAndAcquireResourceExclusive@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, large fs:124h
		xor	dl, dl
		push	0
		push	0
		mov	ecx, esi
		call	PsBoostThreadIoEx
		dec	word ptr [esi+13Ch]
		nop
		push	1
		push	[ebp+arg_0]
		call	ExAcquireResourceExclusiveLite
		mov	eax, [esi+124h]
		pop	esi
		pop	ebp
		retn	4
_ExEnterPriorityRegionAndAcquireResourceExclusive@4 endp ; sp =	-8

; 
		align 10h
; Exported entry 366. ExGetExclusiveWaiterCount

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExGetExclusiveWaiterCount(x)
		public _ExGetExclusiveWaiterCount@4
_ExGetExclusiveWaiterCount@4 proc near	; CODE XREF: CmpIsRegistryLockContended()+13p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+0Eh], 1
		jz	short loc_68712F
		push	0
		push	0
		push	eax
		push	0Eh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68712F:				; CODE XREF: ExGetExclusiveWaiterCount(x)+Cj
		mov	eax, [eax+2Ch]
		pop	ebp
		retn	4
_ExGetExclusiveWaiterCount@4 endp ; sp = -14h

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 371. ExGetSharedWaiterCount

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExGetSharedWaiterCount(x)
		public _ExGetSharedWaiterCount@4
_ExGetSharedWaiterCount@4 proc near	; CODE XREF: CmpIsRegistryLockContended()+9p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+0Eh], 1
		jz	short loc_68715A
		push	0
		push	0
		push	eax
		push	0Eh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68715A:				; CODE XREF: ExGetSharedWaiterCount(x)+Cj
		mov	eax, [eax+28h]
		pop	ebp
		retn	4
_ExGetSharedWaiterCount@4 endp ; sp = -14h


;  S U B	R O U T	I N E 


; __stdcall ExTryConvertSharedToExclusiveLite(x)
_ExTryConvertSharedToExclusiveLite@4 proc near
					; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+83p
		test	byte ptr ds:word_71104E, 1
		jz	short loc_68717F
		push	0
		push	0
		push	offset _CmpRegistryLock
		push	0Eh
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68717F:				; CODE XREF: ExTryConvertSharedToExclusiveLite(x)+7j
		jmp	_ExpTryConvertSharedToExclusiveLite@4 ;	ExpTryConvertSharedToExclusiveLite(x)
_ExTryConvertSharedToExclusiveLite@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 449. ExTryToAcquireResourceExclusiveLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExTryToAcquireResourceExclusiveLite(x)
		public _ExTryToAcquireResourceExclusiveLite@4
_ExTryToAcquireResourceExclusiveLite@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		movzx	ecx, word ptr [esi+0Eh]
		mov	al, cl
		mov	edx, ecx
		and	al, 41h
		cmp	al, 1
		jnz	short loc_6871B1
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	esi
		push	0Fh

loc_6871A7:				; CODE XREF: ExTryToAcquireResourceExclusiveLite(x)+4Ej
					; ExTryToAcquireResourceExclusiveLite(x)+66j ...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6871B1:				; CODE XREF: ExTryToAcquireResourceExclusiveLite(x)+15j
		mov	eax, edx
		test	cl, 1
		jz	short loc_687227
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edi, large fs:124h
		mov	dl, al
		cmp	dl, 2
		jbe	short loc_6871D9
		xor	ecx, ecx
		movzx	eax, dl
		push	ecx
		push	2
		push	eax
		push	ecx
		jmp	short loc_6871A7
; 

loc_6871D9:				; CODE XREF: ExTryToAcquireResourceExclusiveLite(x)+42j
		jb	short loc_6871F1
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jz	short loc_6871F1
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	5
		jmp	short loc_6871A7
; 

loc_6871F1:				; CODE XREF: ExTryToAcquireResourceExclusiveLite(x):loc_6871D9j
					; ExTryToAcquireResourceExclusiveLite(x)+5Dj
		test	byte ptr [edi+84h], 2
		jz	short loc_687203
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	6
		jmp	short loc_6871A7
; 

loc_687203:				; CODE XREF: ExTryToAcquireResourceExclusiveLite(x)+6Fj
		cmp	dl, 1
		jnb	short loc_687222
		test	dword ptr [edi+58h], 400h
		jnz	short loc_687222
		xor	ecx, ecx
		cmp	[edi+13Ch], ecx
		jnz	short loc_687222
		push	ecx
		push	ecx
		push	ecx
		push	7
		jmp	short loc_6871A7
; 

loc_687222:				; CODE XREF: ExTryToAcquireResourceExclusiveLite(x)+7Dj
					; ExTryToAcquireResourceExclusiveLite(x)+86j ...
		movzx	eax, word ptr [esi+0Eh]
		pop	edi

loc_687227:				; CODE XREF: ExTryToAcquireResourceExclusiveLite(x)+2Dj
		mov	ecx, esi
		test	al, 1
		jz	short loc_687236
		xor	dl, dl
		call	_ExpFastResourceLegacyAcquireExclusive@8 ; ExpFastResourceLegacyAcquireExclusive(x,x)
		jmp	short loc_68723B
; 

loc_687236:				; CODE XREF: ExTryToAcquireResourceExclusiveLite(x)+A2j
		call	_ExpTryToAcquireResourceExclusiveLite@4	; ExpTryToAcquireResourceExclusiveLite(x)

loc_68723B:				; CODE XREF: ExTryToAcquireResourceExclusiveLite(x)+ABj
		pop	esi
		pop	ebp
		retn	4
_ExTryToAcquireResourceExclusiveLite@4 endp ; sp = -14h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCheckForResource(x, x)
_ExpCheckForResource@8 proc near	; CODE XREF: ExpFreePoolChecks+D1CE1p
					; ExFreeHeapPool+C757Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		test	ds:_MmVerifierData, 800h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], 0
		mov	ebx, edx
		mov	edi, ecx
		mov	[ebp+var_C], 0
		jz	short loc_687272
		call	_VfCheckForResource@8 ;	VfCheckForResource(x,x)
		test	eax, eax
		jnz	short loc_6872E9

loc_687272:				; CODE XREF: ExpCheckForResource(x,x)+27j
		cmp	ds:_KeNumberProcessors,	1
		ja	short loc_6872E9
		test	ds:_ExResourceCheckFlags, 1
		jz	short loc_6872E9
		push	offset _ExpResourceSpinLock
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	esi, ds:_ExpSystemResourcesList
		mov	edx, offset _ExpSystemResourcesList
		mov	[ebp+var_1], al
		cmp	esi, edx
		jz	short loc_6872BA
		lea	ecx, [edi+ebx]

loc_6872A3:				; CODE XREF: ExpCheckForResource(x,x)+78j
		cmp	esi, edi
		jb	short loc_6872AB
		cmp	esi, ecx
		jb	short loc_6872D3

loc_6872AB:				; CODE XREF: ExpCheckForResource(x,x)+65j
		mov	eax, [ebp+var_8]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], esi
		mov	esi, [esi]
		cmp	esi, edx
		jnz	short loc_6872A3

loc_6872BA:				; CODE XREF: ExpCheckForResource(x,x)+5Ej
		xor	esi, esi

loc_6872BC:				; CODE XREF: ExpCheckForResource(x,x)+A7j
		push	offset _ExpResourceSpinLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		jmp	short loc_6872EB
; 

loc_6872D3:				; CODE XREF: ExpCheckForResource(x,x)+69j
		push	ebx
		push	edi		; char
		push	offset ??_C@_0FP@MBKODDEI@EX?3?5ExFreePool?$CI?5?$CFp?0?5?$CFIx?5?$CJ?5conta@FNODOBFM@ ; "EX: ExFreePool( %p, %Ix ) contains an	E"...
		push	0		; int
		push	0		; int
		call	_DbgPrintEx
		add	esp, 14h
		int	3		; Trap to Debugger
		jmp	short loc_6872BC
; 

loc_6872E9:				; CODE XREF: ExpCheckForResource(x,x)+30j
					; ExpCheckForResource(x,x)+39j	...
		xor	eax, eax

loc_6872EB:				; CODE XREF: ExpCheckForResource(x,x)+91j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpCheckForResource@8 endp


;  S U B	R O U T	I N E 


; __stdcall ExpResourceEnforcesOwnershipTransfer(x)
_ExpResourceEnforcesOwnershipTransfer@4	proc near ; CODE XREF: ExDeleteResourceLite+12458Ap
					; ExReinitializeResourceLite+121684p
		test	byte ptr [ecx+0Eh], 1
		jnz	short loc_687302
		cmp	ds:_ExpResourceEnforceOwnerTransfer, 0
		jnz	short loc_687302
		xor	al, al
		retn
; 

loc_687302:				; CODE XREF: ExpResourceEnforcesOwnershipTransfer(x)+4j
					; ExpResourceEnforcesOwnershipTransfer(x)+Dj
		mov	al, 1
		retn
_ExpResourceEnforcesOwnershipTransfer@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTryConvertSharedToExclusiveLite(x)
_ExpTryConvertSharedToExclusiveLite@4 proc near
					; CODE XREF: ExTryConvertSharedToExclusiveLite(x):loc_68717Fj

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		lea	edx, [ebp+var_14]
		mov	ecx, offset unk_711074
		stosd
		stosd
		mov	eax, large fs:124h
		mov	[ebp+var_8], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		xor	ecx, ecx
		inc	ecx
		pop	edi
		cmp	ds:dword_711060, ecx
		jz	short loc_68733E
		mov	[ebp+var_1], 0
		jmp	short loc_68739A
; 

loc_68733E:				; CODE XREF: ExpTryConvertSharedToExclusiveLite(x)+31j
		mov	eax, 80h
		mov	[ebp+var_1], cl
		or	ds:word_71104E,	ax
		mov	eax, [ebp+var_8]
		test	al, 3
		jz	short loc_687358
		xor	ecx, ecx
		jmp	short loc_68735F
; 

loc_687358:				; CODE XREF: ExpTryConvertSharedToExclusiveLite(x)+4Dj
		movzx	ecx, byte ptr [eax+26Ch]

loc_68735F:				; CODE XREF: ExpTryConvertSharedToExclusiveLite(x)+51j
		push	ecx
		push	0
		push	0
		lea	ecx, [ebp+var_14]
		mov	edx, eax
		push	ecx
		mov	ecx, offset _CmpRegistryLock
		call	@ExpFindCurrentThread@24 ; ExpFindCurrentThread(x,x,x,x,x,x)
		mov	ecx, eax
		cmp	ecx, offset dword_711058
		jz	short loc_68739A
		mov	eax, [ecx]
		mov	ds:dword_711058, eax
		mov	eax, [ecx+4]
		and	eax, 7
		or	eax, 8
		mov	ds:dword_71105C, eax
		and	dword ptr [ecx], 0
		and	dword ptr [ecx+4], 0

loc_68739A:				; CODE XREF: ExpTryConvertSharedToExclusiveLite(x)+37j
					; ExpTryConvertSharedToExclusiveLite(x)+77j
		test	ds:byte_70EFC6,	1
		jz	short loc_6873B0
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6873DF
; 

loc_6873B0:				; CODE XREF: ExpTryConvertSharedToExclusiveLite(x)+9Cj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_6873CF
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_6873DF
		call	KxWaitForLockChainValid

loc_6873CF:				; CODE XREF: ExpTryConvertSharedToExclusiveLite(x)+B0j
		lea	ecx, [eax+4]
		mov	[ebp+var_14], 0
		xor	eax, eax
		inc	eax
		lock xor [ecx],	eax

loc_6873DF:				; CODE XREF: ExpTryConvertSharedToExclusiveLite(x)+A9j
					; ExpTryConvertSharedToExclusiveLite(x)+C3j
		mov	cl, [ebp+var_C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, [ebp+var_1]
		leave
		retn
_ExpTryConvertSharedToExclusiveLite@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTryToAcquireResourceExclusiveLite(x)
_ExpTryToAcquireResourceExclusiveLite@4	proc near
					; CODE XREF: ExTryToAcquireResourceExclusiveLite(x):loc_687236p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_C], 10001h
		lea	edi, [ebp+var_1C]
		mov	esi, ecx
		stosd
		lea	edx, [ebp+var_1C]
		lea	ecx, [esi+34h]
		stosd
		stosd
		mov	eax, large fs:124h
		xor	edi, edi
		and	[ebp+var_8], edi
		mov	[ebp+var_10], eax
		mov	eax, dword ptr ds:byte_70EFC4
		inc	large dword ptr	fs:4260h
		and	eax, 20000h
		mov	[ebp+var_4], eax
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, esi
		call	_ExpTryAcquireResourceExclusive@4 ; ExpTryAcquireResourceExclusive(x)
		xor	edx, edx
		mov	bl, al
		inc	edx
		test	bl, bl
		jz	short loc_68746E
		mov	ecx, [esi+1Ch]
		mov	eax, [ebp+var_10]
		and	ecx, 7
		or	ecx, 8
		mov	[esi+18h], eax
		mov	[esi+1Ch], ecx
		cmp	[ebp+var_4], edi
		jz	short loc_6874A2
		mov	eax, [esi+24h]
		mov	edi, edx
		mov	[ebp+var_C], 10021h
		mov	[ebp+var_8], eax
		jmp	short loc_6874A2
; 

loc_68746E:				; CODE XREF: ExpTryToAcquireResourceExclusiveLite(x)+57j
		test	byte ptr [esi+0Eh], 80h
		jz	short loc_6874A0
		mov	eax, [ebp+var_10]
		cmp	[esi+18h], eax
		jnz	short loc_6874A0
		mov	eax, [esi+1Ch]
		add	eax, 8
		mov	[esi+1Ch], eax
		cmp	[ebp+var_4], edi
		jz	short loc_68749C
		mov	edi, eax
		mov	[ebp+var_C], 10031h
		mov	eax, [esi+24h]
		shr	edi, 3
		mov	[ebp+var_8], eax

loc_68749C:				; CODE XREF: ExpTryToAcquireResourceExclusiveLite(x)+9Bj
		mov	bl, dl
		jmp	short loc_6874A2
; 

loc_6874A0:				; CODE XREF: ExpTryToAcquireResourceExclusiveLite(x)+85j
					; ExpTryToAcquireResourceExclusiveLite(x)+8Dj
		xor	bl, bl

loc_6874A2:				; CODE XREF: ExpTryToAcquireResourceExclusiveLite(x)+6Ej
					; ExpTryToAcquireResourceExclusiveLite(x)+7Fj ...
		test	ds:byte_70EFC6,	1
		jz	short loc_6874B8
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6874E7
; 

loc_6874B8:				; CODE XREF: ExpTryToAcquireResourceExclusiveLite(x)+BCj
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_6874DA
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_6874E7
		call	KxWaitForLockChainValid
		xor	edx, edx
		inc	edx

loc_6874DA:				; CODE XREF: ExpTryToAcquireResourceExclusiveLite(x)+D0j
		mov	[ebp+var_1C], 0
		add	eax, 4
		lock xor [eax],	edx

loc_6874E7:				; CODE XREF: ExpTryToAcquireResourceExclusiveLite(x)+C9j
					; ExpTryToAcquireResourceExclusiveLite(x)+E3j
		mov	cl, [ebp+var_14]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jz	short loc_687502
		inc	large dword ptr	fs:4264h
		inc	large dword ptr	fs:41E4h

loc_687502:				; CODE XREF: ExpTryToAcquireResourceExclusiveLite(x)+105j
		cmp	[ebp+var_4], 0
		jz	short loc_687516
		push	[ebp+var_8]
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		push	edi
		call	@PerfLogExecutiveResourceAcquire@16 ; PerfLogExecutiveResourceAcquire(x,x,x,x)

loc_687516:				; CODE XREF: ExpTryToAcquireResourceExclusiveLite(x)+119j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_ExpTryToAcquireResourceExclusiveLite@4	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry  88. ExfInterlockedAddUlong

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExfInterlockedAddUlong(x, x, x)
		public @ExfInterlockedAddUlong@12
@ExfInterlockedAddUlong@12 proc	near	; CODE XREF: ExInterlockedAddUlong(x,x,x)+6j

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	ecx, ebx
		call	ExpAcquireSpinLockDisabled
		mov	ecx, [edi]
		lea	edx, [ecx+esi]
		mov	[edi], edx
		xor	edx, edx
		lock and [ebx],	edx
		pop	edi
		pop	esi
		pop	ebx
		test	al, al
		jz	short loc_68754C
		sti

loc_68754C:				; CODE XREF: ExfInterlockedAddUlong(x,x,x)+27j
		mov	eax, ecx
		pop	ebp
		retn	4
@ExfInterlockedAddUlong@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry  92. ExfInterlockedPopEntryList

;  S U B	R O U T	I N E 


; __fastcall ExfInterlockedPopEntryList(x, x)
		public @ExfInterlockedPopEntryList@8
@ExfInterlockedPopEntryList@8 proc near	; CODE XREF: ExInterlockedPopEntryList(x,x)j
					; VerifierExfInterlockedPopEntryList(x,x)j
					; DATA XREF: ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	ecx, edi
		call	ExpAcquireSpinLockDisabled
		mov	cl, al
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_687572
		mov	edx, [eax]
		mov	[esi], edx

loc_687572:				; CODE XREF: ExfInterlockedPopEntryList(x,x)+15j
		xor	edx, edx
		lock and [edi],	edx
		pop	edi
		pop	esi
		test	cl, cl
		jz	short locret_68757E
		sti

locret_68757E:				; CODE XREF: ExfInterlockedPopEntryList(x,x)+24j
		retn
@ExfInterlockedPopEntryList@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry  93. ExfInterlockedPushEntryList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExfInterlockedPushEntryList(x, x, x)
		public @ExfInterlockedPushEntryList@12
@ExfInterlockedPushEntryList@12	proc near ; CODE XREF: ExInterlockedPushEntryList(x,x,x)+6j
					; VerifierExfInterlockedPushEntryList(x,x,x)+6j
					; DATA XREF: ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		mov	ecx, ebx
		push	edi
		mov	edi, edx
		call	ExpAcquireSpinLockDisabled
		mov	ecx, [esi]
		xor	edx, edx
		mov	[edi], ecx
		mov	[esi], edi
		lock and [ebx],	edx
		pop	edi
		pop	esi
		pop	ebx
		test	al, al
		jz	short loc_6875AD
		sti

loc_6875AD:				; CODE XREF: ExfInterlockedPushEntryList(x,x,x)+26j
		mov	eax, ecx
		pop	ebp
		retn	4
@ExfInterlockedPushEntryList@12	endp

; 
		align 8
; Exported entry 384. ExInterlockedAddLargeInteger

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInterlockedAddLargeInteger(x, x, x, x)
		public _ExInterlockedAddLargeInteger@16
_ExInterlockedAddLargeInteger@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		mov	ecx, edi
		call	ExpAcquireSpinLockDisabled
		mov	esi, [ebp+arg_0]
		mov	ebx, [esi]
		mov	edx, ebx
		mov	ecx, [esi+4]
		add	edx, [ebp+arg_4]
		mov	[ebp+arg_C], ecx
		adc	ecx, [ebp+arg_8]
		mov	[esi+4], ecx
		xor	ecx, ecx
		mov	[esi], edx
		lock and [edi],	ecx
		test	al, al
		jz	short loc_6875EC
		sti

loc_6875EC:				; CODE XREF: ExInterlockedAddLargeInteger(x,x,x,x)+31j
		mov	edx, [ebp+arg_C]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_ExInterlockedAddLargeInteger@16 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 385. ExInterlockedDecrementLong
; Exported entry 458. Exi386InterlockedDecrementLong

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInterlockedDecrementLong(x, x)
		public _ExInterlockedDecrementLong@8
_ExInterlockedDecrementLong@8 proc near

arg_0		= dword	ptr  8

		mov	edi, edi	; ExInterlockedDecrementLong
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	@Exfi386InterlockedDecrementLong@4 ; Exfi386InterlockedDecrementLong(x)
		pop	ebp
		retn	8
_ExInterlockedDecrementLong@8 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 386. ExInterlockedExchangeUlong
; Exported entry 459. Exi386InterlockedExchangeUlong

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInterlockedExchangeUlong(x, x, x)
		public _ExInterlockedExchangeUlong@12
_ExInterlockedExchangeUlong@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi	; ExInterlockedExchangeUlong
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		xchg	eax, [ecx]
		pop	ebp
		retn	0Ch
_ExInterlockedExchangeUlong@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 388. ExInterlockedIncrementLong
; Exported entry 460. Exi386InterlockedIncrementLong

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInterlockedIncrementLong(x, x)
		public _ExInterlockedIncrementLong@8
_ExInterlockedIncrementLong@8 proc near

arg_0		= dword	ptr  8

		mov	edi, edi	; ExInterlockedIncrementLong
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	@Exfi386InterlockedIncrementLong@4 ; Exfi386InterlockedIncrementLong(x)
		pop	ebp
		retn	8
_ExInterlockedIncrementLong@8 endp

; 
		align 4
		db 3 dup(0CCh)
; 
; Exported entry 305. ExAcquireFastResourceExclusive

; __stdcall ExAcquireFastResourceExclusive(x, x, x)
		public _ExAcquireFastResourceExclusive@12
_ExAcquireFastResourceExclusive@12:	; CODE XREF: ExpFastResourceLegacyAcquireExclusive(x,x)+17p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		cmp	[ebp+10h], bl
		push	esi
		push	edi
		push	7
		pop	ecx
		lea	edi, [ebp-30h]
		rep stosd
		lea	edi, [ebp-14h]
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	edi, [ebp+8]
		mov	[ebp-8], eax
		setz	al
		inc	al
		mov	[ebp-1], al
		xor	eax, eax
		inc	eax
		test	[edi+0Eh], al
		jnz	short loc_68768A
		push	ebx
		push	ebx
		push	edi
		push	3

loc_687680:				; CODE XREF: .text:006876ACj
					; .text:006876C7j ...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68768A:				; CODE XREF: .text:00687679j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edx, large fs:124h
		mov	cl, al
		mov	al, [ebp-1]
		cmp	cl, al
		jbe	short loc_6876AE
		push	0
		movzx	eax, al
		push	eax
		movzx	eax, cl
		push	eax
		push	0
		jmp	short loc_687680
; 

loc_6876AE:				; CODE XREF: .text:0068769Ej
		cmp	cl, 2
		jb	short loc_6876C9
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jz	short loc_6876C9
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	5
		jmp	short loc_687680
; 

loc_6876C9:				; CODE XREF: .text:006876B1j
					; .text:006876BEj
		movzx	eax, byte ptr [edx+84h]
		test	al, 2
		jz	short loc_6876DD
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	6
		jmp	short loc_687680
; 

loc_6876DD:				; CODE XREF: .text:006876D2j
		xor	eax, eax
		inc	eax
		cmp	cl, al
		jnb	short loc_6876FF
		test	dword ptr [edx+58h], 400h
		jnz	short loc_6876FF
		cmp	[edx+13Ch], ebx
		jnz	short loc_6876FF
		push	0
		push	0
		push	0
		push	7
		jmp	short loc_687680
; 

loc_6876FF:				; CODE XREF: .text:006876E2j
					; .text:006876EBj ...
		mov	esi, [ebp+0Ch]
		mov	eax, [esi+10h]
		cmp	eax, edx
		jz	short loc_687714
		push	0
		push	eax
		push	esi
		push	9
		jmp	loc_687680
; 

loc_687714:				; CODE XREF: .text:00687707j
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_687726
		push	0
		push	eax
		push	esi
		push	2
		jmp	loc_687680
; 

loc_687726:				; CODE XREF: .text:00687719j
		or	byte ptr [esi+9], 4
		mov	[esi+0Ch], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	byte ptr [edi+0Eh], 80h
		mov	[ebp+0Fh], al
		jz	short loc_687771
		mov	ecx, [ebp-8]
		mov	edx, edi
		push	0
		push	0
		call	_ExpFindFastOwnerEntryForThread@16 ; ExpFindFastOwnerEntryForThread(x,x,x,x)
		test	eax, eax
		jz	short loc_687771
		mov	ecx, [eax+18h]
		add	eax, 14h
		cmp	[ecx], eax
		jnz	loc_6879D2
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		xor	eax, eax
		inc	eax
		mov	[ebp+0Bh], al
		jmp	loc_687899
; 

loc_687771:				; CODE XREF: .text:0068773Aj
					; .text:0068774Cj
		xor	eax, eax
		mov	ecx, edi
		cmp	[ebp+10h], al
		setz	al
		xor	edx, edx
		push	eax
		call	KeAbPreAcquire
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_687793
		mov	ecx, ebx
		call	_KeAbEncodeLockHandle@4	; KeAbEncodeLockHandle(x)
		mov	[esi+8], al

loc_687793:				; CODE XREF: .text:00687787j
		and	dword ptr [ebp-14h], 0
		lea	eax, [edi+34h]
		test	ds:byte_70EFC6,	21h
		mov	[ebp-10h], eax
		jz	short loc_6877B2
		mov	edx, eax
		lea	ecx, [ebp-14h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6877C3
; 

loc_6877B2:				; CODE XREF: .text:006877A4j
		lea	edx, [ebp-14h]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_6877C3
		lea	ecx, [ebp-14h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_6877C3:				; CODE XREF: .text:006877B0j
					; .text:006877B9j
		mov	ecx, edi
		call	_ExpTryAcquireResourceExclusive@4 ; ExpTryAcquireResourceExclusive(x)
		mov	[ebp+0Bh], al
		test	al, al
		jz	short loc_687840
		lea	ecx, [edi+18h]
		mov	edx, [ecx+4]
		lea	eax, [esi+1Ch]
		cmp	[edx], ecx
		jnz	loc_6879D2
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_687804
		mov	edx, [ebp+4]
		lea	ecx, [ebp-14h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_687833
; 

loc_687804:				; CODE XREF: .text:006877F5j
		mov	eax, [ebp-14h]
		test	eax, eax
		jnz	short loc_687823
		mov	edx, [ebp-10h]
		lea	eax, [ebp-14h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-14h]
		cmp	eax, ecx
		jz	short loc_687833
		call	KxWaitForLockChainValid

loc_687823:				; CODE XREF: .text:00687809j
		xor	ecx, ecx
		mov	dword ptr [ebp-14h], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_687833:				; CODE XREF: .text:00687802j
					; .text:0068781Cj
		mov	ecx, [ebp-8]
		push	esi
		push	0
		call	_ExpAddFastOwnerEntryToThreadList@16 ; ExpAddFastOwnerEntryToThreadList(x,x,x,x)
		jmp	short loc_687899
; 

loc_687840:				; CODE XREF: .text:006877CFj
		cmp	byte ptr [ebp+10h], 0
		jnz	short loc_6878AD
		and	byte ptr [esi+9], 0FAh
		xor	eax, eax
		and	dword ptr [esi+0Ch], 0
		inc	eax
		mov	byte ptr [esi+8], 0
		test	ds:byte_70EFC6,	al
		jz	short loc_68786A
		mov	edx, [ebp+4]
		lea	ecx, [ebp-14h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_687899
; 

loc_68786A:				; CODE XREF: .text:0068785Bj
		mov	eax, [ebp-14h]
		test	eax, eax
		jnz	short loc_687889
		mov	edx, [ebp-10h]
		lea	eax, [ebp-14h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-14h]
		cmp	eax, ecx
		jz	short loc_687899
		call	KxWaitForLockChainValid

loc_687889:				; CODE XREF: .text:0068786Fj
		xor	ecx, ecx
		mov	dword ptr [ebp-14h], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_687899:				; CODE XREF: .text:0068776Cj
					; .text:0068783Ej ...
		mov	cl, [ebp+0Fh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, [ebp+0Bh]
		xor	ecx, ecx
		inc	ecx
		jmp	loc_6879B2
; 

loc_6878AD:				; CODE XREF: .text:00687844j
		test	ebx, ebx
		jz	short loc_6878B8
		mov	ecx, ebx
		call	_KeAbPreWait@4	; KeAbPreWait(x)

loc_6878B8:				; CODE XREF: .text:006878AFj
		lea	eax, [edi+18h]
		mov	edx, [eax+4]
		lea	ecx, [esi+1Ch]
		cmp	[edx], eax
		jnz	loc_6879D2
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		xor	edx, edx
		mov	[eax+4], ecx
		inc	edx
		mov	eax, [ebp-8]
		xor	ecx, ecx
		push	ecx
		mov	[ebp-28h], eax
		lea	eax, [ebp-24h]
		push	edx
		mov	[esi+0Bh], dl
		inc	dword ptr [edi+2Ch]
		push	eax
		mov	[ebp-24h], ecx
		mov	[ebp-20h], ecx
		mov	[ebp-1Ch], ecx
		mov	[ebp-18h], ecx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_68791F
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_6879D2
		mov	[ebp-2Ch], ecx
		lea	edx, [ebp-30h]
		mov	[ebp-30h], eax
		mov	[ecx], edx
		mov	ecx, edx
		mov	[eax+4], ecx
		jmp	short loc_68792B
; 

loc_68791F:				; CODE XREF: .text:00687900j
		lea	eax, [ebp-30h]
		mov	[ebp-2Ch], eax
		mov	[ebp-30h], eax
		mov	[edi+14h], eax

loc_68792B:				; CODE XREF: .text:0068791Dj
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_687943
		mov	edx, [ebp+4]
		lea	ecx, [ebp-14h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_687972
; 

loc_687943:				; CODE XREF: .text:00687934j
		mov	eax, [ebp-14h]
		test	eax, eax
		jnz	short loc_687962
		mov	edx, [ebp-10h]
		lea	eax, [ebp-14h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-14h]
		cmp	eax, ecx
		jz	short loc_687972
		call	KxWaitForLockChainValid

loc_687962:				; CODE XREF: .text:00687948j
		xor	ecx, ecx
		mov	dword ptr [ebp-14h], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_687972:				; CODE XREF: .text:00687941j
					; .text:0068795Bj
		mov	ecx, [ebp-8]
		push	esi
		push	0
		call	_ExpAddFastOwnerEntryToThreadList@16 ; ExpAddFastOwnerEntryToThreadList(x,x,x,x)
		mov	cl, [ebp+0Fh]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	10224h
		lea	edx, [ebp-30h]
		mov	ecx, edi
		call	ExpWaitForResource
		mov	byte ptr [esi+0Bh], 0
		test	ebx, ebx
		jz	short loc_6879AA
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	KeAbPreAcquire

loc_6879AA:				; CODE XREF: .text:0068799Dj
		xor	ecx, ecx
		inc	ecx
		mov	al, cl
		mov	[ebp+0Bh], al

loc_6879B2:				; CODE XREF: .text:006878A8j
		test	ebx, ebx
		jz	short loc_6879C8
		test	al, al
		jz	short loc_6879BF
		or	[ebx+0Eh], cl
		jmp	short loc_6879C8
; 

loc_6879BF:				; CODE XREF: .text:006879B8j
		mov	edx, ebx
		mov	ecx, edi
		call	KeAbPostReleaseEx

loc_6879C8:				; CODE XREF: .text:006879B4j
					; .text:006879BDj
		mov	al, [ebp+0Bh]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_6879D2:				; CODE XREF: .text:00687756j
					; .text:006877DCj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		dd 0CCCCCCCCh
; Exported entry 306. ExAcquireFastResourceShared

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExAcquireFastResourceShared(x, x, x)
		public _ExAcquireFastResourceShared@12
_ExAcquireFastResourceShared@12	proc near
					; CODE XREF: ExpFastResourceLegacyAcquireShared(x,x)+17p

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		cmp	[ebp+arg_8], bl
		push	esi
		push	edi
		push	7
		pop	ecx
		lea	edi, [ebp+var_30]
		rep stosd
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_8], eax
		setz	al
		inc	al
		mov	[ebp+var_1], al
		xor	eax, eax
		inc	eax
		test	[edi+0Eh], al
		jnz	short loc_687A27
		push	ebx
		push	ebx
		push	edi
		push	3

loc_687A1D:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+6Dj
					; ExAcquireFastResourceShared(x,x,x)+88j ...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_687A27:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+3Aj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edx, large fs:124h
		mov	cl, al
		mov	al, [ebp+var_1]
		cmp	cl, al
		jbe	short loc_687A4B
		push	0
		movzx	eax, al
		push	eax
		movzx	eax, cl
		push	eax
		push	0
		jmp	short loc_687A1D
; 

loc_687A4B:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+5Fj
		cmp	cl, 2
		jb	short loc_687A66
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jz	short loc_687A66
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	5
		jmp	short loc_687A1D
; 

loc_687A66:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+72j
					; ExAcquireFastResourceShared(x,x,x)+7Fj
		movzx	eax, byte ptr [edx+84h]
		test	al, 2
		jz	short loc_687A7A
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	6
		jmp	short loc_687A1D
; 

loc_687A7A:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+93j
		xor	eax, eax
		inc	eax
		cmp	cl, al
		jnb	short loc_687A9C
		test	dword ptr [edx+58h], 400h
		jnz	short loc_687A9C
		cmp	[edx+13Ch], ebx
		jnz	short loc_687A9C
		push	0
		push	0
		push	0
		push	7
		jmp	short loc_687A1D
; 

loc_687A9C:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+A3j
					; ExAcquireFastResourceShared(x,x,x)+ACj ...
		mov	esi, [ebp+arg_4]
		mov	eax, [esi+10h]
		cmp	eax, edx
		jz	short loc_687AB1
		push	0
		push	eax
		push	esi
		push	9
		jmp	loc_687A1D
; 

loc_687AB1:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+C8j
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_687AC3
		push	0
		push	eax
		push	esi
		push	2
		jmp	loc_687A1D
; 

loc_687AC3:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+DAj
		and	byte ptr [esi+9], 0FBh
		mov	[esi+0Ch], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_4+3],	al
		xor	eax, eax
		cmp	[edi+20h], eax
		jz	short loc_687B0D
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		push	eax
		push	eax
		call	_ExpFindFastOwnerEntryForThread@16 ; ExpFindFastOwnerEntryForThread(x,x,x,x)
		test	eax, eax
		jz	short loc_687B0D
		mov	ecx, [eax+18h]
		add	eax, 14h
		cmp	[ecx], eax
		jnz	loc_687C61
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		xor	eax, eax
		inc	eax
		mov	byte ptr [ebp+arg_0+3],	al
		jmp	loc_687C35
; 

loc_687B0D:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+FCj
					; ExAcquireFastResourceShared(x,x,x)+10Cj
		xor	eax, eax
		mov	ecx, edi
		cmp	[ebp+arg_8], al
		setz	al
		xor	edx, edx
		push	eax
		call	KeAbPreAcquire
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_687B2F
		mov	ecx, ebx
		call	_KeAbEncodeLockHandle@4	; KeAbEncodeLockHandle(x)
		mov	[esi+8], al

loc_687B2F:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+147j
		and	[ebp+var_14], 0
		lea	eax, [edi+34h]
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_10], eax
		jz	short loc_687B4E
		mov	edx, eax
		lea	ecx, [ebp+var_14]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_687B5F
; 

loc_687B4E:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+164j
		lea	edx, [ebp+var_14]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_687B5F
		lea	ecx, [ebp+var_14]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_687B5F:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+170j
					; ExAcquireFastResourceShared(x,x,x)+179j
		mov	ecx, edi
		call	_ExpTryAcquireResourceShared@4 ; ExpTryAcquireResourceShared(x)
		mov	byte ptr [ebp+arg_0+3],	al
		test	al, al
		jz	short loc_687BDC
		lea	ecx, [edi+18h]
		mov	edx, [ecx+4]
		lea	eax, [esi+1Ch]
		cmp	[edx], ecx
		jnz	loc_687C61
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_687BA0
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_687BCF
; 

loc_687BA0:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+1B5j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_687BBF
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_687BCF
		call	KxWaitForLockChainValid

loc_687BBF:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+1C9j
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_687BCF:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+1C2j
					; ExAcquireFastResourceShared(x,x,x)+1DCj
		mov	ecx, [ebp+var_8]
		push	esi
		push	0
		call	_ExpAddFastOwnerEntryToThreadList@16 ; ExpAddFastOwnerEntryToThreadList(x,x,x,x)
		jmp	short loc_687C35
; 

loc_687BDC:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+18Fj
		cmp	[ebp+arg_8], 0
		jnz	short loc_687C49
		and	byte ptr [esi+9], 0FAh
		xor	eax, eax
		and	dword ptr [esi+0Ch], 0
		inc	eax
		mov	byte ptr [esi+8], 0
		test	ds:byte_70EFC6,	al
		jz	short loc_687C06
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_687C35
; 

loc_687C06:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+21Bj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_687C25
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_687C35
		call	KxWaitForLockChainValid

loc_687C25:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+22Fj
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_687C35:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+12Cj
					; ExAcquireFastResourceShared(x,x,x)+1FEj ...
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, byte ptr [ebp+arg_0+3]
		xor	ecx, ecx
		inc	ecx
		jmp	loc_687D2A
; 

loc_687C49:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+204j
		test	ebx, ebx
		jz	short loc_687C54
		mov	ecx, ebx
		call	_KeAbPreWait@4	; KeAbPreWait(x)

loc_687C54:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+26Fj
		lea	eax, [edi+18h]
		mov	edx, [eax+4]
		lea	ecx, [esi+1Ch]
		cmp	[edx], eax
		jz	short loc_687C66

loc_687C61:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+116j
					; ExAcquireFastResourceShared(x,x,x)+19Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_687C66:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+283j
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		xor	ecx, ecx
		mov	eax, [ebp+var_8]
		inc	dword ptr [edi+28h]
		mov	[ebp+var_28], eax
		xor	eax, eax
		push	ecx
		inc	eax
		mov	[ebp+var_24], ecx
		push	eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_20], ecx
		push	eax
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	ecx, [edi+10h]
		lea	edx, [ebp+var_30]
		call	RtlInsertHeadCircularList
		xor	eax, eax
		inc	eax
		mov	[esi+0Bh], al
		test	ds:byte_70EFC6,	al
		jz	short loc_687CBB
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_687CEA
; 

loc_687CBB:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+2D0j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_687CDA
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_687CEA
		call	KxWaitForLockChainValid

loc_687CDA:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+2E4j
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_687CEA:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+2DDj
					; ExAcquireFastResourceShared(x,x,x)+2F7j
		mov	ecx, [ebp+var_8]
		push	esi
		push	0
		call	_ExpAddFastOwnerEntryToThreadList@16 ; ExpAddFastOwnerEntryToThreadList(x,x,x,x)
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	10244h
		lea	edx, [ebp+var_30]
		mov	ecx, edi
		call	ExpWaitForResource
		mov	byte ptr [esi+0Bh], 0
		test	ebx, ebx
		jz	short loc_687D22
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	KeAbPreAcquire

loc_687D22:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+339j
		xor	ecx, ecx
		inc	ecx
		mov	al, cl
		mov	byte ptr [ebp+arg_0+3],	al

loc_687D2A:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+268j
		test	ebx, ebx
		jz	short loc_687D40
		test	al, al
		jz	short loc_687D37
		or	[ebx+0Eh], cl
		jmp	short loc_687D40
; 

loc_687D37:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+354j
		mov	edx, ebx
		mov	ecx, edi
		call	KeAbPostReleaseEx

loc_687D40:				; CODE XREF: ExAcquireFastResourceShared(x,x,x)+350j
					; ExAcquireFastResourceShared(x,x,x)+359j
		mov	al, byte ptr [ebp+arg_0+3]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_ExAcquireFastResourceShared@12	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 307. ExAcquireFastResourceSharedStarveExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExAcquireFastResourceSharedStarveExclusive(x, x, x)
		public _ExAcquireFastResourceSharedStarveExclusive@12
_ExAcquireFastResourceSharedStarveExclusive@12 proc near
					; CODE XREF: ExpFastResourceLegacyAcquireSharedStarveExclusive(x,x)+17p

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		cmp	[ebp+arg_8], bl
		push	esi
		push	edi
		push	7
		pop	ecx
		lea	edi, [ebp+var_30]
		rep stosd
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_8], eax
		setz	al
		inc	al
		mov	[ebp+var_1], al
		xor	eax, eax
		inc	eax
		test	[edi+0Eh], al
		jnz	short loc_687D9A
		push	ebx
		push	ebx
		push	edi
		push	3

loc_687D90:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+6Dj
					; ExAcquireFastResourceSharedStarveExclusive(x,x,x)+88j ...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_687D9A:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+3Aj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edx, large fs:124h
		mov	cl, al
		mov	al, [ebp+var_1]
		cmp	cl, al
		jbe	short loc_687DBE
		push	0
		movzx	eax, al
		push	eax
		movzx	eax, cl
		push	eax
		push	0
		jmp	short loc_687D90
; 

loc_687DBE:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+5Fj
		cmp	cl, 2
		jb	short loc_687DD9
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jz	short loc_687DD9
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	5
		jmp	short loc_687D90
; 

loc_687DD9:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+72j
					; ExAcquireFastResourceSharedStarveExclusive(x,x,x)+7Fj
		movzx	eax, byte ptr [edx+84h]
		test	al, 2
		jz	short loc_687DED
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	6
		jmp	short loc_687D90
; 

loc_687DED:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+93j
		xor	eax, eax
		inc	eax
		cmp	cl, al
		jnb	short loc_687E0F
		test	dword ptr [edx+58h], 400h
		jnz	short loc_687E0F
		cmp	[edx+13Ch], ebx
		jnz	short loc_687E0F
		push	0
		push	0
		push	0
		push	7
		jmp	short loc_687D90
; 

loc_687E0F:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+A3j
					; ExAcquireFastResourceSharedStarveExclusive(x,x,x)+ACj ...
		mov	esi, [ebp+arg_4]
		mov	eax, [esi+10h]
		cmp	eax, edx
		jz	short loc_687E24
		push	0
		push	eax
		push	esi
		push	9
		jmp	loc_687D90
; 

loc_687E24:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+C8j
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_687E36
		push	0
		push	eax
		push	esi
		push	2
		jmp	loc_687D90
; 

loc_687E36:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+DAj
		and	byte ptr [esi+9], 0FBh
		mov	[esi+0Ch], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_4+3],	al
		xor	eax, eax
		cmp	[edi+20h], eax
		jz	short loc_687E80
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		push	eax
		push	eax
		call	_ExpFindFastOwnerEntryForThread@16 ; ExpFindFastOwnerEntryForThread(x,x,x,x)
		test	eax, eax
		jz	short loc_687E80
		mov	ecx, [eax+18h]
		add	eax, 14h
		cmp	[ecx], eax
		jnz	loc_687FD4
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		xor	eax, eax
		inc	eax
		mov	byte ptr [ebp+arg_0+3],	al
		jmp	loc_687FA8
; 

loc_687E80:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+FCj
					; ExAcquireFastResourceSharedStarveExclusive(x,x,x)+10Cj
		xor	eax, eax
		mov	ecx, edi
		cmp	[ebp+arg_8], al
		setz	al
		xor	edx, edx
		push	eax
		call	KeAbPreAcquire
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_687EA2
		mov	ecx, ebx
		call	_KeAbEncodeLockHandle@4	; KeAbEncodeLockHandle(x)
		mov	[esi+8], al

loc_687EA2:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+147j
		and	[ebp+var_14], 0
		lea	eax, [edi+34h]
		test	ds:byte_70EFC6,	21h
		mov	[ebp+var_10], eax
		jz	short loc_687EC1
		mov	edx, eax
		lea	ecx, [ebp+var_14]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_687ED2
; 

loc_687EC1:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+164j
		lea	edx, [ebp+var_14]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_687ED2
		lea	ecx, [ebp+var_14]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_687ED2:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+170j
					; ExAcquireFastResourceSharedStarveExclusive(x,x,x)+179j
		mov	ecx, edi
		call	_ExpTryAcquireResourceSharedStarveExclusive@4 ;	ExpTryAcquireResourceSharedStarveExclusive(x)
		mov	byte ptr [ebp+arg_0+3],	al
		test	al, al
		jz	short loc_687F4F
		lea	ecx, [edi+18h]
		mov	edx, [ecx+4]
		lea	eax, [esi+1Ch]
		cmp	[edx], ecx
		jnz	loc_687FD4
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_687F13
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_687F42
; 

loc_687F13:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+1B5j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_687F32
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_687F42
		call	KxWaitForLockChainValid

loc_687F32:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+1C9j
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_687F42:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+1C2j
					; ExAcquireFastResourceSharedStarveExclusive(x,x,x)+1DCj
		mov	ecx, [ebp+var_8]
		push	esi
		push	0
		call	_ExpAddFastOwnerEntryToThreadList@16 ; ExpAddFastOwnerEntryToThreadList(x,x,x,x)
		jmp	short loc_687FA8
; 

loc_687F4F:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+18Fj
		cmp	[ebp+arg_8], 0
		jnz	short loc_687FBC
		and	byte ptr [esi+9], 0FAh
		xor	eax, eax
		and	dword ptr [esi+0Ch], 0
		inc	eax
		mov	byte ptr [esi+8], 0
		test	ds:byte_70EFC6,	al
		jz	short loc_687F79
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_687FA8
; 

loc_687F79:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+21Bj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_687F98
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_687FA8
		call	KxWaitForLockChainValid

loc_687F98:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+22Fj
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_687FA8:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+12Cj
					; ExAcquireFastResourceSharedStarveExclusive(x,x,x)+1FEj ...
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, byte ptr [ebp+arg_0+3]
		xor	ecx, ecx
		inc	ecx
		jmp	loc_68809D
; 

loc_687FBC:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+204j
		test	ebx, ebx
		jz	short loc_687FC7
		mov	ecx, ebx
		call	_KeAbPreWait@4	; KeAbPreWait(x)

loc_687FC7:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+26Fj
		lea	eax, [edi+18h]
		mov	edx, [eax+4]
		lea	ecx, [esi+1Ch]
		cmp	[edx], eax
		jz	short loc_687FD9

loc_687FD4:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+116j
					; ExAcquireFastResourceSharedStarveExclusive(x,x,x)+19Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_687FD9:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+283j
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		xor	ecx, ecx
		mov	eax, [ebp+var_8]
		inc	dword ptr [edi+28h]
		mov	[ebp+var_28], eax
		xor	eax, eax
		push	ecx
		inc	eax
		mov	[ebp+var_24], ecx
		push	eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_20], ecx
		push	eax
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	ecx, [edi+10h]
		lea	edx, [ebp+var_30]
		call	RtlInsertHeadCircularList
		xor	eax, eax
		inc	eax
		mov	[esi+0Bh], al
		test	ds:byte_70EFC6,	al
		jz	short loc_68802E
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_14]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68805D
; 

loc_68802E:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+2D0j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_68804D
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	short loc_68805D
		call	KxWaitForLockChainValid

loc_68804D:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+2E4j
		xor	ecx, ecx
		mov	[ebp+var_14], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_68805D:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+2DDj
					; ExAcquireFastResourceSharedStarveExclusive(x,x,x)+2F7j
		mov	ecx, [ebp+var_8]
		push	esi
		push	0
		call	_ExpAddFastOwnerEntryToThreadList@16 ; ExpAddFastOwnerEntryToThreadList(x,x,x,x)
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	10244h
		lea	edx, [ebp+var_30]
		mov	ecx, edi
		call	ExpWaitForResource
		mov	byte ptr [esi+0Bh], 0
		test	ebx, ebx
		jz	short loc_688095
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	KeAbPreAcquire

loc_688095:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+339j
		xor	ecx, ecx
		inc	ecx
		mov	al, cl
		mov	byte ptr [ebp+arg_0+3],	al

loc_68809D:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+268j
		test	ebx, ebx
		jz	short loc_6880B3
		test	al, al
		jz	short loc_6880AA
		or	[ebx+0Eh], cl
		jmp	short loc_6880B3
; 

loc_6880AA:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+354j
		mov	edx, ebx
		mov	ecx, edi
		call	KeAbPostReleaseEx

loc_6880B3:				; CODE XREF: ExAcquireFastResourceSharedStarveExclusive(x,x,x)+350j
					; ExAcquireFastResourceSharedStarveExclusive(x,x,x)+359j
		mov	al, byte ptr [ebp+arg_0+3]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_ExAcquireFastResourceSharedStarveExclusive@12 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 334. ExConvertFastResourceExclusiveToShared

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExConvertFastResourceExclusiveToShared(x, x)
		public _ExConvertFastResourceExclusiveToShared@8
_ExConvertFastResourceExclusiveToShared@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+0Eh], 1
		jnz	short loc_6880E2
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	esi
		push	3

loc_6880D8:				; CODE XREF: ExConvertFastResourceExclusiveToShared(x,x)+3Cj
					; ExConvertFastResourceExclusiveToShared(x,x)+56j ...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6880E2:				; CODE XREF: ExConvertFastResourceExclusiveToShared(x,x)+Dj
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edi, large fs:124h
		xor	ecx, ecx
		cmp	al, 1
		jbe	short loc_688100
		push	ecx
		push	1
		movzx	eax, al
		push	eax
		push	ecx
		jmp	short loc_6880D8
; 

loc_688100:				; CODE XREF: ExConvertFastResourceExclusiveToShared(x,x)+32j
		jnb	short loc_68811A
		test	dword ptr [edi+58h], 400h
		jnz	short loc_68811A
		cmp	[edi+13Ch], ecx
		jnz	short loc_68811A
		push	ecx
		push	ecx
		push	ecx
		push	7
		jmp	short loc_6880D8
; 

loc_68811A:				; CODE XREF: ExConvertFastResourceExclusiveToShared(x,x):loc_688100j
					; ExConvertFastResourceExclusiveToShared(x,x)+47j ...
		mov	edx, [ebp+arg_4]
		mov	eax, [edx+10h]
		cmp	eax, edi
		pop	edi
		jz	short loc_68812C
		push	ecx
		push	eax
		push	edx
		push	9
		jmp	short loc_6880D8
; 

loc_68812C:				; CODE XREF: ExConvertFastResourceExclusiveToShared(x,x)+61j
		mov	eax, [edx+0Ch]
		cmp	eax, esi
		jz	short loc_68813A
		push	eax
		push	edx
		push	esi
		push	8
		jmp	short loc_6880D8
; 

loc_68813A:				; CODE XREF: ExConvertFastResourceExclusiveToShared(x,x)+6Fj
		mov	al, [edx+9]
		test	al, 1
		jz	short loc_688148
		push	ecx
		push	ecx
		push	edx
		push	0Ah
		jmp	short loc_6880D8
; 

loc_688148:				; CODE XREF: ExConvertFastResourceExclusiveToShared(x,x)+7Dj
		test	al, 4
		jnz	short loc_688162
		movzx	eax, al
		and	eax, 4
		push	ecx
		shl	eax, 0Eh
		or	eax, 1
		push	eax
		push	edx
		push	0Bh
		jmp	loc_6880D8
; 

loc_688162:				; CODE XREF: ExConvertFastResourceExclusiveToShared(x,x)+88j
		cmp	[edx+0Ah], cl
		jz	short loc_68817A
		lea	eax, [edx+14h]
		cmp	[eax], eax
		jnz	short loc_68817A
		mov	ecx, esi
		call	_ExpConvertFastResourceExclusiveToShared@8 ; ExpConvertFastResourceExclusiveToShared(x,x)
		pop	esi
		pop	ebp
		retn	8
; 

loc_68817A:				; CODE XREF: ExConvertFastResourceExclusiveToShared(x,x)+A3j
					; ExConvertFastResourceExclusiveToShared(x,x)+AAj
		push	ecx
		push	ecx
		push	esi
		push	13h
		jmp	loc_6880D8
_ExConvertFastResourceExclusiveToShared@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 338. ExDeleteFastResource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExDeleteFastResource(x)
		public _ExDeleteFastResource@4
_ExDeleteFastResource@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+0Eh], 1
		jnz	short loc_6881A9
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	esi
		push	3

loc_68819F:				; CODE XREF: ExDeleteFastResource(x)+34j
					; ExDeleteFastResource(x)+40j
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6881A9:				; CODE XREF: ExDeleteFastResource(x)+Dj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		xor	ecx, ecx
		cmp	al, 1
		jbe	short loc_6881BF
		push	ecx
		push	1
		movzx	eax, al
		push	eax
		push	ecx
		jmp	short loc_68819F
; 

loc_6881BF:				; CODE XREF: ExDeleteFastResource(x)+2Aj
		cmp	[esi+20h], ecx
		jz	short loc_6881CB
		push	ecx
		push	ecx
		push	esi
		push	4
		jmp	short loc_68819F
; 

loc_6881CB:				; CODE XREF: ExDeleteFastResource(x)+39j
		mov	eax, 0FFBEh
		mov	ecx, esi
		and	[esi+0Eh], ax
		call	_ExpDeleteResource@4 ; ExpDeleteResource(x)
		pop	esi
		pop	ebp
		retn	4
_ExDeleteFastResource@4	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; 
; Exported entry 346. ExDisownFastResource

; __stdcall ExDisownFastResource(x, x)
		public _ExDisownFastResource@8
_ExDisownFastResource@8:
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		xor	eax, eax
		xor	edx, edx
		push	esi
		mov	esi, [ebp+0Ch]
		mov	bl, dl
		push	edi
		lea	edi, [ebp-1Ch]
		mov	[ebp-20h], edx
		stosd
		mov	[ebp-10h], edx
		mov	[ebp-0Ch], edx
		mov	[ebp+0Fh], bl
		stosd
		stosd
		mov	eax, large fs:124h
		mov	edi, [ebp+8]
		mov	[ebp-4], eax
		xor	eax, eax
		inc	eax
		test	[edi+0Eh], al
		jnz	short loc_68822E
		push	edx
		push	edx
		push	edi
		push	3

loc_688224:				; CODE XREF: .text:00688249j
					; .text:0068826Aj ...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68822E:				; CODE XREF: .text:0068821Dj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		cmp	al, 2
		jbe	short loc_68824B
		push	0
		push	2
		movzx	eax, al
		push	eax
		push	0
		jmp	short loc_688224
; 

loc_68824B:				; CODE XREF: .text:0068823Dj
		xor	edx, edx
		inc	edx
		cmp	al, dl
		jnb	short loc_68826C
		xor	edx, edx
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_68826E
		cmp	[ecx+13Ch], edx
		jnz	short loc_68826E
		push	edx
		push	edx
		push	edx
		push	7
		jmp	short loc_688224
; 

loc_68826C:				; CODE XREF: .text:00688250j
		xor	edx, edx

loc_68826E:				; CODE XREF: .text:0068825Bj
					; .text:00688263j
		mov	eax, [esi+10h]
		cmp	eax, ecx
		jz	short loc_68827C
		push	edx
		push	eax
		push	esi
		push	9
		jmp	short loc_688224
; 

loc_68827C:				; CODE XREF: .text:00688273j
		mov	eax, [esi+0Ch]
		cmp	eax, edi
		jz	short loc_68828A
		push	eax
		push	esi
		push	edi
		push	8
		jmp	short loc_688224
; 

loc_68828A:				; CODE XREF: .text:00688281j
		xor	eax, eax
		inc	eax
		test	[esi+9], al
		jz	short loc_688299
		push	edx
		push	edx
		push	esi
		push	0Ah
		jmp	short loc_688224
; 

loc_688299:				; CODE XREF: .text:00688290j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	byte ptr [edi+0Eh], 80h
		mov	bh, al
		mov	[ebp+0Bh], bh
		jz	short loc_6882C3
		cmp	byte ptr [esi+0Ah], 0
		jz	short loc_6882B7
		lea	ecx, [esi+14h]
		cmp	[ecx], ecx
		jz	short loc_6882C3

loc_6882B7:				; CODE XREF: .text:006882AEj
		push	0
		push	0
		push	edi
		push	12h
		jmp	loc_688224
; 

loc_6882C3:				; CODE XREF: .text:006882A8j
					; .text:006882B5j
		and	dword ptr [ebp-28h], 0
		xor	eax, eax
		inc	eax
		or	[esi+9], al
		mov	eax, [ebp-4]
		add	eax, 3ACh
		test	ds:byte_70EFC6,	21h
		mov	[ebp-24h], eax
		jz	short loc_6882ED
		mov	edx, eax
		lea	ecx, [ebp-28h]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6882FE
; 

loc_6882ED:				; CODE XREF: .text:006882DFj
		lea	edx, [ebp-28h]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_6882FE
		lea	ecx, [ebp-28h]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_6882FE:				; CODE XREF: .text:006882EBj
					; .text:006882F4j
		mov	ecx, [ebp-4]
		xor	eax, eax
		push	0
		inc	eax
		mov	edx, edi
		push	eax
		call	_ExpFindFastOwnerEntryForThread@16 ; ExpFindFastOwnerEntryForThread(x,x,x,x)
		mov	cl, [esi+0Ah]
		mov	edx, eax
		mov	[ebp-8], edx
		test	edx, edx
		jz	loc_68850A
		test	cl, cl
		jnz	short loc_688364
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	loc_688752
		cmp	[eax], esi
		jnz	loc_688752
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	eax, [edx+14h]
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_688752
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		mov	esi, [ebp-4]
		jmp	loc_6886CE
; 

loc_688364:				; CODE XREF: .text:00688320j
		and	dword ptr [ebp-1Ch], 0
		lea	ebx, [esi+14h]
		lea	eax, [edi+34h]
		mov	[ebp-18h], eax
		cmp	[ebx], ebx
		jz	loc_688438
		test	ds:byte_70EFC6,	21h
		jz	short loc_68838E
		mov	edx, eax
		lea	ecx, [ebp-1Ch]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68839F
; 

loc_68838E:				; CODE XREF: .text:00688380j
		lea	edx, [ebp-1Ch]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_68839F
		lea	ecx, [ebp-1Ch]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_68839F:				; CODE XREF: .text:0068838Cj
					; .text:00688395j
		xor	ebx, ebx
		mov	edx, esi
		inc	ebx
		mov	ecx, edi
		push	ebx
		call	_ExpRotateFastOwnerEntrySublistHead@12 ; ExpRotateFastOwnerEntrySublistHead(x,x,x)
		test	ds:byte_70EFC6,	bl
		jz	short loc_6883C1
		mov	edx, [ebp+4]
		lea	ecx, [ebp-1Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6883ED
; 

loc_6883C1:				; CODE XREF: .text:006883B2j
		mov	eax, [ebp-1Ch]
		test	eax, eax
		jnz	short loc_6883E0
		mov	edx, [ebp-18h]
		lea	eax, [ebp-1Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-1Ch]
		cmp	eax, ecx
		jz	short loc_6883ED
		call	KxWaitForLockChainValid

loc_6883E0:				; CODE XREF: .text:006883C6j
		mov	dword ptr [ebp-1Ch], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_6883ED:				; CODE XREF: .text:006883BFj
					; .text:006883D9j
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	loc_688752
		cmp	[eax], esi
		jnz	loc_688752
		mov	[eax], ecx
		mov	[ecx+4], eax
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0

loc_68840F:				; CODE XREF: .text:00688505j
		mov	eax, [ebp-8]
		add	eax, 14h
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_688752
		mov	bl, [ebp+0Fh]
		mov	bh, [ebp+0Bh]
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		mov	esi, [ebp-4]
		jmp	loc_6886CE
; 

loc_688438:				; CODE XREF: .text:00688373j
		test	ds:byte_70EFC6,	21h
		jz	short loc_68844D
		mov	edx, eax
		lea	ecx, [ebp-1Ch]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68845E
; 

loc_68844D:				; CODE XREF: .text:0068843Fj
		lea	edx, [ebp-1Ch]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_68845E
		lea	ecx, [ebp-1Ch]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_68845E:				; CODE XREF: .text:0068844Bj
					; .text:00688454j
		dec	dword ptr [edi+20h]
		lea	eax, [esi+1Ch]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_688752
		cmp	[ecx], eax
		jnz	loc_688752
		mov	[ecx], edx
		mov	[edx+4], ecx
		and	dword ptr [eax], 0
		and	dword ptr [eax+4], 0
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_68849E
		mov	edx, [ebp+4]
		lea	ecx, [ebp-1Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6884CD
; 

loc_68849E:				; CODE XREF: .text:0068848Fj
		mov	eax, [ebp-1Ch]
		test	eax, eax
		jnz	short loc_6884BD
		mov	edx, [ebp-18h]
		lea	eax, [ebp-1Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-1Ch]
		cmp	eax, ecx
		jz	short loc_6884CD
		call	KxWaitForLockChainValid

loc_6884BD:				; CODE XREF: .text:006884A3j
		xor	edx, edx
		mov	dword ptr [ebp-1Ch], 0
		add	eax, 4
		inc	edx
		lock xor [eax],	edx

loc_6884CD:				; CODE XREF: .text:0068849Cj
					; .text:006884B6j
		mov	byte ptr [esi+0Ah], 0
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	loc_688752
		cmp	[eax], esi
		jnz	loc_688752
		mov	[eax], ecx
		mov	[ecx+4], eax
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		and	dword ptr [ebx], 0
		and	dword ptr [ebx+4], 0
		movzx	eax, byte ptr [esi+8]
		mov	[ebp-10h], eax
		mov	byte ptr [esi+8], 0
		jmp	loc_68840F
; 

loc_68850A:				; CODE XREF: .text:00688318j
		test	cl, cl
		jnz	loc_6885D2
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	loc_688752
		cmp	[eax], esi
		jnz	loc_688752
		mov	[eax], ecx
		mov	[ecx+4], eax
		xor	ecx, ecx
		mov	[esi], ecx
		lea	eax, [edi+34h]
		mov	[esi+4], ecx
		test	ds:byte_70EFC6,	21h
		mov	[ebp-18h], eax
		mov	[ebp-1Ch], ecx
		jz	short loc_688552
		mov	edx, eax
		lea	ecx, [ebp-1Ch]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_688563
; 

loc_688552:				; CODE XREF: .text:00688544j
		lea	edx, [ebp-1Ch]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_688563
		lea	ecx, [ebp-1Ch]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_688563:				; CODE XREF: .text:00688550j
					; .text:00688559j
		inc	dword ptr [edi+20h]
		lea	ecx, [edi+18h]
		mov	edx, [ecx+4]
		lea	eax, [esi+1Ch]
		cmp	[edx], ecx
		jnz	loc_688752
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_688599
		mov	edx, [ebp+4]
		lea	ecx, [ebp-1Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6885C8
; 

loc_688599:				; CODE XREF: .text:0068858Aj
		mov	eax, [ebp-1Ch]
		test	eax, eax
		jnz	short loc_6885B8
		mov	edx, [ebp-18h]
		lea	eax, [ebp-1Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-1Ch]
		cmp	eax, ecx
		jz	short loc_6885C8
		call	KxWaitForLockChainValid

loc_6885B8:				; CODE XREF: .text:0068859Ej
		xor	edx, edx
		mov	dword ptr [ebp-1Ch], 0
		add	eax, 4
		inc	edx
		lock xor [eax],	edx

loc_6885C8:				; CODE XREF: .text:00688597j
					; .text:006885B1j
		xor	eax, eax
		inc	eax
		mov	bl, al
		jmp	loc_6886C2
; 

loc_6885D2:				; CODE XREF: .text:0068850Cj
		lea	eax, [esi+14h]
		cmp	[eax], eax
		jz	loc_688688
		and	dword ptr [ebp-1Ch], 0
		lea	eax, [edi+34h]
		test	ds:byte_70EFC6,	21h
		mov	[ebp-18h], eax
		jz	short loc_6885FC
		mov	edx, eax
		lea	ecx, [ebp-1Ch]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68860D
; 

loc_6885FC:				; CODE XREF: .text:006885EEj
		lea	edx, [ebp-1Ch]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_68860D
		lea	ecx, [ebp-1Ch]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_68860D:				; CODE XREF: .text:006885FAj
					; .text:00688603j
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	_ExpRotateFastOwnerEntrySublistHead@12 ; ExpRotateFastOwnerEntrySublistHead(x,x,x)
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_688630
		mov	edx, [ebp+4]
		lea	ecx, [ebp-1Ch]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68865F
; 

loc_688630:				; CODE XREF: .text:00688621j
		mov	eax, [ebp-1Ch]
		test	eax, eax
		jnz	short loc_68864F
		mov	edx, [ebp-18h]
		lea	eax, [ebp-1Ch]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-1Ch]
		cmp	eax, ecx
		jz	short loc_68865F
		call	KxWaitForLockChainValid

loc_68864F:				; CODE XREF: .text:00688635j
		xor	edx, edx
		mov	dword ptr [ebp-1Ch], 0
		add	eax, 4
		inc	edx
		lock xor [eax],	edx

loc_68865F:				; CODE XREF: .text:0068862Ej
					; .text:00688648j
		mov	ecx, [esi]
		xor	eax, eax
		inc	eax
		mov	bl, al
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	loc_688752
		cmp	[eax], esi
		jnz	loc_688752
		mov	[eax], ecx
		mov	[ecx+4], eax
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		jmp	short loc_6886BF
; 

loc_688688:				; CODE XREF: .text:006885D7j
		movzx	ecx, byte ptr [esi+8]
		xor	edx, edx
		inc	edx
		mov	byte ptr [esi+0Ah], 0
		mov	bl, dl
		mov	[ebp-0Ch], ecx
		mov	edx, [esi]
		mov	ecx, [esi+4]
		cmp	[edx+4], esi
		jnz	loc_688752
		cmp	[ecx], esi
		jnz	loc_688752
		mov	[ecx], edx
		mov	[edx+4], ecx
		xor	ecx, ecx
		mov	[esi], ecx
		mov	[esi+4], ecx
		mov	[eax], ecx
		mov	[eax+4], ecx

loc_6886BF:				; CODE XREF: .text:00688686j
		xor	eax, eax
		inc	eax

loc_6886C2:				; CODE XREF: .text:006885CDj
		push	esi
		mov	esi, [ebp-4]
		mov	ecx, esi
		push	eax
		call	_ExpAddFastOwnerEntryToThreadList@16 ; ExpAddFastOwnerEntryToThreadList(x,x,x,x)

loc_6886CE:				; CODE XREF: .text:0068835Fj
					; .text:00688433j
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_6886E6
		mov	edx, [ebp+4]
		lea	ecx, [ebp-28h]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_688715
; 

loc_6886E6:				; CODE XREF: .text:006886D7j
		mov	eax, [ebp-28h]
		test	eax, eax
		jnz	short loc_688705
		mov	edx, [ebp-24h]
		lea	eax, [ebp-28h]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp-28h]
		cmp	eax, ecx
		jz	short loc_688715
		call	KxWaitForLockChainValid

loc_688705:				; CODE XREF: .text:006886EBj
		xor	edx, edx
		mov	dword ptr [ebp-28h], 0
		add	eax, 4
		inc	edx
		lock xor [eax],	edx

loc_688715:				; CODE XREF: .text:006886E4j
					; .text:006886FEj
		mov	eax, [ebp-0Ch]
		test	eax, eax
		jz	short loc_688723
		mov	edx, eax
		call	_KeAbMarkCrossThreadReleasable@8 ; KeAbMarkCrossThreadReleasable(x,x)

loc_688723:				; CODE XREF: .text:0068871Aj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jz	short loc_68873B
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag

loc_68873B:				; CODE XREF: .text:0068872Dj
		mov	eax, [ebp-10h]
		test	eax, eax
		jz	short loc_68874B
		mov	edx, eax
		mov	ecx, edi
		call	KeAbPostReleaseEx

loc_68874B:				; CODE XREF: .text:00688740j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_688752:				; CODE XREF: .text:0068832Aj
					; .text:00688332j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		dd 0CCCCCCCCh
; Exported entry 374. ExInitializeFastOwnerEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInitializeFastOwnerEntry(x)
		public _ExInitializeFastOwnerEntry@4
_ExInitializeFastOwnerEntry@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jbe	short loc_68877F
		push	0
		push	2
		movzx	eax, al
		push	eax
		push	0
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68877F:				; CODE XREF: ExInitializeFastOwnerEntry(x)+Dj
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	9
		pop	ecx
		mov	edi, edx
		rep stosd
		mov	eax, large fs:124h
		mov	[edx+10h], eax
		pop	edi
		pop	ebp
		retn	4
_ExInitializeFastOwnerEntry@4 endp ; sp	= -14h

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 389. ExIsFastResourceContended

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExIsFastResourceContended(x)
		public _ExIsFastResourceContended@4
_ExIsFastResourceContended@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+0Eh], 1
		jnz	short loc_6887BF
		push	0
		push	0
		push	esi
		push	3

loc_6887B5:				; CODE XREF: ExIsFastResourceContended(x)+34j
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6887BF:				; CODE XREF: ExIsFastResourceContended(x)+Dj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jbe	short loc_6887D5
		push	0
		push	2
		movzx	eax, al
		push	eax
		push	0
		jmp	short loc_6887B5
; 

loc_6887D5:				; CODE XREF: ExIsFastResourceContended(x)+28j
		cmp	dword ptr [esi+28h], 0
		jnz	short loc_6887E5
		cmp	dword ptr [esi+2Ch], 0
		jnz	short loc_6887E5
		xor	al, al
		jmp	short loc_6887E7
; 

loc_6887E5:				; CODE XREF: ExIsFastResourceContended(x)+3Aj
					; ExIsFastResourceContended(x)+40j
		mov	al, 1

loc_6887E7:				; CODE XREF: ExIsFastResourceContended(x)+44j
		pop	esi
		pop	ebp
		retn	4
_ExIsFastResourceContended@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 390. ExIsFastResourceHeld

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExIsFastResourceHeld(x)
		public _ExIsFastResourceHeld@4
_ExIsFastResourceHeld@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+0Eh], 1
		jnz	short loc_688811
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	esi
		push	3

loc_688807:				; CODE XREF: ExIsFastResourceHeld(x)+34j
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_688811:				; CODE XREF: ExIsFastResourceHeld(x)+Dj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jbe	short loc_688827
		xor	ecx, ecx
		movzx	eax, al
		push	ecx
		push	2
		push	eax
		push	ecx
		jmp	short loc_688807
; 

loc_688827:				; CODE XREF: ExIsFastResourceHeld(x)+28j
		xor	eax, eax
		cmp	[esi+20h], eax
		jz	short loc_688859
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		xor	ecx, ecx
		mov	edx, esi
		push	ecx
		push	ecx
		mov	ecx, large fs:124h
		mov	bl, al
		call	_ExpFindFastOwnerEntryForThread@16 ; ExpFindFastOwnerEntryForThread(x,x,x,x)
		mov	cl, bl
		mov	esi, eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		pop	ebx
		setnz	al

loc_688859:				; CODE XREF: ExIsFastResourceHeld(x)+3Bj
		pop	esi
		pop	ebp
		retn	4
_ExIsFastResourceHeld@4	endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 391. ExIsFastResourceHeldExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExIsFastResourceHeldExclusive(x)
		public _ExIsFastResourceHeldExclusive@4
_ExIsFastResourceHeldExclusive@4 proc near
					; CODE XREF: ExIsResourceAcquiredExclusiveLite+51p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+0Eh], 1
		jnz	short loc_688883
		push	0
		push	0
		push	esi
		push	3

loc_688879:				; CODE XREF: ExIsFastResourceHeldExclusive(x)+34j
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_688883:				; CODE XREF: ExIsFastResourceHeldExclusive(x)+Dj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jbe	short loc_688899
		push	0
		push	2
		movzx	eax, al
		push	eax
		push	0
		jmp	short loc_688879
; 

loc_688899:				; CODE XREF: ExIsFastResourceHeldExclusive(x)+28j
		test	byte ptr [esi+0Eh], 80h
		jnz	short loc_6888A3
		xor	al, al
		jmp	short loc_6888CE
; 

loc_6888A3:				; CODE XREF: ExIsFastResourceHeldExclusive(x)+3Aj
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, large fs:124h
		mov	edx, esi
		push	0
		push	0
		mov	bl, al
		call	_ExpFindFastOwnerEntryForThread@16 ; ExpFindFastOwnerEntryForThread(x,x,x,x)
		mov	cl, bl
		mov	esi, eax
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		pop	ebx
		setnz	al

loc_6888CE:				; CODE XREF: ExIsFastResourceHeldExclusive(x)+3Ej
		pop	esi
		pop	ebp
		retn	4
_ExIsFastResourceHeldExclusive@4 endp

; 
		align 8
; Exported entry 415. ExReinitializeFastResource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExReinitializeFastResource(x)
		public _ExReinitializeFastResource@4
_ExReinitializeFastResource@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+0Eh], 1
		jnz	short loc_6888F8
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	esi
		push	3

loc_6888EE:				; CODE XREF: ExReinitializeFastResource(x)+34j
					; ExReinitializeFastResource(x)+40j
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6888F8:				; CODE XREF: ExReinitializeFastResource(x)+Dj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		xor	ecx, ecx
		cmp	al, 1
		jbe	short loc_68890E
		push	ecx
		push	1
		movzx	eax, al
		push	eax
		push	ecx
		jmp	short loc_6888EE
; 

loc_68890E:				; CODE XREF: ExReinitializeFastResource(x)+2Aj
		cmp	[esi+20h], ecx
		jz	short loc_68891A
		push	ecx
		push	ecx
		push	esi
		push	4
		jmp	short loc_6888EE
; 

loc_68891A:				; CODE XREF: ExReinitializeFastResource(x)+39j
		mov	ax, [esi+0Eh]
		xor	edx, edx
		mov	[esi+0Ch], edx
		and	ax, 41h
		mov	[esi+10h], ecx
		mov	[esi+14h], ecx
		movzx	eax, ax
		or	[esi+0Eh], ax
		lea	eax, [esi+18h]
		mov	[esi+20h], ecx
		mov	[esi+24h], ecx
		mov	[esi+28h], ecx
		mov	[esi+2Ch], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		pop	esi
		pop	ebp
		retn	4
_ExReinitializeFastResource@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 418. ExReleaseDisownedFastResource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExReleaseDisownedFastResource(x, x)
		public _ExReleaseDisownedFastResource@8
_ExReleaseDisownedFastResource@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+0Eh], 1
		jnz	short loc_688972
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	esi
		push	3

loc_688968:				; CODE XREF: ExReleaseDisownedFastResource(x,x)+3Bj
					; ExReleaseDisownedFastResource(x,x)+57j ...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_688972:				; CODE XREF: ExReleaseDisownedFastResource(x,x)+Dj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edx, large fs:124h
		xor	ecx, ecx
		cmp	al, 2
		jbe	short loc_68898F
		push	ecx
		push	2
		movzx	eax, al
		push	eax
		push	ecx
		jmp	short loc_688968
; 

loc_68898F:				; CODE XREF: ExReleaseDisownedFastResource(x,x)+31j
		cmp	al, 1
		jnb	short loc_6889AB
		test	dword ptr [edx+58h], 400h
		jnz	short loc_6889AB
		cmp	[edx+13Ch], ecx
		jnz	short loc_6889AB
		push	ecx
		push	ecx
		push	ecx
		push	7
		jmp	short loc_688968
; 

loc_6889AB:				; CODE XREF: ExReleaseDisownedFastResource(x,x)+3Fj
					; ExReleaseDisownedFastResource(x,x)+48j ...
		mov	edx, [ebp+arg_4]
		mov	eax, [edx+0Ch]
		cmp	eax, esi
		jz	short loc_6889BC
		push	eax
		push	edx
		push	esi
		push	0Ch
		jmp	short loc_688968
; 

loc_6889BC:				; CODE XREF: ExReleaseDisownedFastResource(x,x)+61j
		test	byte ptr [edx+9], 1
		jnz	short loc_6889C9
		push	ecx
		push	ecx
		push	edx
		push	0Dh
		jmp	short loc_688968
; 

loc_6889C9:				; CODE XREF: ExReleaseDisownedFastResource(x,x)+6Ej
		test	byte ptr [esi+0Eh], 80h
		mov	ecx, esi
		jz	short loc_6889D8
		call	_ExpReleaseDisownedFastResourceExclusive@8 ; ExpReleaseDisownedFastResourceExclusive(x,x)
		jmp	short loc_6889DD
; 

loc_6889D8:				; CODE XREF: ExReleaseDisownedFastResource(x,x)+7Dj
		call	_ExpReleaseDisownedFastResourceShared@8	; ExpReleaseDisownedFastResourceShared(x,x)

loc_6889DD:				; CODE XREF: ExReleaseDisownedFastResource(x,x)+84j
		pop	esi
		pop	ebp
		retn	8
_ExReleaseDisownedFastResource@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 419. ExReleaseDisownedFastResourceExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExReleaseDisownedFastResourceExclusive(x, x)
		public _ExReleaseDisownedFastResourceExclusive@8
_ExReleaseDisownedFastResourceExclusive@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+0Eh], 1
		jnz	short loc_688A07
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	esi
		push	3

loc_6889FD:				; CODE XREF: ExReleaseDisownedFastResourceExclusive(x,x)+3Bj
					; ExReleaseDisownedFastResourceExclusive(x,x)+57j ...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_688A07:				; CODE XREF: ExReleaseDisownedFastResourceExclusive(x,x)+Dj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edx, large fs:124h
		xor	ecx, ecx
		cmp	al, 2
		jbe	short loc_688A24
		push	ecx
		push	2
		movzx	eax, al
		push	eax
		push	ecx
		jmp	short loc_6889FD
; 

loc_688A24:				; CODE XREF: ExReleaseDisownedFastResourceExclusive(x,x)+31j
		cmp	al, 1
		jnb	short loc_688A40
		test	dword ptr [edx+58h], 400h
		jnz	short loc_688A40
		cmp	[edx+13Ch], ecx
		jnz	short loc_688A40
		push	ecx
		push	ecx
		push	ecx
		push	7
		jmp	short loc_6889FD
; 

loc_688A40:				; CODE XREF: ExReleaseDisownedFastResourceExclusive(x,x)+3Fj
					; ExReleaseDisownedFastResourceExclusive(x,x)+48j ...
		mov	edx, [ebp+arg_4]
		mov	al, [edx+9]
		test	al, 4
		jnz	short loc_688A5D
		movzx	eax, al
		and	eax, 4
		push	ecx
		shl	eax, 0Eh
		or	eax, 1
		push	eax
		push	edx
		push	0Bh
		jmp	short loc_6889FD
; 

loc_688A5D:				; CODE XREF: ExReleaseDisownedFastResourceExclusive(x,x)+61j
		push	edi
		mov	edi, [edx+0Ch]
		cmp	edi, esi
		jz	short loc_688A6C
		push	edi
		push	edx
		push	esi
		push	0Ch
		jmp	short loc_6889FD
; 

loc_688A6C:				; CODE XREF: ExReleaseDisownedFastResourceExclusive(x,x)+7Cj
		pop	edi
		test	al, 1
		jnz	short loc_688A78
		push	ecx
		push	ecx
		push	edx
		push	0Dh
		jmp	short loc_6889FD
; 

loc_688A78:				; CODE XREF: ExReleaseDisownedFastResourceExclusive(x,x)+88j
		mov	ecx, esi
		call	_ExpReleaseDisownedFastResourceExclusive@8 ; ExpReleaseDisownedFastResourceExclusive(x,x)
		pop	esi
		pop	ebp
		retn	8
_ExReleaseDisownedFastResourceExclusive@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 420. ExReleaseDisownedFastResourceShared

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExReleaseDisownedFastResourceShared(x, x)
		public _ExReleaseDisownedFastResourceShared@8
_ExReleaseDisownedFastResourceShared@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+0Eh], 1
		jnz	short loc_688AA9
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	esi
		push	3

loc_688A9F:				; CODE XREF: ExReleaseDisownedFastResourceShared(x,x)+3Bj
					; ExReleaseDisownedFastResourceShared(x,x)+57j	...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_688AA9:				; CODE XREF: ExReleaseDisownedFastResourceShared(x,x)+Dj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edx, large fs:124h
		xor	ecx, ecx
		cmp	al, 2
		jbe	short loc_688AC6
		push	ecx
		push	2
		movzx	eax, al
		push	eax
		push	ecx
		jmp	short loc_688A9F
; 

loc_688AC6:				; CODE XREF: ExReleaseDisownedFastResourceShared(x,x)+31j
		cmp	al, 1
		jnb	short loc_688AE2
		test	dword ptr [edx+58h], 400h
		jnz	short loc_688AE2
		cmp	[edx+13Ch], ecx
		jnz	short loc_688AE2
		push	ecx
		push	ecx
		push	ecx
		push	7
		jmp	short loc_688A9F
; 

loc_688AE2:				; CODE XREF: ExReleaseDisownedFastResourceShared(x,x)+3Fj
					; ExReleaseDisownedFastResourceShared(x,x)+48j	...
		mov	edx, [ebp+arg_4]
		mov	al, [edx+9]
		test	al, 4
		jz	short loc_688AFC
		movzx	eax, al
		push	ecx
		and	eax, 4
		shl	eax, 0Eh
		push	eax
		push	edx
		push	0Bh
		jmp	short loc_688A9F
; 

loc_688AFC:				; CODE XREF: ExReleaseDisownedFastResourceShared(x,x)+61j
		push	edi
		mov	edi, [edx+0Ch]
		cmp	edi, esi
		jz	short loc_688B0B
		push	edi
		push	edx
		push	esi
		push	0Ch
		jmp	short loc_688A9F
; 

loc_688B0B:				; CODE XREF: ExReleaseDisownedFastResourceShared(x,x)+79j
		pop	edi
		test	al, 1
		jnz	short loc_688B17
		push	ecx
		push	ecx
		push	edx
		push	0Dh
		jmp	short loc_688A9F
; 

loc_688B17:				; CODE XREF: ExReleaseDisownedFastResourceShared(x,x)+85j
		test	byte ptr [esi+0Eh], 80h
		mov	ecx, esi
		jz	short loc_688B26
		call	_ExpReleaseDisownedFastResourceExclusive@8 ; ExpReleaseDisownedFastResourceExclusive(x,x)
		jmp	short loc_688B2B
; 

loc_688B26:				; CODE XREF: ExReleaseDisownedFastResourceShared(x,x)+94j
		call	_ExpReleaseDisownedFastResourceShared@8	; ExpReleaseDisownedFastResourceShared(x,x)

loc_688B2B:				; CODE XREF: ExReleaseDisownedFastResourceShared(x,x)+9Bj
		pop	esi
		pop	ebp
		retn	8
_ExReleaseDisownedFastResourceShared@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 421. ExReleaseFastResource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExReleaseFastResource(x, x)
		public _ExReleaseFastResource@8
_ExReleaseFastResource@8 proc near	; CODE XREF: ExpFastResourceLegacyRelease(x)+4Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	byte ptr [esi+0Eh], 1
		jnz	short loc_688B56
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	esi
		push	3

loc_688B4C:				; CODE XREF: ExReleaseFastResource(x,x)+3Cj
					; ExReleaseFastResource(x,x)+58j ...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_688B56:				; CODE XREF: ExReleaseFastResource(x,x)+Ej
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edi, large fs:124h
		xor	ecx, ecx
		cmp	al, 2
		jbe	short loc_688B73
		push	ecx
		push	2
		movzx	eax, al
		push	eax
		push	ecx
		jmp	short loc_688B4C
; 

loc_688B73:				; CODE XREF: ExReleaseFastResource(x,x)+32j
		cmp	al, 1
		jnb	short loc_688B8F
		test	dword ptr [edi+58h], 400h
		jnz	short loc_688B8F
		cmp	[edi+13Ch], ecx
		jnz	short loc_688B8F
		push	ecx
		push	ecx
		push	ecx
		push	7
		jmp	short loc_688B4C
; 

loc_688B8F:				; CODE XREF: ExReleaseFastResource(x,x)+40j
					; ExReleaseFastResource(x,x)+49j ...
		mov	edx, [ebp+arg_4]
		mov	eax, [edx+10h]
		cmp	eax, edi
		jz	short loc_688BA0
		push	ecx
		push	eax
		push	edx
		push	9
		jmp	short loc_688B4C
; 

loc_688BA0:				; CODE XREF: ExReleaseFastResource(x,x)+62j
		mov	eax, [edx+0Ch]
		cmp	eax, esi
		jz	short loc_688BAE
		push	eax
		push	edx
		push	esi
		push	8
		jmp	short loc_688B4C
; 

loc_688BAE:				; CODE XREF: ExReleaseFastResource(x,x)+70j
		test	byte ptr [edx+9], 1
		jz	short loc_688BBB
		push	ecx
		push	ecx
		push	edx
		push	0Ah
		jmp	short loc_688B4C
; 

loc_688BBB:				; CODE XREF: ExReleaseFastResource(x,x)+7Dj
		test	byte ptr [esi+0Eh], 80h
		mov	ecx, esi
		jnz	short loc_688BCA
		call	_ExpReleaseFastResourceShared@8	; ExpReleaseFastResourceShared(x,x)
		jmp	short loc_688BCF
; 

loc_688BCA:				; CODE XREF: ExReleaseFastResource(x,x)+8Cj
		call	_ExpReleaseFastResourceExclusive@8 ; ExpReleaseFastResourceExclusive(x,x)

loc_688BCF:				; CODE XREF: ExReleaseFastResource(x,x)+93j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_ExReleaseFastResource@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 422. ExReleaseFastResourceExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExReleaseFastResourceExclusive(x, x)
		public _ExReleaseFastResourceExclusive@8
_ExReleaseFastResourceExclusive@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+0Eh], 1
		jnz	short loc_688BFA
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	esi
		push	3

loc_688BF0:				; CODE XREF: ExReleaseFastResourceExclusive(x,x)+3Cj
					; ExReleaseFastResourceExclusive(x,x)+58j ...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_688BFA:				; CODE XREF: ExReleaseFastResourceExclusive(x,x)+Dj
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edi, large fs:124h
		xor	ecx, ecx
		cmp	al, 2
		jbe	short loc_688C18
		push	ecx
		push	2
		movzx	eax, al
		push	eax
		push	ecx
		jmp	short loc_688BF0
; 

loc_688C18:				; CODE XREF: ExReleaseFastResourceExclusive(x,x)+32j
		cmp	al, 1
		jnb	short loc_688C34
		test	dword ptr [edi+58h], 400h
		jnz	short loc_688C34
		cmp	[edi+13Ch], ecx
		jnz	short loc_688C34
		push	ecx
		push	ecx
		push	ecx
		push	7
		jmp	short loc_688BF0
; 

loc_688C34:				; CODE XREF: ExReleaseFastResourceExclusive(x,x)+40j
					; ExReleaseFastResourceExclusive(x,x)+49j ...
		mov	edx, [ebp+arg_4]
		mov	eax, [edx+10h]
		cmp	eax, edi
		pop	edi
		jz	short loc_688C46
		push	ecx
		push	eax
		push	edx
		push	9
		jmp	short loc_688BF0
; 

loc_688C46:				; CODE XREF: ExReleaseFastResourceExclusive(x,x)+63j
		mov	eax, [edx+0Ch]
		cmp	eax, esi
		jz	short loc_688C54
		push	eax
		push	edx
		push	esi
		push	8
		jmp	short loc_688BF0
; 

loc_688C54:				; CODE XREF: ExReleaseFastResourceExclusive(x,x)+71j
		mov	al, [edx+9]
		test	al, 1
		jz	short loc_688C62
		push	ecx
		push	ecx
		push	edx
		push	0Ah
		jmp	short loc_688BF0
; 

loc_688C62:				; CODE XREF: ExReleaseFastResourceExclusive(x,x)+7Fj
		test	al, 4
		jnz	short loc_688C7C
		movzx	eax, al
		and	eax, 4
		push	ecx
		shl	eax, 0Eh
		or	eax, 1
		push	eax
		push	edx
		push	0Bh
		jmp	loc_688BF0
; 

loc_688C7C:				; CODE XREF: ExReleaseFastResourceExclusive(x,x)+8Aj
		mov	ecx, esi
		call	_ExpReleaseFastResourceExclusive@8 ; ExpReleaseFastResourceExclusive(x,x)
		pop	esi
		pop	ebp
		retn	8
_ExReleaseFastResourceExclusive@8 endp ; sp = -14h

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 423. ExReleaseFastResourceShared

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExReleaseFastResourceShared(x, x)
		public _ExReleaseFastResourceShared@8
_ExReleaseFastResourceShared@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+0Eh], 1
		jnz	short loc_688CAD
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	esi
		push	3

loc_688CA3:				; CODE XREF: ExReleaseFastResourceShared(x,x)+3Cj
					; ExReleaseFastResourceShared(x,x)+58j	...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_688CAD:				; CODE XREF: ExReleaseFastResourceShared(x,x)+Dj
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edi, large fs:124h
		xor	ecx, ecx
		cmp	al, 2
		jbe	short loc_688CCB
		push	ecx
		push	2
		movzx	eax, al
		push	eax
		push	ecx
		jmp	short loc_688CA3
; 

loc_688CCB:				; CODE XREF: ExReleaseFastResourceShared(x,x)+32j
		cmp	al, 1
		jnb	short loc_688CE7
		test	dword ptr [edi+58h], 400h
		jnz	short loc_688CE7
		cmp	[edi+13Ch], ecx
		jnz	short loc_688CE7
		push	ecx
		push	ecx
		push	ecx
		push	7
		jmp	short loc_688CA3
; 

loc_688CE7:				; CODE XREF: ExReleaseFastResourceShared(x,x)+40j
					; ExReleaseFastResourceShared(x,x)+49j	...
		mov	edx, [ebp+arg_4]
		mov	eax, [edx+10h]
		cmp	eax, edi
		pop	edi
		jz	short loc_688CF9
		push	ecx
		push	eax
		push	edx
		push	9
		jmp	short loc_688CA3
; 

loc_688CF9:				; CODE XREF: ExReleaseFastResourceShared(x,x)+63j
		mov	eax, [edx+0Ch]
		cmp	eax, esi
		jz	short loc_688D07
		push	eax
		push	edx
		push	esi
		push	8
		jmp	short loc_688CA3
; 

loc_688D07:				; CODE XREF: ExReleaseFastResourceShared(x,x)+71j
		mov	al, [edx+9]
		test	al, 1
		jz	short loc_688D15
		push	ecx
		push	ecx
		push	edx
		push	0Ah
		jmp	short loc_688CA3
; 

loc_688D15:				; CODE XREF: ExReleaseFastResourceShared(x,x)+7Fj
		test	al, 4
		jz	short loc_688D2C
		movzx	eax, al
		push	ecx
		and	eax, 4
		shl	eax, 0Eh
		push	eax
		push	edx
		push	0Bh
		jmp	loc_688CA3
; 

loc_688D2C:				; CODE XREF: ExReleaseFastResourceShared(x,x)+8Aj
		test	byte ptr [esi+0Eh], 80h
		mov	ecx, esi
		jnz	short loc_688D3B
		call	_ExpReleaseFastResourceShared@8	; ExpReleaseFastResourceShared(x,x)
		jmp	short loc_688D40
; 

loc_688D3B:				; CODE XREF: ExReleaseFastResourceShared(x,x)+A5j
		call	_ExpReleaseFastResourceExclusive@8 ; ExpReleaseFastResourceExclusive(x,x)

loc_688D40:				; CODE XREF: ExReleaseFastResourceShared(x,x)+ACj
		pop	esi
		pop	ebp
		retn	8
_ExReleaseFastResourceShared@8 endp ; sp = -14h

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 450. ExTryToConvertFastResourceSharedToExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExTryToConvertFastResourceSharedToExclusive(x, x)
		public _ExTryToConvertFastResourceSharedToExclusive@8
_ExTryToConvertFastResourceSharedToExclusive@8 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		xor	ebx, ebx
		inc	eax
		mov	[ebp+var_4], ebx
		test	[edi+0Eh], al
		jnz	short loc_688D74
		push	ebx
		push	ebx
		push	edi
		push	3

loc_688D6A:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+45j
					; ExTryToConvertFastResourceSharedToExclusive(x,x)+5Fj	...
		push	1C6h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_688D74:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+19j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		xor	edx, edx
		inc	edx
		cmp	al, dl
		jbe	short loc_688D91
		push	ebx
		push	edx
		movzx	eax, al
		push	eax
		push	ebx
		jmp	short loc_688D6A
; 

loc_688D91:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+3Cj
		jnb	short loc_688DAB
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_688DAB
		cmp	[ecx+13Ch], ebx
		jnz	short loc_688DAB
		push	ebx
		push	ebx
		push	ebx
		push	7
		jmp	short loc_688D6A
; 

loc_688DAB:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x):loc_688D91j
					; ExTryToConvertFastResourceSharedToExclusive(x,x)+50j	...
		mov	esi, [ebp+arg_4]
		mov	eax, [esi+10h]
		cmp	eax, ecx
		jz	short loc_688DBC
		push	ebx
		push	eax
		push	esi
		push	9
		jmp	short loc_688D6A
; 

loc_688DBC:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+69j
		mov	eax, [esi+0Ch]
		cmp	eax, edi
		jz	short loc_688DCA
		push	eax
		push	esi
		push	edi
		push	8
		jmp	short loc_688D6A
; 

loc_688DCA:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+77j
		mov	al, [esi+9]
		test	al, dl
		jz	short loc_688DD8
		push	ebx
		push	ebx
		push	esi
		push	0Ah
		jmp	short loc_688D6A
; 

loc_688DD8:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+85j
		test	al, 4
		jz	short loc_688DEF
		movzx	eax, al
		push	ebx
		and	eax, 4
		shl	eax, 0Eh
		push	eax
		push	esi
		push	0Bh
		jmp	loc_688D6A
; 

loc_688DEF:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+90j
		cmp	[esi+0Ah], bl
		jz	loc_688EAF
		lea	eax, [esi+14h]
		cmp	[eax], eax
		jnz	loc_688EAF
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_C], 0
		lea	ecx, [edi+34h]
		test	ds:byte_70EFC6,	21h
		mov	bh, al
		mov	[ebp+var_8], ecx
		jz	short loc_688E2A
		mov	edx, ecx
		lea	ecx, [ebp+var_C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_688E3B
; 

loc_688E2A:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+D2j
		lea	edx, [ebp+var_C]
		xchg	edx, [ecx]
		test	edx, edx
		jz	short loc_688E3B
		lea	ecx, [ebp+var_C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_688E3B:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+DEj
					; ExTryToConvertFastResourceSharedToExclusive(x,x)+E7j
		xor	ecx, ecx
		inc	ecx
		cmp	[edi+20h], ecx
		jz	short loc_688E47
		xor	bl, bl
		jmp	short loc_688E52
; 

loc_688E47:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+F7j
		mov	eax, 80h
		mov	bl, cl
		or	[edi+0Eh], ax

loc_688E52:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+FBj
		test	ds:byte_70EFC6,	cl
		jz	short loc_688E67
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_688E96
; 

loc_688E67:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+10Ej
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_688E89
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_688E96
		call	KxWaitForLockChainValid
		xor	ecx, ecx
		inc	ecx

loc_688E89:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+122j
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	ecx

loc_688E96:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+11Bj
					; ExTryToConvertFastResourceSharedToExclusive(x,x)+135j
		test	bl, bl
		jz	short loc_688E9E
		or	byte ptr [esi+9], 4

loc_688E9E:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+14Ej
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
; 

loc_688EAF:				; CODE XREF: ExTryToConvertFastResourceSharedToExclusive(x,x)+A8j
					; ExTryToConvertFastResourceSharedToExclusive(x,x)+B3j
		push	ebx
		push	ebx
		push	edi
		push	13h
		jmp	loc_688D6A
_ExTryToConvertFastResourceSharedToExclusive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpAddFastOwnerEntryToThreadList(x,	x, x, x)
_ExpAddFastOwnerEntryToThreadList@16 proc near ; CODE XREF: .text:00687839p
					; .text:00687978p ...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		mov	edx, [ebp+arg_4]
		lea	eax, [edx+14h]
		mov	byte ptr [edx+0Ah], 1
		mov	[eax+4], eax
		mov	[eax], eax
		jnz	short loc_688EEE
		lea	eax, [ecx+3A4h]

loc_688ED9:				; CODE XREF: ExpAddFastOwnerEntryToThreadList(x,x,x,x)+3Bj
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_688EF6
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	[ecx+4], edx
		mov	[eax], edx
		pop	ebp
		retn	8
; 

loc_688EEE:				; CODE XREF: ExpAddFastOwnerEntryToThreadList(x,x,x,x)+18j
		lea	eax, [ecx+3B0h]
		jmp	short loc_688ED9
; 

loc_688EF6:				; CODE XREF: ExpAddFastOwnerEntryToThreadList(x,x,x,x)+25j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall ExpAllocateOwnerEntryForLegacyShim()
_ExpAllocateOwnerEntryForLegacyShim@0:	; CODE XREF: ExpFastResourceLegacyAcquireExclusive(x,x)+Dp
					; ExpFastResourceLegacyAcquireShared(x,x)+Dp ...
		mov	edi, edi

loc_688EFD:				; CODE XREF: ExpAddFastOwnerEntryToThreadList(x,x,x,x)+75j
		mov	eax, large fs:20h
		mov	ecx, 200h
		push	0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	454F5246h
		push	24h
		pop	edx
		call	ExpAllocatePoolWithTagFromNode
		mov	edx, eax
		test	edx, edx
		jz	short loc_688EFD
		push	edi
		push	9
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		mov	ecx, large fs:124h
		mov	eax, edx
		or	byte ptr [edx+9], 2
		mov	[edx+10h], ecx
		pop	edi
		retn
_ExpAddFastOwnerEntryToThreadList@16 endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpConvertFastResourceExclusiveToShared(x, x)
_ExpConvertFastResourceExclusiveToShared@8 proc	near
					; CODE XREF: ExConvertFastResourceExclusiveToShared(x,x)+AEp
					; ExpFastResourceLegacyConvertExclusiveToShared(x)+69p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		and	[ebp+var_10], 0
		lea	ecx, [esi+34h]
		test	ds:byte_70EFC6,	21h
		mov	bl, al
		mov	[ebp+var_C], ecx
		jz	short loc_688F86
		mov	edx, ecx
		lea	ecx, [ebp+var_10]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_688F97
; 

loc_688F86:				; CODE XREF: ExpConvertFastResourceExclusiveToShared(x,x)+2Cj
		lea	edx, [ebp+var_10]
		xchg	edx, [ecx]
		test	edx, edx
		jz	short loc_688F97
		lea	ecx, [ebp+var_10]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_688F97:				; CODE XREF: ExpConvertFastResourceExclusiveToShared(x,x)+38j
					; ExpConvertFastResourceExclusiveToShared(x,x)+41j
		mov	eax, 0FF7Fh
		and	[esi+0Eh], ax
		mov	eax, [esi+10h]
		and	dword ptr [esi+10h], 0
		mov	[ebp+var_4], eax
		mov	eax, [esi+28h]
		and	dword ptr [esi+28h], 0
		add	[esi+20h], eax
		test	ds:byte_70EFC6,	1
		jz	short loc_688FCA
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_688FF9
; 

loc_688FCA:				; CODE XREF: ExpConvertFastResourceExclusiveToShared(x,x)+6Fj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_688FE9
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jz	short loc_688FF9
		call	KxWaitForLockChainValid

loc_688FE9:				; CODE XREF: ExpConvertFastResourceExclusiveToShared(x,x)+83j
		xor	ecx, ecx
		mov	[ebp+var_10], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_688FF9:				; CODE XREF: ExpConvertFastResourceExclusiveToShared(x,x)+7Cj
					; ExpConvertFastResourceExclusiveToShared(x,x)+96j
		push	0
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		call	KeWakeWaitChain
		and	byte ptr [edi+9], 0FBh
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpConvertFastResourceExclusiveToShared@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpFastResourceLegacyAcquireExclusive(x, x)
_ExpFastResourceLegacyAcquireExclusive@8 proc near
					; CODE XREF: ExEnterCriticalRegionAndAcquireResourceExclusive:loc_51E17Bp
					; ExAcquireResourceExclusiveLite+CDDC2p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_ExpAllocateOwnerEntryForLegacyShim@0 ;	ExpAllocateOwnerEntryForLegacyShim()
		push	esi
		mov	ebx, eax
		push	ebx
		push	edi
		call	_ExAcquireFastResourceExclusive@12 ; ExAcquireFastResourceExclusive(x,x,x)
		mov	[ebp+var_1], al
		test	al, al
		jnz	short loc_689044
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, [ebp+var_1]

loc_689044:				; CODE XREF: ExpFastResourceLegacyAcquireExclusive(x,x)+21j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpFastResourceLegacyAcquireExclusive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpFastResourceLegacyAcquireShared(x, x)
_ExpFastResourceLegacyAcquireShared@8 proc near
					; CODE XREF: ExEnterCriticalRegionAndAcquireResourceShared:loc_4E6F25p
					; ExEnterPriorityRegionAndAcquireResourceShared:loc_4E81B1p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_ExpAllocateOwnerEntryForLegacyShim@0 ;	ExpAllocateOwnerEntryForLegacyShim()
		push	esi
		mov	ebx, eax
		push	ebx
		push	edi
		call	_ExAcquireFastResourceShared@12	; ExAcquireFastResourceShared(x,x,x)
		mov	[ebp+var_1], al
		test	al, al
		jnz	short loc_689077
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, [ebp+var_1]

loc_689077:				; CODE XREF: ExpFastResourceLegacyAcquireShared(x,x)+21j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpFastResourceLegacyAcquireShared@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpFastResourceLegacyAcquireSharedStarveExclusive(x, x)
_ExpFastResourceLegacyAcquireSharedStarveExclusive@8 proc near
					; CODE XREF: ExAcquireSharedStarveExclusive:loc_494A93p
					; CcPinFileData:loc_5BB1AAp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_ExpAllocateOwnerEntryForLegacyShim@0 ;	ExpAllocateOwnerEntryForLegacyShim()
		push	esi
		mov	ebx, eax
		push	ebx
		push	edi
		call	_ExAcquireFastResourceSharedStarveExclusive@12 ; ExAcquireFastResourceSharedStarveExclusive(x,x,x)
		mov	[ebp+var_1], al
		test	al, al
		jnz	short loc_6890AA
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, [ebp+var_1]

loc_6890AA:				; CODE XREF: ExpFastResourceLegacyAcquireSharedStarveExclusive(x,x)+21j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpFastResourceLegacyAcquireSharedStarveExclusive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpFastResourceLegacyConvertExclusiveToShared(x)
_ExpFastResourceLegacyConvertExclusiveToShared@4 proc near
					; CODE XREF: ExConvertExclusiveToSharedLite:loc_4FC063p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		push	1
		push	0
		mov	edx, esi
		mov	[ebp+var_1], al
		mov	ecx, ebx
		call	_ExpFindFastOwnerEntryForThread@16 ; ExpFindFastOwnerEntryForThread(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_6890EB
		push	eax
		push	eax
		push	ebx
		push	esi
		push	0E3h

loc_6890E6:				; CODE XREF: ExpFastResourceLegacyConvertExclusiveToShared(x)+63j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6890EB:				; CODE XREF: ExpFastResourceLegacyConvertExclusiveToShared(x)+2Cj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	byte ptr [edi+0Ah], 0
		jz	short loc_689122
		lea	eax, [edi+14h]
		cmp	[eax], eax
		jnz	short loc_689122
		test	byte ptr [esi+0Eh], 80h
		jnz	short loc_689114
		push	0
		push	ebx
		push	esi
		push	16h

loc_68910D:				; CODE XREF: ExpFastResourceLegacyConvertExclusiveToShared(x)+7Aj
		push	1C6h
		jmp	short loc_6890E6
; 

loc_689114:				; CODE XREF: ExpFastResourceLegacyConvertExclusiveToShared(x)+56j
		mov	edx, edi
		mov	ecx, esi
		call	_ExpConvertFastResourceExclusiveToShared@8 ; ExpConvertFastResourceExclusiveToShared(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_689122:				; CODE XREF: ExpFastResourceLegacyConvertExclusiveToShared(x)+49j
					; ExpFastResourceLegacyConvertExclusiveToShared(x)+50j
		push	0
		push	0
		push	esi
		push	13h
		jmp	short loc_68910D
_ExpFastResourceLegacyConvertExclusiveToShared@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExpFastResourceLegacyIsAcquiredShared(x)
_ExpFastResourceLegacyIsAcquiredShared@4 proc near
					; CODE XREF: ExIsResourceAcquiredSharedLite+CCC27p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		cmp	[edi+20h], esi
		jz	short loc_68916D
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, large fs:124h
		mov	edx, edi
		push	esi
		push	esi
		mov	bl, al
		call	_ExpFindFastOwnerEntryForThread@16 ; ExpFindFastOwnerEntryForThread(x,x,x,x)
		test	eax, eax
		jz	short loc_689164
		lea	edx, [eax+14h]
		inc	esi
		mov	ecx, [edx]
		jmp	short loc_689160
; 

loc_68915D:				; CODE XREF: ExpFastResourceLegacyIsAcquiredShared(x)+37j
		mov	ecx, [ecx]
		inc	esi

loc_689160:				; CODE XREF: ExpFastResourceLegacyIsAcquiredShared(x)+30j
		cmp	ecx, edx
		jnz	short loc_68915D

loc_689164:				; CODE XREF: ExpFastResourceLegacyIsAcquiredShared(x)+28j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	ebx

loc_68916D:				; CODE XREF: ExpFastResourceLegacyIsAcquiredShared(x)+Bj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_ExpFastResourceLegacyIsAcquiredShared@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpFastResourceLegacyRelease(x)
_ExpFastResourceLegacyRelease@4	proc near
					; CODE XREF: SepCanTokenMatchAllPackageSid:loc_518CCBp
					; SeSecurityAttributePresent:loc_518E4Cp ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		mov	edi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		push	1
		push	0
		mov	edx, edi
		mov	[ebp+var_1], al
		mov	ecx, ebx
		call	_ExpFindFastOwnerEntryForThread@16 ; ExpFindFastOwnerEntryForThread(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_6891AE
		push	eax
		push	eax
		push	ebx
		push	edi
		push	0E3h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_6891AE:				; CODE XREF: ExpFastResourceLegacyRelease(x)+2Cj
		mov	cl, [ebp+var_1]
		and	byte ptr [esi+9], 0FDh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	esi
		push	edi
		call	_ExReleaseFastResource@8 ; ExReleaseFastResource(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpFastResourceLegacyRelease@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpFindFastOwnerEntryForThread(x, x, x, x)
_ExpFindFastOwnerEntryForThread@16 proc	near ; CODE XREF: .text:00687745p
					; ExAcquireFastResourceShared(x,x,x)+105p ...

arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		cmp	[ebp+arg_0], al
		setz	al
		dec	eax
		and	eax, 0Ch
		add	eax, 3A4h
		add	ecx, eax
		mov	eax, [ecx]
		jmp	short loc_6891F2
; 

loc_6891EB:				; CODE XREF: ExpFindFastOwnerEntryForThread(x,x,x,x)+25j
		cmp	[eax+0Ch], edx
		jz	short loc_6891FC
		mov	eax, [eax]

loc_6891F2:				; CODE XREF: ExpFindFastOwnerEntryForThread(x,x,x,x)+1Aj
		cmp	eax, ecx
		jnz	short loc_6891EB

loc_6891F6:				; CODE XREF: ExpFindFastOwnerEntryForThread(x,x,x,x)+4Dj
		xor	eax, eax

loc_6891F8:				; CODE XREF: ExpFindFastOwnerEntryForThread(x,x,x,x)+31j
					; ExpFindFastOwnerEntryForThread(x,x,x,x)+37j ...
		pop	ebp
		retn	8
; 

loc_6891FC:				; CODE XREF: ExpFindFastOwnerEntryForThread(x,x,x,x)+1Fj
		cmp	[ebp+arg_4], 0
		jz	short loc_6891F8
		test	byte ptr [eax+9], 2
		jnz	short loc_6891F8
		mov	ecx, [eax+14h]
		add	eax, 14h
		jmp	short loc_689218
; 

loc_689210:				; CODE XREF: ExpFindFastOwnerEntryForThread(x,x,x,x)+4Bj
		test	byte ptr [ecx+9], 2
		jnz	short loc_68921E
		mov	ecx, [ecx]

loc_689218:				; CODE XREF: ExpFindFastOwnerEntryForThread(x,x,x,x)+3Fj
		cmp	ecx, eax
		jnz	short loc_689210
		jmp	short loc_6891F6
; 

loc_68921E:				; CODE XREF: ExpFindFastOwnerEntryForThread(x,x,x,x)+45j
		mov	eax, ecx
		jmp	short loc_6891F8
_ExpFindFastOwnerEntryForThread@16 endp


;  S U B	R O U T	I N E 


; __stdcall ExpLockThreadDisownedOwnerEntryListAtDpcLevel(x, x)
_ExpLockThreadDisownedOwnerEntryListAtDpcLevel@8 proc near
					; CODE XREF: ExpReleaseDisownedFastResourceExclusive(x,x)+39p
					; ExpReleaseDisownedFastResourceShared(x,x)+39p
		mov	eax, edx
		add	ecx, 3ACh
		and	dword ptr [eax], 0
		mov	[eax+4], ecx
		test	ds:byte_70EFC6,	21h
		jz	short loc_689242
		mov	edx, ecx
		mov	ecx, eax
		jmp	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
; 

loc_689242:				; CODE XREF: ExpLockThreadDisownedOwnerEntryListAtDpcLevel(x,x)+15j
		xchg	edx, [ecx]
		test	edx, edx
		jz	short locret_68924F
		mov	ecx, eax
		jmp	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
; 

locret_68924F:				; CODE XREF: ExpLockThreadDisownedOwnerEntryListAtDpcLevel(x,x)+24j
		retn
_ExpLockThreadDisownedOwnerEntryListAtDpcLevel@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpReleaseDisownedFastResourceExclusive(x, x)
_ExpReleaseDisownedFastResourceExclusive@8 proc	near
					; CODE XREF: ExReleaseDisownedFastResource(x,x)+7Fp
					; ExReleaseDisownedFastResourceExclusive(x,x)+93p ...

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		mov	esi, edx
		mov	ebx, ecx
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_C], eax
		lea	edi, [ebp+var_28]
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		stosd
		stosd
		stosd
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, [esi+10h]
		lea	edx, [ebp+var_28]
		mov	ecx, edi
		mov	[ebp+var_1], al
		call	_ExpLockThreadDisownedOwnerEntryListAtDpcLevel@8 ; ExpLockThreadDisownedOwnerEntryListAtDpcLevel(x,x)
		cmp	byte ptr [esi+0Ah], 0
		jz	short loc_6892B8
		lea	ecx, [esi+14h]
		cmp	[ecx], ecx
		lea	edx, [ebp+var_1C]
		mov	ecx, ebx
		jz	short loc_6892E1
		call	_ExpLockResourceAtDpcLevel@8 ; ExpLockResourceAtDpcLevel(x,x)
		push	1
		mov	edx, esi
		mov	ecx, ebx
		call	_ExpRotateFastOwnerEntrySublistHead@12 ; ExpRotateFastOwnerEntrySublistHead(x,x,x)
		lea	edx, [ebp+var_1C]
		call	_ExpUnlockResourceAtDpcLevel@8 ; ExpUnlockResourceAtDpcLevel(x,x)

loc_6892B8:				; CODE XREF: ExpReleaseDisownedFastResourceExclusive(x,x)+42j
		mov	ecx, esi
		call	_ExpRemoveFastOwnerEntryFromSublist@4 ;	ExpRemoveFastOwnerEntryFromSublist(x)
		lea	edx, [ebp+var_28]
		call	_ExpUnlockResourceAtDpcLevel@8 ; ExpUnlockResourceAtDpcLevel(x,x)
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_6892D0:				; CODE XREF: ExpReleaseDisownedFastResourceExclusive(x,x)+FFj
		and	byte ptr [esi+9], 0FAh
		and	dword ptr [esi+0Ch], 0
		pop	edi
		mov	byte ptr [esi+8], 0
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_6892E1:				; CODE XREF: ExpReleaseDisownedFastResourceExclusive(x,x)+4Ej
		call	_ExpLockResourceAtDpcLevel@8 ; ExpLockResourceAtDpcLevel(x,x)
		lea	eax, [ebp+var_10]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_C]
		call	_ExpPrepareToWakeResourceExclusive@16 ;	ExpPrepareToWakeResourceExclusive(x,x,x,x)
		mov	ecx, esi
		call	_ExpRemoveFastOwnerEntryFromResourceList@4 ; ExpRemoveFastOwnerEntryFromResourceList(x)
		lea	edx, [ebp+var_1C]
		call	_ExpUnlockResourceAtDpcLevel@8 ; ExpUnlockResourceAtDpcLevel(x,x)
		mov	ecx, esi
		call	_ExpRemoveFastOwnerEntryFromThreadList@4 ; ExpRemoveFastOwnerEntryFromThreadList(x)
		lea	edx, [ebp+var_28]
		call	_ExpUnlockResourceAtDpcLevel@8 ; ExpUnlockResourceAtDpcLevel(x,x)
		cmp	[ebp+var_8], 0
		lea	edx, [ebp+var_C]
		push	0
		push	ecx
		setnz	byte ptr [ebp+var_10]
		push	[ebp+var_10]
		call	_ExpCommitWakeResourceExclusive@20 ; ExpCommitWakeResourceExclusive(x,x,x,x,x)
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, [esi+8]
		test	al, al
		jz	short loc_689347
		push	edi
		movzx	edx, al
		mov	ecx, ebx
		call	_KeAbCrossThreadRelease@12 ; KeAbCrossThreadRelease(x,x,x)

loc_689347:				; CODE XREF: ExpReleaseDisownedFastResourceExclusive(x,x)+EAj
		mov	ecx, [esi+10h]
		call	ObfDereferenceObject
		jmp	loc_6892D0
_ExpReleaseDisownedFastResourceExclusive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpReleaseDisownedFastResourceShared(x, x)
_ExpReleaseDisownedFastResourceShared@8	proc near
					; CODE XREF: ExReleaseDisownedFastResource(x,x):loc_6889D8p
					; ExReleaseDisownedFastResourceShared(x,x):loc_688B26p

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		mov	esi, edx
		mov	ebx, ecx
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_C], eax
		lea	edi, [ebp+var_28]
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		stosd
		stosd
		stosd
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, [esi+10h]
		lea	edx, [ebp+var_28]
		mov	ecx, edi
		mov	[ebp+var_1], al
		call	_ExpLockThreadDisownedOwnerEntryListAtDpcLevel@8 ; ExpLockThreadDisownedOwnerEntryListAtDpcLevel(x,x)
		cmp	byte ptr [esi+0Ah], 0
		jz	short loc_6893BC
		lea	ecx, [esi+14h]
		cmp	[ecx], ecx
		lea	edx, [ebp+var_1C]
		mov	ecx, ebx
		jz	short loc_6893E5
		call	_ExpLockResourceAtDpcLevel@8 ; ExpLockResourceAtDpcLevel(x,x)
		push	1
		mov	edx, esi
		mov	ecx, ebx
		call	_ExpRotateFastOwnerEntrySublistHead@12 ; ExpRotateFastOwnerEntrySublistHead(x,x,x)
		lea	edx, [ebp+var_1C]
		call	_ExpUnlockResourceAtDpcLevel@8 ; ExpUnlockResourceAtDpcLevel(x,x)

loc_6893BC:				; CODE XREF: ExpReleaseDisownedFastResourceShared(x,x)+42j
		mov	ecx, esi
		call	_ExpRemoveFastOwnerEntryFromSublist@4 ;	ExpRemoveFastOwnerEntryFromSublist(x)
		lea	edx, [ebp+var_28]
		call	_ExpUnlockResourceAtDpcLevel@8 ; ExpUnlockResourceAtDpcLevel(x,x)
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_6893D4:				; CODE XREF: ExpReleaseDisownedFastResourceShared(x,x)+FFj
		and	byte ptr [esi+9], 0FAh
		and	dword ptr [esi+0Ch], 0
		pop	edi
		mov	byte ptr [esi+8], 0
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_6893E5:				; CODE XREF: ExpReleaseDisownedFastResourceShared(x,x)+4Ej
		call	_ExpLockResourceAtDpcLevel@8 ; ExpLockResourceAtDpcLevel(x,x)
		lea	eax, [ebp+var_10]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_C]
		call	_ExpPrepareToWakeResourceShared@16 ; ExpPrepareToWakeResourceShared(x,x,x,x)
		mov	ecx, esi
		call	_ExpRemoveFastOwnerEntryFromResourceList@4 ; ExpRemoveFastOwnerEntryFromResourceList(x)
		lea	edx, [ebp+var_1C]
		call	_ExpUnlockResourceAtDpcLevel@8 ; ExpUnlockResourceAtDpcLevel(x,x)
		mov	ecx, esi
		call	_ExpRemoveFastOwnerEntryFromThreadList@4 ; ExpRemoveFastOwnerEntryFromThreadList(x)
		lea	edx, [ebp+var_28]
		call	_ExpUnlockResourceAtDpcLevel@8 ; ExpUnlockResourceAtDpcLevel(x,x)
		cmp	[ebp+var_8], 0
		lea	edx, [ebp+var_C]
		push	0
		push	ecx
		setnz	byte ptr [ebp+var_10]
		push	[ebp+var_10]
		call	_ExpCommitWakeResourceExclusive@20 ; ExpCommitWakeResourceExclusive(x,x,x,x,x)
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, [esi+8]
		test	al, al
		jz	short loc_68944B
		push	edi
		movzx	edx, al
		mov	ecx, ebx
		call	_KeAbCrossThreadRelease@12 ; KeAbCrossThreadRelease(x,x,x)

loc_68944B:				; CODE XREF: ExpReleaseDisownedFastResourceShared(x,x)+EAj
		mov	ecx, [esi+10h]
		call	ObfDereferenceObject
		jmp	loc_6893D4
_ExpReleaseDisownedFastResourceShared@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpReleaseFastResourceExclusive(x, x)
_ExpReleaseFastResourceExclusive@8 proc	near
					; CODE XREF: ExReleaseFastResource(x,x):loc_688BCAp
					; ExReleaseFastResourceExclusive(x,x)+A4p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		mov	esi, edx
		mov	ebx, ecx
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		cmp	byte ptr [esi+0Ah], 0
		mov	[ebp+var_1], al
		jnz	short loc_6894A9
		mov	edx, [esi]
		mov	ecx, [esi+4]
		cmp	[edx+4], esi
		jnz	loc_689670
		cmp	[ecx], esi
		jnz	loc_689670
		mov	[ecx], edx
		mov	[edx+4], ecx
		jmp	loc_689551
; 

loc_6894A9:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+2Fj
		and	[ebp+var_1C], 0
		lea	edi, [esi+14h]
		lea	eax, [ebx+34h]
		mov	[ebp+var_18], eax
		cmp	[edi], edi
		jz	loc_689565
		test	ds:byte_70EFC6,	21h
		jz	short loc_6894D3
		mov	edx, eax
		lea	ecx, [ebp+var_1C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6894E4
; 

loc_6894D3:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+6Dj
		lea	edx, [ebp+var_1C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_6894E4
		lea	ecx, [ebp+var_1C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_6894E4:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+79j
					; ExpReleaseFastResourceExclusive(x,x)+82j
		xor	edi, edi
		mov	edx, esi
		inc	edi
		mov	ecx, ebx
		push	edi
		call	_ExpRotateFastOwnerEntrySublistHead@12 ; ExpRotateFastOwnerEntrySublistHead(x,x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_689507
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_689533
; 

loc_689507:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+A0j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_689526
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_689533
		call	KxWaitForLockChainValid

loc_689526:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+B4j
		mov	[ebp+var_1C], 0
		add	eax, 4
		lock xor [eax],	edi

loc_689533:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+ADj
					; ExpReleaseFastResourceExclusive(x,x)+C7j
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	loc_689670
		cmp	[eax], esi
		jnz	loc_689670
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	al, [ebp+var_1]

loc_689551:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+4Cj
		and	dword ptr [esi], 0
		mov	cl, al
		and	dword ptr [esi+4], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_68965F
; 

loc_689565:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+60j
		test	ds:byte_70EFC6,	21h
		jz	short loc_68957A
		mov	edx, eax
		lea	ecx, [ebp+var_1C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68958B
; 

loc_68957A:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+114j
		lea	edx, [ebp+var_1C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_68958B
		lea	ecx, [ebp+var_1C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_68958B:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+120j
					; ExpReleaseFastResourceExclusive(x,x)+129j
		lea	eax, [ebp+var_10]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_C]
		call	_ExpPrepareToWakeResourceExclusive@16 ;	ExpPrepareToWakeResourceExclusive(x,x,x,x)
		lea	eax, [esi+1Ch]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_689670
		cmp	[ecx], eax
		jnz	loc_689670
		mov	[ecx], edx
		mov	[edx+4], ecx
		and	dword ptr [eax], 0
		and	dword ptr [eax+4], 0
		test	ds:byte_70EFC6,	1
		jz	short loc_6895D8
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_689607
; 

loc_6895D8:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+171j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_6895F7
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_689607
		call	KxWaitForLockChainValid

loc_6895F7:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+185j
		xor	ecx, ecx
		mov	[ebp+var_1C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_689607:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+17Ej
					; ExpReleaseFastResourceExclusive(x,x)+198j
		cmp	[ebp+var_8], 0
		lea	ecx, [ebp+var_C]
		setnz	al
		xor	edx, edx
		movzx	eax, al
		lea	eax, ds:1[eax*2]
		push	eax
		call	KeWakeWaitChain
		xor	edx, edx
		mov	[esi+0Ah], dl
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_689670
		cmp	[eax], esi
		jnz	short loc_689670
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	cl, [ebp+var_1]
		mov	[esi], edx
		mov	[esi+4], edx
		mov	[edi], edx
		mov	[edi+4], edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, [esi+8]
		test	al, al
		jz	short loc_68965F
		movzx	edx, al
		mov	ecx, ebx
		call	KeAbPostReleaseEx

loc_68965F:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+108j
					; ExpReleaseFastResourceExclusive(x,x)+1FBj
		and	byte ptr [esi+9], 0FAh
		and	dword ptr [esi+0Ch], 0
		pop	edi
		mov	byte ptr [esi+8], 0
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_689670:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+39j
					; ExpReleaseFastResourceExclusive(x,x)+41j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall ExpReleaseFastResourceShared(x, x)
_ExpReleaseFastResourceShared@8:	; CODE XREF: ExReleaseFastResource(x,x)+8Ep
					; ExReleaseFastResourceShared(x,x)+A7p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		mov	esi, edx
		mov	ebx, ecx
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		cmp	byte ptr [esi+0Ah], 0
		mov	[ebp+var_1], al
		jnz	short loc_6896C6
		mov	edx, [esi]
		mov	ecx, [esi+4]
		cmp	[edx+4], esi
		jnz	loc_68988D
		cmp	[ecx], esi
		jnz	loc_68988D
		mov	[ecx], edx
		mov	[edx+4], ecx
		jmp	loc_68976E
; 

loc_6896C6:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+24Cj
		and	[ebp+var_1C], 0
		lea	edi, [esi+14h]
		lea	eax, [ebx+34h]
		mov	[ebp+var_18], eax
		cmp	[edi], edi
		jz	loc_689782
		test	ds:byte_70EFC6,	21h
		jz	short loc_6896F0
		mov	edx, eax
		lea	ecx, [ebp+var_1C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_689701
; 

loc_6896F0:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+28Aj
		lea	edx, [ebp+var_1C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_689701
		lea	ecx, [ebp+var_1C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_689701:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+296j
					; ExpReleaseFastResourceExclusive(x,x)+29Fj
		xor	edi, edi
		mov	edx, esi
		inc	edi
		mov	ecx, ebx
		push	edi
		call	_ExpRotateFastOwnerEntrySublistHead@12 ; ExpRotateFastOwnerEntrySublistHead(x,x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_689724
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_689750
; 

loc_689724:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+2BDj
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_689743
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_689750
		call	KxWaitForLockChainValid

loc_689743:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+2D1j
		mov	[ebp+var_1C], 0
		add	eax, 4
		lock xor [eax],	edi

loc_689750:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+2CAj
					; ExpReleaseFastResourceExclusive(x,x)+2E4j
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	loc_68988D
		cmp	[eax], esi
		jnz	loc_68988D
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	al, [ebp+var_1]

loc_68976E:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+269j
		and	dword ptr [esi], 0
		mov	cl, al
		and	dword ptr [esi+4], 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_68987C
; 

loc_689782:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+27Dj
		test	ds:byte_70EFC6,	21h
		jz	short loc_689797
		mov	edx, eax
		lea	ecx, [ebp+var_1C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_6897A8
; 

loc_689797:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+331j
		lea	edx, [ebp+var_1C]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_6897A8
		lea	ecx, [ebp+var_1C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_6897A8:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+33Dj
					; ExpReleaseFastResourceExclusive(x,x)+346j
		lea	eax, [ebp+var_10]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_C]
		call	_ExpPrepareToWakeResourceShared@16 ; ExpPrepareToWakeResourceShared(x,x,x,x)
		lea	eax, [esi+1Ch]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_68988D
		cmp	[ecx], eax
		jnz	loc_68988D
		mov	[ecx], edx
		mov	[edx+4], ecx
		and	dword ptr [eax], 0
		and	dword ptr [eax+4], 0
		test	ds:byte_70EFC6,	1
		jz	short loc_6897F5
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_1C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_689824
; 

loc_6897F5:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+38Ej
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_689814
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_1C]
		cmp	eax, ecx
		jz	short loc_689824
		call	KxWaitForLockChainValid

loc_689814:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+3A2j
		xor	ecx, ecx
		mov	[ebp+var_1C], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_689824:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+39Bj
					; ExpReleaseFastResourceExclusive(x,x)+3B5j
		cmp	[ebp+var_8], 0
		lea	ecx, [ebp+var_C]
		setnz	al
		xor	edx, edx
		movzx	eax, al
		lea	eax, ds:1[eax*2]
		push	eax
		call	KeWakeWaitChain
		xor	edx, edx
		mov	[esi+0Ah], dl
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_68988D
		cmp	[eax], esi
		jnz	short loc_68988D
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	cl, [ebp+var_1]
		mov	[esi], edx
		mov	[esi+4], edx
		mov	[edi], edx
		mov	[edi+4], edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, [esi+8]
		test	al, al
		jz	short loc_68987C
		movzx	edx, al
		mov	ecx, ebx
		call	KeAbPostReleaseEx

loc_68987C:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+325j
					; ExpReleaseFastResourceExclusive(x,x)+418j
		and	byte ptr [esi+9], 0FAh
		and	dword ptr [esi+0Ch], 0
		pop	edi
		mov	byte ptr [esi+8], 0
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_68988D:				; CODE XREF: ExpReleaseFastResourceExclusive(x,x)+256j
					; ExpReleaseFastResourceExclusive(x,x)+25Ej ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExpReleaseFastResourceExclusive@8 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall ExpRemoveFastOwnerEntryFromResourceList(x)
_ExpRemoveFastOwnerEntryFromResourceList@4 proc	near
					; CODE XREF: ExpReleaseDisownedFastResourceExclusive(x,x)+AAp
					; ExpReleaseDisownedFastResourceShared(x,x)+AAp
		add	ecx, 1Ch
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_6898B0
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_6898B0
		mov	[eax], edx
		mov	[edx+4], eax
		and	dword ptr [ecx], 0
		and	dword ptr [ecx+4], 0
		retn
; 

loc_6898B0:				; CODE XREF: ExpRemoveFastOwnerEntryFromResourceList(x)+8j
					; ExpRemoveFastOwnerEntryFromResourceList(x)+Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExpRemoveFastOwnerEntryFromResourceList@4 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall ExpRemoveFastOwnerEntryFromSublist(x)
_ExpRemoveFastOwnerEntryFromSublist@4 proc near
					; CODE XREF: ExpReleaseDisownedFastResourceExclusive(x,x)+6Ap
					; ExpReleaseDisownedFastResourceShared(x,x)+6Ap
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_6898D0
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_6898D0
		mov	[edx], eax
		mov	[eax+4], edx
		and	dword ptr [ecx], 0
		and	dword ptr [ecx+4], 0
		retn
; 

loc_6898D0:				; CODE XREF: ExpRemoveFastOwnerEntryFromSublist(x)+5j
					; ExpRemoveFastOwnerEntryFromSublist(x)+Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExpRemoveFastOwnerEntryFromSublist@4 endp ; AL	= character to display


;  S U B	R O U T	I N E 


; __stdcall ExpRemoveFastOwnerEntryFromThreadList(x)
_ExpRemoveFastOwnerEntryFromThreadList@4 proc near
					; CODE XREF: ExpReleaseDisownedFastResourceExclusive(x,x)+B9p
					; ExpReleaseDisownedFastResourceShared(x,x)+B9p
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		mov	[ecx+0Ah], bl
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_6898FD
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_6898FD
		mov	[edx], eax
		mov	[eax+4], edx
		mov	[ecx], ebx
		mov	[ecx+4], ebx
		mov	[ecx+14h], ebx
		mov	[ecx+18h], ebx
		pop	ebx
		retn
; 

loc_6898FD:				; CODE XREF: ExpRemoveFastOwnerEntryFromThreadList(x)+Dj
					; ExpRemoveFastOwnerEntryFromThreadList(x)+14j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExpRemoveFastOwnerEntryFromThreadList@4 endp ;	AL = character to display


;  S U B	R O U T	I N E 


; __stdcall ExpReplaceListEntry(x, x)
_ExpReplaceListEntry@8 proc near	; CODE XREF: ExpRotateFastOwnerEntrySublistHead(x,x,x)+3Ap
					; ExpRotateFastOwnerEntrySublistHead(x,x,x)+44p ...
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		push	edi
		xor	edi, edi
		test	esi, esi
		jnz	short loc_689915
		mov	[edx], edi
		mov	[edx+4], edi
		jmp	short loc_68992D
; 

loc_689915:				; CODE XREF: ExpReplaceListEntry(x,x)+Aj
		cmp	esi, ecx
		jnz	short loc_689920
		mov	[edx+4], edx
		mov	[edx], edx
		jmp	short loc_68992D
; 

loc_689920:				; CODE XREF: ExpReplaceListEntry(x,x)+15j
		mov	eax, [ecx+4]
		mov	[edx], esi
		mov	[edx+4], eax
		mov	[esi+4], edx
		mov	[eax], edx

loc_68992D:				; CODE XREF: ExpReplaceListEntry(x,x)+11j
					; ExpReplaceListEntry(x,x)+1Cj
		mov	[ecx], edi
		mov	[ecx+4], edi
		pop	edi
		pop	esi
		retn
_ExpReplaceListEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpRotateFastOwnerEntrySublistHead(x, x, x)
_ExpRotateFastOwnerEntrySublistHead@12 proc near ; CODE	XREF: .text:006883A7p
					; .text:00688613p ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ecx
		push	edi
		lea	ebx, [esi+14h]
		mov	edi, [ebx]
		cmp	[edi+4], ebx
		jnz	short loc_6899C3
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_6899C3
		mov	[ebx], eax
		mov	edx, edi
		mov	[eax+4], ebx
		mov	ecx, esi
		mov	byte ptr [edi+0Ah], 1
		mov	al, [esi+8]
		mov	byte ptr [esi+0Ah], 0
		mov	[edi+8], al
		mov	byte ptr [esi+8], 0
		call	_ExpReplaceListEntry@8 ; ExpReplaceListEntry(x,x)
		lea	edx, [edi+14h]
		mov	ecx, ebx
		call	_ExpReplaceListEntry@8 ; ExpReplaceListEntry(x,x)
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_6899C3
		cmp	[ebp+arg_0], 0
		mov	[esi+4], edx
		mov	[esi], eax
		mov	[eax+4], esi
		mov	[edx], esi
		lea	edx, [edi+1Ch]
		jz	short loc_6899A7
		lea	ecx, [esi+1Ch]
		call	_ExpReplaceListEntry@8 ; ExpReplaceListEntry(x,x)

loc_6899A0:				; CODE XREF: ExpRotateFastOwnerEntrySublistHead(x,x,x)+8Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_6899A7:				; CODE XREF: ExpRotateFastOwnerEntrySublistHead(x,x,x)+61j
		mov	eax, [ebp+var_4]
		inc	dword ptr [eax+20h]
		add	eax, 18h
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_6899C3
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[eax+4], edx
		jmp	short loc_6899A0
; 

loc_6899C3:				; CODE XREF: ExpRotateFastOwnerEntrySublistHead(x,x,x)+16j
					; ExpRotateFastOwnerEntrySublistHead(x,x,x)+1Dj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExpRotateFastOwnerEntrySublistHead@12 endp ; AL = character to	display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpUnlockResourceAtDpcLevel(x, x)
_ExpUnlockResourceAtDpcLevel@8 proc near
					; CODE XREF: ExpReleaseDisownedFastResourceExclusive(x,x)+63p
					; ExpReleaseDisownedFastResourceExclusive(x,x)+72p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ds:byte_70EFC6,	1
		push	esi
		mov	esi, edx
		jz	short loc_6899E5
		mov	edx, [ebp+4]
		mov	ecx, esi
		pop	esi
		pop	ebp
		jmp	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
; 

loc_6899E5:				; CODE XREF: ExpUnlockResourceAtDpcLevel(x,x)+Fj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_689A01
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_689A10
		mov	ecx, esi
		call	KxWaitForLockChainValid

loc_689A01:				; CODE XREF: ExpUnlockResourceAtDpcLevel(x,x)+21j
		xor	ecx, ecx
		mov	dword ptr [esi], 0
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx

loc_689A10:				; CODE XREF: ExpUnlockResourceAtDpcLevel(x,x)+30j
		pop	esi
		pop	ebp
		retn
_ExpUnlockResourceAtDpcLevel@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x, x)
@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 proc near
					; CODE XREF: MiDeleteVad(x,x,x)+18Ap
					; MiDeleteVad(x,x,x)+988p ...

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, large fs:20h
		xor	ebx, ebx
		test	ds:byte_70EFC6,	1
		mov	al, dl
		push	edi
		mov	[ebp+var_2], al
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ebx
		jz	short loc_689A54
		rdtsc
		mov	ebx, eax
		mov	[ebp+var_8], edx
		mov	eax, [esi+4A0h]
		mov	[ebp+var_8], eax
		mov	al, [ebp+var_2]
		mov	[ebp+var_1], 1
		jmp	short loc_689A5A
; 

loc_689A54:				; CODE XREF: ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)+26j
		mov	[ebp+var_1], bl
		mov	[ebp+var_8], ebx

loc_689A5A:				; CODE XREF: ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)+3Fj
		inc	dword ptr [esi+40A0h]
		mov	dl, al
		call	ExpAcquireSpinLockExclusive
		mov	edi, eax
		test	edi, edi
		jz	short loc_689A79
		inc	dword ptr [esi+40A4h]
		add	[esi+40A8h], edi

loc_689A79:				; CODE XREF: ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)+58j
		cmp	[ebp+var_1], 0
		jz	short loc_689A97
		push	3
		push	[ebp+var_8]
		rdtsc
		mov	ecx, edx
		mov	edx, eax
		push	edi
		push	ecx
		mov	ecx, [ebp+var_10]
		sub	edx, ebx
		push	eax
		call	@PerfLogSpinLockAcquire@28 ; PerfLogSpinLockAcquire(x,x,x,x,x,x,x)

loc_689A97:				; CODE XREF: ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented(x,x)+6Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@ExpAcquireSpinLockExclusiveAtDpcLevelInstrumented@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x, x)
@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 proc near
					; CODE XREF: MiCountSharedPages(x,x,x)+7Ep
					; .text:00452E73p ...

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, large fs:20h
		xor	ebx, ebx
		test	ds:byte_70EFC6,	1
		push	edi
		mov	[ebp+var_2], dl
		mov	edi, ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		jz	short loc_689ADB
		rdtsc
		mov	[ebp+var_10], eax
		mov	eax, [esi+4A0h]
		mov	[ebp+var_8], edx
		mov	[ebp+var_1], 1
		mov	[ebp+var_8], eax
		jmp	short loc_689AE1
; 

loc_689ADB:				; CODE XREF: ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)+26j
		mov	[ebp+var_1], bl
		mov	[ebp+var_8], ebx

loc_689AE1:				; CODE XREF: ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)+3Dj
		inc	dword ptr [esi+40A0h]
		call	_ExpTryAcquireSpinLockShared@4 ; ExpTryAcquireSpinLockShared(x)
		test	al, al
		jnz	short loc_689B06
		mov	dl, [ebp+var_2]
		call	ExpWaitForSpinLockSharedAndAcquire
		inc	dword ptr [esi+40A4h]
		mov	ebx, eax
		add	[esi+40A8h], ebx

loc_689B06:				; CODE XREF: ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)+52j
		cmp	[ebp+var_1], 0
		jz	short loc_689B24
		push	2
		push	[ebp+var_8]
		rdtsc
		mov	ecx, edx
		mov	edx, eax
		sub	edx, [ebp+var_10]
		push	ebx
		push	ecx
		push	eax
		mov	ecx, edi
		call	@PerfLogSpinLockAcquire@28 ; PerfLogSpinLockAcquire(x,x,x,x,x,x,x)

loc_689B24:				; CODE XREF: ExpAcquireSpinLockSharedAtDpcLevelInstrumented(x,x)+6Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@ExpAcquireSpinLockSharedAtDpcLevelInstrumented@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented(x, x)
@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 proc near
					; CODE XREF: MiDeleteVad(x,x,x)+2E0p
					; MiDeleteVad(x,x,x)+C74p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, edx
		mov	dword ptr [ecx], 0
		rdtsc
		push	edx
		push	eax
		mov	edx, esi
		call	@PerfLogSpinLockRelease@16 ; PerfLogSpinLockRelease(x,x,x,x)
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
@ExpReleaseSpinLockExclusiveFromDpcLevelInstrumented@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExpReleaseSpinLockSharedFromDpcLevelInstrumented(x, x)
@ExpReleaseSpinLockSharedFromDpcLevelInstrumented@8 proc near
					; CODE XREF: ObReferenceObjectExWithTag+BF257p
					; MiOffsetToProtos+154B40p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, 0BFFFFFFFh
		rdtsc
		lock and [ecx],	edi
		lock dec dword ptr [ecx]
		push	edx
		push	eax
		mov	edx, esi
		call	@PerfLogSpinLockRelease@16 ; PerfLogSpinLockRelease(x,x,x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
@ExpReleaseSpinLockSharedFromDpcLevelInstrumented@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExpTryAcquireSpinLockExclusiveAtDpcLevelInstrumented(x)
@ExpTryAcquireSpinLockExclusiveAtDpcLevelInstrumented@4	proc near
					; CODE XREF: ExTryAcquireSpinLockExclusiveAtDpcLevel(x):loc_4DA5C5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, large fs:20h
		test	ds:byte_70EFC6,	1
		push	edi
		mov	[ebp+var_8], ecx
		jz	short loc_689BA4
		mov	edi, [esi+4A0h]
		mov	bl, 1
		rdtsc
		mov	[ebp+var_4], eax
		jmp	short loc_689BA8
; 

loc_689BA4:				; CODE XREF: ExpTryAcquireSpinLockExclusiveAtDpcLevelInstrumented(x)+20j
		xor	bl, bl
		xor	edi, edi

loc_689BA8:				; CODE XREF: ExpTryAcquireSpinLockExclusiveAtDpcLevelInstrumented(x)+2Fj
		mov	edx, [ebp+var_8]
		mov	ecx, 80000000h
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_689BBE
		xor	eax, eax
		jmp	short loc_689BE3
; 

loc_689BBE:				; CODE XREF: ExpTryAcquireSpinLockExclusiveAtDpcLevelInstrumented(x)+45j
		inc	dword ptr [esi+40A0h]
		test	bl, bl
		jz	short loc_689BE0
		push	3
		rdtsc
		push	edi
		mov	ecx, edx
		mov	edx, eax
		sub	edx, [ebp+var_4]
		push	0
		push	ecx
		mov	ecx, [ebp+var_8]
		push	eax
		call	@PerfLogSpinLockAcquire@28 ; PerfLogSpinLockAcquire(x,x,x,x,x,x,x)

loc_689BE0:				; CODE XREF: ExpTryAcquireSpinLockExclusiveAtDpcLevelInstrumented(x)+53j
		xor	eax, eax
		inc	eax

loc_689BE3:				; CODE XREF: ExpTryAcquireSpinLockExclusiveAtDpcLevelInstrumented(x)+49j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@ExpTryAcquireSpinLockExclusiveAtDpcLevelInstrumented@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExpTryAcquireSpinLockSharedAtDpcLevelInstrumented(x)
@ExpTryAcquireSpinLockSharedAtDpcLevelInstrumented@4 proc near
					; CODE XREF: ExTryAcquireSpinLockSharedAtDpcLevel(x)+11p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, large fs:20h
		test	ds:byte_70EFC6,	1
		push	edi
		mov	[ebp+var_8], ecx
		jz	short loc_689C19
		mov	edi, [esi+4A0h]
		mov	bl, 1
		rdtsc
		mov	[ebp+var_4], eax
		jmp	short loc_689C1D
; 

loc_689C19:				; CODE XREF: ExpTryAcquireSpinLockSharedAtDpcLevelInstrumented(x)+20j
		xor	bl, bl
		xor	edi, edi

loc_689C1D:				; CODE XREF: ExpTryAcquireSpinLockSharedAtDpcLevelInstrumented(x)+2Fj
		call	_ExpTryAcquireSpinLockShared@4 ; ExpTryAcquireSpinLockShared(x)
		test	al, al
		jnz	short loc_689C2A
		xor	eax, eax
		jmp	short loc_689C4F
; 

loc_689C2A:				; CODE XREF: ExpTryAcquireSpinLockSharedAtDpcLevelInstrumented(x)+3Cj
		inc	dword ptr [esi+40A0h]
		test	bl, bl
		jz	short loc_689C4C
		push	2
		rdtsc
		push	edi
		mov	ecx, edx
		mov	edx, eax
		sub	edx, [ebp+var_4]
		push	0
		push	ecx
		mov	ecx, [ebp+var_8]
		push	eax
		call	@PerfLogSpinLockAcquire@28 ; PerfLogSpinLockAcquire(x,x,x,x,x,x,x)

loc_689C4C:				; CODE XREF: ExpTryAcquireSpinLockSharedAtDpcLevelInstrumented(x)+4Aj
		xor	eax, eax
		inc	eax

loc_689C4F:				; CODE XREF: ExpTryAcquireSpinLockSharedAtDpcLevelInstrumented(x)+40j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@ExpTryAcquireSpinLockSharedAtDpcLevelInstrumented@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 446. ExTryAcquireSpinLockSharedAtDpcLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExTryAcquireSpinLockSharedAtDpcLevel(x)
		public _ExTryAcquireSpinLockSharedAtDpcLevel@4
_ExTryAcquireSpinLockSharedAtDpcLevel@4	proc near
					; CODE XREF: MmReadProcessPageTables(x)+3Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ds:byte_70EFC6,	21h
		mov	ecx, [ebp+arg_0]
		jz	short loc_689C71
		call	@ExpTryAcquireSpinLockSharedAtDpcLevelInstrumented@4 ; ExpTryAcquireSpinLockSharedAtDpcLevelInstrumented(x)
		jmp	short loc_689C79
; 

loc_689C71:				; CODE XREF: ExTryAcquireSpinLockSharedAtDpcLevel(x)+Fj
		call	_ExpTryAcquireSpinLockShared@4 ; ExpTryAcquireSpinLockShared(x)
		movzx	eax, al

loc_689C79:				; CODE XREF: ExTryAcquireSpinLockSharedAtDpcLevel(x)+16j
		pop	ebp
		retn	4
_ExTryAcquireSpinLockSharedAtDpcLevel@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTryConvertSharedSpinLockExclusiveInstrumented(x,	x)
_ExpTryConvertSharedSpinLockExclusiveInstrumented@8 proc near
					; CODE XREF: KiAbEntryGetLockedHeadEntry+634p
					; ExTryConvertSharedSpinLockExclusive+8CDDBp

var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, large fs:20h
		push	edi
		mov	edi, ecx
		mov	[esp+28h+var_4], edx
		xor	ecx, ecx
		test	ds:byte_70EFC6,	1
		mov	[esp+28h+var_8], ecx
		jz	short loc_689CBE
		rdtsc
		mov	[esp+28h+var_8], eax
		mov	eax, [esi+4A0h]
		mov	[esp+28h+var_15], 1
		mov	[esp+28h+var_10], eax
		jmp	short loc_689CC6
; 

loc_689CBE:				; CODE XREF: ExpTryConvertSharedSpinLockExclusiveInstrumented(x,x)+28j
		mov	[esp+28h+var_15], cl
		mov	[esp+28h+var_10], ecx

loc_689CC6:				; CODE XREF: ExpTryConvertSharedSpinLockExclusiveInstrumented(x,x)+3Fj
		lock bts dword ptr [edi], 1Fh
		jb	loc_689D60
		inc	dword ptr [esi+40A0h]
		mov	edx, [edi]
		mov	eax, edx
		and	eax, 0BFFFFFFFh
		mov	[esp+28h+var_14], ecx
		cmp	eax, 80000001h
		jz	short loc_689D1B
		mov	ebx, 40000000h

loc_689CF0:				; CODE XREF: ExpTryConvertSharedSpinLockExclusiveInstrumented(x,x)+9Cj
		test	edx, ebx
		jnz	short loc_689D02
		mov	ecx, edx
		mov	eax, edx
		or	ecx, ebx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_689D0D

loc_689D02:				; CODE XREF: ExpTryConvertSharedSpinLockExclusiveInstrumented(x,x)+75j
		lea	ecx, [esp+28h+var_14]
		call	KeYieldProcessorEx
		mov	eax, [edi]

loc_689D0D:				; CODE XREF: ExpTryConvertSharedSpinLockExclusiveInstrumented(x,x)+83j
		mov	edx, eax
		and	eax, 0BFFFFFFFh
		cmp	eax, 80000001h
		jnz	short loc_689CF0

loc_689D1B:				; CODE XREF: ExpTryConvertSharedSpinLockExclusiveInstrumented(x,x)+6Cj
		mov	ebx, [esp+28h+var_14]
		inc	dword ptr [esi+40A4h]
		add	[esi+40A8h], ebx
		cmp	[esp+28h+var_15], 0
		jz	short loc_689D5B
		rdtsc
		push	edx
		mov	edx, [esp+2Ch+var_4]
		mov	ecx, edi
		push	eax
		call	@PerfLogSpinLockRelease@16 ; PerfLogSpinLockRelease(x,x,x,x)
		push	4
		push	[esp+2Ch+var_10]
		rdtsc
		mov	ecx, edx
		mov	edx, eax
		sub	edx, [esp+30h+var_8]
		push	ebx
		push	ecx
		push	eax
		mov	ecx, edi
		call	@PerfLogSpinLockAcquire@28 ; PerfLogSpinLockAcquire(x,x,x,x,x,x,x)

loc_689D5B:				; CODE XREF: ExpTryConvertSharedSpinLockExclusiveInstrumented(x,x)+B3j
		xor	eax, eax
		inc	eax
		jmp	short loc_689D62
; 

loc_689D60:				; CODE XREF: ExpTryConvertSharedSpinLockExclusiveInstrumented(x,x)+4Ej
		xor	eax, eax

loc_689D62:				; CODE XREF: ExpTryConvertSharedSpinLockExclusiveInstrumented(x,x)+E1j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_ExpTryConvertSharedSpinLockExclusiveInstrumented@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry   3.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExAllocateTimerInternal(x, x, x)
		public _ExAllocateTimerInternal@12
_ExAllocateTimerInternal@12 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	[ebp+arg_8], 2
		push	dword ptr [ebp+arg_8]
		jz	short loc_689D90
		xor	eax, eax
		inc	eax
		mov	word ptr [ebp+var_4], ax
		xor	eax, eax
		mov	word ptr [ebp+var_4+2],	ax
		lea	eax, [ebp+var_4]
		push	eax
		jmp	short loc_689D92
; 

loc_689D90:				; CODE XREF: ExAllocateTimerInternal(x,x,x)+Dj
		push	0

loc_689D92:				; CODE XREF: ExAllocateTimerInternal(x,x,x)+20j
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ExAllocateTimerInternal2
		leave
		retn	0Ch
_ExAllocateTimerInternal@12 endp


;  S U B	R O U T	I N E 


; __stdcall ExCopyWakeTimerInfo(x, x)
_ExCopyWakeTimerInfo@8 proc near	; CODE XREF: PopHandleWakeSources+71A3p
		mov	eax, large fs:20h
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+338h]
		mov	esi, ecx
		push	0
		xor	ecx, ecx
		mov	ebx, edx
		inc	ecx
		movzx	eax, word ptr [eax+8Ah]
		mov	edx, [esi]
		or	eax, 80000000h
		push	eax
		push	53577254h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jnz	short loc_689DDF
		mov	eax, 0C000009Ah
		jmp	short loc_689DEF
; 

loc_689DDF:				; CODE XREF: ExCopyWakeTimerInfo(x,x)+35j
		push	dword ptr [esi]	; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebx], edi
		xor	eax, eax

loc_689DEF:				; CODE XREF: ExCopyWakeTimerInfo(x,x)+3Cj
		pop	edi
		pop	esi
		pop	ebx
		retn
_ExCopyWakeTimerInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExDeleteWakeTimerInfo(x)
_ExDeleteWakeTimerInfo@4 proc near	; CODE XREF: PAGELK:0071F24Ap
					; PopFreeWakeSource(x)+21p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		call	ExFreeHeapPool
		mov	esp, ebp
		pop	ebp
		retn
_ExDeleteWakeTimerInfo@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExGetNextWakeTimeForDeepSleep()
_ExGetNextWakeTimeForDeepSleep@0 proc near
					; CODE XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x):loc_592180p
		mov	edi, edi
		push	ebx
		push	esi
		or	esi, 0FFFFFFFFh
		cmp	ds:_PoRtcWakeAllowed, 0
		mov	ebx, esi
		mov	eax, esi
		mov	edx, esi
		jz	short loc_689E5C
		push	edi
		mov	edi, ds:_ExpWakeTimerList
		jmp	short loc_689E4F
; 

loc_689E23:				; CODE XREF: ExGetNextWakeTimeForDeepSleep()+51j
		lea	ecx, [edi-94h]
		mov	edi, [edi]
		cmp	dword ptr [ecx+90h], 0
		jz	short loc_689E39
		call	_KeQueryTimerDueTime@4 ; KeQueryTimerDueTime(x)

loc_689E39:				; CODE XREF: ExGetNextWakeTimeForDeepSleep()+2Ej
		test	edx, edx
		jnz	short loc_689E41
		test	eax, eax
		jz	short loc_689E4F

loc_689E41:				; CODE XREF: ExGetNextWakeTimeForDeepSleep()+37j
		cmp	edx, ebx
		ja	short loc_689E4F
		jb	short loc_689E4B
		cmp	eax, esi
		jnb	short loc_689E4F

loc_689E4B:				; CODE XREF: ExGetNextWakeTimeForDeepSleep()+41j
		mov	esi, eax
		mov	ebx, edx

loc_689E4F:				; CODE XREF: ExGetNextWakeTimeForDeepSleep()+1Dj
					; ExGetNextWakeTimeForDeepSleep()+3Bj ...
		cmp	edi, offset _ExpWakeTimerList
		jnz	short loc_689E23
		mov	eax, esi
		mov	edx, ebx
		pop	edi

loc_689E5C:				; CODE XREF: ExGetNextWakeTimeForDeepSleep()+14j
		pop	esi
		pop	ebx
		retn
_ExGetNextWakeTimeForDeepSleep@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExGetWakeTimerList(x, x)
_ExGetWakeTimerList@8 proc near		; CODE XREF: NtPowerInformation+172386p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, large fs:124h
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_58], edx
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_4C], edi
		mov	[ebp+var_54], ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_4C], eax
		nop
		mov	ecx, offset _ExpWakeTimerLock
		mov	[ebp+var_3C], edi
		mov	eax, ecx
		mov	[ebp+var_30], 0FFFFFFFFh
		and	eax, 7FFFFFFCh
		mov	[ebp+var_2C], eax
		jz	loc_689FDB
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_689EE5
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		mov	eax, offset _ExpWakeTimerLock
		push	eax
		push	esi
		push	192h

loc_689EE0:				; CODE XREF: ExGetWakeTimerList(x,x)+43Bj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_689EE5:				; CODE XREF: ExGetWakeTimerList(x,x)+68j
		mov	dl, [esi+1E4h]
		mov	[ebp+var_38], edi
		test	dl, dl
		jnz	short loc_689F08
		lea	ecx, [esi+222h]
		cmp	[ecx], dl
		jz	short loc_689F34
		xor	al, al
		xchg	al, [ecx]
		mov	dl, [esi+1E4h]
		or	dl, al

loc_689F08:				; CODE XREF: ExGetWakeTimerList(x,x)+91j
		movzx	eax, dl
		bsf	ecx, eax
		mov	al, 1
		shl	al, cl
		imul	edi, ecx, 30h
		not	al
		and	al, dl
		mov	[ebp+var_38], ecx
		mov	[esi+1E4h], al
		add	edi, [esi+1E8h]
		jnz	short loc_689F4E

loc_689F2A:				; CODE XREF: ExGetWakeTimerList(x,x)+DFj
					; ExGetWakeTimerList(x,x)+EDj
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_689F99
; 

loc_689F34:				; CODE XREF: ExGetWakeTimerList(x,x)+9Bj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_689F2A
		mov	edx, offset _ExpWakeTimerLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_689F2A
; 

loc_689F4E:				; CODE XREF: ExGetWakeTimerList(x,x)+C9j
		mov	edx, ds:dword_6D07D0
		mov	eax, offset _ExpWakeTimerLock
		mov	ecx, eax
		shr	ecx, 15h
		cmp	edx, eax
		ja	short loc_689F7F
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_689F84
		mov	eax, offset _ExpWakeTimerLock
		cmp	edx, eax
		ja	short loc_689F7F
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_689F84

loc_689F7F:				; CODE XREF: ExGetWakeTimerList(x,x)+101j
					; ExGetWakeTimerList(x,x)+115j
		or	eax, 0FFFFFFFFh
		jmp	short loc_689F8F
; 

loc_689F84:				; CODE XREF: ExGetWakeTimerList(x,x)+10Cj
					; ExGetWakeTimerList(x,x)+11Ej
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_689F8F:				; CODE XREF: ExGetWakeTimerList(x,x)+123j
		mov	[edi+14h], eax
		nop
		mov	eax, [ebp+var_2C]
		mov	[edi+10h], eax

loc_689F99:				; CODE XREF: ExGetWakeTimerList(x,x)+D3j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_3C]
		push	eax
		mov	edx, offset _ExpWakeTimerLock
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_689FD6
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_689FD6
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_689FD6:				; CODE XREF: ExGetWakeTimerList(x,x)+168j
					; ExGetWakeTimerList(x,x)+170j
		mov	ecx, offset _ExpWakeTimerLock

loc_689FDB:				; CODE XREF: ExGetWakeTimerList(x,x)+45j
		lock bts dword ptr [ecx], 0
		jnb	short loc_689FEA
		push	ecx
		mov	edx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_689FEA:				; CODE XREF: ExGetWakeTimerList(x,x)+181j
		test	edi, edi
		jz	short loc_689FF2
		or	byte ptr [edi+0Eh], 1

loc_689FF2:				; CODE XREF: ExGetWakeTimerList(x,x)+18Dj
		mov	esi, ds:_ExpWakeTimerList
		mov	edi, offset _ExpWakeTimerList
		push	30h
		pop	eax
		cmp	esi, edi
		jz	short loc_68A03C

loc_68A004:				; CODE XREF: ExGetWakeTimerList(x,x)+1D4j
		mov	ecx, [esi-4]
		test	ecx, ecx
		jz	short loc_68A02C
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		push	ecx
		push	eax
		xor	edx, edx
		call	PoStoreDiagnosticContext
		mov	ecx, [ebp+var_C]
		add	ecx, 1Bh
		add	ecx, [ebp+var_8]
		and	ecx, 0FFFFFFF8h
		mov	[ebp+var_C], ecx
		jmp	short loc_68A02F
; 

loc_68A02C:				; CODE XREF: ExGetWakeTimerList(x,x)+1AAj
		mov	ecx, [ebp+var_C]

loc_68A02F:				; CODE XREF: ExGetWakeTimerList(x,x)+1CBj
		mov	esi, [esi]
		cmp	esi, edi
		jnz	short loc_68A004
		test	ecx, ecx
		jnz	short loc_68A041
		push	30h
		pop	eax

loc_68A03C:				; CODE XREF: ExGetWakeTimerList(x,x)+1A3j
		mov	ecx, eax
		mov	[ebp+var_C], ecx

loc_68A041:				; CODE XREF: ExGetWakeTimerList(x,x)+1D8j
		push	734C6B57h
		push	ecx
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	[ebp+var_34], eax
		test	eax, eax
		jnz	short loc_68A061
		mov	[ebp+var_10], 0C000009Ah
		jmp	loc_68A1D7
; 

loc_68A061:				; CODE XREF: ExGetWakeTimerList(x,x)+1F4j
		push	[ebp+var_C]	; size_t
		and	[ebp+var_10], 0
		mov	edi, eax
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_24], edi
		call	_memset
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		mov	ecx, ds:_ExpWakeTimerList
		xor	esi, esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_14], eax
		jmp	loc_68A1B8
; 

loc_68A08E:				; CODE XREF: ExGetWakeTimerList(x,x)+362j
		cmp	eax, 30h
		jb	loc_68A29F
		lea	eax, [ecx-94h]
		mov	[ebp+var_1C], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al
		mov	eax, [ebp+var_1C]
		add	eax, 28h
		mov	ecx, eax
		mov	[ebp+var_20], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax+90h]
		mov	edx, [eax+84h]
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], edx
		test	ecx, ecx
		jnz	short loc_68A0DA
		and	[ebp+var_18], ecx
		and	[ebp+var_1C], ecx
		jmp	short loc_68A0E7
; 

loc_68A0DA:				; CODE XREF: ExGetWakeTimerList(x,x)+271j
		mov	ecx, eax
		call	_KeQueryTimerDueTime@4 ; KeQueryTimerDueTime(x)
		mov	[ebp+var_18], eax
		mov	[ebp+var_1C], edx

loc_68A0E7:				; CODE XREF: ExGetWakeTimerList(x,x)+279j
		test	ds:byte_70EFC6,	1
		mov	ecx, [ebp+var_20]
		jz	short loc_68A100
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	esi, [ebp+var_8]
		jmp	short loc_68A105
; 

loc_68A100:				; CODE XREF: ExGetWakeTimerList(x,x)+292j
		xor	eax, eax
		lock and [ecx],	eax

loc_68A105:				; CODE XREF: ExGetWakeTimerList(x,x)+29Fj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_18]
		mov	eax, edx
		or	eax, [ebp+var_1C]
		jz	loc_68A1B0
		mov	eax, ds:0FFDF000Ch
		and	[ebp+var_40], 0
		mov	ecx, ds:0FFDF0008h
		cmp	eax, ds:0FFDF0010h
		jz	short loc_68A156
		mov	esi, 0FFDF000Ch
		lea	edi, [esi-4]

loc_68A13B:				; CODE XREF: ExGetWakeTimerList(x,x)+2EFj
		lea	ecx, [ebp+var_40]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		mov	edx, 0FFDF0010h
		mov	ecx, [edi]
		cmp	eax, [edx]
		jnz	short loc_68A13B
		mov	edi, [ebp+var_24]
		mov	edx, [ebp+var_18]

loc_68A156:				; CODE XREF: ExGetWakeTimerList(x,x)+2D2j
		sub	edx, ecx
		mov	ecx, [ebp+var_1C]
		mov	[edi+8], edx
		lea	edx, [edi+14h]
		sbb	ecx, eax
		mov	eax, [ebp+var_44]
		mov	[edi+10h], eax
		mov	eax, [ebp+var_14]
		add	eax, 0FFFFFFECh
		mov	[edi+0Ch], ecx
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	ecx
		mov	ecx, [ebp+var_48]
		push	eax
		call	PoStoreDiagnosticContext
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		js	short loc_68A1D7
		mov	esi, [ebp+var_8]
		mov	eax, [ebp+var_14]
		add	esi, 1Bh
		and	esi, 0FFFFFFF8h
		mov	[ebp+var_8], esi
		cmp	eax, esi
		jb	loc_68A29F
		sub	eax, esi
		mov	[edi], esi
		add	edi, esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_24], edi
		jmp	short loc_68A1B3
; 

loc_68A1B0:				; CODE XREF: ExGetWakeTimerList(x,x)+2B7j
		mov	eax, [ebp+var_14]

loc_68A1B3:				; CODE XREF: ExGetWakeTimerList(x,x)+34Fj
		mov	ecx, [ebp+var_28]
		mov	ecx, [ecx]

loc_68A1B8:				; CODE XREF: ExGetWakeTimerList(x,x)+22Aj
		mov	[ebp+var_28], ecx
		cmp	ecx, offset _ExpWakeTimerList
		jnz	loc_68A08E
		sub	edi, esi
		xor	eax, eax
		mov	[edi], eax
		test	esi, esi
		jnz	short loc_68A1D7
		mov	[edi+8], eax
		mov	[edi+0Ch], eax

loc_68A1D7:				; CODE XREF: ExGetWakeTimerList(x,x)+1FDj
					; ExGetWakeTimerList(x,x)+32Aj	...
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _ExpWakeTimerLock
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_68A1F8
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _ExpWakeTimerLock

loc_68A1F8:				; CODE XREF: ExGetWakeTimerList(x,x)+38Aj
		xor	edi, edi
		mov	[ebp+var_28], edi
		cmp	[ebp+var_2C], edi
		jz	loc_68A3A6
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	ecx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_44], esi
		cmp	ecx, offset _ExpWakeTimerLock
		ja	short loc_68A24D
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68A23D
		cmp	ecx, offset _ExpWakeTimerLock
		ja	short loc_68A24D
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_68A24D

loc_68A23D:				; CODE XREF: ExGetWakeTimerList(x,x)+3CBj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_30], edx

loc_68A24D:				; CODE XREF: ExGetWakeTimerList(x,x)+3C2j
					; ExGetWakeTimerList(x,x)+3D3j	...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _ExpWakeTimerLock
		mov	[ebp+var_1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_48], ecx
		test	ecx, ecx
		jnz	short loc_68A2AB
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_68A31D
		mov	eax, [ebp+var_30]
		push	ecx
		push	eax
		mov	eax, offset _ExpWakeTimerLock
		push	eax
		push	esi
		push	162h
		jmp	loc_689EE0
; 

loc_68A29F:				; CODE XREF: ExGetWakeTimerList(x,x)+232j
					; ExGetWakeTimerList(x,x)+33Dj
		mov	[ebp+var_10], 0C0000023h
		jmp	loc_68A1D7
; 

loc_68A2AB:				; CODE XREF: ExGetWakeTimerList(x,x)+41Aj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_68A2C1
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_48]

loc_68A2C1:				; CODE XREF: ExGetWakeTimerList(x,x)+458j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_28], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_1], 1
		mov	edx, eax
		jnz	short loc_68A30B
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_68A31D
; 

loc_68A30B:				; CODE XREF: ExGetWakeTimerList(x,x)+498j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_44]

loc_68A31D:				; CODE XREF: ExGetWakeTimerList(x,x)+424j
					; ExGetWakeTimerList(x,x)+4AAj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_48], eax
		jz	short loc_68A380
		test	edi, 8000h
		jz	short loc_68A341
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68A341:				; CODE XREF: ExGetWakeTimerList(x,x)+4D7j
		test	byte ptr [ebp+var_28+2], 1
		jz	short loc_68A351
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68A351:				; CODE XREF: ExGetWakeTimerList(x,x)+4E6j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_68A365
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_68A365:				; CODE XREF: ExGetWakeTimerList(x,x)+4F9j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68A380
		push	[ebp+var_48]
		mov	edx, offset _ExpWakeTimerLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_68A380:				; CODE XREF: ExGetWakeTimerList(x,x)+4CFj
					; ExGetWakeTimerList(x,x)+510j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_68A3A6
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68A3A6
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68A3A6:				; CODE XREF: ExGetWakeTimerList(x,x)+3A1j
					; ExGetWakeTimerList(x,x)+538j	...
		mov	ecx, [ebp+var_4C]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, [ebp+var_10]
		mov	eax, [ebp+var_34]
		test	esi, esi
		jns	short loc_68A3C9
		test	eax, eax
		jz	short loc_68A3D6
		push	734C6B57h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_68A3D6
; 

loc_68A3C9:				; CODE XREF: ExGetWakeTimerList(x,x)+557j
		mov	ecx, [ebp+var_54]
		mov	[ecx], eax
		mov	ecx, [ebp+var_58]
		mov	eax, [ebp+var_C]
		mov	[ecx], eax

loc_68A3D6:				; CODE XREF: ExGetWakeTimerList(x,x)+55Bj
					; ExGetWakeTimerList(x,x)+568j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_ExGetWakeTimerList@8 endp


;  S U B	R O U T	I N E 


; __stdcall ExRecordOneTimerExpiry(x, x, x, x)
_ExRecordOneTimerExpiry@16 proc	near	; CODE XREF: KeResumeClockTimerFromIdle+12B497p
		mov	edi, edi
		push	edi
		mov	edi, ds:_ExpIRTimerExpiryCounts
		mov	al, dl
		test	edi, edi
		jz	short loc_68A432
		cmp	cl, 10h
		push	ebx
		sbb	bl, bl
		and	bl, cl
		cmp	cl, 10h
		push	esi
		sbb	dl, dl
		and	dl, al
		movzx	eax, bl
		imul	eax, 0Ch
		mov	cl, ds:byte_403D40[eax]
		cmp	dl, cl
		sbb	al, al
		and	al, dl
		cmp	dl, cl
		movzx	esi, al
		sbb	al, al
		and	al, bl
		movzx	edx, al
		jz	short loc_68A42D
		mov	ecx, offset byte_403D40

loc_68A420:				; CODE XREF: ExRecordOneTimerExpiry(x,x,x,x)+4Fj
		movzx	eax, byte ptr [ecx]
		lea	ecx, [ecx+0Ch]
		add	esi, eax
		sub	edx, 1
		jnz	short loc_68A420

loc_68A42D:				; CODE XREF: ExRecordOneTimerExpiry(x,x,x,x)+3Dj
		inc	dword ptr [edi+esi*4]
		pop	esi
		pop	ebx

loc_68A432:				; CODE XREF: ExRecordOneTimerExpiry(x,x,x,x)+Dj
		pop	edi
		retn	8
_ExRecordOneTimerExpiry@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCalcAdjustedDueTime(x, x, x, x, x, x, x,	x, x)
_ExpCalcAdjustedDueTime@36 proc	near	; CODE XREF: ExpTimerAdjust(x,x,x,x,x,x,x,x)+60p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	edx, edx
		xor	esi, esi
		cmp	ecx, 1
		jz	short loc_68A486
		lea	eax, [ecx-2]
		cmp	eax, 1
		ja	short loc_68A4AE
		mov	eax, [ebp+arg_18]
		sub	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_1C]
		mov	edx, eax
		sbb	ecx, [ebp+arg_4]
		sub	edx, [ebp+arg_8]
		mov	esi, ecx
		sbb	esi, [ebp+arg_C]
		js	short loc_68A4AE
		jg	short loc_68A46B
		test	edx, edx
		jz	short loc_68A4AE

loc_68A46B:				; CODE XREF: ExpCalcAdjustedDueTime(x,x,x,x,x,x,x,x,x)+2Fj
		cmp	[ebp+arg_C], 0
		jl	short loc_68A47F
		jg	short loc_68A479
		cmp	[ebp+arg_8], 0
		jbe	short loc_68A47F

loc_68A479:				; CODE XREF: ExpCalcAdjustedDueTime(x,x,x,x,x,x,x,x,x)+3Bj
		mov	edx, eax
		mov	esi, ecx
		jmp	short loc_68A4AE
; 

loc_68A47F:				; CODE XREF: ExpCalcAdjustedDueTime(x,x,x,x,x,x,x,x,x)+39j
					; ExpCalcAdjustedDueTime(x,x,x,x,x,x,x,x,x)+41j
		or	edx, 0FFFFFFFFh
		mov	esi, edx
		jmp	short loc_68A4AE
; 

loc_68A486:				; CODE XREF: ExpCalcAdjustedDueTime(x,x,x,x,x,x,x,x,x)+Dj
		mov	edx, [ebp+arg_0]
		sub	edx, [ebp+arg_18]
		mov	esi, [ebp+arg_4]
		sbb	esi, [ebp+arg_1C]
		add	edx, [ebp+arg_8]
		adc	esi, [ebp+arg_C]
		add	edx, [ebp+arg_10]
		adc	esi, [ebp+arg_14]
		test	esi, esi
		jg	short loc_68A4AE
		jl	short loc_68A4A8
		test	edx, edx
		jnb	short loc_68A4AE

loc_68A4A8:				; CODE XREF: ExpCalcAdjustedDueTime(x,x,x,x,x,x,x,x,x)+6Cj
		mov	edx, [ebp+arg_10]
		mov	esi, [ebp+arg_14]

loc_68A4AE:				; CODE XREF: ExpCalcAdjustedDueTime(x,x,x,x,x,x,x,x,x)+15j
					; ExpCalcAdjustedDueTime(x,x,x,x,x,x,x,x,x)+2Dj ...
		mov	eax, edx
		mov	edx, esi
		pop	esi
		pop	ebp
		retn	20h
_ExpCalcAdjustedDueTime@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCalcDueTimeWithDelay(x, x)
_ExpCalcDueTimeWithDelay@8 proc	near	; CODE XREF: .text:005F2B9Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		mov	eax, [ecx]
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		mov	edx, [ecx+4]
		mov	esi, eax
		push	edi
		mov	edi, edx
		test	edi, edi
		jg	short loc_68A4F5
		jl	short loc_68A4E2
		test	esi, esi
		jnb	short loc_68A4F5

loc_68A4E2:				; CODE XREF: ExpCalcDueTimeWithDelay(x,x)+25j
		sub	esi, ebx
		sbb	edi, 0
		cmp	edi, edx
		jl	short loc_68A532
		jg	short loc_68A4F1
		cmp	esi, eax
		jbe	short loc_68A532

loc_68A4F1:				; CODE XREF: ExpCalcDueTimeWithDelay(x,x)+34j
		mov	edi, edx
		jmp	short loc_68A530
; 

loc_68A4F5:				; CODE XREF: ExpCalcDueTimeWithDelay(x,x)+23j
					; ExpCalcDueTimeWithDelay(x,x)+29j
		lea	eax, [ebp+var_C]
		push	eax
		call	KeQuerySystemTime
		cmp	edi, [ebp+var_8]
		ja	short loc_68A517
		jb	short loc_68A50A
		cmp	esi, [ebp+var_C]
		ja	short loc_68A517

loc_68A50A:				; CODE XREF: ExpCalcDueTimeWithDelay(x,x)+4Cj
		mov	esi, ebx
		add	esi, [ebp+var_C]
		push	0
		pop	edi
		adc	edi, [ebp+var_8]
		jmp	short loc_68A51C
; 

loc_68A517:				; CODE XREF: ExpCalcDueTimeWithDelay(x,x)+4Aj
					; ExpCalcDueTimeWithDelay(x,x)+51j
		add	esi, ebx
		adc	edi, 0

loc_68A51C:				; CODE XREF: ExpCalcDueTimeWithDelay(x,x)+5Ej
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		cmp	edi, ecx
		jg	short loc_68A532
		jl	short loc_68A52E
		cmp	esi, eax
		jnb	short loc_68A532

loc_68A52E:				; CODE XREF: ExpCalcDueTimeWithDelay(x,x)+71j
		mov	edi, ecx

loc_68A530:				; CODE XREF: ExpCalcDueTimeWithDelay(x,x)+3Cj
		mov	esi, eax

loc_68A532:				; CODE XREF: ExpCalcDueTimeWithDelay(x,x)+32j
					; ExpCalcDueTimeWithDelay(x,x)+38j ...
		mov	edx, edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpCalcDueTimeWithDelay@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTimerAdjust(x, x, x, x, x, x, x,	x)
_ExpTimerAdjust@32 proc	near		; CODE XREF: PspSetProcessTimerDelayForKTimers(x)+17Bp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		xor	eax, eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		lea	ebx, [esi+28h]
		mov	[ebp+var_8], eax
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	eax, [esi+0B8h]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_14]
		call	_KeCancelTimerInternal@16 ; KeCancelTimerInternal(x,x,x,x)
		mov	[ebp+var_1], al
		test	al, al
		jz	loc_68A61B
		push	edi
		push	[ebp+arg_14]
		mov	ecx, [ebp+var_8]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	[ebp+var_10]
		push	[ebp+var_14]
		call	_ExpCalcAdjustedDueTime@36 ; ExpCalcAdjustedDueTime(x,x,x,x,x,x,x,x,x)
		mov	edi, [esi+84h]
		mov	ecx, [esi+88h]
		mov	[ebp+arg_14], eax
		mov	[ebp+arg_C], edx
		test	edi, edi
		jz	short loc_68A5E3
		test	ecx, ecx
		jz	short loc_68A5BC
		sub	edi, ecx

loc_68A5BC:				; CODE XREF: ExpTimerAdjust(x,x,x,x,x,x,x,x)+7Dj
		mov	eax, [ebp+var_C]
		xor	edx, edx
		mov	ecx, 2710h
		div	ecx
		mov	edx, [ebp+arg_C]
		lea	ecx, [edi+eax]
		cmp	ecx, edi
		jb	short loc_68A5E0
		mov	edi, ecx
		mov	[esi+88h], eax
		mov	[esi+84h], edi

loc_68A5E0:				; CODE XREF: ExpTimerAdjust(x,x,x,x,x,x,x,x)+95j
		mov	eax, [ebp+arg_14]

loc_68A5E3:				; CODE XREF: ExpTimerAdjust(x,x,x,x,x,x,x,x)+79j
		mov	cl, [esi+0A8h]
		and	cl, 1
		jz	short loc_68A5F0
		xor	edi, edi

loc_68A5F0:				; CODE XREF: ExpTimerAdjust(x,x,x,x,x,x,x,x)+B1j
		movzx	ecx, cl
		neg	ecx
		mov	[esi+0B0h], eax
		lea	eax, [esi+5Ch]
		mov	[esi+0B4h], edx
		sbb	ecx, ecx
		and	ecx, eax
		push	ecx
		push	dword ptr [esi+0B8h]
		push	edi
		push	edx
		push	[ebp+arg_14]
		push	esi
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		pop	edi

loc_68A61B:				; CODE XREF: ExpTimerAdjust(x,x,x,x,x,x,x,x)+3Ej
		test	ds:byte_70EFC6,	1
		jz	short loc_68A630
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_68A635
; 

loc_68A630:				; CODE XREF: ExpTimerAdjust(x,x,x,x,x,x,x,x)+E7j
		xor	eax, eax
		lock and [ebx],	eax

loc_68A635:				; CODE XREF: ExpTimerAdjust(x,x,x,x,x,x,x,x)+F3j
		mov	al, [ebp+var_1]
		pop	esi
		pop	ebx
		leave
		retn	18h
_ExpTimerAdjust@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTimerApcRoutine(x, x, x,	x, x)
_ExpTimerApcRoutine@20 proc near	; DATA XREF: .text:0053E74Ao

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [esi-4]
		mov	[esp+10h+var_1], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	byte ptr [esi+7Ch], 1
		jz	short loc_68A6C1
		cmp	ebx, [esi+8]
		jnz	short loc_68A6C1
		cmp	dword ptr [esi+58h], 0
		jnz	short loc_68A6C7
		add	ebx, 2A0h
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [esi+50h]
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jnz	short loc_68A6BC
		cmp	[eax], ecx
		jnz	short loc_68A6BC
		mov	[eax], edx
		mov	[edx+4], eax
		test	ds:byte_70EFC6,	1
		jz	short loc_68A6B1
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_68A6B6
; 

loc_68A6B1:				; CODE XREF: ExpTimerApcRoutine(x,x,x,x,x)+65j
		xor	eax, eax
		lock and [ebx],	eax

loc_68A6B6:				; CODE XREF: ExpTimerApcRoutine(x,x,x,x,x)+71j
		and	byte ptr [esi+7Ch], 0FEh
		jmp	short loc_68A6C7
; 

loc_68A6BC:				; CODE XREF: ExpTimerApcRoutine(x,x,x,x,x)+53j
					; ExpTimerApcRoutine(x,x,x,x,x)+57j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_68A6C1:				; CODE XREF: ExpTimerApcRoutine(x,x,x,x,x)+2Ej
					; ExpTimerApcRoutine(x,x,x,x,x)+33j
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0

loc_68A6C7:				; CODE XREF: ExpTimerApcRoutine(x,x,x,x,x)+39j
					; ExpTimerApcRoutine(x,x,x,x,x)+7Cj
		test	ds:byte_70EFC6,	1
		jz	short loc_68A6DC
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_68A6E1
; 

loc_68A6DC:				; CODE XREF: ExpTimerApcRoutine(x,x,x,x,x)+90j
		xor	eax, eax
		lock and [edi],	eax

loc_68A6E1:				; CODE XREF: ExpTimerApcRoutine(x,x,x,x,x)+9Cj
		mov	cl, [esp+10h+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, 746C6644h
		lea	ecx, [esi-2Ch]
		call	ObfDereferenceObjectWithTag
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_ExpTimerApcRoutine@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTimerDpcRoutine(x, x, x,	x)
_ExpTimerDpcRoutine@16 proc near	; DATA XREF: NtCreateTimer+86o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		xor	edi, edi
		lea	ebx, [esi+28h]
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	byte ptr [esi+0A8h], 1
		jz	loc_68A7C8
		and	[esp+10h+var_4], edi
		mov	eax, 0FFDF0018h
		mov	ecx, [eax]
		add	eax, 0FFFFFFFCh
		mov	edx, [eax]
		mov	eax, 0FFDF001Ch
		mov	eax, [eax]
		cmp	ecx, eax
		jz	short loc_68A76A
		mov	ebx, 0FFDF0018h
		lea	esi, [ebx-4]
		lea	edi, [ebx+4]

loc_68A74F:				; CODE XREF: ExpTimerDpcRoutine(x,x,x,x)+5Fj
		lea	ecx, [esp+10h+var_4]
		call	KeYieldProcessorEx
		mov	ecx, [ebx]
		mov	edx, [esi]
		mov	eax, [edi]
		cmp	ecx, eax
		jnz	short loc_68A74F
		mov	esi, [ebp+arg_4]
		xor	edi, edi
		lea	ebx, [esi+28h]

loc_68A76A:				; CODE XREF: ExpTimerDpcRoutine(x,x,x,x)+41j
		push	0
		push	ecx
		push	edx
		lea	eax, [esi+2Ch]
		push	eax
		call	KeInsertQueueApc
		test	al, al
		jnz	short loc_68A77E
		xor	edi, edi
		inc	edi

loc_68A77E:				; CODE XREF: ExpTimerDpcRoutine(x,x,x,x)+78j
		cmp	dword ptr [esi+84h], 0
		jz	short loc_68A7C8
		sub	edi, 1
		jns	short loc_68A79A
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		xor	edi, edi

loc_68A79A:				; CODE XREF: ExpTimerDpcRoutine(x,x,x,x)+89j
		test	byte ptr [esi+0A8h], 2
		jnz	short loc_68A7C8
		push	[ebp+arg_0]
		mov	eax, [esi+84h]
		mov	ecx, 0FFFFD8F0h
		push	dword ptr [esi+0B8h]
		imul	ecx
		push	0
		push	edx
		push	eax
		push	esi
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		test	al, al
		jz	short loc_68A7C8
		inc	edi

loc_68A7C8:				; CODE XREF: ExpTimerDpcRoutine(x,x,x,x)+22j
					; ExpTimerDpcRoutine(x,x,x,x)+84j ...
		test	ds:byte_70EFC6,	1
		jz	short loc_68A7DD
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_68A7E2
; 

loc_68A7DD:				; CODE XREF: ExpTimerDpcRoutine(x,x,x,x)+CEj
		xor	eax, eax
		lock and [ebx],	eax

loc_68A7E2:				; CODE XREF: ExpTimerDpcRoutine(x,x,x,x)+DAj
		test	edi, edi
		jz	short loc_68A7F2
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_68A7F2:				; CODE XREF: ExpTimerDpcRoutine(x,x,x,x)+E3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_ExpTimerDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExDisableAllLookasideLists()
_ExDisableAllLookasideLists@0 proc near	; CODE XREF: VfInitSystemNoRebootNeeded(x,x):loc_A5A4AAp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	eax, eax
		push	edi
		mov	edi, ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ds:_ExMinimumLookasideDepth, ax
		call	edi
		mov	esi, offset _ExNPagedLookasideLock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, ds:_ExNPagedLookasideListHead
		mov	ecx, offset _ExNPagedLookasideListHead
		cmp	edx, ecx
		jz	short loc_68A843

loc_68A831:				; CODE XREF: ExDisableAllLookasideLists()+41j
		mov	dword ptr [edx-28h], 0FFFF0000h
		mov	edx, [edx]
		cmp	edx, ecx
		jnz	short loc_68A831
		mov	esi, offset _ExNPagedLookasideLock

loc_68A843:				; CODE XREF: ExDisableAllLookasideLists()+34j
		test	ds:byte_70EFC6,	1
		jz	short loc_68A858
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_68A85D
; 

loc_68A858:				; CODE XREF: ExDisableAllLookasideLists()+4Fj
		xor	eax, eax
		lock and [esi],	eax

loc_68A85D:				; CODE XREF: ExDisableAllLookasideLists()+5Bj
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	cl, bl
		call	esi
		call	edi
		mov	edi, offset _ExPagedLookasideLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, ds:_ExPagedLookasideListHead
		mov	ecx, offset _ExPagedLookasideListHead
		cmp	edx, ecx
		jz	short loc_68A898

loc_68A886:				; CODE XREF: ExDisableAllLookasideLists()+96j
		mov	dword ptr [edx-28h], 0FFFF0000h
		mov	edx, [edx]
		cmp	edx, ecx
		jnz	short loc_68A886
		mov	edi, offset _ExPagedLookasideLock

loc_68A898:				; CODE XREF: ExDisableAllLookasideLists()+89j
		test	ds:byte_70EFC6,	1
		jz	short loc_68A8AD
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_68A8B2
; 

loc_68A8AD:				; CODE XREF: ExDisableAllLookasideLists()+A4j
		xor	eax, eax
		lock and [edi],	eax

loc_68A8B2:				; CODE XREF: ExDisableAllLookasideLists()+B0j
		mov	cl, bl
		call	esi
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
_ExDisableAllLookasideLists@0 endp


;  S U B	R O U T	I N E 


; __stdcall ExpCheckForLookaside(x, x)
_ExpCheckForLookaside@8	proc near	; CODE XREF: ExpFreePoolChecks+D1CBDp
					; ExFreeHeapPool+C7549p
		mov	edi, edi
		push	ecx
		test	ds:_MmVerifierData, 800h
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jz	short loc_68A8DA
		call	_VfCheckForLookaside@8 ; VfCheckForLookaside(x,x)
		test	eax, eax
		jnz	short loc_68A900

loc_68A8DA:				; CODE XREF: ExpCheckForLookaside(x,x)+13j
		push	offset _ExNPagedLookasideLock
		push	offset _ExNPagedLookasideListHead
		mov	edx, esi
		mov	ecx, edi
		call	_ExpCheckForLookasideList@16 ; ExpCheckForLookasideList(x,x,x,x)
		push	offset _ExPagedLookasideLock
		push	offset _ExPagedLookasideListHead
		mov	edx, esi
		mov	ecx, edi
		call	_ExpCheckForLookasideList@16 ; ExpCheckForLookasideList(x,x,x,x)

loc_68A900:				; CODE XREF: ExpCheckForLookaside(x,x)+1Cj
		pop	edi
		pop	esi
		pop	ecx
		retn
_ExpCheckForLookaside@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCheckForLookasideList(x,	x, x, x)
_ExpCheckForLookasideList@16 proc near	; CODE XREF: ExpCheckForLookaside(x,x)+2Cp
					; ExpCheckForLookaside(x,x)+3Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		push	esi
		mov	[ebp+var_C], eax
		add	eax, ebx
		push	edi
		mov	[ebp+var_8], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, [ebp+arg_4]
		mov	ecx, edi
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+arg_0]
		mov	esi, [eax]
		cmp	esi, eax
		jz	short loc_68A964
		mov	edi, eax

loc_68A939:				; CODE XREF: ExpCheckForLookasideList(x,x,x,x)+5Bj
		lea	eax, [esi-30h]
		cmp	eax, ebx
		jb	short loc_68A95B
		cmp	eax, [ebp+var_8]
		jnb	short loc_68A95B
		push	[ebp+var_C]
		push	ebx		; char
		push	offset ??_C@_0FK@GHMJMIG@EX?3?5ExFreePool?$CI?5?$CFp?0?5?$CFIx?5?$CJ?5conta@FNODOBFM@ ;	"EX: ExFreePool( %p, %Ix ) contains a lo"...
		push	0		; int
		push	0		; int
		call	_DbgPrintEx
		add	esp, 14h
		int	3		; Trap to Debugger

loc_68A95B:				; CODE XREF: ExpCheckForLookasideList(x,x,x,x)+3Aj
					; ExpCheckForLookasideList(x,x,x,x)+3Fj
		mov	esi, [esi]
		cmp	esi, edi
		jnz	short loc_68A939
		mov	edi, [ebp+arg_4]

loc_68A964:				; CODE XREF: ExpCheckForLookasideList(x,x,x,x)+31j
		test	ds:byte_70EFC6,	1
		jz	short loc_68A979
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_68A97E
; 

loc_68A979:				; CODE XREF: ExpCheckForLookasideList(x,x,x,x)+67j
		xor	eax, eax
		lock and [edi],	eax

loc_68A97E:				; CODE XREF: ExpCheckForLookasideList(x,x,x,x)+73j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_ExpCheckForLookasideList@16 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 355. ExExtendZone

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExExtendZone(x, x, x)
		public _ExExtendZone@12
_ExExtendZone@12 proc near		; CODE XREF: ExInterlockedExtendZone(x,x,x,x)+23p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, ecx
		push	esi
		mov	esi, [ebp+arg_8]
		or	eax, esi
		test	al, 7
		jnz	short loc_68A9E6
		mov	edx, [ebp+arg_0]
		cmp	[edx+8], esi
		ja	short loc_68A9E6
		mov	eax, [edx+4]
		push	ebx
		push	edi
		mov	[ecx], eax
		lea	ebx, [ecx+8]
		push	8
		mov	eax, esi
		mov	[edx+4], ecx
		sub	eax, [edx+8]
		pop	edi
		cmp	eax, edi
		jb	short loc_68A9DD

loc_68A9C8:				; CODE XREF: ExExtendZone(x,x,x)+48j
		mov	eax, [edx]
		mov	[ebx], eax
		mov	eax, esi
		mov	ecx, [edx+8]
		add	edi, ecx
		mov	[edx], ebx
		sub	eax, ecx
		add	ebx, ecx
		cmp	edi, eax
		jbe	short loc_68A9C8

loc_68A9DD:				; CODE XREF: ExExtendZone(x,x,x)+33j
		add	[edx+0Ch], edi
		xor	eax, eax
		pop	edi
		pop	ebx
		jmp	short loc_68A9EB
; 

loc_68A9E6:				; CODE XREF: ExExtendZone(x,x,x)+12j
					; ExExtendZone(x,x,x)+1Aj
		mov	eax, 0C0000001h

loc_68A9EB:				; CODE XREF: ExExtendZone(x,x,x)+51j
		pop	esi
		pop	ebp
		retn	0Ch
_ExExtendZone@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 383. ExInitializeZone

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInitializeZone(x,	x, x, x)
		public _ExInitializeZone@16
_ExInitializeZone@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, ecx
		push	esi
		mov	esi, [ebp+arg_8]
		or	eax, esi
		push	edi
		test	al, 7
		jnz	short loc_68AA46
		mov	edi, [ebp+arg_C]
		cmp	ecx, edi
		ja	short loc_68AA46
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	ebx
		push	8
		lea	ebx, [esi+8]
		sub	edi, ecx
		mov	[edx+4], esi
		mov	[edx+8], ecx
		mov	[esi], eax
		mov	[esi+4], eax
		pop	esi
		mov	[edx], eax
		cmp	edi, esi
		jb	short loc_68AA3E

loc_68AA30:				; CODE XREF: ExInitializeZone(x,x,x,x)+47j
		mov	eax, [edx]
		add	esi, ecx
		mov	[ebx], eax
		mov	[edx], ebx
		add	ebx, ecx
		cmp	esi, edi
		jbe	short loc_68AA30

loc_68AA3E:				; CODE XREF: ExInitializeZone(x,x,x,x)+39j
		mov	[edx+0Ch], esi
		xor	eax, eax
		pop	ebx
		jmp	short loc_68AA4B
; 

loc_68AA46:				; CODE XREF: ExInitializeZone(x,x,x,x)+13j
					; ExInitializeZone(x,x,x,x)+1Aj
		mov	eax, 0C000000Dh

loc_68AA4B:				; CODE XREF: ExInitializeZone(x,x,x,x)+4Fj
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_ExInitializeZone@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 387. ExInterlockedExtendZone

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInterlockedExtendZone(x, x, x, x)
		public _ExInterlockedExtendZone@16
_ExInterlockedExtendZone@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, [ebp+arg_C]
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_ExExtendZone@12 ; ExExtendZone(x,x,x)
		test	ds:byte_70EFC6,	1
		mov	edi, eax
		jz	short loc_68AA95
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_68AA9A
; 

loc_68AA95:				; CODE XREF: ExInterlockedExtendZone(x,x,x,x)+31j
		xor	eax, eax
		lock and [esi],	eax

loc_68AA9A:				; CODE XREF: ExInterlockedExtendZone(x,x,x,x)+3Dj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_ExInterlockedExtendZone@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpInitExpCheckTestSigningInfo(x, x, x)
_ExpInitExpCheckTestSigningInfo@12 proc	near ; DATA XREF: ExpCheckTestsigningEnabled()+7o
					; ExpFirmwareAccessAppContainerCheck(x)+102o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	8
		pop	ecx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], ecx
		push	eax
		push	ecx
		lea	eax, [ebp+var_C]
		xor	ebx, ebx
		push	eax
		push	67h
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_68AAE3
		inc	ebx
		test	byte ptr [ebp+var_8], 2
		jz	short loc_68AAE3
		mov	ds:_ExpTestSigningEnabled, bl

loc_68AAE3:				; CODE XREF: ExpInitExpCheckTestSigningInfo(x,x,x)+29j
					; ExpInitExpCheckTestSigningInfo(x,x,x)+30j
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
_ExpInitExpCheckTestSigningInfo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpIsDevicePathForRemovableMedia(x)
_ExpIsDevicePathForRemovableMedia@4 proc near ;	CODE XREF: NtEnumerateBootEntries(x,x)+455p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	edx, edi
		mov	ebx, edi
		mov	cl, [esi]
		mov	al, cl
		mov	[ebp+var_4], edx
		and	al, 7Fh
		cmp	al, 7Fh
		jz	short loc_68AB77

loc_68AB08:				; CODE XREF: ExpIsDevicePathForRemovableMedia(x)+7Aj
		and	cl, 7Fh
		cmp	cl, 1
		jnz	short loc_68AB34
		cmp	byte ptr [esi+1], 4
		jnz	short loc_68AB4D
		push	10h		; size_t
		lea	eax, [esi+4]
		push	offset _ExpUnknownDeviceGuid ; void *
		push	eax		; void *
		call	_memcmp
		mov	edx, [ebp+var_4]
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_68AB4D
		mov	edi, esi
		jmp	short loc_68AB4D
; 

loc_68AB34:				; CODE XREF: ExpIsDevicePathForRemovableMedia(x)+24j
		cmp	cl, 4
		jnz	short loc_68AB4D
		mov	al, [esi+1]
		cmp	al, 1
		jnz	short loc_68AB47
		mov	edx, esi
		mov	[ebp+var_4], edx
		jmp	short loc_68AB4D
; 

loc_68AB47:				; CODE XREF: ExpIsDevicePathForRemovableMedia(x)+54j
		cmp	al, 4
		jnz	short loc_68AB4D
		mov	ebx, esi

loc_68AB4D:				; CODE XREF: ExpIsDevicePathForRemovableMedia(x)+2Aj
					; ExpIsDevicePathForRemovableMedia(x)+44j ...
		movzx	ecx, byte ptr [esi+3]
		movzx	eax, byte ptr [esi+2]
		shl	ecx, 8
		or	ecx, eax
		add	esi, ecx
		mov	cl, [esi]
		mov	al, cl
		and	al, 7Fh
		cmp	al, 7Fh
		jnz	short loc_68AB08
		test	edi, edi
		jz	short loc_68AB77
		test	edx, edx
		jnz	short loc_68AB77
		test	ebx, ebx
		jnz	short loc_68AB77
		xor	eax, eax
		inc	eax
		jmp	short loc_68AB79
; 

loc_68AB77:				; CODE XREF: ExpIsDevicePathForRemovableMedia(x)+1Cj
					; ExpIsDevicePathForRemovableMedia(x)+7Ej ...
		xor	eax, eax

loc_68AB79:				; CODE XREF: ExpIsDevicePathForRemovableMedia(x)+8Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpIsDevicePathForRemovableMedia@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExQueueWorkItemExFromIo(x, x, x)
_ExQueueWorkItemExFromIo@12 proc near	; CODE XREF: IoQueueWorkItemToNode(x,x,x,x,x)+1Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	ExpValidateWorkItem
		cmp	esi, 7
		jnb	short loc_68AB9C
		mov	esi, ds:_ExpBuiltinPriorities[esi*4]
		jmp	short loc_68AB9F
; 

loc_68AB9C:				; CODE XREF: ExQueueWorkItemExFromIo(x,x,x)+13j
		add	esi, 0FFFFFFE0h

loc_68AB9F:				; CODE XREF: ExQueueWorkItemExFromIo(x,x,x)+1Cj
		mov	eax, ds:_PspSystemPartition
		mov	edx, edi
		push	1
		push	[ebp+arg_0]
		mov	ecx, [eax+8]
		push	esi
		call	ExpQueueWorkItem
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_ExQueueWorkItemExFromIo@12 endp ; sp =	-0Ch

; 

; __stdcall ExpCheckForWorker(x, x)
_ExpCheckForWorker@8:			; CODE XREF: ExpFreePoolChecks+D1CF7p
					; ExFreeHeapPool+C759Bp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ecx
		xor	ecx, ecx
		mov	[ebp-18h], eax
		add	eax, edx
		push	esi
		mov	[ebp-14h], eax
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_68ACB7
		push	ebx
		push	edi

loc_68ABE0:				; CODE XREF: .text:0068ACAFj
		cmp	esi, ds:_PspSystemPartition
		jnz	short loc_68ABF3
		mov	eax, [esi+8]
		test	eax, eax
		jz	loc_68ACA4

loc_68ABF3:				; CODE XREF: .text:0068ABE6j
		xor	eax, eax
		xor	edi, edi
		cmp	ax, ds:_KeNumberNodes
		jnb	loc_68ACA4

loc_68AC04:				; CODE XREF: .text:0068AC9Ej
		mov	ecx, edi
		call	_KeIsNodeInitialized@4 ; KeIsNodeInitialized(x)
		test	al, al
		jnz	short loc_68AC13
		xor	eax, eax
		jmp	short loc_68AC1D
; 

loc_68AC13:				; CODE XREF: .text:0068AC0Dj
		movzx	eax, di
		mov	eax, ds:_KeNodeBlock[eax*4]

loc_68AC1D:				; CODE XREF: .text:0068AC11j
		mov	[ebp-10h], eax
		xor	ebx, ebx

loc_68AC22:				; CODE XREF: .text:0068AC94j
		mov	ecx, [esi+8]
		mov	edx, eax
		push	ebx
		call	_ExpPartitionGetQueue@12 ; ExpPartitionGetQueue(x,x,x)
		mov	[ebp-0Ch], eax
		test	eax, eax
		jz	short loc_68AC8D
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp-0Ch]
		mov	[ebp-1], al
		call	_KiAcquireKobjectLockSafe@4 ; KiAcquireKobjectLockSafe(x)
		and	dword ptr [ebp-8], 0
		mov	edx, [ebp-0Ch]
		mov	eax, [ebp-8]
		add	edx, 10h

loc_68AC52:				; CODE XREF: .text:0068AC77j
		mov	ecx, [edx]
		cmp	ecx, edx
		jz	short loc_68AC6D
		mov	eax, [ebp-18h]

loc_68AC5B:				; CODE XREF: .text:0068AC68j
		cmp	ecx, eax
		jb	short loc_68AC64
		cmp	ecx, [ebp-14h]
		jb	short loc_68ACBA

loc_68AC64:				; CODE XREF: .text:0068AC5Dj
		mov	ecx, [ecx]
		cmp	ecx, edx
		jnz	short loc_68AC5B
		mov	eax, [ebp-8]

loc_68AC6D:				; CODE XREF: .text:0068AC56j
		inc	eax
		add	edx, 8
		mov	[ebp-8], eax
		cmp	eax, 20h
		jl	short loc_68AC52
		mov	eax, [ebp-0Ch]
		mov	ecx, 0FFFFFF7Fh
		lock and [eax],	ecx
		mov	cl, [ebp-1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_68AC8D:				; CODE XREF: .text:0068AC32j
		mov	eax, [ebp-10h]
		inc	ebx
		cmp	ebx, 8
		jl	short loc_68AC22
		inc	edi
		cmp	di, ds:_KeNumberNodes
		jb	loc_68AC04

loc_68ACA4:				; CODE XREF: .text:0068ABEDj
					; .text:0068ABFEj
		mov	ecx, esi
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_68ABE0
		pop	edi
		pop	ebx

loc_68ACB7:				; CODE XREF: .text:0068ABD8j
		pop	esi
		leave
		retn
; 

loc_68ACBA:				; CODE XREF: .text:0068AC62j
		push	dword ptr [ebp-14h]
		push	eax
		push	ecx
		push	0
		push	0E4h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 0CCh
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2925. _purecall

;  S U B	R O U T	I N E 


		public __purecall
__purecall	proc near		; DATA XREF: .text:004050E8o
					; .text:004050ECo ...
		push	0C0000002h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger
__purecall	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExFlushTb(x, x, x)
_ExFlushTb@12	proc near		; CODE XREF: KeFlushMultipleRangeTb+15E132p
					; MiTerminateWsleCluster+15A780p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 1
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		jz	short loc_68AD05
		mov	eax, ds:_HalIommuDispatch
		push	edx
		push	ecx
		push	ds:_ExpSvmIommuSystemContext
		call	dword ptr [eax+28h]
		jmp	short loc_68AD1A
; 

loc_68AD05:				; CODE XREF: ExFlushTb(x,x,x)+15j
		mov	eax, [eax+3B0h]
		test	eax, eax
		jz	short loc_68AD1A
		push	edx
		push	ecx
		push	eax
		mov	eax, ds:_HalIommuDispatch
		call	dword ptr [eax+24h]

loc_68AD1A:				; CODE XREF: ExFlushTb(x,x,x)+27j
					; ExFlushTb(x,x,x)+31j
		pop	ebp
		retn	4
_ExFlushTb@12	endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 436. ExShareAddressSpaceWithDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExShareAddressSpaceWithDevice(x, x)
		public _ExShareAddressSpaceWithDevice@8
_ExShareAddressSpaceWithDevice@8 proc near

var_D0		= dword	ptr -0D0h
var_C8		= dword	ptr -0C8h
var_C2		= byte ptr -0C2h
var_C1		= byte ptr -0C1h
var_BE		= byte ptr -0BEh
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 0A8h
		and	[esp+0A8h+var_98], 0
		xor	eax, eax
		and	[esp+0A8h+var_94], 0
		push	esi
		push	edi
		push	0Ah
		pop	ecx
		lea	edi, [esp+0B0h+var_28]
		rep stosd
		mov	ecx, [ebp+arg_4]
		lea	edi, [esp+0B0h+var_34]
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	[ecx], eax
		cmp	ds:_ExpSvmIommuSystemContext, 0
		mov	[esp+0B0h+var_8C], eax
		jnz	short loc_68AD71
		mov	eax, 0C00000BBh
		jmp	loc_68B88B
; 

loc_68AD71:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+42j
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_68AD82
		mov	eax, 0C00000EFh
		jmp	loc_68B88B
; 

loc_68AD82:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+53j
		mov	eax, large fs:124h
		mov	[esp+0B0h+var_68], eax
		mov	edi, [eax+80h]
		mov	[esp+0B0h+var_90], edi
		lea	eax, [edi+0F0h]
		mov	ecx, eax
		mov	[esp+0B0h+var_38], eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_68ADB5
		mov	eax, 0C000010Ah
		jmp	loc_68B88B
; 

loc_68ADB5:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+86j
		lea	eax, [esp+0B0h+var_28]
		push	eax		; void *
		push	esi		; int
		xor	eax, eax
		inc	eax
		push	eax		; __int16
		push	28h		; __int16
		push	offset _GUID_IOMMU_BUS_INTERFACE ; int
		push	0		; char
		push	esi		; int
		call	_IoQueryInterface@28 ; IoQueryInterface(x,x,x,x,x,x,x)
		mov	[esp+0B0h+var_9C], eax
		test	eax, eax
		js	loc_68B6B1
		mov	eax, [esp+0B0h+var_68]
		dec	word ptr [eax+13Eh]
		nop
		add	edi, 3B4h
		xor	eax, eax
		mov	ecx, edi
		mov	[esp+0B0h+var_60], eax
		and	ecx, 7FFFFFFCh
		mov	[esp+0B0h+var_84], ecx
		jnz	short loc_68AE0A
		mov	esi, eax
		jmp	loc_68AF3B
; 

loc_68AE0A:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+DEj
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		xor	ecx, ecx
		inc	ecx
		cmp	[esi+1E6h], cl
		jz	short loc_68AE42
		push	eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	edi

loc_68AE37:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+3C2j
		push	esi
		push	192h

loc_68AE3D:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+604j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68AE42:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+106j
		mov	dl, [esi+1E4h]
		mov	[esp+0C4h+var_78], eax
		test	dl, dl
		jnz	short loc_68AE66
		lea	ecx, [esi+222h]
		cmp	[ecx], al
		jz	short loc_68AE98
		xor	al, al
		xchg	al, [ecx]
		mov	dl, [esi+1E4h]
		or	dl, al

loc_68AE66:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+12Bj
		movzx	eax, dl
		bsf	ecx, eax
		xor	eax, eax
		inc	eax
		mov	[esp+0C4h+var_78], ecx
		shl	al, cl
		not	al
		and	al, dl
		imul	edx, ecx, 30h
		mov	[esi+1E4h], al
		add	edx, [esi+1E8h]
		mov	[esp+0C4h+var_9C], edx
		jnz	short loc_68AEB3

loc_68AE8E:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+183j
					; ExShareAddressSpaceWithDevice(x,x)+18Ej
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_68AEFC
; 

loc_68AE98:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+135j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	[esp+0C4h+var_9C], eax
		jz	short loc_68AE8E
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_68AE8E
; 

loc_68AEB3:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+169j
		mov	eax, ds:dword_6D07D0
		mov	ecx, edi
		shr	ecx, 15h
		mov	[esp+0C4h+var_94], eax
		cmp	edi, eax
		jb	short loc_68AEE1
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68AEE6
		mov	eax, [esp+0C4h+var_94]
		cmp	edi, eax
		jb	short loc_68AEE1
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_68AEE6

loc_68AEE1:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+1A0j
					; ExShareAddressSpaceWithDevice(x,x)+1B3j
		or	eax, 0FFFFFFFFh
		jmp	short loc_68AEF1
; 

loc_68AEE6:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+1ABj
					; ExShareAddressSpaceWithDevice(x,x)+1BCj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_68AEF1:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+1C1j
		mov	[edx+14h], eax
		nop
		mov	eax, [esp+0C4h+var_98]
		mov	[edx+10h], eax

loc_68AEFC:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+173j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [esp+0C4h+var_74]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_68AF37
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68AF37
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68AF37:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+205j
					; ExShareAddressSpaceWithDevice(x,x)+20Dj
		mov	esi, [esp+0C4h+var_9C]

loc_68AF3B:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+E2j
		lock bts dword ptr [edi], 0
		jnb	short loc_68AF4C
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_68AF4C:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+21Dj
		test	esi, esi
		jz	short loc_68AF56
		xor	eax, eax
		inc	eax
		or	[esi+0Eh], al

loc_68AF56:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+22Bj
		mov	edi, [esp+0C4h+var_A4]
		mov	esi, [edi+3ACh]
		test	esi, esi
		jnz	short loc_68AF93
		call	_ExpAllocateAsid@0 ; ExpAllocateAsid()
		mov	esi, eax
		mov	[esp+0C4h+var_94], esi
		test	esi, esi
		jnz	short loc_68AF80
		mov	[esp+0C4h+var_B0], 0C0000073h
		jmp	loc_68B5B6
; 

loc_68AF80:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+24Ej
		mov	edx, esi
		mov	ecx, edi
		call	_ExpAssignPasid@8 ; ExpAssignPasid(x,x)
		test	eax, eax
		jnz	short loc_68AF93
		mov	esi, [edi+3ACh]

loc_68AF93:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+23Fj
					; ExShareAddressSpaceWithDevice(x,x)+268j
		mov	eax, [edi+3B0h]
		dec	esi
		mov	[esp+0C4h+var_94], esi
		mov	[esp+0C4h+var_AC], eax
		test	eax, eax
		jnz	loc_68B094
		lea	eax, [esp+0C4h+var_AC]
		push	eax
		mov	eax, ds:_HalIommuDispatch
		push	0
		push	esi
		call	dword ptr [eax+8]
		mov	[esp+0D0h+var_BC], eax
		test	eax, eax
		js	loc_68B5B6
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	[esp+0D0h+var_54], 0
		test	ds:byte_70EFC6,	21h
		mov	[esp+0D0h+var_BE], al
		lea	eax, [edi+3B8h]
		mov	[esp+0D0h+var_50], eax
		jz	short loc_68AFFA
		mov	edx, eax
		lea	ecx, [esp+0D0h+var_54]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68B00D
; 

loc_68AFFA:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+2C8j
		lea	edx, [esp+0D0h+var_54]
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_68B00D
		lea	ecx, [esp+0D0h+var_54]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_68B00D:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+2D5j
					; ExShareAddressSpaceWithDevice(x,x)+2DFj
		mov	eax, [edi+3B0h]
		test	eax, eax
		jz	short loc_68B021
		mov	esi, [esp+0D0h+var_B8]
		mov	[esp+0D0h+var_B8], eax
		jmp	short loc_68B02D
; 

loc_68B021:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+2F2j
		mov	eax, [esp+0D0h+var_B8]
		xor	esi, esi
		mov	[edi+3B0h], eax

loc_68B02D:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+2FCj
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_68B046
		mov	edx, [ebp+4]
		lea	ecx, [esp+0D0h+var_54]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68B07D
; 

loc_68B046:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+313j
		mov	eax, [esp+0D0h+var_54]
		test	eax, eax
		jnz	short loc_68B06C
		mov	edx, [esp+0D0h+var_50]
		lea	eax, [esp+0D0h+var_54]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+0D0h+var_54]
		cmp	eax, ecx
		jz	short loc_68B07D
		call	KxWaitForLockChainValid

loc_68B06C:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+329j
		xor	ecx, ecx
		mov	[esp+0D0h+var_54], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_68B07D:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+321j
					; ExShareAddressSpaceWithDevice(x,x)+342j
		mov	cl, [esp+0D0h+var_BE]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_68B094
		mov	eax, ds:_HalIommuDispatch
		push	esi
		call	dword ptr [eax+20h]

loc_68B094:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+281j
					; ExShareAddressSpaceWithDevice(x,x)+366j
		mov	ecx, offset _ExpSvmDeviceListLock
		xor	eax, eax
		mov	esi, ecx
		mov	[esp+0D4h+var_7C], eax
		and	esi, 7FFFFFFCh
		mov	[esp+0D4h+var_AC], esi
		jnz	short loc_68B0B4
		mov	edi, eax
		jmp	loc_68B1EB
; 

loc_68B0B4:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+388j
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		xor	ecx, ecx
		inc	ecx
		cmp	[esi+1E6h], cl
		jz	short loc_68B0EA
		push	eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	offset _ExpSvmDeviceListLock
		jmp	loc_68AE37
; 

loc_68B0EA:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+3B0j
		mov	dl, [esi+1E4h]
		mov	[esp+0D4h+var_80], eax
		test	dl, dl
		jnz	short loc_68B10E
		lea	ecx, [esi+222h]
		cmp	[ecx], al
		jz	short loc_68B13C
		xor	al, al
		xchg	al, [ecx]
		mov	dl, [esi+1E4h]
		or	dl, al

loc_68B10E:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+3D3j
		movzx	eax, dl
		bsf	ecx, eax
		xor	eax, eax
		inc	eax
		imul	edi, ecx, 30h
		shl	al, cl
		not	al
		mov	[esp+0D4h+var_80], ecx
		and	al, dl
		mov	[esi+1E4h], al
		add	edi, [esi+1E8h]
		jnz	short loc_68B158

loc_68B132:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+425j
					; ExShareAddressSpaceWithDevice(x,x)+433j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_68B1A4
; 

loc_68B13C:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+3DDj
		test	dword ptr ds:byte_70EFC4, 200h
		mov	edi, eax
		jz	short loc_68B132
		mov	edx, offset _ExpSvmDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_68B132
; 

loc_68B158:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+40Dj
		mov	edx, ds:dword_6D07D0
		mov	eax, offset _ExpSvmDeviceListLock
		mov	ecx, eax
		shr	ecx, 15h
		cmp	edx, eax
		ja	short loc_68B189
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68B18E
		mov	eax, offset _ExpSvmDeviceListLock
		cmp	edx, eax
		ja	short loc_68B189
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_68B18E

loc_68B189:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+447j
					; ExShareAddressSpaceWithDevice(x,x)+45Bj
		or	eax, 0FFFFFFFFh
		jmp	short loc_68B199
; 

loc_68B18E:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+452j
					; ExShareAddressSpaceWithDevice(x,x)+464j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_68B199:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+469j
		mov	[edi+14h], eax
		nop
		mov	eax, [esp+0D4h+var_AC]
		mov	[edi+10h], eax

loc_68B1A4:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+417j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [esp+0D4h+var_7C]
		push	eax
		mov	edx, offset _ExpSvmDeviceListLock
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_68B1E2
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68B1E2
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68B1E2:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+4B0j
					; ExShareAddressSpaceWithDevice(x,x)+4B8j
		mov	esi, [esp+0D4h+var_AC]
		mov	ecx, offset _ExpSvmDeviceListLock

loc_68B1EB:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+38Cj
		lock bts dword ptr [ecx], 0
		jnb	short loc_68B1FA
		push	ecx
		mov	edx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_68B1FA:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+4CDj
		test	edi, edi
		jz	short loc_68B204
		xor	eax, eax
		inc	eax
		or	[edi+0Eh], al

loc_68B204:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+4D9j
		mov	eax, ds:_ExpSvmDevices
		mov	edi, offset _ExpSvmDevices
		cmp	eax, edi
		jz	short loc_68B243
		mov	edx, [ebp+arg_0]

loc_68B215:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+501j
		mov	ecx, eax
		mov	[esp+0D4h+var_B8], eax
		cmp	[eax+8], edx
		jz	short loc_68B226
		mov	eax, [eax]
		cmp	eax, edi
		jnz	short loc_68B215

loc_68B226:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+4FBj
		mov	eax, [esp+0D4h+var_B8]
		cmp	[eax+8], edx
		jz	short loc_68B236
		and	[esp+0D4h+var_B8], 0
		xor	ecx, ecx

loc_68B236:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+50Aj
		test	ecx, ecx
		jz	short loc_68B243
		mov	eax, [esp+0D4h+var_B8]
		inc	dword ptr [eax+0Ch]
		jmp	short loc_68B260
; 

loc_68B243:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+4EDj
					; ExShareAddressSpaceWithDevice(x,x)+515j
		mov	edx, [esp+0D4h+var_BC]
		lea	eax, [esp+0D4h+var_B8]
		mov	ecx, [ebp+arg_0]
		push	eax
		lea	eax, [esp+0D8h+var_4C]
		push	eax
		call	_ExpPrepareNewSvmDevice@16 ; ExpPrepareNewSvmDevice(x,x,x,x)
		mov	[esp+14h], eax

loc_68B260:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+51Ej
		or	eax, 0FFFFFFFFh
		mov	ecx, offset _ExpSvmDeviceListLock
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_68B27C
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset _ExpSvmDeviceListLock

loc_68B27C:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+54Dj
		xor	edi, edi
		mov	[esp+0D4h+var_A8], edi
		test	esi, esi
		jz	loc_68B42F
		mov	esi, large fs:124h
		mov	eax, offset _ExpSvmDeviceListLock
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[esp+0D4h+var_74], esi
		cmp	edx, eax
		ja	short loc_68B2C4
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68B2C9
		mov	eax, offset _ExpSvmDeviceListLock
		cmp	edx, eax
		ja	short loc_68B2C4
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_68B2C9

loc_68B2C4:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+582j
					; ExShareAddressSpaceWithDevice(x,x)+596j
		or	eax, 0FFFFFFFFh
		jmp	short loc_68B2D4
; 

loc_68B2C9:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+58Dj
					; ExShareAddressSpaceWithDevice(x,x)+59Fj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_68B2D4:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+5A4j
		dec	word ptr [esi+13Eh]
		mov	[esp+0D4h+var_AC], eax
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	edx, offset _ExpSvmDeviceListLock
		mov	[esp+0D4h+var_C2], cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+0D4h+var_78], ecx
		test	ecx, ecx
		jnz	short loc_68B32C
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_68B39B
		push	ecx
		push	[esp+0D8h+var_AC]
		mov	eax, offset _ExpSvmDeviceListLock
		push	eax

loc_68B321:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+A4Bj
		push	esi
		push	162h
		jmp	loc_68AE3D
; 

loc_68B32C:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+5E3j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_68B343
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+0D4h+var_78]

loc_68B343:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+615j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+0D4h+var_A8], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		xor	ecx, ecx
		lea	edx, [ecx+1]
		mov	ecx, eax
		xor	eax, eax
		shl	dl, cl
		inc	eax
		cmp	[esp+0D4h+var_C2], al
		jnz	short loc_68B38E
		or	[esi+1E4h], dl
		jmp	short loc_68B39B
; 

loc_68B38E:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+661j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [esp+0D4h+var_74]

loc_68B39B:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+5EDj
					; ExShareAddressSpaceWithDevice(x,x)+669j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+0D4h+var_74], eax
		jz	short loc_68B409
		test	edi, 8000h
		jz	short loc_68B3C0
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68B3C0:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+692j
		xor	eax, eax
		inc	eax
		test	byte ptr [esp+0D4h+var_A8+2], al
		jz	short loc_68B3D9
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_68B3D9:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+6A4j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_68B3ED
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_68B3ED:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+6BDj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68B409
		push	[esp+0D4h+var_74]
		mov	edx, offset _ExpSvmDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_68B409:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+68Aj
					; ExShareAddressSpaceWithDevice(x,x)+6D4j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_68B42F
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68B42F
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68B42F:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+561j
					; ExShareAddressSpaceWithDevice(x,x)+6FDj ...
		cmp	dword ptr [esp+14h], 0
		jl	loc_68B5B2
		mov	eax, large fs:20h
		mov	ecx, 200h
		push	0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	64507845h
		push	0Ch
		pop	edx
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jnz	short loc_68B47E
		mov	edi, [esp+0D4h+var_B4]
		mov	dword ptr [esp+14h], 0C000009Ah
		jmp	loc_68B5B8
; 

loc_68B47E:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+748j
		mov	eax, [esp+0D4h+var_B8]
		mov	cl, 1Fh
		mov	[esi+8], eax
		mov	[esp+0D4h+var_C2], 0
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edi, [esp+0D4h+var_B4]
		and	[esp+0D4h+var_58], 0
		test	ds:byte_70EFC6,	21h
		mov	[esp+0D4h+var_C1], al
		lea	ecx, [edi+3B8h]
		mov	[esp+0D4h+var_54], ecx
		jz	short loc_68B4C2
		mov	edx, ecx
		lea	ecx, [esp+0D4h+var_58]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68B4D5
; 

loc_68B4C2:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+790j
		lea	edx, [esp+0D4h+var_58]
		xchg	edx, [ecx]
		test	edx, edx
		jz	short loc_68B4D5
		lea	ecx, [esp+0D4h+var_58]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_68B4D5:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+79Dj
					; ExShareAddressSpaceWithDevice(x,x)+7A7j
		lea	ecx, [edi+3BCh]
		mov	edx, [ecx]
		jmp	short loc_68B4F0
; 

loc_68B4DF:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+7CFj
		mov	eax, [edx+8]
		mov	edi, [ebp+arg_0]
		cmp	[eax+8], edi
		mov	edi, [esp+0D4h+var_B4]
		jz	short loc_68B522
		mov	edx, [edx]

loc_68B4F0:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+7BAj
		cmp	edx, ecx
		jnz	short loc_68B4DF
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	loc_68B6A3
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		xor	eax, eax
		mov	[ecx], esi
		inc	eax

loc_68B50C:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+806j
		test	ds:byte_70EFC6,	al
		jz	short loc_68B52B
		mov	edx, [ebp+4]
		lea	ecx, [esp+0D4h+var_58]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68B562
; 

loc_68B522:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+7C9j
		xor	eax, eax
		inc	eax
		mov	[esp+0D4h+var_C2], al
		jmp	short loc_68B50C
; 

loc_68B52B:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+7EFj
		mov	eax, [esp+0D4h+var_58]
		test	eax, eax
		jnz	short loc_68B551
		mov	edx, [esp+0D4h+var_54]
		lea	eax, [esp+0D4h+var_58]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+0D4h+var_58]
		cmp	eax, ecx
		jz	short loc_68B562
		call	KxWaitForLockChainValid

loc_68B551:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+80Ej
		xor	ecx, ecx
		mov	[esp+0D4h+var_58], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_68B562:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+7FDj
					; ExShareAddressSpaceWithDevice(x,x)+827j
		mov	cl, [esp+0D4h+var_C1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[esp+0D4h+var_C2], 0
		jz	short loc_68B57C
		mov	ecx, esi
		call	ExFreeHeapPool
		jmp	short loc_68B5B6
; 

loc_68B57C:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+84Ej
		call	_MmEnableProcessSvm@0 ;	MmEnableProcessSvm()
		mov	eax, [esp+0D4h+var_B8]
		push	dword ptr [eax+3Ch]
		mov	eax, ds:_HalIommuDispatch
		push	[esp+0D8h+var_BC]
		call	dword ptr [eax+10h]
		mov	[esp+0DCh+var_C8], eax
		test	eax, eax
		js	short loc_68B5B8
		mov	eax, [edi+18h]
		push	eax
		mov	eax, ds:_HalIommuDispatch
		push	dword ptr [esp+1Ch]
		call	dword ptr [eax+14h]
		mov	[esp+0E4h+var_D0], eax
		jmp	short loc_68B5B8
; 

loc_68B5B2:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+711j
		mov	edi, [esp+0D4h+var_B4]

loc_68B5B6:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+258j
					; ExShareAddressSpaceWithDevice(x,x)+29Dj ...
		xor	esi, esi

loc_68B5B8:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+756j
					; ExShareAddressSpaceWithDevice(x,x)+877j ...
		push	[esp+0D4h+var_48]
		call	[esp+0D8h+var_40]
		cmp	dword ptr [esp+14h], 0
		jge	loc_68B6A8
		mov	ecx, [esp+0D8h+var_BC]
		test	ecx, ecx
		jz	short loc_68B5DE
		call	_ExpSvmDereferenceDevice@4 ; ExpSvmDereferenceDevice(x)

loc_68B5DE:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+8B4j
		test	esi, esi
		jz	loc_68B6B1
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		and	[esp+0D8h+var_5C], 0
		lea	ecx, [edi+3B8h]
		test	ds:byte_70EFC6,	21h
		mov	byte ptr [esp+0D8h+var_C8+3], al
		mov	[esp+0D8h+var_58], ecx
		jz	short loc_68B61A
		mov	edx, ecx
		lea	ecx, [esp+0D8h+var_5C]
		call	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68B62D
; 

loc_68B61A:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+8E8j
		lea	edx, [esp+0D8h+var_5C]
		xchg	edx, [ecx]
		test	edx, edx
		jz	short loc_68B62D
		lea	ecx, [esp+0D8h+var_5C]
		call	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)

loc_68B62D:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+8F5j
					; ExShareAddressSpaceWithDevice(x,x)+8FFj
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_68B6A3
		cmp	[eax], esi
		jnz	short loc_68B6A3
		mov	[eax], ecx
		mov	[ecx+4], eax
		xor	eax, eax
		inc	eax
		test	ds:byte_70EFC6,	al
		jz	short loc_68B659
		mov	edx, [ebp+4]
		lea	ecx, [esp+0D8h+var_5C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68B690
; 

loc_68B659:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+926j
		mov	eax, [esp+0D8h+var_5C]
		test	eax, eax
		jnz	short loc_68B67F
		mov	edx, [esp+0D8h+var_58]
		lea	eax, [esp+0D8h+var_5C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+0D8h+var_5C]
		cmp	eax, ecx
		jz	short loc_68B690
		call	KxWaitForLockChainValid

loc_68B67F:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+93Cj
		xor	ecx, ecx
		mov	[esp+0D8h+var_5C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_68B690:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+934j
					; ExShareAddressSpaceWithDevice(x,x)+955j
		mov	cl, byte ptr [esp+0D8h+var_C8+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	ExFreeHeapPool
		jmp	short loc_68B6B1
; 

loc_68B6A3:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+7D6j
					; ExShareAddressSpaceWithDevice(x,x)+912j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_68B6A8:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+8A8j
		mov	ecx, [ebp+arg_4]
		mov	eax, [esp+0D4h+var_A4]
		mov	[ecx], eax

loc_68B6B1:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+B4j
					; ExShareAddressSpaceWithDevice(x,x)+8BDj ...
		lea	edx, [edi+3B4h]
		or	eax, 0FFFFFFFFh
		mov	[esp+0D4h+var_B4], edx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_68B6D3
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [esp+0D4h+var_B4]

loc_68B6D3:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+9A3j
		xor	edi, edi
		mov	[esp+0D4h+var_A4], edi
		test	edx, 7FFFFFFCh
		jz	loc_68B875
		mov	esi, large fs:124h
		mov	ecx, edx
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[esp+0D4h+var_78], esi
		mov	[esp+0D4h+var_74], eax
		cmp	edx, eax
		jb	short loc_68B72D
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68B71E
		mov	eax, [esp+0D4h+var_74]
		cmp	edx, eax
		jb	short loc_68B72D
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_68B72D

loc_68B71E:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+9E8j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esp+0D4h+var_B0], eax

loc_68B72D:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+9DDj
					; ExShareAddressSpaceWithDevice(x,x)+9F0j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	[esp+0D4h+var_B0]
		mov	[esp+0D8h+var_C1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+0D4h+var_74], ecx
		test	ecx, ecx
		jnz	short loc_68B773
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_68B7E2
		push	ecx
		push	[esp+0D8h+var_B0]
		push	[esp+0DCh+var_B4]
		jmp	loc_68B321
; 

loc_68B773:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+A36j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_68B78A
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+0D4h+var_74]

loc_68B78A:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+A5Cj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+0D4h+var_A4], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		cdq
		push	30h
		pop	ecx
		idiv	ecx
		xor	ecx, ecx
		lea	edx, [ecx+1]
		mov	ecx, eax
		xor	eax, eax
		shl	dl, cl
		inc	eax
		cmp	[esp+0D4h+var_C1], al
		jnz	short loc_68B7D5
		or	[esi+1E4h], dl
		jmp	short loc_68B7E2
; 

loc_68B7D5:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+AA8j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [esp+0D4h+var_78]

loc_68B7E2:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+A40j
					; ExShareAddressSpaceWithDevice(x,x)+AB0j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+0D4h+var_74], eax
		jz	short loc_68B84F
		test	edi, 8000h
		jz	short loc_68B807
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68B807:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+AD9j
		xor	eax, eax
		inc	eax
		test	byte ptr [esp+0D4h+var_A4+2], al
		jz	short loc_68B820
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_68B820:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+AEBj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_68B834
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_68B834:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+B04j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68B84F
		push	[esp+0D4h+var_74]
		mov	edx, [esp+0D8h+var_B4]
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_68B84F:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+AD1j
					; ExShareAddressSpaceWithDevice(x,x)+B1Bj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_68B875
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68B875
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68B875:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+9BCj
					; ExShareAddressSpaceWithDevice(x,x)+B43j ...
		mov	ecx, [esp+0D4h+var_8C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [esp+0D4h+var_5C]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	eax, [esp+14h]

loc_68B88B:				; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+49j
					; ExShareAddressSpaceWithDevice(x,x)+5Aj ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
_ExShareAddressSpaceWithDevice@8 endp

; 
		align 8
; Exported entry 440. ExSvmBeginDeviceReset

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExSvmBeginDeviceReset(x, x)
		public _ExSvmBeginDeviceReset@8
_ExSvmBeginDeviceReset@8 proc near

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	[ebp+var_38], eax
		dec	word ptr [eax+13Eh]
		nop
		mov	eax, offset _ExpSvmDeviceListLock
		mov	[ebp+var_C], 0FFFFFFFFh
		xor	edi, edi
		mov	esi, eax
		and	esi, 7FFFFFFCh
		mov	[ebp+var_18], edi
		mov	[ebp+var_8], esi
		jz	loc_68BA18
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_68B922
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		mov	eax, offset _ExpSvmDeviceListLock
		push	eax
		push	esi
		push	192h

loc_68B91D:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+292j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68B922:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+6Cj
		mov	dl, [esi+1E4h]
		mov	[ebp+var_14], edi
		test	dl, dl
		jnz	short loc_68B945
		lea	ecx, [esi+222h]
		cmp	[ecx], dl
		jz	short loc_68B971
		xor	al, al
		xchg	al, [ecx]
		mov	dl, [esi+1E4h]
		or	dl, al

loc_68B945:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+95j
		movzx	eax, dl
		bsf	ecx, eax
		mov	al, 1
		shl	al, cl
		imul	edi, ecx, 30h
		not	al
		and	al, dl
		mov	[ebp+var_14], ecx
		mov	[esi+1E4h], al
		add	edi, [esi+1E8h]
		jnz	short loc_68B988

loc_68B967:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+E3j
					; ExSvmBeginDeviceReset(x,x)+EEj
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_68B9D3
; 

loc_68B971:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+9Fj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68B967
		mov	edx, eax
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_68B967
; 

loc_68B988:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+CDj
		mov	edx, ds:dword_6D07D0
		mov	eax, offset _ExpSvmDeviceListLock
		mov	ecx, eax
		shr	ecx, 15h
		cmp	edx, eax
		ja	short loc_68B9B9
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68B9BE
		mov	eax, offset _ExpSvmDeviceListLock
		cmp	edx, eax
		ja	short loc_68B9B9
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_68B9BE

loc_68B9B9:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+102j
					; ExSvmBeginDeviceReset(x,x)+116j
		or	eax, 0FFFFFFFFh
		jmp	short loc_68B9C9
; 

loc_68B9BE:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+10Dj
					; ExSvmBeginDeviceReset(x,x)+11Fj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_68B9C9:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+124j
		mov	[edi+14h], eax
		nop
		mov	eax, [ebp+var_8]
		mov	[edi+10h], eax

loc_68B9D3:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+D7j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_18]
		push	eax
		mov	edx, offset _ExpSvmDeviceListLock
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_68BA10
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68BA10
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68BA10:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+169j
					; ExSvmBeginDeviceReset(x,x)+171j
		mov	esi, [ebp+var_8]
		mov	eax, offset _ExpSvmDeviceListLock

loc_68BA18:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+49j
		lock bts dword ptr [eax], 0
		jnb	short loc_68BA29
		push	eax
		mov	edx, edi
		mov	ecx, eax
		call	ExfAcquirePushLockExclusiveEx

loc_68BA29:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+185j
		test	edi, edi
		jz	short loc_68BA31
		or	byte ptr [edi+0Eh], 1

loc_68BA31:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+193j
		mov	eax, ds:_ExpSvmDevices
		mov	edi, offset _ExpSvmDevices
		cmp	eax, edi
		jz	short loc_68BA62
		mov	edx, [ebx+8]

loc_68BA42:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+1B5j
		lea	ecx, [eax]
		cmp	[eax+8], edx
		jz	short loc_68BA4F
		mov	eax, [eax]
		cmp	eax, edi
		jnz	short loc_68BA42

loc_68BA4F:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+1AFj
		push	dword ptr [ebx+0Ch]
		mov	eax, ds:_HalIommuDispatch
		push	dword ptr [ecx+3Ch]
		call	dword ptr [eax+44h]
		mov	[ebp+var_10], eax
		jmp	short loc_68BA69
; 

loc_68BA62:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+1A5j
		mov	[ebp+var_10], 0C000000Eh

loc_68BA69:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+1C8j
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _ExpSvmDeviceListLock
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_68BA8A
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _ExpSvmDeviceListLock

loc_68BA8A:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+1E3j
		xor	edi, edi
		mov	[ebp+var_8], edi
		test	esi, esi
		jz	loc_68BC24
		mov	esi, large fs:124h
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], eax
		cmp	eax, offset _ExpSvmDeviceListLock
		ja	short loc_68BAE1
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68BAD1
		mov	eax, [ebp+var_30]
		cmp	eax, offset _ExpSvmDeviceListLock
		ja	short loc_68BAE1
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_68BAE1

loc_68BAD1:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+224j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_C], edx

loc_68BAE1:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+219j
					; ExSvmBeginDeviceReset(x,x)+22Ej ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _ExpSvmDeviceListLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_68BB2F
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_68BB95
		mov	eax, [ebp+var_C]
		push	ecx
		push	eax
		mov	eax, offset _ExpSvmDeviceListLock
		push	eax
		push	esi
		push	162h
		jmp	loc_68B91D
; 

loc_68BB2F:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+275j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_68BB45
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_68BB45:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+2A3j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_8], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_68BB89
		or	[esi+1E4h], dl
		jmp	short loc_68BB95
; 

loc_68BB89:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+2E7j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_34]

loc_68BB95:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+27Fj
					; ExSvmBeginDeviceReset(x,x)+2EFj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jz	short loc_68BBFE
		test	edi, 8000h
		jz	short loc_68BBB9
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68BBB9:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+316j
		test	byte ptr [ebp+var_8+2],	1
		jz	short loc_68BBCF
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_68BBCF:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+325j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_68BBE3
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_68BBE3:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+33Ej
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68BBFE
		push	[ebp+var_34]
		mov	edx, offset _ExpSvmDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_68BBFE:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+30Ej
					; ExSvmBeginDeviceReset(x,x)+355j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_68BC24
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68BC24
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68BC24:				; CODE XREF: ExSvmBeginDeviceReset(x,x)+1F9j
					; ExSvmBeginDeviceReset(x,x)+37Dj ...
		mov	ecx, [ebp+var_38]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_10]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_ExSvmBeginDeviceReset@8 endp ;	sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExSvmDevicePowerCallback(x,	x, x)
_ExSvmDevicePowerCallback@12 proc near	; DATA XREF: ExpPrepareNewSvmDevice(x,x,x,x)+16Do

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 1
		setz	al
		movzx	eax, al
		push	eax
		push	[ebp+arg_8]
		mov	eax, ds:_HalIommuDispatch
		push	ds:_ExpSvmIommuSystemContext
		call	dword ptr [eax+40h]
		pop	ebp
		retn	0Ch
_ExSvmDevicePowerCallback@12 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 441. ExSvmFinalizeDeviceReset

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExSvmFinalizeDeviceReset(x)
		public _ExSvmFinalizeDeviceReset@4
_ExSvmFinalizeDeviceReset@4 proc near

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	[ebp+var_38], eax
		dec	word ptr [eax+13Eh]
		nop
		mov	eax, offset _ExpSvmDeviceListLock
		mov	[ebp+var_C], 0FFFFFFFFh
		xor	edi, edi
		mov	esi, eax
		and	esi, 7FFFFFFCh
		mov	[ebp+var_18], edi
		mov	[ebp+var_8], esi
		jz	loc_68BDE4
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_68BCEE
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		mov	eax, offset _ExpSvmDeviceListLock
		push	eax
		push	esi
		push	192h

loc_68BCE9:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+28Fj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68BCEE:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+6Cj
		mov	dl, [esi+1E4h]
		mov	[ebp+var_14], edi
		test	dl, dl
		jnz	short loc_68BD11
		lea	ecx, [esi+222h]
		cmp	[ecx], dl
		jz	short loc_68BD3D
		xor	al, al
		xchg	al, [ecx]
		mov	dl, [esi+1E4h]
		or	dl, al

loc_68BD11:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+95j
		movzx	eax, dl
		bsf	ecx, eax
		mov	al, 1
		shl	al, cl
		imul	edi, ecx, 30h
		not	al
		and	al, dl
		mov	[ebp+var_14], ecx
		mov	[esi+1E4h], al
		add	edi, [esi+1E8h]
		jnz	short loc_68BD54

loc_68BD33:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+E3j
					; ExSvmFinalizeDeviceReset(x)+EEj
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_68BD9F
; 

loc_68BD3D:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+9Fj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68BD33
		mov	edx, eax
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_68BD33
; 

loc_68BD54:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+CDj
		mov	edx, ds:dword_6D07D0
		mov	eax, offset _ExpSvmDeviceListLock
		mov	ecx, eax
		shr	ecx, 15h
		cmp	edx, eax
		ja	short loc_68BD85
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68BD8A
		mov	eax, offset _ExpSvmDeviceListLock
		cmp	edx, eax
		ja	short loc_68BD85
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_68BD8A

loc_68BD85:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+102j
					; ExSvmFinalizeDeviceReset(x)+116j
		or	eax, 0FFFFFFFFh
		jmp	short loc_68BD95
; 

loc_68BD8A:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+10Dj
					; ExSvmFinalizeDeviceReset(x)+11Fj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_68BD95:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+124j
		mov	[edi+14h], eax
		nop
		mov	eax, [ebp+var_8]
		mov	[edi+10h], eax

loc_68BD9F:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+D7j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_18]
		push	eax
		mov	edx, offset _ExpSvmDeviceListLock
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_68BDDC
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68BDDC
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68BDDC:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+169j
					; ExSvmFinalizeDeviceReset(x)+171j
		mov	esi, [ebp+var_8]
		mov	eax, offset _ExpSvmDeviceListLock

loc_68BDE4:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+49j
		lock bts dword ptr [eax], 0
		jnb	short loc_68BDF5
		push	eax
		mov	edx, edi
		mov	ecx, eax
		call	ExfAcquirePushLockExclusiveEx

loc_68BDF5:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+185j
		test	edi, edi
		jz	short loc_68BDFD
		or	byte ptr [edi+0Eh], 1

loc_68BDFD:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+193j
		mov	eax, ds:_ExpSvmDevices
		mov	edi, offset _ExpSvmDevices
		cmp	eax, edi
		jz	short loc_68BE2B
		mov	edx, [ebx+8]

loc_68BE0E:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+1B5j
		lea	ecx, [eax]
		cmp	[eax+8], edx
		jz	short loc_68BE1B
		mov	eax, [eax]
		cmp	eax, edi
		jnz	short loc_68BE0E

loc_68BE1B:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+1AFj
		mov	eax, ds:_HalIommuDispatch
		push	dword ptr [ecx+3Ch]
		call	dword ptr [eax+48h]
		mov	[ebp+var_10], eax
		jmp	short loc_68BE32
; 

loc_68BE2B:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+1A5j
		mov	[ebp+var_10], 0C000000Eh

loc_68BE32:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+1C5j
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _ExpSvmDeviceListLock
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_68BE53
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _ExpSvmDeviceListLock

loc_68BE53:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+1E0j
		xor	edi, edi
		mov	[ebp+var_8], edi
		test	esi, esi
		jz	loc_68BFED
		mov	esi, large fs:124h
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], eax
		cmp	eax, offset _ExpSvmDeviceListLock
		ja	short loc_68BEAA
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68BE9A
		mov	eax, [ebp+var_30]
		cmp	eax, offset _ExpSvmDeviceListLock
		ja	short loc_68BEAA
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_68BEAA

loc_68BE9A:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+221j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_C], edx

loc_68BEAA:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+216j
					; ExSvmFinalizeDeviceReset(x)+22Bj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _ExpSvmDeviceListLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_68BEF8
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	short loc_68BF5E
		mov	eax, [ebp+var_C]
		push	ecx
		push	eax
		mov	eax, offset _ExpSvmDeviceListLock
		push	eax
		push	esi
		push	162h
		jmp	loc_68BCE9
; 

loc_68BEF8:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+272j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_68BF0E
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_68BF0E:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+2A0j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_8], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	short loc_68BF52
		or	[esi+1E4h], dl
		jmp	short loc_68BF5E
; 

loc_68BF52:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+2E4j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_34]

loc_68BF5E:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+27Cj
					; ExSvmFinalizeDeviceReset(x)+2ECj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jz	short loc_68BFC7
		test	edi, 8000h
		jz	short loc_68BF82
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68BF82:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+313j
		test	byte ptr [ebp+var_8+2],	1
		jz	short loc_68BF98
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_68BF98:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+322j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_68BFAC
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_68BFAC:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+33Bj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68BFC7
		push	[ebp+var_34]
		mov	edx, offset _ExpSvmDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_68BFC7:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+30Bj
					; ExSvmFinalizeDeviceReset(x)+352j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_68BFED
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68BFED
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68BFED:				; CODE XREF: ExSvmFinalizeDeviceReset(x)+1F6j
					; ExSvmFinalizeDeviceReset(x)+37Aj ...
		mov	ecx, [ebp+var_38]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_10]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
_ExSvmFinalizeDeviceReset@4 endp ; sp =	 4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpAllocateAsid()
_ExpAllocateAsid@0 proc	near		; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+241p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+20h+var_C]
		stosd
		lea	edx, [esp+20h+var_C]
		mov	ecx, offset dword_6BBB10
		stosd
		stosd
		mov	eax, large fs:124h
		mov	ebx, [eax+80h]
		mov	[esp+20h+var_10], ebx
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, ds:dword_6BBB04
		xor	edi, edi
		mov	esi, ecx
		inc	edi
		mov	edx, esi
		cmp	esi, ds:dword_6BBB08
		jnz	loc_68C1EF

loc_68C051:				; CODE XREF: ExpAllocateAsid()+1E2j
		cmp	esi, ds:_ExpSvmAgents
		jz	loc_68C209
		test	ds:byte_70EFC6,	1
		jz	short loc_68C074
		mov	edx, [ebp+4]
		lea	ecx, [esp+20h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68C0A5
; 

loc_68C074:				; CODE XREF: ExpAllocateAsid()+61j
		mov	eax, [esp+20h+var_C]
		test	eax, eax
		jnz	short loc_68C097
		mov	edx, [esp+20h+var_8]
		lea	eax, [esp+20h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+20h+var_C]
		cmp	eax, ecx
		jz	short loc_68C0A5
		call	KxWaitForLockChainValid

loc_68C097:				; CODE XREF: ExpAllocateAsid()+77j
		mov	[esp+20h+var_C], 0
		add	eax, 4
		lock xor [eax],	edi

loc_68C0A5:				; CODE XREF: ExpAllocateAsid()+6Fj
					; ExpAllocateAsid()+8Dj
		mov	cl, [esp+20h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	edi, [esi+8]
		cmp	edi, esi
		ja	short loc_68C0BE
		mov	edi, ds:_ExpSvmAgents
		jmp	short loc_68C0C9
; 

loc_68C0BE:				; CODE XREF: ExpAllocateAsid()+B1j
		mov	eax, ds:_ExpSvmAgents
		cmp	edi, eax
		jbe	short loc_68C0C9
		mov	edi, eax

loc_68C0C9:				; CODE XREF: ExpAllocateAsid()+B9j
					; ExpAllocateAsid()+C2j
		mov	eax, large fs:20h
		mov	edx, edi
		push	0
		shl	edx, 3
		mov	ecx, 200h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	73417845h
		call	ExpAllocatePoolWithTagFromNode
		mov	ebx, eax
		mov	[esp+20h+var_14], ebx
		test	ebx, ebx
		jz	loc_68C25B
		lea	edx, [esp+20h+var_C]
		mov	ecx, offset dword_6BBB10
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		cmp	esi, ds:dword_6BBB04
		jnz	short loc_68C164
		mov	ebx, ds:dword_6BBB0C
		test	ebx, ebx
		jz	short loc_68C139
		mov	eax, esi
		shl	eax, 3
		push	eax		; size_t
		push	ebx		; void *
		push	[esp+28h+var_14] ; void	*
		call	_memcpy
		add	esp, 0Ch

loc_68C139:				; CODE XREF: ExpAllocateAsid()+121j
		mov	eax, edi
		sub	eax, esi
		shl	eax, 3
		push	eax		; size_t
		mov	eax, [esp+24h+var_14]
		push	0		; int
		lea	eax, [eax+esi*8]
		push	eax		; void *
		call	_memset
		mov	eax, [esp+2Ch+var_14]
		mov	ecx, edi
		add	esp, 0Ch
		mov	ds:dword_6BBB0C, eax
		mov	ds:dword_6BBB04, ecx

loc_68C164:				; CODE XREF: ExpAllocateAsid()+117j
		test	ebx, ebx
		jz	short loc_68C1D2
		test	ds:byte_70EFC6,	1
		jz	short loc_68C17F
		mov	edx, [ebp+4]
		lea	ecx, [esp+20h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68C1B3
; 

loc_68C17F:				; CODE XREF: ExpAllocateAsid()+16Cj
		mov	eax, [esp+20h+var_C]
		test	eax, eax
		jnz	short loc_68C1A2
		mov	edx, [esp+20h+var_8]
		lea	eax, [esp+20h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+20h+var_C]
		cmp	eax, ecx
		jz	short loc_68C1B3
		call	KxWaitForLockChainValid

loc_68C1A2:				; CODE XREF: ExpAllocateAsid()+182j
		xor	ecx, ecx
		mov	[esp+20h+var_C], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_68C1B3:				; CODE XREF: ExpAllocateAsid()+17Aj
					; ExpAllocateAsid()+198j
		mov	cl, [esp+20h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, ebx
		call	ExFreeHeapPool
		lea	edx, [esp+20h+var_C]
		mov	ecx, offset dword_6BBB10
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)

loc_68C1D2:				; CODE XREF: ExpAllocateAsid()+163j
		mov	ecx, ds:dword_6BBB04
		mov	esi, ecx
		mov	edx, esi
		push	1
		pop	edi
		cmp	esi, ds:dword_6BBB08
		jz	loc_68C051
		mov	ebx, [esp+20h+var_10]

loc_68C1EF:				; CODE XREF: ExpAllocateAsid()+48j
		mov	eax, ds:dword_6BBB0C
		xor	esi, esi
		test	edx, edx
		jz	short loc_68C264

loc_68C1FA:				; CODE XREF: ExpAllocateAsid()+202j
		cmp	dword ptr [eax], 0
		jz	short loc_68C25F
		add	eax, 8
		inc	esi
		cmp	esi, ecx
		jb	short loc_68C1FA
		jmp	short loc_68C264
; 

loc_68C209:				; CODE XREF: ExpAllocateAsid()+54j
		test	ds:byte_70EFC6,	1
		jz	short loc_68C220
		mov	edx, [ebp+4]
		lea	ecx, [esp+20h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68C251
; 

loc_68C220:				; CODE XREF: ExpAllocateAsid()+20Dj
		mov	eax, [esp+20h+var_C]
		test	eax, eax
		jnz	short loc_68C243
		mov	edx, [esp+20h+var_8]
		lea	eax, [esp+20h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+20h+var_C]
		cmp	eax, ecx
		jz	short loc_68C251
		call	KxWaitForLockChainValid

loc_68C243:				; CODE XREF: ExpAllocateAsid()+223j
		mov	[esp+20h+var_C], 0
		add	eax, 4
		lock xor [eax],	edi

loc_68C251:				; CODE XREF: ExpAllocateAsid()+21Bj
					; ExpAllocateAsid()+239j
		mov	cl, [esp+20h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_68C25B:				; CODE XREF: ExpAllocateAsid()+FDj
		xor	eax, eax
		jmp	short loc_68C2BF
; 

loc_68C25F:				; CODE XREF: ExpAllocateAsid()+1FAj
		mov	[eax+4], edi
		mov	[eax], ebx

loc_68C264:				; CODE XREF: ExpAllocateAsid()+1F5j
					; ExpAllocateAsid()+204j
		inc	ds:dword_6BBB08
		test	ds:byte_70EFC6,	1
		jz	short loc_68C281
		mov	edx, [ebp+4]
		lea	ecx, [esp+20h+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68C2B2
; 

loc_68C281:				; CODE XREF: ExpAllocateAsid()+26Ej
		mov	eax, [esp+20h+var_C]
		test	eax, eax
		jnz	short loc_68C2A4
		mov	edx, [esp+20h+var_8]
		lea	eax, [esp+20h+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+20h+var_C]
		cmp	eax, ecx
		jz	short loc_68C2B2
		call	KxWaitForLockChainValid

loc_68C2A4:				; CODE XREF: ExpAllocateAsid()+284j
		mov	[esp+20h+var_C], 0
		add	eax, 4
		lock xor [eax],	edi

loc_68C2B2:				; CODE XREF: ExpAllocateAsid()+27Cj
					; ExpAllocateAsid()+29Aj
		mov	cl, [esp+20h+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [esi+1]

loc_68C2BF:				; CODE XREF: ExpAllocateAsid()+25Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_ExpAllocateAsid@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpFreeAsid(x)
_ExpFreeAsid@4	proc near		; CODE XREF: ExFreeSvmAsid+D04B0p
					; ExpAssignPasid(x,x)+2Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, offset dword_6BBB10
		stosd
		stosd
		mov	eax, large fs:124h
		mov	edi, [eax+80h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, ds:dword_6BBB0C
		push	1
		pop	ebx
		sub	dword ptr [ecx+esi*8+4], 1
		mov	eax, [ecx+esi*8+4]
		jnz	short loc_68C316
		and	dword ptr [ecx+esi*8], 0
		mov	esi, ebx
		dec	ds:dword_6BBB08
		jmp	short loc_68C321
; 

loc_68C316:				; CODE XREF: ExpFreeAsid(x)+40j
		or	eax, 80000000h
		mov	[ecx+esi*8+4], eax
		xor	esi, esi

loc_68C321:				; CODE XREF: ExpFreeAsid(x)+4Ej
		test	ds:byte_70EFC6,	1
		jz	short loc_68C337
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68C363
; 

loc_68C337:				; CODE XREF: ExpFreeAsid(x)+62j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_68C356
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_68C363
		call	KxWaitForLockChainValid

loc_68C356:				; CODE XREF: ExpFreeAsid(x)+76j
		mov	[ebp+var_C], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_68C363:				; CODE XREF: ExpFreeAsid(x)+6Fj
					; ExpFreeAsid(x)+89j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	esi, ebx
		jnz	short loc_68C377
		mov	ecx, edi
		call	ObfDereferenceObject

loc_68C377:				; CODE XREF: ExpFreeAsid(x)+A8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpFreeAsid@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpPrepareNewSvmDevice(x, x, x, x)
_ExpPrepareNewSvmDevice@16 proc	near	; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+534p

var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+30h+var_1C], edx
		mov	edx, [ebp+arg_4]
		lea	edi, [esp+30h+var_10]
		stosd
		mov	[esp+30h+var_18], ecx
		mov	ecx, [ebp+arg_0]
		mov	[esp+30h+var_20], ecx
		stosd
		mov	[esp+30h+var_14], edx
		stosd
		lea	eax, [esp+30h+var_24]
		xor	edi, edi
		push	eax
		push	edi
		push	edi
		mov	[edx], edi
		push	dword ptr [ecx+4]
		mov	[esp+40h+var_24], edi
		call	dword ptr [ecx+20h]
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_68C3E5
		test	esi, esi
		js	loc_68C55A

loc_68C3DB:				; CODE XREF: ExpPrepareNewSvmDevice(x,x,x,x)+6Fj
		mov	esi, 0C0000001h
		jmp	loc_68C55A
; 

loc_68C3E5:				; CODE XREF: ExpPrepareNewSvmDevice(x,x,x,x)+55j
		mov	eax, [esp+40h+var_34]
		test	eax, eax
		jz	short loc_68C3DB
		lea	esi, [eax+40h]
		mov	ecx, 200h
		mov	eax, large fs:20h
		mov	edx, esi
		push	edi
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	65447845h
		call	ExpAllocatePoolWithTagFromNode
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_68C42B
		mov	esi, 0C000009Ah
		jmp	loc_68C55A
; 

loc_68C42B:				; CODE XREF: ExpPrepareNewSvmDevice(x,x,x,x)+A3j
		push	esi		; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [esp+4Ch+var_28]
		lea	edi, [ebx+10h]
		mov	esi, [esp+4Ch+var_30]
		add	esp, 0Ch
		mov	[ebx+8], eax
		lea	eax, [ebx+40h]
		mov	dword ptr [ebx+0Ch], 1
		push	0Ah
		pop	ecx
		push	0
		rep movsd
		push	eax
		mov	[ebx+38h], eax
		push	[esp+48h+var_34]
		push	dword ptr [ebx+14h]
		call	dword ptr [ebx+30h]
		mov	esi, eax
		test	esi, esi
		js	loc_68C538
		mov	eax, [ebx+20h]
		test	eax, eax
		jnz	short loc_68C47E
		mov	esi, 0C00000BBh
		jmp	loc_68C538
; 

loc_68C47E:				; CODE XREF: ExpPrepareNewSvmDevice(x,x,x,x)+F6j
		lea	ecx, [esp+50h+var_30]
		push	ecx
		push	dword ptr [ebx+14h]
		call	eax
		mov	esi, eax
		test	esi, esi
		js	loc_68C538
		mov	eax, [esp+58h+var_38]
		and	eax, 7
		cmp	al, 7
		jnz	loc_68C52F
		mov	ecx, [esp+58h+var_34]
		xor	eax, eax
		and	ecx, 1Fh
		inc	eax
		shl	eax, cl
		cmp	eax, ds:_ExpSvmAgents
		jb	short loc_68C52F
		lock inc ds:_ExTbFlushActive
		lea	edi, [ebx+3Ch]
		push	edi
		lea	eax, [esp+5Ch+var_38]
		push	eax
		push	dword ptr [ebx+38h]
		mov	eax, ds:_HalIommuDispatch
		push	[esp+64h+var_44]
		call	dword ptr [eax+0Ch]
		mov	esi, eax
		test	esi, esi
		jns	short loc_68C4E3
		lock dec ds:_ExTbFlushActive
		jmp	short loc_68C534
; 

loc_68C4E3:				; CODE XREF: ExpPrepareNewSvmDevice(x,x,x,x)+15Cj
		push	dword ptr [edi]
		lea	eax, [esp+6Ch+var_48]
		push	offset _ExSvmDevicePowerCallback@12 ; ExSvmDevicePowerCallback(x,x,x)
		push	eax
		push	dword ptr [ebx+14h]
		call	dword ptr [ebx+24h]
		mov	esi, eax
		test	esi, esi
		js	short loc_68C538
		mov	eax, [esp+78h+var_68]
		push	dword ptr [eax+4]
		call	dword ptr [eax+8]
		mov	eax, ds:_ExpSvmDevices
		mov	ecx, offset _ExpSvmDevices
		cmp	[eax+4], ecx
		jz	short loc_68C519
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_68C519:				; CODE XREF: ExpPrepareNewSvmDevice(x,x,x,x)+196j
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[eax+4], ebx
		mov	eax, [esp+7Ch+var_60]
		mov	ds:_ExpSvmDevices, ebx
		mov	[eax], ebx
		jmp	short loc_68C534
; 

loc_68C52F:				; CODE XREF: ExpPrepareNewSvmDevice(x,x,x,x)+11Fj
					; ExpPrepareNewSvmDevice(x,x,x,x)+137j
		mov	esi, 0C00000EFh

loc_68C534:				; CODE XREF: ExpPrepareNewSvmDevice(x,x,x,x)+165j
					; ExpPrepareNewSvmDevice(x,x,x,x)+1B1j
		test	esi, esi
		jns	short loc_68C55A

loc_68C538:				; CODE XREF: ExpPrepareNewSvmDevice(x,x,x,x)+EBj
					; ExpPrepareNewSvmDevice(x,x,x,x)+FDj ...
		mov	eax, [ebx+3Ch]
		test	eax, eax
		jz	short loc_68C553
		push	eax
		mov	eax, ds:_HalIommuDispatch
		push	[esp+5Ch+var_44]
		call	dword ptr [eax+1Ch]
		lock dec ds:_ExTbFlushActive

loc_68C553:				; CODE XREF: ExpPrepareNewSvmDevice(x,x,x,x)+1C1j
		mov	ecx, ebx
		call	ExFreeHeapPool

loc_68C55A:				; CODE XREF: ExpPrepareNewSvmDevice(x,x,x,x)+59j
					; ExpPrepareNewSvmDevice(x,x,x,x)+64j ...
		mov	ecx, [esp+60h+var_34]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_ExpPrepareNewSvmDevice@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSvmDereferenceAsid(x)
_ExpSvmDereferenceAsid@4 proc near	; DATA XREF: ExpInitializeSvm+A9o

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		mov	ecx, offset dword_6BBB10
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [ebp+arg_0]
		mov	edx, ds:dword_6BBB0C
		pop	edi
		dec	dword ptr [edx+ecx*8+4]
		cmp	dword ptr [edx+ecx*8+4], 80000000h
		jnz	short loc_68C5B7
		and	dword ptr [edx+ecx*8], 0
		xor	ecx, ecx
		call	ObfDereferenceObject
		dec	ds:dword_6BBB08

loc_68C5B7:				; CODE XREF: ExpSvmDereferenceAsid(x)+34j
		lea	ecx, [ebp+var_C]
		call	KeReleaseInStackQueuedSpinLock
		leave
		retn	4
_ExpSvmDereferenceAsid@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSvmDereferenceDevice(x)
_ExpSvmDereferenceDevice@4 proc	near	; CODE XREF: ExFreeSvmAsid+D048Ap
					; ExShareAddressSpaceWithDevice(x,x)+8B6p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	esi, ecx
		mov	[ebp+var_1C], esi
		stosd
		stosd
		mov	eax, large fs:124h
		xor	edi, edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_34], eax
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, offset _ExpSvmDeviceListLock
		mov	[ebp+var_30], edi
		mov	eax, ecx
		push	0FFFFFFFFh
		and	eax, 7FFFFFFCh
		pop	edx
		mov	[ebp+var_18], eax
		mov	[ebp+var_24], edx
		jz	loc_68C74A
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_68C665
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		mov	eax, offset _ExpSvmDeviceListLock
		push	eax
		push	esi
		push	192h

loc_68C660:				; CODE XREF: ExpSvmDereferenceDevice(x)+2BCj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68C665:				; CODE XREF: ExpSvmDereferenceDevice(x)+84j
		mov	cl, [esi+1E4h]
		mov	[ebp+var_2C], edi
		test	cl, cl
		jnz	short loc_68C689
		lea	ecx, [esi+222h]
		cmp	byte ptr [ecx],	0
		jz	short loc_68C6B0
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al

loc_68C689:				; CODE XREF: ExpSvmDereferenceDevice(x)+ADj
		movzx	ecx, cl
		bsf	eax, ecx
		imul	edi, eax, 30h
		btr	ecx, eax
		mov	[ebp+var_2C], eax
		mov	[esi+1E4h], cl
		add	edi, [esi+1E8h]
		jnz	short loc_68C6CA

loc_68C6A6:				; CODE XREF: ExpSvmDereferenceDevice(x)+F7j
					; ExpSvmDereferenceDevice(x)+105j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_68C713
; 

loc_68C6B0:				; CODE XREF: ExpSvmDereferenceDevice(x)+B8j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68C6A6
		mov	edx, offset _ExpSvmDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_68C6A6
; 

loc_68C6CA:				; CODE XREF: ExpSvmDereferenceDevice(x)+E1j
		mov	ecx, ds:dword_6D07D0
		mov	eax, offset _ExpSvmDeviceListLock
		shr	eax, 15h
		cmp	ecx, offset _ExpSvmDeviceListLock
		ja	short loc_68C707
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68C6FA
		cmp	ecx, offset _ExpSvmDeviceListLock
		ja	short loc_68C707
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_68C707

loc_68C6FA:				; CODE XREF: ExpSvmDereferenceDevice(x)+124j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_68C709
; 

loc_68C707:				; CODE XREF: ExpSvmDereferenceDevice(x)+11Bj
					; ExpSvmDereferenceDevice(x)+12Cj ...
		mov	eax, edx

loc_68C709:				; CODE XREF: ExpSvmDereferenceDevice(x)+142j
		mov	[edi+14h], eax
		nop
		mov	eax, [ebp+var_18]
		mov	[edi+10h], eax

loc_68C713:				; CODE XREF: ExpSvmDereferenceDevice(x)+EBj
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_30]
		push	eax
		mov	edx, offset _ExpSvmDeviceListLock
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_68C742
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68C742
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68C742:				; CODE XREF: ExpSvmDereferenceDevice(x)+170j
					; ExpSvmDereferenceDevice(x)+178j
		mov	esi, [ebp+var_1C]
		mov	ecx, offset _ExpSvmDeviceListLock

loc_68C74A:				; CODE XREF: ExpSvmDereferenceDevice(x)+61j
		lock bts dword ptr [ecx], 0
		jnb	short loc_68C759
		push	ecx
		mov	edx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_68C759:				; CODE XREF: ExpSvmDereferenceDevice(x)+18Cj
		test	edi, edi
		jz	short loc_68C761
		or	byte ptr [edi+0Eh], 1

loc_68C761:				; CODE XREF: ExpSvmDereferenceDevice(x)+198j
		sub	dword ptr [esi+0Ch], 1
		jnz	short loc_68C7BC
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], 7
		push	eax
		push	dword ptr [esi+14h]
		call	dword ptr [esi+28h]
		push	dword ptr [esi+3Ch]
		mov	eax, ds:_HalIommuDispatch
		push	ds:_ExpSvmIommuSystemContext
		call	dword ptr [eax+1Ch]
		mov	[ebp+var_28], eax
		lock dec ds:_ExTbFlushActive
		mov	edx, [esi]
		cmp	[edx+4], esi
		jnz	loc_68C884
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_68C884
		mov	[ecx], edx
		mov	[edx+4], ecx
		push	dword ptr [esi+14h]
		call	dword ptr [esi+1Ch]
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_68C7BC:				; CODE XREF: ExpSvmDereferenceDevice(x)+1A2j
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _ExpSvmDeviceListLock
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_68C7DD
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _ExpSvmDeviceListLock

loc_68C7DD:				; CODE XREF: ExpSvmDereferenceDevice(x)+20Bj
		xor	edi, edi
		mov	[ebp+var_1C], edi
		cmp	[ebp+var_18], edi
		jz	loc_68C976
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	ecx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_20], esi
		cmp	ecx, offset _ExpSvmDeviceListLock
		ja	short loc_68C832
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68C822
		cmp	ecx, offset _ExpSvmDeviceListLock
		ja	short loc_68C832
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_68C832

loc_68C822:				; CODE XREF: ExpSvmDereferenceDevice(x)+24Cj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_24], eax

loc_68C832:				; CODE XREF: ExpSvmDereferenceDevice(x)+243j
					; ExpSvmDereferenceDevice(x)+254j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _ExpSvmDeviceListLock
		mov	[ebp+var_11], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jnz	short loc_68C889
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_68C8FB
		mov	edx, [ebp+var_24]
		mov	eax, offset _ExpSvmDeviceListLock
		push	ecx
		push	edx
		push	eax
		push	esi
		push	162h
		jmp	loc_68C660
; 

loc_68C884:				; CODE XREF: ExpSvmDereferenceDevice(x)+1D5j
					; ExpSvmDereferenceDevice(x)+1E0j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_68C889:				; CODE XREF: ExpSvmDereferenceDevice(x)+29Bj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_68C89F
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_18]

loc_68C89F:				; CODE XREF: ExpSvmDereferenceDevice(x)+2D2j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_1C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[ebp+var_11], 1
		mov	edx, eax
		jnz	short loc_68C8E9
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_68C8FB
; 

loc_68C8E9:				; CODE XREF: ExpSvmDereferenceDevice(x)+312j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_20]

loc_68C8FB:				; CODE XREF: ExpSvmDereferenceDevice(x)+2A5j
					; ExpSvmDereferenceDevice(x)+324j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_20], eax
		jz	short loc_68C95E
		test	edi, 8000h
		jz	short loc_68C91F
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68C91F:				; CODE XREF: ExpSvmDereferenceDevice(x)+351j
		test	byte ptr [ebp+var_1C+2], 1
		jz	short loc_68C92F
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68C92F:				; CODE XREF: ExpSvmDereferenceDevice(x)+360j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_68C943
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_68C943:				; CODE XREF: ExpSvmDereferenceDevice(x)+373j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68C95E
		push	[ebp+var_20]
		mov	edx, offset _ExpSvmDeviceListLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_68C95E:				; CODE XREF: ExpSvmDereferenceDevice(x)+349j
					; ExpSvmDereferenceDevice(x)+38Aj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_68C976
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68C976
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68C976:				; CODE XREF: ExpSvmDereferenceDevice(x)+222j
					; ExpSvmDereferenceDevice(x)+3A4j ...
		mov	ecx, [ebp+var_34]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_28]
		xor	ecx, ebp
		pop	edi
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_ExpSvmDereferenceDevice@4 endp	; sp =	4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSvmDpcRoutine(x,	x, x, x)
_ExpSvmDpcRoutine@16 proc near		; DATA XREF: ExpInitializeSvm+67o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		imul	eax, [ebp+arg_4], 34h
		push	2
		add	eax, ds:_ExpSvmWorkQueues
		push	eax
		call	ExQueueWorkItem
		pop	ebp
		retn	10h
_ExpSvmDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSvmFaultRoutine(x)
_ExpSvmFaultRoutine@4 proc near		; DATA XREF: ExpInitializeSvm+9Bo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, ds:_ExpSvmWorkQueues
		xor	edx, edx
		push	esi
		imul	esi, [ebp+arg_0], 34h
		add	ecx, 30h
		inc	edx
		xor	eax, eax
		add	ecx, esi
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	short loc_68C9E6
		mov	ecx, ds:_ExpSvmWorkQueues
		xor	edx, edx
		push	eax
		push	eax
		add	ecx, 10h
		push	eax
		add	ecx, esi
		call	KiInsertQueueDpc

loc_68C9E6:				; CODE XREF: ExpSvmFaultRoutine(x)+20j
		pop	esi
		pop	ebp
		retn	4
_ExpSvmFaultRoutine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSvmReferenceAsid(x)
_ExpSvmReferenceAsid@4 proc near	; DATA XREF: ExpInitializeSvm+A2o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		mov	ecx, offset dword_6BBB10
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	ebx, ds:dword_6BBB04
		mov	edx, ds:dword_6BBB0C
		cmp	ecx, ebx
		jnb	short loc_68CA97
		mov	esi, [edx+ecx*8]
		test	esi, esi
		jz	short loc_68CA91
		mov	edi, [edx+ecx*8+4]
		test	edi, edi
		js	short loc_68CA91
		lea	eax, [edi+1]
		mov	[edx+ecx*8+4], eax
		test	ds:byte_70EFC6,	1
		jz	short loc_68CA4C
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68CA7B
; 

loc_68CA4C:				; CODE XREF: ExpSvmReferenceAsid(x)+52j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_68CA6B
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_68CA7B
		call	KxWaitForLockChainValid

loc_68CA6B:				; CODE XREF: ExpSvmReferenceAsid(x)+66j
		xor	edx, edx
		mov	[ebp+var_C], 0
		inc	edx
		lea	ecx, [eax+4]
		lock xor [ecx],	edx

loc_68CA7B:				; CODE XREF: ExpSvmReferenceAsid(x)+5Fj
					; ExpSvmReferenceAsid(x)+79j
		mov	cl, [ebp+var_4]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [esi+3B0h]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_68CA91:				; CODE XREF: ExpSvmReferenceAsid(x)+3Aj
					; ExpSvmReferenceAsid(x)+42j
		mov	esi, [edx+ecx*8+4]
		jmp	short loc_68CA99
; 

loc_68CA97:				; CODE XREF: ExpSvmReferenceAsid(x)+33j
		mov	esi, eax

loc_68CA99:				; CODE XREF: ExpSvmReferenceAsid(x)+AAj
		cmp	ecx, ebx
		jnb	short loc_68CAA0
		mov	eax, [edx+ecx*8]

loc_68CAA0:				; CODE XREF: ExpSvmReferenceAsid(x)+B0j
		push	esi
		push	eax
		push	ebx
		push	ecx
		push	158h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_ExpSvmReferenceAsid@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSvmServicePageFault(x, x, x)
_ExpSvmServicePageFault@12 proc	near	; DATA XREF: ExpInitializeSvm+B0o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		lea	edx, [esp+2Ch+var_2C]
		push	ebx
		push	esi
		push	edi
		mov	esi, [ebp+arg_8]
		lea	edi, [esp+38h+var_1C]
		mov	[esp+38h+var_20], eax
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		lea	edi, [esp+38h+var_2C]
		mov	ecx, offset dword_6BBB10
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	edi, [eax+80h]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	eax, ds:dword_6BBB0C
		xor	ebx, ebx
		inc	ebx
		mov	esi, [eax+esi*8]
		test	ds:byte_70EFC6,	bl
		jz	short loc_68CB1E
		mov	edx, [ebp+4]
		lea	ecx, [esp+38h+var_2C]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68CB4F
; 

loc_68CB1E:				; CODE XREF: ExpSvmServicePageFault(x,x,x)+5Fj
		mov	eax, [esp+38h+var_2C]
		test	eax, eax
		jnz	short loc_68CB41
		mov	edx, [esp+38h+var_28]
		lea	eax, [esp+38h+var_2C]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [esp+38h+var_2C]
		cmp	eax, ecx
		jz	short loc_68CB4F
		call	KxWaitForLockChainValid

loc_68CB41:				; CODE XREF: ExpSvmServicePageFault(x,x,x)+75j
		mov	[esp+38h+var_2C], 0
		add	eax, 4
		lock xor [eax],	ebx

loc_68CB4F:				; CODE XREF: ExpSvmServicePageFault(x,x,x)+6Dj
					; ExpSvmServicePageFault(x,x,x)+8Bj
		mov	cl, [esp+38h+var_24]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	bl, bl
		cmp	edi, esi
		jz	short loc_68CB6F
		lea	eax, [esp+38h+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	KiStackAttachProcess
		inc	bl

loc_68CB6F:				; CODE XREF: ExpSvmServicePageFault(x,x,x)+AEj
		test	byte ptr [ebp+arg_0], 8
		jz	short loc_68CB7C
		mov	esi, 0C0000005h
		jmp	short loc_68CB9B
; 

loc_68CB7C:				; CODE XREF: ExpSvmServicePageFault(x,x,x)+C4j
		mov	eax, [ebp+arg_0]
		and	eax, 2
		test	byte ptr [ebp+arg_0], 4
		jz	short loc_68CB8B
		or	eax, 10h

loc_68CB8B:				; CODE XREF: ExpSvmServicePageFault(x,x,x)+D7j
		push	0
		push	1
		push	[esp+40h+var_20]
		push	eax
		call	MmAccessFault
		mov	esi, eax

loc_68CB9B:				; CODE XREF: ExpSvmServicePageFault(x,x,x)+CBj
		test	bl, bl
		jz	short loc_68CBAA
		xor	edx, edx
		lea	ecx, [esp+38h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_68CBAA:				; CODE XREF: ExpSvmServicePageFault(x,x,x)+EEj
		mov	ecx, [esp+38h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_ExpSvmServicePageFault@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSvmWorkerThread(x)
_ExpSvmWorkerThread@4 proc near		; DATA XREF: ExpInitializeSvm+6Eo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	bl, bl

loc_68CBCC:				; CODE XREF: ExpSvmWorkerThread(x)+17j
					; ExpSvmWorkerThread(x)+30j
		mov	eax, ds:_HalIommuDispatch
		push	esi
		call	dword ptr [eax+2Ch]
		test	al, al
		jnz	short loc_68CBCC
		test	bl, bl
		jnz	short loc_68CBF2
		mov	eax, ds:_ExpSvmWorkQueues
		xor	edx, edx
		imul	ecx, esi, 34h
		add	eax, 30h
		add	eax, ecx
		xchg	edx, [eax]
		inc	bl
		jmp	short loc_68CBCC
; 

loc_68CBF2:				; CODE XREF: ExpSvmWorkerThread(x)+1Bj
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_ExpSvmWorkerThread@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1334. KitLogFeatureUsage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KitLogFeatureUsage(x, x, x)
		public _KitLogFeatureUsage@12
_KitLogFeatureUsage@12 proc near

var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 254h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, ds:_KitEtwHandle
		mov	eax, ecx
		mov	edx, ds:dword_6FD64C
		push	ebx
		xor	ebx, ebx
		or	eax, edx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_24C], ebx
		mov	[ebp+var_248], ebx
		mov	[ebp+var_250], esi
		jz	loc_68CDA6
		push	offset _KitFeatureIdUsedEvent
		push	edx
		push	ecx
		call	EtwEventEnabled
		test	al, al
		jz	loc_68CDA6
		sub	esi, ebx
		jz	short loc_68CC7A
		sub	esi, 1
		jz	short loc_68CC72
		sub	esi, 1
		jnz	short loc_68CC81
		mov	eax, [ebp+arg_4]
		mov	esi, [eax+8]
		test	esi, esi
		jz	short loc_68CC81
		mov	esi, [esi+0Ch]
		jmp	short loc_68CC7D
; 

loc_68CC72:				; CODE XREF: KitLogFeatureUsage(x,x,x)+5Fj
		mov	eax, [ebp+arg_4]
		mov	esi, [eax+0Ch]
		jmp	short loc_68CC7D
; 

loc_68CC7A:				; CODE XREF: KitLogFeatureUsage(x,x,x)+5Aj
		mov	esi, [ebp+arg_4]

loc_68CC7D:				; CODE XREF: KitLogFeatureUsage(x,x,x)+73j
					; KitLogFeatureUsage(x,x,x)+7Bj
		test	esi, esi
		jnz	short loc_68CC9E

loc_68CC81:				; CODE XREF: KitLogFeatureUsage(x,x,x)+64j
					; KitLogFeatureUsage(x,x,x)+6Ej ...
		mov	eax, dword ptr ds:loc_404E7B+5
		mov	edx, dword ptr ds:loc_404E83+1
		mov	[ebp+var_24C], eax
		mov	[ebp+var_250], 3
		jmp	short loc_68CCF1
; 

loc_68CC9E:				; CODE XREF: KitLogFeatureUsage(x,x,x)+82j
		push	edi
		mov	edi, 1FEh
		lea	eax, [ebp+var_204]
		push	edi		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	word ptr [ebp+var_24C+2], di
		lea	eax, [ebp+var_204]
		mov	[ebp+var_248], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		pop	edi
		cmp	al, 1
		lea	eax, [ebp+var_24C]
		push	eax
		push	esi
		ja	short loc_68CCE2
		call	_RtlPcToFilePath@8 ; RtlPcToFilePath(x,x)
		jmp	short loc_68CCE7
; 

loc_68CCE2:				; CODE XREF: KitLogFeatureUsage(x,x,x)+DCj
		call	RtlPcToFileName

loc_68CCE7:				; CODE XREF: KitLogFeatureUsage(x,x,x)+E3j
		test	eax, eax
		js	short loc_68CC81
		mov	edx, [ebp+var_248]

loc_68CCF1:				; CODE XREF: KitLogFeatureUsage(x,x,x)+9Fj
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_244], eax
		lea	eax, [ebp+var_250]
		mov	[ebp+var_234], eax
		mov	ax, word ptr [ebp+var_24C]
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_254], eax
		lea	eax, [ebp+var_254]
		push	4
		pop	esi
		mov	[ebp+var_224], eax
		movzx	eax, word ptr [ebp+var_24C]
		mov	[ebp+var_20C], eax
		lea	eax, [ebp+var_244]
		push	eax
		push	esi
		push	ebx
		push	offset _KitFeatureIdUsedEvent
		push	ds:dword_6FD64C
		mov	[ebp+var_240], ebx
		push	ds:_KitEtwHandle
		mov	[ebp+var_23C], 10h
		mov	[ebp+var_238], ebx
		mov	[ebp+var_230], ebx
		mov	[ebp+var_22C], esi
		mov	[ebp+var_228], ebx
		mov	[ebp+var_220], ebx
		mov	[ebp+var_21C], 2
		mov	[ebp+var_218], ebx
		mov	[ebp+var_214], edx
		mov	[ebp+var_210], ebx
		mov	[ebp+var_208], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	short loc_68CDA8
; 

loc_68CDA6:				; CODE XREF: KitLogFeatureUsage(x,x,x)+3Ej
					; KitLogFeatureUsage(x,x,x)+52j
		xor	eax, eax

loc_68CDA8:				; CODE XREF: KitLogFeatureUsage(x,x,x)+1A7j
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_KitLogFeatureUsage@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2636. XIPDispatch

;  S U B	R O U T	I N E 


; __stdcall XIPDispatch(x, x, x)
		public _XIPDispatch@12
_XIPDispatch@12	proc near
		mov	eax, 0C000000Eh
		retn	0Ch
_XIPDispatch@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryInformationWorkerFactory(x, x, x, x,	x)
_NtQueryInformationWorkerFactory@20 proc near ;	DATA XREF: .text:00580E50o

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= word ptr -78h
var_76		= byte ptr -76h
var_75		= byte ptr -75h
var_74		= byte ptr -74h
var_73		= byte ptr -73h
var_72		= byte ptr -72h
var_71		= byte ptr -71h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= byte ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	80h
		push	offset dword_6AA838
		call	__SEH_prolog4
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		cmp	[ebp+arg_4], 7
		jz	short loc_68CDFB
		mov	eax, 0C0000003h
		jmp	loc_68CFE8
; 

loc_68CDFB:				; CODE XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+2Aj
		xor	ebx, ebx
		test	al, al
		jz	short loc_68CE6A
		mov	[ebp+ms_exc.disabled], ebx
		test	byte ptr [ebp+arg_8], 3
		jz	short loc_68CE0F
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_68CE0F:				; CODE XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+43j
		mov	eax, ds:_MmUserProbeAddress
		cmp	[ebp+arg_8], eax
		jb	short loc_68CE1B
		mov	[eax], bl

loc_68CE1B:				; CODE XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+52j
		mov	ecx, [ebp+arg_8]
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+5Ch]
		mov	[ecx+5Ch], al
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_68CE41
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_68CE3B
		mov	eax, ecx

loc_68CE3B:				; CODE XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+72j
		mov	dword ptr [eax], 60h

loc_68CE41:				; CODE XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+68j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_68CE77
; 

loc_68CE4A:				; DATA XREF: .text:006AA84Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_68CE58:				; DATA XREF: .text:006AA850o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]
		jmp	loc_68CFE8
; 

loc_68CE6A:				; CODE XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+3Aj
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_68CE77
		mov	dword ptr [eax], 60h

loc_68CE77:				; CODE XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+83j
					; NtQueryInformationWorkerFactory(x,x,x,x,x)+AAj
		cmp	[ebp+arg_C], 60h
		jz	short loc_68CE87
		mov	eax, 0C0000004h
		jmp	loc_68CFE8
; 

loc_68CE87:				; CODE XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+B6j
		mov	eax, ds:_ExpWorkerFactoryObjectType
		mov	[ebp+var_1C], ebx
		push	ebx
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	8
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_68CFE8
		mov	[ebp+var_71], bl
		mov	[ebp+var_54], ebx
		mov	esi, [ebp+var_1C]
		lea	edx, [ebp+var_30]
		mov	ecx, [esi+4]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_84], ebx
		mov	eax, [esi+38h]
		mov	[ebp+var_80], eax
		mov	eax, [esi+3Ch]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], 0
		mov	al, [esi+68h]
		shr	al, 3
		and	al, 1
		mov	[ebp+var_76], al
		mov	edx, [esi+4]
		mov	ecx, [edx+10h]
		test	ecx, ecx
		setz	[ebp+var_75]
		cmp	[esi+60h], ebx
		setnbe	[ebp+var_74]
		mov	al, [edx+14h]
		mov	[ebp+var_73], al
		mov	al, [edx+15h]
		mov	[ebp+var_72], al
		mov	eax, [esi+64h]
		mov	[ebp+var_70], eax
		mov	eax, [esi+48h]
		mov	[ebp+var_6C], eax
		mov	eax, [esi+4Ch]
		mov	[ebp+var_68], eax
		mov	eax, [esi+58h]
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], ecx
		mov	eax, [esi+54h]
		mov	[ebp+var_5C], eax
		mov	eax, [edx+0Ch]
		mov	[ebp+var_58], eax
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		mov	eax, [esi+8]
		mov	[ebp+var_48], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_44], eax
		mov	eax, [esi+14h]
		mov	eax, [eax+0E4h]
		mov	[ebp+var_40], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_3C], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_38], eax
		mov	eax, [esi+70h]
		mov	[ebp+var_34], eax
		test	ds:byte_70EFC6,	1
		jz	short loc_68CF85
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_30]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)

loc_68CF7D:				; CODE XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+1D8j
		xor	edi, edi
		inc	edi
		mov	esi, [ebp+var_1C]
		jmp	short loc_68CFB3
; 

loc_68CF85:				; CODE XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+1ABj
		mov	eax, [ebp+var_30]
		test	eax, eax
		jnz	short loc_68CFA7
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_30]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_30]
		cmp	eax, ecx
		jz	short loc_68CF7D
		call	KxWaitForLockChainValid
		mov	esi, [ebp+var_1C]

loc_68CFA7:				; CODE XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+1C5j
		mov	[ebp+var_30], ebx
		xor	edi, edi
		inc	edi
		add	eax, 4
		lock xor [eax],	edi

loc_68CFB3:				; CODE XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+1BEj
		mov	cl, [ebp+var_28]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	[ebp+ms_exc.disabled], edi
		push	18h
		pop	ecx
		lea	esi, [ebp+var_90]
		mov	edi, [ebp+arg_8]
		rep movsd
		jmp	short loc_68CFDF
; 

loc_68CFD6:				; DATA XREF: .text:006AA858o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_68CFDC:				; DATA XREF: .text:006AA85Co
		mov	esp, [ebp+ms_exc.old_esp]

loc_68CFDF:				; CODE XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+20Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax

loc_68CFE8:				; CODE XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+31j
					; NtQueryInformationWorkerFactory(x,x,x,x,x)+A0j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_NtQueryInformationWorkerFactory@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCommitWakeResourceExclusive(x, x, x, x, x)
_ExpCommitWakeResourceExclusive@20 proc	near
					; CODE XREF: ExpReleaseDisownedFastResourceExclusive(x,x)+D7p
					; ExpReleaseDisownedFastResourceShared(x,x)+D7p

arg_0		= byte ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		mov	ecx, edx
		cmp	[ebp+arg_0], al
		mov	edx, [ebp+arg_8]
		setnz	al
		lea	eax, ds:1[eax*2]
		push	eax
		call	KeWakeWaitChain
		pop	ebp
		retn	0Ch
_ExpCommitWakeResourceExclusive@20 endp


;  S U B	R O U T	I N E 


; __stdcall ExpDeleteResource(x)
_ExpDeleteResource@4 proc near		; CODE XREF: ExDeleteFastResource(x)+4Dp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, offset _ExpResourceSpinLock
		mov	esi, ecx
		push	edi
		call	ExAcquireSpinLockExclusive
		mov	edx, [esi]
		mov	bl, al
		cmp	[edx+4], esi
		jnz	short loc_68D05D
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_68D05D
		mov	[ecx], edx
		push	edi
		mov	[edx+4], ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_68D05D:				; CODE XREF: ExpDeleteResource(x)+19j
					; ExpDeleteResource(x)+20j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExpDeleteResource@4 endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall ExpLockResourceAtDpcLevel(x, x)
_ExpLockResourceAtDpcLevel@8 proc near	; CODE XREF: ExpReleaseDisownedFastResourceExclusive(x,x)+50p
					; ExpReleaseDisownedFastResourceExclusive(x,x):loc_6892E1p ...
		mov	eax, edx
		add	ecx, 34h
		and	dword ptr [eax], 0
		mov	[eax+4], ecx
		test	ds:byte_70EFC6,	21h
		jz	short loc_68D07F
		mov	edx, ecx
		mov	ecx, eax
		jmp	@KiAcquireQueuedSpinLockInstrumented@8 ; KiAcquireQueuedSpinLockInstrumented(x,x)
; 

loc_68D07F:				; CODE XREF: ExpLockResourceAtDpcLevel(x,x)+12j
		xchg	edx, [ecx]
		test	edx, edx
		jz	short locret_68D08C
		mov	ecx, eax
		jmp	@KxWaitForLockOwnerShip@8 ; KxWaitForLockOwnerShip(x,x)
; 

locret_68D08C:				; CODE XREF: ExpLockResourceAtDpcLevel(x,x)+21j
		retn
_ExpLockResourceAtDpcLevel@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpPrepareToWakeResourceExclusive(x, x, x, x)
_ExpPrepareToWakeResourceExclusive@16 proc near
					; CODE XREF: ExpReleaseDisownedFastResourceExclusive(x,x)+A3p
					; ExpReleaseFastResourceExclusive(x,x)+140p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		cmp	[esi+28h], ecx
		jz	short loc_68D0B0
		mov	eax, [esi+10h]
		mov	[edx], eax
		mov	edx, [esi+28h]
		mov	[esi+10h], ecx
		mov	[esi+28h], ecx
		jmp	short loc_68D0E6
; 

loc_68D0B0:				; CODE XREF: ExpPrepareToWakeResourceExclusive(x,x,x,x)+11j
		cmp	[esi+2Ch], ecx
		jz	short loc_68D0E2
		lea	eax, [ebp+var_4]
		push	eax
		lea	ecx, [esi+14h]
		call	KeCaptureWaitChainHeadEx
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		inc	edx
		dec	dword ptr [esi+2Ch]

loc_68D0CA:				; CODE XREF: ExpPrepareToWakeResourceExclusive(x,x,x,x)+64j
		mov	eax, [esi+20h]
		dec	eax
		add	eax, edx

loc_68D0D0:				; CODE XREF: ExpPrepareToWakeResourceExclusive(x,x,x,x)+6Cj
		mov	[esi+20h], eax
		mov	eax, [ebp+arg_4]
		pop	esi
		mov	[eax], edx
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		leave
		retn	8
; 

loc_68D0E2:				; CODE XREF: ExpPrepareToWakeResourceExclusive(x,x,x,x)+26j
		mov	[edx], ecx
		mov	edx, ecx

loc_68D0E6:				; CODE XREF: ExpPrepareToWakeResourceExclusive(x,x,x,x)+21j
		mov	eax, 0FF7Fh
		and	[esi+0Eh], ax
		test	edx, edx
		jnz	short loc_68D0CA
		xor	eax, eax
		mov	[esi+0Ch], ax
		jmp	short loc_68D0D0
_ExpPrepareToWakeResourceExclusive@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpPrepareToWakeResourceShared(x, x, x, x)
_ExpPrepareToWakeResourceShared@16 proc	near
					; CODE XREF: ExpReleaseDisownedFastResourceShared(x,x)+A3p
					; ExpReleaseFastResourceExclusive(x,x)+35Dp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		xor	ecx, ecx
		inc	edi
		mov	[ebp+var_4], ecx
		cmp	[esi+20h], edi
		ja	short loc_68D147
		cmp	[esi+2Ch], ecx
		jz	short loc_68D132
		lea	eax, [ebp+var_4]
		push	eax
		lea	ecx, [esi+14h]
		call	KeCaptureWaitChainHeadEx
		dec	dword ptr [esi+2Ch]
		lea	eax, [edi+7Fh]
		or	[esi+0Eh], ax
		mov	ecx, [ebp+var_4]
		jmp	short loc_68D14B
; 

loc_68D132:				; CODE XREF: ExpPrepareToWakeResourceShared(x,x,x,x)+1Aj
		cmp	[esi+28h], ecx
		jz	short loc_68D147
		mov	eax, [esi+10h]
		mov	[edx], eax
		mov	edi, [esi+28h]
		mov	[esi+10h], ecx
		mov	[esi+28h], ecx
		jmp	short loc_68D14B
; 

loc_68D147:				; CODE XREF: ExpPrepareToWakeResourceShared(x,x,x,x)+15j
					; ExpPrepareToWakeResourceShared(x,x,x,x)+3Aj
		mov	edi, ecx
		mov	[edx], ecx

loc_68D14B:				; CODE XREF: ExpPrepareToWakeResourceShared(x,x,x,x)+35j
					; ExpPrepareToWakeResourceShared(x,x,x,x)+4Aj
		lea	eax, [edi-1]
		add	[esi+20h], eax
		jnz	short loc_68D159
		xor	eax, eax
		mov	[esi+0Ch], ax

loc_68D159:				; CODE XREF: ExpPrepareToWakeResourceShared(x,x,x,x)+56j
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		mov	[eax], ecx
		leave
		retn	8
_ExpPrepareToWakeResourceShared@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpResourceTimeoutCaptureLiveDump(x)
_ExpResourceTimeoutCaptureLiveDump@4 proc near ; DATA XREF: ExpWaitForResource+E284Fo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	eax		; int
		push	eax		; int
		push	eax		; int
		push	dword ptr [esi+1Ch] ; int
		push	dword ptr [esi+18h] ; int
		push	dword ptr [esi+10h] ; int
		push	dword ptr [esi+14h] ; int
		push	1CCh		; int
		push	offset ??_C@_1CA@GFDMJKJ@?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@FNODOBFM@ ; int
		call	_DbgkWerCaptureLiveKernelDump@36 ; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)
		mov	ecx, esi
		call	ExFreeHeapPool
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_ExpResourceTimeoutCaptureLiveDump@4 endp


;  S U B	R O U T	I N E 


; __stdcall MUIBugCheck(x)
_MUIBugCheck@4	proc near		; CODE XREF: NtGetMUIRegistryInfo:loc_8F1F92p
		push	0
		push	0
		push	ecx
		push	2
		push	12Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MUIBugCheck@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MigrateOOBELanguageToInstallationLanguage()
_MigrateOOBELanguageToInstallationLanguage@0 proc near
					; CODE XREF: NtGetMUIRegistryInfo+128270p
					; NtFlushInstallUILanguage+8420Ap

var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 254h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		xor	ebx, ebx
		mov	[ebp+var_230], ebx
		mov	[ebp+var_22C], ebx
		mov	[ebp+var_224], ebx
		stosd
		stosw
		lea	eax, [ebp+var_220]
		mov	edi, 210h
		push	edi		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_234], ebx
		lea	eax, [ebp+var_230]
		mov	[ebp+var_23C], ebx
		mov	[ebp+var_238], ebx
		push	offset ??_C@_1IA@HPIKAKLL@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@FNODOBFM@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_230]
		mov	[ebp+var_254], 18h
		mov	[ebp+var_24C], eax
		lea	eax, [ebp+var_254]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_224]
		mov	[ebp+var_250], ebx
		push	eax
		mov	[ebp+var_248], 240h
		mov	[ebp+var_244], ebx
		mov	[ebp+var_240], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_68D34A
		push	offset ??_C@_1CA@HNCMOGDF@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@FNODOBFM@
		lea	eax, [ebp+var_230]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	ecx, ds:_PsInstallUILanguageId
		push	3
		mov	[ebp+var_228], ecx
		mov	si, cx
		pop	edx

loc_68D29C:				; CODE XREF: MigrateOOBELanguageToInstallationLanguage()+115j
		and	ecx, 0Fh
		push	9
		pop	eax
		cmp	ax, cx
		sbb	eax, eax
		shr	si, 4
		and	eax, 7
		mov	word ptr [ebp+var_228],	si
		add	eax, 30h
		add	ax, cx
		mov	word ptr [ebp+edx*2+var_10], ax
		sub	edx, 1
		js	short loc_68D2CD
		mov	ecx, [ebp+var_228]
		jmp	short loc_68D29C
; 

loc_68D2CD:				; CODE XREF: MigrateOOBELanguageToInstallationLanguage()+10Dj
		lea	eax, [ebp+var_234]
		push	eax
		push	edi
		lea	eax, [ebp+var_220]
		push	eax
		push	2
		lea	eax, [ebp+var_230]
		push	eax
		push	[ebp+var_224]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_68D327
		push	(offset	loc_5A6DEB+1)
		lea	eax, [ebp+var_23C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+var_218]
		lea	eax, [ebp+var_214]
		push	eax
		push	1
		push	ebx
		lea	eax, [ebp+var_23C]
		push	eax
		push	[ebp+var_224]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_68D327:				; CODE XREF: MigrateOOBELanguageToInstallationLanguage()+13Cj
		push	0Ah
		lea	eax, [ebp+var_10]
		push	eax
		push	1
		push	ebx
		lea	eax, [ebp+var_230]
		push	eax
		push	[ebp+var_224]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_68D34A
		mov	esi, ebx

loc_68D34A:				; CODE XREF: MigrateOOBELanguageToInstallationLanguage()+BCj
					; MigrateOOBELanguageToInstallationLanguage()+190j
		cmp	[ebp+var_224], ebx
		jz	short loc_68D35D
		push	[ebp+var_224]
		call	_ZwClose@4	; ZwClose(x)

loc_68D35D:				; CODE XREF: MigrateOOBELanguageToInstallationLanguage()+19Aj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MigrateOOBELanguageToInstallationLanguage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExAllocateHeapSpecialPool(x, x, x)
_ExAllocateHeapSpecialPool@12 proc near	; CODE XREF: ExAllocateHeapPool+BBDA0p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= byte ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		and	[ebp+var_38], 0
		xor	eax, eax
		and	[ebp+var_34], 0
		inc	eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		mov	ebx, esi
		push	edi
		mov	edi, edx
		and	ebx, eax
		jnz	short loc_68D3AD
		bt	ds:_ExpPoolFlags, 0Ah
		setb	cl
		bt	esi, 9
		setnb	al
		test	cl, al
		jz	short loc_68D3AD
		or	esi, 200h

loc_68D3AD:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+21j
					; ExAllocateHeapSpecialPool(x,x,x)+37j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	ebx, ebx
		setz	cl
		inc	cl
		cmp	al, cl
		jbe	short loc_68D3D0
		push	30h
		push	edi
		push	esi
		movzx	eax, al
		push	eax
		push	0C1h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68D3D0:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+4Ej
		xor	eax, eax
		mov	edx, 80000000h
		inc	eax
		mov	ecx, esi
		push	eax
		call	ExGetHeapFromType
		push	4
		pop	ecx
		push	ecx
		mov	edx, 1000h
		mov	[ebp+var_24], ecx
		push	edx
		push	edx
		lea	ecx, [eax+100h]
		call	RtlpHpSegAlloc
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_68D6B7
		lea	eax, [ebp+var_38]
		push	eax
		call	KeQueryTickCount
		mov	eax, [ebp+var_38]
		movzx	eax, al
		or	eax, 1
		push	0FF8h		; size_t
		push	eax		; int
		lea	eax, [ebx+8]
		push	eax		; void *
		call	_memset
		mov	edx, esi
		add	esp, 0Ch
		and	edx, 40h
		jz	short loc_68D434
		sub	edi, 4
		mov	[ebp+var_4], edi

loc_68D434:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+BEj
		mov	eax, [ebp+var_38]
		or	al, 1
		mov	[ebx], edi
		movzx	ecx, al
		mov	ax, [ebx+2]
		mov	[ebp+var_28], 0FE00h
		and	ax, word ptr [ebp+var_28]
		or	cx, ax
		mov	eax, [ebp+arg_0]
		mov	[ebx+2], cx
		mov	[ebx+4], eax
		test	edx, edx
		jz	short loc_68D464
		or	dword ptr [ebx], 4000h

loc_68D464:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+EEj
		mov	eax, ebx
		sub	eax, edi
		add	eax, 1000h
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_28], eax
		test	esi, 400h
		jz	short loc_68D487
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_68D487:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+10Bj
		mov	ecx, ebx
		call	_MiDeterminePoolType@4 ; MiDeterminePoolType(x)
		mov	ecx, [ebp+arg_0]
		lea	edi, [ebp+var_44]
		mov	[ebp+arg_0], ecx
		lea	edx, [eax-20h]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		xor	eax, eax
		stosd
		mov	[ebp+var_C], edx
		stosd
		stosd
		mov	eax, ds:_PoolHitTag
		cmp	ecx, eax
		jnz	short loc_68D4B2
		int	3		; Trap to Debugger

loc_68D4B2:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+141j
		test	ds:byte_70EFC4,	41h
		mov	edi, [ebp+var_4]
		jz	short loc_68D4D0
		push	edi
		push	ebx
		push	[ebp+arg_0]
		mov	ecx, 0E20h
		call	_EtwTracePool@20 ; EtwTracePool(x,x,x,x,x)
		mov	edx, [ebp+var_C]

loc_68D4D0:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+14Ej
		mov	eax, edx
		and	eax, 20h
		mov	[ebp+var_14], eax
		jnz	short loc_68D4F6
		movzx	eax, large byte	ptr fs:51h
		mov	ebx, ds:_PoolTrackTableMask
		mov	esi, ds:_ExPoolTagTables[eax*4]
		mov	eax, ds:_PoolTrackTableSize
		jmp	short loc_68D507
; 

loc_68D4F6:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+16Aj
		mov	esi, ds:_ExpSessionPoolTrackTable
		mov	ebx, ds:_ExpSessionPoolTrackTableMask
		mov	eax, ds:_ExpSessionPoolTrackTableSize

loc_68D507:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+186j
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_0]
		movzx	ecx, al
		shl	ecx, 2
		movzx	eax, ah
		xor	ecx, eax
		mov	[ebp+var_1C], ebx
		movzx	eax, byte ptr [ebp+arg_0+2]
		shl	ecx, 2
		xor	ecx, eax
		mov	[ebp+var_10], esi
		movzx	eax, byte ptr [ebp+arg_0+3]
		shl	ecx, 2
		xor	ecx, eax
		imul	ecx, 9E5Fh
		sar	ecx, 2
		and	ecx, ebx
		imul	eax, ecx, 30h
		mov	[ebp+var_20], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_8], eax
		lea	ebx, [eax+esi]
		mov	eax, [ebx]
		mov	esi, [ebp+arg_0]
		cmp	eax, esi
		jz	loc_68D638

loc_68D557:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+2C1j
		test	eax, eax
		jnz	loc_68D611
		mov	edx, [ebp+var_14]
		test	edx, edx
		jnz	short loc_68D582
		mov	eax, ds:_PoolTrackTable
		mov	edx, [ebp+var_8]
		mov	eax, [edx+eax]
		test	eax, eax
		jz	short loc_68D57C
		mov	[ebx], eax
		jmp	loc_68D61D
; 

loc_68D57C:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+205j
		mov	esi, [ebp+arg_0]
		mov	edx, [ebp+var_14]

loc_68D582:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+1F6j
		mov	eax, [ebp+var_18]
		dec	eax
		cmp	ecx, eax
		jz	loc_68D611
		test	edx, edx
		jz	short loc_68D59D
		xor	eax, eax
		lock cmpxchg [ebx], esi
		jmp	loc_68D61D
; 

loc_68D59D:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+222j
		lea	edx, [ebp+var_44]
		mov	ecx, offset _ExpTaggedPoolLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	edx, ds:_PoolTrackTable
		mov	ecx, [ebp+var_8]
		cmp	dword ptr [ecx+edx], 0
		jnz	short loc_68D5BE
		mov	[ecx+edx], esi
		mov	[ebx], esi

loc_68D5BE:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+249j
		test	ds:byte_70EFC6,	1
		jz	short loc_68D5D4
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_44]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	short loc_68D603
; 

loc_68D5D4:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+257j
		mov	eax, [ebp+var_44]
		test	eax, eax
		jnz	short loc_68D5F3
		mov	edx, [ebp+var_40]
		lea	eax, [ebp+var_44]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_44]
		cmp	eax, ecx
		jz	short loc_68D603
		call	KxWaitForLockChainValid

loc_68D5F3:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+26Bj
		xor	ecx, ecx
		mov	[ebp+var_44], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx

loc_68D603:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+264j
					; ExAllocateHeapSpecialPool(x,x,x)+27Ej
		mov	cl, [ebp+var_3C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_20]
		jmp	short loc_68D61D
; 

loc_68D611:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+1EBj
					; ExAllocateHeapSpecialPool(x,x,x)+21Aj
		inc	ecx
		and	ecx, [ebp+var_1C]
		mov	[ebp+var_20], ecx
		cmp	ecx, [ebp+var_2C]
		jz	short loc_68D666

loc_68D61D:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+209j
					; ExAllocateHeapSpecialPool(x,x,x)+22Aj ...
		mov	ebx, [ebp+var_10]
		imul	eax, ecx, 30h
		add	ebx, eax
		mov	[ebp+var_8], eax
		mov	eax, [ebx]
		mov	esi, [ebp+arg_0]
		cmp	eax, esi
		jnz	loc_68D557
		mov	edx, [ebp+var_C]

loc_68D638:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+1E3j
		test	dl, 1
		jnz	short loc_68D674
		lea	edi, [ebx+8]

loc_68D640:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+2EFj
					; ExAllocateHeapSpecialPool(x,x,x)+2F4j
		mov	esi, [edi]
		xor	eax, eax
		mov	edx, [edi+4]
		inc	eax
		mov	ebx, esi
		mov	[ebp+arg_0], edx
		add	ebx, eax
		mov	ecx, edx
		mov	eax, esi
		adc	ecx, 0
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_68D640
		cmp	edx, [ebp+arg_0]
		jnz	short loc_68D640
		jmp	short loc_68D6A2
; 

loc_68D666:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+2ADj
		push	[ebp+var_C]
		mov	edx, edi
		mov	ecx, esi
		call	ExpInsertPoolTrackerExpansion
		jmp	short loc_68D6B4
; 

loc_68D674:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+2CDj
		lea	edi, [ebx+20h]

loc_68D677:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+326j
					; ExAllocateHeapSpecialPool(x,x,x)+32Bj
		mov	esi, [edi]
		xor	eax, eax
		mov	edx, [edi+4]
		inc	eax
		mov	ebx, esi
		mov	[ebp+arg_0], edx
		add	ebx, eax
		mov	ecx, edx
		mov	eax, esi
		adc	ecx, 0
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_68D677
		cmp	edx, [ebp+arg_0]
		jnz	short loc_68D677
		mov	[ebp+var_24], 18h

loc_68D6A2:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+2F6j
		mov	eax, [ebp+var_8]
		add	eax, [ebp+var_10]
		mov	ecx, [ebp+var_24]
		mov	edi, [ebp+var_4]
		add	ecx, eax
		lock xadd [ecx], edi

loc_68D6B4:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+304j
		mov	eax, [ebp+var_28]

loc_68D6B7:				; CODE XREF: ExAllocateHeapSpecialPool(x,x,x)+8Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExAllocateHeapSpecialPool@12 endp


;  S U B	R O U T	I N E 


; __stdcall ExIsSpecialPoolAddress(x)
_ExIsSpecialPoolAddress@4 proc near	; CODE XREF: VfUtilIsSpecialPoolAddress(x):loc_A5A0F3p
					; VeAllocatePoolWithTagPriority(x,x,x,x,x)+227p ...
		call	ExGetHeapFromVA
		mov	ecx, eax
		jmp	_ExpHpIsSpecialPoolHeap@4 ; ExpHpIsSpecialPoolHeap(x)
_ExIsSpecialPoolAddress@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpFreeHeapSpecialPool(x, x)
_ExpFreeHeapSpecialPool@8 proc near	; CODE XREF: PspReturnQuota+C7543p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_2C], ecx
		push	edi
		mov	ecx, esi
		call	_MiDeterminePoolType@4 ; MiDeterminePoolType(x)
		mov	ecx, 1000h
		push	0
		lea	ebx, [eax-20h]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax
		mov	eax, esi
		and	eax, 0FFFh
		mov	[ebp+var_18], ebx
		sub	ecx, eax
		mov	[ebp+var_20], ecx
		mov	edx, ecx
		mov	ecx, esi
		call	ExpFreePoolChecks
		mov	edi, ebx
		and	edi, 1
		mov	[ebp+var_28], edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	edi, edi
		setz	cl
		inc	cl
		cmp	al, cl
		jbe	short loc_68D735
		push	31h
		push	esi
		push	1
		movzx	eax, al
		push	eax

loc_68D72B:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+94j
		push	0C1h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68D735:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+56j
		mov	edx, [ebp+var_20]
		mov	ecx, esi
		and	ecx, 0FFFFF000h
		mov	[ebp+var_1C], ecx
		movzx	edi, word ptr [ecx]
		and	edi, 1FFFh
		mov	[ebp+var_14], edi
		lea	eax, [edi+7]
		and	eax, 0FFFFFFF8h
		cmp	eax, edx
		jz	short loc_68D760
		push	21h
		push	edx
		push	edi

loc_68D75D:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+125j
		push	esi
		jmp	short loc_68D72B
; 

loc_68D760:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+8Dj
		mov	edx, [ecx]
		lea	eax, [ecx+8]
		mov	[ebp+var_20], edx
		and	edx, 4000h
		jz	short loc_68D773
		lea	eax, [ecx+0Ch]

loc_68D773:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+A4j
		cmp	eax, esi
		jnb	short loc_68D78F
		mov	bl, [ecx+2]
		mov	[ebp+var_1], bl
		mov	ebx, [ebp+var_18]

loc_68D780:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+C3j
		mov	cl, [ebp+var_1]
		cmp	[eax], cl
		mov	ecx, [ebp+var_1C]
		jnz	short loc_68D7E9
		inc	eax
		cmp	eax, esi
		jb	short loc_68D780

loc_68D78F:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+ABj
		test	edx, edx
		jz	short loc_68D7A2
		push	1
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	_VerifierFreeTrackedPool@16 ; VerifierFreeTrackedPool(x,x,x,x)
		mov	ecx, [ebp+var_1C]

loc_68D7A2:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+C7j
		mov	eax, [ecx+4]
		mov	[ebp+var_8], eax
		cmp	eax, ds:_PoolHitTag
		jnz	short loc_68D7B1
		int	3		; Trap to Debugger

loc_68D7B1:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+E4j
		test	ds:byte_70EFC4,	41h
		jz	short loc_68D7CB
		push	edi
		push	esi
		push	[ebp+var_8]
		mov	edx, ebx
		mov	ecx, 0E22h
		call	_EtwTracePool@20 ; EtwTracePool(x,x,x,x,x)

loc_68D7CB:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+EEj
		mov	esi, ebx
		and	esi, 20h
		jnz	short loc_68D7F4
		movzx	eax, large byte	ptr fs:51h
		mov	edx, ds:_PoolTrackTableMask
		mov	eax, ds:_ExPoolTagTables[eax*4]
		jmp	short loc_68D7FF
; 

loc_68D7E9:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+BEj
		push	23h
		push	[ebp+var_20]
		push	eax
		jmp	loc_68D75D
; 

loc_68D7F4:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+106j
		mov	eax, ds:_ExpSessionPoolTrackTable
		mov	edx, ds:_ExpSessionPoolTrackTableMask

loc_68D7FF:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+11Dj
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_8]
		movzx	ecx, al
		shl	ecx, 2
		movzx	eax, ah
		xor	ecx, eax
		mov	[ebp+var_20], edx
		movzx	eax, byte ptr [ebp+var_8+2]
		shl	ecx, 2
		xor	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+3]
		shl	ecx, 2
		xor	ecx, eax
		imul	ecx, 9E5Fh
		sar	ecx, 2
		and	ecx, edx
		mov	[ebp+var_24], ecx
		jmp	short loc_68D861
; 

loc_68D835:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+1ADj
		cmp	[ebp+var_C], 0
		jnz	short loc_68D858
		test	esi, esi
		jnz	short loc_68D858
		mov	edi, [ebp+var_18]
		mov	eax, ds:_PoolTrackTable
		mov	eax, [edi+eax]
		mov	edi, [ebp+var_14]
		test	eax, eax
		jz	short loc_68D855
		mov	[edx], eax
		jmp	short loc_68D861
; 

loc_68D855:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+185j
		mov	eax, [ebp+var_8]

loc_68D858:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+16Fj
					; ExpFreeHeapSpecialPool(x,x)+173j
		inc	ecx
		and	ecx, [ebp+var_20]
		cmp	ecx, [ebp+var_24]
		jz	short loc_68D8A8

loc_68D861:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+169j
					; ExpFreeHeapSpecialPool(x,x)+189j
		mov	edx, [ebp+var_10]
		imul	eax, ecx, 30h
		add	edx, eax
		mov	[ebp+var_18], eax
		mov	eax, [edx]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]
		cmp	[ebp+var_C], eax
		jnz	short loc_68D835
		cmp	[ebp+var_28], 0
		jnz	short loc_68D8B4
		lea	edi, [edx+10h]

loc_68D882:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+1D3j
					; ExpFreeHeapSpecialPool(x,x)+1D8j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_28], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_68D882
		cmp	edx, [ebp+var_28]
		jnz	short loc_68D882
		push	4
		jmp	short loc_68D8DB
; 

loc_68D8A8:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+195j
		push	ebx
		mov	edx, edi
		mov	ecx, eax
		call	ExpRemovePoolTrackerExpansion
		jmp	short loc_68D8ED
; 

loc_68D8B4:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+1B3j
		lea	edi, [edx+28h]

loc_68D8B7:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+208j
					; ExpFreeHeapSpecialPool(x,x)+20Dj
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_28], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_68D8B7
		cmp	edx, [ebp+var_28]
		jnz	short loc_68D8B7
		push	18h

loc_68D8DB:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+1DCj
		mov	eax, [ebp+var_18]
		mov	edi, [ebp+var_14]
		add	eax, [ebp+var_10]
		neg	edi
		pop	ecx
		add	eax, ecx
		lock xadd [eax], edi

loc_68D8ED:				; CODE XREF: ExpFreeHeapSpecialPool(x,x)+1E8j
		mov	edx, [ebp+var_1C]
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_2C]
		push	0
		call	RtlpHpFreeHeap
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpFreeHeapSpecialPool@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpHeapQueryPoolPages(x, x,	x, x)
_ExpHeapQueryPoolPages@16 proc near	; CODE XREF: ExpAllocatePoolWithTagFromNode+BBD4Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ds:dword_6D8E84
		test	edx, 200h
		jnz	short loc_68D91B
		mov	esi, ds:dword_6D8E80

loc_68D91B:				; CODE XREF: ExpHeapQueryPoolPages(x,x,x,x)+12j
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	ecx, [esi+84h]
		mov	[eax], ecx
		mov	ecx, [esi+94h]
		mov	eax, [edx]
		add	eax, ecx
		mov	ecx, [esi+9Ch]
		add	ecx, eax
		mov	[edx], ecx
		pop	esi
		pop	ebp
		retn	8
_ExpHeapQueryPoolPages@16 endp


;  S U B	R O U T	I N E 


; __stdcall ExpHpIsSpecialPoolHeap(x)
_ExpHpIsSpecialPoolHeap@4 proc near	; CODE XREF: ExReturnPoolQuota+D2FE4p
					; ExAllocatePoolWithQuotaTag+C7807p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		call	_MiDeterminePoolType@4 ; MiDeterminePoolType(x)
		lea	edx, [eax-20h]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		cmp	edx, 21h
		jnz	short loc_68D980
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		mov	eax, [eax+1D8h]
		cmp	esi, [eax+1C7Ch]
		setz	bl
		jmp	short loc_68D998
; 

loc_68D980:				; CODE XREF: ExpHpIsSpecialPoolHeap(x)+19j
		mov	eax, offset dword_6F9A80

loc_68D985:				; CODE XREF: ExpHpIsSpecialPoolHeap(x)+4Fj
		cmp	esi, [eax]
		jz	short loc_68D995
		add	eax, 4
		cmp	eax, offset unk_6F9A90
		jl	short loc_68D985
		jmp	short loc_68D998
; 

loc_68D995:				; CODE XREF: ExpHpIsSpecialPoolHeap(x)+45j
		xor	ebx, ebx
		inc	ebx

loc_68D998:				; CODE XREF: ExpHpIsSpecialPoolHeap(x)+3Cj
					; ExpHpIsSpecialPoolHeap(x)+51j
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
_ExpHpIsSpecialPoolHeap@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSizeHeapPool(x)
_ExpSizeHeapPool@4 proc	near		; CODE XREF: ViPostPoolAllocation(x,x)+2Fp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	edx, edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		mov	byte ptr [ebp+var_1], dl
		test	esi, 0FFFh
		jnz	short loc_68D9F0
		call	_MiDeterminePoolType@4 ; MiDeterminePoolType(x)
		lea	ecx, [ebp+var_1]
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		lea	ecx, [ebp+var_14]
		push	ecx
		push	edx
		lea	edx, [eax-20h]
		mov	ecx, esi
		neg	edx
		sbb	edx, edx
		and	edx, eax
		call	_ExpRemoveTagForBigPages@32 ; ExpRemoveTagForBigPages(x,x,x,x,x,x,x,x)
		mov	eax, [ebp+var_8]
		jmp	short loc_68D9FC
; 

loc_68D9F0:				; CODE XREF: ExpSizeHeapPool(x)+22j
		movzx	eax, word ptr [esi-6]
		and	eax, 1FFh
		shl	eax, 3

loc_68D9FC:				; CODE XREF: ExpSizeHeapPool(x)+51j
		pop	esi
		leave
		retn
_ExpSizeHeapPool@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExSaDecodeHandle(x)
@ExSaDecodeHandle@4 proc near		; CODE XREF: EtwpCovSampProfileInterrupt(x,x)+2Cp
					; EtwpCovSampCaptureBufferGet(x)+9p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:20h
		push	esi
		mov	esi, ecx
		shr	ecx, 3
		shr	esi, 0Dh
		mov	eax, [eax+47B4h]
		and	esi, 3FFFFh
		bsr	edx, esi
		btc	esi, edx
		and	ecx, 3FFh
		mov	eax, [eax+edx*4-8]
		mov	eax, [eax+esi*4+4]
		pop	esi
		lea	eax, [eax+ecx*4]
		leave
		retn
@ExSaDecodeHandle@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ExSaDecodeHandleForIndex(x, x)
@ExSaDecodeHandleForIndex@8 proc near	; CODE XREF: EtwpCovSampCaptureFlushSampleBuffers(x)+2Ep
					; ExpAcquireFannedOutPushLockExclusive(x,x,x)+16p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_ExSaPageArrays
		push	esi
		push	edi
		mov	edi, ecx
		shr	ecx, 3
		mov	eax, [eax+edx*4]
		shr	edi, 0Dh
		and	edi, 3FFFFh
		bsr	esi, edi
		btc	edi, esi
		and	ecx, 3FFh
		mov	eax, [eax+esi*4-8]
		mov	eax, [eax+edi*4+4]
		pop	edi
		pop	esi
		lea	eax, [eax+ecx*4]
		leave
		retn
@ExSaDecodeHandleForIndex@8 endp


;  S U B	R O U T	I N E 


; __stdcall ExSaAllocate(x, x, x)
_ExSaAllocate@12 proc near		; CODE XREF: ExpAllocateFannedOutPushLock(x,x)+10p
					; EtwpCovSampCaptureContextStart(x)+1A2p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		test	edx, 0FFFFFFFEh
		jz	short loc_68DA91
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	edx
		push	16Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68DA91:				; CODE XREF: ExSaAllocate(x,x,x)+Cj
		mov	ecx, ds:_ExSaPagedSlotAllocator
		test	dl, 1
		jnz	short loc_68DAA2
		mov	ecx, ds:_ExSaNonPagedSlotAllocator

loc_68DAA2:				; CODE XREF: ExSaAllocate(x,x,x)+27j
		or	esi, 0FFFFFFFFh
		test	ecx, ecx
		jz	short loc_68DAD9
		cmp	edi, 1000h
		ja	short loc_68DAD9
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		lea	edx, [edi+3]
		push	ecx
		shr	edx, 2
		call	_ExpSaAllocatorAllocate@12 ; ExpSaAllocatorAllocate(x,x,x)
		mov	ecx, large fs:124h
		mov	esi, eax
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_68DAD9:				; CODE XREF: ExSaAllocate(x,x,x)+34j
					; ExSaAllocate(x,x,x)+3Cj
		pop	edi
		mov	eax, esi
		pop	esi
		retn	4
_ExSaAllocate@12 endp ;	sp = -14h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExSaFree(x,	x)
_ExSaFree@8	proc near		; CODE XREF: ExpFreeFannedOutPushLock(x)+6p
					; EtwpCovSampCaptureContextStart(x)+3EDp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_ExSaPageGroupDescriptorArray
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	edx, ebx
		shr	edx, 0Dh
		and	edx, 3FFFFh
		bsr	esi, edx
		btc	edx, esi
		mov	eax, [eax+esi*4-8]
		mov	edx, [eax+edx*4+4]
		mov	eax, large fs:124h
		mov	ecx, [edx+8]
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [edi+3]
		shr	eax, 2
		push	eax
		push	ebx
		call	_ExpSaAllocatorFree@16 ; ExpSaAllocatorFree(x,x,x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExSaFree@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSaAllocatorAllocate(x, x, x)
_ExpSaAllocatorAllocate@12 proc	near	; CODE XREF: ExSaAllocate(x,x,x)+53p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_1C], edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], eax
		xor	edx, edx
		mov	eax, esi
		mov	[ebp+var_C], esi
		and	eax, 7FFFFFFCh
		mov	byte ptr [ebp+var_4+3],	dl
		push	edi
		mov	[ebp+var_24], edx
		mov	[ebp+var_8], eax
		jnz	short loc_68DB82
		mov	edi, edx
		jmp	loc_68DC8F
; 

loc_68DB82:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+3Fj
		mov	edi, large fs:124h
		dec	word ptr [edi+13Eh]
		nop
		inc	byte ptr [edi+1E6h]
		nop
		cmp	byte ptr [edi+1E6h], 1
		jz	short loc_68DBB8
		push	edx

loc_68DBA2:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+374j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	esi
		push	edi
		push	192h

loc_68DBB3:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+493j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68DBB8:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+65j
		mov	cl, [edi+1E4h]
		mov	[ebp+var_20], edx
		test	cl, cl
		jnz	short loc_68DBDB
		lea	ecx, [edi+222h]
		cmp	[ecx], dl
		jz	short loc_68DC05
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [edi+1E4h]
		or	cl, al

loc_68DBDB:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+89j
		movzx	ecx, cl
		bsf	eax, ecx
		imul	edx, eax, 30h
		btr	ecx, eax
		mov	[ebp+var_20], eax
		mov	[edi+1E4h], cl
		add	edx, [edi+1E8h]
		mov	[ebp+var_18], edx
		jnz	short loc_68DC1F

loc_68DBFB:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+D8j
					; ExpSaAllocatorAllocate(x,x,x)+E3j
		lea	eax, [edi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_68DC60
; 

loc_68DC05:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+93j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	[ebp+var_18], edx
		jz	short loc_68DBFB
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_68DBFB
; 

loc_68DC1F:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+BFj
		mov	ecx, ds:dword_6D07D0
		mov	eax, esi
		shr	eax, 15h
		cmp	esi, ecx
		jb	short loc_68DC51
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68DC44
		cmp	esi, ecx
		jb	short loc_68DC51
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_68DC51

loc_68DC44:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+FBj
		mov	ecx, [edi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_68DC56
; 

loc_68DC51:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+F2j
					; ExpSaAllocatorAllocate(x,x,x)+FFj ...
		or	ecx, 0FFFFFFFFh
		mov	eax, ecx

loc_68DC56:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+115j
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp+var_8]
		mov	[edx+10h], eax

loc_68DC60:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+C9j
		nop
		dec	byte ptr [edi+1E6h]
		lea	eax, [ebp+var_24]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [edi+13Eh], 1
		jnz	short loc_68DC8C
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jz	short loc_68DC8C
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68DC8C:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+143j
					; ExpSaAllocatorAllocate(x,x,x)+14Bj
		mov	edi, [ebp+var_18]

loc_68DC8F:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+43j
		push	11h
		pop	ecx
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_68DCA6
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockSharedEx

loc_68DCA6:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+160j
		test	edi, edi
		jz	short loc_68DCAE
		or	byte ptr [edi+0Eh], 1

loc_68DCAE:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+16Ej
		mov	al, byte ptr [ebp+var_4+3]
		lea	edx, [esi+4]
		mov	edi, [edx]
		mov	[ebp+var_28], edx

loc_68DCB9:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+314j
		cmp	edi, edx
		jz	short loc_68DCE4

loc_68DCBD:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+1A2j
		mov	edx, [ebp+var_1C]
		mov	ecx, edi
		call	_ExpSaPageGroupAllocateMemory@8	; ExpSaPageGroupAllocateMemory(x,x)
		mov	esi, eax
		mov	[ebp+var_14], esi
		cmp	esi, 0FFFFFFFFh
		jnz	loc_68DE98
		mov	edi, [edi]
		mov	edx, [ebp+var_28]
		cmp	edi, edx
		jnz	short loc_68DCBD
		mov	esi, [ebp+var_C]
		mov	al, byte ptr [ebp+var_4+3]

loc_68DCE4:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+181j
		mov	edi, [edx]
		mov	[ebp+var_34], edi
		test	al, al
		jnz	loc_68DE44
		push	11h
		xor	ecx, ecx
		pop	edi
		inc	ecx
		mov	eax, edi
		lock cmpxchg [esi], ecx
		cmp	eax, edi
		jz	loc_68DE44
		xor	ecx, ecx
		mov	eax, edi
		lock cmpxchg [esi], ecx
		cmp	eax, edi
		jz	short loc_68DD18
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_68DD18:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+1D5j
		mov	ecx, esi
		call	KeAbPostRelease
		xor	eax, eax
		mov	[ebp+var_30], eax
		cmp	[ebp+var_8], eax
		jnz	short loc_68DD30
		mov	edi, eax
		jmp	loc_68DE28
; 

loc_68DD30:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+1EDj
		mov	edi, large fs:124h
		dec	word ptr [edi+13Eh]
		nop
		inc	byte ptr [edi+1E6h]
		nop
		cmp	byte ptr [edi+1E6h], 1
		jnz	loc_68DEAD
		mov	cl, [edi+1E4h]
		mov	[ebp+var_2C], eax
		test	cl, cl
		jnz	short loc_68DD76
		lea	ecx, [edi+222h]
		cmp	[ecx], al
		jz	short loc_68DDA0
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [edi+1E4h]
		or	cl, al

loc_68DD76:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+224j
		movzx	ecx, cl
		bsf	eax, ecx
		imul	edx, eax, 30h
		btr	ecx, eax
		mov	[ebp+var_2C], eax
		mov	[edi+1E4h], cl
		add	edx, [edi+1E8h]
		mov	[ebp+var_18], edx
		jnz	short loc_68DDBA

loc_68DD96:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+273j
					; ExpSaAllocatorAllocate(x,x,x)+27Ej
		lea	eax, [edi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_68DDF9
; 

loc_68DDA0:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+22Ej
		test	dword ptr ds:byte_70EFC4, 200h
		mov	[ebp+var_18], eax
		jz	short loc_68DD96
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_68DD96
; 

loc_68DDBA:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+25Aj
		mov	ecx, ds:dword_6D07D0
		mov	eax, esi
		shr	eax, 15h
		cmp	esi, ecx
		jb	short loc_68DDEC
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68DDDF
		cmp	esi, ecx
		jb	short loc_68DDEC
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_68DDEC

loc_68DDDF:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+296j
		mov	ecx, [edi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_68DDEF
; 

loc_68DDEC:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+28Dj
					; ExpSaAllocatorAllocate(x,x,x)+29Aj ...
		or	eax, 0FFFFFFFFh

loc_68DDEF:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+2B0j
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp+var_8]
		mov	[edx+10h], eax

loc_68DDF9:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+264j
		nop
		dec	byte ptr [edi+1E6h]
		lea	eax, [ebp+var_30]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [edi+13Eh], 1
		jnz	short loc_68DE25
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jz	short loc_68DE25
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68DE25:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+2DCj
					; ExpSaAllocatorAllocate(x,x,x)+2E4j
		mov	edi, [ebp+var_18]

loc_68DE28:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+1F1j
		lock bts dword ptr [esi], 0
		jnb	short loc_68DE39
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx

loc_68DE39:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+2F3j
		lea	edx, [esi+4]
		test	edi, edi
		jz	short loc_68DE44
		or	byte ptr [edi+0Eh], 1

loc_68DE44:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+1B1j
					; ExpSaAllocatorAllocate(x,x,x)+1C5j ...
		mov	edi, [edx]
		mov	al, 1
		mov	byte ptr [ebp+var_4+3],	al
		cmp	[ebp+var_34], edi
		jnz	loc_68DCB9
		mov	edx, [esi+24h]
		mov	ecx, esi
		and	dl, al
		call	_ExpSaPageGroupDescriptorAllocate@8 ; ExpSaPageGroupDescriptorAllocate(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_68DF21
		mov	edx, [ebp+var_1C]
		mov	ecx, edi
		call	_ExpSaPageGroupAllocateMemory@8	; ExpSaPageGroupAllocateMemory(x,x)
		mov	[ebp+var_14], eax
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_68DEB3
		and	dword ptr [edi+18h], 0
		lea	eax, [esi+4]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_68DEC4
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[ecx+4], edi
		mov	[eax], edi
		jmp	short loc_68DED3
; 

loc_68DE98:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+195j
		mov	eax, [edi+14h]
		mov	esi, [ebp+var_C]
		test	eax, eax
		jnz	short loc_68DED3
		push	2
		pop	ecx
		lea	eax, [esi+24h]
		lock or	[eax], ecx
		jmp	short loc_68DED3
; 

loc_68DEAD:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+213j
		push	eax
		jmp	loc_68DBA2
; 

loc_68DEB3:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+342j
		lea	eax, [esi+0Ch]
		mov	dword ptr [edi+18h], 1
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jz	short loc_68DEC9

loc_68DEC4:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+350j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_68DEC9:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+388j
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi

loc_68DED3:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+35Cj
					; ExpSaAllocatorAllocate(x,x,x)+366j ...
		mov	eax, [esi+24h]
		test	al, 2
		jz	short loc_68DEFA
		cmp	byte ptr [ebp+var_4+3],	0
		jnz	short loc_68DEEF
		xor	ecx, ecx
		push	11h
		inc	ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jnz	short loc_68DF00

loc_68DEEF:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+3A4j
		mov	ecx, esi
		mov	byte ptr [ebp+var_4+3],	1
		call	_ExpSaAllocatorOptimizeList@4 ;	ExpSaAllocatorOptimizeList(x)

loc_68DEFA:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+39Ej
		cmp	byte ptr [ebp+var_4+3],	0
		jnz	short loc_68DF21

loc_68DF00:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+3B3j
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_68DF15
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_68DF15:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+3D2j
		mov	ecx, esi
		call	KeAbPostRelease
		jmp	loc_68E0DB
; 

loc_68DF21:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+32Aj
					; ExpSaAllocatorAllocate(x,x,x)+3C4j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_68DF35
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_68DF35:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+3F2j
		xor	edi, edi
		mov	[ebp+var_1C], edi
		cmp	[ebp+var_8], edi
		jz	loc_68E0DB
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_8], eax
		cmp	esi, edx
		jb	short loc_68DF82
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_68DF71
		cmp	esi, edx
		jb	short loc_68DF82
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_68DF82

loc_68DF71:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+428j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_8]

loc_68DF82:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+41Fj
					; ExpSaAllocatorAllocate(x,x,x)+42Cj ...
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	edx, esi
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, [ebp+var_10]
		push	ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_34], ecx
		test	ecx, ecx
		jnz	short loc_68DFD2
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_68E052
		push	0
		push	[ebp+var_10]
		push	esi
		push	ecx
		push	162h
		jmp	loc_68DBB3
; 

loc_68DFD2:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+474j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_68DFE8
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_34]

loc_68DFE8:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+4A4j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_1C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [ebp+var_8]
		mov	dword ptr [ecx+10h], 0
		push	30h
		sub	ecx, [eax+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_68E038
		mov	eax, [ebp+var_8]
		movzx	ecx, byte ptr [eax+1E4h]
		bts	ecx, edx
		mov	[eax+1E4h], cl
		jmp	short loc_68E054
; 

loc_68E038:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+4E7j
		mov	esi, [ebp+var_8]
		mov	al, 1
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+var_8]
		jmp	short loc_68E054
; 

loc_68E052:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+481j
		mov	eax, ecx

loc_68E054:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+4FCj
					; ExpSaAllocatorAllocate(x,x,x)+516j
		nop
		dec	byte ptr [eax+1E6h]
		mov	ecx, edi
		and	ecx, 1FFFFh
		mov	[ebp+var_34], ecx
		jz	short loc_68E0C3
		test	edi, 8000h
		jz	short loc_68E07C
		xor	edx, edx
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+var_8]

loc_68E07C:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+534j
		test	byte ptr [ebp+var_1C+2], 1
		jz	short loc_68E08C
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68E08C:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+546j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_68E0A5
		and	edi, eax
		mov	edx, edi
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority
		jmp	short loc_68E0A8
; 

loc_68E0A5:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+559j
		mov	edi, [ebp+var_8]

loc_68E0A8:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+569j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68E0C0
		push	[ebp+var_34]
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_68E0C0:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+578j
		mov	eax, [ebp+var_8]

loc_68E0C3:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+52Cj
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_68E0DB
		nop
		add	eax, 70h
		cmp	[eax], eax
		jz	short loc_68E0DB
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68E0DB:				; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+3E2j
					; ExpSaAllocatorAllocate(x,x,x)+403j ...
		mov	eax, [ebp+var_14]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
_ExpSaAllocatorAllocate@12 endp	; sp =	4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSaAllocatorFree(x, x, x,	x)
_ExpSaAllocatorFree@16 proc near	; CODE XREF: ExSaFree(x,x)+44p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, edx
		mov	[ebp+var_C], 0FFFFFFFFh
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], eax
		push	edi
		cmp	dword ptr [eax+18h], 1
		mov	[ebp+var_28], esi
		jnz	loc_68E297
		xor	eax, eax
		mov	byte ptr [ebp+var_4+3],	1
		and	ecx, 7FFFFFFCh
		mov	[ebp+var_1C], eax
		mov	[ebp+var_8], ecx
		jnz	short loc_68E13B
		mov	edi, eax
		jmp	loc_68E246
; 

loc_68E13B:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+49j
		mov	edi, large fs:124h
		dec	word ptr [edi+13Eh]
		nop
		inc	byte ptr [edi+1E6h]
		nop
		cmp	byte ptr [edi+1E6h], 1
		jz	short loc_68E171

loc_68E15A:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+1E5j
		push	eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	esi
		push	edi
		push	192h

loc_68E16C:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+3E3j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68E171:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+6Fj
		mov	cl, [edi+1E4h]
		mov	[ebp+var_18], eax
		test	cl, cl
		jnz	short loc_68E194
		lea	ecx, [edi+222h]
		cmp	[ecx], al
		jz	short loc_68E1BE
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [edi+1E4h]
		or	cl, al

loc_68E194:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+93j
		movzx	ecx, cl
		bsf	eax, ecx
		imul	edx, eax, 30h
		btr	ecx, eax
		mov	[ebp+var_18], eax
		mov	[edi+1E4h], cl
		add	edx, [edi+1E8h]
		mov	[ebp+var_10], edx
		jnz	short loc_68E1D8

loc_68E1B4:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+E2j
					; ExpSaAllocatorFree(x,x,x,x)+EDj
		lea	eax, [edi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_68E217
; 

loc_68E1BE:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+9Dj
		test	dword ptr ds:byte_70EFC4, 200h
		mov	[ebp+var_10], eax
		jz	short loc_68E1B4
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_68E1B4
; 

loc_68E1D8:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+C9j
		mov	ecx, ds:dword_6D07D0
		mov	eax, esi
		shr	eax, 15h
		cmp	esi, ecx
		jb	short loc_68E20A
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68E1FD
		cmp	esi, ecx
		jb	short loc_68E20A
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_68E20A

loc_68E1FD:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+105j
		mov	ecx, [edi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_68E20D
; 

loc_68E20A:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+FCj
					; ExpSaAllocatorFree(x,x,x,x)+109j ...
		or	eax, 0FFFFFFFFh

loc_68E20D:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+11Fj
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp+var_8]
		mov	[edx+10h], eax

loc_68E217:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+D3j
		nop
		dec	byte ptr [edi+1E6h]
		lea	eax, [ebp+var_1C]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [edi+13Eh], 1
		jnz	short loc_68E243
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jz	short loc_68E243
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68E243:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+14Bj
					; ExpSaAllocatorFree(x,x,x,x)+153j
		mov	edi, [ebp+var_10]

loc_68E246:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+4Dj
		lock bts dword ptr [esi], 0
		jnb	short loc_68E257
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx

loc_68E257:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+162j
		test	edi, edi
		jz	short loc_68E25F
		or	byte ptr [edi+0Eh], 1

loc_68E25F:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+170j
		mov	edx, [ebp+var_14]
		and	dword ptr [edx+18h], 0
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_68E292
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	short loc_68E292
		mov	[ecx], eax
		mov	[eax+4], ecx
		lea	eax, [esi+4]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_68E292
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[eax+4], edx
		jmp	loc_68E3C8
; 

loc_68E292:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+182j
					; ExpSaAllocatorFree(x,x,x,x)+189j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_68E297:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+31j
		xor	eax, eax
		and	ecx, 7FFFFFFCh
		mov	byte ptr [ebp+var_4+3],	al
		mov	[ebp+var_24], eax
		mov	[ebp+var_8], ecx
		jnz	short loc_68E2B1
		mov	edi, eax
		jmp	loc_68E3A9
; 

loc_68E2B1:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+1BFj
		mov	edi, large fs:124h
		dec	word ptr [edi+13Eh]
		nop
		inc	byte ptr [edi+1E6h]
		nop
		cmp	byte ptr [edi+1E6h], 1
		jnz	loc_68E15A
		mov	cl, [edi+1E4h]
		mov	[ebp+var_20], eax
		test	cl, cl
		jnz	short loc_68E2F7
		lea	ecx, [edi+222h]
		cmp	[ecx], al
		jz	short loc_68E321
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [edi+1E4h]
		or	cl, al

loc_68E2F7:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+1F6j
		movzx	ecx, cl
		bsf	eax, ecx
		imul	edx, eax, 30h
		btr	ecx, eax
		mov	[ebp+var_20], eax
		mov	[edi+1E4h], cl
		add	edx, [edi+1E8h]
		mov	[ebp+var_10], edx
		jnz	short loc_68E33B

loc_68E317:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+245j
					; ExpSaAllocatorFree(x,x,x,x)+250j
		lea	eax, [edi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_68E37A
; 

loc_68E321:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+200j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	[ebp+var_10], eax
		jz	short loc_68E317
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_68E317
; 

loc_68E33B:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+22Cj
		mov	ecx, ds:dword_6D07D0
		mov	eax, esi
		shr	eax, 15h
		cmp	esi, ecx
		jb	short loc_68E36D
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68E360
		cmp	esi, ecx
		jb	short loc_68E36D
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_68E36D

loc_68E360:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+268j
		mov	ecx, [edi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_68E370
; 

loc_68E36D:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+25Fj
					; ExpSaAllocatorFree(x,x,x,x)+26Cj ...
		or	eax, 0FFFFFFFFh

loc_68E370:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+282j
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp+var_8]
		mov	[edx+10h], eax

loc_68E37A:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+236j
		nop
		dec	byte ptr [edi+1E6h]
		lea	eax, [ebp+var_24]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [edi+13Eh], 1
		jnz	short loc_68E3A6
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jz	short loc_68E3A6
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68E3A6:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+2AEj
					; ExpSaAllocatorFree(x,x,x,x)+2B6j
		mov	edi, [ebp+var_10]

loc_68E3A9:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+1C3j
		push	11h
		pop	ecx
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_68E3C0
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockSharedEx

loc_68E3C0:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+2CBj
		test	edi, edi
		jz	short loc_68E3C8
		or	byte ptr [edi+0Eh], 1

loc_68E3C8:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+1A4j
					; ExpSaAllocatorFree(x,x,x,x)+2D9j
		push	dword ptr [ebx+8]
		mov	edx, [ebx+0Ch]
		lea	edi, [esi+24h]
		mov	ecx, [ebp+var_14]
		call	_ExpSaPageGroupFreeMemory@12 ; ExpSaPageGroupFreeMemory(x,x,x)
		test	al, al
		jz	short loc_68E3F0
		push	2
		pop	edx
		mov	eax, [edi]

loc_68E3E2:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+301j
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [edi], ecx
		jnz	short loc_68E3E2
		or	eax, edx
		jmp	short loc_68E3F2
; 

loc_68E3F0:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+2F2j
		mov	eax, [edi]

loc_68E3F2:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+305j
		test	al, 2
		jz	short loc_68E40F
		cmp	byte ptr [ebp+var_4+3],	0
		jnz	short loc_68E41A
		xor	ecx, ecx
		push	11h
		inc	ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_68E41A
		xor	al, al
		jmp	short loc_68E412
; 

loc_68E40F:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+30Bj
		mov	al, byte ptr [ebp+var_4+3]

loc_68E412:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+324j
		test	al, al
		jz	loc_68E5DC

loc_68E41A:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+311j
					; ExpSaAllocatorFree(x,x,x,x)+320j
		mov	ecx, esi
		call	_ExpSaAllocatorOptimizeList@4 ;	ExpSaAllocatorOptimizeList(x)
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_68E435
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_68E435:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+343j
		xor	edi, edi
		mov	[ebp+var_14], edi
		cmp	[ebp+var_8], edi
		jz	loc_68E5F8
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edx, ds:dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_8], eax
		cmp	esi, edx
		jb	short loc_68E482
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_68E471
		cmp	esi, edx
		jb	short loc_68E482
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_68E482

loc_68E471:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+379j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]

loc_68E482:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+370j
					; ExpSaAllocatorFree(x,x,x,x)+37Dj ...
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	edx, esi
		push	[ebp+var_C]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jnz	short loc_68E4D1
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_68E551
		push	0
		push	[ebp+var_C]
		push	esi
		push	ecx
		push	162h
		jmp	loc_68E16C
; 

loc_68E4D1:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+3C4j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_68E4E7
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_10]

loc_68E4E7:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+3F4j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_14], edi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [ebp+var_8]
		mov	dword ptr [ecx+10h], 0
		push	30h
		sub	ecx, [eax+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_68E537
		mov	eax, [ebp+var_8]
		movzx	ecx, byte ptr [eax+1E4h]
		bts	ecx, edx
		mov	[eax+1E4h], cl
		jmp	short loc_68E553
; 

loc_68E537:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+437j
		mov	esi, [ebp+var_8]
		mov	al, 1
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_28]
		mov	eax, [ebp+var_8]
		jmp	short loc_68E553
; 

loc_68E551:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+3D1j
		mov	eax, ecx

loc_68E553:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+44Cj
					; ExpSaAllocatorFree(x,x,x,x)+466j
		nop
		dec	byte ptr [eax+1E6h]
		mov	ecx, edi
		and	ecx, 1FFFFh
		mov	[ebp+var_28], ecx
		jz	short loc_68E5C2
		test	edi, 8000h
		jz	short loc_68E57B
		xor	edx, edx
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+var_8]

loc_68E57B:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+484j
		test	byte ptr [ebp+var_14+2], 1
		jz	short loc_68E58B
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68E58B:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+496j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_68E5A4
		and	edi, eax
		mov	edx, edi
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		call	KiAbThreadUnboostCpuPriority
		jmp	short loc_68E5A7
; 

loc_68E5A4:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+4A9j
		mov	edi, [ebp+var_8]

loc_68E5A7:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+4B9j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68E5BF
		push	[ebp+var_28]
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_68E5BF:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+4C8j
		mov	eax, [ebp+var_8]

loc_68E5C2:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+47Cj
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_68E5F8
		nop
		add	eax, 70h
		cmp	[eax], eax
		jz	short loc_68E5F8
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_68E5F8
; 

loc_68E5DC:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+32Bj
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_68E5F1
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_68E5F1:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+4FFj
		mov	ecx, esi
		call	KeAbPostRelease

loc_68E5F8:				; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+354j
					; ExpSaAllocatorFree(x,x,x,x)+4E2j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_ExpSaAllocatorFree@16 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSaAllocatorOptimizeList(x)
_ExpSaAllocatorOptimizeList@4 proc near	; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+3BBp
					; ExpSaAllocatorFree(x,x,x,x)+333p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+24h]
		mov	[ebp+var_4], eax
		test	al, 2
		jz	short loc_68E68B
		lea	edi, [esi+4]
		mov	ecx, [edi]
		cmp	ecx, edi
		jz	short loc_68E685

loc_68E621:				; CODE XREF: ExpSaAllocatorOptimizeList(x)+7Dj
		mov	eax, [ecx+14h]
		mov	ebx, [ecx]
		cmp	eax, 400h
		jnz	short loc_68E647
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_68E690
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_68E690
		mov	[edx], eax
		mov	[eax+4], edx
		call	_ExpSaPageGroupDescriptorFree@4	; ExpSaPageGroupDescriptorFree(x)
		jmp	short loc_68E67C
; 

loc_68E647:				; CODE XREF: ExpSaAllocatorOptimizeList(x)+28j
		mov	eax, [ecx+14h]
		test	eax, eax
		jnz	short loc_68E67C
		mov	eax, [ecx]
		mov	dword ptr [ecx+18h], 1
		cmp	[eax+4], ecx
		jnz	short loc_68E690
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_68E690
		mov	[edx], eax
		mov	[eax+4], edx
		lea	eax, [esi+0Ch]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_68E690
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx

loc_68E67C:				; CODE XREF: ExpSaAllocatorOptimizeList(x)+42j
					; ExpSaAllocatorOptimizeList(x)+49j
		mov	ecx, ebx
		cmp	ebx, edi
		jnz	short loc_68E621
		mov	eax, [ebp+var_4]

loc_68E685:				; CODE XREF: ExpSaAllocatorOptimizeList(x)+1Cj
		and	eax, 0FFFFFFFDh
		mov	[esi+24h], eax

loc_68E68B:				; CODE XREF: ExpSaAllocatorOptimizeList(x)+13j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_68E690:				; CODE XREF: ExpSaAllocatorOptimizeList(x)+2Fj
					; ExpSaAllocatorOptimizeList(x)+36j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExpSaAllocatorOptimizeList@4 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall ExpSaBinaryArrayChunkAllocate(x, x)
_ExpSaBinaryArrayChunkAllocate@8 proc near ; CODE XREF:	ExpSaBinaryArrayInsert(x,x,x)+24p
		mov	edi, edi
		push	esi
		push	edi
		movzx	eax, dx
		lea	edi, ds:4[ecx*4]
		push	0
		or	eax, 80000000h
		mov	edx, edi
		push	eax
		push	61537845h
		mov	ecx, 200h
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jz	short loc_68E6CE
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_68E6CE:				; CODE XREF: ExpSaBinaryArrayChunkAllocate(x,x)+2Bj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_ExpSaBinaryArrayChunkAllocate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSaBinaryArrayInsert(x, x, x)
_ExpSaBinaryArrayInsert@12 proc	near	; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+260p
					; ExpSaPageGroupDescriptorAllocate(x,x)+355p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	ebx, ecx
		xor	esi, esi

loc_68E6E3:				; CODE XREF: ExpSaBinaryArrayInsert(x,x,x)+3Cj
		mov	edx, [ebx+esi*4]
		lea	ecx, [esi+2]
		xor	edi, edi
		inc	edi
		shl	edi, cl
		test	edx, edx
		jnz	short loc_68E705
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_ExpSaBinaryArrayChunkAllocate@8 ; ExpSaBinaryArrayChunkAllocate(x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_68E711
		mov	[ebx+esi*4], edx

loc_68E705:				; CODE XREF: ExpSaBinaryArrayInsert(x,x,x)+1Dj
		mov	ecx, [edx]
		cmp	ecx, edi
		jb	short loc_68E716
		inc	esi
		cmp	esi, 10h
		jb	short loc_68E6E3

loc_68E711:				; CODE XREF: ExpSaBinaryArrayInsert(x,x,x)+2Dj
		or	eax, 0FFFFFFFFh
		jmp	short loc_68E73A
; 

loc_68E716:				; CODE XREF: ExpSaBinaryArrayInsert(x,x,x)+36j
		mov	eax, ecx
		cmp	dword ptr [edx+eax*4+4], 0
		jz	short loc_68E72A
		dec	edi

loc_68E720:				; CODE XREF: ExpSaBinaryArrayInsert(x,x,x)+55j
		inc	eax
		and	eax, edi
		cmp	dword ptr [edx+eax*4+4], 0
		jnz	short loc_68E720

loc_68E72A:				; CODE XREF: ExpSaBinaryArrayInsert(x,x,x)+4Aj
		inc	ecx
		mov	[edx], ecx
		mov	ecx, [ebp+var_4]
		mov	[edx+eax*4+4], ecx
		lea	ecx, [esi+2]
		bts	eax, ecx

loc_68E73A:				; CODE XREF: ExpSaBinaryArrayInsert(x,x,x)+41j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpSaBinaryArrayInsert@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSaBinaryArrayRemove(x, x)
_ExpSaBinaryArrayRemove@8 proc near	; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+3E2p
					; ExpSaPageGroupDescriptorAllocate(x,x)+3FDp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		bsr	eax, edx
		push	esi
		mov	esi, ecx
		btc	edx, eax
		push	edi
		xor	edi, edi
		mov	ecx, [esi+eax*4-8]
		mov	[ecx+edx*4+4], edi
		sub	dword ptr [ecx], 1
		jnz	short loc_68E76B
		push	edi
		push	ecx
		mov	[esi+eax*4-8], edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_68E76B:				; CODE XREF: ExpSaBinaryArrayRemove(x,x)+1Dj
		pop	edi
		pop	esi
		leave
		retn
_ExpSaBinaryArrayRemove@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSaPageGroupAllocateMemory(x, x)
_ExpSaPageGroupAllocateMemory@8	proc near ; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+188p
					; ExpSaAllocatorAllocate(x,x,x)+335p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, [ecx+14h]
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], ecx
		push	esi
		push	edi
		cmp	eax, edx
		jnb	short loc_68E7A0
		or	eax, 0FFFFFFFFh
		jmp	loc_68EB07
; 

loc_68E7A0:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+27j
		lea	esi, [ecx+0Ch]
		mov	[ebp+var_10], 0FFFFFFFFh
		xor	edx, edx
		mov	eax, esi
		and	eax, 7FFFFFFCh
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], eax
		jnz	short loc_68E7C2
		mov	edi, edx
		jmp	loc_68E8CF
; 

loc_68E7C2:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+4Aj
		mov	edi, large fs:124h
		dec	word ptr [edi+13Eh]
		nop
		inc	byte ptr [edi+1E6h]
		nop
		cmp	byte ptr [edi+1E6h], 1
		jz	short loc_68E7F8
		push	edx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	esi
		push	edi
		push	192h

loc_68E7F3:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+281j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68E7F8:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+70j
		mov	cl, [edi+1E4h]
		mov	[ebp+var_34], edx
		test	cl, cl
		jnz	short loc_68E81B
		lea	ecx, [edi+222h]
		cmp	[ecx], dl
		jz	short loc_68E845
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [edi+1E4h]
		or	cl, al

loc_68E81B:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+94j
		movzx	ecx, cl
		bsf	eax, ecx
		imul	edx, eax, 30h
		btr	ecx, eax
		mov	[ebp+var_34], eax
		mov	[edi+1E4h], cl
		add	edx, [edi+1E8h]
		mov	[ebp+var_8], edx
		jnz	short loc_68E85F

loc_68E83B:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+E3j
					; ExpSaPageGroupAllocateMemory(x,x)+EEj
		lea	eax, [edi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_68E8A0
; 

loc_68E845:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+9Ej
		test	dword ptr ds:byte_70EFC4, 200h
		mov	[ebp+var_8], edx
		jz	short loc_68E83B
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_68E83B
; 

loc_68E85F:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+CAj
		mov	ecx, ds:dword_6D07D0
		mov	eax, esi
		shr	eax, 15h
		cmp	esi, ecx
		jb	short loc_68E893
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68E884
		cmp	esi, ecx
		jb	short loc_68E893
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_68E893

loc_68E884:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+106j
		mov	ecx, [edi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		jmp	short loc_68E896
; 

loc_68E893:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+FDj
					; ExpSaPageGroupAllocateMemory(x,x)+10Aj ...
		or	ecx, 0FFFFFFFFh

loc_68E896:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+122j
		mov	[edx+14h], ecx
		nop
		mov	eax, [ebp+var_30]
		mov	[edx+10h], eax

loc_68E8A0:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+D4j
		nop
		dec	byte ptr [edi+1E6h]
		lea	eax, [ebp+var_38]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [edi+13Eh], 1
		jnz	short loc_68E8CC
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jz	short loc_68E8CC
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68E8CC:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+14Ej
					; ExpSaPageGroupAllocateMemory(x,x)+156j
		mov	edi, [ebp+var_8]

loc_68E8CF:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+4Ej
		lock bts dword ptr [esi], 0
		jnb	short loc_68E8E0
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx

loc_68E8E0:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+165j
		test	edi, edi
		jz	short loc_68E8E8
		or	byte ptr [edi+0Eh], 1

loc_68E8E8:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+173j
		mov	edi, [ebp+var_C]
		mov	ecx, [ebp+var_14]
		mov	eax, [edi+14h]
		cmp	eax, ecx
		jnb	short loc_68E8FC
		or	eax, 0FFFFFFFFh

loc_68E8F8:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+1A1j
		mov	edi, eax
		jmp	short loc_68E937
; 

loc_68E8FC:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+184j
		push	dword ptr [edi+1Ch]
		lea	eax, [edi+20h]
		push	ecx
		push	eax
		call	RtlFindClearBitsAndSet
		mov	ecx, eax
		or	eax, 0FFFFFFFFh
		cmp	ecx, eax
		jz	short loc_68E8F8
		mov	eax, [ebp+var_14]
		sub	[edi+14h], eax
		add	eax, ecx
		mov	[edi+1Ch], eax
		and	ecx, 3FFh
		mov	edi, [edi+10h]
		and	edi, 3FFFFh
		shl	edi, 0Ah
		or	edi, ecx
		shl	edi, 3
		or	eax, 0FFFFFFFFh

loc_68E937:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+18Bj
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_68E948
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_68E948:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+1D0j
		xor	esi, esi
		mov	[ebp+var_14], esi
		cmp	[ebp+var_30], esi
		jz	loc_68EB05
		mov	edx, [ebp+var_C]
		mov	eax, large fs:124h
		add	edx, 0Ch
		mov	[ebp+var_8], eax
		mov	ecx, edx
		mov	eax, ds:dword_6D07D0
		shr	ecx, 15h
		cmp	edx, eax
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_8]
		jb	short loc_68E982
		cmp	byte ptr ds:dword_6D3994[ecx], 1
		jz	short loc_68E990

loc_68E982:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+208j
		cmp	edx, [ebp+var_30]
		jb	short loc_68E9A1
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jnz	short loc_68E9A1

loc_68E990:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+211j
		mov	ecx, [eax+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_8]

loc_68E9A1:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+216j
					; ExpSaPageGroupAllocateMemory(x,x)+21Fj
		dec	word ptr [eax+13Eh]
		nop
		inc	byte ptr [eax+1E6h]
		nop
		mov	cl, [eax+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, [ebp+var_10]
		push	ecx
		mov	ecx, eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_68E9F5
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jnz	loc_68EA78
		mov	edx, [ebp+var_C]
		push	0
		push	[ebp+var_10]
		add	edx, 0Ch
		push	edx
		push	ecx
		push	162h
		jmp	loc_68E7F3
; 

loc_68E9F5:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+25Cj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], esi
		jge	short loc_68EA0B
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_68EA0B:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+292j
		mov	eax, [ecx+2Ch]
		mov	esi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	esi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_30], esi
		mov	[ebp+var_14], esi
		mov	[ecx+2Ch], eax
		nop
		mov	eax, [ebp+var_8]
		mov	dword ptr [ecx+10h], 0
		push	30h
		sub	ecx, [eax+1E8h]
		mov	eax, ecx
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_68EA5E
		mov	eax, [ebp+var_8]
		movzx	ecx, byte ptr [eax+1E4h]
		bts	ecx, edx
		mov	[eax+1E4h], cl
		jmp	short loc_68EA7A
; 

loc_68EA5E:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+2D8j
		mov	esi, [ebp+var_8]
		mov	al, 1
		mov	ecx, edx
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_30]
		mov	eax, [ebp+var_8]
		jmp	short loc_68EA7A
; 

loc_68EA78:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+269j
		mov	eax, ecx

loc_68EA7A:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+2EDj
					; ExpSaPageGroupAllocateMemory(x,x)+307j
		nop
		dec	byte ptr [eax+1E6h]
		mov	ecx, esi
		and	ecx, 1FFFFh
		mov	[ebp+var_38], ecx
		jz	short loc_68EAED
		test	esi, 8000h
		jz	short loc_68EAA2
		xor	edx, edx
		mov	ecx, eax
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)
		mov	eax, [ebp+var_8]

loc_68EAA2:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+325j
		test	byte ptr [ebp+var_14+2], 1
		jz	short loc_68EAB2
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68EAB2:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+337j
		mov	eax, 7FFFh
		test	esi, eax
		jz	short loc_68EACB
		and	esi, eax
		mov	edx, esi
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		call	KiAbThreadUnboostCpuPriority
		jmp	short loc_68EACE
; 

loc_68EACB:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+34Aj
		mov	esi, [ebp+var_8]

loc_68EACE:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+35Aj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68EAEA
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		push	[ebp+var_38]
		lea	edx, [edx+0Ch]
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_68EAEA:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+369j
		mov	eax, [ebp+var_8]

loc_68EAED:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+31Dj
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_68EB05
		nop
		add	eax, 70h
		cmp	[eax], eax
		jz	short loc_68EB05
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68EB05:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+1E1j
					; ExpSaPageGroupAllocateMemory(x,x)+387j ...
		mov	eax, edi

loc_68EB07:				; CODE XREF: ExpSaPageGroupAllocateMemory(x,x)+2Cj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_ExpSaPageGroupAllocateMemory@8	endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSaPageGroupDescriptorAllocate(x,	x)
_ExpSaPageGroupDescriptorAllocate@8 proc near
					; CODE XREF: ExpSaAllocatorAllocate(x,x,x)+321p

var_76		= byte ptr -76h
var_75		= byte ptr -75h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_62		= byte ptr -62h
var_5E		= byte ptr -5Eh
var_5D		= byte ptr -5Dh
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF0h
		sub	esp, 68h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+68h+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+70h+var_5E], dl
		lea	edi, [esp+70h+var_1C]
		mov	[esp+70h+var_5D], 0
		stosd
		mov	esi, ecx
		push	0FFFFh
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+74h+var_10]
		stosd
		stosd
		stosd
		call	KeQueryMaximumProcessorCountEx
		and	dword ptr [esp+14h], 0
		xor	ecx, ecx
		cmp	[esp+74h+var_62], cl
		mov	edx, 0A8h
		mov	[esp+74h+var_58], eax
		mov	eax, large fs:20h
		setnz	cl
		dec	ecx
		push	0
		and	ecx, 1FFh
		mov	eax, [eax+338h]
		inc	ecx
		mov	[esp+78h+var_38], ecx
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	61537845h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		mov	[esp+74h+var_2C], edi
		test	edi, edi
		jz	loc_68F0F2
		push	0A8h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ecx, 400h
		mov	[esp+80h+var_30], 0FFFFFFFFh
		lea	eax, [edi+28h]
		mov	[edi+20h], ecx
		mov	[edi+24h], eax
		mov	edx, offset _ExSaPageGroupDescriptorArrayLock
		mov	[edi+14h], ecx
		mov	eax, edx
		xor	ecx, ecx
		mov	[edi+8], esi
		add	esp, 0Ch
		mov	[esp+74h+var_24], ecx
		and	eax, 7FFFFFFCh
		mov	[esp+74h+var_34], eax
		jnz	short loc_68EBF0
		mov	esi, ecx
		jmp	loc_68ED38
; 

loc_68EBF0:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+D7j
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_68EC2B
		push	ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		mov	eax, offset _ExSaPageGroupDescriptorArrayLock
		push	eax
		push	esi
		push	192h

loc_68EC26:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+4D7j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68EC2B:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+FDj
		mov	dl, [esi+1E4h]
		mov	[esp+88h+var_3C], ecx
		test	dl, dl
		jnz	short loc_68EC4F
		lea	ecx, [esi+222h]
		cmp	[ecx], dl
		jz	short loc_68EC80
		xor	al, al
		xchg	al, [ecx]
		mov	dl, [esi+1E4h]
		or	dl, al

loc_68EC4F:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+127j
		movzx	eax, dl
		bsf	ecx, eax
		mov	al, 1
		shl	al, cl
		not	al
		mov	[esp+88h+var_3C], ecx
		and	al, dl
		imul	edx, ecx, 30h
		mov	[esi+1E4h], al
		add	edx, [esi+1E8h]
		mov	[esp+88h+var_70], edx
		jnz	short loc_68EC9F

loc_68EC76:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+17Fj
					; ExpSaPageGroupDescriptorAllocate(x,x)+18Dj
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_68ECF1
; 

loc_68EC80:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+131j
		and	[esp+88h+var_70], 0
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68EC76
		mov	edx, offset _ExSaPageGroupDescriptorArrayLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_68EC76
; 

loc_68EC9F:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+164j
		mov	eax, ds:dword_6D07D0
		mov	ecx, offset _ExSaPageGroupDescriptorArrayLock
		shr	ecx, 15h
		mov	[esp+88h+var_68], eax
		cmp	eax, offset _ExSaPageGroupDescriptorArrayLock
		ja	short loc_68ECD6
		mov	eax, ecx
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68ECDB
		mov	eax, [esp+88h+var_68]
		cmp	eax, offset _ExSaPageGroupDescriptorArrayLock
		ja	short loc_68ECD6
		cmp	byte ptr ds:dword_6D3994[ecx], 0Bh
		jz	short loc_68ECDB

loc_68ECD6:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+1A5j
					; ExpSaPageGroupDescriptorAllocate(x,x)+1BBj
		or	eax, 0FFFFFFFFh
		jmp	short loc_68ECE6
; 

loc_68ECDB:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+1B0j
					; ExpSaPageGroupDescriptorAllocate(x,x)+1C4j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_68ECE6:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+1C9j
		mov	[edx+14h], eax
		nop
		mov	eax, [esp+88h+var_48]
		mov	[edx+10h], eax

loc_68ECF1:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+16Ej
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [esp+88h+var_38]
		push	eax
		mov	edx, offset _ExSaPageGroupDescriptorArrayLock
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_68ED2F
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68ED2F
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68ED2F:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+210j
					; ExpSaPageGroupDescriptorAllocate(x,x)+218j
		mov	esi, [esp+88h+var_70]
		mov	edx, offset _ExSaPageGroupDescriptorArrayLock

loc_68ED38:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+DBj
		lock bts dword ptr [edx], 0
		jnb	short loc_68ED4C
		push	edx
		mov	edx, esi
		mov	ecx, offset _ExSaPageGroupDescriptorArrayLock
		call	ExfAcquirePushLockExclusiveEx

loc_68ED4C:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+22Dj
		test	esi, esi
		jz	short loc_68ED54
		or	byte ptr [esi+0Eh], 1

loc_68ED54:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+23Ej
		mov	eax, large fs:20h
		mov	edx, edi
		mov	ecx, ds:_ExSaPageGroupDescriptorArray
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		push	eax
		call	_ExpSaBinaryArrayInsert@12 ; ExpSaBinaryArrayInsert(x,x,x)
		mov	[edi+10h], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_68EEB8
		mov	edx, ds:_KeNumberProcessors
		xor	ecx, ecx
		mov	[esp+88h+var_54], edx
		mov	[esp+88h+var_74], ecx
		cmp	[esp+88h+var_6C], ecx
		jbe	loc_68EE8E

loc_68ED9B:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+372j
		mov	eax, ds:_ExSaPageArrays
		mov	eax, [eax+ecx*4]
		mov	[esp+88h+var_68], eax
		cmp	ecx, edx
		jnb	short loc_68EDB2
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		jmp	short loc_68EDB8
; 

loc_68EDB2:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+299j
		mov	eax, large fs:20h

loc_68EDB8:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+2A0j
		cmp	[esp+88h+var_76], 0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		mov	[esp+88h+var_70], eax
		jz	short loc_68EE33
		xor	esi, esi
		lea	ecx, [esp+88h+var_34]
		push	esi
		push	ecx
		push	eax
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		cmp	[esp+88h+var_75], 0
		jnz	short loc_68EDF1
		lea	eax, [esp+88h+var_28]
		mov	[esp+88h+var_75], 1
		push	eax
		jmp	short loc_68EDF2
; 

loc_68EDF1:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+2D3j
		push	esi

loc_68EDF2:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+2DFj
		lea	eax, [esp+8Ch+var_34]
		push	eax
		call	KeSetSystemGroupAffinityThread
		mov	eax, large fs:20h
		mov	edx, 1000h
		mov	ecx, [esp+88h+var_4C]
		push	esi
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	61537845h
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jz	short loc_68EE87
		mov	cl, [esi]
		jmp	short loc_68EE57
; 

loc_68EE33:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+2BEj
		mov	ecx, [esp+88h+var_4C]
		mov	edx, 1000h
		movzx	eax, ax
		push	0
		or	eax, 80000000h
		push	eax
		push	61537845h
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jz	short loc_68EE87

loc_68EE57:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+321j
		test	esi, esi
		jz	short loc_68EE87
		push	[esp+88h+var_70]
		mov	ecx, [esp+8Ch+var_68]
		mov	edx, esi
		call	_ExpSaBinaryArrayInsert@12 ; ExpSaBinaryArrayInsert(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_68EE87
		mov	ecx, [esp+88h+var_74]
		inc	ecx
		mov	[esp+88h+var_74], ecx
		cmp	ecx, [esp+88h+var_6C]
		jnb	short loc_68EE8E
		mov	edx, [esp+88h+var_54]
		jmp	loc_68ED9B
; 

loc_68EE87:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+31Dj
					; ExpSaPageGroupDescriptorAllocate(x,x)+345j ...
		mov	[esp+88h+var_76], 0
		jmp	short loc_68EE95
; 

loc_68EE8E:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+285j
					; ExpSaPageGroupDescriptorAllocate(x,x)+36Cj
		xor	esi, esi
		mov	[esp+88h+var_76], 1

loc_68EE95:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+37Cj
		cmp	[esp+88h+var_75], 0
		jz	short loc_68EEA6
		lea	eax, [esp+88h+var_28]
		push	eax
		call	KeRevertToUserGroupAffinityThread

loc_68EEA6:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+38Aj
		test	esi, esi
		jz	short loc_68EEB1
		mov	ecx, esi
		call	ExFreeHeapPool

loc_68EEB1:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+398j
		cmp	[esp+88h+var_76], 0
		jnz	short loc_68EF1E

loc_68EEB8:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+26Bj
		mov	edx, [edi+10h]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_68EF12
		mov	ecx, [esp+88h+var_74]
		test	ecx, ecx
		jz	short loc_68EF07

loc_68EEC8:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+3F2j
		mov	eax, ds:_ExSaPageArrays
		mov	esi, [eax+ecx*4-4]
		mov	eax, [edi+10h]
		bsr	ecx, eax
		btc	eax, ecx
		sub	ecx, 2
		mov	[esp+88h+var_50], ecx
		mov	ecx, [esi+ecx*4]
		mov	ecx, [ecx+eax*4+4]
		call	ExFreeHeapPool
		mov	edx, [edi+10h]
		mov	ecx, esi
		call	_ExpSaBinaryArrayRemove@8 ; ExpSaBinaryArrayRemove(x,x)
		mov	ecx, [esp+88h+var_74]
		sub	ecx, 1
		mov	[esp+88h+var_74], ecx
		jnz	short loc_68EEC8
		mov	edx, [edi+10h]

loc_68EF07:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+3B6j
		mov	ecx, ds:_ExSaPageGroupDescriptorArray
		call	_ExpSaBinaryArrayRemove@8 ; ExpSaBinaryArrayRemove(x,x)

loc_68EF12:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+3AEj
		mov	ecx, edi
		call	ExFreeHeapPool
		and	[esp+88h+var_40], 0

loc_68EF1E:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+3A6j
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _ExSaPageGroupDescriptorArrayLock
		mov	eax, edx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_68EF3F
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _ExSaPageGroupDescriptorArrayLock

loc_68EF3F:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+420j
		xor	edi, edi
		mov	[esp+88h+var_6C], edi
		cmp	[esp+88h+var_48], edi
		jz	loc_68F0EE
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	ecx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[esp+88h+var_68], esi
		cmp	ecx, offset _ExSaPageGroupDescriptorArrayLock
		ja	short loc_68EF98
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68EF87
		cmp	ecx, offset _ExSaPageGroupDescriptorArrayLock
		ja	short loc_68EF98
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_68EF98

loc_68EF87:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+464j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[esp+88h+var_44], edx

loc_68EF98:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+45Bj
					; ExpSaPageGroupDescriptorAllocate(x,x)+46Cj ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _ExSaPageGroupDescriptorArrayLock
		mov	[esp+8Ch+var_75], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+88h+var_54], ecx
		test	ecx, ecx
		jnz	short loc_68EFEC
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_68F062
		push	ecx
		push	[esp+8Ch+var_44]
		mov	eax, offset _ExSaPageGroupDescriptorArrayLock
		push	eax
		push	esi
		push	162h
		jmp	loc_68EC26
; 

loc_68EFEC:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+4B6j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_68F003
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+88h+var_54]

loc_68F003:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+4E8j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+88h+var_6C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[esp+88h+var_75], 1
		mov	edx, eax
		jnz	short loc_68F04F
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_68F062
; 

loc_68F04F:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+52Bj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [esp+88h+var_68]

loc_68F062:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+4C0j
					; ExpSaPageGroupDescriptorAllocate(x,x)+53Dj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+88h+var_50], eax
		jz	short loc_68F0C8
		test	edi, 8000h
		jz	short loc_68F087
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68F087:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+56Cj
		test	byte ptr [esp+88h+var_6C+2], 1
		jz	short loc_68F098
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68F098:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+57Cj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_68F0AC
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_68F0AC:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+58Fj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68F0C8
		push	[esp+88h+var_50]
		mov	edx, offset _ExSaPageGroupDescriptorArrayLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_68F0C8:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+564j
					; ExpSaPageGroupDescriptorAllocate(x,x)+5A6j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_68F0EE
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68F0EE
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68F0EE:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+439j
					; ExpSaPageGroupDescriptorAllocate(x,x)+5CFj ...
		mov	eax, [esp+88h+var_40]

loc_68F0F2:				; CODE XREF: ExpSaPageGroupDescriptorAllocate(x,x)+8Fj
		mov	ecx, [esp+88h+var_1C]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_ExpSaPageGroupDescriptorAllocate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSaPageGroupDescriptorFree(x)
_ExpSaPageGroupDescriptorFree@4	proc near ; CODE XREF: ExpSaAllocatorOptimizeList(x)+3Dp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		push	0FFFFh
		mov	[ebp+var_8], ecx
		call	KeQueryMaximumProcessorCountEx
		mov	esi, eax
		mov	ecx, offset _ExSaPageGroupDescriptorArrayLock
		xor	edi, edi
		mov	[ebp+var_C], esi
		mov	eax, ecx
		mov	[ebp+var_1C], edi
		push	0FFFFFFFFh
		and	eax, 7FFFFFFCh
		pop	edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], edx
		jz	loc_68F26F
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_68F18C
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		mov	eax, offset _ExSaPageGroupDescriptorArrayLock
		push	eax
		push	esi
		push	192h

loc_68F187:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+295j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68F18C:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+6Bj
		mov	cl, [esi+1E4h]
		mov	[ebp+var_18], edi
		test	cl, cl
		jnz	short loc_68F1B0
		lea	ecx, [esi+222h]
		cmp	byte ptr [ecx],	0
		jz	short loc_68F1D7
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al

loc_68F1B0:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+94j
		movzx	ecx, cl
		bsf	eax, ecx
		imul	edi, eax, 30h
		btr	ecx, eax
		mov	[ebp+var_18], eax
		mov	[esi+1E4h], cl
		add	edi, [esi+1E8h]
		jnz	short loc_68F1F1

loc_68F1CD:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+DEj
					; ExpSaPageGroupDescriptorFree(x)+ECj
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_68F238
; 

loc_68F1D7:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+9Fj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68F1CD
		mov	edx, offset _ExSaPageGroupDescriptorArrayLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_68F1CD
; 

loc_68F1F1:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+C8j
		mov	ecx, ds:dword_6D07D0
		mov	eax, offset _ExSaPageGroupDescriptorArrayLock
		shr	eax, 15h
		cmp	ecx, offset _ExSaPageGroupDescriptorArrayLock
		ja	short loc_68F22E
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68F221
		cmp	ecx, offset _ExSaPageGroupDescriptorArrayLock
		ja	short loc_68F22E
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_68F22E

loc_68F221:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+10Bj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax

loc_68F22E:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+102j
					; ExpSaPageGroupDescriptorFree(x)+113j	...
		mov	[edi+14h], edx
		nop
		mov	eax, [ebp+var_10]
		mov	[edi+10h], eax

loc_68F238:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+D2j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_1C]
		push	eax
		mov	edx, offset _ExSaPageGroupDescriptorArrayLock
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_68F267
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68F267
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68F267:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+155j
					; ExpSaPageGroupDescriptorFree(x)+15Dj
		mov	esi, [ebp+var_C]
		mov	ecx, offset _ExSaPageGroupDescriptorArrayLock

loc_68F26F:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+48j
		lock bts dword ptr [ecx], 0
		jnb	short loc_68F27E
		push	ecx
		mov	edx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_68F27E:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+171j
		test	edi, edi
		jz	short loc_68F286
		or	byte ptr [edi+0Eh], 1

loc_68F286:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+17Dj
		xor	edi, edi
		test	esi, esi
		jz	short loc_68F2C2

loc_68F28C:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+1BDj
		mov	eax, ds:_ExSaPageArrays
		mov	ecx, [eax+edi*4]
		mov	eax, [ebp+var_8]
		mov	edx, [eax+10h]
		mov	esi, edx
		bsr	eax, edx
		btc	esi, eax
		sub	eax, 2
		mov	[ebp+var_20], eax
		mov	eax, [ecx+eax*4]
		mov	esi, [eax+esi*4+4]
		call	_ExpSaBinaryArrayRemove@8 ; ExpSaBinaryArrayRemove(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		inc	edi
		cmp	edi, [ebp+var_C]
		jb	short loc_68F28C

loc_68F2C2:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+187j
		mov	eax, [ebp+var_8]
		mov	ecx, ds:_ExSaPageGroupDescriptorArray
		mov	edx, [eax+10h]
		call	_ExpSaBinaryArrayRemove@8 ; ExpSaBinaryArrayRemove(x,x)
		or	ecx, 0FFFFFFFFh
		mov	edx, offset _ExSaPageGroupDescriptorArrayLock
		mov	eax, ecx
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_68F2F6
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh
		mov	edx, offset _ExSaPageGroupDescriptorArrayLock

loc_68F2F6:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+1E2j
		xor	edi, edi
		mov	[ebp+var_C], edi
		cmp	[ebp+var_10], edi
		jz	loc_68F48A
		mov	esi, large fs:124h
		mov	eax, edx
		mov	edx, ds:dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_24], esi
		cmp	edx, offset _ExSaPageGroupDescriptorArrayLock
		ja	short loc_68F34B
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68F33B
		cmp	edx, offset _ExSaPageGroupDescriptorArrayLock
		ja	short loc_68F34B
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_68F34B

loc_68F33B:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+225j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_14], ecx

loc_68F34B:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+21Cj
					; ExpSaPageGroupDescriptorFree(x)+22Dj	...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	edx, offset _ExSaPageGroupDescriptorArrayLock
		push	ecx
		mov	ecx, esi
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jnz	short loc_68F39D
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_68F40F
		mov	edx, [ebp+var_14]
		mov	eax, offset _ExSaPageGroupDescriptorArrayLock
		push	ecx
		push	edx
		push	eax
		push	esi
		push	162h
		jmp	loc_68F187
; 

loc_68F39D:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+274j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_68F3B3
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_10]

loc_68F3B3:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+2A6j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_68F3FD
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_68F40F
; 

loc_68F3FD:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+2E6j
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_24]

loc_68F40F:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+27Ej
					; ExpSaPageGroupDescriptorFree(x)+2F8j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_68F472
		test	edi, 8000h
		jz	short loc_68F433
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68F433:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+325j
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_68F443
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68F443:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+334j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_68F457
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_68F457:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+347j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68F472
		push	[ebp+var_24]
		mov	edx, offset _ExSaPageGroupDescriptorArrayLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_68F472:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+31Dj
					; ExpSaPageGroupDescriptorFree(x)+35Ej
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_68F48A
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68F48A
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68F48A:				; CODE XREF: ExpSaPageGroupDescriptorFree(x)+1FBj
					; ExpSaPageGroupDescriptorFree(x)+378j	...
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_ExpSaPageGroupDescriptorFree@4	endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSaPageGroupFreeMemory(x,	x, x)
_ExpSaPageGroupFreeMemory@12 proc near	; CODE XREF: ExpSaAllocatorFree(x,x,x,x)+2EBp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ecx
		mov	[ebp+var_20], edx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		xor	edx, edx
		lea	edi, [eax+0Ch]
		mov	[ebp+var_1C], edx
		mov	eax, edi
		mov	[ebp+var_14], 0FFFFFFFFh
		and	eax, 7FFFFFFCh
		mov	[ebp+var_10], eax
		jnz	short loc_68F4E3
		mov	esi, edx
		jmp	loc_68F5EE
; 

loc_68F4E3:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+3Dj
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_68F519
		push	edx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	edi
		push	esi
		push	192h

loc_68F514:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+249j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_68F519:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+63j
		mov	cl, [esi+1E4h]
		mov	[ebp+var_18], edx
		test	cl, cl
		jnz	short loc_68F53C
		lea	ecx, [esi+222h]
		cmp	[ecx], dl
		jz	short loc_68F566
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al

loc_68F53C:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+87j
		movzx	ecx, cl
		bsf	eax, ecx
		imul	edx, eax, 30h
		btr	ecx, eax
		mov	[ebp+var_18], eax
		mov	[esi+1E4h], cl
		add	edx, [esi+1E8h]
		mov	[ebp+var_C], edx
		jnz	short loc_68F580

loc_68F55C:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+D6j
					; ExpSaPageGroupFreeMemory(x,x,x)+E1j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_68F5BF
; 

loc_68F566:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+91j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	[ebp+var_C], edx
		jz	short loc_68F55C
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_68F55C
; 

loc_68F580:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+BDj
		mov	ecx, ds:dword_6D07D0
		mov	eax, edi
		shr	eax, 15h
		cmp	edi, ecx
		jb	short loc_68F5B2
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68F5A5
		cmp	edi, ecx
		jb	short loc_68F5B2
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_68F5B2

loc_68F5A5:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+F9j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_68F5B5
; 

loc_68F5B2:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+F0j
					; ExpSaPageGroupFreeMemory(x,x,x)+FDj ...
		or	eax, 0FFFFFFFFh

loc_68F5B5:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+113j
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp+var_10]
		mov	[edx+10h], eax

loc_68F5BF:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+C7j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_1C]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_68F5EB
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_68F5EB
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68F5EB:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+13Fj
					; ExpSaPageGroupFreeMemory(x,x,x)+147j
		mov	esi, [ebp+var_C]

loc_68F5EE:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+41j
		lock bts dword ptr [edi], 0
		jnb	short loc_68F5FF
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_68F5FF:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+156j
		test	esi, esi
		jz	short loc_68F607
		or	byte ptr [esi+0Eh], 1

loc_68F607:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+164j
		mov	eax, [ebx+8]
		mov	esi, [ebp+var_20]
		shr	eax, 3
		and	eax, 3FFh
		push	esi
		push	eax
		mov	eax, [ebp+var_8]
		add	eax, 20h
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	ecx, [ebp+var_8]
		add	[ecx+14h], esi
		cmp	dword ptr [ecx+14h], 400h
		setz	byte ptr [ebp+var_4+2]
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_68F64B
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]

loc_68F64B:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+1A2j
		xor	edi, edi
		mov	[ebp+var_C], edi
		cmp	[ebp+var_10], edi
		jz	loc_68F7D9
		mov	esi, large fs:124h
		lea	edx, [ecx+0Ch]
		mov	ecx, ds:dword_6D07D0
		mov	eax, edx
		shr	eax, 15h
		mov	[ebp+var_10], esi
		cmp	edx, ecx
		jb	short loc_68F69B
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_68F68B
		cmp	edx, ecx
		jb	short loc_68F69B
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_68F69B

loc_68F68B:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+1DFj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_14], eax
		jmp	short loc_68F69E
; 

loc_68F69B:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+1D6j
					; ExpSaPageGroupFreeMemory(x,x,x)+1E3j	...
		or	eax, 0FFFFFFFFh

loc_68F69E:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+1FCj
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	byte ptr [ebp+var_4+3],	cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_68F6EB
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_68F75D
		mov	edx, [ebp+var_8]
		push	ecx
		push	[ebp+var_14]
		add	edx, 0Ch
		push	edx
		push	esi
		push	162h
		jmp	loc_68F514
; 

loc_68F6EB:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+228j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_68F701
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_68F701:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+25Aj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	edx, eax
		jnz	short loc_68F74B
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_68F75D
; 

loc_68F74B:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+29Aj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp+var_10]

loc_68F75D:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+232j
					; ExpSaPageGroupFreeMemory(x,x,x)+2ACj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_20], eax
		jz	short loc_68F7C1
		test	edi, 8000h
		jz	short loc_68F781
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68F781:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+2D9j
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_68F791
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_68F791:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+2E8j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_68F7A5
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_68F7A5:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+2FBj
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_68F7C1
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	[ebp+var_20]
		lea	edx, [edx+0Ch]
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_68F7C1:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+2D1j
					; ExpSaPageGroupFreeMemory(x,x,x)+312j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_68F7D9
		nop
		lea	ecx, [esi+70h]
		cmp	[ecx], ecx
		jz	short loc_68F7D9
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_68F7D9:				; CODE XREF: ExpSaPageGroupFreeMemory(x,x,x)+1B6j
					; ExpSaPageGroupFreeMemory(x,x,x)+32Dj	...
		mov	al, byte ptr [ebp+var_4+2]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
_ExpSaPageGroupFreeMemory@12 endp ; sp =  4


;  S U B	R O U T	I N E 


AllocateMemory	proc near		; CODE XREF: OpenGlobalizationUserSettingsKey_ForMua+4Bp
					; OpenGlobalizationUserSettingsKey_ForMua+119p	...
		mov	eax, large fs:20h
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	eax, [eax+338h]
		mov	edx, edi
		push	0
		inc	ecx
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	(offset	loc_4E4C52+1)
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jz	short loc_68F827
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_68F827:				; CODE XREF: AllocateMemory+32j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
AllocateMemory	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

OpenGlobalizationUserSettingsKey_ForMua	proc near
					; CODE XREF: OpenGlobalizationUserSettingsKey+8FBFCp

var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+24Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[esp+258h+var_234], eax
		lea	edi, [esp+258h+var_228]
		mov	eax, [ebp+arg_4]
		xor	esi, esi
		push	6
		pop	ecx
		mov	[esp+258h+var_244], eax
		mov	ebx, esi
		xor	eax, eax
		mov	[esp+258h+var_230], esi
		rep stosd
		push	4Ch
		pop	ecx
		mov	[esp+258h+var_22C], esi
		mov	[esp+258h+var_240], esi
		call	AllocateMemory
		mov	edi, eax
		test	edi, edi
		jz	short loc_68F8A5
		lea	eax, [esp+258h+var_248]
		mov	[esp+258h+var_248], esi
		push	eax
		push	4Ch
		push	edi
		push	1
		push	0FFFFFFFAh
		call	_ZwQueryInformationToken@20 ; ZwQueryInformationToken(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_68FA49
		mov	ebx, [edi]
		jmp	short loc_68F8AA
; 

loc_68F8A5:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForMua+54j
		mov	esi, 0C0000017h

loc_68F8AA:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForMua+77j
		test	esi, esi
		js	loc_68FA49
		mov	al, [ebx+1]
		cmp	al, 2
		jb	short loc_68F8CC
		cmp	al, 5
		jnz	short loc_68F8E0
		cmp	dword ptr [ebx+8], 15h
		jnz	short loc_68F8E0
		cmp	dword ptr [ebx+18h], 1F7h
		jnz	short loc_68F8E0

loc_68F8CC:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForMua+8Bj
		mov	eax, [esp+258h+var_244]
		mov	esi, 0C0000136h
		mov	[esp+258h+var_240], 1
		and	dword ptr [eax], 0

loc_68F8E0:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForMua+8Fj
					; OpenGlobalizationUserSettingsKey_ForMua+95j ...
		test	esi, esi
		js	loc_68FA37
		push	1
		push	ebx
		lea	eax, [esp+260h+var_230]
		push	eax
		call	RtlConvertSidToUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_68FA37
		and	[esp+258h+var_248], 0
		lea	eax, [esp+258h+var_248]
		push	eax		; int
		push	208h		; int
		lea	eax, [esp+260h+var_210]
		push	eax		; void *
		push	0		; int
		push	offset ??_C@_1IC@LJOADGCI@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@ ; void *
		push	offset ??_C@_1BK@CIGKBGGO@?$AAT?$AAa?$AAr?$AAg?$AAe?$AAt?$AAN?$AAt?$AAP?$AAa?$AAt?$AAh@FNODOBFM@ ; int
		push	offset ??_C@_1DE@JGIJLCKE@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AAi?$AAz?$AAa?$AAt?$AAi?$AAo?$AAn?$AAU?$AAs@FNODOBFM@	; int
		call	RtlGetPersistedStateLocation
		mov	esi, eax
		test	esi, esi
		js	loc_68FA2D
		mov	ecx, [esp+258h+var_230]
		mov	eax, [esp+258h+var_248]
		add	ecx, 4
		add	eax, ecx
		movzx	esi, ax
		mov	ecx, esi
		call	AllocateMemory
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_68FA28
		and	[esp+258h+var_23C], 0
		lea	eax, [esp+258h+var_210]
		push	eax		; void *
		lea	eax, [esp+25Ch+var_23C]
		mov	word ptr [esp+25Ch+var_23C+2], si
		push	eax		; int
		mov	[esp+260h+var_238], ebx
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_68FA1F
		push	(offset	loc_5A53CA+2) ;	void *
		lea	eax, [esp+25Ch+var_23C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_68FA1F
		lea	eax, [esp+258h+var_230]
		push	eax
		lea	eax, [esp+25Ch+var_23C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_68FA1F
		lea	eax, [esp+258h+var_23C]
		mov	[esp+258h+var_228], 18h
		mov	[esp+258h+var_220], eax
		xor	ecx, ecx
		lea	eax, [esp+258h+var_228]
		mov	[esp+258h+var_224], ecx
		push	eax
		push	20019h
		lea	eax, [esp+260h+var_248]
		mov	[esp+260h+var_21C], 240h
		push	eax
		mov	[esp+264h+var_218], ecx
		mov	[esp+264h+var_214], ecx
		mov	[esp+264h+var_248], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_68FA12
		push	[esp+258h+var_248]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [esp+258h+var_244]
		mov	dword ptr [eax], 2
		lea	eax, [esp+258h+var_228]
		push	eax
		push	8
		push	[esp+260h+var_234]
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		jmp	short loc_68FA1F
; 

loc_68FA12:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForMua+1BDj
		mov	eax, [esp+258h+var_244]
		xor	ecx, ecx
		inc	ecx
		mov	[esp+258h+var_240], ecx
		mov	[eax], ecx

loc_68FA1F:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForMua+149j
					; OpenGlobalizationUserSettingsKey_ForMua+162j	...
		mov	ecx, ebx
		call	ExFreeHeapPool
		jmp	short loc_68FA2D
; 

loc_68FA28:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForMua+122j
		mov	esi, 0C0000017h

loc_68FA2D:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForMua+101j
					; OpenGlobalizationUserSettingsKey_ForMua+1FAj
		lea	eax, [esp+258h+var_230]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_68FA37:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForMua+B6j
					; OpenGlobalizationUserSettingsKey_ForMua+CDj
		cmp	[esp+258h+var_240], 0
		jz	short loc_68FA49
		mov	edx, [esp+258h+var_234]
		call	OpenGlobalizationUserSettingsKey_ForSingleUserModel
		mov	esi, eax

loc_68FA49:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForMua+6Fj
					; OpenGlobalizationUserSettingsKey_ForMua+80j ...
		test	edi, edi
		jz	short loc_68FA54
		mov	ecx, edi
		call	ExFreeHeapPool

loc_68FA54:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForMua+21Fj
		mov	ecx, [esp+258h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
OpenGlobalizationUserSettingsKey_ForMua	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

OpenGlobalizationUserSettingsKey_ForSingleUserModel proc near
					; CODE XREF: OpenGlobalizationUserSettingsKey+8FC08p
					; OpenGlobalizationUserSettingsKey_ForMua+216p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, edx
		push	edi
		cmp	ds:dword_701330, esi
		jz	short loc_68FAD6
		push	offset unk_6FF228
		lea	eax, [esp+5Ch+var_20]
		mov	[esp+5Ch+var_20], esi
		push	eax
		mov	[esp+60h+var_1C], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+58h+var_20]
		mov	[esp+58h+var_18], 18h
		mov	[esp+58h+var_10], eax
		lea	eax, [esp+58h+var_18]
		push	eax
		push	8
		push	ebx
		mov	[esp+64h+var_14], esi
		mov	[esp+64h+var_C], 240h
		mov	[esp+64h+var_8], esi
		mov	[esp+64h+var_4], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		jmp	loc_68FCC1
; 

loc_68FAD6:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel+18j
		push	offset ??_C@_1JG@EEECFNPB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@
		lea	eax, [esp+5Ch+var_30]
		mov	[esp+5Ch+var_48], esi
		push	eax
		mov	[esp+60h+var_30], esi
		mov	[esp+60h+var_2C], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+58h+var_30]
		mov	[esp+58h+var_18], 18h
		mov	[esp+58h+var_10], eax
		lea	eax, [esp+58h+var_18]
		push	eax
		push	8
		lea	eax, [esp+60h+var_48]
		mov	[esp+60h+var_14], esi
		push	eax
		mov	[esp+64h+var_C], 240h
		mov	[esp+64h+var_8], esi
		mov	[esp+64h+var_4], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_68FCB2
		push	(offset	off_5A6E68+2)
		lea	eax, [esp+5Ch+var_28]
		mov	[esp+5Ch+var_44], esi
		push	eax
		mov	[esp+60h+var_28], esi
		mov	[esp+60h+var_24], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+58h+var_44]
		push	eax
		push	esi
		push	esi
		push	2
		lea	eax, [esp+68h+var_28]
		push	eax
		push	[esp+6Ch+var_48]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	ecx, [esp+58h+var_44]
		test	ecx, ecx
		jz	loc_68FC70
		cmp	eax, 0C0000023h
		jz	short loc_68FB80
		cmp	eax, 80000005h
		jnz	loc_68FC70

loc_68FB80:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel+106j
		call	AllocateMemory
		mov	[esp+58h+var_3C], eax
		test	eax, eax
		jz	loc_68FC69
		lea	ecx, [esp+58h+var_44]
		push	ecx
		push	[esp+5Ch+var_44]
		push	eax
		push	2
		lea	eax, [esp+68h+var_28]
		push	eax
		push	[esp+6Ch+var_48]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_68FC5E
		mov	eax, [esp+58h+var_3C]
		cmp	dword ptr [eax+4], 1
		jnz	loc_68FC54
		add	eax, 0Ch
		mov	[esp+58h+var_40], esi
		push	eax
		lea	eax, [esp+5Ch+var_38]
		mov	[esp+5Ch+var_38], esi
		push	eax
		mov	[esp+60h+var_34], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+58h+var_38]
		mov	[esp+58h+var_18], 18h
		mov	[esp+58h+var_10], eax
		lea	eax, [esp+58h+var_18]
		push	eax
		push	8
		lea	eax, [esp+60h+var_40]
		mov	[esp+60h+var_14], esi
		push	eax
		mov	[esp+64h+var_C], 240h
		mov	[esp+64h+var_8], esi
		mov	[esp+64h+var_4], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_68FC5E
		mov	eax, 0AAh
		mov	[esp+58h+var_20], esi
		mov	word ptr [esp+58h+var_20+2], ax
		mov	[esp+58h+var_1C], offset unk_6FF228
		cmp	ax, word ptr [esp+58h+var_38]
		jb	short loc_68FC4E
		lea	eax, [esp+58h+var_38]
		push	eax
		lea	eax, [esp+5Ch+var_20]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	ds:dword_701330, 1

loc_68FC4E:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel+1C6j
		mov	eax, [esp+58h+var_40]
		jmp	short loc_68FC5C
; 

loc_68FC54:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel+150j
		mov	eax, [esp+58h+var_48]
		mov	[esp+58h+var_48], esi

loc_68FC5C:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel+1E5j
		mov	[ebx], eax

loc_68FC5E:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel+142j
					; OpenGlobalizationUserSettingsKey_ForSingleUserModel+1A9j
		mov	ecx, [esp+58h+var_3C]
		call	ExFreeHeapPool
		jmp	short loc_68FCB2
; 

loc_68FC69:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel+11Ej
		mov	edi, 0C0000017h
		jmp	short loc_68FCB2
; 

loc_68FC70:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel+FBj
					; OpenGlobalizationUserSettingsKey_ForSingleUserModel+10Dj
		mov	eax, 0AAh
		mov	[esp+58h+var_20], esi
		mov	word ptr [esp+58h+var_20+2], ax
		mov	[esp+58h+var_1C], offset unk_6FF228
		cmp	ax, word ptr [esp+58h+var_30]
		jb	short loc_68FCA6
		lea	eax, [esp+58h+var_30]
		push	eax
		lea	eax, [esp+5Ch+var_20]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	ds:dword_701330, 1

loc_68FCA6:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel+21Ej
		mov	eax, [esp+58h+var_48]
		mov	edi, esi
		mov	[ebx], eax
		mov	[esp+58h+var_48], esi

loc_68FCB2:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel+BDj
					; OpenGlobalizationUserSettingsKey_ForSingleUserModel+1FAj ...
		cmp	[esp+58h+var_48], esi
		jz	short loc_68FCC1
		push	[esp+58h+var_48]
		call	_ZwClose@4	; ZwClose(x)

loc_68FCC1:				; CODE XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel+64j
					; OpenGlobalizationUserSettingsKey_ForSingleUserModel+249j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
OpenGlobalizationUserSettingsKey_ForSingleUserModel endp


;  S U B	R O U T	I N E 


; __stdcall WheapInitializeDeferredErrorSources(x)
_WheapInitializeDeferredErrorSources@4 proc near ; CODE	XREF: WheaConfigureErrorSource+36E8p
		mov	eax, ds:dword_6F9ACC
		push	ebx
		push	esi
		mov	esi, ds:dword_6F9AD4
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		test	eax, eax
		jle	short loc_68FD29

loc_68FCE0:				; CODE XREF: WheapInitializeDeferredErrorSources(x)+5Dj
		cmp	[esi+58h], ebx
		jnz	short loc_68FD1E
		cmp	byte ptr [esi+48h], 0
		jz	short loc_68FD1E
		cmp	dword ptr [esi+5Ch], 1
		jnz	short loc_68FD1E
		mov	ecx, esi
		call	WheapInitializeErrorSource
		test	eax, eax
		js	short loc_68FD1E
		xor	edx, edx
		mov	dword ptr [esi+5Ch], 2
		inc	edx
		mov	ecx, esi
		call	_WheapCallErrorSourceInitialize@8 ; WheapCallErrorSourceInitialize(x,x)
		test	eax, eax
		jns	short loc_68FD1A
		mov	dword ptr [esi+5Ch], 1
		jmp	short loc_68FD1E
; 

loc_68FD1A:				; CODE XREF: WheapInitializeDeferredErrorSources(x)+45j
		mov	byte ptr [esi+48h], 0

loc_68FD1E:				; CODE XREF: WheapInitializeDeferredErrorSources(x)+19j
					; WheapInitializeDeferredErrorSources(x)+1Fj ...
		mov	esi, [esi]
		inc	edi
		cmp	edi, ds:dword_6F9ACC
		jl	short loc_68FCE0

loc_68FD29:				; CODE XREF: WheapInitializeDeferredErrorSources(x)+14j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		retn
_WheapInitializeDeferredErrorSources@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapReportBootError(x)
_WheapReportBootError@4	proc near	; CODE XREF: WheapCheckForAndReportErrorsFromPreviousSession:loc_5FB148p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:1Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+20h]
		mov	[ebp+var_8], ecx
		mov	edi, [eax+4050h]
		test	edi, edi
		jz	short loc_68FDBE
		mov	edx, [ecx+18h]
		mov	ecx, [edi+4]
		call	_WheapGetErrorSource@8 ; WheapGetErrorSource(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_68FDBE
		lock inc dword ptr [esi+10h]
		and	[ebp+var_4], 0
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_WheapAllocErrorRecord@8 ; WheapAllocErrorRecord(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_68FDBE
		push	0
		push	2
		pop	edx
		mov	ecx, esi
		call	_WheapGetErrorSourceFunction@12	; WheapGetErrorSourceFunction(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_68FDA1
		push	dword ptr [esi+28h]
		mov	ecx, [ebp+var_4]
		lea	eax, [esi+50h]
		add	ecx, 0FFFFFFE4h
		push	ecx
		lea	ecx, [ebx+1Ch]
		push	ecx
		push	[ebp+var_8]
		push	eax
		call	edx

loc_68FDA1:				; CODE XREF: WheapReportBootError(x)+59j
		lock dec dword ptr [esi+4Ch]
		push	3
		lea	edx, [ebx+1Ch]
		pop	ecx
		call	_WheapCompressErrorRecord@8 ; WheapCompressErrorRecord(x,x)
		mov	ecx, [edi+8]
		mov	edx, ebx
		call	_WheapWorkQueueAddItem@8 ; WheapWorkQueueAddItem(x,x)
		mov	al, 1
		jmp	short loc_68FDC0
; 

loc_68FDBE:				; CODE XREF: WheapReportBootError(x)+1Ej
					; WheapReportBootError(x)+2Fj ...
		xor	al, al

loc_68FDC0:				; CODE XREF: WheapReportBootError(x)+8Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_WheapReportBootError@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapReportPersistedErrorRecord(x)
_WheapReportPersistedErrorRecord@4 proc	near
					; CODE XREF: WheapCheckForAndReportErrorsFromPreviousSession+7DFCEp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:1Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+20h]
		mov	edi, ecx
		mov	ebx, [eax+4050h]
		test	ebx, ebx
		jz	short loc_68FE52
		mov	eax, large fs:20h
		mov	ecx, [edi+14h]
		add	ecx, 1Ch
		push	0
		mov	eax, [eax+338h]
		mov	edx, ecx
		mov	[ebp+var_4], ecx
		xor	ecx, ecx
		inc	ecx
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	61656857h
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jz	short loc_68FE52
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		lea	edx, [esi+1Ch]
		mov	[esi+8], eax
		mov	dword ptr [esi+10h], 2
		push	dword ptr [edi+14h] ; size_t
		push	edi		; void *
		push	edx		; void *
		call	_memcpy
		mov	ecx, [ebx+8]
		add	esp, 18h
		mov	edx, esi
		call	_WheapWorkQueueAddItem@8 ; WheapWorkQueueAddItem(x,x)
		mov	al, 1
		jmp	short loc_68FE54
; 

loc_68FE52:				; CODE XREF: WheapReportPersistedErrorRecord(x)+1Cj
					; WheapReportPersistedErrorRecord(x)+55j
		xor	al, al

loc_68FE54:				; CODE XREF: WheapReportPersistedErrorRecord(x)+8Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_WheapReportPersistedErrorRecord@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaGetErrPacketFromErrRecord(x)
_WheaGetErrPacketFromErrRecord@4 proc near
					; CODE XREF: WheapAttemptArchitecturalErrorRecovery(x)+17p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		cmp	dword ptr [edi], 52455043h
		jnz	short loc_68FED2
		movzx	ecx, word ptr [edi+0Ah]
		imul	eax, ecx, 48h
		sub	eax, 0FFFFFF80h
		cmp	[edi+14h], eax
		jb	short loc_68FED2
		mov	[ebp+var_4], esi
		push	ebx
		lea	ebx, [edi+80h]
		test	ecx, ecx
		jz	short loc_68FED1

loc_68FE8A:				; CODE XREF: WheaGetErrPacketFromErrRecord(x)+56j
		push	10h		; Length
		push	offset _WHEA_ERROR_PACKET_SECTION_GUID ; Source2
		lea	eax, [ebx+10h]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jz	short loc_68FEB3
		mov	ecx, [ebp+var_4]
		add	ebx, 48h
		movzx	eax, word ptr [edi+0Ah]
		inc	ecx
		mov	[ebp+var_4], ecx
		cmp	ecx, eax
		jb	short loc_68FE8A
		jmp	short loc_68FED1
; 

loc_68FEB3:				; CODE XREF: WheaGetErrPacketFromErrRecord(x)+44j
		mov	eax, [ebx+4]
		mov	ecx, [ebx]
		add	eax, ecx
		cmp	[edi+14h], eax
		jb	short loc_68FED1
		add	ecx, edi
		mov	esi, [ecx]
		sub	esi, 41454857h
		neg	esi
		sbb	esi, esi
		not	esi
		and	esi, ecx

loc_68FED1:				; CODE XREF: WheaGetErrPacketFromErrRecord(x)+2Fj
					; WheaGetErrPacketFromErrRecord(x)+58j	...
		pop	ebx

loc_68FED2:				; CODE XREF: WheaGetErrPacketFromErrRecord(x)+12j
					; WheaGetErrPacketFromErrRecord(x)+21j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_WheaGetErrPacketFromErrRecord@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2614. WheaGetErrorSource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaGetErrorSource(x)
		public _WheaGetErrorSource@4
_WheaGetErrorSource@4 proc near		; CODE XREF: WheaAddHwErrorReportSectionDeviceDriver(x,x,x)+24p
					; WheaHwErrorReportSubmitDeviceDriver(x)+2Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, offset _WheapErrorSourceTable
		call	_WheapGetErrorSource@8 ; WheapGetErrorSource(x,x)
		lea	ecx, [eax+50h]
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		pop	ebp
		retn	4
_WheaGetErrorSource@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2629. WheaReportHwError

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaReportHwError(x)
		public _WheaReportHwError@4
_WheaReportHwError@4 proc near		; CODE XREF: WheaHwErrorReportSubmitDeviceDriver(x)+B7p

var_9E		= byte ptr -9Eh
var_9C		= dword	ptr -9Ch
var_92		= byte ptr -92h
var_90		= dword	ptr -90h
var_8A		= byte ptr -8Ah
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7E		= byte ptr -7Eh
var_7D		= byte ptr -7Dh
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6A		= byte ptr -6Ah
var_69		= byte ptr -69h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		push	9
		mov	edx, [ebx+14h]
		lea	edi, [esp+7Ch+var_50]
		pop	ecx
		rep stosd
		xor	ecx, ecx
		mov	esi, 0C0000000h
		mov	eax, edx
		mov	[esp+78h+var_60], ecx
		and	eax, esi
		mov	[esp+78h+var_6A], cl
		mov	[esp+78h+var_69], cl
		mov	[esp+78h+var_5C], ecx
		cmp	eax, esi
		jnz	short loc_68FF52
		lea	eax, [esi+0Dh]
		jmp	loc_6900E3
; 

loc_68FF52:				; CODE XREF: WheaReportHwError(x)+47j
		test	edx, 40000000h
		jz	loc_690056
		lea	esi, [ebx+3]
		mov	[esp+78h+var_69], 1
		add	esi, [ebx+8]
		and	edx, 0BFFFFFFFh
		and	esi, 0FFFFFFFCh
		mov	[ebx+14h], edx
		mov	[esp+78h+var_5C], esi

loc_68FF79:				; CODE XREF: WheaReportHwError(x)+157j
		mov	al, cl

loc_68FF7B:				; CODE XREF: WheaReportHwError(x):loc_69006Dj
		cmp	edx, 3
		jnz	short loc_68FF88
		test	al, al
		jz	loc_6900E1

loc_68FF88:				; CODE XREF: WheaReportHwError(x)+7Dj
		mov	eax, ds:_Feature_LogErrorRecords__private_featureState
		mov	[esp+78h+var_58], ecx
		test	al, 10h
		jnz	short loc_68FF9E
		push	ecx
		push	eax
		call	_Feature_LogErrorRecords__private_ReportUsageFallback@12 ; Feature_LogErrorRecords__private_ReportUsageFallback(x,x,x)
		xor	ecx, ecx

loc_68FF9E:				; CODE XREF: WheaReportHwError(x)+92j
		cmp	[esp+78h+var_6A], 0
		jnz	short loc_68FFFB
		cmp	dword ptr [ebx+14h], 2
		jz	short loc_68FFFB
		test	byte ptr [ebx+0Ch], 1
		jnz	short loc_68FFFB
		lea	eax, [esp+78h+var_50]
		mov	[esp+78h+var_50], 674C6857h
		push	eax
		mov	[esp+7Ch+var_4C], 1
		mov	[esp+7Ch+var_48], 24h
		mov	[esp+7Ch+var_44], ecx
		mov	[esp+7Ch+var_3C], 80000005h
		mov	[esp+7Ch+var_40], 4C4E524Bh
		mov	[esp+7Ch+var_38], 8
		mov	[esp+7Ch+var_34], 4
		mov	[esp+7Ch+var_30], ebx
		call	WheaLogInternalEvent

loc_68FFFB:				; CODE XREF: WheaReportHwError(x)+A2j
					; WheaReportHwError(x)+A8j ...
		mov	eax, large fs:1Ch
		xor	edi, edi
		mov	eax, [eax+20h]
		mov	eax, [eax+4050h]
		mov	[esp+78h+var_58], eax
		test	eax, eax
		jz	loc_690372
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	loc_690372
		cmp	[ecx+4], edi
		jz	loc_690372
		mov	edx, [ebx+18h]
		call	_WheapGetErrorSource@8 ; WheapGetErrorSource(x,x)
		mov	esi, eax
		mov	[esp+78h+var_68], esi
		test	esi, esi
		jnz	short loc_690079
		mov	eax, [ebx+14h]
		cmp	eax, 1

loc_690044:				; DATA XREF: .text:??_C@_1CI@BPFKPPAM@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAF?$AAG?$AAB?$AAo?$AAo?$AAs?$AAt?$AAD@FNODOBFM@o
		jz	short loc_69004A

loc_690046:				; DATA XREF: .text:004085F4o
		test	eax, eax

loc_690048:				; DATA XREF: .text:_PopHiberbootEnabledRegNameo
		jnz	short loc_690072

loc_69004A:				; CODE XREF: WheaReportHwError(x):loc_690044j
					; DATA XREF: .text:??_C@_1O@BMELCLLB@?$AAM?$AAi?$AAn?$AAi?$AAN?$AAT@FNODOBFM@o
		test	byte ptr [ebx+0Ch], 1

loc_69004E:				; DATA XREF: .text:005A3CBCo
		jz	loc_690397

loc_690054:				; DATA XREF: .text:005A69BEo
		jmp	short loc_690072
; 

loc_690056:				; CODE XREF: WheaReportHwError(x)+57j
					; DATA XREF: .text:??_C@_1DA@NGKONPGD@?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAD?$AAi?$AAs?$AAk?$AAM?$AAa?$AAx?$AAT@FNODOBFM@o ...
		test	edx, edx
		jns	loc_68FF79

loc_69005E:				; DATA XREF: .text:005A7606o
		and	edx, 7FFFFFFFh
		mov	al, 1

loc_690066:				; DATA XREF: .text:005A374Eo
					; .text:005A4290o ...
		mov	[ebx+14h], edx
		mov	[esp+78h+var_6A], al

loc_69006D:				; DATA XREF: .text:005A55AAo
		jmp	loc_68FF7B
; 

loc_690072:				; CODE XREF: WheaReportHwError(x):loc_690048j
					; WheaReportHwError(x):loc_690054j
					; DATA XREF: ...
		mov	eax, 0C00000C0h
		jmp	short loc_6900E3
; 

loc_690079:				; CODE XREF: WheaReportHwError(x)+13Bj
		lock inc dword ptr [esi+10h]
		cmp	dword ptr [ebx+14h], 2
		jnz	short loc_6900F7
		mov	ecx, esi
		call	_WheapApplyThresholdChecks@8 ; WheapApplyThresholdChecks(x,x)
		test	al, al
		jz	short loc_6900F7
		xor	eax, eax
		mov	[esp+78h+var_2C], 674C6857h
		inc	eax
		mov	[esp+78h+var_24], 28h
		mov	[esp+78h+var_28], eax
		mov	[esp+78h+var_20], eax
		mov	eax, [ebx+1Ch]
		mov	[esp+78h+var_C], eax
		mov	eax, [ebx+18h]
		mov	[esp+78h+var_8], eax
		lea	eax, [esp+78h+var_2C]
		push	eax
		mov	[esp+7Ch+var_18], 80000004h
		mov	[esp+7Ch+var_1C], 4C4E524Bh
		mov	[esp+7Ch+var_14], 2
		mov	[esp+7Ch+var_10], 8
		call	WheaLogInternalEvent

loc_6900E1:				; CODE XREF: WheaReportHwError(x)+81j
					; WheaReportHwError(x)+47Bj ...
		xor	eax, eax

loc_6900E3:				; CODE XREF: WheaReportHwError(x)+4Cj
					; WheaReportHwError(x)+176j ...
		mov	ecx, [esp+78h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_6900F7:				; CODE XREF: WheaReportHwError(x)+180j
					; WheaReportHwError(x)+18Bj
		lea	edx, [esp+78h+var_60]
		mov	ecx, esi
		call	_WheapAllocErrorRecord@8 ; WheapAllocErrorRecord(x,x)
		mov	edx, eax
		mov	[esp+78h+var_64], edx
		test	edx, edx
		jnz	short loc_69013D
		inc	dword ptr [esi+8]
		mov	eax, [ebx+14h]
		cmp	eax, 1
		jz	short loc_69011B
		test	eax, eax
		jnz	short loc_690136

loc_69011B:				; CODE XREF: WheaReportHwError(x)+214j
		test	byte ptr [ebx+0Ch], 1
		jnz	short loc_690136
		cmp	[esp+78h+var_6A], 0
		jnz	short loc_690136
		push	edi
		push	dword ptr [ebx+18h]
		push	dword ptr [ebx+1Ch]
		push	0Ah
		jmp	loc_69039E
; 

loc_690136:				; CODE XREF: WheaReportHwError(x)+218j
					; WheaReportHwError(x)+21Ej ...
		mov	eax, 0C000009Ah
		jmp	short loc_6900E3
; 

loc_69013D:				; CODE XREF: WheaReportHwError(x)+209j
		mov	eax, [ebx+0Ch]
		lea	esi, [edx+1Ch]
		shr	eax, 2
		xor	eax, [edx+10h]
		and	eax, 4
		xor	[edx+10h], eax
		mov	ecx, [ebx+0Ch]
		mov	eax, [edx+10h]
		shr	ecx, 2
		xor	ecx, eax
		and	ecx, 8
		push	edi
		xor	ecx, eax
		mov	[edx+10h], ecx
		mov	ecx, [esp+7Ch+var_68]
		push	2
		pop	edx
		call	_WheapGetErrorSourceFunction@12	; WheapGetErrorSourceFunction(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_690180
		mov	ecx, 0C0000002h
		mov	[esp+78h+var_60], ecx
		jmp	short loc_69019D
; 

loc_690180:				; CODE XREF: WheaReportHwError(x)+272j
		mov	ecx, [esp+78h+var_68]
		mov	eax, [esp+78h+var_60]
		add	eax, 0FFFFFFE4h
		push	dword ptr [ecx+28h]
		push	eax
		push	esi
		push	ebx
		lea	eax, [ecx+50h]
		push	eax
		call	edx
		mov	ecx, eax
		mov	[esp+8Ch+var_74], eax

loc_69019D:				; CODE XREF: WheaReportHwError(x)+27Dj
		mov	eax, [esp+8Ch+var_7C]
		lock dec dword ptr [eax+4Ch]
		test	ecx, ecx
		jns	short loc_6901E2
		mov	ecx, [ebx+14h]
		cmp	ecx, 1
		jz	short loc_6901B5
		test	ecx, ecx
		jnz	short loc_6901D0

loc_6901B5:				; CODE XREF: WheaReportHwError(x)+2AEj
		test	byte ptr [ebx+0Ch], 1
		jnz	short loc_6901D0
		cmp	[esp+8Ch+var_7E], 0
		jnz	short loc_6901D0
		push	edi
		push	dword ptr [ebx+18h]
		push	dword ptr [ebx+1Ch]
		push	0Bh
		jmp	loc_69039E
; 

loc_6901D0:				; CODE XREF: WheaReportHwError(x)+2B2j
					; WheaReportHwError(x)+2B8j ...
		mov	ecx, [esp+8Ch+var_78]
		call	_WheapFreeErrorRecord@4	; WheapFreeErrorRecord(x)
		mov	eax, [esp+8Ch+var_74]
		jmp	loc_6900E3
; 

loc_6901E2:				; CODE XREF: WheaReportHwError(x)+2A6j
		mov	cl, [esp+8Ch+var_7E]
		test	cl, cl
		jnz	short loc_6901F0
		cmp	[esp+8Ch+var_7D], cl
		jz	short loc_6901F4

loc_6901F0:				; CODE XREF: WheaReportHwError(x)+2E7j
		or	dword ptr [esi+68h], 8

loc_6901F4:				; CODE XREF: WheaReportHwError(x)+2EDj
		mov	edx, [esi+68h]
		test	dl, 2
		jz	short loc_690233
		push	3
		mov	edx, esi
		pop	ecx
		call	_WheapCompressErrorRecord@8 ; WheapCompressErrorRecord(x,x)

loc_690206:				; CODE XREF: WheaReportHwError(x)+400j
					; WheaReportHwError(x)+430j
		mov	ebx, [esp+8Ch+var_78]
		test	byte ptr [ebx+10h], 1
		jz	short loc_69022C
		cmp	ds:_WheapEventingInitialized, 1
		jnz	short loc_690220
		mov	ecx, esi
		call	_WheapGenerateETWEvents@4 ; WheapGenerateETWEvents(x)

loc_690220:				; CODE XREF: WheaReportHwError(x)+316j
		mov	ecx, ebx
		call	_WheapFreeErrorRecord@4	; WheapFreeErrorRecord(x)
		jmp	loc_69036B
; 

loc_69022C:				; CODE XREF: WheaReportHwError(x)+30Dj
		mov	edx, ebx
		jmp	loc_69035F
; 

loc_690233:				; CODE XREF: WheaReportHwError(x)+2F9j
		cmp	ds:_WheapPolicyIgnoreDummyWrite, 0
		jnz	short loc_690268
		test	cl, cl
		jnz	short loc_690268
		mov	edx, esi
		xor	ecx, ecx
		call	_WheapCompressErrorRecord@8 ; WheapCompressErrorRecord(x,x)
		push	esi
		push	dword ptr [esi+14h]
		push	1
		call	ds:__imp__PshedWriteErrorRecord@12 ; PshedWriteErrorRecord(x,x,x)
		mov	cl, [esp+98h+var_8A]
		test	eax, eax
		mov	eax, [esp+98h+var_88]
		jns	short loc_690268
		mov	ds:_WheapPolicyIgnoreDummyWrite, 1

loc_690268:				; CODE XREF: WheaReportHwError(x)+339j
					; WheaReportHwError(x)+33Dj ...
		mov	edx, [ebx+14h]
		cmp	edx, 1
		jnz	short loc_6902CC
		test	cl, cl
		jnz	loc_690346
		lea	ebx, [eax+50h]
		push	ebx
		push	esi
		call	ds:__imp__PshedFinalizeErrorRecord@8 ; PshedFinalizeErrorRecord(x,x)
		mov	ecx, esi
		call	_WheapPersistPageForMemoryError@4 ; WheapPersistPageForMemoryError(x)
		push	3
		mov	edx, esi
		pop	ecx
		call	_WheapCompressErrorRecord@8 ; WheapCompressErrorRecord(x,x)
		push	esi
		push	dword ptr [esi+14h]
		push	edi
		call	ds:__imp__PshedWriteErrorRecord@12 ; PshedWriteErrorRecord(x,x,x)
		mov	edx, [esi+14h]
		mov	ecx, esi
		call	_WheapAddToDumpFile@8 ;	WheapAddToDumpFile(x,x)
		cmp	byte ptr [esp+0Fh], 0
		jz	short loc_690323
		mov	eax, [esp+0ACh+var_90]
		push	dword ptr [eax+4Ch]
		push	dword ptr [eax+48h]
		mov	eax, [esp+0B4h+var_9C]
		push	esi
		push	dword ptr [eax+58h]

loc_6902C2:				; CODE XREF: WheaReportHwError(x)+491j
		push	124h
		jmp	loc_6903A3
; 

loc_6902CC:				; CODE XREF: WheaReportHwError(x)+36Dj
		cmp	edx, 2
		jz	short loc_690346
		cmp	edx, 3
		jz	short loc_690346
		test	edx, edx
		jnz	short loc_690336
		lea	ebx, [eax+50h]
		push	ebx
		push	esi
		call	ds:__imp__PshedFinalizeErrorRecord@8 ; PshedFinalizeErrorRecord(x,x)
		mov	ecx, esi
		call	_WheapAttemptErrorRecovery@4 ; WheapAttemptErrorRecovery(x)
		push	3
		mov	edx, esi
		pop	ecx
		call	_WheapCompressErrorRecord@8 ; WheapCompressErrorRecord(x,x)
		cmp	dword ptr [esi+0Ch], 2
		jz	short loc_69032D
		cmp	[esp+0A0h+var_92], 0
		jnz	loc_690206
		mov	ecx, esi
		call	_WheapPersistPageForMemoryError@4 ; WheapPersistPageForMemoryError(x)
		push	esi
		push	dword ptr [esi+14h]
		push	edi
		call	ds:__imp__PshedWriteErrorRecord@12 ; PshedWriteErrorRecord(x,x,x)
		mov	edx, [esi+14h]
		mov	ecx, esi
		call	_WheapAddToDumpFile@8 ;	WheapAddToDumpFile(x,x)

loc_690323:				; CODE XREF: WheaReportHwError(x)+3ADj
		push	esi
		push	ebx
		call	ds:__imp__PshedBugCheckSystem@8	; PshedBugCheckSystem(x,x)
		jmp	short loc_69036B
; 

loc_69032D:				; CODE XREF: WheaReportHwError(x)+3F9j
		or	dword ptr [esi+68h], 1
		jmp	loc_690206
; 

loc_690336:				; CODE XREF: WheaReportHwError(x)+3D7j
		mov	ecx, [esp+98h+var_84]
		call	_WheapFreeErrorRecord@4	; WheapFreeErrorRecord(x)
		mov	edi, 0C000000Dh
		jmp	short loc_69036B
; 

loc_690346:				; CODE XREF: WheaReportHwError(x)+371j
					; WheaReportHwError(x)+3CEj ...
		add	eax, 50h
		push	eax
		push	esi
		call	ds:__imp__PshedFinalizeErrorRecord@8 ; PshedFinalizeErrorRecord(x,x)
		push	3
		mov	edx, esi
		pop	ecx
		call	_WheapCompressErrorRecord@8 ; WheapCompressErrorRecord(x,x)
		mov	edx, [esp+14h]

loc_69035F:				; CODE XREF: WheaReportHwError(x)+32Dj
		mov	ecx, [esp+20h]
		mov	ecx, [ecx+8]
		call	_WheapWorkQueueAddItem@8 ; WheapWorkQueueAddItem(x,x)

loc_69036B:				; CODE XREF: WheaReportHwError(x)+326j
					; WheaReportHwError(x)+42Aj ...
		mov	eax, edi
		jmp	loc_6900E3
; 

loc_690372:				; CODE XREF: WheaReportHwError(x)+111j
					; WheaReportHwError(x)+11Cj ...
		mov	eax, [ebx+14h]
		cmp	eax, 1
		jz	short loc_690382
		test	eax, eax
		jnz	loc_6900E1

loc_690382:				; CODE XREF: WheaReportHwError(x)+477j
		test	byte ptr [ebx+0Ch], 1
		jnz	loc_6900E1
		push	edi
		push	edi
		push	edi
		push	dword ptr [ebx+1Ch]
		jmp	loc_6902C2
; 

loc_690397:				; CODE XREF: WheaReportHwError(x):loc_69004Ej
		push	edi
		push	edx
		push	dword ptr [ebx+1Ch]
		push	9

loc_69039E:				; CODE XREF: WheaReportHwError(x)+230j
					; WheaReportHwError(x)+2CAj
		push	122h

loc_6903A3:				; CODE XREF: WheaReportHwError(x)+3C6j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_WheaReportHwError@4 endp


;  S U B	R O U T	I N E 


; __stdcall WheapAddToDumpFile(x, x)
_WheapAddToDumpFile@8 proc near		; CODE XREF: WheaReportHwError(x)+3A3p
					; WheaReportHwError(x)+41Dp
		test	ecx, ecx
		jz	short locret_6903D1
		push	esi
		mov	esi, 0FFFFF000h
		test	ecx, esi
		jz	short loc_6903D0
		mov	eax, ecx
		add	edx, 0FFFh
		and	eax, 0FFFh
		add	edx, eax
		and	edx, esi
		and	ecx, esi
		pop	esi
		jmp	IoAddTriageDumpDataBlock
; 

loc_6903D0:				; CODE XREF: WheapAddToDumpFile(x,x)+Cj
		pop	esi

locret_6903D1:				; CODE XREF: WheapAddToDumpFile(x,x)+2j
		retn
_WheapAddToDumpFile@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapAllocErrorRecord(x, x)
_WheapAllocErrorRecord@8 proc near	; CODE XREF: WheapReportBootError(x)+3Ep
					; WheaReportHwError(x)+1FCp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	[ebp+var_4], edi
		mov	eax, [ebx+18h]
		mov	[edi], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	short loc_69043F
		mov	eax, large fs:20h
		mov	ecx, 200h
		mov	esi, [ebx+1Ch]
		mov	edx, [edi]
		push	0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	esi
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jz	short loc_690458
		mov	eax, [ebp+var_4]
		mov	esi, [eax]
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, esi
		mov	ecx, edi
		push	ebx
		call	_WheapInitializeErrorRecordWrapper@12 ;	WheapInitializeErrorRecordWrapper(x,x,x)
		jmp	short loc_690453
; 

loc_69043F:				; CODE XREF: WheapAllocErrorRecord(x,x)+1Dj
		mov	ecx, ebx
		call	_WheapGetPreallocatedErrorRecord@4 ; WheapGetPreallocatedErrorRecord(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_690458
		mov	dword ptr [edi+10h], 1

loc_690453:				; CODE XREF: WheapAllocErrorRecord(x,x)+6Bj
		mov	[edi+18h], ebx
		jmp	short loc_69045E
; 

loc_690458:				; CODE XREF: WheapAllocErrorRecord(x,x)+4Ej
					; WheapAllocErrorRecord(x,x)+78j
		mov	eax, [ebp+var_4]
		and	dword ptr [eax], 0

loc_69045E:				; CODE XREF: WheapAllocErrorRecord(x,x)+84j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_WheapAllocErrorRecord@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapApplyThresholdChecks(x, x)
_WheapApplyThresholdChecks@8 proc near	; CODE XREF: WheaReportHwError(x)+184p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		lea	edx, [ebp+var_4]
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		push	eax
		inc	dword ptr [esi+44h]
		call	_WheapGetErrorThresholdInformation@12 ;	WheapGetErrorThresholdInformation(x,x,x)
		cmp	[ebp+var_8], 1
		jbe	short loc_6904EB
		lea	eax, [ebp+var_10]
		push	eax
		call	KeQueryTickCount
		cmp	[ebp+var_4], 0
		jz	short loc_6904F2
		mov	edi, [ebp+var_10]
		mov	ecx, edi
		sub	ecx, [esi+38h]
		mov	ebx, [ebp+var_C]
		mov	eax, ebx
		sbb	eax, [esi+3Ch]
		push	0
		push	ds:_KeMaximumIncrement
		push	eax
		push	ecx
		call	__allmul
		push	0
		push	989680h
		push	edx
		push	eax
		call	__alldiv
		test	edx, edx
		jb	short loc_6904F2
		ja	short loc_6904DE
		cmp	eax, [ebp+var_4]
		jbe	short loc_6904F2

loc_6904DE:				; CODE XREF: WheapApplyThresholdChecks(x,x)+72j
		mov	dword ptr [esi+40h], 1
		mov	[esi+38h], edi
		mov	[esi+3Ch], ebx

loc_6904EB:				; CODE XREF: WheapApplyThresholdChecks(x,x)+30j
					; WheapApplyThresholdChecks(x,x)+96j
		xor	al, al

loc_6904ED:				; CODE XREF: WheapApplyThresholdChecks(x,x)+9Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_6904F2:				; CODE XREF: WheapApplyThresholdChecks(x,x)+3Fj
					; WheapApplyThresholdChecks(x,x)+70j ...
		inc	dword ptr [esi+40h]
		mov	ecx, [esi+40h]
		cmp	ecx, [ebp+var_8]
		jb	short loc_6904EB
		and	dword ptr [esi+40h], 0
		mov	al, 1
		jmp	short loc_6904ED
_WheapApplyThresholdChecks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapAttemptArchitecturalErrorRecovery(x)
_WheapAttemptArchitecturalErrorRecovery@4 proc near
					; CODE XREF: WheapAttemptErrorRecovery(x)+7p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		mov	eax, ecx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	edi, 0C000000Dh
		call	_WheaGetErrPacketFromErrRecord@4 ; WheaGetErrPacketFromErrRecord(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_690578
		cmp	dword ptr [esi+1Ch], 10h
		ja	short loc_690578
		mov	edx, [esi+18h]
		mov	ecx, offset _WheapErrorSourceTable
		push	ebx
		call	_WheapGetErrorSource@8 ; WheapGetErrorSource(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_690577
		mov	eax, [esi+30h]
		or	eax, [esi+34h]
		jz	short loc_690577
		mov	esi, [esi+30h]
		mov	ecx, ebx
		push	0
		push	3
		pop	edx
		call	_WheapGetErrorSourceFunction@12	; WheapGetErrorSourceFunction(x,x,x)
		test	eax, eax
		jnz	short loc_690561
		add	edi, 0FFFFFFF5h
		jmp	short loc_69056A
; 

loc_690561:				; CODE XREF: WheapAttemptArchitecturalErrorRecovery(x)+55j
		lea	ecx, [ebp+var_4]
		push	ecx
		push	esi
		call	eax
		mov	edi, eax

loc_69056A:				; CODE XREF: WheapAttemptArchitecturalErrorRecovery(x)+5Aj
		lock dec dword ptr [ebx+4Ch]
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		mov	[eax+0Ch], ecx

loc_690577:				; CODE XREF: WheapAttemptArchitecturalErrorRecovery(x)+3Aj
					; WheapAttemptArchitecturalErrorRecovery(x)+42j
		pop	ebx

loc_690578:				; CODE XREF: WheapAttemptArchitecturalErrorRecovery(x)+20j
					; WheapAttemptArchitecturalErrorRecovery(x)+26j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
_WheapAttemptArchitecturalErrorRecovery@4 endp


;  S U B	R O U T	I N E 


; __stdcall WheapAttemptErrorRecovery(x)
_WheapAttemptErrorRecovery@4 proc near	; CODE XREF: WheaReportHwError(x)+3E6p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_WheapAttemptArchitecturalErrorRecovery@4 ; WheapAttemptArchitecturalErrorRecovery(x)
		mov	edi, eax
		push	2
		pop	ebx
		test	edi, edi
		js	short loc_69059C
		cmp	dword ptr [esi+0Ch], 0
		jnz	short loc_69059C
		mov	[esi+0Ch], ebx

loc_69059C:				; CODE XREF: WheapAttemptErrorRecovery(x)+13j
					; WheapAttemptErrorRecovery(x)+19j
		push	esi
		call	ds:__imp__PshedAttemptErrorRecovery@4 ;	PshedAttemptErrorRecovery(x)
		mov	ecx, [esi+0Ch]
		xor	edx, edx
		inc	edx
		test	ecx, ecx
		jnz	short loc_6905BB
		test	eax, eax
		js	short loc_6905B6
		mov	[esi+0Ch], ebx
		jmp	short loc_6905BF
; 

loc_6905B6:				; CODE XREF: WheapAttemptErrorRecovery(x)+31j
		mov	[esi+0Ch], edx
		mov	ecx, edx

loc_6905BB:				; CODE XREF: WheapAttemptErrorRecovery(x)+2Dj
		cmp	ecx, ebx
		jnz	short loc_6905C2

loc_6905BF:				; CODE XREF: WheapAttemptErrorRecovery(x)+36j
		or	[esi+68h], edx

loc_6905C2:				; CODE XREF: WheapAttemptErrorRecovery(x)+3Fj
		test	edi, edi
		jns	short loc_6905CC
		test	eax, eax
		js	short loc_6905CC
		mov	edi, eax

loc_6905CC:				; CODE XREF: WheapAttemptErrorRecovery(x)+46j
					; WheapAttemptErrorRecovery(x)+4Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_WheapAttemptErrorRecovery@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapCompressErrorRecord(x,	x)
_WheapCompressErrorRecord@8 proc near	; CODE XREF: WheapReportBootError(x)+7Cp
					; WheaReportHwError(x)+300p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	eax, ecx
		mov	[ebp+var_C], eax
		movzx	edx, word ptr [edi+0Ah]
		test	al, 2
		jz	loc_690673
		xor	ecx, ecx
		lea	ebx, [edi+80h]
		and	[ebp+var_4], ecx
		xor	esi, esi
		mov	[ebp+var_8], ecx
		mov	eax, edx
		cmp	si, dx
		jnb	short loc_690665
		mov	esi, edx

loc_690609:				; CODE XREF: WheapCompressErrorRecord(x,x)+8Bj
		push	10h		; size_t
		lea	eax, [ebx+10h]
		push	offset _WHEA_ERROR_PACKET_SECTION_GUID ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		movzx	ecx, si
		test	eax, eax
		jnz	short loc_69064B
		movzx	eax, si
		sub	eax, [ebp+var_4]
		sub	eax, 1
		jz	short loc_690643
		imul	eax, 48h
		push	eax		; size_t
		lea	eax, [ebx+48h]
		push	eax		; void *
		push	ebx		; void *
		call	_memmove
		movzx	ecx, word ptr [edi+0Ah]
		add	esp, 0Ch

loc_690643:				; CODE XREF: WheapCompressErrorRecord(x,x)+5Aj
		inc	[ebp+var_8]
		movzx	ecx, cx
		jmp	short loc_69064E
; 

loc_69064B:				; CODE XREF: WheapCompressErrorRecord(x,x)+4Fj
		add	ebx, 48h

loc_69064E:				; CODE XREF: WheapCompressErrorRecord(x,x)+77j
		mov	edx, [ebp+var_4]
		inc	edx
		movzx	eax, cx
		mov	[ebp+var_4], edx
		movzx	esi, cx
		cmp	edx, eax
		jb	short loc_690609
		movzx	eax, cx
		mov	ecx, [ebp+var_8]

loc_690665:				; CODE XREF: WheapCompressErrorRecord(x,x)+33j
		sub	eax, ecx
		mov	[edi+0Ah], ax
		movzx	ecx, ax
		mov	eax, [ebp+var_C]
		jmp	short loc_690675
; 

loc_690673:				; CODE XREF: WheapCompressErrorRecord(x,x)+18j
		mov	ecx, edx

loc_690675:				; CODE XREF: WheapCompressErrorRecord(x,x)+9Fj
		and	eax, 1
		lea	ebx, [edi+80h]
		mov	[ebp+var_C], eax
		jz	short loc_69068E
		movzx	eax, cx
		imul	esi, eax, 48h
		sub	esi, 0FFFFFF80h
		jmp	short loc_690690
; 

loc_69068E:				; CODE XREF: WheapCompressErrorRecord(x,x)+AFj
		mov	esi, [ebx]

loc_690690:				; CODE XREF: WheapCompressErrorRecord(x,x)+BAj
		xor	eax, eax
		xor	edx, edx
		cmp	ax, cx
		jmp	short loc_6906C3
; 

loc_690699:				; CODE XREF: WheapCompressErrorRecord(x,x)+F4j
		mov	eax, [ebx]
		cmp	esi, eax
		jnb	short loc_6906B6
		push	dword ptr [ebx+4] ; size_t
		add	eax, edi
		push	eax		; void *
		lea	eax, [esi+edi]
		push	eax		; void *
		call	_memmove
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		mov	[ebx], esi

loc_6906B6:				; CODE XREF: WheapCompressErrorRecord(x,x)+CBj
		add	esi, [ebx+4]
		add	ebx, 48h
		movzx	eax, word ptr [edi+0Ah]
		inc	edx
		cmp	edx, eax

loc_6906C3:				; CODE XREF: WheapCompressErrorRecord(x,x)+C5j
		mov	[ebp+var_8], edx
		jb	short loc_690699
		mov	eax, [edi+14h]
		sub	eax, esi
		push	eax		; size_t
		lea	eax, [esi+edi]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+var_C], 0
		jz	short loc_6906E5
		mov	[edi+14h], esi

loc_6906E5:				; CODE XREF: WheapCompressErrorRecord(x,x)+10Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_WheapCompressErrorRecord@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapFreeErrorRecord(x)
_WheapFreeErrorRecord@4	proc near	; CODE XREF: WheaReportHwError(x)+2D3p
					; WheaReportHwError(x)+321p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		test	byte ptr [ecx+10h], 1
		jz	short loc_690701
		xor	edx, edx
		lea	eax, [ecx+14h]
		xchg	edx, [eax]
		jmp	short loc_690706
; 

loc_690701:				; CODE XREF: WheapFreeErrorRecord(x)+Cj
		call	ExFreeHeapPool

loc_690706:				; CODE XREF: WheapFreeErrorRecord(x)+15j
		mov	esp, ebp
		pop	ebp
		retn
_WheapFreeErrorRecord@4	endp


;  S U B	R O U T	I N E 


; __stdcall WheapGetErrorSource(x, x)
_WheapGetErrorSource@8 proc near	; CODE XREF: WheapReportBootError(x)+26p
					; WheaGetErrorSource(x)+Dp ...
		cmp	dword ptr [ecx], 4C424154h
		push	esi
		jnz	short loc_690737
		mov	eax, [ecx+0Ch]
		xor	esi, esi
		mov	ecx, [ecx+4]
		test	ecx, ecx
		jle	short loc_690737

loc_69071F:				; CODE XREF: WheapGetErrorSource(x,x)+2Bj
		cmp	[eax+6Ch], edx
		jnz	short loc_690730
		cmp	byte ptr [eax+48h], 0
		jnz	short loc_690730
		cmp	dword ptr [eax+5Ch], 2
		jz	short loc_690739

loc_690730:				; CODE XREF: WheapGetErrorSource(x,x)+18j
					; WheapGetErrorSource(x,x)+1Ej
		mov	eax, [eax]
		inc	esi
		cmp	esi, ecx
		jl	short loc_69071F

loc_690737:				; CODE XREF: WheapGetErrorSource(x,x)+7j
					; WheapGetErrorSource(x,x)+13j
		xor	eax, eax

loc_690739:				; CODE XREF: WheapGetErrorSource(x,x)+24j
		pop	esi
		retn
_WheapGetErrorSource@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapGetErrorThresholdInformation(x, x, x)
_WheapGetErrorThresholdInformation@12 proc near
					; CODE XREF: WheapApplyThresholdChecks(x,x)+27p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+58h]
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, esi
		cmp	eax, 1
		jz	short loc_690773
		cmp	eax, 2
		jz	short loc_6907A8
		cmp	eax, 4
		jz	short loc_6907A8
		cmp	eax, 5
		jz	short loc_69076C
		cmp	eax, 8
		jz	short loc_69076C
		cmp	eax, 0Bh
		jle	short loc_6907A8
		cmp	eax, 0Dh
		jg	short loc_6907A8

loc_69076C:				; CODE XREF: WheapGetErrorThresholdInformation(x,x,x)+20j
					; WheapGetErrorThresholdInformation(x,x,x)+25j
		mov	eax, 90h
		jmp	short loc_690778
; 

loc_690773:				; CODE XREF: WheapGetErrorThresholdInformation(x,x,x)+11j
		mov	eax, 80h

loc_690778:				; CODE XREF: WheapGetErrorThresholdInformation(x,x,x)+36j
		add	eax, ecx
		jz	short loc_6907A8
		movzx	ecx, byte ptr [eax]
		sub	ecx, 1
		jz	short loc_6907A2
		sub	ecx, 1
		jz	short loc_6907A2
		sub	ecx, 1
		jz	short loc_6907A2
		sub	ecx, 1
		jz	short loc_6907A2
		sub	ecx, 4
		jz	short loc_6907A2
		sub	ecx, 1
		jz	short loc_6907A2
		sub	ecx, 1
		jnz	short loc_6907A8

loc_6907A2:				; CODE XREF: WheapGetErrorThresholdInformation(x,x,x)+47j
					; WheapGetErrorThresholdInformation(x,x,x)+4Cj	...
		mov	edi, [eax+18h]
		mov	esi, [eax+14h]

loc_6907A8:				; CODE XREF: WheapGetErrorThresholdInformation(x,x,x)+16j
					; WheapGetErrorThresholdInformation(x,x,x)+1Bj	...
		mov	eax, [ebp+arg_0]
		mov	[edx], edi
		pop	edi
		mov	[eax], esi
		pop	esi
		pop	ebp
		retn	4
_WheapGetErrorThresholdInformation@12 endp


;  S U B	R O U T	I N E 


; __stdcall WheapGetPreallocatedErrorRecord(x)
_WheapGetPreallocatedErrorRecord@4 proc	near ; CODE XREF: WheapAllocErrorRecord(x,x)+6Fp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	esi, ebx
		mov	edx, [edi+24h]
		cmp	[edi+14h], ebx
		jbe	short loc_6907EE

loc_6907C8:				; CODE XREF: WheapGetPreallocatedErrorRecord(x)+33j
		cmp	dword ptr [edx+14h], 1
		jz	short loc_6907E1
		xor	ecx, ecx
		lea	ebx, [edx+14h]
		inc	ecx
		xor	eax, eax
		lock cmpxchg [ebx], ecx
		push	0
		pop	ebx
		test	eax, eax
		jz	short loc_6907EC

loc_6907E1:				; CODE XREF: WheapGetPreallocatedErrorRecord(x)+17j
		add	edx, [edx+8]
		inc	esi
		cmp	esi, [edi+14h]
		jb	short loc_6907C8
		jmp	short loc_6907EE
; 

loc_6907EC:				; CODE XREF: WheapGetPreallocatedErrorRecord(x)+2Aj
		mov	bl, 1

loc_6907EE:				; CODE XREF: WheapGetPreallocatedErrorRecord(x)+11j
					; WheapGetPreallocatedErrorRecord(x)+35j
		movzx	eax, bl
		neg	eax
		pop	edi
		sbb	eax, eax
		pop	esi
		and	eax, edx
		pop	ebx
		retn
_WheapGetPreallocatedErrorRecord@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapPersistPageForMemoryError(x)
_WheapPersistPageForMemoryError@4 proc near ; CODE XREF: WheaReportHwError(x)+384p
					; WheaReportHwError(x)+408p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		test	byte ptr [ecx+68h], 20h
		jz	short locret_690857
		call	_WheapErrorContainsMemorySection@4 ; WheapErrorContainsMemorySection(x)
		test	eax, eax
		jz	short locret_690857
		mov	ecx, [eax]
		and	ecx, 2
		or	ecx, 0
		jz	short locret_690857
		push	esi
		mov	esi, [eax+10h]
		push	edi
		mov	edi, [eax+14h]
		lea	eax, [ebp+var_8]
		push	eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], edi
		call	_MmGetPageBadStatus@4 ;	MmGetPageBadStatus(x)
		test	eax, eax
		jnz	short loc_690855
		push	7
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		shrd	esi, edi, 0Ch
		push	offset _WheapHardwareErrorGuid
		push	offset ??_C@_1DC@FLHAMKMH@?$AAU?$AAn?$AAc?$AAo?$AAr?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAB?$AAa?$AAd?$AAM@FNODOBFM@
		mov	[ebp+var_4], esi
		call	ds:__imp__HalSetEnvironmentVariableEx@20 ; HalSetEnvironmentVariableEx(x,x,x,x,x)

loc_690855:				; CODE XREF: WheapPersistPageForMemoryError(x)+39j
		pop	edi
		pop	esi

locret_690857:				; CODE XREF: WheapPersistPageForMemoryError(x)+Bj
					; WheapPersistPageForMemoryError(x)+14j ...
		leave
		retn
_WheapPersistPageForMemoryError@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapProcessWorkQueueItem(x, x)
_WheapProcessWorkQueueItem@8 proc near	; DATA XREF: WheapInitializeWorkQueue(x,x)+4Fo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	ds:_WheapPreviousSessionFailure, 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		jz	short loc_6908AF
		test	byte ptr [esi+84h], 2
		jz	short loc_6908AF
		mov	eax, [esi+28h]
		cmp	eax, 1
		jz	short loc_690886
		test	eax, eax
		jnz	short loc_6908AF

loc_690886:				; CODE XREF: WheapProcessWorkQueueItem(x,x)+27j
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_6908AF
		mov	eax, [eax+20h]
		test	eax, eax
		jz	short loc_6908A8
		cmp	eax, 3
		jz	short loc_6908A8
		cmp	eax, 4
		jz	short loc_6908A8
		cmp	eax, 7
		jz	short loc_6908A8
		cmp	eax, 9
		jnz	short loc_6908AF

loc_6908A8:				; CODE XREF: WheapProcessWorkQueueItem(x,x)+39j
					; WheapProcessWorkQueueItem(x,x)+3Ej ...
		mov	ecx, esi
		call	_WheapCreateLiveDumpFromPreviousSession@4 ; WheapCreateLiveDumpFromPreviousSession(x)

loc_6908AF:				; CODE XREF: WheapProcessWorkQueueItem(x,x)+16j
					; WheapProcessWorkQueueItem(x,x)+1Fj ...
		cmp	ds:_WheapEventingInitialized, 0
		jz	short loc_6908D0
		mov	ecx, esi
		call	_WheapPredictiveFailureAnalysis@4 ; WheapPredictiveFailureAnalysis(x)
		lea	ecx, [esi+1Ch]
		call	_WheapGenerateETWEvents@4 ; WheapGenerateETWEvents(x)
		mov	ecx, esi
		call	_WheapFreeErrorRecord@4	; WheapFreeErrorRecord(x)
		jmp	short loc_690909
; 

loc_6908D0:				; CODE XREF: WheapProcessWorkQueueItem(x,x)+5Dj
		xor	edi, edi
		mov	ebx, offset _WheapWaitingETWEventLock
		push	edi
		push	edi
		push	edi
		push	edi
		push	ebx
		call	KeWaitForSingleObject
		mov	eax, ds:dword_6BB3D4
		mov	ecx, offset _WheapWaitingETWEvents
		cmp	[eax], ecx
		jz	short loc_6908F4
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_6908F4:				; CODE XREF: WheapProcessWorkQueueItem(x,x)+94j
		push	edi
		mov	[esi], ecx
		mov	[esi+4], eax
		push	edi
		mov	[eax], esi
		push	ebx
		mov	ds:dword_6BB3D4, esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_690909:				; CODE XREF: WheapProcessWorkQueueItem(x,x)+75j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_WheapProcessWorkQueueItem@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2609. WheaAddHwErrorReportSectionDeviceDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaAddHwErrorReportSectionDeviceDriver(x, x, x)
		public _WheaAddHwErrorReportSectionDeviceDriver@12
_WheaAddHwErrorReportSectionDeviceDriver@12 proc near
					; CODE XREF: WheaReportFatalHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x,x)+6Ap
					; WheaReportHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x)+6Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		test	edi, edi
		jz	loc_6909D6
		cmp	dword ptr [edi], 41454857h
		jnz	loc_6909D6
		push	dword ptr [edi+0Ch]
		call	_WheaGetErrorSource@4 ;	WheaGetErrorSource(x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_690950
		mov	ebx, 0C00002B6h
		jmp	loc_6909DB
; 

loc_690950:				; CODE XREF: WheaAddHwErrorReportSectionDeviceDriver(x,x,x)+2Dj
		mov	eax, [edi+4]
		cmp	eax, [ecx+7Ch]
		jnb	short loc_6909CF
		mov	esi, [ebp+arg_4]
		cmp	esi, [ecx+78h]
		ja	short loc_6909CF
		mov	eax, [edi+8]
		add	eax, esi
		cmp	eax, [ecx+10h]
		ja	short loc_6909CF
		mov	edx, [edi+10h]
		mov	eax, [edx]
		lea	ecx, [eax+10h]
		xor	ecx, eax
		and	ecx, 3FF0h
		xor	ecx, eax
		mov	[edx], ecx
		mov	edx, [edi+14h]
		mov	eax, [edi+24h]
		mov	[edx+10h], eax
		lea	ecx, [edx+48h]
		mov	[edx+18h], esi
		mov	eax, 300h
		mov	esi, [ebp+arg_8]
		mov	[edx+14h], ax
		lea	eax, [edx+2Ch]
		mov	[esi+10h], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+0Ch], edx
		or	byte ptr [edx+16h], 2
		inc	dword ptr [edi+4]
		mov	[esi+8], eax
		lea	eax, [edx+17h]
		mov	edx, [ebp+arg_4]
		mov	[esi+14h], eax
		mov	[esi+4], ecx
		lea	eax, [ecx+edx]
		mov	[edi+14h], eax
		lea	eax, [edx+48h]
		add	[edi+8], eax
		mov	dword ptr [esi], 1
		jmp	short loc_6909DB
; 

loc_6909CF:				; CODE XREF: WheaAddHwErrorReportSectionDeviceDriver(x,x,x)+3Fj
					; WheaAddHwErrorReportSectionDeviceDriver(x,x,x)+47j ...
		mov	ebx, 0C000009Ah
		jmp	short loc_6909DB
; 

loc_6909D6:				; CODE XREF: WheaAddHwErrorReportSectionDeviceDriver(x,x,x)+Fj
					; WheaAddHwErrorReportSectionDeviceDriver(x,x,x)+1Bj
		mov	ebx, 0C0000008h

loc_6909DB:				; CODE XREF: WheaAddHwErrorReportSectionDeviceDriver(x,x,x)+34j
					; WheaAddHwErrorReportSectionDeviceDriver(x,x,x)+B6j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
_WheaAddHwErrorReportSectionDeviceDriver@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2613. WheaCreateHwErrorReportDeviceDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaCreateHwErrorReportDeviceDriver(x, x)
		public _WheaCreateHwErrorReportDeviceDriver@8
_WheaCreateHwErrorReportDeviceDriver@8 proc near
					; CODE XREF: WheaReportFatalHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x,x)+23p
					; WheaReportHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x)+23p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], 0
		call	_WheapInitErrorReportDeviceDriver@8 ; WheapInitErrorReportDeviceDriver(x,x)
		test	eax, eax
		js	short loc_690A07
		mov	eax, [ebp+var_4]
		jmp	short locret_690A09
; 

loc_690A07:				; CODE XREF: WheaCreateHwErrorReportDeviceDriver(x,x)+17j
		xor	eax, eax

locret_690A09:				; CODE XREF: WheaCreateHwErrorReportDeviceDriver(x,x)+1Cj
		leave
		retn	8
_WheaCreateHwErrorReportDeviceDriver@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2617. WheaHwErrorReportAbandonDeviceDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaHwErrorReportAbandonDeviceDriver(x)
		public _WheaHwErrorReportAbandonDeviceDriver@4
_WheaHwErrorReportAbandonDeviceDriver@4	proc near
					; CODE XREF: WheaReportFatalHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x,x)+76p
					; WheaReportHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x)+76p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_690A30
		cmp	dword ptr [ecx], 41454857h
		jnz	short loc_690A30
		call	_WheapFreeDriverPacketBuffer@4 ; WheapFreeDriverPacketBuffer(x)
		xor	eax, eax
		jmp	short loc_690A35
; 

loc_690A30:				; CODE XREF: WheaHwErrorReportAbandonDeviceDriver(x)+Bj
					; WheaHwErrorReportAbandonDeviceDriver(x)+13j
		mov	eax, 0C0000008h

loc_690A35:				; CODE XREF: WheaHwErrorReportAbandonDeviceDriver(x)+1Cj
		pop	ecx
		pop	ebp
		retn	4
_WheaHwErrorReportAbandonDeviceDriver@4	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2618. WheaHwErrorReportGetLogDataBufferDeviceDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaHwErrorReportGetLogDataBufferDeviceDriver(x, x,	x)
		public _WheaHwErrorReportGetLogDataBufferDeviceDriver@12
_WheaHwErrorReportGetLogDataBufferDeviceDriver@12 proc near
					; CODE XREF: WheaReportFatalHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x,x)+4Ap
					; WheaReportHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x)+4Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_690A7C
		cmp	dword ptr [eax], 41454857h
		jnz	short loc_690A7C
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 24h
		jbe	short loc_690A62
		mov	eax, 0C000009Ah
		jmp	short loc_690A81
; 

loc_690A62:				; CODE XREF: WheaHwErrorReportGetLogDataBufferDeviceDriver(x,x,x)+1Aj
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jnz	short loc_690A70
		mov	eax, 0C00000F1h
		jmp	short loc_690A81
; 

loc_690A70:				; CODE XREF: WheaHwErrorReportGetLogDataBufferDeviceDriver(x,x,x)+28j
		mov	[eax+50h], ecx
		add	eax, 2Ch
		mov	[edx], eax
		xor	eax, eax
		jmp	short loc_690A81
; 

loc_690A7C:				; CODE XREF: WheaHwErrorReportGetLogDataBufferDeviceDriver(x,x,x)+Aj
					; WheaHwErrorReportGetLogDataBufferDeviceDriver(x,x,x)+12j
		mov	eax, 0C0000008h

loc_690A81:				; CODE XREF: WheaHwErrorReportGetLogDataBufferDeviceDriver(x,x,x)+21j
					; WheaHwErrorReportGetLogDataBufferDeviceDriver(x,x,x)+2Fj ...
		pop	ebp
		retn	0Ch
_WheaHwErrorReportGetLogDataBufferDeviceDriver@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2619. WheaHwErrorReportMarkAsCriticalDeviceDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaHwErrorReportMarkAsCriticalDeviceDriver(x)
		public _WheaHwErrorReportMarkAsCriticalDeviceDriver@4
_WheaHwErrorReportMarkAsCriticalDeviceDriver@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_690AA9
		cmp	dword ptr [eax], 41454857h
		jnz	short loc_690AA9
		mov	eax, [eax+1Ch]
		or	dword ptr [eax+0Ch], 2
		xor	eax, eax
		jmp	short loc_690AAE
; 

loc_690AA9:				; CODE XREF: WheaHwErrorReportMarkAsCriticalDeviceDriver(x)+Aj
					; WheaHwErrorReportMarkAsCriticalDeviceDriver(x)+12j
		mov	eax, 0C0000008h

loc_690AAE:				; CODE XREF: WheaHwErrorReportMarkAsCriticalDeviceDriver(x)+1Dj
		pop	ebp
		retn	4
_WheaHwErrorReportMarkAsCriticalDeviceDriver@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2620. WheaHwErrorReportSetFatalSeverityDeviceDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaHwErrorReportSetFatalSeverityDeviceDriver(x, x)
		public _WheaHwErrorReportSetFatalSeverityDeviceDriver@8
_WheaHwErrorReportSetFatalSeverityDeviceDriver@8 proc near
					; CODE XREF: WheaReportFatalHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x,x)+3Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_690AF2
		cmp	dword ptr [esi], 41454857h
		jnz	short loc_690AF2
		push	1
		push	esi
		call	_WheaHwErrorReportSetSeverityDeviceDriver@8 ; WheaHwErrorReportSetSeverityDeviceDriver(x,x)
		mov	eax, [esi+1Ch]
		or	dword ptr [eax+14h], 40000000h
		mov	eax, [esi+1Ch]
		and	dword ptr [eax+14h], 7FFFFFFFh
		mov	eax, [ebp+arg_4]
		mov	[esi+28h], eax
		xor	eax, eax
		jmp	short loc_690AF7
; 

loc_690AF2:				; CODE XREF: WheaHwErrorReportSetFatalSeverityDeviceDriver(x,x)+Bj
					; WheaHwErrorReportSetFatalSeverityDeviceDriver(x,x)+13j
		mov	eax, 0C0000008h

loc_690AF7:				; CODE XREF: WheaHwErrorReportSetFatalSeverityDeviceDriver(x,x)+39j
		pop	esi
		pop	ebp
		retn	8
_WheaHwErrorReportSetFatalSeverityDeviceDriver@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2621. WheaHwErrorReportSetSectionNameDeviceDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaHwErrorReportSetSectionNameDeviceDriver(x, x, x)
		public _WheaHwErrorReportSetSectionNameDeviceDriver@12
_WheaHwErrorReportSetSectionNameDeviceDriver@12	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_690B14
		mov	eax, 0C00000EFh
		jmp	short loc_690B3D
; 

loc_690B14:				; CODE XREF: WheaHwErrorReportSetSectionNameDeviceDriver(x,x,x)+Aj
		mov	edx, [ebp+arg_4]
		cmp	edx, 14h
		jbe	short loc_690B23
		mov	eax, 0C00000F0h
		jmp	short loc_690B3D
; 

loc_690B23:				; CODE XREF: WheaHwErrorReportSetSectionNameDeviceDriver(x,x,x)+19j
		cmp	[ebp+arg_8], 0
		jnz	short loc_690B30
		mov	eax, 0C00000F1h
		jmp	short loc_690B3D
; 

loc_690B30:				; CODE XREF: WheaHwErrorReportSetSectionNameDeviceDriver(x,x,x)+26j
		push	[ebp+arg_8]
		mov	ecx, [ecx+10h]
		call	_RtlStringCchCopyA@12 ;	RtlStringCchCopyA(x,x,x)
		xor	eax, eax

loc_690B3D:				; CODE XREF: WheaHwErrorReportSetSectionNameDeviceDriver(x,x,x)+11j
					; WheaHwErrorReportSetSectionNameDeviceDriver(x,x,x)+20j ...
		pop	ebp
		retn	0Ch
_WheaHwErrorReportSetSectionNameDeviceDriver@12	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2622. WheaHwErrorReportSetSeverityDeviceDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaHwErrorReportSetSeverityDeviceDriver(x,	x)
		public _WheaHwErrorReportSetSeverityDeviceDriver@8
_WheaHwErrorReportSetSeverityDeviceDriver@8 proc near
					; CODE XREF: WheaHwErrorReportSetFatalSeverityDeviceDriver(x,x)+18p
					; WheaReportHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x)+3Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_690B7E
		cmp	dword ptr [edx], 41454857h
		jnz	short loc_690B7E
		mov	eax, [edx+1Ch]
		mov	ecx, [ebp+arg_4]
		mov	[edx+24h], ecx
		mov	[eax+14h], ecx
		mov	eax, [edx+1Ch]
		and	dword ptr [eax+14h], 0BFFFFFFFh
		mov	eax, [edx+1Ch]
		or	dword ptr [eax+14h], 80000000h
		xor	eax, eax
		jmp	short loc_690B83
; 

loc_690B7E:				; CODE XREF: WheaHwErrorReportSetSeverityDeviceDriver(x,x)+Aj
					; WheaHwErrorReportSetSeverityDeviceDriver(x,x)+12j
		mov	eax, 0C0000008h

loc_690B83:				; CODE XREF: WheaHwErrorReportSetSeverityDeviceDriver(x,x)+36j
		pop	ebp
		retn	8
_WheaHwErrorReportSetSeverityDeviceDriver@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2623. WheaHwErrorReportSubmitDeviceDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaHwErrorReportSubmitDeviceDriver(x)
		public _WheaHwErrorReportSubmitDeviceDriver@4
_WheaHwErrorReportSubmitDeviceDriver@4 proc near
					; CODE XREF: WheaReportFatalHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x,x)+B7p
					; WheaReportHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x)+B7p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	loc_690C53
		cmp	dword ptr [esi], 41454857h
		jnz	loc_690C53
		mov	ecx, [esi+1Ch]
		mov	eax, [esi+8]
		mov	[ecx+8], eax
		push	dword ptr [esi+0Ch]
		call	_WheaGetErrorSource@4 ;	WheaGetErrorSource(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_690BCC
		mov	edi, 0C00002B6h
		jmp	loc_690C58
; 

loc_690BCC:				; CODE XREF: WheaHwErrorReportSubmitDeviceDriver(x)+34j
		mov	eax, [esi+10h]
		mov	eax, [eax]
		and	eax, 3FF0h
		cmp	eax, 10h
		jnb	short loc_690BE2
		mov	edi, 0C0000023h
		jmp	short loc_690C58
; 

loc_690BE2:				; CODE XREF: WheaHwErrorReportSubmitDeviceDriver(x)+4Dj
		mov	edi, [esi+14h]
		mov	eax, [esi+8]
		add	edi, 3
		mov	ecx, [esi+50h]
		and	edi, 0FFFFFFFCh
		add	eax, ecx
		cmp	eax, [ebx+10h]
		jbe	short loc_690BFF
		mov	edi, 0C000009Ah
		jmp	short loc_690C58
; 

loc_690BFF:				; CODE XREF: WheaHwErrorReportSubmitDeviceDriver(x)+6Aj
		test	ecx, ecx
		jz	short loc_690C26
		cmp	ecx, 24h
		jnb	short loc_690C26
		push	ecx		; size_t
		lea	eax, [esi+2Ch]
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [esi+50h]
		add	esp, 0Ch
		mov	[edi+50h], eax
		mov	ax, [ebx+3Ch]
		mov	[edi+54h], ax
		jmp	short loc_690C2A
; 

loc_690C26:				; CODE XREF: WheaHwErrorReportSubmitDeviceDriver(x)+75j
					; WheaHwErrorReportSubmitDeviceDriver(x)+7Aj
		and	dword ptr [edi+50h], 0

loc_690C2A:				; CODE XREF: WheaHwErrorReportSubmitDeviceDriver(x)+98j
		lea	eax, [ebx+2Ch]
		mov	[edi+48h], eax
		mov	eax, [esi+28h]
		push	ebx
		mov	[edi+4Ch], eax
		push	dword ptr [esi+1Ch]
		call	ds:__imp__PshedRetrieveErrorInfo@8 ; PshedRetrieveErrorInfo(x,x)
		push	dword ptr [esi+1Ch]
		call	_WheaReportHwError@4 ; WheaReportHwError(x)
		mov	ecx, esi
		mov	edi, eax
		call	_WheapFreeDriverPacketBuffer@4 ; WheapFreeDriverPacketBuffer(x)
		jmp	short loc_690C58
; 

loc_690C53:				; CODE XREF: WheaHwErrorReportSubmitDeviceDriver(x)+Dj
					; WheaHwErrorReportSubmitDeviceDriver(x)+19j
		mov	edi, 0C0000008h

loc_690C58:				; CODE XREF: WheaHwErrorReportSubmitDeviceDriver(x)+3Bj
					; WheaHwErrorReportSubmitDeviceDriver(x)+54j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_WheaHwErrorReportSubmitDeviceDriver@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2628. WheaReportFatalHwErrorDeviceDriverEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	WheaReportFatalHwErrorDeviceDriverEx(int,int,void *,size_t,void	*,size_t,int,int,int,int,int)
		public _WheaReportFatalHwErrorDeviceDriverEx@44
_WheaReportFatalHwErrorDeviceDriverEx@44 proc near

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_20		= dword	ptr  28h
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		push	[ebp+arg_4]
		xor	eax, eax
		lea	edi, [esp+2Ch+var_18]
		push	[ebp+arg_0]
		and	[esp+30h+var_1C], eax
		rep stosd
		call	_WheaCreateHwErrorReportDeviceDriver@8 ; WheaCreateHwErrorReportDeviceDriver(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_690C9E
		mov	esi, 0C000009Ah
		jmp	loc_690D24
; 

loc_690C9E:				; CODE XREF: WheaReportFatalHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x,x)+2Cj
		push	[ebp+arg_28]
		push	ebx
		call	_WheaHwErrorReportSetFatalSeverityDeviceDriver@8 ; WheaHwErrorReportSetFatalSeverityDeviceDriver(x,x)
		lea	eax, [esp+28h+var_1C]
		push	eax
		push	[ebp+arg_14]
		push	ebx
		call	_WheaHwErrorReportGetLogDataBufferDeviceDriver@12 ; WheaHwErrorReportGetLogDataBufferDeviceDriver(x,x,x)
		push	[ebp+arg_14]	; size_t
		push	[ebp+arg_10]	; void *
		push	[esp+30h+var_1C] ; void	*
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [esp+28h+var_18]
		push	eax
		push	[ebp+arg_C]
		push	ebx
		call	_WheaAddHwErrorReportSectionDeviceDriver@12 ; WheaAddHwErrorReportSectionDeviceDriver(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_690CE3
		push	ebx
		call	_WheaHwErrorReportAbandonDeviceDriver@4	; WheaHwErrorReportAbandonDeviceDriver(x)
		jmp	short loc_690D24
; 

loc_690CE3:				; CODE XREF: WheaReportFatalHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x,x)+73j
		push	[ebp+arg_C]	; size_t
		push	[ebp+arg_8]	; void *
		push	[esp+30h+var_14] ; void	*
		call	_memcpy
		mov	esi, [ebp+arg_18]
		add	esp, 0Ch
		cmp	[ebp+arg_20], 0
		mov	edi, [esp+28h+var_C]
		mov	eax, [esp+28h+var_4]
		movsd
		movsd
		movsd
		movsd
		mov	byte ptr [eax],	1
		jz	short loc_690D1C
		push	[ebp+arg_20]
		mov	ecx, [esp+2Ch+var_8]
		push	14h
		pop	edx
		call	_RtlStringCchCopyA@12 ;	RtlStringCchCopyA(x,x,x)

loc_690D1C:				; CODE XREF: WheaReportFatalHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x,x)+A5j
		push	ebx
		call	_WheaHwErrorReportSubmitDeviceDriver@4 ; WheaHwErrorReportSubmitDeviceDriver(x)
		mov	esi, eax

loc_690D24:				; CODE XREF: WheaReportFatalHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x,x)+33j
					; WheaReportFatalHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x,x)+7Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
_WheaReportFatalHwErrorDeviceDriverEx@44 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2631. WheaReportHwErrorDeviceDriverEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	WheaReportHwErrorDeviceDriverEx(int,int,void *,size_t,void *,size_t,int,int,int,int)
		public _WheaReportHwErrorDeviceDriverEx@40
_WheaReportHwErrorDeviceDriverEx@40 proc near
					; CODE XREF: WheaReportHwErrorDeviceDriver(x,x,x,x,x,x,x)+1Fp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		push	[ebp+arg_4]
		xor	eax, eax
		lea	edi, [esp+2Ch+var_18]
		push	[ebp+arg_0]
		and	[esp+30h+var_1C], eax
		rep stosd
		call	_WheaCreateHwErrorReportDeviceDriver@8 ; WheaCreateHwErrorReportDeviceDriver(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_690D6C
		mov	esi, 0C000009Ah
		jmp	loc_690DF2
; 

loc_690D6C:				; CODE XREF: WheaReportHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x)+2Cj
		push	[ebp+arg_20]
		push	ebx
		call	_WheaHwErrorReportSetSeverityDeviceDriver@8 ; WheaHwErrorReportSetSeverityDeviceDriver(x,x)
		lea	eax, [esp+28h+var_1C]
		push	eax
		push	[ebp+arg_14]
		push	ebx
		call	_WheaHwErrorReportGetLogDataBufferDeviceDriver@12 ; WheaHwErrorReportGetLogDataBufferDeviceDriver(x,x,x)
		push	[ebp+arg_14]	; size_t
		push	[ebp+arg_10]	; void *
		push	[esp+30h+var_1C] ; void	*
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [esp+28h+var_18]
		push	eax
		push	[ebp+arg_C]
		push	ebx
		call	_WheaAddHwErrorReportSectionDeviceDriver@12 ; WheaAddHwErrorReportSectionDeviceDriver(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_690DB1
		push	ebx
		call	_WheaHwErrorReportAbandonDeviceDriver@4	; WheaHwErrorReportAbandonDeviceDriver(x)
		jmp	short loc_690DF2
; 

loc_690DB1:				; CODE XREF: WheaReportHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x)+73j
		push	[ebp+arg_C]	; size_t
		push	[ebp+arg_8]	; void *
		push	[esp+30h+var_14] ; void	*
		call	_memcpy
		mov	esi, [ebp+arg_18]
		add	esp, 0Ch
		cmp	[ebp+arg_24], 0
		mov	edi, [esp+28h+var_C]
		mov	eax, [esp+28h+var_4]
		movsd
		movsd
		movsd
		movsd
		mov	byte ptr [eax],	1
		jz	short loc_690DEA
		push	[ebp+arg_24]
		mov	ecx, [esp+2Ch+var_8]
		push	14h
		pop	edx
		call	_RtlStringCchCopyA@12 ;	RtlStringCchCopyA(x,x,x)

loc_690DEA:				; CODE XREF: WheaReportHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x)+A5j
		push	ebx
		call	_WheaHwErrorReportSubmitDeviceDriver@4 ; WheaHwErrorReportSubmitDeviceDriver(x)
		mov	esi, eax

loc_690DF2:				; CODE XREF: WheaReportHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x)+33j
					; WheaReportHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x)+7Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
_WheaReportHwErrorDeviceDriverEx@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapDeviceDriverCreateRecord(x, x,	x, x, x)
_WheapDeviceDriverCreateRecord@20 proc near ; DATA XREF: .data:006B302Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 0C8h
		jnb	short loc_690E12
		mov	eax, 0C0000023h
		jmp	short loc_690E76
; 

loc_690E12:				; CODE XREF: WheapDeviceDriverCreateRecord(x,x,x,x,x)+Cj
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax+38h], 7
		jnz	short loc_690E6F
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	edx, eax
		push	esi
		push	edi
		push	ecx
		push	[ebp+arg_C]
		mov	ecx, ebx
		push	[ebp+arg_8]
		call	_WheapCreateRecordFromGenericErrorData@20 ; WheapCreateRecordFromGenericErrorData(x,x,x,x,x)
		mov	ecx, [ebp+arg_8]
		lea	esi, [ebx+58h]
		mov	edx, eax
		mov	eax, [ebp+arg_4]
		lea	edi, [ecx+40h]
		movsd
		movsd
		movsd
		movsd
		lea	esi, [ebx+68h]
		lea	edi, [ecx+30h]
		movsd
		movsd
		movsd
		movsd
		lea	esi, [ebx+2Ch]
		lea	edi, [ecx+20h]
		movsd
		movsd
		movsd
		movsd
		or	dword ptr [ecx+10h], 5
		mov	eax, [eax+0Ch]
		shl	eax, 3
		xor	eax, [ecx+68h]
		pop	edi
		and	eax, 10h
		xor	[ecx+68h], eax
		pop	esi
		pop	ebx
		jmp	short loc_690E74
; 

loc_690E6F:				; CODE XREF: WheapDeviceDriverCreateRecord(x,x,x,x,x)+1Cj
		mov	edx, 0C0000002h

loc_690E74:				; CODE XREF: WheapDeviceDriverCreateRecord(x,x,x,x,x)+70j
		mov	eax, edx

loc_690E76:				; CODE XREF: WheapDeviceDriverCreateRecord(x,x,x,x,x)+13j
		pop	ebp
		retn	14h
_WheapDeviceDriverCreateRecord@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapFreeDriverPacketBuffer(x)
_WheapFreeDriverPacketBuffer@4 proc near
					; CODE XREF: WheaHwErrorReportAbandonDeviceDriver(x)+15p
					; WheaHwErrorReportSubmitDeviceDriver(x)+C0p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		mov	esi, ecx
		push	edi
		push	dword ptr [esi+0Ch]
		call	_WheaGetErrorSource@4 ;	WheaGetErrorSource(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_690EBB
		and	dword ptr [esi], 0
		cmp	byte ptr [esi+20h], 0
		mov	eax, [esi+18h]
		jz	short loc_690EA6
		xor	ecx, ecx
		xchg	ecx, [eax]
		jmp	short loc_690EB4
; 

loc_690EA6:				; CODE XREF: WheapFreeDriverPacketBuffer(x)+24j
		mov	ecx, eax
		call	ExFreeHeapPool
		mov	ecx, esi
		call	ExFreeHeapPool

loc_690EB4:				; CODE XREF: WheapFreeDriverPacketBuffer(x)+2Aj
		lock dec dword ptr [edi+84h]

loc_690EBB:				; CODE XREF: WheapFreeDriverPacketBuffer(x)+18j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_WheapFreeDriverPacketBuffer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapGetPreallocatedPacketBuffer(x,	x)
_WheapGetPreallocatedPacketBuffer@8 proc near
					; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+164p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	edi
		push	ecx
		mov	[ebp+var_10], edx
		call	_WheaGetErrorSource@4 ;	WheaGetErrorSource(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_690EDE
		xor	edi, edi
		jmp	short loc_690F3B
; 

loc_690EDE:				; CODE XREF: WheapGetPreallocatedPacketBuffer(x,x)+17j
		mov	eax, [ebx+40h]
		xor	ecx, ecx
		mov	edi, [ebx+48h]
		mov	[ebp+var_C], eax
		mov	eax, [ebx+80h]
		push	esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], ecx
		cmp	[ebx+44h], ecx
		jbe	short loc_690F38

loc_690EFB:				; CODE XREF: WheapGetPreallocatedPacketBuffer(x,x)+75j
		mov	[ebp+var_4], edi
		mov	eax, [ebp+var_4]
		mov	eax, [eax]
		and	eax, 0F0000000h
		cmp	eax, 80000000h
		jz	short loc_690F2C
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		mov	esi, [eax]
		mov	edx, esi
		or	edx, 80000000h
		mov	eax, esi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jz	short loc_690F41
		mov	ecx, [ebp+var_8]

loc_690F2C:				; CODE XREF: WheapGetPreallocatedPacketBuffer(x,x)+4Cj
		add	edi, [ebp+var_C]
		inc	ecx
		mov	[ebp+var_8], ecx
		cmp	ecx, [ebx+44h]
		jb	short loc_690EFB

loc_690F38:				; CODE XREF: WheapGetPreallocatedPacketBuffer(x,x)+38j
		xor	edi, edi

loc_690F3A:				; CODE XREF: WheapGetPreallocatedPacketBuffer(x,x)+85j
					; WheapGetPreallocatedPacketBuffer(x,x)+90j
		pop	esi

loc_690F3B:				; CODE XREF: WheapGetPreallocatedPacketBuffer(x,x)+1Bj
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_690F41:				; CODE XREF: WheapGetPreallocatedPacketBuffer(x,x)+66j
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jz	short loc_690F3A
		imul	eax, [ebp+var_8], 54h
		add	eax, [ebp+var_14]
		mov	[ecx], eax
		jmp	short loc_690F3A
_WheapGetPreallocatedPacketBuffer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapInitErrorReportDeviceDriver(x,	x)
_WheapInitErrorReportDeviceDriver@8 proc near
					; CODE XREF: WheaCreateHwErrorReportDeviceDriver(x,x)+10p

var_62		= byte ptr -62h
var_61		= byte ptr -61h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		xor	ebx, ebx
		mov	[esp+74h+var_5C], ecx
		lea	eax, [esp+74h+var_48]
		mov	edi, edx
		push	ebx		; int
		push	eax		; void *
		mov	[esp+7Ch+var_58], edi
		call	_memset
		add	esp, 0Ch
		mov	[edi], ebx
		mov	esi, ebx
		mov	[esp+70h+var_61], bl
		push	[esp+70h+var_5C]
		call	_WheaGetErrorSource@4 ;	WheaGetErrorSource(x)
		mov	[esp+70h+var_60], eax
		test	eax, eax
		jz	loc_69119F
		add	eax, 84h
		mov	[esp+70h+var_50], eax
		mov	edi, [eax]
		cmp	edi, 0FFFFFFFFh
		jz	loc_69119F
		mov	[esp+70h+var_54], ebx

loc_690FBD:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+9Ej
		cmp	edi, 0FFFFFFFFh
		jz	loc_691198
		lea	edx, [edi+1]
		mov	eax, edi
		mov	edi, [esp+70h+var_50]
		mov	ecx, edx
		lock cmpxchg [edi], ecx
		mov	edi, eax
		xor	ecx, ecx
		lea	eax, [edx-1]
		inc	ecx
		cmp	eax, edi
		mov	[esp+70h+var_4C], ecx
		mov	eax, [esp+70h+var_54]
		jz	short loc_690FF5
		inc	eax
		mov	[esp+70h+var_54], eax
		cmp	eax, 0Ah
		jb	short loc_690FBD
		jmp	short loc_690FF9
; 

loc_690FF5:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+94j
		mov	[esp+70h+var_61], cl

loc_690FF9:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+A0j
		cmp	eax, 0Ah
		jb	short loc_691013
		mov	[esp+70h+var_44], ecx
		mov	[esp+70h+var_3C], ecx
		mov	[esp+70h+var_34], 8000002Ch
		jmp	loc_6911B2
; 

loc_691013:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+A9j
		mov	edi, [esp+70h+var_60]
		mov	esi, [edi+10h]
		mov	[esp+70h+var_50], esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_6910AD
		mov	eax, large fs:20h
		mov	edx, esi
		push	ebx
		mov	ecx, 200h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	41454857h
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jnz	short loc_691067
		mov	ebx, 0C000009Ah
		jmp	loc_6911FA
; 

loc_691067:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+108j
		mov	eax, large fs:20h
		mov	ecx, 200h
		push	ebx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	41454857h
		push	54h
		pop	edx
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, [esp+70h+var_58]
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_6910A7

loc_69109D:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+16Dj
		mov	ebx, 0C000009Ah
		jmp	loc_6911F6
; 

loc_6910A7:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+148j
		mov	byte ptr [esp+70h+var_4C], bl
		jmp	short loc_6910C2
; 

loc_6910AD:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+D3j
		mov	edi, [esp+70h+var_58]
		mov	edx, edi
		mov	ecx, [esp+70h+var_5C]
		call	_WheapGetPreallocatedPacketBuffer@8 ; WheapGetPreallocatedPacketBuffer(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_69109D

loc_6910C2:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+158j
		push	54h		; size_t
		push	ebx		; int
		push	dword ptr [edi]	; void *
		call	_memset
		mov	eax, [edi]
		lea	ebx, [esi+8]
		mov	ecx, [esp+7Ch+var_5C]
		add	esp, 0Ch
		mov	dword ptr [eax], 41454857h
		mov	eax, [edi]
		mov	[eax+0Ch], ecx
		mov	eax, [edi]
		mov	ecx, [esp+70h+var_4C]
		mov	dword ptr [eax+24h], 2
		mov	eax, [edi]
		mov	[eax+20h], cl
		mov	eax, [edi]
		mov	[eax+1Ch], ebx
		mov	eax, [edi]
		mov	[eax+18h], esi
		mov	esi, [esp+70h+var_50]
		lea	eax, [esi-8]
		push	eax		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	edx, [esp+7Ch+var_58]
		lea	eax, [esi-64h]
		mov	ecx, [esp+7Ch+var_5C]
		lea	edi, [ebx+20h]
		mov	esi, offset _DEVICE_DRIVER_NOTIFY_TYPE_GUID
		mov	[ebx+8], eax
		mov	[ebx+18h], ecx
		add	eax, 0FFFFFFB0h
		mov	[ebx+44h], eax
		lea	ecx, [ebx+50h]
		mov	dword ptr [ebx], 41454857h
		add	esp, 0Ch
		movsd
		mov	dword ptr [ebx+4], 3
		mov	dword ptr [ebx+10h], 6
		mov	dword ptr [ebx+14h], 80000002h
		movsd
		mov	dword ptr [ebx+1Ch], 0Ch
		mov	dword ptr [ebx+38h], 7
		mov	dword ptr [ebx+40h], 50h
		movsd
		movsd
		mov	eax, [edx]
		mov	[eax+10h], ecx
		and	dword ptr [ecx], 0FFFFC00Fh
		mov	dword ptr [ecx+10h], 2
		mov	eax, [ebx+8]
		sub	eax, 64h
		mov	[ecx+0Ch], eax
		add	ecx, 14h
		mov	eax, [edx]
		mov	[eax+14h], ecx
		mov	eax, [edx]
		add	dword ptr [eax+8], 64h
		xor	ebx, ebx
		jmp	loc_691222
; 

loc_691198:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+6Dj
		mov	ebx, 0C000000Dh
		jmp	short loc_691213
; 

loc_69119F:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+4Cj
					; WheapInitErrorReportDeviceDriver(x,x)+60j
		xor	eax, eax
		mov	[esp+70h+var_34], 8000002Bh
		inc	eax
		mov	[esp+70h+var_44], eax
		mov	[esp+70h+var_3C], eax

loc_6911B2:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+BBj
		push	20h
		pop	edx
		push	offset ??_C@_0BM@DGNKLLNF@InitErrorReportDeviceDriver@FNODOBFM@	; "InitErrorReportDeviceDriver"
		lea	ecx, [esp+74h+var_28]
		mov	[esp+74h+var_48], 674C6857h
		mov	[esp+74h+var_40], 40h
		mov	[esp+74h+var_38], 4C4E524Bh
		mov	[esp+74h+var_30], 2
		mov	[esp+74h+var_2C], edx
		call	_RtlStringCchCopyA@12 ;	RtlStringCchCopyA(x,x,x)
		lea	eax, [esp+70h+var_48]
		push	eax
		call	WheaLogInternalEvent
		mov	ebx, 0C000000Dh

loc_6911F6:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+14Fj
		mov	edi, [esp+70h+var_60]

loc_6911FA:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+10Fj
		cmp	[esp+70h+var_61], 0
		jz	short loc_691208
		lock dec dword ptr [edi+84h]

loc_691208:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+2ACj
		test	esi, esi
		jz	short loc_691213
		mov	ecx, esi
		call	ExFreeHeapPool

loc_691213:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+24Aj
					; WheapInitErrorReportDeviceDriver(x,x)+2B7j
		mov	eax, [esp+70h+var_58]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_691222
		call	ExFreeHeapPool

loc_691222:				; CODE XREF: WheapInitErrorReportDeviceDriver(x,x)+240j
					; WheapInitErrorReportDeviceDriver(x,x)+2C8j
		mov	ecx, [esp+70h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_WheapInitErrorReportDeviceDriver@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaPersistBadPageToBcd(x)
_WheaPersistBadPageToBcd@4 proc	near	; CODE XREF: WheapProcessEfiBadMemoryPage+7DFC8p
					; EmpRemoveBadS3PageWorker(x)+6p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		and	[esp+1Ch+var_10], 0
		lea	eax, [esp+1Ch+var_10]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+28h+var_C], ecx
		and	[esp+28h+var_18], edi
		xor	edx, edx
		push	eax
		call	BcdOpenStore
		mov	esi, eax
		test	esi, esi
		js	loc_6913B5
		mov	ebx, [esp+28h+var_10]
		lea	eax, [esp+28h+var_18]
		mov	esi, (offset loc_428C91+3)
		mov	ecx, ebx
		push	eax
		mov	edx, esi
		call	BcdOpenObject
		test	eax, eax
		jns	short loc_6912B6
		lea	eax, [esp+28h+var_18]
		mov	[esp+28h+var_8], 1
		push	eax
		lea	eax, [esp+2Ch+var_8]
		mov	[esp+2Ch+var_4], 20100000h
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	_BcdCreateObject@16 ; BcdCreateObject(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_6912B6
		mov	ebx, [esp+28h+var_18]
		jmp	loc_6913AA
; 

loc_6912B6:				; CODE XREF: WheaPersistBadPageToBcd(x)+4Cj
					; WheaPersistBadPageToBcd(x)+75j
		mov	ecx, [esp+28h+var_18]
		lea	eax, [esp+28h+var_14]
		xor	ebx, ebx
		mov	edx, 1700000Ah
		push	eax
		push	ebx
		mov	[esp+30h+var_14], ebx
		call	_BcdGetElementData@16 ;	BcdGetElementData(x,x,x,x)
		mov	esi, eax
		push	ebx
		lea	eax, [esi+3FFFFFDDh]
		neg	eax
		sbb	eax, eax
		xor	ecx, ecx
		not	eax
		inc	ecx
		and	eax, [esp+2Ch+var_14]
		mov	[esp+2Ch+var_14], eax
		lea	edx, [eax+8]
		mov	eax, large fs:20h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	61656857h
		call	ExpAllocatePoolWithTagFromNode
		mov	ebx, [esp+28h+var_18]
		mov	edi, eax
		test	edi, edi
		jnz	short loc_691324
		mov	esi, 0C000009Ah
		jmp	loc_6913AA
; 

loc_691324:				; CODE XREF: WheaPersistBadPageToBcd(x)+E2j
		cmp	esi, 0C0000023h
		jnz	short loc_691344
		lea	eax, [esp+28h+var_14]
		mov	edx, 1700000Ah
		push	eax
		push	edi
		mov	ecx, ebx
		call	_BcdGetElementData@16 ;	BcdGetElementData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_6913AA

loc_691344:				; CODE XREF: WheaPersistBadPageToBcd(x)+F4j
		mov	esi, [esp+28h+var_14]
		mov	ecx, edi
		push	[esp+28h+var_C]
		shr	esi, 3
		mov	edx, esi
		call	_WheapIsPageInList@12 ;	WheapIsPageInList(x,x,x)
		test	al, al
		jnz	short loc_6913A8
		mov	eax, [esp+28h+var_C]
		lea	edx, [esi+1]
		and	dword ptr [edi+esi*8+4], 0
		mov	ecx, edi
		mov	[edi+esi*8], eax
		mov	eax, [esp+28h+var_14]
		add	eax, 8
		mov	[esp+28h+var_C], eax
		call	_WheapSortBadPages@8 ; WheapSortBadPages(x,x)
		lea	edx, [esi+1]
		call	_WheapCountBadPageExtents@8 ; WheapCountBadPageExtents(x,x)
		cmp	eax, 40h
		jbe	short loc_691391
		mov	esi, 0C0000001h
		jmp	short loc_6913AA
; 

loc_691391:				; CODE XREF: WheaPersistBadPageToBcd(x)+152j
		push	[esp+28h+var_C]
		mov	edx, 1700000Ah
		mov	ecx, ebx
		push	edi
		call	_BcdSetElementData@16 ;	BcdSetElementData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_6913AA

loc_6913A8:				; CODE XREF: WheaPersistBadPageToBcd(x)+124j
		xor	esi, esi

loc_6913AA:				; CODE XREF: WheaPersistBadPageToBcd(x)+7Bj
					; WheaPersistBadPageToBcd(x)+E9j ...
		test	ebx, ebx
		jz	short loc_6913B5
		mov	ecx, ebx
		call	_BcdCloseObject@4 ; BcdCloseObject(x)

loc_6913B5:				; CODE XREF: WheaPersistBadPageToBcd(x)+2Dj
					; WheaPersistBadPageToBcd(x)+176j
		mov	ebx, [esp+28h+var_10]
		test	ebx, ebx
		jz	short loc_6913C4
		mov	ecx, ebx
		call	BcdCloseStore

loc_6913C4:				; CODE XREF: WheaPersistBadPageToBcd(x)+185j
		test	edi, edi
		jz	short loc_6913CF
		mov	ecx, edi
		call	ExFreeHeapPool

loc_6913CF:				; CODE XREF: WheaPersistBadPageToBcd(x)+190j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_WheaPersistBadPageToBcd@4 endp


;  S U B	R O U T	I N E 


; __stdcall WheapErrorContainsMemorySection(x)
_WheapErrorContainsMemorySection@4 proc	near
					; CODE XREF: WheapPersistPageForMemoryError(x)+Dp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		movzx	ecx, word ptr [edi+0Ah]
		test	cx, cx
		jz	short loc_691424
		xor	eax, eax
		test	ecx, ecx
		jz	short loc_691401
		lea	esi, [edi+80h]

loc_6913F3:				; CODE XREF: WheapErrorContainsMemorySection(x)+27j
		test	byte ptr [esi+0Ch], 1
		jnz	short loc_691407
		inc	eax
		add	esi, 48h
		cmp	eax, ecx
		jb	short loc_6913F3

loc_691401:				; CODE XREF: WheapErrorContainsMemorySection(x)+13j
		lea	esi, [edi+80h]

loc_691407:				; CODE XREF: WheapErrorContainsMemorySection(x)+1Fj
		push	10h		; size_t
		lea	eax, [esi+10h]
		push	offset _MEMORY_ERROR_SECTION_GUID ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_691424
		mov	eax, [esi]
		add	eax, edi
		jmp	short loc_691426
; 

loc_691424:				; CODE XREF: WheapErrorContainsMemorySection(x)+Dj
					; WheapErrorContainsMemorySection(x)+44j
		xor	eax, eax

loc_691426:				; CODE XREF: WheapErrorContainsMemorySection(x)+4Aj
		pop	edi
		pop	esi
		retn
_WheapErrorContainsMemorySection@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapGetTimestamp(x)
_WheapGetTimestamp@4 proc near		; CODE XREF: WheaInitializeRecordHeader(x)+4Ap

var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_12		= byte ptr -12h
var_10		= byte ptr -10h
var_E		= byte ptr -0Eh
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		xor	eax, eax
		and	[ebp+var_4], 0
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	esi, ecx
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_8]
		push	eax
		call	KeQuerySystemTime
		push	ecx
		lea	edx, [ebp+var_18]
		lea	ecx, [ebp+var_8]
		call	RtlpTimeToTimeFields
		mov	al, [ebp+var_E]
		mov	[esi], al
		mov	al, [ebp+var_10]
		mov	[esi+1], al
		mov	al, [ebp+var_12]
		mov	[esi+2], al
		mov	eax, [esi+4]
		and	dword ptr [esi], 0FEFFFFFFh
		mov	[esi+4], eax
		mov	al, [ebp+var_14]
		mov	[esi+4], al
		mov	al, byte ptr [ebp+var_18+2]
		mov	[esi+5], al
		movsx	eax, word ptr [ebp+var_18]
		push	64h
		pop	ecx
		cdq
		idiv	ecx
		pop	edi
		mov	[esi+6], dl
		mov	[esi+7], al
		pop	esi
		leave
		retn
_WheapGetTimestamp@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2624. WheaInitializeRecordHeader

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	WheaInitializeRecordHeader(void	*)
		public _WheaInitializeRecordHeader@4
_WheaInitializeRecordHeader@4 proc near	; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+10Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	80h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		or	dword ptr [ebx+6], 0FFFFFFFFh
		lea	edi, [ebx+40h]
		or	dword ptr [ebx+10h], 2
		lea	ecx, [ebx+18h]
		mov	esi, offset _WHEA_RECORD_CREATOR_GUID
		mov	dword ptr [ebx], 52455043h
		add	esp, 0Ch
		mov	dword ptr [ebx+0Ch], 3
		mov	eax, 210h
		mov	[ebx+4], ax
		movsd
		movsd
		movsd
		movsd
		call	_WheapGetTimestamp@4 ; WheapGetTimestamp(x)

loc_6914EC:				; CODE XREF: WheaInitializeRecordHeader(x)+7Bj
					; WheaInitializeRecordHeader(x)+7Fj
		mov	edi, ds:_WheapErrorRecordId
		mov	ebx, edi
		mov	esi, ds:dword_6FD65C
		add	ebx, 1
		mov	ecx, esi
		mov	[ebp+var_4], esi
		mov	edx, esi
		adc	ecx, 0
		mov	eax, edi
		mov	esi, offset _WheapErrorRecordId
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_4]
		cmp	eax, edi
		jnz	short loc_6914EC
		cmp	edx, esi
		jnz	short loc_6914EC
		mov	eax, [ebp+arg_0]
		add	edi, 1
		adc	esi, 0
		mov	[eax+60h], edi
		pop	edi
		mov	[eax+64h], esi
		xor	eax, eax
		pop	esi
		pop	ebx
		leave
		retn	4
_WheaInitializeRecordHeader@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapAddRecoveryPacketToErrorRecord(x, x, x)
_WheapAddRecoveryPacketToErrorRecord@12	proc near
					; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+2A5p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], esi
		movzx	ecx, word ptr [esi+0Ah]
		mov	[ebp+var_8], ecx
		mov	eax, [edi+18h]
		movzx	ecx, cx
		mov	[ebp+var_C], eax
		cmp	ecx, eax
		jb	short loc_691566

loc_69155C:				; CODE XREF: WheapAddRecoveryPacketToErrorRecord(x,x,x)+9Aj
		mov	ebx, 0C0000023h
		jmp	loc_691601
; 

loc_691566:				; CODE XREF: WheapAddRecoveryPacketToErrorRecord(x,x,x)+24j
		push	50h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_64]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		cdq
		add	esp, 0Ch
		mov	[ebp+var_34], eax
		mov	eax, [edi+1Ch]
		mov	[ebp+var_4C], eax
		mov	eax, [edi+8]
		mov	[ebp+var_30], edx
		lea	edx, [esi+80h]
		mov	[ebp+var_64], 41454857h
		mov	[ebp+var_60], 3
		mov	[ebp+var_5C], 50h
		mov	[ebp+var_48], eax
		test	cx, cx
		jnz	short loc_6915B8
		imul	ecx, [ebp+var_C], 48h
		sub	ecx, 0FFFFFF80h
		jmp	short loc_6915C6
; 

loc_6915B8:				; CODE XREF: WheapAddRecoveryPacketToErrorRecord(x,x,x)+77j
		movzx	eax, cx
		imul	eax, 48h
		add	edx, eax
		mov	ecx, [edx-44h]
		add	ecx, [edx-48h]

loc_6915C6:				; CODE XREF: WheapAddRecoveryPacketToErrorRecord(x,x,x)+80j
		mov	eax, [ebp+arg_0]
		push	50h
		sub	eax, ecx
		pop	esi
		cmp	eax, esi
		jb	short loc_69155C
		mov	[edx+4], esi
		lea	edi, [edx+10h]
		mov	[edx], ecx
		mov	esi, offset _WHEA_ERROR_PACKET_SECTION_GUID
		mov	eax, 300h
		mov	[edx+8], ax
		mov	eax, [ebp+var_10]
		movsd
		push	14h
		movsd
		movsd
		movsd
		lea	edi, [ecx+eax]
		mov	[edx+30h], ebx
		pop	ecx
		lea	esi, [ebp+var_64]
		rep movsd
		inc	word ptr [eax+0Ah]

loc_691601:				; CODE XREF: WheapAddRecoveryPacketToErrorRecord(x,x,x)+2Bj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_WheapAddRecoveryPacketToErrorRecord@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	WheapAddSectionFromGenericErrorData(int,int,size_t,char)
_WheapAddSectionFromGenericErrorData@24	proc near
					; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+1F6p
					; WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+239p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, edx
		mov	edx, [ecx+18h]
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		movzx	esi, word ptr [eax+0Ah]
		mov	edi, esi
		cmp	edi, edx
		jb	short loc_69162E
		mov	eax, 0C0000023h
		jmp	loc_6916F2
; 

loc_69162E:				; CODE XREF: WheapAddSectionFromGenericErrorData(x,x,x,x,x,x)+18j
		lea	ecx, [eax+80h]
		test	si, si
		jnz	short loc_691641
		imul	edx, 48h
		sub	edx, 0FFFFFF80h
		jmp	short loc_69164C
; 

loc_691641:				; CODE XREF: WheapAddSectionFromGenericErrorData(x,x,x,x,x,x)+2Dj
		imul	eax, edi, 48h
		add	ecx, eax
		mov	edx, [ecx-44h]
		add	edx, [ecx-48h]

loc_69164C:				; CODE XREF: WheapAddSectionFromGenericErrorData(x,x,x,x,x,x)+35j
		mov	esi, [ebp+arg_4]
		mov	eax, 300h
		push	ebx
		xor	ebx, ebx
		cmp	[ebp+arg_C], bl
		jz	short loc_691672
		cmp	[esi+14h], ax
		mov	edi, [esi+18h]
		setz	bl
		mov	dword ptr [ebp+arg_C], esi
		lea	ebx, ds:40h[ebx*8]
		jmp	short loc_69167C
; 

loc_691672:				; CODE XREF: WheapAddSectionFromGenericErrorData(x,x,x,x,x,x)+50j
		mov	edi, [ebp+arg_8]
		mov	dword ptr [ebp+arg_C], (offset loc_42E0D6+2)

loc_69167C:				; CODE XREF: WheapAddSectionFromGenericErrorData(x,x,x,x,x,x)+66j
		mov	eax, [ebp+arg_0]
		sub	eax, edx
		mov	[ebp+arg_8], edi
		cmp	eax, edi
		jnb	short loc_69168F
		mov	eax, 0C0000023h
		jmp	short loc_6916F1
; 

loc_69168F:				; CODE XREF: WheapAddSectionFromGenericErrorData(x,x,x,x,x,x)+7Cj
		mov	[ecx+4], edi
		mov	eax, 300h
		mov	[ecx+8], ax
		lea	edi, [ecx+10h]
		mov	[ecx], edx
		mov	al, [esi+16h]
		mov	[ecx+0Ah], al
		movzx	eax, byte ptr [esi+17h]
		mov	esi, dword ptr [ebp+arg_C]
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+arg_4]
		push	5
		movsd
		movsd
		movsd
		movsd
		lea	edi, [ecx+20h]
		lea	esi, [eax+1Ch]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [eax+10h]
		lea	edi, [ecx+34h]
		mov	[ecx+30h], eax
		mov	eax, [ebp+arg_4]
		pop	ecx
		push	[ebp+arg_8]	; size_t
		lea	esi, [eax+2Ch]
		rep movsd
		mov	esi, [ebp+var_4]
		lea	ecx, [ebx+eax]
		push	ecx		; void *
		lea	ecx, [edx+esi]
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		inc	word ptr [esi+0Ah]
		xor	eax, eax

loc_6916F1:				; CODE XREF: WheapAddSectionFromGenericErrorData(x,x,x,x,x,x)+83j
		pop	ebx

loc_6916F2:				; CODE XREF: WheapAddSectionFromGenericErrorData(x,x,x,x,x,x)+1Fj
		pop	edi
		pop	esi
		leave
		retn	10h
_WheapAddSectionFromGenericErrorData@24	endp


;  S U B	R O U T	I N E 


; __stdcall WheapCallErrorSourceUninitialize(x)
_WheapCallErrorSourceUninitialize@4 proc near ;	CODE XREF: WheaRemoveErrorSource(x)+A6p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	1
		push	4
		pop	edx
		cmp	dword ptr [esi+20h], 10h
		jnz	short loc_69171A
		call	_WheapGetErrorSourceFunction@12	; WheapGetErrorSourceFunction(x,x,x)
		test	eax, eax
		jz	short loc_691716

loc_691711:				; CODE XREF: WheapCallErrorSourceUninitialize(x)+29j
		push	dword ptr [esi+28h]
		call	eax

loc_691716:				; CODE XREF: WheapCallErrorSourceUninitialize(x)+17j
		xor	eax, eax
		pop	esi
		retn
; 

loc_69171A:				; CODE XREF: WheapCallErrorSourceUninitialize(x)+Ej
		call	_WheapGetErrorSourceFunction@12	; WheapGetErrorSourceFunction(x,x,x)
		test	eax, eax
		jnz	short loc_691711
		mov	eax, 0C0000002h
		pop	esi
		retn
_WheapCallErrorSourceUninitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapCreateRecordFromGenericErrorData(x, x,	x, x, x)
_WheapCreateRecordFromGenericErrorData@20 proc near
					; CODE XREF: WheapDeviceDriverCreateRecord(x,x,x,x,x)+2Fp
					; WheapDefaultErrSrcCreateRecord(x,x,x,x,x)+18p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	48h		; size_t
		push	eax		; int
		mov	[esp+88h+var_5C], eax
		mov	edi, edx
		mov	[esp+88h+var_68], eax
		mov	[esp+88h+var_60], eax
		lea	eax, [esp+88h+var_50]
		push	eax		; void *
		mov	[esp+8Ch+var_58], edi
		mov	[esp+8Ch+var_74], ecx
		mov	[esp+8Ch+var_64], esi
		call	_memset
		mov	ebx, [edi+40h]
		add	esp, 0Ch
		mov	ecx, [edi+44h]
		add	ebx, edi
		mov	[esp+80h+var_70], ecx
		push	14h
		pop	eax
		cmp	ecx, eax
		jnb	short loc_6917A0
		push	(offset	loc_5A7054+2)

loc_69178A:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+92j
					; WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+ADj	...
		push	20h
		pop	edx
		lea	ecx, [esp+84h+var_30]
		mov	esi, 0C000000Dh
		call	_RtlStringCchCopyA@12 ;	RtlStringCchCopyA(x,x,x)
		jmp	loc_6919DA
; 

loc_6917A0:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+59j
		mov	edx, [ebx+0Ch]
		lea	ecx, [esp+80h+var_6C]
		push	ecx
		mov	ecx, eax
		mov	[esp+84h+var_6C], eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_6917BE
		push	offset ??_C@_0CA@KJNCJDDD@Overflow_Finding_Structured_Len@FNODOBFM@
		jmp	short loc_69178A
; 

loc_6917BE:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+8Bj
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jz	short loc_6917FF
		mov	edx, [ebx+8]
		test	edx, edx
		jz	short loc_6917FF
		cmp	[esp+80h+var_6C], ecx
		jbe	short loc_6917D9
		push	offset ??_C@_0BL@BDDMBBNP@Unstructered_Data_Too_Soon@FNODOBFM@
		jmp	short loc_69178A
; 

loc_6917D9:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+A6j
		lea	eax, [esp+80h+var_60]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_6917EE
		push	offset ??_C@_0BK@MFIAHGKF@Overflow_Unstructured_End@FNODOBFM@
		jmp	short loc_69178A
; 

loc_6917EE:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+BBj
		mov	eax, [esp+80h+var_70]
		cmp	[esp+80h+var_60], eax
		jbe	short loc_691813
		push	offset ??_C@_0BN@MMNDOKOI@Unstructured_Overruns_Buffer@FNODOBFM@
		jmp	short loc_69178A
; 

loc_6917FF:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+99j
					; WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+A0j
		mov	eax, [esp+80h+var_70]
		cmp	[esp+80h+var_6C], eax
		jbe	short loc_691813
		push	offset ??_C@_0BG@DPJJEMKI@Error_Overruns_Buffer@FNODOBFM@
		jmp	loc_69178A
; 

loc_691813:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+CCj
					; WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+DDj
		mov	eax, [ebp+arg_4]
		cmp	eax, 80h
		jnb	short loc_691827
		push	(offset	loc_5A712F+1)
		jmp	loc_69178A
; 

loc_691827:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+F1j
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		push	esi		; void *
		call	_WheaInitializeRecordHeader@4 ;	WheaInitializeRecordHeader(x)
		mov	eax, [edi+14h]
		mov	edx, esi
		mov	ecx, [esp+80h+var_58]
		lea	esi, [edi+20h]
		mov	[edx+0Ch], eax
		lea	edi, [edx+50h]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ecx+0Ch]
		mov	edi, [ebp+arg_4]
		add	eax, eax
		xor	eax, [edx+68h]
		and	eax, 2
		xor	[edx+68h], eax
		mov	ecx, [ecx+0Ch]
		mov	eax, [edx+68h]
		shr	ecx, 1
		xor	ecx, eax
		mov	[edx+14h], edi
		and	ecx, 4
		xor	ecx, eax
		mov	[edx+68h], ecx
		mov	esi, [ebx]
		shr	esi, 4
		and	esi, 3FFh
		mov	[esp+80h+var_70], esi
		jbe	loc_691947
		push	14h
		pop	edi

loc_69188D:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+210j
		lea	eax, [esp+80h+var_68]
		mov	ecx, edi
		push	eax
		push	40h
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_6919B0
		mov	esi, [esp+80h+var_6C]
		cmp	[esp+80h+var_68], esi
		ja	loc_6919A6
		lea	edx, [ebx+edi]
		mov	[esp+80h+var_60], 300h
		movzx	eax, word ptr [edx+14h]
		lea	ecx, [esp+80h+var_5C]
		push	ecx
		xor	ecx, ecx
		mov	[esp+84h+var_54], edx
		cmp	ax, word ptr [esp+84h+var_60]
		mov	edx, [edx+18h]
		setz	cl
		lea	ecx, ds:40h[ecx*8]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_69199C
		mov	edx, [esp+80h+var_5C]
		lea	eax, [esp+80h+var_68]
		push	eax
		mov	ecx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_691992
		mov	edi, [esp+80h+var_68]
		cmp	edi, esi
		ja	short loc_691988
		mov	edx, [esp+80h+var_64]
		mov	ecx, [esp+80h+var_74]
		push	1		; char
		push	[esp+84h+var_5C] ; size_t
		push	[esp+88h+var_54] ; int
		push	[ebp+arg_4]	; int
		call	_WheapAddSectionFromGenericErrorData@24	; WheapAddSectionFromGenericErrorData(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_691975
		mov	eax, [esp+80h+var_70]
		dec	eax
		inc	[esp+80h+var_10]
		mov	[esp+80h+var_70], eax
		test	eax, eax
		jnz	loc_69188D
		mov	edi, [ebp+arg_4]
		mov	edx, [esp+80h+var_64]

loc_691947:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+15Aj
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jz	short loc_6919BA
		mov	eax, [ebx+8]
		test	eax, eax
		jz	short loc_6919BA
		push	0		; char
		push	eax		; size_t
		lea	eax, [ecx+ebx]
		mov	ebx, [esp+88h+var_74]
		push	eax		; int
		push	edi		; int
		mov	ecx, ebx
		call	_WheapAddSectionFromGenericErrorData@24	; WheapAddSectionFromGenericErrorData(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_6919BE
		push	offset ??_C@_0BI@GGEIBMFK@Failed_Add_Unstructured@FNODOBFM@
		jmp	short loc_69197A
; 

loc_691975:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+1FFj
		push	(offset	loc_5A7093+1)

loc_69197A:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+249j
		push	20h
		pop	edx
		lea	ecx, [esp+84h+var_30]
		call	_RtlStringCchCopyA@12 ;	RtlStringCchCopyA(x,x,x)
		jmp	short loc_6919D6
; 

loc_691988:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+1DFj
		push	offset ??_C@_0BO@EOPDDLPJ@Next_Entry_Overruns_Structure@FNODOBFM@
		jmp	loc_69178A
; 

loc_691992:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+1D3j
		push	(offset	loc_5A70BD+3)
		jmp	loc_69178A
; 

loc_69199C:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+1BBj
		push	(offset	loc_5A7119+1)
		jmp	loc_69178A
; 

loc_6919A6:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+182j
		push	(offset	loc_5A70F9+1)
		jmp	loc_69178A
; 

loc_6919B0:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+174j
		push	offset ??_C@_0BN@GLMPFHPA@Overflow_Entry_Header_Offset@FNODOBFM@
		jmp	loc_69178A
; 

loc_6919BA:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+222j
					; WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+229j
		mov	ebx, [esp+80h+var_74]

loc_6919BE:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+242j
		mov	eax, [esp+80h+var_58]
		cmp	dword ptr [eax+14h], 0
		jnz	short loc_6919D4
		mov	edx, [esp+80h+var_64]
		mov	ecx, ebx
		push	edi
		call	_WheapAddRecoveryPacketToErrorRecord@12	; WheapAddRecoveryPacketToErrorRecord(x,x,x)

loc_6919D4:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+29Cj
		xor	esi, esi

loc_6919D6:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+25Cj
		test	esi, esi
		jns	short loc_691A2F

loc_6919DA:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+71j
		mov	eax, [esp+80h+var_74]
		cmp	byte ptr [eax+40h], 0
		jnz	short loc_691A2F
		and	[esp+80h+var_44], 0
		lea	eax, [esp+80h+var_50]
		push	eax
		mov	[esp+84h+var_50], 674C6857h
		mov	[esp+84h+var_4C], 1
		mov	[esp+84h+var_48], 48h
		mov	[esp+84h+var_3C], 80000015h
		mov	[esp+84h+var_40], 4C4E524Bh
		mov	[esp+84h+var_38], 2
		mov	[esp+84h+var_34], 28h
		mov	[esp+84h+var_C], esi
		call	WheaLogInternalEvent

loc_691A2F:				; CODE XREF: WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+2AEj
					; WheapCreateRecordFromGenericErrorData(x,x,x,x,x)+2B8j
		mov	ecx, [esp+80h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_WheapCreateRecordFromGenericErrorData@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapDefaultErrSrcCreateRecord(x, x, x, x, x)
_WheapDefaultErrSrcCreateRecord@20 proc	near ; DATA XREF: WheaUnconfigureErrorSource(x)+96o
					; WheapSetDefaultErrorSourceConfiguration()+1Eo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		cmp	dword ptr [edx+38h], 7
		jnz	short loc_691A64
		push	ecx
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_8]
		call	_WheapCreateRecordFromGenericErrorData@20 ; WheapCreateRecordFromGenericErrorData(x,x,x,x,x)
		jmp	short loc_691A69
; 

loc_691A64:				; CODE XREF: WheapDefaultErrSrcCreateRecord(x,x,x,x,x)+Cj
		mov	eax, 0C0000002h

loc_691A69:				; CODE XREF: WheapDefaultErrSrcCreateRecord(x,x,x,x,x)+1Dj
		pop	ebp
		retn	14h
_WheapDefaultErrSrcCreateRecord@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapGenericErrSrcRecover(x, x)
_WheapGenericErrSrcRecover@8 proc near	; DATA XREF: WheaConfigureErrorSource:loc_727B51o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:off_6B1434	; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
_WheapGenericErrSrcRecover@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2615. WheaHighIrqlLogSelEventHandlerRegister

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaHighIrqlLogSelEventHandlerRegister(x, x)
		public _WheaHighIrqlLogSelEventHandlerRegister@8
_WheaHighIrqlLogSelEventHandlerRegister@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_WheapHighIrqlLogSelHandler,	0
		push	ebx
		jnz	short loc_691AC5
		xor	ebx, ebx
		inc	ebx
		mov	cl, bl
		call	_WheapHighIrqlLogSelEventHandlerAcquireLock@4 ;	WheapHighIrqlLogSelEventHandlerAcquireLock(x)
		cmp	ds:_WheapHighIrqlLogSelHandler,	0
		jnz	short loc_691AB8
		mov	eax, [ebp+arg_0]
		mov	ds:dword_6B7358, eax
		mov	eax, [ebp+arg_4]
		mov	ds:dword_6B735C, eax
		mov	ds:_WheapHighIrqlLogSelHandler,	ebx
		jmp	short loc_691ABA
; 

loc_691AB8:				; CODE XREF: WheaHighIrqlLogSelEventHandlerRegister(x,x)+20j
		xor	bl, bl

loc_691ABA:				; CODE XREF: WheaHighIrqlLogSelEventHandlerRegister(x,x)+38j
		xor	eax, eax
		mov	ecx, offset unk_6B7354
		xchg	eax, [ecx]
		jmp	short loc_691AC7
; 

loc_691AC5:				; CODE XREF: WheaHighIrqlLogSelEventHandlerRegister(x,x)+Dj
		xor	bl, bl

loc_691AC7:				; CODE XREF: WheaHighIrqlLogSelEventHandlerRegister(x,x)+45j
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
_WheaHighIrqlLogSelEventHandlerRegister@8 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 2616. WheaHighIrqlLogSelEventHandlerUnregister

;  S U B	R O U T	I N E 


; __stdcall WheaHighIrqlLogSelEventHandlerUnregister()
		public _WheaHighIrqlLogSelEventHandlerUnregister@0
_WheaHighIrqlLogSelEventHandlerUnregister@0 proc near
		cmp	ds:_WheapHighIrqlLogSelHandler,	0
		jz	short locret_691AFB
		mov	cl, 1
		call	_WheapHighIrqlLogSelEventHandlerAcquireLock@4 ;	WheapHighIrqlLogSelEventHandlerAcquireLock(x)
		xor	eax, eax
		mov	ecx, offset unk_6B7354
		mov	ds:dword_6B7358, eax
		mov	ds:dword_6B735C, eax
		mov	ds:_WheapHighIrqlLogSelHandler,	eax
		xchg	eax, [ecx]

locret_691AFB:				; CODE XREF: WheaHighIrqlLogSelEventHandlerUnregister()+7j
		retn
_WheaHighIrqlLogSelEventHandlerUnregister@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapGenerateETWEvents(x)
_WheapGenerateETWEvents@4 proc near	; CODE XREF: WheaReportHwError(x)+31Ap
					; WheapProcessWorkQueueItem(x,x)+69p ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_50]
		push	0Ah
		xor	eax, eax
		pop	ecx
		rep stosd
		lea	ebx, [esi+14h]
		mov	eax, 0FBFBh
		mov	edi, [ebx]
		xor	ecx, ecx
		cmp	edi, eax
		jbe	short loc_691B7A
		mov	edi, eax
		mov	[ebp+var_50], 674C6857h
		mov	eax, [esi+60h]
		mov	[ebp+var_30], eax
		mov	eax, [esi+64h]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_50]
		push	eax
		mov	[ebp+var_4C], 1
		mov	[ebp+var_48], 28h
		mov	[ebp+var_44], ecx
		mov	[ebp+var_3C], 8000001Dh
		mov	[ebp+var_40], 4C4E524Bh
		mov	[ebp+var_38], 2
		mov	[ebp+var_34], 8
		call	WheaLogInternalEvent
		xor	ecx, ecx

loc_691B7A:				; CODE XREF: WheapGenerateETWEvents(x)+2Fj
		lea	eax, [ebp+var_28]
		mov	[ebp+var_28], ebx
		push	eax
		push	2
		push	ecx
		push	offset _EVENT_WHEA_ERROR
		push	ds:dword_6B9384
		mov	[ebp+var_24], ecx
		push	ds:_WheapEtwHandle
		mov	[ebp+var_20], 4
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_WheapGenerateETWEvents@4 endp


;  S U B	R O U T	I N E 


; __stdcall WheapHighIrqlLogSelEventHandlerAcquireLock(x)
_WheapHighIrqlLogSelEventHandlerAcquireLock@4 proc near
					; CODE XREF: WheaHighIrqlLogSelEventHandlerRegister(x,x)+14p
					; WheaHighIrqlLogSelEventHandlerUnregister()+Bp ...
		mov	edi, edi
		push	ebx
		push	esi
		xor	bl, bl

loc_691BC8:				; CODE XREF: WheapHighIrqlLogSelEventHandlerAcquireLock(x)+1Aj
		xor	edx, edx
		mov	esi, offset unk_6B7354
		inc	edx
		xor	eax, eax
		lock cmpxchg [esi], edx
		test	eax, eax
		jz	short loc_691BE0
		test	cl, cl
		jnz	short loc_691BC8
		jmp	short loc_691BE2
; 

loc_691BE0:				; CODE XREF: WheapHighIrqlLogSelEventHandlerAcquireLock(x)+16j
		mov	bl, 1

loc_691BE2:				; CODE XREF: WheapHighIrqlLogSelEventHandlerAcquireLock(x)+1Cj
		pop	esi
		mov	al, bl
		pop	ebx
		retn
_WheapHighIrqlLogSelEventHandlerAcquireLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapLogIpmiSELEvent(x, x, x)
_WheapLogIpmiSELEvent@12 proc near	; CODE XREF: WheaSelLogErrorPkt(x)+B3p
					; WheaSelLogEvent(x):loc_6924FEp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_WheapHighIrqlLogSelHandler,	0
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jz	short loc_691C5B
		push	ebx
		push	0FECh		; size_t
		push	0		; int
		mov	ebx, offset unk_6BA3D4
		push	ebx		; void *
		call	_memset
		lea	eax, [esi+15h]
		add	esp, 0Ch
		cmp	eax, 1000h
		jbe	short loc_691C20
		mov	esi, 0FEBh

loc_691C20:				; CODE XREF: WheapLogIpmiSELEvent(x,x,x)+32j
		push	esi		; size_t
		lea	eax, [esi+14h]
		mov	ds:_WheapSelBuffer, 5253534Fh
		mov	ds:dword_6BA3C8, eax
		mov	eax, [ebp+arg_0]
		push	edi		; void *
		push	ebx		; void *
		mov	ds:dword_6BA3C4, 1
		mov	ds:dword_6BA3CC, eax
		mov	ds:dword_6BA3D0, esi
		call	_memcpy
		add	esp, 0Ch
		call	_WheapLogIpmiSELEventHighIrql@4	; WheapLogIpmiSELEventHighIrql(x)
		pop	ebx

loc_691C5B:				; CODE XREF: WheapLogIpmiSELEvent(x,x,x)+12j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_WheapLogIpmiSELEvent@12 endp


;  S U B	R O U T	I N E 


; __stdcall WheapLogIpmiSELEventHighIrql(x)
_WheapLogIpmiSELEventHighIrql@4	proc near ; CODE XREF: WheapLogIpmiSELEvent(x,x,x)+6Ep
		cmp	ds:_WheapHighIrqlLogSelHandler,	0
		jz	short locret_691C98
		xor	cl, cl
		call	_WheapHighIrqlLogSelEventHandlerAcquireLock@4 ;	WheapHighIrqlLogSelEventHandlerAcquireLock(x)
		test	al, al
		jz	short locret_691C98
		cmp	ds:_WheapHighIrqlLogSelHandler,	0
		jz	short loc_691C8F
		push	offset _WheapSelBuffer
		push	ds:dword_6B735C
		call	ds:dword_6B7358

loc_691C8F:				; CODE XREF: WheapLogIpmiSELEventHighIrql(x)+1Bj
		xor	eax, eax
		mov	ecx, offset unk_6B7354
		xchg	eax, [ecx]

locret_691C98:				; CODE XREF: WheapLogIpmiSELEventHighIrql(x)+7j
					; WheapLogIpmiSELEventHighIrql(x)+12j
		retn
_WheapLogIpmiSELEventHighIrql@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapLogPageOfflineAttemptEvent(x, x, x, x,	x, x)
_WheapLogPageOfflineAttemptEvent@24 proc near
					; CODE XREF: WheapAttemptPhysicalPageOffline(x,x,x,x,x,x)+13Fp

var_58		= byte ptr -58h
var_57		= byte ptr -57h
var_56		= byte ptr -56h
var_55		= dword	ptr -55h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		test	cl, cl
		mov	[ebp+var_4C], 8
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_55+1],	eax
		setnz	byte ptr [ebp+var_55]
		cmp	[ebp+arg_C], 0
		lea	eax, [ebp+var_55]
		mov	[ebp+var_44], eax
		lea	eax, [ebp-56h]
		setnz	[ebp+var_56]
		mov	[ebp+var_34], eax
		test	dl, dl
		lea	eax, [ebp-57h]
		mov	[ebp+var_24], eax
		lea	eax, [ebp-58h]
		setnz	[ebp+var_57]
		mov	[ebp+var_14], eax
		cmp	[ebp+arg_8], 0
		lea	eax, [ebp+var_55+1]
		push	eax
		setnz	[ebp+var_58]
		xor	edx, edx
		push	5
		push	edx
		push	offset _EVENT_WHEA_MEMORY_OFFLINE
		push	ds:dword_6B9384
		xor	ecx, ecx
		mov	[ebp+var_50], edx
		push	ds:_WheapEtwHandle
		inc	ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_WheapLogPageOfflineAttemptEvent@24 endp


;  S U B	R O U T	I N E 


; __stdcall WheapWorkQueueAddItem(x, x)
_WheapWorkQueueAddItem@8 proc near	; CODE XREF: WheapReportBootError(x)+86p
					; WheapReportPersistedErrorRecord(x)+84p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		lea	eax, [esi+8]
		push	eax
		call	@ExfInterlockedInsertTailList@12 ; ExfInterlockedInsertTailList(x,x,x)
		xor	eax, eax
		inc	eax
		lock xadd [esi+0Ch], eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_691D88
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	short loc_691D79
		push	1
		lea	eax, [esi+30h]
		push	eax
		call	ExQueueWorkItem
		pop	esi
		retn
; 

loc_691D79:				; CODE XREF: WheapWorkQueueAddItem(x,x)+24j
		xor	eax, eax
		lea	ecx, [esi+10h]
		push	eax
		push	eax
		push	eax
		xor	edx, edx
		call	KiInsertQueueDpc

loc_691D88:				; CODE XREF: WheapWorkQueueAddItem(x,x)+1Aj
		pop	esi
		retn
_WheapWorkQueueAddItem@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapWorkQueueDpcRoutine(x,	x, x, x)
_WheapWorkQueueDpcRoutine@16 proc near	; DATA XREF: WheapInitializeWorkQueue(x,x)+29o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	1
		add	eax, 30h
		push	eax
		call	ExQueueWorkItem
		pop	ebp
		retn	10h
_WheapWorkQueueDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapWorkQueueWorkerRoutine(x)
_WheapWorkQueueWorkerRoutine@4 proc near ; DATA	XREF: WheapInitializeWorkQueue(x,x)+45o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	ebx, [esi+0Ch]

loc_691DAF:				; CODE XREF: WheapWorkQueueWorkerRoutine(x)+25j
		lea	edx, [esi+8]
		mov	ecx, esi
		call	@ExfInterlockedRemoveHeadList@8	; ExfInterlockedRemoveHeadList(x,x)
		push	eax
		push	esi
		call	dword ptr [esi+40h]
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		dec	eax
		jnz	short loc_691DAF
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_WheapWorkQueueWorkerRoutine@4 endp


;  S U B	R O U T	I N E 


; __stdcall WheaWmiInit()
_WheaWmiInit@0	proc near		; CODE XREF: INIT:00AC455Ep
		mov	edi, edi
		push	ecx
		push	80000001h
		push	offset _WheapDispatchPtr
		mov	ds:_WheapDispatchPtr, offset WheaWmiDispatch
		call	IoWMIRegistrationControl
		pop	ecx
		retn
_WheaWmiInit@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapWmiExecuteErrorInjectionMethod(x, x, x, x, x)
_WheapWmiExecuteErrorInjectionMethod@20	proc near
					; CODE XREF: WheapWmiExecuteMethod(x,x,x,x)+75p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		sub	ecx, 1
		jz	loc_691E91
		sub	ecx, 1
		jz	short loc_691E14
		xor	edi, edi
		mov	esi, 0C0000297h
		jmp	loc_691EC9
; 

loc_691E14:				; CODE XREF: WheapWmiExecuteErrorInjectionMethod(x,x,x,x,x)+19j
		cmp	[ebp+arg_4], 24h
		jnb	short loc_691E26
		mov	esi, 0C000000Dh
		xor	edi, edi
		jmp	loc_691EC9
; 

loc_691E26:				; CODE XREF: WheapWmiExecuteErrorInjectionMethod(x,x,x,x,x)+2Bj
		mov	eax, [ebp+arg_0]
		push	8
		pop	edi
		push	4
		mov	ecx, [eax]
		add	eax, 8
		mov	[ebp+var_10], ecx
		mov	ecx, [eax]
		mov	[ebp+var_C], ecx
		mov	ecx, [eax+4]
		add	eax, edi
		mov	[ebp+var_8], ecx
		mov	ecx, [eax]
		mov	[ebp+var_4], ecx
		mov	ecx, [eax+4]
		add	eax, edi
		pop	edi
		mov	[ebp+arg_4], ecx
		cmp	ebx, edi
		jb	short loc_691EA7
		mov	ecx, [eax+0Ch]
		mov	esi, [eax+8]
		mov	edx, [eax]
		mov	eax, [eax+4]
		push	ecx
		push	esi
		push	eax
		push	edx
		push	[ebp+arg_4]
		push	[ebp+var_4]
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	[ebp+var_10]
		call	ds:__imp__PshedInjectError@36 ;	PshedInjectError(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_691E83
		xor	eax, eax
		jmp	short loc_691E8A
; 

loc_691E83:				; CODE XREF: WheapWmiExecuteErrorInjectionMethod(x,x,x,x,x)+90j
		mov	esi, 0C0000001h
		mov	eax, esi

loc_691E8A:				; CODE XREF: WheapWmiExecuteErrorInjectionMethod(x,x,x,x,x)+94j
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		jmp	short loc_691EC9
; 

loc_691E91:				; CODE XREF: WheapWmiExecuteErrorInjectionMethod(x,x,x,x,x)+10j
		lea	eax, [ebp+arg_4]
		xor	esi, esi
		push	eax
		mov	[ebp+arg_4], esi
		call	ds:__imp__PshedGetInjectionCapabilities@4 ; PshedGetInjectionCapabilities(x)
		push	8
		pop	edi
		cmp	ebx, edi
		jnb	short loc_691EAE

loc_691EA7:				; CODE XREF: WheapWmiExecuteErrorInjectionMethod(x,x,x,x,x)+66j
		mov	esi, 0C0000023h
		jmp	short loc_691EC9
; 

loc_691EAE:				; CODE XREF: WheapWmiExecuteErrorInjectionMethod(x,x,x,x,x)+B8j
		test	eax, eax
		js	short loc_691EBF
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	[ecx], esi
		mov	[ecx+4], eax
		jmp	short loc_691EC9
; 

loc_691EBF:				; CODE XREF: WheapWmiExecuteErrorInjectionMethod(x,x,x,x,x)+C3j
		mov	eax, [ebp+arg_0]
		mov	esi, 0C0000001h
		mov	[eax], esi

loc_691EC9:				; CODE XREF: WheapWmiExecuteErrorInjectionMethod(x,x,x,x,x)+22j
					; WheapWmiExecuteErrorInjectionMethod(x,x,x,x,x)+34j ...
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_WheapWmiExecuteErrorInjectionMethod@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapWmiExecuteErrorSourceMethod(x,	x, x, x, x)
_WheapWmiExecuteErrorSourceMethod@20 proc near
					; CODE XREF: WheapWmiExecuteMethod(x,x,x,x)+49p

var_3E8		= dword	ptr -3E8h
var_3E4		= dword	ptr -3E4h
var_3E0		= dword	ptr -3E0h
var_3DC		= dword	ptr -3DCh
var_3D8		= dword	ptr -3D8h
var_3D4		= dword	ptr -3D4h
var_3D0		= dword	ptr -3D0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3E8h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_3E8], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_3D8], edi
		sub	ecx, 1
		jz	loc_692079
		sub	ecx, 1
		jz	loc_692016
		sub	ecx, 1
		jz	loc_691FC3
		sub	ecx, 1
		jz	short loc_691F77
		sub	ecx, 1
		jz	short loc_691F32
		mov	ebx, 0C0000297h
		xor	eax, eax
		jmp	loc_692131
; 

loc_691F32:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+4Dj
		xor	ebx, ebx
		cmp	[ebp+arg_4], 4
		mov	eax, ebx
		jb	loc_692028
		push	4
		pop	eax
		mov	[ebp+var_3D4], eax
		cmp	edx, eax
		jb	loc_69209E
		mov	edx, [edi]
		mov	ecx, offset _WheapErrorSourceTable
		call	_WheapGetErrorSource@8 ; WheapGetErrorSource(x,x)
		test	eax, eax
		jz	loc_692051
		cmp	dword ptr [eax+5Ch], 1
		jz	short loc_691FBC
		add	eax, 50h
		push	eax
		call	ds:__imp__PshedDisableErrorSource@4 ; PshedDisableErrorSource(x)
		jmp	short loc_691FBA
; 

loc_691F77:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+48j
		xor	ebx, ebx
		cmp	[ebp+arg_4], 4
		mov	eax, ebx
		jb	loc_692028
		push	4
		pop	eax
		mov	[ebp+var_3D4], eax
		cmp	edx, eax
		jb	loc_69209E
		mov	edx, [edi]
		mov	ecx, offset _WheapErrorSourceTable
		call	_WheapGetErrorSource@8 ; WheapGetErrorSource(x,x)
		test	eax, eax
		jz	loc_692051
		cmp	dword ptr [eax+5Ch], 2
		jz	short loc_691FBC
		add	eax, 50h
		push	eax
		call	ds:__imp__PshedEnableErrorSource@4 ; PshedEnableErrorSource(x)

loc_691FBA:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+9Ej
		mov	ebx, eax

loc_691FBC:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+92j
					; WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+D7j
		mov	[edi], ebx
		jmp	loc_692056
; 

loc_691FC3:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+3Fj
		xor	ebx, ebx
		cmp	[ebp+arg_4], 3D0h
		mov	eax, ebx
		jb	short loc_692028
		push	4
		pop	eax
		mov	[ebp+var_3D4], eax
		cmp	edx, eax
		jb	loc_69209E
		cmp	dword ptr [edi], 3CCh
		jz	short loc_691FED
		mov	eax, ebx
		jmp	short loc_692028
; 

loc_691FED:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+110j
		lea	esi, [edi+4]
		mov	ecx, 0F3h
		lea	eax, [ebp+var_3D0]
		lea	edi, [ebp+var_3D0]
		rep movsd
		push	eax
		call	ds:__imp__PshedSetErrorSourceInfo@4 ; PshedSetErrorSourceInfo(x)
		mov	ebx, eax
		mov	eax, [ebp+var_3D8]
		mov	[eax], ebx
		jmp	short loc_692056
; 

loc_692016:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+36j
		xor	ebx, ebx
		mov	eax, ebx
		cmp	ds:dword_6F9ACC, eax
		jz	short loc_692087
		cmp	[ebp+arg_4], 4
		jnb	short loc_692032

loc_692028:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+63j
					; WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+A8j ...
		mov	ebx, 0C000000Dh
		jmp	loc_692131
; 

loc_692032:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+14Fj
		mov	eax, 3D4h
		mov	[ebp+var_3D4], eax
		cmp	edx, eax
		jb	short loc_69209E
		mov	edx, [edi]
		mov	ecx, offset _WheapErrorSourceTable
		call	_WheapGetErrorSource@8 ; WheapGetErrorSource(x,x)
		test	eax, eax
		jnz	short loc_692061

loc_692051:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+88j
					; WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+CDj
		mov	ebx, 0C0000225h

loc_692056:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+E7j
					; WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+13Dj ...
		mov	eax, [ebp+var_3D4]
		jmp	loc_692131
; 

loc_692061:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+178j
		mov	[edi], ebx
		lea	esi, [eax+50h]
		mov	dword ptr [edi+4], 3CCh
		mov	ecx, 0F3h
		add	edi, 8
		rep movsd
		jmp	short loc_692056
; 

loc_692079:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+2Dj
		mov	ecx, ds:dword_6F9ACC
		xor	ebx, ebx
		mov	eax, ebx
		test	ecx, ecx
		jnz	short loc_692091

loc_692087:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+149j
		mov	ebx, 0C0000225h
		jmp	loc_692131
; 

loc_692091:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+1AEj
		imul	eax, ecx, 3CCh
		add	eax, 0Ch
		cmp	eax, edx
		jbe	short loc_6920A8

loc_69209E:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+74j
					; WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+B9j ...
		mov	ebx, 0C0000023h
		jmp	loc_692131
; 

loc_6920A8:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+1C5j
		mov	[edi], ebx
		mov	esi, ebx
		mov	ecx, ds:dword_6F9AD4
		add	edi, 4
		mov	[ebp+var_3E0], edi
		mov	edx, ebx
		add	edi, 4
		mov	[ebp+var_3DC], esi
		mov	[ebp+var_3E4], edi
		add	edi, 4
		mov	[ebp+var_3D4], ecx
		cmp	ecx, offset dword_6F9AD4
		jz	short loc_692121
		mov	ebx, edi

loc_6920DF:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+246j
		cmp	edx, ds:dword_6F9ACC
		jnb	short loc_69211F
		lea	esi, [ecx+50h]
		mov	edi, ebx
		mov	ecx, 0F3h
		rep movsd
		mov	ecx, [ebp+var_3D4]
		mov	edi, 3CCh
		mov	esi, [ebp+var_3DC]
		add	ebx, edi
		add	esi, edi
		inc	edx
		mov	[ebp+var_3DC], esi
		mov	ecx, [ecx]
		mov	[ebp+var_3D4], ecx
		cmp	ecx, offset dword_6F9AD4
		jnz	short loc_6920DF

loc_69211F:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+20Ej
		xor	ebx, ebx

loc_692121:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+204j
		mov	ecx, [ebp+var_3E0]
		mov	[ecx], edx
		mov	ecx, [ebp+var_3E4]
		mov	[ecx], esi

loc_692131:				; CODE XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+56j
					; WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+156j ...
		mov	ecx, [ebp+var_3E8]
		pop	edi
		pop	esi
		mov	[ecx], eax
		mov	eax, ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_WheapWmiExecuteErrorSourceMethod@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall WheapWmiExecuteMethod(void *,int,int,int)
_WheapWmiExecuteMethod@16 proc near	; CODE XREF: WheaWmiDispatch+7E2FEp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		push	10h		; size_t
		push	ecx		; void *
		mov	eax, [esi+3Ch]
		xor	edi, edi
		mov	[ebp+var_C], ebx
		sub	ebx, eax
		push	offset _WHEAErrorSourceMethods_GUID ; void *
		mov	[ebp+var_8], ecx
		lea	edx, [eax+esi]
		mov	[ebp+arg_0], edi
		mov	[ebp+var_4], edx
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_69219C
		mov	ecx, [esi+38h]
		lea	eax, [ebp+arg_0]
		push	eax
		push	dword ptr [esi+40h]
		mov	edx, ebx
		push	[ebp+var_4]
		call	_WheapWmiExecuteErrorSourceMethod@20 ; WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)
		jmp	short loc_6921F2
; 

loc_69219C:				; CODE XREF: WheapWmiExecuteMethod(x,x,x,x)+38j
		push	10h		; size_t
		push	[ebp+var_8]	; void *
		push	offset _WHEAErrorInjectionMethods_GUID ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_6921C8
		mov	ecx, [esi+38h]
		lea	eax, [ebp+arg_0]
		push	eax
		push	dword ptr [esi+40h]
		mov	edx, ebx
		push	[ebp+var_4]
		call	_WheapWmiExecuteErrorInjectionMethod@20	; WheapWmiExecuteErrorInjectionMethod(x,x,x,x,x)
		jmp	short loc_6921F2
; 

loc_6921C8:				; CODE XREF: WheapWmiExecuteMethod(x,x,x,x)+64j
		push	10h		; size_t
		push	[ebp+var_8]	; void *
		push	offset _WHEAPolicyManagementMethods_GUID ; void	*
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_69222C
		mov	ecx, [esi+38h]
		lea	eax, [ebp+arg_0]
		push	eax
		push	dword ptr [esi+40h]
		mov	edx, ebx
		push	[ebp+var_4]
		call	_WheapWmiExecutePolicyManagementMethod@20 ; WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)

loc_6921F2:				; CODE XREF: WheapWmiExecuteMethod(x,x,x,x)+4Ej
					; WheapWmiExecuteMethod(x,x,x,x)+7Aj
		mov	edi, [esi+3Ch]
		mov	ecx, eax
		mov	eax, [ebp+arg_0]
		mov	edx, 0C0000023h
		add	edi, eax
		cmp	ecx, edx
		jnz	short loc_692225
		push	38h
		pop	eax
		cmp	[ebp+var_C], eax
		jb	short loc_69221F
		mov	[esi+30h], edi
		xor	ecx, ecx
		mov	[esi], eax
		mov	edi, eax
		mov	dword ptr [esi+2Ch], 20h
		jmp	short loc_692231
; 

loc_69221F:				; CODE XREF: WheapWmiExecuteMethod(x,x,x,x)+BFj
		mov	ecx, edx
		xor	edi, edi
		jmp	short loc_692231
; 

loc_692225:				; CODE XREF: WheapWmiExecuteMethod(x,x,x,x)+B7j
		mov	[esi], edi
		mov	[esi+40h], eax
		jmp	short loc_692231
; 

loc_69222C:				; CODE XREF: WheapWmiExecuteMethod(x,x,x,x)+90j
		mov	ecx, 0C0000010h

loc_692231:				; CODE XREF: WheapWmiExecuteMethod(x,x,x,x)+D1j
					; WheapWmiExecuteMethod(x,x,x,x)+D7j ...
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		mov	eax, ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_WheapWmiExecuteMethod@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapWmiExecutePolicyManagementMethod(x, x,	x, x, x)
_WheapWmiExecutePolicyManagementMethod@20 proc near
					; CODE XREF: WheapWmiExecuteMethod(x,x,x,x)+A1p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		push	edi
		mov	edi, esi
		sub	ecx, 1
		jz	loc_6922E3
		sub	ecx, 1
		jz	short loc_6922B2
		sub	ecx, 1
		jz	short loc_69228C
		sub	ecx, 1
		jz	short loc_692274
		mov	edx, 0C0000297h
		jmp	loc_692318
; 

loc_692274:				; CODE XREF: WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+29j
		push	4
		pop	edi
		cmp	edx, edi
		jb	short loc_6922F1
		call	_WheapCommitPolicy@0 ; WheapCommitPolicy()
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		mov	[ecx], edx
		jmp	loc_692318
; 

loc_69228C:				; CODE XREF: WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+24j
		cmp	[ebp+arg_4], 8
		jb	short loc_6922B8
		mov	esi, [ebp+arg_0]
		push	4
		pop	edi
		mov	eax, [esi+4]
		mov	ecx, [esi]
		mov	[ebp+var_4], eax
		cmp	edx, edi
		jb	short loc_6922F1
		lea	edx, [ebp+var_4]
		call	_WheapSetPolicyValue@8 ; WheapSetPolicyValue(x,x)
		mov	edx, eax
		mov	[esi], edx
		jmp	short loc_692318
; 

loc_6922B2:				; CODE XREF: WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+1Fj
		cmp	[ebp+arg_4], 4
		jnb	short loc_6922BF

loc_6922B8:				; CODE XREF: WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+51j
		mov	edx, 0C000000Dh
		jmp	short loc_692318
; 

loc_6922BF:				; CODE XREF: WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+77j
		push	8
		pop	edi
		cmp	edx, edi
		jb	short loc_6922F1
		mov	esi, [ebp+arg_0]
		lea	edx, [ebp+var_4]
		mov	ecx, [esi]
		call	_WheapGetPolicyValue@8 ; WheapGetPolicyValue(x,x)
		mov	edx, eax
		mov	[esi], edx
		test	edx, edx
		jnz	short loc_692318
		mov	eax, [ebp+var_4]
		mov	[esi+4], eax
		jmp	short loc_692318
; 

loc_6922E3:				; CODE XREF: WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+16j
		call	_WheapGetAllPolicyBufferSize@0 ; WheapGetAllPolicyBufferSize()
		mov	ecx, eax
		lea	edi, [ecx+0Ch]
		cmp	edx, edi
		jnb	short loc_6922F8

loc_6922F1:				; CODE XREF: WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+3Aj
					; WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+63j	...
		mov	edx, 0C0000023h
		jmp	short loc_692318
; 

loc_6922F8:				; CODE XREF: WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+B0j
		mov	eax, [ebp+arg_0]
		mov	edx, ecx
		mov	[eax], esi
		lea	esi, [eax+4]
		mov	[eax+8], ecx
		add	eax, 0Ch
		push	eax
		lea	ecx, [ebp+var_8]
		call	_WheapGetAllPolicyValues@12 ; WheapGetAllPolicyValues(x,x,x)
		mov	edx, eax
		mov	eax, [ebp+var_8]
		mov	[esi], eax

loc_692318:				; CODE XREF: WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+30j
					; WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+48j	...
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		mov	eax, edx
		pop	edi
		pop	esi
		leave
		retn	0Ch
_WheapWmiExecutePolicyManagementMethod@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WheapWmiGetAllData proc	near		; CODE XREF: WheaWmiDispatch+7E324p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		push	48h
		pop	eax
		mov	edi, eax
		cmp	edx, eax
		jnb	short loc_692354
		push	38h
		pop	edi
		cmp	edx, edi
		jb	short loc_69234B
		mov	dword ptr [esi+2Ch], 20h
		jmp	short loc_692370
; 

loc_69234B:				; CODE XREF: WheapWmiGetAllData+1Bj
		mov	ebx, 0C0000023h
		xor	edi, edi
		jmp	short loc_692373
; 

loc_692354:				; CODE XREF: WheapWmiGetAllData+14j
		mov	[esi], eax
		lea	eax, [esi+10h]
		push	eax
		call	KeQuerySystemTime
		or	dword ptr [esi+2Ch], 10h
		push	48h
		mov	dword ptr [esi+34h], 1
		mov	[esi+3Ch], ebx
		pop	eax

loc_692370:				; CODE XREF: WheapWmiGetAllData+24j
		mov	[esi+30h], eax

loc_692373:				; CODE XREF: WheapWmiGetAllData+2Dj
		mov	ecx, [ebp+arg_4]
		mov	eax, ebx
		mov	[ecx], edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
WheapWmiGetAllData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WheapWmiGetSingleInstance proc near	; CODE XREF: WheaWmiDispatch+7E311p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		push	66h
		pop	edi
		cmp	edx, edi
		jnb	short loc_6923AE
		cmp	edx, 38h
		jb	short loc_6923A5
		mov	eax, [ebp+arg_0]
		push	38h
		mov	[eax+30h], edi
		mov	dword ptr [eax+2Ch], 20h
		pop	edi
		jmp	short loc_6923CC
; 

loc_6923A5:				; CODE XREF: WheapWmiGetSingleInstance+10j
		mov	eax, 0C0000023h
		xor	edi, edi
		jmp	short loc_6923CE
; 

loc_6923AE:				; CODE XREF: WheapWmiGetSingleInstance+Bj
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esi+10h]
		mov	[esi], edi
		push	eax
		call	KeQuerySystemTime
		mov	dword ptr [esi+3Ch], 26h
		mov	dword ptr [esi+38h], 40h
		pop	esi

loc_6923CC:				; CODE XREF: WheapWmiGetSingleInstance+22j
		xor	eax, eax

loc_6923CE:				; CODE XREF: WheapWmiGetSingleInstance+2Bj
		mov	ecx, [ebp+arg_4]
		mov	[ecx], edi
		pop	edi
		pop	ebp
		retn	8
WheapWmiGetSingleInstance endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaSelLogErrorPkt(x)
_WheaSelLogErrorPkt@4 proc near		; CODE XREF: WheaSelLogEvent(x)+79j

var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	edx, [ecx+20h]
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		stosd
		mov	ecx, [edx+40h]
		add	ecx, edx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		stosd
		stosd
		mov	eax, [edx+38h]
		sub	eax, 1
		jz	short loc_69246F
		dec	eax
		sub	eax, 1
		jz	short loc_692455
		push	0Ch
		sub	eax, 1
		jz	short loc_692445
		mov	eax, [edx+1Ch]
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_10], eax
		mov	eax, [edx+14h]
		mov	[ebp+var_C], eax
		mov	eax, [edx+0Ch]
		pop	edx
		mov	[ebp+var_8], eax
		push	5
		jmp	short loc_692489
; 

loc_692445:				; CODE XREF: WheaSelLogErrorPkt(x)+51j
		mov	esi, ecx
		lea	edi, [ebp+var_28]
		pop	edx
		lea	ecx, [ebp+var_28]
		push	4
		movsd
		movsd
		movsd
		jmp	short loc_692489
; 

loc_692455:				; CODE XREF: WheaSelLogErrorPkt(x)+4Aj
		mov	eax, [ecx+8]
		lea	esi, [ecx+18h]
		lea	edi, [ebp+var_3C]
		movsd
		lea	ecx, [ebp+var_3C]
		push	14h
		pop	edx
		push	3
		movsd
		movsd
		movsd
		mov	[ebp+var_2C], eax
		jmp	short loc_692489
; 

loc_69246F:				; CODE XREF: WheaSelLogErrorPkt(x)+44j
		mov	eax, [ecx+28h]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+2Ch]
		push	0Ch
		mov	[ebp+var_18], eax
		mov	eax, [ecx+24h]
		lea	ecx, [ebp+var_1C]
		pop	edx
		mov	[ebp+var_14], eax
		push	2

loc_692489:				; CODE XREF: WheaSelLogErrorPkt(x)+6Bj
					; WheaSelLogErrorPkt(x)+7Bj ...
		pop	eax
		push	eax
		call	_WheapLogIpmiSELEvent@12 ; WheapLogIpmiSELEvent(x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_WheaSelLogErrorPkt@4 endp


;  S U B	R O U T	I N E 


; __stdcall WheaSelLogEvent(x)
_WheaSelLogEvent@4 proc	near		; CODE XREF: WheaLogInternalEvent+10Ap
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+18h]
		test	cl, 10h
		jz	short loc_6924D8
		test	cl, 20h
		jz	short loc_6924B5
		push	6
		pop	eax
		jmp	short loc_6924C8
; 

loc_6924B5:				; CODE XREF: WheaSelLogEvent(x)+10j
		mov	eax, [esi+10h]
		shl	eax, 10h
		test	cl, 40h
		jz	short loc_6924C5
		or	eax, 7
		jmp	short loc_6924C8
; 

loc_6924C5:				; CODE XREF: WheaSelLogEvent(x)+20j
		or	eax, 1

loc_6924C8:				; CODE XREF: WheaSelLogEvent(x)+15j
					; WheaSelLogEvent(x)+25j
		mov	edx, [esi+1Ch]
		lea	ecx, [esi+20h]
		mov	dword ptr [esi+10h], 4C4E524Bh
		push	eax
		jmp	short loc_6924FE
; 

loc_6924D8:				; CODE XREF: WheaSelLogEvent(x)+Bj
		mov	eax, [esi+14h]
		cmp	eax, 80000005h
		jz	short loc_692514
		mov	edx, [esi+1Ch]
		cmp	eax, 8000002Ah
		jz	short loc_692505
		add	edx, 20h
		mov	ecx, esi
		cmp	eax, 8000002Fh
		jz	short loc_6924FC
		push	0
		jmp	short loc_6924FE
; 

loc_6924FC:				; CODE XREF: WheaSelLogEvent(x)+58j
		push	9

loc_6924FE:				; CODE XREF: WheaSelLogEvent(x)+38j
					; WheaSelLogEvent(x)+5Cj ...
		call	_WheapLogIpmiSELEvent@12 ; WheapLogIpmiSELEvent(x,x,x)
		pop	esi
		retn
; 

loc_692505:				; CODE XREF: WheaSelLogEvent(x)+4Cj
		mov	eax, [esi+10h]
		lea	ecx, [esi+20h]
		shl	eax, 10h
		or	eax, 8
		push	eax
		jmp	short loc_6924FE
; 

loc_692514:				; CODE XREF: WheaSelLogEvent(x)+42j
		mov	ecx, esi
		pop	esi
		jmp	_WheaSelLogErrorPkt@4 ;	WheaSelLogErrorPkt(x)
_WheaSelLogEvent@4 endp


;  S U B	R O U T	I N E 


; int __fastcall DownLevelGetParentLanguageName(void *,int,int,int)
_DownLevelGetParentLanguageName@16 proc	near ; CODE XREF: LdrpGetParentLangId+8FBBAp
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		test	ecx, ecx
		jz	short loc_692591
		test	esi, esi
		jz	short loc_692591
		push	offset ?CompareLangName@@YAHPBX0@Z ; int __cdecl (*)(const void	*,const	void *)
		push	4		; size_t
		push	1B4h		; size_t
		mov	edi, (offset loc_401BEF+1)
		push	edi		; void *
		push	ecx		; void *
		call	_bsearch
		add	esp, 14h
		test	eax, eax
		jz	short loc_692591
		sub	eax, edi
		sar	eax, 2
		movsx	eax, word ptr ds:(loc_418C0F+1)[eax*2]
		imul	eax, 0Ch
		imul	eax, ds:dword_4022C8[eax], 0Ch
		mov	edx, ds:off_4022C0[eax]
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_69256B:				; CODE XREF: DownLevelGetParentLanguageName(x,x,x,x)+58j
		mov	ax, [ecx]
		add	ecx, 2
		test	ax, ax
		jnz	short loc_69256B
		sub	ecx, edi
		sar	ecx, 1
		lea	edi, [ecx+1]
		mov	ecx, esi
		push	edi
		push	edx
		push	55h
		pop	edx
		call	StringCchCopyNW
		test	eax, eax
		js	short loc_692591
		mov	eax, edi
		jmp	short loc_692593
; 

loc_692591:				; CODE XREF: DownLevelGetParentLanguageName(x,x,x,x)+8j
					; DownLevelGetParentLanguageName(x,x,x,x)+Cj ...
		xor	eax, eax

loc_692593:				; CODE XREF: DownLevelGetParentLanguageName(x,x,x,x)+73j
		pop	edi
		pop	esi
		retn	8
_DownLevelGetParentLanguageName@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ApiSetValidateSchemaFormat(x, x)
_ApiSetValidateSchemaFormat@8 proc near	; CODE XREF: ApiSetComposeSchema(x,x,x,x)+5Fp
					; ApiSetComposeSchema(x,x,x,x)+73p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		cmp	dword ptr [esi], 4
		ja	short loc_6925BE
		mov	eax, 0C00000BBh
		jmp	loc_6927CE
; 

loc_6925BE:				; CODE XREF: ApiSetValidateSchemaFormat(x,x)+1Aj
		push	edi
		cmp	edx, 1Ch
		jb	loc_6927C8
		mov	edi, [esi+4]
		cmp	edi, edx
		ja	loc_6927C8
		mov	ebx, [esi+0Ch]
		mov	eax, ebx
		push	18h
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_20], ebx
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_6927CD
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	1Ch
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_6927CD
		cmp	[ebp+var_8], edi
		ja	loc_6927C8
		and	[ebp+var_1C], 0
		test	ebx, ebx
		jz	loc_692795
		lea	ebx, [esi+0Ch]
		add	ebx, [esi+10h]

loc_692624:				; CODE XREF: ApiSetValidateSchemaFormat(x,x)+1F4j
		mov	edx, [ebx-4]
		cmp	edx, 0FFFFh
		ja	loc_6927C8
		cmp	dword ptr [ebx], 0FFFFh
		ja	loc_6927C8
		mov	eax, [ebx-8]
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	short loc_692652
		cmp	eax, [ebp+var_8]
		jb	loc_6927C8

loc_692652:				; CODE XREF: ApiSetValidateSchemaFormat(x,x)+AFj
		lea	ecx, [ebp+var_C]
		push	ecx
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_6927CD
		cmp	[ebp+var_C], edi
		ja	loc_6927C8
		mov	ax, [ebx]
		mov	ecx, esi
		mov	edx, [ebp+var_18]
		shr	ax, 1
		movzx	eax, ax
		push	eax
		lea	edx, [edx+esi]
		call	ApiSetpSearchForApiSet
		lea	ecx, [ebx-0Ch]
		cmp	eax, ecx
		jnz	loc_6927C8
		mov	eax, [ebx+4]
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_6926A3
		cmp	eax, [ebp+var_8]
		jb	loc_6927C8

loc_6926A3:				; CODE XREF: ApiSetValidateSchemaFormat(x,x)+100j
		mov	eax, [ebx+8]
		push	14h
		pop	ecx
		mov	[ebp+var_18], eax
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_6927CD
		mov	edx, [ebp+var_4]
		mov	eax, ecx
		mov	ecx, [ebp+var_10]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_6927CD
		cmp	[ebp+var_4], edi
		ja	loc_6927C8
		and	[ebp+var_14], 0
		cmp	[ebp+var_18], 0
		jbe	loc_69277F
		mov	eax, [ebp+var_10]
		add	eax, 10h
		add	eax, esi
		mov	[ebp+var_10], eax

loc_6926F8:				; CODE XREF: ApiSetValidateSchemaFormat(x,x)+1E1j
		mov	edx, [eax-8]
		cmp	edx, 0FFFFh
		ja	loc_6927C8
		mov	ecx, [eax]
		mov	[ebp+var_24], ecx
		cmp	ecx, 0FFFFh
		ja	loc_6927C8
		mov	ecx, [eax-0Ch]
		test	ecx, ecx
		jz	short loc_692728
		cmp	ecx, [ebp+var_8]
		jb	loc_6927C8

loc_692728:				; CODE XREF: ApiSetValidateSchemaFormat(x,x)+185j
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_6927CD
		cmp	[ebp+var_C], edi
		ja	loc_6927C8
		mov	eax, [ebp+var_10]
		mov	ecx, [eax-4]
		test	ecx, ecx
		jz	short loc_692751
		cmp	ecx, [ebp+var_8]
		jb	short loc_6927C8

loc_692751:				; CODE XREF: ApiSetValidateSchemaFormat(x,x)+1B2j
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_6927CD
		cmp	[ebp+var_C], edi
		ja	short loc_6927C8
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_10]
		inc	ecx
		add	eax, 14h
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], eax
		cmp	ecx, [ebp+var_18]
		jb	loc_6926F8

loc_69277F:				; CODE XREF: ApiSetValidateSchemaFormat(x,x)+14Fj
		mov	ecx, [ebp+var_1C]
		add	ebx, 18h
		inc	ecx
		mov	[ebp+var_1C], ecx
		cmp	ecx, [ebp+var_20]
		jb	loc_692624
		mov	ebx, [ebp+var_20]

loc_692795:				; CODE XREF: ApiSetValidateSchemaFormat(x,x)+80j
		push	8
		pop	ecx
		mov	eax, ebx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_6927CD
		mov	edx, [ebp+var_4]
		mov	eax, ecx
		mov	ecx, [esi+14h]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_6927CD
		cmp	edi, [ebp+var_4]
		sbb	eax, eax
		and	eax, 0C00000E4h
		jmp	short loc_6927CD
; 

loc_6927C8:				; CODE XREF: ApiSetValidateSchemaFormat(x,x)+2Aj
					; ApiSetValidateSchemaFormat(x,x)+35j ...
		mov	eax, 0C00000E4h

loc_6927CD:				; CODE XREF: ApiSetValidateSchemaFormat(x,x)+54j
					; ApiSetValidateSchemaFormat(x,x)+6Bj ...
		pop	edi

loc_6927CE:				; CODE XREF: ApiSetValidateSchemaFormat(x,x)+21j
		pop	esi
		pop	ebx
		leave
		retn
_ApiSetValidateSchemaFormat@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ApiSetpSearchForApiSetHost(x, x, x,	x)
_ApiSetpSearchForApiSetHost@16 proc near ; CODE	XREF: ApiSetResolveToHost+925ACp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ecx+10h]
		mov	[ebp+var_10], edx
		mov	edx, [ebp+arg_4]
		push	ebx
		mov	[ebp+var_C], eax
		push	esi
		mov	esi, [ecx+14h]
		lea	ebx, [eax+edx]
		xor	eax, eax
		inc	eax
		dec	esi
		mov	[ebp+var_8], eax
		cmp	esi, eax
		jl	short loc_69284A
		movzx	ecx, [ebp+arg_0]
		push	edi

loc_6927FE:				; CODE XREF: ApiSetpSearchForApiSetHost(x,x,x,x)+71j
		add	eax, esi
		sar	eax, 1
		imul	edi, eax, 14h
		mov	[ebp+var_4], eax
		push	1
		add	edi, [ebp+var_C]
		add	edi, edx
		mov	eax, [edi+8]
		shr	eax, 1
		push	eax
		mov	eax, [edi+4]
		add	eax, edx
		push	eax
		push	ecx
		push	[ebp+var_10]
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		test	eax, eax
		jns	short loc_692831
		mov	esi, [ebp+var_4]
		mov	eax, [ebp+var_8]
		dec	esi
		jmp	short loc_69283A
; 

loc_692831:				; CODE XREF: ApiSetpSearchForApiSetHost(x,x,x,x)+54j
		jle	short loc_692847
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_8], eax

loc_69283A:				; CODE XREF: ApiSetpSearchForApiSetHost(x,x,x,x)+5Dj
		mov	edx, [ebp+arg_4]
		movzx	ecx, [ebp+arg_0]
		cmp	eax, esi
		jle	short loc_6927FE
		jmp	short loc_692849
; 

loc_692847:				; CODE XREF: ApiSetpSearchForApiSetHost(x,x,x,x):loc_692831j
		mov	ebx, edi

loc_692849:				; CODE XREF: ApiSetpSearchForApiSetHost(x,x,x,x)+73j
		pop	edi

loc_69284A:				; CODE XREF: ApiSetpSearchForApiSetHost(x,x,x,x)+25j
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_ApiSetpSearchForApiSetHost@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ApiSetReleaseSchema(x)
_ApiSetReleaseSchema@4 proc near	; CODE XREF: PspSiloLoadApiSets(x)+9Ep
					; ApiSetLoadSchemaWithExtensions(x,x,x)+8Bp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		call	ExFreeHeapPool
		mov	al, 1
		mov	esp, ebp
		pop	ebp
		retn
_ApiSetReleaseSchema@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ApiSetComposeSchema(x, x, x, x)
_ApiSetComposeSchema@16	proc near	; CODE XREF: ApiSetpLoadSchemaExtension+CFp

var_7E		= byte ptr -7Eh
var_7D		= byte ptr -7Dh
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		mov	eax, ecx
		mov	[esp+84h+var_2C], edx
		mov	[esp+84h+var_30], eax
		push	ebx
		push	esi
		mov	eax, [eax]
		push	edi
		mov	[esp+90h+var_70], eax
		cmp	dword ptr [eax], 5
		jb	loc_692F75
		mov	ebx, [ebp+arg_0]
		cmp	dword ptr [ebx], 5
		jb	loc_692F75
		test	byte ptr [eax+8], 1
		jnz	loc_692F6E
		xor	ecx, ecx
		cmp	[eax+0Ch], ecx
		jz	loc_692F6E
		cmp	[ebx+0Ch], ecx
		jz	loc_692F6E
		mov	edx, [eax+4]
		mov	edi, ecx
		mov	[esp+90h+var_74], ecx
		mov	ecx, eax
		call	_ApiSetValidateSchemaFormat@8 ;	ApiSetValidateSchemaFormat(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_692F30
		mov	edx, [ebx+4]
		mov	ecx, ebx
		call	_ApiSetValidateSchemaFormat@8 ;	ApiSetValidateSchemaFormat(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_692F30
		mov	eax, [ebx+0Ch]
		xor	ecx, ecx
		mov	[esp+90h+var_5C], ecx
		mov	[esp+90h+var_44], eax
		test	eax, eax
		jz	loc_692A3F
		mov	eax, [ebx+10h]
		lea	esi, [ebx+8]
		add	esi, eax
		mov	[esp+90h+var_60], esi

loc_692908:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+1D4j
		test	byte ptr [esi-8], 4
		jz	short loc_692921
		mov	eax, [esi]
		inc	[esp+90h+var_74]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	edi, eax
		jmp	loc_692A29
; 

loc_692921:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+A7j
		and	[esp+90h+var_58], 0
		xor	al, al
		mov	[esp+90h+var_7D], al
		mov	eax, [esi+0Ch]
		mov	[esp+90h+var_40], eax
		test	eax, eax
		jz	loc_692A29
		mov	eax, [esi+8]
		add	eax, 0Ch
		add	eax, ebx
		mov	[esp+90h+var_64], eax

loc_692947:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+1BAj
		mov	edx, [eax]
		mov	eax, [eax+4]
		add	edx, ebx
		lea	ecx, [edx+eax]
		cmp	eax, 1
		jbe	short loc_692970
		push	2Dh
		pop	esi

loc_692959:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+102j
		lea	ecx, [ecx-2]
		sub	eax, 2
		cmp	[ecx], si
		jz	short loc_692969
		cmp	eax, 1
		ja	short loc_692959

loc_692969:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+FDj
		mov	ebx, [ebp+arg_0]
		mov	esi, [esp+90h+var_60]

loc_692970:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+EFj
		shr	ax, 1
		movzx	ecx, ax
		test	cx, cx
		jz	loc_692AA0
		mov	eax, [esp+90h+var_64]
		push	ecx
		mov	ecx, [esp+94h+var_70]
		mov	eax, [eax-8]
		mov	[esp+94h+var_3C], eax
		call	ApiSetpSearchForApiSet
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_6929C5
		mov	eax, [esp+90h+var_64]
		inc	[esp+90h+var_74]
		mov	eax, [eax+4]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	eax, 14h
		add	edi, eax
		cmp	[esp+90h+var_7D], cl
		jnz	short loc_692A07
		mov	eax, [esi]
		add	eax, 3
		mov	[esp+90h+var_7D], 1
		and	eax, 0FFFFFFFCh
		jmp	short loc_692A05
; 

loc_6929C5:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+133j
		test	byte ptr [ecx],	1
		jnz	short loc_692A07
		cmp	[esp+90h+var_7D], 0
		jnz	short loc_6929E0
		mov	eax, [esi]
		add	eax, 3
		mov	[esp+90h+var_7D], 1
		and	eax, 0FFFFFFFCh
		add	edi, eax

loc_6929E0:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+16Aj
		mov	edx, [ecx+14h]
		test	edx, edx
		jz	loc_692A96
		mov	eax, [ecx+10h]
		add	eax, [esp+90h+var_70]
		cmp	dword ptr [eax+10h], 0
		jz	short loc_692A07
		cmp	[esp+90h+var_3C], 0
		jz	short loc_692A07
		imul	eax, edx, 14h
		add	edi, 14h

loc_692A05:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+15Ej
		add	edi, eax

loc_692A07:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+14Fj
					; ApiSetComposeSchema(x,x,x,x)+163j ...
		mov	ecx, [esp+90h+var_58]
		mov	eax, [esp+90h+var_64]
		inc	ecx
		add	eax, 14h
		mov	[esp+90h+var_58], ecx
		mov	[esp+90h+var_64], eax
		cmp	ecx, [esp+90h+var_40]
		jb	loc_692947
		mov	ecx, [esp+90h+var_5C]

loc_692A29:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+B7j
					; ApiSetComposeSchema(x,x,x,x)+D0j
		inc	ecx
		add	esi, 18h
		mov	[esp+90h+var_5C], ecx
		mov	[esp+90h+var_60], esi
		cmp	ecx, [esp+90h+var_44]
		jb	loc_692908

loc_692A3F:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+91j
		mov	edx, [esp+90h+var_74]
		mov	eax, [esp+90h+var_70]
		imul	ecx, edx, 18h
		push	0
		mov	eax, [eax+4]
		mov	[esp+94h+var_64], ecx
		lea	ecx, [ecx+edx*8]
		add	ecx, eax
		mov	eax, large fs:20h
		add	ecx, edi
		mov	[esp+94h+var_58], ecx
		mov	edx, ecx
		xor	ecx, ecx
		mov	eax, [eax+338h]
		inc	ecx
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	68635341h
		call	ExpAllocatePoolWithTagFromNode
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_692AAA
		mov	esi, 0C0000017h
		jmp	loc_692F30
; 

loc_692A96:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+180j
		mov	esi, 0C000000Dh
		jmp	loc_692F30
; 

loc_692AA0:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+114j
		mov	esi, 0C0000482h
		jmp	loc_692F30
; 

loc_692AAA:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+225j
		mov	eax, [esp+90h+var_70]
		imul	esi, [eax+0Ch],	18h
		add	esi, [eax+10h]
		push	esi		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		mov	edx, [esp+9Ch+var_70]
		mov	ecx, [esp+9Ch+var_64]
		add	ecx, esi
		mov	eax, [edx+14h]
		sub	eax, esi
		push	eax		; size_t
		lea	edx, [eax+ecx]
		mov	eax, [esp+0A0h+var_70]
		add	eax, esi
		mov	[esp+0A0h+var_78], edx
		push	eax		; void *
		lea	eax, [ecx+ebx]
		mov	[esp+0A4h+var_7C], edx
		push	eax		; void *
		call	_memcpy
		mov	esi, [esp+0A8h+var_78]
		push	edi		; size_t
		push	0		; int
		lea	eax, [esi+ebx]
		push	eax		; void *
		call	_memset
		mov	ecx, [esp+0B4h+var_70]
		add	esi, edi
		mov	eax, [ecx+0Ch]
		shl	eax, 3
		push	eax		; size_t
		mov	eax, [ecx+14h]
		add	eax, ecx
		push	eax		; void *
		lea	eax, [esi+ebx]
		push	eax		; void *
		call	_memcpy
		mov	eax, [esp+0C0h+var_58]
		add	esp, 30h
		mov	[ebx+14h], esi
		mov	esi, [esp+90h+var_64]
		mov	[ebx+4], eax
		test	esi, esi
		jz	loc_692BDB
		xor	edx, edx
		mov	[esp+90h+var_60], edx
		cmp	[ebx+0Ch], edx
		jbe	loc_692BDB
		xor	eax, eax
		mov	[esp+90h+var_68], eax

loc_692B42:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+36Cj
		mov	ecx, [ebx+10h]
		add	ecx, eax
		add	ecx, ebx
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_692B55
		add	eax, esi
		mov	[ecx+4], eax

loc_692B55:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+2E9j
		mov	eax, [ecx+10h]
		test	eax, eax
		jz	short loc_692B61
		add	eax, esi
		mov	[ecx+10h], eax

loc_692B61:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+2F5j
		xor	eax, eax
		mov	[esp+90h+var_5C], eax
		cmp	[ecx+14h], eax
		jbe	short loc_692BBE
		xor	edi, edi

loc_692B6E:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+353j
		mov	edx, [ecx+10h]
		add	edx, edi
		add	edx, ebx
		mov	esi, [edx+4]
		test	esi, esi
		mov	[esp+90h+var_3C], esi
		mov	esi, [esp+90h+var_64]
		jz	short loc_692B91
		mov	eax, [esp+90h+var_3C]
		add	eax, esi
		mov	[edx+4], eax
		mov	eax, [esp+90h+var_5C]

loc_692B91:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+31Dj
		mov	esi, [edx+0Ch]
		test	esi, esi
		mov	[esp+90h+var_3C], esi
		mov	esi, [esp+90h+var_64]
		jz	short loc_692BAD
		mov	eax, [esp+90h+var_3C]
		add	eax, esi
		mov	[edx+0Ch], eax
		mov	eax, [esp+90h+var_5C]

loc_692BAD:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+339j
		inc	eax
		add	edi, 14h
		mov	[esp+90h+var_5C], eax
		cmp	eax, [ecx+14h]
		jb	short loc_692B6E
		mov	edx, [esp+90h+var_60]

loc_692BBE:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+305j
		mov	eax, [esp+90h+var_68]
		inc	edx
		add	eax, 18h
		mov	[esp+90h+var_60], edx
		mov	[esp+90h+var_68], eax
		cmp	edx, [ebx+0Ch]
		jb	loc_692B42
		mov	eax, [esp+90h+var_58]

loc_692BDB:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+2C2j
					; ApiSetComposeSchema(x,x,x,x)+2D1j
		mov	edx, eax
		mov	ecx, ebx
		call	_ApiSetValidateSchemaFormat@8 ;	ApiSetValidateSchemaFormat(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_692F29
		mov	edi, [ebp+arg_0]
		xor	ecx, ecx
		and	[esp+90h+var_40], ecx
		mov	[esp+90h+var_64], ecx
		cmp	[edi+0Ch], ecx
		jbe	loc_692F12
		xor	eax, eax
		mov	[esp+90h+var_3C], eax

loc_692C0A:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+6A7j
		mov	esi, [edi+10h]
		add	esi, eax
		add	esi, edi
		mov	[esp+90h+var_5C], esi
		mov	eax, [esi+8]
		mov	[esp+90h+var_68], eax
		mov	eax, [esi+4]
		add	eax, edi
		test	byte ptr [esi],	4
		mov	[esp+90h+var_4C], eax
		jz	short loc_692C90
		cmp	ecx, [esp+90h+var_74]
		jnb	loc_692F34
		mov	eax, [ebx+0Ch]
		inc	ecx
		imul	edx, eax, 18h
		push	6
		mov	[esp+94h+var_64], ecx
		pop	ecx
		add	edx, [ebx+10h]
		add	edx, ebx
		inc	eax
		mov	[ebx+0Ch], eax
		mov	edi, edx
		xor	eax, eax
		rep stosd
		mov	eax, [esi]
		mov	ecx, ebx
		mov	[edx], eax
		mov	eax, [esp+90h+var_78]
		mov	[edx+4], eax
		mov	eax, [esp+90h+var_68]
		push	eax		; int
		push	[esp+94h+var_4C] ; void	*
		mov	[edx+8], eax
		mov	[edx+0Ch], eax
		lea	edx, [esp+98h+var_7C]
		call	_AsiAddDataToSchema@16 ; AsiAddDataToSchema(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_692F29
		mov	edx, [esp+90h+var_7C]
		mov	edi, [ebp+arg_0]
		mov	[esp+90h+var_78], edx
		jmp	loc_692EF1
; 

loc_692C90:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+3C3j
		xor	edx, edx
		and	[esp+90h+var_48], edx
		mov	[esp+90h+var_60], edx
		cmp	[esi+14h], edx
		jbe	loc_692EF5
		mov	[esp+90h+var_44], edx

loc_692CA7:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+686j
		mov	ecx, [esi+10h]
		add	ecx, edx
		add	ecx, edi
		mov	[esp+90h+var_38], ecx
		mov	edx, [ecx+0Ch]
		mov	eax, [ecx+10h]
		add	edx, edi
		mov	[esp+90h+var_50], edx
		add	edx, eax
		mov	[esp+90h+var_54], eax
		cmp	eax, 1
		jbe	short loc_692CE7
		push	2Dh
		pop	edi

loc_692CCC:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+475j
		lea	edx, [edx-2]
		sub	eax, 2
		cmp	[edx], di
		jz	short loc_692CDC
		cmp	eax, 1
		ja	short loc_692CCC

loc_692CDC:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+470j
		mov	edi, [ebp+arg_0]
		mov	esi, [esp+90h+var_5C]
		mov	[esp+90h+var_54], eax

loc_692CE7:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+462j
		shr	ax, 1
		movzx	eax, ax
		test	ax, ax
		jz	loc_692F42
		mov	ecx, [ecx+4]
		mov	edx, [esp+90h+var_50]
		mov	[esp+90h+var_34], ecx
		mov	ecx, ebx
		push	eax
		call	ApiSetpSearchForApiSet
		mov	[esp+90h+var_6C], eax
		test	eax, eax
		jnz	loc_692DC9
		mov	eax, [esp+90h+var_64]
		cmp	eax, [esp+90h+var_74]
		jnb	loc_692F34
		inc	eax
		mov	[esp+90h+var_64], eax
		mov	eax, [ebx+0Ch]
		imul	edx, eax, 18h
		push	6
		pop	ecx
		add	edx, [ebx+10h]
		add	edx, ebx
		inc	eax
		mov	[ebx+0Ch], eax
		mov	edi, edx
		xor	eax, eax
		mov	[esp+90h+var_6C], edx
		rep stosd
		mov	ecx, [esp+90h+var_38]
		mov	eax, [esp+90h+var_78]
		mov	[edx+4], eax
		mov	eax, [ecx+10h]
		mov	[edx+8], eax
		mov	eax, [esp+90h+var_54]
		mov	[edx+0Ch], eax
		lea	edx, [esp+90h+var_7C]
		push	dword ptr [ecx+10h] ; int
		mov	ecx, ebx
		push	[esp+94h+var_50] ; void	*
		call	_AsiAddDataToSchema@16 ; AsiAddDataToSchema(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_692F29
		mov	ecx, [esp+90h+var_6C]
		lea	edi, [esp+90h+var_14]
		xor	eax, eax
		lea	edx, [esp+90h+var_7C]
		stosd
		push	14h		; int
		mov	dword ptr [ecx+14h], 1
		stosd
		stosd
		stosd
		stosd
		mov	eax, [esp+94h+var_7C]
		mov	[ecx+10h], eax
		lea	eax, [esp+94h+var_14]
		push	eax		; void *
		mov	ecx, ebx
		call	_AsiAddDataToSchema@16 ; AsiAddDataToSchema(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_692F29
		mov	edx, [esp+90h+var_7C]
		mov	edi, [ebp+arg_0]
		mov	eax, [esp+90h+var_6C]
		mov	esi, [esp+90h+var_5C]
		mov	[esp+90h+var_78], edx
		jmp	short loc_692DCD
; 

loc_692DC9:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+4AAj
		mov	edx, [esp+90h+var_78]

loc_692DCD:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+562j
		test	byte ptr [eax],	1
		jnz	loc_692ED4
		mov	esi, [esp+90h+var_60]
		test	esi, esi
		jnz	short loc_692E0F
		push	[esp+90h+var_68] ; int
		mov	[esp+94h+var_60], edx
		mov	ecx, ebx
		push	[esp+94h+var_4C] ; void	*
		lea	edx, [esp+98h+var_7C]
		call	_AsiAddDataToSchema@16 ; AsiAddDataToSchema(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_692F29
		mov	eax, [esp+90h+var_7C]
		mov	esi, [esp+90h+var_60]
		mov	[esp+90h+var_78], eax
		mov	eax, [esp+90h+var_6C]

loc_692E0F:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+577j
		cmp	dword ptr [eax+14h], 0
		jz	loc_692F3B
		mov	ecx, [eax+10h]
		add	ecx, ebx
		cmp	dword ptr [ecx+10h], 0
		jz	loc_692EB7
		cmp	[esp+90h+var_34], 0
		jz	loc_692EB7
		mov	edx, [esp+90h+var_68]
		mov	[ecx+8], edx
		lea	edx, [esp+90h+var_7C]
		mov	[ecx+4], esi
		imul	eax, [eax+14h],	14h
		push	eax		; int
		push	ecx		; void *
		mov	ecx, ebx
		call	_AsiAddDataToSchema@16 ; AsiAddDataToSchema(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_692F29
		mov	ecx, [esp+90h+var_6C]
		mov	eax, [esp+90h+var_78]
		mov	edx, [esp+90h+var_60]
		push	14h		; int
		mov	[ecx+10h], eax
		xor	eax, eax
		mov	[esp+94h+var_28], eax
		mov	ecx, ebx
		mov	[esp+94h+var_24], eax
		mov	[esp+94h+var_20], eax
		mov	eax, [esp+94h+var_68]
		mov	[esp+94h+var_18], eax
		lea	eax, [esp+94h+var_28]
		mov	[esp+94h+var_1C], edx
		lea	edx, [esp+94h+var_7C]
		push	eax		; void *
		call	_AsiAddDataToSchema@16 ; AsiAddDataToSchema(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_692F29
		mov	eax, [esp+90h+var_6C]
		mov	ecx, ebx
		mov	edx, eax
		inc	dword ptr [eax+14h]
		call	_AsiSortValueList@8 ; AsiSortValueList(x,x)
		mov	eax, [esp+90h+var_7C]
		mov	[esp+90h+var_78], eax
		jmp	short loc_692ED0
; 

loc_692EB7:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+5BDj
					; ApiSetComposeSchema(x,x,x,x)+5C8j
		and	dword ptr [ecx+4], 0
		mov	edx, [esp+90h+var_68]
		and	dword ptr [ecx+8], 0
		mov	[ecx+0Ch], esi
		mov	[ecx+10h], edx
		mov	dword ptr [eax+14h], 1

loc_692ED0:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+650j
		mov	esi, [esp+90h+var_5C]

loc_692ED4:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+56Bj
		mov	eax, [esp+90h+var_48]
		mov	edx, [esp+90h+var_44]
		inc	eax
		add	edx, 14h
		mov	[esp+90h+var_48], eax
		mov	[esp+90h+var_44], edx
		cmp	eax, [esi+14h]
		jb	loc_692CA7

loc_692EF1:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+426j
		mov	ecx, [esp+90h+var_64]

loc_692EF5:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+438j
		mov	edx, [esp+90h+var_40]
		mov	eax, [esp+90h+var_3C]
		inc	edx
		add	eax, 18h
		mov	[esp+90h+var_40], edx
		mov	[esp+90h+var_3C], eax
		cmp	edx, [edi+0Ch]
		jb	loc_692C0A

loc_692F12:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+399j
		cmp	[esp+90h+var_74], 0
		jbe	short loc_692F49
		mov	ecx, ebx
		call	_AsiPopulateHashes@4 ; AsiPopulateHashes(x)
		test	eax, eax
		jnz	short loc_692F49
		mov	esi, 0C0000001h

loc_692F29:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+383j
					; ApiSetComposeSchema(x,x,x,x)+415j ...
		mov	ecx, ebx

loc_692F2B:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+707j
		call	ExFreeHeapPool

loc_692F30:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+68j
					; ApiSetComposeSchema(x,x,x,x)+7Cj ...
		mov	eax, esi
		jmp	short loc_692F7A
; 

loc_692F34:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+3C9j
					; ApiSetComposeSchema(x,x,x,x)+4B8j
		mov	esi, 80000005h
		jmp	short loc_692F29
; 

loc_692F3B:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+5AEj
		mov	esi, 0C000000Dh
		jmp	short loc_692F29
; 

loc_692F42:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+48Bj
		mov	esi, 0C0000482h
		jmp	short loc_692F29
; 

loc_692F49:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+6B2j
					; ApiSetComposeSchema(x,x,x,x)+6BDj
		mov	edi, [esp+90h+var_58]
		mov	ecx, ebx
		mov	edx, edi
		call	_ApiSetValidateSchemaFormat@8 ;	ApiSetValidateSchemaFormat(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_692F29
		mov	eax, [esp+90h+var_30]
		mov	ecx, [esp+90h+var_70]
		mov	[eax], ebx
		mov	eax, [esp+90h+var_2C]
		mov	[eax], edi
		jmp	short loc_692F2B
; 

loc_692F6E:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+3Aj
					; ApiSetComposeSchema(x,x,x,x)+45j ...
		mov	eax, 0C000000Dh
		jmp	short loc_692F7A
; 

loc_692F75:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+24j
					; ApiSetComposeSchema(x,x,x,x)+30j
		mov	eax, 0C00000BBh

loc_692F7A:				; CODE XREF: ApiSetComposeSchema(x,x,x,x)+6CDj
					; ApiSetComposeSchema(x,x,x,x)+70Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_ApiSetComposeSchema@16	endp


;  S U B	R O U T	I N E 


; __stdcall ApiSetIsSchemaSealed(x)
_ApiSetIsSchemaSealed@4	proc near	; CODE XREF: ApiSetLoadSchemaWithExtensions(x,x,x)+2Dp
		mov	al, [ecx+8]
		and	al, 1
		retn
_ApiSetIsSchemaSealed@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	AsiAddDataToSchema(void	*,int)
_AsiAddDataToSchema@16 proc near	; CODE XREF: ApiSetComposeSchema(x,x,x,x)+40Cp
					; ApiSetComposeSchema(x,x,x,x)+504p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		lea	esi, [edi+3]
		and	esi, 0FFFFFFFCh
		cmp	esi, edi
		jnb	short loc_692FAB
		mov	eax, 0C0000095h
		jmp	short loc_693004
; 

loc_692FAB:				; CODE XREF: AsiAddDataToSchema(x,x,x,x)+19j
		mov	ecx, [ebx]
		lea	eax, [ebp+arg_4]
		and	[ebp+arg_4], 0
		mov	edx, esi
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_693004
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+arg_4]
		cmp	eax, [ecx+14h]
		jbe	short loc_692FD2
		mov	eax, 80000005h
		jmp	short loc_693004
; 

loc_692FD2:				; CODE XREF: AsiAddDataToSchema(x,x,x,x)+40j
		mov	eax, [ebx]
		push	edi		; size_t
		push	[ebp+arg_0]	; void *
		add	eax, ecx
		push	eax		; void *
		mov	[ebp+var_4], eax
		call	_memcpy
		add	esp, 0Ch
		cmp	edi, esi
		jnb	short loc_692FFD
		mov	eax, [ebp+var_4]
		sub	esi, edi
		push	esi		; size_t
		add	eax, edi
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_692FFD:				; CODE XREF: AsiAddDataToSchema(x,x,x,x)+5Fj
		mov	eax, [ebp+arg_4]
		mov	[ebx], eax
		xor	eax, eax

loc_693004:				; CODE XREF: AsiAddDataToSchema(x,x,x,x)+20j
					; AsiAddDataToSchema(x,x,x,x)+35j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_AsiAddDataToSchema@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AsiPopulateHashes(x)
_AsiPopulateHashes@4 proc near		; CODE XREF: ApiSetComposeSchema(x,x,x,x)+6B6p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_18], esi
		mov	[ebp+var_C], ebx
		mov	ecx, [esi+0Ch]
		mov	[ebp+var_4], ecx

loc_693026:				; CODE XREF: AsiPopulateHashes(x)+DDj
		mov	eax, ds:dword_42E778[ebx]
		xor	edx, edx
		mov	[ebp+var_10], eax
		test	ecx, ecx
		jz	short loc_6930A2
		xor	ebx, ebx

loc_693037:				; CODE XREF: AsiPopulateHashes(x)+92j
		mov	eax, [esi+10h]
		lea	edi, [esi+edx*8]
		add	edi, [esi+14h]
		add	eax, ebx
		mov	[ebp+var_1C], edi
		mov	edi, [eax+esi+0Ch]
		mov	eax, [eax+esi+4]
		shr	edi, 1
		add	eax, esi
		mov	[ebp+var_8], edi
		xor	edi, edi
		mov	[ebp+var_14], eax
		cmp	[ebp+var_8], edi
		jbe	short loc_69308F
		mov	esi, [ebp+var_8]
		mov	ecx, eax

loc_693063:				; CODE XREF: AsiPopulateHashes(x)+7Cj
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_8], eax
		add	eax, 0FFFFFFBFh
		cmp	ax, 19h
		mov	eax, [ebp+var_8]
		ja	short loc_693078
		add	eax, 20h

loc_693078:				; CODE XREF: AsiPopulateHashes(x)+68j
		imul	edi, [ebp+var_10]
		add	ecx, 2
		movzx	eax, ax
		add	edi, eax
		sub	esi, 1
		jnz	short loc_693063
		mov	esi, [ebp+var_18]
		mov	ecx, [ebp+var_4]

loc_69308F:				; CODE XREF: AsiPopulateHashes(x)+51j
		mov	eax, [ebp+var_1C]
		add	ebx, 18h
		mov	[eax+4], edx
		inc	edx
		mov	[eax], edi
		cmp	edx, ecx
		jb	short loc_693037
		mov	ebx, [ebp+var_C]

loc_6930A2:				; CODE XREF: AsiPopulateHashes(x)+28j
		mov	edi, [esi+14h]
		push	offset _MiMdlPageSort ;	int __cdecl (*)(const void *,const void	*)
		push	8		; size_t
		push	ecx		; size_t
		add	edi, esi
		push	edi		; void *
		call	_qsort
		add	esp, 10h
		cmp	[ebp+var_4], 1
		jbe	short loc_6930F2
		mov	edx, [edi]
		xor	eax, eax
		inc	eax

loc_6930C3:				; CODE XREF: AsiPopulateHashes(x)+CFj
		lea	edi, [edi+8]
		mov	ecx, [edi]
		cmp	edx, ecx
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+var_4]
		jz	short loc_6930DC
		inc	eax
		cmp	eax, ecx
		jnb	short loc_6930F2
		mov	edx, [ebp+var_1C]
		jmp	short loc_6930C3
; 

loc_6930DC:				; CODE XREF: AsiPopulateHashes(x)+C5j
		add	ebx, 4
		mov	[ebp+var_C], ebx
		cmp	ebx, 190h
		jb	loc_693026
		xor	eax, eax
		jmp	short loc_6930FB
; 

loc_6930F2:				; CODE XREF: AsiPopulateHashes(x)+B1j
					; AsiPopulateHashes(x)+CAj
		mov	eax, [ebp+var_10]
		mov	[esi+18h], eax
		xor	eax, eax
		inc	eax

loc_6930FB:				; CODE XREF: AsiPopulateHashes(x)+E5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AsiPopulateHashes@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AsiSortValueList(x,	x)
_AsiSortValueList@8 proc near		; CODE XREF: ApiSetComposeSchema(x,x,x,x)+643p

var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, edx
		mov	[ebp+var_14], ecx
		push	ebx
		mov	[ebp+var_1C], eax
		mov	ebx, [eax+14h]
		sub	ebx, 1
		mov	[ebp+var_10], ebx
		jz	loc_6931BF
		push	esi
		push	edi

loc_693122:				; CODE XREF: AsiSortValueList(x,x)+B7j
		mov	eax, [eax+10h]
		add	eax, ecx
		mov	[ebp+var_1], 0
		mov	[ebp+var_18], eax
		lea	edx, [eax+14h]
		mov	[ebp+var_8], edx
		test	ebx, ebx
		jz	loc_6931BD
		mov	esi, ebx
		mov	[ebp+var_C], ebx
		mov	ebx, eax

loc_693143:				; CODE XREF: AsiSortValueList(x,x)+A5j
		mov	eax, [edx+8]
		shr	eax, 1
		push	1
		push	eax
		mov	eax, [edx+4]
		add	eax, ecx
		push	eax
		mov	eax, [ebx+8]
		shr	eax, 1
		push	eax
		mov	eax, [ebx+4]
		add	eax, ecx
		push	eax
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		mov	edx, [ebp+var_8]
		test	eax, eax
		jz	short loc_693190
		push	5
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp+var_30]
		rep movsd
		push	5
		pop	ecx
		mov	esi, ebx
		mov	edi, edx
		rep movsd
		push	5
		pop	ecx
		lea	esi, [ebp+var_30]
		mov	edi, ebx
		rep movsd
		mov	esi, [ebp+var_C]
		mov	al, 1
		mov	[ebp+var_1], al
		jmp	short loc_693193
; 

loc_693190:				; CODE XREF: AsiSortValueList(x,x)+67j
		mov	al, [ebp+var_1]

loc_693193:				; CODE XREF: AsiSortValueList(x,x)+8Ej
		mov	ecx, [ebp+var_14]
		add	edx, 14h
		add	ebx, 14h
		mov	[ebp+var_8], edx
		sub	esi, 1
		mov	[ebp+var_C], esi
		jnz	short loc_693143
		mov	ebx, [ebp+var_10]
		test	al, al
		jz	short loc_6931BD
		mov	eax, [ebp+var_1C]
		sub	ebx, 1
		mov	[ebp+var_10], ebx
		jnz	loc_693122

loc_6931BD:				; CODE XREF: AsiSortValueList(x,x)+36j
					; AsiSortValueList(x,x)+ACj
		pop	edi
		pop	esi

loc_6931BF:				; CODE XREF: AsiSortValueList(x,x)+1Aj
		pop	ebx
		leave
		retn
_AsiSortValueList@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 685. HviGetDebugDeviceOptions

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HviGetDebugDeviceOptions(x)
		public _HviGetDebugDeviceOptions@4
_HviGetDebugDeviceOptions@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_HviIsHypervisorVendorMicrosoft@0 ; HviIsHypervisorVendorMicrosoft()
		test	al, al
		jz	short loc_6931E6
		mov	ecx, 400000FFh
		rdmsr
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	[ecx+4], edx
		jmp	short loc_6931F0
; 

loc_6931E6:				; CODE XREF: HviGetDebugDeviceOptions(x)+Cj
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		and	dword ptr [eax+4], 0

loc_6931F0:				; CODE XREF: HviGetDebugDeviceOptions(x)+1Dj
		pop	ebp
		retn	4
_HviGetDebugDeviceOptions@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 687. HviGetHardwareFeatures

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HviGetHardwareFeatures(x)
		public _HviGetHardwareFeatures@4
_HviGetHardwareFeatures@4 proc near	; CODE XREF: HvlpDetermineEnlightenments()+96p
					; HviIsIommuInUse()+20p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_1C], ebx
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax
		call	_HviGetHypervisorVendorAndMaxFunction@4	; HviGetHypervisorVendorAndMaxFunction(x)
		mov	eax, 40000006h
		cmp	[ebp+var_18], eax
		jb	short loc_693249
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	edi, [ebp+var_1C]
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		jmp	short loc_693256
; 

loc_693249:				; CODE XREF: HviGetHardwareFeatures(x)+35j
		xor	eax, eax
		mov	[ebx], eax
		mov	[ebx+4], eax
		mov	[ebx+8], eax
		mov	[ebx+0Ch], eax

loc_693256:				; CODE XREF: HviGetHardwareFeatures(x)+4Ej
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_HviGetHardwareFeatures@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 690. HviGetHypervisorVendorAndMaxFunction

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HviGetHypervisorVendorAndMaxFunction(x)
		public _HviGetHypervisorVendorAndMaxFunction@4
_HviGetHypervisorVendorAndMaxFunction@4	proc near
					; CODE XREF: HvlpHvIdentityInfoCallback(x,x,x,x)+35p
					; HviGetHardwareFeatures(x)+28p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	HviIsAnyHypervisorPresent
		xor	ecx, ecx
		test	al, al
		jz	short loc_69329B
		mov	eax, 40000000h
		push	ebx
		cpuid
		mov	edi, ebx
		pop	ebx
		nop
		mov	esi, [ebp+arg_0]
		mov	[esi], eax
		mov	[esi+4], edi
		mov	[esi+8], ecx
		mov	[esi+0Ch], edx
		jmp	short loc_6932A9
; 

loc_69329B:				; CODE XREF: HviGetHypervisorVendorAndMaxFunction(x)+11j
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		mov	[eax+0Ch], ecx

loc_6932A9:				; CODE XREF: HviGetHypervisorVendorAndMaxFunction(x)+2Dj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_HviGetHypervisorVendorAndMaxFunction@4	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 691. HviGetHypervisorVersion

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HviGetHypervisorVersion(x)
		public _HviGetHypervisorVersion@4
_HviGetHypervisorVersion@4 proc	near	; CODE XREF: KiIsHyperVCr3RspErrataPresent(x)+53p
					; HvlpHvIdentityInfoCallback(x,x,x,x)+47p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	_HviIsHypervisorMicrosoftCompatible@0 ;	HviIsHypervisorMicrosoftCompatible()
		xor	ecx, ecx
		test	al, al
		jz	short loc_6932E4
		mov	eax, 40000002h
		push	ebx
		cpuid
		mov	edi, ebx
		pop	ebx
		nop
		mov	esi, [ebp+arg_0]
		mov	[esi], eax
		mov	[esi+4], edi
		mov	[esi+8], ecx
		mov	[esi+0Ch], edx
		jmp	short loc_6932F2
; 

loc_6932E4:				; CODE XREF: HviGetHypervisorVersion(x)+11j
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		mov	[eax+0Ch], ecx

loc_6932F2:				; CODE XREF: HviGetHypervisorVersion(x)+2Dj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_HviGetHypervisorVersion@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 692. HviGetImplementationLimits

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HviGetImplementationLimits(x)
		public _HviGetImplementationLimits@4
_HviGetImplementationLimits@4 proc near	; CODE XREF: HvlpSelectLpSet(x,x,x)+90p
					; HvlpSelectVpSet(x,x,x)+36p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	_HviIsHypervisorMicrosoftCompatible@0 ;	HviIsHypervisorMicrosoftCompatible()
		xor	ecx, ecx
		test	al, al
		jz	short loc_69332D
		mov	eax, 40000005h
		push	ebx
		cpuid
		mov	edi, ebx
		pop	ebx
		nop
		mov	esi, [ebp+arg_0]
		mov	[esi], eax
		mov	[esi+4], edi
		mov	[esi+8], ecx
		mov	[esi+0Ch], edx
		jmp	short loc_69333B
; 

loc_69332D:				; CODE XREF: HviGetImplementationLimits(x)+11j
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		mov	[eax+0Ch], ecx

loc_69333B:				; CODE XREF: HviGetImplementationLimits(x)+2Dj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_HviGetImplementationLimits@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HviGetIptFeatures(x)
_HviGetIptFeatures@4 proc near		; CODE XREF: KiGetIptInfo+8931Ap

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	[ebp+var_2C], ebx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		stosd
		call	_HviIsHypervisorMicrosoftCompatible@0 ;	HviIsHypervisorMicrosoftCompatible()
		test	al, al
		jz	short loc_6933B7
		lea	eax, [ebp+var_14]
		push	eax
		call	_HviGetHypervisorVendorAndMaxFunction@4	; HviGetHypervisorVendorAndMaxFunction(x)
		mov	esi, 4000000Bh
		cmp	[ebp+var_14], esi
		jb	short loc_6933B7
		lea	ecx, [ebp+var_28]
		push	ecx
		call	HviGetHypervisorFeatures
		test	[ebp+var_1C], 8000000h
		jz	short loc_6933B7
		mov	eax, esi
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	edi, [ebp+var_2C]
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		jmp	short loc_6933C4
; 

loc_6933B7:				; CODE XREF: HviGetIptFeatures(x)+33j
					; HviGetIptFeatures(x)+46j ...
		xor	eax, eax
		mov	[ebx], eax
		mov	[ebx+4], eax
		mov	[ebx+8], eax
		mov	[ebx+0Ch], eax

loc_6933C4:				; CODE XREF: HviGetIptFeatures(x)+73j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_HviGetIptFeatures@4 endp

; 
		align 8
; Exported entry 696. HviIsHypervisorVendorMicrosoft

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HviIsHypervisorVendorMicrosoft()
		public _HviIsHypervisorVendorMicrosoft@0
_HviIsHypervisorVendorMicrosoft@0 proc near
					; CODE XREF: KiIsHyperVCr3RspErrataPresent(x)+25p
					; HviGetDebugDeviceOptions(x)+5p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		stosd
		call	HviIsAnyHypervisorPresent
		test	al, al
		jz	short loc_69343A
		mov	eax, 40000000h
		lea	edi, [ebp+var_18]
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		cmp	[ebp+var_14], 7263694Dh
		jnz	short loc_69343A
		cmp	[ebp+var_10], 666F736Fh
		jnz	short loc_69343A
		cmp	[ebp+var_C], 76482074h
		jnz	short loc_69343A
		mov	al, 1
		jmp	short loc_69343C
; 

loc_69343A:				; CODE XREF: HviIsHypervisorVendorMicrosoft()+25j
					; HviIsHypervisorVendorMicrosoft()+4Aj	...
		xor	al, al

loc_69343C:				; CODE XREF: HviIsHypervisorVendorMicrosoft()+60j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_HviIsHypervisorVendorMicrosoft@0 endp

; 
		align 10h
; Exported entry 697. HviIsIommuInUse

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HviIsIommuInUse()
		public _HviIsIommuInUse@0
_HviIsIommuInUse@0 proc	near

var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		call	_HviGetHardwareFeatures@4 ; HviGetHardwareFeatures(x)
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_4]
		and	eax, 30h
		cmp	al, 30h
		pop	edi
		setz	al
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_HviIsIommuInUse@0 endp


;  S U B	R O U T	I N E 


; __stdcall HvcallInitInputControl(x, x)
_HvcallInitInputControl@8 proc near	; CODE XREF: HvlpCreateRootVirtualProcessor+4Cp
		mov	edi, edi
		push	esi
		mov	esi, edx
		mov	eax, ecx
		cdq
		mov	[esi], eax
		mov	[esi+4], edx
		pop	esi
		retn
_HvcallInitInputControl@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_69349C	proc near		; CODE XREF: sub_785212+1B39p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		and	[esp+4Ch+var_44], 0
		and	[esp+4Ch+var_10], 0
		and	[esp+4Ch+var_C], 0
		and	[esp+4Ch+var_18], 0
		and	[esp+4Ch+var_1C], 0
		and	[esp+4Ch+var_3C], 0
		and	[esp+4Ch+var_4C], 0
		and	[esp+4Ch+var_8], 0
		push	ebx
		mov	ebx, ecx
		mov	[esp+50h+var_4], edx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+58h+var_40], ebx
		and	[esp+58h+var_20], edi
		mov	eax, [ebx+8]
		test	eax, eax
		jnz	short loc_6934EF

loc_6934E8:				; CODE XREF: sub_69349C+56j
		mov	esi, 0C000000Dh
		jmp	short loc_693561
; 

loc_6934EF:				; CODE XREF: sub_69349C+4Aj
		cmp	dword ptr [ebx], 3
		jbe	short loc_6934E8
		xor	ebx, ebx

loc_6934F6:				; CODE XREF: sub_69349C+7Fj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_693558
		lea	eax, [esp+58h+var_38]
		mov	[esp+58h+var_38], ecx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_693532
		mov	eax, [esp+58h+var_38]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_6934F6
		mov	edi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_693558
		mov	eax, edi
		xor	esi, esi
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_693536
; 

loc_693532:				; CODE XREF: sub_69349C+75j
		mov	eax, [esp+58h+var_20]

loc_693536:				; CODE XREF: sub_69349C+94j
		test	esi, esi
		js	short loc_69355D
		cmp	eax, 8
		jz	short loc_693549

loc_69353F:				; CODE XREF: sub_69349C+19Bj
		mov	esi, 0C0000023h
		jmp	loc_693B7B
; 

loc_693549:				; CODE XREF: sub_69349C+A1j
		mov	eax, [edi]
		mov	[esp+58h+var_10], eax
		mov	eax, [edi+4]
		mov	[esp+58h+var_C], eax
		jmp	short loc_69355D
; 

loc_693558:				; CODE XREF: sub_69349C+61j
					; sub_69349C+88j
		mov	esi, 0C0000095h

loc_69355D:				; CODE XREF: sub_69349C+9Cj
					; sub_69349C+BAj
		mov	ebx, [esp+58h+var_40]

loc_693561:				; CODE XREF: sub_69349C+51j
		test	esi, esi
		js	loc_693B7B
		mov	eax, [ebx+8]
		test	eax, eax
		jnz	short loc_69357A

loc_693570:				; CODE XREF: sub_69349C+E1j
		mov	esi, 0C000000Dh
		jmp	loc_693B7B
; 

loc_69357A:				; CODE XREF: sub_69349C+D2j
		cmp	dword ptr [ebx], 4
		jbe	short loc_693570
		xor	edi, edi

loc_693581:				; CODE XREF: sub_69349C+112j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_693B76
		lea	eax, [esp+58h+var_34]
		mov	[esp+58h+var_34], ecx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_693B7B
		mov	eax, [esp+58h+var_34]
		inc	edi
		cmp	edi, 4
		jb	short loc_693581
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_693B76
		mov	[esp+58h+var_1C], edx
		xor	esi, esi
		neg	edx
		sbb	edx, edx
		and	edx, ecx
		mov	[esp+58h+var_18], edx
		test	esi, esi
		js	loc_693B7B
		mov	eax, [ebx+8]
		xor	edi, edi
		and	[esp+58h+var_20], edi
		test	eax, eax
		jnz	short loc_6935E9

loc_6935E2:				; CODE XREF: sub_69349C+150j
		mov	esi, 0C000000Dh
		jmp	short loc_69364A
; 

loc_6935E9:				; CODE XREF: sub_69349C+144j
		cmp	dword ptr [ebx], 5
		jbe	short loc_6935E2
		xor	ebx, ebx

loc_6935F0:				; CODE XREF: sub_69349C+179j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_693645
		lea	eax, [esp+58h+var_30]
		mov	[esp+58h+var_30], ecx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_69362C
		mov	eax, [esp+58h+var_30]
		inc	ebx
		cmp	ebx, 5
		jb	short loc_6935F0
		mov	edi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_693645
		mov	eax, edi
		xor	esi, esi
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_693630
; 

loc_69362C:				; CODE XREF: sub_69349C+16Fj
		mov	eax, [esp+58h+var_20]

loc_693630:				; CODE XREF: sub_69349C+18Ej
		test	esi, esi
		js	short loc_69364A
		cmp	eax, 4
		jnz	loc_69353F
		mov	ebx, [edi]
		mov	[esp+58h+var_4C], ebx
		jmp	short loc_69364E
; 

loc_693645:				; CODE XREF: sub_69349C+15Bj
					; sub_69349C+182j
		mov	esi, 0C0000095h

loc_69364A:				; CODE XREF: sub_69349C+14Bj
					; sub_69349C+196j
		mov	ebx, [esp+58h+var_4C]

loc_69364E:				; CODE XREF: sub_69349C+1A7j
		test	esi, esi
		js	loc_693B7B
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_6936A7
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	esi
		mov	edx, ebx
		inc	ecx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	20534C53h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		mov	[esp+58h+var_3C], edi
		test	edi, edi
		jnz	short loc_693699
		mov	esi, 0C0000017h
		jmp	loc_693B7B
; 

loc_693699:				; CODE XREF: sub_69349C+1F1j
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_6936AC
; 

loc_6936A7:				; CODE XREF: sub_69349C+1BEj
		mov	edi, [esp+58h+var_3C]
		inc	esi

loc_6936AC:				; CODE XREF: sub_69349C+209j
		mov	eax, ds:dword_A93E94
		test	eax, eax
		jz	short loc_6936D0
		neg	esi
		lea	ecx, [esp+58h+var_8]
		push	ecx
		sbb	esi, esi
		push	ebx
		not	esi
		and	esi, edi
		push	esi
		push	[esp+64h+var_1C]
		push	[esp+68h+var_18]
		call	eax
		jmp	short loc_6936D5
; 

loc_6936D0:				; CODE XREF: sub_69349C+217j
		mov	eax, 0C00000BBh

loc_6936D5:				; CODE XREF: sub_69349C+232j
		and	[esp+58h+var_48], 0
		mov	[esp+58h+var_38], eax
		lea	eax, [esp+58h+var_48]
		xor	ecx, ecx
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_69374C
		mov	ecx, [esp+58h+var_48]
		lea	eax, [esp+58h+var_48]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_69374C
		lea	edx, [ebx+4]
		cmp	edx, 4
		jb	short loc_693747
		mov	ecx, [esp+58h+var_48]
		lea	eax, [esp+58h+var_48]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_69374C
		mov	ecx, [esp+58h+var_48]
		lea	eax, [esp+58h+var_48]
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_69374C
		mov	eax, [esp+58h+var_48]
		mov	[esp+58h+var_44], eax
		jmp	short loc_693750
; 

loc_693747:				; CODE XREF: sub_69349C+274j
		mov	esi, 0C0000095h

loc_69374C:				; CODE XREF: sub_69349C+255j
					; sub_69349C+26Cj ...
		mov	eax, [esp+58h+var_44]

loc_693750:				; CODE XREF: sub_69349C+2A9j
		test	esi, esi
		js	loc_693B65
		xor	edi, edi
		mov	[esp+58h+var_14], 8
		lea	ecx, [esp+58h+var_14]
		mov	edx, eax
		push	ecx
		push	8
		pop	ecx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_693B65
		mov	eax, [esp+58h+var_14]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_693790
		mov	esi, 0C0000095h
		jmp	short loc_693799
; 

loc_693790:				; CODE XREF: sub_69349C+2EBj
		lea	edi, [ecx+8]
		cmp	edi, ecx
		jb	short loc_69380E
		xor	esi, esi

loc_693799:				; CODE XREF: sub_69349C+2F2j
		test	esi, esi
		js	loc_693B65
		mov	ebx, [esp+58h+var_4]
		mov	edx, edi
		push	4
		pop	ecx
		mov	[esp+58h+var_40], ecx
		mov	eax, [ebx+10h]
		mov	ebx, [ebx+8]
		mov	[esp+58h+var_4], eax
		lea	eax, [esp+58h+var_40]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_693B65
		mov	eax, [esp+58h+var_40]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_69380E
		lea	eax, [esp+58h+var_40]
		mov	[esp+58h+var_40], ecx
		push	eax
		mov	edx, ebx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_693B65
		mov	eax, [esp+58h+var_40]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_69380E
		mov	edx, [esp+58h+var_4]
		lea	eax, [esp+58h+var_40]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		jmp	short loc_693813
; 

loc_69380E:				; CODE XREF: sub_69349C+2F9j
					; sub_69349C+339j ...
		mov	esi, 0C0000095h

loc_693813:				; CODE XREF: sub_69349C+370j
		test	esi, esi
		js	loc_693B65
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_69382C
		mov	esi, 0C000000Dh
		jmp	loc_693B65
; 

loc_69382C:				; CODE XREF: sub_69349C+384j
		mov	eax, [esp+58h+var_44]
		lea	ebx, [edi+4]
		xor	esi, esi
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_693842
		mov	esi, 0C000003Eh
		jmp	short loc_69385F
; 

loc_693842:				; CODE XREF: sub_69349C+39Dj
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_69385A
		mov	esi, 0C0000017h
		jmp	short loc_69385F
; 

loc_69385A:				; CODE XREF: sub_69349C+3B5j
		mov	[edi+8], eax
		and	[edi], esi

loc_69385F:				; CODE XREF: sub_69349C+3A4j
					; sub_69349C+3BCj
		test	esi, esi
		js	loc_693B65
		mov	eax, [edi+8]
		or	[esp+58h+var_38], 10000000h
		mov	[esp+58h+var_1C], eax
		test	eax, eax
		jnz	short loc_693896
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_693B65
		inc	dword ptr [edi]
		jmp	loc_693921
; 

loc_693896:				; CODE XREF: sub_69349C+3DCj
		mov	ecx, [edi]
		mov	ebx, eax
		and	[esp+58h+var_18], 0
		mov	[esp+58h+var_2C], ebx
		mov	[esp+58h+var_4], ecx
		test	ecx, ecx
		jz	short loc_6938DE

loc_6938AB:				; CODE XREF: sub_69349C+43Cj
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_693901
		lea	eax, [esp+58h+var_2C]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_693916
		mov	ecx, [esp+58h+var_18]
		mov	ebx, [esp+58h+var_2C]
		inc	ecx
		mov	[esp+58h+var_18], ecx
		cmp	ecx, [esp+58h+var_4]
		jb	short loc_6938AB
		mov	eax, [esp+58h+var_1C]

loc_6938DE:				; CODE XREF: sub_69349C+40Dj
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_693B60
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+8]
		cmp	eax, ecx
		jbe	short loc_693908

loc_6938F7:				; CODE XREF: sub_69349C+50Fj
					; sub_69349C+62Dj ...
		mov	esi, 0C0000023h
		jmp	loc_693B65
; 

loc_693901:				; CODE XREF: sub_69349C+417j
		mov	esi, 0C0000095h
		jmp	short loc_693916
; 

loc_693908:				; CODE XREF: sub_69349C+459j
		mov	eax, [esp+58h+var_38]
		mov	dword ptr [ebx], 4
		mov	[edx], eax
		inc	dword ptr [edi]

loc_693916:				; CODE XREF: sub_69349C+429j
					; sub_69349C+46Aj
		lea	ebx, [edi+4]
		test	esi, esi
		js	loc_693B65

loc_693921:				; CODE XREF: sub_69349C+3F5j
		mov	eax, [edi+8]
		mov	[esp+58h+var_1C], eax
		test	eax, eax
		jnz	short loc_693948
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_693B65
		inc	dword ptr [edi]
		jmp	loc_6939D1
; 

loc_693948:				; CODE XREF: sub_69349C+48Ej
		mov	ecx, [edi]
		mov	ebx, eax
		and	[esp+58h+var_18], 0
		mov	[esp+58h+var_28], ebx
		mov	[esp+58h+var_4], ecx
		test	ecx, ecx
		jz	short loc_693994

loc_69395D:				; CODE XREF: sub_69349C+4F2j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	loc_693A25
		lea	eax, [esp+58h+var_28]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_6939C6
		mov	ecx, [esp+58h+var_18]
		mov	ebx, [esp+58h+var_28]
		inc	ecx
		mov	[esp+58h+var_18], ecx
		cmp	ecx, [esp+58h+var_4]
		jb	short loc_69395D
		mov	eax, [esp+58h+var_1C]

loc_693994:				; CODE XREF: sub_69349C+4BFj
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_693B60
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+0Ch]
		cmp	eax, ecx
		ja	loc_6938F7
		mov	eax, [esp+58h+var_10]
		mov	dword ptr [ebx], 8
		mov	[edx], eax
		mov	eax, [esp+58h+var_C]
		mov	[edx+4], eax
		inc	dword ptr [edi]

loc_6939C6:				; CODE XREF: sub_69349C+4DFj
					; sub_69349C+58Ej
		lea	ebx, [edi+4]
		test	esi, esi
		js	loc_693B65

loc_6939D1:				; CODE XREF: sub_69349C+4A7j
		cmp	[esp+58h+var_3C], 0
		mov	ecx, [esp+58h+var_4C]
		jnz	short loc_693A2C
		test	ecx, ecx
		jz	short loc_693A30

loc_6939E0:				; CODE XREF: sub_69349C+592j
		mov	esi, 0C000000Dh

loc_6939E5:				; CODE XREF: sub_69349C+5C2j
					; sub_69349C+64Ej
		test	esi, esi
		js	loc_693B65
		lea	ebx, [edi+4]

loc_6939F0:				; CODE XREF: sub_69349C+5BBj
		mov	eax, [esp+58h+var_8]
		mov	[esp+58h+var_18], eax
		mov	eax, [edi+8]
		mov	[esp+58h+var_10], eax
		test	eax, eax
		jnz	loc_693AEF
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_693B65
		inc	dword ptr [edi]
		xor	esi, esi
		jmp	loc_693B65
; 

loc_693A25:				; CODE XREF: sub_69349C+4C9j
		mov	esi, 0C0000095h
		jmp	short loc_6939C6
; 

loc_693A2C:				; CODE XREF: sub_69349C+53Ej
		test	ecx, ecx
		jz	short loc_6939E0

loc_693A30:				; CODE XREF: sub_69349C+542j
		mov	eax, [edi+8]
		mov	[esp+58h+var_10], eax
		test	eax, eax
		jnz	short loc_693A60
		lea	edx, [ecx+4]
		cmp	edx, 4
		jb	short loc_693A59
		mov	ecx, [ebx]
		push	ebx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_693B65
		inc	dword ptr [edi]
		jmp	short loc_6939F0
; 

loc_693A59:				; CODE XREF: sub_69349C+5A5j
					; sub_69349C+5E1j
		mov	esi, 0C0000095h
		jmp	short loc_6939E5
; 

loc_693A60:				; CODE XREF: sub_69349C+59Dj
		mov	ecx, [edi]
		mov	ebx, eax
		and	[esp+58h+var_C], 0
		mov	[esp+58h+var_24], ebx
		mov	[esp+58h+var_4], ecx
		test	ecx, ecx
		jz	short loc_693AAC

loc_693A75:				; CODE XREF: sub_69349C+60Aj
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_693A59
		lea	eax, [esp+58h+var_24]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_693B65
		mov	ecx, [esp+58h+var_C]
		mov	ebx, [esp+58h+var_24]
		inc	ecx
		mov	[esp+58h+var_C], ecx
		cmp	ecx, [esp+58h+var_4]
		jb	short loc_693A75
		mov	eax, [esp+58h+var_10]

loc_693AAC:				; CODE XREF: sub_69349C+5D7j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_693B60
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		mov	eax, [esp+58h+var_4C]
		add	eax, 4
		add	eax, ebx
		cmp	eax, ecx
		ja	loc_6938F7
		mov	ecx, [esp+58h+var_3C]
		mov	eax, [esp+58h+var_4C]
		mov	[ebx], eax
		test	ecx, ecx
		jz	short loc_693AE8
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_693AE8:				; CODE XREF: sub_69349C+63Fj
		inc	dword ptr [edi]
		jmp	loc_6939E5
; 

loc_693AEF:				; CODE XREF: sub_69349C+565j
		mov	ecx, [edi]
		mov	ebx, eax
		and	[esp+58h+var_C], 0
		mov	[esp+58h+var_20], ebx
		mov	[esp+58h+var_4], ecx
		test	ecx, ecx
		jz	short loc_693B37

loc_693B04:				; CODE XREF: sub_69349C+695j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_693B60
		lea	eax, [esp+58h+var_20]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_693B65
		mov	ecx, [esp+58h+var_C]
		mov	ebx, [esp+58h+var_20]
		inc	ecx
		mov	[esp+58h+var_C], ecx
		cmp	ecx, [esp+58h+var_4]
		jb	short loc_693B04
		mov	eax, [esp+58h+var_10]

loc_693B37:				; CODE XREF: sub_69349C+666j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	short loc_693B60
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+8]
		cmp	eax, ecx
		ja	loc_6938F7
		mov	eax, [esp+58h+var_18]
		mov	dword ptr [ebx], 4
		mov	[edx], eax
		inc	dword ptr [edi]
		jmp	short loc_693B65
; 

loc_693B60:				; CODE XREF: sub_69349C+447j
					; sub_69349C+4FDj ...
		mov	esi, 0C0000095h

loc_693B65:				; CODE XREF: sub_69349C+2B6j
					; sub_69349C+2D9j ...
		mov	eax, [esp+58h+var_3C]
		test	eax, eax
		jz	short loc_693B7B
		mov	ecx, eax
		call	ExFreeHeapPool
		jmp	short loc_693B7B
; 

loc_693B76:				; CODE XREF: sub_69349C+ECj
					; sub_69349C+11Bj
		mov	esi, 0C0000095h

loc_693B7B:				; CODE XREF: sub_69349C+A8j
					; sub_69349C+C7j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
sub_69349C	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_693B86	proc near		; CODE XREF: sub_785212+2353p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		and	[esp+44h+var_38], 0
		and	[esp+44h+var_10], 0
		and	[esp+44h+var_C], 0
		and	[esp+44h+var_30], 0
		and	[esp+44h+var_40], 0
		and	[esp+44h+var_8], 0
		mov	eax, [ecx+8]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+50h+var_4], edx
		and	[esp+50h+var_18], edi
		mov	[esp+50h+var_34], ecx
		test	eax, eax
		jnz	short loc_693BCE

loc_693BC7:				; CODE XREF: sub_693B86+4Bj
		mov	esi, 0C000000Dh
		jmp	short loc_693C40
; 

loc_693BCE:				; CODE XREF: sub_693B86+3Fj
		cmp	dword ptr [ecx], 3
		jbe	short loc_693BC7
		xor	ebx, ebx

loc_693BD5:				; CODE XREF: sub_693B86+74j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_693C37
		lea	eax, [esp+50h+var_2C]
		mov	[esp+50h+var_2C], ecx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_693C11
		mov	eax, [esp+50h+var_2C]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_693BD5
		mov	edi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_693C37
		mov	eax, edi
		xor	esi, esi
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_693C15
; 

loc_693C11:				; CODE XREF: sub_693B86+6Aj
		mov	eax, [esp+50h+var_18]

loc_693C15:				; CODE XREF: sub_693B86+89j
		test	esi, esi
		js	short loc_693C3C
		cmp	eax, 8
		jz	short loc_693C28

loc_693C1E:				; CODE XREF: sub_693B86+124j
		mov	esi, 0C0000023h
		jmp	loc_6941DF
; 

loc_693C28:				; CODE XREF: sub_693B86+96j
		mov	eax, [edi]
		mov	[esp+50h+var_10], eax
		mov	eax, [edi+4]
		mov	[esp+50h+var_C], eax
		jmp	short loc_693C3C
; 

loc_693C37:				; CODE XREF: sub_693B86+56j
					; sub_693B86+7Dj
		mov	esi, 0C0000095h

loc_693C3C:				; CODE XREF: sub_693B86+91j
					; sub_693B86+AFj
		mov	ecx, [esp+50h+var_34]

loc_693C40:				; CODE XREF: sub_693B86+46j
		test	esi, esi
		js	loc_6941DF
		mov	eax, [ecx+8]
		xor	edi, edi
		and	[esp+50h+var_18], edi
		test	eax, eax
		jnz	short loc_693C5C

loc_693C55:				; CODE XREF: sub_693B86+D9j
		mov	esi, 0C000000Dh
		jmp	short loc_693CBD
; 

loc_693C5C:				; CODE XREF: sub_693B86+CDj
		cmp	dword ptr [ecx], 4
		jbe	short loc_693C55
		xor	ebx, ebx

loc_693C63:				; CODE XREF: sub_693B86+102j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_693CB8
		lea	eax, [esp+50h+var_28]
		mov	[esp+50h+var_28], ecx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_693C9F
		mov	eax, [esp+50h+var_28]
		inc	ebx
		cmp	ebx, 4
		jb	short loc_693C63
		mov	edi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_693CB8
		mov	eax, edi
		xor	esi, esi
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_693CA3
; 

loc_693C9F:				; CODE XREF: sub_693B86+F8j
		mov	eax, [esp+50h+var_18]

loc_693CA3:				; CODE XREF: sub_693B86+117j
		test	esi, esi
		js	short loc_693CBD
		cmp	eax, 4
		jnz	loc_693C1E
		mov	ebx, [edi]
		mov	[esp+50h+var_40], ebx
		jmp	short loc_693CC1
; 

loc_693CB8:				; CODE XREF: sub_693B86+E4j
					; sub_693B86+10Bj
		mov	esi, 0C0000095h

loc_693CBD:				; CODE XREF: sub_693B86+D4j
					; sub_693B86+11Fj
		mov	ebx, [esp+50h+var_40]

loc_693CC1:				; CODE XREF: sub_693B86+130j
		test	esi, esi
		js	loc_6941DF
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_693D1A
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	esi
		mov	edx, ebx
		inc	ecx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	20534C53h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		mov	[esp+50h+var_30], edi
		test	edi, edi
		jnz	short loc_693D0C
		mov	esi, 0C0000017h
		jmp	loc_6941DF
; 

loc_693D0C:				; CODE XREF: sub_693B86+17Aj
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_693D1F
; 

loc_693D1A:				; CODE XREF: sub_693B86+147j
		mov	edi, [esp+50h+var_30]
		inc	esi

loc_693D1F:				; CODE XREF: sub_693B86+192j
		mov	eax, ds:dword_A93EC4
		test	eax, eax
		jz	short loc_693D3B
		neg	esi
		lea	ecx, [esp+50h+var_8]
		push	ecx
		sbb	esi, esi
		not	esi
		push	ebx
		and	esi, edi
		push	esi
		call	eax
		jmp	short loc_693D40
; 

loc_693D3B:				; CODE XREF: sub_693B86+1A0j
		mov	eax, 0C00000BBh

loc_693D40:				; CODE XREF: sub_693B86+1B3j
		and	[esp+50h+var_3C], 0
		mov	[esp+50h+var_2C], eax
		lea	eax, [esp+50h+var_3C]
		xor	ecx, ecx
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_693DB7
		mov	ecx, [esp+50h+var_3C]
		lea	eax, [esp+50h+var_3C]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_693DB7
		lea	edx, [ebx+4]
		cmp	edx, 4
		jb	short loc_693DB2
		mov	ecx, [esp+50h+var_3C]
		lea	eax, [esp+50h+var_3C]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_693DB7
		mov	ecx, [esp+50h+var_3C]
		lea	eax, [esp+50h+var_3C]
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_693DB7
		mov	eax, [esp+50h+var_3C]
		mov	[esp+50h+var_38], eax
		jmp	short loc_693DBB
; 

loc_693DB2:				; CODE XREF: sub_693B86+1F5j
		mov	esi, 0C0000095h

loc_693DB7:				; CODE XREF: sub_693B86+1D6j
					; sub_693B86+1EDj ...
		mov	eax, [esp+50h+var_38]

loc_693DBB:				; CODE XREF: sub_693B86+22Aj
		test	esi, esi
		js	loc_6941D0
		xor	edi, edi
		mov	[esp+50h+var_14], 8
		lea	ecx, [esp+50h+var_14]
		mov	edx, eax
		push	ecx
		push	8
		pop	ecx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_6941D0
		mov	eax, [esp+50h+var_14]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_693DFB
		mov	esi, 0C0000095h
		jmp	short loc_693E04
; 

loc_693DFB:				; CODE XREF: sub_693B86+26Cj
		lea	edi, [ecx+8]
		cmp	edi, ecx
		jb	short loc_693E79
		xor	esi, esi

loc_693E04:				; CODE XREF: sub_693B86+273j
		test	esi, esi
		js	loc_6941D0
		mov	ebx, [esp+50h+var_4]
		mov	edx, edi
		push	4
		pop	ecx
		mov	[esp+50h+var_34], ecx
		mov	eax, [ebx+10h]
		mov	ebx, [ebx+8]
		mov	[esp+50h+var_4], eax
		lea	eax, [esp+50h+var_34]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_6941D0
		mov	eax, [esp+50h+var_34]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_693E79
		lea	eax, [esp+50h+var_34]
		mov	[esp+50h+var_34], ecx
		push	eax
		mov	edx, ebx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_6941D0
		mov	eax, [esp+50h+var_34]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_693E79
		mov	edx, [esp+50h+var_4]
		lea	eax, [esp+50h+var_34]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		jmp	short loc_693E7E
; 

loc_693E79:				; CODE XREF: sub_693B86+27Aj
					; sub_693B86+2BAj ...
		mov	esi, 0C0000095h

loc_693E7E:				; CODE XREF: sub_693B86+2F1j
		test	esi, esi
		js	loc_6941D0
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_693E97
		mov	esi, 0C000000Dh
		jmp	loc_6941D0
; 

loc_693E97:				; CODE XREF: sub_693B86+305j
		mov	eax, [esp+50h+var_38]
		lea	ebx, [edi+4]
		xor	esi, esi
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_693EAD
		mov	esi, 0C000003Eh
		jmp	short loc_693ECA
; 

loc_693EAD:				; CODE XREF: sub_693B86+31Ej
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_693EC5
		mov	esi, 0C0000017h
		jmp	short loc_693ECA
; 

loc_693EC5:				; CODE XREF: sub_693B86+336j
		mov	[edi+8], eax
		and	[edi], esi

loc_693ECA:				; CODE XREF: sub_693B86+325j
					; sub_693B86+33Dj
		test	esi, esi
		js	loc_6941D0
		mov	eax, [edi+8]
		or	[esp+50h+var_2C], 10000000h
		mov	[esp+50h+var_1C], eax
		test	eax, eax
		jnz	short loc_693F01
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_6941D0
		inc	dword ptr [edi]
		jmp	loc_693F8C
; 

loc_693F01:				; CODE XREF: sub_693B86+35Dj
		mov	ecx, [edi]
		mov	ebx, eax
		and	[esp+50h+var_18], 0
		mov	[esp+50h+var_24], ebx
		mov	[esp+50h+var_4], ecx
		test	ecx, ecx
		jz	short loc_693F49

loc_693F16:				; CODE XREF: sub_693B86+3BDj
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_693F6C
		lea	eax, [esp+50h+var_24]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_693F81
		mov	ecx, [esp+50h+var_18]
		mov	ebx, [esp+50h+var_24]
		inc	ecx
		mov	[esp+50h+var_18], ecx
		cmp	ecx, [esp+50h+var_4]
		jb	short loc_693F16
		mov	eax, [esp+50h+var_1C]

loc_693F49:				; CODE XREF: sub_693B86+38Ej
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_6941CB
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+8]
		cmp	eax, ecx
		jbe	short loc_693F73

loc_693F62:				; CODE XREF: sub_693B86+490j
					; sub_693B86+5AEj ...
		mov	esi, 0C0000023h
		jmp	loc_6941D0
; 

loc_693F6C:				; CODE XREF: sub_693B86+398j
		mov	esi, 0C0000095h
		jmp	short loc_693F81
; 

loc_693F73:				; CODE XREF: sub_693B86+3DAj
		mov	eax, [esp+50h+var_2C]
		mov	dword ptr [ebx], 4
		mov	[edx], eax
		inc	dword ptr [edi]

loc_693F81:				; CODE XREF: sub_693B86+3AAj
					; sub_693B86+3EBj
		lea	ebx, [edi+4]
		test	esi, esi
		js	loc_6941D0

loc_693F8C:				; CODE XREF: sub_693B86+376j
		mov	eax, [edi+8]
		mov	[esp+50h+var_1C], eax
		test	eax, eax
		jnz	short loc_693FB3
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_6941D0
		inc	dword ptr [edi]
		jmp	loc_69403C
; 

loc_693FB3:				; CODE XREF: sub_693B86+40Fj
		mov	ecx, [edi]
		mov	ebx, eax
		and	[esp+50h+var_18], 0
		mov	[esp+50h+var_20], ebx
		mov	[esp+50h+var_4], ecx
		test	ecx, ecx
		jz	short loc_693FFF

loc_693FC8:				; CODE XREF: sub_693B86+473j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	loc_694090
		lea	eax, [esp+50h+var_20]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_694031
		mov	ecx, [esp+50h+var_18]
		mov	ebx, [esp+50h+var_20]
		inc	ecx
		mov	[esp+50h+var_18], ecx
		cmp	ecx, [esp+50h+var_4]
		jb	short loc_693FC8
		mov	eax, [esp+50h+var_1C]

loc_693FFF:				; CODE XREF: sub_693B86+440j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_6941CB
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+0Ch]
		cmp	eax, ecx
		ja	loc_693F62
		mov	eax, [esp+50h+var_10]
		mov	dword ptr [ebx], 8
		mov	[edx], eax
		mov	eax, [esp+50h+var_C]
		mov	[edx+4], eax
		inc	dword ptr [edi]

loc_694031:				; CODE XREF: sub_693B86+460j
					; sub_693B86+50Fj
		lea	ebx, [edi+4]
		test	esi, esi
		js	loc_6941D0

loc_69403C:				; CODE XREF: sub_693B86+428j
		cmp	[esp+50h+var_30], 0
		mov	ecx, [esp+50h+var_40]
		jnz	short loc_694097
		test	ecx, ecx
		jz	short loc_69409B

loc_69404B:				; CODE XREF: sub_693B86+513j
		mov	esi, 0C000000Dh

loc_694050:				; CODE XREF: sub_693B86+543j
					; sub_693B86+5CFj
		test	esi, esi
		js	loc_6941D0
		lea	ebx, [edi+4]

loc_69405B:				; CODE XREF: sub_693B86+53Cj
		mov	eax, [esp+50h+var_8]
		mov	[esp+50h+var_1C], eax
		mov	eax, [edi+8]
		mov	[esp+50h+var_10], eax
		test	eax, eax
		jnz	loc_69415A
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_6941D0
		inc	dword ptr [edi]
		xor	esi, esi
		jmp	loc_6941D0
; 

loc_694090:				; CODE XREF: sub_693B86+44Aj
		mov	esi, 0C0000095h
		jmp	short loc_694031
; 

loc_694097:				; CODE XREF: sub_693B86+4BFj
		test	ecx, ecx
		jz	short loc_69404B

loc_69409B:				; CODE XREF: sub_693B86+4C3j
		mov	eax, [edi+8]
		mov	[esp+50h+var_10], eax
		test	eax, eax
		jnz	short loc_6940CB
		lea	edx, [ecx+4]
		cmp	edx, 4
		jb	short loc_6940C4
		mov	ecx, [ebx]

loc_6940B0:				; DATA XREF: .text:004305D0o
		push	ebx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_6941D0
		inc	dword ptr [edi]
		jmp	short loc_69405B
; 

loc_6940C4:				; CODE XREF: sub_693B86+526j
					; sub_693B86+562j
		mov	esi, 0C0000095h
		jmp	short loc_694050
; 

loc_6940CB:				; CODE XREF: sub_693B86+51Ej
		mov	ecx, [edi]
		mov	ebx, eax
		and	[esp+50h+var_C], 0
		mov	[esp+50h+var_1C], ebx
		mov	[esp+50h+var_4], ecx
		test	ecx, ecx
		jz	short loc_694117

loc_6940E0:				; CODE XREF: sub_693B86+58Bj
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_6940C4
		lea	eax, [esp+50h+var_1C]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_6941D0
		mov	ecx, [esp+50h+var_C]
		mov	ebx, [esp+50h+var_1C]
		inc	ecx
		mov	[esp+50h+var_C], ecx
		cmp	ecx, [esp+50h+var_4]
		jb	short loc_6940E0
		mov	eax, [esp+50h+var_10]

loc_694117:				; CODE XREF: sub_693B86+558j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_6941CB
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		mov	eax, [esp+50h+var_40]
		add	eax, 4
		add	eax, ebx
		cmp	eax, ecx
		ja	loc_693F62
		mov	ecx, [esp+50h+var_30]
		mov	eax, [esp+50h+var_40]
		mov	[ebx], eax
		test	ecx, ecx
		jz	short loc_694153
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_694153:				; CODE XREF: sub_693B86+5C0j
		inc	dword ptr [edi]
		jmp	loc_694050
; 

loc_69415A:				; CODE XREF: sub_693B86+4E6j
		mov	ecx, [edi]
		mov	ebx, eax
		and	[esp+50h+var_C], 0
		mov	[esp+50h+var_18], ebx
		mov	[esp+50h+var_4], ecx
		test	ecx, ecx
		jz	short loc_6941A2

loc_69416F:				; CODE XREF: sub_693B86+616j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_6941CB
		lea	eax, [esp+50h+var_18]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_6941D0
		mov	ecx, [esp+50h+var_C]
		mov	ebx, [esp+50h+var_18]
		inc	ecx
		mov	[esp+50h+var_C], ecx
		cmp	ecx, [esp+50h+var_4]
		jb	short loc_69416F
		mov	eax, [esp+50h+var_10]

loc_6941A2:				; CODE XREF: sub_693B86+5E7j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	short loc_6941CB
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+8]
		cmp	eax, ecx
		ja	loc_693F62
		mov	eax, [esp+50h+var_1C]
		mov	dword ptr [ebx], 4
		mov	[edx], eax
		inc	dword ptr [edi]
		jmp	short loc_6941D0
; 

loc_6941CB:				; CODE XREF: sub_693B86+3C8j
					; sub_693B86+47Ej ...
		mov	esi, 0C0000095h

loc_6941D0:				; CODE XREF: sub_693B86+237j
					; sub_693B86+25Aj ...
		mov	eax, [esp+50h+var_30]
		test	eax, eax
		jz	short loc_6941DF
		mov	ecx, eax
		call	ExFreeHeapPool

loc_6941DF:				; CODE XREF: sub_693B86+9Dj
					; sub_693B86+BCj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
sub_693B86	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_6941EA	proc near		; CODE XREF: sub_694B86+4Cp
					; sub_694B86+62p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ebx
		mov	esi, ecx
		shl	edi, 4
		mov	[ebp+var_18], esi
		mov	[ebp+var_1C], edi
		mov	eax, [edi+esi+4]
		cmp	eax, 1Eh	; switch 31 cases
		ja	loc_694AF6	; default
		jmp	ds:off_694B0A[eax*4] ; switch jump

loc_694223:				; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x0
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		mov	eax, [edi+esi+8]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_14], ecx
		push	3
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		lea	eax, [ebx+1]
		add	eax, edx
		and	ebx, ecx
		and	eax, ecx
		mov	ecx, [ebp+var_18]
		movzx	edi, word ptr [ebp+eax*2+var_C]
		movzx	eax, word ptr [ebp+ebx*2+var_14]
		xor	edi, esi
		imul	edi, eax
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+ecx+0Ch]

loc_694265:				; CODE XREF: sub_6941EA+288j
		push	0Fh
		xor	edx, edx
		pop	ecx
		div	ecx
		lea	ecx, [edx+1]
		shr	esi, cl

loc_694271:				; CODE XREF: sub_6941EA+397j
		lea	eax, [esi+edi]
		jmp	loc_694AF8
; 

loc_694279:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x1
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+8]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	3
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		lea	eax, [ebx+1]
		add	eax, edx
		and	ebx, ecx
		and	eax, ecx
		mov	edi, esi
		mov	ecx, [ebp+var_18]
		movzx	eax, word ptr [ebp+eax*2+var_14]
		sub	edi, eax
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		imul	edi, eax
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+ecx+0Ch]

loc_6942BD:				; CODE XREF: sub_6941EA+2D5j
		push	0Fh
		xor	edx, edx
		pop	ecx
		div	ecx
		lea	ecx, [edx+1]
		shr	esi, cl

loc_6942C9:				; CODE XREF: sub_6941EA+3FDj
		sub	edi, esi

loc_6942CB:				; CODE XREF: sub_6941EA+138j
		mov	eax, edi
		jmp	loc_694AF8
; 

loc_6942D2:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x2
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+8]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	3
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		lea	eax, [ebx+1]
		add	eax, edx
		and	ebx, ecx
		and	eax, ecx
		mov	ecx, [ebp+var_18]
		movzx	edi, word ptr [ebp+eax*2+var_14]
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		xor	edi, esi
		imul	edi, eax
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+ecx+0Ch]

loc_694314:				; CODE XREF: sub_6941EA+331j
		push	0Fh
		xor	edx, edx
		pop	ecx
		div	ecx
		lea	ecx, [edx+1]
		shr	esi, cl

loc_694320:				; CODE XREF: sub_6941EA+463j
		xor	edi, esi
		jmp	short loc_6942CB
; 

loc_694324:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x3
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_C], ecx
		push	0Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		push	3
		lea	ecx, [edx+1]
		xor	edx, edx
		ror	esi, cl
		mov	ecx, [ebp+var_18]
		mov	eax, [edi+ecx+8]
		lea	ecx, [ebx+1]
		pop	edi
		div	edi
		and	ebx, edi
		add	ecx, edx
		and	ecx, edi
		movzx	eax, word ptr [ebp+ecx*2+var_14]
		xor	eax, [ebp+arg_4]
		movzx	ecx, word ptr [ebp+ebx*2+var_C]
		imul	eax, ecx
		add	eax, esi
		jmp	loc_694AF8
; 

loc_694377:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x4
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	0Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		push	3
		lea	ecx, [edx+1]
		xor	edx, edx
		ror	esi, cl
		mov	ecx, [ebp+var_18]
		mov	eax, [edi+ecx+8]
		pop	ecx
		div	ecx
		lea	eax, [ebx+1]
		and	ebx, ecx
		add	eax, edx
		and	eax, ecx
		movzx	ecx, word ptr [ebp+ebx*2+var_C]
		movzx	eax, word ptr [ebp+eax*2+var_14]
		xor	eax, [ebp+arg_4]
		imul	eax, ecx
		sub	eax, esi
		jmp	loc_694AF8
; 

loc_6943CA:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x5
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_C], ecx
		push	0Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		push	3
		lea	ecx, [edx+1]
		xor	edx, edx
		ror	esi, cl
		mov	ecx, [ebp+var_18]
		mov	eax, [edi+ecx+8]
		lea	ecx, [ebx+1]
		pop	edi
		div	edi
		and	ebx, edi
		add	ecx, edx
		and	ecx, edi
		movzx	eax, word ptr [ebp+ecx*2+var_14]
		xor	eax, [ebp+arg_4]
		movzx	ecx, word ptr [ebp+ebx*2+var_C]
		imul	eax, ecx
		xor	eax, esi
		jmp	loc_694AF8
; 

loc_69441D:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x6
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		push	7
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		pop	ecx
		div	ecx
		mov	eax, [edi+esi+8]
		push	3
		pop	esi
		push	3
		lea	ecx, [edx+1]
		xor	edx, edx
		div	esi
		lea	eax, [ebx+1]
		add	eax, edx
		and	eax, esi
		mov	esi, [ebp+arg_4]
		movzx	edi, word ptr [ebp+eax*2+var_14]
		pop	eax
		and	ebx, eax
		xor	edi, esi
		rol	edi, cl
		mov	ecx, [ebp+var_18]
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		imul	edi, eax
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+ecx+10h]
		jmp	loc_694265
; 

loc_694477:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x7
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	7
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		shr	eax, 1
		and	ebx, 3
		dec	eax
		and	eax, 1
		lea	ecx, [edx+1]
		mov	edi, [ebp+eax*4+var_14]
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		xor	edi, esi
		rol	edi, cl
		mov	ecx, [ebp+var_18]
		imul	edi, eax
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+ecx+10h]
		jmp	loc_6942BD
; 

loc_6944C4:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x8
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		push	7
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		pop	ecx
		div	ecx
		mov	eax, [edi+esi+8]
		push	3
		pop	esi
		push	3
		lea	ecx, [edx+1]
		xor	edx, edx
		div	esi
		lea	eax, [ebx+1]
		add	eax, edx
		and	eax, esi
		mov	esi, [ebp+arg_4]
		mov	edi, esi
		movzx	eax, word ptr [ebp+eax*2+var_14]
		sub	edi, eax
		pop	eax
		and	ebx, eax
		rol	edi, cl
		mov	ecx, [ebp+var_18]
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		imul	edi, eax
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+ecx+10h]
		jmp	loc_694314
; 

loc_694520:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x9
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		push	7
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		pop	ecx
		div	ecx
		mov	eax, [edi+esi+8]
		push	3
		pop	esi
		push	3
		lea	ecx, [edx+1]
		xor	edx, edx
		div	esi
		lea	eax, [ebx+1]
		add	eax, edx
		and	eax, esi
		mov	esi, [ebp+arg_4]
		movzx	edi, word ptr [ebp+eax*2+var_14]
		xor	edi, esi
		pop	eax
		rol	edi, cl
		and	ebx, eax
		movzx	eax, word ptr [ebp+ebx*2+var_C]

loc_694568:				; CODE XREF: sub_6941EA+4A3j
					; sub_6941EA+4E3j ...
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		imul	edi, eax
		mov	eax, [ebp+var_1C]
		push	1Fh
		mov	eax, [eax+ecx+10h]
		pop	ecx
		div	ecx
		lea	ecx, [edx+1]
		ror	esi, cl
		jmp	loc_694271
; 

loc_694586:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0xA
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		push	7
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		pop	ecx
		div	ecx
		mov	eax, [edi+esi+8]
		push	3
		pop	esi
		push	3
		lea	ecx, [edx+1]
		xor	edx, edx
		div	esi
		lea	eax, [ebx+1]
		add	eax, edx
		and	eax, esi
		mov	esi, [ebp+arg_4]
		movzx	edi, word ptr [ebp+eax*2+var_14]
		xor	edi, esi
		pop	eax
		rol	edi, cl
		and	ebx, eax
		movzx	eax, word ptr [ebp+ebx*2+var_C]

loc_6945CE:				; CODE XREF: sub_6941EA+563j
					; sub_6941EA+5A3j ...
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		imul	edi, eax
		mov	eax, [ebp+var_1C]
		push	1Fh
		mov	eax, [eax+ecx+10h]
		pop	ecx
		div	ecx
		lea	ecx, [edx+1]
		ror	esi, cl
		jmp	loc_6942C9
; 

loc_6945EC:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0xB
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		push	7
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		pop	ecx
		div	ecx
		mov	eax, [edi+esi+8]
		push	3
		pop	esi
		push	3
		lea	ecx, [edx+1]
		xor	edx, edx
		div	esi
		lea	eax, [ebx+1]
		add	eax, edx
		and	eax, esi
		mov	esi, [ebp+arg_4]
		movzx	edi, word ptr [ebp+eax*2+var_14]
		xor	edi, esi
		pop	eax
		rol	edi, cl
		and	ebx, eax
		movzx	eax, word ptr [ebp+ebx*2+var_C]

loc_694634:				; CODE XREF: sub_6941EA+623j
					; sub_6941EA+663j ...
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		imul	edi, eax
		mov	eax, [ebp+var_1C]
		push	1Fh
		mov	eax, [eax+ecx+10h]
		pop	ecx
		div	ecx
		lea	ecx, [edx+1]
		ror	esi, cl
		jmp	loc_694320
; 

loc_694652:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0xC
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		shr	eax, 1
		dec	eax
		and	eax, 1
		lea	ecx, [edx+1]
		mov	edi, [ebp+eax*4+var_14]
		add	edi, esi
		ror	edi, cl
		and	ebx, 3
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		jmp	loc_694568
; 

loc_694692:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0xD
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		shr	eax, 1
		dec	eax
		and	eax, 1
		lea	ecx, [edx+1]
		mov	edi, [ebp+eax*4+var_14]
		sub	edi, esi
		ror	edi, cl
		and	ebx, 3
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		jmp	loc_694568
; 

loc_6946D2:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0xE
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		shr	eax, 1
		dec	eax
		and	eax, 1
		lea	ecx, [edx+1]
		mov	edi, [ebp+eax*4+var_14]
		xor	edi, esi
		ror	edi, cl
		and	ebx, 3
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		jmp	loc_694568
; 

loc_694712:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0xF
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		shr	eax, 1
		dec	eax
		and	eax, 1
		lea	ecx, [edx+1]
		mov	edi, [ebp+eax*4+var_14]
		add	edi, esi
		ror	edi, cl
		and	ebx, 3
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		jmp	loc_6945CE
; 

loc_694752:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x10
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		shr	eax, 1
		dec	eax
		and	eax, 1
		lea	ecx, [edx+1]
		mov	edi, [ebp+eax*4+var_14]
		sub	edi, esi
		ror	edi, cl
		and	ebx, 3
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		jmp	loc_6945CE
; 

loc_694792:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x11
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		shr	eax, 1
		dec	eax
		and	eax, 1
		lea	ecx, [edx+1]
		mov	edi, [ebp+eax*4+var_14]
		xor	edi, esi
		ror	edi, cl
		and	ebx, 3
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		jmp	loc_6945CE
; 

loc_6947D2:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x12
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		shr	eax, 1
		mov	edi, esi
		dec	eax
		and	eax, 1
		lea	ecx, [edx+1]
		sub	edi, [ebp+eax*4+var_14]
		ror	edi, cl
		and	ebx, 3
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		jmp	loc_694634
; 

loc_694812:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x13
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		shr	eax, 1
		dec	eax
		and	eax, 1
		lea	ecx, [edx+1]
		mov	edi, [ebp+eax*4+var_14]
		sub	edi, esi
		ror	edi, cl
		and	ebx, 3
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		jmp	loc_694634
; 

loc_694852:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x14
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		shr	eax, 1
		dec	eax
		and	eax, 1
		lea	ecx, [edx+1]
		mov	edi, [ebp+eax*4+var_14]
		xor	edi, esi
		ror	edi, cl
		and	ebx, 3
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		jmp	loc_694634
; 

loc_694892:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x15
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		shr	eax, 1
		mov	edi, esi
		dec	eax
		and	eax, 1
		lea	ecx, [edx+1]
		sub	edi, [ebp+eax*4+var_14]
		ror	edi, cl
		and	ebx, 3
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		jmp	loc_694568
; 

loc_6948D2:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x16
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		shr	eax, 1
		mov	edi, esi
		dec	eax
		and	eax, 1
		lea	ecx, [edx+1]
		sub	edi, [ebp+eax*4+var_14]
		ror	edi, cl
		and	ebx, 3
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		jmp	loc_6945CE
; 

loc_694912:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x17
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		shr	eax, 1
		mov	edi, esi
		dec	eax
		and	eax, 1
		lea	ecx, [edx+1]
		sub	edi, [ebp+eax*4+var_14]
		ror	edi, cl
		and	ebx, 3
		movzx	eax, word ptr [ebp+ebx*2+var_C]
		jmp	loc_694634
; 

loc_694952:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x18
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+8]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	0Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		and	eax, 3
		not	esi
		push	3
		lea	ecx, [edx+1]
		xor	edx, edx
		movzx	eax, word ptr [ebp+eax*2+var_14]
		ror	esi, cl
		mov	ecx, [ebp+var_18]
		add	esi, eax
		mov	eax, [edi+ecx+0Ch]
		lea	ecx, [ebx+1]
		pop	edi
		div	edi
		add	ecx, edx
		and	ecx, edi
		movzx	eax, word ptr [ebp+ecx*2+var_C]

loc_69499F:				; CODE XREF: sub_6941EA+808j
					; sub_6941EA+855j
		imul	eax, esi
		jmp	loc_694AF8
; 

loc_6949A7:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x19
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+8]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	0Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		and	eax, 3
		push	3
		lea	ecx, [edx+1]
		xor	edx, edx
		movzx	eax, word ptr [ebp+eax*2+var_14]
		ror	esi, cl
		mov	ecx, [ebp+var_18]
		sub	esi, eax
		mov	eax, [edi+ecx+0Ch]
		lea	ecx, [ebx+1]
		pop	edi
		div	edi
		add	ecx, edx
		and	ecx, edi
		movzx	eax, word ptr [ebp+ecx*2+var_C]
		jmp	short loc_69499F
; 

loc_6949F4:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x1A
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [edi+esi+8]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	0Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_4]
		mov	eax, ebx
		and	eax, 3
		push	3
		lea	ecx, [edx+1]
		xor	edx, edx
		movzx	eax, word ptr [ebp+eax*2+var_14]
		ror	esi, cl
		mov	ecx, [ebp+var_18]
		xor	esi, eax
		mov	eax, [edi+ecx+0Ch]
		lea	ecx, [ebx+1]
		pop	edi
		div	edi
		add	ecx, edx
		and	ecx, edi
		movzx	eax, word ptr [ebp+ecx*2+var_C]
		jmp	loc_69499F
; 

loc_694A44:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	eax, [ebp+arg_C] ; case	0x1B
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, ebx
		and	eax, 1
		mov	[ebp+var_C], ecx
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+eax*4+var_14]
		lea	eax, [ebx-1]
		xor	ecx, [ebp+arg_4]
		and	eax, 1
		mov	eax, [ebp+eax*4+var_C]

loc_694A6C:				; CODE XREF: sub_6941EA+907j
		sub	eax, ecx
		jmp	loc_694AF8
; 

loc_694A73:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	eax, [ebp+arg_C] ; case	0x1C
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		lea	eax, [ebx-1]
		and	eax, 1
		mov	[ebp+var_14], ecx
		and	ebx, 1
		mov	[ebp+var_C], ecx
		mov	eax, [ebp+eax*4+var_14]
		xor	eax, [ebp+ebx*4+var_C]
		xor	eax, [ebp+arg_4]
		jmp	short loc_694AF8
; 

loc_694A9B:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	eax, [ebp+arg_C] ; case	0x1D
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, ebx
		and	eax, 3
		mov	[ebp+var_C], ecx
		mov	[ebp+var_14], ecx
		shr	ebx, 1
		movzx	ecx, word ptr [ebp+eax*2+var_14]
		mov	eax, [ebp+arg_4]
		sub	eax, ecx
		dec	ebx
		and	ebx, 1
		xor	eax, [ebp+ebx*4+var_C]
		jmp	short loc_694AF8
; 

loc_694AC8:				; CODE XREF: sub_6941EA+32j
					; DATA XREF: .text:off_694B0Ao
		mov	ecx, [ebp+arg_8] ; case	0x1E
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		mov	ecx, ebx
		shr	ecx, 1
		dec	ecx
		mov	[ebp+var_8], eax
		and	ecx, 1
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_4]
		sub	eax, [ebp+ecx*4+var_14]
		and	ebx, 3
		movzx	ecx, word ptr [ebp+ebx*2+var_C]
		jmp	loc_694A6C
; 

loc_694AF6:				; CODE XREF: sub_6941EA+2Cj
		xor	eax, eax	; default

loc_694AF8:				; CODE XREF: sub_6941EA+8Aj
					; sub_6941EA+E3j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
sub_6941EA	endp

; 
		align 2
off_694B0A	dd offset loc_694223	; DATA XREF: sub_6941EA+32r
		dd offset loc_694279	; jump table for switch	statement
		dd offset loc_6942D2
		dd offset loc_694324
		dd offset loc_694377
		dd offset loc_6943CA
		dd offset loc_69441D
		dd offset loc_694477
		dd offset loc_6944C4
		dd offset loc_694520
		dd offset loc_694586
		dd offset loc_6945EC
		dd offset loc_694652
		dd offset loc_694692
		dd offset loc_6946D2
		dd offset loc_694712
		dd offset loc_694752
		dd offset loc_694792
		dd offset loc_6947D2
		dd offset loc_694812
		dd offset loc_694852
		dd offset loc_694892
		dd offset loc_6948D2
		dd offset loc_694912
		dd offset loc_694952
		dd offset loc_6949A7
		dd offset loc_6949F4
		dd offset loc_694A44
		dd offset loc_694A73
		dd offset loc_694A9B
		dd offset loc_694AC8

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	sub_694B86(void	*,void *,int,int,int,int,int)
sub_694B86	proc near		; CODE XREF: sub_A1AC58:loc_A1ACBAp
					; DATA XREF: .text:loc_404E8Ao

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+38h+var_2C], edi
		test	eax, eax
		jz	loc_694E69
		mov	edx, [ebp+arg_14]
		xor	ecx, ecx
		mov	[esp+38h+var_20], ecx
		mov	ebx, eax
		mov	ecx, edx
		xor	esi, esi
		and	ebx, 7
		not	ecx
		mov	[esp+38h+var_1C], ebx
		mov	[esp+38h+var_28], ecx
		jz	loc_694D11
		push	[ebp+arg_10]
		mov	ecx, edi
		push	[ebp+arg_C]
		push	edx
		push	9
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	esi, eax
		mov	ecx, edi
		push	[ebp+arg_C]
		xor	esi, [esp+40h+var_28]
		push	esi
		push	8
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_2C]
		mov	edi, eax
		push	[ebp+arg_C]
		xor	edi, [ebp+arg_14]
		push	edi
		push	7
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_2C]
		mov	ebx, eax
		push	[ebp+arg_C]
		xor	ebx, esi
		push	ebx
		push	6
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_2C]
		mov	esi, eax
		push	[ebp+arg_C]
		xor	esi, edi
		push	esi
		push	5
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_2C]
		mov	edi, eax
		push	[ebp+arg_C]
		xor	edi, ebx
		push	edi
		push	4
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_2C]
		mov	ebx, eax
		push	[ebp+arg_C]
		xor	ebx, esi
		push	ebx
		push	3
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_2C]
		xor	eax, edi
		push	[ebp+arg_C]
		mov	edi, eax
		mov	[esp+40h+var_18], eax
		push	edi
		push	2
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_2C]
		mov	esi, eax
		push	[ebp+arg_C]
		xor	esi, ebx
		push	esi
		push	1
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_2C]
		xor	edi, eax
		push	[ebp+arg_C]
		push	edi
		push	0
		call	sub_6941EA
		and	[esp+38h+var_10], 0
		xor	esi, eax
		and	[esp+38h+var_C], 0
		mov	ebx, [esp+38h+var_1C]
		lea	eax, [esp+38h+var_10]
		push	ebx		; size_t
		push	[ebp+arg_0]	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [esp+44h+var_10]
		xor	edi, eax
		mov	[esp+44h+var_28], eax
		mov	eax, [esp+44h+var_C]
		xor	esi, eax
		mov	[ebp+arg_14], eax
		push	8
		pop	eax
		sub	eax, ebx
		mov	[esp+44h+var_8], edi
		push	eax		; size_t
		lea	eax, [esp+48h+var_8]
		mov	[esp+48h+var_4], esi
		add	eax, ebx
		push	0		; int
		push	eax		; void *
		call	_memset
		push	ebx		; size_t
		lea	eax, [esp+54h+var_8]
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		mov	ecx, [esp+5Ch+var_8]
		add	esp, 24h
		mov	esi, [esp+38h+var_4]
		mov	eax, [ebp+arg_8]
		mov	edi, [esp+38h+var_2C]
		mov	[esp+38h+var_20], ecx

loc_694D11:				; CODE XREF: sub_694B86+3Bj
		mov	edx, [ebp+arg_4]
		mov	ecx, eax
		shr	ecx, 3
		add	edx, ebx
		mov	[esp+38h+var_1C], edx
		mov	[esp+38h+var_18], ecx
		test	ecx, ecx
		jz	loc_694E5D
		mov	eax, [ebp+arg_0]
		sub	ebx, edx
		add	eax, ebx
		mov	[esp+38h+var_8], eax

loc_694D36:				; CODE XREF: sub_694B86+2CEj
		push	[ebp+arg_10]
		mov	ebx, [eax+edx]
		mov	ecx, edi
		mov	eax, [eax+edx+4]
		xor	esi, eax
		push	[ebp+arg_C]
		mov	[esp+40h+var_14], ebx
		push	esi
		push	9
		mov	[esp+48h+var_10], eax
		mov	[esp+48h+var_24], esi
		call	sub_6941EA
		push	[ebp+arg_10]
		xor	eax, ebx
		mov	ecx, edi
		push	[ebp+arg_C]
		mov	ebx, [esp+40h+var_20]
		xor	ebx, eax
		push	ebx
		push	8
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	esi, eax
		mov	ecx, edi
		push	[ebp+arg_C]
		xor	esi, [esp+40h+var_24]
		push	esi
		push	7
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_2C]
		mov	edi, eax
		push	[ebp+arg_C]
		xor	edi, ebx
		push	edi
		push	6
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_2C]
		mov	ebx, eax
		push	[ebp+arg_C]
		xor	ebx, esi
		push	ebx
		push	5
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	esi, eax
		push	[ebp+arg_C]
		xor	esi, edi
		mov	edi, [esp+40h+var_2C]
		push	esi
		push	4
		mov	ecx, edi
		call	sub_6941EA
		push	[ebp+arg_10]
		xor	eax, ebx
		mov	ecx, edi
		push	[ebp+arg_C]
		mov	[esp+40h+var_24], eax
		push	eax
		push	3
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ebx, eax
		mov	ecx, edi
		push	[ebp+arg_C]
		xor	ebx, esi
		push	ebx
		push	2
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	esi, [esp+3Ch+var_24]
		mov	ecx, edi
		push	[ebp+arg_C]
		xor	esi, eax
		push	esi
		push	1
		call	sub_6941EA
		push	[ebp+arg_10]
		xor	ebx, eax
		push	[ebp+arg_C]
		push	ebx
		push	0
		mov	ecx, edi
		call	sub_6941EA
		mov	edx, [esp+38h+var_1C]
		xor	esi, eax
		xor	ebx, [esp+38h+var_28]
		xor	esi, [ebp+arg_14]
		mov	eax, [esp+38h+var_14]
		mov	[esp+38h+var_28], eax
		mov	eax, [esp+38h+var_10]
		mov	[edx], ebx
		mov	[edx+4], esi
		add	edx, 8
		sub	[esp+38h+var_18], 1
		mov	[ebp+arg_14], eax
		mov	eax, [esp+38h+var_8]
		mov	[esp+38h+var_20], ebx
		mov	[esp+38h+var_1C], edx
		jnz	loc_694D36
		mov	eax, [ebp+arg_8]

loc_694E5D:				; CODE XREF: sub_694B86+19Fj
		mov	ecx, [ebp+arg_4]
		mov	cl, [ecx+eax-1]
		mov	eax, [ebp+arg_18]
		mov	[eax], cl

loc_694E69:				; CODE XREF: sub_694B86+19j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
sub_694B86	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	sub_694E72(void	*,void *,int,int,int,int,int)
sub_694E72	proc near		; CODE XREF: sub_A1AC58+5Bp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, [ebp+arg_8]
		mov	[esp+38h+var_28], edi
		test	ecx, ecx
		jz	loc_69514E
		mov	eax, [ebp+arg_0]
		mov	ebx, ecx
		mov	esi, [ebp+arg_14]
		and	ebx, 7
		mov	[esp+38h+var_1C], ebx
		mov	dl, [eax+ecx-1]
		mov	eax, [ebp+arg_18]
		mov	[eax], dl
		mov	edx, esi
		not	edx
		mov	[esp+38h+var_24], edx
		jnz	short loc_694EC2
		and	[esp+38h+var_20], 0
		and	[esp+38h+var_1C], 0
		jmp	loc_695008
; 

loc_694EC2:				; CODE XREF: sub_694E72+3Fj
		push	[ebp+arg_10]
		mov	ecx, edi
		push	[ebp+arg_C]
		push	esi
		push	9
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	esi, eax
		mov	ecx, edi
		push	[ebp+arg_C]
		xor	esi, [esp+40h+var_24]
		push	esi
		push	8
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_28]
		mov	edi, eax
		push	[ebp+arg_C]
		xor	edi, [ebp+arg_14]
		push	edi
		push	7
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_28]
		mov	ebx, eax
		push	[ebp+arg_C]
		xor	ebx, esi
		push	ebx
		push	6
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_28]
		mov	esi, eax
		push	[ebp+arg_C]
		xor	esi, edi
		push	esi
		push	5
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_28]
		mov	edi, eax
		push	[ebp+arg_C]
		xor	edi, ebx
		push	edi
		push	4
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_28]
		mov	ebx, eax
		push	[ebp+arg_C]
		xor	ebx, esi
		push	ebx
		push	3
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_28]
		xor	eax, edi
		push	[ebp+arg_C]
		mov	edi, eax
		mov	[esp+40h+var_18], eax
		push	edi
		push	2
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_28]
		mov	esi, eax
		push	[ebp+arg_C]
		xor	esi, ebx
		push	esi
		push	1
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_28]
		xor	edi, eax
		push	[ebp+arg_C]
		xor	ebx, ebx
		push	edi
		push	ebx
		call	sub_6941EA
		xor	esi, eax
		mov	[esp+38h+var_10], ebx
		mov	[esp+38h+var_C], ebx
		lea	eax, [esp+38h+var_10]
		mov	ebx, [esp+38h+var_1C]
		push	ebx		; size_t
		push	[ebp+arg_0]	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [esp+44h+var_10]
		xor	edi, eax
		mov	[esp+44h+var_20], eax
		mov	eax, [esp+44h+var_C]
		xor	esi, eax
		mov	[esp+44h+var_1C], eax
		push	8
		pop	eax
		sub	eax, ebx
		mov	[esp+44h+var_8], edi
		push	eax		; size_t
		lea	eax, [esp+48h+var_8]
		mov	[esp+48h+var_4], esi
		add	eax, ebx
		push	0		; int
		push	eax		; void *
		call	_memset
		push	ebx		; size_t
		lea	eax, [esp+54h+var_8]
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		mov	esi, [esp+5Ch+var_4]
		add	esp, 24h
		mov	edx, [esp+38h+var_8]
		mov	ecx, [ebp+arg_8]
		mov	edi, [esp+38h+var_28]

loc_695008:				; CODE XREF: sub_694E72+4Bj
		mov	eax, [ebp+arg_4]
		shr	ecx, 3
		add	eax, ebx
		mov	[esp+38h+var_18], eax
		mov	[ebp+arg_8], ecx
		test	ecx, ecx
		jz	loc_69514E
		mov	ecx, eax
		sub	ebx, ecx
		add	ebx, [ebp+arg_0]
		mov	[esp+38h+var_8], ebx

loc_69502A:				; CODE XREF: sub_694E72+2D6j
		push	[ebp+arg_10]
		mov	eax, [ebx+ecx]
		xor	edx, eax
		push	[ebp+arg_C]
		mov	ebx, [ebx+ecx+4]
		mov	ecx, edi
		push	edx
		push	0
		mov	[esp+48h+var_14], eax
		mov	[esp+48h+var_10], ebx
		mov	[esp+48h+var_24], edx
		call	sub_6941EA
		push	[ebp+arg_10]
		xor	eax, ebx
		mov	ecx, edi
		push	[ebp+arg_C]
		xor	esi, eax
		push	esi
		push	1
		mov	[ebp+arg_14], esi
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	esi, eax
		mov	ecx, edi
		push	[ebp+arg_C]
		xor	esi, [esp+40h+var_24]
		push	esi
		push	2
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_28]
		mov	edi, eax
		push	[ebp+arg_C]
		xor	edi, [ebp+arg_14]
		push	edi
		push	3
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_28]
		mov	ebx, eax
		push	[ebp+arg_C]
		xor	ebx, esi
		push	ebx
		push	4
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	ecx, [esp+3Ch+var_28]
		mov	esi, eax
		push	[ebp+arg_C]
		xor	esi, edi
		push	esi
		push	5
		call	sub_6941EA
		push	[ebp+arg_10]
		mov	edi, eax
		push	[ebp+arg_C]
		xor	edi, ebx
		mov	ebx, [esp+40h+var_28]
		push	edi
		push	6
		mov	ecx, ebx
		call	sub_6941EA
		push	[ebp+arg_10]
		xor	eax, esi
		mov	ecx, ebx
		push	[ebp+arg_C]
		mov	esi, eax
		mov	[ebp+arg_14], eax
		push	esi
		push	7
		call	sub_6941EA
		push	[ebp+arg_10]
		xor	edi, eax
		mov	ecx, ebx
		push	[ebp+arg_C]
		push	edi
		push	8
		call	sub_6941EA
		push	[ebp+arg_10]
		xor	esi, eax
		push	[ebp+arg_C]
		push	esi
		push	9
		mov	ecx, ebx
		call	sub_6941EA
		mov	ecx, [esp+38h+var_18]
		mov	edx, eax
		xor	esi, [esp+38h+var_1C]
		xor	edx, edi
		xor	edx, [esp+38h+var_20]
		mov	edi, ebx
		mov	eax, [esp+38h+var_14]
		mov	ebx, [esp+38h+var_8]
		mov	[ecx], edx
		mov	[ecx+4], esi
		add	ecx, 8
		sub	[ebp+arg_8], 1
		mov	[esp+38h+var_20], eax
		mov	eax, [esp+38h+var_10]
		mov	[esp+38h+var_1C], eax
		mov	[esp+38h+var_18], ecx
		jnz	loc_69502A

loc_69514E:				; CODE XREF: sub_694E72+19j
					; sub_694E72+1A7j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
sub_694E72	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; long __stdcall RtlULongAdd(unsigned long, unsigned long, unsigned long *)
?RtlULongAdd@@YGJKKPAK@Z proc near	; CODE XREF: sub_A1C264+76p
					; sub_A1CAF1+38p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		lea	eax, [ecx+edx]
		cmp	eax, ecx
		jb	short loc_695167
		mov	edx, eax
		jmp	short loc_69516A
; 

loc_695167:				; CODE XREF: RtlULongAdd(ulong,ulong,ulong *)+Aj
		or	edx, 0FFFFFFFFh

loc_69516A:				; CODE XREF: RtlULongAdd(ulong,ulong,ulong *)+Ej
		cmp	eax, ecx
		mov	ecx, [ebp+arg_0]
		sbb	eax, eax
		and	eax, 0C0000095h
		mov	[ecx], edx
		pop	ebp
		retn	4
?RtlULongAdd@@YGJKKPAK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; long __stdcall RtlULongMult(unsigned long, unsigned long, unsigned long *)
?RtlULongMult@@YGJKKPAK@Z proc near	; CODE XREF: sub_A1CAF1+26p
					; sub_A1CAF1+4Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ecx
		mul	edx
		push	esi
		xor	esi, esi
		cmp	edx, esi
		ja	short loc_695193
		jb	short loc_69519B
		cmp	eax, 0FFFFFFFFh
		jbe	short loc_69519B

loc_695193:				; CODE XREF: RtlULongMult(ulong,ulong,ulong *)+Ej
		mov	esi, 0C0000095h
		or	eax, 0FFFFFFFFh

loc_69519B:				; CODE XREF: RtlULongMult(ulong,ulong,ulong *)+10j
					; RtlULongMult(ulong,ulong,ulong *)+15j
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
?RtlULongMult@@YGJKKPAK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_6951A7	proc near		; CODE XREF: sub_695200+42p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	edx, ecx
		mov	ebx, 0FFFFFFFh

loc_6951B9:				; CODE XREF: sub_6951A7+3Aj
					; sub_6951A7+46j ...
		mov	esi, [edx+10h]
		cmp	esi, [edx]
		jnb	short loc_6951F9
		mov	eax, [edx+4]
		mov	eax, [eax+esi*4]
		mov	ecx, eax
		and	ecx, ebx
		cmp	ecx, [edx+0Ch]
		jnb	short loc_6951F9
		lea	ecx, [esi+1]
		mov	[edx+10h], ecx
		mov	ecx, eax
		and	ecx, ebx
		add	ecx, [edx+14h]
		cmp	eax, 10000000h
		jb	short loc_6951B9
		and	eax, 0F0000000h
		cmp	eax, 30000000h
		jnz	short loc_6951B9
		mov	eax, [ecx]
		add	eax, [ebp+arg_4]
		mov	[ecx+edi], eax
		jmp	short loc_6951B9
; 

loc_6951F9:				; CODE XREF: sub_6951A7+17j
					; sub_6951A7+26j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
sub_6951A7	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_695200	proc near		; CODE XREF: sub_A1BBB6+B2p
					; sub_A1BBB6+11Cp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+arg_0]
		and	[ebp+var_14], 0
		push	esi
		mov	esi, [ebp+arg_8]
		sub	esi, eax
		mov	[ebp+var_18], ecx
		push	esi
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_1C], edx
		mov	[ebp+var_8], eax
		call	sub_69524E
		mov	ecx, [ebp+arg_10]
		push	[ebp+arg_4]
		mov	[ebp+var_14], eax
		add	ecx, esi
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_C]
		sub	eax, [ebp+arg_8]
		mov	[ebp+var_10], ecx
		lea	ecx, [ebp+var_1C]
		push	eax
		call	sub_6951A7
		xor	eax, eax
		pop	esi
		leave
		retn	14h
sub_695200	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_69524E	proc near		; CODE XREF: sub_695200+22p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ecx]
		push	edi
		xor	edi, edi
		sub	esi, 1
		js	short loc_695286
		mov	ebx, [ecx+4]

loc_695262:				; CODE XREF: sub_69524E+36j
		lea	eax, [esi+edi]
		cdq
		sub	eax, edx
		sar	eax, 1
		mov	ecx, [ebx+eax*4]
		and	ecx, 0FFFFFFFh
		cmp	[ebp+arg_0], ecx
		jnb	short loc_69527D
		lea	esi, [eax-1]
		jmp	short loc_695282
; 

loc_69527D:				; CODE XREF: sub_69524E+28j
		jbe	short loc_695288
		lea	edi, [eax+1]

loc_695282:				; CODE XREF: sub_69524E+2Dj
		cmp	esi, edi
		jge	short loc_695262

loc_695286:				; CODE XREF: sub_69524E+Fj
		mov	eax, edi

loc_695288:				; CODE XREF: sub_69524E:loc_69527Dj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
sub_69524E	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpGetPathAppPatchPreRS3(x, x, x, x)
_SdbpGetPathAppPatchPreRS3@16 proc near	; DATA XREF: .text:00404EACo
					; .text:00404EBCo ...

var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 234h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_4], 0Bh
		push	ebx
		push	esi
		push	edi
		mov	eax, [ebp+arg_0]
		lea	edi, [ebp+var_1C]
		push	5
		mov	ebx, [ebp+arg_8]
		mov	esi, offset ??_C@_1BG@OGGJFFOD@?$AAA?$AAp?$AAp?$AAP?$AAa?$AAt?$AAc?$AAh?$AA6?$AA4@FNODOBFM@
		pop	ecx
		rep movsd
		mov	[ebp+var_234], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_230], eax
		movsw
		jnb	short loc_6952DB
		mov	eax, 0C0000023h
		jmp	loc_6953C1
; 

loc_6952DB:				; CODE XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+40j
		xor	ecx, ecx
		lea	edx, [ebp+var_228]
		mov	word ptr [ebp+var_224],	cx
		mov	ecx, 0FFFFh
		mov	[ebp+var_22C], ecx
		mov	[ebp+var_228], ecx
		lea	ecx, [ebp+var_22C]
		push	eax
		call	_SdbpGetProcessHostGuestArchitectures@12 ; SdbpGetProcessHostGuestArchitectures(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_69532C
		push	esi
		push	offset ??_C@_0DB@LPCMCBIC@SdbpGetProcessHostGuestArchitec@FNODOBFM@
		push	3E0h

loc_695318:				; CODE XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+DCj
					; SdbpGetPathAppPatchPreRS3(x,x,x,x)+10Ej
		push	offset ??_C@_0BK@CIBBJEAE@SdbpGetPathAppPatchPreRS3@FNODOBFM@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_6953BF
; 

loc_69532C:				; CODE XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+7Cj
		cmp	word ptr [ebp+var_228],	9
		jz	short loc_69536D
		cmp	word ptr [ebp+var_228],	0Ch
		jz	short loc_69536D
		test	ebx, ebx
		jnz	short loc_695349
		mov	ebx, offset ??_C@_11LOCGONAA@@FNODOBFM@

loc_695349:				; CODE XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+B3j
		push	ebx
		mov	edx, 104h
		lea	ecx, [ebp+var_224]
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		jns	short loc_6953A2
		push	esi
		push	offset ??_C@_0CP@DHCDBBNC@RtlStringCchCopyW?5failed?5to?5cop@FNODOBFM@
		push	3F2h
		jmp	short loc_695318
; 

loc_69536D:				; CODE XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+A5j
					; SdbpGetPathAppPatchPreRS3(x,x,x,x)+AFj
		test	ebx, ebx
		jnz	short loc_695376
		mov	ebx, offset ??_C@_11LOCGONAA@@FNODOBFM@

loc_695376:				; CODE XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+E0j
		push	104h
		lea	eax, [ebp+var_224]
		mov	edx, ebx
		push	eax
		lea	ecx, [ebp+var_1C]
		call	_AslPathCombine@16 ; AslPathCombine(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_6953A2
		push	esi
		push	offset ??_C@_0BL@IPDIPDIN@AslPathCombine?5failed?5?$FL?$CFx?$FN@FNODOBFM@
		push	3ECh
		jmp	loc_695318
; 

loc_6953A2:				; CODE XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+CFj
					; SdbpGetPathAppPatchPreRS3(x,x,x,x)+101j
		push	[ebp+var_230]
		lea	eax, [ebp+var_224]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+var_234]
		call	_SdbpGetPathAppPatch@16	; SdbpGetPathAppPatch(x,x,x,x)
		mov	esi, eax

loc_6953BF:				; CODE XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+98j
		mov	eax, esi

loc_6953C1:				; CODE XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+47j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_SdbpGetPathAppPatchPreRS3@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpGetPathCustomSdbPreRS3(x, x, x,	x)
_SdbpGetPathCustomSdbPreRS3@16 proc near ; DATA	XREF: .text:00404F0Co

var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_34		= dword	ptr -34h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_4], 7
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_C]
		push	ebx
		push	esi
		mov	ebx, [ebp+arg_8]
		mov	esi, offset ??_C@_1O@KKPPJBFG@?$AAC?$AAu?$AAs?$AAt?$AAo?$AAm@FNODOBFM@
		push	edi
		lea	edi, [ebp+var_14]
		mov	[ebp+var_24C], eax
		push	8
		movsd
		pop	ecx
		mov	[ebp+var_248], edx
		movsd
		movsd
		movsw
		mov	esi, offset ??_C@_1CA@JIADDLNO@?$AAC?$AAu?$AAs?$AAt?$AAo?$AAm?$AA?2?$AAC?$AAu?$AAs?$AAt?$AAo?$AAm?$AA6?$AA4@FNODOBFM@
		lea	edi, [ebp+var_34]
		rep movsd
		jnb	short loc_695429
		mov	eax, 0C0000023h
		jmp	loc_6954E4
; 

loc_695429:				; CODE XREF: SdbpGetPathCustomSdbPreRS3(x,x,x,x)+4Bj
		xor	ecx, ecx
		lea	edi, [ebp+var_14]
		mov	[eax], cx
		mov	eax, 0FFFFh
		mov	word ptr [ebp+var_23C],	cx
		lea	ecx, [ebp+var_244]
		push	edx
		lea	edx, [ebp+var_240]
		mov	[ebp+var_244], eax
		mov	[ebp+var_240], eax
		call	_SdbpGetProcessHostGuestArchitectures@12 ; SdbpGetProcessHostGuestArchitectures(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_69547D
		push	esi
		push	offset ??_C@_0DB@LPCMCBIC@SdbpGetProcessHostGuestArchitec@FNODOBFM@
		push	47Bh

loc_69546C:				; CODE XREF: SdbpGetPathCustomSdbPreRS3(x,x,x,x)+F1j
		push	offset ??_C@_0BL@JIJBPBNE@SdbpGetPathCustomSdbPreRS3@FNODOBFM@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_6954E2
; 

loc_69547D:				; CODE XREF: SdbpGetPathCustomSdbPreRS3(x,x,x,x)+8Dj
		cmp	word ptr [ebp+var_240],	9
		jz	short loc_695491
		cmp	word ptr [ebp+var_240],	0Ch
		jnz	short loc_695494

loc_695491:				; CODE XREF: SdbpGetPathCustomSdbPreRS3(x,x,x,x)+B3j
		lea	edi, [ebp+var_34]

loc_695494:				; CODE XREF: SdbpGetPathCustomSdbPreRS3(x,x,x,x)+BDj
		test	ebx, ebx
		jnz	short loc_69549D
		mov	ebx, offset ??_C@_11LOCGONAA@@FNODOBFM@

loc_69549D:				; CODE XREF: SdbpGetPathCustomSdbPreRS3(x,x,x,x)+C4j
		push	104h
		lea	eax, [ebp+var_23C]
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	_AslPathCombine@16 ; AslPathCombine(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_6954C5
		push	esi
		push	offset ??_C@_0BL@IPDIPDIN@AslPathCombine?5failed?5?$FL?$CFx?$FN@FNODOBFM@
		push	489h
		jmp	short loc_69546C
; 

loc_6954C5:				; CODE XREF: SdbpGetPathCustomSdbPreRS3(x,x,x,x)+E4j
		push	[ebp+var_248]
		lea	eax, [ebp+var_23C]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+var_24C]
		call	_SdbpGetPathAppPatch@16	; SdbpGetPathAppPatch(x,x,x,x)
		mov	esi, eax

loc_6954E2:				; CODE XREF: SdbpGetPathCustomSdbPreRS3(x,x,x,x)+A9j
		mov	eax, esi

loc_6954E4:				; CODE XREF: SdbpGetPathCustomSdbPreRS3(x,x,x,x)+52j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_SdbpGetPathCustomSdbPreRS3@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFileMapMapView(x, x)
_RtlFileMapMapView@8 proc near		; CODE XREF: AslFileMappingEnsure(x)+40p
					; AslFileMappingEnsureMappedAs(x,x)+2Fp ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_21], dl
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_50]
		and	[ebp+var_38], eax
		and	[ebp+var_34], eax
		pop	ecx
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_20]
		rep stosd
		xor	edi, edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_30], edi
		cmp	[ebx+10h], edi
		jz	short loc_695541
		mov	esi, 0C000010Eh
		jmp	loc_695601
; 

loc_695541:				; CODE XREF: RtlFileMapMapView(x,x)+40j
		push	5
		push	18h
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		push	dword ptr [ebx]
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6955E5
		push	dword ptr [ebx]
		xor	eax, eax
		mov	[ebp+var_50], 18h
		cmp	[ebp+var_21], al
		mov	[ebp+var_4C], edi
		setnz	al
		mov	[ebp+var_44], 200h
		dec	eax
		mov	[ebp+var_48], edi
		and	eax, 0F7000000h
		mov	[ebp+var_40], edi
		add	eax, 11000000h
		mov	[ebp+var_3C], edi
		push	eax
		push	2
		push	edi
		lea	eax, [ebp+var_50]
		push	eax
		push	0F0005h
		lea	eax, [ebp+var_28]
		push	eax
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_6955E5
		push	2
		push	offset loc_500000
		push	2
		lea	eax, [ebp+var_30]
		push	eax
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_2C]
		push	eax
		push	0FFFFFFFFh
		push	[ebp+var_28]
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_6955E5
		push	2
		push	[ebp+var_30]
		push	[ebp+var_2C]
		call	_MmSecureVirtualMemory@12 ; MmSecureVirtualMemory(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_695612
		mov	esi, 0C0000001h

loc_6955E5:				; CODE XREF: RtlFileMapMapView(x,x)+63j
					; RtlFileMapMapView(x,x)+B2j ...
		cmp	[ebp+var_28], edi
		jz	short loc_6955F2
		push	[ebp+var_28]
		call	_ZwClose@4	; ZwClose(x)

loc_6955F2:				; CODE XREF: RtlFileMapMapView(x,x)+F3j
		cmp	[ebp+var_2C], edi
		jz	short loc_695601
		push	[ebp+var_2C]
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)

loc_695601:				; CODE XREF: RtlFileMapMapView(x,x)+47j
					; RtlFileMapMapView(x,x)+100j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_695612:				; CODE XREF: RtlFileMapMapView(x,x)+E9j
		mov	eax, [ebp+var_28]
		mov	esi, edi
		mov	[ebx+4], eax
		mov	eax, [ebp+var_2C]
		mov	[ebx+10h], eax
		mov	eax, [ebp+var_30]
		mov	[ebx+14h], eax
		mov	eax, [ebp+var_18]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_14]
		mov	[ebx+0Ch], eax
		mov	al, [ebp+var_21]
		mov	word ptr [ebx+1Dh], 101h
		mov	[ebx+1Fh], al
		mov	[ebx+18h], ecx
		jmp	short loc_695601
_RtlFileMapMapView@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringCbCatNW(x,	x, x, x)
_RtlStringCbCatNW@16 proc near		; CODE XREF: AslPathWildcardFindNext(x,x,x)+6E3p
					; AslPathWildcardFindNext(x,x,x)+709p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		mov	esi, ecx
		call	sub_6956DA
		test	eax, eax
		js	short loc_695687
		mov	eax, [ebp+arg_4]
		shr	eax, 1
		cmp	eax, 7FFFFFFEh
		jbe	short loc_695670
		mov	eax, 0C000000Dh
		jmp	short loc_695687
; 

loc_695670:				; CODE XREF: RtlStringCbCatNW(x,x,x,x)+24j
		push	eax
		mov	eax, [ebp+var_4]
		mov	edx, 104h
		push	[ebp+arg_0]
		sub	edx, eax
		push	ecx
		lea	ecx, [esi+eax*2]
		call	sub_69568C

loc_695687:				; CODE XREF: RtlStringCbCatNW(x,x,x,x)+18j
					; RtlStringCbCatNW(x,x,x,x)+2Bj
		pop	esi
		leave
		retn	8
_RtlStringCbCatNW@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_69568C	proc near		; CODE XREF: RtlStringCbCatNW(x,x,x,x)+3Fp

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	edx, edx
		jz	short loc_6956BE
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		sub	eax, ecx
		push	edi

loc_69569F:				; CODE XREF: sub_69568C+2Aj
		test	esi, esi
		jz	short loc_6956B8
		movzx	edi, word ptr [eax+ecx]
		test	di, di
		jz	short loc_6956B8
		mov	[ecx], di
		add	ecx, 2
		dec	esi
		sub	edx, 1
		jnz	short loc_69569F

loc_6956B8:				; CODE XREF: sub_69568C+15j
					; sub_69568C+1Ej
		pop	edi
		pop	esi
		test	edx, edx
		jnz	short loc_6956C1

loc_6956BE:				; CODE XREF: sub_69568C+7j
		sub	ecx, 2

loc_6956C1:				; CODE XREF: sub_69568C+30j
		neg	edx
		sbb	edx, edx
		and	edx, 7FFFFFFBh
		xor	eax, eax
		mov	[ecx], ax
		lea	eax, [edx-7FFFFFFBh]
		pop	ebp
		retn	0Ch
sub_69568C	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_6956DA	proc near		; CODE XREF: RtlStringCbCatNW(x,x,x,x)+11p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, 104h
		push	edi
		mov	edx, esi
		xor	edi, edi

loc_6956EB:				; CODE XREF: sub_6956DA+1Cj
		cmp	[ecx], di
		jz	short loc_6956F8
		add	ecx, 2
		sub	edx, 1
		jnz	short loc_6956EB

loc_6956F8:				; CODE XREF: sub_6956DA+14j
		mov	ecx, [ebp+arg_0]
		mov	eax, edx
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFF3h
		add	eax, 0C000000Dh
		test	ecx, ecx
		jz	short loc_69571B
		test	edx, edx
		jz	short loc_695719
		sub	esi, edx
		mov	[ecx], esi
		jmp	short loc_69571B
; 

loc_695719:				; CODE XREF: sub_6956DA+37j
		mov	[ecx], edi

loc_69571B:				; CODE XREF: sub_6956DA+33j
					; sub_6956DA+3Dj
		pop	edi
		pop	esi
		leave
		retn	4
sub_6956DA	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUnicodeStringCbCatStringN(x, x, x)
_RtlUnicodeStringCbCatStringN@12 proc near
					; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+140p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	ecx
		mov	[ebp+var_8], edx
		mov	esi, ecx
		xor	edi, edi
		xor	ebx, ebx
		call	sub_65D066
		test	eax, eax
		js	short loc_695756
		test	esi, esi
		jz	short loc_695756
		movzx	edi, word ptr [esi+2]
		movzx	ebx, word ptr [esi]
		mov	ecx, [esi+4]
		shr	edi, 1
		shr	ebx, 1
		jmp	short loc_695759
; 

loc_695756:				; CODE XREF: RtlUnicodeStringCbCatStringN(x,x,x)+1Fj
					; RtlUnicodeStringCbCatStringN(x,x,x)+23j
		mov	ecx, [ebp+var_4]

loc_695759:				; CODE XREF: RtlUnicodeStringCbCatStringN(x,x,x)+33j
		test	eax, eax
		js	short loc_695792
		mov	eax, [ebp+arg_0]
		shr	eax, 1
		cmp	eax, 7FFFh
		jbe	short loc_695770
		mov	eax, 0C000000Dh
		jmp	short loc_695792
; 

loc_695770:				; CODE XREF: RtlUnicodeStringCbCatStringN(x,x,x)+46j
		and	[ebp+arg_0], 0
		lea	ecx, [ecx+ebx*2]
		push	eax
		push	[ebp+var_8]
		lea	eax, [ebp+arg_0]
		sub	edi, ebx
		push	eax
		mov	edx, edi
		call	sub_65D0A7
		mov	ecx, [ebp+arg_0]
		add	ecx, ebx
		add	ecx, ecx
		mov	[esi], cx

loc_695792:				; CODE XREF: RtlUnicodeStringCbCatStringN(x,x,x)+3Aj
					; RtlUnicodeStringCbCatStringN(x,x,x)+4Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_RtlUnicodeStringCbCatStringN@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileStringTokenize(x, x, x)
_AslpFileStringTokenize@12 proc	near	; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+14Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	loc_695854
		test	ecx, ecx
		jnz	short loc_6957BA
		mov	ecx, [esi]
		test	ecx, ecx
		jz	loc_695854

loc_6957BA:				; CODE XREF: AslpFileStringTokenize(x,x,x)+15j
		movzx	edx, word ptr [ecx]
		push	ebx
		push	edi
		test	dx, dx
		jz	short loc_6957F9

loc_6957C4:				; CODE XREF: AslpFileStringTokenize(x,x,x)+5Bj
		push	5Ch
		mov	ebx, offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		pop	edi

loc_6957CC:				; CODE XREF: AslpFileStringTokenize(x,x,x)+4Bj
		movzx	eax, di
		cmp	di, dx
		jz	short loc_6957E6
		add	ebx, 2
		movzx	eax, word ptr [ebx]
		mov	esi, eax
		mov	edi, eax
		mov	[ebp+var_4], esi
		test	ax, ax
		jnz	short loc_6957CC

loc_6957E6:				; CODE XREF: AslpFileStringTokenize(x,x,x)+39j
		test	ax, ax
		jz	short loc_6957F6
		add	ecx, 2
		movzx	edx, word ptr [ecx]
		test	dx, dx
		jnz	short loc_6957C4

loc_6957F6:				; CODE XREF: AslpFileStringTokenize(x,x,x)+50j
		mov	esi, [ebp+arg_0]

loc_6957F9:				; CODE XREF: AslpFileStringTokenize(x,x,x)+29j
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		jmp	short loc_69582E
; 

loc_695801:				; CODE XREF: AslpFileStringTokenize(x,x,x)+9Dj
		push	5Ch
		movzx	esi, dx
		mov	ebx, offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		pop	edx

loc_69580C:				; CODE XREF: AslpFileStringTokenize(x,x,x)+88j
		movzx	edi, dx
		cmp	dx, si
		jz	short loc_695823
		add	ebx, 2
		movzx	eax, word ptr [ebx]
		mov	edx, eax
		mov	edi, eax
		test	ax, ax
		jnz	short loc_69580C

loc_695823:				; CODE XREF: AslpFileStringTokenize(x,x,x)+79j
		mov	esi, [ebp+arg_0]
		test	di, di
		jnz	short loc_69583A
		add	ecx, 2

loc_69582E:				; CODE XREF: AslpFileStringTokenize(x,x,x)+66j
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		test	ax, ax
		jnz	short loc_695801
		jmp	short loc_695842
; 

loc_69583A:				; CODE XREF: AslpFileStringTokenize(x,x,x)+90j
		xor	edx, edx
		mov	[ecx], dx
		add	ecx, 2

loc_695842:				; CODE XREF: AslpFileStringTokenize(x,x,x)+9Fj
		mov	[esi], ecx
		sub	ecx, [ebp+var_4]
		neg	ecx
		pop	edi
		sbb	ecx, ecx
		and	ecx, [ebp+var_8]
		mov	eax, ecx
		pop	ebx
		jmp	short loc_695856
; 

loc_695854:				; CODE XREF: AslpFileStringTokenize(x,x,x)+Dj
					; AslpFileStringTokenize(x,x,x)+1Bj
		xor	eax, eax

loc_695856:				; CODE XREF: AslpFileStringTokenize(x,x,x)+B9j
		pop	esi
		leave
		retn	4
_AslpFileStringTokenize@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileVerBlockGetValueOffset(x, x, x)
_AslpFileVerBlockGetValueOffset@12 proc	near
					; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+B7p
					; AslpFileVerQueryBlock(x,x,x,x)+E6p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	edx, [ebp+arg_0]
		and	dword ptr [esi], 0
		lea	eax, [edx-8]
		cmp	eax, 7FF7h
		ja	short loc_6958B0
		lea	eax, [ebp+var_4]
		add	edx, 0FFFFFFFAh
		push	eax
		lea	ecx, [edi+6]
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		test	eax, eax
		js	short loc_6958B5
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_6958B5
		mov	eax, [ebp+var_4]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		mov	[esi], eax
		xor	eax, eax
		jmp	short loc_6958B5
; 

loc_6958B0:				; CODE XREF: AslpFileVerBlockGetValueOffset(x,x,x)+1Ej
		mov	eax, 0C000000Dh

loc_6958B5:				; CODE XREF: AslpFileVerBlockGetValueOffset(x,x,x)+31j
					; AslpFileVerBlockGetValueOffset(x,x,x)+44j ...
		pop	edi
		pop	esi
		leave
		retn	4
_AslpFileVerBlockGetValueOffset@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepAddSecurityAttributeToLists(x, x,	x, x)
_AuthzBasepAddSecurityAttributeToLists@16 proc near
					; CODE XREF: AuthzBasepDeleteAllSecurityAttributes(x)+1Ap

arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	esi
		jz	short loc_6958ED
		test	byte ptr [edx+20h], 2
		jnz	short loc_6958ED
		lea	esi, [ecx+10h]
		push	edi
		mov	edi, [esi+4]
		lea	eax, [edx+8]
		cmp	[edi], esi
		jnz	short loc_695903
		mov	[eax+4], edi
		mov	[eax], esi
		mov	[edi], eax
		mov	[esi+4], eax
		or	dword ptr [edx+20h], 2
		inc	dword ptr [ecx+0Ch]
		pop	edi

loc_6958ED:				; CODE XREF: AuthzBasepAddSecurityAttributeToLists(x,x,x,x)+Aj
					; AuthzBasepAddSecurityAttributeToLists(x,x,x,x)+10j
		cmp	[ebp+arg_0], 0
		jz	short loc_695918
		test	byte ptr [edx+20h], 1
		jnz	short loc_695918
		lea	eax, [ecx+4]
		mov	esi, [eax+4]
		cmp	[esi], eax
		jz	short loc_695908

loc_695903:				; CODE XREF: AuthzBasepAddSecurityAttributeToLists(x,x,x,x)+1Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_695908:				; CODE XREF: AuthzBasepAddSecurityAttributeToLists(x,x,x,x)+46j
		mov	[edx], eax
		mov	[edx+4], esi
		mov	[esi], edx
		mov	[eax+4], edx
		or	dword ptr [edx+20h], 1
		inc	dword ptr [ecx]

loc_695918:				; CODE XREF: AuthzBasepAddSecurityAttributeToLists(x,x,x,x)+36j
					; AuthzBasepAddSecurityAttributeToLists(x,x,x,x)+3Cj
		pop	esi
		pop	ebp
		retn	8
_AuthzBasepAddSecurityAttributeToLists@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepAddSecurityAttributeValueToLists(x, x, x,	x)
_AuthzBasepAddSecurityAttributeValueToLists@16 proc near ; CODE	XREF: .text:005ED2A5p
					; .text:005ED301p ...

arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	esi
		jz	short loc_69594F
		test	byte ptr [edx+10h], 2
		jnz	short loc_69594F
		lea	esi, [ecx+38h]
		push	edi
		mov	edi, [esi+4]
		lea	eax, [edx+8]
		cmp	[edi], esi
		jnz	short loc_695965
		mov	[eax+4], edi
		mov	[eax], esi
		mov	[edi], eax
		mov	[esi+4], eax
		or	dword ptr [edx+10h], 2
		inc	dword ptr [ecx+34h]
		pop	edi

loc_69594F:				; CODE XREF: AuthzBasepAddSecurityAttributeValueToLists(x,x,x,x)+Aj
					; AuthzBasepAddSecurityAttributeValueToLists(x,x,x,x)+10j
		cmp	[ebp+arg_0], 0
		jz	short loc_69597B
		test	byte ptr [edx+10h], 1
		jnz	short loc_69597B
		lea	eax, [ecx+2Ch]
		mov	esi, [eax+4]
		cmp	[esi], eax
		jz	short loc_69596A

loc_695965:				; CODE XREF: AuthzBasepAddSecurityAttributeValueToLists(x,x,x,x)+1Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_69596A:				; CODE XREF: AuthzBasepAddSecurityAttributeValueToLists(x,x,x,x)+46j
		mov	[edx], eax
		mov	[edx+4], esi
		mov	[esi], edx
		mov	[eax+4], edx
		or	dword ptr [edx+10h], 1
		inc	dword ptr [ecx+24h]

loc_69597B:				; CODE XREF: AuthzBasepAddSecurityAttributeValueToLists(x,x,x,x)+36j
					; AuthzBasepAddSecurityAttributeValueToLists(x,x,x,x)+3Cj
		pop	esi
		pop	ebp
		retn	8
_AuthzBasepAddSecurityAttributeValueToLists@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	AuthzBasepConvertRelativeToAbsoluteTokenAttribute(int,void *)
_AuthzBasepConvertRelativeToAbsoluteTokenAttribute@16 proc near
					; CODE XREF: AuthzBasepInitializeResourceClaimsFromSacl+EBD21p
					; AuthzBasepInitializeResourceClaimsFromSacl+EBD68p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_14], edx
		mov	eax, ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_24], ebx
		push	18h
		pop	ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], ecx
		test	eax, eax
		jz	loc_6960AD
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_6960AD
		cmp	[ebp+arg_4], ebx
		jz	loc_6960AD
		cmp	edx, 14h
		jnb	short loc_6959D8

loc_6959CE:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+60j
					; AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+66j ...
		mov	esi, 0C0000077h
		jmp	loc_6960B2
; 

loc_6959D8:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+4Cj
		mov	ecx, [eax+0Ch]
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		jz	short loc_6959CE
		mov	ecx, [eax]
		cmp	edx, ecx
		jb	short loc_6959CE
		push	4
		sub	edx, ecx
		pop	esi
		cmp	edx, esi
		jb	short loc_6959CE
		lea	esi, [ebp+var_18]
		add	ecx, eax
		push	esi
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	ecx, [ebp+var_18]
		lea	eax, [ebp+var_1C]
		push	eax
		push	2
		pop	eax
		mov	edx, eax
		mov	[ebp+var_2C], eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	ecx, [ebp+var_1C]
		lea	eax, [ebp+var_8]
		push	eax
		push	3
		pop	eax
		mov	edx, eax
		mov	[ebp+var_28], eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		push	eax
		push	18h
		and	edx, 0FFFFFFFCh
		pop	ecx
		mov	[ebp+var_8], edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_24]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	eax, [ebp+var_14]
		add	eax, 0FFFFFFF0h
		cmp	eax, [ebp+var_24]
		jb	loc_6959CE
		mov	esi, [ebp+var_C]
		push	8
		mov	[ebp+var_24], 5
		mov	[ebp+var_30], 6
		movzx	ecx, word ptr [esi+4]
		mov	eax, ecx
		pop	edx
		test	ax, ax
		jz	loc_695D30
		cmp	ax, word ptr [ebp+var_2C]
		jbe	loc_695CBE
		cmp	ax, word ptr [ebp+var_28]
		jz	loc_695BCE
		cmp	ax, word ptr [ebp+var_24]
		jz	short loc_695ADF
		cmp	ax, word ptr [ebp+var_30]
		jz	loc_695CBE
		push	10h
		pop	eax
		cmp	cx, ax
		jnz	loc_695D30

loc_695ADF:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+147j
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_8]
		mul	edx
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_10]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	[ebp+var_28], ebx
		cmp	[ebp+arg_0], ebx
		jbe	loc_695D2D
		mov	ecx, [ebp+var_C]
		lea	eax, [ecx+10h]
		mov	[ebp+var_2C], eax

loc_695B26:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+241j
		mov	esi, [eax]
		mov	eax, [ebp+var_14]
		mov	[ebp+var_24], esi
		cmp	eax, esi
		jb	loc_6959CE
		push	4
		sub	eax, esi
		pop	edx
		cmp	eax, edx
		jb	loc_6959CE
		mov	eax, [esi+ecx]
		mov	ecx, esi
		mov	[ebp+var_30], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	eax, [ebp+var_14]
		sub	eax, [ebp+var_24]
		mov	ecx, [ebp+var_30]
		cmp	eax, ecx
		jb	loc_6959CE
		lea	eax, [ebp+var_8]
		push	eax
		push	3
		pop	eax
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_10]
		and	edx, 0FFFFFFFCh
		push	eax
		mov	[ebp+var_8], edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	edx, [ebp+var_28]
		mov	eax, [ebp+var_2C]
		inc	edx
		push	4
		pop	ecx
		add	eax, ecx
		mov	[ebp+var_28], edx
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_2C], eax
		cmp	edx, [ebp+arg_0]
		jb	loc_695B26
		mov	esi, ecx
		jmp	loc_695D30
; 

loc_695BCE:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+13Dj
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_8]
		mul	edx
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_10]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	[ebp+var_2C], ebx
		cmp	[ebp+arg_0], ebx
		jbe	loc_695D2D
		mov	eax, [ebp+var_C]
		lea	ecx, [eax+10h]
		mov	[ebp+var_28], ecx

loc_695C15:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+334j
		mov	esi, [ecx]
		mov	ecx, [ebp+var_14]
		cmp	ecx, esi
		jb	loc_6959CE
		mov	edx, ecx
		push	2
		sub	edx, esi
		pop	ecx
		cmp	edx, ecx
		jb	loc_6959CE
		lea	ecx, [ebp+var_18]
		push	ecx
		lea	ecx, [esi+eax]
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	ecx, [ebp+var_18]
		lea	eax, [ebp+var_8]
		push	eax
		push	2
		pop	eax
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_8]
		push	eax
		push	3
		pop	eax
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_10]
		and	edx, 0FFFFFFFCh
		push	eax
		mov	[ebp+var_8], edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_28]
		inc	edx
		push	4
		pop	eax
		add	ecx, eax
		mov	[ebp+var_2C], edx
		mov	eax, [ebp+var_C]
		mov	[ebp+var_28], ecx
		cmp	edx, [ebp+arg_0]
		jb	loc_695C15
		mov	esi, eax
		jmp	short loc_695D30
; 

loc_695CBE:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+133j
					; AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+14Dj
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_8]
		mul	edx
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_10]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	ecx, [ebp+arg_0]
		mov	esi, [ebp+var_C]
		mov	[ebp+var_2C], ebx
		test	ecx, ecx
		jz	short loc_695D30
		lea	edx, [esi+10h]

loc_695D00:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+3A9j
		mov	eax, [edx]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_14]
		cmp	eax, [ebp+arg_0]
		jb	loc_6959CE
		sub	eax, [ebp+arg_0]
		cmp	eax, 8
		jb	loc_6959CE
		mov	eax, [ebp+var_2C]
		add	edx, 4
		inc	eax
		mov	[ebp+var_2C], eax
		cmp	eax, ecx
		jb	short loc_695D00
		jmp	short loc_695D30
; 

loc_695D2D:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+197j
					; AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+286j
		mov	esi, [ebp+var_C]

loc_695D30:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+129j
					; AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+159j ...
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_10]
		cmp	[ecx], eax
		mov	[ecx], eax
		jnb	short loc_695D46
		mov	esi, 0C0000023h
		jmp	loc_6960B2
; 

loc_695D46:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+3BAj
		push	eax		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	ax, [esi+4]
		add	esp, 0Ch
		mov	edx, [ebp+var_1C]
		mov	[edi+8], ax
		mov	ax, [esi+6]
		mov	[edi+0Ah], ax
		mov	eax, [esi+8]
		mov	[edi+0Ch], eax
		mov	eax, [esi+0Ch]
		mov	[edi+10h], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	18h
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	3
		pop	eax
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	ecx, [ebp+var_C]
		push	[ebp+var_1C]	; size_t
		mov	esi, [ebp+var_4]
		and	esi, 0FFFFFFFCh
		mov	eax, [ecx]
		add	eax, ecx
		mov	[ebp+var_4], esi
		push	eax		; void *
		lea	eax, [edi+18h]
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_1C]
		lea	eax, [edi+18h]
		mov	[edi+4], eax
		add	esp, 0Ch
		mov	[edi+2], cx
		lea	eax, [ecx-2]
		movzx	ecx, word ptr [edi+8]
		mov	[edi], ax
		lea	eax, [esi+edi]
		mov	[ebp+arg_4], eax
		mov	eax, ecx
		test	ax, ax
		jz	loc_6959CE
		push	2
		pop	edx
		cmp	ax, dx
		jbe	loc_69603D
		push	3
		pop	edx
		cmp	ax, dx
		jz	loc_695F21
		push	5
		pop	edx
		cmp	ax, dx
		jz	short loc_695E21
		push	6
		pop	edx
		cmp	ax, dx
		jz	loc_69603D
		push	10h
		pop	eax
		cmp	cx, ax
		jnz	loc_6959CE

loc_695E21:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+487j
		mov	eax, [edi+10h]
		push	8
		pop	ecx
		mov	[ebp+var_30], eax
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	eax, [ebp+arg_4]
		mov	[edi+14h], eax
		mov	eax, [ebp+var_4]
		add	eax, edi
		mov	[ebp+arg_0], ebx
		mov	[ebp+arg_4], eax
		cmp	[ebp+var_30], ebx
		jbe	loc_6960B2
		mov	ecx, [ebp+var_C]
		lea	eax, [ecx+10h]
		mov	[ebp+var_20], eax

loc_695E7C:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+596j
		mov	eax, [eax]
		mov	eax, [ecx+eax]
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		mov	[ebp+var_2C], eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	3
		pop	eax
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	eax, [edi+14h]
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_4], 0FFFFFFFCh
		mov	[eax+ecx*8], ebx
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jz	short loc_695EF1
		mov	ecx, [ebp+var_C]
		push	eax		; size_t
		mov	eax, [ebp+var_20]
		add	ecx, 4
		mov	eax, [eax]
		add	eax, ecx
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		mov	eax, [edi+14h]
		add	esp, 0Ch
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	[eax+ecx*8], edx

loc_695EF1:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+549j
		mov	eax, [edi+14h]
		mov	edx, [ebp+var_2C]
		mov	[eax+ecx*8+4], edx
		mov	eax, [ebp+var_4]
		add	eax, edi
		inc	ecx
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_20]
		add	eax, 4
		mov	[ebp+arg_0], ecx
		cmp	ecx, [edi+10h]
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_20], eax
		jb	loc_695E7C
		jmp	loc_6960B2
; 

loc_695F21:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+47Bj
		mov	eax, [edi+10h]
		push	8
		pop	ecx
		mov	[ebp+arg_0], eax
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	eax, [ebp+arg_4]
		mov	[edi+14h], eax
		mov	eax, [ebp+var_4]
		add	eax, edi
		mov	[ebp+arg_4], eax
		cmp	[ebp+arg_0], ebx
		jbe	loc_6960B2
		mov	ecx, [ebp+var_C]
		lea	eax, [ecx+10h]
		mov	[ebp+arg_0], eax

loc_695F79:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+6B5j
		mov	eax, [eax]
		mov	edx, [ebp+var_14]
		add	eax, ecx
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_30], eax
		push	ecx
		mov	ecx, eax
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	ecx, [ebp+var_18]
		lea	eax, [ebp+var_20]
		push	eax
		push	2
		pop	eax
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	3
		pop	eax
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_6960B2
		push	[ebp+var_20]	; size_t
		and	[ebp+var_4], 0FFFFFFFCh
		push	[ebp+var_30]	; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		mov	eax, [edi+14h]
		add	esp, 0Ch
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+var_20]
		mov	[eax+ebx*8+4], ecx
		mov	eax, [edi+14h]
		lea	ecx, [edx-2]
		push	4
		mov	[eax+ebx*8], cx
		mov	eax, [edi+14h]
		pop	ecx
		mov	[eax+ebx*8+2], dx
		mov	eax, [ebp+var_4]
		add	eax, edi
		inc	ebx
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+arg_0]
		add	eax, ecx
		mov	ecx, [ebp+var_C]
		mov	[ebp+arg_0], eax
		cmp	ebx, [edi+10h]
		jb	loc_695F79
		jmp	short loc_6960B2
; 

loc_69603D:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+46Fj
					; AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+48Fj
		mov	eax, [edi+10h]
		push	8
		pop	ecx
		mov	[ebp+arg_0], eax
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_6960B2
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		mov	[ebp+var_30], esi
		test	esi, esi
		js	short loc_6960B2
		mov	eax, [ebp+arg_4]
		mov	[edi+14h], eax
		cmp	[ebp+arg_0], ebx
		jbe	short loc_6960B2
		mov	esi, [ebp+var_C]
		lea	eax, [esi+10h]
		mov	[ebp+arg_4], eax

loc_696084:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+726j
		mov	ecx, [eax]
		mov	edx, [edi+14h]
		push	4
		mov	eax, [esi+ecx]
		mov	[edx+ebx*8], eax
		mov	eax, [esi+ecx+4]
		mov	[edx+ebx*8+4], eax
		inc	ebx
		mov	eax, [ebp+arg_4]
		pop	ecx
		add	eax, ecx
		mov	[ebp+arg_4], eax
		cmp	ebx, [edi+10h]
		jb	short loc_696084
		mov	esi, [ebp+var_30]
		jmp	short loc_6960B2
; 

loc_6960AD:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+2Fj
					; AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+3Aj ...
		mov	esi, 0C000000Dh

loc_6960B2:				; CODE XREF: AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+53j
					; AuthzBasepConvertRelativeToAbsoluteTokenAttribute(x,x,x,x)+80j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_AuthzBasepConvertRelativeToAbsoluteTokenAttribute@16 endp


;  S U B	R O U T	I N E 


; __stdcall AuthzBasepDeleteAllSecurityAttributes(x)
_AuthzBasepDeleteAllSecurityAttributes@4 proc near
					; CODE XREF: AuthzBasepSetSecurityAttributesToken+EF2E5p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebx+4]
		mov	esi, [edi]
		jmp	short loc_6960E3
; 

loc_6960C9:				; CODE XREF: AuthzBasepDeleteAllSecurityAttributes(x)+2Aj
		or	dword ptr [esi+20h], 4
		mov	edx, esi
		push	1
		push	0
		mov	ecx, ebx
		call	_AuthzBasepAddSecurityAttributeToLists@16 ; AuthzBasepAddSecurityAttributeToLists(x,x,x,x)
		mov	ecx, esi
		call	_AuthzBasepDeleteAllSecurityAttributeValues@4 ;	AuthzBasepDeleteAllSecurityAttributeValues(x)
		mov	esi, [esi]

loc_6960E3:				; CODE XREF: AuthzBasepDeleteAllSecurityAttributes(x)+Cj
		cmp	esi, edi
		jnz	short loc_6960C9
		pop	edi
		pop	esi
		pop	ebx
		retn
_AuthzBasepDeleteAllSecurityAttributes@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepDeleteSecurityAttributeValues(x, x, x)
_AuthzBasepDeleteSecurityAttributeValues@12 proc near
					; CODE XREF: AuthzBasepDeleteSecurityAttribute+EECDCp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], edx
		xor	ebx, ebx
		mov	[eax], bl
		push	edi
		mov	ax, [esi+18h]
		xor	edi, edi
		cmp	ax, [edx+8]
		jz	short loc_696118
		mov	edi, 0C000000Dh
		jmp	loc_6961FD
; 

loc_696118:				; CODE XREF: AuthzBasepDeleteSecurityAttributeValues(x,x,x)+21j
		xor	ecx, ecx
		mov	[ebp+var_C], ecx
		cmp	[edx+10h], ecx
		jbe	loc_6961EA
		and	[ebp+var_8], ecx
		mov	[ebp+var_10], 4

loc_696130:				; CODE XREF: AuthzBasepDeleteSecurityAttributeValues(x,x,x)+F9j
		movzx	eax, word ptr [esi+18h]
		mov	[ebp+var_4], eax
		movzx	eax, ax
		test	ax, ax
		jz	short loc_69618D
		cmp	eax, 2
		jbe	short loc_696175
		cmp	eax, 3
		jz	short loc_696162
		cmp	ax, word ptr [ebp+var_10]
		jz	short loc_69616D
		cmp	eax, 5
		jz	short loc_696162
		cmp	eax, 6
		jz	short loc_696175
		push	10h
		pop	eax
		cmp	word ptr [ebp+var_4], ax
		jnz	short loc_69618D

loc_696162:				; CODE XREF: AuthzBasepDeleteSecurityAttributeValues(x,x,x)+5Cj
					; AuthzBasepDeleteSecurityAttributeValues(x,x,x)+67j
		mov	eax, [edx+14h]
		lea	eax, [eax+ecx*8]

loc_696168:				; CODE XREF: AuthzBasepDeleteSecurityAttributeValues(x,x,x)+88j
		cdq
		push	edx
		push	eax
		jmp	short loc_69617F
; 

loc_69616D:				; CODE XREF: AuthzBasepDeleteSecurityAttributeValues(x,x,x)+62j
		mov	eax, [edx+14h]
		add	eax, [ebp+var_8]
		jmp	short loc_696168
; 

loc_696175:				; CODE XREF: AuthzBasepDeleteSecurityAttributeValues(x,x,x)+57j
					; AuthzBasepDeleteSecurityAttributeValues(x,x,x)+6Cj
		mov	eax, [edx+14h]
		push	dword ptr [eax+ecx*8+4]
		push	dword ptr [eax+ecx*8]

loc_69617F:				; CODE XREF: AuthzBasepDeleteSecurityAttributeValues(x,x,x)+80j
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		call	AuthzBasepFindSecurityAttributeValue
		mov	ebx, eax
		jmp	short loc_696192
; 

loc_69618D:				; CODE XREF: AuthzBasepDeleteSecurityAttributeValues(x,x,x)+52j
					; AuthzBasepDeleteSecurityAttributeValues(x,x,x)+75j
		mov	edi, 0C000000Dh

loc_696192:				; CODE XREF: AuthzBasepDeleteSecurityAttributeValues(x,x,x)+A0j
		test	edi, edi
		js	short loc_6961FD
		test	ebx, ebx
		jz	short loc_696206
		mov	eax, [ebx+10h]
		test	al, 4
		jnz	short loc_696206
		mov	edx, ebx
		test	al, 1
		jnz	short loc_6961BB
		push	ecx
		push	0
		mov	ecx, esi
		call	_AuthzBasepRemoveSecurityAttributeValueFromLists@16 ; AuthzBasepRemoveSecurityAttributeValueFromLists(x,x,x,x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_6961D1
; 

loc_6961BB:				; CODE XREF: AuthzBasepDeleteSecurityAttributeValues(x,x,x)+BAj
		push	4
		pop	ecx
		or	eax, ecx
		mov	ecx, esi
		push	1
		push	0
		mov	[ebx+10h], eax
		call	_AuthzBasepAddSecurityAttributeValueToLists@16 ; AuthzBasepAddSecurityAttributeValueToLists(x,x,x,x)
		inc	dword ptr [esi+28h]

loc_6961D1:				; CODE XREF: AuthzBasepDeleteSecurityAttributeValues(x,x,x)+CEj
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_14]
		inc	ecx
		push	10h
		pop	eax
		add	[ebp+var_8], eax
		mov	[ebp+var_C], ecx
		cmp	ecx, [edx+10h]
		jb	loc_696130

loc_6961EA:				; CODE XREF: AuthzBasepDeleteSecurityAttributeValues(x,x,x)+35j
		mov	eax, [esi+24h]
		cmp	eax, [esi+28h]
		jnz	short loc_6961FD
		cmp	[esi+34h], eax
		ja	short loc_6961FD
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	1

loc_6961FD:				; CODE XREF: AuthzBasepDeleteSecurityAttributeValues(x,x,x)+28j
					; AuthzBasepDeleteSecurityAttributeValues(x,x,x)+A9j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_696206:				; CODE XREF: AuthzBasepDeleteSecurityAttributeValues(x,x,x)+ADj
					; AuthzBasepDeleteSecurityAttributeValues(x,x,x)+B4j
		mov	edi, 0C0000225h
		jmp	short loc_6961FD
_AuthzBasepDeleteSecurityAttributeValues@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepFindTokenAttribute(x)
_AuthzBasepFindTokenAttribute@4	proc near
					; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+29p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	eax, ecx
		push	edi
		mov	[ebp+var_4], eax
		mov	ebx, esi
		mov	edi, esi

loc_696221:				; CODE XREF: AuthzBasepFindTokenAttribute(x)+30j
		mov	edx, ds:_TokenAttributeLookupTable[edi]
		push	ecx
		mov	ecx, eax
		call	AuthzBasepEqualUnicodeString
		test	al, al
		jnz	short loc_696241
		mov	eax, [ebp+var_4]
		add	edi, 0Ch
		inc	ebx
		cmp	edi, 30h
		jb	short loc_696221
		jmp	short loc_69624A
; 

loc_696241:				; CODE XREF: AuthzBasepFindTokenAttribute(x)+24j
		imul	esi, ebx, 0Ch
		add	esi, offset _TokenAttributeLookupTable

loc_69624A:				; CODE XREF: AuthzBasepFindTokenAttribute(x)+32j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_AuthzBasepFindTokenAttribute@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepQueryTokenAttributeAndValues(x)
_AuthzBasepQueryTokenAttributeAndValues@4 proc near
					; CODE XREF: AuthzBasepQuerySecurityAttributeAndValues+D13A1j

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_14], edi
		mov	eax, [esi+20h]
		mov	[ebp+var_10], edi
		mov	[esi+14h], edi
		test	eax, eax
		jnz	loc_69634E
		lea	ecx, [esi+8]
		call	_AuthzBasepFindTokenAttribute@4	; AuthzBasepFindTokenAttribute(x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_69628F

loc_696285:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+69j
					; AuthzBasepQueryTokenAttributeAndValues(x)+72j ...
		mov	edi, 0C0000225h
		jmp	loc_6963A1
; 

loc_69628F:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+32j
		mov	[esi+20h], ecx
		mov	[esi+24h], edi
		mov	ax, [ecx+8]
		mov	[esi+10h], ax
		mov	eax, [ecx+4]
		sub	eax, 1
		jz	short loc_6962E9
		sub	eax, 1
		jz	short loc_6962C7
		sub	eax, 1
		mov	eax, [esi+4]
		mov	eax, [eax+280h]
		jz	short loc_6962C1
		test	eax, eax
		jz	short loc_696285
		mov	eax, [eax+0Ch]
		jmp	short loc_6962D8
; 

loc_6962C1:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+65j
		test	eax, eax
		jz	short loc_696285
		jmp	short loc_6962D5
; 

loc_6962C7:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+57j
		mov	ecx, [esi+4]
		lea	edx, [ebp+var_14]
		call	_SepCopyTokenIntegrity@8 ; SepCopyTokenIntegrity(x,x)
		mov	eax, [ebp+var_14]

loc_6962D5:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+74j
		mov	eax, [eax+8]

loc_6962D8:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+6Ej
		lea	ebx, [esi+28h]
		mov	dword ptr [esi+18h], 1
		mov	[ebx], eax
		mov	[ebx+4], edi
		jmp	short loc_696349
; 

loc_6962E9:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+52j
		mov	eax, [esi+4]
		lea	ebx, [esi+28h]
		push	2
		mov	esi, edi
		mov	ecx, [eax+48h]
		mov	eax, [eax+4Ch]
		mov	[ebp+var_C], ecx
		pop	ecx
		mov	[ebp+var_10], eax
		mov	[ebx], edi
		mov	[ebx+4], edi
		mov	[ebp+var_4], ecx

loc_696308:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+E2j
		xor	eax, eax
		xor	edx, edx
		inc	eax
		call	__allshl
		and	eax, [ebp+var_C]
		and	edx, [ebp+var_10]
		or	eax, edx
		mov	ecx, [ebp+var_4]
		jz	short loc_69632C
		mov	eax, [ebx]
		inc	esi
		or	eax, [ebx+4]
		jnz	short loc_69632C
		mov	[ebx], ecx
		mov	[ebx+4], edi

loc_69632C:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+CCj
					; AuthzBasepQueryTokenAttributeAndValues(x)+D4j
		inc	ecx
		mov	[ebp+var_4], ecx
		cmp	ecx, 24h
		jbe	short loc_696308
		mov	[ebp+var_4], esi
		mov	esi, [ebp+var_8]
		mov	eax, [ebp+var_4]
		mov	[esi+18h], eax
		test	eax, eax
		jz	loc_696285

loc_696349:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+96j
		mov	[esi+1Ch], ebx
		jmp	short loc_6963A1
; 

loc_69634E:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+20j
		cmp	dword ptr [eax+4], 1
		jnz	short loc_69639C
		mov	eax, [esi+4]
		mov	ebx, [esi+28h]
		inc	ebx
		mov	ecx, [eax+48h]
		mov	eax, [eax+4Ch]
		cmp	ebx, 24h
		ja	short loc_69639C
		mov	esi, ecx
		mov	edi, eax

loc_69636A:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+131j
		xor	eax, eax
		xor	edx, edx
		inc	eax
		mov	ecx, ebx
		call	__allshl
		and	eax, esi
		and	edx, edi
		or	eax, edx
		jnz	short loc_696384
		inc	ebx
		cmp	ebx, 24h
		jbe	short loc_69636A

loc_696384:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+12Bj
		mov	esi, [ebp+var_8]
		push	0
		pop	edi
		cmp	ebx, 24h
		ja	short loc_69639C
		lea	eax, [esi+28h]
		mov	[eax], ebx
		mov	[eax+4], edi
		mov	[esi+1Ch], eax
		jmp	short loc_6963A1
; 

loc_69639C:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+101j
					; AuthzBasepQueryTokenAttributeAndValues(x)+113j ...
		mov	edi, 8000001Ah

loc_6963A1:				; CODE XREF: AuthzBasepQueryTokenAttributeAndValues(x)+39j
					; AuthzBasepQueryTokenAttributeAndValues(x)+FBj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AuthzBasepQueryTokenAttributeAndValues@4 endp


;  S U B	R O U T	I N E 


; __stdcall AuthzBasepRollbackSecurityAttributeChanges(x, x)
_AuthzBasepRollbackSecurityAttributeChanges@8 proc near
					; CODE XREF: AuthzBasepFinaliseSecurityAttributesList(x,x):loc_4DB442p
					; .text:005ED390p
		mov	edi, edi
		push	ebx
		push	esi
		push	1
		xor	ebx, ebx
		mov	esi, edx
		push	ebx
		call	AuthzBasepRemoveSecurityAttributeFromLists
		mov	eax, [esi+20h]
		test	al, 4
		jz	short loc_6963DB
		mov	ecx, esi
		test	al, 1
		jnz	short loc_6963CE
		xor	dl, dl
		call	AuthzBasepFreeSecurityAttributeValues
		jmp	short loc_696416
; 

loc_6963CE:				; CODE XREF: AuthzBasepRollbackSecurityAttributeChanges(x,x)+1Bj
		and	eax, 0FFFFFFFBh
		mov	dl, 1
		mov	[esi+20h], eax
		call	AuthzBasepFreeSecurityAttributeValues

loc_6963DB:				; CODE XREF: AuthzBasepRollbackSecurityAttributeChanges(x,x)+15j
		push	edi
		lea	edi, [esi+38h]

loc_6963DF:				; CODE XREF: AuthzBasepRollbackSecurityAttributeChanges(x,x)+5Cj
					; AuthzBasepRollbackSecurityAttributeChanges(x,x)+65j
		mov	edx, [edi]
		cmp	edx, edi
		jz	short loc_69640F
		push	ecx
		add	edx, 0FFFFFFF8h
		mov	ecx, esi
		push	ebx
		call	_AuthzBasepRemoveSecurityAttributeValueFromLists@16 ; AuthzBasepRemoveSecurityAttributeValueFromLists(x,x,x,x)
		mov	eax, [edx+10h]
		test	al, 4
		jz	short loc_696402
		dec	dword ptr [esi+28h]
		and	dword ptr [edx+10h], 0FFFFFFFBh
		mov	eax, [edx+10h]

loc_696402:				; CODE XREF: AuthzBasepRollbackSecurityAttributeChanges(x,x)+4Ej
		test	al, 1
		jnz	short loc_6963DF
		push	ebx
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_6963DF
; 

loc_69640F:				; CODE XREF: AuthzBasepRollbackSecurityAttributeChanges(x,x)+3Bj
		test	byte ptr [esi+20h], 1
		pop	edi
		jnz	short loc_696418

loc_696416:				; CODE XREF: AuthzBasepRollbackSecurityAttributeChanges(x,x)+24j
		mov	bl, 1

loc_696418:				; CODE XREF: AuthzBasepRollbackSecurityAttributeChanges(x,x)+6Cj
		pop	esi
		mov	al, bl
		pop	ebx
		retn
_AuthzBasepRollbackSecurityAttributeChanges@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepMergeAccessReasons(x, x, x)
_AuthzBasepMergeAccessReasons@12 proc near
					; CODE XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+10E2p
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+1158p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		mov	esi, ecx
		sub	eax, esi
		push	20h
		mov	[ebp+var_4], eax
		pop	ebx

loc_696432:				; CODE XREF: AuthzBasepMergeAccessReasons(x,x,x)+47j
		mov	edi, [eax+esi]
		mov	ecx, edi
		and	ecx, 0FF0000h
		mov	edx, edi
		neg	ecx
		sbb	cl, cl
		inc	cl
		and	edx, [ebp+arg_0]
		setz	al
		test	cl, al
		jnz	short loc_69645B
		cmp	[ebp+arg_0], 0
		jz	short loc_696459
		or	[esi], edx
		jmp	short loc_69645B
; 

loc_696459:				; CODE XREF: AuthzBasepMergeAccessReasons(x,x,x)+36j
		mov	[esi], edi

loc_69645B:				; CODE XREF: AuthzBasepMergeAccessReasons(x,x,x)+30j
					; AuthzBasepMergeAccessReasons(x,x,x)+3Aj
		mov	eax, [ebp+var_4]
		add	esi, 4
		sub	ebx, 1
		jnz	short loc_696432
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_AuthzBasepMergeAccessReasons@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepObjectInTypeList(x, x, x,	x)
_AuthzBasepObjectInTypeList@16 proc near ; CODE	XREF: SepMaximumAccessCheck+EC235p
					; SepMaximumAccessCheck+EC34Cp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		cmp	[ebp+arg_0], esi
		jbe	short loc_6964A8
		mov	ebx, [edi]
		lea	ecx, [edx+0Ch]

loc_696483:				; CODE XREF: AuthzBasepObjectInTypeList(x,x,x,x)+39j
		cmp	ebx, [ecx-8]
		jnz	short loc_69649F
		mov	eax, [edi+4]
		cmp	eax, [ecx-4]
		jnz	short loc_69649F
		mov	eax, [edi+8]
		cmp	eax, [ecx]
		jnz	short loc_69649F
		mov	eax, [edi+0Ch]
		cmp	eax, [ecx+4]
		jz	short loc_6964B1

loc_69649F:				; CODE XREF: AuthzBasepObjectInTypeList(x,x,x,x)+19j
					; AuthzBasepObjectInTypeList(x,x,x,x)+21j ...
		inc	esi
		add	ecx, 2Ch
		cmp	esi, [ebp+arg_0]
		jb	short loc_696483

loc_6964A8:				; CODE XREF: AuthzBasepObjectInTypeList(x,x,x,x)+Fj
		xor	al, al

loc_6964AA:				; CODE XREF: AuthzBasepObjectInTypeList(x,x,x,x)+4Bj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_6964B1:				; CODE XREF: AuthzBasepObjectInTypeList(x,x,x,x)+30j
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		mov	al, 1
		jmp	short loc_6964AA
_AuthzBasepObjectInTypeList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepSetAppContainerAccessReasons(x, x, x, x)
_AuthzBasepSetAppContainerAccessReasons@16 proc	near
					; CODE XREF: AuthzBasepAddAccessTypeList+EBD38p
					; AuthzBasepAddAccessTypeList+EBDDDp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	esi
		xor	esi, esi
		inc	esi
		test	edx, edx
		jz	short loc_6964FA

loc_6964CA:				; CODE XREF: AuthzBasepSetAppContainerAccessReasons(x,x,x,x)+3Ej
		test	esi, esi
		jz	short loc_6964FA
		test	esi, ecx
		jz	short loc_6964F3
		mov	eax, [edx]
		cmp	eax, 10000h
		jz	short loc_6964E9
		cmp	eax, 30000h
		jz	short loc_6964E9
		cmp	eax, 400000h
		jnz	short loc_6964F3

loc_6964E9:				; CODE XREF: AuthzBasepSetAppContainerAccessReasons(x,x,x,x)+1Fj
					; AuthzBasepSetAppContainerAccessReasons(x,x,x,x)+26j
		mov	eax, [ebp+arg_0]
		or	eax, 70000h
		mov	[edx], eax

loc_6964F3:				; CODE XREF: AuthzBasepSetAppContainerAccessReasons(x,x,x,x)+16j
					; AuthzBasepSetAppContainerAccessReasons(x,x,x,x)+2Dj
		add	edx, 4
		add	esi, esi
		jmp	short loc_6964CA
; 

loc_6964FA:				; CODE XREF: AuthzBasepSetAppContainerAccessReasons(x,x,x,x)+Ej
					; AuthzBasepSetAppContainerAccessReasons(x,x,x,x)+12j
		pop	esi
		pop	ebp
		retn	8
_AuthzBasepSetAppContainerAccessReasons@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepSetTypeListAccessReasons(x, x, x,	x, x, x)
_AuthzBasepSetTypeListAccessReasons@24 proc near
					; CODE XREF: SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+112p
					; SepAccessCheckEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+138p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_696529
		push	edi
		mov	edi, [ebp+arg_4]
		add	edi, 28h

loc_696513:				; CODE XREF: AuthzBasepSetTypeListAccessReasons(x,x,x,x,x,x)+27j
		push	[ebp+arg_C]
		push	dword ptr [edi]
		push	[ebp+arg_0]
		call	AuthzBasepSetAccessReasons
		lea	edi, [edi+2Ch]
		sub	esi, 1
		jnz	short loc_696513
		pop	edi

loc_696529:				; CODE XREF: AuthzBasepSetTypeListAccessReasons(x,x,x,x,x,x)+Bj
		pop	esi
		pop	ebp
		retn	10h
_AuthzBasepSetTypeListAccessReasons@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepUpdateParentTypeList(x, x, x, x, x)
_AuthzBasepUpdateParentTypeList@20 proc	near ; CODE XREF: AuthzBasepAddAccessTypeList+EBD86p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	[ebp+var_10], esi

loc_696541:				; CODE XREF: AuthzBasepUpdateParentTypeList(x,x,x,x,x)+ABj
					; AuthzBasepUpdateParentTypeList(x,x,x,x,x):loc_6965FFj ...
		imul	eax, [ebp+arg_0], 2Ch
		xor	ebx, ebx
		or	edx, 0FFFFFFFFh
		xor	edi, edi
		mov	ecx, [eax+esi+14h]
		mov	[ebp+arg_0], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	loc_69661D
		movzx	eax, word ptr [eax+esi]
		inc	ecx
		mov	[ebp+var_C], eax
		cmp	ecx, [ebp+var_4]
		jnb	short loc_6965A0
		imul	eax, [ebp+arg_0], 2Ch
		movzx	eax, word ptr [eax+esi]
		mov	[ebp+var_8], eax
		imul	eax, ecx, 2Ch
		add	eax, 1Ch
		add	eax, esi

loc_69657C:				; CODE XREF: AuthzBasepUpdateParentTypeList(x,x,x,x,x)+6Dj
		movzx	esi, word ptr [eax-1Ch]
		cmp	si, word ptr [ebp+var_8]
		jbe	short loc_69659D
		cmp	si, word ptr [ebp+var_C]
		jnz	short loc_696594
		or	ebx, [eax-4]
		and	edx, [eax]
		or	edi, [eax+4]

loc_696594:				; CODE XREF: AuthzBasepUpdateParentTypeList(x,x,x,x,x)+5Cj
		inc	ecx
		add	eax, 2Ch
		cmp	ecx, [ebp+var_4]
		jb	short loc_69657C

loc_69659D:				; CODE XREF: AuthzBasepUpdateParentTypeList(x,x,x,x,x)+56j
		mov	esi, [ebp+var_10]

loc_6965A0:				; CODE XREF: AuthzBasepUpdateParentTypeList(x,x,x,x,x)+39j
		imul	eax, [ebp+arg_0], 2Ch
		mov	ecx, [eax+esi+18h]
		mov	[ebp+var_C], ecx
		cmp	ebx, ecx
		jnz	short loc_6965BB
		cmp	edx, [eax+esi+1Ch]
		jnz	short loc_6965BB
		cmp	edi, [eax+esi+20h]
		jz	short loc_69661D

loc_6965BB:				; CODE XREF: AuthzBasepUpdateParentTypeList(x,x,x,x,x)+7Fj
					; AuthzBasepUpdateParentTypeList(x,x,x,x,x)+85j
		mov	ecx, [ebp+arg_8]
		sub	ecx, 0
		jz	short loc_6965F4
		sub	ecx, 1
		jz	short loc_6965E6
		sub	ecx, 1
		jnz	short loc_69661D
		mov	ecx, [eax+esi+20h]
		not	ecx
		mov	[eax+esi+20h], edi
		and	ecx, edi
		jz	loc_696541
		mov	edx, 20000h
		jmp	short loc_69660A
; 

loc_6965E6:				; CODE XREF: AuthzBasepUpdateParentTypeList(x,x,x,x,x)+98j
		mov	ecx, [eax+esi+1Ch]
		not	ecx
		mov	[eax+esi+1Ch], edx
		and	ecx, edx
		jmp	short loc_6965FF
; 

loc_6965F4:				; CODE XREF: AuthzBasepUpdateParentTypeList(x,x,x,x,x)+93j
		mov	ecx, ebx
		mov	[eax+esi+18h], ebx
		not	ecx
		and	ecx, [ebp+var_C]

loc_6965FF:				; CODE XREF: AuthzBasepUpdateParentTypeList(x,x,x,x,x)+C4j
		jz	loc_696541
		mov	edx, 10000h

loc_69660A:				; CODE XREF: AuthzBasepUpdateParentTypeList(x,x,x,x,x)+B6j
		push	0
		push	dword ptr [eax+esi+28h]
		push	[ebp+arg_4]
		call	AuthzBasepSetAccessReasons
		jmp	loc_696541
; 

loc_69661D:				; CODE XREF: AuthzBasepUpdateParentTypeList(x,x,x,x,x)+28j
					; AuthzBasepUpdateParentTypeList(x,x,x,x,x)+8Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_AuthzBasepUpdateParentTypeList@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepCompareFQBNOperands(x, x,	x)
_AuthzBasepCompareFQBNOperands@12 proc near ; CODE XREF: AuthzBasepValueInSet+EDE40p
					; AuthzBasepEvaluateExpression+ED879p

var_74		= dword	ptr -74h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	64h
		push	offset dword_6AAE20
		call	__SEH_prolog4
		mov	[ebp+var_30], edx
		mov	[ebp+var_1B], cl
		xor	ebx, ebx
		mov	[ebp+var_28], ebx
		push	7
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_74]
		rep stosd
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		mov	word ptr [ebp+var_20], bx
		mov	[ebp+var_19], bl
		mov	esi, [ebp+arg_0]
		mov	[esi], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_4C], ebx
		lea	edx, [ebp+var_19]
		mov	ecx, [ebp+var_30]
		call	_AuthzBasepGetOperandStringCaseForEvaluation@8 ; AuthzBasepGetOperandStringCaseForEvaluation(x,x)
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		push	2
		test	ecx, ecx
		pop	ecx
		jns	short loc_696684
		or	dword ptr [esi], 0FFFFFFFFh
		mov	edi, eax
		jmp	loc_69673C
; 

loc_696684:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+54j
		mov	edi, ebx
		mov	eax, [ebp+var_30]
		add	eax, 14h
		mov	[ebp+var_2C], eax

loc_69668F:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+177j
		cmp	dword ptr [eax-8], 1
		jnz	loc_69676B
		cmp	[eax-10h], bl
		jz	loc_6967CA
		lea	ecx, [ebp+var_28]
		push	ecx
		lea	ecx, [ebp+var_74]
		push	ecx
		mov	edx, [eax]
		mov	ecx, [eax+4]
		call	AuthzBasepGetConstantOperand
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		js	short loc_696733
		cmp	word ptr [ebp+var_74], 3
		jnz	short loc_696733
		cmp	[ebp+var_19], bl
		setz	dl
		lea	eax, [ebp+var_20]
		add	eax, edi
		push	eax
		lea	eax, [ebp+var_58]
		lea	eax, [eax+edi*8]
		push	eax
		lea	ecx, [ebp+var_74]
		call	AuthzBasepUnicodeStringFromOperandValue
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		js	short loc_696733
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		mov	ecx, [ebp+var_2C]
		mov	edx, [ecx]
		sub	edx, [ebp+var_28]
		mov	ecx, [ecx+4]
		add	ecx, [ebp+var_28]
		call	AuthzBasepGetConstantOperand
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		push	2
		test	ecx, ecx
		pop	ecx
		js	loc_6967C2
		cmp	word ptr [ebp+var_74], cx
		jnz	loc_6967C2
		mov	ecx, [ebp+var_5C]
		mov	eax, [ecx]
		mov	[ebp+edi*8+var_48], eax
		mov	eax, [ecx+4]
		mov	[ebp+edi*8+var_44], eax
		cmp	byte ptr [ecx+8], 2
		jnz	short loc_69678C

loc_696733:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+97j
					; AuthzBasepCompareFQBNOperands(x,x,x)+9Ej ...
		or	dword ptr [esi], 0FFFFFFFFh

loc_696736:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+203j
					; AuthzBasepCompareFQBNOperands(x,x,x)+20Bj ...
		push	2
		pop	ecx

loc_696739:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+1A1j
		mov	edi, [ebp+var_24]

loc_69673C:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+5Bj
					; AuthzBasepCompareFQBNOperands(x,x,x)+1AEj ...
		mov	esi, ebx

loc_69673E:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+131j
		cmp	byte ptr [ebp+esi+var_20], 0
		jz	short loc_696752
		push	ebx
		push	[ebp+esi*8+var_54]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	2
		pop	ecx

loc_696752:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+11Fj
		inc	esi
		cmp	esi, ecx
		jb	short loc_69673E
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_69676B:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+6Fj
		mov	eax, [eax-4]
		mov	ecx, [eax+1Ch]
		mov	eax, [ecx]
		mov	[ebp+edi*8+var_48], eax
		mov	eax, [ecx+4]
		mov	[ebp+edi*8+var_44], eax
		mov	eax, [ecx+8]
		mov	[ebp+edi*8+var_58], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+edi*8+var_54], eax

loc_69678C:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+10Dj
		inc	edi
		mov	eax, [ebp+var_2C]
		add	eax, 1Ch
		mov	[ebp+var_2C], eax
		push	2
		pop	ecx
		cmp	edi, ecx
		jb	loc_69668F
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+var_30]
		push	ebx
		cmp	dword ptr [eax+28h], 1
		jnz	short loc_6967D7
		cmp	[ebp+var_19], 0
		setz	byte ptr [ebp+var_30]
		push	[ebp+var_30]
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_50]
		jmp	short loc_6967E9
; 

loc_6967C2:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+E9j
					; AuthzBasepCompareFQBNOperands(x,x,x)+F3j
		or	dword ptr [esi], 0FFFFFFFFh
		jmp	loc_696739
; 

loc_6967CA:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+78j
		mov	edi, 0C00001A2h
		or	dword ptr [esi], 0FFFFFFFFh
		jmp	loc_69673C
; 

loc_6967D7:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+188j
		cmp	[ebp+var_19], 0
		setz	byte ptr [ebp+var_30]
		push	[ebp+var_30]
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_58]

loc_6967E9:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+19Cj
		push	eax
		call	RtlIsNameInExpression
		mov	cl, al
		mov	[ebp+var_1A], cl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+var_48]
		mov	edi, [ebp+var_40]
		cmp	edx, edi
		jnz	short loc_696816
		mov	eax, [ebp+var_44]
		cmp	eax, [ebp+var_3C]
		jnz	short loc_696816
		test	cl, cl
		jz	short loc_696816
		xor	eax, eax
		inc	eax
		jmp	short loc_696818
; 

loc_696816:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+1DFj
					; AuthzBasepCompareFQBNOperands(x,x,x)+1E7j ...
		mov	eax, ebx

loc_696818:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+1F0j
		mov	[esi], eax
		mov	ch, [ebp+var_1B]
		cmp	ch, 81h
		jnz	short loc_69682C
		xor	eax, 1

loc_696825:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+22Bj
		mov	[esi], eax
		jmp	loc_696736
; 

loc_69682C:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+1FCj
		cmp	ch, 80h
		jz	loc_696736
		test	cl, cl
		jnz	short loc_696840
		mov	[esi], ebx
		jmp	loc_696736
; 

loc_696840:				; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+213j
		push	[ebp+var_3C]
		push	edi
		push	[ebp+var_44]
		push	edx
		mov	cl, ch
		call	_AuthzBasepCompareUnsigned@20 ;	AuthzBasepCompareUnsigned(x,x,x,x,x)
		jmp	short loc_696825
_AuthzBasepCompareFQBNOperands@12 endp


;  S U B	R O U T	I N E 


sub_696851	proc near		; DATA XREF: .text:006AAE34o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_696851	endp


;  S U B	R O U T	I N E 


sub_69685F	proc near		; DATA XREF: .text:006AAE38o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-34h]
		mov	eax, [ebp+8]
		or	dword ptr [eax], 0FFFFFFFFh
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		push	2
		pop	ecx
		jmp	loc_69673C
sub_69685F	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepCompareIntegerOperands(x,	x)
_AuthzBasepCompareIntegerOperands@8 proc near ;	CODE XREF: AuthzBasepValueInSet+EDE4Fp
					; AuthzBasepEvaluateExpression+ED86Ap

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_4], 2
		xor	esi, esi
		mov	[ebp+var_14], eax
		mov	ebx, esi
		mov	[ebp+var_10], eax
		mov	esi, [ebp+var_4]
		add	edx, 18h
		push	edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax

loc_6968A7:				; CODE XREF: AuthzBasepCompareIntegerOperands(x,x)+53j
		cmp	dword ptr [edx-0Ch], 1
		jnz	short loc_6968B1
		mov	edi, [edx]
		jmp	short loc_6968BB
; 

loc_6968B1:				; CODE XREF: AuthzBasepCompareIntegerOperands(x,x)+2Fj
		mov	eax, [edx-8]
		movzx	esi, word ptr [edx-18h]
		mov	edi, [eax+1Ch]

loc_6968BB:				; CODE XREF: AuthzBasepCompareIntegerOperands(x,x)+33j
		mov	eax, [edi]
		add	edx, 1Ch
		mov	[ebp+ebx*8+var_14], eax
		mov	eax, [edi+4]
		mov	[ebp+ebx*8+var_10], eax
		inc	ebx
		cmp	ebx, 2
		jl	short loc_6968A7
		movzx	eax, si
		push	0
		pop	esi
		sub	eax, 1
		jz	short loc_696924
		sub	eax, 1
		jz	short loc_696911
		sub	eax, 4
		jnz	short loc_696937
		mov	eax, [ebp+var_14]
		or	eax, [ebp+var_10]
		jz	short loc_6968F9
		cmp	[ebp+var_14], 1
		jnz	short loc_69690C
		cmp	[ebp+var_10], esi
		jnz	short loc_69690C

loc_6968F9:				; CODE XREF: AuthzBasepCompareIntegerOperands(x,x)+70j
		mov	eax, [ebp+var_C]
		or	eax, [ebp+var_8]
		jz	short loc_696911
		cmp	[ebp+var_C], 1
		jnz	short loc_69690C
		cmp	[ebp+var_8], esi
		jz	short loc_696911

loc_69690C:				; CODE XREF: AuthzBasepCompareIntegerOperands(x,x)+76j
					; AuthzBasepCompareIntegerOperands(x,x)+7Bj ...
		or	esi, 0FFFFFFFFh
		jmp	short loc_696937
; 

loc_696911:				; CODE XREF: AuthzBasepCompareIntegerOperands(x,x)+63j
					; AuthzBasepCompareIntegerOperands(x,x)+83j ...
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	[ebp+var_10]
		push	[ebp+var_14]
		call	_AuthzBasepCompareUnsigned@20 ;	AuthzBasepCompareUnsigned(x,x,x,x,x)
		jmp	short loc_696935
; 

loc_696924:				; CODE XREF: AuthzBasepCompareIntegerOperands(x,x)+5Ej
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	[ebp+var_10]
		push	[ebp+var_14]
		call	_AuthzBasepCompareSigned@20 ; AuthzBasepCompareSigned(x,x,x,x,x)

loc_696935:				; CODE XREF: AuthzBasepCompareIntegerOperands(x,x)+A6j
		mov	esi, eax

loc_696937:				; CODE XREF: AuthzBasepCompareIntegerOperands(x,x)+68j
					; AuthzBasepCompareIntegerOperands(x,x)+93j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_AuthzBasepCompareIntegerOperands@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepCompareOctetStringOperands(x, x)
_AuthzBasepCompareOctetStringOperands@8	proc near ; CODE XREF: AuthzBasepValueInSet+EDE33p
					; AuthzBasepEvaluateExpression+ED861p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	esi, esi
		mov	bl, cl
		add	edx, 18h

loc_69694F:				; CODE XREF: AuthzBasepCompareOctetStringOperands(x,x)+38j
		cmp	dword ptr [edx-0Ch], 1
		jnz	short loc_69695C
		mov	ecx, [edx-4]
		mov	eax, edx
		jmp	short loc_696965
; 

loc_69695C:				; CODE XREF: AuthzBasepCompareOctetStringOperands(x,x)+15j
		mov	eax, [edx-8]
		mov	eax, [eax+1Ch]
		mov	ecx, [eax+4]

loc_696965:				; CODE XREF: AuthzBasepCompareOctetStringOperands(x,x)+1Cj
		mov	eax, [eax]
		add	edx, 1Ch
		mov	[ebp+esi*8+var_10], eax
		mov	[ebp+esi*8+var_C], ecx
		inc	esi
		cmp	esi, 2
		jl	short loc_69694F
		mov	esi, [ebp+var_C]
		mov	eax, esi
		cmp	esi, [ebp+var_4]
		jb	short loc_696985
		mov	eax, [ebp+var_4]

loc_696985:				; CODE XREF: AuthzBasepCompareOctetStringOperands(x,x)+42j
		push	eax		; size_t
		push	[ebp+var_8]	; void *
		push	[ebp+var_10]	; void *
		call	_memcmp
		mov	ecx, eax
		add	esp, 0Ch
		test	ecx, ecx
		jnz	short loc_6969A7
		cmp	esi, [ebp+var_4]
		jbe	short loc_6969A2
		inc	ecx
		jmp	short loc_6969A7
; 

loc_6969A2:				; CODE XREF: AuthzBasepCompareOctetStringOperands(x,x)+5Fj
		jnb	short loc_6969A7
		or	ecx, 0FFFFFFFFh

loc_6969A7:				; CODE XREF: AuthzBasepCompareOctetStringOperands(x,x)+5Aj
					; AuthzBasepCompareOctetStringOperands(x,x)+62j ...
		movzx	eax, bl
		pop	esi
		pop	ebx
		sub	eax, 80h
		jz	short loc_6969EE
		sub	eax, 1
		jz	short loc_6969E5
		sub	eax, 1
		jz	short loc_6969CE
		sub	eax, 1
		jz	short loc_6969DC
		sub	eax, 1
		jz	short loc_6969D3
		sub	eax, 1
		jnz	short loc_6969F7
		not	ecx

loc_6969CE:				; CODE XREF: AuthzBasepCompareOctetStringOperands(x,x)+7Dj
		shr	ecx, 1Fh
		jmp	short loc_6969F7
; 

loc_6969D3:				; CODE XREF: AuthzBasepCompareOctetStringOperands(x,x)+87j
		xor	eax, eax
		test	ecx, ecx
		setnle	al
		jmp	short loc_6969F5
; 

loc_6969DC:				; CODE XREF: AuthzBasepCompareOctetStringOperands(x,x)+82j
		xor	eax, eax
		test	ecx, ecx
		setle	al
		jmp	short loc_6969F5
; 

loc_6969E5:				; CODE XREF: AuthzBasepCompareOctetStringOperands(x,x)+78j
		xor	eax, eax
		test	ecx, ecx
		setnz	al
		jmp	short loc_6969F5
; 

loc_6969EE:				; CODE XREF: AuthzBasepCompareOctetStringOperands(x,x)+73j
		xor	eax, eax
		test	ecx, ecx
		setz	al

loc_6969F5:				; CODE XREF: AuthzBasepCompareOctetStringOperands(x,x)+9Cj
					; AuthzBasepCompareOctetStringOperands(x,x)+A5j ...
		mov	ecx, eax

loc_6969F7:				; CODE XREF: AuthzBasepCompareOctetStringOperands(x,x)+8Cj
					; AuthzBasepCompareOctetStringOperands(x,x)+93j
		mov	eax, ecx
		leave
		retn
_AuthzBasepCompareOctetStringOperands@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepCompareSigned(x, x, x, x,	x)
_AuthzBasepCompareSigned@20 proc near	; CODE XREF: AuthzBasepCompareIntegerOperands(x,x)+B4p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, cl
		sub	eax, 80h
		jz	loc_696A95
		sub	eax, 1
		jz	short loc_696A83
		sub	eax, 1
		jz	short loc_696A6F
		sub	eax, 1
		jz	short loc_696A5B
		sub	eax, 1
		jz	short loc_696A47
		sub	eax, 1
		jnz	short loc_696A39
		mov	eax, [ebp+arg_4]
		cmp	eax, [ebp+arg_C]
		jl	short loc_696A39
		jg	short loc_696AA5
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_8]
		jnb	short loc_696AA5

loc_696A39:				; CODE XREF: AuthzBasepCompareSigned(x,x,x,x,x)+2Aj
					; AuthzBasepCompareSigned(x,x,x,x,x)+32j ...
		xor	cl, cl

loc_696A3B:				; CODE XREF: AuthzBasepCompareSigned(x,x,x,x,x)+ACj
		xor	eax, eax
		cmp	cl, 1
		setz	al
		pop	ebp
		retn	10h
; 

loc_696A47:				; CODE XREF: AuthzBasepCompareSigned(x,x,x,x,x)+25j
		mov	eax, [ebp+arg_4]
		cmp	eax, [ebp+arg_C]
		jl	short loc_696A39
		jg	short loc_696AA5
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_8]
		jbe	short loc_696A39
		jmp	short loc_696AA5
; 

loc_696A5B:				; CODE XREF: AuthzBasepCompareSigned(x,x,x,x,x)+20j
		mov	eax, [ebp+arg_4]
		cmp	eax, [ebp+arg_C]
		jg	short loc_696A39
		jl	short loc_696AA5
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_8]
		ja	short loc_696A39
		jmp	short loc_696AA5
; 

loc_696A6F:				; CODE XREF: AuthzBasepCompareSigned(x,x,x,x,x)+1Bj
		mov	eax, [ebp+arg_4]
		cmp	eax, [ebp+arg_C]
		jg	short loc_696A39
		jl	short loc_696AA5
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_8]
		jnb	short loc_696A39
		jmp	short loc_696AA5
; 

loc_696A83:				; CODE XREF: AuthzBasepCompareSigned(x,x,x,x,x)+16j
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_8]
		jnz	short loc_696AA5
		mov	eax, [ebp+arg_4]
		cmp	eax, [ebp+arg_C]
		jz	short loc_696A39
		jmp	short loc_696AA5
; 

loc_696A95:				; CODE XREF: AuthzBasepCompareSigned(x,x,x,x,x)+Dj
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_8]
		jnz	short loc_696A39
		mov	eax, [ebp+arg_4]
		cmp	eax, [ebp+arg_C]
		jnz	short loc_696A39

loc_696AA5:				; CODE XREF: AuthzBasepCompareSigned(x,x,x,x,x)+34j
					; AuthzBasepCompareSigned(x,x,x,x,x)+3Cj ...
		mov	cl, 1
		jmp	short loc_696A3B
_AuthzBasepCompareSigned@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepCompareUnicodeStringCaseSensitive(x, x)
_AuthzBasepCompareUnicodeStringCaseSensitive@8 proc near
					; CODE XREF: AuthzBasepCompareUnicodeStringOperands+EDDD4p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+4]
		push	ebx
		movzx	ebx, word ptr [ecx]
		movzx	ecx, word ptr [edx]
		mov	[ebp+var_4], ecx
		push	esi
		push	edi
		cmp	bx, cx
		jnb	short loc_696AC7
		mov	ecx, ebx
		jmp	short loc_696ACA
; 

loc_696AC7:				; CODE XREF: AuthzBasepCompareUnicodeStringCaseSensitive(x,x)+18j
		movzx	ecx, cx

loc_696ACA:				; CODE XREF: AuthzBasepCompareUnicodeStringCaseSensitive(x,x)+1Cj
		movzx	ecx, cx
		add	ecx, eax
		cmp	eax, ecx
		jnb	short loc_696AEB
		mov	edx, [edx+4]
		sub	edx, eax

loc_696AD8:				; CODE XREF: AuthzBasepCompareUnicodeStringCaseSensitive(x,x)+40j
		movzx	esi, word ptr [eax]
		movzx	edi, word ptr [edx+eax]
		cmp	si, di
		jnz	short loc_696AFA
		add	eax, 2
		cmp	eax, ecx
		jb	short loc_696AD8

loc_696AEB:				; CODE XREF: AuthzBasepCompareUnicodeStringCaseSensitive(x,x)+28j
		mov	eax, [ebp+var_4]
		movzx	ecx, ax
		mov	eax, ebx

loc_696AF3:				; CODE XREF: AuthzBasepCompareUnicodeStringCaseSensitive(x,x)+55j
		pop	edi
		pop	esi
		sub	eax, ecx
		pop	ebx
		leave
		retn
; 

loc_696AFA:				; CODE XREF: AuthzBasepCompareUnicodeStringCaseSensitive(x,x)+39j
		mov	ecx, edi
		mov	eax, esi
		jmp	short loc_696AF3
_AuthzBasepCompareUnicodeStringCaseSensitive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepCompareUnsigned(x, x, x, x, x)
_AuthzBasepCompareUnsigned@20 proc near	; CODE XREF: AuthzBasepCompareFQBNOperands(x,x,x)+226p
					; AuthzBasepCompareIntegerOperands(x,x)+A1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, cl
		sub	eax, 80h
		jz	loc_696B9A
		sub	eax, 1
		jz	short loc_696B88
		sub	eax, 1
		jz	short loc_696B74
		sub	eax, 1
		jz	short loc_696B60
		sub	eax, 1
		jz	short loc_696B4C
		sub	eax, 1
		jnz	short loc_696B3E
		mov	eax, [ebp+arg_4]
		cmp	eax, [ebp+arg_C]
		jb	short loc_696B3E
		ja	short loc_696BAA
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_8]
		jnb	short loc_696BAA

loc_696B3E:				; CODE XREF: AuthzBasepCompareUnsigned(x,x,x,x,x)+2Aj
					; AuthzBasepCompareUnsigned(x,x,x,x,x)+32j ...
		xor	cl, cl

loc_696B40:				; CODE XREF: AuthzBasepCompareUnsigned(x,x,x,x,x)+ACj
		xor	eax, eax
		cmp	cl, 1
		setz	al
		pop	ebp
		retn	10h
; 

loc_696B4C:				; CODE XREF: AuthzBasepCompareUnsigned(x,x,x,x,x)+25j
		mov	eax, [ebp+arg_4]
		cmp	eax, [ebp+arg_C]
		jb	short loc_696B3E
		ja	short loc_696BAA
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_8]
		jbe	short loc_696B3E
		jmp	short loc_696BAA
; 

loc_696B60:				; CODE XREF: AuthzBasepCompareUnsigned(x,x,x,x,x)+20j
		mov	eax, [ebp+arg_4]
		cmp	eax, [ebp+arg_C]
		ja	short loc_696B3E
		jb	short loc_696BAA
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_8]
		ja	short loc_696B3E
		jmp	short loc_696BAA
; 

loc_696B74:				; CODE XREF: AuthzBasepCompareUnsigned(x,x,x,x,x)+1Bj
		mov	eax, [ebp+arg_4]
		cmp	eax, [ebp+arg_C]
		ja	short loc_696B3E
		jb	short loc_696BAA
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_8]
		jnb	short loc_696B3E
		jmp	short loc_696BAA
; 

loc_696B88:				; CODE XREF: AuthzBasepCompareUnsigned(x,x,x,x,x)+16j
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_8]
		jnz	short loc_696BAA
		mov	eax, [ebp+arg_4]
		cmp	eax, [ebp+arg_C]
		jz	short loc_696B3E
		jmp	short loc_696BAA
; 

loc_696B9A:				; CODE XREF: AuthzBasepCompareUnsigned(x,x,x,x,x)+Dj
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_8]
		jnz	short loc_696B3E
		mov	eax, [ebp+arg_4]
		cmp	eax, [ebp+arg_C]
		jnz	short loc_696B3E

loc_696BAA:				; CODE XREF: AuthzBasepCompareUnsigned(x,x,x,x,x)+34j
					; AuthzBasepCompareUnsigned(x,x,x,x,x)+3Cj ...
		mov	cl, 1
		jmp	short loc_696B40
_AuthzBasepCompareUnsigned@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepComputeBitwise(x,	x)
_AuthzBasepComputeBitwise@8 proc near	; CODE XREF: AuthzBasepComputeExpression(x,x,x)+51p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		or	edi, 0FFFFFFFFh
		xor	esi, esi
		mov	bl, cl
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		add	edx, 18h
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi

loc_696BCF:				; CODE XREF: AuthzBasepComputeBitwise(x,x)+45j
		cmp	dword ptr [edx-0Ch], 1
		jnz	short loc_696BD9
		mov	ecx, [edx]
		jmp	short loc_696BDF
; 

loc_696BD9:				; CODE XREF: AuthzBasepComputeBitwise(x,x)+25j
		mov	eax, [edx-8]
		mov	ecx, [eax+1Ch]

loc_696BDF:				; CODE XREF: AuthzBasepComputeBitwise(x,x)+29j
		mov	eax, [ecx]
		add	edx, 1Ch
		mov	[ebp+esi*8+var_10], eax
		mov	eax, [ecx+4]
		mov	[ebp+esi*8+var_C], eax
		inc	esi
		cmp	esi, 2
		jl	short loc_696BCF
		cmp	bl, 0A3h
		jz	short loc_696C00
		mov	eax, edi
		mov	edx, edi
		jmp	short loc_696C0C
; 

loc_696C00:				; CODE XREF: AuthzBasepComputeBitwise(x,x)+4Aj
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_4]
		and	eax, [ebp+var_10]
		and	edx, [ebp+var_C]

loc_696C0C:				; CODE XREF: AuthzBasepComputeBitwise(x,x)+50j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AuthzBasepComputeBitwise@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepComputeExpression(x, x, x)
_AuthzBasepComputeExpression@12	proc near ; CODE XREF: .text:005E9967p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_1], cl
		xor	esi, esi
		mov	[ebx], esi
		mov	[ebx+4], esi
		cmp	dword ptr [edi+0Ch], 1
		lea	eax, [edi+1Ch]
		jz	short loc_696C34
		mov	eax, edi

loc_696C34:				; CODE XREF: AuthzBasepComputeExpression(x,x,x)+1Fj
		movzx	eax, word ptr [eax]
		mov	ecx, edi
		mov	[ebp+arg_0], eax
		call	AuthzBasepOperandValueTypesCompatible
		test	al, al
		jnz	short loc_696C4C

loc_696C45:				; CODE XREF: AuthzBasepComputeExpression(x,x,x)+3Fj
					; AuthzBasepComputeExpression(x,x,x)+4Bj
		mov	esi, 0C00001A2h
		jmp	short loc_696C6C
; 

loc_696C4C:				; CODE XREF: AuthzBasepComputeExpression(x,x,x)+32j
		cmp	[ebp+var_1], 0A3h
		jnz	short loc_696C45
		mov	eax, [ebp+arg_0]
		movzx	eax, ax
		dec	eax
		sub	eax, 1
		jnz	short loc_696C45
		mov	edx, edi
		mov	cl, 0A3h
		call	_AuthzBasepComputeBitwise@8 ; AuthzBasepComputeBitwise(x,x)
		mov	[ebx], eax
		mov	[ebx+4], edx

loc_696C6C:				; CODE XREF: AuthzBasepComputeExpression(x,x,x)+39j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_AuthzBasepComputeExpression@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepDeviceMemberOf(x,	x, x, x, x, x)
_AuthzBasepDeviceMemberOf@24 proc near	; CODE XREF: .text:005E9ADCp

var_70		= dword	ptr -70h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	bh, [ebp+arg_8]
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_50], edx
		lea	edi, [ebp+var_70]
		mov	edx, [ebp+arg_C]
		mov	esi, ecx
		push	7
		pop	ecx
		test	bh, bh
		mov	[ebp+var_4C], esi
		rep stosd
		mov	edi, [ebp+var_50]
		setnz	bl
		mov	[ebp+var_54], edx
		mov	[edx], al

loc_696CAF:				; CODE XREF: AuthzBasepDeviceMemberOf(x,x,x,x,x,x)+8Ej
		lea	edx, [ebp+var_70]
		mov	ecx, esi
		call	AuthzBasepGetNextValue
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	short loc_696D05
		test	esi, esi
		js	short loc_696D10
		mov	eax, [ebp+var_5C]
		cmp	eax, 44h
		jb	short loc_696CD2
		push	44h
		pop	eax

loc_696CD2:				; CODE XREF: AuthzBasepDeviceMemberOf(x,x,x,x,x,x)+58j
		push	eax		; int
		push	[ebp+var_58]	; void *
		lea	eax, [ebp+var_48]
		push	eax		; void *
		call	_memcpy
		pop	ecx
		pop	ecx
		push	dword ptr [ebp+arg_4] ;	char
		lea	eax, [ebp+var_48]
		mov	ecx, edi
		push	dword ptr [ebp+arg_0] ;	char
		push	eax		; void *
		call	_SepDeviceSidInToken@24	; SepDeviceSidInToken(x,x,x,x,x,x)
		test	bh, bh
		jz	short loc_696CFC
		and	bl, al
		jz	short loc_696D07
		jmp	short loc_696D00
; 

loc_696CFC:				; CODE XREF: AuthzBasepDeviceMemberOf(x,x,x,x,x,x)+7Fj
		or	bl, al
		jnz	short loc_696D07

loc_696D00:				; CODE XREF: AuthzBasepDeviceMemberOf(x,x,x,x,x,x)+85j
		mov	esi, [ebp+var_4C]
		jmp	short loc_696CAF
; 

loc_696D05:				; CODE XREF: AuthzBasepDeviceMemberOf(x,x,x,x,x,x)+4Cj
		xor	esi, esi

loc_696D07:				; CODE XREF: AuthzBasepDeviceMemberOf(x,x,x,x,x,x)+83j
					; AuthzBasepDeviceMemberOf(x,x,x,x,x,x)+89j
		test	esi, esi
		js	short loc_696D10
		mov	eax, [ebp+var_54]
		mov	[eax], bl

loc_696D10:				; CODE XREF: AuthzBasepDeviceMemberOf(x,x,x,x,x,x)+50j
					; AuthzBasepDeviceMemberOf(x,x,x,x,x,x)+94j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_AuthzBasepDeviceMemberOf@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepMemberOf(x, x, x,	x, x, x)
_AuthzBasepMemberOf@24 proc near	; CODE XREF: .text:005E9A09p

var_70		= dword	ptr -70h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	bh, [ebp+arg_8]
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_50], edx
		lea	edi, [ebp+var_70]
		mov	edx, [ebp+arg_C]
		mov	esi, ecx
		push	7
		pop	ecx
		test	bh, bh
		mov	[ebp+var_4C], esi
		rep stosd
		mov	edi, [ebp+var_50]
		setnz	bl
		mov	[ebp+var_54], edx
		mov	[edx], al

loc_696D5D:				; CODE XREF: AuthzBasepMemberOf(x,x,x,x,x,x)+AAj
		lea	edx, [ebp+var_70]
		mov	ecx, esi
		call	AuthzBasepGetNextValue
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	short loc_696DCF
		test	esi, esi
		js	short loc_696DDA
		mov	eax, [ebp+var_5C]
		cmp	eax, 44h
		jb	short loc_696D80
		push	44h
		pop	eax

loc_696D80:				; CODE XREF: AuthzBasepMemberOf(x,x,x,x,x,x)+58j
		push	eax		; size_t
		push	[ebp+var_58]	; void *
		lea	eax, [ebp+var_48]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_48]
		xor	ecx, ecx
		cmp	[ebp+arg_4], cl
		push	0		; char
		setnz	cl
		xor	edx, edx
		push	0		; char
		push	dword ptr [ebp+arg_4] ;	char
		dec	ecx
		push	dword ptr [ebp+arg_0] ;	char
		and	ecx, 0FFFFFF78h
		add	ecx, 154h
		push	eax		; void *
		add	ecx, edi
		call	SepSidInTokenSidHash
		test	bh, bh
		jz	short loc_696DC6
		and	bl, al
		jz	short loc_696DD1
		jmp	short loc_696DCA
; 

loc_696DC6:				; CODE XREF: AuthzBasepMemberOf(x,x,x,x,x,x)+9Bj
		or	bl, al
		jnz	short loc_696DD1

loc_696DCA:				; CODE XREF: AuthzBasepMemberOf(x,x,x,x,x,x)+A1j
		mov	esi, [ebp+var_4C]
		jmp	short loc_696D5D
; 

loc_696DCF:				; CODE XREF: AuthzBasepMemberOf(x,x,x,x,x,x)+4Cj
		xor	esi, esi

loc_696DD1:				; CODE XREF: AuthzBasepMemberOf(x,x,x,x,x,x)+9Fj
					; AuthzBasepMemberOf(x,x,x,x,x,x)+A5j
		test	esi, esi
		js	short loc_696DDA
		mov	eax, [ebp+var_54]
		mov	[eax], bl

loc_696DDA:				; CODE XREF: AuthzBasepMemberOf(x,x,x,x,x,x)+50j
					; AuthzBasepMemberOf(x,x,x,x,x,x)+B0j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_AuthzBasepMemberOf@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepPopResult(x, x, x)
_AuthzBasepPopResult@12	proc near	; CODE XREF: .text:005E9810p
					; .text:005E983Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		xor	eax, eax
		mov	ecx, [edx]
		cmp	ecx, 1
		jnb	short loc_696E05
		mov	eax, 0C00001A2h
		jmp	short loc_696E10
; 

loc_696E05:				; CODE XREF: AuthzBasepPopResult(x,x,x)+Fj
		dec	ecx
		mov	[edx], ecx
		mov	edx, [esi+ecx*4]
		mov	ecx, [ebp+arg_0]
		mov	[ecx], edx

loc_696E10:				; CODE XREF: AuthzBasepPopResult(x,x,x)+16j
		pop	esi
		pop	ebp
		retn	4
_AuthzBasepPopResult@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpWriteToEtwEx(x,	x)
_AdtpWriteToEtwEx@8 proc near		; CODE XREF: SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)+3B6p

var_BFC		= dword	ptr -0BFCh
var_BF8		= dword	ptr -0BF8h
var_BF4		= dword	ptr -0BF4h
var_BF0		= dword	ptr -0BF0h
var_BEC		= dword	ptr -0BECh
var_BE8		= word ptr -0BE8h
var_BE5		= word ptr -0BE5h
var_BE3		= byte ptr -0BE3h
var_BE2		= word ptr -0BE2h
var_BE0		= dword	ptr -0BE0h
var_BDC		= dword	ptr -0BDCh
var_BD8		= dword	ptr -0BD8h
var_BD0		= dword	ptr -0BD0h
var_8D8		= dword	ptr -8D8h
var_838		= dword	ptr -838h
var_34		= dword	ptr -34h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BFCh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_838]
		push	800h		; size_t
		mov	esi, edx
		mov	[ebp+var_BEC], ebx
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_BFC], esi
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_8D8]
		push	0A0h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_34]
		push	30h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi], bl
		mov	edx, edi
		xor	ecx, ecx
		call	AdtpNormalizeAuditInfoHelper
		cmp	[edi+2Ch], ebx
		jnz	short loc_696E92
		mov	esi, 0C000000Dh
		jmp	loc_696FD3
; 

loc_696E92:				; CODE XREF: AdtpWriteToEtwEx(x,x)+71j
		cmp	word ptr [edi+16h], 8
		mov	[ebp+var_BF8], 80200000h
		jz	short loc_696EAD
		mov	[ebp+var_BF8], 80100000h

loc_696EAD:				; CODE XREF: AdtpWriteToEtwEx(x,x)+8Cj
		lea	eax, [ebp+var_34]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_BEC]
		xor	ecx, ecx
		push	eax
		lea	eax, [ebp+var_BD8]
		push	eax
		lea	eax, [ebp+var_8D8]
		push	eax
		lea	eax, [ebp+var_838]
		push	eax
		push	2
		call	AdtpPackageParameters
		mov	esi, eax
		test	esi, esi
		js	loc_696FD3
		movzx	eax, word ptr [edi+14h]
		test	ax, ax
		jz	short loc_696F0F
		lea	ecx, [ebp+var_BF4]
		mov	[ebp+var_BF0], ebx
		push	ecx
		mov	ecx, eax
		mov	[ebp+var_BF4], ebx
		lea	edx, [ebp+var_BF0]
		call	AdtpGetCategoryAndSubCategoryId
		test	eax, eax
		jns	short loc_696F16

loc_696F0F:				; CODE XREF: AdtpWriteToEtwEx(x,x)+D4j
		mov	ecx, 0FF00h
		jmp	short loc_696F2B
; 

loc_696F16:				; CODE XREF: AdtpWriteToEtwEx(x,x)+F8j
		mov	eax, [ebp+var_BF0]
		add	eax, 30h
		shl	eax, 8
		add	eax, [ebp+var_BF4]
		movzx	ecx, ax

loc_696F2B:				; CODE XREF: AdtpWriteToEtwEx(x,x)+FFj
		mov	ax, [edi+4]
		mov	[ebp+var_BE8], ax
		mov	al, [edi+8]
		mov	[ebp-0BE6h], al
		mov	eax, ebx
		mov	[ebp+var_BE0], eax
		mov	eax, [ebp+var_BF8]
		mov	[ebp+var_BDC], eax
		xor	eax, eax
		mov	[ebp+var_BE2], cx
		mov	ecx, [ebp+var_BEC]
		mov	[ebp+var_BE5], 0Ah
		mov	[ebp+var_BE3], bl
		cmp	ax, cx
		jnb	short loc_696FA1
		lea	eax, [ebp+var_BD0]
		movzx	edx, cx

loc_696F7F:				; CODE XREF: AdtpWriteToEtwEx(x,x)+172j
		add	ebx, [eax]
		lea	eax, [eax+10h]
		sub	edx, 1
		jnz	short loc_696F7F
		cmp	ebx, 0DC00h
		jbe	short loc_696FA1
		mov	eax, [ebp+var_BFC]
		mov	esi, 80000005h
		mov	byte ptr [eax],	1
		jmp	short loc_696FD9
; 

loc_696FA1:				; CODE XREF: AdtpWriteToEtwEx(x,x)+15Fj
					; AdtpWriteToEtwEx(x,x)+17Aj
		movzx	eax, cx
		lea	edx, [ebp+var_BD8]
		neg	eax
		sbb	eax, eax
		and	eax, edx
		push	eax
		movzx	eax, cx
		lea	ecx, [ebp+var_BE8]
		push	eax
		call	_EtwWriteKMSecurityEvent@16 ; EtwWriteKMSecurityEvent(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C00002FEh
		jnz	short loc_696FD3
		mov	eax, [ebp+var_BFC]
		mov	byte ptr [eax],	1

loc_696FD3:				; CODE XREF: AdtpWriteToEtwEx(x,x)+78j
					; AdtpWriteToEtwEx(x,x)+C7j ...
		mov	ecx, [ebp+var_BEC]

loc_696FD9:				; CODE XREF: AdtpWriteToEtwEx(x,x)+18Aj
		movzx	eax, cx
		lea	edx, [ebp+var_BD8]
		push	eax
		lea	ecx, [ebp+var_34]
		call	_AdtpCleanupParameterAllocations@12 ; AdtpCleanupParameterAllocations(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AdtpWriteToEtwEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildAccessReasonAuditString(x,	x, x, x, x, x, x, x, x)
_AdtpBuildAccessReasonAuditString@36 proc near ; CODE XREF: AdtpPackageParameters+8430Cp

var_15E		= byte ptr -15Eh
var_15D		= byte ptr -15Dh
var_15C		= byte ptr -15Ch
var_15B		= byte ptr -15Bh
var_15A		= byte ptr -15Ah
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 164h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+164h+var_4], eax
		mov	eax, [ebp+arg_18]
		mov	[esp+164h+var_130], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+164h+var_140], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+164h+var_12C], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		mov	[esp+168h+var_10C], eax
		xor	ebx, ebx
		xor	eax, eax
		mov	[esp+168h+var_138], edx
		push	esi
		push	edi
		lea	edi, [esp+170h+var_124]
		mov	[esp+170h+var_134], ecx
		stosd
		xor	edx, edx
		mov	ecx, [ebp+arg_C]
		inc	edx
		mov	esi, ebx
		mov	[esp+170h+var_128], ecx
		mov	[esp+170h+var_14C], esi
		stosd
		mov	[esp+170h+var_148], ebx
		mov	[esp+17h], bl
		mov	[esp+170h+var_154], ebx
		stosd
		xor	eax, eax
		lea	edi, [esp+170h+var_118]
		mov	[esp+170h+var_15C], dl
		stosd
		mov	[esp+170h+var_15D], bl
		mov	[esp+170h+var_15A], bl
		mov	[esp+170h+var_15B], bl
		stosd
		mov	[esp+170h+var_144], ebx
		stosd
		mov	eax, [esp+170h+var_140]
		cmp	[eax], ebx
		jnz	short loc_69709D

loc_69708B:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+19Cj
		test	ecx, ecx
		jz	loc_6974AF
		call	_AdtpEtwBuildDashString@4 ; AdtpEtwBuildDashString(x)
		jmp	loc_6974AF
; 

loc_69709D:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+8Dj
		lea	edi, [eax+8Ch]
		mov	[esp+170h+var_150], ebx
		add	eax, 4
		mov	ecx, ebx
		mov	[esp+170h+var_13C], eax
		mov	[esp+170h+var_158], eax

loc_6970B4:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+18Fj
		mov	eax, [eax]
		and	eax, 0FF0000h
		jz	loc_697174
		cmp	eax, 10000h
		jz	loc_69715E
		cmp	eax, 20000h
		jz	loc_69715E
		cmp	eax, 30000h
		jz	short loc_6970FB
		cmp	eax, 40000h
		jz	short loc_6970FB
		cmp	eax, 50000h
		jz	short loc_69715E
		cmp	eax, 60000h
		jz	short loc_6970FB
		mov	al, bl
		mov	[esp+170h+var_15C], al
		jmp	short loc_697178
; 

loc_6970FB:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+E0j
					; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+E7j ...
		lea	edx, [esp+170h+var_15B]
		mov	[esp+170h+var_15C], bl
		mov	ecx, edi
		call	_AdtpIsSDValidSelfRelative@8 ; AdtpIsSDValidSelfRelative(x,x)
		mov	esi, eax
		mov	[esp+170h+var_14C], esi
		test	esi, esi
		js	short loc_697124
		cmp	[esp+170h+var_15B], bl
		jnz	short loc_69712C

loc_69711A:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+14Dj
					; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+171j
		mov	esi, 0C000000Dh
		jmp	loc_6974AF
; 

loc_697124:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+116j
		cmp	esi, 0C0000058h
		jnz	short loc_697147

loc_69712C:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+11Cj
		push	edi
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		add	eax, edi
		xor	edx, edx
		mov	ecx, eax
		mov	[esp+170h+var_144], eax
		call	_AdtpIsSDValidSelfRelative@8 ; AdtpIsSDValidSelfRelative(x,x)
		mov	esi, eax
		mov	[esp+170h+var_14C], eax

loc_697147:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+12Ej
		test	esi, esi
		js	short loc_69711A
		xor	edx, edx
		inc	edx
		mov	[esp+170h+var_15A], dl

loc_697152:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+176j
		mov	ecx, [esp+170h+var_150]
		mov	al, bl
		mov	[esp+170h+var_15D], dl
		jmp	short loc_697178
; 

loc_69715E:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+CAj
					; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+D5j ...
		xor	edx, edx
		mov	[esp+170h+var_15C], bl
		mov	ecx, edi
		call	_AdtpIsSDValidSelfRelative@8 ; AdtpIsSDValidSelfRelative(x,x)
		test	eax, eax
		js	short loc_69711A
		xor	edx, edx
		inc	edx
		jmp	short loc_697152
; 

loc_697174:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+BFj
		mov	al, [esp+170h+var_15C]

loc_697178:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+FDj
					; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+160j
		add	[esp+170h+var_158], 4
		inc	ecx
		mov	[esp+170h+var_150], ecx
		cmp	ecx, 20h
		jnb	short loc_697190
		mov	eax, [esp+170h+var_158]
		jmp	loc_6970B4
; 

loc_697190:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+189j
		cmp	al, dl
		jnz	short loc_69719D
		mov	ecx, [esp+170h+var_128]
		jmp	loc_69708B
; 

loc_69719D:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+196j
		push	100h		; size_t
		lea	eax, [esp+174h+var_108]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		xor	ecx, ecx
		add	esp, 0Ch
		inc	ecx
		cmp	[esp+170h+var_15D], cl
		jnz	short loc_6971C7
		lea	edx, [esp+170h+var_124]
		mov	ecx, edi
		call	_AdtpBuildContextFromSecurityDescriptor@8 ; AdtpBuildContextFromSecurityDescriptor(x,x)
		xor	ecx, ecx
		inc	ecx

loc_6971C7:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+1BBj
		cmp	[esp+170h+var_15A], cl
		jnz	short loc_6971DD
		mov	ecx, [esp+170h+var_144]
		lea	edx, [esp+170h+var_118]
		call	_AdtpBuildContextFromSecurityDescriptor@8 ; AdtpBuildContextFromSecurityDescriptor(x,x)
		xor	ecx, ecx
		inc	ecx

loc_6971DD:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+1CFj
		lea	edx, [esp+170h+var_108]
		mov	[esp+170h+var_158], ebx
		mov	[esp+170h+var_144], edx
		mov	esi, ebx

loc_6971EB:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+2C5j
		mov	eax, ds:_AdtpStandardAccessTypes[esi]
		mov	[esp+170h+var_150], eax
		cmp	[ebp+arg_4], cl
		jnz	short loc_697245
		mov	[esp+170h+var_15D], bl
		jmp	short loc_697204
; 

loc_697200:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+20Aj
		inc	[esp+170h+var_15D]

loc_697204:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+202j
		shr	eax, 1
		jnz	short loc_697200
		movzx	eax, [esp+170h+var_15D]
		mov	edi, [esp+170h+var_140]
		cmp	[edi+eax*4+4], ebx
		jge	loc_6972B3
		push	ecx
		push	edx
		mov	edx, [esp+178h+var_138]
		lea	eax, [edi+4]
		push	eax
		push	ecx
		push	[esp+180h+var_150]
		mov	ecx, [esp+184h+var_134]
		lea	eax, [esp+184h+var_118]
		push	eax
		lea	eax, [esp+188h+var_124]
		push	eax
		call	_AdtpBuildStagingReasonAuditStringInternal@36 ;	AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[esp+170h+var_14C], esi
		jmp	short loc_697286
; 

loc_697245:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+1FCj
		mov	edi, [esp+170h+var_140]
		mov	edi, [edi]
		and	edi, eax
		jz	short loc_6972B3
		mov	ecx, [esp+170h+var_134]
		lea	eax, [esp+17h]
		push	eax
		mov	eax, [esp+174h+var_140]
		push	ebx
		push	ebx
		push	ebx
		movzx	eax, byte ptr [eax+88h]
		push	edx
		push	[esp+184h+var_13C]
		mov	edx, [esp+188h+var_138]
		push	eax
		push	edi
		lea	eax, [esp+190h+var_118]
		push	eax
		lea	eax, [esp+194h+var_124]
		push	eax
		call	_AdtpBuildAccessReasonAuditStringInternal@48 ; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[esp+170h+var_14C], eax

loc_697286:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+247j
		test	esi, esi
		js	loc_697495
		mov	edx, [esp+170h+var_144]
		xor	ecx, ecx
		mov	edi, [esp+170h+var_154]
		mov	esi, [esp+170h+var_158]
		movzx	eax, word ptr [edx]
		add	edx, 8
		add	edi, eax
		mov	[esp+170h+var_144], edx
		inc	[esp+170h+var_148]
		inc	ecx
		mov	[esp+170h+var_154], edi
		jmp	short loc_6972B7
; 

loc_6972B3:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+219j
					; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+251j
		mov	edi, [esp+170h+var_154]

loc_6972B7:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+2B5j
		add	esi, 4
		mov	[esp+170h+var_158], esi
		cmp	esi, 1Ch
		jb	loc_6971EB
		mov	eax, [esp+170h+var_140]
		movzx	eax, word ptr [eax]
		test	eax, eax
		jz	loc_6973AF
		mov	edx, [esp+170h+var_148]
		lea	esi, [esp+170h+var_108]
		mov	eax, ecx
		mov	[esp+170h+var_150], ebx
		mov	[esp+170h+var_154], eax
		lea	edx, [esi+edx*8]
		mov	esi, [esp+170h+var_13C]
		mov	[esp+170h+var_144], edx
		mov	[esp+170h+var_158], esi

loc_6972F7:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+3ADj
		cmp	[ebp+arg_4], cl
		jnz	short loc_69732B
		cmp	[esi], ebx
		jge	loc_697393
		push	ecx
		push	edx
		push	[esp+178h+var_13C]
		mov	edx, [esp+17Ch+var_138]
		push	ecx
		mov	ecx, [esp+180h+var_134]
		push	eax
		lea	eax, [esp+184h+var_118]
		push	eax
		lea	eax, [esp+188h+var_124]
		push	eax
		call	_AdtpBuildStagingReasonAuditStringInternal@36 ;	AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[esp+170h+var_14C], esi
		jmp	short loc_69736C
; 

loc_69732B:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+2FEj
		mov	esi, [esp+170h+var_140]
		mov	esi, [esi]
		and	esi, eax
		jz	short loc_69738F
		mov	ecx, [esp+170h+var_134]
		lea	eax, [esp+17h]
		push	eax
		mov	eax, [esp+174h+var_140]
		push	ebx
		push	ebx
		push	ebx
		movzx	eax, byte ptr [eax+88h]
		push	edx
		push	[esp+184h+var_13C]
		mov	edx, [esp+188h+var_138]
		push	eax
		push	esi
		lea	eax, [esp+190h+var_118]
		push	eax
		lea	eax, [esp+194h+var_124]
		push	eax
		call	_AdtpBuildAccessReasonAuditStringInternal@48 ; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[esp+170h+var_14C], eax

loc_69736C:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+32Dj
		test	esi, esi
		js	loc_697495
		mov	edx, [esp+170h+var_144]
		xor	ecx, ecx
		movzx	eax, word ptr [edx]
		add	edx, 8
		add	edi, eax
		mov	[esp+170h+var_144], edx
		inc	[esp+170h+var_148]
		inc	ecx
		mov	eax, [esp+170h+var_154]

loc_69738F:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+337j
		mov	esi, [esp+170h+var_158]

loc_697393:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+302j
		inc	[esp+170h+var_150]
		add	esi, 4
		add	eax, eax
		mov	[esp+170h+var_158], esi
		cmp	[esp+170h+var_150], 10h
		mov	[esp+170h+var_154], eax
		jb	loc_6972F7

loc_6973AF:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+2D4j
		shr	edi, 1
		inc	edi
		mov	[esp+170h+var_154], edi
		cmp	[esp+170h+var_12C], ebx
		jz	short loc_6973DE
		mov	esi, [esp+170h+var_10C]
		test	esi, esi
		jz	short loc_6973DE
		mov	eax, [esi]
		lea	edx, [eax+edi]
		cmp	edx, 400h
		jnb	short loc_6973DE
		mov	ecx, [esp+170h+var_12C]
		mov	[esi], edx
		lea	edi, [ecx+eax*2]
		mov	al, bl
		jmp	short loc_697418
; 

loc_6973DE:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+3BEj
					; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+3C6j ...
		mov	eax, large fs:20h
		lea	edx, [edi+edi]
		push	ebx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	6B416553h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jnz	short loc_697415
		mov	esi, 0C0000017h
		jmp	loc_697495
; 

loc_697415:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+40Dj
		xor	eax, eax
		inc	eax

loc_697418:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+3E0j
		mov	ecx, [esp+170h+var_130]
		mov	esi, ebx
		mov	[ecx], al
		mov	eax, [esp+170h+var_148]
		test	eax, eax
		jz	short loc_697455

loc_697428:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+455j
		mov	ecx, [esp+esi*8+170h+var_104]
		test	ecx, ecx
		jz	short loc_69744E
		movzx	eax, word ptr [esp+esi*8+170h+var_108]
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [ebx+edi]
		push	eax		; void *
		call	_memcpy
		movzx	eax, word ptr [esp+esi*8+17Ch+var_108]
		add	esp, 0Ch
		add	ebx, eax
		mov	eax, [esp+170h+var_148]

loc_69744E:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+432j
		inc	esi
		cmp	esi, eax
		jb	short loc_697428
		xor	ebx, ebx

loc_697455:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+42Aj
		mov	edx, [esp+170h+var_154]
		xor	eax, eax
		mov	esi, [esp+170h+var_14C]
		lea	ecx, [edx+edx]
		mov	[ecx+edi-2], ax
		mov	eax, [esp+170h+var_128]
		test	eax, eax
		jz	short loc_69747C
		mov	[eax], edi
		mov	[eax+4], ebx
		mov	[eax+8], ecx
		mov	[eax+0Ch], ebx
		jmp	short loc_697495
; 

loc_69747C:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+471j
		lea	eax, [edx+edx]
		mov	large ds:4, edi
		movzx	ecx, ax
		mov	large ds:2, cx
		lea	eax, [ecx-2]
		mov	[ebx], ax

loc_697495:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+28Cj
					; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+372j ...
		mov	edi, [esp+170h+var_148]
		test	edi, edi
		jz	short loc_6974AF

loc_69749D:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+4B1j
		mov	ecx, [esp+ebx*8+170h+var_104]
		test	ecx, ecx
		jz	short loc_6974AA
		call	ExFreeHeapPool

loc_6974AA:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+4A7j
		inc	ebx
		cmp	ebx, edi
		jb	short loc_69749D

loc_6974AF:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+91j
					; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+9Cj ...
		cmp	[esp+170h+var_120], 0
		jz	short loc_6974C3
		mov	ecx, [esp+170h+var_11C]
		test	ecx, ecx
		jz	short loc_6974C3
		call	ExFreeHeapPool

loc_6974C3:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+4B8j
					; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+4C0j
		cmp	[esp+170h+var_114], 0
		jz	short loc_6974D7
		mov	ecx, [esp+170h+var_110]
		test	ecx, ecx
		jz	short loc_6974D7
		call	ExFreeHeapPool

loc_6974D7:				; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+4CCj
					; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+4D4j
		mov	ecx, [esp+170h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_AdtpBuildAccessReasonAuditString@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildAccessReasonAuditStringInternal(x,	x, x, x, x, x, x, x, x,	x, x, x)
_AdtpBuildAccessReasonAuditStringInternal@48 proc near
					; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+27Fp
					; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+365p

var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_1FE		= dword	ptr -1FEh
var_1F8		= dword	ptr -1F8h
var_1F4		= byte ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_140		= word ptr -140h
var_120		= dword	ptr -120h
var_10C		= word ptr -10Ch
var_E4		= dword	ptr -0E4h
var_C4		= dword	ptr -0C4h
var_A4		= dword	ptr -0A4h
var_84		= dword	ptr -84h
var_64		= dword	ptr -64h
var_44		= dword	ptr -44h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+20Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+20Ch+var_1F0], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+20Ch+var_1EC], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+20Ch+var_1E4], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	[esp+210h+var_17C], eax
		mov	eax, [ebp+arg_24]
		push	esi
		mov	[esp+214h+var_180], eax
		xor	eax, eax
		mov	[esp+214h+var_1E8], ecx
		xor	ecx, ecx
		push	edi
		mov	edi, eax
		mov	[esp+218h+var_1FE+2], edx
		mov	[esp+218h+var_1C4], eax
		inc	ecx
		mov	byte ptr [esp+218h+var_1FE+1], al
		mov	dword ptr [esp+218h+var_1F4], eax
		mov	[esp+218h+var_1F8], eax
		mov	[esp+218h+var_1CC], eax
		mov	[esp+218h+var_1C8], eax
		mov	[esp+218h+var_208], eax
		mov	[esp+218h+var_204], edi
		mov	[esp+218h+var_1D4], eax
		mov	[esp+218h+var_1D0], eax

loc_697572:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+8Cj
		test	ecx, ebx
		jnz	short loc_697580
		inc	eax
		add	ecx, ecx	; int
		cmp	eax, 20h
		jb	short loc_697572
		jmp	short loc_697584
; 

loc_697580:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+84j
		mov	[esp+218h+var_1F8], eax

loc_697584:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+8Ej
		push	14h
		lea	eax, [esp+21Ch+var_120]
		mov	edx, 709h
		mov	[esp+21Ch+var_1A4], eax
		lea	ecx, [esp+21Ch+var_1C0]
		pop	eax
		mov	word ptr [esp+218h+var_1A8+2], ax
		xor	eax, eax
		mov	word ptr [esp+218h+var_1A8], ax
		lea	eax, [esp+218h+var_E4]
		push	1Eh
		mov	[esp+21Ch+var_1BC], eax
		pop	eax
		mov	word ptr [esp+218h+var_1C0+2], ax
		xor	eax, eax
		push	1		; char
		mov	word ptr [esp+21Ch+var_1C0], ax
		call	_AdtpFormatPrefix@12 ; AdtpFormatPrefix(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_697F21
		lea	eax, [esp+218h+var_C4]
		mov	edx, 70Ah	; int
		push	1Eh
		mov	[esp+21Ch+var_19C], eax
		lea	ecx, [esp+21Ch+var_1A0]
		pop	eax
		mov	word ptr [esp+218h+var_1A0+2], ax
		xor	eax, eax
		push	1		; char
		mov	word ptr [esp+21Ch+var_1A0], ax
		call	_AdtpFormatPrefix@12 ; AdtpFormatPrefix(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_697F21
		lea	eax, [esp+218h+var_A4]
		mov	edx, 713h	; int
		push	1Eh
		mov	[esp+21Ch+var_194], eax
		lea	ecx, [esp+21Ch+var_198]
		pop	eax
		mov	word ptr [esp+218h+var_198+2], ax
		xor	eax, eax
		push	1		; char
		mov	word ptr [esp+21Ch+var_198], ax
		call	_AdtpFormatPrefix@12 ; AdtpFormatPrefix(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_697F21
		lea	eax, [esp+218h+var_84]
		mov	edx, 714h	; int
		push	1Eh
		mov	[esp+21Ch+var_18C], eax
		lea	ecx, [esp+21Ch+var_190]
		pop	eax
		mov	word ptr [esp+218h+var_190+2], ax
		xor	eax, eax
		push	1		; char
		mov	word ptr [esp+21Ch+var_190], ax
		call	_AdtpFormatPrefix@12 ; AdtpFormatPrefix(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_697F21
		lea	eax, [esp+218h+var_64]
		mov	edx, 712h	; int
		push	1Eh
		mov	[esp+21Ch+var_1AC], eax
		lea	ecx, [esp+21Ch+var_1B0]
		pop	eax
		mov	word ptr [esp+218h+var_1B0+2], ax
		xor	eax, eax
		push	1		; char
		mov	word ptr [esp+21Ch+var_1B0], ax
		call	_AdtpFormatPrefix@12 ; AdtpFormatPrefix(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_697F21
		lea	eax, [esp+218h+var_44]
		mov	edx, 716h	; int
		push	1Eh
		mov	[esp+21Ch+var_184], eax
		lea	ecx, [esp+21Ch+var_188]
		pop	eax
		mov	word ptr [esp+218h+var_188+2], ax
		xor	eax, eax
		push	eax		; char
		mov	word ptr [esp+21Ch+var_188], ax
		call	_AdtpFormatPrefix@12 ; AdtpFormatPrefix(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_697F21
		lea	eax, [esp+218h+var_24]
		mov	edx, 718h	; int
		push	1Eh
		mov	[esp+21Ch+var_1B4], eax
		lea	ecx, [esp+21Ch+var_1B8]
		pop	eax
		mov	word ptr [esp+218h+var_1B8+2], ax
		xor	eax, eax
		push	eax		; char
		mov	word ptr [esp+21Ch+var_1B8], ax
		call	_AdtpFormatPrefix@12 ; AdtpFormatPrefix(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_697F21
		mov	edx, [esp+218h+var_1FE+2]
		lea	eax, [esp+1Bh]
		mov	ecx, [esp+218h+var_1E8]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+228h+var_1CC]
		push	eax
		push	2
		pop	eax
		push	eax
		push	ebx
		call	_AdtpBuildAccessesString@36 ; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_697F21
		movzx	eax, word ptr [esp+218h+var_1CC]
		mov	edx, offset unk_700000
		mov	ecx, [esp+218h+var_1E4]
		shr	eax, 1
		mov	[esp+218h+var_1E8], eax
		mov	eax, [esp+218h+var_1F8]
		mov	ecx, [ecx+eax*4]
		mov	ebx, ecx
		and	ebx, 0FF0000h
		mov	eax, 200000h
		cmp	ebx, eax
		ja	loc_697CED
		jz	loc_697ABE
		mov	eax, 40000h
		cmp	ebx, eax
		ja	loc_697A8D
		mov	esi, 20000h
		jz	short loc_6977C4
		test	ebx, ebx
		jz	loc_697D34
		cmp	ebx, 10000h
		jz	short loc_6977C4
		cmp	ebx, esi
		jz	short loc_6977C4
		cmp	ebx, 30000h
		jnz	loc_697E32

loc_6977C4:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+2B2j
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+2C2j ...
		xor	eax, eax
		lea	edi, [esp+218h+var_174]
		mov	[esp+218h+var_1FE+2], eax
		mov	byte ptr [esp+218h+var_1FE], al
		mov	[esp+218h+var_1F8], eax
		stosd
		stosd
		stosd
		stosd
		stosd
		movzx	edi, cx
		cmp	ebx, 10000h
		jz	short loc_6977F1
		mov	eax, [esp+218h+var_1EC]
		cmp	ebx, esi
		jnz	short loc_6977F5

loc_6977F1:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+2F7j
		mov	eax, [esp+218h+var_1F0]

loc_6977F5:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+2FFj
		lea	ecx, [esp+43h]
		push	ecx
		lea	ecx, [esp+21Ch+var_1FE+2]
		push	ecx
		lea	ecx, [esp+220h+var_1FE]
		push	ecx
		push	dword ptr [eax]
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_697F1D
		cmp	byte ptr [esp+218h+var_1FE], 0
		jz	loc_697F1D
		lea	eax, [esp+218h+var_1F8]
		push	eax
		push	edi
		push	[esp+220h+var_1FE+2]
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_697F1D
		mov	eax, [esp+218h+var_1F8]
		xor	ecx, ecx
		mov	[esp+218h+var_1E4], eax
		push	ecx
		inc	ecx
		movzx	esi, word ptr [eax+2]
		mov	eax, large fs:20h
		add	esi, 8
		mov	edx, esi
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	6B416553h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jnz	short loc_697881
		mov	esi, 0C0000017h
		jmp	loc_697F1D
; 

loc_697881:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+385j
		mov	eax, [esp+218h+var_1FE+2]
		movzx	eax, byte ptr [eax]
		push	eax		; int
		push	esi		; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_697F12
		mov	eax, [esp+218h+var_1E4]
		movzx	eax, word ptr [eax+2]
		push	eax
		push	[esp+21Ch+var_1F8]
		xor	eax, eax
		push	eax
		mov	eax, [esp+224h+var_1FE+2]
		movzx	eax, byte ptr [eax]
		push	eax
		push	edi
		call	RtlAddAce
		mov	esi, eax
		test	esi, esi
		js	loc_697F12
		push	1
		lea	eax, [esp+21Ch+var_174]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_697F12
		xor	eax, eax
		push	eax
		push	edi
		push	1
		lea	eax, [esp+224h+var_174]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_697F12
		lea	eax, [esp+218h+var_178]
		push	eax
		lea	eax, [esp+21Ch+var_1F4]
		push	eax
		push	4
		push	1
		lea	eax, [esp+228h+var_174]
		push	eax
		call	SeConvertSecurityDescriptorToStringSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_697922
		mov	esi, dword ptr [esp+218h+var_1F4]
		jmp	short loc_697956
; 

loc_697922:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+42Aj
		cmp	esi, 0C0000017h
		jz	loc_697F05
		push	esi		; char
		push	offset ??_C@_1BC@JBLGCGBA@?$AA?$DM?$AA0?$AAx?$AA?$CF?$AA0?$AA8?$AAX?$AA?$DO@FNODOBFM@ ;	wchar_t	*
		lea	eax, [esp+220h+var_140]
		push	10h		; int
		push	eax		; wchar_t *
		call	StringCchPrintfW
		add	esp, 10h
		lea	esi, [esp+218h+var_140]
		test	eax, eax
		jns	short loc_697956
		mov	esi, offset ??_C@_13IMODFHAA@?$AA?9@FNODOBFM@

loc_697956:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+430j
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+45Fj
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_69795B:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+476j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+218h+var_1C4]
		jnz	short loc_69795B
		sub	ecx, edx
		sar	ecx, 1
		inc	ecx
		mov	[esp+218h+var_1F0], ecx
		lea	eax, [ecx+ecx]
		cmp	eax, 0FFFFh
		jbe	short loc_6979C3
		push	724h		; char
		push	(offset	loc_5A7403+1) ;	wchar_t	*
		lea	eax, [esp+220h+var_140]
		push	10h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	loc_697F05
		lea	esi, [esp+218h+var_140]
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_6979AD:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+4C8j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+218h+var_1C4]
		jnz	short loc_6979AD
		sub	ecx, edx
		sar	ecx, 1
		inc	ecx
		mov	[esp+218h+var_1F0], ecx

loc_6979C3:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+489j
		mov	eax, large fs:20h
		xor	edx, edx
		push	edx
		lea	edx, ds:36h[ecx*2]
		xor	ecx, ecx
		inc	ecx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	6B416553h
		call	ExpAllocatePoolWithTagFromNode
		mov	[esp+218h+var_204], eax
		test	eax, eax
		jnz	short loc_697A05
		mov	esi, 0C0000017h
		jmp	loc_697F05
; 

loc_697A05:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+509j
		xor	eax, eax
		mov	word ptr [esp+218h+var_208], ax
		mov	eax, [esp+218h+var_1F0]
		lea	eax, ds:36h[eax*2]
		mov	word ptr [esp+218h+var_208+2], ax
		cmp	ebx, 10000h
		jnz	short loc_697A2A
		lea	eax, [esp+218h+var_1C0]
		jmp	short loc_697A58
; 

loc_697A2A:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+532j
		cmp	ebx, 20000h
		jnz	short loc_697A38
		lea	eax, [esp+218h+var_1A0]
		jmp	short loc_697A58
; 

loc_697A38:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+540j
		cmp	ebx, 30000h
		jnz	short loc_697A49
		lea	eax, [esp+218h+var_198]
		jmp	short loc_697A58
; 

loc_697A49:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+54Ej
		cmp	ebx, 40000h
		jnz	short loc_697A63
		lea	eax, [esp+218h+var_190]

loc_697A58:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+538j
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+546j ...
		push	eax
		lea	eax, [esp+21Ch+var_208]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)

loc_697A63:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+55Fj
		push	esi		; void *
		lea	eax, [esp+21Ch+var_208]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	ecx, dword ptr [esp+218h+var_1F4]
		test	ecx, ecx
		jz	short loc_697A81
		call	ExFreeHeapPool
		xor	eax, eax
		mov	dword ptr [esp+218h+var_1F4], eax

loc_697A81:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+584j
		mov	ecx, edi
		call	ExFreeHeapPool
		jmp	loc_697E32
; 

loc_697A8D:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+2A7j
		mov	eax, 60000h
		cmp	ebx, 50000h
		jz	loc_697B71
		cmp	ebx, eax
		jz	loc_697B71
		cmp	ebx, 70000h
		jz	loc_697D3C
		cmp	ebx, 100000h
		jnz	loc_697E32

loc_697ABE:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+29Aj
		xor	eax, eax
		lea	edx, [esp+218h+var_1D4]
		inc	eax
		mov	[esp+218h+var_160], eax
		mov	[esp+218h+var_15C], eax
		movzx	eax, cx
		xor	ecx, ecx
		mov	[esp+218h+var_158], eax
		lea	eax, [esp+218h+var_1FE+1]
		push	eax
		push	ecx
		push	ecx
		mov	[esp+224h+var_154], ecx
		mov	[esp+224h+var_150], ecx
		push	ecx
		lea	ecx, [esp+228h+var_160]
		call	_AdtpBuildPrivilegeAuditString@24 ; AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_697F21
		mov	eax, large fs:20h
		xor	ecx, ecx
		movzx	esi, word ptr [esp+218h+var_1D4]
		shr	esi, 1
		push	ecx
		mov	eax, [eax+338h]
		add	esi, 1Bh
		inc	ecx
		movzx	eax, word ptr [eax+8Ah]
		lea	edx, [esi+esi]
		or	eax, 80000000h
		push	eax
		push	6B416553h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		mov	[esp+218h+var_204], edi
		test	edi, edi
		jz	loc_697C61
		xor	eax, eax
		mov	word ptr [esp+218h+var_208], ax
		lea	eax, [esi+esi]
		mov	word ptr [esp+218h+var_208+2], ax
		cmp	ebx, 200000h
		jnz	loc_697CAB
		lea	eax, [esp+218h+var_1C0]
		jmp	loc_697CB7
; 

loc_697B71:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+5A8j
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+5B0j
		mov	[esp+218h+var_1DC], offset ??_C@_13IMODFHAA@?$AA?9@FNODOBFM@
		mov	esi, offset ??_C@_19KCEMLJNN@?$AA?$CD?$AA?5?$AA?$CF?$AAd@FNODOBFM@
		movzx	edx, cx
		lea	edi, [esp+218h+var_14C]
		push	2
		movsd
		movsd
		movsw
		pop	edi
		mov	word ptr [esp+218h+var_1E0+2], di
		mov	si, di
		mov	word ptr [esp+218h+var_1E0], si
		cmp	ebx, eax
		jz	short loc_697BB9
		mov	ecx, [esp+218h+var_1F0]

loc_697BA4:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+6CDj
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_697BDB
		cmp	edx, eax
		jb	short loc_697BBF
		mov	esi, 0C000000Dh
		jmp	loc_697F1D
; 

loc_697BB9:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+6AEj
		mov	ecx, [esp+218h+var_1EC]
		jmp	short loc_697BA4
; 

loc_697BBF:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+6BDj
		mov	ecx, [ecx+8]
		mov	eax, [ecx+edx*8]
		mov	[esp+218h+var_1E0], eax
		mov	si, word ptr [esp+218h+var_1E0]
		mov	eax, [ecx+edx*8+4]
		mov	[esp+218h+var_1DC], eax
		cmp	si, di
		ja	short loc_697C28

loc_697BDB:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+6B9j
		push	edx		; char
		xor	ecx, ecx
		lea	eax, [esp+21Ch+var_14C]
		push	eax		; int
		push	ecx		; int
		lea	eax, [esp+224h+var_1EC]
		mov	[esp+224h+var_1EC], ecx
		push	eax		; int
		push	ecx		; int
		lea	eax, [esp+22Ch+var_10C]
		push	14h		; int
		push	eax		; wchar_t *
		call	_StringCchPrintfExW
		add	esp, 1Ch
		test	eax, eax
		js	short loc_697C28
		push	28h
		pop	eax
		push	14h
		pop	esi
		sub	esi, [esp+218h+var_1EC]
		mov	word ptr [esp+218h+var_1E0+2], ax
		add	esi, esi
		lea	eax, [esp+218h+var_10C]
		mov	word ptr [esp+218h+var_1E0], si
		mov	[esp+218h+var_1DC], eax

loc_697C28:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+6E9j
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+715j
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	ecx
		movzx	esi, si
		inc	ecx
		add	esi, 36h
		mov	eax, [eax+338h]
		mov	edx, esi
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	6B416553h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		mov	[esp+218h+var_204], edi
		test	edi, edi
		jnz	short loc_697C6B

loc_697C61:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+657j
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+8FBj
		mov	esi, 0C0000017h
		jmp	loc_697F21
; 

loc_697C6B:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+76Fj
		xor	eax, eax
		mov	word ptr [esp+218h+var_208], ax
		lea	eax, [esi+esi]
		mov	word ptr [esp+218h+var_208+2], ax
		cmp	ebx, 50000h
		jnz	short loc_697C8B
		lea	eax, [esp+218h+var_188]
		jmp	short loc_697C97
; 

loc_697C8B:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+790j
		cmp	ebx, 60000h
		jnz	short loc_697CA2
		lea	eax, [esp+218h+var_1B8]

loc_697C97:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+799j
		push	eax
		lea	eax, [esp+21Ch+var_208]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)

loc_697CA2:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+7A1j
		lea	eax, [esp+218h+var_1E0]
		jmp	loc_697E27
; 

loc_697CAB:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+672j
		cmp	ebx, 100000h
		jnz	short loc_697CC2
		lea	eax, [esp+218h+var_1B0]

loc_697CB7:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+67Cj
		push	eax
		lea	eax, [esp+21Ch+var_208]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)

loc_697CC2:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+7C1j
		lea	eax, [esp+218h+var_1D4]
		push	eax
		lea	eax, [esp+21Ch+var_208]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	ecx, [esp+218h+var_1D0]
		test	ecx, ecx
		jz	loc_697E32
		call	ExFreeHeapPool
		xor	eax, eax
		mov	[esp+218h+var_1D0], eax
		jmp	loc_697E32
; 

loc_697CED:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+294j
		cmp	ebx, edx
		ja	short loc_697D18
		jz	short loc_697D34
		cmp	ebx, 300000h
		jz	short loc_697D34
		cmp	ebx, 400000h
		jz	short loc_697D34
		cmp	ebx, offset loc_500000
		jz	short loc_697D34
		cmp	ebx, (offset loc_5FFFFF+1)
		jz	short loc_697D34
		jmp	loc_697E32
; 

loc_697D18:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+7FFj
		cmp	ebx, 800000h
		jz	short loc_697D34
		cmp	ebx, (offset loc_8FFFFD+3)
		jz	short loc_697D34
		cmp	ebx, 0A00000h
		jnz	loc_697E32

loc_697D34:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+2B6j
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+801j ...
		cmp	ebx, 70000h
		jnz	short loc_697D43

loc_697D3C:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+5BCj
		mov	esi, 726h
		jmp	short loc_697D4A
; 

loc_697D43:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+84Aj
		mov	esi, [esp+218h+var_178]

loc_697D4A:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+851j
		cmp	ebx, 300000h
		jnz	short loc_697D57
		mov	esi, 70Bh

loc_697D57:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+860j
		cmp	ebx, 400000h
		jnz	short loc_697D64
		mov	esi, 70Ch

loc_697D64:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+86Dj
		cmp	ebx, offset loc_500000
		jnz	short loc_697D71
		mov	esi, 70Eh

loc_697D71:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+87Aj
		cmp	ebx, (offset loc_5FFFFF+1)
		jnz	short loc_697D7E
		mov	esi, 70Fh

loc_697D7E:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+887j
		cmp	ebx, edx
		jnz	short loc_697D87
		mov	esi, 710h

loc_697D87:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+890j
		test	ebx, ebx
		jnz	short loc_697D90
		mov	esi, 711h

loc_697D90:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+899j
		cmp	ebx, 800000h
		jnz	short loc_697D9D
		mov	esi, 70Dh

loc_697D9D:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+8A6j
		cmp	ebx, (offset loc_8FFFFD+3)
		jnz	short loc_697DAA
		mov	esi, 731h

loc_697DAA:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+8B3j
		cmp	ebx, 0A00000h
		jnz	short loc_697DB7
		mov	esi, 740h

loc_697DB7:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+8C0j
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	ecx
		inc	ecx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	6B416553h
		push	4Eh
		pop	ebx
		mov	edx, ebx
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		mov	[esp+218h+var_204], edi
		test	edi, edi
		jz	loc_697C61
		xor	eax, eax
		mov	word ptr [esp+218h+var_208+2], bx
		mov	word ptr [esp+218h+var_208], ax
		lea	eax, [esp+218h+var_208]
		push	offset ??_C@_15IOLAJFNF@?$AA?$CF?$AA?$CF@FNODOBFM@ ; void *
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [esp+218h+var_1A8]
		push	eax
		push	0Ah
		push	esi
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_697F1D
		lea	eax, [esp+218h+var_1A8]

loc_697E27:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+7B6j
		push	eax
		lea	eax, [esp+21Ch+var_208]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)

loc_697E32:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+2CEj
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+598j ...
		push	offset ??_C@_1O@MKNEDAKB@?$AA?$AN?$AA?6?$AA?7?$AA?7?$AA?7?$AA?7@FNODOBFM@ ; void *
		lea	eax, [esp+21Ch+var_208]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		movzx	ebx, word ptr [esp+218h+var_208]
		mov	esi, eax
		mov	ecx, [esp+218h+var_1E8]
		mov	eax, ebx
		shr	eax, 1
		inc	ecx
		add	ecx, eax
		xor	edx, edx
		mov	eax, large fs:20h
		mov	[esp+218h+var_1E8], ecx
		add	ecx, ecx
		push	edx
		mov	[esp+21Ch+var_1E4], ecx
		mov	edx, ecx
		mov	eax, [eax+338h]
		xor	ecx, ecx
		inc	ecx
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	6B416553h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jnz	short loc_697E95
		mov	esi, 0C0000017h
		jmp	short loc_697F01
; 

loc_697E95:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+99Cj
		mov	eax, [esp+218h+var_180]
		mov	ecx, [esp+218h+var_1CC]
		mov	byte ptr [eax],	1
		test	cx, cx
		jz	short loc_697EBD
		movzx	eax, cx
		push	eax		; size_t
		push	[esp+21Ch+var_1C8] ; void *
		push	edi		; void *
		call	_memcpy
		mov	ecx, [esp+224h+var_1CC]
		add	esp, 0Ch

loc_697EBD:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+9B6j
		cmp	word ptr [esp+218h+var_208], 0
		jz	short loc_697ED9
		mov	eax, [esp+218h+var_204]
		push	ebx		; size_t
		push	eax		; void *
		movzx	eax, cx
		add	eax, edi
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_697ED9:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+9D3j
		mov	eax, [esp+218h+var_1E4]
		xor	ecx, ecx
		mov	edx, [esp+218h+var_17C]
		mov	[eax+edi-2], cx
		mov	eax, [esp+218h+var_1E8]
		add	eax, eax
		mov	[edx+4], edi
		movzx	ecx, ax
		mov	[edx+2], cx
		lea	eax, [ecx-2]
		mov	[edx], ax

loc_697F01:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+9A3j
		xor	eax, eax
		mov	edi, eax

loc_697F05:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+438j
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+4ABj ...
		mov	ecx, dword ptr [esp+218h+var_1F4]
		test	ecx, ecx
		jz	short loc_697F12
		call	ExFreeHeapPool

loc_697F12:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+3A4j
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+3CCj ...
		test	edi, edi
		jz	short loc_697F1D
		mov	ecx, edi
		call	ExFreeHeapPool

loc_697F1D:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+31Fj
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+32Aj ...
		mov	edi, [esp+218h+var_204]

loc_697F21:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+DCj
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+113j ...
		mov	ecx, [esp+218h+var_1D0]
		test	ecx, ecx
		jz	short loc_697F2E
		call	ExFreeHeapPool

loc_697F2E:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+A37j
		mov	ecx, [esp+218h+var_1C8]
		test	ecx, ecx
		jz	short loc_697F3B
		call	ExFreeHeapPool

loc_697F3B:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+A44j
		test	edi, edi
		jz	short loc_697F46
		mov	ecx, edi
		call	ExFreeHeapPool

loc_697F46:				; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+A4Dj
		mov	ecx, [esp+218h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	28h
_AdtpBuildAccessReasonAuditStringInternal@48 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildContextFromSecurityDescriptor(x, x)
_AdtpBuildContextFromSecurityDescriptor@8 proc near
					; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+1C3p
					; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+1D9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		lea	edx, [ebp+var_4]
		mov	[esi], ecx
		call	_AdtpGetCapID@8	; AdtpGetCapID(x,x)
		test	eax, eax
		js	short loc_697F8D
		mov	ecx, [ebp+var_4]
		lea	eax, [esi+8]
		push	eax
		lea	edx, [esi+4]
		call	_SeRmReferenceFindCapName@12 ; SeRmReferenceFindCapName(x,x,x)
		test	eax, eax
		jns	short loc_697F95

loc_697F8D:				; CODE XREF: AdtpBuildContextFromSecurityDescriptor(x,x)+19j
		and	dword ptr [esi+4], 0
		and	dword ptr [esi+8], 0

loc_697F95:				; CODE XREF: AdtpBuildContextFromSecurityDescriptor(x,x)+2Cj
		pop	esi
		leave
		retn
_AdtpBuildContextFromSecurityDescriptor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildStagingReasonAuditStringInternal(x, x, x, x, x, x,	x, x, x)
_AdtpBuildStagingReasonAuditStringInternal@36 proc near
					; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+23Cp
					; AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+322p

var_9A		= byte ptr -9Ah
var_99		= byte ptr -99h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4C		= word ptr -4Ch
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+9Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[esp+0A8h+var_7C], eax
		lea	edi, [esp+0A8h+var_58]
		mov	eax, [ebp+arg_4]
		mov	esi, offset ??_C@_19KCEMLJNN@?$AA?$CD?$AA?5?$AA?$CF?$AAd@FNODOBFM@
		mov	[esp+0A8h+var_78], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+0A8h+var_60], eax
		mov	eax, [ebp+arg_14]
		movsd
		mov	[esp+0A8h+var_5C], eax
		mov	[esp+0A8h+var_98], ecx
		xor	ecx, ecx
		xor	eax, eax
		mov	[esp+0A8h+var_70], ecx
		mov	word ptr [esp+0A8h+var_68], ax
		mov	ebx, ecx
		push	1Eh
		movsd
		pop	eax
		mov	word ptr [esp+0A8h+var_68+2], ax
		lea	eax, [esp+0A8h+var_24]
		push	2
		movsw
		pop	edi
		mov	[esp+0A8h+var_64], eax
		mov	ax, di
		mov	[esp+0A8h+var_94], eax
		mov	word ptr [esp+0A8h+var_90], ax
		mov	al, cl
		mov	[esp+0A8h+var_6C], ecx
		mov	[esp+0A8h+var_88], ecx
		mov	[esp+0A8h+var_99], cl
		mov	ecx, [ebp+arg_8]
		mov	[esp+0A8h+var_80], ebx
		mov	word ptr [esp+0A8h+var_90+2], di
		mov	[esp+0A8h+var_8C], offset ??_C@_13IMODFHAA@?$AA?9@FNODOBFM@
		jmp	short loc_69803B
; 

loc_698039:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+A5j
		inc	al

loc_69803B:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+9Fj
		shr	ecx, 1
		jnz	short loc_698039
		mov	ecx, [esp+0A8h+var_98]
		movzx	esi, al
		lea	eax, [esp+0Fh]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+0B8h+var_70]
		push	eax
		push	edi
		push	[ebp+arg_8]
		call	_AdtpBuildAccessesString@36 ; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_69815B
		mov	ebx, [esp+0A8h+var_60]
		movzx	eax, word ptr [esp+0A8h+var_70]
		shr	eax, 1
		mov	[esp+0A8h+var_74], eax
		mov	eax, 200000h
		mov	ebx, [ebx+esi*4]
		mov	esi, ebx
		shr	ebx, 18h
		and	esi, 0FF0000h
		and	ebx, 7Fh
		cmp	esi, eax
		ja	short loc_6980D9
		jz	short loc_698110
		cmp	esi, 10000h
		jz	short loc_698110
		cmp	esi, 20000h
		jz	short loc_698117
		cmp	esi, 30000h
		jz	short loc_6980D2
		cmp	esi, 50000h
		jz	short loc_698117
		cmp	esi, 60000h
		jz	short loc_6980CB
		cmp	esi, 70000h
		jz	short loc_698117
		cmp	esi, 100000h
		jmp	short loc_698107
; 

loc_6980CB:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+121j
		mov	eax, 717h
		jmp	short loc_69811C
; 

loc_6980D2:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+111j
		mov	eax, 718h
		jmp	short loc_69811C
; 

loc_6980D9:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+F7j
		cmp	esi, 300000h
		jz	short loc_698117
		cmp	esi, 400000h
		jz	short loc_698110
		cmp	esi, offset loc_500000
		jz	short loc_698117
		cmp	esi, (offset loc_5FFFFF+1)
		jz	short loc_698110
		cmp	esi, offset unk_700000
		jz	short loc_698110
		cmp	esi, (offset loc_7FFFFF+1)

loc_698107:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+131j
		jz	short loc_698117
		mov	eax, 711h
		jmp	short loc_69811C
; 

loc_698110:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+F9j
					; AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+101j ...
		mov	eax, 716h
		jmp	short loc_69811C
; 

loc_698117:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+109j
					; AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+119j ...
		mov	eax, 715h

loc_69811C:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+138j
					; AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+13Fj ...
		push	0		; char
		mov	edx, eax	; int
		mov	[esp+0ACh+var_98], eax
		lea	ecx, [esp+0ACh+var_68] ; int
		call	_AdtpFormatPrefix@12 ; AdtpFormatPrefix(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_698157
		cmp	esi, 30000h
		jz	short loc_698193
		cmp	esi, 60000h
		jz	short loc_698193
		mov	ecx, [esp+0A8h+var_7C]

loc_698147:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+1FFj
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_6981BA
		cmp	ebx, eax
		jb	short loc_698199
		mov	edi, 0C000000Dh

loc_698157:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+199j
		mov	ebx, [esp+0A8h+var_80]

loc_69815B:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+CAj
					; AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+2A9j ...
		cmp	[esp+0A8h+var_99], 0
		jz	short loc_69816F
		mov	ecx, [esp+0A8h+var_6C]
		test	ecx, ecx
		jz	short loc_69816F
		call	ExFreeHeapPool

loc_69816F:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+1C8j
					; AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+1D0j
		test	ebx, ebx
		jz	short loc_69817A
		mov	ecx, ebx
		call	ExFreeHeapPool

loc_69817A:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+1D9j
		mov	ecx, [esp+0A8h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_698193:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+1A1j
					; AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+1A9j
		mov	ecx, [esp+0A8h+var_78]
		jmp	short loc_698147
; 

loc_698199:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+1B8j
		mov	ecx, [ecx+8]
		push	2
		mov	eax, [ecx+ebx*8]
		mov	[esp+0ACh+var_90], eax
		mov	eax, [ecx+ebx*8+4]
		mov	si, word ptr [esp+0ACh+var_90]
		mov	[esp+0ACh+var_8C], eax
		pop	eax
		cmp	si, ax
		ja	short loc_698202
		jmp	short loc_6981BE
; 

loc_6981BA:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+1B4j
		mov	esi, [esp+0A8h+var_94]

loc_6981BE:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+220j
		push	ebx		; char
		xor	ecx, ecx
		lea	eax, [esp+0ACh+var_58]
		push	eax		; int
		push	ecx		; int
		lea	eax, [esp+0B4h+var_94]
		mov	[esp+0B4h+var_94], ecx
		push	eax		; int
		push	ecx		; int
		lea	eax, [esp+0BCh+var_4C]
		push	14h		; int
		push	eax		; wchar_t *
		call	_StringCchPrintfExW
		add	esp, 1Ch
		test	eax, eax
		js	short loc_698202
		push	28h
		pop	eax
		push	14h
		pop	esi
		sub	esi, [esp+0A8h+var_94]
		mov	word ptr [esp+0A8h+var_90+2], ax
		add	esi, esi
		lea	eax, [esp+0A8h+var_4C]
		mov	word ptr [esp+0A8h+var_90], si
		mov	[esp+0A8h+var_8C], eax

loc_698202:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+21Ej
					; AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+24Aj
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	0
		movzx	esi, si
		inc	ecx
		add	esi, 36h
		mov	eax, [eax+338h]
		mov	edx, esi
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	6B416553h
		call	ExpAllocatePoolWithTagFromNode
		mov	ebx, eax
		mov	[esp+0A8h+var_84], ebx
		test	ebx, ebx
		jnz	short loc_698246
		mov	edi, 0C0000017h
		jmp	loc_69815B
; 

loc_698246:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+2A2j
		xor	eax, eax
		mov	word ptr [esp+0A8h+var_88], ax
		lea	eax, [esi+esi]
		mov	word ptr [esp+0A8h+var_88+2], ax
		lea	eax, [esp+0A8h+var_68]
		push	eax
		lea	eax, [esp+0ACh+var_88]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		cmp	[esp+0A8h+var_98], 711h
		jz	short loc_69827D
		lea	eax, [esp+0A8h+var_90]
		push	eax
		lea	eax, [esp+0ACh+var_88]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)

loc_69827D:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+2D4j
		push	offset ??_C@_1O@MKNEDAKB@?$AA?$AN?$AA?6?$AA?7?$AA?7?$AA?7?$AA?7@FNODOBFM@ ; void *
		lea	eax, [esp+0ACh+var_88]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	ecx, [esp+0A8h+var_74]
		mov	edi, eax
		movzx	eax, word ptr [esp+0A8h+var_88]
		inc	ecx
		mov	[esp+0A8h+var_78], eax
		shr	eax, 1
		add	ecx, eax
		mov	eax, large fs:20h
		mov	[esp+0A8h+var_7C], ecx
		add	ecx, ecx
		push	0
		mov	[esp+0ACh+var_74], ecx
		mov	edx, ecx
		mov	eax, [eax+338h]
		xor	ecx, ecx
		inc	ecx
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	6B416553h
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jnz	short loc_6982E8
		mov	ebx, [esp+0A8h+var_84]
		mov	edi, 0C0000017h
		jmp	loc_69815B
; 

loc_6982E8:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+340j
		mov	eax, [esp+0A8h+var_70]
		test	ax, ax
		jz	short loc_698306
		movzx	eax, ax
		push	eax		; size_t
		push	[esp+0ACh+var_6C] ; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [esp+0B4h+var_70]
		add	esp, 0Ch

loc_698306:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+357j
		cmp	word ptr [esp+0A8h+var_88], 0
		mov	ebx, [esp+0A8h+var_84]
		jz	short loc_698325
		push	[esp+0A8h+var_78] ; size_t
		movzx	eax, ax
		add	eax, esi
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_698325:				; CODE XREF: AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+378j
		mov	eax, [esp+0A8h+var_74]
		xor	ecx, ecx
		mov	edx, [esp+0A8h+var_5C]
		mov	[eax+esi-2], cx
		mov	eax, [esp+0A8h+var_7C]
		add	eax, eax
		mov	[edx+4], esi
		movzx	ecx, ax
		mov	[edx+2], cx
		lea	eax, [ecx-2]
		mov	[edx], ax
		jmp	loc_69815B
_AdtpBuildStagingReasonAuditStringInternal@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall AdtpFormatPrefix(int,int,char)
_AdtpFormatPrefix@12 proc near		; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+D3p
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+10Ap ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	14h
		lea	eax, [ebp+var_18]
		mov	edi, ecx
		mov	[ebp+var_1C], eax
		mov	esi, edx
		pop	eax
		mov	word ptr [ebp+var_20+2], ax
		xor	eax, eax
		push	offset ??_C@_15IOLAJFNF@?$AA?$CF?$AA?$CF@FNODOBFM@ ; void *
		push	edi		; int
		mov	word ptr [ebp+var_20], ax
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_20]
		push	eax
		push	0Ah
		push	esi
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		test	eax, eax
		js	short loc_6983B0
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		cmp	[ebp+arg_0], 1
		jnz	short loc_6983B0
		push	offset ??_C@_13KDLDGPGJ@?$AA?7@FNODOBFM@ ; void	*
		push	edi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)

loc_6983B0:				; CODE XREF: AdtpFormatPrefix(x,x,x)+44j
					; AdtpFormatPrefix(x,x,x)+54j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_AdtpFormatPrefix@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpGetCapID(x, x)
_AdtpGetCapID@8	proc near		; CODE XREF: AdtpBuildContextFromSecurityDescriptor(x,x)+12p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp-2]
		xor	ebx, ebx
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], ebx
		push	eax
		lea	eax, [ebp-1]
		mov	[ebp+var_1], bl
		push	eax
		push	ecx
		mov	esi, edx
		mov	[ebp+var_8], ebx
		call	_RtlGetSaclSecurityDescriptor@16 ; RtlGetSaclSecurityDescriptor(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_69841D
		mov	[esi], ebx
		cmp	[ebp+var_1], bl
		jz	short loc_69841D

loc_6983F7:				; CODE XREF: AdtpGetCapID(x,x)+54j
		lea	eax, [ebp+var_8]
		push	eax
		push	13h
		push	[ebp+var_C]
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		test	eax, eax
		jz	short loc_69840F
		test	byte ptr [eax+1], 8
		jz	short loc_698418

loc_69840F:				; CODE XREF: AdtpGetCapID(x,x)+47j
		inc	[ebp+var_8]
		test	eax, eax
		jnz	short loc_6983F7
		jmp	short loc_69841D
; 

loc_698418:				; CODE XREF: AdtpGetCapID(x,x)+4Dj
		add	eax, 8
		mov	[esi], eax

loc_69841D:				; CODE XREF: AdtpGetCapID(x,x)+2Ej
					; AdtpGetCapID(x,x)+35j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AdtpGetCapID@8	endp


;  S U B	R O U T	I N E 


; __stdcall AdtpLookupKnownPrivilegeNameQuickly(x, x)
_AdtpLookupKnownPrivilegeNameQuickly@8 proc near
					; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+127p
		mov	edi, edi
		push	esi
		xor	esi, esi
		cmp	[ecx+4], esi
		jnz	short loc_698451
		mov	ecx, [ecx]
		lea	eax, [ecx-2]
		cmp	eax, 22h
		ja	short loc_698451
		add	ecx, 0FFFFFFFEh
		shl	ecx, 4
		mov	eax, ds:_AdtpKnownPrivilege[ecx]
		mov	[edx], eax
		mov	eax, ds:dword_6B7064[ecx]
		mov	[edx+4], eax
		jmp	short loc_698456
; 

loc_698451:				; CODE XREF: AdtpLookupKnownPrivilegeNameQuickly(x,x)+8j
					; AdtpLookupKnownPrivilegeNameQuickly(x,x)+12j
		mov	esi, 0C0000060h

loc_698456:				; CODE XREF: AdtpLookupKnownPrivilegeNameQuickly(x,x)+2Bj
		mov	eax, esi
		pop	esi
		retn
_AdtpLookupKnownPrivilegeNameQuickly@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl StringCchPrintfExW(wchar_t *,int,int,int,int,int,char)
_StringCchPrintfExW proc near		; CODE XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+70Bp
					; AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+240p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_10]
		sub	esp, 0Ch
		xor	eax, eax
		mov	ecx, edx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, eax
		push	edi
		mov	edi, [ebp+arg_4]
		and	ecx, 100h
		jz	short loc_698486
		test	ebx, ebx
		jnz	short loc_69848A
		test	edi, edi
		jnz	short loc_698492
		jmp	short loc_69848A
; 

loc_698486:				; CODE XREF: _StringCchPrintfExW+20j
		test	edi, edi
		jz	short loc_698492

loc_69848A:				; CODE XREF: _StringCchPrintfExW+24j
					; _StringCchPrintfExW+2Aj
		cmp	edi, 7FFFFFFFh
		jbe	short loc_698497

loc_698492:				; CODE XREF: _StringCchPrintfExW+28j
					; _StringCchPrintfExW+2Ej
		mov	esi, 80070057h

loc_698497:				; CODE XREF: _StringCchPrintfExW+36j
		test	esi, esi
		js	loc_6985A8
		mov	eax, edi
		mov	[ebp+var_4], ebx
		test	ecx, ecx
		mov	[ebp+var_8], eax
		mov	ecx, [ebp+arg_14]
		jz	short loc_6984BA
		test	ecx, ecx
		jnz	short loc_6984BA
		mov	ecx, offset ??_C@_11LOCGONAA@@FNODOBFM@
		mov	[ebp+arg_14], ecx

loc_6984BA:				; CODE XREF: _StringCchPrintfExW+52j
					; _StringCchPrintfExW+56j
		xor	esi, esi
		test	edx, 0FFFFE000h
		jz	short loc_6984DB
		mov	esi, 80070057h
		test	edi, edi
		jz	loc_698562
		xor	ecx, ecx
		mov	[ebx], cx
		jmp	loc_698562
; 

loc_6984DB:				; CODE XREF: _StringCchPrintfExW+68j
		test	edi, edi
		jnz	short loc_6984FE
		xor	edx, edx
		cmp	[ecx], dx
		mov	edx, [ebp+arg_10]
		jz	loc_698591
		mov	esi, ebx
		neg	esi
		sbb	esi, esi
		and	esi, 23h
		add	esi, 80070057h
		jmp	short loc_698562
; 

loc_6984FE:				; CODE XREF: _StringCchPrintfExW+83j
		xor	eax, eax
		mov	edx, edi	; int
		mov	[ebp+var_8], eax
		lea	eax, [ebp+arg_18]
		push	eax		; va_list
		push	ecx		; wchar_t *
		lea	eax, [ebp+var_8]
		mov	ecx, ebx	; wchar_t *
		push	eax		; int
		call	sub_6985B8
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		mov	eax, edi
		sub	eax, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		lea	edx, [ebx+ecx*2]
		mov	[ebp+var_4], edx
		test	esi, esi
		js	short loc_69855F
		mov	ecx, [ebp+arg_10]
		test	ecx, 200h
		jz	short loc_698594
		cmp	eax, 1
		jbe	short loc_698594
		lea	edi, [eax+eax]
		cmp	edi, 2
		jbe	short loc_698594
		lea	eax, [edi-2]
		push	eax		; size_t
		movzx	eax, cl
		push	eax		; int
		lea	eax, [edx+2]
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		jmp	short loc_698591
; 

loc_69855F:				; CODE XREF: _StringCchPrintfExW+D2j
		mov	edx, [ebp+arg_10]

loc_698562:				; CODE XREF: _StringCchPrintfExW+71j
					; _StringCchPrintfExW+7Cj ...
		test	edx, 1C00h
		jz	short loc_698585
		test	edi, edi
		jz	short loc_698585
		push	edx		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	ecx		; int
		lea	edx, [edi+edi]	; size_t
		mov	ecx, ebx	; void *
		call	StringExHandleOtherFlagsW
		mov	eax, [ebp+var_8]

loc_698585:				; CODE XREF: _StringCchPrintfExW+10Ej
					; _StringCchPrintfExW+112j
		test	esi, esi
		jns	short loc_698591
		cmp	esi, 8007007Ah
		jnz	short loc_6985B1

loc_698591:				; CODE XREF: _StringCchPrintfExW+8Dj
					; _StringCchPrintfExW+103j ...
		mov	edx, [ebp+var_4]

loc_698594:				; CODE XREF: _StringCchPrintfExW+DDj
					; _StringCchPrintfExW+E2j ...
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_69859D
		mov	[ecx], edx

loc_69859D:				; CODE XREF: _StringCchPrintfExW+13Fj
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_6985B1
		mov	[ecx], eax
		jmp	short loc_6985B1
; 

loc_6985A8:				; CODE XREF: _StringCchPrintfExW+3Fj
		test	edi, edi
		jz	short loc_6985B1
		xor	eax, eax
		mov	[ebx], ax

loc_6985B1:				; CODE XREF: _StringCchPrintfExW+135j
					; _StringCchPrintfExW+148j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_StringCchPrintfExW endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall sub_6985B8(wchar_t *,int,int,wchar_t *,va_list)
sub_6985B8	proc near		; CODE XREF: _StringCchPrintfExW+B6p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_8]	; va_list
		lea	esi, [edx-1]
		mov	edi, ecx
		push	[ebp+arg_4]	; wchar_t *
		xor	ebx, ebx
		push	esi		; size_t
		push	edi		; wchar_t *
		call	__vsnwprintf
		add	esp, 10h
		test	eax, eax
		js	short loc_6985E5
		cmp	eax, esi
		ja	short loc_6985E5
		jz	short loc_6985EA
		mov	esi, eax
		jmp	short loc_6985F0
; 

loc_6985E5:				; CODE XREF: sub_6985B8+21j
					; sub_6985B8+25j
		mov	ebx, 8007007Ah

loc_6985EA:				; CODE XREF: sub_6985B8+27j
		xor	eax, eax
		mov	[edi+esi*2], ax

loc_6985F0:				; CODE XREF: sub_6985B8+2Bj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_6985F9
		mov	[ecx], esi

loc_6985F9:				; CODE XREF: sub_6985B8+3Dj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
sub_6985B8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl CompareObjectTypes(const void *,const void *)
_CompareObjectTypes proc near		; DATA XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+42o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, [eax+14h]
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+14h]
		cmp	ecx, edx
		sbb	eax, eax
		neg	eax
		cmp	edx, ecx
		sbb	ecx, ecx
		neg	ecx
		sub	eax, ecx
		pop	ebp
		retn
_CompareObjectTypes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiOpenStoreKeyFromObject(x,	x)
_BiOpenStoreKeyFromObject@8 proc near	; CODE XREF: BiSetFirmwareModifiedFromObject(x,x)+Ep

var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_6A		= word ptr -6Ah
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, 0A0h
		lea	eax, [ebp+var_A8]
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		mov	edi, edx
		mov	ebx, ecx
		call	_memset
		and	dword ptr [edi], 0
		add	esp, 0Ch
		mov	[ebp+var_AC], esi
		test	bl, 1
		jz	short loc_69866B
		mov	esi, 0C0000002h
		jmp	short loc_6986BE
; 

loc_69866B:				; CODE XREF: BiOpenStoreKeyFromObject(x,x)+3Fj
		lea	eax, [ebp+var_AC]
		push	eax
		push	esi
		lea	eax, [ebp+var_A8]
		push	eax
		push	3
		push	ebx
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_6986B0
		cmp	[ebp+var_A8], 4Ch
		jb	short loc_6986AC
		push	edi
		xor	eax, eax
		lea	edx, [ebp+var_A4]
		push	2001Fh
		xor	ecx, ecx
		mov	[ebp+var_6A], ax
		call	BiOpenKey
		mov	esi, eax

loc_6986AC:				; CODE XREF: BiOpenStoreKeyFromObject(x,x)+6Cj
		test	esi, esi
		jns	short loc_6986BE

loc_6986B0:				; CODE XREF: BiOpenStoreKeyFromObject(x,x)+63j
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_6986BE
		call	_BiCloseKey@4	; BiCloseKey(x)
		and	dword ptr [edi], 0

loc_6986BE:				; CODE XREF: BiOpenStoreKeyFromObject(x,x)+46j
					; BiOpenStoreKeyFromObject(x,x)+8Bj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_BiOpenStoreKeyFromObject@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiSetFirmwareModifiedFromObject(x, x)
_BiSetFirmwareModifiedFromObject@8 proc	near ; CODE XREF: BiDeleteElement+143p
					; BcdSetElementDataWithFlags+1A8p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	edx, [ebp+var_4]
		push	edi
		call	_BiOpenStoreKeyFromObject@8 ; BiOpenStoreKeyFromObject(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_6986F2
		mov	ecx, [ebp+var_4]
		mov	dl, 1
		call	BiSetFirmwareModified

loc_6986F2:				; CODE XREF: BiSetFirmwareModifiedFromObject(x,x)+17j
		cmp	[ebp+var_4], 0
		jz	short loc_698700
		mov	ecx, [ebp+var_4]
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_698700:				; CODE XREF: BiSetFirmwareModifiedFromObject(x,x)+27j
		mov	eax, edi
		pop	edi
		leave
		retn
_BiSetFirmwareModifiedFromObject@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiLogFileOwnerProcess(x, x)
_BiLogFileOwnerProcess@8 proc near	; CODE XREF: BiLoadSystemStore+A304Cp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	edi, [esp+60h+var_30]
		push	6
		mov	edx, ecx
		mov	[esp+64h+var_40], ebx
		pop	ecx
		xor	eax, eax
		mov	[esp+60h+var_3C], ebx
		rep stosd
		mov	[esp+60h+var_38], ebx
		mov	edi, ebx
		mov	[esp+60h+var_34], ebx
		mov	esi, ebx
		mov	[esp+60h+var_50], ebx
		mov	[esp+60h+var_4C], ebx
		mov	[esp+60h+var_48], ebx
		call	_BiIsLogEnabled@0 ; BiIsLogEnabled()
		test	al, al
		jz	loc_6989BD
		push	dword ptr [edx+4]
		push	offset ??_C@_1FG@CNICICCJ@?$AAA?$AAt?$AAt?$AAe?$AAm?$AAp?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAt?$AAo?$AA?5?$AAd@FNODOBFM@ ; "Attempting	to determine owner of file %"...
		push	2
		call	_BiLogMessage
		add	esp, 0Ch
		mov	[esp+60h+var_18], 18h
		lea	eax, [esp+60h+var_38]
		mov	[esp+60h+var_14], ebx
		mov	[esp+60h+var_C], 40h
		mov	[esp+60h+var_10], edx
		push	4020h
		push	7
		push	eax
		lea	eax, [esp+6Ch+var_18]
		mov	[esp+6Ch+var_8], ebx
		push	eax
		push	100080h
		lea	eax, [esp+74h+var_48]
		mov	[esp+74h+var_4], ebx
		push	eax
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_6987B0
		push	eax
		push	offset ??_C@_1FG@IMCMKLHL@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@FNODOBFM@
		jmp	loc_69897D
; 

loc_6987B0:				; CODE XREF: BiLogFileOwnerProcess(x,x)+9Ej
		mov	eax, large fs:20h
		mov	edx, 400h
		mov	[esp+60h+var_50], edx
		xor	ecx, ecx
		push	ebx
		inc	ecx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	4B444342h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jnz	short loc_6987FA
		push	offset ??_C@_1EM@MMKFALCH@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAa?$AAl?$AAl?$AAo?$AAc@FNODOBFM@

loc_6987EB:				; CODE XREF: BiLogFileOwnerProcess(x,x)+124j
					; BiLogFileOwnerProcess(x,x)+26Dj
		push	4
		call	_BiLogMessage
		add	esp, 8
		jmp	loc_698987
; 

loc_6987FA:				; CODE XREF: BiLogFileOwnerProcess(x,x)+DFj
		push	2Fh
		push	[esp+64h+var_50]
		lea	eax, [esp+68h+var_38]
		push	edi
		push	eax
		push	[esp+70h+var_48]
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		test	eax, eax
		jns	short loc_69881E
		push	eax
		push	offset ??_C@_1EM@PHONPJKB@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAq?$AAu?$AAe?$AAr?$AAy@FNODOBFM@
		jmp	loc_69897D
; 

loc_69881E:				; CODE XREF: BiLogFileOwnerProcess(x,x)+10Cj
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_69882B
		push	offset ??_C@_1EE@DHCKIGJ@?$AAN?$AAo?$AA?5?$AAp?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAe?$AAs?$AA?5?$AAa?$AAr@FNODOBFM@
		jmp	short loc_6987EB
; 

loc_69882B:				; CODE XREF: BiLogFileOwnerProcess(x,x)+11Dj
		push	eax
		push	offset ??_C@_1EI@JACBKJGA@?$AAF?$AAo?$AAu?$AAn?$AAd?$AA?5?$AA?$CF?$AAd?$AA?5?$AAp?$AAr?$AAo?$AAc?$AAe?$AAs@FNODOBFM@
		push	2
		call	_BiLogMessage
		xor	esi, esi
		add	esp, 0Ch
		cmp	[edi], esi
		jbe	loc_6989A2
		lea	eax, [edi+4]
		mov	[esp+60h+var_44], eax

loc_69884C:				; CODE XREF: BiLogFileOwnerProcess(x,x)+253j
		mov	[esp+60h+var_3C], esi
		mov	eax, [eax]
		mov	[esp+60h+var_40], eax
		lea	eax, [esp+60h+var_40]
		push	eax
		lea	eax, [esp+64h+var_30]
		mov	[esp+64h+var_30], 18h
		push	eax
		push	1000h
		lea	eax, [esp+6Ch+var_4C]
		mov	[esp+6Ch+var_2C], esi
		push	eax
		mov	[esp+70h+var_24], esi
		mov	[esp+70h+var_28], esi
		mov	[esp+70h+var_20], esi
		mov	[esp+70h+var_1C], esi
		call	_ZwOpenProcess@16 ; ZwOpenProcess(x,x,x,x)
		test	eax, eax
		js	loc_698977
		lea	eax, [esp+60h+var_50]
		mov	[esp+60h+var_50], esi
		push	eax
		push	esi
		push	esi
		push	1Bh
		push	[esp+70h+var_4C]
		call	_ZwQueryInformationProcess@20 ;	ZwQueryInformationProcess(x,x,x,x,x)
		cmp	eax, 80000005h
		jz	short loc_6988C2
		cmp	eax, 0C0000023h
		jz	short loc_6988C2
		cmp	eax, 0C0000004h
		jnz	loc_69895D

loc_6988C2:				; CODE XREF: BiLogFileOwnerProcess(x,x)+1A9j
					; BiLogFileOwnerProcess(x,x)+1B0j
		mov	eax, large fs:20h
		xor	ecx, ecx
		mov	edx, [esp+60h+var_50]
		inc	ecx
		push	esi
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	4B444342h
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jz	short loc_69896D
		lea	eax, [esp+60h+var_50]
		push	eax
		push	[esp+64h+var_50]
		push	esi
		push	1Bh
		push	[esp+70h+var_4C]
		call	_ZwQueryInformationProcess@20 ;	ZwQueryInformationProcess(x,x,x,x,x)
		test	eax, eax
		js	short loc_698965
		xor	eax, eax
		cmp	[esi], ax
		jbe	short loc_698918
		mov	eax, [esi+4]
		jmp	short loc_69891D
; 

loc_698918:				; CODE XREF: BiLogFileOwnerProcess(x,x)+20Cj
		mov	eax, offset ??_C@_1O@GINMMDNN@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm@FNODOBFM@

loc_69891D:				; CODE XREF: BiLogFileOwnerProcess(x,x)+211j
		push	eax
		push	ebx
		push	offset ??_C@_1CO@NHPCNFEE@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AA?5?$AAN?$AAa?$AAm?$AAe?$AA?5?$AA?$FL?$AA?$CF@FNODOBFM@
		push	4
		call	_BiLogMessage
		add	esp, 10h
		push	[esp+60h+var_4C]
		call	_ZwClose@4	; ZwClose(x)
		xor	eax, eax
		mov	ecx, esi
		mov	[esp+60h+var_4C], eax
		call	ExFreeHeapPool
		xor	eax, eax
		inc	ebx
		mov	esi, eax
		mov	eax, [esp+60h+var_44]
		add	eax, 4
		mov	[esp+60h+var_44], eax
		cmp	ebx, [edi]
		jnb	short loc_698987
		jmp	loc_69884C
; 

loc_69895D:				; CODE XREF: BiLogFileOwnerProcess(x,x)+1B7j
		push	eax
		push	offset ??_C@_1HC@GNNAHMPH@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAq?$AAu?$AAe?$AAr?$AAy@FNODOBFM@
		jmp	short loc_69897D
; 

loc_698965:				; CODE XREF: BiLogFileOwnerProcess(x,x)+205j
		push	eax
		push	(offset	off_5A7602+2)
		jmp	short loc_69897D
; 

loc_69896D:				; CODE XREF: BiLogFileOwnerProcess(x,x)+1ECj
		push	offset ??_C@_1GM@IKCHKJKN@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAa?$AAl?$AAl?$AAo?$AAc@FNODOBFM@
		jmp	loc_6987EB
; 

loc_698977:				; CODE XREF: BiLogFileOwnerProcess(x,x)+188j
		push	eax
		push	offset ??_C@_1EG@GECEKDAJ@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@FNODOBFM@

loc_69897D:				; CODE XREF: BiLogFileOwnerProcess(x,x)+A6j
					; BiLogFileOwnerProcess(x,x)+114j ...
		push	4
		call	_BiLogMessage
		add	esp, 0Ch

loc_698987:				; CODE XREF: BiLogFileOwnerProcess(x,x)+F0j
					; BiLogFileOwnerProcess(x,x)+251j
		cmp	[esp+60h+var_4C], 0
		jz	short loc_698997
		push	[esp+60h+var_4C]
		call	_ZwClose@4	; ZwClose(x)

loc_698997:				; CODE XREF: BiLogFileOwnerProcess(x,x)+287j
		test	esi, esi
		jz	short loc_6989A2
		mov	ecx, esi
		call	ExFreeHeapPool

loc_6989A2:				; CODE XREF: BiLogFileOwnerProcess(x,x)+13Aj
					; BiLogFileOwnerProcess(x,x)+294j
		test	edi, edi
		jz	short loc_6989AD
		mov	ecx, edi
		call	ExFreeHeapPool

loc_6989AD:				; CODE XREF: BiLogFileOwnerProcess(x,x)+29Fj
		cmp	[esp+60h+var_48], 0
		jz	short loc_6989BD
		push	[esp+60h+var_48]
		call	_ZwClose@4	; ZwClose(x)

loc_6989BD:				; CODE XREF: BiLogFileOwnerProcess(x,x)+44j
					; BiLogFileOwnerProcess(x,x)+2ADj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_BiLogFileOwnerProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiMapEfiDeviceForSpaces(x, x, x)
_BiMapEfiDeviceForSpaces@12 proc near	; CODE XREF: BiUpdateBcdObject(x,x)+1BBp

var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		xor	ebx, ebx
		mov	[esp+18h+var_8], edx
		test	byte ptr [ecx+20h], 8
		push	esi
		push	edi
		mov	[esp+20h+var_11], bl
		mov	edi, ebx
		mov	[esp+20h+var_10], ebx
		jnz	loc_698B37
		lea	eax, [esp+20h+var_10]
		xor	edx, edx
		push	eax
		xor	ecx, ecx
		call	_SyspartGetSystemPartition@12 ;	SyspartGetSystemPartition(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_698A0C
		cmp	edi, 0C0000023h
		jnz	loc_698B37

loc_698A0C:				; CODE XREF: BiMapEfiDeviceForSpaces(x,x,x)+3Aj
		mov	eax, large fs:20h
		xor	ecx, ecx
		mov	edx, [esp+20h+var_10]
		inc	ecx
		push	ebx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	4B444342h
		call	ExpAllocatePoolWithTagFromNode
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_698A47
		mov	edi, 0C0000017h
		jmp	loc_698B37
; 

loc_698A47:				; CODE XREF: BiMapEfiDeviceForSpaces(x,x,x)+77j
		mov	edx, [esp+20h+var_10]
		lea	eax, [esp+20h+var_10]
		push	eax
		mov	ecx, ebx
		call	_SyspartGetSystemPartition@12 ;	SyspartGetSystemPartition(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_698B30
		lea	edx, [esp+0Fh]
		mov	ecx, ebx
		call	_SyspartIsSpace@8 ; SyspartIsSpace(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_698A87
		push	ebx
		push	(offset	loc_5A7901+1)
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		jmp	loc_698B30
; 

loc_698A87:				; CODE XREF: BiMapEfiDeviceForSpaces(x,x,x)+ACj
		cmp	[esp+20h+var_11], 0
		jz	loc_698B30
		mov	eax, large fs:20h
		xor	ecx, ecx
		mov	esi, [esp+20h+var_10]
		inc	ecx
		push	0
		add	esi, 14h
		mov	eax, [eax+338h]
		mov	edx, esi
		mov	[esp+24h+var_4], esi
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	4B444342h
		call	ExpAllocatePoolWithTagFromNode
		mov	[esp+20h+var_C], eax
		test	eax, eax
		jnz	short loc_698AD6
		mov	edi, 0C0000017h
		jmp	short loc_698B30
; 

loc_698AD6:				; CODE XREF: BiMapEfiDeviceForSpaces(x,x,x)+109j
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [eax]
		cmp	esi, eax
		jnb	short loc_698AED
		mov	eax, esi

loc_698AED:				; CODE XREF: BiMapEfiDeviceForSpaces(x,x,x)+125j
		mov	esi, [esp+20h+var_8]
		push	eax		; size_t
		mov	esi, [esi]
		push	esi		; void *
		push	[esp+28h+var_C]	; void *
		call	_memcpy
		mov	eax, [esp+2Ch+var_C]
		add	esp, 0Ch
		add	eax, 14h
		push	[esp+20h+var_10] ; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, esi
		call	ExFreeHeapPool
		mov	ecx, [esp+20h+var_8]
		mov	eax, [esp+20h+var_C]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_0]
		mov	eax, [esp+20h+var_4]
		mov	[ecx], eax

loc_698B30:				; CODE XREF: BiMapEfiDeviceForSpaces(x,x,x)+97j
					; BiMapEfiDeviceForSpaces(x,x,x)+BEj ...
		mov	ecx, ebx
		call	ExFreeHeapPool

loc_698B37:				; CODE XREF: BiMapEfiDeviceForSpaces(x,x,x)+22j
					; BiMapEfiDeviceForSpaces(x,x,x)+42j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_BiMapEfiDeviceForSpaces@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiSpacesUpdatePhysicalDevicePath(x)
_BiSpacesUpdatePhysicalDevicePath@4 proc near ;	CODE XREF: BiUpdateEfiEntry(x,x)+74p

var_1E		= byte ptr -1Eh
var_1D		= dword	ptr -1Dh
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	[esp+30h+var_10], ecx
		mov	ebx, ecx
		mov	byte ptr [esp+30h+var_1D], cl
		push	6Ch
		mov	ecx, [edi]
		pop	eax
		mov	[esp+30h+var_C], edi
		mov	[esp+30h+var_18], eax
		cmp	dword ptr [ecx], 2
		jnz	loc_698DC3
		add	ecx, 14h
		lea	edx, [esp+30h+var_1D]
		call	_SyspartIsSpace@8 ; SyspartIsSpace(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_698BA0
		mov	ecx, [edi]
		add	ecx, 14h
		push	ecx
		push	offset ??_C@_1DK@DKFKOOJM@?$AAS?$AAy?$AAs?$AAp?$AAa?$AAr?$AAt?$AAI?$AAs?$AAS?$AAp?$AAa?$AAc?$AAe?$AA?5@FNODOBFM@
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		jmp	loc_698DC3
; 

loc_698BA0:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+42j
		cmp	byte ptr [esp+30h+var_1D], 0
		jz	loc_698DC3
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	ecx
		mov	esi, 208h
		inc	ecx
		mov	edx, esi
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	4B444342h
		call	ExpAllocatePoolWithTagFromNode
		mov	ecx, large fs:20h
		mov	ebx, eax
		xor	eax, eax
		mov	[esp+30h+var_14], ebx
		push	eax
		mov	edx, esi
		mov	ecx, [ecx+338h]
		movzx	ecx, word ptr [ecx+8Ah]
		or	ecx, 80000000h
		push	ecx
		xor	ecx, ecx
		push	4B444342h
		inc	ecx
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		mov	[esp+30h+var_1D+1], esi
		test	ebx, ebx
		jz	loc_698DA4
		test	esi, esi
		jz	loc_698DA4
		mov	ecx, [edi]
		lea	eax, [ecx+14h]
		cmp	word ptr [eax],	5Ch
		jnz	short loc_698C30
		lea	eax, [ecx+16h]

loc_698C30:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+E9j
		push	eax
		push	(offset	loc_5A7829+1)
		push	(offset	loc_5A7885+1)
		push	104h
		push	ebx
		call	_swprintf_s
		add	esp, 14h
		push	6Ch
		pop	ebx

loc_698C4C:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+171j
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	ecx
		mov	edx, ebx
		inc	ecx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	4B444342h
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		mov	[esp+30h+var_4], esi
		test	esi, esi
		jz	loc_698DA0
		mov	ecx, [esp+30h+var_14]
		mov	edx, esi
		push	ebx
		call	_SyspartGetPhysicalPartitions@12 ; SyspartGetPhysicalPartitions(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_698C9D
		cmp	ebx, 80000005h
		jnz	short loc_698CB5

loc_698C9D:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+151j
		mov	ecx, [esi+4]
		cmp	ecx, [esp+30h+var_18]
		jbe	short loc_698CCA
		mov	ebx, ecx
		mov	ecx, esi
		mov	[esp+30h+var_18], ebx
		call	ExFreeHeapPool
		jmp	short loc_698C4C
; 

loc_698CB5:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+159j
		push	ebx
		push	(offset	loc_5A7891+1)
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		jmp	loc_698D93
; 

loc_698CCA:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+162j
		xor	eax, eax
		cmp	[esi+8], eax
		jnz	short loc_698CDB
		mov	ebx, 0C0000001h
		jmp	loc_698D93
; 

loc_698CDB:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+18Dj
		push	dword ptr [esi+14h]
		push	dword ptr [esi+10h]
		push	(offset	loc_5A7847+1)
		push	104h
		push	[esp+40h+var_1D+1]
		call	_swprintf_s
		mov	ecx, [esp+44h+var_1D+1]
		add	esp, 14h
		lea	edx, [ecx+2]

loc_698CFE:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+1C7j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+30h+var_10]
		jnz	short loc_698CFE
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		xor	ecx, ecx
		mov	[esp+30h+var_10], eax
		lea	edx, [eax+3Ch]
		mov	eax, large fs:20h
		push	ecx
		inc	ecx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	4B444342h
		call	ExpAllocatePoolWithTagFromNode
		mov	edx, eax
		mov	[esp+30h+var_8], edx
		test	edx, edx
		jnz	short loc_698D55
		mov	ebx, 0C0000017h
		jmp	short loc_698D93
; 

loc_698D55:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+20Aj
		mov	eax, [edi]
		mov	esi, eax
		push	0Fh
		pop	ecx
		push	[esp+30h+var_10] ; size_t
		mov	[esp+34h+var_18], eax
		mov	edi, edx
		push	[esp+34h+var_1D+1] ; void *
		lea	eax, [edx+14h]
		rep movsd
		push	eax		; void *
		call	_memcpy
		mov	ecx, [esp+3Ch+var_18]
		add	esp, 0Ch
		test	ecx, ecx
		jz	short loc_698D85
		call	ExFreeHeapPool

loc_698D85:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+23Cj
		mov	eax, [esp+30h+var_C]
		mov	ecx, [esp+30h+var_8]
		mov	esi, [esp+30h+var_4]
		mov	[eax], ecx

loc_698D93:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+183j
					; BiSpacesUpdatePhysicalDevicePath(x)+194j ...
		mov	ecx, esi
		call	ExFreeHeapPool
		mov	esi, [esp+30h+var_1D+1]
		jmp	short loc_698DA9
; 

loc_698DA0:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+13Bj
		mov	esi, [esp+30h+var_1D+1]

loc_698DA4:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+D2j
					; BiSpacesUpdatePhysicalDevicePath(x)+DAj
		mov	ebx, 0C0000017h

loc_698DA9:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+25Cj
		mov	eax, [esp+30h+var_14]
		test	eax, eax
		jz	short loc_698DB8
		mov	ecx, eax
		call	ExFreeHeapPool

loc_698DB8:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+26Dj
		test	esi, esi
		jz	short loc_698DC3
		mov	ecx, esi
		call	ExFreeHeapPool

loc_698DC3:				; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+2Cj
					; BiSpacesUpdatePhysicalDevicePath(x)+59j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_BiSpacesUpdatePhysicalDevicePath@4 endp


;  S U B	R O U T	I N E 


; __stdcall BgDisplaySafeToPowerOffScreen()
_BgDisplaySafeToPowerOffScreen@0 proc near ; CODE XREF:	PopShutdownHandler(x,x,x,x,x)+17p
		mov	edi, edi
		push	esi
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	byte ptr ds:dword_6B6BB8, 2
		jnz	short loc_698DE4
		mov	esi, 0C0000001h
		jmp	short loc_698DEB
; 

loc_698DE4:				; CODE XREF: BgDisplaySafeToPowerOffScreen()+Fj
		call	_BgpDisplaySafeToPowerOffScreen@0 ; BgpDisplaySafeToPowerOffScreen()
		mov	esi, eax

loc_698DEB:				; CODE XREF: BgDisplaySafeToPowerOffScreen()+16j
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		retn
_BgDisplaySafeToPowerOffScreen@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpClearScreen(x)
_BgpClearScreen@4 proc near		; CODE XREF: BgpDisplaySafeToPowerOffScreen()+61p
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x):loc_69A058p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		test	byte ptr ds:dword_6B6BB8, 1
		push	ebx
		push	esi
		push	edi
		mov	[esp+40h+var_28], ecx
		jnz	short loc_698E19
		mov	esi, 0C0000001h
		jmp	loc_698F50
; 

loc_698E19:				; CODE XREF: BgpClearScreen(x)+19j
		mov	edx, ds:dword_6B6B68
		mov	ebx, ds:dword_6B6B64
		mov	eax, ds:dword_6B6B6C
		mov	[esp+40h+var_30], edx
		mov	[esp+40h+var_C], edx
		mov	[esp+40h+var_2C], ebx
		mov	[esp+40h+var_8], ebx
		mov	[esp+40h+var_4], eax
		call	_BgpGetBitsPerPixel@0 ;	BgpGetBitsPerPixel()
		mov	ecx, eax
		mov	eax, edx
		imul	eax, ebx
		shr	ecx, 3
		mov	[esp+40h+var_24], ecx
		imul	eax, ecx
		mov	ecx, 1FC0h
		cmp	eax, ecx
		jnb	short loc_698E5F
		mov	ecx, eax

loc_698E5F:				; CODE XREF: BgpClearScreen(x)+67j
		lea	esi, [esp+40h+var_C]
		lea	edi, [esp+40h+var_18]
		movsd
		movsd
		movsd
		mov	edi, [esp+40h+var_14]
		mov	ebx, [esp+40h+var_18]
		cmp	eax, ecx
		jbe	short loc_698E9C
		mov	edx, [esp+40h+var_10]
		mov	esi, [esp+40h+var_24]

loc_698E7E:				; CODE XREF: BgpClearScreen(x)+9Aj
		shr	ebx, 1
		shr	edi, 1
		mov	eax, ebx
		imul	eax, edi
		shr	edx, 1
		imul	eax, esi
		cmp	eax, ecx
		ja	short loc_698E7E
		mov	[esp+40h+var_14], edi
		mov	[esp+40h+var_18], ebx
		mov	[esp+40h+var_10], edx

loc_698E9C:				; CODE XREF: BgpClearScreen(x)+80j
		push	2000h
		push	offset unk_6FF2D8
		call	_BgpGetBitsPerPixel@0 ;	BgpGetBitsPerPixel()
		mov	edx, eax
		lea	ecx, [esp+48h+var_18]
		call	_BgpGxInitializeRectangle@16 ; BgpGxInitializeRectangle(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_698F50
		push	[esp+40h+var_28]
		mov	ecx, offset unk_6FF2D8
		call	_BgpGxFillRectangle@8 ;	BgpGxFillRectangle(x,x)
		xor	esi, esi
		mov	eax, esi
		mov	[esp+40h+var_24], esi
		mov	[esp+40h+var_1C], eax
		cmp	[esp+40h+var_2C], eax
		jbe	short loc_698F46
		mov	ecx, [esp+40h+var_30]
		mov	edx, [esp+40h+var_2C]

loc_698EE8:				; CODE XREF: BgpClearScreen(x)+150j
		mov	[esp+40h+var_20], esi
		test	ecx, ecx
		jz	short loc_698F3C
		mov	edi, [esp+40h+var_30]
		mov	esi, [esp+40h+var_28]

loc_698EF8:				; CODE XREF: BgpClearScreen(x)+132j
		lea	edx, [esp+40h+var_20]
		mov	ecx, offset unk_6FF2D8
		call	BgpGxDrawRectangle
		test	ds:byte_6FF2E8,	10h
		jz	short loc_698F1A
		push	esi
		mov	ecx, offset unk_6FF2D8
		call	_BgpGxFillRectangle@8 ;	BgpGxFillRectangle(x,x)

loc_698F1A:				; CODE XREF: BgpClearScreen(x)+119j
		mov	eax, [esp+40h+var_20]
		add	eax, ebx
		mov	[esp+40h+var_20], eax
		cmp	eax, edi
		jb	short loc_698EF8
		mov	eax, [esp+40h+var_1C]
		mov	esi, [esp+40h+var_24]
		mov	edi, [esp+40h+var_14]
		mov	ecx, [esp+40h+var_30]
		mov	edx, [esp+40h+var_2C]

loc_698F3C:				; CODE XREF: BgpClearScreen(x)+FAj
		add	eax, edi
		mov	[esp+40h+var_1C], eax
		cmp	eax, edx
		jb	short loc_698EE8

loc_698F46:				; CODE XREF: BgpClearScreen(x)+EAj
		or	ds:dword_6B6BB8, 2000h

loc_698F50:				; CODE XREF: BgpClearScreen(x)+20j
					; BgpClearScreen(x)+C6j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_BgpClearScreen@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpDisplayCharacterEx(x, x,	x, x, x, x, x, x, x, x)
_BgpDisplayCharacterEx@40 proc near	; CODE XREF: BcpDisplayCriticalCharacter(x,x,x)+56p
					; BcpDisplayCriticalString(x,x,x,x)+277p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_C], 0
		test	byte ptr ds:dword_6B6BB8, 1
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jnz	short loc_698F7B
		mov	eax, 0C0000001h
		jmp	short loc_698FC7
; 

loc_698F7B:				; CODE XREF: BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)+19j
		mov	eax, [ebp+arg_0]
		lea	edx, [ebp+var_8]
		mov	ecx, [esi+14h]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_18], eax
		mov	eax, [esi+4]
		mov	[ebp+var_10], eax
		mov	eax, [esi]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_BgpTxtAdjustStaticRegion@12 ; BgpTxtAdjustStaticRegion(x,x,x)
		test	eax, eax
		js	short loc_698FC7
		push	[ebp+arg_1C]
		mov	edx, edi
		push	ecx
		push	[ebp+arg_14]
		mov	ecx, [esi+14h]
		push	[ebp+arg_10]
		push	0
		call	BgpTxtDisplayCharacter

loc_698FC7:				; CODE XREF: BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)+20j
					; BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)+56j
		pop	edi
		pop	esi
		leave
		retn	20h
_BgpDisplayCharacterEx@40 endp

; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 


; __stdcall BgpFwSetBootGraphicsInformation(x, x)
_BgpFwSetBootGraphicsInformation@8 proc	near
					; CODE XREF: BgSetBootGraphicsInformation(x,x)+30p
		cmp	byte ptr ds:_BgInternal, 0
		jz	short loc_698FDE

loc_698FD8:				; CODE XREF: BgpFwSetBootGraphicsInformation(x,x)+42j
		mov	eax, 0C00000BBh
		retn
; 

loc_698FDE:				; CODE XREF: BgpFwSetBootGraphicsInformation(x,x)+7j
		push	esi
		push	edi
		push	8
		pop	ecx
		mov	esi, edx
		mov	edi, offset dword_6B6B98
		rep movsd
		mov	eax, [edx+8]
		mov	ds:dword_6B6B68, eax
		mov	eax, [edx+0Ch]
		mov	ds:dword_6B6B64, eax
		mov	eax, [edx+10h]
		mov	ds:dword_6B6B6C, eax
		mov	eax, [edx+18h]
		pop	edi
		pop	esi
		sub	eax, 3
		jz	short loc_69901F
		sub	eax, 1
		jnz	short loc_698FD8
		mov	ds:dword_6B6B70, 5
		jmp	short loc_699029
; 

loc_69901F:				; CODE XREF: BgpFwSetBootGraphicsInformation(x,x)+3Dj
		mov	ds:dword_6B6B70, 4

loc_699029:				; CODE XREF: BgpFwSetBootGraphicsInformation(x,x)+4Ej
		mov	ds:_BgInternal,	1
		xor	eax, eax
		mov	ecx, [edx]
		mov	ds:dword_6B6B78, ecx
		retn
_BgpFwSetBootGraphicsInformation@8 endp


;  S U B	R O U T	I N E 


; __stdcall BgpGxIsRectangleValid(x)
_BgpGxIsRectangleValid@4 proc near	; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+1F2p
		mov	edx, ecx
		test	edx, edx
		jz	short loc_69905C
		call	_BgpGetBitsPerPixel@0 ;	BgpGetBitsPerPixel()
		cmp	[edx+8], eax
		jnb	short loc_699059
		test	ds:dword_6B6BB8, 0C00h
		jnz	short loc_69905C

loc_699059:				; CODE XREF: BgpGxIsRectangleValid(x)+Ej
		mov	al, 1
		retn
; 

loc_69905C:				; CODE XREF: BgpGxIsRectangleValid(x)+4j
					; BgpGxIsRectangleValid(x)+1Aj
		xor	al, al
		retn
_BgpGxIsRectangleValid@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall GxpGetRotatedPixelOffset(x,	x, x, x, x, x, x, x, x,	x)
_GxpGetRotatedPixelOffset@40 proc near	; CODE XREF: GxpWriteFrameBufferPixels+87D07p
					; TxtpAddCacheEntry+1BC1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, ds:byte_6B6B62
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		sub	eax, esi
		jz	short loc_6990B5
		sub	eax, 1
		jz	short loc_6990A9
		sub	eax, 1
		jz	short loc_69909A
		sub	eax, 1
		jz	short loc_69908E
		mov	esi, 0C00000BBh
		jmp	short loc_6990CA
; 

loc_69908E:				; CODE XREF: GxpGetRotatedPixelOffset(x,x,x,x,x,x,x,x,x,x)+26j
		mov	eax, [ebp+arg_4]
		sub	eax, [ebp+arg_1C]
		mov	edx, [ebp+arg_18]
		dec	eax
		jmp	short loc_6990BB
; 

loc_69909A:				; CODE XREF: GxpGetRotatedPixelOffset(x,x,x,x,x,x,x,x,x,x)+21j
		mov	eax, [ebp+arg_0]
		sub	eax, [ebp+arg_18]
		mov	edx, [ebp+arg_4]
		dec	eax
		sub	edx, [ebp+arg_1C]
		jmp	short loc_6990B2
; 

loc_6990A9:				; CODE XREF: GxpGetRotatedPixelOffset(x,x,x,x,x,x,x,x,x,x)+1Cj
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_1C]
		sub	edx, [ebp+arg_18]

loc_6990B2:				; CODE XREF: GxpGetRotatedPixelOffset(x,x,x,x,x,x,x,x,x,x)+48j
		dec	edx
		jmp	short loc_6990BB
; 

loc_6990B5:				; CODE XREF: GxpGetRotatedPixelOffset(x,x,x,x,x,x,x,x,x,x)+17j
		mov	edx, [ebp+arg_1C]
		mov	eax, [ebp+arg_18]

loc_6990BB:				; CODE XREF: GxpGetRotatedPixelOffset(x,x,x,x,x,x,x,x,x,x)+39j
					; GxpGetRotatedPixelOffset(x,x,x,x,x,x,x,x,x,x)+54j
		mov	ecx, [edi+4]
		add	ecx, edx
		imul	ecx, [ebp+arg_14]
		add	ecx, [edi]
		add	ecx, eax
		mov	[ebx], ecx

loc_6990CA:				; CODE XREF: GxpGetRotatedPixelOffset(x,x,x,x,x,x,x,x,x,x)+2Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	20h
_GxpGetRotatedPixelOffset@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall GxpMatchPaletteColor(x, x)
_GxpMatchPaletteColor@8	proc near	; CODE XREF: BgpGxConvertRectangleEx+879C5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		or	[ebp+var_8], 0FFFFFFFFh
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_10], edx
		mov	esi, (offset aVVHriGh+0Fh)
		mov	[ebp+var_4], ecx
		push	edi
		mov	[ebp+var_C], ebx
		sub	esi, eax

loc_6990F7:				; CODE XREF: GxpMatchPaletteColor(x,x)+60j
		xor	edi, edi
		xor	ebx, ebx

loc_6990FB:				; CODE XREF: GxpMatchPaletteColor(x,x)+44j
		lea	eax, [ebp+var_4]
		add	eax, ebx
		movzx	ecx, byte ptr [esi+eax]
		movzx	eax, byte ptr [eax]
		sub	eax, ecx
		cdq
		xor	eax, edx
		sub	eax, edx
		imul	eax, 3
		add	edi, eax
		inc	ebx
		cmp	ebx, 3
		jb	short loc_6990FB
		mov	ebx, [ebp+var_C]
		cmp	edi, [ebp+var_8]
		jnb	short loc_699129
		mov	eax, [ebp+var_10]
		mov	[ebp+var_8], edi
		mov	[eax], bl

loc_699129:				; CODE XREF: GxpMatchPaletteColor(x,x)+4Cj
		inc	ebx
		add	esi, 4
		mov	[ebp+var_C], ebx
		cmp	ebx, 10h
		jb	short loc_6990F7
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_GxpMatchPaletteColor@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpFoGetAdvanceWidth(x, x, x, x, x)
_BgpFoGetAdvanceWidth@20 proc near	; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+9Dp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_BgpRasGetGlyphAdvanceWidth@20 ; BgpRasGetGlyphAdvanceWidth(x,x,x,x,x)
_BgpFoGetAdvanceWidth@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpFoGetStringAdvanceWidth(x, x, x,	x, x)
_BgpFoGetStringAdvanceWidth@20 proc near ; CODE	XREF: BcpDisplayCriticalString(x,x,x,x)+9Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	ax, [edx]
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_8], ecx
		mov	ecx, 0FFFEh
		and	ax, cx
		mov	[ebp+var_C], edx
		push	esi
		xor	esi, esi
		xor	ecx, ecx
		mov	[ebp+var_4], esi
		mov	[ebx], esi
		push	edi
		mov	edi, esi
		cmp	cx, ax
		jnb	short loc_6991AA

loc_699174:				; CODE XREF: BgpFoGetStringAdvanceWidth(x,x,x,x,x)+63j
		push	offset _BcpWorkspace
		push	ecx
		lea	eax, [ebp+var_4]
		movzx	ecx, di
		push	eax
		mov	eax, [edx+4]
		mov	dx, [eax+ecx*2]
		mov	ecx, [ebp+var_8]
		call	_BgpRasGetGlyphAdvanceWidth@20 ; BgpRasGetGlyphAdvanceWidth(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_6991AA
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_4]
		add	[ebx], ecx
		inc	edi
		mov	cx, [edx]
		shr	cx, 1
		cmp	di, cx
		jb	short loc_699174

loc_6991AA:				; CODE XREF: BgpFoGetStringAdvanceWidth(x,x,x,x,x)+2Dj
					; BgpFoGetStringAdvanceWidth(x,x,x,x,x)+4Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_BgpFoGetStringAdvanceWidth@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpTxtAdjustStaticRegion(x,	x, x)
_BgpTxtAdjustStaticRegion@12 proc near	; CODE XREF: BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)+4Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	short loc_699204
		mov	edi, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_6991CB
		test	edi, edi
		jz	short loc_699204

loc_6991CB:				; CODE XREF: BgpTxtAdjustStaticRegion(x,x,x)+12j
		test	byte ptr [esi+30h], 1
		jz	short loc_699204
		test	edx, edx
		jz	short loc_6991DF
		mov	eax, [edx]
		mov	[esi], eax
		mov	eax, [edx+4]
		mov	[esi+4], eax

loc_6991DF:				; CODE XREF: BgpTxtAdjustStaticRegion(x,x,x)+20j
		test	edi, edi
		jz	short loc_699200
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jz	short loc_6991FA
		mov	eax, [edi]
		cmp	[esi+1Ch], eax
		jz	short loc_6991FA
		push	eax
		mov	[esi+1Ch], eax
		call	_BgpGxFillRectangle@8 ;	BgpGxFillRectangle(x,x)

loc_6991FA:				; CODE XREF: BgpTxtAdjustStaticRegion(x,x,x)+35j
					; BgpTxtAdjustStaticRegion(x,x,x)+3Cj
		mov	eax, [edi+4]
		mov	[esi+20h], eax

loc_699200:				; CODE XREF: BgpTxtAdjustStaticRegion(x,x,x)+2Ej
		xor	eax, eax
		jmp	short loc_699209
; 

loc_699204:				; CODE XREF: BgpTxtAdjustStaticRegion(x,x,x)+Bj
					; BgpTxtAdjustStaticRegion(x,x,x)+16j ...
		mov	eax, 0C000000Dh

loc_699209:				; CODE XREF: BgpTxtAdjustStaticRegion(x,x,x)+4Fj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_BgpTxtAdjustStaticRegion@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcpConvertBugDataToString(x, x)
_BcpConvertBugDataToString@8 proc near	; CODE XREF: BcpDisplayErrorInformation(x,x,x,x,x,x)+1A3p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [edx+4]
		mov	ebx, ecx
		push	edi
		movzx	edi, word ptr [edx+2]
		shr	edi, 1
		push	1Ch
		pop	ecx
		push	0
		pop	edx
		jz	short loc_69927E
		push	30h
		pop	eax
		mov	[ebp+var_4], eax

loc_699231:				; CODE XREF: BcpConvertBugDataToString(x,x)+6Dj
		test	edx, edx
		jnz	short loc_69923B
		mov	[esi+edx*2], ax
		jmp	short loc_699279
; 

loc_69923B:				; CODE XREF: BcpConvertBugDataToString(x,x)+24j
		cmp	edx, 1
		jnz	short loc_699245
		push	78h
		pop	eax
		jmp	short loc_699272
; 

loc_699245:				; CODE XREF: BcpConvertBugDataToString(x,x)+2Fj
		lea	eax, [edi-1]
		cmp	edx, eax
		jnz	short loc_699250
		xor	eax, eax
		jmp	short loc_699272
; 

loc_699250:				; CODE XREF: BcpConvertBugDataToString(x,x)+3Bj
		mov	eax, ebx
		shr	eax, cl
		and	al, 0Fh
		cmp	al, 0Ah
		jnb	short loc_699263
		movzx	eax, al
		add	ax, word ptr [ebp+var_4]
		jmp	short loc_69926C
; 

loc_699263:				; CODE XREF: BcpConvertBugDataToString(x,x)+49j
		sub	al, 0Ah
		movzx	eax, al
		add	ax, 41h

loc_69926C:				; CODE XREF: BcpConvertBugDataToString(x,x)+52j
		movzx	eax, ax
		sub	ecx, 4

loc_699272:				; CODE XREF: BcpConvertBugDataToString(x,x)+34j
					; BcpConvertBugDataToString(x,x)+3Fj
		push	30h
		mov	[esi+edx*2], ax
		pop	eax

loc_699279:				; CODE XREF: BcpConvertBugDataToString(x,x)+2Aj
		inc	edx
		cmp	edx, edi
		jb	short loc_699231

loc_69927E:				; CODE XREF: BcpConvertBugDataToString(x,x)+1Aj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
_BcpConvertBugDataToString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcpConvertProgressToString(x, x)
_BcpConvertProgressToString@8 proc near	; CODE XREF: BcpDisplayProgress(x,x)+64p
					; BgpFwDisplayBugCheckProgressUpdate(x,x,x)+228p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	ebx, edx
		mov	eax, ecx
		push	edi
		push	0Ah
		mov	esi, 3E8h
		mov	[ebp+var_10], ebx
		mov	ecx, [ebx+4]
		movzx	edi, word ptr [ebx+2]
		mov	[ebp+var_8], ecx
		shr	edi, 1
		mov	[ebp+var_4], eax
		pop	ecx
		mov	[ebp+var_C], ecx
		cmp	eax, esi
		jnb	short loc_6992C9

loc_6992B5:				; CODE XREF: BcpConvertProgressToString(x,x)+42j
		cmp	esi, 1
		jbe	short loc_6992C9
		mov	eax, esi
		xor	edx, edx
		div	ecx
		mov	esi, eax
		mov	eax, [ebp+var_4]
		cmp	esi, eax
		ja	short loc_6992B5

loc_6992C9:				; CODE XREF: BcpConvertProgressToString(x,x)+2Ej
					; BcpConvertProgressToString(x,x)+33j
		xor	ecx, ecx
		test	edi, edi
		jz	short loc_699301
		mov	ebx, [ebp+var_8]

loc_6992D2:				; CODE XREF: BcpConvertProgressToString(x,x)+77j
		cmp	esi, 1
		jb	short loc_6992FE
		xor	edx, edx
		div	esi
		xor	edx, edx
		div	[ebp+var_C]
		push	0Ah
		movzx	eax, dl
		xor	edx, edx
		add	ax, 30h
		mov	[ebx+ecx*2], ax
		mov	eax, esi
		pop	esi
		div	esi
		inc	ecx
		mov	esi, eax
		mov	eax, [ebp+var_4]
		cmp	ecx, edi
		jb	short loc_6992D2

loc_6992FE:				; CODE XREF: BcpConvertProgressToString(x,x)+50j
		mov	ebx, [ebp+var_10]

loc_699301:				; CODE XREF: BcpConvertProgressToString(x,x)+48j
		mov	eax, [ebp+var_8]
		xor	edx, edx
		pop	edi
		pop	esi
		mov	[eax+ecx*2], dx
		lea	eax, [ecx+ecx]
		mov	[ebx], ax
		xor	eax, eax
		pop	ebx
		leave
		retn
_BcpConvertProgressToString@8 endp


;  S U B	R O U T	I N E 


; __stdcall BcpCursorLessThan(x, x)
_BcpCursorLessThan@8 proc near		; CODE XREF: BcpDisplayProgress(x,x)+B6p
					; BcpDisplayProgress(x,x)+119p
		mov	eax, [ecx+4]
		cmp	eax, ds:dword_6B6B14
		jb	short loc_699331
		jnz	short loc_69932E
		mov	eax, [ecx]
		cmp	eax, ds:_BcpProgressEnd
		jb	short loc_699331

loc_69932E:				; CODE XREF: BcpCursorLessThan(x,x)+Bj
		xor	al, al
		retn
; 

loc_699331:				; CODE XREF: BcpCursorLessThan(x,x)+9j
					; BcpCursorLessThan(x,x)+15j
		mov	al, 1
		retn
_BcpCursorLessThan@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcpDisplayCriticalCharacter(x, x, x)
_BcpDisplayCriticalCharacter@12	proc near
					; CODE XREF: BcpDisplayErrorInformation(x,x,x,x,x,x)+D7p
					; BcpDisplayErrorInformation(x,x,x,x,x,x)+127p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ds:dword_6D6C78
		push	ebx
		mov	ebx, ds:_BcpCursor
		push	esi
		mov	ecx, [eax+14h]
		push	edi
		mov	edi, ds:dword_6CEA98
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		mov	[ecx+28h], edx
		mov	eax, ds:dword_6D6C78
		mov	esi, ds:dword_6CEA9C
		push	offset _BcpWorkspace
		push	ecx
		mov	[eax+4], edx
		mov	eax, [ecx+1Ch]
		lea	ecx, [ebp+var_4]
		mov	edx, ds:dword_6D6C78
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	0FFFFFFFFh
		push	eax
		push	edi
		push	ebx
		push	20h
		pop	ecx
		call	_BgpDisplayCharacterEx@40 ; BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_6993B4
		mov	eax, [ebp+var_4]
		add	eax, edi
		cmp	esi, eax
		jnb	short loc_69939E
		mov	esi, eax

loc_69939E:				; CODE XREF: BcpDisplayCriticalCharacter(x,x,x)+66j
		mov	eax, [ebp+var_8]
		add	eax, ebx
		mov	ds:dword_6CEA98, edi
		mov	ds:_BcpCursor, eax
		mov	ds:dword_6CEA9C, esi

loc_6993B4:				; CODE XREF: BcpDisplayCriticalCharacter(x,x,x)+5Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_BcpDisplayCriticalCharacter@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcpDisplayCriticalString(x,	x, x, x)
_BcpDisplayCriticalString@16 proc near	; CODE XREF: BcpDisplayErrorInformation(x,x,x,x,x,x)+5Ep
					; BcpDisplayErrorInformation(x,x,x,x,x,x)+6Dp ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_24], eax
		imul	eax, [ebp+arg_4], 48h
		push	ebx
		push	esi
		mov	esi, ds:_BcpTextBoxLeftEdgeOverride
		push	edi
		mov	[ebp+var_2C], eax
		test	esi, esi
		jz	short loc_6993E9
		mov	ecx, [esi]
		jmp	short loc_6993F5
; 

loc_6993E9:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+28j
		mov	ecx, ds:dword_6B58E8[eax]
		add	ecx, ds:dword_6B58F8[eax]

loc_6993F5:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+2Cj
		mov	edi, ds:_BcpTextBoxRightEdgeOverride
		mov	[ebp+var_20], ecx
		test	edi, edi
		jz	short loc_699406
		mov	edi, [edi]
		jmp	short loc_699418
; 

loc_699406:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+45j
		mov	edi, ds:dword_6B58E8[eax]
		add	edi, ds:dword_6B58F0[eax]
		add	edi, ds:dword_6B58F8[eax]

loc_699418:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+49j
		mov	eax, ds:dword_6D6C78
		mov	ebx, ds:_BcpCursor
		mov	esi, ds:dword_6CEA9C
		mov	[ebp+var_30], edi
		mov	ecx, [eax+14h]
		push	ecx
		push	ecx
		mov	byte ptr [ebp+arg_4+3],	0
		mov	[ecx+28h], edx
		mov	eax, ds:dword_6D6C78
		mov	[eax+4], edx
		mov	eax, ds:dword_6CEA98
		mov	edx, [ebp+var_10]
		mov	[ebp+var_8], eax
		lea	eax, [ecx+1Ch]
		lea	ecx, [ebp+var_24]
		mov	[ebp+var_1C], eax
		push	ecx
		mov	ecx, eax
		call	_BgpFoGetStringAdvanceWidth@20 ; BgpFoGetStringAdvanceWidth(x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_69946F
		mov	ecx, [ebp+var_24]
		add	ecx, ebx
		cmp	ecx, edi
		jbe	short loc_69946F
		mov	byte ptr [ebp+arg_4+3],	1

loc_69946F:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+A5j
					; BcpDisplayCriticalString(x,x,x,x)+AEj
		mov	ecx, [ebp+var_8]
		sub	esi, ecx
		test	esi, esi
		jg	short loc_69947A
		xor	esi, esi

loc_69947A:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+BBj
		mov	eax, [ebp+var_1C]
		and	[ebp+var_18], 0
		and	[ebp+var_4], 0
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_10]
		movzx	eax, word ptr [eax]
		test	eax, 0FFFFFFFEh
		jbe	loc_699662
		mov	ecx, [ebp+var_4]

loc_69949E:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+29Ej
		cmp	byte ptr [ebp+arg_4+3],	0
		push	20h
		pop	edx
		jz	loc_69957D
		mov	eax, [ebp+var_4]
		cmp	[ebp+var_18], eax
		ja	loc_69957A
		mov	ecx, [ebp+var_10]
		and	[ebp+var_28], 0
		mov	[ebp+var_18], eax
		add	eax, eax
		mov	ecx, [ecx+4]
		cmp	[eax+ecx], dx
		jz	loc_69957A

loc_6994D0:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+17Aj
		movzx	edx, word ptr [eax+ecx]
		test	dx, dx
		jz	loc_69957A
		cmp	edx, 0Dh
		jz	loc_69957A
		cmp	edx, 0Ah
		jz	loc_69957A
		push	offset _BcpWorkspace
		push	ecx
		mov	ecx, [ebp+var_1C]
		lea	eax, [ebp+var_14]
		push	eax
		call	_BgpRasGetGlyphAdvanceWidth@20 ; BgpRasGetGlyphAdvanceWidth(x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_69965F
		mov	eax, [ebp+var_28]
		add	eax, [ebp+var_14]
		mov	edx, [ebp+var_18]
		mov	[ebp+var_28], eax
		inc	edx
		add	eax, ebx
		mov	[ebp+var_18], edx
		cmp	edi, eax
		jnb	short loc_699525
		test	esi, esi
		jnz	short loc_699539

loc_699525:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+164j
		mov	eax, [ebp+var_10]
		push	20h
		mov	ecx, [eax+4]
		lea	eax, [edx+edx]
		pop	edx
		cmp	[ecx+eax], dx
		jnz	short loc_6994D0
		jmp	short loc_69957A
; 

loc_699539:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+168j
		cmp	ebx, edi
		jnb	short loc_699567
		mov	ecx, ds:dword_6D6C78
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_24]
		mov	edx, ebx
		push	[ebp+var_8]
		push	edi
		call	_BcpPrintSpaces@24 ; BcpPrintSpaces(x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_69965F
		cmp	esi, [ebp+var_C]
		jnb	short loc_699567
		mov	esi, [ebp+var_C]

loc_699567:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+180j
					; BcpDisplayCriticalString(x,x,x,x)+1A7j
		mov	eax, [ebp+var_2C]
		mov	ebx, [ebp+var_20]
		mov	eax, ds:dword_6B5900[eax]
		add	eax, esi
		add	[ebp+var_8], eax
		xor	esi, esi

loc_69957A:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+F6j
					; BcpDisplayCriticalString(x,x,x,x)+10Fj ...
		mov	ecx, [ebp+var_4]

loc_69957D:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+EAj
		mov	eax, [ebp+var_10]
		push	offset _BcpWorkspace
		push	ecx
		mov	eax, [eax+4]
		movzx	edx, word ptr [eax+ecx*2]
		lea	eax, [ebp+var_14]
		mov	ecx, [ebp+var_1C]
		push	eax
		call	_BgpRasGetGlyphAdvanceWidth@20 ; BgpRasGetGlyphAdvanceWidth(x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_69965F
		mov	eax, [ebp+var_14]
		add	eax, ebx
		cmp	edi, eax
		jnb	short loc_699607
		cmp	ebx, edi
		jnb	short loc_6995DA
		mov	ecx, ds:dword_6D6C78
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_24]
		mov	edx, ebx
		push	[ebp+var_8]
		push	edi
		call	_BcpPrintSpaces@24 ; BcpPrintSpaces(x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_69965F
		cmp	esi, [ebp+var_C]
		jnb	short loc_6995DA
		mov	esi, [ebp+var_C]

loc_6995DA:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+1F3j
					; BcpDisplayCriticalString(x,x,x,x)+21Aj
		mov	eax, [ebp+var_2C]
		mov	ecx, [ebp+var_4]
		mov	ebx, [ebp+var_20]
		push	20h
		mov	eax, ds:dword_6B5900[eax]
		add	eax, esi
		xor	esi, esi
		add	[ebp+var_8], eax
		mov	eax, [ebp+var_10]
		pop	edi
		mov	eax, [eax+4]
		cmp	[eax+ecx*2], di
		mov	edi, [ebp+var_30]
		mov	ecx, [ebp+var_8]
		jz	short loc_699648
		jmp	short loc_69960A
; 

loc_699607:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+1EFj
		mov	ecx, [ebp+var_8]

loc_69960A:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+24Aj
		mov	edx, ds:dword_6D6C78
		lea	eax, [ebp+var_C]
		push	offset _BcpWorkspace
		push	ecx
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, [ebp+var_10]
		push	0FFFFFFFFh
		push	[ebp+var_24]
		mov	eax, [eax+4]
		push	ecx
		mov	ecx, [ebp+var_4]
		push	ebx
		mov	cx, [eax+ecx*2]
		call	_BgpDisplayCharacterEx@40 ; BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_69965F
		add	ebx, [ebp+var_14]
		cmp	[ebp+var_C], esi
		jbe	short loc_699648
		mov	esi, [ebp+var_C]

loc_699648:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+248j
					; BcpDisplayCriticalString(x,x,x,x)+288j
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_4]
		inc	ecx
		mov	[ebp+var_4], ecx
		movzx	eax, word ptr [eax]
		shr	eax, 1
		cmp	ecx, eax
		jb	loc_69949E

loc_69965F:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+14Aj
					; BcpDisplayCriticalString(x,x,x,x)+19Ej ...
		mov	ecx, [ebp+var_8]

loc_699662:				; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+DAj
		lea	eax, [ecx+esi]
		mov	ds:_BcpCursor, ebx
		pop	edi
		pop	esi
		mov	ds:dword_6CEA9C, eax
		mov	eax, edx
		mov	ds:dword_6CEA98, ecx
		pop	ebx
		leave
		retn	8
_BcpDisplayCriticalString@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcpDisplayErrorInformation(x, x, x,	x, x, x)
_BcpDisplayErrorInformation@24 proc near
					; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+271p

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_90], eax
		mov	eax, ds:_BcpCursor
		push	edi
		imul	edi, ebx, 48h
		push	ebx
		mov	[ebp+var_8C], eax
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_A4], edx
		add	edi, offset unk_6B58D8
		mov	[ebp+var_A8], ebx
		push	ecx
		mov	ecx, offset unk_6D6C48
		mov	ds:_BcpTextBoxLeftEdgeOverride,	eax
		mov	edx, [edi+4]
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)
		mov	edx, [edi+4]
		push	ebx
		push	ecx
		mov	ecx, offset unk_6D6C50
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)
		mov	ecx, [edi+2Ch]
		mov	eax, ds:dword_6CEA9C
		mov	edx, [ebp+var_8C]
		add	eax, ecx
		push	ebx
		mov	ds:_BcpCursor, edx
		mov	edx, [edi]
		lea	esi, [eax+ecx]
		mov	ds:dword_6CEA98, eax
		push	ecx
		mov	ecx, offset unk_6D6BF0
		mov	ds:dword_6CEA9C, esi
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)
		mov	eax, [edi+2Ch]
		mov	ecx, [ebp+var_8C]
		add	eax, esi
		mov	edx, [edi]
		push	ebx
		mov	ds:_BcpCursor, ecx
		push	ecx
		mov	ecx, offset unk_6D6C40
		mov	[ebp+var_94], eax
		mov	ds:dword_6CEA98, esi
		mov	ds:dword_6CEA9C, eax
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)
		mov	edx, [edi]
		push	ecx
		call	_BcpDisplayCriticalCharacter@12	; BcpDisplayCriticalCharacter(x,x,x)
		mov	edx, [edi]
		push	ebx
		push	ecx
		mov	ecx, [ebp+var_90]
		add	ecx, 8
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)
		cmp	[ebp+arg_4], 0
		jz	short loc_6997DE
		mov	ecx, [ebp+var_94]
		mov	eax, [edi+2Ch]
		mov	edx, [ebp+var_8C]
		add	eax, ecx
		push	ebx
		mov	ds:_BcpCursor, edx
		mov	edx, [edi]
		mov	ds:dword_6CEA98, ecx
		push	ecx
		mov	ecx, offset unk_6D6C38
		mov	ds:dword_6CEA9C, eax
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)
		mov	edx, [edi]
		push	ecx
		call	_BcpDisplayCriticalCharacter@12	; BcpDisplayCriticalCharacter(x,x,x)
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+var_88]
		lea	edx, [ebp+var_9C]
		mov	[ebp+var_98], eax
		mov	[ebp+var_9C], (offset loc_7FFFFF+1)
		call	_BcpSanitizeDriverName@8 ; BcpSanitizeDriverName(x,x)
		mov	edx, [edi]
		push	ebx
		push	ecx
		lea	ecx, [ebp+var_9C]
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)

loc_6997DE:				; CODE XREF: BcpDisplayErrorInformation(x,x,x,x,x,x)+F2j
		mov	eax, ds:_BcpCursor
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_94], eax
		mov	eax, ds:dword_6CEA98
		mov	[ebp+var_8C], eax
		mov	eax, ds:dword_6CEA9C
		mov	[ebp+var_98], eax
		xor	eax, eax
		mov	ds:_BcpCursor, eax
		mov	esi, eax
		mov	ds:dword_6CEA98, eax
		mov	ds:dword_6CEA9C, eax

loc_699815:				; CODE XREF: BcpDisplayErrorInformation(x,x,x,x,x,x)+1F6j
		mov	edx, [ebp+var_90]
		mov	ecx, [ebx]
		add	edx, 10h
		add	edx, esi
		call	_BcpConvertBugDataToString@8 ; BcpConvertBugDataToString(x,x)
		cmp	ds:_BcpDisplayParameters, 0
		jnz	short loc_699842
		test	[ebp+arg_C], 8
		jz	short loc_69986C
		cmp	[ebp+var_A4], 13Dh
		jnz	short loc_69986C

loc_699842:				; CODE XREF: BcpDisplayErrorInformation(x,x,x,x,x,x)+1AFj
		push	[ebp+var_A8]
		mov	edx, [edi]
		push	ecx
		mov	ecx, [ebp+var_90]
		add	ecx, 10h
		add	ecx, esi
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)
		mov	eax, ds:dword_6CEA9C
		and	ds:_BcpCursor, 0
		mov	ds:dword_6CEA98, eax

loc_69986C:				; CODE XREF: BcpDisplayErrorInformation(x,x,x,x,x,x)+1B5j
					; BcpDisplayErrorInformation(x,x,x,x,x,x)+1C1j
		add	esi, 8
		add	ebx, 4
		cmp	esi, 20h
		jb	short loc_699815
		mov	eax, [ebp+var_94]
		mov	ecx, [ebp+var_4]
		and	ds:_BcpTextBoxLeftEdgeOverride,	0
		xor	ecx, ebp
		mov	ds:_BcpCursor, eax
		mov	eax, [ebp+var_8C]
		pop	edi
		mov	ds:dword_6CEA98, eax
		mov	eax, [ebp+var_98]
		pop	esi
		mov	ds:dword_6CEA9C, eax
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_BcpDisplayErrorInformation@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcpDisplayProgress(x, x)
_BcpDisplayProgress@8 proc near		; CODE XREF: BcpGetComponentOffsets(x,x,x,x,x,x)+7Cp
					; BgpFwDisplayBugCheckProgressUpdate(x,x,x)+17Bp ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_10], ecx
		push	esi
		push	edi
		mov	[ebp+var_20], eax
		lea	edi, [ebp+var_30]
		mov	[ebp+var_24], eax
		mov	esi, edx
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		stosd
		imul	ebx, esi, 48h
		cmp	ecx, 1
		mov	ecx, offset unk_6D6C18
		stosd
		stosd
		jz	short loc_6998F0
		mov	ecx, offset unk_6D6C28

loc_6998F0:				; CODE XREF: BcpDisplayProgress(x,x)+39j
		mov	edx, ds:dword_6B58E0[ebx]
		push	esi
		push	ecx
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)
		and	[ebp+var_1C], 0
		lea	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_10]
		push	8
		pop	eax
		mov	word ptr [ebp+var_1C+2], ax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_18], eax
		call	_BcpConvertProgressToString@8 ;	BcpConvertProgressToString(x,x)
		mov	edx, ds:dword_6B58E0[ebx]
		push	esi
		push	ecx
		lea	ecx, [ebp+var_1C]
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)
		cmp	[ebp+var_10], 1
		mov	ecx, offset unk_6D6C20
		jz	short loc_699939
		mov	ecx, offset unk_6D6C30

loc_699939:				; CODE XREF: BcpDisplayProgress(x,x)+82j
		mov	edx, ds:dword_6B58E0[ebx]
		push	esi
		push	ecx
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)
		mov	edx, ds:dword_6CEA98
		lea	ecx, [ebp+var_3C]
		mov	eax, ds:dword_6CEA9C
		mov	esi, ds:_BcpCursor
		mov	[ebp+var_3C], esi
		mov	[ebp+var_14], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], eax
		call	_BcpCursorLessThan@8 ; BcpCursorLessThan(x,x)
		test	al, al
		jz	loc_699A16
		mov	eax, ds:dword_6D6C78
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], edx
		mov	eax, [eax+14h]
		mov	eax, [eax+1Ch]
		mov	[ebp+var_18], eax
		mov	eax, ds:_BcpTextBoxLeftEdgeOverride
		test	eax, eax
		jz	short loc_699994
		mov	eax, [eax]
		jmp	short loc_6999A0
; 

loc_699994:				; CODE XREF: BcpDisplayProgress(x,x)+DEj
		mov	eax, ds:dword_6B58E8[ebx]
		add	eax, ds:dword_6B58F8[ebx]

loc_6999A0:				; CODE XREF: BcpDisplayProgress(x,x)+E2j
		mov	edi, ds:_BcpTextBoxRightEdgeOverride
		mov	[ebp+var_10], eax
		test	edi, edi
		jz	short loc_6999B1
		mov	edi, [edi]
		jmp	short loc_6999C3
; 

loc_6999B1:				; CODE XREF: BcpDisplayProgress(x,x)+FBj
		mov	edi, ds:dword_6B58E8[ebx]
		add	edi, ds:dword_6B58F0[ebx]
		add	edi, ds:dword_6B58F8[ebx]

loc_6999C3:				; CODE XREF: BcpDisplayProgress(x,x)+FFj
		mov	ebx, [ebp+var_10]

loc_6999C6:				; CODE XREF: BcpDisplayProgress(x,x)+154j
					; BcpDisplayProgress(x,x)+164j
		lea	ecx, [ebp+var_30]
		call	_BcpCursorLessThan@8 ; BcpCursorLessThan(x,x)
		test	al, al
		jz	short loc_699A16
		push	offset _BcpWorkspace
		push	ecx
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		mov	eax, [ebp+var_18]
		push	eax
		push	eax
		push	edx
		mov	edx, ds:dword_6D6C78
		push	esi
		push	20h
		pop	ecx
		call	_BgpDisplayCharacterEx@40 ; BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_699A2D
		add	esi, [ebp+var_20]
		mov	edx, [ebp+var_14]
		mov	[ebp+var_30], esi
		cmp	esi, edi
		jbe	short loc_6999C6
		add	edx, [ebp+var_24]
		mov	esi, ebx
		mov	[ebp+var_30], esi
		mov	[ebp+var_14], edx
		mov	[ebp+var_2C], edx
		jmp	short loc_6999C6
; 

loc_699A16:				; CODE XREF: BcpDisplayProgress(x,x)+BDj
					; BcpDisplayProgress(x,x)+120j
		test	ds:dword_6B6BB8, 1000000h
		jnz	short loc_699A2D
		mov	edi, offset _BcpProgressEnd
		lea	esi, [ebp+var_3C]
		movsd
		movsd
		movsd

loc_699A2D:				; CODE XREF: BcpDisplayProgress(x,x)+147j
					; BcpDisplayProgress(x,x)+170j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_BcpDisplayProgress@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcpGetComponentOffsets(x, x, x, x, x, x)
_BcpGetComponentOffsets@24 proc	near	; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+225p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:_BcpCursor
		push	ebx
		imul	ebx, [ebp+arg_4], 48h
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		mov	ecx, ds:dword_6CEA9C
		xor	edx, edx
		push	edi
		mov	[ebp+var_8], esi
		lea	edi, [ebp+var_18]
		mov	[esi], eax
		mov	eax, ds:dword_6CEA98
		mov	[esi+4], eax
		mov	[esi+8], ecx
		mov	eax, ds:dword_6B58F8[ebx]
		add	eax, ds:dword_6B58E8[ebx]
		mov	[esi], eax
		add	ecx, ds:dword_6B5904[ebx]
		mov	[esi+4], ecx
		mov	eax, ds:dword_6B5904[ebx]
		add	eax, ecx
		mov	[ebp+var_4], edx
		mov	[esi+8], eax
		movsd
		movsd
		movsd
		cmp	[ebp+arg_C], dl
		jz	loc_699B25
		or	ds:dword_6B6BB8, 1000000h
		mov	esi, edx
		mov	edi, [ebp+var_14]
		mov	dword ptr [ebp+arg_C], esi

loc_699AB5:				; CODE XREF: BcpGetComponentOffsets(x,x,x,x,x,x)+D9j
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		call	_BcpDisplayProgress@8 ;	BcpDisplayProgress(x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		js	loc_699B74
		cmp	edi, ds:dword_6B6B14
		jb	short loc_699ADF
		jnz	short loc_699AF0
		mov	eax, [ebp+var_18]
		cmp	eax, ds:_BcpProgressEnd
		jnb	short loc_699AF0

loc_699ADF:				; CODE XREF: BcpGetComponentOffsets(x,x,x,x,x,x)+92j
		mov	esi, offset _BcpProgressEnd
		lea	edi, [ebp+var_18]
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_14]
		mov	esi, dword ptr [ebp+arg_C]

loc_699AF0:				; CODE XREF: BcpGetComponentOffsets(x,x,x,x,x,x)+94j
					; BcpGetComponentOffsets(x,x,x,x,x,x)+9Fj
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx]
		mov	ds:_BcpCursor, eax
		mov	eax, [ecx+4]
		mov	ds:dword_6CEA98, eax
		lea	eax, [ecx+8]
		test	eax, eax
		jz	short loc_699B10
		mov	eax, [eax]
		mov	ds:dword_6CEA9C, eax

loc_699B10:				; CODE XREF: BcpGetComponentOffsets(x,x,x,x,x,x)+C9j
		inc	esi
		mov	dword ptr [ebp+arg_C], esi
		cmp	esi, 64h
		jbe	short loc_699AB5
		and	ds:dword_6B6BB8, 0FEFFFFFFh
		xor	edx, edx

loc_699B25:				; CODE XREF: BcpGetComponentOffsets(x,x,x,x,x,x)+5Fj
		mov	esi, ds:dword_6B58F8[ebx]
		mov	ecx, [ebp+arg_0]
		add	esi, ds:dword_6B58E8[ebx]
		mov	edi, [ebp+var_10]
		mov	[ecx], esi
		mov	eax, ds:dword_6B590C[ebx]
		add	eax, edi
		cmp	[ebp+arg_8], 0
		mov	[ecx+4], eax
		jz	short loc_699B53
		mov	edx, ds:dword_6B5910[ebx]
		add	edx, [ebp+arg_8]

loc_699B53:				; CODE XREF: BcpGetComponentOffsets(x,x,x,x,x,x)+10Aj
		lea	eax, [esi+edx]
		mov	edx, [ebp+var_C]
		mov	[edx], eax
		mov	ecx, ds:dword_6B5914[ebx]
		add	ecx, edi
		mov	[edx+4], ecx
		mov	eax, ds:dword_6B5904[ebx]
		add	eax, ecx
		mov	[edx+8], eax
		mov	eax, [ebp+var_4]

loc_699B74:				; CODE XREF: BcpGetComponentOffsets(x,x,x,x,x,x)+86j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_BcpGetComponentOffsets@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcpGetDisplayType(x, x, x)
_BcpGetDisplayType@12 proc near		; CODE XREF: BgpDisplaySafeToPowerOffScreen()+47p
					; BgpFwDisplayBugCheckProgressUpdate(x,x,x)+14Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, eax

loc_699B8B:				; CODE XREF: BcpGetDisplayType(x,x,x)+2Aj
		cmp	esi, ds:dword_6B5960[ecx]
		jb	short loc_699BA7
		cmp	edx, ds:dword_6B5964[ecx]
		jb	short loc_699BA7
		add	ecx, 48h
		inc	eax
		cmp	ecx, 120h
		jl	short loc_699B8B

loc_699BA7:				; CODE XREF: BcpGetDisplayType(x,x,x)+16j
					; BcpGetDisplayType(x,x,x)+1Ej
		pop	esi
		pop	ebp
		retn	0Ch
_BcpGetDisplayType@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcpPrintSpaces(x, x, x, x, x, x)
_BcpPrintSpaces@24 proc	near		; CODE XREF: BcpDisplayCriticalString(x,x,x,x)+195p
					; BcpDisplayCriticalString(x,x,x,x)+208p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		xor	edx, edx
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], edi
		cmp	esi, [ebp+arg_0]
		jnb	short loc_699BFD

loc_699BCA:				; CODE XREF: BcpPrintSpaces(x,x,x,x,x,x)+4Cj
		push	offset _BcpWorkspace
		push	ecx
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		push	20h
		pop	ecx
		call	_BgpDisplayCharacterEx@40 ; BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_699C02
		add	esi, [ebp+var_4]
		cmp	esi, [ebp+arg_0]
		jb	short loc_699BCA
		mov	edi, [ebp+var_8]

loc_699BFD:				; CODE XREF: BcpPrintSpaces(x,x,x,x,x,x)+1Cj
		mov	eax, [ebp+arg_C]
		mov	[eax], edi

loc_699C02:				; CODE XREF: BcpPrintSpaces(x,x,x,x,x,x)+44j
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	10h
_BcpPrintSpaces@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcpSanitizeDriverName(x, x)
_BcpSanitizeDriverName@8 proc near	; CODE XREF: BcpDisplayErrorInformation(x,x,x,x,x,x)+14Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ecx+4]
		movzx	ecx, word ptr [ecx]
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], edi
		movzx	eax, word ptr [edi+2]
		mov	esi, [edi+4]
		sub	eax, 2
		cmp	ecx, eax
		jb	short loc_699C2F
		mov	ecx, eax

loc_699C2F:				; CODE XREF: BcpSanitizeDriverName(x,x)+20j
		shr	ecx, 1
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_699C79
		push	20h
		pop	edi

loc_699C3A:				; CODE XREF: BcpSanitizeDriverName(x,x)+69j
		movzx	eax, word ptr [ebx+edx*2]
		cmp	eax, 2Eh
		jz	short loc_699C6D
		cmp	eax, 5Fh
		jz	short loc_699C6D
		cmp	ax, di
		jz	short loc_699C6D
		cmp	eax, 61h
		jb	short loc_699C57
		cmp	eax, 7Ah
		jbe	short loc_699C6D

loc_699C57:				; CODE XREF: BcpSanitizeDriverName(x,x)+45j
		cmp	eax, 41h
		jb	short loc_699C61
		cmp	eax, 5Ah
		jbe	short loc_699C6D

loc_699C61:				; CODE XREF: BcpSanitizeDriverName(x,x)+4Fj
		cmp	eax, 30h
		jb	short loc_699C6B
		cmp	eax, 39h
		jbe	short loc_699C6D

loc_699C6B:				; CODE XREF: BcpSanitizeDriverName(x,x)+59j
		mov	eax, edi

loc_699C6D:				; CODE XREF: BcpSanitizeDriverName(x,x)+36j
					; BcpSanitizeDriverName(x,x)+3Bj ...
		mov	[esi+edx*2], ax
		inc	edx
		cmp	edx, ecx
		jb	short loc_699C3A
		mov	edi, [ebp+var_4]

loc_699C79:				; CODE XREF: BcpSanitizeDriverName(x,x)+2Aj
		xor	eax, eax
		mov	[esi+edx*2], ax
		lea	eax, [edx+edx]
		mov	[edi], ax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_BcpSanitizeDriverName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpDisplaySafeToPowerOffScreen()
_BgpDisplaySafeToPowerOffScreen@0 proc near
					; CODE XREF: BgDisplaySafeToPowerOffScreen():loc_698DE4p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		test	byte ptr ds:dword_6B6BB8, 2
		push	esi
		push	edi
		jnz	short loc_699CAE
		mov	eax, 0C0000001h
		jmp	short loc_699D27
; 

loc_699CAE:				; CODE XREF: BgpDisplaySafeToPowerOffScreen()+1Bj
		mov	eax, ds:dword_6B6B68
		lea	esi, [ebp+var_10]
		mov	[ebp+var_10], eax
		sub	esp, 0Ch
		mov	eax, ds:dword_6B6B64
		mov	edi, esp
		mov	[ebp+var_C], eax
		mov	eax, ds:dword_6B6B6C
		mov	[ebp+var_8], eax
		movsd
		movsd
		movsd
		call	_BcpGetDisplayType@12 ;	BcpGetDisplayType(x,x,x)
		mov	edi, eax
		mov	ecx, 0FF000000h
		mov	eax, ds:dword_6D6C78
		imul	esi, edi, 48h
		mov	eax, [eax+14h]
		mov	[eax+1Ch], ecx
		call	_BgpClearScreen@4 ; BgpClearScreen(x)
		mov	eax, ds:dword_6B58E8[esi]
		mov	ds:_BcpCursor, eax
		lea	eax, dword_6B58EC[esi]
		mov	ecx, [eax]
		mov	ds:dword_6CEA98, ecx
		test	eax, eax
		jz	short loc_699D13
		mov	ds:dword_6CEA9C, ecx

loc_699D13:				; CODE XREF: BgpDisplaySafeToPowerOffScreen()+81j
		mov	edx, ds:dword_6B58E0[esi]
		push	edi
		push	ecx
		mov	ecx, offset unk_6D6C70
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)
		xor	eax, eax

loc_699D27:				; CODE XREF: BgpDisplaySafeToPowerOffScreen()+22j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_BgpDisplaySafeToPowerOffScreen@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpFwDisplayBugCheckProgressUpdate(x, x, x)
_BgpFwDisplayBugCheckProgressUpdate@12 proc near ; CODE	XREF: KiBugCheckProgress(x)+52p
					; BgpFwDisplayBugCheckProgressUpdate(x,x,x)+209p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		mov	eax, ds:dword_6B6BB8
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[esp+4Ch+var_3C], ecx
		mov	[esp+4Ch+var_38], ebx
		mov	[esp+4Ch+var_34], ebx
		push	edi
		mov	edi, edx
		mov	[esp+50h+var_8], edi
		test	eax, 400000h
		jnz	loc_699F89
		test	al, 10h
		jz	loc_699F89
		lea	eax, [esp+50h+var_38]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	esi, eax
		mov	ecx, edx
		sub	eax, ds:_BcpStartTicks
		mov	[esp+54h+var_48], eax
		mov	eax, ecx
		sbb	eax, ds:dword_6B6AF4
		sub	esi, ds:_BcpLastProgressUpdateTicks
		push	ebx
		sbb	ecx, ds:dword_6B6AEC
		push	0Ah
		mov	[esp+5Ch+var_18], eax
		mov	eax, [esp+5Ch+var_38]
		push	eax
		mov	[esp+60h+var_10], esi
		mov	esi, [esp+60h+var_3C]
		push	esi
		mov	[esp+64h+var_14], ecx
		mov	[esp+64h+var_44], eax
		call	__allmul
		mov	[esp+54h+var_34], eax
		mov	eax, edx
		mov	edx, [esp+54h+var_44]
		shld	edx, esi, 1
		mov	[esp+54h+var_2C], eax
		add	esi, esi
		mov	[esp+54h+var_44], edx
		mov	[esp+54h+var_30], esi
		cmp	[ebp+arg_0], bl
		jz	short loc_699E21
		mov	ecx, [esp+54h+var_18]
		cmp	ecx, eax
		jg	short loc_699E21
		mov	eax, [esp+54h+var_48]
		jl	short loc_699DFE
		cmp	eax, [esp+54h+var_34]
		jnb	short loc_699E21

loc_699DFE:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+C1j
		push	ebx
		push	64h
		push	ecx
		push	eax
		call	__allmul
		push	[esp+54h+var_2C]
		push	[esp+58h+var_34]
		push	edx
		push	eax
		call	__alldiv
		mov	[esp+54h+var_28], edx
		mov	edx, [esp+54h+var_44]
		jmp	short loc_699E28
; 

loc_699E21:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+B3j
					; BgpFwDisplayBugCheckProgressUpdate(x,x,x)+BBj ...
		push	64h
		pop	eax
		mov	[esp+54h+var_28], ebx

loc_699E28:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+EAj
		mov	ecx, [esp+54h+var_40]
		mov	[esp+54h+var_48], eax
		cmp	ecx, eax
		ja	short loc_699E3A
		mov	eax, ecx
		mov	[esp+54h+var_48], eax

loc_699E3A:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+FDj
		cmp	[esp+54h+var_14], edx
		jl	loc_699ED7
		jg	short loc_699E50
		cmp	[esp+54h+var_10], esi
		jb	loc_699ED7

loc_699E50:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+10Fj
		cmp	eax, ds:_BcpLastProgressDisplayed
		jb	short loc_699ED7
		mov	eax, ds:dword_6B6B68
		lea	esi, [esp+54h+var_2C]
		mov	[esp+54h+var_2C], eax
		sub	esp, 0Ch
		mov	eax, ds:dword_6B6B64
		mov	edi, esp
		mov	[esp+60h+var_28], eax
		mov	eax, ds:dword_6B6B6C
		mov	[esp+60h+var_24], eax
		movsd
		movsd
		movsd
		call	_BcpGetDisplayType@12 ;	BcpGetDisplayType(x,x,x)
		mov	ecx, ds:_BcpProgressOffset
		mov	edx, eax
		mov	esi, [esp+54h+var_48]
		mov	ds:_BcpCursor, ecx
		mov	ecx, ds:dword_6B6B34
		mov	ds:dword_6CEA98, ecx
		mov	ecx, ds:dword_6B6B38
		mov	ds:dword_6CEA9C, ecx
		mov	ecx, esi
		call	_BcpDisplayProgress@8 ;	BcpDisplayProgress(x,x)
		push	ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	edi, [esp+58h+var_10]
		mov	ecx, [esp+58h+var_44]
		mov	ds:_BcpLastProgressUpdateTicks,	eax
		mov	ds:dword_6B6AEC, edx
		mov	ds:_BcpLastProgressDisplayed, esi
		jmp	short loc_699EDD
; 

loc_699ED7:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+109j
					; BgpFwDisplayBugCheckProgressUpdate(x,x,x)+115j ...
		mov	esi, ds:_BcpLastProgressDisplayed

loc_699EDD:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+1A0j
		cmp	ecx, 64h
		jnz	short loc_699F47
		cmp	esi, ecx
		jz	short loc_699F47
		push	ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, eax
		mov	esi, edx
		sub	ecx, ds:_BcpLastProgressUpdateTicks
		mov	edx, [esp+58h+var_48]
		sbb	esi, ds:dword_6B6AEC
		cmp	esi, edx
		jg	short loc_699F36
		mov	eax, [esp+58h+var_34]
		jl	short loc_699F0F
		cmp	ecx, eax
		jnb	short loc_699F36

loc_699F0F:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+1D4j
		sub	eax, ecx
		push	ebx
		push	0F4240h
		sbb	edx, esi
		push	edx
		push	eax
		call	__allmul
		push	[esp+58h+var_3C]
		push	[esp+5Ch+var_40]
		push	edx
		push	eax
		call	__alldiv
		push	eax
		call	ds:__imp__KeStallExecutionProcessor@4 ;	KeStallExecutionProcessor(x)

loc_699F36:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+1CEj
					; BgpFwDisplayBugCheckProgressUpdate(x,x,x)+1D8j
		push	dword ptr [ebp+arg_0]
		mov	edx, edi
		push	64h
		pop	ecx
		call	_BgpFwDisplayBugCheckProgressUpdate@12 ; BgpFwDisplayBugCheckProgressUpdate(x,x,x)
		mov	ebx, eax
		jmp	short loc_699F85
; 

loc_699F47:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+1ABj
					; BgpFwDisplayBugCheckProgressUpdate(x,x,x)+1AFj
		mov	eax, offset unk_6D6BF8
		cmp	[ebp+arg_0], bl
		jnz	short loc_699F56
		mov	eax, offset unk_6D6C00

loc_699F56:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+21Aj
		lea	edx, [edi+0Ch]
		mov	[edi], eax
		mov	ecx, esi
		call	_BcpConvertProgressToString@8 ;	BcpConvertProgressToString(x,x)
		cmp	[esp+54h+var_40], 1
		jnz	short loc_699F75
		mov	eax, offset unk_6D6C20
		mov	ecx, offset unk_6D6C18
		jmp	short loc_699F7F
; 

loc_699F75:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+232j
		mov	eax, offset unk_6D6C30
		mov	ecx, offset unk_6D6C28

loc_699F7F:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+23Ej
		mov	[edi+4], ecx
		mov	[edi+8], eax

loc_699F85:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+210j
		mov	eax, ebx
		jmp	short loc_699F8B
; 

loc_699F89:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+37j
					; BgpFwDisplayBugCheckProgressUpdate(x,x,x)+3Fj
		xor	eax, eax

loc_699F8B:				; CODE XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+252j
		mov	ecx, [esp+50h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_BgpFwDisplayBugCheckProgressUpdate@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpFwDisplayBugCheckScreen(x, x, x,	x, x)
_BgpFwDisplayBugCheckScreen@20 proc near ; CODE	XREF: KiDisplayBlueScreen(x)+190p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_24], edx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	ecx, 400000h
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	eax, ds:dword_6B6BB8
		mov	[ebp+var_10], ebx
		push	esi
		push	edi
		test	al, 4
		jz	short loc_699FFD
		test	eax, ecx
		jnz	loc_69A2CE
		push	[ebp+arg_4]
		mov	ecx, ebx
		call	_BcpDisplayEarlyBugCheckScreen@12 ; BcpDisplayEarlyBugCheckScreen(x,x,x)
		mov	ecx, 83h
		mov	esi, eax
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		mov	eax, esi
		jmp	loc_69A2E4
; 

loc_699FFD:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+37j
		test	eax, ecx
		jnz	loc_69A2CE
		test	al, 10h
		jz	loc_69A2CE
		mov	eax, ds:dword_6B6B68
		lea	esi, [ebp+var_38]
		mov	[ebp+var_38], eax
		sub	esp, 0Ch
		mov	eax, ds:dword_6B6B64
		mov	edi, esp
		mov	[ebp+var_34], eax
		mov	eax, ds:dword_6B6B6C
		mov	[ebp+var_30], eax
		movsd
		movsd
		movsd
		call	_BcpGetDisplayType@12 ;	BcpGetDisplayType(x,x,x)
		mov	ecx, ds:dword_6D6C78
		mov	edi, eax
		imul	esi, edi, 48h
		mov	eax, [ecx+14h]
		cmp	ebx, 1C8h
		jnz	short loc_69A055
		mov	ecx, 0FF000000h
		mov	[eax+1Ch], ecx
		jmp	short loc_69A058
; 

loc_69A055:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+AAj
		mov	ecx, [eax+1Ch]

loc_69A058:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+B4j
		call	_BgpClearScreen@4 ; BgpClearScreen(x)
		mov	ecx, 85h
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		mov	eax, ds:dword_6B58E8[esi]
		mov	ds:_BcpCursor, eax
		lea	eax, dword_6B58EC[esi]
		mov	ecx, [eax]
		mov	ds:dword_6CEA98, ecx
		test	eax, eax
		jz	short loc_69A08A
		mov	ds:dword_6CEA9C, ecx

loc_69A08A:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+E3j
		test	ds:dword_6B6BB8, 20000h
		jnz	short loc_69A0B5
		mov	edx, ds:dword_6B58E4[esi]
		push	edi
		push	ecx
		mov	ecx, (offset loc_40372B+5)
		cmp	ebx, 1C8h
		jnz	short loc_69A0B0
		mov	ecx, offset loc_404F80

loc_69A0B0:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+10Aj
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)

loc_69A0B5:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+F5j
		mov	edx, ds:dword_6B58E8[esi]
		mov	eax, ds:dword_6B58F8[esi]
		mov	ecx, ds:dword_6B58FC[esi]
		mov	[ebp+var_8], edx
		add	eax, [ebp+var_8]
		mov	edx, ds:dword_6B58E0[esi]
		push	edi
		cmp	ebx, 1C8h
		jnz	short loc_69A0F5
		add	ecx, ds:dword_6CEA9C
		mov	ds:dword_6CEA98, ecx
		push	ecx
		mov	ds:_BcpCursor, eax
		mov	ecx, offset unk_6D6C60
		jmp	short loc_69A124
; 

loc_69A0F5:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+13Bj
		mov	[ebp+var_8], eax
		mov	eax, ds:dword_6CEA9C
		add	eax, ecx
		test	ds:dword_6B6BB8, 10000000h
		mov	ecx, [ebp+var_8]
		mov	ds:_BcpCursor, ecx
		push	ecx
		mov	ds:dword_6CEA98, eax
		mov	ecx, offset unk_6D6C58
		jnz	short loc_69A124
		mov	ecx, offset unk_6D6BE8

loc_69A124:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+154j
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+17Ej
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)
		mov	edx, ds:dword_6B58E0[esi]
		push	ecx
		call	_BcpDisplayCriticalCharacter@12	; BcpDisplayCriticalCharacter(x,x,x)
		cmp	ebx, 1C8h
		mov	ebx, [ebp+arg_8]
		jnz	short loc_69A149
		push	edi
		push	ecx
		mov	ecx, offset unk_6D6C68
		jmp	short loc_69A17A
; 

loc_69A149:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+19Fj
		test	bl, 1
		jnz	short loc_69A185
		mov	eax, ebx
		and	eax, 4
		test	bl, 2
		jz	short loc_69A16A
		test	eax, eax
		jz	short loc_69A163
		mov	ecx, offset unk_6D6C10
		jmp	short loc_69A178
; 

loc_69A163:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+1BBj
		mov	ecx, offset unk_6D6C00
		jmp	short loc_69A178
; 

loc_69A16A:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+1B7j
		mov	ecx, offset unk_6D6C08
		test	eax, eax
		jnz	short loc_69A178
		mov	ecx, offset unk_6D6BF8

loc_69A178:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+1C2j
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+1C9j ...
		push	edi
		push	ecx

loc_69A17A:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+1A8j
		mov	edx, ds:dword_6B58E0[esi]
		call	_BcpDisplayCriticalString@16 ; BcpDisplayCriticalString(x,x,x,x)

loc_69A185:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+1ADj
		mov	esi, ds:dword_6B6C30
		mov	ecx, esi
		and	[ebp+var_8], 0
		call	_BgpGxIsRectangleValid@4 ; BgpGxIsRectangleValid(x)
		mov	[ebp+var_9], al
		test	al, al
		jz	short loc_69A1A3
		mov	eax, [esi+4]
		mov	[ebp+var_8], eax

loc_69A1A3:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+1FCj
		mov	eax, ebx
		mov	edx, offset _BcpErrorMessageOffset
		and	eax, 4
		mov	[ebp+var_14], eax
		setz	cl
		movzx	eax, cl
		mov	ecx, offset _BcpProgressOffset
		push	eax
		push	[ebp+var_8]
		lea	eax, [ebp+var_2C]
		push	edi
		push	eax
		call	_BcpGetComponentOffsets@24 ; BcpGetComponentOffsets(x,x,x,x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_69A2E4
		mov	ecx, ds:_BcpErrorMessageOffset
		mov	edx, [ebp+var_10]
		mov	esi, [ebp+arg_4]
		mov	ds:_BcpCursor, ecx
		mov	ecx, ds:dword_6B6B04
		mov	ds:dword_6CEA98, ecx
		mov	ecx, ds:dword_6B6B08
		mov	ds:dword_6CEA9C, ecx
		cmp	edx, 1C8h
		jz	short loc_69A229
		push	ebx
		push	esi
		push	[ebp+arg_0]
		mov	ecx, edi
		push	[ebp+var_24]
		call	_BcpDisplayErrorInformation@24 ; BcpDisplayErrorInformation(x,x,x,x,x,x)
		cmp	[ebp+var_9], 0
		jz	short loc_69A229
		mov	ecx, ds:dword_6B6C30
		lea	edx, [ebp+var_2C]
		call	BgpGxDrawRectangle

loc_69A229:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+265j
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+27Aj
		mov	ecx, 86h
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		cmp	[ebp+var_14], 0
		jnz	short loc_69A287
		mov	eax, ds:_BcpProgressOffset
		mov	edx, edi
		mov	ds:_BcpCursor, eax
		xor	ecx, ecx
		mov	eax, ds:dword_6B6B34
		mov	ds:dword_6CEA98, eax
		mov	eax, ds:dword_6B6B38
		mov	ds:dword_6CEA9C, eax
		call	_BcpDisplayProgress@8 ;	BcpDisplayProgress(x,x)
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		and	ds:_BcpLastProgressDisplayed, 0
		mov	ds:_BcpStartTicks, eax
		mov	ds:dword_6B6AF4, edx
		mov	ds:_BcpLastProgressUpdateTicks,	eax
		mov	ds:dword_6B6AEC, edx
		jmp	short loc_69A2BC
; 

loc_69A287:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+298j
		test	bl, 2
		jnz	short loc_69A2BC
		lea	eax, [ebp+var_20]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		push	0
		push	989680h
		push	[ebp+var_1C]
		push	[ebp+var_20]
		call	__allmul
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	edx
		push	eax
		call	__alldiv
		push	eax
		call	ds:__imp__KeStallExecutionProcessor@4 ;	KeStallExecutionProcessor(x)

loc_69A2BC:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+2E6j
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+2EBj
		mov	eax, [ebp+var_8]
		mov	dword ptr [esi], offset	unk_6D6BE8
		mov	dword ptr [esi+4], offset unk_6D6BF0
		jmp	short loc_69A2E4
; 

loc_69A2CE:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+3Bj
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+60j ...
		mov	ecx, 0FF000000h
		call	_BgpClearScreen@4 ; BgpClearScreen(x)
		mov	ecx, 84h
		call	_IoSaveBugCheckProgress@4 ; IoSaveBugCheckProgress(x)
		xor	eax, eax

loc_69A2E4:				; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+59j
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+22Fj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_BgpFwDisplayBugCheckScreen@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpRasGetGlyphAdvanceWidth(x, x, x,	x, x)
_BgpRasGetGlyphAdvanceWidth@20 proc near ; CODE	XREF: BgpFoGetAdvanceWidth(x,x,x,x,x)+6j
					; BgpFoGetStringAdvanceWidth(x,x,x,x,x)+46p ...

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, edx
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		test	esi, esi
		jnz	short loc_69A314
		lea	esi, [ebp+var_C]

loc_69A314:				; CODE XREF: BgpRasGetGlyphAdvanceWidth(x,x,x,x,x)+1Aj
		push	esi
		push	ecx
		push	ecx
		push	[ebp+arg_0]
		mov	edx, ecx
		mov	ecx, ebx
		call	RaspGetXExtent
		and	dword ptr [esi+8], 0
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_BgpRasGetGlyphAdvanceWidth@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RaspGetCompositeGlyphList(int,int,void *,int,int,int)
_RaspGetCompositeGlyphList@32 proc near	; CODE XREF: RaspLoadCompositeGlyphData(x,x,x,x,x)+C4p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ecx
		mov	ecx, [ebp+arg_C]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_24], eax
		mov	[ecx], edi
		xor	esi, esi
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_C], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_14], edi
		mov	[ecx], si
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_20], edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_18], edi
		mov	[ecx], si
		mov	ecx, [ebp+arg_0]
		mov	[ecx], si
		cmp	edx, 0FFFFFFFFh
		jz	loc_69A600
		test	eax, eax
		jz	loc_69A5F9
		mov	ecx, [eax+28h]
		test	ecx, ecx
		jz	loc_69A5F9
		mov	eax, [eax+8]
		lea	esi, [ecx+edx]
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_1C], edi
		push	ecx		; void *
		mov	edx, esi
		mov	eax, [eax+8]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		cmp	word ptr [ebp+var_1C], di
		jge	loc_69A600
		push	ebx
		mov	ebx, [ebp+arg_10]
		add	esi, 0Ah
		mov	[ebp+var_1C], esi
		mov	[ebx+4], ebx
		mov	[ebx], ebx

loc_69A3BB:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+256j
		mov	edx, [ebp+arg_14]
		push	1Eh
		pop	ecx
		call	RaspAllocateMemory
		mov	edi, eax
		mov	[ebp+arg_10], edi
		test	edi, edi
		jz	loc_69A5AE
		push	7
		xor	eax, eax
		pop	ecx
		rep stosd
		stosw
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	loc_69A5EC
		mov	edi, [ebp+arg_10]
		mov	edx, esi
		mov	ecx, [ebp+var_8]
		mov	[edi+4], eax
		mov	[edi], ebx
		mov	[eax], edi
		lea	eax, [ebp+var_10]
		push	eax		; void *
		mov	[ebx+4], edi
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		mov	eax, [ebp+var_10]
		lea	edx, [esi+2]
		mov	ecx, [ebp+var_8]
		mov	[edi+0Ch], ax
		lea	eax, [ebp+var_14]
		push	eax		; void *
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		mov	ax, word ptr [ebp+var_14]
		lea	edx, [esi+4]
		mov	ecx, [ebp+var_8]
		mov	[edi+0Eh], ax
		lea	eax, [esi+6]
		mov	[ebp+arg_10], eax
		lea	eax, [ebp+var_C]
		push	eax		; void *
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		test	byte ptr [ebp+var_10], 1
		mov	esi, [ebp+arg_10]
		jz	short loc_69A461
		mov	ax, word ptr [ebp+var_C]
		mov	edx, esi
		mov	ecx, [ebp+var_8]
		mov	[edi+10h], ax
		lea	eax, [ebp+var_C]
		push	eax		; void *
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		mov	ax, word ptr [ebp+var_C]
		add	esi, 2
		mov	[edi+12h], ax
		jmp	short loc_69A46F
; 

loc_69A461:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+10Ej
		mov	ecx, [ebp+var_C]
		mov	eax, ecx
		sar	eax, 8
		mov	[edi+10h], al
		mov	[edi+11h], cl

loc_69A46F:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+131j
		mov	eax, [ebp+var_10]
		test	al, 8
		jz	short loc_69A494
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax		; void *
		mov	edx, esi
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		mov	ax, word ptr [ebp+var_4]
		add	esi, 2
		mov	[edi+14h], ax
		jmp	loc_69A52B
; 

loc_69A494:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+146j
		test	al, 40h
		jz	short loc_69A4CA
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax		; void *
		mov	edx, esi
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		mov	ax, word ptr [ebp+var_4]
		lea	edx, [esi+2]
		mov	ecx, [ebp+var_8]
		mov	[edi+14h], ax
		lea	eax, [ebp+var_4]
		push	eax		; void *
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		mov	ax, word ptr [ebp+var_4]
		add	esi, 4
		mov	[edi+16h], ax
		jmp	short loc_69A52B
; 

loc_69A4CA:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+168j
		test	al, al
		jns	short loc_69A52B
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax		; void *
		mov	edx, esi
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		mov	ax, word ptr [ebp+var_4]
		lea	edx, [esi+2]
		mov	ecx, [ebp+var_8]
		mov	[edi+14h], ax
		lea	eax, [ebp+var_4]
		push	eax		; void *
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		mov	ax, word ptr [ebp+var_4]
		lea	edx, [esi+4]
		mov	ecx, [ebp+var_8]
		mov	[edi+16h], ax
		lea	eax, [ebp+var_4]
		push	eax		; void *
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		mov	ax, word ptr [ebp+var_4]
		lea	edx, [esi+6]
		mov	ecx, [ebp+var_8]
		mov	[edi+18h], ax
		lea	eax, [ebp+var_4]
		push	eax		; void *
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		movsx	eax, word ptr [ebp+var_4]
		add	esi, 8
		mov	[edi+1Ah], eax

loc_69A52B:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+161j
					; RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+19Aj ...
		movzx	edx, word ptr [ebp+var_14]
		lea	eax, [ebp+var_20]
		mov	ecx, [ebp+var_24]
		push	eax
		call	RaspMapGlyphIndexToLocation
		mov	edx, eax
		mov	[ebp+arg_10], edx
		test	edx, edx
		js	short loc_69A5B5
		push	[ebp+arg_14]
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_18]
		mov	ecx, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	RaspLoadGlyphData
		mov	edx, eax
		mov	[ebp+arg_10], edx
		test	edx, edx
		js	short loc_69A5B5
		mov	eax, [ebp+var_18]
		mov	[edi+8], eax
		mov	ecx, [ebp+var_18]
		mov	edi, [ebp+arg_0]
		mov	ax, [ecx+18h]
		add	[edi], ax
		mov	ax, [ecx]
		mov	ecx, [ebp+arg_4]
		add	[ecx], ax
		mov	eax, [ebp+var_10]
		test	al, 20h
		jnz	loc_69A3BB
		test	eax, 100h
		jz	short loc_69A5A4
		push	[ebp+arg_8]	; void *
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		mov	edx, [ebp+arg_10]
		add	esi, 2

loc_69A5A4:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+261j
		mov	eax, [ebp+arg_C]
		sub	esi, [ebp+var_1C]
		mov	[eax], esi
		jmp	short loc_69A5F4
; 

loc_69A5AE:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+9Fj
		mov	[ebp+arg_10], 0C000009Ah

loc_69A5B5:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+214j
					; RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+233j
		mov	edi, [ebp+arg_14]

loc_69A5B8:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+2A5j
					; RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+2B3j ...
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	short loc_69A5F1
		cmp	[esi+4], ebx
		jnz	short loc_69A5EC
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_69A5EC
		mov	[ebx], eax
		mov	[eax+4], ebx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_69A5B8
		mov	ecx, [esi+8]
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_69A5B8
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	short loc_69A5B8
; 

loc_69A5EC:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+B3j
					; RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+293j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_69A5F1:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+28Ej
		mov	edx, [ebp+arg_10]

loc_69A5F4:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+27Ej
		mov	eax, edx
		pop	ebx
		jmp	short loc_69A605
; 

loc_69A5F9:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+47j
					; RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+52j
		mov	eax, 0C0000001h
		jmp	short loc_69A605
; 

loc_69A600:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+3Fj
					; RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+78j
		mov	eax, 0C000000Dh

loc_69A605:				; CODE XREF: RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+2C9j
					; RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)+2D0j
		pop	edi
		pop	esi
		leave
		retn	18h
_RaspGetCompositeGlyphList@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RaspInitializeCompositeGlyphData(int,int,void *,int,int,int,int,int)
_RaspInitializeCompositeGlyphData@40 proc near
					; CODE XREF: RaspLoadCompositeGlyphData(x,x,x,x,x)+F5p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		movzx	eax, word ptr [ebp+arg_4]
		push	ebx
		mov	[ebp+var_C], ecx
		movsx	ecx, word ptr [ebp+arg_8]
		imul	eax, 9
		push	esi
		movzx	esi, word ptr [ebp+arg_C]
		mov	[ebp+var_10], ecx
		add	ecx, 1Fh
		mov	[ebp+var_14], edx
		mov	edx, [ebp+arg_1C]
		add	eax, esi
		push	edi
		lea	ebx, [eax+ecx*2]
		mov	ecx, ebx
		call	RaspAllocateMemory
		mov	edi, eax
		test	edi, edi
		jnz	short loc_69A650
		mov	eax, 0C000009Ah
		jmp	loc_69A912
; 

loc_69A650:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+39j
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		mov	ebx, edi
		mov	ax, word ptr [ebp+arg_8]
		add	esp, 0Ch
		mov	[edi], ax
		mov	[ebp+var_2C], ebx
		movsx	edx, word ptr [ecx+2]
		mov	[edi+2], edx
		movsx	eax, word ptr [ecx+4]
		mov	[edi+6], eax
		movsx	eax, word ptr [ecx+6]
		mov	[edi+0Ah], eax
		movsx	eax, word ptr [ecx+8]
		mov	cx, word ptr [ebp+arg_4]
		mov	[edi+0Eh], eax
		lea	eax, [edi+12h]
		mov	[eax], edx
		mov	[ebp+var_18], eax
		mov	ax, word ptr [ebp+arg_C]
		mov	[edi+18h], cx
		mov	ecx, [ebp+var_10]
		mov	[edi+16h], ax
		add	edi, 2Eh
		mov	[ebp+var_4], edi
		mov	[ebx+1Ah], edi
		lea	ecx, [edi+ecx*2]
		mov	[ebp+arg_8], ecx
		mov	edx, ecx
		test	ax, ax
		jz	short loc_69A6D8
		mov	[ebx+1Eh], ecx
		add	ecx, esi
		push	edx		; void *
		mov	edx, [ebp+arg_10]
		mov	[ebp+arg_8], ecx
		mov	ecx, [ebp+var_C]
		push	esi		; size_t
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		mov	ecx, [ebp+arg_8]
		mov	edi, ebx
		mov	edi, [edi+1Ah]
		mov	[ebp+var_4], edi

loc_69A6D8:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+ABj
		movzx	eax, word ptr [ebp+arg_4]
		mov	[ebx+22h], ecx
		lea	esi, [eax+ecx]
		add	eax, 2
		mov	[ebp+arg_10], esi
		mov	[ebx+26h], esi
		lea	eax, [esi+eax*4]
		mov	[ebp+var_10], eax
		mov	[ebx+2Ah], eax
		xor	eax, eax
		mov	[ebp+arg_4], eax
		mov	[ebp+arg_0], eax
		mov	[ebp+arg_C], eax
		mov	word ptr [ebp+arg_4+2],	ax

loc_69A703:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+2E3j
					; RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+2F3j
		mov	edx, [ebp+var_14]
		mov	ebx, [edx]
		mov	[ebp+var_8], ebx
		cmp	ebx, edx
		jz	loc_69A908
		cmp	[ebx+4], edx
		jnz	loc_69A903
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	loc_69A903
		mov	[edx], eax
		mov	[eax+4], edx
		mov	eax, 200h
		mov	esi, [ebx+8]
		mov	[ebp+var_C], esi
		test	[ebx+0Ch], ax
		jz	short loc_69A74F
		mov	edx, [ebp+arg_14]
		mov	ax, [ebx+0Eh]
		mov	[edx], ax
		mov	edx, [ebp+var_18]
		mov	eax, [esi+2]
		mov	[edx], eax

loc_69A74F:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+130j
		xor	eax, eax
		xor	edx, edx
		cmp	ax, [esi]
		jge	short loc_69A781
		mov	ebx, [ebp+arg_C]
		xor	ecx, ecx

loc_69A75D:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+16Bj
		mov	eax, [esi+1Ah]
		mov	ax, [eax+ecx*2]
		add	ax, bx
		mov	[edi], ax
		add	edi, 2
		movsx	eax, word ptr [esi]
		inc	edx
		movzx	ecx, dx
		cmp	ecx, eax
		jl	short loc_69A75D
		mov	ebx, [ebp+var_8]
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_4], edi

loc_69A781:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+14Bj
		movzx	eax, word ptr [esi+18h]
		add	[ebp+arg_C], eax
		push	eax		; size_t
		push	dword ptr [esi+22h] ; void *
		push	ecx		; void *
		call	_memcpy
		movzx	eax, word ptr [esi+18h]
		add	esp, 0Ch
		movzx	edx, word ptr [ebx+0Ch]
		mov	[ebp+var_1C], eax
		movzx	eax, ax
		add	[ebp+arg_8], eax
		mov	eax, 4000h
		mov	ecx, eax
		test	dl, 8
		jz	short loc_69A7BA
		movzx	eax, word ptr [ebx+14h]
		mov	ecx, eax
		jmp	short loc_69A7C7
; 

loc_69A7BA:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+1A5j
		test	dl, 40h
		jz	short loc_69A7C7
		movzx	ecx, word ptr [ebx+14h]
		movzx	eax, word ptr [ebx+16h]

loc_69A7C7:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+1ADj
					; RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+1B2j
		movzx	eax, ax
		xor	edx, edx
		mov	[ebp+var_20], eax
		movzx	eax, cx
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		cmp	dx, word ptr [ebp+var_1C]
		jnb	loc_69A8D4
		mov	esi, [ebp+var_20]
		mov	edi, [ebp+var_10]
		cwde
		cdq
		mov	[ebp+var_24], eax
		movsx	eax, si
		mov	[ebp+var_1C], edx
		cdq
		mov	[ebp+var_28], eax
		mov	[ebp+var_20], edx

loc_69A7F9:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+2BDj
		mov	edx, [ebp+var_C]
		mov	eax, [ebp+arg_10]
		push	[ebp+var_1C]
		movzx	esi, cx
		mov	ecx, [edx+26h]
		push	[ebp+var_24]
		mov	cx, [ecx+esi*4]
		mov	[eax], cx
		mov	eax, [edx+2Ah]
		mov	ax, [eax+esi*4]
		mov	esi, [ebp+arg_10]
		mov	[edi], ax
		movsx	eax, word ptr [esi]
		cdq
		push	edx
		push	eax
		call	__allmul
		push	0
		push	4000h
		push	edx
		push	eax
		call	__alldiv
		push	[ebp+var_20]
		mov	[esi], ax
		push	[ebp+var_28]
		movsx	eax, word ptr [edi]
		cdq
		push	edx
		push	eax
		call	__allmul
		push	0
		push	4000h
		push	edx
		push	eax
		call	__alldiv
		mov	ecx, [ebp+var_8]
		mov	[edi], ax
		movzx	eax, ax
		test	cx, cx
		jnz	short loc_69A8A6
		mov	ax, word ptr [ebp+arg_4+2]
		sub	[esi], ax
		mov	eax, [ebp+arg_0]
		sub	[edi], ax
		movzx	edx, word ptr [ebx+0Ch]
		movzx	eax, word ptr [edi]
		test	dl, 2
		jz	short loc_69A8A6
		test	dl, 1
		jz	short loc_69A893
		mov	ax, [ebx+10h]
		add	[esi], ax
		mov	ax, [ebx+12h]
		jmp	short loc_69A8A0
; 

loc_69A893:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+279j
		movsx	ax, byte ptr [ebx+10h]
		add	[esi], ax
		movsx	ax, byte ptr [ebx+11h]

loc_69A8A0:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+286j
		add	[edi], ax
		movzx	eax, word ptr [edi]

loc_69A8A6:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+25Bj
					; RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+274j
		mov	dx, word ptr [ebp+arg_4+2]
		add	edi, 4
		add	dx, [esi]
		add	esi, 4
		add	[ebp+arg_0], eax
		inc	ecx
		mov	[ebp+arg_10], esi
		mov	esi, [ebp+var_C]
		mov	word ptr [ebp+arg_4+2],	dx
		mov	[ebp+var_8], ecx
		cmp	cx, [esi+18h]
		jb	loc_69A7F9
		mov	[ebp+var_10], edi
		mov	edi, [ebp+var_4]

loc_69A8D4:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+1D0j
		mov	eax, [ebp+arg_1C]
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_69A8EB
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	ecx, [ebp+arg_1C]
		mov	eax, [ecx]
		test	eax, eax

loc_69A8EB:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+2D0j
		mov	ecx, [ebp+arg_8]
		jnz	loc_69A703
		mov	ecx, ebx
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	ecx, [ebp+arg_8]
		jmp	loc_69A703
; 

loc_69A903:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+10Bj
					; RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+116j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_69A908:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+102j
		mov	eax, [ebp+arg_18]
		mov	ecx, [ebp+var_2C]
		mov	[eax], ecx
		xor	eax, eax

loc_69A912:				; CODE XREF: RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)+40j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
_RaspInitializeCompositeGlyphData@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RaspLoadCompositeGlyphData(x, x, x,	x, x)
_RaspLoadCompositeGlyphData@20 proc near ; CODE	XREF: RaspLoadGlyphData+86250p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_18], edx
		lea	edi, [ebp+var_30]
		mov	esi, ecx
		stosd
		xor	ecx, ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_8], ecx
		stosd
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], ecx
		stosw
		mov	[ebp+var_4], ecx
		test	esi, esi
		jz	loc_69AA7B
		mov	ecx, [esi+28h]
		test	ecx, ecx
		jz	loc_69AA7B
		mov	eax, [esi+8]
		lea	ebx, [ecx+edx]
		mov	edx, ebx
		mov	edi, [eax+8]
		lea	eax, [ebp+var_30]
		push	eax		; void *
		mov	ecx, edi
		mov	[ebp+var_1C], edi
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		lea	eax, [ebp+var_30+2]
		mov	ecx, edi
		push	eax		; void *
		lea	edx, [ebx+2]
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		lea	eax, [ebp+var_2C]
		mov	ecx, edi
		push	eax		; void *
		lea	edx, [ebx+4]
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		lea	eax, [ebp+var_2C+2]
		mov	ecx, edi
		push	eax		; void *
		lea	edx, [ebx+6]
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		lea	eax, [ebp+var_28]
		add	ebx, 8
		push	eax		; void *
		mov	edx, ebx
		mov	ecx, edi
		call	_FioFwReadUshortAtOffset@12 ; FioFwReadUshortAtOffset(x,x,x)
		cmp	word ptr [ebp+var_30], 0
		jl	short loc_69A9C0
		mov	eax, 0C000000Dh
		jmp	loc_69AA80
; 

loc_69A9C0:				; CODE XREF: RaspLoadCompositeGlyphData(x,x,x,x,x)+9Bj
		mov	edi, [ebp+arg_8]
		lea	eax, [ebp+var_24]
		mov	edx, [ebp+var_18]
		mov	ecx, esi
		push	edi		; int
		push	eax		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		lea	eax, [ebp+var_C]
		push	eax		; void *
		lea	eax, [ebp+var_10]
		push	eax		; int
		lea	eax, [ebp+var_14]
		push	eax		; int
		call	_RaspGetCompositeGlyphList@32 ;	RaspGetCompositeGlyphList(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_69AA80
		mov	ecx, [ebp+var_1C]
		lea	eax, [ebp+var_4]
		push	edi		; int
		push	eax		; int
		push	[ebp+arg_0]	; int
		mov	eax, [ebp+var_8]
		lea	edx, [ebp+var_24]
		add	eax, 2
		add	eax, ebx
		push	eax		; int
		push	[ebp+var_C]	; int
		lea	eax, [ebp+var_30]
		push	[ebp+var_10]	; void *
		push	[ebp+var_14]	; int
		push	eax		; int
		call	_RaspInitializeCompositeGlyphData@40 ; RaspInitializeCompositeGlyphData(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_69AA6F

loc_69AA19:				; CODE XREF: RaspLoadCompositeGlyphData(x,x,x,x,x)+123j
					; RaspLoadCompositeGlyphData(x,x,x,x,x)+131j ...
		mov	esi, [ebp+var_24]
		lea	eax, [ebp+var_24]
		cmp	esi, eax
		jz	short loc_69AA5A
		cmp	[esi+4], eax
		jnz	short loc_69AA55
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_69AA55
		mov	[ebp+var_24], eax
		lea	ecx, [ebp+var_24]
		mov	[eax+4], ecx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_69AA19
		mov	ecx, [esi+8]
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_69AA19
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	short loc_69AA19
; 

loc_69AA55:				; CODE XREF: RaspLoadCompositeGlyphData(x,x,x,x,x)+10Dj
					; RaspLoadCompositeGlyphData(x,x,x,x,x)+114j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_69AA5A:				; CODE XREF: RaspLoadCompositeGlyphData(x,x,x,x,x)+108j
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_69AA72
		cmp	dword ptr [edi], 0
		jnz	short loc_69AA6B
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_69AA6B:				; CODE XREF: RaspLoadCompositeGlyphData(x,x,x,x,x)+14Bj
		xor	ecx, ecx
		jmp	short loc_69AA72
; 

loc_69AA6F:				; CODE XREF: RaspLoadCompositeGlyphData(x,x,x,x,x)+FEj
		mov	ecx, [ebp+var_4]

loc_69AA72:				; CODE XREF: RaspLoadCompositeGlyphData(x,x,x,x,x)+146j
					; RaspLoadCompositeGlyphData(x,x,x,x,x)+154j
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	eax, ebx
		jmp	short loc_69AA80
; 

loc_69AA7B:				; CODE XREF: RaspLoadCompositeGlyphData(x,x,x,x,x)+32j
					; RaspLoadCompositeGlyphData(x,x,x,x,x)+3Dj
		mov	eax, 0C0000001h

loc_69AA80:				; CODE XREF: RaspLoadCompositeGlyphData(x,x,x,x,x)+A2j
					; RaspLoadCompositeGlyphData(x,x,x,x,x)+CBj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_RaspLoadCompositeGlyphData@20 endp


;  S U B	R O U T	I N E 


; __stdcall _MapCmClassPropertyToRegType(x)
__MapCmClassPropertyToRegType@4	proc near
					; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+83p
		cmp	ecx, 8
		jz	short loc_69AAB7
		cmp	ecx, 0Dh
		jz	short loc_69AAB7
		cmp	ecx, 11h
		jle	short loc_69AAB4
		cmp	ecx, 13h
		jle	short loc_69AAB0
		cmp	ecx, 18h
		jz	short loc_69AAAC
		lea	eax, [ecx-1Ah]
		cmp	eax, 2
		ja	short loc_69AAB4
		push	4
		jmp	short loc_69AAB2
; 

loc_69AAAC:				; CODE XREF: _MapCmClassPropertyToRegType(x)+17j
		push	3
		jmp	short loc_69AAB2
; 

loc_69AAB0:				; CODE XREF: _MapCmClassPropertyToRegType(x)+12j
		push	7

loc_69AAB2:				; CODE XREF: _MapCmClassPropertyToRegType(x)+23j
					; _MapCmClassPropertyToRegType(x)+27j
		pop	eax
		retn
; 

loc_69AAB4:				; CODE XREF: _MapCmClassPropertyToRegType(x)+Dj
					; _MapCmClassPropertyToRegType(x)+1Fj
		xor	eax, eax
		retn
; 

loc_69AAB7:				; CODE XREF: _MapCmClassPropertyToRegType(x)+3j
					; _MapCmClassPropertyToRegType(x)+8j
		xor	eax, eax
		inc	eax
		retn
__MapCmClassPropertyToRegType@4	endp


;  S U B	R O U T	I N E 


; __stdcall _MapCmRelationTypeToNtRelationType(x)
__MapCmRelationTypeToNtRelationType@4 proc near
					; CODE XREF: _CmGetDeviceRelationsList(x,x,x,x,x,x,x)+16p
		cmp	ecx, 4
		jz	short loc_69AAEB
		cmp	ecx, 8
		jz	short loc_69AAE7
		cmp	ecx, 10h
		jz	short loc_69AAE3
		cmp	ecx, 20h
		jz	short loc_69AADF
		xor	eax, eax
		cmp	ecx, 40h
		setz	al
		dec	eax
		and	eax, 0FFFFFFFBh
		add	eax, 4
		retn
; 

loc_69AADF:				; CODE XREF: _MapCmRelationTypeToNtRelationType(x)+12j
		push	3
		jmp	short loc_69AAE5
; 

loc_69AAE3:				; CODE XREF: _MapCmRelationTypeToNtRelationType(x)+Dj
		push	2

loc_69AAE5:				; CODE XREF: _MapCmRelationTypeToNtRelationType(x)+26j
		pop	eax
		retn
; 

loc_69AAE7:				; CODE XREF: _MapCmRelationTypeToNtRelationType(x)+8j
		xor	eax, eax
		inc	eax
		retn
; 

loc_69AAEB:				; CODE XREF: _MapCmRelationTypeToNtRelationType(x)+3j
		xor	eax, eax
		retn
__MapCmRelationTypeToNtRelationType@4 endp


;  S U B	R O U T	I N E 


; __stdcall _IsNeutralLocale(x)
__IsNeutralLocale@4 proc near		; CODE XREF: _PnpSetPropertyWorker+A12E5p
					; _PnpGetGenericStorePropertyLocales(x,x,x,x,x,x,x)+133p
		test	ecx, ecx
		jz	short loc_69AB29
		mov	eax, offset ??_C@_11LOCGONAA@@FNODOBFM@

loc_69AAF7:				; CODE XREF: _IsNeutralLocale(x)+29j
		mov	dx, [ecx]
		cmp	dx, [eax]
		jnz	short loc_69AB1D
		test	dx, dx
		jz	short loc_69AB19
		mov	dx, [ecx+2]
		cmp	dx, [eax+2]
		jnz	short loc_69AB1D
		add	ecx, 4
		add	eax, 4
		test	dx, dx
		jnz	short loc_69AAF7

loc_69AB19:				; CODE XREF: _IsNeutralLocale(x)+14j
		xor	eax, eax
		jmp	short loc_69AB22
; 

loc_69AB1D:				; CODE XREF: _IsNeutralLocale(x)+Fj
					; _IsNeutralLocale(x)+1Ej
		sbb	eax, eax
		or	eax, 1

loc_69AB22:				; CODE XREF: _IsNeutralLocale(x)+2Dj
		test	eax, eax
		jz	short loc_69AB29
		xor	al, al
		retn
; 

loc_69AB29:				; CODE XREF: _IsNeutralLocale(x)+2j
					; _IsNeutralLocale(x)+36j
		mov	al, 1
		retn
__IsNeutralLocale@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbGetConfigurationSubKeyCallback(x, x, x, x)
_DrvDbGetConfigurationSubKeyCallback@16	proc near
					; DATA XREF: DrvDbGetDriverPackageMappedProperty+11AE9Ao

var_30		= byte ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_2C], eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_28], ebx
		mov	dword ptr [ebp+var_30],	ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], ebx
		test	edi, edi
		jz	loc_69AD14
		lea	esi, [ebp+var_28]
		push	esi
		push	1
		push	ebx
		push	eax
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_69ACF9
		lea	eax, [ebp+var_24]
		mov	edx, [ebp+var_28]
		mov	[ebp+var_24], 4
		push	eax
		cmp	[edi+0Ch], bl
		jz	short loc_69ABC7
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	(offset	loc_5A7BC3+1)
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_69ABB4
		cmp	[ebp+var_20], 4
		jnz	short loc_69ABB4
		cmp	[ebp+var_24], 4
		jz	short loc_69ABF7

loc_69ABB4:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+7Aj
					; DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+80j
		cmp	esi, 0C0000034h
		jnz	loc_69ACF9
		mov	esi, ebx
		jmp	loc_69ACF9
; 

loc_69ABC7:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+62j
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	offset ??_C@_1BI@KGJMAEC@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAF?$AAl?$AAa?$AAg?$AAs@FNODOBFM@ ; "ConfigFlags"
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_69ACED
		cmp	[ebp+var_20], 4
		jnz	loc_69ACED
		cmp	[ebp+var_24], 4
		jnz	loc_69ACED

loc_69ABF7:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+86j
		mov	ecx, [ebp+var_2C]
		lea	edx, [ecx+2]

loc_69ABFD:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+DAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_69ABFD
		sub	ecx, edx
		mov	edx, [edi+8]
		sar	ecx, 1
		mov	[ebp+var_1C], ecx
		lea	eax, [edx+ecx]
		cmp	[edi+4], eax
		jb	short loc_69AC37
		lea	eax, [ecx+ecx]
		push	eax		; size_t
		mov	eax, [edi]
		push	[ebp+var_2C]	; void *
		lea	eax, [eax+edx*2]
		push	eax		; void *
		call	_memcpy
		mov	edx, [edi+8]
		add	esp, 0Ch
		mov	ecx, [ebp+var_1C]
		jmp	short loc_69AC3C
; 

loc_69AC37:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+ECj
		mov	esi, 0C0000023h

loc_69AC3C:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+109j
		add	ecx, edx
		mov	[edi+8], ecx
		cmp	[edi+0Ch], bl
		jz	loc_69ACCB
		lea	eax, [ecx+1]
		cmp	[edi+4], eax
		jb	short loc_69AC5E
		mov	eax, [edi]
		push	3Ah
		pop	edx
		mov	[eax+ecx*2], dx
		mov	ecx, [edi+8]

loc_69AC5E:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+124j
		push	dword ptr [ebp+var_30] ; char
		lea	eax, [ecx+1]
		push	offset ??_C@_15BHOFONJE@?$AA?$CF?$AAX@FNODOBFM@	; wchar_t *
		mov	[edi+8], eax
		lea	eax, [ebp+var_18]
		push	9		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	short loc_69ACF9
		lea	ecx, [ebp+var_18]
		lea	edx, [ecx+2]

loc_69AC86:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+163j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_69AC86
		sub	ecx, edx
		mov	edx, [edi+8]
		sar	ecx, 1
		mov	[ebp+var_1C], ecx
		lea	eax, [edx+ecx]
		cmp	[edi+4], eax
		jb	short loc_69ACC1
		lea	eax, [ecx+ecx]
		push	eax		; size_t
		lea	eax, [ebp+var_18]
		push	eax		; void *
		mov	eax, [edi]
		lea	eax, [eax+edx*2]
		push	eax		; void *
		call	_memcpy
		mov	edx, [edi+8]
		add	esp, 0Ch
		mov	ecx, [ebp+var_1C]
		jmp	short loc_69ACC6
; 

loc_69ACC1:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+175j
		mov	esi, 0C0000023h

loc_69ACC6:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+193j
		add	ecx, edx
		mov	[edi+8], ecx

loc_69ACCB:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+118j
		lea	eax, [ecx+1]
		cmp	[edi+4], eax
		jb	short loc_69ACE0
		mov	eax, [edi]
		xor	edx, edx
		mov	[eax+ecx*2], dx
		mov	ecx, [edi+8]
		jmp	short loc_69ACE5
; 

loc_69ACE0:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+1A5j
		mov	esi, 0C0000023h

loc_69ACE5:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+1B2j
		lea	eax, [ecx+1]
		mov	[edi+8], eax
		jmp	short loc_69ACF9
; 

loc_69ACED:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+B1j
					; DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+BBj ...
		lea	eax, [esi+3FFFFFCCh]
		neg	eax
		sbb	eax, eax
		and	esi, eax

loc_69ACF9:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+4Bj
					; DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+8Ej ...
		mov	edx, [ebp+var_28]
		test	edx, edx
		jz	short loc_69AD05
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_69AD05:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+1D2j
		test	esi, esi
		jns	short loc_69AD17
		mov	[edi+10h], esi
		cmp	esi, 0C0000023h
		jz	short loc_69AD17

loc_69AD14:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+34j
		push	3
		pop	ebx

loc_69AD17:				; CODE XREF: DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+1DBj
					; DrvDbGetConfigurationSubKeyCallback(x,x,x,x)+1E6j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_DrvDbGetConfigurationSubKeyCallback@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ArrayContains(x, x,	x, x, x)
_ArrayContains@20 proc near		; CODE XREF: PropertyEval+11B0C8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, edx
		mov	edx, ecx
		xor	ecx, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ecx
		push	ebx
		test	eax, eax
		jz	short loc_69ADB0
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_69ADB0
		test	edx, edx
		jz	short loc_69ADB0
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_69ADB0
		cmp	ebx, eax
		ja	short loc_69ADB0
		test	al, 0Fh
		jnz	short loc_69ADB0
		test	bl, 0Fh
		jnz	short loc_69ADB0
		push	esi
		push	edi
		xor	edi, edi

loc_69AD69:				; CODE XREF: ArrayContains(x,x,x,x,x)+7Ej
		cmp	edi, eax
		jnb	short loc_69ADAA
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_69ADA3

loc_69AD73:				; CODE XREF: ArrayContains(x,x,x,x,x)+74j
		lea	eax, [esi+edx]
		push	10h		; size_t
		push	eax		; void *
		mov	eax, [ebp+var_8]
		add	eax, edi
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_69AD93
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_4], ecx
		jmp	short loc_69AD96
; 

loc_69AD93:				; CODE XREF: ArrayContains(x,x,x,x,x)+5Fj
		mov	ecx, [ebp+var_4]

loc_69AD96:				; CODE XREF: ArrayContains(x,x,x,x,x)+67j
		mov	edx, [ebp+arg_0]
		add	esi, 10h
		cmp	esi, ebx
		jb	short loc_69AD73
		mov	eax, [ebp+var_C]

loc_69ADA3:				; CODE XREF: ArrayContains(x,x,x,x,x)+47j
		add	edi, 10h
		test	ecx, ecx
		jz	short loc_69AD69

loc_69ADAA:				; CODE XREF: ArrayContains(x,x,x,x,x)+41j
		pop	edi
		mov	eax, ecx
		pop	esi
		jmp	short loc_69ADB2
; 

loc_69ADB0:				; CODE XREF: ArrayContains(x,x,x,x,x)+1Aj
					; ArrayContains(x,x,x,x,x)+21j	...
		xor	eax, eax

loc_69ADB2:				; CODE XREF: ArrayContains(x,x,x,x,x)+84j
		pop	ebx
		leave
		retn	0Ch
_ArrayContains@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdtpTimerCallback(x, x)
_WdtpTimerCallback@8 proc near		; DATA XREF: WdtpAllocateTimer+30o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		cmp	byte ptr [esi+1Ch], 0
		jnz	short loc_69AE1E
		mov	eax, [esi+8]
		mov	byte ptr [esi+1Ch], 1
		test	eax, eax
		jz	short loc_69ADDA
		push	dword ptr [esi+4]
		call	eax

loc_69ADDA:				; CODE XREF: WdtpTimerCallback(x,x)+1Cj
		xor	edi, edi
		cmp	[esi+0Ch], edi
		jz	short loc_69ADF8
		lea	eax, [esi+38h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		lock inc dword ptr [esi+34h]
		push	edi
		lea	eax, [esi+24h]
		push	eax
		call	ExQueueWorkItem

loc_69ADF8:				; CODE XREF: WdtpTimerCallback(x,x)+28j
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_69AE24
		sub	eax, [esi+10h]
		mov	ecx, 2710h
		mul	ecx
		push	edi
		neg	eax
		push	edi
		push	edi
		adc	edx, edi
		neg	edx
		push	edx
		push	eax
		push	dword ptr [esi+20h]
		call	ExSetTimer
		jmp	short loc_69AE24
; 

loc_69AE1E:				; CODE XREF: WdtpTimerCallback(x,x)+11j
		push	dword ptr [esi+4]
		call	dword ptr [esi+18h]

loc_69AE24:				; CODE XREF: WdtpTimerCallback(x,x)+46j
					; WdtpTimerCallback(x,x)+65j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
_WdtpTimerCallback@8 endp

; [00000005 BYTES: COLLAPSED FUNCTION SC_ENV_ALLOCATOR::operator delete(void *). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; long __stdcall ScAnsiToUnicodeString(char *, struct _UNICODE_STRING *)
?ScAnsiToUnicodeString@@YGJPADPAU_UNICODE_STRING@@@Z proc near
					; CODE XREF: SC_DEVICE::ExtractDeviceStrings(void)+7Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, edx
		mov	esi, ecx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	?ScTrimString@@YGXPAD@Z	; ScTrimString(char *)
		push	esi
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlxAnsiStringToUnicodeSize@4 ; RtlxAnsiStringToUnicodeSize(x)
		mov	ecx, eax
		mov	word ptr [ebp+var_8+2],	ax
		call	?Allocate@SC_ENV@@SGPAXI@Z ; SC_ENV::Allocate(uint)
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_69AE7F
		mov	esi, 0C000009Ah
		jmp	short loc_69AEBD
; 

loc_69AE7F:				; CODE XREF: ScAnsiToUnicodeString(char	*,_UNICODE_STRING *)+45j
		push	edi
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	esi, eax
		test	esi, esi
		js	short loc_69AEAF
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jz	short loc_69AE9F
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69AE9F:				; CODE XREF: ScAnsiToUnicodeString(char	*,_UNICODE_STRING *)+67j
		mov	eax, [ebp+var_8]
		mov	[ebx], eax
		mov	eax, [ebp+var_4]
		mov	[ebx+4], eax
		mov	[ebp+var_4], edi
		jmp	short loc_69AEB2
; 

loc_69AEAF:				; CODE XREF: ScAnsiToUnicodeString(char	*,_UNICODE_STRING *)+60j
		mov	edi, [ebp+var_4]

loc_69AEB2:				; CODE XREF: ScAnsiToUnicodeString(char	*,_UNICODE_STRING *)+7Cj
		test	edi, edi
		jz	short loc_69AEBD
		mov	ecx, edi
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69AEBD:				; CODE XREF: ScAnsiToUnicodeString(char	*,_UNICODE_STRING *)+4Cj
					; ScAnsiToUnicodeString(char *,_UNICODE_STRING *)+83j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
?ScAnsiToUnicodeString@@YGJPADPAU_UNICODE_STRING@@@Z endp


;  S U B	R O U T	I N E 


; void __stdcall ScTrimString(char *)
?ScTrimString@@YGXPAD@Z	proc near	; CODE XREF: ScAnsiToUnicodeString(char	*,_UNICODE_STRING *)+1Dp
		mov	edi, edi
		push	edi
		mov	edi, ecx
		mov	edx, edi
		lea	ecx, [edx+1]

loc_69AECE:				; CODE XREF: ScTrimString(char *)+Fj
		mov	al, [edx]
		inc	edx
		test	al, al
		jnz	short loc_69AECE
		sub	edx, ecx
		jz	short loc_69AF36
		push	ebx
		push	esi
		lea	esi, [edx-1]
		xor	ebx, ebx
		test	esi, esi
		js	short loc_69AEFB

loc_69AEE4:				; CODE XREF: ScTrimString(char *)+35j
		movsx	eax, byte ptr [esi+edi]
		push	eax		; int
		call	_isspace
		pop	ecx
		test	eax, eax
		jz	short loc_69AEFB
		mov	[esi+edi], bl
		sub	esi, 1
		jns	short loc_69AEE4

loc_69AEFB:				; CODE XREF: ScTrimString(char *)+1Ej
					; ScTrimString(char *)+2Dj
		mov	esi, edi
		lea	ecx, [esi+1]

loc_69AF00:				; CODE XREF: ScTrimString(char *)+41j
		mov	al, [esi]
		inc	esi
		test	al, al
		jnz	short loc_69AF00
		sub	esi, ecx
		jz	short loc_69AF34
		test	esi, esi
		jle	short loc_69AF23

loc_69AF0F:				; CODE XREF: ScTrimString(char *)+5Dj
		movsx	eax, byte ptr [ebx+edi]
		push	eax		; int
		call	_isspace
		pop	ecx
		test	eax, eax
		jz	short loc_69AF23
		inc	ebx
		cmp	ebx, esi
		jl	short loc_69AF0F

loc_69AF23:				; CODE XREF: ScTrimString(char *)+49j
					; ScTrimString(char *)+58j
		sub	esi, ebx
		lea	eax, [ebx+edi]
		inc	esi
		push	esi		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memmove
		add	esp, 0Ch

loc_69AF34:				; CODE XREF: ScTrimString(char *)+45j
		pop	esi
		pop	ebx

loc_69AF36:				; CODE XREF: ScTrimString(char *)+13j
		pop	edi
		retn
?ScTrimString@@YGXPAD@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: __thiscall SC_DISK::SC_DISK(void)
??0SC_DISK@@QAE@XZ proc	near		; CODE XREF: IoReadPartitionTable(x,x,x,x)+2Cp
					; IoSetPartitionInformation(x,x,x,x)+27p ...

var_18		= dword	ptr -18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	edx, ecx
		push	ebx
		push	esi
		push	edi
		call	??0SC_DEVICE@@QAE@XZ ; SC_DEVICE::SC_DEVICE(void)
		or	dword ptr [edx+0C8h], 0FFFFFFFFh
		lea	edi, [ebp+var_18]
		xor	ebx, ebx
		mov	dword ptr [edx], offset	??_7SC_DISK@@6B@ ; const SC_DISK::`vftable'
		push	6
		pop	ecx
		xor	eax, eax
		mov	[edx+88h], ebx
		or	dword ptr [edx+0CCh], 0FFFFFFFFh
		lea	esi, [ebp+var_18]
		rep stosd
		push	6
		pop	ecx
		lea	edi, [edx+98h]
		mov	[edx+90h], ebx
		rep movsd
		pop	edi
		pop	esi
		mov	[edx+94h], ebx
		mov	eax, edx
		mov	[edx+0B0h], ebx
		mov	[edx+0B8h], ebx
		mov	[edx+0BCh], ebx
		mov	[edx+0C4h], ebx
		mov	[edx+0D0h], ebx
		mov	[edx+0D4h], ebx
		mov	[edx+0D8h], ebx
		mov	[edx+0DCh], ebx
		mov	[edx+0E0h], ebx
		mov	[edx+0E4h], ebx
		mov	[edx+0E8h], ebx
		mov	[edx+0ECh], ebx
		mov	[edx+0F0h], ebx
		mov	[edx+0F4h], ebx
		mov	dword ptr [edx+0C0h], 2
		pop	ebx
		leave
		retn
??0SC_DISK@@QAE@XZ endp


;  S U B	R O U T	I N E 


; public: virtual __thiscall SC_DISK::~SC_DISK(void)
??1SC_DISK@@UAE@XZ proc	near		; CODE XREF: SC_DISK::`vector deleting destructor'(uint)+8p
					; NT_DISK::`scalar deleting destructor'(uint)+Ep ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+0F4h]
		mov	dword ptr [esi], offset	??_7SC_DISK@@6B@ ; const SC_DISK::`vftable'
		test	ecx, ecx
		jz	short loc_69B009
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69B009:				; CODE XREF: SC_DISK::~SC_DISK(void)+13j
		mov	ecx, [esi+0F0h]
		test	ecx, ecx
		jz	short loc_69B018
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69B018:				; CODE XREF: SC_DISK::~SC_DISK(void)+22j
		mov	ecx, [esi+0ECh]
		test	ecx, ecx
		jz	short loc_69B027
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69B027:				; CODE XREF: SC_DISK::~SC_DISK(void)+31j
		mov	ecx, [esi+0E8h]
		test	ecx, ecx
		jz	short loc_69B036
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69B036:				; CODE XREF: SC_DISK::~SC_DISK(void)+40j
		mov	ecx, [esi+0E4h]
		test	ecx, ecx
		jz	short loc_69B045
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69B045:				; CODE XREF: SC_DISK::~SC_DISK(void)+4Fj
		mov	ecx, [esi+0E0h]
		test	ecx, ecx
		jz	short loc_69B054
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69B054:				; CODE XREF: SC_DISK::~SC_DISK(void)+5Ej
		mov	ecx, [esi+0DCh]
		test	ecx, ecx
		jz	short loc_69B063
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69B063:				; CODE XREF: SC_DISK::~SC_DISK(void)+6Dj
		mov	ecx, [esi+0D8h]
		test	ecx, ecx
		jz	short loc_69B072
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69B072:				; CODE XREF: SC_DISK::~SC_DISK(void)+7Cj
		mov	ecx, [esi+0D4h]
		test	ecx, ecx
		jz	short loc_69B081
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69B081:				; CODE XREF: SC_DISK::~SC_DISK(void)+8Bj
		mov	ecx, [esi+0D0h]
		test	ecx, ecx
		jz	short loc_69B090
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69B090:				; CODE XREF: SC_DISK::~SC_DISK(void)+9Aj
		mov	ecx, [esi+0C4h]
		test	ecx, ecx
		jz	short loc_69B09F
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69B09F:				; CODE XREF: SC_DISK::~SC_DISK(void)+A9j
		mov	ecx, esi
		pop	esi
		jmp	??1SC_DEVICE@@UAE@XZ ; SC_DEVICE::~SC_DEVICE(void)
??1SC_DISK@@UAE@XZ endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: virtual void * __thiscall SC_DISK::`vector deleting destructor'(unsigned int)
??_ESC_DISK@@UAEPAXI@Z proc near	; DATA XREF: .text:const SC_DISK::`vftable'o

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		call	??1SC_DISK@@UAE@XZ ; SC_DISK::~SC_DISK(void)
		test	[ebp+arg_0], 1
		jz	short loc_69B0C1
		mov	ecx, esi
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69B0C1:				; CODE XREF: SC_DISK::`vector deleting destructor'(uint)+11j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
??_ESC_DISK@@UAEPAXI@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_DISK::CreatePartitionTable(struct _CREATE_DISK *)
?CreatePartitionTable@SC_DISK@@QAEJPAU_CREATE_DISK@@@Z proc near
					; CODE XREF: SC_DISK::WritePartitionTable(SC_DISK_LAYOUT *)+2Ep
					; IoCreateDisk(x,x)+61p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	2
		pop	eax
		test	esi, esi
		jz	short loc_69B0DA
		mov	eax, [esi]

loc_69B0DA:				; CODE XREF: SC_DISK::CreatePartitionTable(_CREATE_DISK	*)+Ej
		sub	eax, 0
		jz	short loc_69B10B
		sub	eax, 1
		jz	short loc_69B0FD
		sub	eax, 1
		jz	short loc_69B0F0
		mov	eax, 0C00000BBh
		jmp	short loc_69B11D
; 

loc_69B0F0:				; CODE XREF: SC_DISK::CreatePartitionTable(_CREATE_DISK	*)+1Fj
		mov	[ebp+arg_0], ecx
		lea	ecx, [ebp+arg_0]
		call	?CreatePartitionTable@SC_RAW@@QAEJXZ ; SC_RAW::CreatePartitionTable(void)
		jmp	short loc_69B11D
; 

loc_69B0FD:				; CODE XREF: SC_DISK::CreatePartitionTable(_CREATE_DISK	*)+1Aj
		mov	[ebp+arg_0], ecx
		lea	ecx, [ebp+arg_0]
		push	esi
		call	?CreatePartitionTable@SC_GPT@@QAEJPAU_CREATE_DISK@@@Z ;	SC_GPT::CreatePartitionTable(_CREATE_DISK *)
		jmp	short loc_69B11D
; 

loc_69B10B:				; CODE XREF: SC_DISK::CreatePartitionTable(_CREATE_DISK	*)+15j
		push	ecx
		lea	ecx, [ebp+arg_0]
		call	?Initialize@SC_MBR@@QAEXPAVSC_DISK@@@Z ; SC_MBR::Initialize(SC_DISK *)
		push	esi
		lea	ecx, [ebp+arg_0]
		call	?CreatePartitionTable@SC_MBR@@QAEJPAU_CREATE_DISK@@@Z ;	SC_MBR::CreatePartitionTable(_CREATE_DISK *)

loc_69B11D:				; CODE XREF: SC_DISK::CreatePartitionTable(_CREATE_DISK	*)+26j
					; SC_DISK::CreatePartitionTable(_CREATE_DISK *)+33j ...
		pop	esi
		pop	ebp
		retn	4
?CreatePartitionTable@SC_DISK@@QAEJPAU_CREATE_DISK@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: unsigned long	__thiscall SC_DISK_LAYOUT::FindPartitionGpt(struct _GUID)
?FindPartitionGpt@SC_DISK_LAYOUT@@QAEKU_GUID@@@Z proc near
					; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+132p

var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ecx+4]
		push	esi
		push	edi
		lea	esi, [ebp+arg_0]
		lea	edi, [ebp+var_18]
		movsd
		movsd
		movsd
		movsd
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_69B166
		lea	edi, [ecx+50h]

loc_69B14D:				; CODE XREF: SC_DISK_LAYOUT::FindPartitionGpt(_GUID)+42j
		lea	edx, [ebp+var_18] ; void *
		mov	ecx, edi	; void *
		call	?IsEqualGUID@@YGHABU_GUID@@0@Z ; IsEqualGUID(_GUID const &,_GUID const &)
		test	eax, eax
		jnz	short loc_69B169
		inc	esi
		add	edi, 90h
		cmp	esi, ebx
		jb	short loc_69B14D

loc_69B166:				; CODE XREF: SC_DISK_LAYOUT::FindPartitionGpt(_GUID)+26j
		or	esi, 0FFFFFFFFh

loc_69B169:				; CODE XREF: SC_DISK_LAYOUT::FindPartitionGpt(_GUID)+37j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
?FindPartitionGpt@SC_DISK_LAYOUT@@QAEKU_GUID@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; private: long	__thiscall SC_DISK::GetAccessDescPost(struct _STORAGE_ACCESS_ALIGNMENT_DESCRIPTOR *)
?GetAccessDescPost@SC_DISK@@AAEJPAU_STORAGE_ACCESS_ALIGNMENT_DESCRIPTOR@@@Z proc near
					; CODE XREF: SC_DISK::GetStoragePropertyPost(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+2Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ecx+0ACh]
		push	esi
		xor	esi, esi
		cmp	[eax+10h], ecx
		jnz	short loc_69B1A1
		mov	eax, [eax+14h]
		cmp	eax, ecx
		jb	short loc_69B1A1
		xor	edx, edx
		div	ecx
		test	edx, edx
		jz	short loc_69B1A6

loc_69B1A1:				; CODE XREF: SC_DISK::GetAccessDescPost(_STORAGE_ACCESS_ALIGNMENT_DESCRIPTOR *)+14j
					; SC_DISK::GetAccessDescPost(_STORAGE_ACCESS_ALIGNMENT_DESCRIPTOR *)+1Bj
		mov	esi, 0C000090Bh

loc_69B1A6:				; CODE XREF: SC_DISK::GetAccessDescPost(_STORAGE_ACCESS_ALIGNMENT_DESCRIPTOR *)+23j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
?GetAccessDescPost@SC_DISK@@AAEJPAU_STORAGE_ACCESS_ALIGNMENT_DESCRIPTOR@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; protected: virtual long __thiscall SC_DISK::GetStoragePropertyPost(enum  _STORAGE_PROPERTY_ID, struct	_STORAGE_DESCRIPTOR_HEADER *)
?GetStoragePropertyPost@SC_DISK@@MAEJW4_STORAGE_PROPERTY_ID@@PAU_STORAGE_DESCRIPTOR_HEADER@@@Z proc near
					; DATA XREF: .text:004050F4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		cmp	eax, 0Eh
		jg	short loc_69B1E0
		jz	short loc_69B20C
		cmp	eax, 4
		jz	short loc_69B20C
		cmp	eax, 6
		jz	short loc_69B1D4
		jle	short loc_69B20C
		cmp	eax, 8
		jle	short loc_69B20C
		cmp	eax, 0Bh
		jmp	short loc_69B20C
; 

loc_69B1D4:				; CODE XREF: SC_DISK::GetStoragePropertyPost(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+19j
		push	[ebp+arg_4]
		call	?GetAccessDescPost@SC_DISK@@AAEJPAU_STORAGE_ACCESS_ALIGNMENT_DESCRIPTOR@@@Z ; SC_DISK::GetAccessDescPost(_STORAGE_ACCESS_ALIGNMENT_DESCRIPTOR *)
		mov	edx, eax
		jmp	short loc_69B20C
; 

loc_69B1E0:				; CODE XREF: SC_DISK::GetStoragePropertyPost(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+Dj
		sub	eax, 15h
		jz	short loc_69B20C
		sub	eax, 24h
		jz	short loc_69B20C
		sub	eax, 1
		jz	short loc_69B1F5
		dec	eax
		sub	eax, 1
		jmp	short loc_69B20C
; 

loc_69B1F5:				; CODE XREF: SC_DISK::GetStoragePropertyPost(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+40j
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	esi, [ecx+20h]
		cmp	esi, [ecx]
		jb	short loc_69B208
		mov	eax, [ecx+4]
		dec	eax
		cmp	esi, eax
		jbe	short loc_69B20B

loc_69B208:				; CODE XREF: SC_DISK::GetStoragePropertyPost(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+51j
		mov	[ecx+20h], edx

loc_69B20B:				; CODE XREF: SC_DISK::GetStoragePropertyPost(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+59j
		pop	esi

loc_69B20C:				; CODE XREF: SC_DISK::GetStoragePropertyPost(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+Fj
					; SC_DISK::GetStoragePropertyPost(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+14j ...
		mov	eax, edx
		pop	ebp
		retn	8
?GetStoragePropertyPost@SC_DISK@@MAEJW4_STORAGE_PROPERTY_ID@@PAU_STORAGE_DESCRIPTOR_HEADER@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; protected: virtual long __thiscall SC_DISK::GetStoragePropertyPre(enum  _STORAGE_PROPERTY_ID,	unsigned long *)
?GetStoragePropertyPre@SC_DISK@@MAEJW4_STORAGE_PROPERTY_ID@@PAK@Z proc near
					; DATA XREF: .text:004050F0o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[eax], esi
		push	edi
		mov	edi, ecx
		cmp	edx, 0Eh
		jg	short loc_69B268
		jz	short loc_69B260
		mov	ecx, edx
		sub	ecx, 4
		jz	short loc_69B258
		dec	ecx
		sub	ecx, 1
		jz	short loc_69B258
		sub	ecx, 1
		jz	short loc_69B250
		sub	ecx, 1
		jz	short loc_69B250
		sub	ecx, 3
		jnz	short loc_69B27F
		mov	dword ptr [eax], 28h
		jmp	short loc_69B2AA
; 

loc_69B250:				; CODE XREF: SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+2Aj
					; SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+2Fj
		mov	dword ptr [eax], 0Ch
		jmp	short loc_69B2AA
; 

loc_69B258:				; CODE XREF: SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+1Fj
					; SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+25j
		mov	dword ptr [eax], 1Ch
		jmp	short loc_69B2AA
; 

loc_69B260:				; CODE XREF: SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+18j
		mov	dword ptr [eax], 20h
		jmp	short loc_69B2AA
; 

loc_69B268:				; CODE XREF: SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+16j
		mov	ecx, edx
		sub	ecx, 15h
		jz	short loc_69B2A4
		sub	ecx, 24h
		jz	short loc_69B29C
		sub	ecx, 1
		jz	short loc_69B294
		dec	ecx
		sub	ecx, 1
		jz	short loc_69B28C

loc_69B27F:				; CODE XREF: SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+34j
		push	eax
		push	edx
		mov	ecx, edi
		call	?GetStoragePropertyPre@SC_DEVICE@@MAEJW4_STORAGE_PROPERTY_ID@@PAK@Z ; SC_DEVICE::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)
		mov	esi, eax
		jmp	short loc_69B2AA
; 

loc_69B28C:				; CODE XREF: SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+6Bj
		mov	dword ptr [eax], 30h
		jmp	short loc_69B2AA
; 

loc_69B294:				; CODE XREF: SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+65j
		mov	dword ptr [eax], 24h
		jmp	short loc_69B2AA
; 

loc_69B29C:				; CODE XREF: SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+60j
		mov	dword ptr [eax], 108h
		jmp	short loc_69B2AA
; 

loc_69B2A4:				; CODE XREF: SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+5Bj
		mov	dword ptr [eax], 18h

loc_69B2AA:				; CODE XREF: SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+3Cj
					; SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+44j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
?GetStoragePropertyPre@SC_DISK@@MAEJW4_STORAGE_PROPERTY_ID@@PAK@Z endp


;  S U B	R O U T	I N E 


; public: virtual long __thiscall SC_DISK::Initialize(void)
?Initialize@SC_DISK@@UAEJXZ proc near	; CODE XREF: IoReadPartitionTable(x,x,x,x)+4Cp
					; IoSetPartitionInformation(x,x,x,x)+68p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	?Initialize@SC_DEVICE@@UAEJXZ ;	SC_DEVICE::Initialize(void)
		test	eax, eax
		js	loc_69B363
		lea	ecx, [esi+4]	; void *
		mov	edx, offset _GUID_DEVCLASS_SMRDISK ; void *
		call	?IsEqualGUID@@YGHABU_GUID@@0@Z ; IsEqualGUID(_GUID const &,_GUID const &)
		test	eax, eax
		jz	short loc_69B2DC
		or	dword ptr [esi+88h], 1

loc_69B2DC:				; CODE XREF: SC_DISK::Initialize(void)+21j
		mov	eax, [esi]
		mov	ecx, esi
		push	ebx
		push	edi
		push	8
		lea	edi, [esi+90h]
		xor	ebx, ebx
		push	edi
		push	ebx
		push	ebx
		push	7405Ch
		call	dword ptr [eax+8]
		test	eax, eax
		js	short loc_69B361
		mov	eax, [edi]
		or	eax, [edi+4]
		jz	short loc_69B327
		mov	edx, [esi]
		lea	eax, [esi+98h]
		push	18h
		push	eax
		push	ebx
		push	ebx
		push	70000h
		mov	ecx, esi
		call	dword ptr [edx+8]
		test	eax, eax
		js	short loc_69B361
		mov	eax, [esi+0ACh]
		test	eax, eax
		jnz	short loc_69B32E

loc_69B327:				; CODE XREF: SC_DISK::Initialize(void)+4Ej
		mov	eax, 0C00000A3h
		jmp	short loc_69B361
; 

loc_69B32E:				; CODE XREF: SC_DISK::Initialize(void)+73j
		bsr	eax, eax
		mov	[esi+0B0h], eax
		mov	eax, [edi]
		mov	edx, [edi+4]
		mov	ecx, [esi+0B0h]
		call	__aullshr
		push	ecx
		mov	ecx, esi
		mov	[esi+0B8h], eax
		mov	[esi+0BCh], edx
		call	?UpdateStorageProperty@SC_DEVICE@@QAEJW4_STORAGE_PROPERTY_ID@@@Z ; SC_DEVICE::UpdateStorageProperty(_STORAGE_PROPERTY_ID)
		test	eax, eax
		jns	short loc_69B361
		mov	eax, ebx

loc_69B361:				; CODE XREF: SC_DISK::Initialize(void)+47j
					; SC_DISK::Initialize(void)+69j ...
		pop	edi
		pop	ebx

loc_69B363:				; CODE XREF: SC_DISK::Initialize(void)+Cj
		pop	esi
		retn
?Initialize@SC_DISK@@UAEJXZ endp ; sp =	-0Ch


;  S U B	R O U T	I N E 


; public: long __thiscall SC_DISK::InitializePartitionCache(void)
?InitializePartitionCache@SC_DISK@@QAEJXZ proc near
					; CODE XREF: IoReadPartitionTable(x,x,x,x)+5Fp
					; IoSetPartitionInformation(x,x,x,x)+7Ap ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	eax, eax
		inc	eax
		mov	ecx, [esi+0B0h]
		shl	eax, cl
		mov	ecx, eax
		call	?Allocate@SC_ENV@@SGPAXI@Z ; SC_ENV::Allocate(uint)
		mov	[esi+0C4h], eax
		test	eax, eax
		jnz	short loc_69B38D
		mov	eax, 0C000009Ah
		pop	esi
		retn
; 

loc_69B38D:				; CODE XREF: SC_DISK::InitializePartitionCache(void)+1Fj
		mov	ecx, esi
		pop	esi
		jmp	?ResetPartitionCache@SC_DISK@@QAEJXZ ; SC_DISK::ResetPartitionCache(void)
?InitializePartitionCache@SC_DISK@@QAEJXZ endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: unsigned char	__thiscall SC_DISK::IsVbr(void)
?IsVbr@SC_DISK@@QAEEXZ proc near	; CODE XREF: SC_DISK::ResetPartitionCache(void)+6Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, 0AA55h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	bl, bl
		mov	esi, [edi+0C4h]
		cmp	[esi+1FEh], ax
		jnz	loc_69B43C
		mov	al, [esi]
		cmp	al, 0EBh
		jz	short loc_69B3C6
		cmp	al, 0E9h
		jnz	short loc_69B43C

loc_69B3C6:				; CODE XREF: SC_DISK::IsVbr(void)+2Bj
		cmp	dword ptr [edi+0A0h], 0Bh
		mov	bl, 1
		jnz	short loc_69B400
		push	8		; size_t
		lea	eax, [esi+3]
		push	(offset	loc_5A7BDB+1) ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_69B43C
		xor	ecx, ecx
		lea	eax, [esi+1C2h]

loc_69B3F0:				; CODE XREF: SC_DISK::IsVbr(void)+67j
		cmp	byte ptr [eax],	0
		jnz	short loc_69B400
		inc	ecx
		add	eax, 10h
		cmp	ecx, 4
		jb	short loc_69B3F0
		jmp	short loc_69B43C
; 

loc_69B400:				; CODE XREF: SC_DISK::IsVbr(void)+3Aj
					; SC_DISK::IsVbr(void)+5Ej
		mov	eax, [edi+0B8h]
		and	[ebp+var_4], 0
		add	esi, 1BEh
		mov	edi, [edi+0BCh]
		mov	[ebp+var_8], eax

loc_69B419:				; CODE XREF: SC_DISK::IsVbr(void)+A3j
		push	edi
		push	eax
		push	0
		mov	ecx, esi
		call	?Validate@MBR_ENTRY@@QAEEK_K@Z ; MBR_ENTRY::Validate(ulong,unsigned __int64)
		test	al, al
		jz	short loc_69B43C
		mov	eax, [ebp+var_4]
		add	esi, 10h
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, 4
		mov	eax, [ebp+var_8]
		jb	short loc_69B419
		xor	bl, bl

loc_69B43C:				; CODE XREF: SC_DISK::IsVbr(void)+21j
					; SC_DISK::IsVbr(void)+2Fj ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
?IsVbr@SC_DISK@@QAEEXZ endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_DISK::ReadPartitionTable(class SC_DISK_LAYOUT * *)
?ReadPartitionTable@SC_DISK@@QAEJPAPAVSC_DISK_LAYOUT@@@Z proc near
					; CODE XREF: IoReadPartitionTable(x,x,x,x)+77p
					; IoReadDiskSignature(x,x,x)+69p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, ecx
		and	dword ptr [edi], 0
		mov	eax, [esi+0C0h]
		sub	eax, 0
		jz	short loc_69B498
		sub	eax, 1
		jz	short loc_69B47D
		sub	eax, 1
		jz	short loc_69B46F
		mov	eax, 0C00000BBh
		jmp	short loc_69B4AA
; 

loc_69B46F:				; CODE XREF: SC_DISK::ReadPartitionTable(SC_DISK_LAYOUT	* *)+23j
		push	edi
		lea	ecx, [ebp+arg_0]
		mov	[ebp+arg_0], esi
		call	?ReadPartitionTable@SC_RAW@@QAEJPAPAVSC_DISK_LAYOUT@@@Z	; SC_RAW::ReadPartitionTable(SC_DISK_LAYOUT * *)
		jmp	short loc_69B4AA
; 

loc_69B47D:				; CODE XREF: SC_DISK::ReadPartitionTable(SC_DISK_LAYOUT	* *)+1Ej
		push	edi
		lea	ecx, [ebp+arg_0]
		mov	[ebp+arg_0], esi
		call	?ReadPartitionTable@SC_GPT@@QAEJPAPAVSC_DISK_LAYOUT@@@Z	; SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)
		test	eax, eax
		jns	short loc_69B4AA
		mov	ecx, esi
		call	?ResetPartitionCache@SC_DISK@@QAEJXZ ; SC_DISK::ResetPartitionCache(void)
		test	eax, eax
		js	short loc_69B4AA

loc_69B498:				; CODE XREF: SC_DISK::ReadPartitionTable(SC_DISK_LAYOUT	* *)+19j
		push	esi
		lea	ecx, [ebp+arg_0]
		call	?Initialize@SC_MBR@@QAEXPAVSC_DISK@@@Z ; SC_MBR::Initialize(SC_DISK *)
		push	edi
		lea	ecx, [ebp+arg_0]
		call	?ReadPartitionTable@SC_MBR@@QAEJPAPAVSC_DISK_LAYOUT@@@Z	; SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)

loc_69B4AA:				; CODE XREF: SC_DISK::ReadPartitionTable(SC_DISK_LAYOUT	* *)+2Aj
					; SC_DISK::ReadPartitionTable(SC_DISK_LAYOUT * *)+38j ...
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
?ReadPartitionTable@SC_DISK@@QAEJPAPAVSC_DISK_LAYOUT@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_DISK::ReadSectors(unsigned	long, unsigned __int64,	void *)
?ReadSectors@SC_DISK@@QAEJK_KPAX@Z proc	near
					; CODE XREF: SC_DISK::ResetPartitionCache(void)+Ep
					; SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+222p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	esi
		push	edi
		mov	edi, ecx
		test	eax, eax
		jnz	short loc_69B4C7
		mov	eax, [edi+0C4h]

loc_69B4C7:				; CODE XREF: SC_DISK::ReadSectors(ulong,unsigned __int64,void *)+Ej
		mov	ecx, [edi+0B0h]
		mov	edx, [ebp+arg_8]
		mov	esi, [edi]
		push	eax
		mov	eax, [ebp+arg_0]
		shl	eax, cl
		push	eax
		mov	eax, [ebp+arg_4]
		call	__allshl
		push	edx
		push	eax
		mov	ecx, edi
		call	dword ptr [esi+1Ch]
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
?ReadSectors@SC_DISK@@QAEJK_KPAX@Z endp


;  S U B	R O U T	I N E 


; public: long __thiscall SC_DISK::ResetPartitionCache(void)
?ResetPartitionCache@SC_DISK@@QAEJXZ proc near
					; CODE XREF: SC_DISK::InitializePartitionCache(void)+2Bj
					; SC_DISK::ReadPartitionTable(SC_DISK_LAYOUT * *)+4Cp ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, ecx
		push	eax
		push	eax
		push	eax
		push	1
		call	?ReadSectors@SC_DISK@@QAEJK_KPAX@Z ; SC_DISK::ReadSectors(ulong,unsigned __int64,void *)
		mov	edi, eax
		test	edi, edi
		js	short loc_69B56E
		mov	ecx, [esi+0C4h]
		mov	eax, 0AA55h
		cmp	[ecx+1FEh], ax
		jz	short loc_69B527
		mov	dword ptr [esi+0C0h], 2
		jmp	short loc_69B56E
; 

loc_69B527:				; CODE XREF: SC_DISK::ResetPartitionCache(void)+2Bj
		cmp	byte ptr [ecx+1C2h], 0EEh
		jnz	short loc_69B557
		cmp	byte ptr [ecx+1D2h], 0
		jnz	short loc_69B557
		cmp	byte ptr [ecx+1E2h], 0
		jnz	short loc_69B557
		cmp	byte ptr [ecx+1F2h], 0
		jnz	short loc_69B557
		mov	dword ptr [esi+0C0h], 1
		jmp	short loc_69B56E
; 

loc_69B557:				; CODE XREF: SC_DISK::ResetPartitionCache(void)+40j
					; SC_DISK::ResetPartitionCache(void)+49j ...
		mov	ecx, esi
		call	?IsVbr@SC_DISK@@QAEEXZ ; SC_DISK::IsVbr(void)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 2
		mov	[esi+0C0h], eax

loc_69B56E:				; CODE XREF: SC_DISK::ResetPartitionCache(void)+17j
					; SC_DISK::ResetPartitionCache(void)+37j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ecx
		retn
?ResetPartitionCache@SC_DISK@@QAEJXZ endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; protected: virtual void __thiscall SC_DISK::SaveStorageProperty(enum	_STORAGE_PROPERTY_ID, struct _STORAGE_DESCRIPTOR_HEADER	*)
?SaveStorageProperty@SC_DISK@@MAEXW4_STORAGE_PROPERTY_ID@@PAU_STORAGE_DESCRIPTOR_HEADER@@@Z proc near
					; DATA XREF: .text:00403A52o
					; .text:004050F8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ecx
		cmp	edx, 0Bh
		jg	short loc_69B5C1
		jz	short loc_69B5BA
		mov	eax, edx
		sub	eax, 4
		jz	short loc_69B5B3
		dec	eax
		sub	eax, 1
		jz	short loc_69B5AC
		sub	eax, 1
		jz	short loc_69B5A5
		sub	eax, 1
		jnz	short loc_69B5D8
		mov	esi, 0F0h
		jmp	short loc_69B5FD
; 

loc_69B5A5:				; CODE XREF: SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+23j
		mov	esi, 0E8h
		jmp	short loc_69B5FD
; 

loc_69B5AC:				; CODE XREF: SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+1Ej
		mov	esi, 0D0h
		jmp	short loc_69B5FD
; 

loc_69B5B3:				; CODE XREF: SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+18j
		mov	esi, 0D8h
		jmp	short loc_69B5FD
; 

loc_69B5BA:				; CODE XREF: SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+11j
		mov	esi, 0ECh
		jmp	short loc_69B5FD
; 

loc_69B5C1:				; CODE XREF: SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+Fj
		mov	eax, edx
		sub	eax, 0Eh
		jz	short loc_69B5F8
		sub	eax, 2Bh
		jz	short loc_69B5F1
		sub	eax, 1
		jz	short loc_69B5EA
		dec	eax
		sub	eax, 1
		jz	short loc_69B5E3

loc_69B5D8:				; CODE XREF: SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+28j
		push	[ebp+arg_4]
		push	edx
		call	?SaveStorageProperty@SC_DEVICE@@MAEXW4_STORAGE_PROPERTY_ID@@PAU_STORAGE_DESCRIPTOR_HEADER@@@Z ;	SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)
		jmp	short loc_69B60F
; 

loc_69B5E3:				; CODE XREF: SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+62j
		mov	esi, 0F4h
		jmp	short loc_69B5FD
; 

loc_69B5EA:				; CODE XREF: SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+5Cj
		mov	esi, 0E0h
		jmp	short loc_69B5FD
; 

loc_69B5F1:				; CODE XREF: SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+57j
		mov	esi, 0D4h
		jmp	short loc_69B5FD
; 

loc_69B5F8:				; CODE XREF: SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+52j
		mov	esi, 0E4h

loc_69B5FD:				; CODE XREF: SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+2Fj
					; SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+36j ...
		mov	ecx, [esi+edi]
		test	ecx, ecx
		jz	short loc_69B609
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69B609:				; CODE XREF: SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+8Ej
		mov	eax, [ebp+arg_4]
		mov	[esi+edi], eax

loc_69B60F:				; CODE XREF: SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+6Dj
		pop	edi
		pop	esi
		pop	ebp
		retn	8
?SaveStorageProperty@SC_DISK@@MAEXW4_STORAGE_PROPERTY_ID@@PAU_STORAGE_DESCRIPTOR_HEADER@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_DISK::SetPartition(unsigned long, struct _SET_PARTITION_INFORMATION_EX *)
?SetPartition@SC_DISK@@QAEJKPAU_SET_PARTITION_INFORMATION_EX@@@Z proc near
					; CODE XREF: IoSetPartitionInformation(x,x,x,x)+94p
					; IoSetPartitionInformationEx(x,x,x)+64p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+0C0h]
		push	esi
		mov	esi, [ebp+arg_4]
		cmp	eax, [esi]
		jz	short loc_69B630
		mov	eax, 0C000000Dh
		jmp	short loc_69B667
; 

loc_69B630:				; CODE XREF: SC_DISK::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+12j
		sub	eax, 0
		jz	short loc_69B652
		sub	eax, 1
		jz	short loc_69B641
		mov	eax, 0C00000BBh
		jmp	short loc_69B667
; 

loc_69B641:				; CODE XREF: SC_DISK::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+23j
		push	esi
		push	[ebp+arg_0]
		mov	[ebp+arg_4], ecx
		lea	ecx, [ebp+arg_4]
		call	?SetPartition@SC_GPT@@QAEJKPAU_SET_PARTITION_INFORMATION_EX@@@Z	; SC_GPT::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)
		jmp	short loc_69B667
; 

loc_69B652:				; CODE XREF: SC_DISK::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+1Ej
		push	ecx
		lea	ecx, [ebp+arg_4]
		call	?Initialize@SC_MBR@@QAEXPAVSC_DISK@@@Z ; SC_MBR::Initialize(SC_DISK *)
		push	esi
		push	[ebp+arg_0]
		lea	ecx, [ebp+arg_4]
		call	?SetPartition@SC_MBR@@QAEJKPAU_SET_PARTITION_INFORMATION_EX@@@Z	; SC_MBR::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)

loc_69B667:				; CODE XREF: SC_DISK::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+19j
					; SC_DISK::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+2Aj ...
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
?SetPartition@SC_DISK@@QAEJKPAU_SET_PARTITION_INFORMATION_EX@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_DISK::VerifyPartitionTable(unsigned char)
?VerifyPartitionTable@SC_DISK@@QAEJE@Z proc near
					; CODE XREF: IoVerifyPartitionTable(x,x)+5Fp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+0C0h]
		xor	edx, edx
		sub	eax, edx
		jz	short loc_69B69B
		sub	eax, 1
		jz	short loc_69B68B
		mov	edx, 0C00000BBh
		jmp	short loc_69B69B
; 

loc_69B68B:				; CODE XREF: SC_DISK::VerifyPartitionTable(uchar)+15j
		push	[ebp+arg_0]
		mov	[ebp+var_4], ecx
		lea	ecx, [ebp+var_4]
		call	?VerifyPartitionTable@SC_GPT@@QAEJE@Z ;	SC_GPT::VerifyPartitionTable(uchar)
		mov	edx, eax

loc_69B69B:				; CODE XREF: SC_DISK::VerifyPartitionTable(uchar)+10j
					; SC_DISK::VerifyPartitionTable(uchar)+1Cj
		mov	eax, edx
		leave
		retn	4
?VerifyPartitionTable@SC_DISK@@QAEJE@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_DISK::WritePartitionTable(class SC_DISK_LAYOUT *)
?WritePartitionTable@SC_DISK@@QAEJPAVSC_DISK_LAYOUT@@@Z	proc near
					; CODE XREF: IoWritePartitionTable(x,x,x,x,x)+105p
					; IoWritePartitionTableEx(x,x)+61p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		cmp	dword ptr [ebx+0C0h], 2
		jnz	short loc_69B6E3
		mov	eax, [esi]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	?CreatePartitionTable@SC_DISK@@QAEJPAU_CREATE_DISK@@@Z ; SC_DISK::CreatePartitionTable(_CREATE_DISK *)
		test	eax, eax
		js	short loc_69B754
		mov	ecx, ebx
		call	?ResetPartitionCache@SC_DISK@@QAEJXZ ; SC_DISK::ResetPartitionCache(void)
		test	eax, eax
		js	short loc_69B754

loc_69B6E3:				; CODE XREF: SC_DISK::WritePartitionTable(SC_DISK_LAYOUT *)+23j
		mov	ecx, [esi]
		sub	ecx, 0
		jz	short loc_69B70B
		sub	ecx, 1
		jnz	short loc_69B754
		cmp	dword ptr [ebx+0C0h], 1
		lea	ecx, [ebp+arg_0]
		mov	[ebp+arg_0], ebx
		setnz	al
		movzx	eax, al
		push	eax
		push	esi
		call	?WritePartitionTable@SC_GPT@@QAEJPAVSC_DISK_LAYOUT@@E@Z	; SC_GPT::WritePartitionTable(SC_DISK_LAYOUT *,uchar)
		jmp	short loc_69B754
; 

loc_69B70B:				; CODE XREF: SC_DISK::WritePartitionTable(SC_DISK_LAYOUT *)+47j
		cmp	dword ptr [ebx+0C0h], 0
		jz	short loc_69B742
		cmp	dword ptr [esi+4], 4
		jnz	short loc_69B73B
		cmp	byte ptr [esi+50h], 0EEh
		jnz	short loc_69B73B
		cmp	byte ptr [esi+0E0h], 0
		jnz	short loc_69B73B
		cmp	byte ptr [esi+170h], 0
		jnz	short loc_69B73B
		cmp	byte ptr [esi+200h], 0
		jz	short loc_69B742

loc_69B73B:				; CODE XREF: SC_DISK::WritePartitionTable(SC_DISK_LAYOUT *)+77j
					; SC_DISK::WritePartitionTable(SC_DISK_LAYOUT *)+7Dj ...
		mov	eax, 0C00000BBh
		jmp	short loc_69B754
; 

loc_69B742:				; CODE XREF: SC_DISK::WritePartitionTable(SC_DISK_LAYOUT *)+71j
					; SC_DISK::WritePartitionTable(SC_DISK_LAYOUT *)+98j
		push	ebx
		lea	ecx, [ebp+arg_0]
		call	?Initialize@SC_MBR@@QAEXPAVSC_DISK@@@Z ; SC_MBR::Initialize(SC_DISK *)
		push	esi
		lea	ecx, [ebp+arg_0]
		call	?WritePartitionTable@SC_MBR@@QAEJPAVSC_DISK_LAYOUT@@@Z ; SC_MBR::WritePartitionTable(SC_DISK_LAYOUT *)

loc_69B754:				; CODE XREF: SC_DISK::WritePartitionTable(SC_DISK_LAYOUT *)+35j
					; SC_DISK::WritePartitionTable(SC_DISK_LAYOUT *)+40j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
?WritePartitionTable@SC_DISK@@QAEJPAVSC_DISK_LAYOUT@@@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_DISK::WriteSectors(unsigned long, unsigned	__int64, void *)
?WriteSectors@SC_DISK@@QAEJK_KPAX@Z proc near
					; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+191p
					; SC_GPT::VerifyPartitionTable(uchar)+27Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	esi
		push	edi
		mov	edi, ecx
		test	eax, eax
		jnz	short loc_69B771
		mov	eax, [edi+0C4h]

loc_69B771:				; CODE XREF: SC_DISK::WriteSectors(ulong,unsigned __int64,void *)+Ej
		mov	ecx, [edi+0B0h]
		mov	edx, [ebp+arg_8]
		mov	esi, [edi]
		push	eax
		mov	eax, [ebp+arg_0]
		shl	eax, cl
		push	eax
		mov	eax, [ebp+arg_4]
		call	__allshl
		push	edx
		push	eax
		mov	ecx, edi
		call	dword ptr [esi+20h]
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
?WriteSectors@SC_DISK@@QAEJK_KPAX@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: __int64 __thiscall SC_DISK::ToSectors<__int64>(__int64)
??$ToSectors@_J@SC_DISK@@QAE_J_J@Z proc	near
					; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+11Cp
					; SC_MBR::WritePartitionTable(SC_DISK_LAYOUT *)+132p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ecx+0ACh]
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_69B7B7
		push	0
		push	ecx
		push	edx
		push	eax
		call	__alldiv

loc_69B7B7:				; CODE XREF: SC_DISK::ToSectors<__int64>(__int64)+13j
		pop	ebp
		retn	8
??$ToSectors@_J@SC_DISK@@QAE_J_J@Z endp


;  S U B	R O U T	I N E 


; public: unsigned long	__thiscall MBR_HEADER::CheckSum(void)
?CheckSum@MBR_HEADER@@QAEKXZ proc near	; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+6Dp
					; SC_MBR::WritePartitionTable(SC_DISK_LAYOUT *)+79p ...
		xor	eax, eax
		mov	edx, eax

loc_69B7BF:				; CODE XREF: MBR_HEADER::CheckSum(void)+Ej
		add	eax, [ecx+edx*4]
		inc	edx
		cmp	edx, 80h
		jb	short loc_69B7BF
		not	eax
		inc	eax
		retn
?CheckSum@MBR_HEADER@@QAEKXZ endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: void __thiscall MBR_ENTRY::ComputeChs(struct _DISK_GEOMETRY *)
?ComputeChs@MBR_ENTRY@@QAEXPAU_DISK_GEOMETRY@@@Z proc near
					; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+147p
					; SC_GPT::WritePartitionTable(SC_DISK_LAYOUT *,uchar)+566p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	edx, ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [edx+8]
		lea	eax, [edx+1]
		mov	[ebp+var_18], eax
		lea	eax, [edx+5]
		mov	[ebp+var_14], eax
		mov	eax, [esi+0Ch]
		imul	eax, [esi+10h]
		mov	ebx, [esi]
		push	edi
		mov	[ebp+var_10], ecx
		imul	ebx, eax
		mov	[ebp+var_4], eax
		mov	eax, [edx+0Ch]
		dec	eax
		add	eax, ecx
		xor	edi, edi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], eax

loc_69B80E:				; CODE XREF: MBR_ENTRY::ComputeChs(_DISK_GEOMETRY *)+8Ej
		mov	eax, [ebp+edi+var_10]
		cmp	eax, ebx
		jnb	short loc_69B829
		xor	edx, edx
		div	[ebp+var_4]
		mov	ebx, eax
		mov	eax, edx
		xor	edx, edx
		div	dword ptr [esi+10h]
		lea	ecx, [edx+1]
		jmp	short loc_69B833
; 

loc_69B829:				; CODE XREF: MBR_ENTRY::ComputeChs(_DISK_GEOMETRY *)+45j
		mov	ebx, [esi]
		mov	eax, [esi+0Ch]
		dec	ebx
		mov	ecx, [esi+10h]
		dec	eax

loc_69B833:				; CODE XREF: MBR_ENTRY::ComputeChs(_DISK_GEOMETRY *)+58j
		mov	edx, [ebp+edi+var_18]
		add	edi, 4
		mov	[ebp+arg_0], ecx
		mov	ecx, ebx
		shr	ecx, 2
		xor	cl, byte ptr [ebp+arg_0]
		mov	[edx], al
		and	cl, 3Fh
		mov	eax, ebx
		shr	eax, 2
		xor	cl, al
		mov	[edx+1], cl
		mov	[edx+2], bl
		mov	ebx, [ebp+var_8]
		cmp	edi, 8
		jb	short loc_69B80E
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
?ComputeChs@MBR_ENTRY@@QAEXPAU_DISK_GEOMETRY@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_MBR::CreatePartitionTable(struct _CREATE_DISK *)
?CreatePartitionTable@SC_MBR@@QAEJPAU_CREATE_DISK@@@Z proc near
					; CODE XREF: SC_DISK::CreatePartitionTable(_CREATE_DISK	*)+50p

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D0h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	0B4h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_C0]
		push	ebx		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		mov	eax, [edi]
		add	esp, 0Ch
		mov	esi, [eax+0C4h]
		push	40h		; size_t
		push	ebx		; int
		lea	eax, [esi+1BEh]
		push	eax		; void *
		call	_memset
		mov	eax, 0AA55h
		mov	[esi+1B8h], ebx
		mov	[esi+1FEh], ax
		add	esp, 0Ch
		mov	eax, [ebp+arg_0]
		mov	ecx, edi
		mov	[ebp+var_CC], ebx
		mov	[ebp+var_C8], ebx
		mov	eax, [eax+4]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_CC]
		push	eax
		call	?WritePartitionTable@SC_MBR@@QAEJPAVSC_DISK_LAYOUT@@@Z ; SC_MBR::WritePartitionTable(SC_DISK_LAYOUT *)
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
?CreatePartitionTable@SC_MBR@@QAEJPAU_CREATE_DISK@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: void __thiscall SC_MBR::Initialize(class SC_DISK *)
?Initialize@SC_MBR@@QAEXPAVSC_DISK@@@Z proc near
					; CODE XREF: SC_DISK::CreatePartitionTable(_CREATE_DISK	*)+47p
					; SC_DISK::ReadPartitionTable(SC_DISK_LAYOUT * *)+59p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	esi
		mov	[ecx], edx
		push	edi
		mov	esi, [edx+98h]
		mov	eax, esi
		mov	edi, [edx+9Ch]
		or	eax, edi
		mov	eax, 400h
		jz	short loc_69B927
		test	edi, edi
		jl	short loc_69B936
		jg	short loc_69B927
		cmp	esi, eax
		jbe	short loc_69B936

loc_69B927:				; CODE XREF: SC_MBR::Initialize(SC_DISK	*)+21j
					; SC_MBR::Initialize(SC_DISK *)+27j
		mov	[edx+98h], eax
		and	dword ptr [edx+9Ch], 0
		mov	edx, [ecx]

loc_69B936:				; CODE XREF: SC_MBR::Initialize(SC_DISK	*)+25j
					; SC_MBR::Initialize(SC_DISK *)+2Bj
		mov	eax, [edx+0A4h]
		mov	esi, 0FFh
		test	eax, eax
		jz	short loc_69B949
		cmp	eax, esi
		jbe	short loc_69B951

loc_69B949:				; CODE XREF: SC_MBR::Initialize(SC_DISK	*)+49j
		mov	[edx+0A4h], esi
		mov	edx, [ecx]

loc_69B951:				; CODE XREF: SC_MBR::Initialize(SC_DISK	*)+4Dj
		mov	eax, [edx+0A8h]
		push	3Fh
		pop	ecx
		pop	edi
		pop	esi
		test	eax, eax
		jz	short loc_69B964
		cmp	eax, ecx
		jbe	short loc_69B96A

loc_69B964:				; CODE XREF: SC_MBR::Initialize(SC_DISK	*)+64j
		mov	[edx+0A8h], ecx

loc_69B96A:				; CODE XREF: SC_MBR::Initialize(SC_DISK	*)+68j
		pop	ebp
		retn	4
?Initialize@SC_MBR@@QAEXPAVSC_DISK@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_MBR::ReadPartitionTable(class SC_DISK_LAYOUT * *)
?ReadPartitionTable@SC_MBR@@QAEJPAPAVSC_DISK_LAYOUT@@@Z	proc near
					; CODE XREF: SC_DISK::ReadPartitionTable(SC_DISK_LAYOUT	* *)+62p
					; SC_MBR::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+2Ap

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ecx
		xor	ecx, ecx
		push	ebx
		mov	[ebp+var_C], eax
		mov	ebx, ecx
		push	esi
		mov	eax, [eax]
		push	edi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_8], ecx
		mov	edi, [eax+0C4h]
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_1], cl
		mov	[ebp+var_18], ecx
		mov	[ebp+var_2C], edi
		mov	[eax], ecx
		mov	ecx, 270h
		mov	[ebp+var_1C], ebx
		call	?Allocate@SC_ENV@@SGPAXI@Z ; SC_ENV::Allocate(uint)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_69B9BB
		mov	ebx, 0C000009Ah
		jmp	loc_69BBDE
; 

loc_69B9BB:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+41j
		push	26Ch		; size_t
		lea	eax, [esi+4]
		push	0		; int
		push	eax		; void *
		call	_memset
		and	[esi], ebx
		add	esp, 0Ch
		mov	eax, [edi+1B8h]
		mov	ecx, edi
		mov	[esi+8], eax
		call	?CheckSum@MBR_HEADER@@QAEKXZ ; MBR_HEADER::CheckSum(void)
		mov	[esi+0Ch], eax
		mov	eax, 0AA55h
		cmp	[edi+1FEh], ax
		jnz	loc_69BBCD
		lea	eax, [edi+1C2h]
		mov	[ebp+var_30], eax

loc_69B9FE:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+242j
		imul	edi, [ebp+var_8], 90h
		xor	ecx, ecx
		mov	[ebp+var_10], ecx
		mov	ebx, eax
		mov	[ebp+var_24], 4
		add	edi, 40h
		add	edi, esi

loc_69BA18:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+1A8j
		mov	al, [ebx]
		cmp	al, 5
		jz	short loc_69BA27
		cmp	al, 0Fh
		jz	short loc_69BA27
		mov	ecx, [ebp+var_18]
		jmp	short loc_69BA41
; 

loc_69BA27:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+AEj
					; SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+B2j
		test	ecx, ecx
		jz	short loc_69BA38
		mov	eax, [ebp+var_8]
		mov	dl, 1
		mov	[ebp+var_1], dl
		jmp	loc_69BB0F
; 

loc_69BA38:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+BBj
		mov	ecx, [ebp+var_14]
		lea	eax, [ebx-4]
		mov	[ebp+var_10], eax

loc_69BA41:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+B7j
		mov	eax, [ebp+var_C]
		mov	[ebp+var_20], ecx
		mov	eax, [eax]
		push	dword ptr [eax+0BCh]
		push	dword ptr [eax+0B8h]
		push	ecx
		lea	ecx, [ebx-4]
		call	?Validate@MBR_ENTRY@@QAEEK_K@Z ; MBR_ENTRY::Validate(ulong,unsigned __int64)
		test	al, al
		jnz	short loc_69BA6F
		mov	eax, [ebp+var_8]
		mov	dl, 1
		mov	[ebp+var_1], dl
		jmp	loc_69BB0C
; 

loc_69BA6F:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+F2j
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		and	dword ptr [edi-10h], 0
		mov	eax, [ebx+4]
		add	eax, [ebp+var_20]
		mov	ecx, [ecx]
		adc	edx, edx
		mov	ecx, [ecx+0B0h]
		call	__allshl
		mov	[edi-8], eax
		mov	ecx, edx
		mov	[ebp+var_20], eax
		xor	edx, edx
		mov	eax, [ebp+var_C]
		mov	[edi-4], ecx
		mov	[ebp+var_28], ecx
		mov	ecx, [eax]
		mov	eax, [ebx+8]
		mov	ecx, [ecx+0B0h]
		call	__allshl
		or	dword ptr [edi+8], 0FFFFFFFFh
		mov	[edi], eax
		mov	[edi+4], edx
		mov	al, [ebx]
		mov	[edi+10h], al
		cmp	byte ptr [ebx-4], 80h
		setz	al
		mov	[edi+11h], al
		mov	al, [ebx]
		test	al, al
		jz	short loc_69BADA
		cmp	al, 5
		jz	short loc_69BADA
		cmp	al, 0Fh
		jz	short loc_69BADA
		mov	al, 1
		jmp	short loc_69BADC
; 

loc_69BADA:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+15Ej
					; SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+162j ...
		xor	al, al

loc_69BADC:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+16Aj
		mov	dl, [ebp+var_1]
		mov	[edi+12h], al
		mov	eax, [ebx+4]
		mov	[edi+14h], eax
		mov	eax, [esi+8]
		mov	[edi+18h], eax
		xor	eax, eax
		mov	[edi+1Ch], eax
		mov	eax, [ebp+var_20]
		mov	[edi+20h], eax
		mov	eax, [ebp+var_28]
		mov	[edi+24h], eax
		mov	eax, [ebp+var_8]
		inc	eax
		add	edi, 90h
		mov	[ebp+var_8], eax

loc_69BB0C:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+FCj
		mov	ecx, [ebp+var_10]

loc_69BB0F:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+C5j
		add	ebx, 10h
		sub	[ebp+var_24], 1
		jnz	loc_69BA18
		test	dl, dl
		jnz	loc_69BBCA
		test	ecx, ecx
		jz	loc_69BBCA
		mov	edx, [ecx+8]
		mov	ecx, [ebp+var_14]
		lea	ebx, [edx+ecx]
		mov	[ebp+var_18], ebx
		test	ecx, ecx
		jnz	short loc_69BB3F
		mov	[ebp+var_14], edx

loc_69BB3F:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+1CCj
		imul	ebx, eax, 90h
		lea	ecx, [ebx+270h]
		call	?Allocate@SC_ENV@@SGPAXI@Z ; SC_ENV::Allocate(uint)
		mov	edi, eax
		test	edi, edi
		jz	short loc_69BBB8
		lea	eax, [ebx+30h]
		push	eax		; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebx+30h]
		add	eax, edi
		push	240h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)
		mov	eax, [ebp+var_C]
		mov	esi, edi
		push	0
		push	0
		push	[ebp+var_18]
		mov	ecx, [eax]
		push	1
		call	?ReadSectors@SC_DISK@@QAEJK_KPAX@Z ; SC_DISK::ReadSectors(ulong,unsigned __int64,void *)
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		js	short loc_69BBBD
		mov	eax, [ebp+var_2C]
		mov	ecx, 0AA55h
		cmp	[eax+1FEh], cx
		mov	eax, [ebp+var_30]
		jz	loc_69B9FE
		jmp	short loc_69BBCD
; 

loc_69BBB8:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+1E6j
		mov	ebx, 0C000009Ah

loc_69BBBD:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+22Ej
		test	esi, esi
		jz	short loc_69BBDE
		mov	ecx, esi
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)
		jmp	short loc_69BBDE
; 

loc_69BBCA:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+1B0j
					; SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+1B8j
		mov	ebx, [ebp+var_1C]

loc_69BBCD:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+81j
					; SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+248j
		mov	eax, [ebp+var_8]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		mov	[esi+4], eax
		mov	eax, [ebp+arg_0]
		mov	[eax], esi

loc_69BBDE:				; CODE XREF: SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+48j
					; SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+251j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
?ReadPartitionTable@SC_MBR@@QAEJPAPAVSC_DISK_LAYOUT@@@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_MBR::SetPartition(unsigned	long, struct _SET_PARTITION_INFORMATION_EX *)
?SetPartition@SC_MBR@@QAEJKPAU_SET_PARTITION_INFORMATION_EX@@@Z	proc near
					; CODE XREF: SC_DISK::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+4Dp

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	ebx, ebx
		mov	eax, ecx
		push	esi
		push	edi
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], ebx
		cmp	[ebp+arg_0], ebx
		jnz	short loc_69BC0B
		mov	esi, 0C000000Dh
		jmp	loc_69BC9B
; 

loc_69BC0B:				; CODE XREF: SC_MBR::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+18j
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, eax
		call	?ReadPartitionTable@SC_MBR@@QAEJPAPAVSC_DISK_LAYOUT@@@Z	; SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)
		mov	edi, [ebp+var_8]
		mov	esi, eax
		test	esi, esi
		js	short loc_69BC90
		mov	edx, [edi+4]
		mov	eax, ebx
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	short loc_69BC5C
		lea	ecx, [edi+30h]

loc_69BC2E:				; CODE XREF: SC_MBR::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+71j
		mov	dl, [ecx+20h]
		mov	esi, ecx
		mov	[ebp+var_1], dl
		test	dl, dl
		mov	edx, [ebp+var_8]
		jz	short loc_69BC4F
		cmp	[ebp+var_1], 5
		jz	short loc_69BC4F
		cmp	[ebp+var_1], 0Fh
		jz	short loc_69BC4F
		inc	ebx
		cmp	ebx, [ebp+arg_0]
		jz	short loc_69BC5E

loc_69BC4F:				; CODE XREF: SC_MBR::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+54j
					; SC_MBR::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+5Aj ...
		inc	eax
		add	ecx, 90h
		cmp	eax, edx
		jb	short loc_69BC2E
		jmp	short loc_69BC5E
; 

loc_69BC5C:				; CODE XREF: SC_MBR::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+42j
		mov	esi, eax

loc_69BC5E:				; CODE XREF: SC_MBR::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+66j
					; SC_MBR::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+73j
		cmp	eax, edx
		jb	short loc_69BC69
		mov	esi, 0C000000Dh
		jmp	short loc_69BC90
; 

loc_69BC69:				; CODE XREF: SC_MBR::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+79j
		mov	eax, [ebp+arg_4]
		mov	ebx, [ebp+var_10]
		mov	al, [eax+8]
		mov	[esi+20h], al
		mov	byte ptr [esi+1Ch], 1
		mov	ecx, [ebx]
		call	?ResetPartitionCache@SC_DISK@@QAEJXZ ; SC_DISK::ResetPartitionCache(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_69BC90
		push	edi
		mov	ecx, ebx
		call	?WritePartitionTable@SC_MBR@@QAEJPAVSC_DISK_LAYOUT@@@Z ; SC_MBR::WritePartitionTable(SC_DISK_LAYOUT *)
		mov	esi, eax

loc_69BC90:				; CODE XREF: SC_MBR::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+36j
					; SC_MBR::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+80j ...
		test	edi, edi
		jz	short loc_69BC9B
		mov	ecx, edi
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69BC9B:				; CODE XREF: SC_MBR::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+1Fj
					; SC_MBR::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+ABj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
?SetPartition@SC_MBR@@QAEJKPAU_SET_PARTITION_INFORMATION_EX@@@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: unsigned char	__thiscall MBR_ENTRY::Validate(unsigned	long, unsigned __int64)
?Validate@MBR_ENTRY@@QAEEK_K@Z proc near ; CODE	XREF: SC_DISK::IsVbr(void)+8Ap
					; SC_MBR::ReadPartitionTable(SC_DISK_LAYOUT * *)+EBp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, 1
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ecx, ecx
		mov	edx, [esi+8]
		add	edi, edx
		mov	al, [esi+4]
		test	al, al
		jz	short loc_69BD0E
		cmp	al, 0EEh
		jz	short loc_69BD0E
		mov	bl, cl
		cmp	al, 5
		jz	short loc_69BCCF
		cmp	al, 0Fh
		jnz	short loc_69BCD3

loc_69BCCF:				; CODE XREF: MBR_ENTRY::Validate(ulong,unsigned	__int64)+25j
		test	edx, edx
		jz	short loc_69BD0E

loc_69BCD3:				; CODE XREF: MBR_ENTRY::Validate(ulong,unsigned	__int64)+29j
		mov	eax, [ebp+arg_8]
		cmp	ecx, eax
		ja	short loc_69BD0E
		jb	short loc_69BCE1
		cmp	edi, [ebp+arg_4]
		jnb	short loc_69BD0E

loc_69BCE1:				; CODE XREF: MBR_ENTRY::Validate(ulong,unsigned	__int64)+36j
		push	3
		pop	ecx
		mul	ecx
		push	3
		mov	ecx, eax
		mov	eax, [ebp+arg_4]
		pop	edx
		mul	edx
		push	0
		add	ecx, edx
		mov	edx, [esi+0Ch]
		shrd	eax, ecx, 1
		shr	ecx, 1
		sub	eax, edi
		pop	edi
		sbb	ecx, edi
		cmp	edi, ecx
		ja	short loc_69BD0E
		jb	short loc_69BD0C
		cmp	edx, eax
		ja	short loc_69BD0E

loc_69BD0C:				; CODE XREF: MBR_ENTRY::Validate(ulong,unsigned	__int64)+62j
		mov	bl, 1

loc_69BD0E:				; CODE XREF: MBR_ENTRY::Validate(ulong,unsigned	__int64)+1Bj
					; MBR_ENTRY::Validate(ulong,unsigned __int64)+1Fj ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	0Ch
?Validate@MBR_ENTRY@@QAEEK_K@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_MBR::WritePartitionTable(class SC_DISK_LAYOUT *)
?WritePartitionTable@SC_MBR@@QAEJPAVSC_DISK_LAYOUT@@@Z proc near
					; CODE XREF: SC_DISK::WritePartitionTable(SC_DISK_LAYOUT *)+AEp
					; SC_MBR::CreatePartitionTable(_CREATE_DISK *)+7Ep ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, ecx
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_20], eax
		push	ebx
		mov	eax, [eax]
		mov	ebx, edx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_28], ecx
		mov	esi, [eax+0C4h]
		xor	eax, eax
		stosd
		mov	[ebp+var_34], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_44], esi
		stosd
		mov	[ebp+var_30], edx
		mov	[ebp+var_19], dl
		stosd
		stosd
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	short loc_69BD7C
		lea	ecx, [ebp+var_18]
		call	?CreateGuid@SC_ENV@@SGJPAU_GUID@@@Z ; SC_ENV::CreateGuid(_GUID *)
		mov	eax, [ebp+var_18]
		xor	eax, [ebp+var_14]
		mov	ecx, [ebp+var_28]
		xor	eax, [ebp+var_10]
		xor	eax, [ebp+var_C]
		mov	[ecx+8], eax

loc_69BD7C:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+49j
		cmp	[esi+1B8h], eax
		jz	short loc_69BD9B
		mov	ecx, esi
		mov	[esi+1B8h], eax
		mov	[ebp+var_19], 1
		call	?CheckSum@MBR_HEADER@@QAEKXZ ; MBR_HEADER::CheckSum(void)
		mov	ecx, [ebp+var_28]
		mov	[ecx+0Ch], eax

loc_69BD9B:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+6Bj
		lea	edi, [esi+1BEh]
		mov	[ebp+var_48], edi

loc_69BDA4:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+1E3j
		imul	esi, [ebp+var_24], 90h
		xor	edx, edx
		and	[ebp+var_3C], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_40], edi
		add	esi, 5Ch
		add	esi, ecx
		jmp	short loc_69BDC0
; 

loc_69BDBD:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+177j
		mov	edx, [ebp+var_2C]

loc_69BDC0:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+A4j
		mov	eax, [ebp+var_24]
		cmp	eax, [ecx+4]
		jnb	loc_69BE94
		mov	al, [esi-0Ch]
		mov	[ebp+var_1A], al
		cmp	al, 5
		jz	short loc_69BDE2
		cmp	al, 0Fh
		jz	short loc_69BDE2
		mov	edx, [ebp+var_30]
		mov	[ebp+var_38], edx
		jmp	short loc_69BDF3
; 

loc_69BDE2:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+BDj
					; SC_MBR::WritePartitionTable(SC_DISK_LAYOUT *)+C1j
		test	edx, edx
		jnz	loc_69BEFF
		mov	eax, [ebp+var_34]
		mov	[ebp+var_2C], edi
		mov	[ebp+var_38], eax

loc_69BDF3:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+C9j
		mov	eax, [ecx+8]
		mov	[esi-4], eax
		xor	eax, eax
		cmp	byte ptr [esi-10h], 0
		mov	[esi], eax
		mov	eax, [esi-24h]
		mov	[esi+4], eax
		mov	eax, [esi-20h]
		mov	[esi+8], eax
		jz	short loc_69BE75
		cmp	[ebp+var_1A], 0
		jz	short loc_69BE68
		cmp	byte ptr [esi-0Bh], 0
		mov	ecx, [ebp+var_20]
		setz	al
		dec	al
		and	al, 80h
		mov	[edi], al
		mov	al, [esi-0Ch]
		mov	[edi+4], al
		push	dword ptr [esi-20h]
		mov	ecx, [ecx]
		push	dword ptr [esi-24h]
		call	??$ToSectors@_J@SC_DISK@@QAE_J_J@Z ; SC_DISK::ToSectors<__int64>(__int64)
		sub	eax, [ebp+var_38]
		mov	[edi+8], eax
		mov	eax, [ebp+var_20]
		push	dword ptr [esi-18h]
		push	dword ptr [esi-1Ch]
		mov	ecx, [eax]
		call	??$ToSectors@_J@SC_DISK@@QAE_J_J@Z ; SC_DISK::ToSectors<__int64>(__int64)
		mov	[edi+0Ch], eax
		mov	ecx, edi
		mov	eax, [ebp+var_20]
		mov	eax, [eax]
		add	eax, 98h
		push	eax
		call	?ComputeChs@MBR_ENTRY@@QAEXPAU_DISK_GEOMETRY@@@Z ; MBR_ENTRY::ComputeChs(_DISK_GEOMETRY	*)
		mov	ecx, [ebp+var_28]
		jmp	short loc_69BE71
; 

loc_69BE68:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+FCj
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_40]

loc_69BE71:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+14Fj
		mov	[ebp+var_19], 1

loc_69BE75:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+F6j
		mov	eax, [ebp+var_3C]
		add	edi, 10h
		inc	eax
		mov	[ebp+var_40], edi
		inc	[ebp+var_24]
		add	esi, 90h
		mov	[ebp+var_3C], eax
		cmp	eax, 4
		jb	loc_69BDBD

loc_69BE94:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+AFj
		cmp	[ebp+var_19], 0
		mov	edi, [ebp+var_20]
		jz	short loc_69BEB7
		mov	ecx, [edi]
		push	0
		push	0
		push	[ebp+var_30]
		push	1
		call	?WriteSectors@SC_DISK@@QAEJK_KPAX@Z ; SC_DISK::WriteSectors(ulong,unsigned __int64,void	*)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_69BF04
		mov	[ebp+var_19], 0

loc_69BEB7:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+184j
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jz	short loc_69BF04
		mov	esi, [ebp+var_34]
		mov	eax, [eax+8]
		lea	ecx, [eax+esi]
		mov	[ebp+var_30], ecx
		test	esi, esi
		jnz	short loc_69BED1
		mov	[ebp+var_34], eax

loc_69BED1:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+1B5j
		push	0
		push	0
		push	ecx
		mov	ecx, [edi]
		push	1
		call	?ReadSectors@SC_DISK@@QAEJK_KPAX@Z ; SC_DISK::ReadSectors(ulong,unsigned __int64,void *)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_69BF04
		mov	eax, [ebp+var_44]
		mov	ecx, 0AA55h
		mov	edi, [ebp+var_48]
		mov	[eax+1FEh], cx
		mov	ecx, [ebp+var_28]
		jmp	loc_69BDA4
; 

loc_69BEFF:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+CDj
		mov	ebx, 0C0000001h

loc_69BF04:				; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+19Aj
					; SC_MBR::WritePartitionTable(SC_DISK_LAYOUT *)+1A5j ...
		mov	ecx, [ebp+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
?WritePartitionTable@SC_MBR@@QAEJPAVSC_DISK_LAYOUT@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_GPT::CreatePartitionTable(struct _CREATE_DISK *)
?CreatePartitionTable@SC_GPT@@QAEJPAU_CREATE_DISK@@@Z proc near
					; CODE XREF: SC_DISK::CreatePartitionTable(_CREATE_DISK	*)+3Cp

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_A4		= dword	ptr -0A4h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D0h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	0C0h		; size_t
		lea	eax, [ebp+var_CC]
		mov	ebx, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		lea	edi, [ebp+var_C4]
		and	[ebp+var_C8], 0
		xor	ecx, ecx
		inc	ecx
		add	esp, 0Ch
		mov	[ebp+var_CC], ecx
		lea	esi, [eax+4]
		mov	eax, [eax+14h]
		movsd
		push	ecx
		mov	ecx, ebx
		movsd
		movsd
		movsd
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_CC]
		push	eax
		call	?WritePartitionTable@SC_GPT@@QAEJPAVSC_DISK_LAYOUT@@E@Z	; SC_GPT::WritePartitionTable(SC_DISK_LAYOUT *,uchar)
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
?CreatePartitionTable@SC_GPT@@QAEJPAU_CREATE_DISK@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; private: long	__thiscall SC_GPT::ReadEntries(class GPT_HEADER	*, struct _GPT_ENTRY * *)
?ReadEntries@SC_GPT@@AAEJPAVGPT_HEADER@@PAPAU_GPT_ENTRY@@@Z proc near
					; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+53p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	eax, ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		and	dword ptr [ebx], 0
		mov	[ebp+var_4], eax
		mov	eax, [eax]
		mov	ecx, [edi+54h]
		imul	ecx, [edi+50h]
		mov	edx, [eax+0ACh]
		dec	ecx
		add	ecx, edx
		neg	edx
		and	ecx, edx
		call	?Allocate@SC_ENV@@SGPAXI@Z ; SC_ENV::Allocate(uint)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_69BFCF
		mov	edi, 0C000009Ah
		jmp	short loc_69BFEE
; 

loc_69BFCF:				; CODE XREF: SC_GPT::ReadEntries(GPT_HEADER *,_GPT_ENTRY * *)+36j
		mov	ecx, [ebp+var_4]
		push	esi
		push	edi
		call	?ReadEntries@SC_GPT@@AAEJPAVGPT_HEADER@@PAU_GPT_ENTRY@@@Z ; SC_GPT::ReadEntries(GPT_HEADER *,_GPT_ENTRY	*)
		mov	edi, eax
		test	edi, edi
		js	short loc_69BFE3
		mov	[ebx], esi
		xor	esi, esi

loc_69BFE3:				; CODE XREF: SC_GPT::ReadEntries(GPT_HEADER *,_GPT_ENTRY * *)+4Dj
		test	esi, esi
		jz	short loc_69BFEE
		mov	ecx, esi
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69BFEE:				; CODE XREF: SC_GPT::ReadEntries(GPT_HEADER *,_GPT_ENTRY * *)+3Dj
					; SC_GPT::ReadEntries(GPT_HEADER *,_GPT_ENTRY *	*)+55j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
?ReadEntries@SC_GPT@@AAEJPAVGPT_HEADER@@PAPAU_GPT_ENTRY@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; private: long	__thiscall SC_GPT::ReadEntries(class GPT_HEADER	*, struct _GPT_ENTRY *)
?ReadEntries@SC_GPT@@AAEJPAVGPT_HEADER@@PAU_GPT_ENTRY@@@Z proc near
					; CODE XREF: SC_GPT::ReadEntries(GPT_HEADER *,_GPT_ENTRY * *)+44p
					; SC_GPT::VerifyPartitionTable(uchar)+F8p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ecx]
		push	edi
		mov	edi, [ebp+arg_0]
		push	[ebp+arg_4]
		mov	eax, [esi+0ACh]
		mov	ecx, [esi+0B0h]
		mov	ebx, [edi+54h]
		imul	ebx, [edi+50h]
		push	dword ptr [edi+4Ch]
		push	dword ptr [edi+48h]
		lea	edx, [ebx-1]
		add	edx, eax
		neg	eax
		and	edx, eax
		shr	edx, cl
		mov	ecx, esi
		push	edx
		call	?ReadSectors@SC_DISK@@QAEJK_KPAX@Z ; SC_DISK::ReadSectors(ulong,unsigned __int64,void *)
		mov	esi, eax
		test	esi, esi
		js	short loc_69C04E
		push	ebx
		push	[ebp+arg_4]
		push	0
		call	_RtlComputeCrc32@12 ; RtlComputeCrc32(x,x,x)
		cmp	eax, [edi+58h]
		jz	short loc_69C04E
		mov	esi, 0C0000032h

loc_69C04E:				; CODE XREF: SC_GPT::ReadEntries(GPT_HEADER *,_GPT_ENTRY *)+40j
					; SC_GPT::ReadEntries(GPT_HEADER *,_GPT_ENTRY *)+50j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
?ReadEntries@SC_GPT@@AAEJPAVGPT_HEADER@@PAU_GPT_ENTRY@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; private: long	__thiscall SC_GPT::ReadHeader(unsigned long, class GPT_HEADER *)
?ReadHeader@SC_GPT@@AAEJKPAVGPT_HEADER@@@Z proc	near
					; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+3Ep
					; SC_GPT::VerifyPartitionTable(uchar)+4Ep ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_0], 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax]
		mov	[ebp+var_4], eax
		jnz	short loc_69C074
		xor	esi, esi
		inc	esi
		xor	ebx, ebx
		jmp	short loc_69C086
; 

loc_69C074:				; CODE XREF: SC_GPT::ReadHeader(ulong,GPT_HEADER *)+14j
		mov	esi, [ecx+0B8h]
		mov	ebx, [ecx+0BCh]
		add	esi, 0FFFFFFFFh
		adc	ebx, 0FFFFFFFFh

loc_69C086:				; CODE XREF: SC_GPT::ReadHeader(ulong,GPT_HEADER *)+1Bj
		mov	edi, [ebp+arg_4]
		push	edi
		push	ebx
		push	esi
		push	1
		call	?ReadSectors@SC_DISK@@QAEJK_KPAX@Z ; SC_DISK::ReadSectors(ulong,unsigned __int64,void *)
		test	eax, eax
		js	loc_69C140
		cmp	dword ptr [edi], 20494645h
		mov	eax, 0C0000032h
		mov	[ebp+arg_0], eax
		jnz	loc_69C140
		cmp	dword ptr [edi+4], 54524150h
		jnz	loc_69C140
		cmp	dword ptr [edi+8], 10000h
		jnz	short loc_69C140
		cmp	dword ptr [edi+0Ch], 5Ch
		jnz	short loc_69C140
		cmp	dword ptr [edi+54h], 80h
		jnz	short loc_69C140
		mov	ecx, [edi+50h]
		mov	[ebp+arg_4], ecx
		test	ecx, ecx
		jz	short loc_69C140
		cmp	ecx, 400h
		ja	short loc_69C140
		cmp	[edi+18h], esi
		jnz	short loc_69C140
		cmp	[edi+1Ch], ebx
		jnz	short loc_69C140
		mov	esi, [edi+10h]
		and	dword ptr [edi+10h], 0
		push	5Ch
		push	edi
		push	0
		call	_RtlComputeCrc32@12 ; RtlComputeCrc32(x,x,x)
		mov	[edi+10h], esi
		cmp	eax, esi
		jnz	short loc_69C13D
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+arg_4]
		shl	edx, 7
		dec	edx
		mov	ecx, [ecx]
		mov	eax, [ecx+0ACh]
		add	edx, eax
		mov	ecx, [ecx+0B0h]
		neg	eax
		and	edx, eax
		mov	eax, [edi+2Ch]
		shr	edx, cl
		add	edx, 2
		test	eax, eax
		jb	short loc_69C13D
		ja	short loc_69C139
		cmp	[edi+28h], edx
		jb	short loc_69C13D

loc_69C139:				; CODE XREF: SC_GPT::ReadHeader(ulong,GPT_HEADER *)+DBj
		xor	eax, eax
		jmp	short loc_69C140
; 

loc_69C13D:				; CODE XREF: SC_GPT::ReadHeader(ulong,GPT_HEADER *)+AFj
					; SC_GPT::ReadHeader(ulong,GPT_HEADER *)+D9j ...
		mov	eax, [ebp+arg_0]

loc_69C140:				; CODE XREF: SC_GPT::ReadHeader(ulong,GPT_HEADER *)+3Ej
					; SC_GPT::ReadHeader(ulong,GPT_HEADER *)+52j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
?ReadHeader@SC_GPT@@AAEJKPAVGPT_HEADER@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_GPT::ReadPartitionTable(class SC_DISK_LAYOUT * *)
?ReadPartitionTable@SC_GPT@@QAEJPAPAVSC_DISK_LAYOUT@@@Z	proc near
					; CODE XREF: SC_DISK::ReadPartitionTable(SC_DISK_LAYOUT	* *)+41p
					; SC_GPT::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+28p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		push	0
		mov	[ebp+var_14], edi
		mov	eax, [edi]
		mov	ebx, [eax+0C4h]
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		mov	eax, [edi]
		test	byte ptr [eax+88h], 1
		pop	eax
		setz	al
		inc	eax
		mov	[ebp+var_1C], eax
		xor	eax, eax
		mov	[ebp+var_8], eax

loc_69C181:				; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+6Bj
		push	ebx
		push	eax
		mov	ecx, edi
		call	?ReadHeader@SC_GPT@@AAEJKPAVGPT_HEADER@@@Z ; SC_GPT::ReadHeader(ulong,GPT_HEADER *)
		mov	esi, eax
		mov	[ebp+var_20], eax
		test	esi, esi
		js	short loc_69C1A8
		lea	eax, [ebp+var_10]
		mov	ecx, edi
		push	eax
		push	ebx
		call	?ReadEntries@SC_GPT@@AAEJPAVGPT_HEADER@@PAPAU_GPT_ENTRY@@@Z ; SC_GPT::ReadEntries(GPT_HEADER *,_GPT_ENTRY * *)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jns	short loc_69C1BE

loc_69C1A8:				; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+4Aj
		mov	eax, [ebp+var_8]
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+var_1C]
		jb	short loc_69C181
		test	esi, esi
		js	loc_69C380
		jmp	short loc_69C1C1
; 

loc_69C1BE:				; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+5Fj
		mov	eax, [ebp+var_8]

loc_69C1C1:				; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+75j
		mov	esi, [edi]
		mov	edx, [esi+88h]
		test	dl, 1
		jnz	short loc_69C1F3
		test	eax, eax
		jnz	short loc_69C1F3
		mov	ecx, [esi+0B8h]
		mov	edi, [esi+0BCh]
		add	ecx, 0FFFFFFFFh
		adc	edi, 0FFFFFFFFh
		cmp	[ebx+20h], ecx
		jnz	short loc_69C1EE
		cmp	[ebx+24h], edi
		jz	short loc_69C1F3

loc_69C1EE:				; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+A0j
		or	edx, 2
		jmp	short loc_69C1F6
; 

loc_69C1F3:				; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+85j
					; SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+89j ...
		and	edx, 0FFFFFFFDh

loc_69C1F6:				; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+AAj
		mov	[esi+88h], edx
		imul	esi, [ebx+50h],	90h
		add	esi, 30h
		mov	ecx, esi
		call	?Allocate@SC_ENV@@SGPAXI@Z ; SC_ENV::Allocate(uint)
		mov	edi, eax
		mov	[ebp+var_1C], edi
		test	edi, edi
		jnz	short loc_69C220
		mov	esi, 0C000009Ah
		jmp	loc_69C380
; 

loc_69C220:				; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+CDj
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	dword ptr [edi], 1
		lea	esi, [ebx+38h]
		add	edi, 8
		add	esp, 0Ch
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_14]
		mov	eax, [ebx+28h]
		mov	edx, [ebx+2Ch]
		mov	ecx, [edi]
		mov	ecx, [ecx+0B0h]
		call	__allshl
		mov	esi, [ebp+var_1C]
		mov	[esi+18h], eax
		mov	[esi+1Ch], edx
		mov	eax, [ebx+30h]
		sub	eax, [ebx+28h]
		mov	edx, [ebx+34h]
		sbb	edx, [ebx+2Ch]
		add	eax, 1
		mov	ecx, [edi]
		adc	edx, 0
		mov	ecx, [ecx+0B0h]
		call	__allshl
		xor	ecx, ecx
		mov	[esi+20h], eax
		and	[ebp+var_18], ecx
		mov	[esi+24h], edx
		mov	eax, [ebx+50h]
		mov	[esi+28h], eax
		mov	[ebp+var_C], ecx
		cmp	[ebx+50h], ecx
		jbe	loc_69C375
		mov	ecx, [ebp+var_10]
		lea	eax, [esi+40h]
		add	ecx, 20h
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		mov	esi, ecx

loc_69C2A8:				; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+225j
		lea	eax, [esi-20h]
		mov	edx, offset _GUID_NULL ; void *
		mov	ecx, eax	; void *
		mov	[ebp+var_24], eax
		call	?IsEqualGUID@@YGHABU_GUID@@0@Z ; IsEqualGUID(_GUID const &,_GUID const &)
		test	eax, eax
		jnz	loc_69C359
		mov	eax, [ebp+var_4]
		mov	dword ptr [eax-10h], 1
		mov	ecx, [edi]
		mov	eax, [esi]
		mov	edx, [esi+4]
		mov	ecx, [ecx+0B0h]
		call	__allshl
		mov	ecx, [ebp+var_4]
		mov	[ecx-8], eax
		mov	[ecx-4], edx
		mov	eax, [esi+8]
		sub	eax, [esi]
		mov	edx, [esi+0Ch]
		sbb	edx, [esi+4]
		add	eax, 1
		mov	ecx, [edi]
		adc	edx, 0
		mov	ecx, [ecx+0B0h]
		call	__allshl
		mov	ecx, [ebp+var_4]
		mov	esi, [ebp+var_24]
		push	12h
		mov	[ecx+4], edx
		mov	edx, ecx
		mov	[ecx], eax
		mov	ecx, [ebp+var_8]
		or	dword ptr [edx+8], 0FFFFFFFFh
		lea	edi, [edx+10h]
		movsd
		movsd
		movsd
		movsd
		lea	esi, [ecx-10h]
		lea	edi, [edx+20h]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ecx+10h]
		lea	esi, [ecx+18h]
		mov	[edx+30h], eax
		lea	edi, [edx+38h]
		mov	eax, [ecx+14h]
		mov	[edx+34h], eax
		pop	ecx
		rep movsd
		mov	ecx, [ebp+var_C]
		mov	edi, [ebp+var_14]
		inc	ecx
		mov	esi, [ebp+var_8]
		add	edx, 90h
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], edx
		jmp	short loc_69C35C
; 

loc_69C359:				; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+175j
		mov	ecx, [ebp+var_C]

loc_69C35C:				; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+210j
		mov	eax, [ebp+var_18]
		sub	esi, 0FFFFFF80h
		inc	eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_18], eax
		cmp	eax, [ebx+50h]
		jb	loc_69C2A8
		mov	esi, [ebp+var_1C]

loc_69C375:				; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+14Aj
		mov	eax, [ebp+arg_0]
		mov	[esi+4], ecx
		mov	[eax], esi
		mov	esi, [ebp+var_20]

loc_69C380:				; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+6Fj
					; SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+D4j
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_69C38E
		mov	ecx, eax
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69C38E:				; CODE XREF: SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)+23Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
?ReadPartitionTable@SC_GPT@@QAEJPAPAVSC_DISK_LAYOUT@@@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_GPT::SetPartition(unsigned	long, struct _SET_PARTITION_INFORMATION_EX *)
?SetPartition@SC_GPT@@QAEJKPAU_SET_PARTITION_INFORMATION_EX@@@Z	proc near
					; CODE XREF: SC_DISK::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+36p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_8], eax
		test	edi, edi
		jnz	short loc_69C3B9
		mov	esi, 0C000000Dh
		jmp	short loc_69C42E
; 

loc_69C3B9:				; CODE XREF: SC_GPT::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+19j
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, eax
		call	?ReadPartitionTable@SC_GPT@@QAEJPAPAVSC_DISK_LAYOUT@@@Z	; SC_GPT::ReadPartitionTable(SC_DISK_LAYOUT * *)
		mov	ebx, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_69C423
		dec	edi
		cmp	edi, [ebx+4]
		jb	short loc_69C3DA
		mov	esi, 0C000000Dh
		jmp	short loc_69C423
; 

loc_69C3DA:				; CODE XREF: SC_GPT::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+3Aj
		mov	ecx, [ebp+arg_4]
		imul	edx, edi, 90h
		lea	edi, [ebx+50h]
		push	12h
		lea	esi, [ecx+8]
		add	edi, edx
		movsd
		movsd
		movsd
		movsd
		lea	edi, [ebx+60h]
		add	edi, edx
		lea	esi, [ecx+18h]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ecx+28h]
		lea	esi, [ecx+30h]
		mov	[edx+ebx+70h], eax
		lea	edi, [ebx+78h]
		mov	eax, [ecx+2Ch]
		add	edi, edx
		pop	ecx
		mov	[edx+ebx+74h], eax
		rep movsd
		mov	ecx, [ebp+var_8]
		push	0
		push	ebx
		call	?WritePartitionTable@SC_GPT@@QAEJPAVSC_DISK_LAYOUT@@E@Z	; SC_GPT::WritePartitionTable(SC_DISK_LAYOUT *,uchar)
		mov	esi, eax

loc_69C423:				; CODE XREF: SC_GPT::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+34j
					; SC_GPT::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+41j
		test	ebx, ebx
		jz	short loc_69C42E
		mov	ecx, ebx
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69C42E:				; CODE XREF: SC_GPT::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+20j
					; SC_GPT::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)+8Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
?SetPartition@SC_GPT@@QAEJKPAU_SET_PARTITION_INFORMATION_EX@@@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_GPT::VerifyPartitionTable(unsigned	char)
?VerifyPartitionTable@SC_GPT@@QAEJE@Z proc near
					; CODE XREF: SC_DISK::VerifyPartitionTable(uchar)+27p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		mov	word ptr [ebp+var_4], ax
		push	esi
		xor	esi, esi
		mov	eax, [ebx]
		push	edi
		push	esi
		mov	[ebp+var_28], esi
		mov	edi, esi
		test	byte ptr [eax+88h], 1
		pop	eax
		setz	al
		mov	[ebp+var_24], esi
		inc	eax
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], eax

loc_69C472:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+10Aj
		mov	eax, [ebx]
		mov	ecx, ebx
		mov	eax, [eax+0C4h]
		push	eax
		push	edi
		mov	[ebp+var_8], eax
		mov	[ebp+edi*4+var_18], eax
		call	?ReadHeader@SC_GPT@@AAEJKPAVGPT_HEADER@@@Z ; SC_GPT::ReadHeader(ulong,GPT_HEADER *)
		test	eax, eax
		js	loc_69C53D
		mov	eax, [ebp+var_8]
		mov	esi, [ebp+var_8]
		mov	ecx, [ebx]
		mov	eax, [eax+54h]
		imul	eax, [esi+50h]
		mov	edx, [ecx+0ACh]
		mov	ecx, [ecx+0B0h]
		lea	esi, [eax-1]
		xor	eax, eax
		add	esi, edx
		inc	eax
		neg	edx
		shl	eax, cl
		and	esi, edx
		mov	[ebp+var_8], esi
		lea	ecx, [eax+esi]
		call	?Allocate@SC_ENV@@SGPAXI@Z ; SC_ENV::Allocate(uint)
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	[ebp+edi*4+var_28], edx
		push	0
		pop	esi
		test	edx, edx
		jz	loc_69C5FE
		test	edi, edi
		jnz	short loc_69C4E8
		mov	eax, [ebp+var_8]
		add	eax, edx
		mov	[ebp+var_8], eax
		jmp	short loc_69C500
; 

loc_69C4E8:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+A5j
		mov	ecx, [ebx]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_8], edx
		mov	ecx, [ecx+0B0h]
		shl	eax, cl
		add	edx, eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_C], edx

loc_69C500:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+AFj
		mov	[ebp+edi*4+var_18], eax
		xor	eax, eax
		mov	[ebp+edi*4+var_20], edx
		inc	eax
		mov	edx, [ebx]
		mov	ecx, [edx+0B0h]
		shl	eax, cl
		push	eax		; size_t
		push	dword ptr [edx+0C4h] ; void *
		push	[ebp+var_8]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, ebx
		push	[ebp+var_C]
		push	[ebp+var_8]
		call	?ReadEntries@SC_GPT@@AAEJPAVGPT_HEADER@@PAU_GPT_ENTRY@@@Z ; SC_GPT::ReadEntries(GPT_HEADER *,_GPT_ENTRY	*)
		test	eax, eax
		js	short loc_69C53D
		mov	byte ptr [ebp+edi+var_4], 1

loc_69C53D:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+55j
					; SC_GPT::VerifyPartitionTable(uchar)+FFj
		inc	edi
		cmp	edi, [ebp+var_10]
		jb	loc_69C472
		mov	ax, word ptr [ebp+var_4]
		mov	edi, esi
		mov	[ebp+var_10], edi
		test	al, al
		jnz	short loc_69C55C
		test	ah, ah
		jz	loc_69C5F4

loc_69C55C:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+11Bj
		mov	edx, [ebx]
		mov	[ebp+var_8], edx
		test	byte ptr [edx+88h], 1
		jnz	loc_69C6BE
		test	al, al
		jz	short loc_69C5EE
		test	ah, ah
		jz	short loc_69C5EE
		mov	edi, [ebp+var_14]
		mov	edx, [ebp+var_18]
		mov	ecx, [edi+18h]
		cmp	ecx, [edx+20h]
		jnz	short loc_69C5EB
		mov	ecx, [edi+1Ch]
		cmp	ecx, [edx+24h]
		jnz	short loc_69C5EB
		mov	ecx, [edi+20h]
		cmp	ecx, [edx+18h]
		jnz	short loc_69C5EB
		mov	ecx, [edi+24h]
		cmp	ecx, [edx+1Ch]
		jnz	short loc_69C5EB
		mov	ecx, [edi+28h]
		cmp	ecx, [edx+28h]
		jnz	short loc_69C5EB
		mov	ecx, [edi+2Ch]
		cmp	ecx, [edx+2Ch]
		jnz	short loc_69C5EB
		mov	ecx, [edi+30h]
		cmp	ecx, [edx+30h]
		jnz	short loc_69C5EB
		mov	ecx, [edi+34h]
		cmp	ecx, [edx+34h]
		jnz	short loc_69C5EB
		mov	ecx, [edi+50h]
		cmp	ecx, [edx+50h]
		jnz	short loc_69C5EB
		mov	ecx, [edi+54h]
		cmp	ecx, [edx+54h]
		jnz	short loc_69C5EB
		mov	ecx, [edi+58h]
		cmp	ecx, [edx+58h]
		jnz	short loc_69C5EB
		add	edx, 38h	; void *
		lea	ecx, [edi+38h]	; void *
		call	?IsEqualGUID@@YGHABU_GUID@@0@Z ; IsEqualGUID(_GUID const &,_GUID const &)
		test	eax, eax
		jnz	loc_69C6BB
		mov	ax, word ptr [ebp+var_4]

loc_69C5EB:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+14Bj
					; SC_GPT::VerifyPartitionTable(uchar)+153j ...
		mov	edx, [ebp+var_8]

loc_69C5EE:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+139j
					; SC_GPT::VerifyPartitionTable(uchar)+13Dj
		cmp	[ebp+arg_0], 0
		jnz	short loc_69C608

loc_69C5F4:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+11Fj
		mov	edi, 0C0000032h
		jmp	loc_69C6BE
; 

loc_69C5FE:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+9Dj
		mov	edi, 0C000009Ah
		jmp	loc_69C6BE
; 

loc_69C608:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+1BBj
		test	al, al
		jz	short loc_69C614
		lea	ecx, [ebp+var_20]
		lea	edi, [ebp+var_18]
		jmp	short loc_69C61A
; 

loc_69C614:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+1D3j
		lea	ecx, [ebp+var_1C]
		lea	edi, [ebp+var_14]

loc_69C61A:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+1DBj
		mov	edi, [edi]
		mov	edx, [edx+0ACh]
		mov	[ebp+var_4], ecx
		xor	ecx, ecx
		test	al, al
		mov	eax, [edi+54h]
		setnz	cl
		imul	eax, [edi+50h]
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+var_8]
		dec	eax
		mov	ecx, [ecx+0B0h]
		add	eax, edx
		mov	[edi+10h], esi
		neg	edx
		and	eax, edx
		mov	edx, [edi+1Ch]
		shr	eax, cl
		cmp	[ebp+var_C], 0
		mov	ecx, [edi+18h]
		mov	dword ptr [ebp+arg_0], eax
		mov	eax, [edi+20h]
		mov	[edi+18h], eax
		mov	eax, [edi+24h]
		mov	[edi+1Ch], eax
		mov	[edi+20h], ecx
		mov	[edi+24h], edx
		mov	eax, [edi+18h]
		mov	ecx, [edi+1Ch]
		jnz	short loc_69C679
		add	eax, 1
		adc	ecx, esi
		jmp	short loc_69C67E
; 

loc_69C679:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+239j
		sub	eax, dword ptr [ebp+arg_0]
		sbb	ecx, esi

loc_69C67E:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+240j
		mov	[edi+48h], eax
		mov	[edi+4Ch], ecx
		push	dword ptr [edi+0Ch]
		push	edi
		push	esi
		call	_RtlComputeCrc32@12 ; RtlComputeCrc32(x,x,x)
		mov	[edi+10h], eax
		mov	eax, dword ptr [ebp+arg_0]
		inc	eax
		cmp	[ebp+var_C], 0
		jnz	short loc_69C6A4
		push	edi
		push	dword ptr [edi+1Ch]
		push	dword ptr [edi+18h]
		jmp	short loc_69C6AF
; 

loc_69C6A4:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+262j
		mov	ecx, [ebp+var_4]
		push	dword ptr [ecx]
		push	dword ptr [edi+4Ch]
		push	dword ptr [edi+48h]

loc_69C6AF:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+26Bj
		mov	ecx, [ebx]
		push	eax
		call	?WriteSectors@SC_DISK@@QAEJK_KPAX@Z ; SC_DISK::WriteSectors(ulong,unsigned __int64,void	*)
		mov	edi, eax
		jmp	short loc_69C6BE
; 

loc_69C6BB:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+1AAj
		mov	edi, [ebp+var_10]

loc_69C6BE:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+131j
					; SC_GPT::VerifyPartitionTable(uchar)+1C2j ...
		mov	ecx, [ebp+esi*4+var_28]
		test	ecx, ecx
		jz	short loc_69C6CB
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69C6CB:				; CODE XREF: SC_GPT::VerifyPartitionTable(uchar)+28Dj
		inc	esi
		cmp	esi, 2
		jb	short loc_69C6BE
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
?VerifyPartitionTable@SC_GPT@@QAEJE@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_GPT::WritePartitionTable(class SC_DISK_LAYOUT *, unsigned char)
?WritePartitionTable@SC_GPT@@QAEJPAVSC_DISK_LAYOUT@@E@Z	proc near
					; CODE XREF: SC_DISK::WritePartitionTable(SC_DISK_LAYOUT *)+63p
					; SC_GPT::CreatePartitionTable(_CREATE_DISK *)+63p ...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		and	[ebp+var_38], 0
		mov	eax, 0AA55h
		cmp	[ebp+arg_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edi
		mov	edx, [edi]
		mov	[ebp+var_20], edx
		mov	ebx, [edx+0C4h]
		mov	[ebp+var_4C], ebx
		jz	short loc_69C778
		cmp	[ebx+1FEh], ax
		jnz	short loc_69C719
		mov	eax, [ebx+1B8h]
		mov	[ebp+var_38], eax

loc_69C719:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+34j
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+28h]
		cmp	ecx, 80h
		ja	short loc_69C72C
		mov	ecx, 80h

loc_69C72C:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+4Bj
		cmp	ecx, 400h
		jbe	short loc_69C73E

loc_69C734:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+119j
		mov	esi, 0C000000Dh
		jmp	loc_69CC67
; 

loc_69C73E:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+58j
		mov	eax, [edx+0ACh]
		and	[ebp+var_8], 0
		shl	ecx, 7
		mov	[ebp+var_34], 80h
		lea	ebx, [eax-1]
		neg	eax
		add	ebx, ecx
		mov	ecx, [edx+0B0h]
		and	ebx, eax
		mov	eax, ebx
		shr	eax, cl
		mov	[ebp+var_C], eax
		add	eax, 2
		mov	[ebp+var_4], eax
		mov	eax, ebx
		shr	eax, 7
		mov	[ebp+var_24], eax
		jmp	short loc_69C7F0
; 

loc_69C778:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+2Bj
		test	byte ptr [edx+88h], 1
		push	0
		pop	eax
		setz	al
		inc	eax
		mov	[ebp+var_34], eax
		xor	eax, eax
		mov	[ebp+var_2C], eax

loc_69C78E:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+CDj
		push	ebx
		push	eax
		mov	ecx, edi
		call	?ReadHeader@SC_GPT@@AAEJKPAVGPT_HEADER@@@Z ; SC_GPT::ReadHeader(ulong,GPT_HEADER *)
		mov	esi, eax
		test	esi, esi
		jns	short loc_69C7AE
		mov	eax, [ebp+var_2C]
		inc	eax
		mov	[ebp+var_2C], eax
		cmp	eax, [ebp+var_34]
		jb	short loc_69C78E
		jmp	loc_69CC67
; 

loc_69C7AE:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+C1j
		mov	eax, [ebx+28h]
		mov	edx, [edi]
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_4], eax
		mov	eax, [ebx+2Ch]
		mov	ecx, [edx+0ACh]
		mov	[ebp+var_8], eax
		mov	eax, [ebx+50h]
		mov	ebx, [ebx+54h]
		mov	[ebp+var_24], eax
		imul	eax, ebx
		mov	[ebp+var_34], ebx
		lea	ebx, [ecx-1]
		neg	ecx
		mov	[ebp+var_20], edx
		add	ebx, eax
		and	ebx, ecx
		mov	ecx, [edx+0B0h]
		mov	eax, ebx
		shr	eax, cl
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_24]

loc_69C7F0:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+9Cj
		cmp	[esi+4], eax
		ja	loc_69C734
		sub	esp, 10h
		mov	esi, offset _PARTITION_LEGACY_BL_GUID
		mov	edi, esp
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	?FindPartitionGpt@SC_DISK_LAYOUT@@QAEKU_GUID@@@Z ; SC_DISK_LAYOUT::FindPartitionGpt(_GUID)
		or	edi, 0FFFFFFFFh
		cmp	eax, edi
		jz	short loc_69C854
		imul	eax, 90h
		push	dword ptr [eax+esi+44h]
		push	dword ptr [eax+esi+40h]
		mov	esi, [ebp+var_20]
		mov	ecx, esi
		call	??$ToSectors@_J@SC_DISK@@QAE_J_J@Z ; SC_DISK::ToSectors<__int64>(__int64)
		mov	ecx, eax
		mov	eax, [ebp+var_C]
		add	ecx, eax
		adc	edx, 0
		add	ecx, 2
		adc	edx, 0
		cmp	[ebp+var_8], edx
		ja	short loc_69C85A
		jb	short loc_69C84C
		cmp	[ebp+var_4], ecx
		jnb	short loc_69C85A

loc_69C84C:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+16Bj
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], edx
		jmp	short loc_69C85A
; 

loc_69C854:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+13Cj
		mov	esi, [ebp+var_20]
		mov	eax, [ebp+var_C]

loc_69C85A:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+169j
					; SC_GPT::WritePartitionTable(SC_DISK_LAYOUT *,uchar)+170j ...
		test	byte ptr [esi+88h], 1
		mov	ecx, [esi+0B8h]
		mov	edx, [esi+0BCh]
		jz	short loc_69C873
		add	ecx, edi
		jmp	short loc_69C87B
; 

loc_69C873:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+193j
		sub	ecx, eax
		sbb	edx, 0
		add	ecx, 0FFFFFFFEh

loc_69C87B:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+197j
		push	2
		adc	edx, edi
		mov	[ebp+var_20], ecx
		mov	ecx, [esi+0B0h]
		pop	eax
		shl	eax, cl
		add	ebx, eax
		mov	[ebp+var_18], edx
		mov	ecx, ebx
		call	?Allocate@SC_ENV@@SGPAXI@Z ; SC_ENV::Allocate(uint)
		mov	esi, eax
		mov	[ebp+var_2C], esi
		test	esi, esi
		jnz	short loc_69C8AA
		mov	esi, 0C000009Ah
		jmp	loc_69CC67
; 

loc_69C8AA:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+1C4j
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edi, [ebp+var_10]
		xor	eax, eax
		and	[ebp+var_30], 0
		inc	eax
		add	esp, 0Ch
		mov	ecx, [edi]
		mov	ecx, [ecx+0B0h]
		shl	eax, cl
		sub	ebx, eax
		add	ebx, esi
		mov	[ebp+var_48], ebx
		lea	ecx, [eax+esi]
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_28], ecx
		cmp	dword ptr [eax+4], 0
		jbe	loc_69CA15
		lea	edi, [ecx+20h]
		lea	ebx, [eax+60h]
		mov	[ebp+var_14], edi
		mov	[ebp+var_1C], ebx

loc_69C8F0:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+32Cj
		mov	ecx, [ebx-30h]
		sub	ecx, 0
		jz	short loc_69C913
		sub	ecx, 1
		jnz	short loc_69C91D
		lea	ecx, [ebx-10h]	; void *
		mov	edx, (offset loc_42742F+1) ; void *
		call	?IsEqualGUID@@YGHABU_GUID@@0@Z ; IsEqualGUID(_GUID const &,_GUID const &)
		test	eax, eax
		jz	short loc_69C91D
		jmp	loc_69C9F0
; 

loc_69C913:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+21Cj
		cmp	byte ptr [ebx-10h], 0
		jz	loc_69C9F3

loc_69C91D:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+221j
					; SC_GPT::WritePartitionTable(SC_DISK_LAYOUT *,uchar)+232j
		mov	edx, offset _GUID_NULL ; void *
		mov	ecx, ebx	; void *
		call	?IsEqualGUID@@YGHABU_GUID@@0@Z ; IsEqualGUID(_GUID const &,_GUID const &)
		test	eax, eax
		jz	short loc_69C934
		mov	ecx, ebx
		call	?CreateGuid@SC_ENV@@SGJPAU_GUID@@@Z ; SC_ENV::CreateGuid(_GUID *)

loc_69C934:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+251j
		add	edi, 0FFFFFFE0h
		lea	esi, [ebx-10h]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_14]
		mov	esi, ebx
		lea	edi, [edi-10h]
		movsd
		movsd
		movsd
		movsd
		push	dword ptr [ebx-24h]
		mov	edi, [ebp+var_10]
		push	dword ptr [ebx-28h]
		mov	ecx, [edi]
		call	??$ToSectors@_J@SC_DISK@@QAE_J_J@Z ; SC_DISK::ToSectors<__int64>(__int64)
		mov	ecx, eax
		mov	ebx, edx
		mov	eax, [ebp+var_14]
		mov	[ebp+var_3C], ecx
		mov	[eax], ecx
		mov	[eax+4], ebx
		mov	eax, [ebp+var_1C]
		mov	esi, [eax-20h]
		add	esi, [eax-28h]
		mov	ecx, [eax-1Ch]
		adc	ecx, [eax-24h]
		sub	esi, 1
		sbb	ecx, 0
		push	ecx
		mov	ecx, [edi]
		push	esi
		call	??$ToSectors@_J@SC_DISK@@QAE_J_J@Z ; SC_DISK::ToSectors<__int64>(__int64)
		mov	esi, [ebp+var_1C]
		mov	ecx, eax
		mov	eax, edx
		mov	[ebp+var_44], ecx
		mov	edx, [ebp+var_14]
		push	12h
		mov	[ebp+var_40], eax
		mov	[edx+8], ecx
		lea	edi, [edx+18h]
		mov	[edx+0Ch], eax
		mov	ecx, [esi+10h]
		mov	[edx+10h], ecx
		mov	ecx, [esi+14h]
		add	esi, 18h
		mov	[edx+14h], ecx
		pop	ecx
		rep movsd
		cmp	ebx, [ebp+var_8]
		jb	loc_69CB30
		ja	short loc_69C9CE
		mov	eax, [ebp+var_3C]
		cmp	eax, [ebp+var_4]
		jb	loc_69CB30
		mov	eax, [ebp+var_40]

loc_69C9CE:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+2E3j
		cmp	eax, [ebp+var_18]
		ja	loc_69CB30
		jb	short loc_69C9E5
		mov	eax, [ebp+var_44]
		cmp	eax, [ebp+var_20]
		ja	loc_69CB30

loc_69C9E5:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+2FDj
		mov	ebx, [ebp+var_1C]
		sub	edx, 0FFFFFF80h
		mov	[ebp+var_14], edx
		mov	edi, edx

loc_69C9F0:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+234j
		mov	eax, [ebp+arg_0]

loc_69C9F3:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+23Dj
		mov	ecx, [ebp+var_30]
		add	ebx, 90h
		inc	ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_30], ecx
		cmp	ecx, [eax+4]
		jb	loc_69C8F0
		mov	ebx, [ebp+var_48]
		mov	esi, [ebp+var_2C]
		mov	edi, [ebp+var_10]

loc_69CA15:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+204j
		add	eax, 8
		mov	edx, offset _GUID_NULL ; void *
		mov	ecx, eax	; void *
		mov	[ebp+var_30], eax
		call	?IsEqualGUID@@YGHABU_GUID@@0@Z ; IsEqualGUID(_GUID const &,_GUID const &)
		test	eax, eax
		jz	short loc_69CA33
		mov	ecx, [ebp+var_30]
		call	?CreateGuid@SC_ENV@@SGJPAU_GUID@@@Z ; SC_ENV::CreateGuid(_GUID *)

loc_69CA33:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+34Fj
		mov	eax, [ebp+var_20]
		sub	eax, [ebp+var_4]
		mov	edx, [ebp+var_18]
		sbb	edx, [ebp+var_8]
		add	eax, 1
		mov	ecx, [edi]
		adc	edx, 0
		mov	ecx, [ecx+0B0h]
		call	__allshl
		mov	ecx, [ebp+arg_0]
		mov	edi, [ebp+var_20]
		push	0
		mov	[ecx+20h], eax
		mov	eax, [ebp+var_24]
		mov	[ecx+28h], eax
		mov	[ecx+24h], edx
		and	dword ptr [esi+1Ch], 0
		mov	edx, [ebp+var_C]
		mov	ecx, edx
		add	ecx, edi
		mov	[esi+30h], edi
		pop	eax
		adc	eax, [ebp+var_18]
		lea	edi, [esi+38h]
		add	ecx, 1
		mov	dword ptr [esi], 20494645h
		mov	[esi+20h], ecx
		mov	ecx, [ebp+var_8]
		adc	eax, 0
		mov	[esi+24h], eax
		mov	eax, [ebp+var_4]
		mov	[esi+28h], eax
		mov	eax, [ebp+var_18]
		mov	[esi+34h], eax
		mov	[esi+2Ch], ecx
		mov	eax, [ebp+var_4]
		mov	dword ptr [esi+4], 54524150h
		sub	eax, edx
		mov	dword ptr [esi+8], 10000h
		mov	dword ptr [esi+0Ch], 5Ch
		sbb	ecx, 0
		mov	dword ptr [esi+18h], 1
		mov	esi, [ebp+var_30]
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_2C]
		mov	esi, [ebp+var_10]
		mov	[edi+48h], eax
		mov	eax, [ebp+var_24]
		mov	[edi+50h], eax
		mov	eax, [ebp+var_34]
		mov	[edi+54h], eax
		mov	eax, edx
		mov	[edi+4Ch], ecx
		mov	ecx, [esi]
		mov	ecx, [ecx+0B0h]
		shl	eax, cl
		push	eax
		push	[ebp+var_28]
		push	0
		call	_RtlComputeCrc32@12 ; RtlComputeCrc32(x,x,x)
		push	5Ch
		push	edi
		push	0
		mov	[edi+58h], eax
		call	_RtlComputeCrc32@12 ; RtlComputeCrc32(x,x,x)
		cmp	[ebp+var_4], 2
		mov	[edi+10h], eax
		mov	ecx, [esi]
		jnz	short loc_69CB3A
		cmp	[ebp+var_8], 0
		jnz	short loc_69CB3A
		mov	eax, [ebp+var_C]
		xor	esi, esi
		inc	eax
		mov	[ebp+arg_0], edi
		mov	[ebp+var_34], eax
		mov	edx, eax
		inc	esi
		xor	eax, eax
		jmp	short loc_69CB70
; 

loc_69CB30:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+2DDj
					; SC_GPT::WritePartitionTable(SC_DISK_LAYOUT *,uchar)+2EBj ...
		mov	esi, 0C000000Dh
		jmp	loc_69CC5F
; 

loc_69CB3A:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+43Bj
					; SC_GPT::WritePartitionTable(SC_DISK_LAYOUT *,uchar)+441j
		push	edi
		push	0
		push	1
		push	1
		call	?WriteSectors@SC_DISK@@QAEJK_KPAX@Z ; SC_DISK::WriteSectors(ulong,unsigned __int64,void	*)
		mov	esi, eax
		test	esi, esi
		js	loc_69CC5F
		mov	eax, [ebp+var_10]
		mov	edx, [ebp+var_C]
		mov	esi, [edi+48h]
		mov	ecx, [eax]
		mov	eax, [edi+4Ch]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_28]
		mov	[ebp+arg_0], eax
		mov	eax, edx
		inc	eax
		mov	[ebp+var_34], eax
		mov	eax, [ebp+var_48]

loc_69CB70:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+454j
		push	[ebp+arg_0]
		push	eax
		push	esi
		push	edx
		call	?WriteSectors@SC_DISK@@QAEJK_KPAX@Z ; SC_DISK::WriteSectors(ulong,unsigned __int64,void	*)
		mov	esi, eax
		test	esi, esi
		js	loc_69CC5F
		mov	eax, [ebp+var_10]
		mov	eax, [eax]
		test	byte ptr [eax+88h], 1
		jz	short loc_69CB98
		mov	ebx, [ebp+var_10]
		jmp	short loc_69CBEE
; 

loc_69CB98:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+4B7j
		push	17h
		pop	ecx
		mov	esi, edi
		xor	edx, edx
		mov	edi, ebx
		rep movsd
		mov	eax, [ebx+18h]
		mov	edi, [ebx+20h]
		push	dword ptr [ebx+0Ch]
		mov	ecx, [ebx+1Ch]
		mov	esi, [ebx+24h]
		mov	[ebx+18h], edi
		sub	edi, [ebp+var_C]
		mov	[ebx+1Ch], esi
		push	ebx
		sbb	esi, edx
		mov	[ebx+10h], edx
		push	edx
		mov	[ebx+20h], eax
		mov	[ebx+24h], ecx
		mov	[ebx+48h], edi
		mov	[ebx+4Ch], esi
		call	_RtlComputeCrc32@12 ; RtlComputeCrc32(x,x,x)
		push	[ebp+var_28]
		mov	[ebx+10h], eax
		mov	ebx, [ebp+var_10]
		push	esi
		push	edi
		push	[ebp+var_34]
		mov	ecx, [ebx]
		call	?WriteSectors@SC_DISK@@QAEJK_KPAX@Z ; SC_DISK::WriteSectors(ulong,unsigned __int64,void	*)
		mov	esi, eax
		test	esi, esi
		js	short loc_69CC5F

loc_69CBEE:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+4BCj
		mov	eax, [ebx]
		and	dword ptr [eax+88h], 0FFFFFFFDh
		cmp	[ebp+arg_4], 0
		jz	short loc_69CC5F
		mov	esi, [ebp+var_4C]
		xor	edi, edi
		push	200h		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_38]
		lea	ecx, [esi+1BEh]
		or	dword ptr [esi+1CAh], 0FFFFFFFFh
		add	esp, 0Ch
		mov	[esi+1B8h], eax
		mov	byte ptr [esi+1C2h], 0EEh
		mov	dword ptr [esi+1C6h], 1
		mov	eax, [ebx]
		add	eax, 98h
		push	eax
		call	?ComputeChs@MBR_ENTRY@@QAEXPAU_DISK_GEOMETRY@@@Z ; MBR_ENTRY::ComputeChs(_DISK_GEOMETRY	*)
		push	edi
		push	edi
		mov	eax, 0AA55h
		push	edi
		mov	[esi+1FEh], ax
		mov	ecx, [ebx]
		push	1
		call	?WriteSectors@SC_DISK@@QAEJK_KPAX@Z ; SC_DISK::WriteSectors(ulong,unsigned __int64,void	*)
		mov	esi, eax

loc_69CC5F:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+45Bj
					; SC_GPT::WritePartitionTable(SC_DISK_LAYOUT *,uchar)+470j ...
		mov	ecx, [ebp+var_2C]
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69CC67:				; CODE XREF: SC_GPT::WritePartitionTable(SC_DISK_LAYOUT	*,uchar)+5Fj
					; SC_GPT::WritePartitionTable(SC_DISK_LAYOUT *,uchar)+CFj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
?WritePartitionTable@SC_GPT@@QAEJPAVSC_DISK_LAYOUT@@E@Z	endp


;  S U B	R O U T	I N E 


; public: __thiscall SC_DEVICE::SC_DEVICE(void)
??0SC_DEVICE@@QAE@XZ proc near		; CODE XREF: SC_DISK::SC_DISK(void)+Dp
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, offset _GUID_NULL
		mov	dword ptr [ecx], offset	??_7SC_DEVICE@@6B@ ; const SC_DEVICE::`vftable'
		lea	edi, [ecx+4]
		xor	eax, eax
		movsd
		movsd
		movsd
		movsd
		pop	edi
		mov	[ecx+14h], eax
		mov	[ecx+18h], eax
		mov	[ecx+1Ch], eax
		mov	[ecx+20h], eax
		mov	[ecx+24h], eax
		mov	[ecx+28h], eax
		mov	[ecx+2Ch], eax
		mov	[ecx+30h], eax
		mov	[ecx+74h], eax
		mov	[ecx+78h], eax
		mov	[ecx+7Ch], eax
		mov	[ecx+80h], eax
		mov	[ecx+84h], eax
		mov	eax, ecx
		pop	esi
		retn
??0SC_DEVICE@@QAE@XZ endp


;  S U B	R O U T	I N E 


; public: virtual __thiscall SC_DEVICE::~SC_DEVICE(void)
??1SC_DEVICE@@UAE@XZ proc near		; CODE XREF: SC_DISK::~SC_DISK(void)+B3j
					; SC_DEVICE::`scalar deleting destructor'(uint)+8p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+84h]
		mov	dword ptr [esi], offset	??_7SC_DEVICE@@6B@ ; const SC_DEVICE::`vftable'
		test	ecx, ecx
		jz	short loc_69CCD4
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69CCD4:				; CODE XREF: SC_DEVICE::~SC_DEVICE(void)+13j
		mov	ecx, [esi+80h]
		test	ecx, ecx
		jz	short loc_69CCE3
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69CCE3:				; CODE XREF: SC_DEVICE::~SC_DEVICE(void)+22j
		mov	ecx, [esi+7Ch]
		test	ecx, ecx
		jz	short loc_69CCEF
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69CCEF:				; CODE XREF: SC_DEVICE::~SC_DEVICE(void)+2Ej
		mov	ecx, [esi+78h]
		test	ecx, ecx
		jz	short loc_69CCFB
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69CCFB:				; CODE XREF: SC_DEVICE::~SC_DEVICE(void)+3Aj
		mov	ecx, [esi+74h]
		test	ecx, ecx
		jz	short loc_69CD07
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69CD07:				; CODE XREF: SC_DEVICE::~SC_DEVICE(void)+46j
		mov	ecx, [esi+30h]
		test	ecx, ecx
		jz	short loc_69CD13
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69CD13:				; CODE XREF: SC_DEVICE::~SC_DEVICE(void)+52j
		mov	ecx, [esi+28h]
		test	ecx, ecx
		jz	short loc_69CD1F
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69CD1F:				; CODE XREF: SC_DEVICE::~SC_DEVICE(void)+5Ej
		mov	ecx, [esi+20h]
		test	ecx, ecx
		jz	short loc_69CD2B
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69CD2B:				; CODE XREF: SC_DEVICE::~SC_DEVICE(void)+6Aj
		mov	ecx, [esi+18h]
		pop	esi
		test	ecx, ecx
		jnz	_ExFreeCallBack@4 ; ExFreeCallBack(x)
		retn
??1SC_DEVICE@@UAE@XZ endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: virtual void * __thiscall SC_DEVICE::`scalar deleting	destructor'(unsigned int)
??_GSC_DEVICE@@UAEPAXI@Z proc near	; DATA XREF: .text:const SC_DEVICE::`vftable'o

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		call	??1SC_DEVICE@@UAE@XZ ; SC_DEVICE::~SC_DEVICE(void)
		test	[ebp+arg_0], 1
		jz	short loc_69CD52
		mov	ecx, esi
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69CD52:				; CODE XREF: SC_DEVICE::`scalar	deleting destructor'(uint)+11j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
??_GSC_DEVICE@@UAEPAXI@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; private: long	__thiscall SC_DEVICE::ExtractDeviceStrings(void)
?ExtractDeviceStrings@SC_DEVICE@@AAEJXZ	proc near
					; CODE XREF: SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+6Dp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_50], ecx
		mov	edx, [ecx+78h]
		mov	eax, [edx+0Ch]
		lea	edi, [ebp+var_44]
		mov	[ebp+var_14], eax
		lea	ebx, [ebp+var_44]
		mov	eax, [edx+10h]
		xor	esi, esi
		mov	[ebp+var_10], eax
		mov	eax, [edx+14h]
		mov	[ebp+var_C], eax
		mov	eax, [edx+18h]
		mov	[ebp+var_8], eax
		lea	eax, [ecx+14h]
		mov	[ebp+var_24], eax
		lea	eax, [ecx+1Ch]
		mov	[ebp+var_20], eax
		lea	eax, [ecx+24h]
		mov	[ebp+var_1C], eax
		lea	eax, [ecx+2Ch]
		push	8
		mov	[ebp+var_18], eax
		xor	eax, eax
		pop	ecx
		rep stosd
		mov	ecx, [edx+4]
		mov	edi, esi
		dec	ecx
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], ecx

loc_69CDBF:				; CODE XREF: SC_DEVICE::ExtractDeviceStrings(void)+93j
		mov	eax, [ebp+edi*4+var_14]
		cmp	eax, 24h
		jb	short loc_69CDE5
		cmp	eax, ecx
		ja	short loc_69CDE5
		mov	ecx, [ebp+var_50]
		mov	edx, ebx
		mov	ecx, [ecx+78h]
		add	ecx, eax
		call	?ScAnsiToUnicodeString@@YGJPADPAU_UNICODE_STRING@@@Z ; ScAnsiToUnicodeString(char *,_UNICODE_STRING *)
		mov	[ebp+var_4C], eax
		test	eax, eax
		js	short loc_69CE1D
		mov	ecx, [ebp+var_48]

loc_69CDE5:				; CODE XREF: SC_DEVICE::ExtractDeviceStrings(void)+6Dj
					; SC_DEVICE::ExtractDeviceStrings(void)+71j
		inc	edi
		add	ebx, 8
		cmp	edi, 4
		jb	short loc_69CDBF
		lea	edx, [ebp+var_44]

loc_69CDF1:				; CODE XREF: SC_DEVICE::ExtractDeviceStrings(void)+BFj
		mov	eax, [ebp+esi+var_14]
		cmp	eax, 24h
		jb	short loc_69CE0C
		cmp	eax, ecx
		ja	short loc_69CE0C
		mov	ecx, [ebp+esi+var_24]
		mov	eax, [edx]
		mov	[ecx], eax
		mov	eax, [edx+4]
		mov	[ecx+4], eax

loc_69CE0C:				; CODE XREF: SC_DEVICE::ExtractDeviceStrings(void)+9Fj
					; SC_DEVICE::ExtractDeviceStrings(void)+A3j
		mov	ecx, [ebp+var_48]
		add	esi, 4
		add	edx, 8
		cmp	esi, 10h
		jb	short loc_69CDF1
		mov	eax, [ebp+var_4C]

loc_69CE1D:				; CODE XREF: SC_DEVICE::ExtractDeviceStrings(void)+87j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
?ExtractDeviceStrings@SC_DEVICE@@AAEJXZ	endp


;  S U B	R O U T	I N E 


; private: long	__thiscall SC_DEVICE::ExtractFaultDomainIds(void)
?ExtractFaultDomainIds@SC_DEVICE@@AAEJXZ proc near
					; CODE XREF: SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+64p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		push	40h		; size_t
		push	0		; int
		lea	edi, [esi+34h]
		push	edi		; void *
		call	_memset
		mov	ecx, [esi+7Ch]
		add	esp, 0Ch
		test	ecx, ecx
		jz	short loc_69CE65
		mov	eax, [ecx+8]
		cmp	eax, 4
		jb	short loc_69CE54
		push	4
		pop	eax

loc_69CE54:				; CODE XREF: SC_DEVICE::ExtractFaultDomainIds(void)+23j
		shl	eax, 4
		push	eax		; size_t
		lea	eax, [ecx+0Ch]
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_69CE65:				; CODE XREF: SC_DEVICE::ExtractFaultDomainIds(void)+1Bj
		pop	edi
		xor	eax, eax
		pop	esi
		retn
?ExtractFaultDomainIds@SC_DEVICE@@AAEJXZ endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_DEVICE::GetStorageProperty(enum  _STORAGE_PROPERTY_ID, struct _STORAGE_DESCRIPTOR_HEADER *	*)
?GetStorageProperty@SC_DEVICE@@QAEJW4_STORAGE_PROPERTY_ID@@PAPAU_STORAGE_DESCRIPTOR_HEADER@@@Z proc near
					; CODE XREF: SC_DEVICE::UpdateStorageProperty(_STORAGE_PROPERTY_ID)+13p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		lea	edx, [ebp+var_14]
		push	ebx
		push	esi
		push	edi
		push	edx
		xor	ebx, ebx
		mov	[ebp+var_1C], eax
		push	6
		mov	[eax], ebx
		mov	eax, [ecx]
		pop	esi
		push	esi
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_8], ebx
		call	dword ptr [eax+10h]
		mov	edi, eax
		test	edi, edi
		js	short loc_69CF02
		mov	[ebp+var_C], ebx
		mov	ebx, [ebp+var_14]
		mov	[ebp+var_10], esi
		jmp	short loc_69CEE5
; 

loc_69CEB0:				; CODE XREF: SC_DEVICE::GetStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER * *)+86j
		mov	eax, [ebp+var_18]
		lea	ecx, [ebp+var_10]
		push	ebx
		push	esi
		push	0Ch
		mov	edx, [eax]
		push	ecx
		push	2D1400h
		mov	ecx, eax
		call	dword ptr [edx+8]
		mov	edi, eax
		test	edi, edi
		jns	short loc_69CED5
		cmp	edi, 80000005h
		jnz	short loc_69CEF7

loc_69CED5:				; CODE XREF: SC_DEVICE::GetStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER * *)+61j
		mov	eax, [esi+4]
		cmp	eax, ebx
		jbe	short loc_69CF15
		mov	ecx, esi
		mov	ebx, eax
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69CEE5:				; CODE XREF: SC_DEVICE::GetStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER * *)+44j
		mov	ecx, ebx
		call	?Allocate@SC_ENV@@SGPAXI@Z ; SC_ENV::Allocate(uint)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_69CEB0
		mov	edi, 0C000009Ah

loc_69CEF7:				; CODE XREF: SC_DEVICE::GetStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER * *)+69j
					; SC_DEVICE::GetStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER	* *)+BDj ...
		test	esi, esi
		jz	short loc_69CF02
		mov	ecx, esi
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69CF02:				; CODE XREF: SC_DEVICE::GetStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER * *)+39j
					; SC_DEVICE::GetStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER	* *)+8Fj
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_69CF15:				; CODE XREF: SC_DEVICE::GetStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER * *)+70j
		mov	ecx, [ebp+var_18]
		mov	[esi+4], ebx
		push	esi
		push	6
		mov	eax, [ecx]
		call	dword ptr [eax+14h]
		mov	edi, eax
		test	edi, edi
		js	short loc_69CEF7
		mov	eax, [ebp+var_1C]
		mov	[eax], esi
		xor	esi, esi
		jmp	short loc_69CEF7
?GetStorageProperty@SC_DEVICE@@QAEJW4_STORAGE_PROPERTY_ID@@PAPAU_STORAGE_DESCRIPTOR_HEADER@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; protected: virtual long __thiscall SC_DEVICE::GetStoragePropertyPre(enum  _STORAGE_PROPERTY_ID, unsigned long	*)
?GetStoragePropertyPre@SC_DEVICE@@MAEJW4_STORAGE_PROPERTY_ID@@PAK@Z proc near
					; CODE XREF: SC_DISK::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+71p
					; DATA XREF: .text:00405114o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		mov	eax, [ebp+arg_0]
		mov	[ecx], edx
		sub	eax, edx
		jz	short loc_69CF80
		sub	eax, 1
		jz	short loc_69CF78
		sub	eax, 1
		jz	short loc_69CF70
		sub	eax, 3
		jz	short loc_69CF68
		sub	eax, 0Eh
		jz	short loc_69CF60
		mov	edx, 0C0000225h
		jmp	short loc_69CF86
; 

loc_69CF60:				; CODE XREF: SC_DEVICE::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+25j
		mov	dword ptr [ecx], 1Ch
		jmp	short loc_69CF86
; 

loc_69CF68:				; CODE XREF: SC_DEVICE::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+20j
		mov	dword ptr [ecx], 18h
		jmp	short loc_69CF86
; 

loc_69CF70:				; CODE XREF: SC_DEVICE::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+1Bj
		mov	dword ptr [ecx], 10h
		jmp	short loc_69CF86
; 

loc_69CF78:				; CODE XREF: SC_DEVICE::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+16j
		mov	dword ptr [ecx], 20h
		jmp	short loc_69CF86
; 

loc_69CF80:				; CODE XREF: SC_DEVICE::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+11j
		mov	dword ptr [ecx], 28h

loc_69CF86:				; CODE XREF: SC_DEVICE::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+2Cj
					; SC_DEVICE::GetStoragePropertyPre(_STORAGE_PROPERTY_ID,ulong *)+34j ...
		mov	eax, edx
		pop	ebp
		retn	8
?GetStoragePropertyPre@SC_DEVICE@@MAEJW4_STORAGE_PROPERTY_ID@@PAK@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: virtual long __thiscall SC_DEVICE::Initialize(void)
?Initialize@SC_DEVICE@@UAEJXZ proc near	; CODE XREF: SC_DISK::Initialize(void)+5p
					; DATA XREF: .text:00405108o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_1C], 0
		mov	edx, ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, [edx]
		lea	edi, [ebp+var_18]
		push	5
		pop	ecx
		mov	esi, offset _DEVPKEY_Device_ClassGuid
		mov	[ebp+var_20], edx
		rep movsd
		lea	ecx, [ebp+var_1C]
		push	ecx
		lea	ecx, [ebp+var_18]
		push	ecx
		mov	ecx, edx
		call	dword ptr [eax+0Ch]
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_69CFE2
		mov	edi, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		add	edi, 4
		mov	esi, ecx
		movsd
		movsd
		movsd
		movsd
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)
		jmp	short loc_69CFE4
; 

loc_69CFE2:				; CODE XREF: SC_DEVICE::Initialize(void)+3Ej
		xor	ebx, ebx

loc_69CFE4:				; CODE XREF: SC_DEVICE::Initialize(void)+54j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
?Initialize@SC_DEVICE@@UAEJXZ endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; protected: virtual void __thiscall SC_DEVICE::SaveStorageProperty(enum  _STORAGE_PROPERTY_ID,	struct _STORAGE_DESCRIPTOR_HEADER *)
?SaveStorageProperty@SC_DEVICE@@MAEXW4_STORAGE_PROPERTY_ID@@PAU_STORAGE_DESCRIPTOR_HEADER@@@Z proc near
					; CODE XREF: SC_DISK::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+68p
					; DATA XREF: .text:0040511Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, ecx
		sub	eax, edi
		jz	short loc_69D037
		sub	eax, 1
		jz	short loc_69D033
		sub	eax, 1
		jz	short loc_69D02C
		sub	eax, 3
		jz	short loc_69D025
		sub	eax, 0Eh
		jnz	short loc_69D020
		push	7Ch
		jmp	short loc_69D039
; 

loc_69D020:				; CODE XREF: SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+25j
		mov	edi, [ebp+arg_4]
		jmp	short loc_69D067
; 

loc_69D025:				; CODE XREF: SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+20j
		mov	esi, 84h
		jmp	short loc_69D03A
; 

loc_69D02C:				; CODE XREF: SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+1Bj
		mov	esi, 80h
		jmp	short loc_69D03A
; 

loc_69D033:				; CODE XREF: SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+16j
		push	74h
		jmp	short loc_69D039
; 

loc_69D037:				; CODE XREF: SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+11j
		push	78h

loc_69D039:				; CODE XREF: SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+29j
					; SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+40j
		pop	esi

loc_69D03A:				; CODE XREF: SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+35j
					; SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+3Cj
		mov	ecx, [esi+ebx]
		test	ecx, ecx
		jz	short loc_69D046
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69D046:				; CODE XREF: SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+4Aj
		mov	eax, [ebp+arg_4]
		mov	[esi+ebx], eax
		cmp	[ebp+arg_0], edi
		jz	short loc_69D060
		cmp	[ebp+arg_0], 13h
		jnz	short loc_69D072
		mov	ecx, ebx
		call	?ExtractFaultDomainIds@SC_DEVICE@@AAEJXZ ; SC_DEVICE::ExtractFaultDomainIds(void)
		jmp	short loc_69D072
; 

loc_69D060:				; CODE XREF: SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+5Aj
		mov	ecx, ebx
		call	?ExtractDeviceStrings@SC_DEVICE@@AAEJXZ	; SC_DEVICE::ExtractDeviceStrings(void)

loc_69D067:				; CODE XREF: SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+2Ej
		test	edi, edi
		jz	short loc_69D072
		mov	ecx, edi
		call	_ExFreeCallBack@4 ; ExFreeCallBack(x)

loc_69D072:				; CODE XREF: SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+60j
					; SC_DEVICE::SaveStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER *)+69j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
?SaveStorageProperty@SC_DEVICE@@MAEXW4_STORAGE_PROPERTY_ID@@PAU_STORAGE_DESCRIPTOR_HEADER@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_DEVICE::UpdateStorageProperty(enum	 _STORAGE_PROPERTY_ID)
?UpdateStorageProperty@SC_DEVICE@@QAEJW4_STORAGE_PROPERTY_ID@@@Z proc near
					; CODE XREF: SC_DISK::Initialize(void)+A4p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		push	eax
		push	ecx
		mov	esi, ecx
		call	?GetStorageProperty@SC_DEVICE@@QAEJW4_STORAGE_PROPERTY_ID@@PAPAU_STORAGE_DESCRIPTOR_HEADER@@@Z ; SC_DEVICE::GetStorageProperty(_STORAGE_PROPERTY_ID,_STORAGE_DESCRIPTOR_HEADER * *)
		mov	edi, eax
		test	edi, edi
		js	short loc_69D0A3
		push	[ebp+var_4]
		mov	edx, [esi]
		mov	ecx, esi
		push	6
		call	dword ptr [edx+18h]

loc_69D0A3:				; CODE XREF: SC_DEVICE::UpdateStorageProperty(_STORAGE_PROPERTY_ID)+1Cj
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn	4
?UpdateStorageProperty@SC_DEVICE@@QAEJW4_STORAGE_PROPERTY_ID@@@Z endp


;  S U B	R O U T	I N E 


; public: long __thiscall SC_RAW::CreatePartitionTable(void)
?CreatePartitionTable@SC_RAW@@QAEJXZ proc near
					; CODE XREF: SC_DISK::CreatePartitionTable(_CREATE_DISK	*)+2Ep
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		push	40h		; size_t
		push	ebx		; int
		mov	eax, [edi]
		mov	esi, [eax+0C4h]
		lea	eax, [esi+1BEh]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+1B8h], ebx
		xor	eax, eax
		mov	[esi+1FEh], ax
		xor	esi, esi
		mov	ecx, [edi]
		inc	esi
		push	ebx
		push	ebx
		push	ebx
		push	esi
		call	?WriteSectors@SC_DISK@@QAEJK_KPAX@Z ; SC_DISK::WriteSectors(ulong,unsigned __int64,void	*)
		test	eax, eax
		js	short loc_69D148
		mov	edx, [edi]
		cmp	[edx+0C0h], esi
		jnz	short loc_69D148
		mov	ecx, [edx+0B0h]
		mov	eax, esi
		shl	eax, cl
		push	eax		; size_t
		push	ebx		; int
		push	dword ptr [edx+0C4h] ; void *
		call	_memset
		mov	ecx, [edi]
		add	esp, 0Ch
		push	ebx
		push	ebx
		push	esi
		push	esi
		call	?WriteSectors@SC_DISK@@QAEJK_KPAX@Z ; SC_DISK::WriteSectors(ulong,unsigned __int64,void	*)
		test	eax, eax
		js	short loc_69D148
		mov	ecx, [edi]
		test	byte ptr [ecx+88h], 1
		jnz	short loc_69D148
		mov	edx, [ecx+0B8h]
		mov	eax, [ecx+0BCh]
		add	edx, 0FFFFFFFFh
		push	ebx
		adc	eax, 0FFFFFFFFh
		push	eax
		push	edx
		push	esi
		call	?WriteSectors@SC_DISK@@QAEJK_KPAX@Z ; SC_DISK::WriteSectors(ulong,unsigned __int64,void	*)

loc_69D148:				; CODE XREF: SC_RAW::CreatePartitionTable(void)+42j
					; SC_RAW::CreatePartitionTable(void)+4Cj ...
		pop	edi
		pop	esi
		pop	ebx
		retn
?CreatePartitionTable@SC_RAW@@QAEJXZ endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: long __thiscall SC_RAW::ReadPartitionTable(class SC_DISK_LAYOUT * *)
?ReadPartitionTable@SC_RAW@@QAEJPAPAVSC_DISK_LAYOUT@@@Z	proc near
					; CODE XREF: SC_DISK::ReadPartitionTable(SC_DISK_LAYOUT	* *)+33p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		mov	ecx, 0C0h
		push	ebx
		mov	[ebp+var_4], eax
		xor	ebx, ebx
		push	esi
		mov	eax, [eax]
		push	edi
		mov	edi, [eax+0C4h]
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx
		call	?Allocate@SC_ENV@@SGPAXI@Z ; SC_ENV::Allocate(uint)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_69D183
		mov	ebx, 0C000009Ah
		jmp	loc_69D21C
; 

loc_69D183:				; CODE XREF: SC_RAW::ReadPartitionTable(SC_DISK_LAYOUT * *)+2Bj
		push	0C0h		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	eax, [eax]
		cmp	dword ptr [eax+0A0h], 0Bh
		jz	short loc_69D1BA
		mov	eax, 0AA55h
		cmp	[edi+1FEh], ax
		jz	short loc_69D1BA
		mov	ecx, edi
		call	?CheckSum@MBR_HEADER@@QAEKXZ ; MBR_HEADER::CheckSum(void)
		mov	[esi+0Ch], eax
		jmp	short loc_69D217
; 

loc_69D1BA:				; CODE XREF: SC_RAW::ReadPartitionTable(SC_DISK_LAYOUT * *)+52j
					; SC_RAW::ReadPartitionTable(SC_DISK_LAYOUT * *)+60j
		xor	eax, eax
		mov	ecx, edi
		inc	eax
		mov	[esi+4], eax
		mov	[esi+8], eax
		call	?CheckSum@MBR_HEADER@@QAEKXZ ; MBR_HEADER::CheckSum(void)
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_4]
		mov	[esi+38h], ebx
		mov	[esi+3Ch], ebx
		mov	ecx, [eax]
		mov	eax, [ecx+0B8h]
		mov	edx, [ecx+0BCh]
		mov	ecx, [ecx+0B0h]
		call	__allshl
		or	dword ptr [esi+48h], 0FFFFFFFFh
		mov	[esi+40h], eax
		mov	[esi+44h], edx
		mov	word ptr [esi+50h], 4
		mov	byte ptr [esi+52h], 1
		mov	[esi+54h], ebx
		mov	eax, [esi+8]
		mov	[esi+58h], eax
		xor	eax, eax
		mov	[esi+5Ch], eax
		mov	[esi+60h], ebx
		mov	[esi+64h], ebx

loc_69D217:				; CODE XREF: SC_RAW::ReadPartitionTable(SC_DISK_LAYOUT * *)+6Cj
		mov	eax, [ebp+arg_0]
		mov	[eax], esi

loc_69D21C:				; CODE XREF: SC_RAW::ReadPartitionTable(SC_DISK_LAYOUT * *)+32j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
?ReadPartitionTable@SC_RAW@@QAEJPAPAVSC_DISK_LAYOUT@@@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall StRtlIoStorInfoSetNvCachePriority(int)
_StRtlIoStorInfoSetNvCachePriority@8 proc near ; CODE XREF: IoAsynchronousPageWrite+E8DFEp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	bl, dl
		push	esi
		mov	esi, ecx
		cmp	bl, 0Fh
		jbe	short loc_69D241
		mov	eax, 0C000000Dh
		jmp	short loc_69D275
; 

loc_69D241:				; CODE XREF: StRtlIoStorInfoSetNvCachePriority(x,x)+13j
		push	4		; __int16
		lea	eax, [ebp+var_4]
		push	eax		; void *
		push	esi		; int
		call	IoGetGenericIrpExtension
		test	eax, eax
		jns	short loc_69D258
		cmp	eax, 0C0000225h
		jnz	short loc_69D275

loc_69D258:				; CODE XREF: StRtlIoStorInfoSetNvCachePriority(x,x)+2Aj
		mov	al, byte ptr [ebp+var_4]
		and	bl, 0Fh
		and	al, 0F0h
		or	al, bl
		or	al, 10h
		push	1		; char
		mov	byte ptr [ebp+var_4], al
		lea	eax, [ebp+var_4]
		push	4		; __int16
		push	eax		; void *
		push	esi		; int
		call	IoSetGenericIrpExtension

loc_69D275:				; CODE XREF: StRtlIoStorInfoSetNvCachePriority(x,x)+1Aj
					; StRtlIoStorInfoSetNvCachePriority(x,x)+31j
		pop	esi
		pop	ebx
		leave
		retn
_StRtlIoStorInfoSetNvCachePriority@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

??$Write@U?$_tlgWrapperByRef@$0BA@@@U?$_tlgWrapperByRef@$07@@U2@U2@U?$_tlgWrapperByVal@$03@@U3@U3@U3@U3@@?$_tlgWriteTemplate@$$A6GJPBU_tlgProvider_t@@PBXPBU_GUID@@2IPAU_EVENT_DATA_DESCRIPTOR@@@Z$1?_tlgWriteTransfer_EtwWriteTransfer@@YGJ0122I3@ZPBU2@PBU2@@@SGJPBU_tlgProvider_t@@PBXPBU_GUID@@2ABU?$_tlgWrapperByRef@$0BA@@@ABU?$_tlgWrapperByRef@$07@@44ABU?$_tlgWrapperByVal@$03@@5555@Z	proc near
					; CODE XREF: LookUpTableFlushComplete+84EA1p

var_B4		= dword	ptr -0B4h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B4h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_28]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+arg_14]
		push	esi
		xor	esi, esi
		mov	[ebp+var_8C], 10h
		push	4
		mov	eax, [eax]
		mov	[ebp+var_64], eax
		mov	eax, [ebp+arg_10]
		pop	ecx
		push	8
		mov	[ebp+var_C], ecx
		mov	eax, [eax]
		mov	[ebp+var_74], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_3C], ecx
		mov	eax, [eax]
		mov	[ebp+var_84], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_4C], ecx
		pop	ecx
		mov	[ebp+var_10], esi
		mov	eax, [eax]
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_B4]
		push	eax
		push	0Bh
		push	esi
		push	esi
		push	edx
		push	offset dword_6B30A8
		mov	[ebp+var_8], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], esi
		mov	[ebp+var_70], esi
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], esi
		mov	[ebp+var_80], esi
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_78], esi
		mov	[ebp+var_90], esi
		mov	[ebp+var_88], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	2Ch
??$Write@U?$_tlgWrapperByRef@$0BA@@@U?$_tlgWrapperByRef@$07@@U2@U2@U?$_tlgWrapperByVal@$03@@U3@U3@U3@U3@@?$_tlgWriteTemplate@$$A6GJPBU_tlgProvider_t@@PBXPBU_GUID@@2IPAU_EVENT_DATA_DESCRIPTOR@@@Z$1?_tlgWriteTransfer_EtwWriteTransfer@@YGJ0122I3@ZPBU2@PBU2@@@SGJPBU_tlgProvider_t@@PBXPBU_GUID@@2ABU?$_tlgWrapperByRef@$0BA@@@ABU?$_tlgWrapperByRef@$07@@44ABU?$_tlgWrapperByVal@$03@@5555@Z	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AggregateField	proc near		; CODE XREF: InsertEventEntryInLookUpTable+369p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], edi
		cmp	edi, 71h
		jz	short loc_69D3C6
		lea	eax, [edi-72h]
		cmp	eax, 1
		ja	short loc_69D3ED

loc_69D37E:				; CODE XREF: AggregateField+66j
		mov	eax, [ecx]
		mov	esi, [ecx+4]
		mov	[ebp+var_8], eax
		cmp	edi, 72h
		jnz	short loc_69D399
		cmp	[ebp+arg_4], esi
		jg	short loc_69D3ED
		jl	short loc_69D3A5
		cmp	[ebp+arg_0], eax
		jnb	short loc_69D3ED
		jmp	short loc_69D3A5
; 

loc_69D399:				; CODE XREF: AggregateField+2Bj
		cmp	[ebp+arg_4], esi
		jl	short loc_69D3ED
		jg	short loc_69D3A5
		cmp	[ebp+arg_0], eax
		jbe	short loc_69D3ED

loc_69D3A5:				; CODE XREF: AggregateField+32j
					; AggregateField+39j ...
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		nop
		mov	ebx, [ebp+arg_0]
		mov	edi, [ebp+var_4]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_C]
		cmp	eax, [ebp+var_8]
		jnz	short loc_69D3C1
		cmp	edx, esi
		jz	short loc_69D3ED

loc_69D3C1:				; CODE XREF: AggregateField+5Dj
		mov	ecx, [ebp+var_4]
		jmp	short loc_69D37E
; 

loc_69D3C6:				; CODE XREF: AggregateField+16j
					; AggregateField+88j ...
		mov	esi, [ecx]
		mov	ebx, esi
		mov	edx, [ecx+4]
		mov	eax, esi
		add	ebx, [ebp+arg_0]
		mov	ecx, edx
		mov	[ebp+var_C], edx
		adc	ecx, [ebp+arg_4]
		nop
		mov	edi, [ebp+var_4]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, edi
		cmp	eax, esi
		jnz	short loc_69D3C6
		cmp	edx, [ebp+var_C]
		jnz	short loc_69D3C6

loc_69D3ED:				; CODE XREF: AggregateField+1Ej
					; AggregateField+30j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
AggregateField	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CBufferAllocate	proc near		; CODE XREF: CreateNewEventEntry+6Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		mov	al, cl
		test	esi, esi
		jz	short loc_69D463
		xor	ecx, ecx
		mov	edx, esi
		test	al, al
		mov	eax, large fs:20h
		push	edi
		setz	cl
		dec	ecx
		mov	eax, [eax+338h]
		and	ecx, 0FFFFFE01h
		push	0
		add	ecx, 200h
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	47417254h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jz	short loc_69D454
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_69D454:				; CODE XREF: CBufferAllocate+52j
		mov	[ebx], edi
		test	edi, edi
		pop	edi
		jz	short loc_69D463
		xor	eax, eax
		mov	[ebx+4], esi
		inc	eax
		jmp	short loc_69D465
; 

loc_69D463:				; CODE XREF: CBufferAllocate+10j
					; CBufferAllocate+65j
		xor	eax, eax

loc_69D465:				; CODE XREF: CBufferAllocate+6Dj
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
CBufferAllocate	endp


;  S U B	R O U T	I N E 


CBufferGetNextOffset proc near		; CODE XREF: CreateNewEventEntry+82p
					; CreateNewEventEntry+BFp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	short loc_69D48E
		test	edx, edx
		jz	short loc_69D48E
		mov	edi, [esi+4]
		cmp	edi, edx
		jb	short loc_69D48E
		mov	eax, [esi]
		sub	edi, edx
		mov	[esi+4], edi
		lea	ecx, [eax+edx]
		mov	[esi], ecx
		jmp	short loc_69D490
; 

loc_69D48E:				; CODE XREF: CBufferGetNextOffset+8j
					; CBufferGetNextOffset+Cj ...
		xor	eax, eax

loc_69D490:				; CODE XREF: CBufferGetNextOffset+21j
		pop	edi
		pop	esi
		retn
CBufferGetNextOffset endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CompareEventEntry proc near		; CODE XREF: InsertEventEntryInLookUpTable+2B2p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	bl, cl
		push	edi
		mov	edi, edx
		push	4		; size_t
		mov	eax, [esi+10h]
		mov	[ebp+arg_0], eax
		add	eax, 10h
		push	eax		; void *
		lea	eax, [edi+10h]
		mov	[ebp+var_4], edi
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_69D516
		movzx	esi, byte ptr [esi+21h]
		movzx	eax, bl
		add	esi, 2
		mov	[ebp+var_8], eax
		cmp	esi, eax
		jnb	short loc_69D514
		mov	ecx, [ebp+arg_0]
		mov	eax, esi
		shl	eax, 4
		add	edi, 8
		add	edi, eax
		lea	ebx, [eax+ecx]
		sub	ecx, [ebp+var_4]
		mov	[ebp+arg_0], ecx

loc_69D4EA:				; CODE XREF: CompareEventEntry+7Fj
		mov	edx, [edi]
		mov	eax, edx
		sub	eax, [ecx+edi]
		jnz	short loc_69D516
		push	edx		; size_t
		push	dword ptr [ebx]	; void *
		push	dword ptr [edi-8] ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_69D516
		mov	ecx, [ebp+arg_0]
		inc	esi
		add	ebx, 10h
		add	edi, 10h
		cmp	esi, [ebp+var_8]
		jb	short loc_69D4EA

loc_69D514:				; CODE XREF: CompareEventEntry+3Fj
		xor	eax, eax

loc_69D516:				; CODE XREF: CompareEventEntry+2Ej
					; CompareEventEntry+5Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
CompareEventEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ComputeEventEntryHash proc near		; CODE XREF: InsertEventEntryInLookUpTable+3Bp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	bl, cl
		mov	bh, dl
		lea	ecx, [ebp+var_4]
		push	4
		lea	edx, [edi+10h]
		call	RunningHash
		add	bl, 2
		cmp	bl, bh
		jnb	short loc_69D568
		push	esi
		movzx	esi, bl
		shl	esi, 4
		add	esi, edi
		sub	bh, bl
		movzx	edi, bh

loc_69D552:				; CODE XREF: ComputeEventEntryHash+48j
		push	dword ptr [esi+8]
		mov	edx, [esi]
		lea	ecx, [ebp+var_4]
		call	RunningHash
		lea	esi, [esi+10h]
		sub	edi, 1
		jnz	short loc_69D552
		pop	esi

loc_69D568:				; CODE XREF: ComputeEventEntryHash+25j
		imul	ecx, [ebp+var_4], arg_0+1
		pop	edi
		pop	ebx
		mov	eax, ecx
		shr	eax, 0Bh
		xor	eax, ecx
		imul	eax, 8001h
		leave
		retn	4
ComputeEventEntryHash endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CreateNewEventEntry proc near		; CODE XREF: InsertEventEntryInLookUpTable+277p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	bl, byte ptr [ebp+arg_0]
		mov	bh, cl
		xor	ecx, ecx
		mov	[ebp+var_C], edx
		mov	[eax], ecx
		mov	al, cl
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, ecx
		test	bl, bl
		jz	short loc_69D5C4
		mov	ecx, [ebp+arg_4]
		add	ecx, 8

loc_69D5AF:				; CODE XREF: CreateNewEventEntry+43j
		mov	edx, [ecx]
		cmp	al, 2
		jnb	short loc_69D5B9
		add	edi, edx
		jmp	short loc_69D5BB
; 

loc_69D5B9:				; CODE XREF: CreateNewEventEntry+34j
		add	esi, edx

loc_69D5BB:				; CODE XREF: CreateNewEventEntry+38j
		inc	al
		add	ecx, 10h
		cmp	al, bl
		jb	short loc_69D5AF

loc_69D5C4:				; CODE XREF: CreateNewEventEntry+28j
		lea	eax, [esi+edi]
		cmp	eax, 0FFFFh
		jbe	short loc_69D5D8
		mov	eax, 0C0000095h
		jmp	loc_69D718
; 

loc_69D5D8:				; CODE XREF: CreateNewEventEntry+4Dj
		movzx	edi, bl
		lea	edx, [ebp+var_14]
		shl	edi, 4
		mov	cl, bh
		lea	eax, [edi+22h]
		add	eax, esi
		push	eax
		call	CBufferAllocate
		test	eax, eax
		jnz	short loc_69D5FC
		mov	eax, 0C0000017h
		jmp	loc_69D718
; 

loc_69D5FC:				; CODE XREF: CreateNewEventEntry+71j
		mov	edx, edi
		lea	ecx, [ebp+var_14]
		call	CBufferGetNextOffset
		mov	edx, eax
		xor	bh, bh
		movzx	eax, byte ptr [ebp+arg_8]
		add	eax, 2
		mov	[ebp+arg_0], edx
		mov	[ebp+var_8], eax
		jz	short loc_69D673
		xor	ecx, ecx

loc_69D61B:				; CODE XREF: CreateNewEventEntry+F2j
		mov	edi, [ebp+arg_4]
		shl	ecx, 4
		add	edi, ecx
		lea	eax, [ecx+edx]
		mov	[ebp+var_4], eax
		cmp	bh, 2
		jnb	short loc_69D638
		mov	esi, edi
		mov	edi, eax
		movsd
		movsd
		movsd
		movsd
		jmp	short loc_69D669
; 

loc_69D638:				; CODE XREF: CreateNewEventEntry+ADj
		mov	edx, [edi+8]
		lea	ecx, [ebp+var_14]
		call	CBufferGetNextOffset
		push	edx		; size_t
		push	dword ptr [edi]	; void *
		mov	esi, eax
		push	esi		; void *
		call	_memcpy
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	edx, [ebp+arg_0]
		and	dword ptr [ecx+4], 0
		mov	[ecx], esi
		mov	eax, [edi+0Ch]
		mov	[ecx+0Ch], eax
		mov	eax, [edi+8]
		mov	[ecx+8], eax

loc_69D669:				; CODE XREF: CreateNewEventEntry+B7j
		inc	bh
		movzx	ecx, bh
		cmp	ecx, [ebp+var_8]
		jb	short loc_69D61B

loc_69D673:				; CODE XREF: CreateNewEventEntry+98j
		push	22h
		pop	edx
		lea	ecx, [ebp+var_14]
		call	CBufferGetNextOffset
		mov	esi, [ebp+var_C]
		mov	ecx, eax
		mov	eax, [ebp+arg_0]
		mov	edi, ecx
		mov	dl, byte ptr [ebp+arg_8]
		mov	[ebp+var_4], ecx
		mov	[ecx+10h], eax
		mov	eax, [ebp+arg_C]
		movsd
		movsd
		movsd
		movsd
		mov	[ecx+21h], dl
		add	dl, 2
		mov	[ecx+20h], bl
		mov	[ecx+1Ch], eax
		cmp	dl, bl
		jnb	short loc_69D711
		mov	ecx, [ebp+arg_4]
		movzx	eax, dl
		shl	eax, 4
		push	0FFFFFFF8h
		lea	edi, [ecx+8]
		add	edi, eax
		pop	eax
		sub	eax, ecx
		sub	bl, dl
		mov	[ebp+arg_0], eax
		movzx	eax, bl
		mov	ebx, [ebp+var_4]
		mov	[ebp+arg_8], eax

loc_69D6C9:				; CODE XREF: CreateNewEventEntry+18Dj
		mov	edx, [edi]
		lea	ecx, [ebp+var_14]
		call	CBufferGetNextOffset
		push	edx		; size_t
		push	dword ptr [edi-8] ; void *
		mov	esi, eax
		push	esi		; void *
		call	_memcpy
		mov	ecx, [ebx+10h]
		add	esp, 0Ch
		mov	edx, [ebp+arg_0]
		add	edx, edi
		mov	[edx+ecx], esi
		and	dword ptr [edx+ecx+4], 0
		mov	ecx, [ebx+10h]
		mov	eax, [edi+4]
		mov	[edx+ecx+0Ch], eax
		mov	ecx, [ebx+10h]
		mov	eax, [edi]
		add	edi, 10h
		sub	[ebp+arg_8], 1
		mov	[edx+ecx+8], eax
		jnz	short loc_69D6C9
		mov	ecx, [ebp+var_4]

loc_69D711:				; CODE XREF: CreateNewEventEntry+127j
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		xor	eax, eax

loc_69D718:				; CODE XREF: CreateNewEventEntry+54j
					; CreateNewEventEntry+78j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
CreateNewEventEntry endp


;  S U B	R O U T	I N E 


DestroyEventEntry proc near		; CODE XREF: FlushEventEntryList+1Fp
		test	ecx, ecx
		jz	short locret_69D72D
		push	0
		push	dword ptr [ecx+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_69D72D:				; CODE XREF: DestroyEventEntry+2j
		retn
DestroyEventEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EnableFlushTimer proc near		; CODE XREF: InsertEventEntryInLookUpTable+30Cp
					; TlgAggregateInternalFlushTimerCallbackKernelMode(_EX_TIMER *,void *)+38p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+1Ch+var_4], eax
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_69D77C
		or	[esp+20h+var_10], 0FFFFFFFFh
		lea	eax, [esp+20h+var_18]
		or	[esp+20h+var_C], 0FFFFFFFFh
		xor	ecx, ecx
		push	eax
		push	ecx
		push	ecx
		push	0FFFFFFFFh
		push	0FFFFD8F0h
		push	ecx
		push	edx
		mov	[esp+3Ch+var_18], ecx
		mov	[esp+3Ch+var_14], ecx
		call	__allmul
		push	edx
		push	eax
		push	esi
		call	ExSetTimer

loc_69D77C:				; CODE XREF: EnableFlushTimer+1Bj
		mov	ecx, [esp+20h+var_4]
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
EnableFlushTimer endp


;  S U B	R O U T	I N E 


ExtractAggregateFieldTypes proc	near	; CODE XREF: TlgAggregateAbsorbEvent+1Ep
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	bh, bh
		mov	ecx, [edi+10h]
		mov	esi, [edi+18h]
		add	esi, ecx
		add	ecx, 2

loc_69D7A0:				; CODE XREF: ExtractAggregateFieldTypes+19j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		js	short loc_69D7A0

loc_69D7A7:				; CODE XREF: ExtractAggregateFieldTypes+20j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_69D7A7
		jmp	short loc_69D7EF
; 

loc_69D7B0:				; CODE XREF: ExtractAggregateFieldTypes+29j
					; ExtractAggregateFieldTypes+65j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_69D7B0
		mov	bl, [ecx]
		test	bl, bl
		jns	short loc_69D7F3
		mov	al, [ecx+1]
		and	bl, 7Fh
		add	ecx, 2
		test	al, al
		jns	short loc_69D7F3
		jmp	short loc_69D7D2
; 

loc_69D7CC:				; CODE XREF: ExtractAggregateFieldTypes+4Aj
		cmp	dl, 80h
		jnz	short loc_69D7F3
		inc	ecx

loc_69D7D2:				; CODE XREF: ExtractAggregateFieldTypes+3Ej
		mov	dl, [ecx]
		test	dl, dl
		js	short loc_69D7CC
		cmp	bl, 9
		jnz	short loc_69D7F3
		lea	eax, [edx-71h]
		cmp	al, 2
		ja	short loc_69D7F3
		movzx	eax, bh
		add	eax, eax
		inc	bh
		mov	[edi+eax*8+2Dh], dl

loc_69D7EF:				; CODE XREF: ExtractAggregateFieldTypes+22j
		cmp	ecx, esi
		jb	short loc_69D7B0

loc_69D7F3:				; CODE XREF: ExtractAggregateFieldTypes+2Fj
					; ExtractAggregateFieldTypes+3Cj ...
		pop	edi
		pop	esi
		mov	al, bh
		pop	ebx
		retn
ExtractAggregateFieldTypes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FlattenEventEntryTree proc near		; CODE XREF: FlushLookUpTableBucket+1AAp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	eax, eax
		mov	[ebp+var_4], ecx
		lea	edx, [ebp+var_4]
		test	ecx, ecx
		jz	short locret_69D833
		push	esi
		push	edi

loc_69D80D:				; CODE XREF: FlattenEventEntryTree+36j
		mov	edi, [ecx+18h]
		and	dword ptr [ecx+18h], 0
		mov	edx, [edx]
		add	edx, 14h
		mov	esi, edx
		mov	ecx, [edx]
		jmp	short loc_69D824
; 

loc_69D81F:				; CODE XREF: FlattenEventEntryTree+2Dj
		lea	esi, [ecx+18h]
		mov	ecx, [esi]

loc_69D824:				; CODE XREF: FlattenEventEntryTree+24j
		test	ecx, ecx
		jnz	short loc_69D81F
		mov	[esi], edi
		inc	eax
		mov	ecx, [edx]
		test	ecx, ecx
		jnz	short loc_69D80D
		pop	edi
		pop	esi

locret_69D833:				; CODE XREF: FlattenEventEntryTree+10j
		leave
		retn
FlattenEventEntryTree endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FlushLookUpTableBucket proc near	; CODE XREF: LookUpTableFlushComplete+84EC4p
					; LookUpTableFlushPartial+2Ap

var_3A		= byte ptr -3Ah
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_26		= byte ptr -26h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 28h
		mov	eax, ecx
		mov	[esp+28h+var_C], edx
		xor	ecx, ecx
		mov	[esp+28h+var_24], eax
		push	esi
		push	edi
		cmp	[eax+edx*4], ecx
		jnz	short loc_69D85A
		xor	eax, eax
		jmp	loc_69DBE9
; 

loc_69D85A:				; CODE XREF: FlushLookUpTableBucket+1Cj
		lea	edi, [eax+8Ch]
		mov	[esp+0Bh], cl
		mov	eax, edi
		mov	[esp+30h+var_10], ecx
		and	eax, 7FFFFFFCh
		mov	[esp+30h+var_18], 0FFFFFFFFh
		mov	[esp+30h+var_1C], eax
		jnz	short loc_69D884
		mov	esi, ecx
		jmp	loc_69D998
; 

loc_69D884:				; CODE XREF: FlushLookUpTableBucket+46j
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_69D8BA
		push	ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	edi
		push	esi
		push	192h

loc_69D8B5:				; CODE XREF: FlushLookUpTableBucket+299j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_69D8BA:				; CODE XREF: FlushLookUpTableBucket+6Cj
		mov	[esp+1Ch], ecx
		mov	cl, [esi+1E4h]
		test	cl, cl
		jnz	short loc_69D8DF
		lea	ecx, [esi+222h]
		cmp	byte ptr [ecx],	0
		jz	short loc_69D90B
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al

loc_69D8DF:				; CODE XREF: FlushLookUpTableBucket+91j
		movzx	ecx, cl
		bsf	eax, ecx
		imul	edx, eax, 30h
		btr	ecx, eax
		mov	[esp+1Ch], eax
		mov	[esi+1E4h], cl
		add	edx, [esi+1E8h]
		mov	[esp+44h+var_34], edx
		jnz	short loc_69D927

loc_69D901:				; CODE XREF: FlushLookUpTableBucket+E5j
					; FlushLookUpTableBucket+F0j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_69D967
; 

loc_69D90B:				; CODE XREF: FlushLookUpTableBucket+9Cj
		and	[esp+44h+var_34], 0
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_69D901
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_69D901
; 

loc_69D927:				; CODE XREF: FlushLookUpTableBucket+CAj
		mov	ecx, ds:dword_6D07D0
		mov	eax, edi
		shr	eax, 15h
		cmp	edi, ecx
		jb	short loc_69D959
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_69D94C
		cmp	edi, ecx
		jb	short loc_69D959
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_69D959

loc_69D94C:				; CODE XREF: FlushLookUpTableBucket+108j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_69D95C
; 

loc_69D959:				; CODE XREF: FlushLookUpTableBucket+FFj
					; FlushLookUpTableBucket+10Cj ...
		or	eax, 0FFFFFFFFh

loc_69D95C:				; CODE XREF: FlushLookUpTableBucket+122j
		mov	[edx+14h], eax
		nop
		mov	eax, [esp+44h+var_30]
		mov	[edx+10h], eax

loc_69D967:				; CODE XREF: FlushLookUpTableBucket+D4j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [esp+44h+var_24]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_69D994
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_69D994
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_69D994:				; CODE XREF: FlushLookUpTableBucket+150j
					; FlushLookUpTableBucket+158j
		mov	esi, [esp+44h+var_34]

loc_69D998:				; CODE XREF: FlushLookUpTableBucket+4Aj
		lock bts dword ptr [edi], 0
		jnb	short loc_69D9A9
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_69D9A9:				; CODE XREF: FlushLookUpTableBucket+168j
		test	esi, esi
		jz	short loc_69D9B1
		or	byte ptr [esi+0Eh], 1

loc_69D9B1:				; CODE XREF: FlushLookUpTableBucket+176j
		mov	esi, [esp+44h+var_38]
		cmp	byte ptr [esi+0D9h], 0
		lea	eax, [esi+90h]
		jnz	short loc_69D9CE
		push	eax
		call	ExAcquireSpinLockExclusive
		mov	[esp+44h+var_39], al

loc_69D9CE:				; CODE XREF: FlushLookUpTableBucket+18Dj
		mov	ecx, [esp+44h+var_20]
		mov	eax, [esi+ecx*4]
		and	dword ptr [esi+ecx*4], 0
		mov	ecx, eax
		mov	[esp+44h+var_1C], eax
		call	FlattenEventEntryTree
		sub	[esi+80h], eax
		cmp	byte ptr [esi+0D9h], 0
		mov	[esp+44h+var_18], eax
		jnz	short loc_69DA0D
		lea	ecx, [esi+90h]
		push	ecx
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [esp+44h+var_39]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_69DA0D:				; CODE XREF: FlushLookUpTableBucket+1C0j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_69DA21
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_69DA21:				; CODE XREF: FlushLookUpTableBucket+1E3j
		xor	edi, edi
		mov	[esp+44h+var_34], edi
		cmp	[esp+44h+var_30], edi
		jz	loc_69DBD0
		mov	edx, [esp+44h+var_38]
		mov	esi, large fs:124h
		add	edx, 8Ch
		mov	ecx, ds:dword_6D07D0
		mov	eax, edx
		shr	eax, 15h
		mov	[esp+44h+var_30], esi
		cmp	edx, ecx
		jb	short loc_69DA7C
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_69DA6B
		cmp	edx, ecx
		jb	short loc_69DA7C
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_69DA7C

loc_69DA6B:				; CODE XREF: FlushLookUpTableBucket+227j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esp+44h+var_2C], eax
		jmp	short loc_69DA7F
; 

loc_69DA7C:				; CODE XREF: FlushLookUpTableBucket+21Ej
					; FlushLookUpTableBucket+22Bj ...
		or	eax, 0FFFFFFFFh

loc_69DA7F:				; CODE XREF: FlushLookUpTableBucket+245j
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	cl, [esi+1E6h]
		mov	[esp+44h+var_39], cl
		mov	ecx, esi
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[esp+44h+var_20], ecx
		test	ecx, ecx
		jnz	short loc_69DAD3
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_69DB49
		mov	edx, [esp+44h+var_38]
		push	ecx
		push	[esp+48h+var_2C]
		add	edx, 8Ch
		push	edx
		push	esi
		push	162h
		jmp	loc_69D8B5
; 

loc_69DAD3:				; CODE XREF: FlushLookUpTableBucket+273j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_69DAEA
		call	KiAbEntryRemoveFromTree
		mov	ecx, [esp+44h+var_20]

loc_69DAEA:				; CODE XREF: FlushLookUpTableBucket+2AAj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[esp+44h+var_34], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	[esp+44h+var_39], 1
		mov	edx, eax
		jnz	short loc_69DB36
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_69DB49
; 

loc_69DB36:				; CODE XREF: FlushLookUpTableBucket+2EDj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [esp+44h+var_30]

loc_69DB49:				; CODE XREF: FlushLookUpTableBucket+27Dj
					; FlushLookUpTableBucket+2FFj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[esp+44h+var_20], eax
		jz	short loc_69DBB4
		test	edi, 8000h
		jz	short loc_69DB6E
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_69DB6E:				; CODE XREF: FlushLookUpTableBucket+32Ej
		test	byte ptr [esp+44h+var_34+2], 1
		jz	short loc_69DB7F
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_69DB7F:				; CODE XREF: FlushLookUpTableBucket+33Ej
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_69DB93
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_69DB93:				; CODE XREF: FlushLookUpTableBucket+351j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_69DBB4
		mov	edx, [esp+44h+var_38]
		mov	ecx, esi
		push	[esp+44h+var_20]
		lea	edx, [edx+8Ch]
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_69DBB4:				; CODE XREF: FlushLookUpTableBucket+326j
					; FlushLookUpTableBucket+368j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_69DBCC
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_69DBCC
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_69DBCC:				; CODE XREF: FlushLookUpTableBucket+388j
					; FlushLookUpTableBucket+390j
		mov	esi, [esp+44h+var_38]

loc_69DBD0:				; CODE XREF: FlushLookUpTableBucket+1F6j
		mov	eax, [esi+0C8h]
		mov	ecx, [esp+44h+var_1C]
		push	dword ptr [eax+1Ch]
		push	dword ptr [eax+18h]
		call	FlushEventEntryList
		mov	eax, [esp+44h+var_18]

loc_69DBE9:				; CODE XREF: FlushLookUpTableBucket+20j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
FlushLookUpTableBucket endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

InsertEventEntryInLookUpTable proc near	; CODE XREF: TlgAggregateAbsorbEvent+37p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 48h
		push	esi
		mov	esi, [ecx+24h]
		xor	eax, eax
		mov	cl, [ebx+10h]
		push	edi
		push	dword ptr [ebx+0Ch]
		mov	[ebp+var_44], edx
		xor	edi, edi
		mov	dl, [ebx+8]
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_10], eax
		mov	[ebp+var_34], esi
		call	ComputeEventEntryHash
		mov	[ebp+var_14], eax
		and	eax, 1Fh
		mov	[ebp+var_40], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	byte ptr [ebp+var_4+2],	al
		cmp	al, 2
		jnb	loc_69DDF9
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jz	short loc_69DC90
		cmp	byte ptr [esi+0D9h], 0
		lea	edi, [esi+90h]
		jz	short loc_69DC7F
		push	0
		push	1
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	edi

loc_69DC74:				; CODE XREF: InsertEventEntryInLookUpTable+22Dj
		push	0D1h
		call	ds:__imp__KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_69DC7F:				; CODE XREF: InsertEventEntryInLookUpTable+74j
		push	edi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	edi, [ebp+var_8]
		mov	[ebp+var_C], edi
		jmp	loc_69DE27
; 

loc_69DC90:				; CODE XREF: InsertEventEntryInLookUpTable+65j
		lea	edx, [esi+8Ch]
		xor	ecx, ecx
		mov	eax, edx
		mov	[ebp+var_30], edx
		and	eax, 7FFFFFFCh
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], eax
		jz	loc_69DDCA
		mov	edi, large fs:124h
		dec	word ptr [edi+13Eh]
		nop
		inc	byte ptr [edi+1E6h]
		nop
		cmp	byte ptr [edi+1E6h], 1
		jz	short loc_69DCE7
		push	ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, [ebp+var_30]
		movzx	eax, al
		push	eax
		push	ecx
		push	edi
		push	192h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_69DCE7:				; CODE XREF: InsertEventEntryInLookUpTable+DCj
		mov	[ebp+var_18], ecx
		mov	cl, [edi+1E4h]
		test	cl, cl
		jnz	short loc_69DD0B
		lea	ecx, [edi+222h]
		cmp	byte ptr [ecx],	0
		jz	short loc_69DD35
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [edi+1E4h]
		or	cl, al

loc_69DD0B:				; CODE XREF: InsertEventEntryInLookUpTable+103j
		movzx	ecx, cl
		bsf	eax, ecx
		btr	ecx, eax
		mov	[ebp+var_18], eax
		mov	[edi+1E4h], cl
		imul	ecx, eax, 30h
		add	ecx, [edi+1E8h]
		mov	[ebp+var_C], ecx
		jnz	short loc_69DD54

loc_69DD2B:				; CODE XREF: InsertEventEntryInLookUpTable+154j
					; InsertEventEntryInLookUpTable+163j
		lea	eax, [edi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_69DD9D
; 

loc_69DD35:				; CODE XREF: InsertEventEntryInLookUpTable+10Ej
		and	[ebp+var_C], 0
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_69DD2B
		mov	ecx, edi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		lea	edx, [esi+8Ch]
		jmp	short loc_69DD2B
; 

loc_69DD54:				; CODE XREF: InsertEventEntryInLookUpTable+13Aj
		mov	esi, ds:dword_6D07D0
		mov	eax, edx
		shr	eax, 15h
		cmp	edx, esi
		mov	[ebp+var_30], esi
		mov	esi, [ebp+var_34]
		jb	short loc_69DD72
		cmp	byte ptr ds:dword_6D3994[eax], 1
		jz	short loc_69DD80

loc_69DD72:				; CODE XREF: InsertEventEntryInLookUpTable+178j
		cmp	edx, [ebp+var_30]
		jb	short loc_69DD90
		cmp	byte ptr ds:dword_6D3994[eax], 0Bh
		jnz	short loc_69DD90

loc_69DD80:				; CODE XREF: InsertEventEntryInLookUpTable+181j
		mov	ecx, [edi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_C]
		jmp	short loc_69DD93
; 

loc_69DD90:				; CODE XREF: InsertEventEntryInLookUpTable+186j
					; InsertEventEntryInLookUpTable+18Fj
		or	eax, 0FFFFFFFFh

loc_69DD93:				; CODE XREF: InsertEventEntryInLookUpTable+19Fj
		mov	[ecx+14h], eax
		nop
		mov	eax, [ebp+var_38]
		mov	[ecx+10h], eax

loc_69DD9D:				; CODE XREF: InsertEventEntryInLookUpTable+144j
		nop
		dec	byte ptr [edi+1E6h]
		lea	eax, [ebp+var_3C]
		push	eax
		mov	ecx, edi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [edi+13Eh], 1
		jnz	short loc_69DDC7
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jz	short loc_69DDC7
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_69DDC7:				; CODE XREF: InsertEventEntryInLookUpTable+1C9j
					; InsertEventEntryInLookUpTable+1D1j
		mov	edi, [ebp+var_C]

loc_69DDCA:				; CODE XREF: InsertEventEntryInLookUpTable+B9j
		push	11h
		pop	edx
		xor	eax, eax
		lea	ecx, [esi+8Ch]
		lock cmpxchg [ecx], edx
		test	eax, eax
		jz	short loc_69DDE5
		push	ecx
		mov	edx, edi
		call	ExfAcquirePushLockSharedEx

loc_69DDE5:				; CODE XREF: InsertEventEntryInLookUpTable+1ECj
		test	edi, edi
		jz	short loc_69DDED
		or	byte ptr [edi+0Eh], 1

loc_69DDED:				; CODE XREF: InsertEventEntryInLookUpTable+1F8j
		mov	edi, [ebp+var_8]
		mov	byte ptr [ebp+var_4+3],	0
		mov	[ebp+var_C], edi
		jmp	short loc_69DE2B
; 

loc_69DDF9:				; CODE XREF: InsertEventEntryInLookUpTable+54j
		cmp	byte ptr [esi+0D9h], 0
		lea	eax, [esi+90h]
		mov	[ebp+var_3C], eax
		jz	short loc_69DE21
		push	0
		push	1
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	[ebp+var_3C]
		jmp	loc_69DC74
; 

loc_69DE21:				; CODE XREF: InsertEventEntryInLookUpTable+21Aj
		push	eax
		call	ExAcquireSpinLockSharedAtDpcLevel

loc_69DE27:				; CODE XREF: InsertEventEntryInLookUpTable+9Cj
		mov	byte ptr [ebp+var_4+3],	1

loc_69DE2B:				; CODE XREF: InsertEventEntryInLookUpTable+208j
		mov	eax, [ebp+var_40]
		lea	edx, [esi+eax*4]

loc_69DE31:				; CODE XREF: InsertEventEntryInLookUpTable+2C9j
		cmp	dword ptr [edx], 0
		mov	[ebp+var_18], edx
		jnz	short loc_69DE87
		cmp	dword ptr [esi+80h], 400h
		jnb	loc_69DF16
		test	edi, edi
		jnz	short loc_69DE7B
		mov	edx, [ebp+var_44]
		lea	eax, [ebp+var_8]
		mov	cl, [esi+0D9h]
		push	eax
		push	[ebp+var_14]
		push	dword ptr [ebx+10h]
		push	dword ptr [ebx+0Ch]
		push	dword ptr [ebx+8]
		call	CreateNewEventEntry
		mov	edi, [ebp+var_8]
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], edi
		test	edi, edi
		jz	short loc_69DEBD
		mov	edx, [ebp+var_18]

loc_69DE7B:				; CODE XREF: InsertEventEntryInLookUpTable+25Cj
		mov	ecx, edi
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_69DEDA

loc_69DE87:				; CODE XREF: InsertEventEntryInLookUpTable+248j
		mov	ecx, [edx]
		mov	eax, [ebp+var_14]
		mov	[ebp+var_30], ecx
		mov	edx, [ecx+1Ch]
		cmp	eax, edx
		jz	short loc_69DE9A
		sub	eax, edx
		jmp	short loc_69DEA9
; 

loc_69DE9A:				; CODE XREF: InsertEventEntryInLookUpTable+2A5j
		mov	edx, [ebx+0Ch]
		push	ecx
		mov	cl, [ebx+8]
		call	CompareEventEntry
		mov	ecx, [ebp+var_30]

loc_69DEA9:				; CODE XREF: InsertEventEntryInLookUpTable+2A9j
		test	eax, eax
		jz	short loc_69DF25
		sar	eax, 1Fh
		lea	edx, [ecx+18h]
		and	eax, 0FFFFFFFCh
		add	edx, eax
		jmp	loc_69DE31
; 

loc_69DEBD:				; CODE XREF: InsertEventEntryInLookUpTable+287j
		cmp	eax, 0C0000017h
		jnz	short loc_69DECF
		inc	dword ptr [esi+0B8h]
		jmp	loc_69DF75
; 

loc_69DECF:				; CODE XREF: InsertEventEntryInLookUpTable+2D3j
		inc	dword ptr [esi+0BCh]
		jmp	loc_69DF75
; 

loc_69DEDA:				; CODE XREF: InsertEventEntryInLookUpTable+296j
		xor	eax, eax
		lea	ecx, [esi+80h]
		xor	edi, edi
		inc	eax
		lock xadd [ecx], eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_69DF00
		mov	edx, [esi+0D4h]
		mov	ecx, [esi+0D0h]
		call	EnableFlushTimer

loc_69DF00:				; CODE XREF: InsertEventEntryInLookUpTable+2FEj
		mov	eax, [esi+80h]
		cmp	[esi+0A8h], eax
		jnb	short loc_69DF75
		mov	[esi+0A8h], eax
		jmp	short loc_69DF75
; 

loc_69DF16:				; CODE XREF: InsertEventEntryInLookUpTable+254j
		inc	dword ptr [esi+0B4h]
		mov	[ebp+var_10], 0C0000023h
		jmp	short loc_69DF75
; 

loc_69DF25:				; CODE XREF: InsertEventEntryInLookUpTable+2BCj
		test	ecx, ecx
		jz	short loc_69DF75
		mov	eax, [ebx+10h]
		movzx	edx, al
		push	2
		pop	eax
		add	edx, 2
		mov	[ebp+var_18], eax
		cmp	edx, eax
		jbe	short loc_69DF75
		mov	esi, eax
		mov	edi, edx

loc_69DF40:				; CODE XREF: InsertEventEntryInLookUpTable+37Ej
		mov	eax, [ebx+0Ch]
		add	esi, esi
		mov	ecx, [ecx+10h]
		mov	eax, [eax+esi*8]
		movzx	edx, byte ptr [ecx+esi*8+0Dh]
		mov	ecx, [ecx+esi*8]
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		call	AggregateField
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_30]
		inc	al
		movzx	esi, al
		mov	[ebp+var_18], eax
		cmp	esi, edi
		jb	short loc_69DF40
		mov	esi, [ebp+var_34]
		mov	edi, [ebp+var_C]

loc_69DF75:				; CODE XREF: InsertEventEntryInLookUpTable+2DBj
					; InsertEventEntryInLookUpTable+2E6j ...
		cmp	byte ptr [ebp+var_4+3],	0
		jz	short loc_69DF98
		add	esi, 90h
		push	esi
		call	ExReleaseSpinLockSharedFromDpcLevel
		cmp	byte ptr [ebp+var_4+2],	2
		jnb	short loc_69DFBA
		mov	cl, byte ptr [ebp+var_4+2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_69DFBA
; 

loc_69DF98:				; CODE XREF: InsertEventEntryInLookUpTable+38Aj
		push	11h
		add	esi, 8Ch
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_69DFB3
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_69DFB3:				; CODE XREF: InsertEventEntryInLookUpTable+3BBj
		mov	ecx, esi
		call	KeAbPostRelease

loc_69DFBA:				; CODE XREF: InsertEventEntryInLookUpTable+39Cj
					; InsertEventEntryInLookUpTable+3A7j
		test	edi, edi
		jz	short loc_69DFC8
		push	0
		push	dword ptr [edi+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_69DFC8:				; CODE XREF: InsertEventEntryInLookUpTable+3CDj
		mov	eax, [ebp+var_10]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
InsertEventEntryInLookUpTable endp ; sp	=  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

TlgAggregateAbsorbEvent	proc near	; CODE XREF: _tlgWriteAgg(x,x,x,x,x)+70p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		mov	eax, 0C000000Dh
		push	edi
		mov	edi, edx
		cmp	dword ptr [esi+20h], offset TlgAggregateInternalRegisteredProviderEtwCallback
		jnz	short loc_69E031
		mov	edx, [ebp+arg_4]
		call	ExtractAggregateFieldTypes
		mov	byte ptr [ebp+var_4], al
		test	al, al
		jz	short loc_69E014
		push	[ebp+var_4]
		mov	edx, edi
		mov	ecx, esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	InsertEventEntryInLookUpTable
		jmp	short loc_69E031
; 

loc_69E014:				; CODE XREF: TlgAggregateAbsorbEvent+28j
		push	[ebp+arg_4]
		movzx	eax, byte ptr [ebp+arg_0]
		mov	ecx, [esi+1Ch]
		mov	edx, [esi+18h]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	edi
		push	ecx
		push	edx
		call	EtwWriteEx

loc_69E031:				; CODE XREF: TlgAggregateAbsorbEvent+19j
					; TlgAggregateAbsorbEvent+3Cj
		pop	edi
		pop	esi
		leave
		retn	8
TlgAggregateAbsorbEvent	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void __stdcall TlgAggregateInternalFlushTimerCallbackKernelMode(struct _EX_TIMER *, void *)
?TlgAggregateInternalFlushTimerCallbackKernelMode@@YGXPAU_EX_TIMER@@PAX@Z proc near
					; CODE XREF: TlgAggregateFlush(x)+3Fp
					; DATA XREF: CreateTlgAggregateSession+B9o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		push	edi
		xor	edi, edi
		inc	edi
		mov	dx, di
		lea	ecx, [esi+20h]
		lock cmpxchg [ecx], dx
		movzx	eax, ax
		test	ax, ax
		jnz	short loc_69E062
		push	edi
		push	esi
		call	ExQueueWorkItem
		jmp	short loc_69E074
; 

loc_69E062:				; CODE XREF: TlgAggregateInternalFlushTimerCallbackKernelMode(_EX_TIMER	*,void *)+20j
		cmp	ax, di
		jnz	short loc_69E074
		mov	ecx, [ebp+arg_0]
		mov	edx, 3A98h
		call	EnableFlushTimer

loc_69E074:				; CODE XREF: TlgAggregateInternalFlushTimerCallbackKernelMode(_EX_TIMER	*,void *)+29j
					; TlgAggregateInternalFlushTimerCallbackKernelMode(_EX_TIMER *,void *)+2Ej
		pop	edi
		pop	esi
		pop	ebp
		retn	8
?TlgAggregateInternalFlushTimerCallbackKernelMode@@YGXPAU_EX_TIMER@@PAX@Z endp


;  S U B	R O U T	I N E 


; __stdcall TlgAggregateFlush(x)
_TlgAggregateFlush@4 proc near		; CODE XREF: CmpFlushTraceLoggingProvider()+Dp
					; CmFcShutdownSystem(x)+12p
		cmp	dword ptr [ecx+20h], offset TlgAggregateInternalRegisteredProviderEtwCallback
		push	esi
		jnz	short loc_69E0BE
		mov	esi, [ecx+24h]
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_69E0A6
		mov	eax, large fs:235Ch
		test	eax, 10001h
		jnz	short loc_69E0A6
		mov	ecx, esi
		pop	esi
		jmp	LookUpTableFlushComplete
; 

loc_69E0A6:				; CODE XREF: TlgAggregateFlush(x)+15j
					; TlgAggregateFlush(x)+22j
		push	dword ptr [esi+88h]
		mov	byte ptr [esi+0D8h], 1
		push	dword ptr [esi+0D0h]
		call	?TlgAggregateInternalFlushTimerCallbackKernelMode@@YGXPAU_EX_TIMER@@PAX@Z ; TlgAggregateInternalFlushTimerCallbackKernelMode(_EX_TIMER *,void *)

loc_69E0BE:				; CODE XREF: TlgAggregateFlush(x)+8j
		pop	esi
		retn
_TlgAggregateFlush@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _tlgWriteAgg(x, x, x, x, x)
__tlgWriteAgg@20 proc near		; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+38Dp
					; LdrpGetResourceFileName+467p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		movzx	eax, byte ptr [edx]
		shl	eax, 18h
		mov	[ebp+var_10], eax
		movzx	eax, word ptr [edx+1]
		mov	[ebp+var_C], eax
		mov	eax, [edx+3]
		mov	[ebp+var_8], eax
		mov	eax, [edx+7]
		add	edx, 0Bh
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_8]
		push	ecx
		push	[ebp+arg_4]
		mov	eax, [esi+4]
		and	dword ptr [ecx+4], 0
		mov	[ecx], eax
		mov	eax, [esi+4]
		movzx	eax, word ptr [eax]
		and	dword ptr [ecx+14h], 0
		mov	[ecx+8], eax
		mov	[ecx+10h], edx
		mov	dword ptr [ecx+0Ch], 2
		movzx	eax, word ptr [edx]
		lea	edx, [ebp+var_10]
		mov	[ecx+18h], eax
		mov	eax, offset __TraceLoggingMetadataEnd
		mov	dword ptr [ecx+1Ch], 1
		sub	eax, offset __TraceLoggingMetadata
		mov	ecx, esi
		mov	[ebp+arg_8], eax
		call	TlgAggregateAbsorbEvent
		pop	esi
		leave
		retn	0Ch
__tlgWriteAgg@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlConfigureDynamicMemory(x, x, x)
_HvlConfigureDynamicMemory@12 proc near	; CODE XREF: KeConfigureDynamicMemory(x,x,x)+Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		cmp	esi, edx
		ja	short loc_69E18A
		sub	edx, esi
		cmp	ds:_HvlHypervisorConnected, 0
		jz	short loc_69E186
		test	byte ptr ds:_HvlpFlags,	2
		jz	short loc_69E186
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		sub	eax, ecx
		jz	short loc_69E174
		sub	eax, 1
		jz	short loc_69E182
		sub	eax, 1
		jz	short loc_69E182
		mov	ecx, 0C000000Dh
		jmp	short loc_69E182
; 

loc_69E174:				; CODE XREF: HvlConfigureDynamicMemory(x,x,x)+27j
		push	ecx
		lea	eax, [edx+1]
		mov	ecx, esi
		push	eax
		call	_HvlpAddPhysicalMemory@12 ; HvlpAddPhysicalMemory(x,x,x)
		mov	ecx, eax

loc_69E182:				; CODE XREF: HvlConfigureDynamicMemory(x,x,x)+2Cj
					; HvlConfigureDynamicMemory(x,x,x)+31j	...
		mov	eax, ecx
		jmp	short loc_69E18F
; 

loc_69E186:				; CODE XREF: HvlConfigureDynamicMemory(x,x,x)+15j
					; HvlConfigureDynamicMemory(x,x,x)+1Ej
		xor	eax, eax
		jmp	short loc_69E18F
; 

loc_69E18A:				; CODE XREF: HvlConfigureDynamicMemory(x,x,x)+Aj
		mov	eax, 0C000000Dh

loc_69E18F:				; CODE XREF: HvlConfigureDynamicMemory(x,x,x)+4Aj
					; HvlConfigureDynamicMemory(x,x,x)+4Ej
		pop	esi
		pop	ebp
		retn	4
_HvlConfigureDynamicMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpAddPhysicalMemory(x, x,	x)
_HvlpAddPhysicalMemory@12 proc near	; CODE XREF: HvlConfigureDynamicMemory(x,x,x)+41p

var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	[ebp+var_44], ecx
		lea	edi, [ebp+var_80]
		push	6
		xor	eax, eax
		pop	ecx
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_68]
		mov	[ebp+var_48], eax
		rep stosd
		mov	ecx, [ebx+0Ch]
		test	ecx, ecx
		mov	[ebp+var_3C], ecx
		mov	ecx, [ebx+8]
		mov	[ebp+var_40], ecx
		jnz	short loc_69E1ED
		test	ecx, ecx

loc_69E1E7:				; CODE XREF: HvlpAddPhysicalMemory(x,x,x)+109j
		jz	loc_69E2A9

loc_69E1ED:				; CODE XREF: HvlpAddPhysicalMemory(x,x,x)+4Fj
					; HvlpAddPhysicalMemory(x,x,x)+101j
		push	10h
		lea	eax, [ebp+var_38]
		xor	edx, edx
		push	eax
		inc	edx
		lea	ecx, [ebp+var_80]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	8
		mov	esi, eax
		lea	ecx, [ebp+var_68]
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		pop	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	[ebp+var_54]
		and	dword ptr [esi+4], 0
		mov	edi, eax
		push	[ebp+var_58]
		mov	eax, [ebp+var_44]
		push	[ebp+var_6C]
		mov	[esi], eax
		push	[ebp+var_70]
		mov	eax, [ebp+var_40]
		push	0
		mov	[esi+8], eax
		mov	eax, [ebp+var_3C]
		push	0BCh
		mov	[esi+0Ch], eax
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		mov	esi, [ebp+var_40]
		lea	ecx, [ebp+var_68]
		sub	esi, [edi]
		mov	[ebp+var_4C], eax
		mov	eax, [edi+4]
		sbb	[ebp+var_3C], eax
		mov	eax, [ebp+var_44]
		add	eax, [edi]
		mov	[ebp+var_40], esi
		mov	[ebp+var_44], eax
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		lea	ecx, [ebp+var_80]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	eax, [ebp+var_4C]
		cmp	ax, 0Bh
		jnz	short loc_69E289
		push	0
		xor	ecx, ecx
		call	_HvlpDepositPages@12 ; HvlpDepositPages(x,x,x)
		mov	[ebp+var_48], eax
		test	eax, eax
		jns	short loc_69E291
		mov	eax, 0C000009Ah
		jmp	short loc_69E2A9
; 

loc_69E289:				; CODE XREF: HvlpAddPhysicalMemory(x,x,x)+DCj
		test	ax, ax
		jnz	short loc_69E2A2
		mov	eax, [ebp+var_48]

loc_69E291:				; CODE XREF: HvlpAddPhysicalMemory(x,x,x)+ECj
		cmp	[ebp+var_3C], 0
		ja	loc_69E1ED
		test	esi, esi
		jmp	loc_69E1E7
; 

loc_69E2A2:				; CODE XREF: HvlpAddPhysicalMemory(x,x,x)+F8j
		mov	ecx, eax
		call	_HvlpHvToNtStatus@4 ; HvlpHvToNtStatus(x)

loc_69E2A9:				; CODE XREF: HvlpAddPhysicalMemory(x,x,x):loc_69E1E7j
					; HvlpAddPhysicalMemory(x,x,x)+F3j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
_HvlpAddPhysicalMemory@12 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlFlushRangeListTb(x, x, x, x, x, x, x)
_HvlFlushRangeListTb@28	proc near	; CODE XREF: KeFlushMultipleRangeTb+1C9p
					; KeStackAttachProcess+3F8p ...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ecx
		push	[ebp+arg_0]
		call	_HvlpFlushRangeListTb@28 ; HvlpFlushRangeListTb(x,x,x,x,x,x,x)
		mov	al, byte ptr [ebp+arg_8]
		pop	ebp
		retn	14h
_HvlFlushRangeListTb@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlSwitchVirtualAddressSpace(x)
_HvlSwitchVirtualAddressSpace@4	proc near ; CODE XREF: ExUnregisterCallback+B9p
					; _EnlightenedSwapContext_SaveIpt+7Cp ...

var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		xor	eax, eax
		mov	[ebp+var_8], 1
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_0]
		push	eax
		push	10001h
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		leave
		retn	4
_HvlSwitchVirtualAddressSpace@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpCopyFlushVaList(x, x, x, x)
_HvlpCopyFlushVaList@16	proc near	; CODE XREF: HvlpSlowFlushListTb(x,x,x,x,x,x)+7Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	eax, edx
		xor	esi, esi
		cmp	byte ptr [ebp+arg_0], 0
		push	edi
		mov	[ebp+var_4], eax
		mov	edi, ecx
		jnz	short loc_69E343
		test	edi, edi
		jz	loc_69E3BA
		mov	edx, [ebp+arg_4]

loc_69E324:				; CODE XREF: HvlpCopyFlushVaList(x,x,x,x)+3Ej
		mov	eax, [eax+esi*4]
		mov	ecx, eax
		and	dword ptr [edx+esi*8+4], 0
		and	ecx, 400h
		add	ecx, eax
		mov	eax, [ebp+var_4]
		mov	[edx+esi*8], ecx
		inc	esi
		cmp	esi, edi
		jb	short loc_69E324
		jmp	short loc_69E3BA
; 

loc_69E343:				; CODE XREF: HvlpCopyFlushVaList(x,x,x,x)+16j
		push	ebx
		xor	ebx, ebx
		test	edi, edi
		jz	short loc_69E3B9

loc_69E34A:				; CODE XREF: HvlpCopyFlushVaList(x,x,x,x)+B6j
		mov	eax, [eax+ebx*4]
		mov	ecx, eax
		shr	ecx, 0Ah
		mov	edx, eax
		and	ecx, 3
		and	edx, 3FFh
		test	ecx, ecx
		mov	[ebp+arg_0], edx
		mov	[ebp+var_8], ecx
		setnz	dl
		cmp	[ebp+arg_0], 0
		setnz	cl
		test	dl, cl
		jz	short loc_69E3A0
		imul	ecx, [ebp+var_8], arg_0+1
		mov	edx, 1000h
		and	eax, 0FFFFF000h
		shl	edx, cl
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_8], edx
		mov	edx, [ebp+arg_0]
		inc	edx

loc_69E38D:				; CODE XREF: HvlpCopyFlushVaList(x,x,x,x)+9Bj
		and	dword ptr [ecx+esi*8+4], 0
		mov	[ecx+esi*8], eax
		add	eax, [ebp+var_8]
		inc	esi
		sub	edx, 1
		jnz	short loc_69E38D
		jmp	short loc_69E3B1
; 

loc_69E3A0:				; CODE XREF: HvlpCopyFlushVaList(x,x,x,x)+70j
		mov	ecx, [ebp+arg_4]
		and	eax, 0FFFFF3FFh
		and	dword ptr [ecx+esi*8+4], 0
		mov	[ecx+esi*8], eax
		inc	esi

loc_69E3B1:				; CODE XREF: HvlpCopyFlushVaList(x,x,x,x)+9Dj
		mov	eax, [ebp+var_4]
		inc	ebx
		cmp	ebx, edi
		jb	short loc_69E34A

loc_69E3B9:				; CODE XREF: HvlpCopyFlushVaList(x,x,x,x)+47j
		pop	ebx

loc_69E3BA:				; CODE XREF: HvlpCopyFlushVaList(x,x,x,x)+1Aj
					; HvlpCopyFlushVaList(x,x,x,x)+40j
		pop	edi
		pop	esi
		leave
		retn	8
_HvlpCopyFlushVaList@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpFlushRangeListTb(x, x, x, x, x,	x, x)
_HvlpFlushRangeListTb@28 proc near	; CODE XREF: HvlFlushRangeListTb(x,x,x,x,x,x,x)+12p

var_18		= dword	ptr -18h
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		xor	eax, eax
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esp+20h+var_18]
		push	6
		pop	ecx
		rep stosd
		cmp	byte ptr [ebp+arg_8], al
		jz	short loc_69E3EE
		push	[ebp+arg_0]
		lea	ecx, [esp+24h+var_18]
		push	edx
		mov	edx, esi
		call	_HvlpPrepareFlushHeader@16 ; HvlpPrepareFlushHeader(x,x,x,x)

loc_69E3EE:				; CODE XREF: HvlpFlushRangeListTb(x,x,x,x,x,x,x)+1Dj
		test	ds:_HvlpFlags, 2000h
		mov	edi, [ebp+arg_10]
		mov	edx, [ebp+arg_C]
		jnz	short loc_69E404
		mov	ecx, edx
		jmp	short loc_69E423
; 

loc_69E404:				; CODE XREF: HvlpFlushRangeListTb(x,x,x,x,x,x,x)+3Ej
		xor	ecx, ecx
		mov	esi, ecx
		test	edx, edx
		jz	short loc_69E423

loc_69E40C:				; CODE XREF: HvlpFlushRangeListTb(x,x,x,x,x,x,x)+61j
		mov	eax, [edi+esi*4]
		test	eax, 0C00h
		jz	short loc_69E41D
		and	eax, 3FFh
		add	ecx, eax

loc_69E41D:				; CODE XREF: HvlpFlushRangeListTb(x,x,x,x,x,x,x)+54j
		inc	ecx
		inc	esi
		cmp	esi, edx
		jb	short loc_69E40C

loc_69E423:				; CODE XREF: HvlpFlushRangeListTb(x,x,x,x,x,x,x)+42j
					; HvlpFlushRangeListTb(x,x,x,x,x,x,x)+4Aj
		push	ecx
		push	edi
		push	edx
		push	[ebp+arg_8]
		lea	ecx, [esp+30h+var_18]
		call	_HvlpSlowFlushListTb@24	; HvlpSlowFlushListTb(x,x,x,x,x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	14h
_HvlpFlushRangeListTb@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpPrepareFlushHeader(x, x, x, x)
_HvlpPrepareFlushHeader@16 proc	near	; CODE XREF: HvlpFlushRangeListTb(x,x,x,x,x,x,x)+29p
					; HvlpSlowFlushAddressSpaceTb(x,x,x)+48p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		jnz	short loc_69E451
		push	4
		pop	edi
		jmp	short loc_69E453
; 

loc_69E451:				; CODE XREF: HvlpPrepareFlushHeader(x,x,x,x)+10j
		xor	edi, edi

loc_69E453:				; CODE XREF: HvlpPrepareFlushHeader(x,x,x,x)+15j
		test	ebx, ebx
		jnz	short loc_69E45A
		or	edi, 2

loc_69E45A:				; CODE XREF: HvlpPrepareFlushHeader(x,x,x,x)+1Bj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_69E46C
		and	[esi+10h], ecx
		or	edi, 1
		and	[esi+14h], ecx
		jmp	short loc_69E47A
; 

loc_69E46C:				; CODE XREF: HvlpPrepareFlushHeader(x,x,x,x)+25j
		mov	ecx, [ecx+8]
		call	_HvlpAffinityToVirtualAffinity@4 ; HvlpAffinityToVirtualAffinity(x)
		mov	[esi+10h], eax
		mov	[esi+14h], edx

loc_69E47A:				; CODE XREF: HvlpPrepareFlushHeader(x,x,x,x)+30j
		and	dword ptr [esi+4], 0
		and	dword ptr [esi+0Ch], 0
		mov	[esi+8], edi
		pop	edi
		mov	[esi], ebx
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_HvlpPrepareFlushHeader@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpSlowFlushAddressSpaceTb(x, x, x)
_HvlpSlowFlushAddressSpaceTb@12	proc near ; CODE XREF: MiDeleteFinalPageTables+172647p
					; KeFlushCurrentTbOnly+D8424p ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 58h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+58h+var_4], eax
		push	esi
		push	edi
		push	6
		mov	[esp+64h+var_54], ecx
		lea	edi, [esp+64h+var_50]
		pop	ecx
		xor	eax, eax
		mov	esi, edx
		rep stosd
		push	18h
		lea	eax, [esp+64h+var_38]
		xor	edx, edx
		push	eax
		inc	edx
		lea	ecx, [esp+68h+var_50]
		xor	edi, edi
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	[ebp+arg_0]
		mov	edx, [esp+64h+var_54]
		mov	ecx, eax
		push	esi
		call	_HvlpPrepareFlushHeader@16 ; HvlpPrepareFlushHeader(x,x,x,x)
		push	edi
		push	edi
		push	[esp+68h+var_3C]
		push	[esp+6Ch+var_40]
		push	edi
		push	2
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		lea	ecx, [esp+60h+var_50]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	ecx, [esp+60h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_HvlpSlowFlushAddressSpaceTb@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpSlowFlushListTb(x, x, x, x, x, x)
_HvlpSlowFlushListTb@24	proc near	; CODE XREF: HvlpFlushRangeListTb(x,x,x,x,x,x,x)+6Dp

var_60		= dword	ptr -60h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebx+10h]
		xor	edx, edx
		push	esi
		push	edi
		push	6
		mov	[ebp+var_40], ecx
		lea	edi, [ebp+var_60]
		mov	[ebp+var_3C], eax
		inc	edx
		pop	ecx
		xor	eax, eax
		rep stosd
		push	18h
		lea	eax, [ebp+var_38]
		push	eax
		lea	ecx, [ebp+var_60]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	esi, [ebx+14h]
		mov	[ebp+var_44], eax
		cmp	esi, 1FDh
		ja	loc_69E5F8
		test	byte ptr [ebp+var_60], 2
		jnz	loc_69E5F8
		mov	edx, [ebp+var_3C]
		lea	ecx, [eax+18h]
		mov	eax, ds:_HvlpFlags
		shr	eax, 0Dh
		and	al, 1
		push	ecx
		mov	ecx, [ebx+0Ch]
		movzx	eax, al
		push	eax
		call	_HvlpCopyFlushVaList@16	; HvlpCopyFlushVaList(x,x,x,x)
		cmp	byte ptr [ebx+8], 0
		jz	short loc_69E5DB
		mov	edx, [ebp+var_44]
		and	esi, 0FFFh
		mov	[ebx+14h], esi
		mov	edi, edx
		mov	esi, [ebp+var_40]
		push	6
		pop	ecx
		rep movsd
		test	ds:_HvlpFlags, 2000h
		mov	[ebp+var_3C], 3
		jnz	short loc_69E5C5
		mov	eax, [edx+0Ch]
		or	dword ptr [edx+8], 8
		mov	[edx+0Ch], eax

loc_69E5C5:				; CODE XREF: HvlpSlowFlushListTb(x,x,x,x,x,x)+B0j
		mov	edx, [ebx+14h]

loc_69E5C8:				; CODE XREF: HvlpSlowFlushListTb(x,x,x,x,x,x)+108j
		push	0
		push	0
		push	[ebp+var_4C]
		push	[ebp+var_50]
		push	edx
		push	[ebp+var_3C]
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)

loc_69E5DB:				; CODE XREF: HvlpSlowFlushListTb(x,x,x,x,x,x)+87j
					; HvlpSlowFlushListTb(x,x,x,x,x,x)+F3j
		lea	ecx, [ebp+var_60]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	10h
; 

loc_69E5F8:				; CODE XREF: HvlpSlowFlushListTb(x,x,x,x,x,x)+56j
					; HvlpSlowFlushListTb(x,x,x,x,x,x)+60j
		cmp	byte ptr [ebx+8], 0
		jz	short loc_69E5DB
		mov	esi, [ebp+var_40]
		mov	edi, eax
		push	6
		pop	ecx
		mov	[ebp+var_3C], 2
		xor	edx, edx
		rep movsd
		jmp	short loc_69E5C8
_HvlpSlowFlushListTb@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlNotifyPageHeat(x, x, x, x)
_HvlNotifyPageHeat@16 proc near		; CODE XREF: MiNotifyPageHeat(x)+1Ep

var_60		= dword	ptr -60h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		push	6
		mov	[ebp+var_1], dl
		lea	edi, [ebp+var_48]
		mov	edx, ecx
		xor	eax, eax
		pop	ecx
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_60]
		xor	esi, esi
		rep stosd
		mov	ecx, 200000h
		sub	edx, esi
		jz	short loc_69E65C
		sub	edx, 1
		jz	short loc_69E64F
		mov	eax, 0C000000Dh
		jmp	loc_69E840
; 

loc_69E64F:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+30j
		test	ds:_HvlEnlightenments, ecx
		jz	short loc_69E668
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_69E674
; 

loc_69E65C:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+2Bj
		test	ds:_HvlEnlightenments, 400000h
		jnz	short loc_69E672

loc_69E668:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+42j
		mov	eax, 0C00000BBh
		jmp	loc_69E840
; 

loc_69E672:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+53j
		mov	ebx, esi

loc_69E674:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+47j
		mov	[ebp+var_20], esi
		cmp	[ebp+var_1], al
		jz	short loc_69E6A7
		test	ds:_HvlpFlags, ecx
		jz	short loc_69E6A7
		mov	eax, [ebp+arg_4]
		lea	ecx, [ebp+var_60]
		push	esi
		push	esi
		push	2
		pop	edx
		mov	[ebp+var_1C], eax
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_18], 8006h
		mov	[ebp+var_14], edi
		mov	eax, esi
		jmp	short loc_69E6B6
; 

loc_69E6A7:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+67j
					; HvlNotifyPageHeat(x,x,x,x)+6Fj
		mov	[ebp+var_1C], esi
		mov	edi, esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_18], 8003h

loc_69E6B6:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+92j
		push	esi
		xor	edx, edx
		mov	[ebp+var_8], eax
		push	esi
		inc	edx
		lea	ecx, [ebp+var_48]
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	ecx, esi
		mov	[ebp+var_24], eax
		mov	[eax], ebx
		mov	ebx, esi
		mov	[eax+4], ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_C], ebx
		jmp	short loc_69E6DD
; 

loc_69E6DA:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+203j
		mov	ebx, [ebp+var_C]

loc_69E6DD:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+C5j
		cmp	ecx, 1FFh
		jb	short loc_69E6EA
		mov	ecx, 1FFh

loc_69E6EA:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+D0j
		mov	edx, [ebp+var_8]
		mov	eax, edx
		xor	eax, ecx
		and	eax, 0FFFh
		xor	edx, eax
		mov	[ebp+var_8], edx
		test	ecx, ecx
		jz	loc_69E7A6
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_24]
		add	edx, 8
		lea	edi, [eax+ebx*8]

loc_69E70F:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+187j
		mov	[edx], esi
		mov	[edx+4], esi
		mov	eax, [edi]
		and	eax, 3FFh
		mov	[edx+4], esi
		mov	[edx], eax
		mov	ebx, [edi]
		mov	[ebp+var_10], eax
		mov	eax, [edi+4]
		mov	[ebp+var_28], eax
		mov	eax, ebx
		and	eax, 0C00h
		or	eax, esi
		jnz	short loc_69E748
		mov	eax, [ebp+var_28]
		and	ebx, 0FFFFF000h
		or	ebx, [ebp+var_10]
		or	eax, esi
		mov	[edx], ebx
		jmp	short loc_69E78E
; 

loc_69E748:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+121j
		mov	ebx, [ebp+var_10]
		or	ebx, 800h
		mov	[edx+4], esi
		mov	[edx], ebx
		mov	eax, [edi]
		and	eax, 0FFE00000h
		or	eax, ebx
		mov	ebx, [edi+4]
		or	ebx, esi
		mov	[edx], eax
		mov	[ebp+var_28], ebx
		mov	[edx+4], ebx
		mov	ebx, [edi]
		and	ebx, 0C00h
		cmp	ebx, 400h
		jz	short loc_69E791
		cmp	ebx, 800h
		jnz	short loc_69E791
		or	eax, 1000h
		mov	[edx], eax
		mov	eax, [ebp+var_28]

loc_69E78E:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+133j
		mov	[edx+4], eax

loc_69E791:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+167j
					; HvlNotifyPageHeat(x,x,x,x)+16Fj
		add	edi, 8
		add	edx, 8
		sub	ecx, 1
		jnz	loc_69E70F
		mov	edi, [ebp+var_14]
		mov	edx, [ebp+var_8]

loc_69E7A6:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+EAj
		push	[ebp+var_4C]
		push	[ebp+var_50]
		push	[ebp+var_34]
		push	[ebp+var_38]
		push	edx
		push	[ebp+var_18]
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_2C], edx
		mov	[ebp+var_10], ebx
		test	bx, bx
		jnz	short loc_69E81C
		test	edi, edi
		jz	short loc_69E803
		mov	eax, edx
		mov	ecx, esi
		and	eax, 0FFFh
		mov	[ebp+var_28], eax
		jbe	short loc_69E803
		mov	ebx, [ebp+var_20]
		mov	edx, [ebp+var_1C]

loc_69E7E0:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+1E5j
		cmp	[edi+ecx*8], esi
		jnz	short loc_69E7EB
		cmp	[edi+ecx*8+4], esi
		jz	short loc_69E7F5

loc_69E7EB:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+1D0j
		mov	eax, [edi+ecx*8]
		mov	[edx+ebx*4], eax
		inc	ebx
		mov	eax, [ebp+var_28]

loc_69E7F5:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+1D6j
		inc	ecx
		cmp	ecx, eax
		jb	short loc_69E7E0
		mov	edx, [ebp+var_2C]
		mov	[ebp+var_20], ebx
		mov	ebx, [ebp+var_10]

loc_69E803:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+1B7j
					; HvlNotifyPageHeat(x,x,x,x)+1C5j
		mov	eax, [ebp+var_C]
		and	edx, 0FFFh
		mov	ecx, [ebp+arg_0]
		add	eax, edx
		mov	[ebp+var_C], eax
		sub	ecx, eax
		jnz	loc_69E6DA

loc_69E81C:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+1B3j
		lea	ecx, [ebp+var_48]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		test	edi, edi
		jz	short loc_69E830
		lea	ecx, [ebp+var_60]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)

loc_69E830:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+213j
		test	bx, bx
		jz	short loc_69E83E
		mov	ecx, ebx
		call	_HvlpHvToNtStatus@4 ; HvlpHvToNtStatus(x)
		mov	esi, eax

loc_69E83E:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+220j
		mov	eax, esi

loc_69E840:				; CODE XREF: HvlNotifyPageHeat(x,x,x,x)+37j
					; HvlNotifyPageHeat(x,x,x,x)+5Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_HvlNotifyPageHeat@16 endp


;  S U B	R O U T	I N E 


; __stdcall InbvPortGetByte(x, x)
_InbvPortGetByte@8 proc	near		; CODE XREF: HdlspDispatch(x,x,x,x,x)+2AEp
					; HdlspGetLine(x,x)+CBp
		cmp	ecx, 4
		jnb	short loc_69E883
		imul	ecx, 18h
		lea	eax, _Ports[ecx]
		cmp	dword ptr [eax], 0
		jz	short loc_69E883
		cmp	byte ptr ds:(dword_701394+1)[ecx], 0
		jz	short loc_69E875
		mov	al, byte ptr ds:dword_701394[ecx]
		mov	[edx], al
		mov	byte ptr ds:(dword_701394+1)[ecx], 0

loc_69E872:				; CODE XREF: InbvPortGetByte(x,x)+3Aj
		mov	al, 1
		retn
; 

loc_69E875:				; CODE XREF: InbvPortGetByte(x,x)+1Aj
		push	edx
		push	eax
		mov	eax, ds:_UartHardwareDriver
		call	dword ptr [eax+8]
		test	eax, eax
		jz	short loc_69E872

loc_69E883:				; CODE XREF: InbvPortGetByte(x,x)+3j
					; InbvPortGetByte(x,x)+11j
		xor	al, al
		retn
_InbvPortGetByte@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InbvPortInitialize(x, x, x,	x, x, x, x, x)
_InbvPortInitialize@32 proc near	; CODE XREF: HdlspEnableTerminal(x)+48p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jnz	short loc_69E89B
		inc	esi

loc_69E89B:				; CODE XREF: InbvPortInitialize(x,x,x,x,x,x,x,x)+12j
		cmp	esi, 4
		ja	loc_69E949
		imul	eax, esi, 18h
		mov	[esp+10h+var_4], eax
		lea	ebx, dword_701368[eax]
		cmp	dword ptr [ebx], 0
		jnz	loc_69E949
		mov	cl, [ebp+arg_C]
		mov	eax, [ebp+arg_0]
		test	cl, cl
		jnz	short loc_69E8DD
		xor	dl, dl
		mov	[ebp+arg_14], 1
		mov	byte ptr [ebp+arg_8], dl
		mov	byte ptr [ebp+arg_10], 8
		test	eax, eax
		jnz	short loc_69E8D9
		mov	eax, esi
		jmp	short loc_69E8E0
; 

loc_69E8D9:				; CODE XREF: InbvPortInitialize(x,x,x,x,x,x,x,x)+4Dj
		mov	cl, 1
		jmp	short loc_69E8E0
; 

loc_69E8DD:				; CODE XREF: InbvPortInitialize(x,x,x,x,x,x,x,x)+3Cj
		mov	dl, byte ptr [ebp+arg_8]

loc_69E8E0:				; CODE XREF: InbvPortInitialize(x,x,x,x,x,x,x,x)+51j
					; InbvPortInitialize(x,x,x,x,x,x,x,x)+55j
		test	eax, eax
		jz	short loc_69E949
		cmp	cl, 13h
		jnb	short loc_69E949
		movzx	ecx, cl
		mov	ecx, ds:_UartHardwareDrivers[ecx*4]
		mov	ds:_UartHardwareDriver,	ecx
		test	ecx, ecx
		jz	short loc_69E949
		test	dl, dl
		jz	short loc_69E917
		push	204h
		cdq
		push	1000h
		push	edx
		push	eax
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		test	eax, eax
		jz	short loc_69E949

loc_69E917:				; CODE XREF: InbvPortInitialize(x,x,x,x,x,x,x,x)+79j
		test	edi, edi
		jnz	short loc_69E920
		mov	edi, 4B00h

loc_69E920:				; CODE XREF: InbvPortInitialize(x,x,x,x,x,x,x,x)+93j
		push	[ebp+arg_10]
		mov	[ebx], eax
		lea	ecx, [esi-1]
		mov	eax, [esp+14h+var_4]
		push	dword ptr [ebp+arg_14]
		push	[ebp+arg_8]
		mov	ds:dword_70136C[eax], edi
		mov	eax, [ebp+arg_4]
		push	ebx
		push	0
		mov	[eax], ecx
		mov	eax, ds:_UartHardwareDriver
		call	dword ptr [eax]
		jmp	short loc_69E94B
; 

loc_69E949:				; CODE XREF: InbvPortInitialize(x,x,x,x,x,x,x,x)+18j
					; InbvPortInitialize(x,x,x,x,x,x,x,x)+2Ej ...
		xor	al, al

loc_69E94B:				; CODE XREF: InbvPortInitialize(x,x,x,x,x,x,x,x)+C1j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_InbvPortInitialize@32 endp


;  S U B	R O U T	I N E 


; __stdcall InbvPortPollOnly(x)
_InbvPortPollOnly@4 proc near		; CODE XREF: HdlspDispatch(x,x,x,x,x)+25Dp
					; HdlspDispatch(x,x,x,x,x)+296p ...
		mov	edi, edi
		push	esi
		cmp	ecx, 4
		jnb	short loc_69E992
		imul	esi, ecx, 18h
		lea	ecx, _Ports[esi]
		cmp	dword ptr [ecx], 0
		jz	short loc_69E992
		mov	al, byte ptr ds:(dword_701394+1)[esi]
		test	al, al
		jnz	short loc_69E994
		lea	eax, dword_701394[esi]
		push	eax
		mov	eax, ds:_UartHardwareDriver
		push	ecx
		call	dword ptr [eax+8]
		neg	eax
		sbb	al, al
		inc	al
		mov	byte ptr ds:(dword_701394+1)[esi], al
		pop	esi
		retn
; 

loc_69E992:				; CODE XREF: InbvPortPollOnly(x)+6j
					; InbvPortPollOnly(x)+14j
		xor	al, al

loc_69E994:				; CODE XREF: InbvPortPollOnly(x)+1Ej
		pop	esi
		retn
_InbvPortPollOnly@4 endp


;  S U B	R O U T	I N E 


; __stdcall InbvPortPutByte(x, x)
_InbvPortPutByte@8 proc	near		; CODE XREF: HdlspPutData(x,x)+1Bp
					; HdlspSendStringAtBaud(x)+12p
		cmp	ecx, 4
		jnb	short locret_69E9B5
		imul	eax, ecx, 18h
		lea	eax, _Ports[eax]
		cmp	dword ptr [eax], 0
		jz	short locret_69E9B5
		push	1
		push	edx
		push	eax
		mov	eax, ds:_UartHardwareDriver
		call	dword ptr [eax+0Ch]

locret_69E9B5:				; CODE XREF: InbvPortPutByte(x,x)+3j
					; InbvPortPutByte(x,x)+11j
		retn
_InbvPortPutByte@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InbvPortTerminate(x)
_InbvPortTerminate@4 proc near		; CODE XREF: HdlspEnableTerminal(x)+90p

var_18		= dword	ptr -18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		cmp	ecx, 4
		jnb	short loc_69E9EB
		imul	eax, ecx, 18h
		lea	edx, _Ports[eax]
		cmp	dword ptr [edx], 0
		jz	short loc_69E9EB
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_18]
		rep stosd
		push	6
		pop	ecx
		lea	esi, [ebp+var_18]
		mov	edi, edx
		rep movsd
		mov	al, 1
		jmp	short loc_69E9ED
; 

loc_69E9EB:				; CODE XREF: InbvPortTerminate(x)+Dj
					; InbvPortTerminate(x)+1Bj
		xor	al, al

loc_69E9ED:				; CODE XREF: InbvPortTerminate(x)+33j
		pop	edi
		pop	esi
		leave
		retn
_InbvPortTerminate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ReadPort16(x)
_ReadPort16@4	proc near		; CODE XREF: ReadPortWithIndex16+16p
					; DATA XREF: .data:off_6B3888o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:__imp__READ_PORT_USHORT@4 ; READ_PORT_USHORT(x)
_ReadPort16@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ReadPort32(x)
_ReadPort32@4	proc near		; CODE XREF: ReadPortWithIndex32+16p
					; DATA XREF: .data:off_6B3890o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:__imp__READ_PORT_ULONG@4 ; READ_PORT_ULONG(x)
_ReadPort32@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ReadPort8(x)
_ReadPort8@4	proc near		; CODE XREF: ReadPortWithIndex8+16p
					; DATA XREF: .data:_UartHardwareAccesso
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:__imp__READ_PORT_UCHAR@4 ; READ_PORT_UCHAR(x)
_ReadPort8@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ReadRegister16(x)
_ReadRegister16@4 proc near		; CODE XREF: ReadRegisterWithIndex16+16p
					; DATA XREF: .data:off_6B38A0o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_READ_REGISTER_USHORT@4	; READ_REGISTER_USHORT(x)
_ReadRegister16@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ReadRegister32(x)
_ReadRegister32@4 proc near		; CODE XREF: SpiInit(x,x,x,x)+Fp
					; SpiInit(x,x,x,x)+1Cp	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_READ_REGISTER_ULONG@4 ; READ_REGISTER_ULONG(x)
_ReadRegister32@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ReadRegister8(x)
_ReadRegister8@4 proc near		; CODE XREF: ReadRegisterWithIndex8+16p
					; DATA XREF: .data:off_6B3898o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_READ_REGISTER_UCHAR@4 ; READ_REGISTER_UCHAR(x)
_ReadRegister8@4 endp


;  S U B	R O U T	I N E 


; __stdcall WritePort16(x, x)
_WritePort16@8	proc near		; CODE XREF: WritePortWithIndex16+1Bp
					; DATA XREF: .data:off_6B388Co
		jmp	ds:__imp__WRITE_PORT_USHORT@8 ;	WRITE_PORT_USHORT(x,x)
_WritePort16@8	endp


;  S U B	R O U T	I N E 


; __stdcall WritePort32(x, x)
_WritePort32@8	proc near		; CODE XREF: WritePortWithIndex32+1Bp
					; DATA XREF: .data:off_6B3894o
		jmp	ds:__imp__WRITE_PORT_ULONG@8 ; WRITE_PORT_ULONG(x,x)
_WritePort32@8	endp


;  S U B	R O U T	I N E 


; __stdcall WritePort8(x, x)
_WritePort8@8	proc near		; CODE XREF: WritePortWithIndex8+19p
					; DATA XREF: .data:off_6B3884o
		jmp	ds:__imp__WRITE_PORT_UCHAR@8 ; WRITE_PORT_UCHAR(x,x)
_WritePort8@8	endp


;  S U B	R O U T	I N E 


; __stdcall WriteRegister16(x, x)
_WriteRegister16@8 proc	near		; CODE XREF: WriteRegisterWithIndex16+1Bp
					; DATA XREF: .data:off_6B38A4o
		jmp	_WRITE_REGISTER_USHORT@8 ; WRITE_REGISTER_USHORT(x,x)
_WriteRegister16@8 endp


;  S U B	R O U T	I N E 


; __stdcall WriteRegister32(x, x)
_WriteRegister32@8 proc	near		; CODE XREF: SpiInit(x,x,x,x)+42p
					; SpiInit(x,x,x,x)+50p	...
		jmp	_WRITE_REGISTER_ULONG@8	; WRITE_REGISTER_ULONG(x,x)
_WriteRegister32@8 endp


;  S U B	R O U T	I N E 


; __stdcall WriteRegister8(x, x)
_WriteRegister8@8 proc near		; CODE XREF: WriteRegisterWithIndex8+19p
					; DATA XREF: .data:off_6B389Co
		jmp	_WRITE_REGISTER_UCHAR@8	; WRITE_REGISTER_UCHAR(x,x)
_WriteRegister8@8 endp


;  S U B	R O U T	I N E 


; __stdcall TriageGetLoaderEntry(x, x)
_TriageGetLoaderEntry@8	proc near	; CODE XREF: VfTriageAddDrivers(x)+69p
					; ViTriageSameDriversFromDump(x,x)+4Cp
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_TriagepVerifyDump@4 ; TriagepVerifyDump(x)
		test	al, al
		jz	short loc_69EAA2
		mov	ecx, ds:_TriageImagePageSize
		cmp	esi, [ecx+edi+34h]
		jnb	short loc_69EAA2
		lfence	eax
		mov	ecx, [ecx+edi+30h]
		imul	eax, esi, 4Ch
		add	ecx, edi
		mov	edx, [eax+ecx]
		lea	esi, [eax+ecx]
		lea	eax, [esi+4]
		mov	cx, [edx+edi]
		add	cx, cx
		mov	[esi+30h], cx
		mov	[esi+32h], cx
		lea	ecx, [edi+4]
		add	ecx, edx
		mov	[esi+34h], ecx
		jmp	short loc_69EAA4
; 

loc_69EAA2:				; CODE XREF: TriageGetLoaderEntry(x,x)+Fj
					; TriageGetLoaderEntry(x,x)+1Bj
		xor	eax, eax

loc_69EAA4:				; CODE XREF: TriageGetLoaderEntry(x,x)+49j
		pop	edi
		pop	esi
		retn
_TriageGetLoaderEntry@8	endp


;  S U B	R O U T	I N E 


; __stdcall TriageGetMmInformation(x)
_TriageGetMmInformation@4 proc near	; CODE XREF: MmTriageActiveInLastCrash(x)+3Ep
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_TriagepVerifyDump@4 ; TriagepVerifyDump(x)
		test	al, al
		jz	short loc_69EAC5
		mov	eax, ds:_TriageImagePageSize
		add	eax, esi
		jz	short loc_69EAC5
		mov	eax, [eax+14h]
		add	eax, esi
		pop	esi
		retn
; 

loc_69EAC5:				; CODE XREF: TriageGetMmInformation(x)+Cj
					; TriageGetMmInformation(x)+15j
		xor	eax, eax
		pop	esi
		retn
_TriageGetMmInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtReplacePartitionUnit(x, x, x)
_NtReplacePartitionUnit@12 proc	near	; DATA XREF: .text:00580D6Co

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	2Ch
		push	offset dword_6AAE98
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], ebx
		mov	edi, ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		cmp	al, 1
		jz	short loc_69EB07
		mov	esi, 0C0000022h

loc_69EB00:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+5Aj
					; NtReplacePartitionUnit(x,x,x)+70j ...
		mov	ecx, ebx
		jmp	loc_69ECF3
; 

loc_69EB07:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+30j
		push	1
		push	ds:dword_A949BC
		push	ds:_SeShutdownPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_69EB25
		mov	esi, 0C0000061h
		jmp	short loc_69EB00
; 

loc_69EB25:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+53j
		mov	eax, 80000000h
		cmp	[ebp+arg_8], eax
		jnz	short loc_69EB3B
		push	eax
		push	ebx
		push	ebx
		call	_IoReplacePartitionUnit@12 ; IoReplacePartitionUnit(x,x,x)
		mov	esi, eax
		jmp	short loc_69EB00
; 

loc_69EB3B:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+64j
		cmp	[ebp+arg_8], ebx
		jz	short loc_69EB47
		mov	esi, 0C00000F1h
		jmp	short loc_69EB00
; 

loc_69EB47:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+75j
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+arg_4]
		test	al, 3
		jz	short loc_69EB56

loc_69EB51:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+A6j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_69EB56:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+86j
		lea	edx, [eax+8]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_69EB67
		cmp	edx, eax
		jnb	short loc_69EB69

loc_69EB67:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+98j
		mov	[ecx], bl

loc_69EB69:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+9Cj
		mov	ecx, [ebp+arg_0]
		test	cl, 3
		jnz	short loc_69EB51
		lea	edx, [ecx+8]
		mov	esi, ds:_MmUserProbeAddress
		cmp	edx, esi
		ja	short loc_69EB82
		cmp	edx, ecx
		jnb	short loc_69EB84

loc_69EB82:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+B3j
		mov	[esi], bl

loc_69EB84:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+B7j
		mov	edx, [eax]
		mov	[ebp+arg_8], edx
		mov	[ebp+var_3C], edx
		mov	esi, [eax+4]
		mov	[ebp+var_38], esi
		mov	edx, [ecx]
		mov	[ebp+var_34], edx
		mov	eax, [ecx+4]
		mov	[ebp+var_30], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	dx, dx
		jz	loc_69ECC8
		mov	ecx, 0C9h
		cmp	dx, cx
		ja	loc_69ECC8
		shr	edx, 10h
		test	dl, 1
		jnz	loc_69ECC8
		mov	ax, word ptr [ebp+var_3C]
		test	ax, ax
		jz	loc_69ECBE
		cmp	ax, cx
		ja	loc_69ECBE
		mov	ecx, [ebp+arg_8]
		shr	ecx, 10h
		test	cl, 1
		jnz	loc_69ECBE
		push	1
		push	1
		push	2
		movzx	eax, ax
		push	eax
		mov	edx, esi
		lea	ecx, [ebp+var_1C]
		call	PiControlMakeUserModeCallersCopy
		mov	esi, eax
		test	esi, esi
		js	loc_69EB00
		push	1
		push	1
		push	2
		movzx	eax, word ptr [ebp+var_34]
		push	eax
		mov	edx, [ebp+var_30]
		lea	ecx, [ebp+var_20]
		call	PiControlMakeUserModeCallersCopy
		mov	esi, eax
		test	esi, esi
		js	loc_69EB00
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_38], eax
		mov	ax, word ptr [ebp+var_3C]
		mov	word ptr [ebp+var_3C+2], ax
		mov	eax, [ebp+var_20]
		mov	[ebp+var_30], eax
		mov	ax, word ptr [ebp+var_34]
		mov	word ptr [ebp+var_34+2], ax
		mov	edx, 746C6644h
		lea	ecx, [ebp+var_3C]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	esi, eax
		mov	[ebp+arg_8], esi
		test	esi, esi
		jz	short loc_69ECB4
		mov	ecx, [esi+0B0h]
		mov	eax, [ecx+14h]
		test	eax, eax
		jz	short loc_69ECB4
		test	dword ptr [eax+10Ch], 20000h
		jnz	short loc_69ECB4
		mov	edx, 746C6644h
		lea	ecx, [ebp+var_34]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_69ECAD
		mov	ecx, [edi+0B0h]
		mov	eax, [ecx+14h]
		test	eax, eax
		jz	short loc_69ECAD
		test	dword ptr [eax+10Ch], 20000h
		jnz	short loc_69ECAD
		push	ebx
		push	esi
		push	edi
		call	_IoReplacePartitionUnit@12 ; IoReplacePartitionUnit(x,x,x)
		mov	esi, eax
		jmp	short loc_69ECB9
; 

loc_69ECAD:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+1BDj
					; NtReplacePartitionUnit(x,x,x)+1CAj ...
		mov	esi, 0C00000EFh
		jmp	short loc_69ECB9
; 

loc_69ECB4:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+191j
					; NtReplacePartitionUnit(x,x,x)+19Ej ...
		mov	esi, 0C00000F0h

loc_69ECB9:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+1E2j
					; NtReplacePartitionUnit(x,x,x)+1E9j
		mov	ecx, [ebp+arg_8]
		jmp	short loc_69ECF3
; 

loc_69ECBE:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+105j
					; NtReplacePartitionUnit(x,x,x)+10Ej ...
		mov	esi, 0C00000F0h
		jmp	loc_69EB00
; 

loc_69ECC8:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+DEj
					; NtReplacePartitionUnit(x,x,x)+ECj ...
		mov	esi, 0C00000EFh
		jmp	loc_69EB00
; 

loc_69ECD2:				; DATA XREF: .text:006AAEACo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_69ECE0:				; DATA XREF: .text:006AAEB0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_24]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	ecx, ebx
		mov	edi, ecx

loc_69ECF3:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+39j
					; NtReplacePartitionUnit(x,x,x)+1F3j
		test	ecx, ecx
		jz	short loc_69ECFC
		call	ObfDereferenceObject

loc_69ECFC:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+22Cj
		test	edi, edi
		jz	short loc_69ED07
		mov	ecx, edi
		call	ObfDereferenceObject

loc_69ED07:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+235j
		cmp	[ebp+var_1C], 0
		jz	short loc_69ED16
		push	ebx
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_69ED16:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+242j
		cmp	[ebp+var_20], 0
		jz	short loc_69ED25
		push	ebx
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_69ED25:				; CODE XREF: NtReplacePartitionUnit(x,x,x)+251j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_NtReplacePartitionUnit@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ke386SetDescriptorProcess(x, x, x, x)
_Ke386SetDescriptorProcess@16 proc near	; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+D6p
					; PsSetLdtEntries(x,x,x,x,x,x)+F1p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		movzx	eax, byte ptr [ecx+20h]
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0
		shr	edx, 3
		mov	[ebp+var_10], edx
		movzx	edx, byte ptr [ecx+23h]
		shl	edx, 8
		or	edx, eax
		mov	[ebp+var_1C], ecx
		movzx	eax, word ptr [ecx+1Eh]
		shl	edx, 10h
		or	edx, eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	offset _Ki386FlushTargetDescriptors@16 ; Ki386FlushTargetDescriptors(x,x,x,x)
		mov	[ebp+var_4], edx
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		leave
		retn	8
_Ke386SetDescriptorProcess@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ke386SetLdtProcess(x, x, x)
_Ke386SetLdtProcess@12 proc near	; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+114p
					; PsSetLdtEntries(x,x,x,x,x,x)+15Bp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		test	edx, edx
		jz	short loc_69EDD9
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_69EDD9
		dec	eax
		mov	word ptr [ebp+var_8+2],	dx
		mov	word ptr [ebp+var_8], ax
		mov	eax, edx
		shr	eax, 10h
		shr	edx, 18h
		mov	word ptr [ebp+var_4+1],	cx
		mov	byte ptr [ebp+var_4], al
		mov	byte ptr [ebp+var_4+3],	dl
		mov	ecx, [ebp+var_4]
		and	ecx, 0FFFF82FFh
		or	ecx, 8200h
		jmp	short loc_69EDE1
; 

loc_69EDD9:				; CODE XREF: Ke386SetLdtProcess(x,x,x)+1Bj
					; Ke386SetLdtProcess(x,x,x)+22j
		xor	eax, eax
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], eax

loc_69EDE1:				; CODE XREF: Ke386SetLdtProcess(x,x,x)+4Ej
		mov	eax, [ebp+var_8]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	offset _Ki386LoadTargetLdtr@16 ; Ki386LoadTargetLdtr(x,x,x,x)
		mov	[ebp+var_24], esi
		mov	[ebp+var_1C], ecx
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		pop	esi
		leave
		retn	4
_Ke386SetLdtProcess@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ki386FlushTargetDescriptors(x, x, x, x)
_Ki386FlushTargetDescriptors@16	proc near
					; DATA XREF: Ke386SetDescriptorProcess(x,x,x,x)+3Fo

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		call	_KiFlushDescriptors@0 ;	KiFlushDescriptors()
		and	[ebp+var_4], 0
		or	ebx, 0FFFFFFFFh
		mov	edi, [ebp+arg_C]
		mov	eax, ebx
		lock xadd [edi], eax
		dec	eax
		mov	esi, eax
		mov	ecx, 80000000h
		not	esi
		and	esi, ecx
		test	eax, 7FFFFFFFh
		jnz	short loc_69EE62
		mov	eax, [edi+4]
		mov	edx, [ebp+arg_4]
		or	eax, esi
		mov	[edi], eax
		mov	ecx, [edx+0Ch]
		mov	esi, [edx+18h]
		mov	eax, [edx+10h]
		mov	[esi+ecx*8], eax
		mov	eax, [edx+14h]
		mov	[esi+ecx*8+4], eax
		mov	ecx, 80000000h
		jmp	short loc_69EE6A
; 

loc_69EE55:				; CODE XREF: Ki386FlushTargetDescriptors(x,x,x,x)+68j
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	ecx, 80000000h

loc_69EE62:				; CODE XREF: Ki386FlushTargetDescriptors(x,x,x,x)+2Fj
		mov	eax, [edi]
		and	eax, ecx
		cmp	eax, esi
		jnz	short loc_69EE55

loc_69EE6A:				; CODE XREF: Ki386FlushTargetDescriptors(x,x,x,x)+53j
		lock xadd [edi], ebx
		dec	ebx
		mov	esi, ebx
		not	esi
		and	esi, ecx
		test	ebx, 7FFFFFFFh
		jnz	short loc_69EE86
		mov	eax, [edi+4]
		or	eax, esi
		mov	[edi], eax
		jmp	short loc_69EEA3
; 

loc_69EE86:				; CODE XREF: Ki386FlushTargetDescriptors(x,x,x,x)+7Bj
		mov	eax, [edi]
		and	[ebp+arg_C], 0
		and	eax, ecx
		jmp	short loc_69EE9F
; 

loc_69EE90:				; CODE XREF: Ki386FlushTargetDescriptors(x,x,x,x)+A1j
		lea	ecx, [ebp+arg_C]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		and	eax, 80000000h

loc_69EE9F:				; CODE XREF: Ki386FlushTargetDescriptors(x,x,x,x)+8Ej
		cmp	eax, esi
		jnz	short loc_69EE90

loc_69EEA3:				; CODE XREF: Ki386FlushTargetDescriptors(x,x,x,x)+84j
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_Ki386FlushTargetDescriptors@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ki386LoadTargetLdtr(x, x, x, x)
_Ki386LoadTargetLdtr@16	proc near	; DATA XREF: Ke386SetLdtProcess(x,x,x)+62o

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		or	ebx, 0FFFFFFFFh
		push	edi
		mov	eax, ebx
		lock xadd [esi], eax
		dec	eax
		mov	edi, eax
		mov	ecx, 80000000h
		not	edi
		and	edi, ecx
		test	eax, 7FFFFFFFh
		jnz	short loc_69EF08
		mov	eax, [esi+4]
		mov	ecx, [ebp+arg_4]
		or	eax, edi
		mov	[esi], eax
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		mov	[edx+1Ch], eax
		mov	eax, [ecx+8]
		mov	ecx, 80000000h
		mov	[edx+20h], eax
		jmp	short loc_69EF10
; 

loc_69EEFB:				; CODE XREF: Ki386LoadTargetLdtr(x,x,x,x)+5Ej
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	ecx, 80000000h

loc_69EF08:				; CODE XREF: Ki386LoadTargetLdtr(x,x,x,x)+2Aj
		mov	eax, [esi]
		and	eax, ecx
		cmp	eax, edi
		jnz	short loc_69EEFB

loc_69EF10:				; CODE XREF: Ki386LoadTargetLdtr(x,x,x,x)+49j
		lock xadd [esi], ebx
		dec	ebx
		mov	edi, ebx
		not	edi
		and	edi, ecx
		test	ebx, 7FFFFFFFh
		jnz	short loc_69EF2C
		mov	eax, [esi+4]
		or	eax, edi
		mov	[esi], eax
		jmp	short loc_69EF49
; 

loc_69EF2C:				; CODE XREF: Ki386LoadTargetLdtr(x,x,x,x)+71j
		mov	eax, [esi]
		and	[ebp+arg_C], 0
		and	eax, ecx
		jmp	short loc_69EF45
; 

loc_69EF36:				; CODE XREF: Ki386LoadTargetLdtr(x,x,x,x)+97j
		lea	ecx, [ebp+arg_C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		and	eax, 80000000h

loc_69EF45:				; CODE XREF: Ki386LoadTargetLdtr(x,x,x,x)+84j
		cmp	eax, edi
		jnz	short loc_69EF36

loc_69EF49:				; CODE XREF: Ki386LoadTargetLdtr(x,x,x,x)+7Aj
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	@KiLoadLdtr@4	; KiLoadLdtr(x)
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_Ki386LoadTargetLdtr@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ke386SetVdmInterruptHandler(x, x, x, x, x)
_Ke386SetVdmInterruptHandler@20	proc near ; CODE XREF: NtVdmControl(x,x)+165p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		push	edi
		cmp	esi, ds:_MmHighestUserAddress
		jnb	short loc_69EFE0
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+arg_4]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	_Ki386GetSelectorParameters@16 ; Ki386GetSelectorParameters(x,x,x,x)
		test	al, al
		jz	short loc_69EFE0
		mov	word ptr [ebp+var_C], si
		or	edi, 7
		shr	esi, 10h
		mov	eax, 0EF00h
		cmp	[ebp+arg_8], 0
		mov	word ptr [ebp+var_C+2],	di
		mov	word ptr [ebp+var_8+2],	si
		jnz	short loc_69EFBB
		mov	eax, 0E700h

loc_69EFBB:				; CODE XREF: Ke386SetVdmInterruptHandler(x,x,x,x,x)+4Cj
		mov	word ptr [ebp+var_8], ax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	offset _Ki386LoadTargetInt21Entry@16 ; Ki386LoadTargetInt21Entry(x,x,x,x)
		mov	[ebp+var_10], ebx
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		xor	eax, eax
		jmp	short loc_69EFE5
; 

loc_69EFE0:				; CODE XREF: Ke386SetVdmInterruptHandler(x,x,x,x,x)+16j
					; Ke386SetVdmInterruptHandler(x,x,x,x,x)+2Fj
		mov	eax, 0C000000Dh

loc_69EFE5:				; CODE XREF: Ke386SetVdmInterruptHandler(x,x,x,x,x)+76j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_Ke386SetVdmInterruptHandler@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ki386LoadTargetInt21Entry(x, x, x, x)
_Ki386LoadTargetInt21Entry@16 proc near	; DATA XREF: Ke386SetVdmInterruptHandler(x,x,x,x,x)+67o

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		or	ebx, 0FFFFFFFFh
		push	edi
		mov	eax, ebx
		lock xadd [esi], eax
		dec	eax
		mov	edi, eax
		mov	ecx, 80000000h
		not	edi
		and	edi, ecx
		test	eax, 7FFFFFFFh
		jnz	short loc_69F044
		mov	eax, [esi+4]
		mov	ecx, [ebp+arg_4]
		or	eax, edi
		mov	[esi], eax
		mov	edx, [ecx+8]
		mov	eax, [ecx]
		mov	[edx+24h], eax
		mov	eax, [ecx+4]
		mov	ecx, 80000000h
		mov	[edx+28h], eax
		jmp	short loc_69F04C
; 

loc_69F037:				; CODE XREF: Ki386LoadTargetInt21Entry(x,x,x,x)+5Ej
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	ecx, 80000000h

loc_69F044:				; CODE XREF: Ki386LoadTargetInt21Entry(x,x,x,x)+2Aj
		mov	eax, [esi]
		and	eax, ecx
		cmp	eax, edi
		jnz	short loc_69F037

loc_69F04C:				; CODE XREF: Ki386LoadTargetInt21Entry(x,x,x,x)+49j
		lock xadd [esi], ebx
		dec	ebx
		mov	edi, ebx
		not	edi
		and	edi, ecx
		test	ebx, 7FFFFFFFh
		jnz	short loc_69F068
		mov	eax, [esi+4]
		or	eax, edi
		mov	[esi], eax
		jmp	short loc_69F085
; 

loc_69F068:				; CODE XREF: Ki386LoadTargetInt21Entry(x,x,x,x)+71j
		mov	eax, [esi]
		and	[ebp+arg_C], 0
		and	eax, ecx
		jmp	short loc_69F081
; 

loc_69F072:				; CODE XREF: Ki386LoadTargetInt21Entry(x,x,x,x)+97j
		lea	ecx, [ebp+arg_C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		and	eax, 80000000h

loc_69F081:				; CODE XREF: Ki386LoadTargetInt21Entry(x,x,x,x)+84j
		cmp	eax, edi
		jnz	short loc_69F072

loc_69F085:				; CODE XREF: Ki386LoadTargetInt21Entry(x,x,x,x)+7Aj
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		mov	eax, large fs:1Ch
		mov	ecx, [eax+38h]
		mov	eax, [edx+24h]
		mov	[ecx+108h], eax
		mov	eax, [edx+28h]
		mov	[ecx+10Ch], eax
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_Ki386LoadTargetInt21Entry@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KevSkipVerification()
_KevSkipVerification@0 proc near	; CODE XREF: ExFreePoolSanityChecks(x)+9p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jb	loc_69F156
		mov	esi, large fs:20h
		mov	[ebp+var_8], esi
		mov	al, [esi+223Ah]
		test	al, al
		jz	short loc_69F156
		test	byte ptr [esi+223Ch], 8
		jz	short loc_69F156
		mov	ecx, ds:0FFDF000Ch
		mov	edx, ds:0FFDF0008h
		mov	[ebp+var_4], edi
		cmp	ecx, ds:0FFDF0010h
		jz	short loc_69F12A
		mov	edi, 0FFDF000Ch
		push	ebx
		lea	ebx, [edi-4]
		lea	esi, [edi+4]

loc_69F116:				; CODE XREF: KevSkipVerification()+6Bj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	ecx, [edi]
		mov	edx, [ebx]
		cmp	ecx, [esi]
		jnz	short loc_69F116
		mov	esi, [ebp+var_8]
		pop	ebx

loc_69F12A:				; CODE XREF: KevSkipVerification()+4Fj
		cmp	ds:_KiSerializeTimerExpiration,	0
		jz	short loc_69F140
		mov	eax, ds:_KiProcessorBlock
		mov	eax, [eax+3AA8h]
		jmp	short loc_69F146
; 

loc_69F140:				; CODE XREF: KevSkipVerification()+78j
		mov	eax, [esi+3AA8h]

loc_69F146:				; CODE XREF: KevSkipVerification()+85j
		shrd	edx, ecx, 12h
		add	eax, 64h
		cmp	eax, edx
		jnb	short loc_69F156
		xor	eax, eax
		inc	eax
		jmp	short loc_69F158
; 

loc_69F156:				; CODE XREF: KevSkipVerification()+17j
					; KevSkipVerification()+2Fj ...
		xor	eax, eax

loc_69F158:				; CODE XREF: KevSkipVerification()+9Bj
		pop	edi
		pop	esi
		leave
		retn
_KevSkipVerification@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall XpressDecode(x, x, x, x, x,	x)
_XpressDecode@24 proc near		; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+187p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		test	esi, esi
		jz	loc_69F248
		cmp	dword ptr [esi+38h], 35DEC0DEh
		jnz	loc_69F248
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+arg_0]
		mov	edi, [ebp+arg_4]
		cmp	ecx, eax
		jz	loc_69F244
		jg	loc_69F248
		test	ecx, ecx
		js	loc_69F248
		cmp	eax, 8
		jle	loc_69F248
		cmp	ecx, 8
		jl	loc_69F248
		cmp	eax, 10000h
		jg	loc_69F244
		test	edi, edi
		jle	loc_69F244
		mov	edx, [ebp+arg_8]
		add	eax, ebx
		add	edx, ecx
		mov	[esi], eax
		lea	eax, [ebx+edi]
		mov	[esi+4], ebx
		mov	[esi+0Ch], eax
		mov	[esi+14h], edx
		lea	ecx, [edx-1]
		mov	[esi+8], ebx
		lea	eax, [edx-3]
		mov	[esi+20h], ecx
		mov	[esi+28h], ecx
		lea	ecx, [ebx+edi]
		mov	[esi+24h], eax
		mov	eax, ecx
		sub	eax, ebx
		cmp	eax, 108h
		jbe	short loc_69F1FF
		lea	eax, [ecx-108h]
		mov	[esi+8], eax

loc_69F1FF:				; CODE XREF: XpressDecode(x,x,x,x,x,x)+98j
		mov	ecx, [esi+18h]
		mov	eax, edx
		sub	eax, ecx
		mov	[esi+1Ch], ecx
		cmp	eax, 0E8h
		jbe	short loc_69F219
		lea	eax, [edx-0E8h]
		mov	[esi+1Ch], eax

loc_69F219:				; CODE XREF: XpressDecode(x,x,x,x,x,x)+B2j
		mov	eax, [ebp+arg_8]
		xor	ebx, ebx
		mov	ecx, esi
		mov	[esi+18h], eax
		mov	[esi+30h], ebx
		mov	[esi+34h], ebx
		call	do_decode
		cmp	[esi+30h], ebx
		jz	short loc_69F248
		mov	eax, [esi+0Ch]
		cmp	[esi+10h], eax
		ja	short loc_69F248
		cmp	eax, [esi]
		jnz	short loc_69F244
		cmp	[esi+34h], ebx
		jz	short loc_69F248

loc_69F244:				; CODE XREF: XpressDecode(x,x,x,x,x,x)+2Cj
					; XpressDecode(x,x,x,x,x,x)+57j ...
		mov	eax, edi
		jmp	short loc_69F24B
; 

loc_69F248:				; CODE XREF: XpressDecode(x,x,x,x,x,x)+Ej
					; XpressDecode(x,x,x,x,x,x)+1Bj ...
		or	eax, 0FFFFFFFFh

loc_69F24B:				; CODE XREF: XpressDecode(x,x,x,x,x,x)+EAj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_XpressDecode@24 endp


;  S U B	R O U T	I N E 


; __stdcall XpressDecodeClose(x, x, x)
_XpressDecodeClose@12 proc near		; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+1F7p
		test	ecx, ecx
		jz	short locret_69F26B
		cmp	dword ptr [ecx+38h], 35DEC0DEh
		jnz	short locret_69F26B
		and	dword ptr [ecx+38h], 0
		push	ecx
		push	0
		call	_CMFFreeFn@8	; CMFFreeFn(x,x)

locret_69F26B:				; CODE XREF: XpressDecodeClose(x,x,x)+2j
					; XpressDecodeClose(x,x,x)+Bj
		retn	4
_XpressDecodeClose@12 endp


;  S U B	R O U T	I N E 


; __stdcall XpressDecodeCreate(x, x)
_XpressDecodeCreate@8 proc near		; CODE XREF: CMFReadCompressedSegment(x,x,x,x):loc_A105A2p
		push	3Ch
		push	0
		call	_CMFAllocFn@8	; CMFAllocFn(x,x)
		test	eax, eax
		jz	short loc_69F283
		mov	dword ptr [eax+38h], 35DEC0DEh
		retn
; 

loc_69F283:				; CODE XREF: XpressDecodeCreate(x,x)+Bj
		xor	eax, eax
		retn
_XpressDecodeCreate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegValidateConfigNode(x, x)
_RtlpMuiRegValidateConfigNode@8	proc near ; CODE XREF: RtlpPopulateLanguageConfigList+9851Fp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= word ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		and	[ebp+var_10], 0
		or	eax, 0FFFFFFFFh
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_C], eax
		push	edi
		lea	eax, [ebp+var_10]
		mov	[ebp+var_14], ecx
		push	eax
		movzx	eax, word ptr [ebx]
		movzx	edx, word ptr [ebx+2]
		push	eax
		shr	edx, 0Eh
		call	_RtlpMuiRegGetInstalledLanguageIndex@16	; RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_69F3DF
		movsx	ecx, word ptr [ebp+var_10]
		mov	eax, 1000h
		imul	edi, ecx, 1Ch
		mov	ecx, [ebp+var_14]
		mov	ecx, [ecx+14h]
		add	edi, [ecx+0Ch]
		test	[edi], ax
		jz	short loc_69F2E2

loc_69F2D8:				; CODE XREF: RtlpMuiRegValidateConfigNode(x,x)+7Cj
					; RtlpMuiRegValidateConfigNode(x,x)+F1j
		mov	esi, 0C0000034h
		jmp	loc_69F3DF
; 

loc_69F2E2:				; CODE XREF: RtlpMuiRegValidateConfigNode(x,x)+50j
		xor	eax, eax
		xor	ecx, ecx
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], ecx

loc_69F2EC:				; CODE XREF: RtlpMuiRegValidateConfigNode(x,x)+147j
		mov	dx, [ebx+2]
		shr	dx, cl
		and	dl, 3
		mov	[ebp+var_2], dx
		jz	loc_69F3D5
		test	edi, edi
		jz	short loc_69F2D8
		and	[ebp+var_8], 0
		xor	ecx, ecx
		cwde
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], ecx
		movzx	eax, word ptr [ebx+eax*2+6]
		mov	[ebp+var_30], eax

loc_69F319:				; CODE XREF: RtlpMuiRegValidateConfigNode(x,x)+FBj
		mov	ax, [edi+8]
		and	[ebp+var_18], 0
		shr	ax, cl
		lea	ecx, [ebp+var_C]
		and	al, 3
		mov	byte ptr [ebp+var_2C], al
		mov	eax, [ebp+var_8]
		push	ecx
		cwde
		lea	ecx, [ebp+var_18]
		push	ecx
		mov	ecx, [ebp+var_14]
		movzx	eax, word ptr [edi+eax*2+0Ch]
		push	eax
		push	[ebp+var_2C]
		push	[ebp+var_30]
		call	_RtlpMuiRegConfigMatchesInstalled@28 ; RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)
		test	al, al
		jz	short loc_69F367
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_69F35E
		mov	ecx, 1000h
		test	[eax], cx
		jnz	short loc_69F367

loc_69F35E:				; CODE XREF: RtlpMuiRegValidateConfigNode(x,x)+CCj
		test	byte ptr [edi],	4
		jz	short loc_69F383
		test	eax, eax
		jnz	short loc_69F383

loc_69F367:				; CODE XREF: RtlpMuiRegValidateConfigNode(x,x)+C5j
					; RtlpMuiRegValidateConfigNode(x,x)+D6j
		mov	ecx, [ebp+var_1C]
		inc	[ebp+var_8]
		add	ecx, 2
		mov	[ebp+var_1C], ecx
		cmp	cx, 8
		jge	loc_69F2D8
		mov	dx, [ebp+var_2]
		jmp	short loc_69F319
; 

loc_69F383:				; CODE XREF: RtlpMuiRegValidateConfigNode(x,x)+DBj
					; RtlpMuiRegValidateConfigNode(x,x)+DFj
		mov	edi, eax
		or	eax, 0FFFFFFFFh
		cmp	word ptr [ebp+var_C], ax
		jz	short loc_69F3B9
		mov	eax, [ebp+var_20]
		push	3
		pop	edx
		push	2
		lea	ecx, [eax+eax]
		shl	dx, cl
		pop	eax
		not	dx
		shl	ax, cl
		and	dx, [ebx+2]
		mov	ecx, [ebp+var_20]
		or	dx, ax
		mov	eax, [ebp+var_C]
		mov	[ebx+2], dx
		mov	[ebx+ecx*2+6], ax

loc_69F3B9:				; CODE XREF: RtlpMuiRegValidateConfigNode(x,x)+106j
		mov	ecx, [ebp+var_28]
		mov	eax, [ebp+var_24]
		add	ecx, 2
		inc	eax
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], eax
		cmp	cx, 6
		jl	loc_69F2EC
		jmp	short loc_69F3DF
; 

loc_69F3D5:				; CODE XREF: RtlpMuiRegValidateConfigNode(x,x)+74j
		test	ax, ax
		jnz	short loc_69F3DF
		mov	esi, 0C0000001h

loc_69F3DF:				; CODE XREF: RtlpMuiRegValidateConfigNode(x,x)+32j
					; RtlpMuiRegValidateConfigNode(x,x)+57j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_RtlpMuiRegValidateConfigNode@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_SafeReallocBlob proc near		; CODE XREF: RtlpMuiRegResizeLanguageConfigList(x,x)+2Fp
					; RtlpMuiRegResizeLanguages(x,x)+30p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, ecx
		mov	[esp+18h+var_4], ebx
		mov	esi, edx
		mov	[esp+18h+var_8], ebx
		test	edi, edi
		jz	loc_69F4D3
		mov	eax, [ebp+arg_0]
		lea	ecx, [esp+18h+var_4]
		mul	[ebp+arg_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_69F4D3
		mov	edx, [esp+18h+var_4]
		lea	eax, [esp+18h+var_8]
		push	eax
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_69F4D3
		push	ebx
		push	ebx
		lea	ecx, [esp+20h+var_4]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_69F4D3
		mov	edx, [esp+18h+var_4]
		lea	eax, [esp+18h+var_8]
		mov	ecx, [esp+18h+var_8]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_69F4D3
		mov	ecx, [ebp+arg_10]
		mov	eax, [esp+18h+var_8]
		test	ecx, ecx
		jz	short loc_69F471
		mov	[ecx], eax

loc_69F471:				; CODE XREF: _SafeReallocBlob+87j
		test	eax, eax
		jz	short loc_69F4B6
		mov	eax, large fs:20h
		xor	ecx, ecx
		mov	edx, [esp+18h+var_8]
		inc	ecx
		push	ebx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	72746C6Dh
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jz	short loc_69F4D3
		push	[esp+18h+var_8]	; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_69F4B8
; 

loc_69F4B6:				; CODE XREF: _SafeReallocBlob+8Dj
		mov	esi, ebx

loc_69F4B8:				; CODE XREF: _SafeReallocBlob+CEj
		test	esi, esi
		jz	short loc_69F4D3
		push	dword ptr [edi]	; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, edi
		call	ExFreeHeapPool
		mov	eax, esi
		jmp	short loc_69F4D5
; 

loc_69F4D3:				; CODE XREF: _SafeReallocBlob+1Ej
					; _SafeReallocBlob+37j	...
		xor	eax, eax

loc_69F4D5:				; CODE XREF: _SafeReallocBlob+EBj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_SafeReallocBlob endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	LkmdTelInsertTriageDataBlock(size_t)
_LkmdTelInsertTriageDataBlock@12 proc near ; CODE XREF:	WheapReportLiveDump(x)+8Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		cmp	[ebp+arg_0], 0
		mov	[ebp+var_10], edx
		jnz	short loc_69F4F9
		mov	eax, 0C000000Dh
		jmp	locret_69F62A
; 

loc_69F4F9:				; CODE XREF: LkmdTelInsertTriageDataBlock(x,x,x)+Fj
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx]
		test	dword ptr [edi+0F8Ch], 800h
		jz	loc_69F620
		mov	ecx, [edi+1064h]
		test	ecx, ecx
		jz	loc_69F620
		mov	edx, [edi+1060h]
		mov	eax, ecx
		shl	eax, 4
		mov	ebx, 20000h
		add	eax, edx
		cmp	eax, ebx
		ja	loc_69F620
		xor	esi, esi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], esi
		mov	ebx, esi
		test	ecx, ecx
		jz	short loc_69F58C
		lea	eax, [edi+0Ch]
		add	eax, edx
		mov	[ebp+var_4], eax

loc_69F54C:				; CODE XREF: LkmdTelInsertTriageDataBlock(x,x,x)+ACj
		mov	edx, [eax-4]
		lea	eax, [edx+7]
		and	eax, 0FFFFFFF8h
		cmp	edx, eax
		jnz	loc_69F620
		mov	eax, [ebp+var_4]
		mov	eax, [eax]
		add	eax, 7
		add	eax, edx
		and	eax, 0FFFFFFF8h
		cmp	edx, [ebp+var_8]
		jnb	short loc_69F572
		mov	[ebp+var_8], edx

loc_69F572:				; CODE XREF: LkmdTelInsertTriageDataBlock(x,x,x)+8Fj
		cmp	eax, ebx
		jbe	short loc_69F578
		mov	ebx, eax

loc_69F578:				; CODE XREF: LkmdTelInsertTriageDataBlock(x,x,x)+96j
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_C]
		add	eax, 10h
		inc	edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], edx
		cmp	edx, ecx
		jb	short loc_69F54C

loc_69F58C:				; CODE XREF: LkmdTelInsertTriageDataBlock(x,x,x)+64j
		mov	ecx, 1FFFCh
		sub	ecx, ebx
		cmp	ecx, 20000h
		jnb	short loc_69F619
		mov	eax, [ebp+arg_0]
		add	eax, 7
		and	eax, 0FFFFFFF8h
		add	eax, 10h
		cmp	eax, ecx
		ja	short loc_69F619
		mov	edx, [ebp+var_8]
		mov	eax, ebx
		sub	eax, edx
		push	eax		; size_t
		lea	ecx, [edx+edi]
		push	ecx		; void *
		lea	eax, [ecx+10h]
		push	eax		; void *
		call	_memmove
		mov	ecx, [edi+1060h]
		add	esp, 0Ch
		mov	edx, [edi+1064h]
		add	ecx, edi
		mov	eax, esi
		test	edx, edx
		jz	short loc_69F5E9

loc_69F5D7:				; CODE XREF: LkmdTelInsertTriageDataBlock(x,x,x)+109j
		add	dword ptr [ecx+8], 10h
		add	ecx, 10h
		mov	edx, [edi+1064h]
		inc	eax
		cmp	eax, edx
		jb	short loc_69F5D7

loc_69F5E9:				; CODE XREF: LkmdTelInsertTriageDataBlock(x,x,x)+F7j
		lea	eax, [edx+1]
		add	ebx, 10h
		mov	[edi+1064h], eax
		mov	eax, [ebp+var_10]
		cdq
		mov	[ecx], eax
		mov	eax, [ebp+arg_0]
		push	eax		; size_t
		push	[ebp+var_10]	; void *
		mov	[ecx+0Ch], eax
		lea	eax, [ebx+edi]
		push	eax		; void *
		mov	[ecx+4], edx
		mov	[ecx+8], ebx
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_69F625
; 

loc_69F619:				; CODE XREF: LkmdTelInsertTriageDataBlock(x,x,x)+BBj
					; LkmdTelInsertTriageDataBlock(x,x,x)+CBj
		mov	esi, 0C0000023h
		jmp	short loc_69F625
; 

loc_69F620:				; CODE XREF: LkmdTelInsertTriageDataBlock(x,x,x)+2Aj
					; LkmdTelInsertTriageDataBlock(x,x,x)+38j ...
		mov	esi, 0C000000Dh

loc_69F625:				; CODE XREF: LkmdTelInsertTriageDataBlock(x,x,x)+139j
					; LkmdTelInsertTriageDataBlock(x,x,x)+140j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx

locret_69F62A:				; CODE XREF: LkmdTelInsertTriageDataBlock(x,x,x)+16j
		leave
		retn	4
_LkmdTelInsertTriageDataBlock@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Uart16550GetByte(x,	x)
_Uart16550GetByte@8 proc near		; DATA XREF: .data:006B38C0o
					; .data:006B38D4o ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	short loc_69F6B6
		cmp	dword ptr [esi], 0
		jz	short loc_69F6B6
		push	5
		push	esi
		call	dword ptr [esi+0Ch]
		cmp	al, 0FFh
		jz	short loc_69F6B6
		xor	ebx, ebx
		inc	ebx
		test	al, bl
		jz	short loc_69F67C
		test	al, 0Eh
		jnz	short loc_69F678
		push	0
		push	esi
		call	dword ptr [esi+0Ch]
		test	byte ptr [esi+8], 4
		mov	bl, al
		jz	short loc_69F66F
		push	6
		push	esi
		call	dword ptr [esi+0Ch]
		test	al, al
		jns	short loc_69F6AF

loc_69F66F:				; CODE XREF: Uart16550GetByte(x,x)+35j
		mov	eax, [ebp+arg_4]
		mov	[eax], bl
		xor	eax, eax
		jmp	short loc_69F6B9
; 

loc_69F678:				; CODE XREF: Uart16550GetByte(x,x)+27j
		push	2
		jmp	short loc_69F6B8
; 

loc_69F67C:				; CODE XREF: Uart16550GetByte(x,x)+23j
		push	6
		push	esi
		call	dword ptr [esi+0Ch]
		movzx	edi, word ptr [esi+8]
		and	al, 40h
		setz	dl
		bt	di, bx
		setb	cl
		test	dl, cl
		jnz	short loc_69F6A6
		test	al, al
		setnz	dl
		bt	di, bx
		setnb	cl
		test	dl, cl
		jz	short loc_69F6B2

loc_69F6A6:				; CODE XREF: Uart16550GetByte(x,x)+66j
		or	edi, 4
		mov	[esi+8], di
		jmp	short loc_69F6B2
; 

loc_69F6AF:				; CODE XREF: Uart16550GetByte(x,x)+3Fj
		xor	ebx, ebx
		inc	ebx

loc_69F6B2:				; CODE XREF: Uart16550GetByte(x,x)+76j
					; Uart16550GetByte(x,x)+7Fj
		mov	eax, ebx
		jmp	short loc_69F6B9
; 

loc_69F6B6:				; CODE XREF: Uart16550GetByte(x,x)+Dj
					; Uart16550GetByte(x,x)+12j ...
		push	3

loc_69F6B8:				; CODE XREF: Uart16550GetByte(x,x)+4Cj
		pop	eax

loc_69F6B9:				; CODE XREF: Uart16550GetByte(x,x)+48j
					; Uart16550GetByte(x,x)+86j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_Uart16550GetByte@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Uart16550InitializePort(x, x, x, x,	x)
_Uart16550InitializePort@20 proc near	; DATA XREF: .data:_Uart16550HardwareDrivero

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		push	8
		push	1
		push	[ebp+arg_8]
		mov	[edx+8], ax
		call	_Uart16550InitializePortCommon@20 ; Uart16550InitializePortCommon(x,x,x,x,x)
		pop	ebp
		retn	14h
_Uart16550InitializePort@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Uart16550InitializePortCommon(x, x,	x, x, x)
_Uart16550InitializePortCommon@20 proc near
					; CODE XREF: Uart16550InitializePort(x,x,x,x,x)+15p
					; Uart16550LegacyInitializePort(x,x,x,x,x)+4Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	[ebp+arg_8]
		mov	esi, edx
		mov	dl, byte ptr [ebp+arg_0]
		push	[ebp+arg_4]
		mov	ecx, esi
		call	_UartpSetAccess@16 ; UartpSetAccess(x,x,x,x)
		push	3
		push	esi
		call	dword ptr [esi+0Ch]
		and	al, 7Fh
		mov	byte ptr [ebp+arg_0], al
		push	[ebp+arg_0]
		push	3
		push	esi
		call	dword ptr [esi+10h]
		push	0
		push	1
		push	esi
		call	dword ptr [esi+10h]
		push	6
		push	2
		pop	edi
		push	edi
		push	esi
		call	dword ptr [esi+10h]
		test	byte ptr [esi+8], 1
		jnz	short loc_69F72E
		mov	edx, [esi+4]
		push	ecx
		mov	ecx, esi
		call	_Uart16550SetBaudCommon@12 ; Uart16550SetBaudCommon(x,x,x)

loc_69F72E:				; CODE XREF: Uart16550InitializePortCommon(x,x,x,x,x)+43j
		push	1
		push	edi
		push	esi
		call	dword ptr [esi+10h]
		push	3
		push	4
		push	esi
		call	dword ptr [esi+10h]
		push	6
		push	esi
		call	dword ptr [esi+0Ch]
		test	al, 40h
		jz	short loc_69F74B
		or	[esi+8], di

loc_69F74B:				; CODE XREF: Uart16550InitializePortCommon(x,x,x,x,x)+67j
		pop	edi
		mov	al, 1
		pop	esi
		pop	ebp
		retn	0Ch
_Uart16550InitializePortCommon@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Uart16550LegacyInitializePort(x, x,	x, x, x)
_Uart16550LegacyInitializePort@20 proc near ; DATA XREF: .data:_Legacy16550HardwareDrivero

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	eax, [edx]
		sub	eax, 1
		jz	short loc_69F78D
		sub	eax, 1
		jz	short loc_69F785
		sub	eax, 1
		jz	short loc_69F77D
		sub	eax, 1
		jz	short loc_69F775
		xor	al, al
		jmp	short loc_69F7A3
; 

loc_69F775:				; CODE XREF: Uart16550LegacyInitializePort(x,x,x,x,x)+1Cj
		mov	dword ptr [edx], 2E8h
		jmp	short loc_69F793
; 

loc_69F77D:				; CODE XREF: Uart16550LegacyInitializePort(x,x,x,x,x)+17j
		mov	dword ptr [edx], 3E8h
		jmp	short loc_69F793
; 

loc_69F785:				; CODE XREF: Uart16550LegacyInitializePort(x,x,x,x,x)+12j
		mov	dword ptr [edx], 2F8h
		jmp	short loc_69F793
; 

loc_69F78D:				; CODE XREF: Uart16550LegacyInitializePort(x,x,x,x,x)+Dj
		mov	dword ptr [edx], 3F8h

loc_69F793:				; CODE XREF: Uart16550LegacyInitializePort(x,x,x,x,x)+28j
					; Uart16550LegacyInitializePort(x,x,x,x,x)+30j	...
		push	8
		xor	eax, eax
		push	1
		push	eax
		mov	[edx+8], ax
		call	_Uart16550InitializePortCommon@20 ; Uart16550InitializePortCommon(x,x,x,x,x)

loc_69F7A3:				; CODE XREF: Uart16550LegacyInitializePort(x,x,x,x,x)+20j
		pop	ebp
		retn	14h
_Uart16550LegacyInitializePort@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Uart16550MmInitializePort(x, x, x, x, x)
_Uart16550MmInitializePort@20 proc near	; DATA XREF: .data:_MM16550HardwareDrivero

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		push	[ebp+arg_C]
		inc	eax
		push	[ebp+arg_8]
		mov	[edx+8], ax
		call	_Uart16550InitializePortCommon@20 ; Uart16550InitializePortCommon(x,x,x,x,x)
		pop	ebp
		retn	14h
_Uart16550MmInitializePort@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Uart16550PutByte(x,	x, x)
_Uart16550PutByte@12 proc near		; DATA XREF: .data:006B38C4o
					; .data:006B38D8o ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	loc_69F883
		cmp	dword ptr [esi], 0
		jz	loc_69F883
		test	byte ptr [esi+8], 4
		jz	short loc_69F820
		push	6
		push	esi
		call	dword ptr [esi+0Ch]
		mov	dl, al
		mov	cl, dl
		and	cl, 0B0h
		cmp	cl, 0B0h
		jz	short loc_69F820

loc_69F7FC:				; CODE XREF: Uart16550PutByte(x,x,x)+56j
		test	dl, dl
		js	short loc_69F812
		push	5
		push	esi
		call	dword ptr [esi+0Ch]
		test	byte ptr [esi+8], 1
		jz	short loc_69F812
		push	0
		push	esi
		call	dword ptr [esi+0Ch]

loc_69F812:				; CODE XREF: Uart16550PutByte(x,x,x)+36j
					; Uart16550PutByte(x,x,x)+42j
		push	6
		push	esi
		call	dword ptr [esi+0Ch]
		mov	dl, al
		and	al, 0B0h
		cmp	al, 0B0h
		jnz	short loc_69F7FC

loc_69F820:				; CODE XREF: Uart16550PutByte(x,x,x)+20j
					; Uart16550PutByte(x,x,x)+32j
		push	5
		push	esi
		call	dword ptr [esi+0Ch]
		cmp	al, 0FFh
		jz	short loc_69F883
		test	al, 20h
		jnz	short loc_69F876
		mov	bl, [ebp+arg_8]

loc_69F831:				; CODE XREF: Uart16550PutByte(x,x,x)+ACj
		push	6
		push	esi
		call	dword ptr [esi+0Ch]
		movzx	edi, word ptr [esi+8]
		and	al, 40h
		setz	dl
		xor	ecx, ecx
		inc	ecx
		bt	di, cx
		setb	cl
		test	dl, cl
		jnz	short loc_69F861
		test	al, al
		setnz	cl
		xor	eax, eax
		inc	eax
		bt	di, ax
		setnb	al
		test	cl, al
		jz	short loc_69F868

loc_69F861:				; CODE XREF: Uart16550PutByte(x,x,x)+84j
		or	edi, 4
		mov	[esi+8], di

loc_69F868:				; CODE XREF: Uart16550PutByte(x,x,x)+97j
		test	bl, bl
		jz	short loc_69F883
		push	5
		push	esi
		call	dword ptr [esi+0Ch]
		test	al, 20h
		jz	short loc_69F831

loc_69F876:				; CODE XREF: Uart16550PutByte(x,x,x)+64j
		push	[ebp+arg_4]
		push	0
		push	esi
		call	dword ptr [esi+10h]
		xor	eax, eax
		jmp	short loc_69F886
; 

loc_69F883:				; CODE XREF: Uart16550PutByte(x,x,x)+Dj
					; Uart16550PutByte(x,x,x)+16j ...
		push	3
		pop	eax

loc_69F886:				; CODE XREF: Uart16550PutByte(x,x,x)+B9j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_Uart16550PutByte@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Uart16550RxReady(x)
_Uart16550RxReady@4 proc near		; DATA XREF: .data:006B38C8o
					; .data:006B38DCo ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_69F8B0
		cmp	dword ptr [eax], 0
		jz	short loc_69F8B0
		push	5
		push	eax
		call	dword ptr [eax+0Ch]
		cmp	al, 0FFh
		jz	short loc_69F8B0
		test	al, 1
		jz	short loc_69F8B0
		mov	al, 1
		jmp	short loc_69F8B2
; 

loc_69F8B0:				; CODE XREF: Uart16550RxReady(x)+Aj
					; Uart16550RxReady(x)+Fj ...
		xor	al, al

loc_69F8B2:				; CODE XREF: Uart16550RxReady(x)+21j
		pop	ebp
		retn	4
_Uart16550RxReady@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Uart16550SetBaud(x,	x)
_Uart16550SetBaud@8 proc near		; DATA XREF: .data:006B38BCo
					; .data:006B38D0o ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	byte ptr [ecx+8], 1
		jz	short loc_69F8C8
		xor	al, al
		jmp	short loc_69F8D1
; 

loc_69F8C8:				; CODE XREF: Uart16550SetBaud(x,x)+Cj
		mov	edx, [ebp+arg_4]
		push	ecx
		call	_Uart16550SetBaudCommon@12 ; Uart16550SetBaudCommon(x,x,x)

loc_69F8D1:				; CODE XREF: Uart16550SetBaud(x,x)+10j
		pop	ebp
		retn	8
_Uart16550SetBaud@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Uart16550SetBaudCommon(x, x, x)
_Uart16550SetBaudCommon@12 proc	near	; CODE XREF: Uart16550InitializePortCommon(x,x,x,x,x)+4Bp
					; Uart16550SetBaud(x,x)+16p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		test	edi, edi
		jz	short loc_69F931
		cmp	dword ptr [edi], 0
		jz	short loc_69F931
		test	ebx, ebx
		jz	short loc_69F931
		xor	edx, edx
		mov	eax, 1C200h
		div	ebx
		push	esi
		push	3
		push	edi
		mov	esi, eax
		call	dword ptr [edi+0Ch]
		or	al, 80h
		mov	byte ptr [ebp+var_4], al
		push	[ebp+var_4]
		push	3
		push	edi
		call	dword ptr [edi+10h]
		mov	eax, esi
		shr	eax, 8
		push	eax
		push	1
		push	edi
		call	dword ptr [edi+10h]
		push	esi
		push	0
		push	edi
		call	dword ptr [edi+10h]
		push	3
		push	3
		push	edi
		call	dword ptr [edi+10h]
		mov	[edi+4], ebx
		mov	al, 1
		pop	esi
		jmp	short loc_69F933
; 

loc_69F931:				; CODE XREF: Uart16550SetBaudCommon(x,x,x)+Ej
					; Uart16550SetBaudCommon(x,x,x)+13j ...
		xor	al, al

loc_69F933:				; CODE XREF: Uart16550SetBaudCommon(x,x,x)+5Aj
		pop	edi
		pop	ebx
		leave
		retn	4
_Uart16550SetBaudCommon@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SpiInit(x, x, x, x)
_SpiInit@16	proc near		; CODE XREF: SpiSend16(x,x)+13p

var_4		= dword	ptr -4
arg_4		= word ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+28h]

loc_69F947:				; CODE XREF: SpiInit(x,x,x,x)+19j
		push	edi
		call	ds:off_6B38A8	; ReadRegister32(x)
		and	al, 5
		cmp	al, 4
		jnz	short loc_69F947
		push	edi
		call	ds:off_6B38A8	; ReadRegister32(x)
		test	al, 8
		jz	short loc_69F974
		lea	ebx, [esi+60h]

loc_69F962:				; CODE XREF: SpiInit(x,x,x,x)+39j
		push	ebx
		call	ds:off_6B38A8	; ReadRegister32(x)
		push	edi
		call	ds:off_6B38A8	; ReadRegister32(x)
		test	al, 8
		jnz	short loc_69F962

loc_69F974:				; CODE XREF: SpiInit(x,x,x,x)+24j
		xor	ebx, ebx
		lea	eax, [esi+10h]
		push	ebx
		push	eax
		call	ds:off_6B38AC	; WriteRegister32(x,x)
		lea	edi, [esi+8]
		push	ebx
		push	edi
		mov	[ebp+var_4], edi
		call	ds:off_6B38AC	; WriteRegister32(x,x)
		push	0Fh
		push	esi
		call	ds:off_6B38AC	; WriteRegister32(x,x)
		push	ebx
		lea	eax, [esi+4]
		push	eax
		call	ds:off_6B38AC	; WriteRegister32(x,x)
		movzx	eax, [ebp+arg_4]
		push	eax
		lea	eax, [esi+14h]
		push	eax
		call	ds:off_6B38AC	; WriteRegister32(x,x)
		lea	eax, [esi+30h]
		lea	ebx, [esi+34h]
		mov	edi, eax

loc_69F9BA:				; CODE XREF: SpiInit(x,x,x,x)+98j
					; SpiInit(x,x,x,x)+9Dj
		push	ebx
		call	ds:off_6B38A8	; ReadRegister32(x)
		push	edi
		movzx	esi, ax
		call	ds:off_6B38A8	; ReadRegister32(x)
		movzx	eax, ax
		test	si, si
		jnz	short loc_69F9BA
		test	ax, ax
		jnz	short loc_69F9BA
		mov	edi, [ebp+var_4]
		push	1
		push	edi
		call	ds:off_6B38AC	; WriteRegister32(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SpiInit@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SpiMax311GetByte(x,	x)
_SpiMax311GetByte@8 proc near		; DATA XREF: .data:006B38FCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_69FA51
		cmp	dword ptr [ecx], 0
		jz	short loc_69FA51
		mov	eax, ds:dword_6CEAA4
		cmp	eax, ds:dword_6CEAA0
		jz	short loc_69FA28
		movzx	ecx, ds:word_6CEAAA[eax*2]
		mov	eax, [ebp+arg_4]
		mov	[eax], cl
		mov	eax, ds:dword_6CEAA4
		inc	eax
		and	eax, 3FFh
		mov	ds:dword_6CEAA4, eax
		jmp	short loc_69FA3C
; 

loc_69FA28:				; CODE XREF: SpiMax311GetByte(x,x)+1Cj
		xor	edx, edx
		call	_SpiSend16@8	; SpiSend16(x,x)
		movzx	ecx, ax
		test	cx, cx
		jns	short loc_69FA4C
		mov	eax, [ebp+arg_4]
		mov	[eax], cl

loc_69FA3C:				; CODE XREF: SpiMax311GetByte(x,x)+3Bj
		test	ecx, 400h
		jz	short loc_69FA48
		push	2
		jmp	short loc_69FA53
; 

loc_69FA48:				; CODE XREF: SpiMax311GetByte(x,x)+57j
		xor	eax, eax
		jmp	short loc_69FA54
; 

loc_69FA4C:				; CODE XREF: SpiMax311GetByte(x,x)+4Aj
		xor	eax, eax
		inc	eax
		jmp	short loc_69FA54
; 

loc_69FA51:				; CODE XREF: SpiMax311GetByte(x,x)+Aj
					; SpiMax311GetByte(x,x)+Fj
		push	3

loc_69FA53:				; CODE XREF: SpiMax311GetByte(x,x)+5Bj
		pop	eax

loc_69FA54:				; CODE XREF: SpiMax311GetByte(x,x)+5Fj
					; SpiMax311GetByte(x,x)+64j
		pop	ebp
		retn	8
_SpiMax311GetByte@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SpiMax311InitializePort(x, x, x, x,	x)
_SpiMax311InitializePort@20 proc near	; DATA XREF: .data:_SpiMax311HardwareDrivero

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		mov	[ecx+8], ax
		and	ds:dword_6CEAA4, eax
		and	ds:dword_6CEAA0, eax
		mov	eax, [ecx]
		mov	ax, [eax+14h]
		mov	ds:word_6CEAA8,	ax
		push	dword ptr [ecx+4]
		push	ecx
		call	_SpiMax311SetBaud@8 ; SpiMax311SetBaud(x,x)
		mov	al, 1
		pop	ebp
		retn	14h
_SpiMax311InitializePort@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SpiMax311PutByte(x,	x, x)
_SpiMax311PutByte@12 proc near		; DATA XREF: .data:006B3900o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_69FB03
		cmp	dword ptr [esi], 0
		jz	short loc_69FB03
		cmp	[ebp+arg_8], 0
		jz	short loc_69FAB2

loc_69FAA5:				; CODE XREF: SpiMax311PutByte(x,x,x)+21j
		mov	ecx, esi
		call	_SpiMax311TxEmpty@4 ; SpiMax311TxEmpty(x)
		test	al, al
		jz	short loc_69FAA5
		jmp	short loc_69FABD
; 

loc_69FAB2:				; CODE XREF: SpiMax311PutByte(x,x,x)+16j
		mov	ecx, esi
		call	_SpiMax311TxEmpty@4 ; SpiMax311TxEmpty(x)
		test	al, al
		jz	short loc_69FB03

loc_69FABD:				; CODE XREF: SpiMax311PutByte(x,x,x)+23j
		movzx	edx, [ebp+arg_4]
		mov	eax, 8000h
		or	dx, ax
		jmp	short loc_69FAF0
; 

loc_69FACB:				; CODE XREF: SpiMax311PutByte(x,x,x)+70j
		mov	edx, ds:dword_6CEAA0
		lea	eax, [edx+1]
		and	eax, 3FFh
		cmp	eax, ds:dword_6CEAA4
		jz	short loc_69FAEE
		mov	ds:word_6CEAAA[edx*2], cx
		mov	ds:dword_6CEAA0, eax

loc_69FAEE:				; CODE XREF: SpiMax311PutByte(x,x,x)+52j
		xor	edx, edx

loc_69FAF0:				; CODE XREF: SpiMax311PutByte(x,x,x)+3Cj
		mov	ecx, esi
		call	_SpiSend16@8	; SpiSend16(x,x)
		movzx	ecx, ax
		test	cx, cx
		js	short loc_69FACB
		xor	eax, eax
		jmp	short loc_69FB06
; 

loc_69FB03:				; CODE XREF: SpiMax311PutByte(x,x,x)+Bj
					; SpiMax311PutByte(x,x,x)+10j ...
		push	3
		pop	eax

loc_69FB06:				; CODE XREF: SpiMax311PutByte(x,x,x)+74j
		pop	esi
		pop	ebp
		retn	0Ch
_SpiMax311PutByte@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SpiMax311RxReady(x)
_SpiMax311RxReady@4 proc near		; DATA XREF: .data:006B3904o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_69FB64
		cmp	dword ptr [esi], 0
		jz	short loc_69FB64

loc_69FB1D:				; CODE XREF: SpiMax311RxReady(x)+37j
					; SpiMax311RxReady(x)+46j
		xor	edx, edx
		mov	ecx, esi
		call	_SpiSend16@8	; SpiSend16(x,x)
		movzx	edx, ax
		test	dx, dx
		jns	short loc_69FB53
		mov	ecx, ds:dword_6CEAA0
		lea	eax, [ecx+1]
		and	eax, 3FFh
		cmp	eax, ds:dword_6CEAA4
		jz	short loc_69FB1D
		mov	ds:word_6CEAAA[ecx*2], dx
		mov	ds:dword_6CEAA0, eax
		jmp	short loc_69FB1D
; 

loc_69FB53:				; CODE XREF: SpiMax311RxReady(x)+21j
		mov	eax, ds:dword_6CEAA0
		cmp	eax, ds:dword_6CEAA4
		jz	short loc_69FB64
		mov	al, 1
		jmp	short loc_69FB66
; 

loc_69FB64:				; CODE XREF: SpiMax311RxReady(x)+Bj
					; SpiMax311RxReady(x)+10j ...
		xor	al, al

loc_69FB66:				; CODE XREF: SpiMax311RxReady(x)+57j
		pop	esi
		pop	ebp
		retn	4
_SpiMax311RxReady@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SpiMax311SetBaud(x,	x)
_SpiMax311SetBaud@8 proc near		; CODE XREF: SpiMax311InitializePort(x,x,x,x,x)+2Ap
					; DATA XREF: .data:006B38F8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_69FCA7
		cmp	dword ptr [edi], 0
		jz	loc_69FCA7
		push	esi
		mov	esi, [ebp+arg_4]
		mov	eax, 3840h
		cmp	esi, eax
		ja	loc_69FC31
		jz	loc_69FC2A
		mov	eax, 0E10h
		cmp	esi, eax
		ja	short loc_69FBFD
		jz	short loc_69FBF3
		cmp	esi, 258h
		jz	short loc_69FBE9
		cmp	esi, 4B0h
		jz	short loc_69FBDF
		cmp	esi, 708h
		jz	short loc_69FBD5
		cmp	esi, 960h
		jnz	loc_69FC70
		mov	edx, 0C00Dh
		jmp	loc_69FC98
; 

loc_69FBD5:				; CODE XREF: SpiMax311SetBaud(x,x)+52j
		mov	edx, 0C007h
		jmp	loc_69FC98
; 

loc_69FBDF:				; CODE XREF: SpiMax311SetBaud(x,x)+4Aj
		mov	edx, 0C00Eh
		jmp	loc_69FC98
; 

loc_69FBE9:				; CODE XREF: SpiMax311SetBaud(x,x)+42j
		mov	edx, 0C00Fh
		jmp	loc_69FC98
; 

loc_69FBF3:				; CODE XREF: SpiMax311SetBaud(x,x)+3Aj
		mov	edx, 0C006h
		jmp	loc_69FC98
; 

loc_69FBFD:				; CODE XREF: SpiMax311SetBaud(x,x)+38j
		cmp	esi, 12C0h
		jz	short loc_69FC23
		cmp	esi, 1C20h
		jz	short loc_69FC1C
		cmp	esi, 2580h
		jnz	short loc_69FC70
		mov	edx, 0C00Bh
		jmp	short loc_69FC98
; 

loc_69FC1C:				; CODE XREF: SpiMax311SetBaud(x,x)+A0j
		mov	edx, 0C005h
		jmp	short loc_69FC98
; 

loc_69FC23:				; CODE XREF: SpiMax311SetBaud(x,x)+98j
		mov	edx, 0C00Ch
		jmp	short loc_69FC98
; 

loc_69FC2A:				; CODE XREF: SpiMax311SetBaud(x,x)+2Bj
		mov	edx, 0C004h
		jmp	short loc_69FC98
; 

loc_69FC31:				; CODE XREF: SpiMax311SetBaud(x,x)+25j
		cmp	esi, 4B00h
		jz	short loc_69FC93
		cmp	esi, 7080h
		jz	short loc_69FC8C
		cmp	esi, 9600h
		jz	short loc_69FC85
		cmp	esi, 0E100h
		jz	short loc_69FC7E
		cmp	esi, 12C00h
		jz	short loc_69FC77
		cmp	esi, 1C200h
		jz	short loc_69FC70
		cmp	esi, 38400h
		jnz	short loc_69FC70
		mov	edx, 0C000h
		jmp	short loc_69FC98
; 

loc_69FC70:				; CODE XREF: SpiMax311SetBaud(x,x)+5Aj
					; SpiMax311SetBaud(x,x)+A8j ...
		mov	edx, 0C001h
		jmp	short loc_69FC98
; 

loc_69FC77:				; CODE XREF: SpiMax311SetBaud(x,x)+ECj
		mov	edx, 0C008h
		jmp	short loc_69FC98
; 

loc_69FC7E:				; CODE XREF: SpiMax311SetBaud(x,x)+E4j
		mov	edx, 0C002h
		jmp	short loc_69FC98
; 

loc_69FC85:				; CODE XREF: SpiMax311SetBaud(x,x)+DCj
		mov	edx, 0C009h
		jmp	short loc_69FC98
; 

loc_69FC8C:				; CODE XREF: SpiMax311SetBaud(x,x)+D4j
		mov	edx, 0C003h
		jmp	short loc_69FC98
; 

loc_69FC93:				; CODE XREF: SpiMax311SetBaud(x,x)+CCj
		mov	edx, 0C00Ah

loc_69FC98:				; CODE XREF: SpiMax311SetBaud(x,x)+65j
					; SpiMax311SetBaud(x,x)+6Fj ...
		mov	ecx, edi
		call	_SpiSend16@8	; SpiSend16(x,x)
		mov	[edi+4], esi
		mov	al, 1
		pop	esi
		jmp	short loc_69FCA9
; 

loc_69FCA7:				; CODE XREF: SpiMax311SetBaud(x,x)+Bj
					; SpiMax311SetBaud(x,x)+14j
		xor	al, al

loc_69FCA9:				; CODE XREF: SpiMax311SetBaud(x,x)+13Aj
		pop	edi
		pop	ebp
		retn	8
_SpiMax311SetBaud@8 endp


;  S U B	R O U T	I N E 


; __stdcall SpiMax311TxEmpty(x)
_SpiMax311TxEmpty@4 proc near		; CODE XREF: SpiMax311PutByte(x,x,x)+1Ap
					; SpiMax311PutByte(x,x,x)+27p
		mov	edi, edi
		push	esi
		mov	esi, ecx

loc_69FCB3:				; CODE XREF: SpiMax311TxEmpty(x)+2Bj
					; SpiMax311TxEmpty(x)+3Bj
		xor	edx, edx
		mov	ecx, esi
		call	_SpiSend16@8	; SpiSend16(x,x)
		movzx	eax, ax
		test	ax, ax
		jns	short loc_69FCEB
		mov	edx, ds:dword_6CEAA0
		lea	ecx, [edx+1]
		and	ecx, 3FFh
		cmp	ecx, ds:dword_6CEAA4
		jz	short loc_69FCB3
		mov	ds:word_6CEAAA[edx*2], ax
		mov	ds:dword_6CEAA0, ecx
		jmp	short loc_69FCB3
; 

loc_69FCEB:				; CODE XREF: SpiMax311TxEmpty(x)+14j
		shr	ax, 0Eh
		and	al, 1
		pop	esi
		retn
_SpiMax311TxEmpty@4 endp


;  S U B	R O U T	I N E 


; __stdcall SpiSend16(x, x)
_SpiSend16@8	proc near		; CODE XREF: SpiMax311GetByte(x,x)+3Fp
					; SpiMax311PutByte(x,x,x)+65p ...
		movzx	eax, ds:word_6CEAA8
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx]
		mov	si, dx
		push	eax
		push	ecx
		mov	ecx, edi
		call	_SpiInit@16	; SpiInit(x,x,x,x)
		push	2
		lea	eax, [edi+10h]
		push	eax
		call	ds:off_6B38AC	; WriteRegister32(x,x)
		movzx	eax, si
		lea	ebx, [edi+60h]
		push	eax
		push	ebx
		call	ds:off_6B38AC	; WriteRegister32(x,x)
		add	edi, 28h

loc_69FD28:				; CODE XREF: SpiSend16(x,x)+41j
		push	edi
		call	ds:off_6B38A8	; ReadRegister32(x)
		and	eax, 0Dh
		cmp	al, 0Ch
		jnz	short loc_69FD28
		push	ebx
		call	ds:off_6B38A8	; ReadRegister32(x)
		pop	edi
		pop	esi
		pop	ebx
		retn
_SpiSend16@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall UsifGetByte(x, x)
_UsifGetByte@8	proc near		; DATA XREF: .data:006B3910o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_69FD7E
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_69FD7E
		add	eax, 44h
		push	eax
		call	ds:off_6B38A8	; ReadRegister32(x)
		test	al, al
		jz	short loc_69FD79
		mov	eax, [esi]
		add	eax, 80000h
		push	eax
		call	ds:off_6B38A8	; ReadRegister32(x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx], al
		xor	eax, eax
		jmp	short loc_69FD81
; 

loc_69FD79:				; CODE XREF: UsifGetByte(x,x)+1Fj
		xor	eax, eax
		inc	eax
		jmp	short loc_69FD81
; 

loc_69FD7E:				; CODE XREF: UsifGetByte(x,x)+Bj
					; UsifGetByte(x,x)+11j
		push	3
		pop	eax

loc_69FD81:				; CODE XREF: UsifGetByte(x,x)+36j
					; UsifGetByte(x,x)+3Bj
		pop	esi
		pop	ebp
		retn	8
_UsifGetByte@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall UsifInitializePort(x, x, x,	x, x)
_UsifInitializePort@20 proc near	; DATA XREF: .data:_UsifHardwareDrivero

arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 0
		jnz	short loc_69FD95
		xor	al, al
		jmp	short loc_69FDA0
; 

loc_69FD95:				; CODE XREF: UsifInitializePort(x,x,x,x,x)+9j
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	[eax+8], cx
		mov	al, 1

loc_69FDA0:				; CODE XREF: UsifInitializePort(x,x,x,x,x)+Dj
		pop	ebp
		retn	14h
_UsifInitializePort@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall UsifPutByte(x, x, x)
_UsifPutByte@12	proc near		; DATA XREF: .data:006B3914o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_69FDFA
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_69FDFA
		cmp	[ebp+arg_8], 0
		jz	short loc_69FDD2

loc_69FDBD:				; CODE XREF: UsifPutByte(x,x,x)+2Aj
		mov	eax, [esi]
		add	eax, 44h
		push	eax
		call	ds:off_6B38A8	; ReadRegister32(x)
		test	eax, 0FF0000h
		jnz	short loc_69FDBD
		jmp	short loc_69FDE3
; 

loc_69FDD2:				; CODE XREF: UsifPutByte(x,x,x)+17j
		add	eax, 44h
		push	eax
		call	ds:off_6B38A8	; ReadRegister32(x)
		test	eax, 0FF0000h
		jnz	short loc_69FDFA

loc_69FDE3:				; CODE XREF: UsifPutByte(x,x,x)+2Cj
		movzx	eax, [ebp+arg_4]
		push	eax
		mov	eax, [esi]
		add	eax, 40000h
		push	eax
		call	ds:off_6B38AC	; WriteRegister32(x,x)
		xor	eax, eax
		jmp	short loc_69FDFD
; 

loc_69FDFA:				; CODE XREF: UsifPutByte(x,x,x)+Bj
					; UsifPutByte(x,x,x)+11j ...
		push	3
		pop	eax

loc_69FDFD:				; CODE XREF: UsifPutByte(x,x,x)+54j
		pop	esi
		pop	ebp
		retn	0Ch
_UsifPutByte@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall UsifRxReady(x)
_UsifRxReady@4	proc near		; DATA XREF: .data:006B3918o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_69FE26
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_69FE26
		add	eax, 44h
		push	eax
		call	ds:off_6B38A8	; ReadRegister32(x)
		test	al, al
		jz	short loc_69FE26
		mov	al, 1
		jmp	short loc_69FE28
; 

loc_69FE26:				; CODE XREF: UsifRxReady(x)+Aj
					; UsifRxReady(x)+10j ...
		xor	al, al

loc_69FE28:				; CODE XREF: UsifRxReady(x)+22j
		pop	ebp
		retn	4
_UsifRxReady@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall UsifSetBaud(x, x)
_UsifSetBaud@8	proc near		; DATA XREF: .data:006B390Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_69FE47
		cmp	dword ptr [ecx], 0
		jz	short loc_69FE47
		mov	eax, [ebp+arg_4]
		mov	[ecx+4], eax
		mov	al, 1
		jmp	short loc_69FE49
; 

loc_69FE47:				; CODE XREF: UsifSetBaud(x,x)+Aj
					; UsifSetBaud(x,x)+Fj
		xor	al, al

loc_69FE49:				; CODE XREF: UsifSetBaud(x,x)+19j
		pop	ebp
		retn	8
_UsifSetBaud@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ReadPortWithIndex16 proc near		; DATA XREF: UartpSetAccess(x,x,x,x)+3Do

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, [ebp+arg_4]
		movzx	edx, byte ptr [ecx+0Ah]
		imul	edx, eax
		add	edx, [ecx]
		push	edx
		call	ds:off_6B3888	; ReadPort16(x)
		pop	ebp
		retn	8
ReadPortWithIndex16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ReadPortWithIndex32 proc near		; DATA XREF: UartpSetAccess(x,x,x,x)+31o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, [ebp+arg_4]
		movzx	edx, byte ptr [ecx+0Ah]
		imul	edx, eax
		add	edx, [ecx]
		push	edx
		call	ds:off_6B3890	; ReadPort32(x)
		pop	ebp
		retn	8
ReadPortWithIndex32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ReadPortWithIndex8 proc	near		; DATA XREF: UartpSetAccess(x,x,x,x)+49o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, [ebp+arg_4]
		movzx	edx, byte ptr [ecx+0Ah]
		imul	edx, eax
		add	edx, [ecx]
		push	edx
		call	ds:_UartHardwareAccess ; ReadPort8(x)
		pop	ebp
		retn	8
ReadPortWithIndex8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ReadRegisterWithIndex16	proc near	; DATA XREF: UartpSetAccess(x,x,x,x)+77o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, [ebp+arg_4]
		movzx	edx, byte ptr [ecx+0Ah]
		imul	edx, eax
		add	edx, [ecx]
		push	edx
		call	ds:off_6B38A0	; ReadRegister16(x)
		pop	ebp
		retn	8
ReadRegisterWithIndex16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ReadRegisterWithIndex32	proc near	; DATA XREF: UartpSetAccess(x,x,x,x)+69o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, [ebp+arg_4]
		movzx	edx, byte ptr [ecx+0Ah]
		imul	edx, eax
		add	edx, [ecx]
		push	edx
		call	ds:off_6B38A8	; ReadRegister32(x)
		pop	ebp
		retn	8
ReadRegisterWithIndex32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ReadRegisterWithIndex8 proc near	; DATA XREF: UartpSetAccess(x,x,x,x)+85o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, [ebp+arg_4]
		movzx	edx, byte ptr [ecx+0Ah]
		imul	edx, eax
		add	edx, [ecx]
		push	edx
		call	ds:off_6B3898	; ReadRegister8(x)
		pop	ebp
		retn	8
ReadRegisterWithIndex8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall UartpSetAccess(x, x, x, x)
_UartpSetAccess@16 proc	near		; CODE XREF: Uart16550InitializePortCommon(x,x,x,x,x)+14p

arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, [ebp+arg_0]
		push	ebx
		mov	bh, 8
		push	esi
		push	edi
		mov	edi, ecx
		test	dl, dl
		jnz	short loc_69FF5D
		sub	eax, 0
		jz	short loc_69FF51
		sub	eax, 1
		jz	short loc_69FF51
		sub	eax, 1
		jz	short loc_69FF45
		sub	eax, 1
		jnz	loc_69FFBD
		mov	edx, offset WritePortWithIndex32
		mov	esi, offset ReadPortWithIndex32
		jmp	short loc_69FF7B
; 

loc_69FF45:				; CODE XREF: UartpSetAccess(x,x,x,x)+21j
		mov	edx, offset WritePortWithIndex16
		mov	esi, offset ReadPortWithIndex16
		jmp	short loc_69FF89
; 

loc_69FF51:				; CODE XREF: UartpSetAccess(x,x,x,x)+17j
					; UartpSetAccess(x,x,x,x)+1Cj
		mov	edx, offset WritePortWithIndex8
		mov	esi, offset ReadPortWithIndex8
		jmp	short loc_69FF97
; 

loc_69FF5D:				; CODE XREF: UartpSetAccess(x,x,x,x)+12j
		sub	eax, 0
		jz	short loc_69FF8D
		sub	eax, 1
		jz	short loc_69FF8D
		sub	eax, 1
		jz	short loc_69FF7F
		sub	eax, 1
		jnz	short loc_69FFBD
		mov	edx, offset WriteRegisterWithIndex32
		mov	esi, offset ReadRegisterWithIndex32

loc_69FF7B:				; CODE XREF: UartpSetAccess(x,x,x,x)+36j
		mov	bh, 20h
		jmp	short loc_69FF97
; 

loc_69FF7F:				; CODE XREF: UartpSetAccess(x,x,x,x)+5Dj
		mov	edx, offset WriteRegisterWithIndex16
		mov	esi, offset ReadRegisterWithIndex16

loc_69FF89:				; CODE XREF: UartpSetAccess(x,x,x,x)+42j
		mov	bh, 10h
		jmp	short loc_69FF97
; 

loc_69FF8D:				; CODE XREF: UartpSetAccess(x,x,x,x)+53j
					; UartpSetAccess(x,x,x,x)+58j
		mov	edx, offset WriteRegisterWithIndex8
		mov	esi, offset ReadRegisterWithIndex8

loc_69FF97:				; CODE XREF: UartpSetAccess(x,x,x,x)+4Ej
					; UartpSetAccess(x,x,x,x)+70j ...
		mov	bl, [ebp+arg_4]
		movzx	ecx, bl
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	short loc_69FFBD
		cmp	bl, bh
		jb	short loc_69FFBD
		cmp	bl, 20h
		ja	short loc_69FFBD
		shr	bl, 3
		mov	al, 1
		mov	[edi+0Ah], bl
		mov	[edi+10h], edx
		mov	[edi+0Ch], esi
		jmp	short loc_69FFBF
; 

loc_69FFBD:				; CODE XREF: UartpSetAccess(x,x,x,x)+26j
					; UartpSetAccess(x,x,x,x)+62j ...
		xor	al, al

loc_69FFBF:				; CODE XREF: UartpSetAccess(x,x,x,x)+AEj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_UartpSetAccess@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WritePortWithIndex16 proc near		; DATA XREF: UartpSetAccess(x,x,x,x):loc_69FF45o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, [ebp+arg_8]
		push	eax
		movzx	eax, [ebp+arg_4]
		movzx	edx, byte ptr [ecx+0Ah]
		imul	edx, eax
		add	edx, [ecx]
		push	edx
		call	ds:off_6B388C	; WritePort16(x,x)
		pop	ebp
		retn	0Ch
WritePortWithIndex16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WritePortWithIndex32 proc near		; DATA XREF: UartpSetAccess(x,x,x,x)+2Co

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, [ebp+arg_8]
		push	eax
		movzx	eax, [ebp+arg_4]
		movzx	edx, byte ptr [ecx+0Ah]

loc_6A0000:				; DATA XREF: .text:off_41B592o
					; IovpCancelRoutine(x,x,x)+5o
		imul	edx, eax
		add	edx, [ecx]
		push	edx
		call	ds:off_6B3894	; WritePort32(x,x)
		pop	ebp
		retn	0Ch
WritePortWithIndex32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WritePortWithIndex8 proc near		; DATA XREF: UartpSetAccess(x,x,x,x):loc_69FF51o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, [ebp+arg_4]
		push	[ebp+arg_8]
		movzx	edx, byte ptr [ecx+0Ah]
		imul	edx, eax
		add	edx, [ecx]
		push	edx
		call	ds:off_6B3884	; WritePort8(x,x)
		pop	ebp
		retn	0Ch
WritePortWithIndex8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WriteRegisterWithIndex16 proc near	; DATA XREF: UartpSetAccess(x,x,x,x):loc_69FF7Fo

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, [ebp+arg_8]
		push	eax
		movzx	eax, [ebp+arg_4]
		movzx	edx, byte ptr [ecx+0Ah]
		imul	edx, eax
		add	edx, [ecx]
		push	edx
		call	ds:off_6B38A4	; WriteRegister16(x,x)
		pop	ebp
		retn	0Ch
WriteRegisterWithIndex16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WriteRegisterWithIndex32 proc near	; DATA XREF: UartpSetAccess(x,x,x,x)+64o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, [ebp+arg_8]
		push	eax
		movzx	eax, [ebp+arg_4]
		movzx	edx, byte ptr [ecx+0Ah]
		imul	edx, eax
		add	edx, [ecx]
		push	edx
		call	ds:off_6B38AC	; WriteRegister32(x,x)
		pop	ebp
		retn	0Ch
WriteRegisterWithIndex32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WriteRegisterWithIndex8	proc near	; DATA XREF: UartpSetAccess(x,x,x,x):loc_69FF8Do

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		movzx	eax, [ebp+arg_4]
		push	[ebp+arg_8]
		movzx	edx, byte ptr [ecx+0Ah]
		imul	edx, eax
		add	edx, [ecx]
		push	edx
		call	ds:off_6B389C	; WriteRegister8(x,x)
		pop	ebp
		retn	0Ch
WriteRegisterWithIndex8	endp

; 
dword_6A00A0	dd 0FFFFFFE4h, 0	; DATA XREF: VrpPostEnumerateKey(x,x)+5o
		dd 0FFFFFE80h, 0
		dd 0FFFFFFFEh
		dd offset loc_73B912
		dd offset loc_73B923
		align 10h
dword_6A00C0	dd 0FFFFFFFEh, 0	; DATA XREF: CmpFireCleanupNotifications+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8CA952
		dd offset loc_8CA95D
		align 10h
dword_6A00E0	dd 0FFFFFFFEh, 0	; DATA XREF: VrpOutputBufferParameter+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8CACDC
		dd offset sub_8CACEA
		align 10h
dword_6A0100	dd 0FFFFFFFEh, 0	; DATA XREF: NtSetTimerResolution(x,x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_73DFD8
		dd offset loc_73DFE8
		dd 0FFFFFFFEh
		dd offset loc_73E13F
		dd offset loc_73E143
dword_6A0128	dd 0FFFFFFE4h, 0	; DATA XREF: PoTraceSystemTimerResolution+5o
		dd 0FFFFFF5Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8CAEE0
		dd offset sub_8CAEE4
		align 8
dword_6A0148	dd 0FFFFFFFEh, 0	; DATA XREF: CmQuerySingleFeatureConfiguration+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_8CB38C
		dd offset loc_8CB39C
		dd 0FFFFFFFEh
		dd offset sub_8CB328
		dd offset sub_8CB338
		dd 0FFFFFFFEh
		dd offset sub_8CB377
		dd offset sub_8CB387
		align 10h
dword_6A0180	dd 0FFFFFFE4h, 0	; DATA XREF: CmQueryLayeredKey+5o
		dd 0FFFFFF1Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_5A8AB2
		dd offset sub_5A8AC3
		dd 0FFFFFFFEh
		dd offset sub_5A8BD3
		dd offset sub_5A8BE4
		dd 0FFFFFFFEh
		dd offset sub_5A8C2E
		dd offset sub_5A8C3F
		dd 0FFFFFFFEh
		dd offset sub_5A8CEE
		dd offset sub_5A8A9A
dword_6A01C0	dd 0FFFFFFE4h, 0	; DATA XREF: IoQueryInformationByName+5o
		dd 0FFFFFE78h, 0
		dd 0FFFFFFFEh
		dd offset loc_8CB76E
		dd offset loc_8CB77F
		dd 0FFFFFFFEh
		dd offset sub_8CB715
		dd offset sub_8CB726
		dd 0FFFFFFFEh
		dd offset sub_8CB748
		dd offset sub_8CB759
		align 8
dword_6A01F8	dd 0FFFFFFE4h, 0	; DATA XREF: HvlQueryVsmProtectionInfo+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8CB88D
		dd offset sub_8CB89B
		align 8
dword_6A0218	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenJobObject+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8CB8A6
		dd offset sub_8CB8B4
		dd 0FFFFFFFEh
		dd offset sub_8CB8CA
		dd offset sub_8CB8DA
dword_6A0240	dd 0FFFFFFE4h, 0	; DATA XREF: CmUnloadKey+5o
		dd 0FFFFFEA4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8CBC77
		dd offset sub_8CBB28
		align 10h
dword_6A0260	dd 0FFFFFFFEh, 0	; DATA XREF: RtlWalkFrameChain+7o
		dd 0FFFFFF64h, 0
		dd 0FFFFFFFEh
		dd offset sub_5A9593
		dd offset sub_5A95AC
		align 10h
dword_6A0280	dd 0FFFFFFFEh, 0	; DATA XREF: HvpViewMapTouchPages+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8CDB63
		dd offset sub_8CDB6F
		align 10h
dword_6A02A0	dd 0FFFFFFFEh, 0	; DATA XREF: RtlUpcaseUnicodeStringToCountedOemString+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8CDCD9
		align 10h
dword_6A02C0	dd 0FFFFFFFEh, 0	; DATA XREF: RtlAnsiStringToUnicodeString+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8CDD28
		align 10h
dword_6A02E0	dd 0FFFFFFFEh, 0	; DATA XREF: ExpQueryModuleInformation+7o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8CDF48
		dd offset sub_8CDF72
		dd 0FFFFFFFEh
		dd offset sub_8CDF84
		dd offset sub_8CDFAE
dword_6A0308	dd 0FFFFFFFEh, 0	; DATA XREF: RtlUnicodeStringToAnsiString+7o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8CDFEC
		align 8
dword_6A0328	dd 0FFFFFFFEh, 0	; DATA XREF: RtlpIsUtf8Process+7o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8CE1ED
		dd offset sub_8CE1F3
		align 8
dword_6A0348	dd 0FFFFFFE4h, 0	; DATA XREF: RtlLargeIntegerToChar+2o
		dd 0FFFFFF7Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8CE27E
		dd offset sub_8CE28C
		align 8
dword_6A0368	dd 0FFFFFFFEh, 0	; DATA XREF: RtlUnicodeStringToCountedOemString+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8CE3A2
		align 8
dword_6A0388	dd 0FFFFFFFEh, 0	; DATA XREF: CmpPostApc+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8CF486
		dd offset sub_8CF48A
		align 8
dword_6A03A8	dd 0FFFFFFE4h, 0	; DATA XREF: CmLoadDifferencingKey+5o
		dd 0FFFFFE38h, 0
		dd 0FFFFFFFEh
		dd offset sub_8CFC20
		dd offset sub_8CFC31
		dd 0FFFFFFFEh
		dd offset sub_8CFBE2
		dd offset sub_8CFBF3
dword_6A03D0	dd 0FFFFFFE4h, 0	; DATA XREF: NtDeleteValueKey+5o
		dd 0FFFFFF38h, 0
		dd 0FFFFFFFEh
		dd offset sub_8CFDD4
		dd offset sub_8CFDE5
		align 10h
dword_6A03F0	dd 0FFFFFFE4h, 0	; DATA XREF: CmpNameFromAttributes+5o
		dd 0FFFFFD84h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D05D5
		dd offset sub_8D05E6
		align 10h
dword_6A0410	dd 0FFFFFFE4h, 0	; DATA XREF: PspApplyWorkingSetLimitsToProcess+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D0AEF
		dd offset sub_8D0AFD
		align 10h
dword_6A0430	dd 0FFFFFFE4h, 0	; DATA XREF: EtwQueryProcessTelemetryInfo+5o
		dd 0FFFFFDB4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D0BDE
		dd offset sub_8D0BEF
		align 10h
dword_6A0450	dd 0FFFFFFFEh, 0	; DATA XREF: PspQueryJobHierarchyProcessIdList+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8D2198
		dd offset sub_8D21A8
		align 10h
dword_6A0470	dd 0FFFFFFE4h, 0	; DATA XREF: PfpPrivSourceEnum(x,x,x)+5o
		dd 0FFFFFE8Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_755D5C
		dd offset loc_755D6D
		align 10h
dword_6A0490	dd 0FFFFFFFEh, 0	; DATA XREF: PfpPrivSourceAdd+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D228A
		dd offset sub_8D2298
		align 10h
dword_6A04B0	dd 0FFFFFFE4h, 0	; DATA XREF: PAGE:00757033o
		dd 0FFFFF9D8h, 0
		dd 0FFFFFFFEh
		dd offset loc_8D23E0
		dd offset loc_8D23F1
		dd 0FFFFFFFEh
		dd offset loc_8D24BC
		dd offset loc_8D24CD
		dd 0FFFFFFFEh
		dd offset loc_8D262E
		dd offset loc_8D263F
		dd 0FFFFFFFEh
		dd offset loc_8D2716
		dd offset loc_8D24DC
		dd 0FFFFFFFEh
		dd offset loc_8D2A6B
		dd offset loc_8D2A7C
		dd 0FFFFFFFEh
		dd offset loc_8D2B9F
		dd offset loc_8D2489
		dd 0FFFFFFFEh
		dd offset loc_8D2C13
		dd offset loc_8D2C24
		align 8
dword_6A0518	dd 0FFFFFFE4h, 0	; DATA XREF: NtSetInformationJobObject+5o
		dd 0FFFFF874h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D3053
		dd offset sub_8D3064
		dd 0FFFFFFFEh
		dd offset sub_8D3561
		dd offset sub_8D3572
		dd 0FFFFFFFEh
		dd offset sub_8D35A3
		dd offset sub_8D35B4
		dd 0FFFFFFFEh
		dd offset sub_8D35F4
		dd offset sub_8D3605
		dd 0FFFFFFFEh
		dd offset sub_8D3652
		dd offset sub_8D3663
		dd 0FFFFFFFEh
		dd offset sub_8D36B3
		dd offset sub_8D36C4
		dd 0FFFFFFFEh
		dd offset sub_8D3820
		dd offset sub_8D3831
		dd 0FFFFFFFEh
		dd offset sub_8D3B66
		dd offset sub_8D3B77
		dd 0FFFFFFFEh
		dd offset sub_8D3C25
		dd offset sub_8D3C36
		dd 0FFFFFFFEh
		dd offset loc_8D3C5D
		dd offset loc_8D3C6E
		dd 0FFFFFFFEh
		dd offset sub_8D3C41
		dd offset sub_8D3C52
		dd 0FFFFFFFEh
		dd offset loc_8D3C79
		dd offset loc_8D3C8A
		dd 0FFFFFFFEh
		dd offset sub_8D3C9F
		dd offset sub_8D3CB0
		dd 0FFFFFFFEh
		dd offset sub_8D3CCF
		dd offset sub_8D3CE0
		dd 0FFFFFFFEh
		dd offset sub_8D3CF5
		dd offset sub_8D3D06
		dd 0FFFFFFFEh
		dd offset sub_8D3D24
		dd offset sub_8D3D35
		dd 0FFFFFFFEh
		dd offset sub_8D3E61
		dd offset sub_8D3E72
		dd 0FFFFFFFEh
		dd offset sub_8D3EB2
		dd offset sub_8D3EC3
		dd 0FFFFFFFEh
		dd offset sub_8D3F60
		dd offset sub_8D3F71
		dd 0FFFFFFFEh
		dd offset sub_8D3FEE
		dd offset sub_8D3FFF
		dd 0FFFFFFFEh
		dd offset sub_8D407E
		dd offset sub_8D408F
		dd 0FFFFFFFEh
		dd offset sub_8D40AC
		dd offset sub_8D40BD
		dd 0FFFFFFFEh
		dd offset loc_8D4214
		dd offset loc_8D4225
		dd 0FFFFFFFEh
		dd offset sub_8D4254
		dd offset sub_8D4265
		dd 0FFFFFFFEh
		dd offset sub_8D42E4
		dd offset loc_8D357A
		align 8
dword_6A0658	dd 0FFFFFFFEh, 0	; DATA XREF: ExpCopyProcessInfo+7o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D4348
		dd offset sub_8D4374
		align 8
dword_6A0678	dd 0FFFFFFFEh, 0	; DATA XREF: PspQueryProcessIdListCallback+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D439F
		dd offset sub_8D43AF
		align 8
dword_6A0698	dd 0FFFFFFFEh, 0	; DATA XREF: NtInitializeNlsFiles+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_8D456A
		dd offset loc_8D4578
		dd 0FFFFFFFEh
		dd offset sub_8D454F
		dd offset sub_8D455F
dword_6A06C0	dd 0FFFFFFFEh, 0	; DATA XREF: PspMapSiloSharedDataView+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D468A
		dd offset sub_8D4698
		align 10h
dword_6A06E0	dd 0FFFFFFFEh, 0	; DATA XREF: MmMapApiSetView+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D46BE
		dd offset sub_8D46CC
		align 10h
dword_6A0700	dd 0FFFFFFE4h, 0	; DATA XREF: PAGE:0075B309o
		dd 0FFFFFEF0h, 0
		dd 0FFFFFFFEh
		dd offset loc_75B7E9
		dd offset loc_75B7ED
		dd 0FFFFFFFEh
		dd offset loc_75B7C8
		dd offset loc_75B7CC
		dd 0FFFFFFFEh
		dd offset loc_75B7AF
		dd offset loc_75B7C0
		align 8
dword_6A0738	dd 0FFFFFFE4h, 0	; DATA XREF: PspWritePebAffinityInfo+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D4748
		dd offset sub_8D474C
		align 8
dword_6A0758	dd 0FFFFFFFEh, 0	; DATA XREF: PspPrepareSystemDllInitBlock+2o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D47A6
		dd offset sub_8D47B4
		align 8
dword_6A0778	dd 0FFFFFFFEh, 0	; DATA XREF: PspCopyAndFixupParameters+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8D4813
		dd offset sub_8D4821
		align 8
dword_6A0798	dd 0FFFFFFFEh, 0	; DATA XREF: PopEtGetProcessImageInfo+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D4964
		dd offset sub_8D4972
		align 8
dword_6A07B8	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpQueryProcessOtherInfo+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D4B1B
		dd offset sub_8D4B1F
		align 8
dword_6A07D8	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpQueryProcessCommandLine+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_75DF23
		dd offset loc_75DF31
		dd 0FFFFFFFEh
		dd offset sub_8D4B4D
		dd offset sub_8D4B5B
dword_6A0800	dd 0FFFFFFE4h, 0	; DATA XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5o
		dd 0FFFFFBE4h, 0
		dd 0FFFFFFFEh
		dd offset loc_75FB84
		dd offset loc_75FB95
		align 10h
dword_6A0820	dd 0FFFFFFFEh, 0	; DATA XREF: MiMapViewOfSectionExCommon+19o
		dd 0FFFFFF18h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D503B
		dd offset sub_8D5042
		align 10h
dword_6A0840	dd 0FFFFFFFEh, 0	; DATA XREF: MmAllocateVirtualMemory+7o
		dd 0FFFFFF84h, 0
		dd 0FFFFFFFEh
		dd offset loc_8D511C
		dd offset loc_8D5146
		dd 0FFFFFFFEh
		dd offset sub_8D5104
		dd offset sub_8D510A
dword_6A0868	dd 0FFFFFFFEh, 0	; DATA XREF: MiCaptureAllocateMapExtendedParameters+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D51FA
		dd offset sub_8D51E5
		align 8
dword_6A0888	dd 0FFFFFFE4h, 0	; DATA XREF: DbgkMapViewOfSection+5o
		dd 0FFFFFF1Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8D52B3
		dd offset sub_8D52B7
		align 8
dword_6A08A8	dd 0FFFFFFFEh, 0	; DATA XREF: CcPerformReadAhead+5o
		dd 0FFFFFF48h, 0
		dd 0FFFFFFFEh, 0
		dd offset loc_5AA9C7
		align 8
		dd offset sub_5AA9AA
		dd offset sub_5AA9BD
dword_6A08D0	dd 0FFFFFFFEh, 0	; DATA XREF: CcAsyncReadPrefetch+2o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh
		dd offset sub_5AAF7B
		dd offset sub_5AAF89
		dd 0FFFFFFFEh, 0
		dd offset j_nullsub_1
dword_6A08F8	dd 0FFFFFFFEh, 0	; DATA XREF: CcMdlRead+2o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8D57AB
		align 8
dword_6A0918	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpSetProviderTraitsUm(x,x,x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_7632C3
		dd offset loc_7632D1
		align 8
dword_6A0938	dd 0FFFFFFE4h, 0	; DATA XREF: NtPowerInformation+5o
		dd 0FFFFFC38h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D5ECB
		dd offset sub_8D5EDC
		dd 0FFFFFFFEh
		dd offset sub_8D6A86
		dd offset sub_8D6A97
dword_6A0960	dd 0FFFFFFFEh, 0	; DATA XREF: PopBlackBoxUpdate+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D757F
		dd offset sub_8D758D
		dd 0FFFFFFFEh
		dd offset sub_8D75B9
		dd offset loc_8D7592
dword_6A0988	dd 0FFFFFFE4h, 0	; DATA XREF: PopGetSettingNotificationName+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D760C
		dd offset sub_8D761A
		align 8
dword_6A09A8	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreateTimer+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D79A4
		dd offset sub_8D79B2
		dd 0FFFFFFFEh
		dd offset sub_8D79D0
		dd offset sub_8D79D4
dword_6A09D0	dd 0FFFFFFFEh, 0	; DATA XREF: ExpQueryNumaProcessorMap+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D7C3F
		dd offset sub_8D7C4F
		align 10h
dword_6A09F0	dd 0FFFFFFFEh, 0	; DATA XREF: RawDispatch+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D7CD4
		dd offset sub_8D7CEE
		align 10h
dword_6A0A10	dd 0FFFFFFE4h, 0	; DATA XREF: PfSnParsePrefetchParam+2o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D8673
		dd offset sub_8D8681
		align 10h
dword_6A0A30	dd 0FFFFFFFEh, 0	; DATA XREF: PfSnCaptureParamBlockString+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D868C
		dd offset sub_8D869A
		align 10h
dword_6A0A50	dd 0FFFFFFFEh, 0	; DATA XREF: PfSnGetUnsafeProcessParameters+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D86A8
		dd offset sub_8D86AC
		align 10h
dword_6A0A70	dd 0FFFFFFFEh, 0	; DATA XREF: RtlUpcaseUnicodeString+7o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8D8943
		align 10h
dword_6A0A90	dd 0FFFFFFFEh, 0	; DATA XREF: PfGetCompletedTrace+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D89B2
		dd offset sub_8D89C0
		align 10h
dword_6A0AB0	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryDefaultLocale+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8D8B84
		dd offset sub_8D8B94
		align 10h
dword_6A0AD0	dd 0FFFFFFE4h, 0	; DATA XREF: EtwTraceThread+5o
		dd 0FFFFFF54h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D8B9F
		dd offset sub_8D8BA3
		dd 0FFFFFFFEh
		dd offset loc_8D8BA5
		dd offset loc_8D8BA9
dword_6A0AF8	dd 0FFFFFFE4h, 0	; DATA XREF: EtwpPsProvTraceThread+5o
		dd 0FFFFFEF4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D8BC0
		dd offset sub_8D8BC4
		dd 0FFFFFFFEh
		dd offset loc_8D8BC6
		dd offset loc_8D8BCA
		dd 0FFFFFFFEh
		dd offset sub_8D8BDB
		dd offset sub_8D8BDF
		align 10h
dword_6A0B30	dd 0FFFFFFE4h, 0	; DATA XREF: PspBuildCreateProcessContext(x,x,x,x)+5o
		dd 0FFFFFED8h, 0
		dd 0FFFFFFFEh
		dd offset loc_76F0C9
		dd offset loc_76F0DA
		align 10h
		dd offset loc_76EC3C
		dd offset loc_76EC4D
dword_6A0B58	dd 0FFFFFFFEh, 0	; DATA XREF: PspUserThreadStartup+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D8C05
		dd offset sub_8D8C09
		align 8
dword_6A0B78	dd 0FFFFFFE4h, 0	; DATA XREF: DbgkCreateThread+5o
		dd 0FFFFFEF8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D8C2F
		dd offset sub_8D8C33
		dd 0FFFFFFFEh
		dd offset sub_8D8C52
		dd offset sub_8D8C56
		dd 0FFFFFFFEh
		dd offset sub_8D8D11
		dd offset sub_8D8D15
		align 10h
dword_6A0BB0	dd 0FFFFFFE4h, 0	; DATA XREF: PspWriteTebIdealProcessor+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D8E58
		dd offset sub_8D8E5C
		align 10h
dword_6A0BD0	dd 0FFFFFFE4h, 0	; DATA XREF: PspInitializeThunkContext+5o
		dd 0FFFFFC9Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8D8EA4
		dd offset sub_8D8EB5
		align 10h
dword_6A0BF0	dd 0FFFFFFE4h, 0	; DATA XREF: PspSetContextThreadInternal+2o
		dd 0FFFFFF64h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D8F30
		dd offset sub_8D8F3E
		align 10h
dword_6A0C10	dd 0FFFFFFE4h, 0	; DATA XREF: PspGetContextThreadInternal+5o
		dd 0FFFFFF4Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8D9087
		dd offset sub_8D9095
		align 10h
dword_6A0C30	dd 0FFFFFFFEh, 0	; DATA XREF: PspAdjustContextForInstrumentation+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8D9157
		dd offset sub_8D915B
		align 10h
dword_6A0C50	dd 0FFFFFFE4h, 0	; DATA XREF: NtCreateThreadEx+5o
		dd 0FFFFFE4Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8D9191
		dd offset sub_8D91A2
		align 10h
dword_6A0C70	dd 0FFFFFFFEh, 0	; DATA XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+19o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_770770
		dd offset loc_770786
		dd 0FFFFFFFEh
		dd offset loc_77083B
		dd offset loc_77084C
		dd 0FFFFFFFEh
		dd offset loc_77088F
		dd offset loc_7708A0
		dd 0FFFFFFFEh
		dd offset loc_770A7B
		dd offset loc_770A98
dword_6A0CB0	dd 0FFFFFFE4h, 0	; DATA XREF: PspAllocateThread+5o
		dd 0FFFFFF60h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D9344
		dd offset sub_8D9352
		dd 0FFFFFFFEh
		dd offset sub_8D941B
		dd offset sub_8D9429
		dd 0FFFFFFFEh
		dd offset sub_8D9517
		dd offset sub_8D9528
		align 8
dword_6A0CE8	dd 0FFFFFFFEh, 0	; DATA XREF: PAGELK:0071A56Co
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_728396
		dd offset loc_7283A4
		align 8
dword_6A0D08	dd 0FFFFFFFEh, 0	; DATA XREF: PspExitThread+2o
		dd 0FFFFFF78h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D976D
		dd offset sub_8D9771
		align 8
dword_6A0D28	dd 0FFFFFFFEh, 0	; DATA XREF: CmNotifyRunDown+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D985C
		dd offset sub_8D9860
		align 8
dword_6A0D48	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreateSemaphore+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D98BE
		dd offset sub_8D98CC
		dd 0FFFFFFFEh
		dd offset sub_8D98DE
		dd offset sub_8D98E2
dword_6A0D70	dd 0FFFFFFE4h, 0	; DATA XREF: KiRaiseException(x,x,x,x,x)+5o
		dd 0FFFFFF58h, 0
		dd 0FFFFFFFEh
		dd offset loc_445B2B
		dd offset loc_445B3C
		dd 0FFFFFFFEh
		dd offset sub_445B08
		dd offset sub_445B19
dword_6A0D98	dd 0FFFFFFFEh, 0	; DATA XREF: KiSetupForInstrumentationReturn+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_5AD9CB
		dd offset sub_5AD9CF
		align 8
dword_6A0DB8	dd 0FFFFFFFEh, 0	; DATA XREF: KiContinue+7o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_5AD9F1
		dd offset sub_5ADA01
		align 8
dword_6A0DD8	dd 0FFFFFFFEh, 0	; DATA XREF: RtlGuardIsValidStackPointer+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8D992C
		dd offset sub_8D9930
		align 8
dword_6A0DF8	dd 0FFFFFFE4h, 0	; DATA XREF: MmCreateTeb+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset sub_8D9947
		dd offset sub_8D9955
		align 8
dword_6A0E18	dd 0FFFFFFFEh, 0	; DATA XREF: RtlCreateUserStack+2o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8D9A5C
		dd offset sub_8D9A6A
		dd 0FFFFFFFEh
		dd offset sub_8D9A2B
		dd offset sub_8D9A39
dword_6A0E40	dd 0FFFFFFFEh, 0	; DATA XREF: NtResumeThread+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_8D9A9E
		dd offset loc_8D9AAC
		dd 0FFFFFFFEh
		dd offset sub_8D9A7C
		dd offset sub_8D9A8C
dword_6A0E68	dd 0FFFFFFE4h, 0	; DATA XREF: .text:00446EE7o
		dd 0FFFFFEE0h, 0
		dd 0FFFFFFFEh
		dd offset loc_5AE167
		dd offset loc_5AE17A
		dd 0FFFFFFFEh
		dd offset loc_5ADDBE
		dd offset loc_5ADDD1
		dd 0FFFFFFFEh
		dd offset loc_5AE06C
		dd offset loc_5AE07F
		dd 0FFFFFFFEh
		dd offset loc_5ADCA7
		dd offset loc_5ADCBA
		dd 0FFFFFFFEh
		dd offset loc_5AE004
		dd offset loc_5AE017
		align 8
dword_6A0EB8	dd 0FFFFFFE4h, 0	; DATA XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7o
		dd 0FFFFFDCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_773291
		dd offset loc_7732A4
		dd 0FFFFFFFEh
		dd offset loc_773D8D
		dd offset loc_773DA0
dword_6A0EE0	dd 0FFFFFFE4h, 0	; DATA XREF: EtwpTraceMessageVa+7o
		dd 0FFFFFF4Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_5AE313
		dd offset sub_5AE326
		dd 0FFFFFFFEh
		dd offset sub_5AE29D
		dd offset sub_5AE2B0
dword_6A0F08	dd 0FFFFFFFEh, 0	; DATA XREF: PerfLogImageUnload+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8D9C69
		dd offset sub_8D9C6D
		align 8
dword_6A0F28	dd 0FFFFFFFEh, 0	; DATA XREF: RtlAddAtomToAtomTableEx+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_5AE41B
		dd offset sub_5AE429
		align 8
dword_6A0F48	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpCaptureViewAttribute+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DA04D
		dd offset sub_8DA05B
		align 8
dword_6A0F68	dd 0FFFFFFFEh, 0	; DATA XREF: NtAlpcCreateSecurityContext+7o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset sub_8DA258
		dd offset sub_8DA268
		dd 0FFFFFFFEh
		dd offset sub_8DA29D
		dd offset sub_8DA2AD
dword_6A0F90	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpCaptureSecurityAttribute+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DA46B
		dd offset sub_8DA479
		align 10h
dword_6A0FB0	dd 0FFFFFFE4h, 0	; DATA XREF: RtlQueryAtomInAtomTable+2o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DA582
		dd offset sub_8DA590
		align 10h
dword_6A0FD0	dd 0FFFFFFE4h, 0	; DATA XREF: NtFindAtom+7o
		dd 0FFFFFDBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8DA927
		dd offset sub_8DA93A
		dd 0FFFFFFFEh
		dd offset sub_8DA94F
		dd offset sub_8DA962
dword_6A0FF8	dd 0FFFFFFFEh, 0	; DATA XREF: RtlLookupAtomInAtomTable+7o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DAA87
		dd offset sub_8DAA97
		align 8
dword_6A1018	dd 0FFFFFFE0h, 0	; DATA XREF: PerfLogImageLoad+7o
		dd 0FFFFFF64h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DAB26
		dd offset sub_8DAB2C
		align 8
dword_6A1038	dd 0FFFFFFE0h, 0	; DATA XREF: EtwpEnumerateAddressSpace+7o
		dd 0FFFFFF14h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DABE0
		dd offset sub_8DABE6
		align 8
dword_6A1058	dd 0FFFFFFE4h, 0	; DATA XREF: NtGetWriteWatch+7o
		dd 0FFFFFA54h, 0
		dd 0FFFFFFFEh
		dd offset sub_5AEAA3
		dd offset sub_5AEAB6
		dd 0FFFFFFFEh
		dd offset sub_5AEA75
		dd offset sub_5AEA88
dword_6A1080	dd 0FFFFFFE0h, 0	; DATA XREF: MiCopyToCfgBitMap+7o
		dd 0FFFFFF7Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8DAF8E
		dd offset sub_8DAF9E
		align 10h
dword_6A10A0	dd 0FFFFFFFEh, 0	; DATA XREF: MiCopyToUserVa(x,x,x,x)+7o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_44B726
		dd offset loc_44B736
		dd 0FFFFFFFEh
		dd offset loc_44B487
		dd offset loc_44B497
dword_6A10C8	dd 0FFFFFFFEh, 0	; DATA XREF: CcCopyReadEx+7o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5B0BF2
		align 8
dword_6A10E8	dd 0FFFFFFFEh, 0	; DATA XREF: CcMapData+7o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8DB080
		align 8
dword_6A1108	dd 0FFFFFFFEh, 0	; DATA XREF: CcCopyBytesToUserBuffer+7o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_5B0E49
		dd offset sub_5B0E55
		align 8
dword_6A1128	dd 0FFFFFFE0h, 0	; DATA XREF: MiMapViewOfSection+7o
		dd 0FFFFFF6Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8DB4AF
		dd offset sub_8DB4BF
		align 8
dword_6A1148	dd 0FFFFFFFEh, 0	; DATA XREF: NtAllocateVirtualMemory+7o
		dd 0FFFFFF84h, 0
		dd 0FFFFFFFEh
		dd offset loc_8DB567
		dd offset loc_8DB591
		dd 0FFFFFFFEh
		dd offset sub_8DB535
		dd offset sub_8DB555
dword_6A1170	dd 0FFFFFFE4h, 0	; DATA XREF: NtProtectVirtualMemory+7o
		dd 0FFFFFF84h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DBFE2
		dd offset sub_8DBFF2
		dd 0FFFFFFFEh
		dd offset sub_8DC036
		dd offset sub_8DC03C
dword_6A1198	dd 0FFFFFFFEh, 0	; DATA XREF: MiZeroPage(x,x)+7o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_46FB39
		dd offset loc_46FB3F
		align 8
dword_6A11B8	dd 0FFFFFFE0h, 0	; DATA XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+7o
		dd 0FFFFFEFCh, 0
		dd 0FFFFFFFEh
		dd offset loc_477BF3
		dd offset loc_477BFF
		align 8
dword_6A11D8	dd 0FFFFFFFEh, 0	; DATA XREF: CcMapAndCopyInToCache+7o
		dd 0FFFFFF04h, 0
		dd 0FFFFFFFEh, 0
		dd offset loc_5B3D51
		align 8
		dd offset loc_5B3D1B
		dd offset sub_5B3D27
dword_6A1200	dd 0FFFFFFFEh, 0	; DATA XREF: .text:0047C1B7o
		dd 0FFFFFF5Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_47CAC9
		dd offset loc_47CAD9
		dd 0FFFFFFFEh
		dd offset loc_47CA5C
		dd offset loc_47CA68
dword_6A1228	dd 0FFFFFFFEh, 0	; DATA XREF: ExpGetSystemProcessorInformation+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_5B9DCD
		dd offset sub_5B9DDD
		align 8
dword_6A1248	dd 0FFFFFFFEh, 0	; DATA XREF: ExpGetSystemBasicInformation+7o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_5B9DEF
		dd offset sub_5B9DFF
		align 8
dword_6A1268	dd 0FFFFFFE0h, 0	; DATA XREF: MmQueryMemoryListInformation+7o
		dd 0FFFFFF5Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_5B9E1A
		dd offset sub_5B9E2D
		align 8
dword_6A1288	dd 0FFFFFFFEh, 0	; DATA XREF: PfpPfnPrioRequest+7o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8DC724
		dd offset sub_8DC734
		dd 0FFFFFFFEh
		dd offset sub_8DC705
		dd offset sub_8DC715
dword_6A12B0	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:0077D007o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_8DC7AC
		dd offset loc_8DC7BC
		dd 0FFFFFFFEh
		dd offset loc_8DC78B
		dd offset loc_8DC79B
		dd 0FFFFFFFEh
		dd offset loc_8DC776
		dd offset loc_8DC786
		align 8
dword_6A12E8	dd 0FFFFFFE0h, 0	; DATA XREF: PAGE:0077D1C7o
		dd 0FFFFFF4Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_8DC8F4
		dd offset loc_8DC907
		dd 0FFFFFFFEh
		dd offset loc_8DC7FA
		dd offset loc_8DC80A
		dd 0FFFFFFFEh
		dd offset loc_8DC812
		dd offset loc_8DC822
		dd 0FFFFFFFEh
		dd offset loc_8DC854
		dd offset loc_8DC864
		dd 0FFFFFFFEh
		dd offset loc_8DC83C
		dd offset loc_8DC84C
		dd 0FFFFFFFEh
		dd offset loc_8DC8BD
		dd offset loc_8DC8CD
dword_6A1340	dd 0FFFFFFE4h, 0	; DATA XREF: PAGE:0077D637o
		dd 0FFFFFB38h, 0
		dd 0FFFFFFFEh
		dd offset loc_77D7BD
		dd offset loc_77D7D0
		dd 0FFFFFFFEh
		dd offset loc_77D8CC
		dd offset loc_77D8DF
		dd 0FFFFFFFEh
		dd offset loc_77D92D
		dd offset loc_77D940
		dd 0FFFFFFFEh
		dd offset loc_77D980
		dd offset loc_77D993
		dd 0FFFFFFFEh
		dd offset loc_77D9CF
		dd offset loc_77D9E2
		dd 0FFFFFFFEh
		dd offset loc_77DA22
		dd offset loc_77DA35
		dd 0FFFFFFFEh
		dd offset loc_77DA67
		dd offset loc_77DA7A
		dd 0FFFFFFFEh
		dd offset loc_77DAC0
		dd offset loc_77DAD3
		dd 0FFFFFFFEh
		dd offset loc_77DB13
		dd offset loc_77DB26
		dd 0FFFFFFFEh
		dd offset loc_77DB7C
		dd offset loc_77DB8F
		dd 0FFFFFFFEh
		dd offset loc_77DBCF
		dd offset loc_77DBE2
		dd 0FFFFFFFEh
		dd offset loc_77DC60
		dd offset loc_77DC73
		dd 0FFFFFFFEh
		dd offset loc_77DCB3
		dd offset loc_77DCC6
		dd 0FFFFFFFEh
		dd offset loc_77DE21
		dd offset loc_77DE34
		dd 0FFFFFFFEh
		dd offset loc_77DE74
		dd offset loc_77DE87
		dd 0FFFFFFFEh
		dd offset loc_77DF40
		dd offset loc_77DF53
		dd 0FFFFFFFEh
		dd offset loc_77DF93
		dd offset loc_77DFA6
		dd 0FFFFFFFEh
		dd offset loc_77E050
		dd offset loc_77E063
		dd 0FFFFFFFEh
		dd offset loc_77E0A6
		dd offset loc_77E0B9
		dd 0FFFFFFFEh
		dd offset loc_77E102
		dd offset loc_77E115
		dd 0FFFFFFFEh
		dd offset loc_77E31C
		dd offset loc_77E32F
		dd 0FFFFFFFEh
		dd offset loc_77E2B8
		dd offset loc_77E2CB
		dd 0FFFFFFFEh
		dd offset loc_77E460
		dd offset loc_77E473
		dd 0FFFFFFFEh
		dd offset loc_77E5B5
		dd offset loc_77E5C8
		dd 0FFFFFFFEh
		dd offset loc_77E65D
		dd offset loc_77E670
		dd 0FFFFFFFEh
		dd offset loc_77E6AC
		dd offset loc_77E6BF
		dd 0FFFFFFFEh
		dd offset loc_77E711
		dd offset loc_77E724
		dd 0FFFFFFFEh
		dd offset loc_77E764
		dd offset loc_77E777
		dd 0FFFFFFFEh
		dd offset loc_77E82C
		dd offset loc_77E83F
		dd 0FFFFFFFEh
		dd offset loc_77E884
		dd offset loc_77E897
		dd 0FFFFFFFEh
		dd offset loc_77E970
		dd offset loc_77E983
		dd 0FFFFFFFEh
		dd offset loc_77EB55
		dd offset loc_77EB68
		dd 0FFFFFFFEh
		dd offset loc_77EA97
		dd offset loc_77EAAA
		dd 0FFFFFFFEh
		dd offset loc_77EB27
		dd offset loc_77EB3A
		dd 0FFFFFFFEh
		dd offset loc_77EBA8
		dd offset loc_77EBBB
		dd 0FFFFFFFEh
		dd offset loc_77EC25
		dd offset loc_77EC38
		dd 0FFFFFFFEh
		dd offset loc_77EC78
		dd offset loc_77EC8B
		dd 0FFFFFFFEh
		dd offset loc_77ECDF
		dd offset loc_77ECF2
		dd 0FFFFFFFEh
		dd offset loc_77ED42
		dd offset loc_77ED55
		dd 0FFFFFFFEh
		dd offset loc_77ED95
		dd offset loc_77EDA8
		dd 0FFFFFFFEh
		dd offset loc_77EDE7
		dd offset loc_77EDFA
		dd 0FFFFFFFEh
		dd offset loc_77EE3A
		dd offset loc_77EE4D
		dd 0FFFFFFFEh
		dd offset loc_77EE73
		dd offset loc_77EE86
		dd 0FFFFFFFEh
		dd offset loc_77EF85
		dd offset loc_77EF98
		dd 0FFFFFFFEh
		dd offset loc_77F003
		dd offset loc_77F016
		dd 0FFFFFFFEh
		dd offset loc_77F088
		dd offset loc_77F09B
		dd 0FFFFFFFEh
		dd offset loc_77F114
		dd offset loc_77F127
		dd 0FFFFFFFEh
		dd offset loc_77F1A0
		dd offset loc_77F1B3
		dd 0FFFFFFFEh
		dd offset loc_77F235
		dd offset loc_77F248
		dd 0FFFFFFFEh
		dd offset loc_77F2B6
		dd offset loc_77F2C9
		dd 0FFFFFFFEh
		dd offset loc_77F3C0
		dd offset loc_77F3D3
		dd 0FFFFFFFEh
		dd offset loc_77F398
		dd offset loc_77F3AB
		dd 0FFFFFFFEh
		dd offset loc_77F413
		dd offset loc_77F426
		dd 0FFFFFFFEh
		dd offset loc_77F48A
		dd offset loc_77F49D
		dd 0FFFFFFFEh
		dd offset loc_77F4DD
		dd offset loc_77F4F0
		dd 0FFFFFFFEh
		dd offset loc_77F549
		dd offset loc_77F55C
		dd 0FFFFFFFEh
		dd offset loc_77F5CA
		dd offset loc_77F5DD
		dd 0FFFFFFFEh
		dd offset loc_77F658
		dd offset loc_77F66B
		dd 0FFFFFFFEh
		dd offset loc_77F6AB
		dd offset loc_77F6BE
		dd 0FFFFFFFEh
		dd offset loc_77F71A
		dd offset loc_77F72D
		dd 0FFFFFFFEh
		dd offset loc_77F770
		dd offset loc_77F783
		dd 0FFFFFFFEh
		dd offset loc_77F7DD
		dd offset loc_77F7F0
		dd 0FFFFFFFEh
		dd offset loc_77F86A
		dd offset loc_77F87D
		dd 0FFFFFFFEh
		dd offset loc_77F8BD
		dd offset loc_77F8D0
		dd 0FFFFFFFEh
		dd offset loc_77F921
		dd offset loc_77F934
		dd 0FFFFFFFEh
		dd offset loc_77F974
		dd offset loc_77F987
		dd 0FFFFFFFEh
		dd offset loc_77F9CD
		dd offset loc_77F9E0
		dd 0FFFFFFFEh
		dd offset loc_77FA20
		dd offset loc_77FA33
		dd 0FFFFFFFEh
		dd offset loc_77FA93
		dd offset loc_77FAA6
		dd 0FFFFFFFEh
		dd offset loc_77FAE5
		dd offset loc_77FAF8
		dd 0FFFFFFFEh
		dd offset loc_77FB5E
		dd offset loc_77FB71
		dd 0FFFFFFFEh
		dd offset loc_77FC32
		dd offset loc_77FC45
		dd 0FFFFFFFEh
		dd offset loc_77FC85
		dd offset loc_77FC98
		dd 0FFFFFFFEh
		dd offset loc_77FCE8
		dd offset loc_77FCFB
		dd 0FFFFFFFEh
		dd offset loc_77FD5D
		dd offset loc_77FD70
		dd 0FFFFFFFEh
		dd offset loc_77FDB7
		dd offset loc_77FDCA
		dd 0FFFFFFFEh
		dd offset loc_77FE70
		dd offset loc_77FE83
		dd 0FFFFFFFEh
		dd offset loc_77FEC6
		dd offset loc_77FED9
		dd 0FFFFFFFEh
		dd offset loc_77FF44
		dd offset loc_77FF57
		dd 0FFFFFFFEh
		dd offset loc_77FF9A
		dd offset loc_77FFAD
		dd 0FFFFFFFEh
		dd offset loc_780018
		dd offset loc_78002B
		dd 0FFFFFFFEh
		dd offset loc_780084
		dd offset loc_780097
		dd 0FFFFFFFEh
		dd offset loc_7800C6
		dd offset loc_7800D9
		dd 0FFFFFFFEh
		dd offset loc_780119
		dd offset loc_78012C
		dd 0FFFFFFFEh
		dd offset loc_78018A
		dd offset loc_78019D
		dd 0FFFFFFFEh
		dd offset loc_7801F8
		dd offset loc_78020B
		dd 0FFFFFFFEh
		dd offset loc_78026E
		dd offset loc_780281
		dd 0FFFFFFFEh
		dd offset loc_7803A1
		dd offset loc_7803B4
		dd 0FFFFFFFEh
		dd offset loc_7803DA
		dd offset loc_7803ED
		dd 0FFFFFFFEh
		dd offset loc_78042D
		dd offset loc_780440
		dd 0FFFFFFFEh
		dd offset loc_78049F
		dd offset loc_7804B2
		dd 0FFFFFFFEh
		dd offset loc_7804F2
		dd offset loc_780505
		dd 0FFFFFFFEh
		dd offset loc_780548
		dd offset loc_78055B
		dd 0FFFFFFFEh
		dd offset loc_78059B
		dd offset loc_7805AE
		dd 0FFFFFFFEh
		dd offset loc_7805DD
		dd offset loc_7805F0
		dd 0FFFFFFFEh
		dd offset loc_780693
		dd offset loc_7806A6
		dd 0FFFFFFFEh
		dd offset loc_7806EF
		dd offset loc_780702
		dd 0FFFFFFFEh
		dd offset loc_780752
		dd offset loc_780765
		dd 0FFFFFFFEh
		dd offset loc_7807F0
		dd offset loc_780803
		dd 0FFFFFFFEh
		dd offset loc_78097F
		dd offset loc_780992
		dd 0FFFFFFFEh
		dd offset loc_780A31
		dd offset loc_780A44
		dd 0FFFFFFFEh
		dd offset loc_780B07
		dd offset loc_780B1A
		dd 0FFFFFFFEh
		dd offset loc_780BB6
		dd offset loc_780BC9
		dd 0FFFFFFFEh
		dd offset loc_780C7C
		dd offset loc_780C8F
		dd 0FFFFFFFEh
		dd offset loc_780C54
		dd offset loc_780C67
		dd 0FFFFFFFEh
		dd offset loc_780CF2
		dd offset loc_780D05
		dd 0FFFFFFFEh
		dd offset loc_780D71
		dd offset loc_780D84
		dd 0FFFFFFFEh
		dd offset loc_780F55
		dd offset loc_780F68
		dd 0FFFFFFFEh
		dd offset loc_7810D2
		dd offset loc_7810E5
		dd 0FFFFFFFEh
		dd offset loc_7811C8
		dd offset loc_7811DB
		dd 0FFFFFFFEh
		dd offset loc_7811A0
		dd offset loc_7811B3
		dd 0FFFFFFFEh
		dd offset loc_78126B
		dd offset loc_78127E
		dd 0FFFFFFFEh
		dd offset loc_781316
		dd offset loc_781329
		dd 0FFFFFFFEh
		dd offset loc_7813FD
		dd offset loc_781410
		dd 0FFFFFFFEh
		dd offset loc_7814C7
		dd offset loc_7814DA
		dd 0FFFFFFFEh
		dd offset loc_78152A
		dd offset loc_78153D
		dd 0FFFFFFFEh
		dd offset loc_781578
		dd offset loc_78158B
		dd 0FFFFFFFEh
		dd offset loc_781625
		dd offset loc_781638
		dd 0FFFFFFFEh
		dd offset loc_7816DE
		dd offset loc_7816F1
		dd 0FFFFFFFEh
		dd offset loc_78175F
		dd offset loc_781772
		dd 0FFFFFFFEh
		dd offset loc_78188F
		dd offset loc_7818A2
		dd 0FFFFFFFEh
		dd offset loc_7818EE
		dd offset loc_781901
		dd 0FFFFFFFEh
		dd offset loc_78195B
		dd offset loc_78196E
		dd 0FFFFFFFEh
		dd offset loc_781A29
		dd offset loc_781A3C
		dd 0FFFFFFFEh
		dd offset loc_781A8C
		dd offset loc_781A9F
		dd 0FFFFFFFEh
		dd offset loc_781AD4
		dd offset loc_781AE7
		dd 0FFFFFFFEh
		dd offset loc_781BA3
		dd offset loc_781BB6
		dd 0FFFFFFFEh
		dd offset loc_781C19
		dd offset loc_781C2C
		dd 0FFFFFFFEh
		dd offset loc_781C9F
		dd offset loc_781CB2
		dd 0FFFFFFFEh
		dd offset loc_781CF2
		dd offset loc_781D05
		dd 0FFFFFFFEh
		dd offset loc_781D7F
		dd offset loc_781D92
		dd 0FFFFFFFEh
		dd offset loc_781F75
		dd offset loc_781F88
		dd 0FFFFFFFEh
		dd offset loc_781FDC
		dd offset loc_781FEF
		dd 0FFFFFFFEh
		dd offset loc_78201D
		dd offset loc_782030
		dd 0FFFFFFFEh
		dd offset loc_78210C
		dd offset loc_78211F
		dd 0FFFFFFFEh
		dd offset loc_782191
		dd offset loc_7821A4
		dd 0FFFFFFFEh
		dd offset loc_7821F4
		dd offset loc_782207
		dd 0FFFFFFFEh
		dd offset loc_782276
		dd offset loc_782289
		dd 0FFFFFFFEh
		dd offset loc_78234D
		dd offset loc_782360
		dd 0FFFFFFFEh
		dd offset loc_782394
		dd offset loc_7823A7
		dd 0FFFFFFFEh
		dd offset loc_7823C2
		dd offset loc_7823D5
		align 10h
dword_6A19F0	dd 0FFFFFFFEh, 0	; DATA XREF: ExpSetKernelDataProtection+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8DCEBC
		align 10h
dword_6A1A10	dd 0FFFFFFFEh, 0	; DATA XREF: ExpGetKernelDataProtection+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8DD575
		align 10h
dword_6A1A30	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:00788BB7o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_8DD5D8
		dd offset loc_8DD5E8
		dd 0FFFFFFFEh
		dd offset loc_8DD629
		dd offset loc_8DD639
dword_6A1A58	dd 0FFFFFFE4h, 0	; DATA XREF: NtWaitForMultipleObjects+7o
		dd 0FFFFFEC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DD6F0
		dd offset sub_8DD703
		align 8
dword_6A1A78	dd 0FFFFFFE4h, 0	; DATA XREF: ObWaitForMultipleObjects+7o
		dd 0FFFFFD78h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DD836
		dd offset sub_8DD84F
		align 8
dword_6A1A98	dd 0FFFFFFE4h, 0	; DATA XREF: CcCachemapUninitWorkerThread+2o
		dd 0FFFFFF84h, 0
		dd 0FFFFFFFEh
		dd offset sub_5BA662
		dd offset sub_5BA695
		align 8
dword_6A1AB8	dd 0FFFFFFE4h, 0	; DATA XREF: CcWorkerThread+5o
		dd 0FFFFFF48h, 0
		dd 0FFFFFFFEh
		dd offset sub_5BA6B9
		dd offset sub_5BA817
		align 8
dword_6A1AD8	dd 0FFFFFFFEh, 0	; DATA XREF: CcPinRead+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8DDA6A
		align 8
dword_6A1AF8	dd 0FFFFFFFEh, 0	; DATA XREF: CcPinMappedData+7o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8DDAF2
		align 8
dword_6A1B18	dd 0FFFFFFFEh, 0	; DATA XREF: CcPinFileData+1Ao
		dd 0FFFFFF78h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5BB259
		align 8
dword_6A1B38	dd 0FFFFFFFEh, 0	; DATA XREF: SMKM_STORE<SM_TRAITS>::SmStCompareRegionDataCallback(_SMKM_STORE_HELPER *,void *,ulong)+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_499EED
		dd offset loc_499EFB
		align 8
dword_6A1B58	dd 0FFFFFFE0h, 0	; DATA XREF: MiEliminateZeroPages+7o
		dd 0FFFFFF14h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DDD67
		dd offset sub_8DDD6D
		align 8
dword_6A1B78	dd 0FFFFFFE4h, 0	; DATA XREF: NtUnlockVirtualMemory(x,x,x,x)+7o
		dd 0FFFFFEE4h, 0
		dd 0FFFFFFFEh
		dd offset sub_49FFEA
		dd offset sub_49FFFD
		align 8
dword_6A1B98	dd 0FFFFFFFEh, 0	; DATA XREF: MiLockUnlockCommon+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DE069
		dd offset sub_8DE079
		align 8
dword_6A1BB8	dd 0FFFFFFE4h, 0	; DATA XREF: NtLockVirtualMemory(x,x,x,x)+5o
		dd 0FFFFFF4Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_4A1ED7
		dd offset loc_4A1EE8
		dd 0FFFFFFFEh
		dd offset loc_4A238C
		dd offset loc_4A239D
dword_6A1BE0	dd 0FFFFFFFEh, 0	; DATA XREF: NtDelayExecution+7o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DE0CB
		dd offset sub_8DE0DB
		align 10h
dword_6A1C00	dd 0FFFFFFFEh, 0	; DATA XREF: CcAcquireByteRangeForWrite+7o
		dd 0FFFFFF38h, 0
		dd 0FFFFFFFEh
		dd offset loc_5C0B7F
		dd offset sub_5C0BB2
		dd 0FFFFFFFEh
		dd offset sub_5C0CC0
		dd offset sub_5C0CF3
dword_6A1C28	dd 0FFFFFFDCh, 0	; DATA XREF: MiGetWorkingSetInfoList(x,x,x,x)+1Ao
		dd 0FFFFFED8h, 0
		dd 0FFFFFFFEh
		dd offset loc_4B1A16
		dd offset loc_4B1A2C
		dd 0FFFFFFFEh
		dd offset loc_4B2A79
		dd offset loc_4B2A8F
		dd 0FFFFFFFEh
		dd offset loc_4B1DC7
		dd offset loc_4B1DDD
		dd 0FFFFFFFEh
		dd offset loc_4B2A4E
		dd offset loc_4B2A64
dword_6A1C68	dd 0FFFFFFFEh, 0	; DATA XREF: KeExpandKernelStackAndCalloutInternal+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh, 0
		dd offset loc_5C1D2D
		align 8
		dd offset sub_5C1D1A
		dd offset loc_5C1D25
dword_6A1C90	dd 0FFFFFFFEh, 0	; DATA XREF: KeUserModeCallback+7o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_8DE3FA
		dd offset loc_8DE40A
		dd 0FFFFFFFEh
		dd offset sub_8DE3C8
		dd offset sub_8DE3CE
dword_6A1CB8	dd 0FFFFFFE4h, 0	; DATA XREF: RtlpReadExtendedContext+7o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DE4FF
		dd offset sub_8DE50F
		align 8
dword_6A1CD8	dd 0FFFFFFE0h, 0	; DATA XREF: KiDispatchException+7o
		dd 0FFFFFEB4h, 0
		dd 0FFFFFFFEh
		dd offset sub_5C2428
		dd offset sub_5C24A4
		align 8
dword_6A1CF8	dd 0FFFFFFFEh, 0	; DATA XREF: RtlpReadExtendedContextLayout+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8DE5EB
		dd offset sub_8DE5F9
		align 8
dword_6A1D18	dd 0FFFFFFFEh, 0	; DATA XREF: NtFreeVirtualMemory+7o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_8DE7EB
		dd offset loc_8DE815
		dd 0FFFFFFFEh
		dd offset sub_8DE7D3
		dd offset sub_8DE7D9
dword_6A1D40	dd 0FFFFFFE4h, 0	; DATA XREF: MiRelocateImage+7o
		dd 0FFFFFF40h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DF076
		dd offset sub_8DF089
		align 10h
dword_6A1D60	dd 0FFFFFFE4h, 0	; DATA XREF: MiParseComAndCetHeaders(x,x,x)+5o
		dd 0FFFFFEFCh, 0
		dd 0FFFFFFFEh
		dd offset loc_791B0C
		dd offset loc_791B1D
		dd 0FFFFFFFEh
		dd offset loc_791CD7
		dd offset loc_791CE8
		dd 0FFFFFFFEh
		dd offset loc_791C9A
		dd offset loc_791CAB
		align 8
dword_6A1D98	dd 0FFFFFFE4h, 0	; DATA XREF: MiParseImageLoadConfig+5o
		dd 0FFFFFE38h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DF40B
		dd offset sub_8DF41C
		dd 0FFFFFFFEh
		dd offset sub_8DF43D
		dd offset sub_8DF44E
dword_6A1DC0	dd 0FFFFFFFEh, 0	; DATA XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+7o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_7928E7
		dd offset loc_7928F7
		align 10h
dword_6A1DE0	dd 0FFFFFFFEh, 0	; DATA XREF: MiCreateFixupRecord(x,x,x,x,x,x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_792B65
		dd offset loc_792B73
		align 10h
dword_6A1E00	dd 0FFFFFFE4h, 0	; DATA XREF: PAGE:007934D5o
		dd 0FFFFFF34h, 0
		dd 0FFFFFFFEh
		dd offset loc_7937C1
		dd offset loc_7937C5
		align 10h
dword_6A1E20	dd 0FFFFFFFEh, 0	; DATA XREF: ExLockUserBuffer+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DF96C
		dd offset sub_8DF97A
		align 10h
dword_6A1E40	dd 0FFFFFFFEh, 0	; DATA XREF: PsThawProcess+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_79489C
		dd offset loc_79480C
		align 10h
dword_6A1E60	dd 0FFFFFFFEh, 0	; DATA XREF: PopGetSettingValue+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8DF9FA
		dd offset sub_8DFA08
		align 10h
dword_6A1E80	dd 0FFFFFFE4h, 0	; DATA XREF: PopMarshalSettingValues+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8DFA2E
		align 10h
dword_6A1EA0	dd 0FFFFFFFEh, 0	; DATA XREF: ExGetSessionPoolTagInfo+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset sub_5C4CC7
		dd offset sub_5C4CD5
		align 10h
dword_6A1EC0	dd 0FFFFFFE4h, 0	; DATA XREF: MmProcessWorkingSetControl+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E60A8
		dd offset sub_8E60B6
		align 10h
dword_6A1EE0	dd 0FFFFFFE4h, 0	; DATA XREF: SmProcessCreateRequest+5o
		dd 0FFFFFF38h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E6380
		dd offset sub_8E6391
		dd 0FFFFFFFEh
		dd offset sub_8E6347
		dd offset sub_8E6358
dword_6A1F08	dd 0FFFFFFFEh, 0	; DATA XREF: NtQuerySection+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E664F
		dd offset sub_8E665D
		dd 0FFFFFFFEh
		dd offset sub_8E6695
		dd offset sub_8E66A3
dword_6A1F30	dd 0FFFFFFFEh, 0	; DATA XREF: MmGetSectionInformation(x,x,x)+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset loc_7986BC
		dd offset loc_7986CA
		align 10h
dword_6A1F50	dd 0FFFFFFFEh, 0	; DATA XREF: NtPulseEvent+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8E66D6
		dd offset sub_8E66E4
		dd 0FFFFFFFEh
		dd offset sub_8E6714
		dd offset sub_8E6705
dword_6A1F78	dd 0FFFFFFFEh, 0	; DATA XREF: NtAlpcCreatePortSection(x,x,x,x,x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_798A07
		dd offset loc_798A15
		dd 0FFFFFFFEh
		dd offset loc_798A24
		dd offset loc_798A32
dword_6A1FA0	dd 0FFFFFFFEh, 0	; DATA XREF: IopAllocateMiniCompletionPacket+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E6816
		dd offset sub_8E681A
		align 10h
dword_6A1FC0	dd 0FFFFFFFEh, 0	; DATA XREF: ObpCreateDirectoryObject+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E683D
		dd offset sub_8E684B
		dd 0FFFFFFFEh
		dd offset sub_8E6856
		dd offset sub_8E685A
dword_6A1FE8	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreateTimer2+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8E689B
		dd offset sub_8E68A9
		dd 0FFFFFFFEh
		dd offset sub_8E68CD
		dd offset sub_8E68D1
dword_6A2010	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreateWorkerFactory+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset sub_8E68E0
		dd offset sub_8E68EE
		dd 0FFFFFFFEh
		dd offset sub_8E6963
		dd offset sub_8E6969
dword_6A2038	dd 0FFFFFFE4h, 0	; DATA XREF: PAGE:00799F1Bo
		dd 0FFFFFEB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_79A0C7
		dd offset loc_79A0D8
		dd 0FFFFFFFEh
		dd offset loc_79A662
		dd offset loc_79A673
dword_6A2060	dd 0FFFFFFE4h, 0	; DATA XREF: AlpcpConnectPort+5o
		dd 0FFFFFF50h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E69E4
		dd offset sub_8E69CF
		dd 0FFFFFFFEh
		dd offset sub_8E6A03
		dd offset sub_8E6A07
		dd 0FFFFFFFEh
		dd offset sub_8E6A16
		dd offset sub_8E6A27
		align 8
dword_6A2098	dd 0FFFFFFFEh, 0	; DATA XREF: NtDuplicateToken+7o
		dd 0FFFFFF88h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E6ACB
		dd offset sub_8E6ADB
		dd 0FFFFFFFEh
		dd offset sub_8E6AFF
		dd offset sub_8E6B0F
dword_6A20C0	dd 0FFFFFFFEh, 0	; DATA XREF: SeCaptureObjectAttributeSecurityDescriptorPresent+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_5C9578
		dd offset sub_5C9586
		align 10h
dword_6A20E0	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:0079B504o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_8E6B69
		dd offset loc_8E6B77
		align 10h
dword_6A2100	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpProcessConnectionRequest+2o
		dd 0FFFFFF74h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E6BB6
		dd offset sub_8E6BC4
		dd 0FFFFFFFEh
		dd offset sub_8E6C5D
		dd offset sub_8E6C6B
		dd 0FFFFFFFEh
		dd offset sub_8E6C8B
		dd offset sub_8E6C99
		align 8
dword_6A2138	dd 0FFFFFFE4h, 0	; DATA XREF: ExpSetTimer2+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset sub_5C972B
		dd offset sub_5C9739
		align 8
dword_6A2158	dd 0FFFFFFFEh, 0	; DATA XREF: NtPrivilegeCheck+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E712A
		dd offset sub_8E7138
		dd 0FFFFFFFEh
		dd offset sub_8E714F
		dd offset sub_8E715D
dword_6A2180	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:0079C8F4o
		dd 0FFFFFF88h, 0
		dd 0FFFFFFFEh
		dd offset loc_8E719B
		dd offset loc_8E71A9
		dd 0FFFFFFFEh
		dd offset loc_8E71AE
		dd offset loc_8E71BC
		dd 0FFFFFFFEh
		dd offset loc_8E71DB
		dd offset byte_8E71E9
		dd 0FFFFFFFEh
		dd offset loc_8E726A
		dd offset dword_8E7278
dword_6A21C0	dd 0FFFFFFFEh, 0	; DATA XREF: SeCaptureLuidAndAttributesArray+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E7425
		dd offset sub_8E7433
		dd 0FFFFFFFEh
		dd offset sub_8E7445
		dd offset sub_8E7453
dword_6A21E8	dd 0FFFFFFE4h, 0	; DATA XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+7o
		dd 0FFFFFE60h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E7506
		dd offset sub_8E7519
		dd 0FFFFFFFEh
		dd offset sub_8E7664
		dd offset sub_8E7677
		dd 0FFFFFFFEh
		dd offset sub_8E826F
		dd offset sub_8E8282
		align 10h
dword_6A2220	dd 0FFFFFFFEh, 0	; DATA XREF: SepProbeAndCaptureString_U+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E833D
		dd offset sub_8E834D
		align 10h
dword_6A2240	dd 0FFFFFFFEh, 0	; DATA XREF: NtDeleteWnfStateName+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset sub_8E934E
		dd offset sub_8E935E
		align 10h
dword_6A2260	dd 0FFFFFFFEh, 0	; DATA XREF: PspCaptureCreateInfo+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E93CE
		dd offset sub_8E93DC
		align 10h
dword_6A2280	dd 0FFFFFFE4h, 0	; DATA XREF: NtCreateWnfStateName+2o
		dd 0FFFFFF84h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E9445
		dd offset sub_8E9455
		dd 0FFFFFFFEh
		dd offset sub_8E94A6
		dd offset loc_8E945A
dword_6A22A8	dd 0FFFFFFE4h, 0	; DATA XREF: NtGetCompleteWnfStateSubscription+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E94FE
		dd offset sub_8E950E
		dd 0FFFFFFFEh
		dd offset loc_8E9513
		dd offset loc_8E9523
dword_6A22D0	dd 0FFFFFFFEh, 0	; DATA XREF: ExpWnfDeliverThreadNotifications+2o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E955E
		dd offset sub_8E956E
		align 10h
dword_6A22F0	dd 0FFFFFFE4h, 0	; DATA XREF: ExpNtUpdateWnfStateData+2o
		dd 0FFFFFF68h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E97BB
		dd offset sub_8E97CB
		dd 0FFFFFFFEh
		dd offset sub_8E96FB
		dd offset sub_8E970B
dword_6A2318	dd 0FFFFFFFEh, 0	; DATA XREF: NtSubscribeWnfStateChange+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E97D9
		dd offset sub_8E97E9
		dd 0FFFFFFFEh
		dd offset loc_8E97EE
		dd offset loc_8E97FE
dword_6A2340	dd 0FFFFFFFEh, 0	; DATA XREF: ExpWnfSubscribeWnfStateChange+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E9813
		dd offset sub_8E9823
		align 10h
dword_6A2360	dd 0FFFFFFE4h, 0	; DATA XREF: NtQueryWnfStateData+7o
		dd 0FFFFFF64h, 0
		dd 0FFFFFFFEh
		dd offset sub_7A0ACA
		dd offset loc_7A0AF8
		dd 0FFFFFFFEh
		dd offset sub_8E9870
		dd offset sub_8E989A
dword_6A2388	dd 0FFFFFFFEh, 0	; DATA XREF: ExpWnfReadStateData+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh, 0
		dd offset loc_8E9955
		align 8
dword_6A23A8	dd 0FFFFFFE4h, 0	; DATA XREF: ExpWnfWriteStateData+2o
		dd 0FFFFFF6Ch, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8E9AAB
		align 8
dword_6A23C8	dd 0FFFFFFE4h, 0	; DATA XREF: PAGE:007A291Do
		dd 0FFFFFB18h, 0
		dd 0FFFFFFFEh
		dd offset loc_7A3756
		dd offset loc_7A3767
		dd 0FFFFFFFEh
		dd offset loc_7A360E
		dd offset loc_7A3628
dword_6A23F0	dd 0FFFFFFFEh, 0	; DATA XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset loc_7A4009
		dd offset loc_7A4019
		dd 0FFFFFFFEh
		dd offset loc_7A3E22
		dd offset loc_7A3E32
		dd 0FFFFFFFEh
		dd offset loc_7A3F60
		dd offset loc_7A3F70
		dd 0FFFFFFFEh
		dd offset loc_7A45FC
		dd offset loc_7A460C
		dd 0FFFFFFFEh
		dd offset loc_7A4579
		dd offset loc_7A4589
		align 10h
dword_6A2440	dd 0FFFFFFFEh, 0	; DATA XREF: PspUpdateCreateInfo+2o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E9E13
		dd offset sub_8E9E21
		dd 0FFFFFFFEh
		dd offset sub_8E9E26
		dd offset loc_8E9DB5
		dd 0FFFFFFFEh
		dd offset sub_8E9DED
		dd offset sub_8E9DFB
		dd 0FFFFFFFEh
		dd offset sub_8E9DA2
		dd offset sub_8E9DB0
		dd 0FFFFFFFEh
		dd offset sub_8E9E34
		dd offset sub_8E9E42
		align 10h
dword_6A2490	dd 0FFFFFFFEh, 0	; DATA XREF: NtAlpcQueryInformationMessage+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E9ED1
		dd offset sub_8E9EDF
		align 10h
dword_6A24B0	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpQueryHandleInformationMessage+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8E9F1D
		dd offset sub_8E9F2D
		dd 0FFFFFFFEh
		dd offset sub_8E9F05
		dd offset sub_8E9F0B
dword_6A24D8	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpCaptureHandleAttribute+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E9F3F
		dd offset sub_8E9F4F
		align 8
dword_6A24F8	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpCaptureHandleAttributeInternal+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8E9F89
		dd offset sub_8E9F99
		align 8
dword_6A2518	dd 0FFFFFFFEh, 0	; DATA XREF: NtDuplicateObject+7o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8EA112
		dd offset sub_8EA122
		dd 0FFFFFFFEh
		dd offset sub_8EA13E
		dd offset sub_8EA15E
dword_6A2540	dd 0FFFFFFE4h, 0	; DATA XREF: EtwpTraceThreadRundown+5o
		dd 0FFFFFF58h, 0
		dd 0FFFFFFFEh
		dd offset loc_5CAF27
		dd offset sub_5CAF2B
		align 10h
dword_6A2560	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpLogSystemEventUnsafe+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset sub_5CAF42
		dd offset sub_5CAF50
		align 10h
dword_6A2580	dd 0FFFFFFE4h, 0	; DATA XREF: PAGE:007A6DB7o
		dd 0FFFFFC30h, 0
		dd 0FFFFFFFEh
		dd offset loc_7A6FC3
		dd offset loc_7A6FD6
		dd 0FFFFFFFEh
		dd offset loc_7A7166
		dd offset loc_7A7179
		dd 0FFFFFFFEh
		dd offset loc_7A7278
		dd offset loc_7A728B
		dd 0FFFFFFFEh
		dd offset loc_7A7336
		dd offset loc_7A7349
		dd 0FFFFFFFEh
		dd offset loc_7A73DB
		dd offset loc_7A73EE
		dd 0FFFFFFFEh
		dd offset loc_7A74D2
		dd offset loc_7A74E5
		dd 0FFFFFFFEh
		dd offset loc_7A756F
		dd offset loc_7A7582
		dd 0FFFFFFFEh
		dd offset loc_7A75D3
		dd offset loc_7A75E6
		dd 0FFFFFFFEh
		dd offset loc_7A78A0
		dd offset loc_7A78B3
		dd 0FFFFFFFEh
		dd offset loc_7A7716
		dd offset loc_7A7729
		dd 0FFFFFFFEh
		dd offset loc_7A78F9
		dd offset loc_7A790C
		dd 0FFFFFFFEh
		dd offset loc_7A7B0D
		dd offset loc_7A7B20
		dd 0FFFFFFFEh
		dd offset loc_7A7BFF
		dd offset loc_7A7C12
		dd 0FFFFFFFEh
		dd offset loc_7A7C50
		dd offset loc_7A7C63
		dd 0FFFFFFFEh
		dd offset loc_7A7DEC
		dd offset loc_7A7DFF
		dd 0FFFFFFFEh
		dd offset loc_7A7F14
		dd offset loc_7A7F27
		dd 0FFFFFFFEh
		dd offset loc_7A7F85
		dd offset loc_7A7F98
		dd 0FFFFFFFEh
		dd offset loc_7A809D
		dd offset loc_7A80B0
		dd 0FFFFFFFEh
		dd offset loc_7A815A
		dd offset loc_7A816D
		dd 0FFFFFFFEh
		dd offset loc_7A822B
		dd offset loc_7A823E
		dd 0FFFFFFFEh
		dd offset loc_7A82F7
		dd offset loc_7A830A
		dd 0FFFFFFFEh
		dd offset loc_7A836D
		dd offset loc_7A8380
		dd 0FFFFFFFEh
		dd offset loc_7A8533
		dd offset loc_7A8546
		dd 0FFFFFFFEh
		dd offset loc_7A85B3
		dd offset loc_7A85C6
		dd 0FFFFFFFEh
		dd offset loc_7A871A
		dd offset loc_7A872D
		dd 0FFFFFFFEh
		dd offset loc_7A8CC5
		dd offset loc_7A8CD8
		dd 0FFFFFFFEh
		dd offset loc_7A8C57
		dd offset loc_7A8C6A
		dd 0FFFFFFFEh
		dd offset loc_7A89D0
		dd offset loc_7A89E3
		dd 0FFFFFFFEh
		dd offset loc_7A8AF1
		dd offset loc_7A8B04
		dd 0FFFFFFFEh
		dd offset loc_7A8A34
		dd offset loc_7A8A47
		dd 0FFFFFFFEh
		dd offset loc_7A8AAC
		dd offset loc_7A8ABF
		dd 0FFFFFFFEh
		dd offset loc_7A8AD6
		dd offset loc_7A8ADC
		dd 0FFFFFFFEh
		dd offset loc_7A8C3C
		dd offset loc_7A8C4F
		dd 0FFFFFFFEh
		dd offset loc_7A8B80
		dd offset loc_7A8B93
		dd 0FFFFFFFEh
		dd offset loc_7A8BE5
		dd offset loc_7A8BF8
		dd 0FFFFFFFEh
		dd offset loc_7A8C24
		dd offset loc_7A8C2A
		dd 0FFFFFFFEh
		dd offset loc_7A8ECB
		dd offset loc_7A8EDE
		dd 0FFFFFFFEh, 2 dup(0)
		dd 0FFFFFFFEh
		dd offset loc_7A8FD6
		dd offset loc_7A8FE9
		dd 0FFFFFFFEh
		dd offset loc_7A903E
		dd offset loc_7A9051
		dd 0FFFFFFFEh
		dd offset loc_7A9066
		dd offset loc_7A9079
		dd 0FFFFFFFEh
		dd offset loc_7A90D6
		dd offset loc_7A90E9
		dd 0FFFFFFFEh
		dd offset loc_7A91A2
		dd offset loc_7A91B5
		dd 0FFFFFFFEh
		dd offset loc_7A9247
		dd offset loc_7A925A
		dd 0FFFFFFFEh
		dd offset loc_7A92B5
		dd offset loc_7A92C8
		dd 0FFFFFFFEh
		dd offset loc_7A9F17
		dd offset loc_7A9F2A
		dd 0FFFFFFFEh
		dd offset loc_7A9FE8
		dd offset loc_7A9FFB
		dd 0FFFFFFFEh
		dd offset loc_7AA134
		dd offset loc_7AA147
		dd 0FFFFFFFEh
		dd offset loc_7AA2A0
		dd offset loc_7AA2B3
		dd 0FFFFFFFEh
		dd offset loc_7AA369
		dd offset loc_7AA37C
		dd 0FFFFFFFEh
		dd offset loc_7AA48B
		dd offset loc_7AA49E
		dd 0FFFFFFFEh
		dd offset loc_7AA567
		dd offset loc_7AA57A
		dd 0FFFFFFFEh
		dd offset loc_7AA62A
		dd offset loc_7AA63D
		dd 0FFFFFFFEh
		dd offset loc_7AA7A4
		dd offset loc_7AA7B7
		dd 0FFFFFFFEh
		dd offset loc_7AA875
		dd offset loc_7AA888
		dd 0FFFFFFFEh
		dd offset loc_7AA970
		dd offset loc_7AA983
		dd 0FFFFFFFEh
		dd offset loc_7AAA46
		dd offset loc_7AAA59
		dd 0FFFFFFFEh
		dd offset loc_7AAB85
		dd offset loc_7AAB98
		dd 0FFFFFFFEh
		dd offset loc_7AAB5D
		dd offset loc_7AAB70
		dd 0FFFFFFFEh
		dd offset loc_7AACE5
		dd offset loc_7AACF8
		dd 0FFFFFFFEh
		dd offset loc_7AADC2
		dd offset loc_7AADD5
		dd 0FFFFFFFEh
		dd offset loc_7AAE97
		dd offset loc_7AAEAA
		dd 0FFFFFFFEh
		dd offset loc_7AAF4B
		dd offset loc_7AAF5E
		dd 0FFFFFFFEh
		dd offset loc_7AB03C
		dd offset loc_7AB04F
		dd 0FFFFFFFEh
		dd offset loc_7AB015
		dd offset loc_7AB028
		align 10h
dword_6A28A0	dd 0FFFFFFFEh, 0	; DATA XREF: AuthzBasepCompareUnicodeStringOperands+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset sub_5CB484
		dd offset sub_5CB492
		align 10h
dword_6A28C0	dd 0FFFFFFFEh, 0	; DATA XREF: RtlIsNameInExpression+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5CB50D
		align 10h
dword_6A28E0	dd 0FFFFFFFEh, 0	; DATA XREF: RtlIsNameInUnUpcasedExpression+7o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5CB54D
		align 10h
dword_6A2900	dd 0FFFFFFFEh, 0	; DATA XREF: PspCaptureUserProcessParameters+5o
		dd 0FFFFFF50h, 0
		dd 0FFFFFFFEh
		dd offset loc_8EAD8E
		dd offset loc_8EAD9F
		dd 0FFFFFFFEh
		dd offset loc_8EAD68
		dd offset loc_8EAD79
		dd 0FFFFFFFEh
		dd offset sub_8EAB46
		dd offset sub_8EAB57
		dd 0FFFFFFFEh
		dd offset sub_8EABF3
		dd offset sub_8EAC04
		dd 0FFFFFFFEh
		dd offset sub_8EAC82
		dd offset sub_8EAC93
		dd 0FFFFFFFEh
		dd offset sub_8EAD3D
		dd offset sub_8EAD4E
dword_6A2958	dd 0FFFFFFFEh, 0	; DATA XREF: PspCopyUnicodeString+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_8EADB4
		dd offset loc_8EADC2
		align 8
dword_6A2978	dd 0FFFFFFFEh, 0	; DATA XREF: PspCaptureAndValidateUnicodeString+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_8EADF4
		dd offset loc_8EAE02
		dd 0FFFFFFFEh
		dd offset loc_8EADD4
		dd offset loc_8EADE2
dword_6A29A0	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlFindInTunnelCacheEx+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8EAF4E
		align 10h
dword_6A29C0	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlPrivateLock+7o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5CC994
		align 10h
dword_6A29E0	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlPrivateInitializeFileLock+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset loc_5CCFB3
		align 10h
dword_6A2A00	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlAddLargeMcbEntry+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5CCFBB
		align 10h
dword_6A2A20	dd 0FFFFFFFEh, 0	; DATA XREF: NtWaitForAlertByThreadId+7o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8EB561
		dd offset sub_8EB571
		align 10h
dword_6A2A40	dd 0FFFFFFFEh, 0	; DATA XREF: NtAlpcQueryInformation+7o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EB5BB
		dd offset sub_8EB5CB
		align 10h
dword_6A2A60	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpPortQueryBasicInfo+7o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EB610
		dd offset sub_8EB620
		align 10h
dword_6A2A80	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpPortQueryServerSessionInfo+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EB62E
		dd offset sub_8EB63C
		align 10h
dword_6A2AA0	dd 0FFFFFFE4h, 0	; DATA XREF: AlpcpPortQueryConnectedSidInfo+2o
		dd 0FFFFFF7Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8EB658
		dd offset sub_8EB666
		align 10h
dword_6A2AC0	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpWaitForPortReferences+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8EB698
		dd offset sub_8EB6A6
		align 10h
dword_6A2AE0	dd 0FFFFFFFEh, 0	; DATA XREF: NtReleaseSemaphore+7o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EB78C
		dd offset sub_8EB79C
		dd 0FFFFFFFEh
		dd offset loc_7B028D
		dd offset loc_7B02A8
		dd 0FFFFFFFEh
		dd offset loc_8EB7C2
		dd offset loc_8EB7C8
		align 8
dword_6A2B18	dd 0FFFFFFFEh, 0	; DATA XREF: NtSetEvent+7o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_8EB7FF
		dd offset loc_8EB80F
		dd 0FFFFFFFEh
		dd offset sub_8EB7E4
		dd offset sub_8EB7EA
dword_6A2B40	dd 0FFFFFFE4h, 0	; DATA XREF: NtSecureConnectPort+5o
		dd 0FFFFFF18h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EB9ED
		dd offset sub_8EB994
		dd 0FFFFFFFEh
		dd offset sub_8EBA7D
		dd offset sub_8EBA8B
dword_6A2B68	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpReceiveLegacyConnectionReply+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EBAF1
		dd offset sub_8EBAFF
		align 8
dword_6A2B88	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:007B1027o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset loc_8EBB2E
		dd offset loc_8EBB3E
		align 8
dword_6A2BA8	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpReceiveLegacyMessage+7o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EBBB4
		dd offset sub_8EBBC4
		dd 0FFFFFFFEh
		dd offset sub_8EBC37
		dd offset sub_8EBC47
dword_6A2BD0	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+2o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh
		dd offset loc_7B16CA
		dd offset loc_7B16D8
		dd 0FFFFFFFEh
		dd offset loc_7B1866
		dd offset loc_7B1874
dword_6A2BF8	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlOplockBreakH+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8EBD88
		align 8
dword_6A2C18	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_4E9B2C
		align 8
dword_6A2C38	dd 0FFFFFFFEh, 0	; DATA XREF: NtAlpcOpenSenderThread+2o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EBDE5
		dd offset sub_8EBDF3
		dd 0FFFFFFFEh
		dd offset sub_8EBE80
		dd offset sub_8EBE8E
dword_6A2C60	dd 0FFFFFFE4h, 0	; DATA XREF: PsOpenThread+5o
		dd 0FFFFFDB8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EBEBB
		dd offset sub_8EBECC
		dd 0FFFFFFFEh
		dd offset sub_8EC054
		dd offset loc_8EBED4
dword_6A2C88	dd 0FFFFFFE4h, 0	; DATA XREF: PAGE:007B31CBo
		dd 0FFFFFE44h, 0
		dd 0FFFFFFFEh
		dd offset loc_7B3267
		dd offset loc_7B3278
		dd 0FFFFFFFEh
		dd offset loc_7B32FB
		dd offset loc_7B330E
		dd 0FFFFFFFEh
		dd offset loc_7B3394
		dd offset loc_7B33A7
		dd 0FFFFFFFEh
		dd offset loc_7B3376
		dd offset loc_7B3389
		dd 0FFFFFFFEh
		dd offset loc_7B342A
		dd offset loc_7B343D
		dd 0FFFFFFFEh
		dd offset loc_7B3529
		dd offset loc_7B353C
		dd 0FFFFFFFEh
		dd offset loc_7B35D7
		dd offset loc_7B35EA
		dd 0FFFFFFFEh
		dd offset loc_7B370F
		dd offset loc_7B3722
		dd 0FFFFFFFEh
		dd offset loc_7B37E6
		dd offset loc_7B37F9
		dd 0FFFFFFFEh
		dd offset loc_7B38D9
		dd offset loc_7B38EA
		dd 0FFFFFFFEh
		dd offset loc_7B398B
		dd offset loc_7B399E
		dd 0FFFFFFFEh
		dd offset loc_7B3AAD
		dd offset loc_7B3ABE
		dd 0FFFFFFFEh
		dd offset loc_7B3A7B
		dd offset loc_7B3A8C
		dd 0FFFFFFFEh
		dd offset loc_7B3BA7
		dd offset loc_7B3BBA
		dd 0FFFFFFFEh
		dd offset loc_7B3B7F
		dd offset loc_7B3B92
		dd 0FFFFFFFEh
		dd offset loc_7B3C7A
		dd offset loc_7B3C8D
		dd 0FFFFFFFEh
		dd offset loc_7B3D0E
		dd offset loc_7B3D1F
		dd 0FFFFFFFEh
		dd offset loc_7B3EBD
		dd offset loc_7B3ED0
		dd 0FFFFFFFEh
		dd offset loc_7B3F22
		dd offset loc_7B3F33
		dd 0FFFFFFFEh
		dd offset loc_7B40F1
		dd offset loc_7B4104
		dd 0FFFFFFFEh
		dd offset loc_7B41B0
		dd offset loc_7B41C3
		dd 0FFFFFFFEh
		dd offset loc_7B42B4
		dd offset loc_7B42C5
		dd 0FFFFFFFEh
		dd offset loc_7B4352
		dd offset loc_7B4365
		dd 0FFFFFFFEh
		dd offset loc_7B43FA
		dd offset loc_7B440D
		dd 0FFFFFFFEh
		dd offset loc_7B43E2
		dd offset loc_7B43E8
		dd 0FFFFFFFEh
		dd offset loc_7B44B9
		dd offset loc_7B44CC
		dd 0FFFFFFFEh
		dd offset loc_7B44AE
		dd offset loc_7B44B4
		dd 0FFFFFFFEh
		dd offset loc_7B45AF
		dd offset loc_7B45C2
		dd 0FFFFFFFEh
		dd offset loc_7B46DD
		dd offset loc_7B46F0
		dd 0FFFFFFFEh
		dd offset loc_7B466E
		dd offset loc_7B4681
		dd 0FFFFFFFEh
		dd offset loc_7B473D
		dd offset loc_7B474E
		dd 0FFFFFFFEh
		dd offset loc_7B4869
		dd offset loc_7B487C
		dd 0FFFFFFFEh
		dd offset loc_7B48DD
		dd offset loc_7B48F0
		dd 0FFFFFFFEh
		dd offset loc_7B4957
		dd offset loc_7B496A
		dd 0FFFFFFFEh
		dd offset loc_7B49F4
		dd offset loc_7B4A07
		dd 0FFFFFFFEh
		dd offset loc_7B4A5D
		dd offset loc_7B4A70
		dd 0FFFFFFFEh
		dd offset loc_7B4B57
		dd offset loc_7B4B6A
		align 8
dword_6A2E58	dd 0FFFFFFE4h, 0	; DATA XREF: PfSetSuperfetchInformation+5o
		dd 0FFFFFF38h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EC0C4
		dd offset sub_8EC0D2
		dd 0FFFFFFFEh
		dd offset sub_8EC1EA
		dd offset sub_8EC1F8
		dd 0FFFFFFFEh
		dd offset sub_8EC1CD
		dd offset sub_8EC1DB
		dd 0FFFFFFFEh
		dd offset sub_8EC189
		dd offset sub_8EC197
		dd 0FFFFFFFEh
		dd offset sub_8EC0E4
		dd offset sub_8EC0F2
		dd 0FFFFFFFEh
		dd offset sub_8EC151
		dd offset sub_8EC15F
		dd 0FFFFFFFEh
		dd offset sub_8EC303
		dd offset loc_8EC1FD
		dd 0FFFFFFFEh
		dd offset sub_8EC275
		dd offset sub_8EC283
		dd 0FFFFFFFEh
		dd offset sub_8EC242
		dd offset sub_8EC250
		dd 0FFFFFFFEh
		dd offset sub_8EC228
		dd offset sub_8EC236
dword_6A2EE0	dd 0FFFFFFE4h, 0	; DATA XREF: PfSnSetPrefetcherInformation+5o
		dd 0FFFFFF28h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EC40A
		dd offset sub_8EC41B
		dd 0FFFFFFFEh
		dd offset sub_8EC3E7
		dd offset sub_8EC3F8
		dd 0FFFFFFFEh
		dd offset loc_8EC3C7
		dd offset loc_8EC3D8
		dd 0FFFFFFFEh
		dd offset sub_8EC3AE
		dd offset sub_8EC3BF
		dd 0FFFFFFFEh
		dd offset sub_8EC381
		dd offset sub_8EC392
		align 10h
dword_6A2F30	dd 0FFFFFFE4h, 0	; DATA XREF: PfpRpControlRequestCopy+2o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8EC469
		dd offset sub_8EC477
		dd 0FFFFFFFEh
		dd offset sub_8EC44C
		dd offset sub_8EC45A
dword_6A2F58	dd 0FFFFFFFEh, 0	; DATA XREF: PfpPrefetchRequest+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset loc_8EC50E
		dd offset loc_8EC4F9
		dd 0FFFFFFFEh
		dd offset sub_8EC4E6
		dd offset sub_8EC4F4
dword_6A2F80	dd 0FFFFFFFEh, 0	; DATA XREF: SmSetStoreInformation+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EC9FE
		dd offset sub_8ECA0C
		align 10h
dword_6A2FA0	dd 0FFFFFFE4h, 0	; DATA XREF: SmProcessStoreMemoryPriorityRequest+2o
		dd 0FFFFFF9Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8ECA94
		dd offset sub_8ECAA2
		align 10h
dword_6A2FC0	dd 0FFFFFFE4h, 0	; DATA XREF: NtManagePartition+5o
		dd 0FFFFFF34h, 0
		dd 0FFFFFFFEh
		dd offset loc_8ECCE9
		dd offset loc_8ECCFA
		dd 0FFFFFFFEh
		dd offset sub_8ECE21
		dd offset loc_8ECD02
dword_6A2FE8	dd 0FFFFFFFEh, 0	; DATA XREF: IopQueryInformation(x,x,x,x,x)+7o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_7B7FE2
		dd offset loc_7B7FF2
		align 8
dword_6A3008	dd 0FFFFFFFEh, 0	; DATA XREF: WmipProbeAndCaptureGuidObjectAttributes+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EDEE1
		dd offset sub_8EDEEF
		align 8
dword_6A3028	dd 0FFFFFFFEh, 0	; DATA XREF: NtCancelIoFile+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EE0AF
		dd offset sub_8EE0BD
		dd 0FFFFFFFEh
		dd offset sub_8EE0E9
		dd offset sub_8EE0ED
dword_6A3050	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpCancelOplockRHIrp+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5CEEDE
		align 10h
dword_6A3070	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlCancelNotify+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5CF1B6
		align 10h
		dd offset sub_5CF0D3
		dd offset sub_5CF0F2
dword_6A3098	dd 0FFFFFFE4h, 0	; DATA XREF: PAGE:007BC887o
		dd 0FFFFFE90h, 0
		dd 0FFFFFFFEh
		dd offset loc_8EE18C
		dd offset loc_8EE19F
		dd 0FFFFFFFEh
		dd offset loc_8EE26A
		dd offset loc_8EE27D
dword_6A30C0	dd 0FFFFFFFEh, 0	; DATA XREF: NtAllocateLocallyUniqueId+7o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_8EE2C6
		dd offset loc_8EE2F0
		align 10h
dword_6A30E0	dd 0FFFFFFFEh, 0	; DATA XREF: ExpWaitForResource+7o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_5CF396
		dd offset sub_5CF39C
		align 10h
dword_6A3100	dd 0FFFFFFFEh, 0	; DATA XREF: RtlUnicodeStringToInteger+7o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8EE394
		dd offset sub_8EE3A4
		align 10h
dword_6A3120	dd 0FFFFFFFEh, 0	; DATA XREF: CcZeroData+2o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5CF5BF
		align 10h
dword_6A3140	dd 0FFFFFFFEh, 0	; DATA XREF: CcZeroDataInCache+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh, 0
		dd offset loc_5CF5DB
		align 10h
dword_6A3160	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:007BD307o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_8EE47B
		dd offset loc_8EE48B
		dd 0FFFFFFFEh
		dd offset loc_8EE4B6
		dd offset loc_8EE4BC
		dd 0FFFFFFFEh
		dd offset loc_8EE4BE
		dd offset loc_8EE4C4
		align 8
dword_6A3198	dd 0FFFFFFFEh, 0	; DATA XREF: CcPurgeAndClearCacheSection+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset sub_5CF93F
		dd offset sub_5CF943
		align 8
dword_6A31B8	dd 0FFFFFFFEh, 0	; DATA XREF: NtExtendSection+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EE512
		dd offset sub_8EE520
		dd 0FFFFFFFEh
		dd offset sub_8EE532
		dd offset sub_8EE536
dword_6A31E0	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:007BDF07o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh
		dd offset loc_7BE059
		dd offset loc_7BE069
		dd 0FFFFFFFEh
		dd offset loc_7BE185
		dd offset loc_7BE195
		dd 0FFFFFFFEh
		dd offset loc_7BE3BB
		dd offset loc_7BE3CB
		align 8
dword_6A3218	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenSymbolicLinkObject+7o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8EE6E6
		dd offset sub_8EE6F6
		dd 0FFFFFFFEh
		dd offset sub_8EE708
		dd offset sub_8EE70E
dword_6A3240	dd 0FFFFFFE4h, 0	; DATA XREF: IopTrackLink+5o
		dd 0FFFFFD70h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EE720
		dd offset sub_8EE731
		dd 0FFFFFFFEh, 0
		dd offset sub_8EED7D
dword_6A3268	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenDirectoryObject+7o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8EEDF2
		dd offset sub_8EEE02
		dd 0FFFFFFFEh
		dd offset sub_8EEE14
		dd offset sub_8EEE1A
dword_6A3290	dd 0FFFFFFFEh, 0	; DATA XREF: NtUnsubscribeWnfStateChange+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EEE2C
		dd offset sub_8EEE3C
		align 10h
dword_6A32B0	dd 0FFFFFFE4h, 0	; DATA XREF: NtQuerySystemEnvironmentValueEx+2o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh
		dd offset loc_8EF031
		dd offset loc_8EF041
		dd 0FFFFFFFEh
		dd offset sub_8EF00F
		dd offset sub_8EF01F
dword_6A32D8	dd 0FFFFFFE4h, 0	; DATA XREF: ExpGetSystemFirmwareTableInformation+2o
		dd 0FFFFFF7Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8EF5F6
		dd offset sub_8EF604
		dd 0FFFFFFFEh
		dd offset sub_8EF61E
		dd offset loc_8EF609
dword_6A3300	dd 0FFFFFFE4h, 0	; DATA XREF: NtSetInformationVirtualMemory+5o
		dd 0FFFFFE54h, 0
		dd 0FFFFFFFEh
		dd offset sub_8EFA7A
		dd offset sub_8EFA8B
		dd 0FFFFFFFEh
		dd offset loc_8EFC89
		dd offset loc_8EFC9C
		dd 0FFFFFFFEh
		dd offset sub_8EFC68
		dd offset sub_8EFC6E
		align 8
dword_6A3338	dd 0FFFFFFFEh, 0	; DATA XREF: CfgAddressToBitState+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_5D0F85
		dd offset sub_5D0F89
		align 8
dword_6A3358	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenSection+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8EFE01
		dd offset sub_8EFE0F
		dd 0FFFFFFFEh
		dd offset sub_8EFE21
		dd offset sub_8EFE25
dword_6A3380	dd 0FFFFFFFEh, 0	; DATA XREF: RtlCSparseBitmapFindBitSetCapped+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset sub_5D1500
		dd offset sub_5D1504
		align 10h
dword_6A33A0	dd 0FFFFFFFEh, 0	; DATA XREF: RtlCSparseBitmapBitsClear+2o
		dd 0FFFFFF9Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_5D15B6
		dd offset sub_5D15BA
		align 10h
dword_6A33C0	dd 0FFFFFFFEh, 0	; DATA XREF: RtlpCSparseBitmapPageDecommit+2o
		dd 0FFFFFF84h, 0
		dd 0FFFFFFFEh
		dd offset sub_5D1632
		dd offset sub_5D1636
		align 10h
dword_6A33E0	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryPerformanceCounter+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8EFF61
		dd offset sub_8EFF6F
		align 10h
dword_6A3400	dd 0FFFFFFFEh, 0	; DATA XREF: EtwActivityIdControl+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_5D2788
		dd offset sub_5D2796
		align 10h
dword_6A3420	dd 0FFFFFFFEh, 0	; DATA XREF: NtAlpcOpenSenderProcess+2o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F0072
		dd offset sub_8F0080
		dd 0FFFFFFFEh
		dd offset sub_8F0164
		dd offset sub_8F0172
dword_6A3448	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlTeardownPerFileContexts+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8F017D
		align 8
dword_6A3468	dd 0FFFFFFFEh, 0	; DATA XREF: ExHandleSPCall2+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F01E4
		dd offset sub_8F01F2
		dd 0FFFFFFFEh
		dd offset sub_8F021B
		dd offset sub_8F0229
dword_6A3490	dd 0FFFFFFFEh, 0	; DATA XREF: RtlDowncaseUnicodeString+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8F039A
		align 10h
dword_6A34B0	dd 0FFFFFFFEh, 0	; DATA XREF: PopEtEnergyTrackerQuery(x,x,x)+5o
		dd 0FFFFFEE4h, 0
		dd 0FFFFFFFEh
		dd offset loc_7C290D
		dd offset loc_7C291E
		dd 0FFFFFFFEh
		dd offset loc_7C28C0
		dd offset loc_7C28D1
dword_6A34D8	dd 0FFFFFFFEh, 0	; DATA XREF: RtlCSparseBitmapBitmaskRead+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_5D300B
		dd offset sub_5D300F
		align 8
dword_6A34F8	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_7C2E0A
		dd offset loc_7C2E18
		dd 0FFFFFFFEh
		dd offset loc_7C2FA0
		dd offset loc_7C2FAE
dword_6A3520	dd 0FFFFFFFEh, 0	; DATA XREF: NtRemoveIoCompletion+2o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F0461
		dd offset sub_8F0471
		dd 0FFFFFFFEh
		dd offset sub_8F0496
		dd offset sub_8F04A4
dword_6A3548	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlTeardownPerStreamContexts+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8F051A
		align 8
dword_6A3568	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreateWaitCompletionPacket+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F0535
		dd offset sub_8F0545
		dd 0FFFFFFFEh
		dd offset sub_8F0557
		dd offset sub_8F055D
dword_6A3590	dd 0FFFFFFE4h, 0	; DATA XREF: PspQueryQuotaLimits+2o
		dd 0FFFFFF68h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F0565
		dd offset sub_8F0573
		align 10h
dword_6A35B0	dd 0FFFFFFFEh, 0	; DATA XREF: RtlNtStatusToDosError+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F057E
		dd offset sub_8F0582
		align 10h
dword_6A35D0	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFF68h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_7C4009
		align 10h
		dd offset loc_7C3F18
		dd offset loc_7C3F37
dword_6A35F8	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlNotifyFilterChangeDirectory+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8F065B
		align 8
dword_6A3618	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_7C468E
		align 8
		dd offset loc_7C4531
		dd offset loc_7C4550
		dd 0
		dd offset loc_7C45D9
		dd offset loc_7C45DD
		align 10h
dword_6A3650	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlNotifyCompleteIrp+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F06B9
		dd offset sub_8F06BD
		align 10h
dword_6A3670	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlNotifyCleanup+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8F06E1
		align 10h
dword_6A3690	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlNotifyFilterChangeDirectoryLite+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8F0753
		align 10h
dword_6A36B0	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlNotifyUpdateBuffer+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F085D
		dd offset sub_8F0861
		align 10h
dword_6A36D0	dd 0FFFFFFFEh, 0	; DATA XREF: MiMakeProtoLeafValid+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset sub_4F8E3D
		dd offset sub_4F8E4B
		align 10h
dword_6A36F0	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenEvent+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F086B
		dd offset sub_8F0879
		dd 0FFFFFFFEh
		dd offset sub_8F088B
		dd offset sub_8F088F
dword_6A3718	dd 0FFFFFFFEh, 0	; DATA XREF: CcWaitForUninitializeCacheMap+2o
		dd 0FFFFFF78h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5D322C
		align 8
dword_6A3738	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlQueryKernelEaFile+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8F08F8
		align 8
dword_6A3758	dd 0FFFFFFE4h, 0	; DATA XREF: PAGE:007C5068o
		dd 0FFFFFF70h, 0
		dd 0FFFFFFFEh
		dd offset loc_7C51E5
		dd offset loc_7C51F3
		dd 0FFFFFFFEh
		dd offset loc_7C51D5
		dd offset loc_7C51D9
dword_6A3780	dd 0FFFFFFE4h, 0	; DATA XREF: ExpRaiseHardError+5o
		dd 0FFFFFE44h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F09E8
		dd offset sub_8F09EC
		dd 0FFFFFFFEh
		dd offset sub_8F0A22
		dd offset sub_8F0A26
dword_6A37A8	dd 0FFFFFFFEh, 0	; DATA XREF: IopCheckInitiatorHint(x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_4F9984
		dd offset loc_4F9992
		align 8
dword_6A37C8	dd 0FFFFFFFEh, 0	; DATA XREF: ExGetPoolTagInfo+2o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F0A73
		dd offset sub_8F0A81
		dd 0FFFFFFFEh
		dd offset sub_8F0A43
		dd offset sub_8F0A51
dword_6A37F0	dd 0FFFFFFFEh, 0	; DATA XREF: NtAlpcCreateSectionView(x,x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_7C5B24
		dd offset loc_7C5B32
		dd 0FFFFFFFEh
		dd offset loc_7C5C01
		dd offset loc_7C5C0F
dword_6A3818	dd 0FFFFFFFEh, 0	; DATA XREF: CmpQueryKeyName+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F0AD0
		dd offset loc_8F0ADF
		align 8
dword_6A3838	dd 0FFFFFFE4h, 0	; DATA XREF: CmpDoQueryKeyName+2o
		dd 0FFFFFF64h, 0
		dd 0FFFFFFFEh
		dd offset sub_5D3BC2
		dd offset sub_5D3BD0
		align 8
dword_6A3858	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryEvent+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F0B05
		dd offset sub_8F0B13
		dd 0FFFFFFFEh
		dd offset sub_8F0B2D
		dd offset sub_8F0B31
dword_6A3880	dd 0FFFFFFFEh, 0	; DATA XREF: MiCheckForUserStackOverflow+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset loc_8F0C85
		dd offset loc_8F0C89
		dd 0FFFFFFFEh
		dd offset loc_8F0C7F
		dd offset loc_8F0C83
		dd 0FFFFFFFEh
		dd offset sub_8F0C6E
		dd offset sub_8F0C72
		align 8
dword_6A38B8	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpCaptureDirectAttribute+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F0DA4
		dd offset sub_8F0DB2
		align 8
dword_6A38D8	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMReturnHandleResultData+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F0F57
		dd offset sub_8F0F65
		align 8
dword_6A38F8	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMCaptureRegistryInputData+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F0F89
		dd offset sub_8F0F97
		align 8
dword_6A3918	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlUninitializeOplock+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5D441D
		align 8
dword_6A3938	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreateIoCompletion+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F1088
		dd offset sub_8F1098
		dd 0FFFFFFFEh
		dd offset sub_8F10AA
		dd offset sub_8F10B0
dword_6A3960	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenMutant+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F1130
		dd offset sub_8F113E
		dd 0FFFFFFFEh
		dd offset sub_8F1150
		dd offset sub_8F1154
dword_6A3988	dd 0FFFFFFE4h, 0	; DATA XREF: PAGE:007C72C3o
		dd 0FFFFFED0h, 0
		dd 0FFFFFFFEh
		dd offset loc_7C7701
		dd offset loc_7C7712
		dd 0FFFFFFFEh
		dd offset loc_7C76E8
		dd offset loc_7C76F9
		dd 0FFFFFFFEh
		dd offset loc_7C7738
		dd offset loc_7C7749
		align 10h
dword_6A39C0	dd 0FFFFFFFEh, 0	; DATA XREF: CmQueryMultipleValueKey+5o
		dd 0FFFFFF5Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8F136B
		dd offset sub_8F1379
		align 10h
dword_6A39E0	dd 0FFFFFFFEh, 0	; DATA XREF: PspSystemThreadStartup+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_5D48C9
		dd offset loc_5D48F0
		align 10h
dword_6A3A00	dd 0FFFFFFFEh, 0	; DATA XREF: SMKM_STORE_SM_TRAITS___SmStWorkerThread+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset sub_5D4A73
		dd offset sub_5D4A81
		align 10h
dword_6A3A20	dd 0FFFFFFFEh, 0	; DATA XREF: NtQuerySystemTime+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F1654
		dd offset sub_8F1662
		align 10h
dword_6A3A40	dd 0FFFFFFFEh, 0	; DATA XREF: IopRetrieveSystemDeviceName+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F16CA
		dd offset sub_8F16D8
		dd 0FFFFFFFEh
		dd offset sub_8F16F6
		dd offset sub_8F1704
dword_6A3A68	dd 0FFFFFFFEh, 0	; DATA XREF: SiGetSystemDeviceName+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8CA1C0
		dd offset sub_8CA1CE
		align 8
dword_6A3A88	dd 0FFFFFFE4h, 0	; DATA XREF: CmQueryFeatureConfigurationSections+2o
		dd 0FFFFFF70h, 0
		dd 0FFFFFFFEh
		dd offset loc_8F1929
		dd offset loc_8F1939
		dd 0FFFFFFFEh
		dd offset sub_8F1914
		dd offset sub_8F1924
dword_6A3AB0	dd 0FFFFFFFEh, 0	; DATA XREF: CcPreparePinWrite+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8F1A66
		align 10h
dword_6A3AD0	dd 0FFFFFFFEh, 0	; DATA XREF: CcMapDataForOverwrite+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5D4D5C
		align 10h
dword_6A3AF0	dd 0FFFFFFE4h, 0	; DATA XREF: NtAddAtomEx+5o
		dd 0FFFFFDBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F1A95
		dd offset sub_8F1AA6
		dd 0FFFFFFFEh
		dd offset sub_8F1ABB
		dd offset sub_8F1ACC
dword_6A3B18	dd 0FFFFFFE4h, 0	; DATA XREF: NtSetInformationKey+5o
		dd 0FFFFFF34h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F1CF8
		dd offset sub_8F1D09
		align 8
dword_6A3B38	dd 0FFFFFFFEh, 0	; DATA XREF: NtGetMUIRegistryInfo+2o
		dd 0FFFFFF78h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F201D
		dd offset sub_8F202B
		dd 0FFFFFFFEh
		dd offset sub_8F1FDF
		dd offset sub_8F1FED
dword_6A3B60	dd 0FFFFFFFEh, 0	; DATA XREF: NtCompareTokens+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F2117
		dd offset sub_8F2125
		dd 0FFFFFFFEh
		dd offset sub_8F21E2
		dd offset sub_8F21F0
dword_6A3B88	dd 0FFFFFFE4h, 0	; DATA XREF: NtGetCachedSigningLevel+5o
		dd 0FFFFFF60h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F241B
		dd offset sub_8F242C
		align 8
dword_6A3BA8	dd 0FFFFFFFEh, 0	; DATA XREF: NtQuerySystemInformationEx+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_7CB33F
		dd offset sub_7CB34D
		align 8
dword_6A3BC8	dd 0FFFFFFFEh, 0	; DATA XREF: NtCloseObjectAuditAlarm+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F286D
		dd offset sub_8F287B
		align 8
dword_6A3BE8	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryWnfStateNameInformation+2o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F2929
		dd offset sub_8F2939
		dd 0FFFFFFFEh
		dd offset sub_8F2907
		dd offset sub_8F2917
		dd 0FFFFFFFEh
		dd offset sub_8F296E
		dd offset sub_8F297E
		align 10h
dword_6A3C20	dd 0FFFFFFE4h, 0	; DATA XREF: NtAlpcSetInformation(x,x,x,x)+2o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_7CBAC1
		dd offset loc_7CBACF
		align 10h
dword_6A3C40	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpInitializeCompletionList+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F2A86
		dd offset sub_8F2A32
		align 10h
dword_6A3C60	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:007CC434o
		dd 0FFFFFF80h, 0
		dd 0FFFFFFFEh
		dd offset loc_8F2B58
		dd offset loc_8F2B68
		align 10h
dword_6A3C80	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryInformationAtom+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F2BF4
		dd offset sub_8F2C02
		align 10h
dword_6A3CA0	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenSemaphore+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F3009
		dd offset sub_8F3017
		dd 0FFFFFFFEh
		dd offset sub_8F3029
		dd offset sub_8F302D
dword_6A3CC8	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlKernelFsControlFile+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8F3135
		align 8
		dd offset sub_8F30A9
		dd offset sub_8F30B7
dword_6A3CF0	dd 0FFFFFFE4h, 0	; DATA XREF: AlpcpQuerySidToken+2o
		dd 0FFFFFF88h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F39C8
		dd offset sub_8F39D6
		align 10h
dword_6A3D10	dd 0FFFFFFFEh, 0	; DATA XREF: PsQueryFullProcessImageName+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F3C63
		dd offset sub_8F3C71
		align 10h
dword_6A3D30	dd 0FFFFFFE4h, 0	; DATA XREF: NtGetNextThread+5o
		dd 0FFFFFE74h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F3F87
		dd offset sub_8F3F9A
		dd 0FFFFFFFEh
		dd offset sub_8F3F1D
		dd offset sub_8F3F30
dword_6A3D58	dd 0FFFFFFFEh, 0	; DATA XREF: NtSuspendThread+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_8F403C
		dd offset loc_8F404A
		dd 0FFFFFFFEh
		dd offset sub_8F401A
		dd offset sub_8F402A
dword_6A3D80	dd 0FFFFFFFEh, 0	; DATA XREF: PsSuspendThread+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F4066
		dd offset sub_8F407D
		align 10h
dword_6A3DA0	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpAllocateOplock+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8F40CC
		align 10h
dword_6A3DC0	dd 0FFFFFFE4h, 0	; DATA XREF: AlpcpCreateConnectionPort+2o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8F4118
		dd offset sub_8F4126
		dd 0FFFFFFFEh
		dd offset sub_8F414F
		dd offset sub_8F415D
dword_6A3DE8	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpLocateDbgIdForRegEntry+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_8F4389
		dd offset loc_8F4397
		dd 0FFFFFFFEh
		dd offset sub_8F4376
		dd offset sub_8F4384
dword_6A3E10	dd 0FFFFFFFEh, 0	; DATA XREF: IopBuildAsynchronousFsdRequest+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_5D6BDD
		dd offset sub_5D6BE1
		align 10h
dword_6A3E30	dd 0FFFFFFE4h, 0	; DATA XREF: KiInitializeUserApc(x,x,x,x,x,x,x)+5o
		dd 0FFFFFC84h, 0
		dd 0FFFFFFFEh
		dd offset loc_503309
		dd offset loc_503359
		align 10h
dword_6A3E50	dd 0FFFFFFE4h, 0	; DATA XREF: PsQueryProcessCommandLine+2o
		dd 0FFFFFF84h, 0
		dd 0FFFFFFFEh
		dd offset sub_5D6C40
		dd offset sub_5D6C4E
		dd 0FFFFFFFEh
		dd offset sub_5D6C64
		dd offset sub_5D6C72
dword_6A3E78	dd 0FFFFFFE4h, 0	; DATA XREF: NtCreateSymbolicLinkObject+5o
		dd 0FFFFFF38h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F4611
		dd offset sub_8F4622
		align 8
dword_6A3E98	dd 0FFFFFFFEh, 0	; DATA XREF: ObCreateSymbolicLink+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_8F467B
		dd offset loc_8F4689
		dd 0FFFFFFFEh
		dd offset sub_8F4663
		dd offset sub_8F4667
dword_6A3EC0	dd 0FFFFFFFEh, 0	; DATA XREF: RtlpWriteExtendedContext+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F496E
		dd offset sub_8F497C
		align 10h
dword_6A3EE0	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMCaptureDeviceListInputData+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F4A4A
		dd offset sub_8F4A58
		align 10h
dword_6A3F00	dd 0FFFFFFFEh, 0	; DATA XREF: PiDqSerializationWrite+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F4ADD
		dd offset sub_8F4AE1
		align 10h
dword_6A3F20	dd 0FFFFFFFEh, 0	; DATA XREF: NtFlushVirtualMemory+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F4BD0
		dd offset sub_8F4BDE
		dd 0FFFFFFFEh
		dd offset sub_8F4C1C
		dd offset sub_8F4C20
dword_6A3F48	dd 0FFFFFFE4h, 0	; DATA XREF: NtGetNlsSectionPtr+5o
		dd 0FFFFFE60h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F4E20
		dd offset sub_8F4E31
		dd 0FFFFFFFEh
		dd offset sub_8F4E65
		dd offset sub_8F4E78
dword_6A3F70	dd 0FFFFFFE4h, 0	; DATA XREF: RtlIntegerToChar+2o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F4ED0
		dd offset sub_8F4EDE
		align 10h
dword_6A3F90	dd 0FFFFFFE4h, 0	; DATA XREF: PfSnQueryPrefetcherInformation+5o
		dd 0FFFFFE1Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8F4F30
		dd offset sub_8F4F3E
		dd 0FFFFFFFEh
		dd offset sub_8F4F13
		dd offset sub_8F4F21
dword_6A3FB8	dd 0FFFFFFFEh, 0	; DATA XREF: PfSnGetCompletedTrace+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F4F50
		dd offset sub_8F4F5E
		align 8
dword_6A3FD8	dd 0FFFFFFFEh, 0	; DATA XREF: NtRequestWaitReplyPort+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F50A6
		dd offset sub_8F50B4
		align 8
dword_6A3FF8	dd 0FFFFFFE4h, 0	; DATA XREF: NtCreateNamedPipeFile+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F50C6
		dd offset sub_8F50D4
		align 8
dword_6A4018	dd 0FFFFFFFEh, 0	; DATA XREF: CcCompleteAsyncRead+2o
		dd 0FFFFFF80h, 0
		dd 0FFFFFFFEh, 0
		dd offset loc_5D7E26
		align 8
		dd offset sub_5D7E02
		dd offset sub_5D7E0E
dword_6A4040	dd 0FFFFFFFEh, 0	; DATA XREF: NtAllocateReserveObject+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F557D
		dd offset sub_8F558B
		dd 0FFFFFFFEh
		dd offset sub_8F559D
		dd offset sub_8F55A1
dword_6A4068	dd 0FFFFFFFEh, 0	; DATA XREF: SmQueryStoreInformation+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F5627
		dd offset sub_8F5635
		align 8
dword_6A4088	dd 0FFFFFFDCh, 0	; DATA XREF: SmProcessCompressionInfoRequest+19o
		dd 0FFFFF980h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F56AB
		dd offset sub_8F56BF
		dd 0FFFFFFFEh
		dd offset sub_8F5682
		dd offset sub_8F5696
dword_6A40B0	dd 0FFFFFFFEh, 0	; DATA XREF: PiDqIrpQueryGetResult+2o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F5709
		dd offset sub_8F5717
		align 10h
dword_6A40D0	dd 0FFFFFFFEh, 0	; DATA XREF: NtAlpcCreateResourceReserve+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F57BC
		dd offset sub_8F57CA
		dd 0FFFFFFFEh
		dd offset sub_8F57DC
		dd offset sub_8F57EA
dword_6A40F8	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpOplockBreakToII+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5D82EB
		align 8
dword_6A4118	dd 0FFFFFFE4h, 0	; DATA XREF: IopGetFileVolumeNameInformation+5o
		dd 0FFFFFDC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_5D83A0
		dd offset sub_5D83B1
		dd 0FFFFFFFEh
		dd offset sub_5D83C6
		dd offset sub_5D83D7
dword_6A4140	dd 0FFFFFFE4h, 0	; DATA XREF: PspSetQuotaLimits+5o
		dd 0FFFFFF3Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8F5A2E
		dd offset sub_8F5A3F
		align 10h
dword_6A4160	dd 0FFFFFFE4h, 0	; DATA XREF: PspIsProcessReadyForRemoteThread+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset sub_5D8721
		dd offset sub_5D8725
		align 10h
dword_6A4180	dd 0FFFFFFFEh, 0	; DATA XREF: .text:005083C6o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_5D87DD
		dd offset loc_5D87EB
		dd 0FFFFFFFEh
		dd offset loc_5D87FD
		dd offset loc_5D880D
dword_6A41A8	dd 0FFFFFFFEh, 0	; DATA XREF: RtlPinAtomInAtomTable+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F5C48
		dd offset sub_8F5C56
		align 8
dword_6A41C8	dd 0FFFFFFFEh, 0	; DATA XREF: PopBootStatSet+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F5C75
		dd offset sub_8F5C83
		dd 0FFFFFFFEh
		dd offset sub_8F5CA0
		dd offset sub_8F5CAE
dword_6A41F0	dd 0FFFFFFFEh, 0	; DATA XREF: PfSnHashUnsafeUnicodeString+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F6684
		dd offset sub_8F6692
		align 10h
dword_6A4210	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryInstallUILanguage+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F71AA
		dd offset sub_8F71BA
		align 10h
dword_6A4230	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlSetKernelEaFile+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8F7211
		align 10h
dword_6A4250	dd 0FFFFFFFEh, 0	; DATA XREF: NtPrivilegedServiceAuditAlarm+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F72AF
		dd offset sub_8F72BD
		align 10h
dword_6A4270	dd 0FFFFFFFEh, 0	; DATA XREF: PsWow64GetSupportedArchitectures+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F7322
		dd offset sub_8F7332
		align 10h
dword_6A4290	dd 0FFFFFFFEh, 0	; DATA XREF: WmiQueryTraceInformation+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F7948
		dd offset sub_8F7956
		align 10h
		dd offset sub_8F7742
		dd offset sub_8F7750
dword_6A42B8	dd 0FFFFFFFEh, 0	; DATA XREF: CcPrepareMdlWrite+2o
		dd 0FFFFFF74h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5D9549
		align 8
dword_6A42D8	dd 0FFFFFFFEh, 0	; DATA XREF: MiAllocatePerSessionProtos+2o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8F7B10
		dd offset sub_8F7B1E
		align 8
dword_6A42F8	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpApplyEventIdPayloadFilterOnUserEvent+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F7BC4
		dd offset sub_8F7BC8
		align 8
dword_6A4318	dd 0FFFFFFFEh, 0	; DATA XREF: NtAllocateUuids+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_8F7D1C
		dd offset loc_8F7D2C
		dd 0FFFFFFFEh
		dd offset sub_8F7CFA
		dd offset sub_8F7D0A
dword_6A4340	dd 0FFFFFFFEh, 0	; DATA XREF: NtFilterToken+2o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8F7E19
		dd offset sub_8F7E27
		dd 0FFFFFFFEh
		dd offset sub_8F7E47
		dd offset sub_8F7E55
dword_6A4368	dd 0FFFFFFFEh, 0	; DATA XREF: SepCaptureHandles+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_5D9AD5
		dd offset sub_5D9AE3
		align 8
dword_6A4388	dd 0FFFFFFFEh, 0	; DATA XREF: RtlGetThreadLangIdByIndex+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_5D9BE0
		dd offset sub_5D9BEE
		align 8
dword_6A43A8	dd 0FFFFFFE4h, 0	; DATA XREF: PfpQueryGpuUtilization+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_8F8A0B
		dd offset loc_8F8A19
		dd 0FFFFFFFEh
		dd offset sub_8F89F8
		dd offset sub_8F8A06
dword_6A43D0	dd 0FFFFFFE4h, 0	; DATA XREF: RtlCreateHeap+5o
		dd 0FFFFFEF0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F8BB1
		dd offset sub_8F8BBE
		align 10h
dword_6A43F0	dd 0FFFFFFFEh, 0	; DATA XREF: SeSecureBootQueryInformation+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_8F91D4
		dd offset loc_8F91E4
		dd 0FFFFFFFEh
		dd offset sub_8F9263
		dd offset sub_8F9273
		dd 0FFFFFFFEh
		dd offset sub_8F91BC
		dd offset sub_8F91CC
		align 8
dword_6A4428	dd 0FFFFFFFEh, 0	; DATA XREF: PfpMemoryRangesQuery+2o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset loc_5DA3DD
		dd offset loc_5DA3EB
		dd 0FFFFFFFEh
		dd offset sub_5DA3B8
		dd offset sub_5DA3C6
dword_6A4450	dd 0FFFFFFFEh, 0	; DATA XREF: IoQueryLowPriorityIoInformation+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F9C74
		dd offset sub_8F9C82
		align 10h
dword_6A4470	dd 0FFFFFFFEh, 0	; DATA XREF: MiGetWorkingSetInfo+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_5DA562
		dd offset sub_5DA570
		align 10h
dword_6A4490	dd 0FFFFFFFEh, 0	; DATA XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset loc_7DF784
		dd offset loc_7DF790
		dd 0FFFFFFFEh
		dd offset loc_7DFA9E
		dd offset loc_7DFAAC
dword_6A44B8	dd 0FFFFFFFEh, 0	; DATA XREF: PfpVirtualQuery+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8F9EC5
		dd offset sub_8F9ED3
		align 8
dword_6A44D8	dd 0FFFFFFFEh, 0	; DATA XREF: MmGetPageFileInformation+2o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh
		dd offset sub_8F9F3D
		dd offset sub_8F9F4B
		align 8
dword_6A44F8	dd 0FFFFFFFEh, 0	; DATA XREF: PspGetStandardHandleList+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8FA0C2
		dd offset sub_8FA0D0
		align 8
dword_6A4518	dd 0FFFFFFFEh, 0	; DATA XREF: RtlUpcaseUnicodeStringToOemString+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_8FA0FC
		align 8
dword_6A4538	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryTimerResolution+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8FA11F
		dd offset sub_8FA12F
		align 8
dword_6A4558	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:007E0EC0o
		dd 0FFFFFF9Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_7E10E6
		dd offset loc_7E10F2
		dd 0FFFFFFFEh
		dd offset loc_7E13CD
		dd offset loc_7E13DB
dword_6A4580	dd 0FFFFFFFEh, 0	; DATA XREF: MiDuplicateCloneLeaf(x,x,x,x,x)+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_544588
		dd offset loc_54458C
		align 10h
dword_6A45A0	dd 0FFFFFFE4h, 0	; DATA XREF: ExQueryProcessHandleInformation+2o
		dd 0FFFFFF9Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_8FADBC
		dd offset sub_8FADCA
		dd 0FFFFFFFEh
		dd offset sub_8FAE04
		dd offset sub_8FAE12
dword_6A45C8	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryMutant+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8FAE2E
		dd offset sub_8FAE3C
		dd 0FFFFFFFEh
		dd offset sub_8FAE59
		dd offset sub_8FAE5D
		dd 0FFFFFFFEh
		dd offset sub_8FAE72
		dd offset sub_8FAE5D
		align 10h
dword_6A4600	dd 0FFFFFFFEh, 0	; DATA XREF: NtQuerySemaphore+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8FAF2D
		dd offset sub_8FAF3B
		dd 0FFFFFFFEh
		dd offset sub_8FAF6C
		dd offset sub_8FAF70
dword_6A4628	dd 0FFFFFFFEh, 0	; DATA XREF: PfpDeprioritizeOldPagesInWs+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_8FAFC6
		dd offset sub_8FAFD4
		align 8
dword_6A4648	dd 0FFFFFFFEh, 0	; DATA XREF: PfpMemoryListQuery+2o
		dd 0FFFFFF6Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_5DB951
		dd offset sub_5DB95F
		align 8
dword_6A4668	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreateProcessEx+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8FB609
		dd offset sub_8FB617
		align 8
dword_6A4688	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMCaptureInterfaceAliasInputData+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8FB81E
		dd offset sub_8FB82C
		align 8
dword_6A46A8	dd 0FFFFFFFEh, 0	; DATA XREF: CmUnRegisterCallback+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset sub_8FBC40
		dd offset sub_8FBC44
		align 8
dword_6A46C8	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryIntervalProfile+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8FBCB0
		dd offset sub_8FBCBE
		dd 0FFFFFFFEh
		dd offset sub_8FBCD0
		dd offset sub_8FBCD4
dword_6A46F0	dd 0FFFFFFFEh, 0	; DATA XREF: NtAcquireProcessActivityReference+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_8FBD4B
		dd offset sub_8FBD59
		dd 0FFFFFFFEh
		dd offset sub_8FBD75
		dd offset sub_8FBD85
dword_6A4718	dd 0FFFFFFFEh, 0	; DATA XREF: SMKM_STORE_SM_TRAITS___SmStDirectReadComplete+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_5DC2A3
		dd offset sub_5DC2B1
		align 8
dword_6A4738	dd 0FFFFFFFEh, 0	; DATA XREF: SMKM_STORE_SM_TRAITS___SmStDirectReadIssue+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_5DC2B9
		dd offset sub_5DC2C7
		align 8
dword_6A4758	dd 0FFFFFFFEh, 0	; DATA XREF: IopLoadDriverImage+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset sub_5DC53E
		dd offset sub_5DC54C
		align 8
dword_6A4778	dd 0FFFFFFE4h, 0	; DATA XREF: MiGetSystemAddressForImage+5o
		dd 0FFFFFF24h, 0
		dd 0FFFFFFFEh
		dd offset sub_8FC14D
		dd offset sub_8FC151
		align 8
dword_6A4798	dd 0FFFFFFFEh, 0	; DATA XREF: MiCacheImageSymbols+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8FC45C
		dd offset sub_8FC460
		align 8
dword_6A47B8	dd 0FFFFFFFEh, 0	; DATA XREF: SdbReleaseDatabase+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8FEBBC
		dd offset sub_8FEC0C
		align 8
dword_6A47D8	dd 0FFFFFFFEh, 0	; DATA XREF: IopUnloadDriver+5o
		dd 0FFFFFF60h, 0
		dd 0FFFFFFFEh
		dd offset sub_8FF298
		dd offset sub_8FF2A6
		align 8
dword_6A47F8	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMCaptureRegistryPropertyInputData+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_8FF434
		dd offset sub_8FF442
		align 8
dword_6A4818	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpCoverageEnsureUserModeView+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset loc_8FF5AA
		dd offset loc_8FF5B8
		dd 0FFFFFFFEh
		dd offset sub_8FF597
		dd offset sub_8FF5A5
dword_6A4840	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMReturnStatusResultData+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_900B69
		dd offset sub_900B77
		align 10h
dword_6A4860	dd 0FFFFFFFEh, 0	; DATA XREF: PnpRequestDeviceAction+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset sub_5DD698
		dd offset sub_5DD69C
		align 10h
dword_6A4880	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpRealtimeConnect+2o
		dd 0FFFFFF78h, 0
		dd 0FFFFFFFEh
		dd offset sub_900E37
		dd offset sub_900E45
		align 10h
dword_6A48A0	dd 0FFFFFFE4h, 0	; DATA XREF: PspCreateProcess+5o
		dd 0FFFFFE3Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_900F55
		dd offset sub_900F66
		dd 0FFFFFFFEh
		dd offset sub_9010B6
		dd offset sub_9010BC
dword_6A48C8	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenObjectAuditAlarm+2o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_901479
		dd offset sub_901487
		dd 0FFFFFFFEh
		dd offset sub_9015BE
		dd offset sub_9015CC
dword_6A48F0	dd 0FFFFFFFEh, 0	; DATA XREF: LdrUnloadAlternateResourceModuleEx+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5DE187
		align 10h
dword_6A4910	dd 0FFFFFFFEh, 0	; DATA XREF: NtAlpcCancelMessage+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_901AAE
		dd offset sub_901ABC
		align 10h
dword_6A4930	dd 0FFFFFFFEh, 0	; DATA XREF: NtSetCachedSigningLevel2+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset sub_901D1D
		dd offset sub_901D2D
		align 10h
dword_6A4950	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreateRegistryTransaction+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_90207C
		dd offset sub_90208A
		dd 0FFFFFFFEh
		dd offset sub_9020AB
		dd offset loc_90208F
dword_6A4978	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpGetImageSize+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_9021E8
		dd offset sub_9021F6
		align 8
dword_6A4998	dd 0FFFFFFFEh, 0	; DATA XREF: KiRestoreFeatureBits()+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_551C8E
		dd offset loc_551C92
		align 8
dword_6A49B8	dd 0FFFFFFFEh, 0	; DATA XREF: BiLoadHive+2o
		dd 0FFFFFF7Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_9038D0
		dd offset sub_9038D4
		align 8
dword_6A49D8	dd 0FFFFFFE4h, 0	; DATA XREF: BiEnumerateSubKeys+2o
		dd 0FFFFFF6Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_904396
		dd offset sub_90439A
		align 8
dword_6A49F8	dd 0FFFFFFFEh, 0	; DATA XREF: BiCreateKey+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset sub_9044E8
		dd offset sub_9044EC
		align 8
dword_6A4A18	dd 0FFFFFFFEh, 0	; DATA XREF: BiGetRegistryValue+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset sub_904534
		dd offset sub_904538
		align 8
dword_6A4A38	dd 0FFFFFFFEh, 0	; DATA XREF: BiOpenKey+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset sub_9045C9
		dd offset sub_9045CD
		align 8
dword_6A4A58	dd 0FFFFFFFEh, 0	; DATA XREF: BiSetRegistryValue+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_9046AB
		dd offset sub_9046AF
		align 8
dword_6A4A78	dd 0FFFFFFFEh, 0	; DATA XREF: BiGetKeyName+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_904938
		dd offset sub_90493C
		align 8
dword_6A4A98	dd 0FFFFFFFEh, 0	; DATA XREF: BiOpenKeyNonBcd+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset sub_905587
		dd offset sub_90558B
		align 8
dword_6A4AB8	dd 0FFFFFFFEh, 0	; DATA XREF: PfpQueryScenarioInformation+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_9059B2
		dd offset loc_9059C0
		dd 0FFFFFFFEh
		dd offset sub_90599F
		dd offset sub_9059AD
dword_6A4AE0	dd 0FFFFFFFEh, 0	; DATA XREF: NtSetTimer+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_5E0D57
		dd offset sub_5E0D65
		align 10h
dword_6A4B00	dd 0FFFFFFFEh, 0	; DATA XREF: PiSwIrpPropertySet+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_905F6C
		dd offset sub_905F7E
		align 10h
dword_6A4B20	dd 0FFFFFFE4h, 0	; DATA XREF: SLQueryLicenseValueInternal+5o
		dd 0FFFFFE58h, 0
		dd 0FFFFFFFEh
		dd offset sub_907A5C
		dd offset sub_907A6F
		dd 0FFFFFFFEh
		dd offset sub_907B10
		dd offset sub_907B23
dword_6A4B48	dd 0FFFFFFFEh, 0	; DATA XREF: ExpQueryLicenseValueFromBlobHelper+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5E2CBF
		align 8
dword_6A4B68	dd 0FFFFFFFEh, 0	; DATA XREF: ExpQueryLicenseValueFromBlob+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_907D82
		dd offset sub_907D92
		align 8
dword_6A4B88	dd 0FFFFFFFEh, 0	; DATA XREF: ExpLoadAndSortLicensingCacheDescriptors+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_907DB8
		dd 0FFFFFFFEh, 0
		dd offset sub_907E22
dword_6A4BB0	dd 0FFFFFFE4h, 0	; DATA XREF: NtGetNextProcess+5o
		dd 0FFFFFE78h, 0
		dd 0FFFFFFFEh
		dd offset sub_90AE4F
		dd offset sub_90AE62
		dd 0FFFFFFFEh
		dd offset sub_90AE0F
		dd offset sub_90AE22
dword_6A4BD8	dd 0FFFFFFE4h, 0	; DATA XREF: LdrResGetRCConfig+2o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset sub_90B6E8
		dd offset sub_90B6F6
		align 8
dword_6A4BF8	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:0086D090o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_90B7B8
		dd offset loc_90B7C6
		align 8
dword_6A4C18	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenSession+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_90B830
		dd offset sub_90B83E
		dd 0FFFFFFFEh
		dd offset sub_90B850
		dd offset sub_90B856
dword_6A4C40	dd 0FFFFFFFEh, 0	; DATA XREF: RtlOemStringToUnicodeString+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_90B868
		align 10h
dword_6A4C60	dd 0FFFFFFE4h, 0	; DATA XREF: NtNotifyChangeSession+5o
		dd 0FFFFFE8Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_90BA4E
		dd offset sub_90BA52
		align 10h
dword_6A4C80	dd 0FFFFFFE4h, 0	; DATA XREF: SmcProcessListRequest+2o
		dd 0FFFFFF80h, 0
		dd 0FFFFFFFEh
		dd offset loc_90C058
		dd offset loc_90C066
		dd 0FFFFFFFEh
		dd offset sub_90C045
		dd offset sub_90C053
dword_6A4CA8	dd 0FFFFFFFEh, 0	; DATA XREF: RtlUnicodeStringToOemString+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_90C233
		align 8
dword_6A4CC8	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpOplockBreakToNone+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5E5857
		align 8
dword_6A4CE8	dd 0FFFFFFE4h, 0	; DATA XREF: NtCreateMailslotFile+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset sub_90C2B2
		dd offset sub_90C2C0
		align 8
dword_6A4D08	dd 0FFFFFFE4h, 0	; DATA XREF: FsRtlCheckUpperOplock+2o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_90C510
		align 8
dword_6A4D28	dd 0FFFFFFFEh, 0	; DATA XREF: MmIssueMemoryListCommand+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_90C781
		dd offset sub_90C78F
		align 8
dword_6A4D48	dd 0FFFFFFFEh, 0	; DATA XREF: SeQueryHSTIResults+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_90C807
		dd offset sub_90C817
		align 8
dword_6A4D68	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpCaptureString+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_90D60A
		dd offset loc_90D618
		dd 0FFFFFFFEh
		dd offset sub_90D5F7
		dd offset sub_90D605
dword_6A4D90	dd 0FFFFFFE4h, 0	; DATA XREF: EtwpGetLoggerInfoFromContext+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset sub_90D637
		dd offset sub_90D645
		dd 0FFFFFFFEh
		dd offset sub_90D677
		dd offset sub_90D685
dword_6A4DB8	dd 0FFFFFFFEh, 0	; DATA XREF: NtAdjustGroupsToken+2o
		dd 0FFFFFF88h, 0
		dd 0FFFFFFFEh
		dd offset sub_90DFB0
		dd offset sub_90DFBE
		dd 0FFFFFFFEh
		dd offset sub_90DFDB
		dd offset sub_90DFE9
		dd 0FFFFFFFEh
		dd offset sub_90E023
		dd offset byte_90E031
		dd 0FFFFFFFEh
		dd offset sub_90E102
		dd offset dword_90E110
dword_6A4DF8	dd 0FFFFFFE4h, 0	; DATA XREF: NtCreateTokenEx+5o
		dd 0FFFFFF04h, 0
		dd 0FFFFFFFEh
		dd offset sub_90E2EB
		dd offset sub_90E2FC
		dd 0FFFFFFFEh
		dd offset sub_90E405
		dd offset sub_90E416
		dd 0FFFFFFFEh
		dd offset sub_90E3E6
		dd offset sub_90E3F7
		align 10h
dword_6A4E30	dd 0FFFFFFFEh, 0	; DATA XREF: SeCaptureSidAndAttributesArray+7o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset sub_90E55E
		dd offset sub_90E56E
		dd 0FFFFFFFEh
		dd offset sub_90E5C3
		dd offset sub_90E5D3
dword_6A4E58	dd 0FFFFFFFEh, 0	; DATA XREF: SeCaptureAcl+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_90E62E
		dd offset sub_90E63C
		dd 0FFFFFFFEh
		dd offset sub_90E662
		dd offset sub_90E670
dword_6A4E80	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenPrivateNamespace+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_90EBB1
		dd offset sub_90EBBF
		dd 0FFFFFFFEh
		dd offset sub_90EBE7
		dd offset sub_90EBEB
dword_6A4EA8	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreatePrivateNamespace+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_90EC84
		dd offset sub_90EC92
		dd 0FFFFFFFEh
		dd offset sub_90ECE0
		dd offset sub_90ECE4
dword_6A4ED0	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreateJobObject+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset loc_90ED3B
		dd offset loc_90ED4B
		dd 0FFFFFFFEh
		dd offset sub_90ED26
		dd offset sub_90ED36
dword_6A4EF8	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:007E9491o
		dd 0FFFFFE9Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_7E955D
		dd offset loc_7E956B
		dd 0FFFFFFFEh
		dd offset loc_7E9B44
		dd offset loc_7E9B55
		dd 0FFFFFFFEh
		dd offset loc_7E9AA5
		dd offset word_7E9AB6
		dd 0FFFFFFFEh
		dd offset loc_7E9968
		dd offset loc_7E9979
		dd 0FFFFFFFEh
		dd offset loc_7E9818
		dd offset loc_7E9826
		dd 0FFFFFFFEh
		dd offset loc_7E964B
		dd offset loc_7E9659
		dd 0FFFFFFFEh
		dd offset loc_7E9C9C
		dd offset loc_7E9CAD
		dd 0FFFFFFFEh
		dd offset loc_7E9C2B
		dd offset loc_7E9C3C
		dd 0FFFFFFFEh
		dd offset loc_7E9EC3
		dd offset loc_7E9ED4
		dd 0FFFFFFFEh
		dd offset loc_7E9D64
		dd offset loc_7E9D75
		dd 0FFFFFFFEh
		dd offset loc_7E9F8A
		dd offset loc_7E9F9B
		dd 0FFFFFFFEh
		dd offset loc_7EA6CA
		dd offset loc_7EA6DB
		dd 0FFFFFFFEh
		dd offset loc_7EA672
		dd offset loc_7EA683
		dd 0FFFFFFFEh
		dd offset loc_7EA33D
		dd offset loc_7EA34E
		dd 0FFFFFFFEh
		dd offset loc_7EA27E
		dd offset loc_7EA28F
		dd 0FFFFFFFEh
		dd offset loc_7EA104
		dd offset loc_7EA115
		dd 0FFFFFFFEh
		dd offset loc_7EA090
		dd offset loc_7EA0A1
		align 8
dword_6A4FD8	dd 0FFFFFFFEh, 0	; DATA XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_90EE19
		dd offset sub_90EE27
		align 8
dword_6A4FF8	dd 0FFFFFFFEh, 0	; DATA XREF: SepCaptureTokenSecurityAttributesInformation+2o
		dd 0FFFFFF88h, 0
		dd 0FFFFFFFEh
		dd offset sub_90EF2D
		dd offset sub_90EF3B
		align 8
dword_6A5018	dd 0FFFFFFFEh, 0	; DATA XREF: SepCaptureTokenSecurityOperations+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_5E79D2
		dd offset loc_5E79E0
		dd 0FFFFFFFEh
		dd offset sub_5E79A8
		dd offset sub_5E79B6
dword_6A5040	dd 0FFFFFFFEh, 0	; DATA XREF: ObpCaptureBoundaryDescriptor+2o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh
		dd offset sub_90F014
		dd offset sub_90F022
		dd 0FFFFFFFEh
		dd offset sub_90F0D5
		dd offset sub_90F0E8
dword_6A5068	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreateLowBoxToken+2o
		dd 0FFFFFF84h, 0
		dd 0FFFFFFFEh
		dd offset sub_910216
		dd offset sub_910224
		dd 0FFFFFFFEh
		dd offset sub_9102EC
		dd offset sub_9102FA
dword_6A5090	dd 0FFFFFFFEh, 0	; DATA XREF: SepCaptureInt64Array+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_91030C
		dd offset sub_91031A
		align 10h
dword_6A50B0	dd 0FFFFFFE4h, 0	; DATA XREF: RawMountVolume+2o
		dd 0FFFFFF88h, 0
		dd 0FFFFFFFEh
		dd offset sub_9103AA
		dd offset sub_9103B8
		align 10h
dword_6A50D0	dd 0FFFFFFE4h, 0	; DATA XREF: EtwpRealtimeInjectEtwBuffer+2o
		dd 0FFFFFF9Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_911F44
		dd offset loc_911F52
		dd 0FFFFFFFEh
		dd offset sub_911F36
		dd offset sub_911F0E
dword_6A50F8	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpFindUserBufferSpace+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_911F88
		dd offset sub_911F96
		align 8
dword_6A5118	dd 0FFFFFFE4h, 0	; DATA XREF: NtNotifyChangeMultipleKeys+5o
		dd 0FFFFFED0h, 0
		dd 0FFFFFFFEh
		dd offset sub_91204E
		dd offset sub_91205F
		dd 0FFFFFFFEh
		dd offset sub_912317
		dd offset sub_912328
dword_6A5140	dd 0FFFFFFFEh, 0	; DATA XREF: NtFlushBuffersFileEx+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset sub_9127F5
		dd offset sub_912803
		align 10h
dword_6A5160	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:007F61E4o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh
		dd offset loc_7F634E
		dd offset loc_7F635C
		dd 0FFFFFFFEh
		dd offset loc_7F63F0
		dd offset loc_7F63FE
		dd 0FFFFFFFEh
		dd offset loc_7F664D
		dd offset loc_7F665B
		dd 0FFFFFFFEh
		dd offset loc_7F66EE
		dd offset loc_7F66FC
dword_6A51A0	dd 0FFFFFFFEh, 0	; DATA XREF: NtQuerySecurityObject+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_912861
		dd offset sub_91286F
		dd 0FFFFFFFEh
		dd offset sub_912881
		dd offset sub_91288F
dword_6A51C8	dd 0FFFFFFFEh, 0	; DATA XREF: IopGetSetSecurityObject+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset sub_912925
		dd offset sub_912933
		dd 0FFFFFFFEh
		dd offset sub_912958
		dd offset sub_912966
dword_6A51F0	dd 0FFFFFFE4h, 0	; DATA XREF: NtQueryFullAttributesFile+7o
		dd 0FFFFFE58h, 0
		dd 0FFFFFFFEh
		dd offset sub_9129A4
		dd offset sub_9129B7
		dd 0FFFFFFFEh
		dd offset sub_9129E2
		dd offset sub_9129F5
dword_6A5218	dd 0FFFFFFE4h, 0	; DATA XREF: PAGE:007F6E87o
		dd 0FFFFFE60h, 0
		dd 0FFFFFFFEh
		dd offset loc_912A0B
		dd offset loc_912A1E
		align 8
dword_6A5238	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:007F7217o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh
		dd offset loc_7F72DB
		dd offset loc_7F72EB
		dd 0FFFFFFFEh
		dd offset loc_7F7444
		dd offset loc_7F7454
		dd 0FFFFFFFEh
		dd offset loc_7F758C
		dd offset loc_7F759C
		dd 0FFFFFFFEh
		dd offset loc_7F7775
		dd offset loc_7F7785
dword_6A5278	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:007F7857o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh
		dd offset loc_7F7E41
		dd offset loc_7F7E51
		dd 0FFFFFFFEh
		dd offset loc_7F7D04
		dd offset loc_7F7D14
		dd 0FFFFFFFEh
		dd offset loc_7F7DA3
		dd offset loc_7F7DB3
		align 10h
dword_6A52B0	dd 0FFFFFFFEh, 0	; DATA XREF: IopSynchronousApiServiceTail+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_912AB6
		dd offset sub_912AC4
		align 10h
dword_6A52D0	dd 0FFFFFFFEh, 0	; DATA XREF: PfSnOpenVolumesForPrefetch+488o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_912B5F
		dd offset sub_912B6D
		dd 0FFFFFFFEh
		dd offset sub_912B7F
		dd offset sub_912B83
dword_6A52F8	dd 0FFFFFFFEh, 0	; DATA XREF: NtResetEvent+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_912BBF
		dd offset sub_912BCD
		dd 0FFFFFFFEh
		dd offset sub_912BF9
		dd offset sub_912BEA
dword_6A5320	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:007F86CCo
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_7F873F
		dd offset loc_7F874D
		dd 0FFFFFFFEh
		dd offset loc_7F893B
		dd offset loc_7F8949
		dd 0FFFFFFFEh
		dd offset loc_7F89A8
		dd offset loc_7F89B6
		align 8
dword_6A5358	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMReturnBasicResultData+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_913487
		dd offset sub_913495
		align 8
dword_6A5378	dd 0FFFFFFFEh, 0	; DATA XREF: PiDqIrpComplete+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_913633
		dd offset sub_913641
		align 8
dword_6A5398	dd 0FFFFFFE4h, 0	; DATA XREF: PiDqIrpQueryCreate+2o
		dd 0FFFFFF64h, 0
		dd 0FFFFFFFEh
		dd offset sub_9136C7
		dd offset sub_9136D9
		align 8
dword_6A53B8	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMCaptureInterfaceListInputData+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_913A6A
		dd offset sub_913A78
		align 8
dword_6A53D8	dd 0FFFFFFFEh, 0	; DATA XREF: PiDqQuerySerializeActionQueue+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset sub_914272
		dd offset sub_914280
		align 8
dword_6A53F8	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMCaptureObjectInputData+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_914852
		dd offset sub_914860
		align 8
dword_6A5418	dd 0FFFFFFFEh, 0	; DATA XREF: PropertyEval+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_918171
		dd offset sub_918174
		align 8
dword_6A5438	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMCapturePropertyInputData+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_919805
		dd offset sub_919813
		align 8
dword_6A5458	dd 0FFFFFFFEh, 0	; DATA XREF: PiControlCopyUserModeCallersBuffer+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_919974
		dd offset sub_919982
		align 8
dword_6A5478	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMReturnBufferResultData+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_9199CC
		dd offset sub_9199DA
		align 8
dword_6A5498	dd 0FFFFFFE4h, 0	; DATA XREF: NtSetValueKey+7o
		dd 0FFFFFED8h, 0
		dd 0FFFFFFFEh
		dd offset sub_91A3C4
		dd offset sub_91A3D7
		align 8
dword_6A54B8	dd 0FFFFFFE4h, 0	; DATA XREF: MmProbeAndLockProcessPages+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh, 0
		dd offset loc_91AC24
		align 8
dword_6A54D8	dd 0FFFFFFFEh, 0	; DATA XREF: CmpQueryKeyDataFromCache+7o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset sub_91B1B8
		dd offset sub_91B1C8
		align 8
dword_6A54F8	dd 0FFFFFFFEh, 0	; DATA XREF: CcGetDirtyPagesHelper+7o
		dd 0FFFFFF80h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5E9F78
		align 8
dword_6A5518	dd 0FFFFFFFEh, 0	; DATA XREF: RtlpUpcaseUnicodeStringPrivate+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5EA4A0
		align 8
dword_6A5538	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:00807007o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_91B216
		dd offset loc_91B226
		dd 0FFFFFFFEh
		dd offset loc_91B240
		dd offset loc_91B250
dword_6A5560	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:00807B17o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset loc_91B329
		dd offset loc_91B339
		align 10h
dword_6A5580	dd 0FFFFFFFEh, 0	; DATA XREF: SeCaptureUnicodeStringStructures+7o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_91B3C5
		dd offset sub_91B3D5
		align 10h
dword_6A55A0	dd 0FFFFFFFEh, 0	; DATA XREF: CmpQueryKeyDataFromNode+7o
		dd 0FFFFFF80h, 0
		dd 0FFFFFFFEh
		dd offset sub_91B475
		dd offset sub_91B485
		dd 0FFFFFFFEh
		dd offset sub_91B43E
		dd offset sub_91B44E
		dd 0FFFFFFFEh
		dd offset sub_91B411
		dd offset sub_91B421
		align 8
dword_6A55D8	dd 0FFFFFFE4h, 0	; DATA XREF: NtEnumerateKey+7o
		dd 0FFFFFF00h, 0
		dd 0FFFFFFFEh
		dd offset sub_91BBA3
		dd offset sub_91BBB6
		dd 0FFFFFFFEh
		dd offset sub_91BBEA
		dd offset sub_91BBFD
dword_6A5600	dd 0FFFFFFE4h, 0	; DATA XREF: NtEnumerateValueKey+7o
		dd 0FFFFFEE8h, 0
		dd 0FFFFFFFEh
		dd offset sub_91BE23
		dd offset sub_91BE36
		dd 0FFFFFFFEh
		dd offset sub_91BEAC
		dd offset sub_91BEBF
dword_6A5628	dd 0FFFFFFFEh, 0	; DATA XREF: NtReleaseMutant+7o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset sub_91C19D
		dd offset sub_91C1AD
		dd 0FFFFFFFEh
		dd offset sub_80AA4E
		dd offset sub_80AA73
		dd 0FFFFFFFEh
		dd offset sub_91C1F3
		dd offset sub_91C1F9
		align 10h
dword_6A5660	dd 0FFFFFFE0h, 0	; DATA XREF: NtQueryKey+7o
		dd 0FFFFFEE4h, 0
		dd 0FFFFFFFEh
		dd offset sub_91C2B2
		dd offset sub_91C2C5
		dd 0FFFFFFFEh
		dd offset sub_91C369
		dd offset sub_91C37C
		dd 0FFFFFFFEh
		dd offset sub_91C312
		dd offset sub_91C325
		dd 0FFFFFFFEh
		dd offset sub_91C32D
		dd offset sub_91C340
dword_6A56A0	dd 0FFFFFFE4h, 0	; DATA XREF: CmQueryKey+7o
		dd 0FFFFFF08h, 0
		dd 0FFFFFFFEh, 0
		dd offset loc_91C96D
		align 10h
		dd offset sub_91C49C
		dd offset sub_91C4AF
		dd 0
		dd offset sub_91C517
		dd offset loc_91C4B7
		align 8
		dd offset sub_91C605
		dd offset sub_91C618
		dd 0
		dd offset sub_91C74E
		dd offset sub_91C761
		align 10h
		dd offset sub_91C778
		dd offset sub_91C78B
		dd 0
		dd offset sub_91C83B
		dd offset sub_91C84E
		align 8
		dd offset sub_91C886
		dd offset sub_91C899
		dd 0
		dd offset sub_91C939
		dd offset sub_91C94C
		align 10h
dword_6A5720	dd 0FFFFFFFEh, 0	; DATA XREF: CmpQueryKeyValueData+7o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh
		dd offset sub_91CEA7
		dd offset sub_91CEB7
		dd 0FFFFFFFEh
		dd offset sub_91CECC
		dd offset sub_91CEDC
		dd 0FFFFFFFEh
		dd offset sub_91CF2D
		dd offset sub_91CF3D
		dd 0FFFFFFFEh
		dd offset sub_91CEFE
		dd offset sub_91CF0E
dword_6A5760	dd 0FFFFFFFEh, 0	; DATA XREF: MiReadWriteVirtualMemory+7o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_91CF5C
		dd offset sub_91CF6C
		dd 0FFFFFFFEh
		dd offset sub_91CF86
		dd offset sub_91CF8C
dword_6A5788	dd 0FFFFFFE0h, 0	; DATA XREF: MmCopyVirtualMemory+7o
		dd 0FFFFFCA4h, 0
		dd 0FFFFFFFEh
		dd offset sub_91D55A
		dd offset sub_91D56D
		dd 0FFFFFFFEh
		dd offset loc_80F032
		dd offset loc_80F045
		dd 0FFFFFFFEh
		dd offset sub_91D5D9
		dd offset sub_91D5EC
		dd 0FFFFFFFEh
		dd offset sub_91D66A
		dd offset sub_91D680
dword_6A57C8	dd 0FFFFFFFEh, 0	; DATA XREF: CmpCallCallBacksEx+7o
		dd 0FFFFFF68h, 0
		dd 0FFFFFFFEh
		dd offset sub_91DC6D
		dd offset loc_91DC78
		dd 0FFFFFFFEh
		dd offset sub_91DEAC
		dd offset loc_91DEB7
dword_6A57F0	dd 0FFFFFFE0h, 0	; DATA XREF: ExpGetProcessInformation+7o
		dd 0FFFFFAACh, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_91E4C6
		align 10h
		dd offset sub_91DF7E
		dd offset sub_91DFB7
		dd 0
		dd offset sub_91E05E
		dd offset sub_91E097
		align 8
		dd offset sub_91E0E8
		dd offset sub_91E121
		dd 0
		dd offset sub_91E148
		dd offset sub_91E181
		align 10h
		dd offset sub_91E1C6
		dd offset sub_91E1FF
		dd 0
		dd offset sub_91E23E
		dd offset byte_91E277
		align 8
		dd offset sub_91E2FE
		dd offset sub_91E337
		dd 0
		dd offset sub_91E382
		dd offset sub_91E3BB
		align 10h
		dd offset sub_91E3E8
		dd offset sub_91E421
		dd 0
		dd offset sub_91E45B
		dd offset sub_91E494
		align 8
dword_6A5888	dd 0FFFFFFE4h, 0	; DATA XREF: NtQueryValueKey+7o
		dd 0FFFFFEA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_91EAE0
		dd offset loc_91EAA4
		dd 0FFFFFFFEh
		dd offset sub_91EA89
		dd offset sub_91EA9C
dword_6A58B0	dd 0FFFFFFE0h, 0	; DATA XREF: PAGE:008191C7o
		dd 0FFFFFEACh, 0
		dd 0FFFFFFFEh
		dd offset loc_91EC75
		dd offset loc_91EC88
		dd 0FFFFFFFEh
		dd offset loc_91ED31
		dd offset loc_91ED44
dword_6A58D8	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:00819CF7o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_91EFBD
		dd offset loc_91EFE7
		align 8
dword_6A58F8	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:00819F07o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_91F052
		dd offset loc_91F07C
		align 8
dword_6A5918	dd 0FFFFFFE4h, 0	; DATA XREF: NtSetInformationThread+7o
		dd 0FFFFFE7Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_91F0DD
		dd offset sub_91F0F0
		dd 0FFFFFFFEh
		dd offset sub_91F130
		dd offset sub_91F143
		dd 0FFFFFFFEh
		dd offset sub_91F1AB
		dd offset sub_91F1BE
		dd 0FFFFFFFEh
		dd offset sub_91F1DD
		dd offset sub_91F1F0
		dd 0FFFFFFFEh
		dd offset sub_91F26C
		dd offset sub_91F27F
		dd 0FFFFFFFEh
		dd offset sub_91F2A8
		dd offset sub_91F2BB
		dd 0FFFFFFFEh
		dd offset sub_91F2FA
		dd offset sub_91F30D
		dd 0FFFFFFFEh
		dd offset sub_91FEB2
		dd offset sub_91FEC5
		dd 0FFFFFFFEh
		dd offset sub_91F39E
		dd offset sub_91F3B1
		dd 0FFFFFFFEh
		dd offset sub_91F3CD
		dd offset sub_91F3E0
		dd 0FFFFFFFEh
		dd offset loc_91F433
		dd offset loc_91F446
		dd 0FFFFFFFEh
		dd offset sub_91F3FC
		dd offset sub_91F40F
		dd 0FFFFFFFEh
		dd offset sub_91F4B7
		dd offset sub_91F4CA
		dd 0FFFFFFFEh
		dd offset sub_91F52E
		dd offset sub_91F541
		dd 0FFFFFFFEh
		dd offset sub_91F5A2
		dd offset sub_91F5B5
		dd 0FFFFFFFEh
		dd offset sub_91F5CA
		dd offset sub_91F5DD
		dd 0FFFFFFFEh
		dd offset sub_91F6C9
		dd offset sub_91F6DC
		dd 0FFFFFFFEh
		dd offset sub_91F7A8
		dd offset sub_91F7BB
		dd 0FFFFFFFEh
		dd offset sub_91F76F
		dd offset sub_91F782
		dd 0FFFFFFFEh
		dd offset sub_91F8DE
		dd offset sub_91F8F1
		dd 0FFFFFFFEh
		dd offset sub_91F975
		dd offset sub_91F988
		dd 0FFFFFFFEh
		dd offset sub_91FA0E
		dd offset sub_91FA41
		dd 0FFFFFFFEh
		dd offset sub_91FAC7
		dd offset sub_91FADA
		dd 0FFFFFFFEh, 0
		dd offset sub_91FB95
		dd 17h
		dd offset sub_91FB08
		dd offset sub_91FB1B
		dd 17h
		dd offset sub_91FB3D
		dd offset sub_91FB70
		dd 0FFFFFFFEh
		dd offset sub_91FC6A
		dd offset sub_91FC7D
		dd 0FFFFFFFEh
		dd offset sub_91FEDA
		dd offset sub_91FEED
		dd 0FFFFFFFEh
		dd offset sub_91FCFE
		dd offset sub_91FD11
		dd 0FFFFFFFEh
		dd offset sub_91FE15
		dd offset sub_91FE28
		dd 0FFFFFFFEh
		dd offset sub_91FE58
		dd offset sub_91FE6B
		dd 0FFFFFFFEh
		dd offset sub_91FE80
		dd offset sub_91FE93
dword_6A5AA8	dd 0FFFFFFFEh, 0	; DATA XREF: .text:00521D57o
		dd 0FFFFFF64h, 0
		dd 0FFFFFFFEh
		dd offset loc_521EBE
		dd offset loc_521ECE
		dd 0FFFFFFFEh
		dd offset loc_52210C
		dd offset loc_52211C
		dd 0FFFFFFFEh
		dd offset loc_5220C8
		dd offset loc_5220CE
		dd 0FFFFFFFEh
		dd offset loc_5221C2
		dd offset loc_5221C8
		dd 0FFFFFFFEh
		dd offset loc_522870
		dd offset loc_522880
		dd 0FFFFFFFEh
		dd offset loc_5227D9
		dd offset loc_5227E9
dword_6A5B00	dd 0FFFFFFFEh, 0	; DATA XREF: .text:005229B7o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_522B60
		dd offset loc_522B6C
		align 10h
dword_6A5B20	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryInformationFile(x,x,x,x,x)+7o
		dd 0FFFFFF5Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_81C0E8
		dd offset loc_81C0F8
		dd 0FFFFFFFEh
		dd offset loc_81C1D9
		dd offset loc_81C1E9
		dd 0FFFFFFFEh
		dd offset loc_81C317
		dd offset loc_81C327
		dd 0FFFFFFFEh
		dd offset sub_81C44B
		dd offset sub_81C45B
		dd 3, 0
		dd offset sub_81C42C
		dd 0FFFFFFFEh
		dd offset sub_81C853
		dd offset sub_81C863
		dd 0FFFFFFFEh
		dd offset sub_81C6B6
		dd offset sub_81C6C6
		dd 0FFFFFFFEh
		dd offset sub_81C7CE
		dd offset sub_81C7DE
dword_6A5B90	dd 0FFFFFFFEh, 0	; DATA XREF: IopValidateQueryInformationParameters+7o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_91FF0C
		dd offset sub_91FF1C
		align 10h
dword_6A5BB0	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:0081CF77o
		dd 0FFFFFF4Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_81D0FF
		dd offset loc_81D10F
		dd 0FFFFFFFEh
		dd offset loc_81D2EC
		dd offset loc_81D2FC
		dd 0FFFFFFFEh
		dd offset loc_81D51D
		dd offset loc_81D530
		dd 0FFFFFFFEh
		dd offset loc_81D5E3
		dd offset loc_81D5F6
		dd 0FFFFFFFEh
		dd offset loc_81D8B3
		dd offset loc_81D8C6
		dd 0FFFFFFFEh
		dd offset loc_81D993
		dd offset loc_81D9A6
dword_6A5C08	dd 0FFFFFFFEh, 0	; DATA XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+7o
		dd 0FFFFFF48h, 0
		dd 0FFFFFFFEh
		dd offset sub_82161D
		dd offset sub_821630
		dd 2 dup(0)
		dd offset sub_8215E1
dword_6A5C30	dd 0FFFFFFDCh, 0	; DATA XREF: FsRtlCheckOplockEx2+1Ao
		dd 0FFFFFF40h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5ED758
		align 10h
dword_6A5C50	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpOplockStoreKeyForDeleteOperation+7o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5ED845
		align 10h
dword_6A5C70	dd 0FFFFFFFEh, 0	; DATA XREF: IopRetrieveTransactionParameters+7o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset sub_920C47
		dd offset sub_920C57
		align 10h
dword_6A5C90	dd 0FFFFFFE4h, 0	; DATA XREF: PAGE:008228F7o
		dd 0FFFFFDC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_822A63
		dd offset loc_822A76
		dd 0FFFFFFFEh
		dd offset loc_822E45
		dd offset loc_822E58
dword_6A5CB8	dd 0FFFFFFE4h, 0	; DATA XREF: .text:00527E57o
		dd 0FFFFFE34h, 0
		dd 0FFFFFFFEh
		dd offset loc_52928D
		dd offset loc_529293
		dd 0FFFFFFFEh
		dd offset loc_52944E
		dd offset loc_529454
		dd 0FFFFFFFEh
		dd offset loc_529513
		dd offset loc_529519
		dd 0FFFFFFFEh
		dd offset loc_5295D3
		dd offset loc_5295D9
dword_6A5CF8	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenProcessTokenEx+7o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_920F7A
		dd offset sub_920F8A
		dd 0FFFFFFFEh
		dd offset sub_920F9C
		dd offset sub_920FAC
dword_6A5D20	dd 0FFFFFFE0h, 0	; DATA XREF: MmQueryVirtualMemory+7o
		dd 0FFFFFF04h, 0
		dd 0FFFFFFFEh
		dd offset sub_921175
		dd offset sub_921188
		dd 0FFFFFFFEh
		dd offset sub_921217
		dd offset sub_92122A
		dd 0FFFFFFFEh
		dd offset sub_92129B
		dd offset sub_9212A1
		dd 0FFFFFFFEh
		dd offset sub_9212A9
		dd offset sub_9212AF
		dd 0FFFFFFFEh
		dd offset sub_9212DA
		dd offset sub_9212E0
		dd 0FFFFFFFEh
		dd offset sub_921322
		dd offset sub_921328
		dd 0FFFFFFFEh
		dd offset sub_921345
		dd offset sub_921358
		dd 0FFFFFFFEh
		dd offset sub_9215FC
		dd offset sub_92160F
		dd 0FFFFFFFEh
		dd offset sub_921413
		dd offset sub_921446
		dd 0FFFFFFFEh
		dd offset loc_921486
		dd offset loc_921499
		dd 0FFFFFFFEh
		dd offset sub_921465
		dd offset sub_921478
		align 8
dword_6A5DB8	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryInformationToken(x,x,x,x,x)+7o
		dd 0FFFFFE0Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_82532E
		dd offset loc_825341
		dd 0FFFFFFFEh
		dd offset loc_8254B3
		dd offset loc_8254C6
		dd 0FFFFFFFEh
		dd offset loc_825465
		dd offset loc_825478
		dd 0FFFFFFFEh
		dd offset loc_825641
		dd offset loc_825654
		dd 0FFFFFFFEh
		dd offset loc_8255F3
		dd offset loc_825606
		dd 0FFFFFFFEh
		dd offset loc_8257CC
		dd offset loc_8257DF
		dd 0FFFFFFFEh
		dd offset loc_82577E
		dd offset loc_825791
		dd 0FFFFFFFEh
		dd offset loc_825945
		dd offset loc_825958
		dd 0FFFFFFFEh
		dd offset loc_8258F7
		dd offset loc_82590A
		dd 0FFFFFFFEh
		dd offset loc_825A82
		dd offset loc_825A95
		dd 0FFFFFFFEh
		dd offset loc_825A34
		dd offset loc_825A47
		dd 0FFFFFFFEh
		dd offset loc_825BA3
		dd offset loc_825BB6
		dd 0FFFFFFFEh
		dd offset loc_825B55
		dd offset loc_825B68
		dd 0FFFFFFFEh
		dd offset loc_825CFE
		dd offset loc_825D11
		dd 0FFFFFFFEh
		dd offset loc_825CB0
		dd offset loc_825CC3
		dd 0FFFFFFFEh
		dd offset loc_825DF8
		dd offset loc_825E0B
		dd 0FFFFFFFEh
		dd offset loc_825DB9
		dd offset loc_825DCC
		dd 0FFFFFFFEh
		dd offset loc_825ED5
		dd offset loc_825EE8
		dd 0FFFFFFFEh
		dd offset loc_825E96
		dd offset loc_825EA9
		dd 0FFFFFFFEh
		dd offset loc_825FE9
		dd offset loc_825FFC
		dd 0FFFFFFFEh
		dd offset loc_825FAA
		dd offset loc_825FBD
		dd 0FFFFFFFEh
		dd offset loc_8260E9
		dd offset loc_8260FC
		dd 0FFFFFFFEh
		dd offset loc_8260AA
		dd offset loc_8260BD
		dd 0FFFFFFFEh
		dd offset loc_82627F
		dd offset loc_826292
		dd 0FFFFFFFEh
		dd offset loc_826231
		dd offset loc_826244
		dd 0FFFFFFFEh
		dd offset loc_826369
		dd offset loc_82637C
		dd 0FFFFFFFEh
		dd offset loc_82632A
		dd offset loc_82633D
		dd 0FFFFFFFEh
		dd offset loc_8265D3
		dd offset loc_8265E6
		dd 0FFFFFFFEh
		dd offset loc_826585
		dd offset loc_826598
		dd 0FFFFFFFEh
		dd offset loc_82677C
		dd offset loc_82678F
		dd 0FFFFFFFEh
		dd offset loc_82672E
		dd offset loc_826741
		dd 0FFFFFFFEh
		dd offset loc_82686E
		dd offset loc_826881
		dd 0FFFFFFFEh
		dd offset loc_82682F
		dd offset loc_826842
		dd 0FFFFFFFEh
		dd offset loc_826998
		dd offset loc_8269AB
		dd 0FFFFFFFEh
		dd offset loc_82694A
		dd offset loc_82695D
		dd 0FFFFFFFEh
		dd offset loc_826A7E
		dd offset loc_826A91
		dd 0FFFFFFFEh
		dd offset loc_826A3F
		dd offset loc_826A52
		dd 0FFFFFFFEh
		dd offset loc_826CCB
		dd offset loc_826CDE
		dd 0FFFFFFFEh
		dd offset loc_826C84
		dd offset loc_826C97
		dd 0FFFFFFFEh
		dd offset loc_826DAF
		dd offset loc_826DC2
		dd 0FFFFFFFEh
		dd offset loc_826D70
		dd offset loc_826D83
		dd 0FFFFFFFEh
		dd offset loc_826EF5
		dd offset loc_826F08
		dd 0FFFFFFFEh
		dd offset loc_826EB6
		dd offset loc_826EC9
		dd 0FFFFFFFEh
		dd offset loc_827017
		dd offset loc_82702A
		dd 0FFFFFFFEh
		dd offset loc_826FD8
		dd offset loc_826FEB
		dd 0FFFFFFFEh
		dd offset loc_827100
		dd offset loc_827113
		dd 0FFFFFFFEh
		dd offset loc_8270C1
		dd offset loc_8270D4
		dd 0FFFFFFFEh
		dd offset loc_827205
		dd offset loc_827218
		dd 0FFFFFFFEh
		dd offset loc_8271C6
		dd offset loc_8271D9
		dd 0FFFFFFFEh
		dd offset loc_827348
		dd offset loc_82735B
		dd 0FFFFFFFEh
		dd offset loc_8272FA
		dd offset loc_82730D
		dd 0FFFFFFFEh
		dd offset loc_8274B5
		dd offset loc_8274C8
		dd 0FFFFFFFEh
		dd offset loc_827467
		dd offset loc_82747A
		dd 0FFFFFFFEh
		dd offset loc_8275E7
		dd offset loc_8275FA
		dd 0FFFFFFFEh
		dd offset loc_827599
		dd offset loc_8275AC
		dd 0FFFFFFFEh
		dd offset loc_8276ED
		dd offset loc_827700
		dd 0FFFFFFFEh
		dd offset loc_8276AE
		dd offset loc_8276C1
		dd 0FFFFFFFEh
		dd offset loc_827892
		dd offset loc_8278A5
		dd 0FFFFFFFEh
		dd offset loc_827844
		dd offset loc_827857
		dd 0FFFFFFFEh
		dd offset loc_827A59
		dd offset loc_827A6C
		dd 0FFFFFFFEh
		dd offset loc_827A0B
		dd offset loc_827A1E
		dd 0FFFFFFFEh
		dd offset loc_827BD6
		dd offset loc_827BE9
		dd 0FFFFFFFEh
		dd offset loc_827B88
		dd offset loc_827B9B
		dd 0FFFFFFFEh
		dd offset loc_827D0D
		dd offset loc_827D20
		dd 0FFFFFFFEh
		dd offset loc_827CBF
		dd offset loc_827CD2
		dd 0FFFFFFFEh
		dd offset loc_827E5B
		dd offset loc_827E6E
		dd 0FFFFFFFEh
		dd offset loc_827E0D
		dd offset loc_827E20
		dd 0FFFFFFFEh, 2 dup(0)
		dd 0FFFFFFFEh, 2 dup(0)
		dd 0FFFFFFFEh
		dd offset loc_827F15
		dd offset loc_827F28
		dd 0FFFFFFFEh
		dd offset loc_82808F
		dd offset loc_8280A2
		dd 0FFFFFFFEh
		dd offset loc_828041
		dd offset loc_828054
		dd 0FFFFFFFEh
		dd offset loc_828153
		dd offset loc_828166
		dd 0FFFFFFFEh
		dd offset sub_82811C
		dd offset sub_82812F
dword_6A6140	dd 0FFFFFFE4h, 0	; DATA XREF: .text:0052A0A7o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_52A744
		dd offset loc_52A754
		dd 0FFFFFFFEh
		dd offset loc_52A324
		dd offset loc_52A32A
dword_6A6168	dd 0FFFFFFE4h, 0	; DATA XREF: .text:0052A837o
		dd 0FFFFFF34h, 0
		dd 0FFFFFFFEh
		dd offset loc_5EDA7A
		dd offset loc_5EDA8D
		dd 0FFFFFFFEh
		dd offset loc_5EDB38
		dd offset loc_5EDB4B
dword_6A6190	dd 0FFFFFFFEh, 0	; DATA XREF: IoRemoveIoCompletion+7o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_5EDBA4
		dd offset loc_5EDBB4
		align 10h
dword_6A61B0	dd 0FFFFFFFEh, 0	; DATA XREF: NtWaitForSingleObject+7o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_921648
		dd offset sub_921658
		align 10h
dword_6A61D0	dd 0FFFFFFFEh, 0	; DATA XREF: ObWaitForSingleObject+7o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_921679
		dd offset sub_92168F
		align 10h
dword_6A61F0	dd 0FFFFFFE4h, 0	; DATA XREF: NtRemoveIoCompletionEx+7o
		dd 0FFFFFF58h, 0
		dd 0FFFFFFFEh
		dd offset sub_9216A7
		dd offset sub_9216DA
		dd 0FFFFFFFEh
		dd offset sub_92171B
		dd offset sub_92172E
dword_6A6218	dd 0FFFFFFFEh, 0	; DATA XREF: NtMapViewOfSection+7o
		dd 0FFFFFF5Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_921ABA
		dd offset sub_921AC0
		align 8
dword_6A6238	dd 0FFFFFFFEh, 0	; DATA XREF: MiMapViewOfSectionCommon+7o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_921B07
		dd offset sub_921B31
		align 8
dword_6A6258	dd 0FFFFFFFEh, 0	; DATA XREF: MiCaptureSectionCreateExtendedParameters+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_921D55
		dd offset sub_921D65
		align 8
dword_6A6278	dd 0FFFFFFFEh, 0	; DATA XREF: MiCreateSectionCommon+7o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset sub_921D9D
		dd offset sub_921DAD
		dd 0FFFFFFFEh
		dd offset sub_921DDD
		dd offset sub_921DE3
dword_6A62A0	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreateEvent+7o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_922204
		dd offset sub_922214
		dd 0FFFFFFFEh
		dd offset sub_922226
		dd offset sub_92222C
dword_6A62C8	dd 0FFFFFFFEh, 0	; DATA XREF: SeAccessCheckByType(x,x,x,x,x,x,x,x,x,x,x,x)+7o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_5380D5
		dd offset loc_5380E5
		align 8
dword_6A62E8	dd 0FFFFFFE4h, 0	; DATA XREF: SeAccessCheckByTypeWithAdminlessChecks+7o
		dd 0FFFFFE7Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_5F069B
		dd offset sub_5F06AE
		dd 0FFFFFFFEh
		dd offset sub_5F0781
		dd offset sub_5F0794
		dd 0FFFFFFFEh
		dd offset sub_5F07EC
		dd offset sub_5F07FF
		dd 0FFFFFFFEh
		dd offset sub_5F0869
		dd offset sub_5F087C
		dd 0FFFFFFFEh
		dd offset sub_5F08B8
		dd offset sub_5F08CB
		dd 0FFFFFFFEh
		dd offset loc_5F11B2
		dd offset loc_5F11C5
		dd 0FFFFFFFEh
		dd offset sub_5F0973
		dd offset sub_5F0986
		dd 0FFFFFFFEh
		dd offset sub_5F0AFD
		dd offset loc_5F098E
		dd 0FFFFFFFEh
		dd offset sub_5F0F61
		dd offset sub_5F0894
		dd 0FFFFFFFEh
		dd offset sub_5F118E
		dd offset sub_5F11A1
dword_6A6370	dd 0FFFFFFFEh, 0	; DATA XREF: SeCaptureSecurityDescriptor+7o
		dd 0FFFFFF40h, 0
		dd 0FFFFFFFEh
		dd offset sub_92230E
		dd offset sub_92231E
		dd 0FFFFFFFEh
		dd offset loc_922513
		dd offset loc_922526
		dd 0FFFFFFFEh
		dd offset sub_92235B
		dd offset sub_92236B
		dd 0FFFFFFFEh
		dd offset sub_922397
		dd offset sub_9223A7
		dd 0FFFFFFFEh
		dd offset sub_9223DD
		dd offset sub_9223ED
		dd 0FFFFFFFEh
		dd offset sub_922419
		dd offset sub_92242C
		dd 0FFFFFFFEh
		dd offset sub_92244B
		dd offset sub_92245E
		dd 0FFFFFFFEh
		dd offset sub_92247D
		dd offset sub_922490
		dd 0FFFFFFFEh
		dd offset sub_9224AF
		dd offset sub_9224C2
		dd 0FFFFFFFEh
		dd offset sub_9224E1
		dd offset sub_9224F4
dword_6A63F8	dd 0FFFFFFE4h, 0	; DATA XREF: SeCaptureObjectTypeList+7o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh
		dd offset sub_5F13FA
		dd offset sub_5F140A
		align 8
dword_6A6418	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenThreadTokenEx+7o
		dd 0FFFFFF70h, 0
		dd 0FFFFFFFEh
		dd offset sub_922613
		dd offset sub_922623
		dd 0FFFFFFFEh
		dd offset sub_922657
		dd offset sub_922667
dword_6A6440	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryInformationThread+7o
		dd 0FFFFFE60h, 0
		dd 0FFFFFFFEh
		dd offset sub_9226D2
		dd offset sub_9226E5
		dd 0FFFFFFFEh
		dd offset sub_9226FA
		dd offset sub_92270D
		dd 0FFFFFFFEh
		dd offset sub_922722
		dd offset sub_922735
		dd 0FFFFFFFEh
		dd offset sub_92274A
		dd offset sub_92275D
		dd 0FFFFFFFEh
		dd offset sub_922788
		dd offset sub_922798
		dd 0FFFFFFFEh
		dd offset sub_92280C
		dd offset sub_92281C
		dd 0FFFFFFFEh
		dd offset sub_922897
		dd offset sub_9228A7
		dd 0FFFFFFFEh
		dd offset sub_9228CE
		dd offset sub_9228E1
		dd 0FFFFFFFEh
		dd offset sub_922964
		dd offset sub_922977
		dd 0FFFFFFFEh
		dd offset sub_92298C
		dd offset sub_92299F
		dd 0FFFFFFFEh
		dd offset sub_922A09
		dd offset sub_922A1C
		dd 0FFFFFFFEh
		dd offset sub_922A31
		dd offset sub_922A44
		dd 0FFFFFFFEh
		dd offset sub_922AB5
		dd offset sub_922AC8
		dd 0FFFFFFFEh
		dd offset sub_922B17
		dd offset sub_922B2A
		dd 0FFFFFFFEh
		dd offset sub_922B7C
		dd offset sub_922B8F
		dd 0FFFFFFFEh
		dd offset sub_922BB8
		dd offset sub_922BCB
		dd 0FFFFFFFEh
		dd offset sub_922C67
		dd offset sub_922C7A
		dd 0FFFFFFFEh
		dd offset sub_922D28
		dd offset sub_922D3B
		dd 0FFFFFFFEh
		dd offset sub_922DB1
		dd offset sub_922DC4
		dd 0FFFFFFFEh
		dd offset sub_922E43
		dd offset sub_922E56
		dd 0FFFFFFFEh
		dd offset sub_922E91
		dd offset sub_922EA4
		dd 0FFFFFFFEh
		dd offset sub_922F1F
		dd offset sub_922F32
		dd 0FFFFFFFEh, 2 dup(0)
		dd 0FFFFFFFEh
		dd offset sub_922FE3
		dd offset sub_922FF6
		dd 0FFFFFFFEh
		dd offset sub_92300B
		dd offset sub_92301E
		dd 0FFFFFFFEh
		dd offset sub_923095
		dd offset sub_9230A8
		dd 0FFFFFFFEh
		dd offset sub_923120
		dd offset sub_923133
		dd 0FFFFFFFEh
		dd offset sub_9231F3
		dd offset sub_923226
		dd 0FFFFFFFEh
		dd offset sub_92333F
		dd offset loc_923026
		dd 0FFFFFFFEh
		dd offset sub_9233B6
		dd offset sub_9233C9
		dd 0FFFFFFFEh
		dd offset sub_9233E9
		dd offset sub_9233FC
		dd 0FFFFFFFEh, 0
		dd offset sub_923474
		dd 1Fh
		dd offset sub_92341E
		dd offset sub_923451
		dd 0FFFFFFFEh
		dd offset sub_9234E9
		dd offset sub_9234FC
		dd 0FFFFFFFEh
		dd offset sub_923526
		dd offset sub_923559
		dd 0FFFFFFFEh
		dd offset sub_9235C8
		dd offset sub_9227F4
dword_6A6600	dd 0FFFFFFE4h, 0	; DATA XREF: PspWriteTebImpersonationInfo+7o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset sub_923650
		dd offset sub_923656
		align 10h
dword_6A6620	dd 0FFFFFFFEh, 0	; DATA XREF: NtAlpcImpersonateClientOfPort+7o
		dd 0FFFFFF7Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_9236B1
		dd offset sub_9236C1
		align 10h
dword_6A6640	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpExposeHandleAttribute+7o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset sub_9238CA
		dd offset sub_9238F4
		align 10h
dword_6A6660	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpExposeTokenAttribute+7o
		dd 0FFFFFF68h, 0
		dd 0FFFFFFFEh
		dd offset sub_92390F
		dd offset sub_923915
		align 10h
dword_6A6680	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:0082F767o
		dd 0FFFFFF64h, 0
		dd 0FFFFFFFEh
		dd offset loc_82F961
		dd offset loc_82F971
		dd 0FFFFFFFEh
		dd offset loc_82FBA0
		dd offset loc_82FBB0
		dd 0FFFFFFFEh
		dd offset loc_82FCB5
		dd offset loc_82FCC5
		align 8
dword_6A66B8	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:00830497o
		dd 0FFFFFF70h, 0
		dd 0FFFFFFFEh
		dd offset loc_830661
		dd offset loc_830671
		align 8
dword_6A66D8	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpCaptureAttributes+7o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset sub_923B27
		dd offset sub_923B37
		align 8
dword_6A66F8	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpCaptureContextAttribute+7o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_923B5F
		dd offset sub_923B6F
		align 8
dword_6A6718	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpCaptureMessageDataSafe(x)+7o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_8326CC
		dd offset loc_8326D2
		align 8
dword_6A6738	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:00832747o
		dd 0FFFFFF78h, 0
		dd 0FFFFFFFEh
		dd offset loc_923D28
		dd offset loc_923D38
		dd 0FFFFFFFEh
		dd offset loc_923D58
		dd offset loc_923D68
dword_6A6760	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpExposeWorkOnBehalfAttribute+7o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_923DF2
		dd offset sub_923DF8
		align 10h
dword_6A6780	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpGetDataFromUserVaSafe+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_924069
		dd offset sub_92406D
		align 10h
dword_6A67A0	dd 0FFFFFFE4h, 0	; DATA XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+7o
		dd 0FFFFFF00h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_53C56E
		align 10h
dword_6A67C0	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpOplockFsctrlInternal+7o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_92410B
		dd 0FFFFFFFEh, 0
		dd offset sub_924375
		dd 0FFFFFFFEh, 0
		dd offset sub_9244AD
		align 8
dword_6A67F8	dd 0FFFFFFFEh, 0	; DATA XREF: NtTraceControl(x,x,x,x,x,x)+7o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset loc_834491
		dd offset loc_8344A1
		dd 0FFFFFFFEh
		dd offset loc_8344DA
		dd offset loc_8344EA
		dd 0FFFFFFFEh
		dd offset loc_834764
		dd offset loc_834774
		dd 0FFFFFFFEh
		dd offset loc_8347B5
		dd offset loc_8347C5
		dd 0FFFFFFFEh
		dd offset loc_83492C
		dd offset loc_83493C
		dd 0FFFFFFFEh
		dd offset loc_834C2B
		dd offset loc_834C3B
dword_6A6850	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpOplockCleanup+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5F2451
		align 10h
dword_6A6870	dd 0FFFFFFE4h, 0	; DATA XREF: RtlIntegerToUnicode+7o
		dd 0FFFFFF80h, 0
		dd 0FFFFFFFEh
		dd offset sub_924E07
		dd offset sub_924E17
		align 10h
dword_6A6890	dd 0FFFFFFFEh, 0	; DATA XREF: RtlCreateUnicodeString+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_92554C
		align 10h
dword_6A68B0	dd 0FFFFFFFEh, 0	; DATA XREF: RtlDuplicateUnicodeString+7o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_925591
		align 10h
dword_6A68D0	dd 0FFFFFFFEh, 0	; DATA XREF: SeQuerySecurityDescriptorInfo+7o
		dd 0FFFFFF9Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_925746
		dd offset sub_925756
		align 10h
dword_6A68F0	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryObject+7o
		dd 0FFFFFF3Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_92579F
		dd offset sub_9257AF
		dd 0FFFFFFFEh
		dd offset sub_925808
		dd offset sub_92582C
		dd 0FFFFFFFEh
		dd offset sub_9258E3
		dd offset sub_92590D
		dd 0FFFFFFFEh
		dd offset sub_92591F
		dd offset sub_925949
		dd 0FFFFFFFEh
		dd offset sub_925961
		dd offset sub_925981
		align 10h
dword_6A6940	dd 0FFFFFFFEh, 0	; DATA XREF: ObQueryNameStringMode+7o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh
		dd offset loc_925A35
		dd offset loc_925A45
		dd 0FFFFFFFEh
		dd offset sub_925A10
		dd offset sub_925A20
		dd 0FFFFFFFEh, 0
		dd offset loc_925ACD
		dd 2
		dd offset sub_925A9E
		dd offset sub_925AAE
		dd 0FFFFFFFEh
		dd offset sub_925B99
		dd offset sub_925B9F
		dd 0FFFFFFFEh
		dd offset sub_925BD5
		dd offset sub_925BE5
dword_6A6998	dd 0FFFFFFFEh, 0	; DATA XREF: ObQueryTypeInfo+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_925BF3
		dd offset sub_925C01
		align 8
dword_6A69B8	dd 0FFFFFFFEh, 0	; DATA XREF: SeCaptureSid+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_925D64
		dd offset sub_925D72
		dd 0FFFFFFFEh
		dd offset sub_925DA6
		dd offset sub_925DB4
dword_6A69E0	dd 0FFFFFFFEh, 0	; DATA XREF: .text:0053D123o
		dd 0FFFFFF70h, 0
		dd 0FFFFFFFEh
		dd offset loc_5F2513
		dd offset loc_5F2524
		dd 0FFFFFFFEh
		dd offset loc_5F262F
		dd offset loc_5F261D
dword_6A6A08	dd 0FFFFFFFEh, 0	; DATA XREF: NtAssociateWaitCompletionPacket+7o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_5F2670
		dd offset sub_5F2679
		align 8
dword_6A6A28	dd 0FFFFFFFEh, 0	; DATA XREF: IopQueryNameInternal+7o
		dd 0FFFFFF9Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_925E2E
		dd offset sub_925E3E
		dd 0FFFFFFFEh
		dd offset sub_925E4E
		dd offset sub_925E61
		dd 0FFFFFFFEh
		dd offset sub_925EA4
		dd offset sub_925EB7
		align 10h
dword_6A6A60	dd 0FFFFFFFEh, 0	; DATA XREF: IopBuildDeviceIoControlRequest+7o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset sub_5F26F6
		dd offset sub_5F26FC
		align 10h
dword_6A6A80	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:0083A867o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_83A9D7
		dd offset loc_83A9E7
		dd 0FFFFFFFEh
		dd offset loc_83AB2D
		dd offset loc_83AB3D
		dd 0FFFFFFFEh
		dd offset loc_83AD9F
		dd offset loc_83ADAF
		align 8
dword_6A6AB8	dd 0FFFFFFFEh, 0	; DATA XREF: NtSetTimerEx+7o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset sub_5F27E6
		dd offset sub_5F27F6
		dd 0FFFFFFFEh
		dd offset sub_5F2827
		dd offset sub_5F2837
dword_6A6AE0	dd 0FFFFFFFEh, 0	; DATA XREF: .text:0053E157o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_5F2CD9
		dd offset loc_5F2CDF
		align 10h
dword_6A6B00	dd 0FFFFFFFEh, 0	; DATA XREF: ObQueryDeviceMapInformation+7o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset sub_926027
		dd offset sub_926037
		align 10h
dword_6A6B20	dd 0FFFFFFE4h, 0	; DATA XREF: PAGE:0083B2A7o
		dd 0FFFFF898h, 0
		dd 0FFFFFFFEh
		dd offset loc_83B51C
		dd offset loc_83B52F
		dd 0FFFFFFFEh
		dd offset loc_83B62A
		dd offset loc_83B63D
		dd 0FFFFFFFEh
		dd offset loc_83B7A4
		dd offset loc_83B7B7
		dd 0FFFFFFFEh
		dd offset loc_83B824
		dd offset loc_83B837
		dd 0FFFFFFFEh
		dd offset loc_83B8ED
		dd offset loc_83B900
		dd 0FFFFFFFEh
		dd offset loc_83BAD7
		dd offset loc_83BAEA
		dd 0FFFFFFFEh
		dd offset loc_83BB6B
		dd offset loc_83BB7E
		dd 0FFFFFFFEh
		dd offset loc_83BCE3
		dd offset loc_83BCF6
		dd 0FFFFFFFEh
		dd offset loc_83BEDE
		dd offset loc_83BEF1
		dd 0FFFFFFFEh
		dd offset loc_83BFC7
		dd offset loc_83BFDA
		dd 0FFFFFFFEh
		dd offset loc_83C07B
		dd offset loc_83C08E
		dd 0FFFFFFFEh
		dd offset loc_83C111
		dd offset loc_83C124
		dd 0FFFFFFFEh
		dd offset loc_83C1E4
		dd offset loc_83C1F7
		dd 0FFFFFFFEh
		dd offset loc_83C298
		dd offset loc_83C2AB
		dd 0FFFFFFFEh
		dd offset loc_83C365
		dd offset loc_83C378
		dd 0FFFFFFFEh
		dd offset loc_83C460
		dd offset loc_83C473
		dd 0FFFFFFFEh
		dd offset loc_83C4E8
		dd offset loc_83C4FB
		dd 0FFFFFFFEh
		dd offset loc_83C54C
		dd offset loc_83C55F
		dd 0FFFFFFFEh
		dd offset loc_83C603
		dd offset loc_83C616
		dd 0FFFFFFFEh
		dd offset loc_83C6A9
		dd offset loc_83C6BC
		dd 0FFFFFFFEh
		dd offset loc_83C750
		dd offset loc_83C763
		dd 0FFFFFFFEh
		dd offset loc_83C7D0
		dd offset loc_83C7E3
		dd 0FFFFFFFEh
		dd offset loc_83C813
		dd offset loc_83C826
		dd 0FFFFFFFEh
		dd offset loc_83C899
		dd offset loc_83C8AC
		dd 0FFFFFFFEh
		dd offset loc_83CABE
		dd offset loc_83CAD1
		dd 0FFFFFFFEh
		dd offset loc_83CBFA
		dd offset loc_83CC0D
		dd 0FFFFFFFEh
		dd offset loc_83CCC8
		dd offset loc_83CCDB
		dd 0FFFFFFFEh
		dd offset loc_83CECB
		dd offset loc_83CEDE
		dd 0FFFFFFFEh
		dd offset loc_83CF70
		dd offset loc_83CF83
		dd 0FFFFFFFEh
		dd offset loc_83D01E
		dd offset loc_83D031
		dd 0FFFFFFFEh
		dd offset loc_83D0CD
		dd offset loc_83D0E0
		dd 0FFFFFFFEh
		dd offset loc_83D28B
		dd offset loc_83D29E
		dd 0FFFFFFFEh
		dd offset loc_83D3FB
		dd offset loc_83D40E
		dd 0FFFFFFFEh
		dd offset loc_83D3D1
		dd offset loc_83D3E4
		dd 0FFFFFFFEh
		dd offset loc_83D4A4
		dd offset loc_83D4B7
		dd 0FFFFFFFEh
		dd offset loc_83D5A5
		dd offset loc_83D5B8
		dd 0FFFFFFFEh
		dd offset loc_83D67D
		dd offset loc_83D690
		dd 0FFFFFFFEh
		dd offset loc_83D736
		dd offset loc_83D749
		dd 0FFFFFFFEh
		dd offset loc_83D7D1
		dd offset loc_83D7E4
		dd 0FFFFFFFEh
		dd offset loc_83D94E
		dd offset loc_83D961
		dd 0FFFFFFFEh
		dd offset loc_83D9F7
		dd offset loc_83DA0A
		dd 0FFFFFFFEh
		dd offset loc_83DAB3
		dd offset loc_83DAC6
		dd 0FFFFFFFEh
		dd offset loc_83E4EF
		dd offset loc_83E502
		dd 0FFFFFFFEh
		dd offset loc_83DC6B
		dd offset loc_83DC7E
		dd 0FFFFFFFEh
		dd offset loc_83DD13
		dd offset loc_83DD26
		dd 0FFFFFFFEh
		dd offset loc_83DDCA
		dd offset loc_83DDDD
		dd 0FFFFFFFEh
		dd offset loc_83DE77
		dd offset loc_83DE8A
		dd 0FFFFFFFEh
		dd offset loc_83DEE5
		dd offset loc_83DEF8
		dd 0FFFFFFFEh
		dd offset loc_83DF7A
		dd offset loc_83DF8D
		dd 0FFFFFFFEh
		dd offset loc_83DFE0
		dd offset loc_83DFF3
		dd 0FFFFFFFEh
		dd offset loc_83E06E
		dd offset loc_83E081
		dd 0FFFFFFFEh
		dd offset loc_83E129
		dd offset loc_83E13C
		dd 0FFFFFFFEh
		dd offset loc_83E18E
		dd offset loc_83E1A1
		dd 0FFFFFFFEh
		dd offset loc_83E2E4
		dd offset loc_83E2F7
		dd 0FFFFFFFEh
		dd offset loc_83E37B
		dd offset loc_83E38E
		dd 0FFFFFFFEh
		dd offset loc_83E3F3
		dd offset loc_83E406
		dd 0FFFFFFFEh
		dd offset loc_83E494
		dd offset loc_83E4A7
		dd 0FFFFFFFEh
		dd offset loc_83E5A2
		dd offset loc_83E5B5
		dd 0FFFFFFFEh
		dd offset loc_83E655
		dd offset loc_83E668
		dd 0FFFFFFFEh
		dd offset loc_83E7A3
		dd offset loc_83E7B6
		dd 0FFFFFFFEh
		dd offset loc_83E8B2
		dd offset loc_83E8C5
		dd 0FFFFFFFEh
		dd offset loc_83E968
		dd offset loc_83E97B
		dd 0FFFFFFFEh
		dd offset loc_83EB48
		dd offset loc_83EB5B
		dd 0FFFFFFFEh
		dd offset loc_83EB26
		dd offset loc_83EB39
		dd 0FFFFFFFEh
		dd offset loc_83EBF3
		dd offset loc_83EC06
		dd 0FFFFFFFEh
		dd offset loc_83EC93
		dd offset loc_83ECA6
		dd 0FFFFFFFEh
		dd offset loc_83ED6A
		dd offset loc_83ED7D
		dd 0FFFFFFFEh
		dd offset loc_83EE27
		dd offset loc_83EE3A
		dd 0FFFFFFFEh
		dd offset loc_83EEDA
		dd offset loc_83EEED
		dd 0FFFFFFFEh
		dd offset loc_83EF8D
		dd offset loc_83EFA0
		dd 0FFFFFFFEh
		dd offset loc_83F077
		dd offset loc_83F08A
		dd 0FFFFFFFEh
		dd offset loc_83F150
		dd offset loc_83F163
		dd 0FFFFFFFEh
		dd offset loc_83F244
		dd offset loc_83F257
		dd 0FFFFFFFEh
		dd offset loc_83F39B
		dd offset loc_83F3AE
		dd 0FFFFFFFEh
		dd offset loc_83F48E
		dd offset loc_83F4A1
		dd 0FFFFFFFEh
		dd offset loc_83F577
		dd offset loc_83F58A
		dd 0FFFFFFFEh
		dd offset loc_83F59F
		dd offset loc_83F5B2
		dd 0FFFFFFFEh
		dd offset loc_83F876
		dd offset loc_83F889
		dd 0FFFFFFFEh
		dd offset loc_83F97C
		dd offset loc_83F98F
		dd 0FFFFFFFEh
		dd offset loc_83F9D5
		dd offset loc_83F9E8
		dd 0FFFFFFFEh
		dd offset loc_83FA40
		dd offset loc_83FA53
		dd 0FFFFFFFEh
		dd offset loc_83FAA4
		dd offset loc_83FAB7
dword_6A6F08	dd 0FFFFFFFEh, 0	; DATA XREF: NtSetInformationObject+2o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_9264C0
		dd offset sub_9264D0
		align 8
dword_6A6F28	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+7o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_840B78
		dd offset loc_840B88
		dd 0FFFFFFFEh
		dd offset loc_840F26
		dd offset loc_840F2C
dword_6A6F50	dd 0FFFFFFE4h, 0	; DATA XREF: vDbgPrintExWithPrefixInternal+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset sub_5F31EE
		dd offset sub_5F31FC
		align 10h
dword_6A6F70	dd 0FFFFFFFEh, 0	; DATA XREF: NtSetThreadExecutionState+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9267F3
		dd offset loc_926801
		dd 0FFFFFFFEh
		dd offset sub_9267E0
		dd offset sub_9267EE
dword_6A6F98	dd 0FFFFFFFEh, 0	; DATA XREF: .text:00540418o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset loc_540494
		dd offset loc_5404A2
		align 8
dword_6A6FB8	dd 0FFFFFFFEh, 0	; DATA XREF: PoGetRequester(x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_54059D
		dd offset loc_5405A1
		align 8
dword_6A6FD8	dd 0FFFFFFE4h, 0	; DATA XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh
		dd offset loc_8431EA
		dd offset loc_8431F8
		dd 0FFFFFFFEh
		dd offset loc_843263
		dd offset loc_843271
		dd 0FFFFFFFEh
		dd offset loc_8433CE
		dd offset loc_8433DC
		dd 0FFFFFFFEh
		dd offset loc_8432AC
		dd offset loc_8432BA
dword_6A7018	dd 0FFFFFFFEh, 0	; DATA XREF: LdrpResGetMappingSize(x,x,x,x)+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_8434F2
		dd offset loc_843500
		align 8
dword_6A7038	dd 0FFFFFFE4h, 0	; DATA XREF: LdrpResSearchResourceMappedFile+5o
		dd 0FFFFFCACh, 0
		dd 0FFFFFFFEh
		dd offset sub_5F3600
		dd offset sub_5F3611
		dd 0FFFFFFFEh
		dd offset sub_5F3828
		dd offset sub_5F3814
dword_6A7060	dd 0FFFFFFFEh, 0	; DATA XREF: LdrpResSearchResourceInsideDirectory+2o
		dd 0FFFFFF64h, 0
		dd 0FFFFFFFEh
		dd offset sub_926AB1
		dd offset sub_926ABF
		align 10h
dword_6A7080	dd 0FFFFFFFEh, 0	; DATA XREF: LdrpResGetResourceDirectory+5o
		dd 0FFFFFEB4h, 0
		dd 0FFFFFFFEh
		dd offset sub_926B67
		dd offset sub_926B75
		dd 0FFFFFFFEh
		dd offset sub_926B44
		dd offset sub_926B52
dword_6A70A8	dd 0FFFFFFFEh, 0	; DATA XREF: LdrpGetAlternateResourceModuleHandleEx+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5F389F
		align 8
dword_6A70C8	dd 0FFFFFFFEh, 0	; DATA XREF: LdrpAccessResourceDataNoMultipleLanguage+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset sub_926C60
		dd offset sub_926C6E
		align 8
dword_6A70E8	dd 0FFFFFFFEh, 0	; DATA XREF: LdrRscIsTypeExist+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset sub_5F3A12
		dd offset sub_5F3A20
		align 8
dword_6A7108	dd 0FFFFFFE4h, 0	; DATA XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+5o
		dd 0FFFFFF48h, 0
		dd 0FFFFFFFEh
		dd offset loc_844B5D
		dd offset loc_844B6E
		align 8
dword_6A7128	dd 0FFFFFFE4h, 0	; DATA XREF: LdrLoadAlternateResourceModuleEx+5o
		dd 0FFFFFCE4h, 0
		dd 0FFFFFFFEh
		dd offset sub_5F3A5A
		dd offset sub_5F3A6B
		dd 0FFFFFFFEh
		dd offset sub_5F3AA7
		dd offset sub_5F3AB8
dword_6A7150	dd 0FFFFFFFEh, 0	; DATA XREF: LdrpGetFromMUIMemCache+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5F3AF2
		align 10h
dword_6A7170	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreateMutant(x,x,x,x)+7o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_844F28
		dd offset loc_844F38
		dd 0FFFFFFFEh
		dd offset loc_844FD5
		dd offset loc_844FDB
dword_6A7198	dd 0FFFFFFFEh, 0	; DATA XREF: PnpInsertEventInQueue+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset sub_927678
		dd offset sub_92767C
		align 8
dword_6A71B8	dd 0FFFFFFFEh, 0	; DATA XREF: PnpSetDeviceClassChange+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_927B5E
		dd offset sub_927B62
		align 8
dword_6A71D8	dd 0FFFFFFE4h, 0	; DATA XREF: EmpCacheBiosDate+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset sub_AE34F7
		dd offset sub_AE34FB
		align 8
dword_6A71F8	dd 0FFFFFFFEh, 0	; DATA XREF: RtlCharToInteger+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_928328
		dd offset sub_928336
		align 8
dword_6A7218	dd 0FFFFFFE4h, 0	; DATA XREF: KiInitializeKernel(x,x,x,x,x,x)+2o
		dd 0FFFFFF80h, 0
		dd 0FFFFFFFEh
		dd offset loc_7251FB
		dd offset loc_7251FF
		dd 0FFFFFFFEh
		dd offset loc_725854
		dd offset loc_7257FA
dword_6A7240	dd 0FFFFFFE4h, 0	; DATA XREF: PAGELK:00726E6Ao
		dd 0FFFFFF70h, 0
		dd 0FFFFFFFEh
		dd offset loc_72724C
		dd offset loc_727250
		align 10h
dword_6A7260	dd 0FFFFFFFEh, 0	; DATA XREF: PiSwIrpInterfaceSetState+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_92ADE3
		dd offset sub_92ADF5
		align 10h
dword_6A7280	dd 0FFFFFFFEh, 0	; DATA XREF: PiSwIrpInterfaceRegister+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset sub_92AEFF
		dd offset sub_92AF11
		align 10h
dword_6A72A0	dd 0FFFFFFFEh, 0	; DATA XREF: PiSwIrpStartCreate+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_92B0F9
		dd offset sub_92B10B
		align 10h
dword_6A72C0	dd 0FFFFFFFEh, 0	; DATA XREF: PiSwIrpInterfacePropertySet+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_92B52C
		dd offset sub_92B53E
		align 10h
dword_6A72E0	dd 0FFFFFFDCh, 0	; DATA XREF: ExpSetPendingUILanguage+19o
		dd 0FFFFFB60h, 0
		dd 0FFFFFFFEh
		dd offset sub_92C9E2
		dd offset sub_92C9E9
		align 10h
dword_6A7300	dd 0FFFFFFFEh, 0	; DATA XREF: MiCreatePagingFile+5o
		dd 0FFFFFF40h, 0
		dd 0FFFFFFFEh
		dd offset sub_92D8AA
		dd offset sub_92D8B8
		dd 0FFFFFFFEh
		dd offset sub_92D8DD
		dd offset sub_92D8EB
		dd 0FFFFFFFEh
		dd offset sub_92D906
		dd offset sub_92D914
		dd 0FFFFFFFEh
		dd offset sub_92D93B
		dd offset sub_92D949
dword_6A7340	dd 0FFFFFFFEh, 0	; DATA XREF: ExpQueryModuleInformationEx+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_92E22A
		dd offset sub_92E23A
		dd 0FFFFFFFEh
		dd offset sub_92E249
		dd offset sub_92E259
dword_6A7368	dd 0FFFFFFE4h, 0	; DATA XREF: NtLockProductActivationKeys+5o
		dd 0FFFFF73Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_92E695
		dd offset sub_92E6A6
		align 8
dword_6A7388	dd 0FFFFFFFEh, 0	; DATA XREF: PiDqIrpPropertySet+2o
		dd 0FFFFFF9Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_931DFE
		dd offset sub_931E10
		align 8
dword_6A73A8	dd 0FFFFFFFEh, 0	; DATA XREF: AslpFileMappingGetFileKind+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_9320F2
		dd offset sub_932100
		align 8
dword_6A73C8	dd 0FFFFFFFEh, 0	; DATA XREF: LdrpSetAlternateResourceModuleHandle+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5F9506
		align 8
dword_6A73E8	dd 0FFFFFFFEh, 0	; DATA XREF: PopBootStatGet+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset sub_933B5E
		dd offset sub_933B6C
		dd 0FFFFFFFEh
		dd offset sub_933B8E
		dd offset loc_933B71
dword_6A7410	dd 0FFFFFFFEh, 0	; DATA XREF: KeQueryCpuSetInformation+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset sub_934744
		dd offset sub_934754
		align 10h
dword_6A7430	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreateKeyedEvent+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_93510D
		dd offset loc_93511D
		dd 0FFFFFFFEh
		dd offset sub_9350EB
		dd offset sub_9350FB
dword_6A7458	dd 0FFFFFFFEh, 0	; DATA XREF: ExpQueryMemoryTopologyInformation+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_9351BB
		dd offset sub_9351CB
		align 8
dword_6A7478	dd 0FFFFFFE4h, 0	; DATA XREF: NtSetUuidSeed+5o
		dd 0FFFFFF58h, 0
		dd 0FFFFFFFEh
		dd offset sub_9352CE
		dd offset sub_9352DC
		align 8
dword_6A7498	dd 0FFFFFFE4h, 0	; DATA XREF: LdrpGetResourceFileName+17Do
		dd 0FFFFFF14h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_57A135
		align 8
dword_6A74B8	dd 0FFFFFFFEh, 0	; DATA XREF: CmpMachineHiveLoadedWorkItem+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset sub_9354F1
		dd offset loc_9354FC
		align 8
dword_6A74D8	dd 0FFFFFFE4h, 0	; DATA XREF: DbgkRegisterErrorPort+5o
		dd 0FFFFFF50h, 0
		dd 0FFFFFFFEh
		dd offset sub_93650E
		dd offset sub_93651C
		align 8
dword_6A74F8	dd 0FFFFFFE4h, 0	; DATA XREF: ExpNtDeleteWnfStateData+2o
		dd 0FFFFFF78h, 0
		dd 0FFFFFFFEh
		dd offset sub_936D66
		dd offset sub_936D76
		align 8
dword_6A7518	dd 0FFFFFFFEh, 0	; DATA XREF: SmProcessConfigRequest+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset sub_936F19
		dd offset sub_936F27
		align 8
dword_6A7538	dd 0FFFFFFFEh, 0	; DATA XREF: SmProcessRegistrationRequest+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_937231
		dd offset loc_93723F
		dd 0FFFFFFFEh
		dd offset sub_93721E
		dd offset sub_93722C
dword_6A7560	dd 0FFFFFFFEh, 0	; DATA XREF: ExInitializeLeapSecondData+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset sub_93728D
		dd offset sub_93729B
		align 10h
dword_6A7580	dd 0FFFFFFFEh, 0	; DATA XREF: ExpQueryInterruptSteeringInformation+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_937384
		dd offset loc_937394
		dd 0FFFFFFFEh
		dd offset sub_93732A
		dd offset sub_93733A
		dd 0FFFFFFFEh
		dd offset sub_937362
		dd offset sub_937372
		align 8
dword_6A75B8	dd 0FFFFFFE4h, 0	; DATA XREF: ExpGetSystemPlatformBinary+2o
		dd 0FFFFFF84h, 0
		dd 0FFFFFFFEh
		dd offset sub_9376B9
		dd offset sub_9376C9
		dd 0FFFFFFFEh
		dd offset sub_937685
		dd offset sub_937695
		dd 0FFFFFFFEh
		dd offset sub_937631
		dd offset sub_937641
		align 10h
dword_6A75F0	dd 0FFFFFFFEh, 0	; DATA XREF: CcSetupWatchForRegistryChanges+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_5FAA9B
		align 10h
dword_6A7610	dd 0FFFFFFE4h, 0	; DATA XREF: ExpGetSystemFlushInformation+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset sub_937E75
		dd offset sub_937E85
		align 10h
dword_6A7630	dd 0FFFFFFFEh, 0	; DATA XREF: ExpGetSystemWriteConstraintInformation+2o
		dd 0FFFFFF88h, 0
		dd 0FFFFFFFEh
		dd offset sub_9382B6
		dd offset sub_9382C6
		align 10h
dword_6A7650	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenPartition+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_9382D1
		dd offset sub_9382E1
		dd 0FFFFFFFEh
		dd offset sub_9382F3
		dd offset sub_938303
dword_6A7678	dd 0FFFFFFFEh, 0	; DATA XREF: HvlQueryEnlightenmentInfo+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset sub_9384CE
		dd offset sub_9384DC
		align 8
dword_6A7698	dd 0FFFFFFFEh, 0	; DATA XREF: IoQueryVhdBootInformation+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_9386F4
		dd offset sub_938702
		align 8
dword_6A76B8	dd 0FFFFFFFEh, 0	; DATA XREF: NtSystemDebugControl+5o
		dd 0FFFFFF30h, 0
		dd 0FFFFFFFEh
		dd offset sub_938801
		dd offset sub_93880F
		dd 0FFFFFFFEh
		dd offset sub_9388B2
		dd offset sub_9388C0
		dd 0FFFFFFFEh
		dd offset sub_938933
		dd offset sub_938941
		dd 0FFFFFFFEh
		dd offset sub_938A40
		dd offset sub_938A4E
		dd 0FFFFFFFEh
		dd offset sub_938A07
		dd offset sub_938A15
		dd 0FFFFFFFEh
		dd offset sub_9389B9
		dd offset sub_9389C7
		dd 0FFFFFFFEh
		dd offset sub_938982
		dd offset sub_938990
		dd 0FFFFFFFEh
		dd offset sub_938A79
		dd offset sub_938A87
		dd 0FFFFFFFEh
		dd offset sub_938AB0
		dd offset sub_938ABE
		dd 0FFFFFFFEh
		dd offset sub_938AD5
		dd offset loc_9388C5
		dd 0FFFFFFFEh
		dd offset sub_938B1F
		dd offset sub_938B2D
		dd 0FFFFFFFEh
		dd offset sub_938B79
		dd offset sub_938B87
		dd 0FFFFFFFEh
		dd offset sub_938BDE
		dd offset sub_938BEC
		dd 0FFFFFFFEh
		dd offset sub_938D04
		dd offset sub_938D12
		dd 0FFFFFFFEh
		dd offset sub_938D68
		dd offset sub_938D76
		dd 0FFFFFFFEh
		dd offset sub_938DD6
		dd offset sub_938DDA
dword_6A7788	dd 0FFFFFFFEh, 0	; DATA XREF: NtListenPort+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_938E17
		dd offset loc_938E25
		align 8
dword_6A77A8	dd 0FFFFFFFEh, 0	; DATA XREF: PsQueryCpuQuotaInformation+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset sub_5FBA78
		dd offset sub_5FBA86
		dd 0FFFFFFFEh
		dd offset sub_5FBAED
		dd offset sub_5FBB01
		dd 0FFFFFFFEh
		dd offset sub_5FBB3F
		dd offset sub_5FBB53
		align 10h
dword_6A77E0	dd 0FFFFFFFEh, 0	; DATA XREF: CcLockSystemCacheBuffer(x,x,x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_5FCEE9
		dd offset loc_5FCEF7
		align 10h
dword_6A7800	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenRegistryTransaction(x,x,x)+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_93A3EC
		dd offset loc_93A3FA
		dd 0FFFFFFFEh
		dd offset loc_93A454
		dd offset loc_93A462
dword_6A7828	dd 0FFFFFFFEh, 0	; DATA XREF: NtCompactKeys(x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_93A0CF
		dd offset loc_93A0DD
		align 8
dword_6A7848	dd 0FFFFFFE4h, 0	; DATA XREF: NtRenameKey(x,x)+5o
		dd 0FFFFFF58h, 0
		dd 0FFFFFFFEh
		dd offset loc_93AD14
		dd offset loc_93AD22
		align 8
dword_6A7868	dd 0FFFFFFE4h, 0	; DATA XREF: NtQueryOpenSubKeysEx(x,x,x,x)+5o
		dd 0FFFFFEC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_93A9B2
		dd offset loc_93A9C3
		dd 0FFFFFFFEh
		dd offset loc_93A999
		dd offset loc_93A9AA
		dd 0FFFFFFFEh
		dd offset loc_93A980
		dd offset loc_93A991
		align 10h
dword_6A78A0	dd 0FFFFFFE4h, 0	; DATA XREF: NtQueryOpenSubKeys(x,x)+5o
		dd 0FFFFFEE8h, 0
		dd 0FFFFFFFEh
		dd offset loc_93A64C
		dd offset loc_93A65D
		dd 0FFFFFFFEh
		dd offset loc_93A633
		dd offset loc_93A644
dword_6A78C8	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:00732002o
		dd 0FFFFFF84h, 0
		dd 0FFFFFFFEh
		dd offset loc_732273
		dd offset loc_732281
		dd 0FFFFFFFEh
		dd offset loc_732260
		dd offset loc_73226E
dword_6A78F0	dd 0FFFFFFFEh, 0	; DATA XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+19o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_7323F1
		dd offset loc_732402
		align 10h
dword_6A7910	dd 0FFFFFFFEh, 0	; DATA XREF: CmpMachineHiveCallbackFatalFilter(x,x)+18o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_93BB83
		dd offset loc_93BB87
		align 10h
dword_6A7930	dd 0FFFFFFFEh, 0	; DATA XREF: CmUpdateFeatureUsageSubscription(x,x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_93CB92
		dd offset loc_93CBA2
		align 10h
dword_6A7950	dd 0FFFFFFFEh, 0	; DATA XREF: CmUpdateFeatureConfiguration(x,x,x)+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_93CA49
		dd offset loc_93CA59
		align 10h
dword_6A7970	dd 0FFFFFFFEh, 0	; DATA XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+5o
		dd 0FFFFFF4Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_732B6B
		dd offset loc_732B7C
		dd 0FFFFFFFEh
		dd offset loc_733096
		dd offset loc_7330A7
dword_6A7998	dd 0FFFFFFFEh, 0	; DATA XREF: CmSetRegistryQuotaInformation(x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_93CC8F
		dd offset loc_93CC9D
		align 8
dword_6A79B8	dd 0FFFFFFFEh, 0	; DATA XREF: CmQueryRegistryQuotaInformation(x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_93CC0A
		dd offset loc_93CC18
		align 8
dword_6A79D8	dd 0FFFFFFFEh, 0	; DATA XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+2o
		dd 0FFFFFF74h, 0
		dd 0FFFFFFFEh
		dd offset loc_93DB5E
		dd offset loc_93DB6C
		align 8
dword_6A79F8	dd 0FFFFFFFEh, 0	; DATA XREF: HvpViewMapMigrateCOWData(x,x,x)+2o
		dd 0FFFFFF9Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_943EDE
		dd offset loc_943E92
		align 8
dword_6A7A18	dd 0FFFFFFFEh, 0	; DATA XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+5o
		dd 0FFFFFF4Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_60006C
		dd offset loc_60007D
		dd 0FFFFFFFEh
		dd offset loc_6000C2
		dd offset loc_6000D3
		dd 0FFFFFFFEh
		dd offset loc_600197
		dd offset loc_6001A8
		dd 0FFFFFFFEh
		dd offset loc_60020C
		dd offset loc_60021D
dword_6A7A58	dd 0FFFFFFE4h, 0	; DATA XREF: VrpPreQueryKeyName(x,x)+5o
		dd 0FFFFFF58h, 0
		dd 0FFFFFFFEh
		dd offset loc_953900
		dd offset loc_953911
		align 8
dword_6A7A78	dd 0FFFFFFE4h, 0	; DATA XREF: VrpPreLoadKey(x,x)+5o
		dd 0FFFFFDF0h, 0
		dd 0FFFFFFFEh
		dd offset loc_953611
		dd offset loc_953615
		align 8
dword_6A7A98	dd 0FFFFFFFEh, 0	; DATA XREF: NtSetInformationDebugObject(x,x,x,x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9551F4
		dd offset loc_955204
		align 8
dword_6A7AB8	dd 0FFFFFFFEh, 0	; DATA XREF: NtDebugContinue(x,x,x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_955013
		dd offset loc_955023
		align 8
dword_6A7AD8	dd 0FFFFFFFEh, 0	; DATA XREF: NtWaitForDebugEvent(x,x,x,x)+5o
		dd 0FFFFFF38h, 0
		dd 0FFFFFFFEh
		dd offset loc_9554E8
		dd offset loc_9554F8
		dd 0FFFFFFFEh
		dd offset loc_9554C7
		dd offset loc_9554D7
dword_6A7B00	dd 0FFFFFFFEh, 0	; DATA XREF: DbgkpPostModuleMessages(x,x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_954716
		dd offset loc_95471A
		align 10h
dword_6A7B20	dd 0FFFFFFE4h, 0	; DATA XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+5o
		dd 0FFFFFEDCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9544AD
		dd offset loc_9544B1
		align 10h
dword_6A7B40	dd 0FFFFFFE4h, 0	; DATA XREF: DbgkSendSystemDllMessages(x,x,x)+2o
		dd 0FFFFFF74h, 0
		dd 0FFFFFFFEh
		dd offset loc_953D7B
		dd offset loc_953D7F
		dd 0FFFFFFFEh
		dd offset loc_953E34
		dd offset loc_953E38
dword_6A7B68	dd 0FFFFFFFEh, 0	; DATA XREF: NtCreateDebugObject(x,x,x,x)+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_954D5B
		dd offset loc_954D6B
		dd 0FFFFFFFEh
		dd offset loc_954D3C
		dd offset loc_954D4C
dword_6A7B90	dd 0FFFFFFE4h, 0	; DATA XREF: DbgkpMarkProcessPeb(x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9540FF
		dd offset loc_954103
		align 10h
dword_6A7BB0	dd 0FFFFFFE4h, 0	; DATA XREF: DbgkUserReportWorkRoutine(x)+2o
		dd 0FFFFFF80h, 0
		dd 0FFFFFFFEh
		dd offset loc_955797
		dd offset loc_9557A5
		align 10h
dword_6A7BD0	dd 0FFFFFFFEh, 0	; DATA XREF: DbgkpSuppressDbgMsg(x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_955C66
		dd offset loc_955C6A
		align 10h
dword_6A7BF0	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_958B3F
		dd offset loc_958B56
		align 10h
dword_6A7C10	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlMdlReadDev(x,x,x,x,x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9587DE
		dd offset loc_9587F5
		align 10h
dword_6A7C30	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_9582A9
		dd offset loc_9582C0
		align 10h
dword_6A7C50	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_957EDB
		dd offset loc_957EF2
		align 10h
dword_6A7C70	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlSplitLargeMcb(x,x,x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_60139E
		align 10h
dword_6A7C90	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlLookupLastLargeMcbEntryAndIndex(x,x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_601080
		align 10h
dword_6A7CB0	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlLookupLastLargeMcbEntry(x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_601018
		align 10h
dword_6A7CD0	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlLookupLargeMcbEntry(x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_600FB3
		align 10h
dword_6A7CF0	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlRemoveLargeMcbEntry(x,x,x,x,x)+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_6011C0
		align 10h
dword_6A7D10	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpCancelExclusiveIrp(x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_602583
		align 10h
dword_6A7D30	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpCancelReadOnlyOplockIrp(x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_60266F
		align 10h
dword_6A7D50	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpCancelWaitingIrp(x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_602750
		align 10h
dword_6A7D70	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_602E63
		align 10h
dword_6A7D90	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpOplockBreakNotify(x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_9590A3
		align 10h
dword_6A7DB0	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpOpBatchBreakClosePending(x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_958FBE
		align 10h
dword_6A7DD0	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_602413
		align 10h
dword_6A7DF0	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_601CF6
		align 10h
dword_6A7E10	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlOplockBreakToNoneEx(x,x,x,x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_601A58
		align 10h
dword_6A7E30	dd 0FFFFFFE4h, 0	; DATA XREF: FsRtlCheckOplockForFsFilterCallback(x,x,x)+5o
		dd 0FFFFFF10h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_7357DA
		align 10h
dword_6A7E50	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlQueryInformationFile(x,x,x,x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_95934A
		align 10h
dword_6A7E70	dd 0FFFFFFFEh, 0	; DATA XREF: FsRtlNotifyCleanupAll(x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_95A2D9
		align 10h
dword_6A7E90	dd 0FFFFFFE4h, 0	; DATA XREF: HvlQueryDetailInfo(x,x,x,x)+5o
		dd 0FFFFFF58h, 0
		dd 0FFFFFFFEh
		dd offset loc_95AFA7
		dd offset loc_95AFB8
		align 10h
dword_6A7EB0	dd 0FFFFFFE4h, 0	; DATA XREF: IoRaiseHardError(x,x,x)+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_608E76
		dd offset loc_608E7A
		align 10h
dword_6A7ED0	dd 0FFFFFFFEh, 0	; DATA XREF: IopProcessBufferedIoCompletion(x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_5904EF
		dd offset loc_590502
		align 10h
dword_6A7EF0	dd 0FFFFFFFEh, 0	; DATA XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+3A0o
		dd 0FFFFFF84h, 0
		dd 0FFFFFFFEh
		dd offset loc_95DCCF
		dd offset loc_95DCDD
		align 10h
dword_6A7F10	dd 0FFFFFFFEh, 0	; DATA XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+5o
		dd 0FFFFFF50h, 0
		dd 0FFFFFFFEh
		dd offset loc_95E598
		dd offset loc_95E5A6
		dd 0FFFFFFFEh
		dd offset loc_95E56C
		dd offset loc_95E57A
dword_6A7F38	dd 0FFFFFFFEh, 0	; DATA XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset loc_95D860
		dd offset loc_95D86E
		dd 0FFFFFFFEh
		dd offset loc_95DA53
		dd offset loc_95DA61
		dd 0FFFFFFFEh
		dd offset loc_95DB2B
		dd offset loc_95DB39
		align 10h
dword_6A7F70	dd 0FFFFFFFEh, 0	; DATA XREF: IopInvalidateVolumesForDevice(x)+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset loc_95CF29
		dd offset loc_95CF37
		align 10h
dword_6A7F90	dd 0FFFFFFE4h, 0	; DATA XREF: IopInitActivityIdIrp(x)+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_60A563
		dd offset loc_60A567
		align 10h
dword_6A7FB0	dd 0FFFFFFFEh, 0	; DATA XREF: IopDumpCallRemovePagesCallbacks(x)+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_60C7B5
		dd offset loc_60C7C3
		align 10h
dword_6A7FD0	dd 0FFFFFFFEh, 0	; DATA XREF: IopDumpCallAddPagesCallbacks(x)+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_60C6A0
		dd offset loc_60C6AE
		align 10h
dword_6A7FF0	dd 0FFFFFFFEh, 0	; DATA XREF: IopFillTriageDumpDataBlocks(x,x,x,x)+2o
		dd 0FFFFFFA4h, 0
dword_6A8000	dd 0FFFFFFFEh		; DATA XREF: .text:00430608o
		dd offset loc_60C946
		dd offset loc_60C94A
		align 10h
dword_6A8010	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryIoCompletion(x,x,x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_95E792
		dd offset loc_95E7A2
		dd 0FFFFFFFEh
		dd offset loc_95E808
		dd offset loc_95E80E
dword_6A8038	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenIoCompletion(x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_95E6C7
		dd offset loc_95E6D7
		dd 0FFFFFFFEh
		dd offset loc_95E6E6
		dd offset loc_95E6EC
dword_6A8060	dd 0FFFFFFFEh, 0	; DATA XREF: NtCancelSynchronousIoFile(x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_95E8C4
		dd offset loc_95E8D2
		dd 0FFFFFFFEh
		dd offset loc_95E8E1
		dd offset loc_95E8E5
dword_6A8088	dd 0FFFFFFFEh, 0	; DATA XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFF6Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_735A29
		dd offset loc_735A35
		dd 0FFFFFFFEh
		dd offset loc_735C7E
		dd offset loc_735C8A
		dd 0FFFFFFFEh
		dd offset loc_735D2C
		dd offset loc_735D38
		align 10h
dword_6A80C0	dd 0FFFFFFFEh, 0	; DATA XREF: NtSetEaFile(x,x,x,x)+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_95F6B6
		dd offset loc_95F6C4
		dd 0FFFFFFFEh
		dd offset loc_95F89E
		dd offset loc_95F8AC
		dd 0FFFFFFFEh
		dd offset loc_95F92C
		dd offset loc_95F93A
		align 8
dword_6A80F8	dd 0FFFFFFFEh, 0	; DATA XREF: IopQueryProcessIdsUsingFile(x,x,x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_95FBDB
		dd offset loc_95FBE9
		dd 0FFFFFFFEh
		dd offset loc_95FB93
		dd offset loc_95FBA1
dword_6A8120	dd 0FFFFFFFEh, 0	; DATA XREF: PAGE:0095FC15o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh
		dd offset loc_95FD8F
		dd offset loc_95FD9D
		dd 0FFFFFFFEh
		dd offset loc_95FE0A
		dd offset loc_95FE18
		dd 0FFFFFFFEh
		dd offset loc_9600BA
		dd offset loc_9600C8
		dd 0FFFFFFFEh
		dd offset loc_96014E
		dd offset loc_96015C
dword_6A8160	dd 0FFFFFFE4h, 0	; DATA XREF: NtSetVolumeInformationFile(x,x,x,x,x)+2o
		dd 0FFFFFF74h, 0
		dd 0FFFFFFFEh
		dd offset loc_960311
		dd offset loc_96031F
		dd 0FFFFFFFEh
		dd offset loc_960541
		dd offset loc_96054F
dword_6A8188	dd 0FFFFFFFEh, 0	; DATA XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFF84h, 0
		dd 0FFFFFFFEh
		dd offset loc_735E8D
		dd offset loc_735E99
		dd 0FFFFFFFEh
		dd offset loc_736102
		dd offset loc_736110
		dd 0FFFFFFFEh
		dd offset loc_736344
		dd offset loc_736352
		dd 0FFFFFFFEh
		dd offset loc_7363C0
		dd offset loc_7363CE
dword_6A81C8	dd 0FFFFFFFEh, 0	; DATA XREF: IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFF7Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_736514
		dd offset loc_736522
		align 8
dword_6A81E8	dd 0FFFFFFFEh, 0	; DATA XREF: .text:00591362o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_59146E
		dd offset loc_59147A
		align 8
dword_6A8208	dd 0FFFFFFFEh, 0	; DATA XREF: IopAllocateAndPopulateWriteIrp(x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_5911FD
		dd offset loc_59120B
		dd 0FFFFFFFEh
		dd offset loc_591279
		dd offset loc_591287
dword_6A8230	dd 0FFFFFFE4h, 0	; DATA XREF: IopLiveDumpCallRemovePagesCallbacks(x)+5o
		dd 0FFFFFF60h, 0
		dd 0FFFFFFFEh
		dd offset loc_72BAF8
		dd offset loc_72BB06
		align 10h
dword_6A8250	dd 0FFFFFFFEh, 0	; DATA XREF: IovBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_A58FEB
		dd offset sub_A58FF9
		align 10h
dword_6A8270	dd 0FFFFFFFEh, 0	; DATA XREF: IovBuildSynchronousFsdRequest(x,x,x,x,x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_A5906F
		dd offset sub_A5907D
		align 10h
dword_6A8290	dd 0FFFFFFFEh, 0	; DATA XREF: IovBuildAsynchronousFsdRequest(x,x,x,x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_A58F60
		dd offset sub_A58F6E
		align 10h
dword_6A82B0	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_983573
		dd offset loc_983581
		align 10h
dword_6A82D0	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_983241
		dd offset loc_98324F
		align 10h
dword_6A82F0	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMCaptureProblemInputData(x,x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9834A4
		dd offset loc_9834B2
		align 10h
dword_6A8310	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMCaptureEnumerateInputData(x,x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9833F9
		dd offset loc_983407
		align 10h
dword_6A8330	dd 0FFFFFFFEh, 0	; DATA XREF: PiCMReturnDepthResultData(x,x,x,x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9854C8
		dd offset loc_9854D6
		align 10h
dword_6A8350	dd 0FFFFFFE4h, 0	; DATA XREF: KdpPrompt(x,x,x,x,x,x,x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_A4DCE4
		dd offset loc_A4DCE8
		dd 0FFFFFFFEh
		dd offset loc_A4DD58
		dd offset loc_A4DD5C
dword_6A8378	dd 0FFFFFFE4h, 0	; DATA XREF: KdpPrint(x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A4DBE0
		dd offset loc_A4DBE4
		align 8
dword_6A8398	dd 0FFFFFFFEh, 0	; DATA XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+5o
		dd 0FFFFFEECh, 0
		dd 0FFFFFFFEh
		dd offset loc_98F774
		dd offset loc_98F782
		align 8
dword_6A83B8	dd 0FFFFFFFEh, 0	; DATA XREF: KdpSysReadMsr(x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A4ECCD
		dd offset loc_A4ECD1
		align 8
dword_6A83D8	dd 0FFFFFFFEh, 0	; DATA XREF: KdpSysWriteMsr(x,x)+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A4EE34
		dd offset loc_A4EE38
		align 8
dword_6A83F8	dd 0FFFFFFBCh, 0	; DATA XREF: KeChangeEnclavePageProtection(x,x)+19o
		dd 0FFFFFF00h, 0
		dd 0FFFFFFFEh
		dd offset loc_618DDA
		dd offset loc_618DEE
		align 8
dword_6A8418	dd 0FFFFFFBCh, 0	; DATA XREF: KeCanChangeEnclavePageProtection(x,x)+19o
		dd 0FFFFFF00h, 0
		dd 0FFFFFFFEh
		dd offset loc_618C64
		dd offset loc_618C78
		align 8
dword_6A8438	dd 0FFFFFFFEh, 0	; DATA XREF: KeTrackEnclaveTbFlush(x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_618FEF
		dd offset loc_618FFD
		align 8
dword_6A8458	dd 0FFFFFFFEh, 0	; DATA XREF: KeDebugWriteEnclaveMemory(x,x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_990429
		dd offset loc_990437
		align 8
dword_6A8478	dd 0FFFFFFFEh, 0	; DATA XREF: KeDebugReadEnclaveMemory(x,x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_99039D
		dd offset loc_9903AB
		align 8
dword_6A8498	dd 0FFFFFFFEh, 0	; DATA XREF: KeBlockEnclavePage(x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_618B86
		dd offset loc_618B94
		align 8
dword_6A84B8	dd 0FFFFFFBCh, 0	; DATA XREF: KeAddEnclavePage(x,x,x,x,x,x)+19o
		dd 0FFFFFF00h, 0
		dd 0FFFFFFFEh
		dd offset loc_618AEF
		dd offset loc_618B03
		align 8
dword_6A84D8	dd 0FFFFFFFEh, 0	; DATA XREF: KeInitializeEnclave(x,x,x,x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9904DE
		dd offset loc_9904EC
		align 8
dword_6A84F8	dd 0FFFFFFFEh, 0	; DATA XREF: KeCreateEnclaveMetadataPage(x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_618E5C
		dd offset loc_618E6A
		align 8
dword_6A8518	dd 0FFFFFFBCh, 0	; DATA XREF: KeCreateEnclave(x,x,x,x,x,x,x,x)+19o
		dd 0FFFFFF00h, 0
		dd 0FFFFFFFEh
		dd offset loc_9902F8
		dd offset loc_99030C
		align 8
dword_6A8538	dd 0FFFFFFFEh, 0	; DATA XREF: KeRemoveEnclavePage(x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_618F80
		dd offset loc_618F8E
		align 8
dword_6A8558	dd 0FFFFFFE4h, 0	; DATA XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+5o
		dd 0FFFFFF54h, 0
		dd 0FFFFFFFEh
		dd offset loc_990B9B
		dd offset loc_990BAC
		align 8
dword_6A8578	dd 0FFFFFFFEh, 0	; DATA XREF: VdmDispatchStringIoToHandler(x,x,x,x,x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_990E30
		dd offset loc_990E34
		align 8
dword_6A8598	dd 0FFFFFFE4h, 0	; DATA XREF: Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)+5o
		dd 0FFFFFF04h, 0
		dd 0FFFFFFFEh
		dd offset loc_99094B
		dd offset loc_99094F
		align 8
dword_6A85B8	dd 0FFFFFFE4h, 0	; DATA XREF: Ki386VdmDispatchIo(x,x,x,x,x)+5o
		dd 0FFFFFF00h, 0
		dd 0FFFFFFFEh
		dd offset loc_9907AC
		dd offset loc_9907B0
		align 8
dword_6A85D8	dd 0FFFFFFFEh, 0	; DATA XREF: Ki386CheckDivideByZeroTrap(x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_991178
		dd offset loc_99117C
		align 8
dword_6A85F8	dd 0FFFFFFFEh, 0	; DATA XREF: KiInvokeBugCheckAddTriageDumpDataCallbacks()+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset loc_61D0EC
		dd offset loc_61D0F0
		align 8
dword_6A8618	dd 0FFFFFFFEh, 0	; DATA XREF: KiInvokeBugCheckEntryCallbacks(x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_61D174
		dd offset loc_61D178
		align 8
dword_6A8638	dd 0FFFFFFFEh, 0	; DATA XREF: KiBugCheckDebugBreak(x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_61C97E
		dd offset loc_61C982
		dd 0FFFFFFFEh
		dd offset sub_61CA13
		dd offset sub_61CA17
dword_6A8660	dd 0FFFFFFFEh, 0	; DATA XREF: KiScanBugCheckCallbackList()+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_61D3A2
		dd offset loc_61D3A6
		align 10h
dword_6A8680	dd 0FFFFFFFEh, 0	; DATA XREF: KeGetBugMessageText(x,x)+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_61C6FF
		dd offset loc_61C703
		align 10h
dword_6A86A0	dd 0FFFFFFFEh, 0	; DATA XREF: KiCopyCountersWorker(x,x)+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset loc_99178B
		dd offset loc_991799
		align 10h
dword_6A86C0	dd 0FFFFFFFEh, 0	; DATA XREF: KeRaiseUserException(x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_61FC19
		dd offset loc_61FC1D
		align 10h
dword_6A86E0	dd 0FFFFFFFEh, 0	; DATA XREF: KeQuerySpeculationControlInformation(x,x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_992000
		dd offset loc_992010
		align 10h
dword_6A8700	dd 0FFFFFFFEh, 0	; DATA XREF: KeGetAffinitizedInterruptsInfo(x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_620FA8
		dd offset loc_620FB8
		align 10h
dword_6A8720	dd 0FFFFFFFEh, 0	; DATA XREF: KeQueryKvaShadowInformation(x,x,x)+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9920F4
		dd offset loc_9920FA
		align 10h
dword_6A8740	dd 0FFFFFFFEh, 0	; DATA XREF: KiFlushReadyLists(x,x,x)+86o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_62299F
		dd offset loc_6229A3
		align 10h
dword_6A8760	dd 0FFFFFFFEh, 0	; DATA XREF: LpcpRequestWaitReplyPort(x,x,x,x,x,x)+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh, 3 dup(0)
dword_6A8780	dd 0FFFFFFFEh, 0	; DATA XREF: NtReplyWaitReplyPort(x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9945C6
		dd offset loc_9945D4
		align 10h
dword_6A87A0	dd 0FFFFFFFEh, 0	; DATA XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9941B7
		dd offset loc_9941C5
		dd 0FFFFFFFEh
		dd offset loc_99432D
		dd offset loc_994331
dword_6A87C8	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryInformationPort(x,x,x,x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_99448C
		dd offset loc_99449A
		dd 0FFFFFFFEh
		dd offset loc_9944A9
		dd offset loc_9944B7
dword_6A87F0	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpQueryTokenModifiedIdMessage(x,x,x,x,x)+2o
		dd 0FFFFFF68h, 0
		dd 0FFFFFFFEh
		dd offset loc_9947DB
		dd offset loc_9947E9
		align 10h
dword_6A8810	dd 0FFFFFFFEh, 0	; DATA XREF: NtAlpcImpersonateClientContainerOfPort(x,x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_994A39
		dd offset loc_994A47
		dd 0FFFFFFFEh
		dd offset loc_994A06
		dd offset loc_994A0A
dword_6A8838	dd 0FFFFFFFEh, 0	; DATA XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9951B9
		dd offset loc_9951C7
		dd 0FFFFFFFEh
		dd offset loc_99542D
		dd offset loc_99543B
dword_6A8860	dd 0FFFFFFE4h, 0	; DATA XREF: MiSetPagesModified(x,x)+5o
		dd 0FFFFFF48h, 0
		dd 0FFFFFFFEh
		dd offset loc_62BC4B
		dd offset loc_62BC5C
		align 10h
dword_6A8880	dd 0FFFFFFE4h, 0	; DATA XREF: MmRotatePhysicalView(x,x,x,x,x,x)+5o
		dd 0FFFFFEBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9996F5
		dd offset loc_999706
		align 10h
dword_6A88A0	dd 0FFFFFFFEh, 0	; DATA XREF: MiDbgCopyMemory(x,x,x,x,x,x)+2o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh
		dd offset loc_633D51
		dd offset loc_633D5F
		align 10h
dword_6A88C0	dd 0FFFFFFE4h, 0	; DATA XREF: MiCopyToUntrustedMemory(x,x,x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_633BD0
		dd offset loc_633BDE
		align 10h
dword_6A88E0	dd 0FFFFFFE4h, 0	; DATA XREF: MiCopyFromUntrustedMemory(x,x,x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_633ABE
		dd offset loc_633ACC
		align 10h
dword_6A8900	dd 0FFFFFFE4h, 0	; DATA XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+2EAo
		dd 0FFFFFF88h, 0
		dd 0FFFFFFFEh
		dd offset loc_99C2F0
		dd offset loc_99C2FE
		dd 0FFFFFFFEh
		dd offset loc_99C39D
		dd offset loc_99C3AD
		dd 0FFFFFFFEh
		dd offset loc_99C445
		dd offset loc_99C44B
		align 8
dword_6A8938	dd 0FFFFFFE4h, 0	; DATA XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFF6Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_99C51D
		dd offset loc_99C52B
		dd 0FFFFFFFEh
		dd offset loc_99C69F
		dd offset loc_99C6AF
		dd 0FFFFFFFEh
		dd offset loc_99C679
		dd offset loc_99C687
		dd 0FFFFFFFEh
		dd offset loc_99C7DE
		dd offset loc_99C7E4
		dd 0FFFFFFFEh
		dd offset loc_99C808
		dd offset loc_99C80E
		align 8
dword_6A8988	dd 0FFFFFFE4h, 0	; DATA XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFF84h, 0
		dd 0FFFFFFFEh
		dd offset loc_99C007
		dd offset loc_99C015
		dd 0FFFFFFFEh
		dd offset loc_99C1E1
		dd offset loc_99C1F1
		dd 0FFFFFFFEh
		dd offset loc_99C152
		dd offset loc_99C162
		dd 0FFFFFFFEh
		dd offset loc_99C226
		dd offset loc_99C22C
		dd 0FFFFFFFEh
		dd offset loc_99C24D
		dd offset loc_99C253
		align 8
dword_6A89D8	dd 0FFFFFFE4h, 0	; DATA XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+5o
		dd 0FFFFFF00h, 0
		dd 0FFFFFFFEh
		dd offset loc_99B877
		dd offset loc_99B888
		dd 0FFFFFFFEh
		dd offset loc_99B8CC
		dd offset loc_99B8DF
		dd 0FFFFFFFEh
		dd offset loc_99B971
		dd offset loc_99B982
		align 10h
dword_6A8A10	dd 0FFFFFFDCh, 0	; DATA XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+19o
		dd 0FFFFFEC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_635D64
		dd offset loc_635D87
		align 10h
dword_6A8A30	dd 0FFFFFFE4h, 0	; DATA XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+5o
		dd 0FFFFFF48h, 0
		dd 0FFFFFFFEh
		dd offset loc_99C926
		dd offset loc_99C937
		dd 0FFFFFFFEh
		dd offset loc_99CA44
		dd offset loc_99CA55
		dd 0FFFFFFFEh
		dd offset loc_99CC98
		dd offset loc_99CCA9
		dd 0FFFFFFFEh
		dd offset loc_99CC5B
		dd offset loc_99CC6C
dword_6A8A70	dd 0FFFFFFFEh, 0	; DATA XREF: MiCaptureUlongPtrArray(x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_99D771
		dd offset loc_99D77F
		align 10h
dword_6A8A90	dd 0FFFFFFE4h, 0	; DATA XREF: NtFreeUserPhysicalPages(x,x,x)+5o
		dd 0FFFFF768h, 0
		dd 0FFFFFFFEh
		dd offset loc_99E789
		dd offset loc_99E79C
		dd 0FFFFFFFEh
		dd offset loc_99E773
		dd offset loc_99E777
dword_6A8AB8	dd 0FFFFFFE4h, 0	; DATA XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+5o
		dd 0FFFFFF14h, 0
		dd 0FFFFFFFEh
		dd offset loc_99D676
		dd offset loc_99D689
		dd 0FFFFFFFEh
		dd offset loc_99D5C9
		dd offset loc_99D5CF
dword_6A8AE0	dd 0FFFFFFE4h, 0	; DATA XREF: MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)+5o
		dd 0FFFFFEF8h, 0
		dd 0FFFFFFFEh
		dd offset loc_595260
		dd offset loc_595264
		align 10h
dword_6A8B00	dd 0FFFFFFFEh, 0	; DATA XREF: MiPerformCombineScan(x,x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_6421F3
		dd offset loc_6421F7
		align 10h
dword_6A8B20	dd 0FFFFFFFEh, 0	; DATA XREF: MiConvertStandbyToProto(x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh
		dd offset loc_6413CC
		dd offset loc_6413D0
		align 10h
dword_6A8B40	dd 0FFFFFFFEh, 0	; DATA XREF: MiFillCombinePage(x,x,x,x)+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset loc_641B5C
		dd offset loc_641B60
		align 10h
dword_6A8B60	dd 0FFFFFFFEh, 0	; DATA XREF: MiMapSystemImageWithLargePage(x,x,x,x)+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset a3@LeslurlmS	; "3@ËeUM\x1B"
		dd offset a3@LeslurlmS+4
		align 10h
dword_6A8B80	dd 0FFFFFFFEh, 0	; DATA XREF: MmManagePartitionNodeInformation(x,x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset sub_9A266A
		dd offset sub_9A2678
		align 10h
dword_6A8BA0	dd 0FFFFFFFEh, 0	; DATA XREF: MmManagePartitionInitialAddMemory(x,x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9A2328
		dd offset loc_9A2336
		align 10h
dword_6A8BC0	dd 0FFFFFFE4h, 0	; DATA XREF: MmSetSystemVaInformation(x,x,x)+5o
		dd 0FFFFFF4Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_9A2883
		dd offset loc_9A2894
		align 10h
dword_6A8BE0	dd 0FFFFFFE4h, 0	; DATA XREF: MmQuerySystemVaInformation(x,x,x)+5o
		dd 0FFFFFF54h, 0
		dd 0FFFFFFFEh
		dd offset loc_9A27AC
		dd offset loc_9A27BD
		align 10h
dword_6A8C00	dd 0FFFFFFE4h, 0	; DATA XREF: MiScrubLargeMappedPage(x,x,x)+5o
		dd 0FFFFFEE4h, 0
		dd 0FFFFFFFEh
		dd offset loc_647238
		dd offset loc_64723C
		align 10h
dword_6A8C20	dd 0FFFFFFFEh, 0	; DATA XREF: NtSetInformationSymbolicLink(x,x,x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9A351F
		dd offset loc_9A352D
		dd 0FFFFFFFEh
		dd offset loc_9A3491
		dd offset loc_9A349F
dword_6A8C48	dd 0FFFFFFFEh, 0	; DATA XREF: NtSignalAndWaitForSingleObject(x,x,x,x)+2o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset loc_647999
		dd offset loc_6479A7
		dd 0FFFFFFFEh
		dd offset loc_647A85
		dd offset loc_647AA4
		dd 0FFFFFFFEh
		dd offset loc_647B2C
		dd offset loc_647B42
		dd 0FFFFFFFEh
		dd offset loc_647B0B
		dd offset loc_647B21
dword_6A8C88	dd 0FFFFFFE4h, 0	; DATA XREF: NtWaitForMultipleObjects32(x,x,x,x,x)+5o
		dd 0FFFFFEBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9A3A01
		dd offset loc_9A3A12
		align 8
dword_6A8CA8	dd 0FFFFFFFEh, 0	; DATA XREF: ObGetObjectInformation(x,x,x,x)+2o
		dd 0FFFFFF78h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_9A3FE5
		align 8
dword_6A8CC8	dd 0FFFFFFFEh, 0	; DATA XREF: ObQueryTypeName(x,x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9A42D6
		dd offset loc_9A42E4
		dd 0FFFFFFFEh
		dd offset loc_9A42C4
		dd offset loc_9A42C8
dword_6A8CF0	dd 0FFFFFFFEh, 0	; DATA XREF: ObQueryRefTraceInformation(x,x,x)+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_9A45FB
		dd offset loc_9A4609
		dd 0FFFFFFFEh
		dd offset loc_9A441D
		dd offset loc_9A442B
		dd 0FFFFFFFEh
		dd offset loc_9A4572
		dd offset loc_9A4580
		dd 0FFFFFFFEh
		dd offset loc_9A45DC
		dd offset loc_9A45EA
dword_6A8D30	dd 0FFFFFFFEh, 0	; DATA XREF: ObSetRefTraceInformation(x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9A46BC
		dd offset loc_9A46CA
		align 10h
dword_6A8D50	dd 0FFFFFFE4h, 0	; DATA XREF: ObpStartRuntimeStackTrace(x)+5o
		dd 0FFFFFF40h, 0
		dd 0FFFFFFFEh
		dd offset loc_9A5345
		dd offset loc_9A5356
		dd 0FFFFFFFEh
		dd offset loc_9A5138
		dd offset loc_9A5149
		dd 0FFFFFFFEh
		dd offset loc_9A51FC
		dd offset loc_9A520D
		align 8
dword_6A8D88	dd 0FFFFFFE4h, 0	; DATA XREF: PfpQueryFileExtentsRequest(x,x,x)+5o
		dd 0FFFFFF0Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_9A5DF2
		dd offset loc_9A5E03
		dd 0FFFFFFFEh
		dd offset loc_9A5DCF
		dd offset loc_9A5DE0
		dd 0FFFFFFFEh
		dd offset loc_9A5D91
		dd offset loc_9A5D9F
		align 10h
dword_6A8DC0	dd 0FFFFFFFEh, 0	; DATA XREF: PoGetRequesterOld(x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_596856
		dd offset loc_59685A
		align 10h
dword_6A8DE0	dd 0FFFFFFFEh, 0	; DATA XREF: PopReadPagesFromHiberFile(x,x,x)+2o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh
		dd offset loc_9AC3D7
		dd offset loc_9AC3E5
		align 10h
dword_6A8E00	dd 0FFFFFFFEh, 0	; DATA XREF: NtGetDevicePowerState(x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9B577F
		dd offset loc_9B578D
		dd 0FFFFFFFEh
		dd offset loc_9B579C
		dd offset loc_9B57AA
dword_6A8E28	dd 0FFFFFFFEh, 0	; DATA XREF: PopBootStatCheckIntegrity(x)+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9B73F2
		dd offset loc_9B7400
		dd 0FFFFFFFEh
		dd offset loc_9B747F
		dd offset loc_9B748D
dword_6A8E50	dd 0FFFFFFFEh, 0	; DATA XREF: PopResolveWatchdogParam(x,x)+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset loc_658376
		dd offset loc_65837A
		align 10h
dword_6A8E70	dd 0FFFFFFFEh, 0	; DATA XREF: PsRootSiloInformation(x,x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9C7C6F
		dd offset loc_9C7C7D
		dd 0FFFFFFFEh
		dd offset loc_9C7C9C
		dd offset loc_9C7CAA
dword_6A8E98	dd 0FFFFFFE4h, 0	; DATA XREF: NtCreateThread(x,x,x,x,x,x,x,x)+5o
		dd 0FFFFFCC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9C8D23
		dd offset loc_9C8D36
		align 8
dword_6A8EB8	dd 0FFFFFFFEh, 0	; DATA XREF: PsSetCpuQuotaInformation(x,x,x)+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset loc_65E9A6
		dd offset loc_65E9B4
		dd 0FFFFFFFEh
		dd offset loc_65EA69
		dd offset loc_65EA7D
dword_6A8EE0	dd 0FFFFFFE4h, 0	; DATA XREF: PsQueryProcessExceptionFlags(x,x,x)+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset loc_9C8F31
		dd offset loc_9C8F3F
		align 10h
dword_6A8F00	dd 0FFFFFFFEh, 0	; DATA XREF: PspQueryLastCallThread(x,x,x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9C953A
		dd offset loc_9C9548
		align 10h
dword_6A8F20	dd 0FFFFFFFEh, 0	; DATA XREF: NtGetCurrentProcessorNumberEx(x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9C91F2
		dd offset loc_9C9200
		dd 0FFFFFFFEh
		dd offset loc_9C920F
		dd offset loc_9C921F
dword_6A8F48	dd 0FFFFFFFEh, 0	; DATA XREF: PspQueryPooledQuotaLimits(x,x,x,x,x)+2o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9C9688
		dd offset loc_9C9696
		align 8
dword_6A8F68	dd 0FFFFFFFEh, 0	; DATA XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9C97F5
		dd offset loc_9C9803
		dd 0FFFFFFFEh
		dd offset loc_9C98A0
		dd offset loc_9C98AE
dword_6A8F90	dd 0FFFFFFE4h, 0	; DATA XREF: PspTrySetProcessPebThrottlingFlags(x,x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9C9A1B
		dd offset loc_9C9A1F
		align 10h
dword_6A8FB0	dd 0FFFFFFE4h, 0	; DATA XREF: PspSetNetRateControl(x,x,x)+2o
		dd 0FFFFFF70h, 0
		dd 0FFFFFFFEh
		dd offset loc_9CA94A
		dd offset loc_9CA958
		align 10h
dword_6A8FD0	dd 0FFFFFFFEh, 0	; DATA XREF: PspQueryJobHierarchyInterferenceCount(x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9CA1E5
		dd offset loc_9CA1F5
		align 10h
dword_6A8FF0	dd 0FFFFFFFEh, 0	; DATA XREF: NtAlertResumeThread(x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9CC0DE
		dd offset loc_9CC0EC
		dd 0FFFFFFFEh
		dd offset loc_9CC0BF
		dd offset loc_9CC0CF
dword_6A9018	dd 0FFFFFFFEh, 0	; DATA XREF: Psp386CreateVdmIoListHead(x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9CC495
		dd offset loc_9CC4A3
		align 8
dword_6A9038	dd 0FFFFFFFEh, 0	; DATA XREF: Psp386InstallIoHandler(x,x,x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9CC62D
		dd offset loc_9CC63B
		align 8
dword_6A9058	dd 0FFFFFFFEh, 0	; DATA XREF: PsSetProcessLdtInfo(x,x)+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_9CCCC1
		dd offset loc_9CCCCF
		align 8
dword_6A9078	dd 0FFFFFFFEh, 0	; DATA XREF: PspQueryLdtInformation(x,x,x,x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9CD3AE
		dd offset loc_9CD3BC
		dd 0FFFFFFFEh
		dd offset loc_9CD325
		dd offset loc_9CD333
		dd 0FFFFFFFEh
		dd offset loc_9CD383
		dd offset loc_9CD391
		dd 0FFFFFFFEh
		dd offset loc_9CD370
		dd offset loc_9CD37E
dword_6A90B8	dd 0FFFFFFFEh, 0	; DATA XREF: PspSetLdtInformation(x,x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9CD70D
		dd offset loc_9CD71B
		align 8
dword_6A90D8	dd 0FFFFFFFEh, 0	; DATA XREF: PspSetLdtSize(x,x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9CD866
		dd offset loc_9CD874
		align 8
dword_6A90F8	dd 0FFFFFFFEh, 0	; DATA XREF: PspQueryDescriptorThread(x,x,x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9CD22F
		dd offset loc_9CD23D
		dd 0FFFFFFFEh
		dd offset loc_9CD16E
		dd offset loc_9CD17C
		dd 0FFFFFFFEh
		dd offset loc_9CD203
		dd offset loc_9CD211
		align 10h
dword_6A9130	dd 0FFFFFFFEh, 0	; DATA XREF: RtlOemStringToCountedUnicodeString(x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_9CE54C
		align 10h
dword_6A9150	dd 0FFFFFFFEh, 0	; DATA XREF: RtlUpcaseUnicodeStringToAnsiString(x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_9CE6C0
		align 10h
dword_6A9170	dd 0FFFFFFE4h, 0	; DATA XREF: RtlLoadString(x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset loc_9CFD5C
		dd offset loc_9CFD6A
		dd 0FFFFFFFEh
		dd offset loc_9CFE08
		dd offset loc_9CFE16
dword_6A9198	dd 0FFFFFFFEh, 0	; DATA XREF: RtlEmptyAtomTable(x,x)+D0o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9D138E
		dd offset loc_9D139C
		align 8
dword_6A91B8	dd 0FFFFFFFEh, 0	; DATA XREF: RtlpHpFreeWithExceptionProtection(x,x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset dword_660D84
		dd offset dword_660D84+3Ah
		align 8
dword_6A91D8	dd 0FFFFFFFEh, 0	; DATA XREF: RtlpHpAllocWithExceptionProtection(x,x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset byte_660D0D
		dd offset dword_660D24+23h
		align 8
dword_6A91F8	dd 0FFFFFFE4h, 0	; DATA XREF: RtlLargeIntegerToUnicode(x,x,x,x)+5o
		dd 0FFFFFF4Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_9D2AB7
		dd offset loc_9D2AC8
		align 8
dword_6A9218	dd 0FFFFFFFEh, 0	; DATA XREF: RtlpFreeHeap(x,x,x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_662F00
		align 8
dword_6A9238	dd 0FFFFFFFEh, 0	; DATA XREF: RtlpAllocateHeap(x,x,x,x,x,x)+2o
		dd 0FFFFFF6Ch, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_66260F
		align 8
dword_6A9258	dd 0FFFFFFFEh, 0	; DATA XREF: RtlZeroHeap(x,x)+2o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_9D34BF
		align 8
		dd offset loc_9D347A
		dd offset loc_9D348A
dword_6A9280	dd 0FFFFFFFEh, 0	; DATA XREF: RtlpProbeUserBufferSafe(x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_663006
		dd offset loc_663013
		align 10h
dword_6A92A0	dd 0FFFFFFE4h, 0	; DATA XREF: RtlOsDeploymentState(x)+2o
		dd 0FFFFFF8Ch, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_9D66B2
		align 10h
dword_6A92C0	dd 0FFFFFFFEh, 0	; DATA XREF: RtlpHpHeapHandleError(x,x,x)+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset loc_669D5F
		dd offset loc_669D6C
		align 10h
dword_6A92E0	dd 0FFFFFFFEh, 0	; DATA XREF: RtlpAnalyzeHeapFailure(x,x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_669C00
		dd offset loc_669C0D
		align 10h
dword_6A9300	dd 0FFFFFFFEh, 0	; DATA XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9D8156
		dd offset loc_9D8166
		dd 0FFFFFFFEh
		dd offset sub_9D81FA
		dd offset sub_9D820A
dword_6A9328	dd 0FFFFFFFEh, 0	; DATA XREF: SeCodeIntegritySetInformationProcess(x,x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9D829B
		dd offset loc_9D82AB
		align 8
dword_6A9348	dd 0FFFFFFFEh, 0	; DATA XREF: SeSecurityModelQueryInformation(x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9D913C
		dd offset loc_9D9142
		align 8
dword_6A9368	dd 0FFFFFFFEh, 0	; DATA XREF: SepGetLearningModeObjectInformation(x)+2o
		dd 0FFFFFF9Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_66F653
		dd offset loc_66F657
		dd 0FFFFFFFEh
		dd offset loc_66F5ED
		dd offset loc_66F5F1
dword_6A9390	dd 0FFFFFFFEh, 0	; DATA XREF: SepCaptureOctetStringArray(x,x,x,x)+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_9DCF98
		dd offset loc_9DCFA6
		dd 0FFFFFFFEh
		dd offset loc_9DCF6E
		dd offset loc_9DCF7C
dword_6A93B8	dd 0FFFFFFFEh, 0	; DATA XREF: SepCaptureFqbnArray(x,x,x,x)+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9DCDB7
		dd offset loc_9DCDC5
		dd 0FFFFFFFEh
		dd offset loc_9DCD7D
		dd offset loc_9DCD8B
dword_6A93E0	dd 0FFFFFFFEh, 0	; DATA XREF: SepCaptureAuditPolicy(x,x,x,x,x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9DCB3C
		dd offset loc_9DCB4A
		dd 0FFFFFFFEh
		dd offset loc_9DCB73
		dd offset loc_9DCB81
dword_6A9408	dd 0FFFFFFFEh, 0	; DATA XREF: NtDeleteObjectAuditAlarm(x,x,x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9DD205
		dd offset loc_9DD213
		align 8
dword_6A9428	dd 0FFFFFFFEh, 0	; DATA XREF: NtFilterBootOption(x,x,x,x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9DF285
		dd offset loc_9DF293
		align 8
dword_6A9448	dd 0FFFFFFFEh, 0	; DATA XREF: SeQueryTrustedPlatformModuleInformation(x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_66FC9E
		dd offset loc_66FCAE
		dd 0FFFFFFFEh
		dd offset loc_66FCE5
		dd offset loc_66FCF5
dword_6A9470	dd 0FFFFFFFEh, 0	; DATA XREF: SMKM_STORE<SM_TRAITS>::SmStUnhandledExceptionFilter(void *,_EXCEPTION_POINTERS *,SMKM_STORE<SM_TRAITS>::_SMST_STORE_EXCEPTION_SOURCE)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_671313
		dd offset loc_671317
		align 10h
dword_6A9490	dd 0FFFFFFFEh, 0	; DATA XREF: SmcProcessResizeRequest(x,x,x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E5584
		dd offset loc_9E5592
		dd 0FFFFFFFEh
		dd offset loc_9E556A
		dd offset loc_9E5578
dword_6A94B8	dd 0FFFFFFFEh, 0	; DATA XREF: SmcProcessStoreDeleteRequest(x,x,x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E589C
		dd offset loc_9E58AA
		align 8
dword_6A94D8	dd 0FFFFFFFEh, 0	; DATA XREF: SmcProcessStoreCreateRequest(x,x,x,x)+2o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E57CB
		dd offset loc_9E57D9
		dd 0FFFFFFFEh
		dd offset loc_9E57B1
		dd offset loc_9E57BF
dword_6A9500	dd 0FFFFFFE4h, 0	; DATA XREF: SmcProcessStatsRequest(x,x,x,x,x)+5o
		dd 0FFFFFB54h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E56A6
		dd offset loc_9E56B7
		dd 0FFFFFFFEh
		dd offset loc_9E568D
		dd offset loc_9E569E
dword_6A9528	dd 0FFFFFFFEh, 0	; DATA XREF: SmcProcessDeleteRequest(x,x,x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E548A
		dd offset loc_9E5498
		align 8
dword_6A9548	dd 0FFFFFFE4h, 0	; DATA XREF: SmcProcessCreateRequest(x,x,x,x)+5o
		dd 0FFFFFB88h, 0
		dd 0FFFFFFFEh
		dd offset sub_9E53DD
		dd offset sub_9E53EE
		dd 0FFFFFFFEh
		dd offset loc_9E5344
		dd offset loc_9E5355
dword_6A9570	dd 0FFFFFFFEh, 0	; DATA XREF: SmProcessSystemStoreTrimRequest(x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9E4E7F
		dd offset loc_9E4E8D
		align 10h
dword_6A9590	dd 0FFFFFFFEh, 0	; DATA XREF: SmProcessListRequest(x,x,x,x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E48C0
		dd offset loc_9E48CE
		dd 0FFFFFFFEh
		dd offset loc_9E48A6
		dd offset loc_9E48B4
dword_6A95B8	dd 0FFFFFFFEh, 0	; DATA XREF: SmProcessDeleteRequest(x,x,x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E474D
		dd offset loc_9E475B
		align 8
dword_6A95D8	dd 0FFFFFFFEh, 0	; DATA XREF: SmProcessStatsRequest(x,x,x,x,x)+19o
		dd 0FFFFFF88h, 0
		dd 0FFFFFFFEh
		dd offset sub_9E4D98
		dd offset sub_9E4DA9
		dd 0FFFFFFFEh
		dd offset loc_9E4D59
		dd offset loc_9E4D6A
dword_6A9600	dd 0FFFFFFFEh, 0	; DATA XREF: SmPrepareForFatalPageError(x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset loc_67608D
		dd offset loc_67609B
		align 10h
dword_6A9620	dd 0FFFFFFFEh, 0	; DATA XREF: VdmpQueryVdmProcess(x)+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E885D
		dd offset loc_9E886B
		dd 0FFFFFFFEh
		dd offset loc_9E88F2
		dd offset loc_9E8900
dword_6A9648	dd 0FFFFFFFEh, 0	; DATA XREF: VdmCheckPMCliTimeStamp()+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_6763C4
		dd offset loc_6763D2
		align 8
dword_6A9668	dd 0FFFFFFFEh, 0	; DATA XREF: NtVdmControl(x,x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9E87DD
		dd offset loc_9E87EB
		align 8
dword_6A9688	dd 0FFFFFFFEh, 0	; DATA XREF: VdmpGetVdmTib(x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9E8996
		dd offset loc_9E89A4
		align 8
dword_6A96A8	dd 0FFFFFFE4h, 0	; DATA XREF: VdmpStartExecution()+5o
		dd 0FFFFFCF8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E8E89
		dd offset loc_9E8E9A
		align 8
dword_6A96C8	dd 0FFFFFFE4h, 0	; DATA XREF: VdmEndExecution(x,x)+5o
		dd 0FFFFFD00h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E8A94
		dd offset loc_9E8A98
		align 8
dword_6A96E8	dd 0FFFFFFFEh, 0	; DATA XREF: VdmDispatchPageFault(x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E8F36
		dd offset loc_9E8F44
		align 8
dword_6A9708	dd 0FFFFFFFEh, 0	; DATA XREF: VdmDispatchBop(x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E905C
		dd offset loc_9E9060
		align 8
dword_6A9728	dd 0FFFFFFFEh, 0	; DATA XREF: VdmTibPass1(x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E926F
		dd offset loc_9E9273
		align 8
dword_6A9748	dd 0FFFFFFFEh, 0	; DATA XREF: VdmDispatchOpcode_try(x)+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset loc_67647C
		dd offset loc_676480
		align 8
dword_6A9768	dd 0FFFFFFFEh, 0	; DATA XREF: VdmDispatchOpcodeV86_try(x)+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E90B6
		dd offset loc_9E90BA
		align 8
dword_6A9788	dd 0FFFFFFFEh, 0	; DATA XREF: VdmFetchBop1(x)+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E9107
		dd offset loc_9E910B
		align 8
dword_6A97A8	dd 0FFFFFFFEh, 0	; DATA XREF: VdmFetchULONG(x)+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E91FB
		dd offset loc_9E91FF
		align 8
dword_6A97C8	dd 0FFFFFFFEh, 0	; DATA XREF: VdmFetchBop4(x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9E915F
		dd offset loc_9E9163
		dd 0FFFFFFFEh
		dd offset loc_9E91AA
		dd offset loc_9E91AE
dword_6A97F0	dd 0FFFFFFE4h, 0	; DATA XREF: VdmDispatchIRQ13(x)+2o
		dd 0FFFFFF78h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E92E1
		dd offset loc_9E92EF
		dd 0FFFFFFFEh
		dd offset loc_9E932C
		dd offset loc_9E9330
dword_6A9818	dd 0FFFFFFFEh, 0	; DATA XREF: NTFastDOSIO(x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E95FB
		dd offset loc_9E95FF
		dd 0FFFFFFFEh
		dd offset loc_9E95F5
		dd offset loc_9E95F9
		dd 0FFFFFFFEh
		dd offset loc_9E94CE
		dd offset loc_9E94D2
		dd 0FFFFFFFEh
		dd offset loc_9E94C8
		dd offset loc_9E94CC
		dd 0FFFFFFFEh
		dd offset loc_9E9525
		dd offset loc_9E9529
		dd 0FFFFFFFEh
		dd offset loc_9E958D
		dd offset loc_9E9591
		dd 0FFFFFFFEh
		dd offset loc_9E95C9
		dd offset loc_9E95CD
		align 10h
dword_6A9880	dd 0FFFFFFFEh, 0	; DATA XREF: VdmpFlushPrinterWriteData(x)+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E99E8
		dd offset loc_9E99F6
		dd 0FFFFFFFEh
		dd offset loc_9E9A5D
		dd offset loc_9E9A6B
dword_6A98A8	dd 0FFFFFFFEh, 0	; DATA XREF: VdmPrinterWriteData(x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9E9934
		dd offset loc_9E9942
		align 8
dword_6A98C8	dd 0FFFFFFFEh, 0	; DATA XREF: VdmPrinterStatus(x,x,x)+2o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh
		dd offset loc_9E97C0
		dd offset loc_9E97CE
		dd 0FFFFFFFEh
		dd offset loc_9E983F
		dd offset loc_9E984D
dword_6A98F0	dd 0FFFFFFFEh, 0	; DATA XREF: VdmpPrinterInitialize(x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9E9C20
		dd offset loc_9E9C2E
		align 10h
dword_6A9910	dd 0FFFFFFFEh, 0	; DATA XREF: VdmpPrinterDirectIoClose(x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9E9B70
		dd offset loc_9E9B7E
		dd 0FFFFFFFEh
		dd offset loc_9E9B3C
		dd offset loc_9E9B4A
dword_6A9938	dd 0FFFFFFFEh, 0	; DATA XREF: VdmpDispatchableIntPending(x)+2o
		dd 0FFFFFFD8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9EA468
		dd offset loc_9EA46C
		align 8
dword_6A9958	dd 0FFFFFFFEh, 0	; DATA XREF: VdmpDelayIntApcRoutine(x,x,x,x,x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_676679
		dd offset loc_67667F
		align 8
dword_6A9978	dd 0FFFFFFFEh, 0	; DATA XREF: PushPmInterrupt(x,x,x,x)+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_9EA015
		dd offset loc_9EA023
		dd 0FFFFFFFEh
		dd offset loc_9E9FF1
		dd offset loc_9E9FFF
		dd 0FFFFFFFEh
		dd offset loc_9E9FDE
		dd offset loc_9E9FEC
		align 10h
dword_6A99B0	dd 0FFFFFFFEh, 0	; DATA XREF: PushRmInterrupt(x,x,x,x)+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9EA1A3
		dd offset loc_9EA1A7
		align 10h
dword_6A99D0	dd 0FFFFFFFEh, 0	; DATA XREF: VdmpIcaAccept(x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9EA59B
		dd offset loc_9EA59F
		align 10h
dword_6A99F0	dd 0FFFFFFFEh, 0	; DATA XREF: VdmpRestartDelayedInterrupts(x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9EA7E0
		dd offset loc_9EA7E4
		align 10h
dword_6A9A10	dd 0FFFFFFFEh, 0	; DATA XREF: VdmpQueueIntNormalRoutine(x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9EA749
		dd offset loc_9EA74D
		align 10h
dword_6A9A30	dd 0FFFFFFFEh, 0	; DATA XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_676EE0
		dd offset loc_676EE6
		dd 0
		dd offset loc_676DCC
		dd offset loc_676DD0
dword_6A9A58	dd 0FFFFFFFEh, 0	; DATA XREF: VdmDispatchInterrupts(x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9EA3DA
		dd offset loc_9EA3E8
		align 8
dword_6A9A78	dd 0FFFFFFFEh, 0	; DATA XREF: VdmpDelayInterrupt(x)+2o
		dd 0FFFFFF70h, 0
		dd 0FFFFFFFEh
		dd offset loc_676C4F
		dd offset loc_676C5D
		dd 0FFFFFFFEh
		dd offset loc_676C27
		dd offset loc_676C35
		dd 0FFFFFFFEh
		dd offset loc_676A7F
		dd offset loc_676A8D
		dd 0FFFFFFFEh
		dd offset loc_676BDB
		dd offset loc_676BE9
dword_6A9AB8	dd 0FFFFFFFEh, 0	; DATA XREF: VdmpInitialize(x)+2o
		dd 0FFFFFF80h, 0
		dd 0FFFFFFFEh
		dd offset loc_9EA92C
		dd offset loc_9EA93A
		dd 0FFFFFFFEh
		dd offset loc_9EA9CD
		dd offset loc_9EA9DB
		dd 0FFFFFFFEh
		dd offset loc_9EAC8F
		dd offset loc_9EAC9D
		align 10h
dword_6A9AF0	dd 0FFFFFFFEh, 0	; DATA XREF: VfProbeAndCaptureUnicodeString(x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A59B7D
		dd offset loc_A59B8B
		align 10h
dword_6A9B10	dd 0FFFFFFFEh, 0	; DATA XREF: VfProbeAndCaptureUnicodeStringBuffer(x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_A59C6A
		dd offset loc_A59C78
		dd 0FFFFFFFEh
		dd offset loc_A59C43
		dd offset loc_A59C51
dword_6A9B38	dd 0FFFFFFFEh, 0	; DATA XREF: ViXdvBindXdvDriverEntryWrappers(x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A5BBFB
		dd offset loc_A5BBFF
		align 8
dword_6A9B58	dd 0FFFFFFFEh, 0	; DATA XREF: ViXdvBindXdvDDIWrappers(x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A5BB03
		dd offset loc_A5BB07
		align 8
dword_6A9B78	dd 0FFFFFFFEh, 0	; DATA XREF: VfSetVerifierInformationEx(x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A71C70
		dd offset loc_A71C7E
		align 8
dword_6A9B98	dd 0FFFFFFFEh, 0	; DATA XREF: VfGetVerifierInformationEx(x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A71A4C
		dd offset loc_A71A5A
		align 8
dword_6A9BB8	dd 0FFFFFFFEh, 0	; DATA XREF: VfGetVerifierInformation(x,x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_A719C8
		dd offset loc_A719D6
		align 8
dword_6A9BD8	dd 0FFFFFFFEh, 0	; DATA XREF: VfSetVerifierInformation(x,x,x)+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A71B82
		dd offset loc_A71B90
		dd 0FFFFFFFEh
		dd offset loc_A71B49
		dd offset loc_A71B57
dword_6A9C00	dd 0FFFFFFFEh, 0	; DATA XREF: VmProbeAndLockPages(x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_678D9D
		dd offset loc_678DAB
		align 10h
dword_6A9C20	dd 0FFFFFFFEh, 0	; DATA XREF: WmipGetSysIds(x,x,x,x)+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9ED87C
		dd offset loc_9ED880
		align 10h
dword_6A9C40	dd 0FFFFFFFEh, 0	; DATA XREF: WmipFindSysIdTable(x,x,x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9ED4D2
		dd offset loc_9ED4D6
		align 10h
dword_6A9C60	dd 0FFFFFFFEh, 0	; DATA XREF: WmipFindSMBiosStructure(x,x,x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9ED3C3
		dd offset loc_9ED3C7
		align 10h
dword_6A9C80	dd 0FFFFFFE4h, 0	; DATA XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+5o
		dd 0FFFFFD0Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_9EEAAD
		dd offset loc_9EEABE
		align 10h
dword_6A9CA0	dd 0FFFFFFFEh, 0	; DATA XREF: EtwTraceRaw(x,x,x,x,x)+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_67B811
		dd offset loc_67B81F
		dd 0FFFFFFFEh
		dd offset loc_67B861
		dd offset loc_67B86F
dword_6A9CC8	dd 0FFFFFFE4h, 0	; DATA XREF: EtwTraceEvent(x,x,x,x,x,x)+5o
		dd 0FFFFFE78h, 0
		dd 0FFFFFFFEh
		dd offset loc_67B68B
		dd offset loc_67B69C
		dd 0FFFFFFFEh
		dd offset loc_67B5CE
		dd offset loc_67B5DF
dword_6A9CF0	dd 0FFFFFFE4h, 0	; DATA XREF: EtwpUpdateProcessTracingCallback(x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9F00E8
		dd offset loc_9F00EC
		align 10h
dword_6A9D10	dd 0FFFFFFE4h, 0	; DATA XREF: EtwpUMGLEnabled(x,x)+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9EFF37
		dd offset loc_9EFF3B
		align 10h
dword_6A9D30	dd 0FFFFFFFEh, 0	; DATA XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9F0714
		dd offset loc_9F0724
		align 10h
dword_6A9D50	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpUpdateStackTracing(x,x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_9F0FB3
		dd offset loc_9F0FC1
		align 10h
dword_6A9D70	dd 0FFFFFFE4h, 0	; DATA XREF: EtwpSetMark(x,x,x,x,x)+2o
		dd 0FFFFFF9Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_9F2889
		dd offset loc_9F2897
		align 10h
dword_6A9D90	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpUpdatePmcCounters(x,x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_9F6219
		dd offset loc_9F6227
		align 10h
dword_6A9DB0	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpUpdatePmcEvents(x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_9F62DF
		dd offset loc_9F62ED
		align 10h
dword_6A9DD0	dd 0FFFFFFE4h, 0	; DATA XREF: EtwSetPerformanceTraceInformation(x,x,x)+5o
		dd 0FFFFFEFCh, 0
		dd 0FFFFFFFEh
		dd offset sub_9F45BC
		dd offset sub_9F45CD
		dd 0FFFFFFFEh
		dd offset loc_9F3B17
		dd offset loc_9F3B28
		dd 0FFFFFFFEh
		dd offset loc_9F3B92
		dd offset loc_9F3BA3
		dd 0FFFFFFFEh
		dd offset loc_9F3C9D
		dd offset loc_9F3CAE
		dd 0FFFFFFFEh
		dd offset loc_9F3DA0
		dd offset loc_9F3DB1
		dd 0FFFFFFFEh
		dd offset loc_9F3E2C
		dd offset loc_9F3E3D
		dd 0FFFFFFFEh
		dd offset loc_9F3F54
		dd offset loc_9F3F65
		dd 0FFFFFFFEh
		dd offset loc_9F4076
		dd offset loc_9F4087
		dd 0FFFFFFFEh
		dd offset loc_9F4106
		dd offset loc_9F4117
		dd 0FFFFFFFEh
		dd offset loc_9F4208
		dd offset loc_9F4219
		dd 0FFFFFFFEh
		dd offset loc_9F42B2
		dd offset loc_9F42C3
		dd 0FFFFFFFEh
		dd offset loc_9F43C4
		dd offset loc_9F43D5
		dd 0FFFFFFFEh
		dd offset loc_9F44A6
		dd offset loc_9F44B7
		dd 0FFFFFFFEh
		dd offset loc_9F4579
		dd offset loc_9F458A
dword_6A9E88	dd 0FFFFFFFEh, 0	; DATA XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+5o
		dd 0FFFFFF60h, 0
		dd 0FFFFFFFEh
		dd offset loc_9F3991
		dd offset loc_9F399F
		dd 0FFFFFFFEh
		dd offset loc_9F32CF
		dd offset loc_9F32DD
		dd 0FFFFFFFEh
		dd offset loc_9F33A5
		dd offset loc_9F33B3
		dd 0FFFFFFFEh
		dd offset loc_9F3382
		dd offset loc_9F3390
		dd 0FFFFFFFEh
		dd offset loc_9F3417
		dd offset loc_9F3425
		dd 0FFFFFFFEh
		dd offset loc_9F3451
		dd offset loc_9F345F
		dd 0FFFFFFFEh
		dd offset loc_9F3511
		dd offset loc_9F351F
		dd 0FFFFFFFEh
		dd offset loc_9F3570
		dd offset loc_9F357E
		dd 0FFFFFFFEh
		dd offset loc_9F35BA
		dd offset loc_9F35C8
		dd 0FFFFFFFEh
		dd offset loc_9F36E0
		dd offset loc_9F36EE
		dd 0FFFFFFFEh
		dd offset loc_9F36B2
		dd offset loc_9F36C0
		dd 0FFFFFFFEh
		dd offset loc_9F381B
		dd offset loc_9F3829
		dd 0FFFFFFFEh
		dd offset loc_9F37F4
		dd offset loc_9F3802
		dd 0FFFFFFFEh
		dd offset loc_9F38B5
		dd offset loc_9F38C3
dword_6A9F40	dd 0FFFFFFE4h, 0	; DATA XREF: EtwpTraceLostEvent(x,x,x,x)+2o
		dd 0FFFFFF7Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_67EFEE
		dd offset loc_67EFF2
		align 10h
dword_6A9F60	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpCaptureRegistryData(x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9F6499
		dd offset loc_9F649D
		align 10h
dword_6A9F80	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpFreeUserBufferSpace(x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9FBA00
		dd offset loc_9FBA04
		align 10h
dword_6A9FA0	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpFindDebugId(x,x,x,x,x)+2o
		dd 0FFFFFF9Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_738F1A
		dd offset loc_738F1E
		align 10h
dword_6A9FC0	dd 0FFFFFFE4h, 0	; DATA XREF: EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset loc_6819BA
		dd offset loc_6819BE
		dd 0FFFFFFFEh
		dd offset loc_681B7D
		dd offset loc_681B81
dword_6A9FE8	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpApplyStackWalkFilterOnUserEvent(x,x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_9FC84E
		dd offset loc_9FC852
		align 8
dword_6AA008	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpCovSampContextAddSamples(x,x,x)+2o
		dd 0FFFFFF94h, 0
		dd 0FFFFFFFEh
		dd offset loc_9FDDEC
		dd offset loc_9FDDF0
		align 8
dword_6AA028	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+2o
		dd 0FFFFFF68h, 0
		dd 0FFFFFFFEh
		dd offset loc_9FEBCF
		dd offset loc_9FEBDD
		align 8
dword_6AA048	dd 0FFFFFFE4h, 0	; DATA XREF: EtwpCoverageSamplerQuery(x,x,x,x)+5o
		dd 0FFFFFF28h, 0
		dd 0FFFFFFFEh
		dd offset loc_A00E04
		dd offset loc_A00E15
		dd 0FFFFFFFEh
		dd offset loc_A00DEB
		dd offset loc_A00DFC
dword_6AA070	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpCoverageSamplerQueryStatusInformation(x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A00F33
		dd offset loc_A00F41
		align 10h
dword_6AA090	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpQueryCoverageSamplerInformation(x,x,x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A016D2
		dd offset loc_A016E0
		align 10h
dword_6AA0B0	dd 0FFFFFFE4h, 0	; DATA XREF: EtwpSetCoverageSamplerInformation(x,x,x)+5o
		dd 0FFFFFCE4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A01C62
		dd offset loc_A01C73
		dd 0FFFFFFFEh
		dd offset loc_A01C49
		dd offset loc_A01C5A
		dd 0FFFFFFFEh
		dd offset loc_A01C30
		dd offset loc_A01C41
		dd 0FFFFFFFEh
		dd offset loc_A01831
		dd offset loc_A01842
dword_6AA0F0	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpUpdateLastBranchTracingEvents(x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A01ECD
		dd offset loc_A01EDB
		align 10h
dword_6AA110	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpUpdateProcessorTraceEvents(x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A020BF
		dd offset loc_A020CD
		align 10h
dword_6AA130	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpGetSoftRestartInformation(x,x,x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_A022BE
		dd offset loc_A022CC
		dd 0FFFFFFFEh
		dd offset loc_A022A1
		dd offset loc_A022AF
dword_6AA158	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpSetSoftRestartInformation(x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A02F19
		dd offset loc_A02F27
		align 8
dword_6AA178	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpApplyPredicate+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset loc_684943
		dd offset loc_684949
		dd 0FFFFFFFEh
		dd offset loc_6848CA
		dd offset loc_6848D0
		dd 0FFFFFFFEh
		dd offset loc_684A37
		dd offset loc_684A3D
		dd 0FFFFFFFEh
		dd offset loc_6849D1
		dd offset loc_6849D7
		dd 0FFFFFFFEh
		dd offset loc_68481B
		dd offset loc_684821
		align 8
dword_6AA1C8	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpGetSignedFieldValue+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_684DCF
		dd offset loc_684DD5
		align 8
dword_6AA1E8	dd 0FFFFFFFEh, 0	; DATA XREF: EtwpGetFieldValue+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_684D57
		dd offset loc_684D5D
		align 8
dword_6AA208	dd 0FFFFFFE4h, 0	; DATA XREF: EtwpApplyPayloadFilterInternal(x,x,x,x,x,x,x)+2o
		dd 0FFFFFF78h, 0
		dd 0FFFFFFFEh
		dd offset loc_684746
		dd offset loc_68474C
		dd 0FFFFFFFEh
		dd offset loc_68420C
		dd offset loc_684212
		dd 0FFFFFFFEh
		dd offset loc_68457F
		dd offset loc_684585
		dd 0FFFFFFFEh
		dd offset loc_6845DA
		dd offset loc_6845E0
dword_6AA248	dd 0FFFFFFFEh, 0	; DATA XREF: ExpQueryElamCertInfo(x)+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset loc_A04295
		dd offset loc_A0429B
		align 8
dword_6AA268	dd 0FFFFFFFEh, 0	; DATA XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A047F2
		dd offset loc_A04802
		align 8
dword_6AA288	dd 0FFFFFFFEh, 0	; DATA XREF: ExpSetProcessorMicrocodeUpdateInformation(x,x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A049C4
		dd offset loc_A049D2
		align 8
dword_6AA2A8	dd 0FFFFFFFEh, 0	; DATA XREF: ExpQueryLegacyDriverInformation(x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0439B
		dd offset loc_A043AB
		align 8
dword_6AA2C8	dd 0FFFFFFFEh, 0	; DATA XREF: ExpGetStackTraceInformation(x,x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_685195
		dd offset loc_6851A5
		align 8
dword_6AA2E8	dd 0FFFFFFFEh, 0	; DATA XREF: ExpGetInstemulInformation(x)+5o
		dd 0FFFFFF48h, 0
		dd 0FFFFFFFEh
		dd offset loc_A03CF9
		dd offset loc_A03D09
		align 8
dword_6AA308	dd 0FFFFFFE4h, 0	; DATA XREF: ExpSetTimeZoneInformation(x,x)+5o
		dd 0FFFFFC60h, 0
		dd 0FFFFFFFEh
		dd offset loc_A04AA4
		dd offset loc_A04AB5
		dd 0FFFFFFFEh
		dd offset loc_A04BA0
		dd offset loc_A04BB1
dword_6AA330	dd 0FFFFFFFEh, 0	; DATA XREF: ExpQueryChannelInformation(x,x,x)+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A03EDC
		dd offset loc_A03EEC
		dd 0FFFFFFFEh
		dd offset loc_A03EC7
		dd offset loc_A03ED7
dword_6AA358	dd 0FFFFFFFEh, 0	; DATA XREF: ExpGetDeviceDataInformation(x,x,x)+2o
		dd 0FFFFFF9Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_A03A79
		dd offset loc_A03A87
		dd 0FFFFFFFEh
		dd offset loc_A03A66
		dd offset loc_A03A74
dword_6AA380	dd 0FFFFFFFEh, 0	; DATA XREF: ExpSetTimeZoneInformation(x,x)+1C6o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A04C7F
		dd offset loc_A04C8D
		align 10h
dword_6AA3A0	dd 0FFFFFFFEh, 0	; DATA XREF: ExpGetSystemProcessorFeaturesInformation(x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A03E14
		dd offset loc_A03E24
		align 10h
dword_6AA3C0	dd 0FFFFFFFEh, 0	; DATA XREF: ExpQueryNumaAvailableMemory(x,x,x)+2o
		dd 0FFFFFFACh, 0
		dd 0FFFFFFFEh
		dd offset loc_A04553
		dd offset loc_A04563
		align 10h
dword_6AA3E0	dd 0FFFFFFFEh, 0	; DATA XREF: ExpQueryNumaProximityNode(x,x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A04639
		dd offset loc_A04649
		dd 0FFFFFFFEh
		dd offset loc_A04624
		dd offset loc_A04634
dword_6AA408	dd 0FFFFFFE4h, 0	; DATA XREF: NtSetSystemTime(x,x)+2o
		dd 0FFFFFF90h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0527B
		dd offset loc_A05289
		dd 0FFFFFFFEh
		dd offset loc_A05305
		dd offset loc_A05313
dword_6AA430	dd 0FFFFFFFEh, 0	; DATA XREF: NtDrawText(x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_685689
		dd offset loc_685697
		dd 0FFFFFFFEh
		dd offset loc_68565E
		dd offset loc_68566C
dword_6AA458	dd 0FFFFFFFEh, 0	; DATA XREF: NtDisplayString(x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0594C
		dd offset loc_A0595A
		dd 0FFFFFFFEh
		dd offset loc_A0592C
		dd offset loc_A0593A
dword_6AA480	dd 0FFFFFFFEh, 0	; DATA XREF: ExpUpdateDebugInfo(x,x,x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A05F25
		dd offset loc_A05F29
		align 10h
dword_6AA4A0	dd 0FFFFFFFEh, 0	; DATA XREF: SLGetSubscriptionPfn(x,x)+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_A06C20
		dd 0FFFFFFFEh, 0
		dd offset sub_A06CD6
dword_6AA4C8	dd 0FFFFFFFEh, 0	; DATA XREF: SLUpdateLicenseDataInternal(x,x,x)+5o
		dd 0FFFFFEECh, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_A07057
		dd 0FFFFFFFEh, 0
		dd offset sub_A074D7
dword_6AA4F0	dd 0FFFFFFFEh, 0	; DATA XREF: sub_A0692F+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_A069DC
		align 10h
dword_6AA510	dd 0FFFFFFFEh, 0	; DATA XREF: ExFetchLicenseData+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_A060A5
		align 10h
dword_6AA530	dd 0FFFFFFFEh, 0	; DATA XREF: ExGetBigPoolInfo(x,x,x,x)+19o
		dd 0FFFFFFA0h, 0
		dd 0FFFFFFFEh
		dd offset loc_6865C5
		dd offset loc_6865D6
		dd 0FFFFFFFEh
		dd offset loc_686712
		dd offset loc_686723
dword_6AA558	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryTimer(x,x,x,x,x)+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A07A24
		dd offset loc_A07A32
		dd 0FFFFFFFEh
		dd offset loc_A07AF6
		dd offset loc_A07AFA
dword_6AA580	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenTimer(x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_A07950
		dd offset loc_A0795E
		dd 0FFFFFFFEh
		dd offset loc_A0796D
		dd offset loc_A07971
dword_6AA5A8	dd 0FFFFFFE4h, 0	; DATA XREF: ExpSetDriverEntry(x,x,x)+2o
		dd 0FFFFFF80h, 0
		dd 0FFFFFFFEh
		dd offset loc_A09DF5
		dd offset loc_A09E05
		dd 0FFFFFFFEh
		dd offset loc_A09DD6
		dd offset loc_A09DE6
dword_6AA5D0	dd 0FFFFFFE4h, 0	; DATA XREF: ExpSetBootEntry(x,x,x)+2o
		dd 0FFFFFF70h, 0
		dd 0FFFFFFFEh
		dd offset loc_A09924
		dd offset loc_A09934
		dd 0FFFFFFFEh
		dd offset loc_A09905
		dd offset loc_A09915
dword_6AA5F8	dd 0FFFFFFFEh, 0	; DATA XREF: NtTranslateFilePath(x,x,x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0D02D
		dd offset loc_A0D03D
		dd 0FFFFFFFEh
		dd offset sub_A0CFFB
		dd offset sub_A0D00B
dword_6AA620	dd 0FFFFFFFEh, 0	; DATA XREF: NtSetDriverEntryOrder(x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_A0C8A5
		dd offset sub_A0C8B5
		align 10h
dword_6AA640	dd 0FFFFFFFEh, 0	; DATA XREF: NtEnumerateDriverEntries(x,x)+2o
		dd 0FFFFFF88h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0B7F2
		dd offset loc_A0B802
		dd 0FFFFFFFEh
		dd offset loc_A0B7D3
		dd offset loc_A0B7E3
dword_6AA668	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryDriverEntryOrder(x,x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_A0C0A1
		dd offset loc_A0C0B1
		dd 0FFFFFFFEh
		dd offset loc_A0C082
		dd offset loc_A0C092
dword_6AA690	dd 0FFFFFFFEh, 0	; DATA XREF: NtSetBootOptions(x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0C6FF
		dd offset loc_A0C70F
		align 10h
dword_6AA6B0	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryBootOptions(x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0BEB9
		dd offset loc_A0BEC9
		dd 0FFFFFFFEh
		dd offset loc_A0BE9A
		dd offset loc_A0BEAA
dword_6AA6D8	dd 0FFFFFFFEh, 0	; DATA XREF: NtSetBootEntryOrder(x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset sub_A0C556
		dd offset sub_A0C566
		align 8
dword_6AA6F8	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryBootEntryOrder(x,x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_A0BC32
		dd offset loc_A0BC42
		dd 0FFFFFFFEh
		dd offset loc_A0BC13
		dd offset loc_A0BC23
dword_6AA720	dd 0FFFFFFFEh, 0	; DATA XREF: NtEnumerateBootEntries(x,x)+2o
		dd 0FFFFFF70h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0B410
		dd offset loc_A0B420
		dd 0FFFFFFFEh
		dd offset loc_A0B3F1
		dd offset loc_A0B401
dword_6AA748	dd 0FFFFFFFEh, 0	; DATA XREF: NtEnumerateSystemEnvironmentValuesEx(x,x,x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_A0B984
		dd offset loc_A0B994
		dd 0FFFFFFFEh
		dd offset loc_A0B965
		dd offset loc_A0B975
dword_6AA770	dd 0FFFFFFE4h, 0	; DATA XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+2o
		dd 0FFFFFFA8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0CD3D
		dd offset loc_A0CD4D
		align 10h
dword_6AA790	dd 0FFFFFFFEh, 0	; DATA XREF: NtSetSystemEnvironmentValue(x,x)+2o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0CAFC
		dd offset loc_A0CB0C
		align 10h
dword_6AA7B0	dd 0FFFFFFFEh, 0	; DATA XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0C3A0
		dd offset loc_A0C3B0
		dd 0FFFFFFFEh
		dd offset loc_A0C377
		dd offset loc_A0C387
dword_6AA7D8	dd 0FFFFFFE4h, 0	; DATA XREF: ExpSystemErrorHandler(x,x,x,x,x)+5o
		dd 0FFFFFE54h, 0
		dd 0FFFFFFFEh
		dd offset loc_73064B
		dd offset loc_73064F
		dd 0FFFFFFFEh
		dd offset loc_7308BB
		dd offset loc_7308BF
		dd 0FFFFFFFEh
		dd offset loc_730913
		dd offset loc_730917
		dd 0FFFFFFFEh
		dd offset loc_730A2D
		dd offset loc_730A31
dword_6AA818	dd 0FFFFFFE4h, 0	; DATA XREF: ExRaiseHardError(x,x,x,x,x,x)+5o
		dd 0FFFFFF60h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0D4CF
		dd offset loc_A0D4D3
		align 8
dword_6AA838	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryInformationWorkerFactory(x,x,x,x,x)+5o
		dd 0FFFFFF60h, 0
		dd 0FFFFFFFEh
		dd offset loc_68CE4A
		dd offset loc_68CE58
		dd 0FFFFFFFEh
		dd offset loc_68CFD6
		dd offset loc_68CFDC
dword_6AA860	dd 0FFFFFFFEh, 0	; DATA XREF: ExpCovReadRequestBuffer(x,x,x,x)+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0E2CD
		dd offset loc_A0E2DB
		dd 0FFFFFFFEh
		dd offset loc_A0E2A6
		dd offset loc_A0E2B4
dword_6AA888	dd 0FFFFFFE4h, 0	; DATA XREF: ExpCovQueryInformation(x,x,x)+5o
		dd 0FFFFFF14h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0DFD1
		dd offset loc_A0DFE2
		dd 0FFFFFFFEh
		dd offset loc_A0DD87
		dd offset loc_A0DD98
		dd 0FFFFFFFEh
		dd offset loc_A0DF48
		dd offset loc_A0DF59
		dd 0FFFFFFFEh
		dd offset loc_A0DFB8
		dd offset loc_A0DFC9
dword_6AA8C8	dd 0FFFFFFE4h, 0	; DATA XREF: ExpCovResetInformation(x,x)+2o
		dd 0FFFFFF70h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0E48F
		dd offset loc_A0E49D
		align 8
dword_6AA8E8	dd 0FFFFFFFEh, 0	; DATA XREF: NtWaitForKeyedEvent(x,x,x,x)+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0E92A
		dd offset loc_A0E93A
		align 8
dword_6AA908	dd 0FFFFFFFEh, 0	; DATA XREF: NtReleaseKeyedEvent(x,x,x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0E647
		dd offset loc_A0E657
		align 8
dword_6AA928	dd 0FFFFFFFEh, 0	; DATA XREF: NtOpenKeyedEvent(x,x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0E587
		dd offset loc_A0E597
		dd 0FFFFFFFEh
		dd offset loc_A0E566
		dd offset loc_A0E576
dword_6AA950	dd 0FFFFFFE4h, 0	; DATA XREF: ExpKdPullRemoteFileForUser(x)+2o
		dd 0FFFFFF88h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0EFE5
		dd offset loc_A0EFF5
		dd 0FFFFFFFEh
		dd offset loc_A0EFAE
		dd offset loc_A0EFBE
dword_6AA978	dd 0FFFFFFFEh, 0	; DATA XREF: NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0F543
		dd offset loc_A0F551
		dd 0FFFFFFFEh
		dd offset loc_A0F52D
		dd offset loc_A0F53B
dword_6AA9A0	dd 0FFFFFFFEh, 0	; DATA XREF: NtQueryAuxiliaryCounterFrequency(x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0F6C7
		dd offset loc_A0F6D5
		dd 0FFFFFFFEh
		dd offset loc_A0F6AA
		dd offset loc_A0F6B8
dword_6AA9C8	dd 0FFFFFFFEh, 0	; DATA XREF: NtStartProfile(x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0F8FB
		dd offset loc_A0F909
		align 8
dword_6AA9E8	dd 0FFFFFFE4h, 0	; DATA XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFF64h, 0
		dd 0FFFFFFFEh
		dd offset loc_A0F1E7
		dd offset loc_A0F1F5
		dd 0FFFFFFFEh
		dd offset loc_A0F1FA
		dd offset loc_A0F208
		dd 0FFFFFFFEh
		dd offset loc_A0F39B
		dd offset loc_A0F39F
		dd 0FFFFFFFEh
		dd offset loc_A0F3C1
		dd offset loc_A0F3C7
dword_6AAA28	dd 0FFFFFFFEh, 0	; DATA XREF: NtMapCMFModule(x,x,x,x,x,x)+5o
		dd 0FFFFFF28h, 0
		dd 0FFFFFFFEh, 0
		dd offset sub_A111B9
		dd 0FFFFFFFEh, 0
		dd offset sub_A1173C
		dd 0FFFFFFFEh
		dd offset sub_A11752
		dd offset sub_A11760
		align 10h
dword_6AAA60	dd 0FFFFFFE4h, 0	; DATA XREF: CMFFlushHitsFile(x,x)+5o
		dd 0FFFFFD78h, 0
		dd 0FFFFFFFEh
		dd offset loc_A103A2
		dd offset loc_A103B3
		align 10h
dword_6AAA80	dd 0FFFFFFE4h, 0	; DATA XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+2o
		dd 0FFFFFF70h, 0
		dd 0FFFFFFFEh
		dd offset loc_A11852
		dd offset loc_A11860
		dd 0FFFFFFFEh
		dd offset loc_A1192E
		dd offset loc_A1193C
		dd 0FFFFFFFEh
		dd offset loc_A11AC5
		dd offset loc_A11AC9
		align 8
dword_6AAAB8	dd 0FFFFFFFEh, 0	; DATA XREF: sub_A14547+2o
		dd 0FFFFFF98h, 0
		dd 0FFFFFFFEh
		dd offset loc_A14652
		dd offset loc_A14685
		align 8
dword_6AAAD8	dd 0FFFFFFFEh, 0	; DATA XREF: sub_A1AAB4+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A1AB30
		dd offset loc_A1AB40
		align 8
dword_6AAAF8	dd 0FFFFFFFEh, 0	; DATA XREF: sub_A1AF61+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A1AFE9
		dd offset loc_A1AFF9
		align 8
dword_6AAB18	dd 0FFFFFFFEh, 0	; DATA XREF: sub_A1AE51+2o
		dd 0FFFFFFB0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A1AF13
		dd offset loc_A1AF23
		align 8
dword_6AAB38	dd 0FFFFFFFEh, 0	; DATA XREF: sub_A1B731+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A1B7D1
		dd offset loc_A1B7E1
		align 8
dword_6AAB58	dd 0FFFFFFFEh, 0	; DATA XREF: sub_A1B649+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_A1B6EE
		dd offset loc_A1B6FE
		align 8
dword_6AAB78	dd 0FFFFFFFEh, 0	; DATA XREF: sub_A1C264+2o
		dd 0FFFFFFA4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A1C48D
		dd offset loc_A1C49D
		align 8
dword_6AAB98	dd 0FFFFFFFEh, 0	; DATA XREF: sub_A1C7EF+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A1C92C
		dd offset loc_A1C93C
		dd 0FFFFFFFEh
		dd offset loc_A1C8D9
		dd offset loc_A1C8E9
dword_6AABC0	dd 0FFFFFFFEh, 0	; DATA XREF: sub_A1D8A2+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A1D935
		dd offset loc_A1D945
		align 10h
dword_6AABE0	dd 0FFFFFFFEh, 0	; DATA XREF: sub_A1CBC6+2o
		dd 0FFFFFF7Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_A1CCB8
		dd offset loc_A1CCC8
		dd 0FFFFFFFEh
		dd offset loc_A1D0B2
		dd offset loc_A1D0C2
		dd 0FFFFFFFEh
		dd offset loc_A1D092
		dd offset loc_A1D0A2
		align 8
dword_6AAC18	dd 0FFFFFFFEh, 0	; DATA XREF: sub_A1D969+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A1DB4D
		dd offset loc_A1DB5D
		dd 0FFFFFFFEh
		dd offset loc_A1DAB1
		dd offset loc_A1DAC1
dword_6AAC40	dd 0FFFFFFFEh, 0	; DATA XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A22683
		dd offset loc_A22691
		align 10h
dword_6AAC60	dd 0FFFFFFFEh, 0	; DATA XREF: AslpFileGetClrVersion(x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A24AEA
		dd offset loc_A24AF8
		align 10h
dword_6AAC80	dd 0FFFFFFFEh, 0	; DATA XREF: AslpFileGetCrcChecksum(x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A24D05
		dd offset loc_A24D13
		align 10h
dword_6AACA0	dd 0FFFFFFFEh, 0	; DATA XREF: AslpFileGetChecksum(x,x)+2o
		dd 0FFFFFFBCh, 0
		dd 0FFFFFFFEh
		dd offset loc_A247F8
		dd offset loc_A24806
		align 10h
dword_6AACC0	dd 0FFFFFFFEh, 0	; DATA XREF: AslpFileQuery16BitModuleName(x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A26135
		dd offset loc_A26143
		align 10h
dword_6AACE0	dd 0FFFFFFFEh, 0	; DATA XREF: AslpFileQuery16BitDescription(x,x)+2o
		dd 0FFFFFFC0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A26019
		dd offset loc_A26027
		align 10h
dword_6AAD00	dd 0FFFFFFFEh, 0	; DATA XREF: AslpFileQueryExportName_Vb(x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_73A7B7
		dd offset loc_73A7C5
		align 10h
dword_6AAD20	dd 0FFFFFFFEh, 0	; DATA XREF: AslpFileHasActiveMarkWrapper(x,x,x)+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A25BA8
		dd offset loc_A25BB6
		align 10h
dword_6AAD40	dd 0FFFFFFFEh, 0	; DATA XREF: AslpFileGetExeWrapper(x,x)+2o
		dd 0FFFFFFC8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A24E4D
		dd offset loc_A24E5B
		align 10h
dword_6AAD60	dd 0FFFFFFFEh, 0	; DATA XREF: AslpFileGetNtHeaderAttributes(x,x,x,x,x,x,x,x,x)+2o
		dd 0FFFFFFCCh, 0
		dd 0FFFFFFFEh
		dd offset loc_73A64E
		dd offset loc_73A65C
		align 10h
dword_6AAD80	dd 0FFFFFFFEh, 0	; DATA XREF: AslpFileGetVersionBlock(x,x,x)+5o
		dd 0FFFFFE5Ch, 0
		dd 0FFFFFFFEh
		dd offset loc_A25A0F
		dd offset loc_A25A1D
		align 10h
dword_6AADA0	dd 0FFFFFFFEh, 0	; DATA XREF: AslpFileGetImageNtHeader(x,x)+2o
		dd 0FFFFFFD0h, 0
		dd 0FFFFFFFEh
		dd offset loc_A253F0
		dd offset loc_A253FE
		align 10h
dword_6AADC0	dd 0FFFFFFFEh, 0	; DATA XREF: AslpFileLargeGetCrcChecksum(x,x)+2o
		dd 0FFFFFFB8h, 0
		dd 0FFFFFFFEh
		dd offset loc_A26AC7
		dd offset loc_A26AD5
		align 10h
dword_6AADE0	dd 0FFFFFFFEh, 0	; DATA XREF: AslpFileLargeGetChecksum(x,x)+2o
		dd 0FFFFFFC4h, 0
		dd 0FFFFFFFEh
		dd offset loc_A26830
		dd offset loc_A2683E
		align 10h
dword_6AAE00	dd 0FFFFFFFEh, 0	; DATA XREF: AuthzBasepProbeAndInsertTailList(x,x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset sub_73A84E
		dd offset sub_73A85C
		align 10h
dword_6AAE20	dd 0FFFFFFFEh, 0	; DATA XREF: AuthzBasepCompareFQBNOperands(x,x,x)+2o
		dd 0FFFFFF7Ch, 0
		dd 0FFFFFFFEh
		dd offset sub_696851
		dd offset sub_69685F
		align 10h
dword_6AAE40	dd 0FFFFFFFEh, 0	; DATA XREF: AhcCacheQueryHwId(x)+5o
		dd 0FFFFFEF0h, 0
		db 0FEh
byte_6AAE51	db 3 dup(0FFh)		; CODE XREF: .text:_wil_details_featureDescriptors_aj
		dd offset loc_A3BEF8
		dd offset loc_A3BF06
		dd 0FFFFFFFEh
		dd offset loc_A3BEDB
		dd offset loc_A3BEE9
		dd 0FFFFFFFEh
		dd offset loc_A3BEC8
		dd offset loc_A3BED6
		align 8
dword_6AAE78	dd 0FFFFFFFEh, 0	; DATA XREF: TriagepVerifyDump(x)+2o
		dd 0FFFFFFD4h, 0
		dd 0FFFFFFFEh
		dd offset loc_AF1B87
		dd offset loc_AF1B8B
		align 8
dword_6AAE98	dd 0FFFFFFFEh, 0	; DATA XREF: NtReplacePartitionUnit(x,x,x)+2o
		dd 0FFFFFFB4h, 0
		dd 0FFFFFFFEh
		dd offset loc_69ECD2
		dd offset loc_69ECE0
; 

_wil_details_featureDescriptors_a:	; DATA XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+183o
					; wil_details_EvaluateFeatureDependencies()+Fo	...
		loopne	near ptr byte_6AAE51
		outsd
		add	[eax-27h], ch
		outsd
		add	[edx+esi*4+40h], cl
		add	ds:302AFh[ebp],	cl
		add	[ecx], eax
		fdivr	qword ptr [esi+0]
		inc	eax

loc_6AAECB:				; DATA XREF: Feature_Servicing_HibernateRelaxVBSPolicy__private_IsEnabledFallback(x,x,x)+8o
		add	al, dl
		wait
		outsd
		add	al, bl
		fsubr	dword ptr [edi+0]
		push	esp
		mov	dl, 40h
		add	[edx+30368B1h],	cl
; 
		db 2 dup(0), 1
		dd 0
; 

_Feature_Standalone_24_06_NonSec__private_descriptor:
		cmp	[ebx-26AFFF91h], bl
		outsd
		add	[edx+esi*4+40h], cl
		add	al, ch
		cdq
		repne add al, [ebx]
		add	[ecx], al
		add	[esi+edi-6437FFC0h], eax
		outsd
; 
		db 0
; 
		pusha
		fldcw	word ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	[ebx], bl
		sub	eax, 302AFh
		add	[ecx], eax
		dec	esp
		db	3Eh
		inc	eax
		add	al, dh
		wait
		outsd
		add	[eax-27h], dh
		outsd
		add	[edx+esi*4+40h], cl
		add	ds:302AF2Dh, bl
		add	[ecx], al
		add	[esi+edi-6427FFC0h], edx
		outsd
		add	al, dl
; 
		db 0D9h
; 
		outsd
		add	[edx+esi*4+40h], cl
		add	ds:302AF2Ch, bh
		add	[ecx], al
		add	[eax], eax
; 
		db 3 dup(0)
; 

_Feature_Standalone_24_10_NonSec__private_descriptor:
		sub	[ebx-26DFFF91h], bl
		outsd
		add	[edx+esi*4+40h], cl
		add	ds:302AF2Dh, ch
		add	[ecx], al
		add	[esi+edi-64F7FFC0h], ecx
		outsd
		add	al, ch
; 
		db 0D8h
; 
		outsd
		add	[edx+esi*4+40h], cl
		add	[edx+302AF2Ch],	dh
		add	[ecx], al
		add	[esi+edi+40h], ebx
; 
		db 0
; 

_Feature_TestUx32__private_descriptor:
		add	[ebx-260FFF91h], bl
		outsd
		add	[edx+esi*4+40h], cl
		add	[edi], ch
		xchg	eax, edx
		jecxz	short loc_6AAF86
		add	eax, [eax]

loc_6AAF86:				; CODE XREF: .text:006AAF82j
		add	[ecx], eax
		or	[esi+0], bh
		inc	eax
		add	[eax-65h], dl
		outsd
		add	al, ch
		fldcw	word ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	[edx], ch
		or	ah, bl
		add	al, [ebx]
		add	[ecx], al
		add	esp, esp
		db	3Eh
		inc	eax
		add	[eax-0FFF9065h], bl
		fsubr	dword ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	[ecx+3030370h],	dl
		add	[ecx], al
		add	eax, edx
		db	3Eh
		inc	eax
		add	[eax], ah
		wait
		outsd
		add	[eax+4C006FD9h], al
		mov	dl, 40h
		add	[edi], dl
		sub	eax, 302AFh
		add	[ecx], eax
		or	[esi+0], bh
		inc	eax
		add	[eax-4FFF9065h], dl
		fldcw	word ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	[ebx+ebp*8], bh
		rep add	al, [ebx]
		add	[ecx], al
; 
		db 1
		dd offset _Feature_Standalone_24_04_NonSec__private_requiresFeatures
; 

_Feature_Servicing_Dcr_23_01_NonSec__private_descriptor:
		pusha
		wait
		outsd
		add	[eax+4C006FD9h], ah
		mov	dl, 40h
		add	[eax+2Ch], bh
		scasd
		add	al, [ebx]
		add	[ecx], al
		add	[esi+edi+40h], edx
		add	[eax-65h], cl
		outsd
		add	[eax-27h], al
		outsd
		add	[edx+esi*4+40h], cl
		add	cl, dh
		cdq
		repne add al, [ebx]
		add	[ecx], al
		add	[esi+edi+40h], esp
		add	al, bh
		wait
		outsd
		add	[eax-27h], bh
		outsd
		add	[edx+esi*4+40h], dl
		add	[esp+ecx*4+3], ah
		add	eax, [ebx]
; 
		db 2 dup(0), 1
		dd offset _Feature_SettingsDel__private_requiresFeatures
; 

_Feature_Servicing_Dcr_23_07_NonSec__private_descriptor:
		clc
		call	far ptr	6Fh:0D9D8006Fh
		dec	esp
		mov	dl, 40h
		add	al, dl
		sub	al, 0AFh
		add	al, [ebx]
		add	[ecx], al
		add	[esi+edi+40h], esi
		add	[eax+38006F9Bh], al
		fldcw	word ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	[edx], ah
		sub	eax, 302AFh
		add	[ecx], eax
		mov	ah, 3Eh
		inc	eax
		add	[eax-57FF9065h], ah
		fldcw	word ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	cl, bl
		sub	al, 0AFh
		add	al, [ebx]
		add	[ecx], al
; 
		db 1
		dd offset _Feature_Servicing_Dcr_23_08_NonSec__private_requiresFeatures
; 

_Feature_Servicing_Dcr_23_10_NonSec__private_descriptor:
		inc	eax
		wait
		outsd
		add	[eax+4C006FD9h], bl
		mov	dl, 40h
		add	al, ch
		sub	al, 0AFh
		add	al, [ebx]
		add	[ecx], al
		add	[esi+edi], ebp
		inc	eax
		add	[eax], dh
		wait
		outsd
		add	al, bh
; 
		db 0D8h
; 
		outsd
		add	[edx+esi*4+40h], cl
		add	[eax+302AF2Ch],	ch
		add	[ecx], al
		add	[esi+edi+40h], ebp
		add	[eax], dl
		pushf
		outsd
		add	[eax+54006FD9h], cl
		mov	dl, 40h
		add	ah, ch
		mov	word ptr [ebx],	es
		add	eax, [ebx]
; 
		db 2 dup(0), 1
		dd offset _Feature_TestConfVar__private_requiresFeatures
; 

_Feature_Standalone_24_09_NonSec__private_descriptor:
		push	30006F9Bh
		fldcw	word ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	[esi], ah
		sub	eax, 302AFh
		add	[ecx], eax
		adc	[esi+0], bh
		inc	eax
		add	[eax+48006F9Bh], cl
; 
		db 0D9h
; 
		outsd
		add	[edx+esi*4+40h], cl
		add	[ebp+302E309h],	al
		add	[ecx], al
		add	[eax+3Eh], eax
		inc	eax
		add	[eax], bl
		wait
		outsd
		add	[eax-27h], bl
		outsd
		add	[edx+esi*4+40h], cl
		add	dh, dl
		outsd
		add	eax, [ebx]
		add	eax, [eax]
		add	[ecx], eax
		xor	al, 3Eh
		inc	eax
		add	al, al
		wait
		outsd
		add	al, ah
		fsubr	dword ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	ds:302AFh[ebp],	al
		add	[ecx], eax
		clc
		db	3Eh
		inc	eax
		add	[eax], dl
		wait
		outsd
		add	al, cl
		fldcw	word ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	ch, bh
		sub	al, 0AFh
		add	al, [ebx]
		add	[ecx], al
		add	[eax], ecx
		aas
		inc	eax
		add	[eax-65h], dh
		outsd
		add	[eax], bl
		fldcw	word ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	dl, al
		sub	al, 0AFh
		add	al, [ebx]
		add	[ecx], al
		add	[esi+edi+40h], edi
		add	[eax+6F9Bh], ch
		fldcw	word ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	[edi+302AF2Ch],	dh
		add	[ecx], al
		add	[eax], eax
		aas
		inc	eax
		add	[eax-65h], bh
		outsd
		add	al, al
		fldcw	word ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	[ecx], dl
		sub	eax, 302AFh
		add	[ecx], eax
		movsb
		db	3Eh
		inc	eax
		add	al, ch
		wait
		outsd
		add	al, ah
		fldcw	word ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	al, cl
		sub	al, 0AFh
		add	al, [ebx]
		add	[ecx], al
		add	eax, ecx
		db	3Eh
		inc	eax
		add	[eax-47FF9065h], dh
		fldcw	word ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	bl, ch
		sub	al, 0AFh
		add	al, [ebx]
		add	[ecx], al

loc_6AB1AF:				; DATA XREF: Feature_Servicing_Opnum_Filter__private_IsEnabledFallback(x,x,x)+8o
		add	[esi+edi-64A7FFC0h], ebp
		outsd
		add	[eax], ch
		fldcw	word ptr [edi+0]
		push	esp
		mov	dl, 40h
		add	bh, cl
		dec	ebp
		add	al, 3
		add	eax, [eax]
		add	[ecx], al
; 
		dd 0
; 

_Feature_Servicing_Dcr_23_09_NonSec__private_descriptor:
		add	[edi+ebp*2+6FD90800h], bl
		add	[edx+esi*4+40h], cl
		add	ah, ah
		sub	al, 0AFh
		add	al, [ebx]
		add	[ecx], al
		add	eax, esi
		db	3Eh
		inc	eax
		add	[eax+10006F9Bh], bh
		fldcw	word ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	dh, dh
		sub	al, 0AFh
		add	al, [ebx]
		add	[ecx], al
		add	[eax], ebx
		db	3Eh
		inc	eax

loc_6AB1FB:				; DATA XREF: Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledFallback(x,x,x)+8o
		add	[eax], cl
		pushf
		outsd
		add	[eax+54006FD9h], dl
		mov	dl, 40h
		add	cl, al
		mov	esi, 3033Eh
		add	[ecx], al
; 
		dd 0
; 

_Feature_2543631672__private_descriptor:
					; DATA XREF: Feature_2543631672__private_IsEnabledFallback(x,x,x)+8o
		sbb	[edi+ebp*2+6FD9FC00h], bl
		add	[edx+esi*4+40h], dl
		add	[ebx-47h], bh
		jnb	short near ptr loc_6AB226+1
		add	eax, [eax]

loc_6AB226:				; CODE XREF: .text:006AB222j
		add	[ecx], al
; 
		dd 0
_Feature_1148767544__private_descriptor	dd offset _Feature_1148767544__private_featureState
					; DATA XREF: Feature_1148767544__private_IsEnabledFallback(x,x,x)+8o
		dd offset _Feature_1148767544__private_reporting
		dd offset _Feature_Servicing_HibernateRelaxVBSPolicy_logged_traits
		dd 36F404Fh, 1000003h, 0
_Feature_693672248__private_descriptor dd offset _Feature_693672248__private_featureState
					; DATA XREF: Feature_693672248__private_IsEnabledFallback(x,x,x)+8o
		dd offset _Feature_693672248__private_reporting
		dd offset _Feature_Servicing_HibernateRelaxVBSPolicy_logged_traits
		dd 37A0854h, 1000003h, 0
_Feature_3401902395__private_descriptor	dd offset _Feature_3401902395__private_featureState
					; DATA XREF: Feature_3401902395__private_IsEnabledFallback(x,x,x)+8o
		dd offset _Feature_3401902395__private_reporting
		dd offset _Feature_Servicing_HibernateRelaxVBSPolicy_logged_traits
		dd 366EFACh, 1000003h, 0
; 

_Feature_3257204026__private_descriptor:
					; DATA XREF: Feature_3257204026__private_IsEnabledFallback(x,x,x)+8o
		cmp	[edi+ebp*2+6FDA1C00h], bl
		add	[edx+esi*4+40h], dl
		add	dh, ch
		xlat
		arpl	[ebx], ax
		add	eax, [eax]
		add	[ecx], al
; 
		dd 0
; 

_Feature_1445264698__private_descriptor:
					; DATA XREF: Feature_1445264698__private_IsEnabledFallback(x,x,x)+8o
		inc	eax
		pushf
		outsd
		add	[edx+ebx*8], ah
		outsd
		add	[edx+esi*4+40h], dl
		add	bl, cl
		xlat
		arpl	[ebx], ax
		add	eax, [eax]
		add	[ecx], al
; 
		dd 0
_Feature_SchedulerQosPreemption__private_descriptor dd offset _Feature_SchedulerQosPreemption__private_featureState
					; DATA XREF: Feature_SchedulerQosPreemption__private_ReportUsageFallback(x,x,x)+10o
		dd offset _Feature_SchedulerQosPreemption__private_reporting
		dd offset _Feature_UxConfTest_logged_traits
		dd 126E6F7h, 1010003h, 0
_Feature_SchedulerFavoredCoreRotation__private_descriptor dd offset _Feature_SchedulerFavoredCoreRotation__private_featureState
					; DATA XREF: Feature_SchedulerFavoredCoreRotation__private_ReportUsageFallback(x,x,x)+10o
		dd offset _Feature_SchedulerFavoredCoreRotation__private_reporting
		dd offset _Feature_UxConfTest_logged_traits
		dd 1188600h, 1010003h
		db 2 dup(0)
word_6AB2D2	dw 0			; CODE XREF: .text:_Feature_SchedulerAssistHRTimer__private_descriptorj
_Feature_BamQosGrouping__private_descriptor dd offset _Feature_BamQosGrouping__private_featureState
					; DATA XREF: Feature_BamQosGrouping__private_ReportUsageFallback(x,x,x)+10o
		dd offset _Feature_BamQosGrouping__private_reporting
		dd offset _Feature_UxConfTest_logged_traits
		dd 1188553h, 1010003h, 0
; 

_Feature_SchedulerAssistLongSpinWait__private_descriptor:
					; DATA XREF: Feature_SchedulerAssistLongSpinWait__private_ReportUsageFallback(x,x,x)+10o
		pusha
		pushf
		outsd
		add	[eax-26h], dh
		outsd
		add	[edx+esi*4+40h], cl
		add	bh, bl
		out	dx, eax
		std
		add	[ebx], al
		add	[ecx], al
		add	[eax], eax
; 
		db 3 dup(0)
_Feature_SchedulerAssistAllowRealTime__private_descriptor dd offset _Feature_SchedulerAssistAllowRealTime__private_featureState
					; DATA XREF: Feature_SchedulerAssistAllowRealTime__private_ReportUsageFallback(x,x,x)+10o
		dd offset _Feature_SchedulerAssistAllowRealTime__private_reporting
		dd offset _Feature_UxConfTest_logged_traits
		dd 0E4A238h, 1010003h, 0
_Feature_SchedulerAggressiveForegroundBoost__private_descriptor	dd offset _Feature_SchedulerAggressiveForegroundBoost__private_featureState
					; DATA XREF: Feature_SchedulerAggressiveForegroundBoost__private_ReportUsageFallback(x,x,x)+10o
		dd offset _Feature_SchedulerAggressiveForegroundBoost__private_reporting
		dd offset _Feature_UxConfTest_logged_traits
		dd 0DEF75Ch, 1010003h, 0
; 

_Feature_SchedulerAssistHRTimer__private_descriptor:
					; DATA XREF: Feature_SchedulerAssistHRTimer__private_ReportUsageFallback(x,x,x)+10o
		js	short near ptr word_6AB2D2
		outsd
		add	[eax+4C006FDAh], cl
		mov	dl, 40h
		add	[edi-7Eh], ch
		fild	word ptr [eax]
		add	eax, [eax]
		add	[ecx], eax
; 
		dd 0
; 

_Feature_SchedulerAssistSpinLock__private_descriptor:
					; DATA XREF: Feature_SchedulerAssistSpinLock__private_ReportUsageFallback(x,x,x)+10o
		sbb	byte ptr [edi+ebp*2+6FDA9000h],	0
		dec	esp
		mov	dl, 40h
		add	dh, dl
; 
		db 0C5h, 0DEh, 0
		dd 1010003h, 0
_Feature_SchedulerAssistEnableBAM__private_descriptor dd offset	_Feature_SchedulerAssistEnableBAM__private_featureState
					; DATA XREF: Feature_SchedulerAssistEnableBAM__private_ReportUsageFallback(x,x,x)+10o
		dd offset _Feature_SchedulerAssistEnableBAM__private_reporting
		dd offset _Feature_UxConfTest_logged_traits
		dd 0DE148Ch, 1010003h, 0
; 

_Feature_SchedulerAssistForegroundBoostBias__private_descriptor:
					; DATA XREF: Feature_SchedulerAssistForegroundBoostBias__private_ReportUsageFallback(x,x,x)+10o
		nop
		pushf
		outsd
		add	[eax+50006FDAh], ah
		mov	ah, 40h
		add	[esi], cl
		sti
		fld	qword ptr [eax]
		add	eax, [ecx]
; 
		dw 0
		dd 0
; 

_Feature_SchedulerAssistThreadFlag__private_descriptor:
					; DATA XREF: Feature_SchedulerAssistThreadFlag__private_ReportUsageFallback(x,x,x)+10o
		cwde
		pushf
		outsd
		add	[eax+4C006FDAh], ch
		mov	dl, 40h
		add	[ebx], dh
		mov	cl, dh
		add	[ebx], al
		add	[ecx], al
		add	[eax], eax
; 
		db 3 dup(0)
; 

_Feature_SchedulerAssistPreemptionPriorityKick__private_descriptor:
					; DATA XREF: Feature_SchedulerAssistPreemptionPriorityKick__private_ReportUsageFallback(x,x,x)+10o
		mov	al, ds:0B0006F9Ch
		fisubr	dword ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	ah, bl
		inc	ebp
		rol	byte ptr [eax],	cl
		add	eax, [eax]
		add	[ecx], eax
; 
		dd 0
; 

_Feature_SchedulerAssistReflectPriority__private_descriptor:
					; DATA XREF: Feature_SchedulerAssistReflectPriority__private_ReportUsageFallback(x,x,x)+10o
		test	al, 9Ch
		outsd
		add	[eax+50006FDAh], bh
		mov	ah, 40h
		add	[edx], ah
		mov	cl, dh
		add	[ebx], al
		add	[eax], eax
; 
		db 0
		dd 0
_Feature_DisableLowQosTimerResolution__private_descriptor dd offset _Feature_DisableLowQosTimerResolution__private_featureState
					; DATA XREF: Feature_DisableLowQosTimerResolution__private_ReportUsageFallback(x,x,x)+10o
		dd offset _Feature_DisableLowQosTimerResolution__private_reporting
		dd offset _Feature_RelaxTcbForUWP_logged_traits
		dd 13AEA4Dh, 100h, 0
; 

_Feature_ReduceTimerWakes__private_descriptor:
					; DATA XREF: Feature_ReduceTimerWakes__private_ReportUsageFallback(x,x,x)+10o
		mov	eax, 0C8006F9Ch
		fisubr	dword ptr [edi+0]
		dec	esp
		mov	dl, 40h
		add	[eax-16h], cl
		cmp	al, [ecx]
; 
		dd 1010000h
		db 2 dup(0)
word_6AB40A	dw 0			; CODE XREF: .text:_Feature_SleepReliabilityDetailedDiagnostics__private_descriptorj
_Feature_Leap_Seconds_Sixty_Second__private_descriptor dd offset _Feature_Leap_Seconds_Sixty_Second__private_featureState
					; DATA XREF: Feature_Leap_Seconds_Sixty_Second__private_ReportUsageFallback(x,x,x)+10o
		dd offset _Feature_Leap_Seconds_Sixty_Second__private_reporting
		dd offset _Feature_RelaxTcbForUWP_logged_traits
		dd 0CCD568h, 100h, 0
; 

_Feature_PdttSupport__private_descriptor:
					; DATA XREF: Feature_PdttSupport__private_ReportUsageFallback(x,x,x)+10o
		enter	6F9Ch, 0
		call	near ptr 506B2407h
		mov	ah, 40h
		add	large ds:0F68Ah, cl
		add	[eax], eax
; 
		db 0
		dd 0
_Feature_PowerButtonBugcheck__private_descriptor dd offset _Feature_PowerButtonBugcheck__private_featureState
					; DATA XREF: Feature_PowerButtonBugcheck__private_ReportUsageFallback(x,x,x)+10o
		dd offset _Feature_PowerButtonBugcheck__private_reporting
		dd offset _Feature_RelaxTcbForUWP_logged_traits
		dd 8DF90Eh, 100h, 0
_Feature_DirectedFx__private_descriptor	dd offset _Feature_DirectedFx__private_featureState
					; DATA XREF: Feature_DirectedFx__private_ReportUsageFallback(x,x,x)+10o
		dd offset _Feature_DirectedFx__private_reporting
		dd offset _Feature_RelaxTcbForUWP_logged_traits
		dd 12F004Eh, 100h, 0
; 

_Feature_SleepReliabilityDetailedDiagnostics__private_descriptor:
					; DATA XREF: Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledFallback(x,x,x)+8o
		loopne	near ptr word_6AB40A
		outsd
; 
		db 0
		dd offset _Feature_SleepReliabilityDetailedDiagnostics__private_reporting
		dd offset dword_40B73C+4
		dd 128F008h, 2 dup(0)
; 

_Feature_SModeAdminless__private_descriptor:
					; DATA XREF: Feature_SModeAdminless__private_ReportUsageFallback(x,x,x)+10o
		lock pushf
		outsd
		add	[eax], bl
		fld	tbyte ptr [edi+0]
		push	eax
		mov	ah, 40h
		add	[ebp+1042Eh], ah
		add	[eax], eax
; 
		db 0
		dd 0
_Feature_PPLEnforcement__private_descriptor dd offset _Feature_PPLEnforcement__private_featureState
					; DATA XREF: Feature_PPLEnforcement__private_ReportUsageFallback(x,x,x)+10o
		dd offset _Feature_PPLEnforcement__private_reporting
		dd offset _Feature_RelaxTcbForUWP_logged_traits
		dd 126C519h, 100h, 0
; 

_Feature_WCOSDeveloperMode__private_descriptor:
					; DATA XREF: Feature_WCOSDeveloperMode__private_ReportUsageFallback(x,x,x)+10o
		clc
		pushf
		outsd
		add	[ebx+ebx*8], ah
		outsd
		add	[edx+esi*4+40h], cl
		add	bh, cl
		adc	[ecx], edx
		add	[eax], eax
		add	[ecx], al
		add	[eax], eax
; 
		db 3 dup(0)
_Feature_WldpDeveloperMode__private_descriptor dd offset _Feature_WldpDeveloperMode__private_featureState
					; DATA XREF: Feature_WldpDeveloperMode__private_ReportUsageFallback(x,x,x)+10o
		dd offset _Feature_WldpDeveloperMode__private_reporting
		dd offset _Feature_UxConfTest_logged_traits
		dd 0F15640h, 1010000h, 0
_Feature_RelaxTcbForUWP__private_descriptor dd offset _Feature_RelaxTcbForUWP__private_featureState
					; DATA XREF: Feature_RelaxTcbForUWP__private_ReportUsageFallback(x,x,x)+10o
		dd offset _Feature_RelaxTcbForUWP__private_reporting
		dd offset _Feature_RelaxTcbForUWP_logged_traits
		dd 0FC13FCh, 103h, 0
; 

_Feature_LogErrorRecords__private_descriptor:
					; DATA XREF: Feature_LogErrorRecords__private_ReportUsageFallback(x,x,x)+10o
		adc	[ebp-24B7FF91h], bl
		outsd
		add	[edx+esi*4+40h], cl
		add	[edi], dl
		inc	ecx
		sbb	eax, [ecx]
; 
		dd 1010000h, 0
off_6AB514	dd offset dword_6F9D20	; DATA XREF: sub_59801E+10o
		dd offset unk_6FDB50
		dd offset _Feature_RelaxTcbForUWP_logged_traits
		dd 0E67B5Ah, 100h, 0
_Feature_CompatBuildInVb__private_descriptor dd	offset _Feature_CompatBuildInVb__private_featureState
					; DATA XREF: Feature_CompatBuildInVb__private_IsEnabledFallback(x,x,x)+8o
		dd offset _Feature_CompatBuildInVb__private_reporting
		dd offset _Feature_Servicing_HibernateRelaxVBSPolicy_logged_traits
		dd 2E4DC11h, 1000003h
		dd offset _Feature_CompatBuildInVb__private_requiresFeatures
_wil_details_featureDescriptors_z dd 2Eh dup(0)
					; DATA XREF: wil_details_FeatureDescriptors_SkipPadding(x)o
		db 3 dup(0)
byte_6AB5FF	db 0			; DATA XREF: PAGE:00A4021Dw
					; PAGE:00A4022Dw
_text		ends

; Section 2. (virtual address 002AC000)
; Virtual size			: 00002327 (   8999.)
; Section size in file		: 00002400 (   9216.)
; Offset to raw	data for section: 002AAE00
; Flags	68000020: Text Not pageable Executable Readable
; Alignment	: default
; 

; Segment type:	Pure code
; Segment permissions: Read/Execute
KVASCODE	segment	para public 'CODE' use32
		assume cs:KVASCODE
		;org 6AC000h
		assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

;  S U B	R O U T	I N E 


_KiKernelSysretExit proc near		; CODE XREF: sub_5808E5+38j
					; _KiSystemCallExit2+1Fj
					; DATA XREF: ...

arg_5FFC	= dword	ptr  6000h

		mov	esp, large fs:3Ch
		lea	esp, [esp+6000h]
		push	3Bh
		push	ecx
		mov	ecx, large fs:500Ch
		bt	ecx, 1
		jb	short loc_6AC033
		mov	ecx, large fs:5000h
		add	ecx, 20h
		mov	cr3, ecx
		verw	large word ptr fs:5028h

loc_6AC033:				; CODE XREF: _KiKernelSysretExit+1Cj
		pop	ecx
		pop	fs
		sti
		sysexit
		int	3		; Trap to Debugger
_KiKernelSysretExit endp


;  S U B	R O U T	I N E 


_KiKernelExit	proc near		; CODE XREF: sub_5993DC+9Bj
					; sub_5993DC+A7j ...

arg_4		= dword	ptr  8

		mov	large fs:5024h,	esi
		mov	large fs:501Ch,	esp
		mov	esi, large fs:3Ch
		lea	esi, [esi+6000h]
		sub	esi, 14h
		test	[esp+arg_4], 20000h
		jz	short loc_6AC065
		sub	esi, 10h

loc_6AC065:				; CODE XREF: _KiKernelExit+26j
		pop	dword ptr [esi]
		pop	dword ptr [esi+4]
		pop	dword ptr [esi+8]
		pop	dword ptr [esi+0Ch]
		pop	dword ptr [esi+10h]
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AC088
		pop	dword ptr [esi+14h]
		pop	dword ptr [esi+18h]
		pop	dword ptr [esi+1Ch]
		pop	dword ptr [esi+20h]

loc_6AC088:				; CODE XREF: _KiKernelExit+40j
		mov	esp, esi
		push	large dword ptr	fs:5018h
		cmp	large dword ptr	fs:5020h, 0
		jz	short loc_6AC0A9
		push	large dword ptr	fs:5010h
		push	large dword ptr	fs:5014h

loc_6AC0A9:				; CODE XREF: _KiKernelExit+5Fj
		mov	esi, large fs:500Ch
		bt	esi, 1
		jb	short loc_6AC0CB
		mov	esi, large fs:5000h
		add	esi, 20h
		mov	cr3, esi
		verw	large word ptr fs:5028h

loc_6AC0CB:				; CODE XREF: _KiKernelExit+7Aj
		mov	esi, large fs:5024h
		mov	large dword ptr	fs:5024h, 0
		cmp	large dword ptr	fs:5020h, 0
		jz	short loc_6AC0E9
		pop	es
		pop	ds

loc_6AC0E9:				; CODE XREF: _KiKernelExit+ABj
		pop	fs
		iret
_KiKernelExit	endp ; sp =  24h

; 
		db 0CCh

;  S U B	R O U T	I N E 


_KiKernelTaskSwitchExit	proc near	; CODE XREF: sub_59C2E7+15Cj
					; sub_5A18E7+C0j

arg_8C		= dword	ptr  90h
arg_90		= byte ptr  94h
arg_94		= dword	ptr  98h
arg_98		= dword	ptr  9Ch

		mov	ecx, large fs:3Ch
		lea	ecx, [ecx+7000h]
		add	esp, 68h
		sub	ecx, 24h
		pop	dword ptr [ecx]
		pop	dword ptr [ecx+4]
		pop	dword ptr [ecx+8]
		pop	dword ptr [ecx+0Ch]
		pop	dword ptr [ecx+10h]
		pop	dword ptr [ecx+14h]
		pop	dword ptr [ecx+18h]
		pop	dword ptr [ecx+1Ch]
		pop	dword ptr [ecx+20h]
		add	esp, 4
		xchg	esp, ecx
		test	[esp-90h+arg_94], 20000h
		jnz	short loc_6AC163
		test	[esp-90h+arg_90], 1
		jnz	short loc_6AC163
		mov	edi, large fs:3Ch
		lea	edi, [edi+6000h]
		cmp	[esp-90h+arg_98], edi
		ja	short loc_6AC185
		sub	edi, 1000h
		cmp	[esp-90h+arg_98], edi
		jbe	short loc_6AC185
		mov	edi, offset _KiKernelSysretExit
		cmp	[esp-90h+arg_8C], edi
		jb	short loc_6AC185
		mov	edi, offset _KiShadowExitEnd
		cmp	[esp-90h+arg_8C], edi
		jnb	short loc_6AC185

loc_6AC163:				; CODE XREF: _KiKernelTaskSwitchExit+3Aj
					; _KiKernelTaskSwitchExit+41j
		mov	edx, large fs:500Ch
		bt	edx, 1
		jb	short loc_6AC185
		mov	edx, large fs:5000h
		add	edx, 20h
		mov	cr3, edx
		verw	large word ptr fs:5028h

loc_6AC185:				; CODE XREF: _KiKernelTaskSwitchExit+54j
					; _KiKernelTaskSwitchExit+60j ...
		add	esp, 24h
		iret
_KiKernelTaskSwitchExit	endp ; sp =  0B4h

; 
		xchg	esp, ecx
		jmp	eax
; 
		align 2

;  S U B	R O U T	I N E 


_KiShadowExitEnd proc near		; DATA XREF: _KiTrap02+59o
					; V86_kit7_a+358o ...
		nop
		nop

_KiFastCallEntryShadow:			; DATA XREF: KiLoadFastSyscallMachineSpecificRegisters+35o
					; V86_kit1_a+31Co ...
		mov	ecx, 23h
		push	30h
		pop	fs
		assume fs:nothing
		mov	ds, cx
		assume ds:nothing
		mov	es, cx
		assume es:nothing
		xor	ecx, ecx
		mov	gs, cx
		assume gs:nothing
		mov	ecx, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AC1B6
		mov	cr3, ecx

loc_6AC1B6:				; CODE XREF: _KiShadowExitEnd+23j
		mov	esp, large fs:5004h
		push	23h
		push	edx
		pushf
		jmp	KiFastCallEntryCommon
_KiShadowExitEnd endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiFastCallEntry2Shadow	proc near	; DATA XREF: V86_kit1_a+324o

var_C		= byte ptr -0Ch

		mov	ecx, 23h
		push	30h
		pop	fs
		mov	ds, cx
		mov	es, cx
		xor	ecx, ecx
		mov	gs, cx
		mov	ecx, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AC1F6
		mov	cr3, ecx

loc_6AC1F6:				; CODE XREF: _KiFastCallEntry2Shadow+21j
		mov	esp, large fs:5004h
		push	23h
		push	edx
		pushf
		or	byte ptr [esp+1], 1
		jmp	KiFastCallEntryCommon
_KiFastCallEntry2Shadow	endp

; 
		jmp	short _KiTrap00Shadow
; 
		align 10h

;  S U B	R O U T	I N E 


_KiTrap00Shadow	proc near		; CODE XREF: KVASCODE:006AC20Bj
					; DATA XREF: .data:_IDTShadowo	...

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC249
		test	[esp+8+arg_0], 1
		jnz	short loc_6AC249
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AC249
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AC240
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AC249

loc_6AC240:				; CODE XREF: _KiTrap00Shadow+26j
					; _KiTrap00Shadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiTrap00
; 

loc_6AC249:				; CODE XREF: _KiTrap00Shadow+Bj
					; _KiTrap00Shadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AC281
		mov	cr3, esi

loc_6AC281:				; CODE XREF: _KiTrap00Shadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC29C
		test	[esp+8+arg_0], 1
		jz	short loc_6AC240

loc_6AC29C:				; CODE XREF: _KiTrap00Shadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AC2BC
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AC2BC:				; CODE XREF: _KiTrap00Shadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiTrap00
_KiTrap00Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiTrap01Shadow	proc near		; DATA XREF: .data:006B082Co

var_14		= byte ptr -14h
arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		test	[esp+arg_4], 20000h
		jnz	short loc_6AC327
		test	[esp+arg_0], 1
		jnz	short loc_6AC327
		push	ecx
		push	eax
		push	edx
		sub	esp, 8
		sidt	fword ptr [esp+14h+var_14]
		mov	eax, dword ptr [esp+14h+var_14+2]
		mov	ecx, 0FFh

loc_6AC304:				; CODE XREF: _KiTrap01Shadow+35j
		mov	edx, ss:[eax+ecx*8-4]
		mov	dx, ss:[eax+ecx*8-8]
		cmp	[esp+14h], edx
		jz	short loc_6AC31F
		loop	loc_6AC304
		add	esp, 8
		pop	edx
		pop	eax
		pop	ecx
		jmp	short loc_6AC327
; 

loc_6AC31F:				; CODE XREF: _KiTrap01Shadow+33j
		add	esp, 8
		pop	edx
		pop	eax
		pop	ecx
		iret
; 
		db 0CCh
; 

loc_6AC327:				; CODE XREF: _KiTrap01Shadow+8j
					; _KiTrap01Shadow+Fj ...
		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC360
		test	[esp+8+arg_0], 1
		jnz	short loc_6AC360
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AC360
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AC357
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AC360

loc_6AC357:				; CODE XREF: _KiTrap01Shadow+6Dj
					; _KiTrap01Shadow+D1j
		pop	esi
		add	esp, 4
		jmp	_KiTrap01
; 

loc_6AC360:				; CODE XREF: _KiTrap01Shadow+52j
					; _KiTrap01Shadow+59j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AC398
		mov	cr3, esi

loc_6AC398:				; CODE XREF: _KiTrap01Shadow+B3j
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC3B3
		test	[esp+8+arg_0], 1
		jz	short loc_6AC357

loc_6AC3B3:				; CODE XREF: _KiTrap01Shadow+CAj
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AC3D3
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AC3D3:				; CODE XREF: _KiTrap01Shadow+E5j
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiTrap01
_KiTrap01Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiTrap03Shadow	proc near		; DATA XREF: .data:006B083Co

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC429
		test	[esp+8+arg_0], 1
		jnz	short loc_6AC429
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AC429
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AC420
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AC429

loc_6AC420:				; CODE XREF: _KiTrap03Shadow+26j
					; _KiTrap03Shadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiTrap03
; 

loc_6AC429:				; CODE XREF: _KiTrap03Shadow+Bj
					; _KiTrap03Shadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AC461
		mov	cr3, esi

loc_6AC461:				; CODE XREF: _KiTrap03Shadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC47C
		test	[esp+8+arg_0], 1
		jz	short loc_6AC420

loc_6AC47C:				; CODE XREF: _KiTrap03Shadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AC49C
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AC49C:				; CODE XREF: _KiTrap03Shadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiTrap03
_KiTrap03Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiTrap04Shadow	proc near		; DATA XREF: .data:006B0844o

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC4F9
		test	[esp+8+arg_0], 1
		jnz	short loc_6AC4F9
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AC4F9
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AC4F0
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AC4F9

loc_6AC4F0:				; CODE XREF: _KiTrap04Shadow+26j
					; _KiTrap04Shadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiTrap04
; 

loc_6AC4F9:				; CODE XREF: _KiTrap04Shadow+Bj
					; _KiTrap04Shadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AC531
		mov	cr3, esi

loc_6AC531:				; CODE XREF: _KiTrap04Shadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC54C
		test	[esp+8+arg_0], 1
		jz	short loc_6AC4F0

loc_6AC54C:				; CODE XREF: _KiTrap04Shadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AC56C
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AC56C:				; CODE XREF: _KiTrap04Shadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiTrap04
_KiTrap04Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiTrap05Shadow	proc near		; DATA XREF: .data:006B084Co

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC5C9
		test	[esp+8+arg_0], 1
		jnz	short loc_6AC5C9
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AC5C9
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AC5C0
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AC5C9

loc_6AC5C0:				; CODE XREF: _KiTrap05Shadow+26j
					; _KiTrap05Shadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiTrap05
; 

loc_6AC5C9:				; CODE XREF: _KiTrap05Shadow+Bj
					; _KiTrap05Shadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AC601
		mov	cr3, esi

loc_6AC601:				; CODE XREF: _KiTrap05Shadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC61C
		test	[esp+8+arg_0], 1
		jz	short loc_6AC5C0

loc_6AC61C:				; CODE XREF: _KiTrap05Shadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AC63C
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AC63C:				; CODE XREF: _KiTrap05Shadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiTrap05
_KiTrap05Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiTrap06Shadow	proc near		; DATA XREF: .data:006B0854o

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC699
		test	[esp+8+arg_0], 1
		jnz	short loc_6AC699
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AC699
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AC690
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AC699

loc_6AC690:				; CODE XREF: _KiTrap06Shadow+26j
					; _KiTrap06Shadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiTrap06
; 

loc_6AC699:				; CODE XREF: _KiTrap06Shadow+Bj
					; _KiTrap06Shadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AC6D1
		mov	cr3, esi

loc_6AC6D1:				; CODE XREF: _KiTrap06Shadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC6EC
		test	[esp+8+arg_0], 1
		jz	short loc_6AC690

loc_6AC6EC:				; CODE XREF: _KiTrap06Shadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AC70C
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AC70C:				; CODE XREF: _KiTrap06Shadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiTrap06
_KiTrap06Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiTrap07Shadow	proc near		; DATA XREF: .data:006B085Co

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC769
		test	[esp+8+arg_0], 1
		jnz	short loc_6AC769
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AC769
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AC760
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AC769

loc_6AC760:				; CODE XREF: _KiTrap07Shadow+26j
					; _KiTrap07Shadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiTrap07
; 

loc_6AC769:				; CODE XREF: _KiTrap07Shadow+Bj
					; _KiTrap07Shadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AC7A1
		mov	cr3, esi

loc_6AC7A1:				; CODE XREF: _KiTrap07Shadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC7BC
		test	[esp+8+arg_0], 1
		jz	short loc_6AC760

loc_6AC7BC:				; CODE XREF: _KiTrap07Shadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AC7DC
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AC7DC:				; CODE XREF: _KiTrap07Shadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiTrap07
_KiTrap07Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiTrap09Shadow	proc near		; DATA XREF: .data:006B086Co

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC839
		test	[esp+8+arg_0], 1
		jnz	short loc_6AC839
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AC839
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AC830
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AC839

loc_6AC830:				; CODE XREF: _KiTrap09Shadow+26j
					; _KiTrap09Shadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiTrap09
; 

loc_6AC839:				; CODE XREF: _KiTrap09Shadow+Bj
					; _KiTrap09Shadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AC871
		mov	cr3, esi

loc_6AC871:				; CODE XREF: _KiTrap09Shadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AC88C
		test	[esp+8+arg_0], 1
		jz	short loc_6AC830

loc_6AC88C:				; CODE XREF: _KiTrap09Shadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AC8AC
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AC8AC:				; CODE XREF: _KiTrap09Shadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiTrap09
_KiTrap09Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiTrap0AShadow	proc near		; DATA XREF: .data:006B0874o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		push	esi
		test	[esp+arg_8], 20000h
		jnz	short loc_6AC904
		test	[esp+arg_4], 1
		jnz	short loc_6AC904
		mov	esi, [esp+arg_0]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AC904
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AC8FE
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AC904

loc_6AC8FE:				; CODE XREF: _KiTrap0AShadow+24j
					; _KiTrap0AShadow+85j
		pop	esi
		jmp	_KiTrap0A
; 

loc_6AC904:				; CODE XREF: _KiTrap0AShadow+9j
					; _KiTrap0AShadow+10j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AC93C
		mov	cr3, esi

loc_6AC93C:				; CODE XREF: _KiTrap0AShadow+67j
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+arg_8], 20000h
		jnz	short loc_6AC957
		test	[esp+arg_4], 1
		jz	short loc_6AC8FE

loc_6AC957:				; CODE XREF: _KiTrap0AShadow+7Ej
		lea	esi, [esp+arg_0]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AC977
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AC977:				; CODE XREF: _KiTrap0AShadow+99j
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		push	dword ptr [esi-4]
		mov	esi, [esi-8]
		jmp	_KiTrap0A
_KiTrap0AShadow	endp


;  S U B	R O U T	I N E 


_KiTrap0BShadow	proc near		; DATA XREF: .data:006B087Co

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		push	esi
		test	[esp+arg_8], 20000h
		jnz	short loc_6AC9C4
		test	[esp+arg_4], 1
		jnz	short loc_6AC9C4
		mov	esi, [esp+arg_0]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AC9C4
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AC9BE
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AC9C4

loc_6AC9BE:				; CODE XREF: _KiTrap0BShadow+24j
					; _KiTrap0BShadow+85j
		pop	esi
		jmp	_KiTrap0B
; 

loc_6AC9C4:				; CODE XREF: _KiTrap0BShadow+9j
					; _KiTrap0BShadow+10j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AC9FC
		mov	cr3, esi

loc_6AC9FC:				; CODE XREF: _KiTrap0BShadow+67j
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+arg_8], 20000h
		jnz	short loc_6ACA17
		test	[esp+arg_4], 1
		jz	short loc_6AC9BE

loc_6ACA17:				; CODE XREF: _KiTrap0BShadow+7Ej
		lea	esi, [esp+arg_0]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6ACA37
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6ACA37:				; CODE XREF: _KiTrap0BShadow+99j
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		push	dword ptr [esi-4]
		mov	esi, [esi-8]
		jmp	_KiTrap0B
_KiTrap0BShadow	endp


;  S U B	R O U T	I N E 


_KiTrap0CShadow	proc near		; DATA XREF: .data:006B0884o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		push	esi
		test	[esp+arg_8], 20000h
		jnz	short loc_6ACA84
		test	[esp+arg_4], 1
		jnz	short loc_6ACA84
		mov	esi, [esp+arg_0]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6ACA84
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6ACA7E
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6ACA84

loc_6ACA7E:				; CODE XREF: _KiTrap0CShadow+24j
					; _KiTrap0CShadow+85j
		pop	esi
		jmp	_KiTrap0C
; 

loc_6ACA84:				; CODE XREF: _KiTrap0CShadow+9j
					; _KiTrap0CShadow+10j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6ACABC
		mov	cr3, esi

loc_6ACABC:				; CODE XREF: _KiTrap0CShadow+67j
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+arg_8], 20000h
		jnz	short loc_6ACAD7
		test	[esp+arg_4], 1
		jz	short loc_6ACA7E

loc_6ACAD7:				; CODE XREF: _KiTrap0CShadow+7Ej
		lea	esi, [esp+arg_0]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6ACAF7
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6ACAF7:				; CODE XREF: _KiTrap0CShadow+99j
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		push	dword ptr [esi-4]
		mov	esi, [esi-8]
		jmp	_KiTrap0C
_KiTrap0CShadow	endp


;  S U B	R O U T	I N E 


_KiTrap0DShadow	proc near		; DATA XREF: .data:006B088Co

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		push	esi
		test	[esp+arg_8], 20000h
		jnz	short loc_6ACB44
		test	[esp+arg_4], 1
		jnz	short loc_6ACB44
		mov	esi, [esp+arg_0]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6ACB44
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6ACB3E
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6ACB44

loc_6ACB3E:				; CODE XREF: _KiTrap0DShadow+24j
					; _KiTrap0DShadow+85j
		pop	esi
		jmp	_KiTrap0D
; 

loc_6ACB44:				; CODE XREF: _KiTrap0DShadow+9j
					; _KiTrap0DShadow+10j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6ACB7C
		mov	cr3, esi

loc_6ACB7C:				; CODE XREF: _KiTrap0DShadow+67j
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+arg_8], 20000h
		jnz	short loc_6ACB97
		test	[esp+arg_4], 1
		jz	short loc_6ACB3E

loc_6ACB97:				; CODE XREF: _KiTrap0DShadow+7Ej
		lea	esi, [esp+arg_0]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6ACBB7
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6ACBB7:				; CODE XREF: _KiTrap0DShadow+99j
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		push	dword ptr [esi-4]
		mov	esi, [esi-8]
		jmp	_KiTrap0D
_KiTrap0DShadow	endp


;  S U B	R O U T	I N E 


_KiTrap0EShadow	proc near		; DATA XREF: .data:006B0894o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		push	esi
		test	[esp+arg_8], 20000h
		jnz	short loc_6ACC04
		test	[esp+arg_4], 1
		jnz	short loc_6ACC04
		mov	esi, [esp+arg_0]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6ACC04
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6ACBFE
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6ACC04

loc_6ACBFE:				; CODE XREF: _KiTrap0EShadow+24j
					; _KiTrap0EShadow+85j
		pop	esi
		jmp	_KiTrap0E
; 

loc_6ACC04:				; CODE XREF: _KiTrap0EShadow+9j
					; _KiTrap0EShadow+10j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6ACC3C
		mov	cr3, esi

loc_6ACC3C:				; CODE XREF: _KiTrap0EShadow+67j
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+arg_8], 20000h
		jnz	short loc_6ACC57
		test	[esp+arg_4], 1
		jz	short loc_6ACBFE

loc_6ACC57:				; CODE XREF: _KiTrap0EShadow+7Ej
		lea	esi, [esp+arg_0]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6ACC77
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6ACC77:				; CODE XREF: _KiTrap0EShadow+99j
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		push	dword ptr [esi-4]
		mov	esi, [esi-8]
		jmp	_KiTrap0E
_KiTrap0EShadow	endp


;  S U B	R O U T	I N E 


_KiTrap0FShadow	proc near		; DATA XREF: .data:006B089Co
					; .data:006B08C4o ...

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6ACCC9
		test	[esp+8+arg_0], 1
		jnz	short loc_6ACCC9
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6ACCC9
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6ACCC0
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6ACCC9

loc_6ACCC0:				; CODE XREF: _KiTrap0FShadow+26j
					; _KiTrap0FShadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiTrap0F
; 

loc_6ACCC9:				; CODE XREF: _KiTrap0FShadow+Bj
					; _KiTrap0FShadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6ACD01
		mov	cr3, esi

loc_6ACD01:				; CODE XREF: _KiTrap0FShadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6ACD1C
		test	[esp+8+arg_0], 1
		jz	short loc_6ACCC0

loc_6ACD1C:				; CODE XREF: _KiTrap0FShadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6ACD3C
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6ACD3C:				; CODE XREF: _KiTrap0FShadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiTrap0F
_KiTrap0FShadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiTrap10Shadow	proc near		; DATA XREF: .data:006B08A4o

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6ACD99
		test	[esp+8+arg_0], 1
		jnz	short loc_6ACD99
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6ACD99
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6ACD90
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6ACD99

loc_6ACD90:				; CODE XREF: _KiTrap10Shadow+26j
					; _KiTrap10Shadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiTrap10
; 

loc_6ACD99:				; CODE XREF: _KiTrap10Shadow+Bj
					; _KiTrap10Shadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6ACDD1
		mov	cr3, esi

loc_6ACDD1:				; CODE XREF: _KiTrap10Shadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6ACDEC
		test	[esp+8+arg_0], 1
		jz	short loc_6ACD90

loc_6ACDEC:				; CODE XREF: _KiTrap10Shadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6ACE0C
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6ACE0C:				; CODE XREF: _KiTrap10Shadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiTrap10
_KiTrap10Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiTrap11Shadow	proc near		; DATA XREF: .data:006B08ACo

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		push	esi
		test	[esp+arg_8], 20000h
		jnz	short loc_6ACE64
		test	[esp+arg_4], 1
		jnz	short loc_6ACE64
		mov	esi, [esp+arg_0]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6ACE64
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6ACE5E
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6ACE64

loc_6ACE5E:				; CODE XREF: _KiTrap11Shadow+24j
					; _KiTrap11Shadow+85j
		pop	esi
		jmp	_KiTrap11
; 

loc_6ACE64:				; CODE XREF: _KiTrap11Shadow+9j
					; _KiTrap11Shadow+10j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6ACE9C
		mov	cr3, esi

loc_6ACE9C:				; CODE XREF: _KiTrap11Shadow+67j
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+arg_8], 20000h
		jnz	short loc_6ACEB7
		test	[esp+arg_4], 1
		jz	short loc_6ACE5E

loc_6ACEB7:				; CODE XREF: _KiTrap11Shadow+7Ej
		lea	esi, [esp+arg_0]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6ACED7
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6ACED7:				; CODE XREF: _KiTrap11Shadow+99j
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		push	dword ptr [esi-4]
		mov	esi, [esi-8]
		jmp	_KiTrap11
_KiTrap11Shadow	endp


;  S U B	R O U T	I N E 


_KiTrap13Shadow	proc near		; DATA XREF: .data:006B08BCo

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6ACF29
		test	[esp+8+arg_0], 1
		jnz	short loc_6ACF29
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6ACF29
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6ACF20
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6ACF29

loc_6ACF20:				; CODE XREF: _KiTrap13Shadow+26j
					; _KiTrap13Shadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiTrap13
; 

loc_6ACF29:				; CODE XREF: _KiTrap13Shadow+Bj
					; _KiTrap13Shadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6ACF61
		mov	cr3, esi

loc_6ACF61:				; CODE XREF: _KiTrap13Shadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6ACF7C
		test	[esp+8+arg_0], 1
		jz	short loc_6ACF20

loc_6ACF7C:				; CODE XREF: _KiTrap13Shadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6ACF9C
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6ACF9C:				; CODE XREF: _KiTrap13Shadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiTrap13
_KiTrap13Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiAltSystemServiceShadow proc near	; DATA XREF: .data:006B0964o

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6ACFF9
		test	[esp+8+arg_0], 1
		jnz	short loc_6ACFF9
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6ACFF9
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6ACFF0
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6ACFF9

loc_6ACFF0:				; CODE XREF: _KiAltSystemServiceShadow+26j
					; _KiAltSystemServiceShadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiAltSystemService
; 

loc_6ACFF9:				; CODE XREF: _KiAltSystemServiceShadow+Bj
					; _KiAltSystemServiceShadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AD031
		mov	cr3, esi

loc_6AD031:				; CODE XREF: _KiAltSystemServiceShadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AD04C
		test	[esp+8+arg_0], 1
		jz	short loc_6ACFF0

loc_6AD04C:				; CODE XREF: _KiAltSystemServiceShadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AD06C
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AD06C:				; CODE XREF: _KiAltSystemServiceShadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiAltSystemService
_KiAltSystemServiceShadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiRaiseSecurityCheckFailureShadow proc	near ; DATA XREF: .data:006B096Co

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AD0C9
		test	[esp+8+arg_0], 1
		jnz	short loc_6AD0C9
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AD0C9
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AD0C0
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AD0C9

loc_6AD0C0:				; CODE XREF: _KiRaiseSecurityCheckFailureShadow+26j
					; _KiRaiseSecurityCheckFailureShadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiRaiseSecurityCheckFailure
; 

loc_6AD0C9:				; CODE XREF: _KiRaiseSecurityCheckFailureShadow+Bj
					; _KiRaiseSecurityCheckFailureShadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AD101
		mov	cr3, esi

loc_6AD101:				; CODE XREF: _KiRaiseSecurityCheckFailureShadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AD11C
		test	[esp+8+arg_0], 1
		jz	short loc_6AD0C0

loc_6AD11C:				; CODE XREF: _KiRaiseSecurityCheckFailureShadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AD13C
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AD13C:				; CODE XREF: _KiRaiseSecurityCheckFailureShadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiRaiseSecurityCheckFailure
_KiRaiseSecurityCheckFailureShadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiGetTickCountShadow proc near		; DATA XREF: .data:006B0974o

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AD199
		test	[esp+8+arg_0], 1
		jnz	short loc_6AD199
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AD199
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AD190
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AD199

loc_6AD190:				; CODE XREF: _KiGetTickCountShadow+26j
					; _KiGetTickCountShadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiGetTickCount
; 

loc_6AD199:				; CODE XREF: _KiGetTickCountShadow+Bj
					; _KiGetTickCountShadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AD1D1
		mov	cr3, esi

loc_6AD1D1:				; CODE XREF: _KiGetTickCountShadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AD1EC
		test	[esp+8+arg_0], 1
		jz	short loc_6AD190

loc_6AD1EC:				; CODE XREF: _KiGetTickCountShadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AD20C
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AD20C:				; CODE XREF: _KiGetTickCountShadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiGetTickCount
_KiGetTickCountShadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiCallbackReturnShadow	proc near	; DATA XREF: .data:006B097Co

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AD269
		test	[esp+8+arg_0], 1
		jnz	short loc_6AD269
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AD269
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AD260
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AD269

loc_6AD260:				; CODE XREF: _KiCallbackReturnShadow+26j
					; _KiCallbackReturnShadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiCallbackReturn
; 

loc_6AD269:				; CODE XREF: _KiCallbackReturnShadow+Bj
					; _KiCallbackReturnShadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AD2A1
		mov	cr3, esi

loc_6AD2A1:				; CODE XREF: _KiCallbackReturnShadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AD2BC
		test	[esp+8+arg_0], 1
		jz	short loc_6AD260

loc_6AD2BC:				; CODE XREF: _KiCallbackReturnShadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AD2DC
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AD2DC:				; CODE XREF: _KiCallbackReturnShadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiCallbackReturn
_KiCallbackReturnShadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiRaiseAssertionShadow	proc near	; DATA XREF: .data:006B0984o

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AD339
		test	[esp+8+arg_0], 1
		jnz	short loc_6AD339
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AD339
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AD330
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AD339

loc_6AD330:				; CODE XREF: _KiRaiseAssertionShadow+26j
					; _KiRaiseAssertionShadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiRaiseAssertion
; 

loc_6AD339:				; CODE XREF: _KiRaiseAssertionShadow+Bj
					; _KiRaiseAssertionShadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AD371
		mov	cr3, esi

loc_6AD371:				; CODE XREF: _KiRaiseAssertionShadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AD38C
		test	[esp+8+arg_0], 1
		jz	short loc_6AD330

loc_6AD38C:				; CODE XREF: _KiRaiseAssertionShadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AD3AC
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AD3AC:				; CODE XREF: _KiRaiseAssertionShadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiRaiseAssertion
_KiRaiseAssertionShadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiDebugServiceShadow proc near		; DATA XREF: .data:006B098Co

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AD409
		test	[esp+8+arg_0], 1
		jnz	short loc_6AD409
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AD409
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AD400
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AD409

loc_6AD400:				; CODE XREF: _KiDebugServiceShadow+26j
					; _KiDebugServiceShadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiDebugService
; 

loc_6AD409:				; CODE XREF: _KiDebugServiceShadow+Bj
					; _KiDebugServiceShadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AD441
		mov	cr3, esi

loc_6AD441:				; CODE XREF: _KiDebugServiceShadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AD45C
		test	[esp+8+arg_0], 1
		jz	short loc_6AD400

loc_6AD45C:				; CODE XREF: _KiDebugServiceShadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AD47C
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AD47C:				; CODE XREF: _KiDebugServiceShadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiDebugService
_KiDebugServiceShadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiSystemServiceShadow proc near	; DATA XREF: .data:006B0994o

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AD4D9
		test	[esp+8+arg_0], 1
		jnz	short loc_6AD4D9
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AD4D9
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AD4D0
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AD4D9

loc_6AD4D0:				; CODE XREF: _KiSystemServiceShadow+26j
					; _KiSystemServiceShadow+8Aj
		pop	esi
		add	esp, 4
		jmp	_KiSystemService
; 

loc_6AD4D9:				; CODE XREF: _KiSystemServiceShadow+Bj
					; _KiSystemServiceShadow+12j ...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AD511
		mov	cr3, esi

loc_6AD511:				; CODE XREF: _KiSystemServiceShadow+6Cj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AD52C
		test	[esp+8+arg_0], 1
		jz	short loc_6AD4D0

loc_6AD52C:				; CODE XREF: _KiSystemServiceShadow+83j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AD54C
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AD54C:				; CODE XREF: _KiSystemServiceShadow+9Ej
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		mov	esi, [esi-8]
		jmp	_KiSystemService
_KiSystemServiceShadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterruptShadowArea proc near ; DATA XREF:	.data:006B09A4o
		push	30h
		jmp	loc_6AE267
_KiUnexpectedInterruptShadowArea endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt1Shadow proc near	; DATA XREF: .data:006B09ACo
		push	31h
		jmp	loc_6AE267
_KiUnexpectedInterrupt1Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt2Shadow proc near	; DATA XREF: .data:006B09B4o
		push	32h
		jmp	loc_6AE267
_KiUnexpectedInterrupt2Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt3Shadow proc near	; DATA XREF: .data:006B09BCo
		push	33h
		jmp	loc_6AE267
_KiUnexpectedInterrupt3Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt4Shadow proc near	; DATA XREF: .data:006B09C4o
		push	34h
		jmp	loc_6AE267
_KiUnexpectedInterrupt4Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt5Shadow proc near	; DATA XREF: .data:006B09CCo
		push	35h
		jmp	loc_6AE267
_KiUnexpectedInterrupt5Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt6Shadow proc near	; DATA XREF: .data:006B09D4o
		push	36h
		jmp	loc_6AE267
_KiUnexpectedInterrupt6Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt7Shadow proc near	; DATA XREF: .data:006B09DCo
		push	37h
		jmp	loc_6AE267
_KiUnexpectedInterrupt7Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt8Shadow proc near	; DATA XREF: .data:006B09E4o
		push	38h
		jmp	loc_6AE267
_KiUnexpectedInterrupt8Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt9Shadow proc near	; DATA XREF: .data:006B09ECo
		push	39h
		jmp	loc_6AE267
_KiUnexpectedInterrupt9Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt10Shadow proc near ; DATA	XREF: .data:006B09F4o
		push	3Ah
		jmp	loc_6AE267
_KiUnexpectedInterrupt10Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt11Shadow proc near ; DATA	XREF: .data:006B09FCo
		push	3Bh
		jmp	loc_6AE267
_KiUnexpectedInterrupt11Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt12Shadow proc near ; DATA	XREF: .data:006B0A04o
		push	3Ch
		jmp	loc_6AE267
_KiUnexpectedInterrupt12Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt13Shadow proc near ; DATA	XREF: .data:006B0A0Co
		push	3Dh
		jmp	loc_6AE267
_KiUnexpectedInterrupt13Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt14Shadow proc near ; DATA	XREF: .data:006B0A14o
		push	3Eh
		jmp	loc_6AE267
_KiUnexpectedInterrupt14Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt15Shadow proc near ; DATA	XREF: .data:006B0A1Co
		push	3Fh
		jmp	loc_6AE267
_KiUnexpectedInterrupt15Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt16Shadow proc near ; DATA	XREF: .data:006B0A24o
		push	40h
		jmp	loc_6AE267
_KiUnexpectedInterrupt16Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt17Shadow proc near ; DATA	XREF: .data:006B0A2Co
		push	41h
		jmp	loc_6AE267
_KiUnexpectedInterrupt17Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt18Shadow proc near ; DATA	XREF: .data:006B0A34o
		push	42h
		jmp	loc_6AE267
_KiUnexpectedInterrupt18Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt19Shadow proc near ; DATA	XREF: .data:006B0A3Co
		push	43h
		jmp	loc_6AE267
_KiUnexpectedInterrupt19Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt20Shadow proc near ; DATA	XREF: .data:006B0A44o
		push	44h
		jmp	loc_6AE267
_KiUnexpectedInterrupt20Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt21Shadow proc near ; DATA	XREF: .data:006B0A4Co
		push	45h
		jmp	loc_6AE267
_KiUnexpectedInterrupt21Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt22Shadow proc near ; DATA	XREF: .data:006B0A54o
		push	46h
		jmp	loc_6AE267
_KiUnexpectedInterrupt22Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt23Shadow proc near ; DATA	XREF: .data:006B0A5Co
		push	47h
		jmp	loc_6AE267
_KiUnexpectedInterrupt23Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt24Shadow proc near ; DATA	XREF: .data:006B0A64o
		push	48h
		jmp	loc_6AE267
_KiUnexpectedInterrupt24Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt25Shadow proc near ; DATA	XREF: .data:006B0A6Co
		push	49h
		jmp	loc_6AE267
_KiUnexpectedInterrupt25Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt26Shadow proc near ; DATA	XREF: .data:006B0A74o
		push	4Ah
		jmp	loc_6AE267
_KiUnexpectedInterrupt26Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt27Shadow proc near ; DATA	XREF: .data:006B0A7Co
		push	4Bh
		jmp	loc_6AE267
_KiUnexpectedInterrupt27Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt28Shadow proc near ; DATA	XREF: .data:006B0A84o
		push	4Ch
		jmp	loc_6AE267
_KiUnexpectedInterrupt28Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt29Shadow proc near ; DATA	XREF: .data:006B0A8Co
		push	4Dh
		jmp	loc_6AE267
_KiUnexpectedInterrupt29Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt30Shadow proc near ; DATA	XREF: .data:006B0A94o
		push	4Eh
		jmp	loc_6AE267
_KiUnexpectedInterrupt30Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt31Shadow proc near ; DATA	XREF: .data:006B0A9Co
		push	4Fh
		jmp	loc_6AE267
_KiUnexpectedInterrupt31Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt32Shadow proc near ; DATA	XREF: .data:006B0AA4o
		push	50h
		jmp	loc_6AE267
_KiUnexpectedInterrupt32Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt33Shadow proc near ; DATA	XREF: .data:006B0AACo
		push	51h
		jmp	loc_6AE267
_KiUnexpectedInterrupt33Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt34Shadow proc near ; DATA	XREF: .data:006B0AB4o
		push	52h
		jmp	loc_6AE267
_KiUnexpectedInterrupt34Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt35Shadow proc near ; DATA	XREF: .data:006B0ABCo
		push	53h
		jmp	loc_6AE267
_KiUnexpectedInterrupt35Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt36Shadow proc near ; DATA	XREF: .data:006B0AC4o
		push	54h
		jmp	loc_6AE267
_KiUnexpectedInterrupt36Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt37Shadow proc near ; DATA	XREF: .data:006B0ACCo
		push	55h
		jmp	loc_6AE267
_KiUnexpectedInterrupt37Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt38Shadow proc near ; DATA	XREF: .data:006B0AD4o
		push	56h
		jmp	loc_6AE267
_KiUnexpectedInterrupt38Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt39Shadow proc near ; DATA	XREF: .data:006B0ADCo
		push	57h
		jmp	loc_6AE267
_KiUnexpectedInterrupt39Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt40Shadow proc near ; DATA	XREF: .data:006B0AE4o
		push	58h
		jmp	loc_6AE267
_KiUnexpectedInterrupt40Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt41Shadow proc near ; DATA	XREF: .data:006B0AECo
		push	59h
		jmp	loc_6AE267
_KiUnexpectedInterrupt41Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt42Shadow proc near ; DATA	XREF: .data:006B0AF4o
		push	5Ah
		jmp	loc_6AE267
_KiUnexpectedInterrupt42Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt43Shadow proc near ; DATA	XREF: .data:006B0AFCo
		push	5Bh
		jmp	loc_6AE267
_KiUnexpectedInterrupt43Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt44Shadow proc near ; DATA	XREF: .data:006B0B04o
		push	5Ch
		jmp	loc_6AE267
_KiUnexpectedInterrupt44Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt45Shadow proc near ; DATA	XREF: .data:006B0B0Co
		push	5Dh
		jmp	loc_6AE267
_KiUnexpectedInterrupt45Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt46Shadow proc near ; DATA	XREF: .data:006B0B14o
		push	5Eh
		jmp	loc_6AE267
_KiUnexpectedInterrupt46Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt47Shadow proc near ; DATA	XREF: .data:006B0B1Co
		push	5Fh
		jmp	loc_6AE267
_KiUnexpectedInterrupt47Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt48Shadow proc near ; DATA	XREF: .data:006B0B24o
		push	60h
		jmp	loc_6AE267
_KiUnexpectedInterrupt48Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt49Shadow proc near ; DATA	XREF: .data:006B0B2Co
		push	61h
		jmp	loc_6AE267
_KiUnexpectedInterrupt49Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt50Shadow proc near ; DATA	XREF: .data:006B0B34o
		push	62h
		jmp	loc_6AE267
_KiUnexpectedInterrupt50Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt51Shadow proc near ; DATA	XREF: .data:006B0B3Co
		push	63h
		jmp	loc_6AE267
_KiUnexpectedInterrupt51Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt52Shadow proc near ; DATA	XREF: .data:006B0B44o
		push	64h
		jmp	loc_6AE267
_KiUnexpectedInterrupt52Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt53Shadow proc near ; DATA	XREF: .data:006B0B4Co
		push	65h
		jmp	loc_6AE267
_KiUnexpectedInterrupt53Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt54Shadow proc near ; DATA	XREF: .data:006B0B54o
		push	66h
		jmp	loc_6AE267
_KiUnexpectedInterrupt54Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt55Shadow proc near ; DATA	XREF: .data:006B0B5Co
		push	67h
		jmp	loc_6AE267
_KiUnexpectedInterrupt55Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt56Shadow proc near ; DATA	XREF: .data:006B0B64o
		push	68h
		jmp	loc_6AE267
_KiUnexpectedInterrupt56Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt57Shadow proc near ; DATA	XREF: .data:006B0B6Co
		push	69h
		jmp	loc_6AE267
_KiUnexpectedInterrupt57Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt58Shadow proc near ; DATA	XREF: .data:006B0B74o
		push	6Ah
		jmp	loc_6AE267
_KiUnexpectedInterrupt58Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt59Shadow proc near ; DATA	XREF: .data:006B0B7Co
		push	6Bh
		jmp	loc_6AE267
_KiUnexpectedInterrupt59Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt60Shadow proc near ; DATA	XREF: .data:006B0B84o
		push	6Ch
		jmp	loc_6AE267
_KiUnexpectedInterrupt60Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt61Shadow proc near ; DATA	XREF: .data:006B0B8Co
		push	6Dh
		jmp	loc_6AE267
_KiUnexpectedInterrupt61Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt62Shadow proc near ; DATA	XREF: .data:006B0B94o
		push	6Eh
		jmp	loc_6AE267
_KiUnexpectedInterrupt62Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt63Shadow proc near ; DATA	XREF: .data:006B0B9Co
		push	6Fh
		jmp	loc_6AE267
_KiUnexpectedInterrupt63Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt64Shadow proc near ; DATA	XREF: .data:006B0BA4o
		push	70h
		jmp	loc_6AE267
_KiUnexpectedInterrupt64Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt65Shadow proc near ; DATA	XREF: .data:006B0BACo
		push	71h
		jmp	loc_6AE267
_KiUnexpectedInterrupt65Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt66Shadow proc near ; DATA	XREF: .data:006B0BB4o
		push	72h
		jmp	loc_6AE267
_KiUnexpectedInterrupt66Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt67Shadow proc near ; DATA	XREF: .data:006B0BBCo
		push	73h
		jmp	loc_6AE267
_KiUnexpectedInterrupt67Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt68Shadow proc near ; DATA	XREF: .data:006B0BC4o
		push	74h
		jmp	loc_6AE267
_KiUnexpectedInterrupt68Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt69Shadow proc near ; DATA	XREF: .data:006B0BCCo
		push	75h
		jmp	loc_6AE267
_KiUnexpectedInterrupt69Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt70Shadow proc near ; DATA	XREF: .data:006B0BD4o
		push	76h
		jmp	loc_6AE267
_KiUnexpectedInterrupt70Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt71Shadow proc near ; DATA	XREF: .data:006B0BDCo
		push	77h
		jmp	loc_6AE267
_KiUnexpectedInterrupt71Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt72Shadow proc near ; DATA	XREF: .data:006B0BE4o
		push	78h
		jmp	loc_6AE267
_KiUnexpectedInterrupt72Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt73Shadow proc near ; DATA	XREF: .data:006B0BECo
		push	79h
		jmp	loc_6AE267
_KiUnexpectedInterrupt73Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt74Shadow proc near ; DATA	XREF: .data:006B0BF4o
		push	7Ah
		jmp	loc_6AE267
_KiUnexpectedInterrupt74Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt75Shadow proc near ; DATA	XREF: .data:006B0BFCo
		push	7Bh
		jmp	loc_6AE267
_KiUnexpectedInterrupt75Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt76Shadow proc near ; DATA	XREF: .data:006B0C04o
		push	7Ch
		jmp	loc_6AE267
_KiUnexpectedInterrupt76Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt77Shadow proc near ; DATA	XREF: .data:006B0C0Co
		push	7Dh
		jmp	loc_6AE267
_KiUnexpectedInterrupt77Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt78Shadow proc near ; DATA	XREF: .data:006B0C14o
		push	7Eh
		jmp	loc_6AE267
_KiUnexpectedInterrupt78Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt79Shadow proc near ; DATA	XREF: .data:006B0C1Co
		push	7Fh
		jmp	loc_6AE267
_KiUnexpectedInterrupt79Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt80Shadow proc near ; DATA	XREF: .data:006B0C24o
		push	80h
		jmp	loc_6AE267
_KiUnexpectedInterrupt80Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt81Shadow proc near ; DATA	XREF: .data:006B0C2Co
		push	81h
		jmp	loc_6AE267
_KiUnexpectedInterrupt81Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt82Shadow proc near ; DATA	XREF: .data:006B0C34o
		push	82h
		jmp	loc_6AE267
_KiUnexpectedInterrupt82Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt83Shadow proc near ; DATA	XREF: .data:006B0C3Co
		push	83h
		jmp	loc_6AE267
_KiUnexpectedInterrupt83Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt84Shadow proc near ; DATA	XREF: .data:006B0C44o
		push	84h
		jmp	loc_6AE267
_KiUnexpectedInterrupt84Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt85Shadow proc near ; DATA	XREF: .data:006B0C4Co
		push	85h
		jmp	loc_6AE267
_KiUnexpectedInterrupt85Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt86Shadow proc near ; DATA	XREF: .data:006B0C54o
		push	86h
		jmp	loc_6AE267
_KiUnexpectedInterrupt86Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt87Shadow proc near ; DATA	XREF: .data:006B0C5Co
		push	87h
		jmp	loc_6AE267
_KiUnexpectedInterrupt87Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt88Shadow proc near ; DATA	XREF: .data:006B0C64o
		push	88h
		jmp	loc_6AE267
_KiUnexpectedInterrupt88Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt89Shadow proc near ; DATA	XREF: .data:006B0C6Co
		push	89h
		jmp	loc_6AE267
_KiUnexpectedInterrupt89Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt90Shadow proc near ; DATA	XREF: .data:006B0C74o
		push	8Ah
		jmp	loc_6AE267
_KiUnexpectedInterrupt90Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt91Shadow proc near ; DATA	XREF: .data:006B0C7Co
		push	8Bh
		jmp	loc_6AE267
_KiUnexpectedInterrupt91Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt92Shadow proc near ; DATA	XREF: .data:006B0C84o
		push	8Ch
		jmp	loc_6AE267
_KiUnexpectedInterrupt92Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt93Shadow proc near ; DATA	XREF: .data:006B0C8Co
		push	8Dh
		jmp	loc_6AE267
_KiUnexpectedInterrupt93Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt94Shadow proc near ; DATA	XREF: .data:006B0C94o
		push	8Eh
		jmp	loc_6AE267
_KiUnexpectedInterrupt94Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt95Shadow proc near ; DATA	XREF: .data:006B0C9Co
		push	8Fh
		jmp	loc_6AE267
_KiUnexpectedInterrupt95Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt96Shadow proc near ; DATA	XREF: .data:006B0CA4o
		push	90h
		jmp	loc_6AE267
_KiUnexpectedInterrupt96Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt97Shadow proc near ; DATA	XREF: .data:006B0CACo
		push	91h
		jmp	loc_6AE267
_KiUnexpectedInterrupt97Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt98Shadow proc near ; DATA	XREF: .data:006B0CB4o
		push	92h
		jmp	loc_6AE267
_KiUnexpectedInterrupt98Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt99Shadow proc near ; DATA	XREF: .data:006B0CBCo
		push	93h
		jmp	loc_6AE267
_KiUnexpectedInterrupt99Shadow endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt100Shadow	proc near ; DATA XREF: .data:006B0CC4o
		push	94h
		jmp	loc_6AE267
_KiUnexpectedInterrupt100Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt101Shadow	proc near ; DATA XREF: .data:006B0CCCo
		push	95h
		jmp	loc_6AE267
_KiUnexpectedInterrupt101Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt102Shadow	proc near ; DATA XREF: .data:006B0CD4o
		push	96h
		jmp	loc_6AE267
_KiUnexpectedInterrupt102Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt103Shadow	proc near ; DATA XREF: .data:006B0CDCo
		push	97h
		jmp	loc_6AE267
_KiUnexpectedInterrupt103Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt104Shadow	proc near ; DATA XREF: .data:006B0CE4o
		push	98h
		jmp	loc_6AE267
_KiUnexpectedInterrupt104Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt105Shadow	proc near ; DATA XREF: .data:006B0CECo
		push	99h
		jmp	loc_6AE267
_KiUnexpectedInterrupt105Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt106Shadow	proc near ; DATA XREF: .data:006B0CF4o
		push	9Ah
		jmp	loc_6AE267
_KiUnexpectedInterrupt106Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt107Shadow	proc near ; DATA XREF: .data:006B0CFCo
		push	9Bh
		jmp	loc_6AE267
_KiUnexpectedInterrupt107Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt108Shadow	proc near ; DATA XREF: .data:006B0D04o
		push	9Ch
		jmp	loc_6AE267
_KiUnexpectedInterrupt108Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt109Shadow	proc near ; DATA XREF: .data:006B0D0Co
		push	9Dh
		jmp	loc_6AE267
_KiUnexpectedInterrupt109Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt110Shadow	proc near ; DATA XREF: .data:006B0D14o
		push	9Eh
		jmp	loc_6AE267
_KiUnexpectedInterrupt110Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt111Shadow	proc near ; DATA XREF: .data:006B0D1Co
		push	9Fh
		jmp	loc_6AE267
_KiUnexpectedInterrupt111Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt112Shadow	proc near ; DATA XREF: .data:006B0D24o
		push	0A0h
		jmp	loc_6AE267
_KiUnexpectedInterrupt112Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt113Shadow	proc near ; DATA XREF: .data:006B0D2Co
		push	0A1h
		jmp	loc_6AE267
_KiUnexpectedInterrupt113Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt114Shadow	proc near ; DATA XREF: .data:006B0D34o
		push	0A2h
		jmp	loc_6AE267
_KiUnexpectedInterrupt114Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt115Shadow	proc near ; DATA XREF: .data:006B0D3Co
		push	0A3h
		jmp	loc_6AE267
_KiUnexpectedInterrupt115Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt116Shadow	proc near ; DATA XREF: .data:006B0D44o
		push	0A4h
		jmp	loc_6AE267
_KiUnexpectedInterrupt116Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt117Shadow	proc near ; DATA XREF: .data:006B0D4Co
		push	0A5h
		jmp	loc_6AE267
_KiUnexpectedInterrupt117Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt118Shadow	proc near ; DATA XREF: .data:006B0D54o
		push	0A6h
		jmp	loc_6AE267
_KiUnexpectedInterrupt118Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt119Shadow	proc near ; DATA XREF: .data:006B0D5Co
		push	0A7h
		jmp	loc_6AE267
_KiUnexpectedInterrupt119Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt120Shadow	proc near ; DATA XREF: .data:006B0D64o
		push	0A8h
		jmp	loc_6AE267
_KiUnexpectedInterrupt120Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt121Shadow	proc near ; DATA XREF: .data:006B0D6Co
		push	0A9h
		jmp	loc_6AE267
_KiUnexpectedInterrupt121Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt122Shadow	proc near ; DATA XREF: .data:006B0D74o
		push	0AAh
		jmp	loc_6AE267
_KiUnexpectedInterrupt122Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt123Shadow	proc near ; DATA XREF: .data:006B0D7Co
		push	0ABh
		jmp	loc_6AE267
_KiUnexpectedInterrupt123Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt124Shadow	proc near ; DATA XREF: .data:006B0D84o
		push	0ACh
		jmp	loc_6AE267
_KiUnexpectedInterrupt124Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt125Shadow	proc near ; DATA XREF: .data:006B0D8Co
		push	0ADh
		jmp	loc_6AE267
_KiUnexpectedInterrupt125Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt126Shadow	proc near ; DATA XREF: .data:006B0D94o
		push	0AEh
		jmp	loc_6AE267
_KiUnexpectedInterrupt126Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt127Shadow	proc near ; DATA XREF: .data:006B0D9Co
		push	0AFh
		jmp	loc_6AE267
_KiUnexpectedInterrupt127Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt128Shadow	proc near ; DATA XREF: .data:006B0DA4o
		push	0B0h
		jmp	loc_6AE267
_KiUnexpectedInterrupt128Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt129Shadow	proc near ; DATA XREF: .data:006B0DACo
		push	0B1h
		jmp	loc_6AE267
_KiUnexpectedInterrupt129Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt130Shadow	proc near ; DATA XREF: .data:006B0DB4o
		push	0B2h
		jmp	loc_6AE267
_KiUnexpectedInterrupt130Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt131Shadow	proc near ; DATA XREF: .data:006B0DBCo
		push	0B3h
		jmp	loc_6AE267
_KiUnexpectedInterrupt131Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt132Shadow	proc near ; DATA XREF: .data:006B0DC4o
		push	0B4h
		jmp	loc_6AE267
_KiUnexpectedInterrupt132Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt133Shadow	proc near ; DATA XREF: .data:006B0DCCo
		push	0B5h
		jmp	loc_6AE267
_KiUnexpectedInterrupt133Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt134Shadow	proc near ; DATA XREF: .data:006B0DD4o
		push	0B6h
		jmp	loc_6AE267
_KiUnexpectedInterrupt134Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt135Shadow	proc near ; DATA XREF: .data:006B0DDCo
		push	0B7h
		jmp	loc_6AE267
_KiUnexpectedInterrupt135Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt136Shadow	proc near ; DATA XREF: .data:006B0DE4o
		push	0B8h
		jmp	loc_6AE267
_KiUnexpectedInterrupt136Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt137Shadow	proc near ; DATA XREF: .data:006B0DECo
		push	0B9h
		jmp	loc_6AE267
_KiUnexpectedInterrupt137Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt138Shadow	proc near ; DATA XREF: .data:006B0DF4o
		push	0BAh
		jmp	loc_6AE267
_KiUnexpectedInterrupt138Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt139Shadow	proc near ; DATA XREF: .data:006B0DFCo
		push	0BBh
		jmp	loc_6AE267
_KiUnexpectedInterrupt139Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt140Shadow	proc near ; DATA XREF: .data:006B0E04o
		push	0BCh
		jmp	loc_6AE267
_KiUnexpectedInterrupt140Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt141Shadow	proc near ; DATA XREF: .data:006B0E0Co
		push	0BDh
		jmp	loc_6AE267
_KiUnexpectedInterrupt141Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt142Shadow	proc near ; DATA XREF: .data:006B0E14o
		push	0BEh
		jmp	loc_6AE267
_KiUnexpectedInterrupt142Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt143Shadow	proc near ; DATA XREF: .data:006B0E1Co
		push	0BFh
		jmp	loc_6AE267
_KiUnexpectedInterrupt143Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt144Shadow	proc near ; DATA XREF: .data:006B0E24o
		push	0C0h
		jmp	loc_6AE267
_KiUnexpectedInterrupt144Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt145Shadow	proc near ; DATA XREF: .data:006B0E2Co
		push	0C1h
		jmp	loc_6AE267
_KiUnexpectedInterrupt145Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt146Shadow	proc near ; DATA XREF: .data:006B0E34o
		push	0C2h
		jmp	loc_6AE267
_KiUnexpectedInterrupt146Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt147Shadow	proc near ; DATA XREF: .data:006B0E3Co
		push	0C3h
		jmp	loc_6AE267
_KiUnexpectedInterrupt147Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt148Shadow	proc near ; DATA XREF: .data:006B0E44o
		push	0C4h
		jmp	loc_6AE267
_KiUnexpectedInterrupt148Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt149Shadow	proc near ; DATA XREF: .data:006B0E4Co
		push	0C5h
		jmp	loc_6AE267
_KiUnexpectedInterrupt149Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt150Shadow	proc near ; DATA XREF: .data:006B0E54o
		push	0C6h
		jmp	loc_6AE267
_KiUnexpectedInterrupt150Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt151Shadow	proc near ; DATA XREF: .data:006B0E5Co
		push	0C7h
		jmp	loc_6AE267
_KiUnexpectedInterrupt151Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt152Shadow	proc near ; DATA XREF: .data:006B0E64o
		push	0C8h
		jmp	loc_6AE267
_KiUnexpectedInterrupt152Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt153Shadow	proc near ; DATA XREF: .data:006B0E6Co
		push	0C9h
		jmp	loc_6AE267
_KiUnexpectedInterrupt153Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt154Shadow	proc near ; DATA XREF: .data:006B0E74o
		push	0CAh
		jmp	loc_6AE267
_KiUnexpectedInterrupt154Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt155Shadow	proc near ; DATA XREF: .data:006B0E7Co
		push	0CBh
		jmp	loc_6AE267
_KiUnexpectedInterrupt155Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt156Shadow	proc near ; DATA XREF: .data:006B0E84o
		push	0CCh
		jmp	loc_6AE267
_KiUnexpectedInterrupt156Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt157Shadow	proc near ; DATA XREF: .data:006B0E8Co
		push	0CDh
		jmp	loc_6AE267
_KiUnexpectedInterrupt157Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt158Shadow	proc near ; DATA XREF: .data:006B0E94o
		push	0CEh
		jmp	loc_6AE267
_KiUnexpectedInterrupt158Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt159Shadow	proc near ; DATA XREF: .data:006B0E9Co
		push	0CFh
		jmp	loc_6AE267
_KiUnexpectedInterrupt159Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt160Shadow	proc near ; DATA XREF: .data:006B0EA4o
		push	0D0h
		jmp	loc_6AE267
_KiUnexpectedInterrupt160Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt161Shadow	proc near ; DATA XREF: .data:006B0EACo
		push	0D1h
		jmp	loc_6AE267
_KiUnexpectedInterrupt161Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt162Shadow	proc near ; DATA XREF: .data:006B0EB4o
		push	0D2h
		jmp	loc_6AE267
_KiUnexpectedInterrupt162Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt163Shadow	proc near ; DATA XREF: .data:006B0EBCo
		push	0D3h
		jmp	loc_6AE267
_KiUnexpectedInterrupt163Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt164Shadow	proc near ; DATA XREF: .data:006B0EC4o
		push	0D4h
		jmp	loc_6AE267
_KiUnexpectedInterrupt164Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt165Shadow	proc near ; DATA XREF: .data:006B0ECCo
		push	0D5h
		jmp	loc_6AE267
_KiUnexpectedInterrupt165Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt166Shadow	proc near ; DATA XREF: .data:006B0ED4o
		push	0D6h
		jmp	loc_6AE267
_KiUnexpectedInterrupt166Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt167Shadow	proc near ; DATA XREF: .data:006B0EDCo
		push	0D7h
		jmp	loc_6AE267
_KiUnexpectedInterrupt167Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt168Shadow	proc near ; DATA XREF: .data:006B0EE4o
		push	0D8h
		jmp	loc_6AE267
_KiUnexpectedInterrupt168Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt169Shadow	proc near ; DATA XREF: .data:006B0EECo
		push	0D9h
		jmp	loc_6AE267
_KiUnexpectedInterrupt169Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt170Shadow	proc near ; DATA XREF: .data:006B0EF4o
		push	0DAh
		jmp	loc_6AE267
_KiUnexpectedInterrupt170Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt171Shadow	proc near ; DATA XREF: .data:006B0EFCo
		push	0DBh
		jmp	loc_6AE267
_KiUnexpectedInterrupt171Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt172Shadow	proc near ; DATA XREF: .data:006B0F04o
		push	0DCh
		jmp	loc_6AE267
_KiUnexpectedInterrupt172Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt173Shadow	proc near ; DATA XREF: .data:006B0F0Co
		push	0DDh
		jmp	loc_6AE267
_KiUnexpectedInterrupt173Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt174Shadow	proc near ; DATA XREF: .data:006B0F14o
		push	0DEh
		jmp	loc_6AE267
_KiUnexpectedInterrupt174Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt175Shadow	proc near ; DATA XREF: .data:006B0F1Co
		push	0DFh
		jmp	loc_6AE267
_KiUnexpectedInterrupt175Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt176Shadow	proc near ; DATA XREF: .data:006B0F24o
		push	0E0h
		jmp	loc_6AE267
_KiUnexpectedInterrupt176Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt177Shadow	proc near ; DATA XREF: .data:006B0F2Co
		push	0E1h
		jmp	loc_6AE267
_KiUnexpectedInterrupt177Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt178Shadow	proc near ; DATA XREF: .data:006B0F34o
		push	0E2h
		jmp	loc_6AE267
_KiUnexpectedInterrupt178Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt179Shadow	proc near ; DATA XREF: .data:006B0F3Co
		push	0E3h
		jmp	loc_6AE267
_KiUnexpectedInterrupt179Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt180Shadow	proc near ; DATA XREF: .data:006B0F44o
		push	0E4h
		jmp	loc_6AE267
_KiUnexpectedInterrupt180Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt181Shadow	proc near ; DATA XREF: .data:006B0F4Co
		push	0E5h
		jmp	loc_6AE267
_KiUnexpectedInterrupt181Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt182Shadow	proc near ; DATA XREF: .data:006B0F54o
		push	0E6h
		jmp	loc_6AE267
_KiUnexpectedInterrupt182Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt183Shadow	proc near ; DATA XREF: .data:006B0F5Co
		push	0E7h
		jmp	loc_6AE267
_KiUnexpectedInterrupt183Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt184Shadow	proc near ; DATA XREF: .data:006B0F64o
		push	0E8h
		jmp	loc_6AE267
_KiUnexpectedInterrupt184Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt185Shadow	proc near ; DATA XREF: .data:006B0F6Co
		push	0E9h
		jmp	loc_6AE267
_KiUnexpectedInterrupt185Shadow	endp

; 
		align 10h

;  S U B	R O U T	I N E 


_KiUnexpectedInterrupt186Shadow	proc near ; DATA XREF: .data:006B0F74o

arg_0		= byte ptr  4
arg_4		= dword	ptr  8

		push	0EAh
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt187Shadow:	; DATA XREF: .data:006B0F7Co
		push	0EBh
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt188Shadow:	; DATA XREF: .data:006B0F84o
		push	0ECh
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt189Shadow:	; DATA XREF: .data:006B0F8Co
		push	0EDh
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt190Shadow:	; DATA XREF: .data:006B0F94o
		push	0EEh
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt191Shadow:	; DATA XREF: .data:006B0F9Co
		push	0EFh
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt192Shadow:	; DATA XREF: .data:006B0FA4o
		push	0F0h
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt193Shadow:	; DATA XREF: .data:006B0FACo
		push	0F1h
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt194Shadow:	; DATA XREF: .data:006B0FB4o
		push	0F2h
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt195Shadow:	; DATA XREF: .data:006B0FBCo
		push	0F3h
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt196Shadow:	; DATA XREF: .data:006B0FC4o
		push	0F4h
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt197Shadow:	; DATA XREF: .data:006B0FCCo
		push	0F5h
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt198Shadow:	; DATA XREF: .data:006B0FD4o
		push	0F6h
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt199Shadow:	; DATA XREF: .data:006B0FDCo
		push	0F7h
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt200Shadow:	; DATA XREF: .data:006B0FE4o
		push	0F8h
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt201Shadow:	; DATA XREF: .data:006B0FECo
		push	0F9h
		jmp	loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt202Shadow:	; DATA XREF: .data:006B0FF4o
		push	0FAh
		jmp	short loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt203Shadow:	; DATA XREF: .data:006B0FFCo
		push	0FBh
		jmp	short loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt204Shadow:	; DATA XREF: .data:006B1004o
		push	0FCh
		jmp	short loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt205Shadow:	; DATA XREF: .data:006B100Co
		push	0FDh
		jmp	short loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt206Shadow:	; DATA XREF: .data:006B1014o
		push	0FEh
		jmp	short loc_6AE267
; 
		align 10h

_KiUnexpectedInterrupt207Shadow:	; DATA XREF: .data:006B101Co
		push	0FFh
		jmp	short $+2

loc_6AE267:				; CODE XREF: _KiUnexpectedInterruptShadowArea+5j
					; _KiUnexpectedInterrupt1Shadow+5j ...
		push	esi
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AE29B
		test	[esp+8+arg_0], 1
		jnz	short loc_6AE29B
		mov	esi, [esp+8]
		cmp	esi, offset _KiFastCallEntryShadow
		jz	short loc_6AE29B
		cmp	esi, offset _KiKernelSysretExit
		jb	short loc_6AE295
		cmp	esi, offset _KiShadowExitEnd
		jb	short loc_6AE29B

loc_6AE295:				; CODE XREF: _KiUnexpectedInterrupt186Shadow+17Bj
					; _KiUnexpectedInterrupt186Shadow+1DCj
		pop	esi
		jmp	_KiUnexpectedInterruptTail
; 

loc_6AE29B:				; CODE XREF: _KiUnexpectedInterrupt186Shadow+160j
					; _KiUnexpectedInterrupt186Shadow+167j	...
		push	ebx
		mov	ebx, fs
		mov	esi, 30h
		mov	fs, si
		mov	large fs:5018h,	ebx
		mov	esi, es
		mov	ebx, ds
		mov	large fs:5014h,	esi
		mov	large fs:5010h,	ebx
		mov	esi, large fs:5000h
		bt	large dword ptr	fs:500Ch, 1
		jb	short loc_6AE2D3
		mov	cr3, esi

loc_6AE2D3:				; CODE XREF: _KiUnexpectedInterrupt186Shadow+1BEj
		mov	ebx, 23h
		mov	ds, bx
		mov	es, bx
		pop	ebx
		test	[esp+8+arg_4], 20000h
		jnz	short loc_6AE2EE
		test	[esp+8+arg_0], 1
		jz	short loc_6AE295

loc_6AE2EE:				; CODE XREF: _KiUnexpectedInterrupt186Shadow+1D5j
		lea	esi, [esp+8]
		mov	esp, large fs:5004h
		test	dword ptr [esi+8], 20000h
		jz	short loc_6AE30E
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]

loc_6AE30E:				; CODE XREF: _KiUnexpectedInterrupt186Shadow+1F0j
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		push	dword ptr [esi-4]
		mov	esi, [esi-8]
		jmp	_KiUnexpectedInterruptTail
_KiUnexpectedInterrupt186Shadow	endp

; 
		align 100h
KVASCODE	ends

; Section 3. (virtual address 002AF000)
; Virtual size			: 000003CF (	975.)
; Section size in file		: 00000400 (   1024.)
; Offset to raw	data for section: 002AD200
; Flags	68000020: Text Not pageable Executable Readable
; Alignment	: default
; 

; Segment type:	Pure code
; Segment permissions: Read/Execute
POOLCODE	segment	para public 'CODE' use32
		assume cs:POOLCODE
		;org 6AF000h
		assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
		dd 4 dup(0CCCCCCCCh)
; Exported entry 326. ExAllocatePoolWithTag

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExAllocatePoolWithTag(x, x,	x)
		public _ExAllocatePoolWithTag@12
_ExAllocatePoolWithTag@12 proc near	; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+ACp
					; HvpAllocateLogBuffers+20p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:20h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	[ebp+arg_8]
		call	ExpAllocatePoolWithTagFromNode
		pop	ebp
		retn	0Ch
_ExAllocatePoolWithTag@12 endp

; 
		align 10h
; Exported entry 362. ExFreePoolWithTag

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExFreePoolWithTag(x, x)
		public _ExFreePoolWithTag@8
_ExFreePoolWithTag@8 proc near		; CODE XREF: CmQueryLayeredKey+14Fp
					; VrpOriginalKeyNameParameterCleanup(x,x)+22p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	ecx, [ebp+arg_0]
		call	ExFreeHeapPool
		mov	esp, ebp
		pop	ebp
		retn	8
_ExFreePoolWithTag@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpPoolFlagsToPoolType proc near	; CODE XREF: MiAllocatePool(x,x,x,x)+47p
					; MiAllocateAccessLog+E6p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 006AF1BB SIZE 00000039 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	byte ptr [eax],	0
		mov	edi, edx
		mov	eax, [ebp+arg_C]
		mov	ebx, ecx
		mov	dword ptr [edi], 0
		mov	byte ptr [eax],	0
		mov	eax, [ebp+arg_0]
		mov	esi, eax
		and	esi, 0FFFFF800h
		or	esi, 0
		jnz	loc_6AF1EA
		mov	edx, eax
		and	edx, 10h
		mov	ecx, edx
		or	ecx, esi
		jnz	short loc_6AF100

loc_6AF0AD:				; CODE XREF: ExpPoolFlagsToPoolType+92j
		mov	ecx, eax
		and	ecx, 1C0h
		cmp	ecx, 40h
		jnz	loc_6AF16A
		mov	esi, 200h

loc_6AF0C3:				; CODE XREF: ExpPoolFlagsToPoolType+104j
					; ExpPoolFlagsToPoolType+11Dj ...
		mov	ecx, eax
		and	ecx, 4
		or	ecx, 0
		jnz	loc_6AF162

loc_6AF0D1:				; CODE XREF: ExpPoolFlagsToPoolType+F5j
		mov	ecx, eax
		and	ecx, 2
		or	ecx, 0
		jnz	short loc_6AF0E1
		or	esi, 400h

loc_6AF0E1:				; CODE XREF: ExpPoolFlagsToPoolType+69j
		mov	ebx, [ebp+arg_4]
		mov	edx, eax
		mov	ecx, ebx
		and	edx, 629h
		and	ecx, 1
		or	edx, ecx
		jnz	short loc_6AF109

loc_6AF0F5:				; CODE XREF: ExpPoolFlagsToPoolType+EBj
					; ExpPoolFlagsToPoolType+175j
		mov	[edi], esi
		xor	eax, eax

loc_6AF0F9:				; CODE XREF: ExpPoolFlagsToPoolType+17Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_6AF100:				; CODE XREF: ExpPoolFlagsToPoolType+3Bj
		test	ebx, ebx
		jnz	short loc_6AF0AD
		jmp	loc_6AF1EA
; 

loc_6AF109:				; CODE XREF: ExpPoolFlagsToPoolType+83j
		mov	ecx, eax
		and	ecx, 8
		or	ecx, 0
		jnz	loc_6AF1BB

loc_6AF117:				; CODE XREF: ExpPoolFlagsToPoolType+14Ej
		mov	ecx, eax
		and	ecx, 200h
		or	ecx, 0
		jnz	loc_6AF1C3

loc_6AF128:				; CODE XREF: ExpPoolFlagsToPoolType+159j
		mov	ecx, eax
		and	ecx, 400h
		or	ecx, 0
		jnz	short loc_6AF19D

loc_6AF135:				; CODE XREF: ExpPoolFlagsToPoolType+130j
		mov	ecx, eax
		and	eax, 1
		and	ecx, 20h
		or	eax, 0
		jz	loc_6AF1CE
		or	ecx, 0
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	1
		jnz	short loc_6AF154
		or	esi, 8

loc_6AF154:				; CODE XREF: ExpPoolFlagsToPoolType+DFj
					; ExpPoolFlagsToPoolType+161j ...
		and	ebx, 1
		xor	eax, eax
		or	eax, ebx
		jz	short loc_6AF0F5
		jmp	loc_6AF1DF
; 

loc_6AF162:				; CODE XREF: ExpPoolFlagsToPoolType+5Bj
		or	esi, 20h
		jmp	loc_6AF0D1
; 

loc_6AF16A:				; CODE XREF: ExpPoolFlagsToPoolType+48j
		cmp	ecx, 80h
		jnz	short loc_6AF179
		xor	esi, esi
		jmp	loc_6AF0C3
; 

loc_6AF179:				; CODE XREF: ExpPoolFlagsToPoolType+100j
		cmp	ecx, 100h
		jnz	loc_6AF1EA
		or	edx, 0
		mov	esi, 1
		jz	loc_6AF0C3
		mov	esi, 80000001h
		jmp	loc_6AF0C3
; 

loc_6AF19D:				; CODE XREF: ExpPoolFlagsToPoolType+C3j
		or	esi, 40h
		jmp	short loc_6AF135
ExpPoolFlagsToPoolType endp

; 
		align 8
; Exported entry 361. ExFreePool

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExFreePool(x)
		public _ExFreePool@4
_ExFreePool@4	proc near		; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+143p
					; RtlFreeAnsiString(x)+16p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	4
_ExFreePool@4	endp

; 
; START	OF FUNCTION CHUNK FOR ExpPoolFlagsToPoolType

loc_6AF1BB:				; CODE XREF: ExpPoolFlagsToPoolType+A1j
		or	esi, 4
		jmp	loc_6AF117
; 

loc_6AF1C3:				; CODE XREF: ExpPoolFlagsToPoolType+B2j
		or	esi, 80h
		jmp	loc_6AF128
; 

loc_6AF1CE:				; CODE XREF: ExpPoolFlagsToPoolType+D0j
		or	ecx, 0
		jz	loc_6AF154
		or	esi, 10h
		jmp	loc_6AF154
; 

loc_6AF1DF:				; CODE XREF: ExpPoolFlagsToPoolType+EDj
		mov	eax, [ebp+arg_C]
		mov	byte ptr [eax],	1
		jmp	loc_6AF0F5
; 

loc_6AF1EA:				; CODE XREF: ExpPoolFlagsToPoolType+2Cj
					; ExpPoolFlagsToPoolType+94j ...
		mov	eax, 0C000000Dh
		jmp	loc_6AF0F9
; END OF FUNCTION CHUNK	FOR ExpPoolFlagsToPoolType
; 
		dd 0CCCCCCCCh
		db 0CCh
; 
; Exported entry 321. ExAllocatePool2

; __stdcall ExAllocatePool2(x, x, x, x)
		public _ExAllocatePool2@16
_ExAllocatePool2@16:			; CODE XREF: EtwpAllocateFreeBuffers(x,x)+77p
					; SepSetProcessTrustLabelAceForToken(x)+15Cp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+8]
		mov	[esp+0Ch], ebx
		mov	[esp+0Bh], bl
		mov	[esp+0Ah], bl
		cmp	[ebp+14h], ebx
		jnz	short loc_6AF222
		mov	eax, 0C000000Dh
		jmp	short loc_6AF23F
; 

loc_6AF222:				; CODE XREF: POOLCODE:006AF219j
		lea	eax, [esp+0Ah]
		xor	ecx, ecx
		push	eax
		lea	eax, [esp+0Fh]
		push	eax
		push	dword ptr [ebp+0Ch]
		lea	edx, [esp+18h]
		push	esi
		call	ExpPoolFlagsToPoolType
		test	eax, eax
		jns	short loc_6AF24A

loc_6AF23F:				; CODE XREF: POOLCODE:006AF220j
		and	esi, 20h
		or	esi, ebx
		jnz	short loc_6AF29C
		xor	eax, eax
		jmp	short loc_6AF294
; 

loc_6AF24A:				; CODE XREF: POOLCODE:006AF23Dj
		cmp	[esp+0Ah], bl
		jz	short loc_6AF253
		xor	ebx, ebx
		inc	ebx

loc_6AF253:				; CODE XREF: POOLCODE:006AF24Ej
		cmp	byte ptr [esp+0Bh], 0
		jz	short loc_6AF26B
		push	dword ptr [ebp+14h]
		push	dword ptr [ebp+10h]
		push	dword ptr [esp+14h]
		call	ExAllocatePoolWithQuotaTag
		jmp	short loc_6AF294
; 

loc_6AF26B:				; CODE XREF: POOLCODE:006AF258j
		mov	eax, large fs:20h
		mov	edx, [ebp+10h]
		mov	ecx, [esp+0Ch]
		push	ebx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	dword ptr [ebp+14h]
		call	ExpAllocatePoolWithTagFromNode

loc_6AF294:				; CODE XREF: POOLCODE:006AF248j
					; POOLCODE:006AF269j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_6AF29C:				; CODE XREF: POOLCODE:006AF244j
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; 
		dw 0CCCCh
		align 8
; Exported entry 322. ExAllocatePool3

; __stdcall ExAllocatePool3(x, x, x, x,	x, x)
		public _ExAllocatePool3@24
_ExAllocatePool3@24:			; CODE XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+44p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+8]
		xor	ebx, ebx
		push	edi
		push	10h
		mov	[esp+14h], ebx
		mov	[esp+11h], bl
		mov	[esp+13h], bl
		mov	[esp+12h], bl
		pop	edi
		cmp	[ebp+14h], ebx
		jnz	short loc_6AF2E8

loc_6AF2D3:				; CODE XREF: POOLCODE:006AF334j
					; POOLCODE:006AF345j
		mov	eax, 0C000000Dh

loc_6AF2D8:				; CODE XREF: POOLCODE:006AF303j
		and	esi, 20h
		or	esi, ebx
		jnz	loc_6AF3C8
		jmp	loc_6AF3BD
; 

loc_6AF2E8:				; CODE XREF: POOLCODE:006AF2D1j
		lea	eax, [esp+0Eh]
		xor	ecx, ecx
		push	eax
		lea	eax, [esp+11h]
		push	eax
		push	dword ptr [ebp+0Ch]
		lea	edx, [esp+1Ch]
		push	esi
		call	ExpPoolFlagsToPoolType
		test	eax, eax
		js	short loc_6AF2D8
		mov	[esp+14h], ebx
		cmp	[ebp+1Ch], ebx
		jbe	short loc_6AF358
		mov	edx, [ebp+18h]

loc_6AF311:				; CODE XREF: POOLCODE:006AF356j
		mov	ecx, [edx]
		mov	eax, [edx+4]
		mov	[esp+1Ch], eax
		cmp	cl, 1
		jnz	short loc_6AF33D
		cmp	[esp+0Dh], bl
		jnz	short loc_6AF33D
		mov	edi, [edx+8]
		test	edi, edi
		jz	short loc_6AF336
		cmp	edi, 10h
		jz	short loc_6AF336
		cmp	edi, 20h
		jnz	short loc_6AF2D3

loc_6AF336:				; CODE XREF: POOLCODE:006AF32Aj
					; POOLCODE:006AF32Fj
		mov	byte ptr [esp+0Fh], 1
		jmp	short loc_6AF347
; 

loc_6AF33D:				; CODE XREF: POOLCODE:006AF31Dj
					; POOLCODE:006AF323j
		and	ecx, 100h
		or	ecx, ebx
		jz	short loc_6AF2D3

loc_6AF347:				; CODE XREF: POOLCODE:006AF33Bj
		mov	eax, [esp+14h]
		add	edx, 10h
		inc	eax
		mov	[esp+14h], eax
		cmp	eax, [ebp+1Ch]
		jb	short loc_6AF311

loc_6AF358:				; CODE XREF: POOLCODE:006AF30Cj
		cmp	[esp+0Eh], bl
		jz	short loc_6AF361
		xor	ebx, ebx
		inc	ebx

loc_6AF361:				; CODE XREF: POOLCODE:006AF35Cj
		cmp	byte ptr [esp+0Dh], 0
		jz	short loc_6AF379
		push	dword ptr [ebp+14h]
		push	dword ptr [ebp+10h]
		push	dword ptr [esp+18h]
		call	ExAllocatePoolWithQuotaTag
		jmp	short loc_6AF3BF
; 

loc_6AF379:				; CODE XREF: POOLCODE:006AF366j
		cmp	byte ptr [esp+0Fh], 0
		jz	short loc_6AF392
		push	edi
		push	dword ptr [ebp+14h]
		push	dword ptr [ebp+10h]
		push	dword ptr [esp+1Ch]
		call	ExAllocatePoolWithTagPriority
		jmp	short loc_6AF3BF
; 

loc_6AF392:				; CODE XREF: POOLCODE:006AF37Ej
		mov	eax, large fs:20h
		mov	edx, [ebp+10h]
		mov	ecx, [esp+10h]
		push	ebx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	dword ptr [ebp+14h]
		call	ExpAllocatePoolWithTagFromNode
		jmp	short loc_6AF3BF
; 

loc_6AF3BD:				; CODE XREF: POOLCODE:006AF2E3j
		xor	eax, eax

loc_6AF3BF:				; CODE XREF: POOLCODE:006AF377j
					; POOLCODE:006AF390j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_6AF3C8:				; CODE XREF: POOLCODE:006AF2DDj
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger
; 
		db 0
		align 40h
POOLCODE	ends

; Section 4. (virtual address 002B0000)
; Virtual size			: 000513E8 ( 332776.)
; Section size in file		: 00006C00 (  27648.)
; Offset to raw	data for section: 002AD600
; Flags	C8000040: Data Not pageable Readable Writable
; Alignment	: default
; 

; Segment type:	Pure data
; Segment permissions: Read/Write
_data		segment	para public 'DATA' use32
		assume cs:_data
		;org 6B0000h
unk_6B0000	db    0			; DATA XREF: sub_59C2E7+56o
		db    0
		db    0
		db    0
dword_6B0004	dd 0FFFFFFFFh		; DATA XREF: sub_59C2E7+4Er
					; sub_59C2E7:loc_59C375w ...
dword_6B0008	dd 0			; DATA XREF: sub_59C2E7:loc_59C351r
					; sub_59C2E7+94w ...
_IDT		dd offset _KiTrap00	; DATA XREF: KiGetVectorInfo:loc_5E3861r
					; KiInitializeIdt(x,x)+11o
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap01
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap02
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap03
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiTrap04
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiTrap05
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap06
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap07
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap08
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap09
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0A
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0B
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0C
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0D
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0E
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0F
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap10
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap11
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap12
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap13
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0F
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0F
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0F
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0F
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0F
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0F
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0F
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0F
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0F
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0F
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0F
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0F
		db    0
		db  8Eh	; 
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		dd offset _KiAltSystemService
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiRaiseSecurityCheckFailure
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiGetTickCount
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiCallbackReturn
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiRaiseAssertion
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiDebugService
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiSystemService
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiTrap0F
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt0
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt1
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt2
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt3
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt4
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt5
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt6
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt7
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt8
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt9
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt10
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt11
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt12
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt13
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt14
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt15
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt16
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt17
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt18
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt19
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt20
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt21
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt22
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt23
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt24
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt25
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt26
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt27
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt28
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt29
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt30
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt31
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt32
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt33
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt34
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt35
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt36
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt37
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt38
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt39
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt40
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt41
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt42
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt43
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt44
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt45
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt46
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt47
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt48
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt49
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt50
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt51
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt52
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt53
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt54
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt55
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt56
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt57
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt58
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt59
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt60
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt61
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt62
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt63
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt64
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt65
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt66
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt67
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt68
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt69
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt70
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt71
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt72
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt73
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt74
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt75
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt76
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt77
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt78
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt79
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt80
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt81
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt82
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt83
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt84
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt85
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt86
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt87
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt88
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt89
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt90
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt91
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt92
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt93
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt94
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt95
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt96
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt97
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt98
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt99
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt100
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt101
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt102
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt103
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt104
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt105
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt106
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt107
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt108
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt109
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt110
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt111
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt112
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt113
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt114
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt115
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt116
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt117
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt118
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt119
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt120
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt121
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt122
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt123
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt124
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt125
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt126
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt127
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt128
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt129
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt130
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt131
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt132
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt133
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt134
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt135
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt136
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt137
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt138
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt139
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt140
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt141
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt142
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt143
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt144
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt145
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt146
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt147
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt148
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt149
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt150
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt151
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt152
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt153
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt154
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt155
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt156
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt157
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt158
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt159
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt160
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt161
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt162
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt163
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt164
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt165
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt166
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt167
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt168
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt169
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt170
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt171
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt172
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt173
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt174
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt175
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt176
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt177
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt178
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt179
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt180
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt181
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt182
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt183
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt184
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt185
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt186
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt187
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt188
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt189
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt190
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt191
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt192
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt193
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt194
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt195
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt196
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt197
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt198
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt199
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt200
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt201
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt202
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt203
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt204
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt205
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt206
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt207
		db    0
		db  8Eh	; 
		db    8
		db    0
_IDTEnd		db 0F2h	; 		; DATA XREF: KiScanForPrefix+31o
		db 0F3h	; 
		db  67h	; g
		db 0F0h	; 
		db  66h	; f
		db  2Eh	; .
		db  3Eh	; >
		db  26h	; &
		db  64h	; d
		db  65h	; e
		db  36h	; 6
aFxAlmccuqno	db 'lmno',0     ; DATA XREF: sub_59F909+661o
_IDTShadow	dd offset _KiTrap00Shadow ; DATA XREF: KiGetVectorInfo+14r
					; KiInitializeIdt(x,x):loc_ABE1B8o
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap01Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap02
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap03Shadow
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiTrap04Shadow
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiTrap05Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap06Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap07Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap08
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap09Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0AShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0BShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0CShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0DShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0EShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0FShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap10Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap11Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap12
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap13Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0FShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0FShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0FShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0FShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0FShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0FShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0FShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0FShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0FShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0FShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0FShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiTrap0FShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		dd offset _KiAltSystemServiceShadow
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiRaiseSecurityCheckFailureShadow
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiGetTickCountShadow
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiCallbackReturnShadow
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiRaiseAssertionShadow
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiDebugServiceShadow
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiSystemServiceShadow
		db    0
		db 0EEh	; 
		db    8
		db    0
		dd offset _KiTrap0FShadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterruptShadowArea
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt1Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt2Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt3Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt4Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt5Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt6Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt7Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt8Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt9Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt10Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt11Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt12Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt13Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt14Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt15Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt16Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt17Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt18Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt19Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt20Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt21Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt22Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt23Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt24Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt25Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt26Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt27Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt28Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt29Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt30Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt31Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt32Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt33Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt34Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt35Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt36Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt37Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt38Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt39Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt40Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt41Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt42Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt43Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt44Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt45Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt46Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt47Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt48Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt49Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt50Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt51Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt52Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt53Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt54Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt55Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt56Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt57Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt58Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt59Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt60Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt61Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt62Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt63Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt64Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt65Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt66Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt67Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt68Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt69Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt70Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt71Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt72Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt73Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt74Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt75Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt76Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt77Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt78Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt79Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt80Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt81Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt82Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt83Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt84Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt85Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt86Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt87Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt88Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt89Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt90Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt91Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt92Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt93Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt94Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt95Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt96Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt97Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt98Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt99Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt100Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt101Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt102Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt103Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt104Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt105Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt106Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt107Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt108Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt109Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt110Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt111Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt112Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt113Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt114Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt115Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt116Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt117Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt118Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt119Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt120Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt121Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt122Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt123Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt124Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt125Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt126Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt127Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt128Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt129Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt130Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt131Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt132Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt133Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt134Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt135Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt136Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt137Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt138Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt139Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt140Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt141Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt142Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt143Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt144Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt145Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt146Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt147Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt148Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt149Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt150Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt151Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt152Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt153Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt154Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt155Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt156Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt157Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt158Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt159Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt160Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt161Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt162Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt163Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt164Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt165Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt166Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt167Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt168Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt169Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt170Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt171Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt172Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt173Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt174Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt175Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt176Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt177Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt178Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt179Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt180Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt181Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt182Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt183Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt184Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt185Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt186Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt187Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt188Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt189Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt190Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt191Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt192Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt193Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt194Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt195Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt196Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt197Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt198Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt199Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt200Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt201Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt202Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt203Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt204Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt205Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt206Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
		dd offset _KiUnexpectedInterrupt207Shadow
		db    0
		db  8Eh	; 
		db    8
		db    0
; unsigned __int16 *_pctype
__pctype	dd offset asc_409010	; DATA XREF: ___pctype_funcr
					; _hextodec+9r	...
					; "	    (((((		   H"
; wctype_t *_pwctype
__pwctype	dd offset word_409212	; DATA XREF: _iswctype+1Ar
		align 10h
___initiallocinfo db	1		; DATA XREF: .text:___initiallocalestructinfoo
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ___clocalestr
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ___clocalestr
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ___clocalestr
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ___clocalestr
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ___clocalestr
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ___lconv_c
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
off_6B10F8	dd offset asc_409010	; DATA XREF: _isdigit:loc_584424r
					; _islower:loc_58444Ar	...
					; "	    (((((		   H"
		dd offset dword_409460+38h
		dd offset dword_4095E0+38h
		align 8
___lconv_c	dd offset ___lconv_static_decimal ; DATA XREF: .data:006B10ECo
		dd offset ___lconv_static_decimal+2
		dd offset ___lconv_static_decimal+2
		dd offset ___lconv_static_decimal+2
		dd offset ___lconv_static_decimal+2
		dd offset ___lconv_static_decimal+2
		dd offset ___lconv_static_decimal+2
		dd offset ___lconv_static_decimal+2
		dd offset ___lconv_static_decimal+2
		dd offset ___lconv_static_decimal+2
		db  7Fh	; 
		db  7Fh	; 
		db  7Fh	; 
		db  7Fh	; 
		db  7Fh	; 
		db  7Fh	; 
		db  7Fh	; 
		db  7Fh	; 
		dd offset ___lconv_static_W_decimal
		dd offset ___lconv_static_W_null
		dd offset ___lconv_static_W_null
		dd offset ___lconv_static_W_null
		dd offset ___lconv_static_W_null
		dd offset ___lconv_static_W_null
		dd offset ___lconv_static_W_null
		dd offset ___lconv_static_W_null
_SymCryptBuildString dd	offset aV100_5_vb_rele ; DATA XREF: SymCryptInitEnvCommon(x)+25r
					; "v100.5_vb_release_svc_2021-10-19T12:53:"...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_SwapContext_NpxLoad dd	offset _SwapContext_NoNpxLoad ;	DATA XREF: _SwapContext_X87Jmp+27r
					; KiEnableNpxStateSwitching:loc_ADC33Dw ...
_SwapContext_NpxSave dd	offset _SwapContext_NoNpxSave ;	DATA XREF: .text:005A1EBBo
					; KiEnableNpxStateSwitching:loc_ADC365w
_EnlightenedSwapContext_NpxLoad	dd offset _EnlightenedSwapContext_NoNpxLoad
					; DATA XREF: _EnlightenedSwapContext_SaveIpt+F6r
					; KiEnableNpxStateSwitching+35w ...
_EnlightenedSwapContext_NpxSave	dd offset _EnlightenedSwapContext_NoNpxSave
					; DATA XREF: EnlightenedSwapContext+87r
					; KiEnableNpxStateSwitching+5Dw
; Exported entry 683. HalPrivateDispatchTable
		public _HalPrivateDispatchTable
_HalPrivateDispatchTable dd 33h		; DATA XREF: ViHalApplySettings()+1Ar
		dd offset _MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		dd offset _MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
off_6B121C	dd offset _xHalLocateHiberRanges@4
					; DATA XREF: PopMarkComponentsBootPhase+C8r
					; PopAllocateHiberContext+231r
					; xHalLocateHiberRanges(x)
		dd offset _xHalRegisterBusHandler@32 ; xHalRegisterBusHandler(x,x,x,x,x,x,x,x)
		align 8
off_6B1228	dd offset _xHalSetWakeAlarm@16 ; DATA XREF: PAGELK:0071F255r
					; PAGELK:0071F859r
					; xHalSetWakeAlarm(x,x,x,x)
		dd offset _xHalTranslateBusAddress@24 ;	xHalTranslateBusAddress(x,x,x,x,x,x)
		dd offset _xHalTranslateBusAddress@24 ;	xHalTranslateBusAddress(x,x,x,x,x,x)
off_6B1234	dd offset _xHalHaltSystem@0
					; DATA XREF: KeBugCheck2(x,x,x,x,x,x):loc_61C5AFr
					; KiBugCheckDebugBreak(x)+8Dr ...
					; xHalHaltSystem()
		align 10h
off_6B1240	dd offset _xHalConvertPerformanceCounterToAuxiliaryCounter@16
					; DATA XREF: ViHalApplySettings()+29r
					; ViHalApplySettings()+33w
					; xHalConvertPerformanceCounterToAuxiliaryCounter(x,x,x,x)
off_6B1244	dd offset _xHalIommuUnblockDevice@8
					; DATA XREF: HvlDebuggerSupportInitialize+7DDBFr
					; HeadlessInit+1A423r
					; xHalIommuUnblockDevice(x,x)
		dd offset _xKdReleasePciDeviceForDebugging@4 ; xKdReleasePciDeviceForDebugging(x)
		dd offset _xKdGetAcpiTablePhase0@8 ; xKdGetAcpiTablePhase0(x,x)
		dd offset @SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		dd offset _xHalVectorToIDTEntry@4 ; xHalVectorToIDTEntry(x)
		dd offset _ext_ms_win_ntos_ksr_l1_1_3_KsrFreePersistedMemoryBlock@16 ; ext_ms_win_ntos_ksr_l1_1_3_KsrFreePersistedMemoryBlock(x,x,x,x)
		dd offset _xKdUnmapVirtualAddress@12 ; xKdUnmapVirtualAddress(x,x,x)
dword_6B1260	dd 0			; DATA XREF: KdpSysReadBusData(x,x,x,x,x,x,x)+19r
dword_6B1264	dd 0			; DATA XREF: KdpSysWriteBusData(x,x,x,x,x,x,x)+19r
		dd offset _xHalGetInterruptVector@24 ; xHalGetInterruptVector(x,x,x,x,x,x)
		dd offset _ext_ms_win_ntos_tm_l1_1_0_NtQueryInformationTransactionManager@20 ; ext_ms_win_ntos_tm_l1_1_0_NtQueryInformationTransactionManager(x,x,x,x,x)
		dd offset _NtSetHighWaitLowEventPair@4 ; NtSetHighWaitLowEventPair(x)
		dd offset _PsNotifyWriteToExecutableMemory@8 ; PsNotifyWriteToExecutableMemory(x,x)
		dd offset _PsNotifyWriteToExecutableMemory@8 ; PsNotifyWriteToExecutableMemory(x,x)
		dd offset _ext_ms_win_fs_clfs_l1_1_0_ClfsReadNextLogRecord@32 ;	ext_ms_win_fs_clfs_l1_1_0_ClfsReadNextLogRecord(x,x,x,x,x,x,x,x)
		dd offset _xKdUnmapVirtualAddress@12 ; xKdUnmapVirtualAddress(x,x,x)
off_6B1284	dd offset _MmConfigureGraphicsPtes@8 ; DATA XREF: PnprReplaceStart()+4Ar
					; MmConfigureGraphicsPtes(x,x)
off_6B1288	dd offset _xHalLocateHiberRanges@4
					; DATA XREF: PnprQuiesceProcessorDpc(x,x,x,x)+182r
					; xHalLocateHiberRanges(x)
off_6B128C	dd offset _xHalDpReplaceControl@8 ; DATA XREF: PnprEndMirroring(x)+40r
					; PnprInitiateReplaceOperation()+1C0r ...
					; xHalDpReplaceControl(x,x)
off_6B1290	dd offset _PopPdcCallback@4 ; DATA XREF: PnprInitiateReplaceOperation()+281r
					; PopPdcCallback(x)
off_6B1294	dd offset _KeSetDmaIoCoherency@4 ; DATA	XREF: KeBugCheck2(x,x,x,x,x,x)+46Cr
					; KeSetDmaIoCoherency(x)
off_6B1298	dd offset _xHalpIsInterruptTypeSecondary@8
					; DATA XREF: PopInvokeSystemStateHandler+473r
					; PopInvokeSystemStateHandler+CF38r
					; xHalpIsInterruptTypeSecondary(x,x)
off_6B129C	dd offset _RtlEndStrongEnumerationHashTable@8
					; DATA XREF: PpmInstallNewIdleStates+3BFr
					; PpmRemoveIdleStates(x,x,x)+44r
					; RtlEndStrongEnumerationHashTable(x,x)
off_6B12A0	dd offset _xHalTscSynchronization@8 ; DATA XREF: PnprWakeProcessors()+41r
					; KiInitializeDynamicProcessorDpc(x,x,x,x)+C1r	...
					; xHalTscSynchronization(x,x)
		dd offset _ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment@8 ; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
off_6B12A8	dd offset _KeSetDmaIoCoherency@4 ; DATA	XREF: PopHiberCheckResume+72r
					; KeSetDmaIoCoherency(x)
		dd offset _ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete@16 ;	ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
		dd offset _ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete@16 ;	ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
off_6B12B4	dd offset _xHalDpUnmaskLevelTriggeredInterrupts@0
					; DATA XREF: PnprQuiesceProcessors()+E4r
					; xHalDpUnmaskLevelTriggeredInterrupts()
off_6B12B8	dd offset _xHalDpUnmaskLevelTriggeredInterrupts@0
					; DATA XREF: PnprWakeProcessors()+BBr
					; xHalDpUnmaskLevelTriggeredInterrupts()
off_6B12BC	dd offset _xHalDpGetInterruptReplayState@8
					; DATA XREF: PnprQuiesceProcessorDpc(x,x,x,x)+171r
					; xHalDpGetInterruptReplayState(x,x)
off_6B12C0	dd offset _xHalDpReplayInterrupts@4
					; DATA XREF: PnprQuiesceProcessorDpc(x,x,x,x)+2E0r
					; xHalDpReplayInterrupts(x)
		dd offset _xHalQueryIoPortAccessSupported@0 ; xHalQueryIoPortAccessSupported()
off_6B12C8	dd offset _xHalIommuUnblockDevice@8
					; DATA XREF: HvlDebuggerSupportInitialize+7DBDBr
					; xHalIommuUnblockDevice(x,x)
		dd offset _xKdReleasePciDeviceForDebugging@4 ; xKdReleasePciDeviceForDebugging(x)
dword_6B12D0	dd 0			; DATA XREF: HvlpDetermineEnlightenments()+46Fw
dword_6B12D4	dd 0			; DATA XREF: HvlpTryConfigureInterface+89A78r
					; HvlpInitializeBootProcessor(x)+59r ...
dword_6B12D8	dd 0			; DATA XREF: HvlEnlightenProcessor+81937r
					; HvlEnlightenProcessor+819D9r	...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
off_6B12E4	dd offset _RtlEndStrongEnumerationHashTable@8
					; DATA XREF: KiFreezeTargetExecution(x,x)+C0r
					; KiFreezeTargetExecution(x,x)+173r ...
					; RtlEndStrongEnumerationHashTable(x,x)
off_6B12E8	dd offset _ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig@4
					; DATA XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+778r
					; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		dd offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)
off_6B12F0	dd offset @SymCryptFatalIntercept@4
					; DATA XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+107Dr
					; SymCryptFatalIntercept(x)
		align 8
		dd offset _xHalVectorToIDTEntryEx@4 ; xHalVectorToIDTEntryEx(x)
off_6B12FC	dd offset _ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment@8
					; DATA XREF: KiIntSteerGetLineInformation+845A5r
					; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
off_6B1300	dd offset _ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment@8
					; DATA XREF: KiMaskInterruptInternal+52r
					; IoProcessPassiveInterrupts(x)+1Cr ...
					; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
off_6B1304	dd offset _ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment@8
					; DATA XREF: KeUnmaskInterrupt+66r
					; KeConnectInterrupt+8499Er ...
					; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
off_6B1308	dd offset _xHalpIsInterruptTypeSecondary@8
					; DATA XREF: KiIntSteerGetLineInformation+3Fr
					; KiIsInterruptTypeSecondary+84564r ...
					; xHalpIsInterruptTypeSecondary(x,x)
		dd offset _MmProtectDriverSection@12 ; MmProtectDriverSection(x,x,x)
		dd offset _xHalAddInterruptRemapping@24	; xHalAddInterruptRemapping(x,x,x,x,x,x)
		dd offset _xHalRemoveInterruptRemapping@24 ; xHalRemoveInterruptRemapping(x,x,x,x,x,x)
off_6B1318	dd offset _xHalSaveAndDisableHvEnlightenment@0
					; DATA XREF: PopSaveHiberContext+B8FEr
					; xHalSaveAndDisableHvEnlightenment()
off_6B131C	dd offset _xHalSaveAndDisableHvEnlightenment@0
					; DATA XREF: PopHiberCheckResume+7095r
					; xHalSaveAndDisableHvEnlightenment()
		dd offset _RtlEndStrongEnumerationHashTable@8 ;	RtlEndStrongEnumerationHashTable(x,x)
		dd offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)
off_6B1328	dd offset _xHalPciEarlyRestore@4 ; DATA	XREF: PopHiberCheckResume+8Er
					; xHalPciEarlyRestore(x)
off_6B132C	dd offset _LpcReplyWaitReplyPort@12
					; DATA XREF: HvlpQueryApicIdAndNumaNode+29r
					; LpcReplyWaitReplyPort(x,x,x)
off_6B1330	dd offset _xHalAllocatePmcCounterSet@16
					; DATA XREF: EtwpUpdatePmcCounters(x,x,x)+A9r
					; xHalAllocatePmcCounterSet(x,x,x,x)
off_6B1334	dd offset _xHalCollectPmcCounters@8
					; DATA XREF: EtwpReserveWithPmcCounters(x,x,x,x,x,x)+BAr
					; xHalCollectPmcCounters(x,x)
off_6B1338	dd offset _PopPdcCallback@4 ; DATA XREF: EtwpFreePmcData(x)+1Fr
					; EtwpUpdatePmcCounters(x,x,x)+F1r
					; PopPdcCallback(x)
		dd offset _xHalProcessorHalt@12	; xHalProcessorHalt(x,x,x)
off_6B1340	dd offset _xHalTimerQueryCycleCounter@4	; DATA XREF: TxtpAddCacheEntry+24D1r
					; AnFwpBackgroundUpdateTimer(x,x,x,x)+25r ...
					; xHalTimerQueryCycleCounter(x)
		align 8
		dd offset _xHalPciMarkHiberPhase@0 ; xHalPciMarkHiberPhase()
		dd offset _xHalQueryProcessorRestartEntryPoint@4 ; xHalQueryProcessorRestartEntryPoint(x)
		dd offset _ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig@4 ;	ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		dd offset _MmProtectDriverSection@12 ; MmProtectDriverSection(x,x,x)
		dd offset _RtlEndStrongEnumerationHashTable@8 ;	RtlEndStrongEnumerationHashTable(x,x)
		dd offset _xHalIommuGetLibraryContext@12 ; xHalIommuGetLibraryContext(x,x,x)
		dd offset _xHalFlushIoRectangleExternalCache@24	; xHalFlushIoRectangleExternalCache(x,x,x,x,x,x)
off_6B1364	dd offset _xHalLocateHiberRanges@4 ; DATA XREF:	PopHiberCheckResume+59r
					; PopHiberCheckResume+7Ar
					; xHalLocateHiberRanges(x)
		dd offset _ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete@16 ;	ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
off_6B136C	dd offset _ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete@16
					; DATA XREF: IopWriteTriageDumpToFirmware(x)+C6r
					; ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
off_6B1370	dd offset _xHalPciMultiStageResumeCapable@0
					; DATA XREF: PopSaveHiberContext:loc_71D718r
					; xHalPciMultiStageResumeCapable()
off_6B1374	dd offset _KeSetDmaIoCoherency@4 ; DATA	XREF: PopRestoreHiberContext+12Er
					; PopRestoreHiberContext+235r
					; KeSetDmaIoCoherency(x)
off_6B1378	dd offset _KeIsCetCapable@0 ; DATA XREF: KeInitializeTimerTable:loc_928441r
					; PopInitPlatformSettings:loc_AD7E06r
					; KeIsCetCapable()
off_6B137C	dd offset _MmProtectDriverSection@12
					; DATA XREF: KiIntSteerSetDestination(x,x)+52r
					; MmProtectDriverSection(x,x,x)
off_6B1380	dd offset _KeSetDmaIoCoherency@4
					; DATA XREF: EtwpClockSourceRunDown(x,x)+28r
					; KeInitializeClock+E3r
					; KeSetDmaIoCoherency(x)
off_6B1384	dd offset _KeSetDmaIoCoherency@4 ; DATA	XREF: KiResumeClockTimer+69r
					; KeInitializeClock+1AB33r
					; KeSetDmaIoCoherency(x)
off_6B1388	dd offset @SymCryptFatalIntercept@4
					; DATA XREF: KeResumeClockTimerFromIdle:loc_48CDAFr
					; KiResumeClockTimer:loc_4FE70Dr ...
					; SymCryptFatalIntercept(x)
off_6B138C	dd offset @SymCryptFatalIntercept@4
					; DATA XREF: KeResumeClockTimerFromIdle:loc_48CDBDr
					; KiSuspendClockTimer():loc_552A47r ...
					; SymCryptFatalIntercept(x)
off_6B1390	dd offset _ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete@16
					; DATA XREF: KiSetClockTickRate+49r
					; KiSetClockTickRate+12Ar ...
					; ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
off_6B1394	dd offset _KeIsCetCapable@0
					; DATA XREF: KeResumeClockTimerFromIdle:loc_48CBDFr
					; KeResumeClockTimerFromIdle:loc_5B7E9Fr ...
					; KeIsCetCapable()
		dd offset _xHalAcpiGetMultiNode@0 ; xHalAcpiGetMultiNode()
off_6B139C	dd offset _NtCompleteConnectPort@4
					; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+280r
					; KeBugCheck2(x,x,x,x,x,x)+9BFr ...
					; NtCompleteConnectPort(x)
off_6B13A0	dd offset _xHalIommuRegisterDispatchTable@4 ; DATA XREF: INIT:00ACD2A6r
					; xHalIommuRegisterDispatchTable(x)
off_6B13A4	dd offset @SymCryptFatalIntercept@4
					; DATA XREF: KeBugCheck2(x,x,x,x,x,x):loc_61C54Er
					; PopInvokeSystemStateHandler+2B4r ...
					; SymCryptFatalIntercept(x)
off_6B13A8	dd offset @SymCryptFatalIntercept@4
					; DATA XREF: KeClockInterruptNotify+12EAB3r
					; PopWriteHiberPages:loc_71B991r ...
					; SymCryptFatalIntercept(x)
off_6B13AC	dd offset @SymCryptFatalIntercept@4
					; DATA XREF: KeBugCheck2(x,x,x,x,x,x):loc_61BFF3r
					; PopInvokeSystemStateHandler+CE87r ...
					; SymCryptFatalIntercept(x)
off_6B13B0	dd offset _BiIsLogEnabled@0 ; DATA XREF: PopCheckForAbnormalResetr
					; PAGE:00780648r
					; BiIsLogEnabled()
off_6B13B4	dd offset _xKdReleasePciDeviceForDebugging@4
					; DATA XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+500r
					; PAGE:00780667r ...
					; xKdReleasePciDeviceForDebugging(x)
off_6B13B8	dd offset _ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment@8
					; DATA XREF: KeConnectInterrupt+8497Ar
					; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
off_6B13BC	dd offset _ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment@8
					; DATA XREF: KeQueryWakeSource(x,x)+2Er
					; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
		dd offset _ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig@4 ;	ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		dd offset _xHalProcessorFreeze@0 ; xHalProcessorFreeze()
		dd offset _xHalProcessorFreeze@0 ; xHalProcessorFreeze()
off_6B13CC	dd offset _ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment@8
					; DATA XREF: IoGetDmaAdapter+69r
					; IoGetDmaAdapter+B3r
					; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
off_6B13D0	dd offset _ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig@4
					; DATA XREF: VfGetDmaAdapter(x,x,x)+90r
					; VfLegacyGetAdapter(x,x)+76r
					; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		align 8
off_6B13D8	dd offset _xHalConvertPerformanceCounterToAuxiliaryCounter@16
					; DATA XREF: KeConvertPerformanceCounterToAuxiliaryCounter(x,x,x,x)+11r
					; NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x):loc_A0F4F3r ...
					; xHalConvertPerformanceCounterToAuxiliaryCounter(x,x,x,x)
off_6B13DC	dd offset _xHalConvertPerformanceCounterToAuxiliaryCounter@16
					; DATA XREF: KeConvertAuxiliaryCounterToPerformanceCounter(x,x,x,x)+11r
					; NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+95r ...
					; xHalConvertPerformanceCounterToAuxiliaryCounter(x,x,x,x)
off_6B13E0	dd offset _xKdReleasePciDeviceForDebugging@4
					; DATA XREF: KeQueryAuxiliaryCounterFrequency(x)+6r
					; NtQueryAuxiliaryCounterFrequency(x)+3Er ...
					; xKdReleasePciDeviceForDebugging(x)
		dd offset _ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig@4 ;	ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
off_6B13E8	dd offset _KeIsCetCapable@0
					; DATA XREF: IoInitializeBugCheckProgress(x,x)+3Ar
					; PopCheckpointSystemSleep:loc_7294C8r
					; KeIsCetCapable()
off_6B13EC	dd offset _xHalTimerQueryAndResetRtcErrors@4 ; DATA XREF: PAGELK:0071F184r
					; xHalTimerQueryAndResetRtcErrors(x)
		dd offset @SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		dd offset _xKdWatchdogDelayExpiration@4	; xKdWatchdogDelayExpiration(x)
		dd offset _ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete@16 ;	ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
off_6B13FC	dd offset _xHalTimerWatchdogQueryDueTime@4
					; DATA XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+303r
					; xHalTimerWatchdogQueryDueTime(x)
		dd offset _ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig@4 ;	ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		dd offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)
off_6B1408	dd offset _ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete@16
					; DATA XREF: IopEnumerateEnvironmentVariablesHal(x,x,x,x,x,x)+11r
					; ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
off_6B140C	dd offset _MmProtectDriverSection@12
					; DATA XREF: EtwpTraceLastBranchRecord(x,x,x,x)+F6r
					; MmProtectDriverSection(x,x,x)
		dd offset _KeIsCetCapable@0 ; KeIsCetCapable()
		dd offset _ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment@8 ; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
off_6B1418	dd offset _xHalpIsInterruptTypeSecondary@8
					; DATA XREF: EtwpInitializeLastBranchTracing+2Br
					; xHalpIsInterruptTypeSecondary(x,x)
		dd offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)
off_6B1420	dd offset _ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment@8
					; DATA XREF: EtwpUpdateLastBranchTracingConfiguration(x,x)+6Cr
					; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
off_6B1424	dd offset _ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig@4
					; DATA XREF: EtwpFreeLbrData(x)+29r
					; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
off_6B1428	dd offset _xKdReleasePciDeviceForDebugging@4
					; DATA XREF: PiIommuBlockDevice(x)+Er
					; xKdReleasePciDeviceForDebugging(x)
off_6B142C	dd offset _xHalIommuUnblockDevice@8 ; DATA XREF: PiIommuUnblockDevice(x)+1Dr
					; xHalIommuUnblockDevice(x,x)
off_6B1430	dd offset _xHalIommuUnblockDevice@8 ; DATA XREF: IoGetIommuInterface+14r
					; xHalIommuUnblockDevice(x,x)
off_6B1434	dd offset _ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment@8
					; DATA XREF: WheapGenericErrSrcRecover(x,x)+6r
					; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
off_6B1438	dd offset _ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig@4
					; DATA XREF: EtwGetKernelTraceTimestampSilo+16670Er
					; KiExecuteAllDpcs+12E44Fr ...
					; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		dd offset _xHalTopologyQueryProcessorRelationships@28 ;	xHalTopologyQueryProcessorRelationships(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
dword_6B1444	dd 0			; DATA XREF: PopPowerButtonWorkCallback(x)+150r
off_6B1448	dd offset _MiIsSoftwareEnclave@4 ; DATA	XREF: RtlGetMultiTimePrecise+4Fr
					; PipInitDeviceOverrideCache+235r
					; MiIsSoftwareEnclave(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
off_6B1464	dd offset _xHalpIsInterruptTypeSecondary@8
					; DATA XREF: PipDmgSaveDeviceDmarPolicy(x,x,x)+144r
					; xHalpIsInterruptTypeSecondary(x,x)
_PopPowerRequestAttributes dd 0		; DATA XREF: PopHandleSystemRequiredPowerRequestsUpdate+30r
					; PoClearPowerRequestInternal+DFr ...
off_6B146C	dd offset PopNotifySessionDisplayRequired
					; DATA XREF: PoClearPowerRequestInternal:loc_53F5BEr
					; PoSetPowerRequestInternal:loc_53FF52r ...
dword_6B1470	dd 0			; DATA XREF: PopDiagTraceIdleCheck+D3DB7r
					; NtPowerInformation+70Fr ...
		dd offset _PopSystemRequiredCallback@12	; PopSystemRequiredCallback(x,x,x)
dword_6B1478	dd 0			; DATA XREF: PopReadSystemAwayModePolicy+2Cr
		dd offset _PopAwayModePowerRequest@12 ;	PopAwayModePowerRequest(x,x,x)
dword_6B1480	dd 0			; DATA XREF: PopPowerRequestCleanUp(x)+7Bw
					; PopInitSIdle+15Ar
		dd offset _PopExecutionRequiredCallback@12 ; PopExecutionRequiredCallback(x,x,x)
		db    0
		db    0
		db    0
		db    0
		dd offset _PopPerfBoostPowerRequest@12 ; PopPerfBoostPowerRequest(x,x,x)
		db    0
		db    0
		db    0
		db    0
		dd offset _PopActiveLockScreenPowerRequest@12 ;	PopActiveLockScreenPowerRequest(x,x,x)
_EtwpFltIoNotifyRoutines dd offset @EtwGetKernelTraceTimestamp@8
					; DATA XREF: WmiQueryTraceInformation+10Ao
					; EtwGetKernelTraceTimestamp(x,x)
dword_6B149C	dd 0			; DATA XREF: EtwpEnableKernelTrace+1299DAw
					; EtwpDisableKernelTrace:loc_90D33Fw
dword_6B14A0	dd 0			; DATA XREF: EtwpEnableKernelTrace+1299F1w
					; EtwpDisableKernelTrace:loc_90D34Dw
dword_6B14A4	dd 0			; DATA XREF: EtwpEnableKernelTrace+129A0Cw
					; EtwpDisableKernelTrace:loc_90D35Bw
dword_6B14A8	dd 0			; DATA XREF: EtwpEnableKernelTrace+129A1Fw
					; EtwpDisableKernelTrace:loc_90D369w
dword_6B14AC	dd 0			; DATA XREF: EtwpEnableKernelTrace+20Bw
					; EtwpDisableKernelTrace+64w
_EtwpFileIoNotifyRoutines dd offset _EtwpTraceFileName@24
					; DATA XREF: EtwGetNotifyRoutineGroup(x,x)+44o
					; EtwpTraceFileName(x,x,x,x,x,x)
dword_6B14B4	dd 0			; DATA XREF: EtwpEnableKernelTrace+1EBw
					; EtwpDisableKernelTrace+4Fw
dword_6B14B8	dd 0			; DATA XREF: EtwpEnableKernelTrace+129973w
					; EtwpDisableKernelTrace:loc_90D2E8w
dword_6B14BC	dd 0			; DATA XREF: EtwpEnableKernelTrace+129961w
					; EtwpDisableKernelTrace:loc_90D2DBw
_CmpLazyWriterData dd 0			; DATA XREF: CmpArmLazyWriter:loc_433279r
					; CmpArmLazyWriter+17Er ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B14E8	dd 0			; DATA XREF: CmpArmLazyWriter:loc_4332ABr
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B1518	dd 0			; DATA XREF: CmpArmLazyWriter+72r
					; CmpArmLazyWriter+BBr	...
		dd offset CmpDoFlushNextHive
dword_6B1520	dd 0			; DATA XREF: CmpArmLazyWriter+7Dr
					; CmpArmLazyWriter:loc_43324Fw
dword_6B1524	dd 0			; DATA XREF: CmpArmLazyWriter+85r
					; CmpArmLazyWriter+11Bw
dword_6B1528	dd 3Ch			; DATA XREF: CmpDoFlushNextHive+F6r
					; CmpInitializeLazyWriters+11w
dword_6B152C	dd 3Ch			; DATA XREF: CmpArmLazyWriter+46r
					; CmpArmLazyWriter+E5r	...
dword_6B1530	dd 1388h		; DATA XREF: CmpArmLazyWriter+167r
dword_6B1534	dd 5			; DATA XREF: CmpDoFlushNextHive+17FC80r
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset CmpDoReconcileNextHive
		align 10h
dword_6B15A0	dd 0E10h		; DATA XREF: CmpDoReconcileNextHive+BDr
					; CmpIsHiveEligibleForLazyReconcile(x)+47r ...
dword_6B15A4	dd 258h			; DATA XREF: CmpDoReconcileNextHive+Br
		db  60h	; `
		db 0EAh	; 
		db    0
		db    0
dword_6B15AC	dd 1Eh			; DATA XREF: CmpDoReconcileNextHive+18AD1Er
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset CmpDoLocalizeNextHive
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B1618	dd 3Ch			; DATA XREF: CmpInitializeLazyWriters+34w
dword_6B161C	dd 3Ch			; DATA XREF: CmpDoLocalizeNextHive+6r
		db  88h	; 
		db  13h
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
_CmpMachineHiveList dd offset aHardware	; DATA XREF: CmpBuildMachineHiveMountPoint(x,x):loc_8850AAr
					; PAGE:00888897r ...
					; "HARDWARE"
off_6B162C	dd offset aMachine_1	; DATA XREF: CmpBuildMachineHiveMountPoint(x,x)+16r
					; CmpFinishSystemHivesLoad(x)+1B4r
					; "MACHINE\\"
dword_6B1630	dd 0			; DATA XREF: CmpBuildMachineHiveMountPoint(x,x)+22r
					; CmpBuildMachineHiveMountPoint(x,x)+3Cw ...
dword_6B1634	dd 0			; DATA XREF: CmpInitCmRM:loc_7D9790r
					; CmpInitCmRM+645r ...
dword_6B1638	dd 1			; DATA XREF: PAGE:00888778r
					; PAGE:008887D1r ...
dword_6B163C	dd 108h			; DATA XREF: PAGE:00888832r
					; PAGE:00888A82r
dword_6B1640	dd 200h			; DATA XREF: CmpFinishSystemHivesLoad(x)+215r
					; CmInitSystem1(x)+56Cr
dword_6B1644	dd 0			; DATA XREF: CmpInitCmRM:loc_7D9786r
					; CmpInitCmRM+612r ...
byte_6B1648	db 0			; DATA XREF: CmpFinishSystemHivesLoad(x)+18Fr
					; CmpFinishSystemHivesLoad(x):loc_88F653w ...
byte_6B1649	db 0			; DATA XREF: PAGE:00888D57w
					; CmpFinishSystemHivesLoad(x)+19Cr ...
byte_6B164A	db 0			; DATA XREF: PAGE:loc_888751w
dword_6B164B	dd 101h			; DATA XREF: PAGE:0088877Er
					; CmpFinishSystemHivesLoad(x)+204r ...
		align 10h
dword_6B1650	dd 0			; DATA XREF: CmpInitializeSystemHivesLoad+130o
					; PAGE:00888716r ...
		align 10h
dword_6B1660	dd 0			; DATA XREF: PAGE:00888D51r
					; CmpFinishSystemHivesLoad(x)+EAo ...
		align 10h
dword_6B1670	dd 0			; DATA XREF: CmpParseKey+408o
					; CmpFinishSystemHivesLoad(x)+33Ar ...
dword_6B1674	dd 0			; DATA XREF: CmRegisterMachineHiveLoadedNotification+B7r
					; CmpWaitForHiveMount+BCr
		align 10h
dword_6B1680	dd 0			; DATA XREF: CmRegisterMachineHiveLoadedNotification+A7r
					; CmRegisterMachineHiveLoadedNotification+C5r ...
dword_6B1684	dd 0			; DATA XREF: CmRegisterMachineHiveLoadedNotification+74r
					; CmRegisterMachineHiveLoadedNotification+95r ...
dword_6B1688	dd 0			; DATA XREF: CmRegisterMachineHiveLoadedNotification+7Fr
					; CmpInitializeMachineHiveLoadedCallbacks()+15o
		align 10h
dword_6B1690	dd 0			; DATA XREF: CmpNotifyMachineHiveLoaded(x)+15r
					; CmRegisterMachineHiveLoadedNotification+A2019r
dword_6B1694	dd 0			; DATA XREF: CmpNotifyMachineHiveLoaded(x)+6w
					; CmRegisterMachineHiveLoadedNotification+A2007w
dword_6B1698	dd 0			; DATA XREF: PAGE:00888792r
					; PAGE:008888E0r ...
dword_6B169C	dd 0			; DATA XREF: CmpInitializeSystemHivesLoad+47o
					; PAGE:loc_888D8Ar
		dd offset aSecurity_1	; "SECURITY"
		dd offset aMachine_1	; "MACHINE\\"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    8
		db    1
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
byte_6B16C4	db 1			; DATA XREF: CmpUpdateStateSeparationHiveOptions()+28w
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset aSoftware	; "SOFTWARE"
		dd offset aMachine_1	; "MACHINE\\"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B1728	dd 200h			; DATA XREF: CmpUpdateStateSeparationHiveOptions()+36w
		db  18h
		db    1
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
byte_6B1738	db 0			; DATA XREF: CmpFinishSystemHivesLoad(x)+35Br
		align 4
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset aSystem	; "SYSTEM"
		dd offset aMachine_1	; "MACHINE\\"
		db    0
		db    0
		db    0
		db    0
dword_6B179C	dd 0			; DATA XREF: CmpUpdateSystemHiveHysteresis+8r
					; CmpCanGrowHive+Dr ...
dword_6B17A0	dd 200h			; DATA XREF: CmpUpdateStateSeparationHiveOptions()+3Cw
		db    8
		db    3
		db    0
		db    0
dword_6B17A8	dd 400h			; DATA XREF: CmpInitializeSystemHive+D0r
		align 10h
byte_6B17B0	db 0			; DATA XREF: CmpFinishSystemHivesLoad(x)+3EFr
		align 4
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_6B17C8	db    0			; DATA XREF: CmpFinishSystemHivesLoad(x)+10Co
					; CmpFinishSystemHivesLoad(x)+118o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset aDefault	; "DEFAULT"
		dd offset aUser		; "USER\\"
		dd offset a_default	; ".DEFAULT"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    9
		db    1
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset aSam		; "SAM"
		dd offset aMachine_1	; "MACHINE\\"
		align 10h
		db    2
		db    2
		db    0
		db    0
		db    8
		db    1
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
byte_6B18A4	db 1			; DATA XREF: CmpUpdateStateSeparationHiveOptions():loc_AEC46Cw
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset aOsdata	; "OSDATA"
		dd offset aMachine_1	; "MACHINE\\"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db  18h
		db    1
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
byte_6B191B	db 0			; DATA XREF: CmpUpdateStateSeparationHiveOptions()+49w
byte_6B191C	db 0			; DATA XREF: PAGE:008887B1r
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_CmpBootLoadControl dd offset aHardware	; DATA XREF: CmInitSystem1(x):loc_AC7B1Fr
					; "HARDWARE"
dword_6B19EC	dd 0			; DATA XREF: CmpWaitForHiveMount+A1r
					; CmpWaitForHiveMount+B3r
dword_6B19F0	dd 0			; DATA XREF: CmpWaitForHiveMount+6Dr
					; CmInitSystem1(x)+1D6w
dword_6B19F4	dd 0			; DATA XREF: CmpWaitForHiveMount+7Co
					; CmpWaitForHiveMount:loc_8AA588r ...
dword_6B19F8	dd 0			; DATA XREF: CmpWaitForHiveMount+95w
		dd offset aSecurity_1	; "SECURITY"
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset aSoftware	; "SOFTWARE"
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset aSystem	; "SYSTEM"
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset a_default	; ".DEFAULT"
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset aS1518	; "S-1-5-18"
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset aSam		; "SAM"
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset aOsdata	; "OSDATA"
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KdDebuggerDataBlock db	   0		; DATA XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+89o
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+161o ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B1AA0	dd 0			; DATA XREF: KdInitSystem+1F8w
					; KdRegisterDebuggerDataBlock+6BFr
dword_6B1AA4	dd 0			; DATA XREF: KdInitSystem+1FDw
		dd offset _RtlpBreakWithStatusInstruction@0 ; RtlpBreakWithStatusInstruction()
		align 10h
dword_6B1AB0	dd 0			; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+6C0w
dword_6B1AB4	dd 0			; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+6B5w
		db    0
		db    0
		db    0
		db    0
		db  18h
		db    0
		db    1
		db    0
		dd offset _KiCallUserMode@16 ; KiCallUserMode(x,x,x,x)
		align 10h
		dd offset _PsLoadedModuleList
		align 8
		dd offset _PsActiveProcessHead
		align 10h
		dd offset _PspCidTable
		align 8
		dd offset _ExpSystemResourcesList
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _KeTimeIncrement
		align 8
		dd offset _KeBugCheckCallbackListHead
		align 10h
		dd offset _KiBugCheckData
		align 8
		dd offset _IopErrorLogListHead
		align 10h
		dd offset _ObpRootDirectoryObject
		align 8
		dd offset _ObpTypeObjectType
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _MmPfnDatabase
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _MmSizeOfPagedPoolInBytes
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B1BF8	dd 0			; DATA XREF: KdInitSystem+97w
dword_6B1BFC	dd 0			; DATA XREF: KdInitSystem+A1w
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PoolTrackTable
		align 10h
		dd offset _MmHighestUserAddress
		align 8
		dd offset _MmSystemRangeStart
		align 10h
		dd offset _MmUserProbeAddress
		align 8
		dd offset _KdPrintDefaultCircularBuffer
		align 10h
		dd 0AA72B8h
		align 8
		dd offset _KdPrintWritePointer
		align 10h
		dd offset _KdPrintRolloverCount
		align 10h
		dd offset _NtBuildLabEx
		align 10h
		dd offset _KiProcessorBlock
		align 8
		dd offset _MmUnloadedDrivers
		align 10h
		dd offset _MmLastUnloadedDriver
		align 8
		dd offset _VerifierTriageActionTaken
		align 10h
		dd offset _MmSpecialPoolTag
		align 8
		dd offset _KernelVerifier
		align 10h
		dd offset _MmVerifierData
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _CmNtCSDVersion
		align 8
		dd offset _MmPhysicalMemoryBlock
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  48h	; H
		db    1
		db 0A8h	; 
		db    0
		db  48h	; H
		db    0
		db  20h
		db    0
		db  80h	; 
		db    0
		db  90h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    5
		db  7Ch	; |
		db    1
		db  70h	; p
		db    1
		db  18h
		db    0
		db    0
		db  5Fh	; _
		db  3Ah	; :
		db  22h	; "
		db    4
		db    0
		db 0C0h	; 
		db    3
		db  14h
		db    0
		db  3Ch	; <
		db  3Dh	; =
		db  18h
		db    0
		db 0CCh	; 
		db    3
		db 0E0h	; 
		db    4
byte_6B1D4A	db 0			; DATA XREF: MiInitializeSystemDefaults+ACw
byte_6B1D4B	db 0			; DATA XREF: MiInitializeSystemDefaults+B2w
		align 10h
		dd offset _KdPrintCircularBuffer
		align 8
		dd offset _KdPrintBufferSize
		align 10h
off_6B1D60	dd offset _KeLoaderBlock ; DATA	XREF: KdInitSystem+15Dw
dword_6B1D64	dd 0			; DATA XREF: KdInitSystem+162w
		db  20h
		db  60h	; `
		db  1Ch
		db    0
		db  20h
		db    0
		db  20h
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0E4h	; 
		db    2
		db    8
		db    0
		db  10h
		db    0
		db  30h	; 0
		db    0
		db  18h
		db    0
		db  20h
		db    0
		db  38h	; 8
		db    0
		db  48h	; H
		db    0
		db  28h	; (
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _IopNumTriageDumpDataBlocks
		align 8
		dd offset _IopTriageDumpDataBlocks
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _EtwpDebuggerData
		align 10h
		db  68h	; h
		db  41h	; A
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  24h	; $
		db    0
		db    0
		db    0
		db  28h	; (
		db    0
		db    0
		db    0
		db  40h	; @
		db    1
		db    0
		db    0
		db 0CCh	; 
		db    2
		db    0
		db    0
		db  0Ch
		db    0
		db  3Ch	; <
		db  22h	; "
		db  10h
		db  22h	; "
		db  9Ch	; 
		db  42h	; B
		db    0
		db    0
		db  94h	; 
		db    1
		db  8Bh	; 
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0C0h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KiNumaQueryNodeDistance dd offset _KiNonNumaQueryNodeDistance@12
					; DATA XREF: KiPerformGroupConfiguration+10Cr
					; KeNumaInitialize()+4Aw
					; KiNonNumaQueryNodeDistance(x,x,x)
_KiNumaQueryNodeCapacity dd offset _KiNonNumaQueryNodeCapacity@8
					; DATA XREF: KiPerformGroupConfiguration+59r
					; KeNumaInitialize()+42w
					; KiNonNumaQueryNodeCapacity(x,x)
_KeZeroPages	dd offset @KiZeroPages@8 ; DATA	XREF: MiFreePagesFromMdl(x,x):loc_44A90Fr
					; MiFreePagesFromMdl(x,x)+BFr ...
					; KiZeroPages(x,x)
_PopPepLastCheckedDevice dd offset _PopPepDeviceList ; DATA XREF: PopPepWork+3Dr
					; PopPepWork+43o ...
; void PsKernelRangeList
_PsKernelRangeList dd offset _PspPicoProviderRoutines ;	DATA XREF: .data:_PspKernelRangeso
					; PipInitializeCoreDriversAndElam(x)+1Eo
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _MmUserProbeAddress
		db    4
		db    0
		db    0
		db    0
		dd offset _MmSystemRangeStart
		db    4
		db    0
		db    0
		db    0
		dd offset _MmHighestUserAddress
		db    4
		db    0
		db    0
		db    0
		dd offset _MmBadPointer
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PsWin32NullCallBack
		db    4
		db    0
		db    0
		db    0
		dd offset _PspSystemMitigationOptions
		db  18h
		db    0
		db    0
		db    0
		dd offset _KdpBootedNodebug
		db    1
		db    0
		db    0
		db    0
		db    8
		db    3
		db 0DFh	; 
		db 0FFh
		db    4
		db    0
		db    0
		db    0
		db  74h	; t
		db    2
		db 0DFh	; 
		db 0FFh
		db  40h	; @
		db    0
		db    0
		db    0
		dd offset _KiDynamicTraceEnabled
		db    4
		db    0
		db    0
		db    0
		dd offset _KiDynamicTraceCallouts
		db  2Ch	; ,
		db    0
		db    0
		db    0
		dd offset off_6B1438
		db    4
		db    0
		db    0
		db    0
		dd offset _BBTBuffer
		db    4
		db    0
		db    0
		db    0
		dd offset _PsAltSystemCallHandlers
		db    8
		db    0
		db    0
		db    0
dword_6B1EB8	dd 0			; DATA XREF: CmFcShutdownSystem(x)+Do
					; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+1A0r ...
		dd offset loc_424BAB+1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_TmLogExt	dw 6			; DATA XREF: CmpInitCmRM+221r
					; CmpInitCmRM+270o
		db    8
		db    0
		dd offset a_tm		; ".TM"
_CmpClfsLogPrefix dd 120010h		; DATA XREF: CmpInitCmRM+228r
					; CmpInitCmRM+24Bo ...
		dd offset a??Log	; "\\??\\LOG:"
_VrpRegistryValuesTable	db    0		; DATA XREF: VRegSetup+38o
		db    0
		db    0
		db    0
		db  30h	; 0
		db    1
		db    0
		db    0
		dd offset aAllowcontainer ; "AllowContainerNesting"
		dd offset _VrpAllowContainerNesting
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B1F28	dd 0			; DATA XREF: KiTraceLogNmiCallback(x):loc_99001Fr
					; KiTraceLogNmiCallback(x)+C2o	...
		dd offset loc_424DF5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B1F50	dd 0			; DATA XREF: PAGE:00822C91r
					; PAGE:00822CA5o ...
		dd offset loc_424FD2+5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B1F68	dd 0			; DATA XREF: PsShutdownSystem()+1EDr
					; PsShutdownSystem()+1FBw
dword_6B1F6C	dd 0			; DATA XREF: PsShutdownSystem():loc_9CB02Fr
					; PsShutdownSystem()+201w
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_RtlpDebugPrintCallbackList dd offset _RtlpDebugPrintCallbackList
					; DATA XREF: vDbgPrintExWithPrefixInternal+B4075r
					; vDbgPrintExWithPrefixInternal:loc_5F3282o ...
off_6B1F7C	dd offset _RtlpDebugPrintCallbackList
					; DATA XREF: DbgpInsertDebugPrintCallback(x)+48r
					; DbgpInsertDebugPrintCallback(x)+67w
unk_6B1F80	db  30h	; 0		; DATA XREF: SepDesktopAppxSubProcessToken(x,x,x,x,x)+18Bo
		db    0
		db  32h	; 2
		db    0
		dd offset aKernelOnecoreV ; "Kernel-OneCore-VailGuest"
_PotentialGlobalAttributePrefixes db  0Ch ; DATA XREF: SepPotentialGlobalTableAttribute+7o
		db    0
		db  0Eh
		db    0
		dd offset aEdp		; "EDP://"
off_6B1F90	dd offset ??_C@_15CBONDBCJ@?$AAC?$AAI@NNGAKEGL@
					; DATA XREF: LookupAceFlagsInTable+5Br
					; LookupAceFlagsInTable+76o
dword_6B1F94	dd 2			; DATA XREF: LookupAceFlagsInTable:loc_7EC605r
dword_6B1F98	dd 2			; DATA XREF: LookupAceFlagsInTable+3Fr
dword_6B1F9C	dd 3			; DATA XREF: LookupAceFlagsInTable:loc_7EC5C9r
dword_6B1FA0	dd 0			; DATA XREF: LookupAceFlagsInTable+27r
dword_6B1FA4	dd 0			; DATA XREF: LookupAceFlagsInTable:loc_91001Fr
		dd offset ??_C@_15FGCPPBFC@?$AAO?$AAI@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_15LAGCDKOC@?$AAN?$AAP@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_8BF773+1
		db    2
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_15HCBMMKJC@?$AAI?$AAD@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_15KGPFOBLH@?$AAC?$AAR@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  20h
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		dd offset unk_6FDB3C
		dd offset ??_C@_15BCCPBLBP@?$AAT?$AAP@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  40h	; @
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		dd offset unk_6B6270
		dd offset ??_C@_15OHIPBLFN@?$AAS?$AAA@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  40h	; @
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset unk_6B6268
		dd offset ??_C@_15LEJEIIHF@?$AAF?$AAA@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  80h	; 
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset unk_6B6268
off_6B2068	dd offset ??_C@_15CNLFACFL@?$AAN?$AAW@NNGAKEGL@
					; DATA XREF: LookupAccessMaskInTable(x,x,x)+42o
unk_6B206C	db    2			; DATA XREF: LookupAccessMaskInTable(x,x,x)+11o
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset ??_C@_15BKGLPCGJ@?$AAN?$AAR@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset ??_C@_15HFNGBCAN@?$AAN?$AAX@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset ??_C@_15MEHGPIAC@?$AAR?$AAP@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15JELLGJLB@?$AAW?$AAP@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  20h
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15EOFANBEN@?$AAC?$AAC@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15FDFFOBPF@?$AAD?$AAC@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15LPAGGDJI@?$AAL?$AAC@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset loc_8BF671+1
		db    2
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset loc_8BF683+1
		db    2
		db    0
		db    0
		db    0
		db  80h	; 
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15JOJLIOND@?$AAD?$AAT@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  40h	; @
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15KGPFOBLH@?$AAC?$AAR@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15IGNKAAHD@?$AAR?$AAC@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15ELMAKJHJ@?$AAW?$AAD@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15JMMBCOHI@?$AAW?$AAO@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15NAFBOLGP@?$AAS?$AAD@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15HPMIFLNA@?$AAG?$AAA@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15DNGEKDKB@?$AAG?$AAR@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  80h	; 
		db    3
		db    0
		db    0
		db    0
		dd offset loc_8BF6AD+1
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  40h	; @
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15FCNJEDMF@?$AAG?$AAX@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  20h
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15LEJEIIHF@?$AAF?$AAA@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db 0FFh
		db    1
		db  1Fh
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15PGDIHAAE@?$AAF?$AAR@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  89h	; 
		db    0
		db  12h
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15MBOGIADG@?$AAF?$AAW@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  16h
		db    1
		db  12h
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15JJIFJAGA@?$AAF?$AAX@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db 0A0h	; 
		db    0
		db  12h
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15IAKJLKL@?$AAK?$AAA@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  3Fh	; ?
		db    0
		db  0Fh
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15EKKGGDNK@?$AAK?$AAR@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  19h
		db    0
		db    2
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15HNHIJDOI@?$AAK?$AAW@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    6
		db    0
		db    2
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_15CFBLIDLO@?$AAK?$AAX@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  19h
		db    0
		db    2
		db    0
		db    3
		db    0
		db    0
		db    0
off_6B2228	dd offset ??_C@_13PNBDBPLL@?$AAA@NNGAKEGL@
					; DATA XREF: LookupAceTypeInTable(x,x,x)+39o
unk_6B222C	db    1			; DATA XREF: LookupAceTypeInTable(x,x,x)+11o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		dd offset ??_C@_13MKMNOPIJ@?$AAD@NNGAKEGL@
		db    1
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		dd offset loc_8BF6C9+1
		db    2
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		dd offset ??_C@_15KEEFCJIP@?$AAO?$AAD@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		dd offset ??_C@_15HGOKHIAF@?$AAA?$AAU@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset ??_C@_15FLPLGABA@?$AAA?$AAL@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset ??_C@_15EMOABJHF@?$AAO?$AAU@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    7
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset ??_C@_15GBPBABGA@?$AAO?$AAL@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset loc_8BF6ED+1
		db    2
		db    0
		db    0
		db    0
		db  11h
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset ??_C@_15IOAPDDI@?$AAT?$AAL@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  14h
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset ??_C@_15EGPOFAKI@?$AAF?$AAL@NNGAKEGL@	; "F"
		db    2
		db    0
		db    0
		db    0
		db  15h
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset ??_C@_15INEIOLJO@?$AAX?$AAA@NNGAKEGL@	; "XA"
		db    2
		db    0
		db    0
		db    0
		db    9
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		dd offset ??_C@_15LKJGBLKM@?$AAX?$AAD@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  0Ah
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		dd offset ??_C@_15CMNDMIPI@?$AAR?$AAA@NNGAKEGL@	; "RA"
		db    2
		db    0
		db    0
		db    0
		db  12h
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset ??_C@_15PCKCLKH@?$AAS?$AAP@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  13h
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset ??_C@_15FCDDCLFG@?$AAX?$AAU@NNGAKEGL@	; "XU"
		db    2
		db    0
		db    0
		db    0
		db  0Dh
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset ??_C@_15MAIAEKJF@?$AAZ?$AAA@NNGAKEGL@
		db    2
		db    0
		db    0
		db    0
		db  0Bh
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
unk_6B2338	db  1Ch			; DATA XREF: SmFirstTimeInit+326o
		db    0
		db  1Eh
		db    0
		dd offset ??_C@_1BO@NOPLGFGL@?$AAM?$AAe?$AAm?$AAC?$AAo?$AAm?$AAp?$AAr?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn@FNODOBFM@
_VfPersistentStateRoot db  9Ah ; 	; DATA XREF: VfClearVerifierSettings()+36o
		db    0
		db  9Ch	; 
		db    0
		dd offset aRegistryMach_7 ; "\\REGISTRY\\MACHINE\\OSBOOT\\ControlSetOver"...
dword_6B2348	dd 0			; DATA XREF: SetFailureLocation+15r
					; SetFailureLocation+61o ...
		dd offset loc_424B63+1
dword_6B2350	dd 0			; DATA XREF: CmpBounceContextStart+42r
		align 8
dword_6B2358	dd 0			; DATA XREF: CmpBounceContextStart:loc_91EB19r
dword_6B235C	dd 0			; DATA XREF: CmpBounceContextStart+105EFEr
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B2370	dd 0			; DATA XREF: VrpIoctlDeviceDispatch+57r
					; VrpIoctlDeviceDispatch+B2r ...
		dd offset loc_424C06+1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B2388	dd 0			; DATA XREF: VrpRegistryUnload(x)+5Br
					; VrpRegistryUnload(x)+69w
dword_6B238C	dd 0			; DATA XREF: VrpRegistryUnload(x):loc_9524E1r
					; VrpRegistryUnload(x)+6Fw
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B2398	dd 0			; DATA XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+2A7r
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+2BBo ...
		dd offset loc_424C4D+1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_MS_KernelPnP_Provider_Context dd 0	; DATA XREF: McTemplateK0dzd_EtwWriteTransfer(x,x,x,x,x,x)+71o
					; McTemplateK0hzr0_EtwWriteTransfer(x,x,x,x,x)+48o ...
dword_6B23C4	dd 0			; DATA XREF: PnpDiagInitialize()+22r
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  1Fh
		db    0
		dd offset _Microsoft_Windows_Kernel_PnPEnableBits
		dd offset _Microsoft_Windows_Kernel_PnPKeywords
		dd offset _Microsoft_Windows_Kernel_PnPLevels
dword_6B23F8	dd 0			; DATA XREF: PopDiagTraceFxDefaultPepWorkerEnd+B0r
					; PopDiagTraceFxDefaultPepWorkerEnd+C2o ...
		dd offset loc_424E7C+1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_PopBlackBoxEntries dd offset loc_410DC2+2 ; DATA XREF:	PopBlackBoxUpdate+28o
					; PopInitializePowerButtonHold(x)+144o
off_6B2424	dd offset aBlackboxScm	; DATA XREF: PopRecorderInit():loc_AD648Fr
					; "blackbox - SCM"
		db    1
		db    0
		db    0
		db    0
dword_6B242C	dd 0			; DATA XREF: PopRecorderInit()+17r
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
byte_6B2444	db 0			; DATA XREF: PopRecorderInit()+1Dw
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PopBlackBoxBsdGuid
		dd offset aBlackboxBsd	; "blackbox - BSD"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PopBlackBoxPnpGuid
		dd offset aBlackboxPnp	; "blackbox - PNP"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PopBlackBoxAcpiGuid
		dd offset aBlackboxAcpi	; "blackbox - ACPI"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PopBlackBoxPoIrpGuid
		dd offset aBlackboxPoirp ; "blackbox - POIRP"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_410D73+1
		dd offset aBlackboxWinlog ; "blackbox -	WINLOGON-NOTIFY"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PopBlackBoxPdcLockGuid
		dd offset aBlackboxPdcloc ; "blackbox -	PDCLOCK"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_410D4D+7
		dd offset aBlackboxPepwor ; "blackbox -	PEPWORKORDER"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PopBlackBoxPoPowerWatchdogGuid
		dd offset aBlackboxPowerw ; "blackbox -	POWERWATCHDOG"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PopBlackBoxPnpEventWorkerGuid
		dd offset aBlackboxPnpeve ; "blackbox -	PNPEVENTWORKER"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_410D9E+6
		dd offset aBlackboxDevice ; "blackbox -	DEVICECOMPLETIONQUEUE"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_410D83+1
		dd offset aBlackboxPnpdel ; "blackbox -	PNPDELAYEDREMOVEWORKER"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_410D93+1
		dd offset aBlackboxDxgDis ; "blackbox -	DXG-DISPLAY"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PopBlackBoxCrashedProcessGuid
		dd offset aBlackboxCrashe ; "blackbox -	CrashedProcess"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PopBlackBoxUsoCommitGuid
		dd offset aBlackboxUsocom ; "blackbox -	UsoCommit"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PopBlackBoxWheaGuid
		dd offset aBlackboxWhea	; "blackbox - WHEA"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_410CC3+1
		dd offset aBlackboxNtfs	; "blackbox - NTFS"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_410D32+2
		dd offset aBlackboxWinl_1 ; "blackbox -	Winlogon"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_410D21+3
		dd offset aBlackboxExplor ; "blackbox -	Explorer logon tasks"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PopBlackBoxExplorerCoreStartupGuid
		dd offset aBlackboxExpl_1 ; "blackbox -	Explorer core startup"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PopBlackBoxUserModeLKDReason
		dd offset aBlackboxUserMo ; "blackbox -	User mode LKD API caller dat"...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _PopBlackBoxCodeIntegrityGuid
		dd offset aBlackboxCi	; "blackbox - CI"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_PspActivePartitionListHead dd offset _PspActivePartitionListHead
					; DATA XREF: PsGetNextPartitionUnsafe(x)+18r
					; PsGetNextPartitionUnsafe(x):loc_4EAD8Co ...
off_6B29A4	dd offset _PspActivePartitionListHead
					; DATA XREF: PspAddPartitionToGlobalList(x)+12r
					; PspAddPartitionToGlobalList(x)+2Ew
dword_6B29A8	dd 0			; DATA XREF: SepLogUnmatchedSessionFlagImpersonationAttempt(x,x)+72r
					; SepLogUnmatchedSessionFlagImpersonationAttempt(x,x)+8Co ...
		dd offset loc_425075
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_WmipInUseRegEntryHead dd offset _WmipInUseRegEntryHead
					; DATA XREF: WmipDoFindRegEntryByDevice(x)r
					; WmipDoFindRegEntryByDevice(x)+5o ...
off_6B29D4	dd offset _WmipInUseRegEntryHead ; DATA	XREF: WmipAllocRegEntry+5Fr
					; WmipAllocRegEntry+87w
_WmipISChunkInfo dd offset _WmipISChunkInfoLookaside ; DATA XREF: WmipQueryAllData+2B6o
					; WmipQuerySetExecuteSI+16Eo ...
		db  34h	; 4
		db    0
		db    0
		db    0
		dd offset _WmipISCleanup@4 ; WmipISCleanup(x)
		align 8
		db  57h	; W
		db  6Dh	; m
		db  49h	; I
		db  53h	; S
_WmipGEChunkInfo dd offset _WmipGEChunkInfoLookaside ; DATA XREF: WmipDeleteMethod(x)+49o
					; WmipSendEnableRequest+73o ...
		db  70h	; p
		db    0
		db    0
		db    0
		dd offset _WmipGECleanup@4 ; WmipGECleanup(x)
		db    0
		db    0
		db    0
		db  10h
		db  57h	; W
		db  6Dh	; m
		db  47h	; G
		db  45h	; E
_WmipMRChunkInfo dd offset _WmipMRChunkInfoLookaside ; DATA XREF: WmipAddMofResource+24o
					; WmipAddMofResource+135o ...
		db  1Ch
		db    0
		db    0
		db    0
		dd offset _WmipMRCleanup@4 ; WmipMRCleanup(x)
		db    0
		db    0
		db    0
		db  10h
		db  57h	; W
		db  6Dh	; m
		db  4Dh	; M
		db  52h	; R
		db    0
		db    0
		db    0
		db    0
dword_6B2A18	dd 0			; DATA XREF: EtwpWriteProcessStarted:loc_7533EDr
					; EtwpWriteProcessStarted+44o ...
		dd offset word_4250FE+1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B2A40	dd 0			; DATA XREF: EtwTraceSystemTimeChange+6Br
					; EtwTraceSystemTimeChange+7Ao	...
		dd offset dword_425100+33h
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B2A68	dd 0			; DATA XREF: EtwTelemetryCoverageReport(x)+2EBr
					; EtwTelemetryCoverageReport(x)+2FAo ...
		dd offset dword_42514C+1Bh
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B2A90	dd 0			; DATA XREF: ExLogTimeZoneInformation()+1Dr
					; ExLogTimeZoneInformation()+1C2o ...
		dd offset dword_42514C+4Ah
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_TxtpTextCache	dd offset _TxtpTextCache ; DATA	XREF: BgpTxtDisplayCharacter+82o
					; BgpTxtDisplayCharacter+1D5o ...
		dd offset _TxtpTextCache
dword_6B2AC0	dd 0			; DATA XREF: TxtpAddCacheEntry:loc_A7659Ew
off_6B2AC4	dd offset _DEVPKEY_NODE	; DATA XREF: DrvDbGetDriverDatabaseMappedProperty:loc_8A859Er
					; DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+1Fo ...
		dd offset _DEVPKEY_DriverDatabase_Loaded
		dd offset _DEVPKEY_DriverDatabase_Selected
		dd offset _DEVPKEY_DriverDatabase_Disabled
		dd offset _DEVPKEY_DriverDatabase_AccessMask
		dd offset _DEVPKEY_DriverDatabase_LoadStatus
		dd offset _DEVPKEY_DriverDatabase_Extended
off_6B2AE0	dd offset ??_C@_0BF@DEPLDBNI@Kernel_Process_Crash@NNGAKEGL@
					; DATA XREF: PsSetProcessFaultInformation+81r
					; PsSetProcessFaultInformation:loc_847890o
dword_6B2AE4	dd 0			; DATA XREF: PsSetProcessFaultInformation+78r
					; PsSetProcessFaultInformation+8Fw
dword_6B2AE8	dd 0			; DATA XREF: PsSetProcessFaultInformation:loc_847867r
		align 10h
off_6B2AF0	dd offset loc_8BC905+1	; DATA XREF: PopTransitionTelemetryOsState+62Cr
					; PopTransitionTelemetryOsState:loc_86EA4Co
dword_6B2AF4	dd 0			; DATA XREF: PopTransitionTelemetryOsState+624r
					; PopTransitionTelemetryOsState+63Dw
dword_6B2AF8	dd 0			; DATA XREF: PopTransitionTelemetryOsState+613r
		align 10h
off_6B2B00	dd offset ??_C@_0CF@HAHHMNLJ@Kernel_OSStateChange_HiberbootR@NNGAKEGL@
					; DATA XREF: PopTransitionTelemetryOsState+A1r
					; PopTransitionTelemetryOsState:loc_86E4C1o
dword_6B2B04	dd 0			; DATA XREF: PopTransitionTelemetryOsState+99r
					; PopTransitionTelemetryOsState+B2w
dword_6B2B08	dd 0			; DATA XREF: PopTransitionTelemetryOsState+8Cr
		align 10h
_WmipNPEvent	dd offset _WmipNPEvent	; DATA XREF: IoWMIWriteEvent+97o
					; .data:_WmipNPEvento ...
		dd offset _WmipNPEvent
dword_6B2B18	dd 0			; DATA XREF: PnpTraceInterruptConnection+16r
					; PnpTraceInterruptConnection+2Bo ...
		dd offset loc_424D6E+1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_WmipDSChunkInfo dd offset _WmipDSChunkInfoLookaside
					; DATA XREF: WmipSendEnableDisableRequest+1FEo
					; WmipUpdateDataSource+A7o ...
		db  40h	; @
		db    0
		db    0
		db    0
		dd offset _WmipDSCleanup@4 ; WmipDSCleanup(x)
		db    0
		db    0
		db    0
		db  10h
		db  57h	; W
		db  6Dh	; m
		db  44h	; D
		db  53h	; S
		db    0
		db    0
		db    0
		db    0
dword_6B2B58	dd 0			; DATA XREF: BapdRecordFirmwareBootStats+2Do
					; BapdRecordFirmwareBootStats+20Fr ...
		dd offset unk_4251CC
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B2B70	dd 0			; DATA XREF: PopBootLoaderTraceProcess()+19r
					; PopBootLoaderTraceProcess()+27w
dword_6B2B74	dd 0			; DATA XREF: PopBootLoaderTraceProcess()+12r
					; PopBootLoaderTraceProcess()+2Dw
		align 10h
_BgpConsoleInterface dd	offset BgpConsoleInitialize
					; DATA XREF: BgConsoleGetInterface(x)+1Bo
					; TxtpAddCacheEntry+D08o
		dd offset _BgpConsoleClearScreen@0 ; BgpConsoleClearScreen()
		dd offset _BgpConsoleSetTextColor@8 ; BgpConsoleSetTextColor(x,x)
		dd offset _BgpConsoleDisplayString@4 ; BgpConsoleDisplayString(x)
		dd offset _BgpConsoleDisplayCharacter@20 ; BgpConsoleDisplayCharacter(x,x,x,x,x)
		dd offset _BgpConsoleGetState@4	; BgpConsoleGetState(x)
		dd offset _BgpConsoleGetCursorState@12 ; BgpConsoleGetCursorState(x,x,x)
		dd offset _BgpConsoleSetCursor@12 ; BgpConsoleSetCursor(x,x,x)
_VersionDataKeys dd offset aRegistryMac_23 ; DATA XREF:	CmpSetVersionData+77o
					; CmpSetVersionData+7Cr
					; "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft"
		align 8
		db  4Ch	; L
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_CmpConfigurationManagerKeyName	db 0B0h	;  ; DATA XREF: CmpFinishSystemHivesLoad(x)+634o
					; CmpSyncNextBackupHive()+DFo
		db    0
		db 0B2h	; 
		db    0
		dd offset aRegistryMac_22 ; "\\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROL"...
; Exported entry 682. HalDispatchTable
		public _HalDispatchTable
_HalDispatchTable db	4
		db    0
		db    0
		db    0
off_6B2BC4	dd offset _xHalQuerySystemInformation@16
					; DATA XREF: HvlStartBootLogicalProcessors+8A5DAr
					; BapdRecordFirmwareBootStats+BAr ...
					; xHalQuerySystemInformation(x,x,x,x)
off_6B2BC8	dd offset _xHalSetSystemInformation@12
					; DATA XREF: KiSetIntervalWorker(x,x)+Cr
					; EtwSetPerformanceTraceInformation(x,x,x)+532r ...
					; xHalSetSystemInformation(x,x,x)
		dd offset _xHalAllocatePmcCounterSet@16	; xHalAllocatePmcCounterSet(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		dd offset @HalExamineMBR@16 ; HalExamineMBR(x,x,x,x)
		dd offset @IoReadPartitionTable@16 ; IoReadPartitionTable(x,x,x,x)
		dd offset @IoSetPartitionInformation@16	; IoSetPartitionInformation(x,x,x,x)
		dd offset @IoWritePartitionTable@20 ; IoWritePartitionTable(x,x,x,x,x)
		dd offset _MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		dd offset @SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
		dd offset @SymCryptFatalIntercept@4 ; SymCryptFatalIntercept(x)
off_6B2BF0	dd offset _xHalProcessorFreeze@0 ; DATA	XREF: INIT:00AC2C52r
					; xHalProcessorFreeze()
		dd offset _ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment@8 ; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
dword_6B2BF8	dd 0			; DATA XREF: IoGetDmaAdapter+9Dr
		dd offset _xHalGetInterruptTranslator@28 ; xHalGetInterruptTranslator(x,x,x,x,x,x,x)
off_6B2C00	dd offset _xHalStartMirroring@0	; DATA XREF: MmCreateMirror():loc_9983EEr
					; xHalStartMirroring()
off_6B2C04	dd offset _ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig@4
					; DATA XREF: MmCreateMirror()+B3r
					; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
off_6B2C08	dd offset _ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete@16
					; DATA XREF: MmCreateMirror()+BCr
					; ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
off_6B2C0C	dd offset _xHalSaveAndDisableHvEnlightenment@0
					; DATA XREF: PopGracefulShutdown(x)+50r
					; CmpAcceptBoot:loc_8700ADr
					; xHalSaveAndDisableHvEnlightenment()
off_6B2C10	dd offset _ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete@16
					; DATA XREF: MmCreateMirror()+D8r
					; ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
		align 10h
off_6B2C20	dd offset _BgkNotifyDisplayOwnershipLost@4
					; DATA XREF: InbvSetFunction(x):loc_56E9E7o
					; InbvDetermineFunction:loc_56EA8Ao
					; BgkNotifyDisplayOwnershipLost(x)
		dd offset _BgkAcquireDisplayOwnership@0	; BgkAcquireDisplayOwnership()
		dd offset BgkNotifyDisplayOwnershipChange
		align 10h
		dd offset _BgkSolidColorFill@20	; BgkSolidColorFill(x,x,x,x,x)
		dd offset _BgkDisplayString@4 ;	BgkDisplayString(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _BgkSetTextColor@4 ; BgkSetTextColor(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _BgkSetDisplayOwnership@4 ; BgkSetDisplayOwnership(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset BvgaReleaseResources
		dd offset BgkSetVirtualFrameBuffer
		align 10h
off_6B2C80	dd offset _BvgaNotifyDisplayOwnershipLost@4
					; DATA XREF: InbvSetFunction(x):loc_56EA10o
					; InbvDetermineFunction+51o ...
					; BvgaNotifyDisplayOwnershipLost(x)
		dd offset _BvgaAcquireDisplayOwnership@0 ; BvgaAcquireDisplayOwnership()
		dd offset _BvgaNotifyDisplayOwnershipChange@8 ;	BvgaNotifyDisplayOwnershipChange(x,x)
		dd offset _BvgaResetDisplay@0 ;	BvgaResetDisplay()
		dd offset _BvgaSolidColorFill@20 ; BvgaSolidColorFill(x,x,x,x,x)
		dd offset _BvgaDisplayString@4 ; BvgaDisplayString(x)
		dd offset _BvgaEnableBootDriver@4 ; BvgaEnableBootDriver(x)
		dd offset _BvgaIsBootDriverInstalled@0 ; BvgaIsBootDriverInstalled()
		dd offset _BvgaCheckDisplayOwnership@0 ; BvgaCheckDisplayOwnership()
		dd offset _BvgaSetScrollRegion@16 ; BvgaSetScrollRegion(x,x,x,x)
		dd offset _BvgaSetTextColor@4 ;	BvgaSetTextColor(x)
		dd offset BvgaDriverInitialize
		dd offset _BvgaBitBlt@12 ; BvgaBitBlt(x,x,x)
		dd offset _BvgaUpdateProgressBar@4 ; BvgaUpdateProgressBar(x)
		dd offset _BvgaSetProgressBarSubset@8 ;	BvgaSetProgressBarSubset(x,x)
		dd offset _BvgaIndicateProgress@0 ; BvgaIndicateProgress()
		dd offset _BvgaGetResourceAddress@4 ; BvgaGetResourceAddress(x)
		dd offset _BvgaSetDisplayOwnership@4 ; BvgaSetDisplayOwnership(x)
		dd offset _BvgaGetDisplayState@0 ; BvgaGetDisplayState()
		dd offset _BvgaAcquireLock@0 ; BvgaAcquireLock()
		dd offset _BvgaReleaseLock@0 ; BvgaReleaseLock()
		dd offset BvgaReleaseResources
		dd offset _xHalIommuUnblockDevice@8 ; xHalIommuUnblockDevice(x,x)
		align 10h
dword_6B2CE0	dd 0			; DATA XREF: IoInitializeLiveDump()+1Do
					; IopLiveDumpTraceCaptureDumpDataBufferingDuration(x)+72r ...
		dd offset loc_424C95
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B2D08	dd 0			; DATA XREF: IopInitializeSystemVariableService+18o
					; ExpGetSystemFirmwareTableInformation+1301F3r	...
		dd offset loc_424CDC+1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_IopRegistryRegisteredCallbacks	dd offset aRegistryMac_24
					; DATA XREF: IopRegistryInitializeCallbacks+11o
					; IopRegistryCallback+2Ar
					; "\\Registry\\Machine\\System\\CurrentControl"...
dword_6B2D34	dd 4			; DATA XREF: IopRegistryCallback:loc_89BC4Er
					; IopRegistryCallback+92A45r ...
off_6B2D38	dd offset _IopSymlinkRegistryCallback@4
					; DATA XREF: IopRegistryInitializeCallbacks+1Dr
					; IopRegistryCallback+92A3Fr ...
					; IopSymlinkRegistryCallback(x)
dword_6B2D3C	dd 0			; DATA XREF: IopRegistryCallback:loc_92E5F1r
					; IopRegistryCallback:loc_92E630r
dword_6B2D40	dd 0			; DATA XREF: IopRegistryCallback+76r
					; IopRegistryCallback+8Aw ...
dword_6B2D44	dd 0			; DATA XREF: IopRegistryCallback+49r
					; IopRegistryCallback+92A7Ew
		dd offset _IopSymlinkRegistryInitCallback@4 ; IopSymlinkRegistryInitCallback(x)
		align 10h
dword_6B2D50	dd 0			; DATA XREF: IopRegistryCallback+36r
		align 10h
dword_6B2D60	dd 0			; DATA XREF: IopRegistryCallback+56r
					; IopRegistryCallback+92A4Br
		align 8
		dd offset aRegistryMac_19 ; "\\Registry\\Machine\\Software\\Policies\\Mic"...
		db    5
		db    0
		db    0
		db    0
		dd offset _IopSymlinkRegistryCallback@4	; IopSymlinkRegistryCallback(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B2DD8	dd 0			; DATA XREF: PnpTraceClearDevNodeProblem(x,x,x,x)+2Fr
					; PnpTraceClearDevNodeProblem(x,x,x,x)+43o ...
		dd offset loc_424DB1+1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B2E00	dd 0			; DATA XREF: PnpTraceDeviceConfig(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x):loc_986024r
					; PnpTraceDeviceConfig(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+97o ...
		dd offset dword_424D20+3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KseZeroPoolShim db  1Ch		; DATA XREF: KseZeroPoolInitialize+7o
		db    0
		db    0
		db    0
		dd offset _KseZeroPoolShimGuid
		dd offset aZeropool	; "ZeroPool"
		align 10h
		dd offset _KseZeroPoolShimHookCollections
_Win7VersionLieShim db	1Ch		; DATA XREF: KseVersionLieInitialize+9o
		db    0
		db    0
		db    0
		dd offset _Win7VersionLieShimGuid
		dd offset aKmwin7versionl ; "KmWin7VersionLie"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _Win7VersionHookCollections
_Win8VersionLieShim db	1Ch		; DATA XREF: KseVersionLieInitialize+23o
		db    0
		db    0
		db    0
		dd offset _Win8VersionLieShimGuid
		dd offset aKmwin8versionl ; "KmWin8VersionLie"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _Win8VersionHookCollections
_Win81VersionLieShim db	 1Ch		; DATA XREF: KseVersionLieInitialize+37o
		db    0
		db    0
		db    0
		dd offset _Win81VersionLieShimGuid
		dd offset aKmwin81version ; "KmWin81VersionLie"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _Win81VersionHookCollections
_KseDsShim	db  1Ch			; DATA XREF: KseDriverScopeInitialize+9o
		db    0
		db    0
		db    0
		dd offset _KseDsShimGuid
		dd offset aDriverscope	; "driverscope"
dword_6B2EA4	dd 0			; DATA XREF: KseDsCallbackHookAddDevice(x,x)+2Fr
					; KseDsCallbackHookDriverStartIo(x,x)+5r ...
		dd offset _KseDsHookDriverUntargeted@4 ; KseDsHookDriverUntargeted(x)
		dd offset _KseDsHookDriverTargeted@20 ;	KseDsHookDriverTargeted(x,x,x,x,x)
		dd offset _KseDsShimHookCollections
_KseSkipDriverUnloadShim db  1Ch	; DATA XREF: KseSkipDriverUnloadInitialize+7o
		db    0
		db    0
		db    0
		dd offset _KseSkipDriverUnloadShimGuid
		dd offset aSkipdriverunlo ; "SkipDriverUnload"
		db    0
		db    0
		db    0
		db    0
		dd offset _KseSkipDriverUnloadHookDriverUntargeted@4 ; KseSkipDriverUnloadHookDriverUntargeted(x)
		dd offset _KseSkipDriverUnloadHookDriverTargeted@20 ; KseSkipDriverUnloadHookDriverTargeted(x,x,x,x,x)
		dd offset _KseSkipDriverUnloadShimHookCollections
_MiVisiblePartition dd offset dword_6D5D80 ; DATA XREF:	MiInitNucleus(x)+30o
		align 8
unk_6B2ED8	db    0			; DATA XREF: MiInitSystem+433o
		db    0
		db    0
		db    0
		dd offset loc_424E3A+1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_PopCoalRegistrationList dd offset _PopCoalRegistrationList
					; DATA XREF: PoIssueCoalescingNotification(x,x,x)+3Ar
					; PoIssueCoalescingNotification(x,x,x):loc_64F9E3o ...
off_6B2F04	dd offset _PopCoalRegistrationList
					; DATA XREF: PoRegisterCoalescingCallback+89r
					; PoRegisterCoalescingCallback+A9w
_PopPolicyDeviceParameters db	 0	; DATA XREF: PopConnectToPolicyDevice+1Fo
		db    0
		db    0
		db    0
dword_6B2F0C	dd 0			; DATA XREF: PopPolicyDeviceTargetChange(x,x)+C6r
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B2F18	dd 0			; DATA XREF: PopPolicyDeviceRemove(x)+24r
		db 0A0h	; 
		db    3
		db    0
		db    0
		db  54h	; T
		db  68h	; h
		db  72h	; r
		db  6Dh	; m
		dd offset _PopThermal
		dd offset PopThermalZoneAdd
		dd offset _PopThermalZoneRemove@4 ; PopThermalZoneRemove(x)
		db 0A8h	; 
		db    0
		db    0
		db    0
		db  42h	; B
		db  61h	; a
		db  74h	; t
		db  74h	; t
		dd offset dword_6C2534
		dd offset _PopBatteryAdd@4 ; PopBatteryAdd(x)
		dd offset _PopBatteryRemove@4 ;	PopBatteryRemove(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  58h	; X
		db    0
		db    0
		db    0
		db  50h	; P
		db  46h	; F
		db  61h	; a
		db  6Eh	; n
		dd offset _PopFans
		dd offset _PopFanAdd@4	; PopFanAdd(x)
		dd offset _PopFanRemove@4 ; PopFanRemove(x)
dword_6B2FD0	dd 0			; DATA XREF: SshpWriteBlocker(x,x,x)+237r
					; SshpWriteBlocker(x,x,x)+249o	...
		dd offset loc_424F13+2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B2FE8	dd 0			; DATA XREF: SshpUninitialize()+17r
					; SshpUninitialize()+25w
dword_6B2FEC	dd 0			; DATA XREF: SshpUninitialize()+12r
					; SshpUninitialize()+2Bw
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_PspKernelRanges dd offset _PsKernelRangeList
					; DATA XREF: PipInitializeCoreDriversAndElam(x)+2Fw
dword_6B2FFC	dd 14h			; DATA XREF: PipInitializeCoreDriversAndElam(x)+39w
_WmipRegWorkList dd offset _WmipRegWorkList ; DATA XREF: .data:_WmipRegWorkListo
					; .data:off_6B3004o ...
off_6B3004	dd offset _WmipRegWorkList ; DATA XREF:	WmipQueueRegWork(x,x)+38r
					; WmipQueueRegWork(x,x)+4Fw
off_6B3008	dd offset ??_C@_0BA@CPIFCMIM@ETW_TelCov_Boot@NNGAKEGL@
					; DATA XREF: EtwpCoverageEnsureContext()+36Dr
					; EtwpCoverageEnsureContext():loc_8AF48Do
dword_6B300C	dd 0			; DATA XREF: EtwpCoverageEnsureContext()+364r
					; EtwpCoverageEnsureContext()+37Ew
dword_6B3010	dd 0			; DATA XREF: EtwpCoverageEnsureContext()+357r
		align 8
unk_6B3018	db  32h	; 2		; DATA XREF: ExpInitFullProcessSecurityInfo(x,x,x)+77o
		db    0
		db  34h	; 4
		db    0
		dd offset ??_C@_1DE@HOCGNCOF@?$AAF?$AAu?$AAl?$AAl?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAI?$AAn?$AAf?$AAo@LBKOJDO@
_WheaDeviceDriverDefaultSourceConfig db	   0 ; DATA XREF: WheaAddErrorSourceDeviceDriver+4Bo
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _WheapDeviceDriverCreateRecord@20 ; WheapDeviceDriverCreateRecord(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_6B3040	db    0			; DATA XREF: sub_8820B8+4Ao
		db    0
		db    0
		db    0
		dd offset byte_425219+2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
off_6B3068	dd offset ??_C@_1BG@IBFJLDBC@?$AA?$CF?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AA3?$AA2?$AA?$CF@NNGAKEGL@
					; DATA XREF: AslpEnvResolveVars+3Cr
off_6B306C	dd offset ??_C@_1CM@JBIGCHCD@?$AA?$CF?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt?$AA?$CF?$AA?2?$AAs?$AAy@NNGAKEGL@
					; DATA XREF: AslpEnvResolveVars+92081r
dword_6B3070	dd 0Ah			; DATA XREF: AslpEnvResolveVars+31r
					; AslpEnvResolveVars+5Br ...
dword_6B3074	dd 15h			; DATA XREF: AslpEnvResolveVars+55r
		dd offset ??_C@_1BI@CLEAEAIO@?$AA?$CF?$AAs?$AAy?$AAs?$AAn?$AAa?$AAt?$AAi?$AAv?$AAe?$AA?$CF@NNGAKEGL@
		dd offset ??_C@_1CM@JBIGCHCD@?$AA?$CF?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt?$AA?$CF?$AA?2?$AAs?$AAy@NNGAKEGL@
		db  0Bh
		db    0
		db    0
		db    0
		db  15h
		db    0
		db    0
		db    0
		dd offset ??_C@_1BC@CGIBIBCK@?$AA?$CF?$AAw?$AAi?$AAn?$AAd?$AAi?$AAr?$AA?$CF@NNGAKEGL@
		dd offset ??_C@_1BK@JEOALCGP@?$AA?$CF?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt?$AA?$CF@NNGAKEGL@
		db    8
		db    0
		db    0
		db    0
		db  0Ch
		db    0
		db    0
		db    0
		dd offset loc_8C5435+5
		dd offset loc_8C5460+4
		db  14h
		db    0
		db    0
		db    0
		db  1Bh
		db    0
		db    0
		db    0
dword_6B30A8	dd 0			; DATA XREF: _tlgWriteTemplate<long (_tlgProvider_t const *,void const *,_GUID const *,_GUID const *,uint,_EVENT_DATA_DESCRIPTOR *),&_tlgWriteTransfer_EtwWriteTransfer(_tlgProvider_t const *,void const *,_GUID const	*,_GUID	const *,uint,_EVENT_DATA_DESCRIPTOR *),_GUID const *,_GUID const *>::Write<_tlgWrapperByRef<16>,_tlgWrapperByRef<8>,_tlgWrapperByRef<8>,_tlgWrapperByRef<8>,_tlgWrapperByVal<4>,_tlgWrapperByVal<4>,_tlgWrapperByVal<4>,_tlgWrapperByVal<4>,_tlgWrapperByVal<4>>(_tlgProvider_t	const *,void const *,_GUID const *,_GUID const *,_tlgWrapperByRef<16> const &,_tlgWrapperByRef<8> const	&,_tlgWrapperByRef<8> const &,_tlgWrapperByRef<8> const	&,_tlgWrapperByVal<4> const &,_tlgWrapperByVal<4> const	&,_tlgWrapperByVal<4> const &,_tlgWrapperByVal<4> const	&,_tlgWrapperByVal<4> const &)+8Ao
					; TlgRegisterAggregateProviderEx+DAo ...
		dd offset dword_425248+22h
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_TmContainerExt	dw 18h			; DATA XREF: CmpInitCmRM+33Dr
					; CmpInitCmRM+36Ar
		db  1Ah
		db    0
; void *off_6B30D4
off_6B30D4	dd offset a_regtransMs	; DATA XREF: CmpInitCmRM+375r
					; ".regtrans-ms"
_IopRevocationExtension	dd offset _IopStaticRevocationExtension
					; DATA XREF: IopAllocateFileObjectExtension:loc_486886r
					; IopDeleteFileObjectExtension+16r ...
_SepSingletonGlobal dd offset _SepSingletonGlobalData
					; DATA XREF: SepGetSingletonEntryFromIndexNumber(x)+9r
					; SepGetSingletonEntryFromIndexNumber(x)+1Dr ...
off_6B30E0	dd offset _DEVPKEY_Device_InstanceId ; DATA XREF: .text:00401B04o
off_6B30E4	dd offset _DEVPKEY_DeviceInterface_FriendlyName
					; DATA XREF: .text:off_401AF8o
_pXdvKeLowerIrql dd offset _KeLowerIrql@4 ; DATA XREF: PAGEVRFD:00AAB368o
					; KeLowerIrql(x)
_pXdvKeRaiseIrql dd offset _KeRaiseIrql@8 ; DATA XREF: PAGEVRFD:00AAB338o
					; KeRaiseIrql(x,x)
off_6B30F0	dd offset _DEVPKEY_Device_UpdateWithUngroupedDrivers
					; DATA XREF: .text:00401634o
		dd offset _DEVPKEY_Device_DriverInGroup
off_6B30F8	dd offset _DEVPKEY_Device_LowerFilters ; DATA XREF: .text:00401628o
		dd offset _DEVPKEY_Device_LowerFilterCache
off_6B3100	dd offset _DEVPKEY_Device_UpperFilters ; DATA XREF: .text:0040161Co
		dd offset _DEVPKEY_Device_UpperFilterCache
off_6B3108	dd offset loc_4110EC+4	; DATA XREF: .text:00401594o
					; .text:00401610o
		dd offset _DEVPKEY_Device_DevNodeStatusHasProblem
		dd offset _DEVPKEY_Device_ProblemCode
		dd offset _DEVPKEY_Device_IsPresent
off_6B3118	dd offset _DEVPKEY_Device_IsPresent ; DATA XREF: .text:off_40157Co
					; .text:00401604o
		dd offset _DEVPKEY_Device_PresenceNotForDevice
		dd offset _DEVPKEY_Device_DevNodeStatusDeviceDisconnected
off_6B3124	dd offset _DEVPKEY_Device_BaseContainerId ; DATA XREF: .text:004015F8o
off_6B3128	dd offset _DEVPKEY_Device_IsPresent ; DATA XREF: .text:004015ECo
		dd offset _DEVPKEY_Device_DevNodeStatusStarted
		dd offset _DEVPKEY_Device_Capabilities
		dd offset _DEVPKEY_Device_SafeRemovalRequiredOverride
		dd offset _DEVPKEY_Device_Parent
off_6B313C	dd offset _DEVPKEY_Device_ClassGuid ; DATA XREF: .text:004015E0o
off_6B3140	dd offset _DEVPKEY_Device_IsPresent ; DATA XREF: .text:004015D4o
		dd offset _DEVPKEY_Device_ConfigFlags
off_6B3148	dd offset _DEVPKEY_Device_IsPresent ; DATA XREF: .text:004015C8o
		dd offset _DEVPKEY_Device_ConfigFlags
off_6B3150	dd offset _DEVPKEY_Device_DevNodeStatusPrivateProblem
					; DATA XREF: .text:00401588o
					; .text:004015BCo
		dd offset _DEVPKEY_Device_DevNodeStatusHasProblem
		dd offset _DEVPKEY_Device_DevNodeStatusStarted
		dd offset _DEVPKEY_Device_ProblemCode
		dd offset _DEVPKEY_Device_Capabilities
		dd offset _DEVPKEY_Device_IsPresent
off_6B3168	dd offset _DEVPKEY_Device_FriendlyName ; DATA XREF: .text:off_4015B0o
		dd offset _DEVPKEY_Device_DeviceDesc
off_6B3170	dd offset _DEVPKEY_Device_ContainerId ;	DATA XREF: .text:off_4015A0o
		dd offset _DEVPKEY_Device_BaseContainerId
_KvfFeatureStates dd 0			; DATA XREF: KvfCommitFeatureStates+4Ar
					; KvfInitFeatureStatesr ...
unk_6B317C	db  2Ch	; ,		; DATA XREF: KvfCommitFeatureStates+81D30o
		db    0
		db  2Eh	; .
		db    0
		dd offset aKvf_hotpatchsi ; "KVF_HotPatchSimulation"
		align 8
_HalIommuDispatch dd offset _HalIommuDispatchTable ; DATA XREF:	ExFreeSvmAsid+D047Ar
					; ExFreeSvmAsid:loc_5D878Br ...
		align 10h
_HalIommuDispatchTable dd offset _KeIsCetCapable@0 ; DATA XREF:	.data:_HalIommuDispatcho
					; KeIsCetCapable()
		dd offset _xHalIommuGetConfiguration@16	; xHalIommuGetConfiguration(x,x,x,x)
		dd offset _xHalIommuGetLibraryContext@12 ; xHalIommuGetLibraryContext(x,x,x)
		dd offset _xHalIommuMapDevice@16 ; xHalIommuMapDevice(x,x,x,x)
		dd offset _xHalIommuUnblockDevice@8 ; xHalIommuUnblockDevice(x,x)
		dd offset _xHalIommuUnblockDevice@8 ; xHalIommuUnblockDevice(x,x)
		dd offset _xHalIommuUnblockDevice@8 ; xHalIommuUnblockDevice(x,x)
		dd offset _xHalIommuUnblockDevice@8 ; xHalIommuUnblockDevice(x,x)
		dd offset _xKdReleasePciDeviceForDebugging@4 ; xKdReleasePciDeviceForDebugging(x)
		dd offset _xKdUnmapVirtualAddress@12 ; xKdUnmapVirtualAddress(x,x,x)
		dd offset _xKdUnmapVirtualAddress@12 ; xKdUnmapVirtualAddress(x,x,x)
		dd offset _xHalTimerQueryAndResetRtcErrors@4 ; xHalTimerQueryAndResetRtcErrors(x)
		dd offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)
		dd offset _MiRevokeExecuteTail@4 ; MiRevokeExecuteTail(x)
		dd offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)
		dd offset ?SmpStoreMgrCallback@@YGJPAU_SMKM_STORE_LIST@@PAXW4_SMKM_CALLBACK_TYPE@@@Z ; SmpStoreMgrCallback(_SMKM_STORE_LIST *,void *,_SMKM_CALLBACK_TYPE)
		dd offset _xHalIommuGetLibraryContext@12 ; xHalIommuGetLibraryContext(x,x,x)
		dd offset _xHalIommuUnblockDevice@8 ; xHalIommuUnblockDevice(x,x)
		dd offset _xKdReleasePciDeviceForDebugging@4 ; xKdReleasePciDeviceForDebugging(x)
_KseZeroPoolKernelHooks	db    0		; DATA XREF: .data:006B3204o
		db    0
		db    0
		db    0
		dd offset aExallocatepo_1 ; "ExAllocatePoolWithTag"
		dd offset _KseHookExAllocatePoolWithTag@12 ; KseHookExAllocatePoolWithTag(x,x,x)
dword_6B31E8	dd 0			; DATA XREF: KseHookExAllocatePoolWithTag(x,x,x)+Fr
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KseZeroPoolShimHookCollections	db    0	; DATA XREF: .data:006B2E40o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _KseZeroPoolKernelHooks
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_Win81VersionKernelHooks db    0	; DATA XREF: .data:006B32DCo
		db    0
		db    0
		db    0
		dd offset aRtlgetversion ; "RtlGetVersion"
		dd offset _Win81RtlGetVersion@4	; Win81RtlGetVersion(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset aPsgetversion	; "PsGetVersion"
		dd offset _Win81PsGetVersion@16	; Win81PsGetVersion(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_Win7VersionKernelHooks	db    0		; DATA XREF: .data:006B327Co
		db    0
		db    0
		db    0
		dd offset aRtlgetversion ; "RtlGetVersion"
		dd offset _Win7RtlGetVersion@4 ; Win7RtlGetVersion(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset aPsgetversion	; "PsGetVersion"
		dd offset _Win7PsGetVersion@16 ; Win7PsGetVersion(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_Win7VersionHookCollections db	  0	; DATA XREF: .data:006B2E5Co
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _Win7VersionKernelHooks
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_Win8VersionKernelHooks	db    0		; DATA XREF: .data:006B32C4o
		db    0
		db    0
		db    0
		dd offset aRtlgetversion ; "RtlGetVersion"
		dd offset _Win8RtlGetVersion@4 ; Win8RtlGetVersion(x)
		align 10h
		dd offset aPsgetversion	; "PsGetVersion"
		dd offset _Win8PsGetVersion@16 ; Win8PsGetVersion(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_Win8VersionHookCollections db	  0	; DATA XREF: .data:006B2E78o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _Win8VersionKernelHooks
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_Win81VersionHookCollections db	   0	; DATA XREF: .data:006B2E94o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _Win81VersionKernelHooks
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KseDsShimIrpHooks db	 1		; DATA XREF: .data:006B33A8o
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset _KseDsCallbackHookDriverStartIo@8 ; KseDsCallbackHookDriverStartIo(x,x)
		align 10h
		db    1
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset _KseDsCallbackHookDriverUnload@4 ; KseDsCallbackHookDriverUnload(x)
		align 10h
		db    1
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _KseDsCallbackHookAddDevice@8	; KseDsCallbackHookAddDevice(x,x)
		align 10h
		db    1
		db    0
		db    0
		db    0
		db  67h	; g
		db    0
		db    0
		db    0
		dd offset _KseDsCallbackHookIrpFunction@8 ; KseDsCallbackHookIrpFunction(x,x)
		align 10h
		db    1
		db    0
		db    0
		db    0
		db  68h	; h
		db    0
		db    0
		db    0
		dd offset _KseDsCallbackHookIrpFunction@8 ; KseDsCallbackHookIrpFunction(x,x)
		align 10h
		db    1
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		dd offset _KseDsCallbackHookIrpFunction@8 ; KseDsCallbackHookIrpFunction(x,x)
		align 10h
		db    1
		db    0
		db    0
		db    0
		db  72h	; r
		db    0
		db    0
		db    0
		dd offset _KseDsCallbackHookIrpDeviceControlFunction@8 ; KseDsCallbackHookIrpDeviceControlFunction(x,x)
		align 10h
		db    1
		db    0
		db    0
		db    0
		db  73h	; s
		db    0
		db    0
		db    0
		dd offset _KseDsCallbackHookIrpDeviceControlFunction@8 ; KseDsCallbackHookIrpDeviceControlFunction(x,x)
		align 10h
		db    1
		db    0
		db    0
		db    0
		db  7Ah	; z
		db    0
		db    0
		db    0
		dd offset _KseDsCallbackHookIrpPowerFunction@8 ; KseDsCallbackHookIrpPowerFunction(x,x)
		align 10h
		db    1
		db    0
		db    0
		db    0
		db  7Fh	; 
		db    0
		db    0
		db    0
		dd offset _KseDsCallbackHookIrpPnpFunction@8 ; KseDsCallbackHookIrpPnpFunction(x,x)
		align 10h
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KseDsShimHookCollections db	3	; DATA XREF: .data:006B2EB0o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _KseDsShimIrpHooks
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _KseDsKernelHooks
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KseDsKernelHooks db	0		; DATA XREF: .data:006B33B4o
		db    0
		db    0
		db    0
		dd offset aIocreatedevice ; "IoCreateDevice"
		dd offset _KseDsHookIoCreateDevice@28 ;	KseDsHookIoCreateDevice(x,x,x,x,x,x,x)
dword_6B33D4	dd 0			; DATA XREF: KseDsHookIoCreateDevice(x,x,x,x,x,x,x)+1Dr
		db    0
		db    0
		db    0
		db    0
		dd offset aPorequestpower ; "PoRequestPowerIrp"
		dd offset _KseDsHookPoRequestPowerIrp@24 ; KseDsHookPoRequestPowerIrp(x,x,x,x,x,x)
dword_6B33E4	dd 0			; DATA XREF: KseDsHookPoRequestPowerIrp(x,x,x,x,x,x)+22r
		db    0
		db    0
		db    0
		db    0
		dd offset aExallocatepo_1 ; "ExAllocatePoolWithTag"
		dd offset _KseDsHookExAllocatePoolWithTag@12 ; KseDsHookExAllocatePoolWithTag(x,x,x)
dword_6B33F4	dd 0			; DATA XREF: KseDsHookExAllocatePoolWithTag(x,x,x)+Fr
		db    0
		db    0
		db    0
		db    0
		dd offset aExfreepoolwith ; "ExFreePoolWithTag"
		dd offset _KseDsHookExFreePoolWithTag@8	; KseDsHookExFreePoolWithTag(x,x)
dword_6B3404	dd 0			; DATA XREF: KseDsHookExFreePoolWithTag(x,x)+Br
		db    0
		db    0
		db    0
		db    0
		dd offset aExallocatepool ; "ExAllocatePool"
		dd offset _KseDsHookExAllocatePool@8 ; KseDsHookExAllocatePool(x,x)
dword_6B3414	dd 0			; DATA XREF: KseDsHookExAllocatePool(x,x)+Cr
		db    0
		db    0
		db    0
		db    0
		dd offset aExfreepool	; "ExFreePool"
		dd offset _KseDsHookExFreePool@4 ; KseDsHookExFreePool(x)
dword_6B3424	dd 0			; DATA XREF: KseDsHookExFreePool(x)+8r
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KseSkipDriverUnloadShimIrpHooks db    1 ; DATA	XREF: .data:006B3460o
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset _KseSkipDriverUnloadCallbackHookDriverUnload@4 ; KseSkipDriverUnloadCallbackHookDriverUnload(x)
		align 8
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KseSkipDriverUnloadShimHookCollections	db    3	; DATA XREF: .data:006B2ECCo
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _KseSkipDriverUnloadShimIrpHooks
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
word_6B3470	dw 0			; DATA XREF: AslpEnvResolveVars+7Cr
					; AslEnvGetSystem32DirPathBuf(x,x,x,x,x):loc_A2411Ar ...
word_6B3472	dw 0			; DATA XREF: AslpEnvResolveVars:loc_89C9ECr
					; AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+5Er ...
; int off_6B3474
off_6B3474	dd offset aSystem32	; DATA XREF: AslpEnvResolveVars+F8r
					; AslEnvGetSystem32DirPathBuf(x,x,x,x,x):loc_A2414Cr
					; "\\System32"
		db    5
		db    0
		db    5
		db    0
		dd offset aSystem32	; "\\System32"
		db    9
		db    0
		db    9
		db    0
		dd offset aSystem32	; "\\System32"
		db    9
		db    0
		db    0
		db    0
		dd offset aSyswow64	; "\\SysWOW64"
		db  0Ch
		db    0
		db  0Ch
		db    0
		dd offset aSystem32	; "\\System32"
		db  0Ch
		db    0
		db    0
		db    0
		dd offset aSyswow64	; "\\SysWOW64"
		db  0Ch
		db    0
		db    5
		db    0
		dd offset aSysarm32	; "\\SysARM32"
; void *off_6B34A8
off_6B34A8	dd offset unk_6B64A4	; DATA XREF: IoQueryVhdBootInformation+22r
					; VhdInitialize+F7D6w
		align 10h
_CmpBackupCountValueName db  16h	; DATA XREF: CmpSyncNextBackupHive()+106o
		db    0
		db  18h
		db    0
		dd offset aBackupcount	; "BackupCount"
_MS_StorageTiering_Provider_Context db	  0
					; DATA XREF: McTemplateK0jq_EtwWriteTransfer(x,x,x,x,x)+3Bo
					; McTemplateK0xxxqq_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)+4Do ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    5
		db    0
		dd offset _Microsoft_Windows_Storage_Tiering_IoHeatEnableBits
		dd offset _Microsoft_Windows_Storage_Tiering_IoHeatKeywords
		dd offset _Microsoft_Windows_Storage_Tiering_IoHeatLevels
_PalettePtr	dd offset unk_6CD9A8	; DATA XREF: FadePalette(x)+6r
					; RotBarUpdate()+1B6r
_pbih		dd offset _PaletteBmp	; DATA XREF: RotBarInit()r
_PnpEmptyUnicodeString db    0		; DATA XREF: PnpTraceRebalanceResult(x):loc_986A6Eo
		db    0
		db    2
		db    0
		dd offset dword_40FDC4
_AlpcpLogCallbackListHead dd offset _AlpcpLogCallbackListHead
					; DATA XREF: .data:_AlpcpLogCallbackListHeado
					; .data:off_6B3504o ...
off_6B3504	dd offset _AlpcpLogCallbackListHead
					; DATA XREF: AlpcRegisterLogRoutine(x)+4Dr
					; AlpcRegisterLogRoutine(x)+71w
off_6B3508	dd offset loc_8BCAA2+2	; DATA XREF: PopTransitionTelemetryOsState+9D92Dr
					; PopTransitionTelemetryOsState:loc_90BD4Do
dword_6B350C	dd 0			; DATA XREF: PopTransitionTelemetryOsState+9D925r
					; PopTransitionTelemetryOsState+9D93Ew
dword_6B3510	dd 0			; DATA XREF: PopTransitionTelemetryOsState+9D914r
		align 8
off_6B3518	dd offset ??_C@_0BO@GJLIHBGE@Kernel_OSStateChange_CSResume@NNGAKEGL@
					; DATA XREF: PopTransitionTelemetryOsState+9D966r
					; PopTransitionTelemetryOsState:loc_90BD86o
dword_6B351C	dd 0			; DATA XREF: PopTransitionTelemetryOsState+9D95Er
					; PopTransitionTelemetryOsState+9D977w
dword_6B3520	dd 0			; DATA XREF: PopTransitionTelemetryOsState:loc_90BD57r
		align 8
off_6B3528	dd offset ??_C@_0CF@PKCAICNE@Kernel_OSStateChange_HibernateR@NNGAKEGL@
					; DATA XREF: PopTransitionTelemetryOsState+9D99Fr
					; PopTransitionTelemetryOsState:loc_90BDBFo
dword_6B352C	dd 0			; DATA XREF: PopTransitionTelemetryOsState+9D997r
					; PopTransitionTelemetryOsState+9D9B0w
dword_6B3530	dd 0			; DATA XREF: PopTransitionTelemetryOsState:loc_90BD90r
		align 8
off_6B3538	dd offset ??_C@_0BP@BPFAGDNN@Kernel_OSStateChange_Hibernate@NNGAKEGL@
					; DATA XREF: PopTransitionTelemetryOsState+9DA9Er
					; PopTransitionTelemetryOsState:loc_90BEBEo
dword_6B353C	dd 0			; DATA XREF: PopTransitionTelemetryOsState+9DA96r
					; PopTransitionTelemetryOsState+9DAAFw
dword_6B3540	dd 0			; DATA XREF: PopTransitionTelemetryOsState:loc_90BE8Fr
		align 8
off_6B3548	dd offset ??_C@_0BN@PKPNHAOJ@Kernel_OSStateChange_Standby@NNGAKEGL@
					; DATA XREF: PopTransitionTelemetryOsState+9DAD7r
					; PopTransitionTelemetryOsState:loc_90BEF7o
dword_6B354C	dd 0			; DATA XREF: PopTransitionTelemetryOsState+9DACFr
					; PopTransitionTelemetryOsState+9DAE8w
dword_6B3550	dd 0			; DATA XREF: PopTransitionTelemetryOsState:loc_90BEC8r
		align 8
off_6B3558	dd offset ??_C@_0BO@MAGOKJBG@Kernel_OSStateChange_Shutdown@NNGAKEGL@
					; DATA XREF: PopTransitionTelemetryOsState+9DB4Dr
					; PopTransitionTelemetryOsState:loc_90BF6Do
dword_6B355C	dd 0			; DATA XREF: PopTransitionTelemetryOsState+9DB45r
					; PopTransitionTelemetryOsState+9DB5Ew
dword_6B3560	dd 0			; DATA XREF: PopTransitionTelemetryOsState:loc_90BF3Er
		align 8
off_6B3568	dd offset ??_C@_0CD@FCKDPJKO@Kernel_OSStateChange_StandbyRes@NNGAKEGL@
					; DATA XREF: PopTransitionTelemetryOsState+9D9D8r
					; PopTransitionTelemetryOsState:loc_90BDF8o
dword_6B356C	dd 0			; DATA XREF: PopTransitionTelemetryOsState+9D9D0r
					; PopTransitionTelemetryOsState+9D9E9w
dword_6B3570	dd 0			; DATA XREF: PopTransitionTelemetryOsState:loc_90BDC9r
		align 8
off_6B3578	dd offset loc_8BCB03+1	; DATA XREF: PopTransitionTelemetryOsState+9DA2Cr
					; PopTransitionTelemetryOsState:loc_90BE4Co
dword_6B357C	dd 0			; DATA XREF: PopTransitionTelemetryOsState+9DA24r
					; PopTransitionTelemetryOsState+9DA3Dw
dword_6B3580	dd 0			; DATA XREF: PopTransitionTelemetryOsState+9DA13r
		align 8
off_6B3588	dd offset ??_C@_0BI@FGNKIGCJ@Kernel_OSStateChange_CS@NNGAKEGL@
					; DATA XREF: PopTransitionTelemetryOsState+9DA65r
					; PopTransitionTelemetryOsState:loc_90BE85o
dword_6B358C	dd 0			; DATA XREF: PopTransitionTelemetryOsState+9DA5Dr
					; PopTransitionTelemetryOsState+9DA76w
dword_6B3590	dd 0			; DATA XREF: PopTransitionTelemetryOsState:loc_90BE56r
		align 8
off_6B3598	dd offset ??_C@_0BM@FKLINOIP@Kernel_OSStateChange_Reboot@NNGAKEGL@
					; DATA XREF: PopTransitionTelemetryOsState+9DB14r
					; PopTransitionTelemetryOsState:loc_90BF34o
dword_6B359C	dd 0			; DATA XREF: PopTransitionTelemetryOsState+9DB0Cr
					; PopTransitionTelemetryOsState+9DB25w
dword_6B35A0	dd 0			; DATA XREF: PopTransitionTelemetryOsState+9DAFBr
		align 8
_PopPdcDeviceList dd offset _PopPdcDeviceList ;	DATA XREF: .data:_PopPdcDeviceListo
					; .data:off_6B35ACo ...
off_6B35AC	dd offset _PopPdcDeviceList ; DATA XREF: PopPdcCsDeviceNotification(x)+A8r
					; PopPdcCsDeviceNotification(x)+BCw
_PpmCurrentProfile dd offset _PpmDefaultProfile	; DATA XREF: PpmParkDistributeAllUtility()r
					; PoIdle(x)+1Er ...
		align 8
_SshpRoutineBlock db	1		; DATA XREF: PopPowerInformationInternal+4AAo
		db    0
		db    0
		db    0
		dd offset SleepstudyHelperBlockerActiveDereference
		dd offset SleepstudyHelperBlockerActiveReference
		dd offset SleepstudyHelperBuildBlocker
		dd offset _SleepstudyHelperCreateBlockerData@20	; SleepstudyHelperCreateBlockerData(x,x,x,x,x)
		dd offset _SleepstudyHelperCreateBlockerFromComponent@20 ; SleepstudyHelperCreateBlockerFromComponent(x,x,x,x,x)
		dd offset _SleepstudyHelperCreateBlockerFromDevice@16 ;	SleepstudyHelperCreateBlockerFromDevice(x,x,x,x)
		dd offset SleepstudyHelperCreateBlockerFromGuid
		dd offset SleepstudyHelperCreateLibrary
		dd offset _SleepstudyHelperDestroyBlocker@4 ; SleepstudyHelperDestroyBlocker(x)
		dd offset SleepstudyHelperDestroyBlockerBuilder
		dd offset _SleepstudyHelperDestroyBlockerData@4	; SleepstudyHelperDestroyBlockerData(x)
		dd offset _SleepstudyHelperDestroyLibrary@4 ; SleepstudyHelperDestroyLibrary(x)
		dd offset _SleepstudyHelperGetBlockerGuid@8 ; SleepstudyHelperGetBlockerGuid(x,x)
		dd offset _SleepstudyHelperQueryBlockerStatistics@12 ; SleepstudyHelperQueryBlockerStatistics(x,x,x)
		dd offset SleepstudyHelperSetBlockerFriendlyName
		dd offset _SleepstudyHelperSetBlockerParentHandle@8 ; SleepstudyHelperSetBlockerParentHandle(x,x)
		dd offset _SleepstudyHelperSetBlockerVisible@8 ; SleepstudyHelperSetBlockerVisible(x,x)
		dd offset _SleepstudyHelper_Initialize@8 ; SleepstudyHelper_Initialize(x,x)
		dd offset _SleepstudyHelper_Uninitialize@4 ; SleepstudyHelper_Uninitialize(x)
		dd offset _SleepstudyHelper_GenerateGuid@16 ; SleepstudyHelper_GenerateGuid(x,x,x,x)
		dd offset _SleepstudyHelper_RegisterPdoWithParentPdo@16	; SleepstudyHelper_RegisterPdoWithParentPdo(x,x,x,x)
		dd offset _SleepstudyHelper_RegisterPdoWithParentHandle@16 ; SleepstudyHelper_RegisterPdoWithParentHandle(x,x,x,x)
		dd offset _SleepstudyHelper_RegisterPdoWithParentGuid@28 ; SleepstudyHelper_RegisterPdoWithParentGuid(x,x,x,x,x,x,x)
		dd offset _SleepstudyHelper_RegisterComponentEx@44 ; SleepstudyHelper_RegisterComponentEx(x,x,x,x,x,x,x,x,x,x,x)
		dd offset _SleepstudyHelper_UnregisterComponent@4 ; SleepstudyHelper_UnregisterComponent(x)
		dd offset _SleepstudyHelper_ComponentActive@4 ;	SleepstudyHelper_ComponentActive(x)
		dd offset _SleepstudyHelper_ComponentInactive@4	; SleepstudyHelper_ComponentInactive(x)
		dd offset _SleepstudyHelper_ComponentActiveLocked@4 ; SleepstudyHelper_ComponentActiveLocked(x)
		dd offset _SleepstudyHelper_ResetComponentsStartTime@4 ; SleepstudyHelper_ResetComponentsStartTime(x)
		dd offset _SleepstudyHelper_AcquireComponentLock@8 ; SleepstudyHelper_AcquireComponentLock(x,x)
		dd offset _SleepstudyHelper_ReleaseComponentLock@8 ; SleepstudyHelper_ReleaseComponentLock(x,x)
		dd offset _SleepstudyHelper_GetPdoFriendlyName@8 ; SleepstudyHelper_GetPdoFriendlyName(x,x)
		align 10h
_TtmpDeviceWatchdogTimeouts db	  1	; DATA XREF: TtmpStartCallout(x,x,x,x,x,x)+26o
		db    0
		db    0
		db    0
off_6B3644	dd offset aTtmdeviceassig
					; DATA XREF: TtmpInitializeWatchdogTimeouts():loc_9C09FCr
					; "TtmDeviceAssignmentCallbackTimeout"
dword_6B3648	dd 4BAF0h		; DATA XREF: TtmpInitializeWatchdogTimeouts()+27w
		db    2
		db    0
		db    0
		db    0
		dd offset aTtmdeviceclosi ; "TtmDeviceClosingTimeout"
		db 0F0h	; 
		db 0BAh	; 
		db    4
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset aTtmdeviceinput ; "TtmDeviceInputModeChangeTimeout"
		db 0F0h	; 
		db 0BAh	; 
		db    4
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset aTtmdevicedispl ; "TtmDeviceDisplayStateChangeTimeout"
		db 0F0h	; 
		db 0BAh	; 
		db    4
		db    0
		db    5
		db    0
		db    0
		db    0
		dd offset aTtmdevicebuilt ; "TtmDeviceBuiltinPanelStateChangeTimeout"...
		db 0F0h	; 
		db 0BAh	; 
		db    4
		db    0
		db    6
		db    0
		db    0
		db    0
		dd offset aTtmdeviceprima ; "TtmDevicePrimaryDisplayVisibleStateChan"...
		db 0F0h	; 
		db 0BAh	; 
		db    4
		db    0
off_6B3688	dd offset ??_C@_0BE@MGAPJEAL@Kernel_Process_Hang@NNGAKEGL@
					; DATA XREF: PsSetProcessFaultInformation+B38FCr
					; PsSetProcessFaultInformation:loc_8FB10Bo
dword_6B368C	dd 0			; DATA XREF: PsSetProcessFaultInformation+B38F3r
					; PsSetProcessFaultInformation+B390Aw
dword_6B3690	dd 0			; DATA XREF: PsSetProcessFaultInformation:loc_8FB0E2r
		align 8
unk_6B3698	db  8Ch	; 		; DATA XREF: .text:00404DB0o
		db    0
		db  8Eh	; 
		db    0
		dd offset ??_C@_1IO@MNHMIIKM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@FNODOBFM@
dword_6B36A0	dd 0			; DATA XREF: RtlpCapChkTelemetryRunOnce(x,x,x)+4o
					; RtlpLogCapabilityCheckLatency(x,x,x,x,x,x)+81r ...
		dd offset loc_425026+1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_NormalizationListHead dd offset _NormalizationListHead
					; DATA XREF: NormalizationList__InsertTail(x)+5o
					; NormalizationList__Lookup(x)r ...
off_6B36CC	dd offset _NormalizationListHead
					; DATA XREF: NormalizationList__InsertTail(x)r
					; NormalizationList__InsertTail(x)+1Aw
unk_6B36D0	db  54h	; T		; DATA XREF: SepIsLockedDown(x,x)+49o
		db    0
		db  56h	; V
		db    0
		dd offset ??_C@_1FG@HCKJDJMN@?$AAW?$AAS?$AAL?$AAi?$AAc?$AAe?$AAn?$AAs?$AAi?$AAn?$AAg?$AAS?$AAe?$AAr?$AAv@NNGAKEGL@
; Exported entry 2470. SeILSigningPolicyPtr
		public _SeILSigningPolicyPtr
_SeILSigningPolicyPtr dd offset	_SeILSigningPolicy
_SepProcUniqueAttributeName dw 20h	; DATA XREF: SepGetProcUniqueLuidAndIndexFromAttributeInfo(x,x,x)+3Br
word_6B36DE	dw 22h			; DATA XREF: SepGetProcUniqueLuidAndIndexFromAttributeInfo(x,x,x)+4Br
off_6B36E0	dd offset aTsaProcunique
					; DATA XREF: SepGetProcUniqueLuidAndIndexFromAttributeInfo(x,x,x)+55r
					; "TSA://ProcUnique"
_DefaultKey	db    0			; DATA XREF: SepRmFetchGlobalSacl+8CA8Bo
					; SepRmFetchGlobalSacl+8CAF1o
		db    0
		db    2
		db    0
		dd offset dword_40FDC4
_XdvName	db  1Eh			; DATA XREF: sub_AE213B+96o
					; ViLogAndLoadXdv(x)+Eo
		db    0
		db  20h
		db    0
		dd offset aVerifierext_sy ; "VerifierExt.sys"
_VfXdvDispatchTable db	  3		; DATA XREF: VfQueryDispatchTable(x,x)+38o
		db    0
		db    0
		db    0
dword_6B36F8	dd 18h			; DATA XREF: VfQueryDispatchTable(x,x)+30r
		dd offset _VerifierKeIsApcRunningThread@4 ; VerifierKeIsApcRunningThread(x)
		dd offset _VerifierKeIsExecutingLegacyDpc@0 ; VerifierKeIsExecutingLegacyDpc()
		dd offset _VerifierCrashEvent@4	; VerifierCrashEvent(x)
		dd offset _VfIsRuleClassEnabled@4 ; VfIsRuleClassEnabled(x)
_VfWdmDispatchTable db	  0		; DATA XREF: VfQueryDispatchTable(x,x)+60o
		db    0
		db    0
		db    0
dword_6B3710	dd 2Ch			; DATA XREF: VfQueryDispatchTable(x,x)+58r
		dd offset _VerifierPortKeAcquireSpinLock@12 ; VerifierPortKeAcquireSpinLock(x,x,x)
		dd offset _VerifierPortKeReleaseSpinLock@12 ; VerifierPortKeReleaseSpinLock(x,x,x)
		dd offset _VerifierPortKeAcquireSpinLockNoXdv@12 ; VerifierPortKeAcquireSpinLockNoXdv(x,x,x)
		dd offset _VerifierPortKeReleaseSpinLockNoXdv@12 ; VerifierPortKeReleaseSpinLockNoXdv(x,x,x)
		dd offset _VerifierPortExAllocatePoolWithQuotaTag@16 ; VerifierPortExAllocatePoolWithQuotaTag(x,x,x,x)
		dd offset _VerifierPortExAllocatePoolWithTagPriority@20	; VerifierPortExAllocatePoolWithTagPriority(x,x,x,x,x)
		dd offset _VerifierPortIoAllocateMdl@24	; VerifierPortIoAllocateMdl(x,x,x,x,x,x)
		dd offset _VerifierPortIoAllocateIrp@12	; VerifierPortIoAllocateIrp(x,x,x)
		dd offset _VerifierPortIoAllocateWorkItem@8 ; VerifierPortIoAllocateWorkItem(x,x)
off_6B3738	dd offset ??_C@_0BB@EIOCKFLG@ETW_TelCov_Trace@NNGAKEGL@
					; DATA XREF: EtwpCoverageEnsureContext()+3ACr
					; EtwpCoverageEnsureContext():loc_8AF4CCo
dword_6B373C	dd 0			; DATA XREF: EtwpCoverageEnsureContext()+3A3r
					; EtwpCoverageEnsureContext()+3BDw
dword_6B3740	dd 0			; DATA XREF: EtwpCoverageEnsureContext()+396r
		align 8
off_6B3748	dd offset ??_C@_0BB@OBDPMNIP@ETW_TelCov_Reset@NNGAKEGL@
					; DATA XREF: EtwpCoverageReset(x,x)+3Er
					; EtwpCoverageReset(x,x):loc_9F0910o
dword_6B374C	dd 0			; DATA XREF: EtwpCoverageReset(x,x)+35r
					; EtwpCoverageReset(x,x)+4Dw
dword_6B3750	dd 0			; DATA XREF: EtwpCoverageReset(x,x)+28r
		align 8
off_6B3758	dd offset ??_C@_0BB@EIOCKFLG@ETW_TelCov_Trace@NNGAKEGL@
					; DATA XREF: EtwpCoverageProvEnableCallback+83A73r
					; EtwpCoverageProvEnableCallback:loc_938136o
dword_6B375C	dd 0			; DATA XREF: EtwpCoverageProvEnableCallback+83A6Ar
					; EtwpCoverageProvEnableCallback+83A81w
dword_6B3760	dd 0			; DATA XREF: EtwpCoverageProvEnableCallback+83A59r
		align 8
off_6B3768	dd offset ??_C@_0BD@JBKJLFHL@ETW_TelCov_ResetCP@NNGAKEGL@
					; DATA XREF: EtwpCoverageResetCP(x,x)+3Ar
					; EtwpCoverageResetCP(x,x):loc_9F0B04o
dword_6B376C	dd 0			; DATA XREF: EtwpCoverageResetCP(x,x)+32r
					; EtwpCoverageResetCP(x,x)+48w
dword_6B3770	dd 0			; DATA XREF: EtwpCoverageResetCP(x,x)+25r
		align 8
off_6B3778	dd offset unk_70006E	; DATA XREF: EtwpConstructIptData(x)+3o
		dd offset aRegistryMach_3 ; "\\Registry\\Machine\\System\\CurrentControl"...
unk_6B3780	db  18h			; DATA XREF: ExpUpdateComPlusPackage(x)+Bo
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_404E77+1
		db  40h	; @
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_6B3798	db  18h			; DATA XREF: ExpReadComPlusPackage()+22o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_404E77+1
		db  40h	; @
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_6B37B0	db  16h			; DATA XREF: ExpReadComPlusPackage()+4Ao
					; ExpUpdateComPlusPackage(x)+59o
		db    0
		db  18h
		db    0
		dd offset aEnable64bit	; "Enable64Bit"
off_6B37B8	dd offset _GUID_SYSMAIN_SDB
					; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+3Do
dword_6B37BC	dd 80030000h		; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+9Dr
dword_6B37C0	dd 0			; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+A9r
dword_6B37C4	dd 1			; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+A3r
		dd offset _GUID_MSIMAIN_SDB
		db    0
		db    0
		db    2
		db  80h	; 
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _GUID_DRVMAIN_SDB
		db    0
		db    0
		db    4
		db  80h	; 
		db    1
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
_TokenAttributeLookupTable dd offset loc_404F57+1
					; DATA XREF: AuthzBasepFindTokenAttribute(x):loc_696221r
					; AuthzBasepFindTokenAttribute(x)+37o
		db    1
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset _AttributeTokenIntegrityLevel
		db    2
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset loc_404F5F+1
		db    3
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset loc_404F67+1
		db    4
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset _DEVPKEY_DeviceClass_Name
		dd offset _DEVPKEY_DeviceClass_ClassName
off_6B3820	dd offset _DEVPKEY_DeviceClass_UpperFilters ; DATA XREF: .text:00404FC4o
		dd offset _DEVPKEY_DeviceClass_UpperFilterCache
off_6B3828	dd offset _DEVPKEY_DeviceClass_LowerFilters ; DATA XREF: .text:00404FD0o
		dd offset _DEVPKEY_DeviceClass_LowerFilterCache
off_6B3830	dd offset _DEVPKEY_DeviceInterfaceClass_Name ; DATA XREF: .text:off_404FDCo
off_6B3834	dd offset _DEVPKEY_NODE	; DATA XREF: DrvDbGetDeviceIdMappedPropertyKeys(x,x,x,x,x,x)+5Bo
		dd offset _DEVPKEY_DeviceId_DriverInfMatches
		dd offset _DEVPKEY_DeviceId_DriverInfNames
off_6B3840	dd offset _DEVPKEY_NODE	; DATA XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+1Eo
		dd offset _DEVPKEY_DriverPackage_ProcessorArchitecture
		dd offset _DEVPKEY_DriverPackage_Locale
		dd offset _DEVPKEY_DriverPackage_Inbox
		dd offset _DEVPKEY_DriverPackage_Published
		dd offset _DEVPKEY_DriverPackage_ClassGuid
		dd offset _DEVPKEY_DriverPackage_DriverDate
		dd offset _DEVPKEY_DriverPackage_DriverVersion
		dd offset _DEVPKEY_DriverPackage_ConfigurableFlags
		dd offset _DEVPKEY_DriverPackage_Configurable
		dd offset _DEVPKEY_DriverPackage_FamilyId
		dd offset _DEVPKEY_DriverPackage_DriverPackageId
		dd offset _DEVPKEY_DriverPackage_Integrated
		dd offset _DEVPKEY_DriverPackage_Primitive
off_6B3878	dd offset _DEVPKEY_NODE	; DATA XREF: DrvDbGetDriverInfFileMappedPropertyKeys(x,x,x,x,x,x)+21o
off_6B387C	dd offset _DEVPKEY_NODE	; DATA XREF: DrvDbGetDriverFileMappedPropertyKeys(x,x,x,x,x,x)+21o
_UartHardwareAccess dd offset _ReadPort8@4 ; DATA XREF:	ReadPortWithIndex8+16r
					; ReadPort8(x)
off_6B3884	dd offset _WritePort8@8	; DATA XREF: WritePortWithIndex8+19r
					; WritePort8(x,x)
off_6B3888	dd offset _ReadPort16@4	; DATA XREF: ReadPortWithIndex16+16r
					; ReadPort16(x)
off_6B388C	dd offset _WritePort16@8 ; DATA	XREF: WritePortWithIndex16+1Br
					; WritePort16(x,x)
off_6B3890	dd offset _ReadPort32@4	; DATA XREF: ReadPortWithIndex32+16r
					; ReadPort32(x)
off_6B3894	dd offset _WritePort32@8 ; DATA	XREF: WritePortWithIndex32+1Br
					; WritePort32(x,x)
off_6B3898	dd offset _ReadRegister8@4 ; DATA XREF:	ReadRegisterWithIndex8+16r
					; ReadRegister8(x)
off_6B389C	dd offset _WriteRegister8@8 ; DATA XREF: WriteRegisterWithIndex8+19r
					; WriteRegister8(x,x)
off_6B38A0	dd offset _ReadRegister16@4 ; DATA XREF: ReadRegisterWithIndex16+16r
					; ReadRegister16(x)
off_6B38A4	dd offset _WriteRegister16@8 ; DATA XREF: WriteRegisterWithIndex16+1Br
					; WriteRegister16(x,x)
off_6B38A8	dd offset _ReadRegister32@4 ; DATA XREF: SpiInit(x,x,x,x)+Fr
					; SpiInit(x,x,x,x)+1Cr	...
					; ReadRegister32(x)
off_6B38AC	dd offset _WriteRegister32@8 ; DATA XREF: SpiInit(x,x,x,x)+42r
					; SpiInit(x,x,x,x)+50r	...
					; WriteRegister32(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_Uart16550HardwareDriver dd offset _Uart16550InitializePort@20 ; DATA XREF: .text:00405124o
					; Uart16550InitializePort(x,x,x,x,x)
		dd offset _Uart16550SetBaud@8 ;	Uart16550SetBaud(x,x)
		dd offset _Uart16550GetByte@8 ;	Uart16550GetByte(x,x)
		dd offset _Uart16550PutByte@12 ; Uart16550PutByte(x,x,x)
		dd offset _Uart16550RxReady@4 ;	Uart16550RxReady(x)
_MM16550HardwareDriver dd offset _Uart16550MmInitializePort@20 ; DATA XREF: .text:00405168o
					; Uart16550MmInitializePort(x,x,x,x,x)
		dd offset _Uart16550SetBaud@8 ;	Uart16550SetBaud(x,x)
		dd offset _Uart16550GetByte@8 ;	Uart16550GetByte(x,x)
		dd offset _Uart16550PutByte@12 ; Uart16550PutByte(x,x,x)
		dd offset _Uart16550RxReady@4 ;	Uart16550RxReady(x)
_Legacy16550HardwareDriver dd offset _Uart16550LegacyInitializePort@20
					; DATA XREF: .text:_UartHardwareDriverso
					; Uart16550LegacyInitializePort(x,x,x,x,x)
		dd offset _Uart16550SetBaud@8 ;	Uart16550SetBaud(x,x)
		dd offset _Uart16550GetByte@8 ;	Uart16550GetByte(x,x)
		dd offset _Uart16550PutByte@12 ; Uart16550PutByte(x,x,x)
		dd offset _Uart16550RxReady@4 ;	Uart16550RxReady(x)
_SpiMax311HardwareDriver dd offset _SpiMax311InitializePort@20 ; DATA XREF: .text:00405128o
					; SpiMax311InitializePort(x,x,x,x,x)
		dd offset _SpiMax311SetBaud@8 ;	SpiMax311SetBaud(x,x)
		dd offset _SpiMax311GetByte@8 ;	SpiMax311GetByte(x,x)
		dd offset _SpiMax311PutByte@12 ; SpiMax311PutByte(x,x,x)
		dd offset _SpiMax311RxReady@4 ;	SpiMax311RxReady(x)
_UsifHardwareDriver dd offset _UsifInitializePort@20 ; DATA XREF: .text:0040514Co
					; UsifInitializePort(x,x,x,x,x)
		dd offset _UsifSetBaud@8 ; UsifSetBaud(x,x)
		dd offset _UsifGetByte@8 ; UsifGetByte(x,x)
		dd offset _UsifPutByte@12 ; UsifPutByte(x,x,x)
		dd offset _UsifRxReady@4 ; UsifRxReady(x)
		align 10h
_KiCommonDataArea db	0
		db    0
		db    0
		db    0
_KiAbiosPresent	db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
aNtvdmEncount_4	db 'NTVDM: Encountered override prefix ES %lx at address %lx',0Ah
					; DATA XREF: OpcodeESPrefixV86+Co
		db 0Dh,0
aNtvdmEncount_2	db 'NTVDM: Encountered override prefix CS %lx at address %lx',0Ah
					; DATA XREF: OpcodeCSPrefixV86+Co
		db 0Dh,0
aNtvdmEncount_1	db 'NTVDM: Encountered override prefix SS %lx at address %lx',0Ah
					; DATA XREF: OpcodeSSPrefixV86+Co
		db 0Dh,0
aNtvdmEncount_3	db 'NTVDM: Encountered override prefix DS %lx at address %lx',0Ah
					; DATA XREF: OpcodeDSPrefixV86+Co
		db 0Dh,0
aNtvdmEncount_6	db 'NTVDM: Encountered override prefix FS %lx at address %lx',0Ah
					; DATA XREF: OpcodeFSPrefixV86+Co
		db 0Dh,0
aNtvdmEncount_7	db 'NTVDM: Encountered override prefix GS %lx at address %lx',0Ah
					; DATA XREF: OpcodeGSPrefixV86+Co
		db 0Dh,0
aNtvdmEncount_5	db 'NTVDM: Encountered override prefix OPER32 %lx at address %lx',0Ah
					; DATA XREF: OpcodeOPER32PrefixV86+Co
		db 0Dh,0
aNtvdmEncount_9	db 'NTVDM: Encountered override prefix ADDR32 %lx at address %lx',0Ah
					; DATA XREF: OpcodeADDR32PrefixV86+Co
		db 0Dh,0
aNtvdmEncount_8	db 'NTVDM: Encountered override prefix LOCK %lx at address %lx',0Ah
					; DATA XREF: OpcodeLOCKPrefixV86+Co
		db 0Dh,0
aNtvdmEncount_0	db 'NTVDM: Encountered override prefix REPNE %lx at address %lx',0Ah
					; DATA XREF: OpcodeREPNEPrefixV86+Co
		db 0Dh,0
aNtvdmEncounter	db 'NTVDM: Encountered override prefix REP %lx at address %lx',0Ah
					; DATA XREF: OpcodeREPPrefixV86+Co
		db 0Dh,0
		align 10h
aCos		db 'cos',0              ; DATA XREF: sub_58302F+2Fo
					; sub_58302F+84o
		align 10h
off_6B3BE0	dd offset unk_6E6973	; DATA XREF: sub_5830EF+2Fo
					; sub_5830EF+84o
		align 10h
aSqrt		db 'sqrt',0             ; DATA XREF: sub_58319D+33o
					; sub_58319D:loc_58322Do
		align 4
__NLG_Destination db  20h		; DATA XREF: __NLG_Notify1+2o
					; __NLG_Notify+2o
		db    5
		db  93h	; 
		db  19h
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B3C10	dd 1			; DATA XREF: _randr _rand+Fw ...
		align 10h
__indefinite	dt -1.7845972430358476476e4932 ; DATA XREF: sub_58302F+67r
					; sub_5830EF+67r ...
__piby2		db  35h	; 5
		db 0C2h	; 
		db  68h	; h
		db  21h	; !
		db 0A2h	; 
		db 0DAh	; 
		db  0Fh
		db 0C9h	; 
		db 0FFh
		db  3Fh	; ?
dbl_6B3C34	dq 1.0			; DATA XREF: __tosnan1+24r
__cpower	db    1
unk_6B3C3D	db    8			; DATA XREF: __trandisp1+28o
					; __trandisp2+28o
		db    4
		db    8
		db    8
		db    8
		db    4
		db    8
		db    8
		db    0
		db    4
		db  0Ch
		db    8
		db    0
		db    4
		db  0Ch
		db    8
		db    0
		db    0
		db    0
tbyte_6B3C50	dt 2.3562723457267347066e313 ; DATA XREF: __set_statfp+19r
					; __set_statfp+2Br
		align 4
tbyte_6B3C5C	dt 1.9149954921904370718e-1233 ; DATA XREF: __set_statfp+3Dr
		align 10h
; size_t __mb_cur_max
___mb_cur_max	dd 1			; DATA XREF: __wctomb_s_l+4Dr
					; _wctomb+12r ...
__matherr_flag	dd 2694h		; DATA XREF: __87except+EDr
_g_SymCryptCpuFeaturesNotPresent dd 0FFFFFFFFh
					; DATA XREF: SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)+93w
					; SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x):loc_58DBDAw ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_CcMaxVacbLevelsSeen dd	1		; DATA XREF: CcExtendVacbArray+2A8r
					; CcExtendVacbArray+3B9w ...
_CmSIDMappingCacheHit dd 0FFFFFFFFh	; DATA XREF: CmpGetMappingHiveForString+24r
					; CmpGetMappingHiveForString+B8w
_ObpDefaultSecurityDescriptorLength dd 100h
					; DATA XREF: ObpAllocateAndQuerySecurityDescriptorInfo+45r
					; PAGE:loc_816B5Ar ...
_PopFxVSyncEnabled db 1			; DATA XREF: PoNotifyVSyncChange(x)+12w
					; PopFxGetLatencyLimitWithoutResiliency()+12r
_PpmIdleVetoBias db 1			; DATA XREF: PoIdle(x):loc_48A486r
					; PpmIdleRemoveVetoBias()w ...
		align 10h
_PpmDripsStateIndex dd 0FFFFFFFFh	; DATA XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+847r
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+100Dr ...
_PopDiskIdleTimeout dd 0FFFFFFFFh	; DATA XREF: PopUpdateDiskIdleTimeoutSetting+11r
					; PopHardDiskPowerSettingCallback:loc_886C59r ...
_PopDiskCoalescingTimeout dd 0FFFFFFFFh	; DATA XREF: PopUpdateDiskIdleTimeoutSetting+Ar
					; PopCoalescingPowerSettingCallback:loc_8B562Fr ...
_PopLidOpened	db 1			; DATA XREF: PopPowerSourceChangeCallback+59r
					; NtPowerInformation+FFEr ...
		align 10h
_PopGlobalUserPresenceState dd 3	; DATA XREF: PopEvaluateGlobalUserStatus:loc_841524r
					; PopEvaluateGlobalUserStatus+52w
_PspJobTimeLimitsCount dd 7		; DATA XREF: PsEnforceExecutionLimits()+Dr
					; PsEnforceExecutionLimits()+19w ...
_ExpLastRequestedTime dd 0FFFFFFFFh	; DATA XREF: ExpUpdateTimerResolution+34r
					; ExpUpdateTimerResolution:loc_4308CDr	...
_ExpSystemIsInCmosMode db 1		; DATA XREF: ExpSetSystemTime+986Dr
					; ExpRefreshTimeZoneInformation(x)+1A2w ...
		align 10h
_KiClockPollCycle db 64h		; DATA XREF: KeAccumulateTicks:loc_48C417w
					; KeAccumulateTicks+1F9w ...
		align 8
_PopSystemIdleContext dd 0		; DATA XREF: PopSnapSystemIdleContext(x,x)+44o
					; PopSystemIdleWorker()+72r ...
dword_6B3D3C	dd 0			; DATA XREF: PopSystemIdleWorker()+54r
					; PopUpdateSystemIdleContext(x)+57r ...
unk_6B3D40	db    0			; DATA XREF: PopUpdateLastUserInputTime()+11o
		db    0
		db    0
		db    0
unk_6B3D44	db    0			; DATA XREF: PopUpdateLastUserInputTime()+24o
		db    0
		db    0
		db    0
dword_6B3D48	dd 0			; DATA XREF: PopUpdateSystemIdleConsoleDisplayState(x)+37w
					; PopUpdateLastUserInputTime()+9r
		align 10h
unk_6B3D50	db    0			; DATA XREF: PopSystemIdleWorker()+66o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B3D58	dd 0			; DATA XREF: PopPulseSystemIdleEvent(x)+22w
dword_6B3D5C	dd 0			; DATA XREF: PopPulseSystemIdleEvent(x)+28w
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B3D70	dd 0			; DATA XREF: PopSnapSystemIdleContext(x,x)+7Br
dword_6B3D74	dd 0			; DATA XREF: PopSnapSystemIdleContext(x,x)+87r
dword_6B3D78	dd 0			; DATA XREF: PopSnapSystemIdleContext(x,x)+75r
dword_6B3D7C	dd 0			; DATA XREF: PopSnapSystemIdleContext(x,x)+81r
byte_6B3D80	db 0			; DATA XREF: PopSnapSystemIdleContext(x,x):loc_9B6153r
		align 4
dword_6B3D84	dd 0			; DATA XREF: PopSnapSystemIdleContext(x,x)+62r
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B3E30	dd 0			; DATA XREF: PopSystemIdleWorker()+78w
					; PopSystemIdleWorker()+BAr ...
		align 8
unk_6B3E38	db    0			; DATA XREF: PopSystemIdleWorker()+C2o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_6B3E50	db    0			; DATA XREF: PopSystemIdleWorker()+5Eo
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B3E5C	dd 0			; DATA XREF: PopSnapSystemIdleContext(x,x)+4Fr
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B3E68	dd 0			; DATA XREF: PopUpdateSystemIdleContext(x)+F3w
dword_6B3E6C	dd 0			; DATA XREF: PopUpdateSystemIdleContext(x)+FCw
dword_6B3E70	dd 0			; DATA XREF: PopUpdateSystemIdleContext(x)+11Bw
dword_6B3E74	dd 0			; DATA XREF: PopUpdateSystemIdleContext(x)+121w
dword_6B3E78	dd 0			; DATA XREF: PopUpdateSystemIdleContext(x)+106w
		align 10h
_PopHibernatePowerStateHandlerType dd 7	; DATA XREF: PopTransitionToSleep+EBw
					; PopTransitionToSleep+FEw ...
_PopBootStatCheckpointAvailable	db 1	; DATA XREF: PopCheckpointSystemSleepr
					; PAGELK:0071F232w ...
		align 4
_PopBatteryTriggerCachedFlags dd 0FFFFFFFFh ; DATA XREF: PopDiagTraceBatteryTriggerFlags+43r
					; PopDiagTraceBatteryTriggerFlags:loc_869397w
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_PopBatteryCachedFlags dd 0FFFFFFFFh	; DATA XREF: PopBatteryApplyCompositeState+14Bw
					; PopBatteryApplyCompositeState+A042Br	...
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
dword_6B3EA8	dd 1			; DATA XREF: BiGetFirmwareType()+26r
					; BiGetFirmwareType():loc_862C6Dw
word_6B3EAC	dw 0E051h		; DATA XREF: AnFwpProgressAnimationManual:loc_A74384r
					; AnFwpProgressAnimationManual+DFr ...
		align 10h
dword_6B3EB0	dd 64h			; DATA XREF: AnFwDisplayFade+4A4w
					; AnFwpFadeAnimationTimer+5Ar ...
dword_6B3EB4	dd 0			; DATA XREF: AnFwDisplayFade+450w
					; AnFwpFadeAnimationTimer+4Er ...
dword_6B3EB8	dd 0			; DATA XREF: AnFwDisplayFade+457w
					; AnFwpFadeAnimationTimer+49r
dword_6B3EBC	dd 0			; DATA XREF: AnFwDisplayFade+460w
					; AnFwpFadeAnimationTimer+66r
byte_6B3EC0	db 0			; DATA XREF: AnFwDisplayFade+469w
					; AnFwpFadeAnimationTimer+6Fr ...
byte_6B3EC1	db 0			; DATA XREF: AnFwDisplayFade+472w
					; AnFwpFadeAnimationTimer+78r ...
byte_6B3EC2	db 0			; DATA XREF: AnFwDisplayFade+47Bw
					; AnFwpFadeAnimationTimer+81r ...
		align 4
dword_6B3EC4	dd 0			; DATA XREF: AnFwFadeCompletion+3Br
					; AnFwFadeCompletion:loc_A756E4w ...
dword_6B3EC8	dd 0			; DATA XREF: AnFwDisplayFade+B6o
					; AnFwDisplayFade+1D7r	...
dword_6B3ECC	dd 0			; DATA XREF: AnFwDisplayFade+1E6r
					; TxtpAddCacheEntry+1E8Cr ...
dword_6B3ED0	dd 0			; DATA XREF: AnFwDisplayFade+1D2r
					; AnFwDisplayFade:loc_A7599Co
dword_6B3ED4	dd 0			; DATA XREF: AnFwDisplayFade+1E1r
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B3EE4	dd 0			; DATA XREF: AnFwFadeCompletion:loc_A756EAr
					; AnFwFadeCompletion:loc_A756FEw ...
dword_6B3EE8	dd 0			; DATA XREF: AnFwFadeCompletion:loc_A75704r
					; AnFwFadeCompletion:loc_A75718w ...
dword_6B3EEC	dd 0			; DATA XREF: AnFwFadeCompletion:loc_A7571Er
					; AnFwFadeCompletion:loc_A75732w ...
dword_6B3EF0	dd 0			; DATA XREF: AnFwDisplayFade+C3o
					; AnFwDisplayFade:loc_A75969r ...
dword_6B3EF4	dd 0			; DATA XREF: AnFwDisplayFade+208r
					; TxtpAddCacheEntry+1F8Aw
dword_6B3EF8	dd 0			; DATA XREF: AnFwDisplayFade+203r
					; AnFwDisplayFade+282o
dword_6B3EFC	dd 0			; DATA XREF: AnFwDisplayFade+214r
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B3F0C	dd 0			; DATA XREF: AnFwFadeCompletion:loc_A75738r
					; AnFwDisplayFade+4B4w	...
dword_6B3F10	dd 0			; DATA XREF: AnFwFadeCompletion:loc_A75746r
					; AnFwDisplayFade+4BAw	...
		align 8
dword_6B3F18	dd 0FFFFFFFFh		; DATA XREF: LogFwInitialize()+Cw
					; LogFwStat+70r ...
dword_6B3F1C	dd 7FFFFFFFh		; DATA XREF: LogFwInitialize()+5Bw
					; LogFwStat:loc_A76164r ...
dword_6B3F20	dd 0			; DATA XREF: LogFwInitialize()+27w
					; LogFwReport+1Do ...
dword_6B3F24	dd 1			; DATA XREF: LogFwInitialize()+31w
					; LogFwReport+6Cr ...
dword_6B3F28	dd 0FFFFFFFFh		; DATA XREF: LogFwInitialize()+18w
					; LogFwStat+13Dr ...
dword_6B3F2C	dd 7FFFFFFFh		; DATA XREF: LogFwInitialize()+A2w
					; LogFwStat:loc_A76235r ...
_PopEstimateSpoiledUntilTime dd	0FFFFFFFFh ; DATA XREF:	PopBatteryWorker+34Cw
					; PopBatteryWorker:loc_86909Bw	...
dword_6B3F34	dd 0FFFFFFFFh		; DATA XREF: PopBatteryWorker+356w
					; PopBatteryWorker+370w ...
___security_cookie dd 0BB40E64Eh	; DATA XREF: .text:00403984o
					; PoTraceSystemTimerResolutionUpdate+8r ...
___security_cookie_complement dd 44BF19B1h ; DATA XREF:	__security_check_cookie(x)+2552Fr
					; ___report_rangecheckfailure+2r ...
_CcUnmapBehindLength dd	8		; DATA XREF: CcGetVirtualAddress+3CDr
					; INIT:loc_AC3480r ...
_CcRemoteFileDPInlineFlushThreshold dd 140000h ; DATA XREF: sub_47C052:loc_47C090r
					; INIT:00AC343Fr ...
_CcMaxLazyWritePages dd	100h		; DATA XREF: CcCalculatePagesToWrite(x,x,x,x,x)+3Cr
					; CcCanIWriteStreamEx+1BAr ...
_CmpPreloadedHivesCount	dd 1		; DATA XREF: HvHiveCleanup+1AEw
					; HvpDropPagedBins+C6w	...
_CmpAccessBitForPhase db 1		; DATA XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+95Fr
					; CmpTrimHiver	...
_CmpVEEnabled	db 1			; DATA XREF: CmpDoQueryKeyName+10Cr
					; CmDoVirtualTestr ...
		align 4
_FsRtlVirtualDiskMaxTreeDepth dd 0FFFFFFFFh
					; DATA XREF: FsRtlQueryMaximumVirtualDiskNestingLevel()r
					; FsRtlQueryMaximumVirtualDiskNestingLevel()+Fw ...
_ShowProgressBar db 1			; DATA XREF: DisplayBootBitmap:loc_57A171w
					; BvgaUpdateProgressBar(x)+5r
_CapsuleDumpAllowed db 1		; DATA XREF: IoConfigureCrashDump:loc_5F5DC6r
					; IoInitializeCrashDump:loc_92DD41r ...
		align 4
_IopDiskIoAttributionBaseIoSize	dd 2000h ; DATA	XREF: IopRecordIoAttribution+19Br
					; IopRecordIoAttribution+1A1r ...
_PnpBootOptions	dd 1			; DATA XREF: IopInitializeSystemDrivers+1B2r
					; IoInitSystem+32r ...
_PnpBootMode	db 1			; DATA XREF: PiProcessNewDeviceNode:loc_873DE0r
					; PnpBootPhaseComplete+15w ...
		align 4
_PnpFindBestConfigurationTimeout dd 1388h ; DATA XREF: PnpFindBestConfigurationWorker+45r
					; IopInitializePlugPlayServices(x,x)+3C7w
_PassiveInterruptRealtimeWorkerCount db	4
					; DATA XREF: IopCreatePassiveInterruptRealtimeThreads(x,x)+36r
					; IopCreatePassiveInterruptRealtimeThreads(x,x):loc_8AFDF6r ...
		align 10h
_PnpDefaultInterfaceType dd 1		; DATA XREF: IopInitializePlugPlayServices(x,x)+232w
_PnpAsyncOptions dd 80000003h		; DATA XREF: PipEnumerateDevice+17r
					; PipProcessDevNodeTree+211r ...
_KdpTimeSlipPending dd 1		; DATA XREF: KdExitDebugger(x)+101o
					; KdpTimeSlipDpcRoutine(x,x,x,x)+3w ...
_KdPitchDebugger db 1			; DATA XREF: KiDispatchException:loc_4B46AEr
					; KeInsertQueue:loc_4FF1F0r ...
		align 10h
_KdVersionBlock	dw 0			; DATA XREF: KdInitSystem+DCw
					; KdInitSystem+11Ao ...
word_6B3F82	dw 0			; DATA XREF: KdInitSystem+D3w
		db    6
		db    0
word_6B3F86	dw 2			; DATA XREF: KdInitSystem+107w
		db  4Ch	; L
		db    1
		db  0Ch
word_6B3F8B	dw 0			; DATA XREF: KdInitSystem+FEw
		align 10h
dword_6B3F90	dd 0			; DATA XREF: KdInitSystem+146w
					; KdInitSystem:loc_A4A211r ...
dword_6B3F94	dd 0			; DATA XREF: KdInitSystem+150w
					; KdRegisterDebuggerDataBlock+4F5w
dword_6B3F98	dd 0			; DATA XREF: KdInitSystem+E8w
dword_6B3F9C	dd 0			; DATA XREF: KdInitSystem+EFw
dword_6B3FA0	dd 0			; DATA XREF: KdInitSystem+F6w
dword_6B3FA4	dd 0			; DATA XREF: KdInitSystem+114w
_KiMtrrMaskBase	dd 0FFFFF000h		; DATA XREF: MiCheckPhysicalAddressRange(x,x,x):loc_63397Cr
					; KiGetFeatureBits+508w ...
dword_6B3FAC	dd 0Fh			; DATA XREF: MiCheckPhysicalAddressRange(x,x,x)+24r
					; KiGetFeatureBits+50Dw ...
_KiMtrrMaskMask	dd 0FFFFF000h		; DATA XREF: KiGetFeatureBits+513w
					; KiGetFeatureBits+451Ew ...
dword_6B3FB4	dd 0Fh			; DATA XREF: KiGetFeatureBits+518w
					; KiGetFeatureBits+4524w ...
_KiMtrrMaxRangeShift db	24h		; DATA XREF: KiMaskToLength(x,x):loc_724E87r
					; KiGetFeatureBits:loc_726C55w	...
		align 4
_KePrefetchNTAGranularity dd 20h	; DATA XREF: RtlPrefetchMemoryNonTemporal(x,x)r
					; KiGetCacheInformation:loc_726344w ...
_KiSsbdMsr	dd 48h			; DATA XREF: KiUpdateSpeculationControl(x)+11Dr
					; KiSetHardwareSpeculationControlFeatures(x,x,x)+79w ...
		align 8
_KiSsbdBit	dd 4			; DATA XREF: KiSetHardwareSpeculationControlFeatures(x,x,x)+98w
					; KiDetectAmdNonArchSsbdSupport(x,x)+103w ...
dword_6B3FCC	dd 0			; DATA XREF: KiSetHardwareSpeculationControlFeatures(x,x,x)+9Ew
					; KiDetectAmdNonArchSsbdSupport(x,x)+109w ...
_PopFxActiveIdleThreshold dd 1F4h	; DATA XREF: PopFxIdleComponent+118r
					; PopFxResidentTimeoutRoutine(x)+E8r ...
; int PopIdleScanInterval
_PopIdleScanInterval dd	0FFFFFFFFh	; DATA XREF: PopCheckForIdleness(x,x,x,x)+116r
					; PopScanIdleList(x,x,x):loc_596DDAr ...
_BatteryChargeTrajectoryThresholdMilliPercent dd 3E8h
					; DATA XREF: PopBatteryCheckCompositeCapacity+A088Cr
					; PopBatteryInitPhaseTwo()+26o	...
_WeakChargerChargeDropMilliPercent dd 3E8h
					; DATA XREF: PopBatteryCheckCompositeCapacity:loc_909D1Cr
					; PopBatteryInitPhaseTwo()+Ao ...
_PpmIntSteerLoadMax dd 32h		; DATA XREF: PpmParkSteerInterrupts+244r
					; PpmParkSteerInterrupts+24Ar ...
		align 8
_PpmIntSteerTriggerMax dd 64h		; DATA XREF: PpmParkSteerInterrupts+197r
					; PopIntSteerSetTimeUnparkTrigger(x,x,x,x)+17w
dword_6B3FEC	dd 0			; DATA XREF: PpmParkSteerInterrupts+189r
					; PopIntSteerSetTimeUnparkTrigger(x,x,x,x)+Ew
_SepAdtMinListLength dd	2000h		; DATA XREF: SepAdtDetermineInsertQueue+7F08Ar
					; SepAdtInitializeBounds()+50w
_SepAdtMaxListLength dd	3000h		; DATA XREF: SepAdtDetermineInsertQueue+37r
					; SepAdtInitializeBounds()+4Aw
byte_6B3FF8	db 0			; DATA XREF: LookupSidInTable:loc_7EC750o
					; LookupSidInTable+1239E8r
		align 2
off_6B3FFA	dd offset loc_410043+1	; DATA XREF: LookupSidInTable+C1r
					; LookupSidInTable+123A06r
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B4004	dd 2			; DATA XREF: LookupSidInTable:loc_7EC75Fr
					; LookupSidInTable+123A00r
dword_6B4008	dd 0			; DATA XREF: LookupSidInTable+86r
					; LookupSidInTable+1239F4r ...
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_6B4014	db    0			; DATA XREF: InitializeSidLookupTable+18o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  44h	; D
		db    0
		db  47h	; G
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  44h	; D
		db    0
		db  55h	; U
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  44h	; D
		db    0
		db  44h	; D
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    4
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  44h	; D
		db    0
		db  43h	; C
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    3
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  53h	; S
		db    0
		db  41h	; A
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    6
		db    2
		db    0
		db    0
		db    7
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  45h	; E
		db    0
		db  41h	; A
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    7
		db    2
		db    0
		db    0
		db    7
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  43h	; C
		db    0
		db  41h	; A
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    5
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  41h	; A
		db    0
		db  4Fh	; O
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  24h	; $
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  42h	; B
		db    0
		db  4Fh	; O
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  27h	; '
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  50h	; P
		db    0
		db  4Fh	; O
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  26h	; &
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  53h	; S
		db    0
		db  4Fh	; O
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  25h	; %
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  52h	; R
		db    0
		db  45h	; E
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  28h	; (
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  52h	; R
		db    0
		db  53h	; S
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  29h	; )
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  41h	; A
		db    0
		db  55h	; U
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Bh
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  50h	; P
		db    0
		db  53h	; S
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Ah
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  43h	; C
		db    0
		db  4Fh	; O
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Fh	; O
		db    0
		db  57h	; W
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  43h	; C
		db    0
		db  47h	; G
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  53h	; S
		db    0
		db  59h	; Y
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  12h
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  49h	; I
		db    0
		db  55h	; U
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Eh	; N
		db    0
		db  55h	; U
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  53h	; S
		db    0
		db  55h	; U
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  45h	; E
		db    0
		db  44h	; D
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    9
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  52h	; R
		db    0
		db  43h	; C
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Ch
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  57h	; W
		db    0
		db  52h	; R
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  21h	; !
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  41h	; A
		db    0
		db  4Eh	; N
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    7
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Ch	; L
		db    0
		db  41h	; A
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0F4h	; 
		db    1
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Ch	; L
		db    0
		db  47h	; G
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0F5h	; 
		db    1
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  42h	; B
		db    0
		db  41h	; A
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  20h
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  43h	; C
		db    0
		db  59h	; Y
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  39h	; 9
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  42h	; B
		db    0
		db  47h	; G
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  22h	; "
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  42h	; B
		db    0
		db  55h	; U
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  21h	; !
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  50h	; P
		db    0
		db  55h	; U
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  23h	; #
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  57h	; W
		db    0
		db  44h	; D
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  50h	; P
		db    0
		db  41h	; A
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  52h	; R
		db    0
		db  55h	; U
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  2Ah	; *
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Ch	; L
		db    0
		db  53h	; S
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  13h
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Eh	; N
		db    0
		db  53h	; S
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  14h
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  52h	; R
		db    0
		db  44h	; D
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  2Bh	; +
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Eh	; N
		db    0
		db  4Fh	; O
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  2Ch	; ,
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Dh	; M
		db    0
		db  55h	; U
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  2Eh	; .
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Ch	; L
		db    0
		db  55h	; U
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  2Fh	; /
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  49h	; I
		db    0
		db  53h	; S
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  38h	; 8
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Ch	; L
		db    0
		db  57h	; W
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Dh	; M
		db    0
		db  45h	; E
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  20h
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Dh	; M
		db    0
		db  50h	; P
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  21h	; !
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  48h	; H
		db    0
		db  49h	; I
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  30h	; 0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  53h	; S
		db    0
		db  49h	; I
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  40h	; @
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  43h	; C
		db    0
		db  59h	; Y
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  39h	; 9
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  45h	; E
		db    0
		db  52h	; R
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  3Dh	; =
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  52h	; R
		db    0
		db  4Fh	; O
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0F2h	; 
		db    1
		db    0
		db    0
		db    7
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  43h	; C
		db    0
		db  44h	; D
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  3Eh	; >
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  41h	; A
		db    0
		db  43h	; C
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    9
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  52h	; R
		db    0
		db  41h	; A
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  3Fh	; ?
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  45h	; E
		db    0
		db  53h	; S
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  40h	; @
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Dh	; M
		db    0
		db  53h	; S
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  41h	; A
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  55h	; U
		db    0
		db  44h	; D
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  54h	; T
		db    0
		db    0
		db    0
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  48h	; H
		db    0
		db  41h	; A
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  42h	; B
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  41h	; A
		db    0
		db  41h	; A
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  43h	; C
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  52h	; R
		db    0
		db  4Dh	; M
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  44h	; D
		db    2
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  41h	; A
		db    0
		db  53h	; S
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  0Bh
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  53h	; S
		db    0
		db  53h	; S
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db  0Bh
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_VfVerifyMode	dd 0FFFFFFFFh		; DATA XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x):loc_A61267r
					; VeAllocatePoolWithTagPriority(x,x,x,x,x)+81r	...
_EtwpCoverageEntryCount	dd 1000h	; DATA XREF: EtwpCoverageEnsureContext():loc_8AF128r
					; EtwpCoverageEnsureContext()+5Cw ...
_EtwpCoverageFlushPeriod dd 493E0h	; DATA XREF: EtwpCoverageEnsureContext()+62r
					; EtwpCoverageEnsureContext()+6Aw ...
_EtwpCoverageResetPeriod dd 5265C00h	; DATA XREF: EtwpCoverageEnsureContext()+74r
					; EtwpCoverageEnsureContext()+7Cw ...
		align 8
_EtwpDebuggerData db  28h ; (		; DATA XREF: .data:006B1DB8o
		db    3
		db  2Ch	; ,
		db    8
		db    4
		db  38h	; 8
		db  0Ch
		db 0A0h	; 
		db  7Ch	; |
		db    0
		db  48h	; H
		db    8
		db  5Ch	; \
		db  0Ch
		db    4
		db  40h	; @
dword_6B58B8	dd 0			; DATA XREF: EtwInitializeSiloState+1FBw
dword_6B58BC	dd 0			; DATA XREF: EtwInitializeSiloState+201w
dword_6B58C0	dd 0			; DATA XREF: EtwInitializeSiloState+207w
dword_6B58C4	dd 0			; DATA XREF: EtwInitializeSiloState+20Dw
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_ExpDebuggerWork dd 4			; DATA XREF: ExQueueDebuggerWorker()+4o
					; MiDbgMarkPfnModified(x,x,x)+229o ...
		align 8
unk_6B58D8	db  12h			; DATA XREF: BcpGetCharacterMaxResourceProfile(x,x,x,x)+Do
					; BcpDisplayErrorInformation(x,x,x,x,x,x)+44o ...
		db    0
		db    0
		db    0
		db  16h
		db    0
		db    0
		db    0
dword_6B58E0	dd 1Ah			; DATA XREF: BcpDisplayProgress(x,x):loc_6998F0r
					; BcpDisplayProgress(x,x)+69r ...
dword_6B58E4	dd 78h			; DATA XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+F7r
dword_6B58E8	dd 50h			; DATA XREF: BcpDisplayCriticalString(x,x,x,x):loc_6993E9r
					; BcpDisplayCriticalString(x,x,x,x):loc_699406r ...
dword_6B58EC	dd 2Dh			; DATA XREF: BgpDisplaySafeToPowerOffScreen()+71r
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+D3r
dword_6B58F0	dd 1D6h			; DATA XREF: BcpDisplayCriticalString(x,x,x,x)+51r
					; BcpDisplayProgress(x,x)+107r
		db 0B9h	; 
		db    0
		db    0
		db    0
dword_6B58F8	dd 7			; DATA XREF: BcpDisplayCriticalString(x,x,x,x)+34r
					; BcpDisplayCriticalString(x,x,x,x)+57r ...
dword_6B58FC	dd 3			; DATA XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+122r
dword_6B5900	dd 1			; DATA XREF: BcpDisplayCriticalString(x,x,x,x)+1B2r
					; BcpDisplayCriticalString(x,x,x,x)+22Ar
dword_6B5904	dd 14h			; DATA XREF: BcpGetComponentOffsets(x,x,x,x,x,x)+42r
					; BcpGetComponentOffsets(x,x,x,x,x,x)+4Br ...
		db  1Eh
		db    0
		db    0
		db    0
dword_6B590C	dd 28h			; DATA XREF: BcpGetComponentOffsets(x,x,x,x,x,x)+FBr
dword_6B5910	dd 0Ah			; DATA XREF: BcpGetComponentOffsets(x,x,x,x,x,x)+10Cr
dword_6B5914	dd 22h			; DATA XREF: BcpGetComponentOffsets(x,x,x,x,x,x)+11Dr
		align 10h
		db  12h
		db    0
		db    0
		db    0
		db  16h
		db    0
		db    0
		db    0
		db  20h
		db    0
		db    0
		db    0
		db 0A0h	; 
		db    0
		db    0
		db    0
		db  69h	; i
		db    0
		db    0
		db    0
		db  3Ch	; <
		db    0
		db    0
		db    0
		db 0FEh	; 
		db    1
		db    0
		db    0
		db 0FAh	; 
		db    0
		db    0
		db    0
		db  0Ah
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db  16h
		db    0
		db    0
		db    0
		db  28h	; (
		db    0
		db    0
		db    0
		db  2Ch	; ,
		db    0
		db    0
		db    0
		db  0Fh
		db    0
		db    0
		db    0
		db  26h	; &
		db    0
		db    0
		db    0
dword_6B5960	dd 281h			; DATA XREF: BcpGetDisplayType(x,x,x):loc_699B8Br
dword_6B5964	dd 1E1h			; DATA XREF: BcpGetDisplayType(x,x,x)+18r
		db  12h
		db    0
		db    0
		db    0
		db  16h
		db    0
		db    0
		db    0
		db  28h	; (
		db    0
		db    0
		db    0
		db 0C8h	; 
		db    0
		db    0
		db    0
		db  87h	; 
		db    0
		db    0
		db    0
		db  4Bh	; K
		db    0
		db    0
		db    0
		db  5Ch	; \
		db    3
		db    0
		db    0
		db  36h	; 6
		db    1
		db    0
		db    0
		db  0Ch
		db    0
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db  18h
		db    0
		db    0
		db    0
		db  32h	; 2
		db    0
		db    0
		db    0
		db  30h	; 0
		db    0
		db    0
		db    0
		db  11h
		db    0
		db    0
		db    0
		db  2Ah	; *
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db  18h
		db    0
		db    0
		db    0
		db  1Eh
		db    0
		db    0
		db    0
		db  38h	; 8
		db    0
		db    0
		db    0
		db  18h
		db    1
		db    0
		db    0
		db 0BEh	; 
		db    0
		db    0
		db    0
		db  69h	; i
		db    0
		db    0
		db    0
		db 0D4h	; 
		db    3
		db    0
		db    0
		db 0B8h	; 
		db    1
		db    0
		db    0
		db  11h
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db  22h	; "
		db    0
		db    0
		db    0
		db  46h	; F
		db    0
		db    0
		db    0
		db  44h	; D
		db    0
		db    0
		db    0
		db  14h
		db    0
		db    0
		db    0
		db  3Ch	; <
		db    0
		db    0
		db    0
		db  80h	; 
		db    7
		db    0
		db    0
		db  38h	; 8
		db    4
		db    0
		db    0
		db  22h	; "
		db    0
		db    0
		db    0
		db  28h	; (
		db    0
		db    0
		db    0
		db  48h	; H
		db    0
		db    0
		db    0
		db  68h	; h
		db    1
		db    0
		db    0
		db 0F5h	; 
		db    0
		db    0
		db    0
		db  87h	; 
		db    0
		db    0
		db    0
		db 0E2h	; 
		db    4
		db    0
		db    0
		db  62h	; b
		db    2
		db    0
		db    0
		db  16h
		db    0
		db    0
		db    0
		db  0Bh
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db  31h	; 1
		db    0
		db    0
		db    0
		db  5Ah	; Z
		db    0
		db    0
		db    0
		db  62h	; b
		db    0
		db    0
		db    0
		db  19h
		db    0
		db    0
		db    0
		db  56h	; V
		db    0
		db    0
		db    0
		db    0
		db  0Ah
		db    0
		db    0
		db 0A0h	; 
		db    5
		db    0
		db    0
_Cc5MicroSeconds db 0CEh ; 		; DATA XREF: CcWaitForCurrentLazyWriterActivityInternal(x)+D1o
					; BgpBcInitializeCriticalMode+257o
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_CmFcFeatureConfigMapping db	0	; DATA XREF: CmUpdateFeatureConfiguration(x,x,x)+51o
					; CmUpdateFeatureUsageSubscription(x,x,x)+50o ...
		db    0
		db    2
		db    0
		db    3
		db    0
		db    2
		db    0
		db    0
		db    0
		db    2
		db    0
		db    3
		db    0
		db  1Fh
		db    0
_KiClockCheckPending dd	10001h		; DATA XREF: KiUpdateTime+1C1w
dword_6B5A5C	dd 0			; DATA XREF: KiUpdateTime+1CBw
dword_6B5A60	dd 0			; DATA XREF: KiUpdateTime+1B9r
					; KiUpdateTime+1D5w ...
_KiClockCheckReady db	 1
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B5A6C	dd 0			; DATA XREF: KiCheckKeepAlive(x)+14r
					; KiCheckKeepAlive(x):loc_500374w
_KiGroupSchedulingOverQuotaMask	db    1	; DATA XREF: KiForwardTick+104o
					; KiComputeGroupSchedulingRank+16B680o	...
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B5A78	dd 0			; DATA XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+B8r
					; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x)+10Ar
_KiSystemFullyCoherent dd 1		; DATA XREF: KeFlushIoBuffers+27r
					; KeReportCacheIncoherentDevice()w ...
_KiVerwClearErrataVersions db  11h	; DATA XREF: KiIsTsaMitigationSupported(x)+33o
		db  0Fh
		db 0A1h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  54h	; T
		db  11h
		db  10h
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db  12h
		db  0Fh
		db 0A1h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Fh	; O
		db  12h
		db  10h
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db  11h
		db  0Fh
		db 0A0h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0DBh	; 
		db  11h
		db    0
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db  12h
		db  0Fh
		db 0A0h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  44h	; D
		db  12h
		db    0
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db  82h	; 
		db  0Fh
		db 0A0h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Fh
		db  82h	; 
		db    0
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db  10h
		db  0Fh
		db 0A2h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  30h	; 0
		db  10h
		db  20h
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db  12h
		db  0Fh
		db 0A2h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  13h
		db  12h
		db  20h
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db  41h	; A
		db  0Fh
		db 0A4h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Ah
		db  41h	; A
		db  40h	; @
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Fh
		db 0A5h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  14h
		db    0
		db  50h	; P
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db  81h	; 
		db  0Fh
		db 0A1h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Ch
		db  81h	; 
		db  10h
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db  12h
		db  0Fh
		db 0A6h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Ch
		db  12h
		db  60h	; `
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db  41h	; A
		db  0Fh
		db 0A7h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Ah
		db  41h	; A
		db  70h	; p
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db  52h	; R
		db  0Fh
		db 0A7h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Ah
		db  52h	; R
		db  70h	; p
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db  80h	; 
		db  0Fh
		db 0A7h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Ah
		db  80h	; 
		db  70h	; p
		db  0Ah
		db    0
		db    0
		db    0
		db    0
		db 0C0h	; 
		db  0Fh
		db 0A7h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Ah
		db 0C0h	; 
		db  70h	; p
		db  0Ah
		db    0
		db    0
		db    0
		db    0
_PopFxSystemLatencyLimit dd 0FFFFFFFFh	; DATA XREF: PoFxSendSystemLatencyUpdate:loc_43D6DAr
					; PoFxSendSystemLatencyUpdate:loc_43D718w ...
_PopLogFxDefaultPepWorkerOrphaned db	1 ; DATA XREF: PopDiagTraceFxDefaultPepWorkerEnd+9Bo
		db    0
		db    0
		db    0
; unsigned char	(* `public: static enum	 _ST_COMPACTION_CHECK_RESULT __stdcall ST_STORE<struct SM_TRAITS>::StDmCheckForCompaction(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, unsigned long)'::`2'::ThresholdShiftTableInMem)[2]
?ThresholdShiftTableInMem@?1??StDmCheckForCompaction@?$ST_STORE@USM_TRAITS@@@@SG?AW4_ST_COMPACTION_CHECK_RESULT@@PAU_ST_DATA_MGR@2@K@Z@4PAY01EA	db    4
					; DATA XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction+49o
		db    5
		db    0
		db    2
_EtwpWdfNotifyRoutines db  10h		; DATA XREF: WmiQueryTraceInformation+134o
		db    0
		db    0
		db    0
dword_6B5B80	dd 0			; DATA XREF: EtwpEnableKernelTrace+129A32w
					; EtwpDisableKernelTrace:loc_90D377w
dword_6B5B84	dd 0			; DATA XREF: EtwpDisableKernelTrace:loc_7E3AA7w
					; EtwpEnableKernelTrace+129A45w
dword_6B5B88	dd 0			; DATA XREF: EtwpDisableKernelTrace:loc_7E3AAFw
					; EtwpEnableKernelTrace+129A56w
		align 10h
_ExpLuid	dd 3E9h			; DATA XREF: ExAllocateLocallyUniqueId(x)+Br
					; ExAllocateLocallyUniqueId(x)+31o ...
dword_6B5B94	dd 0			; DATA XREF: ExAllocateLocallyUniqueId(x)+13r
					; SepCreateAccessStateFromSubjectContext(x,x,x,x,x)+ACr ...
_CmpHoldLazyFlush dd 1			; DATA XREF: CmpArmLazyWriter+1Cr
					; CmpLazyFlushDpcRoutine+16r ...
unk_6B5B9C	db    1			; DATA XREF: BgkNotifyDisplayOwnershipChange+60o
					; BgkpTryEnableConsole()+14o ...
		db    0
		db    0
		db    0
_PopFxSystemLatencyHint	dd 0FFFFFFFFh	; DATA XREF: PoFxSendSystemLatencyUpdate+44w
					; PpmIdleSelectStates+8Dr
_PpmCheckRegistered dd 10001h		; DATA XREF: PpmCheckSnapAllDeliveredPerformance+1Ar
					; PpmCheckMakeupSkippedChecks+45o ...
dword_6B5BA8	dd 0			; DATA XREF: PpmCheckSnapAllDeliveredPerformance+22r
dword_6B5BAC	dd 0			; DATA XREF: PpmCheckSnapAllUtility()+13r
					; PpmCheckSnapAllDeliveredPerformance+2Ar ...
_PpmPerfCoreParkingMask	db    1		; DATA XREF: PpmParkReportMask+12A06Ao
					; PpmParkComputeDiff()+70o ...
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B5BB8	dd 0			; DATA XREF: PpmParkSteerInterrupts+A8r
					; PpmParkReportMask:loc_5B8908r ...
		align 10h
_PsNextSecurityDomain dd 0		; DATA XREF: MiCombiningInProgress(x,x,x):loc_64058Fr
					; MiCombiningInProgress(x,x,x)+47o ...
dword_6B5BC4	dd 1			; DATA XREF: MiCombiningInProgress(x,x,x)+4Cr
					; PspInitializeProcessSecurity+15Dr ...
_WheapHardwareErrorGuid	db  8Dh	; 	; DATA XREF: WheapProcessEfiBadMemoryPage+1Fo
					; WheapPersistPageForMemoryError(x)+47o
		db  58h	; X
		db  4Ch	; L
		db  78h	; x
		db 0A4h	; 
		db 0A2h	; 
		db 0B6h	; 
		db  4Ch	; L
		db  98h	; 
		db 0B2h	; 
		db  2Eh	; .
		db  44h	; D
		db  2Ah	; *
		db  83h	; 
		db 0DAh	; 
		db 0D9h	; 
_PopPagingEnabled db	1		; DATA XREF: PoBroadcastSystemState+290o
					; PoBroadcastSystemState+485o ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_PpmPerfStatesRegistered db    1	; DATA XREF: PpmUpdateProcessorPolicy+DAo
					; PpmRegisterPerfStates:loc_8A053Fo ...
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B5BE8	dd 0			; DATA XREF: PpmRegisterPerfStates+1A4r
					; PpmRegisterPerfStates:loc_8A0593r ...
		align 10h
_VrpHardCodedSdBlob db	  1		; DATA XREF: VRegSetup+7Ao
		db    0
		db    4
		db  90h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  14h
		db    0
		db    0
		db    0
		db    2
		db    0
		db  5Ch	; \
		db    0
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db  14h
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    1
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    5
		db  12h
		db    0
		db    0
		db    0
		db    0
		db    0
		db  18h
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    1
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    5
		db  20h
		db    0
		db    0
		db    0
		db  20h
		db    2
		db    0
		db    0
		db    0
		db    0
		db  28h	; (
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    1
		db    6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    5
		db  50h	; P
		db    0
		db    0
		db    0
		db  0Ah
		db 0D8h	; 
		db  62h	; b
		db  3Ah	; :
		db 0D9h	; 
		db 0C6h	; 
		db  0Fh
		db  18h
		db  1Bh
		db  65h	; e
		db 0B5h	; 
		db 0EBh	; 
		db 0D6h	; 
		db  6Dh	; m
		db  2Fh	; /
		db  8Bh	; 
		db  78h	; x
		db  83h	; 
		db  39h	; 9
		db  5Ch	; \
_PnpDriverInitPhaseActivityId db  5Fh ;	_ ; DATA XREF: PnpCompleteSystemStartProcess()+76o
					; PnpDiagnosticTraceDriverInitPhaseStart(x)+16o
		db 0F2h	; 
		db 0B4h	; 
		db  13h
		db  6Bh	; k
		db 0E3h	; 
		db 0A7h	; 
		db  46h	; F
		db  87h	; 
		db  6Ch	; l
		db  8Ah	; 
		db 0B4h	; 
		db 0E1h	; 
		db  5Fh	; _
		db  8Eh	; 
		db  67h	; g
_Kd_WIN2000_Mask dd 1			; DATA XREF: NtQueryDebugFilterState(x,x):loc_53F2D5r
					; NtSetDebugFilterState+25o ...
_ObpLUIDDeviceMapsEnabled db	1	; DATA XREF: ObInitSystem+54Do
		db    0
		db    0
		db    0
_ObpTraceDepth	db  10h			; DATA XREF: ObpInitStackTrace+21o
		db    0
		db    0
		db    0
_ObpMaxStacks	db 0FDh	; 		; DATA XREF: ObpInitStackTrace+15o
		db  3Fh	; ?
		db    0
		db    0
_ObpObjectBuckets db  91h ; 		; DATA XREF: ObpInitStackTrace+Co
		db    1
		db    0
		db    0
_ObpStackBuckets db  10h		; DATA XREF: ObpInitStackTrace+2Bo
		db    0
		db    0
		db    0
_ObpStacksPerBucket db	  0		; DATA XREF: ObpInitStackTrace+36o
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_PopModernStandbyTransitionInfo	dd 0	; DATA XREF: PopGetModernStandbyTransitionReason(x,x)+12o
					; PopGetModernStandbyTransitionReason(x,x)+4Fo	...
byte_6B5C94	db 0			; DATA XREF: PopSetModernStandbyTransitionReason(x,x)+2Dr
					; PopSetModernStandbyTransitionReason(x,x)+35w
		align 4
dword_6B5C98	dd 33h			; DATA XREF: PopGetModernStandbyTransitionReason(x,x)+22r
					; PopSetModernStandbyTransitionReason(x,x)+3Fw
dword_6B5C9C	dd 33h			; DATA XREF: PopGetModernStandbyTransitionReason(x,x):loc_65636Dr
					; PopSetModernStandbyTransitionReason(x,x)+4Aw
dword_6B5CA0	dd 0			; DATA XREF: PopGetModernStandbyTransitionReason(x,x)+34r
					; PopSetModernStandbyTransitionReason(x,x)+50w
dword_6B5CA4	dd 0			; DATA XREF: PopGetModernStandbyTransitionReason(x,x)+3Ar
					; PopSetModernStandbyTransitionReason(x,x)+56w
_PopIdleWakeSourceDeviceBucketLimitsQpc	db    0
					; DATA XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+1C7o
					; PopIdleWakeInitialize()+5Bo
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0A3h	; 
		db 0E1h	; 
		db  11h
		db    0
		db    0
		db    0
		db    0
		db    0
		db  46h	; F
		db 0C3h	; 
		db  23h	; #
		db    0
		db    0
		db    0
		db    0
		db    0
		db  8Ch	; 
		db  86h	; 
		db  47h	; G
		db    0
		db    0
		db    0
		db    0
		db    0
		db  5Eh	; ^
		db 0D0h	; 
		db 0B2h	; 
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_PopIdleWakeSourceActivatorBucketLimitsQpc db	 0
					; DATA XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+1A4o
					; PopIdleWakeInitialize()+4Bo
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0A3h	; 
		db 0E1h	; 
		db  11h
		db    0
		db    0
		db    0
		db    0
		db    0
		db  46h	; F
		db 0C3h	; 
		db  23h	; #
		db    0
		db    0
		db    0
		db    0
		db    0
		db  8Ch	; 
		db  86h	; 
		db  47h	; G
		db    0
		db    0
		db    0
		db    0
		db    0
		db  5Eh	; ^
		db 0D0h	; 
		db 0B2h	; 
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_PopIdleWakeSourceActiveBucketLimitsQpc	db    0
					; DATA XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+167o
					; PopIdleWakeInitialize()+3Bo
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0A3h	; 
		db 0E1h	; 
		db  11h
		db    0
		db    0
		db    0
		db    0
		db    0
		db  46h	; F
		db 0C3h	; 
		db  23h	; #
		db    0
		db    0
		db    0
		db    0
		db    0
		db  8Ch	; 
		db  86h	; 
		db  47h	; G
		db    0
		db    0
		db    0
		db    0
		db    0
		db  5Eh	; ^
		db 0D0h	; 
		db 0B2h	; 
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_PopIdleSpuriousWakeBucketLimitsQpc db	  0
					; DATA XREF: PopIdleWakeNotifyIdleResiliencyState(x)+B5o
					; PopIdleWakeInitialize()+26o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  40h	; @
		db  4Bh	; K
		db  4Ch	; L
		db    0
		db    0
		db    0
		db    0
		db    0
		db  80h	; 
		db  96h	; 
		db  98h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  80h	; 
		db 0F0h	; 
		db 0FAh	; 
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0E1h	; 
		db 0F5h	; 
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0A3h	; 
		db 0E1h	; 
		db  11h
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_PopIdleWakePeriodAccountingBucketLimitsMs db	 0 ; DATA XREF:	PopIdleWakeInitialize()+99o
					; PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+39Co
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0F4h	; 
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0A0h	; 
		db  0Fh
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  98h	; 
		db  3Ah	; :
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  60h	; `
		db 0EAh	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0E0h	; 
		db  93h	; 
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0A0h	; 
		db 0BBh	; 
		db  0Dh
		db    0
		db    0
		db    0
		db    0
		db    0
		db  40h	; @
		db  77h	; w
		db  1Bh
		db    0
		db    0
		db    0
		db    0
		db    0
		db  80h	; 
		db 0EEh	; 
		db  36h	; 6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0BAh	; 
		db 0DBh	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  2Eh	; .
		db  93h	; 
		db    2
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_PopIdleWakeIdleAccountingBucketLimitsMs db    0 ; DATA	XREF: PopIdleWakeInitialize()+7Fo
					; PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+366o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0F4h	; 
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0A0h	; 
		db  0Fh
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  60h	; `
		db 0EAh	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0E0h	; 
		db  93h	; 
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0A0h	; 
		db 0BBh	; 
		db  0Dh
		db    0
		db    0
		db    0
		db    0
		db    0
		db  40h	; @
		db  77h	; w
		db  1Bh
		db    0
		db    0
		db    0
		db    0
		db    0
		db  80h	; 
		db 0EEh	; 
		db  36h	; 6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0BAh	; 
		db 0DBh	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_PopIdleWakeSourceExcessBucketLimitsQpc	db    0	; DATA XREF: PopIdleWakeInitialize()+6Bo
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0A3h	; 
		db 0E1h	; 
		db  11h
		db    0
		db    0
		db    0
		db    0
		db    0
		db  8Ch	; 
		db  86h	; 
		db  47h	; G
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_RtlpHeapFailureInfo db	   2		; DATA XREF: RtlHpGlobalsInitialize()+23o
		db    0
		db    0
		db    0
		db 0D0h	; 
		db    3
		db    0
		db    0
dword_6B5E48	dd 0			; DATA XREF: RtlpLogHeapFailure(x,x,x,x,x,x)+25w
					; RtlpHeapHandleError(x)r ...
dword_6B5E4C	dd 0			; DATA XREF: RtlpLogHeapFailure(x,x,x,x,x,x)+6r
					; RtlpLogHeapFailure(x,x,x,x,x,x)+2Bw ...
dword_6B5E50	dd 0			; DATA XREF: RtlpLogHeapFailure(x,x,x,x,x,x)+31w
					; RtlpHeapHandleError(x):loc_669D05r
dword_6B5E54	dd 0			; DATA XREF: RtlpLogHeapFailure(x,x,x,x,x,x)+14w
dword_6B5E58	dd 0			; DATA XREF: RtlpLogHeapFailure(x,x,x,x,x,x)+1Cw
dword_6B5E5C	dd 0			; DATA XREF: RtlpLogHeapFailure(x,x,x,x,x,x)+37w
dword_6B5E60	dd 0			; DATA XREF: RtlpLocateRelatedBlocks(x,x)+FCw
dword_6B5E64	dd 0			; DATA XREF: RtlpLocateRelatedBlocks(x,x)+102w
dword_6B5E68	dd 0			; DATA XREF: RtlpLocateRelatedBlocks(x,x)+182w
					; RtlpLocateRelatedBlocks(x,x)+1C6r
dword_6B5E6C	dd 0			; DATA XREF: RtlpLocateRelatedBlocks(x,x)+1A4w
					; RtlpLocateRelatedBlocks(x,x)+1E5r
; void unk_6B5E70
unk_6B5E70	db    0			; DATA XREF: RtlpHpHeapHandleError(x,x,x)+17o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
unk_6B5EF4	db    0			; DATA XREF: RtlpHeapExceptionFilter(x,x)+21o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_6B5F44	db    0			; DATA XREF: RtlpHeapExceptionFilter(x,x)+31o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_SepAllowAccessUponLogoff db 1		; DATA XREF: SeAccessCheckWithHintWithAdminlessChecks:loc_51BED3r
					; SeAccessCheckByTypeWithAdminlessChecks+544r ...
		align 4
_MS_Kernel_BootDiagnostics_UserProxy_Provider db 0ABh ;	
					; DATA XREF: PerfDiagInitialize()+47o
		db  2Ch	; ,
		db  93h	; 
		db  41h	; A
		db  12h
		db  7Eh	; ~
		db 0D6h	; 
		db  40h	; @
		db 0A7h	; 
		db  28h	; (
		db  62h	; b
		db 0D3h	; 
		db  0Eh
		db    5
		db  45h	; E
		db  93h	; 
_MS_Kernel_SecondaryLogonDiagnostics_Proxy_Provider db	15h
					; DATA XREF: PerfDiagInitialize()+5Co
		db  2Ch	; ,
		db  7Ah	; z
		db 0B2h	; 
		db 0F4h	; 
		db  40h	; @
		db 0A3h	; 
		db  4Eh	; N
		db  96h	; 
		db  37h	; 7
		db  62h	; b
		db  8Fh	; 
		db 0C6h	; 
		db  12h
		db 0A1h	; 
		db 0D0h	; 
_MS_Kernel_ShutdownDiagnostics_Proxy_Provider db  10h ;	DATA XREF: PerfDiagInitialize()+71o
		db  7Ah	; z
		db  5Ch	; \
		db 0ADh	; 
		db    8
		db  4Eh	; N
		db 0E1h	; 
		db  45h	; E
		db  81h	; 
		db 0B5h	; 
		db 0CBh	; 
		db  5Eh	; ^
		db 0B6h	; 
		db 0ECh	; 
		db  89h	; 
		db  17h
_MS_Kernel_BootDiagnostics_SystemProxy_Provider	db 0B3h	; 
					; DATA XREF: PerfDiagInitialize()+20o
		db  4Ah	; J
		db 0FEh	; 
		db  7Eh	; ~
		db  0Dh
		db  99h	; 
		db  50h	; P
		db  43h	; C
		db 0A8h	; 
		db  78h	; x
		db 0CDh	; 
		db  87h	; 
		db  72h	; r
		db  88h	; 
		db  81h	; 
		db  99h	; 
_WmipRegWorkItemCount dd 1		; DATA XREF: WmipQueueRegWork(x,x)+5Dw
					; WmipRegistrationWorker(x)+97w ...
_CcIdleDelay	dd 0FF676980h		; DATA XREF: CcRescheduleLazyWriteScan:loc_505B2Br
					; CcRescheduleLazyWriteScan:loc_505B8Ar ...
dword_6B625C	dd 0FFFFFFFFh		; DATA XREF: CcRescheduleLazyWriteScan+3Cr
					; CcRescheduleLazyWriteScan+9Br
_VrpAllowContainerNesting dd 1		; DATA XREF: .data:006B1EFCo
					; VrpIoctlDeviceDispatch:loc_8CA5E4r
_PopProcessorThrottleLogInterval dd 3E8h
					; DATA XREF: PpmPerfSnapDeliveredPerformance:loc_489A32r
					; PpmPerfSnapDeliveredPerformance+12DC9Cr ...
unk_6B6268	db    2			; DATA XREF: .data:006B204Co
					; .data:006B2064o
		db    3
		db    7
		db    8
		db  0Dh
		db  0Eh
		db  0Fh
		db  10h
unk_6B6270	db  15h			; DATA XREF: .data:006B2034o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
word_6B6278	dw 6001h		; DATA XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x):loc_5980C2r
					; SdbpCheckApplicationTypeAttributes(x,x,x,x)+C0r ...
word_6B627A	dw 6001h		; DATA XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+5Er
		db  29h	; )
		db  60h	; `
		db  29h	; )
		db  60h	; `
		db  2Ah	; *
		db  60h	; `
		db  2Ah	; *
		db  60h	; `
		db  45h	; E
		db  40h	; @
		db  45h	; E
		db  40h	; @
		db  2Bh	; +
		db  60h	; `
		db  2Bh	; +
		db  60h	; `
		db  14h
		db  50h	; P
		db  14h
		db  50h	; P
		db  15h
		db  50h	; P
		db  14h
		db  50h	; P
		db  16h
		db  50h	; P
		db  14h
		db  50h	; P
		db  17h
		db  50h	; P
		db  17h
		db  50h	; P
		db  18h
		db  50h	; P
		db  17h
		db  50h	; P
		db  19h
		db  50h	; P
		db  17h
		db  50h	; P
		db  42h	; B
		db  60h	; `
		db  42h	; B
		db  60h	; `
		db  48h	; H
		db  60h	; `
		db  48h	; H
		db  60h	; `
		db  11h
		db  60h	; `
		db  11h
		db  60h	; `
		db  46h	; F
		db  60h	; `
		db  11h
		db  60h	; `
		db  44h	; D
		db  60h	; `
		db  11h
		db  60h	; `
; Exported entry 1502. NtBuildNumber
		public _NtBuildNumber
_NtBuildNumber	dd 0F0004A61h		; DATA XREF: PsGetVersion:loc_550F05r
					; PsGetVersion:loc_5DDF92r ...
_CmpReorganizeLimit dd 100000h		; DATA XREF: CmCheckRegistry(x,x,x)+E6r
					; INIT:00AF5030o
_CmpDelayedCloseSize dd	800h		; DATA XREF: PAGE:007C6C7Ar
					; PAGE:00805479r ...
_CmpReorganizeDelayDays	dd 7		; DATA XREF: CmpReorganizeHive:loc_749EBEr
					; INIT:00AF5048o
_CmpLazyFlushIntervalInSeconds dd 3Ch	; DATA XREF: HvpMarkDirty+BAr
					; HvMarkBaseBlockDirty(x)+3Fr ...
_IoCountOperations dd 1			; DATA XREF: IopUpdateWriteTransferCount(x,x)r
					; IopUpdateWriteOperationCount()+3r ...
_IopCaseInsensitive dd 1		; DATA XREF: IoCreateDevice+C1r
					; IoGetDeviceObjectPointer+8r ...
_IopRequireDeviceAccessCheck dd	1	; DATA XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+2Ar
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+838r ...
_IopFailZeroAccessCreate dd 1		; DATA XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x):loc_7A3B6Cr
					; INIT:00AF4D30o
_ObpCaseInsensitive dd 1		; DATA XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+DEr
					; INIT:00AF4C88o
_PopFxWatchdogWorkOrderTimeout dd 493E0h ; DATA	XREF: PopFxDispatchPluginWorkOnce+67r
					; INIT:00AF48F8o
_PopFxActiveIdleTimeout	dd 3E8h		; DATA XREF: PopFxArmResidentTimer(x)+31r
					; INIT:00AF4880o
_PopFxActiveIdleLevel dd 1		; DATA XREF: PopFxIdleComponent+6Ar
					; PopFxIdleComponent:loc_4DA0D8r ...
_PopDirectedDripsDfxEnforcementPolicy dd 1
					; DATA XREF: PopFxEnforceDirectedPowerTransition(x,x,x):loc_596A1Ar
					; PopFxEnforceDirectedPowerTransition(x,x,x)+50r ...
_PopPreSleepNotificationSeconds	dd 12Ch	; DATA XREF: PopCheckForIdleness(x,x,x,x)+133r
					; PopInitializePreSleepNotificationsr ...
_PopPdcIdlePhaseDefaultWatchdogTimeoutSeconds dd 1Eh
					; DATA XREF: PopArmIdlePhaseWatchdog(x)+81r
					; INIT:00AF44A8o
_PopWin32kCalloutWatchdogTimeoutSeconds	dd 1Eh ; DATA XREF: PopInvokeWin32Callout+B3r
					; INIT:00AF4490o
_PopEsMode	dd 2			; DATA XREF: PopTraceEsState(x,x,x,x,x,x,x,x)+36r
					; PopTraceEsSetting(x,x,x)+19r	...
_EtwpProfileInterval dd	2710h		; DATA XREF: EtwpTimeProfileInit()r
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+210r ...
_ExMinimumLookasideDepth dw 4		; DATA XREF: ExInitializeLookasideListExInternal+ACr
					; ExInitializeLookasideListExInternal+119r ...
		align 4
_ExpWorkerFactoryThreadIdleTimeoutInSeconds dd 43h ; DATA XREF:	NtCreateWorkerFactory+153r
					; ExpWorkerFactoryInitialization:loc_ADA1D9r ...
; char ExCovMaxPagedPoolToUse
_ExCovMaxPagedPoolToUse	dd 400000h	; DATA XREF: ExCovAddInfoToLoaderEntry+15r
					; ExpCovCreateUnloadedModuleEntry(x)+A7r ...
_PopThermalTelemetryVerbosity dd 1	; DATA XREF: PopTraceThermalZonePassiveHistogram+53r
					; PopTraceThermalRequestPassiveHistogram+B1r ...
		align 8
_NtBuildQfe	dd 1938h		; DATA XREF: CmpSetVersionData+9A675w
					; EtwpTraceSystemInitialization+2Br
_CmSelfHeal	dd 1			; DATA XREF: CmpInitializeSystemHive+BCr
					; CmpInitializePreloadedHive+1E0r ...
_CmFastBoot	dd 1			; DATA XREF: CmCompleteRegistryInitialization:loc_885303r
					; CmpFinishSystemHivesLoad(x)+368r ...
_CmVEEnabled	dd 1			; DATA XREF: CmpInitVirtualEngine()+9r
					; INIT:00AF5078o
_CmFreezeThawTimeoutInSeconds dd 3Ch	; DATA XREF: CmpInitializeFreezeThaw+Cr
					; CmpInitializeNameCache:loc_929A8Fw ...
_CmpLazyLocalizeIntervalInSeconds dd 3Ch ; DATA	XREF: CmpInitializeLazyWriters+23r
					; INIT:00AF4FE8o
_CmpLazyReconcileIntervalInSeconds dd 0E10h ; DATA XREF: CmpInitializeLazyWriters+16r
					; INIT:00AF4FD0o
_CmpEnableLazyFlushBootDelayInterval dd	3Ch ; DATA XREF: CmpCmdInit+44r
					; CmpCmdInit+A16AEw ...
_PassiveInterruptRealtimeWorkerPriority	db 10h
					; DATA XREF: IopCreatePassiveInterruptRealtimeThreads(x,x)+92r
					; IopQueryPassiveInterruptRegistryOptions+48r ...
		align 4
_KeTimerCheckFlags db 1			; DATA XREF: KeCheckForTimer(x,x)+8r
					; INIT:00AF40A0o
		align 10h
_KeXSavePolicyId dd 1			; DATA XREF: KiIntersectFeaturesWithPolicy+50r
					; KiIntersectFeaturesWithPolicy:loc_72B05Dr ...
_KiPassiveWatchdogTimeout dd 12Ch	; DATA XREF: KiInvokeInterruptServiceRoutine(x,x,x)+BAr
					; KiInvokeInterruptServiceRoutine(x,x,x)+F0r ...
_KseZeroPoolShimGuid db	 29h ; )	; DATA XREF: .data:006B2E2Co
		db  74h	; t
		db  84h	; 
		db  6Bh	; k
		db  30h	; 0
		db 0C4h	; 
		db  82h	; 
		db  46h	; F
		db 0B5h	; 
		db  5Fh	; _
		db 0FDh	; 
		db  11h
		db 0A7h	; 
		db 0B5h	; 
		db  54h	; T
		db  65h	; e
_Win7VersionLieShimGuid	db 0D1h	; 	; DATA XREF: .data:006B2E48o
		db 0B2h	; 
		db  28h	; (
		db  3Eh	; >
		db  33h	; 3
		db 0E6h	; 
		db  8Ch	; 
		db  40h	; @
		db  8Eh	; 
		db  9Bh	; 
		db  2Ah	; *
		db 0FAh	; 
		db  6Fh	; o
unk_6B6365	db  47h	; G		; DATA XREF: .text:loc_42297Do
					; .text:00422A1Co ...
		db 0FCh	; 
		db 0C3h	; 
_Win81VersionLieShimGuid db  58h ; X	; DATA XREF: .data:006B2E80o
		db 0FBh	; 
		db 0C4h	; 
		db  21h	; !
		db  77h	; w
		db 0D4h	; 
		db  39h	; 9
		db  48h	; H
		db 0A7h	; 
		db 0EAh	; 
		db 0ADh	; 
		db  69h	; i
		db  18h
		db 0FBh	; 
		db 0C5h	; 
		db  18h
_Win8VersionLieShimGuid	db  55h	; U	; DATA XREF: .data:006B2E64o
		db  2Fh	; /
		db  71h	; q
		db  47h	; G
		db  93h	; 
		db 0BDh	; 
		db 0FCh	; 
		db  43h	; C
		db  92h	; 
		db  48h	; H
		db 0B9h	; 
		db 0A8h	; 
		db  37h	; 7
		db  10h
		db    6
		db  6Eh	; n
_KseDsShimGuid	db  45h	; E		; DATA XREF: .data:006B2E9Co
		db 0ABh	; 
		db    4
		db 0BCh	; 
		db  7Eh	; ~
		db 0EAh	; 
		db  11h
		db  4Ah	; J
		db 0A7h	; 
		db 0BBh	; 
		db  97h	; 
		db  76h	; v
		db  15h
		db 0F4h	; 
		db 0CAh	; 
		db 0AEh	; 
_KseSkipDriverUnloadShimGuid db	0A6h ;  ; DATA	XREF: .data:006B2EB8o
		db  2Ch	; ,
		db  8Ch	; 
		db  3Eh	; >
		db 0E2h	; 
		db  34h	; 4
		db 0E6h	; 
		db  4Dh	; M
		db  8Ah	; 
		db  1Eh
		db  96h	; 
		db  92h	; 
		db 0DDh	; 
		db  3Eh	; >
		db  31h	; 1
		db  6Bh	; k
_MmSpecialPurposeMemoryStartPageValueSize db	8 ; DATA XREF: INIT:00AF3CB4o
		db    0
		db    0
		db    0
_ObpUnsecureGlobalNamesLength db    0	; DATA XREF: INIT:00AF408Co
		db    1
		db    0
		db    0
_ObpObjectSecurityMode dd 1		; DATA XREF: PAGE:007805CAr
					; INIT:00AF3500o
_ObpTracePoolTagsLength	db  80h	; 	; DATA XREF: INIT:00AF402Co
		db    0
		db    0
		db    0
_ObpTraceProcessNameLength db  80h ; 	; DATA XREF: INIT:00AF4044o
		db    0
		db    0
		db    0
_PopFxRuntimeLogNumberEntries dd 40h	; DATA XREF: PAGE:loc_89ADF3r
					; INIT:00AF4B80o
_PopFxDirectedFxDefaultTimeout dd 78h	; DATA XREF: PoFxRegisterDevice+1BEr
					; PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+134r ...
_PopDirectedDripsWaitWakeTimeoutSeconds	dd 5
					; DATA XREF: PopDirectedDripsInitializePhase0(x)+56r
					; INIT:00AF49D0o
_PopDirectedDripsSurprisePowerOnTimeoutSeconds dd 5
					; DATA XREF: PopDirectedDripsInitializePhase0(x)+69r
					; INIT:00AF49E8o
_PopDirectedDripsOverride dd 0FFFFFFFFh	; DATA XREF: PopDirectedDripsQueryPs4Support+Cr
					; PopDirectedDripsQueryPs4Support+21r ...
_PopDisableInboxPepGeneratedConstraintsOverride	dd 0FFFFFFFFh
					; DATA XREF: PopPowerInformationInternal+171BA7r
					; INIT:00AF4C70o
_PopCoalescingTimerInterval dd 5DCh	; DATA XREF: PopCoalescingSetTimer()+16r
					; PopDiagTraceIoCoalescingOn(x,x,x,x)+1Br ...
_PopCoalescingFlushInterval dd 3Ch	; DATA XREF: PopCoalescingCheck(x,x,x,x)+13r
					; PopDiagTraceIoCoalescingOn(x,x,x,x)+15r ...
; void PopCurrentDiskIdleTimeout
_PopCurrentDiskIdleTimeout dd 0FFFFFFFFh
					; DATA XREF: PopUpdateDiskIdleTimeoutSetting:loc_884AD6r
					; PopUpdateDiskIdleTimeoutSetting:loc_92609Eo ...
_PopCheckPowerSourceAfterRtcWakeTime dd	1Eh
					; DATA XREF: PopCheckPowerSourceAfterRtcWakeSet()+2Ar
					; INIT:00AF4A60o
_PopSleepStudyDeviceAccountingLevel dd 4 ; DATA	XREF: PoFxInitPowerManagement+E7r
					; INIT:00AF40E8o
_PopEnableInputSuppressionOverride dd 0FFFFFFFFh ; DATA	XREF: PoInitSystem+238AFr
					; INIT:00AF4850o
_PopLidStateForInputSuppressionOverride	dd 0FFFFFFFFh ;	DATA XREF: PoInitSystem+2388Ar
					; INIT:00AF4868o
_PopPepIdleStateTimeout	dd 1F4h		; DATA XREF: PopPepArmIdleTimer(x)r
					; PopPepArmIdleTimer(x)+38r ...
_PopDripsWatchdogDebounceInterval dd 78h
					; DATA XREF: PopDripsWatchdogInitializeCallbackTimer(x)+39r
					; INIT:00AF4928o
_SeAdminlessEnableWatsonThrottling db	 1 ; DATA XREF:	INIT:00AF65D8o
		db    0
		db    0
		db    0
_SeLpacEnableWatsonThrottling dd 1	; DATA XREF: SepLogLpacAccessFailure(x):loc_66E305r
					; INIT:00AF6590o
_ViLwspPoolTagsSize db	28h ; (		; DATA XREF: INIT:00AF3A74o
		db    0
		db    0
		db    0
_VerifierFaultApplicationsBufferSize dd	100h ; DATA XREF: ViFaultsInitializeAppsList()+4Fr
					; INIT:00AF3A44o
_VerifierFaultTagsBufferSize dd	100h	; DATA XREF: ViFaultsInitializeTagsList()+55r
					; INIT:00AF3A5Co
_VfFaultInjectionProbability dd	258h	; DATA XREF: VfFaultsInjectResourceFailure(x):loc_A67A85r
					; VfFaultsSetParameters(x):loc_A67C0Dw	...
_VfFaultInjectionBootMinutes dd	8	; DATA XREF: VfFaultsInitPhase0()r
					; INIT:00AF3A28o
_VfRuleClassesSize db	 8		; DATA XREF: INIT:00AF399Co
		db    0
		db    0
		db    0
; char ViVerifyTriage
_ViVerifyTriage	dd 0FFFFFFFFh		; DATA XREF: VfTriageSystem+Br
					; VfTriageSystem+3Cr ...
_MmVerifyDriverLevel dd	0FFFFFFFFh	; DATA XREF: VfInitSystemNoRebootNeeded(x,x):loc_A5A4AFr
					; VfInitSystemNoRebootNeeded(x,x)+89w ...
_IovIrpTracesLength dd 4000h		; DATA XREF: IoVerifierCheckForSettingsChange(x)+22r
					; IoVerifierCheckForSettingsChange(x)+3Ew ...
_VfHandleTracingEntries	dd 4000h	; DATA XREF: ViSettingsEnableKernelHandleChecking(x):loc_A6AEA3r
					; INIT:00AF3938o
_EtwpMemInfoInterval dd	1F4h		; DATA XREF: EtwpEnableKernelTrace:loc_90D060r
					; INIT:00AF6200o
_EtwpStackCaptureTimeout dd 190h	; DATA XREF: EtwpTraceThreadRundownWithStack(x,x)+87r
					; EtwpReadConfigParameters:loc_AD9E52w	...
_ExpMaxTimeSeperationBeforeCorrect dd 3Ch
					; DATA XREF: ExUpdateSystemTimeFromCmos:loc_72976Fr
					; INIT:00AF5180o
_ExResourceCheckFlags db 3		; DATA XREF: ExpCheckForResource(x,x)+3Br
					; INIT:00AF4DF0o
		align 4
_ExpMaximumKernelWorkerThreads dd 1000h	; DATA XREF: ExpPartitionInitialize+130r
					; ExpPartitionInitialize+14Cr ...
_ExpWorkerThreadTimeoutInSeconds dd 258h ; DATA	XREF: ExpWorkQueueManagerThread+82r
					; ExpWorkQueueManagerThread+C2r ...
_ExpWorkerFactoryThreadCreationTimeoutInSeconds	dd 0Ah
					; DATA XREF: ExpWorkerFactoryInitialization+8r
					; ExpWorkerFactoryInitialization:loc_AEA105w ...
_WheapRegPolicyCmciThresholdPollCount dd 0FFFFFFFFh
					; DATA XREF: WheapSetPolicyValue(x,x):loc_A12DE5r
					; PAGE:00A41C5Co ...
_WheapRegPolicyRestoreCmciMaxAttempts dd 0FFFFFFFFh
					; DATA XREF: WheapSetPolicyValue(x,x):loc_A12DC5r
					; PAGE:00A41C1Co ...
_WheapRegPolicyRestoreCmciErrorLimit dd	0FFFFFFFFh
					; DATA XREF: WheapSetPolicyValue(x,x):loc_A12DCDr
					; PAGE:00A41C2Co ...
_WheapRegPolicyCmciThresholdCount dd 0FFFFFFFFh
					; DATA XREF: WheapSetPolicyValue(x,x):loc_A12DD5r
					; PAGE:00A41C3Co ...
_WheapRegPolicyCmciThresholdTime dd 0FFFFFFFFh
					; DATA XREF: WheapSetPolicyValue(x,x):loc_A12DDDr
					; PAGE:00A41C4Co ...
_WheaRegPolicyMemPfaThreshold dd 0FFFFFFFFh ; DATA XREF: PAGE:00A41BDCo
					; WheapLoadPolicy:loc_AD88E1r ...
_WheaRegPolicyMemPfaTimeout dd 0FFFFFFFFh ; DATA XREF: PAGE:00A41BECo
					; WheapLoadPolicy:loc_AD8903r ...
_WheaRegPolicyIgnoreDummyWrite dd 0FFFFFFFFh ; DATA XREF: PAGE:00A129F3w
					; WheapGetPolicyValue(x,x)+63r	...
_WheapRegPolicyRestoreCmciEnabled dd 0FFFFFFFFh
					; DATA XREF: WheapSetPolicyValue(x,x):loc_A12DBDr
					; PAGE:00A41C0Co ...
_WheaRegPolicyDisableOffline dd	0FFFFFFFFh ; DATA XREF:	PAGE:off_A41B9Co
					; WheapLoadPolicy+1Dr ...
_WheaRegPolicyMemPersistOffline	dd 0FFFFFFFFh ;	DATA XREF: PAGE:00A41BACo
					; WheapLoadPolicy:loc_AD8860r ...
_WheaRegPolicyMemPfaDisable dd 0FFFFFFFFh ; DATA XREF: PAGE:00A41BBCo
					; WheapLoadPolicy:loc_AD88ADr ...
_WheaRegPolicyMemPfaPageCount dd 0FFFFFFFFh ; DATA XREF: PAGE:00A41BCCo
					; WheapLoadPolicy:loc_AD88BAr ...
_WheapSingleBitEccErrorThreshold dd 0FFFFFFFFh ; DATA XREF: WheapLoadPolicy+BCr
					; WheapLoadPolicy:loc_AD89F4r ...
_WheapMaxCorrectedMCEOutstanding dd 0FFFFFFFFh ; DATA XREF: WheapLoadPolicy+9Ar
					; WheapLoadPolicy:loc_AD89FCr ...
_WheapPolicyRestoreCmciErrorLimit dd 10h ; DATA	XREF: PAGE:00A12A3Cw
					; WheapGetPolicyValue(x,x):loc_A12C1Fr	...
_WheapPolicyMemPfaPageCount dd 40h	; DATA XREF: PAGE:00A129A5w
					; WheapGetPolicyValue(x,x):loc_A12BDCr	...
_WheapPolicyRestoreCmciMaxAttempts dd 0BB8h ; DATA XREF: PAGE:00A12A26w
					; WheapGetPolicyValue(x,x):loc_A12C18r	...
_WheapPolicyRestoreCmciEnabled db 1	; DATA XREF: PAGE:00A12A0Cw
					; WheapGetPolicyValue(x,x)+6Dr	...
		align 10h
_WheapPolicyMemPfaThreshold dd 10h	; DATA XREF: PAGE:00A129B8w
					; WheapGetPolicyValue(x,x):loc_A12BE3r	...
word_6B6494	dw 0			; DATA XREF: AslImageFileToArchitecture:loc_92EBE9r
word_6B6496	dw 14Ch			; DATA XREF: AslImageFileToArchitecture:loc_89CC74r
		db    9
		db    0
		db  64h	; d
		db  86h	; 
		db    5
		db    0
		db 0C4h	; 
		db    1
		db  0Ch
		db    0
		db  64h	; d
		db 0AAh	; 
unk_6B64A4	db    0			; DATA XREF: .data:off_6B34A8o
		db    0
		db    0
		db    0
		db  0Ch
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
; size_t dword_6B64B4
dword_6B64B4	dd 10h			; DATA XREF: IoQueryVhdBootInformation+13r
					; VhdInitialize+F7DCw
_Cc10Milliseconds db  60h ; `		; DATA XREF: CcInitializeCacheMapEx+117079o
					; CcCrossPartitionDrainSectionDeletion():loc_5FC090o
		db  79h	; y
		db 0FEh	; 
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_Cc5Milliseconds db 0B0h ; 		; DATA XREF: CcMapAndCopyInToCache+138455o
					; CcDeleteSectionsForPartition(x,x)+BEo
		db  3Ch	; <
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_CcCollisionDelay db 0C0h ; 		; DATA XREF: CcPurgeCacheSection+E06B0o
		db 0BDh	; 
		db 0F0h	; 
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_CcRandomSeed	db 0ADh	; 		; DATA XREF: CcGetRandomVacbArrayWithReference():loc_5FD967o
					; CcUnmapInactiveViewsInternal(x,x,x,x):loc_5FDE92o
		db 0ADh	; 
		db    0
		db    0
_CmpPeriodicBackupFlushHiveCount dd 7	; DATA XREF: CmpSyncNextBackupHive():loc_941EE6r
					; CmpSyncNextBackupHive()+88o
_CmpFirstReorganize db 1		; DATA XREF: CmpReorganizeHive+184D91r
					; CmpReorganizeHive+184DB6w
		align 10h
_SQM_INCREMENT_DWORD db	   6		; DATA XREF: DbgkpLkmdSqmIncrementDword(x,x,x,x)+39o
		db    0
		db    0
		db    0
		db    4
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db  80h	; 
byte_6B64F0	db 1			; DATA XREF: HvlGetLpIndexFromProcessorIndex(x)+5r
					; HvlpEnableRootVirtualProcessor+44w
		align 8
unk_6B64F8	db    5			; DATA XREF: HvlpGetRegister64(x,x):loc_6071F5o
					; HvlpSetRegister64(x,x,x):loc_6072B0o
		db    0
		db    0
		db 0C0h	; 
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_MainPalette	db    0			; DATA XREF: FadePalette(x)+10o
unk_6B6549	db    0			; DATA XREF: FadePalette(x)+16o
		db    0
		db    0
		db  15h
		db  1Ah
		db  20h
		db    0
		db  46h	; F
		db  46h	; F
		db  46h	; F
		db    0
		db 0D2h	; 
		db  3Eh	; >
		db  2Dh	; -
		db    0
		db    1
		db  65h	; e
		db  53h	; S
		db    0
		db    5
		db  35h	; 5
		db 0B2h	; 
		db    0
		db  7Eh	; ~
		db  7Eh	; ~
		db  7Eh	; ~
		db    0
		db    0
		db  92h	; 
		db  89h	; 
		db    0
		db 0FCh	; 
		db  7Fh	; 
		db  5Eh	; ^
		db    0
		db  20h
		db  6Bh	; k
		db 0F7h	; 
		db    0
		db 0FFh
		db 0A6h	; 
		db  8Dh	; 
		db    0
		db    4
		db 0DCh	; 
		db  8Eh	; 
		db    0
		db  1Bh
		db 0BCh	; 
		db 0F3h	; 
		db    0
		db 0BCh	; 
		db 0BCh	; 
		db 0BCh	; 
		db    0
		db 0FCh	; 
		db 0FCh	; 
		db 0FCh	; 
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db    0
_BvgaTerminalBkgdColor dd 28h		; DATA XREF: BvgaSolidColorFill(x,x,x,x,x)+39w
					; FadePalette(x)+5Co
_BvgaTerminalTextColor dd 25h		; DATA XREF: BvgaSetTextColor(x)+Ew
_BufferChunkSizeInBytes	dd 200000h	; DATA XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+8Cr
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+94w	...
_BufferChunkSizeInPages	dd 200h		; DATA XREF: IopLiveDumpGetCapturePages(x,x,x,x,x,x)+7r
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+9Cw	...
_KiVirtualHeteroClockRequest db	   0	; DATA XREF: KiSetVirtualHeteroClockIntervalRequest(x)+1Co
					; KiSetVirtualHeteroClockIntervalRequest(x)+3Bo
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
byte_6B65A4	db 0			; DATA XREF: KiSetVirtualHeteroClockIntervalRequest(x)+13r
					; KiSetVirtualHeteroClockIntervalRequest(x):loc_61B7C8r
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  51h	; Q
		db  6Fh	; o
		db  53h	; S
		db  75h	; u
_KiForceIdleUnparkRestoreMask db    1	; DATA XREF: KiForceIdleParkUnparkProcessor(x,x)+1Co
					; KiForceIdleParkUnparkProcessor(x,x):loc_62188Bo ...
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KiForceIdleSoftParkRestoreMask	db    1	; DATA XREF: KiForceIdleParkUnparkProcessor(x,x)+32o
					; KiForceIdleParkUnparkProcessor(x,x)+8Eo ...
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KiFreezeTimeout dd 28h			; DATA XREF: KeFreezeExecution(x,x)+1EDr
					; KeFreezeExecution(x,x)+1FAr
_KiNmiInProgress db    1
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B65D4	dd 0			; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+462r
unk_6B65D8	db    5			; DATA XREF: Ki386CheckDivideByZeroTrap(x)+10Fo
		db    4
		db  20h
		db    4
		db 0FFh
		db    4
		db 0FFh
		db    1
		db 0FFh
		db    4
		db 0FFh
		db    4
		db 0FFh
		db 0FFh
		db    0
		db    0
byte_6B65E8	db 40h			; DATA XREF: Ki386CheckDivideByZeroTrap(x)+31o
					; Ki386CheckDivideByZeroTrap(x)+169r ...
		db  3Ch	; <
		db  38h	; 8
		db  5Ch	; \
		db  74h	; t
		db  60h	; `
		db  58h	; X
		db  54h	; T
unk_6B65F0	db  40h	; @		; DATA XREF: Ki386CheckDivideByZeroTrap(x)+12Eo
		db  3Ch	; <
		db  38h	; 8
		db  5Ch	; \
		db  41h	; A
		db  3Dh	; =
		db  39h	; 9
		db  5Dh	; ]
_MmVerifierTrimFrequency dd 1		; DATA XREF: MmVerifierTrimMemory()+1Fr
					; VerifierInitSystem:loc_AE6A8Aw
_ViTrimSpaces	dd 1			; DATA XREF: MmVerifierTrimMemory()+54r
_PopDiagCachedAggregatorAction dd 6	; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+311w
_PopCachedValidBatteryCount dd 0FFFFFFFFh ; DATA XREF: PopBatteryApplyCompositeState+A03ABr
					; PopBatteryApplyCompositeState+A03CBw
_PpmParkNewSoftParkingMask dw 1		; DATA XREF: PpmParkReportParkedCores+129EB0o
					; PpmParkComputeDiff()+26w
word_6B660A	dw 1			; DATA XREF: PpmParkComputeDiff()+2Cw
dword_6B660C	dd 0			; DATA XREF: PpmParkComputeDiff()+32w
dword_6B6610	dd 0			; DATA XREF: PpmParkComputeDiff()+38w
					; PpmParkComputeDiff()+5Bw ...
_PpmParkSoftParkingMask	db    1		; DATA XREF: PpmParkReportParkedCores+129EB6o
					; PpmParkReportParkedCore(x)+60o ...
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_PpmPerfNewUnparkedMask	dw 1		; DATA XREF: PpmParkReportUnparkedCores:loc_5B85DAo
					; PpmParkUnblockIdle+129F80o ...
word_6B6622	dw 1			; DATA XREF: PpmParkUnblockIdle+12A061w
dword_6B6624	dd 0			; DATA XREF: PpmParkUnblockIdle:loc_5B8884w
dword_6B6628	dd 0			; DATA XREF: PpmParkReportUnparkedCores+129E32r
					; PpmParkReportUnparkedCores+129E77r ...
_PpmPerfReportedCoreParkingMask	db    1	; DATA XREF: PpmParkReportMask+12A06Fo
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B6634	dd 0			; DATA XREF: PpmParkReportMask+12A055r
_PpmPerfChangedCoreParkingMask db    1	; DATA XREF: PpmParkReportUnparkedCores+129E1Fo
					; PpmParkReportParkedCores+129E95o ...
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_PpmPerfNewCoreParkingMask dw 1		; DATA XREF: PpmParkReportUnparkedCores+129E1Ao
					; PpmParkReportParkedCores+129E8Eo ...
word_6B6646	dw 1			; DATA XREF: PpmParkComputeDiff()+1Aw
dword_6B6648	dd 0			; DATA XREF: PpmParkComputeDiff()+5w
dword_6B664C	dd 0			; DATA XREF: PpmParkComputeDiff()+20w
					; PpmParkComputeDiff()+4Dw
_PspLastUpdateAffinityMask db	 1	; DATA XREF: PspSetProcessAffinityUpdateMode(x,x)+CFo
					; PsUpdateActiveProcessAffinity()+22o ...
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B6658	dd 0			; DATA XREF: PspSetProcessAffinityUpdateMode(x,x)+C6r
_TelemetryEventThrottle	dw 1		; DATA XREF: RtlpLogCapabilityCheckLatency(x,x,x,x,x,x)+6Aw
					; RtlpLogCapabilityCheckLatency(x,x,x,x,x,x)+163o
		align 10h
aDeallocated:				; DATA XREF: SepGetSidManagementActionName(x,x)+22o
		unicode	0, <Deallocated>,0
aAssignedNewOwn:			; DATA XREF: SepGetSidManagementActionName(x,x)+52o
		unicode	0, <Assigned New Own>,0
		align 4
aAssignedNewSha:			; DATA XREF: SepGetSidManagementActionName(x,x)+5Eo
		unicode	0, <Assigned New Shared>,0
off_6B66C4	dd offset unk_6E0055	; DATA XREF: SepGetSidManagementActionName(x,x)+3Ao
aAssignedFromTo:
		unicode	0, <assigned from Token>,0
off_6B66F0	dd offset unk_6E0055	; DATA XREF: SepGetSidManagementActionName(x,x)+2Eo
aAssignedFromLo:
		unicode	0, <assigned from Logon	Session>,0
aAssignedExisti:			; DATA XREF: SepGetSidManagementActionName(x,x)+46o
		unicode	0, <Assigned Existing Shared>,0
		align 10h
_SepAdtLastAuditFailStatus dd 0C00000E5h ; DATA	XREF: SepAdtLogAuditRecord(x)+1CFw
					; SepAdtLogAuditRecord(x)+204r	...
; unsigned char	(* `public: static enum	 _ST_COMPACTION_CHECK_RESULT __stdcall ST_STORE<struct SM_TRAITS>::StDmCheckForCompaction(struct ST_STORE<struct SM_TRAITS>::_ST_DATA_MGR *, unsigned long)'::`2'::ThresholdShiftTableFile)[2]
?ThresholdShiftTableFile@?1??StDmCheckForCompaction@?$ST_STORE@USM_TRAITS@@@@SG?AW4_ST_COMPACTION_CHECK_RESULT@@PAU_ST_DATA_MGR@2@K@Z@4PAY01EA db    3
					; DATA XREF: ST_STORE_SM_TRAITS___StDmCheckForCompaction:loc_5C718Co
		db    4
		db    0
		db  1Fh
unk_6B6768	db  28h	; (		; DATA XREF: SmKmSqmAddToStream(x,x,x,x,x)+7Fo
		db 0BAh	; 
		db 0BAh	; 
		db  95h	; 
		db  26h	; &
		db 0EDh	; 
		db 0C9h	; 
		db  49h	; I
		db 0B7h	; 
		db  4Fh	; O
		db  93h	; 
		db 0B1h	; 
		db  70h	; p
		db 0E1h	; 
		db 0B8h	; 
		db  49h	; I
_VfFaultInjectionMaxProbability	dd 2710h ; DATA	XREF: VfFaultsInjectResourceFailure(x)+81r
					; VfFaultsSetParameters(x)+52w	...
_ViPendingProbability dd 32h		; DATA XREF: VfPendingShouldForce(x,x,x,x,x,x)+6Ar
_VfForcedPendingLogLength dd 1000h	; DATA XREF: VfPendingCheckForChanges(x)+17r
					; VfPendingCheckForChanges(x)+1Fw ...
unk_6B6784	db 0FFh			; DATA XREF: VfCheckImageCompliance(x)+149o
					; VfCheckImageCompliance(x)+16Bo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6788	db 0FFh			; DATA XREF: VfCheckImageCompliance(x)+1EBo
					; VfCheckImageCompliance(x)+207o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B678C	db 0FFh			; DATA XREF: VfCheckPagePriority(x,x)+1Fo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6790	db 0FFh			; DATA XREF: VfCheckImageCompliance(x)+C3o
					; VfCheckImageCompliance(x)+CDo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6794	db 0FFh			; DATA XREF: VfCheckPageProtection(x,x)+1Co
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6798	db 0FFh			; DATA XREF: VfCheckPoolType(x,x,x)+38o
					; VfCheckPoolType(x,x,x)+49o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B679C	db 0FFh			; DATA XREF: ViCopyDeviceDescription(x,x,x)+14o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67A0	db 0FFh			; DATA XREF: VfMapTransferEx(x,x,x,x,x,x,x,x,x,x,x,x)+51o
					; VfMapTransferEx(x,x,x,x,x,x,x,x,x,x,x,x)+5Bo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67A4	db 0FFh			; DATA XREF: VERIFY_BUFFER_LOCKED(x)+28o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67A8	db 0FFh			; DATA XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+325o
					; VfGetScatterGatherList(x,x,x,x,x,x,x,x)+32Fo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67AC	db 0FFh			; DATA XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+2A3o
					; VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+2ADo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67B0	db 0FFh			; DATA XREF: INCREASE_MAPPED_TRANSFER_BYTE_COUNT(x,x,x)+27o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67B4	db 0FFh			; DATA XREF: SUBTRACT_MAP_REGISTERS(x,x)+1Co
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67B8	db 0FFh			; DATA XREF: DECREMENT_COMMON_BUFFERS(x)+1Do
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67BC	db 0FFh			; DATA XREF: DECREMENT_ADAPTER_CHANNELS(x)+21o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67C0	db 0FFh			; DATA XREF: DECREMENT_SCATTER_GATHER_LISTS(x)+1Bo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67C4	db 0FFh			; DATA XREF: INCREMENT_ADAPTER_CHANNELS(x)+26o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67C8	db 0FFh			; DATA XREF: VF_ASSERT_IRQL(x)+1Do
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67CC	db 0FFh			; DATA XREF: VF_ASSERT_MAX_IRQL(x)+Fo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67D0	db 0FFh			; DATA XREF: ViGetMdlBufferSa(x,x)+76o
					; ViGetMdlBufferSa(x,x)+80o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67D4	db 0FFh			; DATA XREF: ViGetMdlBufferSa(x,x)+45o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67D8	db 0FFh			; DATA XREF: ADD_MAP_REGISTERS(x,x,x)+67o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67DC	db 0FFh			; DATA XREF: ADD_MAP_REGISTERS(x,x,x)+2Do
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67E0	db 0FFh			; DATA XREF: ViCheckTag(x,x,x,x)+37o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67E4	db 0FFh			; DATA XREF: ViCheckTag(x,x,x,x)+8Bo
					; ViCheckTag(x,x,x,x)+95o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67E8	db 0FFh			; DATA XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+10Ao
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67EC	db 0FFh			; DATA XREF: ViCheckPadding(x,x,x,x)+100o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67F0	db 0FFh			; DATA XREF: ViCheckPadding(x,x,x,x)+34o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67F4	db 0FFh			; DATA XREF: ViCheckPadding(x,x,x,x)+CBo
					; ViCheckPadding(x,x,x,x)+D5o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67F8	db 0FFh			; DATA XREF: ViMapDoubleBuffer(x,x,x,x,x)+1D8o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B67FC	db 0FFh			; DATA XREF: ViMapDoubleBuffer(x,x,x,x,x)+220o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6800	db 0FFh			; DATA XREF: ViMapDoubleBuffer(x,x,x,x,x)+7Bo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6804	db 0FFh			; DATA XREF: ViMapDoubleBuffer(x,x,x,x,x)+A9o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6808	db 0FFh			; DATA XREF: ViFlushDoubleBuffer(x,x,x,x,x)+BCo
					; ViFlushDoubleBuffer(x,x,x,x,x)+C6o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B680C	db 0FFh			; DATA XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+9Eo
					; ViAllocateMapRegistersFromFile(x,x,x,x,x)+B0o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6810	db 0FFh			; DATA XREF: ViFlushDoubleBuffer(x,x,x,x,x)+3Eo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6814	db 0FFh			; DATA XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+7Do
					; VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+87o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6818	db 0FFh			; DATA XREF: VfMapTransfer(x,x,x,x,x,x)+69o
					; VfMapTransfer(x,x,x,x,x,x)+73o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B681C	db 0FFh			; DATA XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+7Do
					; VfGetScatterGatherList(x,x,x,x,x,x,x,x)+87o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6820	db 0FFh			; DATA XREF: ViMapDoubleBuffer(x,x,x,x,x)+21o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6824	db 0FFh			; DATA XREF: VfLegacyGetAdapter(x,x)+3Fo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6828	db 0FFh			; DATA XREF: VfPutDmaAdapter(x)+AAo
					; VfPutDmaAdapter(x)+BFo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B682C	db 0FFh			; DATA XREF: VfPutDmaAdapter(x)+E5o
					; VfPutDmaAdapter(x)+FAo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6830	db 0FFh			; DATA XREF: VfPutDmaAdapter(x)+6Eo
					; VfPutDmaAdapter(x)+78o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6834	db 0FFh			; DATA XREF: VfFlushAdapterBuffers(x,x,x,x,x,x)+89o
					; VfFlushAdapterBuffers(x,x,x,x,x,x)+98o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6838	db 0FFh			; DATA XREF: VfPutDmaAdapter(x)+11Bo
					; VfPutDmaAdapter(x)+125o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B683C	db 0FFh			; DATA XREF: VfPutDmaAdapter(x)+14Do
					; VfPutDmaAdapter(x)+157o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6840	db 0FFh			; DATA XREF: ViReleaseDmaAdapter(x)+ABo
					; ViReleaseDmaAdapter(x)+B5o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6844	db 0FFh			; DATA XREF: ViGetAdapterInformationInternal(x,x)+C0o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6848	db 0FFh			; DATA XREF: ViGetRealDmaOperation(x,x)+16o
		db 0FFh
		db 0FFh
		db 0FFh
_ViInternalTriageRules db  0Ah		; DATA XREF: VfTriageSystem+1A3DCo
					; VfTriageSystem+1A40Eo
		db    0
		db    1
		db    0
		db  91h	; 
		db    0
		db    0
		db    0
		db 0D1h	; 
		db    0
		db    1
		db    0
		db  91h	; 
		db    0
		db    0
		db    0
		db  19h
		db    0
		db    1
		db    0
		db  91h	; 
		db    0
		db    0
		db    0
		db 0C2h	; 
		db    0
		db    1
		db    0
		db  91h	; 
		db    0
		db    0
		db    0
		db 0C5h	; 
		db    0
		db    1
		db    0
		db  91h	; 
		db    0
		db    0
		db    0
		db 0D0h	; 
		db    0
		db    1
		db    0
		db  91h	; 
		db    0
		db    0
		db    0
unk_6B687C	db 0FFh			; DATA XREF: ViDeadlockRemoveResource(x,x,x)+4Bo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6880	db 0FFh			; DATA XREF: VfDeadlockReleaseResource(x,x,x,x)+26Do
					; VfDeadlockReleaseResource(x,x,x,x)+28Bo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6884	db 0FFh			; DATA XREF: ViDeadlockRemoveThread(x,x)+3Ao
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6888	db 0FFh			; DATA XREF: ViDeadlockAddResource(x,x,x,x,x,x)+7Bo
					; ViDeadlockAddResource(x,x,x,x,x,x)+85o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B688C	db 0FFh			; DATA XREF: ViDeadlockAddResource(x,x,x,x,x,x)+47o
					; ViDeadlockAddResource(x,x,x,x,x,x)+51o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6890	db 0FFh			; DATA XREF: VfDeadlockReleaseResource(x,x,x,x)+1A2o
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6894	db 0FFh			; DATA XREF: VfDeadlockReleaseResource(x,x,x,x)+157o
					; VfDeadlockReleaseResource(x,x,x,x)+16Co
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B6898	db 0FFh			; DATA XREF: VfDeadlockAcquireResource(x,x,x,x,x)+206o
					; VfDeadlockAcquireResource(x,x,x,x,x)+21Do
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B689C	db 0FFh			; DATA XREF: VfDeadlockAcquireResource(x,x,x,x,x)+2AEo
					; VfDeadlockAcquireResource(x,x,x,x,x)+2BDo
		db 0FFh
		db 0FFh
		db 0FFh
unk_6B68A0	db 0FFh			; DATA XREF: ViDeadlockAnalyze(x,x,x,x,x)+19Co
		db 0FFh
		db 0FFh
		db 0FFh
_EtwpExecutiveResourceContentionSampleRate dd 1
					; DATA XREF: PerfLogExecutiveResourceRelease(x,x,x,x)+10Cr
					; PerfLogExecutiveResourceRelease(x,x,x,x)+123r ...
_EtwpExecutiveResourceTimeout dd 1	; DATA XREF: PerfLogExecutiveResourceWait(x,x,x)+CDr
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+379r ...
_EtwpExecutiveResourceReleaseSampleRate	dd 3E8h
					; DATA XREF: PerfLogExecutiveResourceRelease(x,x,x,x)+13Br
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+369r ...
_EtwpStackMatchId dd 1			; DATA XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+97o
					; EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x):loc_67BD3Fr ...
dword_6B68B4	dd 0			; DATA XREF: EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+A6r
					; EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)+124r ...
_ExShortTime	db  60h	; `		; DATA XREF: ExpExpandResourceOwnerTable:loc_5C886Ao
		db  79h	; y
		db 0FEh	; 
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
; void ExpUnknownDeviceGuid
_ExpUnknownDeviceGuid db 0C5h ;		; DATA XREF: ExpIsDevicePathForRemovableMedia(x)+31o
		db 0FAh	; 
		db  31h	; 1
		db 0CFh	; 
		db  4Eh	; N
		db 0C2h	; 
		db 0D2h	; 
		db  11h
		db  85h	; 
		db 0F3h	; 
		db    0
		db 0A0h	; 
		db 0C9h	; 
		db  3Eh	; >
		db 0C9h	; 
		db  3Bh	; ;
_CMFFirstAccess	db 1			; DATA XREF: NtMapCMFModule(x,x,x,x,x,x)+32Er
					; NtMapCMFModule(x,x,x,x,x,x)+33Fw
		align 4
_CMFCacheIndex	dd 2710h		; DATA XREF: CMFFlushHitsFile(x,x):loc_A101E0r
					; CMFSystemThreadRoutine(x)+50Dr ...
_WheapPolicyIgnoreDummyWrite db	1	; DATA XREF: WheaReportHwError(x):loc_690233r
					; WheaReportHwError(x)+360w ...
		align 4
_WheapPolicyCmciThresholdTime dd 3Ch	; DATA XREF: PAGE:00A12A68w
					; WheapGetPolicyValue(x,x):loc_A12C2Dr	...
_WheapPolicyCmciThresholdPollCount dd 0FFFFFFFFh ; DATA	XREF: PAGE:00A12A7Ew
					; WheapGetPolicyValue(x,x):loc_A12C34r	...
		align 8
_WheapPolicyMemPfaTimeout dd 2A69C000h	; DATA XREF: PAGE:00A129D2w
					; WheapGetPolicyValue(x,x)+54r	...
dword_6B68EC	dd 0C9h			; DATA XREF: PAGE:00A129D7w
					; WheapGetPolicyValue(x,x)+4Er	...
_WheapPolicyCmciThresholdCount dd 64h	; DATA XREF: PAGE:00A12A52w
					; WheapGetPolicyValue(x,x):loc_A12C26r	...
word_6B68F4	dw 6029h		; DATA XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x):loc_A1FDFEr
					; SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+B8r
word_6B68F6	dw 6029h		; DATA XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+5Dr
		db  2Ah	; *
		db  60h	; `
		db  2Ah	; *
		db  60h	; `
		db  45h	; E
		db  40h	; @
		db  45h	; E
		db  40h	; @
		db  2Bh	; +
		db  60h	; `
		db  2Bh	; +
		db  60h	; `
		db  14h
		db  50h	; P
		db  14h
		db  50h	; P
		db  15h
		db  50h	; P
		db  14h
		db  50h	; P
		db  16h
		db  50h	; P
		db  14h
		db  50h	; P
		db  17h
		db  50h	; P
		db  17h
		db  50h	; P
		db  18h
		db  50h	; P
		db  17h
		db  50h	; P
		db  19h
		db  50h	; P
		db  17h
		db  50h	; P
		db    0
		db    0
		db    0
		db    0
_g_rgAttributeTags db	 1
		db  40h	; @
		db    0
		db    0
unk_6B6924	db    0			; DATA XREF: SdbpCheckAllAttributes(x,x,x,x,x):loc_A216B6o
		db    0
		db    0
		db    0
		db  20h
		db  50h	; P
		db    0
		db    0
		db  20h
		db    0
		db    0
		db    0
		db  43h	; C
		db  40h	; @
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    3
		db  40h	; @
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    2
		db  50h	; P
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db    3
		db  50h	; P
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db  11h
		db  60h	; `
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db  12h
		db  60h	; `
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    9
		db  60h	; `
		db    0
		db    0
		db    7
		db    0
		db    0
		db    0
		db  10h
		db  60h	; `
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db  13h
		db  60h	; `
		db    0
		db    0
		db    9
		db    0
		db    0
		db    0
		db  14h
		db  60h	; `
		db    0
		db    0
		db  0Ah
		db    0
		db    0
		db    0
		db  15h
		db  60h	; `
		db    0
		db    0
		db  0Bh
		db    0
		db    0
		db    0
		db  16h
		db  60h	; `
		db    0
		db    0
		db  0Ch
		db    0
		db    0
		db    0
		db    7
		db  40h	; @
		db    0
		db    0
		db  0Dh
		db    0
		db    0
		db    0
		db    8
		db  40h	; @
		db    0
		db    0
		db  0Eh
		db    0
		db    0
		db    0
		db    9
		db  40h	; @
		db    0
		db    0
		db  0Fh
		db    0
		db    0
		db    0
		db  0Ah
		db  40h	; @
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		db    6
		db  40h	; @
		db    0
		db    0
		db  11h
		db    0
		db    0
		db    0
		db  0Bh
		db  40h	; @
		db    0
		db    0
		db  12h
		db    0
		db    0
		db    0
		db  1Ch
		db  40h	; @
		db    0
		db    0
		db  13h
		db    0
		db    0
		db    0
		db  17h
		db  60h	; `
		db    0
		db    0
		db  14h
		db    0
		db    0
		db    0
		db  20h
		db  60h	; `
		db    0
		db    0
		db  15h
		db    0
		db    0
		db    0
		db  13h
		db  50h	; P
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db  12h
		db  50h	; P
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db  0Dh
		db  50h	; P
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db    6
		db  50h	; P
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db  1Dh
		db  40h	; @
		db    0
		db    0
		db  16h
		db    0
		db    0
		db    0
		db  33h	; 3
		db  40h	; @
		db    0
		db    0
		db  16h
		db    0
		db    0
		db    0
		db  1Eh
		db  40h	; @
		db    0
		db    0
		db  16h
		db    0
		db    0
		db    0
		db  24h	; $
		db  60h	; `
		db    0
		db    0
		db  17h
		db    0
		db    0
		db    0
		db  12h
		db  40h	; @
		db    0
		db    0
		db  18h
		db    0
		db    0
		db    0
		db  31h	; 1
		db  40h	; @
		db    0
		db    0
		db  19h
		db    0
		db    0
		db    0
		db  4Ah	; J
		db  40h	; @
		db    0
		db    0
		db  1Ah
		db    0
		db    0
		db    0
		db  46h	; F
		db  60h	; `
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db  44h	; D
		db  60h	; `
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db  47h	; G
		db  60h	; `
		db    0
		db    0
		db    9
		db    0
		db    0
		db    0
		db  45h	; E
		db  60h	; `
		db    0
		db    0
		db    9
		db    0
		db    0
		db    0
unk_6B6A50	db 0FFh			; DATA XREF: ConstraintEval:loc_8F542Bo
		db    0
		db    0
		db    0
_TriageImagePageSize dd	0FFFFFFFFh	; DATA XREF: TriageGetLoaderEntry(x,x)+11r
					; TriageGetMmInformation(x)+Er	...
		align 10h
___fastflag	dd 0			; DATA XREF: sub_58302F:loc_58304Cr
					; sub_58302F:loc_5830A1r ...
dword_6B6A64	dd 0			; DATA XREF: __get_printf_count_output+Br
_g_SymCryptCpuFeaturesPresentCheck dd 0	; DATA XREF: SymCryptInitEnvCommon(x)+41w
_g_SymCryptFlags db 0			; DATA XREF: SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)+2Er
					; SymCryptInitEnvCommon(x)+1Co
		align 10h
_gbl_errno	dd 0			; DATA XREF: strtoxlX+195w
					; strtoxq:loc_582E72w ...
		align 10h
_g_SymCryptCpuid1 db	0		; DATA XREF: .text:0058FA59o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_SbiVmbusArrivalEvent db    0		; DATA XREF: SbpVmbusNotificationHandler(x,x)+21o
					; SbpWaitForVmbus()+Do
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_UartHardwareDriver dd 0		; DATA XREF: InbvPortGetByte(x,x)+30r
					; InbvPortInitialize(x,x,x,x,x,x,x,x)+6Dw ...
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUwverxvhUwiewyUpnlwvUlyquivUrDIGUkivxlnkOlyq@drvdb db    0
		db    0
		db    0
		db    0
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUwverxvhUkmkigoUmgkmkUpnlwvUlyquivUrDIGUkivxlnkOlyq@ntpnp db	   0
		db    0
		db    0
		db    0
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUwverxvhUkmkigoUivtigoUpnlwvUlyquivUrDIGUkivxlnkOlyq@regrtl db    0
		db    0
		db    0
		db    0
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUwverxvhUkmkigoUhbhxgcUpnlwvUlyquivUrDIGUkivxlnkOlyq@sysctx db    0
		db    0
		db    0
		db    0
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUwverxvhUkmkigoUkmkigoUpnlwvUlyquivUrDIGUkivxlnkOlyq@pnprtl db    0
		db    0
		db    0
		db    0
_RasterizerInitialized db 0		; DATA XREF: ResFwFreeContext+1Ar
					; AnFwpDisableProgressTimer()+43r ...
		align 10h
_RaspBitmapCache dd 0			; DATA XREF: BgpRasPrintGlyph+C3o
					; RaspGetXExtent+61o ...
dword_6B6AC4	dd 0			; DATA XREF: BgpRasInitializeRasterizer(x)+192w
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_6B6ADC	dd 0			; DATA XREF: BgpRasInitializeRasterizer(x)+19Cw
dword_6B6AE0	dd 0			; DATA XREF: RaspClearCache(x)+2Fw
					; BgpRasInitializeRasterizer(x)+186w
		align 8
_BcpLastProgressUpdateTicks dd 0	; DATA XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+66r
					; BgpFwDisplayBugCheckProgressUpdate(x,x,x)+18Fw ...
dword_6B6AEC	dd 0			; DATA XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+6Dr
					; BgpFwDisplayBugCheckProgressUpdate(x,x,x)+194w ...
_BcpStartTicks	dd 0			; DATA XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+54r
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+2D0w
dword_6B6AF4	dd 0			; DATA XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+60r
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+2D5w
		align 10h
_BcpErrorMessageOffset dd 0		; DATA XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+206o
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+235r
dword_6B6B04	dd 0			; DATA XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+247r
dword_6B6B08	dd 0			; DATA XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+253r
		align 10h
_BcpProgressEnd	dd 0			; DATA XREF: BcpCursorLessThan(x,x)+Fr
					; BcpDisplayProgress(x,x)+172o	...
dword_6B6B14	dd 0			; DATA XREF: BcpCursorLessThan(x,x)+3r
					; BcpGetComponentOffsets(x,x,x,x,x,x)+8Cr
		align 10h
_BcpWorkspace	dd 0			; DATA XREF: BgpFoGetStringAdvanceWidth(x,x,x,x,x):loc_699174o
					; BcpDisplayCriticalCharacter(x,x,x)+34o ...
dword_6B6B24	dd 0			; DATA XREF: BgpBcInitializeCriticalMode+2A5w
dword_6B6B28	dd 0			; DATA XREF: BgpBcInitializeCriticalMode+288w
		align 10h
_BcpProgressOffset dd 0			; DATA XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+14Fr
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+217o ...
dword_6B6B34	dd 0			; DATA XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+161r
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+2A8r
dword_6B6B38	dd 0			; DATA XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x)+16Dr
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+2B2r
_BcpLastProgressDisplayed dd 0		; DATA XREF: BgpFwDisplayBugCheckProgressUpdate(x,x,x):loc_699E50r
					; BgpFwDisplayBugCheckProgressUpdate(x,x,x)+19Aw ...
_FopFontFileListHead dd	0		; DATA XREF: BgpFoGetFontHandle+2Er
					; BgpFoGetFontHandle+34o ...
dword_6B6B44	dd 0			; DATA XREF: BgpFoInitialize+26w
_FontLibraryInitialized	db 0		; DATA XREF: BgpFoGetFontHandle+1Dr
					; TxtpAddCacheEntry+E8Ar ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_BgInternal	dw 0			; DATA XREF: BgpFwLibraryEnable+57o
					; GxpWriteFrameBufferPixels+EDr ...
byte_6B6B62	db 0			; DATA XREF: GxpWriteFrameBufferPixels+126r
					; GxpAdjustRectangleToFrameBuffer+8r ...
		align 4
dword_6B6B64	dd 0			; DATA XREF: BgpGetResolution()+10r
					; GxpWriteFrameBufferPixels+76r ...
dword_6B6B68	dd 0			; DATA XREF: BgpGetResolution()+8r
					; GxpWriteFrameBufferPixels+6Br ...
dword_6B6B6C	dd 0			; DATA XREF: BgpGetResolution()+19r
					; GxpWriteFrameBufferPixels+81r ...
dword_6B6B70	dd 0			; DATA XREF: BgpFwLibraryEnable+5Er
					; BgpGetBitsPerPixel()r ...
		align 8
dword_6B6B78	dd 0			; DATA XREF: GxpWriteFrameBufferPixels+131r
					; GxpWriteFrameBufferPixels:loc_5E1414r ...
dword_6B6B7C	dd 0			; DATA XREF: BgpFwLibraryEnable+33r
					; BgpFwLibraryEnable+C0r ...
dword_6B6B80	dd 0			; DATA XREF: BgpFwLibraryEnable+87E86r
					; BgpFwLibraryEnable+87ECDr
dword_6B6B84	dd 0			; DATA XREF: BgpFwLibraryEnable:loc_5E1167r
					; BgpFwLibraryEnable+87EDCr
dword_6B6B88	dd 0			; DATA XREF: BgpFwLibraryEnable+87E80r
					; BgpFwLibraryEnable+87E95r ...
dword_6B6B8C	dd 0			; DATA XREF: BgpFwLibraryEnable+87E69r
					; BgpFwLibraryEnable+87EBEr
		db    0
		db    0
		db    0
		db    0
dword_6B6B94	dd 0			; DATA XREF: BgpFwLibraryEnable+87EA0r
					; BgpFwLibraryEnable+87EF7r ...
dword_6B6B98	dd 0			; DATA XREF: BgpFwQueryBootGraphicsInformation+1Do
					; BgpFwSetBootGraphicsInformation(x,x)+16o ...
dword_6B6B9C	dd 0			; DATA XREF: BgpFwLibraryInitialize+1C0w
dword_6B6BA0	dd 0			; DATA XREF: BgpFwLibraryInitialize+1A7w
dword_6B6BA4	dd 0			; DATA XREF: BgpFwLibraryInitialize+1B1w
dword_6B6BA8	dd 0			; DATA XREF: BgpFwLibraryInitialize+1BBw
		align 10h
dword_6B6BB0	dd 0			; DATA XREF: BgpFwLibraryInitialize+1DAw
					; TxtpAddCacheEntry:loc_A78171w ...
		align 8
dword_6B6BB8	dd 0			; DATA XREF: BgLibraryEnable+28r
					; BgpFwLibraryEnable+9r ...
dword_6B6BBC	dd 0			; DATA XREF: BgpFwLibraryInitialize+550w
					; AnFwpFadeAnimationTimer+54r
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
; char dword_6B6BD4
dword_6B6BD4	dd 0			; DATA XREF: ResFwGetContext+2Br
					; AnFwDisplayFade+519w	...
; char dword_6B6BD8
dword_6B6BD8	dd 0			; DATA XREF: ResFwGetContext+25r
					; AnFwConfigureProgressResources(x)+93w ...
dword_6B6BDC	dd 0			; DATA XREF: AnFwConfigureProgressResources(x)+8Ew
dword_6B6BE0	dd 0			; DATA XREF: ResFwGetContext:loc_A74248r
					; AnFwConfigureProgressResources(x)+A1w
dword_6B6BE4	dd 0			; DATA XREF: ResFwGetContext+40r
					; ResFwConfigureDisplayStringResources+69w
dword_6B6BE8	dd 0			; DATA XREF: ResFwGetContext+9Cr
					; BgpFwLibraryInitialize+292w ...
unk_6B6BEC	db    0			; DATA XREF: TxtpAddCacheEntry:loc_A780C4o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
; void *dword_6B6BFC
dword_6B6BFC	dd 0			; DATA XREF: BgpFwQueryBootGraphicsInformation:loc_5E1AC4r
					; BgpFwQueryBootGraphicsInformation+85E04r ...
; void *dword_6B6C00
dword_6B6C00	dd ?			; DATA XREF: BgpFwQueryBootGraphicsInformation+85DD2r
					; BgpFwQueryBootGraphicsInformation:loc_5E1AD4r ...
; size_t dword_6B6C04
dword_6B6C04	dd ?			; DATA XREF: BgpFwQueryBootGraphicsInformation+85DBBr
					; BgpFwQueryBootGraphicsInformation+85DDFr ...
dword_6B6C08	dd ?			; DATA XREF: BgpFwLibraryInitialize+3FEw
					; AnFwDisplayFade+195r	...
dword_6B6C0C	dd ?			; DATA XREF: BgpFwLibraryInitialize+406w
					; AnFwDisplayFade+1B3r	...
dword_6B6C10	dd ?			; DATA XREF: AnFwDisplayFade+19Er
dword_6B6C14	dd ?			; DATA XREF: AnFwDisplayFade+1C3r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6B6C30	dd ?			; DATA XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x):loc_69A185r
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+27Cr ...
dword_6B6C34	dd ?			; DATA XREF: TxtpAddCacheEntry+1D32w
					; TxtpAddCacheEntry+1D5Er ...
		align 10h
dword_6B6C40	dd ?			; DATA XREF: BgpFwLibraryInitialize+571w
					; TxtpAddCacheEntry+2511r ...
dword_6B6C44	dd ?			; DATA XREF: BgpFwLibraryInitialize+57Cw
					; TxtpAddCacheEntry+2505r ...
dword_6B6C48	dd ?			; DATA XREF: BgConsoleGetInterface(x)+13r
					; BgpFwLibraryInitialize:loc_A753A1w ...
dword_6B6C4C	dd ?			; DATA XREF: BgpFwLibraryInitialize+2FDw
					; BgpFwLibraryInitialize+36Aw ...
dword_6B6C50	dd ?			; DATA XREF: BgpFwLibraryInitialize:loc_A752E7w
					; BgpFwLibraryInitialize+3B6w ...
dword_6B6C54	dd ?			; DATA XREF: ResFwFreeContext+76w
					; ResFwGetContext+D0r ...
dword_6B6C58	dd ?			; DATA XREF: ResFwFreeContext+80w
					; ResFwGetContext+DAr ...
dword_6B6C5C	dd ?			; DATA XREF: BgpFwAllocateMemory+CCr
					; BgpFwAllocateMemory+D5o ...
dword_6B6C60	dd ?			; DATA XREF: BgpFwLibraryInitialize+114w
unk_6B6C64	db    ?	;		; DATA XREF: BgpFwQueryBootGraphicsInformation+74o
					; BgpFwLibraryInitialize+1EDo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6B6CE4	dd ?			; DATA XREF: GxpWriteFrameBufferPixels:loc_559977r
					; BgfxGrowDirtyRect+76r ...
dword_6B6CE8	dd ?			; DATA XREF: BgpFwLibraryInitialize+4C4w
					; TxtpAddCacheEntry+ACCr ...
dword_6B6CEC	dd ?			; DATA XREF: BgfxGrowDirtyRect+17r
					; BgfxGrowDirtyRect+30r ...
dword_6B6CF0	dd ?			; DATA XREF: BgfxGrowDirtyRect+Br
					; BgfxGrowDirtyRect+84r ...
byte_6B6CF4	db ?			; DATA XREF: ResFwConfigureDisplayStringResources+2Cr
					; BgpFwLibraryInitialize+4A0o ...
		align 4
dword_6B6CF8	dd ?			; DATA XREF: AnFwConfigureProgressResources(x)+3Fr
					; AnFwDisplayFade+2D1r	...
dword_6B6CFC	dd ?			; DATA XREF: AnFwConfigureProgressResources(x)+4Ar
					; TxtpAddCacheEntry+1A89r
_BcdMutantHandle dd ?			; DATA XREF: BiReleaseBcdSyncMutant(x)+4r
					; BiAcquireBcdSyncMutant+Dr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AdtpSourceModuleLock db    ? ;		; DATA XREF: AdtpObjsInitialize+1Co
					; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+1EDo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AdtpAccessIdsStringBuffer db	 ? ;	; DATA XREF: AdtpObjsInitialize+45o
					; AdtpObjsInitialize+9Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6B6E75	db    ?	;		; DATA XREF: INIT:00AFCB6Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AdtpSourceModules dd ?			; DATA XREF: AdtpObjsInitialize+39w
					; AdtpObjsInitialize+1D0r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AdtpEventIdStringStandard db	 ? ;	; DATA XREF: AdtpObjsInitialize+51o
					; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+133o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6B6FC8	db    ?	;		; DATA XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+185o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AdtpEventIdStringSpecific db	 ? ;	; DATA XREF: AdtpObjsInitialize+A3o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AdtpKnownPrivilege dd ?		; DATA XREF: AdtpDbInitializePrivilegeObject()+Eo
					; AdtpLookupKnownPrivilegeNameQuickly(x,x)+1Ar
dword_6B7064	dd ?			; DATA XREF: AdtpLookupKnownPrivilegeNameQuickly(x,x)+22r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AdtpWellKnownPrivilegeMaxLen dw ?	; DATA XREF: AdtpDbInitializePrivilegeObject()+8w
					; AdtpDbInitializePrivilegeObject()+2Dr ...
		align 4
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUzkkxlnkzgUhszivwUorypUlyquivUrDIGUxlnkzghszivwxlivkOlyq@compatsharedcorek db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_g_AslLogPfnVPrintf dd ?		; DATA XREF: AslLogCallPrintf+5r
_g_ExpandCallback dd ?			; DATA XREF: SdbpOpenCompressedDatabase(x,x,x)+1Fr
					; SdbpOpenCompressedDatabase(x,x,x)+E1r
_g_ExpectedAlgorithm dd	?		; DATA XREF: SdbpOpenCompressedDatabase(x,x,x)+7Dr
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUzkkxlnkzgUhwyzkrUorypUlyquivUrDIGUhwyzkrkOlyq@sdbapik db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6B72C0	db    ?	;		; DATA XREF: sub_787DE0+759o
					; sub_787DE0+7EFo ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6B72C4	dd ?			; DATA XREF: sub_A1894B+110r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6B72E0	db    ?	;		; DATA XREF: sub_787DE0+725o
					; sub_787DE0+8E8o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUzkknlwvoUfmolxpUpvimvoUlyquivUrDIGUpkivxlnkOlyq@KAppModelUnlock db	  ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_WheapDispatchPtr dd ?			; DATA XREF: WheaWmiInit()+8o
					; WheaWmiInit()+Dw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WheapLiveDumpLock dd ?			; DATA XREF: WheapCreateLiveDumpFromPreviousSession(x):loc_730D19o
					; WheapSaveRecordForLiveDump(x)+69o ...
dword_6B7324	dd ?			; DATA XREF: WheaInitializeServices()+2Fw
dword_6B7328	dd ?			; DATA XREF: WheaInitializeServices()+36w
unk_6B732C	db    ?	;		; DATA XREF: WheaInitializeServices()+3Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WheapLiveDumpRecordList dd ?		; DATA XREF: WheapSaveRecordForLiveDump(x)+7Ao
					; WheaCrashDumpInitializationComplete()+15o ...
dword_6B7344	dd ?			; DATA XREF: WheapSaveRecordForLiveDump(x)+75r
					; WheapSaveRecordForLiveDump(x)+91w ...
		align 10h
_WheapHighIrqlLogSelHandler dd ?	; DATA XREF: WheaHighIrqlLogSelEventHandlerRegister(x,x)+5r
					; WheaHighIrqlLogSelEventHandlerRegister(x,x)+19r ...
unk_6B7354	db    ?	;		; DATA XREF: WheaHighIrqlLogSelEventHandlerRegister(x,x)+3Eo
					; WheaHighIrqlLogSelEventHandlerUnregister()+12o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6B7358	dd ?			; DATA XREF: WheaHighIrqlLogSelEventHandlerRegister(x,x)+25w
					; WheaHighIrqlLogSelEventHandlerUnregister()+17w ...
dword_6B735C	dd ?			; DATA XREF: WheaHighIrqlLogSelEventHandlerRegister(x,x)+2Dw
					; WheaHighIrqlLogSelEventHandlerUnregister()+1Cw ...
_WheapIpmiLogEntryList dd ?		; DATA XREF: WheapInitializeEventing:loc_AD4A98w
					; WheapInitializeEventing+8Co
dword_6B7364	dd ?			; DATA XREF: WheapInitializeEventing+73w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void WheapIpmiLogEntry
_WheapIpmiLogEntry db	 ? ;		; DATA XREF: WheapInitializeEventing+6Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WheapEtwHandle	dd ?			; DATA XREF: WheaLogInternalEvent+81r
					; WheapGenerateETWEvents(x)+96r ...
dword_6B9384	dd ?			; DATA XREF: WheaLogInternalEvent+77r
					; WheapGenerateETWEvents(x)+8Dr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WheapDeferredEventBuffer dd ?		; DATA XREF: WheaLogInternalEvent+80F86r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WheapDeferredInternalLogsEventLock db	  ? ; ;	DATA XREF: WheaLogInternalEvent+80F5Fo
					; WheaLogInternalEvent+80FC5o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WheapSelBuffer	dd ?			; DATA XREF: WheapLogIpmiSELEvent(x,x,x)+3Dw
					; WheapLogIpmiSELEventHighIrql(x)+1Do
dword_6BA3C4	dd ?			; DATA XREF: WheapLogIpmiSELEvent(x,x,x)+51w
dword_6BA3C8	dd ?			; DATA XREF: WheapLogIpmiSELEvent(x,x,x)+47w
dword_6BA3CC	dd ?			; DATA XREF: WheapLogIpmiSELEvent(x,x,x)+5Bw
dword_6BA3D0	dd ?			; DATA XREF: WheapLogIpmiSELEvent(x,x,x)+60w
; void unk_6BA3D4
unk_6BA3D4	db    ?	;		; DATA XREF: WheapLogIpmiSELEvent(x,x,x)+1Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WheapDeferredInternalLogs dd ?		; DATA XREF: WheaLogInternalEvent+80F9Bo
					; PAGE:008B417Eo ...
dword_6BB3C4	dd ?			; DATA XREF: WheaLogInternalEvent+80FA8r
					; WheaLogInternalEvent+80FBDw ...
_WheapEventingInitialized dd ?		; DATA XREF: WheaLogInternalEvent+1Cr
					; WheaReportHwError(x)+30Fr ...
		align 10h
_WheapWaitingETWEvents dd ?		; DATA XREF: WheapProcessWorkQueueItem(x,x)+8Do
					; PAGE:008B413Do ...
dword_6BB3D4	dd ?			; DATA XREF: WheapProcessWorkQueueItem(x,x)+88r
					; WheapProcessWorkQueueItem(x,x)+A5w ...
		align 10h
_WheapWaitingETWEventLock db	? ;	; DATA XREF: WheapProcessWorkQueueItem(x,x)+79o
					; PAGE:008B4146o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WheapConfigTableLock dd ?		; DATA XREF: WheaConfigureErrorSource+1Bo
					; WheaConfigureErrorSource+2Fo	...
		align 8
_WheapPrevErrList dd ?			; DATA XREF: INIT:loc_AC42A7o
					; INIT:00AC42B2w
dword_6BB3FC	dd ?			; DATA XREF: INIT:00AC42ACw
; void WheapWorkQueue
_WheapWorkQueue	dd ?			; DATA XREF: WheapInitializeWorkQueue(x,x)+7o
					; WheapInitializeWorkQueue(x,x)+22w ...
dword_6BB404	dd ?			; DATA XREF: WheapInitializeWorkQueue(x,x)+1Cw
dword_6BB408	dd ?			; DATA XREF: WheapInitializeWorkQueue(x,x)+12w
		align 10h
unk_6BB410	db    ?	;		; DATA XREF: WheapInitializeWorkQueue(x,x)+2Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BB430	dd ?			; DATA XREF: WheapInitializeWorkQueue(x,x)+38w
		align 8
dword_6BB438	dd ?			; DATA XREF: WheapInitializeWorkQueue(x,x)+45w
dword_6BB43C	dd ?			; DATA XREF: WheapInitializeWorkQueue(x,x)+3Fw
dword_6BB440	dd ?			; DATA XREF: WheapInitializeWorkQueue(x,x)+4Fw
		align 10h
_WheapStatus	dd ?			; DATA XREF: WheaInitializeProcessor(x,x)+26w
					; INIT:00AC41B6o ...
dword_6BB454	dd ?			; DATA XREF: WheaInitializeProcessor(x,x)+31w
					; WheapQueryPshedForErrorSources+205AAw ...
dword_6BB458	dd ?			; DATA XREF: WheapQueryPshedForErrorSources+205C3w
_ExpCrossVmIntExtensionHostRoot	dd ?	; DATA XREF: ExpCrossVmWnfPush(x,x,x,x,x,x)+13r
_ExpCrossVmIntExtensionHostGuest dd ?	; DATA XREF: ExpWnfPopulateStateData:loc_7A232Dr
					; ExpCrossVmWnfPush(x,x,x,x,x,x)+6r
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUvcUnkUlyquivUrDIGUvckOlyq@ex db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_ExSaNonPagedSlotAllocator dd ?		; DATA XREF: ExpSaInitialize+39w
					; ExpSaInitialize+178w	...
_ExSaPageGroupDescriptorArrayLock dd ?	; DATA XREF: ExpSaInitialize+14w
					; ExpSaPageGroupDescriptorAllocate(x,x)+B8o ...
_ExSaPageGroupDescriptorArray dd ?	; DATA XREF: ExpSaInitialize+21w
					; ExpSaInitialize+53w ...
_ExSaPageArrays	dd ?			; DATA XREF: ExpSaInitialize+27w
					; ExpSaInitialize+AAw ...
_ExSaPagedSlotAllocator	dd ?		; DATA XREF: ExpSaInitialize+48w
					; ExpSaInitialize+1ADw	...
_ExpHpGCScheduledPaged dd ?		; DATA XREF: ExpHpCompactionRoutine(x)+15Cw
					; RtlpHpScheduleCompaction(x):loc_49E321o ...
_ExpHpGCScheduledNonPaged dd ?		; DATA XREF: ExpHpCompactionRoutine(x):loc_49CCEAw
					; RtlpHpScheduleCompaction(x)+2Co ...
_ExpHpGCInitialized dd ?		; DATA XREF: RtlpHpScheduleCompaction(x)+16r
					; ExpHeapGCInitialization()+40w
_ExpHpGCTimerPaged dd ?			; DATA XREF: RtlpHpScheduleCompaction(x)+60r
					; ExpHeapGCInitialization()+15w
_ExpHpGCTimerNonPaged dd ?		; DATA XREF: RtlpHpScheduleCompaction(x)+37r
					; ExpHeapGCInitialization()+29w
_ExpHpGCWorkItemPaged db    ? ;		; DATA XREF: ExpHpGCTimerCallback(x,x)+12o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpHpGCWorkItemNonPaged db    ? ;	; DATA XREF: ExpHpGCTimerCallback(x,x)+8o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpProfileStateMutex db    ? ;		; DATA XREF: NtStartProfile(x)+44o
					; NtStartProfile(x)+A4o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpCritSecOutOfMemoryEvent dd ?	; DATA XREF: NtReleaseKeyedEvent(x,x,x,x)+86r
					; NtWaitForKeyedEvent(x,x,x,x)+8Cr ...
		align 8
_ExpCovUnloadedModuleList dd ?		; DATA XREF: MiUnloadSystemImage+14B586r
					; MiUnloadSystemImage+14B591o ...
dword_6BB4EC	dd ?			; DATA XREF: ExpCovCreateUnloadedModuleEntry(x)+171r
					; ExpCovCreateUnloadedModuleEntry(x)+191w ...
_ExpCovPushLock	dd ?			; DATA XREF: MiUnloadSystemImage+14B57Co
					; MiUnloadSystemImage:loc_8DF6F4o ...
		align 8
_ExpTimeout	dd ?			; DATA XREF: ExpWaitForResource+A9r
					; ExpInitSystemPhase0()+1Dw
dword_6BB4FC	dd ?			; DATA XREF: ExpWaitForResource+B1r
					; ExpInitSystemPhase0()+7w
_ExpSecurityCookieRandomData dd	?	; DATA XREF: ExRngInitializeSystem+D3w
					; KiInitializeGSCookieValue()+2r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpLeftoverBootRngData	dd ?		; DATA XREF: .text:00485770r
					; .text:00485777o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpRemainingLeftoverBootRngData dd ?	; DATA XREF: .text:004856FBr
					; .text:0048577Ew ...
_ExpLFGRngLock	dd ?			; DATA XREF: .text:004856E8o
					; ExRngInitializeSystem+1Fw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpLFGRngState	db    ?	;		; DATA XREF: .text:0048570Bo
					; ExRngInitializeSystem+2Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpRNGAuxiliarySeed dd	?		; DATA XREF: .text:00485737r
					; INIT:00AF4010o
_ExpForceEnableMutantAutoboost dd ?	; DATA XREF: NtCreateMutant(x,x,x,x)+D2r
					; INIT:00AF3D88o
_ExpWorkerFactoryDeferredLongTimeout dd	?
					; DATA XREF: ExpSetWorkerFactoryDeferredCreateTimer:loc_8F89C6r
					; ExpWorkerFactoryInitialization+5Fw
dword_6BBA34	dd ?			; DATA XREF: ExpSetWorkerFactoryDeferredCreateTimer+11B037r
					; ExpWorkerFactoryInitialization+64w
_ExpWorkerFactoryDeferredMediumTimeout dd ?
					; DATA XREF: ExpSetWorkerFactoryDeferredCreateTimer:loc_7DDA08r
					; ExpWorkerFactoryInitialization+6Aw
dword_6BBA3C	dd ?			; DATA XREF: ExpSetWorkerFactoryDeferredCreateTimer+74r
					; ExpWorkerFactoryInitialization:loc_ADA1EFw
_ExpWorkerFactoryDeferredShortTimeout dd ?
					; DATA XREF: ExpSetWorkerFactoryDeferredCreateTimer+24r
					; ExpWorkerFactoryInitialization+74w
dword_6BBA44	dd ?			; DATA XREF: ExpSetWorkerFactoryDeferredCreateTimer+2Ar
					; ExpWorkerFactoryInitialization+4Fw
_ExpWorkerFactoryThreadCreationList dd ? ; DATA	XREF: ExpWorkerFactoryCheckCreate+26Do
					; ExpWorkerFactoryDeferredThreadCreation()+Ao ...
dword_6BBA4C	dd ?			; DATA XREF: ExpWorkerFactoryInitialization+84w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpWorkerFactoryThreadCreationTimer db	   ? ;
					; DATA XREF: ExpWorkerFactoryManagerThread+184o
					; ExpSetWorkerFactoryDeferredCreateTimer+5Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpWorkerFactoryThreadCreationBlock db	   ? ;
					; DATA XREF: ExpWorkerFactoryManagerThread+21o
					; ExpWorkerFactoryManagerThread+17Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpWorkerFactoryManagerQueue db    ? ;	; DATA XREF: ExpTryEnterWorkerFactoryAwayMode(x)+5Fo
					; ExpWorkerFactoryManagerThread+17o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpWorkerFactoryThreadCreationState dd	?
					; DATA XREF: ExpWorkerFactoryDeferredThreadCreation()+16w
					; ExpSetWorkerFactoryDeferredCreateTimer:loc_7DD9CDr ...
_ExpSvmWorkQueues dd ?			; DATA XREF: ExpSvmDpcRoutine(x,x,x,x)+Br
					; ExpSvmFaultRoutine(x)+5r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpSvmAgents	dd ?			; DATA XREF: ExpAllocateAsid():loc_68C051r
					; ExpAllocateAsid()+B3r ...
dword_6BBB04	dd ?			; DATA XREF: ExpAllocateAsid()+35r
					; ExpAllocateAsid()+111r ...
dword_6BBB08	dd ?			; DATA XREF: ExpAllocateAsid()+42r
					; ExpAllocateAsid()+1DCr ...
; void *dword_6BBB0C
dword_6BBB0C	dd ?			; DATA XREF: ExpAllocateAsid()+119r
					; ExpAllocateAsid()+156w ...
dword_6BBB10	dd ?			; DATA XREF: ExpAllocateAsid()+19o
					; ExpAllocateAsid()+107o ...
		align 8
_ExpSvmIommuSystemContext dd ?		; DATA XREF: ExFlushTb(x,x,x)+1Er
					; ExShareAddressSpaceWithDevice(x,x)+37r ...
		align 10h
_ExpSvmStaticWorkQueue db    ? ;	; DATA XREF: ExpInitializeSvm:loc_ADAB92o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpSvmNumberOfWorkQueues dd ?		; DATA XREF: ExpInitializeSvm:loc_ADABA0w
_ExpSvmDevices	dd ?			; DATA XREF: ExShareAddressSpaceWithDevice(x,x):loc_68B204r
					; ExShareAddressSpaceWithDevice(x,x)+4E6o ...
dword_6BBB5C	dd ?			; DATA XREF: ExpInitializeSvm+C8w
_ExpSvmDeviceListLock dd ?		; DATA XREF: ExShareAddressSpaceWithDevice(x,x):loc_68B094o
					; ExShareAddressSpaceWithDevice(x,x)+3BDo ...
_ExCriticalWorkerThreads dd ?		; DATA XREF: CcInitializePartition+1E3r
					; ExpLegacyWorkerInitialization+2Cw ...
_ExWorkerQueue	dd ?			; DATA XREF: ExpLegacyWorkerInitialization+60w
					; KiAttemptFastRemovePriQueue+E6A92r ...
_IoWorkerQueue	dd ?			; DATA XREF: ExpLegacyWorkerInitialization+86w
					; PnpBugcheckPowerTimeout(x)+47r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpDebuggerDpc	db    ?	;		; DATA XREF: ExQueueDebuggerWorker()+18o
					; ExpWorkerInitialization+C7o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpDebuggerWorkItem dd	?		; DATA XREF: ExpDebuggerDpcRoutine(x,x,x,x)+2o
					; ExpWorkerInitialization+E1w
		align 8
dword_6BBBA8	dd ?			; DATA XREF: ExpWorkerInitialization+D1w
dword_6BBBAC	dd ?			; DATA XREF: ExpWorkerInitialization+DBw
_ExpWorkersCanSwap db ?			; DATA XREF: ExpWorkerThread+7Dr
					; ExSwapinWorkerThreads(x)+56w	...
		align 4
_ExpDebuggerProcessKill	dd ?		; DATA XREF: KdRegisterDebuggerDataBlock+A8r
					; KdRegisterDebuggerDataBlock+DFw
_ExpDebuggerProcessAttach dd ?		; DATA XREF: KdRegisterDebuggerDataBlock+95r
					; KdRegisterDebuggerDataBlock+EAw
_ExpDebuggerPageIn dd ?			; DATA XREF: KdRegisterDebuggerDataBlock+C3r
					; KdRegisterDebuggerDataBlock+F0w
_ExDelayedWorkerThreads	dd ?		; DATA XREF: ExpLegacyWorkerInitialization+37w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpWorkerSwapinMutex dd ?		; DATA XREF: ExSwapinWorkerThreads(x)+46o
					; ExSwapinWorkerThreads(x):loc_85D50Eo	...
dword_6BBBE4	dd ?			; DATA XREF: ExpWorkerInitialization+Bw
dword_6BBBE8	dd ?			; DATA XREF: ExpWorkerInitialization+1Dw
unk_6BBBEC	db    ?	;		; DATA XREF: ExpWorkerInitialization+12o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpAdditionalDelayedWorkerThreads dd ?	; DATA XREF: ExpLegacyWorkerInitialization:loc_5784CAr
					; ExpLegacyWorkerInitialization+80EEFw	...
_ExpAdditionalCriticalWorkerThreads dd ? ; DATA	XREF: ExpLegacyWorkerInitializationr
					; ExpLegacyWorkerInitialization+80EE3w	...
_ExpWorkerQueueTestFlags dd ?		; DATA XREF: ExpWorkQueueManagerThread+91ED4r
					; INIT:00AF3D40o
_ExpTestSigningEnabled db ?		; DATA XREF: ExpInitExpCheckTestSigningInfo(x,x,x)+32w
					; ExpCheckTestsigningEnabled()+16r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpEnvironmentLock dd ?		; DATA XREF: ExpGetFirmwareEnvironmentVariable(x,x,x,x,x,x)+47o
					; ExpGetFirmwareEnvironmentVariable(x,x,x,x,x,x)+61o ...
dword_6BBC24	dd ?			; DATA XREF: ExpInitSystemPhase0()+29w
dword_6BBC28	dd ?			; DATA XREF: ExpInitSystemPhase0()+4Aw
unk_6BBC2C	db    ?	;		; DATA XREF: ExpInitSystemPhase0()+3Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExSystemLookasideListHead dd ?		; DATA XREF: ExInitializeProcessor+23o
					; ExpGetLookasideInformation(x,x,x):loc_684EF8r ...
dword_6BBC44	dd ?			; DATA XREF: ExInitPoolLookasidePointers()+B6w
_ExPoolLookasideListHead dd ?		; DATA XREF: ExpGetLookasideInformation(x,x,x)+56o
					; ExpGetLookasideInformation(x,x,x)+5Br ...
dword_6BBC4C	dd ?			; DATA XREF: ExInitPoolLookasidePointers()+96w
_ExPagedLookasideListHead dd ?		; DATA XREF: ExAdjustLookasideDepth()+48o
					; ExInitializeLookasideListExInternal+96o ...
dword_6BBC54	dd ?			; DATA XREF: .text:loc_509B8Ar
					; .text:00509BAEw ...
_ExPagedLookasideLock dd ?		; DATA XREF: ExAdjustLookasideDepth():loc_4E7C09o
					; ExDeletePagedLookasideList(x)+8o ...
		align 10h
_ExNPagedLookasideListHead dd ?		; DATA XREF: ExAdjustLookasideDepth()+20o
					; ExInitializeLookasideListExInternal:loc_4FF444o ...
dword_6BBC64	dd ?			; DATA XREF: ExInitializeNPagedLookasideListInternal:loc_54FDC3r
					; ExInitializeNPagedLookasideListInternal+AFw ...
_ExNPagedLookasideLock dd ?		; DATA XREF: ExAdjustLookasideDepth():loc_4E7BE1o
					; ExDeleteLookasideListEx(x)+9o ...
		align 10h
_ExpWakeTimerList dd ?			; DATA XREF: .text:0053E66Co
					; .text:0053E678o ...
dword_6BBC74	dd ?			; DATA XREF: .text:0053E666r
					; .text:0053E683w ...
_ExpWakeTimerLock dd ?			; DATA XREF: .text:0053D1FAo
					; .text:0053D2BCo ...
		align 10h
_ExpSystemResourcesList	dd ?		; DATA XREF: ExInitializeResourceLite+B4o
					; ExInitializeResourceLite+BCo	...
dword_6BBC84	dd ?			; DATA XREF: ExInitializeResourceLite:loc_537DAFr
					; ExInitializeResourceLite+CEw	...
_ExpResourceEnforceOwnerTransfer dd ?	; DATA XREF: ExDeleteResourceLite+DCr
					; ExReinitializeResourceLite+5Er ...
_PoolTrackTable	dd ?			; DATA XREF: ExpInsertPoolTrackerExpansion+2A9r
					; ExpInsertPoolTrackerExpansion+2F6r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void *ExPoolTagTables
_ExPoolTagTables dd ?			; DATA XREF: ExpGetPoolTagInfoTarget+48r
					; ExpGetPoolTagInfoTarget:loc_44C430r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PoolTrackTableMask dd ?		; DATA XREF: ExInsertPoolTag+99r
					; ExRemovePoolTag+10Cr	...
; void *PoolTrackTableExpansion
_PoolTrackTableExpansion dd ?		; DATA XREF: ExpGetPoolTagInfoTarget+162B3Dr
					; ExpInsertPoolTrackerExpansion+DF3FAr	...
_ExpSessionPoolTrackTableSize dd ?	; DATA XREF: ExGetSessionPoolTagInfo+43r
					; ExpInsertPoolTrackerExpansion+3Fr ...
; void *ExpSessionPoolTrackTable
_ExpSessionPoolTrackTable dd ?		; DATA XREF: ExGetSessionPoolTagInfo+3Ar
					; ExpInsertPoolTrackerExpansion+44r ...
_ExpSpecialAllocations dd ?		; DATA XREF: ExReturnPoolQuotar
					; ExAllocatePoolWithQuotaTag+68r ...
_ExpBigTableExpansionFailed dd ?	; DATA XREF: ExpAddTagForBigPages:loc_5EFAEBw
_ExpSessionPoolTrackTableMask dd ?	; DATA XREF: ExInsertPoolTag+19Ar
					; ExFreeHeapPool+6C9r ...
_ExpTaggedPoolLock dd ?			; DATA XREF: ExGetSessionPoolTagInfo+52o
					; ExGetSessionPoolTagInfo+1FCo	...
_ExpLargePoolTableLock dd ?		; DATA XREF: ExProtectPoolEx+4Bo
					; ExProtectPoolEx:loc_4A0683o ...
_PoolTrackTableExpansionSize dd	?	; DATA XREF: ExpInsertPoolTrackerExpansion+DF3F4r
					; ExpInsertPoolTrackerExpansion+DF53Ew	...
_PoolBigPageTable dd ?			; DATA XREF: ExProtectPoolEx+94r
					; ExProtectPoolEx+E0r ...
_PoolBigPageTableSize dd ?		; DATA XREF: ExProtectPoolEx+80r
					; ExRemovePoolTag+26r ...
_ExPoolFailures	dd ?			; DATA XREF: ExpAllocatePoolWithTagFromNode:loc_5EEE77w
_PoolTrackTableSize dd ?		; DATA XREF: ExInsertPoolTag+A6r
					; ExAllocateHeapPool+348r ...
		align 10h
_ExBootDevicesRemovedEvent db	 ? ;	; DATA XREF: ExNotifyBootDeviceRemoval(x)+34o
					; ExpWaitForBootDevices(x)+16o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExExternalBootSupportInitializationEvent db	? ;
					; DATA XREF: ExRegisterBootDevice(x,x)+10o
					; ExInitializeExternalBootSupport()+34o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExNumMissingBootDevices dd ?		; DATA XREF: ExNotifyBootDeviceRemoval(x)+22w
					; ExpWaitForBootDevices(x)+95w	...
_ExBootDeviceRemovalHandler dd ?	; DATA XREF: ExRegisterBootDevice(x,x)+25r
					; ExRegisterBootDevice(x,x)+8Fw ...
_ExBootDeviceList dd ?			; DATA XREF: ExRegisterBootDevice(x,x)+155o
					; ExpWaitForBootDevices(x):loc_686336o	...
dword_6BBD8C	dd ?			; DATA XREF: ExRegisterBootDevice(x,x)+14Fr
					; ExRegisterBootDevice(x,x)+178w ...
_ExBootDeviceListSpinLock dd ?		; DATA XREF: ExRegisterBootDevice(x,x)+13Fo
					; ExpWaitForBootDevices(x)+9o ...
		align 8
_ExpCallbackListHead dd	?		; DATA XREF: ExCreateCallback(x,x,x,x)+107o
					; ExpInitializeCallbacks()+Do ...
dword_6BBD9C	dd ?			; DATA XREF: ExCreateCallback(x,x,x,x)+FEr
					; ExCreateCallback(x,x,x,x)+11Ew ...
_ExpCallbackListLock dd	?		; DATA XREF: ExCreateCallback(x,x,x,x)+F4o
					; ExCreateCallback(x,x,x,x)+119o ...
		align 10h
_ExpCallbackEvent db	? ;		; DATA XREF: ExNotifyWithProcessing+16E3F9o
					; ExUnregisterCallback:loc_5DE243o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpCallBackFlush db	? ;		; DATA XREF: ExReferenceCallBackBlock:loc_4489EFo
					; ExReferenceCallBackBlock:loc_448A0Eo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExKsrInterface	dd ?			; DATA XREF: BapdpKsrInitiateScenarioPhase0(x,x)+18r
					; BapdpKsrpInitiateScenario(x,x)+18r ...
dword_6BBDD4	dd ?			; DATA XREF: BapdpKsrCompleteScenarioPhase0(x,x)+18r
dword_6BBDD8	dd ?			; DATA XREF: BapdpKsrCancelScenario(x,x)+16r
dword_6BBDDC	dd ?			; DATA XREF: BapdpKsrCompleteScenario(x,x)+16r
_ExCbProcessorAdd dd ?			; DATA XREF: KiDynamicProcessorAddNotification(x,x,x,x,x,x)+41r
					; PAGE:00A41590o
_ExCbEnlightenmentState	dd ?		; DATA XREF: HvlPhase2Initialize:loc_5FB369r
					; PAGE:_ExpInitializeCallbacko
_ExCbPowerState	dd ?			; DATA XREF: PopUnlockAfterSleepWorker(x)+1Dr
					; PopNotifyCallbacksPreSleep()+19r ...
_ExCbSeImageVerificationDriverInfo dd ?	; DATA XREF: SepImageVerificationCallbackWorker(x)+8r
					; SeRegisterImageVerificationCallback(x,x,x,x,x,x)+1Dr	...
_ExCbPhase1InitComplete	dd ?		; DATA XREF: PAGE:00A41598o
					; INIT:00ABFD2Dr
_ExCbSetSystemTime dd ?			; DATA XREF: PoNotifySystemTimeSet(x,x,x)+3Dr
					; PAGE:00A41578o
_ExCbSetSystemState db	  ? ;		; DATA XREF: PAGE:00A41580o
		db    ?	;
		db    ?	;
		db    ?	;
; void *ExpSysDbgPulledFileTable
_ExpSysDbgPulledFileTable dd ?		; DATA XREF: ExpKdPullRemoteFileForUser(x)+126r
					; ExpKdPullRemoteFileForUser(x)+175r ...
_ExpIRTimerExpiryCounts	dd ?		; DATA XREF: ExRecordOneTimerExpiry(x,x,x,x)+3r
					; ExStartRecordingIRTimerExpiries()+45o ...
_ExpSysDbgLock	dd ?			; DATA XREF: ExpKdPullRemoteFileForUser(x)+143o
					; ExpKdPullRemoteFileForUser(x):loc_A0ED97o ...
_ExpTickCountMultiplier	dd ?		; DATA XREF: _KiGetTickCount+Dr
					; INIT:00ACD332w
		align 10h
_ExpProductTypeIoSb db	  ? ;		; DATA XREF: ExpWatchProductTypeWork+2EEo
					; ExpWatchProductTypeInitialization+348o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpWatchProductTypeWorkItem dd	?	; DATA XREF: ExpWatchProductTypeWork+2F5o
					; ExpWatchProductTypeInitialization+1A1w ...
		align 8
dword_6BBE28	dd ?			; DATA XREF: ExpWatchProductTypeInitialization+192w
dword_6BBE2C	dd ?			; DATA XREF: ExpWatchProductTypeInitialization+19Cw
_ExpProductTypeValueInfo dd ?		; DATA XREF: ExpWatchProductTypeWork:loc_7D7969r
					; ExpWatchProductTypeWork+254r	...
_ExpProductTypeChangeBuffer db	  ? ;	; DATA XREF: ExpWatchProductTypeWork+2E3o
					; ExpWatchProductTypeInitialization+33Do
		db    ?	;
		db    ?	;
		db    ?	;
; size_t KdDumpEnableOffset
_KdDumpEnableOffset dd ?		; DATA XREF: ExpMutantInitialization()+38r
					; ExpStringCheck:loc_AE6A6Cw
_ExpSetupModeDetected db ?		; DATA XREF: ExpWatchProductTypeWork+BCr
					; ExpWatchProductTypeWork+322r	...
		align 10h
_ExpLicenseInfo	dd ?			; DATA XREF: ExpWatchProductTypeInitialization+14A16w
					; ExpWatchProductTypeInitialization+14B07r ...
_ExpLicenseInfoCount dd	?		; DATA XREF: ExpWatchProductTypeInitialization+149E5w
					; ExpWatchProductTypeInitialization+14A20r
; int ExpProductTypeKey
_ExpProductTypeKey dd ?			; DATA XREF: ExShutdownSystem(x):loc_730197r
					; ExShutdownSystem(x)+A4w ...
_ExpKeyManipLock dd ?			; DATA XREF: ExShutdownSystem(x):loc_73015Fo
					; NtDeleteKey:loc_74D5F4o ...
_ExpControlKey	dd ?			; DATA XREF: ExShutdownSystem(x)+6Ar
					; ExShutdownSystem(x)+79w ...
dword_6BBE54	dd ?			; DATA XREF: ExShutdownSystem(x):loc_730182r
					; ExShutdownSystem(x)+8Ew ...
_ExLeapSecondData dd ?			; DATA XREF: RtlpTimeFieldsToTime+Ar
					; RtlpTimeToTimeFields+17r ...
		align 10h
_ExpTimeRefreshWorkItem	dd ?		; DATA XREF: ExpTimeRefreshDpcRoutine(x,x,x,x)+16o
					; ExInitializeTimeRefresh+7Aw
		align 8
dword_6BBE68	dd ?			; DATA XREF: ExInitializeTimeRefresh+62w
dword_6BBE6C	dd ?			; DATA XREF: ExInitializeTimeRefresh+72w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpTimeRefreshLock db	  ? ;		; DATA XREF: ExpReadLeapSecondData(x,x)+176o
					; ExpTimeZoneInitSiloState(x)+A4o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpTimeRefreshDpc db	 ? ;		; DATA XREF: ExpTimeRefreshCallback(x,x)+7o
					; ExInitializeTimeRefresh+51o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpTimeRefreshTimer db	   ? ;		; DATA XREF: ExpTimeRefreshWork(x)+73o
					; ExInitializeTimeRefresh+5Do
		db    ?	;
word_6BBEE2	dw ?			; DATA XREF: ExInitializeTimeRefresh+80w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpOkToTimeRefresh dd ?		; DATA XREF: ExpTimeRefreshWork(x)+43w
					; ExInitializeTimeRefresh:loc_ABBD85o
		align 10h
_ExpClockIntervalRequest db    ? ;	; DATA XREF: ExpInsertTimerResolutionEntry+9Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpSystemSetupInProgress db ?		; DATA XREF: ExInitLicenseData:loc_882CDBr
					; ExInitializeTimeRefresh+13r ...
		align 10h
_ExpTimerResolutionListHead dd ?	; DATA XREF: ExpUpdateTimerResolution:loc_430937r
					; ExpUpdateTimerResolution+C8o	...
dword_6BBF64	dd ?			; DATA XREF: ExInitializeTimeRefresh+CCw
_ExpKernelResolutionCount dd ?		; DATA XREF: ExpUpdateTimerResolution:loc_430921r
					; ExSetTimerResolution(x,x)+47r ...
_ExpKernelRequestedTimerResolution dd ?	; DATA XREF: ExpUpdateTimerResolution:loc_5A897Cr
					; ExSetTimerResolution(x,x)+78r ...
_ExpTimeRefreshInterval	dd ?		; DATA XREF: ExpTimeRefreshWork(x)+69r
					; ExInitializeTimeRefresh+A5w
dword_6BBF74	dd ?			; DATA XREF: ExpTimeRefreshWork(x)+5Fr
					; ExInitializeTimeRefresh+ABw
_ExpKernelResolutionLock db    ? ;	; DATA XREF: ExpUpdateTimerResolution+11o
					; ExpInsertTimerResolutionEntry+10o ...
		db    ?	;
		db    ?	;
		db    ?	;
; int ExpSetupKey
_ExpSetupKey	dd ?			; DATA XREF: ExShutdownSystem(x):loc_7301ADr
					; ExShutdownSystem(x)+BAw ...
_CriticalProcessExceptionData dd ?	; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+8BBr
					; KeBugCheck2(x,x,x,x,x,x)+8C7o ...
		align 10h
word_6BBF90	dw ?			; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+8D1r
		align 4
dword_6BBF94	dd ?			; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+8DCr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpBootEnvironmentInformation dd ?	; DATA XREF: PAGE:00780BE4r
					; ExpInitializeBootEnvironment(x)+Fo
dword_6BBFC4	dd ?			; DATA XREF: PAGE:00780BF2r
dword_6BBFC8	dd ?			; DATA XREF: PAGE:00780BFBr
dword_6BBFCC	dd ?			; DATA XREF: PAGE:00780C04r
dword_6BBFD0	dd ?			; DATA XREF: ExGetFirmwareType()r
					; PAGE:00780C0Dr ...
		align 8
dword_6BBFD8	dd ?			; DATA XREF: ExIsSoftBoot()r
					; PopHiberCheckResume+101w ...
dword_6BBFDC	dd ?			; DATA XREF: PopHiberCheckResume+111w
					; PAGE:00780C39r ...
_ExpManufacturingInformation dd	?	; DATA XREF: PAGE:007819D5r
					; PnpGetServiceStartType+1Br ...
word_6BBFE4	dw ?			; DATA XREF: PAGE:007819DDr
					; PAGE:007819F3r ...
word_6BBFE6	dw ?			; DATA XREF: PAGE:loc_78199Dr
					; PAGE:007819E8r ...
dword_6BBFE8	dd ?			; DATA XREF: PAGE:00781A08r
					; IopInitializeSystemDrivers+4Dr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpFirmwareTableResource db	? ;	; DATA XREF: ExpGetSystemFirmwareTableInformation+58o
					; ExpGetSystemFirmwareTableInformation:loc_7BF437o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpFirmwareTableProviderListHead dd ?	; DATA XREF: ExpGetSystemFirmwareTableInformation+62r
					; ExpGetSystemFirmwareTableInformation+6Eo ...
dword_6BC03C	dd ?			; DATA XREF: ExpRegisterFirmwareTableInformationHandler+A1r
					; ExpRegisterFirmwareTableInformationHandler+B6w ...
_ExpFirmwarePageProtectionSupported db ? ; DATA	XREF: PAGE:loc_781C41r
					; ExpInitSystemPhase0()+B5w
		align 10h
_EtwpMdlTable	dd ?			; DATA XREF: EtwpRegisterPartitionPages(x,x,x)+5Er
					; EtwpRegisterPartitionPages(x,x,x)+D5o ...
dword_6BC054	dd ?			; DATA XREF: EtwpRegisterPartitionPages(x,x,x)+4Cr
					; EtwpRegisterPartitionPages(x,x,x):loc_683D52r ...
dword_6BC058	dd ?			; DATA XREF: EtwpRegisterPartitionPages(x,x,x):loc_683D6Fr
					; EtwpRegisterPartitionPages(x,x,x):loc_683DE6r ...
dword_6BC05C	dd ?			; DATA XREF: EtwpRegisterPartitionPages(x,x,x)+3Co
					; EtwpRegisterPartitionPages(x,x,x):loc_683E6Fo ...
_EtwpHwTraceExtensionHost dd ?		; DATA XREF: EtwpInitializeProcessorTrace()+12o
					; EtwpInitializeProcessorTrace():loc_896E61w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpCovSampGlobals dd ?		; DATA XREF: EtwpCoverageSamplerClose(x,x,x,x)+22o
					; EtwpCoverageSamplerStart(x)+39o ...
dword_6BC084	dd ?			; DATA XREF: EtwpCoverageSamplerClose(x,x,x,x)+39w
					; EtwpCoverageSamplerClose(x,x,x,x):loc_A0058Ew ...
dword_6BC088	dd ?			; DATA XREF: EtwpQueryCoverageSamplerInformation(x,x,x,x)+C0r
					; EtwpSetCoverageSamplerInformation(x,x,x)+CBr	...
dword_6BC08C	dd ?			; DATA XREF: EtwpCovSampAcquireSamplerRundown(x):loc_9FD162r
					; EtwpCovSampImageNotify(x,x,x)+33r ...
unk_6BC090	db    ?	;		; DATA XREF: EtwpCovSampAcquireSamplerRundown(x)+11o
					; EtwpCovSampCaptureBufferMapAddressesAndQueue(x,x)+D9o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BC094	dd ?			; DATA XREF: EtwpCovSampCaptureApc(x,x,x,x,x):loc_682603r
					; EtwpCovSampCaptureApcRelease(x)+3r ...
; int EtwpMutableSecurityKeyHandle
_EtwpMutableSecurityKeyHandle dd ?	; DATA XREF: EtwpGetGuidSecurityDescriptor+54r
					; EtwpInitializeSecurity+C0w ...
; int EtwpSecurityKeyHandle
_EtwpSecurityKeyHandle dd ?		; DATA XREF: EtwpGetGuidSecurityDescriptor+4Er
					; EtwpInitializeSecurity+64o ...
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUvgdUnkUlyquivUrDIGUvgdkOlyq@etw db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpBugCheckCallback db    ? ;		; DATA XREF: EtwpInitialize+1F3o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BC0D8	db ?			; DATA XREF: EtwpInitialize+1F8w
		align 10h
_EtwpDumpCallbackContext dd ?		; DATA XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+28o
					; EtwpBugCheckMultiPartCallback(x,x,x,x)+2Dw
dword_6BC0E4	dd ?			; DATA XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+32w
_EtwpCoverageLock dd ?			; DATA XREF: EtwpCoverageFlushWorkItemCallback(x)+38o
					; EtwpCoverageFlushWorkItemCallback(x)+B9o ...
_EtwpReplyListLock dd ?			; DATA XREF: EtwpDeleteRegistrationObject+18Fo
					; EtwpDeleteRegistrationObject+1AFo ...
_EtwpReplyListHead dd ?			; DATA XREF: EtwpCreateUmReplyObject+BEr
					; EtwpCreateUmReplyObject+C3o ...
dword_6BC0F4	dd ?			; DATA XREF: EtwpInitializeRegistration()+31w
		align 10h
_EtwpGlobalMutex db    ? ;		; DATA XREF: EtwpDisableTraceProviders+8Eo
					; EtwpDisableTraceProviders+ADo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwThreatIntProvRegHandle dd ?		; DATA XREF: KeInsertQueueApc+1Dr
					; .text:00524B18r ...
dword_6BC124	dd ?			; DATA XREF: KeInsertQueueApc+17r
					; EtwTiLogInsertQueueUserApc(x,x,x,x,x,x,x)+21r ...
_EtwKernelProvRegHandle	dd ?		; DATA XREF: SeLogAccessFailure+9Er
					; SeLogAccessFailure+D61D2r ...
dword_6BC12C	dd ?			; DATA XREF: SeLogAccessFailure+A3r
					; SeLogAccessFailure+D61CCr ...
_EtwpPagingDisabled db ?		; DATA XREF: .text:005286A0r
					; .text:00528897r ...
_EtwpInitialized db ?			; DATA XREF: EtwAdjustTraceBuffers()r
					; EtwGetProcessorBuffer(x,x,x)+8r ...
		align 10h
_EtwpAdjustBuffersWorkItem dd ?		; DATA XREF: EtwAdjustTraceBuffers()+31o
					; EtwpInitialize+18Aw
		align 8
dword_6BC148	dd ?			; DATA XREF: EtwpInitialize+176w
dword_6BC14C	dd ?			; DATA XREF: EtwpInitialize+180w
_EtwPerfFreq	dd ?			; DATA XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+64r
					; EtwpAddLogHeader:loc_7B8D65r	...
dword_6BC154	dd ?			; DATA XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+6Cr
					; EtwpAddLogHeader+195r ...
_EtwCPUSpeedInMHz dd ?			; DATA XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+5Cr
					; EtwpAddLogHeader+167r ...
		align 10h
_EtwpRefTimePerfCounter	dd ?		; DATA XREF: EtwpInitializeTimeStamp+105r
					; EtwpInitialize+8Dw ...
dword_6BC164	dd ?			; DATA XREF: EtwpInitializeTimeStamp+110r
					; EtwpInitialize+92w ...
_EtwpRefTimeCycle dd ?			; DATA XREF: EtwpInitializeTimeStamp:loc_7DC168r
					; EtwpInitialize+A0w
dword_6BC16C	dd ?			; DATA XREF: EtwpInitializeTimeStamp+163r
					; EtwpInitialize+A5w
_EtwpRefTimeSystem dd ?			; DATA XREF: EtwpInitializeTimeStamp:loc_7DC0E3r
					; EtwpInitializeTimeStamp:loc_7DC134r ...
dword_6BC174	dd ?			; DATA XREF: EtwpInitializeTimeStamp+DAr
					; EtwpInitializeTimeStamp+12Fr
_EtwpBufferAdjustmentCount dd ?		; DATA XREF: EtwAdjustTraceBuffers()+9w
					; EtwAdjustTraceBuffers()+15w ...
		align 10h
_EtwpNetProvRegHandle dd ?		; DATA XREF: EtwpNetProvTraceNetwork(x,x)+F7r
					; EtwpInitialize+277o
dword_6BC184	dd ?			; DATA XREF: EtwpNetProvTraceNetwork(x,x)+F1r
_EtwpPsProvRegHandle dd	?		; DATA XREF: EtwTraceThreadWorkOnBehalfUpdate+14r
					; PsImpersonateContainerOfThread+178r ...
dword_6BC18C	dd ?			; DATA XREF: EtwTraceThreadWorkOnBehalfUpdate+1Dr
					; PsImpersonateContainerOfThread:loc_53A852r ...
_EtwpBootTime	dd ?			; DATA XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+4Cr
					; EtwpAddLogHeader+1FCr ...
dword_6BC194	dd ?			; DATA XREF: EtwpBugCheckMultiPartCallback(x,x,x,x)+54r
					; EtwpAddLogHeader+207r ...
_EtwpRefQpcDelta dd ?			; DATA XREF: EtwpInitializeTimeStamp+E2r
					; EtwpInitialize+71w ...
dword_6BC19C	dd ?			; DATA XREF: EtwpInitializeTimeStamp+EDr
					; EtwpInitialize+77w ...
_EtwpGlobalSequence db	  ? ;		; DATA XREF: EtwpInitLoggerContext:loc_926CC3o
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpBufferAdjustmentActive db	  ? ;	; DATA XREF: EtwAdjustTraceBuffers()+20o
					; EtwpAdjustTraceBuffers+68o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpObjectTypeFilter db    ? ;		; DATA XREF: EtwTraceObjectOperation(x,x,x,x)+86o
					; EtwpStartLogger+A1Eo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpPoolTagFilter dw ?			; DATA XREF: EtwpCheckPoolTagFilters(x,x)+11r
					; EtwpCheckForPoolTagFilterExtension+2Fo ...
		align 4
dword_6BC264	dd ?			; DATA XREF: EtwpCheckPoolTagFilters(x,x)+1Cr
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+5A9r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpMemoryProvRegHandle dd ?		; DATA XREF: EtwTraceMemoryAcg+1Dr
					; MiAllocatePagesForMdl+10Br ...
dword_6BC304	dd ?			; DATA XREF: EtwTraceMemoryAcg+14r
					; MiAllocatePagesForMdl+105r ...
_EtwpEventTracingProvRegHandle dd ?	; DATA XREF: .text:00528C2Fr
					; EtwpTransitionToRealtime(x,x)+119r ...
dword_6BC30C	dd ?			; DATA XREF: .text:00528C29r
					; EtwpTransitionToRealtime(x,x)+113r ...
_EtwpFileProvRegHandle dd ?		; DATA XREF: EtwpTraceFileName(x,x,x,x,x,x)+D1r
					; EtwpTraceFileName(x,x,x,x,x,x)+121r ...
dword_6BC314	dd ?			; DATA XREF: EtwpTraceFileName(x,x,x,x,x,x)+CBr
					; EtwpTraceFileName(x,x,x,x,x,x)+11Br ...
_EtwpDiskProvRegHandle dd ?		; DATA XREF: EtwpDiskProvTraceDisk(x,x,x,x)+16r
					; EtwpInitialize+28Co
		align 10h
_EtwSecurityMitigationsRegHandle dd ?	; DATA XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+2F6r
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+7AEr ...
dword_6BC324	dd ?			; DATA XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+2F0r
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+7A8r ...
_EtwAdminlessProvRegHandle dd ?		; DATA XREF: EtwTraceAdminlessAccessFailure(x,x,x,x):loc_9FB6C7r
					; EtwTraceAdminlessAccessFailure(x,x,x,x)+382r	...
dword_6BC32C	dd ?			; DATA XREF: EtwTraceAdminlessAccessFailure(x,x,x,x)+338r
					; EtwTraceAdminlessAccessFailure(x,x,x,x)+374r
_EtwLpacProvRegHandle dd ?		; DATA XREF: EtwTraceLpacAccessFailure(x)+12r
					; EtwTraceLpacAccessFailure(x)+5Cr ...
dword_6BC334	dd ?			; DATA XREF: EtwTraceLpacAccessFailure(x)+1Dr
					; EtwTraceLpacAccessFailure(x)+4Fr
_EtwCVEAuditProvRegHandle dd ?		; DATA XREF: SeEtwWriteKMCveEvent(x,x)+AAr
					; EtwpInitialize+302o
dword_6BC33C	dd ?			; DATA XREF: SeEtwWriteKMCveEvent(x,x)+A4r
; void EtwpProfileObject
_EtwpProfileObject db	 ? ;		; DATA XREF: EtwpDisableKernelTrace:loc_90D395o
					; EtwpTimeProfileInit()+10o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpSecurityLock dd ?			; DATA XREF: EtwpReferenceLoggerSecurityDescriptor+11ED6Ao
					; EtwpReferenceLoggerSecurityDescriptor+11ED8Do ...
		align 10h
_EtwpCrimsonMaskMutex db    ? ;		; DATA XREF: EtwpCrimsonProvEnableCallback+1Eo
					; EtwpCrimsonProvEnableCallback+140o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpPmcProfile	dd ?			; DATA XREF: EtwpDisableKernelTrace:loc_90D3A7r
					; EtwpDisableKernelTrace+129A5Fr ...
dword_6BC3A4	dd ?			; DATA XREF: EtwpDisableKernelTrace:loc_90D3B1r
					; EtwpPmcProfileInit():loc_9F2697r ...
_EtwpProviderTraitsKmTree dd ?		; DATA XREF: EtwpReleaseProviderTraitsReference(x)+58o
					; EtwpSetProviderTraitsKm(x,x,x)+67o ...
dword_6BC3AC	dd ?			; DATA XREF: EtwpInitializeProviderTraits()+1Aw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpProviderTraitsKmMutex db	 ? ;	; DATA XREF: EtwpReleaseProviderTraitsReference(x):loc_835911o
					; EtwpSetProviderTraitsKm(x,x,x)+6Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpGroupMaskMutex db	  ? ;		; DATA XREF: EtwpUpdateGlobalGroupMasks+44o
					; EtwpUpdateGlobalGroupMasks+150o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpProviderTraitsUmTree dd ?		; DATA XREF: EtwpSetProviderTraitsUm(x,x,x)+F7o
					; EtwpReleaseProviderTraitsReference(x)+21o ...
dword_6BC404	dd ?			; DATA XREF: EtwpInitializeProviderTraits()+2Bw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpProviderTraitsUmMutex db	 ? ;	; DATA XREF: EtwpSetProviderTraitsUm(x,x,x)+FCo
					; EtwpReleaseProviderTraitsReference(x)+1Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpStackLookAsideList	dd ?		; DATA XREF: .text:005285C2o
					; EtwpAdjustTraceBuffers:loc_5E84C2o ...
dword_6BC444	dd ?			; DATA XREF: EtwpInitializeStackLookasideList()+7w
dword_6BC448	dd ?			; DATA XREF: EtwpAdjustTraceBuffers+2Er
					; EtwpAdjustTraceBuffers+D3FDDr ...
dword_6BC44C	dd ?			; DATA XREF: EtwpAdjustTraceBuffers+34r
					; EtwpAdjustTraceBuffers+D3FCFw ...
_EtwpLastBranchLookAsideList dd	?	; DATA XREF: EtwpAdjustTraceBuffers:loc_5E8501o
					; EtwpTraceLastBranchRecord(x,x,x,x)+B4o ...
dword_6BC454	dd ?			; DATA XREF: EtwpInitializeLastBranchTracing+14w
dword_6BC458	dd ?			; DATA XREF: EtwpAdjustTraceBuffers+4Dr
					; EtwpAdjustTraceBuffers+D401Cr ...
dword_6BC45C	dd ?			; DATA XREF: EtwpAdjustTraceBuffers+53r
					; EtwpAdjustTraceBuffers+D400Ew ...
_EtwpWmitraceParams dd ?		; DATA XREF: EtwWmitraceWorker()+110r
					; EtwWmitraceWorker()+2A7w ...
dword_6BC464	dd ?			; DATA XREF: EtwWmitraceWorker()+2Cr
dword_6BC468	dd ?			; DATA XREF: EtwWmitraceWorker()+107r
					; EtwWmitraceWorker()+1F5o
dword_6BC46C	dd ?			; DATA XREF: EtwWmitraceWorker()+101r
dword_6BC470	dd ?			; DATA XREF: EtwWmitraceWorker()+FBr
dword_6BC474	dd ?			; DATA XREF: EtwWmitraceWorker()+F5r
dword_6BC478	dd ?			; DATA XREF: EtwWmitraceWorker():loc_9F8814r
unk_6BC47C	db    ?	;		; DATA XREF: EtwWmitraceWorker()+117o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BC48C	db ?			; DATA XREF: EtwWmitraceWorker()+EEr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BC4A9	db ?			; DATA XREF: EtwWmitraceWorker()+24Er
					; EtwWmitraceWorker()+256o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BC52C	dd ?			; DATA XREF: EtwWmitraceWorker()+246r
dword_6BC530	dd ?			; DATA XREF: EtwWmitraceWorker()+218r
dword_6BC534	dd ?			; DATA XREF: EtwWmitraceWorker()+223r
dword_6BC538	dd ?			; DATA XREF: EtwWmitraceWorker()+22Br
dword_6BC53C	dd ?			; DATA XREF: EtwWmitraceWorker()+236r
dword_6BC540	dd ?			; DATA XREF: EtwWmitraceWorker()+23Er
		align 8
dword_6BC548	dd ?			; DATA XREF: EtwWmitraceWorker():loc_9F89F2w
		align 10h
_EtwWmitraceWork db ?			; DATA XREF: EtwWmitraceWorker():loc_9F87AEr
					; EtwWmitraceWorker()+CBr ...
		align 10h
_EtwpMemInfoTimer db	? ;		; DATA XREF: EtwpEnableKernelTrace+12994Eo
					; EtwpDisableKernelTrace+129A7Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpStopTraceCount dd ?		; DATA XREF: EtwShutdown:loc_85CFACw
					; EtwShutdown+A6328w ...
		align 10h
_EtwpAppStateChangeSequenceNumber dd ?	; DATA XREF: EtwpInitStateChangeInfo:loc_753336r
					; EtwpInitStateChangeInfo+7Do
dword_6BC5C4	dd ?			; DATA XREF: EtwpInitStateChangeInfo+68r
_EtwAppCompatProvRegHandle dd ?		; DATA XREF: CmpPublishEventForPcaResolver+14r
					; CmpPublishEventForPcaResolver+CEr ...
dword_6BC5CC	dd ?			; DATA XREF: CmpPublishEventForPcaResolver+2Ar
					; CmpPublishEventForPcaResolver+C5r
_EtwApiCallsProvRegHandle dd ?		; DATA XREF: PspLogAuditOpenThreadEvent(x,x,x,x)+49r
					; NtCreateSymbolicLinkObject+1C3r ...
dword_6BC5D4	dd ?			; DATA XREF: PspLogAuditOpenThreadEvent(x,x,x,x)+40r
					; NtCreateSymbolicLinkObject+1CBr ...
_WmipRegistryPath db	? ;		; DATA XREF: WmipQueryWmiRegInfo(x,x,x,x)+17o
					; WmipDriverEntry+7Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WmipSMMutex	db    ?	;		; DATA XREF: WmipFindRegEntryByDevice+11o
					; WmipFindRegEntryByDevice+5Eo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WmipServiceDeviceObject dd ?		; DATA XREF: IoWMIWriteEvent+9r
					; WmipForwardWmiIrp+A2r ...
_WmipEventWorkItems dd ?		; DATA XREF: IoWMIWriteEvent+AFw
					; WmipEventNotification(x)+45w
		align 10h
_WmipEventWorkQueueItem	dd ?		; DATA XREF: IoWMIWriteEvent+BEo
					; WmipDriverEntry+4Dw
		align 8
dword_6BC618	dd ?			; DATA XREF: WmipDriverEntry+3Dw
dword_6BC61C	dd ?			; DATA XREF: WmipDriverEntry+47w
_WmipNPNotificationSpinlock dd ?	; DATA XREF: IoWMIWriteEvent+9Co
					; WmipEventNotification(x):loc_86CD41o	...
		align 8
_WmipDSHead	dd ?			; DATA XREF: WmipInitializeDataStructs+12o
					; WmipInitializeDataStructs+30w
dword_6BC62C	dd ?			; DATA XREF: WmipInitializeDataStructs+28w
_WmipMRHeadPtr	dd ?			; DATA XREF: WmipEnumerateMofResources+2Ar
					; WmipEnumerateMofResources+74r ...
_WmipDSHeadPtr	dd ?			; DATA XREF: WmipLinkDataSourceToList+8Dr
					; WmipFindDSByProviderId(x)+17r ...
_WmipMRHead	dd ?			; DATA XREF: WmipInitializeDataStructs+4Bo
					; WmipInitializeDataStructs+74w
dword_6BC63C	dd ?			; DATA XREF: WmipInitializeDataStructs+6Fw
_WmipGEHead	dd ?			; DATA XREF: WmipInitializeDataStructs+35o
					; WmipInitializeDataStructs+46w
dword_6BC644	dd ?			; DATA XREF: WmipInitializeDataStructs+41w
_WmipGEHeadPtr	dd ?			; DATA XREF: WmipOpenBlock+146r
					; WmipFindGEByGuid(x,x)+1Er ...
		align 10h
_WmipRegWorkQueue dd ?			; DATA XREF: WmipQueueRegWork(x,x)+73o
					; WmipInitializeRegistration(x)+44w ...
		align 8
dword_6BC658	dd ?			; DATA XREF: WmipInitializeRegistration(x):loc_AC60F5w
dword_6BC65C	dd ?			; DATA XREF: WmipInitializeRegistration(x)+3Ew
_WmipCancelSpinLock dd ?		; DATA XREF: WmipCompleteGuidIrpWithError+15o
					; WmipReceiveNotifications+1C7o ...
_WmipRegistrationSpinLock dd ?		; DATA XREF: WmipFindRegEntryByDevice+21o
					; WmipFindRegEntryByDevice+45o	...
_WmipSysIdRead	db ?			; DATA XREF: WmipGetSysIds(x,x,x,x)+2Br
					; WmipGetSysIds(x,x,x,x)+1E7w
		align 4
_WmipSysIdUuidCount dd ?		; DATA XREF: WmipGetSysIds(x,x,x,x)+E6w
					; WmipGetSysIds(x,x,x,x)+167w ...
_WmipSysIdUuid	dd ?			; DATA XREF: WmipGetSysIds(x,x,x,x)+DDw
					; WmipGetSysIds(x,x,x,x)+171w ...
_WmipSysIdStatus dd ?			; DATA XREF: WmipGetSysIds(x,x,x,x)+1EEw
					; WmipGetSysIds(x,x,x,x)+1FFr
_WmipSysId1394Count dd ?		; DATA XREF: WmipGetSysIds(x,x,x,x)+F6w
					; WmipGetSysIds(x,x,x,x)+13Aw ...
		align 10h
_WmipSMBiosLock	db    ?	;		; DATA XREF: WmipGetSMBiosTableData+2Co
					; WmipGetSMBiosTableData:loc_7BF5AEo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WmipSysId1394	dd ?			; DATA XREF: WmipGetSysIds(x,x,x,x)+EEw
					; WmipGetSysIds(x,x,x,x)+134w ...
_WmipInstIdChunkHead dd	?		; DATA XREF: IoWMIAllocateInstanceIds(x,x,x)+2Fr
					; IoWMIAllocateInstanceIds(x,x,x)+9Dw
_WdipTimeoutWorkItem dd	?		; DATA XREF: WdipTimeoutTimerRoutine(x,x)+2o
					; WdipSemStartTimeoutCheck()+3Eo ...
		align 8
dword_6BC6C8	dd ?			; DATA XREF: WdipSemStartTimeoutCheck()+4Fw
dword_6BC6CC	dd ?			; DATA XREF: WdipSemStartTimeoutCheck()+59w
_WdipTimeoutTimer dd ?			; DATA XREF: WdipTimeoutCheckRoutine+85r
					; WdipSemStartTimeoutCheck()+25w
		align 10h
_WdipTimeoutTimerParameters dd ?	; DATA XREF: WdipTimeoutCheckRoutine+7Ao
					; WdipSemStartTimeoutCheck()+43w
dword_6BC6E4	dd ?			; DATA XREF: WdipSemStartTimeoutCheck()+49w
dword_6BC6E8	dd ?			; DATA XREF: WdipSemStartTimeoutCheck()+2Ew
dword_6BC6EC	dd ?			; DATA XREF: WdipSemStartTimeoutCheck()+35w
_WdipTimeoutWorkEnabled	db ?		; DATA XREF: WdipSemStartTimeoutCheck()r
					; WdipSemStartTimeoutCheck()+Aw
		align 10h
_PerfDiagGlobals db    ? ;		; DATA XREF: PerfDiagInitialize()+15o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BC708	db    ?	;		; DATA XREF: PerfDiagInitialize()+3Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BC710	db    ?	;		; DATA XREF: PerfDiagInitialize()+51o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BC718	db    ?	;		; DATA XREF: PerfDiagInitialize()+66o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BC720	dd ?			; DATA XREF: PerfDiagpProxyWorker+35o
					; PerfDiagInitialize()+2Bw
dword_6BC724	dd ?			; DATA XREF: PerfDiagpProxyWorker+50r
					; PerfDiagpProxyWorker:loc_7DFDACw ...
unk_6BC728	db    ?	;		; DATA XREF: PerfDiagpInitializeLoggerInfo(x,x)+2Do
					; PerfDiagpSaveActiveDCLLogFileName+46o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void dword_6BC748
dword_6BC748	dd ?			; DATA XREF: PerfDiagpProxyWorker+8Co
					; PerfDiagpProxyWorker+92r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BC774	dd ?			; DATA XREF: PerfDiagpInitializeLoggerInfo(x,x)+3Bw
					; PerfDiagpSaveActiveDCLLogFileName+3Cw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BC790	dd ?			; DATA XREF: PerfDiagpInitializeLoggerInfo(x,x)+23w
					; PerfDiagpInitializeLoggerInfo(x,x)+32w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
word_6BC7C8	dw ?			; DATA XREF: PerfDiagpSaveActiveDCLLogFileName+9Dr
word_6BC7CA	dw ?			; DATA XREF: PerfDiagpSaveActiveDCLLogFileName+6Dw
dword_6BC7CC	dd ?			; DATA XREF: PerfDiagpSaveActiveDCLLogFileName+67w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BC7D8	db    ?	;		; DATA XREF: PerfDiagpInitializeLoggerInfo(x,x)+57o
					; PerfDiagpSaveActiveDCLLogFileName+58o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
word_6BC7F8	dw ?			; DATA XREF: PerfDiagpInitializeLoggerInfo(x,x)+78w
					; PerfDiagpInitializeLoggerInfo(x,x)+9Dw
word_6BC7FA	dw ?			; DATA XREF: PerfDiagpInitializeLoggerInfo(x,x)+6Ew
					; PerfDiagpInitializeLoggerInfo(x,x)+8Dw
word_6BC7FC	dw ?			; DATA XREF: PerfDiagpInitializeLoggerInfo(x,x)+93w
word_6BC7FE	dw ?			; DATA XREF: PerfDiagpInitializeLoggerInfo(x,x)+87w
; void unk_6BC800
unk_6BC800	db    ?	;		; DATA XREF: PerfDiagpUpdatePerfDiagLoggerEnableFlags(x,x)+81o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WdipSemEnabled	db ?			; DATA XREF: WdipSemEndScenario(x,x,x)+10r
					; WdipSemDisableScenario+45r ...
		align 4
_WdipSemDisabledScenarioTable dd ?	; DATA XREF: WdipSemCleanupGroupPolicyr
					; WdipSemLoadScenarioTable+196r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void WdipSemFrequentScenarioTable
_WdipSemFrequentScenarioTable dd ?	; DATA XREF: WdipSemClearFrequentScenarioTable()+7o
					; WdipSemSqmLogInflightLimitExceededDataPoints:loc_8F83A8r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BCA40	dd ?			; DATA XREF: WdipSemSqmLogInflightLimitExceededDataPoints+35r
					; WdipSemSqmLogInflightLimitExceededDataPoints+45r ...
dword_6BCA44	dd ?			; DATA XREF: WdipSemClearFrequentScenarioTable()+11w
					; WdipSemSqmLogInflightLimitExceededDataPoints+2Bo ...
_WdipSemTimeoutEnabled db ?		; DATA XREF: WdipTimeoutCheckRoutine+21r
					; WdipSemLoadConfigInfo:loc_898CC6w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void *WdipSemScenarioTable
_WdipSemScenarioTable dd ?		; DATA XREF: WdipSemQueryScenarioTable(x,x):loc_86C91Ar
					; WdipSemAddScenarioToTable:loc_89A1A6r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BCB60	dd ?			; DATA XREF: WdipSemQueryScenarioTable(x,x)+16r
					; WdipSemLoadScenarioTable+28Cr ...
_WdipSemInitialized db ?		; DATA XREF: WdipSemInitializeGlobalState()+89w
					; WdipSemUpdate()+3r
		align 4
_WdipSemTimeoutValue dd	?		; DATA XREF: WdipTimeoutCheckRoutine:loc_7DC80Cr
					; WdipSemLoadConfigInfo+86w ...
		align 10h
_WdipSemRegHandle dd ?			; DATA XREF: WdipSemDisableScenario+9Ar
					; WdipSemDisableScenario+F6r ...
dword_6BCB74	dd ?			; DATA XREF: WdipSemDisableScenario+94r
					; WdipSemDisableScenario+F0r ...
		align 10h
; void *WdipSemProviderTable
_WdipSemProviderTable dd ?		; DATA XREF: WdipSemUpdateProviderTableWithEvent+78w
					; WdipSemQueryProviderTable(x):loc_89A089r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BDB80	dd ?			; DATA XREF: WdipSemLoadScenarioTable+299r
					; WdipSemUpdateProviderTableWithEvent:loc_899FFEr ...
dword_6BDB84	dd ?			; DATA XREF: WdipSemDisableContextProvider+26o
					; WdipSemDisableContextProvider+82o ...
		align 10h
_WdipSemEnabledInstanceTable dd	?	; DATA XREF: WdipSemQueryEnabledInstanceTable(x)+Dr
					; WdipSemQueryEnabledInstanceTable(x):loc_7DA621o ...
dword_6BDB94	dd ?			; DATA XREF: WdipSemReserveInstanceTableEntry+55r
					; WdipSemReserveInstanceTableEntry+70w	...
dword_6BDB98	dd ?			; DATA XREF: WdipSemDeleteTransitionalInstance(x)+37w
					; WdipSemReserveInstanceTableEntry+2Br	...
dword_6BDB9C	dd ?			; DATA XREF: WdipSemMarkInstanceForDeletion(x)+15o
					; WdipSemDeleteTransitionalInstance(x)+12o ...
_WdipSemPushLock dd ?			; DATA XREF: WdipSemDisableScenario+28o
					; WdipSemDisableScenario:loc_7DA555o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void WdipSemPool
_WdipSemPool	dd ?			; DATA XREF: WdipSemAllocatePool(x)+7Do
					; WdipSemInitializePool()+7o ...
dword_6BDBC4	dd ?			; DATA XREF: WdipSemAllocatePool(x)+77r
					; WdipSemAllocatePool(x)+92w ...
dword_6BDBC8	dd ?			; DATA XREF: WdipSemAllocatePool(x)+27r
					; WdipSemAllocatePool(x)+39w ...
dword_6BDBCC	dd ?			; DATA XREF: WdipSemAllocatePool(x):loc_86CBFFr
					; WdipSemAllocatePool(x)+42w ...
dword_6BDBD0	dd ?			; DATA XREF: WdipSemAllocatePool(x)+19o
					; WdipSemInitializePool()+12w
		align 8
; void unk_6BDBD8
unk_6BDBD8	db    ?	;		; DATA XREF: WdipSemLoadNextScenario:loc_899B22o
					; WdipSemLoadNextScenario+45Ao	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BDBE0	db    ?	;		; DATA XREF: WdipSemLoadScenarioTable:loc_899558o
					; WdipSemFreeScenario(x)+25o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BDBE8	db    ?	;		; DATA XREF: WdipSemUpdateProviderTableWithEvent+3Bo
					; WdipSemRollBackProviderTable(x)+1Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BDBF0	db    ?	;		; DATA XREF: WdipSemDeleteTransitionalInstance(x)+51o
					; WdipSemBuildScenarioInstance(x,x)+1Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BDBF8	db    ?	;		; DATA XREF: WdipSemWriteSemActionsEvent+12Fo
					; WdipSemWriteSemActionsEvent+20Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BDC00	db    ?	;		; DATA XREF: WdipSemSqmLogInflightLimitExceededDataPoints+11BB3Ao
					; WdipSemFreeInflightScenarioTable(x)+1Bo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WdipDiagLoggerId dd ?			; DATA XREF: WdipSemGetLoggerIds():loc_7DA680o
					; WdipSemEnableSemProvider()+7r ...
_WdipContextLoggerId dd	?		; DATA XREF: WdipSemCaptureState+1Cr
					; WdipSemCaptureState+22o ...
_VmpTraceLoggingProvider dd ?		; DATA XREF: VmColdPagesHint(x,x,x,x)+149r
					; VmpFillSlat(x,x,x,x,x,x)+108r ...
_VmpExtensionHost dd ?			; DATA XREF: VmpPrefetchVirtualAddresses(x,x,x):loc_67A25Dr
					; VmpPrefetchVirtualAddresses(x,x,x):loc_67A3EDr ...
_ViDeadlockDatabaseOwner dd ?		; DATA XREF: ViDeadlockDetectionTryConvertSharedToExclusive()+18w
					; ViDeadlockCanProceed(x,x)+3Er ...
_ViDeadlockDatabaseLock	dd ?		; DATA XREF: ViDeadlockDetectionTryConvertSharedToExclusive()+3o
					; VfDeadlockInitialize(x,x)+85w ...
_ViDeadlockIssue dd ?			; DATA XREF: ViDeadlockPreprocessOptions(x,x,x,x,x,x)+45w
dword_6BDC24	dd ?			; DATA XREF: ViDeadlockPreprocessOptions(x,x,x,x,x,x)+4Ew
dword_6BDC28	dd ?			; DATA XREF: ViDeadlockPreprocessOptions(x,x,x,x,x,x)+54w
dword_6BDC2C	dd ?			; DATA XREF: ViDeadlockPreprocessOptions(x,x,x,x,x,x)+5Fw
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUevirurviUnkUlyquivUrDIGUeukxsOlyq@verifier db	  ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_VerifierIsTrackingPool	db ?		; DATA XREF: VerifierFreeTrackedPool(x,x,x,x)+5r
					; ViPostPoolAllocation(x,x)+19w
		align 4
_pXdvIRP_MJ_WRITE db	? ;		; DATA XREF: PAGEVRFD:00AA8A80o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_READ db    ? ;		; DATA XREF: PAGEVRFD:00AA8A70o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_CLOSE db	? ;		; DATA XREF: PAGEVRFD:00AA8A60o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_CREATE_NAMED_PIPE db    ? ;	; DATA XREF: PAGEVRFD:00AA8A50o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_SET_EA db	 ? ;		; DATA XREF: PAGEVRFD:00AA8AC0o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_QUERY_EA db	   ? ;		; DATA XREF: PAGEVRFD:00AA8AB0o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_SET_INFORMATION db	  ? ;	; DATA XREF: PAGEVRFD:00AA8AA0o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_QUERY_INFORMATION db    ? ;	; DATA XREF: PAGEVRFD:00AA8A90o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvAddDevice	dd ?			; DATA XREF: ViDifCaptureIoCallbacks(x)+75r
					; PAGEVRFD:00AA8C10o
_pXdvDriverEntry dd ?			; DATA XREF: ViDifCaptureDriverEntry(x)+11r
					; PAGEVRFD:00AA8C00o
_pXdvIRP_MJ_CREATE db	 ? ;		; DATA XREF: PAGEVRFD:off_AA8A40o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvDriverCancel dd ?			; DATA XREF: IovpCancelRoutine(x,x,x)+32r
					; PAGEVRFD:00AA8C40o
_pXdvDriverUnload dd ?			; DATA XREF: ViDifCaptureIoCallbacks(x)+68r
					; PAGEVRFD:00AA8C30o
_pXdvDriverStartIo dd ?			; DATA XREF: ViDifCaptureIoCallbacks(x)+59r
					; PAGEVRFD:00AA8C20o
_pXdvIRP_MJ_QUERY_SECURITY db	 ? ;	; DATA XREF: PAGEVRFD:00AA8B80o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_CREATE_MAILSLOT db	  ? ;	; DATA XREF: PAGEVRFD:00AA8B70o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_CLEANUP db	  ? ;		; DATA XREF: PAGEVRFD:00AA8B60o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_LOCK_CONTROL db    ? ;	; DATA XREF: PAGEVRFD:00AA8B50o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_DEVICE_CHANGE db	? ;	; DATA XREF: PAGEVRFD:00AA8BC0o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_SYSTEM_CONTROL db	 ? ;	; DATA XREF: PAGEVRFD:00AA8BB0o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_POWER db	? ;		; DATA XREF: PAGEVRFD:00AA8BA0o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_SET_SECURITY db    ? ;	; DATA XREF: PAGEVRFD:00AA8B90o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_DIRECTORY_CONTROL db    ? ;	; DATA XREF: PAGEVRFD:00AA8B00o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_SET_VOLUME_INFORMATION db	 ? ; ; DATA XREF: PAGEVRFD:00AA8AF0o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_QUERY_VOLUME_INFORMATION db	   ? ; ; DATA XREF: PAGEVRFD:00AA8AE0o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_FLUSH_BUFFERS db	? ;	; DATA XREF: PAGEVRFD:00AA8AD0o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_SHUTDOWN db	   ? ;		; DATA XREF: PAGEVRFD:00AA8B40o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_INTERNAL_DEVICE_CONTROL db	  ? ; ;	DATA XREF: PAGEVRFD:00AA8B30o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_DEVICE_CONTROL db	 ? ;	; DATA XREF: PAGEVRFD:00AA8B20o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_FILE_SYSTEM_CONTROL	db    ?	; ; DATA XREF: PAGEVRFD:00AA8B10o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_PNP	db    ?	;		; DATA XREF: PAGEVRFD:00AA8BF0o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_SET_QUOTA db    ? ;		; DATA XREF: PAGEVRFD:00AA8BE0o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIRP_MJ_QUERY_QUOTA	db    ?	;	; DATA XREF: PAGEVRFD:00AA8BD0o
		db    ?	;
		db    ?	;
		db    ?	;
_KernelVerifier	dd ?			; DATA XREF: ViDifCheckCallbackInterceptionr
					; .data:006B1CC8o ...
_VerifierTriageActionTaken dd ?		; DATA XREF: VfTriageActionTaken()+Er
					; .data:006B1CB8o ...
_IovIrpTraces	dd ?			; DATA XREF: IoVerifierCheckForSettingsChange(x)+19r
					; IoVerifierCheckForSettingsChange(x)+57w ...
_IovIrpTracesIndex dd ?			; DATA XREF: IovpLogStackTrace(x)+12w
_VfClearanceFlag dd ?			; DATA XREF: VfClearVerifierSettings()+2FAr
					; VerifierCrashEvent(x):loc_6776D8r ...
_VerifierTipDisable dd ?		; DATA XREF: VfUtilCheckRuleEnforcement(x)r
					; INIT:00AF38F0o
_VfOptionFlags	dd ?			; DATA XREF: VfClearVerifierSettings()+8r
					; VerifierCrashEvent(x)+67r ...
_VerifierNewRuleWorkaround dd ?		; DATA XREF: VerifierMmBuildMdlForNonPagedPool(x)+55r
					; INIT:00AF3908o
_VfFlightOptions dd ?			; DATA XREF: VfClearVerifierSettings():loc_677180r
					; VerifierCrashEvent(x)+6Fr ...
_VerifierFaultTagsBuffer db    ? ;	; DATA XREF: ViFaultsInitializeTagsList()+6Do
					; INIT:00AF3A58o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VerifierFaultApplicationsBuffer db    ? ; ; DATA XREF:	ViFaultsInitializeAppsList()+67o
					; INIT:00AF3A40o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViTipControlLimitDenominator dd ?	; DATA XREF: VfUtilFillPluginRequestedData(x)+11r
					; INIT:00AF3AA0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViLwspPoolTags	dd ?			; DATA XREF: VfUtilFillPluginRequestedSubData(x)+9r
					; VfUtilFillPluginRequestedSubData(x)+1Fr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VfTriageContext dd ?			; DATA XREF: VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+9Ar
					; INIT:00AF3AE8o
_ViTipControlSparseness	dd ?		; DATA XREF: VfUtilFillPluginRequestedData(x):loc_A59F45r
					; INIT:00AF3AD0o
_ViTipControlLimitNumerator dd ?	; DATA XREF: VfUtilFillPluginRequestedData(x):loc_A59F38r
					; INIT:00AF3AB8o
		align 8
_VfRuleClassesRecord dd	?		; DATA XREF: VerifierCrashEvent(x)+1Ar
					; VerifierCrashEvent(x)+56r ...
dword_6BDF3C	dd ?			; DATA XREF: ViInitSystemPhase0+1A3CAw
_ViForceAllDriversSuspect dd ?		; DATA XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+1DCr
					; ViInitSystemPhase0+1A0F9w
_ViVerifyAllDrivers dd ?		; DATA XREF: VfInitSystemNoRebootNeeded(x,x)+81w
					; VfInitSystemNoRebootNeeded(x,x)+C5r ...
_ViDriverXDVImageSize dd ?		; DATA XREF: VfCheckUserHandle(x)+C2r
					; ViLogAndLoadXdv(x)+39w
_ViDriverXDVBase dd ?			; DATA XREF: VfCheckUserHandle(x)+B5r
					; ViLogAndLoadXdv(x)+31w
_ViDriverKernelEnd dd ?			; DATA XREF: VfDriverIsKernelImageAddress(x)+Dr
					; VfDriverLoadBootDrivers(x)+17w ...
_ViDriverKernelBase dd ?		; DATA XREF: VfDriverIsKernelImageAddress(x)r
					; VfDriverLoadBootDrivers(x)+11w ...
_ViFullyInitialized dd ?		; DATA XREF: VfInitSystemNoRebootNeeded(x,x)+9r
					; VfInitSystemNoRebootNeeded(x,x):loc_A5A546w ...
		align 10h
_ViFaultTagsList dd ?			; DATA XREF: ViFaultsAddTagNoDuplicates(x,x)+82o
					; ViFaultsInitializeTagsList()+25o ...
dword_6BDF64	dd ?			; DATA XREF: ViFaultsAddTagNoDuplicates(x,x):loc_A67FD4r
					; ViFaultsAddTagNoDuplicates(x,x)+A1w ...
_ViFaultApplicationsList dd ?		; DATA XREF: ViFaultsAddAppNoDuplicates(x,x)+89o
					; ViFaultsInitializeAppsList()+25o ...
dword_6BDF6C	dd ?			; DATA XREF: ViFaultsAddAppNoDuplicates(x,x):loc_A67F09r
					; ViFaultsAddAppNoDuplicates(x,x)+9Ew ...
_VfSafeMode	dd ?			; DATA XREF: VfTargetDriversAdd+19r
					; VfTargetDriversRemove+17r ...
_ViFaultInjectionLock dd ?		; DATA XREF: VfFaultsInitPhase0()+Aw
					; VfFaultsInjectPoolAllocationFailure(x)+40o ...
_ViFaultsForceAllAPIs dd ?		; DATA XREF: VfFaultsInjectResourceFailure(x)+A4r
_ViHaveFaultTags dd ?			; DATA XREF: VfFaultsInjectResourceFailure(x)+9Cr
					; ViFaultsAddTagNoDuplicates(x,x)+87w ...
_VfFilterDriverObject dd ?		; DATA XREF: VfFilterAttach(x,x):loc_A6E3BFr
					; VfFilterAttach(x,x)+DEr ...
_VfForcedPendingLog dd ?		; DATA XREF: VfPendingCheckForChanges(x)+9r
					; VfPendingCheckForChanges(x)+3Cw ...
_VfForcedPendingIrps dd	?		; DATA XREF: VfPendingStartLogging(x)+Dw
_ViDriversLoadLockOwner	dd ?		; DATA XREF: MmIsDriverSuspectForVerifier(x)+29w
					; VfDriverEnableVerifier(x,x,x)+131w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViDriversLoadLock db	 ? ;		; DATA XREF: MmIsDriverSuspectForVerifier(x)+22o
					; VfDriverEnableVerifier(x,x,x)+12Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VerifierModifyableOptions dd ?		; DATA XREF: VfInitSystemNoRebootNeeded(x,x)+64w
					; VfDriverEnableVerifier(x,x,x):loc_A5B5EDr ...
_VfInitializedWithoutReboot dd ?	; DATA XREF: VfLookasideInitializeInternalNPagedList(x,x,x,x,x,x,x)+Ar
					; VfInitSystemNoRebootNeeded(x,x)+2Dw ...
_ViDdiInitialized dd ?			; DATA XREF: VfFailDeviceNode+5r
					; VfIsVerificationEnabled+5r ...
		align 10h
_VfXdvExcludedDriversList dd ?		; DATA XREF: VfSuspectDriversLoadCallback(x,x,x,x,x):loc_A6A91Br
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+72o ...
dword_6BDFD4	dd ?			; DATA XREF: ViInitSystemPhase0+7Bw
					; VfSuspectDriversParseRegistryString()+2E8r ...
_VfExcludedDriversList dd ?		; DATA XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+25r
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+2Bo ...
dword_6BDFDC	dd ?			; DATA XREF: ViInitSystemPhase0+6Cw
					; VfSuspectDriversParseRegistryString()+162r ...
_VfIrpDatabaseInitialized dd ?		; DATA XREF: ViSettingsIoCheckForChanges(x)r
					; VfIrpDatabaseCheckExFreePool(x)+6r ...
_ViIrpDatabaseLock dd ?			; DATA XREF: ViIrpDatabaseAcquireLockExclusive(x)+3o
					; ViIrpDatabaseAcquireLockShared(x)+3o	...
_ViIrpDatabaseAddressRanges dd ?	; DATA XREF: VfIrpDatabaseCheckExFreePool(x)+27r
					; VfIrpDatabaseEntryDereference(x,x)+3Ar ...
_ViIrpLogDatabaseLock dd ?		; DATA XREF: VfIrpLogDeleteDeviceLogs(x)+Eo
					; VfIrpLogDeleteDeviceLogs(x)+64o ...
_ViIrpLogDatabase dd ?			; DATA XREF: ViIrpLogDatabaseFindPointer(x,x)r
					; VfIrpLogInit()+18w ...
_ViPendingWorkersBusyCount dd ?		; DATA XREF: ViPendingTryReserveWorker(x)+48w
_ViPendingWorkerIndexHint dd ?		; DATA XREF: ViPendingTryReserveWorker(x)+11r
					; ViPendingTryReserveWorker(x):loc_6782DDw
_ViPendingWorkersCount dd ?		; DATA XREF: ViPendingTryReserveWorker(x)+7r
					; ViPendingTryReserveWorker(x)+30r ...
_ViIrpDatabase	dd ?			; DATA XREF: VfIrpDatabaseEntryInsertAndLock(x,x,x)+46r
					; VfIrpDatabaseEntryReleaseLock(x)+80r	...
_IovUtilVerifierEnabled	dd ?		; DATA XREF: IovUtilWatermarkIrp(x,x)r
					; IovUtilMarkStack+Er ...
_ViVerifyDma	dd ?			; DATA XREF: VfDisableHalVerifier()r
					; VfDisableHalVerifier()+9w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViPendingWorkers dd ?			; DATA XREF: VfPendingInitPhase1()+11o
					; ViPendingQueuePassiveLevelCompletion(x)+4Br
unk_6BE024	db    ?	;		; DATA XREF: ViPendingTryReserveWorker(x)+21o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BE028	dd ?			; DATA XREF: ViPendingQueuePassiveLevelCompletion(x)+5Ar
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViTriageCrashData db	 ? ;		; DATA XREF: VfTriageSystem+1A37Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViVerifyTargets db    ? ;		; DATA XREF: ViMakeVerifierSettings(x,x)+B0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VfThunksExtended db ?			; DATA XREF: VfThunkAddDriverThunks(x,x,x)+22w
					; VfThunkAddSpecialDriverThunks(x,x,x,x):loc_A65686w
		align 4
_ViVerifierSpecialThunkTables dd ?	; DATA XREF: VfDriverUnloadImage+1D65w
					; VfThunkAddSpecialDriverThunks(x,x,x,x)+97w ...
_ViActiveVerifierThunks	dd ?		; DATA XREF: VfDriverInitStarting()r
					; VfDriverUnloadImage:loc_A569EEr ...
_ViInjectInPagePathOnly	dd ?		; DATA XREF: VfFaultsInjectResourceFailure(x)+45r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViKernelVerifierOriginalCalls dd ?	; DATA XREF: VerifierKfRaiseIrql(x)+41r
					; MiInitSystem+2A797r ...
dword_6BE344	dd ?			; DATA XREF: VerifierKfLowerIrql(x)+1Cr
dword_6BE348	dd ?			; DATA XREF: VerifierKeRaiseIrql(x,x)+2Fr
dword_6BE34C	dd ?			; DATA XREF: VerifierKeRaiseIrqlToDpcLevel()+3Fr
dword_6BE350	dd ?			; DATA XREF: VerifierKeLowerIrql(x)+16r
		align 8
_ViVerifierDriverAddedSpecialThunkListHead dd ?	; DATA XREF: VfDriverUnloadImage+1D2Br
					; VfDriverUnloadImage:loc_A58745o ...
dword_6BE35C	dd ?			; DATA XREF: VfInitSystemNoRebootNeeded(x,x)+B1w
_VfWdCancelTimeoutTicks	dd ?		; DATA XREF: IovpCallDriver1(x)+3CCr
					; VfWdCheckForSettingsChange(x)+38r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViTargetDriversAvl db	  ? ;		; DATA XREF: VfTargetDriversAdd+3Co
					; VfTargetDriversAdd+80o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BE388	dd ?			; DATA XREF: VfAvlEnumerateNodes(x,x,x,x):loc_A6AFD0r
					; VfAvlEnumerateNodes(x,x,x,x):loc_A6AFF1r ...
dword_6BE38C	dd ?			; DATA XREF: VfAvlEnumerateNodes(x,x,x,x):loc_A6AFC0r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BE394	dd ?			; DATA XREF: VfTargetDriversRemove:loc_54AB18r
dword_6BE398	dd ?			; DATA XREF: VfTargetDriversRemove:loc_54AB30w
					; VfTargetDriversAdd+922BFw ...
dword_6BE39C	dd ?			; DATA XREF: ViTargetRemovingCheckEtwWmi(x,x)+FAw
					; VerifierMmFreeContiguousMemory(x)+5r	...
_ViAvlInitialized dd ?			; DATA XREF: VfAvlInitializeTreeEx:loc_A585DAr
					; VfInitBootDriversLoaded+3Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VfPoolDelayFreeData db	   ? ;		; DATA XREF: VfPoolDelayFreeIfPossible+Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BE3D8	db    ?	;		; DATA XREF: VfPoolIsInternalFree()+7o
					; VfPoolInitPhase1():loc_A6A4C2o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViTargetAllocationFailures db	  ? ;	; DATA XREF: VfTargetDriversAdd:loc_5DC6F3o
					; ViTargetDriversAllocateVerifiedData(x)+24o ...
		db    ?	;
		db    ?	;
		db    ?	;
_ViTargetInitialized dd	?		; DATA XREF: VfTargetDriversAdd+25r
					; VfTargetDriversRemove+25r ...
_ViVerifierDriverAddedThunkListHead dd ? ; DATA	XREF: VfQueryDispatchTable(x,x)+7r
					; VfDriverLoadImage:loc_A566F8r ...
dword_6BE42C	dd ?			; DATA XREF: VfInitSystemNoRebootNeeded(x,x)+A2w
					; VfThunkAddDriverThunks(x,x,x)+34r ...
_ViVerifierEnabled dd ?			; DATA XREF: IoCancelIrp+5r
					; IoCancelIrp+45r ...
		align 8
unk_6BE438	db    ?	;		; DATA XREF: VfPoolIsInternalFree()+13o
					; VfPoolInitPhase1()+A1o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViNotifyEvent	dd ?			; DATA XREF: VfNotifyVerifierOfEvent(x):loc_A59B1Bw
dword_6BE444	dd ?			; DATA XREF: VfNotifyVerifierOfEvent(x):loc_A59B12w
dword_6BE448	dd ?			; DATA XREF: VfNotifyVerifierOfEvent(x):loc_A59AF1w
dword_6BE44C	dd ?			; DATA XREF: VfNotifyVerifierOfEvent(x):loc_A59AE4w
dword_6BE450	dd ?			; DATA XREF: VfNotifyVerifierOfEvent(x):loc_A59AD7w
dword_6BE454	dd ?			; DATA XREF: VfNotifyVerifierOfEvent(x)+31w
		align 10h
; void ViSystemPartitionMemoryInfo
_ViSystemPartitionMemoryInfo db	   ? ;	; DATA XREF: VfUtilGetAvailableSystemPages(x)+44o
					; VfNotifyDifPlugins(x,x)+68o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BE464	dd ?			; DATA XREF: VfUtilGetAvailableSystemPages(x)+4Fw
					; VfNotifyDifPlugins(x,x)+73w
dword_6BE468	dd ?			; DATA XREF: VfUtilGetAvailableSystemPages(x)+59w
					; VfNotifyDifPlugins(x,x)+7Dw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BE484	dd ?			; DATA XREF: VfUtilGetAvailableSystemPages(x)+6Dr
					; VfNotifyDifPlugins(x,x)+94r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViSystemPartition dd ?			; DATA XREF: VfUtilGetAvailableSystemPages(x)+1Co
					; VfUtilGetAvailableSystemPages(x)+2Dr	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VfSuspectDriversList dd ?		; DATA XREF: ViIsDriverSuspectForVerifier(x)+4r
					; ViIsDriverSuspectForVerifier(x)+Ao ...
dword_6BE524	dd ?			; DATA XREF: VfDriverEnableVerifier(x,x,x):loc_A5B622r
					; VfDriverEnableVerifier(x,x,x)+F7w ...
_VfIoSwitchedOffNoReboot dd ?		; DATA XREF: ViSettingsIoCheckForChanges(x)+22o
					; VfPnpVerifyIrpStackUpward(x,x,x,x,x,x):loc_A6CB4Cr ...
_VdmBopCount	dd ?			; DATA XREF: VdmDispatchBop(x):loc_9E900Br
					; VdmDispatchBop(x)+A4w ...
_VdmpMaxPMCliTime dd ?			; DATA XREF: VdmCheckPMCliTimeStamp()+49r
					; NtVdmControl(x,x)+C5w
_SepRmAuditProcessCommandLine db ?	; DATA XREF: SepRmProcessCreationCommandLineAuditSettingsWrkr(x,x)+1Cw
					; SeAuditProcessCreation+154r
_SepRmEnforceCap db ?			; DATA XREF: SeAccessCheckWithHintWithAdminlessChecks:loc_51BF4Er
					; SeAccessCheckWithHintWithAdminlessChecks+3CFr ...
		align 4
_SepRmAuditingEnabled dd ?		; DATA XREF: SepRmProcessCreationCommandLineAuditSettingsWrkr(x,x)+8w
					; SepRmCallLsa+2Er ...
_SepRmCapTableLock dd ?			; DATA XREF: SepRmReferenceCapTable()+10o
					; SepRmCapUpdateWrkr+3Fo ...
_SeAuditingStateByCategory dd ?		; DATA XREF: SepAdtAuditThisEventByCategoryWithContext+1Dr
					; SepRmSetAuditEventWrkr+2Co
		align 8
dword_6BE548	dd ?			; DATA XREF: SeOpenObjectAuditAlarmWithTransaction+AFr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SepTokenPolicyCounterByCategory dd ?	; DATA XREF: SepAdtAuditThisEventByCategoryWithContext+2Fr
					; SepModifyTokenPolicyCounter(x,x)+25o
		align 8
dword_6BE588	dd ?			; DATA XREF: SeOpenObjectAuditAlarmWithTransaction+C2r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SepTokenPolicyCounter db    ? ;	; DATA XREF: SepModifyTokenPolicyCounter(x,x)+74o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BE5F8	db ?			; DATA XREF: SepAuditingEnabledForSubcategory(x,x,x)+5r
					; SepAuditingForSubCategory(x,x)+4r ...
byte_6BE5F9	db ?			; DATA XREF: SepAuditingEnabledForSubcategory(x,x,x):loc_4D92CFr
					; SepAuditingForSubCategory(x,x):loc_4D92FEr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BE63C	dd ?			; DATA XREF: SepAdtAuditPrivilegeUseWithContext+42r
dword_6BE640	dd ?			; DATA XREF: SepAdtAuditPrivilegeUseWithContext+72r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void SeAuditingState
_SeAuditingState db    ? ;		; DATA XREF: SepRmSetAuditEventWrkr+5Do
					; SepRmDbInitialization()+87o
unk_6BE6C1	db    ?	;		; DATA XREF: SepRmSetAuditEventWrkr+68o
		db    ?	;
		db    ?	;
byte_6BE6C4	db ?			; DATA XREF: SeAuditingFileEvents(x,x)+5r
					; SeAuditingHardLinkEvents(x,x)+2Fr
byte_6BE6C5	db ?			; DATA XREF: SeAuditingFileEvents(x,x):loc_9D857Cr
					; SeAuditingHardLinkEvents(x,x):loc_9D86D2r
byte_6BE6C6	db ?			; DATA XREF: SeAuditingFileEvents(x,x):loc_9D8589r
byte_6BE6C7	db ?			; DATA XREF: SeAuditingFileEvents(x,x):loc_9D8596r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BE6E2	db ?			; DATA XREF: SeAuditHeaderRequired(x):loc_5257EBr
byte_6BE6E3	db ?			; DATA XREF: SeAuditHeaderRequired(x)+14r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BE6FA	db ?			; DATA XREF: SeAuditHeaderRequired(x)+1Dr
byte_6BE6FB	db ?			; DATA XREF: SeAuditHeaderRequired(x)+26r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BE704	db ?			; DATA XREF: SepRmDbInitialization()+9Aw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SepAdtCrashOnAuditFailWorkItem	dd ?	; DATA XREF: SepAuditFailedRaisedIrql(x):loc_6701C6w
					; SepAuditFailedRaisedIrql(x)+27o
		align 8
dword_6BE748	dd ?			; DATA XREF: SepAuditFailedRaisedIrql(x)+2Cw
dword_6BE74C	dd ?			; DATA XREF: SepAuditFailedRaisedIrql(x)+36w
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUhvUnkUlyquivUrDIGUkxsOlyq@se db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SepSingletonGlobalData	db    ?	;	; DATA XREF: .data:_SepSingletonGlobalo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void *g_SecureBootActivePlatformManifest
_g_SecureBootActivePlatformManifest dd ?
					; DATA XREF: SeSecureBootQueryInformation:loc_8F9177r
					; SeQuerySecureBootPlatformManifest(x,x)+5r ...
; size_t g_SecureBootActivePlatformManifestSize
_g_SecureBootActivePlatformManifestSize	dd ?
					; DATA XREF: SeSecureBootQueryInformation:loc_8F918Br
					; SeSecureBootRegisterPolicy+10B69w
		align 10h
_SepMandatoryObjectTypePolicy dd ?	; DATA XREF: SeComputeAutoInheritByObjectTypeEx+58o
					; SeRegisterObjectTypeMandatoryPolicy+4Do ...
dword_6BE784	dd ?			; DATA XREF: SeComputeAutoInheritByObjectTypeEx+71r
					; SeRegisterObjectTypeMandatoryPolicy+7Cw ...
dword_6BE788	dd ?			; DATA XREF: SeComputeAutoInheritByObjectTypeEx+7Dr
					; SeRegisterObjectTypeMandatoryPolicy+9Dw
dword_6BE78C	dd ?			; DATA XREF: SeComputeAutoInheritByObjectTypeEx+84r
					; SeRegisterObjectTypeMandatoryPolicy+75w ...
dword_6BE790	dd ?			; DATA XREF: SeComputeAutoInheritByObjectTypeEx:loc_5F0588r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SepMandatoryObjectTypePolicyLock dd ?	; DATA XREF: SeComputeAutoInheritByObjectTypeEx+42o
					; SeComputeAutoInheritByObjectTypeEx+9Eo ...
_SepAuthExtensionHost dd ?		; DATA XREF: LsaFreeReturnBuffer(x)+5r
					; LsaFreeReturnBuffer(x)+20r ...
_SepBCryptExtensionHost	dd ?		; DATA XREF: BCryptCloseAlgorithmProvider(x,x)+Br
					; BCryptCloseAlgorithmProvider(x,x)+20r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SeCiCallbacks	dd ?			; DATA XREF: SepInitializeCodeIntegrity()+1Ew
					; SepInitializeCodeIntegrity()+6Do
; void dword_6BEA24
dword_6BEA24	dd ?			; DATA XREF: NtSetCachedSigningLevel2+28r
					; NtSetCachedSigningLevel2+13Ar ...
dword_6BEA28	dd ?			; DATA XREF: SeGetCachedSigningLevel(x,x,x,x,x,x)+5r
dword_6BEA2C	dd ?			; DATA XREF: SeCodeIntegrityQueryInformation(x,x,x)+5r
					; SeCodeIntegrityQueryInformation(x,x,x)+2Dr
dword_6BEA30	dd ?			; DATA XREF: SeValidateImageHeader+13r
					; SeValidateImageHeader+50r
dword_6BEA34	dd ?			; DATA XREF: SeValidateImageData(x,x,x,x,x,x,x)+5r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BEA3C	dd ?			; DATA XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+C4r
dword_6BEA40	dd ?			; DATA XREF: MiValidateExistingImage(x):loc_78C79Cr
					; MiValidateExistingImage(x):loc_78C7EEr ...
dword_6BEA44	dd ?			; DATA XREF: SeValidateFileAsImageType(x,x,x)+5r
					; ExpQueryCodeIntegrityCertificateInfo(x,x):loc_A04087r
dword_6BEA48	dd ?			; DATA XREF: SepParseElamCertResources:loc_8A2D23r
		align 10h
dword_6BEA50	dd ?			; DATA XREF: SeCodeIntegrityInitializePolicy(x)+44r
dword_6BEA54	dd ?			; DATA XREF: SeReleaseImageValidationContext(x)r
dword_6BEA58	dd ?			; DATA XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+18r
dword_6BEA5C	dd ?			; DATA XREF: MiGetSectionStrongImageReference(x)+Br
dword_6BEA60	dd ?			; DATA XREF: MiRelocateImageAgain+151AB7r
					; MiRelocateImage+14E15Er ...
dword_6BEA64	dd ?			; DATA XREF: SeCodeIntegrityQueryPolicyInformation(x,x,x,x,x,x)+5r
dword_6BEA68	dd ?			; DATA XREF: MmChangeImageProtection(x,x,x,x):loc_793ED4r
dword_6BEA6C	dd ?			; DATA XREF: SeQuerySecurityPolicy(x,x,x,x,x,x)+6r
dword_6BEA70	dd ?			; DATA XREF: MiValidateExistingImage(x)+1A2r
dword_6BEA74	dd ?			; DATA XREF: SeCodeIntegritySetInformation(x,x,x)+5r
dword_6BEA78	dd ?			; DATA XREF: SeCodeIntegritySetInformationProcess(x,x,x,x)+10r
					; SeCodeIntegritySetInformationProcess(x,x,x,x)+5Fr
dword_6BEA7C	dd ?			; DATA XREF: SeCodeIntegrityGetBuildExpiryTime+5r
dword_6BEA80	dd ?			; DATA XREF: PsTestProtectedProcessIncompatibility(x,x,x)+3Ar
dword_6BEA84	dd ?			; DATA XREF: SeGetCodeIntegrityOriginClaimForFileObject(x,x)r
dword_6BEA88	dd ?			; DATA XREF: SeDeleteCodeIntegrityOriginClaimMembers(x)r
dword_6BEA8C	dd ?			; DATA XREF: SeDeleteCodeIntegrityOriginClaimForFileObject(x)r
dword_6BEA90	dd ?			; DATA XREF: SepInitializeCodeIntegrity()+28w
_SeProcTrustLiteAppSid dd ?		; DATA XREF: SepSidFromProcessProtection:loc_5EDA22r
					; SepVariableInitialization()+91Cw ...
_SeProcTrustNoneSid dd ?		; DATA XREF: SepVariableInitialization()+92Aw
					; SepVariableInitialization()+CFEr ...
_SeProcTrustLiteWinTcbSid dd ?		; DATA XREF: SepSidFromProcessProtection:loc_529C2Dr
					; SepVariableInitialization()+8FAw ...
_SeProcTrustLiteWinSid dd ?		; DATA XREF: SepSidFromProcessProtection:loc_529C27r
					; SepVariableInitialization()+90Bw ...
; void *SeConstrainedImpersonationCapabilitySid
_SeConstrainedImpersonationCapabilitySid dd ? ;	DATA XREF: PAGE:0081787Br
					; SepIsImpersonationAllowedDueToCapability+11AD7Ar ...
_SeSessionImpersonationCapabilityGroupSid dd ?
					; DATA XREF: SepIsImpersonationAllowedDueToCapability+11ACBCr
					; SepVariableInitialization()+96Aw ...
_SeConstrainedImpersonationCapabilityGroupSid dd ?
					; DATA XREF: SepIsImpersonationAllowedDueToCapability+11AD17r
					; SepVariableInitialization()+94Aw ...
_SeHighMandatorySid dd ?		; DATA XREF: SepAdjustPrivileges+E9r
					; SepVariableInitialization()+711w ...
_SeSystemMandatorySid dd ?		; DATA XREF: SeMakeSystemToken+84r
					; SepVariableInitialization()+726w ...
_SeUntrustedMandatorySid dd ?		; DATA XREF: SepCopyTokenIntegrity(x,x):loc_4D9245r
					; SepCreateTokenEx+21Br ...
_SeMediumMandatorySid dd ?		; DATA XREF: SepAdjustPrivileges:loc_79CE8Ar
					; SepInitializationPhase0()+88r ...
_SeProcTrustAuthenticodeSid dd ?	; DATA XREF: SepSidFromProcessProtection:loc_5EDA28r
					; SepVariableInitialization()+8D8w ...
_SeProcTrustLiteAntimalwareSid dd ?	; DATA XREF: SepSidFromProcessProtection:loc_529C21r
					; SepVariableInitialization()+8E9w ...
_SeProcTrustWinTcbSid dd ?		; DATA XREF: SepCreateTokenEx:loc_51355Fr
					; SepSidFromProcessProtection:loc_529C39r ...
_SeProcTrustWinSid dd ?			; DATA XREF: SepSidFromProcessProtection:loc_529C33r
					; SepVariableInitialization()+8C7w ...
_SeRegistryReadCapabilitySid dd	?	; DATA XREF: PAGEDATA:00A93D10o
					; SepVariableInitialization()+7EEw ...
_SeLpacServicesManagementCapabilitySid dd ? ; DATA XREF: PAGEDATA:00A93D14o
					; SepVariableInitialization()+7FCw ...
_SeLpacMediaCapabilitySid dd ?		; DATA XREF: PAGEDATA:00A93D08o
					; SepVariableInitialization()+7D2w ...
_SeLpacPnpNotificationsCapabilitySid dd	? ; DATA XREF: PAGEDATA:00A93D0Co
					; SepVariableInitialization()+7E0w ...
_SeLpacWebPlatformCapabilitySid	dd ?	; DATA XREF: PAGEDATA:00A93D20o
					; SepVariableInitialization()+826w ...
_SeLpacPaymentsCapabilitySid dd	?	; DATA XREF: PAGEDATA:00A93D24o
					; SepVariableInitialization()+834w ...
_SeLpacSessionManagementCapabilitySid dd ? ; DATA XREF:	PAGEDATA:00A93D18o
					; SepVariableInitialization()+80Aw ...
_SeLpacPrintingCapabilitySid dd	?	; DATA XREF: PAGEDATA:00A93D1Co
					; SepVariableInitialization()+818w ...
_SeLpacAppExperienceCapabilitySid dd ?	; DATA XREF: PAGEDATA:_SeLpacCapabilitySidso
					; SepVariableInitialization()+77Ew ...
_SeLpacComCapabilitySid	dd ?		; DATA XREF: PAGEDATA:00A93CF4o
					; SepVariableInitialization()+78Cw ...
_SeSessionImpersonationCapabilitySid dd	? ; DATA XREF: SepVariableInitialization()+97Cw
					; SepVariableInitialization()+1479r
_SeDefaultAccountAliasSid dd ?		; DATA XREF: SepIsImpersonationAllowedDueToCapability+11AC64r
					; SepVariableInitialization()+93Bw ...
_SeLpacInstrumentationCapabilitySid dd ? ; DATA	XREF: PAGEDATA:00A93D00o
					; SepVariableInitialization()+7B4w ...
_SeLpacEnterprisePolicyChangeNotificationsCapabilitySid	dd ? ; DATA XREF: PAGEDATA:00A93D04o
					; SepVariableInitialization()+7C4w ...
_SeLpacCryptoServicesCapabilitySid dd ?	; DATA XREF: PAGEDATA:00A93CF8o
					; SepVariableInitialization()+79Aw ...
_SeLpacIdentityServicesCapabilitySid dd	? ; DATA XREF: PAGEDATA:00A93CFCo
					; SepVariableInitialization()+7A8w ...
_SeLpacPackageManagerOperationCapabilitySid dd ? ; DATA	XREF: PAGEDATA:00A93D30o
					; SepVariableInitialization()+863w ...
_SeLpacDeviceAccessCapabilitySid dd ?	; DATA XREF: PAGEDATA:00A93D34o
					; SepVariableInitialization()+87Aw ...
_SeLpacClipboardCapabilitySid dd ?	; DATA XREF: PAGEDATA:00A93D28o
					; SepVariableInitialization()+842w ...
_SeLpacImeCapabilitySid	dd ?		; DATA XREF: PAGEDATA:00A93D2Co
					; SepVariableInitialization()+850w ...
_SeLowMandatorySid dd ?			; DATA XREF: CmpGenerateAppHiveSecurityDescriptor(x)+151r
					; IopCreateSecurityDescriptorPerType:loc_7EE76Fr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_RtlpLowFragHeapRandomData dd ?		; DATA XREF: RtlpUpdateLfhRandomDataArray()+2Ew
					; RtlpHpLfhSlotAllocate+E3r ...
dword_6BEB44	dd ?			; DATA XREF: RtlpUpdateLfhRandomDataArray()+35w
					; RtlpHpLfhContextInitialize(x,x,x,x,x,x,x)+DFw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_RtlpHpLfhPerfFlags dd ?		; DATA XREF: RtlpHpLfhSubsegmentCreate+10r
					; RtlpHpLfhSubsegmentCreate+89r ...
_NormalizationListLock db    ? ;	; DATA XREF: NormalizationList__Lock()+10o
					; NormalizationList__Unlock()+1Do ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_RtlpHpHeapGlobals dd ?			; DATA XREF: RtlpHpLfhSubsegmentCreate+DEr
					; RtlpHpLfhSubsegmentCreate+122r ...
dword_6BEC64	dd ?			; DATA XREF: RtlpHpLfhSubsegmentInitialize(x,x,x,x,x)+8Dr
					; RtlpHpLfhSubsegmentInitialize(x,x,x,x,x)+1DDr ...
dword_6BEC68	dd ?			; DATA XREF: RtlHpGlobalsInitialize()+23w
dword_6BEC6C	dd ?			; DATA XREF: RtlpHpHeapCheckCommitLimit+14r
					; RtlpHpHeapCheckCommitLimit+1Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BEC74	dd ?			; DATA XREF: ExAllocateHeapPool+152r
					; RtlpHpAllocateHeap+3Cr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_RtlpCtPublishInProgress db    ? ;	; DATA XREF: RtlRaiseCustomSystemEventTrigger(x)+8Eo
					; RtlRaiseCustomSystemEventTrigger(x)+1DDo ...
		db    ?	;
		db    ?	;
		db    ?	;
_RtlpHpLegacyEnvHandle dd ?		; DATA XREF: RtlpHpLegacyGetEnvHandle()r
					; ExpInitSystemPhase0()+F5w
dword_6BEC84	dd ?			; DATA XREF: RtlpHpLegacyGetEnvHandle()+5r
					; ExpInitSystemPhase0()+E7w
_BootStatFileHandle dd ?		; DATA XREF: RtlBootStatusDisableFlushing(x)+29r
					; RtlInitializeBootStatDataCache()+34r	...
_BootStatFileHandleAcquired db ?	; DATA XREF: RtlBootStatusDisableFlushing(x)+21r
					; RtlpGetSetBootStatusData+92r	...
_BootStatKeepHandleOpen	db ?		; DATA XREF: RtlUnlockBootStatusData(x)+41r
					; RtlLockBootStatusData(x):loc_7D73AFw	...
		align 10h
_BootStatDataCache dd ?			; DATA XREF: RtlInitializeBootStatDataCache()+14r
					; RtlInitializeBootStatDataCache()+60w	...
_BootStatDisableFlush db ?		; DATA XREF: RtlBootStatusDisableFlushing(x)+Fr
					; RtlBootStatusDisableFlushing(x)+17w ...
		align 4
_BootStatReferenceCount	dd ?		; DATA XREF: RtlUnlockBootStatusData(x)+1Br
					; RtlUnlockBootStatusData(x)+30w ...
_RtlpStackTraceDatabase	dd ?		; DATA XREF: RtlLogStackBackTraceEx(x)+3r
					; ExpGetStackTraceInformation(x,x,x)+Cr ...
_MuiLockInitCount dd ?			; DATA XREF: LdrpInitMuiCrits+18o
					; LdrpInitMuiCrits+28r	...
; void *AlternateResourceModules
_AlternateResourceModules dd ?		; DATA XREF: LdrpGetAlternateResourceModuleHandleEx+4Ar
					; LdrpGetAlternateResourceModuleHandleEx+87r ...
_AltResMemBlockCount dd	?		; DATA XREF: LdrpSetAlternateResourceModuleHandle+A4r
					; LdrpSetAlternateResourceModuleHandle+22Ew ...
_AlternateResourceModuleCount dd ?	; DATA XREF: LdrpGetAlternateResourceModuleHandleEx+32r
					; LdrpGetAlternateResourceModuleHandleEx:loc_541198r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_MuiMutex	db    ?	;		; DATA XREF: LdrpGetAlternateResourceModuleHandleEx+20o
					; sub_5411D3+4o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_RtlpExceptionLogCount dd ?		; DATA XREF: RtlpLogExceptionDispatch(x,x)+1Er
					; RtlpLogExceptionDispatch(x,x)+31o ...
		align 8
_RawMountedQueue dd ?			; DATA XREF: RawMountVolume+16Er
					; RawMountVolume+173o ...
dword_6BECEC	dd ?			; DATA XREF: RawInitialize+15Dw
_RawDismountedQueue dd ?		; DATA XREF: .text:005ABA17o
					; RawScanDeletedList+3o ...
dword_6BECF4	dd ?			; DATA XREF: .text:005ABA20r
					; .text:005ABA39w ...
		align 10h
_RawGlobalLock	dd ?			; DATA XREF: .text:0043DF70o
					; .text:005AB9F2o ...
dword_6BED04	dd ?			; DATA XREF: RawInitialize+157w
dword_6BED08	dd ?			; DATA XREF: RawInitialize+179w
unk_6BED0C	db    ?	;		; DATA XREF: RawInitialize+181o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_RawDeviceDiskObject dd	?		; DATA XREF: RawShutdown(x,x)+Ar
					; RawShutdown(x,x)+41r	...
_RawDeviceCdRomObject dd ?		; DATA XREF: RawShutdown(x,x)+15r
					; RawShutdown(x,x)+36r	...
_RawDeviceTapeObject dd	?		; DATA XREF: RawShutdown(x,x)+20r
					; RawShutdown(x,x)+2Br	...
		align 10h
_PspStorageExpansionBitmap dd ?		; DATA XREF: PspStorageAllocSlot+9E6F1o
					; PspStorageFreeSlot(x)+4Eo ...
dword_6BED34	dd ?			; DATA XREF: PspGetStorageArray:loc_7B05B6r
					; PspInitializeStorageStructures()+25w
_PspStorageBitmap dd ?			; DATA XREF: PspStorageAllocSlot+1Do
					; PspStorageFreeSlot(x)+Co ...
dword_6BED3C	dd ?			; DATA XREF: PspGetStorageArray+27r
					; PspInitializeStorageStructures()+11w
_PspStorageBitmapLock dd ?		; DATA XREF: PspStorageAllocSlot+Eo
					; PspStorageAllocSlot:loc_88A202o ...
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUkhUnkUlyquivUrDIGUkhkOlyq@ps db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_LdtMutex	db    ?	;		; DATA XREF: PsSetLdtEntries(x,x,x,x,x,x)+9Bo
					; PsSetLdtEntries(x,x,x,x,x,x)+F8o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VdmIoListCreationResource db	 ? ;	; DATA XREF: Psp386CreateVdmIoListHead(x)+30o
					; Psp386CreateVdmIoListHead(x)+A3o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PspActivePartitionListLock db	  ? ;	; DATA XREF: PsGetNextPartitionUnsafe(x)+Ao
					; PsGetNextPartitionUnsafe(x):loc_4EADADo ...
		db    ?	;
		db    ?	;
		db    ?	;
_PspFreezeTimeBiasAddress dd ?		; DATA XREF: PsThawProcess+B7r
					; PsThawProcess+BEr ...
_PsWin32CallBack db    ? ;		; DATA XREF: MmSessionGetWin32Callouts()+1Fo
					; PsEstablishWin32Callouts+1Ao	...
		db    ?	;
		db    ?	;
		db    ?	;
_PsWin32NullCallBack db	   ? ;		; DATA XREF: MmSessionGetWin32Callouts():loc_448A9Co
					; .data:006B1E68o ...
		db    ?	;
		db    ?	;
		db    ?	;
_PspPicoRegistrationDisabled db	?	; DATA XREF: PsRegisterPicoProvider(x,x)+37r
					; PipInitializeCoreDriversAndElam(x)+23w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PspPicoProviderRoutines db    ? ;	; DATA XREF: .data:_PsKernelRangeListo
					; PsRegisterPicoProvider(x,x)+4Bo
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BEDE4	dd ?			; DATA XREF: PsPicoSystemCallDispatch(x)+10r
dword_6BEDE8	dd ?			; DATA XREF: PspThreadDelete+1C9r
dword_6BEDEC	dd ?			; DATA XREF: PspProcessDelete+17E27Br
dword_6BEDF0	dd ?			; DATA XREF: KiDispatchException+10DE3Fr
					; MiDeliverPicoExceptionForProbedPage(x,x)+4Er
dword_6BEDF4	dd ?			; DATA XREF: PspTerminateProcess:loc_8D557Cr
dword_6BEDF8	dd ?			; DATA XREF: PsPicoWalkUserStack(x,x)+1Er
					; PsPicoWalkUserStack(x,x)+5Er
		align 10h
dword_6BEE00	dd ?			; DATA XREF: PsGetAllocatedFullProcessImageNameEx:loc_8D896Cr
					; ExpGetProcessInformation:loc_91E2AAr
dword_6BEE04	dd ?			; DATA XREF: PspProcessOpen(x,x,x,x,x,x)+61r
dword_6BEE08	dd ?			; DATA XREF: PspThreadOpen+1395BAr
dword_6BEE0C	dd ?			; DATA XREF: PAGE:0083EF63r
					; NtQueryInformationThread+F5D33r
_PsAltSystemCallRegistrationLock dd ?	; DATA XREF: PsRegisterAltSystemCallHandler(x,x)+40o
					; PsRegisterAltSystemCallHandler(x,x)+4Eo ...
_PspSiloMonitorLock dd ?		; DATA XREF: PsStartSiloMonitor+3Bo
					; PsStartSiloMonitor+11Eo ...
_PspSiloMonitorList dd ?		; DATA XREF: PsStartSiloMonitor+103o
					; PspNotifyServerSiloCreation(x):loc_9CB7F8r ...
dword_6BEE1C	dd ?			; DATA XREF: PsStartSiloMonitor+FEr
					; PsStartSiloMonitor+115w ...
_PsVmProcessorHostTransitionEvent dd ?	; DATA XREF: PsSetVmProcessorHostProcess(x)+74o
					; PsSetVmProcessorHostProcess(x)+146r ...
_PspThreadWorkOnBehalfLock dd ?		; DATA XREF: CcMapAndCopyInToCache:loc_47BFDAo
					; CcMapAndCopyInToCache:loc_47C006o ...
_PspNetRateControlExtensionHost	dd ?	; DATA XREF: PspNetRateControlDispatch(x)+5r
					; PspNetRateControlDispatch(x)+1Er ...
		align 10h
_PspJobTimeLimitsWorkItem dd ?		; DATA XREF: PsEnforceExecutionLimits()+3Do
					; PspScheduleEnforcementWorker(x)+2Do ...
		align 8
dword_6BEE38	dd ?			; DATA XREF: PspInitializeJobStructures+45w
dword_6BEE3C	dd ?			; DATA XREF: PspInitializeJobStructures+4Fw
_PspJobTimeLimitsRequest dd ?		; DATA XREF: PsEnforceExecutionLimits()r
					; PspUpdateEnforcementTimer(x):loc_7D44EDr ...
dword_6BEE44	dd ?			; DATA XREF: PsEnforceExecutionLimits()+5r
					; PspUpdateEnforcementTimer(x)+11r ...
_PspJobTimeLimitsWorkItemFlags db    ? ; ; DATA	XREF: PsEnforceExecutionLimits()+25o
					; PspJobTimeLimitsWork(x)+Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PspJobNotificationItem	dd ?		; DATA XREF: PspRequestDeferredJobNotification(x,x)+42o
					; PspInitializeJobStructures+40w
		align 8
dword_6BEE58	dd ?			; DATA XREF: PspInitializeJobStructures+31w
dword_6BEE5C	dd ?			; DATA XREF: PspInitializeJobStructures+3Bw
_PspJobNotificationList	dd ?		; DATA XREF: PspRequestDeferredJobNotification(x,x)+20r
					; PspRequestDeferredJobNotification(x,x)+2Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PspQuotaExpansionDescriptors db    ? ;	; DATA XREF: PspReturnResourceQuota+17o
					; PspExpandQuota+1Do ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BEE84	dd ?			; DATA XREF: PspReturnQuota+55r
					; PspReturnQuota+E8r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BEE9C	db    ?	;		; DATA XREF: PsInitializeQuotaSystem(x)+E1o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; Exported entry 1917. PsSiloContextNonPagedType
		public _PsSiloContextNonPagedType
_PsSiloContextNonPagedType dd ?		; DATA XREF: PspIsSiloContext(x)+1Fr
					; PsCreateSiloContext+21r ...
; Exported entry 1918. PsSiloContextPagedType
		public _PsSiloContextPagedType
_PsSiloContextPagedType	dd ?		; DATA XREF: PspIsSiloContext(x):loc_7B05EEr
					; PsCreateSiloContext:loc_7B06CDr ...
_PsReaperWorkItem dd ?			; DATA XREF: KeTerminateThread+102o
					; KeTerminateThread+1685D3o ...
		align 8
dword_6BEEC8	dd ?			; DATA XREF: PspInitPhase0+693w
dword_6BEECC	dd ?			; DATA XREF: KeTerminateThread:loc_444EBEr
					; KeTerminateThread:loc_5AD32Ao ...
_PsReaperListHead dd ?			; DATA XREF: KeTerminateThread:loc_444E59r
					; KeTerminateThread+ECo ...
		align 8
_PsActiveProcessHead dd	?		; DATA XREF: IoFillDumpHeader(x,x,x,x,x,x,x,x)+82o
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+170o ...
dword_6BEEDC	dd ?			; DATA XREF: PspInsertProcess+79r
					; PspInsertProcess+9Fw	...
_PspProcessSequenceNumber dd ?		; DATA XREF: PspInsertProcess+99r
					; PspInsertProcess+AFw
dword_6BEEE4	dd ?			; DATA XREF: PspInsertProcess+A7r
					; PspInsertProcess+BDw
		align 10h
_PspProcessRundownCacheWorkItem	dd ?	; DATA XREF: PspRundownProcess+4Ao
					; PspInitPhase0+6CFw
		align 8
dword_6BEEF8	dd ?			; DATA XREF: PspInitPhase0+6BFw
dword_6BEEFC	dd ?			; DATA XREF: PspInitPhase0+6C9w
_PspProcessRundownWorkItem dd ?		; DATA XREF: PspRundownProcess+B36C9o
					; PspInitPhase0+6B9w
		align 8
dword_6BEF08	dd ?			; DATA XREF: PspInitPhase0+6A9w
dword_6BEF0C	dd ?			; DATA XREF: PspInitPhase0+6B3w
_PspWorkingSetChangeHead dd ?		; DATA XREF: PspAddProcessToWorkingSetChangeList(x)+41o
					; PspApplyWorkingSetLimits(x,x)+2Ao ...
dword_6BEF14	dd ?			; DATA XREF: PspAddProcessToWorkingSetChangeList(x)+58r
					; PspAddProcessToWorkingSetChangeList(x)+6Ew ...
dword_6BEF18	dd ?			; DATA XREF: PspUnlockWorkingSetChangeExclusiveUnsafe()+Bo
					; PspUnlockWorkingSetChangeExclusiveUnsafe()+29o ...
		align 10h
_TtmpSessionLock db    ? ;		; DATA XREF: TtmInit:loc_8B4F1Do
					; TtmNotifyDeviceArrival(x,x,x,x,x,x)+20Do ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SshpWnfSubscriptionInitialized	db ?	; DATA XREF: SshpSubscribeCallbacks()+3Fw
					; SshpUnsubscribeCallbacks():loc_AEF9EDr ...
		align 4
_SshpPowerSettingHandle	dd ?		; DATA XREF: SSHSupportRegisterPowerSettingCallback(x,x,x,x,x)o
					; SSHSupportUnregisterPowerSettingCallback(x)+7r
_SshpIdleResiliencyEngaged db ?		; DATA XREF: SshpPowerSettingCallback(x,x,x,x)+25r
					; SshpPowerSettingCallback(x,x,x,x)+39w
		align 4
_SshpWnfSubscription dd	?		; DATA XREF: SshpSubscribeCallbacks()+2Ao
					; SshpUnsubscribeCallbacks()+21r
_SshpPowerSettingHandleInitialized db ?	; DATA XREF: SshpSubscribeCallbacks()+15w
					; SshpUnsubscribeCallbacks()+3r ...
		align 10h
; void SshpSessionGuid
_SshpSessionGuid db    ? ;		; DATA XREF: SshpWriteBlocker(x,x,x)+DCo
					; SshpSendSessionData()+FFo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SshpSessionId	dd ?			; DATA XREF: SshpWriteBlocker(x,x,x)+119r
					; SshpWriteBlocker(x,x,x)+1B1o	...
dword_6BEF84	dd ?			; DATA XREF: SshpWriteBlocker(x,x,x)+26Cr
					; SshpWnfCallback(x,x,x,x,x,x)+7Aw ...
_SshpSessionStartTime dd ?		; DATA XREF: SshpSendSessionData()+51r
					; SshpWnfCallback(x,x,x,x,x,x)+88w
dword_6BEF8C	dd ?			; DATA XREF: SshpSendSessionData()+5Fr
					; SshpWnfCallback(x,x,x,x,x,x)+8Dw
_SshpSessionThresholdHns dd ?		; DATA XREF: SshpWriteBlocker(x,x,x)+206r
					; SshpQueryRegistryValues()+46w
dword_6BEF94	dd ?			; DATA XREF: SshpWriteBlocker(x,x,x):loc_65E082r
					; SshpQueryRegistryValues()+3Fw
_SshpLibraryList dd ?			; DATA XREF: SleepstudyHelperCreateLibrary+6Bo
					; SshpSendSessionData()+59r ...
dword_6BEF9C	dd ?			; DATA XREF: SleepstudyHelperCreateLibrary+66r
					; SleepstudyHelperCreateLibrary+80w ...
_SshpTraceHandleRegistered db ?		; DATA XREF: SshpWriteBlocker(x,x,x)+F7r
					; SshpFlushBlockerDataCache(x)+2Dr ...
		align 8
_SshpTraceHandle dd ?			; DATA XREF: SshpWriteBlocker(x,x,x)+196r
					; SSHSupportEtwWrite(x,x,x,x,x,x)+10r ...
dword_6BEFAC	dd ?			; DATA XREF: SshpWriteBlocker(x,x,x)+18Dr
					; SSHSupportEtwWrite(x,x,x,x,x,x)+8r ...
_SshpLibraryListLock db	   ? ;		; DATA XREF: SleepstudyHelperCreateLibrary+3Do
					; SleepstudyHelperCreateLibrary+76o ...
		db    ?	;
		db    ?	;
		db    ?	;
_SshpActiveThresholdPercent dd ?	; DATA XREF: SshpWriteBlocker(x,x,x):loc_65E09Cr
					; SshpQueryRegistryValues()+2Ew
_SshpTelemetryHandleRegistered db ?	; DATA XREF: SshpWriteBlocker(x,x,x):loc_65E0B4r
					; SshInitialize+96w ...
_SshpInitialized db ?			; DATA XREF: SleepstudyHelperCreateLibrary+12r
					; SshInitialize+52w ...
		align 10h
_SshpBlockerCollections	db    ?	;	; DATA XREF: SleepstudyHelperBuildBlocker+12Do
					; SshpSendSessionData()+1B6o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BEFC8	db    ?	;		; DATA XREF: SshInitialize+24o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BEFD0	db    ?	;		; DATA XREF: SshSetPdcPhaseActive:loc_939196o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BEFE0	db    ?	;		; DATA XREF: SshSetPdcPhaseActive:loc_93918Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BEFF0	db    ?	;		; DATA XREF: SshSetPdcPhaseActive:loc_939182o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BF000	db    ?	;		; DATA XREF: SshSetPdcPhaseActive:loc_939178o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BF010	db    ?	;		; DATA XREF: SshSetPdcPhaseActive:loc_93916Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BF020	db    ?	;		; DATA XREF: SshSetPdcPhaseActive:loc_939164o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopSleepstudySessionContext db	?	; DATA XREF: PopSleepstudyStartNextSession+A6CC2r
					; PopSleepstudyStartNextSession+A6D1Ew	...
		align 8
unk_6BF048	db    ?	;		; DATA XREF: PopSleepstudyStartNextSession+A6D09o
					; PopSleepstudyInitialize()+38o
		db    ?	;
word_6BF04A	dw ?			; DATA XREF: PopSleepstudyInitialize()+5Ew
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BF0A0	dd ?			; DATA XREF: PopSleepstudyScenarioStopTimerCallback(x,x)+2o
					; PopSleepstudyInitialize()+58w
		align 8
dword_6BF0A8	dd ?			; DATA XREF: PopSleepstudyInitialize()+48w
dword_6BF0AC	dd ?			; DATA XREF: PopSleepstudyInitialize()+52w
dword_6BF0B0	dd ?			; DATA XREF: PopSleepstudyStartNextSession+77r
					; PopSleepstudyStartNextSession+8Fw ...
		align 8
dword_6BF0B8	dd ?			; DATA XREF: PopSleepstudyStartNextSession+7Fo
					; PopSleepstudyStartNextSession+97r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BF100	dd ?			; DATA XREF: PopSleepstudySnapModernStandbySessionData()+4Dw
dword_6BF104	dd ?			; DATA XREF: PopSleepstudySnapModernStandbySessionData()+56w
dword_6BF108	dd ?			; DATA XREF: PopSleepstudySnapModernStandbySessionData()+5Fw
dword_6BF10C	dd ?			; DATA XREF: PopSleepstudySnapModernStandbySessionData()+68w
dword_6BF110	dd ?			; DATA XREF: PopSleepstudySnapModernStandbySessionData()+77w
dword_6BF114	dd ?			; DATA XREF: PopSleepstudySnapModernStandbySessionData()+7Dw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopSleepstudySessionLock dd ?		; DATA XREF: PopSleepstudyStartNextSession+62o
					; PopSleepstudyStartNextSession+1D6o ...
dword_6BF3BC	dd ?			; DATA XREF: PopSleepstudyStartNextSession+72w
					; PopSleepstudyStartNextSession:loc_85BB42r ...
_PpmCachedSystemAllowedCpuSet db    ? ;	; DATA XREF: PpmParkSteerInterrupts+B3o
					; PpmCheckContinueExecution+15o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BF3C8	dd ?			; DATA XREF: PpmParkSteerInterrupts+BFr
					; PpmCheckContinueExecution+2Cr ...
		align 10h
_PpmCachedSystemAllowedCpuSetVersion db	   ? ; ; DATA XREF: PpmParkSteerInterrupts+AEo
					; PpmCheckContinueExecution+Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmIntSteerTrigger dd ?		; DATA XREF: PpmParkSteerInterrupts+89r
					; PpmParkSteerInterrupts+147r ...
		align 10h
_PopDirectedDripsUmLock	dd ?		; DATA XREF: PopDirectedDripsUmInitialize()+15w
					; PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+7Eo ...
dword_6BF3E4	dd ?			; DATA XREF: PopDirectedDripsUmInitialize()+1Bw
					; PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+95w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PopDirectedDripsUmTestDeviceTable
_PopDirectedDripsUmTestDeviceTable db	 ? ; ; DATA XREF: PopDirectedDripsUmInitialize()+21o
					; PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+A2o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopDirectedDripsUmTestDeviceCount dd ?	; DATA XREF: PopDirectedDripsUmInitialize()+26w
					; PopDirectedDripsUmDirectedFxAddTestDevice(x,x):loc_9BD4A8w ...
_PopDirectedDripsUmTestPermissive db ?	; DATA XREF: PopDirectedDripsUmInitialize()+31w
					; PopDirectedDripsUmDirectedFxSetMode(x,x)+3Dw	...
		align 10h
; void PowerRequestStatsDatabase
_PowerRequestStatsDatabase db	 ? ;	; DATA XREF: PopAvlFindOrMakeStatsForPowerRequest+54o
					; PopAvlDeleteStatsForPowerRequest(x)+2Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void ExecutionRequiredStopWatchCollection
_ExecutionRequiredStopWatchCollection dd ?
					; DATA XREF: PopStatsNotifyPowerRequestBlocking(x)+35o
					; PopStatsNotifyPowerRequestBlocking(x)+8Fo ...
dword_6BF484	dd ?			; DATA XREF: PopStatsInitPowerRequestLibrary()+23w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PowerReqestStatsLock dd ?		; DATA XREF: PopStatsMarkPowerRequestActive(x,x)+1Fo
					; PopStatsMarkPowerRequestInactive(x,x)+1Fo ...
dword_6BF4B4	dd ?			; DATA XREF: PopStatsMarkPowerRequestActive(x,x)+33w
					; PopStatsMarkPowerRequestActive(x,x)+64r ...
_PopPowerPlane	dd ?			; DATA XREF: PopPlRegisterComponent+15r
					; PopPlRegisterDevice+18r ...
		align 10h
_PopDirectedDripsDiagEmptyString db    ? ;
					; DATA XREF: PopDirectedDripsDiagExtractDeviceDescription(x,x,x,x,x,x,x)+9o
					; PopDirectedDripsDiagInitialize(x)+Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopDirectedDripsDiagTraceHandleRegistered db ?
					; DATA XREF: PopDirectedDripsDiagNotifySessionStop(x,x,x)+6Dr
					; PopDirectedDripsDiagInitialize(x)+6Cw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopDirectedDripsDiagEventData dd ?	; DATA XREF: PopDirectedDripsDiagRundownDevices()+4D6w
					; PopDirectedDripsDiagRundownDevices()+657o ...
dword_6BF4E4	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+4DDw
					; PopDirectedDripsDiagRundownDevices()+7D9w
dword_6BF4E8	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+4EBw
					; PopDirectedDripsDiagRundownDevices()+7E5w
dword_6BF4EC	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+4F5w
					; PopDirectedDripsDiagRundownDevices()+7EFw
dword_6BF4F0	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+4E6w
					; PopDirectedDripsDiagRundownDevices()+7D3w
dword_6BF4F4	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+4FBw
					; PopDirectedDripsDiagRundownDevices()+7F5w
dword_6BF4F8	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+50Aw
					; PopDirectedDripsDiagRundownDevices()+7FBw
dword_6BF4FC	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+501w
					; PopDirectedDripsDiagRundownDevices()+805w
dword_6BF500	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+521w
dword_6BF504	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+526w
dword_6BF508	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+52Cw
dword_6BF50C	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+532w
					; PopDirectedDripsDiagRundownDevices()+6F4o
dword_6BF510	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+544w
dword_6BF514	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+550w
dword_6BF518	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+54Bw
dword_6BF51C	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+556w
dword_6BF520	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+56Dw
dword_6BF524	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+572w
dword_6BF528	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+578w
dword_6BF52C	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+582w
dword_6BF530	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+594w
					; PopDirectedDripsDiagRundownDevices()+7CEo
dword_6BF534	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+5A0w
dword_6BF538	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+59Bw
dword_6BF53C	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+5A6w
dword_6BF540	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+5BDw
dword_6BF544	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+5C2w
dword_6BF548	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+5C8w
dword_6BF54C	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+5D2w
dword_6BF550	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+5E4w
dword_6BF554	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+5F0w
dword_6BF558	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+5EBw
dword_6BF55C	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+5F6w
dword_6BF560	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+60Dw
dword_6BF564	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+612w
dword_6BF568	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+618w
dword_6BF56C	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+622w
dword_6BF570	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+62Ew
dword_6BF574	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+63Dw
dword_6BF578	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+635w
dword_6BF57C	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+643w
dword_6BF580	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+649w
dword_6BF584	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+64Ew
dword_6BF588	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+662w
dword_6BF58C	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+684w
dword_6BF590	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+668w
dword_6BF594	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+68Aw
dword_6BF598	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+690w
dword_6BF59C	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+696w
dword_6BF5A0	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+67Cw
dword_6BF5A4	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+69Cw
dword_6BF5A8	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+6A2w
dword_6BF5AC	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+6A8w
dword_6BF5B0	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+6AEw
dword_6BF5B4	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+6B3w
dword_6BF5B8	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+6B9w
dword_6BF5BC	dd ?			; DATA XREF: PopDirectedDripsDiagRundownDevices()+6BFw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PopDirectedDripsDiagSessionContext
_PopDirectedDripsDiagSessionContext dd ?
					; DATA XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+52r
					; PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+64o ...
dword_6BF644	dd ?			; DATA XREF: PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+ADr
					; PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+C2w ...
dword_6BF648	dd ?			; DATA XREF: PopDirectedDripsDiagCreateDeviceDiagnostic(x)+50o
					; PopDirectedDripsDiagRundownDevices():loc_9BBBC7r ...
dword_6BF64C	dd ?			; DATA XREF: PopDirectedDripsDiagCreateDeviceDiagnostic(x)+55r
					; PopDirectedDripsDiagCreateDeviceDiagnostic(x)+6Aw ...
dword_6BF650	dd ?			; DATA XREF: PopDirectedDripsDiagNotifySessionStart(x,x,x)+23w
dword_6BF654	dd ?			; DATA XREF: PopDirectedDripsDiagNotifySessionStart(x,x,x)+2Bw
dword_6BF658	dd ?			; DATA XREF: PopDirectedDripsDiagNotifySessionStart(x,x,x)+33w
dword_6BF65C	dd ?			; DATA XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+12o
					; PopDirectedDripsDiagNotifyPnpActionQueueEvent+66o ...
dword_6BF660	dd ?			; DATA XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent:loc_54F4F2w
					; PopDirectedDripsDiagNotifyPnpActionQueueEvent:loc_54F52Ew ...
dword_6BF664	dd ?			; DATA XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+33w
					; PopDirectedDripsDiagNotifyPnpActionQueueEvent:loc_54F551w ...
dword_6BF668	dd ?			; DATA XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+4Cw
					; PopDirectedDripsDiagNotifyPnpActionQueueEvent:loc_54F537w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BF6D0	db ?			; DATA XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+39r
					; PopDirectedDripsDiagNotifyPnpActionQueueEvent+53r ...
		align 8
dword_6BF6D8	dd ?			; DATA XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+8E588w
					; PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)+6Aw ...
dword_6BF6DC	dd ?			; DATA XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+8E594w
					; PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)+76w ...
dword_6BF6E0	dd ?			; DATA XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent:loc_5DDA22r
					; PopDirectedDripsDiagNotifyPnpActionQueueEvent+8E57Cw	...
dword_6BF6E4	dd ?			; DATA XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+8E582r
					; PopDirectedDripsDiagNotifyPnpActionQueueEvent+8E58Ew	...
dword_6BF6E8	dd ?			; DATA XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent:loc_5DD9E7r
					; PopDirectedDripsDiagNotifyPnpActionQueueEvent+8E555w	...
dword_6BF6EC	dd ?			; DATA XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+8E541r
					; PopDirectedDripsDiagNotifyPnpActionQueueEvent+8E55Bw	...
; void dword_6BF6F0
dword_6BF6F0	dd ?			; DATA XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+8E547w
					; PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)+36w ...
dword_6BF6F4	dd ?			; DATA XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent+8E54Ew
					; PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)+3Dw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void dword_6BF7C0
dword_6BF7C0	dd ?			; DATA XREF: PopDirectedDripsDiagNotifyPnpActionQueueEvent:loc_5DDA4Bw
					; PopDirectedDripsDiagPnpActionQueueAccountingUpdateUnsafe(x,x)+82w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BF828	dd ?			; DATA XREF: PopDirectedDripsDiagCreateDeviceDiagnostic(x)+2Br
					; PopDirectedDripsDiagCreateDeviceDiagnostic(x)+37w ...
dword_6BF82C	dd ?			; DATA XREF: PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+49r
					; PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+51w ...
dword_6BF830	dd ?			; DATA XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+B1r
					; PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+D9r ...
		align 8
_PopDirectedDripsDiagLock dd ?		; DATA XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+3Fo
					; PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+14Do	...
_PopFxAcpiPepRegistered	db ?		; DATA XREF: PoFxPlatformRequestHandler+24r
					; PopFxRegisterPluginEx(x,x,x,x)+3C3w
		align 10h
_PopFxPlatformInterface	dd ?		; DATA XREF: PopFxAcpiForwardPepAcpiNotifyRequest(x,x)+43r
					; PopFxAcpiForwardPepWorkRequest(x,x)+52r ...
dword_6BF844	dd ?			; DATA XREF: PopFxAcpiForwardPepAcpiNotifyRequest(x,x):loc_65BA87r
					; PopFxAcpiForwardPepWorkRequest(x,x):loc_65BB00r ...
unk_6BF848	db    ?	;		; DATA XREF: PopFxPlatformRegisterInterface(x,x)+1Do
		db    ?	;
		db    ?	;
		db    ?	;
_PpmIsParkingEnabled dd	?		; DATA XREF: PpmParkReportUnparkedCores+12r
					; PpmParkReportParkedCores+2Dr	...
_PpmParkGranularity db ?		; DATA XREF: PpmParkRegisterParking+14Cw
					; PpmParkRegisterParking+1FBw ...
		align 4
_PpmParkHistograms dd ?			; DATA XREF: PpmParkRegisterParking+6Br
					; PpmParkRegisterParking+A0w ...
_PpmParkCoreMask db ?			; DATA XREF: PpmParkRegisterParking+159w
					; PpmParkRegisterParking:loc_5737B0r ...
_PpmParkUnparkCores db ?		; DATA XREF: PpmParkRegisterParking+15Fw
					; PpmParkCalculateUnparkCount+129CF7r
		align 4
_PpmParkNumNodes dd ?			; DATA XREF: PpmParkSnapNodeStatistics+Dr
					; PpmParkSnapNodeStatistics+49r ...
_PpmParkNodes	dd ?			; DATA XREF: PpmParkSnapNodeStatistics+1Fr
					; PpmParkDistributeAllUtility():loc_4862CEr ...
_PpmProfileCount db ?			; DATA XREF: PpmSetProfilePolicySetting:loc_766ED6r
					; PpmSetProfilePolicySetting+29Fr ...
		align 4
_PpmProfiles	dd ?			; DATA XREF: PpmSetProfilePolicySetting:loc_766EEBr
					; PpmRegisterProfiles+19Cw ...
_PpmProfileStatus dd ?			; DATA XREF: PpmRegisterProfiles+1EFw
					; PdcPoPpmResetProfile(x,x)+5r	...
_PpmLowPowerProfile dd ?		; DATA XREF: PpmPerfSelectProcessorState+75r
					; PpmMediaBufferingWorker+9Ar ...
_PpmEntryLevelPerfProfile dd ?		; DATA XREF: PpmPerfCalculateQosClassPolicies:loc_561789r
					; PopInitializeHeteroProcessors(x)+23r	...
_PpmBackgroundProfile dd ?		; DATA XREF: PpmPerfCalculateQosClassPolicies:loc_56192Fr
					; PopInitializeHeteroProcessors(x)+10r	...
_PpmMultimediaQosProfile dd ?		; DATA XREF: PpmPerfCalculateQosClassPolicies+76r
					; PpmPerfCalculateQosClassPolicies+21Cr ...
_PpmDefaultProfile dd ?			; DATA XREF: .data:_PpmCurrentProfileo
					; PpmSetProfilePolicySetting+201o ...
byte_6BF884	db ?			; DATA XREF: PpmSetProfilePolicySetting+1E8r
		align 4
unk_6BF888	db    ?	;		; DATA XREF: PpmInitPolicyConfiguration()+67o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BF898	dd ?			; DATA XREF: PpmInitPolicyConfiguration()+76w
		align 10h
dword_6BF8A0	dd ?			; DATA XREF: PpmResetProfileSettings(x)+6o
					; PpmPerfSelectProcessorState+12A39Cr ...
dword_6BF8A4	dd ?			; DATA XREF: PpmSetProfilePolicySetting+170w
					; PpmInitPolicyConfiguration()+3Aw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BF8B4	dd ?			; DATA XREF: PpmPerfInitialize+1Cw
byte_6BF8B8	db ?			; DATA XREF: PpmPerfInitialize:loc_AD5D51w
		align 2
byte_6BF8BA	db ?			; DATA XREF: PpmPerfInitialize+53w
		align 4
byte_6BF8BC	db ?			; DATA XREF: PpmPerfInitialize+5Fw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BF8C6	db ?			; DATA XREF: PpmPerfInitialize+45w
		align 4
byte_6BF8C8	db ?			; DATA XREF: PpmPerfInitialize+37w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BF8D4	dd ?			; DATA XREF: PpmPerfInitialize+75w
dword_6BF8D8	dd ?			; DATA XREF: PpmPerfInitialize+87w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BF919	db ?			; DATA XREF: PpmInitCoreParkingPolicy()+20w
		align 4
word_6BF91C	dw ?			; DATA XREF: PpmInitCoreParkingPolicy()+57w
byte_6BF91E	db ?			; DATA XREF: PpmInitCoreParkingPolicy()+69w
		align 10h
word_6BF920	dw ?			; DATA XREF: PpmInitCoreParkingPolicy()+34w
		align 4
dword_6BF924	dd ?			; DATA XREF: PpmInitCoreParkingPolicy()+4Dw
dword_6BF928	dd ?			; DATA XREF: PpmInitCoreParkingPolicy()+43w
byte_6BF92C	db ?			; DATA XREF: PpmInitCoreParkingPolicy()+2w
		align 2
byte_6BF92E	db ?			; DATA XREF: PpmInitCoreParkingPolicy():loc_ADB6B4w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
word_6BF934	dw ?			; DATA XREF: PpmInitIdlePolicy+48w
		align 4
dword_6BF938	dd ?			; DATA XREF: PpmInitIdlePolicy+19w
byte_6BF93C	db ?			; DATA XREF: PpmInitIdlePolicy+5Fw
word_6BF93D	dw ?			; DATA XREF: PpmInitIdlePolicy+Dw
byte_6BF93F	db ?			; DATA XREF: PpmInitHeteroPolicy()+43w
		db    ?	;
byte_6BF941	db ?			; DATA XREF: PpmInitHeteroPolicy()+2Ew
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BF961	db ?			; DATA XREF: PpmInitHeteroPolicy()+19w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
word_6BF981	dw ?			; DATA XREF: PpmInitHeteroPolicy()+51w
		align 4
dword_6BF984	dd ?			; DATA XREF: PpmInitHeteroPolicy()+6Dw
dword_6BF988	dd ?			; DATA XREF: PpmInitHeteroPolicy()+63w
		align 10h
dword_6BF990	dd ?			; DATA XREF: PpmResetProfileSettings(x)+1Bo
					; PpmInitPolicyConfiguration()+40w
dword_6BF994	dd ?			; DATA XREF: PpmInitPolicyConfiguration()+46w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BF9A4	dd ?			; DATA XREF: PpmPerfInitialize+21w
byte_6BF9A8	db ?			; DATA XREF: PpmPerfInitialize+30w
		align 2
byte_6BF9AA	db ?			; DATA XREF: PpmPerfInitialize+59w
		align 4
byte_6BF9AC	db ?			; DATA XREF: PpmPerfInitialize+65w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BF9B6	db ?			; DATA XREF: PpmPerfInitialize+4Cw
		align 4
byte_6BF9B8	db ?			; DATA XREF: PpmPerfInitialize+3Ew
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BF9C4	dd ?			; DATA XREF: PpmPerfInitialize+7Bw
dword_6BF9C8	dd ?			; DATA XREF: PpmPerfInitialize+8Dw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BFA09	db ?			; DATA XREF: PpmInitCoreParkingPolicy()+26w
		align 4
word_6BFA0C	dw ?			; DATA XREF: PpmInitCoreParkingPolicy()+60w
byte_6BFA0E	db ?			; DATA XREF: PpmInitCoreParkingPolicy()+70w
		align 10h
word_6BFA10	dw ?			; DATA XREF: PpmInitCoreParkingPolicy()+3Cw
		align 4
dword_6BFA14	dd ?			; DATA XREF: PpmInitCoreParkingPolicy()+52w
dword_6BFA18	dd ?			; DATA XREF: PpmInitCoreParkingPolicy()+48w
byte_6BFA1C	db ?			; DATA XREF: PpmInitCoreParkingPolicy()+9w
		align 2
byte_6BFA1E	db ?			; DATA XREF: PpmInitCoreParkingPolicy()+19w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
word_6BFA24	dw ?			; DATA XREF: PpmInitIdlePolicy+4Fw
		align 4
dword_6BFA28	dd ?			; DATA XREF: PpmInitIdlePolicy+27w
byte_6BFA2C	db ?			; DATA XREF: PpmInitIdlePolicy+66w
word_6BFA2D	dw ?			; DATA XREF: PpmInitIdlePolicy+56w
byte_6BFA2F	db ?			; DATA XREF: PpmInitHeteroPolicy()+4Aw
		db    ?	;
byte_6BFA31	db ?			; DATA XREF: PpmInitHeteroPolicy()+34w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BFA51	db ?			; DATA XREF: PpmInitHeteroPolicy()+1Fw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
word_6BFA71	dw ?			; DATA XREF: PpmInitHeteroPolicy()+5Aw
		align 4
dword_6BFA74	dd ?			; DATA XREF: PpmInitHeteroPolicy()+72w
dword_6BFA78	dd ?			; DATA XREF: PpmInitHeteroPolicy()+68w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BFA98	dd ?			; DATA XREF: PpmInitPolicyConfiguration()+54w
dword_6BFA9C	dd ?			; DATA XREF: PpmInitPolicyConfiguration()+60w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopCadLoadReason db	? ;		; DATA XREF: PopCadTriggerDriverLoad(x)+10o
		db    ?	;
		db    ?	;
		db    ?	;
_PopIdleAoAcDozeS4Lock dd ?		; DATA XREF: PopGetDozeTimerSource+10o
					; PopIdleCancelAoAcDozeS4Timer+13o ...
_PopIdleAoAcDozeS4WorkItem dd ?		; DATA XREF: PopIdleAoAcDozeS4TimerCallback(x,x)+65o
					; PopIdleInitAoAcDozeS4Timer()+4Fw
		align 8
dword_6BFAB8	dd ?			; DATA XREF: PopIdleInitAoAcDozeS4Timer()+3Fw
dword_6BFABC	dd ?			; DATA XREF: PopIdleInitAoAcDozeS4Timer()+49w
_PopIdleAoAcDozeS4Timer	db    ?	;	; DATA XREF: sub_5E6C7E+1o
					; PopIdleArmAoAcDozeS4Timer()+89o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPreSleepNotifyWorkItem dd ?		; DATA XREF: PopCheckForIdleness(x,x,x,x)+164o
					; PopInitializePreSleepNotifications+2Cw ...
		align 8
dword_6BFB28	dd ?			; DATA XREF: PopInitializePreSleepNotifications+33w
dword_6BFB2C	dd ?			; DATA XREF: PopInitializePreSleepNotifications+25w
unk_6BFB30	db    ?	;		; DATA XREF: PopInitializePreSleepNotifications+1Co
		db    ?	;
		db    ?	;
		db    ?	;
_PopIsAboutToSleep db ?			; DATA XREF: PopResetIdleTime(x)+1Dw
					; PopCheckForIdleness(x,x,x,x)+151r ...
		align 4
_PopPreSleepWnfPayload dd ?		; DATA XREF: PopPreSleepNotifyWorker(x)w
					; PopPreSleepNotifyWorker(x)+Eo
dword_6BFB3C	dd ?			; DATA XREF: PopInitializePreSleepNotifications:loc_8B6127w
_PopAdaptiveLockConsoleTimeout dd ?	; DATA XREF: PopAdaptivePowerSettingCallback+7Bw
					; PopDiagTracePolicyChange+12r	...
_PopDisplayTimeout dd ?			; DATA XREF: PopGetDisplayTimeout(x)+19r
					; PopAdaptivePowerSettingCallback+AFw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopLazyContext	db ?			; DATA XREF: PopReleaseAdaptiveLock+2Cr
					; PopReleaseAdaptiveLock+E5640o ...
		align 4
dword_6BFB64	dd ?			; DATA XREF: PopAcquireAdaptiveLock+E56A1w
dword_6BFB68	dd ?			; DATA XREF: PopAdaptivePowerSettingCallback+A1435w
					; PopCheckConsoleTimeouts()+7Ew ...
dword_6BFB6C	dd ?			; DATA XREF: PopActiveLockScreenPowerRequest(x,x,x)+6Fw
					; PopCheckConsoleTimeouts()+F1w ...
word_6BFB70	dw ?			; DATA XREF: PopCheckConsoleTimeouts()+84w
					; PopLazySensorActiveInput(x,x)+DAw ...
byte_6BFB72	db ?			; DATA XREF: PopLazySensorActiveInput(x,x)+17w
byte_6BFB73	db ?			; DATA XREF: PopAdaptivePowerSettingCallback:loc_927ED6w
dword_6BFB74	dd ?			; DATA XREF: PopLazySensorActiveInput(x,x)+29w
_PopConsoleSession db ?			; DATA XREF: PopSessionConnected(x,x,x)+2Dw
					; PopAdaptivePowerSettingCallback+21r
		align 10h
_PopConnectionBitmap dd	?		; DATA XREF: PopEvaluateGlobalUserStatus+24o
					; PopExtendConnectionState+53w
dword_6BFB84	dd ?			; DATA XREF: PopSetGlobalUserStatus(x,x)+1Fr
					; PopExtendConnectionState+58w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopConsoleContext dd ?			; DATA XREF: PopSessionInputChange(x,x,x):loc_840F83r
					; PopSessionInputChange(x,x,x)+45r ...
dword_6BFBA4	dd ?			; DATA XREF: PopUpdateTimeouts(x,x,x)+B0w
					; PopCheckConsoleTimeouts():loc_9B9880r ...
dword_6BFBA8	dd ?			; DATA XREF: PopUpdateTimeouts(x,x,x)+B8w
					; PopCheckConsoleTimeouts()+5Dr ...
dword_6BFBAC	dd ?			; DATA XREF: PopConsoleSessionPassiveInput(x,x,x)+3Fr
					; PopUpdateTimeouts(x,x,x)+9Dw	...
dword_6BFBB0	dd ?			; DATA XREF: PopUpdateTimeouts(x,x,x)+A5w
					; PopCheckConsoleTimeouts():loc_9B98DDr ...
byte_6BFBB4	db ?			; DATA XREF: PopActiveLockScreenPowerRequest(x,x,x)+35r
					; PopSessionWinlogonNotification(x,x)+77w ...
byte_6BFBB5	db ?			; DATA XREF: PopActiveLockScreenPowerRequest(x,x,x)+22w
					; PopActiveLockScreenPowerRequest(x,x,x):loc_9B97F6w ...
byte_6BFBB6	db ?			; DATA XREF: PopGetLockConsoleTimeout+3r
					; PopActiveLockScreenPowerRequest(x,x,x)+3Dw ...
		align 4
dword_6BFBB8	dd ?			; DATA XREF: PopConsoleSessionPassiveInput(x,x,x)+2Ew
					; PopConsoleSessionActiveInput(x,x,x)+51w ...
dword_6BFBBC	dd ?			; DATA XREF: PopUpdateTimeouts(x,x,x)+118w
					; PopCheckConsoleTimeouts()+ACr
dword_6BFBC0	dd ?			; DATA XREF: PopSetSessionUserStatus(x,x)+1Aw
					; PopSessionDisconnected(x,x)+37w ...
byte_6BFBC4	db ?			; DATA XREF: PopConsoleSessionPassiveInput(x,x,x)+1Ew
					; PopConsoleSessionActiveInput(x,x,x)+46w ...
		align 4
_PopConnectionState dd ?		; DATA XREF: PopExtendConnectionState+32r
					; PopExtendConnectionState+45w	...
_PopMaximumConnectionSessions dd ?	; DATA XREF: PopSetGlobalUserStatus(x,x)+3r
					; PopSetGlobalUserStatus(x,x):loc_8414B0r ...
_PopInputTimeout dd ?			; DATA XREF: PopSessionInputChange(x,x,x)+C6r
					; PopSessionConnected(x,x,x)+C9r ...
		align 10h
_PopAdpmLock	db    ?	;		; DATA XREF: PopReleaseAdaptiveLock:loc_84106Eo
					; PopAcquireAdaptiveLock+3Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopUserPresentOverrideCount dd	?	; DATA XREF: PopEvaluateGlobalUserStatus+Cr
					; PopUserPresentOverride(x)+13r ...
_PopIdleWakeContext dd ?		; DATA XREF: PopIdleWakeNotifyDevicesActive(x)+28r
					; PopIdleWakeNotifyIdleResiliencyState(x)+2Fr ...
_PopIdleWakeContextLock	dd ?		; DATA XREF: PopIdleWakeNotifyDevicesActive(x)+1Ao
					; PopIdleWakeNotifyDevicesActive(x)+80o ...
		align 8
_PopIdleWakeSourceSpuriousThresholdQpc dd ?
					; DATA XREF: PopIdleWakeNotifyIdleResiliencyState(x)+A2r
					; PopIdleWakeInitialize()+2Fw
dword_6BFC2C	dd ?			; DATA XREF: PopIdleWakeNotifyIdleResiliencyState(x)+98r
					; PopIdleWakeInitialize()+20w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopIdleWakeIdleAccountingBucketLimitsQpc db	? ;
					; DATA XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x):loc_65A923o
					; PopIdleWakeInitialize()+85o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BFC88	dd ?			; DATA XREF: PopIdleWakeInitialize()+92w
dword_6BFC8C	dd ?			; DATA XREF: PopIdleWakeInitialize()+9Ew
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopIdleWakePeriodAccountingBucketLimitsQpc db	  ? ;
					; DATA XREF: PopIdleWakeStopActiveIntervalAccounting(x,x,x)+109o
					; PopIdleWakeInitialize()+A7o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BFCF8	dd ?			; DATA XREF: PopIdleWakeInitialize()+B4w
dword_6BFCFC	dd ?			; DATA XREF: PopIdleWakeInitialize()+BBw
_PpmEtwHandle	dd ?			; DATA XREF: PpmCheckStart+53r
					; PpmPerfSnapDeliveredPerformance+25Fr	...
dword_6BFD04	dd ?			; DATA XREF: PpmCheckStart+4Dr
					; PpmPerfSnapDeliveredPerformance+3FDr	...
_PopErrataDisablePrimaryDeviceFastResume db ? ;	DATA XREF: PopSystemIrpCompletion+15r
					; PoFxRegisterPrimaryDevice(x,x,x)+A5r	...
_PopErrataSkipMemoryOverwriteRequestControlLockAction db ?
					; DATA XREF: PopSetMemoryOverwriteRequestAction(x,x)+16r
					; PopReadErrataSkipMemoryOverwriteRequestControlLockAction()+1Ew ...
		align 4
_PopWatchdogLock dd ?			; DATA XREF: PopSetWatchdog+36o
					; PopSetWatchdog+A6o ...
_PopWatchdogList dd ?			; DATA XREF: PopSetWatchdog+1DFr
					; PopSetWatchdog+1E4o ...
dword_6BFD14	dd ?			; DATA XREF: PopWatchdogInit()+Aw
_PopEsWnfSubscriptionOverride db    ? ;	; DATA XREF: PopEsWorker+1B8o
		db    ?	;
		db    ?	;
		db    ?	;
; int PopEsWnfSubscriptionOpportunisticCs
_PopEsWnfSubscriptionOpportunisticCs dd	? ; DATA XREF: PopEsInStandbyEvaluate()+61r
					; PopEsInit+230F9o
_PopEsEnabledOnHost db ?		; DATA XREF: PopEsEvaluateNextState:loc_86E197r
					; PopEsHostStateChange(x)+2Bw
		align 8
_PopEsLock	dd ?			; DATA XREF: PopEsEnterSleepShutdown()+2Ao
					; PopEsExitSleep()+Fo ...
dword_6BFD2C	dd ?			; DATA XREF: PopEsEnterSleepShutdown()+41w
					; PopEsEnterSleepShutdown()+57r ...
_PopAlpcMonitorServerPort dd ?		; DATA XREF: SmProcessConfigRequest+1A0r
					; SmProcessConfigRequest+84524r ...
_PopAlpcMonitorClientPort dd ?		; DATA XREF: SmProcessConfigRequest:loc_936F48o
					; SmProcessConfigRequest+844C3r ...
_PopAlpcServerPort dd ?			; DATA XREF: PopUmpoProcessMessages+86r
					; PopUmpoProcessMessage+D0r ...
_PopUmpoAlpcClientConnected db ?	; DATA XREF: PopUmpoProcessMessage+B3r
					; PopUmpoProcessMessage+EAw ...
		align 10h
_PopAlpcClientPort dd ?			; DATA XREF: PopUmpoSendPowerMessage+3Fr
					; PopUmpoSendPowerMessage+92r ...
_PopUmpoPushLock dd ?			; DATA XREF: PopReleaseUmpoPushLock()+2o
					; PopAcquireUmpoPushLock(x)+12o ...
_PopBlackBoxLock dd ?			; DATA XREF: PopBlackBoxUpdate+50o
					; PopBlackBoxUpdate:loc_7660A8o ...
_PopBootStatLock dd ?			; DATA XREF: PopBootStatSet+53o
					; PopBootStatSet+11Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PopPowerButtonTriageBlock
_PopPowerButtonTriageBlock dd ?		; DATA XREF: PopPowerButtonWorkCallback(x)+1F0o
					; PopInitializePowerButtonHold(x)+117o	...
dword_6BFD64	dd ?			; DATA XREF: PopUpdatePowerButtonHoldState(x)+1Fr
					; PopUpdatePowerButtonHoldState(x)+69w	...
dword_6BFD68	dd ?			; DATA XREF: PopUpdatePowerButtonHoldState(x)+27r
					; PopUpdatePowerButtonHoldState(x)+50w	...
		align 10h
dword_6BFD70	dd ?			; DATA XREF: PopUpdatePowerButtonHoldState(x)+42w
					; PopUpdatePowerButtonHoldState(x)+5Cw	...
dword_6BFD74	dd ?			; DATA XREF: PopUpdatePowerButtonHoldState(x)+49w
					; PopUpdatePowerButtonHoldState(x)+62w	...
dword_6BFD78	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+37r
					; PopRecordPhysicalPowerButton(x)+F9w ...
dword_6BFD7C	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+3Dr
					; PopRecordPhysicalPowerButton(x)+135w	...
dword_6BFD80	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+9Fw
					; PopRecordPhysicalPowerButton(x)+129w	...
dword_6BFD84	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+F3w
					; PopRecordPhysicalPowerButton(x)+12Fw	...
dword_6BFD88	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+B1w
dword_6BFD8C	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+B9w
dword_6BFD90	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+141w
dword_6BFD94	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+147w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6BFDA8	db ?			; DATA XREF: PopPowerButtonWorkCallback(x)+9Bw
					; PopRecordPhysicalPowerButton(x):loc_9A6E54w ...
		align 4
dword_6BFDAC	dd ?			; DATA XREF: PoClearTransitionMarker()+E3w
					; PopRecordLidStateWorker(x)+70w ...
dword_6BFDB0	dd ?			; DATA XREF: PopQueryPowerButtonBugcheckConfiguration+89AE2w
					; PopQueryPowerButtonBugcheckConfiguration:loc_5F47B7w	...
dword_6BFDB4	dd ?			; DATA XREF: PopQueryPowerButtonBugcheckConfiguration+A7w
					; PopQueryPowerButtonBugcheckConfiguration:loc_5F47C6w	...
byte_6BFDB8	db ?			; DATA XREF: PopDiagTracePowerButtonBugcheck(x)+12Fr
					; PopDiagTracePowerButtonBugcheck(x)+2F0r ...
		align 10h
dword_6BFDC0	dd ?			; DATA XREF: PopInitializePowerButtonHold(x)+144w
dword_6BFDC4	dd ?			; DATA XREF: PopInitializePowerButtonHold(x)+14Fw
dword_6BFDC8	dd ?			; DATA XREF: PopInitializePowerButtonHold(x)+155w
		align 10h
_PopAcpiPdttSupportEnabled dd ?		; DATA XREF: PopPowerButtonWorkCallback(x)+145r
					; PoClearTransitionMarker()+13Cw ...
_PopPowerButtonBugcheckConfig dd ?	; DATA XREF: PopPowerButtonBugcheckConfigure+6Aw
					; PopPowerButtonBugcheckConfigure:loc_889348w ...
		align 10h
_PopPowerButtonBugcheckWatchWorkItem dd	? ; DATA XREF: PopPowerButtonBugcheckConfigure+1Co
					; PopInitializePowerButtonHold(x)+D7w
		align 8
dword_6BFDE8	dd ?			; DATA XREF: PopInitializePowerButtonHold(x)+C7w
dword_6BFDEC	dd ?			; DATA XREF: PopInitializePowerButtonHold(x)+D1w
_PopPowerButtonBugcheckLock dd ?	; DATA XREF: PopPowerButtonBugcheckConfigure+45o
					; PopQueryPowerButtonBugcheckEnabled()+19o ...
		align 10h
_PopPowerButtonHold dd ?		; DATA XREF: PopPowerButtonTimerCallback(x,x)+6o
					; PopPowerButtonWorkCallback(x)+2Fo ...
; void unk_6BFE04
unk_6BFE04	db    ?	;		; DATA XREF: PopInitializePowerButtonHold(x)+F5o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BFE08	db    ?	;		; DATA XREF: PopPowerButtonWorkCallback(x)+A9o
					; PopPowerButtonWorkCallback(x)+ECo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BFE60	db    ?	;		; DATA XREF: PopPowerButtonTimerCallback(x,x)+3Co
					; PopUpdatePowerButtonHoldState(x):loc_65825Eo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BFE70	db    ?	;		; DATA XREF: PopPowerButtonWorkCallback(x)+19Bo
		db    ?	;
		db    ?	;
		db    ?	;
dword_6BFE74	dd ?			; DATA XREF: PopPowerButtonTimerCallback(x,x)+12r
					; PopPowerButtonTimerCallback(x,x)+36w	...
dword_6BFE78	dd ?			; DATA XREF: PopPowerButtonTimerCallback(x,x)+1Fr
					; PopPowerButtonWorkCallback(x)+48r ...
dword_6BFE7C	dd ?			; DATA XREF: PopPowerButtonWorkCallback(x)+74r
					; PopPowerButtonWorkCallback(x)+8Fw ...
dword_6BFE80	dd ?			; DATA XREF: PopPowerButtonWorkCallback(x)+80r
					; PopPowerButtonWorkCallback(x)+DAw
dword_6BFE84	dd ?			; DATA XREF: PopPowerButtonWorkCallback(x)+E7w
					; PopPowerButtonWorkCallback(x)+162r
_PopNetBIRequestActive db ?		; DATA XREF: PopDiagTraceCsResiliencyEnter(x,x,x)+87r
					; PopNetCheckOpportunisticDs:loc_90C7A9r ...
		align 4
_PopNetBIServiceSid dd ?		; DATA XREF: PopNetUpdateStandbyRequest(x)+7r
					; PopNetInitialize+103w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopNetEvaluationTimer db    ? ;	; DATA XREF: PopNetArmDsEvaluationTimer()+70o
					; PopNetResiliencyStateChanged(x)+2Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BFEF8	db    ?	;		; DATA XREF: PopNetEvaluationTimerCallback(x,x)+19o
					; PopNetSetConnectivityConstraint+30o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BFF08	db    ?	;		; DATA XREF: PopNetEvaluationWorkerCallback+10Do
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopNetDeferLogRequest db ?		; DATA XREF: PopNetEvaluationWorkerCallback:loc_5FA20Fw
					; PopNetInitialize+22r
		align 4
_PopNetStandbyStateMask	dd ?		; DATA XREF: PopNetSetConnectivityConstraintr
					; PopNetSetConnectivityConstraint+Aw ...
_PopNetResiliencyEngaged db ?		; DATA XREF: PopNetEvaluationWorkerCallback:loc_57B42Dr
					; PopNetEvaluateStateMask:loc_9363FEr ...
		align 4
_PopNetCompliantNicCount dd ?		; DATA XREF: PopNetUpdateCsConsumptionFlags+85672r
					; PopNetCompliantNicUpdate(x)r	...
_PopNetStandbyStatePublished db	?	; DATA XREF: PopNetPublishWnfStateUpdate(x)+33w
					; PopNetInitialize:loc_AE4BE1r
		align 4
_PopNetInLpePhase dd ?			; DATA XREF: PopNetRefreshTimerWorkerCallback(x)+5r
					; PopNetWnfLowPowerEpochCallback(x,x,x,x,x,x)+4Dw ...
_PopNetNonCompliantDeviceCount dd ?	; DATA XREF: PopNetNonCompliantDeviceUpdate(x,x):loc_9B6FE5r
					; PopNetNonCompliantDeviceUpdate(x,x)+1Cw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopNetRefreshTimer db	  ? ;		; DATA XREF: PopNetArmRefreshTimer(x,x,x)+2Fo
					; PopNetWnfLowPowerEpochCallback(x,x,x,x,x,x)+9Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6BFF98	db    ?	;		; DATA XREF: PopNetRefreshTimerCallback(x,x)+19o
					; PopNetRefreshTimerWorkerCallback(x):loc_9B707Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopNetRefreshIntervalActive db	?	; DATA XREF: PopNetDisengageNetworkRefresh()+27w
					; PopNetEngageNetworkRefresh()+27w ...
		align 10h
_PpmWmiIdleAccountingDpc db    ? ;	; DATA XREF: PpmWmiDispatch+893AEo
					; PpmWmiInit()+13o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmWmiIdleAccountingTimer db	 ? ;	; DATA XREF: PpmWmiDispatch+8937Eo
					; PpmWmiDispatch+893BAo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopHeteroLegacyOverride dd ?		; DATA XREF: PopConfigureHeteroPolicies(x,x)+1DAw
					; PopConfigureHeteroPolicies(x,x)+2BEw	...
dword_6C0024	dd ?			; DATA XREF: PopConfigureHeteroPolicies(x,x)+1CCo
					; PopConfigureHeteroPolicies(x,x):loc_8A125Er
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C004C	dd ?			; DATA XREF: PopConfigureHeteroPolicies(x,x)+1EBw
					; PopConfigureHeteroPolicies(x,x):loc_8A1286r
dword_6C0050	dd ?			; DATA XREF: PopConfigureHeteroPolicies(x,x)+1F1w
					; PopConfigureHeteroPolicies(x,x):loc_8A1292r
dword_6C0054	dd ?			; DATA XREF: PopConfigureHeteroPolicies(x,x)+1D3w
					; PopConfigureHeteroPolicies(x,x):loc_8A129Er
		align 10h
_PopIrpThreadList dd ?			; DATA XREF: PopIrpWorker+8Co
					; PopIrpWatchdogBugcheck(x)+96o ...
dword_6C0064	dd ?			; DATA XREF: PopIrpWorker+87r
					; PopIrpWorker+B7w ...
_PopIrpWorkerCount dd ?			; DATA XREF: PopRunMaximumIrpWorkers()+33r
					; PopIrpWorker+97w ...
		align 10h
_PopIrpWorkerControlEvent db	? ;	; DATA XREF: PopIrpWorkerControl+17o
					; PopIrpWorker+85117o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopIrpWorkerMutex dd ?			; DATA XREF: PopRunNormalIrpWorkers()+3o
					; PopRunMaximumIrpWorkers()+10o ...
dword_6C0084	dd ?			; DATA XREF: PopInitializeIrpWorkers()+71w
dword_6C0088	dd ?			; DATA XREF: PopInitializeIrpWorkers()+77w
unk_6C008C	db    ?	;		; DATA XREF: PopInitializeIrpWorkers()+66o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopIrpWorkerInFlightCount dd ?		; DATA XREF: PopIrpWorker+124r
					; PopIrpWorker+132w ...
_PopIrpWorkerRequested db ?		; DATA XREF: PopIrpWorkerControl+2Aw
					; PopIrpWorker+85106r ...
		align 4
_PopIrpWorkerPendingCount dd ?		; DATA XREF: PopRunMaximumIrpWorkers()+21r
					; PopRunMaximumIrpWorkers()+3Dw ...
_PopCreateIrpWorkerAllowed db ?		; DATA XREF: PopRunNormalIrpWorkers()+11w
					; PopRunMaximumIrpWorkers()+2Dw ...
		align 10h
_PopDeepSleepDisengageReasonMask dd ?	; DATA XREF: PopDeepSleepSetDisengageReason+1Dr
					; PopDeepSleepSetDisengageReason+28w ...
_PopDeepSleepDisengageReasonLock dd ?	; DATA XREF: PopDeepSleepSetDisengageReason+11o
					; PopDeepSleepSetDisengageReason+51o ...
_PopIdleResiliencyIsEngagedWithoutDeepSleep db ?
					; DATA XREF: PopCheckResiliencyScenarios+17212Br
					; PopCheckResiliencyScenarios+172133w
_PopDeepSleepIsEngaged db ?		; DATA XREF: PpmIdlePrepare+440r
					; PoFxSendSystemLatencyUpdate:loc_5AB79Dr ...
		align 10h
_PopMaxDynamicTickDurationOriginalValue	dd ? ; DATA XREF: PopEnforceDeepSleep+17o
					; PopEnforceDeepSleep+A5FA1r
dword_6C00C4	dd ?			; DATA XREF: PopEnforceDeepSleep+A5F9Br
_PopDeepSleepEvaluateWorkItemQueued db ?
					; DATA XREF: PopDeepSleepSetDisengageReason:loc_5AB5EEr
					; PopDeepSleepSetDisengageReason+16E17Aw ...
_PopDeepSleepIsEnabled db ?		; DATA XREF: PopDeepSleepEnabled()r
					; PpmIdlePrepare:loc_48C1C1r ...
		align 10h
_PopDeepSleepEvaluateWorkItem dd ?	; DATA XREF: PopDeepSleepSetDisengageReason+16E175o
					; PopDeepSleepClearDisengageReason+16E14Co ...
		align 8
dword_6C00D8	dd ?			; DATA XREF: PopDeepSleepInitialize(x)+1Aw
dword_6C00DC	dd ?			; DATA XREF: PopDeepSleepInitialize(x)+4w
_PopSystemIdleLock dd ?			; DATA XREF: PopDiagTraceControlCallback+23Fo
					; PopUpdateSystemIdleConsoleDisplayState(x)+12o ...
dword_6C00E4	dd ?			; DATA XREF: PopDiagTraceControlCallback+253w
					; PopDiagTraceControlCallback+25Dr ...
_PopPendingSystemIdleResetMask dd ?	; DATA XREF: PopHandleSystemIdleReset(x)+26o
					; PopProcessPendingSystemIdleResets()+Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPowerEventTrace db	  ? ;		; DATA XREF: PopTriggerMonitorPowerEvent(x,x)+9Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPowerEventTraceCount dd ?		; DATA XREF: PopTriggerMonitorPowerEvent(x,x)+8Dr
					; PopTriggerMonitorPowerEvent(x,x)+A9w
		align 8
_PopPowerEventLock dd ?			; DATA XREF: PopDiagTraceControlCallback+1F7o
					; PopTriggerMonitorPowerEvent(x,x)+5Fo	...
dword_6C040C	dd ?			; DATA XREF: PopDiagTraceControlCallback+20Bw
					; PopDiagTraceControlCallback+215r ...
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUklUnkUlyquivUrDIGUklkOlyq@po db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmCheckPipeline dd ?			; DATA XREF: PpmCheckStart+76w
					; PpmCheckStart+ECr ...
_PpmCheckPipelineIndex dd ?		; DATA XREF: PpmCheckStart+8Fw
					; PpmCheckStart:loc_487167r ...
_PpmCheckArmed	db ?			; DATA XREF: PpmCheckArmPeriod:loc_573BC0r
					; PpmCheckArmPeriod+B3w ...
_PpmCheckForceDisarm db	?		; DATA XREF: PpmCheckResumePpmEngineFromSx():loc_558F12w
					; PpmCheckPausePpmEngineForSx()+1Dw ...
		align 10h
_PpmCheckStartDpc db	? ;		; DATA XREF: PoExecutePerfCheck()+EEo
					; PpmCheckInit()+22o
byte_6C0421	db ?			; DATA XREF: PpmCheckInit()+33w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmCheckDpc	db    ?	;		; DATA XREF: PpmCheckContinueExecution+5Bo
					; PpmCheckInit()+7o
byte_6C0441	db ?			; DATA XREF: PpmCheckInit()+27w
word_6C0442	dw ?			; DATA XREF: PpmCheckContinueExecution+50w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C045C	dd ?			; DATA XREF: PpmCheckContinueExecution:loc_48E6CCr
_PpmCheckTime	dd ?			; DATA XREF: PpmCheckStart+25w
					; PpmParkSteerInterrupts+12F955r ...
dword_6C0464	dd ?			; DATA XREF: PpmCheckStart+3Cw
					; PpmParkSteerInterrupts+12F94Er ...
_PpmCheckMakeupCount dd	?		; DATA XREF: PpmCheckPeriodicStart(x,x,x,x)+2Ew
					; PpmPerfRecordUtility+15r ...
_PpmCheckPipelines dd ?			; DATA XREF: PpmCheckStart:loc_4870EDr
					; PpmCheckMaintainArtificialDomain:loc_5FB42Dr	...
_PpmCheckPollForFeedback db ?		; DATA XREF: PpmCheckReInit()+43r
					; PpmRegisterPerfStates:loc_92FC4Bw
		align 8
_PpmCheckMinimumPeriod dd ?		; DATA XREF: PpmCheckArmPeriod+3Br
					; PpmCheckArmPeriod:loc_5F73A5r ...
dword_6C047C	dd ?			; DATA XREF: PpmCheckArmPeriod+25r
					; PpmRegisterPerfStates+4ADr ...
_PpmCheckCurrentPipelineId dd ?		; DATA XREF: PpmCheckStart+1Aw
					; PpmPerfRecordUtility:loc_48ED6Fr ...
_PpmCheckLatencyBoostActive dd ?	; DATA XREF: PpmCheckStart:loc_487157r
					; PpmCheckStart:loc_4871E1w ...
_PpmCheckDeadlineBoostActive dd	?	; DATA XREF: PpmCheckStart+DFr
					; PpmCheckStart+167w ...
_PpmCheckCount	dd ?			; DATA XREF: PpmPerfAction(x,x,x,x)+41w
					; PpmCheckSnapAllDeliveredPerformance+BDw ...
_PpmCheckPeriod	dd ?			; DATA XREF: PoExecutePerfCheck()+3Dr
					; PoExecutePerfCheck():loc_487AA7r ...
dword_6C0494	dd ?			; DATA XREF: PoExecutePerfCheck()+2Ar
					; PoLatencySensitivityHint+93r	...
_PpmCheckLastExecutionTime dd ?		; DATA XREF: PpmCheckStart+2Ar
					; PpmCheckPeriodicStart(x,x,x,x):loc_4873E8r ...
dword_6C049C	dd ?			; DATA XREF: PpmCheckStart+2Fr
					; PpmCheckPeriodicStart(x,x,x,x)+44r ...
_PopKsrPrepared	db ?			; DATA XREF: PopKsrCallback(x,x,x):loc_656720w
					; PopKsrCallback(x,x,x):loc_656729w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopCheckPowerSourceAfterRtcWakeTimer db    ? ;
					; DATA XREF: PopCheckPowerSourceAfterRtcWakeInitialize()+11o
					; PopCheckPowerSourceAfterRtcWakeCancel+880E6o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C0518	db    ?	;		; DATA XREF: PopCheckPowerSourceAfterRtcWakeTimerCallback(x,x)+2o
					; PopCheckPowerSourceAfterRtcWakeTimerWorker(x):loc_72FFC5o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopCheckPowerSourceAfterRtcWakeCompleted db	? ;
					; DATA XREF: PopCheckPowerSourceAfterRtcWakeCancel+12o
					; PopCheckPowerSourceAfterRtcWakeInitialize()+1Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopSpoilEstimatesOnPowerStateTransitionWorkItem dd ? ;	DATA XREF: PAGELK:0071F2C6o
					; PAGELK:0071F2DBw
		align 8
dword_6C0548	dd ?			; DATA XREF: PAGELK:0071F2CBw
dword_6C054C	dd ?			; DATA XREF: PAGELK:0071F2D5w
_PopShutdownWorkItem dd	?		; DATA XREF: PAGELK:0071F9DBo
					; PAGELK:0071F9F0w
		align 8
dword_6C0558	dd ?			; DATA XREF: PAGELK:0071F9E0w
dword_6C055C	dd ?			; DATA XREF: PAGELK:0071F9EAw
_PopUnlockAfterSleepWorkItem dd	?	; DATA XREF: PAGELK:0071EBF8w
					; PAGELK:0071EC1Fo ...
		align 8
dword_6C0568	dd ?			; DATA XREF: PAGELK:0071EBE8w
dword_6C056C	dd ?			; DATA XREF: PAGELK:0071EBF2w
_PopTransitionLockAcquireReason	dd ?	; DATA XREF: PopAcquireTransitionLock(x)+25w
					; PopReleaseTransitionLock(x)+13w
		align 10h
_PopHibernationErrorSubstitutionString db    ? ; ; DATA	XREF: PAGELK:0071F961o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopTransitionLockOwnerThread dd ?	; DATA XREF: PopPowerActionWatchdog(x,x,x,x)+53r
					; PopAcquireTransitionLock(x)+36w ...
		align 10h
_PopTransitionLock db	 ? ;		; DATA XREF: PopAcquireTransitionLock(x)+1Bo
					; PopReleaseTransitionLock(x)+9o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPdcDeviceListLock dd ?		; DATA XREF: PopPdcCsDeviceNotification(x)+2Fo
					; PopPdcCsDeviceNotification(x):loc_9B542Bo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPdcIdlePhaseWatchdogContext	dd ?	; DATA XREF: PopArmIdlePhaseWatchdog(x)+Dr
					; PopArmIdlePhaseWatchdog(x)+D3o ...
unk_6C06C4	db    ?	;		; DATA XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+3Ao
					; PopArmIdlePhaseWatchdog(x)+4Do ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C06CC	dd ?			; DATA XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+46r
					; PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+53w ...
dword_6C06D0	dd ?			; DATA XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+59w
					; PopArmIdlePhaseWatchdog(x)+67w ...
		align 10h
_PopDripsWatchdogContext db    ? ;	; DATA XREF: PopDripsWatchdogNotifySessionStart(x)+17o
					; PopDripsWatchdogStartWatchdog()+29o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C0718	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+33r
					; PopDripsWatchdogStartWatchdog()+128w	...
dword_6C071C	dd ?			; DATA XREF: PopDripsWatchdogInitializeActions(x):loc_AEF872w
unk_6C0720	db    ?	;		; DATA XREF: PopDripsWatchdogStartWatchdog()+B5o
					; PopDripsWatchdogInitializeCallbackTimer(x)+2Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C0790	dd ?			; DATA XREF: PopDripsWatchdogInitializeCallbackTimer(x)+1Dw
dword_6C0794	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+67r
					; PopDripsWatchdogInitializeCallbackTimer(x):loc_AEF8DCw
dword_6C0798	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+AEw
dword_6C079C	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+BAw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C07A4	dd ?			; DATA XREF: PopDripsWatchdogNotifySessionStart(x)+29w
					; PopDripsWatchdogStartWatchdog()+84w
dword_6C07A8	dd ?			; DATA XREF: PopDripsWatchdogNotifySessionStart(x)+30w
					; PopDripsWatchdogStartWatchdog()+A2w
		align 10h
dword_6C07B0	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+8Bw
dword_6C07B4	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+95w
dword_6C07B8	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+C1w
dword_6C07BC	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+CAw
byte_6C07C0	db ?			; DATA XREF: PopDripsWatchdogNotifySessionStart(x)+35w
		align 8
unk_6C07C8	db    ?	;		; DATA XREF: PopDripsWatchdogStartWatchdog()+9Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C07E8	db    ?	;		; DATA XREF: PopDripsWatchdogStartWatchdog()+110o
					; PopDripsWatchdogInitializeDiagnosticTimer(x)+19o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C0858	dd ?			; DATA XREF: PopDripsWatchdogInitializeDiagnosticTimer(x)+Aw
dword_6C085C	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog():loc_9B4CBDr
					; PopDripsWatchdogInitializeDiagnosticTimer(x)+2Aw
; void unk_6C0860
unk_6C0860	db    ?	;		; DATA XREF: PopDripsWatchdogStartWatchdog()+E1o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C0884	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+F7w
dword_6C0888	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+10Bw
dword_6C088C	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+11Aw
unk_6C0890	db    ?	;		; DATA XREF: PopDripsWatchdogStartWatchdog()+101o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C08B8	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+12Fw
dword_6C08BC	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+135w
_PopDripsWatchdogDebounceTickInterval dd ?
					; DATA XREF: PopDripsWatchdogCallbackWorker(x)+8Cr
					; PopDripsWatchdogCallbackWorker(x)+E7r ...
		align 8
_PopPepDeviceList dd ?			; DATA XREF: PopPepWork+4Bo
					; PopPepWork+124o ...
dword_6C08CC	dd ?			; DATA XREF: PopPepInsertDevice:loc_571967r
					; PopPepInsertDevice+70w ...
_PopPepDeviceListLock dd ?		; DATA XREF: PopPepWork+33o
					; PopPepWork+195o ...
_PopPepLowPowerEpoch db	?		; DATA XREF: PopPepComponentGetResidencyIdleState(x,x,x)+5r
					; PopFxLowPowerEpochCallback+70w
		align 4
_PopPepVetoMaskReadyLock dd ?		; DATA XREF: PopPepInsertDevice+2Eo
					; PopPepInsertDevice+1A4o ...
_PopPepIdleTimerLock db	   ? ;		; DATA XREF: PopPepArmIdleTimer(x)+Do
		db    ?	;
		db    ?	;
		db    ?	;
_PopPepIdleTimerArmed db ?		; DATA XREF: PopPepArmIdleTimer(x)+1Ew
					; PopPepArmIdleTimer(x):loc_65467Br ...
		align 4
_PopPepPoweredIdleComponentCount dd ?	; DATA XREF: PopPepCompleteActivity+EF972w
					; PopPepGetComponentPreferedIdleState+EF712w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPepIdleTimer db    ? ;		; DATA XREF: PopPepArmIdleTimer(x)+5Eo
					; PopPepEntry()+42o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPepIdleDpc	db    ?	;		; DATA XREF: PopPepArmIdleTimer(x)+54o
					; PopPepEntry()+20o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPepIdleWorkItem dd ?		; DATA XREF: PopPepIdleTimeoutDpcRoutine(x,x,x,x)+2o
					; PopPepEntry()+35w
		align 8
dword_6C0968	dd ?			; DATA XREF: PopPepEntry()+5w
dword_6C096C	dd ?			; DATA XREF: PopPepEntry()+2Fw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopExternalMonitorUpdatedWorkItem db	 ? ;
					; DATA XREF: PopUpdateExternalDisplayState(x)+19o
					; PopExternalMonitorUpdatedWorker+82ED3o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopInputSuppressionLock dd ?		; DATA XREF: PopEvaluateInputSuppressionAction()+3Eo
					; PopEvaluateInputSuppressionAction()+179o ...
dword_6C099C	dd ?			; DATA XREF: PopEvaluateInputSuppressionAction()+5Ew
					; PopEvaluateInputSuppressionAction():loc_9B43E2r ...
_PopPowerAggregatorLock	dd ?		; DATA XREF: PopPowerAggregatorNotifySuspendResume(x)+25o
					; PopPowerAggregatorWorker(x)+10o ...
dword_6C09A4	dd ?			; DATA XREF: PopPowerAggregatorNotifySuspendResume(x)+3Bw
					; PopPowerAggregatorNotifySuspendResume(x):loc_85AE8Cr	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PopPowerAggregatorContext
_PopPowerAggregatorContext dd ?		; DATA XREF: PopPowerAggregatorHandleIntentUnsafe(x,x,x)+34r
					; PopPowerAggregatorHandleIntentUnsafe(x,x,x)+6Fw ...
dword_6C09C4	dd ?			; DATA XREF: PopPowerAggregatorHandleIntentUnsafe(x,x,x)+1Dr
					; PopPowerAggregatorHandleIntentUnsafe(x,x,x)+4Bw
dword_6C09C8	dd ?			; DATA XREF: PopPowerAggregatorCachePoPolicy(x)+5o
					; PopPowerAggregatorCachePoPolicy(x)+12w
dword_6C09CC	dd ?			; DATA XREF: PopPowerAggregatorCachePoPolicy(x)+23w
					; PopPowerAggregatorCachePoPolicy(x):loc_870B71w
dword_6C09D0	dd ?			; DATA XREF: PopPowerAggregatorCachePoPolicy(x)+3Aw
					; PopPowerAggregatorCachePoPolicy(x):loc_870B58r ...
dword_6C09D4	dd ?			; DATA XREF: PopPowerAggregatorWorker(x)+48w
					; PopPowerAggregatorWorker(x):loc_85B158r ...
dword_6C09D8	dd ?			; DATA XREF: PopPowerAggregatorHandleIntentUnsafe(x,x,x)+29o
					; PopPowerAggregatorHandleIntentUnsafe(x,x,x)+AFo ...
		align 10h
dword_6C09E0	dd ?			; DATA XREF: PopPowerAggregatorInitialize(x)+2Cw
		align 8
dword_6C09E8	dd ?			; DATA XREF: PopPowerAggregatorIsAtTargetState+A702Cr
dword_6C09EC	dd ?			; DATA XREF: PopPowerAggregatorIsAtTargetState+A703Dr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C0A00	db ?			; DATA XREF: PopPowerAggregatorNotifyResiliencyReached()+34w
		align 8
dword_6C0A08	dd ?			; DATA XREF: PopPowerAggregatorInvokeStateMachine(x)+1Co
					; PopPowerAggregatorInvokeStateMachine(x)+2Bo ...
		align 10h
dword_6C0A10	dd ?			; DATA XREF: PopPowerAggregatorIsAtTargetState+A7027r
dword_6C0A14	dd ?			; DATA XREF: PopPowerAggregatorIsAtTargetState+A7038r
byte_6C0A18	db ?			; DATA XREF: PopPowerAggregatorNotifyDisplayPoweredOn+A5DBAw
		align 10h
byte_6C0A20	db ?			; DATA XREF: PopPowerAggregatorNotifyPdcSleepTransition(x,x)+49w
					; PopPowerAggregatorNotifyPdcSleepTransition(x,x):loc_9B3C88w ...
		align 4
dword_6C0A24	dd ?			; DATA XREF: PopPowerAggregatorNotifyPdcSleepTransition(x,x)+50w
					; PopPowerAggregatorNotifyPdcSleepTransition(x,x)+5Ew ...
unk_6C0A28	db    ?	;		; DATA XREF: PopPowerAggregatorSessionSwitchWorker(x)+45w
byte_6C0A29	db ?			; DATA XREF: PopPowerAggregatorSessionSwitchWorker(x)+31r
					; PopPowerAggregatorSessionSwitchWorker(x):loc_9B418Dw
		align 4
dword_6C0A2C	dd ?			; DATA XREF: PopPowerAggregatorSessionSwitchTimerCallback(x,x)+2o
					; PopPowerAggregatorInitialize(x)+6Fw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C0A34	dd ?			; DATA XREF: PopPowerAggregatorInitialize(x)+5Fw
dword_6C0A38	dd ?			; DATA XREF: PopPowerAggregatorInitialize(x)+69w
		align 10h
unk_6C0A40	db    ?	;		; DATA XREF: PopPowerAggregatorSessionSwitchWorker(x)+AEo
					; PopPowerAggregatorInitialize(x)+41o
		db    ?	;
word_6C0A42	dw ?			; DATA XREF: PopPowerAggregatorInitialize(x)+75w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C0A98	db    ?	;		; DATA XREF: PopPowerAggregatorNotifySuspendResume(x)+C4o
					; PopPowerAggregatorInitialize(x)+83o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C0AA8	dd ?			; DATA XREF: PopPowerAggregatorNotifySuspendResume(x)+40r
					; PopPowerAggregatorNotifySuspendResume(x)+84r	...
dword_6C0AAC	dd ?			; DATA XREF: PopPowerAggregatorRecordIntent+23r
unk_6C0AB0	db    ?	;		; DATA XREF: PopPowerAggregatorRecordIntent+32o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C1CB0	dd ?			; DATA XREF: PopPowerAggregatorInitialize(x)+59w
		align 8
dword_6C1CB8	dd ?			; DATA XREF: PopPowerAggregatorInitialize(x)+46w
dword_6C1CBC	dd ?			; DATA XREF: PopPowerAggregatorInitialize(x)+50w
dword_6C1CC0	dd ?			; DATA XREF: PopPowerAggregatorWorker(x)+3Ew
					; PopPowerAggregatorWorker(x)+5Ew
		align 8
_PopPowerAggregatorOneWayEntry dd ?	; DATA XREF: PopPowerAggregatorHandleModernStandbyIntent(x,x,x):loc_9B39A6r
					; INIT:00AF47F0o
		align 10h
_PopBatteryEtwHandle dd	?		; DATA XREF: PopBatteryTraceSystemBatteryStatus+26r
					; PopBatteryTracePercentageRemaining(x,x,x,x)+54r ...
dword_6C1CD4	dd ?			; DATA XREF: PopBatteryTraceSystemBatteryStatus+2Dr
					; PopBatteryTracePercentageRemaining(x,x,x,x)+43r
		align 10h
_PopBatteryWorkItem dd ?		; DATA XREF: PopBatteryQueueWork(x)+1Bo
					; PopBatteryInit()+A2w
		align 8
dword_6C1CE8	dd ?			; DATA XREF: PopBatteryInit()+5w
dword_6C1CEC	dd ?			; DATA XREF: PopBatteryInit()+9Cw
_PopBatteryWorkRequests	db    ?	;	; DATA XREF: PopBatteryQueueWork(x)+3o
					; PopBatteryWorker:loc_868E02o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPostSpoilingRefresh	db    ?	;	; DATA XREF: PopBatteryWorker+351o
					; PopBatteryInit()+10Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1D20	db    ?	;		; DATA XREF: PopBatteryWorker+340o
					; PopBatteryWorker+377o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_OsStateChangeEnergyCounter db	  ? ;	; DATA XREF: PopTransitionTelemetryOsState:loc_86E673o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CsSessionEnergyCounter	db    ?	;	; DATA XREF: PopCalculateCsSummary(x,x):loc_65096Co
					; PopCaptureSleepStudyStatistics(x,x,x,x)+286o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopDiagHandle	dd ?			; DATA XREF: PoTraceSystemTimerResolutionUpdate+31r
					; PopDiagTraceClearDeepSleepConstraint+2Cr ...
dword_6C1D74	dd ?			; DATA XREF: PoTraceSystemTimerResolutionUpdate+25r
					; PopDiagTraceClearDeepSleepConstraint+20r ...
_PopTriggerDiagHandle dd ?		; DATA XREF: PopDiagInitialize()+6Co
					; PopTriggerDiagTraceAoAcCapability(x)+29r
dword_6C1D7C	dd ?			; DATA XREF: PopTriggerDiagTraceAoAcCapability(x)+1Dr
_PopWnfCsEnterScenarioId dd ?		; DATA XREF: PpmIdleCaptureCsVetoAccounting(x,x,x,x)+15r
					; PpmSnapDripsAccountingSnapshot(x,x,x,x,x,x)+1Br ...
dword_6C1D84	dd ?			; DATA XREF: PpmIdleCaptureCsVetoAccounting(x,x,x,x)+20r
					; PpmSnapDripsAccountingSnapshot(x,x,x,x,x,x)+15r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopWdiScenarioStopEventData db	   ? ;	; DATA XREF: PopSleepstudyStartNextSession+A6CECo
					; PopDiagTraceSleepStudyStop()+67o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1DA8	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+34Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1DB0	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+35Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1DB8	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+1CCo
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1DBC	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+17Eo
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1DC0	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+162o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1DC8	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+ECo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1DF8	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+1E8o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1E00	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+19Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1E08	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+291o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1E18	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+204o
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C1E1C	db ?			; DATA XREF: PopDiagTraceSleepStudyStop()+44r
byte_6C1E1D	db ?			; DATA XREF: PopDiagTraceSleepStudyStop()+4Dr
		align 10h
unk_6C1E20	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+10Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1E28	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+12Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1E30	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+146o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1E40	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+1B6o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1E44	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+2BFo
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1E48	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+2DBo
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C1E4C	db ?			; DATA XREF: PopDiagTraceSleepStudyStop()+A2r
		align 10h
unk_6C1E50	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+2F7o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1E54	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+313o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1E58	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+32Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1E68	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+36Eo
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C1E6C	db ?			; DATA XREF: PopDiagTraceSleepStudyStop()+95r
byte_6C1E6D	db ?			; DATA XREF: PopDiagTraceSleepStudyStop()+88r
		align 10h
unk_6C1E70	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+387o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C1E74	db    ?	;		; DATA XREF: PopDiagTraceSleepStudyStop()+397o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopSleepstudyStopReason dd ?		; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+4EBr
					; PopSleepstudyStartNextSession+A6CA4w
		align 10h
_PopDiagDeviceRundownWorkItem dd ?	; DATA XREF: PopDiagTraceControlCallback+1B2o
					; PopDiagInitialize()+61w
		align 8
dword_6C1EF8	dd ?			; DATA XREF: PopDiagInitialize()+4Cw
dword_6C1EFC	dd ?			; DATA XREF: PopDiagInitialize()+5Bw
_PopDiagDeviceRundownRequests db    ? ;	; DATA XREF: PopDiagDeviceRundownWorker(x)+2o
					; PopDiagTraceControlCallback+1A0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopTelemetryOsState dd	?		; DATA XREF: PopGetTransitionsToOnCount()+10o
					; PopTransitionTelemetryOsState+D1o ...
dword_6C1F24	dd ?			; DATA XREF: PopGetTransitionsToOnCount()+2Aw
					; PopGetTransitionsToOnCount()+33w ...
dword_6C1F28	dd ?			; DATA XREF: PopTransitionTelemetryOsState+1AEr
					; PopTransitionTelemetryOsState+1FBw ...
dword_6C1F2C	dd ?			; DATA XREF: PopTransitionTelemetryOsState+1B9r
					; PopTransitionTelemetryOsState+201w
dword_6C1F30	dd ?			; DATA XREF: PopTransitionTelemetryOsState+28Br
					; PopDiagInitialize()+8Do
dword_6C1F34	dd ?			; DATA XREF: PopTransitionTelemetryOsState+280r
dword_6C1F38	dd ?			; DATA XREF: PopTransitionTelemetryOsState+12Br
					; PopDiagInitialize()+AAw
dword_6C1F3C	dd ?			; DATA XREF: PopTransitionTelemetryOsState+133r
					; PopDiagInitialize()+AFw
dword_6C1F40	dd ?			; DATA XREF: PopTransitionTelemetryOsState+FEr
					; PopDiagInitialize()+C4w
dword_6C1F44	dd ?			; DATA XREF: PopTransitionTelemetryOsState+106r
					; PopDiagInitialize()+BAw
dword_6C1F48	dd ?			; DATA XREF: PopTransitionTelemetryOsState+14Dr
					; PopTransitionTelemetryOsState+1CAw
dword_6C1F4C	dd ?			; DATA XREF: PopTransitionTelemetryOsState+15Br
					; PopTransitionTelemetryOsState+1D5w
dword_6C1F50	dd ?			; DATA XREF: PopTransitionTelemetryOsState+161r
					; PopTransitionTelemetryOsState+1E0w
dword_6C1F54	dd ?			; DATA XREF: PopTransitionTelemetryOsState+16Dr
					; PopTransitionTelemetryOsState+1EBw
dword_6C1F58	dd ?			; DATA XREF: PopTransitionTelemetryOsState:loc_86E5A7r
					; PopTransitionTelemetryOsState+1A9w
dword_6C1F5C	dd ?			; DATA XREF: PopTransitionTelemetryOsState+1F5w
					; PopTransitionTelemetryOsState+21Er
dword_6C1F60	dd ?			; DATA XREF: PopGetTransitionsToOnCount()+24r
					; PopTransitionTelemetryOsState+E2r ...
byte_6C1F64	db ?			; DATA XREF: PopTransitionTelemetryOsState+59r
					; PopDiagInitialize()+CAw
		align 4
_PopDiagSleepStudyHandle dd ?		; DATA XREF: PopDiagTraceSleepStudyBlocker(x,x)+14r
					; PopDiagSleepStudyInitialize()+15o ...
dword_6C1F6C	dd ?			; DATA XREF: PopDiagTraceSleepStudyBlocker(x,x)+Dr
					; PopDiagTraceSleepStudyBlockerData(x,x)+16r ...
_PopSleepStudyTaskClientActivator dd ?	; DATA XREF: PdcTaskClientRegister(x,x)+15w
					; PdcTaskClientRegister(x,x)+5Ew ...
_PopWdiCurrentScenario dd ?		; DATA XREF: PopMonitorInvocation+A944Cr
					; PopDiagTraceSleepStudyStart()+5Dr ...
_PopWdiCurrentScenarioInstanceId dd ?	; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+4ACr
					; PopMonitorInvocation+A9485r ...
dword_6C1F7C	dd ?			; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+4B9r
					; PopMonitorInvocation+A9492r ...
_PopSystemThermalInfo dd ?		; DATA XREF: PopThermalSxEntry()+11o
					; PopCheckAndHandleThermalConditions+829DAo ...
dword_6C1F84	dd ?			; DATA XREF: PopThermalSxEntry()+28w
					; PopThermalSxEntry()+34r ...
word_6C1F88	dw ?			; DATA XREF: PopCheckAndHandleThermalConditions+82B62r
					; PopCheckAndHandleThermalConditions+82B79w ...
		align 4
dword_6C1F8C	dd ?			; DATA XREF: PopCheckAndHandleThermalConditions+82B06r
					; PopCheckAndHandleThermalConditions+82B0Cw ...
dword_6C1F90	dd ?			; DATA XREF: PopCheckAndHandleThermalConditions+82B16r
					; PopCheckAndHandleThermalConditions+82B22w ...
byte_6C1F94	db ?			; DATA XREF: PopThermalStandbyEndTracking+Dr
					; PopThermalStandbyEndTracking+18w ...
byte_6C1F95	db ?			; DATA XREF: PopThermalStandbyEndTracking+6r
					; PopThermalStandbyEndTracking:loc_5DFB31w ...
		align 4
dword_6C1F98	dd ?			; DATA XREF: PopThermalStandbyEndTracking+8967Ar
					; PopThermalCsEntry(x)+4Bw
dword_6C1F9C	dd ?			; DATA XREF: PopThermalStandbyEndTracking+89682r
					; PopThermalCsEntry(x)+50w
dword_6C1FA0	dd ?			; DATA XREF: PopUpdateOverThrottledCount(x,x)+24r
					; PopUpdateOverThrottledCount(x,x)+2Dw	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopThermalTelemetryTimer db	? ;	; DATA XREF: PopThermalUpdateTelemetryClientCount+8Fo
					; PopThermalUpdateTelemetryClientCount+8B53Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C2018	db    ?	;		; DATA XREF: PopThermalCsEntry(x)+8Bo
					; PopThermalCsExit()+89o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C2028	db    ?	;		; DATA XREF: PopThermalTelemetryWorker(x)+D9o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopThermalTelemetryClientCount	dd ?	; DATA XREF: PopThermalUpdateTelemetryClientCount+41r
					; PopThermalUpdateTelemetryClientCount+47w ...
_PopThermalCriticalShutdownEnabled db ?	; DATA XREF: PopCheckAndHandleThermalConditions+82AAFr
					; PoEnableCriticalShutdown+17w
_PoPowerResetActionInProgress db ?	; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+9CEr
					; PAGELK:0071ECF5w ...
_PoModernStandbyActionInProgress db ?	; DATA XREF: KeBugCheck2(x,x,x,x,x,x):loc_61C582r
					; PopPowerAggregatorDisplayPoweringOnStateHandler(x)+31w
_PoPowerDownActionInProgress db	?	; DATA XREF: RtlQueryFeatureConfiguration(x,x,x,x)+33r
					; NtSetTimer+3Ar ...
_PoHiberInProgress db ?			; DATA XREF: V86_kit3_a+2BEr
					; KdEnableDebuggerWithLock(x)+D9w ...
		align 10h
_PopPolicyDeviceLock dd	?		; DATA XREF: PopThermalTraceRundownEvents()+5o
					; PopThermalSxEntry()+60o ...
dword_6C2044	dd ?			; DATA XREF: PopThermalSxEntry():loc_555EEDr
					; PopThermalSxEntry():loc_555F10w ...
_PopFanLock	dd ?			; DATA XREF: PopFanUpdateCsState(x)+12o
					; PopFanUpdateRunningState(x)+12o ...
dword_6C204C	dd ?			; DATA XREF: PopFanUpdateCsState(x)+26w
					; PopFanUpdateCsState(x):loc_9B67DAr ...
_PopThermalTelemetryLock dd ?		; DATA XREF: PopThermalUpdateTelemetryClientCount+1Eo
					; PopThermalInit()+2Bw
dword_6C2054	dd ?			; DATA XREF: PopThermalUpdateTelemetryClientCount+34w
					; PopThermalUpdateTelemetryClientCount:loc_568673r ...
_PopAwaymodeLockExclusiveThread	dd ?	; DATA XREF: PopReleaseAwaymodeLock()r
					; PopReleaseAwaymodeLock()+Ew ...
_PopWorkerPending dd ?			; DATA XREF: PopCheckForWork+Ar
					; PopPolicyWorkerThread:loc_4C5090r ...
_PopNotifyEvents dd ?			; DATA XREF: PopSetNotificationWork(x)r
					; PopSetNotificationWork(x):loc_50F4A0o ...
_PopPdcIoCoalescing db ?		; DATA XREF: PopCheckResiliencyScenarios+1720C6r
					; PdcPoResiliencyClient(x,x,x)+38w
		align 4
_PpmHighPerfDeferredEndTime dd ?	; DATA XREF: PpmEndHighPerfRequest+75r
					; PpmEndHighPerfRequest+86w ...
dword_6C206C	dd ?			; DATA XREF: PpmEndHighPerfRequest+62r
					; PpmEndHighPerfRequest+8Ew ...
_PpmHighPerfDeferredEndCount dd	?	; DATA XREF: PpmEndHighPerfRequest+3Fw
					; PpmHighPerfRequestExpiration+36r ...
_PpmHighPerfDeferredEndDisabled	db ?	; DATA XREF: PpmEndHighPerfRequest+32r
					; PpmDisableHighPerfRequestDeferredExpiration(x)+7Aw
		align 4
_PopThermalZoneCount dd	?		; DATA XREF: PopThermalZoneAdd+B2r
					; PopThermalZoneAdd+CAw ...
_PopThermalZoneNextId dd ?		; DATA XREF: PopThermalZoneAdd+54r
					; PopThermalZoneAdd+61w
_PopThermalCriticalShutdownInitiated db	?
					; DATA XREF: PopCheckAndHandleThermalConditions:loc_5F8725r
					; PopCheckAndHandleThermalConditions+82AB6w ...
_PopThermalCriticalShutdownReported db ?
					; DATA XREF: PopThermalWriteShutdownToRegistry(x,x)+7Fr
					; PopThermalWriteShutdownToRegistry(x,x):loc_6505C4w
_PopThermalHibernateInitiated db ?	; DATA XREF: PopThermalSxExit+14r
					; sub_5DF8EC+Bw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C209F	db ?			; DATA XREF: PopThermalUpdatePassiveTimeTracking(x,x):loc_85E853r
_PopThermalTrackingThresholds db ?	; DATA XREF: PopTraceThermalZonePassiveHistogram+89974o
					; PopTraceThermalRequestPassiveHistogram+898C4o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopThermalPollingWakesAllowed db ?	; DATA XREF: PopThermalPollingPowerSettingCallback:loc_5FB1EEr
					; PopThermalPollingPowerSettingCallback+7DD54w	...
		align 10h
_PopFanTracking	dd ?			; DATA XREF: PopFanUpdateRunningState(x)+2Fw
					; PopFanUpdateRunningState(x):loc_9B6831w ...
byte_6C20C4	db ?			; DATA XREF: PopFanUpdateCsState(x)+59r
					; PopFanUpdateRunningState(x)+47r ...
byte_6C20C5	db ?			; DATA XREF: PopFanUpdateCsState(x)+2Fr
					; PopFanUpdateCsState(x)+37w ...
		align 4
dword_6C20C8	dd ?			; DATA XREF: PopFanEndCsFanPeriod()+17r
					; PopFanUpdateRunningState(x)+5Bw ...
dword_6C20CC	dd ?			; DATA XREF: PopFanEndCsFanPeriod()+7r
					; PopFanUpdateRunningState(x)+60w ...
dword_6C20D0	dd ?			; DATA XREF: PopFanEndCsFanPeriod()+27r
					; PopFanEndCsFanPeriod():loc_9B66DFr ...
dword_6C20D4	dd ?			; DATA XREF: PopFanEndCsFanPeriod()+Cr
					; PopFanEndCsFanPeriod()+4Dr ...
		align 10h
_PopDisplayOnPerformance dd ?		; DATA XREF: PopCalculateCsSummary(x,x)+65Br
					; PopCaptureSleepStudyStatistics(x,x,x,x)+250w	...
dword_6C20E4	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+666r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+256w	...
dword_6C20E8	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+62Cr
					; PopCaptureSleepStudyStatistics(x,x,x,x)+238w	...
dword_6C20EC	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+638r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+23Ew	...
dword_6C20F0	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+644r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+244w	...
dword_6C20F4	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+650r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+24Aw	...
dword_6C20F8	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+61Do
					; PopCaptureSleepStudyStatistics(x,x,x,x)+227o	...
dword_6C20FC	dd ?			; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+25Fw
					; PopCaptureSleepStudyStatistics(x,x,x,x)+5CBw	...
_PopIsForceIdleSet db ?			; DATA XREF: PopDeepSleepSetDisengageReason:loc_5AB5D9r
					; PopDeepSleepSetDisengageReason+16E15Fw ...
_PopSleepReliabilityDetailedDiagEnabled	db ? ; DATA XREF: PAGELK:loc_71F220r
					; PopEnableSystemSleepCheckpoint()+31w	...
		align 4
_PopCheckpointSystemSleepEnabled dd ?	; DATA XREF: PopInvokeSystemStateHandler+CFr
					; PopCheckpointSystemSleep+21r	...
_PopAggressiveStandbyAppliedActions dd ?
					; DATA XREF: PopDeepSleepClearDisengageReason:loc_5AB620r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+472r	...
_PopShutdownEventCode db    ? ;		; DATA XREF: PopExecutePowerAction:loc_90299Co
					; PopExecutePowerAction+A6CE8o	...
		db    ?	;
		db    ?	;
		db    ?	;
_PopPolicyLockThread dd	?		; DATA XREF: PopCheckForWork+1Ar
					; PopPowerActionWatchdog(x,x,x,x)+5Cr ...
_PopSleepCheckpoint dd ?		; DATA XREF: PopPowerActionWatchdog(x,x,x,x)+6Cr
					; PopCheckpointSystemSleep+12w	...
_PoPowerSequence dd ?			; DATA XREF: MiSessionRemoveImage+89194r
					; PopInvokeSystemStateHandler+37Dw
_PoResumeFromHibernate db ?		; DATA XREF: PopThermalSxExit+7r
					; PopInvokeSystemStateHandler+39Br ...
		align 10h
_PopPendingUserPresenceDuringSystemSleep dd ? ;	DATA XREF: PopDiagTraceRtcWakeInfo+DAr
					; PopUserPresentSet+81BF2o ...
_PopPendingUserPresenceMonitorOnReason dd ? ; DATA XREF: PopUserPresentSet+81BFBo
					; PopInvokeSystemStateHandler+38Fw ...
		align 10h
_PopUserPresentWorkItem	dd ?		; DATA XREF: PopUserPresentSet+5Co
					; PopUserPresentSet+71w
		align 8
dword_6C2138	dd ?			; DATA XREF: PopUserPresentSet+61w
dword_6C213C	dd ?			; DATA XREF: PopUserPresentSet+6Bw
_PopAwaymodeExitReason dd ?		; DATA XREF: PipCslStateChangeCallback+9B8B0w
					; PopSetSystemAwayMode(x)+B7r
		align 8
_PopPowerSettings dd ?			; DATA XREF: PopGetListHead(x)+11o
					; PopDispatchNotifications(x)+Ao ...
dword_6C214C	dd ?			; DATA XREF: PopInitializePowerSettings()+57w
_PopSessionSpecificLists db    ? ;	; DATA XREF: PopGetListHead(x)+34o
					; PopDispatchNotifications(x)+16o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPendingPowerSettingUpdateLock dd ?	; DATA XREF: PopIncrementPowerSettingPendingUpdates+Fo
					; PopDecrementPowerSettingPendingUpdates+Fo ...
		align 8
_PopRegisteredPowerSettingCallbacks dd ? ; DATA	XREF: PopSetPowerSettingValue+28Er
					; PopSetPowerSettingValue+294o	...
dword_6C216C	dd ?			; DATA XREF: PoRegisterPowerSettingCallback:loc_7E28FCr
					; PoRegisterPowerSettingCallback+1AFw ...
_PopPendingPowerSettingUpdateTime dd ?	; DATA XREF: PopIncrementPowerSettingPendingUpdates+39w
					; PopDecrementPowerSettingPendingUpdates+35w ...
dword_6C2174	dd ?			; DATA XREF: PopIncrementPowerSettingPendingUpdates+3Ew
					; PopDecrementPowerSettingPendingUpdates+3Bw ...
_PopPendingPowerSettingUpdates dd ?	; DATA XREF: PopIncrementPowerSettingPendingUpdates+1Dw
					; PopIncrementPowerSettingPendingUpdates:loc_43D3C6r ...
_PopPendingPowerSettingUpdatesQueued dd	?
					; DATA XREF: PopIncrementPowerSettingPendingUpdates:loc_43D404w
					; PopDecrementPowerSettingPendingUpdates:loc_43D46Fr ...
_PopPowerStateNotifyHandler dd ?	; DATA XREF: PopInvokeSystemStateHandler+66o
					; NtPowerInformation+1250r ...
dword_6C2184	dd ?			; DATA XREF: NtPowerInformation+1266w
_PopNoMoreInput	db ?			; DATA XREF: PopInvokeSystemStateHandler+373w
					; NtPowerInformation+F8Co ...
		align 10h
_PopThermalLock	dd ?			; DATA XREF: PopThermalCoolingPowerSettingCallback+14o
					; PopThermalPollingPowerSettingCallback+11o ...
dword_6C2194	dd ?			; DATA XREF: PopThermalCoolingPowerSettingCallback+2Dw
					; PopThermalCoolingPowerSettingCallback:loc_564D91r ...
_PopWakeAlarmTimeOverride dd ?		; DATA XREF: PAGELK:0071F0F7r
					; PAGELK:0071FA60w ...
dword_6C219C	dd ?			; DATA XREF: PAGELK:0071F0FFr
					; PAGELK:0071FA66w ...
_PopCoolingExtensionLock dd ?		; DATA XREF: PopCoolingSxTransition+Bo
					; PopCoolingSxTransition:loc_556138o ...
dword_6C21A4	dd ?			; DATA XREF: PopCoolingTelemetryWorker()+29w
					; PopCoolingTelemetryWorker()+D2r ...
_PopCoolingExtensionList dd ?		; DATA XREF: PopCoolingSxTransition+16r
					; PopCoolingSxTransition:loc_5560CAo ...
dword_6C21AC	dd ?			; DATA XREF: PopAssociateThermalRequest+FFr
					; PopAssociateThermalRequest+11Fw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmDripsAccountingSnapshot dd ?	; DATA XREF: PpmResetDripsAccountingSnapshot()+2Cw
					; PpmSnapDripsAccountingSnapshot(x,x,x,x,x,x)+5Ar
dword_6C21C4	dd ?			; DATA XREF: PpmResetDripsAccountingSnapshot()+35w
					; PpmSnapDripsAccountingSnapshot(x,x,x,x,x,x)+63r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopSIdle	dd ?			; DATA XREF: PopCheckForIdleness(x,x,x,x)+105w
					; PopScanIdleList(x,x,x)+2B5r
dword_6C22A4	dd ?			; DATA XREF: PopCheckForIdleness(x,x,x,x)+FFw
					; NtPowerInformation+B59r
dword_6C22A8	dd ?			; DATA XREF: PopHandleSystemRequiredPowerRequestsUpdate:loc_43CADFr
					; PopResetIdleTime(x)+22w ...
dword_6C22AC	dd ?			; DATA XREF: PopCheckForIdleness(x,x,x,x)+10Dr
					; PopCheckForIdleness(x,x,x,x)+139r ...
dword_6C22B0	dd ?			; DATA XREF: PopIdleCheckForUserInput()+7r
					; PopIdleCheckForUserInput()+14w
; void Source1
Source1		dd ?			; DATA XREF: PopPolicySystemIdle()+CCr
					; PopPolicySystemIdle()+11Cr ...
dword_6C22B8	dd ?			; DATA XREF: PopInitSIdle+D6r
		align 10h
dword_6C22C0	dd ?			; DATA XREF: PopPolicySystemIdle()+D5r
					; PopPolicySystemIdle()+10Dr ...
dword_6C22C4	dd ?			; DATA XREF: PopHandleSystemRequiredPowerRequestsUpdate+39r
					; PopHandleSystemRequiredPowerRequestsUpdate:loc_43CA7Cw ...
dword_6C22C8	dd ?			; DATA XREF: PopIdleChooseDozeS4Time(x,x)+68r
					; PopIdleChooseDozeS4Time(x,x)+DEr ...
dword_6C22CC	dd ?			; DATA XREF: PopIdleChooseDozeS4Time(x,x):loc_65AD18r
					; PopIdleChooseDozeS4Time(x,x)+EBr ...
dword_6C22D0	dd ?			; DATA XREF: PopIdleChooseDozeS4Time(x,x)+3Cr
					; PopIdleGlobalUserPresenceCallback(x,x,x,x)+52w ...
byte_6C22D4	db ?			; DATA XREF: PopInitSIdle+129w
byte_6C22D5	db ?			; DATA XREF: PopCheckForIdleness(x,x,x,x)+4Ar
					; PopCheckForIdleness(x,x,x,x)+60w ...
		align 4
dword_6C22D8	dd ?			; DATA XREF: PopCheckForIdleness(x,x,x,x)+31r
					; PopCheckForIdleness(x,x,x,x)+171w
dword_6C22DC	dd ?			; DATA XREF: PopCheckForIdleness(x,x,x,x)+179w
dword_6C22E0	dd ?			; DATA XREF: PopHandleSystemRequiredPowerRequestsUpdate+AAw
					; PopResetIdleTime(x)+2Cw ...
byte_6C22E4	db ?			; DATA XREF: PopGetDozeTimerSource+1Er
					; PopIdleCancelAoAcDozeS4Timer+22r ...
		align 4
dword_6C22E8	dd ?			; DATA XREF: PopGetDozeTimerSource:loc_547064r
					; PopIdleArmAoAcDozeS4Timer()+A0w ...
unk_6C22EC	db    ?	;		; DATA XREF: PopIdleAoAcDozeS4TimerCallback(x,x)+46o
					; PopIdleAoAcDozeToS4(x)+E5o
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C22F0	db ?			; DATA XREF: PopResetIdleTime(x)+27w
					; PopPolicySystemIdle():loc_7951FEw
byte_6C22F1	db ?			; DATA XREF: PopUpdateSystemIdleContext(x)+DEr
					; PopIdleCsStateChanged(x)+Aw ...
		align 8
dword_6C22F8	dd ?			; DATA XREF: PopIdleChooseDozeS4Time(x,x)+8Cr
					; PopIdleCsStateChanged(x)+20w	...
dword_6C22FC	dd ?			; DATA XREF: PopIdleChooseDozeS4Time(x,x)+97r
					; PopIdleCsStateChanged(x)+28w	...
_PoAllProcIntrDisabled db ?		; DATA XREF: MiQueuePinDriverAddressLog+8r
					; KiFreezeTargetExecution(x,x)+9Dr ...
		align 10h
_PopCurrentBroadcast db	?		; DATA XREF: PopRequestPowerIrp:loc_55CAF8r
					; PopRequestPowerIrp+D1r ...
		align 4
dword_6C2314	dd ?			; DATA XREF: PopIsNotifyForDirectedPowerTransition+2r
					; PopCompleteNotifyTransitionCommon+24r ...
dword_6C2318	dd ?			; DATA XREF: PopRequestPowerIrp+EBr
					; PoBroadcastSystemState+A8w ...
dword_6C231C	dd ?			; DATA XREF: PopWakeDeviceList+85r
					; PopSleepDeviceList+C6r ...
_PopCurrentIrpSequenceID dd ?		; DATA XREF: PopAllocateIrp+14Aw
_PopPendingSetPowerDeviceIrps dd ?	; DATA XREF: PopDequeueQuerySetIrp+F4w
					; PopQueueQuerySetIrp+11Dw
_PopInrushIrp	dd ?			; DATA XREF: PopDequeueQuerySetIrp+7Cr
					; PopIrpWorker:loc_55D64Cr ...
		align 10h
_PopIrpWorkerList dd ?			; DATA XREF: PopIrpWorker+EAr
					; PopIrpWorker+F0o ...
dword_6C2334	dd ?			; DATA XREF: PopDispatchQuerySetIrp+2Er
					; PopDispatchQuerySetIrp+3Fw ...
		align 10h
_PopIrpWorkerSemaphore db    ? ;	; DATA XREF: PopIrpWorker+C7o
					; PopDispatchQuerySetIrp+4Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPdcIdleResiliency db ?		; DATA XREF: PopThermalPollingPowerSettingCallback+2Br
					; PoFxSendSystemLatencyUpdate+16E0DAr ...
		align 10h
; void PopCsResiliencyStats
_PopCsResiliencyStats db ?		; DATA XREF: PopNetEvaluationWorkerCallback+8Fr
					; PopEsUpdateState+81E79r ...
byte_6C2361	db ?			; DATA XREF: PopDiagTraceCsResiliencyEnter(x,x,x)+6Aw
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x):loc_651D9Fr
byte_6C2362	db ?			; DATA XREF: PopDiagTraceCsResiliencyEnter(x,x,x)+60w
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x):loc_651D94r
byte_6C2363	db ?			; DATA XREF: PopWnfBluetoothChargingCallback(x,x,x,x,x,x)+61r
					; PopWnfBluetoothChargingCallback(x,x,x,x,x,x)+6Aw ...
dword_6C2364	dd ?			; DATA XREF: PopDiagTraceCsResiliencyEnter(x,x,x)+B8w
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+4Dr
byte_6C2368	db ?			; DATA XREF: PopDiagTraceCsResiliencyEnter(x,x,x)+BDw
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+2Ar
		align 10h
dword_6C2370	dd ?			; DATA XREF: PopDiagTraceCsResiliencyEnter(x,x,x)+48o
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+68r ...
		align 8
dword_6C2378	dd ?			; DATA XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+60r
dword_6C237C	dd ?			; DATA XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+74r
dword_6C2380	dd ?			; DATA XREF: PopDiagTraceCsResiliencyEnter(x,x,x)+96w
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+FDr
dword_6C2384	dd ?			; DATA XREF: PopDiagTraceCsResiliencyEnter(x,x,x)+A0w
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+105r
dword_6C2388	dd ?			; DATA XREF: PopEsUpdateState:loc_5E4DA5w
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+F5r
dword_6C238C	dd ?			; DATA XREF: PopNetEvaluationWorkerCallback:loc_5FA1E2r
					; PopNetEvaluationWorkerCallback+7EE21w ...
byte_6C2390	db ?			; DATA XREF: PopDiagTraceCsResiliencyEnter(x,x,x)+B2w
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x):loc_651DD0r
byte_6C2391	db ?			; DATA XREF: PopDiagTraceCsResiliencyEnter(x,x,x)+8Cw
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x):loc_651DC4r
		align 8
dword_6C2398	dd ?			; DATA XREF: PopNetUpdateDsAccounting(x)+2Fw
					; PopNetUpdateDsAccounting(x):loc_657ECCr ...
dword_6C239C	dd ?			; DATA XREF: PopNetUpdateDsAccounting(x)+34w
					; PopNetUpdateDsAccounting(x)+41r ...
dword_6C23A0	dd ?			; DATA XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+10Dr
					; PopNetUpdateDsAccounting(x)+65w
dword_6C23A4	dd ?			; DATA XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+115r
					; PopNetUpdateDsAccounting(x)+6Bw
unk_6C23A8	db    ?	;		; DATA XREF: PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+30o
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+1C9o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C23D0	dd ?			; DATA XREF: PopFxAccumulateDeviceIRPhaseAccounting(x,x)+8r
					; PopFxAccumulateDeviceIRPhaseAccounting(x,x)+63w ...
dword_6C23D4	dd ?			; DATA XREF: PopFxAccumulateDeviceIRPhaseAccounting(x,x)+11r
					; PopFxAccumulateDeviceIRPhaseAccounting(x,x)+6Aw ...
byte_6C23D8	db ?			; DATA XREF: PopFxBeginDeviceIRPhaseAccounting(x,x)+2Fw
					; PopFxEndDeviceIRPhaseAccounting(x,x)+3Bw ...
		align 10h
dword_6C23E0	dd ?			; DATA XREF: PopFxAccumulateDeviceIRPhaseAccounting(x,x)+2Dr
					; PopFxAccumulateDeviceIRPhaseAccounting(x,x):loc_6485E8w ...
dword_6C23E4	dd ?			; DATA XREF: PopFxAccumulateDeviceIRPhaseAccounting(x,x)+23r
					; PopFxAccumulateDeviceIRPhaseAccounting(x,x)+3Aw ...
dword_6C23E8	dd ?			; DATA XREF: PopFxAccumulateDeviceIRPhaseAccounting(x,x)+4Ar
					; PopFxAccumulateDeviceIRPhaseAccounting(x,x):loc_648605w ...
dword_6C23EC	dd ?			; DATA XREF: PopFxAccumulateDeviceIRPhaseAccounting(x,x):loc_6485F3r
					; PopFxAccumulateDeviceIRPhaseAccounting(x,x)+57w ...
dword_6C23F0	dd ?			; DATA XREF: PopFxAccumulateDeviceIRPhaseAccounting(x,x)+17w
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+1AFr
dword_6C23F4	dd ?			; DATA XREF: PopFxAccumulateDeviceIRPhaseAccounting(x,x)+1Dw
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+1A9r
dword_6C23F8	dd ?			; DATA XREF: PopFxAccumulateDeviceIRPhaseAccounting(x,x):loc_648610w
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+1CEr
dword_6C23FC	dd ?			; DATA XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+2Ar
					; PopDeepSleepResiliencyPhaseAccountingBegin(x,x):loc_6572A5w ...
dword_6C2400	dd ?			; DATA XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+16E102o
					; PopDeepSleepResiliencyPhaseAccountingBegin(x,x)+55w ...
dword_6C2404	dd ?			; DATA XREF: PopDeepSleepResiliencyPhaseAccountingBegin(x,x)+5Cw
					; PopDeepSleepResiliencyPhaseAccountingEnd(x,x)+7Ar ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C2450	dd ?			; DATA XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+16E110w
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+1FAr ...
dword_6C2454	dd ?			; DATA XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+16E119w
					; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)+1F4r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PopHiberInfo
_PopHiberInfo	dd ?			; DATA XREF: PopInternalAddToDumpFile(x,x,x)+44o
					; PAGELK:loc_71ECFCr ...
dword_6C24A4	dd ?			; DATA XREF: PAGELK:0071ED04r
					; PAGELK:0071ED15r ...
dword_6C24A8	dd ?			; DATA XREF: PopWriteHiberPages+A2r
					; PopRequestWrite+275r	...
dword_6C24AC	dd ?			; DATA XREF: PopWriteHiberPages+94r
					; PopRequestWrite+267r	...
; void *dword_6C24B0
dword_6C24B0	dd ?			; DATA XREF: PopRestoreHiberContext+11Cr
					; PopSaveHiberContext+2F3r ...
; size_t dword_6C24B4
dword_6C24B4	dd ?			; DATA XREF: PopMarkHiberPhase(x)+8Fr
					; PopWriteImageHeader(x,x,x,x,x)+4Er ...
dword_6C24B8	dd ?			; DATA XREF: PopDecompressHiberBlocks+3D5r
					; PAGELK:0071F158w ...
dword_6C24BC	dd ?			; DATA XREF: PopHiberEarlyCleanup(x)+7r
					; PopAllocateHiberContext:loc_85DDFAr ...
dword_6C24C0	dd ?			; DATA XREF: PopBuildMemoryImageHeader(x,x)+72r
					; PopEnableHiberFile(x,x)+362w
		align 10h
byte_6C24D0	db ?			; DATA XREF: PopDecompressHiberBlocks+4F5r
					; PoBroadcastSystemState:loc_71E775r ...
byte_6C24D1	db ?			; DATA XREF: PopInvokeSystemStateHandler+4F4r
					; PopDecompressHiberBlocks:loc_71D22Er	...
		align 4
dword_6C24D4	dd ?			; DATA XREF: PopRestoreHiberContext:loc_71CDC1w
					; PopHiberReadChecksums+C7C0r ...
; void *dword_6C24D8
dword_6C24D8	dd ?			; DATA XREF: PopAllocateHiberContext+33r
					; PopEnableHiberFile(x,x)+156r	...
; void dword_6C24DC
dword_6C24DC	dd ?			; DATA XREF: PopMarkHiberPhase(x)+23r
					; PopFreeHiberContext+107r ...
dword_6C24E0	dd ?			; DATA XREF: PopMarkHiberPhase(x)+1Dr
					; PopFreeHiberContext+101r ...
dword_6C24E4	dd ?			; DATA XREF: PopAllocateHiberContext+8Br
					; PopPreallocateHibernateMemory+D3w
dword_6C24E8	dd ?			; DATA XREF: PopAllocateHiberContext+11Br
					; PopPreallocateHibernateMemory+D9w
dword_6C24EC	dd ?			; DATA XREF: PopAllocateHiberContext+78r
					; PopPreallocateHibernateMemory+102w
dword_6C24F0	dd ?			; DATA XREF: PopAllocateHiberContext+83r
					; PopPreallocateHibernateMemory+108w
dword_6C24F4	dd ?			; DATA XREF: PopAllocateHiberContext+C2r
					; PopPreallocateHibernateMemory+F2w
dword_6C24F8	dd ?			; DATA XREF: PopAllocateHiberContext+C9r
					; PopPreallocateHibernateMemory+F8w
dword_6C24FC	dd ?			; DATA XREF: PopAllocateHiberContext+A1r
					; PopPreallocateHibernateMemory+110w
; void *dword_6C2500
dword_6C2500	dd ?			; DATA XREF: PopCountDataAsProduced(x,x,x,x,x,x)+Cr
					; PopRestoreHiberContext+62r ...
dword_6C2504	dd ?			; DATA XREF: PopHiberInitializeResources+23Ar
					; PopPreallocateHibernateMemory+133w ...
; void *dword_6C2508
dword_6C2508	dd ?			; DATA XREF: PopPreallocateHibernateMemory+13Dw
					; PopHiberInitializeResources:loc_9032FDr
dword_6C250C	dd ?			; DATA XREF: PopAllocateHiberContext+96r
					; PopPreallocateHibernateMemory+147w
dword_6C2510	dd ?			; DATA XREF: PopAllocateHiberContext+B7r
					; PopPreallocateHibernateMemory+E7w ...
dword_6C2514	dd ?			; DATA XREF: PopAllocateHiberContext+ACr
					; PopPreallocateHibernateMemory+11Ew ...
dword_6C2518	dd ?			; DATA XREF: PopSaveHiberContext:loc_728E5Bw
					; PopSaveHiberContext:loc_728E6Ew ...
dword_6C251C	dd ?			; DATA XREF: PopPowerActionWatchdog(x,x,x,x)+2Fr
					; PAGELK:0071F8B3w ...
_PopCB		dd ?			; DATA XREF: PopInternalAddToDumpFile(x,x,x)+8Ao
					; PopBatteryWorker+80o	...
dword_6C2524	dd ?			; DATA XREF: PopBatteryWorker+90w
					; PopBatteryWorker:loc_869009r	...
dword_6C2528	dd ?			; DATA XREF: PopCapturePlatformRole+17141Dr
					; PopBatteryWorker+A029Br ...
; void dword_6C252C
dword_6C252C	dd ?			; DATA XREF: PopBatteryTraceSystemBatteryStatus+827BEr
					; PopTracePowerReconfig()+A3r ...
byte_6C2530	db ?			; DATA XREF: PopBatteryApplyCompositeState:loc_86914Br
					; PopBatteryApplyCompositeState+98r ...
		align 4
dword_6C2534	dd ?			; DATA XREF: .data:006B2F38o
					; PopBatteryWorker:loc_868E4Ar	...
dword_6C2538	dd ?			; DATA XREF: PopBatteryInit()+1Bw
dword_6C253C	dd ?			; DATA XREF: PopBatteryWorker+9Ar
					; PopBatteryWorker+A0o	...
dword_6C2540	dd ?			; DATA XREF: PopBatteryInitialize(x)+C5r
					; PopBatteryInitialize(x)+E5w ...
; char dword_6C2544
dword_6C2544	dd ?			; DATA XREF: PopBatteryTraceSystemBatteryStatus:loc_5E3540r
					; PopTracePowerReconfig()+1Dr ...
dword_6C2548	dd ?			; DATA XREF: PopBatteryTraceSystemBatteryStatus+827D8r
					; PopTracePowerReconfig()+3Br ...
dword_6C254C	dd ?			; DATA XREF: PopBatteryApplyCompositeState+CBr
					; PopBatteryWorker+A04ABr ...
dword_6C2550	dd ?			; DATA XREF: PopBatteryApplyCompositeState+BFr
					; PopBatteryWorker+A04BFr ...
dword_6C2554	dd ?			; DATA XREF: PopBatteryApplyCompositeState+C5w
					; PopBatteryApplyCompositeState+A0685r
dword_6C2558	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+141r
					; PopBatteryGetEnergyDrainFromDischage(x,x)+2r	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C2564	dd ?			; DATA XREF: PopBatteryCheckTriggerArmed()r
					; PopCalculateCsSummary(x,x)+11Fr ...
dword_6C2568	dd ?			; DATA XREF: PopBatteryCheckTriggerArmed()+9r
					; PopCalculateCsSummary(x,x)+12Fr ...
dword_6C256C	dd ?			; DATA XREF: PopBatteryApplyCompositeState+A068Fr
dword_6C2570	dd ?			; DATA XREF: PopBatteryApplyCompositeState+A0699r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C257C	dd ?			; DATA XREF: PopBatteryApplyCompositeState+1D6r
					; PopBatteryWorker+9FE2Aw ...
dword_6C2580	dd ?			; DATA XREF: PopBatteryApplyCompositeState+185r
					; PopBatteryApplyCompositeState:loc_90968Dr ...
		align 8
unk_6C2588	db    ?	;		; DATA XREF: PopIgnoreBatteryStatusChange+2o
					; MiFreePrivateFixupEntryForSystemImage+C7o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C2590	db    ?	;		; DATA XREF: PopIgnoreBatteryStatusChange:loc_5E1075o
					; PopQueueBatteryStatusTimeout()+24o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C25B8	db    ?	;		; DATA XREF: PopQueueBatteryStatusTimeout()+1Bo
					; PopBatteryInit()+CDo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C25D8	db    ?	;		; DATA XREF: MiFreePrivateFixupEntryForSystemImage+BBo
					; PopIgnoreBatteryStatusChange+881D5o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C25E8	db ?			; DATA XREF: PopIgnoreBatteryStatusChange:loc_558EC9w
					; MiFreePrivateFixupEntryForSystemImage+A4w ...
		align 10h
dword_6C25F0	dd ?			; DATA XREF: PopBatteryApplyCompositeState+130r
					; PopResetCBTriggers(x)+1Dr ...
dword_6C25F4	dd ?			; DATA XREF: PopBatteryApplyCompositeState+162w
					; PopResetCBTriggers(x)+17w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C25FC	dd ?			; DATA XREF: PopRecalculateCBTriggerLevels(x)+32w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C2630	db ?			; DATA XREF: PopTracePowerReconfig()+F6r
					; PopBatteryCheckCompositeCapacity+6Br	...
		align 4
dword_6C2634	dd ?			; DATA XREF: PopDiagTraceBatteryTriggerFlags+1Er
					; PopBatteryApplyCompositeState:loc_909792r ...
dword_6C2638	dd ?			; DATA XREF: PopBatteryApplyCompositeState+A070Ar
					; PopBatteryApplyCompositeState+A0765w
dword_6C263C	dd ?			; DATA XREF: PopBatteryApplyCompositeState+A0712r
					; PopBatteryApplyCompositeState+A0770w
dword_6C2640	dd ?			; DATA XREF: PopBatteryCheckCompositeCapacity:loc_8694F8w
					; PopBatteryCheckCompositeCapacity:loc_909CEAw	...
byte_6C2644	db ?			; DATA XREF: PopTracePowerReconfig()+E0r
					; PopBatteryCheckCompositeCapacity+59r	...
		align 4
dword_6C2648	dd ?			; DATA XREF: PopTracePowerReconfig()+125r
					; PopBatteryWorker:loc_868F25r	...
byte_6C264C	db ?			; DATA XREF: PopTracePowerReconfig()+10Cr
					; PopBatteryWorker+9FDBAr ...
		align 10h
dword_6C2650	dd ?			; DATA XREF: PopBatteryWorker+C9o
					; PopBatteryWorker+1FFo ...
dword_6C2654	dd ?			; DATA XREF: PopBatteryWorker+9FDB5w
					; PopBatteryWorker+9FDD5r ...
dword_6C2658	dd ?			; DATA XREF: PopBatteryCheckCompositeCapacity+4Dw
					; PopBatteryCheckCompositeCapacity+A0840w ...
		align 10h
dword_6C2660	dd ?			; DATA XREF: PopBatteryUpdateCurrentState(x)+19r
					; PopBatteryUpdateCurrentState(x)+5Do ...
dword_6C2664	dd ?			; DATA XREF: PopBatteryUpdateCurrentState(x)+21r
					; PopBatteryUpdateCurrentState(x)+7Fr ...
dword_6C2668	dd ?			; DATA XREF: PopBatteryUpdateCurrentState(x)+65o
					; PopBatteryWorker+23Dr ...
dword_6C266C	dd ?			; DATA XREF: PopCurrentPowerState(x)+13o
					; PopBatteryApplyCompositeState+1B1o ...
dword_6C2670	dd ?			; DATA XREF: PopCurrentPowerState(x)+2Br
					; PopCurrentPowerState(x):loc_76596Bw ...
byte_6C2674	db ?			; DATA XREF: PopCurrentPowerState(x)+24o
					; PopBatteryApplyCompositeState+1C5o ...
byte_6C2675	db ?			; DATA XREF: PopBatteryApplyCompositeState+A0645w
byte_6C2676	db ?			; DATA XREF: PopBatteryApplyCompositeState+A0653w
byte_6C2677	db ?			; DATA XREF: PopBatteryApplyCompositeState+A069Ew
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C267B	db ?			; DATA XREF: PopBatteryApplyCompositeState+1E1w
dword_6C267C	dd ?			; DATA XREF: PopBatteryApplyCompositeState+A066Cw
dword_6C2680	dd ?			; DATA XREF: PopBatteryApplyCompositeState+A0676w
dword_6C2684	dd ?			; DATA XREF: PopBatteryApplyCompositeState+A0680w
dword_6C2688	dd ?			; DATA XREF: PopBatteryApplyCompositeState+A068Aw
dword_6C268C	dd ?			; DATA XREF: PopBatteryApplyCompositeState+A0694w
dword_6C2690	dd ?			; DATA XREF: PopBatteryApplyCompositeState+A06A4w
		align 8
dword_6C2698	dd ?			; DATA XREF: PopAccountCbEnergyChange:loc_86947Fr
					; PopGetEnergyCounter(x)+21o ...
		align 10h
dword_6C26A0	dd ?			; DATA XREF: PopAccountCbEnergyChange+6Dr
					; PopAccountCbEnergyChange+A0549r
dword_6C26A4	dd ?			; DATA XREF: PopAccountCbEnergyChange+79r
					; PopAccountCbEnergyChange+A0555r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopAction	db ?			; DATA XREF: PopInternalAddToDumpFile(x,x,x)+53o
					; PAGELK:0071ED72r ...
byte_6C26C1	db ?			; DATA XREF: PopSetPowerActionState(x)+3r
					; PopSetPowerActionState(x)+Dw	...
byte_6C26C2	db ?			; DATA XREF: PAGELK:loc_71EDD7w
					; PAGELK:loc_71EF0Ar ...
		align 4
dword_6C26C4	dd ?			; DATA XREF: PopActionRetrieveInitialState+5r
					; PAGELK:0071ECD3w ...
dword_6C26C8	dd ?			; DATA XREF: PAGELK:0071EDB2o
					; PAGELK:0071EE76r ...
dword_6C26CC	dd ?			; DATA XREF: PopActionRetrieveInitialState+5Dr
					; PopActionRetrieveInitialState:loc_5588DAr ...
dword_6C26D0	dd ?			; DATA XREF: PopPolicyWorkerAction+85w
					; PopExecutePowerAction+3C0w ...
dword_6C26D4	dd ?			; DATA XREF: PopActionRetrieveInitialState+69r
					; PAGELK:0071EAF0r ...
dword_6C26D8	dd ?			; DATA XREF: PAGELK:0071EFF8r
					; PopIssueActionRequest+114r ...
byte_6C26DC	db ?			; DATA XREF: PAGELK:0071EF4Cw
					; PAGELK:loc_71F094w ...
byte_6C26DD	db ?			; DATA XREF: PAGELK:loc_71F1CFw
					; PopSetDevicesSystemState+12r	...
		align 10h
dword_6C26E0	dd ?			; DATA XREF: PopPowerActionWatchdog(x,x,x,x)+72r
					; PopInvokeSystemStateHandler+1A7r ...
dword_6C26E4	dd ?			; DATA XREF: PAGELK:0071EE5Bo
					; PAGELK:0071EE68w ...
dword_6C26E8	dd ?			; DATA XREF: PoBroadcastSystemState+274r
					; PoBroadcastSystemState:loc_71E81Cr ...
dword_6C26EC	dd ?			; DATA XREF: PAGELK:loc_71F8DCw
					; PAGELK:0071F8FFr ...
dword_6C26F0	dd ?			; DATA XREF: PoBroadcastSystemState+B1E0r
					; PopGracefulShutdown(x)+47r ...
dword_6C26F4	dd ?			; DATA XREF: PopInternalAddToDumpFile(x,x,x)+5Dr
					; PAGELK:0071EC91w ...
dword_6C26F8	dd ?			; DATA XREF: PoSetHiberRange+2Fr
					; PopGenerateMdl(x)+31r ...
		align 10h
dword_6C2700	dd ?			; DATA XREF: PopDiagTraceRtcWakeInfo+BEr
					; PAGELK:0071F1B4w ...
dword_6C2704	dd ?			; DATA XREF: PopDiagTraceRtcWakeInfo+B2r
					; PAGELK:0071F1B9w ...
dword_6C2708	dd ?			; DATA XREF: PAGELK:0071F16Bw
					; NtPowerInformation+1075o
dword_6C270C	dd ?			; DATA XREF: PAGELK:0071F178w
dword_6C2710	dd ?			; DATA XREF: PAGELK:0071FA38r
					; PAGELK:0071FA4Aw ...
dword_6C2714	dd ?			; DATA XREF: PAGELK:0071FA3Dr
					; PAGELK:0071FA54w ...
dword_6C2718	dd ?			; DATA XREF: PAGELK:0071F30Ar
					; PAGELK:0071F4CFw ...
		align 10h
dword_6C2720	dd ?			; DATA XREF: PAGELK:0071F4C2o
					; PAGELK:0071F4EFw ...
dword_6C2724	dd ?			; DATA XREF: PAGELK:0071F4FAw
					; PAGELK:0071F5B9w ...
dword_6C2728	dd ?			; DATA XREF: PopDiagTraceRtcWakeInfo+45r
					; PAGELK:0071F324r ...
dword_6C272C	dd ?			; DATA XREF: PopDiagTraceRtcWakeInfo+3Cr
					; PAGELK:0071F32Fr ...
dword_6C2730	dd ?			; DATA XREF: PAGELK:0071F34Fr
					; PAGELK:0071F4E4w ...
		align 8
dword_6C2738	dd ?			; DATA XREF: PAGELK:0071F510w
					; PAGELK:0071F5D8w ...
dword_6C273C	dd ?			; DATA XREF: PAGELK:0071F51Bw
					; PAGELK:0071F5E3w ...
dword_6C2740	dd ?			; DATA XREF: PopDiagTraceRtcWakeInfo+A7r
					; PAGELK:0071F7A2w ...
dword_6C2744	dd ?			; DATA XREF: PopDiagTraceRtcWakeInfo+9Br
					; PAGELK:0071F7A8w ...
dword_6C2748	dd ?			; DATA XREF: PAGELK:0071F505w
					; PAGELK:0071F61Dw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C2768	db ?			; DATA XREF: PAGELK:0071F0C6r
					; PAGELK:0071F0D3w ...
		align 10h
dword_6C2770	dd ?			; DATA XREF: PAGELK:0071F32Aw
					; PAGELK:loc_71F622r ...
dword_6C2774	dd ?			; DATA XREF: PAGELK:0071F335w
					; PAGELK:0071F62Ar ...
dword_6C2778	dd ?			; DATA XREF: PAGELK:0071F404r
					; PAGELK:0071F415w ...
dword_6C277C	dd ?			; DATA XREF: PAGELK:0071F409r
					; PAGELK:0071F41Bw ...
unk_6C2780	db    ?	;		; DATA XREF: PAGELK:0071EC3Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C2788	db ?			; DATA XREF: PopFastS4Check+A604Ar
		align 4
byte_6C278C	db ?			; DATA XREF: PAGELK:0071EE3Er
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C2791	db ?			; DATA XREF: PopFastS4Check+A603Dr
		db    ?	;
byte_6C2793	db ?			; DATA XREF: PAGELK:0071EE46r
		db    ?	;
		db    ?	;
byte_6C2796	db ?			; DATA XREF: PopFastS4Check+A6057r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C279E	db ?			; DATA XREF: PAGELK:loc_71EE36r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C27CC	dd ?			; DATA XREF: PopSetPowerActionWatchdogState+25o
					; PopSetPowerActionWatchdogState:loc_552F9Fo ...
unk_6C27D0	db    ?	;		; DATA XREF: PopSetPowerActionWatchdogState+9Fo
					; PopWatchdogInit()+3Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C27F0	db    ?	;		; DATA XREF: PopSetPowerActionWatchdogState+44o
					; PopSetPowerActionWatchdogState+84o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C2818	db ?			; DATA XREF: PopWatchdogInit()+46w
		align 4
dword_6C281C	dd ?			; DATA XREF: PopSetPowerActionWatchdogState+34r
					; PopSetPowerActionWatchdogState+62w ...
dword_6C2820	dd ?			; DATA XREF: PopSetPowerActionWatchdogState+56w
					; PopSetPowerActionWatchdogState+89w
dword_6C2824	dd ?			; DATA XREF: PopSetPowerActionWatchdogState+5Cw
					; PopSetPowerActionWatchdogState+7Ew
dword_6C2828	dd ?			; DATA XREF: PopPowerActionWatchdog(x,x,x,x)+38r
					; PopPolicyWorkerAction+27w ...
dword_6C282C	dd ?			; DATA XREF: PopPowerActionWatchdog(x,x,x,x)+41r
					; PopPolicyWorkerActionPromote+Bw ...
dword_6C2830	dd ?			; DATA XREF: PopPowerActionWatchdog(x,x,x,x)+4Ar
					; PopUnlockAfterSleepWorker(x)+8w ...
		align 8
_PopShutdownPowerOffPolicy db ?		; DATA XREF: PopReadShutdownPolicy()+A1w
					; PoBroadcastSystemState:loc_729585r ...
		align 4
_PopSleepCheckpointStatus dd ?		; DATA XREF: PopEnableSystemSleepCheckpoint()+2Co
					; PopEnableSystemSleepCheckpoint()+E9o	...
; void PopSleepStats
_PopSleepStats	db ?			; DATA XREF: PopCheckPowerSourceAfterRtcWakeTimerWorker(x)+17r
					; NtPowerInformation+13C5r ...
		align 8
dword_6C2848	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+40o
					; PopIssueActionRequest+12Fw ...
dword_6C284C	dd ?			; DATA XREF: PopIssueActionRequest+134w
dword_6C2850	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+3Bo
					; PAGELK:0071F822w
dword_6C2854	dd ?			; DATA XREF: PAGELK:0071F827w
dword_6C2858	dd ?			; DATA XREF: PopUmpoSendFlushSleepStudyLoggerNotification()+10w
dword_6C285C	dd ?			; DATA XREF: PopUmpoSendFlushSleepStudyLoggerNotification()+15w
dword_6C2860	dd ?			; DATA XREF: PopUmpoSendFlushSleepStudyLoggerNotification()+4Cw
dword_6C2864	dd ?			; DATA XREF: PopUmpoSendFlushSleepStudyLoggerNotification()+51w
dword_6C2868	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+58o
					; PAGELK:0071F1A5w ...
dword_6C286C	dd ?			; DATA XREF: PAGELK:0071F19Cw
dword_6C2870	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+53o
					; PopIssueActionRequest+2D4w ...
dword_6C2874	dd ?			; DATA XREF: PopIssueActionRequest+2D9w
dword_6C2878	dd ?			; DATA XREF: PoBroadcastSystemState+2DDw
					; PopDiagTraceHiberStats+9Ao
dword_6C287C	dd ?			; DATA XREF: PoBroadcastSystemState+2E2w
dword_6C2880	dd ?			; DATA XREF: PoBroadcastSystemState+362w
					; PopDiagTraceHiberStats+A5o
dword_6C2884	dd ?			; DATA XREF: PoBroadcastSystemState+367w
dword_6C2888	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+76o
					; PopInvokeSystemStateHandler+D020w ...
dword_6C288C	dd ?			; DATA XREF: PopInvokeSystemStateHandler+D025w
					; PopDiagTraceFirmwareS3Stats()+131r ...
dword_6C2890	dd ?			; DATA XREF: PopResumeApps(x,x)+20w
					; PopDiagTracePerfTrackData+B7o
dword_6C2894	dd ?			; DATA XREF: PopResumeApps(x,x)+25w
dword_6C2898	dd ?			; DATA XREF: PopResumeApps(x,x)+4Ew
					; PopDiagTracePerfTrackData+ACo
dword_6C289C	dd ?			; DATA XREF: PopResumeApps(x,x)+53w
dword_6C28A0	dd ?			; DATA XREF: PopResumeServices(x,x)+21w
					; PopDiagTracePerfTrackData+8Do
dword_6C28A4	dd ?			; DATA XREF: PopResumeServices(x,x)+26w
dword_6C28A8	dd ?			; DATA XREF: PopResumeServices(x,x)+50w
					; PopDiagTracePerfTrackData+96o
dword_6C28AC	dd ?			; DATA XREF: PopResumeServices(x,x)+55w
dword_6C28B0	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+E7r
					; PopCheckpointSystemSleep+34w
dword_6C28B4	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+E1r
					; PopCheckpointSystemSleep+3Bw
dword_6C28B8	dd ?			; DATA XREF: PopWriteHiberPages+1F3w
					; PopRequestWrite+18Aw	...
dword_6C28BC	dd ?			; DATA XREF: PopWriteHiberPages+1FFw
					; PopRequestWrite+190w
dword_6C28C0	dd ?			; DATA XREF: PopRequestWrite+149w
					; PopRequestWrite+35Bw	...
dword_6C28C4	dd ?			; DATA XREF: PopRequestWrite+14Fw
					; PopRequestWrite+361w	...
dword_6C28C8	dd ?			; DATA XREF: PopGenerateMdl(x)+5Aw
					; PopSaveHiberContext+232w ...
dword_6C28CC	dd ?			; DATA XREF: PopGenerateMdl(x)+63w
					; PopSaveHiberContext+238w ...
dword_6C28D0	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+A2r
					; PopWriteImageHeader(x,x,x,x,x)+46w ...
dword_6C28D4	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+9Cr
					; PopWriteImageHeader(x,x,x,x,x)+57w ...
dword_6C28D8	dd ?			; DATA XREF: PopWriteImageHeader(x,x,x,x,x)+A8w
dword_6C28DC	dd ?			; DATA XREF: PopWriteImageHeader(x,x,x,x,x)+B2w
dword_6C28E0	dd ?			; DATA XREF: PopRequestWrite+1B8w
					; PopWriteImageHeader(x,x,x,x,x)+C2w
dword_6C28E4	dd ?			; DATA XREF: PopRequestWrite+1BEw
					; PopWriteImageHeader(x,x,x,x,x)+CCw
dword_6C28E8	dd ?			; DATA XREF: PopHiberChecksumHiberFileData+166w
dword_6C28EC	dd ?			; DATA XREF: PopHiberChecksumHiberFileData+16Dw
dword_6C28F0	dd ?			; DATA XREF: PopWriteChecksumPages(x)+9Dw
dword_6C28F4	dd ?			; DATA XREF: PopWriteChecksumPages(x)+A3w
dword_6C28F8	dd ?			; DATA XREF: PopDiagTracePerfTrackData+E1r
					; PopDiagTraceHiberStats+F1w
dword_6C28FC	dd ?			; DATA XREF: PopDiagTraceHiberStats+DEw
dword_6C2900	dd ?			; DATA XREF: PopWriteImageHeader(x,x,x,x,x)+6Cw
					; PopDiagTraceHiberStats+C4o ...
dword_6C2904	dd ?			; DATA XREF: PopWriteImageHeader(x,x,x,x,x)+71w
dword_6C2908	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+8Br
					; NtPowerInformation+138Er ...
		align 10h
dword_6C2910	dd ?			; DATA XREF: PopDiagTraceHiberStats+2B0r
		align 8
dword_6C2918	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+9Bw
					; PopHiberCheckResume+145w ...
dword_6C291C	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+ADw
					; PopHiberCheckResume+14Bw ...
dword_6C2920	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+65r
					; PopHiberCheckResume+12Cr
dword_6C2924	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+70r
					; PopHiberCheckResume+138r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C2940	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+B6r
dword_6C2944	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+C2r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C2988	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+48r
					; PopDiagComputeEarlyHiberStats()+57w ...
dword_6C298C	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+50r
					; PopDiagComputeEarlyHiberStats()+6Bw ...
dword_6C2990	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+38w
					; PopDiagTraceHiberStats+62r ...
dword_6C2994	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+3Dw
					; PopDiagTraceHiberStats+56r ...
dword_6C2998	dd ?			; DATA XREF: PopDiagTraceHiberStats+88w
					; PopDiagTraceHiberStats+294r ...
dword_6C299C	dd ?			; DATA XREF: PopDiagTraceHiberStats+9Fw
					; PopDiagTraceHiberStats+289r ...
dword_6C29A0	dd ?			; DATA XREF: PopHandleNextState(x,x)+185w
					; PopDiagComputeEarlyHiberStats()+88w
dword_6C29A4	dd ?			; DATA XREF: PopHandleNextState(x,x)+18Dw
					; PopDiagComputeEarlyHiberStats()+8Fw
unk_6C29A8	db    ?	;		; DATA XREF: PopInvokeSystemStateHandler+466o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C29B0	dd ?			; DATA XREF: PopInvokeSystemStateHandler+461o
					; PopDiagComputeEarlyHiberStats()+76r ...
dword_6C29B4	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+82r
					; PopDiagTraceHiberStats+5Cr
dword_6C29B8	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+5Fw
					; PopDiagTraceHiberStats+74r
dword_6C29BC	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+7Cw
					; PopDiagTraceHiberStats+80r
dword_6C29C0	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+95w
					; PopTransitionToSleep+113w
dword_6C29C4	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+A1w
					; PopTransitionToSleep+11Cw
dword_6C29C8	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+Cw
					; PopDiagComputeEarlyHiberStats()+A7w ...
dword_6C29CC	dd ?			; DATA XREF: PopDiagComputeEarlyHiberStats()+11w
					; PopDiagComputeEarlyHiberStats()+B2w ...
dword_6C29D0	dd ?			; DATA XREF: PAGELK:0071FB49w
					; PopDiagTraceHiberStats+94w ...
dword_6C29D4	dd ?			; DATA XREF: PAGELK:0071FB4Ew
					; PopDiagTraceHiberStats+AAw ...
dword_6C29D8	dd ?			; DATA XREF: PopRestoreHiberContext+3C7w
dword_6C29DC	dd ?			; DATA XREF: PopRestoreHiberContext+3CFw
dword_6C29E0	dd ?			; DATA XREF: PopRestoreHiberContext+287w
dword_6C29E4	dd ?			; DATA XREF: PopRestoreHiberContext+291w
dword_6C29E8	dd ?			; DATA XREF: PopRequestRead+1B2w
					; PopRestoreHiberContext+C226r
dword_6C29EC	dd ?			; DATA XREF: PopRequestRead+1B8w
					; PopRestoreHiberContext:loc_728C46r
dword_6C29F0	dd ?			; DATA XREF: PopRestoreHiberContext+2A1w
dword_6C29F4	dd ?			; DATA XREF: PopRestoreHiberContext+2ABw
dword_6C29F8	dd ?			; DATA XREF: PopRequestRead+11Aw
dword_6C29FC	dd ?			; DATA XREF: PopRequestRead+124w
dword_6C2A00	dd ?			; DATA XREF: PopRestoreHiberContext+158w
					; PopRestoreHiberContext+3B2r
dword_6C2A04	dd ?			; DATA XREF: PopRestoreHiberContext+160w
					; PopRestoreHiberContext+3BEr
dword_6C2A08	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+BCr
					; PopRestoreHiberContext+3AAw ...
dword_6C2A0C	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+C7r
					; PopRestoreHiberContext+3B8w ...
dword_6C2A10	dd ?			; DATA XREF: PopDecompressHiberBlocks+431r
					; PopDecompressHiberBlocks:loc_71D2B2r	...
dword_6C2A14	dd ?			; DATA XREF: PopDecompressHiberBlocks+43Cr
					; PopDecompressHiberBlocks+452r ...
dword_6C2A18	dd ?			; DATA XREF: PopRestoreHiberContext+2BBw
					; PopRequestRead+1DEw
dword_6C2A1C	dd ?			; DATA XREF: PopRestoreHiberContext+2C5w
					; PopRequestRead+1E8w
dword_6C2A20	dd ?			; DATA XREF: PopRestoreHiberContext+3EEw
					; PopDecompressHiberBlocks+418w
dword_6C2A24	dd ?			; DATA XREF: PopRestoreHiberContext+3F7w
					; PopDecompressHiberBlocks+41Ew
dword_6C2A28	dd ?			; DATA XREF: PopHiberChecksumHiberFileData+125w
dword_6C2A2C	dd ?			; DATA XREF: PopHiberChecksumHiberFileData+12Bw
dword_6C2A30	dd ?			; DATA XREF: PopHiberReadChecksums+1A9w
dword_6C2A34	dd ?			; DATA XREF: PopHiberReadChecksums+1AFw
dword_6C2A38	dd ?			; DATA XREF: PopDecompressHiberBlocks+74r
					; PopDecompressHiberBlocks+509w ...
dword_6C2A3C	dd ?			; DATA XREF: PopDecompressHiberBlocks+79r
					; PopDecompressHiberBlocks+50Ew ...
dword_6C2A40	dd ?			; DATA XREF: PoBroadcastSystemState+3D8w
					; PAGELK:0071F149o ...
dword_6C2A44	dd ?			; DATA XREF: PoBroadcastSystemState+3DDw
					; PAGELK:0071F13Ew
dword_6C2A48	dd ?			; DATA XREF: PopDiagTraceHiberStats+C9w
					; PopDiagTracePowerTransitionTime()+F6o ...
		align 10h
dword_6C2A50	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+13r
dword_6C2A54	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+1Dr
dword_6C2A58	dd ?			; DATA XREF: PopSaveHiberContext+3ABw
					; PopSaveHiberContext+B948w ...
dword_6C2A5C	dd ?			; DATA XREF: PopSaveHiberContext+3B5w
					; PopSaveHiberContext+B952w ...
dword_6C2A60	dd ?			; DATA XREF: PopSaveHiberContext+3BFw
					; PopRecordHibernateDiagnosticInfo(x)+63r ...
dword_6C2A64	dd ?			; DATA XREF: PopSaveHiberContext+3C9w
					; PopRecordHibernateDiagnosticInfo(x)+6Dr ...
dword_6C2A68	dd ?			; DATA XREF: PopSaveHiberContext+B97Cw
					; PopRecordHibernateDiagnosticInfo(x)+4Fr ...
dword_6C2A6C	dd ?			; DATA XREF: PopSaveHiberContext+B986w
					; PopRecordHibernateDiagnosticInfo(x)+59r ...
dword_6C2A70	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+8Br
					; PopWriteImageHeader(x,x,x,x,x)+F9w
dword_6C2A74	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+95r
					; PopWriteImageHeader(x,x,x,x,x)+105w
dword_6C2A78	dd ?			; DATA XREF: PopSaveHiberContext+B990w
					; PopRecordHibernateDiagnosticInfo(x)+3Br ...
dword_6C2A7C	dd ?			; DATA XREF: PopSaveHiberContext+B998w
					; PopRecordHibernateDiagnosticInfo(x)+45r ...
dword_6C2A80	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+77r
					; PopWriteImageHeader(x,x,x,x,x)+111w ...
dword_6C2A84	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+81r
					; PopWriteImageHeader(x,x,x,x,x)+E1w ...
dword_6C2A88	dd ?			; DATA XREF: PopRequestWrite+1CAw
					; PopSaveHiberContext:loc_728F27r ...
dword_6C2A8C	dd ?			; DATA XREF: PopRequestWrite+1D6w
					; PopSaveHiberContext+B981r ...
dword_6C2A90	dd ?			; DATA XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+82r
					; PopWriteHiberPages+205w ...
dword_6C2A94	dd ?			; DATA XREF: PopWriteImageHeader(x,x,x,x,x)+5Fw
dword_6C2A98	dd ?			; DATA XREF: PopDiagTraceHiberStats+BAw
dword_6C2A9C	dd ?			; DATA XREF: PopDiagTraceHiberStats+B0w
dword_6C2AA0	dd ?			; DATA XREF: NtPowerInformation+1399r
					; PopDiagTracePerfTrackData+119r ...
dword_6C2AA4	dd ?			; DATA XREF: NtPowerInformation+13A4r
					; PopDiagTraceHiberStats+2BDw
dword_6C2AA8	dd ?			; DATA XREF: NtPowerInformation+13AFr
					; PopDiagTraceHiberStats+3AEw ...
dword_6C2AAC	dd ?			; DATA XREF: NtPowerInformation+13BAr
					; PopDiagTraceHiberStats+3B7w
dword_6C2AB0	dd ?			; DATA XREF: PopCheckPowerSourceAfterRtcWakeTimerWorker(x)+5Dr
					; PopIssueActionRequest+2F4w
dword_6C2AB4	dd ?			; DATA XREF: PopCheckPowerSourceAfterRtcWakeTimerWorker(x)+57r
					; PopIssueActionRequest+309w
_PopOsInitPhase	dd ?			; DATA XREF: PopInitilizeAcDcSettings+62r
					; PopSetPowerSettingValue+D1r ...
_PopIrpLock	dd ?			; DATA XREF: PoQueryWatchdogTime+34o
					; PopFreeIrp(x)+16o ...
_PopIrpList	dd ?			; DATA XREF: PopAllocateIrp+1A4o
					; PopIrpWatchdogBugcheck(x)+71o ...
dword_6C2AC4	dd ?			; DATA XREF: PopAllocateIrp+19Fr
					; PopAllocateIrp+1BBw ...
_PopInrushIrpList dd ?			; DATA XREF: PopDequeueQuerySetIrp:loc_5E1CA5r
					; PopDequeueQuerySetIrp:loc_5E1D48o ...
dword_6C2ACC	dd ?			; DATA XREF: PopQueueQuerySetIrp:loc_5E2341r
					; PopQueueQuerySetIrp+85405w ...
_PopCsResiliencyStatsLock dd ?		; DATA XREF: PopDeepSleepResiliencyPhaseAccountingUpdate+1Do
					; PopDeepSleepResiliencyPhaseAccountingUpdate+41o ...
_PopIrpSerialLock dd ?			; DATA XREF: PoSetPowerState+19o
					; PoSetPowerState+5Bo ...
_PpmIdlePolicyLock dd ?			; DATA XREF: PpmIdleUsingStateSelection()+10o
					; PoGetIdleTimes(x,x,x)+49o ...
dword_6C2ADC	dd ?			; DATA XREF: PpmIdleUsingStateSelection():loc_43D78Er
					; PpmIdleUsingStateSelection():loc_43D7AEw ...
_PpmIdleVetoLock dd ?			; DATA XREF: PpmInstallNewIdleStates:loc_574A01o
					; PpmInstallNewIdleStates+304o	...
_PpmParkStateLock dd ?			; DATA XREF: PpmParkRegisterParking+2Ao
					; PpmParkRegisterParking+70o ...
_PopWorkerLock	dd ?			; DATA XREF: PoInitSystem+222w
		align 10h
_PowerStateDisableReasonListHead dd ?	; DATA XREF: PopCheckDisabledState(x)r
					; PopCheckDisabledState(x)+8o ...
dword_6C2AF4	dd ?			; DATA XREF: PopLogSleepDisabled:loc_8B0A14r
					; PopLogSleepDisabled+97w ...
_PopDopeGlobalLock dd ?			; DATA XREF: PopDisksRegisteredForIdle+18o
					; PoRegisterDeviceForIdleDetection+25o	...
		align 10h
_PopIdleDetectList dd ?			; DATA XREF: PopDisksRegisteredForIdle+26r
					; PopDisksRegisteredForIdle+2Bo ...
dword_6C2B04	dd ?			; DATA XREF: PoRegisterDeviceForIdleDetection+D419Cr
					; PoRegisterDeviceForIdleDetection+D41ADw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmPerfPolicyLock dd ?			; DATA XREF: PpmCheckStart:loc_48719Eo
					; PpmCheckRun(x,x,x,x):loc_48E730o ...
unk_6C2B24	db    ?	;		; DATA XREF: PpmCheckPeriodicStart(x,x,x,x)+13o
					; PpmTryAcquireLock(x)+1Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopIrpSerialList dd ?			; DATA XREF: PoInitSystem+21Do
					; PoInitSystem+22Fw
dword_6C2B3C	dd ?			; DATA XREF: PoInitSystem+22Aw
_PopRequestedIrps dd ?			; DATA XREF: PoInitSystem+234o
					; PoInitSystem+245w
dword_6C2B44	dd ?			; DATA XREF: PoInitSystem+240w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopVolumeLock	db    ?	;		; DATA XREF: IoDeleteDevice+D4183o
					; IoDeleteDevice+D41FAo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopVolumeDevices dd ?			; DATA XREF: PopFlushVolumes+EAr
					; PopFlushVolumes:loc_722ACAo ...
dword_6C2B84	dd ?			; DATA XREF: PopFlushVolumeWorker+81r
					; PopFlushVolumeWorker+A2w ...
_PopSwitches	dd ?			; DATA XREF: PoInitSystem+33Fo
					; PoInitSystem+349w
dword_6C2B8C	dd ?			; DATA XREF: PoInitSystem+344w
_PopFans	dd ?			; DATA XREF: .data:006B2FC4o
					; PoInitSystem+34Eo ...
dword_6C2B94	dd ?			; DATA XREF: PoInitSystem+356w
_PopThermal	dd ?			; DATA XREF: PopThermalTraceRundownEvents()+11r
					; PopThermalTraceRundownEvents()+17o ...
dword_6C2B9C	dd ?			; DATA XREF: PoInitSystem+360w
_PopActionWaiters dd ?			; DATA XREF: PopPolicyWorkerAction+90r
					; PopPolicyWorkerAction:loc_85B6EEo ...
dword_6C2BA4	dd ?			; DATA XREF: PopExecutePowerAction+363r
					; PopExecutePowerAction+37Fw ...
_PopWorkerSpinLock dd ?			; DATA XREF: PopCheckForWork+2Ao
					; PopPolicyWorkerThread+12o ...
		align 10h
_PopPolicyWorker dd ?			; DATA XREF: PopCheckForWork+4Ao
					; PoInitSystem+304w
		align 8
dword_6C2BB8	dd ?			; DATA XREF: PoInitSystem+2F0w
dword_6C2BBC	dd ?			; DATA XREF: PoInitSystem+2FAw
_PopWorkerStatus dd ?			; DATA XREF: PopCheckForWork+5r
					; PopCheckForWork+38r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPolicyLock	db    ?	;		; DATA XREF: PopAcquirePolicyLock()+1Eo
					; PopReleasePolicyLock()+Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopAwaymodeLock dd ?			; DATA XREF: PopReleaseAwaymodeLock()+17o
					; PopAcquireAwaymodeLock()+10o	...
; void *PopPolicy
_PopPolicy	dd ?			; DATA XREF: PopActionRetrieveInitialState+39r
					; PopVideoPowerSettingCallback(x,x,x,x)+3Er ...
_PopPowerSettingValues db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
; void unk_6C2C24
unk_6C2C24	db    ?	;		; DATA XREF: NtPowerInformation:loc_8D5F7Eo
					; PoInitSystem+385o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; int dword_6C2D0C
dword_6C2D0C	dd ?			; DATA XREF: PpmParkDistributeAllUtility()+6r
					; PoIdle(x)+24r ...
byte_6C2D10	db ?			; DATA XREF: PopIssueActionRequest+43r
					; PopReadSystemAwayModePolicy+87w ...
byte_6C2D11	db ?			; DATA XREF: NtPowerInformation+FA2r
					; PopIssueActionRequest+4Fr ...
byte_6C2D12	db ?			; DATA XREF: PopReadSystemAwayModePolicy+44r
					; PopAllowAwayModeSettingCallback+3Fw ...
		align 4
unk_6C2D14	db    ?	;		; DATA XREF: PopUserPresentSet+32o
					; PopUserPresentSetWorker+29o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C2D18	dd ?			; DATA XREF: PopIssueActionRequest:loc_90226Ar
					; PipCslStateChangeCallback+9B87Do
byte_6C2D1C	db ?			; DATA XREF: PopSleepPowerSettingCallback+152w
					; PopFastS4Check:loc_905BF8r
byte_6C2D1D	db ?			; DATA XREF: PopFilterCapabilities:loc_7956C5r
					; PopSleepPowerSettingCallback+175w
		align 10h
dword_6C2D20	dd ?			; DATA XREF: PopPolicySystemIdle()+7Br
					; PopInitSIdle+55r ...
dword_6C2D24	dd ?			; DATA XREF: PopScanIdleList(x,x,x)+21r
					; PopHardDiskPowerSettingCallback+C2w
dword_6C2D28	dd ?			; DATA XREF: PopScanIdleList(x,x,x)+19r
					; PopDeviceIdlePolicySettingCallback(x,x,x,x)+2Fw
dword_6C2D2C	dd ?			; DATA XREF: PopVideoBrightnessSettingsCallback+A9w
					; NtPowerInformation+FBCr ...
dword_6C2D30	dd ?			; DATA XREF: PopVideoBrightnessSettingsCallback+C4w
					; NtPowerInformation+FC7r ...
dword_6C2D34	dd ?			; DATA XREF: PopVideoBrightnessSettingsCallback+EDw
					; NtPowerInformation+FD2r ...
dword_6C2D38	dd ?			; DATA XREF: NtPowerInformation+FDDr
					; PoInitSystem+4B6w
dword_6C2D3C	dd ?			; DATA XREF: PopVideoBrightnessSettingsCallback+108w
					; NtPowerInformation+FE8r ...
dword_6C2D40	dd ?			; DATA XREF: PopVideoBrightnessSettingsCallback+123w
					; NtPowerInformation+FF3r ...
byte_6C2D44	db ?			; DATA XREF: PopSwitchForcedShutdownSettingCallback(x,x,x,x)+37w
					; PopExecutePowerAction+A6C09r
		align 4
dword_6C2D48	dd ?			; DATA XREF: PopThermalCoolingPowerSettingCallback:loc_564D80r
					; PopThermalCoolingPowerSettingCallback+91w
byte_6C2D4C	db ?			; DATA XREF: PpmMediaBufferingWorker+32r
					; PpmMediaBufferingWorker+3Ew ...
byte_6C2D4D	db ?			; DATA XREF: PopWnfAudioCallback+48w
					; PopWnfAudioCallback:loc_858608r ...
byte_6C2D4E	db ?			; DATA XREF: PopFxGetLatencyLimitWithoutResiliency()r
					; PopWnfFullscreenVideoCallback(x,x,x,x,x,x)+4Ar ...
		align 10h
dword_6C2D50	dd ?			; DATA XREF: PopEsSnapTelemetry+9Fr
					; PopEsWorker+126r ...
byte_6C2D54	db ?			; DATA XREF: PopEsEvaluateNextState:loc_86E18Ar
					; PopEsPowerSettingPolicyCallback+5Ar ...
byte_6C2D55	db ?			; DATA XREF: PopEsSnapTelemetry+A9r
					; PopEsWorker+11Br ...
		align 4
dword_6C2D58	dd ?			; DATA XREF: PopNetCheckOpportunisticDs+3r
					; PopNetCheckUserConnectivityPolicy()r	...
dword_6C2D5C	dd ?			; DATA XREF: PopPowerAggregatorCachePoPolicy(x)+Dr
					; PopNetDisconnectedStandbyModeCallback(x,x,x,x)+1Ew
dword_6C2D60	dd ?			; DATA XREF: PopUserPresencePredictionModeCallback+42w
					; PopUserPresencePredictionModeCallback+835C7w
byte_6C2D64	db ?			; DATA XREF: PopWnfAirplaneModeCallback+5Bw
					; PopDiagTraceCsResiliencyEnter(x,x,x)+39r
byte_6C2D65	db ?			; DATA XREF: PopWnfBluetoothChargingCallback(x,x,x,x,x,x)+55w
					; PopDiagTraceCsResiliencyEnter(x,x,x)+65r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PopAdminPolicy
_PopAdminPolicy	dd ?			; DATA XREF: PopVerifySystemPowerPolicy:loc_88740Br
					; NtPowerInformation:loc_8D5FF6o ...
dword_6C2D84	dd ?			; DATA XREF: PopVerifySystemPowerPolicy:loc_887419r
					; PoInitSystem+3A9w
dword_6C2D88	dd ?			; DATA XREF: PopVerifySystemPowerPolicy+8Cr
					; PoInitSystem+3B3w
dword_6C2D8C	dd ?			; DATA XREF: PopVerifySystemPowerPolicy:loc_88743Ar
					; PoInitSystem+395w
dword_6C2D90	dd ?			; DATA XREF: PopVerifySystemPowerPolicy+AEr
					; PoInitSystem+3B9w
dword_6C2D94	dd ?			; DATA XREF: PopVerifySystemPowerPolicy:loc_88745Cr
					; PoInitSystem+39Cw
; int PopFullWake
_PopFullWake	dd ?			; DATA XREF: PopUserPresentSet+45r
					; PopUserPresentSet:loc_563F54o ...
		align 10h
_PopPowerStateHandlers dd ?		; DATA XREF: PopInvokeSystemStateHandler+95r
					; NtPowerInformation:loc_765131r
byte_6C2DA4	db ?			; DATA XREF: NtPowerInformation+1173r
word_6C2DA5	dw ?			; DATA XREF: NtPowerInformation+DFBw
byte_6C2DA7	db ?			; DATA XREF: NtPowerInformation+E04w
dword_6C2DA8	dd ?			; DATA XREF: PopInvokeSystemStateHandler+9Fr
					; PAGELK:0071EEF7r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C2DE0	dd ?			; DATA XREF: PoInitSystem+44Bw
byte_6C2DE4	db ?			; DATA XREF: PoInitSystem+455w
		align 4
dword_6C2DE8	dd ?			; DATA XREF: PopShutdownSystem(x)+77w
					; NtPowerInformation+11DFr ...
		align 10h
unk_6C2DF0	db    ?	;		; DATA XREF: PopInvokeSystemStateHandler+CEECo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C2DF8	dd ?			; DATA XREF: PopInvokeSystemStateHandler+CEE5r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopCapabilities db ?			; DATA XREF: PopCheckAndHandleThermalConditions+829CCo
					; PopCaptureSleepStudyStatistics(x,x,x,x)+3A3o	...
unk_6C2E21	db    ?	;		; DATA XREF: PdcPoReportButton+A1412r
					; PdcPoReportButton+A141Fw ...
byte_6C2E22	db ?			; DATA XREF: PdcPoReportButton+A144Ar
					; PdcPoReportButton+A1457w ...
byte_6C2E23	db ?			; DATA XREF: PopVerifySystemPowerState+76r
					; PopVerifySystemPowerState+93r ...
word_6C2E24	dw ?			; DATA XREF: PopVerifySystemPowerState+A4r
					; NtPowerInformation+171E00o ...
byte_6C2E26	db ?			; DATA XREF: NtPowerInformation+120Do
					; PopVerifySystemPowerState:loc_86CCC1r ...
byte_6C2E27	db ?			; DATA XREF: NtPowerInformation+E3Bo
					; PopSleepPowerSettingCallback+A1292r ...
byte_6C2E28	db ?			; DATA XREF: PopUnlockAfterSleepWorker(x)+64r
					; PopVerifySystemPowerState+5Ar ...
byte_6C2E29	db ?			; DATA XREF: NtPowerInformation+8E2w
byte_6C2E2A	db ?			; DATA XREF: PopVideoBrightnessSettingsCallback+7F44Bw
		db    ?	;
		db    ?	;
byte_6C2E2D	db ?			; DATA XREF: PopThermalZoneAdd+D9r
					; PopThermalZoneAdd+E2w ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C2E31	db    ?	;		; DATA XREF: NtPowerInformation+1166o
					; PoInitSystem+2384Dw
byte_6C2E32	db ?			; DATA XREF: PopEnableHiberFile(x,x)+150w
					; PopEnableHiberFile(x,x)+3DAw
byte_6C2E33	db ?			; DATA XREF: .text:loc_5F28DDr
					; PopNotifyPolicyDevice+A19DCr	...
byte_6C2E34	db ?			; DATA XREF: PoFxSendSystemLatencyUpdate+Ar
					; PopPowerRequestCleanUp(x)+62r ...
byte_6C2E35	db ?			; DATA XREF: NtPowerInformation+8ECw
byte_6C2E36	db ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+7r
					; PopAdjustHiberFile(x)+49w ...
byte_6C2E37	db ?			; DATA XREF: PopPdcCsCheckSystemVolumeDevice+F636w
					; PopPdcCsCheckSystemVolumeDevice:loc_AEB611w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C2E3E	db ?			; DATA XREF: PopBatteryAdd(x)+2Cr
					; PopBatteryAdd(x)+35w	...
byte_6C2E3F	db ?			; DATA XREF: PopBatteryUpdateCompositeInformation()+D2r
					; PopBatteryUpdateCompositeInformation()+DBw
dword_6C2E40	dd ?			; DATA XREF: PoInitSystem+237F2w
dword_6C2E44	dd ?			; DATA XREF: PoInitSystem+237FCw
dword_6C2E48	dd ?			; DATA XREF: PoInitSystem+23806w
dword_6C2E4C	dd ?			; DATA XREF: PoInitSystem+23810w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C2E58	db ?			; DATA XREF: PopDiagTraceDozeDeferralDecision(x,x,x,x,x,x,x,x,x)+22Fr
		align 10h
dword_6C2E60	dd ?			; DATA XREF: .text:loc_53E4D9r
					; NtPowerInformation+1180r ...
		align 8
dword_6C2E68	dd ?			; DATA XREF: PoInitSystem+23824w
_PopAggressiveStandbyEnabledActions dd ?
					; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+468r
					; PopPowerAggregatorEngageAggressiveStandbyActions(x,x)+35r ...
_PopTimeBrokerServiceSid dd ?		; DATA XREF: PopPowerInformationInternal+2B4r
					; PopCreateTimebrokerServiceSid+78w
_PpmHighPerfRequestLock	dd ?		; DATA XREF: PpmEndHighPerfRequest+16o
					; PpmEndHighPerfRequest+BDo ...
		align 10h
_PpmHighPerfEndDpc db	 ? ;		; DATA XREF: PpmEndHighPerfRequest+ACo
					; PopInitializeHighPerfPowerRequest+12o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmHighPerfEndTimer db	   ? ;		; DATA XREF: PpmEndHighPerfRequest+B3o
					; PpmDisableHighPerfRequestDeferredExpiration(x)+23o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmHighPerfPowerRequest dd ?		; DATA XREF: PpmEndHighPerfRequest:loc_5646F3r
					; PpmHighPerfRequestExpiration:loc_5651D6r ...
		align 10h
_PoHiberFileRoot dd ?			; DATA XREF: IopLoadCrashdumpDriver+6Fo
					; PopValidateHiberFileSize+9Co	...
; void *dword_6C2ED4
dword_6C2ED4	dd ?			; DATA XREF: PopBcdSetupResumeObject+54r
_PopShutdownCleanly dd ?		; DATA XREF: PoBroadcastSystemState+B20Dr
					; MiShutdownSystem():loc_72EDB7r ...
_PopSleepStudyDisabled dd ?		; DATA XREF: PoFxInitPowerManagement+FAr
					; INIT:00AF40D0o
_PopThermalPollingMode dd ?		; DATA XREF: PopThermalPollingPowerSettingCallback:loc_57D4DDr
					; PopThermalZoneAdd+13r ...
_PopCheckpointSystemSleepEnabledReg dd ? ; DATA	XREF: PopEnableSystemSleepCheckpoint()+42r
					; INIT:00AF4B98o
_PopCheckpointSystemSleepSimulateFlags dd ?
					; DATA XREF: PopCheckpointSystemSleep:loc_729472r
					; PopClearSystemSleepCheckpoint:loc_903281r ...
_PopSimulate	dd ?			; DATA XREF: PopDisksRegisteredForIdle+5r
					; PopWakeDeviceList+119r ...
_PopSimulateHiberBugcheck dd ?		; DATA XREF: KeBugCheck2(x,x,x,x,x,x):loc_61BD84r
					; PopInvokeSystemStateHandler+263r ...
_PopUserShutdownInProgress db ?		; DATA XREF: PopPolicySystemIdle()+9Er
					; PopTraceSystemIdleUpdate(x,x,x,x,x,x,x,x,x,x,x,x)+4Ar ...
		align 4
_PopUserShutdown db    ? ;		; DATA XREF: PopPowerActionWatchdog(x,x,x,x)+86o
					; PopUserShutdownDelayWorkerCallback(x)+2o
		db    ?	;
		db    ?	;
		db    ?	;
byte_6C2EFC	db ?			; DATA XREF: PoUserShutdownInitiated+59r
					; PoUserShutdownInitiated+94w
		align 10h
_PopUserShutdownDelayDpc db    ? ;	; DATA XREF: PoUserShutdownInitiated+8Ao
					; PoUserShutdownInitiated+B2o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopUserShutdownDelayTimer db	 ? ;	; DATA XREF: PoUserShutdownInitiated+60o
					; PopUserShutdownCancelled(x)+16o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopUserShutdownDelayWorker dd ?	; DATA XREF: PopPowerActionWatchdog(x,x,x,x)+94o
					; PoUserShutdownInitiated+79w
		align 8
dword_6C2F58	dd ?			; DATA XREF: PoUserShutdownInitiated+69w
dword_6C2F5C	dd ?			; DATA XREF: PoUserShutdownInitiated+73w
_PopTtmIsSxCompleteNotificationPending db ? ; DATA XREF: PopIssueActionRequest+A78BAr
					; PopIssueActionRequest+A78D9w	...
_PopTtmIsSxTransitionInProgress	db ?	; DATA XREF: PopIssueActionRequest+A78B4w
					; PopExecutePowerAction:loc_902990w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopAwayModeUserPresenceDpcObject db	? ; ; DATA XREF: PipCslStateChangeCallback+9B88Co
					; PopSetSystemAwayMode(x)+70o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; int PopUserPresentSetStatus
_PopUserPresentSetStatus dd ?		; DATA XREF: PopUserPresentSet+28o
					; PopUserPresentSet+81BCBr ...
		align 10h
_PopUserPresentCompletedEvent db    ? ;	; DATA XREF: PopUserPresentSet+81C1Ao
					; PopUserPresentSetWorker+9B751o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopBgkResumePrepared db ?		; DATA XREF: PopFreeHiberContext:loc_85D841r
					; PopFreeHiberContext+14Cw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PopHibernateDiagnosticInfo
_PopHibernateDiagnosticInfo db ?	; DATA XREF: PopWriteHiberPages+CF0Eo
					; PopRequestWrite+C55Fo ...
		align 8
dword_6C2FE8	dd ?			; DATA XREF: PopEnlargeHiberFile(x)+24w
dword_6C2FEC	dd ?			; DATA XREF: PopEnlargeHiberFile(x)+2Ew
dword_6C2FF0	dd ?			; DATA XREF: PopEnlargeHiberFile(x)+73w
dword_6C2FF4	dd ?			; DATA XREF: PopEnlargeHiberFile(x)+79w
dword_6C2FF8	dd ?			; DATA XREF: PopEnlargeHiberFile(x)+63w
dword_6C2FFC	dd ?			; DATA XREF: PopEnlargeHiberFile(x)+6Bw
dword_6C3000	dd ?			; DATA XREF: PopEnlargeHiberFile(x)+7Fw
dword_6C3004	dd ?			; DATA XREF: PopEnlargeHiberFile(x)+84w
dword_6C3008	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+18w
dword_6C300C	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+22w
dword_6C3010	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+2Cw
dword_6C3014	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+36w
dword_6C3018	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+40w
dword_6C301C	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+4Aw
dword_6C3020	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+54w
dword_6C3024	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+5Ew
dword_6C3028	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+68w
dword_6C302C	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+72w
dword_6C3030	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+7Cw
dword_6C3034	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+86w
dword_6C3038	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+90w
dword_6C303C	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+9Aw
dword_6C3040	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+A4w
dword_6C3044	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+B0w
dword_6C3048	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+BAw
dword_6C304C	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+CBw
					; PopRecordHibernateDiagnosticInfo(x)+EEw
dword_6C3050	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+D1w
					; PopRecordHibernateDiagnosticInfo(x)+FFw
dword_6C3054	dd ?			; DATA XREF: PopRecordHibernateDiagnosticInfo(x)+C6w
dword_6C3058	dd ?			; DATA XREF: PopTransitionToSleep+C5w
byte_6C305C	db ?			; DATA XREF: PopTransitionToSleep+B9w
byte_6C305D	db ?			; DATA XREF: PopTransitionToSleep+BFw
		align 10h
_PopHiberScratchPages dd ?		; DATA XREF: PopWriteHeaderPages+3Cr
					; PopWriteHeaderPages+86r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PoWakeState	db    ?	;		; DATA XREF: PopSaveHiberContextWrapper(x)+Eo
					; PopSaveHiberContext+19Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopWatchdogTimerCount dd ?		; DATA XREF: PopWriteHiberPages+45r
					; PopWriteHiberPages:loc_71B7A8w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopHibernateSystemContext dd ?		; DATA XREF: PopInvokeSystemStateHandler+128w
					; PopInvokeSystemStateHandler+172o ...
dword_6C33C4	dd ?			; DATA XREF: PopInvokeSystemStateHandler+136w
dword_6C33C8	dd ?			; DATA XREF: PopInvokeSystemStateHandler+16Cw
dword_6C33CC	dd ?			; DATA XREF: PopInvokeSystemStateHandler+177w
dword_6C33D0	dd ?			; DATA XREF: PopInvokeSystemStateHandler+13Fw
dword_6C33D4	dd ?			; DATA XREF: PopInvokeSystemStateHandler+148w
byte_6C33D8	db ?			; DATA XREF: PopInvokeSystemStateHandler+151w
		align 4
dword_6C33DC	dd ?			; DATA XREF: PopInvokeSystemStateHandler+15Aw
					; PAGELK:00720B13w
dword_6C33E0	dd ?			; DATA XREF: PAGELK:00720B68r
					; PAGELK:loc_720B85r
dword_6C33E4	dd ?			; DATA XREF: PopInvokeSystemStateHandler+17Dw
					; PAGELK:00720B21w
dword_6C33E8	dd ?			; DATA XREF: PopInvokeSystemStateHandler+163w
					; PAGELK:00720B18w
		align 10h
dword_6C33F0	dd ?			; DATA XREF: PopInvokeSystemStateHandler+12Do
					; PAGELK:00720B32w ...
dword_6C33F4	dd ?			; DATA XREF: PAGELK:00720B38w
_PopSecureLaunched db ?			; DATA XREF: PopBuildMemoryImageHeader(x,x)+BBr
					; PoInitSystem+237DAw
		align 4
_PopHiberLoaderScratchPages dd ?	; DATA XREF: PopAllocateHiberContext+52r
					; PoInitSystem+7A3w
_PopHiberResumeXhciHandoffSkip db ?	; DATA XREF: PopWriteHeaderPages+A6r
					; PoInitSystem+7B0w
		align 4
_PopForceMinimalHiberFile dd ?		; DATA XREF: PopTransitionToSleep:loc_72061Br
					; INIT:00AF43B8o
_PopEnableMinimalHiberFile dd ?		; DATA XREF: PopTransitionToSleep:loc_729944r
					; PopDiagTracePerfTrackData:loc_9030ADr ...
		align 10h
_PopWakeSourceAvailable	db    ?	;	; DATA XREF: PopNewWakeInfo+94o
					; PopHandleWakeSources+70E9o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopWakeSourceWorkInProgress db	?	; DATA XREF: PopTimeoutWakeTracking+5Ar
					; PopUpdateWakeSource(x)+8Cr ...
		align 8
_PopWakeSourceWorkList dd ?		; DATA XREF: PopTimeoutWakeTracking+88D90o
					; PopUpdateWakeSource(x)+76o ...
dword_6C342C	dd ?			; DATA XREF: PopTimeoutWakeTracking:loc_5E0013r
					; PopUpdateWakeSource(x)+71r ...
_PopWakeSourceWorkItem dd ?		; DATA XREF: PopUpdateWakeSource(x)+A0o
					; PopWakeSourceInit()+4Aw
		align 8
dword_6C3438	dd ?			; DATA XREF: PopWakeSourceInit()+5Aw
dword_6C343C	dd ?			; DATA XREF: PopWakeSourceInit()+44w
_PopFixedWakeSourceMask	dd ?		; DATA XREF: PopDiagTraceRtcWakeInfo+15r
					; PopHandleWakeSources+11r ...
_PopWakeInfoCount dd ?			; DATA XREF: PopTimeoutWakeTracking+D9w
					; PopGetCurrentWakeInfos+24r ...
_PopWakeInfoList dd ?			; DATA XREF: PopTimeoutWakeTracking+C6r
					; PopTimeoutWakeTracking+CBo ...
dword_6C344C	dd ?			; DATA XREF: PopHandleWakeSources+71CBr
					; PopHandleWakeSources+71E9w ...
_PopCurrentWakeInfo dd ?		; DATA XREF: PopTimeoutWakeTracking+48r
					; PopTimeoutWakeTracking+54w ...
_PopPendingWakeInfo dd ?		; DATA XREF: PopTimeoutWakeTracking+61w
					; PopTimeoutWakeTracking+BEr ...
_PopWakeSourceLock dd ?			; DATA XREF: PopTimeoutWakeTracking+38o
					; PopTimeoutWakeTracking:loc_557336o ...
		align 10h
_PopSettingLock	dd ?			; DATA XREF: PopGetPowerSettingValue(x,x,x,x,x,x)+Ao
					; PopInitilizeAcDcSettings+3Bo	...
dword_6C3464	dd ?			; DATA XREF: PopInitializePowerSettings()+1Fw
dword_6C3468	dd ?			; DATA XREF: PopInitializePowerSettings()+31w
unk_6C346C	db    ?	;		; DATA XREF: PopInitializePowerSettings()+27o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPrimaryDisplayVisibleStateErratum dd ?
					; DATA XREF: PoRegisterPowerSettingCallback:loc_908A6Fo
					; PopInitializePowerSettings()+41o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPowerSettingCallbackReturned db    ? ; ; DATA XREF:	.text:005DE347o
					; PoUnregisterPowerSettingCallback+A950Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopCoalescingRegistration dd ?		; DATA XREF: PopCoalescingCallbackWorker(x):loc_9ABD72r
					; PopCoalescingInitialize()+15o
		align 10h
_PopCoalescingTimer db	  ? ;		; DATA XREF: PopCoalescingSetActiveState(x)+4Do
					; PopCoalescingSetTimer()+1Bo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopCoalescingTimerDpc db    ? ;	; DATA XREF: PopCoalescingSetTimer()+2Do
					; PopCoalescingInitialize()+46o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopCoalescingCallbackWorkItem dd ?	; DATA XREF: PopEnsureCoalescingWorkerWillRun()+Do
					; PopCoalescingInitialize()+26w
		align 8
dword_6C3528	dd ?			; DATA XREF: PopCoalescingInitialize()+Aw
dword_6C352C	dd ?			; DATA XREF: PopCoalescingInitialize()+20w
_PopCoalescingLastFlushTime dd ?	; DATA XREF: PopCoalescingCheck(x,x,x,x)+3Ar
					; PopCoalescingSetActiveState(x)+2Dw ...
dword_6C3534	dd ?			; DATA XREF: PopCoalescingCheck(x,x,x,x)+40r
					; PopCoalescingSetActiveState(x)+32w ...
_PopCoalescingState db ?		; DATA XREF: PopCoalescingSetActiveState(x):loc_64FAA9w
					; PopCoalescingSetActiveState(x):loc_64FACCw ...
		align 10h
_PopCoalRegistrationListLock dd	?	; DATA XREF: PoIssueCoalescingNotification(x,x,x)+30o
					; PoIssueCoalescingNotification(x,x,x)+A4o ...
dword_6C3544	dd ?			; DATA XREF: PoIssueCoalescingNotification(x,x,x)+92r
					; PoIssueCoalescingNotification(x,x,x)+9Bw ...
		align 10h
_PopShutdownEvent db	? ;		; DATA XREF: PopGracefulShutdown(x)+70o
					; PoRequestShutdownEvent(x)+24o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopShutdownListMutex dd ?		; DATA XREF: PopGracefulShutdown(x)+7Ao
					; PopRequestShutdownWait+2Ao ...
dword_6C3564	dd ?			; DATA XREF: PopInitShutdownList()+38w
dword_6C3568	dd ?			; DATA XREF: PopInitShutdownList()+3Ew
unk_6C356C	db    ?	;		; DATA XREF: PopInitShutdownList()+1Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopShutdownThreadList dd ?		; DATA XREF: PopGracefulShutdown(x):loc_72F513r
					; PopGracefulShutdown(x)+CEw ...
		align 8
_PopShutdownQueue dd ?			; DATA XREF: PopGracefulShutdown(x)+93o
					; PopGracefulShutdown(x)+A6w ...
dword_6C358C	dd ?			; DATA XREF: PoQueueShutdownWorkItem(x)+1Cr
					; PoQueueShutdownWorkItem(x)+3Cw ...
_PopIdleBackgroundIgnoreCount dd ?	; DATA XREF: PopScanIdleList(x,x,x)+1F4r
					; PopScanIdleList(x,x,x)+1FFw ...
_PopBackgroundTaskIgnoreCount dd ?	; DATA XREF: PopScanIdleList(x,x,x):loc_596F33r
					; PopScanIdleList(x,x,x)+20Fw ...
_PopTimeBrokerExpirationDueTime	dd ?	; DATA XREF: PopDiagGetTimeBrokerExpirationReason(x,x)+5r
					; PopPowerInformationInternal+171346w
dword_6C359C	dd ?			; DATA XREF: PopDiagGetTimeBrokerExpirationReason(x,x)+Dr
					; PopPowerInformationInternal+171351w
_PopTimeBrokerExpirationReason dw ?	; DATA XREF: PopDiagGetTimeBrokerExpirationReason(x,x):loc_651697o
					; PopPowerInformationInternal+17132Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PoRtcWakeAllowed db ?			; DATA XREF: ExGetNextWakeTimeForDeepSleep()+7r
					; PopRtcWakeSettingCallback(x,x,x,x)+38w
		align 8
_PopShutdownButtonPressTime dd ?	; DATA XREF: PopIssueActionRequest+2FDw
					; PopDiagTracePerfTrackData+12Ar ...
dword_6C362C	dd ?			; DATA XREF: PopIssueActionRequest+303w
					; PopDiagTracePerfTrackData+12Fr ...
_PopMonitorOffDueToSleep db ?		; DATA XREF: PopConnectedStandbySettingCallback+9FEA7r
					; PopConnectedStandbySettingCallback+9FEAFw ...
		align 10h
_PopRecordLidStateWorkItem db	 ? ;	; DATA XREF: PopRecordLidStateWorker(x)o
					; PopLidSwitchChangeCallback(x,x,x,x)+54o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopDisableSleepMutex dd ?		; DATA XREF: PopLogDisabledSleepReason+6o
					; PopLogDisabledSleepReason:loc_795639o ...
dword_6C3664	dd ?			; DATA XREF: PoInitSystem+254w
dword_6C3668	dd ?			; DATA XREF: PoInitSystem+267w
unk_6C366C	db    ?	;		; DATA XREF: PoInitSystem+26Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopDisableSleepList dd	?		; DATA XREF: PopLogDisabledSleepReason+1Dr
					; PopLogDisabledSleepReason+22o ...
dword_6C3684	dd ?			; DATA XREF: PoDisableSleepStates(x,x,x)+42r
					; PoDisableSleepStates(x,x,x)+5Ew ...
_PopVideoInitialized db	?		; DATA XREF: PopPowerInformationInternal+3FEw
					; PopPowerInformationInternal+40Bo ...
_PopVideoHighPrecisionBrightnessEnabled	db ?
					; DATA XREF: PopPowerInformationInternal+1714AAr
					; PopPowerInformationInternal+1714BDw ...
		align 4
_PopDisableDisplayBurstOnPowerSourceChange dd ?
					; DATA XREF: PopPowerSourceChangeCallback:loc_5F4965r
					; INIT:00AF4C58o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopDirectedDripsState dd ?		; DATA XREF: PopDirectedDripsClearDisengageReason(x)+23o
					; PopDirectedDripsSetDisengageReason(x)+1Fo ...
		align 8
dword_6C36A8	dd ?			; DATA XREF: PopQueueDirectedDripsWork(x,x,x):loc_54F607r
					; PopQueueDirectedDripsWork(x,x,x)+26o
dword_6C36AC	dd ?			; DATA XREF: PopQueueDirectedDripsWork(x,x,x)+11r
unk_6C36B0	db    ?	;		; DATA XREF: PopDirectedDripsInitializePhase3+67o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C36B4	db    ?	;		; DATA XREF: PopQueueDirectedDripsWork(x,x,x)+46o
					; PopDirectedDripsInitializePhase0(x)+8o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C36C4	dd ?			; DATA XREF: PopDirectedDripsEngage(x,x)+20r
					; PopDirectedDripsQueryMitigationStatus(x,x,x)+7r ...
dword_6C36C8	dd ?			; DATA XREF: PopDirectedDripsNotify:loc_90C5EBw
					; PopDirectedDripsNotify+9C374r ...
dword_6C36CC	dd ?			; DATA XREF: PopDirectedDripsEngage(x,x)+3Fo
					; PopDisengageDirectedDrips(x)+1Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C3710	dd ?			; DATA XREF: PopDirectedDripsNotify:loc_90C529w
					; PopDirectedDripsNotify+9C2C9r
		align 8
unk_6C3718	db    ?	;		; DATA XREF: PopDirectedDripsClearDisengageReason(x)+Eo
					; PopDirectedDripsSetDisengageReason(x)+7o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C371C	dd ?			; DATA XREF: PopDirectedDripsNotify:loc_87030Fo
					; PopDirectedDripsNotify:loc_870347o ...
word_6C3720	dw ?			; DATA XREF: PopDirectedDripsInitializePhase0(x)+3Ew
					; PopDirectedDripsIdleResiliencyCallback(x,x)+41w
		align 4
dword_6C3724	dd ?			; DATA XREF: PopDirectedDripsIdleResiliencyCallback(x,x)+47w
					; PopDirectedDripsInitializePhase0(x)+45w
byte_6C3728	db ?			; DATA XREF: PopDirectedDripsIdleResiliencyCallback(x,x)+4Dw
					; PopDirectedDripsInitializePhase0(x)+4Bw
		align 4
unk_6C372C	db    ?	;		; DATA XREF: PopDirectedDripsInitializePhase0(x)+29o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C3740	dd ?			; DATA XREF: PopDirectedDripsNotify+4Fw
					; PopDirectedDripsNotify+87r ...
		align 8
unk_6C3748	db    ?	;		; DATA XREF: PopDirectedDripsStartDisengageTimer(x)+11o
					; PopDirectedDripsInitializePhase0(x)+5Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C37B8	db    ?	;		; DATA XREF: PopDirectedDripsInitializePhase0(x)+6Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C3828	dd ?			; DATA XREF: PopDirectedDripsNotify+9C271w
					; PopDirectedDripsNotify+9C2D7w ...
dword_6C382C	dd ?			; DATA XREF: PopDirectedDripsNotify+9C279w
					; PopDirectedDripsNotify+9C2DEw ...
dword_6C3830	dd ?			; DATA XREF: PopDirectedDripsEngage(x,x)+Cw
					; PopDirectedDripsNotify+9C354r ...
dword_6C3834	dd ?			; DATA XREF: PopDirectedDripsInitializePhase0(x)+18w
dword_6C3838	dd ?			; DATA XREF: PnpRequestDeviceAction+130o
					; .text:0054F083o ...
dword_6C383C	dd ?			; DATA XREF: PnpRequestDeviceAction+13Cr
					; PnpRequestDeviceAction+143w ...
byte_6C3840	db ?			; DATA XREF: PopFxCompleteDirectedPowerTransition(x,x)+FAr
					; PopDirectedDripsNotifyTransitionFailed(x):loc_9AB2DEw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopExecutionRequiredContext db	?	; DATA XREF: PopHandleExecutionRequiredPowerRequestUpdate(x)+34r
					; PopPowerRequestNotifyAudioStateChanged:loc_85869Dr ...
byte_6C3861	db ?			; DATA XREF: PopPowerRequestNotifyAudioStateChanged:loc_901F55r
					; PopExecutionRequiredSettingCallback:loc_9377CBr ...
byte_6C3862	db ?			; DATA XREF: PopPowerRequestNotifyAudioStateChanged+2Fw
					; PopPowerRequestNotifyAudioStateChanged+A98FFr ...
byte_6C3863	db ?			; DATA XREF: PopPowerRequestNotifyAudioStateChanged+45r
					; PopExecutionRequiredSettingCallback+76r ...
		align 8
dword_6C3868	dd ?			; DATA XREF: PopPowerRequestNotifyAudioStateChanged+A9921r
					; PopExecutionRequiredSettingCallback+83E04r ...
dword_6C386C	dd ?			; DATA XREF: PopPowerRequestNotifyAudioStateChanged+A9931r
					; PopExecutionRequiredSettingCallback+83E14r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPowerRequestObjectCount dd ?	; DATA XREF: PopPowerRequestCleanUp(x):loc_53F761w
					; PopInsertPowerRequestObject+16w ...
_PopSpecialPowerRequestObjectCount dd ?	; DATA XREF: PopPowerRequestCleanUp(x)+B3w
					; PopInsertPowerRequestObject+E3B9Cw ...
_PopPowerRequestLock dd	?		; DATA XREF: PopHandleConvergedPowerRequestUpdate(x,x)+15o
					; PopDiagTraceControlCallback+68o ...
dword_6C3884	dd ?			; DATA XREF: PopHandleConvergedPowerRequestUpdate(x,x)+2Bw
					; PopHandleConvergedPowerRequestUpdate(x,x)+35r ...
_PopPowerRequestId dd ?			; DATA XREF: PopCreatePowerRequestObject+3Aw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PopPowerRequestTable
_PopPowerRequestTable db    ? ;		; DATA XREF: PopHandleExecutionRequiredPowerRequestUpdate(x)+Fo
					; PopNotifySessionUserPowerRequestCreated+3Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopExecutionRequiredTimer db	 ? ;	; DATA XREF: PopExecutionRequiredSettingCallback+55o
					; PopSetExecutionRequiredTimer+83DB4o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopPowerRequestObjectList dd ?		; DATA XREF: PopDiagTraceControlCallback+72r
					; PopDiagTraceControlCallback+78o ...
dword_6C390C	dd ?			; DATA XREF: PopInsertPowerRequestObject+8r
					; PopInsertPowerRequestObject+23w ...
_PopSpecialPowerRequestObjectList dd ?	; DATA XREF: PopInsertPowerRequestObject+E3B8Fo
					; PopPowerRequestNotificationsBegin()+39o ...
dword_6C3914	dd ?			; DATA XREF: PopInsertPowerRequestObject:loc_9268DCr
					; PopInsertPowerRequestObject+E3BA9w ...
_PopPowerRequestCallbacks dd ?		; DATA XREF: PopQueuePowerRequestCallbacks(x,x)+29r
					; PopQueuePowerRequestCallbacks(x,x)+32o ...
dword_6C391C	dd ?			; DATA XREF: PopPowerRequestCallbackWorker(x)+36r
					; PopPowerRequestCallbackWorker(x)+47w	...
_PopCallbackWorkItemScheduled db ?	; DATA XREF: PopQueuePowerRequestCallbacks(x,x):loc_5401CEr
					; PopQueuePowerRequestCallbacks(x,x)+64w ...
		align 10h
_PopCallbackWorkItem dd	?		; DATA XREF: PopQueuePowerRequestCallbacks(x,x)+5Fo
					; PopPowerRequestInit()+F3w
		align 8
dword_6C3938	dd ?			; DATA XREF: PopPowerRequestInit()+B1w
dword_6C393C	dd ?			; DATA XREF: PopPowerRequestInit()+EDw
_PopExecutionRequiredTimeoutDpc	db    ?	; ; DATA XREF: PopSetExecutionRequiredTimer+83DABo
					; PopPowerRequestInit()+125o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopExecutionRequiredTimeoutWorker dd ?	; DATA XREF: PopExecutionRequiredTimeoutCallback(x,x,x,x)+12o
					; PopPowerRequestInit()+13Fw
		align 8
dword_6C3968	dd ?			; DATA XREF: PopPowerRequestInit()+12Fw
dword_6C396C	dd ?			; DATA XREF: PopPowerRequestInit()+139w
_PopExecutionRequiredWorkRequested dd ?	; DATA XREF: PopExecutionRequiredTimeoutCallback(x,x,x,x)+3w
					; PopExecutionRequiredTimeoutWorkerRoutine(x)+6o
_PopPowerRequestNotificationsEnabled db	? ; DATA XREF: PoClearPowerRequestInternal+A7r
					; PoSetPowerRequestInternal+86r ...
		align 4
_PopPowerRequestSpinLock dd ?		; DATA XREF: PopHandleSystemRequiredPowerRequestsUpdate+26o
					; PoClearPowerRequestInternal+B8o ...
		align 10h
_PopFxAcpiDeviceList dd	?		; DATA XREF: PopFxFindAcpiDeviceByUniqueId+3Ar
					; PopFxFindAcpiDeviceByUniqueId:loc_57206Eo ...
dword_6C3984	dd ?			; DATA XREF: PopFxInsertAcpiDevice(x,x,x)+38r
					; PopFxInsertAcpiDevice(x,x,x)+5Cw ...
_PopFxDeviceListLock dd	?		; DATA XREF: PopFxResidentTimeoutRoutine(x)+18o
					; PopFxResidentTimeoutRoutine(x)+ACo ...
_PopFxDeviceRegisterHead dd ?		; DATA XREF: PopFxRegisterPluginEx(x,x,x,x)+146r
					; PopFxRegisterPluginEx(x,x,x,x)+16Fw ...
_PopFxPluginList dd ?			; DATA XREF: PoFxSystemLatencyNotify+28r
					; PoFxSystemLatencyNotify+2Eo ...
dword_6C3994	dd ?			; DATA XREF: PoFxInitPowerManagement+42w
_PopFxDirectedPowerUpTimeoutMs dd ?	; DATA XREF: PopFxHandleDirectedPowerTransition(x)+2Dr
					; PoFxInitPowerManagement+124w	...
_PopFxDirectedPowerDownTimeoutMs dd ?	; DATA XREF: PopFxHandleDirectedPowerTransition(x)+37r
					; PoFxInitPowerManagement+14Ew	...
_PopFxDeviceList dd ?			; DATA XREF: PopFxResidentTimeoutRoutine(x)+26o
					; PopFxResidentTimeoutRoutine(x)+2Br ...
dword_6C39A4	dd ?			; DATA XREF: PopFxInsertDevice+38r
					; PopFxInsertDevice+58w ...
		align 10h
_PopFxResidentWorkItem dd ?		; DATA XREF: PopFxResidentTimeoutDpcRoutine(x,x,x,x)+2o
					; PoFxInitPowerManagement+7Cw
		align 8
dword_6C39B8	dd ?			; DATA XREF: PoFxInitPowerManagement+9w
dword_6C39BC	dd ?			; DATA XREF: PoFxInitPowerManagement+76w
_PopFxBlockingDeviceListLock dd	?	; DATA XREF: PopFxBuildDirectedDripsCandidateDeviceList(x)+33o
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+DDo	...
		align 8
_SocSubsystemsList dd ?			; DATA XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+328o
					; PopFxLookupSocSubsystemsByPlatformIdleState(x)r ...
dword_6C39CC	dd ?			; DATA XREF: PopFxInitializeSocSubsystemStaticInfo(x,x):loc_9A7DC3r
					; PopFxInitializeSocSubsystemStaticInfo(x,x)+33Dw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopFxUpdateDripsConstraintContext dd ?	; DATA XREF: PopFxNotifySxTransitionState+6o
					; PopFxUpdateVetoMaskWork(x)+Bo ...
dword_6C39E4	dd ?			; DATA XREF: PopFxNotifySxTransitionState+54o
					; PopFxNotifySxTransitionState:loc_85B5A7r ...
dword_6C39E8	dd ?			; DATA XREF: PopFxUpdateVetoMaskWork(x)+28r
					; PopFxUpdateVetoMaskWork(x)+43w ...
byte_6C39EC	db ?			; DATA XREF: PopFxNotifySxTransitionState+17w
					; PopFxNotifySxTransitionState+4Dw ...
		align 10h
dword_6C39F0	dd ?			; DATA XREF: PopFxUpdateVetoMaskWork(x):loc_9A8B8Dw
					; PopFxUpdateVetoMaskWork(x)+C9w
unk_6C39F4	db    ?	;		; DATA XREF: PopFxNotifySxTransitionState+3Ao
					; PopFxUpdateVetoMaskWork(x)+54o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopFxDeviceAccountingPaused db	?	; DATA XREF: PopFxIsDripsBlockingDevice(x,x,x,x)+4Br
					; PopFxIsDripsBlockingDevice(x,x,x,x)+D3r ...
		align 4
_PopFxDeviceAccountingLevel dd ?	; DATA XREF: PopFxClearDeviceConstraints(x)+96o
					; PopFxIsDripsBlockingDevice(x,x,x,x)+15r ...
_PopFxPluginLock dd ?			; DATA XREF: PoFxSystemLatencyNotify+1Ao
					; PopDiagTraceFxRundown+11o ...
_PopFxResidentTimerLock	db    ?	;	; DATA XREF: PopFxArmResidentTimer(x)+4o
		db    ?	;
		db    ?	;
		db    ?	;
_PopFxResidentTimerArmed db ?		; DATA XREF: PopFxArmResidentTimer(x)+17w
					; PopFxArmResidentTimer(x):loc_4F8210r	...
		align 4
_PopFxResidentComponentCount dd	?	; DATA XREF: PopFxIdleComponent+1B1w
					; PopFxResidentTimeoutRoutine(x)+FEw ...
		align 10h
_PopFxResidentTimer db	  ? ;		; DATA XREF: PopFxArmResidentTimer(x)+59o
					; PoFxInitPowerManagement+AEo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopFxResidentDpc db	? ;		; DATA XREF: PopFxArmResidentTimer(x)+4Do
					; PoFxInitPowerManagement+A3o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopFxGlobalDeviceAccountingLock dd ?	; DATA XREF: PopFxBeginDeviceIRPhaseAccounting(x,x)+Eo
					; PopFxSetDripsBlockedByDeviceActivity(x)+Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopFxGlobalDeviceAccountingInfo db ?	; DATA XREF: PopFxBeginDeviceIRPhaseAccounting(x,x)+28r
					; PopFxSetDripsBlockedByDeviceActivity(x)+26r ...
; void byte_6C3AA1
byte_6C3AA1	db ?			; DATA XREF: PopFxSetDripsBlockedByDeviceActivity(x)+1Dr
					; PopFxSetGlobalDeviceAccountingEnabled(x)+6Aw	...
		align 8
dword_6C3AA8	dd ?			; DATA XREF: PopFxSetDripsBlockedByDeviceActivity(x)+37w
					; PopFxSetGlobalDeviceAccountingEnabled(x)+2Fw	...
dword_6C3AAC	dd ?			; DATA XREF: PopFxSetDripsBlockedByDeviceActivity(x)+3Cw
					; PopFxSetGlobalDeviceAccountingEnabled(x)+34w	...
dword_6C3AB0	dd ?			; DATA XREF: PopFxStartDeviceAccounting()+160w
					; PopFxStopDeviceAccounting()+1D0r ...
dword_6C3AB4	dd ?			; DATA XREF: PopFxStartDeviceAccounting()+166w
					; PopFxStopDeviceAccounting()+1E5r ...
dword_6C3AB8	dd ?			; DATA XREF: PopFxStartDeviceAccounting()+16Cw
					; PopFxStopDeviceAccounting()+1F4r ...
dword_6C3ABC	dd ?			; DATA XREF: PopFxStartDeviceAccounting()+172w
					; PopFxStopDeviceAccounting()+1FDr ...
; void dword_6C3AC0
dword_6C3AC0	dd ?			; DATA XREF: PopFxSetGlobalDeviceAccountingEnabled(x):loc_64B87Dw
					; PopFxStartDeviceAccounting()+15Bo ...
dword_6C3AC4	dd ?			; DATA XREF: PopFxSetGlobalDeviceAccountingEnabled(x)+43w
					; PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+7Bw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C3AE8	dd ?			; DATA XREF: PopFxStopDeviceAccounting()+1EAo
					; PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+83w
dword_6C3AEC	dd ?			; DATA XREF: PopFxUpdateGlobalDeviceAccountingInfo(x,x,x,x)+8Aw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopWorkOrderList dd ?			; DATA XREF: PopFxEnableWorkOrderWatchdog+7Do
					; PopRecordPepWorkorderBlackboxInformation()+2Cr ...
dword_6C3B14	dd ?			; DATA XREF: PopFxEnableWorkOrderWatchdog+77r
					; PopFxEnableWorkOrderWatchdog+94w ...
_PopWorkOrderLock dd ?			; DATA XREF: PopFxDispatchPluginWorkOnce+A4o
					; PopFxDisableWorkOrderWatchdog+25o ...
		align 10h
_PopFxSystemWorkPool db	   ? ;		; DATA XREF: KiAttemptFastRemovePriQueue+99o
					; PoFxInitPowerManagement+109o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C3B24	db    ?	;		; DATA XREF: PopFxQueueWorkOrder:loc_5E59BCo
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C3B28	db    ?	;		; DATA XREF: PopFxQueueWorkOrder+81E39o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C3B30	db    ?	;		; DATA XREF: PopFxQueueWorkOrder+81E49o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopFxSystemLatencyLock	db    ?	;	; DATA XREF: PoNotifyVSyncChange(x)+6o
					; PpmClearExitLatencySamplingPercentage()+7o ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C3BC4	db    ?	;		; DATA XREF: PoInitSystem+491o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmPerfLatencyBoostExpiration dd ?	; DATA XREF: PpmCheckStart:loc_487103r
					; PoLatencySensitivityHint+99o
dword_6C3BDC	dd ?			; DATA XREF: PpmCheckStart+89r
_PpmPerfDeadlineBoostExpiration	dd ?	; DATA XREF: PpmCheckStart:loc_487132r
					; PoLatencySensitivityHint+82051o
dword_6C3BE4	dd ?			; DATA XREF: PpmCheckStart+B8r
		align 10h
_PpmPerfLatencyBoostWorkItem dd	?	; DATA XREF: PoLatencySensitivityHint+820A5o
					; PpmPerfInitialize+BFw
		align 8
dword_6C3BF8	dd ?			; DATA XREF: PpmPerfInitialize+AFw
dword_6C3BFC	dd ?			; DATA XREF: PpmPerfInitialize+B9w
_PpmPerfLatencyBoostQueued dd ?		; DATA XREF: PoLatencySensitivityHint+82093o
					; PpmPerfLatencySensitivityHintWorker(x)+Dw
_PpmPdcMediaEngaged db ?		; DATA XREF: PpmMediaBufferingWorker:loc_546C1Br
					; PpmMediaBufferingWorker+9512Fw
_PpmPerfMaxOverrideEnabled db ?		; DATA XREF: PpmPerfApplyDomainState:loc_490360r
					; PpmPerfCalculateQosClassPolicies:loc_561821r	...
		align 4
_PpmPerfControlCommitPerformance dd ?	; DATA XREF: PpmPerfCommitPerformance()r
					; PpmRegisterPerfStates:loc_8A047Br ...
_PpmParkPreferenceHandler dd ?		; DATA XREF: PpmParkSteerInterrupts+266r
					; PpmParkComputeUnparkMask(x,x,x,x,x,x,x,x,x,x,x)+BCr ...
_PpmParkMaskHandler dd ?		; DATA XREF: PpmParkReportMask:loc_5B893Fr
					; PpmRegisterPerfStates:loc_8A04A3r ...
_PpmCheckCompleteHandler dd ?		; DATA XREF: PpmCheckReportCompleter
					; PpmRegisterPerfStates:loc_8A04B7r ...
_PpmPerfControlStartPolicyUpdate dd ?	; DATA XREF: PpmUpdateProcessorPolicy+8Er
					; PpmRegisterPerfStates:loc_8A04CBr ...
_PpmPerfControlCompletePolicyUpdate dd ? ; DATA	XREF: PpmUpdateProcessorPolicy+E4r
					; PpmRegisterPerfStates:loc_8A04DCr ...
_PpmMediaBufferingWork dd ?		; DATA XREF: PpmMediaBufferingWorker+14o
					; PpmMediaBufferingWorker:loc_546BB3o ...
byte_6C3C24	db ?			; DATA XREF: PpmMediaBufferingWorker+C8w
					; PoNotifyMediaBuffering+1Er ...
byte_6C3C25	db ?			; DATA XREF: PpmMediaBufferingWorker+2Cr
					; PoNotifyMediaBuffering+3Aw
		align 4
dword_6C3C28	dd ?			; DATA XREF: PoNotifyMediaBuffering+7Do
					; PpmPerfInitialize+A9w
		align 10h
dword_6C3C30	dd ?			; DATA XREF: PpmPerfInitialize+99w
dword_6C3C34	dd ?			; DATA XREF: PpmPerfInitialize+A3w
_PpmPerfMultimediaQosSupported db ?	; DATA XREF: PoLatencySensitivityHint:loc_5E3B2Dr
					; PpmPerfUpdateDomainPolicy+CEw ...
		align 4
_PpmAllowedActions dd ?			; DATA XREF: PpmUpdateTargetProcessorPolicy:loc_5E5559r
					; PpmPerfReApplyStates()+14o ...
_PpmPerfTimeWindow dd ?			; DATA XREF: PpmUpdateTargetProcessorPolicy+81DC9r
					; PpmUpdateProcessorPolicy:loc_86F277w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmPerfTelemetryTimer db    ? ;	; DATA XREF: PpmRegisterPerfStates+732o
					; PpmPerfInitialize+DEo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C3CB8	db    ?	;		; DATA XREF: PpmPerfTelemetryCallback(x,x)+2o
					; PpmPerfTelemetryWorker(x):loc_9A74F7o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmPerfGlobalContext dd ?		; DATA XREF: PpmCheckReportComplete+129E61r
					; PpmRegisterPerfStates:loc_8A0440r ...
_PpmPerfControlReadFeedback dd ?	; DATA XREF: PpmPerfReadFeedback+3r
					; PpmRegisterPerfStates:loc_8A0451r ...
_PpmPerfControlAcquirePerformance dd ?	; DATA XREF: PpmCheckAcquireProcessorPerformance():loc_48E8FEr
					; PpmRegisterPerfStates:loc_8A0467r ...
_PopComputeEnergy dd ?			; DATA XREF: PpmCheckComputeEnergy+12r
					; PpmCheckComputeEnergy+15Cr ...
_PopSnapEnergyCounters dd ?		; DATA XREF: PpmSnapPerformanceAccumulation+192r
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+A57r	...
_PopEnergyEstimationEnabled db ?	; DATA XREF: IopQueueWorkItemProlog+78r
					; PoEnergyEstimationEnabled()r	...
		align 4
_PopTransitionCheckpoints dd ?		; DATA XREF: PopTransitionCheckpoint(x,x)+3Bo
					; PopTransitionCheckpoint(x,x)+7Co ...
dword_6C3CEC	dd ?			; DATA XREF: PopTransitionCheckpoint(x,x)+84r
					; PopTransitionCheckpoint(x,x)+94w ...
_PopTransitionCheckpointsSequenceNumber	dd ? ; DATA XREF: PopTransitionCheckpoint(x,x)+65r
					; PopTransitionCheckpoint(x,x):loc_85B7E6r ...
		align 8
_PopTransitionCheckpointLock dd	?	; DATA XREF: PopTransitionCheckpoint(x,x)+2Bo
					; PopTransitionCheckpoint(x,x)+C9o ...
dword_6C3CFC	dd ?			; DATA XREF: PopTransitionCheckpoint(x,x)+45w
					; PopTransitionCheckpoint(x,x)+A5r ...
_PopBsdTransitionLatestCheckpointId dd ? ; DATA	XREF: PopTransitionCheckpoint(x,x)+ACw
					; PopRecordPhysicalPowerButton(x)+D2r
_PopBsdTransitionLatestCheckpointType dd ? ; DATA XREF:	PopTransitionCheckpoint(x,x)+B2w
					; PopRecordPhysicalPowerButton(x)+DCr
_PopBsdTransitionLatestCheckpointSeqNumber dd ?
					; DATA XREF: PopTransitionCheckpoint(x,x)+9Fw
					; PopRecordPhysicalPowerButton(x)+E6r
_PopBsdUpdateRequests dd ?		; DATA XREF: PopBsdHandleRequest(x):loc_5968B9w
					; PopBsdUpdateWorker(x)+9Dw ...
_PopSetupInProgressStatusBlock db    ? ; ; DATA	XREF: PopUpdateUpgradeInProgress(x)+DBo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopSetupInProgressUpdateWorkItem dd ?	; DATA XREF: PopUpdateUpgradeInProgress(x)+E2o
					; PopUpdateUpgradeInProgress(x)+F8w
		align 8
dword_6C3D28	dd ?			; DATA XREF: PopUpdateUpgradeInProgress(x)+E9w
dword_6C3D2C	dd ?			; DATA XREF: PopUpdateUpgradeInProgress(x)+F3w
_PopTimeChangeInfo dd ?			; DATA XREF: PoNotifySystemTimeSet(x,x,x)+14w
					; PopPolicyTimeChange()+Fo
dword_6C3D34	dd ?			; DATA XREF: PoNotifySystemTimeSet(x,x,x)+1Cw
dword_6C3D38	dd ?			; DATA XREF: PoNotifySystemTimeSet(x,x,x)+23w
dword_6C3D3C	dd ?			; DATA XREF: PoNotifySystemTimeSet(x,x,x)+2Bw
_PopSetUserShutdownMarkerWorkItem db	? ; ; DATA XREF: PoUserShutdownInitiated+25o
					; PopSetUserShutdownMarkerWorker(x)+37o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopClearUserShutdownMarkerWorkItem db	  ? ; ;	DATA XREF: PoUserShutdownCancelled()+Eo
					; PopDispatchFullWake(x)+9Do ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopBsdUpdateWorkItem db    ? ;		; DATA XREF: PopBsdHandleRequest(x)+24o
					; PopBsdUpdateWorker(x)+F9o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopBsdSkipLogging db ?			; DATA XREF: PopClearConnectedStandbyMarker(x)r
					; PopSetConnectedStandbyMarker(x,x,x)r	...
		align 4
_PopBsdUpdateLock dd ?			; DATA XREF: PopWriteBsdPoInfo(x,x)+50o
					; PopWriteBsdPoInfo(x,x):loc_59693Eo ...
dword_6C3D9C	dd ?			; DATA XREF: PopRecordSleepCheckpoint(x)+29w
					; PopRecordSleepCheckpoint(x)+39r ...
_PoOffCrashConfigTable dd ?		; DATA XREF: PopCheckForAbnormalReset+Er
					; IopInitializeOfflineCrashDump+7E28Co	...
dword_6C3DA4	dd ?			; DATA XREF: PopCheckForAbnormalReset+7DCEFr
					; PopCheckForAbnormalReset:loc_5FB7F8r	...
dword_6C3DA8	dd ?			; DATA XREF: IopInitializeOfflineCrashDump+7E304r
					; PAGE:00781801r ...
		align 10h
dword_6C3DB0	dd ?			; DATA XREF: PAGE:0078180Ar
dword_6C3DB4	dd ?			; DATA XREF: PAGE:00781813r
dword_6C3DB8	dd ?			; DATA XREF: PAGE:0078181Cr
		align 10h
_PopIdleScanTimer db	? ;		; DATA XREF: PopInitializeSystemIdleDetection()+45o
					; PopInitializeSystemIdleDetection()+7Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopIdleScanDpc	db    ?	;		; DATA XREF: PopInitializeSystemIdleDetection()+3Ao
					; PopInitializeSystemIdleDetection()+67o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUlyUnkUlyquivUrDIGUlykOlyq@ob db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_ObpTypeObjectType dd ?			; DATA XREF: .data:006B1B28o
					; ObpRemoveObjectRoutine+31r ...
_ObpRootDirectoryObject	dd ?		; DATA XREF: OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO(x)+25r
					; .data:006B1B20o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C3E3C	dd ?			; DATA XREF: ObCreateObjectTypeEx+3C6w
_ObpObjectTypes	dd ?			; DATA XREF: NtQueryObject+ECF9Br
					; NtQueryObject+ECFCAr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ObpInvalidOpenByPointer dd ?		; DATA XREF: ObOpenObjectByPointer:loc_920EDAw
		align 10h
_ObpDefaultObject db	? ;		; DATA XREF: ObGetAssociatedWaitObject(x)+Ao
					; ObCreateObjectTypeEx+365o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ObpRemoveObjectWait dd	?		; DATA XREF: ObpProcessRemoveObjectQueue+6Ar
					; ObpProcessRemoveObjectQueue+134ECAo ...
_ObpRemoveObjectList dd	?		; DATA XREF: ObpDeferObjectDeletion+4r
					; ObpDeferObjectDeletion+Ao ...
_ObpTypeDirectoryObject	dd ?		; DATA XREF: ObpInitializeRootNamespace+FFw
					; ObCreateObjectTypeEx:loc_889806r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ObpRemoveObjectDpc db	  ? ;		; DATA XREF: ObpDeferObjectDeletion+D5D2Ao
					; ObInitSystem+171o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ObpRemoveObjectWorkItem dd ?		; DATA XREF: ObpDeferObjectDeletion+45o
					; ObpProcessRemoveObjectDpcWorker(x,x,x,x)+2o ...
		align 8
dword_6C42A8	dd ?			; DATA XREF: ObInitSystem+176w
dword_6C42AC	dd ?			; DATA XREF: ObInitSystem+180w
_ObpKernelHandleTable dd ?		; DATA XREF: ObpCloseHandle+3Br
					; ObpCloseHandle+94r ...
_ObpDirectoryObjectType	dd ?		; DATA XREF: ObpDeleteNameCheck+171r
					; ObpCreateDirectoryObject:loc_799931r	...
_ObpSymbolicLinkObjectType dd ?		; DATA XREF: ObpDeleteNameCheck+144r
					; PAGE:loc_7BD405r ...
_ObpRuntimeTraceFlags dd ?		; DATA XREF: ObpStartRuntimeStackTrace(x)+2E2w
					; ObpStopRuntimeStackTrace()+96w
_ObpRegTraceFlags dd ?			; DATA XREF: ObpStopRuntimeStackTrace()+9Br
					; ObpInitStackTrace+F814w
_ObpTraceProcessName dd	?		; DATA XREF: ObCheckRefTraceProcess+14A96Cr
					; ObpStartRuntimeStackTrace(x)+30Fw ...
_ObpRuntimeTraceProcessName dd ?	; DATA XREF: ObQueryRefTraceInformation(x,x,x)+A7r
					; ObQueryRefTraceInformation(x,x,x)+113r ...
; void *dword_6C42CC
dword_6C42CC	dd ?			; DATA XREF: ObQueryRefTraceInformation(x,x,x)+132r
					; ObpStartRuntimeStackTrace(x)+2ACr ...
_ObpRegTraceProcessName	dw ?		; DATA XREF: ObpStopRuntimeStackTrace()+CBo
					; ObpInitStackTrace+F75Bw ...
word_6C42D2	dw ?			; DATA XREF: ObpInitStackTrace+F762w
dword_6C42D4	dd ?			; DATA XREF: ObpInitStackTrace+F74Bw
					; ObpInitStackTrace+F862r
_ObpTracePoolTags dd ?			; DATA XREF: ObpIsObjectPoolTagTraced(x):loc_9A4C7Dr
					; ObpStartRuntimeStackTrace(x)+2FBw ...
		align 10h
; void ObpRuntimeTracePoolTags
_ObpRuntimeTracePoolTags dd ?		; DATA XREF: ObQueryRefTraceInformation(x,x,x)+C2r
					; ObQueryRefTraceInformation(x,x,x)+19Dr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void ObpRegTracePoolTags
_ObpRegTracePoolTags db	   ? ;		; DATA XREF: ObpStopRuntimeStackTrace()+BAo
					; ObpInitStackTrace+1Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ObpPushStackInfoWorkItem dd ?		; DATA XREF: ObpDeferPushRefDerefInfo(x,x,x,x,x,x)+6Do
					; ObpInitStackTrace+53w
		align 8
dword_6C4368	dd ?			; DATA XREF: ObpInitStackTrace+43w
dword_6C436C	dd ?			; DATA XREF: ObpInitStackTrace+4Dw
_ObpStackTraceLock dd ?			; DATA XREF: ObCheckRefTraceProcess+14A953o
					; ObDisableEtwReferenceTrace()+Fo ...
_ObpStackTable	dd ?			; DATA XREF: ObpGetTraceIndex(x)+35r
					; ObpGetTraceIndex(x)+8Cr ...
_ObpObjectTable	dd ?			; DATA XREF: ObpDeregisterObject(x)+8Cr
					; ObpGetObjectRefInfo(x,x)+20r	...
_ObpStackSequence dd ?			; DATA XREF: ObpPushStackInfo(x,x,x,x):loc_647CA0w
					; ObpStopRuntimeStackTrace()+125w ...
_ObpNumTracedObjects dd	?		; DATA XREF: ObpRegisterObject(x)+F4w
					; ObpStopRuntimeStackTrace()+12Aw ...
_ObpPushStackInfoList dd ?		; DATA XREF: ObpDeferPushRefDerefInfo(x,x,x,x,x,x)+47r
					; ObpDeferPushRefDerefInfo(x,x,x,x,x,x)+4Do ...
_ObpWorkItemFreeList dd	?		; DATA XREF: ObpDeferPushRefDerefInfo(x,x,x,x,x,x)+Co
					; ObpFreeWorkItemBlock(x)+39o ...
dword_6C438C	dd ?			; DATA XREF: ObpFreeWorkItemBlock(x)+2Er
					; ObpInitStackAndObjectTables()+B9w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ObpTraceProcessNameBuffer dw ?		; DATA XREF: ObpInitStackTrace+80r
					; ObpInitStackTrace:loc_AEAE33o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ObpTracePoolTagsBuffer	dw ?		; DATA XREF: ObpInitStackTrace:loc_ADB7A7r
					; ObpInitStackTrace:loc_AEAE9Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C44A6	db    ?	;		; DATA XREF: ObpInitStackTrace+F7B3o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ObpTracePermanent dd ?			; DATA XREF: ObpInitStackTrace:loc_AEAF16r
					; INIT:00AF4058o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_g_SessionLowboxArray dd ?		; DATA XREF: SepInitializeSessionLowboxStructures()+10w
					; SepDereferenceLowBoxNumberEntry+20o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C45CC	dd ?			; DATA XREF: SepInitializeSessionLowboxStructures()+Aw
byte_6C45D0	db ?			; DATA XREF: SepInitializeSessionLowboxStructures():loc_56EE50w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_g_SessionLowboxMap dd ?		; DATA XREF: SepDeleteSessionLowboxEntries+8r
					; SepInitializeSessionLowboxStructures()+24w ...
_LowboxSessionMapLock dd ?		; DATA XREF: SepInitializeSessionLowboxStructures()+1Ew
					; SepDeleteSessionLowboxEntries+81AEAo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ObpInfoMaskToOffset db	?		; DATA XREF: ObpDereferenceNamedObject(x)+12r
					; OBJECT_HEADER_TO_HANDLE_INFO(x)+Dr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ObpPendingObjectDirectoryListLock dd ?	; DATA XREF: ObpRemovePendingDirectoryItem+13o
					; ObpAddToPendingDirectoryList(x)+12o ...
_ObpPendingObjectDirectoryList dd ?	; DATA XREF: ObpRemovePendingDirectoryItem+21r
					; ObpRemovePendingDirectoryItem+E5C78w	...
_ObpAuditBaseObjects dd	?		; DATA XREF: ObInitSystem+3D9r
					; ObInitSystem:loc_AE4D15r ...
_ObpAuditBaseDirectories dd ?		; DATA XREF: ObInitSystem+3C6r
					; ObInitSystem+217C4r ...
_ObpProtectionMode db ?			; DATA XREF: ObpGetDosDevicesProtection+1Cr
		align 10h
_MiPinDriverAddressLog dd ?		; DATA XREF: MiQueuePinDriverAddressLog+1CCw
					; MiLogPinDriverAddressesWorker:loc_86AA3Fr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C6760	dd ?			; DATA XREF: MiCheckLogPinDriverAddresses+13r
					; MiCheckLogPinDriverAddresses+1Er ...
dword_6C6764	dd ?			; DATA XREF: MiCheckLogPinDriverAddresses+3Cr
					; MiQueuePinDriverAddressLog+64r ...
unk_6C6768	db    ?	;		; DATA XREF: MiInitNucleus(x)+4Do
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C6868	db    ?	;		; DATA XREF: MiCheckLogPinDriverAddresses+7Do
					; MiQueuePinDriverAddressLog+8281Do
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C686C	db    ?	;		; DATA XREF: MiLogPinDriverAddressesWorker+3Bo
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C6870	db    ?	;		; DATA XREF: MiQueuePinDriverAddressLog+82805o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C68A8	dd ?			; DATA XREF: MiCheckLogPinDriverAddresses+D7w
					; MiCheckLogPinDriverAddresses+DEo
		align 10h
dword_6C68B0	dd ?			; DATA XREF: MiCheckLogPinDriverAddresses+E3w
dword_6C68B4	dd ?			; DATA XREF: MiCheckLogPinDriverAddresses+D1w
unk_6C68B8	db    ?	;		; DATA XREF: MiCheckLogPinDriverAddresses+C2o
					; MiLogPinDriverAddressesWorker+7Bo
		db    ?	;
word_6C68BA	dw ?			; DATA XREF: MiQueuePinDriverAddressLog+4Cr
					; MiInitNucleus(x)+3Bw
		align 10h
_MiZeroThreadStats dd ?			; DATA XREF: MiAddZeroingThreads+7F367w
dword_6C68C4	dd ?			; DATA XREF: MiAddZeroingThreads+2Aw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C68CC	dd ?			; DATA XREF: MiReassessZeroThreads:loc_5063E8w
dword_6C68D0	dd ?			; DATA XREF: MiReassessZeroThreads:loc_5064ACw
dword_6C68D4	dd ?			; DATA XREF: MiComputeRunTimeZeroComparisons:loc_566FFEw
dword_6C68D8	dd ?			; DATA XREF: MiComputeRunTimeZeroComparisons:loc_5C533Fw
dword_6C68DC	dd ?			; DATA XREF: MiTimeSingleLargePageZero+238w
dword_6C68E0	dd ?			; DATA XREF: MiLogZeroPageDecision+A1w
dword_6C68E4	dd ?			; DATA XREF: MiLogZeroPageDecision:loc_50662Dw
dword_6C68E8	dd ?			; DATA XREF: .text:loc_46F228w
dword_6C68EC	dd ?			; DATA XREF: MiScheduleZeroPageThreads+4Fw
dword_6C68F0	dd ?			; DATA XREF: MiScheduleZeroPageThreads:loc_5C8FADw
dword_6C68F4	dd ?			; DATA XREF: MiScheduleZeroPageThreads:loc_4D4A67w
dword_6C68F8	dd ?			; DATA XREF: MiScheduleZeroPageThreads:loc_5C8FB8w
dword_6C68FC	dd ?			; DATA XREF: MiScheduleZeroPageThreads:loc_4D4A4Dw
dword_6C6900	dd ?			; DATA XREF: MiScheduleZeroPageThreads+113w
		align 8
dword_6C6908	dd ?			; DATA XREF: MiZeroPage(x,x)+268w
dword_6C690C	dd ?			; DATA XREF: MiZeroPage(x,x)+2A0w
dword_6C6910	dd ?			; DATA XREF: .text:0046F71Aw
					; MiMapPagesToZero(x,x,x)+84w
dword_6C6914	dd ?			; DATA XREF: MiZeroPage(x,x)+252w
dword_6C6918	dd ?			; DATA XREF: MiZeroPage(x,x)+76w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C6924	dd ?			; DATA XREF: MiZeroPage(x,x):loc_46FD01w
		align 10h
dword_6C6930	dd ?			; DATA XREF: MiZeroPage(x,x)+24Bw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C6948	dd ?			; DATA XREF: MiZeroPage(x,x):loc_46FB08w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_MmPerProcessorZeroCalibrationBytes dd ? ; DATA	XREF: MiZeroPageCalibrate+47r
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUnnUnkUlyquivUrDIGUnrOlyq@mm db	   ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_MmSpecialPurposeMemoryStartPage db    ? ; ; DATA XREF:	INIT:00AF3CB0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_MmSpecialPurposeMemoryPages db	   ? ;	; DATA XREF: INIT:00AF3CC8o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_MiTriageDumpData dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+13w
					; MmSnapTriageDumpInformation(x,x,x,x)+10Fo
dword_6C69A4	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+1Dw
dword_6C69A8	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+27w
dword_6C69AC	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+31w
dword_6C69B0	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+3Bw
dword_6C69B4	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+45w
dword_6C69B8	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+51w
dword_6C69BC	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+6Dw
dword_6C69C0	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+5Bw
					; MmSnapTriageDumpInformation(x,x,x,x)+8Fw
dword_6C69C4	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+61w
					; MmSnapTriageDumpInformation(x,x,x,x)+99w
dword_6C69C8	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+72w
dword_6C69CC	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+67w
					; MmSnapTriageDumpInformation(x,x,x,x)+9Ew ...
dword_6C69D0	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+78w
					; MmSnapTriageDumpInformation(x,x,x,x)+C7w ...
dword_6C69D4	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+7Ew
					; MmSnapTriageDumpInformation(x,x,x,x)+CFw ...
_ExPoolCodeStart dd ?			; DATA XREF: KeBugCheck2(x,x,x,x,x,x):loc_61C109r
					; MiLocateKernelSections(x)+5Cw
_ExPoolCodeEnd	dd ?			; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+566r
					; MiLocateKernelSections(x)+6Ew
_MmUnloadedDrivers dd ?			; DATA XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x):loc_60B0F5r
					; MmLocateUnloadedDriver(x)+3r	...
_MmLastUnloadedDriver dd ?		; DATA XREF: MmLocateUnloadedDriver(x)+Er
					; MmAddUnloadedDriverInformationToCrashDump(x)+2Ar ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_MmLargePageDriverBuffer db    ? ;	; DATA XREF: MiInitializeDriverImages+2A441o
					; MiInitializeDriverImages+2A448o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; Exported entry 1863. PsLoadedModuleResource
		public _PsLoadedModuleResource
_PsLoadedModuleResource	db    ?	;	; DATA XREF: MiLookupDataTableEntry(x,x)+98o
					; MiLookupDataTableEntry(x,x)+A9o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; Exported entry 1862. PsLoadedModuleList
		public _PsLoadedModuleList
_PsLoadedModuleList dd ?		; DATA XREF: RtlpxLookupFunctionTable:loc_4E0C2Br
					; RtlpxLookupFunctionTable+64o	...
dword_6C6E3C	dd ?			; DATA XREF: MiProcessLoaderEntry(x,x)+3Fr
					; MiProcessLoaderEntry(x,x)+5Ew ...
_MmVerifierData	dd ?			; DATA XREF: IoReuseIrp(x,x)+18r
					; IoInitializeIrp+6r ...
dword_6C6E44	dd ?			; DATA XREF: VerifierKfRaiseIrql(x)+19w
					; VerifierKeRaiseIrql(x,x)+5w ...
dword_6C6E48	dd ?			; DATA XREF: VerifierKeAcquireQueuedSpinLock(x)+5w
					; VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelCommon(x,x,x)+5w ...
dword_6C6E4C	dd ?			; DATA XREF: VerifierKeSynchronizeExecution(x,x,x)+5w
					; VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+DEr
dword_6C6E50	dd ?			; DATA XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+93w
					; VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+E6r
dword_6C6E54	dd ?			; DATA XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x):loc_A62867w
					; VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+EEr
dword_6C6E58	dd ?			; DATA XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+238w
					; VeAllocatePoolWithTagPriority(x,x,x,x,x)+249w ...
dword_6C6E5C	dd ?			; DATA XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+137w
					; VerifierExAllocatePoolWithQuota(x,x)+4Aw ...
dword_6C6E60	dd ?			; DATA XREF: MmVerifierTrimMemory()+4Bw
					; VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+106r
dword_6C6E64	dd ?			; DATA XREF: MmVerifierTrimMemory()+78w
					; VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+10Er
dword_6C6E68	dd ?			; DATA XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+1BCw
					; VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+116r
dword_6C6E6C	dd ?			; DATA XREF: ViFaultsInjectionNotification(x)+6w
					; VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+11Er
dword_6C6E70	dd ?			; DATA XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+2A1w
dword_6C6E74	dd ?			; DATA XREF: VfSuspectDriversUnloadCallback(x):loc_A6ACC9w
dword_6C6E78	dd ?			; DATA XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x):loc_A627C3w
					; VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+D6r
dword_6C6E7C	dd ?			; DATA XREF: MmVerifierTrimMemory()+92w
dword_6C6E80	dd ?			; DATA XREF: ViFreeTrackedPool(x,x,x,x)+166o
					; ViPostPoolAllocation(x,x):loc_A632B3w
dword_6C6E84	dd ?			; DATA XREF: ViFreeTrackedPool(x,x,x,x):loc_A63104o
					; ViPostPoolAllocation(x,x):loc_A63307w
dword_6C6E88	dd ?			; DATA XREF: ViPostPoolAllocation(x,x)+106r
					; ViPostPoolAllocation(x,x)+10Ew
dword_6C6E8C	dd ?			; DATA XREF: ViPostPoolAllocation(x,x)+15Ar
					; ViPostPoolAllocation(x,x)+162w
unk_6C6E90	db    ?	;		; DATA XREF: ViFreeTrackedPool(x,x,x,x)+16Bo
					; ViPostPoolAllocation(x,x)+E5o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6C6E94	db    ?	;		; DATA XREF: ViFreeTrackedPool(x,x,x,x)+179o
					; ViPostPoolAllocation(x,x)+139o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C6E98	dd ?			; DATA XREF: ViPostPoolAllocation(x,x)+F0r
					; ViPostPoolAllocation(x,x)+F8w
dword_6C6E9C	dd ?			; DATA XREF: ViPostPoolAllocation(x,x)+144r
					; ViPostPoolAllocation(x,x)+14Cw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C6EA4	dd ?			; DATA XREF: MmVerifierTrimMemory()+AEw
dword_6C6EA8	dd ?			; DATA XREF: VfDriverEnableVerifier(x,x,x):loc_A5B65Cw
					; VfTargetEtwUnregister(x,x,x)+74r ...
dword_6C6EAC	dd ?			; DATA XREF: VfSetVerifierRunningMode(x)+10w
					; ViInitSystemPhase0+A6w
dword_6C6EB0	dd ?			; DATA XREF: VfSetVerifierInformationEx(x)+78r
					; VfSetVerifierInformationEx(x)+8Dw
dword_6C6EB4	dd ?			; DATA XREF: VfSetVerifierInformationEx(x)+81r
					; VfSetVerifierInformationEx(x)+95w
dword_6C6EB8	dd ?			; DATA XREF: VfCheckPoolType(x,x,x):loc_A5AF3Ew
dword_6C6EBC	dd ?			; DATA XREF: VfCheckPageProtection(x,x):loc_A5AEBAw
dword_6C6EC0	dd ?			; DATA XREF: VfCheckPagePriority(x,x):loc_A5AE51w
dword_6C6EC4	dd ?			; DATA XREF: VfCheckImageCompliance(x):loc_A5AC80w
dword_6C6EC8	dd ?			; DATA XREF: VfCheckImageCompliance(x):loc_A5ADBAw
dword_6C6ECC	dd ?			; DATA XREF: VfCheckImageCompliance(x):loc_A5AD24w
_AlpcHandleDataTypeCounters db	  ? ;	; DATA XREF: .text:00401510o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AlpcpLogLock	db    ?	;		; DATA XREF: AlpcRegisterLogRoutine(x):loc_995920o
					; AlpcUnregisterLogRoutine(x)+5o ...
		db    ?	;
		db    ?	;
		db    ?	;
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUokxUzokxUnkUlyquivUrDIGUzokxkOlyq@alpc	db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AlpcConnectionTypeCounters db	  ? ;	; DATA XREF: .text:004011E8o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AlpcReserveTypeCounters db    ? ;	; DATA XREF: .text:00401108o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AlpcRegionTypeCounters	db    ?	;	; DATA XREF: .text:00403C64o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AlpcSectionTypeCounters db    ? ;	; DATA XREF: .text:0040112Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AlpcViewTypeCounters db    ? ;		; DATA XREF: .text:00403C88o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AlpcpPortListLock dd ?			; DATA XREF: AlpcpDestroyPort(x)+Bo
					; AlpcpInitializePort(x,x,x)+A3o ...
		align 10h
_AlpcpPortList	dd ?			; DATA XREF: AlpcpInitializePort(x,x,x)+BCo
					; AlpcpInitSystem+64o ...
dword_6C6F14	dd ?			; DATA XREF: AlpcpInitializePort(x,x,x)+B7r
					; AlpcpInitializePort(x,x,x)+CFw ...
		align 10h
_AlpcpCompletionListDatabase dd	?	; DATA XREF: AlpcpRegisterCompletionListDatabase+7o
					; PAGE:007CC252o ...
dword_6C6F24	dd ?			; DATA XREF: AlpcpRegisterCompletionListDatabase+37w
					; PAGE:007CC276w
dword_6C6F28	dd ?			; DATA XREF: AlpcpRegisterCompletionListDatabase+15r
					; AlpcpRegisterCompletionListDatabase+1Bo ...
dword_6C6F2C	dd ?			; DATA XREF: AlpcpInitSystem+206w
_AlpcMessageTypeCounters db    ? ;	; DATA XREF: .text:00403C40o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AlpcpMessageLogEnabled	dd ?		; DATA XREF: AlpcpDisconnectPort:loc_774A59r
					; AlpcpCancelMessagesByRequestor:loc_774C64r ...
_AlpcpMessageLogLookupTable dd ?	; DATA XREF: AlpcpInitializeMessageLog+85609w
					; AlpcpInitializeMessageLog+85651r ...
_AlpcpFreeMessageSnapshotListHead dd ?	; DATA XREF: AlpcpInitSystem+1ECo
					; AlpcpInitSystem+1F6w	...
dword_6C6F44	dd ?			; DATA XREF: AlpcpInitSystem+1F1w
					; AlpcpInitializeMessageLog+39w ...
_AlpcpFreeMessageLogListHead dd	?	; DATA XREF: AlpcpInitSystem+1DDo
					; AlpcpInitSystem+1E7w	...
dword_6C6F4C	dd ?			; DATA XREF: AlpcpInitSystem+1E2w
					; AlpcpInitializeMessageLog+21w ...
_AlpcpMessageLogListHead dd ?		; DATA XREF: AlpcpInitSystem+1C8o
					; AlpcpInitSystem+1D8w	...
dword_6C6F54	dd ?			; DATA XREF: AlpcpInitSystem+1D3w
					; AlpcpInitializeMessageLog+Dw	...
_AlpcpMessageLogLock dd	?		; DATA XREF: AlpcpInitSystem+1CDw
					; AlpcpInitializeMessageLog+33w ...
		align 10h
_AlpcSecurityTypeCounters db	? ;	; DATA XREF: .text:00401150o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KsepCounters	db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C6F90	dd ?			; DATA XREF: KseShimDatabaseOpen+41w
dword_6C6F94	dd ?			; DATA XREF: KseShimDatabaseOpen+B6w
dword_6C6F98	dd ?			; DATA XREF: KseShimDatabaseOpen+C9w
dword_6C6F9C	dd ?			; DATA XREF: KseShimDatabaseOpen+AF716w
dword_6C6FA0	dd ?			; DATA XREF: KsepPoolAllocatePaged(x)+19w
dword_6C6FA4	dd ?			; DATA XREF: KsepPoolFreePaged(x)+Fw
					; KsepEvntLogShimsApplied(x,x,x)+1D5w ...
dword_6C6FA8	dd ?			; DATA XREF: KsepPoolAllocateNonPaged(x)+1Cw
dword_6C6FAC	dd ?			; DATA XREF: KsepPoolFreeNonPaged+92260w
					; KsepCompletionSafeWrapper(x,x,x)+4Cw
dword_6C6FB0	dd ?			; DATA XREF: KsepPoolAllocatePaged(x):loc_54A2E1w
dword_6C6FB4	dd ?			; DATA XREF: KsepPoolAllocateNonPaged(x):loc_622D58w
dword_6C6FB8	dd ?			; DATA XREF: KsepRegistryOpenKey+B8w
					; KsepRegistryCreateKey(x,x,x)+1B5w
dword_6C6FBC	dd ?			; DATA XREF: KsepRegistryCloseKey(x)+Aw
					; KsepDbQueryRegistryDeviceData+6B837w	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KsepHistoryErrorsIndex	dd ?		; DATA XREF: KsepSdbMapToMemory+75w
					; KsepShimDatabaseTime+82w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KsepHistoryErrors dw ?			; DATA XREF: KsepSdbMapToMemory+9Fw
					; KsepShimDatabaseTime+AAw ...
word_6C7022	dw ?			; DATA XREF: KsepSdbMapToMemory+8Bw
					; KsepShimDatabaseTime+96w ...
dword_6C7024	dd ?			; DATA XREF: KsepSdbMapToMemory+98w
					; KsepShimDatabaseTime+A3w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KsepHistoryMessagesIndex dd ?		; DATA XREF: KseShimDriverIoCallbacks+A6w
					; KseDriverLoadImage(x)+E3w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KsepHistoryMessages dw	?		; DATA XREF: KseShimDriverIoCallbacks+D5w
					; KseDriverLoadImage(x)+10Ew ...
word_6C7242	dw ?			; DATA XREF: KseShimDriverIoCallbacks+C8w
					; KseDriverLoadImage(x)+101w ...
dword_6C7244	dd ?			; DATA XREF: KseShimDriverIoCallbacks+C0w
					; KseDriverLoadImage(x)+F2w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KsepShimDbLock	dd ?			; DATA XREF: KsepShimDbChanged+27o
					; KsepShimDbChanged+9Co ...
_KsepShimDbRefCount dd ?		; DATA XREF: KseShimDatabaseClose+5Ar
					; KseShimDatabaseClose+64w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void KsepShimDb
_KsepShimDb	db    ?	;		; DATA XREF: KseShimDatabaseClose:loc_84DB11o
					; KseShimDatabaseOpen+74o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C7478	dd ?			; DATA XREF: KsepShimDbChanged+4Br
					; KsepShimDbChanged+257w ...
dword_6C747C	dd ?			; DATA XREF: KsepShimDbChanged+53r
					; KsepShimDbChanged:loc_5680B2w
dword_6C7480	dd ?			; DATA XREF: KseShimDatabaseOpen:loc_8FE14Fr
					; KseShimDatabaseBootInitialize+FACBr
		align 8
unk_6C7488	db    ?	;		; DATA XREF: KseShimDatabaseClose+77o
					; KseShimDatabaseOpen+8Do ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6C74A0	dd ?			; DATA XREF: KsepShimDbChanged:loc_5DC858r
					; KsepShimDbChanged+74A1Cw ...
dword_6C74A4	dd ?			; DATA XREF: KsepShimDbChanged+74A0Er
					; KsepShimDbChanged:loc_5DC897w
dword_6C74A8	dd ?			; DATA XREF: KseShimDatabaseOpen+AF6EEr
					; KseShimDatabaseBootInitialize+FAD0r
		align 10h
_KsepShimDbDuringBoot dd ?		; DATA XREF: KseShimDatabaseClose:loc_84DACAr
					; KseShimDatabaseOpen+21r ...
_KsepShimDbHandle dd ?			; DATA XREF: KseShimDatabaseClose+1Ar
					; KseShimDatabaseClose:loc_84DAF5r ...
		align 10h
_KsepMatchMachineInfo dd ?		; DATA XREF: KsepDbGetDriverShims+5Ao
					; KsepDbCacheReadDevice+60o ...
dword_6C74C4	dd ?			; DATA XREF: KsepMatchInitMachineInfo+49w
dword_6C74C8	dd ?			; DATA XREF: KsepMatchInitMachineInfo+53w
dword_6C74CC	dd ?			; DATA XREF: KsepMatchInitMachineInfo+5Dw
_KiSanitizedProfileInterval dd ?	; DATA XREF: KiMonitorCacheErrata(x,x)+2Er
					; KiSanitizeProfileInterval(x):loc_6221ECw
_KiTimelineBitmapTime dd ?		; DATA XREF: PsUpdateComponentPower+8Er
					; KiRetireDpcList+18Er	...
_KiStackProtectTime dd ?		; DATA XREF: KiOutSwapKernelStacks+32r
					; KeBalanceSetManager+2Dw
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUpvUnkUlyquivUrDIGUprOlyq@ke db	   ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_KiIntTrackSpinlock dd ?		; DATA XREF: PpmParkSteerInterrupts+365o
					; KeIntSteerSnapPerf+87o ...
		align 8
_KiIntTrackRootList dd ?		; DATA XREF: KiIntSteerCalculateDistribution+5Br
					; KiIntSteerCalculateDistribution+64o ...
dword_6C74EC	dd ?			; DATA XREF: KiIntSteerConnect:loc_55E71Ar
					; KiIntSteerConnect+1DCw ...
_KiIntTrackRootEnabled dd ?		; DATA XREF: PpmParkSteerInterrupts+72r
					; KiIntSteerEnable(x,x)+3Eo
_KiIntTrackRootCount dd	?		; DATA XREF: KiIntSteerCalculateDistribution:loc_4865A9r
					; KiIntSteerCalculateDistribution+B0r ...
		align 10h
_KiIntSteerAffinitizedInterrupts dw ?	; DATA XREF: KeGetAffinitizedInterruptsInfo(x)+13o
					; KiIntSteerInit()+31w
word_6C7502	dw ?			; DATA XREF: KiIntSteerInit()+37w
dword_6C7504	dd ?			; DATA XREF: KiIntSteerInit()+56w
dword_6C7508	dd ?			; DATA XREF: KiIntSteerChooseInitialTargetProcessors(x,x,x,x,x,x,x)+8Ew
					; KiIntSteerConnect+84878w ...
_KiInterruptControllerInfo dd ?		; DATA XREF: KeIntSteerGetSteeringMode(x,x,x,x,x)+27r
					; KiIntSteerInit()+41o
_KiIntSteerLoadPercent dd ?		; DATA XREF: KeIntSteerSnapPerf+56r
					; KeIntSteerSnapPerf+1FEw ...
_KiIntSteerMaskCount dd	?		; DATA XREF: PpmParkSteerInterrupts+39Cw
					; PpmParkSteerInterrupts+12FA5Co ...
		align 10h
_KiIntSteerMask	dd ?			; DATA XREF: PpmParkSteerInterrupts+383w
					; PpmParkSteerInterrupts+12FA78o ...
dword_6C7524	dd ?			; DATA XREF: PpmParkSteerInterrupts+38Cw
					; KiIntSteerInit()+50w
dword_6C7528	dd ?			; DATA XREF: PpmParkSteerInterrupts+397w
					; KiIntSteerChooseInitialTargetProcessors(x,x,x,x,x,x,x)+5Br ...
_KiIntSteerEnabled db ?			; DATA XREF: KeIntSteerIsSteeringEnabled()r
					; KeIntSteerGetSteeringMode(x,x,x,x,x)+7r ...
		align 10h
_KiFeatureSimulations dd ?		; DATA XREF: KiIsKvaLeakSimulated()r
					; KiInitializeKernel(x,x,x,x,x,x)+81w
_KiFeatureSettings dd ?			; DATA XREF: KiIsKvaShadowDisabled()r
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+268r ...
_KiXMMIZeroingEnable dd	?		; DATA XREF: KiInitMachineDependent+70r
					; KiInitMachineDependent:loc_AE4741r ...
		align 10h
_KiHwCounters	dd ?			; DATA XREF: KiBeginCounterAccumulation(x,x)+53r
					; KiEndCounterAccumulation(x)+47r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiDebuggerOwner dd ?			; DATA XREF: KiFreezeTargetExecution(x,x):loc_5925E9r
					; KeSwitchFrozenProcessor(x):loc_61F0AEr ...
_KiFreezeStallOwner dd ?		; DATA XREF: KiCheckStall(x,x)+11r
					; KiSetDebuggerOwner(x):loc_61F4AEw
_KiLastStallTick dd ?			; DATA XREF: KiCheckStall(x,x)+34r
					; KiCheckStall(x,x)+74w
dword_6C758C	dd ?			; DATA XREF: KiCheckStall(x,x)+44r
					; KiCheckStall(x,x)+7Cw
_KiFreezeOwner	dd ?			; DATA XREF: KiFreezeTargetExecution(x,x)+151r
					; KeFreezeExecution(x,x)+1D0w
_KiOldIrql	db ?			; DATA XREF: KeFreezeExecution(x,x)+299w
					; KeThawExecution(x)+57r
		align 4
_KdDebuggerLockMaxWaitTime dd ?		; DATA XREF: KeFreezeExecution(x,x):loc_61EDFDr
					; KeFreezeExecution(x,x)+17Dw
		align 10h
_KiMtrrInfo	dd ?			; DATA XREF: KeLoadMTRR+B0r
					; KiInitializeMTRR+87r	...
dword_6C75A4	dd ?			; DATA XREF: KeLoadMTRR:loc_723698r
					; KiInitializeMTRR+93r	...
dword_6C75A8	dd ?			; DATA XREF: KiMarkMtrrHiberPhase()+16r
					; KeLoadMTRR+C6r ...
dword_6C75AC	dd ?			; DATA XREF: KiInitializeMTRR+74r
					; KiInitializeMTRR+1BDw ...
byte_6C75B0	db ?			; DATA XREF: KeLoadMTRR+12r
					; KeRestoreMtrrBroadcast()+10r	...
byte_6C75B1	db ?			; DATA XREF: KiWriteFixedMtrr+9r
					; KiWriteFixedMtrr+AEr	...
		align 4
dword_6C75B4	dd ?			; DATA XREF: KiMarkMtrrHiberPhase()r
					; KeLoadMTRR:loc_7236D0r ...
dword_6C75B8	dd ?			; DATA XREF: KiMarkMtrrHiberPhase():loc_720F7Br
					; KeLoadMTRR:loc_723627r ...
_KiTargetPhase	db    ?	;		; DATA XREF: KeRestoreMtrrBroadcast()+3Do
		db    ?	;
		db    ?	;
		db    ?	;
_KeMtrrComparisonFailed	db ?		; DATA XREF: PAGELK:0071F0B0w
					; PAGELK:0071F931r ...
		align 4
_KiSynchPacket	dd ?			; DATA XREF: KiCallInterruptServiceRoutine:loc_4DE86Er
					; KiCallInterruptServiceRoutine+366r ...
_KeI386CpuType	dd ?			; DATA XREF: KiInitializeKernel(x,x,x,x,x,x)+262w
					; KiInitializeKernel(x,x,x,x,x,x)+3DBr	...
_KeI386CpuStep	dd ?			; DATA XREF: KiInitializeKernel(x,x,x,x,x,x)+26Dw
					; KiInitializeKernel(x,x,x,x,x,x)+4A4r	...
_KiSupervisorXStateFeaturesLock	db    ?	; ; DATA XREF: KiStartSavingSupervisorState()+10o
		db    ?	;
		db    ?	;
		db    ?	;
_KiSupervisorStateExtensionHost	dd ?	; DATA XREF: KeGetSupervisorStateExtensionHost()r
					; INIT:00AC0069o ...
		align 10h
_KeSleepingProcessors dw ?		; DATA XREF: KiIpiSendRequest+12A154o
					; KiInitPrcb(x,x)+307w
word_6C75E2	dw ?			; DATA XREF: KiInitPrcb(x,x)+30Dw
dword_6C75E4	dd ?			; DATA XREF: KiInitPrcb(x,x)+313w
dword_6C75E8	dd ?			; DATA XREF: KiIpiSendRequest+2F3r
					; KiInitPrcb(x,x)+319w
_KiGlobalSecondaryIDT dd ?		; DATA XREF: KiDisconnectInterruptCommon+895C8r
					; KiConnectSecondaryInterrupt(x)+6Ar ...
_KiSecondarySignalDpcRunning db	?	; DATA XREF: KiDisconnectSecondaryInterruptInternal(x,x)+CCr
					; KiDisconnectSecondaryInterruptInternal(x,x)+DAw ...
		align 8
_KiSecondarySignalList dd ?		; DATA XREF: KiDisconnectSecondaryInterruptInternal(x,x)+91r
					; KiDisconnectSecondaryInterruptInternal(x,x)+97o ...
dword_6C75FC	dd ?			; DATA XREF: KiDisconnectSecondaryInterruptInternal(x,x)+9Cr
					; KiDisconnectSecondaryInterruptInternal(x,x)+BEw ...
_KiSecondarySignalListLock dd ?		; DATA XREF: KiDisconnectSecondaryInterruptInternal(x,x)+83o
					; KiProcessSecondarySignalList(x,x,x,x)+22o ...
_KiSecondaryInterruptServicesEnabled db	? ; DATA XREF: KiIsInterruptTypeSecondaryr
					; KiConnectSecondaryInterrupt(x)+6r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiSecondarySignalDpc db    ? ;		; DATA XREF: KiDisconnectSecondaryInterruptInternal(x,x)+E6o
					; KeInitializeSecondaryInterruptServices(x)+61o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiCurrentErrLogBufferBase dd ?		; DATA XREF: KiSaveCurrentEtwTraceBuffer()+ACw
					; KiSaveCurrentEtwTraceBuffer()+CFo
_KiCurrentErrLogBufferOffset dd	?	; DATA XREF: KiSaveCurrentEtwTraceBuffer()+B4w
					; KiSaveCurrentEtwTraceBuffer()+DCo
_KiCurrentEtwBufferBase	dd ?		; DATA XREF: KiSaveCurrentEtwTraceBuffer()+3Bw
					; KiSaveCurrentEtwTraceBuffer()+5Eo
_KiCurrentEtwBufferOffset dd ?		; DATA XREF: KiSaveCurrentEtwTraceBuffer()+43w
					; KiSaveCurrentEtwTraceBuffer()+6Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void KiPreBugcheckStackSaveArea
_KiPreBugcheckStackSaveArea db	  ? ;	; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+1BEo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiBugCheckActive dd ?			; DATA XREF: KeQueryCurrentStackInformationEx+8r
					; KiGetIsrStackToSwitch(x):loc_4F1EC3r	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; Exported entry 1327. KiBugCheckData
		public _KiBugCheckData
; char KiBugCheckData
_KiBugCheckData	dd ?			; DATA XREF: Dr_kite_a+462r
					; KeBugCheck2(x,x,x,x,x,x)+2AEw ...
dword_6CA684	dd ?			; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+2B4w
					; KeBugCheck2(x,x,x,x,x,x)+478r ...
dword_6CA688	dd ?			; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+2BAw
					; KeBugCheck2(x,x,x,x,x,x)+48Ar ...
dword_6CA68C	dd ?			; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+2C0w
					; KeBugCheck2(x,x,x,x,x,x)+3D5w ...
dword_6CA690	dd ?			; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+2C6w
					; KeBugCheck2(x,x,x,x,x,x)+472r ...
_KiHardwareTrigger dd ?			; DATA XREF: KiBugCheck2(x,x,x,x,x,x):loc_5803DEw
					; V86_kit3_a+2C7w ...
_KiNumaQueryProcessorNode dd ?		; DATA XREF: KiQueryProcessorNode+23r
					; KeNumaInitialize()+3Aw
_KiNumaQueryProximityId	dd ?		; DATA XREF: KiPerformGroupConfiguration:loc_ABEAF1r
					; KeNumaInitialize()+5Aw
_KiNumaQueryProximityNode dd ?		; DATA XREF: KiQueryProximityNode(x,x)+6r
					; KiPerformGroupConfiguration+AFr ...
_KiHwPolicyDriverImageBase dd ?		; DATA XREF: INIT:00ACD51Cw
					; KeHwPolicyLocateResource+5r ...
_KiHwPolicyDriverNotPresent db ?	; DATA XREF: KeHwPolicyLocateResource+12r
					; KeHwPolicyLocateResource:loc_AE891Aw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VdmStringIoMutex db	? ;		; DATA XREF: VdmDispatchStringIoToHandler(x,x,x,x,x,x,x)+19o
					; VdmDispatchStringIoToHandler(x,x,x,x,x,x,x)+D9o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void VdmStringIoBuffer
_VdmStringIoBuffer db	 ? ;		; DATA XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+FEo
					; VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+11Do	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiProcessorStartData dd ?		; DATA XREF: KiProcessorStart+56r
					; KiProcessorStart+74w	...
dword_6CAAE4	dd ?			; DATA XREF: KiProcessorStart+47r
					; KiProcessorStart+7Dw	...
dword_6CAAE8	dd ?			; DATA XREF: KiProcessorStart+86w
dword_6CAAEC	dd ?			; DATA XREF: KiProcessorStart+8Fw
					; KeStartAllProcessors+3C7r
; void *KiBootProcessorIdt
_KiBootProcessorIdt dd ?		; DATA XREF: KiInitializeProcessorState(x,x,x,x,x,x,x,x,x,x)+9Ar
					; KiSaveBootProcessorIdt()+30w
_KiSMTProcessorsPresent	db ?		; DATA XREF: KiConfigureNodeSchedulingInformation(x)+8r
					; KiAdjustSimultaneousMultiThreadingCharacteristics+8r	...
		align 4
; size_t KiBootProcessorIdtSize
_KiBootProcessorIdtSize	dd ?		; DATA XREF: KeMarkHiberPhase+5Eo
					; KiInitializeProcessorState(x,x,x,x,x,x,x,x,x,x)+94r ...
_KiNmiCallbackListHead dd ?		; DATA XREF: KiDeregisterNmiSxCallback(x,x,x)+37r
					; KiDeregisterNmiSxCallback(x,x,x)+3Do	...
_KiNmiCallbackListLock db    ? ;	; DATA XREF: KiDeregisterNmiSxCallback(x,x,x)+28o
					; KiRegisterNmiSxCallback(x,x,x,x)+32o
		db    ?	;
		db    ?	;
		db    ?	;
_KiBoundsCallback dd ?			; DATA XREF: KeDeregisterBoundCallback(x)+1Ao
					; KeDeregisterBoundCallback(x)+38o ...
_KiCpuTracingFlags dd ?			; DATA XREF: _SwapContext_SaveIpt+D3r
					; _SwapContext_NoNpxLoad:loc_5A20CBr ...
_KiSystemCallExitAdjusted db ?		; DATA XREF: KiEnableFastSyscallReturn+7r
					; KiEnableFastSyscallReturn+32w
_KiFastSystemCallIsIA32	db ?		; DATA XREF: KiLoadFastSyscallMachineSpecificRegistersr
					; KiGetFeatureBits+28Cw
		align 10h
_KiSystemCallExitAdjust	dd ?		; DATA XREF: KeRestoreProcessorSpecificFeatures()+1Bw
					; KiEnableFastSyscallReturnr ...
_KeI386FastSystemCallReturn dd ?	; DATA XREF: RtlWalkFrameChain+21Ar
					; KiFastCallEntryCommon+Dr ...
_KiClockTimerOwner dd ?			; DATA XREF: ExpUpdateTimerConfiguration(x,x,x)+12r
					; PoIdle(x)+49Ar ...
_KiDynamicTickCancellations dd ?	; DATA XREF: KePrepareClockTimerForIdle(x,x,x,x,x):loc_591E3Cw
					; KePrepareClockTimerForIdle(x,x,x,x,x):loc_591E6Fr ...
_KiClockTimerOneShotEndTime dd ?	; DATA XREF: KeResumeClockTimerFromIdle+155w
					; KePrepareClockTimerForIdle(x,x,x,x,x)+152r ...
dword_6CAB24	dd ?			; DATA XREF: KeResumeClockTimerFromIdle+14Bw
					; KePrepareClockTimerForIdle(x,x,x,x,x)+158r ...
_KiClockTimerOneShotStartTime dd ?	; DATA XREF: KeResumeClockTimerFromIdle+1B7r
					; KePrepareClockTimerForIdle(x,x,x,x,x)+13Dr ...
dword_6CAB2C	dd ?			; DATA XREF: KeResumeClockTimerFromIdle+1C2r
					; KePrepareClockTimerForIdle(x,x,x,x,x)+145r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiClockStats	dd ?			; DATA XREF: KeClockTimerPowerChange(x)w
dword_6CAB44	dd ?			; DATA XREF: KiResumeClockTimer+D6955w
dword_6CAB48	dd ?			; DATA XREF: KiSuspendClockTimer():loc_552A56w
dword_6CAB4C	dd ?			; DATA XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+91w
dword_6CAB50	dd ?			; DATA XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+367w
dword_6CAB54	dd ?			; DATA XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+370w
dword_6CAB58	dd ?			; DATA XREF: KeResumeClockTimerFromIdle:loc_48CD7Cw
dword_6CAB5C	dd ?			; DATA XREF: KeResumeClockTimerFromIdle+338w
dword_6CAB60	dd ?			; DATA XREF: KeResumeClockTimerFromIdle+1F7r
					; KeResumeClockTimerFromIdle:loc_48CDCFw
dword_6CAB64	dd ?			; DATA XREF: KeResumeClockTimerFromIdle:loc_48CC39r
					; KeResumeClockTimerFromIdle+384w
dword_6CAB68	dd ?			; DATA XREF: KeResumeClockTimerFromIdle+1DDr
					; KeResumeClockTimerFromIdle:loc_48CDDFw ...
dword_6CAB6C	dd ?			; DATA XREF: KeResumeClockTimerFromIdle+1CFr
					; KeResumeClockTimerFromIdle+394w ...
dword_6CAB70	dd ?			; DATA XREF: KiSetClockTickRate:loc_4FE976r
					; KiSetClockTickRate:loc_5D516Dw ...
dword_6CAB74	dd ?			; DATA XREF: KiSetClockTickRate+B4r
					; KiSetClockTickRate:loc_4FE9F1w ...
dword_6CAB78	dd ?			; DATA XREF: KiSetClockTickRate:loc_4FE98Ar
					; KiSetClockTickRate:loc_4FEA04w ...
dword_6CAB7C	dd ?			; DATA XREF: KiSetClockTickRate:loc_4FE982r
					; KiSetClockTickRate:loc_4FE9FCw ...
dword_6CAB80	dd ?			; DATA XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+39Er
					; KePrepareClockTimerForIdle(x,x,x,x,x):loc_592072w
dword_6CAB84	dd ?			; DATA XREF: KePrepareClockTimerForIdle(x,x,x,x,x):loc_592060r
					; KePrepareClockTimerForIdle(x,x,x,x,x)+3ACw
dword_6CAB88	dd ?			; DATA XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+380r
					; KePrepareClockTimerForIdle(x,x,x,x,x):loc_592054w ...
dword_6CAB8C	dd ?			; DATA XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+376r
					; KePrepareClockTimerForIdle(x,x,x,x,x)+38Ew ...
dword_6CAB90	dd ?			; DATA XREF: KeClockInterruptNotify:loc_5B6975w
dword_6CAB94	dd ?			; DATA XREF: KeClockInterruptNotify+12EAF5w
dword_6CAB98	dd ?			; DATA XREF: KeClockInterruptNotify:loc_5B69FDw
dword_6CAB9C	dd ?			; DATA XREF: KeClockInterruptNotify+12EB74w
_KiClockTimerNextTickTime dd ?		; DATA XREF: KeClockInterruptNotify+1CCw
					; KeResumeClockTimerFromIdle+250r ...
dword_6CABA4	dd ?			; DATA XREF: KeClockInterruptNotify+1D4w
					; KeResumeClockTimerFromIdle+242r ...
_KiClockIncrementTraceCount dd ?	; DATA XREF: KiSetClockTickRate:loc_4FE992r
					; KiSetClockTickRate+ECw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiClockIncrementTrace db    ? ;	; DATA XREF: KiSetClockTickRate+E2o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiDefaultClockIntervalRequest db    ? ; ; DATA	XREF: KeInitializeClock:loc_AE68D5o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6CADCC	db ?			; DATA XREF: KeInitializeClock+1ABB9w
		align 10h
dword_6CADD0	dd ?			; DATA XREF: KeInitializeClock+1AB82w
		align 8
_KiForceIdleReset db ?			; DATA XREF: KeResumeClockTimerFromIdle:loc_48CD18r
					; KePrepareClockTimerForIdle(x,x,x,x,x)+353w ...
		align 4
_KiLastRequestedTimeIncrement dd ?	; DATA XREF: KeResumeClockTimerFromIdle+236r
					; KiSetClockIntervalToMinimumRequested()+63r ...
_KiClockLatencyMeasurementEnabled db ?	; DATA XREF: KeResumeClockTimerFromIdle+195r
					; KeResumeClockTimerFromIdle+1C8w ...
		align 8
_KiClockOwnerAllowedCpuSetVersion db	? ; ; DATA XREF: KiGetNextClockOwner+12o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiClockOwnerOneShotRequest dd ?	; DATA XREF: KeClockInterruptNotify+244w
					; KiCheckForTimerExpiration:loc_48C7BDr ...
dword_6CADF4	dd ?			; DATA XREF: KeClockInterruptNotify+24Ew
					; KiCheckForTimerExpiration+225r ...
_KiConsiderTimerRebasing db ?		; DATA XREF: KeResumeClockTimerFromIdle:loc_48CC53r
					; KePrepareClockTimerForIdle(x,x,x,x,x)+3B8w ...
		align 10h
_KiClockOwnerAllowedCpuSet db	 ? ;	; DATA XREF: KiGetNextClockOwner+17o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CAE08	dd ?			; DATA XREF: KiGetNextClockOwner+21r
_KiClockTickSkipTraceIndex dd ?		; DATA XREF: KeClockInterruptNotify+12EAEEr
					; KeClockInterruptNotify+12EB09w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiClockTickSkipTraces db    ? ;	; DATA XREF: KeClockInterruptNotify+12EB00o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiClockTickTraceIndex dd ?		; DATA XREF: KeClockInterruptNotify:loc_487F95r
					; KeClockInterruptNotify+129w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiClockTickTraces dd ?			; DATA XREF: KeClockInterruptNotify+17Cw
dword_6CAF44	dd ?			; DATA XREF: KeClockInterruptNotify+188w
dword_6CAF48	dd ?			; DATA XREF: KeClockInterruptNotify+14Cw
dword_6CAF4C	dd ?			; DATA XREF: KeClockInterruptNotify+153w
dword_6CAF50	dd ?			; DATA XREF: KeClockInterruptNotify+1DAw
dword_6CAF54	dd ?			; DATA XREF: KeClockInterruptNotify+1E1w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiClockOwnerOneShotRequestState dd ?	; DATA XREF: KeClockInterruptNotify:loc_487FD5r
					; KeClockInterruptNotify+16Ar ...
_KiProcessNodeSeed dw ?			; DATA XREF: KeSelectNodeForAffinity:loc_5CE6F1r
					; KeSelectNodeForAffinity+E3E09w ...
		align 4
_KiProcessListHead dd ?			; DATA XREF: KiInitializeKernel(x,x,x,x,x,x)+328o
					; KiInitializeKernel(x,x,x,x,x,x)+332w
dword_6CB0CC	dd ?			; DATA XREF: KiInitializeKernel(x,x,x,x,x,x)+32Dw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KeThreadSwitchCounters	dd ?		; DATA XREF: PAGE:0077FBB3r
dword_6CB0E4	dd ?			; DATA XREF: PAGE:0077FBC5r
dword_6CB0E8	dd ?			; DATA XREF: PAGE:0077FBBCr
dword_6CB0EC	dd ?			; DATA XREF: PAGE:0077FBCEr
dword_6CB0F0	dd ?			; DATA XREF: PAGE:0077FBD7r
dword_6CB0F4	dd ?			; DATA XREF: PAGE:0077FBE9r
dword_6CB0F8	dd ?			; DATA XREF: PAGE:0077FBE0r
dword_6CB0FC	dd ?			; DATA XREF: PAGE:0077FBF2r
dword_6CB100	dd ?			; DATA XREF: PAGE:0077FBFBr
dword_6CB104	dd ?			; DATA XREF: PAGE:0077FC04r
dword_6CB108	dd ?			; DATA XREF: PAGE:0077FC0Dr
_KiFreezeFlag	dd ?			; DATA XREF: Dr_kite_a:loc_5A04ADr
					; KeFreezeExecution(x,x)+4Ew ...
_KiProfileAlignmentFixupInterval dd ?	; DATA XREF: KeQueryIntervalProfile(x):loc_849042r
					; KeSetIntervalProfile(x,x)+59w
		align 8
_KiSchedulingGroupList dd ?		; DATA XREF: .text:0050FC71o
					; KeRemoveSchedulingGroup+F0o ...
dword_6CB11C	dd ?			; DATA XREF: .text:0050FC6Cr
					; .text:0050FC85w ...
_KiGroupSchedulingTotalWeight dd ?	; DATA XREF: .text:loc_50FD73w
					; KiAssignSchedulingGroupWeights+1Fr ...
_KiGroupSchedulingMinimumRate dd ?	; DATA XREF: .text:0050FDD9r
					; .text:0050FE06w ...
_KiGroupSchedulingMinimumWeight	dd ?	; DATA XREF: .text:0050FD5Cr
					; .text:0050FD6Dw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiTimer2Collections db	   ? ;		; DATA XREF: KiInsertTimer2WithCollectionLockHeld+5Do
					; KiInsertTimer2WithCollectionLockHeld+8Co ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CB144	db    ?	;		; DATA XREF: KiTimer2Expiration+91o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CB148	db    ?	;		; DATA XREF: KiRemoveTimer2+117o
					; KiGetNextTimer2ExpirationDueTime+49o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CB158	dd ?			; DATA XREF: KiCheckForTimerExpiration+191o
					; KiCheckForTimerExpiration+1DDo ...
dword_6CB15C	dd ?			; DATA XREF: KiAdjustTimer2DueTimes:loc_55EE8Ar
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CB164	db    ?	;		; DATA XREF: KiTimer2Expiration+B2o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CB168	db    ?	;		; DATA XREF: KiCheckForTimerExpiration+3CEo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CB178	db    ?	;		; DATA XREF: KiCheckForTimerExpiration+379o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CB180	db    ?	;		; DATA XREF: KiGetPastDueIRTimerInfo(x,x,x,x):loc_621D0Fo
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CB184	dd ?			; DATA XREF: KiGetPastDueIRTimerInfo(x,x,x,x):loc_621CFBr
dword_6CB188	dd ?			; DATA XREF: KiGetPastDueIRTimerInfo(x,x,x,x)+18r
dword_6CB18C	dd ?			; DATA XREF: KiGetPastDueIRTimerInfo(x,x,x,x)+Br
_KiNextTimer2DueTime dd	?		; DATA XREF: KiCheckForTimerExpiration+2CBo
					; KiTimer2Expiration+29o ...
dword_6CB194	dd ?			; DATA XREF: KiInsertTimer2WithCollectionLockHeld+C7r
					; KiInsertTimer2WithCollectionLockHeld+E1r ...
_KiCpuSetLock	db    ?	;		; DATA XREF: KeSetSystemAllowedCpuSets+34o
					; KeCpuSetReportParkedProcessors+12o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiForceIdleActiveLastStartTime	dd ?	; DATA XREF: KeClockInterruptNotify+12EAC3r
					; KiForceIdleStartDpcRoutine(x,x,x,x)+54w ...
dword_6CB1A4	dd ?			; DATA XREF: KeClockInterruptNotify+12EAD1r
					; KiForceIdleStartDpcRoutine(x,x,x,x)+59w ...
_KiForceIdlePendingDpcCount dd ?	; DATA XREF: KiForceIdleParkUnparkDpcRoutine(x,x,x,x)+14w
					; KiForceIdleUpdateSchedulerParkState(x):loc_6219BAr ...
_KiHrTimerActiveCount dd ?		; DATA XREF: KiInsertTimer2WithCollectionLockHeld+158w
					; KiRemoveTimer2:loc_4D8AB4w ...
_KiForceIdleWatchdogResetCount dd ?	; DATA XREF: KeClockInterruptNotify+12EAA9r
					; KeClockInterruptNotify+12EAC9w ...
_KiForceIdleState dd ?			; DATA XREF: KeIsForceIdleEngaged()+9r
					; KiUpdateTime:loc_487B9Ar ...
		align 10h
_KiForceIdleStopDpc db	  ? ;		; DATA XREF: KiResetForceIdle(x,x)+BCo
					; KiInitializeForceIdle+5Bo
byte_6CB1C1	db ?			; DATA XREF: KiInitializeForceIdle+6Cw
word_6CB1C2	dw ?			; DATA XREF: KiResetForceIdle(x,x)+B2w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CB1DC	dd ?			; DATA XREF: KiResetForceIdle(x,x)+A6r
_KeSoftParkedQueueThreshold dd ?	; DATA XREF: KiChooseTargetProcessor+260r
					; PpmParkApplyPolicy:loc_573FE9w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiDynamicProcessorLock	dd ?		; DATA XREF: KeRegisterProcessorChangeCallback+90o
					; KeRegisterProcessorChangeCallback:loc_8ACC0Bo ...
dword_6CB204	dd ?			; DATA XREF: KiInitSystem+13Dw
dword_6CB208	dd ?			; DATA XREF: KiInitSystem+143w
unk_6CB20C	db    ?	;		; DATA XREF: KiInitSystem+132o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiForegroundState db	 ? ;		; DATA XREF: KiProcessPendingForegroundBoosts+140o
					; KiTriggerForegroundBoostDpc(x,x,x,x)+39o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CB278	db    ?	;		; DATA XREF: KiForegroundTimerCallback(x,x)+7o
					; KiCompleteKernelInit+106o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CB298	db    ?	;		; DATA XREF: KiScheduleNextForegroundBoost+69o
					; KiCompleteKernelInit+116o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CB2B8	dd ?			; DATA XREF: KiProcessPendingForegroundBoosts+38r
					; KiProcessPendingForegroundBoosts:loc_4421EAo	...
dword_6CB2BC	dd ?			; DATA XREF: KiScheduleNextForegroundBoost+29r
					; KiScheduleNextForegroundBoost+47w ...
dword_6CB2C0	dd ?			; DATA XREF: KiProcessPendingForegroundBoosts+1Do
					; KiProcessPendingForegroundBoosts+9Fo	...
		align 8
_KiUpdateVpThreadPriorityListHead dd ?	; DATA XREF: KiCompleteKernelInit+136o
					; KiCompleteKernelInit+147w
dword_6CB2CC	dd ?			; DATA XREF: KiCompleteKernelInit+142w
_KiUpdateVpThreadPriorityLock dd ?	; DATA XREF: KiCompleteKernelInit+130w
		align 10h
_KiUpdateVpThreadPriorityDpc db	   ? ;	; DATA XREF: KiCompleteKernelInit+126o
byte_6CB2E1	db ?			; DATA XREF: KiCompleteKernelInit+13Bw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KeBugCheckCallbackLock	dd ?		; DATA XREF: KeRegisterBugCheckReasonCallback+14o
					; KeRegisterBugCheckReasonCallback:loc_5608BCo	...
		align 8
_KiProfileListHead dd ?			; DATA XREF: KeProfileInterruptWithSource(x,x)+2Do
					; KiStartProfileTarget(x)+76o ...
dword_6CB30C	dd ?			; DATA XREF: KiStartProfileTarget(x):loc_61F915r
					; KiStartProfileTarget(x)+8Aw ...
_KiStackInSwapListHead dd ?		; DATA XREF: KiReadyThread+9Ar
					; KiReadyThread+AEo ...
_KiProcessInSwapListHead dd ?		; DATA XREF: KiOutSwapProcesses:loc_44CAACr
					; KiOutSwapProcesses+1C9o ...
_KiProcessOutSwapListHead dd ?		; DATA XREF: KiDecrementProcessStackCount(x):loc_4F7009r
					; KiDecrementProcessStackCount(x)+7Co ...
		align 10h
_KiProfileSourceListHead dd ?		; DATA XREF: KiStartProfileTarget(x)+90r
					; KiStartProfileTarget(x)+96o ...
dword_6CB324	dd ?			; DATA XREF: KiInitSystem+84w
		align 10h
_KiSwapEvent	db    ?	;		; DATA XREF: KiOutSwapProcesses:loc_44CAD7o
					; KiOutSwapProcesses+1FBo ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CB334	dd ?			; DATA XREF: KiOutSwapProcesses+1F1w
		align 10h
_KiSetVirtualHeteroClockIntervalRequestDpc db	 ? ;
					; DATA XREF: KeUpdatePendingQosRequest(x)+66o
					; KiInitSystem+154o
byte_6CB341	db ?			; DATA XREF: KiInitSystem+160w
word_6CB342	dw ?			; DATA XREF: KeUpdatePendingQosRequest(x)+59w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CB35C	dd ?			; DATA XREF: KeUpdatePendingQosRequest(x):loc_61A8B0r
_KiStackProtectNotifyEvent db	 ? ;	; DATA XREF: KeBalanceSetManager+123o
					; KiInitSystem+108o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiBalanceSetManagerPeriodicEvent db	? ; ; DATA XREF: KeBalanceSetManager+40o
					; KiInitSystem+E0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiForceIdleLock dd ?			; DATA XREF: KiUpdateTime+9Fo
					; KeClockInterruptNotify+75o ...
		align 8
_KiForceIdleStartTime dd ?		; DATA XREF: KiUpdateTime+AFr
					; KiCheckAndRearmForceIdle+CCC5Bw ...
dword_6CB38C	dd ?			; DATA XREF: KiUpdateTime+BAr
					; KiCheckAndRearmForceIdle+CCC63w ...
_KiBalanceSetManagerCount dd ?		; DATA XREF: KiUpdateTime:loc_487C26w
					; KiUpdateTime+221w ...
		align 10h
_KiBalanceSetManagerPeriodicDpc	db    ?	; ; DATA XREF: KiUpdateTime+21Co
					; KiInitSystem+F1o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiForceIdleStartDpc db	   ? ;		; DATA XREF: KiUpdateTime+12EDBEo
					; KiCheckAndRearmForceIdle+CCC23o ...
byte_6CB3C1	db ?			; DATA XREF: KiInitializeForceIdle+65w
word_6CB3C2	dw ?			; DATA XREF: KiUpdateTime+12EDB0w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CB3DC	dd ?			; DATA XREF: KiUpdateTime+12EDA4r
_KiGenerationEndTick dd	?		; DATA XREF: KiTransitionSchedulingGroupGeneration:loc_444035r
					; KiUpdateTime+194r ...
dword_6CB3E4	dd ?			; DATA XREF: KiTransitionSchedulingGroupGeneration+71r
					; KiUpdateTime+185r ...
_KeBugCheckCallbackListHead dd ?	; DATA XREF: KeRegisterBugCheckCallback+2Co
					; KeRegisterBugCheckCallback+5Bo ...
dword_6CB3EC	dd ?			; DATA XREF: KiScanBugCheckCallbackList()+1Er
					; KiInitSystem+1Fw
_KeBugCheckAddRemovePagesCallbackListHead dd ?
					; DATA XREF: KeRegisterBugCheckReasonCallback:loc_5E33F3o
					; IopDumpCallAddPagesCallbacks(x)+19r ...
dword_6CB3F4	dd ?			; DATA XREF: KiInitSystem+41w
_KeBugCheckReasonCallbackListHead dd ?	; DATA XREF: KeRegisterBugCheckReasonCallback+3Fo
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+19Fo ...
dword_6CB3FC	dd ?			; DATA XREF: KiInvokeBugCheckAddTriageDumpDataCallbacks()+2Fr
					; KiInvokeBugCheckEntryCallbacks(x,x,x)+1Er ...
_KeBugCheckTriageDumpDataArrayListHead dd ?
					; DATA XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+1ABo
					; KiInvokeBugCheckAddTriageDumpDataCallbacks()+EBo ...
dword_6CB404	dd ?			; DATA XREF: KiInvokeBugCheckAddTriageDumpDataCallbacks()+E5r
					; KiInvokeBugCheckAddTriageDumpDataCallbacks()+103w ...
; void *KiNodeGraph
_KiNodeGraph	dd ?			; DATA XREF: KiComputeNumaCosts+25229w
					; KiComputeNumaCosts+25706r ...
; void *KiActualNodeCost
_KiActualNodeCost dd ?			; DATA XREF: KiComputeNumaCosts+25215w
					; KiComputeNumaCosts+252ABr ...
_KiDisableFgBoostDecayRegistryChangeIoStatus db	   ? ;
					; DATA XREF: KiRegisterForDisableFgBoostDecayRegistryNotification+26o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiDisableFgBoostDecayRegistryHandle dd	?
					; DATA XREF: KiRegisterForDisableFgBoostDecayRegistryNotification+33r
					; KiIsDisableFgBoostDecayFeatureStateSet()+23r	...
		align 10h
_KiDisableFgBoostDecayRegistryChangeWork dd ?
					; DATA XREF: KiRegisterForDisableFgBoostDecayRegistryNotification+2Do
					; KiRegisterForDisableFgBoostDecayRegistryNotification+3Fw
		align 8
dword_6CB428	dd ?			; DATA XREF: KiRegisterForDisableFgBoostDecayRegistryNotification+17w
dword_6CB42C	dd ?			; DATA XREF: KiRegisterForDisableFgBoostDecayRegistryNotification+39w
_KiForceSymbolReferencesTrigger	dd ?	; DATA XREF: KiInitSystem+6r
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUpwGEUnkUlyquivUrDIGUpwkOlyq@kd	db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KdDebuggerEnteredCount	dd ?		; DATA XREF: KdEnterDebugger(x,x):loc_A4B437w
		align 10h
_KdIgnoredSavingSupervisorXStateFeatures dd ? ;	DATA XREF: KdEnterDebugger(x,x)+CCr
dword_6CB444	dd ?			; DATA XREF: KdEnterDebugger(x,x)+B3r
_KdDebuggerEnteredWithoutLock dd ?	; DATA XREF: KdEnterDebugger(x,x)+158w
_KdpContextSent	db ?			; DATA XREF: KdpGetContextEx(x,x,x):loc_617264w
					; KdpSetContextEx(x,x,x)+3Dr ...
		align 10h
_KdUmBreakPid	dd ?			; DATA XREF: NtSystemDebugControl+833A9r
					; NtSystemDebugControl:loc_938B4Ew
_KdUmAttachPid	dd ?			; DATA XREF: NtSystemDebugControl:loc_938AEFw
					; NtSystemDebugControl+83403r
_KdResetUmAttachPid db ?		; DATA XREF: NtSystemDebugControl+83439r
		align 4
_KdUmBreakMarker dd ?			; DATA XREF: NtSystemDebugControl:loc_938AE3w
_KdResetUmBreakPid db ?			; DATA XREF: NtSystemDebugControl+833DFr
		align 4
; Exported entry 1073. KdEnteredDebugger
		public _KdEnteredDebugger
_KdEnteredDebugger dd ?			; DATA XREF: MiQueuePinDriverAddressLog+28r
					; KdEnterDebugger(x,x)+152w ...
_KdpOweBreakpoint db ?			; DATA XREF: Dr_kite_a:loc_5A03E7r
					; KdSetOwedBreakpoints(x)+Er ...
		align 4
_KdDebugDevice	dd ?			; DATA XREF: KdGetDebugDevice()o
					; KdInitSystem:loc_A4A08Cr
_KdAutoEnableOnEvent db	?		; DATA XREF: KiDispatchException:loc_5C231Dr
					; KeInsertQueue:loc_5D531Dr ...
		align 4
_KdpLoaderDebuggerBlock	dd ?		; DATA XREF: KdInitSystem+14Bo
					; KdInitSystem+157w ...
_KdPageDebuggerSection db ?		; DATA XREF: MmImageSectionPagable:loc_8DF51Fr
					; KdInitSystem+1BAw ...
_KdIgnoreUmExceptions db ?		; DATA XREF: KiDispatchException+34Ar
					; PAGE:0077F9A3r ...
		align 10h
_KdLogBuffer	dd ?			; DATA XREF: sub_5FB8A3+28r
					; sub_5FB8A3+CEr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KdBlockEnable	db ?			; DATA XREF: KdChangeOption(x,x,x,x,x,x)+34r
					; KdChangeOption(x,x,x,x,x,x)+49w ...
_KdEventLoggingPresent db ?		; DATA XREF: .text:loc_52965Cr
					; EtwpTraceMessageVa:loc_5AE2DDr ...
_KdLocalDebugEnabled db	?		; DATA XREF: DbgkCaptureLiveKernelDump(x)+6Dr
					; NtSystemDebugControl+3Cr ...
; Exported entry 1068. KdDebuggerEnabled
		public _KdDebuggerEnabled
_KdDebuggerEnabled db ?			; DATA XREF: KiForwardTick:loc_48750Cr
					; KeAccumulateTicks:loc_48C371r ...
; Exported entry 1069. KdDebuggerNotPresent
		public _KdDebuggerNotPresent
_KdDebuggerNotPresent db ?		; DATA XREF: .text:0052964Ar
					; KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x):loc_592393r	...
		align 10h
_KdpContext	dd ?			; DATA XREF: KdPowerTransitionEx(x,x)+8Eo
					; KdPowerTransitionEx(x,x):loc_6170EAo	...
byte_6CB514	db ?			; DATA XREF: sub_5FB8A3:loc_5FB8FBr
					; sub_5FB8A3+63w ...
		align 4
dword_6CB518	dd ?			; DATA XREF: KdInitSystem+87w
		align 10h
; Exported entry 1074. KdEventLoggingEnabled
		public _KdEventLoggingEnabled
_KdEventLoggingEnabled db ?		; DATA XREF: KeAccumulateTicks+14Ar
					; KdCheckForDebugBreak:loc_5529FFr ...
_KdBreakAfterSymbolLoad	db ?		; DATA XREF: KdInitSystem+54w
					; KdRegisterDebuggerDataBlock+6D8w ...
		align 8
_PipDgqListHead	dd ?			; DATA XREF: PiDmaGuardQueueRemoveEntry(x)+22r
					; PiDmaGuardQueueRemoveEntry(x)+28o ...
dword_6CB52C	dd ?			; DATA XREF: PipDgqInsertEntry(x)+22r
					; PipDgqInsertEntry(x)+3Ew ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PipDgqListLock	db    ?	;		; DATA XREF: PiDmaGuardQueueRemoveEntry(x)+17o
					; PiDmaGuardQueueFlush(x)+17o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiDrvDbNodeList dd ?			; DATA XREF: PiDrvDbFindNode(x,x)+9r
					; PiDrvDbFindNode(x,x)+1Ao ...
dword_6CB57C	dd ?			; DATA XREF: PiDrvDbInit(x)+39w
					; PiDrvDbCreateNode+1C6r ...
_PnpKsrNotifyList dd ?			; DATA XREF: PiRegisterKernelSoftRestartNotification(x,x,x,x)+93o
					; PipKsrNotifyDrivers(x)+38r ...
dword_6CB584	dd ?			; DATA XREF: PiRegisterKernelSoftRestartNotification(x,x,x,x)+8Er
					; PiRegisterKernelSoftRestartNotification(x,x,x,x)+AAw	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpKsrNotifyLock dd ?			; DATA XREF: PiRegisterKernelSoftRestartNotification(x,x,x,x)+5Do
					; PiRegisterKernelSoftRestartNotification(x,x,x,x)+82o	...
dword_6CB5A4	dd ?			; DATA XREF: PiKsrNotifyInitialize()+2Fw
dword_6CB5A8	dd ?			; DATA XREF: PiKsrNotifyInitialize()+35w
unk_6CB5AC	db    ?	;		; DATA XREF: PiKsrNotifyInitialize()+22o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpKsrCallbackObject dd ?		; DATA XREF: PiKsrNotifyInitialize()+61o
					; PiKsrNotifyInitialize()+8Ar
_PnpKsrPrepared	db ?			; DATA XREF: PiRegisterKernelSoftRestartNotification(x,x,x,x):loc_9880F9r
					; PipKsrCallback(x,x,x):loc_9881D5r ...
_PnpKsrEnabled	db ?			; DATA XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+18Cr
					; PiRegisterKernelSoftRestartNotification(x,x,x,x)+6r ...
		align 4
_PipCslConsoleLockState	dd ?		; DATA XREF: PAGE:00871040o
					; PiCslIsConsoleLocked():loc_986D85r ...
_PipCslCallbackObject dd ?		; DATA XREF: NtPowerInformation+F2Cr
					; PiCslInitialize()+1Fr ...
_PipCslUnlockCallback dd ?		; DATA XREF: PiDmaGuardInitialize:loc_5F4D39w
					; PAGE:loc_871056r
_PipCslInitialized db ?			; DATA XREF: PipCslStateChangeCallback+5r
					; PiCslIsConsoleLocked()+2r ...
		align 4
_PipDmaGuardPolicy dd ?			; DATA XREF: PiDmaGuardInitialize:loc_56BF57r
					; PipCallDriverAddDevice+6D3r ...
_PipHalIommuSecurityEnabled db ?	; DATA XREF: PipProcessStartPhase1:loc_89B6E1r
					; PiDmaGuardProcessPostRemove(x,x,x)+1Ar ...
		align 10h
; void FastIoDispatch
_FastIoDispatch	dd ?			; DATA XREF: PiDaDriverEntry+1Eo
					; PiDaDriverEntry+3Bw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CB608	dd ?			; DATA XREF: PiDaDriverEntry+45w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PiSwBusRelationsTable
_PiSwBusRelationsTable db    ? ;	; DATA XREF: PiSwFindBusRelations(x)+24o
					; PiSwBusRelationAdd(x,x)+56o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiSwGlobalPdoAssociationList dd ?	; DATA XREF: PiSwAddPdoAssociation(x,x,x)+59o
					; PiSwProcessParentRemoveIrp(x)+44r ...
dword_6CB69C	dd ?			; DATA XREF: PiSwAddPdoAssociation(x,x,x)+5Er
					; PiSwAddPdoAssociation(x,x,x)+72w ...
_PiSwLockObj	db    ?	;		; DATA XREF: PiSwIrpCancelStartCreate(x,x)+82o
					; PiSwIrpCancelStartCreate(x,x):loc_616278o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PiSwDeviceInstanceTable
_PiSwDeviceInstanceTable db    ? ;	; DATA XREF: PiSwIrpStartCreateWorker+9Do
					; PiSwIrpStartCreateWorker+99878o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiSwDeviceDriverObject	dd ?		; DATA XREF: PipEnumerateCompleted+108r
					; PiSwGetChildPdo+8Dr ...
_PnprContext	dd ?			; DATA XREF: PnprCopyReservedMapping()+1Cr
					; PnprCopyReservedMapping():loc_615948r ...
_PnpReplaceEvent db    ? ;		; DATA XREF: PnpReplacePartitionUnit(x)+42o
					; PnpReplacePartitionUnit(x)+999o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpEventQueueEmpty db	  ? ;		; DATA XREF: PAGE:00763EF8o
					; PnpInsertEventInQueue+A0o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpNotificationInProgressLock dd ?	; DATA XREF: PnpUnregisterPlugPlayNotification+14o
					; PnpUnregisterPlugPlayNotification:loc_56360Co ...
dword_6CB744	dd ?			; DATA XREF: PnpInitializeDeviceEvents()+65w
dword_6CB748	dd ?			; DATA XREF: PnpInitializeDeviceEvents()+6Bw
unk_6CB74C	db    ?	;		; DATA XREF: PnpInitializeDeviceEvents()+5Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpWatchdogTimeoutSecondChance	dd ?	; DATA XREF: PnpQueryWatchdogTimeout(x)+10r
					; PnpQueryWatchdogTimeoutConfiguration:loc_AD1E7Cw ...
_PnpWatchdogBugcheckConfig dd ?		; DATA XREF: PnpIsWatchdogBugcheckEnabled():loc_43CF34r
					; PnpWatchdogBugcheckConfigure:loc_AD1E2Dw
_PnpWatchdogTimeoutFirstChance dd ?	; DATA XREF: PnpAllocateWatchdog+3Ar
					; PnpQueryWatchdogTimeout(x):loc_43CF13r ...
_PiProfileDevicesInTransition dd ?	; DATA XREF: PpProfileCancelHardwareProfileTransition()+25w
					; PpProfileCancelTransitioningDock(x,x)+29w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiProfileChangeSemaphore db	? ;	; DATA XREF: PpProfileBeginHardwareProfileTransition(x)+Ao
					; PpProfileCancelHardwareProfileTransition()+59o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiProfileChangeCancelRequired db ?	; DATA XREF: PpProfileCancelHardwareProfileTransition()+3Er
					; PpProfileCommitTransitioningDock(x,x):loc_97ED58r ...
		align 4
_PiProfileDeviceCount dd ?		; DATA XREF: PnpProfileUpdateHardwareProfile(x)+BEo
					; PnpProfileUpdateHardwareProfile(x):loc_97EADCr ...
		align 10h
_PiProfileDeviceListLock dd ?		; DATA XREF: PnpProfileUpdateHardwareProfile(x)+Fo
					; PnpProfileUpdateHardwareProfile(x)+138o ...
dword_6CB7A4	dd ?			; DATA XREF: PpProfileInit()+Aw
dword_6CB7A8	dd ?			; DATA XREF: PpProfileInit()+2Bw
unk_6CB7AC	db    ?	;		; DATA XREF: PpProfileInit()+1Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiProfileDeviceListHead dd ?		; DATA XREF: PnpProfileUpdateHardwareProfile(x)+118r
					; PnpProfileUpdateHardwareProfile(x)+11Fo ...
dword_6CB7C4	dd ?			; DATA XREF: PpProfileInit()+21w
		align 10h
_PnpDeviceEnumerationWorkItem dd ?	; DATA XREF: PnpUnlockDeviceActionQueue+62o
					; PnpUnlockDeviceActionQueue+77w ...
		align 8
dword_6CB7D8	dd ?			; DATA XREF: PnpUnlockDeviceActionQueue+67w
					; PnpRequestDeviceAction+22Fw
dword_6CB7DC	dd ?			; DATA XREF: PnpUnlockDeviceActionQueue+71w
					; PnpRequestDeviceAction+239w
_PnpEnumerationLock db	  ? ;		; DATA XREF: PnpLockDeviceActionQueue+30o
					; PnpUnlockDeviceActionQueue+2Bo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpEnumerationInProgress db ?		; DATA XREF: PnpLockDeviceActionQueue+23r
					; PnpLockDeviceActionQueue+35w	...
		align 8
_PnpEnumerationRequestList dd ?		; DATA XREF: PnpUnlockDeviceActionQueue+1Do
					; PnpRequestDeviceAction+18Fo ...
dword_6CB7FC	dd ?			; DATA XREF: PnpRequestDeviceAction+18Ar
					; PnpRequestDeviceAction+1A3w ...
_PnpSpinLock	dd ?			; DATA XREF: PnpLockDeviceActionQueue+7o
					; PnpUnlockDeviceActionQueue+Do ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PiDqDeviceInterfaceClassManager
_PiDqDeviceInterfaceClassManager db    ? ;
					; DATA XREF: PiDqGetObjectManagerForPnpObjectType:loc_857077o
					; PiDqQueryGetObjectManager:loc_9134E4o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PiDqDeviceContainerManager
_PiDqDeviceContainerManager db	  ? ;	; DATA XREF: PiDqQueryGetObjectManager:loc_7FA6F2o
					; PiDqGetObjectManagerForPnpObjectType+2Bo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PiDqDeviceManager
_PiDqDeviceManager db	 ? ;		; DATA XREF: PiDqQueryGetObjectManager+1Bo
					; PiDqGetObjectManagerForPnpObjectType+7o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PiDqDeviceInterfaceManager
_PiDqDeviceInterfaceManager db	  ? ;	; DATA XREF: PiDqQueryGetObjectManager:loc_7FA6EBo
					; PiDqGetObjectManagerForPnpObjectType+17o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiDqSequenceNumber dd ?		; DATA XREF: PiDqQueryCreate:loc_7FADF0r
					; PiDqQueryCreate+49o ...
dword_6CBA8C	dd ?			; DATA XREF: PiDqQueryCreate+4Er
					; PiDqObjectActionQueueEntryCreate(x,x)+40r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PiDqDeviceInstallerClassManager
_PiDqDeviceInstallerClassManager db    ? ;
					; DATA XREF: PiDqGetObjectManagerForPnpObjectType:loc_85707Do
					; PiDqQueryGetObjectManager:loc_9134DAo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PiDqDevicePanelManager
_PiDqDevicePanelManager	db    ?	;	; DATA XREF: PiDqGetObjectManagerForPnpObjectType+AA830o
					; PiDqQueryGetObjectManager+118E08o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PiDcUpdateProperties
_PiDcUpdateProperties db    ? ;		; DATA XREF: PiDcHandleDeviceEvent+63o
					; PiDcInitUpdateProperties+1E8o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PipDmaGuardTestMode db	?		; DATA XREF: PipDmgInitPhaseZero+15r
					; PiDmaGuardProcessRegistry+15928w
		align 10h
_PiDmDeviceInterfaceClassManager db    ? ;
					; DATA XREF: PiDmGetObjectManagerForObjectType+22o
					; PiDmInit()+24o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiDmDeviceContainerManager db	  ? ;	; DATA XREF: PiDmGetObjectManagerForObjectType+31o
					; PiDmInit()+31o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiDmDeviceManager db	 ? ;		; DATA XREF: PiDmGetObjectManagerForObjectType+7o
					; PiDmInit()+6o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiDmDeviceInterfaceManager db	  ? ;	; DATA XREF: PiDmGetObjectManagerForObjectType+17o
					; PiDmInit()+17o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiDmDeviceInstallerClassManager db    ? ;
					; DATA XREF: PiDmGetObjectManagerForObjectType:loc_801C01o
					; PiDmInit()+3Do
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiDmDevicePanelManager	db    ?	;	; DATA XREF: PiDmGetObjectManagerForObjectType+118306o
					; PiDmInit()+4Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiPnpRtlActiveOperationsLock db    ? ;	; DATA XREF: PiPnpRtlBeginOperation+9Ao
					; PiPnpRtlEndOperation+44o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiPnpRtlActiveOperations dd ?		; DATA XREF: PiPnpRtlBeginOperation+A5r
					; PiPnpRtlBeginOperation+ABo ...
dword_6CBF5C	dd ?			; DATA XREF: PiPnpRtlInit+33w
_PiPnpRtlRemoveOperationDispatchLock db	   ? ; ; DATA XREF: PiPnpRtlEndOperation+29o
					; PiPnpRtlCacheObjectBaseKey(x,x,x,x)+40o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopRootBusNumberArbiter db    ? ;	; DATA XREF: IopPnPDispatch+377o
					; IopBusNumberInitialize()+Do
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CBFDC	dd ?			; DATA XREF: IopBusNumberInitialize()+12w
dword_6CBFE0	dd ?			; DATA XREF: IopBusNumberInitialize()+1Cw
dword_6CBFE4	dd ?			; DATA XREF: IopBusNumberInitialize()+26w
dword_6CBFE8	dd ?			; DATA XREF: IopBusNumberInitialize()+30w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopRootIrqArbiter db	 ? ;		; DATA XREF: IopPnPDispatch:loc_87B26Fo
					; IopIrqInitialize()+10o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CC09C	dd ?			; DATA XREF: IopIrqInitialize()+15w
dword_6CC0A0	dd ?			; DATA XREF: IopIrqInitialize()+1Fw
dword_6CC0A4	dd ?			; DATA XREF: IopIrqInitialize()+29w
dword_6CC0A8	dd ?			; DATA XREF: IopIrqInitialize()+33w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopRootDmaArbiter db	 ? ;		; DATA XREF: IopPnPDispatch+353o
					; IopDmaInitialize()+Do
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CC15C	dd ?			; DATA XREF: IopDmaInitialize()+12w
dword_6CC160	dd ?			; DATA XREF: IopDmaInitialize()+1Cw
dword_6CC164	dd ?			; DATA XREF: IopDmaInitialize()+26w
dword_6CC168	dd ?			; DATA XREF: IopDmaInitialize()+30w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CC1A8	dd ?			; DATA XREF: IopDmaInitialize()+3Aw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopRootPortArbiter db	  ? ;		; DATA XREF: IopPnPDispatch:loc_87B27Bo
					; IopPortInitialize()+10o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CC21C	dd ?			; DATA XREF: IopPortInitialize()+33w
dword_6CC220	dd ?			; DATA XREF: IopPortInitialize()+3Dw
dword_6CC224	dd ?			; DATA XREF: IopPortInitialize()+47w
dword_6CC228	dd ?			; DATA XREF: IopPortInitialize()+51w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CC25C	dd ?			; DATA XREF: IopPortInitialize()+15w
dword_6CC260	dd ?			; DATA XREF: IopPortInitialize()+1Fw
dword_6CC264	dd ?			; DATA XREF: IopPortInitialize()+29w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopRootMemArbiter db	 ? ;		; DATA XREF: IopPnPDispatch:loc_87B263o
					; IopMemInitialize()+Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CC2B4	dd ?			; DATA XREF: IopMemInitialize()+6Ar
					; IopMemInitialize()+79r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CC2DC	dd ?			; DATA XREF: IopMemInitialize()+13w
dword_6CC2E0	dd ?			; DATA XREF: IopMemInitialize()+21w
dword_6CC2E4	dd ?			; DATA XREF: IopMemInitialize()+2Bw
dword_6CC2E8	dd ?			; DATA XREF: IopMemInitialize()+35w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CC304	dd ?			; DATA XREF: IopMemInitialize()+49w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CC31C	dd ?			; DATA XREF: IopMemInitialize()+3Fw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopAllocateBootResourcesRoutine dd ?	; DATA XREF: PiQueryAndAllocateBootResources+12Br
					; IopInitializeDeviceInstanceKey+906BFr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopLegacyBusInformationTable db    ? ;	; DATA XREF: IopFindLegacyBusDeviceNode(x,x):loc_879F84o
					; IopInsertLegacyBusDeviceNode+3Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopLegacyDeviceNode dd	?		; DATA XREF: IopFindLegacyDeviceNode(x,x,x,x):loc_96CA1Fr
					; IopFindLegacyDeviceNode(x,x,x,x)+11Ar ...
		align 10h
_PiDDBLock	db    ?	;		; DATA XREF: PpCheckInDriverDatabase+55o
					; PpCheckInDriverDatabase:loc_84C433o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpDeviceCompletionQueue dd ?		; DATA XREF: PnpDeviceCompletionQueueIsEmpty+1Eo
					; PnpDeviceCompletionQueueAddDispatchedRequest+28o ...
dword_6CC444	dd ?			; DATA XREF: PnpDeviceCompletionQueueAddDispatchedRequest+20r
					; PnpDeviceCompletionQueueAddDispatchedRequest+4Ew ...
dword_6CC448	dd ?			; DATA XREF: PnpDeviceCompletionQueueDispatchedEntryCompleted+31w
					; PnpDeviceCompletionQueueAddDispatchedRequest+41w ...
dword_6CC44C	dd ?			; DATA XREF: PnpDeviceCompletionQueueAddCompletedRequest(x,x)+5o
					; PnpDeviceCompletionQueueIsEmpty+2Ao ...
dword_6CC450	dd ?			; DATA XREF: PnpDeviceCompletionQueueAddCompletedRequest(x,x)r
					; PnpDeviceCompletionQueueAddCompletedRequest(x,x)+20w	...
unk_6CC454	db    ?	;		; DATA XREF: PnpDeviceCompletionQueueAddCompletedRequest(x,x)+1Bo
					; PnpDeviceCompletionQueueRemoveCompletedRequest+10o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CC458	dd ?			; DATA XREF: PnpDeviceCompletionProcessCompletedRequests(x,x,x):loc_864BE4r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CC468	dd ?			; DATA XREF: PnpDeviceCompletionQueueDispatchedEntryCompleted+10o
					; PnpDeviceCompletionQueueDispatchedEntryCompleted+43o	...
_IopNumberDeviceNodes dd ?		; DATA XREF: PnpProcessAssignResources+8r
					; PipAllocateDeviceNode+28w ...
_PnPInitialized	db ?			; DATA XREF: PnpCompleteSystemStartProcess()+3Aw
					; IoGetLegacyVetoList+20r ...
		align 10h
_PpRegistrySemaphore db	   ? ;		; DATA XREF: PnpProcessRebalance(x)+84o
					; IopAllocateBootResources(x,x,x)+18o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopDeviceTreeLock db	 ? ;		; DATA XREF: PpDevNodeUnlockTree+8o
					; PpDevNodeUnlockTree:loc_795E46o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopSurpriseRemoveListLock db	 ? ;	; DATA XREF: PnpChainDereferenceComplete(x,x)+20o
					; PnpChainDereferenceComplete(x,x):loc_96A58Do	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopPendingEjects dd ?			; DATA XREF: PnpProcessRelation(x,x,x,x,x):loc_96B20Dr
					; PnpProcessRelation(x,x,x,x,x)+47Ao ...
dword_6CC51C	dd ?			; DATA XREF: PnpQueuePendingEject(x)+Dr
					; PnpQueuePendingEject(x)+2Aw ...
_IopPendingSurpriseRemovals dd ?	; DATA XREF: PnpChainDereferenceComplete(x,x)+2Ar
					; PnpChainDereferenceComplete(x,x):loc_96A585o	...
dword_6CC524	dd ?			; DATA XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+115r
					; PnpQueuePendingSurpriseRemoval(x,x,x,x)+132w	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpRebuildPowerRelationsQueueLock dd ?	; DATA XREF: PipProcessRebuildPowerRelationsQueue()+9o
					; PipProcessRebuildPowerRelationsQueue()+A9o ...
dword_6CC544	dd ?			; DATA XREF: IopInitializePlugPlayServices(x,x)+659w
dword_6CC548	dd ?			; DATA XREF: IopInitializePlugPlayServices(x,x)+65Fw
unk_6CC54C	db    ?	;		; DATA XREF: IopInitializePlugPlayServices(x,x)+64Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiResourceListLock db	  ? ;		; DATA XREF: IoGetDeviceProperty:loc_79623Fo
					; IoGetDeviceProperty:loc_796294o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiEngineLock	db    ?	;		; DATA XREF: PpDevNodeUnlockTree+2Co
					; PpDevNodeLockTree+34o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopRootDeviceNode dd ?			; DATA XREF: PnpRequestDeviceAction:loc_54EDF7r
					; .text:loc_54F191r ...
_PnpDriverObject dd ?			; DATA XREF: IopCreateRootEnumeratedDeviceObject(x)+1Ar
					; IopDestroyDeviceNode+14A6B4r	...
_IopWarmEjectPdo dd ?			; DATA XREF: IoBuildPoDeviceNotifyList+3DCo
					; IopWarmEjectDevice(x,x)+23w ...
		align 10h
_IopWarmEjectLock db	? ;		; DATA XREF: IopWarmEjectDevice(x,x)+Do
					; IopWarmEjectDevice(x,x)+7Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpShutdownEvent db	? ;		; DATA XREF: PAGE:008D5AE8o
					; PnpShutdownDevices()+1Co ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CC5E4	dd ?			; DATA XREF: PnpRequestDeviceAction+22r
					; .text:0054EFA2r ...
		align 10h
_PnPBootDriversInitialized db ?		; DATA XREF: LdrpResSearchResourceMappedFile+31Er
					; .text:0054F197r ...
_PnPBootDriversLoaded db ?		; DATA XREF: PnpRequestDeviceAction:loc_54EDA0r
					; IopInitializeBootDrivers+3F6w
_IopBootConfigsReserved	db ?		; DATA XREF: PipProcessStartPhase2+34r
					; PnpAllocateResources+A0r ...
		align 10h
_PnpRegistryDeviceResource db	 ? ;	; DATA XREF: PiGetRelatedDevice+E2o
					; PiGetRelatedDevice:loc_795B72o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUrlUkmkntiUnkUlyquivUrDIGUkmkntikOlyq@pnpmgr db	   ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiUEventClientRegistrationListLock dd ?
					; DATA XREF: PnpDisableUserModeNotifications(x,x)+Eo
					; PnpDisableUserModeNotifications(x,x)+59o ...
dword_6CC644	dd ?			; DATA XREF: PiUEventInit(x)+11w
dword_6CC648	dd ?			; DATA XREF: PiUEventInit(x)+19w
unk_6CC64C	db    ?	;		; DATA XREF: PiUEventInit(x)+20o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiUEventDevInterfaceClientList	dd ?	; DATA XREF: PiUEventHandleRegistration:loc_7EEE08o
					; PiUEventNotifyDeviceInterfaceChange(x)+50o ...
dword_6CC664	dd ?			; DATA XREF: PiUEventInit(x)+77w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CC6C8	db    ?	;		; DATA XREF: PiUEventNotifyDeviceInterfaceChange(x)+47o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiUEventDevInstancePropertyClientList dd ?
					; DATA XREF: PiUEventNotifyDeviceInstancePropertyChange+31o
					; PiUEventHandleRegistration:loc_910860o ...
dword_6CC6E4	dd ?			; DATA XREF: PiUEventInit(x)+93w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CC748	db    ?	;		; DATA XREF: PiUEventNotifyDeviceInstancePropertyChange+2Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiUEventDevInstanceClientList dd ?	; DATA XREF: PiUEventHandleRegistration:loc_7EEF6Co
					; PiUEventNotifyDeviceInstanceChange+3Do ...
dword_6CC764	dd ?			; DATA XREF: PiUEventInit(x)+85w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CC7C8	db    ?	;		; DATA XREF: PiUEventNotifyDeviceInstanceChange+36o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiUEventBroadcastEventQueue dd	?	; DATA XREF: PiUEventBroadcastEventWorker+1Ar
					; PiUEventBroadcastEventWorker+49r ...
dword_6CC7D4	dd ?			; DATA XREF: PiUEventQueueBroadcastEventEntry(x)+2Ar
					; PiUEventQueueBroadcastEventEntry(x)+3Fw ...
_PiUEventUsermodeEventQueue dd ?	; DATA XREF: PAGE:00763C31o
					; PAGE:00763C36r ...
dword_6CC7DC	dd ?			; DATA XREF: PAGE:00763C2Cr
					; PAGE:00763C50w ...
_PiUEventBroadcastEventQueueLock dd ?	; DATA XREF: PiUEventBroadcastEventWorker+Eo
					; PiUEventQueueBroadcastEventEntry(x)+6o ...
dword_6CC7E4	dd ?			; DATA XREF: PiUEventInit(x)+5Bw
dword_6CC7E8	dd ?			; DATA XREF: PiUEventInit(x)+61w
unk_6CC7EC	db    ?	;		; DATA XREF: PiUEventInit(x)+50o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiUEventUsermodeEventQueueLock	dd ?	; DATA XREF: PAGE:00763C22o
					; PAGE:00763C46o ...
dword_6CC804	dd ?			; DATA XREF: PiUEventInit(x)+3Dw
dword_6CC808	dd ?			; DATA XREF: PiUEventInit(x)+43w
unk_6CC80C	db    ?	;		; DATA XREF: PiUEventInit(x)+32o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiUEventDevHandleClientList dd	?	; DATA XREF: PnpDisableUserModeNotifications(x,x)+18o
					; PiUEventHandleRegistration+20Bo ...
dword_6CC824	dd ?			; DATA XREF: PiUEventInit(x)+A1w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpDelayedRemoveWorkItem dd ?		; DATA XREF: PnpDisableUserModeNotifications(x,x)+51o
					; PnpChainDereferenceComplete(x,x)+EEw	...
		align 8
dword_6CC898	dd ?			; DATA XREF: PnpChainDereferenceComplete(x,x)+FCw
dword_6CC89C	dd ?			; DATA XREF: PnpChainDereferenceComplete(x,x):loc_96A5F5w
_PnpDelayedRemoveWorkerThread dd ?	; DATA XREF: PnpBugcheckPowerTimeout(x)+5r
					; PnpInitializeTriageBlock(x)+2Fr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpDevicePropertyLock db    ? ;	; DATA XREF: PnpGetDevicePropertyData+8Do
					; PnpGetDevicePropertyData:loc_7E26E1o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpBusTypeGuidCountMax	dd ?		; DATA XREF: PnpBusTypeGuidGetIndex:loc_877CD9r
					; PnpBusTypeGuidGetIndex+6C1D9w ...
		align 10h
_PnpBusTypeGuidLock dd ?		; DATA XREF: PnpBusTypeGuidGet(x,x)+7o
					; PnpBusTypeGuidGetIndex+Bo ...
dword_6CC904	dd ?			; DATA XREF: PnpBusTypeGuidInitialize+41w
dword_6CC908	dd ?			; DATA XREF: PnpBusTypeGuidInitialize+46w
unk_6CC90C	db    ?	;		; DATA XREF: PnpBusTypeGuidInitialize+37o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void *PnpBusTypeGuidArray
_PnpBusTypeGuidArray dd	?		; DATA XREF: PnpBusTypeGuidGet(x,x)+24r
					; PnpBusTypeGuidGetIndex:loc_877C9Ar ...
_PnpBusTypeGuidCount dd	?		; DATA XREF: PnpBusTypeGuidGet(x,x)+19r
					; PnpBusTypeGuidGetIndex+1Ar ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PnpDeviceReferenceTable
_PnpDeviceReferenceTable db    ? ;	; DATA XREF: PnpDeviceObjectFromDeviceInstanceWithTag(x,x)+25o
					; PnpMapDeviceObjectToDeviceInstance(x,x)+23o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpDeviceReferenceTableLock dd	?	; DATA XREF: PnpDeviceObjectFromDeviceInstanceWithTag(x,x)+Do
					; PnpFreeDeviceInstancePath+7o	...
dword_6CC984	dd ?			; DATA XREF: PnpInitializeDeviceReferenceTable()+8w
dword_6CC988	dd ?			; DATA XREF: PnpInitializeDeviceReferenceTable()+1Aw
unk_6CC98C	db    ?	;		; DATA XREF: PnpInitializeDeviceReferenceTable()+10o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PassiveInterruptRealtimeWorkQueue db	 ? ; ; DATA XREF: IopPassiveInterruptDpc(x,x,x,x)+Co
					; IopCreatePassiveInterruptRealtimeThreads(x,x)+40o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PassiveInterruptList dd ?		; DATA XREF: IopFindPassiveInterruptBlockLocked(x)r
					; IopFindPassiveInterruptBlockLocked(x)+8o ...
dword_6CC9CC	dd ?			; DATA XREF: IopInsertPassiveInterruptBlock(x,x)+37r
					; IopInsertPassiveInterruptBlock(x,x)+52w ...
_PassiveInterruptListLock dd ?		; DATA XREF: IopDereferencePassiveInterruptBlock(x)+18o
					; IopDereferencePassiveInterruptBlock(x)+85o ...
		align 10h
_ActiveConnectListLock db    ? ;	; DATA XREF: IopAcquireReleaseConnectLockInternal(x,x,x)+11o
					; IopInitializeActiveConnectList()+9o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ActiveConnectList dd ?			; DATA XREF: IopInsertActiveConnectListLocked(x)r
					; IopInsertActiveConnectListLocked(x)+6o ...
dword_6CC9F4	dd ?			; DATA XREF: IopInsertActiveConnectListLocked(x):loc_867197r
					; IopInsertActiveConnectListLocked(x)+1Fw ...
_PnpResetRetryInterval dd ?		; DATA XREF: IopDeviceRemovalForResetComplete(x)+BDr
					; PnpTraceDeviceRemovalForResetComplete(x,x)+F0r ...
dword_6CC9FC	dd ?			; DATA XREF: IopDeviceRemovalForResetComplete(x)+B8r
					; PnpTraceDeviceRemovalForResetComplete(x,x)+F9r ...
_PnpResetMaximumRetryAttempts dd ?	; DATA XREF: IopDeviceRemovalForResetComplete(x)+79r
					; IopQueryDeviceResetRegistrySettings+53w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpHwProfileNotifyLock	dd ?		; DATA XREF: IoRegisterPlugPlayNotification+2CEo
					; IoRegisterPlugPlayNotification+2FAo ...
dword_6CCA24	dd ?			; DATA XREF: PnpInitializeNotification()+83w
dword_6CCA28	dd ?			; DATA XREF: PnpInitializeNotification()+89w
unk_6CCA2C	db    ?	;		; DATA XREF: PnpInitializeNotification()+78o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpDeferredRegistrationLock dd	?	; DATA XREF: PnpUnregisterPlugPlayNotification:loc_5E546Bo
					; PnpUnregisterPlugPlayNotification+81F04o ...
dword_6CCA44	dd ?			; DATA XREF: PnpInitializeNotification()+A1w
dword_6CCA48	dd ?			; DATA XREF: PnpInitializeNotification()+A7w
unk_6CCA4C	db    ?	;		; DATA XREF: PnpInitializeNotification()+96o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpDeviceClassNotifyLock dd ?		; DATA XREF: PnpNotifyDeviceClassChange+35o
					; PnpNotifyDeviceClassChange+96o ...
dword_6CCA64	dd ?			; DATA XREF: PnpInitializeNotification()+47w
dword_6CCA68	dd ?			; DATA XREF: PnpInitializeNotification()+4Dw
unk_6CCA6C	db    ?	;		; DATA XREF: PnpInitializeNotification()+38o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpTargetDeviceNotifyLock dd ?		; DATA XREF: PnpNotifyTargetDeviceChange:loc_76386Co
					; PnpNotifyTargetDeviceChange:loc_7638AEo ...
dword_6CCA84	dd ?			; DATA XREF: PnpInitializeNotification()+65w
dword_6CCA88	dd ?			; DATA XREF: PnpInitializeNotification()+6Bw
unk_6CCA8C	db    ?	;		; DATA XREF: PnpInitializeNotification()+5Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpBootDriverCallbackRegistrationClosed db ?
					; DATA XREF: IoRegisterBootDriverCallback(x,x)+Er
					; PipInitializeCoreDriversAndElam(x)+49w
		align 8
_PiDependencyNodeListHead dd ?		; DATA XREF: PipQueryBindingResolution+1Fr
					; PipQueryBindingResolution:loc_878071o ...
dword_6CCAAC	dd ?			; DATA XREF: PipCreateDependencyNode+50r
					; PipCreateDependencyNode+60w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiDependencyRelationsLock db	 ? ;	; DATA XREF: PnpReleaseDependencyRelationsLock()+3o
					; PnpAcquireDependencyRelationsLock(x)+Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PiDependencyEdgeWriteLock dd ?		; DATA XREF: PipFindDependencyNodePath+17o
					; PipFindDependencyNodePath+3Ao ...
		align 10h
_PiRebuildPowerRelationsQueue dd ?	; DATA XREF: PipProcessRebuildPowerRelationsQueue()+92r
					; PipProcessRebuildPowerRelationsQueue():loc_874EA8o ...
dword_6CCB04	dd ?			; DATA XREF: PipAddtoRebuildPowerRelationsQueue(x)+3Cr
					; PipAddtoRebuildPowerRelationsQueue(x)+4Cw ...
_PiDependencyNodeEmptyList dd ?		; DATA XREF: PiGetProviderList(x):loc_864CA1o
					; PiGetDependentList(x):loc_874E05o ...
dword_6CCB0C	dd ?			; DATA XREF: PiDeviceDependencyInit()+2Fw
_IopGroupIndex	dd ?			; DATA XREF: IopInitializeBootDrivers+1D3w
					; IopInitializeBootDrivers+206r ...
_IopGroupTable	dd ?			; DATA XREF: IopInitializeBootDrivers+1F8w
					; IopInitializeBootDrivers+354r ...
_IopGroupListHead dd ?			; DATA XREF: IopInitializeSystemDrivers+1D1r
					; PipLookupGroupName(x,x)+8r ...
		align 10h
_PnpSetupWorkItem dd ?			; DATA XREF: PipUpdateSetupInProgressNotify(x,x)+2Bo
					; IopInitializePlugPlayServices(x,x)+4FBw
		align 8
dword_6CCB28	dd ?			; DATA XREF: IopInitializePlugPlayServices(x,x)+4EBw
dword_6CCB2C	dd ?			; DATA XREF: IopInitializePlugPlayServices(x,x)+4F5w
_PnpSetupIoStatusBlock db    ? ;	; DATA XREF: PipUpdateSetupInProgressNotify(x,x)+24o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpCoreDriverGroupLoadPhase dd	?	; DATA XREF: SeQueryTrustedPlatformModuleInformation(x,x,x):loc_66FCD5r
					; PipInitializeCoreDriversByGroup+4Bw ...
		align 10h
_PnpSystemDeviceEnumerationComplete db	  ? ;
					; DATA XREF: PnpCompleteSystemStartProcess()+35o
					; PnpSerializeBoot()+14o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpTearDownPnpStacksOnShutdown	db ?	; DATA XREF: PnpShutdownDevices()+3Ar
		align 4
_IovDriverListHead dd ?			; DATA XREF: IovUnloadDrivers():loc_A591D1w
					; IovUnloadDrivers():loc_A591E3r ...
_IopSysEnvOverrideFlags	dd ?		; DATA XREF: IopInitializeSystemVariableService+7E095w
					; IopOpenSystemVariableDevice(x,x,x)+Fr
_ErrorLogSessionOpened db ?		; DATA XREF: IopErrorLogRequeueEntry(x)+48w
					; KiSaveCurrentEtwTraceBuffer():loc_61D2B2r ...
_IopErrorLogDisabledThisBoot db	?	; DATA XREF: .text:0056479Cr
					; INIT:00AC2A70w ...
_IopErrorLogSessionPending db ?		; DATA XREF: .text:005607EAw
					; .text:005647DAr ...
		align 10h
_IopErrorLogWorkItem dd	?		; DATA XREF: .text:005647F7w
					; .text:00564800o ...
		align 8
dword_6CCB68	dd ?			; DATA XREF: .text:0056480Cw
					; IopErrorLogDpc(x,x,x,x)+2Aw ...
dword_6CCB6C	dd ?			; DATA XREF: .text:005647F0w
					; IopErrorLogDpc(x,x,x,x):loc_6104DAw ...
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUrlUrlntiUnkUlyquivUrDIGUrlntiOlyq@iomgr db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PerformanceFrequency dd ?		; DATA XREF: IopLiveDumpGetMillisecondCounter(x)+22r
					; IopLiveDumpCaptureMemoryPages(x)+B6r	...
dword_6CCB7C	dd ?			; DATA XREF: IopLiveDumpGetMillisecondCounter(x)+1Cr
					; IopLiveDumpCaptureMemoryPages(x)+AEr	...
_IopLiveDumpLock db    ? ;		; DATA XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+BFo
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+3F1o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopPerfDriverUniqueMatchId dd ?	; DATA XREF: IopPerfCallDriver(x,x)+51w
					; IopPerfCompleteRequest(x,x)+EBw
_IopSessionCallbackObject dd ?		; DATA XREF: IopSessionChangeWorker(x)+Cr
					; NtNotifyChangeSession+1AFr ...
_IoOtherOperationCount dd ?		; DATA XREF: ExpQuerySystemPerformanceInformation+BBr
; Exported entry 1063. IoWriteOperationCount
		public _IoWriteOperationCount
_IoWriteOperationCount dd ?		; DATA XREF: ExpQuerySystemPerformanceInformation+8Fr
; Exported entry 1065. IoWriteTransferCount
		public _IoWriteTransferCount
_IoWriteTransferCount dd ?		; DATA XREF: ExpQuerySystemPerformanceInformation+99r
dword_6CCBCC	dd ?			; DATA XREF: ExpQuerySystemPerformanceInformation+A4r
; Exported entry 933. IoReadTransferCount
		public _IoReadTransferCount
_IoReadTransferCount dd	?		; DATA XREF: ExpQuerySystemPerformanceInformation+54r
dword_6CCBD4	dd ?			; DATA XREF: ExpQuerySystemPerformanceInformation+72r
; Exported entry 931. IoReadOperationCount
		public _IoReadOperationCount
_IoReadOperationCount dd ?		; DATA XREF: ExpQuerySystemPerformanceInformation+7Dr
		align 10h
_IopStaticRevocationExtension db    ? ;	; DATA XREF: .data:_IopRevocationExtensiono
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IoOtherTransferCount dd ?		; DATA XREF: ExpQuerySystemPerformanceInformation+61r
dword_6CCC14	dd ?			; DATA XREF: ExpQuerySystemPerformanceInformation+B6r
_IopSessionNotificationLock dd ?	; DATA XREF: IopCleanupNotifications+15o
					; IopCleanupNotifications+30o ...
		align 10h
_IopSessionNotificationQueueHead dd ?	; DATA XREF: IopCleanupNotifications+1Fr
					; IopCleanupNotifications+25o ...
dword_6CCC24	dd ?			; DATA XREF: IoRegisterContainerNotification(x,x,x,x,x)+1A0r
					; IoRegisterContainerNotification(x,x,x,x,x)+1B5w ...
_IopIoRateExtensionHost	dd ?		; DATA XREF: IopIoRateStartRateControl+48r
					; IopIoRateStartRateControl:loc_430E28r ...
_IopMediumIrpStackLocations dd ?	; DATA XREF: IoMakeAssociatedIrpPriv+8Br
					; IopProcessIrpStackProfiler+17r ...
_IopLargeIrpStackLocations dd ?		; DATA XREF: IoMakeAssociatedIrpPriv+7Cr
					; IopProcessIrpStackProfiler+20r ...
_IopErrorLogAllocation db    ? ;	; DATA XREF: IopAllocateErrorLogEntry+1Fo
					; IopAllocateErrorLogEntry:loc_5E64E9o	...
		db    ?	;
		db    ?	;
		db    ?	;
_IoPagingReadLowPriorityBumpedCount dd ? ; DATA	XREF: IoPageReadEx+1F3w
					; IoQueryLowPriorityIoInformation+3Br
_IoPagingReadLowPriorityCount dd ?	; DATA XREF: IoPageReadEx:loc_4AE388w
					; IoQueryLowPriorityIoInformation+33r
_IopFsRegistrationOps dd ?		; DATA XREF: IopMountVolume+252r
					; IopMountVolume+34Cr ...
_IopCurrentHardError dd	?		; DATA XREF: IoRaiseInformationalHardError(x,x,x):loc_609063r
					; IopCheckHardErrorEmpty()+1Dw	...
_IoPagingWriteLowPriorityCount dd ?	; DATA XREF: IoSynchronousPageWriteEx:loc_4E4EC8w
					; IoQueryLowPriorityIoInformation+43r
_IoPagingWriteLowPriorityBumpedCount dd	? ; DATA XREF: IoSynchronousPageWriteEx+144w
					; IoQueryLowPriorityIoInformation+4Br
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopUpdatePriorityCallbackRoutine dd ?	; DATA XREF: IoBoostThreadIoPriority:loc_512370r
					; IoBoostThreadIoPriority:loc_512526r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IoBlanketBoostCount dd	?		; DATA XREF: IoBoostThreadIoPriority+213w
					; IoQueryLowPriorityIoInformation+63r
_IoBoostedThreadedIrpCount dd ?		; DATA XREF: IoBoostThreadIoPriority+D55DFw
					; IoQueryLowPriorityIoInformation+53r
_IoLowPriorityWriteOperationCount dd ?	; DATA XREF: IopCallDriverReference:loc_5CDF45w
					; IoQueryLowPriorityIoInformation+23r ...
_IoLowPriorityReadOperationCount dd ?	; DATA XREF: IopCallDriverReference:loc_5CDF50w
					; IoQueryLowPriorityIoInformation+1Cr ...
_IoBoostedPagingIrpCount dd ?		; DATA XREF: IoBoostThreadIoPriority+51Cw
					; IoQueryLowPriorityIoInformation+5Br
_IopDiskIoAttributionLock db	? ;	; DATA XREF: IoSetDiskIoAttributionOnProcess(x,x)+2Bo
					; IoSetDiskIoAttributionOnProcess(x,x)+3Do ...
		db    ?	;
		db    ?	;
		db    ?	;
_IoKernelIssuedIoBoostedCount dd ?	; DATA XREF: IopCallDriverReference+EFw
					; IoQueryLowPriorityIoInformation+2Br ...
_IopDiskIoAttributionKey dd ?		; DATA XREF: IoDiskIoAttributionAllocate+41w
_IopDatabaseResource db	   ? ;		; DATA XREF: IoShutdownSystem(x)+F4o
					; IopMountVolume+B4o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopDriverLoadResource db    ? ;	; DATA XREF: IopLoadDriver+1E4o
					; IopLoadDriver+32Do ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopSecurityResource db	   ? ;		; DATA XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+49o
					; IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+10Do ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopIrpStackProfilerFlags dd ?		; DATA XREF: IoMakeAssociatedIrpPriv:loc_4E4971r
					; IopIrpStackProfilerDpcRoutine(x,x,x,x)+152o ...
		align 10h
_IopNetworkFileSystemQueueHead dd ?	; DATA XREF: IoRegisterFileSystem:loc_88CEDFo
					; IoRegisterFsRegistrationChangeMountAware+F6o	...
dword_6CCD64	dd ?			; DATA XREF: INIT:00AC276Dw
_IopTapeFileSystemQueueHead dd ?	; DATA XREF: IoShutdownSystem(x)+112o
					; IoRegisterFileSystem+13Ao ...
dword_6CCD6C	dd ?			; DATA XREF: INIT:00AC275Ew
_IopDriverReinitializeQueueHead	dd ?	; DATA XREF: IopCallDriverReinitializationRoutines(x)+15o
					; IoRegisterDriverReinitialization(x,x,x)+2Bo ...
dword_6CCD74	dd ?			; DATA XREF: INIT:00AC278Bw
_IopBootDriverReinitializeQueueHead dd ?
					; DATA XREF: IoRegisterBootDriverReinitialization(x,x,x)+34o
					; INIT:00AC2777o ...
dword_6CCD7C	dd ?			; DATA XREF: INIT:00AC277Cw
_IopFilesystemDatabaseShutdownRundown db    ? ;	; DATA XREF: IoShutdownSystem(x)+E9o
					; IopMountVolume+5Bo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopCdRomFileSystemQueueHead dd	?	; DATA XREF: IoShutdownSystem(x)+108o
					; IoRegisterFileSystem:loc_88CED5o ...
dword_6CCD8C	dd ?			; DATA XREF: INIT:00AC274Fw
_IopDiskFileSystemQueueHead dd ?	; DATA XREF: IoShutdownSystem(x)+FEo
					; IopMountVolume:loc_7AE75Fo ...
dword_6CCD94	dd ?			; DATA XREF: INIT:00AC2740w
_IopPerfIoTrackingLock dd ?		; DATA XREF: IopProcessIoTracking(x,x,x):loc_60EC89o
					; IopProcessIoTracking(x,x,x):loc_60ED3Eo ...
		align 10h
_IopDiskIoAttributionTree dd ?		; DATA XREF: IoStartDiskIoAttributionForContext(x)+1Cr
					; IoStartDiskIoAttributionForContext(x)+2Eo ...
dword_6CCDA4	dd ?			; DATA XREF: IoStartDiskIoAttributionForContext(x)+16r
					; IopFindDiskIoAttribution(x)+22r ...
_IopFunctionPointerLock	dd ?		; DATA XREF: IopIrpExtensionControl(x,x)+18o
					; IopUpdateFunctionPointers(x,x,x)+21o	...
		align 10h
_IopNotifyLastChanceShutdownQueueHead dd ? ; DATA XREF:	IoShutdownSystem(x):loc_72B592o
					; IoUnregisterShutdownNotification(x)+68r ...
dword_6CCDB4	dd ?			; DATA XREF: INIT:00AC27A9w
_IopNotifyShutdownQueueHead dd ?	; DATA XREF: IoShutdownSystem(x):loc_72B4BDo
					; IoUnregisterShutdownNotification(x)+1Cr ...
dword_6CCDBC	dd ?			; DATA XREF: INIT:00AC279Aw
_IopPerfIoTrackingListHead dd ?		; DATA XREF: IopProcessIoTracking(x,x,x):loc_60EDFFr
					; IopProcessIoTracking(x,x,x)+1E6o ...
dword_6CCDC4	dd ?			; DATA XREF: IoRegisterIoTracking(x,x)+5Br
					; IoRegisterIoTracking(x,x)+78w ...
_IopFsNotifyChangeQueueHead dd ?	; DATA XREF: IoEnumerateRegisteredFiltersList:loc_7DF273r
					; IoEnumerateRegisteredFiltersList+30o	...
dword_6CCDCC	dd ?			; DATA XREF: IoRegisterFsRegistrationChangeMountAware+6Dr
					; IoRegisterFsRegistrationChangeMountAware+CBr	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void *IopReserveIrps
_IopReserveIrps	dd ?			; DATA XREF: IopAllocateReserveIrp(x,x,x)+7Br
					; IopAllocateReserveIrp(x,x,x)+86r ...
dword_6CCDE4	dd ?			; DATA XREF: IopAllocateReserveIrp(x,x,x)+3Bo
					; IopAllocateReserveIrp(x,x,x)+58o ...
unk_6CCDE8	db    ?	;		; DATA XREF: IopAllocateReserveIrp(x,x,x)+4Co
					; IopFreeReserveIrp(x,x)+19o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void *dword_6CCDF8
dword_6CCDF8	dd ?			; DATA XREF: IopAllocateReserveIrp(x,x,x)+10Dr
					; IopAllocateReserveIrp(x,x,x)+118r ...
dword_6CCDFC	dd ?			; DATA XREF: IopAllocateReserveIrp(x,x,x)+CFo
					; IopAllocateReserveIrp(x,x,x)+ECo ...
unk_6CCE00	db    ?	;		; DATA XREF: IopAllocateReserveIrp(x,x,x)+E0o
					; IopFreeReserveIrp(x,x)+35o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void *dword_6CCE10
dword_6CCE10	dd ?			; DATA XREF: IopAllocateReserveIrp(x,x,x)+1BAr
					; IopAllocateReserveIrp(x,x,x)+1C5r ...
dword_6CCE14	dd ?			; DATA XREF: IopAllocateReserveIrp(x,x,x)+162o
					; IopAllocateReserveIrp(x,x,x)+197o ...
unk_6CCE18	db    ?	;		; DATA XREF: IopAllocateReserveIrp(x,x,x)+17Eo
					; IopFreeReserveIrp(x,x)+51o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void *dword_6CCE28
dword_6CCE28	dd ?			; DATA XREF: IopAllocateBackpocketIrp(x,x,x):loc_609BC1r
					; IopFreeBackpocketIrp(x,x)r ...
dword_6CCE2C	dd ?			; DATA XREF: IopAllocateBackpocketIrp(x,x,x)+4Eo
					; IopAllocateBackpocketIrp(x,x,x)+8Do ...
dword_6CCE30	dd ?			; DATA XREF: IopAllocateBackpocketIrp(x,x,x)+2Ar
					; IopAllocateBackpocketIrp(x,x,x)+CCw ...
unk_6CCE34	db    ?	;		; DATA XREF: IopAllocateBackpocketIrp(x,x,x)+63o
					; IopFreeBackpocketIrp(x,x)+1Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void *dword_6CCE44
dword_6CCE44	dd ?			; DATA XREF: IopAllocateBackpocketIrp(x,x,x):loc_609CCBr
					; IopFreeBackpocketIrp(x,x):loc_60A317r ...
dword_6CCE48	dd ?			; DATA XREF: IopAllocateBackpocketIrp(x,x,x)+158o
					; IopAllocateBackpocketIrp(x,x,x)+197o	...
dword_6CCE4C	dd ?			; DATA XREF: IopAllocateBackpocketIrp(x,x,x):loc_609C5Dr
					; IopAllocateBackpocketIrp(x,x,x)+1D6w	...
unk_6CCE50	db    ?	;		; DATA XREF: IopAllocateBackpocketIrp(x,x,x)+16Do
					; IopFreeBackpocketIrp(x,x)+45o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void *dword_6CCE60
dword_6CCE60	dd ?			; DATA XREF: IopAllocateBackpocketIrp(x,x,x):loc_609C09r
					; IopAllocateBackpocketIrp(x,x,x)+F1w ...
byte_6CCE64	db ?			; DATA XREF: IopAllocateBackpocketIrp(x,x,x)+14r
					; IopAllocateReserveIrp(x,x,x)+14r ...
		align 4
_IopErrorLogListHead dd	?		; DATA XREF: .text:005607D9r
					; .text:005607DFo ...
dword_6CCE6C	dd ?			; DATA XREF: .text:005647C8r
					; .text:005647E8w ...
_IopUniqueDriverObjectNumber dd	?	; DATA XREF: IoCreateDriver+9DE91w
					; INIT:00AC2814w
_IopUniqueDeviceObjectNumber dd	?	; DATA XREF: IoCreateDevice+38Cw
					; INIT:00AC27FDw
_IopIrpStackProfilerSampleSize dd ?	; DATA XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x):loc_501D5Dr
					; IopIrpStackProfilerDpcRoutine(x,x,x,x):loc_501DC2r ...
_IopIrpStackProfilerMinSizeThreshold dd	?
					; DATA XREF: IopIrpStackProfilerDpcRoutine(x,x,x,x):loc_501D75r
					; IopIrpStackProfilerDpcRoutine(x,x,x,x)+EDr ...
_IopIrpStackProfilerDpc	db    ?	;	; DATA XREF: IopAllocateIrpPrivate+242o
					; INIT:00AC29B0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopTimer	db    ?	;		; DATA XREF: IopDisableTimer(x)+7Co
					; IopEnableTimer(x)+41o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopDeadIrps	dd ?			; DATA XREF: .text:00525054r
					; .text:00525061o ...
dword_6CCECC	dd ?			; DATA XREF: IopDisassociateThreadIrp()+DEr
					; IopDisassociateThreadIrp()+F3w ...
_IopTimerCount	dd ?			; DATA XREF: IopRemoveTimerFromTimerList(x)+39w
					; IopDisableTimer(x)+2Aw ...
		align 8
_IopTimerQueueHead dd ?			; DATA XREF: IopTimerDispatch(x,x,x,x)+4Ar
					; IopTimerDispatch(x,x,x,x)+54o ...
dword_6CCEDC	dd ?			; DATA XREF: INIT:00AC2A9Ew
_IopTimerDpc	db    ?	;		; DATA XREF: IopEnableTimer(x)+2Eo
					; INIT:00AC2A99o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopLinkTrackingPacket dd ?		; DATA XREF: IopSendMessageToTrackService(x,x,x)+97o
					; IopSendMessageToTrackService(x,x,x)+B1w
		align 8
dword_6CCF08	dd ?			; DATA XREF: IopSendMessageToTrackService(x,x,x)+9Cw
dword_6CCF0C	dd ?			; DATA XREF: IopSendMessageToTrackService(x,x,x)+ABw
unk_6CCF10	db    ?	;		; DATA XREF: IopSendMessageToTrackService(x,x,x)+A6o
					; IopSendMessageToTrackService(x,x,x)+CDo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CCF20	dd ?			; DATA XREF: IopSendMessageToTrackService(x,x,x)+E9r
		align 10h
_IopMountCompletionEvent db    ? ;	; DATA XREF: IopMountVolume+13C9E9o
					; IoRegisterFsRegistrationChangeMountAware+85FF9o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopHardError	dd ?			; DATA XREF: IoRaiseInformationalHardError(x,x,x)+25Bo
					; INIT:00AC2AEAw
		align 8
dword_6CCF48	dd ?			; DATA XREF: INIT:00AC2ABBw
dword_6CCF4C	dd ?			; DATA XREF: INIT:00AC2ACAw
dword_6CCF50	dd ?			; DATA XREF: IoRaiseInformationalHardError(x,x,x):loc_60909Cr
					; IoRaiseInformationalHardError(x,x,x)+196o ...
dword_6CCF54	dd ?			; DATA XREF: IoRaiseInformationalHardError(x,x,x):loc_6090EBr
					; IoRaiseInformationalHardError(x,x,x)+245w ...
dword_6CCF58	dd ?			; DATA XREF: IoRaiseInformationalHardError(x,x,x)+12Co
					; IoRaiseInformationalHardError(x,x,x)+1F6o ...
unk_6CCF5C	db    ?	;		; DATA XREF: IoRaiseInformationalHardError(x,x,x)+240o
					; IopHardErrorThread(x)+18o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CCF60	dd ?			; DATA XREF: IoRaiseInformationalHardError(x,x,x)+58r
					; IoRaiseInformationalHardError(x,x,x)+13Ar
		align 10h
byte_6CCF70	db ?			; DATA XREF: IoRaiseInformationalHardError(x,x,x)+250r
					; IoRaiseInformationalHardError(x,x,x)+260w ...
		align 4
dword_6CCF74	dd ?			; DATA XREF: IoRaiseInformationalHardError(x,x,x):loc_608F6Dr
					; IoRaiseInformationalHardError(x,x,x)+FAw ...
		align 10h
_IopKeepAliveTracker dd	?		; DATA XREF: IoDecrementKeepAliveCount(x,x)+9Bo
					; IoIncrementKeepAliveCount(x,x)+BEo ...
		align 8
dword_6CCF88	dd ?			; DATA XREF: INIT:00AC2B0Aw
dword_6CCF8C	dd ?			; DATA XREF: INIT:00AC2B2Fw
dword_6CCF90	dd ?			; DATA XREF: IoDecrementKeepAliveCount(x,x)+71o
					; IoIncrementKeepAliveCount(x,x)+8Dr ...
dword_6CCF94	dd ?			; DATA XREF: IoDecrementKeepAliveCount(x,x)+6Cr
					; IoDecrementKeepAliveCount(x,x)+86w ...
dword_6CCF98	dd ?			; DATA XREF: IopDeleteFileObjectExtension+EE2C1o
					; IopDeleteFileObjectExtension+EE2F6o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6CCFB0	db ?			; DATA XREF: IoDecrementKeepAliveCount(x,x)+90r
					; IoDecrementKeepAliveCount(x,x)+A0w ...
		align 4
dword_6CCFB4	dd ?			; DATA XREF: IoDecrementKeepAliveCount(x,x):loc_60DB18r
					; IopKeepAliveWorker(x)+1Fw ...
		align 10h
_IopLinkTrackingPortObject db	 ? ;	; DATA XREF: IopSendMessageToTrackService(x,x,x)+29o
					; IopSendMessageToTrackService(x,x,x)+1D0o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IoTraceHandle	dd ?			; DATA XREF: IoReuseIrp(x,x)+1E3r
					; IoTransferActivityId(x,x)+2Ar ...
dword_6CCFD4	dd ?			; DATA XREF: IoReuseIrp(x,x)+1D2r
					; IoTransferActivityId(x,x)+24r ...
_IoMgrTraceHandle dd ?			; DATA XREF: IopAttachDeviceToDeviceStackSafe+D40B6r
					; IopAttachDeviceToDeviceStackSafe+D412Br ...
dword_6CCFDC	dd ?			; DATA XREF: IopAttachDeviceToDeviceStackSafe+D40B0r
					; IopAttachDeviceToDeviceStackSafe+D4125r ...
_IoStatusBlockRangeTableLock dd	?	; DATA XREF: IopCleanupFileObjectIosbRange(x)+27o
					; IopCleanupFileObjectIosbRange(x):loc_95CA11o	...
dword_6CCFE4	dd ?			; DATA XREF: INIT:00AC2DE7w
dword_6CCFE8	dd ?			; DATA XREF: INIT:00AC2DF9w
unk_6CCFEC	db    ?	;		; DATA XREF: INIT:00AC2DEEo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IoStatusBlockRangeTable db    ? ;	; DATA XREF: IopCleanupFileObjectIosbRange(x)+38o
					; IopCleanupFileObjectIosbRange(x)+A9o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopTriageDumpDataBlocks dd ?		; DATA XREF: IoAddTriageDumpDataBlock+22o
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+228o ...
dword_6CD044	dd ?			; DATA XREF: IoMarkTriageDumpBlock()+14r
					; IopInitializeTriageDumpData+85r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopNumTriageDumpDataBlocks dd ?	; DATA XREF: IoAddTriageDumpDataBlock+8r
					; IoAddTriageDumpDataBlock+3Aw	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopCrashDumpLock db	? ;		; DATA XREF: IoConfigureCrashDump+66o
					; IoConfigureCrashDump+867F4o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IoPageReadIrpAllocationFailure	dd ?	; DATA XREF: IoPageReadEx+112FE5w
_IoAsynchronousPageWriteIrpAllocationFailure dd	?
					; DATA XREF: IoAsynchronousPageWrite+E8DBFw
_IoPageReadNonPagefileIrpAllocationFailure dd ?	; DATA XREF: IoPageReadEx:loc_5C11D6w
_IoSynchronousPageWriteIrpAllocationFailure dd ?
					; DATA XREF: IoSynchronousPageWriteEx+E85AEw
_IoAsynchronousPageWriteNonPagefileIrpAllocationFailure	dd ?
					; DATA XREF: IoAsynchronousPageWrite:loc_5CD1B0w
_IoSynchronousPageWriteNonPagefileIrpAllocationFailure dd ?
					; DATA XREF: IoSynchronousPageWriteEx:loc_5CD377w
_IopInitFailCode dd ?			; DATA XREF: IoInitSystem+Ao
					; INIT:00AC2985w ...
_IopReportBugCheckProgress dd ?		; DATA XREF: IopLoadCrashdumpDriver+82r
					; IoInitializeBugCheckProgress(x,x)+9Cr ...
_Microsoft_Windows_Kernel_PnPEnableBits	db    ?	; ; DATA XREF: .data:006B23ECo
byte_6CD8B9	db ?			; DATA XREF: PnpLogActionQueueEvent+8E5EFr
					; PnpLogActionQueueEvent+8E617r ...
byte_6CD8BA	db ?			; DATA XREF: PiDqQueryRelease+14r
					; PiDqIrpQueryCreate:loc_7FAFB0r ...
byte_6CD8BB	db ?			; DATA XREF: PnpLogActionQueueEvent+3Er
					; PnpLogActionQueueEvent+5Cr ...
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUrlUnkUlyquivUrDIGUrlkOlyq@io dd ?
					; DATA XREF: BvgaReleaseResources+33w
					; BvgaDriverInitialize:loc_ACCDC8o ...
_ResourceSize	db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CD8DC	dd ?			; DATA XREF: BvgaReleaseResources:loc_57A1B7r
					; BvgaReleaseResources+20r ...
_ResourceList	db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_BvgaOldIrql	db ?			; DATA XREF: BvgaAcquireLock()+33w
					; BvgaReleaseLock()+Dr
		align 10h
_BootDriverLock	dd ?			; DATA XREF: BvgaAcquireLock()+Co
					; BvgaReleaseLock()+18o ...
		align 10h
_BvgaProgressState dd ?			; DATA XREF: BvgaSetProgressBarSubset(x,x)+Cw
					; BvgaUpdateProgressBar(x)+2Fr	...
dword_6CD914	dd ?			; DATA XREF: BvgaSetProgressBarSubset(x,x)+1Dw
					; BvgaDriverInitialize+9Ew
dword_6CD918	dd ?			; DATA XREF: BvgaSetProgressBarSubset(x,x)+17w
					; BvgaUpdateProgressBar(x)+20r	...
_ProgressBarLeft dd ?			; DATA XREF: BvgaUpdateProgressBar(x)+4Fr
_ProgressBarTop	dd ?			; DATA XREF: BvgaUpdateProgressBar(x)+49r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Square1	db    ?	;		; DATA XREF: RotBarInit()+3Co
					; RotBarUpdate()+78o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PaletteBmp	db    ?	;		; DATA XREF: RotBarUpdate()+1F1o
					; .data:_pbiho
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CD9A8	db    ?	;		; DATA XREF: .data:_PalettePtro
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Square3	db    ?	;		; DATA XREF: RotBarInit()+7Ao
					; RotBarUpdate()+AEo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PaletteNum	dd ?			; DATA XREF: RotBarInit()+2Aw
					; RotBarUpdate():loc_6080B0r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Square2	db    ?	;		; DATA XREF: RotBarInit()+69o
					; RotBarUpdate()+93o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUehoUnkUlyquivUrDIGUehokOlyq@vsl db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_HvlVpStartDisabled dd ?		; DATA XREF: HvlHalVpStartEnabled()r
					; INIT:00AF6470o
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUuhigoUnkUlyquivUrDIGUuhigokOlyq@FsRtl db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_StackOverflowFallbackSerialEvent db	? ; ; DATA XREF: FsRtlStackOverflowRead(x)+2Eo
					; FsRtlpPostStackOverflow(x,x,x,x)+3Co	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_StackOverflowFallback db    ? ;	; DATA XREF: FsRtlStackOverflowRead(x)+24o
					; FsRtlpPostStackOverflow(x,x,x,x)+46o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_FsRtlWorkerQueues dd ?			; DATA XREF: FsRtlWorkerThread+1Dr
					; FsRtlpPostStackOverflow(x,x,x,x)+6Eo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Microsoft_Windows_Storage_Tiering_IoHeatEnableBits db ?
					; DATA XREF: McGenControlCallbackV2:loc_5F8DDCr
					; .data:006B34E4o ...
		align 10h
_FsRtlTieringHeatData dd ?		; DATA XREF: McGenControlCallbackV2+DAr
					; McGenControlCallbackV2+E0o ...
dword_6CDB04	dd ?			; DATA XREF: FsRtlInitializeTieringHeat()+Dw
unk_6CDB08	db    ?	;		; DATA XREF: McGenControlCallbackV2+CFo
					; FsRtlInitializeTieringHeat()+8o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AcquireOpsEvent db    ? ;		; DATA XREF: FsFilterInit+46o
					; FsFilterAllocateCompletionStack(x,x,x)+6Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AcquireOpsReservePool dd ?		; DATA XREF: FsFilterInit+1Bw
					; FsFilterInit+805B3r ...
		align 10h
_ReleaseOpsEvent db    ? ;		; DATA XREF: FsFilterInit+52o
					; FsFilterAllocateCompletionStack(x,x,x)+77o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ReleaseOpsReservePool dd ?		; DATA XREF: FsFilterInit+34w
					; FsFilterAllocateCompletionStack(x,x,x):loc_602EFCr
		align 10h
_FsRtlpUncSemaphore db	  ? ;		; DATA XREF: FsRtlpRegisterUncProvider+51o
					; FsRtlpRegisterUncProvider+99o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_FsRtlCreateLockInfo dd	?		; DATA XREF: FsRtlPrivateInitializeFileLock+16o
					; sub_4E374Do ...
dword_6CDBA4	dd ?			; DATA XREF: FsRtlInitializeFileLocks()+95w
dword_6CDBA8	dd ?			; DATA XREF: FsRtlInitializeFileLocks()+9Cw
unk_6CDBAC	db    ?	;		; DATA XREF: FsRtlInitializeFileLocks()+A4o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_FsRtlFileLockCancelCollideLock	dd ?	; DATA XREF: FsRtlUninitializeFileLock+23o
					; FsRtlUninitializeFileLock+76o ...
_FsRtlFileLockCancelCollideList	dd ?	; DATA XREF: FsRtlUninitializeFileLock+CC293r
					; FsRtlUninitializeFileLock+CC29Aw ...
_FsRtlPagingIoResources	dd ?		; DATA XREF: FsRtlAllocateResource()+Er
					; FsRtlInitSystem()+25w ...
		align 10h
_SmssEventWorkItem dd ?			; DATA XREF: FsRtlInitializeSmssEvent()+83o
					; FsRtlInitializeSmssEvent()+97w
		align 8
dword_6CDBD8	dd ?			; DATA XREF: FsRtlInitializeSmssEvent()+88w
dword_6CDBDC	dd ?			; DATA XREF: FsRtlInitializeSmssEvent()+92w
_EmBuiltinProviderHandle db    ? ;	; DATA XREF: EmInitSystem+27Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PersistBadS3PageWorkItem dd ?		; DATA XREF: EmRemoveBadS3PagesCallback(x,x,x,x,x,x,x)+1Bw
					; EmRemoveBadS3PagesCallback(x,x,x,x,x,x,x)+24o
		align 8
dword_6CDBF8	dd ?			; DATA XREF: EmRemoveBadS3PagesCallback(x,x,x,x,x,x,x)+2Ew
dword_6CDBFC	dd ?			; DATA XREF: EmRemoveBadS3PagesCallback(x,x,x,x,x,x,x)+14w
_EmpCachedBiosDate dd ?			; DATA XREF: EmProviderRegisterEntry(x,x,x,x)+1B3r
					; EmpCacheBiosDate+1Ew	...
_EmpBadS3Page	dd ?			; DATA XREF: EmRemoveBadS3PagesCallback(x,x,x,x,x,x,x)+29w
					; EmpRemoveBadS3PageWorker(x)r
_EmpTargetRuleListHead dd ?		; DATA XREF: EmpSearchTargetRuleList(x)r
					; EmInitSystem+20Fw ...
_EmpWorkerBusy	dd ?			; DATA XREF: EmpQueueRuleUpdateState+6Br
					; EmpQueueRuleUpdateState+1E0o	...
_EmpParseLock	dd ?			; DATA XREF: EmInitSystem+1ECw
					; EmpParseInfDatabase+22o ...
_EmpRuleListHead dd ?			; DATA XREF: EmpSearchRuleDatabase(x)+4r
					; EmInitSystem+20Aw ...
_EmpRuleUpdateQueue dd ?		; DATA XREF: EmpQueueRuleUpdateState+2Dr
					; EmpQueueRuleUpdateState+64r ...
_EmpEntryListHead dd ?			; DATA XREF: EmpSearchEntryDatabase(x)+4r
					; EmInitSystem+200w ...
_EmpPagingLock	dd ?			; DATA XREF: EmpAcquirePagingReference()+4o
					; EmpReleasePagingReference+3o	...
_EmpDatabaseLock dd ?			; DATA XREF: EmpRuleUpdateWorkerThread+171o
					; EmpRuleUpdateWorkerThread+1B6o ...
_EmpCallbackListHead dd	?		; DATA XREF: EmpSearchCallbackDatabase(x)+4r
					; EmInitSystem+205w ...
		align 10h
_EmpRuleUpdateWorker dd	?		; DATA XREF: EmpQueueRuleUpdateState+1E8o
					; EmInitSystem+22Dw
		align 8
dword_6CDC38	dd ?			; DATA XREF: EmInitSystem+21Ew
dword_6CDC3C	dd ?			; DATA XREF: EmInitSystem+228w
_EmpPagingStatus dd ?			; DATA XREF: EmpReleasePagingReference+2Fr
					; EmPowerPagingEnabled+A701Cw ...
dword_6CDC44	dd ?			; DATA XREF: EmpAcquirePagingReference()+14r
					; EmpAcquirePagingReference()+2Cw ...
_EmpEvaluationQueueLock	dd ?		; DATA XREF: EmpQueueRuleUpdateState+23o
					; EmpQueueRuleUpdateState+81o ...
_DbgkpWerDeferredWriteTimeoutSeconds dd	? ; DATA XREF: DbgkpWerDeferredWriteRoutine(x)+35r
					; DbgkpInitializePhase1()+32w
_DbgkpWerDefaultPolicy dd ?		; DATA XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x):loc_95692Br
					; DbgkpInitializePhase1()+28w
_DbgkpBusy	dd ?			; DATA XREF: DbgkCaptureLiveKernelDump(x)+99o
					; DbgkCaptureLiveKernelDump(x)+2BAo ...
_DbgkWerReportExceptionWorker dd ?	; DATA XREF: DbgkUserReportWorkRoutine(x)+11Dr
					; INIT:00AF6B4Co
		align 10h
_DbgkpProcessDebugPortMutex dd ?	; DATA XREF: DbgkClearProcessDebugObject+Fo
					; DbgkClearProcessDebugObject:loc_85EEDFo ...
dword_6CDC64	dd ?			; DATA XREF: DbgkpInitializePhase0()+32w
dword_6CDC68	dd ?			; DATA XREF: DbgkpInitializePhase0()+3Aw
unk_6CDC6C	db    ?	;		; DATA XREF: DbgkpInitializePhase0()+48o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_gLoadedDiffHivesLock dd ?		; DATA XREF: VrpDereferenceDiffHiveEntry+2Co
					; VrpFindDiffHiveEntryForMountPoint(x)+12o ...
		align 10h
_gLoadedDiffHives dd ?			; DATA XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+14Dw
					; VrpDereferenceDiffHiveEntryWithLock+8Bw ...
dword_6CDC94	dd ?			; DATA XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+FDr
					; VrpDereferenceDiffHiveEntryWithLock+23r ...
dword_6CDC98	dd ?			; DATA XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+13Fr
					; VrpDereferenceDiffHiveEntryWithLock+63r ...
_VrpSiloContextSlot dd ?		; DATA XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+76r
					; VrpHandleIoctlCreateNamespaceNode+13Fr ...
_VrpActiveSilosLock dd ?		; DATA XREF: VrpIncrementSiloCount+19o
					; VRegSetup+8Dw ...
		align 8
_VrpCallbackCookie dd ?			; DATA XREF: VrpPostOpenOrCreate(x,x)+18Co
					; VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+28Do	...
dword_6CDCAC	dd ?			; DATA XREF: VrpDecrementSiloCount()+26r
_CmpForceFlushWorkItem dd ?		; DATA XREF: CmpCmdInit+2Ew
					; CmpForceFlushForCoalescing()+2Fo
		align 8
dword_6CDCB8	dd ?			; DATA XREF: CmpCmdInit+18w
dword_6CDCBC	dd ?			; DATA XREF: CmpCmdInit+27w
_CmpEnableLazyFlushDpc db    ? ;	; DATA XREF: CmSetLazyFlushState+56o
					; CmpCmdInit+22o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpEnableLazyFlushTimer db    ? ;	; DATA XREF: CmSetLazyFlushState+5Fo
					; CmpCmdInit+3Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpForceFlushPending dd ?		; DATA XREF: CmpForceFlushForCoalescing()+12r
					; CmpForceFlushForCoalescing()+1Do ...
_CmpCoalescingRegistration dd ?		; DATA XREF: CmpCmdInit+A4o
					; CmpIssueNewDirtyCallback+18541Cr
_CmpPrevIdleProcessingState dd ?	; DATA XREF: CmSetLazyFlushState+2Ew
					; CmSetLazyFlushState+3Br
_CmpDirtySectorCount db	   ? ;		; DATA XREF: HvResetDirtyData(x)+1Co
					; HvpMarkDirty+16Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
_CmpLogFileSizeCap dd ?			; DATA XREF: HvGetEffectiveLogSizeCapForHive:loc_741E70r
					; INIT:00AF5018o
		align 10h
_CmpUnsupportedOperationHits db	   ? ;	; DATA XREF: CmpFlushUnsupportedOperationTelemetry()+7o
					; CmpLogUnsupportedOperation(x)+1Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpDelayFreeRMListHead	dd ?		; DATA XREF: CmpDelayFreeCmRm(x)+18o
					; CmpFlushUnsupportedOperationTelemetry()+18o ...
dword_6CDD94	dd ?			; DATA XREF: CmpDelayFreeCmRm(x)+13r
					; CmpDelayFreeCmRm(x)+2Fw ...
		align 10h
_CmpDelayFreeRMLock dd ?		; DATA XREF: CmpDelayFreeCmRm(x)+7o
					; CmpDelayFreeRMWorker(x)+5o ...
dword_6CDDA4	dd ?			; DATA XREF: CmpInitializeTransactions()+B6w
dword_6CDDA8	dd ?			; DATA XREF: CmpInitializeTransactions()+BCw
unk_6CDDAC	db    ?	;		; DATA XREF: CmpInitializeTransactions()+A7o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpRmListHead	dd ?			; DATA XREF: CmpInitCmRM+59Ao
					; CmpIsCmRm(x)+2Eo ...
dword_6CDDC4	dd ?			; DATA XREF: CmpInitCmRM+595r
					; CmpInitCmRM+5AEw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpRmListLock	dd ?			; DATA XREF: CmpRunDownCmRM+A6o
					; CmpRunDownCmRM:loc_73FD9Fo ...
dword_6CDDE4	dd ?			; DATA XREF: CmpInitializeTransactions()+Aw
dword_6CDDE8	dd ?			; DATA XREF: CmpInitializeTransactions()+2Bw
unk_6CDDEC	db    ?	;		; DATA XREF: CmpInitializeTransactions()+1Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpDelayFreeRMDpc db	 ? ;		; DATA XREF: CmpDelayFreeCmRm(x)+3Eo
					; CmpInitializeTransactions()+CDo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpDelayFreeRMWorkItem	dd ?		; DATA XREF: CmpDelayFreeRMDpcRoutine(x,x,x,x)+2o
					; CmpInitializeTransactions()+E2w
		align 8
dword_6CDE28	dd ?			; DATA XREF: CmpInitializeTransactions()+D2w
dword_6CDE2C	dd ?			; DATA XREF: CmpInitializeTransactions()+DCw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpDelayFreeRMTimer db	   ? ;		; DATA XREF: CmpDelayFreeCmRm(x)+4Eo
					; CmpInitializeTransactions()+EEo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpUserPresent	db ?			; DATA XREF: CmpUserPresenceCallback(x,x,x,x)+Bw
					; CmpIsHiveEligibleForLazyReconcile(x)+1Er ...
		align 4
_CmpSiloContextSlot dd ?		; DATA XREF: CmGetRootKeyObjectForSilo+Fr
					; CmpGetOrCreateContextForSiloNoRef+32r ...
_CmpDummyThreadEvent db	   ? ;		; DATA XREF: CmpInitializeRegistryProcess()+E8o
					; CmpDummyThreadRoutine(x)+9o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpRegistryProcess dd ?		; DATA XREF: CmSiProcessTupleInitialize(x)w
					; CmSiProcessTupleStartFromHandle+37w ...
dword_6CDE84	dd ?			; DATA XREF: CmSiProcessTupleInitialize(x)+7w
					; CmSiProcessTupleStartFromHandle+3Dw ...
_CmRegistryTransactionType dd ?		; DATA XREF: NtCommitRegistryTransaction+73r
					; NtOpenKeyTransactedEx+48r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpTransactionListLock	dd ?		; DATA XREF: CmpRunDownCmRM+39o
					; CmpRunDownCmRM:loc_73FD1Do ...
dword_6CDEA4	dd ?			; DATA XREF: CmpInitializeTransactions()+43w
dword_6CDEA8	dd ?			; DATA XREF: CmpInitializeTransactions()+49w
unk_6CDEAC	db    ?	;		; DATA XREF: CmpInitializeTransactions()+38o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpTransactionInitializingEvent dd ?	; DATA XREF: CmpTransInitializeTransaction+C8r
					; CmpTransInitializeTransaction+D2o ...
		align 8
_CmpLightTransactionList dd ?		; DATA XREF: CmpTransSearchAddLightWeightTrans+ADo
					; CmpInitializeTransactions()+F8o ...
dword_6CDECC	dd ?			; DATA XREF: CmpTransSearchAddLightWeightTrans+B2r
					; CmpTransSearchAddLightWeightTrans+C2w ...
_CmpLazyCommitListHead dd ?		; DATA XREF: CmpRunDownCmRM+43r
					; CmpRunDownCmRM+49o ...
dword_6CDED4	dd ?			; DATA XREF: CmpLazyCommitWorker(x)+178r
					; CmpLazyCommitWorker(x)+189w ...
		align 10h
_CmpLazyCommitWorkItem dd ?		; DATA XREF: CmpLazyCommitDpcRoutine(x,x,x,x)+Bo
					; CmpInitializeTransactions()+7Aw
		align 8
dword_6CDEE8	dd ?			; DATA XREF: CmpInitializeTransactions()+6Aw
dword_6CDEEC	dd ?			; DATA XREF: CmpInitializeTransactions()+74w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpLazyCommitTimer db	  ? ;		; DATA XREF: CmpLazyCommitWorker(x)+1B3o
					; CmpInitializeTransactions()+90o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpLazyCommitDpc db	? ;		; DATA XREF: CmpLazyCommitWorker(x)+1AAo
					; CmpInitializeTransactions()+65o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpKeyLockTracker dd ?			; DATA XREF: CmpInitializeGlobalKeyLockTracker()w
					; CmpGlobalLockKeyForWrite+17o	...
dword_6CDF64	dd ?			; DATA XREF: CmpInitializeGlobalKeyLockTracker()+7o
					; CmpInitializeGlobalKeyLockTracker()+11w ...
dword_6CDF68	dd ?			; DATA XREF: CmpInitializeGlobalKeyLockTracker()+Cw
					; CmpGlobalLockKeyForWrite+85r	...
_CmpGlobalFlushControlFlags dd ?	; DATA XREF: CmpGenerateFlushControlData+91r
					; CmpValidateGlobalFlushControlFlags()r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpFreezeThawTimer db	  ? ;		; DATA XREF: CmpCmdInit+87o
					; CmFreezeRegistry(x)+157o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpFreezeThawDpc db	? ;		; DATA XREF: CmpCmdInit+7Co
					; CmFreezeRegistry(x)+15Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpFreezeThawWaitListHead dd ?		; DATA XREF: CmpInitializeFreezeThaw+7o
					; CmpInitializeFreezeThaw+1Bw ...
dword_6CDFE4	dd ?			; DATA XREF: CmpInitializeFreezeThaw+16w
					; CmpLockRegistryFreezeAware+17FA11r ...
_CmpFreezeListLock dd ?			; DATA XREF: CmpInitializeFreezeThaww
					; CmpLockRegistryFreezeAware:loc_8D0724o ...
		align 10h
_CmpFreezeThawWorkItem dd ?		; DATA XREF: CmpFreezeThawDpcRoutine(x,x,x,x)+14o
					; CmpCmdInit+B0w
		align 8
dword_6CDFF8	dd ?			; DATA XREF: CmpCmdInit+9Aw
dword_6CDFFC	dd ?			; DATA XREF: CmpCmdInit+AAw
_CmpDelayCloseWorkItem dd ?		; DATA XREF: CmpArmDelayedCloseTimer()+10o
					; CmpInitializeDelayedCloseTable()+Cw
		align 8
dword_6CE008	dd ?			; DATA XREF: CmpInitializeDelayedCloseTable()+13w
dword_6CE00C	dd ?			; DATA XREF: CmpInitializeDelayedCloseTable()w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpDelayedCloseTableLock db	? ;	; DATA XREF: CmpRemoveFromDelayedClose(x)+Bo
					; PAGE:007C6C27o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CE024	dd ?			; DATA XREF: CmpPerformCompleteKcbCacheLookup+4DEw
					; CmpPerformCompleteKcbCacheLookup+555w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CE03C	dd ?			; DATA XREF: CmpPerformCompleteKcbCacheLookup+4EAw
					; CmpPerformCompleteKcbCacheLookup:loc_811E4Ar	...
_CmpDelayedLRUListHead dd ?		; DATA XREF: PAGE:007C6C3Cr
					; PAGE:007C6C42o ...
dword_6CE044	dd ?			; DATA XREF: PAGE:loc_8055BAr
					; PAGE:008055D2w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpSIDMappingLock db	 ? ;		; DATA XREF: CmpVERemoveHiveFromSIDMappingTable(x):loc_742944o
					; CmpVERemoveHiveFromSIDMappingTable(x)+7Bo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpPostLock	dd ?			; DATA XREF: CmpNotifyTriggerCheck(x,x,x)+Co
					; CmpNotifyTriggerCheck(x,x,x):loc_74F1CBo ...
dword_6CE084	dd ?			; DATA XREF: CmInitSystem1(x)+10Cw
dword_6CE088	dd ?			; DATA XREF: CmInitSystem1(x)+113w
unk_6CE08C	db    ?	;		; DATA XREF: CmInitSystem1(x)+11Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpNameCacheTable dd ?			; DATA XREF: CmpCleanUpKcbCacheWithLock+79r
					; CmpCleanUpKcbCacheWithLock+B0r ...
_CmpAppHiveLoadListLock	dd ?		; DATA XREF: CmpUnlockAppHiveLoadList()+2o
					; CmpLockAppHiveLoadList()+10o	...
_CmpAppHiveLoadList dd ?		; DATA XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+27Fr
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+285o	...
dword_6CE0AC	dd ?			; DATA XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x):loc_74FAF1r
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+324w	...
_CmpActiveAppHiveUnloadEvent dd	?	; DATA XREF: CmpDecrementAppHiveUnloadCount+1Br
					; CmpDecrementAppHiveUnloadCount+1765B7o ...
		align 10h
_CmpWorkerEngineWorkItem dd ?		; DATA XREF: CmWorkerEngineQueueWorkItem(x)+4Eo
					; CmInitSystem1(x)+14Ew
		align 8
dword_6CE0C8	dd ?			; DATA XREF: CmInitSystem1(x)+12Fw
dword_6CE0CC	dd ?			; DATA XREF: CmInitSystem1(x)+148w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpWorkerEngineLock db	   ? ;		; DATA XREF: CmpWaitForLateUnloadWorker()+7o
					; CmpWorkerEngineWorker:loc_7427DCo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpWorkerEngineListHead dd ?		; DATA XREF: CmpWorkerEngineWorker+9o
					; CmpWorkerEngineWorker+18r ...
dword_6CE104	dd ?			; DATA XREF: CmWorkerEngineQueueWorkItem(x)+15r
					; CmWorkerEngineQueueWorkItem(x)+2Aw ...
_CmpWorkerEngineFinishedEvent dd ?	; DATA XREF: CmpWaitForLateUnloadWorker()+38o
					; CmpWorkerEngineWorker+77r ...
_CmpActiveAppHiveUnloadCount dd	?	; DATA XREF: CmpDecrementAppHiveUnloadCount+6w
					; CmpLateUnloadHiveWorker+7Cw ...
_CmpShutdownRundown dd ?		; DATA XREF: CmUnloadKey:loc_740574r
					; CmDeleteKey:loc_74D7E1r ...
_CmpActiveHiveRundownEvent dd ?		; DATA XREF: CmpTryToRundownHive+85r
					; CmpTryToRundownHive+18Co ...
		align 10h
; void CmFcSystemManager
_CmFcSystemManager dd ?			; DATA XREF: CmFcManagerDrainAllFeatureUsageNotifications(x)+1Eo
					; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+121r ...
unk_6CE124	db    ?	;		; DATA XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+46o
					; CmFcManagerQueryFeatureConfigurationSectionInformation+91o ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CE128	db    ?	;		; DATA XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+81o
					; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x):loc_94DE3Co ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CE12C	dd ?			; DATA XREF: RtlQueryFeatureConfigurationChangeStamp()o
					; CmFcManagerQueryFeatureConfigurationSectionInformation+50r ...
dword_6CE130	dd ?			; DATA XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+5Ar
					; CmFcManagerStartBootPhase(x,x,x,x,x,x,x)+19r
		align 8
dword_6CE138	dd ?			; DATA XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+65r
					; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+258o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CE158	dd ?			; DATA XREF: CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+1E0r
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+1F7w
dword_6CE15C	dd ?			; DATA XREF: CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+1E9r
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+226w
dword_6CE160	dd ?			; DATA XREF: CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+20Dr
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+212w
dword_6CE164	dd ?			; DATA XREF: CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+220r
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+230w
; void unk_6CE168
unk_6CE168	db    ?	;		; DATA XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+8Fo
					; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+222o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void unk_6CE178
unk_6CE178	db    ?	;		; DATA XREF: CmFcManagerInitialize(x)+61o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CE1E8	db    ?	;		; DATA XREF: CmFcManagerStartRuntimePhase(x)+2AAo
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CE1EC	db    ?	;		; DATA XREF: CmFcManagerNotifyFeatureUsage(x,x):loc_5FFD1Do
					; CmFcManagerNotifyFeatureUsage(x,x)+61o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CE1F8	db    ?	;		; DATA XREF: CmFcManagerDrainAllFeatureUsageNotifications(x)+10o
					; CmFcManagerInitialize(x)+78o
		db    ?	;
		db    ?	;
		db    ?	;
byte_6CE1FC	db ?			; DATA XREF: CmFcManagerNotifyFeatureUsage(x,x)+6Br
		align 2
byte_6CE1FE	db ?			; DATA XREF: CmFcpManagerAllocateChangeSubscription(x,x,x)+8r
					; CmFcManagerStartRuntimePhase(x)+59w
		align 10h
dword_6CE200	dd ?			; DATA XREF: CmFcpManagerAllocateChangeSubscription(x,x,x)+18w
dword_6CE204	dd ?			; DATA XREF: CmFcManagerNotifyFeatureUsage(x,x)+40r
					; CmFcManagerStartBootPhase(x,x,x,x,x,x,x)+91w	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CE20C	db    ?	;		; DATA XREF: CmFcManagerNotifyFeatureUsage(x,x)+8Co
					; CmFcManagerInitialize(x)+88o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CE22C	db    ?	;		; DATA XREF: CmFcManagerNotifyFeatureUsage(x,x)+7Co
					; CmFcManagerInitialize(x)+98o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CE24C	db    ?	;		; DATA XREF: CmFcpManagerAllocateChangeSubscription(x,x,x)+2Do
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CE250	dd ?			; DATA XREF: CmFcManagerStartRuntimePhase(x)+281w
unk_6CE254	db    ?	;		; DATA XREF: CmFcManagerInitialize(x)+A8o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CE278	db    ?	;		; DATA XREF: CmFcManagerRegisterFeatureConfigurationChangeNotification(x,x,x,x,x)+2Eo
					; CmFcManagerUnregisterFeatureConfigurationChangeNotification(x,x)+12o	...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CE27C	dd ?			; DATA XREF: CmFcManagerRegisterFeatureConfigurationChangeNotification(x,x,x,x,x)+41o
					; CmFcpManagerPublishChangeNotifications(x,x,x)+1Er ...
dword_6CE280	dd ?			; DATA XREF: CmFcManagerRegisterFeatureConfigurationChangeNotification(x,x,x,x,x)+3Cr
					; CmFcManagerRegisterFeatureConfigurationChangeNotification(x,x,x,x,x)+59w ...
unk_6CE284	db    ?	;		; DATA XREF: CmFcManagerUnregisterFeatureConfigurationChangeNotification(x,x)+6Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CE32C	db    ?	;		; DATA XREF: CmFcManagerUnregisterFeatureConfigurationChangeNotification(x,x)+72o
		db    ?	;
		db    ?	;
		db    ?	;
_CmFcFeatureConfigSecurityDescriptor dd	?
					; DATA XREF: CmUpdateFeatureConfiguration(x,x,x)+5Fr
					; CmUpdateFeatureUsageSubscription(x,x,x)+5Er ...
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUxlmurtUnkUlyquivUrDIGUxnkOlyq@config db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpMachineHiveCallbackEvent db	   ? ;	; DATA XREF: CmpInitializeMachineHiveLoadedCallbacks()+9o
					; CmpMachineHiveLoadedWorkItem+87B6Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpCallbackListLock dd	?		; DATA XREF: CmSetCallbackObjectContext+45o
					; CmSetCallbackObjectContext+144o ...
		align 8
_CallbackListHead dd ?			; DATA XREF: CmSetCallbackObjectContext+8Er
					; CmSetCallbackObjectContext+94o ...
dword_6CE35C	dd ?			; DATA XREF: CmpInitCallbacks()+1Aw
_CmpContextListLock dd ?		; DATA XREF: CmSetCallbackObjectContext+5Fo
					; CmSetCallbackObjectContext+12Co ...
_CallbackListDeleteEvent dd ?		; DATA XREF: CmpInitCallbacks()+30w
					; CmpFreeCallbackObjectContexts+18CDA0r ...
_CmpCallbackContextSList dd ?		; DATA XREF: CmpFreeCallbackContext(x)+22o
					; CmpCallCallBacksEx+114o ...
dword_6CE36C	dd ?			; DATA XREF: CmpFreeCallbackContext(x):loc_5FF146r
					; CmpCallCallBacksEx:loc_812281r ...
_CmpCallbackCookie dd ?			; DATA XREF: CmpInsertCallbackInListByAltitude+2Ar
					; CmpInsertCallbackInListByAltitude+32w ...
dword_6CE374	dd ?			; DATA XREF: CmpInsertCallbackInListByAltitude+37w
					; CmpInsertCallbackInListByAltitude+40r
		align 10h
_CmpDeviceIndexTable dw	?		; DATA XREF: CmpAddProcessorConfigurationEntry+117o
					; CmpAddProcessorConfigurationEntry+1B9o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmProcessorMismatch db	?		; DATA XREF: INIT:00ABFC92r
					; INIT:00ABFCB1r ...
		align 4
_CmpPreloadedHivesList dd ?		; DATA XREF: CmpMountPreloadedHives+BBr
					; CmpMountPreloadedHives:loc_890A93o ...
dword_6CE3DC	dd ?			; DATA XREF: CmpInitializePreloadedHives+18w
					; CmpInitializePreloadedHive+27Er ...
; void CmpEditionVersion
_CmpEditionVersion dd ?			; DATA XREF: CmpSetVersionData+33o
					; CmpSetVersionData+1DFo ...
dword_6CE3E4	dd ?			; DATA XREF: CmpSetVersionData+9A670r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CE5BC	db    ?	;		; DATA XREF: MiMakeSystemRangeAvailable+4Do
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpLoadWorkerEvent db	  ? ;		; DATA XREF: CmpInitializeSystemHivesLoad+24o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpLoadWorkerDebugEvent db    ? ;	; DATA XREF: CmpInitializeSystemHivesLoad+3Bo
					; PAGE:00888736o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpHiveListHeadLock dd	?		; DATA XREF: CmpDeleteHive(x)+11o
					; CmpGetLastHive+6o ...
_CmpShutdownLock dd ?			; DATA XREF: UnlockShutdown()+2o
					; LockShutdownShared()+10o ...
_CmpLoadHiveLock dd ?			; DATA XREF: UNLOCK_HIVE_LOAD()+13o
					; LOCK_HIVE_LOAD()+14o	...
_CmpWasSetupBoot db ?			; DATA XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+2CDr
					; CmpCmdInit+C6w
		align 10h
_CmpBootPageFilesCreated db    ? ;	; DATA XREF: CmpHandlePageFileOpenNotification+20o
		db    ?	;
		db    ?	;
		db    ?	;
_CmpBootType	dd ?			; DATA XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+295r
					; CmpCheckRegistry2(x,x,x,x,x,x,x,x):loc_80A73Ar ...
_CmIoFileObjectType dd ?		; DATA XREF: CmpAdjustFileCFSafety(x,x):loc_58FEEEr
					; CmpVolumeManagerGetContextForFile+34r ...
___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUxzxsvUnkUlyquivUrDIGUxxOlyq@cache db	 ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_CcTestControlData db	 ? ;		; DATA XREF: INIT:00AC34E8o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CcNumberOfFreeVacbs dd	?		; DATA XREF: CcGetVirtualAddress:loc_45DBEBr
					; CcGetVirtualAddress+2F5r ...
_CcMinimumFreeHighPriorityVacbs	dd ?	; DATA XREF: CcUnmapVacbArray+35Cr
					; CcInitializePartitionVacbs+17r ...
_CcVacbArrays	dd ?			; DATA XREF: CcReferenceVacbArrayr
					; CcInsertVacbArray:loc_5700B4r ...
_CcVacbArraysAllocated dd ?		; DATA XREF: CcInitializePartitionVacbs+10Fr
					; CcInsertVacbArray+8r	...
_CcVacbFreeList	dd ?			; DATA XREF: CcSetVacbInFreeList(x,x,x)+17r
					; CcSetVacbInFreeList(x,x,x)+1Do ...
dword_6CE66C	dd ?			; DATA XREF: CcInsertVacbArray+47r
					; CcInsertVacbArray+66w ...
_CcDbgNumberOfFailedHighPriorityMappingsDueToMmResources dd ?
					; DATA XREF: CcGetVacbMiss+117DCEw
					; CcInitializeVacbs+11w
_CcDbgNumberOfFailedHighPriorityMappingsDueToCcResources dd ?
					; DATA XREF: CcGetVacbMiss+117D79w
					; CcInitializeVacbs+17w
; Exported entry 196. CcFastMdlReadWait
		public _CcFastMdlReadWait
_CcFastMdlReadWait dd ?			; DATA XREF: ExpQuerySystemPerformanceInformation+44Ar
		align 10h
_CcNoDelay	db    ?	;		; DATA XREF: CcWriteBehindInternal+20Bo
					; .text:004AC927o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CcFlushForImageSection	db    ?	;	; DATA XREF: .text:004AC98Do
					; .text:loc_4ACB29o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CcNumberOfExternalCaches dd ?		; DATA XREF: CcQueueLazyWriteScanThread+E4r
					; .text:005FC38Fr ...
_CcChangeSharedCacheMapFileLock	dd ?	; DATA XREF: CcSlowReferenceSharedCacheMapFileObject(x)+6o
					; CcChangeBackingFileObject+2Bo ...
_CcMaxNestingLevel dd ?			; DATA XREF: CcAsyncCopyRead+198r
					; CcInitializeAsyncRead+19r ...
_CcMaxAsyncReadWorkerThreads dd	?	; DATA XREF: CcShouldSpinAsyncReadWorkerThread+2Cr
					; CcInitializeAsyncRead+199r ...
_CcMaxCachemapUninitWorkerThreads dd ?	; DATA XREF: CcInitializePartition+1EFr
					; INIT:00AC3222w ...
_CcGlobalPartitionLock dd ?		; DATA XREF: CcForEachPartition+2Eo
					; CcForEachPartition+6Bo ...
_CcPartitionCount dw ?			; DATA XREF: CcDeletePartition(x)+7Ew
					; INIT:00AC32B6w
		align 4
_CcIdleDelayTick dd ?			; DATA XREF: .text:004AD15Dr
					; .text:loc_4AD16Ar ...
_CcVolumeCacheMapList dd ?		; DATA XREF: CcScanLogHandleList+44r
					; CcScanLogHandleList+4Co ...
dword_6CE6B4	dd ?			; DATA XREF: .text:loc_4FBD60r
					; .text:004FBD7Bw ...
		align 10h
_CcBcbTrimNotificationListLock dd ?	; DATA XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+51Do
					; CcUnmapInactiveViewsInternal(x,x,x,x)+539o ...
dword_6CE6C4	dd ?			; DATA XREF: INIT:00AC32E3w
dword_6CE6C8	dd ?			; DATA XREF: INIT:00AC32E9w
unk_6CE6CC	db    ?	;		; DATA XREF: INIT:00AC32CEo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CcBcbTrimNotificationList dd ?		; DATA XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+52Ar
					; CcUnmapInactiveViewsInternal(x,x,x,x)+551o ...
dword_6CE6E4	dd ?			; DATA XREF: INIT:00AC3303w
_CcAggressiveZeroThreshold dd ?		; DATA XREF: CcZeroDataOnDisk(x,x,x,x)+68r
					; INIT:00AC32F9w
_CcAggressiveZeroCount dd ?		; DATA XREF: CcZeroDataOnDisk(x,x,x,x)+5Fw
					; CcZeroDataOnDisk(x,x,x,x)+70w ...
_CcCoalescingFlushEvent	db    ?	;	; DATA XREF: INIT:00AC336Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CcMaxWorklessLazywriteScans dd	?	; DATA XREF: CcComputeNextScanTime:loc_50C136r
					; INIT:00AC33A1w
_CcDbgNumberOfFailedWorkQueueEntryAllocations dd ?
					; DATA XREF: CcQueueLazyWriteScanThread:loc_5F5722w
					; INIT:00AC33EEw
_CcDbgNumberOfFailedBitmapAllocations dd ? ; DATA XREF:	.text:loc_5BF291w
					; INIT:00AC3409w
_CcExternalCacheListLock dd ?		; DATA XREF: .text:005FC368o
					; CcNotifyExternalCaches(x)+1Fo ...
_CcExternalCacheList dd	?		; DATA XREF: CcQueueLazyWriteScanThread:loc_5F56AFo
					; .text:005FC37Co ...
dword_6CE714	dd ?			; DATA XREF: .text:005FC376r
					; .text:005FC399w ...
_CcDbgNumberOfAbortedTeardowns dd ?	; DATA XREF: CcCancelMmWaitForUninitializeCacheMap(x)+2Bw
_InitIsWinPEMode db ?			; DATA XREF: ExpReducedLicenseData()+9r
					; PpCheckInDriverDatabase+Dr ...
		align 10h
_CmNtSpBuildNumber dd ?			; DATA XREF: CmpSetVersionData:loc_88FFBFr
					; INIT:00ACD447r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_BurnMemoryDescriptor db    ? ;		; DATA XREF: INIT:00ACD184o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_RtlpMultiUsersInSessionSupported dd ?	; DATA XREF: InitSkuSessionParameters:loc_ADA6E5r
					; INIT:00AF6440o
; Exported entry 1651. POGOBuffer
		public _POGOBuffer
_POGOBuffer	db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_InitializationPhase dd	?		; DATA XREF: MiGetPage:loc_46EEDDr
					; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)+BFr ...
_KernelVersionBump db	 ? ;		; DATA XREF: INIT:00AF6650o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmCSDVersionString dd ?		; DATA XREF: PsGetVersion:loc_5DDFA0r
					; CmpSetVersionData+2FAr ...
dword_6CE76C	dd ?			; DATA XREF: PsGetVersion+8D0D1r
					; CmpSetVersionData:loc_890076r ...
_BBTBuffer	dd ?			; DATA XREF: .data:006B1EA8o
					; MmCreateTeb+BAr ...
; int CmNtCSDVersion
_CmNtCSDVersion	dd ?			; DATA XREF: IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)+8r
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+297r ...
; Exported entry 731. InitSafeBootMode
		public _InitSafeBootMode
_InitSafeBootMode dd ?			; DATA XREF: NtGetMUIRegistryInfo+46r
					; ExpReducedLicenseData()r ...
		align 10h
_CmVersionString dw ?			; DATA XREF: CmpSetVersionData:loc_88FE98r
					; INIT:00ACD83Eo
		align 4
dword_6CE784	dd ?			; DATA XREF: CmpSetVersionData+1FFr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void NtBuildLabEx
_NtBuildLabEx	db    ?	;		; DATA XREF: .data:006B1C90o
					; EtwpAddDebugInfoEvents+5Do ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; Exported entry 1530. NtGlobalFlag
		public _NtGlobalFlag
_NtGlobalFlag	dd ?			; DATA XREF: RtlDispatchException+58r
					; ExInitializeResourceLite+5Ar	...
_KiHrIncrement	dd ?			; DATA XREF: INIT:00ABFE1Ar
					; INIT:loc_ABFE31w ...
_CmNtCSDReleaseType dd ?		; DATA XREF: INIT:00ACD45Dr
					; INIT:00AF4F10o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; Exported entry 1501. NtBuildLab
		public _NtBuildLab
_NtBuildLab	db    ?	;		; DATA XREF: InitializeBuildStrings(x)+6o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_BBTMemoryDescriptor db	   ? ;		; DATA XREF: INIT:00ACD140o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_NtGlobalFlag2	dd ?			; DATA XREF: PAGE:0075B6E4r
					; PAGE:0077EE69r ...
_CcDbgSkippedReductions	dd ?		; DATA XREF: CcLazyWriteScan+7EEw
_CcDbgAdditionalPagesQueuedCount dd ?	; DATA XREF: CcScanLogHandleList+162w
_CcDbgLsnLargerThanHint	dd ?		; DATA XREF: CcAcquireByteRangeForWrite+9AFw
					; CcAcquireByteRangeForWrite+114F20w
		align 8
_CcSectionDeletionSequencePhase2 dd ?	; DATA XREF: CcDeleteSharedCacheMap+1C2w
					; CcCrossPartitionDrainSectionDeletion():loc_5FC0A8r
dword_6CE9AC	dd ?			; DATA XREF: CcDeleteSharedCacheMap+1C8w
					; CcCrossPartitionDrainSectionDeletion()+1Er ...
_CcDbgNumberOfNoopedReadAheads dd ?	; DATA XREF: CcUninitializeCacheMap+44Ew
		align 8
_CcSectionDeletionSequencePhase1 dd ?	; DATA XREF: CcDeleteSharedCacheMap+91w
					; CcInitializeCacheMapEx+116798r ...
dword_6CE9BC	dd ?			; DATA XREF: CcDeleteSharedCacheMap+97w
					; CcInitializeCacheMapEx+1167A5r ...
_CcNumberOfMappedVacbs dd ?		; DATA XREF: CcSetVacbInFreeList(x,x,x)+5w
					; CcGetVacbFromFreeList+23w ...
		align 8
_CcNumberAsyncReadPrefetches dd	?	; DATA XREF: CcAsyncReadPrefetch+152r
					; CcAsyncReadPrefetch+162w
dword_6CE9CC	dd ?			; DATA XREF: CcAsyncReadPrefetch+157r
					; CcAsyncReadPrefetch+167w
_CmpWorkerEngineWorkItemActive db ?	; DATA XREF: CmpWaitForLateUnloadWorker()+13r
					; CmpWaitForLateUnloadWorker()+32o ...
		align 4
_CmpSIDToHiveMappingCount dd ?		; DATA XREF: CmpVERemoveHiveFromSIDMappingTable(x)+1Er
					; CmpVERemoveHiveFromSIDMappingTable(x)+53r ...
_CmpSIDToHiveMappingSize dd ?		; DATA XREF: CmpAddStringToMapping+2Cr
					; CmpAddStringToMapping+F0w
_CmpSIDToHiveMapping dd	?		; DATA XREF: CmpVERemoveHiveFromSIDMappingTable(x)+2Ar
					; CmpVERemoveHiveFromSIDMappingTable(x):loc_74296Er ...
_CmpDelayedCloseElements dd ?		; DATA XREF: CmpRemoveFromDelayedClose(x)+33w
					; PAGE:007C6C62r ...
_CmpDelayFreeRMWorkItemActive db ?	; DATA XREF: CmpDelayFreeCmRm(x)+21r
					; CmpDelayFreeCmRm(x)+47w ...
		align 4
_CmRmSystem	dd ?			; DATA XREF: CmpInitCmRM:loc_7D9780w
					; CmKtmNotification(x,x,x,x,x,x,x)+142r ...
_VrpNumActiveSilos dd ?			; DATA XREF: VrpIncrementSiloCount+27r
					; VrpIncrementSiloCount:loc_73DECDw ...
_DbgkpWerInitialized db	?		; DATA XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x):loc_95685Dr
					; DbgkpInitializePhase1()+15r ...
		align 8
_HvlGlobalSystemEventsHandle dd	?	; DATA XREF: HvlPhase2Initialize+7DDA1r
					; HvlPhase2Initialize+7DDACw ...
dword_6CE9FC	dd ?			; DATA XREF: HvlPhase2Initialize+7DD9Br
					; HvlPhase2Initialize+7DDB2w ...
_PiUEventDevHandleClientCount dd ?	; DATA XREF: PiUEventShouldQueueEvent(x):loc_43CCABr
					; PAGE:007DE38Fw ...
_PiUEventDevInterfaceClientCount dd ?	; DATA XREF: PiUEventShouldQueueEvent(x):loc_43CCA2r
					; PAGE:007DE30Dw ...
_PiUEventDevInstanceClientCount	dd ?	; DATA XREF: PiUEventShouldQueueEvent(x):loc_43CC96r
					; PAGE:007DE3B1w ...
_PiUEventBroadcastSubscriberPresent db ? ; DATA	XREF: PiUEventShouldQueueEvent(x)+3r
					; ExpWnfDispatchKernelSubscription:PiUEventMetaNotificationCallback(x,x,x,x,x,x)w ...
		align 10h
_PnpDeviceEventThread dd ?		; DATA XREF: PnpBugcheckPowerTimeout(x)+18r
					; PnpInitializeTriageBlock(x)+Fr ...
_PpvUtilVerifierEnabled	db ?		; DATA XREF: PpvUtilTestStartedPdoStack(x)r
					; PpvUtilCallAddDevice+6r ...
_KiClockCheckSlot db ?			; DATA XREF: KeAccumulateTicks+1FEr
					; KeAccumulateTicks+227w
		align 4
_KiLastForwardedHand dd	?		; DATA XREF: KiForwardTick+FCw
					; KiForwardTick:loc_5B6552r
		align 10h
_KiLastPseudoHrTimerExpiration dd ?	; DATA XREF: KiUpdateTime+11Br
					; KiUpdateTime+133w ...
dword_6CEA24	dd ?			; DATA XREF: KiUpdateTime+139w
					; KeResumeClockTimerFromIdle+308w
_KiLastNonHrTimerExpiration dd ?	; DATA XREF: KiUpdateTime+EEr
					; KiUpdateTime+10Bw ...
dword_6CEA2C	dd ?			; DATA XREF: KiUpdateTime+111w
					; KiCheckForTimerExpiration+467r ...
_KiIntSteerPreviousPerfSnap dd ?	; DATA XREF: KeIntSteerSnapPerf+29r
					; KeIntSteerSnapPerf+70w
dword_6CEA34	dd ?			; DATA XREF: KeIntSteerSnapPerf+3Ar
					; KeIntSteerSnapPerf+75w
_KiLastProcessor dd ?			; DATA XREF: KiOutSwapKernelStacks+1Fr
					; KiOutSwapKernelStacks+F3w ...
_PfSnNumActiveTraces dd	?		; DATA XREF: PfSnActivateTrace+5Bw
					; PfSnDeactivateTrace+85w ...
_PopBsdShutdownInProgress dd ?		; DATA XREF: PopClearShutdownMarker()w
					; PoUserShutdownInitiated:loc_85BC88w ...
_PopBackgroundTaskAllowed db ?		; DATA XREF: PopScanIdleList(x,x,x):loc_596F6Dw
					; PopScanIdleList(x,x,x):loc_596F76w ...
		align 4
_PopPopPowerSettingSetChangeNotification dd ?
					; DATA XREF: PopGetSettingNotificationName:loc_7663ADr
					; PopGetSettingNotificationName+214w ...
dword_6CEA4C	dd ?			; DATA XREF: PopGetSettingNotificationName+1ECr
					; PopGetSettingNotificationName:loc_7663C4r ...
_PopInputSuppressionRequired dd	?	; DATA XREF: PopEvaluateInputSuppressionAction()+C2r
					; PopEvaluateInputSuppressionAction()+D6w ...
_PopGlobalUserPresenceStateTransitions dd ?
					; DATA XREF: PopDiagTraceSessionStateCounted(x,x,x,x)+1Dr
					; PopEvaluateGlobalUserStatus:loc_841530r ...
_PsWatchEnabled	db ?			; DATA XREF: Dr_kite_a+37Br
					; PAGE:loc_7A7050w
byte_6CEA59	db ?			; DATA XREF: RtlGetPersistedStateLocation:loc_7BB85Br
					; RtlGetPersistedStateLocation+108w
		align 4
dword_6CEA5C	dd ?			; DATA XREF: RtlpGetTimeZoneInfoHandle+26r
					; RtlpGetTimeZoneInfoHandle+82w ...
_RtlpDebugPrintCallbacksActive db ?	; DATA XREF: vDbgPrintExWithPrefixInternal+D0r
					; DbgpInsertDebugPrintCallback(x)+6Dw ...
		align 4
_SepDefaultMandatorySid	dd ?		; DATA XREF: SepMandatoryIntegrityCheck:loc_51CCF3r
					; SepMandatoryIntegrityCheck:loc_5EB564r ...
_EtwpDiskIoNotifyRoutines dd ?		; DATA XREF: WmiQueryTraceInformation+DDo
					; EtwpEnableKernelTrace+201w ...
dword_6CEA6C	dd ?			; DATA XREF: EtwpEnableKernelTrace+129985w
					; EtwpDisableKernelTrace:loc_90D2F5w
dword_6CEA70	dd ?			; DATA XREF: EtwpEnableKernelTrace+12999Aw
					; EtwpDisableKernelTrace:loc_90D300w
dword_6CEA74	dd ?			; DATA XREF: EtwpEnableKernelTrace+1299B2w
					; EtwpDisableKernelTrace:loc_90D30Ew
_ExpResourceIoBoostedShared dd ?	; DATA XREF: ExpApplyPriorityBoost+59Bw
_ExpResourceIoBoosted dd ?		; DATA XREF: ExpApplyPriorityBoost+556w
_ExpScanCount	dd ?			; DATA XREF: ExAdjustLookasideDepth()r
					; ExAdjustLookasideDepth():loc_4E7BF0r	...
_ExpPoolScanCount dd ?			; DATA XREF: ExpScanSystemLookasideList()+Er
					; ExpScanSystemLookasideList()+24r ...
; size_t MUIRegistryInfoSize
_MUIRegistryInfoSize dd	?		; DATA XREF: NtGetMUIRegistryInfo+113r
					; NtGetMUIRegistryInfo+139r ...
; void *MUIRegistryInfo
_MUIRegistryInfo dd ?			; DATA XREF: NtGetMUIRegistryInfo+E7r
					; NtGetMUIRegistryInfo+19Br ...
byte_6CEA90	db ?			; DATA XREF: ResFwFreeContext+2Ar
					; AnFwDisplayFade+E1r ...
		align 4
_BcpCursor	dd ?			; DATA XREF: BcpDisplayCriticalCharacter(x,x,x)+Dr
					; BcpDisplayCriticalCharacter(x,x,x)+75w ...
dword_6CEA98	dd ?			; DATA XREF: BcpDisplayCriticalCharacter(x,x,x)+18r
					; BcpDisplayCriticalCharacter(x,x,x)+6Fw ...
dword_6CEA9C	dd ?			; DATA XREF: BcpDisplayCriticalCharacter(x,x,x)+2Er
					; BcpDisplayCriticalCharacter(x,x,x)+7Aw ...
dword_6CEAA0	dd ?			; DATA XREF: SpiMax311GetByte(x,x)+16r
					; SpiMax311InitializePort(x,x,x,x,x)+14w ...
dword_6CEAA4	dd ?			; DATA XREF: SpiMax311GetByte(x,x)+11r
					; SpiMax311GetByte(x,x)+2Br ...
word_6CEAA8	dw ?			; DATA XREF: SpiMax311InitializePort(x,x,x,x,x)+20w
					; SpiSend16(x,x)r
word_6CEAAA	dw ?			; DATA XREF: SpiMax311GetByte(x,x)+1Er
					; SpiMax311PutByte(x,x,x)+54w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CF272	db    ?	;		; DATA XREF: .text:004088A5o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SecureDmpEncryptionContext dd ?	; DATA XREF: SecureDump_GetSecureDumpSettings+4r
					; SecureDump_PrepareForInit:loc_57BEDCw ...
byte_6CF2C4	db ?			; DATA XREF: SecureDump_GetSecureDumpSettings+11r
					; SecureDump_Init+1Dw ...
		align 4
dword_6CF2C8	dd ?			; DATA XREF: SecureDump_PrepareForInit+58o
					; SecureDump_PrepareForInit+7E7ABw ...
dword_6CF2CC	dd ?			; DATA XREF: SecureDump_Init+11r
					; SecureDump_PrepareForInit+7E7D3w ...
dword_6CF2D0	dd ?			; DATA XREF: SecureDump_PrepareForInit+7E7EBo
					; SecureDump_PrepareForInit:loc_5FA653r ...
dword_6CF2D4	dd ?			; DATA XREF: SecureDump_PrepareForInit+7E7E6o
					; SecureDump_EncryptSymmetricKeyWithPublicKey()+BFr
; size_t dword_6CF2D8
dword_6CF2D8	dd ?			; DATA XREF: SecureDump_PrepareForInit+7E80Ao
					; SecureDump_Init+7E335r ...
; void *dword_6CF2DC
dword_6CF2DC	dd ?			; DATA XREF: SecureDump_PrepareForInit+7E80Fo
					; SecureDump_Init:loc_5FAA02r ...
; void *dword_6CF2E0
dword_6CF2E0	dd ?			; DATA XREF: SecureDump_Init:loc_5FA9ECr
					; SecureDump_Init+7E3B0w ...
; size_t dword_6CF2E4
dword_6CF2E4	dd ?			; DATA XREF: SecureDump_Init+7E33Fr
					; SecureDump_EncryptSymmetricKeyWithPublicKey()+11Bo ...
dword_6CF2E8	dd ?			; DATA XREF: SecureDump_GetSecureDumpSettings+18r
					; SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x):loc_6107C3r ...
dword_6CF2EC	dd ?			; DATA XREF: SecureDump_Init+7E370r
					; SecureDump_Init+7E385w ...
dword_6CF2F0	dd ?			; DATA XREF: SecureDump_Init:loc_5FA9D7r
					; SecureDump_Init+7E39Aw ...
dword_6CF2F4	dd ?			; DATA XREF: SecureDump_GetSecureDumpSettings+20r
					; SecureDump_Get_SecureDumpHeader(x,x,x)+EBr ...
dword_6CF2F8	dd ?			; DATA XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+41w
					; SecureDump_Get_SecureDumpHeader(x,x,x)+111r
dword_6CF2FC	dd ?			; DATA XREF: SecureDump_GetSecureDumpSettings+2Dr
					; SecureDump_Init+7E34Aw ...
_KiTickOffset	dd ?			; DATA XREF: KiUpdateTimeAssist:loc_487638r
					; KiUpdateTimeAssist+143w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_MiState	dd ?			; DATA XREF: MiInitializeNonPagedPoolThresholds+46w
dword_6CF344	dd ?			; DATA XREF: MiCountSystemPool+Co
					; MiFreePoolPagesLeft+29r ...
dword_6CF348	dd ?			; DATA XREF: MmGetDumpRange(x,x,x):loc_62DE0Dr
dword_6CF34C	dd ?			; DATA XREF: MiRetryNonPagedAllocation+121A7Br
					; MiRetryNonPagedAllocation+121B12w
byte_6CF350	db ?			; DATA XREF: MiRetryNonPagedAllocation:loc_5BC45Br
					; MiRetryNonPagedAllocation+121A8Cw ...
		align 4
dword_6CF354	dd ?			; DATA XREF: MiBuildPagedPool()+4Bw
					; MiBuildPagedPool()+66w ...
dword_6CF358	dd ?			; DATA XREF: MiBuildPagedPool()+6Ew
					; MiBuildPagedPool()+83w ...
unk_6CF35C	db    ?	;		; DATA XREF: MmManageFaultRange:loc_56002Fo
					; MmManageFaultRange:loc_56008Do ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CF360	db    ?	;		; DATA XREF: MmManageFaultRange:loc_560101o
					; MiGenerateAccessViolation(x)+1Co ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CF364	db    ?	;		; DATA XREF: MmManageFaultRange:loc_5600AEo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CF370	db    ?	;		; DATA XREF: MmManageFaultRange+2Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CF38C	dd ?			; DATA XREF: MmReturnPoolQuota(x,x)+Ew
					; MmRaisePoolQuota(x,x,x,x)+32r ...
dword_6CF390	dd ?			; DATA XREF: MmReturnPoolQuota(x,x):loc_500C7Cw
					; MmRaisePoolQuota(x,x,x,x)+78r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CF3C0	dd ?			; CODE XREF: CcMapAndCopyInToCache+873p
					; DATA XREF: CcSetDirtyPinnedData+74o ...
dword_6CF3C4	dd ?			; DATA XREF: MiSectionDelete+F7E78o
					; MiFinishCreateSection+F7769o	...
dword_6CF3C8	dd ?			; DATA XREF: MiDereferenceExtendInfo+25o
					; MiDereferenceExtendInfo+4Ao ...
dword_6CF3CC	dd ?			; DATA XREF: MiUnlinkUnusedControlArea+3Co
					; MiInsertUnusedSubsection(x,x)+49o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CF3D4	dd ?			; DATA XREF: MiFinishCreateSection+F771Fr
					; MiFinishCreateSection+F7764r	...
; void dword_6CF3D8
dword_6CF3D8	dd ?			; DATA XREF: MiSectionInitialization+105o
					; MiSectionInitialization+128w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void dword_6CF430
dword_6CF430	dd ?			; DATA XREF: MiSectionInitialization+F4o
					; MiSectionInitialization+139w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CF43C	dd ?			; DATA XREF: MiSectionInitialization+140w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CF44C	dd ?			; DATA XREF: MiSectionInitialization+115w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CF480	dd ?			; DATA XREF: MiInsertPageInList(x,x):loc_473E61o
					; MiInsertPageInList(x,x):loc_473EB6o ...
		align 8
dword_6CF488	dd ?			; DATA XREF: MiPurgeBadFileOnlyPages():loc_6316FCr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CF494	dd ?			; DATA XREF: MiDeleteExtentPfns(x):loc_631337r
					; MiDeleteExtentPfns(x)+5Fr ...
dword_6CF498	dd ?			; DATA XREF: MiWakeFileOnlyReaper()+9w
					; MiWakeFileOnlyReaper()+12o
		align 10h
dword_6CF4A0	dd ?			; DATA XREF: MiWakeFileOnlyReaper()+17w
dword_6CF4A4	dd ?			; DATA XREF: MiWakeFileOnlyReaper()+21w
dword_6CF4A8	dd ?			; DATA XREF: MiDeleteExtentPfns(x)+14o
					; MiWaitForExtentDeletions(x)+15o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6CF4BC	db ?			; DATA XREF: MiAddPhysicalMemory(x,x,x,x,x)+200w
byte_6CF4BD	db ?			; DATA XREF: MiDeleteExtentPfns(x)+6Dr
					; MiWakeExtentDeletionWaiters(x)+19w ...
byte_6CF4BE	db ?			; DATA XREF: MiWorkingSetManager(x,x)+258r
					; MiPurgeBadFileOnlyPages()+64w ...
		align 10h
dword_6CF4C0	dd ?			; DATA XREF: MiReferencePfBackedSection+2Ar
					; MiUpdateSystemProtoPtesTree(x,x)+2Ar	...
unk_6CF4C4	db    ?	;		; DATA XREF: MiReferencePfBackedSection:loc_4AA690o
					; MiReferencePfBackedSection:loc_4AA703o ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CF4C8	db    ?	;		; DATA XREF: MiObtainRelocationBits+22o
					; MiObtainRelocationBits:loc_791F4Co ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CF4CC	dd ?			; DATA XREF: MiSelectImageBase+7Do
					; MiReturnImageBase(x)+49o ...
dword_6CF4D0	dd ?			; DATA XREF: MiInitializeRelocations()+27w
dword_6CF4D4	dd ?			; DATA XREF: MiSelectImageBase+78r
					; MiInitializeRelocations()+34w
dword_6CF4D8	dd ?			; DATA XREF: MiSelectOverflowDllBase+2Fr
					; MiInitializeRelocations()+51w
dword_6CF4DC	dd ?			; DATA XREF: MiSelectOverflowDllBase+4Cr
					; MiSelectOverflowDllBase+63w ...
dword_6CF4E0	dd ?			; DATA XREF: MmMapApiSetView+32r
					; MiInitializeApiSets+8Ew
dword_6CF4E4	dd ?			; DATA XREF: MmQueryApiSetSchema(x,x)o
					; MiInitializeApiSets+97w
dword_6CF4E8	dd ?			; DATA XREF: MmQueryApiSetSchema(x,x)+6o
					; MiInitializeApiSets+A9w
dword_6CF4EC	dd ?			; DATA XREF: MiNoPagesLastChance(x,x)+3F6w
dword_6CF4F0	dd ?			; DATA XREF: MiNoPagesLastChance(x,x)+31Aw
dword_6CF4F4	dd ?			; DATA XREF: .text:00478E4Bw
					; MiValidateStrongCodeDriverImage(x,x):loc_62C00Dw ...
dword_6CF4F8	dd ?			; DATA XREF: MiCfgInitializeProcess(x)+22r
					; MiUpdateCfgSystemWideBitmap(x,x,x):loc_78ABDDr ...
dword_6CF4FC	dd ?			; DATA XREF: MiZeroCfgSystemWideBitmap(x,x)+6r
					; MiIncludeSharedCommit(x)+Er ...
dword_6CF500	dd ?			; DATA XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x):loc_79284Bw
					; MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x):loc_79285Aw ...
dword_6CF504	dd ?			; DATA XREF: MiMapViewOfImageSection+4Br
					; MiVerifyImageHeader+152r
dword_6CF508	dd ?			; DATA XREF: MiMapViewOfImageSection:loc_8DA5A8r
					; MiVerifyImageHeader:loc_8DEB46r
dword_6CF50C	dd ?			; DATA XREF: MiMapViewOfImageSection+16356Br
					; MiVerifyImageHeader+14EC5Cr
dword_6CF510	dd ?			; DATA XREF: MiValidateImagePfn:loc_7BFEFCw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CF51C	dd ?			; DATA XREF: MiDeleteBootRange:loc_5F4743r
					; MiBytesToMapSystemImage(x)+Fr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CF540	dd ?			; DATA XREF: MiSystemImageHasPrivateFixups(x,x,x)+8o
					; MiSystemImageHasPrivateFixups(x,x,x)+58r ...
dword_6CF544	dd ?			; DATA XREF: .text:00563554r
					; .text:0056356Ew ...
dword_6CF548	dd ?			; DATA XREF: MmReleaseLoadLock(x)+17o
					; MmAcquireLoadLock()+1Co ...
dword_6CF54C	dd ?			; DATA XREF: MmReleaseLoadLock(x)+Cw
					; MmAcquireLoadLock()+Ar ...
dword_6CF550	dd ?			; DATA XREF: MmReleaseLoadLock(x)w
					; MmAcquireLoadLock()+2Cw ...
unk_6CF554	db    ?	;		; DATA XREF: MiSystemImageHasPrivateFixups(x,x,x)+49o
					; MiSystemImageHasPrivateFixups(x,x,x):loc_4B150Bo ...
		db    ?	;
		db    ?	;
		db    ?	;
byte_6CF558	db ?			; DATA XREF: MiCreateSectionForDriver+Fw
					; MmCallDllInitialize+154r
byte_6CF559	db ?			; DATA XREF: MiUseLargeDriverPage+1Ar
					; MiInitializeDriverImages:loc_AE212Fw
		align 4
dword_6CF55C	dd ?			; DATA XREF: MiLockCode(x,x,x,x)+30Dr
					; MiAllocateDriverPage+59r ...
dword_6CF560	dd ?			; DATA XREF: MiUseLargeDriverPage+23r
					; MiUseLargeDriverPage+29o ...
dword_6CF564	dd ?			; DATA XREF: MiInitializeDriverImages+20w
					; MiInitializeDriverImages+2A529r ...
dword_6CF568	dd ?			; DATA XREF: MiLogStrongCodeDriverLoadFailure(x,x)+15Ao
					; MiFlushStrongCodeDriverLoadFailures:loc_AB79C7r ...
dword_6CF56C	dd ?			; DATA XREF: MiLogStrongCodeDriverLoadFailure(x,x)+17Ar
					; MiLogStrongCodeDriverLoadFailure(x,x)+18Fw ...
dword_6CF570	dd ?			; DATA XREF: MiCheckLargePageOk+74w
		align 8
dword_6CF578	dd ?			; DATA XREF: .text:0044A7C5r
					; .text:00478797r ...
dword_6CF57C	dd ?			; DATA XREF: MiUnlockDriverMappings+Bo
					; MiUnlockDriverMappings+4Eo ...
dword_6CF580	dd ?			; DATA XREF: MiReleaseDriverPtes+2Fo
					; MiReserveDriverPtes+24r ...
		align 8
dword_6CF588	dd ?			; DATA XREF: MiAllocateDriverPage+6Cr
					; MiAllocateDriverPage+75w
dword_6CF58C	dd ?			; DATA XREF: .text:loc_459BE8w
					; MiAddWorkingSetEntries:loc_46D9E0w ...
dword_6CF590	dd ?			; DATA XREF: .text:00459B39w
					; MiAddWorkingSetEntries+348w ...
unk_6CF594	db    ?	;		; DATA XREF: MiRemoveSystemImagePage:loc_5C4725o
					; MiSetPagingOfDriver:loc_5C475Do
		db    ?	;
		db    ?	;
		db    ?	;
unk_6CF598	db    ?	;		; DATA XREF: MiRemoveSystemImagePage:loc_4C209Eo
					; MiSetPagingOfDriver+1D8o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6CF59C	dd ?			; DATA XREF: MiUnlockImageSection+67r
					; MiUnlockImageSection+86o ...
dword_6CF5A0	dd ?			; DATA XREF: MiAddWorkingSetEntries+2F0r
					; MiLookupDataTableEntry(x,x):loc_4BE5C2r ...
unk_6CF5A4	db    ?	;		; DATA XREF: MiRemoveFromSystemSpace+47o
					; MiRemoveFromSystemSpace+2B2o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6CF5B8	db ?			; DATA XREF: MiDbgMarkPfnModified(x,x,x):loc_634154w
		align 4
dword_6CF5BC	dd ?			; DATA XREF: MiReturnSystemVa(x,x,x,x):loc_4326BDr
					; MiObtainSessionVa+11Do
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D0008	db    ?	;		; DATA XREF: IoVolumeDeviceNameToGuidPath+12Fo
					; IoVolumeDeviceNameToGuidPath+1C1o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D0030	db    ?	;		; DATA XREF: IoVolumeDeviceToDosName+125o
					; IoVolumeDeviceToDosName+1B3o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D0072	db    ?	;		; DATA XREF: .text:005A7438o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D05BC	dd ?			; DATA XREF: MiSessionCreate+5Dr
					; MiInitializeSessionGlobals+A4w
dword_6D05C0	dd ?			; DATA XREF: MiSessionCreateInternal(x)+4Eo
					; MiSessionCreateInternal(x)+121o ...
dword_6D05C4	dd ?			; DATA XREF: MiInitializeSessionGlobals:loc_867E45r
					; MiInitializeSessionGlobals+5Cr ...
dword_6D05C8	dd ?			; DATA XREF: MmAcquireSessionPoolRundown+2Bo
					; MmAcquireSessionPoolRundown+4Bo ...
dword_6D05CC	dd ?			; DATA XREF: MiInitializeSystemWorkingSetList:loc_86763Fr
					; MiInitializeSessionGlobals+B1w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D05D4	dd ?			; DATA XREF: MiActivePageClaimCandidate(x,x,x,x)+495r
					; MiDetachProcessFromSession+26r ...
dword_6D05D8	dd ?			; DATA XREF: MmGetSessionById(x):loc_537936r
					; MmIsSessionInCurrentServerSilo(x)+65r ...
unk_6D05DC	db    ?	;		; DATA XREF: MiMarkSessionDeletePending+89DCCo
					; MiInitializeSessionIds+81o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D05EC	dd ?			; DATA XREF: MiMarkSessionDeletePending+89DDCr
					; MiMarkSessionDeletePending:loc_5DF7C4w ...
dword_6D05F0	dd ?			; DATA XREF: MmGetSectionInformation(x,x,x)+117r
					; MmGetSectionInformation(x,x,x)+173r ...
dword_6D05F4	dd ?			; DATA XREF: MmCreateProcessAddressSpace+50o
					; MiInitSystem+25Dw
dword_6D05F8	dd ?			; DATA XREF: PAGE:0075B664w
		align 10h
dword_6D0600	dd ?			; DATA XREF: PAGE:0075B6EFr
					; MiInitializeBootDefaults+D7w
dword_6D0604	dd ?			; DATA XREF: PAGE:0075B6F7r
					; MiInitializeBootDefaults+10Cw
dword_6D0608	dd ?			; DATA XREF: MiInsertNewProcess+30o
					; MiReplicatePteChange+96o ...
dword_6D060C	dd ?			; DATA XREF: MiInsertNewProcess+24r
					; MiInsertNewProcess+40w ...
dword_6D0610	dd ?			; DATA XREF: MiInPagePageTable:loc_466917r
					; MiCheckProtoAccess:loc_466B35r ...
dword_6D0614	dd ?			; DATA XREF: MiCheckProtoAccess:loc_466B98r
					; MmAccessFault+5C0r ...
dword_6D0618	dd ?			; DATA XREF: MiDeleteFinalPageTables:loc_437E19r
					; MiInPagePageTable+D2r ...
dword_6D061C	dd ?			; DATA XREF: MmSecureVirtualMemoryAgainstWrites+157r
					; MiMapViewOfImageSection+637r	...
dword_6D0620	dd ?			; DATA XREF: MiPaeAllocate+Ar
					; MiPaeAllocatePage+4Cr ...
dword_6D0624	dd ?			; DATA XREF: MiPaeInitializeProcessShadow(x,x)+2Dr
					; MiInSwapPageDirectories(x,x)+129r ...
dword_6D0628	dd ?			; DATA XREF: MiReadWriteAnyLevelShadowPte+9Ar
					; MiInitializeBootPageDirectoryPages+179w
dword_6D062C	dd ?			; DATA XREF: MiPaeAllocate+66r
					; MiPaeAllocate+D3w ...
dword_6D0630	dd ?			; DATA XREF: MiPaeAllocate:loc_436D28r
					; MiPaeAllocate+E6o ...
dword_6D0634	dd ?			; DATA XREF: MiPaeAllocatePage:loc_549953r
					; MiPaeAllocatePage+8Cw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D0650	dd ?			; DATA XREF: MiPaeAllocatePage+E1w
					; MiPaeFreePage(x)+9w
dword_6D0654	dd ?			; DATA XREF: MiPaeAllocate+5Co
					; MiPaeAllocatePage+47o ...
dword_6D0658	dd ?			; DATA XREF: MiPaeAllocate:loc_436C69o
					; MiPaeAllocate+168o ...
dword_6D065C	dd ?			; DATA XREF: MiPaeFree+1Ar
					; MiPaeInitialize()+24w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D0680	dd ?			; DATA XREF: .text:0046F368r
					; .text:0046F376r ...
dword_6D0684	dd ?			; DATA XREF: MiUnlinkFreeOrZeroedPage+6Br
					; .text:00470536r ...
dword_6D0688	dd ?			; DATA XREF: MiUnlinkFreeOrZeroedPage+53r
					; .text:00470546r ...
byte_6D068C	db ?			; DATA XREF: MiCopyOnWrite(x,x,x,x)+3C8r
					; MiMigratePfn(x,x,x,x)+C6r ...
byte_6D068D	db ?			; DATA XREF: MiCopyOnWrite(x,x,x,x):loc_450002r
					; MiGetPageChain(x,x,x,x,x,x,x):loc_46DAC2r ...
		align 10h
dword_6D0690	dd ?			; DATA XREF: MiSearchChannelTable(x)+7r
					; MiSearchChannelTable(x):loc_634B3Dw
dword_6D0694	dd ?			; DATA XREF: MiSearchChannelTable(x)r
					; MiSearchChannelTable(x):loc_634B0Dr ...
dword_6D0698	dd ?			; DATA XREF: MiMigratePfn(x,x,x,x)+120r
					; MiMigratePfn(x,x,x,x)+29Cr ...
dword_6D069C	dd ?			; DATA XREF: MiGetPoolPages+26r
					; MiReturnPhysicalPoolPages:loc_4A171Dr ...
unk_6D06A0	db    ?	;		; DATA XREF: MiInitNucleus(x)+4C5o
					; MiInitializeNumaRangesTemporary:loc_ADC39Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D06A8	dd ?			; DATA XREF: MiInitializeNumaRangesTemporary+Dw
		align 10h
; void *dword_6D06B0
dword_6D06B0	dd ?			; DATA XREF: MiUnlinkFreeOrZeroedPage+7Cr
					; .text:00470550r ...
; void *dword_6D06B4
dword_6D06B4	dd ?			; DATA XREF: MiRestrictRangeToNode:loc_567C0Fr
					; MiSearchChannelTable(x)+14r ...
dword_6D06B8	dd ?			; DATA XREF: MiInitializeCacheSizes+1Aw
					; MiInitializeCacheFlushing+15Cr
dword_6D06BC	dd ?			; DATA XREF: MiInitializeCacheSizes+AFw
					; MiInitializeCacheSizes+C7r ...
dword_6D06C0	dd ?			; DATA XREF: IopInitializePlugPlayServices(x,x)+21Br
					; MiInitializeSystemDefaults+13w
dword_6D06C4	dd ?			; DATA XREF: MiZeroInParallel(x)+38r
					; MiReduceZeroingThreads+2Cr ...
byte_6D06C8	db ?			; DATA XREF: MiFlushDirtyBitsToPfn+3Cr
					; MiFlushFileOnlyMdl(x,x,x,x)+2Fr ...
		align 4
dword_6D06CC	dd ?			; DATA XREF: MiAddPhysicalMemory(x,x,x,x,x)+217r
					; MiMemoryLicense+27w
dword_6D06D0	dd ?			; DATA XREF: MiGetPageChain(x,x,x,x,x,x,x)+354r
					; MiUnlinkFreeOrZeroedPage+ABr	...
dword_6D06D4	dd ?			; DATA XREF: MiWalkPageTablesRecursively(x,x,x)+1BCr
					; .text:004707E0r ...
dword_6D06D8	dd ?			; DATA XREF: .text:0047DB0Bw
					; MiChangePageAttributeBatch:loc_4B9130w ...
dword_6D06DC	dd ?			; DATA XREF: MiChangePageAttributeContiguous(x,x,x)+D0w
					; MiFlushCacheMdl(x,x,x)+2Bw ...
dword_6D06E0	dd ?			; DATA XREF: MiChangePageAttributeBatch+E7w
					; MiChangePageAttribute+C6w ...
dword_6D06E4	dd ?			; DATA XREF: MiChangePageAttributeBatch+98r
					; MiChangePageAttributeContiguous(x,x,x)+C0r ...
dword_6D06E8	dd ?			; DATA XREF: MiScheduleZeroPageThreads+B6r
					; MiZeroBootLargePages+20o
dword_6D06EC	dd ?			; DATA XREF: MiScheduleZeroPageThreads+B0r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D0700	dd ?			; DATA XREF: .text:00431F43r
					; .text:00431F8Er ...
dword_6D0704	dd ?			; DATA XREF: .text:00431F3Dr
					; .text:loc_431F87r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D0740	dd ?			; DATA XREF: MiInsertLargePageInNodeList(x)+EDr
					; MiUnlinkNodeLargePageHelper(x,x,x,x,x)+15Er ...
dword_6D0744	dd ?			; DATA XREF: MiInitializeRebuildCandidateCounts(x,x)+8r
					; MiInitializeCacheSizes:loc_AB73CCw
dword_6D0748	dd ?			; DATA XREF: MiFlushTbListEarly(x,x)+4r
					; .text:00453E5Cr ...
dword_6D074C	dd ?			; DATA XREF: MiZeroPhysicalPage+41r
					; MiZeroAndConvertPage(x,x,x,x)+83r ...
dword_6D0750	dd ?			; DATA XREF: .text:0046F75Dr
					; MiMapPagesToZero(x,x,x)+C0r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D077C	dd ?			; DATA XREF: MiInitializeZeroingAttributes():loc_AD9382w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D0788	dd ?			; DATA XREF: MiInitializeZeroingAttributes()+2Dw
byte_6D078C	db ?			; DATA XREF: MiGetPageChain(x,x,x,x,x,x,x)+419r
					; MiPfnZeroingNeeded(x,x)+29r
		align 10h
dword_6D0790	dd ?			; DATA XREF: MiComputeOptimalZeroPath+1A2w
dword_6D0794	dd ?			; DATA XREF: MiComputeOptimalZeroPath+1ABw
dword_6D0798	dd ?			; DATA XREF: MiComputeOptimalZeroPath+1B4w
dword_6D079C	dd ?			; DATA XREF: MiComputeOptimalZeroPath+1BDw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D07B0	dd ?			; DATA XREF: .text:00448FF7r
					; .text:00449078r ...
dword_6D07B4	dd ?			; DATA XREF: MiFreePagesFromMdl(x,x)+1BEw
					; MiInitializeMdlPfn(x,x)+8Cw ...
word_6D07B8	dw ?			; DATA XREF: .text:loc_45D4ADr
					; .text:loc_45D4C2r ...
		align 10h
unk_6D07C0	db    ?	;		; DATA XREF: MiUpdateLargePageBitMap+EAo
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D07C4	dd ?			; DATA XREF: MiObtainSessionVa:loc_4C3E1Br
					; MiObtainSystemVa:loc_4C4B3Fr	...
dword_6D07C8	dd ?			; DATA XREF: MiObtainSessionVa+DFr
					; MiObtainSessionVa:loc_4C3F5Bw ...
dword_6D07CC	dd ?			; DATA XREF: MiMapViewOfImageSection+6B2r
					; MiInitializeBootDefaults+2Aw	...
dword_6D07D0	dd ?			; DATA XREF: PspStorageEmptyArrayNonReadonly+81r
					; PspStorageEmptyArrayNonReadonly+1F2r	...
unk_6D07D4	db    ?	;		; DATA XREF: MiReleaseSystemCacheView+5Eo
					; MiObtainSystemCacheView+15Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D0BD4	dd ?			; DATA XREF: MiRecycleSystemRegionVa(x,x)+20r
					; MiRecycleSystemRegionVa(x,x)+30w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D1BD4	dd ?			; DATA XREF: MiReturnSystemVa(x,x,x,x):loc_432645w
					; MiObtainSystemVa+DCo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D2BD4	dd ?			; DATA XREF: MiShadowTopLevelPxes+7Ar
					; MiReplicatePteChange+39Ar ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D2C54	db    ?	;		; DATA XREF: MiMakeSystemAddressValid+308o
					; MiMakeSystemAddressValid+32Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D2DD4	db    ?	;		; DATA XREF: MiMakeSystemAddressValid+37Co
					; .text:loc_45303Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D2E54	db    ?	;		; DATA XREF: .text:0045302Fo
					; .text:00453191o ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D2E58	db    ?	;		; DATA XREF: .text:0045301Bo
					; .text:00453183o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D2E64	dd ?			; DATA XREF: MiReturnSystemVa(x,x,x,x):loc_432617o
					; MiReturnSystemVa(x,x,x,x):loc_432651o ...
dword_6D2E68	dd ?			; DATA XREF: MiDeleteWsleRange(x,x,x,x)+40r
					; MiCopyOnWrite(x,x,x,x)+2E5r ...
dword_6D2E6C	dd ?			; DATA XREF: MiInitializeSessionGlobals+86r
unk_6D2E70	db    ?	;		; DATA XREF: MiInitializeDynamicVa+81o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D2E78	dd ?			; DATA XREF: MiWalkPageTables:loc_456C3Ar
					; MiInitializeWalkBounds:loc_5C5852r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D2E88	dd ?			; DATA XREF: MiCopyTopLevelMappings(x,x)+18r
					; MiGetNextPageTable:loc_437884r ...
dword_6D2E8C	dd ?			; DATA XREF: MiCopyTopLevelMappings(x,x)+23r
					; MiGetNextPageTable+ECr ...
dword_6D2E90	dd ?			; DATA XREF: MiHyperSpaceSizer
					; MiWalkPageTables:loc_456AB7r	...
unk_6D2E94	db    ?	;		; DATA XREF: MiDereferenceSegmentThread+46o
					; MiReclaimSystemVa+FFEB4o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D2EA4	dd ?			; DATA XREF: MiInitializeDynamicVa+Ew
dword_6D2EA8	dd ?			; DATA XREF: MiReleaseSystemCacheView+3Do
					; MiObtainSystemCacheView+A7o ...
dword_6D2EAC	dd ?			; DATA XREF: MiInitializeSystemWorkingSetList+3Br
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D2F80	db    ?	;		; DATA XREF: .text:004AFEEDo
					; .text:loc_4AFF49o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D2F84	dd ?			; DATA XREF: .text:loc_4AFEDFr
					; MiPageCombiningActive(x)+4r ...
dword_6D2F88	dd ?			; DATA XREF: .text:004AFEF7r
					; MiRaisedIrqlFault+9529Br ...
		align 10h
dword_6D2F90	dd ?			; DATA XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+3Dr
					; MiCombiningInProgress(x,x,x)+81w ...
dword_6D2F94	dd ?			; DATA XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+44r
					; MiCombiningInProgress(x,x,x)+8Aw ...
dword_6D2F98	dd ?			; DATA XREF: MiCombiningInProgress(x,x,x)+39r
					; MiCombiningInProgress(x,x,x)+7Cw
		align 10h
unk_6D2FA0	db    ?	;		; DATA XREF: MiZeroPage(x,x):loc_46FC3Co
					; MiLockAllMemoryLists()+17o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D2FA4	dd ?			; DATA XREF: MiZeroPage(x,x)+1A1o
					; MiMirrorDiscardPageContents:loc_55475Br ...
unk_6D2FA8	db    ?	;		; DATA XREF: MiZeroPage(x,x)+18Eo
					; MiBeginPageAccessor+4Do ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D2FAC	dd ?			; DATA XREF: MiZeroPage(x,x)+193o
					; MiBeginPageAccessor+8Cr ...
unk_6D2FB0	db    ?	;		; DATA XREF: MiCreateInitialLargeLeafPfns(x,x,x,x,x,x)+25o
					; MiInitNucleus(x)+181o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D2FCC	db    ?	;		; DATA XREF: MiInitializeAllResidentPageBasePfns(x,x,x,x,x,x,x)+Eo
					; MiInitNucleus(x)+193o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6D2FE2	db ?			; DATA XREF: MiInitNucleus(x)+19Ar
					; MiInitNucleus(x)+1ABw
		align 8
dword_6D2FE8	dd ?			; DATA XREF: MiGetPartitionLargePageListCount()r
					; MiGetPartitionLargePageListCount()+2Cw ...
		align 10h
dword_6D2FF0	dd ?			; DATA XREF: MiMakePartitionActive+15o
					; MiSetSlabAllocatorPolicy+7DD9Eo ...
dword_6D2FF4	dd ?			; DATA XREF: MmDuplicateMemory(x)+10Eo
					; MmDuplicateMemory(x)+325o ...
byte_6D2FF8	db ?			; DATA XREF: MiInitializePartitions(x)+13r
					; MiInitializePartitions(x)+23w ...
		align 10h
dword_6D3000	dd ?			; DATA XREF: MiInitializePartitions(x)+29o
					; MiInitializePartitions(x)+48w
dword_6D3004	dd ?			; DATA XREF: MiInitializePartitions(x)+42w
dword_6D3008	dd ?			; DATA XREF: MiIterateOverPartitions:loc_553757r
					; MiAddPartitionDataToCrashDump(x)+3Dr	...
dword_6D300C	dd ?			; DATA XREF: MiExpandPartitionIds()+158o
					; MiInitializePartitions(x)+1Ew ...
dword_6D3010	dd ?			; DATA XREF: MiInitializePartitions(x)+2Ew
dword_6D3014	dd ?			; DATA XREF: MiExpandPartitionIds()+1Bo
					; MiExpandPartitionIds()+D9o ...
dword_6D3018	dd ?			; DATA XREF: ExpGetSystemBasicInformation+CAr
					; ExpGetSystemBasicInformation+DAr ...
dword_6D301C	dd ?			; DATA XREF: MiInsertPartitionPages(x,x,x,x,x)+AAo
					; MiInsertPartitionPages(x,x,x,x,x)+FEo ...
dword_6D3020	dd ?			; DATA XREF: MiCreateImageOrDataSection+F7CC2w
byte_6D3024	db ?			; DATA XREF: MiAllocatePartitionId(x)+52w
		align 4
byte_6D3028	db ?			; DATA XREF: MiCreatePagingFile:loc_897D8Dr
					; MiCreatePagingFile+590w
byte_6D3029	db ?			; DATA XREF: MmLowPowerEpochCallback(x,x,x,x)+2Bw
					; MiCheckTrimUnusedPageFileRegions:loc_5C8FFFr
byte_6D302A	db ?			; DATA XREF: MiShutdownSystem()+7Dr
					; MmZeroPageFileAtShutdown()+B3w
		align 4
dword_6D302C	dd ?			; DATA XREF: MiNoPagesLastChance(x,x):loc_63AE74r
					; MiShutdownSystem()+10r ...
dword_6D3030	dd ?			; DATA XREF: MiFlushAllFilesystemPages(x)+57w
dword_6D3034	dd ?			; DATA XREF: .text:0045F3D2r
					; MiUnlinkFreeOrZeroedPage+151r ...
unk_6D3038	db    ?	;		; DATA XREF: MiFinishResume(x)+71o
					; MmDuplicateMemory(x)+CEo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3048	dd ?			; DATA XREF: MmDuplicateMemory(x)+2F0o
					; MiInitializeMirroring+47w
		align 10h
dword_6D3050	dd ?			; DATA XREF: MiInitializeMirroring+35w
dword_6D3054	dd ?			; DATA XREF: MiFinishResume(x)+66w
					; MmDuplicateMemory(x)+2F5w ...
dword_6D3058	dd ?			; DATA XREF: MiChangePageAttribute+1Ar
					; MiAssignInitialPageAttribute(x,x)+6r	...
dword_6D305C	dd ?			; DATA XREF: MiMirrorReduceBlackWrites(x,x)+1AFo
					; MiMirrorPerformBrownWrites:loc_554008r ...
dword_6D3060	dd ?			; DATA XREF: MiMirrorPerformBrownWrites+43r
					; MiMirrorPerformBrownWrites+DCr ...
dword_6D3064	dd ?			; DATA XREF: MiMirrorPerformBlackWrites:loc_554274r
					; MiMirrorPerformBlackWrites+B7r ...
dword_6D3068	dd ?			; DATA XREF: .text:0045F3E7r
					; MiUnlinkNodeLargePageHelper(x,x,x,x,x)+1A6r ...
dword_6D306C	dd ?			; DATA XREF: MmMapMemoryDumpMdl(x)+5r
					; MmInvalidateDumpAddresses(x,x):loc_71B1F5r ...
dword_6D3070	dd ?			; DATA XREF: MiPageNotZero(x,x)+10Cw
					; MiPageNotZero(x,x)+11Co
unk_6D3074	db    ?	;		; DATA XREF: MiPageNotZero(x,x)+D3o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3078	dd ?			; DATA XREF: MiPageNotZero(x,x)+107w
		align 10h
dword_6D3080	dd ?			; DATA XREF: MiPageNotZero(x,x)+F2w
dword_6D3084	dd ?			; DATA XREF: MiPageNotZero(x,x)+101w
dword_6D3088	dd ?			; DATA XREF: MiPageNotZero(x,x)+FCo
					; MiPageNotZero(x,x)+126w
		align 10h
dword_6D3090	dd ?			; DATA XREF: MiPageNotZero(x,x)+112w
dword_6D3094	dd ?			; DATA XREF: MiPageNotZero(x,x)+11Cw
dword_6D3098	dd ?			; DATA XREF: MiValidatePagefilePageHash+8FB13w
					; MiAddRangeToCrashDump(x,x,x,x,x)+31Fr
dword_6D309C	dd ?			; DATA XREF: MmProbeAndLockSelectedPages+177809w
					; MiProbeAndLockPrepare:loc_5B1A21w
dword_6D30A0	dd ?			; DATA XREF: .text:loc_464DE6w
					; MiLockPageLeafPageTable:loc_4730AAw ...
dword_6D30A4	dd ?			; DATA XREF: MiProbeLeafPteAccess(x,x)+3B3w
dword_6D30A8	dd ?			; DATA XREF: MiLockPageLeafPageTable+140957w
dword_6D30AC	dd ?			; DATA XREF: MiProbeLeafPteAccess(x,x)+47w
dword_6D30B0	dd ?			; DATA XREF: MiProbeLockFrame(x):loc_4656CBw
dword_6D30B4	dd ?			; DATA XREF: MiProbeLockFrame(x):loc_4656A3w
dword_6D30B8	dd ?			; DATA XREF: MiProbeLockFrame(x)+374w
dword_6D30BC	dd ?			; DATA XREF: MiProbeLockFrame(x):loc_465701w
dword_6D30C0	dd ?			; DATA XREF: MiProbeLockFrame(x)+4DAw
dword_6D30C4	dd ?			; DATA XREF: .text:004651ECw
					; MiProbeAndLockComplete+177713w
		align 10h
dword_6D30D0	dd ?			; DATA XREF: MiProbeLeafPteAccess(x,x)+4DEw
dword_6D30D4	dd ?			; DATA XREF: MiProbeLeafPteAccess(x,x)+2CEw
					; MiProbeLeafPteAccess(x,x):loc_465CCCw
dword_6D30D8	dd ?			; DATA XREF: MiProbeLeafPteAccess(x,x):loc_4658DDw
dword_6D30DC	dd ?			; DATA XREF: MiProbeLeafPteAccess(x,x):loc_46587Dw
dword_6D30E0	dd ?			; DATA XREF: MiChargeCommit+14DB29w
dword_6D30E4	dd ?			; DATA XREF: MiChargeCommit+14DAB5w
dword_6D30E8	dd ?			; DATA XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+444w
dword_6D30EC	dd ?			; DATA XREF: MiValidatePagefilePageHash+8FB06w
					; MmSnapTriageDumpInformation(x,x,x,x)+40r
dword_6D30F0	dd ?			; DATA XREF: .text:004703C3r
					; .text:004703C9w ...
dword_6D30F4	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+22r
					; MiPageNotZero(x,x)+81w
dword_6D30F8	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+18r
					; MiPageNotZero(x,x)+10w
dword_6D30FC	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+2Cr
					; MmScrubMemory(x,x,x)+14Ew
dword_6D3100	dd ?			; DATA XREF: MmSnapTriageDumpInformation(x,x,x,x)+36r
					; MiMakePageBad(x,x):loc_646D68w
dword_6D3104	dd ?			; DATA XREF: NtMapViewOfSection:loc_829522w
					; NtMapViewOfSection:loc_829546w ...
dword_6D3108	dd ?			; DATA XREF: NtMapViewOfSection+18Aw
					; MmMapViewOfSection:loc_8D46E7w ...
dword_6D310C	dd ?			; DATA XREF: MiAllocateVirtualMemoryCommon+F4w
dword_6D3110	dd ?			; DATA XREF: MiAllocateVirtualMemoryCommon:loc_77B40Cw
dword_6D3114	dd ?			; DATA XREF: MiChargePartitionResidentAvailable:loc_5D4F01w
dword_6D3118	dd ?			; DATA XREF: MiChargePartitionResidentAvailable:loc_5D4F7Dw
byte_6D311C	db ?			; DATA XREF: MmMarkPhysicalMemoryAsBad(x,x)+3C6w
					; MmGetDumpRange(x,x,x):loc_62DF54r
		align 2
byte_6D311E	db ?			; DATA XREF: MiInitNucleus(x)+152w
					; MiInitNucleus(x)+1CBw ...
byte_6D311F	db ?			; DATA XREF: MiShowBadMapper(x,x)+13r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3140	dd ?			; DATA XREF: MiTrimOrAgeWorkingSet+2D2r
					; MiTrimOrAgeWorkingSet+2DCo ...
dword_6D3144	dd ?			; DATA XREF: MmSetAccessLogging+99o
					; MmSetAccessLogging+AEw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D314C	dd ?			; DATA XREF: MmSetAccessLogging+9Ew
dword_6D3150	dd ?			; DATA XREF: MiEmptyAccessLogs+51w
					; MiEmptyAccessLogs+154r ...
dword_6D3154	dd ?			; DATA XREF: MiIssueHardFault(x,x):loc_44854Er
					; MiCopyOnWrite(x,x,x,x)+840r ...
dword_6D3158	dd ?			; DATA XREF: MiIssueHardFault(x,x)+555r
					; MiCopyOnWrite(x,x,x,x)+84Dr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3180	dd ?			; DATA XREF: MiRestoreTransitionPte(x,x)+47Do
					; MiRestoreTransitionPte(x,x)+48Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6D31C0	db ?			; DATA XREF: MiValidatePagefilePageHash:loc_5DD375r
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+2C4w ...
byte_6D31C1	db ?			; DATA XREF: MiDbgMarkPfnModified(x,x,x):loc_63415Bw
		align 4
dword_6D31C4	dd ?			; DATA XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+1Ar
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+2ACr ...
dword_6D31C8	dd ?			; DATA XREF: MiDbgTranslatePhysicalAddress(x,x,x,x)+EDw
					; MiDbgTranslatePhysicalAddress(x,x,x,x)+29Cw
dword_6D31CC	dd ?			; DATA XREF: MiDbgReleaseAddress(x,x,x)+47w
					; MiDbgReleaseAddress(x,x,x):loc_6342C7w ...
unk_6D31D0	db    ?	;		; DATA XREF: MmDbgMarkPfnModifiedWorker+Bo
					; MiDbgMarkPfnModified(x,x,x)+1CAo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3250	dd ?			; DATA XREF: .text:0045EE1Dr
					; .text:0045EF58r ...
		align 8
dword_6D3258	dd ?			; DATA XREF: MiDecayPfnFullyInitialized+11Eo
					; MiDeleteParentDecayNode(x)+4Do ...
dword_6D325C	dd ?			; DATA XREF: MiInitializeDecayPfns()+11w
dword_6D3260	dd ?			; DATA XREF: MiRestoreTransitionPte(x,x)+469r
					; MiRestoreTransitionPte(x,x):loc_4D5717r ...
unk_6D3264	db    ?	;		; DATA XREF: MiRestoreTransitionPte(x,x)+58Bo
					; MmSetAccessLogging+7Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3288	dd ?			; DATA XREF: MiFreeTransitionPageHeatList(x)+Co
					; MiReplenishTransitionPageHeatList()+27o ...
dword_6D328C	dd ?			; DATA XREF: MiFreeTransitionPageHeatList(x)r
					; MiReplenishTransitionPageHeatList():loc_6448D7r ...
unk_6D3290	db    ?	;		; DATA XREF: MiReplenishTransitionPageHeatList()+3Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D32C0	db    ?	;		; DATA XREF: MiAddMdlTracker(x,x,x)+50o
					; MiFreeMdlTracker(x,x)+FFo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3380	dd ?			; DATA XREF: MiInsertPteTracker(x,x,x,x)+24o
					; MiRemovePteTracker(x,x,x)+178o ...
dword_6D3384	dd ?			; DATA XREF: MiInsertPteTracker(x,x,x,x)+Er
					; MiInitNucleus(x)+93w
dword_6D3388	dd ?			; DATA XREF: MiInsertPteTracker(x,x,x,x)+15Co
					; MiRemovePteTracker(x,x,x)+21o ...
unk_6D338C	db    ?	;		; DATA XREF: MiInitializeSystemPtes+25409o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3390	dd ?			; DATA XREF: MiExpandPtes+100801r
					; MiCheckPteRelease(x,x)+65r ...
dword_6D3394	dd ?			; DATA XREF: MiCreatePfnDatabase(x)+BFw
					; MiCreatePfnDatabase(x)+132w ...
dword_6D3398	dd ?			; DATA XREF: MiCreatePfnDatabase(x)+C8w
					; MiCreatePfnDatabase(x)+138w ...
unk_6D339C	db    ?	;		; DATA XREF: MiRemoveFromSystemSpace+2C1o
					; MiInsertInSystemSpace+67o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D33D0	db    ?	;		; DATA XREF: MiDeleteKernelStack(x,x)+ECo
					; MmCreateKernelStack+2A8o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D33DC	dd ?			; DATA XREF: MiInitializeKernelStacks()+AEw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D33FC	dd ?			; DATA XREF: MiInitializeKernelStacks()+B6w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3404	dd ?			; DATA XREF: MmGrowKernelStackEx:loc_5D7ED5w
byte_6D3408	db ?			; DATA XREF: MiDeleteKernelStack(x,x)+20r
					; MmCreateKernelStack+39r ...
byte_6D3409	db ?			; DATA XREF: MiGetHighestPteConsumer(x)+1Dr
					; MiInsertPteTracker(x,x,x,x)+75w ...
byte_6D340A	db ?			; DATA XREF: MiAdjustPteBins()+6Br
					; MiAdjustPteBins()+72w
		align 4
unk_6D340C	db    ?	;		; DATA XREF: MmMapLockedPagesWithReservedMapping+23o
					; MmMapLockedPagesWithReservedMapping+6Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3410	dd ?			; DATA XREF: MmMapLockedPagesWithReservedMapping+35r
					; MiRemoveMappingNode+19r ...
dword_6D3414	dd ?			; DATA XREF: MiUnmapMdlCommon(x,x,x,x,x)+9Fr
					; MiUnmapMdlCommon(x,x,x,x,x)+BDw
dword_6D3418	dd ?			; DATA XREF: MiKernelStackVaToStackNode(x)+11r
unk_6D341C	db    ?	;		; DATA XREF: MiKernelStackVaToStackNode(x)+5o
					; MiKernelStackVaToStackNode(x):loc_546D60o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3420	dd ?			; DATA XREF: MiInitializeSystemPtes+1A7w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3440	db    ?	;		; DATA XREF: MiWorkingSetManager(x,x)+95o
					; MiWorkingSetManager(x,x)+123o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3444	dd ?			; DATA XREF: MiDereferenceIoPages+18o
					; MiReferenceIoPages+79o ...
dword_6D3448	dd ?			; DATA XREF: MiLookupIoPageNode(x)+11r
					; MiMakeIoRangePermanent(x):loc_62CB71r ...
dword_6D344C	dd ?			; DATA XREF: MiWorkingSetManager(x,x)+ECo
					; MiDereferenceIoPages+3Co ...
dword_6D3450	dd ?			; DATA XREF: MiWorkingSetManager(x,x)+57o
					; MiWorkingSetManager(x,x):loc_4D46C0r	...
dword_6D3454	dd ?			; DATA XREF: MiDereferenceIoPages:loc_4F59A0r
					; MiDereferenceIoPages+DCE7Ew ...
dword_6D3458	dd ?			; DATA XREF: MiWorkingSetManager(x,x)+7Ar
					; MiDereferenceIoPages+249w ...
dword_6D345C	dd ?			; DATA XREF: MiWorkingSetManager(x,x)+FFw
					; MiRemoveUnmappedIoNode+87w ...
dword_6D3460	dd ?			; DATA XREF: MiReferenceIoPages+2D7w
dword_6D3464	dd ?			; DATA XREF: MiReferenceIoPages:loc_4F5CC0w
dword_6D3468	dd ?			; DATA XREF: MiReferenceIoPages+35Aw
					; MiReferenceIoPages+DCC71w
dword_6D346C	dd ?			; DATA XREF: MiReferenceIoPages:loc_4F5CCBw
dword_6D3470	dd ?			; DATA XREF: MiReferenceIoPages+30Dw
dword_6D3474	dd ?			; DATA XREF: MiMakeIoRangePermanent(x):loc_62CC13w
dword_6D3478	dd ?			; DATA XREF: MiMakeIoRangePermanent(x):loc_62CCE7w
dword_6D347C	dd ?			; DATA XREF: MiIoSpaceIsConstantr
					; MiMakeIoRangePermanent(x):loc_62CCAFr ...
dword_6D3480	dd ?			; DATA XREF: MmIsFileObjectAPagingFile(x)+16r
					; MiUpdatePageFileList+3Br ...
unk_6D3484	db    ?	;		; DATA XREF: MmIsFileObjectAPagingFile(x)+9o
					; MiUpdatePageFileList+14o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3488	dd ?			; DATA XREF: MiPfAllocateMdls+7Cr
					; MiPfAllocateMdls+DEr	...
dword_6D348C	dd ?			; DATA XREF: .text:00449414r
					; .text:loc_44942Bw ...
dword_6D3490	dd ?			; DATA XREF: MiGetInPageSupportBlock(x)+Eo
					; MiInsertInPageBlock(x)+33o ...
dword_6D3494	dd ?			; DATA XREF: MiInsertInPageBlock(x)+29r
					; MiInitializePageFaultResources()+15w
		align 10h
dword_6D34A0	dd ?			; DATA XREF: MiGetInPageSupportBlock(x):loc_44D90Do
					; MiInsertInPageBlock(x):loc_4BC042o ...
dword_6D34A4	dd ?			; DATA XREF: MiInitializePageFaultResources()+27w
		align 10h
byte_6D34B0	db ?			; DATA XREF: MiInsertInPageBlock(x):loc_4BC01Er
					; MiInitializePageFaultResources()+40w
		align 4
dword_6D34B4	dd ?			; DATA XREF: MiInsertInPageBlock(x)+10r
					; MiInitializePageFaultResources()+53w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D34BC	dd ?			; DATA XREF: MiInsertInPageBlock(x)+19r
					; MiInitializePageFaultResources()+74w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D34C4	dd ?			; DATA XREF: MiInitializePageFaultResources()+B8w
					; MiReleaseFaultPte(x)+33r ...
dword_6D34C8	dd ?			; DATA XREF: MiInitializePageFaultResources()+B1w
					; MiReleaseFaultPte(x)+44o ...
unk_6D34CC	db    ?	;		; DATA XREF: MiReleaseFaultPte(x)+3Co
					; MiReserveFaultPte()+16o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D34D0	dd ?			; DATA XREF: .text:loc_46767Cr
					; .text:loc_467CA9r ...
dword_6D34D4	dd ?			; DATA XREF: MiPickClusterForMappedFileFault+2B4r
					; MiPickClusterForMappedFileFault:loc_4B8A03r ...
byte_6D34D8	db ?			; DATA XREF: MmAdvanceMdl(x,x)+20w
					; MiRemovePteTracker(x,x,x)+9Cr
		align 10h
dword_6D34E0	dd ?			; DATA XREF: .text:loc_44A713r
					; MiGetPageForWriteCluster(x,x,x,x,x,x,x,x)+9Fr ...
dword_6D34E4	dd ?			; DATA XREF: MiBuildReservationCluster(x,x,x,x)+577r
					; MiBuildReservationCluster(x,x,x,x)+6F2r ...
dword_6D34E8	dd ?			; DATA XREF: MiFinishHardFault(x,x,x,x)+2F3r
					; MiInitializeReadInProgressPfn(x,x,x,x,x,x)+64r ...
dword_6D34EC	dd ?			; DATA XREF: MiBuildMdlForMappedFileFault(x,x,x,x,x,x,x,x,x,x):loc_44F773r
					; MiPfPutPagesInTransition:loc_47CF31r	...
dword_6D34F0	dd ?			; DATA XREF: MiZeroPageWrite:loc_4ED767r
					; MmMdlPagesAreZero(x)+3Fr ...
dword_6D34F4	dd ?			; DATA XREF: MiCopyToCfgBitMap+38Ar
					; MiCopyToCfgBitMap:loc_779732r ...
dword_6D34F8	dd ?			; DATA XREF: MiCopyToCfgBitMap+8Cr
					; MiMapDummyPages+EAw
		align 10h
dword_6D3500	dd ?			; DATA XREF: MiSharePages(x,x,x,x,x)+744r
					; MiSharePages(x,x,x,x,x):loc_642E80r ...
dword_6D3504	dd ?			; DATA XREF: MiSharePages(x,x,x,x,x)+756r
					; MiSharePages(x,x,x,x,x)+7C0r	...
dword_6D3508	dd ?			; DATA XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+18Er
					; MiMapDummyPages+F5w
dword_6D350C	dd ?			; DATA XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+197r
					; MiMapDummyPages+FCw
dword_6D3510	dd ?			; DATA XREF: MiComputePxeWalkAction+118r
					; MiPfnsWorthTrying(x,x,x,x,x):loc_4B7470r ...
		align 8
dword_6D3518	dd ?			; DATA XREF: MiComputePxeWalkAction+FDr
					; MiComputePxeWalkAction:loc_457C7Ar ...
dword_6D351C	dd ?			; DATA XREF: MiComputePxeWalkAction+18Fr
					; MiReplacePfnWithGapMapping+20r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3540	dd ?			; DATA XREF: MiMakeSystemRangeAvailable+102o
					; MmEnforceWorkingSetLimit+92o	...
dword_6D3544	dd ?			; DATA XREF: MiTrimAllSystemPagableMemory(x,x)+61w
					; MiTrimAllSystemPagableMemory(x,x):loc_63029Cw ...
unk_6D3548	db    ?	;		; DATA XREF: MiWorkingSetManager(x,x)+1D7o
					; MiInitializeWorkingSetManagerParameters+174o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3558	dd ?			; DATA XREF: MiTrimAllSystemPagableMemory(x,x)+2Cr
					; MiTrimAllSystemPagableMemory(x,x)+9Do
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3580	dd ?			; DATA XREF: MiIsPfnEnclave+3r
					; .text:00464F12r ...
dword_6D3584	dd ?			; DATA XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x):loc_635CDCr
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+51Er ...
dword_6D3588	dd ?			; DATA XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x):loc_635BEDr
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+3B6r ...
dword_6D358C	dd ?			; DATA XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x)+404o
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+695o ...
dword_6D3590	dd ?			; DATA XREF: MiDecommitHardwareEnclavePages(x,x,x,x,x):loc_635D28o
					; MiDecommitHardwareEnclavePages(x,x,x,x,x)+50Do ...
dword_6D3594	dd ?			; DATA XREF: MiDeleteAllHardwareEnclaves()+55r
					; MiDeleteAllHardwareEnclaves()+5Bo ...
dword_6D3598	dd ?			; DATA XREF: MiCreateHardwareEnclave(x,x,x,x,x)+192r
					; MiCreateHardwareEnclave(x,x,x,x,x)+1B2w ...
dword_6D359C	dd ?			; DATA XREF: MiDeleteAllHardwareEnclaves()+4Bo
					; MiDeleteAllHardwareEnclaves()+7Do ...
unk_6D35A0	db    ?	;		; DATA XREF: MiDeleteAllHardwareEnclaves()+37o
					; MiCreateHardwareEnclave(x,x,x,x,x)+3Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D35A4	dd ?			; DATA XREF: MiDeleteCachedKernelStack+3r
					; MmCreateKernelStack+B7r ...
dword_6D35A8	dd ?			; DATA XREF: MmFreeBootRegistry()+Co
					; MmFreeBootRegistry()+7Ew ...
dword_6D35AC	dd ?			; DATA XREF: .text:0046F1FAr
					; MiFinishResume(x):loc_554931w ...
byte_6D35B0	db ?			; DATA XREF: MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x):loc_4B7153r
					; MiSwapStackPage(x,x,x,x,x,x,x)+9Fr ...
byte_6D35B1	db ?			; DATA XREF: MmSetSystemVaInformation(x,x,x):loc_9A285Cr
					; MiInitSystem:loc_AE1C8Dr ...
		align 4
dword_6D35B4	dd ?			; DATA XREF: MiInitializeUnusablePfns(x,x,x,x,x,x,x)+2C4o
					; MiCreateInitialPfns(x,x,x)+55o ...
dword_6D35B8	dd ?			; DATA XREF: .text:00450984r
					; .text:00451750r ...
dword_6D35BC	dd ?			; DATA XREF: MiLogProcessWorkingSetsStart+17r
					; MiLogProcessWorkingSetsStop+14r ...
dword_6D35C0	dd ?			; DATA XREF: MiGetNextSession(x,x)+57r
					; MiGetNextSession(x,x):loc_4C5A43o ...
dword_6D35C4	dd ?			; DATA XREF: MiInsertSessionWorkingSet(x)+6r
					; MiInsertSessionWorkingSet(x)+28w ...
dword_6D35C8	dd ?			; DATA XREF: MiSessionCreateInternal(x)+5Cr
					; MiSessionCreateInternal(x)+77r ...
dword_6D35CC	dd ?			; DATA XREF: MmResourcesAvailable(x,x,x)+171o
					; MmResourcesAvailable(x,x,x)+193o ...
dword_6D35D0	dd ?			; DATA XREF: MiFreePoolPagesLeft:loc_4D70FCr
					; MiFreePoolPagesLeft+5Er ...
dword_6D35D4	dd ?			; DATA XREF: MiCountSystemPool+48o
					; MiFreePoolPagesLeft+56r ...
dword_6D35D8	dd ?			; DATA XREF: MmGetMaximumNonPagedPoolInBytes()r
					; MiInitializeNonPagedPoolThresholds+30r ...
dword_6D35DC	dd ?			; DATA XREF: MmWriteTriageInformation(x)+50r
					; MiBuildPagedPool()+1Ew ...
dword_6D35E0	dd ?			; DATA XREF: MiDeleteProcessShadow+1A3o
					; MiCopyToUserVa(x,x,x,x)+364o	...
dword_6D35E4	dd ?			; DATA XREF: MiCheckProcessorPteCache+22Er
					; MiCheckProcessorPteCache:loc_480881r	...
dword_6D35E8	dd ?			; DATA XREF: MiCheckProcessorPteCache+104r
					; MiCheckPteRelease(x,x)+5Fr ...
dword_6D35EC	dd ?			; DATA XREF: MiInitializeSystemPtes+D6w
					; MiInitializeSystemPtes+186w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D35F8	dd ?			; DATA XREF: MmMapLockedPagesSpecifyCache+134E5Cw
unk_6D35FC	db    ?	;		; DATA XREF: MiCheckProcessorPteCache+13419Do
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3600	db    ?	;		; DATA XREF: MiInitializeSystemPtes+16Do
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3604	dd ?			; DATA XREF: MiCheckProcessorPteCache+201r
					; MiCheckProcessorPteCache+39Bw
dword_6D3608	dd ?			; DATA XREF: MiCheckProcessorPteCache:loc_4807A7r
					; MiCheckProcessorPteCache+1341F7r ...
dword_6D360C	dd ?			; DATA XREF: MiInitializeSystemPtes+DDw
dword_6D3610	dd ?			; DATA XREF: MiCheckProcessorPteCache+38Ao
					; MmGetNumberOfFreeSystemPtes()+10r ...
unk_6D3614	db    ?	;		; DATA XREF: MiObtainPoolCharges(x,x)+23o
					; MiReturnPoolCharges(x,x)+38o	...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3618	db    ?	;		; DATA XREF: MiObtainPoolCharges(x,x):loc_49AA86o
					; MiReturnPoolCharges(x,x):loc_4A17EDo
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D361C	dd ?			; DATA XREF: MiDeleteBootRange+1C9w
					; MiInitializeCommitment+112w ...
dword_6D3620	dd ?			; DATA XREF: MiFreePagesFromMdl(x,x)+29Ao
					; MiFreePagesFromMdl(x,x)+31Do	...
unk_6D3624	db    ?	;		; DATA XREF: MiReturnSystemCharges(x,x,x)+27o
					; MiObtainSystemCharges+47o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3628	db    ?	;		; DATA XREF: MiDeleteKernelStack(x,x)+CCo
					; MmCreateKernelStack+314o ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D362C	db    ?	;		; DATA XREF: MiFreeInitializationCode+DEo
					; MmLoadSystemImageEx(x,x,x,x,x,x)+29Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
byte_6D3630	db ?			; DATA XREF: MiInitializeSystemDefaults+Cw
		align 4
dword_6D3634	dd ?			; DATA XREF: MiReturnSystemCharges(x,x,x):loc_497564o
					; MiObtainSystemCharges:loc_49A7C6o ...
		align 10h
unk_6D3640	db    ?	;		; DATA XREF: MiGetAnyMultiplexedVm(x)+14o
					; MmGetWorkingSetLeafSize(x)+23o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3690	dd ?			; DATA XREF: MiInitializeSystemWorkingSetList+A0FC3r
		align 10h
byte_6D36A0	db ?			; DATA XREF: MiInitializeSystemCache(x)+24r
					; MiInitializeSystemCache(x)+34w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3740	db    ?	;		; DATA XREF: MiReturnSystemVa(x,x,x,x)+163o
					; MiGetNextPageTable:loc_437898o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6D37A0	db ?			; DATA XREF: .text:loc_4BFFEBr
					; MiDeleteBootRange+50r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D37C0	db    ?	;		; DATA XREF: MiDeleteBootRange+3Eo
					; MiDeleteBootRange+BFo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3840	db    ?	;		; DATA XREF: MiReturnSystemVa(x,x,x,x):loc_4326F3o
					; MiMakeSystemAddressValid:loc_44D7D2o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3940	db    ?	;		; DATA XREF: MiReturnSystemVa(x,x,x,x):loc_432612o
					; MiMakeZeroedPageTablesEx:loc_4C476Ao	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3994	dd ?			; DATA XREF: PspStorageEmptyArrayNonReadonly+95r
					; PspStorageEmptyArrayNonReadonly+A9r ...
		align 10h
byte_6D39A0	db ?			; DATA XREF: MiInitializeSystemPtes+E2r
					; MiInitializeSystemPtes+F2w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3A40	db    ?	;		; DATA XREF: MiReturnSystemVa(x,x,x,x)+1A0o
					; MiProbeAndLockPrepare+306o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3B40	db    ?	;		; DATA XREF: MiReturnSystemVa(x,x,x,x)+66o
					; MiProbeAndLockPrepare+25Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3C40	db    ?	;		; DATA XREF: MmEnforceWorkingSetLimit+70o
					; MiDeleteProcessShadow+4Bo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3C48	db    ?	;		; DATA XREF: MmQueryCommitReleaseState+D4015o
					; MiReleaseCommitForResetPages(x)+3Fo
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3C4C	db    ?	;		; DATA XREF: MmQueryCommitReleaseState+D400Do
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3C50	db    ?	;		; DATA XREF: MmOutSwapWorkingSet+F70C2o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3C54	db    ?	;		; DATA XREF: MiIssueHardFault(x,x)+1E5o
					; .text:004490E0o ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3C58	db    ?	;		; DATA XREF: MiAllocateAccessLog:loc_535BA8o
					; MiEmptyAccessLogs+A4o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3C5C	db    ?	;		; DATA XREF: MiUpdateChargedWsles(x,x)+7o
					; MiMakeZeroedPageTablesEx+26Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3C60	db    ?	;		; DATA XREF: MiDeleteWsleRange(x,x,x,x)+1Do
					; MiAllocateWsle(x,x,x,x,x,x,x,x)+384o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3C80	db    ?	;		; DATA XREF: MiCopyOnWrite(x,x,x,x)+552o
					; MiAgePte(x,x,x)+61o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3CC0	dd ?			; DATA XREF: MmMapViewInSystemCache:loc_5BE51Ew
					; MmMapViewInSystemCache+117BF5w ...
dword_6D3CC4	dd ?			; DATA XREF: MiGetFileHashPage+6Dw
					; MiFreePageFileHashPfns(x)+C8o ...
unk_6D3CC8	db    ?	;		; DATA XREF: MiGetHighestPteConsumer(x)+2Co
					; MiGetHighestPteConsumer(x)+7Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3D48	dd ?			; DATA XREF: MiGetHighestPteConsumer(x)+E0o
					; MiInsertPteTracker(x,x,x,x)+18Cw ...
dword_6D3D4C	dd ?			; DATA XREF: MiInsertPteTracker(x,x,x,x)+192r
					; MiInsertPteTracker(x,x,x,x)+198w ...
dword_6D3D50	dd ?			; DATA XREF: MiInsertPteTracker(x,x,x,x)+19Dr
					; MiInsertPteTracker(x,x,x,x)+1A5w
dword_6D3D54	dd ?			; DATA XREF: MiRecycleSystemRegionVa(x,x)+57w
					; MiObtainSystemVa+ACw	...
dword_6D3D58	dd ?			; DATA XREF: MiObtainSessionVa+CDr
					; MiObtainSessionVa+DAw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3D68	dd ?			; DATA XREF: MiAllocateAccessLog+3Cr
					; MiShouldTrimUnusedSegments()+27r
dword_6D3D6C	dd ?			; DATA XREF: MiShouldTrimUnusedSegments()+34r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D3D94	dd ?			; DATA XREF: MiCopyTopLevelMappings(x,x):loc_436905r
					; MiObtainSessionVa+66r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D3F9C	db    ?	;		; DATA XREF: MiInitializeDynamicVa+99o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4194	dd ?			; DATA XREF: MiObtainSystemVa+FFF57w
					; MiObtainSystemVa:loc_5C4ACAw	...
dword_6D4198	dd ?			; DATA XREF: MiObtainSessionVa+100A31w
					; MiObtainSessionVa+100AA0w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D41D4	dd ?			; DATA XREF: MiObtainSystemVa+4Dr
					; MiFreePoolPagesLeft+6r ...
dword_6D41D8	dd ?			; DATA XREF: MiObtainSessionVa+48r
					; MiSessionPoolVaRemaining()+1Fr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D41E8	dd ?			; DATA XREF: MiAllocateAccessLog+36r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4214	dd ?			; DATA XREF: MiObtainSystemVa:loc_4C4BA8r
					; MiObtainSystemVa:loc_4C4C0Cw	...
dword_6D4218	dd ?			; DATA XREF: MiObtainSessionVa:loc_4C3EADr
					; MiObtainSessionVa:loc_4C3F51w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4254	dd ?			; DATA XREF: MiRecycleSystemRegionVa(x,x)+5Ew
					; MmMapLockedPagesSpecifyCache:loc_47F86Dr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PfTGlobals
_PfTGlobals	db    ?	;		; DATA XREF: ExInitializeNPagedLookasideListInternal+101o
					; ExInitializeNPagedLookasideListInternal+13Eo	...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4284	dd ?			; DATA XREF: PfProcessCreateNotification+15r
					; PfSetSuperfetchInformation+4C5r ...
dword_6D4288	dd ?			; DATA XREF: PfTSetTracingPriority(x)+24r
unk_6D428C	db    ?	;		; DATA XREF: PfTSetTracingPriority(x)+12o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D4290	db    ?	;		; DATA XREF: PfpCopyEvent+EAo
					; PfpFlushBuffers:loc_76B055o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D42A0	dd ?			; DATA XREF: PfpFlushBuffers:loc_76AFF5r
					; PfpFlushBuffers+2EAr	...
		align 8
unk_6D42A8	db    ?	;		; DATA XREF: PfpLogPageAccess:loc_76B5DDo
					; PfpLogPageAccess:loc_76B5FCo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D42B8	dd ?			; DATA XREF: PfpCopyEvent+B2r
					; PfpLogPageAccess:loc_76B0F0r	...
dword_6D42BC	dd ?			; DATA XREF: PfTCreateTraceDump+21r
					; PfTCreateTraceDump+71r ...
dword_6D42C0	dd ?			; DATA XREF: ExInitializeNPagedLookasideListInternal+10Fr
					; PfPowerActionNotify+E8o ...
unk_6D42C4	db    ?	;		; DATA XREF: PfTReplaceCurrentBuffer+42o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D42F8	dd ?			; DATA XREF: PfTGenerateTrace()+29w
					; PfTLoggingWorker+6Ew	...
dword_6D42FC	dd ?			; DATA XREF: PfTGenerateTrace()+2Ew
					; PfTLoggingWorker+75w	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D4320	db    ?	;		; DATA XREF: PfFileInfoNotify+3B9o
					; PfFileInfoNotify+643o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D4380	db    ?	;		; DATA XREF: PfLogEvent+28o
					; PfFileInfoNotify+183o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D4388	db    ?	;		; DATA XREF: PfFileInfoNotify:loc_4AF260o
					; PfFileInfoNotify+112BA2o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D4390	db    ?	;		; DATA XREF: PfFileInfoNotify:loc_4AEF40o
					; PfFileInfoNotify+112B3Do
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D43B8	dd ?			; DATA XREF: PfFileInfoNotify+112B2Fr
dword_6D43BC	dd ?			; DATA XREF: PfFileInfoNotify+112B5Cr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D43C4	dd ?			; DATA XREF: PfFileInfoNotify:loc_5C1944w
dword_6D43C8	dd ?			; DATA XREF: PfFileInfoNotify+112BBAw
		align 10h
unk_6D43D0	db    ?	;		; DATA XREF: PfTFullEventListAdd+5o
					; PfpFlushEventBuffers+1Ao
		db    ?	;
		db    ?	;
		db    ?	;
word_6D43D4	dw ?			; DATA XREF: PfpEventHandleFullBuffer(x)+1Cr
					; PfTFullEventListAdd:loc_43FCB3r
		align 4
dword_6D43D8	dd ?			; DATA XREF: PfTFullEventListAdd+18r
unk_6D43DC	db    ?	;		; DATA XREF: PfGetCompletedTrace:loc_76D7D1o
					; PAGE:0076D85Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D43E4	db    ?	;		; DATA XREF: PfGetCompletedTrace+4Do
					; PAGE:0076D8F0o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D43EC	dd ?			; DATA XREF: PFP_CAN_DO_ACCESS_LOGGING()r
					; PfGetCompletedTrace+18Eo ...
dword_6D43F0	dd ?			; DATA XREF: PFP_CAN_DO_ACCESS_LOGGING()+5r
					; PAGE:0076D861r ...
dword_6D43F4	dd ?			; DATA XREF: PfFileInfoNotify+46r
					; PfFileInfoNotify:loc_4AEE1Er	...
dword_6D43F8	dd ?			; DATA XREF: PfFileInfoNotify+4Br
					; PfFileInfoNotify+93r	...
dword_6D43FC	dd ?			; DATA XREF: PfGetCompletedTrace+2Fr
					; PfGetCompletedTrace:loc_76D7E9w ...
unk_6D4400	db    ?	;		; DATA XREF: PfGetCompletedTrace+23o
					; PfGetCompletedTrace+150o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4420	dd ?			; DATA XREF: PAGE:0076D8BFr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D4480	db    ?	;		; DATA XREF: MiQueuePageAccessLog(x)+8Eo
					; MiEmptyPageAccessLog+44Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4484	dd ?			; DATA XREF: PfLogEvent+92o
					; PfpEventHandleOutOfBuffers(x)+16w ...
dword_6D4488	dd ?			; DATA XREF: PAGE:loc_8D8A0Cw
dword_6D448C	dd ?			; DATA XREF: PfpSectInfoHandleFullBuffer(x)+5Ar
					; PAGE:loc_8D8A01w
unk_6D4490	db    ?	;		; DATA XREF: PfTTraceListTrim(x,x,x)+2Do
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4494	dd ?			; DATA XREF: PfFileInfoNotify+51Fw
					; PfpSectInfoHandleFullBuffer(x)+62r ...
		align 10h
dword_6D44A0	dd ?			; DATA XREF: PfTGenerateTrace()+19w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopCsConsumption dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+F2r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+11Bw	...
		align 8
dword_6D44C8	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+6Er
					; PopCalculateCsSummary(x,x)+AAr ...
dword_6D44CC	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+78r
					; PopCalculateCsSummary(x,x)+9Dr ...
dword_6D44D0	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+164r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+123w
dword_6D44D4	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+183r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+12Bw
dword_6D44D8	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+1B8r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+13Bw
dword_6D44DC	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+1ACr
					; PopCaptureSleepStudyStatistics(x,x,x,x)+143w
dword_6D44E0	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+198r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+133w
		align 8
dword_6D44E8	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+379r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+18Aw
dword_6D44EC	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+381r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+190w
dword_6D44F0	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+3C7r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+196w
dword_6D44F4	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+3B8r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+19Cw
dword_6D44F8	dd ?			; DATA XREF: PopPdcIdleResiliencyCallback(x,x)+5Aw
					; PopPdcIdleResiliencyCallback(x,x)+97r
dword_6D44FC	dd ?			; DATA XREF: PopPdcIdleResiliencyCallback(x,x)+60w
					; PopPdcIdleResiliencyCallback(x,x)+9Er
dword_6D4500	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+251r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+17Ew	...
dword_6D4504	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+248r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+184w	...
dword_6D4508	dd ?			; DATA XREF: PdcPoCurrentPdcPhase(x,x,x)+57w
					; PdcPoCurrentPdcPhase(x,x,x):loc_65627Br
dword_6D450C	dd ?			; DATA XREF: PdcPoCurrentPdcPhase(x,x,x)+4Ew
					; PdcPoCurrentPdcPhase(x,x,x)+77r
dword_6D4510	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+25Cr
					; PopCalculateCsSummary(x,x)+27Br ...
dword_6D4514	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+270r
					; PopCalculateCsSummary(x,x)+284r ...
dword_6D4518	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+293r
					; PopAudioAccountingCallback:loc_8586F6w ...
dword_6D451C	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+267r
					; PopAudioAccountingCallback+33w ...
dword_6D4520	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+2A0r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+1C6w	...
dword_6D4524	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+28Ar
					; PopCaptureSleepStudyStatistics(x,x,x,x)+1CCw	...
dword_6D4528	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+FCr
					; PopPdcIdleResiliencyCallback(x,x)+3Bo
dword_6D452C	dd ?			; DATA XREF: PopDripsWatchdogStartWatchdog()+115r
dword_6D4530	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+300r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+1D2w	...
dword_6D4534	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+2F7r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+1D8w
unk_6D4538	db    ?	;		; DATA XREF: PopUpdateNonAttributedCpuTimeReference(x)+4Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4540	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+320r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+1DEw	...
dword_6D4544	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+317r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+1E4w
dword_6D4548	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+5D5r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+1AEw	...
dword_6D454C	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+5E0r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+1B4w	...
dword_6D4550	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+5EBr
					; PopCaptureSleepStudyStatistics(x,x,x,x)+1BAw	...
dword_6D4554	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+5F6r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+1C0w	...
dword_6D4558	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+19Er
					; PopCaptureSleepStudyStatistics(x,x,x,x)+14Bw
dword_6D455C	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+189r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+153w
dword_6D4560	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+373r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+15Bw
dword_6D4564	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+390r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+163w
dword_6D4568	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+39Fr
					; PopCaptureSleepStudyStatistics(x,x,x,x)+16Bw
dword_6D456C	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+3ABr
					; PopCaptureSleepStudyStatistics(x,x,x,x)+173w
dword_6D4570	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+53Er
					; PopCaptureSleepStudyStatistics(x,x,x,x)+358w
dword_6D4574	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+549r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+374w
byte_6D4578	db ?			; DATA XREF: PopCalculateCsSummary(x,x)+554r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+37Cw
		align 4
dword_6D457C	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+55Fr
					; PopCaptureSleepStudyStatistics(x,x,x,x)+39Ew
byte_6D4580	db ?			; DATA XREF: PopCalculateCsSummary(x,x)+33Dr
					; PopCaptureSleepStudyStatistics(x,x,x,x)+296r	...
byte_6D4581	db ?			; DATA XREF: PopCalculateCsSummary(x,x)+511r
					; PopCalculateCsSummary(x,x)+521r ...
		align 4
dword_6D4584	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+56Ar
					; PopCaptureSleepStudyStatistics(x,x,x,x)+46Dw
dword_6D4588	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+575r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+477w
byte_6D458C	db ?			; DATA XREF: PopCalculateCsSummary(x,x)+580r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+20Ew	...
		align 10h
dword_6D4590	dd ?			; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+217w
					; PopDiagTraceCsEnterReason(x,x,x)+2Cr	...
byte_6D4594	db ?			; DATA XREF: PopCalculateCsSummary(x,x)+5A3r
					; PopCaptureSleepStudyStatistics(x,x,x,x):loc_651426w
byte_6D4595	db ?			; DATA XREF: PopCalculateCsSummary(x,x)+5AEr
					; PopCaptureSleepStudyStatistics(x,x,x,x)+3ADw
		align 4
dword_6D4598	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+5B9r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+3ECw
dword_6D459C	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+5C4r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+408w
dword_6D45A0	dd ?			; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+1EAw
dword_6D45A4	dd ?			; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+1F0w
dword_6D45A8	dd ?			; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+1F6w
dword_6D45AC	dd ?			; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+1FCw
dword_6D45B0	dd ?			; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+202w
dword_6D45B4	dd ?			; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+208w
dword_6D45B8	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+3F4r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+4DAw
dword_6D45BC	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+601r
					; PopCaptureSleepStudyStatistics(x,x,x,x)+300w
dword_6D45C0	dd ?			; DATA XREF: PopCalculateCsSummary(x,x)+60Cr
					; PopCaptureSleepStudyStatistics(x,x,x,x)+306w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4600	dd ?			; DATA XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+B34r
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+B59o	...
dword_6D4604	dd ?			; DATA XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+B3Ar
					; PopCalculateCsSummary(x,x)+1E1r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4640	dd ?			; DATA XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+B46r
					; PopFxEnablePlatformStates(x)+18o ...
dword_6D4644	dd ?			; DATA XREF: PopUpdateNonAttributedCpuTimeReference(x)+25r
					; PopUpdateNonAttributedCpuTimeReference(x)+2Cw ...
dword_6D4648	dd ?			; DATA XREF: PopUpdateNonAttributedCpuTimeReference(x)+10o
					; PoInitSystem+212w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PfGlobals
_PfGlobals	db    ?	;		; DATA XREF: PfpPrefetchSharedStart(x)+C6o
					; PfpPrefetchSharedCleanup(x)+18o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4684	dd ?			; DATA XREF: PfSetSuperfetchInformation+137531r
					; PfInitializeSuperfetch()+78r
unk_6D4688	db    ?	;		; DATA XREF: PfInitializeSuperfetch()+90o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D4690	db    ?	;		; DATA XREF: PfInitializeSuperfetch()+97o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D46A0	db    ?	;		; DATA XREF: PfInitializeSuperfetch()+85o
		db    ?	;
		db    ?	;
		db    ?	;
byte_6D46A4	db ?			; DATA XREF: PAGE:0077D43Eo
					; PfTStart+20r	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D46AC	dd ?			; DATA XREF: PfTStart+1B4r
dword_6D46B0	dd ?			; DATA XREF: PfTStart+18Cr
dword_6D46B4	dd ?			; DATA XREF: PfPowerActionNotify:loc_729765r
dword_6D46B8	dd ?			; DATA XREF: PfPowerActionNotify+10Fr
dword_6D46BC	dd ?			; DATA XREF: PfPowerActionNotify+118r
dword_6D46C0	dd ?			; DATA XREF: PfSnCheckScenario(x,x)r
					; PfSnQueryPrefetcherInformation+C3o ...
dword_6D46C4	dd ?			; DATA XREF: PfTStart+8B21Er
					; PfSnDetermineEnablePrefetcher+82ED4w
unk_6D46C8	db    ?	;		; DATA XREF: PfSnBeginTrace+123o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D46E8	dd ?			; DATA XREF: PfSnBeginTrace+13r
					; PfSnBeginScenario+72r
dword_6D46EC	dd ?			; DATA XREF: PfSnEndTrace+FEr
unk_6D46F0	db    ?	;		; DATA XREF: PfSnGetPrefetchInstructions+69o
					; PfSnGetPrefetchInstructions+ADo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; wchar_t word_6D4750
word_6D4750	dw ?			; DATA XREF: PfSnIsHostingApplication+3Bo
					; PfSnIsHostingApplication+53o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4850	dd ?			; DATA XREF: PfSnEndTrace:loc_76A918r
					; KiSchedulerApcTerminate+84r ...
dword_6D4854	dd ?			; DATA XREF: PfSnTraceTimerRoutine+95r
					; PfSnEndTrace+52r
unk_6D4858	db    ?	;		; DATA XREF: PfSnGetPrefetchInstructions+5Fo
					; PfSnGetPrefetchInstructions+C3o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D486C	dd ?			; DATA XREF: PFP_TICKS_TO_TIME(x,x)+33r
					; PfFileInfoNotify+195r ...
; void unk_6D4870
unk_6D4870	db    ?	;		; DATA XREF: PfPowerActionNotify:loc_71FC63o
					; PfPowerActionNotify+130o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D488C	dd ?			; DATA XREF: PfPowerActionNotify+89r
					; PfPowerActionNotify+109r ...
dword_6D4890	dd ?			; DATA XREF: PfPowerActionNotify+9B69r
					; PfpProcessScenarioPhase+85r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D48A8	dd ?			; DATA XREF: PfpServiceMainThreadUnboost:loc_553069r
					; PfpServiceMainThreadUnboost+37w ...
dword_6D48AC	dd ?			; DATA XREF: PfpServiceMainThreadUnboost+31r
unk_6D48B0	db    ?	;		; DATA XREF: PfpServiceMainThreadUnboost+10o
					; PfpServiceMainThreadUnboost+4Bo ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D48B4	dd ?			; DATA XREF: PfpPowerActionDpcRoutine+25r
					; PfpServiceMainThreadUnboost:loc_5DE954r
dword_6D48B8	dd ?			; DATA XREF: PfpPowerActionDpcRoutine:loc_5586FFr
					; PfpStartLoggingHardFaultEvents+3Er ...
		align 10h
; void unk_6D48C0
unk_6D48C0	db    ?	;		; DATA XREF: PfFileInfoNotify+386o
					; PfFileInfoNotify+5CCo ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D48C4	dd ?			; DATA XREF: PfCheckDeprioritizeFile+3Ar
dword_6D48C8	dd ?			; DATA XREF: PfCheckDeprioritizeFile+85r
dword_6D48CC	dd ?			; DATA XREF: PfCheckDeprioritizeFile+2Fr
					; PfCheckDeprioritizeFile+B2w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D48DC	db    ?	;		; DATA XREF: PfCheckDeprioritizeFile+1Do
					; PfCheckDeprioritizeFile+BBo ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D48E0	dd ?			; DATA XREF: PfCheckDeprioritizeFile+147r
dword_6D48E4	dd ?			; DATA XREF: PfCheckDeprioritizeFile+135r
dword_6D48E8	dd ?			; DATA XREF: PfCheckDeprioritizeFile+FFr
		align 10h
dword_6D48F0	dd ?			; DATA XREF: PfCheckDeprioritizeFile+E1r
					; PfCheckDeprioritizeFile+1E8w
unk_6D48F4	db    ?	;		; DATA XREF: PfCheckDeprioritizeFile+EDo
					; PfCheckDeprioritizeFile+168o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D48F8	dd ?			; DATA XREF: PfCheckDeprioritizeImage(x)+77r
dword_6D48FC	dd ?			; DATA XREF: PfCheckDeprioritizeImage(x)+68r
dword_6D4900	dd ?			; DATA XREF: PfCheckDeprioritizeImage(x)+33r
		align 8
unk_6D4908	db    ?	;		; DATA XREF: PfCheckDeprioritizeImage(x)+25o
					; PfCheckDeprioritizeImage(x):loc_789F16o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D4910	db    ?	;		; DATA XREF: PfpParametersPropagate(x)+8Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4918	dd ?			; DATA XREF: PfGetCompletedTrace+F1r
					; PfCheckDeprioritizeFile+159o
dword_6D491C	dd ?			; DATA XREF: PfGetCompletedTrace+FAr
dword_6D4920	dd ?			; DATA XREF: PfProcessCreateNotification+2Br
					; PfProcessCreateNotification:loc_76CF6Er ...
		align 8
dword_6D4928	dd ?			; DATA XREF: PfFileInfoNotify+789r
					; PfFileInfoNotify+973w ...
unk_6D492C	db    ?	;		; DATA XREF: PfSnActivateTrace+9o
					; PfFileInfoNotify+96Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4930	dd ?			; DATA XREF: PfFileInfoNotify+778o
					; PfFileInfoNotify+987o ...
dword_6D4934	dd ?			; DATA XREF: PfFileInfoNotify+7A4o
					; PfFileInfoNotify+7CFo ...
dword_6D4938	dd ?			; DATA XREF: PfFileInfoNotify+11256Ar
					; PfFileInfoNotify+11256Fo ...
dword_6D493C	dd ?			; DATA XREF: PfInitializeSuperfetch()+52w
dword_6D4940	dd ?			; DATA XREF: PfFileInfoNotify+7B2w
					; PfFileInfoNotify+112563w ...
dword_6D4944	dd ?			; DATA XREF: PfpPrefetchSharedConflictNotifyStart(x,x,x)+9w
dword_6D4948	dd ?			; DATA XREF: PAGE:0077D359r
					; PfpUpdateRepurposedByPrefetch(x,x):loc_7F59BCo
		align 10h
_PfSnGlobals	dd ?			; DATA XREF: PfSnActivateTrace+52o
					; PfSnActiveTraceGetNext:loc_4F9F1Do ...
dword_6D4954	dd ?			; DATA XREF: PfSnActivateTrace+49r
					; PfSnActivateTrace+6Aw ...
dword_6D4958	dd ?			; DATA XREF: PfSnActivateTrace+2Ao
					; PfSnActivateTrace+76o ...
dword_6D495C	dd ?			; DATA XREF: PfSnEndTrace+D9o
					; PfSnEndTrace:loc_76A779r ...
dword_6D4960	dd ?			; DATA XREF: PfSnEndTrace+D4r
					; PfSnEndTrace+F2w ...
dword_6D4964	dd ?			; DATA XREF: PfSnEndTrace+BBo
					; PfSnEndTrace:loc_76A72Co ...
dword_6D4968	dd ?			; DATA XREF: PfSnInitializePrefetcher()+47w
dword_6D496C	dd ?			; DATA XREF: PfSnInitializePrefetcher()+4Dw
unk_6D4970	db    ?	;		; DATA XREF: PfSnInitializePrefetcher()+29o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4984	dd ?			; DATA XREF: PfSnEndTrace+EDr
					; PfSnEndTrace:loc_76A71Fw ...
dword_6D4988	dd ?			; DATA XREF: PfSnEndTrace+C7r
					; PfSnCheckScenario(x,x):loc_76D13Cr ...
dword_6D498C	dd ?			; DATA XREF: PfSnEndTrace+110r
					; sub_8FA803+4Br ...
dword_6D4990	dd ?			; DATA XREF: PfSnEndTrace+391w
					; PfSnBeginScenario+69w ...
; void unk_6D4994
unk_6D4994	db    ?	;		; DATA XREF: KiSchedulerApcTerminate+24Eo
					; PfSnPrefetchCacheEntryUpdate(x)+AEo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D49A4	dd ?			; DATA XREF: PfSnPrefetchCacheEntryUpdate(x)+88r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D49AC	db    ?	;		; DATA XREF: KiSchedulerApcTerminate+237o
					; KiSchedulerApcTerminate:loc_76C416o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D49E8	dd ?			; DATA XREF: PfSnBeginBootPhase:loc_71B13Bo
					; PfSnLogPrefetchSectionsStop+40r ...
dword_6D49EC	dd ?			; DATA XREF: PfSnLogPrefetchSectionsStop+48r
					; PfSnLogGetReadListsStop+25r ...
dword_6D49F0	dd ?			; DATA XREF: PfFileInfoNotify+B66r
					; PfSnUpdatePrefetcherFlags+20r ...
unk_6D49F4	db    ?	;		; DATA XREF: PfSnPowerBoostUpdate(x)+9o
		db    ?	;
		db    ?	;
		db    ?	;
_PopBsdPowerTransition dd ?		; DATA XREF: PopBsdHandleRequest(x)+Eo
					; PopBsdUpdateWorker(x)+61o ...
dword_6D49FC	dd ?			; DATA XREF: PopClearSleepMarker()+2Aw
					; PopClearConnectedStandbyMarker(x)+3Cw ...
byte_6D4A00	db ?			; DATA XREF: PopSetSleepMarker(x)+4Cr
					; PopSetSleepMarker(x)+5Fw ...
		align 2
byte_6D4A02	db ?			; DATA XREF: PopRecordBatteryLevel(x)+2Er
					; PopRecordBatteryLevel(x)+3Aw	...
byte_6D4A03	db ?			; DATA XREF: PoClearTransitionMarker()+D1r
					; PoClearTransitionMarker()+D8w ...
word_6D4A04	dw ?			; DATA XREF: PopSetSleepMarker(x)+58w
byte_6D4A06	db ?			; DATA XREF: PopSetSleepMarker(x)+64r
					; PopSetSleepMarker(x)+70w ...
byte_6D4A07	db ?			; DATA XREF: PopRecordAcDcState(x)+2Er
					; PopRecordAcDcState(x)+3Aw ...
unk_6D4A08	db    ?	;		; DATA XREF: PopUpdateBsdPowerTransitionReferenceTime()+3o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4A10	dd ?			; DATA XREF: PopUpdateBsdPowerTransitionReferenceTime()+18w
dword_6D4A14	dd ?			; DATA XREF: PoClearTransitionMarker()+CCw
_PopBsdPhysicalPowerButtonInfo dd ?	; DATA XREF: PopBsdUpdateWorker(x)+8Do
					; PopRecordLongPowerButtonPressDetected(x)+67o	...
dword_6D4A1C	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+80w
dword_6D4A20	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+99w
word_6D4A24	dw ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+8Ew
byte_6D4A26	db ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+A5w
byte_6D4A27	db ?			; DATA XREF: PopRecordLongPowerButtonPressDetected(x)+3Dr
					; PopRecordLongPowerButtonPressDetected(x)+4Ew	...
dword_6D4A28	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+111w
dword_6D4A2C	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+117w
dword_6D4A30	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+123w
word_6D4A34	dw ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+13Bw
word_6D4A36	dw ?			; DATA XREF: PopWriteBsdPoInfo(x,x)+5Ar
					; PopWriteBsdPoInfo(x,x)+6Cw
byte_6D4A38	db ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+CDw
		align 4
dword_6D4A3C	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+D7w
dword_6D4A40	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+E1w
dword_6D4A44	dd ?			; DATA XREF: PopRecordPhysicalPowerButton(x)+EBw
_PopDeviceIdleSync dd ?			; DATA XREF: PopPrepChildWake+8A444w
					; PopDeviceIdleCompletion(x,x,x,x,x)+24r ...
dword_6D4A4C	dd ?			; DATA XREF: PopPrepChildWake+157r
					; PopScanIdleList(x,x,x)+18Bw ...
byte_6D4A50	db ?			; DATA XREF: PopPrepChildWake+150w
					; PopResumeDeviceIdle+22w ...
		align 4
_PopHiberBootForceMonitorOff db	?	; DATA XREF: NtPowerInformation+F96o
					; NtPowerInformation+132Bw ...
		align 4
_EtwpCoverageLockOwner dd ?		; DATA XREF: EtwpCoverageFlushWorkItemCallback(x)+52w
					; EtwpCoverageFlushWorkItemCallback(x):loc_7E175Fw ...
_CCSwapNumLoggersPerClockType dd ?	; DATA XREF: EtwpCCSwapStop(x,x)+47w
					; EtwpCCSwapInitializeProcessor:loc_88A438r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopInitSystemCompletedEnoughForReInitRoutines db ?
					; DATA XREF: IoRaiseInformationalHardError(x,x,x)+5r
					; IopCallDriverReinitializationRoutines(x)+Br ...
		align 4
_KseEngine	dd ?			; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+264o
					; KseShimDriverIoCallbacks+4Br	...
dword_6D4A78	dd ?			; DATA XREF: KseShimDriverIoCallbacks+42r
					; KseDriverLoadImage(x)+3Er ...
dword_6D4A7C	dd ?			; DATA XREF: KseDriverLoadImage(x)+C1w
					; KseInitialize+2021Ew	...
unk_6D4A80	db    ?	;		; DATA XREF: KseRegisterShimEx+96o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4A84	dd ?			; DATA XREF: KseRegisterShimEx+AAr
					; KseRegisterShimEx+C1w
unk_6D4A88	db    ?	;		; DATA XREF: KsepGetShimsForDriver+AFC60o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4A8C	dd ?			; DATA XREF: KsepGetShimsForDriver+AFC5Ar
					; KsepGetShimsForDriver+AFC7Dw
unk_6D4A90	db    ?	;		; DATA XREF: KsepIsModuleShimmed+33o
					; KsepIsModuleShimmed+50o ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D4A94	db    ?	;		; DATA XREF: KseRegisterShimEx+E6o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4A9C	dd ?			; DATA XREF: KsepDbCacheQueryDevice+2Fr
					; KsepDbCacheQueryDevice+44r ...
dword_6D4AA0	dd ?			; DATA XREF: KseAddHardwareId+9r
					; KseLookupHardwareId(x)+Ar
dword_6D4AA4	dd ?			; DATA XREF: KseDriverLoadImage(x)+CEw
dword_6D4AA8	dd ?			; DATA XREF: BgkpLockBgfxCodeSection+39w
					; BgkpUnlockBgfxCodeSection+26r ...
dword_6D4AAC	dd ?			; DATA XREF: BgkNotifyDisplayOwnershipChange+BEr
					; BgkNotifyDisplayOwnershipChange+F3w ...
dword_6D4AB0	dd ?			; DATA XREF: BgkpLockBgfxCodeSection+26r
					; BgkpLockBgfxCodeSection+3Er ...
dword_6D4AB4	dd ?			; DATA XREF: BgkResumeInitialize()+3r
					; PopInvokeSystemStateHandler+506r ...
byte_6D4AB8	db ?			; DATA XREF: BgkNotifyDisplayOwnershipChange+17r
					; BgkResumeInitialize()+9w ...
		align 4
_CrashdmpCallTable dd ?			; DATA XREF: IopLoadCrashdumpDriver+8Do
					; IopLoadCrashdumpDriver+ABw
dword_6D4AC0	dd ?			; DATA XREF: IopLoadCrashdumpDriver+B5w
dword_6D4AC4	dd ?			; DATA XREF: IopInitializeCrashDump+7Er
dword_6D4AC8	dd ?			; DATA XREF: IoGetDumpStack(x,x,x,x)+1Fr
dword_6D4ACC	dd ?			; DATA XREF: IoInitializeDumpStack(x,x)+Er
dword_6D4AD0	dd ?			; DATA XREF: PopFreeHiberContext+D4r
dword_6D4AD4	dd ?			; DATA XREF: IopDisableCrashDump()+Ar
dword_6D4AD8	dd ?			; DATA XREF: IoNotifyDump(x)r
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+F4r
dword_6D4ADC	dd ?			; DATA XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+3C3r
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+427r ...
dword_6D4AE0	dd ?			; DATA XREF: IoUpdateDumpPhysicalRanges()+41r
dword_6D4AE4	dd ?			; DATA XREF: IoDumpStackResumeCapable(x)+Br
dword_6D4AE8	dd ?			; DATA XREF: IoGetDumpStackTransferSizes+Dr
		align 10h
dword_6D4AF0	dd ?			; DATA XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+101r
dword_6D4AF4	dd ?			; DATA XREF: IopInitializeCrashDump:loc_92DD69r
_CrashdmpImageBase dd ?			; DATA XREF: IoGetDumpHiberRanges:loc_5533B8r
					; IoGetDumpHiberRanges+67r ...
_CrashdmpImageEntry dd ?		; DATA XREF: IoDumpStackResumeCapable(x)+2r
					; IoInitializeDumpStack(x,x)r ...
_KiInterruptTimeErrorAccumulator dd ?	; DATA XREF: KiComputeNewInterruptTime+9Fr
					; KiComputeNewInterruptTime+B6w ...
dword_6D4B04	dd ?			; DATA XREF: KiComputeNewInterruptTime+ACr
					; KiComputeNewInterruptTime+BEw ...
_KiSystemTimeErrorAccumulator dd ?	; DATA XREF: KiComputeNewSystemTime+89r
					; KiComputeNewSystemTime+9Fw ...
dword_6D4B0C	dd ?			; DATA XREF: KiComputeNewSystemTime+95r
					; KiComputeNewSystemTime+A7w ...
_KiFastCallCopyDoneOnce	db ?		; DATA XREF: KiEnableFastSyscallReturn+3Ew
					; KiEnableFastSyscallReturn:loc_5E6796r
		align 4
_PopSleeperHandoff dd ?			; DATA XREF: PopTransitionToSleep+F1w
					; PopTransitionToSleep+108w ...
_PopDebugCount	dd ?			; DATA XREF: PopHiberCheckForDebugBreak()+Fr
					; PopHiberCheckForDebugBreak()+15w ...
_PopNumberOfPagesForHibernateProcess dd	? ; DATA XREF: PopAllocatePagesw
					; PopAllocateHiberContext+D9w
_PopEsLastStateChangeTimeStamp dd ?	; DATA XREF: PopEsEnterSleepShutdown()+4Dw
					; PopEsSnapTelemetry:loc_85F423r ...
dword_6D4B24	dd ?			; DATA XREF: PopEsEnterSleepShutdown()+52w
					; PopEsSnapTelemetry+5Cr ...
_PopConsoleDisplayState	dd ?		; DATA XREF: PopThermalCoolingPowerSettingCallback:loc_5E668Cr
					; PopCheckResiliencyScenarios+40r ...
dword_6D4B2C	dd ?			; DATA XREF: GetGlobalizationUserModelTyper
					; GetGlobalizationUserModelType:loc_5659B5w
byte_6D4B30	db ?			; DATA XREF: BiGetFirmwareType()+1Er
					; BiGetFirmwareType()+5Fw
		align 4
_BgpTextRegionSave dd ?			; DATA XREF: ResFwFreeContext+7Br
					; ResFwGetContext+DFw ...
_BgpAnimationRegionSave	dd ?		; DATA XREF: ResFwFreeContext:loc_A740BEr
					; ResFwGetContext+D5w ...
byte_6D4B3C	db ?			; DATA XREF: AnFwProgressIndicatorTransition()r
					; AnFwpDisableProgressTimer()r	...
		align 10h
dword_6D4B40	dd ?			; DATA XREF: AnFwpProgressAnimationManual+4Dr
					; AnFwpProgressAnimationManual+129w ...
dword_6D4B44	dd ?			; DATA XREF: AnFwpProgressAnimationManual+5Br
					; AnFwpProgressAnimationManual+12Fw ...
byte_6D4B48	db ?			; DATA XREF: AnFwDisplayFade+4E7w
					; AnFwpFadeAnimationTimer+25r ...
		align 10h
dword_6D4B50	dd ?			; DATA XREF: LogFwInitialize()+96w
					; LogFwStat+14Fr ...
dword_6D4B54	dd ?			; DATA XREF: LogFwInitialize()+9Cw
					; LogFwStat:loc_A76247r ...
dword_6D4B58	dd ?			; DATA XREF: LogFwInitialize()+7Ew
					; LogFwReport+61r ...
dword_6D4B5C	dd ?			; DATA XREF: LogFwInitialize()+84w
					; LogFwReport+56r ...
dword_6D4B60	dd ?			; DATA XREF: LogFwInitialize()+10Dw
					; LogFwReport+D2w ...
; char dword_6D4B64
dword_6D4B64	dd ?			; DATA XREF: LogFwInitialize()+F5w
					; LogFwStat+17Aw ...
dword_6D4B68	dd ?			; DATA XREF: LogFwInitialize()+37w
					; LogFwStat+8Ar ...
dword_6D4B6C	dd ?			; DATA XREF: LogFwInitialize()+3Dw
					; LogFwStat:loc_A7617Er ...
dword_6D4B70	dd ?			; DATA XREF: LogFwInitialize()+EFw
					; LogFwReport+46w ...
		align 8
dword_6D4B78	dd ?			; DATA XREF: LogFwInitialize()+66w
					; LogFwStat:loc_A76198w ...
dword_6D4B7C	dd ?			; DATA XREF: LogFwInitialize()+6Cw
					; LogFwStat+9Cw ...
dword_6D4B80	dd ?			; DATA XREF: LogFwInitialize()+8Aw
					; LogFwStat:loc_A76264w ...
dword_6D4B84	dd ?			; DATA XREF: LogFwInitialize()+90w
					; LogFwStat+168w ...
dword_6D4B88	dd ?			; DATA XREF: LogFwInitialize()+A7w
					; LogFwStat:loc_A761AAw ...
dword_6D4B8C	dd ?			; DATA XREF: LogFwInitialize()+ADw
					; LogFwStat+AEw ...
dword_6D4B90	dd ?			; DATA XREF: LogFwInitialize()+B3w
					; LogFwStat+13w ...
dword_6D4B94	dd ?			; DATA XREF: LogFwInitialize()+B9w
					; LogFwStat+18w ...
; char dword_6D4B98
dword_6D4B98	dd ?			; DATA XREF: LogFwInitialize()+E3w
					; LogFwReport+37o ...
dword_6D4B9C	dd ?			; DATA XREF: LogFwInitialize()+E9w
					; TxtpAddCacheEntry+409r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4BA8	dd ?			; DATA XREF: LogFwInitialize()+43w
					; LogFwStat+1F4w ...
dword_6D4BAC	dd ?			; DATA XREF: LogFwInitialize()+49w
					; LogFwStat+1FFw ...
dword_6D4BB0	dd ?			; DATA XREF: LogFwInitialize()+107w
					; LogFwReport+B2w ...
		align 8
dword_6D4BB8	dd ?			; DATA XREF: LogFwInitialize()+72w
					; LogFwStat+1C8w ...
dword_6D4BBC	dd ?			; DATA XREF: LogFwInitialize()+78w
					; LogFwStat+1D3w ...
; char dword_6D4BC0
dword_6D4BC0	dd ?			; DATA XREF: LogFwInitialize()+60w
					; LogFwStat:loc_A761A4w ...
		align 8
dword_6D4BC8	dd ?			; DATA XREF: LogFwInitialize()+4Fw
					; LogFwStat+FCw ...
dword_6D4BCC	dd ?			; DATA XREF: LogFwInitialize()+55w
					; LogFwStat+102w ...
dword_6D4BD0	dd ?			; DATA XREF: LogFwInitialize()+FBw
					; LogFwReport+5Cw ...
		align 8
dword_6D4BD8	dd ?			; DATA XREF: LogFwInitialize()+D7w
					; LogFwReport+B7r ...
dword_6D4BDC	dd ?			; DATA XREF: LogFwInitialize()+DDw
					; LogFwReport+ACr ...
dword_6D4BE0	dd ?			; DATA XREF: LogFwInitialize()+CBw
					; LogFwReport+92r ...
dword_6D4BE4	dd ?			; DATA XREF: LogFwInitialize()+D1w
					; LogFwReport+87r ...
dword_6D4BE8	dd ?			; DATA XREF: LogFwInitialize()+BFw
					; LogFwStat+44w
dword_6D4BEC	dd ?			; DATA XREF: LogFwInitialize()+C5w
					; LogFwStat+50w
; char dword_6D4BF0
dword_6D4BF0	dd ?			; DATA XREF: LogFwInitialize()+101w
					; LogFwReport+8Dw ...
		align 8
dword_6D4BF8	dd ?			; DATA XREF: BgpFwFreeMemory(x)+7Ar
					; BgpFwReserveAllocate+40r ...
dword_6D4BFC	dd ?			; DATA XREF: BgpFwReservePoolSwap(x,x,x,x)+3Ar
					; BgpFwReservePoolSwap(x,x,x,x)+56w
dword_6D4C00	dd ?			; DATA XREF: BgpFwReservePoolSwap(x,x,x,x)+30r
					; BgpFwReservePoolSwap(x,x,x,x)+7Ew
dword_6D4C04	dd ?			; DATA XREF: BgpFwFreeMemory(x)+8Er
					; BgpFwFreeMemory(x):loc_55A126w ...
dword_6D4C08	dd ?			; DATA XREF: BgpFwReservePoolSwap(x,x,x,x)+12r
					; BgpFwReservePoolSwap(x,x,x,x)+60w
dword_6D4C0C	dd ?			; DATA XREF: BgpFwFreeMemory(x)+84o
					; BgpFwReserveAllocate+Do ...
dword_6D4C10	dd ?			; DATA XREF: BgpFwReservePoolSwap(x,x,x,x)+2Bw
					; BgpFwReservePoolSwap(x,x,x,x)+6Fr ...
dword_6D4C14	dd ?			; DATA XREF: BgpFwReserveAllocate+21r
					; BgpFwReserveAllocate+86333r ...
byte_6D4C18	db ?			; DATA XREF: BgpFwReleaseLock+1Dr
					; BgpFwAcquireLock()+2Cw
		align 4
dword_6D4C1C	dd ?			; DATA XREF: BgpFwReservePoolSwap(x,x,x,x)+1Cr
					; BgpFwReservePoolSwap(x,x,x,x)+6Aw
dword_6D4C20	dd ?			; DATA XREF: BgpFwReservePoolSwap(x,x,x,x)+26r
					; BgpFwReservePoolSwap(x,x,x,x)+74w
		align 8
; void dword_6D4C28
dword_6D4C28	dd ?			; DATA XREF: LogFwInitialize()+22o
					; LogFwStat+22w ...
dword_6D4C2C	dd ?			; DATA XREF: LogFwStat+29w
					; LogFwStat+49r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpDoIdleProcessing dd	?		; DATA XREF: CmSetLazyFlushState:loc_85D3BAr
					; CmSetLazyFlushState+27w ...
dword_6D4C74	dd ?			; DATA XREF: BgkNotifyDisplayOwnershipChange+8Er
					; BgkNotifyDisplayOwnershipChange+A9w ...
byte_6D4C78	db ?			; DATA XREF: BgkNotifyDisplayOwnershipChange+9Aw
					; BgkSetVirtualFrameBuffer+120w ...
byte_6D4C79	db ?			; DATA XREF: BgkNotifyDisplayOwnershipChange+6Dw
					; BgkDisplayStringEx(x)+4Cr ...
byte_6D4C7A	db ?			; DATA XREF: BgkNotifyDisplayOwnershipChange+67w
					; BgkDisplayStringEx(x)+44r ...
byte_6D4C7B	db ?			; DATA XREF: BgkNotifyDisplayOwnershipChange:loc_559128r
					; BgkNotifyDisplayOwnershipChange+94w ...
		align 10h
_PopBsdPowerTransitionExtension	db ?	; DATA XREF: PopBsdUpdateWorker(x)+7Ao
					; PopClearSystemShutdownMarker()+32w ...
byte_6D4C81	db ?			; DATA XREF: PoClearTransitionMarker()+C5w
					; PopRecordLongPowerButtonPressDetected(x)+53r	...
byte_6D4C82	db ?			; DATA XREF: PopRecordSleepCheckpoint(x)+2Ew
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4C98	dd ?			; DATA XREF: PopSetConnectedStandbyMarker(x,x,x)+50w
					; PopCheckShutdownMarker+273DEr
dword_6D4C9C	dd ?			; DATA XREF: PopSetConnectedStandbyMarker(x,x,x)+58w
					; PopCheckShutdownMarker+273D5r
_PopBatteryInitiateIgnoreStatusDuringBoot db ?
					; DATA XREF: MiFreePrivateFixupEntryForSystemImage+A9r
					; MiFreePrivateFixupEntryForSystemImage+B3w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_InitWinPEModeType dd ?			; DATA XREF: IoIsDeviceEjectable(x)+7r
					; Phase1InitializationDiscard(x)+2D6w ...
_CcRegistryWatchInitComplete dd	?	; DATA XREF: .text:004FBDB1r
					; CcRegistryChangeCallback:loc_578D6Br	...
_CcInitializationComplete dd ?		; DATA XREF: CcNotifyWriteBehindInternalr
					; CcRegisterExternalCache(x,x)+9r ...
_CcAzure_LazyWriterPercentageOfNumProcs	dd ? ; DATA XREF: CcInitializePartition+209r
					; CcInitializePartition+866E6r	...
_CcAzure_SoftThrottleLargeWriteAtPct dd	? ; DATA XREF: CcCanIWriteStreamEx+D0r
					; CcUpdateDynamicRegistrySettings+80B22w ...
_CcAzure_LargeWriteSize	dd ?		; DATA XREF: CcCanIWrite:loc_5C020Dr
					; CcCanIWriteStreamEx:loc_5C04FDr ...
_CcMaxZeroTransferSize dd ?		; DATA XREF: CcZeroDataOnDisk(x,x,x,x)+24r
					; CcZeroDataOnDisk(x,x,x,x):loc_4ED61Cr ...
; char CcSoftThrottleDelay
_CcSoftThrottleDelay dd	?		; DATA XREF: CcCanIWrite+1165A0r
					; CcUpdateDynamicRegistrySettings+80B45w ...
_CcExtraWBThreadDelay dd ?		; DATA XREF: CcWorkerThread:loc_492A19r
					; CcWorkerThread:loc_492BBFr ...
_CcSystemPartitionDirtyPageThresholds dd ?
					; DATA XREF: ExpQuerySystemPerformanceInformation+7BEr
					; INIT:00AC32AAw
_CcSystemPartitionDirtyPageStatistics dd ?
					; DATA XREF: ExpQuerySystemPerformanceInformation:loc_7996A6r
					; INIT:00AC329Fw
_CcMaxNumberCompleteAsyncReadExWorkItems dd ? ;	DATA XREF: CcPostWorkQueueAsyncRead+E2r
					; CcPostWorkQueueAsyncRead+16EA75r ...
_CmpLoadingSystemHivesActive db	?	; DATA XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+AB1r
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x):loc_8150F1r	...
		align 4
_CmpMountThread	dd ?			; DATA XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+ABEr
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+CAAr ...
_CmpInitRmLogOnLoad db ?		; DATA XREF: CmpInitializeSystemHivesLoad+14Br
					; CmCompleteRegistryInitialization+73r	...
		align 4
_CmpCallBackCount dd ?			; DATA XREF: CmpDoQueryKeyName+62r
					; CmpFreeCallbackContext(x)+6r	...
_CmpSystemHiveHysteresisHighSeen db ?	; DATA XREF: CmRegisterSystemHiveLimitCallback:loc_8B56B2w
					; CmpUpdateSystemHiveHysteresis:loc_8CBEB1r ...
_CmpSystemHiveHysteresisLowSeen	db ?	; DATA XREF: CmRegisterSystemHiveLimitCallback+55w
					; CmpUpdateSystemHiveHysteresis+18B2D8r ...
		align 4
_CmpSystemHiveHysteresisCallback dd ?	; DATA XREF: CmpUpdateSystemHiveHysteresis:loc_740BFBr
					; CmRegisterSystemHiveLimitCallback:loc_8B5675r ...
_CmpSystemHiveHysteresisContext	dd ?	; DATA XREF: CmRegisterSystemHiveLimitCallback+46w
					; CmpSystemHiveHysteresisWorker(x)+1Er
_CmpSystemHiveHysteresisHigh dd	?	; DATA XREF: CmpUpdateSystemHiveHysteresis+38r
					; CmRegisterSystemHiveLimitCallback+40w
_CmpSystemHiveHysteresisLow dd ?	; DATA XREF: CmRegisterSystemHiveLimitCallback+36w
					; CmpUpdateSystemHiveHysteresis+18B310r
_CmSystemHiveLimitSize dd ?		; DATA XREF: CmpUpdateSystemHiveHysteresis+29r
					; CmpCanGrowHive+1Fr ...
_CmpAdminSystemFileSecurityDescriptor dd ? ; DATA XREF:	.text:0058FDD3r
					; .text:0058FDFAr ...
_CmpTransactionInitializingCount dd ?	; DATA XREF: CmpTransSearchAddTrans+144w
					; CmpTransInitializeTransaction+B1w ...
_CmpCoalescingCallbackActive db	?	; DATA XREF: CmpCmdInit+DBw
					; CmpIssueNewDirtyCallback:loc_8CE29Er
		align 4
_CmpEnableLazyFlushTimerInitialized dd ? ; DATA	XREF: CmSetLazyFlushState+Cr
					; CmSetLazyFlushState:loc_85D3CCr ...
_VrpDriverObject dd ?			; DATA XREF: CmRegisterInternalCallback(x,x,x,x,x,x)r
					; VRegSetup+87w
_EmpNumberOfRules dd ?			; DATA XREF: EmInitSystem+241w
					; EmpParseRules+14Ew
_EmpNumberOfStrings dd ?		; DATA XREF: EmInitSystem+246w
					; EmpParseStrings+9Fr ...
_EmpNumberOfTargetRules	dd ?		; DATA XREF: EmInitSystem+24Bw
					; EmpParseTargetRules+166w
_EmpNumberOfEntryTypes dd ?		; DATA XREF: EmInitSystem+237w
					; EmpParseEntryTypes+C7w
_EmpStringTable	dd ?			; DATA XREF: EmpEvaluateTargetRule+EFr
					; EmInitSystem+232w ...
_EmpNumberOfCallbacks dd ?		; DATA XREF: EmInitSystem+23Cw
					; EmpParseCallbacks+126w
dword_6D4D44	dd ?			; DATA XREF: InbvSetFunction(x)r
					; InbvSetFunction(x)+3Dw ...
byte_6D4D48	db ?			; DATA XREF: InbvDisplayString+5r
					; InbvEnableDisplayString(x)+8r ...
		align 4
dword_6D4D4C	dd ?			; DATA XREF: InbvNotifyDisplayOwnershipChange(x,x)+5r
					; InbvSetProgressBarSubset(x,x)r ...
dword_6D4D50	dd ?			; DATA XREF: InbvInstallDisplayStringFilter(x)+8w
					; InbvDisplayString:loc_5F48E1r ...
dword_6D4D54	dd ?			; DATA XREF: BgkNotifyDisplayOwnershipChange+4Dr
					; BgkNotifyDisplayOwnershipChange:loc_5591F5r ...
byte_6D4D58	db ?			; DATA XREF: BgkQueryBootGraphicsInformation(x,x)r
					; TxtpAddCacheEntry:BgkDestroyr ...
_BvgaBootDriverInstalled db ?		; DATA XREF: BvgaIsBootDriverInstalled()r
					; BvgaBitBlt(x,x,x)+5r	...
_BvgaBootDriverFullyInitialized	db ?	; DATA XREF: BvgaEnableBootDriver(x)+5r
					; BvgaDriverInitialize+9r ...
		align 4
_BvgaDisplayState dd ?			; DATA XREF: BvgaGetDisplayState()r
					; BvgaSetDisplayOwnership(x):loc_56EAA0w ...
_ResourceCount	dd ?			; DATA XREF: BvgaGetResourceAddress(x)+8r
					; BvgaDriverInitialize+63w ...
_SpecialMemoryRanges dd	?		; DATA XREF: IoSetBugCheckProgressAndFlag(x,x):loc_60B7A6r
					; INIT:00AB53B8w
_InMemData	db    ?	;		; DATA XREF: IopConstructInMemoryDumpHeader()+5o
					; IopConstructInMemoryDumpHeader()+A6o	...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4D6C	dd ?			; DATA XREF: IopConstructInMemoryDumpHeader()+20r
					; IopInitializeInMemoryDumpData():loc_60CC15w
dword_6D4D70	dd ?			; DATA XREF: IopConstructInMemoryDumpHeader()+33r
					; IopConstructInMemoryDumpHeader()+43r	...
		align 8
; size_t dword_6D4D78
dword_6D4D78	dd ?			; DATA XREF: IopInitializeInMemoryDumpData():loc_60CB52w
					; IopInitializeInMemoryDumpData()+CAr ...
dword_6D4D7C	dd ?			; DATA XREF: IopConstructInMemoryDumpHeader()+29r
					; IopConstructInMemoryDumpHeader()+92w	...
dword_6D4D80	dd ?			; DATA XREF: IopConstructInMemoryDumpHeader()+68r
					; IopInitializeInMemoryDumpData()+124w	...
dword_6D4D84	dd ?			; DATA XREF: IopConstructInMemoryDumpHeader()+73r
					; IopInitializeInMemoryDumpData()+12Cw	...
dword_6D4D88	dd ?			; DATA XREF: IopInitializeOfflineCrashDump+2Aw
					; IopInitializeOfflineCrashDump:loc_57C629w ...
dword_6D4D8C	dd ?			; DATA XREF: IopInitializeInMemoryDumpData()+78w
					; IopInitializeInMemoryDumpData()+161w	...
dword_6D4D90	dd ?			; DATA XREF: IopConstructInMemoryDumpHeader()+19w
					; IopConstructInMemoryDumpHeader():loc_60C5FFw
		align 8
_CapsuleTriageDumpBlockInitialized db ?	; DATA XREF: IopRemoveDumpCapsuleSupport()r
					; IopRemoveDumpCapsuleSupport():loc_56F648w ...
		align 4
_CapsuleTriageDumpBlock	dd ?		; DATA XREF: IopRemoveDumpCapsuleSupport():loc_56F630r
					; IopRemoveDumpCapsuleSupport()+1Dw ...
_CrashdmpInitialized db	?		; DATA XREF: IopDisableCrashDump()+14r
					; IopDisableCrashDump()+29w ...
		align 4
_CrashdmpDumpBlock dd ?			; DATA XREF: IopDisableCrashDump()+22w
					; IoInitializeBugCheckProgress(x,x)+60r ...
_IopBugCheckTriageDumpDataCallbackRecord db    ? ;
					; DATA XREF: IopInitializeTriageDumpData+B1o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6D4DC0	db ?			; DATA XREF: IopInitializeTriageDumpData+B6w
		align 4
_IopTriageDumpDataArray	dd ?		; DATA XREF: IoAddTriageDumpDataBlock+40r
					; IoBugCheckTriageDumpDataCallback(x,x,x,x)+5r	...
_IopAutoReboot	dd ?			; DATA XREF: IopReadDumpRegistry(x,x)+65w
					; KeBugCheck2(x,x,x,x,x,x)+56r	...
_IopBootDriverReinitCompleted db ?	; DATA XREF: IoRegisterBootDriverReinitialization(x,x,x)+5r
					; IopCallBootDriverReinitializationRoutines()+67w
_IopFsRegistrationInProgress db	?	; DATA XREF: WmipAllocRegEntry+D9w
					; IopGetFsRegistrationInProgress()+1Fr
		align 10h
_IopIrpCompletionTimeoutInSeconds dd ?	; DATA XREF: IoCancelThreadIo:loc_7719B4r
					; INIT:loc_AC2851r ...
_PnpDeviceOverrideHashList dd ?		; DATA XREF: PiQueryRemovableDeviceOverride+54r
					; PipFindDeviceOverrideEntry+D3r ...
_PnpDeviceOverrideHashListSize dd ?	; DATA XREF: PipFindDeviceOverrideEntry+CDr
					; PipInitDeviceOverrideCache+D3w ...
_PnpCurrentHardwareConfigurationIndex dd ? ; DATA XREF:	PipProcessStartPhase3+271o
					; PiProcessNewDeviceNode+3D8o ...
_PnpSetupInProgress db ?		; DATA XREF: PnpIsWatchdogBugcheckEnabled()+12r
					; PopRecordLongPowerButtonPressDetected(x)+5Cr	...
_PnpSetupOOBEInProgress	db ?		; DATA XREF: PnpIsWatchdogBugcheckEnabled()+Ar
					; PnpBootPhaseComplete+1Br ...
_PnpSetupUpgradeInProgress db ?		; DATA XREF: PiIsDriverBlocked+AFED6r
					; PiDevCfgEnforceDevicePolicy(x,x,x)+42Ar ...
_PnpSetupRollbackActiveInProgress db ?	; DATA XREF: PiIsDriverBlocked+AFEDFr
					; IopInitializePlugPlayServices(x,x)+4B7w
_PiInitGroupOrderTable dd ?		; DATA XREF: PiInitReleaseCachedGroupInformation()r
					; PiInitReleaseCachedGroupInformation()+16w ...
_PiInitGroupOrderTableCount dw ?	; DATA XREF: PiInitReleaseCachedGroupInformation()+Ar
					; PiInitReleaseCachedGroupInformation()+1Fw ...
		align 10h
_PnpEtwHandle	dd ?			; DATA XREF: PnpDiagnosticTraceObject(x,x)+14r
					; PnpDiagnosticTraceObjectWithStatus(x,x,x)+14r ...
dword_6D4DF4	dd ?			; DATA XREF: PnpDiagnosticTraceObject(x,x)+1Dr
					; PnpDiagnosticTraceObjectWithStatus(x,x,x)+1Dr ...
_PnpSystemHiveLimits dd	?		; DATA XREF: IopInitializePlugPlayServices(x,x)+85o
					; IopInitializePlugPlayServices(x,x)+90w
dword_6D4DFC	dd ?			; DATA XREF: IopInitializePlugPlayServices(x,x)+9Aw
_PnpSystemHiveTooLarge db ?		; DATA XREF: PpSystemHiveLimitCallback(x,x)+10w
					; PpSystemHiveLimitCallback(x,x)+1Cw ...
		align 4
_PnpQueryProximityNode dd ?		; DATA XREF: PipCallDriverAddDevice:loc_8650E5r
					; PipCallDriverAddDevice+A1883r ...
_PiAuLocalSystemSecurityObject dd ?	; DATA XREF: ExpWnfCreateProcessContext+11Br
					; PiAuCreateLocalSystemSecurityObject+117w
_PiAuSecurityObject dd ?		; DATA XREF: PiAuDoesClientHaveAccess(x)+6r
					; PiAuCreateStandardSecurityObject+2E6w
_KdpDebugRoutineSelect dd ?		; DATA XREF: KiDispatchException+285r
					; KeInsertQueue+D3r ...
_KiDpcWatchdogProfileArrayLength dd ?	; DATA XREF: KiExecuteAllDpcs+12E47Er
					; KeAccumulateTicks+12BABDr ...
_KiDpcWatchdogProfileCumulativeDpcThreshold dd ? ; DATA	XREF: KiInitializeProcessor+1A1r
					; INIT:00ABFFABw ...
_KiDpcWatchdogProfileSingleDpcThreshold	dd ? ; DATA XREF: KiInitializeProcessor+1DDr
					; INIT:00ABFFD6w ...
_KiProcessorStartControl dd ?		; DATA XREF: KiProcessorStart:loc_5A3295r
					; KiProcessorStart+94w	...
_KeI386VirtualIntExtensions dd ?	; DATA XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+252r
					; NtVdmControl(x,x)+11Fr ...
word_6D4E28	dw ?			; DATA XREF: KiGetCurrentGroupCount()r
					; KiCommitNodeAssignment+1Er ...
_KiNxForceEnable db ?			; DATA XREF: KeForceEnableNx()r
					; KiTryForceEnableNx()+4Ew
		align 4
; Exported entry 1162. KeI386MachineType
		public _KeI386MachineType
_KeI386MachineType dd ?			; DATA XREF: KiInitializeMachineType()+Cw
_KiVirtFlags	db ?			; DATA XREF: KiInitializeKernel(x,x,x,x,x,x)+6B8r
					; KiGetFeatureBits+5F5w ...
_KiKvaLeakage	db ?			; DATA XREF: KiEnableKvaShadowing(x,x):loc_724B27r
					; PAGELK:007264CAr ...
		align 10h
_MiSystemPartition dd ?			; DATA XREF: MiDeleteProcessShadow+1C4o
					; MiDereferenceControlAreaPfnList+197o	...
dword_6D4E44	dd ?			; DATA XREF: .text:loc_45F59Cr
					; .text:004706C6r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6D4E4C	db ?			; DATA XREF: MiInitializeDynamicPfns(x,x,x,x,x,x)+E9w
					; MiPerformMemoryChange(x,x,x,x,x):loc_627E2Fw
		align 10h
dword_6D4E50	dd ?			; DATA XREF: MiMigratePfn(x,x,x,x)+162r
					; MiUnlinkFreeOrZeroedPage+1B1r ...
		align 8
dword_6D4E58	dd ?			; DATA XREF: MiPerformMemoryChange(x,x,x,x,x)+2Ar
					; MiPerformMemoryChange(x,x,x,x,x)+56r	...
dword_6D4E5C	dd ?			; DATA XREF: MiDereferencePageRunsEx:loc_4AB38Dw
					; MiReferencePageRuns+41w ...
dword_6D4E60	dd ?			; DATA XREF: MiFreeUnusedPfnPagesDpc+85EA0o
					; MiFreeUnusedPfnPagesDpc+85EB9w ...
		align 8
dword_6D4E68	dd ?			; DATA XREF: MiFreeUnusedPfnPagesDpc+85EA5w
					; MiRemovePhysicalMemory(x,x,x)+218w
dword_6D4E6C	dd ?			; DATA XREF: MiFreeUnusedPfnPagesDpc+85EAFw
					; MiRemovePhysicalMemory(x,x,x)+222w
dword_6D4E70	dd ?			; DATA XREF: MiRemovePhysicalMemory(x,x,x)+1ECr
					; MiRemovePhysicalMemory(x,x,x)+1F5w
dword_6D4E74	dd ?			; DATA XREF: MiDereferencePageRunsEx+5Er
					; MiDereferencePageRunsEx+64w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D4E7C	db    ?	;		; DATA XREF: MiShutdownSystem()+73o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4E9C	dd ?			; DATA XREF: MiZeroAllPageFiles()+56r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4EA4	dd ?			; DATA XREF: CcSetDirtyPinnedData+CFr
					; CcGetVirtualAddress+D6r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D4EAC	db    ?	;		; DATA XREF: .text:004710EDo
					; .text:0047110Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D4EB0	db    ?	;		; DATA XREF: MiDereferencePageRunsEx:loc_4AB3A3o
					; MiReferencePageRuns+Co ...
		db    ?	;
		db    ?	;
		db    ?	;
byte_6D4EB4	db ?			; DATA XREF: MiFreedUnusedPfnPagesWorker+13w
					; MiFreeUnusedPfnPagesDpc+85EC3w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4ED0	dd ?			; DATA XREF: MmResourcesAvailable(x,x,x)+17Br
					; MiInitializePagedPoolEvents+6Cr ...
dword_6D4ED4	dd ?			; DATA XREF: MiInitializePagedPoolEvents+55r
					; MiInitializePagedPoolEvents:loc_AE2571r
dword_6D4ED8	dd ?			; DATA XREF: MmResourcesAvailable(x,x,x)+D3r
					; MiSignalNonPagedPoolWatchers:loc_56639Cr
dword_6D4EDC	dd ?			; DATA XREF: MiSignalNonPagedPoolWatchers+20r
					; MiSignalNonPagedPoolWatchers+49r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D4EF4	dd ?			; DATA XREF: MiPageNotZero(x,x)+BBr
dword_6D4EF8	dd ?			; DATA XREF: MiAddPhysicalMemory(x,x,x,x,x)+452r
					; MiRemovePhysicalMemory(x,x,x)+263r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6D4FB7	db ?			; DATA XREF: MiProbeLockFrame(x)+256w
					; .text:00471FD8w ...
		align 10h
dword_6D4FC0	dd ?			; DATA XREF: MiFlushAllFilesystemPages(x)+9Ar
					; MiFlushAllFilesystemPages(x)+D7r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D4FF4	db    ?	;		; DATA XREF: MiZeroAllPageFiles()+9Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5008	dd ?			; DATA XREF: MiFlushAllFilesystemPages(x):loc_62BE78w
					; MiFlushAllFilesystemPages(x):loc_62BEE0w
unk_6D500C	db    ?	;		; DATA XREF: MiInsertPageInList(x,x)+5F8o
					; MiFlushAllFilesystemPages(x)+A6o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5050	db    ?	;		; DATA XREF: MiInsertPageInList(x,x)+7EDo
					; MiFlushAllHintedStorePages(x)+D0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D50A0	db    ?	;		; DATA XREF: .text:0045F567o
					; MiUnlinkFreeOrZeroedPage+144D0Do
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D50B4	dd ?			; DATA XREF: .text:loc_475108r
dword_6D50B8	dd ?			; DATA XREF: MiShutdownSystem()+37o
					; MiZeroAllPageFiles()+43o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D50EC	db    ?	;		; DATA XREF: MmOutSwapVirtualAddresses+D5o
					; MmOutSwapVirtualAddresses+291o ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D50F0	db    ?	;		; DATA XREF: MiOutPageSingleKernelStack:loc_498175o
					; MiOutPageSingleKernelStack:loc_4981A2o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D50F8	db    ?	;		; DATA XREF: MiFlushAllHintedStorePages(x)+42o
					; MiFlushAllHintedStorePages(x):loc_4D1E49o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D50FC	dd ?			; DATA XREF: .text:0045E554r
					; .text:0045F20Br ...
dword_6D5100	dd ?			; DATA XREF: .text:0045F55Ar
					; .text:loc_46802Fr ...
dword_6D5104	dd ?			; DATA XREF: MiResolvePageFileFault+261r
					; MmStoreRegister+Fw ...
dword_6D5108	dd ?			; DATA XREF: MmStoreFlushOutstandingEvictions()+10r
					; MmStoreFlushOutstandingEvictions():loc_4C7316w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5118	db    ?	;		; DATA XREF: MmStoreFlushOutstandingEvictions()+5o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D511C	dd ?			; DATA XREF: MmStoreRegister+18Ew
unk_6D5120	db    ?	;		; DATA XREF: MmStoreFlushOutstandingEvictions()+3Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5130	db    ?	;		; DATA XREF: SmIoRequestComplete(x,x,x,x)+41o
		db    ?	;
		db    ?	;
		db    ?	;
word_6D5134	dw ?			; DATA XREF: SmIoRequestComplete(x,x,x,x)+36r
		align 4
unk_6D5138	db    ?	;		; DATA XREF: MmStoreFlushOutstandingEvictions()+19o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5148	dd ?			; DATA XREF: MmStoreRegister+148w
dword_6D514C	dd ?			; DATA XREF: .text:00467648r
					; MiResolveDemandZeroFault+138r ...
dword_6D5150	dd ?			; DATA XREF: MiWriteComplete+1C1r
					; MmStoreRegister+196w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5180	db    ?	;		; DATA XREF: MiDereferenceControlAreaPfnList+13Eo
					; MiDereferenceControlAreaPfnList+177o	...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5184	dd ?			; DATA XREF: MiUnlinkUnusedControlArea:loc_5C072Fw
					; .text:005C077Ew
dword_6D5188	dd ?			; DATA XREF: MiDereferenceControlAreaPfnList:loc_43A560r
					; MiDereferenceControlAreaPfnList+116o	...
dword_6D518C	dd ?			; DATA XREF: MiDereferenceControlAreaPfnList+11Br
unk_6D5190	db    ?	;		; DATA XREF: MiDeleteControlArea+20o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D51A0	db    ?	;		; DATA XREF: MiInsertUnusedSubsection(x,x)+FDo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D51C0	dd ?			; DATA XREF: MiInsertUnusedSubsection(x,x)+DEr
					; MiInsertUnusedSubsection(x,x)+E6w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D51F8	db    ?	;		; DATA XREF: MiDereferenceControlAreaPfnList+188o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D520C	db    ?	;		; DATA XREF: MiDereferenceControlAreaPfnList+151o
					; MiDereferenceControlAreaPfnList+160o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5210	dd ?			; DATA XREF: MiDereferenceControlAreaPfnList+148r
					; MiDereferenceControlAreaPfnList+16Bw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5224	db    ?	;		; DATA XREF: .text:005C076Ao
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5228	dd ?			; DATA XREF: .text:loc_5C0764r
					; .text:005C078Bw
		align 10h
unk_6D5230	db    ?	;		; DATA XREF: MiUnlinkUnusedControlArea+115E30o
					; .text:005C07ABo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6D5258	db ?			; DATA XREF: MiUnlinkUnusedControlArea+115E3Aw
					; .text:005C0784r ...
		align 4
dword_6D525C	dd ?			; DATA XREF: MiDoesControlAreaHaveUserWritableReferences:loc_5AAAAEr
					; MiDeleteCachedSubsection(x)+1C1w ...
dword_6D5260	dd ?			; DATA XREF: MiUnlinkUnusedControlArea+41w
					; MiInsertUnusedSubsection(x,x)+4Ew ...
unk_6D5264	db    ?	;		; DATA XREF: .text:004AAAD4o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5268	dd ?			; DATA XREF: .text:004AAACEr
					; .text:004AAAE4w
unk_6D526C	db    ?	;		; DATA XREF: MiInsertUnusedSubsection(x,x)+68o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5270	dd ?			; DATA XREF: MiInsertUnusedSubsection(x,x)+62r
					; MiInsertUnusedSubsection(x,x)+7Cw
unk_6D5274	db    ?	;		; DATA XREF: MiInsertUnusedSubsection(x,x)+C9o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5278	dd ?			; DATA XREF: MiInsertUnusedSubsection(x,x):loc_4AAA25r
					; MiInsertUnusedSubsection(x,x)+D9w
unk_6D527C	db    ?	;		; DATA XREF: MiQueueControlAreaDelete(x)+37o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D528C	dd ?			; DATA XREF: MiQueueControlAreaDelete(x)+15r
					; MiQueueControlAreaDelete(x)+20w
unk_6D5290	db    ?	;		; DATA XREF: MiReleaseSystemCacheView+6Fo
					; MiReleaseSystemCacheView+F7o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5380	dd ?			; DATA XREF: MiUnlinkFreeOrZeroedPage+CAr
					; .text:00470A51r ...
dword_6D5384	dd ?			; DATA XREF: MiFreeListPageContentsChanged(x)+3Dr
					; MiCreatePfnDatabase(x)+57w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D53C0	dd ?			; DATA XREF: .text:004703B9o
					; MiInsertLargePageInNodeList(x)+334o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5400	dd ?			; DATA XREF: .text:loc_47041Ao
					; MiInsertLargePageInNodeList(x)+33Bo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5440	db    ?	;		; DATA XREF: MiInsertPageInList(x,x)+99o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5480	db    ?	;		; DATA XREF: .text:0045EEC2o
					; MiInsertPageInList(x,x)+169o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5490	db    ?	;		; DATA XREF: MiInsertAndUnlockStandbyPages+199o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D54E4	dd ?			; DATA XREF: MiInsertProtectedStandbyPage(x,x)+31Ew
					; MiAgeWorkingSet+1BAo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D54F4	db    ?	;		; DATA XREF: MiDecayPfnFullyInitialized+24o
					; MiInsertProtectedStandbyPage(x,x)+81o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5540	db    ?	;		; DATA XREF: .text:0045F216o
					; .text:0045F223o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5580	dd ?			; DATA XREF: .text:0045F23Co
					; MiInsertPageInList(x,x)+4BDo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D56C0	db    ?	;		; DATA XREF: .text:0045F267o
					; MiInsertPageInList(x,x)+4F7o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5740	dd ?			; DATA XREF: MiInsertPageInList(x,x)+D5o
					; MmSnapTriageDumpInformation(x,x,x,x)+Er ...
		align 8
dword_6D5748	dd ?			; DATA XREF: MiUnlinkPageFromBadList(x,x):loc_63A8CCw
					; MmEnumerateBadPages(x)+D8r
dword_6D574C	dd ?			; DATA XREF: MiUnlinkPageFromBadList(x,x):loc_63A8B5w
unk_6D5750	db    ?	;		; DATA XREF: MiInsertPageInList(x,x)+68Co
					; MiInsertPageInList(x,x)+69Eo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5780	db    ?	;		; DATA XREF: MiInsertPageInList(x,x)+C0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5790	db    ?	;		; DATA XREF: MiInsertPageInList(x,x)+635o
					; MiInsertPageInList(x,x)+647o	...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5794	dd ?			; DATA XREF: .text:004706EFo
					; .text:004707E5o ...
dword_6D5798	dd ?			; DATA XREF: .text:00470829o
					; .text:00470CC0o ...
dword_6D579C	dd ?			; DATA XREF: .text:0045EDEAr
					; MiUnlinkFreeOrZeroedPage+147r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D57A8	dd ?			; DATA XREF: MiZeroCfgSystemWideBitmapWorker+40Fr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D57BC	db    ?	;		; DATA XREF: MiRestoreTransitionPte(x,x):loc_4D56BBo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D57FC	dd ?			; DATA XREF: MiAddWorkingSetEntries+25Fr
					; MiAddWorkingSetEntries+3DFw ...
dword_6D5800	dd ?			; DATA XREF: .text:0045EEE7w
					; .text:0045F191o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D585C	dd ?			; DATA XREF: MiRemoveDecayClusterTimer(x)+21r
					; MiRemoveDecayClusterTimer(x)+32w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D586C	dd ?			; DATA XREF: MiInsertDecayClusterTimer(x)+6r
byte_6D5870	db ?			; DATA XREF: .text:loc_45F12Ar
byte_6D5871	db ?			; DATA XREF: MiUnlinkFreeOrZeroedPage+1DFr
					; MiUnlinkNodeLargePageHelper(x,x,x,x,x)+247r
byte_6D5872	db ?			; DATA XREF: .text:loc_45EE4Br
					; MiMigratePfn(x,x,x,x)+Br ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D58C0	db    ?	;		; DATA XREF: .text:0047084Do
					; .text:00470985o ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D58C4	db    ?	;		; DATA XREF: .text:00470976o
					; MiInsertPageInList(x,x)+1EFo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D58D8	db    ?	;		; DATA XREF: .text:0047086Ao
					; MiInsertPageInList(x,x)+1CBo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D58E8	dd ?			; DATA XREF: MiRetryNonPagedAllocation+121A80r
					; MiRetryNonPagedAllocation+121B07r
unk_6D58EC	db    ?	;		; DATA XREF: .text:00470963o
					; MiInsertPageInList(x,x)+1DCo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5900	dd ?			; DATA XREF: MiInitializeMirroring+70w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5940	dd ?			; DATA XREF: .text:loc_45EEF0w
					; .text:0045F198o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D594C	dd ?			; DATA XREF: MiCreatePfnDatabase(x)+84w
					; MiCreatePfnDatabase(x)+120w
dword_6D5950	dd ?			; DATA XREF: MiUpdateLargePageCandidates(x,x,x)+16r
					; MiUpdateLargePageCandidates(x,x,x)+29r ...
		align 8
dword_6D5958	dd ?			; DATA XREF: MiUpdateLargePageCandidates(x,x,x)+48r
unk_6D595C	db    ?	;		; DATA XREF: MiInsertLargePageInNodeList(x)+436o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D596C	dd ?			; DATA XREF: .text:0045F50Br
					; MiUnlinkFreeOrZeroedPage+24Fr ...
dword_6D5970	dd ?			; DATA XREF: .text:0045F513r
					; MiUnlinkFreeOrZeroedPage+25Br ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5BB8	db    ?	;		; DATA XREF: MiAllocateSlabEntry(x,x,x)+F8o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5BBC	dd ?			; DATA XREF: .text:0045EE54r
					; MiMigratePfn(x,x,x,x)+43r ...
dword_6D5BC0	dd ?			; DATA XREF: MmWriteTriageInformation(x)+68r
dword_6D5BC4	dd ?			; DATA XREF: MiMaximumCommitmentAvailable(x)r
					; MmResourcesAvailable(x,x,x)+7Er ...
		align 10h
dword_6D5BD0	dd ?			; DATA XREF: MiUnlockMdlWritePages:loc_474928r
					; .text:loc_4799D9r
dword_6D5BD4	dd ?			; DATA XREF: MiUnlockMdlWritePages+146r
					; .text:004799C7r
unk_6D5BD8	db    ?	;		; DATA XREF: .text:0047991Do
					; MiUnlockMdlWritePages+13EE1Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5BE0	dd ?			; DATA XREF: MiUnlockMdlWritePages+7Er
					; .text:00479912r
unk_6D5BE4	db    ?	;		; DATA XREF: .text:00470E95o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6D5BF5	db ?			; DATA XREF: .text:loc_470DAEr
		align 4
dword_6D5BF8	dd ?			; DATA XREF: .text:0047070Fr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5C10	dd ?			; DATA XREF: .text:loc_470D14r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5C34	db    ?	;		; DATA XREF: MiGetOptimalProcessorWriteCount(x,x):loc_4CF545o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5C58	dd ?			; DATA XREF: MiInitSystem+149w
		align 10h
dword_6D5C60	dd ?			; DATA XREF: .text:00455A5Ar
					; MiDeleteSystemPagableVm(x,x,x,x,x,x):loc_49F64Br ...
dword_6D5C64	dd ?			; DATA XREF: MiAbortCombineScan+109F81r
					; MiAbortCombineScan:loc_5C31D9o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5C6C	dd ?			; DATA XREF: MiFreeCombineBlock(x)+A8r
					; MiFreeCombineBlock(x)+B2w
dword_6D5C70	dd ?			; DATA XREF: MiFreeCombineBlock(x)+BDw
					; MiFreeCombineBlock(x)+C5o
		align 8
dword_6D5C78	dd ?			; DATA XREF: MiFreeCombineBlock(x)+CAw
dword_6D5C7C	dd ?			; DATA XREF: MiFreeCombineBlock(x)+D4w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5C84	dd ?			; DATA XREF: MiFreeCombineBlock(x):loc_641C83r
					; MiFreeCombineBlock(x)+EAo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5C8C	db    ?	;		; DATA XREF: MiFreeCombineBlock(x)+70o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5C90	db    ?	;		; DATA XREF: MiFreeCombineBlock(x)+43o
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5C94	db    ?	;		; DATA XREF: MiFreeCombineBlock(x)+30o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5D18	dd ?			; DATA XREF: MmLogQueryCombineStats(x,x,x)+41r
dword_6D5D1C	dd ?			; DATA XREF: MmLogQueryCombineStats(x,x,x)+4Dr
dword_6D5D20	dd ?			; DATA XREF: MmLogQueryCombineStats(x,x,x)+47r
dword_6D5D24	dd ?			; DATA XREF: MmLogQueryCombineStats(x,x,x)+52r
dword_6D5D28	dd ?			; DATA XREF: MmLogQueryCombineStats(x,x,x)+5Er
dword_6D5D2C	dd ?			; DATA XREF: MmLogQueryCombineStats(x,x,x)+66r
dword_6D5D30	dd ?			; DATA XREF: MmLogQueryCombineStats(x,x,x)+39r
dword_6D5D34	dd ?			; DATA XREF: MiFreeCombineBlock(x)+155o
					; MmLogQueryCombineStats(x,x,x)+6Er
dword_6D5D38	dd ?			; DATA XREF: .text:005438E5o
					; .text:00543D0Bo ...
		align 10h
dword_6D5D40	dd ?			; DATA XREF: MmCanThreadFault()+39r
					; .text:loc_4599A8r ...
dword_6D5D44	dd ?			; DATA XREF: MiReturnWsToExpansionList+7o
					; .text:00459BA3o ...
dword_6D5D48	dd ?			; DATA XREF: MiReturnWsToExpansionList+15r
					; MiReturnWsToExpansionList+26w ...
dword_6D5D4C	dd ?			; DATA XREF: MiAttachSession+6Dr
					; MiDetachProcessFromSession+83w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5D80	dd ?			; DATA XREF: .data:_MiVisiblePartitiono
					; MiSwitchToPfns+30r ...
dword_6D5D84	dd ?			; DATA XREF: .text:0045F5C7r
					; MiAllocateMostlyContiguousPagesForMdl+8r ...
dword_6D5D88	dd ?			; DATA XREF: MiAllocateWsle(x,x,x,x,x,x,x,x)+11Er
					; MmResourcesAvailable(x,x,x)+10Cr ...
dword_6D5D8C	dd ?			; DATA XREF: MiGetKernelStackSwapSupport+8r
					; MiVaIsPageFileHash(x,x)+5r ...
dword_6D5D90	dd ?			; DATA XREF: MmQuerySystemWorkingSetInformation+27r
					; MmGetWorkingSetLeafSize(x)+5r ...
dword_6D5D94	dd ?			; DATA XREF: .text:0047359Cr
					; .text:004767BAr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5DC0	db    ?	;		; DATA XREF: .text:loc_47C581o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5E00	dd ?			; DATA XREF: .text:0045F502w
					; MmAccessFault:loc_4674D1r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5E40	dd ?			; DATA XREF: MiDeleteProcessShadow:loc_438112o
					; .text:loc_45C972o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5E80	db    ?	;		; DATA XREF: MmUnmapViewInSystemCache+C6o
					; MmUnmapViewInSystemCache+284o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5E8C	dd ?			; DATA XREF: .text:0045CAD2r
					; .text:0045CC3Er ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6D5EE0	db ?			; DATA XREF: MmUnmapViewInSystemCache:loc_45B6A0r
					; MmUnmapViewInSystemCache:loc_45B6F0r	...
		align 4
unk_6D5EE4	db    ?	;		; DATA XREF: .text:00478406o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5EFC	dd ?			; DATA XREF: MiUnlockMdlWritePages+13Bo
					; .text:004799BCo ...
dword_6D5F00	dd ?			; DATA XREF: .text:0045C9F8o
					; .text:0046765Cr ...
		align 10h
unk_6D5F10	db    ?	;		; DATA XREF: .text:0047251Ao
					; .text:0047252Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5F40	db    ?	;		; DATA XREF: MiInsertPageInList(x,x)+B1o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5F54	dd ?			; DATA XREF: MiDeleteSystemPageTableTail(x)+44r
					; MiObtainPoolCharges(x,x)r ...
dword_6D5F58	dd ?			; DATA XREF: .text:loc_45F1EBw
					; MiInsertPageInList(x,x):loc_473CBEw ...
unk_6D5F5C	db    ?	;		; DATA XREF: MiFreePhysicalPageChain(x,x,x)+29Co
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D5F60	dd ?			; DATA XREF: MiCopyOnWrite(x,x,x,x)+479w
					; NtLockVirtualMemory(x,x,x,x):loc_4A205Fw ...
dword_6D5F64	dd ?			; DATA XREF: MiDeleteSegmentPages+9Eo
					; MiUpdateControlAreaCommitCount(x,x)+Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D5FA0	db    ?	;		; DATA XREF: .text:loc_45CAE1o
					; .text:loc_45CC59o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PspSystemQuotaBlock dd	?		; DATA XREF: PspReturnQuota:loc_5ECD56o
					; PspReturnQuota+C74E2r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D69C0	db    ?	;		; DATA XREF: PsInitializeQuotaSystem(x)+Do
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D6B80	dd ?			; DATA XREF: PsInitializeQuotaSystem(x)+18w
dword_6D6B84	dd ?			; DATA XREF: PsInitializeQuotaSystem(x)+1Ew
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6BC0	db    ?	;		; DATA XREF: WbRemoveWarbirdProcess+50o
					; WbFindWarbirdProcess+19o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6BD8	db    ?	;		; DATA XREF: WbRemoveWarbirdProcess+1Fo
					; sub_A1B500+25o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D6BDC	dd ?			; DATA XREF: sub_8820B8+1Cw
					; sub_A1CBC6+42r
dword_6D6BE0	dd ?			; DATA XREF: sub_8820B8+3Ao
					; sub_A1AD6F+Dr ...
		align 8
unk_6D6BE8	db    ?	;		; DATA XREF: .text:_BcpStringsAndSizeso
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+180o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6BF0	db    ?	;		; DATA XREF: .text:00404B60o
					; BcpDisplayErrorInformation(x,x,x,x,x,x)+94o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6BF8	db    ?	;		; DATA XREF: .text:00404B68o
					; BgpFwDisplayBugCheckProgressUpdate(x,x,x):loc_699F47o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C00	db    ?	;		; DATA XREF: .text:00404B70o
					; BgpFwDisplayBugCheckProgressUpdate(x,x,x)+21Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C08	db    ?	;		; DATA XREF: .text:00404B78o
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x):loc_69A16Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C10	db    ?	;		; DATA XREF: .text:00404B80o
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+1BDo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C18	db    ?	;		; DATA XREF: .text:00404B88o
					; BcpDisplayProgress(x,x)+32o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C20	db    ?	;		; DATA XREF: .text:00404B90o
					; BcpDisplayProgress(x,x)+7Do ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C28	db    ?	;		; DATA XREF: .text:00404B98o
					; BcpDisplayProgress(x,x)+3Bo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C30	db    ?	;		; DATA XREF: .text:00404BA0o
					; BcpDisplayProgress(x,x)+84o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C38	db    ?	;		; DATA XREF: .text:00404BA8o
					; BcpDisplayErrorInformation(x,x,x,x,x,x)+115o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C40	db    ?	;		; DATA XREF: .text:00404BB0o
					; BcpDisplayErrorInformation(x,x,x,x,x,x)+B9o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C48	db    ?	;		; DATA XREF: .text:00404BC0o
					; BcpDisplayErrorInformation(x,x,x,x,x,x)+51o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C50	db    ?	;		; DATA XREF: .text:00404BB8o
					; BcpDisplayErrorInformation(x,x,x,x,x,x)+68o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C58	db    ?	;		; DATA XREF: .text:00404BC8o
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+179o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C60	db    ?	;		; DATA XREF: .text:00404BD0o
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+14Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C68	db    ?	;		; DATA XREF: .text:00404BD8o
					; BgpFwDisplayBugCheckScreen(x,x,x,x,x)+1A3o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D6C70	db    ?	;		; DATA XREF: .text:00404BE0o
					; BgpDisplaySafeToPowerOffScreen()+91o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D6C78	dd ?			; DATA XREF: BcpDisplayCriticalCharacter(x,x,x)+7r
					; BcpDisplayCriticalCharacter(x,x,x)+29r ...
		align 10h
unk_6D6C80	db    ?	;		; DATA XREF: DbgkLkmdRegisterCallback+12o
					; DbgkLkmdUnregisterCallback(x)+Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D6C84	dd ?			; DATA XREF: DbgkLkmdRegisterCallback+5Ew
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D6CC0	dd ?			; DATA XREF: KsepMatchInitMachineInfo+3Do
					; KsepMatchInitAcpiOemInfo(x,x,x)+35w ...
dword_6D6CC4	dd ?			; DATA XREF: KsepMatchInitAcpiOemInfo(x,x,x)+3Bw
					; KsepMatchInitAcpiOemInfo(x,x,x)+C2w
dword_6D6CC8	dd ?			; DATA XREF: KsepMatchInitAcpiOemInfo(x,x,x)+41w
dword_6D6CCC	dd ?			; DATA XREF: KsepMatchInitAcpiOemInfo(x,x,x)+47w
dword_6D6CD0	dd ?			; DATA XREF: KsepMatchInitAcpiOemInfo(x,x,x)+4Dw
dword_6D6CD4	dd ?			; DATA XREF: KsepMatchInitAcpiOemInfo(x,x,x)+53w
dword_6D6CD8	dd ?			; DATA XREF: KsepMatchInitAcpiOemInfo(x,x,x)+59w
dword_6D6CDC	dd ?			; DATA XREF: KsepMatchInitAcpiOemInfo(x,x,x)w
					; KsepMatchInitAcpiOemInfo(x,x,x)+D0w
dword_6D6CE0	dd ?			; DATA XREF: KsepMatchInitAcpiOemInfo(x,x,x)+9w
					; KsepMatchInitAcpiOemInfo(x,x,x)+D8w
		align 8
word_6D6CE8	dw ?			; DATA XREF: KsepMatchInitBiosInfo+C6o
					; KsepMatchInitBiosInfo:loc_AD40E7r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
word_6D6EEE	dw ?			; DATA XREF: KsepMatchInitBiosInfo+E1w
dword_6D6EF0	dd ?			; DATA XREF: ExpWatchProductTypeWork+28Cr
					; ExpWatchProductTypeWork+2A9r	...
_PopPlatformAoAc db ?			; DATA XREF: PopResetIdleTime(x)+Br
					; PopCheckForIdleness(x,x,x,x):loc_50F5AEr ...
		align 4
_PopPlatformRole dd ?			; DATA XREF: PopCapturePlatformRoler
					; PopCapturePlatformRole+171427o ...
		align 10h
_PopBsdPhysicalPowerButtonInfoAtBoot dd	? ; DATA XREF: PopPowerInformationInternal+171461o
					; PopCheckShutdownMarker+72o ...
dword_6D6F04	dd ?			; DATA XREF: PopCheckShutdownMarker+272DDr
dword_6D6F08	dd ?			; DATA XREF: PopCheckShutdownMarker+81r
					; PopCheckShutdownMarker+DCr
dword_6D6F0C	dd ?			; DATA XREF: PopCheckShutdownMarker+27132r
					; PopCheckShutdownMarker:loc_AE319Br
unk_6D6F10	db    ?	;		; DATA XREF: PopCheckShutdownMarker+27251o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D6F1C	dd ?			; DATA XREF: PopCheckShutdownMarker+2718Br
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopFirmwareResetReason	db ?		; DATA XREF: PopPowerInformationInternal+171472o
					; PopRecordFirmwareResetReason+Fw
		align 8
dword_6D6F38	dd ?			; DATA XREF: PopRecordFirmwareResetReason+F36Aw
dword_6D6F3C	dd ?			; DATA XREF: PopRecordFirmwareResetReason+F381w
unk_6D6F40	db    ?	;		; DATA XREF: PopRecordFirmwareResetReason+F36Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopBsdPowerTransitionExtensionAtBoot db    ? ;
					; DATA XREF: PopPowerInformationInternal+171893o
					; PopCheckShutdownMarker+9Co
byte_6D6F61	db ?			; DATA XREF: PopCheckShutdownMarker+27359r
					; PopCheckShutdownMarker+27362w ...
byte_6D6F62	db ?			; DATA XREF: PopCheckShutdownMarker+27352w
					; PopCheckShutdownMarker+27382r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D6F78	dd ?			; DATA XREF: PopCheckShutdownMarker+27311w
dword_6D6F7C	dd ?			; DATA XREF: PopCheckShutdownMarker+27316w
_PopBsdPowerTransitionAtBoot dd	?	; DATA XREF: PopPowerInformationInternal+545o
					; PopCheckShutdownMarker+ABo ...
dword_6D6F84	dd ?			; DATA XREF: PopCheckShutdownMarker+272E2w
					; PopCheckShutdownMarker+273C3r
byte_6D6F88	db ?			; DATA XREF: PopEnableSystemSleepCheckpoint()+67r
					; PopEnableHiberFile(x,x):loc_886412r ...
		align 4
dword_6D6F8C	dd ?			; DATA XREF: PopCheckShutdownMarker:loc_ABBFAEr
					; PopCheckShutdownMarker+272FDw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopLastBootSucceeded db ?		; DATA XREF: PopPowerInformationInternal:loc_8D71CBr
					; PopCheckShutdownMarker+87w
_PopAutoChkCausedReboot	db ?		; DATA XREF: PopPowerInformationInternal+171A0Cr
					; PopCheckShutdownMarker+F8w
_PopFxLowPowerEpoch db ?		; DATA XREF: PopFxIdleComponent+10Fr
					; PopFxLowPowerEpochCallback+30w ...
_PopShutdownListAvailable db ?		; DATA XREF: PopGracefulShutdown(x)+88w
					; PopRequestShutdownWait+36r ...
		align 8
_PoPdcCallbacks	dd ?			; DATA XREF: PopPolicyWorkerAction+B8r
					; PopPdcRegister+23o ...
dword_6D6FAC	dd ?			; DATA XREF: PoUserShutdownInitiated+32r
					; PoUserShutdownInitiated+A5r
dword_6D6FB0	dd ?			; DATA XREF: PopUserShutdownCancelled(x)+34r
dword_6D6FB4	dd ?			; DATA XREF: PoInitHiberServices+12Fr
dword_6D6FB8	dd ?			; DATA XREF: PopPdcInvocation(x,x)+1Fr
dword_6D6FBC	dd ?			; DATA XREF: NtPowerInformation+D16r
dword_6D6FC0	dd ?			; DATA XREF: PopPowerAggregatorSystemTransitionEnterStateHandler+61r
					; PopPowerAggregatorSystemTransitionExitStateHandler(x)+83r ...
dword_6D6FC4	dd ?			; DATA XREF: PopSuspendResumeInvocation(x)+19r
dword_6D6FC8	dd ?			; DATA XREF: PopUpdatePdcSystemIdleState(x)+Ar
dword_6D6FCC	dd ?			; DATA XREF: PpmPdcNotifyMediaBufferingUpdate(x)r
dword_6D6FD0	dd ?			; DATA XREF: PopNetEvaluationWorkerCallback:loc_5FA1C3r
					; PopNetSetResiliencyPhaseBias(x)+Ar
dword_6D6FD4	dd ?			; DATA XREF: PopQueryBootSessionStandbyActivationInfo(x)+5r
dword_6D6FD8	dd ?			; DATA XREF: PopSleepstudyCaptureSessionStatistics(x,x,x,x,x)+130r
dword_6D6FDC	dd ?			; DATA XREF: PopPowerAggregatorScreenOffEnterStateHandler(x)+DCr
dword_6D6FE0	dd ?			; DATA XREF: PopPdcDisengagePhases()r
dword_6D6FE4	dd ?			; DATA XREF: PopSleepstudyCaptureResiliencyStatistics(x,x,x,x)+D0r
dword_6D6FE8	dd ?			; DATA XREF: PopPowerAggregatorScreenOffExitStateHandler(x)+BEr
					; PopArmIdlePhaseWatchdog(x)+2Fr
dword_6D6FEC	dd ?			; DATA XREF: PopPdcCompleteResiliencyCallback(x,x)+5r
dword_6D6FF0	dd ?			; DATA XREF: PopPdcSnapDiagnosticContext(x)r
dword_6D6FF4	dd ?			; DATA XREF: PopPowerAggregatorDisengageModernStandby(x)+C9r
					; PopPowerAggregatorScreenOffEnterStateHandler(x)+1BFr
dword_6D6FF8	dd ?			; DATA XREF: PopUpdatePowerRequestProcessWakeCounter(x,x)+10r
					; PopUpdatePowerRequestProcessWakeCounter(x,x)+20r ...
dword_6D6FFC	dd ?			; DATA XREF: PopPowerAggregatorNotifyDisplayPoweredOnr
_PopCoolingMode	dd ?			; DATA XREF: PopThermalCoolingPowerSettingCallback:loc_564D85r
					; PopThermalCoolingPowerSettingCallback:loc_5E66A1w ...
_PopTriggerDiagHandleRegistered	db ?	; DATA XREF: PopDiagTraceDirectedDripsInitialization+1Cr
					; PoDiagTraceDirectedDripsCandidateDevice(x)+15r ...
_PopDiagHandleRegistered db ?		; DATA XREF: PoTraceSystemTimerResolutionUpdate+12r
					; PopDiagTraceClearDeepSleepConstraint+12r ...
_PopDiagSleepStudyHandleRegistered db ?	; DATA XREF: PopDiagTraceSleepStudyBlocker(x,x)r
					; PopDiagSleepStudyInitialize()+6r ...
_PopBatteryEtwRegistered db ?		; DATA XREF: PopBatteryTraceSystemBatteryStatus:loc_560D8Cr
					; PopBatteryTracePercentageRemaining(x,x,x,x)+22r ...
_PopNetStandbyReason dd	?		; DATA XREF: PopNetEvaluationWorkerCallback:loc_57B3EBr
					; PopNetEvaluationWorkerCallback+96w ...
_PopNetStandbyState dd ?		; DATA XREF: PopNetEvaluationWorkerCallback+26r
					; PopNetEvaluationWorkerCallback+CDw ...
_PopEtGlobals	dd ?			; DATA XREF: PopEtEnergyContextSetState(x,x)+148r
					; PopEtAggregateKeyCleanup(x)+14r ...
_PpmEtwRegistered db ?			; DATA XREF: PpmCheckStart+35r
					; PpmPerfSnapDeliveredPerformance:loc_489978r ...
_PopConsoleExternalDisplayConnected db ?
					; DATA XREF: PopPowerSourceChangeCallback:loc_5F4940r
					; PopUpdateExternalDisplayState(x)+Cw ...
		align 4
_PpmIntSteerMode dd ?			; DATA XREF: PpmParkSteerInterrupts:loc_486AF7r
					; PopIntSteerSetMode(x,x,x,x)+15w
_PpmIntSteerDisabled dd	?		; DATA XREF: PpmParkSteerInterrupts+5Cr
					; PopIntSteerSetMode(x,x,x,x)+21w ...
_PsWin32CalloutsEstablished db ?	; DATA XREF: PopGetConsoleDisplayRequestCount()+17r
					; PopEventCalloutDispatch+Br ...
		align 4
_RtlpHeapKey	dd ?			; DATA XREF: RtlpDeCommitFreeBlock(x,x,x,x)+1Dr
					; RtlpFindAndCommitPages(x,x)+7Fr ...
_SeInteractiveSid dd ?			; DATA XREF: IopCreateDefaultDeviceSecurityDescriptor+121EEEr
					; IopCreateDefaultDeviceSecurityDescriptor+121F5Cr ...
_SeAllRestrictedAppPackagesSid dd ?	; DATA XREF: MiCreateMemoryEventSD+1Dr
					; MiCreateMemoryEventSD+118r ...
_SeCreatorOwnerSid dd ?			; DATA XREF: ObpGetDosDevicesProtection+41r
					; ObpGetDosDevicesProtection+12Cr ...
_SeAllAppPackagesSid dd	?		; DATA XREF: CmpGenerateAppHiveSecurityDescriptor(x)+100r
					; PopCreateNotificationName(x)+91r ...
; void *SeWorldSid
_SeWorldSid	dd ?			; DATA XREF: SepInitProcessAuditSd:loc_5F5960r
					; SeFastTraverseCheck(x,x,x,x)+5Fr ...
_SeNetworkSid	dd ?			; DATA XREF: SepVariableInitialization()+55Bw
					; SepVariableInitialization()+99Ar ...
_SeBatchSid	dd ?			; DATA XREF: SepVariableInitialization()+56Aw
					; SepVariableInitialization()+9ADr ...
_SeCreatorGroupServerSid dd ?		; DATA XREF: SepVariableInitialization()+3AAw
					; SepVariableInitialization()+451r
_SeCreatorOwnerServerSid dd ?		; DATA XREF: SepVariableInitialization()+395w
					; SepVariableInitialization()+438r
_SeUserModeDriversSid dd ?		; DATA XREF: SepVariableInitialization()+88Fw
					; SepVariableInitialization()+C74r ...
_SePackagePrefixSid dd ?		; DATA XREF: SepMaximumAccessCheck+30Ar
					; SepIsPackageSid(x)+6r ...
_SeCapabilityPrefixSid dd ?		; DATA XREF: SepMaximumAccessCheck+334r
					; SepIsCapabilitySid+6r ...
_SeOwnerRightsSid dd ?			; DATA XREF: SepSidInTokenSidHash+55r
					; SepMaximumAccessCheck:loc_4DFBDEr ...
_SepLearningModeSettings dd ?		; DATA XREF: SeEtwEnableCallback+21w
					; SeEtwEnableCallback+7DCBAw
byte_6D7060	db ?			; DATA XREF: SeLogAccessFailure+ABr
					; RtlpAllowsLowBoxAccess(x):loc_509CD9r ...
byte_6D7061	db ?			; DATA XREF: SeEtwEnableCallback+2Aw
		align 4
_SepTokenSidManagementLoggingEnabled db	? ; DATA XREF: SeEtwEnableCallback:loc_57D72Aw
					; SepLogTokenSidManagement(x,x,x,x,x)+4Cr
		align 4
_SeCreatorGroupSid dd ?			; DATA XREF: SepVariableInitialization()+380w
					; SepVariableInitialization()+427r ...
_SePrincipalSelfSid dd ?		; DATA XREF: SepSidInTokenSidHash+82r
					; SepMaximumAccessCheck:loc_4DFC38r ...
_SepTokenCapabilitySidSharingEnabled db	? ; DATA XREF: SepFreeTokenCapabilitiesr
					; NtCreateTokenEx+5F1r	...
_SepOsLoaderTpmDriverLoaded db ?	; DATA XREF: SeQueryTrustedPlatformModuleInformation(x,x,x)+67r
					; SepVariableInitialization()+309w
		align 8
_SepLsaDeletedLogonQueueInfo dd	?	; DATA XREF: SepInformLsaOfDeletedLogon+1Eo
					; SepRmCommandServerThread+8CA6Co ...
dword_6D707C	dd ?			; DATA XREF: SepInitializeWorkList()+65w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D7088	db    ?	;		; DATA XREF: SepRmCommandServerThread+8CA61o
					; SepInitializeWorkList()+3Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D70E0	dd ?			; DATA XREF: SepRmCommandServerThread+8CA7Cw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D70EC	dd ?			; DATA XREF: SepInitializeWorkList()+5Fw
word_6D70F0	dw ?			; DATA XREF: SepInitializeWorkList()+72w
		align 4
_SepTokenSidSharingEnabled db ?		; DATA XREF: SepCreateTokenEx+417r
					; SepCreateTokenEx:loc_513240r	...
		align 4
; void *SeTrustedInstallerSid
_SeTrustedInstallerSid dd ?		; DATA XREF: SepCheckForCriticalAceRemoval(x,x,x,x,x)+64r
					; PiAuGetServiceStateSecurityObject(x)+44r ...
_SeLocalSid	dd ?			; DATA XREF: DbgkpCreateNotificationEvent+95r
					; DbgkpCreateNotificationEvent+ECr ...
_SeLocalSystemSid dd ?			; DATA XREF: SeReportSecurityEventWithSubCategory+D8CBEr
					; SepInitProcessAuditSd+86BE6r	...
_SepMandatoryObjectTypePolicyCount dd ?	; DATA XREF: SeComputeAutoInheritByObjectTypeEx+4Cr
					; SeRegisterObjectTypeMandatoryPolicy+41r ...
_g_SecureBootPolicyBlobHeader db    ? ;	; DATA XREF: SeSecureBootRegisterPolicy+51o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D710C	dd ?			; DATA XREF: SeSecureBootQueryInformation+60r
					; SeSecureBootQueryInformation+69r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SepLsaAuditQueueInfo dd ?		; DATA XREF: SepAdtLogAuditRecord(x)+177o
					; SepRmCommandServerThread+8CA2Do ...
dword_6D7124	dd ?			; DATA XREF: SepInitializeWorkList()+19w
dword_6D7128	dd ?			; DATA XREF: SepAdtInitLsaDeadEventForNonPagedList(x)+22o
					; SepInitializeWorkList()+28o ...
dword_6D712C	dd ?			; DATA XREF: SepInitializeWorkList()+2Fw
unk_6D7130	db    ?	;		; DATA XREF: SepRmCommandServerThread+8CA22o
					; SepInitializeWorkList()+3o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D7168	dd ?			; DATA XREF: SepAdtInitLsaDeadEventForNonPagedList(x)+16o
					; SepInitializeWorkList()+Dw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D717C	dd ?			; DATA XREF: SepAdtDetermineInsertQueue:loc_57B0BCr
					; SepAdtDetermineInsertQueue:loc_5FA10Fr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D7188	dd ?			; DATA XREF: SepRmCommandServerThread+8CA3Dw
dword_6D718C	dd ?			; DATA XREF: SepAdtInitLsaDeadEventForNonPagedList(x)+2Cw
dword_6D7190	dd ?			; DATA XREF: SepInitializeWorkList()+45w
dword_6D7194	dd ?			; DATA XREF: SepInitializeWorkList()+3Fw
word_6D7198	dw ?			; DATA XREF: SepInitializeWorkList()+4Fw
		align 4
_SepCrashOnAuditFail db	?		; DATA XREF: SepAdtDetermineInsertQueue+Fr
					; SepAuditFailedRaisedIrql(x)r	...
		align 10h
_WmipInUseRegEntryCount	dd ?		; DATA XREF: WmipBuildTraceDeviceList+38r
					; WmipAllocRegEntry+6Aw ...
_EtwpCoverageContext dd	?		; DATA XREF: EtwTelemetryCoverageReport(x)+A6r
					; EtwSetProcessTelemetryCoverage+1Ar ...
_EtwpCoverageCoreTracingEnabled	dd ?	; DATA XREF: EtwTelemetryCoverageReport(x):loc_54DD67r
					; EtwpCoverageRecord(x,x):loc_850AD7r ...
_EtwpCoverageNonPagedContext dd	?	; DATA XREF: EtwTelemetryCoverageReport(x):loc_54DB2Er
					; EtwTelemetryCoverageReport(x):loc_54DB53r ...
_ExpSpinCycleCount dd ?			; DATA XREF: ExTimedWaitForUnblockPushLock+1Dr
					; ExfAcquirePushLockSharedEx+EAr ...
_ExBootLoaderMetadata dd ?		; DATA XREF: PAGE:loc_78143Cr
					; PAGE:0078149Er ...
_ExSoftRebootFlags dd ?			; DATA XREF: BapdpKsrCancelScenario(x,x)+2Cw
					; BapdpKsrComplete(x,x)+2Aw ...
_ExSoftRebootState dd ?			; DATA XREF: ExpSetSoftRebootFlags(x)+147o
					; ExpSetSoftRebootFlags(x)+1D9o ...
_ExReadyForErrors db ?			; DATA XREF: NtSetDefaultHardErrorPort+85w
					; CmpCanGrowHive+18AA1Br ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExPoolState	db    ?	;		; DATA XREF: RtlpHpEnvGetHeapManager(x,x)+Eo
					; RtlHpKInitializeHeapManager()+2Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6D8E70	dd ?			; DATA XREF: ExpHpCompactionRoutine(x)+39r
					; ExpHpCompactionRoutine(x)+F3r ...
		align 10h
dword_6D8E80	dd ?			; DATA XREF: ExpHpCompactionRoutine(x)+45o
					; ExHeapQueryPoolUsage(x,x,x,x,x,x,x,x)+24o ...
dword_6D8E84	dd ?			; DATA XREF: ExpHeapQueryPoolPages(x,x,x,x)+6r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D8EC0	db    ?	;		; DATA XREF: ExHeapLookasideRebalance()+16o
					; ExInitializePagedHeaps()+1Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6D9F00	db    ?	;		; DATA XREF: ExInitializePoolHeapManagement+46o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6DC044	db    ?	;		; DATA XREF: IopAssignBootDriveLetter+80o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6E0055	db    ?	;		; DATA XREF: .data:off_6B66C4o
					; .data:off_6B66F0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6E6973	db    ?	;		; DATA XREF: .data:off_6B3BE0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6E6F69	db    ?	;		; DATA XREF: PAGE:008BC13Co
					; PAGEVRFY:00A54CDCo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6E7053	db ?			; DATA XREF: .text:00422C7Ew
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db ?
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6F7649	db    ?	;		; DATA XREF: IovpBuildDriverObjectList(x,x,x,x,x)+15o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6F9A80	dd ?			; DATA XREF: ExpHpCompactionRoutine(x)+10Br
					; ExGetHeapFromType:loc_4F1CE3r ...
dword_6F9A84	dd ?			; DATA XREF: ExInitializePoolHeapManagement+11Dw
dword_6F9A88	dd ?			; DATA XREF: ExInitializePagedHeaps()+E5w
dword_6F9A8C	dd ?			; DATA XREF: ExInitializePagedHeaps()+109w
					; ExGetHeapFromType:loc_5D0D47r
unk_6F9A90	db    ?	;		; DATA XREF: ExpHpIsSpecialPoolHeap(x)+4Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpWnfDispatcher dd ?			; DATA XREF: ExpWnfStartKernelDispatcher(x)+7r
					; ExpWnfStartKernelDispatcher(x)+15r ...
_WheapPreviousSessionFailure db	?	; DATA XREF: WheapProcessWorkQueueItem(x,x)+9r
					; INIT:00AC41DEw
_WheapInitializationComplete db	?	; DATA XREF: WheaConfigureErrorSource+C8r
					; WheaAddErrorSource+95r ...
		align 4
_WheapErrorSourceTable dd ?		; DATA XREF: WheaGetErrorSource(x)+8o
					; WheapAttemptArchitecturalErrorRecovery(x)+2Bo ...
dword_6F9ACC	dd ?			; DATA XREF: .text:0056BEBDw
					; WheapInitializeDeferredErrorSources(x)r ...
dword_6F9AD0	dd ?			; DATA XREF: .text:0056BE9Ar
					; .text:0056BEC4w
dword_6F9AD4	dd ?			; DATA XREF: .text:0056BE9Fo
					; WheapInitializeDeferredErrorSources(x)+7r ...
dword_6F9AD8	dd ?			; DATA XREF: .text:0056BEA7r
					; .text:0056BEB7w ...
unk_6F9ADC	db    ?	;		; DATA XREF: .text:0056BE89o
					; INIT:00AC4238o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WheapPolicyMemPersistOffline db ?	; DATA XREF: WheapAttemptPhysicalPageOffline(x,x,x,x,x,x):loc_A12799r
					; PAGE:00A12974w ...
_WheapCrashDumpInitialized db ?		; DATA XREF: WheapCreateLiveDumpFromPreviousSession(x)+39r
					; WheaCrashDumpInitializationComplete()+1Fw
_WheapPfaInitialized db	?		; DATA XREF: WheapPredictiveFailureAnalysis(x)+27r
					; WheaInitializeServices()+43w
		align 10h
dword_6F9AF0	dd ?			; DATA XREF: TxtpAddCacheEntry+A59w
					; TxtpAddCacheEntry+AFDr ...
_ArbMmConfigRange dd ?			; DATA XREF: ArbAddMmConfigRangeAsBootReserved+20r
					; ArbAddMmConfigRangeAsBootReserved+124w ...
_Feature_Servicing_Dcr_23_07_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_TestUx32__private_featureState	db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_03_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_24_01_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_ValConf__private_featureState db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_24_05_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Standalone_24_10_NonSec__private_featureState db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_02_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Standalone_24_06_NonSec__private_featureState db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_10_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Standalone_24_05_NonSec__private_featureState db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_UxSettingTest__private_featureState db	   ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Opnum_Filter__private_featureState dd ?
					; DATA XREF: Feature_Servicing_Opnum_Filter__private_IsEnabledDeviceUsage()+7r
		align 10h
_Feature_Servicing_Dcr_23_01_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Standalone_24_09_NonSec__private_featureState db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_05_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_24_04_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Standalone_24_08_NonSec__private_featureState db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_PerfTestCen2__private_featureState db	  ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Standalone_24_04_NonSec__private_featureState db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_UxConfTest__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_08_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_04_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_11_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_12_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_24_02_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_24_06_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_HibernateRelaxVBSPolicy__private_featureState dd ?
					; DATA XREF: Feature_Servicing_HibernateRelaxVBSPolicy__private_IsEnabledNoReporting()+7r
		align 8
_Feature_Servicing_Dcr_22_12_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_24_03_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_06_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Standalone_24_07_NonSec__private_featureState db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SettingsDel__private_featureState db	 ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_09_NonSec__private_featureState db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_CopyFileMoveFileEventLeak__private_featureState dd ?
					; DATA XREF: Feature_Servicing_CopyFileMoveFileEventLeak__private_IsEnabledDeviceUsage()+Ar
		align 10h
_Feature_TestConfVar__private_featureState db	 ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_2543631672__private_featureState dd ?
					; DATA XREF: Feature_2543631672__private_IsEnabledDeviceUsage()+Ar
		align 10h
_Feature_1148767544__private_featureState dd ?
					; DATA XREF: Feature_1148767544__private_IsEnabledDeviceUsage()+Ar
					; .text:_Feature_1148767544__private_descriptoro
		align 8
_Feature_693672248__private_featureState dd ?
					; DATA XREF: Feature_693672248__private_IsEnabledDeviceUsage()+7r
					; .text:_Feature_693672248__private_descriptoro
		align 10h
_Feature_3401902395__private_featureState dd ?
					; DATA XREF: Feature_3401902395__private_IsEnabledDeviceUsage()+Ar
					; .text:_Feature_3401902395__private_descriptoro
		align 8
_Feature_3257204026__private_featureState dd ?
					; DATA XREF: Feature_3257204026__private_IsEnabledDeviceUsage()+7r
		align 10h
_Feature_1445264698__private_featureState dd ?
					; DATA XREF: Feature_1445264698__private_IsEnabledDeviceUsage()+7r
		align 8
_Feature_SchedulerQosPreemption__private_featureState dd ?
					; DATA XREF: Feature_SchedulerQosPreemption__private_ReportDeviceUsage()+7r
					; .text:_Feature_SchedulerQosPreemption__private_descriptoro
		align 10h
_Feature_SchedulerFavoredCoreRotation__private_featureState dd ?
					; DATA XREF: Feature_SchedulerFavoredCoreRotation__private_ReportDeviceUsage()+7r
					; .text:_Feature_SchedulerFavoredCoreRotation__private_descriptoro
		align 8
_Feature_BamQosGrouping__private_featureState dd ?
					; DATA XREF: .text:_Feature_BamQosGrouping__private_descriptoro
					; KeInitializeVelocity()+7r
		align 10h
_Feature_SchedulerAssistLongSpinWait__private_featureState dd ?
					; DATA XREF: Feature_SchedulerAssistLongSpinWait__private_ReportDeviceUsage()+7r
		align 8
_Feature_SchedulerAssistAllowRealTime__private_featureState dd ?
					; DATA XREF: Feature_SchedulerAssistAllowRealTime__private_ReportDeviceUsage()+7r
					; .text:_Feature_SchedulerAssistAllowRealTime__private_descriptoro
		align 10h
_Feature_SchedulerAggressiveForegroundBoost__private_featureState dd ?
					; DATA XREF: Feature_SchedulerAggressiveForegroundBoost__private_ReportDeviceUsage()+7r
					; .text:_Feature_SchedulerAggressiveForegroundBoost__private_descriptoro
		align 8
_Feature_SchedulerAssistHRTimer__private_featureState dd ?
					; DATA XREF: Feature_SchedulerAssistHRTimer__private_ReportDeviceUsage()+7r
		align 10h
_Feature_SchedulerAssistSpinLock__private_featureState dd ?
					; DATA XREF: Feature_SchedulerAssistSpinLock__private_ReportDeviceUsage()+7r
		align 8
_Feature_SchedulerAssistEnableBAM__private_featureState	dd ?
					; DATA XREF: Feature_SchedulerAssistEnableBAM__private_ReportDeviceUsage()+7r
					; .text:_Feature_SchedulerAssistEnableBAM__private_descriptoro
		align 10h
_Feature_SchedulerAssistForegroundBoostBias__private_featureState dd ?
					; DATA XREF: Feature_SchedulerAssistForegroundBoostBias__private_ReportDeviceUsage()+7r
		align 8
_Feature_SchedulerAssistThreadFlag__private_featureState dd ?
					; DATA XREF: Feature_SchedulerAssistThreadFlag__private_ReportDeviceUsage()+7r
		align 10h
_Feature_SchedulerAssistPreemptionPriorityKick__private_featureState dd	?
					; DATA XREF: Feature_SchedulerAssistPreemptionPriorityKick__private_ReportDeviceUsage()+7r
		align 8
_Feature_SchedulerAssistReflectPriority__private_featureState dd ?
					; DATA XREF: KiInitializeVelocity()+7r
		align 10h
_Feature_DisableLowQosTimerResolution__private_featureState dd ?
					; DATA XREF: Feature_DisableLowQosTimerResolution__private_ReportDeviceUsage()+7r
					; .text:_Feature_DisableLowQosTimerResolution__private_descriptoro
		align 8
_Feature_ReduceTimerWakes__private_featureState	dd ?
					; DATA XREF: Feature_ReduceTimerWakes__private_ReportDeviceUsage()+7r
		align 10h
_Feature_Leap_Seconds_Sixty_Second__private_featureState dd ?
					; DATA XREF: Feature_Leap_Seconds_Sixty_Second__private_ReportDeviceUsage()+Ar
					; .text:_Feature_Leap_Seconds_Sixty_Second__private_descriptoro
		align 8
_Feature_PdttSupport__private_featureState dd ?	; DATA XREF: PoClearTransitionMarker()+127r
		align 10h
_Feature_PowerButtonBugcheck__private_featureState dd ?
					; DATA XREF: .text:_Feature_PowerButtonBugcheck__private_descriptoro
					; PopQueryPowerButtonBugcheckEnabled()+5Fr
		align 8
_Feature_DirectedFx__private_featureState dd ?
					; DATA XREF: .text:_Feature_DirectedFx__private_descriptoro
					; PopDirectedDripsQueryEnabledMitigations(x):loc_8ADF80r
		align 10h
_Feature_SleepReliabilityDetailedDiagnostics__private_featureState dd ?
					; DATA XREF: Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledDeviceUsage()+7r
		align 8
_Feature_PPLEnforcement__private_featureState dd ?
					; DATA XREF: Feature_PPLEnforcement__private_ReportDeviceUsage()+Ar
					; .text:_Feature_PPLEnforcement__private_descriptoro
		align 10h
_Feature_SModeAdminless__private_featureState dd ?
					; DATA XREF: Feature_SModeAdminless__private_ReportDeviceUsage()+Ar
		align 8
_Feature_WCOSDeveloperMode__private_featureState dd ?
					; DATA XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+78r
		align 10h
_Feature_WldpDeveloperMode__private_featureState dd ?
					; DATA XREF: Feature_WldpDeveloperMode__private_ReportDeviceUsage()+7r
					; .text:_Feature_WldpDeveloperMode__private_descriptoro
		align 8
_Feature_RelaxTcbForUWP__private_featureState dd ?
					; DATA XREF: Feature_RelaxTcbForUWP__private_ReportDeviceUsage()+Ar
					; .text:_Feature_RelaxTcbForUWP__private_descriptoro
		align 10h
_Feature_LogErrorRecords__private_featureState dd ?
					; DATA XREF: WheaReportHwError(x):loc_68FF88r
		align 8
_wil_details_featureChangeNotification dd ?
					; DATA XREF: wil_details_RegisterFeatureStagingChangeNotification(x,x)+3o
					; wil_details_RegisterFeatureStagingChangeNotification(x,x)+1Aw
		align 10h
dword_6F9D20	dd ?			; DATA XREF: sub_597FFE+Ar
					; .text:off_6AB514o
		align 8
_Feature_CompatBuildInVb__private_featureState dd ?
					; DATA XREF: Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()+Ar
					; .text:_Feature_CompatBuildInVb__private_descriptoro
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmHiveIdentity	dd ?			; DATA XREF: CmpLinkHiveToMaster+25Ew
_CmpActiveHiveRundownCount dd ?		; DATA XREF: CmpTryToRundownHive+6Fw
					; CmpTryToRundownHive+BDw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpKcbLookaside db    ? ;		; DATA XREF: CmpFreeKeyControlBlock+A0o
					; CmpFreeKeyControlBlock+EEo ...
		db    ?	;
		db    ?	;
		db    ?	;
word_6F9D84	dw ?			; DATA XREF: CmpFreeKeyControlBlock+89r
		align 4
word_6F9D88	dw ?			; DATA XREF: CmpFreeKeyControlBlock+95r
		align 4
dword_6F9D8C	dd ?			; DATA XREF: CmpCreateKeyControlBlock+F9w
					; CmpAllocateKeyControlBlock()+3Cw
dword_6F9D90	dd ?			; DATA XREF: CmpCreateKeyControlBlock+475w
					; CmpAllocateKeyControlBlock()+57w
dword_6F9D94	dd ?			; DATA XREF: CmpFreeKeyControlBlock+8Fw
dword_6F9D98	dd ?			; DATA XREF: CmpFreeKeyControlBlock:loc_740208w
dword_6F9D9C	dd ?			; DATA XREF: CmpCreateKeyControlBlock+487r
					; CmpAllocateKeyControlBlock()+6Ar
dword_6F9DA0	dd ?			; DATA XREF: CmpCreateKeyControlBlock:loc_808DC0r
					; CmpAllocateKeyControlBlock()+5Er
dword_6F9DA4	dd ?			; DATA XREF: CmpCreateKeyControlBlock+481r
					; CmpAllocateKeyControlBlock()+64r
dword_6F9DA8	dd ?			; DATA XREF: CmpCreateKeyControlBlock+48Dr
					; CmpAllocateKeyControlBlock()+70r
dword_6F9DAC	dd ?			; DATA XREF: CmpFreeKeyControlBlock+F4r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_FsRtlEcpListLookaside db    ? ;	; DATA XREF: FsRtlAllocateExtraCreateParameterList+1Fo
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B25o ...
		db    ?	;
		db    ?	;
		db    ?	;
word_6F9E04	dw ?			; DATA XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B05r
					; FsRtlpCleanupEcps+CFr
		align 4
word_6F9E08	dw ?			; DATA XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B0Br
					; FsRtlpCleanupEcps+DBr
		align 4
dword_6F9E0C	dd ?			; DATA XREF: FsRtlAllocateExtraCreateParameterList+19w
dword_6F9E10	dd ?			; DATA XREF: FsRtlAllocateExtraCreateParameterList+55w
dword_6F9E14	dd ?			; DATA XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+AFFw
					; FsRtlpCleanupEcps+D5w
dword_6F9E18	dd ?			; DATA XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B14w
					; FsRtlpCleanupEcps:loc_7F7199w
dword_6F9E1C	dd ?			; DATA XREF: FsRtlAllocateExtraCreateParameterList+62r
dword_6F9E20	dd ?			; DATA XREF: FsRtlAllocateExtraCreateParameterList:loc_7A28F0r
dword_6F9E24	dd ?			; DATA XREF: FsRtlAllocateExtraCreateParameterList+5Cr
dword_6F9E28	dd ?			; DATA XREF: FsRtlAllocateExtraCreateParameterList+68r
dword_6F9E2C	dd ?			; DATA XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B1Br
					; FsRtlpCleanupEcps+100r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_RtlLznt1DecompressChunkLookaside db	? ;
					; DATA XREF: LZNT1DecompressChunkNewThread(x,x,x,x,x,x)+2Fo
					; LZNT1DecompressChunkWorkItem+38o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6F9F80	db    ?	;		; DATA XREF: TxtpAddCacheEntry:loc_A77B6Do
					; TxtpAddCacheEntry:loc_A782EEo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpDelayCloseWorkItemActive db	   ? ;	; DATA XREF: CmpArmDelayedCloseTimer()+2o
					; PAGE:0080544Do ...
		db    ?	;
		db    ?	;
		db    ?	;
_CmpHiveFileListHandle dd ?		; DATA XREF: CmpAddToHiveFileList+28r
					; CmpAddToHiveFileList+A1r ...
_PcwpSynchNumaCounterSet dd ?		; DATA XREF: ExpPcwHostCallback+9Fo
					; ExpPcwHostCallback:loc_92D753r ...
_PcwpEventTracingSessionCounterSet dd ?	; DATA XREF: EtwRegisterCounters()+6Eo
					; EtwUnregisterCounters()r ...
_PcwpThermalCounterSet dd ?		; DATA XREF: ExpPcwHostCallback+186o
					; ExpPcwHostCallback:loc_92D792r ...
_PcwpFileSystemDiskIOCounterSet	dd ?	; DATA XREF: ExpPcwHostCallback+13Ao
					; ExpPcwHostCallback:loc_92D77Dr ...
_PcwpProcessorCounterSet dd ?		; DATA XREF: ExpPcwHostCallback+E2o
					; ExpPcwHostCallback:loc_92D768r ...
_PcwpEventTracingCounterSet dd ?	; DATA XREF: EtwRegisterCounters()+26o
					; EtwUnregisterCounters():loc_A3EEEBr ...
_PcwpSynchCounterSet dd	?		; DATA XREF: ExpPcwHostCallback+5Co
					; ExpPcwHostCallback+96564r ...
_IopMountsInProgress dd	?		; DATA XREF: IopMountVolume+269w
					; IopMountVolume+2A2w ...
_PpmExitLatencySamplingPercentage dd ?	; DATA XREF: PpmGetExitSamplingCountdown()r
					; PpmCancelExitLatencyTrace(x)+15r ...
_PpmNonInterruptibleCount dd ?		; DATA XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+80Aw
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+11B1w ...
_PopPowerSettingChangeStamp dd ?	; DATA XREF: PopSetPowerSettingValue+19Aw
_PopInputSuppressionActionCount	dd ?	; DATA XREF: PopEvaluateInputSuppressionAction():loc_9B438Fw
					; PopQueryInputSuppressionCount(x)+2o
_RtlpBootStatHandleLock	db    ?	;	; DATA XREF: RtlpAcquireBootStatusLock()+7o
					; RtlpReleaseBootStatusLock()+6o
		db    ?	;
		db    ?	;
		db    ?	;
_RtlpDebugPrintCallbackLock db	  ? ;	; DATA XREF: vDbgPrintExWithPrefixInternal:loc_5F3225o
					; vDbgPrintExWithPrefixInternal+B4089o	...
		db    ?	;
		db    ?	;
		db    ?	;
_SeILSigningPolicyRuntime db ?		; DATA XREF: SepGetSystemSigningLevel()+9r
					; SeQuerySigningPolicy+1Dr ...
		align 4
_ExpCheckTestSigningInit db    ? ;	; DATA XREF: ExpCheckTestsigningEnabled()+Co
					; ExpFirmwareAccessAppContainerCheck(x)+107o
		db    ?	;
		db    ?	;
		db    ?	;
_MUIRegistryLock dd ?			; DATA XREF: NtGetMUIRegistryInfo+BDr
					; NtGetMUIRegistryInfo+D9r ...
unk_6F9FF4	db    ?	;		; DATA XREF: TlgRegisterAggregateProviderEx+64o
					; TlgRegisterAggregateProviderEx+70o ...
		db    ?	;
		db    ?	;
		db    ?	;
_g_AhcDeviceObject dd ?			; DATA XREF: NtApphelpCacheControl:loc_83A438r
					; NtApphelpCacheControl+96r ...
		align 10h
_CcVacbLevelWithBcbListHeadsLookasideList db	? ; ; DATA XREF: CcAllocateVacbLevel+C6o
					; CcDeallocateVacbLevel(x,x)+2o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CcVacbLevelLookasideList db	? ;	; DATA XREF: CcFreeUnusedVacbLevels+6o
					; CcAllocateVacbLevel:loc_5047BEo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CcBitmapLookasideList db    ? ;	; DATA XREF: CcDeleteMbcb:loc_49727Do
					; .text:loc_4A83EFo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CcMasterLock	dd ?			; DATA XREF: CcWriteBehindInternal+32Bo
					; CcDeleteSharedCacheMap+1B5o ...
_HvSymcryptSeed	db    ?	;		; DATA XREF: HvpGenerateLogEntryChecksums:loc_74215Ao
					; HvpGenerateLogEntryChecksums+70o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpBounceBufferLookaside db	? ;	; DATA XREF: CmpBounceContextCleanup(x)+2Do
					; CmpBounceContextCleanup(x)+3Do ...
		db    ?	;
		db    ?	;
		db    ?	;
word_6FA284	dw ?			; DATA XREF: CmpBounceContextCleanup(x)+18r
		align 4
word_6FA288	dw ?			; DATA XREF: CmpBounceContextCleanup(x)+24r
		align 4
dword_6FA28C	dd ?			; DATA XREF: CmpBounceContextStart+88w
dword_6FA290	dd ?			; DATA XREF: CmpBounceContextStart+E5w
dword_6FA294	dd ?			; DATA XREF: CmpBounceContextCleanup(x)+1Ew
dword_6FA298	dd ?			; DATA XREF: CmpBounceContextCleanup(x):loc_818BD7w
dword_6FA29C	dd ?			; DATA XREF: CmpBounceContextStart+F7r
dword_6FA2A0	dd ?			; DATA XREF: CmpBounceContextStart:loc_818D10r
dword_6FA2A4	dd ?			; DATA XREF: CmpBounceContextStart+F1r
dword_6FA2A8	dd ?			; DATA XREF: CmpBounceContextStart+FDr
dword_6FA2AC	dd ?			; DATA XREF: CmpBounceContextCleanup(x)+43r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_TunnelLookasideList db	   ? ;		; DATA XREF: .text:005CC889o
					; PAGE:loc_8EAF2Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_FsRtlFastMutexLookasideList db	   ? ;	; DATA XREF: FsRtlInitializeLargeMcb+1Ao
					; FsRtlUninitializeLargeMcb(x)+Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_FsRtlFirstNonPagedMappingLookasideList	db    ?	;
					; DATA XREF: FsRtlInitializeBaseMcbEx:loc_4D7455o
					; FsRtlUninitializeBaseMcb(x):loc_4DCAAAo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_FsRtlFirstPagedMappingLookasideList db	   ? ; ; DATA XREF: FsRtlInitializeBaseMcbEx+22o
					; FsRtlUninitializeBaseMcb(x)+18o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_FsRtlExclusiveLockLookasideList db    ? ; ; DATA XREF:	FsRtlPrivateFastUnlockAll+2A4o
					; FsRtlPrivateInsertLock:loc_4E27D1o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_FsRtlSharedLockLookasideList db    ? ;	; DATA XREF: FsRtlPrivateFastUnlockAll+1F7o
					; FsRtlPrivateInsertLock+19o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_FsRtlFileLockLookasideList db	  ? ;	; DATA XREF: FsRtlAllocateFileLock(x,x)+5o
					; FsRtlFreeFileLock(x)+10o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_FsRtlLockInfoLookasideList db	  ? ;	; DATA XREF: FsRtlPrivateInitializeFileLock+28o
					; FsRtlUninitializeFileLock+93o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_FsRtlLockTreeNodeLookasideList	db    ?	; ; DATA XREF: FsRtlPrivateFastUnlockAll+26Ao
					; FsRtlPrivateInsertSharedLock+3Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_FsRtlWaitingLockLookasideList db    ? ; ; DATA	XREF: FsRtlPrivateFastUnlockAll+EA98Bo
					; FsRtlPrivateLock+EA3B1o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopSymlinkInfoLookasideList db	   ? ;	; DATA XREF: IopSymlinkAllocateAndAddECP+2Bo
					; IopSymlinkPropagateToExtensionIfNeeded+FE91Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopOplockFoExtLookasideList db	   ? ;	; DATA XREF: IopDeleteFileObjectExtension+6Fo
					; IoSetOplockPrivateFoExt:loc_53C677o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiAbTreeArray	dd ?			; DATA XREF: KiAbEntryGetLockedHeadEntry+7Br
					; KiAbEntryRemoveFromTree+60r ...
dword_6FAC04	dd ?			; DATA XREF: KiInitSystem+11Aw
dword_6FAC08	dd ?			; DATA XREF: KiAbEntryGetLockedHeadEntry+81r
					; KiAbEntryRemoveFromTree+5Ar ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AlpcpLookasides db    ? ;		; DATA XREF: AlpcpDereferenceBlobEx+77o
					; AlpcpAllocateBlob(x,x,x)+87o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FB00C	dd ?			; DATA XREF: PAGE:008308AAw
dword_6FB010	dd ?			; DATA XREF: PAGE:008308BEw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FB01C	dd ?			; DATA XREF: PAGE:008308D0r
dword_6FB020	dd ?			; DATA XREF: PAGE:008308C4r
dword_6FB024	dd ?			; DATA XREF: PAGE:008308CAr
dword_6FB028	dd ?			; DATA XREF: AlpcpAllocateBlob(x,x,x)+74r
					; PAGE:008308D6r
dword_6FB02C	dd ?			; DATA XREF: AlpcpDereferenceBlobEx+62r
					; AlpcpDestroyBlob(x,x)+70r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FB0C0	db    ?	;		; DATA XREF: AlpcpInitSystem+164o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FB180	db    ?	;		; DATA XREF: AlpcAddHandleTableEntry(x,x)+B5o
					; AlpcInitializeHandleTable(x,x)+5o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AlpcpNPLookasides db	 ? ;		; DATA XREF: AlpcpDestroyPort(x)+59o
					; AlpcpInitializePort(x,x,x)+FDo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ObpWaitBlockLookaside db    ? ;	; DATA XREF: ObWaitForMultipleObjects+53Bo
					; ObInitSystem+38Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PfKernelGlobals
_PfKernelGlobals dd ?			; DATA XREF: MiTrimOrAgeWorkingSet+303r
					; MiDrainOldAccessBuffers+87r ...
dword_6FB604	dd ?			; DATA XREF: MiTrimOrAgeWorkingSet+2F5r
					; MiDrainOldAccessBuffers+7Dr ...
unk_6FB608	db    ?	;		; DATA XREF: MiQueuePageAccessLog(x)+1Fo
					; MiQueuePageAccessLog(x):loc_43C90Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FB60C	db    ?	;		; DATA XREF: MiQueuePageAccessLog(x)+7Fo
					; PfpEventHandleFullBuffer(x)+38o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FB610	dd ?			; DATA XREF: MiQueuePageAccessLog(x):loc_43C91Dr
					; PfpEventHandleFullBuffer(x)+Dr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FB61C	dd ?			; DATA XREF: MiQueuePageAccessLog(x)+46r
					; MiEmptyPageAccessLog+14Er ...
unk_6FB620	db    ?	;		; DATA XREF: MiQueuePageAccessLog(x)+50o
					; MiEmptyPageAccessLog+15Co ...
		db    ?	;
		db    ?	;
		db    ?	;
word_6FB624	dw ?			; DATA XREF: MiQueuePageAccessLog(x)+3Fr
					; MiEmptyPageAccessLog+147r ...
		align 4
dword_6FB628	dd ?			; DATA XREF: MiQueuePageAccessLog(x)+2Dr
					; PfHardFaultLog+73r ...
byte_6FB62C	db ?			; DATA XREF: PfHardFaultRecord+5Cr
					; MiIssueHardFault(x,x)+186r ...
		align 10h
dword_6FB630	dd ?			; DATA XREF: MiLogRelocationRva+4Fr
					; MiLogRelocationRva+8Cr ...
		align 10h
_ViAvlNodeLookaside db	  ? ;		; DATA XREF: VfAvlReserveNode:loc_5DC761o
					; VfTargetDriversRemove+91F77o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FB700	dd ?			; DATA XREF: BgpFwReleaseLock+2Bo
					; BgpFwAcquireLock()+1Ao ...
_IopIrpCreditsEnabled dd ?		; DATA XREF: IopAllocateIrpPrivate:loc_52688Fr
					; KeBalanceSetManager+64r ...
_KiClockIntervalRequests dd ?		; DATA XREF: KiSetClockInterval+Bo
					; KiSetClockInterval+2Cr ...
dword_6FB70C	dd ?			; DATA XREF: KiSetClockInterval+26r
					; KiSetClockIntervalToMinimumRequested()+5r ...
_PopDiagActivityId db	 ? ;		; DATA XREF: PopDiagTraceDeviceVerboseRundown+258o
					; PopDiagTracePowerTransitionEnd(x)+45o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopBootStat	dd ?			; DATA XREF: PopBootStatSet+B6r
					; PopBootStatGet+14Br
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PspLoadImageNotifyRoutine db	 ? ;	; DATA XREF: PsCallImageNotifyRoutines+BDo
					; PsRemoveLoadImageNotifyRoutine+1Do ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PspCreateThreadNotifyRoutine db    ? ;	; DATA XREF: PspCallThreadNotifyRoutines+3Bo
					; PspCallThreadNotifyRoutines:loc_778174o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PspCreateProcessNotifyRoutine db    ? ; ; DATA	XREF: PspCallProcessNotifyRoutines+116o
					; PspSetCreateProcessNotifyRoutine+45o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FBAD0	dd ?			; DATA XREF: SeValidateImageHeader+6Eo
					; SeUnregisterImageVerificationCallback(x)+5w ...
		align 8
_SepRmDbLock	dd ?			; DATA XREF: SepReferenceLogonSessionSilo(x,x,x)+39r
					; SepUpdateLogonSessionTrack+2Er ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SepRmGlobalSaclLock db	   ? ;		; DATA XREF: SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+46o
					; SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x):loc_66F906o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpUuidLock	dd ?			; DATA XREF: NtAllocateUuids+C5o
					; NtAllocateUuids+D1o ...
_CmLegacyAltitude db	? ;		; DATA XREF: CmRegisterCallback(x,x,x)+12o
					; CmpInitCallbacks()+Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpDeviceActionThread dd ?		; DATA XREF: .text:0054EEB5o
					; .text:0054F15Ao ...
_IopErrorLogSession dw ?		; DATA XREF: KiSaveCurrentEtwTraceBuffer()+88r
					; EtwWriteErrorLogEntry+2Cr ...
		align 8
_KiIntSteerEtwHandle dd	?		; DATA XREF: KiIntSteerEtwEventEnabled(x)r
					; KiIntSteerConnect+26r ...
dword_6FBC0C	dd ?			; DATA XREF: KiIntSteerEtwEventEnabled(x)+9r
					; KiIntSteerConnect+2Br ...
_PopEstimateSpoilerMask	dd ?		; DATA XREF: PopSpoilBatteryEstimate(x,x)+2Ao
					; PopSpoilBatteryEstimate(x,x):loc_868CA7r ...
_PopDebugFlags	dd ?			; DATA XREF: PopInvokeSystemStateHandler:loc_71BCF1r
					; PoBroadcastSystemState+37Fr ...
_WmiPerfStateEventEnabled dd ?		; DATA XREF: PpmEventLegacyProcessorPerfStateChange:loc_5626CAr
					; PpmWmiDispatch+892D6o
_WmiPerfStateDomainEventEnabled	dd ?	; DATA XREF: PpmEventDomainPerfStateChange+3Ar
					; PpmWmiDispatch+892F3o
_PopEsWorkItemDue db	? ;		; DATA XREF: PopEsWorkItemSchedule(x)+9o
					; PopEsWorker+19o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FBC28	db    ?	;		; DATA XREF: BgpFwLibraryInitialize+139o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FC428	db    ?	;		; DATA XREF: AnFwProgressIndicatorTransition()+20o
					; AnFwDisplayProgressIndicator+119o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FC448	db    ?	;		; DATA XREF: AnFwDisplayFade+4D7o
					; AnFwDisplayFade+4F5o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FC468	db    ?	;		; DATA XREF: AnFwProgressIndicatorTransition()+Eo
					; AnFwpDisableProgressTimer()+34o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FC490	db    ?	;		; DATA XREF: AnFwDisplayFade+4C6o
					; AnFwDisplayFade+501o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FC4B8	db    ?	;		; DATA XREF: AnFwConfigureProgressResources(x)+14o
					; AnFwFadeCompletion+2Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FC4C8	dd ?			; DATA XREF: LogFwReport+CDo
					; LogFwReport+E7w
		align 10h
dword_6FC4D0	dd ?			; DATA XREF: LogFwReport+D7w
dword_6FC4D4	dd ?			; DATA XREF: LogFwReport+E1w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopIrpDataLookaside db	   ? ;		; DATA XREF: PopFreeIrp(x)+5Fo
					; PopAllocateIrp+B0o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopDynamicIrpWorkerLookaside db    ? ;	; DATA XREF: PopCreateDynamicIrpWorker+6o
					; PopIrpWorker+57o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FC680	dd ?			; DATA XREF: BgkpLockBgfxCodeSection+18o
					; BgkpUnlockBgfxCodeSection+Fo	...
_PopEsWorkItem	dd ?			; DATA XREF: PopEsWorkItemSchedule(x)+21o
					; PoInitSystem+554w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FC68C	dd ?			; DATA XREF: PoInitSystem+544w
					; PopEsInit+Cw
dword_6FC690	dd ?			; DATA XREF: PoInitSystem+54Ew
					; PopEsInit+22w
_SepRmNotifyMutex dd ?			; DATA XREF: SepNotifyFileSystems+16o
					; SepNotifyFileSystems:loc_870660o ...
dword_6FC698	dd ?			; DATA XREF: SepRmDbInitialization()+2Aw
dword_6FC69C	dd ?			; DATA XREF: SepRmDbInitialization()+3Cw
unk_6FC6A0	db    ?	;		; DATA XREF: SepRmDbInitialization()+32o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CcCoalescingRegistration db	? ;	; DATA XREF: INIT:00AC34E1o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CcTwilightLookasideList db    ? ;	; DATA XREF: CcInitializeProcessor(x)+1Do
					; CcInitializeProcessor(x):loc_889E4Eo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopSafeCompletionLookasideList	db    ?	; ; DATA XREF: INIT:00AC2900o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopMdlLookasideList db	   ? ;		; DATA XREF: IoInitializeProcessor+148o
					; INIT:00AC28E1o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopMediumIrpLookasideList db	 ? ;	; DATA XREF: IoInitializeProcessor+D1o
					; INIT:00AC28B1o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopSmallIrpLookasideList db	? ;	; DATA XREF: IoInitializeProcessor+10Do
					; INIT:00AC28C9o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopCompletionLookasideList db	  ? ;	; DATA XREF: IoInitializeProcessor+5Do
					; INIT:00AC2882o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopLargeIrpLookasideList db	? ;	; DATA XREF: IoInitializeProcessor+95o
					; INIT:00AC2899o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ObpCreateInfoLookasideList db	  ? ;	; DATA XREF: ObInitializeProcessor+12o
					; ObInitializeProcessor:loc_92886Bo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ObpNameBufferLookasideList db	  ? ;	; DATA XREF: ObInitializeProcessor+7Fo
					; ObInitSystem+D3o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_RtlpRangeListEntryLookasideList db    ? ;
					; DATA XREF: RtlpCreateRangeListEntry(x,x,x,x,x,x,x)+8o
					; RtlpFreeRangeListEntry(x)+12o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VmpLargeFaultBatchLookasideList db    ? ; ; DATA XREF:	VmAccessFault(x,x,x,x,x,x,x)+96o
					; VmAccessFault(x,x,x,x,x,x,x)+ACo ...
		db    ?	;
		db    ?	;
		db    ?	;
word_6FCC84	dw ?			; DATA XREF: VmAccessFault(x,x,x,x,x,x,x)+268r
		align 4
word_6FCC88	dw ?			; DATA XREF: VmAccessFault(x,x,x,x,x,x,x)+274r
		align 4
dword_6FCC8C	dd ?			; DATA XREF: VmAccessFault(x,x,x,x,x,x,x):loc_9EAE56w
dword_6FCC90	dd ?			; DATA XREF: VmAccessFault(x,x,x,x,x,x,x)+A6w
dword_6FCC94	dd ?			; DATA XREF: VmAccessFault(x,x,x,x,x,x,x)+26Ew
dword_6FCC98	dd ?			; DATA XREF: VmAccessFault(x,x,x,x,x,x,x)+27Dw
dword_6FCC9C	dd ?			; DATA XREF: VmAccessFault(x,x,x,x,x,x,x)+BDr
dword_6FCCA0	dd ?			; DATA XREF: VmAccessFault(x,x,x,x,x,x,x)+B1r
dword_6FCCA4	dd ?			; DATA XREF: VmAccessFault(x,x,x,x,x,x,x)+B7r
dword_6FCCA8	dd ?			; DATA XREF: VmAccessFault(x,x,x,x,x,x,x)+C3r
dword_6FCCAC	dd ?			; DATA XREF: VmAccessFault(x,x,x,x,x,x,x)+289r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WmipRegLookaside db	? ;		; DATA XREF: WmipAllocRegEntry+Eo
					; .text:0067B081o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WmipGEChunkInfoLookaside db	? ;	; DATA XREF: .data:_WmipGEChunkInfoo
					; WmipInitializeAllocs()+25o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WmipDSChunkInfoLookaside db	? ;	; DATA XREF: .data:_WmipDSChunkInfoo
					; WmipInitializeAllocs()+10o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WmipMRChunkInfoLookaside db	? ;	; DATA XREF: .data:_WmipMRChunkInfoo
					; WmipInitializeAllocs()+4Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WmipISChunkInfoLookaside db	? ;	; DATA XREF: .data:_WmipISChunkInfoo
					; WmipInitializeAllocs()+3Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void ExpFullProcessInformationSid
_ExpFullProcessInformationSid db    ? ;	; DATA XREF: ExpInitFullProcessSecurityInfo(x,x,x)+96o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpScratchBufferLookasideList db    ? ; ; DATA	XREF: ExInitPoolLookasidePointers()+11o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FD1C0	dd ?			; DATA XREF: BgkNotifyDisplayOwnershipLost(x)+1Dr
					; BgkpResetDisplay(x,x,x)+16r ...
unk_6FD1C4	db    ?	;		; DATA XREF: KsepMatchInitAcpiOemInfo(x,x,x)+A8o
					; KsepMatchInitAcpiOemInfo(x,x,x)+C2o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FD1D0	db    ?	;		; DATA XREF: KsepMatchInitAcpiOemInfo(x,x,x)+8Fo
					; KsepMatchInitAcpiOemInfo(x,x,x)+E3o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FD1E8	db    ?	;		; DATA XREF: KsepMatchInitCpuInfo(x)+2Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FD3F4	dd ?			; DATA XREF: KsepMatchInitMachineInfo+49o
					; KsepMatchInitAcpiOemInfo(x,x,x)+17o ...
dword_6FD3F8	dd ?			; DATA XREF: KsepMatchInitAcpiOemInfo(x,x,x)+E3w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FD410	dd ?			; DATA XREF: KsepMatchInitAcpiOemInfo(x,x,x)+28w
					; KsepMatchInitAcpiOemInfo(x,x,x)+F0w
		align 8
dword_6FD418	dd ?			; DATA XREF: KsepMatchInitMachineInfo+53o
					; KsepMatchInitBiosInfo+24o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FD430	dd ?			; DATA XREF: KsepMatchInitBiosInfo+1DAw
					; KsepMatchInitBiosInfo+146C0w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FD43C	db    ?	;		; DATA XREF: KsepMatchInitAcpiOemInfo(x,x,x)+74o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FD44C	dd ?			; DATA XREF: KsepMatchInitMachineInfo+5Do
					; KsepMatchInitCpuInfo(x)+10o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FD45C	dd ?			; DATA XREF: KsepMatchInitCpuInfo(x)+50w
dword_6FD460	dd ?			; DATA XREF: KsepMatchInitCpuInfo(x)+46w
		align 10h
dword_6FD470	dd ?			; DATA XREF: BapdpMarshallBootDataToRegistry+26r
					; BapdpMarshallBootDataToRegistry:loc_57577Co ...
dword_6FD474	dd ?			; DATA XREF: BootApplicationPersistentDataInitialize+Dw
					; BootApplicationPersistentDataInitialize+87r ...
_CmpLoadWorkerIncrement	dd ?		; DATA XREF: PAGE:00888D67w
_CmpWorkerDataInitialized db ?		; DATA XREF: CmpArmLazyWriter+7r
					; CmpCmdInit+BBw ...
		align 10h
_VrpJobContextType dd ?			; DATA XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x):loc_73DAC7r
					; VRegSetup+FDo
_VrpDeviceObject dd ?			; DATA XREF: VRegSetup+5Do
					; VRegSetup+81r ...
_FltMgrCallbacks dd ?			; DATA XREF: FsRtlGetSupportedFeatures(x,x)+Cr
					; EtwpTraceImageUnloadApc+2Cr ...
_ForceDumpDisabled db ?			; DATA XREF: SecureDump_PrepareForInit+42w
					; SecureDump_PrepareForInit+AAw ...
		align 10h
_IopUpdatePriorityCallbackRoutineCount dd ? ; DATA XREF: IoRegisterPriorityCallback+5Fw
					; IoUnregisterPriorityCallback(x)+54w
_IopSymlinkEnabledTypes	dd ?		; DATA XREF: IopSymlinkEnforceEnabledTypes+8r
					; IopSymlinkQueryEnabledClasses(x)+DFo	...
_IopLiveDumpEtwEnabled dd ?		; DATA XREF: IopLiveDumpTracingControlCallback(x,x,x,x,x,x,x,x,x)+7o
					; IopLiveDumpIsTracingEnabled()+Dr
		align 10h
_IopLiveDumpEtwRegHandle dd ?		; DATA XREF: IoInitializeLiveDump()+3o
					; IopLiveDumpIsTracingEnabled()r ...
dword_6FD4A4	dd ?			; DATA XREF: IopLiveDumpIsTracingEnabled()+5r
					; IopLiveDumpTrace(x)+Fr ...
_PnpCurrentHardwareConfigurationGuidString dw ?	; DATA XREF: PipHardwareConfigInit+10Co
					; PipHardwareConfigInit+135r ...
		align 4
dword_6FD4AC	dd ?			; DATA XREF: PipHardwareConfigInit+14Ar
_PnpRundownEtwHandle dd	?		; DATA XREF: PnpDiagRundownForEachDevice(x,x)+B9r
					; PnpDiagRundownParentDevNodeForEachDevice(x,x)+7Br ...
dword_6FD4B4	dd ?			; DATA XREF: PnpDiagRundownForEachDevice(x,x)+AFr
					; PnpDiagRundownParentDevNodeForEachDevice(x,x)+72r ...
_PiUEventMetaNotificationHandle	db    ?	; ; DATA XREF: PiUEventInit(x)+D3o
		db    ?	;
		db    ?	;
		db    ?	;
_PiPnpRtlCtx	dd ?			; DATA XREF: PipUpdateDeviceProducts+19r
					; PiRebalanceOptOut(x)+35r ...
_PiDrvDbCtx	dd ?			; DATA XREF: PiCMOpenObjectKey:loc_7C6704r
					; PiCMGetObjectList:loc_7FCC3Dr ...
_KdpDataSpinLock db    ? ;		; DATA XREF: KdRegisterDebuggerDataBlock+10o
		db    ?	;
		db    ?	;
		db    ?	;
_KdpPowerSpinLock dd ?			; DATA XREF: KdDeregisterPowerHandler(x)+10o
					; KdRegisterPowerHandler(x,x,x)+3Ao ...
_KiStackOutSwapRequest db    ? ;	; DATA XREF: KeSwapProcessOrStack(x)+49o
					; KeBalanceSetManager+104o
		db    ?	;
		db    ?	;
		db    ?	;
_KseEtwHandle	dd ?			; DATA XREF: KsepLogEtwMessage(x,x,x,x)+15r
					; KsepLogEtwMessage(x,x,x,x)+C6r ...
dword_6FD4D4	dd ?			; DATA XREF: KsepLogEtwMessage(x,x,x,x)+1Ar
					; KsepLogEtwMessage(x,x,x,x)+C0r ...
_ObpUnsecureGlobalNamesBuffer dw ?	; DATA XREF: ObpIsUnsecureName(x,x)+10r
					; ObpIsUnsecureName(x,x)+22o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmPlatformIdleHint dd	?		; DATA XREF: PpmIdlePrepare+2AFr
					; PpmComputeIdleDurationHint+4Cr ...
dword_6FD5DC	dd ?			; DATA XREF: PpmIdlePrepare+2B4r
					; PpmComputeIdleDurationHint+52r ...
_PopAwayModeUserPresenceTimer db    ? ;	; DATA XREF: PipCslStateChangeCallback+9B8A3o
					; PopSetSystemAwayMode(x)+86o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopNetGracePeriodState	db    ?	;	; DATA XREF: PopNetEvaluationTimerCallback(x,x)+5o
					; PopNetSetConnectivityConstraint+1Co ...
		db    ?	;
		db    ?	;
		db    ?	;
; void PopEsState
_PopEsState	dd ?			; DATA XREF: PopEsUpdateState+3Cr
					; PopEsUpdateState+81E83w ...
_PspSecExtensionHost dd	?		; DATA XREF: PspInitializeSecExtensionHost()+1Fo
					; PspInitializeSecExtensionHost():loc_ACE2C9w
_PspOctExtensionHost dd	?		; DATA XREF: PspInitializeOctagonExtensionHost()+19o
					; PspInitializeOctagonExtensionHost():loc_ACE27Bw
_SepAdtLsaRegWatchWorkItem dd ?		; DATA XREF: SepAdtRegNotificationCallback(x)+1Fo
					; SepAdtOpenRegAndSetupNotification(x,x,x,x)+30o ...
		align 10h
dword_6FD620	dd ?			; DATA XREF: SepAdtOpenRegAndSetupNotification(x,x,x,x)+39w
dword_6FD624	dd ?			; DATA XREF: SepAdtOpenRegAndSetupNotification(x,x,x,x)+43w
_SepAdtIoStatusBlock db	   ? ;		; DATA XREF: SepAdtRegNotificationCallback(x)+18o
					; SepAdtOpenRegAndSetupNotification(x,x,x,x)+29o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpSplitIoNotifyRoutines dd ?		; DATA XREF: EtwGetNotifyRoutineGroup(x,x)+24o
					; EtwpEnableKernelTrace+1299C6w ...
_EtwpDefaultTraceSecurityDescriptor dd ? ; DATA	XREF: EtwpFreeSecurityDescriptor(x)+Br
					; EtwpGetSecurityDescriptorByGuid(x,x)+80r ...
_ExpPlatformFlushCapabilities dd ?	; DATA XREF: ExpGetSystemFlushInformation+B1w
					; ExpGetSystemFlushInformation:loc_8B44C2r
dword_6FD63C	dd ?			; DATA XREF: ExpGetSystemFlushInformation+B8w
					; ExpGetSystemFlushInformation+CCr
_ExpPlatformCapabilitiesCached db ?	; DATA XREF: ExpGetSystemFlushInformation:loc_8B4465r
					; ExpGetSystemFlushInformation+BDw
		align 8
_KitEtwHandle	dd ?			; DATA XREF: KitLogFeatureUsage(x,x,x)+15r
					; KitLogFeatureUsage(x,x,x)+152r ...
dword_6FD64C	dd ?			; DATA XREF: KitLogFeatureUsage(x,x,x)+1Dr
					; KitLogFeatureUsage(x,x,x)+146r ...
_MUIRefreshCachedUILock	dd ?		; DATA XREF: NtFlushInstallUILanguage+4Cr
					; NtFlushInstallUILanguage+55o	...
		align 8
_WheapErrorRecordId dd ?		; DATA XREF: WheaInitializeRecordHeader(x):loc_6914ECr
					; WheaInitializeRecordHeader(x)+6Co ...
dword_6FD65C	dd ?			; DATA XREF: WheaInitializeRecordHeader(x)+57r
_WheapSourceConfiguration dd ?		; DATA XREF: WheaConfigureErrorSource+20o
					; WheaUnconfigureErrorSource(x)+25o ...
byte_6FD664	db ?			; DATA XREF: WheapInitializeErrorSourceTable(x,x)+95r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FD66C	dd ?			; DATA XREF: WheapGetErrorSourceFunction(x,x,x)+C5r
					; WheapSetDefaultErrorSourceConfiguration()+Aw
dword_6FD670	dd ?			; DATA XREF: WheapGetErrorSourceFunction(x,x,x)+AAr
					; INIT:00AC4270r ...
dword_6FD674	dd ?			; DATA XREF: WheapGetErrorSourceFunction(x,x,x)+8Fr
					; WheapSetDefaultErrorSourceConfiguration()+1Ew
dword_6FD678	dd ?			; DATA XREF: WheapGetErrorSourceFunction(x,x,x)+83r
					; WheapSetDefaultErrorSourceConfiguration()+28w
dword_6FD67C	dd ?			; DATA XREF: WheapGetErrorSourceFunction(x,x,x)+77r
					; WheapSetDefaultErrorSourceConfiguration()+32w
dword_6FD680	dd ?			; DATA XREF: WheapSetDefaultErrorSourceConfiguration()+3Cw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6FD8A4	db ?			; DATA XREF: WheaAddErrorSourceDeviceDriver+43r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WheapPfaLock	dd ?			; DATA XREF: WheapPfaReset()+5o
					; WheapPredictiveFailureAnalysis(x):loc_A1338Fo ...
_WheapPfaList	dd ?			; DATA XREF: WheapPfaMemoryCheck(x,x)+4Er
					; WheapPfaMemoryCheck(x,x)+56o	...
dword_6FD8CC	dd ?			; DATA XREF: WheapPfaMemoryCheck(x,x):loc_A130FCr
					; WheaInitializeServices()+12w
_WindowsSystemAttributes dd ?		; DATA XREF: AuthzBasepFindSystemSecurityAttribute+7r
					; AuthzBasepInitializeSystemSecurityAttributes(x)+87o
dword_6FD8D4	dd ?			; DATA XREF: TlgRegisterAggregateProviderEx:loc_87FEF6r
					; TlgRegisterAggregateProviderEx:loc_87FEFFo ...
_Feature_Servicing_HibernateRelaxVBSPolicy__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_24_02_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_03_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_UxConfTest__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_02_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_04_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_09_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_12_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_05_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Standalone_24_10_NonSec__private_reporting db	  ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Opnum_Filter__private_reporting db	 ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Standalone_24_09_NonSec__private_reporting db	  ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Standalone_24_08_NonSec__private_reporting db	  ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Standalone_24_05_NonSec__private_reporting db	  ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_PerfTestCen2__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Standalone_24_06_NonSec__private_reporting db	  ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_ValConf__private_reporting db	  ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_24_06_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_24_03_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Standalone_24_07_NonSec__private_reporting db	  ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SettingsDel__private_reporting	db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_24_05_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_TestConfVar__private_reporting	db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_CopyFileMoveFileEventLeak__private_reporting	db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_10_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_01_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_08_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Standalone_24_04_NonSec__private_reporting db	  ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_11_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_24_04_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_24_01_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_22_12_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_07_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_Servicing_Dcr_23_06_NonSec__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_UxSettingTest__private_reporting db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_TestUx32__private_reporting db	   ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CcDbgDisableDAX db ?			; DATA XREF: CcInitializeCacheMapEx+5Er
		align 4
_Feature_2543631672__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_1148767544__private_reporting db    ? ; ; DATA	XREF: .text:006AB230o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_693672248__private_reporting db    ? ;	; DATA XREF: .text:006AB248o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_3401902395__private_reporting db    ? ; ; DATA	XREF: .text:006AB260o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_3257204026__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_1445264698__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpFreezeThawState dd ?		; DATA XREF: CmpLockRegistryFreezeAware:loc_750D58r
					; CmpLockRegistryFreezeAware:loc_8D0786r ...
_RotBarSelection dd ?			; DATA XREF: DisplayBootBitmap+7F9FAw
					; DisplayBootBitmap+7FB28w ...
_IopMountCompletionWaiters dd ?		; DATA XREF: IopMountVolume+2A9r
					; IoRegisterFsRegistrationChangeMountAware:loc_936031w	...
_IopIrpExtensionStatus dd ?		; DATA XREF: IopIsActivityTracingEnabled:loc_5CD349r
					; IopAllocateIrpPrivate:loc_5ED17Er ...
dword_6FDA3C	dd ?			; DATA XREF: IopIrpExtensionControl(x,x)+43w
					; IopIrpExtensionControl(x,x)+5Fw
dword_6FDA40	dd ?			; DATA XREF: IopIrpExtensionControl(x,x)+4Ew
					; IopIrpExtensionControl(x,x)+74w
_IopFunctionPointerMask	dd ?		; DATA XREF: IopIsActivityTracingEnabledr
					; IopAllocateIrpPrivate+1DEr ...
_PiUEventDevInstancePropertyClientCount	dd ? ; DATA XREF: PiUEventShouldQueueEvent(x)+2Ar
					; PAGE:008F9A3Ew ...
unk_6FDA4C	db    ?	;		; DATA XREF: .text:004016E4o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KdPreviouslyEnabled db	?		; DATA XREF: KiDispatchException+10DF16r
					; KeInsertQueue+D6236r	...
		align 4
_Feature_SchedulerQosPreemption__private_reporting db	 ? ; ; DATA XREF: .text:006AB2A8o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SchedulerFavoredCoreRotation__private_reporting db    ? ;
					; DATA XREF: .text:006AB2C0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_BamQosGrouping__private_reporting db	 ? ; ; DATA XREF: .text:006AB2D8o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SchedulerAssistLongSpinWait__private_reporting	db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SchedulerAssistAllowRealTime__private_reporting db    ? ;
					; DATA XREF: .text:006AB308o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SchedulerAggressiveForegroundBoost__private_reporting db    ? ;
					; DATA XREF: .text:006AB320o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SchedulerAssistHRTimer__private_reporting db	 ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SchedulerAssistSpinLock__private_reporting db	  ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SchedulerAssistEnableBAM__private_reporting db	   ? ; ; DATA XREF: .text:006AB368o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SchedulerAssistForegroundBoostBias__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SchedulerAssistThreadFlag__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SchedulerAssistPreemptionPriorityKick__private_reporting db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SchedulerAssistReflectPriority__private_reporting db	 ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_DisableLowQosTimerResolution__private_reporting db    ? ;
					; DATA XREF: .text:006AB3E0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_ReduceTimerWakes__private_reporting db	   ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AlpcpLogEnabled db ?			; DATA XREF: AlpcpWaitForSingleObject(x,x,x,x,x)+31r
					; AlpcpSignalAndWait+106r ...
		align 4
_Feature_Leap_Seconds_Sixty_Second__private_reporting db    ? ;	; DATA XREF: .text:006AB410o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopBsdLastPowerWatchdogStage dd ?	; DATA XREF: PopPowerInformationInternal+171416w
					; PopRecordPhysicalPowerButton(x)+94r
_PopBsdPowerWatchdogArmed dd ?		; DATA XREF: PopPowerInformationInternal+17140Cw
					; PopPowerInformationInternal:loc_8D6D94w ...
_PopBsdCurrentCsPhase dd ?		; DATA XREF: PdcPoCurrentPdcPhase(x,x,x)+9w
					; PopRecordPhysicalPowerButton(x)+C8r
_Feature_PdttSupport__private_reporting	db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_PowerButtonBugcheck__private_reporting	db    ?	; ; DATA XREF: .text:006AB440o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_DirectedFx__private_reporting db    ? ; ; DATA	XREF: .text:006AB458o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SleepReliabilityDetailedDiagnostics__private_reporting	db    ?	;
					; DATA XREF: .text:006AB470o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PopIgnoreLidStateForInputSuppression db ?
					; DATA XREF: PopTraceInputSuppressionActionUpdate(x,x,x,x,x,x,x)+43r
					; PopEvaluateInputSuppressionAction()+8Er ...
_PopEnableInputSuppression db ?		; DATA XREF: PopTraceInputSuppressionActionUpdate(x,x,x,x,x,x,x)+9Er
					; PopEvaluateInputSuppressionAction():loc_9B4327r ...
_PopErrataReportingIncorrectLidState db	? ; DATA XREF: NtPowerInformation+172580r
					; PopRecordLidStateWorker(x)+Ar ...
		align 4
_RtlpExceptionLog2 dd ?			; DATA XREF: RtlpLogExceptionDispatch(x,x)+7r
					; RtlpLogExceptionDispatch(x,x)+6Cr ...
_Feature_PPLEnforcement__private_reporting db	 ? ; ; DATA XREF: .text:006AB4A0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_SModeAdminless__private_reporting db	 ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SeCiDebugOptions dd ?			; DATA XREF: SeQuerySigningPolicy:loc_7A2547r
					; SepIsMinTCB+CEr ...
_Feature_WCOSDeveloperMode__private_reporting db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_WldpDeveloperMode__private_reporting db    ? ;	; DATA XREF: .text:006AB4D0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_RelaxTcbForUWP__private_reporting db	 ? ; ; DATA XREF: .text:006AB4E8o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FDB3C	db    ?	;		; DATA XREF: .data:006B201Co
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FDB40	dd ?			; DATA XREF: EtwpUpdateFileInfoDriverState:loc_7E3AE3r
					; EtwpUpdateFileInfoDriverState+38r ...
_ExpTooLateForErrors db	?		; DATA XREF: ExShutdownSystem(x)+25w
					; ExRaiseHardError(x,x,x,x,x,x)+4Ar
		align 4
_Feature_LogErrorRecords__private_reporting db	  ? ;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FDB50	db    ?	;		; DATA XREF: .text:006AB518o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Feature_CompatBuildInVb__private_reporting db	  ? ; ;	DATA XREF: .text:006AB530o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmStateSeparationEnabled dd ?		; DATA XREF: CmIsStateSeparationEnabled()r
					; VfClearVerifierSettings()+3Br ...
_IopDisableBufferedIoInit dd ?		; DATA XREF: PAGE:007F65B6r
					; PAGE:007F770Ar ...
_IopSessionZeroAccessCheckEnabled dd ?	; DATA XREF: IopCheckSessionDeviceAccess(x)+51r
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+23Fr ...
_IopBlockLegacyFsFilters dd ?		; DATA XREF: IopAttachDeviceToDeviceStackSafe+85r
					; IopAttachDeviceToDeviceStackSafe:loc_5E7E10r	...
_Kd_STORAGECLASSMEMORY_Mask db	  ? ;	; DATA XREF: .text:004045B4o
					; INIT:00AF6050o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_FSLIB_Mask	db    ?	;		; DATA XREF: .text:004045B8o
					; INIT:00AF6068o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_REFS_Mask	db    ?	;		; DATA XREF: .text:004045A4o
					; INIT:00AF5FF0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_WER_Mask	db    ?	;		; DATA XREF: .text:004045A8o
					; INIT:00AF6008o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_CAPIMG_Mask	db    ?	;		; DATA XREF: .text:004045ACo
					; INIT:00AF6020o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_VPCI_Mask	db    ?	;		; DATA XREF: .text:004045B0o
					; INIT:00AF6038o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_DRIVEEXTENDER_Mask db    ? ;	; DATA XREF: .text:00404594o
					; INIT:00AF5F90o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_POWER_Mask	db    ?	;		; DATA XREF: .text:00404598o
					; INIT:00AF5FA8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_CRASHDUMPXHCI_Mask db    ? ;	; DATA XREF: .text:0040459Co
					; INIT:00AF5FC0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_GPIO_Mask	db    ?	;		; DATA XREF: .text:004045A0o
					; INIT:00AF5FD8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_EXFAT_Mask	db    ?	;		; DATA XREF: .text:00404584o
					; INIT:00AF5F30o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_FILETRACE_Mask db	 ? ;		; DATA XREF: .text:00404588o
					; INIT:00AF5F48o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_XSAVE_Mask	db    ?	;		; DATA XREF: .text:0040458Co
					; INIT:00AF5F60o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SE_Mask	db    ?	;		; DATA XREF: .text:00404590o
					; INIT:00AF5F78o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_STORVSP_Mask db    ? ;		; DATA XREF: .text:00404574o
					; INIT:00AF5ED0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_LSASS_Mask	db    ?	;		; DATA XREF: .text:00404578o
					; INIT:00AF5EE8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SSPICLI_Mask db    ? ;		; DATA XREF: .text:0040457Co
					; INIT:00AF5F00o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_CNG_Mask	db    ?	;		; DATA XREF: .text:00404580o
					; INIT:00AF5F18o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_MPIO_Mask	db    ?	;		; DATA XREF: .text:00404564o
					; INIT:00AF5E70o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_MSDSM_Mask	db    ?	;		; DATA XREF: .text:00404568o
					; INIT:00AF5E88o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_UDFS_Mask	db    ?	;		; DATA XREF: .text:0040456Co
					; INIT:00AF5EA0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_PSHED_Mask	db    ?	;		; DATA XREF: .text:00404570o
					; INIT:00AF5EB8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_CFR_Mask	db    ?	;		; DATA XREF: .text:00404554o
					; INIT:00AF5E10o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_TXF_Mask	db    ?	;		; DATA XREF: .text:00404558o
					; INIT:00AF5E28o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_KSECDD_Mask	db    ?	;		; DATA XREF: .text:0040455Co
					; INIT:00AF5E40o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_FLTREGRESS_Mask db	  ? ;		; DATA XREF: .text:00404560o
					; INIT:00AF5E58o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SBP2PORT_Mask db	? ;		; DATA XREF: .text:00404544o
					; INIT:00AF5DB0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_COVERAGE_Mask db	? ;		; DATA XREF: .text:00404548o
					; INIT:00AF5DC8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_CACHEMGR_Mask db	? ;		; DATA XREF: .text:0040454Co
					; INIT:00AF5DE0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_MOUNTMGR_Mask db	? ;		; DATA XREF: .text:00404550o
					; INIT:00AF5DF8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_NVCTRACE_Mask db	? ;		; DATA XREF: .text:00404534o
					; INIT:00AF5D50o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_LUAFV_Mask	db    ?	;		; DATA XREF: .text:00404538o
					; INIT:00AF5D68o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_APPCOMPAT_Mask db	 ? ;		; DATA XREF: .text:0040453Co
					; INIT:00AF5D80o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_USBSTOR_Mask db    ? ;		; DATA XREF: .text:00404540o
					; INIT:00AF5D98o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_EMS_Mask	db    ?	;		; DATA XREF: .text:00404524o
					; INIT:00AF5CF0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_WDT_Mask	db    ?	;		; DATA XREF: .text:00404528o
					; INIT:00AF5D08o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_FVEVOL_Mask	db    ?	;		; DATA XREF: .text:0040452Co
					; INIT:00AF5D20o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_NDIS_Mask	db    ?	;		; DATA XREF: .text:00404530o
					; INIT:00AF5D38o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_MMCSS_Mask	db    ?	;		; DATA XREF: .text:00404514o
					; INIT:00AF5C90o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_TPM_Mask	db    ?	;		; DATA XREF: .text:00404518o
					; INIT:00AF5CA8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_THREADORDER_Mask db	   ? ;		; DATA XREF: .text:0040451Co
					; INIT:00AF5CC0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_ENVIRON_Mask db    ? ;		; DATA XREF: .text:00404520o
					; INIT:00AF5CD8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_IOSTRESS_Mask db	? ;		; DATA XREF: .text:00404504o
					; INIT:00AF5C30o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_HEAP_Mask	db    ?	;		; DATA XREF: .text:00404508o
					; INIT:00AF5C48o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_WHEA_Mask	db    ?	;		; DATA XREF: .text:0040450Co
					; INIT:00AF5C60o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_USERGDI_Mask db    ? ;		; DATA XREF: .text:00404510o
					; INIT:00AF5C78o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_ALPC_Mask	db    ?	;		; DATA XREF: .text:004044F4o
					; INIT:00AF5BD0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_WDI_Mask	db    ?	;		; DATA XREF: .text:004044F8o
					; INIT:00AF5BE8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_PERFLIB_Mask db    ? ;		; DATA XREF: .text:004044FCo
					; INIT:00AF5C00o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_KTM_Mask	db    ?	;		; DATA XREF: .text:00404500o
					; INIT:00AF5C18o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_DEFAULT_Mask db    ? ;		; DATA XREF: .text:off_4044E4o
					; INIT:00AF5B70o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_MM_Mask	db    ?	;		; DATA XREF: .text:004044E8o
					; INIT:00AF5B88o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_DFSC_Mask	db    ?	;		; DATA XREF: .text:004044ECo
					; INIT:00AF5BA0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_WOW64_Mask	db    ?	;		; DATA XREF: .text:004044F0o
					; INIT:00AF5BB8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_VDSDYNDR_Mask db	? ;		; DATA XREF: .text:004044D4o
					; INIT:00AF5B10o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_VDSLDR_Mask	db    ?	;		; DATA XREF: .text:004044D8o
					; INIT:00AF5B28o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_VDSUTIL_Mask db    ? ;		; DATA XREF: .text:004044DCo
					; INIT:00AF5B40o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_DFRGIFC_Mask db    ? ;		; DATA XREF: .text:004044E0o
					; INIT:00AF5B58o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_VERIFIER_Mask db	? ;		; DATA XREF: .text:004044C4o
					; INIT:00AF5AB0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_VDS_Mask	db    ?	;		; DATA XREF: .text:004044C8o
					; INIT:00AF5AC8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_VDSBAS_Mask	db    ?	;		; DATA XREF: .text:004044CCo
					; INIT:00AF5AE0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_VDSDYN_Mask	db    ?	;		; DATA XREF: .text:004044D0o
					; INIT:00AF5AF8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_STORPORT_Mask db	? ;		; DATA XREF: .text:004044B4o
					; INIT:00AF5A50o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_STORMINIPORT_Mask db    ? ;		; DATA XREF: .text:004044B8o
					; INIT:00AF5A68o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_PRINTSPOOLER_Mask db    ? ;		; DATA XREF: .text:004044BCo
					; INIT:00AF5A80o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_VSSDYNDISK_Mask db	  ? ;		; DATA XREF: .text:004044C0o
					; INIT:00AF5A98o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_LDR_Mask	db    ?	;		; DATA XREF: .text:004044A4o
					; INIT:00AF59F0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_TCPIP6_Mask	db    ?	;		; DATA XREF: .text:004044A8o
					; INIT:00AF5A08o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_ISAPNP_Mask	db    ?	;		; DATA XREF: .text:004044ACo
					; INIT:00AF5A20o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SHPC_Mask	db    ?	;		; DATA XREF: .text:004044B0o
					; INIT:00AF5A38o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_IHVSTREAMING_Mask db    ? ;		; DATA XREF: .text:00404494o
					; INIT:00AF5990o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_IHVBUS_Mask	db    ?	;		; DATA XREF: .text:00404498o
					; INIT:00AF59A8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_HPS_Mask	db    ?	;		; DATA XREF: .text:0040449Co
					; INIT:00AF59C0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_RTLTHREADPOOL_Mask db    ? ;	; DATA XREF: .text:004044A0o
					; INIT:00AF59D8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_IHVDRIVER_Mask db	 ? ;		; DATA XREF: .text:00404484o
					; INIT:00AF5930o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_IHVVIDEO_Mask db	? ;		; DATA XREF: .text:00404488o
					; INIT:00AF5948o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_IHVAUDIO_Mask db	? ;		; DATA XREF: .text:0040448Co
					; INIT:00AF5960o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_IHVNETWORK_Mask db	  ? ;		; DATA XREF: .text:00404490o
					; INIT:00AF5978o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_PROCESSOR_Mask db	 ? ;		; DATA XREF: .text:00404474o
					; INIT:00AF58D0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_DMSERVER_Mask db	? ;		; DATA XREF: .text:00404478o
					; INIT:00AF58E8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SR_Mask	db    ?	;		; DATA XREF: .text:0040447Co
					; INIT:00AF5900o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_INFINIBAND_Mask db	  ? ;		; DATA XREF: .text:00404480o
					; INIT:00AF5918o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_DMADMIN_Mask db    ? ;		; DATA XREF: .text:00404464o
					; INIT:00AF5870o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_WSOCKTRANSPORT_Mask	db    ?	;	; DATA XREF: .text:00404468o
					; INIT:00AF5888o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_VSS_Mask	db    ?	;		; DATA XREF: .text:0040446Co
					; INIT:00AF58A0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_PNPMEM_Mask	db    ?	;		; DATA XREF: .text:00404470o
					; INIT:00AF58B8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_FCPORT_Mask	db    ?	;		; DATA XREF: .text:00404454o
					; INIT:00AF5810o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_PCI_Mask	db    ?	;		; DATA XREF: .text:00404458o
					; INIT:00AF5828o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_DMIO_Mask	db    ?	;		; DATA XREF: .text:0040445Co
					; INIT:00AF5840o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_DMCONFIG_Mask db	? ;		; DATA XREF: .text:00404460o
					; INIT:00AF5858o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_TERMSRV_Mask db    ? ;		; DATA XREF: .text:00404444o
					; INIT:00AF57B0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_W32TIME_Mask db    ? ;		; DATA XREF: .text:00404448o
					; INIT:00AF57C8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_PREFETCHER_Mask db	  ? ;		; DATA XREF: .text:0040444Co
					; INIT:00AF57E0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_RSFILTER_Mask db	? ;		; DATA XREF: .text:00404450o
					; INIT:00AF57F8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_IDEP_Mask	db    ?	;		; DATA XREF: .text:00404434o
					; INIT:00AF5750o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_PCIIDE_Mask	db    ?	;		; DATA XREF: .text:00404438o
					; INIT:00AF5768o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_FLOPPY_Mask	db    ?	;		; DATA XREF: .text:0040443Co
					; INIT:00AF5780o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_FDC_Mask	db    ?	;		; DATA XREF: .text:00404440o
					; INIT:00AF5798o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_IDLETASK_Mask db	? ;		; DATA XREF: .text:00404424o
					; INIT:00AF56F0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SOFTPCI_Mask db    ? ;		; DATA XREF: .text:00404428o
					; INIT:00AF5708o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_TAPE_Mask	db    ?	;		; DATA XREF: .text:0040442Co
					; INIT:00AF5720o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_MCHGR_Mask	db    ?	;		; DATA XREF: .text:00404430o
					; INIT:00AF5738o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_BURNENG_Mask db    ? ;		; DATA XREF: .text:00404414o
					; INIT:00AF5690o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_IMAPI_Mask	db    ?	;		; DATA XREF: .text:00404418o
					; INIT:00AF56A8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SXS_Mask	db    ?	;		; DATA XREF: .text:0040441Co
					; INIT:00AF56C0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_FUSION_Mask	db    ?	;		; DATA XREF: .text:00404420o
					; INIT:00AF56D8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_UNIMODEM_Mask db	? ;		; DATA XREF: .text:00404404o
					; INIT:00AF5630o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SIS_Mask	db    ?	;		; DATA XREF: .text:00404408o
					; INIT:00AF5648o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_FLTMGR_Mask	db    ?	;		; DATA XREF: .text:0040440Co
					; INIT:00AF5660o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_WMICORE_Mask db    ? ;		; DATA XREF: .text:00404410o
					; INIT:00AF5678o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_UHCD_Mask	db    ?	;		; DATA XREF: .text:004043F4o
					; INIT:00AF55D0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_RPCPROXY_Mask db	? ;		; DATA XREF: .text:004043F8o
					; INIT:00AF55E8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_AUTOCHK_Mask db    ? ;		; DATA XREF: .text:004043FCo
					; INIT:00AF5600o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_DCOMSS_Mask	db    ?	;		; DATA XREF: .text:00404400o
					; INIT:00AF5618o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SCSERVER_Mask db	? ;		; DATA XREF: .text:004043E4o
					; INIT:00AF5570o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SCCLIENT_Mask db	? ;		; DATA XREF: .text:004043E8o
					; INIT:00AF5588o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SERIAL_Mask	db    ?	;		; DATA XREF: .text:004043ECo
					; INIT:00AF55A0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SERENUM_Mask db    ? ;		; DATA XREF: .text:004043F0o
					; INIT:00AF55B8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_FASTFAT_Mask db    ? ;		; DATA XREF: .text:004043D4o
					; INIT:00AF5510o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SAMSS_Mask	db    ?	;		; DATA XREF: .text:004043D8o
					; INIT:00AF5528o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_PNPMGR_Mask	db    ?	;		; DATA XREF: .text:004043DCo
					; INIT:00AF5540o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_NETAPI_Mask	db    ?	;		; DATA XREF: .text:004043E0o
					; INIT:00AF5558o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_VIDEOPRT_Mask db	? ;		; DATA XREF: .text:004043C4o
					; INIT:00AF54B0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_TCPIP_Mask	db    ?	;		; DATA XREF: .text:004043C8o
					; INIT:00AF54C8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_DMSYNTH_Mask db    ? ;		; DATA XREF: .text:004043CCo
					; INIT:00AF54E0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_NTOSPNP_Mask db    ? ;		; DATA XREF: .text:004043D0o
					; INIT:00AF54F8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_AMLI_Mask	db    ?	;		; DATA XREF: .text:004043B4o
					; INIT:00AF5450o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_HALIA64_Mask db    ? ;		; DATA XREF: .text:004043B8o
					; INIT:00AF5468o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_VIDEO_Mask	db    ?	;		; DATA XREF: .text:004043BCo
					; INIT:00AF5480o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SVCHOST_Mask db    ? ;		; DATA XREF: .text:004043C0o
					; INIT:00AF5498o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_MOUCLASS_Mask db	? ;		; DATA XREF: .text:004043A4o
					; INIT:00AF53F0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_TWOTRACK_Mask db	? ;		; DATA XREF: .text:004043A8o
					; INIT:00AF5408o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_WMILIB_Mask	db    ?	;		; DATA XREF: .text:004043ACo
					; INIT:00AF5420o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_ACPI_Mask	db    ?	;		; DATA XREF: .text:004043B0o
					; INIT:00AF5438o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_LSERMOUS_Mask db	? ;		; DATA XREF: .text:00404394o
					; INIT:00AF5390o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_KBDHID_Mask	db    ?	;		; DATA XREF: .text:00404398o
					; INIT:00AF53A8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_MOUHID_Mask	db    ?	;		; DATA XREF: .text:0040439Co
					; INIT:00AF53C0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_KBDCLASS_Mask db	? ;		; DATA XREF: .text:004043A0o
					; INIT:00AF53D8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SCSIMINIPORT_Mask db    ? ;		; DATA XREF: .text:00404384o
					; INIT:00AF5330o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_CONFIG_Mask	db    ?	;		; DATA XREF: .text:00404388o
					; INIT:00AF5348o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_I8042PRT_Mask db	? ;		; DATA XREF: .text:0040438Co
					; INIT:00AF5360o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SERMOUSE_Mask db	? ;		; DATA XREF: .text:00404390o
					; INIT:00AF5378o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_DISK_Mask	db    ?	;		; DATA XREF: .text:00404374o
					; INIT:00AF52D0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_REDBOOK_Mask db    ? ;		; DATA XREF: .text:00404378o
					; INIT:00AF52E8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_STORPROP_Mask db	? ;		; DATA XREF: .text:0040437Co
					; INIT:00AF5300o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SCSIPORT_Mask db	? ;		; DATA XREF: .text:00404380o
					; INIT:00AF5318o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_CRASHDUMP_Mask db	 ? ;		; DATA XREF: .text:00404364o
					; INIT:00AF5270o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_CDAUDIO_Mask db    ? ;		; DATA XREF: .text:00404368o
					; INIT:00AF5288o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_CDROM_Mask	db    ?	;		; DATA XREF: .text:0040436Co
					; INIT:00AF52A0o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_CLASSPNP_Mask db	? ;		; DATA XREF: .text:00404370o
					; INIT:00AF52B8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SMSS_Mask	db    ?	;		; DATA XREF: .text:00404354o
					; INIT:00AF5210o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SETUP_Mask	db    ?	;		; DATA XREF: .text:00404358o
					; INIT:00AF5228o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_NTFS_Mask	db    ?	;		; DATA XREF: .text:0040435Co
					; INIT:00AF5240o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_FSTUB_Mask	db    ?	;		; DATA XREF: .text:00404360o
					; INIT:00AF5258o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_SYSTEM_Mask	db    ?	;		; DATA XREF: .text:_KdComponentTableo
					; INIT:00AF51F8o
		db    ?	;
		db    ?	;
		db    ?	;
_Kd_ENDOFTABLE_Mask db	  ? ;		; DATA XREF: .text:004045BCo
		db    ?	;
		db    ?	;
		db    ?	;
_ObpObjectSecurityInheritance dd ?	; DATA XREF: ObpInsertOrLocateNamedObject+179r
					; ObpInsertOrLocateNamedObject+1D1r ...
_PopShutdownNotificationCallback dd ?	; DATA XREF: PopMarkComponentsBootPhase+11Fr
					; PopSaveHiberContext+BBCFr ...
_PspOutSwapSharedPages dd ?		; DATA XREF: PspChangeProcessExecutionState+1E0r
					; SmProcessConfigRequest+84410w ...
_RtlpDisableIFEOCaching	dd ?		; DATA XREF: RtlpOpenImageFileOptionsKeyEx+5Dr
					; RtlpOpenBaseImageFileOptionsKey(x)+2Cr ...
_SeAdminlessEnforcementModeEnabled dd ?	; DATA XREF: SepIsAdminlessEnforcementModeEnabled()+3r
					; INIT:00AF65F0o
dword_6FDDF4	dd ?			; DATA XREF: SeSecureBootQueryInformation:loc_7DDC31r
					; SeQuerySecureBootPolicyValue+Fr ...
_SepTokenSingletonAttributesConfig dd ?	; DATA XREF: SeSetSecurityAttributesTokenEx(x,x,x,x,x,x,x)+2Er
					; SepGetProcUniqueLuidAndIndexFromAttributeInfo(x,x,x)+12r ...
_VfRuleClasses	dd ?			; DATA XREF: IopBuildDeviceIoControlRequest:loc_53DD0Br
					; IopVerifierExAllocatePool:loc_5C4F10r ...
dword_6FDE00	dd ?			; DATA XREF: IopVerifierExAllocatePool+5EE3Cr
					; IoCancelIrp+E2F2Cr ...
_ExpRealTimeIsUniversal	dd ?		; DATA XREF: ExRealTimeIsUniversal()r
					; ExLogTimeZoneInformation()+89r ...
_ExTbFlushActive dd ?			; DATA XREF: KeFlushMultipleRangeTb:loc_451F72r
					; MiTerminateWsleCluster:loc_456283r ...
_ExResourceTimeoutCount	dd ?		; DATA XREF: ExpWaitForResource+B9r
					; ExpWaitForResource+E2872r ...
_HeadlessGlobals dd ?			; DATA XREF: HeadlessKernelAddLogEntry+3r
					; HeadlessDispatch+6r ...
		align 8
_PopEsLastBatteryThreshold dd ?		; DATA XREF: PopTraceEsState(x,x,x,x,x,x,x,x)+2Fr
					; PopEsSnapTelemetry+A4w ...
_PopEsAcOnline	db ?			; DATA XREF: PopTraceEsState(x,x,x,x,x,x,x,x)+28r
					; PopEsSnapTelemetry+9Aw ...
		align 10h
_PopEsLastBatteryCharge	dd ?		; DATA XREF: PopEsSnapTelemetry+71r
					; PopEsSnapTelemetry+8Bw ...
_PopEsReason	dd ?			; DATA XREF: PopTraceEsState(x,x,x,x,x,x,x,x)+22r
					; PopEsUpdateState+28r	...
_PopEsLastUserAwaySetting db ?		; DATA XREF: PopTraceEsState(x,x,x,x,x,x,x,x)+1Cr
					; PopEsSnapTelemetry+B5w ...
		align 10h
dword_6FDE30	dd ?			; DATA XREF: TxtpAddCacheEntry+930r
					; TxtpAddCacheEntry+1A42r ...
dword_6FDE34	dd ?			; DATA XREF: TxtpAddCacheEntry+92Ar
					; TxtpAddCacheEntry+1A3Cr ...
_PopPoFxSystemIrpWaitForReportDevicePoweredReg dd ?
					; DATA XREF: PoFxReportDevicePoweredOn+F7r
					; PopFxActivateDevice:loc_55C26Br ...
_PopDisableBatteryDischargeEstimator dd	? ; DATA XREF: PopBatteryWorker:loc_868FC5r
					; INIT:00AF4790o
_PopUserBatteryChargingEstimator dd ?	; DATA XREF: PopBatteryWorker+276r
					; INIT:00AF47A8o
_PopFxPerfQueryOnDevicePowerChanges dd ? ; DATA	XREF: PopPepDeviceDState+112r
					; INIT:00AF4AC0o
byte_6FDE48	db ?			; DATA XREF: DisplayBootBitmap+Fr
					; DisplayBootBitmap:loc_5F9C35r ...
		align 4
_CcAzure_SoftThrottleDelayInMs dd ?	; DATA XREF: INIT:loc_AC3349r
					; INIT:00AF3C68o
_CcMaxLazyWritePagesOverride dd	?	; DATA XREF: INIT:00AC3334r
					; INIT:00AF3BD8o
_CcAzure_TopBottomDPTEqual dd ?		; DATA XREF: CcAdjustTopBottomThresholds:loc_5D698Br
					; CcInitializePartition:loc_5F5DECr ...
_CcVacbArraysHighestUsedIndex dd ?	; DATA XREF: CcInsertVacbArray+28r
					; CcInsertVacbArray:loc_570120w ...
_CmpVolatileBoot dd ?			; DATA XREF: PAGE:00888C71r
					; CmInitSystem1(x):loc_AC79FFr	...
_CmStateSeparationDevMode dd ?		; DATA XREF: CmIsStateSeparationDevModeEnabled()r
					; CmpInitializeSystemHive:loc_AE5542r ...
_CmStateSeparationAllHivesVolatile dd ?	; DATA XREF: CmpUpdateStateSeparationHiveOptions()r
					; INIT:00AF5150o
_CmpNoMoreTx	db ?			; DATA XREF: CmTmCreateEnlistment(x,x,x,x)+8r
					; CmShutdownSystem(x)+2Bw
		align 10h
_CmpReorganizeTotalBytesSaved dd ?	; DATA XREF: CmpUpdateReorganizeRegistryValues+2Er
					; CmpReorganizeHive+184D9Fw ...
dword_6FDE74	dd ?			; DATA XREF: CmpUpdateReorganizeRegistryValues+33r
					; CmpReorganizeHive+184DA5w ...
_IopAllowLoadCrashDumpDriver db	   ? ;	; DATA XREF: INIT:00AF4D60o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KeTestRemovedFeatureMask dd ?		; DATA XREF: KiIntersectFeaturesWithTestr
					; KiParseLoadOptions+3720w
dword_6FDE84	dd ?			; DATA XREF: KiIntersectFeaturesWithTest+9r
					; KiParseLoadOptions+371Aw
_KeTestDisableXSave db ?		; DATA XREF: KiIntersectFeaturesWithTest:loc_727E0Br
					; KiParseLoadOptions:loc_72B39Aw
		align 4
_KiBugCheckUnexpectedInterrupts	dd ?	; DATA XREF: V86_kira_a:loc_59B27Er
					; INIT:00AF6338o
_KiDebuggerIsStallOwner	dd ?		; DATA XREF: KiSetDebuggerOwner(x)r
					; INIT:00AF6350o
_KiI386PentiumLockErrataPresent	db ?	; DATA XREF: Dr_kite_a+33Fr
					; KiGetFeatureBits+41BBw ...
_PopFxEnableShutdownActiveBias db ?	; DATA XREF: PoFxStartDevicePowerManagement+C5r
					; PopFxPrepareDevicesForShutdown()+3Bw
		align 4
_PpmIdleVetoList dd ?			; DATA XREF: PpmInstallNewIdleStates+CCr
					; PpmInstallNewIdleStates:loc_5749ADr ...
_PopDiagFxAccountingTelemetryDisabled dd ?
					; DATA XREF: PopDiagTraceFxDeviceAccounting(x,x,x,x,x,x)+109r
					; PopDiagTraceFxGlobalDeviceAccounting(x,x,x,x,x,x)+15r ...
_PopIgnoreCsComplianceCheck dd ?	; DATA XREF: PopNetNonCompliantDeviceUpdate(x,x)+4r
					; INIT:00AF4AA8o
_WmiThermalPolicyEventEnabled dd ?	; DATA XREF: PopThermalWorker+32Ar
					; PpmWmiDispatch+8935Bo
_PpmParkLpiCap	dd ?			; DATA XREF: PpmParkApplyPolicy:loc_573D6Fr
					; PpmParkCalculateCoreParkingMask+12A3DDr ...
_PpmParkThermalCap dd ?			; DATA XREF: PpmParkApplyPolicy+8Dr
					; PpmParkSetLpiCap(x,x,x):loc_65B563r ...
_SeAdminlessEnableEventLogging dd ?	; DATA XREF: EtwTraceAdminlessAccessFailure(x,x,x,x)+340r
					; INIT:00AF6668o
_SeAdminlessEnableWatsonReporting dd ?	; DATA XREF: SepIsAdminlessAuditModeEnabled()r
					; INIT:00AF65C0o
_SeDeviceOwnerProtectionDowngradeAllowed dd ?
					; DATA XREF: SepIsDeviceOwnerProtectionDowngradeAllowed()r
					; INIT:00AF6608o
_SeLpacEnableWatsonReporting dd	?	; DATA XREF: SepLogLpacAccessFailure(x)+56r
					; INIT:00AF6578o
_SepAdtDiscardingAudits	db ?		; DATA XREF: SepAdtDetermineInsertQueue+26r
					; SepAdtDetermineInsertQueue+7F092w ...
		align 4
_SepAdtAuditFailureCount dd ?		; DATA XREF: SepAdtLogAuditRecord(x)+1D5w
					; SepAdtLogAuditRecord(x):loc_5744FDr ...
_EtwpTdiIoNotify dd ?			; DATA XREF: EtwGetNotifyRoutineGroup(x,x):loc_88B8F6r
					; EtwpEnableKernelTrace+129AAFw
		align 10h
_g_wil_details_subscribeFeatureStateCacheToConfigurationChanges	dd ?
					; DATA XREF: wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)+AFr
byte_6FDED4	db ?			; DATA XREF: DisplayFilter(x)+5r
					; DisplayFilter(x)+4Bw
		align 4
_g_wil_details_recordFeatureUsage dd ?	; DATA XREF: wil_details_FeatureReporting_ReportUsageToServiceDirect(x,x,x,x,x)+40r
_g_wil_details_ensureSubscribedToFeatureConfigurationChanges dd	?
					; DATA XREF: wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(x,x,x,x)+Br
_g_wil_details_pfnFeatureLoggingHook dd	?
					; DATA XREF: wil_details_FeatureReporting_ReportUsageToService(x,x,x,x,x)+34r
_CcDbgForcedLogPercentFull dd ?		; DATA XREF: CcIsFatalWriteError+1259FAw
_gCcTrace	db ?			; DATA XREF: CcAcquireByteRangeForWrite:loc_4ABF56r
		align 10h
_CcSectionDeletionSequencePhase3 dd ?	; DATA XREF: CcInitializeCacheMapEx+116793r
					; CcCrossPartitionDrainSectionDeletion()+5Fr ...
dword_6FDEF4	dd ?			; DATA XREF: CcInitializeCacheMapEx+1167A0r
					; CcCrossPartitionDrainSectionDeletion()+55r ...
_CcEnableReadAheadInAsyncRead db ?	; DATA XREF: CcAsyncReadPrefetch+170r
					; CcAsyncCopyRead+5Dr
		align 10h
_CcNumberAsyncReadCacheHits dd ?	; DATA XREF: CcAsyncReadPrefetch:loc_5AAFC2r
					; CcAsyncReadPrefetch+16EDD8w
dword_6FDF04	dd ?			; DATA XREF: CcAsyncReadPrefetch+16EDCDr
					; CcAsyncReadPrefetch+16EDDDw
_CcNumberAsyncReadRefaulted dd ?	; DATA XREF: sub_50690F:loc_5D7E30r
					; sub_50690F+D1530w
dword_6FDF0C	dd ?			; DATA XREF: sub_50690F+D1526r
					; sub_50690F+D1535w
_CcDbgRandomFailed dd ?			; DATA XREF: CcUnmapInactiveViewsInternal(x,x,x,x)+11Bw
_CcDbgNumberOfCcUnmapInactiveViews dd ?	; DATA XREF: CcUnmapInactiveViewsInternal(x,x,x,x):loc_5FE32Aw
_CcDbgFoundAsyncReadThreadListEmpty dd ?
					; DATA XREF: CcShouldSpinAsyncReadWorkerThread+16E9AFw
_CmpSystemHiveHysteresisHitRatio dd ?	; DATA XREF: CmpDoQueueSystemHiveHysteresis(x)+20w
					; CmpSystemHiveHysteresisWorker(x)+18r
_CmpBackupCount	dd ?			; DATA XREF: CmpSyncNextBackupHive()+F5w
					; CmpSyncNextBackupHive()+FEo
_CmpFreezeThawPending dd ?		; DATA XREF: CmpFreezeThawDpcRoutine(x,x,x,x)+2o
					; CmpFreezeThawWorker(x)w
_CmpLazyCommitWorkItemActive db	?	; DATA XREF: CmpLazyCommitDpcRoutine(x,x,x,x)r
					; CmpLazyCommitWorker(x)+116w
		align 10h
_CmpReorganizeLastRun dd ?		; DATA XREF: CmpReorganizeHive+184DABw
					; CmpUpdateReorganizeRegistryValues+85090o
dword_6FDF34	dd ?			; DATA XREF: CmpReorganizeHive+184DB1w
_CmpHiveRedirectionFileListHandle dd ?	; DATA XREF: CmpQueryHiveRedirectionFileList+11B6F6r
					; CmpQueryHiveRedirectionFileList+11B76Co ...
_CmpFailPrimarySave dd ?		; DATA XREF: HvWriteHivePrimaryFile+5Dr
					; HvWriteHivePrimaryFile+95r ...
_VrpHostLoadedHives dd ?		; DATA XREF: VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+172r
					; VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+17Cw ...
_VrpHostLoadedHivesLock	db    ?	;	; DATA XREF: VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+164o
					; VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+80o	...
		db    ?	;
		db    ?	;
		db    ?	;
_DbgkpLkmdLiveDumpDiagnosticInformation	db    ?	;
					; DATA XREF: DbgkCaptureLiveDump(x,x,x,x)+34Fo
		db    ?	;
		db    ?	;
		db    ?	;
_HvlpWheaErrorNotificationCallback dd ?	; DATA XREF: HvlInvokeWheaErrorNotificationCallback(x,x,x)+5r
					; HvlRegisterWheaErrorNotification(x)+8o ...
_PltRotBarStatus dd ?			; DATA XREF: FinalizeBootLogo():loc_607E05w
					; RotBarInit()+58w ...
_AnimBarPos	dd ?			; DATA XREF: RotBarInit()+30w
					; RotBarUpdate():loc_607F33r ...
dword_6FDF58	dd ?			; DATA XREF: BgkNotifyDisplayOwnershipLost(x)+Cw
					; BgkpResetDisplay(x,x,x)+1Fr
dword_6FDF5C	dd ?			; DATA XREF: BgkNotifyDisplayOwnershipChange+87FAFr
					; BgkInitialize+60r
_BvgaResetDisplayParameters dd ?	; DATA XREF: BvgaAcquireDisplayOwnership()r
					; BvgaNotifyDisplayOwnershipLost(x)+2Fw ...
_BugCheckProgressEFICalled dd ?		; DATA XREF: IoInitializeBugCheckProgress(x,x)+54r
					; IoInitializeBugCheckProgress(x,x)+66w ...
_OfflineDumpEnabled db ?		; DATA XREF: IopInitializeOfflineCrashDump+7E2E6w
					; IopInitializeOfflineCrashDump+7E2FCw	...
		align 4
_AttemptOfflineStallCount dd ?		; DATA XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+52Dw
_DumpPolicyAttemptOffline dd ?		; DATA XREF: IopInitializeOfflineCrashDump+7E38Ew
					; IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x):loc_60BE53r
_IopPerfStatus	dd ?			; DATA XREF: IopPerfCallDriver(x,x)+10r
					; IopPerfCallDriver(x,x):loc_60E676r ...
dword_6FDF78	dd ?			; DATA XREF: IoPerfInit(x)+41w
					; IoPerfReset(x)+26w
dword_6FDF7C	dd ?			; DATA XREF: IoPerfInit(x)+4Ew
					; IoPerfReset(x)+3Dw
dword_6FDF80	dd ?			; DATA XREF: IopLiveDumpGetMillisecondCounter(x)+3Fr
					; IopLiveDumpGetMillisecondCounter(x):loc_60F20Ew
dword_6FDF84	dd ?			; DATA XREF: IopLiveDumpGetMillisecondCounter(x)+4Br
					; IopLiveDumpGetMillisecondCounter(x)+69w
dword_6FDF88	dd ?			; DATA XREF: IopLiveDumpGetMillisecondCounter(x):loc_60F1F2r
					; IopLiveDumpGetMillisecondCounter(x)+5Cw
dword_6FDF8C	dd ?			; DATA XREF: IopLiveDumpGetMillisecondCounter(x)+45r
					; IopLiveDumpGetMillisecondCounter(x)+63w
dword_6FDF90	dd ?			; DATA XREF: IopLiveDumpEndMirroringCallback(x)+65r
					; IopLiveDumpEndMirroringCallback(x)+85r ...
dword_6FDF94	dd ?			; DATA XREF: IopLiveDumpEndMirroringCallback(x)+73r
					; IopLiveDumpEndMirroringCallback(x)+91r ...
_SaveSupervisorState db	?		; DATA XREF: IopLiveDumpCaptureMemoryPages(x)+4Aw
					; IopLiveDumpCaptureMemoryPages(x)+153w ...
		align 4
_IptInterface	dd ?			; DATA XREF: IopLiveDumpGenerateIptSecondaryData()+49r
					; IopLiveDumpGenerateIptSecondaryData()+E1r ...
_IopLiveDumpContext dd ?		; DATA XREF: IopLiveDumpTraceMirroringStart(x)+6r
					; IopLiveDumpEndMirroringCallback(x)+1Dr ...
_IopAmbiguousSystemDisk	db ?		; DATA XREF: IoQuerySystemDeviceName:loc_8F1681r
					; IopStoreArcInformation:loc_AD9B04w
		align 4
_IovpDisabledWithoutReboot dd ?		; DATA XREF: IovCompleteRequest(x,x)+38r
					; IovCompleteRequest(x,x)+CAr ...
_IovpEnabledInThePast dd ?		; DATA XREF: IovCallDriver(x,x,x)+13r
					; IoVerifierCheckForSettingsChange(x)+9o
_AvailablePagesForPartialDump dd ?	; DATA XREF: IopAddPageDumpRange(x,x)+A8o
					; IoAddPagesForPartialKernelDump(x,x,x,x,x,x,x,x)+1Cw ...
_PipResetDeviceBreakOnReset db ?	; DATA XREF: PipResetDevice(x,x)+47r
		align 4
_PnpSetupWnfSubscription db    ? ;	; DATA XREF: CmpInitializeSystemHivesLoad+A1F11o
		db    ?	;
		db    ?	;
		db    ?	;
_PassiveInterruptForceCriticalWorker db	?
					; DATA XREF: IopQueryPassiveInterruptRegistryOptions+24r
_PnpDelayedRemovePending db ?		; DATA XREF: PnpChainDereferenceComplete(x,x):loc_96A5AAr
					; PnpChainDereferenceComplete(x,x)+AEw	...
		align 10h
dword_6FDFC0	dd ?			; DATA XREF: PnpGetServiceStartType:loc_8E3187r
					; PnpGetServiceStartType:loc_8E319Fo ...
dword_6FDFC4	dd ?			; DATA XREF: PnpGetServiceStartType:loc_8E3235r
					; PnpGetServiceStartType+6CF5Fo ...
dword_6FDFC8	dd ?			; DATA XREF: PnprGetMillisecondCounter(x)+41r
					; PnprGetMillisecondCounter(x):loc_72D549w
dword_6FDFCC	dd ?			; DATA XREF: PnprGetMillisecondCounter(x)+3Br
					; PnprGetMillisecondCounter(x)+50w
_KdpDataBlockEncoded db	?		; DATA XREF: KdCopyDataBlock(x)r
		align 8
_KdpTimeSlipTimer db	? ;		; DATA XREF: KdRegisterDebuggerDataBlock+56Co
					; KdpTimeSlipWork(x)+7Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KdpTimeSlipDpc	db    ?	;		; DATA XREF: KdRegisterDebuggerDataBlock+550o
					; KdExitDebugger(x)+10Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KdpTimeSlipWorkItem dd	?		; DATA XREF: KdRegisterDebuggerDataBlock+58Bw
					; KdpTimeSlipDpcRoutine(x,x,x,x)+12o
		align 8
dword_6FE028	dd ?			; DATA XREF: KdRegisterDebuggerDataBlock+578w
dword_6FE02C	dd ?			; DATA XREF: KdRegisterDebuggerDataBlock+584w
_KdPortLocked	db ?			; DATA XREF: KeFreezeExecution(x,x):loc_61EDF7w
					; KeThawExecution(x)+1Er ...
		align 4
_KdpTimeSlipEventLock db    ? ;		; DATA XREF: KdUpdateTimeSlipEvent(x)+1Ao
					; KdpTimeSlipWork(x)+26o
		db    ?	;
		db    ?	;
		db    ?	;
_KdpTimeSlipEvent dd ?			; DATA XREF: KdUpdateTimeSlipEvent(x)+28r
					; KdUpdateTimeSlipEvent(x)+3Ew	...
		align 10h
_KdpPrintSpinLock dd ?			; DATA XREF: KdSetDbgPrintBufferSize(x)+6Co
					; KdSetDbgPrintBufferSize(x)+75r ...
dword_6FE044	dd ?			; DATA XREF: KdSetDbgPrintBufferSize(x)+7Br
					; KdLogDbgPrint(x):loc_A4D911w	...
dword_6FE048	dd ?			; DATA XREF: KdSetDbgPrintBufferSize(x)+BFw
					; KdSetDbgPrintBufferSize(x)+183w ...
		align 10h
_TraceDataBufferFilled db ?		; DATA XREF: PotentialNewSymbol(x)+6r
					; PotentialNewSymbol(x)+2Aw ...
		align 4
_KdDisableCount	dd ?			; DATA XREF: KdDisableDebuggerWithLock(x)+3Er
					; KdDisableDebuggerWithLock(x):loc_616E7Cw ...
_KiPollSlot	dd ?			; DATA XREF: KeAccumulateTicks:loc_48C387r
					; KiForwardTick+12F1BAw ...
_KiPollSlotNext	dd ?			; DATA XREF: KiForwardTick:loc_5B6602r
					; KiForwardTick+12F1C0w ...
_KiPendingVirtualHeteroRequest dd ?	; DATA XREF: KeUpdatePendingQosRequest(x)+Fw
					; KeUpdatePendingQosRequest(x)+30w ...
unk_6FE064	db    ?	;		; DATA XREF: KeEnterKernelDebugger()+27o
		db    ?	;
		db    ?	;
		db    ?	;
_KiHypervisorInitiatedCrashDump	db ?	; DATA XREF: KeBugCheck2(x,x,x,x,x,x):loc_61C292r
					; KeBugCheck2(x,x,x,x,x,x)+7BAr ...
		align 4
_KiBugCheckDriver dd ?			; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+495r
					; KeBugCheck2(x,x,x,x,x,x)+50Ew ...
_KiHwCountersCount dd ?			; DATA XREF: KiBeginCounterAccumulation(x,x)+29r
					; KiEndCounterAccumulation(x)+21r ...
_KiAccessBitErrata dd ?			; DATA XREF: KiDetectAccessBitErrata:loc_727D6Dw
					; KiDetectAccessBitErrata+36A0w ...
_KsepDebugFlag	db ?			; DATA XREF: KseShimDriverIoCallbacks+B7r
					; KseDriverLoadImage(x)+FAr ...
		align 4
_PopSimulateManual dd ?			; DATA XREF: PopInitializePowerPolicySimulate+4Br
_PopFxProcessorPlugin dd ?		; DATA XREF: PopProcessorSetPep+7E087w
					; PopPluginRequestComponentIdleConstraints(x,x,x,x)+15r ...
_PopFxParkingFallback db ?		; DATA XREF: PopProcessorParkNotification(x,x):loc_64C886r
					; PopProcessorParkNotification(x,x)+52w ...
_PpmExitLatencySamplingPercentageSet db	?
					; DATA XREF: PpmClearExitLatencySamplingPercentage()+1Cw
					; PpmSetExitLatencySamplingPercentage(x)+1Ar ...
		align 4
_PopDiagCachedAggregatorIntent dd ?	; DATA XREF: PopCaptureSleepStudyStatistics(x,x,x,x):loc_65134Br
					; PopCaptureSleepStudyStatistics(x,x,x,x)+30Bw
		align 10h
_PopMaxChargeRate dd ?			; DATA XREF: PopBatteryWorker+9FF5Bw
					; PopBatteryApplyCompositeState+A0369w	...
dword_6FE094	dd ?			; DATA XREF: PopBatteryWorker+9FF61w
					; PopBatteryApplyCompositeState+A036Fw	...
_PopCsDeviceCompliance dd ?		; DATA XREF: sub_926398:loc_9263A7o
					; PopS0LowPowerIdleInfo(x)+3Fr	...
dword_6FE09C	dd ?			; DATA XREF: PopS0LowPowerIdleInfo(x)+51r
dword_6FE0A0	dd ?			; DATA XREF: PopS0LowPowerIdleInfo(x)+67r
		align 8
dword_6FE0A8	dd ?			; DATA XREF: PopS0LowPowerIdleInfo(x)+7Dr
		align 10h
_PopLastStandbyExitScenarioId dd ?	; DATA XREF: PopMonitorInvocation:loc_902175r
					; PopMonitorInvocation+A94C1w
dword_6FE0B4	dd ?			; DATA XREF: PopMonitorInvocation+A948Dr
					; PopMonitorInvocation+A94D0w
_WmiThermalEventEnabled	dd ?		; DATA XREF: PpmEventThermalCapChange(x,x):loc_6594E8r
					; PpmWmiDispatch+89341o
_WmiIdleAccntEventEnabled db	? ;	; DATA XREF: PpmWmiDispatch+89327o
					; PpmWmiDispatch+89372o ...
		db    ?	;
		db    ?	;
		db    ?	;
_WmiIdleStateEventEnabled db	? ;	; DATA XREF: PpmWmiDispatch+8930Do
		db    ?	;
		db    ?	;
		db    ?	;
_PopNetRefreshTimerState db    ? ;	; DATA XREF: PopNetRefreshTimerCallback(x,x)+5o
					; PopNetRefreshTimerWorkerCallback(x)+1Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
_PopEsBgActivityPolicy dd ?		; DATA XREF: PopEsEvaluateNextState+9DB56r
					; PopTraceEsBgActivityPolicyUpdate(x,x)+19r ...
_PpmParkLpiEngaged dd ?			; DATA XREF: PpmParkCalculateCoreParkingMask+12A3E7r
					; PpmParkCalculateCoreParkingMask:loc_5B964Ew ...
_PpmParkLpiCapChanged dd ?		; DATA XREF: PpmParkCalculateCoreParkingMask+12A3EFr
					; PpmParkCalculateCoreParkingMask+12A404w ...
_TtmpDeviceCalloutCrashDumpEnabled db ?	; DATA XREF: TtmpCalloutWatchdogCallback(x,x,x,x,x,x)+2Fr
					; TtmpInitializeWatchdogTimeouts()+4Dw
_TtmpDeviceCalloutTimeoutsSet db ?	; DATA XREF: TtmpStartCallout(x,x,x,x,x,x)+6r
					; TtmpStartCallout(x,x,x,x,x,x)+1Ew
		align 4
dword_6FE0D8	dd ?			; DATA XREF: RtlCreateHeap:loc_8F8B3Ar
					; RtlCreateHeap+11B057w
dword_6FE0DC	dd ?			; DATA XREF: RtlCreateHeap+11B035w
					; RtlCreateHeap+11B06Br
_RtlpCapChkTelemetryRunOnceCtx db    ? ;
					; DATA XREF: RtlpLogCapabilityCheckLatency(x,x,x,x,x,x)+23o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_RtlpPerformanceCounterFrequency dd ?	; DATA XREF: RtlpCapChkTelemetryRunOnce(x,x,x)+Eo
					; RtlpLogCapabilityCheckLatency(x,x,x,x,x,x)+55r ...
dword_6FE0EC	dd ?			; DATA XREF: RtlpLogCapabilityCheckLatency(x,x,x,x,x,x)+5Ar
					; RtlpLogCapabilityCheckLatency(x,x,x,x,x,x)+BDr
_RtlpHeapErrorHandlerThreshold dd ?	; DATA XREF: RtlpCreateUCREntry(x,x,x,x,x,x):loc_663565r
					; RtlpDeCommitFreeBlock(x,x,x,x)+1ABr ...
_SepTokenLeakProcessCid	dd ?		; DATA XREF: SepCreateTokenEx+D5138r
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+8C0r ...
_SepTokenLeakMethodWatch dd ?		; DATA XREF: SepCreateTokenEx:loc_5E7C6Fr
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+8ACr ...
_SepTokenLeakToken dd ?			; DATA XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+323r
					; ObInsertObjectEx(x,x,x,x,x,x,x)+33Er	...
_SepTokenLeakMethodCount dd ?		; DATA XREF: SepCreateTokenEx+D5143w
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+8CBw ...
_SepTokenLeakBreakCount	dd ?		; DATA XREF: SepCreateTokenEx+D5162r
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+8E8r ...
unk_6FE108	db    ?	;		; DATA XREF: SepLogLpacAccessFailure(x)+7Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FE128	db    ?	;		; DATA XREF: SepLogTokenSidManagement(x,x,x,x,x)+105o
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FE12C	dd ?			; DATA XREF: SeQuerySecureBootPolicyValue+82DBDr
					; NtFilterBootOption(x,x,x,x,x)+19Ar ...
dword_6FE130	dd ?			; DATA XREF: NtFilterBootOption(x,x,x,x,x)+8Dr
					; NtFilterBootOption(x,x,x,x,x)+D0r ...
unk_6FE134	db    ?	;		; DATA XREF: NtFilterBootOption(x,x,x,x,x)+21Do
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FE138	dd ?			; DATA XREF: SepSecureBootFindMatchingRegistryRule(x,x,x)+16r
					; SepSecureBootBuildRules()+55w
dword_6FE13C	dd ?			; DATA XREF: NtFilterBootOption(x,x,x,x,x)+17Er
					; SepSecureBootCorrectBcd():loc_9DF4E8r ...
_SepAdtCountEventsDiscarded dd ?	; DATA XREF: SepAdtDetermineInsertQueue+7F0ADr
					; SepAdtDetermineInsertQueue+7F0D9r ...
_SepAdtAuditFailureEventLogged db ?	; DATA XREF: SepAdtLogAuditFailureEvent(x,x)+32r
					; SepAdtLogAuditFailureEvent(x,x):loc_9DB462w
		align 4
_SepRmGlobalSaclHead dd	?		; DATA XREF: SepRmGlobalSaclSetWrkr+8CA26w
					; SepRmGlobalSaclSetWrkr+8CAD4r ...
		align 10h
; struct _SMKM_GLOBALS SmKmGlobals
?SmKmGlobals@@3U_SMKM_GLOBALS@@A dd ?	; DATA XREF: SmKmFileInfoDuplicate(x,x)+2Br
					; SmGlobalsInitialize(x)+48w
dword_6FE154	dd ?			; DATA XREF: HvlQueryProcessorTopologyHighestId(x,x)+1Cr
					; HvlpDiscoverTopologyComplete()+3Cr ...
dword_6FE158	dd ?			; DATA XREF: HvlQueryProcessorTopologyHighestId(x,x)+2Ar
					; HvlpDiscoverTopologyComplete()+50r ...
dword_6FE15C	dd ?			; DATA XREF: HvlGetLogicalProcessorRunTime(x,x,x)+1Br
					; HvlpInitializePowerStatistics()+7Eo
dword_6FE160	dd ?			; DATA XREF: HvlGetLogicalProcessorRunTime(x,x,x)+11r
					; HvlGetPpmStatsForProcessor(x,x,x)+C0r
dword_6FE164	dd ?			; DATA XREF: HvlGetIdleGenerationCounter(x,x)+6r
dword_6FE168	dd ?			; DATA XREF: HvlGetPpmStatsForProcessor(x,x,x)+23r
dword_6FE16C	dd ?			; DATA XREF: HvlGetPpmStatsForProcessor(x,x,x)+3Fr
					; HvlGetPpmStatsForProcessor(x,x,x)+D7r
dword_6FE170	dd ?			; DATA XREF: HvlGetPpmStatsForProcessor(x,x,x)+6Fr
dword_6FE174	dd ?			; DATA XREF: HvlReadPerformanceStateCounters(x,x,x,x)+20r
dword_6FE178	dd ?			; DATA XREF: HvlReadPerformanceStateCounters(x,x,x,x)+28r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_6FE198	dd ?			; DATA XREF: KdEnterDebugger(x,x)+E6w
					; KdExitDebugger(x)+A1r ...
dword_6FE19C	dd ?			; DATA XREF: KdEnterDebugger(x,x)+D6w
					; KdExitDebugger(x)+9Br ...
dword_6FE1A0	dd ?			; DATA XREF: KdpSetContextEx(x,x,x)+87r
					; KdpSetContextEx(x,x,x)+C8o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FF1A0	db    ?	;		; DATA XREF: RtlLCIDToCultureName(x,x)+2Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6FF220	db ?			; DATA XREF: EtwpStartLogger:loc_9112D2r
					; EtwpStartLogger+1209A5w
		align 8
unk_6FF228	db    ?	;		; DATA XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel+1Ao
					; OpenGlobalizationUserSettingsKey_ForSingleUserModel+1B9o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_6FF2D8	db    ?	;		; DATA XREF: BgpClearScreen(x)+ADo
					; BgpClearScreen(x)+D0o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_6FF2E8	db ?			; DATA XREF: BgpClearScreen(x)+112r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_700000	db    ?	;		; DATA XREF: AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+26Fo
					; AdtpBuildStagingReasonAuditStringInternal(x,x,x,x,x,x,x,x,x)+161o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_700053	db    ?	;		; DATA XREF: PAGE:??_C@_1BM@KEFGLAAA@?$AAS?$AAp?$AAu?$AAr?$AAi?$AAo?$AAu?$AAs?$AA?5?$AAW?$AAa?$AAk?$AAe@LBKOJDO@o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_70006E	db    ?	;		; DATA XREF: .text:off_404B44o
					; .data:off_6B3778o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		dd ?
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_7000AF	db ?			; DATA XREF: INIT:00AF331Bw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_7012D8	db    ?	;		; DATA XREF: TxtpAddCacheEntry+25ADo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViIrpLogDdiLock dd ?			; DATA XREF: VfIrpLogRecordEvent(x,x,x)+43r
					; VfIrpLogRecordEvent(x,x,x)+4Eo ...
_EtwpEthreadSyncTrackingSequence dd ?	; DATA XREF: EtwpGetTrackingLockSlotForThread(x,x)+28r
					; EtwpEnableKernelTrace:loc_7E395Bw
_ExBootAppFailureStatus	dd ?		; DATA XREF: BapdWriteEtwEvents+90E7Cw
					; PopDiagTraceDirtyTransition(x,x,x,x,x,x,x,x,x,x,x,x)+1Cr
_ExpCovCurrentPagedPoolInUse dd	?	; DATA XREF: ExpCovCreateUnloadedModuleEntry(x)+5Dr
					; ExpCovCreateUnloadedModuleEntry(x)+19Aw ...
_ExpCurrentProfileUsage	dd ?		; DATA XREF: NtStartProfile(x)+6Ar
					; NtStartProfile(x)+18Fw ...
		align 10h
_CMFHitsLastFlushTime dd ?		; DATA XREF: NtMapCMFModule(x,x,x,x,x,x)+49Dw
					; NtMapCMFModule(x,x,x,x,x,x)+688r ...
dword_701314	dd ?			; DATA XREF: NtMapCMFModule(x,x,x,x,x,x)+4A5w
					; NtMapCMFModule(x,x,x,x,x,x)+690r
_CMFFlagsCache	dd ?			; DATA XREF: CMFFlushHitsFile(x,x):loc_A10198r
					; CMFSystemThreadRoutine(x)+523w ...
_CMFHitsSectionPointer dd ?		; DATA XREF: CMFUnmapModules(x)+6Dr
					; CMFUnmapModules(x)+79o ...
_CMFLock	dd ?			; DATA XREF: NtMapCMFModule(x,x,x,x,x,x):loc_A1101Co
					; NtMapCMFModule(x,x,x,x,x,x)+F3r ...
_CMFSegmentSectionPointer dd ?		; DATA XREF: CMFUnmapModules(x)+Cr
					; CMFUnmapModules(x)+14o ...
_CMFDirectorySectionPointer dd ?	; DATA XREF: CMFUnmapModules(x)+45r
					; CMFUnmapModules(x)+51o ...
_CMFSecurityDescriptor dd ?		; DATA XREF: CMFCheckAccess(x,x,x)+89r
					; CMFCheckAccess(x,x,x)+BDo ...
dword_701330	dd ?			; DATA XREF: OpenGlobalizationUserSettingsKey_ForSingleUserModel+12r
					; OpenGlobalizationUserSettingsKey_ForSingleUserModel+1D7w ...
_WheapDeferredEventTotalBytes dd ?	; DATA XREF: WheaLogInternalEvent+80F69r
					; WheaLogInternalEvent+80FA0w
_WheapPolicyMemPfaDisable db ?		; DATA XREF: PAGE:00A12989w
					; WheapGetPolicyValue(x,x)+31r	...
		align 4
_WheaRegistryKeysPresent dd ?		; DATA XREF: PAGE:00A12966w
					; PAGE:00A1297Bw ...
_WheapPolicyDisableOffline db ?		; DATA XREF: PAGE:00A1295Fw
					; WheapGetPolicyValue(x,x)+1Ar	...
		align 4
_WheapLiveDumpsCreated dd ?		; DATA XREF: WheapCreateLiveDumpFromPreviousSession(x)+18w
___@@_PchSym_@00@KxulyqvxgPillgKxunrmrlUhvxfirgbUorxvmhrmtUhkxzooUoryUyfrowPhvieviPpnUlyquivUrDIGUhgwzucOlyq@spcall_server_km db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
___@@_PchSym_@00@KxulyqvxgPillgKxunrmrlUhvxfirgbUorxvmhrmtUdziyriwUoryUpnlwvUlyquivUrDIGUhgwzucOlyq@kwarbirdruntime db	  ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_BcpTextBoxLeftEdgeOverride dd ?	; DATA XREF: BcpDisplayCriticalString(x,x,x,x)+1Cr
					; BcpDisplayErrorInformation(x,x,x,x,x,x)+56w ...
_BcpDisplayParameters db ?		; DATA XREF: BcpDisplayErrorInformation(x,x,x,x,x,x)+1A8r
					; BgpBcInitializeCriticalMode:loc_AF2D44w
		align 4
_BcpTextBoxRightEdgeOverride dd	?	; DATA XREF: BcpDisplayCriticalString(x,x,x,x):loc_6993F5r
					; BcpDisplayProgress(x,x):loc_6999A0r
byte_70135C	db ?			; DATA XREF: NtOpenKeyTransacted_Stub(x,x,x,x)+5r
					; NtOpenKeyTransacted_Stub(x,x,x,x)+13w
		align 10h
dword_701360	dd ?			; DATA XREF: NtOpenKeyTransacted_Stub(x,x,x,x)+1Aw
					; NtOpenKeyTransacted_Stub(x,x,x,x):loc_A3814Er
byte_701364	db ?			; DATA XREF: NtOpenKeyTransactedEx_Stub(x,x,x,x,x)+5r
					; NtOpenKeyTransactedEx_Stub(x,x,x,x,x)+13w
		align 4
dword_701368	dd ?			; DATA XREF: InbvPortInitialize(x,x,x,x,x,x,x,x)+25r
					; NtOpenKeyTransactedEx_Stub(x,x,x,x,x)+1Aw ...
dword_70136C	dd ?			; DATA XREF: InbvPortInitialize(x,x,x,x,x,x,x,x)+ACw
					; NtCreateKeyTransacted_Stub(x,x,x,x,x,x,x,x)+5r ...
dword_701370	dd ?			; DATA XREF: NtCreateKeyTransacted_Stub(x,x,x,x,x,x,x,x)+1Aw
					; NtCreateKeyTransacted_Stub(x,x,x,x,x,x,x,x):loc_A380C3r
unk_701374	db    ?	;		; DATA XREF: ConstraintEval+1209FBo
		db    ?	;
		db    ?	;
		db    ?	;
unk_701378	db    ?	;		; DATA XREF: ConstraintEval+120A21o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_Ports		dd ?			; DATA XREF: InbvPortGetByte(x,x)+8r
					; InbvPortPollOnly(x)+Br ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_701394	dd ?			; DATA XREF: InbvPortGetByte(x,x)+1Cr
					; InbvPortPollOnly(x)+20r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_NtVhdBootFile	dd ?			; DATA XREF: VhdiVerifyBootDisk(x)+27r
					; VhdiVerifyBootDisk(x)+B3r ...
dword_7013E4	dd ?			; DATA XREF: VhdiMountVhdFile(x)+32Do
					; VhdiMountVhdFile(x)+350r
_data		ends

; Section 5. (virtual address 00302000)
; Virtual size			: 00002322 (   8994.)
; Section size in file		: 00002400 (   9216.)
; Offset to raw	data for section: 002B4200
; Flags	48000040: Data Not pageable Readable
; Alignment	: default
;
; Imports from BOOTVID.dll
;
; 

; Segment type:	Pure data
; Segment permissions: Read
_idata		segment	para public 'DATA' use32
		assume cs:_idata
		;org 702000h
; __declspec(dllimport)	__stdcall VidInitialize(x, x)
__imp__VidInitialize@8 dd ?		; DATA XREF: BvgaDriverInitialize+35r
; __declspec(dllimport)	__stdcall VidBufferToScreenBlt(x, x, x,	x, x, x)
__imp__VidBufferToScreenBlt@24 dd ?	; DATA XREF: RotBarUpdate()+6Ar
					; RotBarUpdate()+F2r ...
; __declspec(dllimport)	__stdcall VidScreenToBufferBlt(x, x, x,	x, x, x)
__imp__VidScreenToBufferBlt@24 dd ?	; DATA XREF: RotBarInit()+36r
; __declspec(dllimport)	__stdcall VidBitBlt(x, x, x)
__imp__VidBitBlt@12 dd ?		; DATA XREF: RotBarUpdate()+1F6r
					; BvgaBitBlt(x,x,x)+25r
; __declspec(dllimport)	__stdcall VidResetDisplay(x)
__imp__VidResetDisplay@4 dd ?		; DATA XREF: BgkpResetDisplay(x,x,x)+37r
					; BvgaResetDisplay()+14r
; __declspec(dllimport)	__stdcall VidCleanUp()
__imp__VidCleanUp@0 dd ?		; DATA XREF: BvgaEnableBootDriver(x)+25r
					; BvgaNotifyDisplayOwnershipLost(x)+1Cr
; __declspec(dllimport)	__stdcall VidSetTextColor(x)
__imp__VidSetTextColor@4 dd ?		; DATA XREF: BvgaSetTextColor(x)+2Dr
; __declspec(dllimport)	__stdcall VidSetScrollRegion(x,	x, x, x)
__imp__VidSetScrollRegion@16 dd	?	; DATA XREF: BvgaSetScrollRegion(x,x,x,x)r
; __declspec(dllimport)	__stdcall VidSolidColorFill(x, x, x, x,	x)
__imp__VidSolidColorFill@20 dd ?	; DATA XREF: FinalizeBootLogo()+1Br
					; RotBarInit()+88r ...
; __declspec(dllimport)	__stdcall VidDisplayString(x)
__imp__VidDisplayString@4 dd ?		; DATA XREF: BvgaDisplayString(x)+1Fr
; __declspec(dllimport)	__stdcall VidBitBltEx(x, x, x, x, x)
__imp__VidBitBltEx@20 dd ?		; DATA XREF: BgkpVgaBltRoutine(x,x,x)+35r
_BOOTVID_NULL_THUNK_DATA dd 0
;
; Imports from CI.dll
;
; __declspec(dllimport)	__stdcall CiInitialize(x, x, x,	x)
__imp__CiInitialize@16 dd ?		; DATA XREF: SepInitializeCodeIntegrity()+74r
_CI_NULL_THUNK_DATA dd 0
;
; Imports from HAL.dll
;
; __declspec(dllimport)	__fastcall HalClearSoftwareInterrupt(x)
__imp_@HalClearSoftwareInterrupt@4 dd ?	; DATA XREF: KiIdleLoop()+27r
					; KiIdleLoop()+43r
; __declspec(dllimport)	__stdcall READ_PORT_USHORT(x)
__imp__READ_PORT_USHORT@4 dd ?		; DATA XREF: ReadPort16(x)+6r
					; KdpSysReadIoSpace(x,x,x,x,x,x,x,x)+7Ar
; __declspec(dllimport)	__stdcall READ_PORT_UCHAR(x)
__imp__READ_PORT_UCHAR@4 dd ?		; DATA XREF: ReadPort8(x)+6r
					; KdpSysReadIoSpace(x,x,x,x,x,x,x,x)+94r
; __declspec(dllimport)	__stdcall HalSetBusDataByOffset(x, x, x, x, x, x)
__imp__HalSetBusDataByOffset@24	dd ?	; DATA XREF: KdpSysWriteBusData(x,x,x,x,x,x,x)+22r
; __declspec(dllimport)	__stdcall HalGetBusDataByOffset(x, x, x, x, x, x)
__imp__HalGetBusDataByOffset@24	dd ?	; DATA XREF: KdpSysReadBusData(x,x,x,x,x,x,x)+22r
; __declspec(dllimport)	__stdcall HalReturnToFirmware(x)
__imp__HalReturnToFirmware@4 dd	?	; DATA XREF: KeBugCheck2(x,x,x,x,x,x)+288r
					; KeBugCheck2(x,x,x,x,x,x):loc_61C598r	...
; __declspec(dllimport)	__stdcall HalGetProcessorIdByNtNumber(x, x)
__imp__HalGetProcessorIdByNtNumber@8 dd	? ; DATA XREF: PnprQuiesceProcessorDpc(x,x,x,x)+12Er
					; KeRegisterProcessorChangeCallback+11Fr ...
; __declspec(dllimport)	__stdcall HalGetMessageRoutingInfo(x, x)
__imp__HalGetMessageRoutingInfo@8 dd ?	; DATA XREF: IopConnectMessageBasedInterrupt+244r
; __declspec(dllimport)	__stdcall HalGetVectorInput(x, x, x, x,	x)
__imp__HalGetVectorInput@20 dd ?	; DATA XREF: IopConnectInterruptFullySpecified+AAr
; __declspec(dllimport)	__stdcall HalTranslateBusAddress(x, x, x, x, x,	x)
__imp__HalTranslateBusAddress@24 dd ?	; DATA XREF: IopTranslateBusAddress+2Er
					; HeadlessTerminalAddResources+84F03r
; __declspec(dllimport)	__stdcall HalQueryEnvironmentVariableInfoEx(x, x, x, x)
__imp__HalQueryEnvironmentVariableInfoEx@16 dd ?
					; DATA XREF: IopQueryEnvironmentVariableInfoHal(x,x,x,x,x,x)+11r
; __declspec(dllimport)	__stdcall HalGetEnvironmentVariableEx(x, x, x, x, x)
__imp__HalGetEnvironmentVariableEx@20 dd ? ; DATA XREF:	WheapProcessEfiBadMemoryPage+2Br
					; IoInitializeBugCheckProgress(x,x)+C5r ...
; __declspec(dllimport)	__stdcall HalAllocateAdapterChannel(x, x, x, x)
__imp__HalAllocateAdapterChannel@16 dd ?
					; DATA XREF: IoAllocateAdapterChannel(x,x,x,x,x)+24r
; __declspec(dllimport)	__stdcall HalSetEnvironmentVariableEx(x, x, x, x, x)
__imp__HalSetEnvironmentVariableEx@20 dd ? ; DATA XREF:	WheapProcessEfiBadMemoryPage+7DFDDr
					; WheapPersistPageForMemoryError(x)+54r ...
; __declspec(dllimport)	__stdcall KeStallExecutionProcessor(x)
__imp__KeStallExecutionProcessor@4 dd ?	; DATA XREF: IoWriteCrashDump(x,x,x,x,x,x,x,x,x,x)+527r
					; KeBugCheck2(x,x,x,x,x,x)+7F9r ...
; __declspec(dllimport)	__stdcall HalEnumerateProcessors(x)
__imp__HalEnumerateProcessors@4	dd ?	; DATA XREF: HvlpSelectLpSet(x,x,x)+E5r
					; KeStartAllProcessors+65r
; __declspec(dllimport)	__stdcall HalQueryMaximumProcessorCount()
__imp__HalQueryMaximumProcessorCount@0 dd ? ; DATA XREF: PpmParkSteerInterrupts:loc_486D32r
					; RtlpHpHeapCreate+2Er	...
_KdHvComPortInUse dd ?			; DATA XREF: HvlDebuggerSupportInitialize+7DC2Dr
					; HvlDebuggerSupportInitialize:loc_5FB5DFr ...
; __declspec(dllimport)	__stdcall HalGetInterruptVector(x, x, x, x, x, x)
__imp__HalGetInterruptVector@24	dd ?	; DATA XREF: HalGetInterruptVector(x,x,x,x,x,x)r
					; IopIrqTranslateOrdering+34r ...
; __declspec(dllimport)	__stdcall HalRegisterErrataCallbacks()
__imp__HalRegisterErrataCallbacks@0 dd ? ; DATA	XREF: EmInitSystem+278r
; __declspec(dllimport)	__fastcall KfLowerIrql(x)
__imp_@KfLowerIrql@4 dd	?		; DATA XREF: ExpUpdateTimerResolution+85r
					; ExpInsertTimerResolutionEntry+5Ar ...
; __declspec(dllimport)	__fastcall KfRaiseIrql(x)
__imp_@KfRaiseIrql@4 dd	?		; DATA XREF: ExpInsertTimerResolutionEntry+84r
					; ExpUnblockPushLock+87r ...
; __declspec(dllimport)	__stdcall HalAcpiGetTableEx(x, x, x, x)
__imp__HalAcpiGetTableEx@16 dd ?	; DATA XREF: CmpGetAcpiBiosVersion(x,x,x)+13r
					; CmpGetAcpiBiosVersion(x,x,x)+25r ...
; __declspec(dllimport)	__stdcall KeGetCurrentIrql()
__imp__KeGetCurrentIrql@0 dd ?		; DATA XREF: MmCanThreadFault()+9r
					; CcSetDirtyPinnedData+34Fr ...
; __declspec(dllimport)	__stdcall HalWheaUpdateCmciPolicy(x, x)
__imp__HalWheaUpdateCmciPolicy@8 dd ?	; DATA XREF: PAGE:00A12928r
					; WheapLoadPolicy+119r
; __declspec(dllimport)	__stdcall HalSetEnvironmentVariable(x, x)
__imp__HalSetEnvironmentVariable@8 dd ?	; DATA XREF: NtSetSystemEnvironmentValue(x,x)+1F2r
; __declspec(dllimport)	__stdcall HalGetEnvironmentVariable(x, x, x)
__imp__HalGetEnvironmentVariable@12 dd ?
					; DATA XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+1A7r
; __declspec(dllimport)	__stdcall KeLowerIrql(x)
__imp__KeLowerIrql@4 dd	?		; DATA XREF: KeLowerIrql(x)r
; __declspec(dllimport)	__stdcall KeRaiseIrql(x, x)
__imp__KeRaiseIrql@8 dd	?		; DATA XREF: KeRaiseIrql(x,x)r
; __declspec(dllimport)	__stdcall HalGetAdapter(x, x)
__imp__HalGetAdapter@8 dd ?		; DATA XREF: HalGetAdapter(x,x)r
					; VfLegacyGetAdapter(x,x)+1Br
; __declspec(dllimport)	__stdcall HalReadDmaCounter(x)
__imp__HalReadDmaCounter@4 dd ?		; DATA XREF: HalReadDmaCounter(x)r
; __declspec(dllimport)	__stdcall IoMapTransfer(x, x, x, x, x, x)
__imp__IoMapTransfer@24	dd ?		; DATA XREF: IoMapTransfer(x,x,x,x,x,x)r
; __declspec(dllimport)	__stdcall IoFreeMapRegisters(x,	x, x)
__imp__IoFreeMapRegisters@12 dd	?	; DATA XREF: IoFreeMapRegisters(x,x,x)r
; __declspec(dllimport)	__stdcall IoFreeAdapterChannel(x)
__imp__IoFreeAdapterChannel@4 dd ?	; DATA XREF: IoFreeAdapterChannel(x)r
; __declspec(dllimport)	__stdcall IoFlushAdapterBuffers(x, x, x, x, x, x)
__imp__IoFlushAdapterBuffers@24	dd ?	; DATA XREF: IoFlushAdapterBuffers(x,x,x,x,x,x)r
; __declspec(dllimport)	__stdcall HalFreeCommonBuffer(x, x, x, x, x, x)
__imp__HalFreeCommonBuffer@24 dd ?	; DATA XREF: HalFreeCommonBuffer(x,x,x,x,x,x)r
; __declspec(dllimport)	__stdcall HalAllocateCommonBuffer(x, x,	x, x)
__imp__HalAllocateCommonBuffer@16 dd ?	; DATA XREF: HalAllocateCommonBuffer(x,x,x,x)r
; __declspec(dllimport)	__stdcall HalInitializeOnResume(x, x)
__imp__HalInitializeOnResume@8 dd ?	; DATA XREF: PopHiberCheckResume+E0r
; __declspec(dllimport)	__stdcall HalAllocateCrashDumpRegisters(x, x)
__imp__HalAllocateCrashDumpRegisters@8 dd ? ; DATA XREF: PopMarkComponentsBootPhase+31r
					; VfAllocateCrashDumpRegisters(x,x)+28r
; __declspec(dllimport)	__stdcall HalGetMemoryCachingRequirements(x, x,	x, x, x)
__imp__HalGetMemoryCachingRequirements@20 dd ?
					; DATA XREF: PopGetHwConfigurationSignature+BBr
; __declspec(dllimport)	__stdcall HalGetInterruptTargetInformation(x, x, x)
__imp__HalGetInterruptTargetInformation@12 dd ?	; DATA XREF: PoInitSystem+69Ar
; __declspec(dllimport)	__stdcall KeFlushWriteBuffer()
__imp__KeFlushWriteBuffer@0 dd ?	; DATA XREF: NtFlushWriteBuffer()r
; __declspec(dllimport)	__stdcall HalRequestIpiSpecifyVector(x,	x, x)
__imp__HalRequestIpiSpecifyVector@12 dd	?
					; DATA XREF: KiIntRedirectQueueRequestOnProcessor+33r
; __declspec(dllimport)	__stdcall HalProcessorIdle()
__imp__HalProcessorIdle@0 dd ?		; DATA XREF: PoIdle(x):loc_48A1A1r
					; PoIdle(x):loc_48A395r ...
; __declspec(dllimport)	__stdcall HalInitSystem(x, x)
__imp__HalInitSystem@8 dd ?		; DATA XREF: InitOtherProcessors()+9r
					; Phase1InitializationDiscard(x)+24Ar ...
; __declspec(dllimport)	__stdcall HalStopProfileInterrupt(x)
__imp__HalStopProfileInterrupt@4 dd ?	; DATA XREF: KiStopProfileTarget(x)+11Fr
; __declspec(dllimport)	__stdcall HalStartProfileInterrupt(x)
__imp__HalStartProfileInterrupt@4 dd ?	; DATA XREF: KiStartProfileTarget(x)+170r
; __declspec(dllimport)	__stdcall HalEnableInterrupt(x)
__imp__HalEnableInterrupt@4 dd ?	; DATA XREF: KeConnectInterrupt+B0r
; __declspec(dllimport)	__fastcall HalRequestSoftwareInterrupt(x)
__imp_@HalRequestSoftwareInterrupt@4 dd	? ; DATA XREF: KiCheckForKernelApcDelivery()+3Dr
					; KiQueueReadyThread+225r ...
; __declspec(dllimport)	__stdcall HalDisableInterrupt(x)
__imp__HalDisableInterrupt@4 dd	?	; DATA XREF: KiDisconnectInterruptInternal+53r
					; KiDisconnectSecondaryInterrupt(x,x)+78r
; __declspec(dllimport)	__stdcall HalpMcaExceptionHandler()
__imp__HalpMcaExceptionHandler@0 dd ?	; DATA XREF: sub_5A18E7+42r
; __declspec(dllimport)	__stdcall HalEndSystemInterrupt(x, x, x, x)
__imp__HalEndSystemInterrupt@16	dd ?	; DATA XREF: V86_kira_a+79Ar
; __declspec(dllimport)	__stdcall HalBeginSystemInterrupt(x, x,	x)
__imp__HalBeginSystemInterrupt@12 dd ?	; DATA XREF: V86_kira_a+815r
					; KiChainedDispatch()+Cr ...
; __declspec(dllimport)	__stdcall HalHandleNMI(x)
__imp__HalHandleNMI@4 dd ?		; DATA XREF: sub_59C2E7+AEr
; __declspec(dllimport)	__stdcall HalSendSoftwareInterrupt(x, x)
__imp__HalSendSoftwareInterrupt@8 dd ?	; DATA XREF: KiInsertQueueDpc+2ACr
					; KiSendSoftwareInterrupt(x,x)+21r ...
; __declspec(dllimport)	__stdcall HalRequestIpi(x, x)
__imp__HalRequestIpi@8 dd ?		; DATA XREF: PoIdle(x)+561r
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+1249r ...
; __declspec(dllimport)	__stdcall HalStartDynamicProcessor(x, x, x, x)
__imp__HalStartDynamicProcessor@16 dd ?	; DATA XREF: KiStartDynamicProcessor(x,x,x,x)+3AFr
; __declspec(dllimport)	__stdcall HalRegisterDynamicProcessor(x, x)
__imp__HalRegisterDynamicProcessor@8 dd	? ; DATA XREF: KiStartDynamicProcessor(x,x,x,x)+E1r
; __declspec(dllimport)	__stdcall HalStartNextProcessor(x, x, x)
__imp__HalStartNextProcessor@12	dd ?	; DATA XREF: KeStartAllProcessors+3A2r
; __declspec(dllimport)	__stdcall HalCalibratePerformanceCounter(x, x, x)
__imp__HalCalibratePerformanceCounter@12 dd ? ;	DATA XREF: KiCalibrateTimeAdjustment+93r
; __declspec(dllimport)	__stdcall KeRaiseIrqlToSynchLevel()
__imp__KeRaiseIrqlToSynchLevel@0 dd ?	; DATA XREF: KeSynchronizeAddressPolicy(x)+17r
					; KeFlushMultipleRangeTb+27r ...
; __declspec(dllimport)	__fastcall HalRequestClockInterrupt(x, x)
__imp_@HalRequestClockInterrupt@8 dd ?	; DATA XREF: KiForwardTick:loc_487543r
					; KiSendClockInterruptToClockOwner()+33r
; __declspec(dllimport)	__stdcall HalInitializeProcessor(x, x)
__imp__HalInitializeProcessor@8	dd ?	; DATA XREF: KiSystemStartup(x)+195r
; __declspec(dllimport)	__stdcall WRITE_PORT_ULONG(x, x)
__imp__WRITE_PORT_ULONG@8 dd ?		; DATA XREF: WritePort32(x,x)r
					; KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)+5Dr
; __declspec(dllimport)	__stdcall WRITE_PORT_USHORT(x, x)
__imp__WRITE_PORT_USHORT@8 dd ?		; DATA XREF: WritePort16(x,x)r
					; KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)+81r
; __declspec(dllimport)	__stdcall WRITE_PORT_UCHAR(x, x)
__imp__WRITE_PORT_UCHAR@8 dd ?		; DATA XREF: WritePort8(x,x)r
					; KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)+9Cr
; __declspec(dllimport)	__stdcall KeRaiseIrqlToDpcLevel()
__imp__KeRaiseIrqlToDpcLevel@0 dd ?	; DATA XREF: ExpUpdateTimerResolution+1Er
					; ExpInsertTimerResolutionEntry+Ar ...
; __declspec(dllimport)	__stdcall KeQueryPerformanceCounter(x)
__imp__KeQueryPerformanceCounter@4 dd ?	; DATA XREF: KeQuerySchedulingGroupHistory+6Cr
					; PopGetIdleTimesCallback+9Dr ...
; __declspec(dllimport)	__stdcall HalQueryRealTimeClock(x)
__imp__HalQueryRealTimeClock@4 dd ?	; DATA XREF: ExUpdateSystemTimeFromCmos+5Br
					; ExpRefreshSystemTime()+4Cr ...
; __declspec(dllimport)	__stdcall HalAllProcessorsStarted()
__imp__HalAllProcessorsStarted@0 dd ?	; DATA XREF: Phase1InitializationDiscard(x):loc_AC0A5Br
; __declspec(dllimport)	__stdcall HalReportResourceUsage(x)
__imp__HalReportResourceUsage@4	dd ?	; DATA XREF: Phase1InitializationDiscard(x)+7EAr
					; Phase1InitializationDiscard(x)+C34r ...
; __declspec(dllimport)	__stdcall HalSetRealTimeClock(x)
__imp__HalSetRealTimeClock@4 dd	?	; DATA XREF: ExpSetSystemTime+98B5r
					; ExpRefreshSystemTime()+B4r ...
; __declspec(dllimport)	__stdcall HalInitializeBios(x, x)
__imp__HalInitializeBios@8 dd ?		; DATA XREF: HalInitializeBios(x,x)r
					; INIT:00ACD531r
; __declspec(dllimport)	__stdcall READ_PORT_ULONG(x)
__imp__READ_PORT_ULONG@4 dd ?		; DATA XREF: ReadPort32(x)+6r
					; KdpSysReadIoSpace(x,x,x,x,x,x,x,x)+58r
_HAL_NULL_THUNK_DATA dd	0
;
; Imports from PSHED.dll
;
; __declspec(dllimport)	__stdcall PshedFreeMemory(x)
__imp__PshedFreeMemory@4 dd ?		; DATA XREF: INIT:00AC428Fr
					; INIT:00AC446Dr
; __declspec(dllimport)	__stdcall PshedReadErrorRecord(x, x, x,	x, x, x)
__imp__PshedReadErrorRecord@24 dd ?	; DATA XREF: WheapCheckForAndReportErrorsFromPreviousSession+54r
; __declspec(dllimport)	__stdcall PshedClearErrorRecord(x, x, x)
__imp__PshedClearErrorRecord@12	dd ?	; DATA XREF: WheapCheckForAndReportErrorsFromPreviousSession+7DFF2r
; __declspec(dllimport)	__stdcall PshedAllocateMemory(x)
__imp__PshedAllocateMemory@4 dd	?	; DATA XREF: WheapQueryPshedForErrorSources+39r
; __declspec(dllimport)	__stdcall PshedGetBootErrorPacket(x, x)
__imp__PshedGetBootErrorPacket@8 dd ?	; DATA XREF: WheapCheckForAndReportErrorsFromPreviousSession+28r
; __declspec(dllimport)	__stdcall PshedIsSystemWheaEnabled()
__imp__PshedIsSystemWheaEnabled@0 dd ?	; DATA XREF: INIT:00AC44F7r
; __declspec(dllimport)	__stdcall PshedInitialize(x, x)
__imp__PshedInitialize@8 dd ?		; DATA XREF: INIT:00AC41EAr
					; INIT:00AC42BDr
; __declspec(dllimport)	__stdcall PshedGetAllErrorSources(x, x,	x)
__imp__PshedGetAllErrorSources@12 dd ?	; DATA XREF: WheapQueryPshedForErrorSources+25r
					; WheapQueryPshedForErrorSources+56r
; __declspec(dllimport)	__stdcall PshedAttemptErrorRecovery(x)
__imp__PshedAttemptErrorRecovery@4 dd ?	; DATA XREF: WheapAttemptErrorRecovery(x)+1Fr
; __declspec(dllimport)	__stdcall PshedWriteErrorRecord(x, x, x)
__imp__PshedWriteErrorRecord@12	dd ?	; DATA XREF: WheaReportHwError(x)+34Er
					; WheaReportHwError(x)+398r ...
; __declspec(dllimport)	__stdcall PshedBugCheckSystem(x, x)
__imp__PshedBugCheckSystem@8 dd	?	; DATA XREF: WheaReportHwError(x)+424r
; __declspec(dllimport)	__stdcall PshedFinalizeErrorRecord(x, x)
__imp__PshedFinalizeErrorRecord@8 dd ?	; DATA XREF: WheaReportHwError(x)+37Cr
					; WheaReportHwError(x)+3DEr ...
; __declspec(dllimport)	__stdcall PshedRetrieveErrorInfo(x, x)
__imp__PshedRetrieveErrorInfo@8	dd ?	; DATA XREF: WheaHwErrorReportSubmitDeviceDriver(x)+AEr
; __declspec(dllimport)	__stdcall PshedArePluginsPresent()
__imp__PshedArePluginsPresent@0	dd ?	; DATA XREF: PopSaveHiberContext:loc_71D70Ar
; __declspec(dllimport)	__stdcall PshedDoPfa(x)
__imp__PshedDoPfa@4 dd ?		; DATA XREF: WheapPredictiveFailureAnalysis(x)+Br
; __declspec(dllimport)	__stdcall PshedEnableErrorSource(x)
__imp__PshedEnableErrorSource@4	dd ?	; DATA XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+DDr
; __declspec(dllimport)	__stdcall PshedDisableErrorSource(x)
__imp__PshedDisableErrorSource@4 dd ?	; DATA XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+98r
; __declspec(dllimport)	__stdcall PshedGetInjectionCapabilities(x)
__imp__PshedGetInjectionCapabilities@4 dd ?
					; DATA XREF: WheapWmiExecuteErrorInjectionMethod(x,x,x,x,x)+ADr
; __declspec(dllimport)	__stdcall PshedInjectError(x, x, x, x, x, x, x,	x, x)
__imp__PshedInjectError@36 dd ?		; DATA XREF: WheapWmiExecuteErrorInjectionMethod(x,x,x,x,x)+86r
; __declspec(dllimport)	__stdcall PshedSetErrorSourceInfo(x)
__imp__PshedSetErrorSourceInfo@4 dd ?	; DATA XREF: WheapWmiExecuteErrorSourceMethod(x,x,x,x,x)+12Dr
_PSHED_NULL_THUNK_DATA dd 0
;
; Imports from cng.sys
;
; __declspec(dllimport)	__stdcall BCryptExportKey(x, x,	x, x, x, x, x)
__imp__BCryptExportKey@28 dd ?		; DATA XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+4Br
					; SecureDump_EncryptSymmetricKeyWithPublicKey()+94r
_cng_NULL_THUNK_DATA dd	0
;
; Imports from ext-ms-win-fs-clfs-l1-1-0.dll
;
; __declspec(dllimport)	__stdcall ClfsCloseLogFileObject(x)
__imp__ClfsCloseLogFileObject@4	dd ?	; DATA XREF: CmpInitCmRM+475r
					; CmpStopRMLog+18BBFBr	...
; __declspec(dllimport)	__stdcall ClfsCreateLogFile(x, x, x, x,	x, x, x, x, x, x, x)
__imp__ClfsCreateLogFile@44 dd ?	; DATA XREF: CmpInitCmRM+2D1r
					; CmpStartCLFSLog+108r	...
; __declspec(dllimport)	__stdcall ClfsMgmtInstallPolicy(x, x, x)
__imp__ClfsMgmtInstallPolicy@12	dd ?	; DATA XREF: CmpInitCmRM+3A6r
; __declspec(dllimport)	__stdcall ClfsLsnDifference(x, x, x, x,	x)
__imp__ClfsLsnDifference@20 dd ?	; DATA XREF: CmpComputeLogFillLevel+95r
; __declspec(dllimport)	__stdcall ClfsRemoveLogContainer(x, x, x)
__imp__ClfsRemoveLogContainer@12 dd ?	; DATA XREF: CmpAddRemoveContainerToCLFSLog(x,x,x,x,x,x,x,x)+1CAr
; __declspec(dllimport)	__stdcall ClfsAddLogContainer(x, x, x)
__imp__ClfsAddLogContainer@12 dd ?	; DATA XREF: CmpAddRemoveContainerToCLFSLog(x,x,x,x,x,x,x,x)+1BFr
; __declspec(dllimport)	__stdcall ClfsCreateMarshallingArea(x, x, x, x,	x, x, x, x)
__imp__ClfsCreateMarshallingArea@32 dd ? ; DATA	XREF: CmpStartCLFSLog+16Er
; __declspec(dllimport)	__stdcall ClfsLsnLess(x, x)
__imp__ClfsLsnLess@8 dd	?		; DATA XREF: CmpLogCheckpoint+75593r
; __declspec(dllimport)	__stdcall ClfsLsnContainer(x)
__imp__ClfsLsnContainer@4 dd ?		; DATA XREF: CmpLogCheckpoint+75561r
					; CmpLogCheckpoint+7556Ar
; __declspec(dllimport)	__stdcall ClfsFlushToLsn(x, x, x)
__imp__ClfsFlushToLsn@12 dd ?		; DATA XREF: CmLogTmRmAction(x,x,x)+7Ar
; __declspec(dllimport)	__stdcall ClfsLsnInvalid(x)
__imp__ClfsLsnInvalid@4	dd ?		; DATA XREF: CmAddLogForAction(x,x)+519r
					; CmAddLogForAction(x,x)+548r ...
; __declspec(dllimport)	__stdcall ClfsReserveAndAppendLog(x, x,	x, x, x, x, x, x, x)
__imp__ClfsReserveAndAppendLog@36 dd ?	; DATA XREF: CmpAccountForLogReservation(x,x,x)+58r
					; CmpTransWriteLog+75429r ...
; __declspec(dllimport)	__stdcall ClfsDeleteMarshallingArea(x)
__imp__ClfsDeleteMarshallingArea@4 dd ?	; DATA XREF: CmpStopRMLog+18BBD7r
					; CmpStartRMLog+758C7r
; __declspec(dllimport)	__stdcall ClfsDeleteLogByPointer(x)
__imp__ClfsDeleteLogByPointer@4	dd ?	; DATA XREF: CmpStopRMLog+18BBF2r
					; CmpStartRMLog+758BCr
; __declspec(dllimport)	__stdcall ClfsWriteRestartArea(x, x, x,	x, x, x, x)
__imp__ClfsWriteRestartArea@28 dd ?	; DATA XREF: CmpStartRMLog+2B8r
					; CmpLogCheckpoint+184r
; __declspec(dllimport)	__stdcall ClfsTerminateReadLog(x)
__imp__ClfsTerminateReadLog@4 dd ?	; DATA XREF: CmpStartRMLog+268r
					; CmpStartRMLog+276r ...
; __declspec(dllimport)	__stdcall ClfsReadNextLogRecord(x, x, x, x, x, x, x, x)
__imp__ClfsReadNextLogRecord@32	dd ?	; DATA XREF: CmpDoReadTxRBigLogRecord(x,x,x,x,x)+D4r
					; CmpStartRMLog+240r ...
; __declspec(dllimport)	__stdcall ClfsReadLogRecord(x, x, x, x,	x, x, x, x, x)
__imp__ClfsReadLogRecord@36 dd ?	; DATA XREF: CmpStartRMLog+216r
					; CmpRmAnalysisPhase(x,x,x)+7Fr ...
; __declspec(dllimport)	__stdcall ClfsLsnEqual(x, x)
__imp__ClfsLsnEqual@8 dd ?		; DATA XREF: CmpStartRMLog+1BEr
					; CmpStartRMLog+28Dr ...
; __declspec(dllimport)	__stdcall ClfsReadRestartArea(x, x, x, x, x)
__imp__ClfsReadRestartArea@20 dd ?	; DATA XREF: CmpStartRMLog+18Fr
; __declspec(dllimport)	__stdcall ClfsGetLogFileInformation(x, x, x)
__imp__ClfsGetLogFileInformation@12 dd ? ; DATA	XREF: CmAddLogForAction(x,x)+586r
					; CmpStartRMLog+13Dr ...
; __declspec(dllimport)	__stdcall ClfsMgmtDeregisterManagedClient(x)
__imp__ClfsMgmtDeregisterManagedClient@4 dd ? ;	DATA XREF: CmpInitCmRM+486r
					; CmpInitCmRM+11D60Ar ...
; __declspec(dllimport)	__stdcall ClfsMgmtRegisterManagedClient(x, x, x)
__imp__ClfsMgmtRegisterManagedClient@12	dd ? ; DATA XREF: CmpInitCmRM+32Ar
_ext_ms_win_fs_clfs_l1_1_0_NULL_THUNK_DATA dd 0
;
; Imports from ext-ms-win-ntos-clipsp-l1-1-0.dll
;
; __declspec(dllimport)	__stdcall ClipSpInitialize(x, x)
__imp__ClipSpInitialize@8 dd ?		; DATA XREF: ClipInitHandles()+32r
_ext_ms_win_ntos_clipsp_l1_1_0_NULL_THUNK_DATA dd 0
;
; Imports from ext-ms-win-ntos-kcminitcfg-l1-1-0.dll
;
; __declspec(dllimport)	__stdcall CmCompleteInitMachineConfig(x)
__imp__CmCompleteInitMachineConfig@4 dd	? ; DATA XREF: CmCompleteRegistryInitialization+3Fr
; __declspec(dllimport)	__stdcall CmSetInitMachineConfig(x)
__imp__CmSetInitMachineConfig@4	dd ?	; DATA XREF: CmInitSystem1(x)+5F4r
_ext_ms_win_ntos_kcminitcfg_l1_1_0_NULL_THUNK_DATA dd 0
;
; Imports from ext-ms-win-ntos-ksecurity-l1-1-1.dll
;
; __declspec(dllimport)	__stdcall QueryUpdateFileEaAllowedExt(x)
__imp__QueryUpdateFileEaAllowedExt@4 dd	? ; DATA XREF: sub_785212+1940r
_ext_ms_win_ntos_ksecurity_l1_1_1_NULL_THUNK_DATA dd 0
;
; Imports from ext-ms-win-ntos-ksr-l1-1-3.dll
;
; __declspec(dllimport)	__stdcall KsrGetFirmwareInformation(x)
__imp__KsrGetFirmwareInformation@4 dd ?	; DATA XREF: EtwpInitialize+1C0r
					; PopSetupKsrCallbacks+1Br ...
; __declspec(dllimport)	__stdcall KsrFreePersistedMemory(x, x)
__imp__KsrFreePersistedMemory@8	dd ?	; DATA XREF: EtwpSavePersistedLoggersWorker()+B3r
; __declspec(dllimport)	__stdcall KsrInitPageDatabase(x, x)
__imp__KsrInitPageDatabase@8 dd	?	; DATA XREF: BapdpProcessBootMetadata+14D7Br
; __declspec(dllimport)	__stdcall KsrCleanupPageDatabase(x)
__imp__KsrCleanupPageDatabase@4	dd ?	; DATA XREF: BapdpKsrComplete(x,x)+20r
; __declspec(dllimport)	__stdcall KsrFreePersistedMemoryBlock(x, x, x, x)
__imp__KsrFreePersistedMemoryBlock@16 dd ? ; DATA XREF:	IoFreeKsrPersistentMemory(x)+48r
					; PipGetPersistentMemory(x,x,x,x,x)+230r ...
; __declspec(dllimport)	__stdcall KsrClaimPersistedMemory(x, x,	x, x, x, x, x)
__imp__KsrClaimPersistedMemory@28 dd ?	; DATA XREF: PipGetPersistentMemory(x,x,x,x,x)+227r
					; EtwpQueryPersistedMemory(x,x,x,x,x)+22r ...
; __declspec(dllimport)	__stdcall KsrQueryMetadata(x, x, x, x, x, x)
__imp__KsrQueryMetadata@24 dd ?		; DATA XREF: PipGetPersistentMemory(x,x,x,x,x)+21Dr
					; EtwpSavePersistedLoggersWorker()+78r
; __declspec(dllimport)	__stdcall KsrEnumeratePersistedMemory(x, x, x)
__imp__KsrEnumeratePersistedMemory@12 dd ?
					; DATA XREF: PipGetPersistentMemory(x,x,x,x,x)+199r
					; EtwpSavePersistedLoggersWorker()+49r
; __declspec(dllimport)	__stdcall KsrInitSystem(x, x, x, x)
__imp__KsrInitSystem@16	dd ?		; DATA XREF: Phase1InitializationDiscard(x)+AB0r
; __declspec(dllimport)	__stdcall KsrMdlToMemoryRuns(x,	x, x, x)
__imp__KsrMdlToMemoryRuns@16 dd	?	; DATA XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+39Cr
					; IoReserveKsrPersistentMemory(x,x,x,x,x)+3D6r	...
; __declspec(dllimport)	__stdcall KsrPersistMemoryWithMetadata(x, x, x,	x, x, x)
__imp__KsrPersistMemoryWithMetadata@24 dd ?
					; DATA XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+402r
					; EtwpPreserveMdlList(x,x,x,x)+90r
_ext_ms_win_ntos_ksr_l1_1_3_NULL_THUNK_DATA dd 0
;
; Imports from ext-ms-win-ntos-processparameters-l1-1-0.dll
;
; __declspec(dllimport)	__stdcall PsDestroyProcessParameterOverrides(x)
__imp__PsDestroyProcessParameterOverrides@4 dd ?
					; DATA XREF: PspDeleteCreateProcessContext+15Er
					; PspGetProcessParameterOverrides+120D26r
; __declspec(dllimport)	__stdcall PsGetProcessParameterOverrides(x, x)
__imp__PsGetProcessParameterOverrides@8	dd ?
					; DATA XREF: PspGetProcessParameterOverrides+2Ar
_ext_ms_win_ntos_processparameters_l1_1_0_NULL_THUNK_DATA dd 0
;
; Imports from ext-ms-win-ntos-stateseparation-l1-1-0.dll
;
; __declspec(dllimport)	__stdcall ExpInitializeStateSeparationPhase1(x)
__imp__ExpInitializeStateSeparationPhase1@4 dd ? ; DATA	XREF: INIT:00ABFC1Ar
; __declspec(dllimport)	__stdcall ExpInitializeStateSeparationPhase0(x)
__imp__ExpInitializeStateSeparationPhase0@4 dd ? ; DATA	XREF: INIT:00AC2C8Br
; __declspec(dllimport)	__stdcall ExpInitializeStateSeparationPhase2(x,	x, x)
__imp__ExpInitializeStateSeparationPhase2@12 dd	?
					; DATA XREF: ExpWnfGetNameStoreRegistryRoot+100r
_ext_ms_win_ntos_stateseparation_l1_1_0_NULL_THUNK_DATA	dd 0
;
; Imports from ext-ms-win-ntos-tm-l1-1-0.dll
;
; __declspec(dllimport)	__stdcall NtReadOnlyEnlistment(x, x)
__imp__NtReadOnlyEnlistment@8 dd ?	; DATA XREF: NtReadOnlyEnlistment(x,x)r
; __declspec(dllimport)	__stdcall NtQueryInformationTransactionManager(x, x, x,	x, x)
__imp__NtQueryInformationTransactionManager@20 dd ?
					; DATA XREF: NtQueryInformationTransactionManager(x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtQueryInformationTransaction(x, x, x, x, x)
__imp__NtQueryInformationTransaction@20	dd ?
					; DATA XREF: NtQueryInformationTransaction(x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtQueryInformationResourceManager(x, x, x, x,	x)
__imp__NtQueryInformationResourceManager@20 dd ?
					; DATA XREF: NtQueryInformationResourceManager(x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtQueryInformationEnlistment(x, x, x,	x, x)
__imp__NtQueryInformationEnlistment@20 dd ?
					; DATA XREF: NtQueryInformationEnlistment(x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtPropagationFailed(x, x, x)
__imp__NtPropagationFailed@12 dd ?	; DATA XREF: NtPropagationFailed(x,x,x)r
; __declspec(dllimport)	__stdcall NtPropagationComplete(x, x, x, x)
__imp__NtPropagationComplete@16	dd ?	; DATA XREF: NtPropagationComplete(x,x,x,x)r
; __declspec(dllimport)	__stdcall NtPrepareEnlistment(x, x)
__imp__NtPrepareEnlistment@8 dd	?	; DATA XREF: NtPrepareEnlistment(x,x)r
; __declspec(dllimport)	__stdcall NtPrepareComplete(x, x)
__imp__NtPrepareComplete@8 dd ?		; DATA XREF: NtPrepareComplete(x,x)r
; __declspec(dllimport)	__stdcall NtPrePrepareEnlistment(x, x)
__imp__NtPrePrepareEnlistment@8	dd ?	; DATA XREF: NtPrePrepareEnlistment(x,x)r
; __declspec(dllimport)	__stdcall NtPrePrepareComplete(x, x)
__imp__NtPrePrepareComplete@8 dd ?	; DATA XREF: NtPrePrepareComplete(x,x)r
; __declspec(dllimport)	__stdcall NtOpenTransactionManager(x, x, x, x, x, x)
__imp__NtOpenTransactionManager@24 dd ?	; DATA XREF: NtOpenTransactionManager(x,x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtOpenTransaction(x, x, x, x,	x)
__imp__NtOpenTransaction@20 dd ?	; DATA XREF: NtOpenTransaction(x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtOpenResourceManager(x, x, x, x, x)
__imp__NtOpenResourceManager@20	dd ?	; DATA XREF: NtOpenResourceManager(x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtOpenEnlistment(x, x, x, x, x)
__imp__NtOpenEnlistment@20 dd ?		; DATA XREF: NtOpenEnlistment(x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtGetNotificationResourceManager(x, x, x, x, x, x, x)
__imp__NtGetNotificationResourceManager@28 dd ?
					; DATA XREF: NtGetNotificationResourceManager(x,x,x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtFreezeTransactions(x, x)
__imp__NtFreezeTransactions@8 dd ?	; DATA XREF: NtFreezeTransactions(x,x)r
; __declspec(dllimport)	__stdcall NtEnumerateTransactionObject(x, x, x,	x, x)
__imp__NtEnumerateTransactionObject@20 dd ?
					; DATA XREF: NtEnumerateTransactionObject(x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtCreateTransactionManager(x,	x, x, x, x, x)
__imp__NtCreateTransactionManager@24 dd	?
					; DATA XREF: NtCreateTransactionManager(x,x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtCreateTransaction(x, x, x, x, x, x,	x, x, x, x)
__imp__NtCreateTransaction@40 dd ?	; DATA XREF: NtCreateTransaction(x,x,x,x,x,x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtCreateResourceManager(x, x,	x, x, x, x, x)
__imp__NtCreateResourceManager@28 dd ?	; DATA XREF: NtCreateResourceManager(x,x,x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtCreateEnlistment(x,	x, x, x, x, x, x, x)
__imp__NtCreateEnlistment@32 dd	?	; DATA XREF: NtCreateEnlistment(x,x,x,x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtCommitTransaction(x, x)
__imp__NtCommitTransaction@8 dd	?	; DATA XREF: NtCommitTransaction(x,x)r
; __declspec(dllimport)	__stdcall NtCommitEnlistment(x,	x)
__imp__NtCommitEnlistment@8 dd ?	; DATA XREF: NtCommitEnlistment(x,x)r
; __declspec(dllimport)	__stdcall NtCommitComplete(x, x)
__imp__NtCommitComplete@8 dd ?		; DATA XREF: NtCommitComplete(x,x)r
; __declspec(dllimport)	__stdcall TmInitSystem(x, x, x,	x)
__imp__TmInitSystem@16 dd ?		; DATA XREF: TmInitSystem(x,x,x,x)r
					; Phase1InitializationDiscard(x)+83Br
; __declspec(dllimport)	__stdcall NtRollbackTransaction(x, x)
__imp__NtRollbackTransaction@8 dd ?	; DATA XREF: NtRollbackTransaction(x,x)r
; __declspec(dllimport)	__stdcall NtSetInformationEnlistment(x,	x, x, x)
__imp__NtSetInformationEnlistment@16 dd	? ; DATA XREF: NtSetInformationEnlistment(x,x,x,x)r
; __declspec(dllimport)	__stdcall TmShutdownSystem()
__imp__TmShutdownSystem@0 dd ?		; DATA XREF: PopGracefulShutdown(x):loc_72F54Br
; __declspec(dllimport)	__stdcall NtRecoverEnlistment(x, x)
__imp__NtRecoverEnlistment@8 dd	?	; DATA XREF: NtRecoverEnlistment(x,x)r
; __declspec(dllimport)	__stdcall NtRecoverResourceManager(x)
__imp__NtRecoverResourceManager@4 dd ?	; DATA XREF: NtRecoverResourceManager(x)r
; __declspec(dllimport)	__stdcall NtRegisterProtocolAddressInformation(x, x, x,	x, x)
__imp__NtRegisterProtocolAddressInformation@20 dd ?
					; DATA XREF: NtRegisterProtocolAddressInformation(x,x,x,x,x)r
; __declspec(dllimport)	__stdcall NtRenameTransactionManager(x,	x)
__imp__NtRenameTransactionManager@8 dd ? ; DATA	XREF: NtRenameTransactionManager(x,x)r
; __declspec(dllimport)	__stdcall NtRollforwardTransactionManager(x, x)
__imp__NtRollforwardTransactionManager@8 dd ?
					; DATA XREF: NtRollforwardTransactionManager(x,x)r
; __declspec(dllimport)	__stdcall NtSetInformationResourceManager(x, x,	x, x)
__imp__NtSetInformationResourceManager@16 dd ?
					; DATA XREF: NtSetInformationResourceManager(x,x,x,x)r
; __declspec(dllimport)	__stdcall NtSetInformationTransaction(x, x, x, x)
__imp__NtSetInformationTransaction@16 dd ?
					; DATA XREF: NtSetInformationTransaction(x,x,x,x)r
; __declspec(dllimport)	__stdcall NtThawTransactions()
__imp__NtThawTransactions@0 dd ?	; DATA XREF: NtThawTransactions()r
; __declspec(dllimport)	__stdcall TmCancelPropagationRequest(x)
__imp__TmCancelPropagationRequest@4 dd ? ; DATA	XREF: TmCancelPropagationRequest(x)r
; __declspec(dllimport)	__stdcall TmCommitComplete(x, x)
__imp__TmCommitComplete@8 dd ?		; DATA XREF: TmCommitComplete(x,x)r
					; CmKtmNotification(x,x,x,x,x,x,x)+10Fr ...
; __declspec(dllimport)	__stdcall TmCommitEnlistment(x,	x)
__imp__TmCommitEnlistment@8 dd ?	; DATA XREF: TmCommitEnlistment(x,x)r
; __declspec(dllimport)	__stdcall TmCommitTransaction(x, x)
__imp__TmCommitTransaction@8 dd	?	; DATA XREF: TmCommitTransaction(x,x)r
; __declspec(dllimport)	__stdcall TmCreateEnlistment(x,	x, x, x, x, x, x, x, x)
__imp__TmCreateEnlistment@36 dd	?	; DATA XREF: TmCreateEnlistment(x,x,x,x,x,x,x,x,x)r
					; CmTmCreateEnlistment(x,x,x,x)+43r
; __declspec(dllimport)	__stdcall TmCurrentTransaction(x)
__imp__TmCurrentTransaction@4 dd ?	; DATA XREF: TmCurrentTransaction(x)r
					; CmCheckNoTxContext()+Er ...
; __declspec(dllimport)	__stdcall TmDereferenceEnlistmentKey(x,	x)
__imp__TmDereferenceEnlistmentKey@8 dd ? ; DATA	XREF: TmDereferenceEnlistmentKey(x,x)r
					; CmKtmNotification(x,x,x,x,x,x,x)+1B6r ...
; __declspec(dllimport)	__stdcall TmEnableCallbacks(x, x, x)
__imp__TmEnableCallbacks@12 dd ?	; DATA XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+290r
					; TmEnableCallbacks(x,x,x)r ...
; __declspec(dllimport)	__stdcall TmEndPropagationRequest(x)
__imp__TmEndPropagationRequest@4 dd ?	; DATA XREF: TmEndPropagationRequest(x)r
; __declspec(dllimport)	__stdcall TmFreezeTransactions(x, x, x)
__imp__TmFreezeTransactions@12 dd ?	; DATA XREF: TmFreezeTransactions(x,x,x)r
; __declspec(dllimport)	__stdcall TmGetTransactionId(x,	x)
__imp__TmGetTransactionId@8 dd ?	; DATA XREF: TmGetTransactionId(x,x)r
; __declspec(dllimport)	__stdcall TmInitializeTransactionManager(x, x, x, x)
__imp__TmInitializeTransactionManager@16 dd ?
					; DATA XREF: TmInitializeTransactionManager(x,x,x,x)r
; __declspec(dllimport)	__stdcall TmIsKTMCommitCoordinator(x)
__imp__TmIsKTMCommitCoordinator@4 dd ?	; DATA XREF: TmIsKTMCommitCoordinator(x)r
; __declspec(dllimport)	__stdcall TmIsTransactionActive(x)
__imp__TmIsTransactionActive@4 dd ?	; DATA XREF: TmIsTransactionActive(x)r
					; CmpTransIsTransActive(x)+1Fr	...
; __declspec(dllimport)	__stdcall NtSetInformationTransactionManager(x,	x, x, x)
__imp__NtSetInformationTransactionManager@16 dd	?
					; DATA XREF: NtSetInformationTransactionManager(x,x,x,x)r
; __declspec(dllimport)	__stdcall NtSinglePhaseReject(x, x)
__imp__NtSinglePhaseReject@8 dd	?	; DATA XREF: NtSinglePhaseReject(x,x)r
; __declspec(dllimport)	__stdcall TmThawTransactions()
__imp__TmThawTransactions@0 dd ?	; DATA XREF: TmThawTransactions()r
; __declspec(dllimport)	__stdcall TmSinglePhaseReject(x, x)
__imp__TmSinglePhaseReject@8 dd	?	; DATA XREF: TmSinglePhaseReject(x,x)r
; __declspec(dllimport)	__stdcall TmSetCurrentTransaction(x)
__imp__TmSetCurrentTransaction@4 dd ?	; DATA XREF: TmSetCurrentTransaction(x)r
; __declspec(dllimport)	__stdcall TmRollbackTransaction(x, x)
__imp__TmRollbackTransaction@8 dd ?	; DATA XREF: TmRollbackTransaction(x,x)r
; __declspec(dllimport)	__stdcall TmRollbackEnlistment(x, x)
__imp__TmRollbackEnlistment@8 dd ?	; DATA XREF: TmRollbackEnlistment(x,x)r
					; CmpAbortRollbackPacket(x,x)+44r ...
; __declspec(dllimport)	__stdcall TmRollbackComplete(x,	x)
__imp__TmRollbackComplete@8 dd ?	; DATA XREF: TmRollbackComplete(x,x)r
					; CmKtmNotification(x,x,x,x,x,x,x)+F6r	...
; __declspec(dllimport)	__stdcall TmRequestOutcomeEnlistment(x,	x)
__imp__TmRequestOutcomeEnlistment@8 dd ? ; DATA	XREF: TmRequestOutcomeEnlistment(x,x)r
; __declspec(dllimport)	__stdcall TmRenameTransactionManager(x,	x)
__imp__TmRenameTransactionManager@8 dd ? ; DATA	XREF: TmRenameTransactionManager(x,x)r
; __declspec(dllimport)	__stdcall TmReferenceEnlistmentKey(x, x)
__imp__TmReferenceEnlistmentKey@8 dd ?	; DATA XREF: TmReferenceEnlistmentKey(x,x)r
					; CmKtmNotification(x,x,x,x,x,x,x)+B7r
; __declspec(dllimport)	__stdcall NtRecoverTransactionManager(x)
__imp__NtRecoverTransactionManager@4 dd	? ; DATA XREF: NtRecoverTransactionManager(x)r
; __declspec(dllimport)	__stdcall NtRollbackComplete(x,	x)
__imp__NtRollbackComplete@8 dd ?	; DATA XREF: NtRollbackComplete(x,x)r
; __declspec(dllimport)	__stdcall TmInitSystemPhase2()
__imp__TmInitSystemPhase2@0 dd ?	; DATA XREF: TmInitSystemPhase2()r
					; INIT:loc_ABFC4Er
; __declspec(dllimport)	__stdcall NtRollbackEnlistment(x, x)
__imp__NtRollbackEnlistment@8 dd ?	; DATA XREF: NtRollbackEnlistment(x,x)r
; __declspec(dllimport)	__stdcall TmPrePrepareComplete(x, x)
__imp__TmPrePrepareComplete@8 dd ?	; DATA XREF: TmPrePrepareComplete(x,x)r
; __declspec(dllimport)	__stdcall TmPrePrepareEnlistment(x, x)
__imp__TmPrePrepareEnlistment@8	dd ?	; DATA XREF: TmPrePrepareEnlistment(x,x)r
; __declspec(dllimport)	__stdcall TmPrepareComplete(x, x)
__imp__TmPrepareComplete@8 dd ?		; DATA XREF: TmPrepareComplete(x,x)r
					; CmKtmNotification(x,x,x,x,x,x,x)+128r ...
; __declspec(dllimport)	__stdcall TmPrepareEnlistment(x, x)
__imp__TmPrepareEnlistment@8 dd	?	; DATA XREF: TmPrepareEnlistment(x,x)r
; __declspec(dllimport)	__stdcall TmPropagationComplete(x, x, x, x)
__imp__TmPropagationComplete@16	dd ?	; DATA XREF: TmPropagationComplete(x,x,x,x)r
; __declspec(dllimport)	__stdcall TmPropagationFailed(x, x, x)
__imp__TmPropagationFailed@12 dd ?	; DATA XREF: TmPropagationFailed(x,x,x)r
; __declspec(dllimport)	__stdcall TmReadOnlyEnlistment(x, x)
__imp__TmReadOnlyEnlistment@8 dd ?	; DATA XREF: TmReadOnlyEnlistment(x,x)r
					; CmKtmNotification(x,x,x,x,x,x,x)+323r
; __declspec(dllimport)	__stdcall TmRecoverEnlistment(x, x)
__imp__TmRecoverEnlistment@8 dd	?	; DATA XREF: TmRecoverEnlistment(x,x)r
; __declspec(dllimport)	__stdcall TmRecoverResourceManager(x)
__imp__TmRecoverResourceManager@4 dd ?	; DATA XREF: TmRecoverResourceManager(x)r
; __declspec(dllimport)	__stdcall TmRecoverTransactionManager(x, x)
__imp__TmRecoverTransactionManager@8 dd	? ; DATA XREF: TmRecoverTransactionManager(x,x)r
_ext_ms_win_ntos_tm_l1_1_0_NULL_THUNK_DATA dd 0
;
; Imports from ext-ms-win-ntos-ucode-l1-1-0.dll
;
; __declspec(dllimport)	__stdcall ExpMicrocodeInformationUnload()
__imp__ExpMicrocodeInformationUnload@0 dd ?
					; DATA XREF: ExpSetProcessorMicrocodeUpdateInformation(x,x,x)+67r
; __declspec(dllimport)	__stdcall ExpMicrocodeInformationLoad()
__imp__ExpMicrocodeInformationLoad@0 dd	?
					; DATA XREF: ExpSetProcessorMicrocodeUpdateInformation(x,x,x)+59r
; __declspec(dllimport)	__stdcall ExpMicrocodeInitialization(x)
__imp__ExpMicrocodeInitialization@4 dd ? ; DATA	XREF: ExpInitSystemPhase1+146r
					; ExInitSystemPhase2()+18r
_ext_ms_win_ntos_ucode_l1_1_0_NULL_THUNK_DATA dd 0
;
; Imports from ext-ms-win-ntos-werkernel-l1-1-1.dll
;
; __declspec(dllimport)	__stdcall WerLiveKernelInitSystem()
__imp__WerLiveKernelInitSystem@0 dd ?	; DATA XREF: IoInitSystem+1Fr
; __declspec(dllimport)	__stdcall WerLiveKernelCloseHandle(x)
__imp__WerLiveKernelCloseHandle@4 dd ?	; DATA XREF: DbgkpWerCleanupContext(x)+115r
					; LkmdTelCreateReport(x,x,x,x,x,x)+180r ...
; __declspec(dllimport)	__stdcall WerLiveKernelOpenDumpFile(x, x)
__imp__WerLiveKernelOpenDumpFile@8 dd ?	; DATA XREF: DbgkpWerCaptureLiveFullDump(x,x)+B1r
					; DbgkpWerWriteTriageDump(x)+1Fr ...
; __declspec(dllimport)	__stdcall WerLiveKernelCancelReport(x)
__imp__WerLiveKernelCancelReport@4 dd ?	; DATA XREF: DbgkpWerCleanupContext(x)+F6r
					; LkmdTelCreateReport(x,x,x,x,x,x)+15Dr ...
; __declspec(dllimport)	__stdcall WerLiveKernelCreateReport(x, x, x)
__imp__WerLiveKernelCreateReport@12 dd ?
					; DATA XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+153r
					; LkmdTelCreateReport(x,x,x,x,x,x)+B6r
; __declspec(dllimport)	__stdcall WerLiveKernelSubmitReport(x, x)
__imp__WerLiveKernelSubmitReport@8 dd ?	; DATA XREF: DbgkpWerCaptureLiveTriageDump(x)+EBr
					; DbgkpWerDeferredWriteRoutine(x)+80r ...
_ext_ms_win_ntos_werkernel_l1_1_1_NULL_THUNK_DATA dd 0
;
; Imports from kdcom.dll
;
; __declspec(dllimport)	__stdcall KdPower(x, x)
__imp__KdPower@8 dd ?			; DATA XREF: KdPowerTransitionEx(x,x)+97r
					; KdPowerTransitionEx(x,x)+E1r
; __declspec(dllimport)	__stdcall KdSetHiberRange(x)
__imp__KdSetHiberRange@4 dd ?		; DATA XREF: PopMarkComponentsBootPhase+8688r
; __declspec(dllimport)	__stdcall KdInitialize(x, x, x)
__imp__KdInitialize@12 dd ?		; DATA XREF: PAGE:007B4784r
					; KdRegisterDebuggerDataBlock+513r ...
; __declspec(dllimport)	__stdcall KdSendPacket(x, x, x,	x)
__imp__KdSendPacket@16 dd ?		; DATA XREF: KdpGetContextEx(x,x,x)+99r
					; KdpSetContextEx(x,x,x)+104r ...
; __declspec(dllimport)	__stdcall KdReceivePacket(x, x,	x, x, x)
__imp__KdReceivePacket@20 dd ?		; DATA XREF: sub_5FB8A3+9Cr
					; KdpPollBreakInWithPortLock()+22r ...
_kdcom_NULL_THUNK_DATA dd 0
;
; Imports from msrpc.sys
;
; RPC_STATUS __stdcall MesHandleFree(handle_t Handle)
__imp__MesHandleFree@4 dd ?		; DATA XREF: PiDqQueryRelease+42r
					; PiDqQuerySerializeActionQueue+23Dr ...
; RPC_STATUS __stdcall MesEncodeIncrementalHandleCreate(void *UserState,MIDL_ES_ALLOC AllocFn,MIDL_ES_WRITE WriteFn,handle_t *pHandle)
__imp__MesEncodeIncrementalHandleCreate@16 dd ?
					; DATA XREF: PiDqQuerySerializeActionQueue+9Dr
; RPC_STATUS __stdcall MesIncrementalHandleReset(handle_t Handle,void *UserState,MIDL_ES_ALLOC AllocFn,MIDL_ES_WRITE WriteFn,MIDL_ES_READ ReadFn,MIDL_ES_CODE Operation)
__imp__MesIncrementalHandleReset@24 dd ? ; DATA	XREF: PiDqQuerySerializeActionQueue+C0r
; __declspec(dllimport)	__stdcall NdrMesTypeDecode2(x, x, x, x,	x)
__imp__NdrMesTypeDecode2@20 dd ?	; DATA XREF: PiDqIrpQueryCreate+E1r
					; PiSwIrpPropertySet+62r ...
; __declspec(dllimport)	__stdcall NdrMesTypeEncode2(x, x, x, x,	x)
__imp__NdrMesTypeEncode2@20 dd ?	; DATA XREF: PiDqQuerySerializeActionQueue+133r
; RPC_STATUS __stdcall MesDecodeBufferHandleCreate(char	*pBuffer,unsigned __int32 BufferSize,handle_t *pHandle)
__imp__MesDecodeBufferHandleCreate@12 dd ? ; DATA XREF:	PiDqIrpQueryCreate+B4r
					; PiSwIrpPropertySet+39r ...
; __declspec(dllimport)	__stdcall RpcExceptionFilter(x)
__imp__RpcExceptionFilter@4 dd ?	; DATA XREF: sub_905F6C+Br
					; sub_9136C7+Br ...
_msrpc_NULL_THUNK_DATA dd 0
___guard_check_icall_fptr dd offset @SymCryptFatalIntercept@4 ;	DATA XREF: .text:00403990o
					; SymCryptFatalIntercept(x)
__IMPORT_DESCRIPTOR_ext_ms_win_ntos_processparameters_l1_1_0 db	0F8h ; 
		db  27h	; '
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0F4h	; 
		db  29h	; )
		db  30h	; 0
		db    0
		db  6Ch	; l
		db  22h	; "
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_ext_ms_win_ntos_tm_l1_1_0 db  14h
		db  28h	; (
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0C6h	; 
		db  31h	; 1
		db  30h	; 0
		db    0
		db  88h	; 
		db  22h	; "
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_HAL	db 0C4h	; 
		db  25h	; %
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0E6h	; 
		db  38h	; 8
		db  30h	; 0
		db    0
		db  38h	; 8
		db  20h
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_PSHED db 0F0h ; 
		db  26h	; &
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0D2h	; 
		db  3Ah	; :
		db  30h	; 0
		db    0
		db  64h	; d
		db  21h	; !
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_BOOTVID db	8Ch ; 
		db  25h	; %
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0A6h	; 
		db  3Bh	; ;
		db  30h	; 0
		db    0
		db    0
		db  20h
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_ext_ms_win_ntos_clipsp_l1_1_0 db 0ACh ; 
		db  27h	; '
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0C6h	; 
		db  3Bh	; ;
		db  30h	; 0
		db    0
		db  20h
		db  22h	; "
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_kdcom db  74h ; t
		db  29h	; )
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  36h	; 6
		db  3Ch	; <
		db  30h	; 0
		db    0
		db 0E8h	; 
		db  23h	; #
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_ext_ms_win_ntos_kcminitcfg_l1_1_0 db 0B4h ;	
		db  27h	; '
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  78h	; x
		db  3Ch	; <
		db  30h	; 0
		db    0
		db  28h	; (
		db  22h	; "
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_ext_ms_win_ntos_ksr_l1_1_3 db 0C8h ; 
		db  27h	; '
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0B4h	; 
		db  3Dh	; =
		db  30h	; 0
		db    0
		db  3Ch	; <
		db  22h	; "
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_ext_ms_win_ntos_ksecurity_l1_1_1 db	0C0h ; 
		db  27h	; '
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0F2h	; 
		db  3Dh	; =
		db  30h	; 0
		db    0
		db  34h	; 4
		db  22h	; "
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_ext_ms_win_ntos_werkernel_l1_1_1 db	 58h ; X
		db  29h	; )
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0BEh	; 
		db  3Eh	; >
		db  30h	; 0
		db    0
		db 0CCh	; 
		db  23h	; #
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_ext_ms_win_ntos_ucode_l1_1_0 db  48h ; H
		db  29h	; )
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  40h	; @
		db  3Fh	; ?
		db  30h	; 0
		db    0
		db 0BCh	; 
		db  23h	; #
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_ext_ms_win_ntos_stateseparation_l1_1_0 db	 4
		db  28h	; (
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0D4h	; 
		db  3Fh	; ?
		db  30h	; 0
		db    0
		db  78h	; x
		db  22h	; "
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_ext_ms_win_fs_clfs_l1_1_0 db  4Ch ;	L
		db  27h	; '
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  1Ch
		db  42h	; B
		db  30h	; 0
		db    0
		db 0C0h	; 
		db  21h	; !
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_CI db 0BCh ; 
		db  25h	; %
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Ah	; J
		db  42h	; B
		db  30h	; 0
		db    0
		db  30h	; 0
		db  20h
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_msrpc db  8Ch ; 
		db  29h	; )
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0FEh	; 
		db  42h	; B
		db  30h	; 0
		db    0
		db    0
		db  24h	; $
		db  30h	; 0
		db    0
__IMPORT_DESCRIPTOR_cng	db  44h	; D
		db  27h	; '
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  1Ah
		db  43h	; C
		db  30h	; 0
		db    0
		db 0B8h	; 
		db  21h	; !
		db  30h	; 0
		db    0
__NULL_IMPORT_DESCRIPTOR db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  60h	; `
		db  3Bh	; ;
		db  30h	; 0
		db    0
		db 0F0h	; 
		db  3Ah	; :
		db  30h	; 0
		db    0
		db    8
		db  3Bh	; ;
		db  30h	; 0
		db    0
		db  20h
		db  3Bh	; ;
		db  30h	; 0
		db    0
		db  2Ch	; ,
		db  3Bh	; ;
		db  30h	; 0
		db    0
		db  98h	; 
		db  3Bh	; ;
		db  30h	; 0
		db    0
		db  86h	; 
		db  3Bh	; ;
		db  30h	; 0
		db    0
		db  70h	; p
		db  3Bh	; ;
		db  30h	; 0
		db    0
		db 0DCh	; 
		db  3Ah	; :
		db  30h	; 0
		db    0
		db  4Ch	; L
		db  3Bh	; ;
		db  30h	; 0
		db    0
		db  3Eh	; >
		db  3Bh	; ;
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  3Ah	; :
		db  42h	; B
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0ECh	; 
		db  36h	; 6
		db  30h	; 0
		db    0
		db 0BEh	; 
		db  34h	; 4
		db  30h	; 0
		db    0
		db 0ACh	; 
		db  34h	; 4
		db  30h	; 0
		db    0
		db  94h	; 
		db  34h	; 4
		db  30h	; 0
		db    0
		db  7Ch	; |
		db  34h	; 4
		db  30h	; 0
		db    0
		db  66h	; f
		db  34h	; 4
		db  30h	; 0
		db    0
		db  48h	; H
		db  34h	; 4
		db  30h	; 0
		db    0
		db  2Ch	; ,
		db  34h	; 4
		db  30h	; 0
		db    0
		db  18h
		db  34h	; 4
		db  30h	; 0
		db    0
		db 0FEh	; 
		db  33h	; 3
		db  30h	; 0
		db    0
		db 0DAh	; 
		db  33h	; 3
		db  30h	; 0
		db    0
		db 0BCh	; 
		db  33h	; 3
		db  30h	; 0
		db    0
		db 0A0h	; 
		db  33h	; 3
		db  30h	; 0
		db    0
		db  82h	; 
		db  33h	; 3
		db  30h	; 0
		db    0
		db  66h	; f
		db  33h	; 3
		db  30h	; 0
		db    0
		db  4Ch	; L
		db  33h	; 3
		db  30h	; 0
		db    0
		db  2Ch	; ,
		db  33h	; 3
		db  30h	; 0
		db    0
		db  18h
		db  33h	; 3
		db  30h	; 0
		db    0
		db    0
		db  33h	; 3
		db  30h	; 0
		db    0
		db 0E2h	; 
		db  32h	; 2
		db  30h	; 0
		db    0
		db 0D4h	; 
		db  32h	; 2
		db  30h	; 0
		db    0
		db 0C6h	; 
		db  32h	; 2
		db  30h	; 0
		db    0
		db 0B2h	; 
		db  32h	; 2
		db  30h	; 0
		db    0
		db  9Eh	; 
		db  32h	; 2
		db  30h	; 0
		db    0
		db 0CCh	; 
		db  38h	; 8
		db  30h	; 0
		db    0
		db 0B0h	; 
		db  38h	; 8
		db  30h	; 0
		db    0
		db  94h	; 
		db  38h	; 8
		db  30h	; 0
		db    0
		db  86h	; 
		db  38h	; 8
		db  30h	; 0
		db    0
		db  78h	; x
		db  38h	; 8
		db  30h	; 0
		db    0
		db  68h	; h
		db  38h	; 8
		db  30h	; 0
		db    0
		db  54h	; T
		db  38h	; 8
		db  30h	; 0
		db    0
		db  44h	; D
		db  38h	; 8
		db  30h	; 0
		db    0
		db  2Eh	; .
		db  38h	; 8
		db  30h	; 0
		db    0
		db  16h
		db  38h	; 8
		db  30h	; 0
		db    0
		db 0FEh	; 
		db  37h	; 7
		db  30h	; 0
		db    0
		db 0E8h	; 
		db  37h	; 7
		db  30h	; 0
		db    0
		db 0CEh	; 
		db  37h	; 7
		db  30h	; 0
		db    0
		db 0B6h	; 
		db  37h	; 7
		db  30h	; 0
		db    0
		db  96h	; 
		db  37h	; 7
		db  30h	; 0
		db    0
		db  74h	; t
		db  37h	; 7
		db  30h	; 0
		db    0
		db  50h	; P
		db  37h	; 7
		db  30h	; 0
		db    0
		db  3Ah	; :
		db  37h	; 7
		db  30h	; 0
		db    0
		db  1Ch
		db  37h	; 7
		db  30h	; 0
		db    0
		db    8
		db  37h	; 7
		db  30h	; 0
		db    0
		db  8Eh	; 
		db  32h	; 2
		db  30h	; 0
		db    0
		db 0D2h	; 
		db  36h	; 6
		db  30h	; 0
		db    0
		db 0B6h	; 
		db  36h	; 6
		db  30h	; 0
		db    0
		db 0A0h	; 
		db  36h	; 6
		db  30h	; 0
		db    0
		db  82h	; 
		db  36h	; 6
		db  30h	; 0
		db    0
		db  6Ch	; l
		db  36h	; 6
		db  30h	; 0
		db    0
		db  52h	; R
		db  36h	; 6
		db  30h	; 0
		db    0
		db  3Ah	; :
		db  36h	; 6
		db  30h	; 0
		db    0
		db  20h
		db  36h	; 6
		db  30h	; 0
		db    0
		db  10h
		db  36h	; 6
		db  30h	; 0
		db    0
		db 0F4h	; 
		db  35h	; 5
		db  30h	; 0
		db    0
		db 0E4h	; 
		db  35h	; 5
		db  30h	; 0
		db    0
		db 0C8h	; 
		db  35h	; 5
		db  30h	; 0
		db    0
		db 0AAh	; 
		db  35h	; 5
		db  30h	; 0
		db    0
		db  92h	; 
		db  35h	; 5
		db  30h	; 0
		db    0
		db  70h	; p
		db  35h	; 5
		db  30h	; 0
		db    0
		db  56h	; V
		db  35h	; 5
		db  30h	; 0
		db    0
		db  3Ah	; :
		db  35h	; 5
		db  30h	; 0
		db    0
		db  20h
		db  35h	; 5
		db  30h	; 0
		db    0
		db  0Ch
		db  35h	; 5
		db  30h	; 0
		db    0
		db 0F8h	; 
		db  34h	; 4
		db  30h	; 0
		db    0
		db 0E4h	; 
		db  34h	; 4
		db  30h	; 0
		db    0
		db 0E4h	; 
		db  31h	; 1
		db  30h	; 0
		db    0
		db 0FCh	; 
		db  31h	; 1
		db  30h	; 0
		db    0
		db  18h
		db  32h	; 2
		db  30h	; 0
		db    0
		db  30h	; 0
		db  32h	; 2
		db  30h	; 0
		db    0
		db  4Ah	; J
		db  32h	; 2
		db  30h	; 0
		db    0
		db  64h	; d
		db  32h	; 2
		db  30h	; 0
		db    0
		db  7Ah	; z
		db  32h	; 2
		db  30h	; 0
		db    0
		db 0D2h	; 
		db  34h	; 4
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0EEh	; 
		db  38h	; 8
		db  30h	; 0
		db    0
		db    0
		db  39h	; 9
		db  30h	; 0
		db    0
		db  18h
		db  39h	; 9
		db  30h	; 0
		db    0
		db  30h	; 0
		db  39h	; 9
		db  30h	; 0
		db    0
		db  46h	; F
		db  39h	; 9
		db  30h	; 0
		db    0
		db  60h	; `
		db  39h	; 9
		db  30h	; 0
		db    0
		db  7Ch	; |
		db  39h	; 9
		db  30h	; 0
		db    0
		db  8Eh	; 
		db  39h	; 9
		db  30h	; 0
		db    0
		db 0A8h	; 
		db  39h	; 9
		db  30h	; 0
		db    0
		db 0C4h	; 
		db  39h	; 9
		db  30h	; 0
		db    0
		db 0DCh	; 
		db  39h	; 9
		db  30h	; 0
		db    0
		db 0F2h	; 
		db  39h	; 9
		db  30h	; 0
		db    0
		db  0Eh
		db  3Ah	; :
		db  30h	; 0
		db    0
		db  28h	; (
		db  3Ah	; :
		db  30h	; 0
		db    0
		db  42h	; B
		db  3Ah	; :
		db  30h	; 0
		db    0
		db  50h	; P
		db  3Ah	; :
		db  30h	; 0
		db    0
		db  6Ah	; j
		db  3Ah	; :
		db  30h	; 0
		db    0
		db  84h	; 
		db  3Ah	; :
		db  30h	; 0
		db    0
		db 0A4h	; 
		db  3Ah	; :
		db  30h	; 0
		db    0
		db 0B8h	; 
		db  3Ah	; :
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db  43h	; C
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Ch	; L
		db  40h	; @
		db  30h	; 0
		db    0
		db    0
		db  40h	; @
		db  30h	; 0
		db    0
		db  34h	; 4
		db  40h	; @
		db  30h	; 0
		db    0
		db    8
		db  42h	; B
		db  30h	; 0
		db    0
		db 0EEh	; 
		db  41h	; A
		db  30h	; 0
		db    0
		db 0D8h	; 
		db  41h	; A
		db  30h	; 0
		db    0
		db 0BCh	; 
		db  41h	; A
		db  30h	; 0
		db    0
		db 0AEh	; 
		db  41h	; A
		db  30h	; 0
		db    0
		db  9Ah	; 
		db  41h	; A
		db  30h	; 0
		db    0
		db  88h	; 
		db  41h	; A
		db  30h	; 0
		db    0
		db  76h	; v
		db  41h	; A
		db  30h	; 0
		db    0
		db  5Ch	; \
		db  41h	; A
		db  30h	; 0
		db    0
		db  40h	; @
		db  41h	; A
		db  30h	; 0
		db    0
		db  26h	; &
		db  41h	; A
		db  30h	; 0
		db    0
		db  0Eh
		db  41h	; A
		db  30h	; 0
		db    0
		db 0F6h	; 
		db  40h	; @
		db  30h	; 0
		db    0
		db 0DEh	; 
		db  40h	; @
		db  30h	; 0
		db    0
		db 0CAh	; 
		db  40h	; @
		db  30h	; 0
		db    0
		db 0BAh	; 
		db  40h	; @
		db  30h	; 0
		db    0
		db 0A4h	; 
		db  40h	; @
		db  30h	; 0
		db    0
		db  88h	; 
		db  40h	; @
		db  30h	; 0
		db    0
		db  66h	; f
		db  40h	; @
		db  30h	; 0
		db    0
		db  14h
		db  40h	; @
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0B2h	; 
		db  3Bh	; ;
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  5Ah	; Z
		db  3Ch	; <
		db  30h	; 0
		db    0
		db  40h	; @
		db  3Ch	; <
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0D4h	; 
		db  3Dh	; =
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Eh	; N
		db  3Dh	; =
		db  30h	; 0
		db    0
		db  6Ah	; j
		db  3Dh	; =
		db  30h	; 0
		db    0
		db  84h	; 
		db  3Dh	; =
		db  30h	; 0
		db    0
		db  9Ah	; 
		db  3Dh	; =
		db  30h	; 0
		db    0
		db 0FAh	; 
		db  3Ch	; <
		db  30h	; 0
		db    0
		db 0E0h	; 
		db  3Ch	; <
		db  30h	; 0
		db    0
		db 0CCh	; 
		db  3Ch	; <
		db  30h	; 0
		db    0
		db 0AEh	; 
		db  3Ch	; <
		db  30h	; 0
		db    0
		db  9Eh	; 
		db  3Ch	; <
		db  30h	; 0
		db    0
		db  18h
		db  3Dh	; =
		db  30h	; 0
		db    0
		db  2Eh	; .
		db  3Dh	; =
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0CEh	; 
		db  29h	; )
		db  30h	; 0
		db    0
		db 0ACh	; 
		db  29h	; )
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  62h	; b
		db  3Fh	; ?
		db  30h	; 0
		db    0
		db  88h	; 
		db  3Fh	; ?
		db  30h	; 0
		db    0
		db 0AEh	; 
		db  3Fh	; ?
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0BAh	; 
		db  2Ch	; ,
		db  30h	; 0
		db    0
		db  92h	; 
		db  2Ch	; ,
		db  30h	; 0
		db    0
		db  72h	; r
		db  2Ch	; ,
		db  30h	; 0
		db    0
		db  4Eh	; N
		db  2Ch	; ,
		db  30h	; 0
		db    0
		db  2Eh	; .
		db  2Ch	; ,
		db  30h	; 0
		db    0
		db  18h
		db  2Ch	; ,
		db  30h	; 0
		db    0
		db    0
		db  2Ch	; ,
		db  30h	; 0
		db    0
		db 0EAh	; 
		db  2Bh	; +
		db  30h	; 0
		db    0
		db 0D6h	; 
		db  2Bh	; +
		db  30h	; 0
		db    0
		db 0BCh	; 
		db  2Bh	; +
		db  30h	; 0
		db    0
		db 0A4h	; 
		db  2Bh	; +
		db  30h	; 0
		db    0
		db  88h	; 
		db  2Bh	; +
		db  30h	; 0
		db    0
		db  74h	; t
		db  2Bh	; +
		db  30h	; 0
		db    0
		db  5Ch	; \
		db  2Bh	; +
		db  30h	; 0
		db    0
		db  48h	; H
		db  2Bh	; +
		db  30h	; 0
		db    0
		db  24h	; $
		db  2Bh	; +
		db  30h	; 0
		db    0
		db  0Ch
		db  2Bh	; +
		db  30h	; 0
		db    0
		db 0ECh	; 
		db  2Ah	; *
		db  30h	; 0
		db    0
		db 0CEh	; 
		db  2Ah	; *
		db  30h	; 0
		db    0
		db 0B8h	; 
		db  2Ah	; *
		db  30h	; 0
		db    0
		db  9Eh	; 
		db  2Ah	; *
		db  30h	; 0
		db    0
		db  88h	; 
		db  2Ah	; *
		db  30h	; 0
		db    0
		db  72h	; r
		db  2Ah	; *
		db  30h	; 0
		db    0
		db  5Ch	; \
		db  2Ah	; *
		db  30h	; 0
		db    0
		db  48h	; H
		db  2Ah	; *
		db  30h	; 0
		db    0
		db  38h	; 8
		db  2Ah	; *
		db  30h	; 0
		db    0
		db  50h	; P
		db  2Dh	; -
		db  30h	; 0
		db    0
		db  68h	; h
		db  2Dh	; -
		db  30h	; 0
		db    0
		db 0B2h	; 
		db  31h	; 1
		db  30h	; 0
		db    0
		db 0D2h	; 
		db  2Ch	; ,
		db  30h	; 0
		db    0
		db 0E8h	; 
		db  2Ch	; ,
		db  30h	; 0
		db    0
		db  8Ah	; 
		db  31h	; 1
		db  30h	; 0
		db    0
		db  6Ch	; l
		db  31h	; 1
		db  30h	; 0
		db    0
		db  4Ah	; J
		db  31h	; 1
		db  30h	; 0
		db    0
		db  86h	; 
		db  2Dh	; -
		db  30h	; 0
		db    0
		db 0A8h	; 
		db  2Dh	; -
		db  30h	; 0
		db    0
		db 0C6h	; 
		db  2Dh	; -
		db  30h	; 0
		db    0
		db 0DCh	; 
		db  2Dh	; -
		db  30h	; 0
		db    0
		db 0FAh	; 
		db  2Dh	; -
		db  30h	; 0
		db    0
		db  0Eh
		db  2Eh	; .
		db  30h	; 0
		db    0
		db  24h	; $
		db  2Eh	; .
		db  30h	; 0
		db    0
		db  3Ah	; :
		db  2Eh	; .
		db  30h	; 0
		db    0
		db  50h	; P
		db  2Eh	; .
		db  30h	; 0
		db    0
		db  68h	; h
		db  2Eh	; .
		db  30h	; 0
		db    0
		db  86h	; 
		db  2Eh	; .
		db  30h	; 0
		db    0
		db  9Ah	; 
		db  2Eh	; .
		db  30h	; 0
		db    0
		db 0B4h	; 
		db  2Eh	; .
		db  30h	; 0
		db    0
		db 0CCh	; 
		db  2Eh	; .
		db  30h	; 0
		db    0
		db 0E2h	; 
		db  2Eh	; .
		db  30h	; 0
		db    0
		db    4
		db  2Fh	; /
		db  30h	; 0
		db    0
		db  20h
		db  2Fh	; /
		db  30h	; 0
		db    0
		db  24h	; $
		db  31h	; 1
		db  30h	; 0
		db    0
		db  0Eh
		db  31h	; 1
		db  30h	; 0
		db    0
		db 0F8h	; 
		db  30h	; 0
		db  30h	; 0
		db    0
		db 0E2h	; 
		db  30h	; 0
		db  30h	; 0
		db    0
		db 0C8h	; 
		db  30h	; 0
		db  30h	; 0
		db    0
		db 0B0h	; 
		db  30h	; 0
		db  30h	; 0
		db    0
		db  98h	; 
		db  30h	; 0
		db  30h	; 0
		db    0
		db  82h	; 
		db  30h	; 0
		db  30h	; 0
		db    0
		db  64h	; d
		db  30h	; 0
		db  30h	; 0
		db    0
		db  46h	; F
		db  30h	; 0
		db  30h	; 0
		db    0
		db  2Ah	; *
		db  30h	; 0
		db  30h	; 0
		db    0
		db    4
		db  2Dh	; -
		db  30h	; 0
		db    0
		db  22h	; "
		db  2Dh	; -
		db  30h	; 0
		db    0
		db  22h	; "
		db  2Ah	; *
		db  30h	; 0
		db    0
		db  38h	; 8
		db  2Dh	; -
		db  30h	; 0
		db    0
		db  38h	; 8
		db  2Fh	; /
		db  30h	; 0
		db    0
		db  50h	; P
		db  2Fh	; /
		db  30h	; 0
		db    0
		db  6Ah	; j
		db  2Fh	; /
		db  30h	; 0
		db    0
		db  7Eh	; ~
		db  2Fh	; /
		db  30h	; 0
		db    0
		db  94h	; 
		db  2Fh	; /
		db  30h	; 0
		db    0
		db 0ACh	; 
		db  2Fh	; /
		db  30h	; 0
		db    0
		db 0C2h	; 
		db  2Fh	; /
		db  30h	; 0
		db    0
		db 0DAh	; 
		db  2Fh	; /
		db  30h	; 0
		db    0
		db 0F0h	; 
		db  2Fh	; /
		db  30h	; 0
		db    0
		db  0Ch
		db  30h	; 0
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db  3Fh	; ?
		db  30h	; 0
		db    0
		db 0E4h	; 
		db  3Eh	; >
		db  30h	; 0
		db    0
		db  22h	; "
		db  3Fh	; ?
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0A4h	; 
		db  3Eh	; >
		db  30h	; 0
		db    0
		db  88h	; 
		db  3Eh	; >
		db  30h	; 0
		db    0
		db  6Ch	; l
		db  3Eh	; >
		db  30h	; 0
		db    0
		db  50h	; P
		db  3Eh	; >
		db  30h	; 0
		db    0
		db  34h	; 4
		db  3Eh	; >
		db  30h	; 0
		db    0
		db  18h
		db  3Eh	; >
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  1Ah
		db  3Ch	; <
		db  30h	; 0
		db    0
		db  24h	; $
		db  3Ch	; <
		db  30h	; 0
		db    0
		db 0E8h	; 
		db  3Bh	; ;
		db  30h	; 0
		db    0
		db 0F8h	; 
		db  3Bh	; ;
		db  30h	; 0
		db    0
		db    8
		db  3Ch	; <
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  86h	; 
		db  42h	; B
		db  30h	; 0
		db    0
		db  96h	; 
		db  42h	; B
		db  30h	; 0
		db    0
		db 0BAh	; 
		db  42h	; B
		db  30h	; 0
		db    0
		db 0D6h	; 
		db  42h	; B
		db  30h	; 0
		db    0
		db 0EAh	; 
		db  42h	; B
		db  30h	; 0
		db    0
		db  52h	; R
		db  42h	; B
		db  30h	; 0
		db    0
		db  70h	; p
		db  42h	; B
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db  50h	; P
		db  73h	; s
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  50h	; P
		db  61h	; a
		db  72h	; r
		db  61h	; a
		db  6Dh	; m
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  4Fh	; O
		db  76h	; v
		db  65h	; e
		db  72h	; r
		db  72h	; r
		db  69h	; i
		db  64h	; d
		db  65h	; e
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db  50h	; P
		db  73h	; s
		db  44h	; D
		db  65h	; e
		db  73h	; s
		db  74h	; t
		db  72h	; r
		db  6Fh	; o
		db  79h	; y
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  50h	; P
		db  61h	; a
		db  72h	; r
		db  61h	; a
		db  6Dh	; m
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  4Fh	; O
		db  76h	; v
		db  65h	; e
		db  72h	; r
		db  72h	; r
		db  69h	; i
		db  64h	; d
		db  65h	; e
		db  73h	; s
		db    0
		db    0
		db  65h	; e
		db  78h	; x
		db  74h	; t
		db  2Dh	; -
		db  6Dh	; m
		db  73h	; s
		db  2Dh	; -
		db  77h	; w
		db  69h	; i
		db  6Eh	; n
		db  2Dh	; -
		db  6Eh	; n
		db  74h	; t
		db  6Fh	; o
		db  73h	; s
		db  2Dh	; -
		db  70h	; p
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  70h	; p
		db  61h	; a
		db  72h	; r
		db  61h	; a
		db  6Dh	; m
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  73h	; s
		db  2Dh	; -
		db  6Ch	; l
		db  31h	; 1
		db  2Dh	; -
		db  31h	; 1
		db  2Dh	; -
		db  30h	; 0
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db    0
		db  34h	; 4
		db    0
		db  54h	; T
		db  6Dh	; m
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  53h	; S
		db  79h	; y
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  6Dh	; m
		db  50h	; P
		db  68h	; h
		db  61h	; a
		db  73h	; s
		db  65h	; e
		db  32h	; 2
		db    0
		db    0
		db  33h	; 3
		db    0
		db  54h	; T
		db  6Dh	; m
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  53h	; S
		db  79h	; y
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  6Dh	; m
		db    0
		db    0
		db    0
		db    0
		db  4Eh	; N
		db  74h	; t
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  6Dh	; m
		db  69h	; i
		db  74h	; t
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  70h	; p
		db  6Ch	; l
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db    0
		db    0
		db    1
		db    0
		db  4Eh	; N
		db  74h	; t
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  6Dh	; m
		db  69h	; i
		db  74h	; t
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db    2
		db    0
		db  4Eh	; N
		db  74h	; t
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  6Dh	; m
		db  69h	; i
		db  74h	; t
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db    3
		db    0
		db  4Eh	; N
		db  74h	; t
		db  43h	; C
		db  72h	; r
		db  65h	; e
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db    4
		db    0
		db  4Eh	; N
		db  74h	; t
		db  43h	; C
		db  72h	; r
		db  65h	; e
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  52h	; R
		db  65h	; e
		db  73h	; s
		db  6Fh	; o
		db  75h	; u
		db  72h	; r
		db  63h	; c
		db  65h	; e
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db    5
		db    0
		db  4Eh	; N
		db  74h	; t
		db  43h	; C
		db  72h	; r
		db  65h	; e
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db    6
		db    0
		db  4Eh	; N
		db  74h	; t
		db  43h	; C
		db  72h	; r
		db  65h	; e
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db    7
		db    0
		db  4Eh	; N
		db  74h	; t
		db  45h	; E
		db  6Eh	; n
		db  75h	; u
		db  6Dh	; m
		db  65h	; e
		db  72h	; r
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  4Fh	; O
		db  62h	; b
		db  6Ah	; j
		db  65h	; e
		db  63h	; c
		db  74h	; t
		db    0
		db    0
		db    8
		db    0
		db  4Eh	; N
		db  74h	; t
		db  46h	; F
		db  72h	; r
		db  65h	; e
		db  65h	; e
		db  7Ah	; z
		db  65h	; e
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  73h	; s
		db    0
		db    0
		db    9
		db    0
		db  4Eh	; N
		db  74h	; t
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  4Eh	; N
		db  6Fh	; o
		db  74h	; t
		db  69h	; i
		db  66h	; f
		db  69h	; i
		db  63h	; c
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  52h	; R
		db  65h	; e
		db  73h	; s
		db  6Fh	; o
		db  75h	; u
		db  72h	; r
		db  63h	; c
		db  65h	; e
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  0Ah
		db    0
		db  4Eh	; N
		db  74h	; t
		db  4Fh	; O
		db  70h	; p
		db  65h	; e
		db  6Eh	; n
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db  0Bh
		db    0
		db  4Eh	; N
		db  74h	; t
		db  4Fh	; O
		db  70h	; p
		db  65h	; e
		db  6Eh	; n
		db  52h	; R
		db  65h	; e
		db  73h	; s
		db  6Fh	; o
		db  75h	; u
		db  72h	; r
		db  63h	; c
		db  65h	; e
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db  0Ch
		db    0
		db  4Eh	; N
		db  74h	; t
		db  4Fh	; O
		db  70h	; p
		db  65h	; e
		db  6Eh	; n
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db  0Dh
		db    0
		db  4Eh	; N
		db  74h	; t
		db  4Fh	; O
		db  70h	; p
		db  65h	; e
		db  6Eh	; n
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  0Eh
		db    0
		db  4Eh	; N
		db  74h	; t
		db  50h	; P
		db  72h	; r
		db  65h	; e
		db  50h	; P
		db  72h	; r
		db  65h	; e
		db  70h	; p
		db  61h	; a
		db  72h	; r
		db  65h	; e
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  70h	; p
		db  6Ch	; l
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db    0
		db    0
		db  0Fh
		db    0
		db  4Eh	; N
		db  74h	; t
		db  50h	; P
		db  72h	; r
		db  65h	; e
		db  50h	; P
		db  72h	; r
		db  65h	; e
		db  70h	; p
		db  61h	; a
		db  72h	; r
		db  65h	; e
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db  10h
		db    0
		db  4Eh	; N
		db  74h	; t
		db  50h	; P
		db  72h	; r
		db  65h	; e
		db  70h	; p
		db  61h	; a
		db  72h	; r
		db  65h	; e
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  70h	; p
		db  6Ch	; l
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db    0
		db  11h
		db    0
		db  4Eh	; N
		db  74h	; t
		db  50h	; P
		db  72h	; r
		db  65h	; e
		db  70h	; p
		db  61h	; a
		db  72h	; r
		db  65h	; e
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db  12h
		db    0
		db  4Eh	; N
		db  74h	; t
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  70h	; p
		db  61h	; a
		db  67h	; g
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  70h	; p
		db  6Ch	; l
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db    0
		db  13h
		db    0
		db  4Eh	; N
		db  74h	; t
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  70h	; p
		db  61h	; a
		db  67h	; g
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  46h	; F
		db  61h	; a
		db  69h	; i
		db  6Ch	; l
		db  65h	; e
		db  64h	; d
		db    0
		db  14h
		db    0
		db  4Eh	; N
		db  74h	; t
		db  51h	; Q
		db  75h	; u
		db  65h	; e
		db  72h	; r
		db  79h	; y
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db  15h
		db    0
		db  4Eh	; N
		db  74h	; t
		db  51h	; Q
		db  75h	; u
		db  65h	; e
		db  72h	; r
		db  79h	; y
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  52h	; R
		db  65h	; e
		db  73h	; s
		db  6Fh	; o
		db  75h	; u
		db  72h	; r
		db  63h	; c
		db  65h	; e
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db  16h
		db    0
		db  4Eh	; N
		db  74h	; t
		db  51h	; Q
		db  75h	; u
		db  65h	; e
		db  72h	; r
		db  79h	; y
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db  17h
		db    0
		db  4Eh	; N
		db  74h	; t
		db  51h	; Q
		db  75h	; u
		db  65h	; e
		db  72h	; r
		db  79h	; y
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  18h
		db    0
		db  4Eh	; N
		db  74h	; t
		db  52h	; R
		db  65h	; e
		db  61h	; a
		db  64h	; d
		db  4Fh	; O
		db  6Eh	; n
		db  6Ch	; l
		db  79h	; y
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db  19h
		db    0
		db  4Eh	; N
		db  74h	; t
		db  52h	; R
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  76h	; v
		db  65h	; e
		db  72h	; r
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db  1Ah
		db    0
		db  4Eh	; N
		db  74h	; t
		db  52h	; R
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  76h	; v
		db  65h	; e
		db  72h	; r
		db  52h	; R
		db  65h	; e
		db  73h	; s
		db  6Fh	; o
		db  75h	; u
		db  72h	; r
		db  63h	; c
		db  65h	; e
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  1Bh
		db    0
		db  4Eh	; N
		db  74h	; t
		db  52h	; R
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  76h	; v
		db  65h	; e
		db  72h	; r
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db  1Eh
		db    0
		db  4Eh	; N
		db  74h	; t
		db  52h	; R
		db  6Fh	; o
		db  6Ch	; l
		db  6Ch	; l
		db  62h	; b
		db  61h	; a
		db  63h	; c
		db  6Bh	; k
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  70h	; p
		db  6Ch	; l
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db    0
		db    0
		db  1Fh
		db    0
		db  4Eh	; N
		db  74h	; t
		db  52h	; R
		db  6Fh	; o
		db  6Ch	; l
		db  6Ch	; l
		db  62h	; b
		db  61h	; a
		db  63h	; c
		db  6Bh	; k
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db  20h
		db    0
		db  4Eh	; N
		db  74h	; t
		db  52h	; R
		db  6Fh	; o
		db  6Ch	; l
		db  6Ch	; l
		db  62h	; b
		db  61h	; a
		db  63h	; c
		db  6Bh	; k
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db  22h	; "
		db    0
		db  4Eh	; N
		db  74h	; t
		db  53h	; S
		db  65h	; e
		db  74h	; t
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db  23h	; #
		db    0
		db  4Eh	; N
		db  74h	; t
		db  53h	; S
		db  65h	; e
		db  74h	; t
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  52h	; R
		db  65h	; e
		db  73h	; s
		db  6Fh	; o
		db  75h	; u
		db  72h	; r
		db  63h	; c
		db  65h	; e
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db  24h	; $
		db    0
		db  4Eh	; N
		db  74h	; t
		db  53h	; S
		db  65h	; e
		db  74h	; t
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db  27h	; '
		db    0
		db  4Eh	; N
		db  74h	; t
		db  54h	; T
		db  68h	; h
		db  61h	; a
		db  77h	; w
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  73h	; s
		db    0
		db    0
		db  28h	; (
		db    0
		db  54h	; T
		db  6Dh	; m
		db  43h	; C
		db  61h	; a
		db  6Eh	; n
		db  63h	; c
		db  65h	; e
		db  6Ch	; l
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  70h	; p
		db  61h	; a
		db  67h	; g
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  52h	; R
		db  65h	; e
		db  71h	; q
		db  75h	; u
		db  65h	; e
		db  73h	; s
		db  74h	; t
		db    0
		db    0
		db  29h	; )
		db    0
		db  54h	; T
		db  6Dh	; m
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  6Dh	; m
		db  69h	; i
		db  74h	; t
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  70h	; p
		db  6Ch	; l
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db    0
		db    0
		db  2Ah	; *
		db    0
		db  54h	; T
		db  6Dh	; m
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  6Dh	; m
		db  69h	; i
		db  74h	; t
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db  2Bh	; +
		db    0
		db  54h	; T
		db  6Dh	; m
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  6Dh	; m
		db  69h	; i
		db  74h	; t
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db  2Ch	; ,
		db    0
		db  54h	; T
		db  6Dh	; m
		db  43h	; C
		db  72h	; r
		db  65h	; e
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db  2Dh	; -
		db    0
		db  54h	; T
		db  6Dh	; m
		db  43h	; C
		db  75h	; u
		db  72h	; r
		db  72h	; r
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db    0
		db  2Eh	; .
		db    0
		db  54h	; T
		db  6Dh	; m
		db  44h	; D
		db  65h	; e
		db  72h	; r
		db  65h	; e
		db  66h	; f
		db  65h	; e
		db  72h	; r
		db  65h	; e
		db  6Eh	; n
		db  63h	; c
		db  65h	; e
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db  4Bh	; K
		db  65h	; e
		db  79h	; y
		db    0
		db    0
		db  2Fh	; /
		db    0
		db  54h	; T
		db  6Dh	; m
		db  45h	; E
		db  6Eh	; n
		db  61h	; a
		db  62h	; b
		db  6Ch	; l
		db  65h	; e
		db  43h	; C
		db  61h	; a
		db  6Ch	; l
		db  6Ch	; l
		db  62h	; b
		db  61h	; a
		db  63h	; c
		db  6Bh	; k
		db  73h	; s
		db    0
		db  30h	; 0
		db    0
		db  54h	; T
		db  6Dh	; m
		db  45h	; E
		db  6Eh	; n
		db  64h	; d
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  70h	; p
		db  61h	; a
		db  67h	; g
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  52h	; R
		db  65h	; e
		db  71h	; q
		db  75h	; u
		db  65h	; e
		db  73h	; s
		db  74h	; t
		db    0
		db  31h	; 1
		db    0
		db  54h	; T
		db  6Dh	; m
		db  46h	; F
		db  72h	; r
		db  65h	; e
		db  65h	; e
		db  7Ah	; z
		db  65h	; e
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  73h	; s
		db    0
		db    0
		db  32h	; 2
		db    0
		db  54h	; T
		db  6Dh	; m
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  49h	; I
		db  64h	; d
		db    0
		db    0
		db  35h	; 5
		db    0
		db  54h	; T
		db  6Dh	; m
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  69h	; i
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  7Ah	; z
		db  65h	; e
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  36h	; 6
		db    0
		db  54h	; T
		db  6Dh	; m
		db  49h	; I
		db  73h	; s
		db  4Bh	; K
		db  54h	; T
		db  4Dh	; M
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  6Dh	; m
		db  69h	; i
		db  74h	; t
		db  43h	; C
		db  6Fh	; o
		db  6Fh	; o
		db  72h	; r
		db  64h	; d
		db  69h	; i
		db  6Eh	; n
		db  61h	; a
		db  74h	; t
		db  6Fh	; o
		db  72h	; r
		db    0
		db    0
		db  37h	; 7
		db    0
		db  54h	; T
		db  6Dh	; m
		db  49h	; I
		db  73h	; s
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  41h	; A
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  76h	; v
		db  65h	; e
		db    0
		db  38h	; 8
		db    0
		db  54h	; T
		db  6Dh	; m
		db  50h	; P
		db  72h	; r
		db  65h	; e
		db  50h	; P
		db  72h	; r
		db  65h	; e
		db  70h	; p
		db  61h	; a
		db  72h	; r
		db  65h	; e
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  70h	; p
		db  6Ch	; l
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db    0
		db    0
		db  39h	; 9
		db    0
		db  54h	; T
		db  6Dh	; m
		db  50h	; P
		db  72h	; r
		db  65h	; e
		db  50h	; P
		db  72h	; r
		db  65h	; e
		db  70h	; p
		db  61h	; a
		db  72h	; r
		db  65h	; e
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db  3Ah	; :
		db    0
		db  54h	; T
		db  6Dh	; m
		db  50h	; P
		db  72h	; r
		db  65h	; e
		db  70h	; p
		db  61h	; a
		db  72h	; r
		db  65h	; e
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  70h	; p
		db  6Ch	; l
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db    0
		db  3Bh	; ;
		db    0
		db  54h	; T
		db  6Dh	; m
		db  50h	; P
		db  72h	; r
		db  65h	; e
		db  70h	; p
		db  61h	; a
		db  72h	; r
		db  65h	; e
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db  3Ch	; <
		db    0
		db  54h	; T
		db  6Dh	; m
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  70h	; p
		db  61h	; a
		db  67h	; g
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  70h	; p
		db  6Ch	; l
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db    0
		db  3Dh	; =
		db    0
		db  54h	; T
		db  6Dh	; m
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  70h	; p
		db  61h	; a
		db  67h	; g
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  46h	; F
		db  61h	; a
		db  69h	; i
		db  6Ch	; l
		db  65h	; e
		db  64h	; d
		db    0
		db  3Eh	; >
		db    0
		db  54h	; T
		db  6Dh	; m
		db  52h	; R
		db  65h	; e
		db  61h	; a
		db  64h	; d
		db  4Fh	; O
		db  6Eh	; n
		db  6Ch	; l
		db  79h	; y
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db  3Fh	; ?
		db    0
		db  54h	; T
		db  6Dh	; m
		db  52h	; R
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  76h	; v
		db  65h	; e
		db  72h	; r
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db  40h	; @
		db    0
		db  54h	; T
		db  6Dh	; m
		db  52h	; R
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  76h	; v
		db  65h	; e
		db  72h	; r
		db  52h	; R
		db  65h	; e
		db  73h	; s
		db  6Fh	; o
		db  75h	; u
		db  72h	; r
		db  63h	; c
		db  65h	; e
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  41h	; A
		db    0
		db  54h	; T
		db  6Dh	; m
		db  52h	; R
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  76h	; v
		db  65h	; e
		db  72h	; r
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db  42h	; B
		db    0
		db  54h	; T
		db  6Dh	; m
		db  52h	; R
		db  65h	; e
		db  66h	; f
		db  65h	; e
		db  72h	; r
		db  65h	; e
		db  6Eh	; n
		db  63h	; c
		db  65h	; e
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db  4Bh	; K
		db  65h	; e
		db  79h	; y
		db    0
		db    0
		db  43h	; C
		db    0
		db  54h	; T
		db  6Dh	; m
		db  52h	; R
		db  65h	; e
		db  6Eh	; n
		db  61h	; a
		db  6Dh	; m
		db  65h	; e
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  44h	; D
		db    0
		db  54h	; T
		db  6Dh	; m
		db  52h	; R
		db  65h	; e
		db  71h	; q
		db  75h	; u
		db  65h	; e
		db  73h	; s
		db  74h	; t
		db  4Fh	; O
		db  75h	; u
		db  74h	; t
		db  63h	; c
		db  6Fh	; o
		db  6Dh	; m
		db  65h	; e
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db  45h	; E
		db    0
		db  54h	; T
		db  6Dh	; m
		db  52h	; R
		db  6Fh	; o
		db  6Ch	; l
		db  6Ch	; l
		db  62h	; b
		db  61h	; a
		db  63h	; c
		db  6Bh	; k
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  70h	; p
		db  6Ch	; l
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db    0
		db    0
		db  46h	; F
		db    0
		db  54h	; T
		db  6Dh	; m
		db  52h	; R
		db  6Fh	; o
		db  6Ch	; l
		db  6Ch	; l
		db  62h	; b
		db  61h	; a
		db  63h	; c
		db  6Bh	; k
		db  45h	; E
		db  6Eh	; n
		db  6Ch	; l
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db  47h	; G
		db    0
		db  54h	; T
		db  6Dh	; m
		db  52h	; R
		db  6Fh	; o
		db  6Ch	; l
		db  6Ch	; l
		db  62h	; b
		db  61h	; a
		db  63h	; c
		db  6Bh	; k
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db  48h	; H
		db    0
		db  54h	; T
		db  6Dh	; m
		db  53h	; S
		db  65h	; e
		db  74h	; t
		db  43h	; C
		db  75h	; u
		db  72h	; r
		db  72h	; r
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db  4Ah	; J
		db    0
		db  54h	; T
		db  6Dh	; m
		db  53h	; S
		db  69h	; i
		db  6Eh	; n
		db  67h	; g
		db  6Ch	; l
		db  65h	; e
		db  50h	; P
		db  68h	; h
		db  61h	; a
		db  73h	; s
		db  65h	; e
		db  52h	; R
		db  65h	; e
		db  6Ah	; j
		db  65h	; e
		db  63h	; c
		db  74h	; t
		db    0
		db  4Bh	; K
		db    0
		db  54h	; T
		db  6Dh	; m
		db  54h	; T
		db  68h	; h
		db  61h	; a
		db  77h	; w
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  73h	; s
		db    0
		db    0
		db  26h	; &
		db    0
		db  4Eh	; N
		db  74h	; t
		db  53h	; S
		db  69h	; i
		db  6Eh	; n
		db  67h	; g
		db  6Ch	; l
		db  65h	; e
		db  50h	; P
		db  68h	; h
		db  61h	; a
		db  73h	; s
		db  65h	; e
		db  52h	; R
		db  65h	; e
		db  6Ah	; j
		db  65h	; e
		db  63h	; c
		db  74h	; t
		db    0
		db  25h	; %
		db    0
		db  4Eh	; N
		db  74h	; t
		db  53h	; S
		db  65h	; e
		db  74h	; t
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  21h	; !
		db    0
		db  4Eh	; N
		db  74h	; t
		db  52h	; R
		db  6Fh	; o
		db  6Ch	; l
		db  6Ch	; l
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  77h	; w
		db  61h	; a
		db  72h	; r
		db  64h	; d
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db  1Dh
		db    0
		db  4Eh	; N
		db  74h	; t
		db  52h	; R
		db  65h	; e
		db  6Eh	; n
		db  61h	; a
		db  6Dh	; m
		db  65h	; e
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  61h	; a
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  1Ch
		db    0
		db  4Eh	; N
		db  74h	; t
		db  52h	; R
		db  65h	; e
		db  67h	; g
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  74h	; t
		db  6Fh	; o
		db  63h	; c
		db  6Fh	; o
		db  6Ch	; l
		db  41h	; A
		db  64h	; d
		db  64h	; d
		db  72h	; r
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db    0
		db  49h	; I
		db    0
		db  54h	; T
		db  6Dh	; m
		db  53h	; S
		db  68h	; h
		db  75h	; u
		db  74h	; t
		db  64h	; d
		db  6Fh	; o
		db  77h	; w
		db  6Eh	; n
		db  53h	; S
		db  79h	; y
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  6Dh	; m
		db    0
		db    0
		db  65h	; e
		db  78h	; x
		db  74h	; t
		db  2Dh	; -
		db  6Dh	; m
		db  73h	; s
		db  2Dh	; -
		db  77h	; w
		db  69h	; i
		db  6Eh	; n
		db  2Dh	; -
		db  6Eh	; n
		db  74h	; t
		db  6Fh	; o
		db  73h	; s
		db  2Dh	; -
		db  74h	; t
		db  6Dh	; m
		db  2Dh	; -
		db  6Ch	; l
		db  31h	; 1
		db  2Dh	; -
		db  31h	; 1
		db  2Dh	; -
		db  30h	; 0
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db  5Fh	; _
		db    0
		db  4Bh	; K
		db  65h	; e
		db  52h	; R
		db  61h	; a
		db  69h	; i
		db  73h	; s
		db  65h	; e
		db  49h	; I
		db  72h	; r
		db  71h	; q
		db  6Ch	; l
		db  54h	; T
		db  6Fh	; o
		db  44h	; D
		db  70h	; p
		db  63h	; c
		db  4Ch	; L
		db  65h	; e
		db  76h	; v
		db  65h	; e
		db  6Ch	; l
		db    0
		db  5Dh	; ]
		db    0
		db  4Bh	; K
		db  65h	; e
		db  51h	; Q
		db  75h	; u
		db  65h	; e
		db  72h	; r
		db  79h	; y
		db  50h	; P
		db  65h	; e
		db  72h	; r
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  6Eh	; n
		db  63h	; c
		db  65h	; e
		db  43h	; C
		db  6Fh	; o
		db  75h	; u
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db    0
		db  31h	; 1
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  51h	; Q
		db  75h	; u
		db  65h	; e
		db  72h	; r
		db  79h	; y
		db  52h	; R
		db  65h	; e
		db  61h	; a
		db  6Ch	; l
		db  54h	; T
		db  69h	; i
		db  6Dh	; m
		db  65h	; e
		db  43h	; C
		db  6Ch	; l
		db  6Fh	; o
		db  63h	; c
		db  6Bh	; k
		db    0
		db    6
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  41h	; A
		db  6Ch	; l
		db  6Ch	; l
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  6Fh	; o
		db  72h	; r
		db  73h	; s
		db  53h	; S
		db  74h	; t
		db  61h	; a
		db  72h	; r
		db  74h	; t
		db  65h	; e
		db  64h	; d
		db    0
		db  35h	; 5
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  52h	; R
		db  65h	; e
		db  70h	; p
		db  6Fh	; o
		db  72h	; r
		db  74h	; t
		db  52h	; R
		db  65h	; e
		db  73h	; s
		db  6Fh	; o
		db  75h	; u
		db  72h	; r
		db  63h	; c
		db  65h	; e
		db  55h	; U
		db  73h	; s
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db    0
		db    0
		db  42h	; B
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  53h	; S
		db  65h	; e
		db  74h	; t
		db  52h	; R
		db  65h	; e
		db  61h	; a
		db  6Ch	; l
		db  54h	; T
		db  69h	; i
		db  6Dh	; m
		db  65h	; e
		db  43h	; C
		db  6Ch	; l
		db  6Fh	; o
		db  63h	; c
		db  6Bh	; k
		db    0
		db  29h	; )
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  69h	; i
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  7Ah	; z
		db  65h	; e
		db  42h	; B
		db  69h	; i
		db  6Fh	; o
		db  73h	; s
		db    0
		db  28h	; (
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  53h	; S
		db  79h	; y
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  6Dh	; m
		db    0
		db  5Bh	; [
		db    0
		db  4Bh	; K
		db  65h	; e
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  43h	; C
		db  75h	; u
		db  72h	; r
		db  72h	; r
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db  49h	; I
		db  72h	; r
		db  71h	; q
		db  6Ch	; l
		db    0
		db    0
		db    3
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  41h	; A
		db  63h	; c
		db  70h	; p
		db  69h	; i
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  54h	; T
		db  61h	; a
		db  62h	; b
		db  6Ch	; l
		db  65h	; e
		db  45h	; E
		db  78h	; x
		db    0
		db  69h	; i
		db    0
		db  4Bh	; K
		db  66h	; f
		db  52h	; R
		db  61h	; a
		db  69h	; i
		db  73h	; s
		db  65h	; e
		db  49h	; I
		db  72h	; r
		db  71h	; q
		db  6Ch	; l
		db    0
		db  68h	; h
		db    0
		db  4Bh	; K
		db  66h	; f
		db  4Ch	; L
		db  6Fh	; o
		db  77h	; w
		db  65h	; e
		db  72h	; r
		db  49h	; I
		db  72h	; r
		db  71h	; q
		db  6Ch	; l
		db    0
		db  34h	; 4
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  52h	; R
		db  65h	; e
		db  67h	; g
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  45h	; E
		db  72h	; r
		db  72h	; r
		db  61h	; a
		db  74h	; t
		db  61h	; a
		db  43h	; C
		db  61h	; a
		db  6Ch	; l
		db  6Ch	; l
		db  62h	; b
		db  61h	; a
		db  63h	; c
		db  6Bh	; k
		db  73h	; s
		db    0
		db    0
		db  22h	; "
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  49h	; I
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  72h	; r
		db  75h	; u
		db  70h	; p
		db  74h	; t
		db  56h	; V
		db  65h	; e
		db  63h	; c
		db  74h	; t
		db  6Fh	; o
		db  72h	; r
		db    0
		db  53h	; S
		db    0
		db  4Bh	; K
		db  64h	; d
		db  48h	; H
		db  76h	; v
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  50h	; P
		db  6Fh	; o
		db  72h	; r
		db  74h	; t
		db  49h	; I
		db  6Eh	; n
		db  55h	; U
		db  73h	; s
		db  65h	; e
		db    0
		db    0
		db  30h	; 0
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  51h	; Q
		db  75h	; u
		db  65h	; e
		db  72h	; r
		db  79h	; y
		db  4Dh	; M
		db  61h	; a
		db  78h	; x
		db  69h	; i
		db  6Dh	; m
		db  75h	; u
		db  6Dh	; m
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  6Fh	; o
		db  72h	; r
		db  43h	; C
		db  6Fh	; o
		db  75h	; u
		db  6Eh	; n
		db  74h	; t
		db    0
		db  18h
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  45h	; E
		db  6Eh	; n
		db  75h	; u
		db  6Dh	; m
		db  65h	; e
		db  72h	; r
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  6Fh	; o
		db  72h	; r
		db  73h	; s
		db    0
		db    0
		db  64h	; d
		db    0
		db  4Bh	; K
		db  65h	; e
		db  53h	; S
		db  74h	; t
		db  61h	; a
		db  6Ch	; l
		db  6Ch	; l
		db  45h	; E
		db  78h	; x
		db  65h	; e
		db  63h	; c
		db  75h	; u
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  6Fh	; o
		db  72h	; r
		db    0
		db  40h	; @
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  53h	; S
		db  65h	; e
		db  74h	; t
		db  45h	; E
		db  6Eh	; n
		db  76h	; v
		db  69h	; i
		db  72h	; r
		db  6Fh	; o
		db  6Eh	; n
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db  56h	; V
		db  61h	; a
		db  72h	; r
		db  69h	; i
		db  61h	; a
		db  62h	; b
		db  6Ch	; l
		db  65h	; e
		db  45h	; E
		db  78h	; x
		db    0
		db    7
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  41h	; A
		db  6Ch	; l
		db  6Ch	; l
		db  6Fh	; o
		db  63h	; c
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  41h	; A
		db  64h	; d
		db  61h	; a
		db  70h	; p
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  43h	; C
		db  68h	; h
		db  61h	; a
		db  6Eh	; n
		db  6Eh	; n
		db  65h	; e
		db  6Ch	; l
		db    0
		db  20h
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  45h	; E
		db  6Eh	; n
		db  76h	; v
		db  69h	; i
		db  72h	; r
		db  6Fh	; o
		db  6Eh	; n
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db  56h	; V
		db  61h	; a
		db  72h	; r
		db  69h	; i
		db  61h	; a
		db  62h	; b
		db  6Ch	; l
		db  65h	; e
		db  45h	; E
		db  78h	; x
		db    0
		db  2Fh	; /
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  51h	; Q
		db  75h	; u
		db  65h	; e
		db  72h	; r
		db  79h	; y
		db  45h	; E
		db  6Eh	; n
		db  76h	; v
		db  69h	; i
		db  72h	; r
		db  6Fh	; o
		db  6Eh	; n
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db  56h	; V
		db  61h	; a
		db  72h	; r
		db  69h	; i
		db  61h	; a
		db  62h	; b
		db  6Ch	; l
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  45h	; E
		db  78h	; x
		db    0
		db  48h	; H
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  6Ch	; l
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  42h	; B
		db  75h	; u
		db  73h	; s
		db  41h	; A
		db  64h	; d
		db  64h	; d
		db  72h	; r
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db    0
		db    0
		db  26h	; &
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  56h	; V
		db  65h	; e
		db  63h	; c
		db  74h	; t
		db  6Fh	; o
		db  72h	; r
		db  49h	; I
		db  6Eh	; n
		db  70h	; p
		db  75h	; u
		db  74h	; t
		db    0
		db  24h	; $
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  4Dh	; M
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  52h	; R
		db  6Fh	; o
		db  75h	; u
		db  74h	; t
		db  69h	; i
		db  6Eh	; n
		db  67h	; g
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db    0
		db    0
		db  25h	; %
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  6Fh	; o
		db  72h	; r
		db  49h	; I
		db  64h	; d
		db  42h	; B
		db  79h	; y
		db  4Eh	; N
		db  74h	; t
		db  4Eh	; N
		db  75h	; u
		db  6Dh	; m
		db  62h	; b
		db  65h	; e
		db  72h	; r
		db    0
		db  3Ah	; :
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  52h	; R
		db  65h	; e
		db  74h	; t
		db  75h	; u
		db  72h	; r
		db  6Eh	; n
		db  54h	; T
		db  6Fh	; o
		db  46h	; F
		db  69h	; i
		db  72h	; r
		db  6Dh	; m
		db  77h	; w
		db  61h	; a
		db  72h	; r
		db  65h	; e
		db    0
		db  1Eh
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  42h	; B
		db  75h	; u
		db  73h	; s
		db  44h	; D
		db  61h	; a
		db  74h	; t
		db  61h	; a
		db  42h	; B
		db  79h	; y
		db  4Fh	; O
		db  66h	; f
		db  66h	; f
		db  73h	; s
		db  65h	; e
		db  74h	; t
		db    0
		db  3Dh	; =
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  53h	; S
		db  65h	; e
		db  74h	; t
		db  42h	; B
		db  75h	; u
		db  73h	; s
		db  44h	; D
		db  61h	; a
		db  74h	; t
		db  61h	; a
		db  42h	; B
		db  79h	; y
		db  4Fh	; O
		db  66h	; f
		db  66h	; f
		db  73h	; s
		db  65h	; e
		db  74h	; t
		db    0
		db  6Eh	; n
		db    0
		db  52h	; R
		db  45h	; E
		db  41h	; A
		db  44h	; D
		db  5Fh	; _
		db  50h	; P
		db  4Fh	; O
		db  52h	; R
		db  54h	; T
		db  5Fh	; _
		db  55h	; U
		db  43h	; C
		db  48h	; H
		db  41h	; A
		db  52h	; R
		db    0
		db  70h	; p
		db    0
		db  52h	; R
		db  45h	; E
		db  41h	; A
		db  44h	; D
		db  5Fh	; _
		db  50h	; P
		db  4Fh	; O
		db  52h	; R
		db  54h	; T
		db  5Fh	; _
		db  55h	; U
		db  53h	; S
		db  48h	; H
		db  4Fh	; O
		db  52h	; R
		db  54h	; T
		db    0
		db    0
		db  6Fh	; o
		db    0
		db  52h	; R
		db  45h	; E
		db  41h	; A
		db  44h	; D
		db  5Fh	; _
		db  50h	; P
		db  4Fh	; O
		db  52h	; R
		db  54h	; T
		db  5Fh	; _
		db  55h	; U
		db  4Ch	; L
		db  4Fh	; O
		db  4Eh	; N
		db  47h	; G
		db    0
		db  74h	; t
		db    0
		db  57h	; W
		db  52h	; R
		db  49h	; I
		db  54h	; T
		db  45h	; E
		db  5Fh	; _
		db  50h	; P
		db  4Fh	; O
		db  52h	; R
		db  54h	; T
		db  5Fh	; _
		db  55h	; U
		db  43h	; C
		db  48h	; H
		db  41h	; A
		db  52h	; R
		db    0
		db    0
		db  76h	; v
		db    0
		db  57h	; W
		db  52h	; R
		db  49h	; I
		db  54h	; T
		db  45h	; E
		db  5Fh	; _
		db  50h	; P
		db  4Fh	; O
		db  52h	; R
		db  54h	; T
		db  5Fh	; _
		db  55h	; U
		db  53h	; S
		db  48h	; H
		db  4Fh	; O
		db  52h	; R
		db  54h	; T
		db    0
		db  75h	; u
		db    0
		db  57h	; W
		db  52h	; R
		db  49h	; I
		db  54h	; T
		db  45h	; E
		db  5Fh	; _
		db  50h	; P
		db  4Fh	; O
		db  52h	; R
		db  54h	; T
		db  5Fh	; _
		db  55h	; U
		db  4Ch	; L
		db  4Fh	; O
		db  4Eh	; N
		db  47h	; G
		db    0
		db    0
		db  2Bh	; +
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  69h	; i
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  7Ah	; z
		db  65h	; e
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  6Fh	; o
		db  72h	; r
		db    0
		db    0
		db  36h	; 6
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  52h	; R
		db  65h	; e
		db  71h	; q
		db  75h	; u
		db  65h	; e
		db  73h	; s
		db  74h	; t
		db  43h	; C
		db  6Ch	; l
		db  6Fh	; o
		db  63h	; c
		db  6Bh	; k
		db  49h	; I
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  72h	; r
		db  75h	; u
		db  70h	; p
		db  74h	; t
		db    0
		db    0
		db  60h	; `
		db    0
		db  4Bh	; K
		db  65h	; e
		db  52h	; R
		db  61h	; a
		db  69h	; i
		db  73h	; s
		db  65h	; e
		db  49h	; I
		db  72h	; r
		db  71h	; q
		db  6Ch	; l
		db  54h	; T
		db  6Fh	; o
		db  53h	; S
		db  79h	; y
		db  6Eh	; n
		db  63h	; c
		db  68h	; h
		db  4Ch	; L
		db  65h	; e
		db  76h	; v
		db  65h	; e
		db  6Ch	; l
		db    0
		db  0Eh
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  43h	; C
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  62h	; b
		db  72h	; r
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  50h	; P
		db  65h	; e
		db  72h	; r
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  6Eh	; n
		db  63h	; c
		db  65h	; e
		db  43h	; C
		db  6Fh	; o
		db  75h	; u
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  44h	; D
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  53h	; S
		db  74h	; t
		db  61h	; a
		db  72h	; r
		db  74h	; t
		db  4Eh	; N
		db  65h	; e
		db  78h	; x
		db  74h	; t
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  6Fh	; o
		db  72h	; r
		db    0
		db  33h	; 3
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  52h	; R
		db  65h	; e
		db  67h	; g
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  44h	; D
		db  79h	; y
		db  6Eh	; n
		db  61h	; a
		db  6Dh	; m
		db  69h	; i
		db  63h	; c
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  6Fh	; o
		db  72h	; r
		db    0
		db  43h	; C
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  53h	; S
		db  74h	; t
		db  61h	; a
		db  72h	; r
		db  74h	; t
		db  44h	; D
		db  79h	; y
		db  6Eh	; n
		db  61h	; a
		db  6Dh	; m
		db  69h	; i
		db  63h	; c
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  6Fh	; o
		db  72h	; r
		db    0
		db    0
		db  37h	; 7
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  52h	; R
		db  65h	; e
		db  71h	; q
		db  75h	; u
		db  65h	; e
		db  73h	; s
		db  74h	; t
		db  49h	; I
		db  70h	; p
		db  69h	; i
		db    0
		db  3Bh	; ;
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  53h	; S
		db  65h	; e
		db  6Eh	; n
		db  64h	; d
		db  53h	; S
		db  6Fh	; o
		db  66h	; f
		db  74h	; t
		db  77h	; w
		db  61h	; a
		db  72h	; r
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  72h	; r
		db  75h	; u
		db  70h	; p
		db  74h	; t
		db    0
		db    0
		db  27h	; '
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  48h	; H
		db  61h	; a
		db  6Eh	; n
		db  64h	; d
		db  6Ch	; l
		db  65h	; e
		db  4Eh	; N
		db  4Dh	; M
		db  49h	; I
		db    0
		db    0
		db  0Ch
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  42h	; B
		db  65h	; e
		db  67h	; g
		db  69h	; i
		db  6Eh	; n
		db  53h	; S
		db  79h	; y
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  6Dh	; m
		db  49h	; I
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  72h	; r
		db  75h	; u
		db  70h	; p
		db  74h	; t
		db    0
		db  16h
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  45h	; E
		db  6Eh	; n
		db  64h	; d
		db  53h	; S
		db  79h	; y
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  6Dh	; m
		db  49h	; I
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  72h	; r
		db  75h	; u
		db  70h	; p
		db  74h	; t
		db    0
		db  4Ah	; J
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  70h	; p
		db  4Dh	; M
		db  63h	; c
		db  61h	; a
		db  45h	; E
		db  78h	; x
		db  63h	; c
		db  65h	; e
		db  70h	; p
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  48h	; H
		db  61h	; a
		db  6Eh	; n
		db  64h	; d
		db  6Ch	; l
		db  65h	; e
		db  72h	; r
		db    0
		db  11h
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  44h	; D
		db  69h	; i
		db  73h	; s
		db  61h	; a
		db  62h	; b
		db  6Ch	; l
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  72h	; r
		db  75h	; u
		db  70h	; p
		db  74h	; t
		db    0
		db  39h	; 9
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  52h	; R
		db  65h	; e
		db  71h	; q
		db  75h	; u
		db  65h	; e
		db  73h	; s
		db  74h	; t
		db  53h	; S
		db  6Fh	; o
		db  66h	; f
		db  74h	; t
		db  77h	; w
		db  61h	; a
		db  72h	; r
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  72h	; r
		db  75h	; u
		db  70h	; p
		db  74h	; t
		db    0
		db  15h
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  45h	; E
		db  6Eh	; n
		db  61h	; a
		db  62h	; b
		db  6Ch	; l
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  72h	; r
		db  75h	; u
		db  70h	; p
		db  74h	; t
		db    0
		db    0
		db  45h	; E
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  53h	; S
		db  74h	; t
		db  61h	; a
		db  72h	; r
		db  74h	; t
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  66h	; f
		db  69h	; i
		db  6Ch	; l
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  72h	; r
		db  75h	; u
		db  70h	; p
		db  74h	; t
		db    0
		db    0
		db  46h	; F
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  53h	; S
		db  74h	; t
		db  6Fh	; o
		db  70h	; p
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  66h	; f
		db  69h	; i
		db  6Ch	; l
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  72h	; r
		db  75h	; u
		db  70h	; p
		db  74h	; t
		db    0
		db  0Fh
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  43h	; C
		db  6Ch	; l
		db  65h	; e
		db  61h	; a
		db  72h	; r
		db  53h	; S
		db  6Fh	; o
		db  66h	; f
		db  74h	; t
		db  77h	; w
		db  61h	; a
		db  72h	; r
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  72h	; r
		db  75h	; u
		db  70h	; p
		db  74h	; t
		db    0
		db  2Dh	; -
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  50h	; P
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db  6Fh	; o
		db  72h	; r
		db  49h	; I
		db  64h	; d
		db  6Ch	; l
		db  65h	; e
		db    0
		db    0
		db  38h	; 8
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  52h	; R
		db  65h	; e
		db  71h	; q
		db  75h	; u
		db  65h	; e
		db  73h	; s
		db  74h	; t
		db  49h	; I
		db  70h	; p
		db  69h	; i
		db  53h	; S
		db  70h	; p
		db  65h	; e
		db  63h	; c
		db  69h	; i
		db  66h	; f
		db  79h	; y
		db  56h	; V
		db  65h	; e
		db  63h	; c
		db  74h	; t
		db  6Fh	; o
		db  72h	; r
		db    0
		db    0
		db  5Ah	; Z
		db    0
		db  4Bh	; K
		db  65h	; e
		db  46h	; F
		db  6Ch	; l
		db  75h	; u
		db  73h	; s
		db  68h	; h
		db  57h	; W
		db  72h	; r
		db  69h	; i
		db  74h	; t
		db  65h	; e
		db  42h	; B
		db  75h	; u
		db  66h	; f
		db  66h	; f
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  21h	; !
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  49h	; I
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  72h	; r
		db  75h	; u
		db  70h	; p
		db  74h	; t
		db  54h	; T
		db  61h	; a
		db  72h	; r
		db  67h	; g
		db  65h	; e
		db  74h	; t
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db    0
		db  23h	; #
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  4Dh	; M
		db  65h	; e
		db  6Dh	; m
		db  6Fh	; o
		db  72h	; r
		db  79h	; y
		db  43h	; C
		db  61h	; a
		db  63h	; c
		db  68h	; h
		db  69h	; i
		db  6Eh	; n
		db  67h	; g
		db  52h	; R
		db  65h	; e
		db  71h	; q
		db  75h	; u
		db  69h	; i
		db  72h	; r
		db  65h	; e
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db  73h	; s
		db    0
		db    9
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  41h	; A
		db  6Ch	; l
		db  6Ch	; l
		db  6Fh	; o
		db  63h	; c
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  43h	; C
		db  72h	; r
		db  61h	; a
		db  73h	; s
		db  68h	; h
		db  44h	; D
		db  75h	; u
		db  6Dh	; m
		db  70h	; p
		db  52h	; R
		db  65h	; e
		db  67h	; g
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  73h	; s
		db    0
		db  2Ah	; *
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  69h	; i
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  7Ah	; z
		db  65h	; e
		db  4Fh	; O
		db  6Eh	; n
		db  52h	; R
		db  65h	; e
		db  73h	; s
		db  75h	; u
		db  6Dh	; m
		db  65h	; e
		db    0
		db    8
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  41h	; A
		db  6Ch	; l
		db  6Ch	; l
		db  6Fh	; o
		db  63h	; c
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  6Dh	; m
		db  6Fh	; o
		db  6Eh	; n
		db  42h	; B
		db  75h	; u
		db  66h	; f
		db  66h	; f
		db  65h	; e
		db  72h	; r
		db    0
		db  1Ah
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  46h	; F
		db  72h	; r
		db  65h	; e
		db  65h	; e
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  6Dh	; m
		db  6Fh	; o
		db  6Eh	; n
		db  42h	; B
		db  75h	; u
		db  66h	; f
		db  66h	; f
		db  65h	; e
		db  72h	; r
		db    0
		db  4Bh	; K
		db    0
		db  49h	; I
		db  6Fh	; o
		db  46h	; F
		db  6Ch	; l
		db  75h	; u
		db  73h	; s
		db  68h	; h
		db  41h	; A
		db  64h	; d
		db  61h	; a
		db  70h	; p
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  42h	; B
		db  75h	; u
		db  66h	; f
		db  66h	; f
		db  65h	; e
		db  72h	; r
		db  73h	; s
		db    0
		db  4Ch	; L
		db    0
		db  49h	; I
		db  6Fh	; o
		db  46h	; F
		db  72h	; r
		db  65h	; e
		db  65h	; e
		db  41h	; A
		db  64h	; d
		db  61h	; a
		db  70h	; p
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  43h	; C
		db  68h	; h
		db  61h	; a
		db  6Eh	; n
		db  6Eh	; n
		db  65h	; e
		db  6Ch	; l
		db    0
		db    0
		db  4Dh	; M
		db    0
		db  49h	; I
		db  6Fh	; o
		db  46h	; F
		db  72h	; r
		db  65h	; e
		db  65h	; e
		db  4Dh	; M
		db  61h	; a
		db  70h	; p
		db  52h	; R
		db  65h	; e
		db  67h	; g
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  73h	; s
		db    0
		db    0
		db  4Eh	; N
		db    0
		db  49h	; I
		db  6Fh	; o
		db  4Dh	; M
		db  61h	; a
		db  70h	; p
		db  54h	; T
		db  72h	; r
		db  61h	; a
		db  6Eh	; n
		db  73h	; s
		db  66h	; f
		db  65h	; e
		db  72h	; r
		db    0
		db  32h	; 2
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  52h	; R
		db  65h	; e
		db  61h	; a
		db  64h	; d
		db  44h	; D
		db  6Dh	; m
		db  61h	; a
		db  43h	; C
		db  6Fh	; o
		db  75h	; u
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db    0
		db  1Ch
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  41h	; A
		db  64h	; d
		db  61h	; a
		db  70h	; p
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db    0
		db  5Eh	; ^
		db    0
		db  4Bh	; K
		db  65h	; e
		db  52h	; R
		db  61h	; a
		db  69h	; i
		db  73h	; s
		db  65h	; e
		db  49h	; I
		db  72h	; r
		db  71h	; q
		db  6Ch	; l
		db    0
		db  5Ch	; \
		db    0
		db  4Bh	; K
		db  65h	; e
		db  4Ch	; L
		db  6Fh	; o
		db  77h	; w
		db  65h	; e
		db  72h	; r
		db  49h	; I
		db  72h	; r
		db  71h	; q
		db  6Ch	; l
		db    0
		db  1Fh
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  45h	; E
		db  6Eh	; n
		db  76h	; v
		db  69h	; i
		db  72h	; r
		db  6Fh	; o
		db  6Eh	; n
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db  56h	; V
		db  61h	; a
		db  72h	; r
		db  69h	; i
		db  61h	; a
		db  62h	; b
		db  6Ch	; l
		db  65h	; e
		db    0
		db  3Fh	; ?
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  53h	; S
		db  65h	; e
		db  74h	; t
		db  45h	; E
		db  6Eh	; n
		db  76h	; v
		db  69h	; i
		db  72h	; r
		db  6Fh	; o
		db  6Eh	; n
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db  56h	; V
		db  61h	; a
		db  72h	; r
		db  69h	; i
		db  61h	; a
		db  62h	; b
		db  6Ch	; l
		db  65h	; e
		db    0
		db  49h	; I
		db    0
		db  48h	; H
		db  61h	; a
		db  6Ch	; l
		db  57h	; W
		db  68h	; h
		db  65h	; e
		db  61h	; a
		db  55h	; U
		db  70h	; p
		db  64h	; d
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  43h	; C
		db  6Dh	; m
		db  63h	; c
		db  69h	; i
		db  50h	; P
		db  6Fh	; o
		db  6Ch	; l
		db  69h	; i
		db  63h	; c
		db  79h	; y
		db    0
		db  48h	; H
		db  41h	; A
		db  4Ch	; L
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db    9
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  46h	; F
		db  72h	; r
		db  65h	; e
		db  65h	; e
		db  4Dh	; M
		db  65h	; e
		db  6Dh	; m
		db  6Fh	; o
		db  72h	; r
		db  79h	; y
		db    0
		db  16h
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  52h	; R
		db  65h	; e
		db  61h	; a
		db  64h	; d
		db  45h	; E
		db  72h	; r
		db  72h	; r
		db  6Fh	; o
		db  72h	; r
		db  52h	; R
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  72h	; r
		db  64h	; d
		db    0
		db    0
		db    4
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  43h	; C
		db  6Ch	; l
		db  65h	; e
		db  61h	; a
		db  72h	; r
		db  45h	; E
		db  72h	; r
		db  72h	; r
		db  6Fh	; o
		db  72h	; r
		db  52h	; R
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  72h	; r
		db  64h	; d
		db    0
		db    0
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  41h	; A
		db  6Ch	; l
		db  6Ch	; l
		db  6Fh	; o
		db  63h	; c
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  4Dh	; M
		db  65h	; e
		db  6Dh	; m
		db  6Fh	; o
		db  72h	; r
		db  79h	; y
		db    0
		db  0Bh
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  42h	; B
		db  6Fh	; o
		db  6Fh	; o
		db  74h	; t
		db  45h	; E
		db  72h	; r
		db  72h	; r
		db  6Fh	; o
		db  72h	; r
		db  50h	; P
		db  61h	; a
		db  63h	; c
		db  6Bh	; k
		db  65h	; e
		db  74h	; t
		db    0
		db  14h
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  49h	; I
		db  73h	; s
		db  53h	; S
		db  79h	; y
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  6Dh	; m
		db  57h	; W
		db  68h	; h
		db  65h	; e
		db  61h	; a
		db  45h	; E
		db  6Eh	; n
		db  61h	; a
		db  62h	; b
		db  6Ch	; l
		db  65h	; e
		db  64h	; d
		db    0
		db    0
		db  12h
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  69h	; i
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  7Ah	; z
		db  65h	; e
		db    0
		db  0Ah
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  41h	; A
		db  6Ch	; l
		db  6Ch	; l
		db  45h	; E
		db  72h	; r
		db  72h	; r
		db  6Fh	; o
		db  72h	; r
		db  53h	; S
		db  6Fh	; o
		db  75h	; u
		db  72h	; r
		db  63h	; c
		db  65h	; e
		db  73h	; s
		db    0
		db    2
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  41h	; A
		db  74h	; t
		db  74h	; t
		db  65h	; e
		db  6Dh	; m
		db  70h	; p
		db  74h	; t
		db  45h	; E
		db  72h	; r
		db  72h	; r
		db  6Fh	; o
		db  72h	; r
		db  52h	; R
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  76h	; v
		db  65h	; e
		db  72h	; r
		db  79h	; y
		db    0
		db  1Dh
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  57h	; W
		db  72h	; r
		db  69h	; i
		db  74h	; t
		db  65h	; e
		db  45h	; E
		db  72h	; r
		db  72h	; r
		db  6Fh	; o
		db  72h	; r
		db  52h	; R
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  72h	; r
		db  64h	; d
		db    0
		db    3
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  42h	; B
		db  75h	; u
		db  67h	; g
		db  43h	; C
		db  68h	; h
		db  65h	; e
		db  63h	; c
		db  6Bh	; k
		db  53h	; S
		db  79h	; y
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  6Dh	; m
		db    0
		db    8
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  46h	; F
		db  69h	; i
		db  6Eh	; n
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  7Ah	; z
		db  65h	; e
		db  45h	; E
		db  72h	; r
		db  72h	; r
		db  6Fh	; o
		db  72h	; r
		db  52h	; R
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  72h	; r
		db  64h	; d
		db    0
		db    0
		db  18h
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  52h	; R
		db  65h	; e
		db  74h	; t
		db  72h	; r
		db  69h	; i
		db  65h	; e
		db  76h	; v
		db  65h	; e
		db  45h	; E
		db  72h	; r
		db  72h	; r
		db  6Fh	; o
		db  72h	; r
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db    0
		db    0
		db    1
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  41h	; A
		db  72h	; r
		db  65h	; e
		db  50h	; P
		db  6Ch	; l
		db  75h	; u
		db  67h	; g
		db  69h	; i
		db  6Eh	; n
		db  73h	; s
		db  50h	; P
		db  72h	; r
		db  65h	; e
		db  73h	; s
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db    0
		db    6
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  44h	; D
		db  6Fh	; o
		db  50h	; P
		db  66h	; f
		db  61h	; a
		db    0
		db    0
		db    7
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  45h	; E
		db  6Eh	; n
		db  61h	; a
		db  62h	; b
		db  6Ch	; l
		db  65h	; e
		db  45h	; E
		db  72h	; r
		db  72h	; r
		db  6Fh	; o
		db  72h	; r
		db  53h	; S
		db  6Fh	; o
		db  75h	; u
		db  72h	; r
		db  63h	; c
		db  65h	; e
		db    0
		db    0
		db    5
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  44h	; D
		db  69h	; i
		db  73h	; s
		db  61h	; a
		db  62h	; b
		db  6Ch	; l
		db  65h	; e
		db  45h	; E
		db  72h	; r
		db  72h	; r
		db  6Fh	; o
		db  72h	; r
		db  53h	; S
		db  6Fh	; o
		db  75h	; u
		db  72h	; r
		db  63h	; c
		db  65h	; e
		db    0
		db  0Eh
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  49h	; I
		db  6Eh	; n
		db  6Ah	; j
		db  65h	; e
		db  63h	; c
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  43h	; C
		db  61h	; a
		db  70h	; p
		db  61h	; a
		db  62h	; b
		db  69h	; i
		db  6Ch	; l
		db  69h	; i
		db  74h	; t
		db  69h	; i
		db  65h	; e
		db  73h	; s
		db    0
		db  13h
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  49h	; I
		db  6Eh	; n
		db  6Ah	; j
		db  65h	; e
		db  63h	; c
		db  74h	; t
		db  45h	; E
		db  72h	; r
		db  72h	; r
		db  6Fh	; o
		db  72h	; r
		db    0
		db    0
		db  19h
		db    0
		db  50h	; P
		db  73h	; s
		db  68h	; h
		db  65h	; e
		db  64h	; d
		db  53h	; S
		db  65h	; e
		db  74h	; t
		db  45h	; E
		db  72h	; r
		db  72h	; r
		db  6Fh	; o
		db  72h	; r
		db  53h	; S
		db  6Fh	; o
		db  75h	; u
		db  72h	; r
		db  63h	; c
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db    0
		db  50h	; P
		db  53h	; S
		db  48h	; H
		db  45h	; E
		db  44h	; D
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db  0Bh
		db    0
		db  56h	; V
		db  69h	; i
		db  64h	; d
		db  53h	; S
		db  6Fh	; o
		db  6Ch	; l
		db  69h	; i
		db  64h	; d
		db  43h	; C
		db  6Fh	; o
		db  6Ch	; l
		db  6Fh	; o
		db  72h	; r
		db  46h	; F
		db  69h	; i
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db    2
		db    0
		db  56h	; V
		db  69h	; i
		db  64h	; d
		db  42h	; B
		db  75h	; u
		db  66h	; f
		db  66h	; f
		db  65h	; e
		db  72h	; r
		db  54h	; T
		db  6Fh	; o
		db  53h	; S
		db  63h	; c
		db  72h	; r
		db  65h	; e
		db  65h	; e
		db  6Eh	; n
		db  42h	; B
		db  6Ch	; l
		db  74h	; t
		db    0
		db    0
		db    8
		db    0
		db  56h	; V
		db  69h	; i
		db  64h	; d
		db  53h	; S
		db  63h	; c
		db  72h	; r
		db  65h	; e
		db  65h	; e
		db  6Eh	; n
		db  54h	; T
		db  6Fh	; o
		db  42h	; B
		db  75h	; u
		db  66h	; f
		db  66h	; f
		db  65h	; e
		db  72h	; r
		db  42h	; B
		db  6Ch	; l
		db  74h	; t
		db    0
		db    0
		db    0
		db    0
		db  56h	; V
		db  69h	; i
		db  64h	; d
		db  42h	; B
		db  69h	; i
		db  74h	; t
		db  42h	; B
		db  6Ch	; l
		db  74h	; t
		db    0
		db    7
		db    0
		db  56h	; V
		db  69h	; i
		db  64h	; d
		db  52h	; R
		db  65h	; e
		db  73h	; s
		db  65h	; e
		db  74h	; t
		db  44h	; D
		db  69h	; i
		db  73h	; s
		db  70h	; p
		db  6Ch	; l
		db  61h	; a
		db  79h	; y
		db    0
		db    1
		db    0
		db  56h	; V
		db  69h	; i
		db  64h	; d
		db  42h	; B
		db  69h	; i
		db  74h	; t
		db  42h	; B
		db  6Ch	; l
		db  74h	; t
		db  45h	; E
		db  78h	; x
		db    0
		db    4
		db    0
		db  56h	; V
		db  69h	; i
		db  64h	; d
		db  44h	; D
		db  69h	; i
		db  73h	; s
		db  70h	; p
		db  6Ch	; l
		db  61h	; a
		db  79h	; y
		db  53h	; S
		db  74h	; t
		db  72h	; r
		db  69h	; i
		db  6Eh	; n
		db  67h	; g
		db    0
		db    0
		db    6
		db    0
		db  56h	; V
		db  69h	; i
		db  64h	; d
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  69h	; i
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  7Ah	; z
		db  65h	; e
		db    0
		db    9
		db    0
		db  56h	; V
		db  69h	; i
		db  64h	; d
		db  53h	; S
		db  65h	; e
		db  74h	; t
		db  53h	; S
		db  63h	; c
		db  72h	; r
		db  6Fh	; o
		db  6Ch	; l
		db  6Ch	; l
		db  52h	; R
		db  65h	; e
		db  67h	; g
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db    0
		db  0Ah
		db    0
		db  56h	; V
		db  69h	; i
		db  64h	; d
		db  53h	; S
		db  65h	; e
		db  74h	; t
		db  54h	; T
		db  65h	; e
		db  78h	; x
		db  74h	; t
		db  43h	; C
		db  6Fh	; o
		db  6Ch	; l
		db  6Fh	; o
		db  72h	; r
		db    0
		db    3
		db    0
		db  56h	; V
		db  69h	; i
		db  64h	; d
		db  43h	; C
		db  6Ch	; l
		db  65h	; e
		db  61h	; a
		db  6Eh	; n
		db  55h	; U
		db  70h	; p
		db    0
		db    0
		db  42h	; B
		db  4Fh	; O
		db  4Fh	; O
		db  54h	; T
		db  56h	; V
		db  49h	; I
		db  44h	; D
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db    0
		db    0
		db  43h	; C
		db  6Ch	; l
		db  69h	; i
		db  70h	; p
		db  53h	; S
		db  70h	; p
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  69h	; i
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  7Ah	; z
		db  65h	; e
		db    0
		db    0
		db  65h	; e
		db  78h	; x
		db  74h	; t
		db  2Dh	; -
		db  6Dh	; m
		db  73h	; s
		db  2Dh	; -
		db  77h	; w
		db  69h	; i
		db  6Eh	; n
		db  2Dh	; -
		db  6Eh	; n
		db  74h	; t
		db  6Fh	; o
		db  73h	; s
		db  2Dh	; -
		db  63h	; c
		db  6Ch	; l
		db  69h	; i
		db  70h	; p
		db  73h	; s
		db  70h	; p
		db  2Dh	; -
		db  6Ch	; l
		db  31h	; 1
		db  2Dh	; -
		db  31h	; 1
		db  2Dh	; -
		db  30h	; 0
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db    0
		db    0
		db  4Bh	; K
		db  64h	; d
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  69h	; i
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  7Ah	; z
		db  65h	; e
		db    0
		db    0
		db    3
		db    0
		db  4Bh	; K
		db  64h	; d
		db  53h	; S
		db  65h	; e
		db  6Eh	; n
		db  64h	; d
		db  50h	; P
		db  61h	; a
		db  63h	; c
		db  6Bh	; k
		db  65h	; e
		db  74h	; t
		db    0
		db    0
		db    2
		db    0
		db  4Bh	; K
		db  64h	; d
		db  52h	; R
		db  65h	; e
		db  63h	; c
		db  65h	; e
		db  69h	; i
		db  76h	; v
		db  65h	; e
		db  50h	; P
		db  61h	; a
		db  63h	; c
		db  6Bh	; k
		db  65h	; e
		db  74h	; t
		db    0
		db    1
		db    0
		db  4Bh	; K
		db  64h	; d
		db  50h	; P
		db  6Fh	; o
		db  77h	; w
		db  65h	; e
		db  72h	; r
		db    0
		db    4
		db    0
		db  4Bh	; K
		db  64h	; d
		db  53h	; S
		db  65h	; e
		db  74h	; t
		db  48h	; H
		db  69h	; i
		db  62h	; b
		db  65h	; e
		db  72h	; r
		db  52h	; R
		db  61h	; a
		db  6Eh	; n
		db  67h	; g
		db  65h	; e
		db    0
		db  6Bh	; k
		db  64h	; d
		db  63h	; c
		db  6Fh	; o
		db  6Dh	; m
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db    1
		db    0
		db  43h	; C
		db  6Dh	; m
		db  53h	; S
		db  65h	; e
		db  74h	; t
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  4Dh	; M
		db  61h	; a
		db  63h	; c
		db  68h	; h
		db  69h	; i
		db  6Eh	; n
		db  65h	; e
		db  43h	; C
		db  6Fh	; o
		db  6Eh	; n
		db  66h	; f
		db  69h	; i
		db  67h	; g
		db    0
		db    0
		db    0
		db    0
		db  43h	; C
		db  6Dh	; m
		db  43h	; C
		db  6Fh	; o
		db  6Dh	; m
		db  70h	; p
		db  6Ch	; l
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  4Dh	; M
		db  61h	; a
		db  63h	; c
		db  68h	; h
		db  69h	; i
		db  6Eh	; n
		db  65h	; e
		db  43h	; C
		db  6Fh	; o
		db  6Eh	; n
		db  66h	; f
		db  69h	; i
		db  67h	; g
		db    0
		db  65h	; e
		db  78h	; x
		db  74h	; t
		db  2Dh	; -
		db  6Dh	; m
		db  73h	; s
		db  2Dh	; -
		db  77h	; w
		db  69h	; i
		db  6Eh	; n
		db  2Dh	; -
		db  6Eh	; n
		db  74h	; t
		db  6Fh	; o
		db  73h	; s
		db  2Dh	; -
		db  6Bh	; k
		db  63h	; c
		db  6Dh	; m
		db  69h	; i
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  63h	; c
		db  66h	; f
		db  67h	; g
		db  2Dh	; -
		db  6Ch	; l
		db  31h	; 1
		db  2Dh	; -
		db  31h	; 1
		db  2Dh	; -
		db  30h	; 0
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db  0Ah
		db    0
		db  4Bh	; K
		db  73h	; s
		db  72h	; r
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  53h	; S
		db  79h	; y
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  6Dh	; m
		db    0
		db    3
		db    0
		db  4Bh	; K
		db  73h	; s
		db  72h	; r
		db  45h	; E
		db  6Eh	; n
		db  75h	; u
		db  6Dh	; m
		db  65h	; e
		db  72h	; r
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  50h	; P
		db  65h	; e
		db  72h	; r
		db  73h	; s
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  64h	; d
		db  4Dh	; M
		db  65h	; e
		db  6Dh	; m
		db  6Fh	; o
		db  72h	; r
		db  79h	; y
		db    0
		db  15h
		db    0
		db  4Bh	; K
		db  73h	; s
		db  72h	; r
		db  51h	; Q
		db  75h	; u
		db  65h	; e
		db  72h	; r
		db  79h	; y
		db  4Dh	; M
		db  65h	; e
		db  74h	; t
		db  61h	; a
		db  64h	; d
		db  61h	; a
		db  74h	; t
		db  61h	; a
		db    0
		db    0
		db    0
		db    0
		db  4Bh	; K
		db  73h	; s
		db  72h	; r
		db  43h	; C
		db  6Ch	; l
		db  61h	; a
		db  69h	; i
		db  6Dh	; m
		db  50h	; P
		db  65h	; e
		db  72h	; r
		db  73h	; s
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  64h	; d
		db  4Dh	; M
		db  65h	; e
		db  6Dh	; m
		db  6Fh	; o
		db  72h	; r
		db  79h	; y
		db    0
		db    6
		db    0
		db  4Bh	; K
		db  73h	; s
		db  72h	; r
		db  46h	; F
		db  72h	; r
		db  65h	; e
		db  65h	; e
		db  50h	; P
		db  65h	; e
		db  72h	; r
		db  73h	; s
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  64h	; d
		db  4Dh	; M
		db  65h	; e
		db  6Dh	; m
		db  6Fh	; o
		db  72h	; r
		db  79h	; y
		db  42h	; B
		db  6Ch	; l
		db  6Fh	; o
		db  63h	; c
		db  6Bh	; k
		db    0
		db  0Bh
		db    0
		db  4Bh	; K
		db  73h	; s
		db  72h	; r
		db  4Dh	; M
		db  64h	; d
		db  6Ch	; l
		db  54h	; T
		db  6Fh	; o
		db  4Dh	; M
		db  65h	; e
		db  6Dh	; m
		db  6Fh	; o
		db  72h	; r
		db  79h	; y
		db  52h	; R
		db  75h	; u
		db  6Eh	; n
		db  73h	; s
		db    0
		db    0
		db  13h
		db    0
		db  4Bh	; K
		db  73h	; s
		db  72h	; r
		db  50h	; P
		db  65h	; e
		db  72h	; r
		db  73h	; s
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  4Dh	; M
		db  65h	; e
		db  6Dh	; m
		db  6Fh	; o
		db  72h	; r
		db  79h	; y
		db  57h	; W
		db  69h	; i
		db  74h	; t
		db  68h	; h
		db  4Dh	; M
		db  65h	; e
		db  74h	; t
		db  61h	; a
		db  64h	; d
		db  61h	; a
		db  74h	; t
		db  61h	; a
		db    0
		db    0
		db    7
		db    0
		db  4Bh	; K
		db  73h	; s
		db  72h	; r
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  46h	; F
		db  69h	; i
		db  72h	; r
		db  6Dh	; m
		db  77h	; w
		db  61h	; a
		db  72h	; r
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db    5
		db    0
		db  4Bh	; K
		db  73h	; s
		db  72h	; r
		db  46h	; F
		db  72h	; r
		db  65h	; e
		db  65h	; e
		db  50h	; P
		db  65h	; e
		db  72h	; r
		db  73h	; s
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  64h	; d
		db  4Dh	; M
		db  65h	; e
		db  6Dh	; m
		db  6Fh	; o
		db  72h	; r
		db  79h	; y
		db    0
		db    0
		db    9
		db    0
		db  4Bh	; K
		db  73h	; s
		db  72h	; r
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  50h	; P
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  44h	; D
		db  61h	; a
		db  74h	; t
		db  61h	; a
		db  62h	; b
		db  61h	; a
		db  73h	; s
		db  65h	; e
		db    0
		db    1
		db    0
		db  4Bh	; K
		db  73h	; s
		db  72h	; r
		db  43h	; C
		db  6Ch	; l
		db  65h	; e
		db  61h	; a
		db  6Eh	; n
		db  75h	; u
		db  70h	; p
		db  50h	; P
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  44h	; D
		db  61h	; a
		db  74h	; t
		db  61h	; a
		db  62h	; b
		db  61h	; a
		db  73h	; s
		db  65h	; e
		db    0
		db    0
		db  65h	; e
		db  78h	; x
		db  74h	; t
		db  2Dh	; -
		db  6Dh	; m
		db  73h	; s
		db  2Dh	; -
		db  77h	; w
		db  69h	; i
		db  6Eh	; n
		db  2Dh	; -
		db  6Eh	; n
		db  74h	; t
		db  6Fh	; o
		db  73h	; s
		db  2Dh	; -
		db  6Bh	; k
		db  73h	; s
		db  72h	; r
		db  2Dh	; -
		db  6Ch	; l
		db  31h	; 1
		db  2Dh	; -
		db  31h	; 1
		db  2Dh	; -
		db  33h	; 3
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db    0
		db    0
		db    0
		db  51h	; Q
		db  75h	; u
		db  65h	; e
		db  72h	; r
		db  79h	; y
		db  55h	; U
		db  70h	; p
		db  64h	; d
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  46h	; F
		db  69h	; i
		db  6Ch	; l
		db  65h	; e
		db  45h	; E
		db  61h	; a
		db  41h	; A
		db  6Ch	; l
		db  6Ch	; l
		db  6Fh	; o
		db  77h	; w
		db  65h	; e
		db  64h	; d
		db  45h	; E
		db  78h	; x
		db  74h	; t
		db    0
		db  65h	; e
		db  78h	; x
		db  74h	; t
		db  2Dh	; -
		db  6Dh	; m
		db  73h	; s
		db  2Dh	; -
		db  77h	; w
		db  69h	; i
		db  6Eh	; n
		db  2Dh	; -
		db  6Eh	; n
		db  74h	; t
		db  6Fh	; o
		db  73h	; s
		db  2Dh	; -
		db  6Bh	; k
		db  73h	; s
		db  65h	; e
		db  63h	; c
		db  75h	; u
		db  72h	; r
		db  69h	; i
		db  74h	; t
		db  79h	; y
		db  2Dh	; -
		db  6Ch	; l
		db  31h	; 1
		db  2Dh	; -
		db  31h	; 1
		db  2Dh	; -
		db  31h	; 1
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db    0
		db    5
		db    0
		db  57h	; W
		db  65h	; e
		db  72h	; r
		db  4Ch	; L
		db  69h	; i
		db  76h	; v
		db  65h	; e
		db  4Bh	; K
		db  65h	; e
		db  72h	; r
		db  6Eh	; n
		db  65h	; e
		db  6Ch	; l
		db  53h	; S
		db  75h	; u
		db  62h	; b
		db  6Dh	; m
		db  69h	; i
		db  74h	; t
		db  52h	; R
		db  65h	; e
		db  70h	; p
		db  6Fh	; o
		db  72h	; r
		db  74h	; t
		db    0
		db    2
		db    0
		db  57h	; W
		db  65h	; e
		db  72h	; r
		db  4Ch	; L
		db  69h	; i
		db  76h	; v
		db  65h	; e
		db  4Bh	; K
		db  65h	; e
		db  72h	; r
		db  6Eh	; n
		db  65h	; e
		db  6Ch	; l
		db  43h	; C
		db  72h	; r
		db  65h	; e
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  52h	; R
		db  65h	; e
		db  70h	; p
		db  6Fh	; o
		db  72h	; r
		db  74h	; t
		db    0
		db    0
		db    0
		db  57h	; W
		db  65h	; e
		db  72h	; r
		db  4Ch	; L
		db  69h	; i
		db  76h	; v
		db  65h	; e
		db  4Bh	; K
		db  65h	; e
		db  72h	; r
		db  6Eh	; n
		db  65h	; e
		db  6Ch	; l
		db  43h	; C
		db  61h	; a
		db  6Eh	; n
		db  63h	; c
		db  65h	; e
		db  6Ch	; l
		db  52h	; R
		db  65h	; e
		db  70h	; p
		db  6Fh	; o
		db  72h	; r
		db  74h	; t
		db    0
		db    4
		db    0
		db  57h	; W
		db  65h	; e
		db  72h	; r
		db  4Ch	; L
		db  69h	; i
		db  76h	; v
		db  65h	; e
		db  4Bh	; K
		db  65h	; e
		db  72h	; r
		db  6Eh	; n
		db  65h	; e
		db  6Ch	; l
		db  4Fh	; O
		db  70h	; p
		db  65h	; e
		db  6Eh	; n
		db  44h	; D
		db  75h	; u
		db  6Dh	; m
		db  70h	; p
		db  46h	; F
		db  69h	; i
		db  6Ch	; l
		db  65h	; e
		db    0
		db    1
		db    0
		db  57h	; W
		db  65h	; e
		db  72h	; r
		db  4Ch	; L
		db  69h	; i
		db  76h	; v
		db  65h	; e
		db  4Bh	; K
		db  65h	; e
		db  72h	; r
		db  6Eh	; n
		db  65h	; e
		db  6Ch	; l
		db  43h	; C
		db  6Ch	; l
		db  6Fh	; o
		db  73h	; s
		db  65h	; e
		db  48h	; H
		db  61h	; a
		db  6Eh	; n
		db  64h	; d
		db  6Ch	; l
		db  65h	; e
		db    0
		db    0
		db    3
		db    0
		db  57h	; W
		db  65h	; e
		db  72h	; r
		db  4Ch	; L
		db  69h	; i
		db  76h	; v
		db  65h	; e
		db  4Bh	; K
		db  65h	; e
		db  72h	; r
		db  6Eh	; n
		db  65h	; e
		db  6Ch	; l
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  53h	; S
		db  79h	; y
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  6Dh	; m
		db    0
		db  65h	; e
		db  78h	; x
		db  74h	; t
		db  2Dh	; -
		db  6Dh	; m
		db  73h	; s
		db  2Dh	; -
		db  77h	; w
		db  69h	; i
		db  6Eh	; n
		db  2Dh	; -
		db  6Eh	; n
		db  74h	; t
		db  6Fh	; o
		db  73h	; s
		db  2Dh	; -
		db  77h	; w
		db  65h	; e
		db  72h	; r
		db  6Bh	; k
		db  65h	; e
		db  72h	; r
		db  6Eh	; n
		db  65h	; e
		db  6Ch	; l
		db  2Dh	; -
		db  6Ch	; l
		db  31h	; 1
		db  2Dh	; -
		db  31h	; 1
		db  2Dh	; -
		db  31h	; 1
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db    0
		db    0
		db    0
		db  45h	; E
		db  78h	; x
		db  70h	; p
		db  4Dh	; M
		db  69h	; i
		db  63h	; c
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  6Fh	; o
		db  64h	; d
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  4Ch	; L
		db  6Fh	; o
		db  61h	; a
		db  64h	; d
		db    0
		db    1
		db    0
		db  45h	; E
		db  78h	; x
		db  70h	; p
		db  4Dh	; M
		db  69h	; i
		db  63h	; c
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  6Fh	; o
		db  64h	; d
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  55h	; U
		db  6Eh	; n
		db  6Ch	; l
		db  6Fh	; o
		db  61h	; a
		db  64h	; d
		db    0
		db    2
		db    0
		db  45h	; E
		db  78h	; x
		db  70h	; p
		db  4Dh	; M
		db  69h	; i
		db  63h	; c
		db  72h	; r
		db  6Fh	; o
		db  63h	; c
		db  6Fh	; o
		db  64h	; d
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  69h	; i
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  7Ah	; z
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db    0
		db  65h	; e
		db  78h	; x
		db  74h	; t
		db  2Dh	; -
		db  6Dh	; m
		db  73h	; s
		db  2Dh	; -
		db  77h	; w
		db  69h	; i
		db  6Eh	; n
		db  2Dh	; -
		db  6Eh	; n
		db  74h	; t
		db  6Fh	; o
		db  73h	; s
		db  2Dh	; -
		db  75h	; u
		db  63h	; c
		db  6Fh	; o
		db  64h	; d
		db  65h	; e
		db  2Dh	; -
		db  6Ch	; l
		db  31h	; 1
		db  2Dh	; -
		db  31h	; 1
		db  2Dh	; -
		db  30h	; 0
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db    0
		db    1
		db    0
		db  45h	; E
		db  78h	; x
		db  70h	; p
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  69h	; i
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  7Ah	; z
		db  65h	; e
		db  53h	; S
		db  74h	; t
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  53h	; S
		db  65h	; e
		db  70h	; p
		db  61h	; a
		db  72h	; r
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  50h	; P
		db  68h	; h
		db  61h	; a
		db  73h	; s
		db  65h	; e
		db  31h	; 1
		db    0
		db    0
		db    0
		db    0
		db  45h	; E
		db  78h	; x
		db  70h	; p
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  69h	; i
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  7Ah	; z
		db  65h	; e
		db  53h	; S
		db  74h	; t
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  53h	; S
		db  65h	; e
		db  70h	; p
		db  61h	; a
		db  72h	; r
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  50h	; P
		db  68h	; h
		db  61h	; a
		db  73h	; s
		db  65h	; e
		db  30h	; 0
		db    0
		db    0
		db    2
		db    0
		db  45h	; E
		db  78h	; x
		db  70h	; p
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  69h	; i
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  7Ah	; z
		db  65h	; e
		db  53h	; S
		db  74h	; t
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  53h	; S
		db  65h	; e
		db  70h	; p
		db  61h	; a
		db  72h	; r
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  50h	; P
		db  68h	; h
		db  61h	; a
		db  73h	; s
		db  65h	; e
		db  32h	; 2
		db    0
		db    0
		db  65h	; e
		db  78h	; x
		db  74h	; t
		db  2Dh	; -
		db  6Dh	; m
		db  73h	; s
		db  2Dh	; -
		db  77h	; w
		db  69h	; i
		db  6Eh	; n
		db  2Dh	; -
		db  6Eh	; n
		db  74h	; t
		db  6Fh	; o
		db  73h	; s
		db  2Dh	; -
		db  73h	; s
		db  74h	; t
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  73h	; s
		db  65h	; e
		db  70h	; p
		db  61h	; a
		db  72h	; r
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  2Dh	; -
		db  6Ch	; l
		db  31h	; 1
		db  2Dh	; -
		db  31h	; 1
		db  2Dh	; -
		db  30h	; 0
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db    0
		db    7
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  43h	; C
		db  72h	; r
		db  65h	; e
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  4Ch	; L
		db  6Fh	; o
		db  67h	; g
		db  46h	; F
		db  69h	; i
		db  6Ch	; l
		db  65h	; e
		db    0
		db  25h	; %
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  4Dh	; M
		db  67h	; g
		db  6Dh	; m
		db  74h	; t
		db  52h	; R
		db  65h	; e
		db  67h	; g
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  64h	; d
		db  43h	; C
		db  6Ch	; l
		db  69h	; i
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db  23h	; #
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  4Dh	; M
		db  67h	; g
		db  6Dh	; m
		db  74h	; t
		db  49h	; I
		db  6Eh	; n
		db  73h	; s
		db  74h	; t
		db  61h	; a
		db  6Ch	; l
		db  6Ch	; l
		db  50h	; P
		db  6Fh	; o
		db  6Ch	; l
		db  69h	; i
		db  63h	; c
		db  79h	; y
		db    0
		db    6
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  43h	; C
		db  6Ch	; l
		db  6Fh	; o
		db  73h	; s
		db  65h	; e
		db  4Ch	; L
		db  6Fh	; o
		db  67h	; g
		db  46h	; F
		db  69h	; i
		db  6Ch	; l
		db  65h	; e
		db  4Fh	; O
		db  62h	; b
		db  6Ah	; j
		db  65h	; e
		db  63h	; c
		db  74h	; t
		db    0
		db    0
		db  21h	; !
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  4Dh	; M
		db  67h	; g
		db  6Dh	; m
		db  74h	; t
		db  44h	; D
		db  65h	; e
		db  72h	; r
		db  65h	; e
		db  67h	; g
		db  69h	; i
		db  73h	; s
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db  4Dh	; M
		db  61h	; a
		db  6Eh	; n
		db  61h	; a
		db  67h	; g
		db  65h	; e
		db  64h	; d
		db  43h	; C
		db  6Ch	; l
		db  69h	; i
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db    0
		db  14h
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  47h	; G
		db  65h	; e
		db  74h	; t
		db  4Ch	; L
		db  6Fh	; o
		db  67h	; g
		db  46h	; F
		db  69h	; i
		db  6Ch	; l
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  66h	; f
		db  6Fh	; o
		db  72h	; r
		db  6Dh	; m
		db  61h	; a
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db    0
		db  30h	; 0
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  52h	; R
		db  65h	; e
		db  61h	; a
		db  64h	; d
		db  52h	; R
		db  65h	; e
		db  73h	; s
		db  74h	; t
		db  61h	; a
		db  72h	; r
		db  74h	; t
		db  41h	; A
		db  72h	; r
		db  65h	; e
		db  61h	; a
		db    0
		db  1Bh
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  4Ch	; L
		db  73h	; s
		db  6Eh	; n
		db  45h	; E
		db  71h	; q
		db  75h	; u
		db  61h	; a
		db  6Ch	; l
		db    0
		db    0
		db  2Dh	; -
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  52h	; R
		db  65h	; e
		db  61h	; a
		db  64h	; d
		db  4Ch	; L
		db  6Fh	; o
		db  67h	; g
		db  52h	; R
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  72h	; r
		db  64h	; d
		db    0
		db  2Eh	; .
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  52h	; R
		db  65h	; e
		db  61h	; a
		db  64h	; d
		db  4Eh	; N
		db  65h	; e
		db  78h	; x
		db  74h	; t
		db  4Ch	; L
		db  6Fh	; o
		db  67h	; g
		db  52h	; R
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  72h	; r
		db  64h	; d
		db    0
		db  39h	; 9
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  54h	; T
		db  65h	; e
		db  72h	; r
		db  6Dh	; m
		db  69h	; i
		db  6Eh	; n
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  52h	; R
		db  65h	; e
		db  61h	; a
		db  64h	; d
		db  4Ch	; L
		db  6Fh	; o
		db  67h	; g
		db    0
		db    0
		db  3Ah	; :
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  57h	; W
		db  72h	; r
		db  69h	; i
		db  74h	; t
		db  65h	; e
		db  52h	; R
		db  65h	; e
		db  73h	; s
		db  74h	; t
		db  61h	; a
		db  72h	; r
		db  74h	; t
		db  41h	; A
		db  72h	; r
		db  65h	; e
		db  61h	; a
		db    0
		db    0
		db  0Ah
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  44h	; D
		db  65h	; e
		db  6Ch	; l
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db  4Ch	; L
		db  6Fh	; o
		db  67h	; g
		db  42h	; B
		db  79h	; y
		db  50h	; P
		db  6Fh	; o
		db  69h	; i
		db  6Eh	; n
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  0Ch
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  44h	; D
		db  65h	; e
		db  6Ch	; l
		db  65h	; e
		db  74h	; t
		db  65h	; e
		db  4Dh	; M
		db  61h	; a
		db  72h	; r
		db  73h	; s
		db  68h	; h
		db  61h	; a
		db  6Ch	; l
		db  6Ch	; l
		db  69h	; i
		db  6Eh	; n
		db  67h	; g
		db  41h	; A
		db  72h	; r
		db  65h	; e
		db  61h	; a
		db    0
		db  33h	; 3
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  52h	; R
		db  65h	; e
		db  73h	; s
		db  65h	; e
		db  72h	; r
		db  76h	; v
		db  65h	; e
		db  41h	; A
		db  6Eh	; n
		db  64h	; d
		db  41h	; A
		db  70h	; p
		db  70h	; p
		db  65h	; e
		db  6Eh	; n
		db  64h	; d
		db  4Ch	; L
		db  6Fh	; o
		db  67h	; g
		db    0
		db  1Dh
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  4Ch	; L
		db  73h	; s
		db  6Eh	; n
		db  49h	; I
		db  6Eh	; n
		db  76h	; v
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  64h	; d
		db    0
		db    0
		db  10h
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  46h	; F
		db  6Ch	; l
		db  75h	; u
		db  73h	; s
		db  68h	; h
		db  54h	; T
		db  6Fh	; o
		db  4Ch	; L
		db  73h	; s
		db  6Eh	; n
		db    0
		db    0
		db  18h
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  4Ch	; L
		db  73h	; s
		db  6Eh	; n
		db  43h	; C
		db  6Fh	; o
		db  6Eh	; n
		db  74h	; t
		db  61h	; a
		db  69h	; i
		db  6Eh	; n
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  1Eh
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  4Ch	; L
		db  73h	; s
		db  6Eh	; n
		db  4Ch	; L
		db  65h	; e
		db  73h	; s
		db  73h	; s
		db    0
		db    8
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  43h	; C
		db  72h	; r
		db  65h	; e
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db  4Dh	; M
		db  61h	; a
		db  72h	; r
		db  73h	; s
		db  68h	; h
		db  61h	; a
		db  6Ch	; l
		db  6Ch	; l
		db  69h	; i
		db  6Eh	; n
		db  67h	; g
		db  41h	; A
		db  72h	; r
		db  65h	; e
		db  61h	; a
		db    0
		db    0
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  41h	; A
		db  64h	; d
		db  64h	; d
		db  4Ch	; L
		db  6Fh	; o
		db  67h	; g
		db  43h	; C
		db  6Fh	; o
		db  6Eh	; n
		db  74h	; t
		db  61h	; a
		db  69h	; i
		db  6Eh	; n
		db  65h	; e
		db  72h	; r
		db    0
		db  31h	; 1
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  52h	; R
		db  65h	; e
		db  6Dh	; m
		db  6Fh	; o
		db  76h	; v
		db  65h	; e
		db  4Ch	; L
		db  6Fh	; o
		db  67h	; g
		db  43h	; C
		db  6Fh	; o
		db  6Eh	; n
		db  74h	; t
		db  61h	; a
		db  69h	; i
		db  6Eh	; n
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  1Ah
		db    0
		db  43h	; C
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  4Ch	; L
		db  73h	; s
		db  6Eh	; n
		db  44h	; D
		db  69h	; i
		db  66h	; f
		db  66h	; f
		db  65h	; e
		db  72h	; r
		db  65h	; e
		db  6Eh	; n
		db  63h	; c
		db  65h	; e
		db    0
		db  65h	; e
		db  78h	; x
		db  74h	; t
		db  2Dh	; -
		db  6Dh	; m
		db  73h	; s
		db  2Dh	; -
		db  77h	; w
		db  69h	; i
		db  6Eh	; n
		db  2Dh	; -
		db  66h	; f
		db  73h	; s
		db  2Dh	; -
		db  63h	; c
		db  6Ch	; l
		db  66h	; f
		db  73h	; s
		db  2Dh	; -
		db  6Ch	; l
		db  31h	; 1
		db  2Dh	; -
		db  31h	; 1
		db  2Dh	; -
		db  30h	; 0
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db    0
		db    0
		db  43h	; C
		db  69h	; i
		db  49h	; I
		db  6Eh	; n
		db  69h	; i
		db  74h	; t
		db  69h	; i
		db  61h	; a
		db  6Ch	; l
		db  69h	; i
		db  7Ah	; z
		db  65h	; e
		db    0
		db    0
		db  43h	; C
		db  49h	; I
		db  2Eh	; .
		db  64h	; d
		db  6Ch	; l
		db  6Ch	; l
		db    0
		db    0
		db  0Bh
		db    0
		db  4Dh	; M
		db  65h	; e
		db  73h	; s
		db  44h	; D
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  64h	; d
		db  65h	; e
		db  42h	; B
		db  75h	; u
		db  66h	; f
		db  66h	; f
		db  65h	; e
		db  72h	; r
		db  48h	; H
		db  61h	; a
		db  6Eh	; n
		db  64h	; d
		db  6Ch	; l
		db  65h	; e
		db  43h	; C
		db  72h	; r
		db  65h	; e
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db    0
		db  39h	; 9
		db    0
		db  52h	; R
		db  70h	; p
		db  63h	; c
		db  45h	; E
		db  78h	; x
		db  63h	; c
		db  65h	; e
		db  70h	; p
		db  74h	; t
		db  69h	; i
		db  6Fh	; o
		db  6Eh	; n
		db  46h	; F
		db  69h	; i
		db  6Ch	; l
		db  74h	; t
		db  65h	; e
		db  72h	; r
		db    0
		db    0
		db  10h
		db    0
		db  4Dh	; M
		db  65h	; e
		db  73h	; s
		db  48h	; H
		db  61h	; a
		db  6Eh	; n
		db  64h	; d
		db  6Ch	; l
		db  65h	; e
		db  46h	; F
		db  72h	; r
		db  65h	; e
		db  65h	; e
		db    0
		db  0Fh
		db    0
		db  4Dh	; M
		db  65h	; e
		db  73h	; s
		db  45h	; E
		db  6Eh	; n
		db  63h	; c
		db  6Fh	; o
		db  64h	; d
		db  65h	; e
		db  49h	; I
		db  6Eh	; n
		db  63h	; c
		db  72h	; r
		db  65h	; e
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db  61h	; a
		db  6Ch	; l
		db  48h	; H
		db  61h	; a
		db  6Eh	; n
		db  64h	; d
		db  6Ch	; l
		db  65h	; e
		db  43h	; C
		db  72h	; r
		db  65h	; e
		db  61h	; a
		db  74h	; t
		db  65h	; e
		db    0
		db    0
		db  11h
		db    0
		db  4Dh	; M
		db  65h	; e
		db  73h	; s
		db  49h	; I
		db  6Eh	; n
		db  63h	; c
		db  72h	; r
		db  65h	; e
		db  6Dh	; m
		db  65h	; e
		db  6Eh	; n
		db  74h	; t
		db  61h	; a
		db  6Ch	; l
		db  48h	; H
		db  61h	; a
		db  6Eh	; n
		db  64h	; d
		db  6Ch	; l
		db  65h	; e
		db  52h	; R
		db  65h	; e
		db  73h	; s
		db  65h	; e
		db  74h	; t
		db    0
		db  28h	; (
		db    0
		db  4Eh	; N
		db  64h	; d
		db  72h	; r
		db  4Dh	; M
		db  65h	; e
		db  73h	; s
		db  54h	; T
		db  79h	; y
		db  70h	; p
		db  65h	; e
		db  44h	; D
		db  65h	; e
		db  63h	; c
		db  6Fh	; o
		db  64h	; d
		db  65h	; e
		db  32h	; 2
		db    0
		db  2Ah	; *
		db    0
		db  4Eh	; N
		db  64h	; d
		db  72h	; r
		db  4Dh	; M
		db  65h	; e
		db  73h	; s
		db  54h	; T
		db  79h	; y
		db  70h	; p
		db  65h	; e
		db  45h	; E
		db  6Eh	; n
		db  63h	; c
		db  6Fh	; o
		db  64h	; d
		db  65h	; e
		db  32h	; 2
		db    0
		db  6Dh	; m
		db  73h	; s
		db  72h	; r
		db  70h	; p
		db  63h	; c
		db  2Eh	; .
		db  73h	; s
		db  79h	; y
		db  73h	; s
		db    0
		db  10h
		db    0
		db  42h	; B
		db  43h	; C
		db  72h	; r
		db  79h	; y
		db  70h	; p
		db  74h	; t
		db  45h	; E
		db  78h	; x
		db  70h	; p
		db  6Fh	; o
		db  72h	; r
		db  74h	; t
		db  4Bh	; K
		db  65h	; e
		db  79h	; y
		db    0
		db  63h	; c
		db  6Eh	; n
		db  67h	; g
		db  2Eh	; .
		db  73h	; s
		db  79h	; y
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_idata		ends

; Section 6. (virtual address 00305000)
; Virtual size			: 0000A018 (  40984.)
; Section size in file		: 00001000 (   4096.)
; Offset to raw	data for section: 002B6600
; Flags	C8000040: Data Not pageable Readable Writable
; Alignment	: default
; 

; Segment type:	Pure data
; Segment permissions: Read/Write
ALMOSTRO	segment	para public 'DATA' use32
		assume cs:ALMOSTRO
		;org 705000h
_DbgkpMaxModuleMsgs dd 0		; DATA XREF: DbgkpPostModuleMessages(x,x,x)+47r
					; DbgkpInitializePhase0()+C7r ...
_DbgkDebugObjectType dd	0		; DATA XREF: PspInsertProcess+14AAA9r
					; DbgkOpenProcessDebugPort(x,x,x)+74r ...
_DbgkEnableWerUserReporting dd 1	; DATA XREF: DbgkQueueUserExceptionReport(x,x,x)+2Cr
					; INIT:00AF65A8o
_DbgkErrorPortStartTimeout dd 3A98h	; DATA XREF: PAGE:00781736r
					; DbgkpSendErrorMessage+CBr ...
_DbgkErrorPortCommTimeout dd 2710h	; DATA XREF: PAGE:00781744r
					; INIT:00AF63C8o
_HvlpComponentName db  48h ; H		; DATA XREF: HvlPhase1Initialize+86BBFo
		db  76h	; v
		db  6Ch	; l
		db    0
_HvlpHypervisorStatsPage dd 0		; DATA XREF: HvlPhase1Initialize+86C29w
_HvlpInterruptCallback dd offset _KeSetDmaIoCoherency@4
					; DATA XREF: HvlRegisterInterruptCallback(x,x,x)+21o
					; HvlUnregisterInterruptCallback(x,x)+Do
					; KeSetDmaIoCoherency(x)
		dd offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)
		dd offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)
		dd offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)
		dd offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)
_HvlpHypercallCodeVa dd	0		; DATA XREF: HvlQueryConnection+5r
					; HvlpTryConfigureInterface:loc_56AE3Ew ...
_HvlpVirtualProcessorsIdentityMapped db	1 ; DATA XREF: HvlEnlightenProcessor+8189Cw
					; HvlGetProcessorIndexFromVpIndex(x)+5r ...
_HvlEnableIdleYield db 1		; DATA XREF: KiIdleLoop():loc_5A2459r
					; HvlpDetermineEnlightenments()+41w
_KiForegrounBoostVelocityFlag db 0	; DATA XREF: KiTryScheduleNextForegroundBoost(x)r
					; KiComputeNewPriority+14r ...
_KiCetCapable	db    0
_HvlLongSpinCountMask dd 0FFFFFFFFh	; DATA XREF: ExpWaitForSpinLockExclusiveAndAcquire+26r
					; KeYieldProcessorEx+4r ...
_KeKernelStackSize dd 3000h		; DATA XREF: RtlWalkFrameChain+3A4r
					; KiInitializeContextThread+266r ...
_KiCacheAwareScheduling	db 7		; DATA XREF: KiSearchForNewThreadOnNode(x,x)+43r
					; KeSelectIdealProcessor(x,x,x,x)+22r ...
		align 4
_KiRebalanceMinPriority	dd 1		; DATA XREF: KiQueueReadyThread+78r
					; INIT:00AF6560o
_KiDebugPollInterval dd	7D0h		; DATA XREF: KiGetNextTimerExpirationDueTime(x,x,x,x,x,x,x,x):loc_5923B1r
					; INIT:00AF6368o
_KiPowerOffFrozenProcessors db	  1	; DATA XREF: INIT:00AF6380o
		db    0
		db    0
		db    0
_KiTimerRebaseThresholdOnDripsExit dd 3Ch
					; DATA XREF: KiAdjustTimersAfterDripsExit(x,x,x)+3Ar
					; INIT:00AF4B68o
_KiForceIdleGracePeriodInSec dd	5	; DATA XREF: KiCheckAndRearmForceIdle+CCC4Dr
					; KeSetForceIdle()+51r	...
_KiMaxDynamicTickDuration dd 0FFFFFFFFh	; DATA XREF: KiSetupTimeIncrement+67r
					; KiSetupTimeIncrement+71w ...
dword_70505C	dd 0FFFFFFFFh		; DATA XREF: KiSetupTimeIncrement:loc_56E3D8r
					; KiSetupTimeIncrement+77w ...
_KiMaxDynamicTickDurationSize db    8	; DATA XREF: INIT:00AF3F84o
		db    0
		db    0
		db    0
_KiVpThreadSystemWorkPriority dd 0Fh	; DATA XREF: KeInitializeSchedulerAssist:loc_ADC526r
					; KeInitializeSchedulerAssist:loc_ADC53Fw ...
_KiIdealDpcRate	dd 14h			; DATA XREF: KeAccumulateTicks+28Er
					; PAGE:0077FD38r ...
_KiSerializeTimerExpiration dd 1	; DATA XREF: KiTimerExpiration+22r
					; KiExpireTimerTable+3Ar ...
_KiMaximumDpcQueueDepth	dd 4		; DATA XREF: KeAccumulateTicks+2EBr
					; KiCompleteKernelInit:loc_725907r ...
_KiMinimumDpcRate dd 3			; DATA XREF: KiCompleteKernelInit+B4r
					; KiInitPrcb(x,x)+13Fr	...
_KiMaximumSharedReadyQueueSize dd 104h	; DATA XREF: KiConfigureSchedulingInformation(x,x)+BBr
					; INIT:00AF3E60o
_KiAdjustDpcThreshold dd 14h		; DATA XREF: KeAccumulateTicks+269r
					; KeAccumulateTicks:loc_48C509r ...
_KeVerifierDpcScalingFactor dd 1	; DATA XREF: INIT:00ABFF1Er
					; INIT:00ABFF2Dw ...
_KeThreadDpcEnable dd 1			; DATA XREF: KiInitializeProcessor+Er
					; KiInitializeDynamicProcessor(x)+24r ...
_KiI386SEHOPEnabled dd 1		; DATA XREF: KeI386InitializeSEHOP+6r
					; INIT:00AF3E18o
_KiDPCTimeout	dd 4E20h		; DATA XREF: KiInitializeProcessor:loc_725000r
					; INIT:00ABFEB4w ...
_KeDpcWatchdogPeriod dd	1D4C0h		; DATA XREF: KiInitializeProcessor+3Dr
					; KiInitializeProcessor+88r ...
_KeDpcWatchdogProfileGlobalTriageBlock db 0DEh ;  ; DATA XREF:	KeAccumulateTicks+12BA19o
					; KeAccumulateTicks+12BA9Eo
		db 0CEh	; 
		db 0BEh	; 
		db 0AEh	; 
		db    1
		db    0
		db  10h
		db    0
		db  60h	; `
		db  40h	; @
		db    0
		db    0
dword_7050A0	dd 0			; DATA XREF: IopUpdateMinidumpContext(x,x,x,x,x,x,x,x)+228r
					; IopMarkPagesForDpcData(x)+37r ...
_KeNumberNodes	dw 1			; DATA XREF: KeQueryHighestNodeNumber()r
					; KeQueryNodeActiveAffinity(x,x,x)+21r	...
_KiProfileIrql	db 1Bh			; DATA XREF: KiStartProfileTarget(x)+8r
					; KiStopProfileTarget(x)+8r ...
_KiClockKeepAliveCycle db 64h		; DATA XREF: KeAccumulateTicks+1F4r
					; KeAccumulateTicks+12B98Br ...
_KeProcessorArchitecture dw 0FFFFh	; DATA XREF: ExpGetSystemProcessorInformation+13r
					; PopBuildMemoryImageHeader(x,x)+91r ...
_KeTimeSynchronization db 1		; DATA XREF: ExpInsertTimerResolutionEntry+F3w
					; ExpTimeRefreshWork(x)+12r ...
_VmTbFlushEnabled db 0			; DATA XREF: KeFlushMultipleRangeTb:loc_451F65r
					; MiTerminateWsleCluster:loc_456276r ...
_KeNodeDistance	dd offset _KiNonNumaDistance ; DATA XREF: PAGE:007807D7r
					; KiPerformGroupConfiguration+128r ...
_KiFlushIpi	db    1
		db    0
		db    0
		db    0
_KiForegroundBoostTicks	dd 2		; DATA XREF: KiProcessPendingForegroundBoosts+5Ar
					; KiProcessPendingForegroundBoosts:loc_4422B8r	...
_KiProcessPolicyToQosMappingTable dd 5	; DATA XREF: KeIsProcessPowerThrottled(x,x)+9r
					; KeGetProcessQosFromPolicy(x)r ...
		db    2
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KeXStateLength	dd 200h			; DATA XREF: KeSaveExtendedAndSupervisorState+209r
					; KeRestoreIptStateAfterProcessorComesOnline+8CB26r ...
_KiXSaveAreaLength dd 200h		; DATA XREF: KiInitializeContextThread+30r
					; KiRestoreIptState(x)+7r ...
_KiDynamicHeteroCpuPolicyExpectedCycles	dd 5F5E100h
					; DATA XREF: KiGetHeteroThreadQos(x,x,x)+BAr
					; KeConfigureHeteroPolicy+E5w
_KiDynamicHeteroCpuPolicyExpectedRuntime dd 1450h ; DATA XREF: KeConfigureHeteroPolicy+6Dr
					; KeConfigureHeteroPolicy+D1w ...
_KiDynamicHeteroCpuPolicyImportantPriority dd 8
					; DATA XREF: KiGetHeteroThreadQos(x,x,x)+146r
					; KeConfigureHeteroPolicy+5Br ...
_KiQueuedLockTableSize db  11h		; DATA XREF: KiInitSystem+18o
		db    0
		db    0
		db    0
_KiTimerTableSize db	0		; DATA XREF: KiInitSystem+77o
		db    1
		db    0
		db    0
_KiBalanceSetManagerPeriod dd 3Ch	; DATA XREF: KiUpdateTime:loc_487CDFr
					; KiSetupTimeIncrement+151w
_KiDefaultHeteroCpuPolicy dd 5		; DATA XREF: KeQueryHeteroCpuPolicyThread(x,x)+10r
					; KiSetHeteroPolicyThread(x,x,x,x)+99r	...
_KiDesiredHeteroCpuPolicy dd 5		; DATA XREF: KeConfigureHeteroPolicy+53r
					; KeConfigureHeteroPolicy+B7w ...
_KiDynamicHeteroCpuPolicy dd 3		; DATA XREF: KiConvertDynamicHeteroPolicy(x,x,x)+37r
					; KeConfigureHeteroPolicy:loc_8A14C5o ...
unk_705104	db    2			; DATA XREF: PpmEventHeteroPolicy+8EF09o
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
unk_705114	db    4			; DATA XREF: PpmEventHeteroPolicy+8EEEFo
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
_KiDynamicHeteroCpuPolicyMask dd 7	; DATA XREF: KiGetHeteroThreadQos(x,x,x)+93r
					; KiGetHeteroThreadQos(x,x,x)+FCr ...
_KiPeriodicCountThreshold db 0B8h ; 
		db  0Bh
		db    0
		db    0
_KiMxCsrMask	dd 0FFBFh		; DATA XREF: KiContextToNpxFrame+42r
					; KiConfigureDynamicProcessor():loc_72EACAr ...
_KiGroupSchedulingNumerator dd 32h	; DATA XREF: KiTransitionSchedulingGroupGeneration:loc_4442ADr
					; KeUpdateGroupSchedulingConstants+A4w
_KiCycleDivisorLongTerm	dd 0F4240h	; DATA XREF: KeUpdateGroupSchedulingConstants+73w
					; KiComputeGroupSchedulingRank+16B5C2r
dword_70513C	dd 0			; DATA XREF: KeUpdateGroupSchedulingConstants+78w
					; KiComputeGroupSchedulingRank:loc_5AC279r
_KiCycleDivisorShortTerm dd 0F4240h	; DATA XREF: KiRecomputeGroupSchedulingRank(x,x,x)+23r
					; .text:0050FC02r ...
dword_705144	dd 0			; DATA XREF: KiRecomputeGroupSchedulingRank(x,x,x)+17r
					; .text:0050FC08r ...
_KiCyclesPerGeneration dd 5F5E100h	; DATA XREF: KiUpdateCpuTargetByWeight+30r
					; KiUpdateCpuTargetByWeight:loc_51057Fr ...
dword_70514C	dd 0			; DATA XREF: KiUpdateCpuTargetByWeight+2Ar
					; KiUpdateCpuTargetByWeight+79r ...
_KiCyclesPerClockQuantum dd 0F4240h	; DATA XREF: KiComputeQuantumTargetThread(x,x,x,x,x)+8r
					; KiDirectSwitchThread+962r ...
_KiMaximumGroupSize dd 20h		; DATA XREF: HvlStartBootLogicalProcessors+Br
					; KiConfigureInitialNodes(x)r ...
_KiMinDynamicTickDuration dd 3E8h	; DATA XREF: KiSetupTimeIncrement:loc_56E3C4r
					; KePrepareClockTimerForIdle(x,x,x,x,x):loc_591F23r ...
_KiDynamicTickDisableReason dd 0	; DATA XREF: PoIdle(x):loc_48A553r
					; KeResumeClockTimerFromIdle+15r ...
_KiLargestCacheSize dd 10000h		; DATA XREF: KeInvalidateRangeAllCachesNoIpi+8r
					; KeInvalidateRangeAllCaches(x,x)+1Cr ...
_KiClockLatencyMaxDynamicTickDuration dd 2710h
					; DATA XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+29Dr
_KiDispatchInterruptCost db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_KiI386ExceptionChainTerminator	dd 0FFFFFFFFh
					; DATA XREF: KeI386GetExceptionChainTerminator()r
					; KiInitializeContextThread+1EEr ...
_KeLargestCacheLine dd 40h		; DATA XREF: KeGetRecommendedSharedDataAlignment()r
					; KiFlushRangeAllCaches(x,x,x,x,x)+19r	...
_KiActiveGroups	dw 1			; DATA XREF: KeQueryActiveProcessorCountEx(x):loc_48CEFCr
					; KeQueryLogicalProcessorRelationship:loc_4C396Dr ...
_ExpAeCycleCountScaler db 0		; DATA XREF: ExpAeUpdateStatsAfterMeasurement(x,x,x)+13r
					; ExpAeThresholdInitialization+13Ew ...
		align 4
_KiMaximumGroups dw 1			; DATA XREF: KeQueryMaximumGroupCount()r
					; KeQueryLogicalProcessorRelationship+237r ...
		align 10h
_LpcWaitablePortObjectType dd 0		; DATA XREF: LpcInitSystem()+20w
_LpcLegacyMaxMessageLength dd 0		; DATA XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+13Er
					; AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+15Dr ...
; Exported entry 1350. LpcPortObjectType
		public _LpcPortObjectType
_LpcPortObjectType dd 0			; DATA XREF: PAGE:007A764Fr
					; NtRegisterThreadTerminatePort+25r ...
_AlpcpSecondaryMessageTables dd	0	; DATA XREF: AlpcpFreeMessageFunction:loc_8E9C5Cr
					; AlpcpLookupMessage:loc_923BB8r ...
_AlpcpWakePolicyDefault	dd 1		; DATA XREF: AlpcpCompleteDispatchMessage+B5r
					; AlpcpCompleteDispatchMessage+83Dr ...
_MiMaximumWorkingSet dd	7FFF0h		; DATA XREF: MiCheckWsLimits:loc_507C4Br
					; MiInitializeBootDefaults+FD54w
_MmPageValidationAction	db 0		; DATA XREF: MiPageNotZero(x,x)+A3r
					; INIT:00AF3890o
		align 4
_MmPageValidationFrequency dd 0		; DATA XREF: .text:004703CEr
					; MiInsertLargePageInNodeList(x)+A1r ...
_MiVisibleState	dd offset dword_6D35C0	; DATA XREF: MiInitNucleus(x)+27o
_MmSpecialPoolCatchOverruns dd 1	; DATA XREF: PAGE:00780CD4r
					; PAGE:007B40E7w ...
_MmRegistryState dd 1			; DATA XREF: MiRelocateImage:loc_791705r
					; INIT:00AF36C8o
byte_7051AC	db 0			; DATA XREF: MiLockCode(x,x,x,x)+CEr
					; MmPageEntireDriver(x)+26r ...
		align 10h
byte_7051B0	db 0			; DATA XREF: MiCombineIdenticalPages(x,x,x,x,x,x):loc_9A062Ar
					; INIT:00AF3728o
		align 4
dword_7051B4	dd 0			; DATA XREF: MmUnmapLockedPages:loc_47A9AEr
					; .text:0047AA5Ar ...
dword_7051B8	dd 0			; DATA XREF: MiWritePageFileHash+95r
					; MiResolvePageFileFault:loc_54BB48r ...
dword_7051BC	dd 0			; DATA XREF: MmCreateMirror():loc_9983DCr
					; MiInitializeMirroring+D2r ...
unk_7051C0	db    0			; DATA XREF: INIT:00AF3758o
		db    0
		db    0
		db    0
dword_7051C4	dd 0			; DATA XREF: MiGatherPagefilePages+127r
					; MiGatherPagefilePages:loc_483615r ...
dword_7051C8	dd 0			; DATA XREF: MiComputeProcessUserVa:loc_7613C5r
					; INIT:00AF3680o
dword_7051CC	dd 278D00h		; DATA XREF: MiInitializeBootDefaults+C3r
					; INIT:00AF4E20o
dword_7051D0	dd 0			; DATA XREF: PAGE:0075B6FFr
					; INIT:00AF3B78o
dword_7051D4	dd 0			; DATA XREF: PnpIsWatchdogBugcheckEnabled()+2r
					; CcLazyWriteScan:loc_4912E5r ...
dword_7051D8	dd 1000h		; DATA XREF: PAGE:0075B715r
					; RtlCreateHeap+11B006r ...
dword_7051DC	dd 10000h		; DATA XREF: PAGE:0075B70Ar
					; RtlCreateHeap+11B021r ...
dword_7051E0	dd 2000h		; DATA XREF: PAGE:0075B44Ar
					; RtlCreateHeap+11AFEBr ...
dword_7051E4	dd 100000h		; DATA XREF: PAGE:0075B43Cr
					; RtlCreateHeap+11AFD0r ...
dword_7051E8	dd 0			; DATA XREF: MiInitializeWorkingSetManagerParameters+187r
					; INIT:00AF36F8o
dword_7051EC	dd 0			; DATA XREF: MiInitializeWorkingSetManagerParameters+1AAr
					; INIT:00AF3710o
dword_7051F0	dd 0			; DATA XREF: MmQueryCommitReleaseState+89r
					; MiReAcquireOutSwappedProcessCommit(x)+4Dr ...
dword_7051F4	dd 0			; DATA XREF: MiSetSlabAllocatorPolicy+14r
unk_7051F8	db    0			; DATA XREF: INIT:00AF3C98o
		db    0
		db    0
		db    0
_ObpTraceFlags	dd 0			; DATA XREF: PsGetThreadProperty+D9r
					; ObReferenceObjectByPointer+37r ...
_PpmIdleIntervalLimits dd 0		; DATA XREF: PoIdle(x)+1CEr
					; PpmUpdateProcessorIdleAccounting+5Er	...
dword_705204	dd 0			; DATA XREF: PoIdle(x):loc_48A280r
					; PpmUpdateProcessorIdleAccounting:loc_574D48r	...
dword_705208	dd 3E8h			; DATA XREF: PopDiagTraceDripsHistogram(x,x,x,x,x,x,x,x)+BAr
					; PpmEventTraceAccountingBucketIntervalsRundown():loc_9B7CEEr ...
dword_70520C	dd 0			; DATA XREF: PopDiagTraceDripsHistogram(x,x,x,x,x,x,x,x)+C3r
					; PpmEventTraceAccountingBucketIntervalsRundown()+5Er ...
a100us		db '100us',0
		align 4
dword_705218	dd 0			; DATA XREF: PoIdle(x)+1E8r
dword_70521C	dd 0			; DATA XREF: PoIdle(x):loc_48A29Ar
		db 0C4h	; 
		db    9
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  32h	; 2
		db  35h	; 5
		db  30h	; 0
		db  75h	; u
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  88h	; 
		db  13h
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  35h	; 5
		db  30h	; 0
		db  30h	; 0
		db  75h	; u
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  4Ch	; L
		db  1Dh
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  37h	; 7
		db  35h	; 5
		db  30h	; 0
		db  75h	; u
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  10h
		db  27h	; '
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  31h	; 1
		db  6Dh	; m
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  20h
		db  4Eh	; N
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  32h	; 2
		db  6Dh	; m
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  40h	; @
		db  9Ch	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  34h	; 4
		db  6Dh	; m
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  80h	; 
		db  38h	; 8
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db  38h	; 8
		db  6Dh	; m
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  71h	; q
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db  31h	; 1
		db  36h	; 6
		db  6Dh	; m
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0E2h	; 
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db  33h	; 3
		db  32h	; 2
		db  6Dh	; m
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0C4h	; 
		db    9
		db    0
		db    0
		db    0
		db    0
		db    0
		db  36h	; 6
		db  34h	; 4
		db  6Dh	; m
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  88h	; 
		db  13h
		db    0
		db    0
		db    0
		db    0
		db    0
		db  31h	; 1
		db  32h	; 2
		db  38h	; 8
		db  6Dh	; m
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  10h
		db  27h	; '
		db    0
		db    0
		db    0
		db    0
		db    0
		db  32h	; 2
		db  35h	; 5
		db  36h	; 6
		db  6Dh	; m
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  20h
		db  4Eh	; N
		db    0
		db    0
		db    0
		db    0
		db    0
		db  35h	; 5
		db  31h	; 1
		db  32h	; 2
		db  6Dh	; m
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  80h	; 
		db  96h	; 
		db  98h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  31h	; 1
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  2Dh	; -
		db  31h	; 1
		db    1
		db    0
		db    0
		db    0
		db    0
		db  32h	; 2
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  5Ah	; Z
		db  62h	; b
		db    2
		db    0
		db    0
		db    0
		db    0
		db  34h	; 4
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0B4h	; 
		db 0C4h	; 
		db    4
		db    0
		db    0
		db    0
		db    0
		db  38h	; 8
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  68h	; h
		db  89h	; 
		db    9
		db    0
		db    0
		db    0
		db    0
		db  31h	; 1
		db  36h	; 6
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0D0h	; 
		db  12h
		db  13h
		db    0
		db    0
		db    0
		db    0
		db  33h	; 3
		db  32h	; 2
		db  73h	; s
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  46h	; F
		db 0C3h	; 
		db  23h	; #
		db    0
		db    0
		db    0
		db    0
		db  31h	; 1
		db  6Dh	; m
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  8Ch	; 
		db  86h	; 
		db  47h	; G
		db    0
		db    0
		db    0
		db    0
		db  32h	; 2
		db  6Dh	; m
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  18h
		db  0Dh
		db  8Fh	; 
		db    0
		db    0
		db    0
		db    0
		db  34h	; 4
		db  6Dh	; m
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  30h	; 0
		db  1Ah
		db  1Eh
		db    1
		db    0
		db    0
		db    0
		db  38h	; 8
		db  6Dh	; m
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  60h	; `
		db  34h	; 4
		db  3Ch	; <
		db    2
		db    0
		db    0
		db    0
		db  31h	; 1
		db  36h	; 6
		db  6Dh	; m
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db  3Eh	; >
		db  20h
		db  31h	; 1
		db  36h	; 6
		db  6Dh	; m
		db    0
		db    0
		db    0
_PopPowerRequestObjectType dd 0		; DATA XREF: PopCreatePowerRequestObject+59r
					; PopPowerRequestActionInfo+31r ...
_PpmPerfQosTransitionHysteresisOverride	dd 0FFFFFFFFh
					; DATA XREF: PpmRegisterPerfStates+1FDr
					; PopConfigureHeteroPolicies(x,x):loc_8A12F3r ...
_PpmPerfQosManageIdleProcessors	dd 0FFFFFFFFh
					; DATA XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+3A5r
					; PpmRegisterPerfStates+478r ...
_PopEnableHibernateMemoryMapValidationOverride dd 0FFFFFFFFh
					; DATA XREF: PopHiberEvaluateSkippingMemoryMapValidation()r
					; INIT:00AF4C28o
_PopEnforceConsoleLockScreenTimeout dd 0 ; DATA	XREF: PopGetLockConsoleTimeoutUnsafe(x)+23r
					; INIT:00AF4AD8o
_PopDeepIoCoalescingEnabled dd 0	; DATA XREF: PdcPoResiliencyClient(x,x,x)+1Cr
					; PdcPoResiliencyClient(x,x,x)+2Cr ...
; int PopDripsSwHwDivergenceThreshold
_PopDripsSwHwDivergenceThreshold dd 10Eh
					; DATA XREF: PopDiagTraceCsDripsDivergence(x,x,x,x,x,x)+19r
					; PopDripsWatchdogCheckHwDivergence(x,x,x,x)+40r ...
_PopDripsSwHwDivergenceEnableLiveDump dd 0
					; DATA XREF: PopDripsWatchdogCheckHwDivergence(x,x,x,x)+76r
					; INIT:00AF4A90o
_PpmExitLatencyCheckEnabled dd 1	; DATA XREF: PoInitSystem:loc_AE49B8w
					; INIT:00AF4A30o
_PopDirectedDripsDebounceInterval db  78h ; x ;	DATA XREF: INIT:00AF49A0o
		db    0
		db    0
		db    0
_PopDirectedDripsAction	db    3		; DATA XREF: INIT:00AF49B8o
		db    0
		db    0
		db    0
_PopDripsWatchdogTimeout dd 12Ch	; DATA XREF: PopDirectedDripsQueryPs4Support+877C4r
					; PopDripsWatchdogInitializeDiagnosticTimer(x)r ...
_PopDripsWatchdogAction	db 0C6h		; DATA XREF: PopDripsWatchdogInitializeActions(x)+6r
					; INIT:00AF4958o
		align 4
_PopDirectedDripsTimeout dd 12Ch	; DATA XREF: PopDirectedDripsQueryPs4Support:loc_935764r
					; PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+26r ...
_PopDripsCallbackInterval dd 23h	; DATA XREF: PopDirectedDripsQueryPs4Support:loc_935754r
					; PopDripsWatchdogInitializeCallbackTimer(x)+3r ...
_PopStandbyConnectivityGracePeriod dd 0	; DATA XREF: PopNetArmDsEvaluationTimer()+24r
					; INIT:00AF47C0o
_PpmPerfBootHeteroPolicyOverrideEnabled	dd 1 ; DATA XREF: PpmPerfClearBootOverridesr
					; PpmPerfClearBootOverrides:loc_561B06w ...
_PopEnforceDisconnectedStandby dd 0	; DATA XREF: PopNetInitialize:loc_AC1D4Er
					; PopNetInitialize:loc_AE4C05r	...
_PpmHighPerfDuration dd	15F90h		; DATA XREF: PpmEndHighPerfRequest+24r
					; PpmEndHighPerfRequest+4Ar ...
unk_7054BC	db  88h	; 		; DATA XREF: INIT:00AF46E8o
		db  13h
		db    0
		db    0
unk_7054C0	db  90h	; 		; DATA XREF: INIT:00AF4700o
		db  5Fh	; _
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
_PpmIdleDurationExpirationTimeoutMs dd 4 ; DATA	XREF: PpmInstallNewIdleStates:loc_5F7D97r
					; PpmIdleEnableIdleDurationExpirationTimeout()r ...
_PpmIdleDisableStatesAtBoot dd 0FFFFFFFFh ; DATA XREF: PpmInstallNewIdleStates:loc_574B3Br
					; PpmInstallCoordinatedIdleStates(x)+1DEr ...
_PpmHeteroImplementationGeneration dd 1	; DATA XREF: PpmParkDistributeUtility:loc_486387r
					; PpmParkDistributeUtility+12FC56r ...
_PpmPerfArtificialDomainSetting	dd 0FFFFFFFFh
					; DATA XREF: PopInitializeHeteroProcessors(x):loc_8A0E8Br
					; PoInitSystem+60Br ...
_PpmParkUseCoreGranularity dd 1		; DATA XREF: PpmParkRegisterParking+142r
					; PpmEventStaticPolicyRundown()+D3o ...
_PpmParkMultiparkGranularity dd	8	; DATA XREF: PpmParkRegisterParking+38Br
					; PpmEventStaticPolicyRundown()+E3o ...
_PpmLatencyToleranceLimit dd 186A0h	; DATA XREF: PopFxGetLatencyLimitWithoutResiliency():loc_43D74Er
					; INIT:00AF45C8o
dword_7054E4	dd 32C9h		; DATA XREF: PopFxGetLatencyLimitWithoutResiliency()+19r
					; INIT:00AF45E0o
dword_7054E8	dd 4E20h		; DATA XREF: PopFxGetLatencyLimitWithoutResiliency():loc_43D754r
					; INIT:00AF45F8o
dword_7054EC	dd 16E360h		; DATA XREF: PoFxSendSystemLatencyUpdate:loc_5AB7AAr
					; INIT:00AF4610o
_PpmPerfIdealAggressiveIncreaseThreshold db 5Ah
					; DATA XREF: PpmPerfSelectProcessorState:loc_48F469r
					; PpmEventStaticPolicyRundown()+7Bo ...
		align 4
_PpmPerfSingleStepSize dd 5		; DATA XREF: PpmPerfSelectProcessorState+1FFr
					; PpmPerfSelectProcessorState:loc_5B9814r ...
_PpmPerfCalculateActualUtilization dd 1	; DATA XREF: PpmPerfSelectProcessorState:loc_48F488r
					; PpmEventStaticPolicyRundown()+AAo ...
_PpmMfOverridesDisabled	db    1		; DATA XREF: INIT:00AF45B0o
		db    0
		db    0
		db    0
_PopPlatformRoleOverride dd 0FFFFFFFFh	; DATA XREF: PopInitPlatformSettings:loc_AD7E14r
					; INIT:00AF4538o
_PopPlatformAoAcOverride dd 0FFFFFFFFh	; DATA XREF: PopInitPlatformSettings:loc_AD7E22r
					; PopDripsWatchdogInitializeActions(x)r ...
_PopPowerActionTransitioningWatchdogTimeoutDefault dd 258h
					; DATA XREF: PopUpdatePowerActionWatchdogTimeouts():loc_85BBD2r
					; INIT:00AF44D8o
_PopPowerActionResumingWatchdogTimeoutDefault dd 12Ch
					; DATA XREF: PopUpdatePowerActionWatchdogTimeouts()+2Cr
					; INIT:00AF44F0o
_PopSmartUserPresenceAction dd 0	; DATA XREF: PopIdleChooseDozeS4Time(x,x):loc_65AD36r
					; PopUpdateSmartUserPresencePredictions(x,x,x):loc_9BA0B7r ...
_PopDozeDeferralMaxSeconds dd 3F480h	; DATA XREF: PopDiagTraceDozeDeferralDecision(x,x,x,x,x,x,x,x,x)+116r
					; PopDeferDoze(x,x,x)+24r ...
_PopDozeDeferralChecksToIgnore dd 0	; DATA XREF: PopDeferDoze(x,x,x):loc_9B58B6r
					; INIT:00AF4478o
_PopSmartUserPresenceGracePeriod dd 708h ; DATA	XREF: PopIdleChooseDozeS4Time(x,x)+A0r
					; INIT:00AF4400o
_PopSmartUserPresenceWakeOffset	dd 12Ch	; DATA XREF: PopIdleChooseDozeS4Time(x,x):loc_65AD82r
					; PAGELK:0071F47Er ...
_PopSmartUserPresenceCheckTimeout dd 2A30h ; DATA XREF:	PopIdleAoAcDozeToS4(x)+85r
					; INIT:00AF4430o
_PopHiberChecksummingEnabledReg	dd 1	; DATA XREF: PopHiberInitializeResources+BAr
					; PopHiberInitializeResources+15Ar ...
_PopHiberFileTypeReg dd	0FFFFFFFFh	; DATA XREF: PoInitHiberServices:loc_885F2Cr
					; PopSetHiberFileType(x,x)+CFw	...
_PopHiberFileTypeDefaultReg dd 0FFFFFFFFh ; DATA XREF: PoInitHiberServices+55r
					; INIT:00AF4208o
_PopHiberEnabledReg dd 0FFFFFFFFh	; DATA XREF: PoInitHiberServices+22r
					; PopSaveHibernateEnabled()+2Cw ...
_PopHiberFileBucket db	  0		; DATA XREF: PopCalculateHiberFileSize(x,x):loc_87015Do
		db    0
		db    0
		db  40h	; @
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_705544	db  14h			; DATA XREF: INIT:00AF4238o
		db    0
		db    0
		db    0
unk_705548	db  28h	; (		; DATA XREF: INIT:00AF4220o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  80h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_70555C	db  14h			; DATA XREF: INIT:00AF4268o
		db    0
		db    0
		db    0
unk_705560	db  28h	; (		; DATA XREF: INIT:00AF4250o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_705574	db  14h			; DATA XREF: INIT:00AF4298o
		db    0
		db    0
		db    0
unk_705578	db  28h	; (		; DATA XREF: INIT:00AF4280o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_70558C	db  14h			; DATA XREF: INIT:00AF42C8o
		db    0
		db    0
		db    0
unk_705590	db  28h	; (		; DATA XREF: INIT:00AF42B0o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_7055A4	db  14h			; DATA XREF: INIT:00AF42F8o
		db    0
		db    0
		db    0
unk_7055A8	db  28h	; (		; DATA XREF: INIT:00AF42E0o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_7055BC	db  14h			; DATA XREF: INIT:00AF4328o
		db    0
		db    0
		db    0
unk_7055C0	db  28h	; (		; DATA XREF: INIT:00AF4310o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db    0
		db    0
		db    0
		db    0
unk_7055D4	db  14h			; DATA XREF: INIT:00AF4358o
		db    0
		db    0
		db    0
unk_7055D8	db  28h	; (		; DATA XREF: INIT:00AF4340o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_PopHiberEnabledDefaultReg dd 0FFFFFFFFh ; DATA	XREF: PoInitHiberServices+36r
					; INIT:00AF4190o
_PopHiberFileSizePercent dd 64h		; DATA XREF: PopCalculateHiberFileSize(x,x)+3Br
					; PopSetHiberFileSize(x,x)+2Er	...
_PopWatchdogResumeTimeout dd 258h	; DATA XREF: PopComputeWatchdogTimeout(x):loc_55D1C8r
					; PoFxInitPowerManagement+132r	...
_PopSkipTickPolicy dd 1			; DATA XREF: PopNewProcessorCallback(x,x,x)+19r
					; PoInitSystem+675r ...
_PopWatchdogSleepTimeout dd 258h	; DATA XREF: PopComputeWatchdogTimeout(x):loc_55D1BCr
					; PnpBugcheckPowerTimeout(x)+Er ...
_PopHiberFileType dd 2			; DATA XREF: PopCalculateHiberFileSize(x,x)+4Er
					; PoInitHiberServices:loc_927DA9w ...
_PopDripsWakePeriodAccountingBucketLimitsHns dd	0
					; DATA XREF: PopInitDripsWakeAccounting()+5Ar
dword_7055FC	dd 0			; DATA XREF: PopInitDripsWakeAccounting()+54r
		db  40h	; @
		db  4Bh	; K
		db  4Ch	; L
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  5Ah	; Z
		db  62h	; b
		db    2
		db    0
		db    0
		db    0
		db    0
		db  80h	; 
		db 0D1h	; 
		db 0F0h	; 
		db    8
		db    0
		db    0
		db    0
		db    0
		db    0
		db  46h	; F
		db 0C3h	; 
		db  23h	; #
		db    0
		db    0
		db    0
		db    0
		db    0
		db  5Eh	; ^
		db 0D0h	; 
		db 0B2h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db  1Ah
		db  71h	; q
		db  18h
		db    2
		db    0
		db    0
		db    0
		db    0
		db  34h	; 4
		db 0E2h	; 
		db  30h	; 0
		db    4
		db    0
		db    0
		db    0
		db    0
		db  68h	; h
		db 0C4h	; 
		db  61h	; a
		db    8
		db    0
		db    0
		db    0
		db    0
		db 0A0h	; 
		db  11h
		db  87h	; 
		db  21h	; !
		db    0
		db    0
		db    0
		db    0
		db 0E0h	; 
		db  34h	; 4
		db  95h	; 
		db  64h	; d
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_PopDripsWakeIdleAccountingBucketLimitsMs dd 0 ; DATA XREF: PopInitDripsWakeAccounting()+1Er
dword_70565C	dd 0			; DATA XREF: PopInitDripsWakeAccounting()+18r
		db 0F4h	; 
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0A0h	; 
		db  0Fh
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  60h	; `
		db 0EAh	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0E0h	; 
		db  93h	; 
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0A0h	; 
		db 0BBh	; 
		db  0Dh
		db    0
		db    0
		db    0
		db    0
		db    0
		db  40h	; @
		db  77h	; w
		db  1Bh
		db    0
		db    0
		db    0
		db    0
		db    0
		db  80h	; 
		db 0EEh	; 
		db  36h	; 6
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0BAh	; 
		db 0DBh	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
_PopApicMode	dd 4			; DATA XREF: PopCheckSkipTickr
					; PoInitSystem+6ABw
_PpmPerfQosTransitionHysteresis	dd 0	; DATA XREF: PpmRegisterPerfStates+156w
					; PpmRegisterPerfStates+208r ...
_PpmHeteroPolicy dd 4			; DATA XREF: PpmParkRegisterParking:loc_573B60r
					; PpmParkApplyPolicy:loc_573F3Dr ...
_PpmHeteroDesiredPolicy	dd 4		; DATA XREF: PopInitializeHeteroProcessors(x):loc_8A0E81r
					; PopPpmHeteroPolicyCallback+44r ...
_PoSkipTickMode	dd 2			; DATA XREF: KiForwardTick+8r
					; KiForwardTick+A4r ...
_PopPepPlatformState dd	0		; DATA XREF: PopPepDeviceStarted+43r
					; PopPepUpdateIdleStateRefCount+8494Fr	...
; void PpmPolicyConfigTable
_PpmPolicyConfigTable dd offset	aPerfdecreasepo
					; DATA XREF: PpmInitPolicyConfiguration()+A7o
					; "PerfDecreasePolicy"
off_7056C4	dd offset _GUID_PROCESSOR_PERF_DECREASE_POLICY
					; DATA XREF: PpmSetProfilePolicySetting:loc_766D20o
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
dword_7056D0	dd 22h			; DATA XREF: PpmCompareAndApplyPolicySettings(x,x,x)+DBr
					; PpmInfoTraceProfileSettings()+2Do
dword_7056D4	dd 2			; DATA XREF: PpmCompareAndApplyPolicySettings(x,x,x):loc_9B5B79r
					; PpmInitPolicyConfiguration():loc_AD4D40w
byte_7056D8	db 2			; DATA XREF: PpmCompareAndApplyPolicySettings(x,x,x)+9Fr
					; PpmInitPolicyConfiguration():loc_AD4C95r
byte_7056D9	db 15h			; DATA XREF: PpmCompareAndApplyPolicySettings(x,x,x)+ABr
					; PpmInitPolicyConfiguration()+24r
		align 4
		dd offset aPerfincreasepo ; "PerfIncreasePolicy"
		dd offset loc_4105AB+1
		align 8
		db    3
		db    0
		db    0
		db    0
		db  24h	; $
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    3
		db  15h
		db    0
		db    0
		dd offset aPerfdecreaseti ; "PerfDecreaseTime"
		dd offset loc_410579+3
		db    1
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  1Eh
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		dd offset loc_41064C
		dd offset _GUID_PROCESSOR_PERF_INCREASE_TIME
		db    1
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  20h
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    1
		db    5
		db    0
		db    0
		dd offset loc_410660
		dd offset _GUID_PROCESSOR_PERF_DECREASE_THRESHOLD
		db    1
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  26h	; &
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    4
		db    5
		db    0
		db    0
		dd offset loc_410677+1
		dd offset loc_41063A+2
		db    1
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  28h	; (
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    5
		db    5
		db    0
		db    0
		dd offset loc_41068F+1
		dd offset _GUID_PROCESSOR_THROTTLE_MINIMUM
		db    0
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  1Ah
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    6
		db  25h	; %
		db    0
		db    0
		dd offset aPerfmaxpolicy ; "PerfMaxPolicy"
		dd offset loc_41062A+2
		align 10h
		db  64h	; d
		db    0
		db    0
		db    0
		db  1Ch
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    7
		db  25h	; %
		db    0
		db    0
		dd offset aPerftimecheck ; "PerfTimeCheck"
		dd offset _GUID_PROCESSOR_PERF_TIME_CHECK
		db    1
		db    0
		db    0
		db    0
		db  88h	; 
		db  13h
		db    0
		db    0
		db  14h
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    8
		db    1
		db    0
		db    0
		dd offset aPerfboostpolic ; "PerfBoostPolicy"
		dd offset _GUID_PROCESSOR_PERF_BOOST_POLICY
		align 8
		db  64h	; d
		db    0
		db    0
		db    0
		db  34h	; 4
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    9
		db    1
		db    0
		db    0
		dd offset aPerfboostmode ; "PerfBoostMode"
		dd offset loc_41059B+1
		db    0
		db    0
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db  38h	; 8
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db  0Ah
		db  21h	; !
		db    0
		db    0
		dd offset aEnergyperfpref ; "EnergyPerfPreference"
		dd offset _GUID_PROCESSOR_PERF_ENERGY_PERFORMANCE_PREFERENCE
		align 10h
		db 0FFh
		db    0
		db    0
		db    0
		db  40h	; @
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db  26h	; &
		db  25h	; %
		db    0
		db    0
		dd offset aAutonomousacti ; "AutonomousActivityWindow"
		dd offset loc_4104D9+3
		db    0
		db    0
		db    0
		db    0
		db  80h	; 
		db 0A9h	; 
		db 0B2h	; 
		db  4Bh	; K
		db  48h	; H
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db  27h	; '
		db  21h	; !
		db    0
		db    0
		dd offset aAutonomouspref ; "AutonomousPreference"
		dd offset _GUID_PROCESSOR_PERF_AUTONOMOUS_MODE
		align 8
		db    1
		db    0
		db    0
		db    0
		db  4Ch	; L
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  28h	; (
		db  21h	; !
		db    0
		db    0
		dd offset aThrottlingpoli ; "ThrottlingPolicy"
		dd offset _GUID_PROCESSOR_ALLOW_THROTTLING
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  0Bh
		db    1
		db    0
		db    0
		dd offset aParkingperfsta ; "ParkingPerfState"
		dd offset _GUID_PROCESSOR_PARKING_PERF_STATE
		align 10h
		db    2
		db    0
		db    0
		db    0
		db  79h	; y
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db  0Dh
		db    5
		db    0
		db    0
		dd offset aPerfhistorycou ; "PerfHistoryCount"
		dd offset locret_4103FA+2
		db    1
		db    0
		db    0
		db    0
		db  80h	; 
		db    0
		db    0
		db    0
		db  18h
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db  0Ch
		db    5
		db    0
		db    0
		dd offset aLatencyhintper ; "LatencyHintPerf"
		dd offset _GUID_PROCESSOR_PERF_LATENCY_HINT_PERF
		align 8
		db  64h	; d
		db    0
		db    0
		db    0
		db  4Dh	; M
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db  0Eh
		db    5
		db    0
		db    0
		dd offset aLatencyhintunp ; "LatencyHintUnpark"
		dd offset _GUID_PROCESSOR_LATENCY_HINT_MIN_UNPARK
		db    0
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  4Fh	; O
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db  0Fh
		db    5
		db    0
		db    0
		dd offset aDutycycling	; "DutyCycling"
		dd offset _GUID_PROCESSOR_DUTY_CYCLING
		align 10h
		db    1
		db    0
		db    0
		db    0
		db  78h	; x
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  29h	; )
		db    1
		db    0
		db    0
		dd offset aFrequencycap	; "FrequencyCap"
		dd offset _GUID_PROCESSOR_FREQUENCY_LIMIT
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db  2Ch	; ,
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db  2Ah	; *
		db  25h	; %
		db    0
		db    0
		dd offset aCpdecreasepoli ; "CPDecreasePolicy"
		dd offset loc_4105CA+2
		align 8
		db    3
		db    0
		db    0
		db    0
		db  80h	; 
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  12h
		db    1
		db    0
		db    0
		dd offset aCpincreasepoli ; "CPIncreasePolicy"
		dd offset loc_410528+4
		db    0
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db  81h	; 
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  13h
		db    1
		db    0
		db    0
		dd offset aCpmincores_1	; "CPMinCores"
		dd offset _GUID_PROCESSOR_CORE_PARKING_MIN_CORES
		align 10h
		db  64h	; d
		db    0
		db    0
		db    0
		db  8Ch	; 
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db  10h
		db    5
		db    0
		db    0
		dd offset aCpmaxcores_1	; "CPMaxCores"
		dd offset loc_41050A+2
		db    0
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  8Eh	; 
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db  11h
		db    5
		db    0
		db    0
		dd offset aCpdecreaseti_1 ; "CPDecreaseTime"
		dd offset loc_41047B+1
		db    1
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  84h	; 
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db  14h
		db    1
		db    0
		db    0
		dd offset aCpincreaseti_1 ; "CPIncreaseTime"
		dd offset loc_410489+3
		db    1
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  88h	; 
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db  15h
		db    1
		db    0
		db    0
		dd offset aCpoverutilizat ; "CPOverUtilizationThreshold"
		dd offset _GUID_PROCESSOR_CORE_PARKING_OVER_UTILIZATION_THRESHOLD
		db    5
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  7Ch	; |
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  16h
		db    1
		db    0
		db    0
		dd offset aCpdistributeut ; "CPDistributeUtility"
		dd offset loc_41039B+1
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  7Bh	; {
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  17h
		db    1
		db    0
		db    0
		dd offset aCpconcurrencyt ; "CPConcurrencyThreshold"
		dd offset loc_41046A+2
		db    5
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  7Dh	; }
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  18h
		db    1
		db    0
		db    0
		dd offset aCpheadroomthre ; "CPHeadroomThreshold"
		dd offset _GUID_PROCESSOR_PARKING_HEADROOM_THRESHOLD
		db    0
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  7Eh	; ~
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  19h
		db    1
		db    0
		db    0
		dd offset aCpdistributeth ; "CPDistributeThreshold"
		dd offset _GUID_PROCESSOR_PARKING_DISTRIBUTION_THRESHOLD
		align 10h
		db  64h	; d
		db    0
		db    0
		db    0
		db  7Fh	; 
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  1Ah
		db    1
		db    0
		db    0
		dd offset aSoftparklatenc ; "SoftParkLatency"
		dd offset _GUID_PROCESSOR_SOFT_PARKING_LATENCY
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db  90h	; 
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db  34h	; 4
		db    1
		db    0
		db    0
		dd offset aIdleallowscali ; "IdleAllowScaling"
		dd offset _GUID_PROCESSOR_IDLE_ALLOW_SCALING
		align 8
		db    1
		db    0
		db    0
		db    0
		db  94h	; 
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  1Bh
		db    2
		db    0
		db    0
		dd offset aIdledisable	; "IdleDisable"
		dd offset loc_4105DB+1
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  95h	; 
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  1Ch
		db    2
		db    0
		db    0
		dd offset aIdletimecheck ; "IdleTimeCheck"
		dd offset loc_4105E9+3
		db    1
		db    0
		db    0
		db    0
		db  40h	; @
		db  0Dh
		db    3
		db    0
		db  98h	; 
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db  1Dh
		db    2
		db    0
		db    0
		dd offset aIdledemotethre ; "IdleDemoteThreshold"
		dd offset loc_41053B+1
		db    0
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  9Ch	; 
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  1Eh
		db    2
		db    0
		db    0
		dd offset aIdlepromotethr ; "IdlePromoteThreshold"
		dd offset _GUID_PROCESSOR_IDLE_PROMOTE_THRESHOLD
		align 8
		db  64h	; d
		db    0
		db    0
		db    0
		db  9Dh	; 
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  1Fh
		db    2
		db    0
		db    0
		dd offset aIdlestatemax	; "IdleStateMax"
		dd offset loc_41058B+1
		db    0
		db    0
		db    0
		db    0
		db  14h
		db    0
		db    0
		db    0
		db  9Eh	; 
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  2Dh	; -
		db    2
		db    0
		db    0
		dd offset aHeterodecrease ; "HeteroDecreaseTime"
		dd offset _GUID_PROCESSOR_HETERO_DECREASE_TIME
		align 10h
		db  64h	; d
		db    0
		db    0
		db    0
		db  9Fh	; 
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  20h
		db    1
		db    0
		db    0
		dd offset aHeteroincrease ; "HeteroIncreaseTime"
		dd offset loc_4103DB+1
		db    0
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db 0A0h	; 
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  21h	; !
		db    1
		db    0
		db    0
		dd offset aHeterodecrea_1 ; "HeteroDecreaseThreshold"
		dd offset _GUID_PROCESSOR_HETERO_DECREASE_THRESHOLD
		db    1
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db 0A1h	; 
		db    0
		db    0
		db    0
		db  20h
		db    0
		db    0
		db    0
		db  22h	; "
		db    9
		db    0
		db    0
		dd offset aHeteroincrea_1 ; "HeteroIncreaseThreshold"
		dd offset _GUID_PROCESSOR_HETERO_INCREASE_THRESHOLD
		db    1
		db    0
		db    0
		db    0
		db 0FFh
		db    0
		db    0
		db    0
		db 0C1h	; 
		db    0
		db    0
		db    0
		db  20h
		db    0
		db    0
		db    0
		db  23h	; #
		db    9
		db    0
		db    0
		dd offset aClass0floorper ; "Class0FloorPerformance"
		dd offset _GUID_PROCESSOR_CLASS0_FLOOR_PERF
		align 10h
		db  64h	; d
		db    0
		db    0
		db    0
		db 0E1h	; 
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  24h	; $
		db    1
		db    0
		db    0
		dd offset aClass1initialp ; "Class1InitialPerformance"
		dd offset loc_410358+4
		db    0
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db 0E2h	; 
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db  25h	; %
		db    1
		db    0
		db    0
		dd offset aSchedulingpoli ; "SchedulingPolicy"
		dd offset _GUID_PROCESSOR_THREAD_SCHEDULING_POLICY
		align 8
		db    5
		db    0
		db    0
		db    0
		db 0E8h	; 
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db  2Bh	; +
		db    1
		db    0
		db    0
		dd offset aShortschedulin ; "ShortSchedulingPolicy"
		dd offset _GUID_PROCESSOR_SHORT_THREAD_SCHEDULING_POLICY
		db    0
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db 0E4h	; 
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db  2Ch	; ,
		db    1
		db    0
		db    0
		dd offset aResponsivene_3 ; "ResponsivenessDisableThreshold"
		dd offset loc_410389+3
		align 10h
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db  54h	; T
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db  2Eh	; .
		db    5
		db    0
		db    0
		dd offset aResponsivene_2 ; "ResponsivenessEnableThreshold"
		dd offset _GUID_PROCESSOR_RESPONSIVENESS_ENABLE_THRESHOLD
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db 0FFh
		db 0FFh
		db  5Ch	; \
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db  2Fh	; /
		db    5
		db    0
		db    0
		dd offset aResponsivene_5 ; "ResponsivenessDisableTime"
		dd offset _GUID_PROCESSOR_RESPONSIVENESS_DISABLE_TIME
		db    1
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db  30h	; 0
		db    5
		db    0
		db    0
		dd offset aResponsivene_0 ; "ResponsivenessEnableTime"
		dd offset _GUID_PROCESSOR_RESPONSIVENESS_ENABLE_TIME
		db    1
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  66h	; f
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db  31h	; 1
		db    5
		db    0
		db    0
		dd offset aResponsiveness ; "ResponsivenessEppCeiling"
		dd offset _GUID_PROCESSOR_RESPONSIVENESS_EPP_CEILING
		align 10h
		db  64h	; d
		db    0
		db    0
		db    0
		db  68h	; h
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db  32h	; 2
		db    5
		db    0
		db    0
		dd offset aResponsivene_1 ; "ResponsivenessPerfFloor"
		dd offset _GUID_PROCESSOR_RESPONSIVENESS_PERF_FLOOR
		db    0
		db    0
		db    0
		db    0
		db  64h	; d
		db    0
		db    0
		db    0
		db  70h	; p
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db  33h	; 3
		db    5
		db    0
		db    0
_PpmInfoDefaultProfileName:		; DATA XREF: PpmInitPolicyConfiguration()+6Co
		unicode	0, <Default>,0
_PsDfssShortTermSharingMS dd 1Eh	; DATA XREF: KeUpdateGroupSchedulingConstants+40r
					; KeUpdateGroupSchedulingConstants+4Cr	...
_PopMonitorEventMapping	dd 0		; DATA XREF: PopGetMonitorReasonFromPowerEventId(x):loc_553032r
					; PopGetPowerEventIdFromMonitorReason(x):loc_9B5EC4r
dword_705CA4	dd 1			; DATA XREF: PopGetMonitorReasonFromPowerEventId(x):loc_553021r
					; PopGetPowerEventIdFromMonitorReason(x):loc_9B5ED5r
		db    1
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db  1Ah
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		db    7
		db    0
		db    0
		db    0
		db    7
		db    0
		db    0
		db    0
		db    9
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		db  0Ah
		db    0
		db    0
		db    0
		db    9
		db    0
		db    0
		db    0
		db  0Bh
		db    0
		db    0
		db    0
		db  0Ah
		db    0
		db    0
		db    0
		db  0Ch
		db    0
		db    0
		db    0
		db  0Bh
		db    0
		db    0
		db    0
		db  0Dh
		db    0
		db    0
		db    0
		db  0Ch
		db    0
		db    0
		db    0
		db  0Eh
		db    0
		db    0
		db    0
		db  0Dh
		db    0
		db    0
		db    0
		db  0Fh
		db    0
		db    0
		db    0
		db  0Eh
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db  0Fh
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		db  11h
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  12h
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  13h
		db    0
		db    0
		db    0
		db  13h
		db    0
		db    0
		db    0
		db  14h
		db    0
		db    0
		db    0
		db  14h
		db    0
		db    0
		db    0
		db  15h
		db    0
		db    0
		db    0
		db  15h
		db    0
		db    0
		db    0
		db  16h
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  17h
		db    0
		db    0
		db    0
		db  12h
		db    0
		db    0
		db    0
		db  18h
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  19h
		db    0
		db    0
		db    0
		db  17h
		db    0
		db    0
		db    0
		db  1Ah
		db    0
		db    0
		db    0
		db  18h
		db    0
		db    0
		db    0
		db  1Bh
		db    0
		db    0
		db    0
		db  24h	; $
		db    0
		db    0
		db    0
		db  1Ch
		db    0
		db    0
		db    0
		db  2Bh	; +
		db    0
		db    0
		db    0
		db  1Dh
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  1Eh
		db    0
		db    0
		db    0
		db  19h
		db    0
		db    0
		db    0
		db  1Fh
		db    0
		db    0
		db    0
		db  1Bh
		db    0
		db    0
		db    0
		db  20h
		db    0
		db    0
		db    0
		db  1Ch
		db    0
		db    0
		db    0
		db  21h	; !
		db    0
		db    0
		db    0
		db  1Dh
		db    0
		db    0
		db    0
		db  22h	; "
		db    0
		db    0
		db    0
		db  1Eh
		db    0
		db    0
		db    0
		db  23h	; #
		db    0
		db    0
		db    0
		db  1Fh
		db    0
		db    0
		db    0
		db  24h	; $
		db    0
		db    0
		db    0
		db  20h
		db    0
		db    0
		db    0
		db  25h	; %
		db    0
		db    0
		db    0
		db  21h	; !
		db    0
		db    0
		db    0
		db  26h	; &
		db    0
		db    0
		db    0
		db  22h	; "
		db    0
		db    0
		db    0
		db  27h	; '
		db    0
		db    0
		db    0
		db  23h	; #
		db    0
		db    0
		db    0
		db  28h	; (
		db    0
		db    0
		db    0
		db  25h	; %
		db    0
		db    0
		db    0
		db  29h	; )
		db    0
		db    0
		db    0
		db  26h	; &
		db    0
		db    0
		db    0
		db  2Ah	; *
		db    0
		db    0
		db    0
		db  27h	; '
		db    0
		db    0
		db    0
		db  2Bh	; +
		db    0
		db    0
		db    0
		db  28h	; (
		db    0
		db    0
		db    0
		db  2Ch	; ,
		db    0
		db    0
		db    0
		db  29h	; )
		db    0
		db    0
		db    0
		db  2Dh	; -
		db    0
		db    0
		db    0
		db  2Ah	; *
		db    0
		db    0
		db    0
		db  2Eh	; .
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  2Fh	; /
		db    0
		db    0
		db    0
		db  2Ch	; ,
		db    0
		db    0
		db    0
		db  30h	; 0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  31h	; 1
		db    0
		db    0
		db    0
		db  2Eh	; .
		db    0
		db    0
		db    0
		db  32h	; 2
		db    0
		db    0
		db    0
		db  2Fh	; /
		db    0
		db    0
		db    0
_PpmPolicyAliasList dd offset loc_428CB3+1 ; DATA XREF:	PpmAllocateQueryTable(x):loc_9BA369r
					; PpmPolicyNameToGuid(x,x)+Eo
		dd offset loc_41062A+2
		dd offset aProcthrottlemi ; "procthrottlemin"
		dd offset _GUID_PROCESSOR_THROTTLE_MINIMUM
		dd offset aPerfdecthresho ; "perfdecthreshold"
		dd offset _GUID_PROCESSOR_PERF_DECREASE_THRESHOLD
		dd offset aPerfincthresho ; "perfincthreshold"
		dd offset loc_41063A+2
		dd offset aCpmaxcores	; "cpmaxcores"
		dd offset loc_41050A+2
		dd offset aCpmincores	; "cpmincores"
		dd offset _GUID_PROCESSOR_CORE_PARKING_MIN_CORES
		dd offset aCpdecreasetime ; "cpdecreasetime"
		dd offset loc_41047B+1
		dd offset aCpincreasetime ; "cpincreasetime"
		dd offset loc_410489+3
		dd offset aPerfdectime	; "perfdectime"
		dd offset loc_410579+3
		dd offset aPerfinctime	; "perfinctime"
		dd offset _GUID_PROCESSOR_PERF_INCREASE_TIME
		dd offset aThrottling	; "throttling"
		dd offset _GUID_PROCESSOR_ALLOW_THROTTLING
		dd offset aLatencyhintp_1 ; "latencyhintperf"
		dd offset _GUID_PROCESSOR_PERF_LATENCY_HINT_PERF
		dd offset aPerfcheck	; "perfcheck"
		dd offset _GUID_PROCESSOR_PERF_TIME_CHECK
		dd offset aCpconcurrency ; "cpconcurrency"
		dd offset loc_41046A+2
		dd offset aCpheadroom	; "cpheadroom"
		dd offset _GUID_PROCESSOR_PARKING_HEADROOM_THRESHOLD
		dd offset aDistributeutil ; "distributeutil"
		dd offset loc_41039B+1
		dd offset aPerfincpol	; "perfincpol"
		dd offset loc_4105AB+1
		dd offset aPerfincreasehi ; "perfincreasehistory"
		dd offset _GUID_PROCESSOR_PERF_INCREASE_HISTORY
		dd offset aPerfdecreasehi ; "perfdecreasehistory"
		dd offset loc_428356+2
		dd offset aPerfcoreparkin ; "perfcoreparkinghistory"
		dd offset loc_428376+2
_PsDfssLongTermSharingMS dd 0Fh		; DATA XREF: KeUpdateGroupSchedulingConstants+61r
					; KeUpdateGroupSchedulingConstants+6Br	...
_PsDfssLongTermFraction1024 dd 200h	; DATA XREF: KeUpdateGroupSchedulingConstants+9Er
					; ALMOSTRO:00705F18o
_PsDfssGenerationLengthMS dd 258h	; DATA XREF: KeQuerySchedulingGroupHistory+61r
					; KeUpdateGroupSchedulingConstants+80r	...
_PspSystemMitigationAuditOptionsLength dd 18h ;	DATA XREF: PspInitPhase0+1A0r
					; INIT:00AF3FCCo
_PspSehValidationPolicy	dd 2		; DATA XREF: PspInitPhase2(x)+E7r
					; INIT:00AF3F98o
_PspSystemMitigationOptionsLength dd 18h ; DATA	XREF: PspInitPhase0+126r
					; PspInitPhase0+14Cw ...
_PspCurDirDevicesSkippedForDlls	dd 0	; DATA XREF: PspInitPhase2(x)+10Ar
					; INIT:00AF35D8o
_PspDfssConfigValues dd	offset _PsDfssShortTermSharingMS
					; DATA XREF: PspReadDfssConfigurationValues()+74r
					; PspReadDfssConfigurationValues()+8Br
off_705EF8	dd offset aDfssshortterms ; DATA XREF: PspReadDfssConfigurationValues()+7Cr
					; "DfssShortTermSharingMS"
dword_705EFC	dd 1Eh			; DATA XREF: PspReadDfssConfigurationValues()+95r
		dd offset _PsDfssLongTermSharingMS
		dd offset aDfsslongtermsh ; "DfssLongTermSharingMS"
		db  0Fh
		db    0
		db    0
		db    0
		dd offset _PsDfssGenerationLengthMS
		dd offset aDfssgeneration ; "DfssGenerationLengthMS"
		db  58h	; X
		db    2
		db    0
		db    0
		dd offset _PsDfssLongTermFraction1024
		dd offset aDfsslongtermfr ; "DfssLongTermFraction1024"
		db    0
		db    2
		db    0
		db    0
_PsObjectDirectoryTeardownSlot dd 0FFFFFFFFh
					; DATA XREF: ObCreateSiloRootDirectory(x,x)+1DBr
					; PspInitializeSiloStructures+70o ...
_PsSystemRootSiloContextSlot dd	0FFFFFFFFh ; DATA XREF:	PspAssignSiloSystemRootPath(x,x)+95r
					; PspSiloInitializeSystemRootBuffer(x)+Fr ...
_PsObjectDirectorySiloContextSlot dd 0FFFFFFFFh
					; DATA XREF: OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO(x)+6r
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+3B4r ...
_PspSystemNoWakeChargeLimit dd 0C8h	; DATA XREF: PspEnforceLimitsJobPostCallback+211r
					; PspInitializeJobStructures:loc_ADAF2Cr ...
_PspJobNoWakeChargeLimit dd 32h		; DATA XREF: PspEnforceLimitsJobPostCallback+22Er
					; PspInitializeJobStructures+5Er ...
unk_705F38	db    0			; DATA XREF: VmInitSystem(x)+77o
		db    0
		db    0
		db    0
		dd offset loc_4250BA+3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_VmPauseOutswapSizeCapMB dd 200h	; DATA XREF: VmpPauseResumeNotify(x,x)+180r
					; INIT:00AF3BA8o
_EtwpSpinLockHoldThreshold dd 0		; DATA XREF: PerfLogSpinLockRelease(x,x,x,x):loc_68004Fr
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+32Fr ...
_EtwpSpinLockSpinThreshold dd 1		; DATA XREF: PerfLogSpinLockRelease(x,x,x,x)+A4r
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+30Fr ...
_EtwpSpinLockAcquireSampleRate dd 3E8h	; DATA XREF: PerfLogSpinLockRelease(x,x,x,x)+D7r
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+317r ...
_EtwpSpinLockContentionSampleRate dd 1	; DATA XREF: PerfLogSpinLockRelease(x,x,x,x)+B4r
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+31Fr ...
; int EtwpHostSiloState
_EtwpHostSiloState dd 0			; DATA XREF: EtwTraceKernelEvent(x,x,x,x,x)+Br
					; EtwTraceKernelEvent(x,x,x,x,x)+24r ...
_EtwpRealTimeConnectionObjectType dd 0	; DATA XREF: EtwpRealtimeConnect+196r
					; EtwpRealtimeDisconnectConsumerByHandle(x)+25r ...
_PoolHitTag	dd 0FFFFFF0Fh		; DATA XREF: ExpInsertPoolTrackerExpansion+1CBr
					; ExInsertPoolTag+68r ...
; Exported entry 429. ExSemaphoreObjectType
		public _ExSemaphoreObjectType
_ExSemaphoreObjectType dd 0		; DATA XREF: NtSignalAndWaitForSingleObject(x,x,x,x):loc_647AB6r
					; NtCreateSemaphore+65r ...
_ExpWorkerFactoryObjectType dd 0	; DATA XREF: NtReleaseWorkerFactoryWorker+37r
					; NtWorkerFactoryWorkerReady+36r ...
_ExMutantObjectType dd 0		; DATA XREF: NtSignalAndWaitForSingleObject(x,x,x,x):loc_647A69r
					; NtOpenMutant:loc_7C725Er ...
_ExpKeyedEventObjectType dd 0		; DATA XREF: NtCreateKeyedEvent+43r
					; NtOpenKeyedEvent(x,x,x)+4Fr ...
_ExProfileObjectType dd	0		; DATA XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+2F8r
					; NtStartProfile(x)+1Br ...
_ExpAeSamplingPeriodMask dd 0F00000h	; DATA XREF: ExReleaseAutoExpandPushLockShared+C1r
					; ExpAeThresholdInitialization+152w
_ExpAeCycleCountThreshold dd 0		; DATA XREF: ExReleaseAutoExpandPushLockShared+A1r
					; ExpAeThresholdInitialization:loc_ACBBF4w
_HvcallCodeVa	dd offset _HvcallpNoHypervisorPresent@0
					; DATA XREF: HvcallInitiateHypercall(x,x,x,x,x,x)+1Br
					; HvlpTryConfigureInterface+89ABCw
					; HvcallpNoHypervisorPresent()
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
; Exported entry 2573. TmTransactionObjectType
		public _TmTransactionObjectType
_TmTransactionObjectType dd 0		; DATA XREF: NtOpenKeyTransactedEx+CAr
					; NtCreateKeyTransacted+83r ...
; Exported entry 2565. TmResourceManagerObjectType
		public _TmResourceManagerObjectType
_TmResourceManagerObjectType dd	0	; DATA XREF: CmpInitCmRM+549r
					; Phase1InitializationDiscard(x)+836o
; Exported entry 2544. TmEnlistmentObjectType
		public _TmEnlistmentObjectType
_TmEnlistmentObjectType	db    0		; DATA XREF: Phase1InitializationDiscard(x)+831o
		db    0
		db    0
		db    0
; Exported entry 2572. TmTransactionManagerObjectType
		public _TmTransactionManagerObjectType
_TmTransactionManagerObjectType	dd 0	; DATA XREF: CmpInitCmRM:loc_7D963Br
					; Phase1InitializationDiscard(x)+82Co
; Exported entry 256. CmKeyObjectType
		public _CmKeyObjectType
_CmKeyObjectType dd 0			; DATA XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+260r
					; CmpDoBuildVirtualStack(x,x,x,x,x)+101r ...
_HvlpSchedulerType dd 0			; DATA XREF: HvlIsCoreSharingPossible()+10r
					; HvlpLogHypervisorSchedulerType()+21o	...
_HvlpHypervisorVersion db    0		; DATA XREF: HvlPhase0Initialize+9F5B1o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_HvlpMinrootConfigurationError db 0	; DATA XREF: HvlPhase2Initialize:loc_5FB353r
					; HvlpSelectVpSet(x,x,x)+2Aw ...
_HvlHypervisorConnected	db 0		; DATA XREF: HvlMarkHiberPhase()r
					; HvlEnlightenProcessor+20r ...
_HvlpCpuVendor	db 0			; DATA XREF: HvlStartBootLogicalProcessors+8A6D0w
					; HvlpDiscoverTopologyWorker+5r
_HvlHyperVRootPartition	db 0		; DATA XREF: HvlpDetermineEnlightenments()+260w
_HvlEnlightenments dd 0			; DATA XREF: KeFlushProcessTb+3r
					; KeFlushMultipleRangeTb+12r ...
_HvlpRootFlags	dd 0			; DATA XREF: HvlDebuggerSupportInitialize+23r
					; HvlStartBootLogicalProcessors+8A79Dr	...
_HvlpEnlightenments dd 0		; DATA XREF: HvlRescindEnlightenments(x)+16o
					; HvlRestoreEnlightenment(x)+Ar ...
; size_t HvlpLogicalProcessorCount
_HvlpLogicalProcessorCount dd 0		; DATA XREF: HvlStartBootLogicalProcessors+8A6E0w
					; HvlStartBootLogicalProcessors+8A71Dw	...
_HvlpGuestStateScrubbingStatus dd 0	; DATA XREF: HvlpLogGuestStateScrubbingStatus()+34w
					; HvlpLogGuestStateScrubbingStatus()+A7w ...
_HvlpHvIdentityInfoCallbackRecord db	? ; ; DATA XREF: HvlPhase1Initialize+86BCBo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_706018	db ?			; DATA XREF: HvlPhase1Initialize+86BD0w
		align 4
_HvlpFlags	dd ?			; DATA XREF: HvlStartBootLogicalProcessors+1Dr
					; KiQueryProcessorNode:loc_56A675r ...
; void HvlpLogicalProcessorRegions
_HvlpLogicalProcessorRegions dd	?	; DATA XREF: HvlStartBootLogicalProcessors+8A6E7w
					; HvlStartBootLogicalProcessors+8A7B3o	...
dword_706024	dd ?			; DATA XREF: HvlStartBootLogicalProcessors+8A661w
					; HvlStartBootLogicalProcessors+8A7CAo	...
dword_706028	dd ?			; DATA XREF: HvlStartBootLogicalProcessors+8A668o
					; HvlStartBootLogicalProcessors+8A690r	...
word_70602C	dw ?			; DATA XREF: HvlStartBootLogicalProcessors+8A672o
					; HvlStartBootLogicalProcessors+8A686r
word_70602E	dw ?			; DATA XREF: HvlStartBootLogicalProcessors+8A6AEw
unk_706030	db    ?	;		; DATA XREF: HvlStartBootLogicalProcessors+8A6A2o
					; HvlpDiscoverTopologyComplete()+77o
		db    ?	;
		db    ?	;
		db    ?	;
unk_706034	db    ?	;		; DATA XREF: HvlStartBootLogicalProcessors+8A696o
		db    ?	;
		db    ?	;
		db    ?	;
dword_706038	dd ?			; DATA XREF: HvlStartBootLogicalProcessors+8A6C5w
dword_70603C	dd ?			; DATA XREF: HvlStartBootLogicalProcessors+8A6BAw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db ?
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_706C65	db    ?	;		; DATA XREF: PAGEHDLS:??_C@_04PCJFHION@help@CIFEBFPJ@o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_HvlpQueryProcessorNode	dd ?		; DATA XREF: HvlStartBootLogicalProcessors+8A5EDw
					; HvlStartBootLogicalProcessors:loc_5F4242w ...
_HvlpPackageCount dd ?			; DATA XREF: HvlQueryProcessorTopologyCount(x,x)+1Cr
					; HvlpDiscoverTopologyComplete():loc_AEC855w
_HvlpQueryProximityId dd ?		; DATA XREF: HvlStartBootLogicalProcessors+8A5F5w
					; HvlStartBootLogicalProcessors+8A612w	...
_HvlpCoreCount	dd ?			; DATA XREF: HvlQueryProcessorTopologyCount(x,x)+2Ar
					; HvlpDiscoverTopologyComplete()+AEw
_HvlpVirtualProcessorMapping db	?	; DATA XREF: HvlEnlightenProcessor+8187Ew
					; HvlGetProcessorIndexFromVpIndex(x):loc_6079A9r ...
byte_70E231	db ?			; DATA XREF: HvlEnlightenProcessor+8188Bw
					; HvlGetProcessorIndexFromVpIndex(x)+40r ...
		db    ?	;
unk_70E233	db    ?	;		; DATA XREF: HvlpAffinityToVirtualAffinity(x)+21o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_HvlPartitionId	dd ?			; DATA XREF: HvlpDepositPages(x,x,x)+E5r
					; HvlpDetermineEnlightenments()+335w ...
dword_70E274	dd ?			; DATA XREF: HvlpDepositPages(x,x,x)+FCr
					; HvlpDetermineEnlightenments()+340w ...
_HvlpQueryNodeDistance dd ?		; DATA XREF: HvlStartBootLogicalProcessors+8A605w
					; HvlStartBootLogicalProcessors+8A61Ew	...
_HvlpActiveProcessorCount dd ?		; DATA XREF: HvlStartBootLogicalProcessors+8A782w
					; HvlQueryActiveHypervisorProcessorCount(x)+18r ...
_HvlpQueryProximityNode	dd ?		; DATA XREF: HvlStartBootLogicalProcessors+8A5FDw
					; HvlStartBootLogicalProcessors+8A618w	...
_HvlpReferenceTscPage dd ?		; DATA XREF: RtlGetMultiTimePrecise+42r
					; HvlGetQpcBias()r ...
_HvlpRescindedEnlightenments dd	?	; DATA XREF: HvlRescindEnlightenments(x)+2o
					; HvlpDetermineEnlightenments():loc_607737r
_IopWaitCompletionPacketObjectType dd ?	; DATA XREF: NtCancelWaitCompletionPacket+37r
					; NtAssociateWaitCompletionPacket+47r ...
; Exported entry 780. IoCompletionObjectType
		public _IoCompletionObjectType
_IoCompletionObjectType	dd ?		; DATA XREF: .text:0052243Er
					; .text:00522532r ...
_IoControllerObjectType	dd ?		; DATA XREF: IoCreateController(x)+14r
					; IoCreateObjectTypes+84o
; Exported entry 821. IoDriverObjectType
		public _IoDriverObjectType
_IoDriverObjectType dd ?		; DATA XREF: IopGetDriverPathInformation(x,x,x)+41r
					; IopGetLegacyVetoListDrivers+125r ...
; Exported entry 818. IoDeviceObjectType
		public _IoDeviceObjectType
_IoDeviceObjectType dd ?		; DATA XREF: ObpCreateSymbolicLinkName+22Dr
					; IoCreateDevice+11Cr ...
; Exported entry 736. IoAdapterObjectType
		public _IoAdapterObjectType
_IoAdapterObjectType db	   ? ;		; DATA XREF: IoCreateObjectTypes+5Bo
		db    ?	;
		db    ?	;
		db    ?	;
_IopDispatchFreeIrp dd ?		; DATA XREF: .text:005248DDr
					; IoFreeIrp(x)+8r ...
_IopDispatchCompleteRequest dd ?	; DATA XREF: IofCompleteRequest+8r
					; IopUpdateFunctionPointers(x,x,x)+62o	...
_IopDispatchCallDriver dd ?		; DATA XREF: IofCallDriver+8r
					; IofCallDriverSpecifyReturn+5r ...
_IopDispatchAllocateIrp	dd ?		; DATA XREF: IoAllocateIrp+5r
					; IopAllocateIrpExReturn+5r ...
; Exported entry 816. IoDeviceHandlerObjectSize
		public _IoDeviceHandlerObjectSize
_IoDeviceHandlerObjectSize db	 ? ;
		db    ?	;
		db    ?	;
		db    ?	;
; Exported entry 817. IoDeviceHandlerObjectType
		public _IoDeviceHandlerObjectType
_IoDeviceHandlerObjectType db	 ? ;
		db    ?	;
		db    ?	;
		db    ?	;
; Exported entry 827. IoFileObjectType
		public _IoFileObjectType
_IoFileObjectType dd ?			; DATA XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+66r
					; IopReferenceFileObject+6r ...
_KiHeteroSchedulerOptions dd ?		; DATA XREF: KiChooseTargetProcessor+2F1r
					; KiIsQosGroupingActive()r ...
_KiInterruptSteeringDisabled dd	?	; DATA XREF: KiIntSteerDetermineSteeringEnabledr
					; INIT:00AF64A0o
_KiDisableLightWeightSuspend dd	?	; DATA XREF: KiSuspendThread:loc_446738r
					; INIT:00AF6398o
_KiTLBCOverride	dd ?			; DATA XREF: KeRestoreProcessorSpecificFeatures()+8r
					; KiDisableCacheErrataSource()+19r ...
_KiPerfIsoEnabled dd ?			; DATA XREF: KiSelectLowestRankedThread+6r
					; KiDeferredReadySingleThread+1F8r ...
_KiCacheIsoBitmap db	? ;		; DATA XREF: INIT:00AF3F20o
		db    ?	;
		db    ?	;
		db    ?	;
_KiSchedulerAssistThreadFlagOverride dd	?
					; DATA XREF: KeInitializeSchedulerAssist:loc_AEB90Er
					; INIT:00AF3EA8o
_KiDisableTsx	dd ?			; DATA XREF: KeQuerySpeculationControlInformation(x,x,x)+2DDr
					; INIT:00ABFDBFr ...
_KeDpcWatchdogProfileOffset dd ?	; DATA XREF: INIT:00ABFF6Dr
					; INIT:00ABFF86w ...
; int KeLoaderBlock
_KeLoaderBlock	dd ?			; DATA XREF: KiStartDynamicProcessor(x,x,x,x)+34Ar
					; KiStartDynamicProcessor(x,x,x,x)+36Dw ...
_KeBootTime	dd ?			; DATA XREF: KeQueryBootTimeValues:loc_50A1D8r
					; KiUpdateSystemTime+C1w ...
dword_70E2EC	dd ?			; DATA XREF: KeQueryBootTimeValues+4Ar
					; KiUpdateSystemTime+C7w ...
; Exported entry 1129. KeDynamicPartitioningSupported
		public _KeDynamicPartitioningSupported
_KeDynamicPartitioningSupported	db ?	; DATA XREF: KeQueryMaximumProcessorCountEx+5r
					; HvlStartBootLogicalProcessors+8A827r	...
_KeRootProcNumaNodeLpsSpecified	db ?	; DATA XREF: HvlpSelectLpSet(x,x,x)+5Dw
					; HvlpSelectLpSet(x,x,x)+86w ...
_KeForceGroupAwareness db ?		; DATA XREF: KiAddProcessorToGroupDatabase+4Er
					; KeRevertToUserAffinityThreadEx(x)+18r ...
_KiGroupSchedulingEnabled db ?		; DATA XREF: KiQuantumEnd:loc_44325Fr
					; KiUpdateTime+17Cr ...
_KeNumprocSpecified dd ?		; DATA XREF: HvlpSelectLpSet(x,x,x):loc_60479Cr
					; KiStartDynamicProcessor(x,x,x,x)+C2r	...
_KeRootProcNumaNodes dw	?		; DATA XREF: HvlpSelectVpSet(x,x,x):loc_604A66r
					; HvlpSelectVpSet(x,x,x)+165r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiBugCodeMessages dd ?			; DATA XREF: KeGetBugMessageText(x,x)+16r
					; KeGetBugMessageText(x,x)+3Ar	...
_KeBootprocSpecified dd	?		; DATA XREF: HvlpSelectLpSet(x,x,x):loc_60478Fr
					; KeStartAllProcessors:loc_ABE40Er ...
_KeActiveProcessors dd ?		; DATA XREF: KeRevertToUserGroupAffinityThread:loc_43FFF6r
					; KeSetSystemGroupAffinityThread+1Ar ...
dword_70E324	dd ?			; DATA XREF: KeQuerySystemAllowedCpuSetAffinity+72r
					; KiForwardTick+E3r ...
dword_70E328	dd ?			; DATA XREF: KeRevertToUserGroupAffinityThread+E4r
					; KeSetSystemGroupAffinityThread+30r ...
_KeRootProcNumaNodesSpecified dd ?	; DATA XREF: HvlpSelectLpSet(x,x,x)+4Bw
					; HvlpSelectLpSet(x,x,x)+70w ...
; int KeMaximumProcessors
_KeMaximumProcessors dd	?		; DATA XREF: .text:0050FBB2r
					; KiUpdateCpuTargetByWeight+98r ...
_KeRootProcSpecified dd	?		; DATA XREF: HvlpSelectLpSet(x,x,x)+45w
					; HvlpSelectLpSet(x,x,x)+6Aw ...
_KeRootProcPerNodeSpecified dd ?	; DATA XREF: HvlpSelectLpSet(x,x,x)+51w
					; HvlpSelectLpSet(x,x,x)+76w ...
_KeHypervisorNumprocSpecified dd ?	; DATA XREF: HvlpSelectLpSet(x,x,x)+3Fw
					; HvlpSelectLpSet(x,x,x):loc_6047A9r ...
_KiProcessorBlock dd ?			; DATA XREF: KeQueryValuesThread+19Fr
					; KeQueryValuesThread+21Er ...
dword_70E344	dd ?			; DATA XREF: KiSetDebuggerOwner(x):loc_61F4A5r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KeRootProcNumaNodeLps dd ?		; DATA XREF: HvlpSelectVpSet(x,x,x)+1FDr
					; HvlpSelectVpSet(x,x,x)+3CFr ...
dword_70E3C4	dd ?			; DATA XREF: HvlpSelectVpSet(x,x,x)+204r
					; HvlpSelectVpSet(x,x,x)+3D6r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KeMaximumIncrement dd ?		; DATA XREF: ExpUpdateTimerResolution+40r
					; ExpUpdateTimerResolution+B4r	...
; char KeNumberProcessors
_KeNumberProcessors dd ?		; DATA XREF: KeQuerySchedulingGroupHistory+36r
					; RtlBackoff(x)+Fr ...
_KeRegisteredProcessors	dd ?		; DATA XREF: HvlpSelectLpSet(x,x,x):loc_604659r
					; HvlpSelectLpSet(x,x,x)+266r ...
_KeRootProcPerCoreSpecified dd ?	; DATA XREF: HvlpSelectLpSet(x,x,x)+57w
					; HvlpSelectLpSet(x,x,x)+7Cw ...
_KeTimeIncrement dd ?			; DATA XREF: ExpUpdateTimerResolution+6Cr
					; PoTraceSystemTimerResolutionUpdate+19r ...
_KeProcessorLevel dw ?			; DATA XREF: ExpGetSystemProcessorInformation+1Cr
					; KdpSetCommonState(x,x,x)+6r ...
_KeDisableLowQosTimerResolution	db ?	; DATA XREF: PspSetProcessPpmPolicy+2Ar
_KiMaximumIncrementShiftCount db ?	; DATA XREF: KiSetupTimeIncrement+B6w
_KiTsxSupported	dd ?			; DATA XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x):loc_56B5D9r
					; KeQuerySpeculationControlInformation(x,x,x):loc_991B07r ...
_KeSmapEnabled	dd ?			; DATA XREF: KiPublishProcessorFeatures(x):loc_ADC164w
_KiTsxSupportedAtBoot dd ?		; DATA XREF: KiInitializeKernel(x,x,x,x,x,x)+1DFw
					; KeQuerySpeculationControlInformation(x,x,x)+34Er
_KiVelocityFlags dd ?			; DATA XREF: KiFindNextTimerDueTime+17r
					; KiRetireDpcList:loc_4886FEr ...
_KiForceIdleDisabled dd	?		; DATA XREF: KeIsForceIdleEngaged()r
					; KeClockInterruptNotify+1Dr ...
_KiSchedulerAssistThreadFlagEnabled dd ? ; DATA	XREF: KiInitializeIdleThread(x,x,x,x)+C0r
					; PspAllocateThread:loc_770D61r ...
_KiDynamicTraceCallouts	db    ?	;	; DATA XREF: .data:006B1E98o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiDynamicTraceEnabled db    ? ;	; DATA XREF: .data:006B1E90o
		db    ?	;
		db    ?	;
		db    ?	;
_KiFavoredCoreCycleTimeBits dd ?	; DATA XREF: KiHeteroChooseTargetProcessor(x,x,x,x)+278r
					; INIT:00AC013Bw ...
_KiCacheErrataMonitor dd ?		; DATA XREF: KiMonitorCacheErrata(x,x)+Fr
					; KeKeepProcessorAlive(x,x)+9r	...
_KiNonNumaDistance db	 ? ;		; DATA XREF: ALMOSTRO:_KeNodeDistanceo
		db    ?	;
		db    ?	;
		db    ?	;
_KiIptMsrMask	dd ?			; DATA XREF: KeRestoreIptStateAfterProcessorComesOnliner
					; KeSaveIptStateBeforeProcessorGoesOffliner ...
_KiIptSaveAreaLength dd	?		; DATA XREF: KiGetSavedIptState(x,x,x)+61r
					; KeMarkHiberPhase+8517r ...
_KiQosHysteresisTimerPeriod dd ?	; DATA XREF: KiSetVirtualHeteroClockIntervalRequest(x)+31r
					; KeConfigureHeteroPolicy+A3w
_KiIa32MiscEnable dd ?			; DATA XREF: KiRestoreFeatureBits()+24r
					; KiInitMachineDependent+1F0w
dword_70E4BC	dd ?			; DATA XREF: KiRestoreFeatureBits()+29r
					; KiInitMachineDependent+1F5w
_KeHeteroSystemVirtual dd ?		; DATA XREF: KiIdleSchedule:loc_5AC4E6r
					; KiSwapThread:loc_5EE444r ...
_KeHeteroSystem	dd ?			; DATA XREF: KiIdleSchedule+44r
					; KiSwapThread+51Ar ...
_KiEfficiencyClassSystem dd ?		; DATA XREF: KiRetireDpcList:loc_4883F7r
					; KiDirectSwitchThread:loc_48D5BCr ...
_KeHeteroSystemQos dd ?			; DATA XREF: KiChooseTargetProcessor+30Ar
					; PsImpersonateContainerOfThread+124r ...
_KiLockQuantumTarget dd	?		; DATA XREF: KiSetLockOwnershipQuantum(x,x,x):loc_53BB10r
					; KiSetLockOwnershipQuantum(x,x,x):loc_53BB2Br	...
_KiDirectQuantumTarget dd ?		; DATA XREF: KiDirectSwitchThread+5FAr
					; INIT:00AC0110w
_KiMicrocodeTrackerEnabled dd ?		; DATA XREF: KiSetHardwareSpeculationControlFeatures(x,x,x)+B6w
					; KiCheckMicrocode+1Fr	...
_KiGenerationTicks dd ?			; DATA XREF: KiTransitionSchedulingGroupGeneration:loc_444008r
					; KiUpdateTime:loc_487CC5r ...
_KiMicrocodeTracker dd ?		; DATA XREF: KiCheckMicrocode:loc_723B59r
					; KiCheckMicrocode+F2w
dword_70E4E4	dd ?			; DATA XREF: KiCheckMicrocode+B0r
					; KiCheckMicrocode+100w
dword_70E4E8	dd ?			; DATA XREF: KiCheckMicrocode+B8r
					; KiCheckMicrocode+106w
dword_70E4EC	dd ?			; DATA XREF: KiCheckMicrocode+C0r
					; KiCheckMicrocode+10Cw
dword_70E4F0	dd ?			; DATA XREF: KiCheckMicrocode+CFr
					; KiCheckMicrocode+112w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiProcessorIndexToNumberMappingTable dd ?
					; DATA XREF: KeGetProcessorNumberFromIndex(x,x)+20r
					; KiAddProcessorToGroupDatabase+84w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiProcessorNumberToIndexMappingTable dd ? ; DATA XREF:	KiAddProcessorToGroupDatabase+8Bw
					; KiRemoveProcessorFromGroupDatabase(x)+4Aw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiPendingTimerBitmaps dd ?		; DATA XREF: KiFindNextTimerDueTime:loc_47F2A0r
					; KiFindNextTimerDueTime+1351CDr ...
dword_70E644	dd ?			; DATA XREF: KiExpireTimerTable+19Er
					; KiFindNextTimerDueTime+117r ...
_KiShortExecutionCycles	dd ?		; DATA XREF: KiTryLocalThreadSchedule+32r
					; KiReduceByEffectiveIdleSmtSet+A9D56r	...
_KeUserPopEntrySListFault dd ?		; DATA XREF: MiDispatchFault:loc_46849Dr
					; MiResolveProtoPteFault(x,x,x):loc_469775r ...
_KeUserPopEntrySListEnd	dd ?		; DATA XREF: KiCheckForSListAddress(x):loc_4E0803r
					; INIT:00AF6B24o
_KiBarrierWait	dd ?			; DATA XREF: KiIpiGenericCallTarget+1Fr
					; KiStartDynamicProcessor(x,x,x,x)+33Bw ...
_KeUserPopEntrySListResume dd ?		; DATA XREF: KiCheckForSListAddress(x):loc_4E07D9r
					; KiPreprocessAccessViolation+E36C4r ...
_KiBootProcessorsStarted dd ?		; DATA XREF: KiCheckMicrocode+34r
					; KeStartAllProcessors+4B6w
_KiBootProcessorCount dd ?		; DATA XREF: KiCheckMicrocode+43r
					; KeStartAllProcessors+4C1w
_KeNonHrTimeIncrement dd ?		; DATA XREF: KiUpdateTime+FCr
					; KiCheckForTimerExpiration+42Cr ...
_KiMaximumIncrementReciprocal dd ?	; DATA XREF: KiSetupTimeIncrement+ACw
dword_70E66C	dd ?			; DATA XREF: KiSetupTimeIncrement+BDw
_KeUserApcDispatcher dd	?		; DATA XREF: KiInitializeUserApc(x,x,x,x,x,x,x)+1B9r
					; INIT:00AF6B0Co
_KeUserExceptionDispatcher dd ?		; DATA XREF: KiDispatchException+569r
_KeUserCallbackDispatcher dd ?		; DATA XREF: sub_5808E5+1Er
					; sub_5808E5+91r ...
_KeProcessorRevision dw	?		; DATA XREF: ExpGetSystemProcessorInformation+26r
					; KiInitializeKernel(x,x,x,x,x,x):loc_7253A4w ...
_KiCpuSetCount	db ?			; DATA XREF: KiCreateCpuSetForProcessor+4Ew
_KiDynamicTickInitialized db ?		; DATA XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+3Cr
					; KeInitializeClock+94w
; Exported entry 1283. KeServiceDescriptorTable
		public _KeServiceDescriptorTable
_KeServiceDescriptorTable dd ?		; DATA XREF: PAGELK:0071A5CBo
					; PsConvertToGuiThread+27o ...
		align 8
dword_70E688	dd ?			; DATA XREF: KiInitSystem+9Fw
dword_70E68C	dd ?			; DATA XREF: KiInitSystem+B8w
dword_70E690	dd ?			; DATA XREF: KeAddSystemServiceTable(x,x,x,x,x)+17r
					; KeRemoveSystemServiceTable(x):loc_98FA95r
		align 8
dword_70E698	dd ?			; DATA XREF: KiInitSystem+C2w
		align 10h
_KeRaiseUserExceptionDispatcher	dd ?	; DATA XREF: KeRaiseUserException(x)+A4r
					; INIT:00AF6B1Co
_KePseudoHrTimeIncrement dd ?		; DATA XREF: KiSetClockInterval+9Aw
					; KiFindNextTimerDueTime+31r ...
; size_t KiCpuSetAffinitySize
_KiCpuSetAffinitySize dd ?		; DATA XREF: KeCpuSetReportParkedProcessors:loc_4EA450r
					; KiAllocateCpuSetData(x)+43w
_KiTotalCpuSetCount dd ?		; DATA XREF: KiCreateCpuSetForProcessor+54w
					; KeQueryCpuSetInformation+35r
_KiSystemAllowedCpuSets	dd ?		; DATA XREF: KiComputeCpuSetAffinity+1Fr
					; KiComputeCpuSetAffinity+26r ...
		align 8
_KiNonParkedCpuSets dd ?		; DATA XREF: KiComputeCpuSetAffinity:loc_4452C1r
					; KeCpuSetReportParkedProcessors+4Fr ...
_KiReservedCpuSets dd ?			; DATA XREF: KeSetSystemAllowedCpuSets:loc_4EA319r
					; KeAddSystemServiceTable(x,x,x,x,x)+76w ...
_KeServiceDescriptorTableFilter	db    ?	; ; DATA XREF: PsConvertToGuiThread:loc_7C8AB1o
					; KiInitSystem+D3o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_70E6D0	dd ?			; DATA XREF: KeAddSystemServiceTable(x,x,x,x,x):loc_8B4FC2r
					; KeRemoveSystemServiceTable(x)+3Ar
		align 10h
_KiCpuSetData	dd ?			; DATA XREF: KiGetCpuSetData(x,x)+3r
					; KiConfigureCpuSetSchedulingInformation+3Fr ...
_KiRestrictedSystemCpuSetsActive dd ?	; DATA XREF: KiComputeCpuSetAffinity+5Cr
					; KeQuerySystemAllowedCpuSetAffinity:loc_486DFAr ...
_KiClockTimerPerCpu db ?		; DATA XREF: KeResumeClockTimerFromIdle:loc_48CB37r
					; KeResumeClockTimerFromIdle:loc_48CCACr ...
; Exported entry 1207. KeNumberProcessors
		public _KeNumberProcessorsGroup0
_KeNumberProcessorsGroup0 db ?		; DATA XREF: KiSystemStartup(x)+1A7w
					; KiUpdateProcessorCount(x,x)+2Aw
_KiClockTimerAlwaysOnPresent db	?	; DATA XREF: KeInitializeClock:loc_ACBE8Fw
_KiClockTimerHighLatency db ?		; DATA XREF: KePrepareClockTimerForIdle(x,x,x,x,x)+134r
					; KeInitializeClock:loc_ACBE87w
; void *KiCpuSetAffinitiesShadow
_KiCpuSetAffinitiesShadow dd ?		; DATA XREF: KeCpuSetReportParkedProcessors:loc_4EA3E4r
					; KeCpuSetReportParkedProcessors+E2r ...
_KiCpuSetSequence dd ?			; DATA XREF: KiQueueReadyThread:loc_4407DFr
					; KiCheckThreadAffinity(x)r ...
dword_70E6F4	dd ?			; DATA XREF: KeQuerySystemAllowedCpuSetAffinity+28r
					; KeQuerySystemAllowedCpuSetAffinity+87r ...
; void *KiCpuSetAffinities
_KiCpuSetAffinities dd ?		; DATA XREF: KiComputeCpuSetAffinity:loc_4452D1r
					; KeCpuSetReportParkedProcessors+E8r ...
; Exported entry 1205. KeLoaderBlock
		public _KeLoaderBlockExported
_KeLoaderBlockExported db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_KeServiceDescriptorTableShadow	dd ?	; DATA XREF: PsConvertToGuiThread+BAo
					; KeAddSystemServiceTable(x,x,x,x,x)+36w ...
		align 8
dword_70E708	dd ?			; DATA XREF: KeAddSystemServiceTable(x,x,x,x,x)+3Fw
					; KeRemoveSystemServiceTable(x)+59w ...
dword_70E70C	dd ?			; DATA XREF: KeAddSystemServiceTable(x,x,x,x,x)+48w
					; KeRemoveSystemServiceTable(x)+5Fw ...
dword_70E710	dd ?			; DATA XREF: _KiEndUnexpectedRange+1Bo
					; KeAddSystemServiceTable(x,x,x,x,x)+20r ...
		align 8
dword_70E718	dd ?			; DATA XREF: PspQueryLastCallThread(x,x,x,x)+B9r
unk_70E71C	db    ?	;		; DATA XREF: PspQueryLastCallThread(x,x,x,x)+BEo
		db    ?	;
		db    ?	;
		db    ?	;
_KeTimeAdjustmentFrequency dd ?		; DATA XREF: KiSetupTimeIncrement+D6w
					; KeSetTimeAdjustment(x,x)+1Dr	...
dword_70E724	dd ?			; DATA XREF: KiSetupTimeIncrement+DCw
					; KeSetTimeAdjustment(x,x)+25r	...
_KeMinimumIncrement dd ?		; DATA XREF: ExpUpdateTimerResolution:loc_4308C0r
					; KiUpdateTime+F4r ...
_KeEnableWatchdogTimeout db ?		; DATA XREF: KeAccumulateTicks:loc_5B7B91r
					; KeAccumulateTicks:loc_5B7BFCr ...
_KiMaximizeGroupsCreated db ?		; DATA XREF: KiPerformGroupConfiguration:loc_ABED09w
					; KiPerformGroupConfiguration+2550Bw ...
_KiIsKvaShadowConfigDisabled db	?	; DATA XREF: KiEnableKvaShadowing(x,x)+Ew
_KiKvaLeakageSimulate db ?		; DATA XREF: KiEnableKvaShadowing(x,x)+46w
					; KiEnableKvaShadowing(x,x)+55r ...
_KiClockStateUpdateTimeout dd ?		; DATA XREF: KeInitializeClock+1AAEBw
dword_70E734	dd ?			; DATA XREF: KeInitializeClock+1AAF7w
_KeBootTimeBias	dd ?			; DATA XREF: KeQueryBootTimeValues+52r
					; KiUpdateSystemTime+CDw ...
dword_70E73C	dd ?			; DATA XREF: KeQueryBootTimeValues+59r
					; KiUpdateSystemTime+D3w ...
_KiEntropyTimingRoutine	dd ?		; DATA XREF: KiEntropyDpcRoutine(x,x,x,x)+2Cr
					; KiEntropyQueueDpc(x)r ...
_KiCpu0HardwareFlags dd	?		; DATA XREF: KiSetHardwareSpeculationControlFeatures(x,x,x)+81w
					; KiSetHardwareSpeculationControlFeatures(x,x,x):loc_56B182r
_KiI386FinalExceptionRegistration dd ?	; DATA XREF: KeI386InitializeSEHOP+31w
					; KeI386InitializeSEHOP+4Co
dword_70E74C	dd ?			; DATA XREF: KeI386InitializeSEHOP+40w
_KeFeatureBits	dd ?			; DATA XREF: KiInitializeContextThread+79r
					; KiInitializeContextThread+2A8r ...
dword_70E754	dd ?			; DATA XREF: KeInvalidateRangeAllCachesNoIpi+24r
					; KeSaveExtendedProcessorState+7r ...
_KiGroupBlock	dd ?			; DATA XREF: KiAddProcessorToGroupDatabase+24r
					; KiAddProcessorToGroupDatabase+47w ...
dword_70E75C	dd ?			; DATA XREF: KeCpuSetReportParkedProcessors:loc_5CE466r
					; KiConfigureHeteroProcessorsTarget(x,x,x,x)+A1w ...
_KiSpeculationFeatures dd ?		; DATA XREF: KiUpdateSpeculationControl(x)+Br
					; KiUpdateSpeculationControl(x):loc_4DE05Ar ...
dword_70E764	dd ?			; DATA XREF: KiUpdateSpeculationControl(x)+14r
					; KiUpdateSpeculationControl(x)+AFr ...
dword_70E768	dd ?			; DATA XREF: KiUpdateSpeculationControl(x)+1Dr
					; KiSetHardwareSpeculationControlFeatures(x,x,x)+73w
dword_70E76C	dd ?			; DATA XREF: KiUpdateSpeculationControl(x)+26r
					; KiSetHardwareSpeculationControlFeatures(x,x,x)+93w ...
dword_70E770	dd ?			; DATA XREF: KiUpdateSpeculationControl(x)+30r
					; KiSetHardwareSpeculationControlFeatures(x,x,x)+87w
dword_70E774	dd ?			; DATA XREF: KiUpdateSpeculationControl(x)+3Cr
					; KiSetHardwareSpeculationControlFeatures(x,x,x)+8Dw
_KeFeatureBits2	dd ?			; DATA XREF: KiRestoreFeatureBits()+74r
					; KiRestoreFeatureBits()+92r ...
dword_70E77C	dd ?			; DATA XREF: KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+46Ar
					; KiIsRfdsPresent(x)+9r ...
_KiKvaShadowMode dd ?			; DATA XREF: KeKvaShadowingActive()r
					; KiDetectHardwareSpecControlFeatures(x,x,x,x,x)+243r ...
_KiImplementedPhysicalBits dd ?		; DATA XREF: KeQueryImplementedPhysicalBits()r
					; PAGELK:007265A6r ...
_KiFlushPcid	db ?			; DATA XREF: KiStackAttachProcess+1C4r
					; KiAttachProcess+136r	...
; Exported entry 1362. Mm64BitPhysicalAddress
		public _Mm64BitPhysicalAddress
_Mm64BitPhysicalAddress	db ?		; DATA XREF: MiMemoryLicense:loc_AE757Fw
_PpmIdleRespectIdleStateMax db ?	; DATA XREF: PpmIdlePrepare+20Cr
					; PpmIdleEvaluateConstraints+ADr ...
_PopHiberEnabled db ?			; DATA XREF: PopEnableHiberFile(x,x)+D1w
					; PopEnableHiberFile(x,x):loc_8862E2r ...
_KiFpuLeakage	dd ?			; DATA XREF: KiInitializeKernel(x,x,x,x,x,x)+2E7w
_AlpcPortObjectType dd ?		; DATA XREF: ExpWorkerFactoryStartDeferredWork(x,x)+68r
					; NtAlpcCreateSecurityContext:loc_775AA2r ...
_AlpcMessageTable dd ?			; DATA XREF: AlpcpFreeMessageFunction+37r
					; AlpcpAllocateMessageFunction+2Dr ...
_AlpcpViewGranularity dd ?		; DATA XREF: AlpcpCreateRegion(x,x,x,x)+37r
					; AlpcpMapLegacyPortView(x,x,x)+ACr ...
_AlpcpDummyEvent dd ?			; DATA XREF: AlpcpInitializePort(x,x,x):loc_79B73Fr
					; AlpcpInitSystem+4Ew
_AlpcpRegionGranularity	dd ?		; DATA XREF: AlpcpCreateRegion(x,x,x,x)+3Cr
					; AlpcpCreateSection(x,x,x,x,x,x)+6Cr ...
_ExPageLockHandle dd ?			; DATA XREF: IoDeleteDevice:loc_5E80C2r
					; IoDeleteDevice+D4204r ...
_MmSystemCacheLimit dd ?		; DATA XREF: MiInitSystem+45Br
					; MiInitSystem+2A82Bo ...
_MmSystemPtesLimit dd ?			; DATA XREF: MiInitSystem+455r
					; MiInitSystem+2A832o ...
_MmSessionSpaceLimit dd	?		; DATA XREF: MiInitSystem+450r
					; MiInitSystem+2A839o ...
_MmNonPagedPoolLimit dd	?		; DATA XREF: MiInitSystem+467r
					; MiInitSystem+2A81Do ...
_MmPagedPoolLimit dd ?			; DATA XREF: MiInitSystem+461r
					; MiInitSystem+2A824o ...
_MmSizeOfPagedPoolInBytes dd ?		; DATA XREF: .data:006B1BC8o
					; CmpUpdateGlobalQuotaAllowed+Dr ...
; Exported entry 1466. MmSectionObjectType
		public _MmSectionObjectType
_MmSectionObjectType dd	?		; DATA XREF: MiReferenceAweHandle(x,x,x,x,x)+30r
					; ExpGetGlobalLocaleSection+17Er ...
; Exported entry 1488. MmUserProbeAddress
		public _MmUserProbeAddress
; void *MmUserProbeAddress
_MmUserProbeAddress dd ?		; DATA XREF: MmProbeAndLockSelectedPages+EEr
					; RtlWalkFrameChain+31Fr ...
_MmPfnDatabase	dd ?			; DATA XREF: MiComputePageCommitment(x,x,x,x,x,x)+1ACr
					; MiInitializeWorkingSetList(x,x,x,x)+73r ...
; Exported entry 1417. MmHighestUserAddress
		public _MmHighestUserAddress
_MmHighestUserAddress dd ?		; DATA XREF: RtlpImageDirectoryEntryToData32(x,x,x,x,x,x)+22r
					; KeContextToKframes+3BAr ...
; Exported entry 1474. MmSystemRangeStart
		public _MmSystemRangeStart
_MmSystemRangeStart dd ?		; DATA XREF: RtlWalkFrameChain+146r
					; ExpGetBilledProcess+22r ...
; Exported entry 1382. MmBadPointer
		public _MmBadPointer
_MmBadPointer	dd ?			; DATA XREF: MiUnlinkWorkingSet:loc_438304r
					; MiFindFreePageFileSpace+1Br ...
_MiFlags	dd ?			; DATA XREF: MiShadowTopLevelPxes+1Er
					; MiDeleteProcessShadow+10r ...
_MxPfnAllocation dd ?			; DATA XREF: MiPfnRangeIsZero+18r
					; MmIdentifyPhysicalMemory(x,x,x,x)+1BAr ...
; void *MmPhysicalMemoryBlock
_MmPhysicalMemoryBlock dd ?		; DATA XREF: MmCanThreadFault()+30r
					; .text:00470F90r ...
_MmDynamicPfn	dd ?			; DATA XREF: MiFindLargestLoaderDescriptor+C8r
					; MiFindLargestLoaderDescriptor+D7w ...
_MmTrackLockedPages dd ?		; DATA XREF: MiProbeAndLockComplete+10r
					; .text:004651B2r ...
_PsNtosImageBase dd ?			; DATA XREF: .text:loc_459ADAr
					; MiAddWorkingSetEntries+27Br ...
_PsHalImageBase	dd ?			; DATA XREF: .text:loc_459BF3r
					; MiAddWorkingSetEntries:loc_46D9EBr ...
_PsNtosImageEnd	dd ?			; DATA XREF: .text:00459AE3r
					; MiAddWorkingSetEntries+284r ...
_PsHalImageEnd	dd ?			; DATA XREF: .text:loc_459AEFr
					; MiAddWorkingSetEntries:loc_46D840r ...
_MmSpecialPoolTag dd ?			; DATA XREF: ExAllocateHeapPool+7Fr
					; MmWriteTriageInformation(x)+8r ...
_MmProtectFreedNonPagedPool dd ?	; DATA XREF: MmUnmapLockedPages:loc_47A9A1r
					; MmMapLockedPagesSpecifyCache:loc_47F879r ...
_MmSessionObjectType dd	?		; DATA XREF: PsSetCpuQuotaInformation(x,x,x):loc_65EAADr
					; MiSessionObjectCreate+148r ...
_ObHeaderCookie	dd ?			; DATA XREF: PspValidateThread(x)+27r
					; PsGetThreadProperty+48r ...
_PpmHeteroFavoredCoreFallback db    ? ;	; DATA XREF: INIT:00AF6518o
		db    ?	;
		db    ?	;
		db    ?	;
_ObTypeIndexTable dd ?			; DATA XREF: PspValidateThread(x)+30r
					; PsGetThreadProperty+51r ...
dword_70E814	dd ?			; DATA XREF: ObInitSystem+19Dw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_70E81C	db    ?	;		; DATA XREF: ObpAllocateTypeIndex(x)+8o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmPerfQosGroupPolicyDisable dd ?	; DATA XREF: PpmPerfCalculateQosClassPolicies:loc_5617D6r
					; PopInitializeHeteroProcessors(x)+68r	...
_PopAggressiveStandbyActionsRegValue dd	? ; DATA XREF: PoInitSystem:loc_AC176Cr
					; INIT:00AF4BB0o
_PopEnableDsNetRefresh dd ?		; DATA XREF: PopNetIsNetworkRefreshEnabled()+10r
					; INIT:00AF4BC8o
_PpmDisableVsyncLatencyUpdate dd ?	; DATA XREF: PopFxGetLatencyLimitWithoutResiliency()+9r
					; INIT:00AF4A18o
_PopEventProcessorEnabled dd ?		; DATA XREF: PopArmIdlePhaseWatchdog(x)+A1r
					; INIT:00AF47D8o
_PopPromoteHibernateToShutdown dd ?	; DATA XREF: PopVerifyPowerActionPolicy+D7r
					; PopIsDozeSupported:loc_8DFAD2r ...
_PpmParkInitialClass1UnParkCount dd ?	; DATA XREF: PpmParkApplyPolicy:loc_573FFAr
					; INIT:00AF46B8o
_PpmPerfBoostAtGuaranteed dd ?		; DATA XREF: PpmPerfSelectProcessorState+14Ar
					; PpmPerfApplyDomainState+33Dr	...
_PpmIpiLastClockOwnerDisable dd	?	; DATA XREF: PoIdle(x)+4A9r
					; INIT:00AF4580o
_PpmMfBufferingThreshold dd ?		; DATA XREF: PpmPerfSelectProcessorState+15r
					; INIT:00AF4598o
_PopModernStandbyDisabled dd ?		; DATA XREF: PopInitPlatformSettings+11A6Ar
					; INIT:00AF4520o
_PopHiberbootEnabledReg	db    ?	;	; DATA XREF: INIT:00AF4370o
		db    ?	;
		db    ?	;
		db    ?	;
_PopHiberForceDisabledReg dd ?		; DATA XREF: PoInitHiberServices:loc_885FD8r
					; INIT:00AF41A8o
unk_70EC44	db    ?	;		; DATA XREF: INIT:00AF41C0o
		db    ?	;
		db    ?	;
		db    ?	;
_PopFlushPolicy	dd ?			; DATA XREF: PopFlushVolumes:loc_729CD6r
					; INIT:00AF4148o
_PopHeteroSystem dd ?			; DATA XREF: PpmPerfCalculateQosClassPolicies+C2r
					; PpmPerfClearBootOverrides+11r ...
_PopDripsWakePeriodAccountingBucketLimitsMs dd ?
					; DATA XREF: PopInitDripsWakeAccounting()+65w
dword_70EC54	dd ?			; DATA XREF: PopInitDripsWakeAccounting()+6Bw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_70ECA8	dd ?			; DATA XREF: PopInitDripsWakeAccounting()+79w
dword_70ECAC	dd ?			; DATA XREF: PopInitDripsWakeAccounting()+80w
_PopDripsWakeIdleAccountingBucketLimitsQpc dd ?
					; DATA XREF: PopInitDripsWakeAccounting()+29w
dword_70ECB4	dd ?			; DATA XREF: PopInitDripsWakeAccounting()+2Fw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_70ECF8	dd ?			; DATA XREF: PopInitDripsWakeAccounting()+3Dw
dword_70ECFC	dd ?			; DATA XREF: PopInitDripsWakeAccounting()+44w
_PopCoordinatedIdleExitTimeout dd ?	; DATA XREF: PpmExitCoordinatedIdleState(x,x)+19r
					; PpmInitIdlePolicy+85w ...
dword_70ED04	dd ?			; DATA XREF: PpmExitCoordinatedIdleState(x,x)+28r
					; PpmInitIdlePolicy+8Bw ...
_PopIdleTransitionTimeout dd ?		; DATA XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+299r
					; PoInitiateProcessorWake(x)+10Fr ...
dword_70ED0C	dd ?			; DATA XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+2A4r
					; PoInitiateProcessorWake(x)+11Cr ...
_PopFirmwarePlatformRole dd ?		; DATA XREF: PopDiagTracePlatformRoleRundown()+3Eo
					; PopInitPlatformSettings+ADw ...
_PpmPerfArtificialDomainEnabled	dd ?	; DATA XREF: PpmPerfApplyDomainStates+9r
					; PpmPerfApplyDomainState+A2r ...
_PpmHvPerformanceDistributionShift dd ?	; DATA XREF: PpmCapturePerformanceDistributionCallback(x,x,x)+DCr
					; PoInitSystem+8Fo
_PpmHvPerformanceCounterShift dd ?	; DATA XREF: PpmGetThroughputInfoCallback(x,x,x)+66r
					; PoInitSystem+8Ao
_PpmPerformanceDistributionShift dd ?	; DATA XREF: PpmCapturePerformanceDistributionCallback(x,x,x)+EBr
					; PoInitSystem+75o
_PpmPerformanceCounterShift dd ?	; DATA XREF: PpmGetThroughputInfoCallback(x,x,x)+6Er
					; PoInitSystem+65o
_PopQpcFrequency dd ?			; DATA XREF: PopGetIdleTimesCallback+19Fr
					; PopGetIdleTimesCallback+1E0r	...
dword_70ED2C	dd ?			; DATA XREF: PopGetIdleTimesCallback+199r
					; PopGetIdleTimesCallback+1DAr	...
_PpmPerfQosDisableReasons dd ?		; DATA XREF: PpmPerfUpdateQosDisableReasons+50r
					; PpmPerfUpdateQosDisableReasons+77r ...
_PpmPerfQosDisableRefcount dd ?		; DATA XREF: PpmPerfCalculateQosClassPolicies:loc_561830r
					; PopPowerInformationInternal+171597r ...
_PpmPerfQosDisableAccounting dd	?	; DATA XREF: PpmPerfUpdateQosDisableReasons+25r
					; PpmPerfUpdateQosDisableReasons+68r ...
dword_70ED3C	dd ?			; DATA XREF: PpmPerfUpdateQosDisableReasons+2Br
					; PpmPerfUpdateQosDisableReasons+6Dr ...
dword_70ED40	dd ?			; DATA XREF: PpmPerfUpdateQosDisableReasons+31w
					; PpmPerfTelemetryWorker(x)+30r
dword_70ED44	dd ?			; DATA XREF: PpmPerfUpdateQosDisableReasons+37w
					; PpmPerfTelemetryWorker(x)+3Br
dword_70ED48	dd ?			; DATA XREF: PpmPerfTelemetryWorker(x)+43r
					; PpmPerfTelemetryWorker(x)+5Bw
dword_70ED4C	dd ?			; DATA XREF: PpmPerfTelemetryWorker(x)+4Dr
					; PpmPerfTelemetryWorker(x)+75w
dword_70ED50	dd ?			; DATA XREF: PpmPerfUpdateQosDisableReasons:loc_5E387Aw
					; PpmPerfTelemetryWorker(x)+61r
dword_70ED54	dd ?			; DATA XREF: PpmPerfUpdateQosDisableReasons+82274w
					; PpmPerfTelemetryWorker(x)+7Br
dword_70ED58	dd ?			; DATA XREF: PpmPerfTelemetryWorker(x)+69r
					; PpmPerfTelemetryWorker(x)+9Cw
dword_70ED5C	dd ?			; DATA XREF: PpmPerfTelemetryWorker(x)+83r
					; PpmPerfTelemetryWorker(x)+A4w
dword_70ED60	dd ?			; DATA XREF: PpmPerfUpdateQosDisableReasons:loc_5616A6w
					; PpmPerfTelemetryWorker(x):loc_9A73DDr
dword_70ED64	dd ?			; DATA XREF: PpmPerfUpdateQosDisableReasons+A1w
					; PpmPerfTelemetryWorker(x)+BCr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_70EDA8	dd ?			; DATA XREF: PpmPerfTelemetryWorker(x)+B6r
					; PpmPerfTelemetryWorker(x)+E4w
dword_70EDAC	dd ?			; DATA XREF: PpmPerfTelemetryWorker(x)+C4r
					; PpmPerfTelemetryWorker(x)+DCw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_70EDF0	db ?			; DATA XREF: PpmCheckResumePpmEngineFromSx()+55w
					; PpmCheckPausePpmEngineForSx()+16w ...
		align 8
_PpmPerfSchedulerDirectedPerfStatesSupported db	?
					; DATA XREF: PpmPerfCalculateQosClassPolicies:loc_5617E2r
					; PopInitializeHeteroProcessors(x):loc_8A0BEFr	...
_PpmPerfVmQosSupported db ?		; DATA XREF: PoSetProcessorQoS(x,x):loc_6481E5r
					; PpmPerfUpdateDomainPolicy:loc_86B036r ...
_PpmPerfQosEnabled db ?			; DATA XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+399r
					; PpmPerfUpdateQosDisableReasons+3Dr ...
_PpmPerfAutonomousActivityWindowViaPerfControl db ?
					; DATA XREF: PpmPerfCalculateQosClassPolicies:loc_5619E0r
					; PpmGetPolicyAction+12Fr ...
_PpmPerfEppViaPerfControl db ?		; DATA XREF: PpmPerfCalculateQosClassPolicies+287r
					; PpmRegisterPerfStates:loc_92FC33w ...
_PpmIdleCoordinatedMode	db ?		; DATA XREF: PpmIdleSelectCoordinatedProcessorDependency(x,x,x,x,x,x,x)+34r
					; PpmInstallCoordinatedIdleStates(x)+52Bw ...
_PpmPerfQosSupportedAndConfigured db ?	; DATA XREF: PopInitializeHeteroProcessors(x):loc_8A0E5Dw
					; PopPowerInformationInternal+171618r
_PopCoalescingEnforced db ?		; DATA XREF: PopCoalescingSetActiveState(x)+9r
					; PopCoalescingSetActiveState(x)+68r ...
_PpmHeteroQosBias dd ?			; DATA XREF: PpmPerfCalculateQosClassPolicies+387r
					; PopConfigureHeteroPolicies(x,x)+4B2r	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmPerfDomainCount dd ?		; DATA XREF: PpmRegisterPerfStates+64Bw
					; PpmHeteroComputeRelativePerformance+17r ...
_PpmPerfQosIdleExpirationTimeout dd ?	; DATA XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+626r
					; PopConfigureHeteroPolicies(x,x)+3DCw	...
dword_70EE1C	dd ?			; DATA XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+62Er
					; PopConfigureHeteroPolicies(x,x)+3D6w	...
_PpmPerfDomainHead dd ?			; DATA XREF: PpmCheckStart:loc_4871BBr
					; PpmCheckStart+141o ...
dword_70EE24	dd ?			; DATA XREF: PpmRegisterPerfStates:loc_8A04F5r
					; PpmRegisterPerfStates+668w ...
_PpmPlatformStates dd ?			; DATA XREF: PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+B23r
					; PpmIdleExecuteTransition(x,x,x,x,x,x,x,x,x,x,x)+B77r	...
_PopCurrentCoalescingSpindownTimeout dd	? ; DATA XREF: PopScanIdleList(x,x,x)+45r
					; PopCoalescingSetActiveState(x)+23w ...
_PpmIdleLastIdleDurationExpirationTime dd ? ; DATA XREF: PoExecuteIdleCheck:loc_5B672Dr
					; PoExecuteIdleCheck+12EE34w
dword_70EE34	dd ?			; DATA XREF: PoExecuteIdleCheck+12EE01r
					; PoExecuteIdleCheck+12EE3Bw
_PpmIdleDurationExpirationTimeout dd ?	; DATA XREF: PoExecuteIdleCheck+12r
					; PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x):loc_596BB1r ...
dword_70EE3C	dd ?			; DATA XREF: PoExecuteIdleCheck+1Cr
					; PpmEstimateIdleDuration(x,x,x,x,x,x,x,x,x,x,x)+128r ...
_PopDppeCoalescingSpindownTimeout dd ?	; DATA XREF: PopCoalescingSetActiveState(x)+17r
					; PopCheckResiliencyScenarios+64r ...
_PopEnforcedCoalescingSpindownTimeout dd ? ; DATA XREF:	PopCoalescingSetActiveState(x)+10r
					; PopEnforceResiliencyScenarios+A5F69w	...
_PopHiberSkipMemoryMapValidation db ?	; DATA XREF: PopBuildMemoryImageHeader(x,x)+1D4r
					; PopHiberEvaluateSkippingMemoryMapValidation():loc_ADC42Fw
_PopCriticalShutdownInProgress db ?	; DATA XREF: PAGELK:0071F9B7w
					; PoEnableCriticalShutdown+A1D46w ...
_PopAutomaticDebuggerTransitions db ?	; DATA XREF: PopPepInitializeDebuggerMasks(x,x)+5Cw
					; PopFxDebuggerPowerCriticalTransitionCallback(x,x,x)+5r
_PpmPerfQosSupportedAndAllowed db ?	; DATA XREF: PopInitializeHeteroProcessors(x)+20Dr
					; PopInitializeHeteroProcessors(x)+2F9w
_PopPowerActionResumingWatchdogTimeout dd ?
					; DATA XREF: PopGetPowerActionWatchdogTimeout(x)+17r
					; PopUpdatePowerActionWatchdogTimeouts()+16w ...
_PopPowerActionTransitioningWatchdogTimeout dd ?
					; DATA XREF: PopGetPowerActionWatchdogTimeout(x)+5r
					; PopUpdatePowerActionWatchdogTimeouts()+Cw ...
_PpmParkSoftParkingEnabled db ?		; DATA XREF: PpmParkApplyPolicy+2D9w
					; PpmParkCalculateCoreParkingMask+12A31Ar ...
_PpmHeteroHgsHeteroCoreTypes db	?	; DATA XREF: PpmHeteroDetectHgsCores:loc_5F762Cr
					; PpmHeteroHgsProcessorInit+7E1E4w
_PpmHeteroHighestPerformanceClasses db ? ; DATA	XREF: PopInitializeHeteroProcessors(x)+F8r
					; PpmHeteroComputeRelativePerformance+8ED0Ew
_PpmHeteroNominalPerformanceClasses db ?
					; DATA XREF: PpmPerfSelectProcessorState:loc_48F373r
					; PpmGetPerfPolicyClass+4r ...
_PpmHeteroHgsDisabled dd ?		; DATA XREF: PpmHeteroInitializeHgsSupport+16r
_PpmHeteroCapabilityTest dd ?		; DATA XREF: PopInitializeHeteroProcessors(x)+83r
					; PpmInitHeteroEngine+49w
; void *PpmHeteroCapability
_PpmHeteroCapability dd	?		; DATA XREF: PopInitializeHeteroProcessors(x)+1A0r
					; PopInitializeHeteroProcessors(x)+1DBr ...
_PpmHeteroMinRelativePerformance dd ?	; DATA XREF: PpmHeteroUtilityGreaterThanOrEqualThreshold(x,x,x,x,x,x,x)+6r
					; PpmHeteroComputeRelativePerformance+8EB9Dw ...
_PpmHeteroParkBias dd ?			; DATA XREF: PpmHeteroDistributeUtility()+A7r
					; PopConfigureHeteroPolicies(x,x)+49Er	...
_PpmHeteroHgsUpdateQueued dd ?		; DATA XREF: PpmHeteroDispatchHgsInterrupt()+7o
					; PpmHeteroHgsUpdateWorker(x)+Cw
_PpmHeteroHgsUpdateWorkItem dd ?	; DATA XREF: PpmHeteroInitializeHgsSupport+7E8F5w
					; PpmHeteroHgsUpdateDpcRoutine(x,x,x,x)+2o
		align 8
dword_70EE78	dd ?			; DATA XREF: PpmHeteroInitializeHgsSupport+7E8E5w
dword_70EE7C	dd ?			; DATA XREF: PpmHeteroInitializeHgsSupport+7E8EFw
_PpmHeteroHgsUpdateDpc db    ? ;	; DATA XREF: PpmHeteroInitializeHgsSupport+7E8CAo
					; PpmHeteroDispatchHgsInterrupt()+18o
byte_70EE81	db ?			; DATA XREF: PpmHeteroInitializeHgsSupport+7E8DEw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpmHeteroHgsTableMdl dd ?		; DATA XREF: PpmCheckResumePpmEngineFromSx()+1Dr
					; PpmHeteroInitializeHgsSupport+7E8FBw
_PpmHeteroHgsInterface dd ?		; DATA XREF: PpmHeteroUpdateHgsConfiguration+83690r
					; PpmHeteroUpdateHgsConfiguration+83854r ...
_PpmHeteroHgsPopulated db ?		; DATA XREF: PpmHeteroDetectHgsCores:loc_5F76B9r
					; PpmHeteroUpdateHgsConfiguration+83642w
_PpmHeteroHgsEnabled db	?		; DATA XREF: PpmHeteroGetHgsEnablementStatus()r
					; PpmCheckResumePpmEngineFromSx()+14r ...
_PopDeepSleepEnforced db ?		; DATA XREF: PopDeepSleepEvaluateCallback(x)+1Fr
					; PopCheckResiliencyScenarios+13r ...
_PsCpuFairShareEnabled db ?		; DATA XREF: PsQueryCpuQuotaInformation+11r
					; PsSetCpuQuotaInformation(x,x,x)+13r ...
_PsIdleProcess	dd ?			; DATA XREF: PsUpdateComponentPower+19r
					; PfpLogApplicationEvent+17Fr ...
_PsDisableDiskCounters dd ?		; DATA XREF: PsIsDiskCountersEnabled()r
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+283r ...
_PspAlwaysTrackIoBoosting dd ?		; DATA XREF: .text:0051EC53r
					; INIT:00AF40B8o
_PspDisableControlFlowGuardExportSuppression dd	?
					; DATA XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+2FFr
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+361r ...
_PspHwTraceExtensionHost dd ?		; DATA XREF: PsSetProcessFaultInformation:loc_84784Br
					; PsSetProcessFaultInformation+B398Er ...
_PspSystemMitigationOptions dd ?	; DATA XREF: .data:006B1E70o
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+12F6o ...
dword_70EEC4	dd ?			; DATA XREF: PspInitPhase0+193w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void PspSystemMitigationAuditOptions
_PspSystemMitigationAuditOptions dd ?	; DATA XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1328o
					; PspInitPhase0+1B5o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PspDamExtensionHost dd	?		; DATA XREF: PspCallProcessNotifyRoutines+19r
					; PspCallProcessNotifyRoutines+162B0Br	...
_PspBamExtensionHost dd	?		; DATA XREF: PsQueryActivityModerationUserSettings(x)+Er
					; PsQueryActivityModerationUserSettings(x):loc_65ED18r	...
_PspDfssConfigurationNotify dd ?	; DATA XREF: PspReadDfssConfigurationValues()+B2r
					; PspReadDfssConfigurationValues()+C7w	...
_PspDfssConfigurationKey dd ?		; DATA XREF: PspReadDfssConfigurationValues()+19r
					; PspReadDfssConfigurationValues()+DFw	...
_PspHardenedMitigationOptionsMap dd ?	; DATA XREF: PspHardenMitigationOptions(x)+2Eo
					; PspInitPhase0+33o ...
dword_70EF04	dd ?			; DATA XREF: PspInitPhase0+101r
					; PspInitPhase0+113w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PspMmcssExtensionHost dd ?		; DATA XREF: PspChangeProcessExecutionState+1A2r
					; PspChangeProcessExecutionState+1BBr ...
_PspActivityReferenceObjectType	dd ?	; DATA XREF: PspCreateActivityReference(x,x)+44r
					; PspInitPhase0+5C9o
_PspMemoryReserveObjectTypes dd	?	; DATA XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+81r
					; NtAllocateReserveObject+59r ...
dword_70EF24	dd ?			; DATA XREF: NtSetIoCompletionEx+5Dr
; Exported entry 1868. PsPartitionType
		public _PsPartitionType
_PsPartitionType dd ?			; DATA XREF: PsReferencePartitionByHandle(x,x,x,x,x,x)+4Br
					; KsepCacheDeviceInsertData+A3r ...
; Exported entry 1860. PsJobType
		public _PsJobType
_PsJobType	dd ?			; DATA XREF: PsGetJobProperty(x,x)+37r
					; PsSetJobProperty(x,x,x)+32r ...
; Exported entry 1923. PsThreadType
		public _PsThreadType
_PsThreadType	dd ?			; DATA XREF: PspValidateThread(x)+37r
					; PsGetThreadProperty+58r ...
; Exported entry 1869. PsProcessType
		public _PsProcessType
_PsProcessType	dd ?			; DATA XREF: SmRereferenceProcessObject(x,x,x,x)+6r
					; IopCheckInitiatorHint(x,x)+79r ...
; Exported entry 1839. PsInitialSystemProcess
		public _PsInitialSystemProcess
_PsInitialSystemProcess	dd ?		; DATA XREF: PsUpdateComponentPower:loc_434E71r
					; PsReturnProcessPagedPoolQuota(x,x)+8r ...
_PspCidTable	dd ?			; DATA XREF: .data:006B1AE0o
					; PspProcessDelete+17Ar ...
_PsPrioritySeparation dd ?		; DATA XREF: KiApplyForegroundBoostThread+7Fr
					; KeStartThread+279r ...
_PspSystemPartition dd ?		; DATA XREF: ExQueueWorkItemEx(x,x,x):loc_446610r
					; ExQueueWorkItem:loc_44DB63r ...
_PspResourceFlags db ?			; DATA XREF: PspChargeQuota(x,x,x,x)+11r
					; ExAllocatePoolWithQuotaTag+D4r ...
		align 4
dword_70EF4C	dd ?			; DATA XREF: PspChargeQuota(x,x,x,x)+118r
					; PspRegisterResource+Fw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PsAltSystemCallHandlers dd ?		; DATA XREF: .data:006B1EB0o
					; PspSanitizeResourceLimits+2Ao ...
		align 10h
_PspSystemPartitionHandle db	? ;	; DATA XREF: PspInitPhase1()+3o
		db    ?	;
		db    ?	;
		db    ?	;
_WmipGuidObjectType dd ?		; DATA XREF: WmipReceiveNotifications+9Er
					; WmipQueryAllData+77r	...
_WmipDefaultAccessSd dd	?		; DATA XREF: WmipCreateGuidObject(x,x,x,x)+1C1r
					; WmipGetGuidSecurityDescriptor:loc_7BAC2Ar ...
_EtwpLastBranchSupportedOptions	dd ?	; DATA XREF: EtwpInitializeLastBranchTracing+82EA9w
					; EtwpUpdateLastBranchTracingConfiguration(x,x)r ...
_WmipDefaultAccessSecurityDescriptor db	   ? ; ; DATA XREF: WmipInitializeSecurity+11Do
					; WmipInitializeSecurity+148o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpLastBranchStackSize dd ?		; DATA XREF: EtwpTraceLastBranchRecord(x,x,x,x)+ADr
					; EtwpInitializeLastBranchTracing+82EA1w ...
_EtwpSiloAllowedGroupMask dd ?		; DATA XREF: EtwpCheckSiloGroupMasks(x)+3o
					; EtwpInitializeSiloAllowedGroupMask()w ...
dword_70EF9C	dd ?			; DATA XREF: EtwpInitializeSiloAllowedGroupMask()+Fw
dword_70EFA0	dd ?			; DATA XREF: EtwpInitializeSiloAllowedGroupMask()+19w
		align 10h
dword_70EFB0	dd ?			; DATA XREF: EtwpInitializeSiloAllowedGroupMask()+23w
		align 8
_EtwpRegistrationObjectType dd ?	; DATA XREF: .text:00446FEFr
					; FsRtlInsertPerFileContext+C3r ...
_EtwpSessionDemuxObjectType dd ?	; DATA XREF: EtwpInitializePrivateSessionDemuxObject()+69o
					; EtwpQuerySessionDemuxObject(x,x)+6r ...
_PerfGlobalGroupMask dd	?		; DATA XREF: PfHardFaultRecord+3Ar
					; MiIssueHardFault(x,x):loc_44818Ar ...
byte_70EFC4	db ?			; DATA XREF: PspStorageEmptyArrayNonReadonly:loc_4314D2r
					; PspStorageEmptyArrayNonReadonly:loc_43154Cr ...
		db    ?	;
byte_70EFC6	db ?			; DATA XREF: ExpUpdateTimerResolution+65r
					; ExpInsertTimerResolutionEntry+3Cr ...
		align 4
dword_70EFC8	dd ?			; DATA XREF: CmpRemoveHiveFromNamespace(x,x,x)+64r
					; KiResumeThread+254r ...
		align 10h
dword_70EFD0	dd ?			; DATA XREF: CcScheduleReadAheadEx:loc_438A53r
					; CcScheduleReadAheadEx+298r ...
byte_70EFD4	db ?			; DATA XREF: PAGELK:loc_720A97r
		align 10h
_ExCallbackObjectType dd ?		; DATA XREF: ExCreateCallback(x,x,x,x)+3Dr
					; ExCreateCallback(x,x,x,x):loc_7DD7C1r ...
_ExpCacheLineSize dd ?			; DATA XREF: ExAllocateHeapPool:loc_53370Ar
					; ExAllocateHeapPool:loc_53372Br ...
_ExpPoolFlags	dd ?			; DATA XREF: ExpFreePoolChecks+6r
					; ExpFreePoolChecks:loc_505FAAr ...
_ExpPoolQuotaCookie dd ?		; DATA XREF: ExReturnPoolQuota:loc_503F6Er
					; ExpGetBilledProcess+18r ...
; Exported entry 316. ExActivationObjectType
		public _ExActivationObjectType
_ExActivationObjectType	dd ?		; DATA XREF: ExpWin32OpenProcedure+53r
					; ExpWin32OkayToCloseProcedure+5Er ...
; Exported entry 336. ExCoreMessagingObjectType
		public _ExCoreMessagingObjectType
_ExCoreMessagingObjectType dd ?		; DATA XREF: ExpWin32OpenProcedure+5Fr
					; ExpWin32OkayToCloseProcedure+6Ar ...
; Exported entry 410. ExRawInputManagerObjectType
		public _ExRawInputManagerObjectType
_ExRawInputManagerObjectType dd	?	; DATA XREF: ExpWin32OpenProcedure+67r
					; ExpWin32OkayToCloseProcedure+72r ...
; Exported entry 332. ExCompositionObjectType
		public _ExCompositionObjectType
_ExCompositionObjectType dd ?		; DATA XREF: ExpWin32OpenProcedure+6Fr
					; ExpWin32OkayToCloseProcedure+7Ar ...
; Exported entry 344. ExDesktopObjectType
		public _ExDesktopObjectType
_ExDesktopObjectType dd	?		; DATA XREF: ExpWin32OpenProcedure+77r
					; ExpWin32OkayToCloseProcedure+82r ...
; Exported entry 457. ExWindowStationObjectType
		public _ExWindowStationObjectType
_ExWindowStationObjectType dd ?		; DATA XREF: ExpWin32OpenProcedure+7Fr
					; ExpWin32OkayToCloseProcedure+8Ar ...
_ExpTimerFreedCookie db	?		; DATA XREF: ExpCheckForFreedEnhancedTimer+3r
					; ExAllocateTimer:loc_43CEC3r ...
		align 4
_ExpIRTimerObjectType dd ?		; DATA XREF: ExpSetTimer2+A8r
					; .text:0053D1B9r ...
; Exported entry 444. ExTimerObjectType
		public _ExTimerObjectType
_ExTimerObjectType dd ?			; DATA XREF: .text:0053D1C5r
					; ExpSetTimer+53r ...
; Exported entry 354. ExEventObjectType
		public _ExEventObjectType
_ExEventObjectType dd ?			; DATA XREF: .text:0059157Br
					; DbgkCaptureLiveKernelDump(x)+10Er ...
ALMOSTRO	ends

; Section 7. (virtual address 00310000)
; Virtual size			: 00000001 (	  1.)
; Section size in file		: 00000200 (	512.)
; Offset to raw	data for section: 002B7600
; Flags	C8000040: Data Not pageable Readable Writable
; Alignment	: default
; 

; Segment type:	Pure data
; Segment permissions: Read/Write
CFGRO		segment	para public 'DATA' use32
		assume cs:CFGRO
		;org 710000h
_KiKvaShadow	db 0			; DATA XREF: KiFlushTb+3r
					; KiFlushCurrentTbOnlyr ...
		align 200h
CFGRO		ends

; Section 8. (virtual address 00311000)
; Virtual size			: 00007744 (  30532.)
; Section size in file		: 00000200 (	512.)
; Offset to raw	data for section: 002B7800
; Flags	C8000040: Data Not pageable Readable Writable
; Alignment	: default
; 

; Segment type:	Pure data
; Segment permissions: Read/Write
CACHEALI	segment	para public 'DATA' use32
		assume cs:CACHEALI
		;org 711000h
_KiClockState	dd 4			; DATA XREF: KeClockInterruptNotify:loc_488043r
					; KeClockInterruptNotify+21Co ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_CmpRegistryLock db    0		; DATA XREF: CmpDoQueryKeyName+6Eo
					; CmpIsRegistryLockContended()+3o ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
word_71104E	dw 0			; DATA XREF: ExTryConvertSharedToExclusiveLite(x)r
					; ExpTryConvertSharedToExclusiveLite(x)+41w
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_711058	dd 0			; DATA XREF: ExpTryConvertSharedToExclusiveLite(x)+71o
					; ExpTryConvertSharedToExclusiveLite(x)+7Bw
dword_71105C	dd 0			; DATA XREF: ExpTryConvertSharedToExclusiveLite(x)+89w
dword_711060	dd 0			; DATA XREF: ExpTryConvertSharedToExclusiveLite(x)+2Br
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_711074	db    0			; DATA XREF: ExpTryConvertSharedToExclusiveLite(x)+12o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KeNodeBlock	dd 0			; DATA XREF: KeQueryNodeActiveAffinity(x,x,x)+31r
					; KeStartThread+107r ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KiInitialProcess db	0		; DATA XREF: KeQueryValuesThread+3Co
					; KeQueryPriorityThread(x)+8o ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
byte_711134	db 0			; DATA XREF: KiEnableKvaShadowing(x,x)+A5w
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_7111B8	db    0			; DATA XREF: KiInitializeIdleThread(x,x,x,x)+129o
					; INIT:00ABFE4Bo
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_711290	dd ?			; DATA XREF: KiInitializeIdleThread(x,x,x,x)+7Fo
					; KiInitializeIdleThread(x,x,x,x)+123w
dword_711294	dd ?			; DATA XREF: KiInitializeIdleThread(x,x,x,x)+ECr
					; KiInitializeIdleThread(x,x,x,x)+FFw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_711468	db    ?	;		; DATA XREF: KiEnableKvaShadowing(x,x)+A0o
					; KiInitializeIdleThread(x,x,x,x)+136o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExNode0	db    ?	;		; DATA XREF: KiConfigureInitialNodes(x)+16o
					; KePerformGroupConfiguration(x)+1Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_711608	dd ?			; DATA XREF: KiConfigureInitialNodes(x)+39w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_711654	dd ?			; DATA XREF: KiConfigureInitialNodes(x)+24w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_711664	db ?			; DATA XREF: KiConfigureInitialNodes(x)+11w
					; KePerformGroupConfiguration(x)+9w
byte_711665	db ?			; DATA XREF: KiConfigureInitialNodes(x)+5w
					; KePerformGroupConfiguration(x)w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiPendingTimersMask0 db    ? ;		; DATA XREF: KeInitializeTimerTable+BDo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiInitialThread db    ? ;		; DATA XREF: KiSystemStartup(x)+29o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopTimerLock	dd ?			; DATA XREF: IopRemoveTimerFromTimerList(x)+10o
					; IopRemoveTimerFromTimerList(x)+46o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopErrorLogLock dd ?			; DATA XREF: .text:005607CAo
					; .text:005647BAo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; Exported entry 1014. IoStatisticsLock
		public _IoStatisticsLock
_IoStatisticsLock dd ?			; DATA XREF: INIT:00AC27E5w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KdDebuggerLock	db    ?	;		; DATA XREF: sub_5FB8A3+73o
					; KdAcquireDebuggerLock(x)+12o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiReverseStallIpiLock dd ?		; DATA XREF: KeInvalidateAllCaches+3Eo
					; KeInvalidateAllCaches+77o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopCancelSpinLock dd ?			; DATA XREF: KiInitPrcb(x,x)+215o
					; KiInitPrcb(x,x)+2DDw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_NonPagedPoolLock dd ?			; DATA XREF: KiInitPrcb(x,x)+20Bo
					; KiInitPrcb(x,x)+2F5w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopDatabaseLock dd ?			; DATA XREF: KiInitPrcb(x,x)+229o
					; KiInitPrcb(x,x)+2E9w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopVpbSpinLock	dd ?			; DATA XREF: KiInitPrcb(x,x)+21Fo
					; KiInitPrcb(x,x)+2EFw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_NtfsStructLock	dd ?			; DATA XREF: KiInitPrcb(x,x)+23Do
					; KiInitPrcb(x,x)+2FBw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IopCompletionLock dd ?			; DATA XREF: KiInitPrcb(x,x)+233o
					; KiInitPrcb(x,x)+2E3w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AfdWorkQueueSpinLock dd ?		; DATA XREF: KiInitPrcb(x,x)+247o
					; KiInitPrcb(x,x)+301w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CcBcbSpinLock	dd ?			; DATA XREF: KiInitPrcb(x,x)+1EDo
					; KiInitPrcb(x,x)+2CBw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CcVacbSpinLock	dd ?			; DATA XREF: KiInitPrcb(x,x)+201o
					; KiInitPrcb(x,x)+2D7w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CcMasterSpinLock dd ?			; DATA XREF: KiInitPrcb(x,x)+1F7o
					; KiInitPrcb(x,x)+2D1w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiFreezeExecutionLock dd ?		; DATA XREF: KiFreezeTargetExecution(x,x)+2Er
					; KeFreezeExecution(x,x)+9Cr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpResourceSpinLock dd	?		; DATA XREF: ExDeleteResourceLite+2Eo
					; ExDeleteResourceLite:loc_49734Br ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiObjectRundownLocks db    ? ;		; DATA XREF: KiAcquireReleaseObjectRundownLockExclusive(x)+Eo
					; KiActivateWaiterQueueWithNoLocks+16o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiFreezeLockBackup dd ?		; DATA XREF: KiFreezeTargetExecution(x,x)+37r
					; KeFreezeExecution(x,x)+12Do ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiTimer2CollectionLock	db    ?	;	; DATA XREF: KeCancelTimer2+58o
					; KeDisableTimer2+11Do	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PsLoadedModuleSpinLock	dd ?		; DATA XREF: MiAddWorkingSetEntries:loc_46D896o
					; MiAddWorkingSetEntries:loc_46D8D3o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiSchedulingGroupLock db    ? ;	; DATA XREF: KeQuerySchedulingGroupHistory+23o
					; KeSetSchedulingGroupWeights+19o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AlpcpNextCallbackId dd	?		; DATA XREF: AlpcpAllocateMessage(x,x,x)+78w
					; AlpcpSendLegacySynchronousRequest(x,x,x,x)+11Cw ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ObsSecurityDescriptorCache dd ?	; DATA XREF: PAGE:00816D70o
					; PAGE:00817090o ...
dword_7171C4	dd ?			; DATA XREF: ObpInitSecurityDescriptorCache()+9w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PspTimeZoneStateBuffer	db    ?	;	; DATA XREF: INIT:00ACD0AFo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_717B74	dd ?			; DATA XREF: INIT:00ACD06Aw
					; INIT:00AF3560o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PspHostSiloGlobals db	  ? ;		; DATA XREF: EtwGetKernelTraceTimestampSilo+26o
					; PsGetCurrentServerSiloGlobals():loc_490B89o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_717EF0	dd ?			; DATA XREF: KiExecuteAllDpcs+198r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_717F48	db    ?	;		; DATA XREF: StartFirstUserProcess+A6o
		db    ?	;
word_717F4A	dw ?			; DATA XREF: StartFirstUserProcess:loc_AD5644r
					; StartFirstUserProcess+99r
		align 10h
unk_717F50	db    ?	;		; DATA XREF: StartFirstUserProcess+E9o
		db    ?	;
word_717F52	dw ?			; DATA XREF: StartFirstUserProcess+2Fr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_717F61	db ?			; DATA XREF: INIT:00ACD0AAw
		align 8
dword_717F68	dd ?			; DATA XREF: INIT:00ACD0AFw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_717F7C	dd ?			; DATA XREF: PsGetSiloContext(x,x,x)+8r
					; PsGetPermanentSiloContext+Cr	...
dword_717F80	dd ?			; DATA XREF: INIT:00ACD0A5w
dword_717F84	dd ?			; DATA XREF: INIT:00ACD076w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_717F8C	dd ?			; DATA XREF: PspInitializeSiloStructures+31w
					; PspInitializeSiloStructures+48r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void SmGlobals
?SmGlobals@@3U_SM_GLOBALS@@A dd	?	; DATA XREF: ST_STORE_SM_TRAITS___StWorkItemProcess+B9o
					; ST_STORE_SM_TRAITS___StWorkItemProcess+122o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_7180B0	db    ?	;		; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+6Ao
					; SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+9Ao ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_7180B4	db    ?	;		; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmFeEvictInitiate+7Ao
					; SMKM_STORE_MGR<SM_TRAITS>::SmFeSetEvictFailed(SMKM_STORE_MGR<SM_TRAITS> *,_SM_PAGE_KEY *,ulong,ulong)+79o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_7182C0	db    ?	;		; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+12Bo
					; SMKM_STORE_MGR_SM_TRAITS___SmPageRead:loc_54BEA2o
		db    ?	;
		db    ?	;
		db    ?	;
word_7182C4	dw ?			; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+11Er
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_718320	db    ?	;		; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmWorkItemFree+6Bo
					; MiWriteComplete+4E7o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_718328	db    ?	;		; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+55o
					; SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+88o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_71836C	db    ?	;		; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmPageRead+C3o
					; SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+122D34o
		db    ?	;
		db    ?	;
		db    ?	;
unk_718370	db    ?	;		; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+122D6Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_71839E	db ?			; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+122D50r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_7183AC	dd ?			; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+8Fr
					; SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete+122D5Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_718424	dd ?			; DATA XREF: SMKM_STORE_MGR_SM_TRAITS___SmpPageEvict+5Cr
					; SMKM_STORE_MGR_SM_TRAITS___SmIoCtxWorkItemComplete:loc_4993F0r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_718438	db    ?	;		; DATA XREF: SmcCacheManagerStart(x,x)+30o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_718440	dd ?			; DATA XREF: SmStoreCreate(x,x,x)+52r
					; SmStoreDelete(x,x)+46r ...
		align 10h
dword_718450	dd ?			; DATA XREF: SmFirstTimeInit:loc_4CFE07r
					; SmFirstTimeInit:loc_4CFE24r ...
dword_718454	dd ?			; DATA XREF: SmFirstTimeInit:loc_4CFE3Cr
					; SmFirstTimeInit+46Cw
dword_718458	dd ?			; DATA XREF: SmFirstTimeInit+68r
					; SmFirstTimeInit+2D1w	...
dword_71845C	dd ?			; DATA XREF: SmFirstTimeInit:loc_4CFE14r
					; SmFirstTimeInit+38Ew	...
dword_718460	dd ?			; DATA XREF: SmFirstTimeInit+394w
					; SmFirstTimeInit+4AEr	...
unk_718464	db    ?	;		; DATA XREF: SmFirstTimeInit+5Eo
					; SmFirstTimeInit+E6o ...
		db    ?	;
		db    ?	;
		db    ?	;
byte_718468	db ?			; DATA XREF: SmUpdateMemoryCondition(x,x)+6r
					; SmUpdateMemoryCondition(x,x)+26w ...
byte_718469	db ?			; DATA XREF: SmUpdateMemoryCondition(x,x)+16r
					; SmUpdateMemoryCondition(x,x)+2Fw
		align 4
dword_71846C	dd ?			; DATA XREF: SmFirstTimeInit+478o
					; SMKM_STORE_MGR_SM_TRAITS___SmAsyncReadQueueInsert+E6r
dword_718470	dd ?			; DATA XREF: SmAcquireReleaseResAvailForRead+11r
					; SmAcquireReleaseResAvailForRead+54o ...
dword_718474	dd ?			; DATA XREF: SmFirstTimeInit:loc_4D022Cr
					; SmProcessCreateNotification(x,x)r ...
unk_718478	db    ?	;		; DATA XREF: SmStoreExistsForProcess(x)+10o
					; SmpPageWrite(x,x,x,x,x,x,x)+32o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_718490	dd ?			; DATA XREF: SmpPageWrite(x,x,x,x,x,x,x)+54r
					; SmpProcessQueryStoreStats(x,x):loc_546208r ...
unk_718494	db    ?	;		; DATA XREF: SmProcessConfigRequest+101o
					; MiCreatePagingFile+961DDo
		db    ?	;
		db    ?	;
		db    ?	;
unk_718498	db    ?	;		; DATA XREF: SmQueryStoreInformation+A0o
					; SmSetStoreInformation+135EC9o ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_71849C	db    ?	;		; DATA XREF: SmcVolumePnpNotification(x,x)+70o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_7184A4	db    ?	;		; DATA XREF: SmcVolumePnpNotification(x,x):loc_9E834Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_7185B0	dd ?			; DATA XREF: SmFirstTimeInit:loc_4D0065o
					; SmGetRegistrationInfo+49o ...
unk_7185B4	db    ?	;		; DATA XREF: SMKM_STORE_SM_TRAITS___SmStStart:loc_5C7D12o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_7185C0	db    ?	;		; DATA XREF: SMKM_STORE_SM_TRAITS___SmStStart+1B8o
					; SmFirstTimeInit+432o	...
		db    ?	;
		db    ?	;
		db    ?	;
unk_7185C4	db    ?	;		; DATA XREF: SmFirstTimeInit+F8353o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_718604	db    ?	;		; DATA XREF: SmFirstTimeInit+454o
					; SMKM_STORE_SM_TRAITS___SmStReadThread+FEo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_718648	db    ?	;		; DATA XREF: SmEtwEnabled(x)+3Eo
					; ST_STORE_SM_TRAITS___StDmpSinglePageInsert+FB8DBo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_718650	dd ?			; DATA XREF: SmInitSystem(x)+26w
dword_718654	dd ?			; DATA XREF: ST_STORE_SM_TRAITS___StDmpSinglePageInsert+1B0r
					; SmEtwEnabled(x)+2Fr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_718664	dd ?			; DATA XREF: ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR *,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+206w
					; ST_STORE<SM_TRAITS>::StDmHandleDecompressionFailure(ST_STORE<SM_TRAITS>::_ST_DATA_MGR	*,char *,char *,ST_STORE<SM_TRAITS>::_ST_PAGE_LOCATION *,ST_STORE<SM_TRAITS>::_STDM_READ_CONTEXT *)+20Dr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpPoolBigEntriesInUse	dd ?		; DATA XREF: ExRemovePoolTag:loc_505E61w
					; ExFreeHeapPool+5B0o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; Exported entry 1319. KeTickCount
		public _KeTickCount
_KeTickCount	dd ?			; DATA XREF: KeQueryValuesThread:loc_435F9Er
					; KeQueryValuesThread:loc_436231r ...
dword_7186C4	dd ?			; DATA XREF: KiGroupSchedulingQuantumEnd+12r
					; SMKM_STORE_SM_TRAITS___SmStWorkItemGet+102r ...
dword_7186C8	dd ?			; DATA XREF: KiGroupSchedulingQuantumEnd:loc_443748r
					; SMKM_STORE_SM_TRAITS___SmStWorkItemGet+118r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiCacheFlushTimeStamp dd ?		; DATA XREF: MiWorkingSetManager(x,x)+73r
					; MiDereferenceIoPages+234r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KiTbFlushTimeStamp dd ?		; DATA XREF: .text:00431EE3r
					; .text:00432197r ...
CACHEALI	ends

; Section 9. (virtual address 00319000)
; Virtual size			: 00000001 (	  1.)
; Section size in file		: 00000200 (	512.)
; Offset to raw	data for section: 002B7A00
; Flags	48000040: Data Not pageable Readable
; Alignment	: default
; 

; Segment type:	Pure data
; Segment permissions: Read
PROTDATA	segment	para public 'DATA' use32
		assume cs:PROTDATA
		;org 719000h
_SeILSigningPolicy db 0			; DATA XREF: .data:_SeILSigningPolicyPtro
					; SepGetSystemSigningLevel()r ...
		align 200h
PROTDATA	ends

; Section 10. (virtual address 0031A000)
; Virtual size			: 00017058 (  94296.)
; Section size in file		: 00017200 (  94720.)
; Offset to raw	data for section: 002B7C00
; Flags	60000020: Text Executable Readable
; Alignment	: default
; 

; Segment type:	Pure code
; Segment permissions: Read/Execute
PAGELK		segment	para public 'CODE' use32
		assume cs:PAGELK
		;org 71A000h
		assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSystemStartup(x)
		public _KiSystemStartup@4
_KiSystemStartup@4 proc	near		; DATA XREF: KiInitializeProcessorState(x,x,x,x,x,x,x,x,x,x)+1E5o

var_E4		= dword	ptr -0E4h
var_20		= byte ptr -20h
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	ebx, [ebp+arg_0]
		mov	ds:_KeLoaderBlock, ebx
		mov	ecx, ds:_KeNumberProcessors
		mov	[ebp+var_18], ecx
		or	ecx, ecx
		jnz	short loc_71A07E
		push	ds:_KeLoaderBlock
		push	0FFFFFFFFh
		call	KdInitSystem
		mov	dword ptr [ebx+54h], offset _KiInitialThread
		sgdt	fword ptr [esp+20h+var_20]
		mov	edx, dword ptr [esp+20h+var_20+2]
		add	edx, 30h
		mov	dword ptr [edx+4], offset dword_409200
		mov	eax, [ebx+4Ch]
		sub	eax, 120h
		mov	[edx+2], ax
		shr	eax, 10h
		mov	[edx+4], al
		mov	[edx+7], ah
		mov	word ptr [edx],	6020h
		push	30h
		pop	fs
		assume fs:nothing
		mov	eax, cr0
		and	eax, 0FFFFFFF3h
		or	eax, 22h
		mov	cr0, eax
		mov	eax, cr4
		or	eax, 600h
		mov	cr4, eax
		mov	large fs:4ECh, ecx

loc_71A07E:				; CODE XREF: KiSystemStartup(x)+1Aj
		mov	large dword ptr	fs:8, 1F80h
		ldmxcsr	large dword ptr	fs:8
		mov	eax, [ebx+54h]
		mov	dword ptr [ebp+var_20],	eax
		lea	ecx, [eax+70h]
		mov	[eax+70h], ecx
		mov	[eax+74h], ecx
		mov	eax, [ebx+48h]
		mov	dword ptr [ebp+var_20+4], eax
		call	_KiInitializeMachineType@0 ; KiInitializeMachineType()
		cmp	[ebp+var_18], 0
		jnz	loc_71A140
		call	GetMachineBootPointers@0
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_10], eax
		lea	ecx, [edi+28h]
		mov	byte ptr [ecx+5], 89h
		push	ecx
		push	[ebp+var_C]
		call	_KiInitializeTRTSS@8 ; KiInitializeTRTSS(x,x)
		mov	cx, 28h
		ltr	cx
		push	[ebp+var_4]
		push	[ebp+var_10]
		push	[ebp+arg_0]
		call	_KiInitializeIdtGates@12 ; KiInitializeIdtGates(x,x,x)
		push	0
		push	0
		push	dword ptr [ebp+var_20]
		push	[ebp+var_C]
		push	[ebp+var_4]
		push	[ebp+var_10]
		push	[ebp+var_8]
		push	[ebp+var_18]
		call	_KiInitializePcr@32 ; KiInitializePcr(x,x,x,x,x,x,x,x)
		mov	edx, dword ptr [ebp+var_20]
		mov	ecx, offset _KiInitialProcess
		mov	[edx+80h], ecx
		mov	large dword ptr	fs:18h,	0
		mov	large dword ptr	fs:424h, 0
		mov	large dword ptr	fs:428h, 0
		mov	eax, 23h
		db	66h
		mov	ds, ax
		assume ds:nothing
		db	66h
		mov	es, ax
		assume es:nothing

loc_71A140:				; CODE XREF: KiSystemStartup(x)+AFj
		call	KiProcessorStart
		mov	ecx, [ebp+var_18]
		mov	large fs:51h, cl
		mov	eax, 1
		shl	eax, cl
		mov	large fs:48h, eax
		mov	large fs:14h, eax
		mov	large fs:4E8h, eax
		cmp	[ebp+var_18], 0
		jnz	short loc_71A18A
		push	ds:_KeLoaderBlock
		push	0FFFFFFFFh
		call	_HalInitializeBios@8 ; HalInitializeBios(x,x)
		push	0
		push	ds:_KeLoaderBlock
		push	0FFFFFFFFh
		call	_InbvDriverInitialize@12 ; InbvDriverInitialize(x,x,x)

loc_71A18A:				; CODE XREF: KiSystemStartup(x)+16Cj
		call	_KiInitializeNXSupport@0 ; KiInitializeNXSupport()
		push	[ebp+arg_0]
		push	[ebp+var_18]
		call	ds:__imp__HalInitializeProcessor@8 ; HalInitializeProcessor(x,x)
		cmp	[ebp+var_18], 0
		jnz	short loc_71A1AD
		inc	ds:_KeNumberProcessors
		inc	ds:_KeNumberProcessorsGroup0

loc_71A1AD:				; CODE XREF: KiSystemStartup(x)+19Fj
		cmp	[ebp+var_18], 0
		jnz	short loc_71A1D0
		push	ds:_KeLoaderBlock
		push	0
		call	KdInitSystem
		call	KdPollBreakIn
		or	al, al
		jz	short loc_71A1D0
		push	1
		call	_DbgBreakPointWithStatus@4 ; DbgBreakPointWithStatus(x)

loc_71A1D0:				; CODE XREF: KiSystemStartup(x)+1B1j
					; KiSystemStartup(x)+1C7j
		nop
		push	[ebp+var_18]
		push	ds:_KeLoaderBlock
		call	KiInitializeXSave
		mov	ecx, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_14], al
		mov	ebx, dword ptr [ebp+var_20]
		mov	edx, dword ptr [ebp+var_20+4]
		mov	eax, [ebp+var_18]
		xor	ebp, ebp
		mov	esp, edx
		sub	esp, ds:_KiXSaveAreaLength
		and	esp, 0FFFFFFC0h
		lea	esp, [esp-0B0h]
		push	ds:_KeLoaderBlock
		push	eax
		push	large dword ptr	fs:20h
		push	edx
		push	ebx
		push	offset _KiInitialProcess
		call	_KiInitializeKernel@24 ; KiInitializeKernel(x,x,x,x,x,x)
		cmp	large byte ptr fs:51h, 0
		jnz	short loc_71A233
		call	_KiInitializeGSCookieValue@0 ; KiInitializeGSCookieValue()

loc_71A233:				; CODE XREF: KiSystemStartup(x)+22Cj
		sti
		mov	ecx, 2
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, large fs:1Ch

loc_71A246:				; CODE XREF: KiSystemStartup(x)+24Fj
		cmp	ds:_KiBarrierWait, 0
		pause
		jnz	short loc_71A246
		push	0
		jmp	@KiIdleLoop@0	; KiIdleLoop()
_KiSystemStartup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiDetectFpuLeakage()
_KiDetectFpuLeakage@0 proc near		; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+2E2p

var_200		= dword	ptr -200h
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h

		push	ebp
		mov	ebp, esp
		sub	esp, 200h
		and	esp, 0FFFFFFC0h
		fxsave	[esp+200h+var_200]
		fnclex
		ffree	st(7)
		fild	[esp+200h+var_200]
		xor	edx, edx
		dec	edx
		mov	[esp+200h+var_1F8], edx
		fxrstor	[esp+200h+var_200]
		fnsave	byte ptr [esp+200h+var_200]
		mov	ecx, [esp+200h+var_1F4]
		xor	eax, eax
		cmp	edx, ecx
		jz	short loc_71A288
		inc	eax

loc_71A288:				; CODE XREF: KiDetectFpuLeakage()+2Dj
		mov	esp, ebp
		pop	ebp
		retn
_KiDetectFpuLeakage@0 endp


;  S U B	R O U T	I N E 


; __stdcall Ki386EnableGlobalPage(x)
_Ki386EnableGlobalPage@4 proc near	; DATA XREF: KiInitMachineDependent+38o

arg_0		= dword	ptr  10h

		push	esi
		push	edi
		push	ebx
		mov	edx, [esp+arg_0]
		pushf
		cli
		lock dec dword ptr [edx]

loc_71A298:				; CODE XREF: Ki386EnableGlobalPage(x)+11j
		pause
		cmp	dword ptr [edx], 0
		jnz	short loc_71A298
		cmp	large byte ptr fs:51h, 0
		jnz	short loc_71A2C1
		mov	edi, offset _KeFlushCurrentTb@0	; KeFlushCurrentTb()
		mov	esi, offset loc_5A242F
		mov	ecx, 19h
		rep movsb
		mov	ds:byte_5A2447,	0

loc_71A2C1:				; CODE XREF: Ki386EnableGlobalPage(x)+1Bj
					; Ki386EnableGlobalPage(x)+3Cj
		cmp	ds:byte_5A2447,	0
		jnz	short loc_71A2C1
		mov	eax, cr4
		mov	ecx, cr3
		mov	cr3, ecx
		or	al, 80h
		mov	cr4, eax
		popf
		pop	ebx
		pop	edi
		pop	esi
		retn	4
_Ki386EnableGlobalPage@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall Ki386EnableDE(x)
_Ki386EnableDE@4 proc near		; CODE XREF: KiConfigureDynamicProcessor()+6p
					; DATA XREF: KiInitMachineDependent+63o
		mov	eax, cr4
		or	eax, 8
		mov	cr4, eax
		retn	4
_Ki386EnableDE@4 endp


;  S U B	R O U T	I N E 


; __stdcall Ki386EnableCurrentLargePage(x, x)
_Ki386EnableCurrentLargePage@8 proc near
		mov	eax, eax
		retn	8
_Ki386EnableCurrentLargePage@8 endp

; 
_Ki386EnableCurrentLargePageEnd	db 3 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

GetMachineBootPointers@0 proc near	; CODE XREF: KiSystemStartup(x)+B5p

var_8		= byte ptr -8

		push	ebp
		mov	ebp, esp
		sub	esp, 8
		sgdt	fword ptr [ebp+var_8]
		mov	edi, dword ptr [ebp+var_8+2]
		mov	cx, fs
		and	cx, 0FFFCh
		movzx	ecx, cx
		add	ecx, edi
		mov	dh, [ecx+7]
		mov	dl, [ecx+4]
		shl	edx, 10h
		mov	dx, [ecx+2]
		mov	esi, edx
		db	66h
		str	cx
		movzx	ecx, cx
		add	ecx, edi
		mov	dh, [ecx+7]
		mov	dl, [ecx+4]
		shl	edx, 10h
		mov	dx, [ecx+2]
		sidt	fword ptr [ebp+var_8]
		mov	eax, dword ptr [ebp+var_8+2]
		mov	esp, ebp
		pop	ebp
		retn
GetMachineBootPointers@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiSetProcessorType()
_KiSetProcessorType@0 proc near		; CODE XREF: KiInitializeKernel(x,x,x,x,x,x):loc_72518Cp
		mov	large byte ptr fs:135h,	0
		push	edi
		push	esi
		push	ebx
		xor	ecx, ecx
		xor	eax, eax
		cpuid
		cmp	ebx, 756E6547h
		jnz	short loc_71A38C
		cmp	ecx, 6C65746Eh
		jnz	short loc_71A38C
		cmp	edx, 49656E69h
		jnz	short loc_71A38C

loc_71A369:				; CODE XREF: KiSetProcessorType()+64j
		mov	eax, 1
		cpuid
		mov	ebx, eax
		mov	edx, eax
		mov	ecx, eax
		and	edx, 0F00h
		cmp	edx, 600h
		jnz	short loc_71A3B9
		and	ebx, 0F00h
		jmp	short loc_71A3CC
; 

loc_71A38C:				; CODE XREF: KiSetProcessorType()+17j
					; KiSetProcessorType()+1Fj ...
		cmp	ebx, 746E6543h
		jnz	short loc_71A3A6
		cmp	ecx, 736C7561h
		jnz	short loc_71A3A6
		cmp	edx, 48727561h
		jnz	short loc_71A3A6
		jmp	short loc_71A369
; 

loc_71A3A6:				; CODE XREF: KiSetProcessorType()+52j
					; KiSetProcessorType()+5Aj ...
		mov	eax, 1
		cpuid
		mov	ebx, eax
		mov	edx, eax
		mov	ecx, eax
		and	edx, 0F00h

loc_71A3B9:				; CODE XREF: KiSetProcessorType()+42j
		cmp	edx, 0F00h
		jnz	short loc_71A3DA
		and	ebx, 0FF00000h
		shr	ebx, 0Ch
		add	ebx, edx

loc_71A3CC:				; CODE XREF: KiSetProcessorType()+4Aj
		mov	ah, al
		shr	eax, 4
		mov	al, cl
		and	eax, 0FF0Fh
		jmp	short loc_71A3EF
; 

loc_71A3DA:				; CODE XREF: KiSetProcessorType()+7Fj
		and	eax, 0F0h
		shl	eax, 4
		mov	al, bl
		and	eax, 0F0Fh
		and	ebx, 0F00h

loc_71A3EF:				; CODE XREF: KiSetProcessorType()+98j
		mov	large byte ptr fs:135h,	1
		mov	large fs:134h, bh
		mov	large fs:136h, ax
		pop	ebx
		pop	esi
		pop	edi
		retn
_KiSetProcessorType@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSaveHiberContextWrapper(x)
_PopSaveHiberContextWrapper@4 proc near	; DATA XREF: PopInvokeSystemStateHandler+EFo

arg_0		= dword	ptr  8

		push	ebp
		mov	ebp, esp
		push	edi
		cmp	large byte ptr fs:51h, 0
		jnz	short loc_71A43F
		mov	edi, offset _PoWakeState
		mov	ecx, 320h
		xor	eax, eax
		push	edi
		rep stosb
		call	_KeSaveStateForHibernate
		add	esp, 4
		call	PopHiberCheckResume
		test	al, al
		mov	eax, 40000294h
		jnz	short loc_71A447

loc_71A43F:				; CODE XREF: PopSaveHiberContextWrapper(x)+Cj
		push	[ebp+arg_0]
		call	PopSaveHiberContext

loc_71A447:				; CODE XREF: PopSaveHiberContextWrapper(x)+31j
		pop	edi
		pop	ebp
		retn	4
_PopSaveHiberContextWrapper@4 endp ; sp	= -4

; 

; __stdcall KiRemoveModelSpecificUnsupportedFeatures(x,	x)
_KiRemoveModelSpecificUnsupportedFeatures@8: ; CODE XREF: PAGELK:0072749Ep
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, ecx
		mov	ebx, edx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp-4], eax
		xor	edi, edi
		cmp	byte ptr [eax+3BEh], 2
		jnz	short loc_71A47B
		mov	cl, [eax+14h]
		cmp	cl, 10h
		jz	short loc_71A476
		cmp	cl, 12h
		jnz	short loc_71A47B

loc_71A476:				; CODE XREF: PAGELK:0071A46Fj
		push	40h
		xor	esi, esi
		pop	edi

loc_71A47B:				; CODE XREF: PAGELK:0071A467j
					; PAGELK:0071A474j
		cmp	dword ptr [eax+3CCh], 0
		jz	short loc_71A49F
		xor	ecx, ecx
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, [eax+3D50h]
		mov	eax, [eax+3D54h]
		and	ecx, esi
		and	eax, edi
		or	ecx, eax
		jnz	short loc_71A4AD

loc_71A49F:				; CODE XREF: PAGELK:0071A482j
		not	esi
		not	edi
		and	[ebx], esi
		and	[ebx+4], edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_71A4AD:				; CODE XREF: PAGELK:0071A49Dj
		mov	eax, [ebp-4]
		xor	ecx, ecx
		push	dword ptr [eax+3CCh]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		push	dword ptr [eax+3D50h]
		push	esi
		push	4D535546h
		push	5Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 4 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 


; __stdcall PopAcquirePolicyLock()
_PopAcquirePolicyLock@0	proc near	; CODE XREF: PopHandleSystemRequiredPowerRequestsUpdate:loc_43CA58p
					; PopThermalSxExit+Fp ...
		mov	ecx, large fs:124h
		xor	dl, dl
		call	_PsBoostThreadIo@8 ; PsBoostThreadIo(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PopPolicyLock
		call	ExAcquireResourceExclusiveLite
		mov	eax, large fs:124h
		mov	ds:_PopPolicyLockThread, eax
		retn
_PopAcquirePolicyLock@0	endp


;  S U B	R O U T	I N E 


; __stdcall PopReleasePolicyLock()
_PopReleasePolicyLock@0	proc near	; CODE XREF: PopHandleSystemRequiredPowerRequestsUpdate+88p
					; PopThermalSxExit:loc_555F38p	...
		mov	edi, edi
		push	ecx
		and	ds:_PopPolicyLockThread, 0
		mov	ecx, offset _PopPolicyLock
		call	ExReleaseResourceLite
		call	PopCheckForWork
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, large fs:124h
		mov	dl, 1
		call	_PsBoostThreadIo@8 ; PsBoostThreadIo(x,x)
		pop	ecx
		retn
_PopReleasePolicyLock@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCompressWorkSpaceSizeLZNT1 proc near	; DATA XREF: .text:00403FB8o

arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0072835C SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	loc_72835C
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 8010h

loc_71A55B:				; CODE XREF: RtlCompressWorkSpaceSizeLZNT1+DE2Ej
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 1000h
		xor	eax, eax

loc_71A566:				; CODE XREF: RtlCompressWorkSpaceSizeLZNT1:loc_72837Aj
		pop	ebp
		retn	0Ch
RtlCompressWorkSpaceSizeLZNT1 endp

; 

KeInitThread:				; CODE XREF: KiInitializeIdleThread(x,x,x,x)+1Dp
					; PspAllocateThread+398p
		push	10h
		push	offset dword_6A0CE8
		call	__SEH_prolog4
		mov	ebx, edx
		mov	edi, ecx
		mov	[ebp-1Ch], edi
		lea	eax, [edi+8]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+1DCh]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+0ECh]
		push	4
		pop	ecx

loc_71A599:				; CODE XREF: PAGELK:0071A5A1j
		mov	[eax], edi
		lea	eax, [eax+18h]
		sub	ecx, 1
		jnz	short loc_71A599
		mov	edx, [ebp+1Ch]
		mov	ecx, [edx+64h]
		and	ecx, 1
		or	ecx, 8010h
		shl	ecx, 2
		mov	eax, [edi+5Ch]
		and	eax, 0FFFFFFFBh
		or	ecx, eax
		mov	[edi+5Ch], ecx
		mov	eax, ds:_KiShortExecutionCycles
		shl	eax, 4
		mov	[edi+44h], eax
		mov	dword ptr [edi+3Ch], offset _KeServiceDescriptorTable
		lea	eax, [edi+70h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+78h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[edi+80h], edx
		mov	[edi+150h], edx
		mov	eax, [edi+58h]
		or	eax, 4000h
		mov	[edi+58h], eax
		cmp	dword ptr [ebp+14h], 0
		jz	loc_71A722

loc_71A603:				; CODE XREF: PAGELK:0071A72Aj
		push	edi
		push	0
		push	offset KiSchedulerApc
		push	offset _KeSetDmaIoCoherency@4 ;	KeSetDmaIoCoherency(x)
		push	offset _KiSchedulerApcNop@20 ; KiSchedulerApcNop(x,x,x,x,x)
		push	0
		push	edi
		lea	eax, [edi+190h]
		push	eax
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	1
		push	0
		lea	eax, [edi+1C4h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	esi, [edi+0B8h]
		push	0
		push	esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		and	dword ptr [esi+20h], 0
		lea	eax, [edi+128h]
		mov	dword ptr [eax+8], 1020401h
		add	esi, 8
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_71A738
		mov	[eax], ecx
		mov	[eax+4], esi
		mov	[ecx+4], eax
		mov	[esi], eax
		mov	eax, [ebp+18h]
		mov	[edi+0A8h], eax
		mov	byte ptr [edi],	6
		mov	byte ptr [ebp+1Bh], 0
		test	ebx, ebx
		jnz	short loc_71A6BB
		mov	eax, large fs:124h
		movzx	ecx, word ptr [eax+168h]
		mov	eax, [ebp+20h]
		test	eax, eax
		jnz	loc_71A72F
		mov	eax, ecx
		mov	ecx, [ebp+1Ch]
		movzx	eax, word ptr [ecx+eax*2+70h]

loc_71A6A1:				; CODE XREF: PAGELK:0071A733j
		push	edi
		movzx	edx, ax
		push	8
		pop	ecx
		call	MmCreateKernelStack
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_72837F
		mov	byte ptr [ebp+1Bh], 1

loc_71A6BB:				; CODE XREF: PAGELK:0071A67Dj
		mov	[edi+20h], ebx
		mov	[edi+28h], ebx
		sub	ebx, ds:_KeKernelStackSize
		mov	[edi+24h], ebx
		mov	al, [edi+62h]
		and	al, 88h
		or	al, 8
		mov	[edi+62h], al
		cmp	ds:_KeHeteroSystem, 0
		jnz	loc_728389

loc_71A6E1:				; CODE XREF: PAGELK:00728391j
		mov	ecx, edi
		call	_KeAbInitializeThreadState@4 ; KeAbInitializeThreadState(x)
		mov	dword ptr [edi+228h], 1
		and	dword ptr [ebp-4], 0
		push	dword ptr [ebp+14h]
		push	dword ptr [ebp+10h]
		push	dword ptr [ebp+0Ch]
		mov	edx, [ebp+8]
		call	KiInitializeContextThread
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	eax, eax

loc_71A710:				; CODE XREF: PAGELK:00728384j
					; PAGELK:007283C9j
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_71A722:				; CODE XREF: PAGELK:0071A5FDj
		or	eax, 400h
		mov	[edi+58h], eax
		jmp	loc_71A603
; 

loc_71A72F:				; CODE XREF: PAGELK:0071A691j
		dec	eax
		movzx	eax, ax
		jmp	loc_71A6A1
; 

loc_71A738:				; CODE XREF: PAGELK:0071A65Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 277. EmClientQueryRuleState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EmClientQueryRuleState(void *,int)
		public EmClientQueryRuleState
EmClientQueryRuleState proc near	; CODE XREF: PopFilterCapabilities+64p
					; PoInitHiberServices+6Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 007283CE SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		push	edi
		cmp	[ebp+arg_0], esi
		jz	loc_7283D8
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_7283D8
		mov	dword ptr [edi], 1
		call	_EmpAcquirePagingReference@0 ; EmpAcquirePagingReference()
		test	al, al
		jz	loc_7283CE
		push	ebx
		xor	edx, edx
		mov	ecx, offset _EmpDatabaseLock
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+arg_0] ; void	*
		call	_EmpSearchRuleDatabase@4 ; EmpSearchRuleDatabase(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_71A7D7
		mov	ecx, ebx
		call	_EmpSearchTargetRuleList@4 ; EmpSearchTargetRuleList(x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_71A7D7
		lock inc dword ptr [eax]
		xor	edx, edx
		call	EmpUpdateRuleState
		mov	eax, [ebp+arg_0]
		lock dec dword ptr [eax]
		mov	eax, [ebx+10h]
		mov	[edi], eax

loc_71A7B0:				; CODE XREF: EmClientQueryRuleState+9Aj
		or	eax, 0FFFFFFFFh
		mov	edi, offset _EmpDatabaseLock
		lock xadd [edi], eax
		and	al, 6
		pop	ebx
		cmp	al, 2
		jz	short loc_71A7DE

loc_71A7C3:				; CODE XREF: EmClientQueryRuleState+A3j
		mov	ecx, edi
		call	KeAbPostRelease
		call	EmpReleasePagingReference

loc_71A7CF:				; CODE XREF: EmClientQueryRuleState+DC91j
					; EmClientQueryRuleState+DC9Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
; 

loc_71A7D7:				; CODE XREF: EmClientQueryRuleState+49j
					; EmClientQueryRuleState+57j
		mov	esi, 0C0000225h
		jmp	short loc_71A7B0
; 

loc_71A7DE:				; CODE XREF: EmClientQueryRuleState+7Fj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_71A7C3
EmClientQueryRuleState endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 279. EmClientRuleEvaluate

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EmClientRuleEvaluate(void *,int,int,int)
		public EmClientRuleEvaluate
EmClientRuleEvaluate proc near		; CODE XREF: PopPepInitializeVetoMasks(x,x)+F5p
					; PoRegisterPowerSettingCallback+234p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 007283E2 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		push	edi
		jz	loc_7283E2
		cmp	[ebp+arg_4], 0
		jz	loc_7283E2
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	loc_7283E2
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	loc_7283E2
		mov	dword ptr [esi], 1
		call	_EmpAcquirePagingReference@0 ; EmpAcquirePagingReference()
		test	al, al
		jz	short loc_71A891
		push	ebx
		mov	ebx, offset _EmpDatabaseLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+arg_0] ; void	*
		call	_EmpSearchRuleDatabase@4 ; EmpSearchRuleDatabase(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_71A898
		call	_EmpSearchTargetRuleList@4 ; EmpSearchTargetRuleList(x)
		test	eax, eax
		jz	short loc_71A898
		cmp	edi, [ecx+28h]
		jnz	short loc_71A89F
		mov	edx, [ebp+arg_4]
		mov	ecx, eax
		push	edi
		call	EmpEvaluateTargetRule
		mov	[esi], eax
		xor	esi, esi

loc_71A866:				; CODE XREF: EmClientRuleEvaluate+B1j
					; EmClientRuleEvaluate+B8j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_71A888

loc_71A873:				; CODE XREF: EmClientRuleEvaluate+A3j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	EmpReleasePagingReference
		pop	ebx

loc_71A880:				; CODE XREF: EmClientRuleEvaluate+AAj
					; EmClientRuleEvaluate+DBFBj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_71A888:				; CODE XREF: EmClientRuleEvaluate+85j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_71A873
; 

loc_71A891:				; CODE XREF: EmClientRuleEvaluate+3Ej
		mov	esi, 0C0000006h
		jmp	short loc_71A880
; 

loc_71A898:				; CODE XREF: EmClientRuleEvaluate+5Bj
					; EmClientRuleEvaluate+64j
		mov	esi, 0C0000225h
		jmp	short loc_71A866
; 

loc_71A89F:				; CODE XREF: EmClientRuleEvaluate+69j
		mov	esi, 0C000000Dh
		jmp	short loc_71A866
EmClientRuleEvaluate endp


;  S U B	R O U T	I N E 


; __stdcall EmpAcquirePagingReference()
_EmpAcquirePagingReference@0 proc near	; CODE XREF: EmClientQueryRuleState+23p
					; EmClientRuleEvaluate+37p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, offset _EmpPagingLock
		xor	edx, edx
		mov	ecx, esi
		xor	bl, bl
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, ds:dword_6CDC44
		test	ecx, ecx
		jns	short loc_71A8D8
		lea	eax, [ecx+1]
		xor	eax, ecx
		and	eax, 7FFFFFFFh
		xor	ecx, eax
		inc	bl
		mov	ds:dword_6CDC44, ecx

loc_71A8D8:				; CODE XREF: EmpAcquirePagingReference()+1Cj
		or	edx, 0FFFFFFFFh
		lock xadd [esi], edx
		and	dl, 6
		cmp	dl, 2
		jz	short loc_71A8F3

loc_71A8E7:				; CODE XREF: EmpAcquirePagingReference()+54j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_71A8F3:				; CODE XREF: EmpAcquirePagingReference()+3Fj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_71A8E7
_EmpAcquirePagingReference@0 endp


;  S U B	R O U T	I N E 


EmpReleasePagingReference proc near	; CODE XREF: EmClientQueryRuleState+88p
					; EmClientRuleEvaluate+8Ep

; FUNCTION CHUNK AT 007283EC SIZE 0000000F BYTES

		mov	edi, edi
		push	esi
		mov	esi, offset _EmpPagingLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, ds:dword_6CDC44
		mov	edx, 7FFFFFFFh
		lea	eax, [ecx-1]
		xor	eax, ecx
		and	eax, edx
		xor	ecx, eax
		mov	ds:dword_6CDC44, ecx
		test	ecx, edx
		jnz	short loc_71A938
		mov	eax, ds:_EmpPagingStatus
		test	eax, eax
		jnz	loc_7283EC

loc_71A938:				; CODE XREF: EmpReleasePagingReference+2Dj
					; EmpReleasePagingReference+DAFAj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_71A94D

loc_71A945:				; CODE XREF: EmpReleasePagingReference+58j
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
; 

loc_71A94D:				; CODE XREF: EmpReleasePagingReference+47j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_71A945
EmpReleasePagingReference endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCompressBufferLZNT1 proc near	; DATA XREF: .text:00403FCCo

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 007283FB SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_8]
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		add	eax, ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	bl, 1
		add	edx, edi
		mov	[ebp+arg_4], eax
		cmp	word ptr [ebp+arg_0], 0
		mov	[ebp+arg_8], edx
		jnz	loc_7283FB
		mov	eax, offset _LZNT1FindMatchStandard@8 ;	LZNT1FindMatchStandard(x,x)

loc_71A98B:				; CODE XREF: RtlCompressBufferLZNT1+DAB5j
		mov	[ebp+arg_0], eax
		mov	esi, ecx
		cmp	edi, edx
		jnb	short loc_71A9C9

loc_71A994:				; CODE XREF: RtlCompressBufferLZNT1+6Ej
		push	[ebp+arg_1C]
		lea	ecx, [ebp+var_4]
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, eax
		push	esi
		push	edx
		mov	edx, edi
		call	LZNT1CompressChunk
		test	eax, eax
		js	short loc_71A9EB
		test	bl, bl
		jnz	short loc_71A9F2

loc_71A9B1:				; CODE XREF: RtlCompressBufferLZNT1+A1j
		xor	bl, bl

loc_71A9B3:				; CODE XREF: RtlCompressBufferLZNT1+A5j
		add	esi, [ebp+var_4]
		add	edi, 1000h
		mov	edx, [ebp+arg_8]
		mov	eax, [ebp+arg_0]
		cmp	edi, edx
		jb	short loc_71A994
		mov	ecx, [ebp+arg_C]

loc_71A9C9:				; CODE XREF: RtlCompressBufferLZNT1+3Cj
		mov	eax, [ebp+arg_4]
		add	eax, 0FFFFFFFEh
		cmp	esi, eax
		ja	short loc_71A9D8
		mov	word ptr [esi],	0

loc_71A9D8:				; CODE XREF: RtlCompressBufferLZNT1+7Bj
		mov	eax, [ebp+arg_18]
		sub	esi, ecx
		mov	[eax], esi
		movzx	eax, bl
		neg	eax
		sbb	eax, eax
		and	eax, 117h

loc_71A9EB:				; CODE XREF: RtlCompressBufferLZNT1+55j
					; RtlCompressBufferLZNT1+DABFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_71A9F2:				; CODE XREF: RtlCompressBufferLZNT1+59j
		cmp	eax, 117h
		jnz	short loc_71A9B1
		mov	bl, 1
		jmp	short loc_71A9B3
RtlCompressBufferLZNT1 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LZNT1CompressChunk proc	near		; CODE XREF: RtlCompressBufferLZNT1+4Ep

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0072841A SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, edx
		mov	[ebp+var_30], ecx
		xor	ch, ch
		mov	[ebp+var_14], esi
		xor	edx, edx
		mov	[ebp+var_2], ch
		push	edi
		lea	eax, [esi+1000h]
		mov	[ebp+var_10], edx
		cmp	eax, ebx
		jnb	short loc_71AA2F
		mov	ebx, eax
		mov	[ebp+arg_0], ebx

loc_71AA2F:				; CODE XREF: LZNT1CompressChunk+28j
		mov	edx, [ebp+arg_4]
		mov	edi, [ebp+arg_8]
		lea	eax, [edx+0FFFh]
		mov	[ebp+var_1C], eax
		cmp	eax, edi
		jnb	loc_72841A

loc_71AA46:				; CODE XREF: LZNT1CompressChunk+DA1Dj
		lea	eax, [edx+2]
		mov	[ebp+var_18], 0
		mov	edi, eax
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_10]
		mov	edx, esi
		mov	[ebp+var_28], edi
		xor	cl, cl
		inc	edi
		mov	[ebp+var_1], cl
		cmp	edx, ebx
		mov	[eax], edx
		mov	edx, 0
		mov	[eax+4], ebx
		mov	dword ptr [eax+8], 1002h
		jnb	short loc_71AAF2
		mov	eax, offset _FormatMaxDisplacement
		mov	[ebp+var_2C], eax

loc_71AA80:				; CODE XREF: LZNT1CompressChunk+E2j
		mov	eax, [eax]
		add	eax, [ebp+var_14]
		cmp	eax, esi
		jb	loc_71AC80

loc_71AA8D:				; CODE XREF: LZNT1CompressChunk+2A4j
		lea	eax, [esi+3]
		cmp	eax, ebx
		ja	short loc_71AAA5
		push	[ebp+arg_10]
		push	esi
		call	[ebp+var_30]
		mov	ecx, eax
		test	ecx, ecx
		jnz	loc_71AB34

loc_71AAA5:				; CODE XREF: LZNT1CompressChunk+92j
		cmp	edi, [ebp+var_1C]
		jnb	short loc_71AAE4
		mov	al, [esi]
		mov	ecx, 1
		or	[ebp+var_2], al
		movzx	edx, [ebp+var_1]
		mov	[edi], al
		mov	eax, [ebp+var_18]
		btr	edx, eax

loc_71AAC0:				; CODE XREF: LZNT1CompressChunk+221j
		add	esi, ecx
		inc	edi
		mov	ecx, [ebp+var_18]
		mov	eax, edi
		inc	ecx
		and	ecx, 7
		mov	[ebp+var_18], ecx
		mov	cl, dl
		mov	[ebp+var_1], cl
		jz	loc_71AC26

loc_71AADA:				; CODE XREF: LZNT1CompressChunk+242j
		cmp	esi, ebx

loc_71AADC:				; CODE XREF: LZNT1CompressChunk+22Dj
		mov	edx, [ebp+var_10]
		mov	eax, [ebp+var_2C]
		jb	short loc_71AA80

loc_71AAE4:				; CODE XREF: LZNT1CompressChunk+A8j
					; LZNT1CompressChunk+13Dj
		cmp	esi, ebx
		jb	loc_71AD2C
		mov	cl, [ebp+var_1]
		mov	ch, [ebp+var_2]

loc_71AAF2:				; CODE XREF: LZNT1CompressChunk+76j
		mov	eax, [ebp+var_28]
		cmp	eax, [ebp+var_1C]
		jnb	loc_728439
		mov	[eax], cl

loc_71AB00:				; CODE XREF: LZNT1CompressChunk+DA3Aj
		mov	edx, [ebp+arg_4]
		sub	edi, edx
		mov	eax, [ebp+arg_C]
		mov	[eax], edi
		lea	eax, [edi-3]
		and	eax, 0FFFh
		or	ah, 0B0h
		test	dl, 1
		jnz	loc_71AD02
		mov	[edx], ax

loc_71AB21:				; CODE XREF: LZNT1CompressChunk+30Aj
		test	ch, ch
		jz	loc_71ACF4

loc_71AB29:				; CODE XREF: LZNT1CompressChunk+DA2Aj
		xor	eax, eax

loc_71AB2B:				; CODE XREF: LZNT1CompressChunk+DA34j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_71AB34:				; CODE XREF: LZNT1CompressChunk+9Fj
		lea	eax, [edi+1]
		mov	[ebp+var_34], eax
		cmp	eax, [ebp+var_1C]
		jnb	short loc_71AAE4
		mov	eax, [ebp+var_18]
		mov	ebx, [ebp+arg_10]
		movzx	edx, [ebp+var_1]
		bts	edx, eax
		mov	ax, si
		sub	ax, [ebx+0Ch]
		dec	ax
		movzx	ebx, cx
		cmp	[ebp+var_10], 0
		movzx	eax, ax
		mov	[ebp+var_20], ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_C], eax
		jz	loc_71ACDD
		cmp	[ebp+var_10], 1
		movzx	eax, ax
		mov	[ebp+var_C], eax
		jz	loc_71AD0F
		cmp	[ebp+var_10], 2
		movzx	eax, ax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_20]
		movzx	ebx, ax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_24], ebx
		mov	ebx, [ebp+arg_0]
		jz	loc_71ACC6
		cmp	[ebp+var_10], 3
		movzx	eax, ax
		mov	[ebp+var_20], eax
		jz	loc_71ACA9
		cmp	[ebp+var_10], 4
		movzx	eax, ax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_24]
		movzx	ebx, ax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_20], ebx
		mov	ebx, [ebp+arg_0]
		jz	loc_71AC6E
		cmp	[ebp+var_10], 5
		mov	ebx, [ebp+var_20]
		movzx	ebx, bx
		movzx	eax, ax
		mov	[ebp+var_20], ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_24], eax
		jz	short loc_71AC5C
		movzx	eax, ax
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_20]
		add	eax, 0FFFFFFFDh
		movzx	eax, ax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_10]
		cmp	eax, 6
		jz	short loc_71AC50
		cmp	eax, 7
		mov	eax, [ebp+var_24]
		jz	short loc_71AC47
		shl	eax, 4
		and	[ebp+var_C], 0Fh

loc_71AC0D:				; CODE XREF: LZNT1CompressChunk+24Ej
					; LZNT1CompressChunk+25Aj
		or	eax, [ebp+var_C]

loc_71AC10:				; CODE XREF: LZNT1CompressChunk+26Cj
					; LZNT1CompressChunk+27Ej ...
		mov	[edi], al
		mov	edi, [ebp+var_34]
		mov	word ptr [ebp+var_8], ax
		mov	eax, [ebp+var_8]
		shr	eax, 8
		mov	[edi], al
		jmp	loc_71AAC0
; 

loc_71AC26:				; CODE XREF: LZNT1CompressChunk+D4j
		mov	[ebp+var_1], dl
		mov	edi, eax
		cmp	esi, ebx
		jnb	loc_71AADC
		mov	ecx, [ebp+var_28]
		lea	edi, [eax+1]
		mov	[ebp+var_1], 0
		mov	[ebp+var_28], eax
		mov	[ecx], dl
		jmp	loc_71AADA
; 

loc_71AC47:				; CODE XREF: LZNT1CompressChunk+204j
		shl	eax, 5
		and	[ebp+var_C], 1Fh
		jmp	short loc_71AC0D
; 

loc_71AC50:				; CODE XREF: LZNT1CompressChunk+1FCj
		mov	eax, [ebp+var_24]
		shl	eax, 6
		and	[ebp+var_C], 3Fh
		jmp	short loc_71AC0D
; 

loc_71AC5C:				; CODE XREF: LZNT1CompressChunk+1E2j
		mov	eax, [ebp+var_20]
		shl	[ebp+var_24], 7
		add	eax, 0FFFFFFFDh
		and	eax, 7Fh
		or	eax, [ebp+var_24]
		jmp	short loc_71AC10
; 

loc_71AC6E:				; CODE XREF: LZNT1CompressChunk+1C6j
		mov	eax, [ebp+var_20]
		shl	[ebp+var_C], 8
		add	eax, 0FFFFFFFDh
		movzx	eax, al
		or	eax, [ebp+var_C]
		jmp	short loc_71AC10
; 

loc_71AC80:				; CODE XREF: LZNT1CompressChunk+87j
					; LZNT1CompressChunk+299j
		mov	ecx, ds:dword_731038[edx*4]
		inc	edx
		lea	eax, _FormatMaxDisplacement[edx*4]
		mov	[ebp+var_2C], eax
		mov	eax, [eax]
		add	eax, [ebp+var_14]
		cmp	eax, esi
		jb	short loc_71AC80
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_10], edx
		mov	[eax+8], ecx
		jmp	loc_71AA8D
; 

loc_71ACA9:				; CODE XREF: LZNT1CompressChunk+1A7j
		mov	ebx, [ebp+var_24]
		shl	[ebp+var_20], 9
		movzx	eax, bx
		mov	ebx, [ebp+arg_0]
		add	eax, 0FFFFFFFDh
		and	eax, 1FFh
		or	eax, [ebp+var_20]
		jmp	loc_71AC10
; 

loc_71ACC6:				; CODE XREF: LZNT1CompressChunk+197j
		mov	eax, [ebp+var_24]
		shl	[ebp+var_C], 0Ah
		add	eax, 0FFFFFFFDh
		and	eax, 3FFh
		or	eax, [ebp+var_C]
		jmp	loc_71AC10
; 

loc_71ACDD:				; CODE XREF: LZNT1CompressChunk+168j
		mov	eax, [ebp+var_20]
		shl	[ebp+var_C], 0Ch
		add	eax, 0FFFFFFFDh
		and	eax, 0FFFh
		or	eax, [ebp+var_C]
		jmp	loc_71AC10
; 

loc_71ACF4:				; CODE XREF: LZNT1CompressChunk+123j
		pop	edi
		pop	esi
		mov	eax, 117h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_71AD02:				; CODE XREF: LZNT1CompressChunk+118j
		mov	[edx], al
		shr	eax, 8
		mov	[edx+1], al
		jmp	loc_71AB21
; 

loc_71AD0F:				; CODE XREF: LZNT1CompressChunk+178j
		mov	ebx, [ebp+var_20]
		shl	[ebp+var_C], 0Bh
		movzx	eax, bx
		mov	ebx, [ebp+arg_0]
		add	eax, 0FFFFFFFDh
		and	eax, 7FFh
		or	eax, [ebp+var_C]
		jmp	loc_71AC10
; 

loc_71AD2C:				; CODE XREF: LZNT1CompressChunk+E6j
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_14]
		add	eax, 2
		sub	ebx, ecx
		add	eax, ebx
		cmp	eax, [ebp+arg_8]
		ja	loc_72842F
		push	ebx		; size_t
		push	ecx		; void *
		push	[ebp+var_38]	; void *
		call	_memcpy
		mov	eax, [ebp+arg_C]
		lea	ecx, [ebx+2]
		add	esp, 0Ch
		mov	[eax], ecx
		add	ecx, 0FFFFFFFDh
		mov	eax, [ebp+arg_4]
		and	ecx, 0FFFh
		or	ch, 30h
		test	al, 1
		jnz	loc_728422
		pop	edi
		pop	esi
		mov	[eax], cx
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
LZNT1CompressChunk endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LZNT1FindMatchStandard(x, x)
_LZNT1FindMatchStandard@8 proc near	; DATA XREF: RtlCompressBufferLZNT1+30o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	edx, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	eax, [edx]
		mov	[ebp+var_10], eax
		mov	al, [ebx]
		mov	cl, [ebx+2]
		mov	ah, [ebx+1]
		mov	[ebp+var_1], cl
		movzx	ecx, al
		mov	[ebp+var_2], al
		mov	[ebp+var_3], ah
		movzx	eax, ah
		shl	ecx, 4
		xor	ecx, eax
		mov	esi, [edx+8]
		movzx	eax, [ebp+var_1]
		shl	ecx, 4
		xor	ecx, eax
		imul	eax, ecx, 0FFFF9E5Fh
		lea	ecx, [edx+10h]
		push	edi
		mov	edi, [edx+4]
		xor	edx, edx
		sar	eax, 4
		and	eax, 0FFFh
		lea	ecx, [ecx+eax*8]
		lea	eax, ds:14h[eax*8]
		mov	[ebp+var_18], ecx
		add	eax, [ebp+arg_4]
		mov	ecx, [ecx]
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], ecx
		mov	eax, [eax]
		mov	[ebp+var_8], eax
		xor	eax, eax
		cmp	ecx, [ebp+var_10]
		jb	short loc_71AE46
		cmp	ecx, ebx
		jnb	short loc_71AE46
		mov	bl, [ebp+var_2]
		cmp	[ecx], bl
		mov	ebx, [ebp+arg_0]
		jnz	short loc_71AE46
		mov	bl, [ebp+var_3]
		cmp	[ecx+1], bl
		mov	ebx, [ebp+arg_0]
		jnz	short loc_71AE46
		mov	bl, [ebp+var_1]
		cmp	[ecx+2], bl
		mov	ebx, [ebp+arg_0]
		jnz	short loc_71AE46
		mov	edx, 3
		cmp	esi, edx
		jbe	short loc_71AE46
		lea	eax, [ebx+3]
		mov	ebx, ecx
		sub	ebx, [ebp+arg_0]
		lea	ecx, [ecx+0]

loc_71AE30:				; CODE XREF: LZNT1FindMatchStandard(x,x)+BFj
		cmp	eax, edi
		jnb	short loc_71AE41
		mov	cl, [eax]
		cmp	cl, [ebx+eax]
		jnz	short loc_71AE41
		inc	edx
		inc	eax
		cmp	edx, esi
		jb	short loc_71AE30

loc_71AE41:				; CODE XREF: LZNT1FindMatchStandard(x,x)+B2j
					; LZNT1FindMatchStandard(x,x)+B9j
		mov	ebx, [ebp+arg_0]
		xor	eax, eax

loc_71AE46:				; CODE XREF: LZNT1FindMatchStandard(x,x)+76j
					; LZNT1FindMatchStandard(x,x)+7Aj ...
		mov	ecx, [ebp+var_8]
		cmp	ecx, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		jnb	short loc_71AE74

loc_71AE51:				; CODE XREF: LZNT1FindMatchStandard(x,x)+F7j
					; LZNT1FindMatchStandard(x,x)+107j ...
		mov	esi, [ebp+var_14]
		pop	edi
		mov	[esi], ecx
		mov	esi, [ebp+var_18]
		mov	[esi], ebx
		pop	esi
		pop	ebx
		cmp	edx, eax
		jb	loc_71AEE2
		mov	eax, [ebp+arg_4]
		mov	[eax+0Ch], ecx
		mov	eax, edx

loc_71AE6E:				; CODE XREF: LZNT1FindMatchStandard(x,x)+16Bj
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_71AE74:				; CODE XREF: LZNT1FindMatchStandard(x,x)+CFj
		cmp	[ebp+var_8], ebx
		jnb	short loc_71AE51
		mov	ebx, [ebp+var_8]
		mov	cl, [ebp+var_2]
		cmp	[ebx], cl
		mov	ecx, [ebp+var_C]
		mov	ebx, [ebp+arg_0]
		jnz	short loc_71AE51
		mov	ecx, [ebp+var_8]
		mov	bl, [ebp+var_3]
		cmp	[ecx+1], bl
		mov	ecx, [ebp+var_C]
		mov	ebx, [ebp+arg_0]
		jnz	short loc_71AE51
		mov	ebx, [ebp+var_8]
		mov	cl, [ebp+var_1]
		cmp	[ebx+2], cl
		mov	ecx, [ebp+var_C]
		mov	ebx, [ebp+arg_0]
		jnz	short loc_71AE51
		mov	eax, 3
		mov	[ebp+var_10], eax
		cmp	esi, eax
		jbe	short loc_71AE51
		lea	ecx, [ebx+3]
		mov	ebx, [ebp+var_8]
		sub	ebx, [ebp+arg_0]

loc_71AEC0:				; CODE XREF: LZNT1FindMatchStandard(x,x)+155j
		cmp	ecx, edi
		jnb	short loc_71AED7
		mov	al, [ecx]
		cmp	al, [ebx+ecx]
		mov	eax, [ebp+var_10]
		jnz	short loc_71AED7
		inc	eax
		inc	ecx
		mov	[ebp+var_10], eax
		cmp	eax, esi
		jb	short loc_71AEC0

loc_71AED7:				; CODE XREF: LZNT1FindMatchStandard(x,x)+142j
					; LZNT1FindMatchStandard(x,x)+14Cj
		mov	ecx, [ebp+var_C]
		mov	ebx, [ebp+arg_0]
		jmp	loc_71AE51
; 

loc_71AEE2:				; CODE XREF: LZNT1FindMatchStandard(x,x)+E0j
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+var_8]
		mov	[ecx+0Ch], edx
		jmp	loc_71AE6E
_LZNT1FindMatchStandard@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KiCloneDescriptor(void *)
KiCloneDescriptor proc near		; CODE XREF: KiInitializeProcessorState(x,x,x,x,x,x,x,x,x,x)+68p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		movzx	esi, word ptr [ecx+2]
		inc	esi
		push	esi		; size_t
		push	dword ptr [ecx+4] ; void *
		lea	eax, [esi-1]
		mov	[edx+2], ax
		mov	eax, [ebp+arg_0]
		push	eax		; void *
		mov	[edx+4], eax
		call	_memcpy
		add	esp, 0Ch
		pop	esi
		pop	ebp
		retn	4
KiCloneDescriptor endp


;  S U B	R O U T	I N E 


; __stdcall KiComputeProcessorDataSize(x)
_KiComputeProcessorDataSize@4 proc near	; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+F7p
					; KeStartAllProcessors+103p
		shl	ecx, 5
		lea	eax, [ecx+603Fh]
		and	eax, 0FFFFFFC0h
		add	eax, 680h
		retn
_KiComputeProcessorDataSize@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopStartMirroring()
_PopStartMirroring@0 proc near		; DATA XREF: PopTransitionToSleep+57o
		xor	eax, eax
		retn
_PopStartMirroring@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall WheapDefaultErrSrcInitialize(x, x, x)
_WheapDefaultErrSrcInitialize@12 proc near ; DATA XREF:	WheaUnconfigureErrorSource(x)+8Fo
					; WheapSetDefaultErrorSourceConfiguration()+14o
		xor	eax, eax
		retn	0Ch
_WheapDefaultErrSrcInitialize@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall xHalDpUnmaskLevelTriggeredInterrupts()
_xHalDpUnmaskLevelTriggeredInterrupts@0	proc near ; CODE XREF: PnprQuiesceProcessors()+E4p
					; PnprWakeProcessors()+BBj
					; DATA XREF: ...
		mov	eax, 0C00000BBh
		retn
_xHalDpUnmaskLevelTriggeredInterrupts@0	endp


;  S U B	R O U T	I N E 


; __stdcall xHalDpReplaceControl(x, x)
_xHalDpReplaceControl@8	proc near	; CODE XREF: PnprEndMirroring(x)+40p
					; PnprInitiateReplaceOperation()+1C0p ...
		mov	eax, 0C00000BBh
		retn	8
_xHalDpReplaceControl@8	endp


;  S U B	R O U T	I N E 


; __stdcall xHalLocateHiberRanges(x)
_xHalLocateHiberRanges@4 proc near	; CODE XREF: PopMarkComponentsBootPhase+C8p
					; PopHiberCheckResume+59p ...
		retn	4
_xHalLocateHiberRanges@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall xHalDpReplayInterrupts(x)
_xHalDpReplayInterrupts@4 proc near	; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+2E0p
					; DATA XREF: .data:off_6B12C0o
		mov	eax, 0C00000BBh
		retn	4
_xHalDpReplayInterrupts@4 endp


;  S U B	R O U T	I N E 


; __stdcall xHalPciEarlyRestore(x)
_xHalPciEarlyRestore@4 proc near	; CODE XREF: PopHiberCheckResume+8Ep
					; DATA XREF: .data:off_6B1328o
		xor	eax, eax
		retn	4
_xHalPciEarlyRestore@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall xHalPciMarkHiberPhase()
_xHalPciMarkHiberPhase@0 proc near	; DATA XREF: .data:006B1348o
		retn	0
_xHalPciMarkHiberPhase@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall xHalPciMultiStageResumeCapable()
_xHalPciMultiStageResumeCapable@0 proc near ; CODE XREF: PopSaveHiberContext:loc_71D718p
					; DATA XREF: .data:off_6B1370o
		mov	al, 1
		retn
_xHalPciMultiStageResumeCapable@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall xHalSetWakeAlarm(x,	x, x, x)
_xHalSetWakeAlarm@16 proc near		; CODE XREF: PAGELK:0071F255p
					; PAGELK:0071F859p
					; DATA XREF: ...
		mov	eax, 0C00000BBh
		retn	10h
_xHalSetWakeAlarm@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpScenCtxScenarioSet proc near		; CODE XREF: PfPowerActionNotify+A0p
					; PfPowerActionNotify+ACp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0072843F SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		push	edi
		mov	edi, [ebp+arg_0]
		inc	ebx
		mov	esi, ecx
		cmp	edi, 5
		jz	loc_71B069
		cmp	edi, ebx
		jz	loc_71B069
		cmp	edi, 2
		jz	loc_71B069

loc_71AF9E:				; CODE XREF: PfpScenCtxScenarioSet+10Bj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		test	edi, edi
		jnz	short loc_71AFF9
		mov	eax, [ebp+var_4]
		cmp	[esi+1Ch], eax
		jz	short loc_71AFF9

loc_71AFC1:				; CODE XREF: PfpScenCtxScenarioSet+CFj
					; PfpScenCtxScenarioSet+F2j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_71B05D

loc_71AFD2:				; CODE XREF: PfpScenCtxScenarioSet+FEj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[ebp+var_C], 0
		jnz	loc_72843F

loc_71AFE8:				; CODE XREF: PfpScenCtxScenarioSet+D4E1j
		cmp	[ebp+var_8], 0
		jnz	loc_72844C

loc_71AFF2:				; CODE XREF: PfpScenCtxScenarioSet+D4F0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_71AFF9:				; CODE XREF: PfpScenCtxScenarioSet+51j
					; PfpScenCtxScenarioSet+59j
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_71B076
		push	ebx
		push	0
		mov	edx, eax
		mov	ecx, esi
		call	PfpScenCtxPrefetchStateSet
		mov	ecx, esi
		call	PfpScenCtxWaiterTimedOut
		mov	eax, [esi+1Ch]
		and	dword ptr [esi+18h], 0
		and	dword ptr [esi+4], 0FFFFFFF3h
		test	eax, eax
		jz	short loc_71B076

loc_71B022:				; CODE XREF: PfpScenCtxScenarioSet+112j
		mov	ecx, ebx

loc_71B024:				; CODE XREF: PfpScenCtxScenarioSet+116j
		mov	[esi+1Ch], edi
		test	edi, edi
		jz	short loc_71B02E
		inc	dword ptr [esi+20h]

loc_71B02E:				; CODE XREF: PfpScenCtxScenarioSet+C3j
		cmp	edi, 3
		jz	short loc_71B07E

loc_71B033:				; CODE XREF: PfpScenCtxScenarioSet+11Ej
		test	ecx, ecx
		jz	short loc_71AFC1
		test	edi, edi
		jz	short loc_71B04D
		cmp	[ebp+var_C], 0
		jz	short loc_71B086
		lea	edx, [ebp+var_C]
		mov	ecx, esi
		call	PfpServiceMainThreadBoost
		xor	ebx, ebx

loc_71B04D:				; CODE XREF: PfpScenCtxScenarioSet+D3j
					; PfpScenCtxScenarioSet+123j
		push	0
		push	ebx
		push	dword ptr [esi+28h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_71AFC1
; 

loc_71B05D:				; CODE XREF: PfpScenCtxScenarioSet+66j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_71AFD2
; 

loc_71B069:				; CODE XREF: PfpScenCtxScenarioSet+21j
					; PfpScenCtxScenarioSet+29j ...
		lea	edx, [ebp+var_C]
		call	PfpServiceMainThreadBoostPrep
		jmp	loc_71AF9E
; 

loc_71B076:				; CODE XREF: PfpScenCtxScenarioSet+98j
					; PfpScenCtxScenarioSet+BAj
		test	edi, edi
		jnz	short loc_71B022
		xor	ecx, ecx
		jmp	short loc_71B024
; 

loc_71B07E:				; CODE XREF: PfpScenCtxScenarioSet+CBj
		mov	eax, [ebp+arg_4]
		mov	[esi+24h], eax
		jmp	short loc_71B033
; 

loc_71B086:				; CODE XREF: PfpScenCtxScenarioSet+D9j
		push	4
		pop	ebx
		jmp	short loc_71B04D
PfpScenCtxScenarioSet endp

; 
		align 4

;  S U B	R O U T	I N E 


MmPerformMemoryListCommand proc	near	; CODE XREF: PfPowerActionNotify+D9p
					; PfpPowerActionStartScenarioTracing(x)+1Cp ...

; FUNCTION CHUNK AT 0072845B SIZE 0000004C BYTES

		mov	edi, edi
		push	ecx
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		sub	ecx, 0
		jz	short loc_71B0B0
		sub	ecx, 1
		jnz	loc_72845B
		xor	edx, edx
		inc	edx

loc_71B0A5:				; CODE XREF: MmPerformMemoryListCommand+26j
		mov	ecx, eax
		call	_MiCaptureAllWorkingSetAccessBits@8 ; MiCaptureAllWorkingSetAccessBits(x,x)

loc_71B0AC:				; CODE XREF: MmPerformMemoryListCommand+D3F9j
					; MmPerformMemoryListCommand+D40Aj ...
		xor	eax, eax
		pop	ecx
		retn
; 

loc_71B0B0:				; CODE XREF: MmPerformMemoryListCommand+Bj
		xor	edx, edx
		jmp	short loc_71B0A5
MmPerformMemoryListCommand endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnBeginBootPhase proc	near		; CODE XREF: PfPowerActionNotify+95p
					; PfSnSetPrefetcherInformation+14Dp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 007284A7 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		push	esi
		push	edi
		cmp	ecx, 5
		jnb	loc_7284A7
		xor	esi, esi
		sub	ecx, esi
		jz	short loc_71B13B
		sub	ecx, 1
		jz	short loc_71B134
		sub	ecx, 1
		jnz	short loc_71B0F6
		xor	edx, edx
		push	4
		inc	edx
		pop	ecx
		call	PfSnUpdatePrefetcherFlags
		push	11h
		xor	edx, edx
		pop	ecx

loc_71B0E9:				; CODE XREF: PfSnBeginBootPhase+85j
		call	PfSnUpdatePrefetcherFlags

loc_71B0EE:				; CODE XREF: PfSnBeginBootPhase+4Ej
					; PfSnBeginBootPhase+5Cj ...
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_71B0F6:				; CODE XREF: PfSnBeginBootPhase+23j
		sub	ecx, 1
		jz	loc_7284B1
		sub	ecx, 1
		jnz	short loc_71B0EE
		push	10h
		pop	ecx
		call	_PfSnAllocateEnablePrefetcherTimer@4 ; PfSnAllocateEnablePrefetcherTimer(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_71B0EE
		xor	edx, edx
		push	10h
		inc	edx
		pop	ecx
		call	PfSnUpdatePrefetcherFlags
		push	0FFFFFFFFh
		push	0DC3CBA00h
		lea	eax, [edi+28h]
		xor	edx, edx
		push	eax
		push	esi
		mov	ecx, edi
		call	KiSetTimerEx
		jmp	short loc_71B0EE
; 

loc_71B134:				; CODE XREF: PfSnBeginBootPhase+1Ej
					; PfSnBeginBootPhase+D410j
		xor	ecx, ecx
		xor	edx, edx
		inc	ecx
		jmp	short loc_71B0E9
; 

loc_71B13B:				; CODE XREF: PfSnBeginBootPhase+19j
		push	offset dword_6D49E8
		push	esi
		push	esi
		push	offset _MS_Kernel_Prefetch_Provider
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		call	PfSnDetermineEnablePrefetcher
		xor	edx, edx
		push	3
		inc	edx
		pop	ecx
		call	PfSnUpdatePrefetcherFlags
		or	[esp+10h+var_4], 0FFFFFFFFh
		lea	ecx, [esp+10h+var_8]
		mov	[esp+10h+var_8], 4D2FA200h
		call	_PfSnQueueEnablePrefetcherTimer@4 ; PfSnQueueEnablePrefetcherTimer(x)
		jmp	loc_71B0EE
PfSnBeginBootPhase endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PopHiberEarlyCleanup(x)
_PopHiberEarlyCleanup@4	proc near	; CODE XREF: PopInvokeSystemStateHandler+314p
		mov	edi, edi
		push	esi
		push	13h
		mov	esi, ecx
		mov	ecx, ds:dword_6C24BC
		pop	edx
		call	_MmInvalidateDumpAddresses@8 ; MmInvalidateDumpAddresses(x,x)
		mov	ecx, [esi+0C0h]
		test	ecx, ecx
		jz	short loc_71B1AC
		mov	edx, [esi+0A4h]
		shl	edx, 4
		pop	esi
		jmp	_MmInvalidateDumpAddresses@8 ; MmInvalidateDumpAddresses(x,x)
; 

loc_71B1AC:				; CODE XREF: PopHiberEarlyCleanup(x)+1Bj
		pop	esi
		retn
_PopHiberEarlyCleanup@4	endp


;  S U B	R O U T	I N E 


; __stdcall MmInvalidateDumpAddresses(x, x)
_MmInvalidateDumpAddresses@8 proc near	; CODE XREF: PopHiberEarlyCleanup(x)+Ep
					; PopHiberEarlyCleanup(x)+27j
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	edx, eax
		test	esi, esi
		jz	short loc_71B1F5
		mov	ebx, esi

loc_71B1C4:				; CODE XREF: MmInvalidateDumpAddresses(x,x)+2Dj
		mov	ecx, ds:_ZeroPte
		mov	[edx], ecx
		nop
		mov	eax, ds:dword_40F9FC
		lea	edx, [edx+8]
		mov	[edx-4], eax
		sub	ebx, 1
		jnz	short loc_71B1C4
		test	esi, esi
		jz	short loc_71B1F5

loc_71B1E1:				; CODE XREF: MmInvalidateDumpAddresses(x,x)+45j
		xor	edx, edx
		mov	ecx, edi
		call	KeFlushSingleCurrentTb
		add	edi, 1000h
		sub	esi, 1
		jnz	short loc_71B1E1

loc_71B1F5:				; CODE XREF: MmInvalidateDumpAddresses(x,x)+12j
					; MmInvalidateDumpAddresses(x,x)+31j
		mov	ecx, ds:dword_6D306C
		push	20h
		pop	edx

loc_71B1FE:				; CODE XREF: MmInvalidateDumpAddresses(x,x)+66j
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		nop
		mov	eax, ds:dword_40F9FC
		lea	ecx, [ecx+8]
		mov	[ecx-4], eax
		sub	edx, 1
		jnz	short loc_71B1FE
		pop	edi
		pop	esi
		pop	ebx
		retn
_MmInvalidateDumpAddresses@8 endp


;  S U B	R O U T	I N E 


; __stdcall BgkResumeInitialize()
_BgkResumeInitialize@0 proc near	; CODE XREF: PopRestoreHiberContext+3E0p
		mov	edi, edi
		push	ecx
		mov	ecx, ds:dword_6D4AB4
		mov	ds:byte_6D4AB8,	0
		test	ecx, ecx
		jz	short loc_71B241
		or	edx, 0FFFFFFFFh
		call	_BgLibraryInitialize@8 ; BgLibraryInitialize(x,x)
		test	eax, eax
		js	short loc_71B241
		mov	ds:byte_6D4AB8,	1

loc_71B241:				; CODE XREF: BgkResumeInitialize()+12j
					; BgkResumeInitialize()+1Ej
		pop	ecx
		retn
_BgkResumeInitialize@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiCalibrateTimeAdjustment proc near	; DATA XREF: KeAdjustInterruptTime(x,x,x)+56o

var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 007284C9 SIZE 000000CA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, large fs:20h
		push	edi
		xor	edi, edi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		mov	eax, [esi+3CCh]
		mov	[ebp+var_24], esi
		cmp	eax, [ebx+4]
		jz	loc_71B31A
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	[ebp+var_15], al

loc_71B297:				; CODE XREF: KiCalibrateTimeAdjustment+5Dj
		call	KiPollFreezeExecution
		mov	ecx, [ebx+1Ch]
		test	ecx, ecx
		jnz	short loc_71B297

loc_71B2A3:				; CODE XREF: KiCalibrateTimeAdjustment+24Aj
		mov	dl, 1
		mov	ecx, esi
		call	_KiSelectActiveTimerTable@8 ; KiSelectActiveTimerTable(x,x)
		test	eax, eax
		jnz	loc_71B493

loc_71B2B4:				; CODE XREF: KiCalibrateTimeAdjustment+290j
		mov	eax, ds:_KeTickCount
		mov	[esi+2240h], eax
		cmp	byte ptr [ebx],	0
		mov	eax, [ebx+0Ch]
		mov	edi, [ebx+8]
		mov	[ebp+var_20], eax
		jz	short loc_71B2F5
		push	dword ptr [ebx+14h]
		lea	eax, [ebx+18h]
		push	dword ptr [ebx+10h]
		push	eax
		call	ds:__imp__HalCalibratePerformanceCounter@12 ; HalCalibratePerformanceCounter(x,x,x)
		call	_KeRebaselineInterruptTime@0 ; KeRebaselineInterruptTime()
		test	ds:dword_70EFD0, 8000h
		jnz	loc_7284F4

loc_71B2F2:				; CODE XREF: KiCalibrateTimeAdjustment+D2ECj
		mov	eax, [ebp+var_20]

loc_71B2F5:				; CODE XREF: KiCalibrateTimeAdjustment+87j
		cmp	byte ptr [esi+3D0h], 0
		jnz	loc_71B4D9

loc_71B302:				; CODE XREF: KiCalibrateTimeAdjustment+2A1j
		cmp	[ebp+var_15], 0
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_71B30C
		sti

loc_71B30C:				; CODE XREF: KiCalibrateTimeAdjustment+C5j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_71B31A:				; CODE XREF: KiCalibrateTimeAdjustment+45j
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	esi, [ebx+0Ch]
		mov	edi, [ebx+8]
		mov	[ebp+var_15], al
		mov	[ebp+var_4C], esi
		call	KeQueryInterruptTime
		mov	ecx, eax
		mov	eax, edx
		add	ecx, edi
		mov	[ebp+var_44], ecx
		adc	eax, esi
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_30]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		cmp	byte ptr [ebx],	0
		mov	[ebp+var_48], eax
		mov	[ebp+var_1C], edx
		jz	short loc_71B3B9
		mov	ebx, [ebp+var_4C]
		mov	eax, edi
		mul	[ebp+var_30]
		mov	[ebp+var_28], eax
		mov	ecx, edx
		mov	eax, edi
		mul	[ebp+var_2C]
		mov	edi, eax
		mov	esi, edx
		mov	eax, ebx
		mul	[ebp+var_30]
		add	edi, eax
		adc	esi, edx
		add	edi, ecx
		adc	esi, 0
		imul	ebx, [ebp+var_2C]
		push	ebx
		push	0
		push	(offset	loc_98967E+2)
		add	esi, ebx
		push	esi
		push	edi
		call	__aulldvrm
		mov	[ebp+var_4C], ebx
		pop	ebx
		nop
		mov	ebx, [ebp+var_20]
		push	0
		push	(offset	loc_98967E+2)
		push	ecx
		push	[ebp+var_28]
		mov	[ebp+var_4C], edx
		mov	[ebx+14h], eax
		call	__aulldiv
		mov	[ebx+10h], eax
		mov	eax, [ebp+var_48]
		add	[ebx+10h], eax
		mov	eax, [ebp+var_1C]
		adc	[ebx+14h], eax

loc_71B3B9:				; CODE XREF: KiCalibrateTimeAdjustment+10Dj
		lea	eax, [ebp+var_3C]
		push	eax
		push	ds:_KeMaximumIncrement
		push	[ebp+var_40]
		push	[ebp+var_44]
		call	_RtlExtendedLargeIntegerDivide@16 ; RtlExtendedLargeIntegerDivide(x,x,x,x)
		mov	ecx, ds:_KeMaximumIncrement
		mov	edi, edx
		sub	ecx, [ebp+var_3C]
		mov	ds:_KiTickOffset, ecx
		mov	esi, ds:0FFDF03B0h
		add	esi, [ebx+8]
		mov	ecx, ds:0FFDF03B4h
		adc	ecx, [ebx+0Ch]
		mov	[ebp+var_28], eax
		mov	eax, 0FFDF03B0h
		mov	ds:0FFDF03B0h, esi
		mov	ds:0FFDF03B4h, ecx
		mov	ecx, [eax]
		mov	eax, [eax+4]
		test	eax, eax
		jg	short loc_71B41C
		jl	loc_71B4EA
		test	ecx, ecx
		jb	loc_71B4EA

loc_71B41C:				; CODE XREF: KiCalibrateTimeAdjustment+1C8j
		mov	esi, 0FFDF0340h
		mov	ecx, esi
		call	RtlWriteAcquireTickLock
		mov	eax, [ebp+var_40]
		mov	ecx, [ebp+var_44]
		mov	ds:0FFDF0010h, eax
		mov	ds:0FFDF0008h, ecx
		mov	ecx, esi
		mov	ds:0FFDF000Ch, eax
		mov	eax, [ebp+var_28]
		mov	ds:dword_7186C8, edi
		mov	ds:_KeTickCount, eax
		mov	ds:dword_7186C4, edi
		mov	ds:0FFDF0328h, edi
		mov	ds:0FFDF0320h, eax
		mov	eax, [ebp+var_48]
		mov	ds:0FFDF0324h, edi
		xor	edi, edi
		mov	ds:0FFDF0350h, eax
		mov	eax, [ebp+var_1C]
		mov	ds:0FFDF0354h, eax
		mov	ds:_KiInterruptTimeErrorAccumulator, edi
		mov	ds:dword_6D4B04, edi
		call	_RtlWriteReleaseTickLock@4 ; RtlWriteReleaseTickLock(x)
		mov	esi, [ebp+var_24]
		mov	[ebx+1Ch], edi
		jmp	loc_71B2A3
; 

loc_71B493:				; CODE XREF: KiCalibrateTimeAdjustment+6Aj
		mov	[ebp+var_54], edi
		mov	edi, ds:0FFDF000Ch
		mov	eax, ds:0FFDF0008h
		mov	[ebp+var_1C], eax
		cmp	edi, ds:0FFDF0010h
		jnz	loc_7284C9

loc_71B4B0:				; CODE XREF: KiCalibrateTimeAdjustment+D2ABj
		add	esi, 4080h
		push	esi
		call	_KeRemoveQueueDpc@4 ; KeRemoveQueueDpc(x)
		mov	eax, [ebp+var_1C]
		shrd	eax, edi, 12h
		push	0
		sub	eax, 100h
		push	eax
		push	esi
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		mov	esi, [ebp+var_24]
		jmp	loc_71B2B4
; 

loc_71B4D9:				; CODE XREF: KiCalibrateTimeAdjustment+B8j
		push	eax
		push	edi
		push	3
		pop	edx
		xor	ecx, ecx
		call	KiUpdateSystemTime
		jmp	loc_71B302
; 

loc_71B4EA:				; CODE XREF: KiCalibrateTimeAdjustment+1CAj
					; KiCalibrateTimeAdjustment+1D2j
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

MiUpdateUserMappings:			; CODE XREF: PopInvokeSystemStateHandler+26Fp
					; PopInvokeSystemStateHandler+335p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	ecx, ecx
		call	_MiGetPdeAddress@4 ; MiGetPdeAddress(x)
		mov	ecx, ds:_MmHighestUserAddress
		mov	esi, eax
		call	_MiGetPdeAddress@4 ; MiGetPdeAddress(x)
		mov	ebx, eax
		cmp	esi, ebx
		ja	short loc_71B54D
		push	edi

loc_71B513:				; CODE XREF: KiCalibrateTimeAdjustment+306j
		mov	edi, [esi]
		nop
		mov	edx, [esi+4]
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_71B530
		push	edx
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	edi, eax

loc_71B530:				; CODE XREF: KiCalibrateTimeAdjustment+2E1j
		mov	ecx, edi
		and	ecx, 1
		or	ecx, 0
		jnz	short loc_71B551
		mov	eax, edi
		and	eax, 400h
		or	eax, ecx
		jnz	short loc_71B560

loc_71B545:				; CODE XREF: KiCalibrateTimeAdjustment+31Aj
					; KiCalibrateTimeAdjustment+338j ...
		add	esi, 8
		cmp	esi, ebx
		jbe	short loc_71B513
		pop	edi

loc_71B54D:				; CODE XREF: KiCalibrateTimeAdjustment+2CCj
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_71B551:				; CODE XREF: KiCalibrateTimeAdjustment+2F4j
		push	edx
		push	edi
		call	_MiMakeQuasiPte@8 ; MiMakeQuasiPte(x,x)
		mov	[esi], eax
		nop
		mov	[esi+4], edx
		jmp	short loc_71B545
; 

loc_71B560:				; CODE XREF: KiCalibrateTimeAdjustment+2FFj
		push	edx
		push	edi
		call	_MiRevertQuasiPte@8 ; MiRevertQuasiPte(x,x)
		xor	edi, edi
		mov	ecx, eax
		cmp	[ebp+var_4], edi
		jnz	loc_728535

loc_71B574:				; CODE XREF: KiCalibrateTimeAdjustment+D304j
					; KiCalibrateTimeAdjustment+D322j ...
		mov	[esi+4], edx
		nop
		mov	[esi], ecx
		test	edi, edi
		jz	short loc_71B545
		jmp	loc_728585
KiCalibrateTimeAdjustment endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopWriteHeaderPages proc near		; CODE XREF: PopSaveHiberContext+31Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00728593 SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	[ebp+var_C], edi
		mov	eax, [edi+6Ch]
		mov	ecx, [edi+68h]
		and	dword ptr [edi+7Ch], 0
		shl	eax, 0Ch
		push	eax		; size_t
		push	0		; int
		push	ecx		; void *
		mov	[ebp+var_4], ecx
		call	_memset
		mov	eax, [edi+54h]
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7285F2
		mov	eax, [eax+14h]
		mov	esi, ds:_PopHiberScratchPages
		shr	eax, 0Ch
		mov	[ebx+3Ch], eax
		cmp	eax, esi
		jb	loc_7285F2
		mov	eax, [edi+54h]
		shl	esi, 2
		add	eax, 1Ch
		push	esi		; size_t
		push	eax		; void *
		push	[ebp+var_4]	; void *
		call	_memcpy
		mov	eax, [edi+0A0h]
		add	esp, 0Ch
		add	eax, 2
		mov	ecx, edi
		push	eax
		lea	eax, [esi+0FFFh]
		mov	esi, [ebp+var_4]
		shr	eax, 0Ch
		mov	edx, esi
		push	eax
		call	PopWriteHiberPages
		mov	eax, ds:_PopHiberScratchPages
		mov	[ebx+3Ch], eax
		lea	eax, ds:0FFFh[eax*4]
		and	eax, 0FFFFF000h
		push	eax
		push	esi
		push	0
		call	_tcpxsum@12	; tcpxsum(x,x,x)
		mov	[ebx+40h], eax
		mov	al, ds:_PopHiberResumeXhciHandoffSkip
		mov	[ebx+336h], al
		cmp	dword ptr [edi+9Ch], 0
		jz	short loc_71B6B9
		mov	eax, [edi+6Ch]
		shl	eax, 0Ch
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		mov	dword ptr [edi+7Ch], 1
		call	_memset
		mov	esi, [edi+0A0h]
		add	esp, 0Ch
		shl	esi, 0Ch
		push	esi		; size_t
		push	dword ptr [edi+9Ch] ; void *
		push	[ebp+var_4]	; void *
		call	_memcpy
		add	esp, 0Ch
		push	esi
		push	[ebp+var_4]
		push	0
		call	_tcpxsum@12	; tcpxsum(x,x,x)
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		mov	[ebx+2D4h], eax
		mov	eax, [edi+0A0h]
		push	2
		push	eax
		mov	[ebx+2D8h], eax
		call	PopWriteHiberPages
		push	esi
		mov	esi, [ebp+var_4]
		push	esi
		push	0
		call	_tcpxsum@12	; tcpxsum(x,x,x)
		mov	ecx, [ebx+2D4h]
		mov	[ebp+var_8], eax
		cmp	ecx, eax
		jnz	loc_728593

loc_71B6B9:				; CODE XREF: PopWriteHeaderPages+B8j
		mov	eax, [edi+6Ch]
		shl	eax, 0Ch
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		mov	dword ptr [edi+7Ch], 2
		call	_memset
		mov	esi, [edi+78h]
		add	esp, 0Ch
		mov	edi, [ebp+var_4]
		mov	ecx, 0C8h
		rep movsd
		mov	esi, [ebp+var_4]
		mov	edi, 320h
		push	edi
		push	esi
		push	0
		call	_tcpxsum@12	; tcpxsum(x,x,x)
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		push	1
		push	1
		mov	[ebx+44h], eax
		call	PopWriteHiberPages
		push	edi
		push	esi
		push	0
		call	_tcpxsum@12	; tcpxsum(x,x,x)
		mov	edi, eax
		mov	eax, [ebx+44h]
		cmp	eax, edi
		jnz	loc_7285B2
		push	1000h
		push	esi
		push	0
		call	_tcpxsum@12	; tcpxsum(x,x,x)
		mov	esi, eax
		mov	eax, [ebx+44h]
		cmp	eax, esi
		jnz	loc_7285CE
		xor	eax, eax

loc_71B733:				; CODE XREF: PopWriteHeaderPages+D073j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopWriteHeaderPages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopWriteHiberPages proc	near		; CODE XREF: PopWriteHeaderPages+81p
					; PopWriteHeaderPages+113p ...

var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= word ptr -0A4h
var_A2		= word ptr -0A2h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 007285FC SIZE 000000A8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E4h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0A0h		; size_t
		xor	ebx, ebx
		mov	[ebp+var_B0], edx
		lea	eax, [ebp+var_A8]
		mov	esi, ecx
		push	ebx		; int
		push	eax		; void *
		mov	edi, edx
		mov	[ebp+var_BC], esi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_C8], ebx
		test	byte ptr ds:_PopWatchdogTimerCount, 1Fh
		mov	[ebp+var_C4], ebx
		mov	[ebp+var_D0], ebx
		mov	[ebp+var_CC], ebx
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_DC], ebx
		jz	loc_71B991

loc_71B7A8:				; CODE XREF: PopWriteHiberPages+25Fj
		inc	ds:_PopWatchdogTimerCount
		cmp	[esi+80h], ebx
		jl	loc_71B980
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		mov	edx, [ebp+arg_4]
		lea	ecx, [ebx+edx]
		shld	eax, ecx, 0Ch
		shl	ecx, 0Ch
		cmp	eax, ds:dword_6C24AC
		jb	short loc_71B7E6
		ja	loc_7285FC
		cmp	ecx, ds:dword_6C24A8
		ja	loc_7285FC

loc_71B7E6:				; CODE XREF: PopWriteHiberPages+9Aj
		cmp	ebx, 0FFFFFh
		ja	loc_72866B
		mov	eax, [esi+70h]
		xor	ecx, ecx
		shld	ecx, edx, 0Ch
		mov	[ebp+var_DC], eax
		shl	edx, 0Ch
		shl	ebx, 0Ch
		mov	[ebp+var_B8], ecx
		mov	[ebp+arg_4], edx
		mov	[ebp+arg_0], ebx

loc_71B813:				; CODE XREF: PopWriteHiberPages+243j
		test	ebx, ebx
		jz	loc_71B980
		push	ecx
		push	edx
		lea	edx, [ebp+var_C8]
		mov	ecx, eax
		call	PopGetIoLocation
		mov	[ebp+var_D0], eax
		xor	eax, eax
		mov	[ebp+var_CC], edx
		cmp	eax, [ebp+var_C4]
		jb	short loc_71B852
		mov	ecx, [ebp+var_C8]
		mov	[ebp+var_AC], ecx
		ja	short loc_71B85A
		cmp	ebx, ecx
		ja	short loc_71B85A

loc_71B852:				; CODE XREF: PopWriteHiberPages+106j
		mov	ecx, ebx
		mov	[ebp+var_AC], ebx

loc_71B85A:				; CODE XREF: PopWriteHiberPages+114j
					; PopWriteHiberPages+118j
		mov	edx, edi
		lea	esi, [ecx+0FFFh]
		and	edx, 0FFFh
		add	esi, edx
		shr	esi, 0Ch
		mov	[ebp+var_B4], esi
		cmp	esi, 10h
		ja	loc_728675

loc_71B87C:				; CODE XREF: PopWriteHiberPages+CF56j
		mov	[ebp+var_A8], eax
		lea	eax, [ecx+0FFFh]
		add	eax, edx
		mov	[ebp+var_9C], edi
		shr	eax, 0Ch
		mov	[ebp+var_90], edx
		mov	[ebp+var_94], ecx
		lea	eax, ds:1Ch[eax*4]
		mov	[ebp+var_A4], ax
		mov	eax, edi
		and	eax, 0FFFFF000h
		mov	[ebp+var_98], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_A2], ax
		xor	eax, eax
		mov	edi, eax
		test	esi, esi
		jz	short loc_71B8F1
		mov	ebx, [ebp+var_B0]

loc_71B8D2:				; CODE XREF: PopWriteHiberPages+1B4j
		push	ebx
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		shrd	eax, edx, 0Ch
		add	ebx, 1000h
		mov	[ebp+edi*4+var_8C], eax
		inc	edi
		cmp	edi, esi
		jb	short loc_71B8D2
		mov	ebx, [ebp+arg_0]

loc_71B8F1:				; CODE XREF: PopWriteHiberPages+192j
		rdtsc
		mov	esi, eax
		mov	edi, edx
		mov	eax, [ebp+var_BC]
		mov	ecx, [eax+74h]
		lea	eax, [ebp+var_A8]
		push	eax
		lea	eax, [ebp+var_D0]
		push	eax
		call	dword ptr [ecx+30h]
		mov	ecx, [ebp+var_B8]
		mov	[ebp+var_D8], eax
		rdtsc
		sub	eax, esi
		mov	esi, [ebp+var_D8]
		push	0
		sbb	edx, edi
		add	ds:dword_6C28B8, eax
		mov	eax, [ebp+var_B4]
		adc	ds:dword_6C28BC, edx
		add	ds:dword_6C2A90, eax
		mov	eax, [ebp+var_AC]
		sub	ebx, eax
		mov	edx, [ebp+arg_4]
		add	edx, eax
		mov	[ebp+arg_0], ebx
		pop	edi
		adc	ecx, edi
		mov	[ebp+arg_4], edx
		mov	edi, [ebp+var_B0]
		add	edi, eax
		mov	[ebp+var_B8], ecx
		mov	[ebp+var_B0], edi
		test	esi, esi
		js	loc_728693
		mov	eax, [ebp+var_DC]
		jmp	loc_71B813
; 

loc_71B980:				; CODE XREF: PopWriteHiberPages+7Cj
					; PopWriteHiberPages+DDj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_71B991:				; CODE XREF: PopWriteHiberPages+6Aj
		call	ds:off_6B13A8	; SymCryptFatalIntercept(x)
		jmp	loc_71B7A8
PopWriteHiberPages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopInvokeSystemStateHandler proc near	; CODE XREF: PopTransitionToSleep+9376p
					; PopShutdownSystem(x)+5Fp ...

var_132		= byte ptr -132h
var_131		= byte ptr -131h
var_130		= dword	ptr -130h
var_12A		= byte ptr -12Ah
var_129		= byte ptr -129h
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= byte ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_B8		= dword	ptr -0B8h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0071BECB SIZE 00000002 BYTES
; FUNCTION CHUNK AT 007286A4 SIZE 00000337 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 12Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+12Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	8
		mov	ebx, ecx
		mov	[esp+13Ch+var_110], 0C0000001h
		pop	ecx
		mov	esi, edx
		mov	[esp+138h+var_114], ebx
		xor	edx, edx
		mov	[esp+138h+var_108], esi
		xor	eax, eax
		mov	[esp+138h+var_100], edx
		lea	edi, [esp+138h+var_B8]
		mov	[esp+138h+var_FC], edx
		push	38h		; size_t
		rep stosd
		push	edx		; int
		lea	eax, [esp+140h+var_F8]
		mov	[esp+140h+var_129], dl
		push	eax		; void *
		mov	[esp+144h+var_128], edx
		mov	[esp+144h+var_124], edx
		call	_memset
		xor	eax, eax
		mov	[esp+144h+var_E8], offset _PopPowerStateNotifyHandler
		lea	edi, [esp+144h+var_14]
		mov	[esp+144h+var_E4], ebx
		stosd
		add	esp, 0Ch
		stosd
		stosd
		stosd
		lea	eax, [esp+138h+var_14]
		mov	[esp+138h+var_F8], eax
		cmp	ebx, 7
		jz	short loc_71BA48
		mov	ecx, ebx
		shl	ecx, 4
		lea	eax, _PopPowerStateHandlers[ecx]
		mov	[esp+138h+var_F8], eax
		cmp	ds:dword_6C2DA8[ecx], 0
		jz	loc_7286A4

loc_71BA48:				; CODE XREF: PopInvokeSystemStateHandler+8Ej
		mov	eax, ds:_KeNumberProcessors
		mov	[esp+138h+var_DC], eax
		mov	eax, ds:_KeNumberProcessors
		mov	[esp+138h+var_D0], eax
		xor	eax, eax
		inc	eax
		mov	[esp+138h+var_D4], eax
		cmp	ebx, 4
		jz	short loc_71BA78
		cmp	ebx, 5
		jz	short loc_71BA78
		cmp	ds:_PopCheckpointSystemSleepEnabled, 0
		jnz	loc_7286AE

loc_71BA78:				; CODE XREF: PopInvokeSystemStateHandler+C8j
					; PopInvokeSystemStateHandler+CDj ...
		cmp	ebx, 3
		jnz	loc_7286BE

loc_71BA81:				; CODE XREF: PopInvokeSystemStateHandler+CD25j
		test	esi, esi
		jz	loc_7286C7
		mov	edi, esi
		mov	[esp+138h+var_F4], offset _PopSaveHiberContextWrapper@4	; PopSaveHiberContextWrapper(x)
		mov	ebx, esi
		mov	[esp+138h+var_EC], edi
		mov	[esp+138h+var_F0], ebx

loc_71BA9D:				; CODE XREF: PopInvokeSystemStateHandler+CD33j
		push	50h		; size_t
		lea	eax, [esp+13Ch+var_68]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	loc_7286D4
		mov	eax, [esp+138h+var_F8]
		lea	edx, [esp+138h+var_20]
		mov	ds:_PopHibernateSystemContext, eax
		mov	ecx, offset dword_6C33F0
		mov	eax, [esp+138h+var_F4]
		mov	ds:dword_6C33C4, eax
		mov	eax, [esp+138h+var_E8]
		mov	ds:dword_6C33D0, eax
		mov	eax, [esp+138h+var_E4]
		mov	ds:dword_6C33D4, eax
		mov	al, [esp+138h+var_E0]
		mov	ds:byte_6C33D8,	al
		mov	eax, [esp+138h+var_DC]
		mov	ds:dword_6C33DC, eax
		mov	eax, [esp+138h+var_D0]
		mov	ds:dword_6C33E8, eax
		mov	eax, [esp+138h+var_D4]
		mov	ds:dword_6C33C8, ebx
		mov	ebx, offset _PopHibernateSystemContext
		mov	ds:dword_6C33CC, edi
		mov	ds:dword_6C33E4, eax
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_71BB23:				; CODE XREF: PopInvokeSystemStateHandler+CDDCj
		push	2
		lea	edx, [esp+13Ch+var_68]
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)
		push	3
		lea	edx, [esp+13Ch+var_68]
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)
		cmp	ds:dword_6C26E0, 4
		jz	loc_72877D
		mov	eax, ds:dword_70ED2C
		mov	edi, ds:_PopQpcFrequency
		push	0
		mov	[esp+13Ch+var_10C], eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, eax
		mov	[esp+13Ch+var_11C], edx
		mov	eax, [esp+13Ch+var_110]
		mov	[esp+13Ch+var_120], ecx

loc_71BB75:				; CODE XREF: PopInvokeSystemStateHandler+CE05j
		test	ds:dword_70EFD0, 8000h
		jnz	loc_7287A6

loc_71BB85:				; CODE XREF: PopInvokeSystemStateHandler+CE6Dj
		push	4
		lea	edx, [esp+140h+var_6C]
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)
		test	esi, esi
		jz	short loc_71BBAD
		mov	ds:_RtlpDebugPrintCallbacksActive, 0
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jnz	loc_72880E

loc_71BBAD:				; CODE XREF: PopInvokeSystemStateHandler+1FBj
					; PopInvokeSystemStateHandler+CE79j
		push	11h
		pop	ecx
		mov	ds:_PoAllProcIntrDisabled, 1
		call	PopCheckpointSystemSleep
		cmp	[esp+13Ch+var_2C], 0
		jl	loc_72885E
		push	0Ch
		lea	edx, [esp+140h+var_6C]
		mov	byte ptr [ebx+18h], 1
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)
		mov	eax, [esp+13Ch+var_118]
		cmp	eax, 3
		jnz	loc_72881A

loc_71BBEB:				; CODE XREF: PopInvokeSystemStateHandler+CE81j
					; PopInvokeSystemStateHandler+CE8Dj
		test	esi, esi
		jz	short loc_71BC20
		push	5
		lea	edx, [esp+140h+var_6C]
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)
		test	ds:_PopSimulateHiberBugcheck, 100h
		jnz	short loc_71BC10
		call	MiUpdateUserMappings

loc_71BC10:				; CODE XREF: PopInvokeSystemStateHandler+26Dj
		push	0Ah
		lea	edx, [esp+13Ch+var_68]
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)

loc_71BC20:				; CODE XREF: PopInvokeSystemStateHandler+251j
		push	12h
		pop	ecx
		call	PopCheckpointSystemSleep
		push	6
		lea	edx, [esp+13Ch+var_68]
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)
		push	1Ah
		pop	ecx
		call	PopCheckpointSystemSleep
		mov	edi, [esp+138h+var_28]
		mov	[esp+138h+var_110], edi
		call	_KeRebaselineInterruptTime@0 ; KeRebaselineInterruptTime()
		call	ds:off_6B13A4	; SymCryptFatalIntercept(x)
		test	esi, esi
		jz	short loc_71BC72
		cmp	edi, 40000294h
		jnz	short loc_71BC72
		push	7
		lea	edx, [esp+13Ch+var_68]
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)

loc_71BC72:				; CODE XREF: PopInvokeSystemStateHandler+2BCj
					; PopInvokeSystemStateHandler+2C4j
		push	8
		lea	edx, [esp+13Ch+var_68]
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)
		test	esi, esi
		jz	short loc_71BCF1
		cmp	edi, 40000294h
		jnz	short loc_71BCAE
		push	1Bh
		pop	ecx
		call	PopCheckpointSystemSleep
		push	9
		lea	edx, [esp+13Ch+var_68]
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)
		push	20h
		pop	ecx
		call	PopCheckpointSystemSleep

loc_71BCAE:				; CODE XREF: PopInvokeSystemStateHandler+2F0j
		mov	ecx, esi
		call	_PopHiberEarlyCleanup@4	; PopHiberEarlyCleanup(x)
		push	0Ah
		lea	edx, [esp+13Ch+var_68]
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)
		test	ds:_PopSimulateHiberBugcheck, 100h
		jnz	short loc_71BCDD
		call	MiUpdateUserMappings
		xor	ecx, ecx
		call	_MiConvertHiberPhasePages@4 ; MiConvertHiberPhasePages(x)

loc_71BCDD:				; CODE XREF: PopInvokeSystemStateHandler+333j
		push	0Bh
		lea	edx, [esp+138h+var_64]
		mov	byte ptr [esi+3], 0
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)

loc_71BCF1:				; CODE XREF: PopInvokeSystemStateHandler+2E8j
		mov	eax, ds:_PopDebugFlags
		xor	ecx, ecx
		inc	ecx
		mov	[esp+134h+var_110], eax
		test	al, cl
		jnz	loc_72882E

loc_71BD05:				; CODE XREF: PopInvokeSystemStateHandler+CE99j
					; PopInvokeSystemStateHandler+CEACj
		test	al, 2
		jnz	loc_72884D
		xor	edx, edx
		mov	ds:_PopNoMoreInput, dl
		test	edi, edi
		js	short loc_71BD52
		inc	ds:_PoPowerSequence
		mov	ds:_PopFullWake, edx
		mov	ds:_PopPendingUserPresenceDuringSystemSleep, edx
		mov	ds:_PopPendingUserPresenceMonitorOnReason, edx
		mov	ds:dword_6C22A8, ecx
		cmp	ds:_PoResumeFromHibernate, dl
		jz	short loc_71BD52
		mov	eax, offset _PopPendingUserPresenceDuringSystemSleep
		lock or	[eax], ecx
		push	19h
		pop	ecx
		mov	eax, offset _PopPendingUserPresenceMonitorOnReason
		lock or	[eax], ecx

loc_71BD52:				; CODE XREF: PopInvokeSystemStateHandler+37Bj
					; PopInvokeSystemStateHandler+3A1j
		mov	[ebx+18h], dl
		mov	ecx, ebx
		push	0Ch
		lea	edx, [esp+138h+var_64]
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)

loc_71BD65:				; CODE XREF: PopInvokeSystemStateHandler+CEC7j
		test	esi, esi
		jz	short loc_71BDB6
		cmp	edi, 0C00000C0h
		jz	loc_728868
		mov	ds:_PoHiberInProgress, 0
		cmp	byte ptr [esi],	0
		mov	[esi+80h], edi
		jnz	loc_72887D

loc_71BD8B:				; CODE XREF: PopInvokeSystemStateHandler+CF0Cj
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jnz	loc_7288AD

loc_71BD98:				; CODE XREF: PopInvokeSystemStateHandler+CF18j
		cmp	ds:_RtlpDebugPrintCallbackList,	offset _RtlpDebugPrintCallbackList
		jnz	short loc_71BDAC
		xor	eax, eax
		inc	eax
		mov	ds:_RtlpDebugPrintCallbacksActive, al

loc_71BDAC:				; CODE XREF: PopInvokeSystemStateHandler+406j
		mov	dword ptr [esi+80h], 40000294h

loc_71BDB6:				; CODE XREF: PopInvokeSystemStateHandler+3CBj
		call	_KeRebaselineInterruptTime@0 ; KeRebaselineInterruptTime()
		call	_KeRebaselineSystemTime@0 ; KeRebaselineSystemTime()
		push	21h
		pop	ecx
		call	PopCheckpointSystemSleep
		push	0Dh
		lea	edx, [esp+138h+var_64]
		mov	ds:_PoAllProcIntrDisabled, 0
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)
		test	edi, edi
		js	short loc_71BE30
		cmp	ds:dword_6C26E0, 4
		jz	loc_7288B9

loc_71BDF0:				; CODE XREF: PopInvokeSystemStateHandler+CF24j
		push	0
		mov	byte ptr [esp+138h+var_128+2], 0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		push	offset dword_6C29B0
		push	offset unk_6C29A8
		mov	[esp+140h+var_128], eax
		mov	[esp+140h+var_124], edx
		call	ds:off_6B1298	; xHalpIsInterruptTypeSecondary(x,x)

loc_71BE15:				; CODE XREF: PopInvokeSystemStateHandler+CF40j
					; PopInvokeSystemStateHandler+CF50j
		test	ds:dword_70EFD0, 8000h
		jnz	loc_7288F1

loc_71BE25:				; CODE XREF: PopInvokeSystemStateHandler+CFABj
		cmp	[esp+140h+var_132], 0
		jnz	loc_72894C

loc_71BE30:				; CODE XREF: PopInvokeSystemStateHandler+445j
					; PopInvokeSystemStateHandler+D02Bj
		push	0Eh
		lea	edx, [esp+144h+var_70]
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)
		push	0Fh
		lea	edx, [esp+144h+var_70]
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)
		push	10h
		lea	edx, [esp+144h+var_70]
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)
		cmp	[esp+140h+var_30], 0
		jl	short loc_71BE80
		mov	ecx, [ebx]
		and	[esp+140h+var_30], 0
		mov	al, [ecx+5]
		cmp	al, 0FFh
		jz	short loc_71BE80
		inc	al
		mov	[ecx+5], al

loc_71BE80:				; CODE XREF: PopInvokeSystemStateHandler+4CCj
					; PopInvokeSystemStateHandler+4DDj
		test	esi, esi
		jz	loc_7289CC
		cmp	edi, 40000294h
		jnz	short loc_71BEAF
		cmp	ds:byte_6C24D1,	0
		jnz	short loc_71BEAF
		cmp	ds:byte_6D4AB8,	0
		jz	short loc_71BEAF
		mov	ecx, ds:dword_6D4AB4
		xor	edx, edx
		call	_BgLibraryInitialize@8 ; BgLibraryInitialize(x,x)

loc_71BEAF:				; CODE XREF: PopInvokeSystemStateHandler+4F2j
					; PopInvokeSystemStateHandler+4FBj ...
		mov	eax, [esp+140h+var_30]

loc_71BEB6:				; CODE XREF: PopInvokeSystemStateHandler+CD0Dj
		mov	ecx, [esp+140h+var_C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
PopInvokeSystemStateHandler endp

; 
; START	OF FUNCTION CHUNK FOR PopInvokeSystemStateHandler

loc_71BECB:				; CODE XREF: PopInvokeSystemStateHandler:loc_71BECBj
					; PopInvokeSystemStateHandler+CED6j
		jmp	short loc_71BECB
; END OF FUNCTION CHUNK	FOR PopInvokeSystemStateHandler
; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIssueNextState(x, x, x)
_PopIssueNextState@12 proc near		; CODE XREF: PopInvokeSystemStateHandler+192p
					; PopInvokeSystemStateHandler+1A2p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		lea	ebx, [edi+20h]
		xchg	eax, [ebx]
		mov	esi, [ebp+arg_0]
		lea	eax, [edi+24h]
		xchg	esi, [eax]
		and	dword ptr [edx], 0
		call	_PopHandleNextState@8 ;	PopHandleNextState(x,x)
		and	[ebp+arg_0], 0
		jmp	short loc_71BEFD
; 

loc_71BEF5:				; CODE XREF: PopIssueNextState(x,x,x)+34j
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx

loc_71BEFD:				; CODE XREF: PopIssueNextState(x,x,x)+25j
		mov	eax, [ebx]
		cmp	eax, [edi+1Ch]
		jnz	short loc_71BEF5
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PopIssueNextState@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopInvokeStateHandlerTargetProcessor(x, x, x, x)
_PopInvokeStateHandlerTargetProcessor@16 proc near ; DATA XREF:	PAGELK:00720B2Co
					; PopInvokeSystemStateHandler+CD66o

var_58		= dword	ptr -58h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		push	esi
		mov	esi, [ebp+arg_4]
		lea	eax, [esp+60h+var_58]
		push	50h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esi+30h]
		lea	edx, [esp+60h+var_10]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_71BF43:				; CODE XREF: PopInvokeStateHandlerTargetProcessor(x,x,x,x)+47j
		lea	edx, [esp+60h+var_58]
		mov	ecx, esi
		call	_PopHandleNextState@8 ;	PopHandleNextState(x,x)
		cmp	[esp+60h+var_58], 10h
		jnz	short loc_71BF43
		mov	ecx, [esp+60h+var_4]
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_PopInvokeStateHandlerTargetProcessor@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopHandleNextState(x, x)
_PopHandleNextState@8 proc near		; CODE XREF: PopIssueNextState(x,x,x)+1Cp
					; PopInvokeStateHandlerTargetProcessor(x,x,x,x)+3Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, edx
		mov	ecx, large fs:20h
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], ecx
		mov	eax, [ebx+24h]
		cmp	eax, [esi]
		jnz	short loc_71BFB8

loc_71BF92:				; CODE XREF: PopHandleNextState(x,x)+43j
		inc	edi
		test	ds:_HvlLongSpinCountMask, edi
		jnz	short loc_71BFAC
		test	byte ptr ds:_HvlEnlightenments,	40h
		jz	short loc_71BFAC
		push	edi
		call	_HvlNotifyLongSpinWait@4 ; HvlNotifyLongSpinWait(x)
		jmp	short loc_71BFAE
; 

loc_71BFAC:				; CODE XREF: PopHandleNextState(x,x)+29j
					; PopHandleNextState(x,x)+32j
		pause

loc_71BFAE:				; CODE XREF: PopHandleNextState(x,x)+3Aj
		mov	eax, [ebx+24h]
		cmp	eax, [esi]
		jz	short loc_71BF92
		mov	ecx, [ebp+var_4]

loc_71BFB8:				; CODE XREF: PopHandleNextState(x,x)+20j
		mov	eax, [ebx+24h]
		mov	[esi], eax
		add	eax, 0FFFFFFFEh	; switch 14 cases
		cmp	eax, 0Dh
		ja	loc_71C1B9	; default
		jmp	ds:off_71C1C4[eax*4] ; switch jump

loc_71BFD0:				; DATA XREF: PAGELK:off_71C1C4o
		mov	eax, ds:dword_6C26E0 ; case 0x2
		mov	dl, 1
		push	eax
		call	PopFxNotifySystemStateTransition
		jmp	loc_71C1B9	; default
; 

loc_71BFE2:				; CODE XREF: PopHandleNextState(x,x)+59j
					; DATA XREF: PAGELK:off_71C1C4o
		call	KeSaveIptStateBeforeProcessorGoesOffline ; case	0x3
		mov	byte ptr [esi+5], 0
		lea	ecx, [esi+8]
		mov	edx, ds:0FFDF03D8h
		mov	eax, ds:0FFDF03DCh
		or	edx, ds:0FFDF05F0h
		or	eax, ds:0FFDF05F4h
		or	edx, 3
		push	eax
		push	edx
		call	KeSaveExtendedAndSupervisorState
		test	eax, eax
		setns	al
		mov	[esi+5], al
		mov	eax, large fs:1Ch
		mov	[esi+44h], eax
		jmp	loc_71C1B9	; default
; 

loc_71C025:				; CODE XREF: PopHandleNextState(x,x)+59j
					; DATA XREF: PAGELK:off_71C1C4o
		mov	cl, 1Fh		; case 0x4
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esi+7], al
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	[esi+4], al
		call	_KeSuspendClockTimer@0 ; KeSuspendClockTimer()
		jmp	loc_71C1B9	; default
; 

loc_71C042:				; CODE XREF: PopHandleNextState(x,x)+59j
					; DATA XREF: PAGELK:off_71C1C4o
		mov	eax, large fs:124h ; case 0x5
		mov	eax, [eax+80h]
		cmp	eax, ds:_PsInitialSystemProcess
		jz	loc_71C1B9	; default
		mov	byte ptr [esi+6], 1
		lea	edx, [esi+28h]
		mov	ecx, ds:_PsInitialSystemProcess
		push	1
		call	KeForceAttachProcess
		jmp	loc_71C1B9	; default
; 

loc_71C073:				; CODE XREF: PopHandleNextState(x,x)+59j
					; DATA XREF: PAGELK:off_71C1C4o
		test	ds:_PopSimulate, 800000h ; case	0x6
		jz	short loc_71C096
		cmp	dword ptr [ebx+4], 0
		jz	short loc_71C096
		xor	eax, eax
		mov	ds:_PoResumeFromHibernate, 1
		mov	[esi+40h], eax
		jmp	loc_71C1B9	; default
; 

loc_71C096:				; CODE XREF: PopHandleNextState(x,x)+10Dj
					; PopHandleNextState(x,x)+113j
		cmp	dword ptr [ecx+3CCh], 0
		jnz	short loc_71C0AC
		cmp	dword ptr [ebx+4], 0
		jnz	short loc_71C0AC
		push	4
		call	_KdPowerTransition@4 ; KdPowerTransition(x)

loc_71C0AC:				; CODE XREF: PopHandleNextState(x,x)+12Dj
					; PopHandleNextState(x,x)+133j
		mov	ecx, [ebx]
		lea	eax, [ebx+28h]
		push	eax
		mov	eax, [ebx+1Ch]
		push	eax
		mov	eax, [ebx+8]
		push	eax
		mov	eax, [ebx+4]
		push	eax
		mov	eax, [ecx+0Ch]
		push	eax
		mov	eax, [ecx+8]
		call	eax
		mov	edi, [ebp+var_4]
		mov	[ebp+var_8], eax
		mov	ecx, [edi+3CCh]
		test	ecx, ecx
		jnz	short loc_71C103
		cmp	ds:_PoResumeFromHibernate, cl
		jnz	short loc_71C0EF
		push	1
		call	_KdPowerTransition@4 ; KdPowerTransition(x)
		mov	ecx, [edi+3CCh]
		mov	eax, [ebp+var_8]

loc_71C0EF:				; CODE XREF: PopHandleNextState(x,x)+16Dj
		test	ecx, ecx
		jnz	short loc_71C103
		rdtsc
		mov	ds:dword_6C29A0, eax
		mov	eax, [ebp+var_8]
		mov	ds:dword_6C29A4, edx

loc_71C103:				; CODE XREF: PopHandleNextState(x,x)+165j
					; PopHandleNextState(x,x)+181j
		mov	[esi+40h], eax
		jmp	loc_71C1B9	; default
; 

loc_71C10B:				; CODE XREF: PopHandleNextState(x,x)+59j
					; DATA XREF: PAGELK:off_71C1C4o
		mov	ecx, [ebx+0Ch]	; case 0x9
		call	PopRestoreHiberContext
		jmp	loc_71C1B9	; default
; 

loc_71C118:				; CODE XREF: PopHandleNextState(x,x)+59j
					; DATA XREF: PAGELK:off_71C1C4o
		call	_KeFlushCurrentTbImmediately@0 ; case 0xA
		nop
		wbinvd
		jmp	loc_71C1B9	; default
; 

loc_71C125:				; CODE XREF: PopHandleNextState(x,x)+59j
					; DATA XREF: PAGELK:off_71C1C4o
		cmp	byte ptr [esi+6], 0 ; case 0xB
		jz	loc_71C1B9	; default
		lea	ecx, [esi+28h]
		mov	edx, 1
		call	_KeForceDetachProcess@8	; KeForceDetachProcess(x,x)
		mov	byte ptr [esi+6], 0
		jmp	short loc_71C1B9 ; default
; 

loc_71C142:				; CODE XREF: PopHandleNextState(x,x)+59j
					; DATA XREF: PAGELK:off_71C1C4o
		mov	ecx, [ebx+10h]	; case 0xC
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_71C1B9 ; default
		movzx	eax, byte ptr [ebx+18h]
		push	eax
		mov	eax, [ecx+4]
		push	eax
		mov	eax, [ebx+14h]
		push	eax
		call	edx
		jmp	short loc_71C1B9 ; default
; 

loc_71C15C:				; CODE XREF: PopHandleNextState(x,x)+59j
					; DATA XREF: PAGELK:off_71C1C4o
		mov	cl, 1		; case 0x7
		call	HvlEnlightenProcessor
		jmp	short loc_71C1B9 ; default
; 

loc_71C165:				; CODE XREF: PopHandleNextState(x,x)+59j
					; DATA XREF: PAGELK:off_71C1C4o
		call	_KeRestoreProcessorSpecificFeatures@0 ;	case 0x8
		jmp	short loc_71C1B9 ; default
; 

loc_71C16C:				; CODE XREF: PopHandleNextState(x,x)+59j
					; DATA XREF: PAGELK:off_71C1C4o
		call	_KeResumeClockTimer@0 ;	case 0xD
		mov	ecx, [ebp+var_4]
		xor	dl, dl
		call	_PpmResetPerfEngineForProcessorEx@8 ; PpmResetPerfEngineForProcessorEx(x,x)
		cmp	byte ptr [esi+4], 0
		jz	short loc_71C182
		sti

loc_71C182:				; CODE XREF: PopHandleNextState(x,x)+20Fj
		mov	cl, [esi+7]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	short loc_71C1B9 ; default
; 

loc_71C18D:				; CODE XREF: PopHandleNextState(x,x)+59j
					; DATA XREF: PAGELK:off_71C1C4o
		mov	eax, ds:dword_6C26E0 ; case 0xE
		xor	dl, dl
		push	eax
		call	PopFxNotifySystemStateTransition
		jmp	short loc_71C1B9 ; default
; 

loc_71C19C:				; CODE XREF: PopHandleNextState(x,x)+59j
					; DATA XREF: PAGELK:off_71C1C4o
		cmp	byte ptr [esi+5], 0 ; case 0xF
		jz	short loc_71C1AA
		lea	ecx, [esi+8]
		call	KeRestoreExtendedAndSupervisorState

loc_71C1AA:				; CODE XREF: PopHandleNextState(x,x)+230j
		call	KeRestoreIptStateAfterProcessorComesOnline
		mov	ecx, [ebp+var_4]
		mov	dl, 1
		call	_PpmResetPerfEngineForProcessorEx@8 ; PpmResetPerfEngineForProcessorEx(x,x)

loc_71C1B9:				; CODE XREF: PopHandleNextState(x,x)+53j
					; PopHandleNextState(x,x)+6Dj ...
		lock inc dword ptr [ebx+20h] ; default
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopHandleNextState@8 endp

; 
off_71C1C4	dd offset loc_71BFD0	; DATA XREF: PopHandleNextState(x,x)+59r
		dd offset loc_71BFE2	; jump table for switch	statement
		dd offset loc_71C025
		dd offset loc_71C042
		dd offset loc_71C073
		dd offset loc_71C15C
		dd offset loc_71C165
		dd offset loc_71C10B
		dd offset loc_71C118
		dd offset loc_71C125
		dd offset loc_71C142
		dd offset loc_71C16C
		dd offset loc_71C18D
		dd offset loc_71C19C

;  S U B	R O U T	I N E 


; __stdcall KiRestoreXSaveSupport()
_KiRestoreXSaveSupport@0 proc near	; CODE XREF: KeRestoreProcessorSpecificFeatures()+2Ap
		jmp	KiEnableXSave
_KiRestoreXSaveSupport@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopCreateDumpMdl proc near		; CODE XREF: PopSaveHiberContext+2ABp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 007289DB SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:20h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		mov	eax, [eax+3CCh]
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_0]
		cmp	edx, esi
		jnb	loc_7289DB
		mov	eax, [ebx+0B4h]
		sub	esi, edx
		cmp	esi, eax
		jnb	short loc_71C2A2

loc_71C238:				; CODE XREF: PopCreateDumpMdl+A2j
		and	dword ptr [edi], 0
		mov	ecx, esi
		shl	ecx, 0Ch
		mov	eax, ecx
		mov	[edi+14h], ecx
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[edi+4], ax
		xor	eax, eax
		and	[edi+10h], eax
		and	[edi+18h], eax
		mov	[edi+6], ax
		lea	eax, [edi+1Ch]
		test	esi, esi
		jz	short loc_71C271

loc_71C266:				; CODE XREF: PopCreateDumpMdl+6Dj
		mov	[eax], edx
		inc	edx
		lea	eax, [eax+4]
		sub	esi, 1
		jnz	short loc_71C266

loc_71C271:				; CODE XREF: PopCreateDumpMdl+62j
		imul	ecx, [ebp+var_4], 70h
		xor	esi, esi
		mov	eax, [ebx+0A8h]
		push	esi
		push	edi
		push	dword ptr [ebx+0B4h]
		push	dword ptr [eax+ecx+4]
		call	_MmMapMemoryDumpMdlEx@16 ; MmMapMemoryDumpMdlEx(x,x,x,x)
		test	dword ptr [edi+14h], 0FFFh
		jnz	loc_7289E5
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_71C2A2:				; CODE XREF: PopCreateDumpMdl+34j
		mov	esi, eax
		jmp	short loc_71C238
PopCreateDumpMdl endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopHiberReadChecksums proc near		; CODE XREF: PopRestoreHiberContext+189p

var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00728A0E SIZE 000000B5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, ecx
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_40], eax
		mov	eax, [esi+128h]
		mov	[ebp+var_14], eax
		push	edi
		test	eax, eax
		jz	loc_71C45B
		mov	ecx, [esi+88h]
		rdtsc
		mov	[ebp+var_28], eax
		mov	eax, [esi+0C8h]
		mov	ebx, [ecx+58h]
		mov	[ebp+var_4], eax
		mov	eax, [ecx+60h]
		mov	[ebp+var_2C], edx
		xor	edx, edx
		shld	edx, ebx, 0Ch
		mov	[ebp+var_24], ecx
		shl	ebx, 0Ch
		lea	eax, ds:0FFFh[eax*2]
		and	eax, 0FFFFF000h
		mov	[ebp+var_20], edx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], eax
		jz	loc_71C435

loc_71C313:				; CODE XREF: PopHiberReadChecksums+186j
		mov	ecx, [esi+70h]
		push	edx
		push	ebx
		lea	edx, [ebp+var_40]
		call	PopGetIoLocation
		mov	edi, [ebp+var_40]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_34], edx
		mov	[ebp+var_8], edi
		cmp	eax, edi
		jnb	short loc_71C338
		mov	edi, eax
		mov	[ebp+var_8], eax

loc_71C338:				; CODE XREF: PopHiberReadChecksums+8Bj
		mov	eax, [esi+6Ch]
		shl	eax, 0Ch
		cmp	edi, eax
		jb	short loc_71C347
		mov	edi, eax
		mov	[ebp+var_8], edi

loc_71C347:				; CODE XREF: PopHiberReadChecksums+9Aj
		mov	eax, [esi+110h]
		shl	eax, 0Ch
		cmp	edi, eax
		jnb	loc_728A04

loc_71C358:				; CODE XREF: PopCreateDumpMdl+C807j
		mov	edx, [esi+68h]
		mov	ecx, edx
		mov	eax, [ebp+var_4]
		and	ecx, 0FFFh
		and	edx, 0FFFFF000h
		and	dword ptr [eax], 0
		lea	ebx, [ecx+0FFFh]
		add	ebx, edi
		shr	ebx, 0Ch
		mov	[ebp+var_1C], ebx
		lea	eax, ds:1Ch[ebx*4]
		mov	ebx, [ebp+var_4]
		mov	[ebx+4], ax
		xor	ebx, ebx
		mov	eax, [ebp+var_4]
		and	[ebp+var_18], ebx
		mov	[eax+18h], ecx
		mov	ecx, [ebp+var_4]
		mov	[eax+6], bx
		mov	[eax+10h], edx
		mov	[eax+14h], edi
		mov	eax, [esi+68h]
		mov	[ecx+0Ch], eax
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_1C], ebx
		mov	ebx, [ebp+var_10]
		mov	[ecx+6], ax
		jbe	short loc_71C3EA
		xor	ebx, ebx
		mov	edi, ecx

loc_71C3BC:				; CODE XREF: PopHiberReadChecksums+139j
		mov	eax, [esi+68h]
		add	eax, ebx
		push	eax
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	ecx, [ebp+var_18]
		add	ebx, 1000h
		shrd	eax, edx, 0Ch
		mov	[edi+ecx*4+1Ch], eax
		inc	ecx
		mov	[ebp+var_18], ecx
		cmp	ecx, [ebp+var_1C]
		jb	short loc_71C3BC
		mov	edi, [ebp+var_8]
		mov	ebx, [ebp+var_10]
		mov	ecx, [ebp+var_4]

loc_71C3EA:				; CODE XREF: PopHiberReadChecksums+110j
		mov	eax, [esi+74h]
		push	ecx
		lea	ecx, [ebp+var_38]
		push	ecx
		push	0
		call	dword ptr [eax+6Ch]
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	loc_728A0E
		push	edi		; size_t
		push	dword ptr [esi+68h] ; void *
		push	[ebp+var_14]	; void *
		call	_memcpy
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		mov	edx, [ebp+var_20]
		sub	eax, edi
		add	ebx, edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ebx
		adc	edx, 0
		add	[ebp+var_14], edi
		mov	[ebp+var_20], edx
		test	eax, eax
		jnz	loc_71C313
		mov	ecx, [ebp+var_24]

loc_71C435:				; CODE XREF: PopHiberReadChecksums+67j
		mov	eax, [ecx+60h]
		mov	[esi+118h], eax
		mov	eax, [ecx+64h]
		mov	[esi+11Ch], eax
		rdtsc
		sub	eax, [ebp+var_28]
		sbb	edx, [ebp+var_2C]
		add	ds:dword_6C2A30, eax
		adc	ds:dword_6C2A34, edx

loc_71C45B:				; CODE XREF: PopHiberReadChecksums+23j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopHiberReadChecksums endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopAddPagesToCompressedPageSet(int,void	*,int,int,int)
PopAddPagesToCompressedPageSet proc near ; CODE	XREF: PopSaveHiberContext+101p
					; PopSaveHiberContext+4D4p ...

var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_18], ecx
		xor	ebx, ebx
		shl	eax, 0Ch
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], ebx
		mov	ecx, [esi+0Ch]
		mov	[ebp+var_4], ecx
		mov	[ebp+arg_C], eax
		test	ecx, ecx
		jz	loc_71C51E
		push	edi
		cmp	byte ptr [ebp+arg_8], bl
		jz	loc_728A33
		mov	ecx, [esi]
		push	eax		; size_t
		push	[ebp+arg_4]	; void *
		mov	[ebp+arg_8], ecx
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_71C4AA:				; CODE XREF: PopHiberReadChecksums+C818j
		push	ecx
		push	[ebp+var_18]
		rdtsc
		push	[ebp+arg_10]
		mov	esi, eax
		mov	edi, edx
		mov	eax, [ebp+var_10]
		mov	edx, [ebp+arg_8]
		push	dword ptr [eax+8]
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		push	[ebp+var_4]
		mov	cx, ds:_PopCompressMethodMap[ebx*2]
		push	[ebp+arg_C]
		call	RtlCompressBufferProgress
		mov	ecx, eax
		rdtsc
		sub	eax, esi
		mov	esi, [ebp+var_10]
		sbb	edx, edi
		pop	edi
		add	[esi+18h], eax
		adc	[esi+1Ch], edx
		test	ecx, ecx
		js	short loc_71C526
		imul	eax, [ebp+arg_C], 7
		shr	eax, 3
		cmp	[ebp+var_8], eax
		jnb	short loc_71C526
		mov	eax, [ebp+var_8]

loc_71C4FD:				; CODE XREF: PopAddPagesToCompressedPageSet+C4j
					; PopAddPagesToCompressedPageSet+CFj
		mov	edx, [ebp+arg_0]
		shl	eax, 8
		shl	ebx, 1Eh
		pop	esi
		movzx	ecx, byte ptr [edx]
		or	ecx, eax
		mov	eax, [ebp+var_4]
		and	ecx, 3FFFFFFFh
		or	ecx, ebx
		mov	[edx], ecx
		pop	ebx
		leave
		retn	14h
; 

loc_71C51E:				; CODE XREF: PopAddPagesToCompressedPageSet+28j
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_4], ecx
		jmp	short loc_71C4FD
; 

loc_71C526:				; CODE XREF: PopAddPagesToCompressedPageSet+8Cj
					; PopAddPagesToCompressedPageSet+98j
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		jmp	short loc_71C4FD
PopAddPagesToCompressedPageSet endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCountDataAsProduced(x, x, x, x, x, x)
_PopCountDataAsProduced@24 proc	near	; CODE XREF: PopSaveHiberContext+11Ap
					; PopSaveHiberContext+4F1p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, ds:dword_6C2500
		push	esi
		mov	eax, [eax]
		movzx	esi, al
		shr	eax, 8
		and	eax, 3FFFFFh
		mov	[ebp+var_C], ecx
		push	edi
		push	[ebp+arg_C]
		shl	esi, 2
		lea	ecx, [eax+4]
		mov	[ebp+var_4], edx
		mov	eax, [ebp+arg_8]
		add	ecx, esi
		shl	eax, 0Ch
		mov	edx, ecx
		mov	[ebp+var_8], ecx
		mov	ecx, ebx
		push	eax
		call	ProducerGetBuffer
		mov	edi, eax
		mov	[ebp+arg_C], edi
		test	edi, edi
		jz	short loc_71C5E7
		mov	ecx, [ebp+arg_0] ; int
		push	edi		; void *
		push	ebx		; int
		push	4
		pop	edx
		call	_ProducerConsumerCopyToContextBuffer@16	; ProducerConsumerCopyToContextBuffer(x,x,x,x)
		mov	ecx, [ebp+arg_4] ; int
		lea	eax, [edi+4]
		push	eax		; void *
		push	ebx		; int
		mov	edx, esi	; size_t
		call	_ProducerConsumerCopyToContextBuffer@16	; ProducerConsumerCopyToContextBuffer(x,x,x,x)
		mov	ecx, [ebp+var_4] ; int
		lea	eax, [esi+4]
		add	eax, edi
		push	eax		; void *
		mov	eax, [ebp+arg_0]
		push	ebx		; int
		mov	edx, [eax]
		shr	edx, 8
		and	edx, 3FFFFFh	; size_t
		call	_ProducerConsumerCopyToContextBuffer@16	; ProducerConsumerCopyToContextBuffer(x,x,x,x)
		push	[ebp+var_8]
		rdtsc
		push	[ebp+arg_C]
		mov	edi, edx
		mov	ecx, ebx
		lea	edx, [ebx+18h]
		mov	esi, eax
		call	_ProducerConsumerBufferComplete@16 ; ProducerConsumerBufferComplete(x,x,x,x)
		mov	ecx, [ebp+var_C]
		rdtsc
		sub	eax, esi
		sbb	edx, edi
		add	[ecx+40h], eax
		mov	al, 1
		adc	[ecx+44h], edx

loc_71C5E0:				; CODE XREF: PopCountDataAsProduced(x,x,x,x,x,x)+B7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_71C5E7:				; CODE XREF: PopCountDataAsProduced(x,x,x,x,x,x)+4Cj
		xor	al, al
		jmp	short loc_71C5E0
_PopCountDataAsProduced@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ProducerConsumerCopyToContextBuffer(int,size_t,int,void *)
_ProducerConsumerCopyToContextBuffer@16	proc near
					; CODE XREF: PopCountDataAsProduced(x,x,x,x,x,x)+56p
					; PopCountDataAsProduced(x,x,x,x,x,x)+65p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	[ebp+var_4], ecx
		mov	ecx, [eax+4]
		mov	esi, [eax]
		push	edi
		mov	edi, edx
		mov	edx, [ebp+arg_4]
		lea	eax, [esi+ecx]
		cmp	edx, eax
		jnb	short loc_71C650

loc_71C60C:				; CODE XREF: ProducerConsumerCopyToContextBuffer(x,x,x,x)+66j
		mov	ebx, edx
		sub	ebx, esi
		xor	esi, esi
		lea	eax, [ebx+edi]
		cmp	eax, ecx
		ja	short loc_71C632

loc_71C619:				; CODE XREF: ProducerConsumerCopyToContextBuffer(x,x,x,x)+4Ej
		mov	ebx, [ebp+var_4]
		push	edi		; size_t
		push	ebx		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		test	esi, esi
		jnz	short loc_71C63C

loc_71C62B:				; CODE XREF: ProducerConsumerCopyToContextBuffer(x,x,x,x)+62j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_71C632:				; CODE XREF: ProducerConsumerCopyToContextBuffer(x,x,x,x)+2Bj
		mov	esi, ebx
		sub	esi, ecx
		add	esi, edi
		sub	edi, esi
		jmp	short loc_71C619
; 

loc_71C63C:				; CODE XREF: ProducerConsumerCopyToContextBuffer(x,x,x,x)+3Dj
		push	esi		; size_t
		lea	eax, [ebx+edi]
		push	eax		; void *
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_71C62B
; 

loc_71C650:				; CODE XREF: ProducerConsumerCopyToContextBuffer(x,x,x,x)+1Ej
		sub	edx, ecx
		jmp	short loc_71C60C
_ProducerConsumerCopyToContextBuffer@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopRequestWrite	proc near		; CODE XREF: PopSaveHiberContext+47Dp
					; PopCompressCallback(x)+10p ...

var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00728AC3 SIZE 00000132 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		xor	eax, eax
		mov	[esp+40h+var_2C], edx
		mov	ebx, ecx
		mov	[esp+40h+var_20], eax
		push	esi
		push	edi
		mov	[esp+48h+var_14], ebx
		mov	esi, [ebx+0C8h]
		mov	[esp+48h+var_8], eax
		mov	[esp+48h+var_4], eax
		mov	[esp+48h+var_34], esi
		mov	[esp+48h+var_1C], eax
		mov	[esp+48h+var_C], eax
		mov	[esp+48h+var_38], eax
		mov	[esp+48h+var_3C], eax

loc_71C694:				; CODE XREF: PopRequestWrite+171j
					; PopRequestWrite+228j
		mov	ecx, [ebx+0CCh]
		sub	ecx, eax
		jnz	loc_71C76A
		test	byte ptr ds:_PopWatchdogTimerCount, 1Fh
		jz	loc_71CA0C

loc_71C6AF:				; CODE XREF: PopRequestWrite+3BEj
		push	dword ptr [ebx+0FCh]
		mov	ecx, [ebx+70h]
		lea	edx, [esp+4Ch+var_8]
		push	dword ptr [ebx+0F8h]
		inc	ds:_PopWatchdogTimerCount
		lea	esi, [ebx+0F0h]
		call	PopGetIoLocation
		mov	edi, [ebx+110h]
		mov	ecx, edi
		mov	[esi], eax
		xor	eax, eax
		shld	eax, ecx, 0Ch
		mov	[esi+4], edx
		push	eax
		shl	ecx, 0Ch
		push	ecx
		push	dword ptr [ebx+0DCh]
		push	dword ptr [ebx+0D8h]
		call	__aullrem
		mov	ecx, eax
		mov	esi, edx
		mov	eax, edi
		mov	edx, 1000h
		mul	edx
		mov	edi, eax
		mov	eax, edx
		sub	edi, ecx
		mov	[esp+48h+var_24], edi
		sbb	eax, esi
		mov	[esp+48h+var_10], edi
		mov	[esp+48h+var_30], eax
		mov	[esp+48h+var_C], eax
		cmp	eax, [esp+48h+var_4]
		jb	short loc_71C737
		ja	loc_728AC3
		cmp	edi, [esp+48h+var_8]
		jnb	loc_728AC3

loc_71C737:				; CODE XREF: PopRequestWrite+D1j
					; PopRequestWrite+C487j
		push	[ebp+arg_0]
		mov	ecx, [esp+4Ch+var_2C]
		lea	edx, [esp+4Ch+var_10]
		call	ConsumerGetBuffer
		mov	esi, eax
		test	esi, esi
		jnz	loc_71C881
		mov	eax, [esp+48h+var_10]
		or	eax, [esp+48h+var_C]
		jz	loc_728BED

loc_71C75F:				; CODE XREF: PopRequestWrite+163j
		xor	eax, eax

loc_71C761:				; CODE XREF: PopRequestWrite+C59Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_71C76A:				; CODE XREF: PopRequestWrite+48j
		rdtsc
		mov	edi, eax
		mov	[esp+48h+var_38], edi
		sub	ecx, 1
		jnz	short loc_71C7CA
		mov	ecx, [ebx+74h]
		lea	eax, [ebx+0F0h]
		push	0
		push	esi
		push	eax
		push	2
		mov	[esp+58h+var_3C], edx
		call	dword ptr [ecx+54h]
		mov	[esp+58h+var_34], eax
		rdtsc
		sub	eax, edi
		mov	edi, [esp+58h+var_34]
		sbb	edx, [esp+58h+var_4C]
		add	ds:dword_6C28C0, eax
		adc	ds:dword_6C28C4, edx
		test	edi, edi
		js	loc_728B2A
		cmp	edi, 103h
		jz	short loc_71C75F
		mov	dword ptr [ebx+0CCh], 2

loc_71C7C3:				; CODE XREF: PopRequestWrite+3B3j
		xor	eax, eax
		jmp	loc_71C694
; 

loc_71C7CA:				; CODE XREF: PopRequestWrite+121j
		mov	eax, edx
		mov	ecx, edi
		sub	ecx, [ebx+0D0h]
		mov	[esp+48h+var_3C], eax
		sbb	eax, [ebx+0D4h]
		add	ds:dword_6C28B8, ecx
		adc	ds:dword_6C28BC, eax
		mov	eax, [esp+48h+var_2C]
		mov	ecx, eax
		push	dword ptr [ebx+0E8h]
		push	dword ptr [ebx+100h]
		lea	edx, [eax+28h]
		call	_ProducerConsumerBufferComplete@16 ; ProducerConsumerBufferComplete(x,x,x,x)
		rdtsc
		sub	eax, edi
		sbb	edx, [esp+48h+var_3C]
		add	ds:dword_6C28E0, eax
		adc	ds:dword_6C28E4, edx
		mov	eax, [ebx+0E8h]
		add	ds:dword_6C2A88, eax
		mov	eax, [ebx+0ECh]
		adc	ds:dword_6C2A8C, eax
		mov	eax, [ebx+0E0h]
		add	eax, 0FFFh
		shr	eax, 0Ch
		add	ds:dword_6C2A90, eax
		mov	eax, [ebx+0E0h]
		add	[ebx+0F8h], eax
		mov	ecx, [ebx+0E4h]
		adc	[ebx+0FCh], ecx
		add	[ebx+0D8h], eax
		adc	[ebx+0DCh], ecx
		xor	eax, eax
		mov	[ebx+0E0h], eax
		mov	[ebx+0E4h], eax
		mov	[ebx+0CCh], eax
		jmp	loc_71C694
; 

loc_71C881:				; CODE XREF: PopRequestWrite+F7j
		mov	eax, [esp+48h+var_C]
		mov	ecx, [ebx+0FCh]
		mov	edx, [esp+48h+var_10]
		mov	[ebx+0ECh], eax
		mov	eax, [ebx+0F8h]
		mov	[esp+48h+var_28], ecx
		mov	ecx, eax
		mov	[esp+48h+var_18], eax
		add	ecx, edi
		mov	eax, [esp+48h+var_28]
		adc	eax, [esp+48h+var_30]
		mov	[ebx+100h], esi
		mov	[ebx+0E8h], edx
		cmp	eax, ds:dword_6C24AC
		jb	short loc_71C8D5
		ja	loc_728BD6
		cmp	ecx, ds:dword_6C24A8
		ja	loc_728BD6

loc_71C8D5:				; CODE XREF: PopRequestWrite+26Dj
		push	edx
		push	esi
		push	[esp+50h+var_28]
		xor	eax, eax
		mov	ecx, ebx
		push	[esp+54h+var_18]
		lea	edx, [eax+1]
		call	PopHiberChecksumHiberFileData
		mov	edx, [esp+48h+var_34]
		mov	ecx, esi
		and	[esp+48h+var_18], 0
		and	ecx, 0FFFh
		and	dword ptr [edx], 0
		lea	eax, [ecx+0FFFh]
		mov	[edx+18h], ecx
		add	eax, edi
		mov	[edx+14h], edi
		shr	eax, 0Ch
		mov	[esp+48h+var_28], eax
		mov	[edx+0Ch], esi
		lea	eax, ds:1Ch[eax*4]
		mov	[edx+4], ax
		mov	eax, esi
		and	eax, 0FFFFF000h
		mov	[edx+10h], eax
		xor	eax, eax
		inc	eax
		cmp	[esp+48h+var_28], 0
		mov	[edx+6], ax
		jbe	short loc_71C964
		mov	edi, [esp+48h+var_18]
		mov	ebx, edx

loc_71C940:				; CODE XREF: PopRequestWrite+306j
		push	esi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		shrd	eax, edx, 0Ch
		mov	[ebx+edi*4+1Ch], eax
		mov	eax, 1000h
		inc	edi
		add	esi, eax
		cmp	edi, [esp+48h+var_28]
		jb	short loc_71C940
		mov	ebx, [esp+48h+var_14]
		mov	edi, [esp+48h+var_24]

loc_71C964:				; CODE XREF: PopRequestWrite+2E4j
		cmp	byte ptr [ebx+104h], 0
		mov	eax, [esp+48h+var_30]
		mov	esi, [esp+48h+var_34]
		mov	[ebx+0E0h], edi
		mov	[ebx+0E4h], eax
		jz	loc_71CA20
		rdtsc
		push	0
		push	esi
		mov	[esp+50h+var_38], eax
		lea	ecx, [ebx+0F0h]
		mov	eax, [ebx+74h]
		push	ecx
		push	1
		mov	[esp+58h+var_3C], edx
		call	dword ptr [eax+54h]
		mov	ecx, [esp+58h+var_4C]
		mov	edi, eax
		rdtsc
		sub	eax, [esp+58h+var_48]
		sbb	edx, ecx
		add	ds:dword_6C28C0, eax
		adc	ds:dword_6C28C4, edx
		cmp	edi, 0C00000BBh
		jz	short loc_71CA17
		test	edi, edi
		js	loc_728B2A
		cmp	ds:_PopSimulateHiberBugcheck, 2
		jz	loc_728B2A
		xor	eax, eax
		cmp	edi, 103h
		setnz	al
		inc	eax
		mov	[ebx+0CCh], eax

loc_71C9EA:				; CODE XREF: PopRequestWrite+3CAj
					; PopRequestWrite+3D0j
		cmp	byte ptr [ebx+104h], 0
		jz	loc_728AE0
		mov	edi, [esp+58h+var_48]

loc_71C9FB:				; CODE XREF: PopRequestWrite+C4D1j
		mov	[ebx+0D0h], edi
		mov	[ebx+0D4h], ecx
		jmp	loc_71C7C3
; 

loc_71CA0C:				; CODE XREF: PopRequestWrite+55j
		call	ds:off_6B13A8	; SymCryptFatalIntercept(x)
		jmp	loc_71C6AF
; 

loc_71CA17:				; CODE XREF: PopRequestWrite+36Dj
		mov	byte ptr [ebx+104h], 0
		jmp	short loc_71C9EA
; 

loc_71CA20:				; CODE XREF: PopRequestWrite+32Bj
		mov	ecx, [esp+48h+var_3C]
		jmp	short loc_71C9EA
PopRequestWrite	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopRestoreHiberContext proc near	; CODE XREF: PopHandleNextState(x,x)+19Ep

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00728BF5 SIZE 000000C9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_48]
		mov	[ebp+var_10], ebx
		stosd
		stosd
		stosd
		stosd
		mov	eax, large fs:20h
		mov	eax, [eax+3CCh]
		mov	[ebp+var_38], eax
		cmp	eax, [ebx+0A4h]
		jnb	loc_71CC34
		imul	ecx, eax, 70h
		xor	esi, esi
		add	ecx, [ebx+0A8h]
		mov	[ebp+var_C], ecx
		mov	[ecx+40h], esi
		mov	[ecx+44h], esi
		cmp	eax, [ebx+84h]
		jz	loc_71CE00

loc_71CA7A:				; CODE XREF: PopRestoreHiberContext+400j
		test	eax, eax
		jnz	loc_71CC1C
		mov	edi, [ebx+88h]
		mov	eax, ds:dword_6C2500
		mov	[ebp+var_2C], eax
		rdtsc
		mov	ecx, [edi+48h]
		mov	[ebp+var_24], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_34], eax
		mov	[ebp+var_38], edx
		cmp	ecx, [edi+208h]
		jnz	loc_728BF5
		mov	eax, [edi+4Ch]
		cmp	eax, [edi+20Ch]
		jnz	loc_728BF5
		mov	eax, [edi+220h]
		mov	ecx, [edi+224h]
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], ecx

loc_71CACE:				; CODE XREF: PopRestoreHiberContext+C1D9j
		mov	edi, [ebp+var_10]
		mov	[ebx+108h], eax
		mov	[ebx+10Ch], ecx
		mov	eax, ds:dword_6C2500
		mov	ebx, [ebx+0B0h]
		mov	edi, [edi+0ACh]
		push	38h		; size_t
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_30], eax
		call	_memset
		mov	eax, [ebp+var_30]
		add	esp, 0Ch
		mov	ecx, [ebp+var_20]
		mov	[eax+4], ebx
		mov	ebx, [ebp+var_10]
		mov	[eax+8], ecx
		mov	ecx, [ebp+var_1C]
		mov	[eax+0Ch], ecx
		push	2
		mov	[eax+10h], esi
		mov	[eax], edi
		pop	ecx
		mov	byte ptr [ebx+4], 1
		call	_IoNotifyDump@4	; IoNotifyDump(x)
		mov	eax, [ebx+108h]
		or	eax, [ebx+10Ch]
		jz	loc_71CC51
		lea	eax, [ebp+var_48]
		mov	dword ptr [ebx+7Ch], 9
		mov	[ebx+70h], eax
		mov	eax, ds:dword_6C24B0
		push	esi
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], esi
		call	ds:off_6B1374	; KeSetDmaIoCoherency(x)
		mov	ecx, [ebx+74h]
		call	_IoInitializeDumpStack@8 ; IoInitializeDumpStack(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_728C04
		cmp	ds:_PopSimulateHiberBugcheck, 4
		jz	loc_728C04
		rdtsc
		sub	eax, [ebp+var_34]
		mov	ds:dword_6C2A00, eax
		sbb	edx, [ebp+var_38]
		mov	ds:dword_6C2A04, edx
		mov	eax, [ebx+74h]
		mov	[ebx+0CCh], esi
		mov	[ebx+0D8h], esi
		mov	[ebx+0DCh], esi
		cmp	[eax+54h], esi
		jz	short loc_71CBAD
		mov	byte ptr [ebx+104h], 1

loc_71CBAD:				; CODE XREF: PopRestoreHiberContext+17Ej
		mov	ecx, ebx
		call	PopHiberReadChecksums
		mov	eax, [ebx+88h]
		xor	ecx, ecx
		mov	edi, [ebp+var_C]
		mov	dword ptr [ebx+7Ch], 0Ah
		mov	eax, [eax+54h]
		shld	ecx, eax, 0Ch
		shl	eax, 0Ch
		mov	[ebx+0F8h], eax
		mov	[ebx+0FCh], ecx

loc_71CBDC:				; CODE XREF: PopRestoreHiberContext+1E6j
					; PopRestoreHiberContext+1EEj ...
		mov	eax, [ebx+108h]
		mov	ecx, ebx
		or	eax, [ebx+10Ch]
		jz	short loc_71CC39
		mov	edx, [ebp+var_2C]
		push	1
		call	PopRequestRead
		push	offset _PopDecompressCallback@4	; PopDecompressCallback(x)
		push	esi
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	PopDecompressHiberBlocks
		cmp	eax, 80000022h
		jnz	short loc_71CBDC
		cmp	[ebx+0CCh], esi
		jnz	short loc_71CBDC
		pause
		jmp	short loc_71CBDC
; 

loc_71CC1A:				; CODE XREF: PopRestoreHiberContext+1FBj
		pause

loc_71CC1C:				; CODE XREF: PopRestoreHiberContext+56j
		mov	al, [ebx+4]
		test	al, al
		jz	short loc_71CC1A
		push	esi
		push	1
		mov	edx, ecx
		mov	ecx, ebx
		push	esi
		call	PopDecompressHiberBlocks
		lock inc dword ptr [ebx+10h]

loc_71CC34:				; CODE XREF: PopRestoreHiberContext+2Ej
					; PopRestoreHiberContext+3D5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_71CC39:				; CODE XREF: PopRestoreHiberContext+1C4j
		push	esi
		push	1
		push	1
		mov	edx, edi
		call	PopDecompressHiberBlocks
		mov	eax, [ebx+74h]
		mov	eax, [eax+34h]
		test	eax, eax
		jz	short loc_71CC51
		call	eax

loc_71CC51:				; CODE XREF: PopRestoreHiberContext+109j
					; PopRestoreHiberContext+227j
		push	3
		pop	ecx
		call	_IoNotifyDump@4	; IoNotifyDump(x)
		push	1
		call	ds:off_6B1374	; KeSetDmaIoCoherency(x)
		lea	edx, [ebx+10h]
		lock inc dword ptr [edx]
		mov	eax, [edx]
		mov	ecx, [ebx+0A4h]
		mov	[ebp+var_4], ecx
		cmp	eax, ecx
		jnz	loc_728C2B

loc_71CC7A:				; CODE XREF: PopRestoreHiberContext+C21Bj
		mov	[ebp+var_18], esi
		mov	edi, esi
		mov	[ebp+var_14], esi
		mov	eax, esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_30], edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_2C], esi
		test	ecx, ecx
		jz	loc_71CD71
		mov	ecx, [ebx+0A8h]
		mov	edx, esi

loc_71CCA9:				; CODE XREF: PopRestoreHiberContext+33Dj
		mov	eax, [edx+ecx+30h]
		add	ds:dword_6C29E0, eax
		mov	eax, [edx+ecx+34h]
		adc	ds:dword_6C29E4, eax
		mov	ecx, [ebx+0A8h]
		mov	eax, [edx+ecx+38h]
		add	ds:dword_6C29F0, eax
		mov	eax, [edx+ecx+3Ch]
		adc	ds:dword_6C29F4, eax
		mov	ecx, [ebx+0A8h]
		mov	eax, [edx+ecx+40h]
		add	ds:dword_6C2A18, eax
		mov	eax, [edx+ecx+44h]
		adc	ds:dword_6C2A1C, eax
		mov	ecx, [ebx+0A8h]
		mov	eax, [edx+ecx+38h]
		add	eax, [edx+ecx+30h]
		mov	esi, [edx+ecx+3Ch]
		adc	esi, [edx+ecx+34h]
		cmp	esi, [ebp+var_28]
		jb	short loc_71CD19
		ja	short loc_71CD13
		cmp	eax, [ebp+var_24]
		jbe	short loc_71CD19

loc_71CD13:				; CODE XREF: PopRestoreHiberContext+2E6j
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], esi

loc_71CD19:				; CODE XREF: PopRestoreHiberContext+2E4j
					; PopRestoreHiberContext+2EBj
		mov	eax, [edx+ecx+48h]
		add	[ebp+var_18], eax
		mov	eax, [edx+ecx+4Ch]
		adc	[ebp+var_14], eax
		mov	eax, [edx+ecx+50h]
		add	[ebp+var_20], eax
		mov	eax, [edx+ecx+54h]
		adc	[ebp+var_1C], eax
		add	edi, [edx+ecx+58h]
		mov	eax, [edx+ecx+5Ch]
		adc	[ebp+var_C], eax
		mov	eax, [edx+ecx+60h]
		add	[ebp+var_8], eax
		mov	eax, [edx+ecx+64h]
		adc	[ebp+var_10], eax
		add	edx, 70h
		mov	eax, [ebp+var_2C]
		mov	esi, [ebx+0A4h]
		inc	eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_4], esi
		cmp	eax, esi
		jb	loc_71CCA9
		mov	eax, [ebp+var_C]
		xor	esi, esi
		mov	[ebp+var_30], edi

loc_71CD71:				; CODE XREF: PopRestoreHiberContext+275j
		mov	ebx, [ebp+var_30]
		mov	ecx, ebx
		add	ecx, 1
		adc	eax, esi
		push	eax
		push	ecx
		push	[ebp+var_14]
		push	[ebp+var_18]
		call	__alldiv
		mov	edi, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		add	edi, 1
		mov	[ebp+var_30], eax
		adc	ecx, esi
		mov	[ebp+var_18], edx
		push	ecx
		push	edi
		push	[ebp+var_1C]
		push	[ebp+var_20]
		call	__alldiv
		mov	edi, eax
		mov	eax, edx
		mov	[ebp+var_2C], eax
		cmp	eax, [ebp+var_18]
		jl	short loc_71CDC1
		jg	loc_728C46
		cmp	edi, [ebp+var_30]
		ja	loc_728C46

loc_71CDC1:				; CODE XREF: PopRestoreHiberContext+38Aj
		mov	ds:dword_6C24D4, 1

loc_71CDCB:				; CODE XREF: PopRestoreHiberContext+C288j
					; PopRestoreHiberContext+C293j
		rdtsc
		sub	eax, [ebp+var_34]
		mov	ds:dword_6C2A08, eax
		sbb	edx, [ebp+var_38]
		sub	eax, ds:dword_6C2A00
		mov	ds:dword_6C2A0C, edx
		sbb	edx, ds:dword_6C2A04
		sub	eax, [ebp+var_24]
		mov	ds:dword_6C29D8, eax
		sbb	edx, [ebp+var_28]
		mov	ds:dword_6C29DC, edx
		jmp	loc_71CC34
; 

loc_71CE00:				; CODE XREF: PopRestoreHiberContext+4Ej
		rdtsc
		mov	edi, eax
		mov	ebx, edx
		call	_BgkResumeInitialize@0 ; BgkResumeInitialize()
		mov	ecx, [ebp+var_C]
		rdtsc
		sub	eax, edi
		sbb	edx, ebx
		add	ds:dword_6C2A20, eax
		mov	ebx, [ebp+var_10]
		adc	ds:dword_6C2A24, edx
		mov	eax, [ebp+var_38]
		jmp	loc_71CA7A
PopRestoreHiberContext endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopHiberPeekRangeTable(void *,int,int)
_PopHiberPeekRangeTable@12 proc	near	; CODE XREF: ConsumerPeekAndConsumeBuffer+6Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4] ; int
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0] ; void	*
		and	[ebp+var_4], 0
		push	0		; char
		push	[ebp+arg_8]	; int
		push	ds:dword_6C2500	; int
		push	eax		; int
		call	_PopReadProducerConsumerBuffer@24 ; PopReadProducerConsumerBuffer(x,x,x,x,x,x)
		mov	ecx, [eax]
		movzx	eax, cl
		shr	ecx, 8
		and	ecx, 3FFFFFh
		inc	eax
		lea	eax, [ecx+eax*4]
		leave
		retn	0Ch
_PopHiberPeekRangeTable@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDecompressHiberBlocks proc near	; CODE XREF: PopRestoreHiberContext+1DCp
					; PopRestoreHiberContext+205p ...

var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= word ptr -0A8h
var_A6		= word ptr -0A6h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_4C		= dword	ptr -4Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00728CBE SIZE 00000089 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F8h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		push	5Ch		; size_t
		mov	[ebp+var_E0], eax
		mov	edi, edx
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_C4], edi
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_C8], ecx
		mov	[ebp+var_F4], esi
		call	_memset
		mov	eax, ds:dword_6C2500
		add	esp, 0Ch
		mov	[ebp+var_F0], ebx
		mov	[ebp+var_E8], ebx
		mov	[ebp+var_EC], ebx
		mov	[ebp+var_C0], eax
		mov	[ebp+var_E4], ebx

loc_71CED5:				; CODE XREF: PopDecompressHiberBlocks+3AFj
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		mov	eax, ds:dword_6C2A38
		or	eax, ds:dword_6C2A3C
		jz	loc_71D33C

loc_71CEEB:				; CODE XREF: PopDecompressHiberBlocks+4EFj
					; PopDecompressHiberBlocks+4FCj ...
		mov	ecx, large fs:20h
		mov	eax, [ebp+var_C8]
		mov	eax, [eax+84h]
		cmp	eax, [ecx+3CCh]
		jz	loc_71D22E

loc_71CF0A:				; CODE XREF: PopDecompressHiberBlocks+3CFj
					; PopDecompressHiberBlocks+424j ...
		push	edi
		push	ecx
		mov	ecx, [ebp+var_C0]
		lea	edx, [ebp+var_D8]
		push	esi
		mov	[ebp+var_D8], 4
		call	ConsumerPeekAndConsumeBuffer
		mov	[ebp+var_CC], eax
		test	eax, eax
		jz	loc_71D2D5
		push	1		; char
		push	edi		; int
		push	[ebp+var_C0]	; int
		lea	ecx, [ebp+var_F0]
		push	ecx		; int
		push	4
		pop	edx
		mov	ecx, eax	; void *
		call	_PopReadProducerConsumerBuffer@24 ; PopReadProducerConsumerBuffer(x,x,x,x,x,x)
		mov	edx, [ebp+var_C4]
		mov	ecx, eax
		mov	eax, [ebp+var_CC]
		push	1		; char
		push	edx		; int
		movzx	edi, byte ptr [ecx]
		add	eax, 4
		push	[ebp+var_C0]	; int
		mov	[ebp+var_D0], ecx
		lea	ecx, [ebp+var_4C]
		shl	edi, 2
		push	ecx		; int
		mov	edx, edi	; int
		mov	[ebp+var_B8], eax
		mov	ecx, eax	; void *
		call	_PopReadProducerConsumerBuffer@24 ; PopReadProducerConsumerBuffer(x,x,x,x,x,x)
		add	[ebp+var_B8], edi
		mov	ecx, eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_B4], eax
		mov	edx, ebx
		mov	eax, [ebp+var_D0]
		mov	edi, ebx
		movzx	eax, byte ptr [eax]
		mov	[ebp+var_B0], eax
		test	eax, eax
		jz	short loc_71CFFF
		mov	esi, [ebp+var_B4]
		mov	ebx, eax

loc_71CFC2:				; CODE XREF: PopDecompressHiberBlocks+18Fj
		mov	eax, [ecx+edi*4]
		mov	ecx, eax
		and	eax, 0Fh
		shr	ecx, 4
		inc	eax
		add	eax, ecx
		mov	[ebp+var_B4], eax
		sub	eax, ecx
		add	edx, eax
		mov	eax, [ebp+var_B4]
		jmp	short loc_71CFE8
; 

loc_71CFE2:				; CODE XREF: PopDecompressHiberBlocks+184j
		mov	[esi], ecx
		inc	ecx
		add	esi, 4

loc_71CFE8:				; CODE XREF: PopDecompressHiberBlocks+17Aj
		cmp	ecx, eax
		jb	short loc_71CFE2
		mov	ecx, [ebp+var_BC]
		inc	edi
		cmp	edi, ebx
		jb	short loc_71CFC2
		mov	esi, [ebp+var_F4]
		xor	ebx, ebx

loc_71CFFF:				; CODE XREF: PopDecompressHiberBlocks+152j
		mov	edi, [ebp+var_C8]
		cmp	edx, [edi+0B4h]
		ja	loc_728CF9
		mov	edi, [ebp+var_C4]
		shl	edx, 0Ch
		mov	eax, edx
		mov	[ebp+var_DC], edx
		shr	eax, 0Ch
		mov	ecx, [edi+4]
		push	1
		mov	[ebp+var_AC], ebx
		lea	eax, ds:1Ch[eax*4]
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_A8], ax
		xor	eax, eax
		mov	[ebp+var_A6], ax
		lea	eax, [ebp+var_AC]
		push	eax
		mov	[ebp+var_94], ebx
		mov	[ebp+var_98], edx
		call	_MmMapMemoryDumpMdlEx2@16 ; MmMapMemoryDumpMdlEx2(x,x,x,x)
		mov	eax, [ebp+var_D0]
		push	[ebp+var_B8]	; void *
		mov	ecx, [eax]
		rdtsc
		mov	[ebp+var_BC], edx
		mov	edx, [ebp+var_C0]
		mov	[ebp+var_D4], eax
		shr	ecx, 8
		and	ecx, 3FFFFFh
		lea	eax, [edx+28h]
		mov	[ebp+var_B0], eax
		mov	eax, [ebp+var_DC]
		push	edx		; int
		cmp	ecx, eax
		jz	loc_71D2DF
		mov	edx, ecx	; size_t
		mov	ecx, [edi+0Ch]	; int
		call	_ProducerConsumerCopyFromContextBuffer@16 ; ProducerConsumerCopyFromContextBuffer(x,x,x,x)
		push	[ebp+var_D8]
		rdtsc
		push	[ebp+var_CC]
		mov	ecx, edx
		mov	[ebp+var_B8], eax
		sub	eax, [ebp+var_D4]
		mov	edx, edi
		mov	[ebp+var_B4], ecx
		sbb	ecx, [ebp+var_BC]
		add	[edx+38h], eax
		mov	edx, [ebp+var_B0]
		adc	[edi+3Ch], ecx
		mov	ecx, [ebp+var_C0]
		call	_ProducerConsumerBufferComplete@16 ; ProducerConsumerBufferComplete(x,x,x,x)
		rdtsc
		sub	eax, [ebp+var_B8]
		sbb	edx, [ebp+var_B4]
		add	[edi+40h], eax
		mov	eax, [ebp+var_E0]
		adc	[edi+44h], edx
		test	eax, eax
		jnz	loc_71D28F

loc_71D115:				; CODE XREF: PopDecompressHiberBlocks+447j
		rdtsc
		mov	[ebp+var_D4], eax
		mov	eax, [ebp+var_D0]
		mov	[ebp+var_CC], edx
		mov	edx, [ebp+var_A0]
		mov	ecx, [eax]
		lea	eax, [ebp+var_E4]
		push	ecx
		push	[ebp+var_C8]
		push	[ebp+var_E0]
		push	dword ptr [edi+8]
		mov	edi, ecx
		shr	ecx, 1Eh
		push	eax
		shr	edi, 8
		and	edi, 3FFFFFh
		mov	cx, ds:_PopCompressMethodMap[ecx*2]
		push	edi
		mov	edi, [ebp+var_C4]
		push	dword ptr [edi+0Ch]
		push	[ebp+var_DC]
		call	RtlDecompressBufferProgress
		mov	ecx, eax
		rdtsc
		mov	[ebp+var_B0], eax
		mov	[ebp+var_BC], edx
		test	ecx, ecx
		js	loc_728CD0
		mov	edx, [ebp+var_DC]
		cmp	[ebp+var_E4], edx
		jnz	loc_728CD0
		mov	ecx, [edi+30h]
		sub	ecx, [ebp+var_D4]
		mov	eax, [edi+34h]
		sbb	eax, [ebp+var_CC]
		add	ecx, [ebp+var_B0]
		mov	[edi+30h], ecx
		adc	eax, [ebp+var_BC]
		cmp	[ebp+var_E0], 0
		mov	[edi+34h], eax
		jnz	loc_71D2B2

loc_71D1CE:				; CODE XREF: PopDecompressHiberBlocks+46Aj
		mov	eax, [ebp+var_D0]
		mov	ecx, [eax]
		shr	ecx, 1Eh
		cmp	ecx, 2
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		add	[eax+edi+60h], edx
		mov	edx, [ebp+var_BC]
		adc	[eax+edi+64h], ebx
		cmp	ecx, 2
		mov	ecx, [ebp+var_B0]
		sbb	eax, eax
		and	eax, 0FFFFFFF8h
		sub	ecx, [ebp+var_B8]
		sbb	edx, [ebp+var_B4]
		add	[eax+edi+50h], ecx
		adc	[eax+edi+54h], edx

loc_71D211:				; CODE XREF: PopDecompressHiberBlocks+4D1j
		cmp	[ebp+arg_4], 0
		jnz	loc_71CED5

loc_71D21B:				; CODE XREF: PopDecompressHiberBlocks+474j
		mov	ecx, [ebp+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_71D22E:				; CODE XREF: PopDecompressHiberBlocks+9Ej
		cmp	ds:byte_6C24D1,	0
		jnz	loc_71CF0A
		cmp	ds:dword_6C24B8, 640h
		jbe	loc_728CBE

loc_71D24B:				; CODE XREF: PopDecompressHiberBlocks+BE5Fj
		cmp	ds:byte_6D4AB8,	0
		rdtsc
		mov	[ebp+var_B4], eax
		mov	[ebp+var_B0], edx
		jz	short loc_71D270
		mov	cl, 1
		call	_BgDisplayProgressIndicator@4 ;	BgDisplayProgressIndicator(x)
		mov	ds:byte_6D4C7A,	1

loc_71D270:				; CODE XREF: PopDecompressHiberBlocks+3FAj
		rdtsc
		sub	eax, [ebp+var_B4]
		sbb	edx, [ebp+var_B0]
		add	ds:dword_6C2A20, eax
		adc	ds:dword_6C2A24, edx
		jmp	loc_71CF0A
; 

loc_71D28F:				; CODE XREF: PopDecompressHiberBlocks+2A9j
		push	[ebp+var_C8]
		call	eax
		mov	eax, ds:dword_6C2A10
		mov	[ebp+var_E8], eax
		mov	eax, ds:dword_6C2A14
		mov	[ebp+var_EC], eax
		jmp	loc_71D115
; 

loc_71D2B2:				; CODE XREF: PopDecompressHiberBlocks+362j
		sub	ecx, ds:dword_6C2A10
		sbb	eax, ds:dword_6C2A14
		add	ecx, [ebp+var_E8]
		mov	[edi+30h], ecx
		adc	eax, [ebp+var_EC]
		mov	[edi+34h], eax
		jmp	loc_71D1CE
; 

loc_71D2D5:				; CODE XREF: PopDecompressHiberBlocks+CAj
		mov	ebx, 80000022h
		jmp	loc_71D21B	; int
; 

loc_71D2DF:				; CODE XREF: PopDecompressHiberBlocks+23Cj
		mov	ecx, [ebp+var_A0] ; int
		mov	edx, eax	; size_t
		call	_ProducerConsumerCopyFromContextBuffer@16 ; ProducerConsumerCopyFromContextBuffer(x,x,x,x)
		push	[ebp+var_D8]
		mov	ecx, [ebp+var_C0]
		push	[ebp+var_CC]
		rdtsc
		sub	eax, [ebp+var_D4]
		sbb	edx, [ebp+var_BC]
		add	[edi+38h], eax
		adc	[edi+3Ch], edx
		rdtsc
		mov	ebx, edx
		mov	edi, eax
		mov	edx, [ebp+var_B0]
		call	_ProducerConsumerBufferComplete@16 ; ProducerConsumerBufferComplete(x,x,x,x)
		rdtsc
		sub	eax, edi
		mov	edi, [ebp+var_C4]
		sbb	edx, ebx
		add	[edi+40h], eax
		adc	[edi+44h], edx
		xor	ebx, ebx
		jmp	loc_71D211
; 

loc_71D33C:				; CODE XREF: PopDecompressHiberBlocks+7Fj
		mov	ecx, large fs:20h
		mov	eax, [ebp+var_C8]
		mov	eax, [eax+84h]
		cmp	eax, [ecx+3CCh]
		jnz	loc_71CEEB
		cmp	ds:byte_6C24D0,	0
		jz	loc_71CEEB
		push	ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ds:dword_6C2A38, eax
		mov	ds:dword_6C2A3C, edx
		jmp	loc_71CEEB
PopDecompressHiberBlocks endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PopReadProducerConsumerBuffer(void *,int,int,int,int,char)
_PopReadProducerConsumerBuffer@24 proc near ; CODE XREF: PopHiberPeekRangeTable(x,x,x)+1Fp
					; PopDecompressHiberBlocks+E5p	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_C], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_4], edx
		jz	short loc_71D3C2

loc_71D393:				; CODE XREF: PopReadProducerConsumerBuffer(x,x,x,x,x,x)+4Bj
		push	esi
		push	edi
		rdtsc
		push	ecx		; void *
		push	ebx		; int
		mov	ebx, [ebp+arg_0]
		mov	edi, edx
		mov	edx, [ebp+var_4] ; size_t
		mov	ecx, ebx	; int
		mov	esi, eax
		call	_ProducerConsumerCopyFromContextBuffer@16 ; ProducerConsumerCopyFromContextBuffer(x,x,x,x)
		mov	ecx, [ebp+arg_8]
		rdtsc
		sub	eax, esi
		sbb	edx, edi
		add	[ecx+38h], eax
		pop	edi
		adc	[ecx+3Ch], edx
		pop	esi

loc_71D3BB:				; CODE XREF: PopReadProducerConsumerBuffer(x,x,x,x,x,x)+4Fj
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
; 

loc_71D3C2:				; CODE XREF: PopReadProducerConsumerBuffer(x,x,x,x,x,x)+11j
		mov	eax, ecx
		sub	eax, [ebx]
		add	eax, edx
		cmp	eax, [ebx+4]
		ja	short loc_71D393
		mov	ebx, ecx
		jmp	short loc_71D3BB
_PopReadProducerConsumerBuffer@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ProducerConsumerCopyFromContextBuffer(int,size_t,int,void *)
_ProducerConsumerCopyFromContextBuffer@16 proc near
					; CODE XREF: PopDecompressHiberBlocks+247p
					; PopDecompressHiberBlocks+481p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	ecx, [eax+4]
		mov	edx, ebx
		sub	edx, [eax]
		xor	esi, esi
		cmp	edx, ecx
		jnb	short loc_71D431

loc_71D3F3:				; CODE XREF: ProducerConsumerCopyFromContextBuffer(x,x,x,x)+63j
		lea	eax, [edx+edi]
		cmp	eax, ecx
		ja	short loc_71D413

loc_71D3FA:				; CODE XREF: ProducerConsumerCopyFromContextBuffer(x,x,x,x)+49j
		push	edi		; size_t
		push	ebx		; void *
		mov	ebx, [ebp+var_4]
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		test	esi, esi
		jnz	short loc_71D41D

loc_71D40C:				; CODE XREF: ProducerConsumerCopyFromContextBuffer(x,x,x,x)+5Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_71D413:				; CODE XREF: ProducerConsumerCopyFromContextBuffer(x,x,x,x)+26j
		mov	esi, edx
		sub	esi, ecx
		add	esi, edi
		sub	edi, esi
		jmp	short loc_71D3FA
; 

loc_71D41D:				; CODE XREF: ProducerConsumerCopyFromContextBuffer(x,x,x,x)+38j
		mov	eax, [ebp+arg_0]
		push	esi		; size_t
		push	dword ptr [eax]	; void *
		lea	eax, [ebx+edi]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_71D40C
; 

loc_71D431:				; CODE XREF: ProducerConsumerCopyFromContextBuffer(x,x,x,x)+1Fj
		sub	edx, ecx
		sub	ebx, ecx
		jmp	short loc_71D3F3
_ProducerConsumerCopyFromContextBuffer@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ConsumerPeekAndConsumeBuffer proc near	; CODE XREF: PopDecompressHiberBlocks+BDp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00728D47 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], edi
		mov	ecx, 1
		lea	ebx, [esi+10h]
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jnz	loc_71D500
		jmp	short loc_71D470
; 
		align 10h

loc_71D470:				; CODE XREF: ConsumerPeekAndConsumeBuffer+2Bj
					; ConsumerPeekAndConsumeBuffer+DBj ...
		mov	edx, [esi+20h]
		mov	ebx, [esi+28h]
		sub	edx, ebx
		mov	eax, [esi+8]
		or	eax, [esi+0Ch]
		mov	ecx, [esi+2Ch]
		mov	edi, [edi]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		jz	short loc_71D4E5

loc_71D48B:				; CODE XREF: ConsumerPeekAndConsumeBuffer+B7j
		cmp	edi, edx
		ja	short loc_71D4DB
		test	edi, edi
		jz	short loc_71D4E1
		mov	eax, [esi+4]
		push	0
		push	eax
		push	ecx
		push	ebx
		call	__aullrem
		push	[ebp+arg_8]	; int
		mov	ecx, [esi]
		add	ecx, eax
		push	edi		; int
		push	ecx		; void *
		mov	[ebp+var_8], ecx
		call	_PopHiberPeekRangeTable@12 ; PopHiberPeekRangeTable(x,x,x)
		mov	edi, eax
		cmp	edi, [ebp+var_C]
		ja	short loc_71D4DB
		mov	eax, [ebp+var_4]
		mov	[eax], edi
		test	edi, edi
		jz	short loc_71D4E1
		add	[esi+28h], edi
		mov	eax, [ebp+var_8]
		adc	dword ptr [esi+2Ch], 0

loc_71D4CB:				; CODE XREF: ConsumerPeekAndConsumeBuffer+A3j
		mov	dword ptr [esi+10h], 0
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_71D4DB:				; CODE XREF: ConsumerPeekAndConsumeBuffer+4Dj
					; ConsumerPeekAndConsumeBuffer+76j
		test	[ebp+arg_0], 1
		jz	short loc_71D523

loc_71D4E1:				; CODE XREF: ConsumerPeekAndConsumeBuffer+51j
					; ConsumerPeekAndConsumeBuffer+7Fj
		xor	eax, eax
		jmp	short loc_71D4CB
; 

loc_71D4E5:				; CODE XREF: ConsumerPeekAndConsumeBuffer+49j
		mov	eax, [esi+18h]
		sub	eax, ebx
		cmp	edi, eax
		jnb	loc_71D5A8

loc_71D4F2:				; CODE XREF: ConsumerPeekAndConsumeBuffer+16Aj
		mov	eax, [ebp+var_4]
		mov	[eax], edi
		jmp	short loc_71D48B
; 
		align 10h

loc_71D500:				; CODE XREF: ConsumerPeekAndConsumeBuffer+25j
					; ConsumerPeekAndConsumeBuffer+CEj ...
		call	KePollFreezeExecution
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_71D500
		mov	ecx, 1
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jz	loc_71D470
		jmp	short loc_71D500
; 

loc_71D523:				; CODE XREF: ConsumerPeekAndConsumeBuffer+9Fj
		mov	dword ptr [esi+10h], 0
		lea	ebx, [ebx+0]

loc_71D530:				; CODE XREF: ConsumerPeekAndConsumeBuffer+12Aj
		call	KePollFreezeExecution
		mov	eax, large fs:20h
		cmp	dword ptr [eax+3CCh], 0
		jz	loc_728D22

loc_71D548:				; CODE XREF: PopDecompressHiberBlocks+BEC9j
					; PopDecompressHiberBlocks+BEDCj
		mov	ecx, [esi+20h]
		mov	edx, [esi+28h]
		sub	ecx, edx
		mov	eax, [esi+8]
		or	eax, [esi+0Ch]
		jz	loc_728D47

loc_71D55C:				; CODE XREF: ConsumerPeekAndConsumeBuffer+B90Ej
					; ConsumerPeekAndConsumeBuffer+B916j
		cmp	edx, ebx
		jnz	short loc_71D56C
		mov	eax, [esi+2Ch]
		cmp	edi, ecx
		jbe	short loc_71D56C
		cmp	eax, [ebp+var_10]
		jz	short loc_71D530

loc_71D56C:				; CODE XREF: ConsumerPeekAndConsumeBuffer+11Ej
					; ConsumerPeekAndConsumeBuffer+125j
		mov	ecx, 1
		lea	ebx, [esi+10h]
		xor	eax, eax
		lock cmpxchg [ebx], ecx
		mov	edi, [ebp+var_4]
		test	eax, eax
		jz	loc_71D470

loc_71D585:				; CODE XREF: ConsumerPeekAndConsumeBuffer+153j
					; ConsumerPeekAndConsumeBuffer+166j
		call	KePollFreezeExecution
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_71D585
		mov	ecx, 1
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jz	loc_71D470
		jmp	short loc_71D585
; 

loc_71D5A8:				; CODE XREF: ConsumerPeekAndConsumeBuffer+ACj
		mov	edi, eax
		jmp	loc_71D4F2
ConsumerPeekAndConsumeBuffer endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopSaveHiberContext proc near		; CODE XREF: PopSaveHiberContextWrapper(x)+36p
					; DATA XREF: PopMarkComponentsBootPhase+1Fo

var_36A		= byte ptr -36Ah
var_369		= byte ptr -369h
var_368		= dword	ptr -368h
var_364		= dword	ptr -364h
var_360		= dword	ptr -360h
var_35C		= dword	ptr -35Ch
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_328		= dword	ptr -328h
var_31C		= dword	ptr -31Ch
var_2C8		= dword	ptr -2C8h
var_2BC		= dword	ptr -2BCh
var_268		= dword	ptr -268h
var_25C		= dword	ptr -25Ch
var_208		= dword	ptr -208h
var_1FC		= dword	ptr -1FCh
var_1A8		= dword	ptr -1A8h
var_19C		= dword	ptr -19Ch
var_194		= dword	ptr -194h
var_108		= dword	ptr -108h
var_C8		= dword	ptr -0C8h
var_88		= dword	ptr -88h
var_48		= dword	ptr -48h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00728D5B SIZE 000004B1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 36Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+36Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi		; struct _exception *
		lea	edi, [esp+378h+var_338]
		stosd
		push	0A0h		; size_t
		push	0		; int
		stosd
		stosd
		stosd
		lea	eax, [esp+380h+var_1A8]
		push	eax		; void *
		call	_memset
		mov	eax, large fs:20h
		add	esp, 0Ch
		mov	[esp+378h+var_344], 0
		mov	ebx, [eax+3CCh]
		test	ebx, ebx
		jz	loc_71DAC2
		test	byte ptr ds:_HvlpFlags,	2
		jnz	loc_728D5B

loc_71D61C:				; CODE XREF: PopSaveHiberContext+51Cj
					; PopSaveHiberContext+B7DFj ...
		cmp	ebx, [esi+0A4h]
		jnb	loc_728DA5
		test	ebx, ebx
		jz	loc_71D6D1
		mov	al, [esi+4]
		test	al, al
		jnz	short loc_71D643

loc_71D637:				; CODE XREF: PopSaveHiberContext+91j
		call	KePollFreezeExecution
		mov	al, [esi+4]
		test	al, al
		jz	short loc_71D637

loc_71D643:				; CODE XREF: PopSaveHiberContext+85j
		mov	edi, [esi+0A8h]
		imul	eax, ebx, 70h
		push	5Ch		; size_t
		push	0		; int
		mov	[esp+380h+var_368], eax
		add	edi, eax
		lea	eax, [esp+380h+var_328]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+378h+var_360], 0
		jmp	short loc_71D670
; 
		align 10h

loc_71D670:				; CODE XREF: PopSaveHiberContext+BBj
					; PopSaveHiberContext+11Fj
		mov	eax, [edi+4]
		lea	edx, [esp+378h+var_360]
		push	eax
		push	1
		lea	eax, [esp+380h+var_328]
		mov	ecx, esi
		push	eax
		lea	eax, [esp+384h+var_108]
		push	eax
		call	PopGetNextTable
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_728DAC
		add	[edi+28h], ebx
		lea	eax, [esp+378h+var_360]
		push	0		; int
		adc	dword ptr [edi+2Ch], 0
		mov	edx, edi
		push	ebx		; int
		push	1		; int
		push	[esp+384h+var_31C] ; void *
		mov	ecx, esi
		push	eax		; int
		call	PopAddPagesToCompressedPageSet
		push	0
		push	ebx
		lea	ecx, [esp+380h+var_108]
		mov	edx, eax
		push	ecx
		lea	ecx, [esp+384h+var_360]
		push	ecx
		mov	ecx, edi
		call	_PopCountDataAsProduced@24 ; PopCountDataAsProduced(x,x,x,x,x,x)
		jmp	short loc_71D670
; 

loc_71D6D1:				; CODE XREF: PopSaveHiberContext+7Aj
		mov	ds:_PopWatchdogTimerCount, 0
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		test	al, al
		jnz	loc_728E4C
		test	byte ptr ds:_PopSimulateHiberBugcheck, 80h
		jnz	loc_728E56
		lea	ecx, [esp+378h+var_344]
		call	_IoDumpStackResumeCapable@4 ; IoDumpStackResumeCapable(x)
		mov	[esp+378h+var_369], al
		test	al, al
		jz	loc_728E5B

loc_71D70A:				; CODE XREF: PopSaveHiberContext+B8B9j
		call	ds:__imp__PshedArePluginsPresent@0 ; PshedArePluginsPresent()
		test	eax, eax
		jnz	loc_728E6E

loc_71D718:				; CODE XREF: PopSaveHiberContext+B8CCj
		call	ds:off_6B1370	; xHalPciMultiStageResumeCapable()
		test	al, al
		jz	loc_728E81

loc_71D726:				; CODE XREF: PopSaveHiberContext+B8DFj
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		test	eax, eax
		jnz	loc_728E94

loc_71D733:				; CODE XREF: PopSaveHiberContext+B8F2j
		cmp	ds:_HvlHypervisorConnected, 0
		lea	eax, [esp+378h+var_338]
		mov	ebx, [esi+88h]
		mov	[esp+378h+var_358], ebx
		mov	[esi+70h], eax
		mov	byte ptr [esi+2], 1
		mov	dword ptr [esi+78h], offset _PoWakeState
		jnz	loc_728EA7

loc_71D75C:				; CODE XREF: PopSaveHiberContext+B904j
		inc	dword ptr [ebx]
		xor	edi, edi
		test	dword ptr [esi+28h], 0FFFFFFE0h
		lea	ebx, [esi+28h]
		mov	ecx, [esi+2Ch]
		mov	edx, [esi+24h]
		jbe	short loc_71D787

loc_71D772:				; CODE XREF: PopSaveHiberContext+1D5j
		mov	eax, [edx]
		lea	ecx, [ecx+4]
		or	[ecx-4], eax
		lea	edx, [edx+4]
		mov	eax, [ebx]
		inc	edi
		shr	eax, 5
		cmp	edi, eax
		jb	short loc_71D772

loc_71D787:				; CODE XREF: PopSaveHiberContext+1C0j
		cmp	ds:byte_6C24D1,	0
		lea	eax, [esi+20h]
		jnz	loc_728EB9
		push	0
		push	eax
		push	ebx
		call	RtlCopyBitMap

loc_71D7A0:				; CODE XREF: PopSaveHiberContext+B90Bj
		push	ebx
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		mov	edx, [esi+74h]
		mov	dword ptr [esi+7Ch], 8
		call	IoGetDumpHiberRanges
		cmp	ds:byte_6C24D1,	0
		jnz	short loc_71D7C8
		mov	ecx, 1
		call	_IoNotifyDump@4	; IoNotifyDump(x)

loc_71D7C8:				; CODE XREF: PopSaveHiberContext+20Cj
		mov	ecx, [esi+74h]
		rdtsc
		mov	edi, eax
		mov	ebx, edx
		call	_IoInitializeDumpStack@8 ; IoInitializeDumpStack(x,x)
		mov	ecx, eax
		rdtsc
		sub	eax, edi
		mov	[esp+378h+var_348], ecx
		sbb	edx, ebx
		add	ds:dword_6C28C8, eax
		adc	ds:dword_6C28CC, edx
		test	ecx, ecx
		js	loc_7291C7
		cmp	ds:_PopSimulateHiberBugcheck, 1
		jz	loc_7291C7
		mov	ecx, esi
		call	PopMarkComponentsBootPhase
		lea	eax, [esi+30h]
		mov	ds:_PoHiberInProgress, 1
		mov	edi, [eax]
		cmp	edi, eax
		jz	short loc_71D899
		lea	ebx, [ebx+0]

loc_71D820:				; CODE XREF: PopSaveHiberContext+2E7j
		mov	ecx, [edi+14h]
		lea	eax, [edi]
		mov	ebx, [eax+0Ch]
		mov	edi, [edi]
		mov	[esp+378h+var_368], ecx
		mov	ecx, [eax+10h]
		mov	eax, ecx
		sub	eax, ebx
		mov	[esp+378h+var_364], edi
		add	[esi+40h], eax
		mov	[esp+378h+var_35C], ecx
		adc	dword ptr [esi+44h], 0
		cmp	ebx, ecx
		jnb	short loc_71D892
		mov	edi, ecx
		lea	ebx, [ebx+0]

loc_71D850:				; CODE XREF: PopSaveHiberContext+2DCj
		push	edi
		push	ebx
		lea	edx, [esp+380h+var_1A8]
		mov	ecx, esi
		call	PopCreateDumpMdl
		push	[esp+378h+var_194] ; size_t
		push	[esp+37Ch+var_19C] ; void *
		push	[esp+380h+var_368] ; void *
		call	_memcpy
		mov	eax, [esp+384h+var_194]
		add	esp, 0Ch
		add	[esp+378h+var_368], eax
		shr	eax, 0Ch
		add	ebx, eax
		cmp	ebx, edi
		jb	short loc_71D850
		mov	edi, [esp+378h+var_364]

loc_71D892:				; CODE XREF: PopSaveHiberContext+296j
		lea	eax, [esi+30h]
		cmp	edi, eax
		jnz	short loc_71D820

loc_71D899:				; CODE XREF: PopSaveHiberContext+268j
		mov	ecx, esi
		call	_PopResetRangeEnum@4 ; PopResetRangeEnum(x)
		mov	ecx, [esi+70h]
		mov	eax, ds:dword_6C24B0
		mov	ebx, [esp+378h+var_358]
		mov	[ecx], eax
		mov	[ecx+4], eax
		rdtsc
		mov	dword ptr [ecx+8], 0
		mov	dword ptr [ecx+0Ch], 0
		mov	ecx, esi
		mov	[esp+378h+var_340], edx
		mov	edx, ebx
		mov	[esp+378h+var_33C], eax
		call	PopWriteHeaderPages
		mov	edi, eax
		test	edi, edi
		js	loc_72915B
		mov	eax, [ebx+44h]
		mov	[esp+378h+var_348], eax
		lea	eax, [esi+28h]
		push	eax
		mov	dword ptr [esi+7Ch], 4
		mov	[esi+48h], eax
		call	_RtlNumberOfClearBits@4	; RtlNumberOfClearBits(x)
		mov	ebx, [esi+44h]
		mov	ecx, 1000h
		mov	edi, [esi+0ACh]
		mul	ecx
		mov	ecx, [esi+40h]
		shld	ebx, ecx, 0Ch
		push	38h		; size_t
		shl	ecx, 0Ch
		add	ecx, eax
		mov	eax, ds:dword_6C2500
		push	0		; int
		adc	ebx, edx
		mov	[esp+380h+var_35C], ecx
		mov	[esp+380h+var_368], ebx
		mov	ebx, [esi+0B0h]
		push	eax		; void *
		mov	[esp+384h+var_364], eax
		call	_memset
		mov	eax, [esp+384h+var_364]
		add	esp, 0Ch
		cmp	[esp+378h+var_369], 0
		mov	ecx, [esp+378h+var_35C]
		mov	[eax+8], ecx
		mov	ecx, [esp+378h+var_368]
		mov	dword ptr [eax+10h], 0
		mov	[eax], edi
		mov	[eax+4], ebx
		mov	[eax+0Ch], ecx
		mov	ds:dword_6C2A58, 0
		mov	ds:dword_6C2A5C, 0
		mov	ds:dword_6C2A60, 0
		mov	ds:dword_6C2A64, 0
		mov	dword ptr [esi+0CCh], 0
		mov	dword ptr [esi+0D8h], 0
		mov	dword ptr [esi+0DCh], 0
		jz	short loc_71D9B3
		mov	eax, [esi+74h]
		cmp	dword ptr [eax+54h], 0
		jz	short loc_71D9B3
		mov	byte ptr [esi+104h], 1

loc_71D9B3:				; CODE XREF: PopSaveHiberContext+3F1j
					; PopSaveHiberContext+3FAj
		mov	eax, ds:_PopHiberScratchPages
		push	5Ch		; size_t
		push	0		; int
		lea	ecx, ds:0FFFh[eax*4]
		mov	eax, [esi+0A0h]
		add	eax, 2
		shr	ecx, 0Ch
		add	ecx, eax
		mov	eax, [esp+380h+var_358]
		mov	[eax+50h], ecx
		xor	eax, eax
		shld	eax, ecx, 0Ch
		mov	[esi+0FCh], eax
		lea	eax, [esp+380h+var_268]
		shl	ecx, 0Ch
		mov	[esi+0F8h], ecx
		push	eax		; void *
		mov	byte ptr [esi+4], 1
		call	_memset
		mov	eax, ds:dword_6C2500
		add	esp, 0Ch
		mov	edi, [esi+0A8h]
		xor	ebx, ebx
		mov	[esp+378h+var_350], 0
		mov	[esp+378h+var_364], eax
		mov	[esp+378h+var_368], ebx
		mov	edi, edi

loc_71DA20:				; CODE XREF: PopSaveHiberContext+507j
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		mov	edx, [esp+378h+var_364]
		mov	ecx, esi
		push	1
		call	PopRequestWrite
		mov	[esp+378h+var_369], al
		mov	eax, [esp+378h+var_368]
		test	eax, eax
		jnz	short loc_71DA8D
		mov	ecx, [edi+4]
		lea	eax, [esp+378h+var_268]
		push	ecx
		push	1
		push	eax
		lea	eax, [esp+384h+var_88]
		mov	ecx, esi
		push	eax
		lea	edx, [esp+388h+var_350]
		call	PopGetNextTable
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_71DAB2
		add	[edi+28h], ebx
		lea	eax, [esp+378h+var_350]
		push	offset _PopCompressCallback@4 ;	int
		adc	dword ptr [edi+2Ch], 0
		mov	edx, edi
		push	ebx		; int
		push	1		; int
		push	[esp+384h+var_25C] ; void *
		mov	ecx, esi
		push	eax		; int
		call	PopAddPagesToCompressedPageSet
		mov	[esp+378h+var_368], eax

loc_71DA8D:				; CODE XREF: PopSaveHiberContext+48Cj
		push	1
		push	ebx
		lea	ecx, [esp+380h+var_88]
		mov	edx, eax
		push	ecx
		lea	ecx, [esp+384h+var_350]
		push	ecx
		mov	ecx, edi
		call	_PopCountDataAsProduced@24 ; PopCountDataAsProduced(x,x,x,x,x,x)
		test	al, al
		jz	short loc_71DAB2
		mov	[esp+378h+var_368], 0

loc_71DAB2:				; CODE XREF: PopSaveHiberContext+4B3j
					; PopSaveHiberContext+4F8j
		cmp	[esp+378h+var_369], 0
		jz	loc_71DA20
		jmp	loc_728EC0
; 

loc_71DAC2:				; CODE XREF: PopSaveHiberContext+59j
		mov	ecx, 13h
		call	PopCheckpointSystemSleep
		jmp	loc_71D61C
PopSaveHiberContext endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDecompressCallback(x)
_PopDecompressCallback@4 proc near	; DATA XREF: PopRestoreHiberContext+1D0o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, ds:dword_6C2500
		mov	ecx, [ebp+arg_0]
		push	1
		call	PopRequestRead
		pop	ecx
		pop	ebp
		retn	4
_PopDecompressCallback@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopRequestRead	proc near		; CODE XREF: PopRestoreHiberContext+1CBp
					; PopDecompressCallback(x)+11p

var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0072920C SIZE 000000D4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		and	[esp+2Ch+var_8], 0
		and	[esp+2Ch+var_4], 0
		push	ebx
		mov	ebx, ecx
		mov	[esp+30h+var_24], edx
		push	esi
		push	edi
		mov	[esp+38h+var_20], ebx
		mov	eax, [ebx+108h]
		or	eax, [ebx+10Ch]
		mov	esi, [ebx+0C8h]
		mov	[esp+38h+var_28], esi
		jz	loc_71DBFA
		mov	ecx, [ebx+0CCh]
		xor	edx, edx
		inc	edx

loc_71DB35:				; CODE XREF: PopRequestRead+262j
		sub	ecx, 0
		jnz	loc_71DC03
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		push	dword ptr [ebx+0FCh]
		mov	ecx, [ebx+70h]
		lea	edx, [esp+3Ch+var_8]
		push	dword ptr [ebx+0F8h]
		lea	esi, [ebx+0F0h]
		call	PopGetIoLocation
		mov	edi, [ebx+110h]
		xor	ecx, ecx
		mov	[esi+4], edx
		mov	edx, edi
		shld	ecx, edx, 0Ch
		mov	[esi], eax
		push	ecx
		shl	edx, 0Ch
		push	edx
		push	dword ptr [ebx+0DCh]
		push	dword ptr [ebx+0D8h]
		call	__aullrem
		mov	ecx, eax
		mov	esi, edx
		mov	eax, edi
		mov	edx, 1000h
		mul	edx
		mov	edi, eax
		mov	eax, edx
		sub	edi, ecx
		mov	[esp+38h+var_10], edi
		sbb	eax, esi
		mov	[esp+38h+var_C], eax
		cmp	eax, [esp+38h+var_4]
		jb	short loc_71DBBD
		ja	loc_7291F7
		cmp	edi, [esp+38h+var_8]
		jnb	loc_7291F7

loc_71DBBD:				; CODE XREF: PopRequestRead+BDj
					; PopSaveHiberContext+BC57j
		mov	edx, [ebx+10Ch]
		mov	ecx, [ebx+108h]
		cmp	eax, edx
		jb	short loc_71DBDB
		ja	loc_71DEC2
		cmp	edi, ecx
		jnb	loc_71DEC2

loc_71DBDB:				; CODE XREF: PopRequestRead+DDj
		mov	ecx, edi
		mov	[esp+38h+var_14], eax

loc_71DBE1:				; CODE XREF: PopRequestRead+3D8j
		push	[ebp+arg_0]
		mov	edx, edi
		push	ecx
		mov	ecx, [esp+40h+var_24]
		call	ProducerGetBuffer
		mov	esi, eax
		test	esi, esi
		jnz	loc_71DD5B

loc_71DBFA:				; CODE XREF: PopRequestRead+38j
					; PopRequestRead+165j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_71DC03:				; CODE XREF: PopRequestRead+4Aj
		sub	ecx, 1
		jnz	short loc_71DC65
		add	ds:dword_6C29F8, edx
		push	[esp+38h+var_28]
		adc	ds:dword_6C29FC, ecx
		lea	ecx, [ebx+0F0h]
		mov	esi, [ebx+74h]
		rdtsc
		push	ecx
		push	2
		mov	edi, eax
		mov	[esp+44h+var_C], edx
		call	dword ptr [esi+6Ch]
		mov	esi, eax
		test	esi, esi
		js	loc_729243
		rdtsc
		sub	eax, edi
		sbb	edx, [esp+44h+var_18]
		add	ds:dword_6C2A10, eax
		adc	ds:dword_6C2A14, edx
		cmp	esi, 103h
		jz	short loc_71DBFA

loc_71DC55:				; CODE XREF: PopRequestRead+3A2j
					; PopRequestRead+3AAj
		push	2
		pop	edx
		mov	ecx, edx
		mov	[ebx+0CCh], edx
		jmp	loc_71DD41
; 

loc_71DC65:				; CODE XREF: PopRequestRead+118j
		push	dword ptr [ebx+0E8h]
		xor	dl, dl
		mov	ecx, ebx
		push	dword ptr [ebx+100h]
		push	dword ptr [ebx+0FCh]
		push	dword ptr [ebx+0F8h]
		call	PopHiberChecksumHiberFileData
		rdtsc
		mov	edi, eax
		mov	ebx, edx
		mov	eax, [esp+38h+var_20]
		mov	esi, edi
		mov	ecx, ebx
		sub	esi, [eax+0D0h]
		sbb	ecx, [eax+0D4h]
		add	ds:dword_6C29E8, esi
		adc	ds:dword_6C29EC, ecx
		mov	ecx, [esp+38h+var_24]
		push	dword ptr [eax+0E8h]
		push	dword ptr [eax+100h]
		lea	esi, [ecx+18h]
		mov	edx, esi
		call	_ProducerConsumerBufferComplete@16 ; ProducerConsumerBufferComplete(x,x,x,x)
		rdtsc
		sub	eax, edi
		sbb	edx, ebx
		add	ds:dword_6C2A18, eax
		mov	ebx, [esp+38h+var_20]
		adc	ds:dword_6C2A1C, edx
		mov	eax, [ebx+0E8h]
		sub	[ebx+108h], eax
		mov	eax, [ebx+0ECh]
		mov	ecx, [ebx+108h]
		sbb	[ebx+10Ch], eax
		or	ecx, [ebx+10Ch]
		jz	loc_71DEAE

loc_71DD06:				; CODE XREF: PopRequestRead+3CFj
		mov	eax, [ebx+0E0h]
		add	[ebx+0F8h], eax
		mov	ecx, [ebx+0E4h]
		adc	[ebx+0FCh], ecx
		add	[ebx+0D8h], eax
		adc	[ebx+0DCh], ecx
		and	dword ptr [ebx+0E0h], 0
		and	dword ptr [ebx+0E4h], 0
		and	dword ptr [ebx+0CCh], 0
		xor	ecx, ecx

loc_71DD41:				; CODE XREF: PopRequestRead+172j
		xor	edx, edx
		inc	edx

loc_71DD44:				; CODE XREF: PopRequestRead+3BBj
		mov	eax, [ebx+108h]
		or	eax, [ebx+10Ch]
		jnz	loc_71DB35
		jmp	loc_71DBFA
; 

loc_71DD5B:				; CODE XREF: PopRequestRead+106j
		mov	edx, [esp+38h+var_28]
		lea	eax, [edi+0FFFh]
		and	[esp+38h+var_18], 0
		mov	ecx, esi
		and	ecx, 0FFFh
		mov	[ebx+100h], esi
		add	eax, ecx
		and	dword ptr [edx], 0
		shr	eax, 0Ch
		mov	[esp+38h+var_1C], eax
		mov	[edx+18h], ecx
		mov	[edx+14h], edi
		lea	eax, ds:1Ch[eax*4]
		mov	[edx+0Ch], esi
		mov	[edx+4], ax
		mov	eax, esi
		and	eax, 0FFFFF000h
		mov	[edx+10h], eax
		xor	eax, eax
		inc	eax
		cmp	[esp+38h+var_1C], 0
		mov	[edx+6], ax
		jbe	short loc_71DDE0
		mov	edi, [esp+38h+var_1C]
		mov	ebx, edx

loc_71DDB6:				; CODE XREF: PopRequestRead+2E8j
		push	esi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	ecx, [esp+38h+var_18]
		shrd	eax, edx, 0Ch
		mov	[ebx+ecx*4+1Ch], eax
		inc	ecx
		mov	eax, 1000h
		mov	[esp+38h+var_18], ecx
		add	esi, eax
		cmp	ecx, edi
		jb	short loc_71DDB6
		mov	ebx, [esp+38h+var_20]
		mov	edi, [esp+38h+var_10]

loc_71DDE0:				; CODE XREF: PopRequestRead+2C0j
		mov	al, [ebx+104h]
		mov	esi, [esp+38h+var_28]
		mov	ecx, [ebx+74h]
		mov	[esp+38h+var_29], al
		rdtsc
		mov	[ebx+0D0h], eax
		lea	eax, [ebx+0F0h]
		push	esi
		push	eax
		xor	eax, eax
		mov	[ebx+0D4h], edx
		cmp	[esp+40h+var_29], al
		setnz	al
		push	eax
		call	dword ptr [ecx+6Ch]
		mov	ecx, eax
		mov	[esp+44h+var_1C], ecx
		cmp	ecx, 0C00000BBh
		jz	loc_72920C

loc_71DE26:				; CODE XREF: PopRequestRead+B750j
		test	ecx, ecx
		js	loc_72926B
		cmp	ds:_PopSimulateHiberBugcheck, 8
		jz	loc_72926B
		rdtsc
		sub	eax, [ebx+0D0h]
		sbb	edx, [ebx+0D4h]
		add	ds:dword_6C2A10, eax
		mov	eax, [esp+44h+var_18]
		adc	ds:dword_6C2A14, edx
		mov	esi, [ebx+10Ch]
		mov	edx, [ebx+108h]
		cmp	eax, esi
		jb	short loc_71DE6F
		ja	short loc_71DE73
		cmp	edi, edx
		jnb	short loc_71DE73

loc_71DE6F:				; CODE XREF: PopRequestRead+379j
		mov	edx, edi
		mov	esi, eax

loc_71DE73:				; CODE XREF: PopRequestRead+37Bj
					; PopRequestRead+37Fj
		cmp	[esp+44h+var_35], 0
		mov	[ebx+0E8h], edx
		mov	[ebx+0ECh], esi
		mov	[ebx+0E0h], edi
		mov	[ebx+0E4h], eax
		jz	loc_71DC55
		test	ecx, ecx
		jz	loc_71DC55
		xor	edx, edx
		inc	edx
		mov	[ebx+0CCh], edx
		mov	ecx, edx
		jmp	loc_71DD44
; 

loc_71DEAE:				; CODE XREF: PopRequestRead+212j
		mov	ecx, [esp+38h+var_24]
		mov	eax, [ecx+20h]
		mov	[esi], eax
		mov	eax, [ecx+24h]
		mov	[esi+4], eax
		jmp	loc_71DD06
; 

loc_71DEC2:				; CODE XREF: PopRequestRead+DFj
					; PopRequestRead+E7j
		mov	[esp+38h+var_14], edx
		jmp	loc_71DBE1
PopRequestRead	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ProducerGetBuffer proc near		; CODE XREF: PopCountDataAsProduced(x,x,x,x,x,x)+40p
					; PopRequestRead+FDp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	edi
		xor	esi, esi
		xor	eax, eax
		inc	esi
		lea	edi, [ebx+10h]
		mov	[ebp+var_8], edi
		lock cmpxchg [edi], esi

loc_71DEEA:				; CODE XREF: ProducerGetBuffer+92j
		test	eax, eax
		jnz	short loc_71DF47

loc_71DEEE:				; CODE XREF: PopRequestRead+B7EDj
		mov	eax, [ebx+30h]
		sub	eax, [ebx+18h]
		mov	ecx, [ebx+4]
		add	eax, ecx
		cmp	[ebp+var_4], eax
		jbe	short loc_71DF17
		test	[ebp+arg_4], 1
		jz	loc_729299
		xor	eax, eax

loc_71DF0A:				; CODE XREF: ProducerGetBuffer+79j
		mov	dword ptr [edi], 0
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_71DF17:				; CODE XREF: ProducerGetBuffer+30j
		mov	esi, [ebx+1Ch]
		mov	edi, [ebx+18h]
		push	0
		push	ecx
		push	esi
		push	edi
		call	__aullrem
		add	eax, [ebx]
		xor	ecx, ecx
		mov	edx, [ebp+var_4]
		add	edx, edi
		mov	edi, [ebp+var_8]
		mov	[ebx+18h], edx
		adc	ecx, esi
		mov	[ebx+1Ch], ecx
		mov	ecx, [ebp+arg_0]
		sub	[ebx+8], ecx
		sbb	dword ptr [ebx+0Ch], 0
		jmp	short loc_71DF0A
; 

loc_71DF47:				; CODE XREF: ProducerGetBuffer+20j
					; ProducerGetBuffer+89j
		call	KePollFreezeExecution
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_71DF47
		xor	ecx, ecx
		inc	ecx
		lock cmpxchg [edi], ecx
		jmp	short loc_71DEEA
ProducerGetBuffer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopGetIoLocation proc near		; CODE XREF: PopWriteHiberPages+EDp
					; PopHiberReadChecksums+75p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 007292E0 SIZE 000000C2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1C], edx
		mov	ecx, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, [esi+0Ch]
		mov	ebx, [esi+8]
		mov	edx, [esi+4]
		mov	[ebp+var_14], esi
		mov	[ebp+var_8], eax
		cmp	edi, eax
		ja	short loc_71DF97
		jb	loc_7292E0
		cmp	ecx, ebx
		jb	loc_7292E0

loc_71DF97:				; CODE XREF: PopGetIoLocation+27j
		mov	eax, [edx]
		mov	[ebp+arg_4], eax
		mov	eax, [edx+4]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		add	eax, ebx
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_4]
		adc	eax, [ebp+var_8]
		cmp	edi, eax
		jb	short loc_71DFC3
		ja	loc_7292E0
		cmp	ecx, [ebp+var_10]
		jnb	loc_7292E0

loc_71DFC3:				; CODE XREF: PopGetIoLocation+52j
					; PopGetIoLocation+B3D3j ...
		mov	eax, [edx+8]
		sub	ecx, ebx
		mov	edx, [edx+0Ch]
		sbb	edi, [ebp+var_8]
		add	eax, ecx
		mov	ebx, [ebp+arg_4]
		mov	esi, [ebp+var_1C]
		adc	edx, edi
		sub	ebx, ecx
		mov	ecx, [ebp+var_4]
		sbb	ecx, edi
		pop	edi
		mov	[esi], ebx
		mov	[esi+4], ecx
		pop	esi
		pop	ebx
		leave
		retn	8
PopGetIoLocation endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopHiberCheckForDebugBreak()
_PopHiberCheckForDebugBreak@0 proc near	; CODE XREF: PopDecompressHiberBlocks:loc_71CED5p
					; ConsumerPeekAndConsumeBuffer+C5p ...
		mov	eax, large fs:20h
		cmp	dword ptr [eax+3CCh], 0
		jnz	short locret_71E00A
		mov	eax, ds:_PopDebugCount
		inc	eax
		mov	ds:_PopDebugCount, eax
		test	al, 3Fh
		jz	short loc_71E00B

locret_71E00A:				; CODE XREF: PopHiberCheckForDebugBreak()+Dj
		retn
; 

loc_71E00B:				; CODE XREF: PopHiberCheckForDebugBreak()+1Cj
		call	KdCheckForDebugBreak
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		retn
_PopHiberCheckForDebugBreak@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ProducerConsumerBufferComplete(x, x, x, x)
_ProducerConsumerBufferComplete@16 proc	near
					; CODE XREF: PopCountDataAsProduced(x,x,x,x,x,x)+98p
					; PopRequestWrite+1ABp	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, edx
		xor	eax, eax
		mov	edx, ecx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_4], edx
		lea	edi, [edx+10h]
		inc	esi
		mov	[ebp+var_C], edi
		lock cmpxchg [edi], esi
		test	eax, eax
		jnz	loc_71E0E2

loc_71E043:				; CODE XREF: ProducerConsumerBufferComplete(x,x,x,x)+E6j
		mov	esi, [ebp+arg_0]
		sub	esi, [edx]
		mov	edx, [edx+4]
		mov	eax, [ebx+0Ch]
		mov	ecx, [ebx+8]
		push	0
		push	edx
		push	eax
		push	ecx
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], edx
		call	__aullrem
		cmp	eax, esi
		ja	loc_71E117

loc_71E06C:				; CODE XREF: ProducerConsumerBufferComplete(x,x,x,x)+100j
		mov	edx, [ebp+var_8]
		sub	esi, eax
		xor	ecx, ecx
		add	esi, [ebp+arg_0]
		adc	ecx, edx
		mov	[ebp+var_4], ecx
		cmp	esi, [ebp+arg_0]
		jnz	short loc_71E0A1
		cmp	ecx, edx
		jnz	short loc_71E0A1

loc_71E084:				; CODE XREF: ProducerConsumerBufferComplete(x,x,x,x)+C4j
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		add	eax, [ebp+arg_0]
		mov	[ebx+8], eax
		adc	ecx, edx
		mov	[ebx+0Ch], ecx
		mov	dword ptr [edi], 0
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_71E0A1:				; CODE XREF: ProducerConsumerBufferComplete(x,x,x,x)+64j
					; ProducerConsumerBufferComplete(x,x,x,x)+68j ...
		mov	dword ptr [edi], 0
		mov	edi, [ebp+var_4]

loc_71E0AA:				; CODE XREF: ProducerConsumerBufferComplete(x,x,x,x)+9Dj
					; ProducerConsumerBufferComplete(x,x,x,x)+A2j
		call	KePollFreezeExecution
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		cmp	esi, [ebx+8]
		jnz	short loc_71E0AA
		cmp	edi, [ebx+0Ch]
		jnz	short loc_71E0AA
		mov	edi, [ebp+var_C]

loc_71E0C1:				; CODE XREF: ProducerConsumerBufferComplete(x,x,x,x)+F9j
		xor	ecx, ecx
		xor	eax, eax
		inc	ecx
		lock cmpxchg [edi], ecx
		test	eax, eax
		jnz	short loc_71E105
		mov	eax, [ebx+8]
		mov	edx, [ebx+0Ch]
		mov	[ebp+arg_0], eax
		cmp	esi, eax
		jnz	short loc_71E0A1
		cmp	[ebp+var_4], edx
		jz	short loc_71E084
		jmp	short loc_71E0A1
; 

loc_71E0E2:				; CODE XREF: ProducerConsumerBufferComplete(x,x,x,x)+23j
					; ProducerConsumerBufferComplete(x,x,x,x)+D6j ...
		call	KePollFreezeExecution
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_71E0E2
		xor	ecx, ecx
		inc	ecx
		lock cmpxchg [edi], ecx
		test	eax, eax
		jnz	short loc_71E0E2
		mov	edx, [ebp+var_4]
		jmp	loc_71E043
; 

loc_71E105:				; CODE XREF: ProducerConsumerBufferComplete(x,x,x,x)+B2j
					; ProducerConsumerBufferComplete(x,x,x,x)+FBj
		call	KePollFreezeExecution
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_71E0C1
		jmp	short loc_71E105
; 

loc_71E117:				; CODE XREF: ProducerConsumerBufferComplete(x,x,x,x)+4Cj
		add	esi, [ebp+var_4]
		jmp	loc_71E06C
_ProducerConsumerBufferComplete@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopHiberChecksumHiberFileData proc near	; CODE XREF: PopRequestWrite+292p
					; PopRequestRead+193p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 007293A2 SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		cmp	dword ptr [ecx+128h], 0
		push	ebx
		mov	bl, dl
		mov	[ebp+var_10], ecx
		rdtsc
		push	esi
		push	edi
		mov	[ebp+var_1], bl
		mov	[ebp+var_18], eax
		mov	[ebp+var_1C], edx
		jz	loc_71E251
		test	bl, bl
		jnz	loc_71E262
		mov	eax, [ecx+118h]
		mov	edx, [ecx+11Ch]

loc_71E15C:				; CODE XREF: PopHiberChecksumHiberFileData+14Cj
		mov	esi, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		shrd	esi, ebx, 9
		mov	[ebp+var_C], edx
		shr	ebx, 9
		mov	[ebp+var_8], eax
		cmp	ebx, edx
		jb	short loc_71E181
		ja	loc_71E251
		cmp	esi, eax
		jnb	loc_71E251

loc_71E181:				; CODE XREF: PopHiberChecksumHiberFileData+51j
		mov	edx, [ebp+arg_C]
		xor	edi, edi
		mov	eax, edx
		and	eax, 1FFh
		mov	[ebp+arg_4], eax
		or	eax, edi
		jnz	loc_71E29A

loc_71E198:				; CODE XREF: PopHiberChecksumHiberFileData+18Ej
		shrd	edx, edi, 9
		shr	edi, 9
		add	edx, esi
		mov	[ebp+var_14], edx
		adc	edi, ebx
		mov	[ebp+arg_4], edi
		cmp	edi, [ebp+var_C]
		jb	short loc_71E1BF
		ja	loc_71E2B3
		mov	eax, [ebp+var_8]
		cmp	edx, eax
		jnb	loc_71E2B6

loc_71E1BF:				; CODE XREF: PopHiberChecksumHiberFileData+8Cj
		mov	eax, [ebp+arg_4]

loc_71E1C2:				; CODE XREF: PopHiberChecksumHiberFileData+1A1j
		xor	edi, edi
		cmp	ebx, eax
		jb	short loc_71E1D0
		ja	short loc_71E235
		cmp	esi, edx
		jnb	short loc_71E235
		mov	edi, edi

loc_71E1D0:				; CODE XREF: PopHiberChecksumHiberFileData+A6j
					; PopHiberChecksumHiberFileData+10Cj ...
		mov	eax, [ecx+128h]
		lea	eax, [eax+esi*2]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_C]
		sub	eax, edi
		cmp	eax, 200h
		jbe	short loc_71E1ED
		mov	eax, 200h

loc_71E1ED:				; CODE XREF: PopHiberChecksumHiberFileData+C6j
		push	eax
		mov	eax, [ebp+arg_8]
		add	eax, edi
		push	eax
		push	0
		call	_tcpxsum@12	; tcpxsum(x,x,x)
		cmp	[ebp+var_1], 0
		mov	edx, eax
		mov	ecx, [ebp+var_C]
		jnz	short loc_71E25A
		movzx	ecx, word ptr [ecx]
		cmp	ecx, edx
		jnz	loc_7293A2
		mov	eax, ecx

loc_71E213:				; CODE XREF: PopHiberChecksumHiberFileData+140j
		mov	ecx, [ebp+var_10]
		add	edi, 200h
		add	esi, 1
		adc	ebx, 0
		mov	[ecx+120h], ax
		cmp	ebx, [ebp+arg_4]
		jb	short loc_71E1D0
		ja	short loc_71E235
		cmp	esi, [ebp+var_14]
		jb	short loc_71E1D0

loc_71E235:				; CODE XREF: PopHiberChecksumHiberFileData+A8j
					; PopHiberChecksumHiberFileData+ACj ...
		cmp	[ebp+var_1], 0
		jnz	short loc_71E271

loc_71E23B:				; CODE XREF: PopHiberChecksumHiberFileData+15Dj
		rdtsc
		jnz	short loc_71E27F
		sub	eax, [ebp+var_18]
		sbb	edx, [ebp+var_1C]
		add	ds:dword_6C2A28, eax
		adc	ds:dword_6C2A2C, edx

loc_71E251:				; CODE XREF: PopHiberChecksumHiberFileData+22j
					; PopHiberChecksumHiberFileData+53j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_71E25A:				; CODE XREF: PopHiberChecksumHiberFileData+E4j
		movzx	eax, dx
		mov	[ecx], ax
		jmp	short loc_71E213
; 

loc_71E262:				; CODE XREF: PopHiberChecksumHiberFileData+2Aj
		mov	eax, [ecx+12Ch]
		shr	eax, 1
		xor	edx, edx
		jmp	loc_71E15C
; 

loc_71E271:				; CODE XREF: PopHiberChecksumHiberFileData+119j
		mov	[ecx+118h], esi
		mov	[ecx+11Ch], ebx
		jmp	short loc_71E23B
; 

loc_71E27F:				; CODE XREF: PopHiberChecksumHiberFileData+11Dj
		sub	eax, [ebp+var_18]
		pop	edi
		sbb	edx, [ebp+var_1C]
		add	ds:dword_6C28E8, eax
		pop	esi
		adc	ds:dword_6C28EC, edx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_71E29A:				; CODE XREF: PopHiberChecksumHiberFileData+72j
		mov	ecx, 200h
		mov	eax, edi
		sub	ecx, [ebp+arg_4]
		sbb	eax, 0
		add	edx, ecx
		mov	ecx, [ebp+var_10]
		adc	edi, eax
		jmp	loc_71E198
; 

loc_71E2B3:				; CODE XREF: PopHiberChecksumHiberFileData+8Ej
		mov	eax, [ebp+var_8]

loc_71E2B6:				; CODE XREF: PopHiberChecksumHiberFileData+99j
		mov	edx, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_14], edx
		mov	[ebp+arg_4], eax
		jmp	loc_71E1C2
PopHiberChecksumHiberFileData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCompressCallback(x)
_PopCompressCallback@4 proc near	; DATA XREF: PopSaveHiberContext+4BCo
					; PopSaveHiberContext+BAD7o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, ds:dword_6C2500
		mov	ecx, [ebp+arg_0]
		push	1
		call	PopRequestWrite
		pop	ebp
		retn	4
_PopCompressCallback@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ConsumerGetBuffer proc near		; CODE XREF: PopRequestWrite+EEp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 007293F3 SIZE 0000007F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, edx
		xor	eax, eax
		mov	edx, ecx
		mov	[ebp+var_8], ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_4], edx
		lea	edi, [edx+10h]
		inc	esi
		mov	[ebp+var_C], edi
		lock cmpxchg [edi], esi
		test	eax, eax
		jnz	loc_7293D0

loc_71E30C:				; CODE XREF: PopHiberChecksumHiberFileData+B2CEj
					; ConsumerGetBuffer+B16Cj
		mov	esi, [edx+20h]
		mov	ecx, [edx+28h]
		sub	esi, ecx
		mov	eax, [edx+8]
		or	eax, [edx+0Ch]
		mov	ebx, [ebx]
		jz	loc_7293F3

loc_71E322:				; CODE XREF: ConsumerGetBuffer+B123j
		cmp	ebx, esi
		jbe	short loc_71E33F
		test	[ebp+arg_0], 1
		jz	loc_729408

loc_71E330:				; CODE XREF: ConsumerGetBuffer+61j
		xor	eax, eax

loc_71E332:				; CODE XREF: ConsumerGetBuffer+88j
		mov	dword ptr [edi], 0
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_71E33F:				; CODE XREF: ConsumerGetBuffer+44j
		test	ebx, ebx
		jz	short loc_71E330
		mov	esi, [edx+2Ch]
		mov	edi, ecx
		push	0
		push	dword ptr [edx+4]
		push	esi
		push	edi
		call	__aullrem
		mov	edx, [ebp+var_4]
		xor	ecx, ecx
		add	eax, [edx]
		add	ebx, edi
		mov	edi, [ebp+var_C]
		adc	ecx, esi
		mov	[edx+28h], ebx
		mov	[edx+2Ch], ecx
		jmp	short loc_71E332
ConsumerGetBuffer endp


;  S U B	R O U T	I N E 


PopCheckpointSystemSleep proc near	; CODE XREF: PopPrepareSleep(x,x)+Dp
					; PopPrepareSleep(x,x)+2Bj ...

; FUNCTION CHUNK AT 00729472 SIZE 0000006C BYTES

		cmp	ds:_PopBootStatCheckpointAvailable, 0
		push	ebx
		push	esi
		rdtsc
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	edi, eax
		mov	ds:_PopSleepCheckpoint,	esi
		jz	short loc_71E389
		call	_PopRecordSleepCheckpoint@4 ; PopRecordSleepCheckpoint(x)

loc_71E389:				; CODE XREF: PopCheckpointSystemSleep+18j
		xor	edx, edx
		cmp	ds:_PopCheckpointSystemSleepEnabled, edx
		jnz	loc_729472

loc_71E397:				; CODE XREF: PopCheckpointSystemSleep+B116j
					; PopCheckpointSystemSleep+B16Fj
		rdtsc
		sub	eax, edi
		pop	edi
		sbb	edx, ebx
		add	ds:dword_6C28B0, eax
		pop	esi
		adc	ds:dword_6C28B4, edx
		pop	ebx
		retn
PopCheckpointSystemSleep endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoBroadcastSystemState proc near	; CODE XREF: PopSetDevicesSystemState+6Ap
					; PnprQuiesceDevices(x)+E6p ...

var_5C		= dword	ptr -5Ch
var_42		= byte ptr -42h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 007294DE SIZE 0000022A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		push	ebx
		push	esi
		mov	esi, ds:dword_6C231C
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	dl, [edi+19h]
		mov	al, [edi+1Ah]
		mov	[esi], al
		mov	eax, [edi+4]
		mov	[esi+4], eax
		mov	[esi+0F8h], ebx
		mov	[esi+0FCh], ebx
		mov	[esi+101h], bx
		mov	[esi+103h], bl
		mov	[esi+100h], dl
		mov	ds:dword_6C2314, ebx
		mov	ecx, [edi]
		and	ecx, 0Fh
		mov	[esp+50h+var_41], dl
		shl	ecx, 10h
		mov	ds:dword_6C2314, ecx
		test	dl, dl
		jnz	loc_71E74A
		mov	eax, [edi+8]
		and	eax, 0Fh
		shl	eax, 8
		or	eax, ecx
		mov	ds:dword_6C2314, eax
		mov	ecx, [edi+4]
		and	ecx, 0Fh
		shl	ecx, 0Ch
		or	ecx, eax
		mov	ds:dword_6C2314, ecx
		cmp	dword ptr [edi+10h], 5
		jz	loc_7294DE

loc_71E449:				; CODE XREF: PoBroadcastSystemState+3A8j
		test	ds:dword_70EFD0, 8000h
		mov	eax, [edi+10h]
		mov	ds:dword_6C2318, eax
		mov	ds:_PopCurrentBroadcast, 1
		jnz	loc_7294F5

loc_71E468:				; CODE XREF: PoBroadcastSystemState+B19Bj
		cmp	byte ptr [edi+1Ah], 2
		mov	eax, 4000000h
		jnz	short loc_71E47F
		test	[edi+14h], eax
		jnz	short loc_71E47F
		mov	byte ptr [esi+102h], 1

loc_71E47F:				; CODE XREF: PoBroadcastSystemState+C3j
					; PoBroadcastSystemState+C8j
		cmp	[edi+18h], bl
		jnz	loc_72954E

loc_71E488:				; CODE XREF: PoBroadcastSystemState+B1A4j
					; PoBroadcastSystemState+B1B1j
		mov	ebx, [edi+14h]
		test	ebx, 8000000h
		jnz	loc_729564

loc_71E497:				; CODE XREF: PoBroadcastSystemState+B1C3j
		and	ebx, eax
		mov	[esp+50h+var_3C], ebx
		jnz	loc_729576

loc_71E4A3:				; CODE XREF: PoBroadcastSystemState+B1D2j
		test	dl, dl
		jnz	loc_71E5BB
		cmp	byte ptr [edi+1Ah], 2
		jnz	short loc_71E4B8
		mov	cl, 1
		call	PopFxNotifySxTransitionState

loc_71E4B8:				; CODE XREF: PoBroadcastSystemState+101j
		cmp	dword ptr [esi+0F8h], 0
		jl	loc_71E5A7
		mov	ecx, esi
		call	_PopSetupSleepNotifies@4 ; PopSetupSleepNotifies(x)
		mov	edx, ds:dword_6C2314
		mov	eax, edx
		shr	eax, 0Ch
		shr	edx, 8
		and	eax, 0Fh
		and	edx, 0Fh
		cmp	byte ptr [edi+1Ah], 3
		push	eax
		setz	cl
		call	_PopDiagTraceDevicesSuspend@12 ; PopDiagTraceDevicesSuspend(x,x,x)
		xor	ecx, ecx
		cmp	byte ptr [edi+1Ah], 3
		setz	cl
		dec	ecx
		and	ecx, 3
		add	ecx, 0Bh
		call	PopCheckpointSystemSleep
		mov	eax, [edi+10h]
		push	4
		pop	ebx
		cmp	eax, ebx
		jz	loc_729585

loc_71E510:				; CODE XREF: PoBroadcastSystemState+B1E7j
		and	[esp+50h+var_40], 0
		cmp	eax, 2
		jnz	loc_7295A4

loc_71E51E:				; CODE XREF: PoBroadcastSystemState+B1FFj
		cmp	byte ptr [esi],	2
		jz	loc_71E75B

loc_71E527:				; CODE XREF: PoBroadcastSystemState+1D2j
					; PoBroadcastSystemState+3B5j ...
		cmp	ebx, 1
		jz	loc_71E60D

loc_71E530:				; CODE XREF: PoBroadcastSystemState+263j
					; PoBroadcastSystemState+26Ej ...
		movzx	eax, byte ptr [esi]
		xor	edx, edx
		push	1
		push	eax
		mov	ecx, ebx
		call	_PopDiagTraceDevicesLevel@16 ; PopDiagTraceDevicesLevel(x,x,x,x)
		imul	eax, ebx, 28h
		lea	edx, [esi+24h]
		add	edx, eax
		cmp	dword ptr [edx], 0
		jbe	short loc_71E55F
		cmp	dword ptr [edi+14h], 0
		jge	short loc_71E558
		mov	eax, [esi+20h]
		and	dword ptr [eax], 0

loc_71E558:				; CODE XREF: PoBroadcastSystemState+1A2j
		mov	ecx, esi
		call	PopSleepDeviceList

loc_71E55F:				; CODE XREF: PoBroadcastSystemState+19Cj
		movzx	eax, byte ptr [esi]
		xor	edx, edx
		push	0
		push	eax
		mov	ecx, ebx
		call	_PopDiagTraceDevicesLevel@16 ; PopDiagTraceDevicesLevel(x,x,x,x)
		cmp	dword ptr [esi+0F8h], 0
		jl	loc_7295D8
		dec	ebx
		cmp	ebx, [esp+50h+var_40]
		jge	short loc_71E527
		mov	ebx, [esp+50h+var_3C]

loc_71E586:				; CODE XREF: PoBroadcastSystemState+B275j
					; PoBroadcastSystemState+B286j
		cmp	byte ptr [esi],	2
		jnz	short loc_71E593
		test	ebx, ebx
		jnz	loc_729639

loc_71E593:				; CODE XREF: PoBroadcastSystemState+1DBj
					; PoBroadcastSystemState+B290j
		mov	ecx, offset _POP_ETW_EVENT_DEVICESSUSPEND_END
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		cmp	byte ptr [edi+1Ah], 3
		jz	loc_71E768

loc_71E5A7:				; CODE XREF: PoBroadcastSystemState+111j
					; PoBroadcastSystemState+3C2j
		test	ds:_PopSimulate, 20000h
		jnz	loc_729643

loc_71E5B7:				; CODE XREF: PoBroadcastSystemState+B299j
		mov	dl, [esp+50h+var_41]

loc_71E5BB:				; CODE XREF: PoBroadcastSystemState+F7j
					; PoBroadcastSystemState+B2BAj
		mov	[esi+100h], dl
		test	dl, dl
		jnz	loc_71E662

loc_71E5C9:				; CODE XREF: PoBroadcastSystemState+397j
		test	ds:dword_70EFD0, 8000h
		jnz	loc_7296C4

loc_71E5D9:				; CODE XREF: PoBroadcastSystemState+B355j
		cmp	[esp+50h+var_41], 0
		jnz	loc_71E84D

loc_71E5E4:				; CODE XREF: PoBroadcastSystemState+4A3j
					; PoBroadcastSystemState+4B0j
		and	ds:dword_6C2314, 0FF7FFFFFh
		mov	ecx, [esp+50h+var_4]
		pop	edi
		mov	ds:_PopCurrentBroadcast, 0
		mov	eax, [esi+0F8h]
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_71E60D:				; CODE XREF: PoBroadcastSystemState+17Cj
		cmp	byte ptr [edi+1Ah], 2
		jnz	loc_71E530
		cmp	[esp+50h+var_3C], 0
		jnz	loc_71E530
		cmp	ds:dword_6C26E8, 5
		jnz	short loc_71E630
		call	_WmiAcquireSmbiosLockExclusive@0 ; WmiAcquireSmbiosLockExclusive()

loc_71E630:				; CODE XREF: PoBroadcastSystemState+27Bj
		xor	cl, cl
		call	EmPowerPagingEnabled
		call	PopVerifierFlushMemoryBeforeSleep
		xor	eax, eax
		mov	ecx, offset _PopPagingEnabled
		xchg	eax, [ecx]
		cmp	byte ptr [edi+18h], 0
		jnz	loc_7295B2
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		mov	byte ptr [esi+104h], 1
		jmp	loc_71E530
; 

loc_71E662:				; CODE XREF: PoBroadcastSystemState+215j
		mov	byte ptr [esi+102h], 1
		mov	byte ptr [esi],	2
		mov	dword ptr [esi+4], 1
		cmp	byte ptr [edi+1Ah], 2
		jnz	short loc_71E69B
		mov	ecx, (offset loc_4252B4+4)
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ds:dword_6C2878, eax
		mov	ds:dword_6C287C, edx
		cmp	byte ptr [esi],	2
		jnz	short loc_71E6A3

loc_71E69B:				; CODE XREF: PoBroadcastSystemState+2C9j
		test	ebx, ebx
		jnz	loc_72966D

loc_71E6A3:				; CODE XREF: PoBroadcastSystemState+2EBj
					; PoBroadcastSystemState+B2C7j
		xor	ebx, ebx

loc_71E6A5:				; CODE XREF: PoBroadcastSystemState+34Cj
		cmp	ds:_PoResumeFromHibernate, 0
		jz	short loc_71E6B6
		test	ebx, ebx
		jz	loc_71E775

loc_71E6B6:				; CODE XREF: PoBroadcastSystemState+2FEj
					; PoBroadcastSystemState+3EAj ...
		movzx	eax, byte ptr [esi]
		xor	edx, edx
		push	1
		push	eax
		inc	edx
		mov	ecx, ebx
		call	_PopDiagTraceDevicesLevel@16 ; PopDiagTraceDevicesLevel(x,x,x,x)
		imul	eax, ebx, 28h
		lea	edx, [esi+24h]
		add	edx, eax
		mov	eax, [eax+esi+28h]
		cmp	eax, [edx]
		jnb	short loc_71E6DD
		mov	ecx, esi
		call	PopWakeDeviceList

loc_71E6DD:				; CODE XREF: PoBroadcastSystemState+326j
		movzx	eax, byte ptr [esi]
		xor	edx, edx
		push	0
		push	eax
		inc	edx
		mov	ecx, ebx
		call	_PopDiagTraceDevicesLevel@16 ; PopDiagTraceDevicesLevel(x,x,x,x)
		cmp	ebx, 1
		jz	loc_71E7B6

loc_71E6F6:				; CODE XREF: PoBroadcastSystemState+40Cj
					; PoBroadcastSystemState+417j ...
		inc	ebx
		cmp	ebx, 4
		jle	short loc_71E6A5
		cmp	byte ptr [edi+1Ah], 2
		jnz	short loc_71E73A
		call	_PopFxIdleDevicesFromSx@4 ; PopFxIdleDevicesFromSx(x)
		xor	ebx, ebx
		push	ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ds:dword_6C2880, eax
		mov	ds:dword_6C2884, edx
		call	_PopDiagTraceDevicesWakeEnd@0 ;	PopDiagTraceDevicesWakeEnd()
		push	24h
		pop	ecx
		call	PopCheckpointSystemSleep
		call	PopHandleWakeSources
		mov	eax, ds:_PopDebugFlags
		test	al, 8
		jnz	loc_72969B

loc_71E73A:				; CODE XREF: PoBroadcastSystemState+352j
		mov	al, [edi+1Ah]
		mov	[esi], al
		mov	eax, [edi+4]
		mov	[esi+4], eax
		jmp	loc_71E5C9
; 

loc_71E74A:				; CODE XREF: PoBroadcastSystemState+6Aj
		or	ecx, 1100h

loc_71E750:				; CODE XREF: PoBroadcastSystemState+B142j
		mov	ds:dword_6C2314, ecx
		jmp	loc_71E449
; 

loc_71E75B:				; CODE XREF: PoBroadcastSystemState+173j
		xor	ecx, ecx
		inc	ecx
		call	_PopFxActivateDevicesForSx@4 ; PopFxActivateDevicesForSx(x)
		jmp	loc_71E527
; 

loc_71E768:				; CODE XREF: PoBroadcastSystemState+1F3j
		push	0Ch
		pop	ecx
		call	PopCheckpointSystemSleep
		jmp	loc_71E5A7
; 

loc_71E775:				; CODE XREF: PoBroadcastSystemState+302j
		cmp	ds:byte_6C24D0,	0
		jz	short loc_71E791
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ds:dword_6C2A40, eax
		mov	ds:dword_6C2A44, edx

loc_71E791:				; CODE XREF: PoBroadcastSystemState+3CEj
		cmp	ds:byte_6D4AB8,	0
		jz	loc_71E6B6
		call	_BgDisplayFade@0 ; BgDisplayFade()
		mov	ds:byte_6D4C7A,	0
		mov	ds:byte_6D4C79,	0
		jmp	loc_71E6B6
; 

loc_71E7B6:				; CODE XREF: PoBroadcastSystemState+342j
		cmp	byte ptr [edi+1Ah], 2
		jnz	loc_71E6F6
		cmp	[esp+54h+var_40], 0
		jnz	loc_71E6F6
		cmp	byte ptr [esi+104h], 0
		jz	short loc_71E7E0
		mov	byte ptr [esi+104h], 0
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()

loc_71E7E0:				; CODE XREF: PoBroadcastSystemState+424j
		cmp	ds:_PoResumeFromHibernate, 0
		jz	short loc_71E81C
		call	_PopBootLoaderSiDataProcess@0 ;	PopBootLoaderSiDataProcess()
		mov	eax, ds:dword_6C26F8
		mov	eax, [eax+88h]
		push	dword ptr [eax+32Ch]
		mov	dl, [eax+335h]
		push	dword ptr [eax+328h]
		mov	cl, [eax+334h]
		push	dword ptr [eax+330h]
		call	_PopUpdateSmbiosData@20	; PopUpdateSmbiosData(x,x,x,x,x)

loc_71E81C:				; CODE XREF: PoBroadcastSystemState+439j
		cmp	ds:dword_6C26E8, 5
		jnz	short loc_71E82A
		call	_WmiReleaseSmbiosLockExclusive@0 ; WmiReleaseSmbiosLockExclusive()

loc_71E82A:				; CODE XREF: PoBroadcastSystemState+475j
		mov	cl, 1
		call	EmPowerPagingEnabled
		xor	eax, eax
		mov	ecx, offset _PopPagingEnabled
		inc	eax
		xchg	eax, [ecx]
		mov	eax, ds:_PopDebugFlags
		test	al, 4
		jz	loc_71E6F6
		jmp	loc_72967A
; 

loc_71E84D:				; CODE XREF: PoBroadcastSystemState+230j
		cmp	byte ptr [edi+1Ah], 2
		jnz	loc_71E5E4
		xor	cl, cl
		call	PopFxNotifySxTransitionState
		jmp	loc_71E5E4
PoBroadcastSystemState endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDevicesLevel(x,	x, x, x)
_PopDiagTraceDevicesLevel@16 proc near	; CODE XREF: PoBroadcastSystemState+18Cp
					; PoBroadcastSystemState+1BBp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	[ebp+var_28], ecx
		push	esi
		test	edx, edx
		jnz	short loc_71E8FA
		cmp	[ebp+arg_4], dl
		jnz	short loc_71E8F3
		mov	esi, offset _POP_ETW_EVENT_DEVICESSUSPENDLEVEL_END

loc_71E888:				; CODE XREF: PopDiagTraceDevicesLevel(x,x,x,x)+94j
					; PopDiagTraceDevicesLevel(x,x,x,x)+9Fj ...
		cmp	ds:_PopDiagHandleRegistered, 0
		jz	short loc_71E8E4
		push	ebx
		mov	ebx, ds:_PopDiagHandle
		push	edi
		mov	edi, ds:dword_6C1D74
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_71E8E2
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], 4
		mov	[ebp+var_24], eax
		xor	ecx, ecx
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	ecx
		push	esi
		push	edi
		push	ebx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], 1
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_71E8E2:				; CODE XREF: PopDiagTraceDevicesLevel(x,x,x,x)+45j
		pop	edi
		pop	ebx

loc_71E8E4:				; CODE XREF: PopDiagTraceDevicesLevel(x,x,x,x)+2Bj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_71E8F3:				; CODE XREF: PopDiagTraceDevicesLevel(x,x,x,x)+1Dj
		mov	esi, offset _POP_ETW_EVENT_DEVICESSUSPENDLEVEL
		jmp	short loc_71E888
; 

loc_71E8FA:				; CODE XREF: PopDiagTraceDevicesLevel(x,x,x,x)+18j
		cmp	[ebp+arg_4], 0
		mov	esi, offset _POP_ETW_EVENT_DEVICESWAKELEVEL
		jnz	short loc_71E888
		mov	esi, offset _POP_ETW_EVENT_DEVICESWAKELEVEL_END
		jmp	loc_71E888
_PopDiagTraceDevicesLevel@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopNotifyDevice	proc near		; CODE XREF: PopWakeDeviceList+112p
					; PopSleepDeviceList+153p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00729708 SIZE 00000039 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	byte ptr [esi+100h], 0
		mov	eax, [esi+20h]
		mov	[ebp+var_C], eax
		jnz	short loc_71E941
		mov	eax, [eax]
		cmp	eax, [edi+20h]
		jz	loc_729708

loc_71E941:				; CODE XREF: PopNotifyDevice+24j
		mov	al, 1

loc_71E943:				; CODE XREF: PopNotifyDevice+ADFAj
		mov	ecx, ds:dword_6C2318
		mov	edx, [esi+4]
		push	eax
		call	PopMapInternalActionToIrpAction
		mov	[ebp+var_10], eax
		mov	ebx, edx
		cmp	eax, 7
		jz	loc_72970F

loc_71E960:				; CODE XREF: PopNotifyDevice+AE07j
					; PopNotifyDevice+AE10j ...
		mov	ecx, [edi+18h]
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	1
		push	ebx
		push	eax
		movzx	eax, byte ptr [esi]
		push	eax
		call	PopAllocateIrp
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_8]
		mov	[eax+84h], edi
		mov	byte ptr [eax+88h], 0
		mov	ecx, [edx+60h]
		mov	eax, [ebp+var_10]
		and	dword ptr [ecx-1Ch], 0
		mov	[ecx-18h], ebx
		mov	[ecx-14h], eax
		mov	eax, ds:dword_6C2314
		mov	[ecx-20h], eax
		mov	eax, [edx+60h]
		mov	ecx, [ebp+var_4]
		mov	dword ptr [eax-8], offset PopSystemIrpCompletion
		mov	[eax-4], ecx
		mov	byte ptr [eax-21h], 0E0h
		test	ds:dword_70EFD0, 8000h
		jnz	loc_729731

loc_71E9CC:				; CODE XREF: PopNotifyDevice+AE2Cj
		mov	al, [esi]
		cmp	al, 2
		jnz	short loc_71EA08

loc_71E9D2:				; CODE XREF: PopNotifyDevice+FAj
		cmp	ebx, 1
		jle	short loc_71E9FB
		mov	ecx, [edi+18h]
		mov	edx, 72496F50h
		call	IoGetDeviceAttachmentBaseRefWithTag
		cmp	byte ptr [esi],	2
		mov	ecx, eax
		setz	dl
		call	_PoFxActivateDeviceForSystemTransition@8 ; PoFxActivateDeviceForSystemTransition(x,x)
		mov	eax, [ebp+var_4]
		mov	byte ptr [eax+88h], 1

loc_71E9FB:				; CODE XREF: PopNotifyDevice+C5j
					; PopNotifyDevice+FCj
		mov	ecx, [ebp+var_8]
		call	PopQueueQuerySetIrp
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_71EA08:				; CODE XREF: PopNotifyDevice+C0j
		cmp	al, 3
		jz	short loc_71E9D2
		jmp	short loc_71E9FB
PopNotifyDevice	endp

; 

; __stdcall PopTransitionSystemPowerStateEx(x)
_PopTransitionSystemPowerStateEx@4:	; CODE XREF: NtSetSystemPowerState(x,x,x)+49p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		inc	ecx
		push	edi
		push	8
		mov	[esi+84h], ecx
		mov	edx, ecx
		mov	[esi+88h], ecx
		mov	[esi+0E8h], cl
		mov	[esi+140h], ecx
		mov	[esi+18h], bl
		mov	[esi+24h], bl
		mov	[esi+28h], ebx
		mov	[esi+50h], ebx
		mov	[esi+54h], ebx
		mov	[esi+38h], ebx
		mov	[esi+3Ch], ebx
		mov	[esi+6Ch], ebx
		mov	[esi+0DCh], ebx
		mov	[esi+0C8h], ebx
		mov	[esi+0CCh], ebx
		mov	[esi+0D0h], ebx
		mov	[esi+128h], ebx
		mov	[esi+12Ch], ebx
		mov	[esi+148h], bl
		mov	[esi+138h], ebx
		mov	[esi+13Ch], ebx
		mov	[esi+144h], ebx
		mov	[esi+0D4h], ebx
		mov	[esi+0D8h], ebx
		mov	eax, ds:_PopSimulate
		and	eax, 10000h
		mov	[esi+60h], ebx
		neg	eax
		pop	ecx
		sbb	eax, eax
		and	eax, 0EE1E5D00h
		add	eax, 23C34600h
		mov	[esi+14Ch], eax
		call	_PopTransitionCheckpoint@8 ; PopTransitionCheckpoint(x,x)
		mov	eax, [esi+4]
		dec	eax
		cmp	eax, 5
		ja	loc_71FB59
		mov	ecx, [esi]
		lea	eax, [ecx-1]
		cmp	eax, 6
		ja	loc_71FB59
		test	dword ptr [esi+8], 0CFFFFC0h
		jnz	loc_71FB59
		cmp	ecx, 4
		jge	short loc_71EAFD
		cmp	ds:dword_6C26D4, 10h
		jge	loc_71FB59

loc_71EAFD:				; CODE XREF: PAGELK:0071EAEEj
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	cl, al
		mov	[esi+48h], al
		test	cl, cl
		jz	short loc_71EB44
		push	ecx
		push	ds:dword_A949BC
		push	ds:_SeShutdownPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_71EB32
		mov	eax, 0C0000061h
		jmp	loc_71FB5E
; 

loc_71EB32:				; CODE XREF: PAGELK:0071EB26j
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		call	_ZwSetSystemPowerState@12 ; ZwSetSystemPowerState(x,x,x)
		jmp	loc_71FB5E
; 

loc_71EB44:				; CODE XREF: PAGELK:0071EB10j
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		mov	edi, [esi]
		push	eax
		mov	[esi+5Ch], eax
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jnz	short loc_71EB90
		lea	eax, [edi-4]
		cmp	eax, 2
		ja	short loc_71EB81
		xor	eax, eax
		cmp	edi, 5
		setz	al
		dec	eax
		and	eax, 400002BAh
		add	eax, 80000031h
		push	eax
		mov	[esi+20h], eax
		push	dword ptr [esi+5Ch]
		call	_PsTerminateServerSilo@8 ; PsTerminateServerSilo(x,x)
		jmp	short loc_71EB86
; 

loc_71EB81:				; CODE XREF: PAGELK:0071EB5Ej
		mov	ebx, 0C00000BBh

loc_71EB86:				; CODE XREF: PAGELK:0071EB7Fj
		mov	[esi+60h], ebx
		mov	eax, ebx
		jmp	loc_71FB5E
; 

loc_71EB90:				; CODE XREF: PAGELK:0071EB56j
		cmp	edi, 4
		jnz	short loc_71EB9A
		call	_PopReadShutdownPolicy@0 ; PopReadShutdownPolicy()

loc_71EB9A:				; CODE XREF: PAGELK:0071EB93j
		mov	[esi+14h], ebx
		lea	ecx, [esi+70h]
		mov	eax, [esi]
		mov	edi, ecx
		mov	[esi+0Ch], eax
		mov	eax, [esi+8]
		mov	[esi+10h], eax
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		mov	eax, ds:dword_6C26D4
		cmp	eax, 10h
		jl	short loc_71EBC5
		mov	dword ptr [ecx], 5
		jmp	short loc_71EBC7
; 

loc_71EBC5:				; CODE XREF: PAGELK:0071EBBBj
		mov	[ecx], eax

loc_71EBC7:				; CODE XREF: PAGELK:0071EBC3j
		xor	ecx, ecx
		mov	dword ptr [esi+74h], 80h
		inc	ecx
		call	_PopAcquireTransitionLock@4 ; PopAcquireTransitionLock(x)
		push	ds:_ExPageLockHandle
		call	_MmLockPagableSectionByHandle@4	; MmLockPagableSectionByHandle(x)
		call	_PopRunMaximumIrpWorkers@0 ; PopRunMaximumIrpWorkers()
		xor	cl, cl
		mov	ds:dword_6C0568, offset	_PopUnlockAfterSleepWorker@4 ; PopUnlockAfterSleepWorker(x)
		mov	ds:dword_6C056C, ebx
		mov	ds:_PopUnlockAfterSleepWorkItem, ebx
		call	CmSetLazyFlushState
		call	_PopNotifyCallbacksPreSleep@0 ;	PopNotifyCallbacksPreSleep()
		xor	cl, cl
		call	_ExSwapinWorkerThreads@4 ; ExSwapinWorkerThreads(x)
		xor	ecx, ecx
		call	PoInitializeBroadcast
		mov	[esi+60h], eax
		test	eax, eax
		jns	short loc_71EC31
		push	1
		push	offset _PopUnlockAfterSleepWorkItem
		call	ExQueueWorkItem

loc_71EC29:				; CODE XREF: PAGELK:0071FB54j
		mov	eax, [esi+60h]
		jmp	loc_71FB5E
; 

loc_71EC31:				; CODE XREF: PAGELK:0071EC1Bj
		call	PopCheckPowerSourceAfterRtcWakeCancel
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	edx, offset unk_6C2780
		mov	byte ptr [esi+40h], 1
		mov	ecx, offset _PopCapabilities
		call	PopFilterCapabilities
		mov	al, ds:byte_6C26C1
		test	al, al
		jz	short loc_71EC7B
		cmp	al, 2
		jz	short loc_71EC80
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		call	_PoClearBroadcast@0 ; PoClearBroadcast()
		push	1
		push	offset _PopUnlockAfterSleepWorkItem
		call	ExQueueWorkItem
		mov	eax, 0C0000021h
		jmp	loc_71FB5E
; 

loc_71EC7B:				; CODE XREF: PAGELK:0071EC55j
		call	_PopResetActionDefaults@0 ; PopResetActionDefaults()

loc_71EC80:				; CODE XREF: PAGELK:0071EC59j
		mov	cl, 3
		call	_PopSetPowerActionState@4 ; PopSetPowerActionState(x)
		mov	eax, ds:dword_6C231C
		lea	ecx, [esi+70h]
		push	1
		mov	ds:dword_6C26F4, eax
		xor	edx, edx
		push	dword ptr [esi+4]
		lea	eax, [esi+0Ch]
		push	eax
		call	PopExecutePowerAction
		call	PopIgnoreBatteryStatusChange
		call	PopCheckResiliencyScenarios
		lea	ecx, [esi+0E0h]
		call	PopEnforceResiliencyScenarios
		push	ebx
		push	ebx
		mov	edx, offset _PpmStopIllegalProcessorThrottleLogging@12 ; PpmStopIllegalProcessorThrottleLogging(x,x,x)
		mov	ecx, offset _KeActiveProcessors
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		mov	eax, [esi]
		push	6
		pop	ecx
		cmp	eax, ecx
		jnz	short loc_71ECDB
		mov	ds:dword_6C26C4, ecx
		mov	eax, [esi]

loc_71ECDB:				; CODE XREF: PAGELK:0071ECD1j
		cmp	eax, 4
		jz	short loc_71ECE9
		cmp	eax, 5
		jz	short loc_71ECE9
		cmp	eax, ecx
		jnz	short loc_71ED26

loc_71ECE9:				; CODE XREF: PAGELK:0071ECDEj
					; PAGELK:0071ECE3j
		mov	ds:_PoPowerDownActionInProgress, 1
		cmp	eax, 5
		jnz	short loc_71ECFC
		mov	ds:_PoPowerResetActionInProgress, 1

loc_71ECFC:				; CODE XREF: PAGELK:0071ECF3j
		cmp	ds:_PopHiberInfo, ebx
		jz	short loc_71ED26
		cmp	ds:dword_6C24A4, ebx
		jz	short loc_71ED26
		call	_MmZeroPageFileAtShutdown@0 ; MmZeroPageFileAtShutdown()
		test	eax, eax
		jz	short loc_71ED26
		mov	edx, ds:dword_6C24A4
		mov	ecx, ds:_PopHiberInfo
		call	_PopZeroHiberFile@8 ; PopZeroHiberFile(x,x)

loc_71ED26:				; CODE XREF: PAGELK:0071ECE7j
					; PAGELK:0071ED02j ...
		mov	eax, [esi]
		lea	edi, [esi+58h]
		mov	[edi], bl
		lea	ecx, [esi+1Ch]
		mov	[ecx], ebx
		cmp	eax, 2
		jz	short loc_71ED3C
		cmp	eax, 3
		jnz	short loc_71ED43

loc_71ED3C:				; CODE XREF: PAGELK:0071ED35j
		mov	ds:_PoPowerDownActionInProgress, 1

loc_71ED43:				; CODE XREF: PAGELK:0071ED3Aj
		mov	dword ptr [esi+60h], 0C0000120h
		mov	[esi+68h], bl

loc_71ED4D:				; CODE XREF: PAGELK:0071EF8Ej
					; PAGELK:0071EF9Dj ...
		cmp	[esi+40h], bl
		jnz	short loc_71ED5E
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	byte ptr [esi+40h], 1
		lea	ecx, [esi+1Ch]

loc_71ED5E:				; CODE XREF: PAGELK:0071ED50j
		mov	eax, ds:__imp__KeQueryPerformanceCounter@4 ; KeQueryPerformanceCounter(x)
		mov	[ebp-8], eax
		cmp	ds:dword_6C26C4, ebx
		jz	loc_71FA11
		mov	al, ds:_PopAction
		mov	[esi+80h], al
		mov	ds:_PopAction, bl
		mov	eax, [esi+60h]
		cmp	eax, 0C0000120h
		jnz	short loc_71EDEB
		test	byte ptr [esi+80h], 2
		jz	short loc_71EDAF
		test	ds:dword_6C26CC, 80000000h
		jnz	short loc_71EDAF
		test	byte ptr ds:dword_6C26CC, 3
		jnz	loc_71F128

loc_71EDAF:				; CODE XREF: PAGELK:0071ED94j
					; PAGELK:0071EDA0j
		push	edi
		mov	edx, ecx
		mov	ecx, offset dword_6C26C8
		push	offset dword_6C26E0
		call	PopActionRetrieveInitialState
		mov	eax, ds:dword_6C26C4
		cmp	eax, 4
		jz	short loc_71EDD7
		cmp	eax, 5
		jz	short loc_71EDD7
		push	6
		pop	ecx
		cmp	eax, ecx
		jnz	short loc_71EDE6

loc_71EDD7:				; CODE XREF: PAGELK:0071EDC9j
					; PAGELK:0071EDCEj
		mov	ds:byte_6C26C2,	1
		mov	eax, [esi+8]
		mov	ds:dword_6C26CC, eax

loc_71EDE6:				; CODE XREF: PAGELK:0071EDD5j
		mov	[esi+60h], ebx
		mov	eax, ebx

loc_71EDEB:				; CODE XREF: PAGELK:0071ED8Bj
		test	eax, eax
		js	loc_71F130
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		lea	ecx, [esi+140h]
		mov	[esi+40h], bl
		lea	eax, [esi+144h]
		mov	dword ptr [ecx], 1
		mov	edx, ecx
		mov	[eax], ebx
		push	eax
		mov	ecx, (offset loc_408D2F+1)
		call	_PopQueryPowerSettingUlong@12 ;	PopQueryPowerSettingUlong(x,x,x)
		test	ds:dword_6C26CC, 40000000h
		lea	eax, [esi+144h]
		jz	short loc_71EE36
		mov	[esi+140h], ebx
		mov	[eax], ebx

loc_71EE36:				; CODE XREF: PAGELK:0071EE2Cj
		cmp	ds:byte_6C279E,	bl
		jnz	short loc_71EE50
		cmp	ds:byte_6C278C,	bl
		jnz	short loc_71EE50
		cmp	ds:byte_6C2793,	bl
		jnz	short loc_71EE50
		mov	[eax], ebx

loc_71EE50:				; CODE XREF: PAGELK:0071EE3Cj
					; PAGELK:0071EE44j ...
		call	PopInitializePowerPolicySimulate
		mov	edx, ds:dword_6C26CC
		mov	ecx, offset dword_6C26E4
		mov	eax, ds:dword_6C26E0
		shr	edx, 1Bh
		mov	ds:dword_6C26E4, eax
		and	edx, 2
		mov	[esi+64h], edx
		push	dword ptr [esi+1Ch]
		push	ds:dword_6C26C8
		call	PopAdvanceSystemPowerState
		test	byte ptr [esi+8], 8
		jz	short loc_71EEA9
		mov	ds:byte_6C24D0,	1
		mov	[esi+24h], bl
		mov	ds:dword_6C26E8, 5
		mov	dword ptr [esi+2Ch], 6
		mov	eax, ds:dword_6C26E0
		jmp	short loc_71EEDD
; 

loc_71EEA9:				; CODE XREF: PAGELK:0071EE85j
		call	PopFastS4Check
		test	al, al
		mov	eax, ds:dword_6C26E0
		jz	short loc_71EECD
		mov	[esi+2Ch], eax
		push	6
		mov	ds:dword_6C26E8, 5
		mov	byte ptr [esi+24h], 1
		pop	eax
		jmp	short loc_71EEE4
; 

loc_71EECD:				; CODE XREF: PAGELK:0071EEB5j
		mov	ds:dword_6C26E8, eax
		mov	[esi+2Ch], eax
		mov	eax, ds:dword_6C26E0
		mov	[esi+24h], bl

loc_71EEDD:				; CODE XREF: PAGELK:0071EEA7j
		mov	eax, ds:_PopPowerStateHandlerLookup[eax*4]

loc_71EEE4:				; CODE XREF: PAGELK:0071EECBj
		mov	[esi+44h], eax
		test	eax, eax
		js	loc_71EF71
		cmp	eax, 7
		jge	short loc_71EF71
		shl	eax, 4
		cmp	ds:dword_6C2DA8[eax], ebx
		jz	short loc_71EF71
		test	byte ptr [esi+8], 8
		jz	short loc_71EF0A
		push	6
		pop	ecx
		jmp	short loc_71EF18
; 

loc_71EF0A:				; CODE XREF: PAGELK:0071EF03j
		cmp	ds:byte_6C26C2,	bl
		jnz	short loc_71EF1F
		mov	ecx, ds:dword_6C26E0

loc_71EF18:				; CODE XREF: PAGELK:0071EF08j
		call	_PopSetSleepMarker@4 ; PopSetSleepMarker(x)
		jmp	short loc_71EF24
; 

loc_71EF1F:				; CODE XREF: PAGELK:0071EF10j
		call	_PopSetShutdownMarker@0	; PopSetShutdownMarker()

loc_71EF24:				; CODE XREF: PAGELK:0071EF1Dj
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		test	ds:_PopAction, 6
		jz	short loc_71EF3F
		mov	byte ptr [esi+40h], 1
		mov	dword ptr [esi+60h], 0C0000120h
		jmp	short loc_71EF8B
; 

loc_71EF3F:				; CODE XREF: PAGELK:0071EF30j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		push	0Ah
		pop	ecx
		call	PopCheckpointSystemSleep
		mov	ds:byte_6C26DC,	3
		mov	cl, [edi]
		call	_PopDiagTraceKernelQueriesAllowed@4 ; PopDiagTraceKernelQueriesAllowed(x)
		cmp	[edi], bl
		jz	short loc_71EF97
		call	PopSetDevicesSystemState
		mov	[esi+60h], eax
		test	eax, eax
		jns	short loc_71EF93
		cmp	eax, 0C0000120h
		jz	short loc_71EF97

loc_71EF71:				; CODE XREF: PAGELK:0071EEE9j
					; PAGELK:0071EEF2j ...
		mov	dl, [esi+24h]
		mov	ecx, [esi+1Ch]
		push	edi
		call	_PopFindNextSystemPowerState@12	; PopFindNextSystemPowerState(x,x,x)
		mov	[esi+30h], al
		test	al, al
		jz	loc_71F130
		mov	[esi+60h], ebx

loc_71EF8B:				; CODE XREF: PAGELK:0071EF3Dj
					; PAGELK:0071F0C0j
		lea	ecx, [esi+1Ch]
		jmp	loc_71ED4D
; 

loc_71EF93:				; CODE XREF: PAGELK:0071EF68j
		mov	byte ptr [esi+68h], 1

loc_71EF97:				; CODE XREF: PAGELK:0071EF5Cj
					; PAGELK:0071EF6Fj
		lea	ecx, [esi+1Ch]
		cmp	[esi+60h], ebx
		jl	loc_71ED4D
		push	0Dh
		pop	ecx
		call	PopCheckpointSystemSleep
		call	PopAllocateHiberContext
		mov	[esi+60h], eax
		lea	ecx, [esi+1Ch]
		test	eax, eax
		js	loc_71ED4D
		mov	edx, ds:dword_6C26E0
		mov	ecx, ds:dword_6C26C4
		push	1
		push	dword ptr [esi+8]
		push	ds:dword_6C26E8
		call	PopNotifyTelemetryOsState
		push	9
		xor	edx, edx
		mov	[esi+6Ch], eax
		pop	ecx
		call	_PopTransitionCheckpoint@8 ; PopTransitionCheckpoint(x,x)
		cmp	ds:byte_6C26C2,	bl
		jnz	short loc_71F019
		push	dword ptr [esi+6Ch]
		mov	edx, ds:dword_6C26E8
		push	ds:dword_6C26D8
		mov	ecx, [esi+2Ch]
		push	ds:dword_6C26D4
		call	_PopDiagTracePreSleepNotification@20 ; PopDiagTracePreSleepNotification(x,x,x,x,x)
		push	10h
		pop	ecx
		call	PopCheckpointSystemSleep
		call	_PopUmpoSendFlushSleepStudyLoggerNotification@0	; PopUmpoSendFlushSleepStudyLoggerNotification()

loc_71F019:				; CODE XREF: PAGELK:0071EFEDj
		call	_PopEsEnterSleepShutdown@0 ; PopEsEnterSleepShutdown()
		call	_PopThermalSxEntry@0 ; PopThermalSxEntry()
		cmp	[esi+18h], bl
		jnz	short loc_71F06D
		cmp	ds:byte_6C26C2,	bl
		jz	short loc_71F069
		lea	eax, [ebp-1]
		mov	byte ptr [ebp-1], 1
		push	ebx
		mov	[ebp-28h], eax
		lea	eax, [ebp-2Ch]
		push	2
		push	eax
		mov	dword ptr [ebp-2Ch], 5
		mov	dword ptr [ebp-24h], 1
		mov	dword ptr [ebp-20h], 0Bh
		mov	dword ptr [ebp-1Ch], 0FFDF02C4h
		mov	dword ptr [ebp-18h], 4
		call	_RtlSetSystemBootStatusEx@12 ; RtlSetSystemBootStatusEx(x,x,x)

loc_71F069:				; CODE XREF: PAGELK:0071F02Ej
		mov	byte ptr [esi+18h], 1

loc_71F06D:				; CODE XREF: PAGELK:0071F026j
		cmp	[esi+24h], bl
		jz	short loc_71F077
		push	5
		pop	ecx
		jmp	short loc_71F07D
; 

loc_71F077:				; CODE XREF: PAGELK:0071F070j
		mov	ecx, ds:dword_6C26E0

loc_71F07D:				; CODE XREF: PAGELK:0071F075j
		call	PopFlushVolumes
		mov	eax, ds:dword_6C26E0
		cmp	ds:dword_6C26E8, eax
		jge	short loc_71F094
		mov	ds:dword_6C26E8, eax

loc_71F094:				; CODE XREF: PAGELK:0071F08Dj
		mov	ds:byte_6C26DC,	2
		cmp	ds:byte_6C26C2,	bl
		jnz	loc_71F99B
		mov	ecx, [esi+44h]
		lea	edx, [esi+0ECh]
		mov	ds:_KeMtrrComparisonFailed, bl
		call	_PopInitSystemSleeperThread@8 ;	PopInitSystemSleeperThread(x,x)
		mov	[esi+60h], eax
		test	eax, eax
		js	loc_71EF8B
		cmp	ds:byte_6C2768,	bl
		jnz	short loc_71F0DA
		call	ExWakeTimersPause
		mov	ds:byte_6C2768,	1

loc_71F0DA:				; CODE XREF: PAGELK:0071F0CCj
		call	KeQueryInterruptTime
		mov	[esi+0B0h], eax
		lea	eax, [esi+0B8h]
		push	eax
		mov	[esi+0B4h], edx
		call	KeQuerySystemTime
		mov	ecx, ds:_PopWakeAlarmTimeOverride
		mov	eax, ecx
		mov	edx, ds:dword_6C219C
		or	eax, edx
		mov	[esi+0D0h], ebx
		jz	loc_71F394
		mov	[esi+0CCh], edx
		mov	dword ptr [esi+0D0h], 0FFFFFFFDh
		jmp	loc_71F4B9
; 

loc_71F128:				; CODE XREF: PAGELK:0071EDA9j
		push	2
		pop	ecx
		call	PopGetPolicyWorker

loc_71F130:				; CODE XREF: PAGELK:0071EDEDj
					; PAGELK:0071EF82j ...
		mov	eax, [ebp-8]

loc_71F133:				; CODE XREF: PAGELK:0071FA14j
		cmp	ds:byte_6C24D0,	bl
		jz	short loc_71F15D
		push	ebx
		call	eax
		mov	ds:dword_6C2A44, edx
		mov	ecx, offset dword_6C2A38
		mov	edx, offset dword_6C2A40
		mov	ds:dword_6C2A40, eax
		call	PopQpcTimeInMs
		mov	ds:dword_6C24B8, eax

loc_71F15D:				; CODE XREF: PAGELK:0071F139j
		cmp	[esi+60h], ebx
		jl	short loc_71F1CF
		mov	eax, [esi+128h]
		xor	edx, edx
		inc	edx
		mov	ds:dword_6C2708, eax
		mov	eax, [esi+12Ch]
		mov	cl, dl
		mov	ds:dword_6C270C, eax
		call	ExUpdateSystemTimeFromCmos
		push	1
		call	ds:off_6B13EC	; xHalTimerQueryAndResetRtcErrors(x)
		test	al, al
		jz	short loc_71F195
		mov	byte ptr [esi+0C0h], 1

loc_71F195:				; CODE XREF: PAGELK:0071F18Cj
		push	ebx
		call	dword ptr [ebp-8]
		push	ebx
		push	2
		mov	ds:dword_6C286C, edx
		xor	edx, edx
		pop	ecx
		mov	ds:dword_6C2868, eax
		call	PfPowerActionNotify
		call	KeQueryInterruptTime
		mov	ds:dword_6C2700, eax
		mov	ds:dword_6C2704, edx
		call	_PopDiagComputeEarlyHiberStats@0 ; PopDiagComputeEarlyHiberStats()
		cmp	dword ptr [esi+28h], 4
		jnz	short loc_71F1CF
		call	_PopDiagTraceFirmwareS3Stats@0 ; PopDiagTraceFirmwareS3Stats()

loc_71F1CF:				; CODE XREF: PAGELK:0071F160j
					; PAGELK:0071F1C8j
		mov	ds:byte_6C26DD,	1
		mov	ds:_PoPowerDownActionInProgress, bl
		mov	ds:_PoPowerResetActionInProgress, bl
		cmp	[esi+68h], bl
		jz	short loc_71F203
		push	ebx
		push	3
		xor	edx, edx
		pop	ecx
		call	PfPowerActionNotify
		call	PopSetDevicesSystemState
		push	ebx
		xor	edx, edx
		push	3
		inc	edx
		pop	ecx
		call	PfPowerActionNotify

loc_71F203:				; CODE XREF: PAGELK:0071F1E5j
		call	_PpmCheckResumePpmEngineFromSx@0 ; PpmCheckResumePpmEngineFromSx()
		cmp	[esi+0C0h], bl
		jz	short loc_71F220
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _WNF_BOOT_INVALID_TIME_SOURCE
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_71F220:				; CODE XREF: PAGELK:0071F20Ej
		cmp	ds:_PopSleepReliabilityDetailedDiagEnabled, bl
		jnz	short loc_71F22F
		mov	cl, 1
		call	_RtlBootStatusDisableFlushing@4	; RtlBootStatusDisableFlushing(x)

loc_71F22F:				; CODE XREF: PAGELK:0071F226j
		push	38h
		pop	ecx
		mov	ds:_PopBootStatCheckpointAvailable, 1
		call	PopCheckpointSystemSleep
		lea	edi, [esi+0DCh]
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_71F251
		call	_ExDeleteWakeTimerInfo@4 ; ExDeleteWakeTimerInfo(x)
		mov	[edi], ebx

loc_71F251:				; CODE XREF: PAGELK:0071F248j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	ds:off_6B1228	; xHalSetWakeAlarm(x,x,x,x)
		mov	edx, ds:dword_6C26E0
		mov	ecx, ds:dword_6C26C4
		push	ebx
		push	dword ptr [esi+8]
		push	ds:dword_6C26E8
		call	PopNotifyTelemetryOsState
		mov	[esi+6Ch], eax
		call	_PopQueueBatteryStatusTimeout@0	; PopQueueBatteryStatusTimeout()
		push	ebx
		push	ebx
		mov	edx, offset _PpmStartIllegalProcessorThrottleLogging@12	; PpmStartIllegalProcessorThrottleLogging(x,x,x)
		mov	ecx, offset _KeActiveProcessors
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		cmp	[esi+40h], bl
		jz	short loc_71F29C
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	[esi+40h], bl

loc_71F29C:				; CODE XREF: PAGELK:0071F292j
		call	_PoClearBroadcast@0 ; PoClearBroadcast()
		mov	ds:dword_6C26F4, ebx
		call	_PopEsExitSleep@0 ; PopEsExitSleep()
		lea	ecx, [esi+8Ch]
		xor	edx, edx
		call	_PopCurrentPowerStatePrecise@8 ; PopCurrentPowerStatePrecise(x,x)
		mov	eax, ds:dword_6C2D0C
		mov	[esi+88h], eax
		push	1
		push	offset _PopSpoilEstimatesOnPowerStateTransitionWorkItem
		mov	ds:dword_6C0548, offset	_PopSpoilEstimatesOnPowerStateTransitionWorker@4 ; PopSpoilEstimatesOnPowerStateTransitionWorker(x)
		mov	ds:dword_6C054C, ebx
		mov	ds:_PopSpoilEstimatesOnPowerStateTransitionWorkItem, ebx
		call	ExQueueWorkItem
		call	PopThermalSxExit
		cmp	[esi+40h], bl
		jnz	short loc_71F2F9
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	byte ptr [esi+40h], 1

loc_71F2F9:				; CODE XREF: PAGELK:0071F2EEj
		cmp	[esi+60h], ebx
		jl	loc_71FABA
		xor	ecx, ecx
		inc	ecx
		call	PopInitSIdle
		mov	edi, ds:dword_6C2718
		mov	dl, bl
		mov	ds:_PopAction, dl
		cmp	edi, 3
		jnb	loc_71FABA
		imul	ecx, edi, 18h
		mov	eax, ds:dword_6C2728[ecx]
		mov	ds:dword_6C2770, eax
		mov	eax, ds:dword_6C272C[ecx]
		mov	ds:dword_6C2774, eax
		imul	eax, edi, 18h
		mov	ds:_PopFullWake, ebx
		mov	ds:_PopPendingUserPresenceDuringSystemSleep, ebx
		mov	ds:_PopPendingUserPresenceMonitorOnReason, ebx
		mov	eax, ds:dword_6C2730[eax]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_71FA33
		mov	edx, [esi+144h]
		lea	eax, [esi+8Ch]
		mov	ecx, [esi+140h]
		push	eax
		call	_PopDeferDoze@12 ; PopDeferDoze(x,x,x)
		test	al, al
		jz	loc_71FA19
		mov	eax, [esi]
		mov	ds:dword_6C26C4, eax
		mov	eax, [esi+4]
		or	ds:_PopAction, 2
		jmp	loc_71FA92
; 

loc_71F394:				; CODE XREF: PAGELK:0071F10Dj
		mov	eax, ds:_PopPolicy
		mov	[ebp-0Ch], eax
		cmp	[eax+58h], ebx
		jz	loc_71F426
		cmp	ds:dword_6C26E0, 5
		jz	short loc_71F426
		mov	ecx, offset _PopCapabilities
		call	PopIsDozeSupported
		test	al, al
		jz	short loc_71F426
		test	ds:dword_6C26CC, 40000000h
		jnz	short loc_71F426
		mov	eax, [ebp-0Ch]
		mov	edx, 989680h
		mov	ecx, [esi+0B0h]
		mov	edi, [esi+0B4h]
		mov	[esi+0C8h], ecx
		mov	[esi+0CCh], edi
		mov	eax, [eax+58h]
		mul	edx
		add	eax, ecx
		mov	[esi+0C8h], eax
		adc	edx, edi
		or	dword ptr [esi+0D0h], 0FFFFFFFFh
		mov	[esi+0CCh], edx
		mov	eax, ds:dword_6C2778
		or	eax, ds:dword_6C277C
		jnz	loc_71F4BF
		mov	ds:dword_6C2778, ecx
		mov	ds:dword_6C277C, edi
		jmp	loc_71F4BF
; 

loc_71F426:				; CODE XREF: PAGELK:0071F39Fj
					; PAGELK:0071F3ACj ...
		cmp	ds:byte_6C2E34,	bl
		jz	loc_71F4BF
		cmp	ds:dword_6C26E0, 5
		jnz	loc_71F4BF
		cmp	ds:byte_6C24D0,	bl
		jnz	short loc_71F4BF
		mov	edi, ds:dword_6C22C8
		mov	eax, edi
		mov	ecx, ds:dword_6C22CC
		or	eax, ecx
		jz	short loc_71F4BF
		cmp	ds:dword_6C26D4, 0Bh
		jnz	short loc_71F4BF
		lea	eax, [esi+0B8h]
		mov	edx, 989680h
		sub	edi, [eax]
		mov	[esi+130h], edi
		sbb	ecx, [eax+4]
		mov	[esi+134h], ecx
		mov	eax, ds:_PopSmartUserPresenceWakeOffset
		mul	edx
		mov	dword ptr [esi+0D0h], 0FFFFFFFEh
		sub	edi, eax
		mov	eax, [esi+0B4h]
		mov	[esi+130h], edi
		sbb	ecx, edx
		mov	[ebp-0Ch], ecx
		mov	[esi+134h], ecx
		mov	ecx, [esi+0B0h]
		add	ecx, edi
		adc	eax, [ebp-0Ch]
		mov	[esi+0CCh], eax

loc_71F4B9:				; CODE XREF: PAGELK:0071F123j
		mov	[esi+0C8h], ecx

loc_71F4BF:				; CODE XREF: PAGELK:0071F40Fj
					; PAGELK:0071F421j ...
		push	48h
		push	ebx
		push	offset dword_6C2720
		call	_memset
		add	esp, 0Ch
		mov	ds:dword_6C2718, 3
		push	0FFFFFFFDh
		pop	eax
		cmp	[esi+0D0h], eax
		jnz	short loc_71F525
		mov	ds:dword_6C2730, eax
		mov	eax, [esi+0C8h]
		mov	ds:dword_6C2720, eax
		mov	eax, [esi+0CCh]
		mov	ds:dword_6C2724, eax
		mov	eax, [esi+0D0h]
		mov	ds:dword_6C2748, eax
		mov	eax, [esi+0C8h]
		mov	ds:dword_6C2738, eax
		mov	eax, [esi+0CCh]
		mov	ds:dword_6C273C, eax
		jmp	loc_71F74A
; 

loc_71F525:				; CODE XREF: PAGELK:0071F4E2j
		cmp	ds:byte_6C24D0,	bl
		jnz	loc_71F74A
		cmp	ds:dword_6C26D4, 0Eh
		jz	loc_71F74A
		cmp	ds:dword_6C26E0, 5
		lea	edi, [esi+140h]
		jnz	short loc_71F594
		cmp	dword ptr [edi], 1
		jz	short loc_71F594
		cmp	dword ptr [esi+144h], 1
		jz	short loc_71F594
		lea	edi, [esi+0D8h]
		mov	ecx, offset _GUID_LEGACY_RTC_MITIGATION
		push	edi
		lea	edx, [esi+0D4h]
		call	_PopQueryPowerSettingUlong@12 ;	PopQueryPowerSettingUlong(x,x,x)
		cmp	[esi+0D4h], ebx
		jnz	short loc_71F57E
		cmp	[edi], ebx
		jz	short loc_71F58E

loc_71F57E:				; CODE XREF: PAGELK:0071F578j
		lea	edi, [esi+140h]
		mov	[esi+144h], ebx
		mov	[edi], ebx
		jmp	short loc_71F594
; 

loc_71F58E:				; CODE XREF: PAGELK:0071F57Cj
		lea	edi, [esi+140h]

loc_71F594:				; CODE XREF: PAGELK:0071F54Bj
					; PAGELK:0071F550j ...
		mov	ecx, [esi+0C8h]
		mov	eax, ecx
		mov	edx, [esi+0CCh]
		or	eax, edx
		jz	short loc_71F622
		cmp	dword ptr [esi+0D0h], 0FFFFFFFEh
		jnz	short loc_71F5EA
		cmp	[edi], ebx
		jz	short loc_71F5CA
		mov	ds:dword_6C2720, ecx
		mov	ds:dword_6C2724, edx
		mov	eax, [esi+0D0h]
		mov	ds:dword_6C2730, eax

loc_71F5CA:				; CODE XREF: PAGELK:0071F5B1j
		cmp	[esi+144h], ebx
		jz	short loc_71F622
		mov	eax, [esi+0C8h]
		mov	ds:dword_6C2738, eax
		mov	eax, [esi+0CCh]
		mov	ds:dword_6C273C, eax
		jmp	short loc_71F617
; 

loc_71F5EA:				; CODE XREF: PAGELK:0071F5ADj
		mov	ds:dword_6C2720, ecx
		mov	ds:dword_6C2724, edx
		mov	eax, [esi+0C8h]
		mov	ds:dword_6C2738, eax
		mov	eax, [esi+0CCh]
		mov	ds:dword_6C273C, eax
		mov	eax, [esi+0D0h]
		mov	ds:dword_6C2730, eax

loc_71F617:				; CODE XREF: PAGELK:0071F5E8j
		mov	eax, [esi+0D0h]
		mov	ds:dword_6C2748, eax

loc_71F622:				; CODE XREF: PAGELK:0071F5A4j
					; PAGELK:0071F5D0j
		mov	eax, ds:dword_6C2770
		mov	[esi+50h], eax
		mov	eax, ds:dword_6C2774
		mov	edx, eax
		mov	edi, [esi+50h]
		mov	[esi+54h], eax
		mov	eax, edi
		or	eax, edx
		jz	short loc_71F660
		mov	eax, [esi+0B0h]
		mov	ecx, [esi+0B4h]
		add	eax, 1312D00h
		adc	ecx, ebx
		cmp	edx, ecx
		ja	short loc_71F660
		jb	short loc_71F65A
		cmp	edi, eax
		jnb	short loc_71F660

loc_71F65A:				; CODE XREF: PAGELK:0071F654j
		mov	[esi+50h], eax
		mov	[esi+54h], ecx

loc_71F660:				; CODE XREF: PAGELK:0071F63Bj
					; PAGELK:0071F652j ...
		mov	eax, [esi+140h]
		test	eax, eax
		jz	short loc_71F6D7
		cmp	eax, 2
		jnz	short loc_71F67D
		test	ds:_PopSimulate, 80000000h
		mov	cl, 1
		jz	short loc_71F67F

loc_71F67D:				; CODE XREF: PAGELK:0071F66Dj
		mov	cl, bl

loc_71F67F:				; CODE XREF: PAGELK:0071F67Bj
		mov	[esi+0C1h], cl
		lea	eax, [esi+0DCh]
		mov	edx, [esi+50h]
		lea	edi, [esi+38h]
		push	eax
		push	dword ptr [esi+0CCh]
		mov	eax, [esi+54h]
		add	edx, 1
		push	dword ptr [esi+0C8h]
		adc	eax, ebx
		push	eax
		push	edx
		mov	edx, edi
		call	_ExGetNextWakeTime@28 ;	ExGetNextWakeTime(x,x,x,x,x,x,x)
		mov	[esi+148h], al
		lea	edx, [esi+0DCh]
		test	al, al
		jz	short loc_71F6E0
		mov	eax, [edi]
		mov	ds:dword_6C2720, eax
		mov	eax, [edi+4]
		mov	ds:dword_6C2724, eax
		mov	eax, [edx]
		mov	ds:dword_6C2730, eax
		jmp	short loc_71F6E0
; 

loc_71F6D7:				; CODE XREF: PAGELK:0071F668j
		lea	edi, [esi+38h]
		lea	edx, [esi+0DCh]

loc_71F6E0:				; CODE XREF: PAGELK:0071F6BDj
					; PAGELK:0071F6D5j
		mov	eax, [esi+144h]
		test	eax, eax
		jz	short loc_71F74A
		cmp	eax, 2
		jnz	short loc_71F6FD
		test	ds:_PopSimulate, 80000000h
		mov	cl, 1
		jz	short loc_71F6FF

loc_71F6FD:				; CODE XREF: PAGELK:0071F6EDj
		mov	cl, bl

loc_71F6FF:				; CODE XREF: PAGELK:0071F6FBj
		push	edx
		mov	[esi+0C1h], cl
		push	dword ptr [esi+0CCh]
		mov	edx, [esi+50h]
		push	dword ptr [esi+0C8h]
		mov	eax, [esi+54h]
		add	edx, 1
		adc	eax, ebx
		push	eax
		push	edx
		mov	edx, edi
		call	_ExGetNextWakeTime@28 ;	ExGetNextWakeTime(x,x,x,x,x,x,x)
		mov	[esi+148h], al
		test	al, al
		jz	short loc_71F74A
		mov	eax, [edi]
		mov	ds:dword_6C2738, eax
		mov	eax, [edi+4]
		mov	ds:dword_6C273C, eax
		mov	eax, [esi+0DCh]
		mov	ds:dword_6C2748, eax

loc_71F74A:				; CODE XREF: PAGELK:0071F520j
					; PAGELK:0071F52Bj ...
		mov	edi, ds:dword_6C2720
		mov	eax, edi
		mov	edx, ds:dword_6C2724
		or	eax, edx
		mov	ds:dword_6C2728, edi
		mov	ds:dword_6C272C, edx
		jz	short loc_71F792
		mov	eax, [esi+14Ch]
		add	eax, [esi+0B0h]
		push	0
		pop	ecx
		adc	ecx, [esi+0B4h]
		cmp	edx, ecx
		ja	short loc_71F792
		jb	short loc_71F787
		cmp	edi, eax
		jnb	short loc_71F792

loc_71F787:				; CODE XREF: PAGELK:0071F781j
		mov	ds:dword_6C2728, eax
		mov	ds:dword_6C272C, ecx

loc_71F792:				; CODE XREF: PAGELK:0071F766j
					; PAGELK:0071F77Fj ...
		mov	edi, ds:dword_6C2738
		mov	eax, edi
		mov	edx, ds:dword_6C273C
		or	eax, edx
		mov	ds:dword_6C2740, edi
		mov	ds:dword_6C2744, edx
		jz	short loc_71F7DA
		mov	eax, [esi+14Ch]
		add	eax, [esi+0B0h]
		push	0
		pop	ecx
		adc	ecx, [esi+0B4h]
		cmp	edx, ecx
		ja	short loc_71F7DA
		jb	short loc_71F7CF
		cmp	edi, eax
		jnb	short loc_71F7DA

loc_71F7CF:				; CODE XREF: PAGELK:0071F7C9j
		mov	ds:dword_6C2740, eax
		mov	ds:dword_6C2744, ecx

loc_71F7DA:				; CODE XREF: PAGELK:0071F7AEj
					; PAGELK:0071F7C7j ...
		mov	eax, ds:dword_6C2730
		test	eax, eax
		jz	short loc_71F7F5
		cmp	eax, 0FFFFFFFFh
		jz	short loc_71F7F5
		cmp	eax, 0FFFFFFFEh
		jz	short loc_71F7F5
		cmp	eax, 0FFFFFFFDh
		jz	short loc_71F7F5
		mov	eax, [eax+4]

loc_71F7F5:				; CODE XREF: PAGELK:0071F7E1j
					; PAGELK:0071F7E6j ...
		mov	[esi+138h], eax
		mov	eax, ds:dword_6C2748
		test	eax, eax
		jz	short loc_71F816
		cmp	eax, 0FFFFFFFFh
		jz	short loc_71F816
		cmp	eax, 0FFFFFFFEh
		jz	short loc_71F816
		cmp	eax, 0FFFFFFFDh
		jz	short loc_71F816
		mov	eax, [eax+4]

loc_71F816:				; CODE XREF: PAGELK:0071F802j
					; PAGELK:0071F807j ...
		push	ebx
		mov	[esi+13Ch], eax
		call	dword ptr [ebp-8]
		mov	cl, 1
		mov	ds:dword_6C2850, eax
		mov	ds:dword_6C2854, edx
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		xor	edx, edx
		inc	edx
		mov	cl, dl
		call	ExUpdateSystemTimeFromCmos
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()
		push	ds:dword_6C2744
		push	ds:dword_6C2740
		push	ds:dword_6C272C
		push	ds:dword_6C2728
		call	ds:off_6B1228	; xHalSetWakeAlarm(x,x,x,x)
		mov	ds:_PopBootStatCheckpointAvailable, bl
		call	_PpmCheckPausePpmEngineForSx@0 ; PpmCheckPausePpmEngineForSx()
		call	PopSetDevicesSystemState
		mov	byte ptr [esi+68h], 1
		call	PopNewWakeInfo
		call	KeQueryInterruptTime
		mov	[esi+128h], eax
		mov	[esi+12Ch], edx
		mov	eax, ds:dword_6C2D0C
		push	1
		mov	[esi+84h], eax
		lea	eax, [esi+0FCh]
		push	ebx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esi+10Ch]
		push	eax
		call	KeWaitForSingleObject
		mov	ds:dword_6C251C, ebx
		mov	eax, [esi+120h]
		push	2
		pop	ecx
		mov	[esi+60h], eax
		call	PopSetPowerActionWatchdogState
		mov	eax, ds:dword_6C26E8
		cmp	ds:_PoResumeFromHibernate, bl
		jnz	short loc_71F8DC
		mov	eax, ds:dword_6C26E0

loc_71F8DC:				; CODE XREF: PAGELK:0071F8D5j
		mov	ds:dword_6C26EC, eax
		test	byte ptr [esi+8], 8
		jz	short loc_71F8EF
		push	6
		pop	ecx
		mov	[esi+2Ch], ecx
		jmp	short loc_71F8F9
; 

loc_71F8EF:				; CODE XREF: PAGELK:0071F8E5j
		mov	eax, ds:dword_6C26E0
		mov	ecx, eax
		mov	[esi+2Ch], eax

loc_71F8F9:				; CODE XREF: PAGELK:0071F8EDj
		push	dword ptr [esi+13Ch]
		mov	eax, ds:dword_6C26EC
		push	dword ptr [esi+138h]
		mov	[esi+28h], eax
		push	ds:dword_6C2744
		mov	edx, ds:dword_6C26E8
		push	ds:dword_6C2740
		push	ds:dword_6C272C
		push	ds:dword_6C2728
		push	eax
		call	PopDiagTracePostSleepNotification
		cmp	ds:_KeMtrrComparisonFailed, bl
		jz	short loc_71F93E
		call	_PopDiagTraceMtrrError@0 ; PopDiagTraceMtrrError()

loc_71F93E:				; CODE XREF: PAGELK:0071F937j
		mov	eax, [esi+60h]
		test	eax, eax
		jns	loc_71F130
		cmp	ds:dword_6C26E0, 5
		jnz	loc_71F130
		push	eax
		push	offset ??_C@_19PCNJIDGC@?$AA0?$AAx?$AA?$CF?$AAx@OKHAJAOM@
		push	80h
		mov	edi, offset _PopHibernationErrorSubstitutionString
		mov	[ebp-14h], ebx
		push	edi
		mov	[ebp-10h], ebx
		call	StringCchPrintfW
		add	esp, 10h
		lea	eax, [ebp-14h]
		push	edi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [ebp-14h]
		push	eax
		push	0C0000411h
		call	_IoRaiseInformationalHardError@12 ; IoRaiseInformationalHardError(x,x,x)
		mov	ecx, [esi+60h]
		call	_PopDiagTraceHibernateErrorStatus@4 ; PopDiagTraceHibernateErrorStatus(x)
		jmp	loc_71F130
; 

loc_71F99B:				; CODE XREF: PAGELK:0071F0A1j
		call	_PopFxPrepareDevicesForShutdown@0 ; PopFxPrepareDevicesForShutdown()
		mov	ecx, ds:dword_6C26F4
		lea	ecx, [ecx+1Ch]
		call	_IoFreePoDeviceNotifyList@4 ; IoFreePoDeviceNotifyList(x)
		cmp	ds:dword_6C26D4, 2
		jnz	short loc_71F9BE
		mov	ds:_PopCriticalShutdownInProgress, 1

loc_71F9BE:				; CODE XREF: PAGELK:0071F9B5j
		push	2
		pop	edx
		push	8
		pop	ecx
		call	_PopTransitionCheckpoint@8 ; PopTransitionCheckpoint(x,x)
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		push	ebx
		cmp	eax, ds:_PsInitialSystemProcess
		jz	loc_71FB63
		push	offset _PopShutdownWorkItem
		mov	ds:dword_6C0558, offset	_PopGracefulShutdown@4 ; PopGracefulShutdown(x)
		mov	ds:dword_6C055C, ebx
		mov	ds:_PopShutdownWorkItem, ebx
		call	ExQueueWorkItem
		mov	ecx, large fs:124h
		call	KeSuspendThread
		mov	eax, 0C00002EBh
		jmp	loc_71FB5E
; 

loc_71FA11:				; CODE XREF: PAGELK:0071ED6Cj
		mov	[esi+60h], ebx
		jmp	loc_71F133
; 

loc_71FA19:				; CODE XREF: PAGELK:0071F378j
		push	2
		pop	eax
		or	ds:_PopAction, al
		mov	ds:dword_6C26C4, eax
		mov	ds:dword_6C26C8, 5
		jmp	short loc_71FA97
; 

loc_71FA33:				; CODE XREF: PAGELK:0071F358j
		cmp	eax, 0FFFFFFFEh
		jnz	short loc_71FA5B
		mov	eax, ds:dword_6C2710
		or	eax, ds:dword_6C2714
		jnz	short loc_71FABA
		mov	eax, ds:dword_6C2700
		mov	ds:dword_6C2710, eax
		mov	eax, ds:dword_6C2704
		mov	ds:dword_6C2714, eax
		jmp	short loc_71FABA
; 

loc_71FA5B:				; CODE XREF: PAGELK:0071FA36j
		cmp	eax, 0FFFFFFFDh
		jnz	short loc_71FA6E
		mov	ds:_PopWakeAlarmTimeOverride, ebx
		mov	ds:dword_6C219C, ebx
		jmp	short loc_71FABA
; 

loc_71FA6E:				; CODE XREF: PAGELK:0071FA5Ej
		cmp	ds:dword_6C2D0C, 1
		jnz	short loc_71FA9F
		cmp	[esi+144h], ebx
		jnz	short loc_71FABA
		mov	eax, [esi]
		or	dl, 2
		mov	ds:dword_6C26C4, eax
		mov	eax, [esi+4]
		mov	ds:_PopAction, dl

loc_71FA92:				; CODE XREF: PAGELK:0071F38Fj
		mov	ds:dword_6C26C8, eax

loc_71FA97:				; CODE XREF: PAGELK:0071FA31j
		mov	[esi+0E8h], bl
		jmp	short loc_71FABA
; 

loc_71FA9F:				; CODE XREF: PAGELK:0071FA75j
		cmp	[esi+144h], ebx
		jnz	short loc_71FABA
		mov	eax, [esi+84h]
		cmp	eax, [esi+88h]
		jnz	short loc_71FABA
		call	_PopCheckPowerSourceAfterRtcWakeSet@0 ;	PopCheckPowerSourceAfterRtcWakeSet()

loc_71FABA:				; CODE XREF: PAGELK:0071F2FCj
					; PAGELK:0071F31Bj ...
		cmp	ds:byte_6C2768,	bl
		jz	short loc_71FAE1
		cmp	[esi+0E8h], bl
		jz	short loc_71FAE1
		call	ExWakeTimersResume
		mov	ds:byte_6C2768,	bl
		mov	ds:dword_6C2770, ebx
		mov	ds:dword_6C2774, ebx

loc_71FAE1:				; CODE XREF: PAGELK:0071FAC0j
					; PAGELK:0071FAC8j
		cmp	ds:_PoResumeFromHibernate, bl
		jz	short loc_71FAF4
		call	_PopBootLoaderTraceProcess@0 ; PopBootLoaderTraceProcess()
		mov	ds:_PoResumeFromHibernate, bl

loc_71FAF4:				; CODE XREF: PAGELK:0071FAE7j
		mov	ds:byte_6C24D0,	bl
		call	_PopResetActionDefaults@0 ; PopResetActionDefaults()
		mov	cl, 2
		call	_PopSetPowerActionState@4 ; PopSetPowerActionState(x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	eax, ds:_PopPendingUserPresenceDuringSystemSleep
		test	eax, eax
		jz	short loc_71FB1F
		mov	eax, ds:_PopPendingUserPresenceMonitorOnReason
		push	eax
		call	PoSetUserPresent

loc_71FB1F:				; CODE XREF: PAGELK:0071FB12j
		push	1
		push	offset _PopUnlockAfterSleepWorkItem
		call	ExQueueWorkItem
		call	PopCheckForWork
		cmp	[esi+60h], ebx
		jl	short loc_71FB3A
		call	_PpmPerfReApplyStates@0	; PpmPerfReApplyStates()

loc_71FB3A:				; CODE XREF: PAGELK:0071FB33j
		mov	ds:dword_6C26D4, 10h
		call	_PopCaptureTimeOnProcZero@0 ; PopCaptureTimeOnProcZero()
		mov	ds:dword_6C29D0, eax
		mov	ds:dword_6C29D4, edx
		jmp	loc_71EC29
; 

loc_71FB59:				; CODE XREF: PAGELK:0071EACAj
					; PAGELK:0071EAD8j ...
		mov	eax, 0C000000Dh

loc_71FB5E:				; CODE XREF: PAGELK:0071EB2Dj
					; PAGELK:0071EB3Fj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_71FB63:				; CODE XREF: PAGELK:0071F9D5j
		call	_PopGracefulShutdown@4 ; PopGracefulShutdown(x)
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopSetDevicesSystemState proc near	; CODE XREF: PAGELK:0071EF5Ep
					; PAGELK:0071F1F2p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_7		= byte ptr -7
var_6		= byte ptr -6
var_5		= byte ptr -5
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00729741 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	al, ds:byte_6C26DD
		mov	ecx, ds:dword_6C26CC
		mov	[ebp+var_7], al
		mov	al, ds:byte_6C26C2
		mov	[ebp+var_8], al
		mov	al, ds:byte_6C26DC
		mov	[ebp+var_6], al
		mov	eax, ds:dword_6C26EC
		mov	[ebp+var_20], eax
		mov	eax, ds:dword_6C26E8
		mov	[ebp+var_5], 0
		mov	[ebp+var_1C], eax
		test	cl, 8
		jz	loc_729741
		mov	[ebp+var_18], 6

loc_71FBBE:				; CODE XREF: PopSetDevicesSystemState+9BDFj
		mov	eax, ds:dword_6C26E4
		mov	[ebp+var_14], eax
		mov	eax, ds:dword_6C26C4
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_10], eax
		call	PoBroadcastSystemState
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopSetDevicesSystemState endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfPowerActionNotify proc near		; CODE XREF: PAGELK:0071F1AAp
					; PAGELK:0071F1EDp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_34		= dword	ptr  3Ch

; FUNCTION CHUNK AT 0072974E SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		lea	eax, [ecx+ecx]
		push	esi
		xor	esi, esi
		mov	[esp+14h+var_8], eax
		inc	ebx
		mov	[esp+14h+var_4], esi
		push	edi
		test	dl, bl
		jnz	short loc_71FC4B

loc_71FC08:				; CODE XREF: PfPowerActionNotify+6Bj
		sub	ecx, esi
		jz	loc_71FD30
		sub	ecx, 1
		jz	loc_71FCB2
		sub	ecx, 1
		jz	short loc_71FC63
		sub	ecx, 5
		jz	short loc_71FC53

loc_71FC23:				; CODE XREF: PfPowerActionNotify+76j
					; PfPowerActionNotify+C4j ...
		call	_PFP_GET_CURRENT_TICK_COUNT_MS@0 ; PFP_GET_CURRENT_TICK_COUNT_MS()
		mov	[esp+18h+var_4], eax

loc_71FC2C:				; CODE XREF: PfPowerActionNotify+145j
		push	8		; size_t
		lea	eax, [esp+1Ch+var_8]
		push	eax		; void *
		call	_PFP_GET_CURRENT_TIME@0	; PFP_GET_CURRENT_TIME()
		push	1Ch
		mov	edx, eax
		pop	ecx
		call	PfLogEvent

loc_71FC42:				; CODE XREF: PfPowerActionNotify+CAj
					; PfPowerActionNotify+D5j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_71FC4B:				; CODE XREF: PfPowerActionNotify+20j
		or	eax, ebx
		mov	[esp+18h+var_8], eax
		jmp	short loc_71FC08
; 

loc_71FC53:				; CODE XREF: PfPowerActionNotify+3Bj
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFFEh
		cmp	eax, 2
		ja	short loc_71FC23
		jmp	loc_72974E
; 

loc_71FC63:				; CODE XREF: PfPowerActionNotify+36j
		mov	edi, offset unk_6D4870
		mov	ecx, edi
		call	_PfpPowerActionStartScenarioTracing@4 ;	PfpPowerActionStartScenarioTracing(x)
		cmp	ds:dword_6D488C, 5
		jnz	short loc_71FC80
		push	4
		pop	ecx
		call	PfSnBeginBootPhase

loc_71FC80:				; CODE XREF: PfPowerActionNotify+90j
		push	esi
		push	esi
		mov	edx, ebx
		mov	ecx, edi
		call	PfpScenCtxScenarioSet
		push	esi
		push	esi
		push	2
		pop	edx
		mov	ecx, edi
		call	PfpScenCtxScenarioSet
		push	esi
		push	esi
		push	5
		pop	edx
		mov	ecx, edi
		call	PfpScenCtxScenarioSet
		call	PfpStartLoggingHardFaultEvents
		test	eax, eax
		jns	loc_71FC23
		jmp	short loc_71FC42
; 

loc_71FCB2:				; CODE XREF: PfPowerActionNotify+2Dj
		mov	esi, [ebp+arg_0]
		lea	eax, [esi-2]
		cmp	eax, 3
		ja	short loc_71FC42
		mov	ecx, ebx
		call	MmPerformMemoryListCommand
		push	10h
		pop	ecx
		call	PfTSetTraceWorkerPriority
		mov	edx, ebx
		mov	ecx, offset dword_6D42C0
		mov	edi, eax
		call	PfGenerateTrace
		cmp	edi, 1Fh
		jg	short loc_71FCE6
		mov	ecx, edi
		call	PfTSetTraceWorkerPriority

loc_71FCE6:				; CODE XREF: PfPowerActionNotify+F7j
		cmp	esi, 5
		jnz	loc_729765
		mov	ecx, ds:dword_6D488C
		mov	eax, ds:dword_6D46B8
		cmp	ecx, esi
		jnz	short loc_71FD03
		mov	eax, ds:dword_6D46BC

loc_71FD03:				; CODE XREF: PfPowerActionNotify+116j
		xor	ebx, ebx
		cmp	ecx, 5
		setz	bl
		dec	ebx
		and	ebx, 0FFFFFFFDh
		add	ebx, 5

loc_71FD12:				; CODE XREF: PfPowerActionNotify+9B84j
		push	ecx
		push	eax
		mov	edx, ebx
		mov	ecx, offset unk_6D4870
		call	PfpScenCtxPrefetchWait
		push	0
		mov	[esp-24h+arg_34], eax
		call	PfpServiceMainThreadUnboost
		jmp	loc_71FC2C
; 

loc_71FD30:				; CODE XREF: PfPowerActionNotify+24j
		mov	ecx, [ebp+arg_0]
		lea	eax, [ecx-2]
		cmp	eax, 2
		jbe	short loc_71FD54
		cmp	ecx, 5
		jnz	loc_71FC42
		and	dl, 4
		movzx	ebx, dl
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 3
		add	ebx, 2

loc_71FD54:				; CODE XREF: PfPowerActionNotify+153j
		push	esi
		push	ebx
		xor	edx, edx
		mov	ecx, offset unk_6D4870
		call	PfpScenCtxScenarioSet
		jmp	loc_71FC42
PfPowerActionNotify endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopSetupSleepNotifies(x)
_PopSetupSleepNotifies@4 proc near	; CODE XREF: PoBroadcastSystemState+119p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	4
		pop	edi
		lea	esi, [ecx+0CCh]

loc_71FD76:				; CODE XREF: PopSetupSleepNotifies(x)+78j
		lea	ebx, [esi+8]
		mov	ecx, esi
		mov	edx, ebx
		call	_PopMoveList@8	; PopMoveList(x,x)
		lea	edx, [ebx+10h]
		mov	ecx, esi
		call	_PopMoveList@8	; PopMoveList(x,x)
		lea	edx, [ebx+8]
		mov	ecx, esi
		call	_PopMoveList@8	; PopMoveList(x,x)
		mov	edx, [esi]

loc_71FD98:				; CODE XREF: PopSetupSleepNotifies(x)+46j
					; PopSetupSleepNotifies(x)+6Aj
		cmp	edx, esi
		jz	short loc_71FDD4
		mov	ecx, edx
		mov	edx, [edx]
		mov	eax, [ecx+34h]
		mov	[ecx+38h], eax
		mov	eax, [ecx+2Ch]
		mov	[ecx+30h], eax
		test	eax, eax
		jnz	short loc_71FD98
		cmp	[edx+4], ecx
		jnz	short loc_71FDE6
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_71FDE6
		mov	[eax], edx
		mov	[edx+4], eax
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	short loc_71FDE6
		mov	[ecx], ebx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[ebx+4], ecx
		jmp	short loc_71FD98
; 

loc_71FDD4:				; CODE XREF: PopSetupSleepNotifies(x)+32j
		mov	eax, [esi-8]
		mov	[esi-4], eax
		sub	esi, 28h
		sub	edi, 1
		jns	short loc_71FD76
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_71FDE6:				; CODE XREF: PopSetupSleepNotifies(x)+4Bj
					; PopSetupSleepNotifies(x)+52j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PopSetupSleepNotifies@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopMoveList(x, x)
_PopMoveList@8	proc near		; CODE XREF: PopSetupSleepNotifies(x)+15p
					; PopSetupSleepNotifies(x)+1Fp	...
		mov	edi, edi
		push	esi

loc_71FDEF:				; CODE XREF: PopMoveList(x,x)+2Bj
		mov	eax, [edx]
		cmp	eax, edx
		jz	short loc_71FE19
		cmp	[eax+4], edx
		jnz	short loc_71FE1B
		mov	esi, [eax]
		cmp	[esi+4], eax
		jnz	short loc_71FE1B
		mov	[edx], esi
		mov	[esi+4], edx
		mov	esi, [ecx+4]
		cmp	[esi], ecx
		jnz	short loc_71FE1B
		mov	[eax], ecx
		mov	[eax+4], esi
		mov	[esi], eax
		mov	[ecx+4], eax
		jmp	short loc_71FDEF
; 

loc_71FE19:				; CODE XREF: PopMoveList(x,x)+7j
		pop	esi
		retn
; 

loc_71FE1B:				; CODE XREF: PopMoveList(x,x)+Cj
					; PopMoveList(x,x)+13j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PopMoveList@8	endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExUpdateSystemTimeFromCmos proc	near	; CODE XREF: PAGELK:0071F17Dp
					; PAGELK:0071F837p ...

var_36		= byte ptr -36h
var_32		= byte ptr -32h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072976F SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		xor	eax, eax
		mov	[esp+3], cl
		mov	[esp+34h+var_20], eax
		mov	[esp+34h+var_1C], eax
		mov	[esp+34h+var_28], eax
		mov	[esp+34h+var_24], eax
		mov	[esp+34h+var_30], eax
		mov	[esp+34h+var_2C], eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+40h+var_14]
		stosd
		stosd
		stosd
		stosd
		test	edx, edx
		jz	loc_72976F

loc_71FE67:				; CODE XREF: ExUpdateSystemTimeFromCmos+9955j
		mov	eax, edx
		mov	ecx, (offset loc_98967E+2)
		mul	ecx
		mov	ebx, eax
		mov	[esp+40h+var_18], edx
		lea	eax, [esp+40h+var_14]
		push	eax
		call	ds:__imp__HalQueryRealTimeClock@4 ; HalQueryRealTimeClock(x)
		test	al, al
		jz	short loc_71FF00
		lea	eax, [esp+44h+var_2C]
		push	eax
		lea	eax, [esp+48h+var_18]
		push	eax
		call	_RtlTimeFieldsToTime@8 ; RtlTimeFieldsToTime(x,x)
		test	al, al
		jz	short loc_71FF00
		cmp	ds:_ExpRealTimeIsUniversal, 0
		jnz	loc_72977A
		lea	eax, [esp+44h+var_24]
		push	eax
		lea	eax, [esp+48h+var_2C]
		push	eax
		call	_ExLocalTimeToSystemTime@8 ; ExLocalTimeToSystemTime(x,x)
		mov	edi, [esp+44h+var_20]
		mov	esi, [esp+44h+var_24]

loc_71FEBC:				; CODE XREF: ExUpdateSystemTimeFromCmos+9962j
		lea	eax, [esp+10h]
		push	eax
		call	KeQuerySystemTime
		cmp	edi, [esp+44h+var_30]
		jl	short loc_71FF12
		jg	short loc_71FED4
		cmp	esi, [esp+10h]
		jbe	short loc_71FF12

loc_71FED4:				; CODE XREF: ExUpdateSystemTimeFromCmos+ACj
		mov	eax, esi
		mov	ecx, edi
		sub	eax, [esp+10h]
		sbb	ecx, [esp+44h+var_30]

loc_71FEE0:				; CODE XREF: ExUpdateSystemTimeFromCmos+FEj
		cmp	ecx, [esp+44h+var_1C]
		jb	short loc_71FF00
		ja	short loc_71FEEC
		cmp	eax, ebx
		jbe	short loc_71FF00

loc_71FEEC:				; CODE XREF: ExUpdateSystemTimeFromCmos+C6j
		mov	dl, [esp+0Fh]
		lea	eax, [esp+10h]
		push	edi
		push	esi
		push	eax
		push	2
		xor	cl, cl
		call	ExpSetSystemTime

loc_71FF00:				; CODE XREF: ExUpdateSystemTimeFromCmos+63j
					; ExUpdateSystemTimeFromCmos+76j ...
		mov	ecx, [esp+44h+var_8]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_71FF12:				; CODE XREF: ExUpdateSystemTimeFromCmos+AAj
					; ExUpdateSystemTimeFromCmos+B2j
		mov	eax, [esp+10h]
		mov	ecx, [esp+44h+var_30]
		sub	eax, esi
		sbb	ecx, edi
		jmp	short loc_71FEE0
ExUpdateSystemTimeFromCmos endp


;  S U B	R O U T	I N E 


; __stdcall PopDiagTraceFlushSleepStudyLoggerEnd()
_PopDiagTraceFlushSleepStudyLoggerEnd@0	proc near
					; CODE XREF: PopUmpoSendFlushSleepStudyLoggerNotification()+57p
		mov	ecx, offset _POP_ETW_EVENT_FLUSHSLEEPSTUDYLOGGER_STOP
		jmp	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
_PopDiagTraceFlushSleepStudyLoggerEnd@0	endp


;  S U B	R O U T	I N E 


; __stdcall PopDiagTraceFlushSleepStudyLogger()
_PopDiagTraceFlushSleepStudyLogger@0 proc near
					; CODE XREF: PopUmpoSendFlushSleepStudyLoggerNotification()+1Bp
		mov	ecx, offset _POP_ETW_EVENT_FLUSHSLEEPSTUDYLOGGER_START
		jmp	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
_PopDiagTraceFlushSleepStudyLogger@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpSetSystemTime proc near		; CODE XREF: ExUpdateSystemTimeFromCmos+DBp
					; NtSetSystemTime(x,x)+152p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00729787 SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		and	[esp+24h+var_20], 0
		xor	eax, eax
		and	[esp+24h+var_1C], 0
		cmp	ds:_ExpRealTimeIsUniversal, 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	bl, dl
		push	edi
		lea	edi, [esp+30h+var_14]
		mov	bh, cl
		stosd
		stosd
		stosd
		stosd
		jnz	loc_729787
		lea	eax, [esp+30h+var_20]
		push	eax
		lea	eax, [ebp+arg_8]
		push	eax
		call	_ExSystemTimeToLocalTime@8 ; ExSystemTimeToLocalTime(x,x)

loc_71FF83:				; CODE XREF: ExpSetSystemTime+9861j
		movzx	eax, bl
		lea	ecx, [ebp+arg_8]
		neg	eax
		mov	edx, esi
		sbb	eax, eax
		and	eax, 3
		push	eax
		call	_KeSetSystemTime@12 ; KeSetSystemTime(x,x,x)
		test	bh, bh
		jnz	loc_72979A

loc_71FFA0:				; CODE XREF: ExpSetSystemTime+9874j
					; ExpSetSystemTime+98BBj
		push	[ebp+arg_0]
		mov	edx, esi
		lea	ecx, [ebp+arg_8]
		call	_PoNotifySystemTimeSet@12 ; PoNotifySystemTimeSet(x,x,x)
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
ExpSetSystemTime endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpScenCtxPrefetchWait proc near	; CODE XREF: PfPowerActionNotify+135p
					; PfpProcessScenarioPhase+ACC62p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 007297F4 SIZE 000000AE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_18], edx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_28], eax
		push	edi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_24], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_4], eax
		call	_PFP_CAN_DO_ACCESS_LOGGING@0 ; PFP_CAN_DO_ACCESS_LOGGING()
		mov	edi, eax
		neg	edi
		sbb	edi, edi
		and	edi, 7D0h
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_8], edi

loc_71FFFA:				; CODE XREF: PfpScenCtxPrefetchWait+98DBj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_18]
		cmp	[ebx+1Ch], eax
		jnz	short loc_72004F
		mov	eax, [ebx+4]
		and	al, 0Ch
		cmp	al, 8
		jz	short loc_72004F
		cmp	[ebp+var_10], 0
		jnz	short loc_72007B
		lea	eax, [ebx+8]
		push	eax
		mov	[ebp+var_1C], eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	ecx, [ebx+4]
		xor	edx, edx
		mov	eax, ecx
		inc	edx
		and	eax, 3
		cmp	eax, edx
		jz	loc_7297F4
		test	eax, eax
		jz	loc_729803

loc_72004F:				; CODE XREF: PfpScenCtxPrefetchWait+55j
					; PfpScenCtxPrefetchWait+5Ej ...
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_720063
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_720063:				; CODE XREF: PfpScenCtxPrefetchWait+98j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_4]

loc_720072:				; CODE XREF: PfpScenCtxPrefetchWait+98C6j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	8
; 

loc_72007B:				; CODE XREF: PfpScenCtxPrefetchWait+64j
					; PfpScenCtxPrefetchWait+9843j
		mov	ecx, ebx
		call	PfpScenCtxWaiterTimedOut
		jmp	short loc_72004F
PfpScenCtxPrefetchWait endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpStartLoggingHardFaultEvents proc near ; CODE	XREF: PfPowerActionNotify+BDp

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 007298A2 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		push	44506650h
		push	60h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_7298A2
		xor	ebx, ebx
		push	esi
		mov	[edi+58h], ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset unk_6D48B0
		mov	[ebp+var_1], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, ds:dword_6D48B8
		mov	eax, offset byte_6FB62C
		inc	edx
		mov	ds:dword_6D48B8, edx
		mov	[edi+5Ch], edx
		xor	edx, edx
		inc	edx
		lock or	[eax], edx
		test	ds:byte_70EFC6,	dl
		jnz	loc_7298AC
		xor	eax, eax
		lock and [esi],	eax

loc_7200EE:				; CODE XREF: PfpStartLoggingHardFaultEvents+9832j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ebx
		lea	esi, [edi+20h]
		push	esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	edi
		push	offset PfpPowerActionDpcRoutine
		push	edi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	0FFFFFFFFh
		push	0F4143E00h
		push	edi
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		call	KiSetTimerEx
		pop	esi

loc_720120:				; CODE XREF: PfpStartLoggingHardFaultEvents+9823j
		pop	edi
		mov	eax, ebx
		pop	ebx
		leave
		retn
PfpStartLoggingHardFaultEvents endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpPowerActionStartScenarioTracing(x)
_PfpPowerActionStartScenarioTracing@4 proc near	; CODE XREF: PfPowerActionNotify+84p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _PfTGlobals
		push	4
		mov	ecx, edi
		call	_PfTAccessTracingCleanup@12 ; PfTAccessTracingCleanup(x,x,x)
		xor	ecx, ecx
		inc	ecx
		call	MmPerformMemoryListCommand
		push	4
		mov	edx, offset _PfKernelGlobals
		mov	ecx, edi
		call	_PfTAccessTracingStart@12 ; PfTAccessTracingStart(x,x,x)
		mov	eax, [esi+1Ch]
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		and	ecx, 0FFFC0000h
		movzx	eax, word ptr [esi+20h]
		shl	eax, 2
		or	eax, ecx
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	8		; size_t
		push	eax		; void *
		call	_PFP_GET_CURRENT_TIME@0	; PFP_GET_CURRENT_TIME()
		push	1Bh
		mov	edx, eax
		pop	ecx
		call	PfLogEvent
		pop	edi
		pop	esi
		leave
		retn
_PfpPowerActionStartScenarioTracing@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfTAccessTracingCleanup(x, x, x)
_PfTAccessTracingCleanup@12 proc near	; CODE XREF: PfpPowerActionStartScenarioTracing(x)+14p
					; PAGE:008D8A30p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	esi, 4
		push	edi
		setz	byte ptr [ebp+arg_0+3]
		mov	edi, ecx
		dec	word ptr [eax+13Ch]
		nop
		lea	ebx, [edi+0Ch]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		or	[edi+8], esi
		call	_MmGetDefaultPagePriority@0 ; MmGetDefaultPagePriority()
		mov	edx, eax
		xor	ecx, ecx
		call	MmSetAccessLogging
		and	ds:dword_6FB61C, 0
		mov	ecx, offset unk_6FB608
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, offset unk_6FB620
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7201FD
		mov	bl, byte ptr [ebp+arg_0+3]

loc_7201EB:				; CODE XREF: PfTAccessTracingCleanup(x,x,x)+70j
		mov	ecx, esi
		mov	dl, bl
		mov	esi, [esi]
		call	_MmFreeAccessPfnBuffer@8 ; MmFreeAccessPfnBuffer(x,x)
		test	esi, esi
		jnz	short loc_7201EB
		lea	ebx, [edi+0Ch]

loc_7201FD:				; CODE XREF: PfTAccessTracingCleanup(x,x,x)+5Ej
		xor	cl, cl
		call	_MmEnablePeriodicAccessClearing@4 ; MmEnablePeriodicAccessClearing(x)
		and	ds:dword_6FB61C, 0
		xor	eax, eax
		mov	ecx, offset unk_6FB608
		xchg	eax, [ecx]
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_720228
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_720228:				; CODE XREF: PfTAccessTracingCleanup(x,x,x)+97j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PfTAccessTracingCleanup@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopDiagComputeEarlyHiberStats()
_PopDiagComputeEarlyHiberStats@0 proc near ; CODE XREF:	PAGELK:0071F1BFp
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		call	_PopCaptureTimeOnProcZero@0 ; PopCaptureTimeOnProcZero()
		xor	ecx, ecx
		mov	ds:dword_6C29C8, eax
		mov	ds:dword_6C29CC, edx
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	dl, 1
		mov	ecx, eax
		call	_KeQueryCycleCounterFrequency@8	; KeQueryCycleCounterFrequency(x,x)
		mov	ecx, eax
		mov	edi, 3E8h
		mov	eax, edx
		mul	edi
		mov	esi, eax
		mov	eax, ecx
		mul	edi
		add	esi, edx
		mov	ds:dword_6C2990, eax
		mov	ds:dword_6C2994, esi
		call	_HvlQueryHypervisorTscAdjustment@0 ; HvlQueryHypervisorTscAdjustment()
		mov	ecx, ds:dword_6C2988
		mov	esi, eax
		mov	eax, ds:dword_6C298C
		sub	ecx, esi
		mov	ds:dword_6C2988, ecx
		sbb	eax, edx
		mov	ds:dword_6C29B8, esi
		sub	ecx, ds:dword_6C2920
		mov	ds:dword_6C298C, eax
		sbb	eax, ds:dword_6C2924
		add	esi, ds:dword_6C29B0
		mov	ds:dword_6C29BC, edx
		adc	edx, ds:dword_6C29B4
		sub	ds:dword_6C29A0, esi
		pop	edi
		sbb	ds:dword_6C29A4, edx
		sub	ds:dword_6C29C0, esi
		mov	ds:dword_6C2918, ecx
		sbb	ds:dword_6C29C4, edx
		sub	ds:dword_6C29C8, esi
		mov	ds:dword_6C291C, eax
		sbb	ds:dword_6C29CC, edx
		pop	esi
		pop	ecx
		retn
_PopDiagComputeEarlyHiberStats@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopQpcTimeInMs	proc near		; CODE XREF: PopPowerTransitionTimesInMs(x,x,x,x,x,x)+45p
					; PopPowerTransitionTimesInMs(x,x,x,x,x,x)+5Dp	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 007298BB SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [edx+4]
		push	esi
		push	edi
		mov	edi, [edx]
		xor	esi, esi
		mov	eax, edi
		mov	[ebp+var_8], esi
		or	eax, ebx
		mov	[ebp+var_4], esi
		jz	short loc_72034B
		sub	edi, [ecx]
		push	esi
		sbb	ebx, [ecx+4]
		lea	ecx, [ebp+var_8]
		push	3E8h
		push	ebx
		push	edi
		call	_RtlULongLongMult@20 ; RtlULongLongMult(x,x,x,x,x)
		test	eax, eax
		js	loc_7298BB
		push	ds:dword_70ED2C
		push	ds:_PopQpcFrequency
		push	[ebp+var_4]
		push	[ebp+var_8]

loc_720344:				; CODE XREF: PopQpcTimeInMs+95DEj
		call	__aulldiv
		mov	esi, eax

loc_72034B:				; CODE XREF: PopQpcTimeInMs+1Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
PopQpcTimeInMs	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCaptureTimeOnProcZero()
_PopCaptureTimeOnProcZero@0 proc near	; CODE XREF: PAGELK:0071FB44p
					; PopDiagComputeEarlyHiberStats()+5p ...

var_38		= dword	ptr -38h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		xor	esi, esi
		push	8
		pop	ecx
		push	esi
		stosd
		push	1
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_38]
		rep stosd
		lea	eax, [ebp+var_18]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	esi
		push	offset _PopTimestampTargetProcessor@16 ; PopTimestampTargetProcessor(x,x,x,x)
		lea	eax, [ebp+var_38]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	eax, [ebp+var_1C]
		mov	byte ptr [ebp+var_38+1], 2
		test	eax, eax
		jnz	short loc_7203A4
		push	20h
		pop	eax
		mov	word ptr [ebp+var_38+2], ax

loc_7203A4:				; CODE XREF: PopCaptureTimeOnProcZero()+49j
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		push	esi
		push	esi
		push	esi
		push	esi
		lea	eax, [ebp+var_18]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_4]
		pop	edi
		pop	esi
		leave
		retn
_PopCaptureTimeOnProcZero@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopReleaseAwaymodeLock()
_PopReleaseAwaymodeLock@0 proc near	; CODE XREF: PopIssueActionRequest:loc_85AAFDp
					; PopIssueActionRequest:loc_9022A7p ...
		mov	eax, ds:_PopAwaymodeLockExclusiveThread
		cmp	eax, large fs:124h
		jnz	short loc_7203E1
		and	ds:_PopAwaymodeLockExclusiveThread, 0

loc_7203E1:				; CODE XREF: PopReleaseAwaymodeLock()+Cj
		xor	edx, edx
		mov	ecx, offset _PopAwaymodeLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_PopReleaseAwaymodeLock@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopAcquireAwaymodeLock()
_PopAcquireAwaymodeLock@0 proc near	; CODE XREF: PopIssueActionRequest+39p
					; PopAwayModePowerRequest(x,x,x)+5p
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopAwaymodeLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ds:_PopAwaymodeLockExclusiveThread, eax
		retn
_PopAcquireAwaymodeLock@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConvertHiberPhasePages(x)
_MiConvertHiberPhasePages@4 proc near	; CODE XREF: PopInvokeSystemStateHandler+33Cp
					; PopMarkComponentsBootPhase+166p

var_58		= dword	ptr -58h
var_52		= byte ptr -52h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	4Ch		; size_t
		lea	eax, [ebp+var_58]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_18], offset MiConvertHiberPhasePte
		mov	eax, 0B01h
		mov	word ptr [ebp+var_58], ax
		push	3
		pop	ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		or	[ebp+var_40], 0FFFFFFFFh
		lea	ecx, [ebp+var_58]
		mov	[ebp+var_48], eax
		mov	eax, ds:_MmSystemRangeStart
		mov	[ebp+var_52], 21h
		mov	[ebp+var_44], eax
		mov	[ebp+var_10], esi
		call	MiWalkPageTables
		test	esi, esi
		jz	short loc_720486
		xor	ecx, ecx
		call	KeFlushCurrentTbOnly

loc_720486:				; CODE XREF: MiConvertHiberPhasePages(x)+5Dj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiConvertHiberPhasePages@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall BgkResumeFinished()
_BgkResumeFinished@0 proc near		; CODE XREF: BgkNotifyDisplayOwnershipChange+E6p
					; PopFreeHiberContext+147p
		mov	edi, edi
		push	ecx
		cmp	ds:dword_6D4AB4, 0
		jnz	short loc_7204A7
		call	BgkpUnlockBgfxCodeSection
		pop	ecx
		retn
; 

loc_7204A7:				; CODE XREF: BgkResumeFinished()+Aj
		call	_BgFreeContext@4 ; BgFreeContext(x)
		and	ds:dword_6D4AB4, 0
		call	BgkpUnlockBgfxCodeSection
		mov	ds:byte_6D4AB8,	0
		pop	ecx
		retn
_BgkResumeFinished@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopUnlockAfterSleepWorker(x)
_PopUnlockAfterSleepWorker@4 proc near	; DATA XREF: PAGELK:0071EBE8o
		mov	eax, large fs:124h
		mov	cl, 1
		mov	ds:dword_6C2830, eax
		call	CmSetLazyFlushState
		mov	cl, 1
		call	_ExSwapinWorkerThreads@4 ; ExSwapinWorkerThreads(x)
		push	1
		push	3
		push	ds:_ExCbPowerState
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)
		call	_PopRunNormalIrpWorkers@0 ; PopRunNormalIrpWorkers()
		push	ds:_ExPageLockHandle
		call	_MmUnlockPagableImageSection@4 ; MmUnlockPagableImageSection(x)
		xor	cl, cl
		call	_RtlBootStatusDisableFlushing@4	; RtlBootStatusDisableFlushing(x)
		call	_PopClearTransitionCheckpoints@0 ; PopClearTransitionCheckpoints()
		call	_PopClearSleepMarker@0 ; PopClearSleepMarker()
		xor	cl, cl
		call	PopClearSystemSleepCheckpoint
		call	_PopClearShutdownMarker@0 ; PopClearShutdownMarker()
		call	_PopClearSystemShutdownMarker@0	; PopClearSystemShutdownMarker()
		call	PopFreeHiberContext
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	ds:byte_6C2E28,	0
		jz	short loc_720534
		call	_PopAdjustHiberFile@4 ;	PopAdjustHiberFile(x)

loc_720534:				; CODE XREF: PopUnlockAfterSleepWorker(x)+6Bj
		call	_PopClearHibernateDiagnosticInfo@0 ; PopClearHibernateDiagnosticInfo()
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		and	ds:dword_6C2830, 0
		xor	ecx, ecx
		inc	ecx
		call	_PopReleaseTransitionLock@4 ; PopReleaseTransitionLock(x)
		retn	4
_PopUnlockAfterSleepWorker@4 endp


;  S U B	R O U T	I N E 


; __stdcall IoMarkTriageDumpBlock()
_IoMarkTriageDumpBlock@0 proc near	; CODE XREF: PopMarkComponentsBootPhase+11Ap
		mov	edi, edi
		push	esi
		xor	esi, esi
		cmp	ds:_IopNumTriageDumpDataBlocks,	esi
		jbe	short loc_720589

loc_72055D:				; CODE XREF: IoMarkTriageDumpBlock()+37j
		mov	ecx, ds:_IopTriageDumpDataBlocks[esi*8]
		mov	eax, ds:dword_6CD044[esi*8]
		push	42706D44h
		sub	eax, ecx
		push	eax
		push	ecx
		push	10000h
		push	0
		call	PoSetHiberRange
		inc	esi
		cmp	esi, ds:_IopNumTriageDumpDataBlocks
		jb	short loc_72055D

loc_720589:				; CODE XREF: IoMarkTriageDumpBlock()+Bj
		pop	esi
		retn
_IoMarkTriageDumpBlock@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopTransitionToSleep proc near		; DATA XREF: PopInitSystemSleeperThread(x,x)+3Co

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 007298DB SIZE 0000008A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [ebp+var_18]
		mov	byte ptr [ebp+var_1], bl
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	edi, [esi+30h]
		mov	eax, large fs:124h
		mov	ds:dword_6C251C, eax
		cmp	edi, 3
		jnz	loc_7298DB

loc_7205C0:				; CODE XREF: PopTransitionToSleep+9352j
		test	byte ptr ds:_PopSimulateHiberBugcheck, 20h
		jnz	loc_72990C
		lea	ecx, [ebp+var_1]
		call	_PopEnlargeHiberFile@4 ; PopEnlargeHiberFile(x)
		test	eax, eax
		mov	al, 1
		js	short loc_7205DE
		mov	al, byte ptr [ebp+var_1]

loc_7205DE:				; CODE XREF: PopTransitionToSleep+4Dj
		mov	[ebp+var_C], ebx
		xor	bh, bh
		mov	[ebp+var_18], offset _PopStartMirroring@0 ; PopStartMirroring()
		mov	[ebp+var_14], offset _PopEndMirroring@4	; PopEndMirroring(x)
		mov	[ebp+var_10], offset _PopMirrorPhysicalMemory@16 ; PopMirrorPhysicalMemory(x,x,x,x)
		mov	[ebp+var_8], 10h
		mov	[ebp+arg_0], 3Ch
		test	al, al
		jnz	loc_729929
		test	byte ptr ds:dword_6C26CC, 20h
		jnz	loc_729944

loc_72061B:				; CODE XREF: PopTransitionToSleep+93BFj
		cmp	ds:_PopForceMinimalHiberFile, 0
		jnz	loc_729951
		cmp	edi, 6
		jz	loc_729934
		push	14h
		mov	bl, 1
		mov	[ebp+arg_0], 8
		pop	eax

loc_72063D:				; CODE XREF: PopTransitionToSleep+93B3j
					; PopTransitionToSleep+93D4j
		mov	ecx, offset _POP_ETW_EVENT_FLUSHALLPAGES
		mov	[ebp+var_8], eax
		mov	ds:byte_6C305C,	bl
		mov	ds:byte_6C305D,	bh
		mov	ds:dword_6C3058, eax
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		test	bl, bl
		jz	short loc_72066A
		mov	edx, [ebp+arg_0]
		push	ecx
		mov	cl, bh
		call	_MmFlushAllPagesEx@12 ;	MmFlushAllPagesEx(x,x,x)

loc_72066A:				; CODE XREF: PopTransitionToSleep+D1j
		mov	ecx, offset _POP_ETW_EVENT_FLUSHALLPAGES_END ; "e"
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		lea	ecx, [ebp+var_18]
		mov	ds:_PopHibernatePowerStateHandlerType, edi
		mov	ds:_PopSleeperHandoff, esi
		call	_MmDuplicateMemory@4 ; MmDuplicateMemory(x)
		xor	ebx, ebx
		mov	ds:_PopHibernatePowerStateHandlerType, 7
		mov	ds:_PopSleeperHandoff, ebx

loc_72069A:				; CODE XREF: PopTransitionToSleep+937Bj
		mov	ecx, eax

loc_72069C:				; CODE XREF: PopTransitionToSleep+9398j
		rdtsc
		push	ebx
		mov	ds:dword_6C29C0, eax
		lea	eax, [esi+20h]
		push	ebx
		mov	ds:dword_6C29C4, edx
		push	eax
		mov	[esi+34h], ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PopTransitionToSleep endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmDuplicateMemory(x)
_MmDuplicateMemory@4 proc near		; CODE XREF: PopTransitionToSleep+F7p
					; IopLiveDumpCaptureMemoryPages(x)+96p	...

var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [esp+40h+var_14]
		mov	[esp+40h+var_24], ebx
		stosd
		xor	edx, edx
		push	21h
		mov	[esp+44h+var_20], edx
		mov	[esp+44h+var_1C], edx
		stosd
		stosd
		stosd
		stosd
		pop	eax
		mov	[esp+40h+var_28], eax
		mov	[esp+40h+var_31], al
		mov	eax, [ebx+10h]
		mov	[esp+40h+var_10], eax
		test	al, 1
		jz	short loc_720704
		test	eax, 404h
		jnz	short loc_72073F

loc_720704:				; CODE XREF: MmDuplicateMemory(x)+3Dj
		test	al, 8
		jz	short loc_720711
		and	eax, 0FFFFFBFAh
		mov	[esp+40h+var_10], eax

loc_720711:				; CODE XREF: MmDuplicateMemory(x)+48j
		mov	cl, byte ptr [esp+40h+var_10]
		mov	esi, 400h
		test	eax, esi
		jz	short loc_720723
		test	cl, 4
		jnz	short loc_72073F

loc_720723:				; CODE XREF: MmDuplicateMemory(x)+5Ej
		test	cl, 0C0h
		jz	short loc_720749
		test	eax, 0FFFFFC2Eh
		jnz	short loc_72073F
		and	eax, 11h
		cmp	al, 11h
		jnz	short loc_72073F
		test	cl, 40h
		jz	short loc_720749
		test	cl, cl
		jns	short loc_720749

loc_72073F:				; CODE XREF: MmDuplicateMemory(x)+44j
					; MmDuplicateMemory(x)+63j ...
		mov	eax, 0C000000Dh
		jmp	loc_720A1D
; 

loc_720749:				; CODE XREF: MmDuplicateMemory(x)+68j
					; MmDuplicateMemory(x)+7Bj ...
		test	cl, 0Ah
		jnz	short loc_720755
		call	_CcNotifyWriteBehind@4 ; CcNotifyWriteBehind(x)
		xor	edx, edx

loc_720755:				; CODE XREF: MmDuplicateMemory(x)+8Ej
		mov	edi, large fs:124h
		lea	ecx, [esp+40h+var_20]
		mov	eax, [esp+40h+var_10]
		and	eax, 200h
		mov	[esp+40h+var_14], ebx
		neg	eax
		mov	[esp+40h+var_C], 8
		mov	[esp+40h+var_4], dl
		sbb	eax, eax
		mov	[esp+40h+var_2C], edx
		and	eax, ecx
		mov	[esp+40h+var_30], edi
		push	eax
		push	edx
		push	edx
		push	12h
		push	offset unk_6D3038
		call	KeWaitForSingleObject
		test	eax, eax
		js	loc_720A1D
		mov	ecx, 102h
		cmp	eax, ecx
		jnz	short loc_7207AE
		mov	eax, ecx
		jmp	loc_720A1D
; 

loc_7207AE:				; CODE XREF: MmDuplicateMemory(x)+E7j
		test	byte ptr ds:_MiFlags, 4
		jnz	short loc_7207C2
		push	ds:_ExPageLockHandle
		call	_MmLockPagableSectionByHandle@4	; MmLockPagableSectionByHandle(x)

loc_7207C2:				; CODE XREF: MmDuplicateMemory(x)+F7j
		dec	word ptr [edi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6D2FF4
		call	ExAcquirePushLockExclusiveEx
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		call	_MiLockDynamicMemoryExclusive@8	; MiLockDynamicMemoryExclusive(x,x)
		lock inc ds:dword_6D35AC
		call	_MiUpdateMirrorBitmaps@0 ; MiUpdateMirrorBitmaps()
		test	eax, eax
		jnz	short loc_7207FC
		mov	esi, 0C000009Ah
		jmp	loc_72095A
; 

loc_7207FC:				; CODE XREF: MmDuplicateMemory(x)+132j
		xor	edx, edx
		mov	ecx, offset dword_6D3064
		inc	edx
		call	_MiActOnMirrorBitmap@8 ; MiActOnMirrorBitmap(x,x)
		mov	al, byte ptr [esp+40h+var_10]
		xor	edi, edi
		xor	ecx, ecx
		inc	edi
		mov	[esp+40h+var_8], ecx
		test	al, 1
		jz	short loc_720824
		mov	[esp+40h+var_8], 3
		jmp	short loc_720848
; 

loc_720824:				; CODE XREF: MmDuplicateMemory(x)+15Aj
		test	[esp+40h+var_10], esi
		jnz	short loc_72083C
		test	al, 4
		jz	short loc_720838
		mov	[esp+40h+var_C], 7
		jmp	short loc_720840
; 

loc_720838:				; CODE XREF: MmDuplicateMemory(x)+16Ej
		test	al, 8
		jz	short loc_72084A

loc_72083C:				; CODE XREF: MmDuplicateMemory(x)+16Aj
		mov	[esp+40h+var_C], ecx

loc_720840:				; CODE XREF: MmDuplicateMemory(x)+178j
		mov	[esp+40h+var_8], 2

loc_720848:				; CODE XREF: MmDuplicateMemory(x)+164j
		mov	edi, ecx

loc_72084A:				; CODE XREF: MmDuplicateMemory(x)+17Cj
		call	dword ptr [ebx]
		mov	esi, eax
		test	esi, esi
		js	loc_720956
		xor	ebx, ebx
		lea	ecx, [esp+40h+var_14]
		inc	ebx
		mov	ds:dword_6D3034, ebx
		call	_MiMirrorBrownPhase@4 ;	MiMirrorBrownPhase(x)
		mov	esi, eax
		test	esi, esi
		js	loc_720956
		test	byte ptr [esp+40h+var_10], 2
		jnz	short loc_72088B
		cmp	[esp+40h+var_4], bl
		jnz	short loc_72088B
		lock dec ds:dword_6D34D0
		mov	[esp+40h+var_4], 0

loc_72088B:				; CODE XREF: MmDuplicateMemory(x)+1B9j
					; MmDuplicateMemory(x)+1BFj
		mov	ebx, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		call	ebx
		mov	ecx, [esp+40h+var_24]
		push	0
		mov	byte ptr [esp+44h+var_28], al
		call	dword ptr [ecx+4]
		mov	esi, eax
		test	esi, esi
		js	loc_720956
		call	ebx
		mov	ebx, [esp+44h+var_28]
		mov	[esp+44h+var_35], al
		cmp	dword ptr [ebx+0Ch], 0
		jz	short loc_7208CB
		xor	edx, edx
		mov	ecx, offset dword_6D305C
		inc	edx
		call	_MiActOnMirrorBitmap@8 ; MiActOnMirrorBitmap(x,x)
		mov	al, [esp+44h+var_35]

loc_7208CB:				; CODE XREF: MmDuplicateMemory(x)+1FAj
		cmp	al, 2
		jnb	short loc_7208DB
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+44h+var_35], al

loc_7208DB:				; CODE XREF: MmDuplicateMemory(x)+20Fj
		call	_MiLockAllMemoryLists@0	; MiLockAllMemoryLists()
		cmp	byte ptr [esp+44h+var_8], 1
		mov	eax, [esp+10h]
		mov	ds:dword_6D3058, eax
		jnz	short loc_7208FC
		lock dec ds:dword_6D34D0
		mov	byte ptr [esp+44h+var_8], 0

loc_7208FC:				; CODE XREF: MmDuplicateMemory(x)+230j
		lea	ecx, [esp+44h+var_18]
		mov	ds:dword_6D3034, 2
		call	_MiMirrorBlackPhase@4 ;	MiMirrorBlackPhase(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_720956
		mov	ecx, ebx
		call	MiMirrorVerify
		mov	esi, eax
		test	esi, esi
		js	short loc_720956
		push	1
		call	dword ptr [ebx+4]
		and	ds:dword_6D3058, 0
		mov	esi, eax
		cmp	esi, 40000294h
		jnz	short loc_720956
		test	edi, edi
		jnz	short loc_72094C
		mov	ecx, [esp+48h+var_14]
		xor	esi, esi
		call	_MiResumeFromHibernate@4 ; MiResumeFromHibernate(x)
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_720950
; 

loc_72094C:				; CODE XREF: MmDuplicateMemory(x)+27Cj
		mov	ebx, [esp+14h]

loc_720950:				; CODE XREF: MmDuplicateMemory(x)+28Cj
		mov	edi, [esp+10h]
		jmp	short loc_72095E
; 

loc_720956:				; CODE XREF: MmDuplicateMemory(x)+192j
					; MmDuplicateMemory(x)+1AEj ...
		mov	edi, [esp+40h+var_30]

loc_72095A:				; CODE XREF: MmDuplicateMemory(x)+139j
		mov	ebx, [esp+40h+var_2C]

loc_72095E:				; CODE XREF: MmDuplicateMemory(x)+296j
		and	ds:dword_6D3034, 0
		cmp	[esp+40h+var_4], 1
		jnz	short loc_720973
		lock dec ds:dword_6D34D0

loc_720973:				; CODE XREF: MmDuplicateMemory(x)+2ACj
		cmp	ds:dword_6D3058, 0
		jz	short loc_720983
		and	ds:dword_6D3058, 0

loc_720983:				; CODE XREF: MmDuplicateMemory(x)+2BCj
		mov	eax, [esp+40h+var_28]
		cmp	al, 21h
		jz	short loc_7209A3
		cmp	[esp+40h+var_31], 21h
		jz	short loc_72099B
		call	_MiUnlockAllMemoryLists@0 ; MiUnlockAllMemoryLists()
		mov	eax, [esp+40h+var_28]

loc_72099B:				; CODE XREF: MmDuplicateMemory(x)+2D2j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_7209A3:				; CODE XREF: MmDuplicateMemory(x)+2CBj
		cmp	ebx, 1
		jnz	short loc_7209BF
		mov	eax, [esp+40h+var_C]
		push	2
		push	offset dword_6D3048
		mov	ds:dword_6D3054, eax
		call	ExQueueWorkItem
		jmp	short loc_7209D4
; 

loc_7209BF:				; CODE XREF: MmDuplicateMemory(x)+2E8j
		lock dec ds:dword_6D35AC
		push	0
		push	0
		push	offset unk_6D3038
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_7209D4:				; CODE XREF: MmDuplicateMemory(x)+2FFj
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		call	MiUnlockDynamicMemoryExclusive
		or	eax, 0FFFFFFFFh
		mov	ebx, offset dword_6D2FF4
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7209F9
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_7209F9:				; CODE XREF: MmDuplicateMemory(x)+332j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	byte ptr ds:_MiFlags, 4
		jnz	short loc_720A1B
		push	ds:_ExPageLockHandle
		call	_MmUnlockPagableImageSection@4 ; MmUnlockPagableImageSection(x)

loc_720A1B:				; CODE XREF: MmDuplicateMemory(x)+350j
		mov	eax, esi

loc_720A1D:				; CODE XREF: MmDuplicateMemory(x)+86j
					; MmDuplicateMemory(x)+DAj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MmDuplicateMemory@4 endp

; 

; __stdcall PopEndMirroring(x)
_PopEndMirroring@4:			; DATA XREF: PopTransitionToSleep+5Eo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+28h]
		push	8
		pop	ecx
		mov	[esp+1Ah], ax
		xor	ebx, ebx
		rep stosd
		mov	eax, [ebp+8]
		mov	[esp+0Ch], ebx
		sub	eax, ebx
		jz	short loc_720A97
		sub	eax, 1
		jnz	loc_720BBE
		mov	edx, ds:dword_6C26F8
		mov	esi, [edx+80h]
		test	esi, esi
		js	loc_720BC3
		mov	ecx, ds:_PopHibernatePowerStateHandlerType
		call	_PopSleepSystem@8 ; PopSleepSystem(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_720BC3
		cmp	ds:_PoResumeFromHibernate, bl
		jz	loc_720BA1
		mov	esi, 40000294h
		jmp	loc_720BA1
; 

loc_720A97:				; CODE XREF: PAGELK:00720A4Dj
		test	ds:byte_70EFD4,	1
		jz	short loc_720AA5
		call	_EtwKernelMemoryRundown@0 ; EtwKernelMemoryRundown()

loc_720AA5:				; CODE XREF: PAGELK:00720A9Ej
		xor	edi, edi
		inc	edi
		push	edi
		push	ebx
		push	ds:_PopSleeperHandoff
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, ds:_PopSleeperHandoff
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		add	eax, 10h
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, ds:dword_6C26F8
		xor	edx, edx
		call	_PopBuildMemoryImageHeader@8 ; PopBuildMemoryImageHeader(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_720BC3
		push	ebx
		lea	eax, [esp+20h]
		mov	[esp+24h], ebx
		push	eax
		mov	[esp+2Ch], ebx
		mov	[esp+24h], edi
		call	KeSetSystemGroupAffinityThread
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	38h
		push	ebx
		mov	edi, offset _PopHibernateSystemContext
		push	edi
		call	_memset
		mov	eax, ds:_KeNumberProcessors
		add	esp, 0Ch
		mov	ds:dword_6C33DC, eax
		mov	ds:dword_6C33E8, eax
		lea	eax, [esp+28h]
		mov	ds:dword_6C33E4, 1
		push	edi
		push	offset _PopInvokeStateHandlerTargetProcessor@16	; PopInvokeStateHandlerTargetProcessor(x,x,x,x)
		push	eax
		mov	ds:dword_6C33F0, ebx
		mov	ds:dword_6C33F4, ebx
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		xor	eax, eax
		mov	byte ptr [esp+29h], 2
		mov	[esp+18h], ax
		mov	eax, ds:dword_70E328
		mov	[esp+14h], eax
		mov	dword ptr [esp+10h], offset _KeActiveProcessors
		jmp	short loc_720B8E
; 

loc_720B62:				; CODE XREF: PAGELK:00720B9Fj
		cmp	[esp+0Ch], ebx
		jz	short loc_720B8E
		mov	edi, ds:dword_6C33E0
		lea	ecx, [esp+28h]
		mov	edx, [esp+0Ch]
		call	_KeSetTargetProcessorIndexDpc@8	; KeSetTargetProcessorIndexDpc(x,x)
		push	ebx
		push	ebx
		mov	eax, ecx
		push	eax
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)

loc_720B85:				; CODE XREF: PAGELK:00720B8Cj
		mov	eax, ds:dword_6C33E0
		cmp	edi, eax
		jz	short loc_720B85

loc_720B8E:				; CODE XREF: PAGELK:00720B60j
					; PAGELK:00720B66j
		lea	eax, [esp+10h]
		push	eax
		lea	eax, [esp+10h]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jz	short loc_720B62

loc_720BA1:				; CODE XREF: PAGELK:00720A87j
					; PAGELK:00720A92j
		mov	eax, esi
		lea	esi, [eax-40000294h]
		neg	esi
		sbb	esi, esi
		not	esi
		and	esi, eax
		jl	short loc_720BC3
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_720BBE:				; CODE XREF: PAGELK:00720A52j
		mov	esi, 0C0000001h

loc_720BC3:				; CODE XREF: PAGELK:00720A66j
					; PAGELK:00720A7Bj ...
		mov	edx, 178h
		mov	ecx, offset _PopAction
		call	IoAddTriageDumpDataBlock
		mov	ecx, ds:dword_6C26F4
		test	ecx, ecx
		jz	short loc_720BE6
		mov	edx, 108h
		call	IoAddTriageDumpDataBlock

loc_720BE6:				; CODE XREF: PAGELK:00720BDAj
		mov	ecx, ds:dword_6C26F8
		test	ecx, ecx
		jz	short loc_720C29
		mov	edx, 138h
		call	IoAddTriageDumpDataBlock
		mov	eax, ds:dword_6C26F8
		mov	ecx, [eax+74h]
		test	ecx, ecx
		jz	short loc_720C10
		mov	edx, 100h
		call	IoAddTriageDumpDataBlock

loc_720C10:				; CODE XREF: PAGELK:00720C04j
		mov	eax, ds:dword_6C26F8
		mov	ecx, [eax+88h]
		test	ecx, ecx
		jz	short loc_720C29
		mov	edx, 340h
		call	IoAddTriageDumpDataBlock

loc_720C29:				; CODE XREF: PAGELK:00720BEEj
					; PAGELK:00720C1Dj
		push	ebx
		push	dword ptr [ebp+8]
		push	esi
		push	9
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 


BgkResumePrepare proc near		; CODE XREF: PopMarkComponentsBootPhase+106p
					; PopAllocateHiberContext+32Cp

; FUNCTION CHUNK AT 00729965 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	esi, esi
		push	edi
		test	ebx, ebx
		jz	short loc_720C84
		call	BgkpLockBgfxCodeSection
		call	_BgGetContext@0	; BgGetContext()
		mov	edi, eax
		test	edi, edi
		jz	loc_729965
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_720C78
		push	4B494742h
		push	dword ptr [edi+0Ch]
		push	eax
		push	8000h
		push	ebx
		call	PoSetHiberRange

loc_720C78:				; CODE XREF: BgkResumePrepare+26j
		mov	ds:dword_6D4AB4, edi

loc_720C7E:				; CODE XREF: BgkResumePrepare+7Cj
					; BgkResumePrepare+83j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_720C84:				; CODE XREF: BgkResumePrepare+Bj
		mov	edi, ds:dword_6D4AB4
		test	edi, edi
		jz	short loc_720CBA
		push	esi
		push	dword ptr [edi]
		mov	ebx, 10000h
		push	edi
		push	ebx
		push	esi
		call	PoSetHiberRange
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_720CB1
		push	esi
		push	dword ptr [edi+0Ch]
		push	eax
		push	ebx
		push	esi
		call	PoSetHiberRange

loc_720CB1:				; CODE XREF: BgkResumePrepare+67j
		call	_BgMarkHiberPhase@0 ; BgMarkHiberPhase()
		mov	esi, eax
		jmp	short loc_720C7E
; 

loc_720CBA:				; CODE XREF: BgkResumePrepare+50j
					; BgkResumePrepare+8D2Ej
		mov	esi, 0C000009Ah
		jmp	short loc_720C7E
BgkResumePrepare endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGatherHiberRange(x, x, x,	x)
_MiGatherHiberRange@16 proc near	; DATA XREF: MmMarkHiberPhase()+22o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 2
		jnz	short loc_720CFB
		xor	eax, eax
		inc	eax

loc_720CD0:				; CODE XREF: MiGatherHiberRange(x,x,x,x)+3Fj
		push	74706D4Dh
		push	eax
		push	[ebp+arg_4]
		xor	eax, eax
		cmp	[ebp+arg_C], 2
		setz	al
		dec	eax
		and	eax, 0FFFFC000h
		add	eax, 14000h
		push	eax
		push	0
		call	PoSetHiberRange
		xor	eax, eax
		pop	ebp
		retn	10h
; 

loc_720CFB:				; CODE XREF: MiGatherHiberRange(x,x,x,x)+9j
		mov	eax, [ebp+arg_8]
		shl	eax, 0Ch
		jmp	short loc_720CD0
_MiGatherHiberRange@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBuildMemoryImageHeader(x, x)
_PopBuildMemoryImageHeader@8 proc near	; CODE XREF: PAGELK:00720ACFp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		test	edx, edx
		jnz	loc_720EF3
		mov	edi, [ebx+88h]
		push	676D694Dh
		push	340h
		push	edi
		push	8000h
		push	ebx
		mov	[ebp+var_8], edi
		call	PoSetHiberRange
		mov	esi, 1000h
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[edi+14h], esi
		mov	dword ptr [edi+0Ch], 340h
		push	edi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		shrd	eax, edx, 0Ch
		mov	[edi+10h], eax
		lea	eax, [edi+18h]
		push	eax
		call	KeQuerySystemTime
		call	KeQueryInterruptTime
		mov	[edi+20h], eax
		xor	ecx, ecx
		mov	[edi+24h], edx
		mov	eax, ds:dword_6C24C0
		mov	[edi+38h], eax
		mov	dword ptr [edi+34h], 0Ah
		mov	eax, ds:_KeFeatureBits
		mov	[edi+28h], eax
		mov	eax, ds:dword_70E754
		mov	[edi+2Ch], eax
		movzx	eax, ds:_KeProcessorArchitecture
		mov	[edi+4], eax
		mov	al, [ebx+1]
		mov	[edi+30h], al
		mov	byte ptr [edi+31h], 0CAh
		mov	al, ds:byte_6C24D0
		mov	[edi+2DCh], al
		call	_MmGetHighestPhysicalPage@4 ; MmGetHighestPhysicalPage(x)
		mov	[edi+310h], eax
		mov	al, ds:_PopSecureLaunched
		mov	[edi+2DDh], al
		mov	al, [ebx+134h]
		mov	[edi+2DEh], al
		mov	eax, [ebx+54h]
		test	eax, eax
		jz	short loc_720DE6
		mov	eax, [eax+14h]
		shr	eax, 0Ch
		mov	[edi+3Ch], eax

loc_720DE6:				; CODE XREF: PopBuildMemoryImageHeader(x,x)+D7j
		mov	eax, [ebx+0C4h]
		test	eax, eax
		jz	short loc_720E0D
		push	3
		mov	[edi+314h], eax
		lea	ecx, [edi+318h]
		pop	edx

loc_720DFF:				; CODE XREF: PopBuildMemoryImageHeader(x,x)+107j
		mov	eax, [ecx-4]
		inc	eax
		mov	[ecx], eax
		lea	ecx, [ecx+4]
		sub	edx, 1
		jnz	short loc_720DFF

loc_720E0D:				; CODE XREF: PopBuildMemoryImageHeader(x,x)+EAj
		xor	esi, esi
		mov	edx, edi
		mov	ecx, ebx
		mov	[edi+308h], esi
		mov	[edi+30Ch], esi
		call	_PopBootLoaderTraceCopyPfnList@8 ; PopBootLoaderTraceCopyPfnList(x,x)
		mov	ecx, [ebx+94h]
		test	ecx, ecx
		jz	short loc_720E96
		mov	eax, [ecx+14h]
		mov	esi, eax
		and	esi, 0FFFh
		neg	esi
		sbb	esi, esi
		shr	eax, 0Ch
		neg	esi
		add	esi, eax
		cmp	esi, 1
		jbe	short loc_720E4C
		xor	esi, esi
		inc	esi

loc_720E4C:				; CODE XREF: PopBuildMemoryImageHeader(x,x)+143j
		mov	eax, esi
		add	ecx, 1Ch
		shl	eax, 2
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [edi+264h]
		mov	[ebp+var_4], ecx
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[edi+260h], esi
		test	esi, esi
		jz	short loc_720E9C
		mov	edi, [ebp+var_4]

loc_720E75:				; CODE XREF: PopBuildMemoryImageHeader(x,x)+18Bj
		push	644D6946h
		push	1
		push	dword ptr [edi]
		push	0C000h
		push	ebx
		call	PoSetHiberRange
		lea	edi, [edi+4]
		sub	esi, 1
		jnz	short loc_720E75
		mov	edi, [ebp+var_8]
		jmp	short loc_720E9C
; 

loc_720E96:				; CODE XREF: PopBuildMemoryImageHeader(x,x)+128j
		mov	[edi+260h], esi

loc_720E9C:				; CODE XREF: PopBuildMemoryImageHeader(x,x)+16Cj
					; PopBuildMemoryImageHeader(x,x)+190j
		lea	ecx, [ebx+30h]
		mov	eax, [ecx]
		jmp	short loc_720EC8
; 

loc_720EA3:				; CODE XREF: PopBuildMemoryImageHeader(x,x)+1C6j
		lea	esi, [eax]
		mov	eax, [eax]
		mov	edx, [esi+10h]
		sub	edx, [esi+0Ch]
		push	ecx
		shl	edx, 0Ch
		mov	ecx, ebx
		mov	[ebp+var_8], eax
		call	PopAllocateOwnMemory
		mov	[esi+14h], eax
		test	eax, eax
		jz	short loc_720EFE
		mov	eax, [ebp+var_8]
		lea	ecx, [ebx+30h]

loc_720EC8:				; CODE XREF: PopBuildMemoryImageHeader(x,x)+19Dj
		cmp	eax, ecx
		jnz	short loc_720EA3
		mov	eax, [ebx+130h]
		mov	[edi+324h], eax
		mov	al, ds:_PopHiberSkipMemoryMapValidation
		mov	[edi+33Ah], al
		call	_Feature_Servicing_HibernateRelaxVBSPolicy__private_IsEnabledNoReporting@0 ; Feature_Servicing_HibernateRelaxVBSPolicy__private_IsEnabledNoReporting()
		test	eax, eax
		jz	short loc_720EF3
		mov	byte ptr [edi+33Bh], 1

loc_720EF3:				; CODE XREF: PopBuildMemoryImageHeader(x,x)+Fj
					; PopBuildMemoryImageHeader(x,x)+1E6j
		mov	eax, [ebx+80h]

loc_720EF9:				; CODE XREF: PopBuildMemoryImageHeader(x,x)+1FFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_720EFE:				; CODE XREF: PopBuildMemoryImageHeader(x,x)+1BCj
		mov	eax, 0C000009Ah
		jmp	short loc_720EF9
_PopBuildMemoryImageHeader@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


PopAllocateOwnMemory proc near		; CODE XREF: PopBuildMemoryImageHeader(x,x)+1B2p

; FUNCTION CHUNK AT 0072996F SIZE 0000000F BYTES

		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		and	esi, 0FFFh
		neg	esi
		push	edi
		sbb	esi, esi
		shr	edx, 0Ch
		neg	esi
		add	esi, edx
		mov	ecx, esi
		call	PopAllocatePages
		mov	edi, eax
		test	edi, edi
		jz	loc_72996F
		push	436C6F6Eh
		shl	esi, 0Ch
		push	esi
		push	edi
		push	8000h
		push	ebx
		call	PoSetHiberRange

loc_720F47:				; CODE XREF: PopAllocateOwnMemory+8A73j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		retn	4
PopAllocateOwnMemory endp


;  S U B	R O U T	I N E 


; __stdcall KiMarkMtrrHiberPhase()
_KiMarkMtrrHiberPhase@0	proc near	; CODE XREF: KeMarkHiberPhase:loc_72174Ap
		mov	ecx, ds:dword_6C75B4
		push	esi
		mov	esi, 7272744Dh
		push	edi
		mov	edi, 10000h
		test	ecx, ecx
		jz	short loc_720F7B
		movzx	eax, byte ptr ds:dword_6C75A8
		push	esi
		shl	eax, 4
		push	eax
		push	ecx
		push	edi
		push	0
		call	PoSetHiberRange

loc_720F7B:				; CODE XREF: KiMarkMtrrHiberPhase()+14j
		mov	eax, ds:dword_6C75B8
		test	eax, eax
		jz	short loc_720F90
		push	esi
		push	58h
		push	eax
		push	edi
		push	0
		call	PoSetHiberRange

loc_720F90:				; CODE XREF: KiMarkMtrrHiberPhase()+32j
		pop	edi
		pop	esi
		retn
_KiMarkMtrrHiberPhase@0	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopMarkHiberPhase(x)
_PopMarkHiberPhase@4 proc near		; CODE XREF: PopMarkComponentsBootPhase+D0p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, ecx
		push	ebx
		push	138h
		push	edi
		mov	esi, 10000h
		push	esi
		push	ebx
		call	PoSetHiberRange
		push	ebx
		push	ds:dword_6C24E0
		push	ds:dword_6C24DC
		push	esi
		push	ebx
		call	PoSetHiberRange
		mov	eax, [edi+0B8h]
		test	eax, eax
		jz	short loc_720FDD
		push	ebx
		push	dword ptr [edi+0BCh]
		push	eax
		push	esi
		push	ebx
		call	PoSetHiberRange

loc_720FDD:				; CODE XREF: PopMarkHiberPhase(x)+38j
		mov	eax, [edi+6Ch]
		push	ebx
		shl	eax, 0Ch
		push	eax
		push	dword ptr [edi+68h]
		push	esi
		push	ebx
		call	PoSetHiberRange
		mov	esi, [edi+54h]
		push	ebx
		push	dword ptr [esi+14h]
		push	ebx
		call	_MmSizeOfMdl@8	; MmSizeOfMdl(x,x)
		push	eax
		push	esi
		mov	esi, 10000h
		push	esi
		push	ebx
		call	PoSetHiberRange
		mov	eax, [edi+0A0h]
		push	ebx
		shl	eax, 0Ch
		push	eax
		push	dword ptr [edi+9Ch]
		push	esi
		push	ebx
		call	PoSetHiberRange
		push	ebx
		push	ds:dword_6C24B4
		push	ds:dword_6C24B0
		push	esi
		push	ebx
		call	PoSetHiberRange
		add	edi, 30h
		mov	esi, [edi]
		jmp	short loc_721050
; 

loc_72103D:				; CODE XREF: PopMarkHiberPhase(x)+BEj
		push	ebx
		push	18h
		mov	eax, esi
		mov	esi, [esi]
		push	eax
		push	10000h
		push	ebx
		call	PoSetHiberRange

loc_721050:				; CODE XREF: PopMarkHiberPhase(x)+A7j
		cmp	esi, edi
		jnz	short loc_72103D
		pop	edi
		pop	esi
		pop	ebx
		retn
_PopMarkHiberPhase@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMarkHiberPhase()
_MmMarkHiberPhase@0 proc near		; CODE XREF: PopMarkComponentsBootPhase+115p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		xor	esi, esi
		push	edi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		call	_MiMarkKernelPageTablePages@0 ;	MiMarkKernelPageTablePages()
		mov	eax, ds:_PsInitialSystemProcess
		mov	[ebp+var_1C], offset _MiGatherHiberRange@16 ; MiGatherHiberRange(x,x,x,x)
		mov	[ebp+var_18], esi
		mov	[ebp+var_4], esi
		mov	edi, [eax+194h]

loc_72108D:				; CODE XREF: MmMarkHiberPhase()+76j
		mov	esi, [edi]
		nop
		mov	edx, [edi+4]
		mov	ecx, edi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_7210A7
		push	edx
		push	esi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	esi, eax

loc_7210A7:				; CODE XREF: MmMarkHiberPhase()+44j
		push	2
		shrd	esi, edx, 0Ch
		push	1
		and	esi, 1FFFFFFh
		lea	eax, [ebp+var_1C]
		push	esi
		push	eax
		add	edi, 8
		call	[ebp+var_1C]
		test	eax, eax
		js	short loc_7210E7
		mov	edx, [ebp+var_4]
		inc	edx
		mov	[ebp+var_4], edx
		cmp	edx, 4
		jb	short loc_72108D
		mov	eax, ds:_PsInitialSystemProcess
		push	2
		push	1
		mov	eax, [eax+18h]
		shr	eax, 0Ch
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	[ebp+var_1C]

loc_7210E7:				; CODE XREF: MmMarkHiberPhase()+6Aj
		imul	edx, ds:dword_6D5D84, 1Ch
		mov	ecx, ds:_MmPfnDatabase
		push	200h
		add	edx, 1Bh
		add	edx, ecx
		call	_MiMarkNonPagedHiberPhasePages@12 ; MiMarkNonPagedHiberPhasePages(x,x,x)
		push	61676D4Dh
		push	1
		push	ds:dword_6D3518
		xor	edi, edi
		push	14000h
		push	edi
		call	PoSetHiberRange
		mov	eax, ds:dword_6D35B4
		mov	esi, 10000h
		push	62706D4Dh
		push	edi
		pop	ecx
		test	al, 1Fh
		setnz	cl
		shr	eax, 5
		add	ecx, eax
		shl	ecx, 2
		push	ecx
		push	ds:dword_6D35B8
		push	esi
		push	edi
		call	PoSetHiberRange
		mov	eax, large fs:124h
		push	62706D4Dh
		push	500h
		push	dword ptr [eax+80h]
		push	esi
		push	edi
		call	PoSetHiberRange
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+304h]
		test	eax, eax
		jz	short loc_72118E
		push	62706D4Dh
		push	1000h
		push	eax
		push	esi
		push	edi
		call	PoSetHiberRange

loc_72118E:				; CODE XREF: MmMarkHiberPhase()+122j
		push	edi
		or	edx, 0FFFFFFFFh
		mov	ecx, 0FFC00000h
		call	_MiMarkNonPagedHiberPhasePages@12 ; MiMarkNonPagedHiberPhasePages(x,x,x)
		push	64736D4Dh
		push	1000h
		push	0FFDF0000h
		push	esi
		push	edi
		call	PoSetHiberRange
		push	64736D4Dh
		push	4B0h
		push	ds:_MmUnloadedDrivers
		push	esi
		push	edi
		call	PoSetHiberRange
		mov	esi, edi

loc_7211CB:				; CODE XREF: MmMarkHiberPhase()+189j
		mov	eax, ds:_MmUnloadedDrivers
		mov	ecx, [esi+eax+4]
		test	ecx, ecx
		jnz	short loc_7211F0

loc_7211D8:				; CODE XREF: MmMarkHiberPhase()+1AEj
		add	esi, 18h
		cmp	esi, 4B0h
		jb	short loc_7211CB
		push	4
		pop	edi

loc_7211E6:				; CODE XREF: MmMarkHiberPhase()+208j
		mov	eax, ds:dword_6D3444[edi]
		xor	esi, esi
		jmp	short loc_72120C
; 

loc_7211F0:				; CODE XREF: MmMarkHiberPhase()+17Ej
		movzx	eax, word ptr [esi+eax]
		push	64736D4Dh
		push	eax
		push	ecx
		push	10000h
		push	edi
		call	PoSetHiberRange
		jmp	short loc_7211D8
; 

loc_721208:				; CODE XREF: MmMarkHiberPhase()+1B6j
		mov	esi, eax
		mov	eax, [eax]

loc_72120C:				; CODE XREF: MmMarkHiberPhase()+196j
		test	eax, eax
		jnz	short loc_721208
		jmp	short loc_72123B
; 

loc_721212:				; CODE XREF: MmMarkHiberPhase()+1F0j
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_721224

loc_72121A:				; CODE XREF: MmMarkHiberPhase()+1CAj
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_72121A

loc_721224:				; CODE XREF: MmMarkHiberPhase()+1C0j
					; MmMarkHiberPhase()+1F8j ...
		push	6F496D4Dh
		push	420h
		push	edx
		push	10000h
		push	0
		call	PoSetHiberRange

loc_72123B:				; CODE XREF: MmMarkHiberPhase()+1B8j
		test	esi, esi
		jz	short loc_72125A
		mov	eax, [esi+4]
		mov	edx, esi
		mov	ecx, esi
		test	eax, eax
		jnz	short loc_721212

loc_72124A:				; CODE XREF: MmMarkHiberPhase()+200j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	short loc_721224
		cmp	[esi], ecx
		jz	short loc_721224
		mov	ecx, esi
		jmp	short loc_72124A
; 

loc_72125A:				; CODE XREF: MmMarkHiberPhase()+1E5j
		add	edi, 4
		cmp	edi, 8
		jbe	short loc_7211E6
		call	_MiMarkHiberNotCachedPages@0 ; MiMarkHiberNotCachedPages()
		pop	edi
		pop	esi
		leave
		retn
_MmMarkHiberPhase@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMarkHiberNotCachedPte	proc near	; DATA XREF: MiMarkHiberNotCachedPages()+22o

var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0072997E SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ecx]
		nop
		mov	edx, [ecx+4]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_721290
		push	edx
		push	esi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	esi, eax

loc_721290:				; CODE XREF: MiMarkHiberNotCachedPte+19j
		mov	ecx, esi
		xor	ebx, ebx
		and	ecx, 1
		or	ecx, ebx
		jnz	short loc_7212A3

loc_72129B:				; CODE XREF: MiMarkHiberNotCachedPte+4Dj
					; MiMarkHiberNotCachedPte+7Ej
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	0Ch
; 

loc_7212A3:				; CODE XREF: MiMarkHiberNotCachedPte+2Dj
		mov	ecx, esi
		and	ecx, 10h
		mov	eax, ecx
		or	eax, ebx
		jnz	short loc_7212B7
		mov	eax, esi
		and	eax, 8
		or	eax, ebx
		jnz	short loc_7212BB

loc_7212B7:				; CODE XREF: MiMarkHiberNotCachedPte+40j
		or	ecx, ebx
		jz	short loc_72129B

loc_7212BB:				; CODE XREF: MiMarkHiberNotCachedPte+49j
		push	edi
		mov	edi, esi
		nop
		lea	ecx, [ebp+var_8]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_7212D4
		push	edx
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	edi, eax

loc_7212D4:				; CODE XREF: MiMarkHiberNotCachedPte+5Dj
		shrd	edi, edx, 0Ch
		and	edi, 1FFFFFFh
		mov	ecx, edi
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jnz	short loc_7212EC

loc_7212E9:				; CODE XREF: MiMarkHiberNotCachedPte+91j
					; MiMarkHiberNotCachedPte+98j ...
		pop	edi
		jmp	short loc_72129B
; 

loc_7212EC:				; CODE XREF: MiMarkHiberNotCachedPte+7Bj
		and	esi, 80h
		or	esi, ebx
		jnz	loc_72997E
		cmp	[ebp+arg_8], ebx
		jnz	short loc_7212E9
		xor	eax, eax
		inc	eax

loc_721302:				; CODE XREF: MiMarkHiberNotCachedPte+872Cj
		test	eax, eax
		jz	short loc_7212E9

loc_721306:				; CODE XREF: MiMarkHiberNotCachedPte+871Dj
		push	636E6D4Dh
		push	eax
		push	edi
		push	14000h
		push	ebx
		call	PoSetHiberRange
		jmp	short loc_7212E9
MiMarkHiberNotCachedPte	endp


;  S U B	R O U T	I N E 


PopMarkComponentsBootPhase proc	near	; CODE XREF: PopSaveHiberContext+255p

; FUNCTION CHUNK AT 0072999D SIZE 000000BB BYTES

		cmp	ds:byte_6C24D1,	0
		push	edi
		mov	edi, ecx
		jnz	loc_721489
		push	ebx
		push	esi
		push	6E72654Bh
		xor	ebx, ebx
		mov	esi, 10000h
		push	ebx
		push	offset PopSaveHiberContext
		push	esi
		push	ebx
		call	PoSetHiberRange
		push	6348616Ch
		push	ebx
		push	ds:__imp__HalAllocateCrashDumpRegisters@8 ; HalAllocateCrashDumpRegisters(x,x)
		push	esi
		push	ebx
		call	PoSetHiberRange
		mov	esi, ds:_PsLoadedModuleList

loc_72135E:				; CODE XREF: PopMarkComponentsBootPhase+A9j
		cmp	esi, offset _PsLoadedModuleList
		jz	short loc_7213C5
		push	6E72654Bh
		push	5Ch
		push	esi
		push	10000h
		push	ebx
		call	PoSetHiberRange
		push	dword ptr [esi+30h]
		call	_MmIsAddressValid@4 ; MmIsAddressValid(x)
		test	al, al
		jz	short loc_72139D
		movzx	eax, word ptr [esi+2Eh]
		push	6E72654Bh
		push	eax
		push	dword ptr [esi+30h]
		push	10000h
		push	ebx
		call	PoSetHiberRange

loc_72139D:				; CODE XREF: PopMarkComponentsBootPhase+69j
		push	dword ptr [esi+28h]
		call	_MmIsAddressValid@4 ; MmIsAddressValid(x)
		test	al, al
		jz	short loc_7213C1
		movzx	eax, word ptr [esi+26h]
		push	6E72654Bh
		push	eax
		push	dword ptr [esi+28h]
		push	10000h
		push	ebx
		call	PoSetHiberRange

loc_7213C1:				; CODE XREF: PopMarkComponentsBootPhase+8Dj
		mov	esi, [esi]
		jmp	short loc_72135E
; 

loc_7213C5:				; CODE XREF: PopMarkComponentsBootPhase+4Aj
		push	offset dword_6C33F0
		call	_FirstEntrySList@4 ; FirstEntrySList(x)
		mov	esi, eax
		jmp	short loc_7213DD
; 

loc_7213D3:				; CODE XREF: PopMarkComponentsBootPhase+C5j
		mov	ecx, [esi-4]
		call	KeMarkHiberPhase
		mov	esi, [esi]

loc_7213DD:				; CODE XREF: PopMarkComponentsBootPhase+B7j
		test	esi, esi
		jnz	short loc_7213D3
		push	ebx
		call	ds:off_6B121C	; xHalLocateHiberRanges(x)
		mov	ecx, edi
		call	_PopMarkHiberPhase@4 ; PopMarkHiberPhase(x)
		push	626C644Bh
		push	ebx
		push	offset _KdPitchDebugger
		push	10000h
		push	ebx
		call	PoSetHiberRange
		cmp	ds:_KdPitchDebugger, bl
		jz	loc_72999D

loc_721411:				; CODE XREF: PopMarkComponentsBootPhase+8696j
					; PopMarkComponentsBootPhase+86C6j
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jnz	loc_7299E5

loc_72141E:				; CODE XREF: PopMarkComponentsBootPhase+86FBj
					; PopMarkComponentsBootPhase+8708j ...
		xor	ecx, ecx
		call	BgkResumePrepare
		call	_RtlMarkHiberPhase@0 ; RtlMarkHiberPhase()
		call	_HvlMarkHiberPhase@0 ; HvlMarkHiberPhase()
		call	_MmMarkHiberPhase@0 ; MmMarkHiberPhase()
		call	_IoMarkTriageDumpBlock@0 ; IoMarkTriageDumpBlock()
		mov	esi, ds:_PopShutdownNotificationCallback
		test	esi, esi
		jnz	loc_729A3B

loc_721447:				; CODE XREF: PopMarkComponentsBootPhase+8739j
		mov	esi, ds:_PopThermal
		jmp	short loc_721467
; 

loc_72144F:				; CODE XREF: PopMarkComponentsBootPhase+153j
		push	6D726854h
		push	3A0h
		push	esi
		push	10000h
		push	ebx
		call	PoSetHiberRange
		mov	esi, [esi]

loc_721467:				; CODE XREF: PopMarkComponentsBootPhase+133j
		cmp	esi, offset _PopThermal
		jnz	short loc_72144F
		test	ds:_PopSimulateHiberBugcheck, 100h
		pop	esi
		pop	ebx
		jnz	short loc_721485
		lea	ecx, [edi+20h]
		call	_MiConvertHiberPhasePages@4 ; MiConvertHiberPhasePages(x)

loc_721485:				; CODE XREF: PopMarkComponentsBootPhase+161j
		mov	byte ptr [edi+3], 1

loc_721489:				; CODE XREF: PopMarkComponentsBootPhase+Aj
		mov	byte ptr [edi+1Ch], 1
		pop	edi
		retn
PopMarkComponentsBootPhase endp	; sp = -4

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMarkNonPagedHiberPhasePte proc near	; DATA XREF: MiMarkNonPagedHiberPhasePages(x,x,x)+30o

var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00729A58 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ecx]
		nop
		mov	edx, [ecx+4]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_7214B4
		push	edx
		push	esi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	esi, eax

loc_7214B4:				; CODE XREF: MiMarkNonPagedHiberPhasePte+19j
		xor	ebx, ebx
		mov	ecx, esi
		inc	ebx
		and	ecx, ebx
		or	ecx, 0
		jnz	short loc_7214C8

loc_7214C0:				; CODE XREF: MiMarkNonPagedHiberPhasePte+A8j
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	0Ch
; 

loc_7214C8:				; CODE XREF: MiMarkNonPagedHiberPhasePte+2Ej
		push	edi
		mov	edi, esi
		nop
		lea	ecx, [ebp+var_8]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_7214E1
		push	edx
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	edi, eax

loc_7214E1:				; CODE XREF: MiMarkNonPagedHiberPhasePte+46j
		shrd	edi, edx, 0Ch
		and	edi, 1FFFFFFh
		mov	ecx, edi
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jz	short loc_721537
		and	esi, 80h
		or	esi, 0
		jnz	short loc_72153A
		cmp	[ebp+arg_8], esi
		jnz	short loc_721537
		imul	ecx, edi, 1Ch
		add	ecx, ds:_MmPfnDatabase
		cmp	[ecx+14h], bx
		ja	short loc_72151E
		call	_MiIsPfnTradable@4 ; MiIsPfnTradable(x)
		test	eax, eax
		jnz	short loc_72154C

loc_72151E:				; CODE XREF: MiMarkNonPagedHiberPhasePte+83j
					; MiMarkNonPagedHiberPhasePte+C2j
		mov	eax, ebx

loc_721520:				; CODE XREF: MiMarkNonPagedHiberPhasePte+85D0j
		test	eax, eax
		jz	short loc_721537

loc_721524:				; CODE XREF: MiMarkNonPagedHiberPhasePte+B4j
		push	6C64704Eh
		push	eax
		push	edi
		push	14000h
		push	0
		call	PoSetHiberRange

loc_721537:				; CODE XREF: MiMarkNonPagedHiberPhasePte+64j
					; MiMarkNonPagedHiberPhasePte+74j ...
		pop	edi
		jmp	short loc_7214C0
; 

loc_72153A:				; CODE XREF: MiMarkNonPagedHiberPhasePte+6Fj
		mov	ecx, [ebp+arg_8]
		mov	eax, 200h
		cmp	ecx, ebx
		jle	short loc_721524
		dec	ecx
		jmp	loc_729A58
; 

loc_72154C:				; CODE XREF: MiMarkNonPagedHiberPhasePte+8Cj
		test	byte ptr [ecx+17h], 8
		jz	short loc_721537
		jmp	short loc_72151E
MiMarkNonPagedHiberPhasePte endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeMarkHiberPhase proc near		; CODE XREF: PopMarkComponentsBootPhase+BCp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00729A65 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	6370654Bh
		mov	edi, ecx
		push	6020h
		push	edi
		push	10000h
		mov	ebx, [edi+20h]
		mov	esi, [edi+40h]
		push	0
		call	PoSetHiberRange
		push	6370654Bh
		push	5F00h
		push	ebx
		push	10000h
		push	0
		call	PoSetHiberRange
		push	6370654Bh
		push	20ACh
		push	esi
		push	10000h
		push	0
		call	PoSetHiberRange
		mov	esi, 6370654Bh
		push	esi
		push	0
		push	offset _KiBootProcessorIdtSize
		push	10000h
		push	0
		call	PoSetHiberRange
		mov	edx, [edi+3Ch]
		push	esi
		push	68h
		movzx	ecx, byte ptr [edx+0A7h]
		movzx	eax, byte ptr [edx+0A4h]
		shl	ecx, 8
		add	ecx, eax
		movzx	eax, word ptr [edx+0A2h]
		shl	ecx, 10h
		add	ecx, eax
		push	ecx
		push	10000h
		push	0
		call	PoSetHiberRange
		mov	edx, [edi+3Ch]
		push	esi
		push	68h
		movzx	ecx, byte ptr [edx+5Fh]
		movzx	eax, byte ptr [edx+5Ch]
		shl	ecx, 8
		add	ecx, eax
		movzx	eax, word ptr [edx+5Ah]
		shl	ecx, 10h
		add	ecx, eax
		push	ecx
		push	10000h
		push	0
		call	PoSetHiberRange
		mov	ecx, [edi+3Ch]
		mov	edi, 6370654Bh
		push	edi
		push	68h
		movzx	esi, byte ptr [ecx+57h]
		movzx	eax, byte ptr [ecx+54h]
		shl	esi, 8
		add	esi, eax
		movzx	eax, word ptr [ecx+52h]
		shl	esi, 10h
		add	esi, eax
		push	esi
		push	10000h
		push	0
		call	PoSetHiberRange
		mov	eax, [esi+4]
		mov	ecx, 3000h
		push	edi
		push	ecx
		sub	eax, ecx
		push	eax
		push	10000h
		xor	edi, edi
		push	edi
		call	PoSetHiberRange
		movzx	eax, word ptr [ebx+316h]
		mov	esi, 7370654Bh
		push	esi
		push	eax
		push	dword ptr [ebx+318h]
		push	10000h
		push	edi
		call	PoSetHiberRange
		movzx	eax, word ptr [ebx+30Eh]
		push	esi
		push	eax
		push	dword ptr [ebx+310h]
		mov	esi, 10000h
		push	esi
		push	edi
		call	PoSetHiberRange
		mov	eax, [ebx+2210h]
		mov	ecx, ds:_KeKernelStackSize
		add	eax, 0FFFh
		push	7473654Bh
		push	ecx
		and	eax, 0FFFFF000h
		sub	eax, ecx
		push	eax
		push	esi
		push	edi
		call	PoSetHiberRange
		push	2
		pop	eax
		lea	edi, [ebx+21E0h]
		mov	[ebp+var_4], eax

loc_7216D2:				; CODE XREF: KeMarkHiberPhase+191j
		mov	esi, [edi]
		test	esi, esi
		jnz	loc_7217CE

loc_7216DC:				; CODE XREF: KeMarkHiberPhase+29Aj
		add	edi, 18h
		sub	eax, 1
		mov	[ebp+var_4], eax
		jnz	short loc_7216D2
		mov	eax, ds:_KeFeatureBits
		xor	esi, esi
		and	eax, 400000h
		mov	ecx, 2CCh
		or	eax, esi
		jz	short loc_721708
		mov	ecx, ds:_KeXStateLength
		add	ecx, 123h

loc_721708:				; CODE XREF: KeMarkHiberPhase+1A6j
		push	7873654Bh
		push	ecx
		push	dword ptr [ebx+4168h]
		mov	edi, 10000h
		push	edi
		push	esi
		call	PoSetHiberRange
		mov	edx, [ebx+47B8h]
		test	edx, edx
		jnz	loc_729A65

loc_72172E:				; CODE XREF: KeMarkHiberPhase+8535j
		mov	eax, [ebx+3D70h]
		test	eax, eax
		jz	short loc_72174A
		push	7349654Bh
		push	150h
		push	eax
		push	edi
		push	esi
		call	PoSetHiberRange

loc_72174A:				; CODE XREF: KeMarkHiberPhase+1E2j
		call	_KiMarkMtrrHiberPhase@0	; KiMarkMtrrHiberPhase()
		mov	eax, [ebx+4]
		xor	ebx, ebx
		push	6874654Bh
		push	4E0h
		push	eax
		mov	edi, [eax+24h]
		mov	esi, [eax+28h]
		add	edi, 0FFFh
		push	10000h
		and	edi, 0FFFFF000h
		push	ebx
		sub	esi, edi
		call	PoSetHiberRange
		push	7473654Bh
		push	esi
		push	edi
		mov	edi, 10000h
		push	edi
		push	ebx
		call	PoSetHiberRange
		mov	esi, ds:_KeBugCheckReasonCallbackListHead
		jmp	short loc_7217AA
; 

loc_721799:				; CODE XREF: KeMarkHiberPhase+25Cj
		push	7473654Bh
		push	1Ch
		push	esi
		push	edi
		push	ebx
		call	PoSetHiberRange
		mov	esi, [esi]

loc_7217AA:				; CODE XREF: KeMarkHiberPhase+243j
		cmp	esi, offset _KeBugCheckReasonCallbackListHead
		jnz	short loc_721799
		push	706C7845h
		push	1000h
		push	ds:_ExLeapSecondData
		push	edi
		push	ebx
		call	PoSetHiberRange
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7217CE:				; CODE XREF: KeMarkHiberPhase+182j
					; KeMarkHiberPhase+295j
		push	7064654Bh
		push	20h
		lea	eax, [esi-4]
		push	eax
		push	10000h
		push	0
		call	PoSetHiberRange
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_7217CE
		mov	eax, [ebp+var_4]
		jmp	loc_7216DC
KeMarkHiberPhase endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetBootPhaseRange(x, x, x, x)
_PopSetBootPhaseRange@16 proc near	; CODE XREF: PopSetRange+32p

var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	[ebp+var_8], edi
		mov	esi, edi
		lea	ecx, [edi+eax]
		cmp	edi, ecx
		jnb	short loc_721834
		mov	edi, ecx

loc_721813:				; CODE XREF: PopSetBootPhaseRange(x,x,x,x)+38j
		mov	eax, [ebx+24h]
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jz	short loc_721846

loc_721829:				; CODE XREF: PopSetBootPhaseRange(x,x,x,x)+67j
		inc	esi
		cmp	esi, edi
		jb	short loc_721813
		mov	edi, [ebp+var_8]
		mov	eax, [ebp+arg_0]

loc_721834:				; CODE XREF: PopSetBootPhaseRange(x,x,x,x)+1Bj
		push	eax
		push	edi
		lea	eax, [ebx+20h]
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_721846:				; CODE XREF: PopSetBootPhaseRange(x,x,x,x)+33j
		mov	edx, esi
		mov	eax, esi
		shr	edx, 3
		and	eax, 7
		add	edx, [ebx+2Ch]
		movsx	ecx, byte ptr [edx]
		btr	ecx, eax
		mov	[edx], cl
		jmp	short loc_721829
_PopSetBootPhaseRange@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiscardRange(x, x, x, x)
_PopDiscardRange@16 proc near		; CODE XREF: PopSetRange+43p
					; PopAllocateHiberContext+A5806p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		lea	eax, [ecx+20h]
		push	edx
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		pop	ebp
		retn	8
_PopDiscardRange@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopCloneRange	proc near		; CODE XREF: PopSetRange+53p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00729A8E SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, edx
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_4], eax
		push	esi
		push	eax
		lea	eax, [ebx+20h]
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	edx, [ebp+var_4]
		xor	edi, edi
		lea	eax, [edx+esi]
		mov	[ebp+arg_0], eax
		lea	eax, [ebx+30h]
		mov	esi, [eax]
		cmp	esi, eax
		jz	loc_721955

loc_7218AA:				; CODE XREF: PopCloneRange+67j
		mov	eax, esi
		mov	esi, [esi]
		mov	ecx, [eax+0Ch]
		cmp	edx, ecx
		jb	short loc_7218BA
		cmp	edx, [eax+10h]
		jbe	short loc_721924

loc_7218BA:				; CODE XREF: PopCloneRange+3Fj
		mov	edx, [ebp+var_4]
		cmp	[ebp+arg_0], ecx
		jb	short loc_7218CD
		mov	edx, [ebp+arg_0]
		cmp	edx, [eax+10h]
		mov	edx, [ebp+var_4]
		jbe	short loc_721924

loc_7218CD:				; CODE XREF: PopCloneRange+4Cj
		cmp	edx, ecx
		jbe	short loc_7218DD

loc_7218D1:				; CODE XREF: PopCloneRange+70j
					; PopCloneRange+DCj ...
		lea	eax, [ebx+30h]
		cmp	esi, eax
		jz	short loc_7218E9
		mov	edx, [ebp+var_4]
		jmp	short loc_7218AA
; 

loc_7218DD:				; CODE XREF: PopCloneRange+5Bj
		cmp	ecx, [ebp+arg_0]
		jbe	short loc_721924
		cmp	edx, ecx
		jnb	short loc_7218D1
		mov	esi, [esi+4]

loc_7218E9:				; CODE XREF: PopCloneRange+62j
		test	edi, edi
		jz	short loc_721955

loc_7218ED:				; CODE XREF: PopCloneRange+F6j
		xor	eax, eax
		mov	[edi], eax
		mov	[edi+4], eax
		mov	[edi+14h], eax
		mov	eax, [ebp+arg_4]
		mov	[edi+8], eax
		mov	eax, [ebp+var_4]
		mov	[edi+0Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+10h], eax
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_72197B
		mov	[edi], esi
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[esi+4], edi
		inc	dword ptr [ebx+38h]

loc_72191D:				; CODE XREF: PopCloneRange+8231j
					; PopCloneRange+8241j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_721924:				; CODE XREF: PopCloneRange+44j
					; PopCloneRange+57j ...
		cmp	edx, ecx
		ja	short loc_721976

loc_721928:				; CODE XREF: PopCloneRange+105j
		mov	ecx, [eax+10h]
		cmp	[ebp+arg_0], ecx
		jb	short loc_721971

loc_721930:				; CODE XREF: PopCloneRange+100j
		dec	dword ptr [ebx+38h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_72197B
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_72197B
		mov	[ecx], edx
		mov	[edx+4], ecx
		test	edi, edi
		jnz	loc_729A8E
		mov	edi, eax
		jmp	loc_7218D1
; 

loc_721955:				; CODE XREF: PopCloneRange+30j
					; PopCloneRange+77j
		push	70616D48h
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_7218ED
		jmp	loc_729A9E
; 

loc_721971:				; CODE XREF: PopCloneRange+BAj
		mov	[ebp+arg_0], ecx
		jmp	short loc_721930
; 

loc_721976:				; CODE XREF: PopCloneRange+B2j
		mov	[ebp+var_4], ecx
		jmp	short loc_721928
; 

loc_72197B:				; CODE XREF: PopCloneRange+9Aj
					; PopCloneRange+C4j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PopCloneRange	endp			; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall MmMarkImageForHiberPhase(x)
_MmMarkImageForHiberPhase@4 proc near	; CODE XREF: PoSetHiberRange+1A0p
		mov	edi, edi
		push	ecx
		push	2
		pop	edx
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		push	0
		mov	edx, [eax+20h]
		mov	ecx, [eax+18h]
		dec	edx
		add	edx, ecx
		call	_MiMarkNonPagedHiberPhasePages@12 ; MiMarkNonPagedHiberPhasePages(x,x,x)
		pop	ecx
		retn
_MmMarkImageForHiberPhase@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMarkNonPagedHiberPhasePages(x, x,	x)
_MiMarkNonPagedHiberPhasePages@12 proc near ; CODE XREF: MmMarkHiberPhase()+A6p
					; MmMarkHiberPhase()+13Fp ...

var_50		= dword	ptr -50h
var_4A		= byte ptr -4Ah
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	4Ch		; size_t
		lea	eax, [ebp+var_50]
		mov	edi, edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		or	eax, 901h
		mov	[ebp+var_10], offset MiMarkNonPagedHiberPhasePte
		mov	word ptr [ebp+var_50], ax
		push	3
		pop	ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		lea	ecx, [ebp+var_50]
		mov	[ebp+var_40], eax
		mov	[ebp+var_4A], 21h
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], edi
		call	MiWalkPageTables
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiMarkNonPagedHiberPhasePages@12 endp


;  S U B	R O U T	I N E 


PopAllocatePages proc near		; CODE XREF: PopAllocateOwnMemory+1Dp
					; PopAllocateHiberContext+264p	...

; FUNCTION CHUNK AT 00729ABA SIZE 00000015 BYTES

		add	ds:_PopNumberOfPagesForHibernateProcess, ecx
		push	esi
		xor	esi, esi
		call	_PopGenerateMdl@4 ; PopGenerateMdl(x)
		test	eax, eax
		jz	loc_729ABA
		push	40000020h
		push	1
		push	esi
		push	1
		push	esi
		push	eax
		call	MmMapLockedPagesSpecifyCache
		mov	esi, eax
		test	esi, esi
		jz	loc_729ABA
		mov	ecx, ds:dword_6C26F8
		cmp	dword ptr [ecx+80h], 0
		jl	loc_729ABA

loc_721A4A:				; CODE XREF: PopAllocatePages+80C4j
		mov	eax, esi
		pop	esi
		retn
PopAllocatePages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMirrorBrownPhase(x)
_MiMirrorBrownPhase@4 proc near		; CODE XREF: MmDuplicateMemory(x)+1A5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+4]
		test	al, 0C0h
		jnz	loc_721B2A
		and	[ebp+var_8], 0
		test	al, 0Ah
		push	0
		pop	eax
		setz	al
		xor	ecx, ecx
		mov	[ebp+var_C], eax
		jmp	loc_721B1B
; 

loc_721A7C:				; CODE XREF: MiMirrorBrownPhase(x)+D6j
		test	dword ptr [esi+4], 100h
		mov	eax, [edi]
		mov	[ebp+var_4], eax
		jz	short loc_721A95
		cmp	eax, offset _MiSystemPartition
		jnz	loc_721B19

loc_721A95:				; CODE XREF: MiMirrorBrownPhase(x)+3Aj
		xor	ebx, ebx

loc_721A97:				; CODE XREF: MiMirrorBrownPhase(x)+C0j
		push	2
		pop	edx
		mov	ecx, offset dword_6D305C
		call	_MiActOnMirrorBitmap@8 ; MiActOnMirrorBitmap(x,x)
		cmp	ebx, [ebp+var_C]
		jnz	short loc_721ABA
		cmp	byte ptr [esi+10h], 0
		jnz	short loc_721ABA
		mov	byte ptr [esi+10h], 1
		lock inc ds:dword_6D34D0

loc_721ABA:				; CODE XREF: MiMirrorBrownPhase(x)+59j
					; MiMirrorBrownPhase(x)+5Fj
		mov	eax, [esi+4]
		test	eax, 400h
		jnz	short loc_721AC8
		test	al, 4
		jz	short loc_721ACD

loc_721AC8:				; CODE XREF: MiMirrorBrownPhase(x)+74j
		mov	eax, [esi+8]
		jmp	short loc_721ADB
; 

loc_721ACD:				; CODE XREF: MiMirrorBrownPhase(x)+78j
		test	al, 10h
		jnz	short loc_721AD9
		mov	ecx, [ebp+var_4]
		call	_MiEmptyAllWorkingSets@4 ; MiEmptyAllWorkingSets(x)

loc_721AD9:				; CODE XREF: MiMirrorBrownPhase(x)+81j
		xor	eax, eax

loc_721ADB:				; CODE XREF: MiMirrorBrownPhase(x)+7Dj
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	eax
		push	dword ptr [esi+0Ch]
		call	MiMirrorGatherBrownPages
		mov	edx, [esi+4]
		lea	eax, [ebp+var_8]
		mov	ecx, [esi]
		push	eax
		call	MiMirrorPerformBrownWrites
		mov	[ebp+var_10], eax
		test	eax, eax
		js	short loc_721B3A
		cmp	byte ptr [esi+10h], 1
		jz	short loc_721B10
		cmp	[ebp+var_8], 400h
		jb	short loc_721B10
		inc	ebx
		jmp	short loc_721A97
; 

loc_721B10:				; CODE XREF: MiMirrorBrownPhase(x)+B4j
					; MiMirrorBrownPhase(x)+BDj
		test	dword ptr [esi+4], 100h
		jnz	short loc_721B31

loc_721B19:				; CODE XREF: MiMirrorBrownPhase(x)+41j
		mov	ecx, edi

loc_721B1B:				; CODE XREF: MiMirrorBrownPhase(x)+29j
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_721A7C

loc_721B2A:				; CODE XREF: MiMirrorBrownPhase(x)+12j
					; MiMirrorBrownPhase(x)+EAj
		xor	eax, eax

loc_721B2C:				; CODE XREF: MiMirrorBrownPhase(x)+F6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_721B31:				; CODE XREF: MiMirrorBrownPhase(x)+C9j
		mov	ecx, edi
		call	_PsQuitNextPartition@4 ; PsQuitNextPartition(x)
		jmp	short loc_721B2A
; 

loc_721B3A:				; CODE XREF: MiMirrorBrownPhase(x)+AEj
		mov	ecx, edi
		call	_PsQuitNextPartition@4 ; PsQuitNextPartition(x)
		mov	eax, [ebp+var_10]
		jmp	short loc_721B2C
_MiMirrorBrownPhase@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopMirrorPhysicalMemory(x, x, x, x)
_PopMirrorPhysicalMemory@16 proc near	; DATA XREF: PopTransitionToSleep+65o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ds:dword_6C26F8
		xor	esi, esi
		test	edi, edi
		jz	short loc_721B8C
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_C]
		add	ecx, 0FFFh
		adc	eax, esi
		shrd	ecx, eax, 0Ch
		test	ecx, ecx
		jz	short loc_721B93

loc_721B6F:				; CODE XREF: PopMirrorPhysicalMemory(x,x,x,x)+50j
		mov	edx, [ebp+arg_0]
		push	ecx
		mov	ecx, [ebp+arg_4]
		shrd	edx, ecx, 0Ch
		lea	ecx, [edi+28h]
		push	edx
		push	ecx
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)

loc_721B84:				; CODE XREF: PopMirrorPhysicalMemory(x,x,x,x)+4Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_721B8C:				; CODE XREF: PopMirrorPhysicalMemory(x,x,x,x)+11j
		mov	esi, 0C000009Ah
		jmp	short loc_721B84
; 

loc_721B93:				; CODE XREF: PopMirrorPhysicalMemory(x,x,x,x)+27j
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_721B6F
_PopMirrorPhysicalMemory@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBootLoaderTraceCopyPfnList(x, x)
_PopBootLoaderTraceCopyPfnList@8 proc near ; CODE XREF:	PopBuildMemoryImageHeader(x,x)+11Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, ecx
		mov	ebx, edx
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		mov	edi, [eax+90h]
		test	edi, edi
		jz	short loc_721BFC
		mov	esi, [edi+14h]
		add	edi, 1Ch
		shr	esi, 0Ch
		mov	eax, esi
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [ebx+270h]
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebx+26Ch], esi
		test	esi, esi
		jz	short loc_721C03
		mov	ebx, [ebp+var_4]

loc_721BDE:				; CODE XREF: PopBootLoaderTraceCopyPfnList(x,x)+60j
		push	644D6946h
		push	1
		push	dword ptr [edi]
		push	0C000h
		push	ebx
		call	PoSetHiberRange
		lea	edi, [edi+4]
		sub	esi, 1
		jnz	short loc_721BDE
		jmp	short loc_721C03
; 

loc_721BFC:				; CODE XREF: PopBootLoaderTraceCopyPfnList(x,x)+18j
		and	dword ptr [ebx+26Ch], 0

loc_721C03:				; CODE XREF: PopBootLoaderTraceCopyPfnList(x,x)+41j
					; PopBootLoaderTraceCopyPfnList(x,x)+62j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopBootLoaderTraceCopyPfnList@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMarkHiberNotCachedPages()
_MiMarkHiberNotCachedPages@0 proc near	; CODE XREF: MmMarkHiberPhase()+20Ap

var_50		= dword	ptr -50h
var_4A		= byte ptr -4Ah
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	4Ch		; size_t
		lea	eax, [ebp+var_50]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_10], offset MiMarkHiberNotCachedPte
		mov	eax, 0B01h
		mov	word ptr [ebp+var_50], ax
		push	3
		pop	ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		or	[ebp+var_38], 0FFFFFFFFh
		lea	ecx, [ebp+var_50]
		mov	[ebp+var_40], eax
		mov	eax, ds:_MmSystemRangeStart
		mov	[ebp+var_4A], 21h
		mov	[ebp+var_3C], eax
		call	MiWalkPageTables
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiMarkHiberNotCachedPages@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMarkKernelPageTablePages()
_MiMarkKernelPageTablePages@0 proc near	; CODE XREF: MmMarkHiberPhase()+18p

var_50		= dword	ptr -50h
var_4A		= byte ptr -4Ah
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	4Ch		; size_t
		lea	eax, [ebp+var_50]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, 901h
		mov	[ebp+var_10], offset _MiMarkKernelPageTablePte@12 ; MiMarkKernelPageTablePte(x,x,x)
		mov	word ptr [ebp+var_50], ax
		add	esp, 0Ch
		mov	al, byte ptr [ebp+var_50+2]
		xor	ecx, ecx
		and	al, 0E7h
		inc	ecx
		or	al, 4
		mov	byte ptr [ebp+var_50+2], al
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		or	[ebp+var_38], 0FFFFFFFFh
		lea	ecx, [ebp+var_50]
		mov	[ebp+var_40], eax
		mov	eax, ds:_MmSystemRangeStart
		mov	[ebp+var_4A], 21h
		mov	[ebp+var_3C], eax
		call	MiWalkPageTables
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiMarkKernelPageTablePages@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopGenerateUnHibernatedMdl(x, x)
_PopGenerateUnHibernatedMdl@8 proc near	; CODE XREF: PopAllocateHiberContext+2FBp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		rdtsc
		push	ebx
		mov	[ebp+var_C], edx
		mov	edx, ds:_PopHiberScratchPages
		push	esi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], eax
		call	_PopGenerateScratchMdl@8 ; PopGenerateScratchMdl(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_721D36
		mov	ecx, [ebx+14h]
		mov	esi, ecx
		and	esi, 0FFFh
		neg	esi
		push	edi
		sbb	esi, esi
		shr	ecx, 0Ch
		neg	esi
		push	0
		pop	edi
		add	esi, ecx
		jz	short loc_721D35
		mov	eax, [ebp+var_4]
		add	eax, 20h
		mov	[ebp+var_4], eax

loc_721D21:				; CODE XREF: PopGenerateUnHibernatedMdl(x,x)+5Dj
		push	1
		push	dword ptr [ebx+edi*4+1Ch]
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	eax, [ebp+var_4]
		inc	edi
		cmp	edi, esi
		jb	short loc_721D21

loc_721D35:				; CODE XREF: PopGenerateUnHibernatedMdl(x,x)+40j
		pop	edi

loc_721D36:				; CODE XREF: PopGenerateUnHibernatedMdl(x,x)+24j
		rdtsc
		sub	eax, [ebp+var_8]
		pop	esi
		sbb	edx, [ebp+var_C]
		add	ds:dword_6C28C8, eax
		mov	eax, ebx
		pop	ebx
		adc	ds:dword_6C28CC, edx
		leave
		retn
_PopGenerateUnHibernatedMdl@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopGetBitlockerKeyLocation proc	near	; CODE XREF: PopAllocateHiberContext+1F7p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00729ACF SIZE 00000093 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_38], ecx
		lea	edi, [ebp+var_14]
		xor	ebx, ebx
		stosd
		push	offset ??_C@_1GG@KMAKALDL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@OKHAJAOM@
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		stosd
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_1C], ebx
		stosd
		mov	[ebp+var_18], ebx
		stosd
		lea	eax, [ebp+var_40]
		mov	edi, ebx
		push	eax
		mov	[ebp+var_2C], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_40]
		mov	[ebp+var_58], 18h
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	20019h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_54], ebx
		push	eax
		mov	[ebp+var_4C], 240h
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_721E8A
		push	(offset	loc_727F43+1)
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_1C]
		push	eax
		push	10h
		lea	eax, [ebp+var_14]
		push	eax
		push	2
		lea	eax, [ebp+var_34]
		push	eax
		push	[ebp+var_18]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	esi, esi
		jns	short loc_721E08
		cmp	esi, 80000005h
		jnz	short loc_721E4E

loc_721E08:				; CODE XREF: PopGetBitlockerKeyLocation+AEj
		cmp	[ebp+var_10], 1
		jnz	loc_729ACF
		mov	esi, [ebp+var_1C]
		push	66756263h
		lea	eax, [esi+2]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_2C], edi
		test	edi, edi
		jz	loc_729AD9
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		push	edi
		push	2
		lea	eax, [ebp+var_34]
		push	eax
		push	[ebp+var_18]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_28], eax

loc_721E4E:				; CODE XREF: PopGetBitlockerKeyLocation+B6j
		test	esi, esi
		js	short loc_721E7B
		mov	eax, [edi+8]
		xor	ecx, ecx
		push	offset ??_C@_1BC@KEMNALNF@?$AAF?$AAV?$AAE?$AAB?$AAO?$AAO?$AAT?$AA?$DN@OKHAJAOM@	; wchar_t *
		mov	[eax+edi+0Ch], cx
		lea	eax, [edi+0Ch]
		push	eax		; wchar_t *
		call	_wcsstr
		pop	ecx
		pop	ecx
		mov	ecx, eax
		test	ecx, ecx
		jnz	loc_729AE3

loc_721E76:				; CODE XREF: PopGetBitlockerKeyLocation+7DFCj
		mov	esi, 0C0000001h

loc_721E7B:				; CODE XREF: PopGetBitlockerKeyLocation+100j
					; PopGetBitlockerKeyLocation+7E0Dj
		test	edi, edi
		jz	short loc_721E8A
		push	66756263h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_721E8A:				; CODE XREF: PopGetBitlockerKeyLocation+7Bj
					; PopGetBitlockerKeyLocation+12Dj ...
		cmp	[ebp+var_18], 0
		jz	short loc_721E98
		push	[ebp+var_18]
		call	_ZwClose@4	; ZwClose(x)

loc_721E98:				; CODE XREF: PopGetBitlockerKeyLocation+13Ej
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopGetBitlockerKeyLocation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopGetHwConfigurationSignature proc near ; CODE	XREF: PopAllocateHiberContext+1E2p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00729B62 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	4
		pop	ebx
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_18], 41435049h
		push	eax
		push	14h
		xor	esi, esi
		mov	[ebp+var_14], 1
		lea	eax, [ebp+var_18]
		mov	[ebp+var_20], esi
		push	eax
		push	4Ch
		mov	[ebp+var_8], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_10], 50434146h
		mov	[ebp+var_C], esi
		mov	[ebp+var_1C], esi
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	loc_721FA8
		push	206D654Dh
		push	[ebp+var_1C]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_721FA8
		mov	dword ptr [edi], 41435049h
		mov	dword ptr [edi+4], 1
		mov	dword ptr [edi+8], 50434146h
		mov	eax, [ebp+var_1C]
		add	eax, 0FFFFFFF0h
		mov	[edi+0Ch], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_1C]
		push	edi
		push	4Ch
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_721F91
		cmp	byte ptr [edi+18h], 5
		jb	short loc_721F91
		mov	eax, [edi+34h]
		lea	ecx, [ebp+var_20]
		push	ecx
		push	esi
		push	40h
		push	esi
		push	eax
		mov	[ebp+var_28], eax
		call	ds:__imp__HalGetMemoryCachingRequirements@20 ; HalGetMemoryCachingRequirements(x,x,x,x,x)
		cmp	[ebp+var_20], 1
		jnz	loc_729B62

loc_721F75:				; CODE XREF: PopGetHwConfigurationSignature+7CCEj
		push	ebx
		push	40h
		push	esi
		push	[ebp+var_28]
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		mov	esi, eax
		cmp	dword ptr [esi], 53434146h
		jnz	short loc_721F91
		mov	eax, [esi+8]
		mov	[ebp+var_24], eax

loc_721F91:				; CODE XREF: PopGetHwConfigurationSignature+A4j
					; PopGetHwConfigurationSignature+AAj ...
		push	206D654Dh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	short loc_721FA8
		push	40h
		push	esi
		call	MmUnmapIoSpace

loc_721FA8:				; CODE XREF: PopGetHwConfigurationSignature+54j
					; PopGetHwConfigurationSignature+70j ...
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_24]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopGetHwConfigurationSignature endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiConvertHiberPhasePte proc near	; DATA XREF: MiConvertHiberPhasePages(x)+25o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00729B7D SIZE 00000062 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [esi]
		nop
		mov	ebx, [esi+4]
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	short loc_721FED
		push	ebx
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	edi, eax
		mov	ebx, edx

loc_721FED:				; CODE XREF: MiConvertHiberPhasePte+20j
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], ebx
		cmp	dword ptr [eax+48h], 0
		jz	loc_7220A1
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	loc_7220AD
		cmp	[ebp+arg_8], 0
		jnz	loc_7220AD
		mov	edx, edi
		nop
		lea	ecx, [ebp+var_8]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	loc_729B7D
		push	ebx
		push	edx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	[ebp+arg_4], eax
		mov	eax, edx
		mov	edx, [ebp+arg_4]

loc_72203A:				; CODE XREF: MiConvertHiberPhasePte+7BBFj
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		mov	ecx, edx
		mov	[ebp+arg_4], edx
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jz	short loc_7220AD
		mov	edx, [ebp+arg_4]
		cmp	edx, ds:dword_6D34E4
		jz	short loc_7220AD
		cmp	edx, ds:dword_6D34F0
		jz	short loc_7220AD
		mov	eax, [ebp+arg_0]
		mov	ecx, edx
		shr	ecx, 5
		and	edx, 1Fh
		mov	eax, [eax+48h]
		mov	eax, [eax+4]
		mov	eax, [eax+ecx*4]
		mov	ecx, edx
		sar	eax, cl
		test	al, 1
		jnz	short loc_7220AD
		and	edi, 0FFFFFFFEh
		mov	[ebp+var_4], ebx
		or	edi, 404h
		mov	[ebp+var_8], edi
		mov	[esi], edi
		nop
		pop	edi
		mov	[esi+4], ebx
		xor	eax, eax
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7220A1:				; CODE XREF: MiConvertHiberPhasePte+3Aj
		lea	ecx, [ebp+var_8]
		call	_MI_CHECK_HIBER_VERIFY_PTE@4 ; MI_CHECK_HIBER_VERIFY_PTE(x)
		test	eax, eax
		jnz	short loc_7220B8

loc_7220AD:				; CODE XREF: MiConvertHiberPhasePte+48j
					; MiConvertHiberPhasePte+52j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7220B8:				; CODE XREF: MiConvertHiberPhasePte+EBj
		and	edi, 0FFFFFBFBh
		mov	[ebp+var_4], ebx
		mov	ecx, edi
		xor	edx, edx
		or	ecx, 1
		mov	[ebp+var_8], ecx
		cmp	[ebp+arg_4], edx
		jnz	loc_729B84

loc_7220D4:				; CODE XREF: MiConvertHiberPhasePte+7BD9j
					; MiConvertHiberPhasePte+7BFBj	...
		mov	[esi+4], ebx
		nop
		mov	[esi], ecx
		test	edx, edx
		jz	short loc_7220AD
		jmp	loc_729BD1
MiConvertHiberPhasePte endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopSystemIrpCompletion proc near	; CODE XREF: PoFxReportDevicePoweredOn+892C6p
					; DATA XREF: PopNotifyDevice+9Eo

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00729BDF SIZE 00000072 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		mov	cl, ds:_PopErrataDisablePrimaryDeviceFastResume
		push	ebx
		push	esi
		mov	ebx, [eax+84h]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_24], edi
		mov	[ebp+var_1D], cl
		movsx	eax, byte ptr [edi+22h]
		add	eax, 3
		imul	eax, 24h
		test	ds:dword_70EFD0, 8000h
		mov	esi, [eax+edi]
		mov	esi, [esi+70h]
		jnz	loc_729BDF

loc_722131:				; CODE XREF: PopSystemIrpCompletion+7B36j
		cmp	ds:_PopPoFxSystemIrpWaitForReportDevicePoweredReg, 0
		jnz	short loc_72213E
		test	cl, cl
		jz	short loc_722147

loc_72213E:				; CODE XREF: PopSystemIrpCompletion+54j
		cmp	esi, 1
		jz	loc_7221CC

loc_722147:				; CODE XREF: PopSystemIrpCompletion+58j
					; PopSystemIrpCompletion+10Aj
		mov	esi, ds:dword_6C2314
		and	esi, (offset loc_7FFFFF+1)
		neg	esi
		sbb	esi, esi
		not	esi
		and	esi, [edi+18h]
		jl	loc_729C42
		and	[ebp+var_24], 0

loc_722166:				; CODE XREF: PopSystemIrpCompletion+7B68j
		mov	ecx, edi
		call	PopDequeueQuerySetIrp
		mov	ecx, edi
		call	_PopFreeIrp@4	; PopFreeIrp(x)
		mov	edi, ds:dword_6C231C
		mov	al, [edi]
		cmp	al, 2
		jnz	short loc_7221F3

loc_722180:				; CODE XREF: PopSystemIrpCompletion+111j
		cmp	dword ptr [edi+4], 1
		jle	short loc_72219B
		mov	ecx, [ebx-4Ch]
		call	_PopFxIncrementDeviceSleepCount@4 ; PopFxIncrementDeviceSleepCount(x)
		mov	ecx, [ebx-4Ch]
		mov	edx, 72496F50h
		call	ObfDereferenceObjectWithTag

loc_72219B:				; CODE XREF: PopSystemIrpCompletion+A0j
					; PopSystemIrpCompletion+113j
		push	[ebp+var_24]
		mov	edx, ebx
		mov	ecx, edi
		push	esi
		call	PopCompleteNotifyTransitionCommon
		push	0
		push	1
		push	0
		push	dword ptr [edi+18h]
		call	KeReleaseSemaphore

loc_7221B6:				; CODE XREF: PopSystemIrpCompletion+7B59j
		mov	ecx, [ebp+var_8]
		mov	eax, 0C0000016h
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_7221CC:				; CODE XREF: PopSystemIrpCompletion+5Dj
		lea	esi, [ebx-30h]
		push	esi
		call	ExAcquireSpinLockExclusive
		mov	ecx, [ebx-34h]
		mov	[ebp+var_1D], al
		test	ecx, ecx
		jnz	short loc_7221F9

loc_7221DF:				; CODE XREF: PopSystemIrpCompletion+119j
					; PopSystemIrpCompletion+134j
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_722147
; 

loc_7221F3:				; CODE XREF: PopSystemIrpCompletion+9Aj
		cmp	al, 3
		jz	short loc_722180
		jmp	short loc_72219B
; 

loc_7221F9:				; CODE XREF: PopSystemIrpCompletion+F9j
		cmp	dword ptr [ecx+48h], 0
		jz	short loc_7221DF
		add	ecx, 10h
		xor	edi, edi
		mov	eax, [ecx]

loc_722206:				; CODE XREF: PopSystemIrpCompletion+12Aj
		mov	edx, eax
		or	edx, edi
		lock cmpxchg [ecx], edx
		jnz	short loc_722206
		mov	edi, [ebp+var_24]
		test	eax, 800h
		jz	short loc_7221DF
		jmp	loc_729C1F
PopSystemIrpCompletion endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopBuildDeviceNotifyList proc near	; CODE XREF: PopGracefulShutdown(x)+23Dp
					; PoInitializeBroadcast+A1p

var_58		= dword	ptr -58h
var_30		= dword	ptr -30h
var_10		= dword	ptr -10h

; FUNCTION CHUNK AT 00729C51 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	8
		mov	ebx, ecx
		lea	edi, [ebp+var_30]
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_10]
		mov	esi, edx
		stosd
		push	0Ah
		pop	ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_58]
		rep stosd
		xor	edi, edi
		lea	eax, [ebp+var_10]
		push	edi
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		lea	eax, [ebp+var_58]
		push	eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		push	offset _PopBuildDeviceNotifyListWatchdog@16 ; PopBuildDeviceNotifyListWatchdog(x,x,x,x)
		lea	eax, [ebp+var_30]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	eax, ds:_PopWatchdogSleepTimeout
		test	eax, eax
		jz	short loc_722295
		mov	ecx, 0FF676980h
		imul	ecx
		lea	ecx, [ebp+var_58]
		push	edx
		push	eax
		lea	eax, [ebp+var_30]
		xor	edx, edx
		push	eax
		push	edi
		call	KiSetTimerEx

loc_722295:				; CODE XREF: PopBuildDeviceNotifyList+5Bj
		mov	ecx, offset _POP_ETW_EVENT_BUILDNOTIFYLIST
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		mov	edx, esi
		mov	ecx, ebx
		call	IoBuildPoDeviceNotifyList
		mov	ecx, (offset loc_40673F+1)
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		cmp	ds:_PopWatchdogSleepTimeout, edi
		jz	short loc_7222CB
		lea	eax, [ebp+var_58]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jz	loc_729C51

loc_7222CB:				; CODE XREF: PopBuildDeviceNotifyList+98j
					; PopBuildDeviceNotifyList+7A3Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopBuildDeviceNotifyList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoBuildPoDeviceNotifyList proc near	; CODE XREF: PopBuildDeviceNotifyList+83p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00729C63 SIZE 00000052 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		lea	eax, [ebp+var_10]
		mov	ebx, edx
		mov	[ebp+var_C], eax
		mov	esi, ecx
		mov	[ebp+var_4], esi
		push	edi
		mov	edi, eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], edi
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], eax
		test	bl, 1
		jnz	short loc_722303
		call	PnpLockDeviceActionQueue
		mov	edi, [ebp+var_10]

loc_722303:				; CODE XREF: IoBuildPoDeviceNotifyList+29j
		push	0D0h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+0D0h], ebx
		lea	ecx, [esi+1Ch]
		push	5
		pop	edx

loc_72231F:				; CODE XREF: IoBuildPoDeviceNotifyList+74j
		lea	eax, [ecx-0Ch]
		mov	[ecx-8], eax
		mov	[eax], eax
		lea	eax, [ecx-4]
		mov	[ecx], eax
		mov	[eax], eax
		lea	eax, [ecx+4]
		mov	[ecx+8], eax
		mov	[eax], eax
		lea	eax, [ecx+0Ch]
		mov	[ecx+10h], eax
		lea	ecx, [ecx+28h]
		mov	[eax], eax
		sub	edx, 1
		jnz	short loc_72231F
		mov	esi, ds:_IopRootDeviceNode
		jmp	short loc_722350
; 

loc_72234E:				; CODE XREF: IoBuildPoDeviceNotifyList+85j
		mov	esi, eax

loc_722350:				; CODE XREF: IoBuildPoDeviceNotifyList+7Cj
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_72234E
		cmp	esi, ds:_IopRootDeviceNode
		jz	loc_7223F6

loc_722363:				; CODE XREF: IoBuildPoDeviceNotifyList+D4j
		mov	ecx, esi
		call	_IopPrepareDeviceNotify@4 ; IopPrepareDeviceNotify(x)
		mov	edi, eax
		mov	edx, 2000h
		mov	ecx, edi
		mov	byte ptr [edi+1Ch], 0
		call	_IopCheckDeviceFlags@8 ; IopCheckDeviceFlags(x,x)
		test	al, al
		jz	short loc_722384
		or	byte ptr [edi+1Ch], 2

loc_722384:				; CODE XREF: IoBuildPoDeviceNotifyList+AEj
		lea	ecx, [esi+8]
		mov	eax, [ecx]
		cmp	eax, ds:_IopRootDeviceNode
		jz	short loc_7223B0

loc_722391:				; CODE XREF: IoBuildPoDeviceNotifyList+E7j
					; IoBuildPoDeviceNotifyList+F0j ...
		mov	esi, [esi]
		test	esi, esi
		jz	short loc_7223A8

loc_722397:				; CODE XREF: IoBuildPoDeviceNotifyList+DEj
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_7223AC

loc_72239E:				; CODE XREF: IoBuildPoDeviceNotifyList+DAj
		cmp	esi, ds:_IopRootDeviceNode
		jnz	short loc_722363
		jmp	short loc_7223F3
; 

loc_7223A8:				; CODE XREF: IoBuildPoDeviceNotifyList+C5j
		mov	esi, [ecx]
		jmp	short loc_72239E
; 

loc_7223AC:				; CODE XREF: IoBuildPoDeviceNotifyList+CCj
		mov	esi, eax
		jmp	short loc_722397
; 

loc_7223B0:				; CODE XREF: IoBuildPoDeviceNotifyList+BFj
		cmp	dword ptr [esi+12Ch], 0
		jz	short loc_722391
		test	byte ptr [esi+10Ch], 4
		jnz	short loc_722391
		mov	eax, [ebp+var_C]
		lea	edx, [ebp+var_10]
		cmp	[eax], edx
		jnz	loc_722719
		mov	[edi], edx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[ebp+var_C], edi
		jmp	short loc_722391
; 

loc_7223DC:				; CODE XREF: IoBuildPoDeviceNotifyList+121j
		or	byte ptr [eax+78h], 1
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_722431

loc_7223E6:				; CODE XREF: IoBuildPoDeviceNotifyList+11Dj
		mov	eax, ecx
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_7223E6

loc_7223EF:				; CODE XREF: IoBuildPoDeviceNotifyList+158j
					; IoBuildPoDeviceNotifyList+164j
		cmp	eax, edi
		jnz	short loc_7223DC

loc_7223F3:				; CODE XREF: IoBuildPoDeviceNotifyList+D6j
		mov	edi, [ebp+var_10]

loc_7223F6:				; CODE XREF: IoBuildPoDeviceNotifyList+8Dj
		lea	eax, [ebp+var_10]
		cmp	edi, eax
		jz	short loc_722436
		cmp	[edi+4], eax
		jnz	loc_722719
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	loc_722719
		mov	[ebp+var_10], eax
		lea	ecx, [ebp+var_10]
		mov	[eax+4], ecx
		or	byte ptr [edi+1Ch], 1
		add	edi, 0FFFFFFA4h
		mov	eax, edi
		mov	ecx, [edi+4]

loc_722426:				; CODE XREF: IoBuildPoDeviceNotifyList+15Fj
		test	ecx, ecx
		jz	short loc_7223EF
		mov	eax, ecx
		mov	ecx, [eax+4]
		jmp	short loc_722426
; 

loc_722431:				; CODE XREF: IoBuildPoDeviceNotifyList+114j
		mov	eax, [eax+8]
		jmp	short loc_7223EF
; 

loc_722436:				; CODE XREF: IoBuildPoDeviceNotifyList+12Bj
					; IoBuildPoDeviceNotifyList+20Dj
		mov	ecx, ds:_IopRootDeviceNode
		xor	bh, bh
		jmp	short loc_722442
; 

loc_722440:				; CODE XREF: IoBuildPoDeviceNotifyList+177j
		mov	ecx, eax

loc_722442:				; CODE XREF: IoBuildPoDeviceNotifyList+16Ej
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_722440
		jmp	short loc_722467
; 

loc_72244B:				; CODE XREF: IoBuildPoDeviceNotifyList+182j
		mov	eax, edx
		mov	edx, [eax+4]

loc_722450:				; CODE XREF: IoBuildPoDeviceNotifyList+1ABj
		test	edx, edx
		jnz	short loc_72244B

loc_722454:				; CODE XREF: IoBuildPoDeviceNotifyList+1C3j
					; IoBuildPoDeviceNotifyList+1CAj
		cmp	eax, ecx
		jnz	short loc_722482

loc_722458:				; CODE XREF: IoBuildPoDeviceNotifyList+1A4j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_72247D

loc_72245E:				; CODE XREF: IoBuildPoDeviceNotifyList+195j
		mov	ecx, eax
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_72245E

loc_722467:				; CODE XREF: IoBuildPoDeviceNotifyList+179j
					; IoBuildPoDeviceNotifyList+1B0j
		mov	eax, ds:_IopRootDeviceNode
		cmp	ecx, eax
		jz	short loc_72249E
		test	byte ptr [ecx+78h], 2
		jz	short loc_722458
		mov	edx, [ecx+4]
		mov	eax, ecx
		jmp	short loc_722450
; 

loc_72247D:				; CODE XREF: IoBuildPoDeviceNotifyList+18Cj
		mov	ecx, [ecx+8]
		jmp	short loc_722467
; 

loc_722482:				; CODE XREF: IoBuildPoDeviceNotifyList+186j
		or	byte ptr [eax+78h], 2
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_722497

loc_72248C:				; CODE XREF: IoBuildPoDeviceNotifyList+1C5j
		mov	eax, edx
		mov	edx, [eax+4]
		test	edx, edx
		jz	short loc_722454
		jmp	short loc_72248C
; 

loc_722497:				; CODE XREF: IoBuildPoDeviceNotifyList+1BAj
		mov	eax, [eax+8]
		jmp	short loc_722454
; 

loc_72249C:				; CODE XREF: IoBuildPoDeviceNotifyList+1D3j
		mov	eax, ecx

loc_72249E:				; CODE XREF: IoBuildPoDeviceNotifyList+19Ej
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_72249C
		mov	edi, ds:_IopRootDeviceNode
		cmp	eax, edi
		jz	short loc_7224EC

loc_7224AF:				; CODE XREF: IoBuildPoDeviceNotifyList+209j
		test	byte ptr [eax+78h], 2
		jz	short loc_7224C2
		lea	edx, [eax+64h]
		mov	ecx, [edx]

loc_7224BA:				; CODE XREF: IoBuildPoDeviceNotifyList+79A8j
		cmp	ecx, edx
		jnz	loc_729C63

loc_7224C2:				; CODE XREF: IoBuildPoDeviceNotifyList+1E3j
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_7224E5

loc_7224C8:				; CODE XREF: IoBuildPoDeviceNotifyList+1FFj
		mov	eax, ecx
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_7224C8

loc_7224D1:				; CODE XREF: IoBuildPoDeviceNotifyList+218j
		mov	edi, ds:_IopRootDeviceNode
		cmp	eax, edi
		jnz	short loc_7224AF
		test	bh, bh
		jnz	loc_722436
		jmp	short loc_7224EC
; 

loc_7224E5:				; CODE XREF: IoBuildPoDeviceNotifyList+1F6j
		mov	eax, [eax+8]
		jmp	short loc_7224D1
; 

loc_7224EA:				; CODE XREF: IoBuildPoDeviceNotifyList+221j
		mov	edi, eax

loc_7224EC:				; CODE XREF: IoBuildPoDeviceNotifyList+1DDj
					; IoBuildPoDeviceNotifyList+213j
		mov	eax, [edi+4]
		test	eax, eax
		jnz	short loc_7224EA
		jmp	short loc_722515
; 

loc_7224F5:				; CODE XREF: IoBuildPoDeviceNotifyList+254j
		inc	al
		lea	ecx, [edi+5Ch]
		mov	[edi+78h], al
		call	_IopCheckDeviceType@8 ;	IopCheckDeviceType(x,x)
		test	al, al
		jnz	short loc_72252D

loc_722506:				; CODE XREF: IoBuildPoDeviceNotifyList+256j
					; IoBuildPoDeviceNotifyList+26Cj ...
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_722528

loc_72250C:				; CODE XREF: IoBuildPoDeviceNotifyList+243j
		mov	edi, eax
		mov	eax, [edi+4]
		test	eax, eax
		jnz	short loc_72250C

loc_722515:				; CODE XREF: IoBuildPoDeviceNotifyList+223j
					; IoBuildPoDeviceNotifyList+25Bj
		mov	esi, ds:_IopRootDeviceNode
		cmp	edi, esi
		jz	short loc_722543
		mov	al, [edi+78h]
		test	al, 2
		jnz	short loc_7224F5
		jmp	short loc_722506
; 

loc_722528:				; CODE XREF: IoBuildPoDeviceNotifyList+23Aj
		mov	edi, [edi+8]
		jmp	short loc_722515
; 

loc_72252D:				; CODE XREF: IoBuildPoDeviceNotifyList+234j
		mov	edx, 100h
		lea	ecx, [edi+5Ch]
		call	_IopCheckDeviceFlags@8 ; IopCheckDeviceFlags(x,x)
		test	al, al
		jz	short loc_722506
		jmp	loc_729C7D
; 

loc_722543:				; CODE XREF: IoBuildPoDeviceNotifyList+24Dj
					; IoBuildPoDeviceNotifyList+2EAj
		xor	bh, bh
		jmp	short loc_722549
; 

loc_722547:				; CODE XREF: IoBuildPoDeviceNotifyList+27Ej
		mov	esi, eax

loc_722549:				; CODE XREF: IoBuildPoDeviceNotifyList+275j
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_722547
		jmp	short loc_722554
; 

loc_722552:				; CODE XREF: IoBuildPoDeviceNotifyList+2A6j
		mov	esi, [edx]

loc_722554:				; CODE XREF: IoBuildPoDeviceNotifyList+280j
					; IoBuildPoDeviceNotifyList+2ADj
		mov	eax, ds:_IopRootDeviceNode
		cmp	esi, eax
		jz	short loc_722585
		lea	edx, [esi+8]
		mov	ecx, [edx]
		cmp	ecx, eax
		jz	short loc_722572
		mov	al, [esi+78h]
		cmp	[ecx+78h], al
		ja	loc_729C86

loc_722572:				; CODE XREF: IoBuildPoDeviceNotifyList+294j
					; IoBuildPoDeviceNotifyList+79B9j
		mov	esi, [esi]
		test	esi, esi
		jz	short loc_722552

loc_722578:				; CODE XREF: IoBuildPoDeviceNotifyList+2B1j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_722554
		mov	esi, eax
		jmp	short loc_722578
; 

loc_722583:				; CODE XREF: IoBuildPoDeviceNotifyList+2BAj
		mov	eax, ecx

loc_722585:				; CODE XREF: IoBuildPoDeviceNotifyList+28Bj
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_722583
		mov	esi, ds:_IopRootDeviceNode
		cmp	eax, esi
		jz	short loc_7225BC

loc_722596:				; CODE XREF: IoBuildPoDeviceNotifyList+2E6j
		lea	edx, [eax+6Ch]
		mov	ecx, [edx]

loc_72259B:				; CODE XREF: IoBuildPoDeviceNotifyList+307j
		cmp	ecx, edx
		jnz	short loc_7225C6
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_7225C1

loc_7225A5:				; CODE XREF: IoBuildPoDeviceNotifyList+2DCj
		mov	eax, ecx
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_7225A5

loc_7225AE:				; CODE XREF: IoBuildPoDeviceNotifyList+2F4j
		mov	esi, ds:_IopRootDeviceNode
		cmp	eax, esi
		jnz	short loc_722596
		test	bh, bh
		jnz	short loc_722543

loc_7225BC:				; CODE XREF: IoBuildPoDeviceNotifyList+2C4j
		mov	[ebp+var_8], esi
		jmp	short loc_7225DE
; 

loc_7225C1:				; CODE XREF: IoBuildPoDeviceNotifyList+2D3j
		mov	eax, [eax+8]
		jmp	short loc_7225AE
; 

loc_7225C6:				; CODE XREF: IoBuildPoDeviceNotifyList+2CDj
		mov	esi, [ecx+14h]
		mov	bl, [eax+78h]
		cmp	[esi+1Ch], bl
		ja	loc_729C8E

loc_7225D5:				; CODE XREF: IoBuildPoDeviceNotifyList+79C3j
		mov	ecx, [ecx]
		jmp	short loc_72259B
; 

loc_7225D9:				; CODE XREF: IoBuildPoDeviceNotifyList+313j
		mov	esi, eax
		mov	[ebp+var_8], eax

loc_7225DE:				; CODE XREF: IoBuildPoDeviceNotifyList+2EFj
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_7225D9
		cmp	esi, ds:_IopRootDeviceNode
		jz	loc_72269E
		mov	ebx, [ebp+var_4]

loc_7225F4:				; CODE XREF: IoBuildPoDeviceNotifyList+3C8j
		mov	ecx, [ebx+0D0h]
		lea	edi, [esi+5Ch]
		mov	edx, edi
		call	IopIsNotifyInBroadcast
		test	al, al
		jz	loc_729C98
		movzx	eax, byte ptr [edi+1Ch]
		mov	ecx, [ebp+var_4]
		imul	eax, 28h
		inc	dword ptr [eax+ecx+8]
		mov	edx, [esi+8]
		cmp	edx, ds:_IopRootDeviceNode
		jz	short loc_722646
		mov	ecx, [ecx+0D0h]
		add	edx, 5Ch
		call	IopIsNotifyInBroadcast
		mov	ecx, [ebp+var_4]
		test	al, al
		jz	short loc_722646
		inc	dword ptr [edi+34h]
		mov	eax, [esi+8]
		inc	dword ptr [eax+88h]

loc_722646:				; CODE XREF: IoBuildPoDeviceNotifyList+353j
					; IoBuildPoDeviceNotifyList+368j
		lea	eax, [edi+10h]
		mov	ebx, [eax]
		cmp	ebx, eax
		jnz	short loc_7226C7

loc_72264F:				; CODE XREF: IoBuildPoDeviceNotifyList+41Bj
		lea	eax, [edi+8]
		mov	ebx, [eax]
		cmp	ebx, eax
		jnz	loc_7226F0

loc_72265C:				; CODE XREF: IoBuildPoDeviceNotifyList+444j
		movzx	eax, byte ptr [edi+1Ch]
		mov	ebx, [ebp+var_4]
		imul	eax, 28h
		add	eax, 10h
		add	eax, ebx
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_722719
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi

loc_722680:				; CODE XREF: IoBuildPoDeviceNotifyList+79E0j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_7226B8
		mov	esi, eax
		mov	[ebp+var_8], esi

loc_72268B:				; CODE XREF: IoBuildPoDeviceNotifyList+3F5j
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_7226C0

loc_722692:				; CODE XREF: IoBuildPoDeviceNotifyList+3EEj
		cmp	esi, ds:_IopRootDeviceNode
		jnz	loc_7225F4

loc_72269E:				; CODE XREF: IoBuildPoDeviceNotifyList+31Bj
		lea	ecx, [ebp+var_18]
		call	_IopFreePoDeviceNotifyListHead@4 ; IopFreePoDeviceNotifyListHead(x)
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	dword ptr [eax+4], offset _IopWarmEjectPdo
		mov	byte ptr [eax],	1
		leave
		retn
; 

loc_7226B8:				; CODE XREF: IoBuildPoDeviceNotifyList+3B4j
		mov	esi, [esi+8]
		mov	[ebp+var_8], esi
		jmp	short loc_722692
; 

loc_7226C0:				; CODE XREF: IoBuildPoDeviceNotifyList+3C0j
		mov	esi, eax
		mov	[ebp+var_8], eax
		jmp	short loc_72268B
; 

loc_7226C7:				; CODE XREF: IoBuildPoDeviceNotifyList+37Dj
		lea	esi, [edi+10h]

loc_7226CA:				; CODE XREF: IoBuildPoDeviceNotifyList+416j
		mov	edx, [ebx+14h]
		mov	ecx, [ecx+0D0h]
		call	IopIsNotifyInBroadcast
		test	al, al
		jz	short loc_7226DF
		inc	dword ptr [edi+34h]

loc_7226DF:				; CODE XREF: IoBuildPoDeviceNotifyList+40Aj
		mov	ebx, [ebx]
		mov	ecx, [ebp+var_4]
		cmp	ebx, esi
		jnz	short loc_7226CA
		mov	esi, [ebp+var_8]
		jmp	loc_72264F
; 

loc_7226F0:				; CODE XREF: IoBuildPoDeviceNotifyList+386j
		lea	esi, [edi+8]

loc_7226F3:				; CODE XREF: IoBuildPoDeviceNotifyList+43Fj
		mov	eax, [ebp+var_4]
		mov	edx, [ebx-4]
		mov	ecx, [eax+0D0h]
		call	IopIsNotifyInBroadcast
		test	al, al
		jz	short loc_72270B
		inc	dword ptr [edi+2Ch]

loc_72270B:				; CODE XREF: IoBuildPoDeviceNotifyList+436j
		mov	ebx, [ebx]
		cmp	ebx, esi
		jnz	short loc_7226F3
		mov	esi, [ebp+var_8]
		jmp	loc_72265C
; 

loc_722719:				; CODE XREF: IoBuildPoDeviceNotifyList+FAj
					; IoBuildPoDeviceNotifyList+130j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
IoBuildPoDeviceNotifyList endp		; AL = character to display


;  S U B	R O U T	I N E 


IopIsNotifyInBroadcast proc near	; CODE XREF: IoBuildPoDeviceNotifyList+32Fp
					; IoBuildPoDeviceNotifyList+35Ep ...

; FUNCTION CHUNK AT 00729CB5 SIZE 00000019 BYTES

		test	cl, 1
		jnz	loc_729CB5
		mov	al, 1
		retn
IopIsNotifyInBroadcast endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCheckDeviceFlags(x, x)
_IopCheckDeviceFlags@8 proc near	; CODE XREF: IoBuildPoDeviceNotifyList+A7p
					; IoBuildPoDeviceNotifyList+265p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+18h]
		mov	esi, edx
		mov	edx, 70506F50h
		mov	[ebp+var_4], esi
		mov	ecx, edi
		xor	bl, bl
		call	ObfReferenceObjectWithTag
		test	edi, edi
		jz	short loc_722775

loc_72274D:				; CODE XREF: IopCheckDeviceFlags(x,x)+49j
		mov	edx, 70506F50h
		mov	ecx, edi
		test	[edi+1Ch], esi
		jnz	short loc_72277C
		call	IoGetLowerDeviceObjectWithTag
		mov	edx, 70506F50h
		mov	ecx, edi
		mov	esi, eax
		call	ObfDereferenceObjectWithTag
		mov	edi, esi
		test	esi, esi
		mov	esi, [ebp+var_4]
		jnz	short loc_72274D

loc_722775:				; CODE XREF: IopCheckDeviceFlags(x,x)+21j
					; IopCheckDeviceFlags(x,x)+59j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_72277C:				; CODE XREF: IopCheckDeviceFlags(x,x)+2Dj
		mov	bl, 1
		call	ObfDereferenceObjectWithTag
		jmp	short loc_722775
_IopCheckDeviceFlags@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopPrepareDeviceNotify(x)
_IopPrepareDeviceNotify@4 proc near	; CODE XREF: IoBuildPoDeviceNotifyList+95p
		xor	eax, eax
		push	esi
		lea	esi, [ecx+5Ch]
		mov	[esi+1Ch], al
		mov	[esi+2Ch], eax
		mov	[esi+30h], eax
		mov	[esi+34h], eax
		mov	[esi+38h], eax
		mov	eax, [ecx+10h]
		mov	[esi+20h], eax
		push	dword ptr [ecx+10h]
		call	IoGetAttachedDeviceReference
		mov	[esi+18h], eax
		mov	ecx, [eax+8]
		call	_IopCaptureObjectName@4	; IopCaptureObjectName(x)
		mov	ecx, [esi+18h]
		mov	[esi+28h], eax
		call	_IopCaptureObjectName@4	; IopCaptureObjectName(x)
		mov	ecx, [esi+20h]
		mov	[esi+24h], eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, esi
		pop	esi
		retn
_IopPrepareDeviceNotify@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCaptureObjectName(x)
_IopCaptureObjectName@4	proc near	; CODE XREF: IopPrepareDeviceNotify(x)+29p
					; IopPrepareDeviceNotify(x)+34p

var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 208h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		lea	eax, [ebp+var_208]
		mov	edi, 200h
		push	eax
		push	edi
		lea	eax, [ebp+var_204]
		xor	esi, esi
		push	eax
		push	ecx
		mov	[ebp+var_208], esi
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		test	eax, eax
		js	short loc_722855
		cmp	[ebp+var_200], esi
		jz	short loc_722855
		movzx	eax, word ptr [ebp+var_204]
		push	72775044h
		add	eax, 2
		push	eax
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_722855
		movzx	ecx, word ptr [ebp+var_204]
		push	ecx		; size_t
		push	[ebp+var_200]	; void *
		push	esi		; void *
		call	_memcpy
		movzx	eax, word ptr [ebp+var_204]
		add	esp, 0Ch
		shr	eax, 1
		xor	ecx, ecx
		mov	[esi+eax*2], cx

loc_722855:				; CODE XREF: IopCaptureObjectName(x)+3Bj
					; IopCaptureObjectName(x)+43j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopCaptureObjectName@4	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopCheckDeviceType(x, x)
_IopCheckDeviceType@8 proc near		; CODE XREF: IoBuildPoDeviceNotifyList+22Dp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+18h]
		mov	edx, 70506F50h
		mov	ecx, edi
		xor	bl, bl
		call	ObfReferenceObjectWithTag
		test	edi, edi
		jz	short loc_7228A6

loc_722880:				; CODE XREF: IopCheckDeviceType(x,x)+3Ej
		cmp	dword ptr [edi+2Ch], 7
		mov	edx, 70506F50h
		mov	ecx, edi
		jz	short loc_7228AC
		call	IoGetLowerDeviceObjectWithTag
		mov	edx, 70506F50h
		mov	ecx, edi
		mov	esi, eax
		call	ObfDereferenceObjectWithTag
		mov	edi, esi
		test	esi, esi
		jnz	short loc_722880

loc_7228A6:				; CODE XREF: IopCheckDeviceType(x,x)+18j
					; IopCheckDeviceType(x,x)+4Dj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_7228AC:				; CODE XREF: IopCheckDeviceType(x,x)+25j
		mov	bl, 1
		call	ObfDereferenceObjectWithTag
		jmp	short loc_7228A6
_IopCheckDeviceType@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IoFreePoDeviceNotifyList(x)
_IoFreePoDeviceNotifyList@4 proc near	; CODE XREF: PAGELK:0071F9A9p
					; PoClearBroadcast()+22p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	byte ptr [esi],	0
		jz	short loc_7228F9
		push	5
		lea	edi, [esi+18h]
		pop	ebx

loc_7228C8:				; CODE XREF: IoFreePoDeviceNotifyList(x)+37j
		lea	ecx, [edi-8]
		call	_IopFreePoDeviceNotifyListHead@4 ; IopFreePoDeviceNotifyListHead(x)
		mov	ecx, edi
		call	_IopFreePoDeviceNotifyListHead@4 ; IopFreePoDeviceNotifyListHead(x)
		lea	ecx, [edi+8]
		call	_IopFreePoDeviceNotifyListHead@4 ; IopFreePoDeviceNotifyListHead(x)
		lea	ecx, [edi+10h]
		call	_IopFreePoDeviceNotifyListHead@4 ; IopFreePoDeviceNotifyListHead(x)
		add	edi, 28h
		sub	ebx, 1
		jnz	short loc_7228C8
		mov	[esi], bl
		pop	edi
		pop	esi
		pop	ebx
		jmp	PnpUnlockDeviceActionQueue
; 

loc_7228F9:				; CODE XREF: IoFreePoDeviceNotifyList(x)+Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
_IoFreePoDeviceNotifyList@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopFreePoDeviceNotifyListHead(x)
_IopFreePoDeviceNotifyListHead@4 proc near ; CODE XREF:	IoBuildPoDeviceNotifyList+3D1p
					; IoFreePoDeviceNotifyList(x)+15p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, 72775044h

loc_72290A:				; CODE XREF: IopFreePoDeviceNotifyListHead(x)+3Fj
					; IopFreePoDeviceNotifyListHead(x)+48j
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_722951
		cmp	[esi+4], edi
		jnz	short loc_722955
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_722955
		mov	[edi], eax
		mov	[eax+4], edi
		mov	ecx, [esi+20h]
		call	ObfDereferenceObject
		mov	ecx, [esi+18h]
		call	ObfDereferenceObject
		mov	eax, [esi+24h]
		test	eax, eax
		jnz	short loc_722948

loc_722938:				; CODE XREF: IopFreePoDeviceNotifyListHead(x)+51j
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_72290A
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_72290A
; 

loc_722948:				; CODE XREF: IopFreePoDeviceNotifyListHead(x)+38j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_722938
; 

loc_722951:				; CODE XREF: IopFreePoDeviceNotifyListHead(x)+10j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_722955:				; CODE XREF: IopFreePoDeviceNotifyListHead(x)+15j
					; IopFreePoDeviceNotifyListHead(x)+1Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_IopFreePoDeviceNotifyListHead@4 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSetSwappingKernelApc(x, x, x, x,	x)
_ExpSetSwappingKernelApc@20 proc near	; DATA XREF: ExSwapinWorkerThreads(x)+94o

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	esi
		mov	esi, [eax]
		mov	eax, large fs:124h
		test	byte ptr [eax+300h], 1
		jz	short loc_722980
		mov	eax, [ebp+arg_8]
		movzx	eax, byte ptr [eax]
		push	eax
		call	_KeSetKernelStackSwapEnable@4 ;	KeSetKernelStackSwapEnable(x)

loc_722980:				; CODE XREF: ExpSetSwappingKernelApc(x,x,x,x,x)+18j
		push	0
		push	0
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	esi
		pop	ebp
		retn	14h
_ExpSetSwappingKernelApc@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFlushVolumes	proc near		; CODE XREF: PAGELK:loc_71F07Dp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00729CCE SIZE 000000D6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_28]
		push	6
		pop	ecx
		xor	eax, eax
		rep stosd
		xor	edi, edi
		mov	ecx, offset _POP_ETW_EVENT_FLUSHVOLUMES_START
		mov	[ebp+var_8], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_4], edi
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		lea	eax, [ebp+var_48]
		mov	[ebp+var_40], edi
		push	edi
		mov	[ebp+var_44], eax
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_3C]
		push	edi
		push	eax
		mov	[ebp+var_3C], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		cmp	esi, 6
		jz	loc_729CCE
		cmp	ds:byte_6C24D0,	0
		jz	loc_729CD6
		push	3
		pop	ebx

loc_7229FE:				; CODE XREF: PopFlushVolumes+734Cj
		cmp	esi, 5
		jnz	short loc_722A06
		or	ebx, 10h

loc_722A06:				; CODE XREF: PopFlushVolumes+71j
					; PopFlushVolumes+7341j
		test	bl, 4
		jnz	loc_729CE1

loc_722A0F:				; CODE XREF: PopFlushVolumes+7355j
		test	bl, 8
		jnz	loc_729CEA

loc_722A18:				; CODE XREF: PopFlushVolumes+735Ej
		test	bl, 1
		jz	short loc_722A6E
		push	offset ??_C@_1BE@BNJCNEJN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy@OKHAJAOM@ ; "\\Registry"
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		mov	[ebp+var_28], 18h
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_24], edi
		push	eax
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_722A6E
		push	[ebp+var_4]
		call	_ZwFlushKey@4	; ZwFlushKey(x)
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_722A6E:				; CODE XREF: PopFlushVolumes+8Bj
					; PopFlushVolumes+CCj
		mov	ecx, offset _PopVolumeLock
		mov	esi, edi
		call	ExAcquireFastMutex
		mov	ecx, ds:_PopVolumeDevices
		jmp	short loc_722ACA
; 

loc_722A82:				; CODE XREF: PopFlushVolumes+150j
		test	dword ptr [eax+20h], 10006h
		jnz	short loc_722ACA
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	short loc_722A98
		test	byte ptr [eax+20h], 4
		jnz	short loc_722ACA

loc_722A98:				; CODE XREF: PopFlushVolumes+100j
		cmp	[ecx+4], edx
		jnz	loc_722B7A
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	loc_722B7A
		mov	[eax], ecx
		lea	edi, [ebp+var_48]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_44]
		cmp	[eax], edi
		jnz	loc_722B7A
		mov	[edx], edi
		inc	esi
		mov	[edx+4], eax
		mov	[eax], edx
		mov	[ebp+var_44], edx

loc_722ACA:				; CODE XREF: PopFlushVolumes+F0j
					; PopFlushVolumes+F9j ...
		cmp	ecx, offset _PopVolumeDevices
		jz	short loc_722AE4
		mov	eax, [ecx-1Ch]
		mov	edx, ecx
		mov	ecx, [ecx]
		mov	edi, [eax+24h]
		test	byte ptr [edi+4], 1
		jnz	short loc_722A82
		jmp	short loc_722ACA
; 

loc_722AE4:				; CODE XREF: PopFlushVolumes+140j
		test	bl, 2
		jz	loc_729CF3

loc_722AED:				; CODE XREF: PopFlushVolumes+73F9j
		mov	ebx, offset _PopVolumeLock
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	esi, esi
		jz	short loc_722B6B
		cmp	esi, 8
		jg	short loc_722B7F

loc_722B02:				; CODE XREF: PopFlushVolumes+1F2j
		xor	edi, edi
		mov	[ebp+var_28], 18h
		mov	[ebp+var_24], edi
		mov	[ebp+var_1C], 200h
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_40], esi

loc_722B21:				; CODE XREF: PopFlushVolumes+1C3j
		dec	esi
		test	esi, esi
		jle	short loc_722B55
		lea	eax, [ebp+var_48]
		push	eax
		push	offset PopFlushVolumeWorker
		push	edi
		push	edi
		lea	eax, [ebp+var_28]
		push	eax
		push	1FFFFFh
		lea	eax, [ebp+var_8]
		push	eax
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_729D8E
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_722B21
; 

loc_722B55:				; CODE XREF: PopFlushVolumes+194j
					; PopFlushVolumes+740Fj
		lea	eax, [ebp+var_48]
		push	eax
		call	PopFlushVolumeWorker
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_3C]
		push	eax
		call	KeWaitForSingleObject

loc_722B6B:				; CODE XREF: PopFlushVolumes+16Bj
		mov	ecx, offset _POP_ETW_EVENT_FLUSHVOLUMES_STOP
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_722B7A:				; CODE XREF: PopFlushVolumes+10Bj
					; PopFlushVolumes+116j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_722B7F:				; CODE XREF: PopFlushVolumes+170j
		push	8
		pop	esi
		jmp	loc_722B02
PopFlushVolumes	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFlushVolumeWorker proc near		; CODE XREF: PopFlushVolumes+1C9p
					; DATA XREF: PopFlushVolumes+19Ao

var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00729DA4 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 234h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+234h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		mov	[esp+240h+var_224], ebx
		lea	edi, [esp+240h+var_220]
		mov	[esp+240h+var_22C], ebx
		push	200h		; size_t
		rep stosd
		lea	eax, [esp+244h+var_208]
		mov	[esp+244h+var_228], ebx
		push	ebx		; int
		push	eax		; void *
		mov	[esp+24Ch+var_230], ebx
		call	_memset
		add	esp, 0Ch

loc_722BDA:				; CODE XREF: PopFlushVolumeWorker+C6j
					; PopFlushVolumeWorker+CCj ...
		mov	ecx, offset _PopVolumeLock
		call	ExAcquireFastMutex
		mov	edi, [esi]
		cmp	edi, esi
		jz	loc_722CD7
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	loc_722D0B
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	loc_722D0B
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	eax, ds:dword_6C2B84
		cmp	dword ptr [eax], offset	_PopVolumeDevices
		jnz	loc_722D0B
		mov	dword ptr [edi], offset	_PopVolumeDevices
		mov	ecx, offset _PopVolumeLock
		mov	[edi+4], eax
		mov	[eax], edi
		mov	ds:dword_6C2B84, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		lea	eax, [esp+240h+var_224]
		push	eax
		push	200h
		lea	eax, [esp+248h+var_208]
		push	eax
		push	dword ptr [edi-1Ch]
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		test	eax, eax
		js	short loc_722BDA
		cmp	[esp+240h+var_204], ebx
		jz	short loc_722BDA
		push	ebx
		push	ebx
		push	20h
		push	1
		push	3
		push	0C0000000h
		lea	eax, [esp+258h+var_208]
		mov	[esp+258h+var_220], 18h
		mov	[esp+258h+var_218], eax
		lea	eax, [esp+258h+var_22C]
		push	ebx
		push	eax
		lea	eax, [esp+260h+var_220]
		mov	[esp+260h+var_21C], ebx
		push	eax
		push	100003h
		lea	eax, [esp+268h+var_230]
		mov	[esp+268h+var_214], 240h
		push	eax
		mov	[esp+26Ch+var_210], ebx
		mov	[esp+26Ch+var_20C], ebx
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_722BDA
		cmp	[esi+1Ch], bl
		jnz	loc_729DA4
		lea	eax, [esp+240h+var_22C]
		cmp	[esi+1Dh], bl
		jnz	loc_729DB6
		push	eax
		push	[esp+244h+var_230]
		call	_ZwFlushBuffersFile@8 ;	ZwFlushBuffersFile(x,x)

loc_722CC9:				; CODE XREF: PopFlushVolumeWorker+7229j
					; PopFlushVolumeWorker+7244j
		push	[esp+240h+var_230]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_722BDA
; 

loc_722CD7:				; CODE XREF: PopFlushVolumeWorker+60j
		sub	dword ptr [esi+8], 1
		jz	short loc_722CFE

loc_722CDD:				; CODE XREF: PopFlushVolumeWorker+181j
		mov	ecx, offset _PopVolumeLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [esp+240h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_722CFE:				; CODE XREF: PopFlushVolumeWorker+153j
		push	ebx
		push	ebx
		lea	eax, [esi+0Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_722CDD
; 

loc_722D0B:				; CODE XREF: PopFlushVolumeWorker+6Bj
					; PopFlushVolumeWorker+76j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PopFlushVolumeWorker endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopHandleWakeSources proc near		; CODE XREF: PoBroadcastSystemState+37Ap

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 00729DD1 SIZE 0000016D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	edx, ds:_PopSimulate
		xor	eax, eax
		push	ebx
		mov	ebx, ds:_PopFixedWakeSourceMask
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	byte ptr [ebp+var_1], 0
		stosd
		stosd
		stosd
		xor	edi, edi
		bt	edx, 15h
		mov	[ebp+var_8], edi
		setnb	cl
		test	bl, 1
		setz	al
		test	cl, al
		jz	loc_729DEA
		bt	edx, 16h
		setnb	cl
		test	bl, 2
		setz	al
		test	cl, al
		jz	loc_729DE5
		lea	ecx, [ebp+var_1]
		call	PopValidateRTCWake
		test	al, al
		jnz	loc_729DD1

loc_722D72:				; CODE XREF: PopHandleWakeSources+70CBj
					; PopHandleWakeSources+70E0j
		lea	ecx, [ebp+var_14]
		call	_PopAcquireWakeSourceSpinLock@4	; PopAcquireWakeSourceSpinLock(x)
		mov	esi, ds:_PopCurrentWakeInfo
		test	esi, esi
		jz	short loc_722D8F
		test	edi, edi
		jnz	short loc_722D8F
		mov	ecx, esi
		call	_PopWakeInfoReference@4	; PopWakeInfoReference(x)

loc_722D8F:				; CODE XREF: PopHandleWakeSources+72j
					; PopHandleWakeSources+76j
		lea	ecx, [ebp+var_14]
		call	PopReleaseWakeSourceSpinLock
		test	esi, esi
		jz	loc_729DF5
		test	edi, edi
		jnz	loc_729E08
		xor	ebx, ebx
		lea	edi, [esi+18h]
		push	ebx
		push	offset _PopWakeSourceTimeoutDpc@16 ; PopWakeSourceTimeoutDpc(x,x,x,x)
		push	edi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	ebx
		add	esi, 38h
		push	esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	0FFFFFFFFh
		push	0FECED300h
		push	edi
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		call	KiSetTimerEx

loc_722DD4:				; CODE XREF: PopHandleWakeSources+70F3j
					; PopHandleWakeSources+71FBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopHandleWakeSources endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopNewWakeInfo	proc near		; CODE XREF: PAGELK:0071F873p

var_C		= dword	ptr -0Ch

; FUNCTION CHUNK AT 00729F3E SIZE 00000064 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		push	206D654Dh
		push	60h
		push	200h
		stosd
		stosd
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		xor	edi, edi
		test	esi, esi
		jz	short loc_722E28
		push	50h		; size_t
		lea	ecx, [esi+10h]
		push	edi		; int
		push	ecx		; void *
		call	_memset
		lea	eax, [esi+0Ch]
		mov	dword ptr [esi+8], 1
		add	esp, 0Ch
		mov	[esi+4], esi
		mov	[esi], esi
		mov	[eax+4], eax
		mov	[eax], eax

loc_722E28:				; CODE XREF: PopNewWakeInfo+29j
		lea	ecx, [ebp+var_C]
		call	_PopAcquireWakeSourceSpinLock@4	; PopAcquireWakeSourceSpinLock(x)
		mov	eax, ds:_PopPendingWakeInfo
		mov	edx, offset _PopWakeInfoList
		test	eax, eax
		jnz	loc_729F15

loc_722E42:				; CODE XREF: PopHandleWakeSources+7229j
		mov	eax, ds:_PopCurrentWakeInfo
		test	eax, eax
		jnz	loc_729F3E

loc_722E4F:				; CODE XREF: PopNewWakeInfo+7188j
		test	esi, esi
		jz	short loc_722E66
		cmp	ds:_PopWakeInfoCount, 1
		mov	ds:_PopCurrentWakeInfo,	esi
		jz	loc_729F67

loc_722E66:				; CODE XREF: PopNewWakeInfo+77j
					; PopNewWakeInfo+71B5j
		lea	ecx, [ebp+var_C]
		call	PopReleaseWakeSourceSpinLock
		push	offset _PopWakeSourceAvailable
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	ds:_PopFixedWakeSourceMask, edi
		pop	edi
		pop	esi
		leave
		retn
PopNewWakeInfo	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopValidateRTCWake proc	near		; CODE XREF: PopHandleWakeSources+55p

var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00729FA2 SIZE 000000E0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		and	[ebp+var_8], eax
		inc	ebx
		and	[ebp+var_18], eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_1], al
		push	edi
		mov	[esi], al
		mov	eax, ds:_PopFixedWakeSourceMask
		and	eax, 18h
		cmp	eax, 10h
		jz	loc_729F99
		cmp	eax, 8
		jz	short loc_722EF4
		test	eax, eax
		jnz	loc_729FA2

loc_722EC0:				; CODE XREF: PopValidateRTCWake+7134j
		mov	eax, ds:dword_6C2718
		test	eax, eax
		js	short loc_722ED0
		xor	edi, edi
		cmp	eax, 3
		jb	short loc_722EFD

loc_722ED0:				; CODE XREF: PopValidateRTCWake+45j
		test	byte ptr ds:_PopFixedWakeSourceMask, 4
		jnz	short loc_722EDB
		mov	[esi], bl

loc_722EDB:				; CODE XREF: PopValidateRTCWake+55j
		mov	edx, ds:dword_6C2740
		mov	eax, edx
		mov	ecx, ds:dword_6C2744
		or	eax, ecx
		jnz	loc_729FBB

loc_722EF1:				; CODE XREF: PopValidateRTCWake+713Fj
					; PopValidateRTCWake+714Fj
		mov	byte ptr [esi],	0

loc_722EF4:				; CODE XREF: PopValidateRTCWake+34j
		mov	edi, ebx
		xor	eax, eax

loc_722EF8:				; CODE XREF: PopNewWakeInfo+71C3j
		mov	ds:dword_6C2718, eax

loc_722EFD:				; CODE XREF: PopValidateRTCWake+4Cj
		imul	eax, 18h
		mov	ecx, ds:dword_6C2728[eax]
		mov	edx, ds:dword_6C272C[eax]
		mov	eax, ecx
		or	eax, edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		jnz	loc_729FD6
		mov	edx, [ebp+var_C]
		push	3
		pop	eax
		mov	ds:dword_6C2718, eax
		mov	eax, ebx
		mov	byte ptr [esi],	0

loc_722F2C:				; CODE XREF: PopValidateRTCWake+71FBj
		push	[ebp+var_8]
		movzx	ecx, byte ptr [esi]
		push	edx
		movzx	edx, [ebp+var_1]
		push	edi
		push	ebx
		push	ecx
		push	eax
		call	PopDiagTraceRtcWakeInfo
		mov	al, [ebp+var_1]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopValidateRTCWake endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagInterruptTimeToSystemTime(x,	x, x)
_PopDiagInterruptTimeToSystemTime@12 proc near ; CODE XREF: PopDiagTraceRtcWakeInfo+96p
					; PopDiagTraceRtcWakeInfo+ADp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	KeQueryInterruptTime
		mov	ebx, eax
		mov	[ebp+var_4], edx
		lea	eax, [ebp+var_C]
		push	eax
		call	KeQuerySystemTime
		mov	ecx, [ebp+arg_4]
		mov	esi, [ebp+arg_0]
		test	ecx, ecx
		jg	short loc_722F80
		jl	short loc_722F97
		test	esi, esi
		jb	short loc_722F97

loc_722F80:				; CODE XREF: PopDiagInterruptTimeToSystemTime(x,x,x)+30j
		sub	esi, ebx
		sbb	ecx, [ebp+var_4]

loc_722F85:				; CODE XREF: PopDiagInterruptTimeToSystemTime(x,x,x)+56j
		add	esi, [ebp+var_C]
		mov	[edi], esi
		adc	ecx, [ebp+var_8]
		mov	[edi+4], ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_722F97:				; CODE XREF: PopDiagInterruptTimeToSystemTime(x,x,x)+32j
					; PopDiagInterruptTimeToSystemTime(x,x,x)+36j
		neg	esi
		adc	ecx, 0
		neg	ecx
		jmp	short loc_722F85
_PopDiagInterruptTimeToSystemTime@12 endp


;  S U B	R O U T	I N E 


PfpScenCtxQueryScenarioInformation proc	near ; CODE XREF: PfpQueryScenarioInformation+65p

; FUNCTION CHUNK AT 0072A082 SIZE 00000014 BYTES

		mov	edi, edi
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+1Ch]
		mov	[edi+4], eax
		mov	eax, [esi+20h]
		mov	[edi+0Ch], eax
		cmp	dword ptr [esi+1Ch], 3
		jz	short loc_722FFE

loc_722FD0:				; CODE XREF: PfpScenCtxQueryScenarioInformation+64j
		push	dword ptr [esi+28h]
		call	_KeResetEvent@4	; KeResetEvent(x)
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_72A082

loc_722FE7:				; CODE XREF: PfpScenCtxQueryScenarioInformation+70E4j
					; PfpScenCtxQueryScenarioInformation+70F1j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_722FFE:				; CODE XREF: PfpScenCtxQueryScenarioInformation+2Ej
		mov	eax, [esi+24h]
		mov	[edi+14h], eax
		jmp	short loc_722FD0
PfpScenCtxQueryScenarioInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopHiberCheckResume proc near		; CODE XREF: PopSaveHiberContextWrapper(x)+25p

var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= word ptr -0BCh
var_BA		= word ptr -0BAh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072A096 SIZE 000000B1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0BCh
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+0BCh+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0A0h		; size_t
		xor	ebx, ebx
		lea	eax, [esp+0CCh+var_A8]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	esi, ds:dword_6C26F8
		add	esp, 0Ch
		mov	[esp+0C8h+var_B8], esi
		mov	edi, [esi+88h]
		mov	[esp+0C8h+var_B4], edi
		cmp	[edi], ebx
		jz	loc_72315B
		push	19h
		pop	ecx
		call	PopCheckpointSystemSleep
		push	ebx
		call	ds:off_6B1364	; xHalLocateHiberRanges(x)
		rdtsc
		push	5
		mov	[esp+0D0h+var_B4], eax
		mov	[esp+0D0h+var_B0], edx
		mov	ds:_PoResumeFromHibernate, 1
		call	ds:off_6B12A8	; KeSetDmaIoCoherency(x)
		push	1
		call	ds:off_6B1364	; xHalLocateHiberRanges(x)
		cmp	ds:_HvlHypervisorConnected, bl
		jnz	loc_72A096

loc_723092:				; CODE XREF: PopHiberCheckResume+709Bj
		push	5
		call	ds:off_6B1328	; xHalPciEarlyRestore(x)
		cmp	ds:_HvlHypervisorConnected, bl
		jnz	loc_72A0A6

loc_7230A6:				; CODE XREF: PopHiberCheckResume+70A7j
		cmp	ds:_KdDebuggerEnabled, bl
		jnz	loc_72A0B2

loc_7230B2:				; CODE XREF: PopHiberCheckResume+70B2j
		cmp	ds:_KdEventLoggingEnabled, bl
		jnz	loc_72A0BE

loc_7230BE:				; CODE XREF: PopHiberCheckResume+70C5j
		cmp	ds:_KdDebuggerEnabled, bl
		jnz	loc_72A0D0

loc_7230CA:				; CODE XREF: PopHiberCheckResume+70D0j
					; PopHiberCheckResume+70D7j
		test	ds:_PopSimulate, 40000000h
		jnz	loc_72A0E2

loc_7230DA:				; CODE XREF: PopHiberCheckResume+70DDj
		push	dword ptr [esi+98h]
		push	dword ptr [esi+94h]
		call	ds:__imp__HalInitializeOnResume@8 ; HalInitializeOnResume(x,x)
		lea	esi, [edi+314h]
		cmp	[esi], ebx
		jnz	loc_72A0E8

loc_7230FA:				; CODE XREF: PopHiberCheckResume+713Cj
		mov	eax, [edi+300h]
		lea	esi, [edi+68h]
		mov	edx, [esp+0E0h+var_C4]
		mov	ds:dword_6BBFD8, eax
		mov	eax, [edi+304h]
		mov	edi, offset dword_6C28B8
		mov	ds:dword_6BBFDC, eax
		mov	eax, [esp+0E0h+var_D0]
		push	7Eh
		pop	ecx
		rep movsd
		mov	ecx, [esp+0E0h+var_C8]
		mov	[eax+4], bl
		mov	ds:dword_6C2988, ecx
		sub	ecx, ds:dword_6C2920
		mov	ds:dword_6C298C, edx
		sbb	edx, ds:dword_6C2924
		test	byte ptr ds:_HvlpFlags,	2
		mov	ds:dword_6C2918, ecx
		mov	ds:dword_6C291C, edx
		jnz	short loc_723172

loc_723159:				; CODE XREF: PopHiberCheckResume+16Fj
		mov	bl, 1

loc_72315B:				; CODE XREF: PopHiberCheckResume+4Aj
		mov	ecx, [esp+0E0h+var_1C]
		mov	al, bl
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_723172:				; CODE XREF: PopHiberCheckResume+151j
		mov	[eax+14h], ebx
		jmp	short loc_723159
PopHiberCheckResume endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTracePostSleepNotification proc near ; CODE XREF: PAGELK:0071F92Cp

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 0072A147 SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_14]
		push	esi
		push	edi
		push	4
		xor	esi, esi
		mov	[ebp+var_80], ecx
		mov	[ebp+var_84], edx
		mov	[ebp+var_94], esi
		mov	[ebp+var_90], esi
		mov	[ebp+var_9C], esi
		mov	[ebp+var_98], esi
		pop	edi
		push	5
		pop	ecx
		cmp	eax, 0FFFFFFFFh
		jz	loc_72A147
		cmp	eax, 0FFFFFFFEh
		jz	loc_72A14E
		cmp	eax, 0FFFFFFFDh
		jz	loc_72A155

loc_7231D6:				; CODE XREF: PopDiagTracePostSleepNotification+6FD1j
					; PopDiagTracePostSleepNotification+6FD8j ...
		mov	[ebp+var_88], eax
		mov	eax, [ebp+arg_18]
		cmp	eax, 0FFFFFFFFh
		jz	loc_72A15D
		cmp	eax, 0FFFFFFFEh
		jz	short loc_7231F8
		cmp	eax, 0FFFFFFFDh
		jz	loc_72A164
		mov	ecx, eax

loc_7231F8:				; CODE XREF: PopDiagTracePostSleepNotification+73j
					; PopDiagTracePostSleepNotification+6FE7j ...
		mov	eax, [ebp+arg_4]
		or	eax, [ebp+arg_8]
		mov	[ebp+var_8C], ecx
		jnz	loc_72A16C

loc_72320A:				; CODE XREF: PopDiagTracePostSleepNotification+7005j
		mov	eax, [ebp+arg_C]
		or	eax, [ebp+arg_10]
		jnz	loc_72A182

loc_723216:				; CODE XREF: PopDiagTracePostSleepNotification+701Bj
		cmp	ds:_PopDiagHandleRegistered, 0
		jz	loc_7232BB
		lea	eax, [ebp+var_80]
		mov	[ebp+var_78], esi
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_88]
		push	8
		pop	ecx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	7
		push	esi
		push	offset _POP_ETW_EVENT_POSTSLEEP_NOTIFICATION
		push	ds:dword_6C1D74
		mov	[ebp+var_74], edi
		push	ds:_PopDiagHandle
		mov	[ebp+var_70], esi
		mov	[ebp+var_68], esi
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], esi
		mov	[ebp+var_58], esi
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_7232BB:				; CODE XREF: PopDiagTracePostSleepNotification+A5j
		mov	ecx, [ebp+var_8]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
PopDiagTracePostSleepNotification endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTraceSystemTimeChange proc near	; CODE XREF: PoNotifySystemTimeSet(x,x,x)+30p

var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0072A198 SIZE 0000011E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 104h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+104h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+110h+var_100], ecx
		push	2
		mov	word ptr [esp+114h+var_F0], ax
		mov	ebx, edx
		pop	eax
		mov	word ptr [esp+110h+var_F0+2], ax
		mov	eax, large fs:124h
		mov	[esp+110h+var_EC], offset ??_C@_11LOCGONAA@@OKHAJAOM@
		mov	esi, [eax+80h]
		push	esi
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	edi, eax
		mov	[esp+110h+var_F4], edi
		mov	esi, [esi+1C0h]
		test	esi, esi
		jz	short loc_723331
		xor	eax, eax
		cmp	ax, [esi]
		jnz	short loc_723335

loc_723331:				; CODE XREF: EtwTraceSystemTimeChange+5Cj
		lea	esi, [esp+110h+var_F0]

loc_723335:				; CODE XREF: EtwTraceSystemTimeChange+63j
		xor	ecx, ecx
		cmp	ds:dword_6B2A40, 5
		jbe	short loc_72335A
		push	4000h
		push	ecx
		mov	ecx, offset dword_6B2A40
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_72A198

loc_723358:				; CODE XREF: EtwTraceSystemTimeChange+6FE5j
		xor	ecx, ecx

loc_72335A:				; CODE XREF: EtwTraceSystemTimeChange+72j
		mov	edx, ds:_EtwKernelProvRegHandle
		mov	eax, edx
		mov	edi, ds:dword_6BC12C
		or	eax, edi
		jz	loc_7233FF
		mov	eax, [esp+110h+var_100]
		push	8
		mov	[esp+114h+var_D8], eax
		pop	eax
		push	4
		mov	[esp+114h+var_D0], eax
		mov	[esp+114h+var_C0], eax
		lea	eax, [ebp+arg_0]
		mov	[esp+114h+var_C8], ebx
		pop	ebx
		mov	[esp+110h+var_B8], eax
		mov	[esp+110h+var_D4], ecx
		mov	[esp+110h+var_CC], ecx
		mov	[esp+110h+var_C4], ecx
		mov	[esp+110h+var_BC], ecx
		mov	[esp+110h+var_B4], ecx
		mov	[esp+110h+var_B0], ebx
		mov	[esp+110h+var_AC], ecx
		movzx	ecx, word ptr [esi+2]
		mov	eax, [esi+4]
		xor	esi, esi
		mov	[esp+110h+var_A8], eax
		mov	eax, ecx
		mov	[esp+110h+var_A0], eax
		lea	eax, [esp+110h+var_F4]
		mov	[esp+110h+var_98], eax
		lea	eax, [esp+110h+var_D8]
		push	eax
		push	5
		push	esi
		push	offset _KernelSystemTimeChange
		push	edi
		push	edx
		mov	[esp+128h+var_A4], esi
		mov	[esp+128h+var_9C], esi
		mov	[esp+128h+var_94], esi
		mov	[esp+128h+var_90], ebx
		mov	[esp+128h+var_8C], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_7233FF:				; CODE XREF: EtwTraceSystemTimeChange+9Ej
		mov	ecx, [esp+110h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
EtwTraceSystemTimeChange endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpScenCtxPrefetchStateSet proc	near	; CODE XREF: PfpScenCtxScenarioSet+A1p
					; PfSetSuperfetchInformation+446p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0072A2B6 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jnz	short loc_72343C
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx

loc_72343C:				; CODE XREF: PfpScenCtxPrefetchStateSet+Fj
		cmp	[esi+1Ch], edi
		jnz	short loc_723497
		cmp	[ebp+arg_0], 1
		jz	loc_72A2B6

loc_72344B:				; CODE XREF: PfpScenCtxPrefetchStateSet+6EA7j
		mov	ecx, [esi+4]
		xor	edi, edi
		mov	eax, ecx
		and	al, 0Ch
		cmp	al, 4
		jz	loc_72A2CD

loc_72345C:				; CODE XREF: PfpScenCtxPrefetchStateSet+6EC9j
		mov	eax, ecx
		xor	eax, [ebp+arg_0]
		and	eax, 3
		xor	eax, ecx
		mov	[esi+4], eax

loc_723469:				; CODE XREF: PfpScenCtxPrefetchStateSet+86j
					; PfpScenCtxPrefetchStateSet+6EB2j
		cmp	[ebp+arg_4], 0
		jnz	short loc_72348F
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_723483
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_723483:				; CODE XREF: PfpScenCtxPrefetchStateSet+64j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_72348F:				; CODE XREF: PfpScenCtxPrefetchStateSet+57j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_723497:				; CODE XREF: PfpScenCtxPrefetchStateSet+29j
		mov	edi, 0C0000059h
		jmp	short loc_723469
PfpScenCtxPrefetchStateSet endp


;  S U B	R O U T	I N E 


; __stdcall PopBootLoaderSiDataProcess()
_PopBootLoaderSiDataProcess@0 proc near	; CODE XREF: PoBroadcastSystemState+43Bp
		mov	edi, edi
		push	ecx
		mov	eax, ds:dword_6C26F8
		test	eax, eax
		jz	short loc_7234B9
		mov	ecx, [eax+90h]
		test	ecx, ecx
		jz	short loc_7234B9
		call	_PopBootLoaderSiData@4 ; PopBootLoaderSiData(x)

loc_7234B9:				; CODE XREF: PopBootLoaderSiDataProcess()+Aj
					; PopBootLoaderSiDataProcess()+14j
		pop	ecx
		retn
_PopBootLoaderSiDataProcess@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopBootLoaderSiData(x)
_PopBootLoaderSiData@4 proc near	; CODE XREF: PopBootLoaderSiDataProcess()+16p
		mov	edi, edi
		push	ebx
		mov	ebx, [ecx+10h]
		push	esi
		push	edi
		cmp	dword ptr [ebx], 4C626948h
		jnz	short loc_7234EC
		xor	esi, esi
		lea	edi, [ebx+10h]
		inc	esi

loc_7234D2:				; CODE XREF: PopBootLoaderSiData(x)+2Ej
		mov	edx, [edi+4]
		test	edx, edx
		jz	short loc_7234E3
		mov	ecx, [edi]
		push	esi
		add	ecx, ebx
		call	_BapdRegisterSiData@12 ; BapdRegisterSiData(x,x,x)

loc_7234E3:				; CODE XREF: PopBootLoaderSiData(x)+1Bj
		inc	esi
		add	edi, 8
		cmp	esi, 2
		jbe	short loc_7234D2

loc_7234EC:				; CODE XREF: PopBootLoaderSiData(x)+Ej
		pop	edi
		pop	esi
		pop	ebx
		retn
_PopBootLoaderSiData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetSystemPowerState(x, x,	x)
_NtSetSystemPowerState@12 proc near	; CODE XREF: NtShutdownSystem(x)+31p
					; DATA XREF: .text:00580C6Co

var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 158h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+158h+var_4], eax
		push	144h		; size_t
		lea	eax, [esp+15Ch+var_14C]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		lea	ecx, [esp+164h+var_158]
		mov	[esp+164h+var_158], eax
		add	esp, 0Ch
		mov	eax, [ebp+arg_4]
		mov	[esp+158h+var_154], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+158h+var_150], eax
		call	_PopTransitionSystemPowerStateEx@4 ; PopTransitionSystemPowerStateEx(x)
		mov	ecx, [esp+158h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_NtSetSystemPowerState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpScenCtxPrefetchAbortSet proc	near	; CODE XREF: PfpPrefetchRequestPerform+136861p
					; PfpPrefetchRequestPerform+13695Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0072A2E4 SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jz	loc_72A2E4

loc_723569:				; CODE XREF: PfpScenCtxPrefetchAbortSet+6DA7j
		cmp	[esi+1Ch], edi
		jnz	short loc_723598
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_72A2FE

loc_723579:				; CODE XREF: PfpScenCtxPrefetchAbortSet+6DB3j
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, [ebp+arg_0]
		xor	edi, edi
		mov	[esi+18h], ecx

loc_723587:				; CODE XREF: PfpScenCtxPrefetchAbortSet+4Bj
					; PfpScenCtxPrefetchAbortSet+6DBEj
		test	ebx, ebx
		jz	loc_72A315

loc_72358F:				; CODE XREF: PfpScenCtxPrefetchAbortSet+6DE3j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_723598:				; CODE XREF: PfpScenCtxPrefetchAbortSet+1Aj
		mov	edi, 0C0000059h
		jmp	short loc_723587
PfpScenCtxPrefetchAbortSet endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopVerifierFlushMemoryBeforeSleep proc near ; CODE XREF: PoBroadcastSystemState+289p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072A33A SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		call	MmIsVerifierEnabled
		mov	eax, [ebp+var_4]
		shr	eax, 1
		and	al, 1
		test	byte ptr ds:_PopSimulate, 80h
		jnz	short loc_7235CB

loc_7235C4:				; CODE XREF: PopVerifierFlushMemoryBeforeSleep+2Dj
		test	al, al
		jnz	short loc_7235CF

loc_7235C8:				; CODE XREF: PopVerifierFlushMemoryBeforeSleep+6DBFj
		pop	esi
		leave
		retn
; 

loc_7235CB:				; CODE XREF: PopVerifierFlushMemoryBeforeSleep+22j
		mov	al, 1
		jmp	short loc_7235C4
; 

loc_7235CF:				; CODE XREF: PopVerifierFlushMemoryBeforeSleep+26j
		push	2
		pop	esi
		jmp	loc_72A33A
PopVerifierFlushMemoryBeforeSleep endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1721. PoSetFixedWakeSource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoSetFixedWakeSource(x)
		public _PoSetFixedWakeSource@4
_PoSetFixedWakeSource@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		or	ds:_PopFixedWakeSourceMask, eax
		pop	ebp
		retn	4
_PoSetFixedWakeSource@4	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1204. KeLoadMTRR

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeLoadMTRR
KeLoadMTRR	proc near		; CODE XREF: KiLoadMTRRTarget(x)+8p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0072A364 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:byte_6C75B0,	0
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_7C], ebx
		jz	loc_723755
		call	_KiCompareVarMtrr@0 ; KiCompareVarMtrr()
		test	al, al
		jz	loc_72A364

loc_723627:				; CODE XREF: KeLoadMTRR+6D77j
		cmp	ds:dword_6C75B8, 0
		jz	short loc_72364E
		lea	ecx, [ebp+var_5C]
		call	KiReadFixedMtrr
		mov	ecx, ds:dword_6C75B8
		lea	edx, [ebp+var_5C]
		call	_KiCompareFixedMtrr@8 ;	KiCompareFixedMtrr(x,x)
		test	al, al
		jz	loc_72A370

loc_72364E:				; CODE XREF: KeLoadMTRR+3Aj
					; KeLoadMTRR+6D83j
		push	edi
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, ebx
		mov	[ebp+var_5D], al
		call	_KiLockStepExecution@4 ; KiLockStepExecution(x)
		mov	eax, cr0
		mov	ecx, eax
		mov	[ebp+var_78], eax
		and	ecx, 0DFFFFFFFh
		or	ecx, 40000000h
		mov	cr0, ecx
		mov	edi, cr4
		mov	ebx, edi
		mov	[ebp+var_6C], edi
		and	ebx, 80h
		wbinvd
		mov	[ebp+var_70], ebx
		jz	loc_72A37C
		mov	eax, edi
		and	eax, 0FFFFFF7Fh
		mov	cr4, eax

loc_723698:				; CODE XREF: KeLoadMTRR+6D8Dj
		mov	edx, ds:dword_6C75A4
		mov	ecx, 2FFh
		push	esi
		mov	esi, ds:_KiMtrrInfo
		and	esi, 0FFFFF7FFh
		mov	[ebp+var_74], edx
		mov	eax, esi
		mov	[ebp+var_68], esi
		wrmsr
		movzx	eax, byte ptr ds:dword_6C75A8
		xor	ecx, ecx
		cmp	eax, ecx
		jbe	short loc_72370F
		mov	edi, ecx
		mov	ebx, 201h
		mov	esi, ecx

loc_7236D0:				; CODE XREF: KeLoadMTRR+110j
		mov	edx, ds:dword_6C75B4
		lea	ecx, [ebx-1]
		inc	esi
		mov	eax, [edi+edx]
		lea	edi, [edi+10h]
		mov	edx, [edi+edx-0Ch]
		wrmsr
		mov	edx, ds:dword_6C75B4
		mov	ecx, ebx
		add	ebx, 2
		mov	eax, [edi+edx-8]
		mov	edx, [edi+edx-4]
		wrmsr
		movzx	eax, byte ptr ds:dword_6C75A8
		cmp	esi, eax
		jb	short loc_7236D0
		mov	esi, [ebp+var_68]
		mov	edi, [ebp+var_6C]
		mov	ebx, [ebp+var_70]

loc_72370F:				; CODE XREF: KeLoadMTRR+D1j
		mov	ecx, ds:dword_6C75B8
		test	ecx, ecx
		jz	short loc_72371E
		call	KiWriteFixedMtrr

loc_72371E:				; CODE XREF: KeLoadMTRR+123j
		mov	edx, [ebp+var_74]
		or	esi, 800h
		mov	ecx, 2FFh
		mov	eax, esi
		wrmsr
		wbinvd
		call	_KeFlushCurrentTbImmediately@0 ; KeFlushCurrentTbImmediately()
		mov	eax, [ebp+var_78]
		mov	cr0, eax
		pop	esi
		test	ebx, ebx
		jz	short loc_723745
		mov	cr4, edi

loc_723745:				; CODE XREF: KeLoadMTRR+14Cj
		mov	ecx, [ebp+var_7C]
		call	_KiLockStepExecution@4 ; KiLockStepExecution(x)
		cmp	[ebp+var_5D], 0
		pop	edi
		jz	short loc_723755
		sti

loc_723755:				; CODE XREF: KeLoadMTRR+20j
					; KeLoadMTRR+15Ej
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
KeLoadMTRR	endp


;  S U B	R O U T	I N E 


; __stdcall KiLockStepExecution(x)
_KiLockStepExecution@4 proc near	; CODE XREF: KeLoadMTRR+65p
					; KeLoadMTRR+154p
		mov	eax, large fs:20h
		mov	edx, [ecx+0Ch]
		mov	eax, [eax+3CCh]
		cmp	eax, [ecx]
		jz	short loc_72378A
		mov	eax, [edx]
		lock inc dword ptr [ecx+8]
		jmp	short loc_723783
; 

loc_723781:				; CODE XREF: KiLockStepExecution(x)+1Fj
		pause

loc_723783:				; CODE XREF: KiLockStepExecution(x)+19j
		cmp	[edx], eax
		jz	short loc_723781
		retn
; 

loc_723788:				; CODE XREF: KiLockStepExecution(x)+2Aj
		pause

loc_72378A:				; CODE XREF: KiLockStepExecution(x)+11j
		mov	eax, [ecx+8]
		cmp	eax, [ecx+4]
		jnz	short loc_723788
		mov	dword ptr [ecx+8], 0
		lock inc dword ptr [edx]
		retn
_KiLockStepExecution@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetPageAttributesTable()
_KiSetPageAttributesTable@0 proc near	; CODE XREF: KeRestoreProcessorSpecificFeatures()+3p
					; KiInitializeKernel(x,x,x,x,x,x):loc_7253FEp ...

var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	[ebp+var_C], 70106h
		xor	ebx, ebx
		mov	[ebp+var_8], 70106h
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, 277h
		mov	[ebp+var_15], al
		rdmsr
		mov	[ebp+var_14], eax
		mov	ecx, ebx
		mov	[ebp+var_10], edx

loc_7237D8:				; CODE XREF: KiSetPageAttributesTable()+4Cj
		mov	al, byte ptr [ebp+ecx+var_14]
		cmp	al, 6
		jz	short loc_723823

loc_7237E0:				; CODE XREF: KiSetPageAttributesTable()+8Aj
		cmp	al, byte ptr [ebp+ecx+var_C]
		jnz	short loc_72382F

loc_7237E6:				; CODE XREF: KiSetPageAttributesTable()+94j
		inc	ecx
		cmp	ecx, 8
		jb	short loc_7237D8

loc_7237EC:				; CODE XREF: KiSetPageAttributesTable()+8Fj
		test	ebx, ebx
		jz	short loc_723810
		and	ebx, 2
		jnz	short loc_723834

loc_7237F5:				; CODE XREF: KiSetPageAttributesTable()+98j
		call	_KeFlushCurrentTbImmediately@0 ; KeFlushCurrentTbImmediately()
		mov	eax, [ebp+var_C]
		mov	ecx, 277h
		mov	edx, [ebp+var_8]
		wrmsr
		test	ebx, ebx
		jnz	short loc_723838

loc_72380B:				; CODE XREF: KiSetPageAttributesTable()+9Cj
		call	_KeFlushCurrentTbImmediately@0 ; KeFlushCurrentTbImmediately()

loc_723810:				; CODE XREF: KiSetPageAttributesTable()+50j
		cmp	[ebp+var_15], 0
		pop	ebx
		jnz	short loc_72383C

loc_723817:				; CODE XREF: KiSetPageAttributesTable()+9Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_723823:				; CODE XREF: KiSetPageAttributesTable()+40j
		cmp	byte ptr [ebp+ecx+var_C], 6
		jz	short loc_7237E0
		push	3
		pop	ebx
		jmp	short loc_7237EC
; 

loc_72382F:				; CODE XREF: KiSetPageAttributesTable()+46j
		or	ebx, 1
		jmp	short loc_7237E6
; 

loc_723834:				; CODE XREF: KiSetPageAttributesTable()+55j
		wbinvd
		jmp	short loc_7237F5
; 

loc_723838:				; CODE XREF: KiSetPageAttributesTable()+6Bj
		wbinvd
		jmp	short loc_72380B
; 

loc_72383C:				; CODE XREF: KiSetPageAttributesTable()+77j
		sti
		jmp	short loc_723817
_KiSetPageAttributesTable@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


KiWriteFixedMtrr proc near		; CODE XREF: KeLoadMTRR+125p

; FUNCTION CHUNK AT 0072A386 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		xor	edi, edi
		cmp	ds:byte_6C75B1,	1
		mov	ebx, ecx
		mov	ecx, 0C0010010h
		jz	loc_72A386
		mov	eax, large fs:20h
		cmp	byte ptr [eax+3BEh], 2
		jz	loc_72A39A

loc_723870:				; CODE XREF: KiWriteFixedMtrr+6B6Bj
					; KiWriteFixedMtrr+6B80j
		mov	eax, [ebx]
		mov	ecx, 250h
		mov	edx, [ebx+4]
		wrmsr
		mov	eax, [ebx+8]
		add	ecx, 8
		mov	edx, [ebx+0Ch]
		wrmsr
		mov	eax, [ebx+10h]
		mov	ecx, 259h
		mov	edx, [ebx+14h]
		wrmsr
		mov	eax, [ebx+18h]
		add	ecx, 0Fh
		mov	edx, [ebx+1Ch]
		wrmsr
		mov	eax, [ebx+20h]
		mov	ecx, 269h
		mov	edx, [ebx+24h]
		wrmsr
		mov	eax, [ebx+28h]
		inc	ecx
		mov	edx, [ebx+2Ch]
		wrmsr
		mov	eax, [ebx+30h]
		mov	ecx, 26Bh
		mov	edx, [ebx+34h]
		wrmsr
		mov	eax, [ebx+38h]
		inc	ecx
		mov	edx, [ebx+3Ch]
		wrmsr
		mov	eax, [ebx+40h]
		mov	ecx, 26Dh
		mov	edx, [ebx+44h]
		wrmsr
		mov	eax, [ebx+48h]
		inc	ecx
		mov	edx, [ebx+4Ch]
		wrmsr
		mov	eax, [ebx+50h]
		mov	ecx, 26Fh
		mov	edx, [ebx+54h]
		wrmsr
		cmp	ds:byte_6C75B1,	1
		jz	loc_72A3C5

loc_7238FB:				; CODE XREF: KiWriteFixedMtrr+6B9Cj
		pop	edi
		pop	esi
		pop	ebx
		retn
KiWriteFixedMtrr endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KiCompareFixedMtrr(x, x)
_KiCompareFixedMtrr@8 proc near		; CODE XREF: KeLoadMTRR+4Dp
		mov	eax, large fs:20h
		push	esi
		xor	esi, esi
		cmp	[eax+3CCh], esi
		jz	short loc_723915

loc_723911:				; CODE XREF: KiCompareFixedMtrr(x,x)+30j
		mov	al, 1
		pop	esi
		retn
; 

loc_723915:				; CODE XREF: KiCompareFixedMtrr(x,x)+Fj
		sub	ecx, edx

loc_723917:				; CODE XREF: KiCompareFixedMtrr(x,x)+2Ej
		mov	eax, [ecx+edx]
		cmp	eax, [edx]
		jnz	short loc_723932
		mov	eax, [ecx+edx+4]
		cmp	eax, [edx+4]
		jnz	short loc_723932
		inc	esi
		add	edx, 8
		cmp	esi, 0Bh
		jb	short loc_723917
		jmp	short loc_723911
; 

loc_723932:				; CODE XREF: KiCompareFixedMtrr(x,x)+1Cj
					; KiCompareFixedMtrr(x,x)+25j
		xor	al, al
		pop	esi
		retn
_KiCompareFixedMtrr@8 endp


;  S U B	R O U T	I N E 


KiReadFixedMtrr	proc near		; CODE XREF: KeLoadMTRR+3Fp
					; KiInitializeMTRR+D6p

; FUNCTION CHUNK AT 0072A3E1 SIZE 00000047 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		xor	edi, edi
		cmp	ds:byte_6C75B1,	1
		mov	ebx, ecx
		mov	ecx, 0C0010010h
		jz	loc_72A3E1
		mov	eax, large fs:20h
		cmp	byte ptr [eax+3BEh], 2
		jz	loc_72A3EF

loc_723966:				; CODE XREF: KiReadFixedMtrr+6AC7j
					; KiReadFixedMtrr+6AD7j
		mov	ecx, 250h
		rdmsr
		add	ecx, 8
		mov	[ebx], eax
		mov	[ebx+4], edx
		rdmsr
		mov	[ebx+8], eax
		mov	ecx, 259h
		mov	[ebx+0Ch], edx
		rdmsr
		add	ecx, 0Fh
		mov	[ebx+10h], eax
		mov	[ebx+14h], edx
		rdmsr
		mov	[ebx+18h], eax
		mov	ecx, 269h
		mov	[ebx+1Ch], edx
		rdmsr
		inc	ecx
		mov	[ebx+20h], eax
		mov	[ebx+24h], edx
		rdmsr
		mov	[ebx+28h], eax
		mov	ecx, 26Bh
		mov	[ebx+2Ch], edx
		rdmsr
		inc	ecx
		mov	[ebx+30h], eax
		mov	[ebx+34h], edx
		rdmsr
		mov	[ebx+38h], eax
		mov	ecx, 26Dh
		mov	[ebx+3Ch], edx
		rdmsr
		inc	ecx
		mov	[ebx+40h], eax
		mov	[ebx+44h], edx
		rdmsr
		mov	[ebx+48h], eax
		mov	ecx, 26Fh
		mov	[ebx+4Ch], edx
		rdmsr
		mov	[ebx+50h], eax
		mov	[ebx+54h], edx
		cmp	ds:byte_6C75B1,	1
		jz	loc_72A412

loc_7239F1:				; CODE XREF: KiReadFixedMtrr+6AEDj
		pop	edi
		pop	esi
		pop	ebx
		retn
KiReadFixedMtrr	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiCompareVarMtrr()
_KiCompareVarMtrr@0 proc near		; CODE XREF: KeLoadMTRR+26p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:20h
		sub	esp, 1Ch
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		cmp	[eax+3CCh], ecx
		jz	short loc_723A18

loc_723A11:				; CODE XREF: KiCompareVarMtrr()+30j
					; KiCompareVarMtrr()+AFj
		mov	al, 1

loc_723A13:				; CODE XREF: KiCompareVarMtrr()+B6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_723A18:				; CODE XREF: KiCompareVarMtrr()+19j
		movzx	eax, byte ptr ds:dword_6C75A8
		mov	edi, ecx
		mov	[ebp+var_1C], eax
		cmp	eax, ecx
		jbe	short loc_723A11
		mov	esi, ds:dword_6C75B4
		mov	ebx, 201h
		add	esi, 8

loc_723A36:				; CODE XREF: KiCompareVarMtrr()+ADj
		lea	ecx, [ebx-1]
		rdmsr
		mov	[ebp+var_10], eax
		mov	ecx, ebx
		mov	[ebp+var_14], edx
		rdmsr
		mov	ecx, [esi]
		mov	[ebp+var_8], eax
		mov	eax, edx
		mov	edx, [ebp+var_8]
		mov	[ebp+var_4], ecx
		mov	ecx, [esi+4]
		mov	[ebp+var_18], eax
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+var_4]
		shrd	edx, eax, 0Bh
		mov	eax, [ebp+var_C]
		shrd	ecx, eax, 0Bh
		and	edx, 1
		and	ecx, 1
		cmp	edx, ecx
		jnz	short loc_723AAA
		xor	ecx, ecx
		or	edx, ecx
		jz	short loc_723A99
		mov	eax, [ebp+var_10]
		cmp	eax, [esi-8]
		jnz	short loc_723AAA
		mov	eax, [ebp+var_14]
		cmp	eax, [esi-4]
		jnz	short loc_723AAA
		mov	eax, [ebp+var_4]
		cmp	[ebp+var_8], eax
		jnz	short loc_723AAA
		mov	eax, [ebp+var_C]
		cmp	[ebp+var_18], eax
		jnz	short loc_723AAA

loc_723A99:				; CODE XREF: KiCompareVarMtrr()+81j
		inc	edi
		add	ebx, 2
		add	esi, 10h
		cmp	edi, [ebp+var_1C]
		jb	short loc_723A36
		jmp	loc_723A11
; 

loc_723AAA:				; CODE XREF: KiCompareVarMtrr()+7Bj
					; KiCompareVarMtrr()+89j ...
		xor	al, al
		jmp	loc_723A13
_KiCompareVarMtrr@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiCheckMicrocode proc near		; CODE XREF: KiRestoreFeatureBits()+FDp
					; KiInitializeKernel(x,x,x,x,x,x)+1FFp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072A428 SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+30h+var_18], ecx
		cmp	ds:_KiMicrocodeTrackerEnabled, 0
		lea	edi, [esp+30h+var_14]
		stosd
		stosd
		stosd
		stosd
		jz	loc_723B8F
		cmp	ds:_KiBootProcessorsStarted, 0
		jz	short loc_723B01
		mov	eax, [ecx+3CCh]
		cmp	eax, ds:_KiBootProcessorCount
		jnb	loc_723B8F

loc_723B01:				; CODE XREF: KiCheckMicrocode+3Bj
		mov	al, [ecx+3BEh]
		cmp	al, 2
		jz	loc_72A428
		cmp	al, 1
		jnz	short loc_723B8F
		xor	eax, eax
		lea	edi, [esp+30h+var_14]
		xor	edx, edx
		mov	ecx, 8Bh
		wrmsr
		inc	eax
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	ecx, 8Bh
		mov	[edi+0Ch], edx
		rdmsr
		push	17h
		pop	ecx
		mov	ebx, edx
		rdmsr
		mov	[esp+30h+var_20], eax
		mov	[esp+30h+var_24], edx

loc_723B4D:				; CODE XREF: KiCheckMicrocode+69AAj
		mov	edi, [esp+30h+var_14]
		xor	esi, esi
		mov	edx, [esp+30h+var_20]
		xor	ecx, ecx

loc_723B59:				; CODE XREF: KiCheckMicrocode+121j
		cmp	ds:_KiMicrocodeTracker[ecx], 0
		jz	short loc_723BA1
		cmp	ds:dword_70E4E4[ecx], edi
		jnz	short loc_723BCC
		cmp	ds:dword_70E4E8[ecx], edx
		jnz	short loc_723BCC
		mov	eax, ds:dword_70E4EC[ecx]
		cmp	eax, [esp+30h+var_24]
		jnz	short loc_723BCC
		imul	eax, esi, 18h
		mov	ecx, ds:dword_70E4F0[eax]
		cmp	ecx, ebx
		jnz	loc_72A461

loc_723B8F:				; CODE XREF: KiCheckMicrocode+2Ej
					; KiCheckMicrocode+49j	...
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_723BA1:				; CODE XREF: KiCheckMicrocode+AEj
		imul	eax, esi, 18h
		mov	ds:_KiMicrocodeTracker[ecx], 1
		mov	ecx, [esp+30h+var_24]
		mov	ds:dword_70E4E4[eax], edi
		mov	ds:dword_70E4E8[eax], edx
		mov	ds:dword_70E4EC[eax], ecx
		mov	ds:dword_70E4F0[eax], ebx
		jmp	short loc_723B8F
; 

loc_723BCC:				; CODE XREF: KiCheckMicrocode+B6j
					; KiCheckMicrocode+BEj	...
		add	ecx, 18h
		inc	esi
		cmp	ecx, 60h
		jb	short loc_723B59
		jmp	short loc_723B8F
KiCheckMicrocode endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdRegisterSiData(x, x, x)
_BapdRegisterSiData@12 proc near	; CODE XREF: PopBootLoaderSiData(x)+22p
					; BapdpRegisterWbclData(x)+93p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_C], edx
		mov	esi, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		push	edi
		test	esi, esi
		jz	loc_723DF1
		lea	ecx, [ebp+var_8]
		call	_BapdGetISRegistryKey@4	; BapdGetISRegistryKey(x)
		test	eax, eax
		js	loc_723DE3
		mov	ebx, [ebp+arg_0]
		lea	edi, [esi+4]
		test	edi, edi
		jz	short loc_723C46
		cmp	dword ptr [esi], 0
		jz	short loc_723C46
		mov	eax, offset ??_C@_1BC@GMFALMFC@?$AAW?$AAB?$AAC?$AAL?$AAD?$AAr?$AAt?$AAm@OKHAJAOM@
		cmp	ebx, 2
		jz	short loc_723C29
		mov	eax, offset ??_C@_19HEALFAGP@?$AAW?$AAB?$AAC?$AAL@OKHAJAOM@

loc_723C29:				; CODE XREF: BapdRegisterSiData(x,x,x)+4Aj
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	dword ptr [esi]
		lea	eax, [ebp+var_14]
		push	edi
		push	3
		push	0
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_723C46:				; CODE XREF: BapdRegisterSiData(x,x,x)+3Bj
					; BapdRegisterSiData(x,x,x)+40j
		cmp	ebx, 2
		jz	loc_723DE3
		mov	edi, [esi]
		lea	eax, [edi+34h]
		cmp	[ebp+var_C], eax
		jb	loc_723DE3
		cmp	dword ptr [edi+esi+4], 30h
		ja	loc_723DE3
		cmp	dword ptr [edi+esi+8], 2
		ja	loc_723DE3
		push	offset ??_C@_1BG@CBMDEONI@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAC?$AAo?$AAu?$AAn?$AAt@OKHAJAOM@ ; "E"
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		lea	eax, [esi+0Ch]
		add	eax, edi
		push	eax
		push	0Bh
		push	0
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BE@PMCPENL@?$AAB?$AAo?$AAo?$AAt?$AAC?$AAo?$AAu?$AAn?$AAt@OKHAJAOM@
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		lea	eax, [esi+14h]
		add	eax, edi
		push	eax
		push	0Bh
		push	0
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BE@PLFCIJJC@?$AAC?$AAo?$AAu?$AAn?$AAt?$AAe?$AAr?$AAI?$AAd@OKHAJAOM@
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		lea	eax, [esi+1Ch]
		add	eax, edi
		push	eax
		push	0Bh
		push	0
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		cmp	dword ptr [edi+esi+8], 2
		jnz	loc_723D70
		cmp	dword ptr [edi+esi+4], 30h
		jnz	short loc_723D70
		cmp	byte ptr [edi+esi+24h],	0
		jz	short loc_723D70
		push	(offset	loc_728289+1)
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [esi+2Ch]
		add	eax, edi
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	(offset	loc_728231+1)
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [esi+30h]
		add	eax, edi
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BO@KBGBBKMI@?$AAT?$AAP?$AAM?$AAD?$AAi?$AAg?$AAe?$AAs?$AAt?$AAA?$AAl?$AAg?$AAI?$AAD@OKHAJAOM@
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [esi+28h]
		add	eax, edi
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_723D70:				; CODE XREF: BapdRegisterSiData(x,x,x)+112j
					; BapdRegisterSiData(x,x,x)+11Dj ...
		test	ebx, ebx
		jnz	short loc_723DE3
		push	(offset	loc_7281EB+1)
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		lea	eax, [esi+0Ch]
		add	eax, edi
		push	eax
		push	0Bh
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	(offset	loc_72820F+1)
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		lea	eax, [esi+14h]
		add	eax, edi
		push	eax
		push	0Bh
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1CC@KBCDAIDG@?$AAI?$AAn?$AAi?$AAt?$AAi?$AAa?$AAl?$AAC?$AAo?$AAu?$AAn?$AAt?$AAe?$AAr?$AAI@OKHAJAOM@
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		lea	eax, [esi+1Ch]
		add	eax, edi
		push	eax
		push	0Bh
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_723DE3:				; CODE XREF: BapdRegisterSiData(x,x,x)+2Dj
					; BapdRegisterSiData(x,x,x)+71j ...
		cmp	[ebp+var_8], 0
		jz	short loc_723DF1
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_723DF1:				; CODE XREF: BapdRegisterSiData(x,x,x)+1Dj
					; BapdRegisterSiData(x,x,x)+20Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_BapdRegisterSiData@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdGetISRegistryKey(x)
_BapdGetISRegistryKey@4	proc near	; CODE XREF: BapdRegisterSiData(x,x,x)+26p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_C]
		push	offset ??_C@_1GG@IBGAEKLO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@OKHAJAOM@
		push	eax
		mov	edi, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		mov	[ebp+var_24], 18h
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_20], ebx
		push	eax
		mov	[ebp+var_18], 240h
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_723E9F
		push	offset ??_C@_1CE@KCLMNKNL@?$AAI?$AAn?$AAt?$AAe?$AAg?$AAr?$AAi?$AAt?$AAy?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc@OKHAJAOM@
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_4]
		push	ebx
		push	1
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_C]
		push	ebx
		push	ebx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	6001Fh
		push	edi
		mov	[ebp+var_24], 18h
		mov	[ebp+var_18], 240h
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_723E9F:				; CODE XREF: BapdGetISRegistryKey(x)+59j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_BapdGetISRegistryKey@4	endp

; 

KiEnableXSave:				; CODE XREF: KiRestoreXSaveSupport()j
					; KiInitializeKernel(x,x,x,x,x,x)+30Bp	...
		mov	eax, ds:_KeFeatureBits
		and	eax, 400000h
		or	eax, 0
		mov	ecx, cr4
		jz	loc_72A479
		mov	eax, 40000h
		test	ecx, eax
		jz	short loc_723F03

loc_723EC5:				; CODE XREF: PAGELK:00723F08j
		mov	eax, ds:0FFDF03D8h
		xor	ecx, ecx
		mov	edx, ds:0FFDF03DCh
; 
		dw 10Fh
; 
		shl	dword ptr [ecx-20FA10h], 1
		mov	ecx, eax
		mov	edx, ds:0FFDF05F4h
		or	ecx, edx
		jnz	short loc_723F0A

loc_723EE6:				; CODE XREF: PAGELK:00723F11j
		mov	ecx, large fs:20h
		lea	eax, [ecx+18h]
		cmp	[ecx+4168h], eax
		jz	short nullsub_7
		or	dword ptr [ecx+416Ch], 10040h
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_7. PRESS KEYPAD "+" TO EXPAND]
; 

loc_723F03:				; CODE XREF: PAGELK:00723EC3j
		or	ecx, eax
		mov	cr4, ecx
		jmp	short loc_723EC5
; 

loc_723F0A:				; CODE XREF: PAGELK:00723EE4j
		mov	ecx, 0DA0h
		wrmsr
		jmp	short loc_723EE6
; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfTAccessTracingStart(x, x,	x)
_PfTAccessTracingStart@12 proc near	; CODE XREF: PfpPowerActionStartScenarioTracing(x)+2Ap
					; PfTStart+1A9p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	ebx, edx
		mov	esi, ecx
		nop
		lea	edi, [esi+0Ch]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+arg_0]
		not	eax
		and	[esi+8], eax
		jnz	short loc_723F61
		mov	dword ptr [ebx+1Ch], 100h
		call	_MmGetDefaultPagePriority@0 ; MmGetDefaultPagePriority()
		xor	ecx, ecx
		mov	edx, eax
		inc	ecx
		call	MmSetAccessLogging
		mov	cl, 1
		call	_MmEnablePeriodicAccessClearing@4 ; MmEnablePeriodicAccessClearing(x)

loc_723F61:				; CODE XREF: PfTAccessTracingStart(x,x,x)+2Ej
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_723F81

loc_723F6E:				; CODE XREF: PfTAccessTracingStart(x,x,x)+74j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_723F81:				; CODE XREF: PfTAccessTracingStart(x,x,x)+58j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_723F6E
_PfTAccessTracingStart@12 endp


;  S U B	R O U T	I N E 


; __stdcall MmEnablePeriodicAccessClearing(x)
_MmEnablePeriodicAccessClearing@4 proc near ; CODE XREF: PfTAccessTracingCleanup(x,x,x)+77p
					; PfTAccessTracingStart(x,x,x)+48p
		mov	edi, edi
		push	ebx
		mov	bl, cl
		xor	ecx, ecx

loc_723F91:				; CODE XREF: MmEnablePeriodicAccessClearing(x)+1Fj
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		test	eax, eax
		jnz	short loc_723F9C
		pop	ebx
		retn
; 

loc_723F9C:				; CODE XREF: MmEnablePeriodicAccessClearing(x)+Ej
		mov	ecx, [eax]
		mov	ecx, [ecx+0F00h]
		mov	[ecx+2Fh], bl
		mov	ecx, eax
		jmp	short loc_723F91
_MmEnablePeriodicAccessClearing@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PfSnAllocateEnablePrefetcherTimer(x)
_PfSnAllocateEnablePrefetcherTimer@4 proc near ; CODE XREF: PfSnBeginBootPhase+53p
					; PfSnQueueEnablePrefetcherTimer(x)+9p
		mov	edi, edi
		push	esi
		push	edi
		push	77506343h
		push	50h
		push	200h
		mov	edi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_723FE3
		push	0
		push	esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	esi
		push	offset _PfSnEnablePrefetcherTimerRoutine@16 ; PfSnEnablePrefetcherTimerRoutine(x,x,x,x)
		lea	ecx, [esi+28h]
		push	ecx
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	[esi+48h], edi

loc_723FE3:				; CODE XREF: PfSnAllocateEnablePrefetcherTimer(x)+1Bj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_PfSnAllocateEnablePrefetcherTimer@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1146. KeForceEnableNx

;  S U B	R O U T	I N E 


; __stdcall KeForceEnableNx()
		public _KeForceEnableNx@0
_KeForceEnableNx@0 proc	near
		mov	al, ds:_KiNxForceEnable
		retn
_KeForceEnableNx@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BapdRecordFirmwareBootStats proc near	; CODE XREF: PopBootLoaderTraceProcess()+Dp
					; INIT:00AC2D0Fp

var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072AF38 SIZE 00000125 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 12Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		mov	edi, eax
		mov	[ebp+var_F8], eax
		mov	ebx, eax
		mov	[ebp+var_F4], eax
		push	eax
		mov	ecx, offset dword_6B2B58
		mov	[ebp+var_100], eax
		mov	[ebp+var_FC], eax
		mov	esi, eax
		mov	[ebp+var_F0], eax
		mov	[ebp+var_EC], eax
		mov	[ebp+var_108], eax
		mov	[ebp+var_104], eax
		mov	[ebp+var_E8], eax
		mov	[ebp+var_E4], eax
		mov	[ebp+var_D8], edi
		mov	[ebp+var_D4], ebx
		mov	[ebp+var_CC], eax
		mov	[ebp+var_E0], eax
		mov	[ebp+var_DC], eax
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		call	_ExIsSoftBoot@0	; ExIsSoftBoot()
		test	al, al
		jnz	loc_724225
		lea	eax, [ebp+var_D8]
		mov	dl, 1
		push	eax
		mov	ecx, offset _BOOTENV_ETW_PROVIDER
		call	_BapdRegisterEtwProvider@12 ; BapdRegisterEtwProvider(x,x,x)
		test	eax, eax
		js	loc_72B04C
		lea	eax, [ebp+var_CC]
		push	eax
		push	ebx
		push	ebx
		push	22h
		call	ds:off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		cmp	eax, 0C0000004h
		jnz	loc_72B04C
		cmp	[ebp+var_CC], ebx
		jz	loc_72B04C
		push	73627746h
		push	[ebp+var_CC]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_72B04C
		lea	eax, [ebp+var_CC]
		push	eax
		push	esi
		push	[ebp+var_CC]
		push	22h
		call	ds:off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	loc_72B04C
		push	ebx
		mov	edi, 0F4240h
		push	edi
		push	dword ptr [esi+14h]
		push	dword ptr [esi+10h]
		call	__aulldiv
		push	ebx
		push	edi
		mov	[ebp+var_E8], eax
		mov	[ebp+var_E4], edx
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		call	__aulldiv
		push	ebx
		push	edi
		mov	[ebp+var_F0], eax
		mov	[ebp+var_EC], edx
		push	dword ptr [esi+24h]
		push	dword ptr [esi+20h]
		call	__aulldiv
		push	ebx
		push	edi
		mov	[ebp+var_E0], eax
		mov	[ebp+var_DC], edx
		push	dword ptr [esi+2Ch]
		push	dword ptr [esi+28h]
		call	__aulldiv
		push	ebx
		push	edi
		mov	[ebp+var_F8], eax
		mov	[ebp+var_F4], edx
		push	dword ptr [esi+34h]
		push	dword ptr [esi+30h]
		call	__aulldiv
		mov	[ebp+var_100], eax
		lea	eax, [ebp+var_E8]
		mov	edi, [ebp+var_D8]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_F8]
		push	8
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_100]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	ebx
		push	(offset	loc_408507+1)
		mov	[ebp+var_54], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		mov	ebx, [ebp+var_D4]
		push	ebx
		push	edi
		mov	[ebp+var_FC], edx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_10], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	ds:dword_6B2B58, 4
		jbe	short loc_724225
		push	4000h
		push	0
		mov	ecx, offset dword_6B2B58
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_72AF38

loc_724225:				; CODE XREF: BapdRecordFirmwareBootStats+8Ej
					; BapdRecordFirmwareBootStats+216j ...
		push	offset ??_C@_1BG@FGILHOGJ@?$AAF?$AAw?$AAP?$AAO?$AAS?$AAT?$AAT?$AAi?$AAm?$AAe@OKHAJAOM@ ; "FwPOSTTime"
		lea	eax, [ebp+var_108]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_108]
		push	eax
		lea	ecx, [ebp+var_E0]
		call	_BapdpWriteEventDataToRegistry@12 ; BapdpWriteEventDataToRegistry(x,x,x)
		test	esi, esi
		jz	short loc_724258
		push	[ebp+var_CC]
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_724258:				; CODE XREF: BapdRecordFirmwareBootStats+256j
		mov	eax, edi
		or	eax, ebx
		jz	short loc_724265
		push	ebx
		push	edi
		call	EtwUnregister

loc_724265:				; CODE XREF: BapdRecordFirmwareBootStats+268j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
BapdRecordFirmwareBootStats endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpWriteEventDataToRegistry(x, x,	x)
_BapdpWriteEventDataToRegistry@12 proc near ; CODE XREF: BapdWriteEtwEvents+219p
					; BapdWriteEtwEvents+90E9Bp ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_14]
		push	offset ??_C@_1GG@IBGAEKLO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@OKHAJAOM@
		push	eax
		mov	edi, ecx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	esi
		lea	eax, [ebp+var_14]
		mov	[ebp+var_2C], esi
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_8]
		mov	[ebp+var_28], ebx
		push	eax
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_724336
		push	offset ??_C@_1CM@JGIJKPEK@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@OKHAJAOM@
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_8]
		push	ebx
		push	ebx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_14]
		push	ebx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	ebx
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_C]
		mov	[ebp+var_2C], esi
		push	eax
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	[ebp+var_8]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_724336
		push	4
		push	edi
		push	4
		push	ebx
		push	[ebp+arg_0]
		push	[ebp+var_C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_724336:				; CODE XREF: BapdpWriteEventDataToRegistry(x,x,x)+59j
					; BapdpWriteEventDataToRegistry(x,x,x)+A7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_BapdpWriteEventDataToRegistry@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiConfigureSchedulingInformation(x,	x)
_KiConfigureSchedulingInformation@8 proc near
					; CODE XREF: KiInitializeDynamicProcessorDpc(x,x,x,x)+CEp
					; KiInitializeDynamicProcessorDpc(x,x,x,x)+F4p	...

var_30		= dword	ptr -30h
var_2C		= word ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_1A		= word ptr -1Ah
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		and	[ebp+var_C], 0
		xor	eax, eax
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1A], ax
		lea	edi, [ebp+var_30]
		stosd
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		mov	[ebp+var_18], ebx
		mov	ecx, [ebx+4010h]
		stosd
		stosd
		test	ecx, ecx
		jz	short loc_72437E
		mov	eax, [ebx+ecx*4+4034h]
		mov	[ebx+4034h], eax
		jmp	short loc_724384
; 

loc_72437E:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+2Fj
		mov	eax, [ebx+4034h]

loc_724384:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+3Ej
		test	eax, eax
		jnz	short loc_724394
		mov	eax, [ebx+3C8h]
		mov	[ebx+4034h], eax

loc_724394:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+48j
		movzx	edi, byte ptr [ebx+3C4h]
		xor	eax, eax
		test	ecx, ecx
		jz	short loc_7243D1
		mov	esi, [ebx+402Ch]
		lea	edx, [ebx+4038h]
		not	esi

loc_7243AF:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+7Bj
		test	[edx], esi
		jnz	short loc_7243BD
		inc	eax
		add	edx, 4
		cmp	eax, ecx
		jb	short loc_7243AF
		jmp	short loc_7243D1
; 

loc_7243BD:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+73j
		mov	eax, [ebx+eax*4+4038h]
		and	[ebp+var_14], 0
		bsf	edi, eax
		mov	[ebx+4030h], eax

loc_7243D1:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+61j
					; KiConfigureSchedulingInformation(x,x)+7Dj
		cmp	[ebp+var_1], 0
		mov	esi, [ebx+338h]
		mov	[ebx+404Ch], edi
		jnz	loc_7245E8
		mov	eax, [ebx+3CCh]
		cmp	eax, [esi+9Ch]
		jnz	loc_7245E8
		mov	edi, ds:_KiMaximumSharedReadyQueueSize
		test	edi, edi
		jnz	short loc_724404
		inc	edi

loc_724404:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+C3j
		test	edi, 100h
		jz	short loc_72441D
		and	edi, 0FFFFFEFFh
		call	_KeDoesSystemHaveHeterogeneousCoreTypes@0 ; KeDoesSystemHaveHeterogeneousCoreTypes()
		test	eax, eax
		jz	short loc_72441D
		add	edi, edi

loc_72441D:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+CCj
					; KiConfigureSchedulingInformation(x,x)+DBj
		cmp	edi, 20h
		jbe	short loc_724425
		push	20h
		pop	edi

loc_724425:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+E2j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		movzx	ecx, word ptr [esi+8Ah]
		and	dword ptr [esi+90h], 0
		mov	[ebp+var_1], al
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		push	ecx
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		movzx	esi, word ptr [ebp+var_C]
		xor	edx, edx
		and	[ebp+var_10], 0
		and	[ebp+var_24], 0
		lea	eax, [esi-1]
		add	eax, edi
		div	edi
		xor	edx, edx
		mov	edi, [ebx+4024h]
		mov	ecx, eax
		mov	eax, esi
		div	ecx
		mov	[ebp+var_14], eax
		mov	ax, [ebp+var_2C]
		mov	[ebp+var_1C], ax
		mov	eax, [ebp+var_30]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_C], edx
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	loc_724559
		mov	ebx, [ebp+var_10]

loc_724499:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+212j
		mov	eax, [ebp+var_8]
		mov	esi, ds:_KiProcessorBlock[eax*4]
		movzx	eax, byte ptr [edi+12Bh]
		cmp	ebx, eax
		jnz	short loc_7244B4
		mov	edi, [esi+4024h]

loc_7244B4:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+16Ej
		mov	ecx, ebx
		sub	ecx, eax
		neg	ecx
		sbb	ecx, ecx
		and	ecx, ebx
		jnz	short loc_7244DC
		mov	edx, [ebp+var_C]
		mov	eax, [ebp+var_14]
		mov	[edi+12Bh], al
		test	edx, edx
		jz	short loc_7244DC
		inc	al
		dec	edx
		mov	[edi+12Bh], al
		mov	[ebp+var_C], edx

loc_7244DC:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+180j
					; KiConfigureSchedulingInformation(x,x)+190j
		mov	eax, [esi+3C8h]
		lea	ebx, [ecx+1]
		mov	[esi+4024h], edi
		or	[edi+130h], eax
		movzx	eax, byte ptr [edi+129h]
		movzx	ecx, byte ptr [esi+3C4h]
		sub	ecx, eax
		lea	eax, [ecx+108h]
		add	eax, edi
		mov	[esi+33Ch], eax
		mov	eax, [esi+8]
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_72451F
		mov	eax, [esi+4]
		mov	[ebp+var_10], eax

loc_72451F:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+1D9j
		mov	edx, esi
		mov	ecx, eax
		call	KiIsThreadRankNonZero
		test	al, al
		jz	short loc_724530
		mov	cl, 1
		jmp	short loc_724539
; 

loc_724530:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+1ECj
		mov	eax, [ebp+var_10]
		mov	cl, [eax+87h]

loc_724539:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+1F0j
		mov	eax, [esi+33Ch]
		mov	[eax], cl
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jz	loc_724499
		mov	ebx, [ebp+var_18]

loc_724559:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+152j
		mov	ax, [ebp+var_2C]
		and	[ebp+var_24], 0
		mov	[ebp+var_1C], ax
		mov	eax, [ebp+var_30]
		mov	[ebp+var_20], eax
		jmp	short loc_7245CE
; 

loc_72456D:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+29Fj
		mov	eax, [ebp+var_8]
		mov	edx, ds:_KiProcessorBlock[eax*4]
		mov	ecx, [edx+4024h]
		cmp	byte ptr [ecx+12Bh], 1
		jbe	short loc_724592
		mov	eax, [ecx+130h]
		mov	[edx+4020h], eax

loc_724592:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+246j
		mov	al, [edx+3C4h]
		cmp	al, [ecx+129h]
		jnz	short loc_7245CE
		cmp	byte ptr [ecx+12Bh], 1
		jbe	short loc_7245CE
		mov	dword ptr [edx+4028h], 1
		mov	[ecx+12Ch], al
		bsr	eax, [ecx+130h]
		sub	al, [ecx+129h]
		inc	al
		mov	[ecx+128h], al

loc_7245CE:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+22Dj
					; KiConfigureSchedulingInformation(x,x)+260j ...
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jz	short loc_72456D
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_7245E8:				; CODE XREF: KiConfigureSchedulingInformation(x,x)+A3j
					; KiConfigureSchedulingInformation(x,x)+B5j
		mov	ecx, ebx
		call	KiConfigureCpuSetSchedulingInformation
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiConfigureSchedulingInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAdjustSimultaneousMultiThreadingCharacteristics proc near
					; CODE XREF: KiConfigureProcessorBlock:loc_72A504p
					; KiAllProcessorsStarted+Ap

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072A48F SIZE 00000061 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		cmp	ds:_KiSMTProcessorsPresent, 0
		jz	locret_724816
		push	ebx
		push	esi
		push	edi
		mov	edi, ds:_KiProcessorBlock
		xor	ebx, ebx
		inc	ebx
		mov	esi, ebx
		mov	edx, [edi+344h]
		lea	eax, ds:0FFFFFFFFh[edx*2]
		bsr	ecx, eax
		shl	esi, cl
		dec	esi
		not	esi
		mov	[ebp+var_4], esi
		cmp	edx, ebx
		jbe	short loc_72466B
		movzx	edx, byte ptr [edi+3D49h]
		mov	ecx, ebx
		and	edx, esi
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	short loc_72466B

loc_724646:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+75j
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		cmp	[eax+3D38h], ebx
		jz	short loc_724662
		movzx	eax, byte ptr [eax+3D49h]
		and	eax, esi
		cmp	eax, edx
		jz	short loc_72466B

loc_724662:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+5Fj
		inc	ecx
		cmp	ecx, ds:_KeNumberProcessors
		jb	short loc_724646

loc_72466B:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+3Dj
					; KiAdjustSimultaneousMultiThreadingCharacteristics+50j ...
		xor	ebx, ebx
		mov	edx, ebx
		mov	[ebp+var_C], ebx
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	loc_724813

loc_72467E:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+1F2j
		mov	esi, ds:_KiProcessorBlock[edx*4]
		mov	eax, [esi+3D38h]
		cmp	eax, 1
		jz	loc_7247DC
		lea	eax, ds:0FFFFFFFFh[eax*2]
		bsr	ecx, eax
		xor	eax, eax
		inc	eax
		shl	eax, cl
		movzx	ecx, byte ptr [esi+3D49h]
		dec	eax
		mov	ebx, ecx
		not	eax
		and	ecx, [ebp+var_4]
		and	ebx, eax
		mov	[ebp+var_18], ebx
		mov	[esi+4068h], ebx
		xor	ebx, ebx
		mov	[ebp+var_1C], ecx
		inc	ebx
		mov	ecx, [esi+3CCh]
		shl	ebx, cl
		lea	ecx, [edx+1]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], ebx

loc_7246D4:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+192j
		mov	[ebp+var_14], ecx
		cmp	ecx, ds:_KeNumberProcessors
		jnb	loc_72478B
		mov	edi, ds:_KiProcessorBlock[ecx*4]
		cmp	dword ptr [edi+3D38h], 1
		jz	loc_724785
		movzx	eax, byte ptr [edi+3D49h]
		and	eax, [ebp+var_10]
		cmp	eax, [ebp+var_18]
		jnz	short loc_724772
		mov	eax, [edi+401Ch]
		bts	eax, edx
		mov	[edi+401Ch], eax
		mov	eax, [esi+401Ch]
		bts	eax, ecx
		mov	[esi+401Ch], eax
		mov	ebx, [edi+401Ch]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	eax, cl
		cmp	eax, [edi+3D38h]
		ja	loc_72A48F
		mov	edx, [ebp+var_C]
		mov	ebx, [ebp+var_8]
		mov	ecx, [ebp+var_14]

loc_724772:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+110j
		movzx	eax, byte ptr [edi+3D49h]
		and	eax, [ebp+var_4]
		cmp	eax, [ebp+var_1C]
		jz	loc_724818

loc_724785:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+FDj
					; KiAdjustSimultaneousMultiThreadingCharacteristics+230j ...
		inc	ecx
		jmp	loc_7246D4
; 

loc_72478B:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+E9j
		mov	ebx, [esi+401Ch]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	eax, cl
		cmp	eax, [esi+3D38h]
		ja	loc_72A49F
		mov	eax, [ebp+var_8]
		or	[esi+402Ch], eax
		mov	edx, [ebp+var_C]

loc_7247DC:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+9Aj
		inc	edx
		mov	[ebp+var_C], edx
		cmp	edx, ds:_KeNumberProcessors
		jb	loc_72467E
		xor	ebx, ebx
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	short loc_724813

loc_7247F6:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+21Dj
		mov	edx, ds:_KiProcessorBlock[ebx*4]
		cmp	byte ptr [edx+3BEh], 2
		jz	loc_72A4B4

loc_72480A:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+5EC4j
					; KiAdjustSimultaneousMultiThreadingCharacteristics+5ED1j ...
		inc	ebx
		cmp	ebx, ds:_KeNumberProcessors
		jb	short loc_7247F6

loc_724813:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+84j
					; KiAdjustSimultaneousMultiThreadingCharacteristics+200j
		pop	edi
		pop	esi
		pop	ebx

locret_724816:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+Fj
		leave
		retn
; 

loc_724818:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+18Bj
		mov	eax, [edi+338h]
		cmp	eax, [esi+338h]
		jnz	loc_724785
		mov	eax, [edi+3CCh]
		bts	ebx, eax
		or	[edi+402Ch], ebx
		mov	[ebp+var_8], ebx
		jmp	loc_724785
KiAdjustSimultaneousMultiThreadingCharacteristics endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInitializePrcbContext	proc near	; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+279p
					; KeStartAllProcessors+12Ep ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072A4F0 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_KeFeatureBits
		push	ebx
		push	esi
		mov	esi, ds:_KeXStateLength
		and	eax, 400000h
		or	eax, 0
		push	edi
		mov	edi, ecx
		jz	loc_72A4F0
		add	esi, 165h
		mov	bl, 1
		add	esi, ds:_KiXSaveAreaLength

loc_724874:				; CODE XREF: KiInitializePrcbContext+5CB3j
		test	esi, esi
		jz	short loc_7248A5
		mov	ecx, esi
		call	_MmAllocateIndependentPages@8 ;	MmAllocateIndependentPages(x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_72A4FA
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		add	eax, 3Fh
		and	eax, 0FFFFFFC0h
		mov	[edi+4170h], eax

loc_7248A5:				; CODE XREF: KiInitializePrcbContext+34j
		test	bl, bl
		jz	short loc_7248FD
		mov	esi, ds:_KiXSaveAreaLength
		mov	eax, ds:_KeXStateLength
		add	esi, 3
		add	esi, [edi+4170h]
		add	eax, 0FFFFFE00h
		and	esi, 0FFFFFFFCh
		lea	edx, [esi+2CCh]
		lea	ecx, [edx+57h]
		mov	[edx+14h], eax
		and	ecx, 0FFFFFFC0h
		mov	dword ptr [edx+8], 0FFFFFD34h
		sub	ecx, edx
		mov	dword ptr [edx+0Ch], 2CCh
		add	eax, 2CCh
		mov	[edx+10h], ecx
		add	eax, ecx
		mov	dword ptr [edx], 0FFFFFD34h
		mov	[edx+4], eax
		mov	[edi+4168h], esi

loc_7248FD:				; CODE XREF: KiInitializePrcbContext+65j
		mov	dword ptr [edi+416Ch], 1002Fh
		test	bl, bl
		jz	short loc_724914
		cmp	dword ptr [edi+3CCh], 0
		jz	short loc_72491B

loc_724914:				; CODE XREF: KiInitializePrcbContext+C7j
					; KiInitializePrcbContext+E3j
		xor	eax, eax

loc_724916:				; CODE XREF: KiInitializePrcbContext+5CBDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_72491B:				; CODE XREF: KiInitializePrcbContext+D0j
		mov	dword ptr [edi+416Ch], 1006Fh
		jmp	short loc_724914
KiInitializePrcbContext	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiUpdateProcessorCount(x, x)
_KiUpdateProcessorCount@8 proc near	; CODE XREF: KiUpdateNumberProcessorsIpi(x)+3Bp
					; KeStartAllProcessors+45Ep
		mov	edi, edi
		push	esi
		call	_KiGetCurrentGroupCount@0 ; KiGetCurrentGroupCount()
		mov	ds:_KiActiveGroups, ax
		cli
		xor	esi, esi
		inc	esi
		add	ds:_KeNumberProcessors,	esi
		mov	eax, ds:dword_70E328
		bts	eax, ecx
		mov	ds:dword_70E328, eax
		sti
		test	edx, edx
		jnz	short loc_724958
		inc	ds:_KeNumberProcessorsGroup0

loc_724958:				; CODE XREF: KiUpdateProcessorCount(x,x)+28j
		add	ds:0FFDF03C0h, esi
		add	ds:0FFDF036Ah, si
		mov	al, byte ptr ds:_KiActiveGroups
		mov	ds:0FFDF03C4h, al
		pop	esi
		retn
_KiUpdateProcessorCount@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiConfigureProcessorBlock proc near	; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+257p
					; KiInitializeDynamicProcessorDpc(x,x,x,x)+47p	...

; FUNCTION CHUNK AT 0072A504 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+3CCh]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+338h]
		mov	esi, [edi+84h]
		bts	esi, eax
		bsr	eax, esi
		bsf	ecx, esi
		mov	[edi+0A0h], eax
		movzx	eax, cx
		mov	[edi+84h], esi
		mov	[edi+9Ch], ecx
		mov	[edi+58h], ax
		mov	[edi+5Ah], ax
		test	dl, dl
		jnz	loc_72A504

loc_7249BB:				; CODE XREF: KiConfigureProcessorBlock+5B9Dj
		movzx	ebx, word ptr [edi+8Ah]
		lea	eax, [esi-1]
		test	eax, esi
		jz	short loc_7249CE

loc_7249C9:				; CODE XREF: KiConfigureProcessorBlock+6Bj
					; KiConfigureProcessorBlock+97j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7249CE:				; CODE XREF: KiConfigureProcessorBlock+55j
		movzx	edi, ds:_KeNumberNodes
		xor	eax, eax
		mov	esi, eax
		mov	ecx, eax
		test	edi, edi
		jz	short loc_7249C9

loc_7249DF:				; CODE XREF: KiConfigureProcessorBlock+99j
		mov	edx, ds:_KeNodeBlock[ecx*4]
		cmp	[edx+88h], ax
		jnz	short loc_724A06
		test	esi, esi
		jnz	short loc_7249F5
		mov	esi, edx

loc_7249F5:				; CODE XREF: KiConfigureProcessorBlock+7Fj
		mov	eax, [esi+80h]
		bts	eax, ebx
		mov	[edx+80h], eax
		xor	eax, eax

loc_724A06:				; CODE XREF: KiConfigureProcessorBlock+7Bj
		inc	ecx
		cmp	ecx, edi
		jnb	short loc_7249C9
		jmp	short loc_7249DF
KiConfigureProcessorBlock endp

; 
		align 2

;  S U B	R O U T	I N E 


KiStartWaitAcknowledge proc near	; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+3D9p
					; KeStartAllProcessors+3BAp ...

; FUNCTION CHUNK AT 0072A514 SIZE 00000016 BYTES

		mov	edi, edi

loc_724A10:				; CODE XREF: KiStartWaitAcknowledge+5B14j
		mov	eax, ds:_KiProcessorStartControl
		cmp	eax, 1
		jnz	loc_72A514
		mov	al, al
		retn
KiStartWaitAcknowledge endp

; 
		align 2

;  S U B	R O U T	I N E 


MmInitializeProcessor proc near		; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+25Fp
					; MiInitNucleus(x)+2E2p ...

; FUNCTION CHUNK AT 0072A52A SIZE 0000000B BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+3CCh], 0
		jz	short loc_724A37
		or	dword ptr [esi+406Ch], 0FFFFFFFFh

loc_724A37:				; CODE XREF: MmInitializeProcessor+Cj
		mov	edx, 100h
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		test	eax, eax
		jz	loc_72A531
		shl	eax, 9
		mov	edx, 20206D4Dh
		push	0
		mov	[esi+3D34h], eax
		mov	ecx, 2830h
		mov	eax, ds:dword_6D06D0
		push	40h
		mov	[esi+4CCh], eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_72A52A
		lea	ecx, [edx+10h]
		mov	dword ptr [edx+0Ch], 200h
		mov	[edx], ecx
		lea	eax, [ecx+818h]
		mov	[edx+4], eax
		lea	eax, [ecx+1818h]
		mov	[edx+8], eax
		mov	eax, [esi+338h]
		movzx	eax, word ptr [eax+8Ah]
		imul	ecx, eax, 280h
		add	ecx, ds:dword_6D4E50
		mov	al, [ecx+1E4h]
		mov	[esi+4C1h], al
		mov	eax, [ecx+1E0h]
		mov	[esi+4C8h], eax
		xor	eax, eax
		mov	[esi+4D4h], edx
		inc	eax
		pop	esi
		retn
MmInitializeProcessor endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiEnableKvaShadowing(x, x)
_KiEnableKvaShadowing@8	proc near	; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+1CDp
					; KiInitializeProcessorState(x,x,x,x,x,x,x,x,x,x)+271p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_KiIsKvaShadowDisabled@0 ; KiIsKvaShadowDisabled()
		test	al, al
		jz	short loc_724AF4
		mov	ds:_KiIsKvaShadowConfigDisabled, 1
		jmp	loc_724BDC
; 

loc_724AF4:				; CODE XREF: KiEnableKvaShadowing(x,x)+Cj
		mov	eax, ds:_KeFeatureBits2
		xor	ecx, ecx
		and	eax, 18000h
		cmp	eax, 8000h
		jnz	short loc_724B17
		mov	dword ptr [esi+3F38h], 3
		mov	[esi+3F3Ch], ecx

loc_724B17:				; CODE XREF: KiEnableKvaShadowing(x,x)+2Bj
		call	_KiIsKvaLeakSimulated@0	; KiIsKvaLeakSimulated()
		test	al, al
		jz	short loc_724B27
		mov	ds:_KiKvaLeakageSimulate, 1

loc_724B27:				; CODE XREF: KiEnableKvaShadowing(x,x)+44j
		cmp	ds:_KiKvaLeakage, cl
		jnz	short loc_724B3B
		cmp	ds:_KiKvaLeakageSimulate, cl
		jz	loc_724BDC

loc_724B3B:				; CODE XREF: KiEnableKvaShadowing(x,x)+53j
		mov	eax, cr3
		mov	[esi+4EE0h], eax
		lea	eax, [edx+6000h]
		mov	[edx+404h], eax
		cmp	[esi+3CCh], ecx
		jnz	short loc_724BB3
		lea	ecx, [edx+3000h]
		mov	dl, 1
		call	_KiInitializeIdt@8 ; KiInitializeIdt(x,x)
		mov	eax, large fs:124h
		mov	ecx, 4000h
		mov	eax, [eax+80h]
		mov	byte ptr [eax+74h], 1
		mov	eax, offset unk_711468
		mov	ds:byte_711134,	1
		lock or	[eax], ecx
		xor	ecx, ecx
		inc	ecx
		call	_KiSetAddressPolicy@4 ;	KiSetAddressPolicy(x)
		push	10h
		pop	eax
		mov	[esi+4F08h], ax
		call	_HvlRescindEnlightenments@4 ; HvlRescindEnlightenments(x)
		mov	ds:_KiKvaShadow, 1
		mov	ds:_KiKvaShadowMode, 2
		jmp	short loc_724BDC
; 

loc_724BB3:				; CODE XREF: KiEnableKvaShadowing(x,x)+7Cj
		mov	ecx, esi
		call	KiShadowProcessorAllocation
		test	eax, eax
		jnz	short loc_724BC0
		pop	esi
		retn
; 

loc_724BC0:				; CODE XREF: KiEnableKvaShadowing(x,x)+E2j
		xor	ecx, ecx
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ax, [eax+4F08h]
		or	dword ptr [esi+4EECh], 2
		mov	[esi+4F08h], ax

loc_724BDC:				; CODE XREF: KiEnableKvaShadowing(x,x)+15j
					; KiEnableKvaShadowing(x,x)+5Bj ...
		xor	eax, eax
		inc	eax
		pop	esi
		retn
_KiEnableKvaShadowing@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiShadowProcessorAllocation proc near	; CODE XREF: .text:00569E39p
					; KiEnableKvaShadowing(x,x)+DBp

; FUNCTION CHUNK AT 0072A547 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	ds:_KiKvaShadow, 0
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jz	short loc_724C4B
		lea	ecx, [esi+4000h]
		mov	edx, 1000h
		push	2
		and	ecx, 0FFFFF000h
		call	MmSetPageProtection
		mov	edx, 7000h
		mov	ecx, esi
		call	MmCreateShadowMapping
		test	eax, eax
		jz	loc_72A557
		lea	ecx, [edi+4EE0h]
		mov	edx, 1000h
		xor	ebx, ebx
		call	MmCreateShadowMapping
		test	eax, eax
		jz	loc_72A55E
		inc	ebx
		cmp	dword ptr [edi+3CCh], 0
		jz	short loc_724C55

loc_724C4B:				; CODE XREF: KiShadowProcessorAllocation+17j
					; KiShadowProcessorAllocation+B7j
		xor	eax, eax
		inc	eax

loc_724C4E:				; CODE XREF: KiShadowProcessorAllocation+5977j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_724C55:				; CODE XREF: KiShadowProcessorAllocation+67j
		push	400000h
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	ecx, eax
		mov	eax, offset _KiTrap00Shadow
		sub	eax, 400000h
		push	eax
		call	RtlSectionTableFromVirtualAddress
		mov	edx, [eax+8]
		mov	ecx, [eax+10h]
		cmp	edx, ecx
		ja	short loc_724C7D
		mov	edx, ecx

loc_724C7D:				; CODE XREF: KiShadowProcessorAllocation+97j
		mov	ecx, [eax+0Ch]
		add	edx, 0FFFh
		and	edx, 0FFFFF000h
		add	ecx, 400000h
		call	MmCreateShadowMapping
		test	eax, eax
		jnz	short loc_724C4B
		jmp	loc_72A55E
KiShadowProcessorAllocation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInitializePcr(x, x, x, x,	x, x, x, x)
_KiInitializePcr@32 proc near		; CODE XREF: KiSystemStartup(x)+101p
					; KiInitializeProcessorState(x,x,x,x,x,x,x,x,x,x)+232p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	dword ptr [ebx+8], 0
		push	esi
		push	edi
		mov	edi, [ebx+1Ch]
		jnz	short loc_724D00
		mov	edx, ds:_KeLoaderBlock
		mov	ecx, [edx+84h]
		call	_InitializeBuildStrings@4 ; InitializeBuildStrings(x)
		mov	ecx, [edx+58h]
		mov	ds:_KeKernelStackSize, ecx
		add	ecx, 1000h
		mov	eax, [edx+48h]
		add	eax, ecx
		mov	[ebp+var_4], eax
		add	eax, 4000h
		mov	[ebp+var_8], eax
		call	ExRngInitializeSystem
		lock bts dword ptr [edi], 15h
		jmp	short loc_724D28
; 

loc_724D00:				; CODE XREF: KiInitializePcr(x,x,x,x,x,x,x,x)+22j
		call	_PoEnergyEstimationEnabled@0 ; PoEnergyEstimationEnabled()
		test	al, al
		jz	short loc_724D1C
		lock bts dword ptr [edi], 15h
		mov	edx, [ebx+24h]
		mov	ecx, [ebx+20h]
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ecx
		jmp	short loc_724D28
; 

loc_724D1C:				; CODE XREF: KiInitializePcr(x,x,x,x,x,x,x,x)+67j
		mov	eax, [ebx+24h]
		mov	[ebp+var_8], eax
		mov	eax, [ebx+20h]
		mov	[ebp+var_4], eax

loc_724D28:				; CODE XREF: KiInitializePcr(x,x,x,x,x,x,x,x)+5Ej
					; KiInitializePcr(x,x,x,x,x,x,x,x)+7Aj
		mov	esi, [ebx+0Ch]
		lea	eax, [esi+4900h]
		mov	[esi+4144h], eax
		lea	edx, [esi+120h]
		xor	eax, eax
		inc	eax
		mov	[esi+44h], ax
		mov	[esi+46h], ax
		mov	[esi+122h], ax
		mov	[edx], ax
		xor	eax, eax
		mov	[esi+132h], ax
		mov	eax, ds:_KiProcessorBlock
		test	eax, eax
		jz	short loc_724D70
		mov	eax, [eax+3C0h]
		mov	[esi+4E0h], eax

loc_724D70:				; CODE XREF: KiInitializePcr(x,x,x,x,x,x,x,x)+C2j
		mov	ecx, [ebx+8]
		test	ecx, ecx
		jnz	short loc_724D7E
		mov	byte ptr ds:0FFDF027Dh,	1

loc_724D7E:				; CODE XREF: KiInitializePcr(x,x,x,x,x,x,x,x)+D5j
		mov	[esi+1Ch], esi
		mov	[esi+20h], edx
		mov	eax, ds:_KiI386ExceptionChainTerminator
		and	dword ptr [esi+4], 0
		and	dword ptr [esi+18h], 0
		mov	[esi], eax
		mov	[esi+124h], edi
		mov	eax, ds:_KeLoaderBlock
		mov	eax, [eax+50h]
		mov	[edi+80h], eax
		lea	eax, [edi+70h]
		mov	[eax+4], eax
		mov	[eax], eax
		test	ecx, ecx
		jnz	short loc_724DBB
		call	_CmInitBootFeatureConfigurations@4 ; CmInitBootFeatureConfigurations(x)
		mov	ecx, [ebx+8]

loc_724DBB:				; CODE XREF: KiInitializePcr(x,x,x,x,x,x,x,x)+111j
		and	dword ptr [esi+4A40h], 0
		xor	edx, edx
		movzx	eax, cl
		inc	edx
		mov	[esi+4ECh], eax
		mov	eax, edx
		shl	eax, cl
		mov	[esi+4E8h], eax
		mov	eax, [esi+20h]
		mov	ds:_KiProcessorBlock[ecx*4], eax
		xor	ecx, ecx
		mov	eax, [ebx+14h]
		mov	[esi+3Ch], eax
		mov	eax, [ebx+10h]
		mov	[esi+38h], eax
		mov	eax, [ebx+18h]
		mov	[esi+40h], eax
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_4]
		mov	[esi+2330h], eax
		mov	eax, [ebp+var_8]
		mov	[esi+43BCh], eax
		mov	eax, [esi+4E8h]
		mov	[esi+4134h], dx
		mov	[esi+4136h], dx
		mov	[esi+4138h], ecx
		mov	[esi+413Ch], eax
		mov	[esi+24h], cl
		mov	[esi+414Ch], eax
		cmp	[esi+4288h], ecx
		jnz	short loc_724E52
		lea	eax, [esi+138h]
		mov	dword ptr [esi+428Ch], 1002Fh
		mov	[esi+4288h], eax

loc_724E52:				; CODE XREF: KiInitializePcr(x,x,x,x,x,x,x,x)+19Aj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	20h
_KiInitializePcr@32 endp ; sp =	 4

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiMaskToLength(x, x)
_KiMaskToLength@8 proc near		; CODE XREF: KiInitializeMTRR+134p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		or	eax, [ebp+arg_4]
		jz	short loc_724E87
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_RtlFindLeastSignificantBit@8 ;	RtlFindLeastSignificantBit(x,x)
		movsx	ecx, al

loc_724E79:				; CODE XREF: KiMaskToLength(x,x)+30j
		xor	eax, eax
		xor	edx, edx
		inc	eax
		call	__allshl
		pop	ebp
		retn	8
; 

loc_724E87:				; CODE XREF: KiMaskToLength(x,x)+Bj
		movzx	ecx, ds:_KiMtrrMaxRangeShift
		jmp	short loc_724E79
_KiMaskToLength@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRestoreMtrrBroadcast()
_KeRestoreMtrrBroadcast@0 proc near	; CODE XREF: PnprWakeProcessors():loc_72E5CFp
					; KiInitializeDynamicProcessorDpc(x,x,x,x)+B3p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		and	[esp+10h+var_8], 0
		cmp	ds:byte_6C75B0,	0
		jz	short loc_724EDA
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		and	[esp+10h+var_10], 0
		dec	eax
		mov	[esp+10h+var_C], eax
		lea	eax, [esp+10h+var_10]
		push	eax
		push	offset _KiLoadMTRRTarget@4 ; KiLoadMTRRTarget(x)
		mov	[esp+18h+var_8], 0
		mov	[esp+18h+var_4], offset	_KiTargetPhase
		call	KeIpiGenericCall

loc_724EDA:				; CODE XREF: KeRestoreMtrrBroadcast()+17j
		mov	esp, ebp
		pop	ebp
		retn
_KeRestoreMtrrBroadcast@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInitializeProcessor proc near		; CODE XREF: KiInitializeDynamicProcessorDpc(x,x,x,x)+3Ep
					; INIT:00AC0015p

; FUNCTION CHUNK AT 0072A570 SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		cmp	ds:_KeThreadDpcEnable, ebx
		jz	short loc_724F18
		lea	ecx, [esi+2228h]
		call	@KeInitializeGate@8 ; KeInitializeGate(x,x)
		lea	ecx, [esi+21F8h]
		call	_KiInitializeDpcList@4 ; KiInitializeDpcList(x)
		mov	[esi+2200h], ebx
		mov	[esi+2204h], ebx

loc_724F18:				; CODE XREF: KiInitializeProcessor+14j
		mov	edx, 2710h
		cmp	ds:_KeDpcWatchdogPeriod, ebx
		jz	loc_725000
		push	dword ptr [esi+3CCh]
		lea	edi, [esi+3F78h]
		push	offset _KiDpcWatchdog@16 ; KiDpcWatchdog(x,x,x,x)
		push	edi
		call	_KeInitializeThreadedDpc@12 ; KeInitializeThreadedDpc(x,x,x)
		mov	ecx, [esi+3CCh]
		mov	byte ptr [esi+3F79h], 2
		mov	eax, [edi+1Ch]
		test	eax, eax
		jnz	short loc_724F5B
		lea	eax, [ecx+20h]
		mov	[edi+2], ax

loc_724F5B:				; CODE XREF: KiInitializeProcessor+72j
		lea	eax, [esi+3F98h]
		push	ebx
		push	eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		mov	eax, ds:_KeDpcWatchdogPeriod
		mov	ecx, 2710h
		mov	ebx, ds:_KeMaximumIncrement
		mul	ecx
		push	0
		add	eax, ebx
		push	ebx
		adc	edx, 0
		add	eax, 0FFFFFFFFh
		adc	edx, 0FFFFFFFFh
		push	edx
		push	eax
		call	__aulldiv
		xor	ecx, ecx
		cmp	edx, ecx
		ja	loc_72A570
		cmp	eax, 0FFFFFFFFh
		ja	loc_72A570

loc_724FA2:				; CODE XREF: KiInitializeProcessor+5695j
		push	edx
		push	eax
		push	ecx
		push	ebx
		mov	[esi+3B08h], eax
		mov	[esi+3B0Ch], ecx
		mov	[esi+3BDCh], ecx
		call	__allmul
		push	0
		mov	ecx, 2710h
		push	ecx
		push	edx
		push	eax
		call	__aulldiv
		shrd	eax, edx, 1
		shr	edx, 1
		jnz	loc_72A57A
		cmp	eax, 0FFFFFFFFh
		ja	loc_72A57A

loc_724FE1:				; CODE XREF: KiInitializeProcessor+569Dj
		push	edi
		push	0FAh
		push	eax
		push	0
		neg	ebx
		lea	eax, [esi+3F98h]
		push	ebx
		push	eax
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		xor	ebx, ebx
		mov	edx, 2710h

loc_725000:				; CODE XREF: KiInitializeProcessor+43j
		mov	eax, ds:_KiDPCTimeout
		test	eax, eax
		jz	short loc_72503B
		mov	ecx, ds:_KeMaximumIncrement
		mul	edx
		push	ebx
		add	eax, ecx
		push	ecx
		adc	edx, ebx
		add	eax, 0FFFFFFFFh
		adc	edx, 0FFFFFFFFh
		push	edx
		push	eax
		call	__aulldiv
		cmp	edx, ebx
		ja	loc_72A582
		cmp	eax, 0FFFFFFFFh
		ja	loc_72A582

loc_725035:				; CODE XREF: KiInitializeProcessor+56A5j
		mov	[esi+4D0h], eax

loc_72503B:				; CODE XREF: KiInitializeProcessor+127j
		mov	eax, ds:_KiDpcWatchdogProfileArrayLength
		test	eax, eax
		jz	loc_7250E6
		push	5057694Bh
		shl	eax, 2
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esi+4060h], ecx
		test	ecx, ecx
		jz	loc_72A58A
		mov	eax, ds:_KiDpcWatchdogProfileArrayLength
		shl	eax, 2
		push	eax		; size_t
		push	ebx		; int
		push	ecx		; void *
		mov	[esi+4064h], ecx
		call	_memset
		mov	eax, ds:_KiDpcWatchdogProfileCumulativeDpcThreshold
		mov	ecx, 2710h
		mov	edi, ds:_KeMaximumIncrement
		add	esp, 0Ch
		mul	ecx
		push	ebx
		add	eax, edi
		push	edi
		adc	edx, ebx
		add	eax, 0FFFFFFFFh
		adc	edx, 0FFFFFFFFh
		push	edx
		push	eax
		call	__aulldiv
		cmp	edx, ebx
		ja	short loc_7250ED
		cmp	eax, 0FFFFFFFFh
		ja	short loc_7250ED

loc_7250B2:				; CODE XREF: KiInitializeProcessor+210j
		mov	[esi+3B14h], eax
		mov	ecx, 2710h
		mov	eax, ds:_KiDpcWatchdogProfileSingleDpcThreshold
		mul	ecx
		push	ebx
		add	eax, edi
		push	edi
		adc	edx, ebx
		add	eax, 0FFFFFFFFh
		adc	edx, 0FFFFFFFFh
		push	edx
		push	eax
		call	__aulldiv
		cmp	edx, ebx
		ja	short loc_7250F2
		cmp	eax, 0FFFFFFFFh
		ja	short loc_7250F2

loc_7250E0:				; CODE XREF: KiInitializeProcessor+215j
		mov	[esi+3F74h], eax

loc_7250E6:				; CODE XREF: KiInitializeProcessor+162j
					; KiInitializeProcessor+56BCj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
; 

loc_7250ED:				; CODE XREF: KiInitializeProcessor+1CBj
					; KiInitializeProcessor+1D0j
		or	eax, 0FFFFFFFFh
		jmp	short loc_7250B2
; 

loc_7250F2:				; CODE XREF: KiInitializeProcessor+1F9j
					; KiInitializeProcessor+1FEj
		or	eax, 0FFFFFFFFh
		jmp	short loc_7250E0
KiInitializeProcessor endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInitializeKernel(x, x, x,	x, x, x)
_KiInitializeKernel@24 proc near	; CODE XREF: KiSystemStartup(x)+21Fp

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch

		push	60h
		push	offset dword_6A7218
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_54], eax
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_44], edi
		mov	ecx, [ebp+arg_14]
		mov	[ebp+var_48], ecx
		mov	[ebp+var_34], 20000000h
		xor	esi, esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], 1000000h
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], 2
		xor	ebx, ebx
		inc	ebx
		cmp	[ebp+arg_10], 0
		jnz	short loc_72518C
		mov	word ptr ds:_KeActiveProcessors, bx
		mov	word ptr ds:_KeActiveProcessors+2, bx
		mov	ds:dword_70E324, esi
		mov	ds:dword_70E328, ebx
		mov	ecx, [ecx+84h]
		mov	eax, [ecx+0CA4h]
		mov	ds:_KiFeatureSettings, eax
		mov	eax, [ecx+54h]
		shr	eax, 15h
		and	eax, 3Fh
		mov	ds:_KiFeatureSimulations, eax
		cmp	[ebp+arg_10], 0
		jnz	short loc_72518C
		mov	ecx, [ebp+var_48]
		call	HvlPhase0Initialize

loc_72518C:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+4Bj
					; KiInitializeKernel(x,x,x,x,x,x)+8Aj
		call	_KiSetProcessorType@0 ;	KiSetProcessorType()
		call	KiGetCpuVendor
		mov	[ebp+var_40], eax
		cmp	eax, ebx
		jnz	short loc_7251BC
		mov	al, [edi+14h]
		cmp	al, 0Fh
		jge	short loc_7251AE
		cmp	al, 6
		jnz	short loc_7251BC
		cmp	byte ptr [edi+17h], 0Dh
		jbe	short loc_7251BC

loc_7251AE:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+AAj
		mov	ecx, 1A0h
		rdmsr
		and	eax, 0FFBFFFFFh
		wrmsr

loc_7251BC:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+A3j
					; KiInitializeKernel(x,x,x,x,x,x)+AEj ...
		mov	eax, cr0
		or	eax, 10000h
		mov	cr0, eax
		cmp	[ebp+var_40], 2
		jnz	short loc_725211
		mov	al, [edi+14h]
		cmp	al, 0Fh
		jle	short loc_725211
		cmp	al, 11h
		jz	short loc_725211
		call	HviIsAnyHypervisorPresent
		test	al, al
		jnz	short loc_725211
		mov	[ebp+ms_exc.disabled], esi
		mov	ecx, 0C0011029h
		rdmsr
		or	eax, 2
		or	edx, esi
		wrmsr
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_725211
; 

loc_7251FB:				; DATA XREF: .text:006A722Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_7251FF:				; DATA XREF: .text:006A7230o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	esi, esi
		xor	ebx, ebx
		inc	ebx
		mov	edi, [ebp+var_44]

loc_725211:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+D3j
					; KiInitializeKernel(x,x,x,x,x,x)+DAj ...
		mov	ecx, edi
		call	PoInitializePrcb
		mov	[edi+4078h], esi
		lea	eax, [edi+407Ch]
		mov	[eax], eax
		cmp	byte ptr [edi+14h], 3
		jz	loc_725845
		call	KiGetFeatureBits
		mov	ecx, eax
		mov	[ebp+var_38], ecx
		cmp	[ebp+arg_10], 0
		jnz	short loc_72526C
		mov	ecx, edi
		call	KiDetectAccessBitErrata
		mov	ecx, [ebp+var_38]
		mov	[ebp+var_3C], edx
		cmp	byte ptr ds:0FFDF0280h,	0
		jz	short loc_72525E
		or	ecx, 80000000h
		jmp	short loc_72527D
; 

loc_72525E:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+15Cj
		and	ecx, 7FFFFFFFh
		or	ecx, 40000000h
		jmp	short loc_72527D
; 

loc_72526C:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+146j
		mov	eax, ds:_KeFeatureBits
		and	eax, 0C0000000h
		or	ecx, eax
		or	edx, esi
		mov	[ebp+var_3C], edx

loc_72527D:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+164j
					; KiInitializeKernel(x,x,x,x,x,x)+172j
		mov	[ebp+var_38], ecx
		mov	[edi+3D50h], ecx
		mov	[edi+3D54h], edx
		mov	al, [edi+3BEh]
		cmp	al, bl
		jz	short loc_72529E
		cmp	al, 2
		jz	short loc_72529E
		cmp	al, 5
		jnz	short loc_7252A7

loc_72529E:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+19Cj
					; KiInitializeKernel(x,x,x,x,x,x)+1A0j
		push	edx
		push	ecx
		mov	ecx, edi
		call	_KiSetHardwareSpeculationControlFeatures@12 ; KiSetHardwareSpeculationControlFeatures(x,x,x)

loc_7252A7:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+1A4j
		mov	ecx, edi
		call	_KiDetectKvaLeakage@4 ;	KiDetectKvaLeakage(x)
		cmp	[ebp+arg_10], 0
		jnz	short loc_7252CA
		mov	eax, large fs:1Ch
		mov	edx, [eax+38h]
		sub	edx, 3000h
		mov	ecx, edi
		call	_KiEnableKvaShadowing@8	; KiEnableKvaShadowing(x,x)

loc_7252CA:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+1BAj
		cmp	[edi+3CCh], esi
		jnz	short loc_7252DC
		call	_KiDetectTsx@0	; KiDetectTsx()
		mov	ds:_KiTsxSupportedAtBoot, eax

loc_7252DC:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+1D8j
		mov	eax, [edi+3F38h]
		mov	edx, [edi+3F3Ch]
		mov	ecx, eax
		or	ecx, edx
		jz	short loc_7252F5
		mov	ecx, 122h
		wrmsr

loc_7252F5:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+1F4j
		mov	ecx, edi
		call	KiCheckMicrocode
		lea	eax, [edi+18h]
		push	eax
		call	_KiSaveProcessorControlState@4 ; KiSaveProcessorControlState(x)
		mov	ebx, [ebp+var_40]
		mov	ecx, ebx
		call	KiGetCacheInformation
		mov	[edi+4010h], esi
		sub	ebx, 1
		jz	short loc_725328
		sub	ebx, 1
		jz	loc_725458
		sub	ebx, 3
		jnz	short loc_72532F

loc_725328:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+220j
		mov	ecx, edi
		call	_KiSetCacheInformationIntel@4 ;	KiSetCacheInformationIntel(x)

loc_72532F:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+22Ej
					; KiInitializeKernel(x,x,x,x,x,x)+367j
		mov	bl, [ebp+arg_10]
		movsx	edx, bl
		mov	ecx, edi
		call	_KiInitPrcb@8	; KiInitPrcb(x,x)
		test	bl, bl
		jnz	loc_725495
		mov	ecx, edi
		call	_KiConfigureInitialNodes@4 ; KiConfigureInitialNodes(x)
		xor	dl, dl
		mov	ecx, edi
		call	KiConfigureProcessorBlock
		mov	cl, [edi+14h]
		movsx	eax, cl
		mov	ds:_KeI386CpuType, eax
		movzx	edx, word ptr [edi+16h]
		mov	eax, edx
		mov	ds:_KeI386CpuStep, eax
		xor	eax, eax
		mov	ds:_KeProcessorArchitecture, ax
		movsx	ax, cl
		mov	ds:_KeProcessorLevel, ax
		mov	eax, edx
		cmp	[edi+15h], bl
		jnz	short loc_7253A4
		shr	ax, 4
		sub	ax, 60h
		mov	ecx, 0FFF0h
		and	ax, cx
		and	edx, 0Fh
		or	ax, dx
		mov	ecx, 0FF00h
		or	ax, cx
		movzx	eax, ax

loc_7253A4:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+289j
		mov	ds:_KeProcessorRevision, ax
		mov	esi, [ebp+var_38]
		mov	ds:_KeFeatureBits, esi
		mov	ecx, [ebp+var_3C]
		mov	ds:dword_70E754, ecx
		mov	eax, esi
		mov	ecx, 20013CB6h
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_725464
		xor	ebx, ebx
		mov	eax, cr4
		or	eax, 600h
		mov	cr4, eax
		call	_KiDetectFpuLeakage@0 ;	KiDetectFpuLeakage()
		mov	ds:_KiFpuLeakage, eax
		test	eax, eax
		jz	short loc_7253FE
		mov	eax, [ebp+var_3C]
		or	eax, 10h
		mov	ds:_KeFeatureBits, esi
		mov	ds:dword_70E754, eax
		call	_KiEnableX87Clearing@0 ; KiEnableX87Clearing()

loc_7253FE:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+2EEj
		call	_KiSetPageAttributesTable@0 ; KiSetPageAttributesTable()
		call	KiEnableXSave
		call	KiEnableNpxStateSwitching
		mov	cl, 1
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ds:_KiFreezeExecutionLock, ebx
		call	KiInitSystem
		mov	eax, offset _KiProcessListHead
		mov	ds:dword_6CB0CC, eax
		mov	ds:_KiProcessListHead, eax
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_64], 1
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_64]
		push	eax
		xor	edx, edx
		mov	esi, [ebp+var_50]
		mov	ecx, esi
		call	_KeInitializeProcess@24	; KeInitializeProcess(x,x,x,x,x,x)
		mov	byte ptr [esi+69h], 7Fh
		jmp	loc_725604
; 

loc_725458:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+225j
		mov	ecx, edi
		call	_KiSetCacheInformationAmd@4 ; KiSetCacheInformationAmd(x)
		jmp	loc_72532F
; 

loc_725464:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+2CFj
		lea	esi, [edi+3D3Ch]
		lea	edi, [ebp+var_70]
		movsd
		movsd
		movsd
		push	[ebp+var_68]
		push	[ebp+var_6C]
		push	[ebp+var_70]
		mov	eax, [ebp+var_44]
		movsx	ecx, byte ptr [eax+14h]
		or	ecx, 300h
		shl	ecx, 10h
		movzx	eax, word ptr [eax+16h]
		or	ecx, eax
		push	ecx
		jmp	loc_72584D
; 

loc_725495:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+246j
		mov	eax, ds:dword_70E754
		and	eax, 10h
		xor	ebx, ebx
		mov	esi, [ebp+var_38]
		or	esi, ebx
		or	[ebp+var_3C], eax
		mov	eax, esi
		mov	ecx, 20013CB6h
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_725838
		call	_KiSetPageAttributesTable@0 ; KiSetPageAttributesTable()
		mov	eax, cr4
		or	eax, 600h
		mov	cr4, eax
		call	KiEnableXSave
		mov	dl, [edi+14h]
		movsx	eax, dl
		cmp	eax, ds:_KeI386CpuType
		jnb	short loc_7254EA
		mov	ds:_KeI386CpuType, eax
		movsx	ax, dl
		mov	ds:_KeProcessorLevel, ax

loc_7254EA:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+3E1j
		mov	ecx, ds:_KeFeatureBits
		mov	[ebp+var_4C], ecx
		mov	eax, ecx
		mov	edx, 400h
		and	eax, edx
		or	eax, ebx
		jz	short loc_725513
		mov	eax, esi
		and	eax, edx
		or	eax, ebx
		jnz	short loc_725513

loc_725508:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+447j
					; KiInitializeKernel(x,x,x,x,x,x)+45Ej
		push	ebx
		push	ebx
		push	ebx
		push	edx

loc_72550C:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+432j
					; KiInitializeKernel(x,x,x,x,x,x)+4DDj	...
		push	3Eh
		jmp	loc_72584F
; 

loc_725513:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+406j
					; KiInitializeKernel(x,x,x,x,x,x)+40Ej
		mov	eax, ecx
		and	eax, 40h
		or	eax, ebx
		jz	short loc_72552C
		mov	eax, esi
		and	eax, 40h
		or	eax, ebx
		jnz	short loc_72552C
		push	ebx
		push	ebx
		push	ebx
		push	40h
		jmp	short loc_72550C
; 

loc_72552C:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+422j
					; KiInitializeKernel(x,x,x,x,x,x)+42Bj
		mov	edx, 40000h
		and	ecx, edx
		mov	eax, ecx
		or	eax, ebx
		jz	short loc_725541
		mov	eax, esi
		and	eax, edx
		or	eax, ebx
		jz	short loc_725508

loc_725541:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+43Fj
		or	ecx, ebx
		jz	short loc_725558
		mov	eax, ds:_KiProcessorBlock
		mov	eax, [eax+3B8h]
		cmp	eax, [edi+3B8h]
		jnz	short loc_725508

loc_725558:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+44Bj
		mov	edx, ebx

loc_72555A:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+49Cj
		mov	ecx, [ebp+edx*8+var_34]
		mov	[ebp+var_38], ecx
		mov	eax, [ebp+edx*8+var_30]
		mov	[ebp+var_40], eax
		and	ecx, [ebp+var_4C]
		mov	edi, ds:dword_70E754
		mov	[ebp+var_58], edi
		and	eax, edi
		or	ecx, eax
		mov	edi, [ebp+var_44]
		mov	ecx, [ebp+var_3C]
		jz	short loc_725590
		and	[ebp+var_38], esi
		mov	eax, [ebp+var_40]
		and	eax, ecx
		or	[ebp+var_38], eax
		mov	eax, [ebp+var_38]
		jz	short loc_7255CC

loc_725590:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+486j
		inc	edx
		cmp	edx, 3
		jb	short loc_72555A
		movzx	edx, word ptr [edi+16h]
		mov	eax, edx
		cmp	eax, ds:_KeI386CpuStep
		jnb	short loc_7255E1
		mov	ds:_KeI386CpuStep, eax
		cmp	[edi+15h], bl
		jnz	short loc_7255DA
		shr	ax, 8
		add	ax, 41h
		and	edx, 0Fh
		or	ax, dx
		mov	edx, 0FF00h
		or	ax, dx
		mov	ds:_KeProcessorRevision, ax
		jmp	short loc_7255E1
; 

loc_7255CC:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+496j
		push	ebx
		push	ebx
		push	[ebp+var_40]
		push	[ebp+edx*8+var_34]
		jmp	loc_72550C
; 

loc_7255DA:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+4B4j
		mov	ds:_KeProcessorRevision, dx

loc_7255E1:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+4AAj
					; KiInitializeKernel(x,x,x,x,x,x)+4D2j
		mov	eax, [ebp+var_4C]
		and	eax, esi
		mov	ds:_KeFeatureBits, eax
		mov	eax, [ebp+var_58]
		and	eax, ecx
		mov	ds:dword_70E754, eax
		mov	cl, 2
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	cl, cl
		call	HvlEnlightenProcessor

loc_725604:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+35Bj
		mov	eax, ds:_KeFeatureBits
		mov	esi, 100h
		and	eax, esi
		or	eax, ebx
		jz	short loc_72561B
		xor	edx, edx
		inc	edx
		mov	al, dl
		jmp	short loc_725620
; 

loc_72561B:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+51Aj
		mov	al, bl
		xor	edx, edx
		inc	edx

loc_725620:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+521j
		mov	ds:0FFDF0277h, al
		mov	ds:0FFDF0276h, dl
		mov	ds:0FFDF027Ah, dl
		mov	eax, ds:_KeFeatureBits
		and	eax, 10000h
		or	eax, ebx
		mov	al, dl
		jnz	short loc_725643
		mov	al, bl

loc_725643:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+547j
		mov	ds:0FFDF027Eh, al
		mov	eax, ds:_KeFeatureBits
		and	eax, 80000h
		or	eax, ebx
		mov	al, dl
		jnz	short loc_72565A
		mov	al, bl

loc_72565A:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+55Ej
		mov	ds:0FFDF0281h, al
		mov	eax, ds:_KeFeatureBits
		and	eax, 4000h
		or	eax, ebx
		mov	al, dl
		jnz	short loc_725671
		mov	al, bl

loc_725671:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+575j
		mov	ds:0FFDF027Bh, al
		mov	ds:0FFDF027Ch, dl
		mov	eax, ds:_KeFeatureBits
		and	eax, 400000h
		or	eax, ebx
		mov	al, dl
		jnz	short loc_72568E
		mov	al, bl

loc_72568E:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+592j
		mov	ds:0FFDF0285h, al
		mov	eax, ds:_KeFeatureBits
		and	eax, 4000000h
		or	eax, ebx
		mov	al, dl
		jnz	short loc_7256A5
		mov	al, bl

loc_7256A5:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+5A9j
		mov	ds:0FFDF0288h, al
		mov	eax, ds:_KeFeatureBits
		and	eax, 8000000h
		or	eax, ebx
		mov	al, dl
		jnz	short loc_7256BC
		mov	al, bl

loc_7256BC:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+5C0j
		mov	ds:0FFDF0289h, al
		mov	eax, ds:_KeFeatureBits
		and	eax, 2000000h
		or	eax, ebx
		mov	al, dl
		jnz	short loc_7256D3
		mov	al, bl

loc_7256D3:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+5D7j
		mov	ds:0FFDF0290h, al
		mov	ecx, ds:dword_70E754
		and	ecx, edx
		mov	eax, ebx
		or	eax, ecx
		mov	al, dl
		jnz	short loc_7256EA
		mov	al, bl

loc_7256EA:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+5EEj
		mov	ds:0FFDF0294h, al
		mov	ecx, ds:dword_70E754
		and	ecx, 40h
		mov	eax, ebx
		or	eax, ecx
		mov	al, dl
		jnz	short loc_725702
		mov	al, bl

loc_725702:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+606j
		mov	ds:0FFDF0298h, al
		mov	ecx, ds:dword_70E754
		and	ecx, 80h
		mov	eax, ebx
		or	eax, ecx
		mov	al, dl
		jnz	short loc_72571D
		mov	al, bl

loc_72571D:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+621j
		mov	ds:0FFDF0299h, al
		mov	ecx, ds:dword_70E754
		and	ecx, esi
		mov	eax, ebx
		or	eax, ecx
		mov	al, dl
		jnz	short loc_725734
		mov	al, bl

loc_725734:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+638j
		mov	ds:0FFDF029Ah, al
		mov	ecx, ds:dword_70E754
		and	ecx, 200h
		mov	eax, ebx
		or	eax, ecx
		jz	short loc_725759
		mov	eax, ds:0FFDF03D8h
		and	eax, 4
		or	eax, ebx
		mov	al, dl
		jnz	short loc_72575B

loc_725759:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+651j
		mov	al, bl

loc_72575B:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+65Fj
		mov	ds:0FFDF029Bh, al
		mov	ecx, ds:dword_70E754
		and	ecx, 400h
		mov	eax, ebx
		or	eax, ecx
		jz	short loc_725780
		mov	eax, ds:0FFDF03D8h
		and	eax, 4
		or	eax, ebx
		mov	al, dl
		jnz	short loc_725782

loc_725780:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+678j
		mov	al, bl

loc_725782:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+686j
		mov	ds:0FFDF029Ch, al
		mov	ecx, ds:dword_70E754
		and	ecx, 800h
		mov	eax, ebx
		or	eax, ecx
		jz	short loc_7257A9
		mov	eax, ds:0FFDF03D8h
		and	eax, 0E0h
		or	eax, ebx
		mov	al, dl
		jnz	short loc_7257AB

loc_7257A9:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+69Fj
		mov	al, bl

loc_7257AB:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+6AFj
		mov	ds:0FFDF029Dh, al
		mov	al, ds:_KiVirtFlags
		mov	ds:0FFDF02EDh, al
		push	edi
		push	[ebp+var_50]
		mov	edx, [ebp+arg_8]
		mov	esi, [ebp+var_54]
		mov	ecx, esi
		call	_KiInitializeIdleThread@16 ; KiInitializeIdleThread(x,x,x,x)
		mov	[edi+4], esi
		mov	[edi+8], ebx
		mov	[edi+0Ch], esi
		mov	[ebp+ms_exc.disabled], 1
		cmp	[ebp+arg_10], 0
		jnz	short loc_7257EB
		mov	ecx, [ebp+var_48]
		call	_InitBootProcessor@4 ; InitBootProcessor(x)
		jmp	short loc_7257F0
; 

loc_7257EB:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+6E7j
		call	_InitOtherProcessors@0 ; InitOtherProcessors()

loc_7257F0:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+6F1j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_725809
; 
		retn
; 

loc_7257FA:				; DATA XREF: .text:006A723Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, [ebp+var_44]

loc_725809:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+6FFj
		movsx	eax, [ebp+arg_10]
		push	eax
		mov	edx, [ebp+var_54]
		mov	ecx, edi
		call	KiCompleteKernelInit
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	eax, [ebp+var_48]
		mov	[eax+4Ch], ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_725838:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+3BAj
		push	ebx
		push	ebx
		push	ebx
		not	esi
		and	esi, ecx
		push	esi
		jmp	loc_72550C
; 

loc_725845:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+132j
		push	esi
		push	esi
		push	esi
		push	386h

loc_72584D:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+398j
		push	5Dh

loc_72584F:				; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+416j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_725854:				; DATA XREF: .text:006A7238o
		mov	edx, [ebp+ms_exc.exc_ptr]
		push	78h
		pop	ecx
		call	_KiFatalFilter@8 ; KiFatalFilter(x,x)
		int	3		; Trap to Debugger
_KiInitializeKernel@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiCompleteKernelInit proc near		; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+71Bp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0072A5A1 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		mov	esi, ecx
		test	edi, edi
		jz	loc_725907

loc_725878:				; CODE XREF: KiCompleteKernelInit+D0j
		push	ds:_PsInitialSystemProcess
		call	KeAttachProcess
		test	edi, edi
		jz	loc_725935

loc_72588B:				; CODE XREF: KiCompleteKernelInit+14Cj
		mov	eax, [esi+338h]
		movzx	ecx, byte ptr [esi+3C4h]
		add	eax, 48h
		lock bts [eax],	ecx
		mov	eax, [esi+338h]
		movzx	ecx, byte ptr [esi+3C4h]
		add	eax, 50h
		lock bts [eax],	ecx
		and	[ebp+var_4], 0
		lea	edi, [esi+2224h]
		mov	byte ptr [ebp+arg_0], 0

loc_7258C1:				; CODE XREF: KiCompleteKernelInit+4D4Fj
		lock bts dword ptr [edi], 0
		jb	loc_72A5A1
		xor	edx, edx
		inc	edx
		cmp	dword ptr [esi+8], 0
		mov	[esi+2238h], dl
		jnz	short loc_7258E6
		push	edx
		mov	ecx, esi
		mov	byte ptr [ebp+arg_0], dl
		call	KiSetProcessorIdle

loc_7258E6:				; CODE XREF: KiCompleteKernelInit+79j
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	ecx, esi
		push	0
		call	_KiUpdateThreadPriority@16 ; KiUpdateThreadPriority(x,x,x,x)
		xor	eax, eax
		lock and [edi],	eax
		mov	ecx, esi
		call	KiCreateCpuSetForProcessor
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_725907:				; CODE XREF: KiCompleteKernelInit+12j
		mov	eax, ds:_KiMaximumDpcQueueDepth
		mov	cl, 2
		mov	[esi+2214h], eax
		mov	eax, ds:_KiMinimumDpcRate
		mov	[esi+221Ch], eax
		mov	eax, ds:_KiAdjustDpcThreshold
		mov	[esi+4B8h], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		jmp	loc_725878
; 

loc_725935:				; CODE XREF: KiCompleteKernelInit+25j
		and	ds:dword_6CB2C0, 0
		mov	eax, offset dword_6CB2B8
		push	8
		push	0
		push	offset _KiForegroundTimerCallback@8 ; KiForegroundTimerCallback(x,x)
		push	offset _KiForegroundState
		mov	ds:dword_6CB2BC, eax
		mov	ds:dword_6CB2B8, eax
		call	_KeInitializeTimer2@16 ; KeInitializeTimer2(x,x,x,x)
		xor	edi, edi
		push	edi
		push	offset KiProcessPendingForegroundBoosts
		push	offset unk_6CB278
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	edi
		push	offset _KiTriggerForegroundBoostDpc@16 ; KiTriggerForegroundBoostDpc(x,x,x,x)
		push	offset unk_6CB298
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	edi
		push	offset _KiInvalidateRangeAllCachesTarget@16 ; KiInvalidateRangeAllCachesTarget(x,x,x,x)
		push	offset _KiUpdateVpThreadPriorityDpc
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		and	ds:_KiUpdateVpThreadPriorityLock, edi
		mov	eax, offset _KiUpdateVpThreadPriorityListHead
		mov	ds:byte_6CB2E1,	2
		mov	ds:dword_6CB2CC, eax
		mov	ds:_KiUpdateVpThreadPriorityListHead, eax
		jmp	loc_72588B
KiCompleteKernelInit endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiCreateCpuSetForProcessor proc	near	; CODE XREF: KiCompleteKernelInit+9Bp
					; KiAllocateCpuSetData(x)+5Ep

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 0072A5B4 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_KiCpuSetAffinities,	0
		push	ebx
		mov	ebx, ecx
		jz	loc_725A82
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		movzx	edi, byte ptr [ebx+3C5h]
		mov	ecx, offset _KiCpuSetLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, offset _KiCpuSetSequence
		call	RtlWriteAcquireTickLock
		movzx	esi, byte ptr [ebx+3C4h]
		mov	eax, ds:_KiCpuSetAffinities
		mov	ecx, [ebx+3C8h]
		inc	ds:_KiCpuSetCount[edi]
		inc	ds:_KiTotalCpuSetCount
		mov	[eax+esi*4], ecx
		mov	eax, ds:_KiCpuSetAffinitiesShadow
		mov	ecx, [ebx+3C8h]
		mov	[eax+esi*4], ecx
		mov	ecx, offset _KiCpuSetSequence
		mov	eax, ds:_KiSystemAllowedCpuSets[edi*8]
		mov	edx, ds:_PsInitialSystemProcess
		bts	eax, esi
		mov	ds:_KiSystemAllowedCpuSets[edi*8], eax
		mov	eax, ds:_KiNonParkedCpuSets[edi*4]
		bts	eax, esi
		mov	ds:_KiNonParkedCpuSets[edi*4], eax
		mov	eax, [edx+edi*4+428h]
		bts	eax, esi
		mov	[edx+edi*4+428h], eax
		call	_RtlWriteReleaseTickLock@4 ; RtlWriteReleaseTickLock(x)
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _KiCpuSetLock
		pop	edi
		pop	esi
		jnz	loc_72A5B4
		xor	eax, eax
		lock and [ecx],	eax

loc_725A79:				; CODE XREF: KiCreateCpuSetForProcessor+4C0Aj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_725A82:				; CODE XREF: KiCreateCpuSetForProcessor+10j
		pop	ebx
		leave
		retn
KiCreateCpuSetForProcessor endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInitializeIdleThread(x, x, x, x)
_KiInitializeIdleThread@16 proc	near	; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+6CEp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		push	edi
		push	ebx
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset @KiIdleLoop@0 ; KiIdleLoop()
		mov	[esi+40h], edi
		call	KeInitThread
		and	dword ptr [esi+58h], 0FFFFBFFFh
		xor	edx, edx
		push	edi
		mov	ecx, esi
		call	KeStartThread
		mov	edi, [ebp+arg_4]
		mov	eax, [edi+3CCh]
		mov	[esi+148h], eax
		mov	byte ptr [esi+90h], 2
		movzx	edx, byte ptr [edi+3C5h]
		mov	[esi+158h], dx
		mov	eax, [edi+3C8h]
		mov	[esi+154h], eax
		mov	ecx, [edi+3CCh]
		or	dword ptr [esi+58h], 8
		mov	[esi+164h], eax
		mov	eax, offset @KiIdleLoop@0 ; KiIdleLoop()
		mov	[esi+168h], dx
		mov	edx, offset dword_711290
		mov	[esi+88h], ecx
		mov	[esi+16Ch], ecx
		mov	byte ptr [esi+55h], 1
		mov	byte ptr [esi+92h], 2
		mov	[esi+298h], eax
		mov	[esi+2DCh], eax
		mov	eax, [edi+33Ch]
		mov	byte ptr [eax],	7Fh
		mov	byte ptr [esi+87h], 7Fh
		cmp	dword ptr [edi+3CCh], 0
		jz	short loc_725B9E
		cmp	ds:_KiSchedulerAssistThreadFlagEnabled,	0
		jnz	short loc_725BC6

loc_725B4F:				; CODE XREF: KiInitializeIdleThread(x,x,x,x)+13Ej
					; KiInitializeIdleThread(x,x,x,x)+145j
		lea	eax, [esi+33Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+344h]
		mov	[eax+4], eax
		mov	[eax], eax
		and	dword ptr [esi+34Ch], 0
		add	esi, 2E4h
		mov	eax, ds:dword_711294
		cmp	[eax], edx
		jnz	short loc_725BCD
		mov	[esi+4], eax
		mov	[esi], edx
		mov	[eax], esi
		lea	eax, [ebx+58h]
		mov	ds:dword_711294, esi
		push	dword ptr [edi+3CCh]
		push	eax
		call	_KeInterlockedSetProcessorAffinityEx@8 ; KeInterlockedSetProcessorAffinityEx(x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_725B9E:				; CODE XREF: KiInitializeIdleThread(x,x,x,x)+BEj
		mov	ds:dword_711294, edx
		mov	ecx, 8000h
		mov	ds:dword_711290, edx
		mov	eax, offset unk_7111B8
		lock or	[eax], ecx
		mov	ecx, 400000h
		mov	eax, offset unk_711468
		lock or	[eax], ecx
		jmp	short loc_725B4F
; 

loc_725BC6:				; CODE XREF: KiInitializeIdleThread(x,x,x,x)+C7j
		lock bts dword ptr [esi], 16h
		jmp	short loc_725B4F
; 

loc_725BCD:				; CODE XREF: KiInitializeIdleThread(x,x,x,x)+F3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_KiInitializeIdleThread@16 endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall KiInitPrcb(x, x)
_KiInitPrcb@8	proc near		; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+23Fp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	edi
		inc	eax
		mov	ebx, edx
		xor	edx, edx
		push	20h
		mov	[esi+3B18h], eax
		lea	eax, [esi+3BE0h]
		mov	[esi+3B20h], edx
		mov	[esi+3B38h], edx
		mov	[esi+3B88h], edx
		mov	[esi+3B8Ch], edx
		mov	[esi+3B1Ch], edx
		pop	ecx

loc_725C0D:				; CODE XREF: KiInitPrcb(x,x)+46j
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		sub	ecx, 1
		jnz	short loc_725C0D
		mov	eax, [esi+4024h]
		mov	[eax], edx
		mov	eax, [esi+4024h]
		mov	[eax+4], edx
		mov	eax, [esi+4024h]
		mov	[eax+134h], edx
		mov	eax, [esi+4024h]
		mov	[eax+138h], edx
		mov	[eax+13Ch], edx

loc_725C49:				; CODE XREF: KiInitPrcb(x,x)+90j
		mov	eax, [esi+4024h]
		add	eax, 8
		add	eax, edx
		add	edx, 8
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	edx, 100h
		jb	short loc_725C49
		mov	edi, [esi+4024h]
		mov	edx, 108h
		push	8
		pop	ecx
		mov	eax, 7F7F7F7Fh
		add	edi, edx
		rep stosd
		mov	eax, [esi+4024h]
		mov	byte ptr [eax+128h], 1
		mov	ecx, [esi+4024h]
		mov	al, [esi+3C4h]
		mov	[ecx+129h], al
		mov	eax, [esi+4024h]
		mov	byte ptr [eax+12Ah], 1
		mov	eax, [esi+4024h]
		mov	byte ptr [eax+12Bh], 1
		mov	ecx, [esi+4024h]
		mov	eax, [esi+3C8h]
		mov	[ecx+130h], eax
		lea	ecx, [esi+21E0h]
		mov	eax, [esi+4024h]
		add	eax, edx
		mov	[esi+33Ch], eax
		call	_KiInitializeDpcList@4 ; KiInitializeDpcList(x)
		xor	ecx, ecx
		lea	edi, [esi+3AE0h]
		mov	[esi+21E8h], ecx
		mov	[esi+21ECh], ecx
		mov	[esi+21F0h], ecx
		mov	[esi+223Ch], ecx
		mov	[esi+223Ah], cl
		mov	eax, ds:_KiMaximumDpcQueueDepth
		push	ecx
		mov	[esi+2214h], eax
		mov	eax, ds:_KiMinimumDpcRate
		push	offset _KiDpcWatchdog@16 ; KiDpcWatchdog(x,x,x,x)
		mov	[esi+221Ch], eax
		mov	eax, ds:_KiAdjustDpcThreshold
		push	edi
		mov	[esi+4B8h], eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	eax, [edi+1Ch]
		movzx	ecx, bx
		test	eax, eax
		jnz	short loc_725D43
		lea	eax, [ecx+20h]
		mov	[edi+2], ax

loc_725D43:				; CODE XREF: KiInitPrcb(x,x)+168j
		mov	byte ptr [esi+3AE1h], 2
		mov	eax, ecx
		xor	ecx, ecx
		movzx	edi, ax
		mov	[esi+3F64h], ecx
		lea	eax, [esi+3B2Ch]
		mov	[eax+4], eax
		xor	edx, edx
		mov	[eax], eax
		inc	edx
		mov	[esi+3F60h], edx
		mov	[esi+4058h], ecx
		mov	[esi+405Ch], ecx
		mov	[esi+488h], ecx
		mov	[esi+440h], ecx
		mov	[esi+438h], ecx
		mov	[esi+448h], ecx
		mov	[esi+450h], ecx
		mov	[esi+460h], ecx
		mov	[esi+468h], ecx
		mov	[esi+470h], ecx
		mov	[esi+478h], ecx
		mov	[esi+480h], ecx
		mov	[esi+498h], ecx
		mov	[esi+49Ch], ecx
		mov	dword ptr [esi+48Ch], offset _CcBcbSpinLock
		mov	dword ptr [esi+444h], offset _CcMasterSpinLock
		mov	dword ptr [esi+43Ch], offset _CcVacbSpinLock
		mov	dword ptr [esi+44Ch], offset _NonPagedPoolLock
		mov	dword ptr [esi+454h], offset _IopCancelSpinLock
		mov	dword ptr [esi+464h], offset _IopVpbSpinLock
		mov	dword ptr [esi+46Ch], offset _IopDatabaseLock
		mov	dword ptr [esi+474h], offset _IopCompletionLock
		mov	dword ptr [esi+47Ch], offset _NtfsStructLock
		mov	dword ptr [esi+484h], offset _AfdWorkQueueSpinLock
		imul	eax, ebx, 3
		mov	[esi+2224h], ecx
		mov	[esi+3B28h], ecx
		lea	ecx, [esi+4174h]
		push	ecx
		push	offset _KiEntropyDpcRoutine@16 ; KiEntropyDpcRoutine(x,x,x,x)
		and	eax, 3FFh
		mov	[esi+3B00h], edx
		mov	[ecx], eax
		lea	eax, [esi+4278h]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		test	ebx, ebx
		jz	short loc_725E88

loc_725E5B:				; CODE XREF: KiInitPrcb(x,x)+31Fj
		mov	ecx, esi
		call	_KiIntSteerInitPrcb@4 ;	KiIntSteerInitPrcb(x)
		xor	ecx, ecx
		add	esi, 45E8h
		push	ecx
		push	offset _KiAbDeferredProcessingWorker@16	; KiAbDeferredProcessingWorker(x,x,x,x)
		push	esi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	eax, [esi+1Ch]
		test	eax, eax
		jnz	short loc_725E84
		lea	eax, [edi+20h]
		mov	[esi+2], ax

loc_725E84:				; CODE XREF: KiInitPrcb(x,x)+2A9j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_725E88:				; CODE XREF: KiInitPrcb(x,x)+287j
		mov	al, ds:_KiClockKeepAliveCycle
		xor	ecx, ecx
		mov	ds:_KiClockPollCycle, al
		xor	eax, eax
		inc	eax
		mov	ds:_KiReverseStallIpiLock, ecx
		mov	ds:_CcBcbSpinLock, ecx
		mov	ds:_CcMasterSpinLock, ecx
		mov	ds:_CcVacbSpinLock, ecx
		mov	ds:_IopCancelSpinLock, ecx
		mov	ds:_IopCompletionLock, ecx
		mov	ds:_IopDatabaseLock, ecx
		mov	ds:_IopVpbSpinLock, ecx
		mov	ds:_NonPagedPoolLock, ecx
		mov	ds:_NtfsStructLock, ecx
		mov	ds:_AfdWorkQueueSpinLock, ecx
		mov	ds:_KeSleepingProcessors, ax
		mov	ds:word_6C75E2,	ax
		mov	ds:dword_6C75E4, ecx
		mov	ds:dword_6C75E8, ecx
		jmp	loc_725E5B
_KiInitPrcb@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetCacheInformationIntel(x)
_KiSetCacheInformationIntel@4 proc near	; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+232p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+1Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+28h+var_18], ecx
		lea	edi, [esp+28h+var_14]
		xor	ecx, ecx
		stosd
		push	ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		cpuid
		mov	esi, ebx
		lea	edi, [esp+2Ch+var_14]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	eax, [esp+28h+var_14]
		add	eax, 0FFFFFFFCh
		cmp	eax, 7FFFFFFBh
		ja	short loc_725F51
		mov	ecx, [esp+28h+var_18]
		push	4
		pop	edx
		call	KiSetStandardizedCacheInformation

loc_725F51:				; CODE XREF: KiSetCacheInformationIntel(x)+4Dj
		mov	ecx, [esp+28h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_KiSetCacheInformationIntel@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSetStandardizedCacheInformation proc near ; CODE XREF: KiSetCacheInformationIntel(x)+56p
					; KiSetCacheInformationAmd(x)+8Cp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072A5C1 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		lea	eax, [ecx+3FD4h]
		mov	[ebp+var_2C], ecx
		xor	ecx, ecx
		mov	[ebp+var_30], edx
		and	[ebp+var_20], ecx
		push	esi
		push	edi
		mov	[ebp+var_18], eax
		mov	[ebp+var_28], ecx
		mov	[ebp+var_1C], 4038h
		mov	[ebp+var_24], eax

loc_725F9A:				; CODE XREF: KiSetStandardizedCacheInformation+16Dj
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, edx
		cpuid
		mov	esi, ebx
		lea	edi, [ebp+var_14]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	ecx, [ebp+var_14]
		mov	edx, ecx
		mov	eax, [ebp+var_10]
		mov	edi, [ebp+var_C]
		shl	edx, 1Bh
		sar	edx, 1Bh
		test	edx, edx
		jz	loc_726113
		sub	edx, 1
		jz	loc_726104
		sub	edx, 1
		jz	loc_7260F5
		sub	edx, 1
		jnz	loc_72A5C1
		mov	ebx, [ebp+var_18]
		and	[ebx+8], edx

loc_725FF4:				; CODE XREF: KiSetStandardizedCacheInformation+19Bj
					; KiSetStandardizedCacheInformation+1AAj ...
		test	ecx, 200h
		jnz	loc_72A5DA
		mov	edx, eax
		shr	edx, 16h
		inc	dl

loc_726007:				; CODE XREF: KiSetStandardizedCacheInformation+4679j
		mov	[ebx+1], dl
		mov	esi, eax
		mov	edx, ecx
		shr	esi, 0Ch
		shr	edx, 5
		and	esi, 3FFh
		and	dl, 7
		shr	ecx, 0Eh
		mov	[ebx], dl
		mov	edx, eax
		and	edx, 0FFFh
		inc	edx
		inc	esi
		mov	[ebx+2], dx
		mov	edx, eax
		and	edx, 0FFFh
		shr	eax, 16h
		inc	edx
		imul	esi, edx
		inc	eax
		mov	edx, [ebp+var_2C]
		imul	esi, eax
		lea	eax, [edi+1]
		imul	esi, eax
		mov	[ebx+4], esi
		mov	ebx, [edx+3C8h]
		and	ecx, 0FFFh
		jbe	short loc_7260A8
		lea	eax, [ecx+1]
		xor	edi, edi
		lea	eax, ds:0FFFFFFFFh[eax*2]
		bsr	ecx, eax
		mov	al, 1
		shl	al, cl
		movzx	esi, al
		movzx	eax, byte ptr [edx+3D49h]
		dec	esi
		not	esi
		and	eax, esi
		mov	[ebp+var_18], eax
		cmp	ds:_KeNumberProcessors,	edi
		jbe	short loc_7260A8

loc_72608A:				; CODE XREF: KiSetStandardizedCacheInformation+142j
		mov	ecx, ds:_KiProcessorBlock[edi*4]
		movzx	eax, byte ptr [ecx+3D49h]
		and	eax, esi
		cmp	eax, [ebp+var_18]
		jz	short loc_7260D9

loc_72609F:				; CODE XREF: KiSetStandardizedCacheInformation+181j
					; KiSetStandardizedCacheInformation+18Fj
		inc	edi
		cmp	edi, ds:_KeNumberProcessors
		jb	short loc_72608A

loc_7260A8:				; CODE XREF: KiSetStandardizedCacheInformation+F7j
					; KiSetStandardizedCacheInformation+124j
		mov	eax, [ebp+var_1C]
		inc	[ebp+var_20]
		mov	[eax+edx], ebx
		mov	eax, [ebp+var_24]
		add	eax, 0Ch
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], eax

loc_7260BD:				; CODE XREF: KiSetStandardizedCacheInformation+4661j
		mov	ecx, [ebp+var_28]
		add	[ebp+var_1C], 4
		inc	ecx
		mov	eax, [ebp+var_20]
		mov	edx, [ebp+var_30]
		mov	[ebp+var_28], ecx
		cmp	eax, 5
		jb	loc_725F9A
		jmp	short loc_726116
; 

loc_7260D9:				; CODE XREF: KiSetStandardizedCacheInformation+139j
		mov	eax, [ecx+338h]
		cmp	eax, [edx+338h]
		jnz	short loc_72609F
		mov	eax, [ebp+var_1C]
		or	ebx, [ecx+3C8h]
		or	[eax+ecx], ebx
		jmp	short loc_72609F
; 

loc_7260F5:				; CODE XREF: KiSetStandardizedCacheInformation+7Bj
		mov	ebx, [ebp+var_18]
		mov	dword ptr [ebx+8], 1
		jmp	loc_725FF4
; 

loc_726104:				; CODE XREF: KiSetStandardizedCacheInformation+72j
		mov	ebx, [ebp+var_18]
		mov	dword ptr [ebx+8], 2
		jmp	loc_725FF4
; 

loc_726113:				; CODE XREF: KiSetStandardizedCacheInformation+69j
		mov	eax, [ebp+var_20]

loc_726116:				; CODE XREF: KiSetStandardizedCacheInformation+173j
		mov	ecx, [ebp+var_2C]
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx+4010h], eax
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
KiSetStandardizedCacheInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiGetCacheInformation proc near		; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+212p

var_8E		= byte ptr -8Eh
var_8D		= byte ptr -8Dh
var_8C		= dword	ptr -8Ch
var_85		= byte ptr -85h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_54		= dword	ptr -54h
var_4C		= byte ptr -4Ch
var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072A5E2 SIZE 000002AF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 94h
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+94h+var_4], eax
		mov	edx, large fs:1Ch
		push	ebx
		xor	ebx, ebx
		mov	[esp+98h+var_84], 40h
		mov	[esp+98h+var_80], ebx
		mov	eax, ebx
		mov	[esp+98h+var_8C], eax
		mov	[esp+98h+var_8D], bl
		mov	[esp+98h+var_78], edx
		mov	[edx+90h], ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	loc_726318
		sub	ecx, 1
		jnz	loc_72A5E2

loc_726187:				; CODE XREF: KiGetCacheInformation+44BCj
		xor	eax, eax
		lea	edi, [esp+0A0h+var_24]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		cpuid
		mov	esi, ebx
		lea	edi, [esp+0A4h+var_24]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		push	2
		pop	ecx
		mov	[edi+0Ch], edx
		cmp	[esp+0A0h+var_24], ecx
		jb	loc_726300
		and	[esp+0A0h+var_7C], 0
		mov	[esp+0A0h+var_85], 1

loc_7261C5:				; CODE XREF: KiGetCacheInformation+1CCj
		xor	eax, eax
		lea	edi, [esp+0A0h+var_74]
		stosd
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, ecx
		xor	ecx, ecx
		lea	edi, [esp+0A4h+var_74]
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		cmp	[esp+0A0h+var_85], 0
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	eax, [esp+0A0h+var_70]
		mov	ecx, [esp+0A0h+var_74]
		mov	[esp+0A0h+var_10], eax
		mov	eax, [esp+0A0h+var_6C]
		mov	[esp+0A0h+var_C], eax
		mov	eax, [esp+0A0h+var_68]
		mov	[esp+0A0h+var_14], ecx
		mov	[esp+0A0h+var_8], eax
		jz	loc_72A723
		movzx	edi, cl
		mov	byte ptr [esp+0A0h+var_14], 0

loc_72622B:				; CODE XREF: KiGetCacheInformation+45F9j
		mov	[esp+0A0h+var_85], 0
		xor	esi, esi

loc_726232:				; CODE XREF: KiGetCacheInformation+1BCj
		mov	ecx, [esp+esi*4+0A0h+var_14]
		mov	[esp+0A0h+var_7C], ecx
		test	ecx, ecx
		js	loc_7262E6
		jz	loc_7262E6

loc_72624B:				; CODE XREF: KiGetCacheInformation+1B2j
		shr	[esp+0A0h+var_7C], 8
		test	cl, cl
		jz	loc_7262DA
		cmp	cl, 47h
		jbe	loc_726350

loc_726261:				; CODE XREF: KiGetCacheInformation+225j
		cmp	cl, 7Ch
		jbe	loc_72632D

loc_72626A:				; CODE XREF: KiGetCacheInformation+202j
		lea	eax, [ecx+7Fh]
		cmp	al, 4
		jbe	loc_72A72C
		lea	eax, [ecx-22h]
		cmp	al, 7
		jbe	loc_72A768
		cmp	cl, 69h
		jb	loc_72633B

loc_726289:				; CODE XREF: KiGetCacheInformation+210j
		cmp	cl, 0F0h
		jz	loc_726344
		cmp	cl, 2Ch
		jz	loc_726344
		cmp	cl, 0F1h
		jz	loc_72A801
		cmp	cl, 4Ch
		jbe	loc_72635E

loc_7262AD:				; CODE XREF: KiGetCacheInformation+233j
		cmp	cl, 78h
		jz	loc_72A810
		cmp	cl, 7Dh
		jz	loc_72A810
		cmp	cl, 7Fh
		jz	loc_72A810
		cmp	cl, 86h
		jz	loc_72A810
		cmp	cl, 87h
		jz	loc_72A810

loc_7262DA:				; CODE XREF: KiGetCacheInformation+124j
					; KiGetCacheInformation+220j ...
		mov	ecx, [esp+0A0h+var_7C]
		test	ecx, ecx
		jnz	loc_72624B

loc_7262E6:				; CODE XREF: KiGetCacheInformation+111j
					; KiGetCacheInformation+117j
		inc	esi
		cmp	esi, 4
		jb	loc_726232
		sub	edi, 1
		push	2
		mov	[esp+0A4h+var_7C], edi
		pop	ecx
		jnz	loc_7261C5

loc_726300:				; CODE XREF: KiGetCacheInformation+87j
					; KiGetCacheInformation+44F7j ...
		mov	eax, [esp+0A0h+var_8C]

loc_726304:				; CODE XREF: KiGetCacheInformation+44C2j
					; KiGetCacheInformation+45F0j
		mov	ecx, [esp+0A0h+var_84]
		cmp	ecx, ds:_KeLargestCacheLine
		ja	short loc_72636C

loc_726310:				; CODE XREF: KiGetCacheInformation+244j
		cmp	eax, ds:_KiLargestCacheSize
		ja	short loc_726374

loc_726318:				; CODE XREF: KiGetCacheInformation+4Aj
					; KiGetCacheInformation+24Bj
		mov	ecx, [esp+0A0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_72632D:				; CODE XREF: KiGetCacheInformation+136j
		cmp	cl, 78h
		jbe	loc_72626A
		jmp	loc_72A72C
; 

loc_72633B:				; CODE XREF: KiGetCacheInformation+155j
		cmp	cl, 65h
		jbe	loc_726289

loc_726344:				; CODE XREF: KiGetCacheInformation+15Ej
					; KiGetCacheInformation+167j
		mov	ds:_KePrefetchNTAGranularity, 40h
		jmp	short loc_7262DA
; 

loc_726350:				; CODE XREF: KiGetCacheInformation+12Dj
		cmp	cl, 40h
		jbe	loc_726261
		jmp	loc_72A72C
; 

loc_72635E:				; CODE XREF: KiGetCacheInformation+179j
		cmp	cl, 4Ah
		jb	loc_7262AD
		jmp	loc_72A810
; 

loc_72636C:				; CODE XREF: KiGetCacheInformation+1E0j
		mov	ds:_KeLargestCacheLine,	ecx
		jmp	short loc_726310
; 

loc_726374:				; CODE XREF: KiGetCacheInformation+1E8j
		mov	ds:_KiLargestCacheSize,	eax
		jmp	short loc_726318
KiGetCacheInformation endp

; 
		align 4

; __stdcall KiDetectKvaLeakage(x)
_KiDetectKvaLeakage@4:			; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+1B1p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+28h], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+24h]
		stosd
		xor	ebx, ebx
		mov	[esp+14h], ebx
		stosd
		stosd
		stosd
		mov	edi, ecx
		call	_KiIsKvaShadowNeededForBranchConfusion@4 ; KiIsKvaShadowNeededForBranchConfusion(x)
		test	eax, eax
		jnz	loc_7264D7
		mov	ecx, edi
		call	_KiIsKvaShadowNeededForTsa@4 ; KiIsKvaShadowNeededForTsa(x)
		test	eax, eax
		jnz	loc_7264D7
		mov	al, [edi+3BEh]
		cmp	al, 1
		jz	short loc_7263E1
		cmp	al, 5
		jnz	loc_7265D9
		cmp	byte ptr [edi+14h], 6
		jnz	short loc_726412
		cmp	byte ptr [edi+17h], 0Dh
		jmp	short loc_72640C
; 

loc_7263E1:				; CODE XREF: PAGELK:007263CBj
		cmp	byte ptr [edi+14h], 6
		jnz	short loc_726412
		mov	al, [edi+17h]
		cmp	al, 1Ch
		jz	loc_7265D9
		cmp	al, 26h
		jz	loc_7265D9
		cmp	al, 27h
		jz	loc_7265D9
		cmp	al, 36h
		jz	loc_7265D9
		cmp	al, 35h

loc_72640C:				; CODE XREF: PAGELK:007263DFj
		jz	loc_7265D9

loc_726412:				; CODE XREF: PAGELK:007263D9j
					; PAGELK:007263E5j
		xor	eax, eax
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [esp+24h]
		mov	[ebx], eax
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		xor	ebx, ebx
		cmp	dword ptr [esp+24h], 7
		mov	[esp+10h], ebx
		jb	loc_7264C2
		push	7
		pop	eax
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [esp+24h]
		mov	[ebx], eax
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		test	dword ptr [esp+30h], 20000000h
		jz	short loc_72646B
		mov	ecx, 10Ah
		rdmsr
		jmp	short loc_72646F
; 

loc_72646B:				; CODE XREF: PAGELK:00726460j
		mov	eax, [esp+10h]

loc_72646F:				; CODE XREF: PAGELK:00726469j
		xor	ecx, ecx
		xor	ebx, ebx
		inc	ecx
		and	eax, ecx
		or	eax, ebx
		jz	short loc_7264C2
		mov	edx, ds:_KeFeatureBits2
		mov	eax, edx
		mov	ds:_KiMicrocodeTrackerEnabled, ecx
		and	eax, 20h
		or	eax, ebx
		mov	cl, bl
		mov	[esp+0Fh], cl
		jnz	short loc_7264A4
		mov	eax, edx
		and	eax, 8
		or	eax, ebx
		jz	short loc_7264A4
		mov	cl, 1
		mov	[esp+0Fh], cl

loc_7264A4:				; CODE XREF: PAGELK:00726493j
					; PAGELK:0072649Cj
		mov	eax, 380000h
		and	edx, eax
		cmp	edx, eax
		jz	short loc_7264BA
		call	_KiIsFbClearSupported@0	; KiIsFbClearSupported()
		mov	cl, [esp+0Fh]
		or	cl, al

loc_7264BA:				; CODE XREF: PAGELK:007264ADj
		test	cl, cl
		jz	loc_7265D9

loc_7264C2:				; CODE XREF: PAGELK:00726437j
					; PAGELK:00726478j
		cmp	[edi+3CCh], ebx
		jz	short loc_7264D7
		cmp	ds:_KiKvaLeakage, 0
		jz	loc_7265EB

loc_7264D7:				; CODE XREF: PAGELK:007263AEj
					; PAGELK:007263BDj ...
		mov	ds:_KiKvaLeakage, 1
		cmp	byte ptr [edi+3BEh], 1
		jnz	loc_7265CA
		mov	eax, ds:_KeFeatureBits2
		and	eax, 10h
		or	eax, ebx
		jnz	loc_7265CA
		lea	ecx, [esp+14h]
		call	_HvlGetImplementedPhysicalBits@4 ; HvlGetImplementedPhysicalBits(x)
		test	al, al
		jnz	loc_726598
		mov	edx, [edi+21C4h]
		mov	ecx, ebx
		movzx	esi, byte ptr [edi+3BEh]
		push	2Eh
		pop	eax

loc_72651E:				; CODE XREF: PAGELK:00726539j
		cmp	ds:_KiCpuTable[ecx], esi
		jnz	short loc_72652E
		cmp	ds:dword_4183A4[ecx], edx
		jz	short loc_72653D

loc_72652E:				; CODE XREF: PAGELK:00726524j
		inc	ebx
		imul	ecx, ebx, 14h
		cmp	ds:dword_4183A8[ecx], 13h
		jnz	short loc_72651E
		jmp	short loc_72659C
; 

loc_72653D:				; CODE XREF: PAGELK:0072652Cj
		imul	eax, ebx, 14h
		mov	eax, ds:dword_4183AC[eax]
		test	eax, eax
		jnz	short loc_72659C
		mov	eax, 80000000h
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [esp+24h]
		mov	[ebx], eax
		mov	eax, 80000008h
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		cmp	[esp+24h], eax
		jb	short loc_726590
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [esp+24h]
		mov	[ebx], eax
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		mov	eax, [esp+24h]
		jmp	short loc_726593
; 

loc_726590:				; CODE XREF: PAGELK:00726570j
		push	24h
		pop	eax

loc_726593:				; CODE XREF: PAGELK:0072658Ej
		movzx	eax, al
		jmp	short loc_72659C
; 

loc_726598:				; CODE XREF: PAGELK:00726506j
		mov	eax, [esp+14h]

loc_72659C:				; CODE XREF: PAGELK:0072653Bj
					; PAGELK:00726548j ...
		mov	edx, [edi+3CCh]
		test	edx, edx
		jz	short loc_7265C3
		mov	ecx, ds:_KiImplementedPhysicalBits
		cmp	eax, ecx
		jz	short loc_7265D9
		cmp	ds:_KiKvaLeakageSimulate, 0
		jnz	short loc_7265D9
		push	ecx
		push	eax
		push	edx
		push	4C315446h
		jmp	short loc_7265F3
; 

loc_7265C3:				; CODE XREF: PAGELK:007265A4j
		mov	ds:_KiImplementedPhysicalBits, eax
		jmp	short loc_7265D9
; 

loc_7265CA:				; CODE XREF: PAGELK:007264E5j
					; PAGELK:007264F5j
		cmp	[edi+3CCh], ebx
		jnz	short loc_7265D9
		or	ds:_KiImplementedPhysicalBits, 0FFFFFFFFh

loc_7265D9:				; CODE XREF: PAGELK:007263CFj
					; PAGELK:007263ECj ...
		mov	ecx, [esp+34h]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7265EB:				; CODE XREF: PAGELK:007264D1j
		push	ebx
		push	ebx
		push	ebx
		push	4B56414Ch

loc_7265F3:				; CODE XREF: PAGELK:007265C1j
		push	5Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInitializeXSave proc near		; CODE XREF: KiSystemStartup(x)+1DAp

var_35C		= dword	ptr -35Ch
var_358		= dword	ptr -358h
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_32C		= byte ptr -32Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0072A891 SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+34Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		xor	edi, edi
		mov	[esp+358h+var_344], edi
		mov	[esp+358h+var_348], edi
		test	esi, esi
		jz	loc_726704

loc_726633:				; CODE XREF: KiInitializeXSave+110j
		push	338h		; size_t
		lea	eax, [esp+35Ch+var_340]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esp+358h+var_340]
		call	KiGetXSaveSupportedFeatures
		lea	edx, [esp+358h+var_348]
		lea	ecx, [esp+358h+var_344]
		call	KiGetIptInfo
		test	esi, esi
		jz	loc_726711
		mov	ecx, ds:0FFDF03D8h
		mov	eax, ecx
		mov	esi, ds:0FFDF03DCh
		mov	edx, esi
		and	eax, [esp+358h+var_340]
		and	edx, [esp+358h+var_33C]
		cmp	eax, ecx
		jnz	loc_72A8BC
		cmp	edx, esi
		jnz	loc_72A8BC
		mov	ecx, ds:0FFDF05F0h
		mov	eax, ecx
		mov	esi, ds:0FFDF05F4h
		mov	edx, esi
		and	eax, [esp+358h+var_128]
		and	edx, [esp+358h+var_124]
		cmp	eax, ecx
		jnz	loc_72A8BC
		cmp	edx, esi
		jnz	loc_72A8BC
		test	[esp+358h+var_32C], 1
		jz	loc_72A8AF

loc_7266C5:				; CODE XREF: KiInitializeXSave+42BAj
		test	[esp+358h+var_32C], 2
		jnz	short loc_7266D9
		test	byte ptr ds:0FFDF03ECh,	2
		jnz	loc_72A8BC

loc_7266D9:				; CODE XREF: KiInitializeXSave+CEj
		mov	ecx, ds:_KiIptMsrMask
		mov	eax, ecx
		and	eax, [esp+358h+var_348]
		cmp	eax, ecx
		jnz	loc_72A8D0

loc_7266ED:				; CODE XREF: KiInitializeXSave+16Bj
					; KiInitializeXSave+42AEj
		mov	ecx, [esp+358h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_726704:				; CODE XREF: KiInitializeXSave+31j
		mov	ecx, [ebx+78h]	; char *
		call	KiParseLoadOptions
		jmp	loc_726633
; 

loc_726711:				; CODE XREF: KiInitializeXSave+62j
		lea	edx, [esp+358h+var_340]
		mov	ecx, ebx
		call	_KiIntersectFeaturesWithLoader@8 ; KiIntersectFeaturesWithLoader(x,x)
		mov	ecx, ebx
		call	KiIntersectFeaturesWithPolicy
		lea	ecx, [esp+358h+var_340]
		call	KiIntersectFeaturesWithTest
		call	KiUpdateXSaveSizeAndVolatileFeatures
		mov	ecx, 0CEh
		lea	esi, [esp+358h+var_340]
		mov	edi, 0FFDF03D8h
		rep movsd
		mov	eax, [esp+358h+var_340]
		or	eax, [esp+358h+var_33C]
		jz	short loc_72675A
		mov	eax, ds:0FFDF0600h
		mov	ds:_KeXStateLength, eax
		mov	ds:_KiXSaveAreaLength, eax

loc_72675A:				; CODE XREF: KiInitializeXSave+14Dj
		mov	eax, [ebx+84h]
		test	byte ptr [eax+0A60h], 20h
		jz	short loc_7266ED
		jmp	loc_72A891
KiInitializeXSave endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiGetFeatureBits proc near		; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+138p

var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_122		= byte ptr -122h
var_121		= byte ptr -121h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_E4		= dword	ptr -0E4h
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_C4		= dword	ptr -0C4h
var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_84		= dword	ptr -84h
var_74		= dword	ptr -74h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_54		= dword	ptr -54h
var_4C		= byte ptr -4Ch
var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_28		= byte ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072A8E1 SIZE 000004FC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 12Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+12Ch+var_4], eax
		push	ebx
		mov	ebx, large fs:20h
		push	esi
		push	edi
		mov	[esp+138h+var_121], 1
		mov	[esp+138h+var_11C], ebx
		call	KiGetCpuVendor
		mov	[esp+138h+var_118], eax
		mov	[ebx+3BEh], al
		test	eax, eax
		jz	loc_72A8E1
		xor	eax, eax
		lea	edi, [esp+138h+var_104]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		lea	edi, [esp+13Ch+var_104]
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	ebx, [esp+138h+var_11C]
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	ecx, [esp+138h+var_100]
		mov	eax, ecx
		mov	edi, [esp+138h+var_104]
		mov	edx, edi
		mov	esi, [esp+138h+var_F8]
		shr	eax, 18h
		mov	[ebx+3D49h], al
		mov	eax, ecx
		shr	ecx, 10h
		shr	eax, 5
		and	eax, 7F8h
		mov	[esp+138h+var_110], ecx
		mov	ecx, ebx
		mov	[esp+138h+var_120], esi
		mov	[ebx+3B8h], eax
		call	_KiSetProcessorSignature@8 ; KiSetProcessorSignature(x,x)
		mov	edx, [ebx+3D50h]
		mov	ecx, [ebx+3D54h]
		or	edx, 200h
		xor	ebx, ebx
		mov	[esp+138h+var_128], edx
		cmp	[esp+138h+var_118], 2
		mov	[esp+138h+var_12C], ecx
		jz	loc_72A8ED

loc_72683F:				; CODE XREF: KiGetFeatureBits+419Bj
					; KiGetFeatureBits+41AEj
		xor	eax, eax
		lea	edi, [esp+138h+var_D4]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		cpuid
		mov	esi, ebx
		lea	edi, [esp+13Ch+var_D4]
		pop	ebx
		nop
		mov	[edi], eax
		xor	eax, eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	[esp+138h+var_114], eax
		cmp	[esp+138h+var_121], al
		jz	short loc_7268AC
		lea	edi, [esp+138h+var_F4]
		xor	ecx, ecx
		stosd
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, 80000000h
		cpuid
		mov	esi, ebx
		lea	edi, [esp+13Ch+var_F4]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	eax, [esp+138h+var_F4]
		and	eax, 0FFFFFF00h
		cmp	eax, 80000000h
		jnz	short loc_7268AC
		mov	eax, [esp+138h+var_F4]
		mov	[esp+138h+var_114], eax

loc_7268AC:				; CODE XREF: KiGetFeatureBits+FFj
					; KiGetFeatureBits+134j
		mov	eax, [esp+138h+var_118]
		mov	edi, [esp+138h+var_11C]
		cmp	eax, 1
		jnz	loc_72A979
		mov	edx, [esp+138h+var_128]
		mov	al, [edi+14h]
		or	edx, (offset loc_7FFFFF+1)
		mov	ecx, [esp+138h+var_12C]
		mov	[esp+138h+var_128], edx
		mov	[esp+138h+var_12C], ecx
		cmp	al, 6
		jl	loc_72A921
		xor	eax, eax
		lea	edi, [esp+138h+var_E4]
		xor	edx, edx
		mov	ecx, 8Bh
		wrmsr
		stosd
		push	ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		lea	edi, [esp+13Ch+var_E4]
		xor	ecx, ecx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	ecx, 8Bh
		mov	[edi+0Ch], edx
		mov	edi, [esp+138h+var_11C]
		mov	esi, [esp+138h+var_D8]
		rdmsr
		mov	ecx, [esp+138h+var_12C]
		mov	[edi+3D5Ch], edx
		mov	edx, [esp+138h+var_128]
		mov	[esp+138h+var_120], esi
		mov	[edi+3D58h], eax

loc_726933:				; CODE XREF: KiGetFeatureBits+41B5j
					; KiGetFeatureBits+41C2j
		mov	eax, [esp+138h+var_104]
		mov	esi, eax
		and	esi, 0FF0h
		cmp	esi, 610h
		jz	loc_72A935

loc_72694B:				; CODE XREF: KiGetFeatureBits+41D2j
		cmp	esi, 630h
		jz	loc_72A945

loc_726957:				; CODE XREF: KiGetFeatureBits+41DBj
					; KiGetFeatureBits+41EFj
		cmp	byte ptr [edi+14h], 6
		jl	loc_72A962
		jnz	short loc_726972
		mov	eax, 303h
		cmp	[edi+16h], ax
		jb	loc_72A962

loc_726972:				; CODE XREF: KiGetFeatureBits+1F3j
					; KiGetFeatureBits+4231j
		mov	eax, [esp+138h+var_118]

loc_726976:				; CODE XREF: KiGetFeatureBits+420Ej
					; KiGetFeatureBits+4218j
		mov	edx, [esp+138h+var_120]

loc_72697A:				; CODE XREF: KiGetFeatureBits+4206j
		mov	esi, [esp+138h+var_128]
		mov	ebx, [esp+138h+var_12C]
		test	dl, 2
		jz	short loc_726992
		or	esi, 5
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi

loc_726992:				; CODE XREF: KiGetFeatureBits+217j
		test	dl, 8
		jz	short loc_7269A2
		or	esi, 24h
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi

loc_7269A2:				; CODE XREF: KiGetFeatureBits+227j
		test	dl, 10h
		jz	short loc_7269B2
		or	esi, 2
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi

loc_7269B2:				; CODE XREF: KiGetFeatureBits+237j
		test	edx, 80000h
		jz	short loc_7269C8
		or	esi, 40000h
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi

loc_7269C8:				; CODE XREF: KiGetFeatureBits+24Aj
		mov	ecx, 100h
		test	edx, ecx
		jz	loc_72A9A4

loc_7269D5:				; CODE XREF: KiGetFeatureBits+42ADj
		or	esi, 80h
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi

loc_7269E3:				; CODE XREF: KiGetFeatureBits+42A7j
		mov	eax, 1000h
		test	edx, 800h
		jz	short loc_726A01
		or	esi, eax
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi
		mov	ds:_KiFastSystemCallIsIA32, 1

loc_726A01:				; CODE XREF: KiGetFeatureBits+280j
		test	edx, eax
		jz	short loc_726A10
		or	esi, 40h
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi

loc_726A10:				; CODE XREF: KiGetFeatureBits+295j
		mov	edi, 2000h
		test	edx, edi
		jz	short loc_726A24
		or	esi, 14h
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi

loc_726A24:				; CODE XREF: KiGetFeatureBits+2A9j
		test	edx, 8000h
		jz	short loc_726A37
		or	esi, 8
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi

loc_726A37:				; CODE XREF: KiGetFeatureBits+2BCj
		mov	eax, 10000h
		test	edx, eax
		jz	short loc_726A4E
		or	esi, 400h
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi

loc_726A4E:				; CODE XREF: KiGetFeatureBits+2D0j
		test	edx, (offset loc_7FFFFF+1)
		jz	short loc_726A60
		or	esi, ecx
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi

loc_726A60:				; CODE XREF: KiGetFeatureBits+2E6j
		test	edx, 1000000h
		jz	short loc_726A76
		or	esi, 800h
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi

loc_726A76:				; CODE XREF: KiGetFeatureBits+2F8j
		test	edx, 2000000h
		jz	short loc_726A88
		or	esi, edi
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi

loc_726A88:				; CODE XREF: KiGetFeatureBits+30Ej
		test	edx, 4000000h
		jz	short loc_726A9A
		or	esi, eax
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi

loc_726A9A:				; CODE XREF: KiGetFeatureBits+320j
		xor	eax, eax
		mov	ecx, 80000008h
		cmp	[esp+138h+var_118], 2
		jz	loc_72AA26
		cmp	[esp+138h+var_D4], 4
		jb	loc_72AA20
		lea	edi, [esp+138h+var_C4]
		xor	ecx, ecx
		stosd
		push	4
		stosd
		stosd
		stosd
		pop	eax
		push	ebx
		cpuid
		mov	esi, ebx
		lea	edi, [esp+13Ch+var_C4]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	eax, [esp+138h+var_C4]
		shr	eax, 1Ah

loc_726AE1:				; CODE XREF: KiGetFeatureBits+4311j
		inc	eax

loc_726AE2:				; CODE XREF: KiGetFeatureBits+4309j
		mov	edx, [esp+138h+var_120]

loc_726AE6:				; CODE XREF: KiGetFeatureBits+42B3j
		mov	edi, [esp+138h+var_114]

loc_726AEA:				; CODE XREF: KiGetFeatureBits+42BFj
		mov	esi, [esp+138h+var_11C]
		lea	eax, ds:0FFFFFFFFh[eax*2]
		bsr	ecx, eax
		mov	eax, [esp+138h+var_118]
		xor	ebx, ebx
		inc	ebx
		shl	ebx, cl
		xor	ecx, ecx
		inc	ecx
		mov	[esp+138h+var_120], ebx
		mov	[esi+340h], ebx
		cmp	eax, ecx
		jnz	loc_72AA84

loc_726B16:				; CODE XREF: KiGetFeatureBits+4319j
		test	edx, 10000000h
		jz	loc_72AB88
		mov	eax, [esp+138h+var_110]
		xor	edx, edx
		movzx	eax, al
		inc	edx
		lea	eax, ds:0FFFFFFFFh[eax*2]
		bsr	ecx, eax
		mov	al, dl
		shl	al, cl
		movzx	eax, al
		mov	[esi+3D38h], eax
		cmp	eax, edx
		jbe	loc_72AB7B
		mov	ds:_KiSMTProcessorsPresent, dl

loc_726B51:				; CODE XREF: KiGetFeatureBits+4415j
		xor	edx, edx
		div	ebx
		mov	[esi+344h], eax
		mov	cl, al

loc_726B5D:				; CODE XREF: KiGetFeatureBits+4400j
					; KiGetFeatureBits+4426j
		mov	al, [esi+340h]
		mov	[esi+3BCh], al
		mov	[esi+3BDh], cl
		call	KiIsNXSupported
		mov	ebx, [esp+138h+var_12C]
		test	al, al
		jz	short loc_726B88
		or	[esp+138h+var_128], 20000000h
		mov	[esp+138h+var_12C], ebx

loc_726B88:				; CODE XREF: KiGetFeatureBits+40Cj
		mov	ecx, ebx
		xor	eax, eax
		and	ecx, 1
		or	eax, ecx
		jz	short loc_726BBD
		movzx	eax, byte ptr [esi+3C5h]
		mov	ecx, 0C0000103h
		cdq
		mov	esi, eax
		mov	edi, edx
		mov	eax, [esp+138h+var_11C]
		shld	edi, esi, 8
		shl	esi, 8
		movzx	eax, byte ptr [eax+3C4h]
		cdq
		or	eax, esi
		or	edx, edi
		wrmsr

loc_726BBD:				; CODE XREF: KiGetFeatureBits+423j
		mov	ecx, 80000001h
		cmp	[esp+138h+var_114], ecx
		jb	loc_726C8C
		xor	eax, eax
		lea	edi, [esp+138h+var_74]
		stosd
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, ecx
		xor	ecx, ecx
		lea	edi, [esp+13Ch+var_74]
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		xor	eax, eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	ecx, [esp+138h+var_11C]
		mov	[edi+0Ch], edx
		cmp	[ecx+3CCh], eax
		jz	loc_726DD6

loc_726C08:				; CODE XREF: KiGetFeatureBits+66Fj
					; KiGetFeatureBits+443Fj ...
		mov	eax, [esp+138h+var_118]
		sub	eax, 1
		jnz	loc_72AC03

loc_726C15:				; CODE XREF: KiGetFeatureBits+449Dj
		mov	edx, 80000008h
		cmp	[esp+138h+var_114], edx
		jb	loc_72AC11
		xor	eax, eax
		lea	edi, [esp+138h+var_64]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, edx
		cpuid
		mov	esi, ebx
		lea	edi, [esp+13Ch+var_64]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	eax, [esp+138h+var_64]

loc_726C55:				; CODE XREF: KiGetFeatureBits+44E8j
		mov	ds:_KiMtrrMaxRangeShift, al
		xor	edx, edx
		movzx	ecx, al
		xor	eax, eax
		inc	eax
		call	__allshl
		mov	ebx, [esp+138h+var_12C]
		sub	eax, 1
		sbb	edx, 0
		and	eax, 0FFFFF000h
		mov	ds:_KiMtrrMaskBase, eax
		mov	ds:dword_6B3FAC, edx
		mov	ds:_KiMtrrMaskMask, eax
		mov	ds:dword_6B3FB4, edx

loc_726C8C:				; CODE XREF: KiGetFeatureBits+458j
		mov	ecx, [esp+138h+var_11C]

loc_726C90:				; CODE XREF: KiGetFeatureBits+44A7j
					; KiGetFeatureBits+44FCj ...
		mov	eax, ds:0FFDF03D8h
		or	eax, ds:0FFDF03DCh
		jz	short loc_726CA9
		or	[esp+138h+var_128], 400000h
		mov	[esp+138h+var_12C], ebx

loc_726CA9:				; CODE XREF: KiGetFeatureBits+52Dj
		mov	al, [ecx+3BEh]
		mov	[esp+138h+var_121], al
		cmp	al, 1
		jnz	loc_72ACB0
		xor	eax, eax
		lea	edi, [esp+138h+var_54]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		lea	edi, [esp+13Ch+var_54]
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	[esp+138h+var_4C], 20h
		jz	loc_726DE8
		mov	ecx, 482h
		xor	ebx, ebx
		rdmsr
		cmp	edx, ebx
		jl	short loc_726D0F
		jg	loc_72AC9C
		cmp	eax, ebx
		jnb	loc_72AC9C

loc_726D0F:				; CODE XREF: KiGetFeatureBits+591j
		mov	esi, [esp+138h+var_128]
		mov	ecx, 48Bh
		rdmsr
		mov	eax, ebx
		and	edx, 2
		or	eax, edx
		mov	ebx, [esp+138h+var_12C]
		jz	short loc_726D35
		or	esi, 4000000h
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi

loc_726D35:				; CODE XREF: KiGetFeatureBits+5B7j
					; KiGetFeatureBits+4536j
		push	3Ah
		pop	ecx
		rdmsr
		mov	edi, eax
		mov	ecx, edi
		and	ecx, 5
		cmp	ecx, 5
		jnz	loc_72ACA9
		xor	ecx, ecx
		mov	[esp+138h+var_12C], ebx
		or	esi, 8000000h
		mov	[esp+138h+var_128], esi

loc_726D5A:				; CODE XREF: KiGetFeatureBits+453Dj
		mov	eax, edi
		and	eax, 4
		or	eax, ecx
		jz	short loc_726D6A
		or	ds:_KiVirtFlags, 1

loc_726D6A:				; CODE XREF: KiGetFeatureBits+5F3j
		mov	al, [esp+138h+var_121]
		and	edi, 1
		or	edi, ecx
		jz	short loc_726D7C
		or	ds:_KiVirtFlags, 2

loc_726D7C:				; CODE XREF: KiGetFeatureBits+605j
					; KiGetFeatureBits+67Ej ...
		cmp	al, 1
		jnz	short loc_726DB9
		xor	eax, eax
		lea	edi, [esp+138h+var_24]
		stosd
		xor	ecx, ecx
		push	7
		stosd
		stosd
		stosd
		pop	eax
		push	ebx
		cpuid
		mov	esi, ebx
		lea	edi, [esp+13Ch+var_24]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	[esp+138h+var_20], 4
		jnz	loc_72AD79

loc_726DB9:				; CODE XREF: KiGetFeatureBits+610j
					; KiGetFeatureBits+4619j
		mov	eax, [esp+138h+var_128]
		mov	edx, [esp+138h+var_12C]

loc_726DC1:				; CODE XREF: KiGetFeatureBits+417Aj
					; KiGetFeatureBits+465Aj ...
		mov	ecx, [esp+138h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_726DD6:				; CODE XREF: KiGetFeatureBits+494j
		cmp	byte ptr [ecx+3BEh], 2
		jnz	loc_726C08
		jmp	loc_72AB99
; 

loc_726DE8:				; CODE XREF: KiGetFeatureBits+580j
		mov	al, [esp+138h+var_121]
		jmp	short loc_726D7C
KiGetFeatureBits endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIsNXSupported	proc near		; CODE XREF: KiGetFeatureBits+401p
					; KiInitializeNxSupportDiscard+6Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072ADDD SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, 80000000h
		cpuid
		mov	esi, ebx
		lea	edi, [ebp+var_14]
		pop	ebx
		nop
		mov	[edi], eax
		mov	eax, 80000001h
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		cmp	[ebp+var_14], eax
		jb	short loc_726E64
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	[ebp+var_8], 100000h
		jz	loc_72ADDD

loc_726E53:				; CODE XREF: KiIsNXSupported+401Dj
		mov	al, 1

loc_726E55:				; CODE XREF: KiIsNXSupported+78j
					; KiIsNXSupported+4026j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_726E64:				; CODE XREF: KiIsNXSupported+42j
		xor	eax, eax
		jmp	short loc_726E55
KiIsNXSupported	endp

; 

; __stdcall KiSetProcessorSignature(x, x)
_KiSetProcessorSignature@8:		; CODE XREF: KiGetFeatureBits+A5p
		push	70h
		push	offset dword_6A7240
		call	__SEH_prolog4_GS
		mov	[ebp-6Ch], edx
		mov	[ebp-38h], ecx
		mov	[ebp-80h], ecx
		xor	eax, eax
		lea	edi, [ebp-30h]
		stosd
		stosd
		stosd
		stosd
		lea	edi, [ebp-30h]
		mov	eax, 80000000h
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	edi, [ebp-30h]
		mov	[ebp-68h], edi
		xor	eax, eax
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [ebp-30h]
		mov	[ebx], eax
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		mov	eax, [ebp-30h]
		mov	[ebp-78h], eax
		and	dword ptr [ebp-54h], 0
		and	dword ptr [ebp-50h], 0
		xor	esi, esi
		mov	[ebp-4Ch], esi
		and	[ebp-48h], esi
		and	[ebp-58h], esi
		xor	ecx, ecx
		mov	[ebp-44h], ecx
		xor	ebx, ebx
		mov	[ebp-40h], ebx

loc_726EE4:				; CODE XREF: PAGELK:00727089j
		mov	eax, ds:dword_40A178[ebx]
		mov	[ebp-34h], eax
		test	al, 2
		jnz	loc_727171
		mov	edx, eax
		shr	edx, 18h
		test	edx, edx
		jz	short loc_726F1A
		xor	eax, eax
		inc	eax
		mov	edi, [ebp-38h]
		mov	cl, [edi+3BEh]
		shl	eax, cl
		mov	ecx, [ebp-44h]
		test	eax, edx
		jz	loc_727074
		mov	edi, [ebp-68h]

loc_726F1A:				; CODE XREF: PAGELK:00726EFCj
		mov	eax, ds:_KiCpuFeatureTable[ebx]
		cmp	eax, [ebp-58h]
		jnz	short loc_726F2D
		cmp	ds:dword_40A16C[ebx], ecx
		jz	short loc_726F6F

loc_726F2D:				; CODE XREF: PAGELK:00726F23j
		mov	[ebp-58h], eax
		mov	ecx, ds:dword_40A16C[ebx]
		mov	[ebp-44h], ecx
		cmp	eax, 80000000h
		jb	short loc_726F44
		cmp	eax, edi
		jbe	short loc_726F49

loc_726F44:				; CODE XREF: PAGELK:00726F3Ej
		cmp	eax, [ebp-78h]
		ja	short loc_726F66

loc_726F49:				; CODE XREF: PAGELK:00726F42j
		lea	edi, [ebp-30h]
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	ebx, [ebp-40h]
		mov	esi, [ebp-4Ch]
		jmp	short loc_726F6F
; 

loc_726F66:				; CODE XREF: PAGELK:00726F47j
		xor	eax, eax
		lea	edi, [ebp-30h]
		stosd
		stosd
		stosd
		stosd

loc_726F6F:				; CODE XREF: PAGELK:00726F2Bj
					; PAGELK:00726F64j
		and	dword ptr [ebp-40h], 0
		mov	edi, ds:dword_40A174[ebx]
		mov	[ebp-5Ch], edi
		mov	ecx, ds:dword_40A170[ebx]
		mov	[ebp-3Ch], ecx
		mov	eax, [ebp-34h]
		mov	edx, eax
		and	edx, 8
		test	[ebp+edi*4-30h], ecx
		jnz	short loc_726FBD
		mov	[ebp-64h], edx
		test	edx, edx
		jz	short loc_726FE5
		mov	ecx, ds:dword_40A180[ebx]
		mov	edx, ds:dword_40A184[ebx]
		mov	[ebp-60h], edx
		mov	eax, ecx
		and	eax, [ebp-54h]
		and	edx, [ebp-50h]
		cmp	eax, ecx
		jnz	short loc_726FE2
		cmp	edx, [ebp-60h]
		jnz	short loc_726FE2
		mov	edx, [ebp-64h]

loc_726FBD:				; CODE XREF: PAGELK:00726F91j
					; PAGELK:00727021j
		mov	ecx, [ebp-34h]
		and	ecx, 10h
		test	edx, edx
		jz	loc_7270C2
		mov	eax, ds:dword_40A180[ebx]
		or	[ebp-54h], eax
		mov	eax, ds:dword_40A184[ebx]
		or	[ebp-50h], eax
		jmp	loc_7270D8
; 

loc_726FE2:				; CODE XREF: PAGELK:00726FB3j
					; PAGELK:00726FB8j
		mov	eax, [ebp-34h]

loc_726FE5:				; CODE XREF: PAGELK:00726F98j
		mov	ecx, eax
		and	ecx, 10h
		mov	[ebp-7Ch], ecx
		jz	short loc_727018
		mov	ecx, ds:dword_40A180[ebx]
		mov	edx, ds:dword_40A184[ebx]
		mov	[ebp-60h], edx
		mov	eax, ecx
		and	eax, esi
		and	edx, [ebp-48h]
		cmp	eax, ecx
		mov	eax, [ebp-34h]
		jnz	short loc_727018
		cmp	edx, [ebp-60h]
		jnz	short loc_727018
		mov	dword ptr [ebp-40h], 1

loc_727018:				; CODE XREF: PAGELK:00726FEDj
					; PAGELK:0072700Aj ...
		mov	ecx, [ebp-64h]
		mov	edx, ecx
		cmp	dword ptr [ebp-40h], 0
		jnz	short loc_726FBD
		test	al, 1
		jnz	loc_727179
		mov	edi, [ebp-38h]
		test	al, 4
		jz	short loc_727071
		cmp	dword ptr [edi+3CCh], 0
		jz	short loc_727071
		test	ecx, ecx
		jz	short loc_72708E
		mov	edx, ds:dword_40A180[ebx]
		mov	eax, ds:dword_40A184[ebx]
		mov	[ebp-40h], eax
		mov	ecx, edx
		and	ecx, ds:_KeFeatureBits
		mov	[ebp-34h], eax
		mov	eax, ds:dword_70E754
		and	[ebp-34h], eax
		cmp	ecx, edx
		jnz	short loc_727071
		mov	eax, [ebp-40h]
		cmp	[ebp-34h], eax

loc_72706B:				; CODE XREF: PAGELK:007270C0j
		jz	loc_727512

loc_727071:				; CODE XREF: PAGELK:00727030j
					; PAGELK:00727039j ...
		mov	ecx, [ebp-44h]

loc_727074:				; CODE XREF: PAGELK:00726F11j
					; PAGELK:00727174j
		add	ebx, 20h
		mov	[ebp-40h], ebx
		cmp	ebx, 5E0h
		jnb	loc_7271B2
		mov	edi, [ebp-68h]
		jmp	loc_726EE4
; 

loc_72708E:				; CODE XREF: PAGELK:0072703Dj
		cmp	dword ptr [ebp-7Ch], 0
		jz	short loc_727071
		mov	edx, ds:dword_40A180[ebx]
		mov	eax, ds:dword_40A184[ebx]
		mov	[ebp-40h], eax
		mov	ecx, edx
		and	ecx, ds:_KeFeatureBits2
		mov	[ebp-34h], eax
		mov	eax, ds:dword_70E77C
		and	[ebp-34h], eax
		cmp	ecx, edx
		jnz	short loc_727071
		mov	eax, [ebp-40h]
		cmp	[ebp-34h], eax
		jmp	short loc_72706B
; 

loc_7270C2:				; CODE XREF: PAGELK:00726FC5j
		test	ecx, ecx
		jz	short loc_7270D8
		or	esi, ds:dword_40A180[ebx]
		mov	[ebp-4Ch], esi
		mov	eax, ds:dword_40A184[ebx]
		or	[ebp-48h], eax

loc_7270D8:				; CODE XREF: PAGELK:00726FDDj
					; PAGELK:007270C4j
		mov	edi, [ebp-38h]
		test	byte ptr [ebp-34h], 4
		jz	short loc_727071
		cmp	dword ptr [edi+3CCh], 0
		jz	short loc_727071
		test	edx, edx
		jz	short loc_727139
		mov	edx, ds:dword_40A180[ebx]
		mov	eax, ds:dword_40A184[ebx]
		mov	[ebp-40h], eax
		mov	ecx, edx
		and	ecx, ds:_KeFeatureBits
		mov	[ebp-34h], eax
		mov	eax, ds:dword_70E754
		and	[ebp-34h], eax
		cmp	ecx, edx
		jnz	short loc_727120
		mov	eax, [ebp-40h]
		cmp	[ebp-34h], eax
		jz	loc_727071

loc_727120:				; CODE XREF: PAGELK:00727112j
					; PAGELK:0072713Bj ...
		push	ds:dword_40A174[ebx]
		push	ds:dword_40A170[ebx]
		push	ds:_KiCpuFeatureTable[ebx]
		push	0FFFFFFFDh
		jmp	loc_727521
; 

loc_727139:				; CODE XREF: PAGELK:007270ECj
		test	ecx, ecx
		jz	short loc_727120
		mov	edx, ds:dword_40A180[ebx]
		mov	eax, ds:dword_40A184[ebx]
		mov	[ebp-40h], eax
		mov	ecx, edx
		and	ecx, ds:_KeFeatureBits2
		mov	[ebp-34h], eax
		mov	eax, ds:dword_70E77C
		and	[ebp-34h], eax
		cmp	ecx, edx
		jnz	short loc_727120
		mov	eax, [ebp-40h]
		cmp	[ebp-34h], eax
		jz	loc_727071
		jmp	short loc_727120
; 

loc_727171:				; CODE XREF: PAGELK:00726EEFj
		mov	edi, [ebp-38h]
		jmp	loc_727074
; 

loc_727179:				; CODE XREF: PAGELK:00727025j
		mov	ecx, [ebp-38h]
		cmp	dword ptr [ecx+3CCh], 0
		jnz	short loc_7271A0
		push	ds:_KeLoaderBlock
		push	0
		call	KdInitSystem
		mov	edi, ds:dword_40A174[ebx]
		mov	eax, ds:dword_40A170[ebx]
		jmp	short loc_7271A3
; 

loc_7271A0:				; CODE XREF: PAGELK:00727183j
		mov	eax, [ebp-3Ch]

loc_7271A3:				; CODE XREF: PAGELK:0072719Ej
		push	edi
		push	eax
		push	ds:_KiCpuFeatureTable[ebx]
		push	0FFFFFFFFh
		jmp	loc_727521
; 

loc_7271B2:				; CODE XREF: PAGELK:00727080j
		and	dword ptr [ebp-58h], 0

loc_7271B6:				; CODE XREF: PAGELK:007273FBj
		mov	eax, [ebp-58h]
		cmp	eax, 2
		jnb	loc_72744D
		imul	ebx, eax, 18h
		add	ebx, offset _KiMsrFeatureTable
		mov	[ebp-5Ch], ebx
		mov	edx, [ebx+4]
		test	dl, 2
		jnz	loc_7273F8
		mov	esi, edx
		shr	esi, 18h
		test	esi, esi
		jz	short loc_7271F6
		xor	eax, eax
		inc	eax
		mov	cl, [edi+3BEh]
		shl	eax, cl
		test	eax, esi
		jz	loc_7273F8

loc_7271F6:				; CODE XREF: PAGELK:007271E1j
		test	dl, 8
		jz	short loc_727203
		mov	edx, [ebp-54h]
		mov	esi, [ebp-50h]
		jmp	short loc_727212
; 

loc_727203:				; CODE XREF: PAGELK:007271F9j
		test	dl, 10h
		jz	loc_7273F8
		mov	edx, [ebp-4Ch]
		mov	esi, [ebp-48h]

loc_727212:				; CODE XREF: PAGELK:00727201j
		mov	ecx, [ebx+10h]
		mov	eax, [ebx+14h]
		mov	[ebp-3Ch], eax
		mov	eax, ecx
		and	eax, edx
		mov	edx, [ebp-3Ch]
		and	edx, esi
		cmp	eax, ecx
		jnz	loc_7273F8
		cmp	edx, [ebp-3Ch]
		jnz	loc_7273F8
		and	dword ptr [ebp-4], 0
		mov	ecx, [ebx]
		rdmsr
		mov	[ebp-74h], eax
		mov	[ebp-70h], edx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_727268
; 

loc_72724C:				; DATA XREF: .text:006A7254o
		xor	eax, eax
		inc	eax
		retn
; 

loc_727250:				; DATA XREF: .text:006A7258o
		mov	esp, [ebp-18h]
		and	dword ptr [ebp-74h], 0
		and	dword ptr [ebp-70h], 0
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-5Ch]
		mov	edi, [ebp-80h]

loc_727268:				; CODE XREF: PAGELK:0072724Aj
		mov	esi, [ebx+8]
		jmp	loc_7273E5
; 

loc_727270:				; CODE XREF: PAGELK:007273F2j
		mov	edx, [esi+8]
		test	dl, 2
		jnz	loc_7273E2
		mov	eax, edx
		shr	eax, 18h
		mov	[ebp-5Ch], eax
		test	eax, eax
		jz	short loc_72729C
		xor	eax, eax
		inc	eax
		mov	cl, [edi+3BEh]
		shl	eax, cl
		test	[ebp-5Ch], eax
		jz	loc_7273E2

loc_72729C:				; CODE XREF: PAGELK:00727286j
		mov	ecx, [ebp-38h]
		and	ecx, [ebp-74h]
		mov	eax, [ebp-34h]
		and	eax, [ebp-70h]
		or	ecx, eax
		jnz	loc_727346
		test	dl, 1
		jnz	loc_727400
		test	dl, 4
		jz	loc_7273E2
		cmp	[edi+3CCh], ecx
		jz	loc_7273E2
		test	dl, 8
		jz	short loc_7272F9
		mov	ecx, [esi+10h]
		mov	eax, [esi+14h]
		mov	[ebp-3Ch], eax
		mov	eax, ds:_KeFeatureBits
		and	eax, ecx
		mov	edx, ds:dword_70E754
		and	edx, [ebp-3Ch]
		cmp	eax, ecx
		jnz	loc_7273E2
		cmp	edx, [ebp-3Ch]
		jmp	short loc_72732C
; 

loc_7272F9:				; CODE XREF: PAGELK:007272D1j
		test	dl, 10h
		jz	loc_7273E2
		mov	edx, [esi+10h]
		mov	eax, [esi+14h]
		mov	[ebp-3Ch], eax
		mov	ecx, edx
		and	ecx, ds:_KeFeatureBits2
		mov	[ebp-44h], eax
		mov	eax, ds:dword_70E77C
		and	[ebp-44h], eax
		cmp	ecx, edx
		jnz	loc_7273E2
		mov	eax, [ebp-3Ch]
		cmp	[ebp-44h], eax

loc_72732C:				; CODE XREF: PAGELK:007272F7j
		jnz	loc_7273E2
		mov	eax, [ebp-38h]
		mov	[ebp-4Ch], eax
		push	dword ptr [ebp-34h]
		push	dword ptr [esi]
		push	dword ptr [ebx]
		push	0FFFFFFFBh
		jmp	loc_727521
; 

loc_727346:				; CODE XREF: PAGELK:007272AAj
		mov	eax, edx
		and	eax, 8
		mov	[ebp-3Ch], eax
		mov	ecx, edx
		and	ecx, 10h
		test	eax, eax
		jz	short loc_727365
		mov	eax, [esi+10h]
		or	[ebp-54h], eax
		mov	eax, [esi+14h]
		or	[ebp-50h], eax
		jmp	short loc_727375
; 

loc_727365:				; CODE XREF: PAGELK:00727355j
		test	ecx, ecx
		jz	short loc_727378
		mov	eax, [esi+10h]
		or	[ebp-4Ch], eax
		mov	eax, [esi+14h]
		or	[ebp-48h], eax

loc_727375:				; CODE XREF: PAGELK:00727363j
		mov	eax, [ebp-3Ch]

loc_727378:				; CODE XREF: PAGELK:00727367j
		test	dl, 4
		jz	short loc_7273E2
		cmp	dword ptr [edi+3CCh], 0
		jz	short loc_7273E2
		test	eax, eax
		jz	short loc_7273B6
		mov	edx, [esi+10h]
		mov	eax, [esi+14h]
		mov	[ebp-3Ch], eax
		mov	ecx, edx
		and	ecx, ds:_KeFeatureBits
		mov	[ebp-38h], eax
		mov	eax, ds:dword_70E754
		and	[ebp-38h], eax
		cmp	ecx, edx
		jnz	loc_727435
		mov	eax, [ebp-3Ch]
		cmp	[ebp-38h], eax
		jmp	short loc_7273E0
; 

loc_7273B6:				; CODE XREF: PAGELK:00727388j
		test	ecx, ecx
		jz	short loc_727435
		mov	edx, [esi+10h]
		mov	eax, [esi+14h]
		mov	[ebp-3Ch], eax
		mov	ecx, edx
		and	ecx, ds:_KeFeatureBits2
		mov	[ebp-38h], eax
		mov	eax, ds:dword_70E77C
		and	[ebp-38h], eax
		cmp	ecx, edx
		jnz	short loc_727435
		mov	eax, [ebp-3Ch]
		cmp	[ebp-38h], eax

loc_7273E0:				; CODE XREF: PAGELK:007273B4j
		jnz	short loc_727435

loc_7273E2:				; CODE XREF: PAGELK:00727276j
					; PAGELK:00727296j ...
		add	esi, 18h

loc_7273E5:				; CODE XREF: PAGELK:0072726Bj
		mov	eax, [esi]
		mov	ecx, [esi+4]
		mov	[ebp-38h], eax
		or	eax, ecx
		mov	[ebp-34h], ecx
		jnz	loc_727270

loc_7273F8:				; CODE XREF: PAGELK:007271D4j
					; PAGELK:007271F0j ...
		inc	dword ptr [ebp-58h]
		jmp	loc_7271B6
; 

loc_727400:				; CODE XREF: PAGELK:007272B3j
		mov	eax, [ebp-38h]
		mov	[ebp-4Ch], eax
		cmp	dword ptr [edi+3CCh], 0
		jnz	short loc_727426
		push	ds:_KeLoaderBlock
		push	0
		call	KdInitSystem
		mov	eax, [esi]
		mov	[ebp-4Ch], eax
		mov	eax, [esi+4]
		jmp	short loc_727429
; 

loc_727426:				; CODE XREF: PAGELK:0072740Dj
		mov	eax, [ebp-34h]

loc_727429:				; CODE XREF: PAGELK:00727424j
		push	eax
		push	dword ptr [esi]
		push	dword ptr [ebx]
		push	0FFFFFFFCh
		jmp	loc_727521
; 

loc_727435:				; CODE XREF: PAGELK:007273A8j
					; PAGELK:007273B8j ...
		mov	eax, [esi]
		mov	edx, [esi+4]
		mov	cl, 20h
		call	__aullshr
		push	eax
		push	dword ptr [esi]
		push	dword ptr [ebx]
		push	0FFFFFFFAh
		jmp	loc_727521
; 

loc_72744D:				; CODE XREF: PAGELK:007271BCj
		xor	ecx, ecx
		movzx	edx, byte ptr [edi+3BEh]
		xor	eax, eax

loc_727458:				; CODE XREF: PAGELK:00727476j
		cmp	ds:_KiCpuTable[eax], edx
		jnz	short loc_72746B
		mov	eax, ds:dword_4183A4[eax]
		cmp	eax, [ebp-6Ch]
		jz	short loc_72747A

loc_72746B:				; CODE XREF: PAGELK:0072745Ej
		inc	ecx
		imul	eax, ecx, 14h
		cmp	ds:dword_4183A8[eax], 13h
		jnz	short loc_727458
		jmp	short loc_727489
; 

loc_72747A:				; CODE XREF: PAGELK:00727469j
		imul	eax, ecx, 14h
		mov	eax, ds:dword_4183B0[eax]
		mov	[edi+21C8h], eax

loc_727489:				; CODE XREF: PAGELK:00727478j
		cmp	dword ptr [edi+3CCh], 0
		jz	short loc_727499
		xor	ecx, ecx
		call	_KeGetPrcb@4	; KeGetPrcb(x)

loc_727499:				; CODE XREF: PAGELK:00727490j
		lea	edx, [ebp-54h]
		mov	ecx, edi
		call	_KiRemoveModelSpecificUnsupportedFeatures@8 ; KiRemoveModelSpecificUnsupportedFeatures(x,x)
		mov	eax, [ebp-6Ch]
		mov	[edi+21C4h], eax
		mov	eax, [ebp-54h]
		or	[edi+3D50h], eax
		mov	eax, [ebp-50h]
		or	[edi+3D54h], eax
		mov	ecx, [edi+3CCh]
		mov	eax, ds:_KeFeatureBits2
		test	ecx, ecx
		jnz	short loc_7274F9
		or	eax, [ebp-4Ch]
		mov	ds:_KeFeatureBits2, eax
		mov	eax, ds:dword_70E77C
		or	eax, [ebp-48h]
		mov	ds:dword_70E77C, eax
		mov	ecx, edi
		call	_KiPublishProcessorFeatures@4 ;	KiPublishProcessorFeatures(x)

loc_7274E9:				; CODE XREF: PAGELK:00727509j
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7274F9:				; CODE XREF: PAGELK:007274CBj
		mov	edx, ds:dword_70E77C
		mov	esi, [ebp-4Ch]
		cmp	esi, eax
		jnz	short loc_72750B
		cmp	[ebp-48h], edx
		jz	short loc_7274E9

loc_72750B:				; CODE XREF: PAGELK:00727504j
		push	ecx
		push	eax
		push	esi
		push	0FFFFFFF7h
		jmp	short loc_727521
; 

loc_727512:				; CODE XREF: PAGELK:loc_72706Bj
		push	dword ptr [ebp-5Ch]
		mov	eax, [ebp-3Ch]
		push	eax
		push	ds:_KiCpuFeatureTable[ebx]
		push	0FFFFFFFEh

loc_727521:				; CODE XREF: PAGELK:00727134j
					; PAGELK:007271ADj ...
		push	5Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiGetCpuVendor	proc near		; CODE XREF: KiGetIptInfo+32p
					; KiInitializeKernel(x,x,x,x,x,x)+99p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072AE19 SIZE 00000106 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, large fs:20h
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_28], eax
		lea	edi, [ebp+var_14]
		xor	eax, eax
		stosd
		push	ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		cpuid
		mov	esi, ebx
		lea	edi, [ebp+var_14]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		lea	esi, [ebp+var_24]
		mov	[edi+8], ecx
		xor	ecx, ecx
		mov	[edi+0Ch], edx
		mov	edx, offset _CmpIntelID	; "GenuineIntel"
		mov	eax, [ebp+var_10]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_28]
		mov	[ebp+var_18], ecx
		push	2
		lea	edi, [eax+3D3Ch]
		mov	[eax+3D48h], cl
		movsd
		lea	eax, [ebp+var_24]
		movsd
		movsd
		pop	esi

loc_7275A1:				; CODE XREF: KiGetCpuVendor+92j
		mov	bl, [eax]
		xor	edi, edi
		inc	edi
		cmp	bl, [edx]
		jnz	short loc_7275D9
		test	bl, bl
		jz	short loc_7275BE
		mov	bl, [eax+1]
		cmp	bl, [edx+1]
		jnz	short loc_7275D9
		add	eax, esi
		add	edx, esi
		test	bl, bl
		jnz	short loc_7275A1

loc_7275BE:				; CODE XREF: KiGetCpuVendor+82j
		mov	eax, ecx

loc_7275C0:				; CODE XREF: KiGetCpuVendor+B3j
		test	eax, eax
		jnz	loc_72AE19
		mov	eax, edi

loc_7275CA:				; CODE XREF: KiGetCpuVendor+391Fj
					; KiGetCpuVendor+3959j	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7275D9:				; CODE XREF: KiGetCpuVendor+7Ej
					; KiGetCpuVendor+8Aj
		sbb	eax, eax
		or	eax, edi
		jmp	short loc_7275C0
KiGetCpuVendor	endp

; 
		align 10h

;  S U B	R O U T	I N E 


PoInitializePrcb proc near		; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+11Bp

; FUNCTION CHUNK AT 0072AF1F SIZE 00000019 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		push	1A8h		; size_t
		push	0		; int
		lea	edi, [esi+3D70h]
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [edi+0D0h], offset PpmWmiDispatch
		lea	ebx, [edi+0F8h]
		mov	byte ptr [edi+0D8h], 1
		mov	byte ptr [edi+0C0h], 2
		push	64h
		pop	eax
		push	esi
		push	offset _PpmPerfAction@16 ; PpmPerfAction(x,x,x,x)
		push	ebx
		mov	[edi+152h], ax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	eax, [ebx+1Ch]
		mov	ecx, [esi+3CCh]
		test	eax, eax
		jnz	short loc_727645
		lea	eax, [ecx+20h]
		mov	[ebx+2], ax

loc_727645:				; CODE XREF: PoInitializePrcb+5Cj
		mov	byte ptr [edi+0F9h], 3
		call	PpmHvUseNativeAlgorithms
		test	al, al
		jz	loc_72AF1F
		and	dword ptr [edi+0C8h], 0

loc_727660:				; CODE XREF: PoInitializePrcb+3953j
		pop	edi
		pop	esi
		pop	ebx
		retn
PoInitializePrcb endp


;  S U B	R O U T	I N E 


; __stdcall InitOtherProcessors()
_InitOtherProcessors@0 proc near	; CODE XREF: KiInitializeKernel(x,x,x,x,x,x):loc_7257EBp
		call	_ExInitPoolLookasidePointers@0 ; ExInitPoolLookasidePointers()
		push	0
		push	1
		call	ds:__imp__HalInitSystem@8 ; HalInitSystem(x,x)
		test	al, al
		jz	short loc_72767A
		xor	eax, eax
		retn
; 

loc_72767A:				; CODE XREF: InitOtherProcessors()+11j
		push	5Ch
		call	_KeBugCheck@4	; KeBugCheck(x)
		int	3		; Trap to Debugger
_InitOtherProcessors@0 endp


;  S U B	R O U T	I N E 


; __stdcall ExInitPoolLookasidePointers()
_ExInitPoolLookasidePointers@0 proc near ; CODE	XREF: InitOtherProcessors()p
					; INIT:00ACD0D9p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, large fs:20h
		mov	ebx, offset _ExPoolLookasideListHead
		push	edi
		mov	edi, offset _ExpScratchBufferLookasideList
		cmp	dword ptr [esi+3CCh], 0
		jz	short loc_727713

loc_7276A1:				; CODE XREF: ExInitPoolLookasidePointers()+C5j
		mov	[esi+5E4h], edi
		mov	[esi+5E0h], edi
		add	esi, 620h
		push	8
		pop	edi

loc_7276B6:				; CODE XREF: ExInitPoolLookasidePointers()+8Bj
		push	ebx
		push	100h
		push	4C6F6F50h
		push	edi
		lea	ecx, [esi+900h]
		xor	edx, edx
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		push	ebx
		push	100h
		push	4C6F6F50h
		push	edi
		mov	edx, 200h
		mov	ecx, esi
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		push	ebx
		push	100h
		push	4C6F6F50h
		xor	edx, edx
		lea	ecx, [esi+1200h]
		push	edi
		inc	edx
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		add	edi, 8
		add	esi, 48h
		cmp	edi, 108h
		jb	short loc_7276B6
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_727713:				; CODE XREF: ExInitPoolLookasidePointers()+1Dj
		mov	eax, offset _ExSystemLookasideListHead
		mov	ds:dword_6BBC4C, ebx
		push	eax
		push	20h
		push	66626353h
		push	2DCh
		mov	edx, 200h
		mov	ds:_ExPoolLookasideListHead, ebx
		mov	ecx, edi
		mov	ds:dword_6BBC44, eax
		mov	ds:_ExSystemLookasideListHead, eax
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		jmp	loc_7276A1
_ExInitPoolLookasidePointers@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInitializeSystemLookasideList(x, x, x, x,	x, x)
_ExInitializeSystemLookasideList@24 proc near ;	CODE XREF: ExInitializeProcessor+3Bp
					; ExInitPoolLookasidePointers()+48p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		mov	[ecx], esi
		mov	[ecx+4], esi
		push	2
		pop	eax
		mov	[ecx+8], ax
		mov	ax, [ebp+arg_8]
		mov	[ecx+0Ah], ax
		mov	eax, [ebp+arg_4]
		mov	[ecx+20h], eax
		mov	eax, [ebp+arg_0]
		mov	[ecx+24h], eax
		mov	eax, [ebp+arg_C]
		mov	[ecx+0Ch], esi
		mov	[ecx+10h], esi
		mov	[ecx+14h], esi
		mov	[ecx+18h], esi
		mov	[ecx+38h], esi
		mov	[ecx+3Ch], esi
		mov	dword ptr [ecx+28h], offset _ExAllocatePoolWithTag@12 ;	ExAllocatePoolWithTag(x,x,x)
		mov	dword ptr [ecx+2Ch], offset _ExFreePool@4 ; ExFreePool(x)
		mov	[ecx+1Ch], edx
		add	ecx, 30h
		mov	edx, [eax+4]
		pop	esi
		cmp	[edx], eax
		jnz	short loc_7277B3
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		pop	ebp
		retn	10h
; 

loc_7277B3:				; CODE XREF: ExInitializeSystemLookasideList(x,x,x,x,x,x)+57j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExInitializeSystemLookasideList@24 endp ; AL =	character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfTAccessTracingInitialize(x, x, x)
_PfTAccessTracingInitialize@12 proc near ; CODE	XREF: PfTInitialize+E8p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edx
		test	eax, eax
		jnz	short loc_7277D4
		mov	[ecx+0Ch], edi
		mov	dword ptr [ecx+8], 3

loc_7277D4:				; CODE XREF: PfTAccessTracingInitialize(x,x,x)+10j
		mov	[esi+1Ch], edi
		lea	ecx, [esi+8]
		test	eax, eax
		jnz	short loc_7277FA
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		push	edi
		push	edi
		lea	eax, [esi+0Ch]
		mov	[esi+20h], edi
		push	eax
		mov	[esi+24h], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_7277F4:				; CODE XREF: PfTAccessTracingInitialize(x,x,x)+46j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_7277FA:				; CODE XREF: PfTAccessTracingInitialize(x,x,x)+24j
		xor	eax, eax
		xchg	eax, [ecx]
		jmp	short loc_7277F4
_PfTAccessTracingInitialize@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiIntersectFeaturesWithPolicy proc near	; CODE XREF: KiInitializeXSave+122p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072B05D SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		lea	edi, [ebp+var_20]
		mov	esi, ecx
		mov	[ebp+var_4C], ebx
		push	6
		xor	eax, eax
		pop	ecx
		rep stosd
		mov	eax, [ebx]
		xor	edi, edi
		or	eax, [ebx+4]
		mov	[ebp+var_30], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		jz	loc_72796F
		lea	eax, [ebp+var_40]
		mov	[ebp+var_28], edi
		push	eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_40], edi
		push	eax
		push	ds:_KeXSavePolicyId
		push	65h
		push	esi
		call	KeHwPolicyLocateResource
		xor	ecx, ecx
		inc	ecx
		test	eax, eax
		js	loc_72B05D

loc_727869:				; CODE XREF: KiIntersectFeaturesWithPolicy+3863j
					; KiIntersectFeaturesWithPolicy+3880j
		cmp	eax, 0C000026Ch
		jz	loc_72B085
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	edx, [ebp+var_14]
		lea	ecx, [ebp+var_20]
		call	_KiGetProcessorInformation@16 ;	KiGetProcessorInformation(x,x,x,x)
		mov	ecx, large fs:20h
		mov	edx, [ebx]
		mov	edi, [ebx+21Ch]
		mov	esi, [ebx+4]
		mov	eax, [ecx+3D58h]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+3D5Ch]
		mov	[ebp+var_C], eax
		mov	eax, [ebx+218h]
		mov	ecx, eax
		or	ecx, edx
		mov	[ebp+var_58], eax
		mov	[ebp+var_5C], edi
		mov	eax, ecx
		or	edi, esi
		mov	[ebp+var_50], edx
		or	eax, edi
		mov	[ebp+var_54], esi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_34], edi
		jz	short loc_72794C
		mov	ebx, [ebp+var_24]

loc_7278D2:				; CODE XREF: KiIntersectFeaturesWithPolicy+141j
		cmp	ebx, 40h
		jnb	short loc_727943
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_727930
		xor	eax, eax
		xor	edx, edx
		inc	eax
		mov	ecx, ebx
		call	__allshl
		mov	ecx, eax
		mov	[ebp+var_48], edx
		mov	eax, [ebp+var_28]
		mov	[ebp+var_44], ecx
		mov	esi, [eax+10h]
		and	esi, ecx
		mov	ecx, [eax+14h]
		and	ecx, edx
		or	esi, ecx
		jz	short loc_72792D
		mov	ecx, [eax+18h]
		xor	esi, esi
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	short loc_72792D
		mov	edi, [ebp+var_28]
		add	eax, 20h
		mov	[ebp+var_24], eax

loc_72791B:				; CODE XREF: KiIntersectFeaturesWithPolicy+128j
		cmp	[eax], ebx
		jz	short loc_72797E

loc_72791F:				; CODE XREF: KiIntersectFeaturesWithPolicy+1A2j
		inc	esi
		add	eax, 10h
		mov	[ebp+var_24], eax
		cmp	esi, ecx
		jb	short loc_72791B
		mov	edi, [ebp+var_34]

loc_72792D:				; CODE XREF: KiIntersectFeaturesWithPolicy+104j
					; KiIntersectFeaturesWithPolicy+110j
		mov	ecx, [ebp+var_2C]

loc_727930:				; CODE XREF: KiIntersectFeaturesWithPolicy+DFj
		shrd	ecx, edi, 1
		shr	edi, 1
		mov	eax, ecx
		inc	ebx
		mov	[ebp+var_2C], ecx
		or	eax, edi
		mov	[ebp+var_34], edi
		jnz	short loc_7278D2

loc_727943:				; CODE XREF: KiIntersectFeaturesWithPolicy+D5j
		mov	ebx, [ebp+var_4C]
		mov	edx, [ebp+var_50]
		mov	esi, [ebp+var_54]

loc_72794C:				; CODE XREF: KiIntersectFeaturesWithPolicy+CDj
		and	edx, [ebp+var_38]
		and	esi, [ebp+var_3C]
		mov	eax, [ebp+var_5C]
		mov	[ebx], edx
		mov	edx, [ebp+var_58]
		and	edx, [ebp+var_38]
		and	eax, [ebp+var_3C]
		mov	[ebx+4], esi
		mov	[ebx+218h], edx
		mov	[ebx+21Ch], eax

loc_72796F:				; CODE XREF: KiIntersectFeaturesWithPolicy+3Cj
					; KiIntersectFeaturesWithPolicy+389Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_72797E:				; CODE XREF: KiIntersectFeaturesWithPolicy+11Dj
		lea	eax, [ebp+var_20]
		mov	edx, esi
		push	eax		; void *
		push	ecx		; int
		mov	ecx, edi
		call	KiIsXSaveFeatureAllowed
		mov	ecx, [ebp+var_30]
		test	al, al
		jz	short loc_72799F
		mov	eax, [ebp+var_44]
		or	[ebp+var_38], eax
		mov	eax, [ebp+var_48]
		or	[ebp+var_3C], eax

loc_72799F:				; CODE XREF: KiIntersectFeaturesWithPolicy+191j
		mov	eax, [ebp+var_24]
		jmp	loc_72791F
KiIntersectFeaturesWithPolicy endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KiIsXSaveFeatureAllowed(int,void *)
KiIsXSaveFeatureAllowed	proc near	; CODE XREF: KiIntersectFeaturesWithPolicy+187p

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0072B09F SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		add	edx, edx
		push	ebx
		push	esi
		push	edi
		mov	esi, [ecx+edx*8+28h]
		xor	edi, edi
		add	esi, ecx
		mov	ebx, [esi]
		test	ebx, ebx
		jz	short loc_7279F6
		add	esi, 8

loc_7279C3:				; CODE XREF: KiIsXSaveFeatureAllowed+36FDj
		push	0Ch		; size_t
		push	[ebp+arg_4]	; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_72B09F
		cmp	[esi+30h], eax
		jz	short loc_7279ED
		mov	edx, [ebp+arg_4]
		lea	ecx, [esi+10h]
		call	KiDoesProcessorMatchErrata
		test	al, al
		jnz	short loc_7279F6

loc_7279ED:				; CODE XREF: KiIsXSaveFeatureAllowed+34j
		mov	al, 1

loc_7279EF:				; CODE XREF: KiIsXSaveFeatureAllowed+50j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7279F6:				; CODE XREF: KiIsXSaveFeatureAllowed+16j
					; KiIsXSaveFeatureAllowed+43j ...
		xor	al, al
		jmp	short loc_7279EF
KiIsXSaveFeatureAllowed	endp


;  S U B	R O U T	I N E 


KiDoesProcessorMatchErrata proc	near	; CODE XREF: KiIsXSaveFeatureAllowed+3Cp

; FUNCTION CHUNK AT 0072B0B0 SIZE 0000005D BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [ebx+0Ch]
		mov	eax, esi
		shr	eax, 0Ch
		and	eax, 3
		cmp	al, [edi]
		jnz	short loc_727A33
		mov	edx, esi
		mov	eax, esi
		shr	edx, 0Ah
		shr	eax, 4
		and	edx, 0F0h
		and	eax, 0Fh
		add	edx, eax
		movzx	eax, word ptr [edi+4]
		cmp	edx, eax
		jz	loc_72B0B0

loc_727A33:				; CODE XREF: KiDoesProcessorMatchErrata+16j
					; KiDoesProcessorMatchErrata+36D1j ...
		xor	al, al

loc_727A35:				; CODE XREF: KiDoesProcessorMatchErrata+370Ej
		pop	edi
		pop	esi
		pop	ebx
		retn
KiDoesProcessorMatchErrata endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2612. WheaConfigureErrorSource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public WheaConfigureErrorSource
WheaConfigureErrorSource proc near	; CODE XREF: WheaAddErrorSourceDeviceDriver+52p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0072B10D SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	edi, 10h
		ja	loc_72B147
		push	esi
		imul	esi, edi, 24h
		xor	edx, edx
		push	0
		mov	ecx, offset _WheapConfigTableLock
		add	esi, offset _WheapSourceConfiguration
		call	KeAbPreAcquire
		push	11h
		mov	ebx, eax
		mov	edx, offset _WheapConfigTableLock
		pop	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	loc_727B5A

loc_727A81:				; CODE XREF: WheaConfigureErrorSource+12Bj
		test	ebx, ebx
		jz	short loc_727A89
		or	byte ptr [ebx+0Eh], 1

loc_727A89:				; CODE XREF: WheaConfigureErrorSource+45j
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	ebx, eax
		lock bts dword ptr [esi], 0
		jb	loc_72B10D

loc_727AA1:				; CODE XREF: WheaConfigureErrorSource+36D9j
		test	ebx, ebx
		jz	short loc_727AA9
		or	byte ptr [ebx+0Eh], 1

loc_727AA9:				; CODE XREF: WheaConfigureErrorSource+65j
		cmp	byte ptr [esi+4], 0
		jnz	short loc_727B12
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx]
		mov	[esi+8], eax
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_727AC1
		mov	[esi+0Ch], eax

loc_727AC1:				; CODE XREF: WheaConfigureErrorSource+7Ej
		mov	eax, [ecx+8]
		test	eax, eax
		jz	short loc_727ACB
		mov	[esi+10h], eax

loc_727ACB:				; CODE XREF: WheaConfigureErrorSource+88j
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jz	short loc_727AD5
		mov	[esi+14h], eax

loc_727AD5:				; CODE XREF: WheaConfigureErrorSource+92j
		mov	eax, [ecx+10h]
		test	eax, eax
		jnz	loc_72B11C
		cmp	edi, 0Ch
		jz	short loc_727B51
		cmp	edi, 0Fh
		jge	short loc_727B51
		cmp	edi, 0Dh
		jz	short loc_727B51

loc_727AEF:				; CODE XREF: WheaConfigureErrorSource+11Aj
					; WheaConfigureErrorSource+36E1j
		mov	eax, [ecx+14h]
		test	eax, eax
		jnz	short loc_727B6E

loc_727AF6:				; CODE XREF: WheaConfigureErrorSource+133j
		and	[ebp+arg_0], 0
		lea	eax, [ebp+arg_0]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	byte ptr [esi+4], 1
		cmp	ds:_WheapInitializationComplete, cl
		jnz	loc_72B124

loc_727B12:				; CODE XREF: WheaConfigureErrorSource+6Fj
		mov	ebx, 0C0000001h

loc_727B17:				; CODE XREF: WheaConfigureErrorSource+36EFj
		or	ecx, 0FFFFFFFFh
		lock xadd [esi], ecx
		test	cl, 2
		jnz	loc_72B132

loc_727B27:				; CODE XREF: WheaConfigureErrorSource+36F7j
					; WheaConfigureErrorSource+3704j
		mov	ecx, esi
		call	KeAbPostRelease
		push	11h
		xor	edx, edx
		mov	esi, offset _WheapConfigTableLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_727B73

loc_727B41:				; CODE XREF: WheaConfigureErrorSource+13Cj
		mov	ecx, esi
		call	KeAbPostRelease
		pop	esi

loc_727B49:				; CODE XREF: WheaConfigureErrorSource+370Ej
		pop	edi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	8
; 

loc_727B51:				; CODE XREF: WheaConfigureErrorSource+A5j
					; WheaConfigureErrorSource+AAj	...
		mov	dword ptr [esi+18h], offset _WheapGenericErrSrcRecover@8 ; WheapGenericErrSrcRecover(x,x)
		jmp	short loc_727AEF
; 

loc_727B5A:				; CODE XREF: WheaConfigureErrorSource+3Dj
		mov	eax, offset _WheapConfigTableLock
		mov	edx, ebx
		push	eax
		mov	ecx, eax
		call	ExfAcquirePushLockSharedEx
		jmp	loc_727A81
; 

loc_727B6E:				; CODE XREF: WheaConfigureErrorSource+B6j
		mov	[esi+1Ch], eax
		jmp	short loc_727AF6
; 

loc_727B73:				; CODE XREF: WheaConfigureErrorSource+101j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_727B41
WheaConfigureErrorSource endp


;  S U B	R O U T	I N E 


Ke386ConfigureCyrixProcessor proc near	; CODE XREF: KeOptimizeProcessorControlState(x,x)p

; FUNCTION CHUNK AT 0072B151 SIZE 0000009E BYTES

		mov	edi, edi
		push	esi
		call	Ke386CyrixId
		mov	esi, eax
		test	esi, esi
		jnz	loc_72B151
		pop	esi
		retn
Ke386ConfigureCyrixProcessor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiUpdateXSaveSizeAndVolatileFeatures proc near ; CODE XREF: KiInitializeXSave+130p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072B1EF SIZE 0000013E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	edx, ecx
		mov	eax, 240h
		push	ebx
		push	esi
		push	edi
		test	byte ptr [edx+14h], 2
		mov	edi, [edx]
		mov	esi, [edx+4]
		mov	[edx+10h], eax
		mov	[edx+228h], eax
		mov	[ebp+var_C], edi
		mov	[ebp+var_14], esi
		jnz	loc_72B1EF
		mov	ecx, edi
		mov	ebx, esi
		mov	eax, ecx
		mov	[ebp+var_10], ecx
		or	eax, ebx
		jz	short loc_727C07
		lea	edi, [edx+1Ch]
		xor	esi, esi

loc_727BD2:				; CODE XREF: KiUpdateXSaveSizeAndVolatileFeatures+6Fj
		cmp	esi, 40h
		jnb	short loc_727C01
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_727BEE
		mov	eax, [edi]
		add	eax, [edi-4]
		mov	ecx, [ebp+var_10]
		cmp	[edx+10h], eax
		jb	short loc_727C3C

loc_727BEE:				; CODE XREF: KiUpdateXSaveSizeAndVolatileFeatures+4Fj
					; KiUpdateXSaveSizeAndVolatileFeatures+AFj
		shrd	ecx, ebx, 1
		add	edi, 8
		shr	ebx, 1
		mov	eax, ecx
		inc	esi
		mov	[ebp+var_10], ecx
		or	eax, ebx
		jnz	short loc_727BD2

loc_727C01:				; CODE XREF: KiUpdateXSaveSizeAndVolatileFeatures+45j
		mov	esi, [ebp+var_14]
		mov	edi, [ebp+var_C]

loc_727C07:				; CODE XREF: KiUpdateXSaveSizeAndVolatileFeatures+3Bj
		mov	eax, [edx+10h]
		mov	[edx+228h], eax

loc_727C10:				; CODE XREF: KiUpdateXSaveSizeAndVolatileFeatures+371Fj
					; KiUpdateXSaveSizeAndVolatileFeatures+3732j ...
		mov	eax, [edx+218h]
		and	edi, 0FFFFFFEFh
		and	esi, 0BFFFFFFFh
		mov	[edx+8], edi
		pop	edi
		mov	[edx+0Ch], esi
		and	eax, 800h
		and	dword ptr [edx+334h], 0
		pop	esi
		mov	[edx+330h], eax
		pop	ebx
		leave
		retn
; 

loc_727C3C:				; CODE XREF: KiUpdateXSaveSizeAndVolatileFeatures+5Cj
		mov	[edx+10h], eax
		jmp	short loc_727BEE
KiUpdateXSaveSizeAndVolatileFeatures endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiInitializeNXSupport()
_KiInitializeNXSupport@0 proc near	; CODE XREF: KiSystemStartup(x):loc_71A18Ap
		cmp	large byte ptr fs:51h, 0
		jz	KiInitializeNxSupportDiscard
		retn
_KiInitializeNXSupport@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall KiParseLoadOptions(char *)
KiParseLoadOptions proc	near		; CODE XREF: KiInitializeXSave+10Bp

; FUNCTION CHUNK AT 0072B32D SIZE 00000077 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_727C9F
		push	offset ??_C@_0M@PBCNBANJ@XSAVEPOLICY@OKHAJAOM@ ; "XSAVEPOLICY"
		push	esi		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_72B32D

loc_727C75:				; CODE XREF: KiParseLoadOptions+36DFj
					; KiParseLoadOptions+36F4j
		push	offset ??_C@_0BD@PHOHJOGM@XSAVEREMOVEFEATURE@OKHAJAOM@ ; "XSAVEREMOVEFEATURE"
		push	esi		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_72B34B

loc_727C8A:				; CODE XREF: KiParseLoadOptions+36FDj
					; KiParseLoadOptions+3711j ...
		push	offset ??_C@_0N@IJHAALLK@XSAVEDISABLE@OKHAJAOM@	; "XSAVEDISABLE"
		push	esi		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_72B37C

loc_727C9F:				; CODE XREF: KiParseLoadOptions+Cj
					; KiParseLoadOptions+372Ej ...
		pop	esi
		leave
		retn
KiParseLoadOptions endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpScenCtxServiceThreadSet proc	near	; CODE XREF: PfSetSuperfetchInformation+4F0p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0072B3A4 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		test	edx, edx
		jz	short loc_727D19
		mov	esi, large fs:124h
		push	esi
		call	_PsGetThreadId@4 ; PsGetThreadId(x)
		mov	ebx, eax
		mov	eax, [esi+280h]
		mov	esi, [esi+284h]
		mov	[ebp+var_4], eax

loc_727CCF:				; CODE XREF: PfpScenCtxServiceThreadSet+7Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_4]
		mov	[edi+30h], eax
		or	eax, 0FFFFFFFFh
		mov	[edi+2Ch], ebx
		mov	[edi+34h], esi
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_72B3A4

loc_727D01:				; CODE XREF: PfpScenCtxServiceThreadSet+3704j
					; PfpScenCtxServiceThreadSet+3711j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_727D19:				; CODE XREF: PfpScenCtxServiceThreadSet+Dj
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		mov	esi, ebx
		jmp	short loc_727CCF
PfpScenCtxServiceThreadSet endp


;  S U B	R O U T	I N E 


KiDetectAccessBitErrata	proc near	; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+14Ap

; FUNCTION CHUNK AT 0072B3B8 SIZE 00000015 BYTES

		cmp	dword ptr [ecx+3CCh], 0
		jnz	short locret_727D66
		mov	al, [ecx+3BEh]
		cmp	al, 2
		jz	loc_72B3B8
		cmp	al, 1
		jnz	short locret_727D66
		cmp	byte ptr [ecx+14h], 6
		jnz	short locret_727D66
		mov	al, [ecx+17h]
		cmp	al, 1Ch
		jz	short loc_727D6D
		cmp	al, 26h
		jz	short loc_727D6D
		cmp	al, 27h
		jz	short loc_727D6D
		cmp	al, 36h
		jz	short loc_727D6D
		cmp	al, 35h
		jz	short loc_727D6D
		cmp	al, 37h
		jz	short loc_727D67
		cmp	al, 4Ah
		jz	short loc_727D67
		cmp	al, 4Dh
		jz	short loc_727D67

locret_727D66:				; CODE XREF: KiDetectAccessBitErrata+7j
					; KiDetectAccessBitErrata+19j ...
		retn
; 

loc_727D67:				; CODE XREF: KiDetectAccessBitErrata+3Aj
					; KiDetectAccessBitErrata+3Ej ...
		cmp	byte ptr [ecx+16h], 7
		ja	short locret_727D66

loc_727D6D:				; CODE XREF: KiDetectAccessBitErrata+26j
					; KiDetectAccessBitErrata+2Aj ...
		mov	ds:_KiAccessBitErrata, 2
		retn
KiDetectAccessBitErrata	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiLoadMTRRTarget(x)
_KiLoadMTRRTarget@4 proc near		; DATA XREF: KeRestoreMtrrBroadcast()+30o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	KeLoadMTRR
		xor	eax, eax
		pop	ebp
		retn	4
_KiLoadMTRRTarget@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KiIntersectFeaturesWithLoader(x, x)
_KiIntersectFeaturesWithLoader@8 proc near ; CODE XREF:	KiInitializeXSave+11Bp
		mov	ecx, [ecx+84h]
		push	ebx
		push	esi
		mov	esi, [edx]
		mov	eax, esi
		mov	ebx, [ecx+0A60h]
		push	edi
		mov	edi, [edx+4]
		or	eax, edi
		jz	short loc_727DD1
		mov	eax, [ecx+0A58h]
		and	esi, eax
		mov	ecx, [ecx+0A5Ch]
		and	edi, ecx
		and	[edx+218h], eax
		and	[edx+21Ch], ecx
		mov	[edx], esi
		mov	[edx+4], edi
		test	bl, 10h
		jz	short loc_727DD5

loc_727DCC:				; CODE XREF: KiIntersectFeaturesWithLoader(x,x)+4Dj
		test	bl, 8
		jz	short loc_727DDB

loc_727DD1:				; CODE XREF: KiIntersectFeaturesWithLoader(x,x)+18j
					; KiIntersectFeaturesWithLoader(x,x)+53j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_727DD5:				; CODE XREF: KiIntersectFeaturesWithLoader(x,x)+3Ej
		and	dword ptr [edx+14h], 0FFFFFFFDh
		jmp	short loc_727DCC
; 

loc_727DDB:				; CODE XREF: KiIntersectFeaturesWithLoader(x,x)+43j
		and	dword ptr [edx+14h], 0FFFFFFFEh
		jmp	short loc_727DD1
_KiIntersectFeaturesWithLoader@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiInitializeMachineType()
_KiInitializeMachineType@0 proc	near	; CODE XREF: KiSystemStartup(x)+A6p
		mov	eax, ds:_KeLoaderBlock
		movzx	eax, byte ptr [eax+8Ch]
		mov	ds:_KeI386MachineType, eax
		retn
_KiInitializeMachineType@0 endp


;  S U B	R O U T	I N E 


KiIntersectFeaturesWithTest proc near	; CODE XREF: KiInitializeXSave+12Bp

; FUNCTION CHUNK AT 0072B3CD SIZE 00000032 BYTES

		mov	edx, ds:_KeTestRemovedFeatureMask
		mov	eax, edx
		push	esi
		mov	esi, ds:dword_6FDE84
		or	eax, esi
		jnz	loc_72B3CD

loc_727E0B:				; CODE XREF: KiIntersectFeaturesWithTest+35EEj
		cmp	ds:_KeTestDisableXSave,	0
		pop	esi
		jnz	loc_72B3E7
		retn
KiIntersectFeaturesWithTest endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KiCloneSelector(int,void *)
KiCloneSelector	proc near		; CODE XREF: KiInitializeProcessorState(x,x,x,x,x,x,x,x,x,x)+B6p
					; KiInitializeProcessorState(x,x,x,x,x,x,x,x,x,x)+F2p ...

var_C		= byte ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0072A535 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	dword ptr [ebp+var_C], 0
		and	dword ptr [ebp+var_C+4], 0
		push	ebx
		push	esi
		push	edi
		sgdt	fword ptr [ebp+var_C+2]
		shr	ecx, 3
		mov	esi, ecx
		mov	ecx, dword ptr [ebp+var_C+4]
		movzx	edi, byte ptr [ecx+esi*8+7]
		lea	eax, [edx+esi*8]
		mov	[ebp+var_4], eax
		movzx	eax, byte ptr [ecx+esi*8+4]
		shl	edi, 8
		or	edi, eax
		movzx	eax, word ptr [ecx+esi*8+2]
		shl	edi, 10h
		or	edi, eax
		mov	dword ptr [ebp+var_C+4], edi
		movzx	eax, word ptr [ecx+esi*8]
		mov	word ptr [ebp+var_C+2],	ax
		mov	edx, eax
		test	dword ptr [ecx+esi*8+4], (offset loc_7FFFFF+1)
		jnz	loc_72A535

loc_727E73:				; CODE XREF: KiCloneSelector+2728j
		mov	ecx, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		movzx	edx, ax
		inc	edx
		push	edx		; size_t
		push	edi		; void *
		push	ebx		; void *
		lea	eax, [edx-1]
		mov	[ecx+4], ebx
		mov	[ecx+2], ax
		call	_memcpy
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	eax, ebx
		shr	eax, 10h
		mov	[ecx+2], bx
		pop	edi
		shr	ebx, 18h
		pop	esi
		mov	[ecx+7], bl
		mov	[ecx+4], al
		pop	ebx
		leave
		retn	8
KiCloneSelector	endp

; 

??_C@_00CNPNBAHC@@OKHAJAOM@:		; DATA XREF: IopLiveDumpCallRemovePagesCallbacks(x)+37o
					; IopLiveDumpCallRemovePagesCallbacks(x)+D7o ...
		add	ah, cl
; 
; char ??_C[]
??_C@_0M@PBCNBANJ@XSAVEPOLICY@OKHAJAOM@	db 'XSAVEPOLICY',0
					; DATA XREF: KiParseLoadOptions+Eo
; char ??_C[]
??_C@_0N@IJHAALLK@XSAVEDISABLE@OKHAJAOM@ db 'XSAVEDISABLE',0
					; DATA XREF: KiParseLoadOptions:loc_727C8Ao
		align 2
; char ??_C[]
??_C@_0BD@PHOHJOGM@XSAVEREMOVEFEATURE@OKHAJAOM@	db 'XSAVEREMOVEFEATURE',0
					; DATA XREF: KiParseLoadOptions:loc_727C75o
		align 2

;  S U B	R O U T	I N E 


??_C@_1GG@KMAKALDL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@OKHAJAOM@ proc	near
					; DATA XREF: PopGetBitlockerKeyLocation+20o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+0], ch

loc_727F43:				; DATA XREF: PopGetBitlockerKeyLocation+81o
		add	[ebx+0], dl
??_C@_1GG@KMAKALDL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@OKHAJAOM@ endp

		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1BC@KEMNALNF@?$AAF?$AAV?$AAE?$AAB?$AAO?$AAO?$AAT?$AA?$DN@OKHAJAOM@:
					; DATA XREF: PopGetBitlockerKeyLocation+107o
		inc	esi
		add	[esi+0], dl
		inc	ebp
		add	[edx+0], al
		dec	edi
		add	[edi+0], cl
		push	esp
; 
		db 0
		dd 3Dh
??_C@_1DM@KHNCPJJB@?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAO?$AAv?$AAe?$AAr?$AAw?$AAr?$AAi?$AAt?$AAe@OKHAJAOM@:
					; DATA XREF: PopSetMemoryOverwriteRequestAction(x,x)+4Eo
		unicode	0, <MemoryOverwriteRequestControl>,0
; 

??_C@_0DK@KBBGNMAD@Checksum?5for?5resume?5context?5pag@OKHAJAOM@:
					; DATA XREF: PopWriteHeaderPages+D011o
		inc	ebx
		push	736B6365h
		jnz	short near ptr loc_72802C+1
		and	[esi+6Fh], ah
		jb	short loc_727FE5
		jb	short loc_72802C
		jnb	short loc_72803E
		insd
		and	gs:[ebx+6Fh], ah
		outsb
		jz	short near ptr loc_728035+1
		js	short near ptr loc_728045+2
		and	[eax+61h], dh
		and	gs:[bp+di+68h],	ah
		popa
		outsb
		db	65h
		and	fs:[bp+72h], ah
		outsd
		insd

loc_727FE5:				; CODE XREF: PAGELK:00727FC3j
		and	ds:7420786Ch, ah
		outsd
		and	ds:0A786Ch, ah

??_C@_0DD@LILHCBDB@Checksum?5for?5context?5page?5chang@OKHAJAOM@:
					; DATA XREF: PopWriteHeaderPages+D030o
		inc	ebx
		push	736B6365h
		jnz	short loc_728067
		and	[esi+6Fh], ah
		jb	short loc_72801F
		arpl	[edi+6Eh], bp
		jz	short loc_728069
		js	short near ptr loc_728078+2
		and	[eax+61h], dh
		and	gs:[bp+di+68h],	ah
		popa
		outsb
		db	65h
		and	fs:[bp+72h], ah
		outsd
		insd
		and	ds:7420786Ch, ah
		outsd

loc_72801F:				; CODE XREF: PAGELK:00727FFDj
		and	ds:0A786Ch, ah
		int	3		; Trap to Debugger

??_C@_0DO@NIFPPBDC@Checksum?5for?5partial?5context?5pa@OKHAJAOM@:
					; DATA XREF: PopWriteHeaderPages+D04Co
		inc	ebx
		push	736B6365h

loc_72802C:				; CODE XREF: PAGELK:00727FC5j
					; PAGELK:00727FBEj
		jnz	short near ptr byte_72809B
		and	[esi+6Fh], ah
		jb	short near ptr loc_728052+1
		jo	short near ptr loc_728095+1

loc_728035:				; CODE XREF: PAGELK:00727FCFj
		jb	short near ptr ??_C@_1BE@BNJCNEJN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy@OKHAJAOM@+0Fh
		imul	esp, [ecx+6Ch],	6E6F6320h

loc_72803E:				; CODE XREF: PAGELK:00727FC7j
		jz	short near ptr ??_C@_1BE@BNJCNEJN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy@OKHAJAOM@+9
		js	short loc_7280B6
		and	[eax+61h], dh

loc_728045:				; CODE XREF: PAGELK:00727FD1j
		and	gs:[di], ah
		insb
		js	short near ptr loc_72806A+2
		outs	dx, dword ptr fs:[esi]
		db	65h
		jnb	short loc_7280BF
		daa

loc_728052:				; CODE XREF: PAGELK:00728031j
		jz	short near ptr loc_728073+1
		insd
		popa
		jz	short loc_7280BB
		push	6C756620h
		insb
		and	ds:0A786Ch, ah

??_C@_0DG@CFOFHJKB@MemImage?9?$DOWakeCheck?5?$CFlx?5doesn?8t@OKHAJAOM@:
					; DATA XREF: PopWriteImageHeader(x,x,x,x,x)+1Do
		dec	ebp
		db	65h
		insd

loc_728067:				; CODE XREF: PAGELK:00727FF8j
		dec	ecx
		insd

loc_728069:				; CODE XREF: PAGELK:00728002j
		popa

loc_72806A:				; CODE XREF: PAGELK:0072804Aj
		db	67h, 65h
		sub	eax, 6B61573Eh
		db	65h
		inc	ebx

loc_728073:				; CODE XREF: PAGELK:loc_728052j
		push	206B6365h

loc_728078:				; CODE XREF: PAGELK:00728004j
		and	eax, 6420786Ch
		outsd
		db	65h
		jnb	short near ptr ??_C@_1BG@FGILHOGJ@?$AAF?$AAw?$AAP?$AAO?$AAS?$AAT?$AAT?$AAi?$AAm?$AAe@OKHAJAOM@+0Bh
		daa
		jz	short near ptr ??_C@_1BE@BNJCNEJN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy@OKHAJAOM@+8
		insd
		popa
		imul	esp, [ebp+20h],	50h
		outsd
		push	edi
		popa
		imul	esp, [ebp+43h],	68h
		arpl	gs:[ebx+20h], bp

loc_728095:				; CODE XREF: PAGELK:00728033j
		and	eax, 0A786Ch
; 
??_C@_11LOCGONAA@@OKHAJAOM@ db 0	; DATA XREF: EtwTraceSystemTimeChange+3Ao
					; PopDiagTraceDriverVeto(x,x):loc_72FB2Do
byte_72809B	db 0			; CODE XREF: PAGELK:loc_72802Cj
??_C@_1BE@BNJCNEJN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy@OKHAJAOM@:
					; CODE XREF: PAGELK:00728082j
					; PAGELK:loc_72803Ej ...
		unicode	0, <\Registry>,0
; 

??_C@_0CK@OKBBFLMB@po?3?5POP_WAKE_DEVICE_AFTER_SLEEP@OKHAJAOM@:
					; DATA XREF: PoBroadcastSystemState+B29Fo
		jo	short near ptr loc_72811F+2
		cmp	ah, [eax]
		push	eax
		dec	edi

loc_7280B6:				; CODE XREF: PAGELK:00728040j
		push	eax
		pop	edi
		push	edi
		inc	ecx
		dec	ebx

loc_7280BB:				; CODE XREF: PAGELK:00728056j
		inc	ebp
		pop	edi
		inc	esp
		inc	ebp

loc_7280BF:				; CODE XREF: PAGELK:0072804Ej
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
		pop	edi
		inc	ecx
		inc	esi
		push	esp
		inc	ebp
		push	edx
		pop	edi
		push	ebx
		dec	esp
		inc	ebp
		inc	ebp
		push	eax
		and	[ebp+6Eh], ah
		popa
		bound	ebp, [ebp+64h]
		or	al, cs:[eax]

??_C@_19PCNJIDGC@?$AA0?$AAx?$AA?$CF?$AAx@OKHAJAOM@: ; DATA XREF: PAGELK:0071F957o
		xor	[eax], al
		js	short $+2
		and	eax, 7800h
; 
		db 0
??_C@_1BG@FGILHOGJ@?$AAF?$AAw?$AAP?$AAO?$AAS?$AAT?$AAT?$AAi?$AAm?$AAe@OKHAJAOM@:
					; CODE XREF: PAGELK:0072807Ej
					; DATA XREF: BapdRecordFirmwareBootStats:loc_724225o
		unicode	0, <FwPOSTTime>,0
??_C@_1BG@CBMDEONI@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAC?$AAo?$AAu?$AAn?$AAt@OKHAJAOM@	db 'E',0
					; DATA XREF: BapdRegisterSiData(x,x,x)+9Bo
aVentcount:
		unicode	0, <ventCount>,0
; 

??_C@_1BE@PMCPENL@?$AAB?$AAo?$AAo?$AAt?$AAC?$AAo?$AAu?$AAn?$AAt@OKHAJAOM@:
					; DATA XREF: BapdRegisterSiData(x,x,x)+C1o
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+43h], dh
		add	[edi+0], ch
		jnz	short $+2
		outsb

loc_72811F:				; CODE XREF: PAGELK:??_C@_0CK@OKBBFLMB@po?3?5POP_WAKE_DEVICE_AFTER_SLEEP@OKHAJAOM@j
		add	[eax+eax+0], dh
; 
		db 0
; 

??_C@_1BC@GMFALMFC@?$AAW?$AAB?$AAC?$AAL?$AAD?$AAr?$AAt?$AAm@OKHAJAOM@:
					; DATA XREF: BapdRegisterSiData(x,x,x)+42o
		push	edi
		add	[edx+0], al
		inc	ebx
		add	[eax+eax+44h], cl
		add	[edx+0], dh
		jz	short $+2
		insd
; 
		db 0
		db 2 dup(0)
; 

??_C@_19HEALFAGP@?$AAW?$AAB?$AAC?$AAL@OKHAJAOM@: ; DATA	XREF: BapdRegisterSiData(x,x,x)+4Co
		push	edi
		add	[edx+0], al
		inc	ebx
		add	[eax+eax+0], cl
; 
		db 0
; 

??_C@_1GG@IBGAEKLO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@OKHAJAOM@:
					; DATA XREF: BapdGetISRegistryKey(x)+10o
					; BapdpWriteEventDataToRegistry(x,x,x)+10o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+0], ch
; 
		db 0
; 

??_C@_1CE@KCLMNKNL@?$AAI?$AAn?$AAt?$AAe?$AAg?$AAr?$AAi?$AAt?$AAy?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc@OKHAJAOM@:
					; DATA XREF: BapdGetISRegistryKey(x)+5Bo
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edi+0], ah
		jb	short $+2
		imul	eax, [eax], 790074h
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CC@KBCDAIDG@?$AAI?$AAn?$AAi?$AAt?$AAi?$AAa?$AAl?$AAC?$AAo?$AAu?$AAn?$AAt?$AAe?$AAr?$AAI@OKHAJAOM@:
					; DATA XREF: BapdRegisterSiData(x,x,x)+1E6o
		dec	ecx
		add	[esi+0], ch
		imul	eax, [eax], 690074h
		popa
		add	[eax+eax+43h], ch
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		dec	ecx
		add	[eax+eax+0], ah

loc_7281EB:				; DATA XREF: BapdRegisterSiData(x,x,x)+19Co
		add	[ecx+0], cl
		outsb
		add	[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 6C0061h
		inc	ebp
		add	[esi+0], dh
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+0], dh

loc_72820F:				; DATA XREF: BapdRegisterSiData(x,x,x)+1C1o
		add	[ecx+0], cl
		outsb
		add	[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 6C0061h
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+43h], dh
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+0], dh

loc_728231:				; DATA XREF: BapdRegisterSiData(x,x,x)+14Co
		add	[eax+eax+50h], dl
		add	[ebp+0], cl
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 650076h
		dec	esp
		add	[edi+0], ch
		add	[bp+0],	al
		outsd
		add	[edx+0], dh
		insd
		add	[ecx+0], ah
		jz	short $+2
; 
		dw 0
; 

??_C@_1BO@KBGBBKMI@?$AAT?$AAP?$AAM?$AAD?$AAi?$AAg?$AAe?$AAs?$AAt?$AAA?$AAl?$AAg?$AAI?$AAD@OKHAJAOM@:
					; DATA XREF: BapdRegisterSiData(x,x,x)+172o
		push	esp
		add	[eax+0], dl
		dec	ebp
		add	[eax+eax+69h], al
		add	[edi+0], ah
		add	gs:[ebx+0], dh
		jz	short $+2
		inc	ecx
		add	[eax+eax+67h], ch
		add	[ecx+0], cl
		inc	esp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BE@PLFCIJJC@?$AAC?$AAo?$AAu?$AAn?$AAt?$AAe?$AAr?$AAI?$AAd@OKHAJAOM@:
					; DATA XREF: BapdRegisterSiData(x,x,x)+E7o
		inc	ebx
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		dec	ecx
		add	[eax+eax+0], ah

loc_728289:				; DATA XREF: BapdRegisterSiData(x,x,x)+126o
		add	[eax+eax+50h], dl
		add	[ebp+0], cl
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 650076h
		push	eax
		add	[ebx+0], al
		push	edx
		add	[edx+0], al
		popa
		add	[esi+0], ch
		imul	eax, [eax], 73h
; 
		db 0
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1CM@JGIJKPEK@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@OKHAJAOM@ proc near
					; DATA XREF: BapdpWriteEventDataToRegistry(x,x,x)+5Bo
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
??_C@_1CM@JGIJKPEK@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@OKHAJAOM@ endp

		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[eax+0], dl
		outsd
		add	[edi+0], dh
		add	gs:[edx+0], dh
; 
		db 2 dup(0)
; 

; char ??_C
??_C@_0P@PKJHNMNM@?6STOP?3?5?$CFlx?5?$CFs?6@OKHAJAOM@:
					; DATA XREF: ExpSystemErrorHandler(x,x,x,x,x)+3CDo
		or	dl, [ebx+54h]
		dec	edi
		push	eax
		cmp	ah, [eax]
		and	eax, 2520786Ch
		jnb	short loc_7282F2
		add	ah, cl

; char ??_C
??_C@_0BA@CEBBANEO@?6HardError?5?$CFlx?6@OKHAJAOM@:
					; DATA XREF: ExpSystemErrorHandler(x,x,x,x,x)+41Do
		or	cl, [eax+61h]
		jb	short near ptr ??_C@_0DM@CMMHDKIJ@Exception?5Processing?5Message?5?$CFl@OKHAJAOM@+33h
		inc	ebp
		jb	short near ptr loc_728361+3

loc_7282F2:				; CODE XREF: PAGELK:007282E6j
		outsd
		jb	short near ptr loc_728313+2
		and	eax, 0A786Ch

??_C@_03KHOJPICI@?5?$CFx@OKHAJAOM@:	; DATA XREF: ExpSystemErrorHandler(x,x,x,x,x):loc_730692o
					; ExpSystemErrorHandler(x,x,x,x,x):loc_7306ABo
		and	ds:0A0078h, ah

??_C@_03EEBNCBOD@?5?$CFs@OKHAJAOM@:	; DATA XREF: ExpSystemErrorHandler(x,x,x,x,x)+F3o
					; ExpSystemErrorHandler(x,x,x,x,x):loc_730685o
		and	ds:3F0073h, ah
		aas
		add	[edi], bh
; 
		db 3 dup(0)

;  S U B	R O U T	I N E 


??_C@_0BD@EFJJCAGA@Unknown?5Hard?5Error@OKHAJAOM@ proc near
					; DATA XREF: ExpSystemErrorHandler(x,x,x,x,x)+1A8o
					; ExpSystemErrorHandler(x,x,x,x,x)+3A3o ...
		push	ebp
		outsb
??_C@_0BD@EFJJCAGA@Unknown?5Hard?5Error@OKHAJAOM@ endp

		imul	ebp, [esi+6Fh],	77h
		outsb

loc_728313:				; CODE XREF: PAGELK:007282F3j
		and	[eax+61h], cl
		jb	short near ptr loc_72837A+2
		and	[ebp+72h], al
		jb	short near ptr loc_728389+3
		jb	short $+2
		int	3		; Trap to Debugger
; 
; char ??_C[]
??_C@_0DM@CMMHDKIJ@Exception?5Processing?5Message?5?$CFl@OKHAJAOM@ db 'Exception Processing Message %lx Parameters %Ix %Ix %Ix %Ix',0
					; DATA XREF: ExpSystemErrorHandler(x,x,x,x,x)+54Bo
; 
; START	OF FUNCTION CHUNK FOR RtlCompressWorkSpaceSizeLZNT1

loc_72835C:				; CODE XREF: RtlCompressWorkSpaceSizeLZNT1+Aj
		mov	eax, 100h

loc_728361:				; CODE XREF: PAGELK:007282F0j
		cmp	[ebp+arg_0], ax
		jnz	short loc_728375
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 10h
		jmp	loc_71A55B
; 

loc_728375:				; CODE XREF: RtlCompressWorkSpaceSizeLZNT1+DE23j
		mov	eax, 0C00000BBh

loc_72837A:				; CODE XREF: PAGELK:00728316j
		jmp	loc_71A566
; END OF FUNCTION CHUNK	FOR RtlCompressWorkSpaceSizeLZNT1
; 

loc_72837F:				; CODE XREF: PAGELK:0071A6B1j
		mov	eax, 0C000009Ah
		jmp	loc_71A710
; 

loc_728389:				; CODE XREF: PAGELK:0071A6DBj
					; PAGELK:0072831Bj
		mov	al, byte ptr ds:_KiDefaultHeteroCpuPolicy
		mov	[edi+61h], al
		jmp	loc_71A6E1
; 

loc_728396:				; DATA XREF: .text:006A0CFCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7283A4:				; DATA XREF: .text:006A0D00o
		mov	esp, [ebp-18h]
		cmp	byte ptr [ebp+1Bh], 0
		jz	short loc_7283BF
		push	2
		pop	edx
		mov	esi, [ebp-1Ch]
		mov	ecx, [esi+28h]
		call	_MmDeleteKernelStack@8 ; MmDeleteKernelStack(x,x)
		and	dword ptr [esi+20h], 0

loc_7283BF:				; CODE XREF: PAGELK:007283ABj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_71A710
; 
; START	OF FUNCTION CHUNK FOR EmClientQueryRuleState

loc_7283CE:				; CODE XREF: EmClientQueryRuleState+2Aj
		mov	esi, 0C0000006h
		jmp	loc_71A7CF
; 

loc_7283D8:				; CODE XREF: EmClientQueryRuleState+Cj
					; EmClientQueryRuleState+17j
		mov	esi, 0C000000Dh
		jmp	loc_71A7CF
; END OF FUNCTION CHUNK	FOR EmClientQueryRuleState
; 
; START	OF FUNCTION CHUNK FOR EmClientRuleEvaluate

loc_7283E2:				; CODE XREF: EmClientRuleEvaluate+Bj
					; EmClientRuleEvaluate+15j ...
		mov	esi, 0C000000Dh
		jmp	loc_71A880
; END OF FUNCTION CHUNK	FOR EmClientRuleEvaluate
; 
; START	OF FUNCTION CHUNK FOR EmpReleasePagingReference

loc_7283EC:				; CODE XREF: EmpReleasePagingReference+36j
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_71A938
; END OF FUNCTION CHUNK	FOR EmpReleasePagingReference
; 
; START	OF FUNCTION CHUNK FOR RtlCompressBufferLZNT1

loc_7283FB:				; CODE XREF: RtlCompressBufferLZNT1+2Aj
		mov	eax, 100h
		cmp	word ptr [ebp+arg_0], ax
		jnz	short loc_728410
		mov	eax, offset _LZNT1FindMatchMaximum@8 ; LZNT1FindMatchMaximum(x,x)
		jmp	loc_71A98B
; 

loc_728410:				; CODE XREF: RtlCompressBufferLZNT1+DAAEj
		mov	eax, 0C00000BBh
		jmp	loc_71A9EB
; END OF FUNCTION CHUNK	FOR RtlCompressBufferLZNT1
; 
; START	OF FUNCTION CHUNK FOR LZNT1CompressChunk

loc_72841A:				; CODE XREF: LZNT1CompressChunk+40j
		mov	[ebp+var_1C], edi
		jmp	loc_71AA46
; 

loc_728422:				; CODE XREF: LZNT1CompressChunk+368j
		mov	[eax], cl
		shr	ecx, 8
		mov	[eax+1], cl
		jmp	loc_71AB29
; 

loc_72842F:				; CODE XREF: LZNT1CompressChunk+33Cj
		mov	eax, 0C0000023h
		jmp	loc_71AB2B
; 

loc_728439:				; CODE XREF: LZNT1CompressChunk+F8j
		dec	edi
		jmp	loc_71AB00
; END OF FUNCTION CHUNK	FOR LZNT1CompressChunk
; 
; START	OF FUNCTION CHUNK FOR PfpScenCtxScenarioSet

loc_72843F:				; CODE XREF: PfpScenCtxScenarioSet+7Cj
		push	[ebp+var_C]
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)
		jmp	loc_71AFE8
; 

loc_72844C:				; CODE XREF: PfpScenCtxScenarioSet+86j
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_71AFF2
; END OF FUNCTION CHUNK	FOR PfpScenCtxScenarioSet
; 
; START	OF FUNCTION CHUNK FOR MmPerformMemoryListCommand

loc_72845B:				; CODE XREF: MmPerformMemoryListCommand+10j
		sub	ecx, 1
		jz	short loc_72849B
		sub	ecx, 1
		jz	short loc_72848A
		sub	ecx, 1
		jz	short loc_72847B
		sub	ecx, 1
		jz	short loc_728476
		mov	eax, 0C00000BBh
		pop	ecx
		retn
; 

loc_728476:				; CODE XREF: MmPerformMemoryListCommand+D3E1j
		xor	edx, edx
		inc	edx
		jmp	short loc_72847E
; 

loc_72847B:				; CODE XREF: MmPerformMemoryListCommand+D3DCj
		push	8
		pop	edx

loc_72847E:				; CODE XREF: MmPerformMemoryListCommand+D3EDj
		mov	ecx, eax
		call	MiPurgePartitionStandby
		jmp	loc_71B0AC
; 

loc_72848A:				; CODE XREF: MmPerformMemoryListCommand+D3D7j
		push	ecx
		push	8
		xor	dl, dl
		mov	ecx, eax
		call	MiFlushAllPages
		jmp	loc_71B0AC
; 

loc_72849B:				; CODE XREF: MmPerformMemoryListCommand+D3D2j
		mov	ecx, eax
		call	_MiEmptyAllWorkingSets@4 ; MiEmptyAllWorkingSets(x)
		jmp	loc_71B0AC
; END OF FUNCTION CHUNK	FOR MmPerformMemoryListCommand
; 
; START	OF FUNCTION CHUNK FOR PfSnBeginBootPhase

loc_7284A7:				; CODE XREF: PfSnBeginBootPhase+Fj
		mov	esi, 0C000000Dh
		jmp	loc_71B0EE
; 

loc_7284B1:				; CODE XREF: PfSnBeginBootPhase+45j
		xor	edx, edx
		push	8
		inc	edx
		pop	ecx
		call	PfSnUpdatePrefetcherFlags
		test	al, 4
		jz	loc_71B0EE
		jmp	loc_71B134
; END OF FUNCTION CHUNK	FOR PfSnBeginBootPhase
; 
; START	OF FUNCTION CHUNK FOR KiCalibrateTimeAdjustment

loc_7284C9:				; CODE XREF: KiCalibrateTimeAdjustment+266j
		mov	ebx, 0FFDF000Ch
		lea	esi, [ebx-4]

loc_7284D1:				; CODE XREF: KiCalibrateTimeAdjustment+D2A3j
		lea	ecx, [ebp+var_54]
		call	KeYieldProcessorEx
		mov	edi, [ebx]
		mov	eax, [esi]
		mov	[ebp+var_1C], eax
		mov	eax, 0FFDF0010h
		cmp	edi, [eax]
		jnz	short loc_7284D1
		mov	ebx, [ebp+var_20]
		mov	esi, [ebp+var_24]
		jmp	loc_71B4B0
; 

loc_7284F4:				; CODE XREF: KiCalibrateTimeAdjustment+A8j
		xor	ebx, ebx
		push	ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		push	offset byte_401802
		mov	[ebp+var_34], edx
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_38], eax
		xor	edx, edx
		push	1232h
		lea	eax, [ebp+var_38]
		mov	[ebp+var_10], ebx
		push	80008000h
		inc	edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 8
		mov	[ebp+var_8], ebx
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_71B2F2
; 

loc_728535:				; CODE XREF: KiCalibrateTimeAdjustment+32Aj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_728550
		xor	edi, edi
		inc	edi
		cmp	byte ptr ds:word_6D07B8+1, 0
		jnz	loc_71B574
		jmp	short loc_72856C
; 

loc_728550:				; CODE XREF: KiCalibrateTimeAdjustment+D2F8j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_71B574

loc_72856C:				; CODE XREF: KiCalibrateTimeAdjustment+D30Aj
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_71B574
		or	edx, 80000000h
		jmp	loc_71B574
; 

loc_728585:				; CODE XREF: KiCalibrateTimeAdjustment+33Aj
		push	edx
		push	ecx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_71B545
; END OF FUNCTION CHUNK	FOR KiCalibrateTimeAdjustment
; 
; START	OF FUNCTION CHUNK FOR PopWriteHeaderPages

loc_728593:				; CODE XREF: PopWriteHeaderPages+12Fj
		push	eax
		push	ecx
		push	offset ??_C@_0DK@KBBGNMAD@Checksum?5for?5resume?5context?5pag@OKHAJAOM@
		call	_DbgPrint
		add	esp, 0Ch
		push	1CE2h
		push	[ebp+var_8]
		push	dword ptr [ebx+2D4h]
		jmp	short loc_7285CA
; 

loc_7285B2:				; CODE XREF: PopWriteHeaderPages+18Dj
		push	edi
		push	eax
		push	offset ??_C@_0DD@LILHCBDB@Checksum?5for?5context?5page?5chang@OKHAJAOM@
		call	_DbgPrint
		add	esp, 0Ch
		push	1CF8h
		push	edi
		push	dword ptr [ebx+44h]

loc_7285CA:				; CODE XREF: PopWriteHeaderPages+D02Cj
		push	3
		jmp	short loc_7285E8
; 

loc_7285CE:				; CODE XREF: PopWriteHeaderPages+1A7j
		push	esi
		push	eax
		push	offset ??_C@_0DO@NIFPPBDC@Checksum?5for?5partial?5context?5pa@OKHAJAOM@
		call	_DbgPrint
		add	esp, 0Ch
		push	1CFFh
		push	esi
		push	dword ptr [ebx+44h]
		push	4

loc_7285E8:				; CODE XREF: PopWriteHeaderPages+D048j
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_7285F2:				; CODE XREF: PopWriteHeaderPages+33j
					; PopWriteHeaderPages+4Aj
		mov	eax, 0C0000017h
		jmp	loc_71B733
; END OF FUNCTION CHUNK	FOR PopWriteHeaderPages
; 
; START	OF FUNCTION CHUNK FOR PopWriteHiberPages

loc_7285FC:				; CODE XREF: PopWriteHiberPages+9Cj
					; PopWriteHiberPages+A8j
		push	16h
		pop	ecx
		call	PopCheckpointSystemSleep
		mov	eax, [esi+7Ch]
		cmp	eax, 4
		jz	short loc_728611
		cmp	eax, 5
		jnz	short loc_72861E

loc_728611:				; CODE XREF: PopWriteHiberPages+CED2j
		mov	ecx, esi
		call	_PopGetRemainingHibernateRangeDataSize@4 ; PopGetRemainingHibernateRangeDataSize(x)
		mov	[ebp+var_AC], eax

loc_72861E:				; CODE XREF: PopWriteHiberPages+CED7j
		xor	edi, edi
		push	edi
		call	_MmGetNumberOfPhysicalPages@4 ;	MmGetNumberOfPhysicalPages(x)
		push	4
		pop	edx
		lea	ecx, [ebp+var_D4]
		mov	[ebp+var_D4], eax
		call	IoAddTriageDumpDataBlock
		mov	ecx, esi
		call	_PopRecordHibernateDiagnosticInfo@4 ; PopRecordHibernateDiagnosticInfo(x)
		mov	edx, 80h
		mov	ecx, offset _PopHibernateDiagnosticInfo
		call	IoAddTriageDumpDataBlock
		push	[ebp+var_AC]
		push	dword ptr [esi+7Ch]
		push	ds:dword_6C24A8
		push	0Bh
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_72866B:				; CODE XREF: PopWriteHiberPages+B4j
		mov	ecx, 0A2044h
		call	@_PopInternalError@4 ; _PopInternalError(x)

loc_728675:				; CODE XREF: PopWriteHiberPages+13Ej
		lea	eax, [esi-10h]
		shl	eax, 0Ch
		push	10h
		sub	ecx, eax
		xor	eax, eax
		pop	esi
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_B4], esi
		jmp	loc_71B87C
; 

loc_728693:				; CODE XREF: PopWriteHiberPages+237j
		mov	eax, [ebp+var_BC]
		mov	[eax+80h], esi
		jmp	loc_71B980
; END OF FUNCTION CHUNK	FOR PopWriteHiberPages
; 
; START	OF FUNCTION CHUNK FOR PopInvokeSystemStateHandler

loc_7286A4:				; CODE XREF: PopInvokeSystemStateHandler+A6j
		mov	eax, 0C00000C0h
		jmp	loc_71BEB6
; 

loc_7286AE:				; CODE XREF: PopInvokeSystemStateHandler+D6j
		mov	eax, [esp+138h+var_F8]
		or	dword ptr [eax+0Ch], 40000h
		jmp	loc_71BA78
; 

loc_7286BE:				; CODE XREF: PopInvokeSystemStateHandler+DFj
		cmp	ebx, 6
		jz	loc_71BA81

loc_7286C7:				; CODE XREF: PopInvokeSystemStateHandler+E7j
		mov	edi, [esp+138h+var_EC]
		mov	ebx, [esp+138h+var_F0]
		jmp	loc_71BA9D
; 

loc_7286D4:				; CODE XREF: PopInvokeSystemStateHandler+117j
		xor	ebx, ebx
		mov	[esp+138h+var_104], 1
		push	ebx
		lea	eax, [esp+13Ch+var_104]
		mov	[esp+13Ch+var_100], ebx
		push	eax
		mov	[esp+140h+var_FC], ebx
		call	KeSetSystemGroupAffinityThread
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[esp+138h+var_129], al
		lea	eax, [esp+138h+var_F8]
		push	eax
		push	offset _PopInvokeStateHandlerTargetProcessor@16	; PopInvokeStateHandlerTargetProcessor(x,x,x,x)
		lea	eax, [esp+140h+var_B8]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	edi, ebx
		mov	byte ptr [esp+138h+var_B8+1], 2
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	short loc_728774

loc_728726:				; CODE XREF: PopInvokeSystemStateHandler+CDD6j
		mov	eax, large fs:20h
		cmp	edi, [eax+3CCh]
		jz	short loc_72876B
		mov	ebx, [esp+138h+var_D8]
		mov	eax, [esp+138h+var_9C]
		test	eax, eax
		jnz	short loc_72874E
		lea	eax, [edi+20h]
		mov	word ptr [esp+138h+var_B8+2], ax

loc_72874E:				; CODE XREF: PopInvokeSystemStateHandler+CDA5j
		push	0
		push	0
		lea	eax, [esp+140h+var_B8]
		push	eax
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		jmp	short loc_728763
; 

loc_728761:				; CODE XREF: PopInvokeSystemStateHandler+CDCDj
		pause

loc_728763:				; CODE XREF: PopInvokeSystemStateHandler+CDC3j
		mov	eax, [esp+138h+var_D8]
		cmp	ebx, eax
		jz	short loc_728761

loc_72876B:				; CODE XREF: PopInvokeSystemStateHandler+CD96j
		inc	edi
		cmp	edi, ds:_KeNumberProcessors
		jb	short loc_728726

loc_728774:				; CODE XREF: PopInvokeSystemStateHandler+CD88j
		lea	ebx, [esp+138h+var_F8]
		jmp	loc_71BB23
; 

loc_72877D:				; CODE XREF: PopInvokeSystemStateHandler+1AEj
		xor	ecx, ecx
		xor	dl, dl
		mov	[esp+138h+var_11C], ecx
		mov	[esp+138h+var_118], ecx
		mov	ecx, large fs:20h
		call	_KeQueryCycleCounterFrequency@8	; KeQueryCycleCounterFrequency(x,x)
		mov	ecx, [esp+138h+var_11C]
		mov	edi, eax
		mov	eax, edx
		mov	edx, [esp+138h+var_118]
		jmp	loc_71BB75
; 

loc_7287A6:				; CODE XREF: PopInvokeSystemStateHandler+1E3j
		and	[esp+13Ch+var_88], 0
		and	[esp+13Ch+var_80], 0
		push	offset byte_401802
		mov	[esp+140h+var_98], edx
		xor	edx, edx
		mov	[esp+140h+var_90], eax
		inc	edx
		push	1230h
		mov	[esp+144h+var_9C], ecx
		lea	eax, [esp+144h+var_9C]
		push	80008000h
		lea	ecx, [esp+148h+var_8C]
		mov	[esp+148h+var_94], edi
		mov	[esp+148h+var_8C], eax
		mov	[esp+148h+var_84], 10h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_71BB85
; 

loc_72880E:				; CODE XREF: PopInvokeSystemStateHandler+20Bj
		mov	cl, 1
		call	_VfNotifyOfHibernate@4 ; VfNotifyOfHibernate(x)
		jmp	loc_71BBAD
; 

loc_72881A:				; CODE XREF: PopInvokeSystemStateHandler+249j
		cmp	eax, 6
		jz	loc_71BBEB
		call	ds:off_6B13AC	; SymCryptFatalIntercept(x)
		jmp	loc_71BBEB
; 

loc_72882E:				; CODE XREF: PopInvokeSystemStateHandler+363j
		cmp	ds:_KdDebuggerEnabled, 0
		jz	loc_71BD05
		push	edi
		call	_DbgBreakPointWithStatus@4 ; DbgBreakPointWithStatus(x)
		mov	eax, [esp+138h+var_114]
		xor	ecx, ecx
		inc	ecx
		jmp	loc_71BD05
; 

loc_72884D:				; CODE XREF: PopInvokeSystemStateHandler+36Bj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	0Ah
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_72885E:				; CODE XREF: PopInvokeSystemStateHandler+228j
		mov	edi, 0C0000001h
		jmp	loc_71BD65
; 

loc_728868:				; CODE XREF: PopInvokeSystemStateHandler+3D3j
		test	ds:_PopSimulate, 1000h
		jz	loc_71BECB
		xor	eax, eax
		inc	eax
		mov	[esi], al

loc_72887D:				; CODE XREF: PopInvokeSystemStateHandler+3E9j
		and	dword ptr [ebx+0Ch], 0
		cmp	ds:dword_6C2DF8, 0
		mov	dword ptr [ebx], offset	unk_6C2DF0
		jz	short loc_7288A0
		push	6
		lea	edx, [esp+138h+var_64]
		mov	ecx, ebx
		call	_PopIssueNextState@12 ;	PopIssueNextState(x,x,x)

loc_7288A0:				; CODE XREF: PopInvokeSystemStateHandler+CEF2j
		push	3
		call	ds:__imp__HalReturnToFirmware@4	; HalReturnToFirmware(x)
		jmp	loc_71BD8B
; 

loc_7288AD:				; CODE XREF: PopInvokeSystemStateHandler+3F6j
		xor	cl, cl
		call	_VfNotifyOfHibernate@4 ; VfNotifyOfHibernate(x)
		jmp	loc_71BD98
; 

loc_7288B9:				; CODE XREF: PopInvokeSystemStateHandler+44Ej
		cmp	ds:_PoResumeFromHibernate, 0
		jnz	loc_71BDF0
		xor	eax, eax
		inc	eax
		mov	byte ptr [esp+134h+var_128+2], al
		lea	eax, [esp+134h+var_124]
		push	0
		push	eax
		call	ds:off_6B1298	; xHalpIsInterruptTypeSecondary(x,x)
		test	al, al
		jnz	loc_71BE15
		and	dword ptr [esp+10h], 0
		and	[esp+13Ch+var_128], 0
		jmp	loc_71BE15
; 

loc_7288F1:				; CODE XREF: PopInvokeSystemStateHandler+483j
		mov	eax, [esp+140h+var_130]
		lea	ecx, [esp+140h+var_80]
		and	[esp+140h+var_7C], 0
		and	[esp+140h+var_74], 0
		mov	[esp+140h+var_C8], eax
		mov	eax, [esp+14h]
		mov	[esp+140h+var_C4], eax
		lea	eax, [esp+140h+var_C8]
		mov	[esp+140h+var_80], eax
		xor	eax, eax
		push	offset byte_401802
		push	1231h
		push	80008000h
		lea	edx, [eax+1]
		mov	[esp+14Ch+var_78], 8
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_71BE25
; 

loc_72894C:				; CODE XREF: PopInvokeSystemStateHandler+48Ej
		mov	ecx, large fs:20h
		xor	eax, eax
		lea	edx, [eax+1]
		call	_KeQueryCycleCounterFrequency@8	; KeQueryCycleCounterFrequency(x,x)
		mov	esi, eax
		mov	edi, 3E8h
		mov	eax, edx
		mul	edi
		mov	ecx, eax
		mov	eax, esi
		mul	edi
		add	ecx, edx
		push	ecx
		push	eax
		push	dword ptr [esp+1Ch]
		push	[esp+14Ch+var_130]
		call	__aulldiv
		push	0
		push	3E8h
		push	ds:dword_70ED2C
		mov	edi, eax
		mov	esi, edx
		push	ds:_PopQpcFrequency
		call	__aulldiv
		push	edx
		push	eax
		push	esi
		push	edi
		call	__allmul
		mov	esi, [esp+140h+var_110]
		mov	edi, [esp+140h+var_118]
		mov	[esp+140h+var_130], eax
		sub	eax, [esp+140h+var_124]
		mov	[esp+14h], edx
		sbb	edx, [esp+140h+var_120]
		mov	ds:dword_6C2888, eax
		mov	ds:dword_6C288C, edx
		jmp	loc_71BE30
; 

loc_7289CC:				; CODE XREF: PopInvokeSystemStateHandler+4E6j
		mov	cl, [esp+140h+var_131]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_71BEAF
; END OF FUNCTION CHUNK	FOR PopInvokeSystemStateHandler
; 
; START	OF FUNCTION CHUNK FOR PopCreateDumpMdl

loc_7289DB:				; CODE XREF: PopCreateDumpMdl+24j
		mov	ecx, 0A1482h
		call	@_PopInternalError@4 ; _PopInternalError(x)

loc_7289E5:				; CODE XREF: PopCreateDumpMdl+93j
		push	esi
		push	1Ch
		pop	edx
		mov	ecx, edi
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	esi
		push	edi
		push	0Ah
		push	106h
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_728A04:				; CODE XREF: PopHiberReadChecksums+ACj
		mov	edi, eax
		mov	[ebp+var_8], edi
		jmp	loc_71C358
; END OF FUNCTION CHUNK	FOR PopCreateDumpMdl
; 
; START	OF FUNCTION CHUNK FOR PopHiberReadChecksums

loc_728A0E:				; CODE XREF: PopHiberReadChecksums+156j
		mov	ecx, [esi+74h]
		mov	edx, 100h
		push	0
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	[ebp+var_1C]
		push	esi
		push	0Ah
		push	10Ah
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_728A33:				; CODE XREF: PopAddPagesToCompressedPageSet+32j
		mov	ecx, ds:dword_6C2500
		mov	eax, [ebp+arg_4]
		mov	edx, [esi+68h]
		mov	[ebp+arg_8], eax
		mov	edi, [ecx+20h]
		sub	edi, [ecx+30h]
		mov	eax, [ecx+24h]
		sbb	eax, [ecx+34h]
		mov	[ebp+arg_4], eax
		mov	[ebp+var_C], edx
		test	edx, edx
		jz	short loc_728AA5
		mov	eax, [esi+6Ch]
		xor	edx, edx
		mov	[ebp+var_14], eax
		imul	eax, 64h
		div	[ebp+var_C]
		cmp	eax, ds:dword_6C24D4
		jg	short loc_728AA2
		mov	edx, [ecx+4]
		mov	eax, edx
		mov	ecx, [ebp+arg_4]
		shr	eax, 1
		cmp	ecx, ebx
		jg	short loc_728A82
		jl	short loc_728AB7
		cmp	edi, eax
		jb	short loc_728AB7

loc_728A82:				; CODE XREF: PopHiberReadChecksums+C7D4j
		mov	eax, [ebp+var_14]
		imul	edx, 3
		shr	edx, 2
		inc	eax
		mov	[esi+6Ch], eax
		cmp	ecx, ebx
		jg	short loc_728A9D
		jl	short loc_728A99
		cmp	edi, edx
		jnb	short loc_728A9D

loc_728A99:				; CODE XREF: PopHiberReadChecksums+C7EDj
		push	2
		jmp	short loc_728A9F
; 

loc_728A9D:				; CODE XREF: PopHiberReadChecksums+C7EBj
					; PopHiberReadChecksums+C7F1j
		push	3

loc_728A9F:				; CODE XREF: PopHiberReadChecksums+C7F5j
		pop	ebx
		jmp	short loc_728AB7
; 

loc_728AA2:				; CODE XREF: PopHiberReadChecksums+C7C6j
		mov	eax, [ebp+arg_4]

loc_728AA5:				; CODE XREF: PopHiberReadChecksums+C7B0j
		mov	ecx, [ecx+4]
		shr	ecx, 1
		cmp	eax, ebx
		jg	short loc_728AB4
		jl	short loc_728AB7
		cmp	edi, ecx
		jb	short loc_728AB7

loc_728AB4:				; CODE XREF: PopHiberReadChecksums+C806j
		xor	ebx, ebx
		inc	ebx

loc_728AB7:				; CODE XREF: PopHiberReadChecksums+C7D6j
					; PopHiberReadChecksums+C7DAj ...
		mov	eax, [ebp+var_C]
		inc	eax
		mov	[esi+68h], eax
		jmp	loc_71C4AA
; END OF FUNCTION CHUNK	FOR PopHiberReadChecksums
; 
; START	OF FUNCTION CHUNK FOR PopRequestWrite

loc_728AC3:				; CODE XREF: PopRequestWrite+D3j
					; PopRequestWrite+DDj
		mov	edi, [esp+48h+var_8]
		mov	eax, [esp+48h+var_4]
		mov	[esp+48h+var_24], edi
		mov	[esp+48h+var_10], edi
		mov	[esp+48h+var_30], eax
		mov	[esp+48h+var_C], eax
		jmp	loc_71C737
; 

loc_728AE0:				; CODE XREF: PopRequestWrite+39Dj
		rdtsc
		mov	edi, eax
		mov	[esp+58h+var_4C], edx
		mov	eax, [ebx+74h]
		lea	ecx, [ebx+0F0h]
		push	esi
		push	ecx
		mov	[esp+60h+var_48], edi
		call	dword ptr [eax+30h]
		mov	ecx, [esp+60h+var_54]
		mov	[esp+60h+var_3C], eax
		rdtsc
		sub	eax, edi
		sbb	edx, ecx
		add	ds:dword_6C28C0, eax
		adc	ds:dword_6C28C4, edx
		cmp	[esp+60h+var_3C], 0
		jl	short loc_728B52
		mov	dword ptr [ebx+0CCh], 2
		jmp	loc_71C9FB
; 

loc_728B2A:				; CODE XREF: PopRequestWrite+157j
					; PopRequestWrite+371j	...
		push	15h
		pop	ecx
		call	PopCheckpointSystemSleep
		push	0
		mov	edx, 138h
		mov	ecx, ebx
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		mov	ecx, [ebx+74h]
		mov	edx, 100h
		push	0
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	edi
		jmp	short loc_728B7B
; 

loc_728B52:				; CODE XREF: PopRequestWrite+C4C5j
		push	15h
		pop	ecx
		call	PopCheckpointSystemSleep
		push	0
		mov	edx, 138h
		mov	ecx, ebx
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		mov	ecx, [ebx+74h]
		mov	edx, 100h
		push	0
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	[esp+60h+var_3C]

loc_728B7B:				; CODE XREF: PopRequestWrite+C4FCj
		push	ebx
		push	0Ah
		push	10Ah
		jmp	short loc_728BCC
; 

loc_728B85:				; CODE XREF: PopRequestWrite+C590j
					; PopRequestWrite+C597j
		mov	ecx, ebx
		call	_PopGetRemainingHibernateRangeDataSize@4 ; PopGetRemainingHibernateRangeDataSize(x)
		mov	[esp+70h+var_44], eax

loc_728B90:				; CODE XREF: PopRequestWrite+C595j
		push	0
		call	_MmGetNumberOfPhysicalPages@4 ;	MmGetNumberOfPhysicalPages(x)
		push	4
		pop	edx
		lea	ecx, [esp+70h+var_48]
		mov	[esp+70h+var_48], eax
		call	IoAddTriageDumpDataBlock
		mov	ecx, ebx
		call	_PopRecordHibernateDiagnosticInfo@4 ; PopRecordHibernateDiagnosticInfo(x)
		mov	edx, 80h
		mov	ecx, offset _PopHibernateDiagnosticInfo
		call	IoAddTriageDumpDataBlock
		push	[esp+70h+var_44]
		push	dword ptr [ebx+7Ch]
		push	ds:dword_6C24A8
		push	0Bh

loc_728BCC:				; CODE XREF: PopRequestWrite+C52Fj
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_728BD6:				; CODE XREF: PopRequestWrite+26Fj
					; PopRequestWrite+27Bj
		push	16h
		pop	ecx
		call	PopCheckpointSystemSleep
		mov	eax, [ebx+7Ch]
		cmp	eax, 4
		jz	short loc_728B85
		cmp	eax, 5
		jnz	short loc_728B90
		jmp	short loc_728B85
; 

loc_728BED:				; CODE XREF: PopRequestWrite+105j
		xor	eax, eax
		inc	eax
		jmp	loc_71C761
; END OF FUNCTION CHUNK	FOR PopRequestWrite
; 
; START	OF FUNCTION CHUNK FOR PopRestoreHiberContext

loc_728BF5:				; CODE XREF: PopRestoreHiberContext+81j
					; PopRestoreHiberContext+90j
		mov	eax, esi
		mov	[ebp+var_20], esi
		mov	ecx, esi
		mov	[ebp+var_1C], esi
		jmp	loc_71CACE
; 

loc_728C04:				; CODE XREF: PopRestoreHiberContext+140j
					; PopRestoreHiberContext+14Dj
		push	1Ch
		pop	ecx
		call	PopCheckpointSystemSleep
		mov	ecx, [ebx+74h]
		mov	edx, 100h
		push	esi
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	esi
		push	dword ptr [ebx+74h]
		push	edi
		push	0Ch
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_728C2B:				; CODE XREF: PopRestoreHiberContext+24Ej
					; PopRestoreHiberContext+C214j
		pause
		mov	eax, [edx]
		mov	esi, [ebx+0A4h]
		mov	[ebp+var_4], esi
		cmp	eax, esi
		jnz	short loc_728C2B
		mov	ecx, [ebp+var_4]
		xor	esi, esi
		jmp	loc_71CC7A
; 

loc_728C46:				; CODE XREF: PopRestoreHiberContext+38Cj
					; PopRestoreHiberContext+395j
		push	ds:dword_6C29EC
		push	ds:dword_6C29E8
		push	esi
		push	[ebp+var_4]
		call	__allmul
		add	ebx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		adc	ecx, [ebp+var_10]
		add	ebx, 1
		adc	ecx, esi
		push	ecx
		push	ebx
		push	edx
		push	eax
		call	__alldiv
		sub	eax, [ebp+var_30]
		push	esi
		sbb	edx, [ebp+var_18]
		push	64h
		push	edx
		push	eax
		call	__allmul
		sub	edi, [ebp+var_30]
		mov	ecx, [ebp+var_2C]
		sbb	ecx, [ebp+var_18]
		push	ecx
		push	edi
		push	edx
		push	eax
		call	__alldiv
		mov	ecx, eax
		cmp	edx, esi
		jl	short loc_728CA3
		push	63h
		pop	eax
		jg	short loc_728CB4
		cmp	ecx, eax
		ja	short loc_728CB4

loc_728CA3:				; CODE XREF: PopRestoreHiberContext+C272j
		xor	eax, eax
		mov	ds:dword_6C24D4, ecx
		inc	eax
		cmp	ecx, eax
		jge	loc_71CDCB

loc_728CB4:				; CODE XREF: PopRestoreHiberContext+C277j
					; PopRestoreHiberContext+C27Bj
		mov	ds:dword_6C24D4, eax
		jmp	loc_71CDCB
; END OF FUNCTION CHUNK	FOR PopRestoreHiberContext
; 
; START	OF FUNCTION CHUNK FOR PopDecompressHiberBlocks

loc_728CBE:				; CODE XREF: PopDecompressHiberBlocks+3DFj
		cmp	ds:byte_6C24D0,	0
		jz	loc_71D24B
		jmp	loc_71CF0A
; 

loc_728CD0:				; CODE XREF: PopDecompressHiberBlocks+31Fj
					; PopDecompressHiberBlocks+331j
		mov	esi, [ebp+var_C8]
		push	1Fh
		pop	ecx
		mov	dword ptr [esi+80h], 0C0000242h
		call	PopCheckpointSystemSleep
		push	ebx
		mov	edx, 138h
		mov	ecx, esi
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	ebx
		push	esi
		jmp	short loc_728D10
; 

loc_728CF9:				; CODE XREF: PopDecompressHiberBlocks+1A5j
		push	1Fh
		pop	ecx
		call	PopCheckpointSystemSleep
		push	ebx
		mov	edx, 138h
		mov	ecx, edi
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	ebx
		push	edi

loc_728D10:				; CODE XREF: PopDecompressHiberBlocks+BE91j
		push	0Ah
		push	107h
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_728D22:				; CODE XREF: ConsumerPeekAndConsumeBuffer+102j
		mov	eax, ds:_PopDebugCount
		inc	eax
		mov	ds:_PopDebugCount, eax
		test	al, 3Fh
		jnz	loc_71D548
		call	KdCheckForDebugBreak
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		jmp	loc_71D548
; END OF FUNCTION CHUNK	FOR PopDecompressHiberBlocks
; 
; START	OF FUNCTION CHUNK FOR ConsumerPeekAndConsumeBuffer

loc_728D47:				; CODE XREF: ConsumerPeekAndConsumeBuffer+116j
		mov	eax, [esi+18h]
		sub	eax, edx
		cmp	edi, eax
		jb	loc_71D55C
		mov	edi, eax
		jmp	loc_71D55C
; END OF FUNCTION CHUNK	FOR ConsumerPeekAndConsumeBuffer
; 
; START	OF FUNCTION CHUNK FOR PopSaveHiberContext

loc_728D5B:				; CODE XREF: PopSaveHiberContext+66j
		lea	edi, [esi+14h]
		lock inc dword ptr [edi]
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_728D72

loc_728D67:				; CODE XREF: PopSaveHiberContext+B7C0j
		call	KePollFreezeExecution
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_728D67

loc_728D72:				; CODE XREF: PopSaveHiberContext+B7B5j
		cmp	ds:_PoResumeFromHibernate, 0
		jz	short loc_728D85
		mov	edi, 40000294h
		jmp	loc_7291AE
; 

loc_728D85:				; CODE XREF: PopSaveHiberContext+B7C9j
		lea	edi, [esi+18h]
		lock inc dword ptr [edi]
		mov	eax, [edi]
		test	eax, eax
		jz	loc_71D61C

loc_728D95:				; CODE XREF: PopSaveHiberContext+B7EEj
		call	KePollFreezeExecution
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_728D95
		jmp	loc_71D61C
; 

loc_728DA5:				; CODE XREF: PopSaveHiberContext+72j
					; PopSaveHiberContext+B85Ej
		xor	edi, edi
		jmp	loc_7291AE
; 

loc_728DAC:				; CODE XREF: PopSaveHiberContext+E2j
		lea	edi, [esi+0Ch]
		lock inc dword ptr [edi]
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_728DC3

loc_728DB8:				; CODE XREF: PopSaveHiberContext+B811j
		call	KePollFreezeExecution
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_728DB8

loc_728DC3:				; CODE XREF: PopSaveHiberContext+B806j
		mov	edi, [esi+0A8h]
		lea	eax, [esp+378h+var_2C8]
		add	edi, [esp+378h+var_368]
		push	5Ch		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+378h+var_354], 0

loc_728DE9:				; CODE XREF: PopSaveHiberContext+B89Aj
		mov	eax, [edi+4]
		lea	edx, [esp+378h+var_354]
		push	eax
		push	0
		lea	eax, [esp+380h+var_2C8]
		mov	ecx, esi
		push	eax
		lea	eax, [esp+384h+var_C8]
		push	eax
		call	PopGetNextTable
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_728DA5
		add	[edi+28h], ebx
		lea	eax, [esp+378h+var_354]
		push	0		; int
		adc	dword ptr [edi+2Ch], 0
		mov	edx, edi
		push	ebx		; int
		push	0		; int
		push	[esp+384h+var_2BC] ; void *
		mov	ecx, esi
		push	eax		; int
		call	PopAddPagesToCompressedPageSet
		push	0
		push	ebx
		lea	ecx, [esp+380h+var_C8]
		mov	edx, eax
		push	ecx
		lea	ecx, [esp+384h+var_354]
		push	ecx
		mov	ecx, edi
		call	_PopCountDataAsProduced@24 ; PopCountDataAsProduced(x,x,x,x,x,x)
		jmp	short loc_728DE9
; 

loc_728E4C:				; CODE XREF: PopSaveHiberContext+132j
		mov	ecx, 0A18E0h
		call	@_PopInternalError@4 ; _PopInternalError(x)

loc_728E56:				; CODE XREF: PopSaveHiberContext+13Fj
		mov	[esp+378h+var_369], 0

loc_728E5B:				; CODE XREF: PopSaveHiberContext+154j
		or	ds:dword_6C2518, 4
		mov	ds:byte_6C24D1,	1
		jmp	loc_71D70A
; 

loc_728E6E:				; CODE XREF: PopSaveHiberContext+162j
		or	ds:dword_6C2518, 8
		mov	ds:byte_6C24D1,	1
		jmp	loc_71D718
; 

loc_728E81:				; CODE XREF: PopSaveHiberContext+170j
		or	ds:dword_6C2518, 1
		mov	ds:byte_6C24D1,	1
		jmp	loc_71D726
; 

loc_728E94:				; CODE XREF: PopSaveHiberContext+17Dj
		or	ds:dword_6C2518, 40h
		mov	ds:byte_6C24D1,	1
		jmp	loc_71D733
; 

loc_728EA7:				; CODE XREF: PopSaveHiberContext+1A6j
		xor	ecx, ecx
		call	_HvlDisableEnlightenment@4 ; HvlDisableEnlightenment(x)
		call	ds:off_6B1318	; xHalSaveAndDisableHvEnlightenment()
		jmp	loc_71D75C
; 

loc_728EB9:				; CODE XREF: PopSaveHiberContext+1E1j
		mov	ebx, eax
		jmp	loc_71D7A0
; 

loc_728EC0:				; CODE XREF: PopSaveHiberContext+50Dj
		lea	ebx, [esi+0Ch]
		lock inc dword ptr [ebx]
		mov	eax, [ebx]
		mov	ecx, [esi+0A4h]
		cmp	eax, ecx
		jz	short loc_728EE3

loc_728ED2:				; CODE XREF: PopSaveHiberContext+B931j
		call	KePollFreezeExecution
		mov	eax, [ebx]
		mov	ecx, [esi+0A4h]
		cmp	eax, ecx
		jnz	short loc_728ED2

loc_728EE3:				; CODE XREF: PopSaveHiberContext+B920j
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_728F27
		xor	edx, edx

loc_728EEB:				; CODE XREF: PopSaveHiberContext+B975j
		mov	ecx, [esi+0A8h]
		lea	edx, [edx+70h]
		mov	eax, [ecx+edx-48h]
		add	ds:dword_6C2A58, eax
		mov	eax, [ecx+edx-44h]
		adc	ds:dword_6C2A5C, eax
		inc	edi
		mov	eax, [esi+0A8h]
		mov	dword ptr [eax+edx-48h], 0
		mov	dword ptr [eax+edx-44h], 0
		cmp	edi, [esi+0A4h]
		jb	short loc_728EEB

loc_728F27:				; CODE XREF: PopSaveHiberContext+B937j
		mov	eax, ds:dword_6C2A88
		mov	ds:dword_6C2A68, eax
		mov	eax, ds:dword_6C2A8C
		mov	ds:dword_6C2A6C, eax
		mov	eax, ds:dword_6C2A90
		mov	ds:dword_6C2A78, eax
		lea	eax, [esi+20h]
		mov	ds:dword_6C2A7C, 0
		mov	ds:dword_6C2A88, 0
		mov	ds:dword_6C2A8C, 0
		mov	ds:dword_6C2A90, 0
		push	eax
		mov	dword ptr [esi+7Ch], 5
		mov	[esi+48h], eax
		mov	dword ptr [esi+50h], 0
		call	_RtlNumberOfClearBits@4	; RtlNumberOfClearBits(x)
		mov	ebx, [esi+0B0h]
		xor	ecx, ecx
		mov	edi, [esi+0ACh]
		shld	ecx, eax, 0Ch
		push	38h		; size_t
		mov	[esp+37Ch+var_368], ecx
		mov	ecx, ds:dword_6C2500
		shl	eax, 0Ch
		push	0		; int
		push	ecx		; void *
		mov	[esp+384h+var_35C], eax
		mov	[esp+384h+var_364], ecx
		call	_memset
		mov	eax, [esp+384h+var_364]
		add	esp, 0Ch
		mov	ecx, [esp+378h+var_35C]
		mov	[eax+8], ecx
		mov	ecx, [esp+378h+var_368]
		mov	[eax+0Ch], ecx
		mov	ecx, [esp+378h+var_358]
		mov	dword ptr [eax+10h], 0
		mov	[eax], edi
		mov	[eax+4], ebx
		mov	eax, [esi+0F8h]
		add	eax, 0FFFh
		shr	eax, 0Ch
		mov	[ecx+54h], eax
		lea	eax, [esp+378h+var_208]
		push	5Ch		; size_t
		push	0		; int
		push	eax		; void *
		mov	dword ptr [esi+0Ch], 0
		mov	dword ptr [esi+0D8h], 0
		mov	dword ptr [esi+0DCh], 0
		call	_memset
		mov	eax, ds:dword_6C2500
		add	esp, 0Ch
		mov	edi, [esi+0A8h]
		xor	ebx, ebx
		xor	ecx, ecx
		mov	[esp+378h+var_34C], 0
		mov	[esp+378h+var_364], eax
		mov	[esp+378h+var_360], ecx

loc_72903C:				; CODE XREF: PopSaveHiberContext+BB23j
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		mov	edx, [esp+378h+var_364]
		mov	ecx, esi
		push	1
		call	PopRequestWrite
		mov	[esp+378h+var_369], al
		mov	eax, [esp+378h+var_360]
		test	eax, eax
		jnz	short loc_7290A8
		mov	ecx, [edi+4]
		lea	edx, [esp+378h+var_34C]
		push	ecx
		push	eax
		lea	eax, [esp+380h+var_208]
		mov	ecx, esi
		push	eax
		lea	eax, [esp+384h+var_48]
		push	eax
		call	PopGetNextTable
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7290CE
		add	[edi+28h], ebx
		lea	eax, [esp+378h+var_34C]
		push	offset _PopCompressCallback@4 ;	int
		adc	dword ptr [edi+2Ch], 0
		mov	edx, edi
		push	ebx		; int
		push	0		; int
		push	[esp+384h+var_1FC] ; void *
		mov	ecx, esi
		push	eax		; int
		call	PopAddPagesToCompressedPageSet
		mov	[esp+378h+var_360], eax

loc_7290A8:				; CODE XREF: PopSaveHiberContext+BAA8j
		push	1
		push	ebx
		lea	ecx, [esp+380h+var_48]
		mov	edx, eax
		push	ecx
		lea	ecx, [esp+384h+var_34C]
		push	ecx
		mov	ecx, edi
		call	_PopCountDataAsProduced@24 ; PopCountDataAsProduced(x,x,x,x,x,x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	[esp+378h+var_360], eax

loc_7290CE:				; CODE XREF: PopSaveHiberContext+BACEj
		cmp	[esp+378h+var_369], 0
		jz	loc_72903C
		mov	ecx, esi
		mov	dword ptr [esi+7Ch], 7
		call	_PopWriteChecksumPages@4 ; PopWriteChecksumPages(x)
		push	[esp+378h+var_340]
		mov	edx, [esp+37Ch+var_358]
		mov	ecx, esi
		push	[esp+37Ch+var_33C]
		mov	dword ptr [esi+7Ch], 6
		push	[esp+380h+var_348]
		call	_PopWriteImageHeader@20	; PopWriteImageHeader(x,x,x,x,x)
		mov	edi, [esi+80h]
		test	edi, edi
		js	short loc_72915B
		mov	eax, ds:dword_6C26E0
		cmp	eax, ds:dword_6C26E8
		jnz	short loc_729136
		test	ds:_PopSimulate, 8000h
		jnz	short loc_729136
		push	0
		mov	edx, 0FFFFFFFEh
		xor	ecx, ecx
		call	_DbgUnLoadImageSymbols@12 ; DbgUnLoadImageSymbols(x,x,x)

loc_729136:				; CODE XREF: PopSaveHiberContext+BB6Aj
					; PopSaveHiberContext+BB76j
		test	ds:_PopSimulate, 1000h
		jz	short loc_729149
		mov	edi, 0C00000C0h
		jmp	short loc_729163
; 

loc_729149:				; CODE XREF: PopSaveHiberContext+BB90j
		xor	edi, edi
		test	byte ptr ds:_PopSimulateHiberBugcheck, 10h
		jz	short loc_729163
		mov	edi, 40000294h
		jmp	short loc_72919E
; 

loc_72915B:				; CODE XREF: PopSaveHiberContext+326j
					; PopSaveHiberContext+BB5Dj
		cmp	edi, 40000294h
		jz	short loc_72916A

loc_729163:				; CODE XREF: PopSaveHiberContext+BB97j
					; PopSaveHiberContext+BBA2j
		push	4
		call	_KdPowerTransition@4 ; KdPowerTransition(x)

loc_72916A:				; CODE XREF: PopSaveHiberContext+BBB1j
		test	edi, edi
		js	short loc_72919E
		cmp	edi, 40000294h
		jz	short loc_72919E
		cmp	ds:dword_6C26E0, 5
		jnz	short loc_72919E
		mov	ecx, ds:_PopShutdownNotificationCallback
		test	ecx, ecx
		jz	short loc_729192
		mov	eax, [ecx+8]
		push	eax
		mov	eax, [ecx+4]
		call	eax

loc_729192:				; CODE XREF: PopSaveHiberContext+BBD7j
		xor	cl, cl
		call	_HvlConfigureMemoryZeroingOnReset@4 ; HvlConfigureMemoryZeroingOnReset(x)
		call	_PopSetMemoryOverwriteRequestAction@8 ;	PopSetMemoryOverwriteRequestAction(x,x)

loc_72919E:				; CODE XREF: PopSaveHiberContext+BBA9j
					; PopSaveHiberContext+BBBCj ...
		mov	ecx, 18h
		call	PopCheckpointSystemSleep
		call	ds:off_6B13AC	; SymCryptFatalIntercept(x)

loc_7291AE:				; CODE XREF: PopSaveHiberContext+B7D0j
					; PopSaveHiberContext+B7F7j
		mov	ecx, [esp+37Ch+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7291C7:				; CODE XREF: PopSaveHiberContext+240j
					; PopSaveHiberContext+24Dj
		mov	ecx, 14h
		call	PopCheckpointSystemSleep
		mov	ecx, [esi+74h]
		mov	edx, 100h
		push	0
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		mov	eax, [esi+74h]
		push	0
		push	eax
		push	[esp+380h+var_348]
		push	0Ch
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_7291F7:				; CODE XREF: PopRequestRead+BFj
					; PopRequestRead+C9j
		mov	edi, [esp+38Ch+var_35C]
		mov	eax, [esp+38Ch+var_358]
		mov	[esp+38Ch+var_364], edi
		mov	[esp+38Ch+var_360], eax
		jmp	loc_71DBBD
; END OF FUNCTION CHUNK	FOR PopSaveHiberContext
; 
; START	OF FUNCTION CHUNK FOR PopRequestRead

loc_72920C:				; CODE XREF: PopRequestRead+332j
		cmp	[esp+44h+var_35], 0
		jz	short loc_72926B
		rdtsc
		push	esi
		mov	[ebx+0D0h], eax
		lea	ecx, [ebx+0F0h]
		mov	eax, [ebx+74h]
		push	ecx
		push	0
		mov	byte ptr [ebx+104h], 0
		mov	[ebx+0D4h], edx
		call	dword ptr [eax+6Ch]
		mov	ecx, eax
		mov	[esp+50h+var_28], eax
		jmp	loc_71DE26
; 

loc_729243:				; CODE XREF: PopRequestRead+145j
		push	1Dh
		pop	ecx
		call	PopCheckpointSystemSleep
		push	0
		mov	edx, 138h
		mov	ecx, ebx
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		mov	ecx, [ebx+74h]
		mov	edx, 100h
		push	0
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	esi
		jmp	short loc_729286
; 

loc_72926B:				; CODE XREF: PopRequestRead+33Aj
					; PopRequestRead+347j ...
		push	1Dh
		pop	ecx
		call	PopCheckpointSystemSleep
		mov	ecx, [ebx+74h]
		mov	edx, 100h
		push	0
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	[esp+44h+var_1C]

loc_729286:				; CODE XREF: PopRequestRead+B77Bj
		push	ebx
		push	0Ah
		push	10Ah
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_729299:				; CODE XREF: ProducerGetBuffer+36j
		mov	dword ptr [edi], 0
		mov	edi, [ebp+var_4]

loc_7292A2:				; CODE XREF: PopRequestRead+B7C9j
		call	KePollFreezeExecution
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		mov	eax, [ebx+30h]
		sub	eax, [ebx+18h]
		add	eax, [ebx+4]
		cmp	edi, eax
		ja	short loc_7292A2
		lea	edi, [ebx+10h]
		jmp	short loc_7292CE
; 

loc_7292BE:				; CODE XREF: PopRequestRead+B7DEj
					; PopRequestRead+B7EBj
		call	KePollFreezeExecution
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_7292BE

loc_7292CE:				; CODE XREF: PopRequestRead+B7CEj
		xor	ecx, ecx
		xor	eax, eax
		inc	ecx
		lock cmpxchg [edi], ecx
		test	eax, eax
		jnz	short loc_7292BE
		jmp	loc_71DEEE
; END OF FUNCTION CHUNK	FOR PopRequestRead
; 
; START	OF FUNCTION CHUNK FOR PopGetIoLocation

loc_7292E0:				; CODE XREF: PopGetIoLocation+29j
					; PopGetIoLocation+31j	...
		mov	esi, [ebp+var_8]
		mov	eax, edx
		mov	[ebp+var_10], esi
		cmp	edi, esi
		mov	esi, [ebp+var_14]
		mov	eax, ebx
		mov	[ebp+var_C], edx
		ja	short loc_72930D
		jb	short loc_7292FA
		cmp	ecx, ebx
		jnb	short loc_72930D

loc_7292FA:				; CODE XREF: PopGetIoLocation+B394j
		mov	edx, [esi]
		xor	eax, eax
		mov	[esi+4], edx
		mov	[esi+8], eax
		mov	[esi+0Ch], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], edx

loc_72930D:				; CODE XREF: PopGetIoLocation+B392j
					; PopGetIoLocation+B398j
		mov	ebx, [edx]
		mov	esi, [ebp+var_10]
		mov	[ebp+arg_4], ebx
		mov	ebx, [edx+4]
		mov	[ebp+var_8], esi
		mov	esi, [ebp+arg_4]
		add	esi, eax
		mov	[ebp+var_4], ebx
		mov	ebx, eax
		mov	[ebp+var_18], esi
		mov	eax, [ebp+var_4]
		adc	eax, [ebp+var_10]
		mov	esi, [ebp+var_14]
		cmp	edi, eax
		jb	loc_71DFC3
		ja	short loc_729344
		cmp	ecx, [ebp+var_18]
		jb	loc_71DFC3

loc_729344:				; CODE XREF: PopGetIoLocation+B3D9j
		mov	eax, [ebp+var_C]
		mov	ebx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_4], eax

loc_729352:				; CODE XREF: PopGetIoLocation+B430j
					; PopGetIoLocation+B43Bj
		mov	ebx, [esi+8]
		add	ebx, [ebp+arg_4]
		mov	eax, [esi+0Ch]
		adc	eax, [ebp+var_4]
		mov	edx, [ebp+var_C]
		mov	[ebp+var_8], eax
		add	edx, 10h
		mov	[esi+0Ch], eax
		mov	eax, edx
		mov	[ebp+var_C], eax
		mov	[esi+4], eax
		mov	[esi+8], ebx
		mov	eax, [edx]
		mov	[ebp+arg_4], eax
		mov	eax, [edx+4]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		add	eax, ebx
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_4]
		adc	eax, [ebp+var_8]
		cmp	edi, eax
		ja	short loc_729352
		jb	loc_71DFC3
		cmp	ecx, [ebp+var_18]
		jnb	short loc_729352
		jmp	loc_71DFC3
; END OF FUNCTION CHUNK	FOR PopGetIoLocation
; 
; START	OF FUNCTION CHUNK FOR PopHiberChecksumHiberFileData

loc_7293A2:				; CODE XREF: PopHiberChecksumHiberFileData+EBj
		mov	ecx, 1Eh
		call	PopCheckpointSystemSleep
		mov	ecx, [ebp+var_10]
		movzx	eax, word ptr [ecx+120h]
		push	eax
		mov	eax, [ebp+var_C]
		movzx	eax, word ptr [eax]
		push	eax
		push	0Ah
		push	10Eh
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_7293D0:				; CODE XREF: ConsumerGetBuffer+26j
					; PopHiberChecksumHiberFileData+B2BEj ...
		call	KePollFreezeExecution
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_7293D0
		xor	ecx, ecx
		inc	ecx
		lock cmpxchg [edi], ecx
		test	eax, eax
		jnz	short loc_7293D0

loc_7293EB:				; CODE XREF: ConsumerGetBuffer+B18Dj
		mov	edx, [ebp-4]
		jmp	loc_71E30C
; END OF FUNCTION CHUNK	FOR PopHiberChecksumHiberFileData
; 
; START	OF FUNCTION CHUNK FOR ConsumerGetBuffer

loc_7293F3:				; CODE XREF: ConsumerGetBuffer+3Cj
		mov	eax, [edx+18h]
		sub	eax, ecx
		cmp	ebx, eax
		jb	short loc_7293FE
		mov	ebx, eax

loc_7293FE:				; CODE XREF: ConsumerGetBuffer+B11Aj
		mov	eax, [ebp+var_8]
		mov	[eax], ebx
		jmp	loc_71E322
; 

loc_729408:				; CODE XREF: ConsumerGetBuffer+4Aj
		mov	ebx, [ebp+var_8]
		mov	dword ptr [edi], 0

loc_729411:				; CODE XREF: ConsumerGetBuffer+B15Fj
		call	KePollFreezeExecution
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		mov	edx, [ebp+var_4]
		mov	esi, [edx+20h]
		mov	ecx, [edx+28h]
		sub	esi, ecx
		mov	eax, [edx+8]
		or	eax, [edx+0Ch]
		jnz	short loc_72943D
		mov	eax, [edx+18h]
		sub	eax, ecx
		mov	ecx, [ebx]
		cmp	ecx, eax
		jb	short loc_72943B
		mov	ecx, eax

loc_72943B:				; CODE XREF: ConsumerGetBuffer+B157j
		mov	[ebx], ecx

loc_72943D:				; CODE XREF: ConsumerGetBuffer+B14Cj
		cmp	[ebx], esi
		ja	short loc_729411
		xor	ecx, ecx
		xor	eax, eax
		inc	ecx
		lock cmpxchg [edi], ecx
		test	eax, eax
		jz	loc_71E30C

loc_729452:				; CODE XREF: ConsumerGetBuffer+B180j
					; ConsumerGetBuffer+B18Bj
		call	KePollFreezeExecution
		call	_PopHiberCheckForDebugBreak@0 ;	PopHiberCheckForDebugBreak()
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_729452
		xor	ecx, ecx
		inc	ecx
		lock cmpxchg [edi], ecx
		test	eax, eax
		jnz	short loc_729452
		jmp	loc_7293EB
; END OF FUNCTION CHUNK	FOR ConsumerGetBuffer
; 
; START	OF FUNCTION CHUNK FOR PopCheckpointSystemSleep

loc_729472:				; CODE XREF: PopCheckpointSystemSleep+27j
		mov	eax, ds:_PopCheckpointSystemSleepSimulateFlags
		test	al, 1
		jz	short loc_729486
		shr	eax, 18h
		cmp	esi, eax
		ja	loc_71E397

loc_729486:				; CODE XREF: PopCheckpointSystemSleep+B10Fj
		cmp	ds:_PoAllProcIntrDisabled, dl
		jnz	short loc_7294B5
		xor	eax, eax
		mov	ecx, offset _PopPagingEnabled
		lock xadd [ecx], eax
		test	eax, eax
		jnz	short loc_7294D2
		push	edx
		push	edx
		jmp	short loc_7294A5
; 

loc_7294A1:				; CODE XREF: PopCheckpointSystemSleep+B166j
		push	0
		push	2

loc_7294A5:				; CODE XREF: PopCheckpointSystemSleep+B135j
					; PopCheckpointSystemSleep+B15Cj
		push	esi
		push	10Fh
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_7294B5:				; CODE XREF: PopCheckpointSystemSleep+B122j
		mov	eax, large fs:20h
		cmp	[eax+3CCh], edx
		jz	short loc_7294C8
		push	edx
		push	1
		jmp	short loc_7294A5
; 

loc_7294C8:				; CODE XREF: PopCheckpointSystemSleep+B157j
		call	ds:off_6B13E8	; KeIsCetCapable()
		test	al, al
		jnz	short loc_7294A1

loc_7294D2:				; CODE XREF: PopCheckpointSystemSleep+B131j
		mov	ecx, esi
		call	_PopCheckpointSystemSleepUnsafe@4 ; PopCheckpointSystemSleepUnsafe(x)
		jmp	loc_71E397
; END OF FUNCTION CHUNK	FOR PopCheckpointSystemSleep
; 
; START	OF FUNCTION CHUNK FOR PoBroadcastSystemState

loc_7294DE:				; CODE XREF: PoBroadcastSystemState+95j
		movzx	eax, ds:_PopKsrPrepared
		neg	eax
		sbb	eax, eax
		and	eax, 400000h
		or	ecx, eax
		jmp	loc_71E750
; 

loc_7294F5:				; CODE XREF: PoBroadcastSystemState+B4j
		mov	eax, [esi+4]
		lea	ecx, [esp+50h+var_28]
		mov	[esp+50h+var_38], eax
		mov	al, [edi+1Ah]
		mov	[esp+50h+var_34], ebx
		mov	byte ptr [esp+50h+var_34+2], al
		mov	al, [edi+18h]
		push	offset byte_401802
		mov	byte ptr [esp+54h+var_34], dl
		xor	edx, edx
		mov	byte ptr [esp+54h+var_34+1], al
		inc	edx
		push	1224h
		lea	eax, [esp+58h+var_38]
		mov	[esp+58h+var_24], ebx
		push	80008000h
		mov	[esp+5Ch+var_28], eax
		mov	[esp+5Ch+var_20], 8
		mov	[esp+5Ch+var_1C], ebx
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	dl, [esp+50h+var_41]
		jmp	loc_71E468
; 

loc_72954E:				; CODE XREF: PoBroadcastSystemState+D4j
		cmp	byte ptr [edi+1Ah], 3
		jnz	loc_71E488
		mov	byte ptr [esi+103h], 1
		jmp	loc_71E488
; 

loc_729564:				; CODE XREF: PoBroadcastSystemState+E3j
		or	ds:dword_6C2314, 200000h
		mov	ebx, [edi+14h]
		jmp	loc_71E497
; 

loc_729576:				; CODE XREF: PoBroadcastSystemState+EFj
		or	ds:dword_6C2314, 800000h
		jmp	loc_71E4A3
; 

loc_729585:				; CODE XREF: PoBroadcastSystemState+15Cj
		cmp	ds:_PopShutdownPowerOffPolicy, 0
		jnz	short loc_72959B
		cmp	ds:dword_6C26F0, 0
		jz	loc_71E510

loc_72959B:				; CODE XREF: PoBroadcastSystemState+B1DEj
		mov	[esp+50h+var_40], ebx
		jmp	loc_71E527
; 

loc_7295A4:				; CODE XREF: PoBroadcastSystemState+16Aj
		cmp	eax, 3
		jnz	loc_71E527
		jmp	loc_71E51E
; 

loc_7295B2:				; CODE XREF: PoBroadcastSystemState+29Bj
		mov	dl, 1
		xor	ecx, ecx
		call	IoConfigureCrashDump
		test	byte ptr ds:_PopShutdownCleanly, 10h
		jz	short loc_7295CC
		xor	ecx, ecx
		inc	ecx
		call	_ObShutdownSystem@4 ; ObShutdownSystem(x)

loc_7295CC:				; CODE XREF: PoBroadcastSystemState+B214j
		push	1
		call	_MmShutdownSystem@4 ; MmShutdownSystem(x)
		jmp	loc_71E530
; 

loc_7295D8:				; CODE XREF: PoBroadcastSystemState+1C7j
		mov	eax, [esi+0FCh]
		mov	[esp+50h+var_41], 1
		mov	[esp+50h+var_40], eax
		test	eax, eax
		jz	short loc_72961D
		cmp	dword ptr [edi+0Ch], 1
		jnz	short loc_72961D
		mov	ecx, [edi+10h]
		xor	ebx, ebx
		mov	edx, [esi+4]
		push	ebx
		call	PopMapInternalActionToIrpAction
		cmp	eax, 7
		jnz	short loc_72960B
		mov	ecx, [esi+20h]
		mov	ebx, [ecx]
		jmp	short loc_729610
; 

loc_72960B:				; CODE XREF: PoBroadcastSystemState+B254j
		cmp	[edi+14h], ebx
		jl	short loc_72961D

loc_729610:				; CODE XREF: PoBroadcastSystemState+B25Bj
		push	[esp+50h+var_40]
		mov	edx, ebx
		mov	ecx, eax
		call	_IoNotifyPowerOperationVetoed@12 ; IoNotifyPowerOperationVetoed(x,x,x)

loc_72961D:				; CODE XREF: PoBroadcastSystemState+B23Bj
					; PoBroadcastSystemState+B241j	...
		mov	ebx, [esp+50h+var_3C]
		test	ebx, ebx
		jz	loc_71E586
		mov	ecx, [esi+0FCh]
		call	_PopDirectedDripsNotifyTransitionFailed@4 ; PopDirectedDripsNotifyTransitionFailed(x)
		jmp	loc_71E586
; 

loc_729639:				; CODE XREF: PoBroadcastSystemState+1DFj
		call	_PopFxIdleDevicesFromSx@4 ; PopFxIdleDevicesFromSx(x)
		jmp	loc_71E593
; 

loc_729643:				; CODE XREF: PoBroadcastSystemState+203j
		cmp	byte ptr [edi+1Ah], 2
		jnz	loc_71E5B7
		push	offset ??_C@_0CK@OKBBFLMB@po?3?5POP_WAKE_DEVICE_AFTER_SLEEP@OKHAJAOM@
		call	_DbgPrint
		mov	dl, 1
		mov	dword ptr [esi+0F8h], 0C0000001h
		pop	ecx
		mov	[esp+50h+var_41], dl
		jmp	loc_71E5BB
; 

loc_72966D:				; CODE XREF: PoBroadcastSystemState+2EFj
		xor	ecx, ecx
		inc	ecx
		call	_PopFxActivateDevicesForSx@4 ; PopFxActivateDevicesForSx(x)
		jmp	loc_71E6A3
; 

loc_72967A:				; CODE XREF: PoBroadcastSystemState+49Aj
		or	[esp+54h+var_30], 0FFFFFFFFh
		lea	eax, [esp+54h+var_34]
		push	eax
		xor	ebx, ebx
		mov	[esp+58h+var_34], 0FD050F80h
		push	ebx
		push	ebx
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		push	ebx
		push	ebx
		push	1
		jmp	short loc_7296B8
; 

loc_72969B:				; CODE XREF: PoBroadcastSystemState+386j
		or	[esp+58h+var_34], 0FFFFFFFFh
		lea	eax, [esp+58h+var_38]
		push	eax
		push	ebx
		push	ebx
		mov	[esp+64h+var_38], 0FD050F80h
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		push	ebx
		push	ebx
		push	2

loc_7296B8:				; CODE XREF: PoBroadcastSystemState+B2EBj
		push	0Ah
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_7296C4:				; CODE XREF: PoBroadcastSystemState+225j
		mov	eax, [esi+0F8h]
		lea	ecx, [esp+6Ch+var_34]
		and	[esp+6Ch+var_30], 0
		xor	edx, edx
		and	[esp+6Ch+var_28], 0
		inc	edx
		push	offset byte_401802
		mov	[esp+70h+var_5C], eax
		lea	eax, [esp+70h+var_5C]
		push	1225h
		push	80008000h
		mov	[esp+78h+var_34], eax
		mov	[esp+78h+var_2C], 4
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_71E5D9
; END OF FUNCTION CHUNK	FOR PoBroadcastSystemState
; 
; START	OF FUNCTION CHUNK FOR PopNotifyDevice

loc_729708:				; CODE XREF: PopNotifyDevice+2Bj
		xor	al, al
		jmp	loc_71E943
; 

loc_72970F:				; CODE XREF: PopNotifyDevice+4Aj
		mov	eax, [ebp+var_C]
		mov	ecx, [eax]
		cmp	ecx, [edi+20h]
		jnz	loc_71E960
		cmp	byte ptr [esi],	2
		jnz	loc_71E960
		and	dword ptr [eax], 0
		mov	ebx, [esi+4]
		jmp	loc_71E960
; 

loc_729731:				; CODE XREF: PopNotifyDevice+B6j
		mov	ecx, [edi+18h]
		push	edx
		mov	edx, edi
		call	_PopLogNotifyDevice@12 ; PopLogNotifyDevice(x,x,x)
		jmp	loc_71E9CC
; END OF FUNCTION CHUNK	FOR PopNotifyDevice
; 
; START	OF FUNCTION CHUNK FOR PopSetDevicesSystemState

loc_729741:				; CODE XREF: PopSetDevicesSystemState+47j
		mov	eax, ds:dword_6C26E0
		mov	[ebp+var_18], eax
		jmp	loc_71FBBE
; END OF FUNCTION CHUNK	FOR PopSetDevicesSystemState
; 
; START	OF FUNCTION CHUNK FOR PfPowerActionNotify

loc_72974E:				; CODE XREF: PfPowerActionNotify+78j
		push	esi
		push	ds:dword_6D4890
		mov	ecx, ebx
		push	ebx
		push	2
		pop	edx
		call	_PfpLogScenarioEvent@20	; PfpLogScenarioEvent(x,x,x,x,x)
		jmp	loc_71FC23
; 

loc_729765:				; CODE XREF: PfPowerActionNotify+103j
		mov	eax, ds:dword_6D46B4
		jmp	loc_71FD12
; END OF FUNCTION CHUNK	FOR PfPowerActionNotify
; 
; START	OF FUNCTION CHUNK FOR ExUpdateSystemTimeFromCmos

loc_72976F:				; CODE XREF: ExUpdateSystemTimeFromCmos+41j
		mov	edx, ds:_ExpMaxTimeSeperationBeforeCorrect
		jmp	loc_71FE67
; 

loc_72977A:				; CODE XREF: ExUpdateSystemTimeFromCmos+7Fj
		mov	esi, [esp+44h+var_2C]
		mov	edi, [esp+44h+var_28]
		jmp	loc_71FEBC
; END OF FUNCTION CHUNK	FOR ExUpdateSystemTimeFromCmos
; 
; START	OF FUNCTION CHUNK FOR ExpSetSystemTime

loc_729787:				; CODE XREF: ExpSetSystemTime+3Bj
		mov	eax, [ebp+arg_8]
		mov	[esp+30h+var_20], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+30h+var_1C], eax
		jmp	loc_71FF83
; 

loc_72979A:				; CODE XREF: ExpSetSystemTime+66j
		xor	cl, cl
		call	_ExpRefreshTimeZoneInformation@4 ; ExpRefreshTimeZoneInformation(x)
		cmp	ds:_ExpSystemIsInCmosMode, 0
		jnz	loc_71FFA0
		cmp	ds:_ExpRealTimeIsUniversal, 0
		jnz	short loc_7297C7
		lea	eax, [esp+30h+var_20]
		push	eax
		lea	eax, [ebp+arg_8]
		push	eax
		call	_ExSystemTimeToLocalTime@8 ; ExSystemTimeToLocalTime(x,x)
		jmp	short loc_7297D5
; 

loc_7297C7:				; CODE XREF: ExpSetSystemTime+9881j
		mov	eax, [ebp+arg_8]
		mov	[esp+30h+var_20], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+30h+var_1C], eax

loc_7297D5:				; CODE XREF: ExpSetSystemTime+9891j
		lea	eax, [esp+30h+var_14]
		push	eax
		lea	eax, [esp+34h+var_20]
		push	eax
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		lea	eax, [esp+30h+var_14]
		push	eax
		call	ds:__imp__HalSetRealTimeClock@4	; HalSetRealTimeClock(x)
		jmp	loc_71FFA0
; END OF FUNCTION CHUNK	FOR ExpSetSystemTime
; 
; START	OF FUNCTION CHUNK FOR PfpScenCtxPrefetchWait

loc_7297F4:				; CODE XREF: PfpScenCtxPrefetchWait+7Fj
		mov	edi, [ebp+arg_0]
		sub	edi, [ebp+var_4]
		mov	[ebp+var_C], 2
		jmp	short loc_729812
; 

loc_729803:				; CODE XREF: PfpScenCtxPrefetchWait+87j
		test	edi, edi
		jz	loc_72007B
		and	[ebp+var_8], 0
		mov	[ebp+var_C], edx

loc_729812:				; CODE XREF: PfpScenCtxPrefetchWait+983Fj
		and	ecx, 0FFFFFFF7h
		mov	eax, esi
		or	ecx, 4
		mov	[ebx+4], ecx
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_72982E
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_72982E:				; CODE XREF: PfpScenCtxPrefetchWait+9863j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	esi
		push	0FFFFD8F0h
		push	0
		push	edi
		call	__allmul
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], edx
		call	_PFP_GET_CURRENT_TICK_COUNT_MS@0 ; PFP_GET_CURRENT_TICK_COUNT_MS()
		mov	ebx, eax
		lea	eax, [ebp+var_28]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+var_1C]
		call	KeWaitForSingleObject
		mov	edi, eax
		call	_PFP_GET_CURRENT_TICK_COUNT_MS@0 ; PFP_GET_CURRENT_TICK_COUNT_MS()
		mov	ecx, [ebp+var_4]
		sub	eax, ebx
		add	ecx, eax
		mov	[ebp+var_4], ecx
		cmp	edi, 102h
		jz	short loc_729890
		cmp	ecx, [ebp+arg_0]
		jnb	short loc_729890
		cmp	[ebp+var_C], 2
		jz	loc_720072
		jmp	short loc_729897
; 

loc_729890:				; CODE XREF: PfpScenCtxPrefetchWait+98BBj
					; PfpScenCtxPrefetchWait+98C0j
		mov	[ebp+var_10], 1

loc_729897:				; CODE XREF: PfpScenCtxPrefetchWait+98CCj
		mov	ebx, [ebp+var_14]
		mov	edi, [ebp+var_8]
		jmp	loc_71FFFA
; END OF FUNCTION CHUNK	FOR PfpScenCtxPrefetchWait
; 
; START	OF FUNCTION CHUNK FOR PfpStartLoggingHardFaultEvents

loc_7298A2:				; CODE XREF: PfpStartLoggingHardFaultEvents+1Dj
		mov	ebx, 0C000009Ah
		jmp	loc_720120
; 

loc_7298AC:				; CODE XREF: PfpStartLoggingHardFaultEvents+5Fj
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_7200EE
; END OF FUNCTION CHUNK	FOR PfpStartLoggingHardFaultEvents
; 
; START	OF FUNCTION CHUNK FOR PopQpcTimeInMs

loc_7298BB:				; CODE XREF: PopQpcTimeInMs+34j
		push	esi
		push	3E8h
		push	ds:dword_70ED2C
		push	ds:_PopQpcFrequency
		call	__aulldiv
		push	edx
		push	eax
		push	ebx
		push	edi
		jmp	loc_720344
; END OF FUNCTION CHUNK	FOR PopQpcTimeInMs
; 
; START	OF FUNCTION CHUNK FOR PopTransitionToSleep

loc_7298DB:				; CODE XREF: PopTransitionToSleep+2Ej
		cmp	edi, 6
		jz	loc_7205C0
		push	1
		push	ebx
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esi+10h]
		push	eax
		call	KeWaitForSingleObject
		mov	edx, ds:dword_6C26F8
		mov	ecx, edi
		call	PopInvokeSystemStateHandler
		jmp	loc_72069A
; 

loc_72990C:				; CODE XREF: PopTransitionToSleep+3Bj
		push	1
		push	ebx
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esi+10h]
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, ebx
		jmp	loc_72069C
; 

loc_729929:				; CODE XREF: PopTransitionToSleep+7Cj
		call	_MmEmptyAllWorkingSets@0 ; MmEmptyAllWorkingSets()
		mov	bl, 1
		mov	bh, bl
		jmp	short loc_729939
; 

loc_729934:				; CODE XREF: PopTransitionToSleep+9Fj
		call	_MmTrimFilePagesFromWorkingSets@0 ; MmTrimFilePagesFromWorkingSets()

loc_729939:				; CODE XREF: PopTransitionToSleep+93A6j
		mov	eax, [ebp+var_8]
		or	eax, 1
		jmp	loc_72063D
; 

loc_729944:				; CODE XREF: PopTransitionToSleep+89j
		cmp	ds:_PopEnableMinimalHiberFile, 0
		jz	loc_72061B

loc_729951:				; CODE XREF: PopTransitionToSleep+96j
		call	_MmEmptyAllWorkingSets@0 ; MmEmptyAllWorkingSets()
		mov	eax, [ebp+var_8]
		mov	bl, 1
		mov	bh, bl
		or	eax, 4
		jmp	loc_72063D
; END OF FUNCTION CHUNK	FOR PopTransitionToSleep
; 
; START	OF FUNCTION CHUNK FOR BgkResumePrepare

loc_729965:				; CODE XREF: BgkResumePrepare+1Bj
		call	BgkpUnlockBgfxCodeSection
		jmp	loc_720CBA
; END OF FUNCTION CHUNK	FOR BgkResumePrepare
; 
; START	OF FUNCTION CHUNK FOR PopAllocateOwnMemory

loc_72996F:				; CODE XREF: PopAllocateOwnMemory+26j
		mov	dword ptr [ebx+80h], 0C000009Ah
		jmp	loc_720F47
; END OF FUNCTION CHUNK	FOR PopAllocateOwnMemory
; 
; START	OF FUNCTION CHUNK FOR MiMarkHiberNotCachedPte

loc_72997E:				; CODE XREF: MiMarkHiberNotCachedPte+88j
		mov	ecx, [ebp+arg_8]
		mov	eax, 200h
		cmp	ecx, 1
		jle	loc_721306
		dec	ecx

loc_729990:				; CODE XREF: MiMarkHiberNotCachedPte+872Aj
		shl	eax, 9
		sub	ecx, 1
		jnz	short loc_729990
		jmp	loc_721302
; END OF FUNCTION CHUNK	FOR MiMarkHiberNotCachedPte
; 
; START	OF FUNCTION CHUNK FOR PopMarkComponentsBootPhase

loc_72999D:				; CODE XREF: PopMarkComponentsBootPhase+F1j
		push	offset _KdpContext
		call	ds:__imp__KdSetHiberRange@4 ; KdSetHiberRange(x)
		mov	esi, ebx
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	loc_721411

loc_7299B6:				; CODE XREF: PopMarkComponentsBootPhase+86C4j
		mov	eax, ds:_KdLogBuffer[esi*4]
		test	eax, eax
		jz	short loc_7299D7
		push	626C644Bh
		push	1000h
		push	eax
		push	10000h
		push	ebx
		call	PoSetHiberRange

loc_7299D7:				; CODE XREF: PopMarkComponentsBootPhase+86A5j
		inc	esi
		cmp	esi, ds:_KeNumberProcessors
		jb	short loc_7299B6
		jmp	loc_721411
; 

loc_7299E5:				; CODE XREF: PopMarkComponentsBootPhase+FEj
		mov	esi, 72696656h
		cmp	ds:_ViTrackIrqlQueue, ebx
		jz	short loc_729A0D
		mov	eax, ds:_ViTrackIrqlQueueLength
		push	esi
		shl	eax, 5
		push	eax
		push	ds:_ViTrackIrqlQueue
		push	10000h
		push	ebx
		call	PoSetHiberRange

loc_729A0D:				; CODE XREF: PopMarkComponentsBootPhase+86D6j
		call	_VfIsVerifierExtensionEnabled@0	; VfIsVerifierExtensionEnabled()
		cmp	eax, 1
		jnz	loc_72141E
		mov	eax, ds:_ViFnExtensionHiberFunc
		test	eax, eax
		jz	loc_72141E
		push	esi
		push	ebx
		push	eax
		push	10000h
		push	ebx
		call	PoSetHiberRange
		jmp	loc_72141E
; 

loc_729A3B:				; CODE XREF: PopMarkComponentsBootPhase+127j
		push	6E72654Bh
		push	0Ch
		push	esi
		push	10000h
		push	ebx
		call	PoSetHiberRange
		push	dword ptr [esi+8]
		call	dword ptr [esi]
		jmp	loc_721447
; END OF FUNCTION CHUNK	FOR PopMarkComponentsBootPhase
; 
; START	OF FUNCTION CHUNK FOR MiMarkNonPagedHiberPhasePte

loc_729A58:				; CODE XREF: MiMarkNonPagedHiberPhasePte+B7j
					; MiMarkNonPagedHiberPhasePte+85CEj
		shl	eax, 9
		sub	ecx, 1
		jnz	short loc_729A58
		jmp	loc_721520
; END OF FUNCTION CHUNK	FOR MiMarkNonPagedHiberPhasePte
; 
; START	OF FUNCTION CHUNK FOR KeMarkHiberPhase

loc_729A65:				; CODE XREF: KeMarkHiberPhase+1D4j
		mov	ecx, ds:0FFDF0600h
		mov	eax, ds:_KiIptSaveAreaLength
		sub	ecx, ds:0FFDF03E8h
		add	eax, 40h
		push	7373654Bh
		add	eax, ecx
		push	eax
		push	edx
		push	edi
		push	esi
		call	PoSetHiberRange
		jmp	loc_72172E
; END OF FUNCTION CHUNK	FOR KeMarkHiberPhase
; 
; START	OF FUNCTION CHUNK FOR PopCloneRange

loc_729A8E:				; CODE XREF: PopCloneRange+D4j
		push	70616D48h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7218D1
; 

loc_729A9E:				; CODE XREF: PopCloneRange+F8j
		cmp	dword ptr [ebx+80h], 0
		jl	loc_72191D
		mov	dword ptr [ebx+80h], 0C000009Ah
		jmp	loc_72191D
; END OF FUNCTION CHUNK	FOR PopCloneRange
; 
; START	OF FUNCTION CHUNK FOR PopAllocatePages

loc_729ABA:				; CODE XREF: PopAllocatePages+10j
					; PopAllocatePages+2Bj	...
		mov	ecx, ds:dword_6C26F8
		mov	dword ptr [ecx+80h], 0C000009Ah
		jmp	loc_721A4A
; END OF FUNCTION CHUNK	FOR PopAllocatePages
; 
; START	OF FUNCTION CHUNK FOR PopGetBitlockerKeyLocation

loc_729ACF:				; CODE XREF: PopGetBitlockerKeyLocation+BCj
		mov	esi, 0C000000Dh
		jmp	loc_721E8A
; 

loc_729AD9:				; CODE XREF: PopGetBitlockerKeyLocation+DFj
		mov	esi, 0C0000017h
		jmp	loc_721E8A
; 

loc_729AE3:				; CODE XREF: PopGetBitlockerKeyLocation+120j
		add	ecx, 10h
		mov	[ebp+var_24], 30h
		mov	[ebp+var_20], ebx
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		cmp	ax, word ptr [ebp+var_24]
		jb	short loc_729B43
		mov	edi, eax
		mov	esi, ebx

loc_729AFF:				; CODE XREF: PopGetBitlockerKeyLocation+7DE8j
		movzx	edx, di
		cmp	di, 39h
		ja	short loc_729B3A
		push	0Ah
		mov	eax, esi
		pop	edx
		mul	edx
		push	0Ah
		mov	esi, eax
		mov	eax, ebx
		pop	edx
		mul	edx
		add	esi, edx
		mov	ebx, eax
		movzx	eax, di
		cdq
		add	ebx, eax
		adc	esi, edx
		add	ebx, 0FFFFFFD0h
		adc	esi, 0FFFFFFFFh
		add	ecx, 2
		movzx	eax, word ptr [ecx]
		mov	edi, eax
		mov	edx, eax
		cmp	ax, word ptr [ebp+var_24]
		jnb	short loc_729AFF

loc_729B3A:				; CODE XREF: PopGetBitlockerKeyLocation+7DB6j
		mov	edi, [ebp+var_2C]
		mov	[ebp+var_20], esi
		mov	esi, [ebp+var_28]

loc_729B43:				; CODE XREF: PopGetBitlockerKeyLocation+7DA9j
		test	dx, dx
		jz	short loc_729B52
		cmp	dx, 20h
		jnz	loc_721E76

loc_729B52:				; CODE XREF: PopGetBitlockerKeyLocation+7DF6j
		mov	ecx, [ebp+var_38]
		mov	eax, [ebp+var_20]
		mov	[ecx], ebx
		mov	[ecx+4], eax
		jmp	loc_721E7B
; END OF FUNCTION CHUNK	FOR PopGetBitlockerKeyLocation
; 
; START	OF FUNCTION CHUNK FOR PopGetHwConfigurationSignature

loc_729B62:				; CODE XREF: PopGetHwConfigurationSignature+C5j
		xor	ebx, ebx
		cmp	[ebp+var_20], 2
		setnz	bl
		dec	ebx
		and	ebx, 200h
		add	ebx, 204h
		jmp	loc_721F75
; END OF FUNCTION CHUNK	FOR PopGetHwConfigurationSignature
; 
; START	OF FUNCTION CHUNK FOR MiConvertHiberPhasePte

loc_729B7D:				; CODE XREF: MiConvertHiberPhasePte+65j
		mov	eax, ebx
		jmp	loc_72203A
; 

loc_729B84:				; CODE XREF: MiConvertHiberPhasePte+10Ej
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_729BA5
		cmp	byte ptr ds:word_6D07B8+1, 0
		mov	edx, 1
		jnz	loc_7220D4
		mov	ecx, edi
		or	ecx, edx
		jmp	short loc_729BC6
; 

loc_729BA5:				; CODE XREF: MiConvertHiberPhasePte+7BCBj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_7220D4
		mov	ecx, edi
		or	ecx, 1

loc_729BC6:				; CODE XREF: MiConvertHiberPhasePte+7BE3j
		or	ebx, 80000000h
		jmp	loc_7220D4
; 

loc_729BD1:				; CODE XREF: MiConvertHiberPhasePte+11Ej
		push	ebx
		push	ecx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_7220AD
; END OF FUNCTION CHUNK	FOR MiConvertHiberPhasePte
; 
; START	OF FUNCTION CHUNK FOR PopSystemIrpCompletion

loc_729BDF:				; CODE XREF: PopSystemIrpCompletion+47j
		mov	eax, [edi+18h]
		lea	ecx, [ebp+var_1C]
		and	[ebp+var_18], 0
		xor	edx, edx
		and	[ebp+var_10], 0
		inc	edx
		push	offset byte_401802
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_2C]
		push	1227h
		push	80008000h
		mov	[ebp+var_2C], edi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], 8
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	cl, [ebp+var_1D]
		jmp	loc_722131
; 

loc_729C1F:				; CODE XREF: PopSystemIrpCompletion+136j
		mov	eax, 400h
		lock or	[ecx], eax
		mov	ecx, edi
		call	_PopDiagTraceIrpPended@4 ; PopDiagTraceIrpPended(x)
		push	esi
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		mov	cl, [ebp+var_1D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_7221B6
; 

loc_729C42:				; CODE XREF: PopSystemIrpCompletion+78j
		mov	ecx, edi
		call	_IoFindDeviceThatFailedIrp@4 ; IoFindDeviceThatFailedIrp(x)
		mov	[ebp+var_24], eax
		jmp	loc_722166
; END OF FUNCTION CHUNK	FOR PopSystemIrpCompletion
; 
; START	OF FUNCTION CHUNK FOR PopBuildDeviceNotifyList

loc_729C51:				; CODE XREF: PopBuildDeviceNotifyList+A5j
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_10]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_7222CB
; END OF FUNCTION CHUNK	FOR PopBuildDeviceNotifyList
; 
; START	OF FUNCTION CHUNK FOR IoBuildPoDeviceNotifyList

loc_729C63:				; CODE XREF: IoBuildPoDeviceNotifyList+1ECj
		mov	esi, [ecx-4]
		mov	bl, [esi+1Ch]
		test	bl, 2
		jnz	short loc_729C76
		or	bl, 2
		mov	bh, 1
		mov	[esi+1Ch], bl

loc_729C76:				; CODE XREF: IoBuildPoDeviceNotifyList+799Cj
		mov	ecx, [ecx]
		jmp	loc_7224BA
; 

loc_729C7D:				; CODE XREF: IoBuildPoDeviceNotifyList+26Ej
		mov	byte ptr [edi+78h], 2
		jmp	loc_722506
; 

loc_729C86:				; CODE XREF: IoBuildPoDeviceNotifyList+29Cj
		mov	[ecx+78h], al
		jmp	loc_722572
; 

loc_729C8E:				; CODE XREF: IoBuildPoDeviceNotifyList+2FFj
		mov	bh, 1
		mov	[esi+1Ch], bl
		jmp	loc_7225D5
; 

loc_729C98:				; CODE XREF: IoBuildPoDeviceNotifyList+336j
		mov	eax, [ebp+var_14]
		lea	ecx, [ebp+var_18]
		cmp	[eax], ecx
		jnz	loc_722719
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[ebp+var_14], edi
		jmp	loc_722680
; END OF FUNCTION CHUNK	FOR IoBuildPoDeviceNotifyList
; 
; START	OF FUNCTION CHUNK FOR IopIsNotifyInBroadcast

loc_729CB5:				; CODE XREF: IopIsNotifyInBroadcast+3j
		push	esi
		xor	esi, esi
		add	edx, 4Ch
		mov	eax, [edx]

loc_729CBD:				; CODE XREF: IopIsNotifyInBroadcast+75A7j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_729CBD
		shr	eax, 8
		and	al, 1
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR IopIsNotifyInBroadcast
; 
; START	OF FUNCTION CHUNK FOR PopFlushVolumes

loc_729CCE:				; CODE XREF: PopFlushVolumes+58j
		push	2
		pop	ebx
		jmp	loc_722A06
; 

loc_729CD6:				; CODE XREF: PopFlushVolumes+65j
		mov	ebx, ds:_PopFlushPolicy
		jmp	loc_7229FE
; 

loc_729CE1:				; CODE XREF: PopFlushVolumes+79j
		mov	byte ptr [ebp+var_2C], 1
		jmp	loc_722A0F
; 

loc_729CEA:				; CODE XREF: PopFlushVolumes+82j
		mov	byte ptr [ebp+var_2C+1], 1
		jmp	loc_722A18
; 

loc_729CF3:				; CODE XREF: PopFlushVolumes+157j
		mov	ecx, [ebp+var_48]
		jmp	loc_729D7E
; 

loc_729CFB:				; CODE XREF: PopFlushVolumes+73F3j
		mov	edi, [ecx-1Ch]
		mov	edx, ecx
		mov	ecx, [ecx]
		test	byte ptr [edi+20h], 1
		jnz	short loc_729D7E
		mov	eax, [edi+24h]
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	short loc_729D18
		test	byte ptr [eax+20h], 1
		jnz	short loc_729D7E

loc_729D18:				; CODE XREF: PopFlushVolumes+7380j
		test	bl, 10h
		jz	short loc_729D45
		mov	edi, [edi+1Ch]
		test	edi, 200000h
		jz	short loc_729D30
		test	edi, 100h
		jz	short loc_729D7E

loc_729D30:				; CODE XREF: PopFlushVolumes+7396j
		test	eax, eax
		jz	short loc_729D45
		mov	eax, [eax+1Ch]
		test	eax, 200000h
		jz	short loc_729D45
		test	eax, 100h
		jz	short loc_729D7E

loc_729D45:				; CODE XREF: PopFlushVolumes+738Bj
					; PopFlushVolumes+73A2j ...
		cmp	[ecx+4], edx
		jnz	loc_722B7A
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	loc_722B7A
		mov	[eax], ecx
		mov	edi, offset _PopVolumeDevices
		mov	[ecx+4], eax
		mov	eax, ds:dword_6C2B84
		cmp	[eax], edi
		jnz	loc_722B7A
		mov	[edx], edi
		dec	esi
		mov	[edx+4], eax
		mov	[eax], edx
		mov	ds:dword_6C2B84, edx

loc_729D7E:				; CODE XREF: PopFlushVolumes+7366j
					; PopFlushVolumes+7376j ...
		lea	eax, [ebp+var_48]
		cmp	ecx, eax
		jnz	loc_729CFB
		jmp	loc_722AED
; 

loc_729D8E:				; CODE XREF: PopFlushVolumes+1B5j
		mov	ecx, ebx
		call	ExAcquireFastMutex
		sub	[ebp+var_40], esi
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_722B55
; END OF FUNCTION CHUNK	FOR PopFlushVolumes
; 
; START	OF FUNCTION CHUNK FOR PopFlushVolumeWorker

loc_729DA4:				; CODE XREF: PopFlushVolumeWorker+124j
		mov	ecx, [esp+240h+var_230]
		lea	edx, [esp+240h+var_22C]
		call	_PopFlushAndHold@8 ; PopFlushAndHold(x,x)
		jmp	loc_722CC9
; 

loc_729DB6:				; CODE XREF: PopFlushVolumeWorker+131j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset loc_53C004
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[esp+264h+var_230]
		call	_NtDeviceIoControlFile@40 ; NtDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		jmp	loc_722CC9
; END OF FUNCTION CHUNK	FOR PopFlushVolumeWorker
; 
; START	OF FUNCTION CHUNK FOR PopHandleWakeSources

loc_729DD1:				; CODE XREF: PopHandleWakeSources+5Cj
		test	ds:_PopSimulate, 100000h
		jnz	loc_722D72
		push	4
		jmp	short loc_729DE7
; 

loc_729DE5:				; CODE XREF: PopHandleWakeSources+4Cj
		push	2

loc_729DE7:				; CODE XREF: PopHandleWakeSources+70D3j
		pop	edi
		jmp	short loc_729DED
; 

loc_729DEA:				; CODE XREF: PopHandleWakeSources+37j
		xor	edi, edi
		inc	edi

loc_729DED:				; CODE XREF: PopHandleWakeSources+70D8j
		mov	[ebp+var_8], edi
		jmp	loc_722D72
; 

loc_729DF5:				; CODE XREF: PopHandleWakeSources+89j
		push	0
		push	0
		push	offset _PopWakeSourceAvailable
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_722DD4
; 

loc_729E08:				; CODE XREF: PopHandleWakeSources+91j
		mov	eax, ds:dword_6C2718
		test	eax, eax
		js	short loc_729E21
		cmp	eax, 3
		jnb	short loc_729E21
		imul	eax, 18h
		mov	ebx, ds:dword_6C2730[eax]
		jmp	short loc_729E23
; 

loc_729E21:				; CODE XREF: PopHandleWakeSources+70FFj
					; PopHandleWakeSources+7104j
		xor	ebx, ebx

loc_729E23:				; CODE XREF: PopHandleWakeSources+710Fj
		push	4
		pop	eax
		cmp	edi, eax
		jnz	short loc_729E46
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_729E49
		cmp	ebx, 0FFFFFFFEh
		jz	short loc_729E49
		cmp	ebx, 0FFFFFFFDh
		jz	short loc_729E49
		xor	eax, eax
		cmp	byte ptr [ebp+var_1], al
		setnz	al
		add	eax, 2
		jmp	short loc_729E49
; 

loc_729E46:				; CODE XREF: PopHandleWakeSources+7118j
		xor	eax, eax
		inc	eax

loc_729E49:				; CODE XREF: PopHandleWakeSources+711Dj
					; PopHandleWakeSources+7122j ...
		mov	ecx, eax
		call	_PopNewWakeSource@4 ; PopNewWakeSource(x)
		lea	ecx, [ebp+var_14]
		mov	edi, eax
		call	_PopAcquireWakeSourceSpinLock@4	; PopAcquireWakeSourceSpinLock(x)
		and	ds:_PopCurrentWakeInfo,	0
		lea	ecx, [ebp+var_14]
		call	PopReleaseWakeSourceSpinLock
		mov	ecx, esi
		call	_PopUnlinkWakeSources@4	; PopUnlinkWakeSources(x)
		test	edi, edi
		jz	short loc_729ED3
		mov	eax, [edi+8]
		push	2
		pop	ecx
		cmp	eax, ecx
		jz	short loc_729EAE
		cmp	eax, 3
		jz	short loc_729EAE
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_729E8E
		and	dword ptr [edi+0Ch], 0
		jmp	short loc_729EB8
; 

loc_729E8E:				; CODE XREF: PopHandleWakeSources+7176j
		cmp	ebx, 0FFFFFFFEh
		jnz	short loc_729E9C
		mov	dword ptr [edi+0Ch], 1
		jmp	short loc_729EB8
; 

loc_729E9C:				; CODE XREF: PopHandleWakeSources+7181j
		cmp	ebx, 0FFFFFFFDh
		jnz	short loc_729EA6
		mov	[edi+0Ch], ecx
		jmp	short loc_729EB8
; 

loc_729EA6:				; CODE XREF: PopHandleWakeSources+718Fj
		mov	eax, [ebp+var_8]
		mov	[edi+0Ch], eax
		jmp	short loc_729EB8
; 

loc_729EAE:				; CODE XREF: PopHandleWakeSources+716Cj
					; PopHandleWakeSources+7171j
		lea	edx, [edi+0Ch]
		mov	ecx, ebx
		call	_ExCopyWakeTimerInfo@8 ; ExCopyWakeTimerInfo(x,x)

loc_729EB8:				; CODE XREF: PopHandleWakeSources+717Cj
					; PopHandleWakeSources+718Aj ...
		lea	eax, [esi+0Ch]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_729F10
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		mov	dword ptr [esi+14h], 1

loc_729ED3:				; CODE XREF: PopHandleWakeSources+7162j
		lea	ecx, [ebp+var_14]
		call	_PopAcquireWakeSourceSpinLock@4	; PopAcquireWakeSourceSpinLock(x)
		mov	eax, ds:dword_6C344C
		mov	ecx, offset _PopWakeInfoList
		cmp	[eax], ecx
		jnz	short loc_729F10
		inc	ds:_PopWakeInfoCount
		mov	[esi], ecx
		lea	ecx, [ebp+var_14]
		mov	[esi+4], eax
		mov	[eax], esi
		mov	ds:dword_6C344C, esi
		call	PopReleaseWakeSourceSpinLock
		mov	ecx, esi
		call	PopFinalizeWakeInfo
		jmp	loc_722DD4
; 

loc_729F10:				; CODE XREF: PopHandleWakeSources+71B0j
					; PopHandleWakeSources+71D7j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_729F15:				; CODE XREF: PopNewWakeInfo+62j
		mov	ecx, ds:_PopWakeInfoList
		cmp	[ecx+4], edx
		jnz	short loc_729F94
		inc	ds:_PopWakeInfoCount
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[ecx+4], eax
		mov	ds:_PopWakeInfoList, eax
		mov	ds:_PopPendingWakeInfo,	edi
		jmp	loc_722E42
; END OF FUNCTION CHUNK	FOR PopHandleWakeSources
; 
; START	OF FUNCTION CHUNK FOR PopNewWakeInfo

loc_729F3E:				; CODE XREF: PopNewWakeInfo+6Fj
		mov	ecx, ds:_PopWakeInfoList
		cmp	[ecx+4], edx
		jnz	short loc_729F94
		inc	ds:_PopWakeInfoCount
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[ecx+4], eax
		mov	ds:_PopWakeInfoList, eax
		mov	ds:_PopCurrentWakeInfo,	edi
		jmp	loc_722E4F
; 

loc_729F67:				; CODE XREF: PopNewWakeInfo+86j
		mov	ecx, ds:dword_6C344C
		cmp	[ecx], edx
		jnz	short loc_729F94
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_729F94
		mov	ds:dword_6C344C, eax
		mov	[eax], edx
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		call	PopWakeInfoDereference
		dec	ds:_PopWakeInfoCount
		jmp	loc_722E66
; 

loc_729F94:				; CODE XREF: PopHandleWakeSources+720Ej
					; PopNewWakeInfo+716Dj	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_729F99:				; CODE XREF: PopValidateRTCWake+2Bj
					; PopValidateRTCWake+7145j ...
		mov	eax, ebx
		xor	edi, edi
		jmp	loc_722EF8
; END OF FUNCTION CHUNK	FOR PopNewWakeInfo
; 
; START	OF FUNCTION CHUNK FOR PopValidateRTCWake

loc_729FA2:				; CODE XREF: PopValidateRTCWake+38j
		xor	edx, edx
		lea	ecx, [ebp+var_38]
		call	_PopCurrentPowerStatePrecise@8 ; PopCurrentPowerStatePrecise(x,x)
		mov	eax, ds:dword_6C2D0C
		mov	ds:dword_6C2718, eax
		jmp	loc_722EC0
; 

loc_729FBB:				; CODE XREF: PopValidateRTCWake+69j
		cmp	ds:dword_6C272C, ecx
		jb	loc_722EF1
		ja	short loc_729F99
		cmp	ds:dword_6C2728, edx
		ja	short loc_729F99
		jmp	loc_722EF1
; 

loc_729FD6:				; CODE XREF: PopValidateRTCWake+94j
		mov	eax, ds:dword_6C2700
		mov	[ebp+var_C], eax
		mov	eax, ds:dword_6C2704
		mov	[ebp+var_8], eax
		call	_PopCalculateWakeTimeAdjustment@0 ; PopCalculateWakeTimeAdjustment()
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_14]
		imul	eax, 2710h
		sub	edx, eax
		mov	eax, ecx
		sbb	[ebp+var_8], 0
		add	eax, 0FA0A1F00h
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_10]
		adc	eax, 0FFFFFFFFh
		cmp	eax, [ebp+var_8]
		jb	short loc_72A029
		ja	short loc_72A019
		cmp	[ebp+var_C], edx
		jb	short loc_72A029

loc_72A019:				; CODE XREF: PopValidateRTCWake+7190j
		push	3
		pop	eax
		push	2
		mov	ds:dword_6C2718, eax
		mov	byte ptr [esi],	0
		pop	eax
		jmp	short loc_72A07B
; 

loc_72A029:				; CODE XREF: PopValidateRTCWake+718Ej
					; PopValidateRTCWake+7195j
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+var_10]
		jb	short loc_72A075
		ja	short loc_72A037
		cmp	edx, ecx
		jbe	short loc_72A075

loc_72A037:				; CODE XREF: PopValidateRTCWake+71AFj
		mov	eax, ds:_PopPendingUserPresenceDuringSystemSleep
		mov	ecx, 47868C00h
		and	[ebp+var_C], 0
		test	eax, eax
		jz	short loc_72A04E
		mov	ecx, 5F5E100h

loc_72A04E:				; CODE XREF: PopValidateRTCWake+71C5j
		mov	eax, edx
		sub	eax, [ebp+var_14]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_8]
		sbb	eax, [ebp+var_10]
		cmp	eax, [ebp+var_C]
		jb	short loc_72A075
		ja	short loc_72A068
		cmp	[ebp+var_14], ecx
		jb	short loc_72A075

loc_72A068:				; CODE XREF: PopValidateRTCWake+71DFj
		push	3
		pop	eax
		mov	ds:dword_6C2718, eax
		mov	byte ptr [esi],	0
		jmp	short loc_72A07B
; 

loc_72A075:				; CODE XREF: PopValidateRTCWake+71ADj
					; PopValidateRTCWake+71B3j ...
		mov	eax, [ebp+var_18]
		mov	[ebp+var_1], bl

loc_72A07B:				; CODE XREF: PopValidateRTCWake+71A5j
					; PopValidateRTCWake+71F1j
		xor	ebx, ebx
		jmp	loc_722F2C
; END OF FUNCTION CHUNK	FOR PopValidateRTCWake
; 
; START	OF FUNCTION CHUNK FOR PfpScenCtxQueryScenarioInformation

loc_72A082:				; CODE XREF: PfpScenCtxQueryScenarioInformation+41j
		test	al, 4
		jnz	loc_722FE7
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_722FE7
; END OF FUNCTION CHUNK	FOR PfpScenCtxQueryScenarioInformation
; 
; START	OF FUNCTION CHUNK FOR PopHiberCheckResume

loc_72A096:				; CODE XREF: PopHiberCheckResume+86j
		call	_HvlRestoreEnlightenment@4 ; HvlRestoreEnlightenment(x)
		call	ds:off_6B131C	; xHalSaveAndDisableHvEnlightenment()
		jmp	loc_723092
; 

loc_72A0A6:				; CODE XREF: PopHiberCheckResume+9Aj
		mov	cl, 1
		call	_HvlConfigureMemoryZeroingOnReset@4 ; HvlConfigureMemoryZeroingOnReset(x)
		jmp	loc_7230A6
; 

loc_72A0B2:				; CODE XREF: PopHiberCheckResume+A6j
		cmp	ds:_KdPitchDebugger, bl
		jnz	loc_7230B2

loc_72A0BE:				; CODE XREF: PopHiberCheckResume+B2j
		push	ebx
		push	ebx
		mov	ds:_KdDebuggerEnabled, bl
		call	KdInitSystem
		jmp	loc_7230BE
; 

loc_72A0D0:				; CODE XREF: PopHiberCheckResume+BEj
		cmp	dword ptr [edi], 504B5242h
		jnz	loc_7230CA
		int	3		; Trap to Debugger
		jmp	loc_7230CA
; 

loc_72A0E2:				; CODE XREF: PopHiberCheckResume+CEj
		int	3		; Trap to Debugger
		jmp	loc_7230DA
; 

loc_72A0E8:				; CODE XREF: PopHiberCheckResume+EEj
		push	2Ch
		pop	eax
		mov	[esp+0E0h+var_BC], ax
		lea	edi, [esp+0E0h+var_A4]
		xor	eax, eax
		mov	[esp+0E0h+var_B0], ebx
		mov	[esp+0E0h+var_BA], ax
		lea	eax, [esp+0E0h+var_C0]
		mov	[esp+0E0h+var_A8], ebx
		mov	[esp+0E0h+var_AC], 4000h
		movsd
		push	1
		push	eax
		movsd
		movsd
		movsd
		mov	esi, [esp+0E8h+var_D0]
		mov	ecx, [esi+0A8h]
		mov	ecx, [ecx+4]
		call	_MmMapMemoryDumpMdlEx2@16 ; MmMapMemoryDumpMdlEx2(x,x,x,x)
		mov	eax, [esi+0A8h]
		mov	ecx, 4000h
		mov	eax, [eax+4]

loc_72A136:				; CODE XREF: PopHiberCheckResume+7136j
		mov	[eax], bl
		inc	eax
		sub	ecx, 1
		jnz	short loc_72A136
		mov	edi, [esp+0E0h+var_CC]
		jmp	loc_7230FA
; END OF FUNCTION CHUNK	FOR PopHiberCheckResume
; 
; START	OF FUNCTION CHUNK FOR PopDiagTracePostSleepNotification

loc_72A147:				; CODE XREF: PopDiagTracePostSleepNotification+46j
		mov	eax, edi
		jmp	loc_7231D6
; 

loc_72A14E:				; CODE XREF: PopDiagTracePostSleepNotification+4Fj
		mov	eax, ecx
		jmp	loc_7231D6
; 

loc_72A155:				; CODE XREF: PopDiagTracePostSleepNotification+58j
		push	6
		pop	eax
		jmp	loc_7231D6
; 

loc_72A15D:				; CODE XREF: PopDiagTracePostSleepNotification+6Aj
		mov	ecx, edi
		jmp	loc_7231F8
; 

loc_72A164:				; CODE XREF: PopDiagTracePostSleepNotification+78j
		push	6
		pop	ecx
		jmp	loc_7231F8
; 

loc_72A16C:				; CODE XREF: PopDiagTracePostSleepNotification+8Cj
		push	[ebp+arg_8]
		lea	ecx, [ebp+var_94]
		push	[ebp+arg_4]
		call	_PopDiagInterruptTimeToSystemTime@12 ; PopDiagInterruptTimeToSystemTime(x,x,x)
		jmp	loc_72320A
; 

loc_72A182:				; CODE XREF: PopDiagTracePostSleepNotification+98j
		push	[ebp+arg_10]
		lea	ecx, [ebp+var_9C]
		push	[ebp+arg_C]
		call	_PopDiagInterruptTimeToSystemTime@12 ; PopDiagInterruptTimeToSystemTime(x,x,x)
		jmp	loc_723216
; END OF FUNCTION CHUNK	FOR PopDiagTracePostSleepNotification
; 
; START	OF FUNCTION CHUNK FOR EtwTraceSystemTimeChange

loc_72A198:				; CODE XREF: EtwTraceSystemTimeChange+86j
		mov	ecx, [esp+110h+var_100]
		push	8
		pop	edx
		mov	[esp+110h+var_60], edx
		mov	eax, [ecx]
		mov	[esp+110h+var_E8], eax
		mov	eax, [ecx+4]
		xor	ecx, ecx
		mov	[esp+110h+var_E4], eax
		lea	eax, [esp+110h+var_E8]
		mov	[esp+110h+var_68], eax
		mov	eax, [ebx]
		mov	[esp+110h+var_E0], eax
		mov	eax, [ebx+4]
		mov	[esp+110h+var_DC], eax
		lea	eax, [esp+110h+var_E0]
		mov	[esp+110h+var_58], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+110h+var_FC], eax
		lea	eax, [esp+110h+var_FC]
		mov	[esp+110h+var_48], eax
		lea	eax, [esp+110h+var_20]
		mov	[esp+110h+var_38], eax
		mov	eax, [esi+4]
		mov	[esp+110h+var_28], eax
		movzx	eax, word ptr [esi]
		mov	[esp+110h+var_20], eax
		lea	eax, [esp+110h+var_F8]
		mov	[esp+110h+var_18], eax
		lea	eax, [esp+110h+var_88]
		push	eax
		push	edx
		push	ecx
		push	ecx
		push	(offset	loc_422F18+6)
		push	offset dword_6B2A40
		mov	[esp+128h+var_64], ecx
		mov	[esp+128h+var_5C], ecx
		mov	[esp+128h+var_54], ecx
		mov	[esp+128h+var_50], edx
		mov	[esp+128h+var_4C], ecx
		mov	[esp+128h+var_44], ecx
		mov	[esp+128h+var_40], 4
		mov	[esp+128h+var_3C], ecx
		mov	[esp+128h+var_34], ecx
		mov	[esp+128h+var_30], 2
		mov	[esp+128h+var_2C], ecx
		mov	[esp+128h+var_24], ecx
		mov	[esp+128h+var_1C], ecx
		mov	[esp+128h+var_F8], edi
		mov	[esp+128h+var_14], ecx
		mov	[esp+128h+var_10], 4
		mov	[esp+128h+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_723358
; END OF FUNCTION CHUNK	FOR EtwTraceSystemTimeChange
; 
; START	OF FUNCTION CHUNK FOR PfpScenCtxPrefetchStateSet

loc_72A2B6:				; CODE XREF: PfpScenCtxPrefetchStateSet+2Fj
		mov	eax, [esi+4]
		and	al, 0Ch
		cmp	al, 8
		jnz	loc_72344B
		mov	edi, 0C0000189h
		jmp	loc_723469
; 

loc_72A2CD:				; CODE XREF: PfpScenCtxPrefetchStateSet+40j
		push	edi
		push	1
		lea	eax, [esi+8]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [esi+4]
		and	ecx, 0FFFFFFF3h
		jmp	loc_72345C
; END OF FUNCTION CHUNK	FOR PfpScenCtxPrefetchStateSet
; 
; START	OF FUNCTION CHUNK FOR PfpScenCtxPrefetchAbortSet

loc_72A2E4:				; CODE XREF: PfpScenCtxPrefetchAbortSet+11j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		jmp	loc_723569
; 

loc_72A2FE:				; CODE XREF: PfpScenCtxPrefetchAbortSet+21j
		mov	eax, [esi+4]
		and	al, 0Ch
		cmp	al, 8
		jnz	loc_723579
		mov	edi, 0C0000189h
		jmp	loc_723587
; 

loc_72A315:				; CODE XREF: PfpScenCtxPrefetchAbortSet+37j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_72A329
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_72A329:				; CODE XREF: PfpScenCtxPrefetchAbortSet+6DCEj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_72358F
; END OF FUNCTION CHUNK	FOR PfpScenCtxPrefetchAbortSet
; 
; START	OF FUNCTION CHUNK FOR PopVerifierFlushMemoryBeforeSleep

loc_72A33A:				; CODE XREF: PopVerifierFlushMemoryBeforeSleep+32j
					; PopVerifierFlushMemoryBeforeSleep+6DB5j
		push	2
		pop	ecx
		call	MmPerformMemoryListCommand
		push	3
		pop	ecx
		call	MmPerformMemoryListCommand
		push	3
		pop	ecx
		call	MmPerformMemoryListCommand
		sub	esi, 1
		jnz	short loc_72A33A
		push	4
		pop	ecx
		call	MmPerformMemoryListCommand
		jmp	loc_7235C8
; END OF FUNCTION CHUNK	FOR PopVerifierFlushMemoryBeforeSleep
; 
; START	OF FUNCTION CHUNK FOR KeLoadMTRR

loc_72A364:				; CODE XREF: KeLoadMTRR+2Dj
		mov	ds:_KeMtrrComparisonFailed, 1
		jmp	loc_723627
; 

loc_72A370:				; CODE XREF: KeLoadMTRR+54j
		mov	ds:_KeMtrrComparisonFailed, 1
		jmp	loc_72364E
; 

loc_72A37C:				; CODE XREF: KeLoadMTRR+94j
		call	_KeFlushCurrentTbImmediately@0 ; KeFlushCurrentTbImmediately()
		jmp	loc_723698
; END OF FUNCTION CHUNK	FOR KeLoadMTRR
; 
; START	OF FUNCTION CHUNK FOR KiWriteFixedMtrr

loc_72A386:				; CODE XREF: KiWriteFixedMtrr+17j
		rdmsr
		mov	esi, eax
		mov	edi, edx
		and	esi, 0FFFBFFFFh
		or	esi, 80000h
		jmp	short loc_72A3BC
; 

loc_72A39A:				; CODE XREF: KiWriteFixedMtrr+2Aj
		rdmsr
		mov	esi, eax
		mov	edi, edx
		mov	ecx, esi
		and	ecx, 0C0000h
		or	ecx, 0
		jz	loc_723870
		and	esi, 0FFF3FFFFh
		mov	ecx, 0C0010010h

loc_72A3BC:				; CODE XREF: KiWriteFixedMtrr+6B58j
		mov	eax, esi
		wrmsr
		jmp	loc_723870
; 

loc_72A3C5:				; CODE XREF: KiWriteFixedMtrr+B5j
		and	esi, 0FFF7FFFFh
		mov	ecx, 0C0010010h
		or	esi, 40000h
		mov	edx, edi
		mov	eax, esi
		wrmsr
		jmp	loc_7238FB
; END OF FUNCTION CHUNK	FOR KiWriteFixedMtrr
; 
; START	OF FUNCTION CHUNK FOR KiReadFixedMtrr

loc_72A3E1:				; CODE XREF: KiReadFixedMtrr+17j
		rdmsr
		mov	esi, eax
		mov	edi, edx
		or	esi, 80000h
		jmp	short loc_72A409
; 

loc_72A3EF:				; CODE XREF: KiReadFixedMtrr+2Aj
		rdmsr
		mov	esi, eax
		mov	edi, edx
		and	eax, 0C0000h
		or	eax, 0
		jz	loc_723966
		and	esi, 0FFF3FFFFh

loc_72A409:				; CODE XREF: KiReadFixedMtrr+6AB7j
		mov	eax, esi
		wrmsr
		jmp	loc_723966
; 

loc_72A412:				; CODE XREF: KiReadFixedMtrr+B5j
		and	esi, 0FFF7FFFFh
		mov	ecx, 0C0010010h
		mov	eax, esi
		mov	edx, edi
		wrmsr
		jmp	loc_7239F1
; END OF FUNCTION CHUNK	FOR KiReadFixedMtrr
; 
; START	OF FUNCTION CHUNK FOR KiCheckMicrocode

loc_72A428:				; CODE XREF: KiCheckMicrocode+57j
		and	[esp+30h+var_20], 0
		lea	edi, [esp+30h+var_14]
		and	[esp+30h+var_24], 0
		mov	ecx, 8Bh
		rdmsr
		mov	[esp+30h+var_1C], eax
		xor	eax, eax
		inc	eax
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	ebx, [esp+30h+var_1C]
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		jmp	loc_723B4D
; 

loc_72A461:				; CODE XREF: KiCheckMicrocode+D7j
		mov	eax, [esp+30h+var_18]
		push	dword ptr [eax+3CCh]
		push	ebx
		push	ecx
		push	edi
		push	17Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_72A479:				; CODE XREF: PAGELK:00723EB6j
		test	ecx, 40000h
		jz	nullsub_7
		and	ecx, 0FFFBFFFFh
		mov	cr4, ecx
		retn
; END OF FUNCTION CHUNK	FOR KiCheckMicrocode
; 
; START	OF FUNCTION CHUNK FOR KiAdjustSimultaneousMultiThreadingCharacteristics

loc_72A48F:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+16Fj
		push	dword ptr [edi+344h]
		push	dword ptr [edi+340h]
		push	eax
		push	edi
		jmp	short loc_72A4AD
; 

loc_72A49F:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+1D6j
		push	dword ptr [esi+344h]
		push	dword ptr [esi+340h]
		push	eax
		push	esi

loc_72A4AD:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+5EA9j
		push	3Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_72A4B4:				; CODE XREF: KiAdjustSimultaneousMultiThreadingCharacteristics+210j
		cmp	byte ptr [edx+14h], 15h
		jg	loc_72480A
		cmp	dword ptr [edx+4010h], 4
		jb	loc_72480A
		movzx	eax, byte ptr [edx+3C5h]
		mov	ecx, [edx+338h]
		mov	eax, [edx+eax*4+401Ch]
		and	eax, [ecx+84h]
		mov	[edx+4044h], eax
		jmp	loc_72480A
; END OF FUNCTION CHUNK	FOR KiAdjustSimultaneousMultiThreadingCharacteristics
; 
; START	OF FUNCTION CHUNK FOR KiInitializePrcbContext

loc_72A4F0:				; CODE XREF: KiInitializePrcbContext+1Ej
		xor	bl, bl
		add	esi, 3Fh
		jmp	loc_724874
; 

loc_72A4FA:				; CODE XREF: KiInitializePrcbContext+42j
		mov	eax, 0C000009Ah
		jmp	loc_724916
; END OF FUNCTION CHUNK	FOR KiInitializePrcbContext
; 
; START	OF FUNCTION CHUNK FOR KiConfigureProcessorBlock

loc_72A504:				; CODE XREF: KiConfigureProcessorBlock+43j
		call	KiAdjustSimultaneousMultiThreadingCharacteristics
		mov	esi, [edi+84h]
		jmp	loc_7249BB
; END OF FUNCTION CHUNK	FOR KiConfigureProcessorBlock
; 
; START	OF FUNCTION CHUNK FOR KiStartWaitAcknowledge

loc_72A514:				; CODE XREF: KiStartWaitAcknowledge+Aj
		cmp	ds:_KiProcessorStartControl, 0FFh
		jz	short loc_72A527
		pause
		jmp	loc_724A10
; 

loc_72A527:				; CODE XREF: KiStartWaitAcknowledge+5B10j
		xor	al, al
		retn
; END OF FUNCTION CHUNK	FOR KiStartWaitAcknowledge
; 
; START	OF FUNCTION CHUNK FOR MmInitializeProcessor

loc_72A52A:				; CODE XREF: MmInitializeProcessor+57j
		mov	ecx, esi
		call	_MmDeleteProcessor@4 ; MmDeleteProcessor(x)

loc_72A531:				; CODE XREF: MmInitializeProcessor+26j
		xor	eax, eax
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR MmInitializeProcessor
; 
; START	OF FUNCTION CHUNK FOR KiCloneSelector

loc_72A535:				; CODE XREF: KiCloneSelector+53j
		shl	edx, 0Ch
		lea	eax, [edx-1]
		mov	word ptr [ebp+var_C+2],	ax
		movzx	eax, ax
		jmp	loc_727E73
; END OF FUNCTION CHUNK	FOR KiCloneSelector
; 
; START	OF FUNCTION CHUNK FOR KiShadowProcessorAllocation

loc_72A547:				; CODE XREF: KiShadowProcessorAllocation+598Cj
		mov	edx, 1000h
		lea	ecx, [edi+4EE0h]
		call	_MmDeleteShadowMapping@8 ; MmDeleteShadowMapping(x,x)

loc_72A557:				; CODE XREF: KiShadowProcessorAllocation+3Fj
					; KiShadowProcessorAllocation+598Aj
		xor	eax, eax
		jmp	loc_724C4E
; 

loc_72A55E:				; CODE XREF: KiShadowProcessorAllocation+59j
					; KiShadowProcessorAllocation+B9j
		mov	edx, 7000h
		mov	ecx, esi
		call	_MmDeleteShadowMapping@8 ; MmDeleteShadowMapping(x,x)
		test	ebx, ebx
		jz	short loc_72A557
		jmp	short loc_72A547
; END OF FUNCTION CHUNK	FOR KiShadowProcessorAllocation
; 
; START	OF FUNCTION CHUNK FOR KiInitializeProcessor

loc_72A570:				; CODE XREF: KiInitializeProcessor+B3j
					; KiInitializeProcessor+BCj
		or	eax, 0FFFFFFFFh
		mov	edx, ecx
		jmp	loc_724FA2
; 

loc_72A57A:				; CODE XREF: KiInitializeProcessor+F2j
					; KiInitializeProcessor+FBj
		or	eax, 0FFFFFFFFh
		jmp	loc_724FE1
; 

loc_72A582:				; CODE XREF: KiInitializeProcessor+146j
					; KiInitializeProcessor+14Fj
		or	eax, 0FFFFFFFFh
		jmp	loc_725035
; 

loc_72A58A:				; CODE XREF: KiInitializeProcessor+185j
		mov	[esi+3B14h], ebx
		mov	[esi+3F74h], ebx
		mov	[esi+4064h], ebx
		jmp	loc_7250E6
; END OF FUNCTION CHUNK	FOR KiInitializeProcessor
; 
; START	OF FUNCTION CHUNK FOR KiCompleteKernelInit

loc_72A5A1:				; CODE XREF: KiCompleteKernelInit+66j
					; KiCompleteKernelInit+4D4Dj
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_72A5A1
		jmp	loc_7258C1
; END OF FUNCTION CHUNK	FOR KiCompleteKernelInit
; 
; START	OF FUNCTION CHUNK FOR KiCreateCpuSetForProcessor

loc_72A5B4:				; CODE XREF: KiCreateCpuSetForProcessor+BCj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_725A79
; END OF FUNCTION CHUNK	FOR KiCreateCpuSetForProcessor
; 
; START	OF FUNCTION CHUNK FOR KiSetStandardizedCacheInformation

loc_72A5C1:				; CODE XREF: KiSetStandardizedCacheInformation+84j
		dec	edx
		sub	edx, 1
		jnz	loc_7260BD
		mov	ebx, [ebp+var_18]
		mov	dword ptr [ebx+8], 3
		jmp	loc_725FF4
; 

loc_72A5DA:				; CODE XREF: KiSetStandardizedCacheInformation+96j
		or	dl, 0FFh
		jmp	loc_726007
; END OF FUNCTION CHUNK	FOR KiSetStandardizedCacheInformation
; 
; START	OF FUNCTION CHUNK FOR KiGetCacheInformation

loc_72A5E2:				; CODE XREF: KiGetCacheInformation+53j
		sub	ecx, 1
		jz	short loc_72A5F5
		sub	ecx, 3
		jz	loc_726187
		jmp	loc_726304
; 

loc_72A5F5:				; CODE XREF: KiGetCacheInformation+44B7j
		xor	eax, eax
		lea	edi, [esp+0A0h+var_64]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, 80000000h
		cpuid
		mov	esi, ebx
		lea	edi, [esp+0A4h+var_64]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	ecx, 80000005h
		mov	[edi+0Ch], edx
		cmp	[esp+0A0h+var_64], ecx
		jb	loc_726300
		xor	eax, eax
		lea	edi, [esp+0A0h+var_54]
		stosd
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, ecx
		xor	ecx, ecx
		lea	edi, [esp+0A4h+var_54]
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		xor	eax, eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		lea	edi, [esp+0A0h+var_44]
		movzx	ecx, [esp+0A0h+var_4C]
		stosd
		mov	ds:_KePrefetchNTAGranularity, ecx
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, 80000000h
		cpuid
		mov	esi, ebx
		lea	edi, [esp+0A4h+var_44]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	ecx, 80000006h
		mov	[edi+0Ch], edx
		cmp	[esp+0A0h+var_44], ecx
		jb	loc_726300
		xor	eax, eax
		lea	edi, [esp+0A0h+var_34]
		stosd
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, ecx
		xor	ecx, ecx
		lea	edi, [esp+0A4h+var_34]
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	eax, [esp+0A0h+var_2C]
		movzx	ecx, al
		mov	[esp+0A0h+var_84], ecx
		mov	ecx, eax
		shr	ecx, 0Ch
		push	2
		and	ecx, 0Fh
		pop	edx
		sub	ecx, edx
		jz	short loc_72A6ED
		sub	ecx, edx
		jz	short loc_72A6EB
		sub	ecx, edx
		jz	short loc_72A6E7
		sub	ecx, edx
		jz	short loc_72A6E3
		sub	ecx, 7
		jz	short loc_72A6E3
		mov	dl, 1
		jmp	short loc_72A6ED
; 

loc_72A6E3:				; CODE XREF: KiGetCacheInformation+45AAj
					; KiGetCacheInformation+45AFj
		mov	dl, 10h
		jmp	short loc_72A6ED
; 

loc_72A6E7:				; CODE XREF: KiGetCacheInformation+45A6j
		mov	dl, 8
		jmp	short loc_72A6ED
; 

loc_72A6EB:				; CODE XREF: KiGetCacheInformation+45A2j
		mov	dl, 4

loc_72A6ED:				; CODE XREF: KiGetCacheInformation+459Ej
					; KiGetCacheInformation+45B3j ...
		mov	ecx, [esp+0A0h+var_78]
		shr	eax, 6
		and	eax, 3FFFC00h
		cmp	byte ptr [ecx+134h], 6
		jnz	short loc_72A715
		mov	esi, 300h
		cmp	[ecx+136h], si
		jnz	short loc_72A715
		mov	eax, 10000h

loc_72A715:				; CODE XREF: KiGetCacheInformation+45D2j
					; KiGetCacheInformation+45E0j
		mov	[ecx+53h], dl
		mov	[ecx+90h], eax
		jmp	loc_726304
; 

loc_72A723:				; CODE XREF: KiGetCacheInformation+ECj
		mov	edi, [esp+0A0h+var_7C]
		jmp	loc_72622B
; 

loc_72A72C:				; CODE XREF: KiGetCacheInformation+141j
					; KiGetCacheInformation+208j ...
		cmp	cl, 79h
		mov	al, cl
		sbb	dl, dl
		and	al, 0F8h
		and	dl, 0FCh
		add	dl, 8
		mov	[esp+0A0h+var_8D], dl
		cmp	al, 78h
		jnz	short loc_72A752
		mov	eax, 80h
		cmp	[esp+0A0h+var_84], eax
		jnb	short loc_72A752
		mov	[esp+0A0h+var_84], eax

loc_72A752:				; CODE XREF: KiGetCacheInformation+4613j
					; KiGetCacheInformation+461Ej
		movzx	ecx, cl
		mov	ebx, 10000h
		and	ecx, 7
		shl	ebx, cl
		mov	[esp+0A0h+var_8C], ebx
		movzx	ecx, dl
		jmp	short loc_72A7D7
; 

loc_72A768:				; CODE XREF: KiGetCacheInformation+14Cj
		mov	eax, 80h
		cmp	[esp+0A0h+var_84], eax
		jnb	short loc_72A777
		mov	[esp+0A0h+var_84], eax

loc_72A777:				; CODE XREF: KiGetCacheInformation+4643j
		movzx	ecx, cl
		mov	al, 8
		mov	[esp+0A0h+var_8D], al
		sub	ecx, 22h
		jz	short loc_72A7AE
		sub	ecx, 1
		jz	short loc_72A7A7
		dec	ecx
		sub	ecx, 1
		jz	short loc_72A7A0
		sub	ecx, 4
		jz	short loc_72A799
		xor	ebx, ebx
		jmp	short loc_72A7C6
; 

loc_72A799:				; CODE XREF: KiGetCacheInformation+4665j
		mov	ebx, 400000h
		jmp	short loc_72A7C6
; 

loc_72A7A0:				; CODE XREF: KiGetCacheInformation+4660j
		mov	ebx, 200000h
		jmp	short loc_72A7C6
; 

loc_72A7A7:				; CODE XREF: KiGetCacheInformation+465Aj
		mov	ebx, 100000h
		jmp	short loc_72A7C6
; 

loc_72A7AE:				; CODE XREF: KiGetCacheInformation+4655j
		mov	al, 4
		jmp	short loc_72A7B4
; 

loc_72A7B2:				; CODE XREF: KiGetCacheInformation+4745j
		mov	al, 2

loc_72A7B4:				; CODE XREF: KiGetCacheInformation+4682j
		mov	ebx, 80000h
		jmp	short loc_72A7C2
; 

loc_72A7BB:				; CODE XREF: KiGetCacheInformation+46FCj
		mov	ebx, 400000h

loc_72A7C0:				; CODE XREF: KiGetCacheInformation+473Dj
					; KiGetCacheInformation+475Ej
		mov	al, 8

loc_72A7C2:				; CODE XREF: KiGetCacheInformation+468Bj
					; KiGetCacheInformation+471Bj ...
		mov	[esp+0A0h+var_8D], al

loc_72A7C6:				; CODE XREF: KiGetCacheInformation+4669j
					; KiGetCacheInformation+4670j ...
		mov	[esp+0A0h+var_8C], ebx
		jmp	short loc_72A7D4
; 

loc_72A7CC:				; CODE XREF: KiGetCacheInformation+470Bj
					; KiGetCacheInformation+4753j
		mov	al, [esp+0A0h+var_8D]
		mov	ebx, [esp+0A0h+var_8C]

loc_72A7D4:				; CODE XREF: KiGetCacheInformation+469Cj
		movzx	ecx, al

loc_72A7D7:				; CODE XREF: KiGetCacheInformation+4638j
		xor	edx, edx
		mov	eax, ebx
		div	ecx
		cmp	eax, [esp+0A0h+var_80]
		jbe	loc_7262DA
		mov	ecx, [esp+0A0h+var_78]
		mov	[esp+0A0h+var_80], eax
		mov	al, [esp+0A0h+var_8D]
		mov	[ecx+90h], ebx
		mov	[ecx+53h], al
		jmp	loc_7262DA
; 

loc_72A801:				; CODE XREF: KiGetCacheInformation+170j
		mov	ds:_KePrefetchNTAGranularity, 80h
		jmp	loc_7262DA
; 

loc_72A810:				; CODE XREF: KiGetCacheInformation+182j
					; KiGetCacheInformation+18Bj ...
		push	40h
		pop	eax
		cmp	[esp+0A0h+var_84], eax
		jnb	short loc_72A81D
		mov	[esp+0A0h+var_84], eax

loc_72A81D:				; CODE XREF: KiGetCacheInformation+46E9j
		movzx	eax, cl
		cmp	eax, 7Dh
		ja	short loc_72A870
		jz	short loc_72A866
		sub	eax, 4Ah
		jz	short loc_72A7BB
		sub	eax, 1
		jz	short loc_72A85A
		sub	eax, 1
		jz	short loc_72A84E
		sub	eax, 2Ch
		jnz	short loc_72A7CC
		mov	ebx, 100000h
		jmp	short loc_72A847
; 

loc_72A842:				; CODE XREF: KiGetCacheInformation+474Ej
		mov	ebx, 80000h

loc_72A847:				; CODE XREF: KiGetCacheInformation+4712j
		mov	al, 4
		jmp	loc_72A7C2
; 

loc_72A84E:				; CODE XREF: KiGetCacheInformation+4706j
		mov	ebx, 800000h
		mov	al, 10h
		jmp	loc_72A7C2
; 

loc_72A85A:				; CODE XREF: KiGetCacheInformation+4701j
		mov	ebx, 600000h
		mov	al, 0Ch
		jmp	loc_72A7C2
; 

loc_72A866:				; CODE XREF: KiGetCacheInformation+46F7j
		mov	ebx, 200000h
		jmp	loc_72A7C0
; 

loc_72A870:				; CODE XREF: KiGetCacheInformation+46F5j
		sub	eax, 7Fh
		jz	loc_72A7B2
		sub	eax, 7
		jz	short loc_72A842
		sub	eax, 1
		jnz	loc_72A7CC
		mov	ebx, 100000h
		jmp	loc_72A7C0
; END OF FUNCTION CHUNK	FOR KiGetCacheInformation
; 
; START	OF FUNCTION CHUNK FOR KiInitializeXSave

loc_72A891:				; CODE XREF: KiInitializeXSave+16Dj
		mov	ecx, [esp+358h+var_344]
		mov	eax, [esp+358h+var_348]
		add	ds:_KiXSaveAreaLength, ecx
		mov	ds:_KiIptSaveAreaLength, ecx
		mov	ds:_KiIptMsrMask, eax
		jmp	loc_7266ED
; 

loc_72A8AF:				; CODE XREF: KiInitializeXSave+C3j
		test	byte ptr ds:0FFDF03ECh,	1
		jz	loc_7266C5

loc_72A8BC:				; CODE XREF: KiInitializeXSave+82j
					; KiInitializeXSave+8Aj ...
		push	edi
		push	1
		push	0FFDF03D8h
		lea	eax, [esp+364h+var_340]
		push	eax

loc_72A8C9:				; CODE XREF: KiInitializeXSave+42E3j
		push	3Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_72A8D0:				; CODE XREF: KiInitializeXSave+EBj
		push	[esp+36Ch+var_35C]
		push	[esp+370h+var_358]
		push	ecx
		push	ds:_KiIptSaveAreaLength
		jmp	short loc_72A8C9
; END OF FUNCTION CHUNK	FOR KiInitializeXSave
; 
; START	OF FUNCTION CHUNK FOR KiGetFeatureBits

loc_72A8E1:				; CODE XREF: KiGetFeatureBits+40j
		mov	eax, 200h
		xor	edx, edx
		jmp	loc_726DC1
; 

loc_72A8ED:				; CODE XREF: KiGetFeatureBits+CBj
		mov	eax, edi
		and	eax, 0F00h
		cmp	eax, 500h
		jb	short loc_72A90E
		or	edx, 100000h
		mov	[esp+138h+var_12C], ecx
		mov	[esp+138h+var_128], edx
		jmp	loc_72683F
; 

loc_72A90E:				; CODE XREF: KiGetFeatureBits+418Bj
		and	esi, 0FFFF5FF7h
		mov	[esp+138h+var_121], bl
		mov	[esp+138h+var_120], esi
		jmp	loc_72683F
; 

loc_72A921:				; CODE XREF: KiGetFeatureBits+16Aj
		cmp	al, 5
		jnz	loc_726933
		mov	ds:_KiI386PentiumLockErrataPresent, 1
		jmp	loc_726933
; 

loc_72A935:				; CODE XREF: KiGetFeatureBits+1D7j
		and	eax, 0Fh
		cmp	al, 9
		jbe	short loc_72A94F
		mov	eax, [esp+138h+var_104]
		jmp	loc_72694B
; 

loc_72A945:				; CODE XREF: KiGetFeatureBits+1E3j
		and	al, 0Fh
		cmp	al, 4
		ja	loc_726957

loc_72A94F:				; CODE XREF: KiGetFeatureBits+41CCj
		and	edx, 0FFFFFDFFh
		mov	[esp+138h+var_12C], ecx
		mov	[esp+138h+var_128], edx
		jmp	loc_726957
; 

loc_72A962:				; CODE XREF: KiGetFeatureBits+1EDj
					; KiGetFeatureBits+1FEj
		mov	edx, [esp+138h+var_120]
		mov	eax, [esp+138h+var_118]
		and	edx, 0FFFFF7FFh
		mov	[esp+138h+var_120], edx
		jmp	loc_72697A
; 

loc_72A979:				; CODE XREF: KiGetFeatureBits+149j
		cmp	eax, 2
		jnz	loc_726976
		cmp	byte ptr [edi+14h], 0Fh
		jl	loc_726976
		mov	ecx, 8Bh
		rdmsr
		mov	[edi+3D58h], eax
		mov	[edi+3D5Ch], edx
		jmp	loc_726972
; 

loc_72A9A4:				; CODE XREF: KiGetFeatureBits+261j
		cmp	eax, 4
		jnz	short loc_72A9F3
		cmp	byte ptr [edi+14h], 5
		jl	short loc_72AA13
		mov	eax, 402h
		cmp	[edi+16h], ax
		jb	short loc_72AA13
		mov	ecx, 80860004h
		rdmsr
		or	eax, 100h
		jmp	short loc_72A9E6
; 

loc_72A9C8:				; CODE XREF: KiGetFeatureBits+4298j
		push	0FFFFFFFEh
		pop	edi

loc_72A9CB:				; CODE XREF: KiGetFeatureBits+4296j
		xor	ecx, ecx
		cmp	al, 6
		setnl	cl
		dec	ecx
		and	ecx, 0FFFFF000h
		add	ecx, 1107h
		rdmsr
		or	eax, 2
		and	eax, edi

loc_72A9E6:				; CODE XREF: KiGetFeatureBits+4258j
		wrmsr
		mov	edx, [esp+138h+var_120]
		mov	ecx, 100h
		jmp	short loc_72AA0D
; 

loc_72A9F3:				; CODE XREF: KiGetFeatureBits+4239j
		cmp	eax, 5
		jnz	short loc_72AA08
		mov	al, [edi+14h]
		cmp	al, 5
		jl	short loc_72AA13
		or	edi, 0FFFFFFFFh
		cmp	al, 6
		jl	short loc_72A9CB
		jmp	short loc_72A9C8
; 

loc_72AA08:				; CODE XREF: KiGetFeatureBits+4288j
		cmp	eax, 6
		jnz	short loc_72AA13

loc_72AA0D:				; CODE XREF: KiGetFeatureBits+4283j
		or	edx, ecx
		mov	[esp+138h+var_120], edx

loc_72AA13:				; CODE XREF: KiGetFeatureBits+423Fj
					; KiGetFeatureBits+424Aj ...
		test	edx, ecx
		jz	loc_7269E3
		jmp	loc_7269D5
; 

loc_72AA20:				; CODE XREF: KiGetFeatureBits+343j
		inc	eax
		jmp	loc_726AE6
; 

loc_72AA26:				; CODE XREF: KiGetFeatureBits+338j
		mov	edi, [esp+138h+var_114]
		inc	eax
		cmp	edi, ecx
		jb	loc_726AEA
		xor	eax, eax
		lea	edi, [esp+138h+var_B4]
		stosd
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, ecx
		xor	ecx, ecx
		lea	edi, [esp+13Ch+var_B4]
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	ecx, [esp+138h+var_AC]
		test	ecx, 0F000h
		jz	short loc_72AA7C
		shr	ecx, 0Ch
		xor	eax, eax
		and	ecx, 0Fh
		inc	eax
		shl	eax, cl
		jmp	loc_726AE2
; 

loc_72AA7C:				; CODE XREF: KiGetFeatureBits+42FCj
		movzx	eax, cl
		jmp	loc_726AE1
; 

loc_72AA84:				; CODE XREF: KiGetFeatureBits+3A2j
		cmp	eax, 5
		jz	loc_726B16
		cmp	eax, 2
		jnz	loc_72AB73
		test	edx, 10000000h
		jz	short loc_72AAAC
		mov	eax, [esp+138h+var_110]
		cmp	al, cl
		jbe	short loc_72AAAC
		mov	ds:_KiSMTProcessorsPresent, cl

loc_72AAAC:				; CODE XREF: KiGetFeatureBits+432Ej
					; KiGetFeatureBits+4336j
		mov	[esi+344h], ecx
		cmp	edi, 8000001Eh
		jb	loc_72AB4A
		xor	eax, eax
		lea	edi, [esp+138h+var_A4]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, 80000001h
		cpuid
		mov	esi, ebx
		lea	edi, [esp+13Ch+var_A4]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		xor	ecx, ecx
		mov	[edi+0Ch], edx
		inc	ecx
		test	[esp+138h+var_9C], 400000h
		jz	short loc_72AB42
		xor	eax, eax
		lea	edi, [esp+138h+var_94]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, 8000001Eh
		cpuid
		mov	esi, ebx
		lea	edi, [esp+13Ch+var_94]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	esi, [esp+138h+var_11C]
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	eax, [esp+138h+var_90]
		shr	eax, 8
		movzx	ecx, al
		inc	ecx
		mov	[esi+344h], ecx
		jmp	short loc_72AB46
; 

loc_72AB42:				; CODE XREF: KiGetFeatureBits+438Bj
		mov	esi, [esp+138h+var_11C]

loc_72AB46:				; CODE XREF: KiGetFeatureBits+43D2j
		mov	ebx, [esp+138h+var_120]

loc_72AB4A:				; CODE XREF: KiGetFeatureBits+434Aj
		cmp	ecx, 1
		jbe	short loc_72AB56
		mov	ds:_KiSMTProcessorsPresent, 1

loc_72AB56:				; CODE XREF: KiGetFeatureBits+43DFj
		mov	eax, ebx
		mov	[esi+3D38h], ebx
		xor	edx, edx
		div	ecx
		mov	cl, [esi+344h]
		mov	[esi+340h], eax
		jmp	loc_726B5D
; 

loc_72AB73:				; CODE XREF: KiGetFeatureBits+4322j
		mov	[esi+3D38h], ebx
		jmp	short loc_72AB8E
; 

loc_72AB7B:				; CODE XREF: KiGetFeatureBits+3D7j
		mov	[esi+3D38h], edx
		mov	eax, edx
		jmp	loc_726B51
; 

loc_72AB88:				; CODE XREF: KiGetFeatureBits+3AEj
		mov	[esi+3D38h], ecx

loc_72AB8E:				; CODE XREF: KiGetFeatureBits+440Bj
		mov	[esi+344h], ecx
		jmp	loc_726B5D
; 

loc_72AB99:				; CODE XREF: KiGetFeatureBits+675j
		mov	bl, [ecx+14h]
		mov	al, [ecx+17h]
		mov	dl, [ecx+16h]
		cmp	bl, 0Fh
		jnz	short loc_72ABC8
		cmp	al, 6Bh
		jz	short loc_72ABB3
		cmp	al, 68h
		jnz	loc_726C08

loc_72ABB3:				; CODE XREF: KiGetFeatureBits+443Bj
		cmp	dl, 1
		jnz	loc_726C08
		or	ds:_KiCacheErrataMonitor, 1
		jmp	loc_726C08
; 

loc_72ABC8:				; CODE XREF: KiGetFeatureBits+4437j
		cmp	bl, 10h
		jnz	loc_726C08
		test	al, al
		jnz	short loc_72ABDA
		cmp	dl, 2
		jbe	short loc_72ABF7

loc_72ABDA:				; CODE XREF: KiGetFeatureBits+4465j
		cmp	al, 2
		jnz	short loc_72ABE7
		cmp	dl, al
		jbe	short loc_72ABF7
		cmp	dl, 0Ah
		jz	short loc_72ABF7

loc_72ABE7:				; CODE XREF: KiGetFeatureBits+446Ej
		cmp	al, 4
		jnz	loc_726C08
		test	dl, dl
		jnz	loc_726C08

loc_72ABF7:				; CODE XREF: KiGetFeatureBits+446Aj
					; KiGetFeatureBits+4472j ...
		or	ds:_KiCacheErrataMonitor, 2
		jmp	loc_726C08
; 

loc_72AC03:				; CODE XREF: KiGetFeatureBits+4A1j
		sub	eax, 1
		jz	short loc_72AC1A
		sub	eax, 3
		jz	loc_726C15

loc_72AC11:				; CODE XREF: KiGetFeatureBits+4B0j
		mov	ebx, [esp+138h+var_12C]
		jmp	loc_726C90
; 

loc_72AC1A:				; CODE XREF: KiGetFeatureBits+4498j
		mov	edx, 80000008h
		cmp	[esp+138h+var_114], edx
		jb	short loc_72AC5B
		xor	eax, eax
		lea	edi, [esp+138h+var_84]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, edx
		cpuid
		mov	esi, ebx
		lea	edi, [esp+13Ch+var_84]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	eax, [esp+138h+var_84]
		jmp	loc_726C55
; 

loc_72AC5B:				; CODE XREF: KiGetFeatureBits+44B5j
		test	[esp+138h+var_68], 100000h
		mov	ebx, [esp+138h+var_12C]
		jz	loc_726C90
		mov	edx, 0FFFFF000h
		mov	ds:_KiMtrrMaxRangeShift, 28h
		mov	eax, 0FFh
		mov	ds:_KiMtrrMaskBase, edx
		mov	ds:dword_6B3FAC, eax
		mov	ds:_KiMtrrMaskMask, edx
		mov	ds:dword_6B3FB4, eax
		jmp	loc_726C90
; 

loc_72AC9C:				; CODE XREF: KiGetFeatureBits+593j
					; KiGetFeatureBits+59Bj
		mov	esi, [esp+138h+var_128]
		mov	ebx, [esp+138h+var_12C]
		jmp	loc_726D35
; 

loc_72ACA9:				; CODE XREF: KiGetFeatureBits+5D6j
		xor	ecx, ecx
		jmp	loc_726D5A
; 

loc_72ACB0:				; CODE XREF: KiGetFeatureBits+547j
		cmp	al, 2
		jnz	loc_726D7C
		xor	eax, eax
		lea	edi, [esp+138h+var_44]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, 80000000h
		cpuid
		mov	esi, ebx
		lea	edi, [esp+13Ch+var_44]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	ecx, 8000000Ah
		mov	[edi+0Ch], edx
		cmp	[esp+138h+var_44], ecx
		jb	short loc_72AD3F
		xor	eax, eax
		lea	edi, [esp+138h+var_34]
		stosd
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, ecx
		xor	ecx, ecx
		lea	edi, [esp+13Ch+var_34]
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	ebx, [esp+138h+var_12C]
		mov	[edi], eax
		mov	[edi+4], esi
		mov	esi, [esp+138h+var_128]
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	[esp+138h+var_28], 1
		jz	short loc_72AD47
		or	esi, 4000000h
		mov	[esp+138h+var_12C], ebx
		mov	[esp+138h+var_128], esi
		jmp	short loc_72AD47
; 

loc_72AD3F:				; CODE XREF: KiGetFeatureBits+4583j
		mov	ebx, [esp+138h+var_12C]
		mov	esi, [esp+138h+var_128]

loc_72AD47:				; CODE XREF: KiGetFeatureBits+45BFj
					; KiGetFeatureBits+45CFj
		mov	ecx, 0C0010114h
		rdmsr
		and	eax, 10h
		xor	ecx, ecx
		or	eax, ecx
		mov	al, [esp+138h+var_121]
		jnz	loc_726D7C
		or	esi, 8000000h
		mov	[esp+138h+var_12C], ebx
		or	ds:_KiVirtFlags, 1
		mov	[esp+138h+var_128], esi
		jmp	loc_726D7C
; 

loc_72AD79:				; CODE XREF: KiGetFeatureBits+645j
		push	3Ah
		pop	ecx
		rdmsr
		mov	ecx, 40001h
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_726DB9
		xor	eax, eax
		lea	edi, [esp+138h+var_14]
		stosd
		xor	ecx, ecx
		push	12h
		stosd
		stosd
		stosd
		pop	eax
		push	ebx
		cpuid
		mov	esi, ebx
		lea	edi, [esp+13Ch+var_14]
		pop	ebx
		nop
		mov	[edi], eax
		mov	eax, [esp+138h+var_128]
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	byte ptr [esp+138h+var_14], 1
		mov	edx, [esp+138h+var_12C]
		jz	loc_726DC1
		or	edx, 8
		or	dword ptr ds:0FFDF036Ch, 2
		jmp	loc_726DC1
; END OF FUNCTION CHUNK	FOR KiGetFeatureBits
; 
; START	OF FUNCTION CHUNK FOR KiIsNXSupported

loc_72ADDD:				; CODE XREF: KiIsNXSupported+5Fj
		xor	eax, eax
		lea	edi, [ebp+var_14]
		mov	[ebp+var_18], eax
		xor	ecx, ecx
		inc	eax
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	[ebp+var_8], 4000000h
		jz	short loc_72AE11
		call	KiGetCpuVendor
		cmp	eax, 2
		jz	loc_726E53

loc_72AE11:				; CODE XREF: KiIsNXSupported+4013j
		mov	eax, [ebp+var_18]
		jmp	loc_726E55
; END OF FUNCTION CHUNK	FOR KiIsNXSupported
; 
; START	OF FUNCTION CHUNK FOR KiGetCpuVendor

loc_72AE19:				; CODE XREF: KiGetCpuVendor+98j
		mov	edx, offset _CmpAmdID
		lea	eax, [ebp+var_24]

loc_72AE21:				; CODE XREF: KiGetCpuVendor+390Fj
		mov	bl, [eax]
		cmp	bl, [edx]
		jnz	short loc_72AE3F
		test	bl, bl
		jz	short loc_72AE3B
		mov	bl, [eax+1]
		cmp	bl, [edx+1]
		jnz	short loc_72AE3F
		add	eax, esi
		add	edx, esi
		test	bl, bl
		jnz	short loc_72AE21

loc_72AE3B:				; CODE XREF: KiGetCpuVendor+38FFj
		mov	eax, ecx
		jmp	short loc_72AE43
; 

loc_72AE3F:				; CODE XREF: KiGetCpuVendor+38FBj
					; KiGetCpuVendor+3907j
		sbb	eax, eax
		or	eax, edi

loc_72AE43:				; CODE XREF: KiGetCpuVendor+3913j
		test	eax, eax
		jnz	short loc_72AE4E
		mov	eax, esi
		jmp	loc_7275CA
; 

loc_72AE4E:				; CODE XREF: KiGetCpuVendor+391Bj
		mov	edx, offset _CmpCyrixID	; "CyrixInstead"
		lea	eax, [ebp+var_24]

loc_72AE56:				; CODE XREF: KiGetCpuVendor+3944j
		mov	bl, [eax]
		cmp	bl, [edx]
		jnz	short loc_72AE74
		test	bl, bl
		jz	short loc_72AE70
		mov	bl, [eax+1]
		cmp	bl, [edx+1]
		jnz	short loc_72AE74
		add	eax, esi
		add	edx, esi
		test	bl, bl
		jnz	short loc_72AE56

loc_72AE70:				; CODE XREF: KiGetCpuVendor+3934j
		mov	eax, ecx
		jmp	short loc_72AE78
; 

loc_72AE74:				; CODE XREF: KiGetCpuVendor+3930j
					; KiGetCpuVendor+393Cj
		sbb	eax, eax
		or	eax, edi

loc_72AE78:				; CODE XREF: KiGetCpuVendor+3948j
		test	eax, eax
		jnz	short loc_72AE88
		push	3
		jmp	short loc_72AE82
; 

loc_72AE80:				; CODE XREF: KiGetCpuVendor+39BCj
		push	5

loc_72AE82:				; CODE XREF: KiGetCpuVendor+3954j
					; KiGetCpuVendor+398Ej
		pop	eax
		jmp	loc_7275CA
; 

loc_72AE88:				; CODE XREF: KiGetCpuVendor+3950j
		mov	edx, offset _CmpTransmetaID
		lea	eax, [ebp+var_24]

loc_72AE90:				; CODE XREF: KiGetCpuVendor+397Ej
		mov	bl, [eax]
		cmp	bl, [edx]
		jnz	short loc_72AEAE
		test	bl, bl
		jz	short loc_72AEAA
		mov	bl, [eax+1]
		cmp	bl, [edx+1]
		jnz	short loc_72AEAE
		add	eax, esi
		add	edx, esi
		test	bl, bl
		jnz	short loc_72AE90

loc_72AEAA:				; CODE XREF: KiGetCpuVendor+396Ej
		mov	eax, ecx
		jmp	short loc_72AEB2
; 

loc_72AEAE:				; CODE XREF: KiGetCpuVendor+396Aj
					; KiGetCpuVendor+3976j
		sbb	eax, eax
		or	eax, edi

loc_72AEB2:				; CODE XREF: KiGetCpuVendor+3982j
		test	eax, eax
		jnz	short loc_72AEBA
		push	4
		jmp	short loc_72AE82
; 

loc_72AEBA:				; CODE XREF: KiGetCpuVendor+398Aj
		mov	edx, offset _CmpCentaurID
		lea	eax, [ebp+var_24]

loc_72AEC2:				; CODE XREF: KiGetCpuVendor+39B0j
		mov	bl, [eax]
		cmp	bl, [edx]
		jnz	short loc_72AEE0
		test	bl, bl
		jz	short loc_72AEDC
		mov	bl, [eax+1]
		cmp	bl, [edx+1]
		jnz	short loc_72AEE0
		add	eax, esi
		add	edx, esi
		test	bl, bl
		jnz	short loc_72AEC2

loc_72AEDC:				; CODE XREF: KiGetCpuVendor+39A0j
		mov	eax, ecx
		jmp	short loc_72AEE4
; 

loc_72AEE0:				; CODE XREF: KiGetCpuVendor+399Cj
					; KiGetCpuVendor+39A8j
		sbb	eax, eax
		or	eax, edi

loc_72AEE4:				; CODE XREF: KiGetCpuVendor+39B4j
		test	eax, eax
		jz	short loc_72AE80
		mov	edx, offset _CmpRiseID
		lea	eax, [ebp+var_24]

loc_72AEF0:				; CODE XREF: KiGetCpuVendor+39DEj
		mov	bl, [eax]
		cmp	bl, [edx]
		jnz	short loc_72AF0C
		test	bl, bl
		jz	short loc_72AF10
		mov	bl, [eax+1]
		cmp	bl, [edx+1]
		jnz	short loc_72AF0C
		add	eax, esi
		add	edx, esi
		test	bl, bl
		jnz	short loc_72AEF0
		jmp	short loc_72AF10
; 

loc_72AF0C:				; CODE XREF: KiGetCpuVendor+39CAj
					; KiGetCpuVendor+39D6j
		sbb	ecx, ecx
		or	ecx, edi

loc_72AF10:				; CODE XREF: KiGetCpuVendor+39CEj
					; KiGetCpuVendor+39E0j
		xor	eax, eax
		test	ecx, ecx
		setnz	al
		add	eax, 6
		jmp	loc_7275CA
; END OF FUNCTION CHUNK	FOR KiGetCpuVendor
; 
; START	OF FUNCTION CHUNK FOR PoInitializePrcb

loc_72AF1F:				; CODE XREF: PoInitializePrcb+73j
		test	byte ptr ds:_HvlpFlags,	2
		push	0
		pop	eax
		setnz	al
		inc	eax
		mov	[edi+0C8h], eax
		jmp	loc_727660
; END OF FUNCTION CHUNK	FOR PoInitializePrcb
; 
; START	OF FUNCTION CHUNK FOR BapdRecordFirmwareBootStats

loc_72AF38:				; CODE XREF: BapdRecordFirmwareBootStats+22Bj
		mov	eax, [ebp+var_E8]
		xor	ecx, ecx
		mov	[ebp+var_D8], eax
		mov	eax, [ebp+var_E4]
		mov	[ebp+var_D4], eax
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+var_F0]
		mov	[ebp+var_110], eax
		mov	eax, [ebp+var_EC]
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_110]
		mov	[ebp+var_98], eax
		mov	eax, [ebp+var_E0]
		mov	[ebp+var_118], eax
		mov	eax, [ebp+var_DC]
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_118]
		mov	[ebp+var_88], eax
		mov	eax, [ebp+var_F8]
		mov	[ebp+var_120], eax
		mov	eax, [ebp+var_F4]
		mov	[ebp+var_11C], eax
		lea	eax, [ebp+var_120]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+var_100]
		push	8
		pop	edx
		mov	[ebp+var_128], eax
		mov	eax, [ebp+var_FC]
		mov	[ebp+var_124], eax
		lea	eax, [ebp+var_128]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_C8]
		push	eax
		push	7
		push	ecx
		push	ecx
		push	offset loc_4249BA
		push	offset dword_6B2B58
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_A0], edx
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_94], ecx
		mov	[ebp+var_90], edx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_84], ecx
		mov	[ebp+var_80], edx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_724225
; 

loc_72B04C:				; CODE XREF: BapdRecordFirmwareBootStats+A9j
					; BapdRecordFirmwareBootStats+C5j ...
		mov	ebx, [ebp+var_D4]
		mov	edi, [ebp+var_D8]
		jmp	loc_724225
; END OF FUNCTION CHUNK	FOR BapdRecordFirmwareBootStats
; 
; START	OF FUNCTION CHUNK FOR KiIntersectFeaturesWithPolicy

loc_72B05D:				; CODE XREF: KiIntersectFeaturesWithPolicy+63j
		cmp	ds:_KeXSavePolicyId, ecx
		jz	loc_727869
		lea	eax, [ebp+var_40]
		mov	ds:_KeXSavePolicyId, ecx
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	ecx
		push	65h
		push	esi
		call	KeHwPolicyLocateResource
		jmp	loc_727869
; 

loc_72B085:				; CODE XREF: KiIntersectFeaturesWithPolicy+6Ej
		and	dword ptr [ebx+14h], 0FFFFFFFCh
		mov	[ebx], edi
		mov	[ebx+4], edi
		mov	[ebx+218h], edi
		mov	[ebx+21Ch], edi
		jmp	loc_72796F
; END OF FUNCTION CHUNK	FOR KiIntersectFeaturesWithPolicy
; 
; START	OF FUNCTION CHUNK FOR KiIsXSaveFeatureAllowed

loc_72B09F:				; CODE XREF: KiIsXSaveFeatureAllowed+2Bj
		inc	edi
		add	esi, 38h
		cmp	edi, ebx
		jb	loc_7279C3
		jmp	loc_7279F6
; END OF FUNCTION CHUNK	FOR KiIsXSaveFeatureAllowed
; 
; START	OF FUNCTION CHUNK FOR KiDoesProcessorMatchErrata

loc_72B0B0:				; CODE XREF: KiDoesProcessorMatchErrata+33j
		mov	ecx, esi
		mov	eax, esi
		shr	ecx, 0Eh
		shr	eax, 8
		and	ecx, 0FF0h
		and	eax, 0Fh
		add	ecx, eax
		movzx	eax, word ptr [edi+2]
		cmp	ecx, eax
		jnz	loc_727A33
		and	esi, 0Fh
		cmp	si, [edi+6]
		jnz	loc_727A33
		mov	ecx, [edi+10h]
		mov	eax, ecx
		mov	edx, [edi+14h]
		or	eax, edx
		jz	loc_727A33
		mov	eax, [ebx+14h]
		cmp	eax, edx
		ja	loc_727A33
		jb	short loc_72B106
		mov	eax, [ebx+10h]
		cmp	eax, ecx
		ja	loc_727A33

loc_72B106:				; CODE XREF: KiDoesProcessorMatchErrata+36FFj
		mov	al, 1
		jmp	loc_727A35
; END OF FUNCTION CHUNK	FOR KiDoesProcessorMatchErrata
; 
; START	OF FUNCTION CHUNK FOR WheaConfigureErrorSource

loc_72B10D:				; CODE XREF: WheaConfigureErrorSource+5Dj
		push	esi
		mov	edx, ebx
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx
		jmp	loc_727AA1
; 

loc_72B11C:				; CODE XREF: WheaConfigureErrorSource+9Cj
		mov	[esi+18h], eax
		jmp	loc_727AEF
; 

loc_72B124:				; CODE XREF: WheaConfigureErrorSource+CEj
		mov	ecx, edi
		call	_WheapInitializeDeferredErrorSources@4 ; WheapInitializeDeferredErrorSources(x)
		mov	ebx, eax
		jmp	loc_727B17
; 

loc_72B132:				; CODE XREF: WheaConfigureErrorSource+E3j
		test	cl, 4
		jnz	loc_727B27
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_727B27
; 

loc_72B147:				; CODE XREF: WheaConfigureErrorSource+Dj
		mov	ebx, 0C000000Dh
		jmp	loc_727B49
; END OF FUNCTION CHUNK	FOR WheaConfigureErrorSource
; 
; START	OF FUNCTION CHUNK FOR Ke386ConfigureCyrixProcessor

loc_72B151:				; CODE XREF: Ke386ConfigureCyrixProcessor+Cj
		push	ds:_ExPageLockHandle
		call	_MmLockPagableSectionByHandle@4	; MmLockPagableSectionByHandle(x)
		or	cl, 0FFh
		dec	esi
		call	ReadCyrixRegister
		movzx	ecx, al
		cmp	esi, 20h
		jb	short loc_72B172
		cmp	esi, 27h
		jbe	short loc_72B182

loc_72B172:				; CODE XREF: Ke386ConfigureCyrixProcessor+35EFj
		mov	eax, esi
		and	eax, 0F0h
		cmp	al, 30h
		jnz	short loc_72B18F
		cmp	ecx, 17h
		jnb	short loc_72B18F

loc_72B182:				; CODE XREF: Ke386ConfigureCyrixProcessor+35F4j
		cli
		mov	eax, cr0
		or	eax, 20000000h
		mov	cr0, eax
		sti

loc_72B18F:				; CODE XREF: Ke386ConfigureCyrixProcessor+35FFj
					; Ke386ConfigureCyrixProcessor+3604j
		cmp	esi, 4
		jb	short loc_72B1E2
		cmp	esi, 7
		jbe	short loc_72B1B9
		lea	eax, [esi-1Ah]
		cmp	eax, 1
		ja	short loc_72B1E2
		mov	cl, 0C1h
		call	ReadCyrixRegister
		or	al, 10h
		cmp	ds:_KeNumberProcessors,	1
		jbe	short loc_72B1B5
		and	al, 0EFh

loc_72B1B5:				; CODE XREF: Ke386ConfigureCyrixProcessor+3635j
		mov	dl, al
		jmp	short loc_72B1DD
; 

loc_72B1B9:				; CODE XREF: Ke386ConfigureCyrixProcessor+361Bj
		mov	cl, 0C0h
		call	ReadCyrixRegister
		and	al, 0FEh
		or	al, 12h
		mov	dl, al
		call	WriteCyrixRegister
		xor	dl, dl
		mov	cl, 0C4h
		call	WriteCyrixRegister
		mov	cl, 0C5h
		call	WriteCyrixRegister
		mov	cl, 0C6h

loc_72B1DD:				; CODE XREF: Ke386ConfigureCyrixProcessor+363Bj
		call	WriteCyrixRegister

loc_72B1E2:				; CODE XREF: Ke386ConfigureCyrixProcessor+3616j
					; Ke386ConfigureCyrixProcessor+3623j
		push	ds:_ExPageLockHandle
		call	_MmUnlockPagableImageSection@4 ; MmUnlockPagableImageSection(x)
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR Ke386ConfigureCyrixProcessor
; 
; START	OF FUNCTION CHUNK FOR KiUpdateXSaveSizeAndVolatileFeatures

loc_72B1EF:				; CODE XREF: KiUpdateXSaveSizeAndVolatileFeatures+2Aj
		mov	ecx, [edx+220h]
		mov	ebx, [edx+224h]
		shrd	edi, esi, 2
		push	2
		pop	eax
		shrd	ecx, ebx, 2
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, edi
		shr	esi, 2
		shr	ebx, 2
		or	eax, esi
		mov	[ebp+var_4], ecx
		jz	short loc_72B272
		lea	eax, [edx+2Ch]
		mov	[ebp+var_C], eax

loc_72B221:				; CODE XREF: KiUpdateXSaveSizeAndVolatileFeatures+36E0j
		cmp	[ebp+var_8], 40h
		jnb	short loc_72B272
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	short loc_72B256
		mov	eax, [ebp+var_4]
		mov	ecx, [edx+10h]
		and	eax, 1
		or	eax, 0
		jz	short loc_72B248
		add	ecx, 3Fh
		and	ecx, 0FFFFFFC0h
		mov	[edx+10h], ecx

loc_72B248:				; CODE XREF: KiUpdateXSaveSizeAndVolatileFeatures+36ADj
		mov	eax, [ebp+var_C]
		mov	[eax-4], ecx
		mov	eax, [eax]
		add	[edx+10h], eax
		mov	ecx, [ebp+var_4]

loc_72B256:				; CODE XREF: KiUpdateXSaveSizeAndVolatileFeatures+369Fj
		add	[ebp+var_C], 8
		shrd	edi, esi, 1
		shrd	ecx, ebx, 1
		shr	esi, 1
		mov	eax, edi
		shr	ebx, 1
		inc	[ebp+var_8]
		or	eax, esi
		mov	[ebp+var_4], ecx
		jnz	short loc_72B221

loc_72B272:				; CODE XREF: KiUpdateXSaveSizeAndVolatileFeatures+3689j
					; KiUpdateXSaveSizeAndVolatileFeatures+3695j
		mov	eax, [edx+220h]
		mov	ecx, [edx+218h]
		mov	ebx, [edx+21Ch]
		mov	edi, [edx]
		or	ecx, edi
		mov	esi, [edx+4]
		or	ebx, esi
		mov	[ebp+var_4], eax
		mov	eax, [edx+224h]
		shrd	[ebp+var_4], eax, 2
		shrd	ecx, ebx, 2
		shr	eax, 2
		mov	[ebp+var_14], eax
		mov	eax, ecx
		shr	ebx, 2
		or	eax, ebx
		mov	[ebp+var_8], ecx
		jz	loc_727C10
		lea	eax, [edx+234h]
		mov	[ebp+var_C], eax

loc_72B2BE:				; CODE XREF: KiUpdateXSaveSizeAndVolatileFeatures+3796j
		cmp	[ebp+var_10], 40h
		jnb	loc_727C10
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_72B2FF
		mov	eax, [ebp+var_4]
		mov	ecx, [edx+228h]
		and	eax, 1
		or	eax, 0
		jz	short loc_72B2EF
		add	ecx, 3Fh
		and	ecx, 0FFFFFFC0h
		mov	[edx+228h], ecx

loc_72B2EF:				; CODE XREF: KiUpdateXSaveSizeAndVolatileFeatures+3751j
		mov	eax, [ebp+var_C]
		mov	eax, [eax]
		add	eax, ecx
		mov	ecx, [ebp+var_8]
		mov	[edx+228h], eax

loc_72B2FF:				; CODE XREF: KiUpdateXSaveSizeAndVolatileFeatures+3740j
		mov	eax, [ebp+var_4]
		add	[ebp+var_C], 4
		mov	[ebp+var_4], eax
		mov	eax, [ebp+var_14]
		shrd	[ebp+var_4], eax, 1
		shrd	ecx, ebx, 1
		shr	eax, 1
		mov	[ebp+var_14], eax
		mov	eax, ecx
		shr	ebx, 1
		inc	[ebp+var_10]
		or	eax, ebx
		mov	[ebp+var_8], ecx
		jnz	short loc_72B2BE
		jmp	loc_727C10
; END OF FUNCTION CHUNK	FOR KiUpdateXSaveSizeAndVolatileFeatures
; 
; START	OF FUNCTION CHUNK FOR KiParseLoadOptions

loc_72B32D:				; CODE XREF: KiParseLoadOptions+1Dj
		cmp	byte ptr [eax+0Bh], 3Dh
		jnz	loc_727C75
		add	eax, 0Ch
		push	eax		; char *
		call	__atoi64
		pop	ecx
		mov	ds:_KeXSavePolicyId, eax
		jmp	loc_727C75
; 

loc_72B34B:				; CODE XREF: KiParseLoadOptions+32j
		cmp	byte ptr [eax+12h], 3Dh
		jnz	loc_727C8A
		add	eax, 13h
		push	eax		; char *
		call	__atoi64
		pop	ecx
		mov	ecx, eax
		or	ecx, edx
		jz	loc_727C8A
		and	eax, 0FFFFFFFCh
		mov	ds:dword_6FDE84, edx
		mov	ds:_KeTestRemovedFeatureMask, eax
		jmp	loc_727C8A
; 

loc_72B37C:				; CODE XREF: KiParseLoadOptions+47j
		cmp	byte ptr [eax+0Ch], 3Dh
		jnz	loc_727C9F
		add	eax, 0Dh
		push	eax		; char *
		call	__atoi64
		or	eax, edx
		pop	ecx
		jz	short loc_72B398
		mov	al, 1
		jmp	short loc_72B39A
; 

loc_72B398:				; CODE XREF: KiParseLoadOptions+3740j
		xor	al, al

loc_72B39A:				; CODE XREF: KiParseLoadOptions+3744j
		mov	ds:_KeTestDisableXSave,	al
		jmp	loc_727C9F
; END OF FUNCTION CHUNK	FOR KiParseLoadOptions
; 
; START	OF FUNCTION CHUNK FOR PfpScenCtxServiceThreadSet

loc_72B3A4:				; CODE XREF: PfpScenCtxServiceThreadSet+59j
		test	al, 4
		jnz	loc_727D01
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_727D01
; END OF FUNCTION CHUNK	FOR PfpScenCtxServiceThreadSet
; 
; START	OF FUNCTION CHUNK FOR KiDetectAccessBitErrata

loc_72B3B8:				; CODE XREF: KiDetectAccessBitErrata+11j
		cmp	byte ptr [ecx+14h], 17h
		jnz	locret_727D66
		mov	ds:_KiAccessBitErrata, 1
		retn
; END OF FUNCTION CHUNK	FOR KiDetectAccessBitErrata
; 
; START	OF FUNCTION CHUNK FOR KiIntersectFeaturesWithTest

loc_72B3CD:				; CODE XREF: KiIntersectFeaturesWithTest+11j
		not	edx
		not	esi
		and	[ecx], edx
		and	[ecx+4], esi
		and	[ecx+218h], edx
		and	[ecx+21Ch], esi
		jmp	loc_727E0B
; 

loc_72B3E7:				; CODE XREF: KiIntersectFeaturesWithTest+1Fj
		and	dword ptr [ecx+14h], 0FFFFFFFCh
		xor	eax, eax
		mov	[ecx], eax
		mov	[ecx+4], eax
		mov	[ecx+218h], eax
		mov	[ecx+21Ch], eax
		retn
; END OF FUNCTION CHUNK	FOR KiIntersectFeaturesWithTest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall xHalDpGetInterruptReplayState(x, x)
_xHalDpGetInterruptReplayState@8 proc near
					; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+171p
					; DATA XREF: .data:off_6B12BCo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_72B40E
		and	dword ptr [eax], 0

loc_72B40E:				; CODE XREF: xHalDpGetInterruptReplayState(x,x)+Aj
		mov	eax, 0C00000BBh
		pop	ebp
		retn	8
_xHalDpGetInterruptReplayState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoShutdownSystem(x)
_IoShutdownSystem@4 proc near		; CODE XREF: PopGracefulShutdown(x)+116p
					; PopGracefulShutdown(x)+1D0p

var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		xor	ebx, ebx
		mov	esi, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		stosd
		stosd
		stosd
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jz	short loc_72B446
		xor	ecx, ecx
		inc	ecx
		call	_VfNotifyVerifierOfEvent@4 ; VfNotifyVerifierOfEvent(x)

loc_72B446:				; CODE XREF: IoShutdownSystem(x)+25j
		push	ebx
		push	ebx
		lea	eax, [ebp+var_1C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		test	esi, esi
		jnz	loc_72B4F7
		call	_PnpShutdownDevices@0 ;	PnpShutdownDevices()
		jmp	short loc_72B4BD
; 

loc_72B460:				; CODE XREF: IoShutdownSystem(x)+B4j
		push	dword ptr [esi+8]
		call	IoGetAttachedDeviceReference
		mov	edi, eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	edi
		push	10h
		call	_IoBuildSynchronousFsdRequest@28 ; IoBuildSynchronousFsdRequest(x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_72B49E
		mov	edx, eax
		mov	ecx, edi
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_72B49E
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeWaitForSingleObject

loc_72B49E:				; CODE XREF: IoShutdownSystem(x)+68j
					; IoShutdownSystem(x)+78j
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	ecx, [esi+8]
		call	ObfDereferenceObject
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [ebp+var_1C]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_72B4BD:				; CODE XREF: IoShutdownSystem(x)+47j
		mov	ecx, offset _IopNotifyShutdownQueueHead
		call	IopInterlockedRemoveHeadList
		mov	esi, eax
		test	esi, esi
		jnz	short loc_72B460
		test	byte ptr ds:_MmVerifierData, 10h
		jz	short loc_72B4DB
		call	_IovUnloadDrivers@0 ; IovUnloadDrivers()

loc_72B4DB:				; CODE XREF: IoShutdownSystem(x)+BDj
		push	4
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], 2
		push	eax
		push	97h
		call	_ZwSetSystemInformation@12 ; ZwSetSystemInformation(x,x,x)
		jmp	loc_72B5A2
; 

loc_72B4F7:				; CODE XREF: IoShutdownSystem(x)+3Cj
		cmp	esi, 1
		jnz	loc_72B5A2
		mov	ecx, offset _IopFilesystemDatabaseShutdownRundown
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		push	esi
		push	offset _IopDatabaseResource
		call	ExAcquireResourceExclusiveLite
		mov	ecx, offset _IopDiskFileSystemQueueHead
		call	_IopShutdownBaseFileSystems@4 ;	IopShutdownBaseFileSystems(x)
		mov	ecx, offset _IopCdRomFileSystemQueueHead
		call	_IopShutdownBaseFileSystems@4 ;	IopShutdownBaseFileSystems(x)
		mov	ecx, offset _IopTapeFileSystemQueueHead
		call	_IopShutdownBaseFileSystems@4 ;	IopShutdownBaseFileSystems(x)
		jmp	short loc_72B592
; 

loc_72B535:				; CODE XREF: IoShutdownSystem(x)+189j
		push	dword ptr [esi+8]
		call	IoGetAttachedDeviceReference
		mov	edi, eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	edi
		push	10h
		call	_IoBuildSynchronousFsdRequest@28 ; IoBuildSynchronousFsdRequest(x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_72B573
		mov	edx, eax
		mov	ecx, edi
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_72B573
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeWaitForSingleObject

loc_72B573:				; CODE XREF: IoShutdownSystem(x)+13Dj
					; IoShutdownSystem(x)+14Dj
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	ecx, [esi+8]
		call	ObfDereferenceObject
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [ebp+var_1C]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_72B592:				; CODE XREF: IoShutdownSystem(x)+11Cj
		mov	ecx, offset _IopNotifyLastChanceShutdownQueueHead
		call	IopInterlockedRemoveHeadList
		mov	esi, eax
		test	esi, esi
		jnz	short loc_72B535

loc_72B5A2:				; CODE XREF: IoShutdownSystem(x)+DBj
					; IoShutdownSystem(x)+E3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IoShutdownSystem@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1033. IoUnregisterShutdownNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoUnregisterShutdownNotification(x)
		public _IoUnregisterShutdownNotification@4
_IoUnregisterShutdownNotification@4 proc near ;	CODE XREF: IoDeleteDevice+D415Ap

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	ds:_ExPageLockHandle
		call	_MmLockPagableSectionByHandle@4	; MmLockPagableSectionByHandle(x)
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	esi, ds:_IopNotifyShutdownQueueHead
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_1], al
		jmp	short loc_72B60C
; 

loc_72B5D6:				; CODE XREF: IoUnregisterShutdownNotification(x)+66j
		mov	ebx, esi
		cmp	[esi+8], edi
		jnz	short loc_72B60A
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_72B676
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_72B676
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, edi
		mov	esi, [esi+4]
		call	ObfDereferenceObject
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_72B60A:				; CODE XREF: IoUnregisterShutdownNotification(x)+2Fj
		mov	esi, [esi]

loc_72B60C:				; CODE XREF: IoUnregisterShutdownNotification(x)+28j
		cmp	esi, offset _IopNotifyShutdownQueueHead
		jnz	short loc_72B5D6
		mov	esi, ds:_IopNotifyLastChanceShutdownQueueHead
		jmp	short loc_72B64A
; 

loc_72B61C:				; CODE XREF: IoUnregisterShutdownNotification(x)+A4j
		mov	ebx, esi
		cmp	[esi+8], edi
		jnz	short loc_72B648
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_72B676
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_72B676
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, edi
		mov	esi, [esi+4]
		call	ObfDereferenceObject
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_72B648:				; CODE XREF: IoUnregisterShutdownNotification(x)+75j
		mov	esi, [esi]

loc_72B64A:				; CODE XREF: IoUnregisterShutdownNotification(x)+6Ej
		cmp	esi, offset _IopNotifyLastChanceShutdownQueueHead
		jnz	short loc_72B61C
		mov	dl, [ebp+var_1]
		push	0Ah
		pop	ecx
		call	KeReleaseQueuedSpinLock
		push	ds:_ExPageLockHandle
		call	_MmUnlockPagableImageSection@4 ; MmUnlockPagableImageSection(x)
		and	dword ptr [edi+1Ch], 0FFFFF7FFh
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_72B676:				; CODE XREF: IoUnregisterShutdownNotification(x)+36j
					; IoUnregisterShutdownNotification(x)+41j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_IoUnregisterShutdownNotification@4 endp ; AL =	character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopShutdownBaseFileSystems(x)
_IopShutdownBaseFileSystems@4 proc near	; CODE XREF: IoShutdownSystem(x)+103p
					; IoShutdownSystem(x)+10Dp ...

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		mov	ebx, ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		push	eax
		push	eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	esi, [ebx]
		cmp	[esi+4], ebx
		jnz	loc_72B761
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_72B761
		mov	[ebx], eax
		mov	[eax+4], ebx
		jmp	loc_72B754
; 

loc_72B6C4:				; CODE XREF: IopShutdownBaseFileSystems(x)+DBj
		and	dword ptr [esi], 0
		lea	edi, [esi-34h]
		and	dword ptr [edi+38h], 0
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	dl, 1
		mov	ecx, edi
		call	IopIncrementDeviceObjectRefCount
		cmp	dword ptr [edi+10h], 0
		mov	esi, edi
		jz	short loc_72B6EE
		push	edi
		call	_IoGetAttachedDevice@4 ; IoGetAttachedDevice(x)
		mov	esi, eax

loc_72B6EE:				; CODE XREF: IopShutdownBaseFileSystems(x)+69j
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	esi
		push	10h
		call	_IoBuildSynchronousFsdRequest@28 ; IoBuildSynchronousFsdRequest(x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_72B726
		mov	edx, eax
		mov	ecx, esi
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_72B726
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	KeWaitForSingleObject

loc_72B726:				; CODE XREF: IopShutdownBaseFileSystems(x)+8Aj
					; IopShutdownBaseFileSystems(x)+9Aj
		mov	esi, [ebx]
		cmp	[esi+4], ebx
		jnz	short loc_72B761
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_72B761
		mov	[ebx], eax
		mov	[eax+4], ebx
		lea	eax, [ebp+var_18]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		push	1
		xor	dl, dl
		mov	ecx, edi
		call	IopDecrementDeviceObjectRef
		mov	ecx, edi
		call	ObfDereferenceObject

loc_72B754:				; CODE XREF: IopShutdownBaseFileSystems(x)+44j
		cmp	esi, ebx
		jnz	loc_72B6C4
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_72B761:				; CODE XREF: IopShutdownBaseFileSystems(x)+2Ej
					; IopShutdownBaseFileSystems(x)+39j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall IopLiveDumpAddTriageDumpData(x, x)
_IopLiveDumpAddTriageDumpData@8:	; CODE XREF: IopLiveDumpMarkImportantDumpData(x,x)+D1p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		mov	esi, ds:_KeBugCheckReasonCallbackListHead
		xor	eax, eax
		and	[ebp+var_4], eax
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_10], ebx
		push	edi
		lea	edi, [ebp+var_30]
		push	8
		pop	ecx
		rep stosd
		test	esi, esi
		jz	loc_72B87E
		cmp	ds:dword_6CB3FC, eax
		jz	loc_72B87E
		mov	eax, offset _KeBugCheckReasonCallbackListHead
		mov	[ebp+var_C], eax
		cmp	esi, eax
		jz	loc_72B87E

loc_72B7B0:				; CODE XREF: IopShutdownBaseFileSystems(x)+1FDj
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		push	7
		pop	edx
		call	_KeValidateBugCheckCallbackRecord@12 ; KeValidateBugCheckCallbackRecord(x,x,x)
		test	al, al
		jz	loc_72B86A
		mov	eax, [ebx]
		and	[ebp+var_30], 0
		mov	[ebp+var_24], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_20], eax
		mov	eax, [ebx+8]
		mov	[ebp+var_1C], eax
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_18], eax
		mov	eax, [ebx+10h]
		push	20h
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		push	7
		mov	[ebp+var_28], 2000000h
		call	dword ptr [esi+8]
		mov	ecx, [ebp+var_30]
		test	ecx, ecx
		jz	short loc_72B870
		push	2000000h
		call	KiValidateTriageDumpDataArray
		test	al, al
		jz	short loc_72B870
		mov	ecx, [esi+0Ch]
		lea	edx, [ebp+var_4]
		call	_KiValidateComponentName@8 ; KiValidateComponentName(x,x)
		test	al, al
		jz	short loc_72B870
		mov	eax, [ebp+var_30]
		cmp	dword ptr [eax+8], 0
		jbe	short loc_72B870
		mov	eax, [ebp+var_4]
		mov	edx, [esi+0Ch]
		inc	eax
		mov	ecx, [ebp+var_8]
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		mov	eax, [ebp+var_30]
		xor	edi, edi
		cmp	[eax+8], edi
		jbe	short loc_72B870
		mov	ebx, [ebp+var_8]

loc_72B844:				; CODE XREF: IopShutdownBaseFileSystems(x)+1E8j
		mov	edx, [eax+edi*8+20h]
		test	edx, edx
		jz	short loc_72B85F
		mov	ecx, [eax+edi*8+24h]
		test	ecx, ecx
		jz	short loc_72B85F
		push	ecx
		mov	ecx, ebx
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		mov	eax, [ebp+var_30]

loc_72B85F:				; CODE XREF: IopShutdownBaseFileSystems(x)+1CFj
					; IopShutdownBaseFileSystems(x)+1D7j
		inc	edi
		cmp	edi, [eax+8]
		jb	short loc_72B844
		mov	ebx, [ebp+var_10]
		jmp	short loc_72B870
; 

loc_72B86A:				; CODE XREF: IopShutdownBaseFileSystems(x)+145j
		cmp	[ebp+var_C], 0
		jz	short loc_72B87E

loc_72B870:				; CODE XREF: IopShutdownBaseFileSystems(x)+184j
					; IopShutdownBaseFileSystems(x)+192j ...
		mov	esi, [esi]
		cmp	esi, offset _KeBugCheckReasonCallbackListHead
		jnz	loc_72B7B0

loc_72B87E:				; CODE XREF: IopShutdownBaseFileSystems(x)+113j
					; IopShutdownBaseFileSystems(x)+11Fj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopShutdownBaseFileSystems@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpBufferDumpData(x, x)
_IopLiveDumpBufferDumpData@8 proc near	; CODE XREF: IopLiveDumpProcessCorralStateChange(x,x)+DEp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	ecx, [ecx]
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [edx]
		lea	ebx, [ecx+1C0h]
		mov	[ebp+var_1C], ebx
		cmp	edi, [ecx+200h]
		jnb	loc_72B9AF
		cmp	edi, [ecx+29Ch]
		jnb	loc_72B9AF
		mov	eax, [ecx+2A0h]
		mov	eax, [eax+edi*4]
		mov	[ebp+var_14], eax
		mov	eax, [ecx+204h]
		mov	[ebp+var_4], eax
		mov	eax, [eax+edi*8+4]
		add	eax, 1Ch
		mov	[ebp+var_18], eax
		lea	eax, [ecx+178h]
		mov	[ebp+var_20], eax
		jmp	short loc_72B8E8
; 

loc_72B8E5:				; CODE XREF: IopLiveDumpBufferDumpData(x,x)+9Aj
					; IopLiveDumpBufferDumpData(x,x)+127j
		mov	ebx, [ebp+var_1C]

loc_72B8E8:				; CODE XREF: IopLiveDumpBufferDumpData(x,x)+60j
		lea	ecx, [ebp+var_10]
		mov	edx, ebx
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	ecx
		push	[ebp+var_14]
		mov	ecx, eax
		call	_IopLiveDumpGetCapturePages@24 ; IopLiveDumpGetCapturePages(x,x,x,x,x,x)
		mov	esi, [ebp+var_C]
		test	esi, esi
		jz	loc_72B9AF
		mov	ecx, [ebx+24h]
		xor	edx, edx
		mov	eax, [ebp+var_10]
		xor	ebx, ebx
		mov	eax, [ecx+eax*4]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_20]
		test	esi, esi
		jz	short loc_72B8E5
		mov	ecx, [ebp+var_18]

loc_72B922:				; CODE XREF: IopLiveDumpBufferDumpData(x,x)+11Ej
		mov	eax, [ebp+var_14]
		mov	eax, [eax+ebx*4]
		mov	[ecx+edx*4], eax
		inc	edx
		cmp	edx, 10h
		jz	short loc_72B93C
		test	edx, edx
		jz	short loc_72B99E
		lea	eax, [esi-1]
		cmp	ebx, eax
		jnz	short loc_72B99E

loc_72B93C:				; CODE XREF: IopLiveDumpBufferDumpData(x,x)+ACj
		mov	ecx, [ebp+var_4]
		mov	esi, edx
		shl	esi, 0Ch
		mov	eax, esi
		shr	eax, 0Ch
		mov	ecx, [ecx+edi*8+4]
		lea	eax, ds:1Ch[eax*4]
		and	dword ptr [ecx], 0
		mov	[ecx+4], ax
		xor	eax, eax
		push	eax
		mov	[ecx+6], ax
		mov	[ecx+10h], eax
		mov	[ecx+18h], eax
		mov	eax, [ebp+var_4]
		mov	[ecx+14h], esi
		push	dword ptr [eax+edi*8+4]
		push	edx
		push	dword ptr [eax+edi*8]
		call	_MmMapMemoryDumpMdlEx@16 ; MmMapMemoryDumpMdlEx(x,x,x,x)
		mov	eax, esi
		shr	eax, 2
		push	eax
		mov	eax, [ebp+var_4]
		push	[ebp+var_8]
		mov	eax, [eax+edi*8+4]
		push	dword ptr [eax+0Ch]
		call	_READ_REGISTER_BUFFER_ULONG@12 ; READ_REGISTER_BUFFER_ULONG(x,x,x)
		add	[ebp+var_8], esi
		xor	edx, edx
		mov	esi, [ebp+var_C]
		mov	ecx, [ebp+var_18]

loc_72B99E:				; CODE XREF: IopLiveDumpBufferDumpData(x,x)+B0j
					; IopLiveDumpBufferDumpData(x,x)+B7j
		inc	ebx
		cmp	ebx, esi
		jb	loc_72B922
		mov	eax, [ebp+var_20]
		jmp	loc_72B8E5
; 

loc_72B9AF:				; CODE XREF: IopLiveDumpBufferDumpData(x,x)+26j
					; IopLiveDumpBufferDumpData(x,x)+32j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopLiveDumpBufferDumpData@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpCallRemovePagesCallbacks(x)
_IopLiveDumpCallRemovePagesCallbacks@4 proc near
					; CODE XREF: IopLiveDumpEstimateMemoryPages(x)+45p

var_90		= dword	ptr -90h
var_88		= dword	ptr -88h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
ms_exc		= CPPEH_RECORD ptr -18h

		push	80h
		push	offset dword_6A8230
		call	__SEH_prolog4_GS
		mov	[ebp+var_4C], ecx
		xor	eax, eax
		lea	edi, [ebp+var_68]
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	ebx, ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_90]
		rep stosd
		xor	edi, edi
		inc	edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], offset ??_C@_00CNPNBAHC@@OKHAJAOM@
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		mov	[ebp+var_36], al
		test	al, al
		jz	short loc_72BA17
		push	ebx
		push	ebx
		push	ebx
		push	offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_REMOVEPAGES_CALLBACKS_START
		push	ds:dword_6FD4A4
		push	ds:_IopLiveDumpEtwRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_72BA17:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+48j
		mov	esi, ds:_KeBugCheckAddRemovePagesCallbackListHead
		mov	[ebp+var_50], offset _KeBugCheckAddRemovePagesCallbackListHead

loc_72BA24:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+270j
		mov	[ebp+var_54], esi
		cmp	esi, offset _KeBugCheckAddRemovePagesCallbackListHead
		jz	loc_72BC29
		mov	[ebp+var_74], esi
		lea	eax, [ebp+var_50]
		push	eax
		push	6
		pop	edx
		mov	ecx, esi
		call	_KeValidateBugCheckCallbackRecord@12 ; KeValidateBugCheckCallbackRecord(x,x,x)
		test	al, al
		jz	loc_72BC1C
		cmp	[ebp+var_36], 0
		jz	short loc_72BAC0
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_72BA89
		push	eax
		call	_MmIsAddressValid@4 ; MmIsAddressValid(x)
		test	al, al
		jz	short loc_72BA89
		mov	eax, [esi+0Ch]
		mov	[ebp+var_48], eax
		lea	ecx, [ebp+var_40]
		push	ecx
		mov	edx, 101h
		mov	ecx, eax
		call	_RtlStringCbLengthA@12 ; RtlStringCbLengthA(x,x,x)
		test	eax, eax
		js	short loc_72BA89
		mov	eax, [ebp+var_48]
		mov	[ebp+var_3C], eax
		mov	ecx, [ebp+var_40]
		inc	ecx
		jmp	short loc_72BA92
; 

loc_72BA89:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+A3j
					; IopLiveDumpCallRemovePagesCallbacks(x)+ADj ...
		mov	ecx, edi
		mov	[ebp+var_3C], offset ??_C@_00CNPNBAHC@@OKHAJAOM@

loc_72BA92:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+D3j
		mov	[ebp+var_40], ecx
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ebx
		lea	eax, [ebp+var_34]
		push	eax
		push	edi
		push	ebx
		push	offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_REMOVEPAGES_CALLBACK_START
		push	ds:dword_6FD4A4
		push	ds:_IopLiveDumpEtwRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_72BAC0:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+9Cj
		mov	[ebp+var_68], ebx
		mov	eax, [ebp+var_4C]
		mov	eax, [eax]
		mov	[ebp+var_60], eax
		mov	[ebp+var_44], ebx

loc_72BACE:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+21Cj
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_35], bl
		mov	[ebp+ms_exc.disabled], ebx
		push	14h
		lea	eax, [ebp+var_68]
		push	eax
		mov	eax, [ebp+var_74]
		push	eax
		push	6
		call	dword ptr [eax+8]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_44]
		jmp	short loc_72BB1E
; 

loc_72BAF8:				; DATA XREF: .text:006A8244o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_78], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_72BB06:				; DATA XREF: .text:006A8248o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_78]
		mov	[ebp+var_44], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		xor	edi, edi
		inc	edi
		mov	esi, [ebp+var_54]

loc_72BB1E:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+142j
		test	eax, eax
		js	loc_72BBCC
		mov	ecx, [ebp+var_58]
		test	ecx, ecx
		jz	loc_72BBCC
		mov	edx, [ebp+var_64]
		test	edx, 80000003h
		jz	loc_72BBCC
		test	ecx, ecx
		jz	loc_72BBCC
		mov	eax, edx
		and	eax, 80000000h
		jz	short loc_72BB5A
		and	edx, 7FFFFFFFh
		mov	[ebp+var_64], edx

loc_72BB5A:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+19Bj
		test	eax, eax
		setnz	[ebp+var_35]
		lea	eax, [edx-1]
		test	eax, edx
		jnz	short loc_72BBAB
		and	edx, edi
		mov	eax, [ebp+var_5C]
		jnz	short loc_72BB71
		shr	eax, 0Ch

loc_72BB71:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+1B8j
		mov	[ebp+var_48], eax
		mov	ecx, [ebp+var_4C]
		mov	eax, [ecx+188h]
		mov	[ebp+var_70], eax
		mov	eax, [ecx+18Ch]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_88], eax
		xor	edx, edi
		add	edx, edx
		push	edx
		push	[ebp+var_58]
		push	[ebp+var_48]
		lea	eax, [ebp+var_90]
		push	eax
		call	_IoFreeDumpRange@16 ; IoFreeDumpRange(x,x,x,x)
		jmp	short loc_72BBB0
; 

loc_72BBAB:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+1B1j
		mov	eax, 0C000000Dh

loc_72BBB0:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+1F5j
		mov	cl, [ebp+var_35]
		mov	[ebp+var_35], cl
		test	eax, eax
		jns	short loc_72BBC9
		mov	[ebp+var_35], bl
		push	eax
		mov	edx, [ebp+var_40]
		mov	ecx, [ebp+var_3C]
		call	_IopLiveDumpTraceRemovePagesCallbackFailure@12 ; IopLiveDumpTraceRemovePagesCallbackFailure(x,x,x)

loc_72BBC9:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+204j
		mov	eax, [ebp+var_44]

loc_72BBCC:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+16Cj
					; IopLiveDumpCallRemovePagesCallbacks(x)+177j ...
		cmp	[ebp+var_35], 0
		jnz	loc_72BACE
		test	eax, eax
		jns	short loc_72BBE6
		push	eax
		mov	edx, [ebp+var_40]
		mov	ecx, [ebp+var_3C]
		call	_IopLiveDumpTraceRemovePagesCallbackFailure@12 ; IopLiveDumpTraceRemovePagesCallbackFailure(x,x,x)

loc_72BBE6:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+224j
		cmp	[ebp+var_36], 0
		jz	short loc_72BC22
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], ebx
		mov	eax, [ebp+var_40]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], ebx
		lea	eax, [ebp+var_34]
		push	eax
		push	edi
		push	ebx
		push	offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_REMOVEPAGES_CALLBACK_END
		push	ds:dword_6FD4A4
		push	ds:_IopLiveDumpEtwRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	short loc_72BC22
; 

loc_72BC1C:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+92j
		cmp	[ebp+var_50], 0
		jz	short loc_72BC29

loc_72BC22:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+236j
					; IopLiveDumpCallRemovePagesCallbacks(x)+266j
		mov	esi, [esi]
		jmp	loc_72BA24
; 

loc_72BC29:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+79j
					; IopLiveDumpCallRemovePagesCallbacks(x)+26Cj
		cmp	[ebp+var_36], 0
		jz	short loc_72BC48
		push	ebx
		push	ebx
		push	ebx
		push	offset _LIVEDUMP_EVENT_SIZING_WORKFLOW_REMOVEPAGES_CALLBACKS_END
		push	ds:dword_6FD4A4
		push	ds:_IopLiveDumpEtwRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_72BC48:				; CODE XREF: IopLiveDumpCallRemovePagesCallbacks(x)+279j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopLiveDumpCallRemovePagesCallbacks@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpCaptureMemoryPages(x)
_IopLiveDumpCaptureMemoryPages@4 proc near
					; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+363p

var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ECh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_B0], 0
		and	[ebp+var_AC], 0
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	KeQueryInterruptTime
		mov	cl, [esi+14h]
		lea	ebx, [esi+0B8h]
		mov	[ebp+var_9C], eax
		and	cl, 4
		movzx	eax, cl
		neg	eax
		mov	[ebp+var_A4], edx
		mov	ds:_SaveSupervisorState, 1
		sbb	eax, eax
		mov	[ebp+var_BC], offset _IopLiveDumpStartMirroringCallback@0 ; IopLiveDumpStartMirroringCallback()
		and	eax, 40h
		mov	[ebp+var_B8], offset _IopLiveDumpEndMirroringCallback@4	; IopLiveDumpEndMirroringCallback(x)
		add	eax, 251h
		mov	[ebp+var_B4], offset _IopLiveDumpMirrorPhysicalMemoryCallback@16 ; IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)
		test	byte ptr [esi+30h], 20h
		mov	[ebp+var_AC], eax
		jz	short loc_72BCE8
		or	eax, 100h
		mov	[ebp+var_AC], eax

loc_72BCE8:				; CODE XREF: IopLiveDumpCaptureMemoryPages(x)+83j
		lea	ecx, [ebp+var_BC]
		call	_MmDuplicateMemory@4 ; MmDuplicateMemory(x)
		test	byte ptr [esi+30h], 80h
		mov	edi, eax
		jz	short loc_72BD38
		mov	eax, [esi+154h]
		mov	ecx, 3E8h
		push	ds:dword_6CCB7C
		mul	ecx
		push	ds:_PerformanceFrequency
		mov	ecx, eax
		mov	edx, 3E8h
		mov	eax, [esi+150h]
		mul	edx
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	[esi+158h], eax
		mov	[esi+15Ch], edx

loc_72BD38:				; CODE XREF: IopLiveDumpCaptureMemoryPages(x)+A1j
		test	edi, edi
		js	short loc_72BD79
		cmp	edi, 102h
		jz	short loc_72BD79
		call	KeQueryInterruptTime
		sub	eax, [ebp+var_9C]
		sbb	edx, [ebp+var_A4]
		xor	ebx, ebx
		push	ebx
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, esi
		mov	[esi+138h], eax
		mov	[esi+13Ch], edx
		call	_IopLiveDumpTraceCaptureMemoryPages@4 ;	IopLiveDumpTraceCaptureMemoryPages(x)
		jmp	short loc_72BDA4
; 

loc_72BD79:				; CODE XREF: IopLiveDumpCaptureMemoryPages(x)+E2j
					; IopLiveDumpCaptureMemoryPages(x)+EAj
		test	byte ptr [ebx+4], 1
		jz	short loc_72BD88
		mov	dl, 1
		mov	ecx, ebx
		call	_IopLiveDumpUncorralProcessors@8 ; IopLiveDumpUncorralProcessors(x,x)

loc_72BD88:				; CODE XREF: IopLiveDumpCaptureMemoryPages(x)+125j
		mov	edx, edi
		mov	ecx, esi
		call	_IopLiveDumpTraceMmDuplicateMemoryFailure@8 ; IopLiveDumpTraceMmDuplicateMemoryFailure(x,x)
		cmp	edi, 102h
		jnz	short loc_72BDA2
		or	dword ptr [esi+30h], 40h
		mov	edi, 0C0000476h

loc_72BDA2:				; CODE XREF: IopLiveDumpCaptureMemoryPages(x)+13Fj
		xor	ebx, ebx

loc_72BDA4:				; CODE XREF: IopLiveDumpCaptureMemoryPages(x)+11Fj
		cmp	ds:dword_6B2CE0, 5
		mov	ds:_SaveSupervisorState, bl
		jbe	loc_72BF1E
		push	2000h
		push	ebx
		mov	ecx, offset dword_6B2CE0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_72BF1E
		mov	eax, [esi+138h]
		mov	[ebp+var_A8], eax
		mov	eax, [esi+13Ch]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_78], eax
		mov	eax, [esi+140h]
		mov	[ebp+var_A0], eax
		mov	eax, [esi+144h]
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_68], eax
		mov	eax, [esi+148h]
		mov	[ebp+var_C8], eax
		mov	eax, [esi+14Ch]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_58], eax
		mov	eax, [esi+158h]
		mov	[ebp+var_D0], eax
		mov	eax, [esi+15Ch]
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_48], eax
		mov	eax, [esi+160h]
		mov	[ebp+var_D8], eax
		mov	eax, [esi+164h]
		mov	[ebp+var_D4], eax
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_38], eax
		mov	eax, [esi+168h]
		mov	[ebp+var_E0], eax
		mov	eax, [esi+16Ch]
		mov	[ebp+var_DC], eax
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_28], eax
		mov	eax, [esi+170h]
		mov	[ebp+var_E8], eax
		mov	eax, [esi+174h]
		push	8
		pop	ecx
		mov	[ebp+var_E4], eax
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_98]
		push	eax
		push	9
		lea	eax, [esi+220h]
		mov	[ebp+var_74], ebx
		push	eax
		lea	eax, [esi+230h]
		mov	[ebp+var_70], ecx
		push	eax
		push	offset loc_41BD4B
		push	offset dword_6B2CE0
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_72BF1E:				; CODE XREF: IopLiveDumpCaptureMemoryPages(x)+159j
					; IopLiveDumpCaptureMemoryPages(x)+171j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopLiveDumpCaptureMemoryPages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpCorralDpc(x, x, x, x)
_IopLiveDumpCorralDpc@16 proc near	; DATA XREF: IopLiveDumpCorralProcessors(x)+A7o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:20h
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	esi
		mov	esi, large fs:20h
		mov	eax, [eax+3CCh]
		mov	[ebp+var_C], eax
		push	dword ptr [esi+4168h]
		call	_RtlCaptureContext@4 ; RtlCaptureContext(x)
		lea	eax, [esi+18h]
		push	eax
		call	_KiSaveProcessorControlState@4 ; KiSaveProcessorControlState(x)
		pop	esi

loc_72BF6B:				; CODE XREF: IopLiveDumpCorralDpc(x,x,x,x)+4Bj
		mov	ecx, [ebp+arg_4]
		lea	edx, [ebp+var_C]
		call	_IopLiveDumpProcessCorralStateChange@8 ; IopLiveDumpProcessCorralStateChange(x,x)
		cmp	[ebp+var_8], 0FFFFFFFFh
		jnz	short loc_72BF6B
		leave
		retn	10h
_IopLiveDumpCorralDpc@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpCorralProcessors(x)
_IopLiveDumpCorralProcessors@4 proc near
					; CODE XREF: IopLiveDumpEndMirroringCallback(x)+2B9p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= word ptr -3Ch
var_3A		= word ptr -3Ah
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		push	ebx
		xor	ebx, ebx
		xor	eax, eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_3A], ax
		push	edi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_10], ebx
		mov	eax, [esi]
		lea	edi, [esi+44h]
		mov	[esi+4], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		mov	[esi+8], ebx
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[esi+0Ch], ebx
		mov	[esi+10h], ebx
		stosd
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_18], ebx
		stosd
		stosd
		call	_IopLiveDumpLockPages@0	; IopLiveDumpLockPages()
		lea	eax, [esi+38h]
		mov	[ebp+var_4C], ebx
		push	eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_48], ebx
		push	eax
		mov	[ebp+var_50], 1
		call	KeSetSystemGroupAffinityThread
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		mov	[esi+48h], ebx
		mov	[esi+44h], ebx
		mov	dword ptr [esi+8], 1
		call	_IopLiveDumpTraceSystemQuiesceStart@4 ;	IopLiveDumpTraceSystemQuiesceStart(x)
		test	byte ptr [edi+30h], 80h
		jz	short loc_72C018
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], edx

loc_72C018:				; CODE XREF: IopLiveDumpCorralProcessors(x)+89j
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		push	esi
		mov	[esi+34h], al
		lea	eax, [esi+14h]
		push	offset _IopLiveDumpCorralDpc@16	; IopLiveDumpCorralDpc(x,x,x,x)
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		xor	eax, eax
		mov	byte ptr [esi+15h], 2
		mov	[ebp+var_3C], ax
		lea	edi, [esi+0Ch]
		mov	eax, ds:dword_70E328
		mov	[ebp+var_40], eax
		mov	[ebp+var_44], offset _KeActiveProcessors

loc_72C04E:				; CODE XREF: IopLiveDumpCorralProcessors(x)+EAj
					; IopLiveDumpCorralProcessors(x)+115j ...
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_72C0AD
		mov	eax, [ebp+var_8]
		cmp	eax, [esi+44h]
		jnz	short loc_72C06C
		lock inc dword ptr [edi]
		jmp	short loc_72C04E
; 

loc_72C06C:				; CODE XREF: IopLiveDumpCorralProcessors(x)+E5j
		mov	eax, [edi]
		lea	ecx, [esi+14h]
		mov	[ebp+var_C], eax
		mov	eax, [ecx+1Ch]
		test	eax, eax
		jnz	short loc_72C085
		mov	eax, [ebp+var_8]
		add	eax, 20h
		mov	[ecx+2], ax

loc_72C085:				; CODE XREF: IopLiveDumpCorralProcessors(x)+F9j
		push	ebx
		push	ebx
		push	ecx
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		mov	eax, [edi]
		mov	[ebp+var_10], ebx
		cmp	[ebp+var_C], eax
		jnz	short loc_72C04E
		mov	esi, [ebp+var_C]

loc_72C09A:				; CODE XREF: IopLiveDumpCorralProcessors(x)+126j
		lea	ecx, [ebp+var_10]
		call	KeYieldProcessorEx
		mov	eax, [edi]
		cmp	esi, eax
		jz	short loc_72C09A
		mov	esi, [ebp+var_1C]
		jmp	short loc_72C04E
; 

loc_72C0AD:				; CODE XREF: IopLiveDumpCorralProcessors(x)+DDj
		mov	eax, [edi]
		mov	[esi+10h], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+30h]
		test	al, al
		jns	short loc_72C0D5
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		mov	ebx, eax
		mov	edi, edx
		mov	eax, [ebp+var_4]
		sub	ebx, [ebp+var_14]
		sbb	edi, [ebp+var_18]
		mov	eax, [eax+30h]
		jmp	short loc_72C0D7
; 

loc_72C0D5:				; CODE XREF: IopLiveDumpCorralProcessors(x)+13Aj
		mov	edi, ebx

loc_72C0D7:				; CODE XREF: IopLiveDumpCorralProcessors(x)+153j
		test	eax, 100h
		jnz	short loc_72C0EC
		lea	eax, [ebp+var_38]
		mov	ecx, esi
		push	eax
		push	2
		pop	edx
		call	_IopLiveDumpInitiateCorralStateChange@12 ; IopLiveDumpInitiateCorralStateChange(x,x,x)

loc_72C0EC:				; CODE XREF: IopLiveDumpCorralProcessors(x)+15Cj
		lea	eax, [ebp+var_30]
		mov	ds:_PoAllProcIntrDisabled, 1
		push	eax
		push	7
		pop	edx
		mov	ecx, esi
		call	_IopLiveDumpInitiateCorralStateChange@12 ; IopLiveDumpInitiateCorralStateChange(x,x,x)
		lea	eax, [ebp+var_28]
		mov	ecx, esi
		push	eax
		push	3
		pop	edx
		call	_IopLiveDumpInitiateCorralStateChange@12 ; IopLiveDumpInitiateCorralStateChange(x,x,x)
		mov	eax, [ebp+var_4]
		or	dword ptr [esi+4], 1
		test	byte ptr [eax+30h], 80h
		jz	short loc_72C137
		push	[ebp+var_24]
		mov	ecx, [esi]
		push	[ebp+var_28]
		push	[ebp+var_2C]
		push	[ebp+var_30]
		push	[ebp+var_34]
		push	[ebp+var_38]
		push	edi
		push	ebx
		call	_IopLiveDumpTraceCorralProcessorsDuration@36 ; IopLiveDumpTraceCorralProcessorsDuration(x,x,x,x,x,x,x,x,x)

loc_72C137:				; CODE XREF: IopLiveDumpCorralProcessors(x)+19Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopLiveDumpCorralProcessors@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpEndMirroringCallback(x)
_IopLiveDumpEndMirroringCallback@4 proc	near
					; DATA XREF: IopLiveDumpCaptureMemoryPages(x)+60o
					; IopLiveDumpEstimateMemoryPages(x)+5Eo

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	[esp+14h+var_4], ecx
		mov	[esp+14h+var_10], ecx
		mov	[esp+14h+var_C], ecx
		push	ebx
		mov	ebx, ds:_IopLiveDumpContext
		push	esi
		push	edi
		sub	eax, ecx
		jz	loc_72C3E0
		sub	eax, 1
		jz	short loc_72C178
		mov	esi, 0C00000E5h
		jmp	loc_72C412
; 

loc_72C178:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+30j
		mov	ecx, ebx
		call	_IopLiveDumpTraceMirroringPhase1End@4 ;	IopLiveDumpTraceMirroringPhase1End(x)
		mov	edx, [ebx+30h]
		test	dl, dl
		jns	short loc_72C1D9
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		mov	edi, edx
		mov	esi, eax
		mov	edx, [ebx+30h]
		mov	[esp+20h+var_10], esi
		mov	[esp+20h+var_C], edi
		test	dl, 1
		jz	short loc_72C1BD
		sub	esi, ds:dword_6FDF90
		mov	ecx, edi
		mov	[ebx+118h], esi
		sbb	ecx, ds:dword_6FDF94
		mov	[ebx+11Ch], ecx
		jmp	short loc_72C1D9
; 

loc_72C1BD:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+63j
		mov	ecx, esi
		mov	eax, edi
		sub	ecx, ds:dword_6FDF90
		mov	[ebx+148h], ecx
		sbb	eax, ds:dword_6FDF94
		mov	[ebx+14Ch], eax

loc_72C1D9:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+48j
					; IopLiveDumpEndMirroringCallback(x)+7Fj
		mov	esi, large fs:20h
		push	dword ptr [esi+4168h]
		test	dl, 1
		jz	short loc_72C1FB
		call	_RtlCaptureContext@4 ; RtlCaptureContext(x)
		lea	eax, [esi+18h]
		push	eax
		call	_KiSaveProcessorControlState@4 ; KiSaveProcessorControlState(x)
		jmp	short loc_72C268
; 

loc_72C1FB:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+ADj
		mov	edi, [ebx+180h]
		call	_RtlCaptureContext@4 ; RtlCaptureContext(x)
		lea	eax, [esi+18h]
		push	eax
		call	_KiSaveProcessorControlState@4 ; KiSaveProcessorControlState(x)
		add	edi, 320h
		jz	short loc_72C235
		push	4B0h		; size_t
		xor	eax, eax
		push	eax		; int
		push	edi		; void *
		call	_memset
		mov	esi, [esi+4168h]
		mov	ecx, 0B3h
		add	esp, 0Ch
		rep movsd

loc_72C235:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+D9j
		cmp	ds:_SaveSupervisorState, 0
		jz	short loc_72C268
		mov	ecx, large fs:20h
		mov	eax, ds:0FFDF05F0h
		push	dword ptr ds:0FFDF05F4h
		or	eax, 100h
		mov	ecx, [ecx+47B8h]
		push	eax
		call	_KeSaveSupervisorState@12 ; KeSaveSupervisorState(x,x,x)
		mov	byte ptr [ebx+105h], 1

loc_72C268:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+BDj
					; IopLiveDumpEndMirroringCallback(x)+100j
		mov	ecx, [ebx+30h]
		test	cl, cl
		jns	short loc_72C28A
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		sub	eax, [esp+24h+var_14]
		mov	ecx, ebx
		sbb	edx, [esp+24h+var_10]
		push	edx
		push	eax
		call	_IopLiveDumpTraceCaptureProcessorContextDuration@12 ; IopLiveDumpTraceCaptureProcessorContextDuration(x,x,x)
		mov	ecx, [ebx+30h]

loc_72C28A:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+131j
		and	cl, 1
		lea	eax, [ebx+1C4h]
		movzx	edi, cl
		mov	ecx, ebx
		neg	edi
		sbb	edi, edi
		not	edi
		and	edi, eax
		mov	edx, edi
		call	_IopLiveDumpMarkRequiredDumpData@8 ; IopLiveDumpMarkRequiredDumpData(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_72C38C
		test	byte ptr [ebx+30h], 1
		jz	short loc_72C334
		lea	eax, [ebx+178h]
		push	eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	ecx, [ebx+30h]
		mov	esi, eax
		mov	[ebx+3Ch], esi
		test	ecx, 200h
		jz	short loc_72C334
		mov	eax, [ebx+2B4h]
		mov	edx, [ebx+2B0h]
		mov	[esp+24h+var_C], eax
		mov	eax, edx
		and	eax, 0FFFh
		or	eax, 0
		jz	short loc_72C2FB
		mov	[esp+24h+var_10], 1
		xor	eax, eax
		jmp	short loc_72C301
; 

loc_72C2FB:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+1B1j
		xor	eax, eax
		mov	[esp+24h+var_10], eax

loc_72C301:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+1BDj
		mov	[esp+24h+var_14], eax
		mov	eax, [esp+24h+var_C]
		shrd	edx, eax, 0Ch
		shr	eax, 0Ch
		add	edx, [esp+24h+var_10]
		adc	eax, [esp+24h+var_14]
		cmp	[esp+24h+var_8], eax
		jb	short loc_72C334
		ja	short loc_72C324
		cmp	esi, edx
		jbe	short loc_72C334

loc_72C324:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+1E2j
		or	ecx, 400h
		mov	esi, 0C000009Ah
		mov	[ebx+30h], ecx
		jmp	short loc_72C38C
; 

loc_72C334:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+179j
					; IopLiveDumpEndMirroringCallback(x)+195j ...
		mov	edx, edi
		mov	ecx, ebx
		call	_IopLiveDumpMarkImportantDumpData@8 ; IopLiveDumpMarkImportantDumpData(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_72C38C
		test	byte ptr [ebx+30h], 1
		jz	short loc_72C352
		mov	ecx, ebx
		call	_IopLiveDumpPopulateBitmapForDump@4 ; IopLiveDumpPopulateBitmapForDump(x)
		jmp	short loc_72C388
; 

loc_72C352:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+20Bj
		mov	eax, large fs:124h
		mov	ecx, [ebx+180h]
		push	eax
		push	dword ptr [ebx+10h]
		push	dword ptr [ebx+0Ch]
		push	dword ptr [ebx+8]
		push	dword ptr [ebx+4]
		push	dword ptr [ebx]
		push	6
		pop	edx
		call	_IoFillDumpHeader@32 ; IoFillDumpHeader(x,x,x,x,x,x,x,x)
		call	_IopLiveDumpGenerateIptSecondaryData@0 ; IopLiveDumpGenerateIptSecondaryData()
		mov	ecx, ebx
		call	_IopLiveDumpPopulateBitmapForDump@4 ; IopLiveDumpPopulateBitmapForDump(x)
		mov	ecx, ebx
		call	_IopLiveDumpStartDumpDataBuffering@4 ; IopLiveDumpStartDumpDataBuffering(x)

loc_72C388:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+214j
		xor	eax, eax
		mov	esi, eax

loc_72C38C:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+16Fj
					; IopLiveDumpEndMirroringCallback(x)+1F6j ...
		lea	ecx, [ebx+0B8h]
		xor	dl, dl
		call	_IopLiveDumpUncorralProcessors@8 ; IopLiveDumpUncorralProcessors(x,x)
		test	byte ptr [ebx+30h], 80h
		jz	short loc_72C412
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		test	byte ptr [ebx+30h], 1
		jz	short loc_72C3C6
		sub	eax, ds:dword_6FDF90
		mov	[ebx+110h], eax
		sbb	edx, ds:dword_6FDF94
		mov	[ebx+114h], edx
		jmp	short loc_72C412
; 

loc_72C3C6:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+26Ej
		sub	eax, ds:dword_6FDF90
		mov	[ebx+140h], eax
		sbb	edx, ds:dword_6FDF94
		mov	[ebx+144h], edx
		jmp	short loc_72C412
; 

loc_72C3E0:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+27j
		mov	ecx, ebx
		call	_IopLiveDumpTraceMirroringPhase0End@4 ;	IopLiveDumpTraceMirroringPhase0End(x)
		xor	esi, esi
		lea	ecx, [ebx+0B8h]
		mov	[ebx+78h], esi
		mov	[ebx+7Ch], esi
		call	_IopLiveDumpCorralProcessors@4 ; IopLiveDumpCorralProcessors(x)
		test	byte ptr [ebx+30h], 80h
		jz	short loc_72C412
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		mov	ds:dword_6FDF90, eax
		mov	ds:dword_6FDF94, edx

loc_72C412:				; CODE XREF: IopLiveDumpEndMirroringCallback(x)+37j
					; IopLiveDumpEndMirroringCallback(x)+261j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_IopLiveDumpEndMirroringCallback@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpEstimateMemoryPages(x)
_IopLiveDumpEstimateMemoryPages@4 proc near
					; CODE XREF: IopLiveDumpAllocAndInitResources(x)+2F9p

var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D4h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_A0], 0
		and	[ebp+var_9C], 0
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	KeQueryInterruptTime
		or	dword ptr [esi+30h], 1
		lea	ebx, [esi+0B8h]
		mov	ecx, esi
		mov	[ebp+var_8C], eax
		mov	[ebp+var_94], edx
		call	_IopLiveDumpCallRemovePagesCallbacks@4 ; IopLiveDumpCallRemovePagesCallbacks(x)
		mov	al, [esi+14h]
		and	al, 4
		mov	[ebp+var_AC], offset _IopLiveDumpStartMirroringCallback@0 ; IopLiveDumpStartMirroringCallback()
		movzx	eax, al
		neg	eax
		mov	[ebp+var_A8], offset _IopLiveDumpEndMirroringCallback@4	; IopLiveDumpEndMirroringCallback(x)
		mov	[ebp+var_A4], offset _IopLiveDumpMirrorPhysicalMemoryCallback@16 ; IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)
		sbb	eax, eax
		and	eax, 40h
		add	eax, 251h
		test	byte ptr [esi+30h], 20h
		mov	[ebp+var_9C], eax
		jz	short loc_72C4B0
		or	eax, 100h
		mov	[ebp+var_9C], eax

loc_72C4B0:				; CODE XREF: IopLiveDumpEstimateMemoryPages(x)+86j
		lea	ecx, [ebp+var_AC]
		call	_MmDuplicateMemory@4 ; MmDuplicateMemory(x)
		test	byte ptr [esi+30h], 80h
		mov	edi, eax
		jz	short loc_72C500
		mov	eax, [esi+124h]
		mov	ecx, 3E8h
		push	ds:dword_6CCB7C
		mul	ecx
		push	ds:_PerformanceFrequency
		mov	ecx, eax
		mov	edx, 3E8h
		mov	eax, [esi+120h]
		mul	edx
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	[esi+128h], eax
		mov	[esi+12Ch], edx

loc_72C500:				; CODE XREF: IopLiveDumpEstimateMemoryPages(x)+A4j
		test	edi, edi
		js	short loc_72C52F
		cmp	edi, 102h
		jz	short loc_72C52F
		lea	eax, [esi+178h]
		push	eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	ecx, eax
		shr	ecx, 4
		add	ecx, eax
		xor	ebx, ebx
		mov	[esi+38h], ecx
		mov	[esi+48h], ebx
		mov	[esi+4Ch], ebx
		mov	[esi+50h], ebx
		jmp	short loc_72C566
; 

loc_72C52F:				; CODE XREF: IopLiveDumpEstimateMemoryPages(x)+E5j
					; IopLiveDumpEstimateMemoryPages(x)+EDj
		test	byte ptr [ebx+4], 1
		jz	short loc_72C53E
		mov	dl, 1
		mov	ecx, ebx
		call	_IopLiveDumpUncorralProcessors@8 ; IopLiveDumpUncorralProcessors(x,x)

loc_72C53E:				; CODE XREF: IopLiveDumpEstimateMemoryPages(x)+116j
		xor	ebx, ebx
		mov	edx, edi
		mov	ecx, esi
		mov	[esi+38h], ebx
		mov	[esi+48h], ebx
		mov	[esi+4Ch], ebx
		mov	[esi+50h], ebx
		call	_IopLiveDumpTraceMmDuplicateMemoryFailure@8 ; IopLiveDumpTraceMmDuplicateMemoryFailure(x,x)
		cmp	edi, 102h
		jnz	short loc_72C566
		or	dword ptr [esi+30h], 40h
		mov	edi, 0C0000476h

loc_72C566:				; CODE XREF: IopLiveDumpEstimateMemoryPages(x)+110j
					; IopLiveDumpEstimateMemoryPages(x)+13Ej
		call	KeQueryInterruptTime
		sub	eax, [ebp+var_8C]
		push	ebx
		sbb	edx, [ebp+var_94]
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, esi
		mov	[esi+108h], eax
		mov	[esi+10Ch], edx
		call	_IopLiveDumpTraceBufferEstimation@4 ; IopLiveDumpTraceBufferEstimation(x)
		lea	eax, [esi+178h]
		push	eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		lea	eax, [esi+194h]
		push	eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		lea	eax, [esi+1B0h]
		push	eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		and	dword ptr [esi+30h], 0FFFFFFFEh
		cmp	ds:dword_6B2CE0, 5
		jbe	loc_72C708
		push	2000h
		push	ebx
		mov	ecx, offset dword_6B2CE0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_72C708
		mov	eax, [esi+108h]
		mov	[ebp+var_98], eax
		mov	eax, [esi+10Ch]
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_68], eax
		mov	eax, [esi+110h]
		mov	[ebp+var_90], eax
		mov	eax, [esi+114h]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_58], eax
		mov	eax, [esi+118h]
		mov	[ebp+var_B8], eax
		mov	eax, [esi+11Ch]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_48], eax
		mov	eax, [esi+128h]
		mov	[ebp+var_C0], eax
		mov	eax, [esi+12Ch]
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_38], eax
		mov	eax, [esi+130h]
		mov	[ebp+var_C8], eax
		mov	eax, [esi+134h]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_28], eax
		mov	eax, [esi+0A8h]
		mov	[ebp+var_D0], eax
		mov	eax, [esi+0ACh]
		push	8
		pop	ecx
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_88]
		push	eax
		push	ecx
		lea	eax, [esi+220h]
		mov	[ebp+var_64], ebx
		push	eax
		lea	eax, [esi+230h]
		mov	[ebp+var_60], ecx
		push	eax
		push	offset loc_41BC3F
		push	offset dword_6B2CE0
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_72C708:				; CODE XREF: IopLiveDumpEstimateMemoryPages(x)+1A9j
					; IopLiveDumpEstimateMemoryPages(x)+1C1j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopLiveDumpEstimateMemoryPages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpGenerateIptSecondaryData()
_IopLiveDumpGenerateIptSecondaryData@0 proc near
					; CODE XREF: IopLiveDumpEndMirroringCallback(x)+239p

var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, ds:_IopLiveDumpContext
		xor	ebx, ebx
		push	edi
		push	8
		xor	eax, eax
		mov	[ebp+var_C], esi
		test	byte ptr [esi+30h], 80h
		lea	edi, [ebp+var_2C]
		pop	ecx
		rep stosd
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		jz	short loc_72C752
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx

loc_72C752:				; CODE XREF: IopLiveDumpGenerateIptSecondaryData()+2Aj
		lea	edi, [esi+270h]
		mov	ecx, [edi]
		test	ecx, ecx
		jz	loc_72C876
		mov	eax, ds:_IptInterface
		push	24h
		push	edi
		push	ebx
		push	2
		mov	[esi+28Ch], ecx
		mov	[esi+290h], ebx
		call	dword ptr [eax+14h]
		mov	eax, [esi+290h]
		test	eax, eax
		jz	short loc_72C7B5
		cmp	[esi+274h], eax
		jb	short loc_72C7B5
		mov	ecx, [edi]
		mov	edx, [esi+28Ch]
		cmp	ecx, edx
		jz	short loc_72C7C3
		push	eax		; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [edi]
		add	esp, 0Ch
		mov	[esi+28Ch], eax
		mov	eax, [esi+290h]
		jmp	short loc_72C7C3
; 

loc_72C7B5:				; CODE XREF: IopLiveDumpGenerateIptSecondaryData()+6Bj
					; IopLiveDumpGenerateIptSecondaryData()+73j
		mov	[esi+28Ch], ebx
		mov	eax, ebx
		mov	[esi+290h], ebx

loc_72C7C3:				; CODE XREF: IopLiveDumpGenerateIptSecondaryData()+7Fj
					; IopLiveDumpGenerateIptSecondaryData()+9Aj
		test	eax, eax
		jz	loc_72C876
		cmp	[esi+24Ch], ebx
		jz	loc_72C876
		mov	eax, [esi]
		mov	[ebp+var_20], eax
		mov	eax, [esi+4]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+8]
		mov	[ebp+var_18], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_14], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_2C]
		push	20h
		push	eax
		mov	eax, ds:_IptInterface
		push	ebx
		push	7
		mov	[ebp+var_24], 2000000h
		call	dword ptr [eax+10h]
		mov	ecx, [ebp+var_2C]
		test	ecx, ecx
		jz	short loc_72C876
		mov	eax, [ecx+8]
		lea	eax, ds:0Ch[eax*8]
		cmp	eax, [esi+250h]
		ja	short loc_72C876
		mov	ebx, [esi+24Ch]
		lea	edi, [esi+258h]
		mov	[esi+26Ch], eax
		mov	[esi+268h], ebx
		mov	esi, offset _GUID_TRIAGEDUMP_DATA
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ecx+8]
		mov	[ebx], eax
		shl	eax, 3
		push	eax		; size_t
		mov	dword ptr [ebx+4], 4
		mov	eax, [ebp+var_2C]
		add	eax, 20h
		push	eax		; void *
		lea	eax, [ebx+8]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebx]
		add	esp, 0Ch
		mov	esi, [ebp+var_C]
		mov	dword ptr [ebx+eax*8+8], offset	loc_545049

loc_72C876:				; CODE XREF: IopLiveDumpGenerateIptSecondaryData()+43j
					; IopLiveDumpGenerateIptSecondaryData()+ACj ...
		test	byte ptr [esi+30h], 80h
		jz	short loc_72C892
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		sub	eax, [ebp+var_4]
		mov	ecx, esi
		sbb	edx, [ebp+var_8]
		push	edx
		push	eax
		call	_IopLiveDumpTraceCaptureGenerateIptSecondaryDataDuration@12 ; IopLiveDumpTraceCaptureGenerateIptSecondaryDataDuration(x,x,x)

loc_72C892:				; CODE XREF: IopLiveDumpGenerateIptSecondaryData()+161j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopLiveDumpGenerateIptSecondaryData@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpGetCapturePages(x, x, x,	x, x, x)
_IopLiveDumpGetCapturePages@24 proc near ; CODE	XREF: IopLiveDumpBufferDumpData(x,x)+75p

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ds:_BufferChunkSizeInPages
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		lea	ecx, [edi+10h]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+arg_8]
		push	esi
		push	[ebp+arg_0]
		call	_IopLiveDumpGetCapturePagesNoLock@24 ; IopLiveDumpGetCapturePagesNoLock(x,x,x,x,x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_72C8DA
		mov	edx, [ebp+4]
		lea	ecx, [edi+10h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_72C8E2
; 

loc_72C8DA:				; CODE XREF: IopLiveDumpGetCapturePages(x,x,x,x,x,x)+34j
		xor	ecx, ecx
		lea	eax, [edi+10h]
		lock and [eax],	ecx

loc_72C8E2:				; CODE XREF: IopLiveDumpGetCapturePages(x,x,x,x,x,x)+41j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_IopLiveDumpGetCapturePages@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpGetCapturePagesNoLock(x,	x, x, x, x, x)
_IopLiveDumpGetCapturePagesNoLock@24 proc near
					; CODE XREF: IopLiveDumpGetCapturePages(x,x,x,x,x,x)+28p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], ecx
		xor	ebx, ebx
		or	esi, 0FFFFFFFFh
		mov	[eax], ebx
		mov	ecx, [edi+18h]
		mov	[ebp+var_4], ecx
		cmp	ecx, esi
		jz	short loc_72C967
		xor	edx, edx
		inc	edx
		cmp	[ebp+arg_4], ebx
		jbe	short loc_72C95B

loc_72C915:				; CODE XREF: IopLiveDumpGetCapturePagesNoLock(x,x,x,x,x,x)+64j
		push	ecx
		push	edx
		push	[ebp+var_C]
		call	RtlFindSetBits
		mov	edx, eax
		cmp	edx, [ebp+var_4]
		jb	short loc_72C954
		cmp	edx, esi
		jz	short loc_72C954
		mov	eax, [ebp+arg_8]
		push	1
		mov	ecx, [eax]
		mov	eax, [ebp+arg_0]
		mov	[eax+ecx*4], edx
		inc	ecx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_8], ecx
		mov	[eax], ecx
		lea	ecx, [edx+1]
		mov	edx, [ebp+arg_4]
		cmp	[ebp+var_8], edx
		mov	[ebp+var_4], ecx
		pop	edx
		jb	short loc_72C915
		mov	ebx, [ebp+var_8]
		jmp	short loc_72C95B
; 

loc_72C954:				; CODE XREF: IopLiveDumpGetCapturePagesNoLock(x,x,x,x,x,x)+3Bj
					; IopLiveDumpGetCapturePagesNoLock(x,x,x,x,x,x)+3Fj
		mov	eax, [ebp+arg_8]
		mov	dl, bl
		mov	ebx, [eax]

loc_72C95B:				; CODE XREF: IopLiveDumpGetCapturePagesNoLock(x,x,x,x,x,x)+2Aj
					; IopLiveDumpGetCapturePagesNoLock(x,x,x,x,x,x)+69j
		test	dl, dl
		jz	short loc_72C967
		mov	ecx, [ebp+arg_0]
		mov	esi, [ecx+ebx*4-4]
		inc	esi

loc_72C967:				; CODE XREF: IopLiveDumpGetCapturePagesNoLock(x,x,x,x,x,x)+22j
					; IopLiveDumpGetCapturePagesNoLock(x,x,x,x,x,x)+74j
		mov	[edi+18h], esi
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_72C981
		mov	ecx, [edi+1Ch]
		mov	eax, [ebp+arg_C]
		mov	[edi+14h], edx
		mov	[eax], ecx
		lea	eax, [ecx+1]
		mov	[edi+1Ch], eax

loc_72C981:				; CODE XREF: IopLiveDumpGetCapturePagesNoLock(x,x,x,x,x,x)+85j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_IopLiveDumpGetCapturePagesNoLock@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpInitiateCorralStateChange(x, x, x)
_IopLiveDumpInitiateCorralStateChange@12 proc near
					; CODE XREF: IopLiveDumpCorralProcessors(x)+167p
					; IopLiveDumpCorralProcessors(x)+17Cp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		xor	ecx, ecx
		push	edi
		mov	[ebp+var_4], ecx
		mov	eax, [esi]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], eax
		mov	[ebx], ecx
		test	byte ptr [eax+30h], 80h
		mov	[ebx+4], ecx
		jz	short loc_72C9C3
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		mov	[ebp+var_8], edx
		mov	edx, [ebp+var_C]
		mov	[ebp+var_4], eax

loc_72C9C3:				; CODE XREF: IopLiveDumpInitiateCorralStateChange(x,x,x)+29j
		lea	edi, [esi+0Ch]
		xor	ecx, ecx
		xchg	ecx, [edi]
		mov	ecx, edx
		lea	eax, [esi+8]
		xchg	ecx, [eax]
		cmp	edx, 7
		jz	short loc_72C9E2
		lea	edx, [esi+44h]
		mov	ecx, esi
		call	_IopLiveDumpProcessCorralStateChange@8 ; IopLiveDumpProcessCorralStateChange(x,x)
		jmp	short loc_72C9E5
; 

loc_72C9E2:				; CODE XREF: IopLiveDumpInitiateCorralStateChange(x,x,x)+4Cj
		lock inc dword ptr [edi]

loc_72C9E5:				; CODE XREF: IopLiveDumpInitiateCorralStateChange(x,x,x)+58j
		and	[ebp+arg_0], 0
		jmp	short loc_72C9F3
; 

loc_72C9EB:				; CODE XREF: IopLiveDumpInitiateCorralStateChange(x,x,x)+70j
		lea	ecx, [ebp+arg_0]
		call	KeYieldProcessorEx

loc_72C9F3:				; CODE XREF: IopLiveDumpInitiateCorralStateChange(x,x,x)+61j
		mov	eax, [edi]
		cmp	eax, [esi+10h]
		jnz	short loc_72C9EB
		mov	eax, [ebp+var_10]
		test	byte ptr [eax+30h], 80h
		jz	short loc_72CA15
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		sub	eax, [ebp+var_4]
		mov	[ebx], eax
		sbb	edx, [ebp+var_8]
		mov	[ebx+4], edx

loc_72CA15:				; CODE XREF: IopLiveDumpInitiateCorralStateChange(x,x,x)+79j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_IopLiveDumpInitiateCorralStateChange@12 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpMarkDeviceNode(x, x)
_IopLiveDumpMarkDeviceNode@8 proc near	; CODE XREF: IopLiveDumpMarkRequiredDumpData(x,x)+14Bp
					; IopLiveDumpMarkRequiredDumpData(x,x)+160p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		push	2Ch
		mov	esi, edx
		mov	edi, ecx
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_72CA58
		movzx	eax, word ptr [esi+14h]
		mov	ecx, edi
		mov	edx, [esi+18h]
		add	eax, 2
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_72CA58
		movzx	eax, word ptr [esi+1Ch]
		mov	ecx, edi
		mov	edx, [esi+20h]
		add	eax, 2
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)

loc_72CA58:				; CODE XREF: IopLiveDumpMarkDeviceNode(x,x)+12j
					; IopLiveDumpMarkDeviceNode(x,x)+28j
		pop	edi
		pop	esi
		pop	ecx
		retn
_IopLiveDumpMarkDeviceNode@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpMarkImportantDumpData(x,	x)
_IopLiveDumpMarkImportantDumpData@8 proc near
					; CODE XREF: IopLiveDumpEndMirroringCallback(x)+1FCp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		push	esi
		xor	esi, esi
		mov	ecx, esi
		mov	[ebp+var_30], esi
		test	byte ptr [ebx+30h], 80h
		push	edi
		mov	[ebp+var_28], ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], esi
		jz	short loc_72CA92
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		mov	ecx, [ebp+var_28]
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx

loc_72CA92:				; CODE XREF: IopLiveDumpMarkImportantDumpData(x,x)+24j
		xor	eax, eax
		mov	[ebp+var_4], esi
		lea	edi, [ebp+var_24]
		mov	[ebp+var_18], esi
		stosd
		or	ecx, 1
		mov	[ebp+var_28], ecx
		lea	ecx, [ebp+var_3C]
		mov	[ebp+var_14], esi
		mov	[ebp+var_3C], offset _IoSetDumpRange@16	; IoSetDumpRange(x,x,x,x)
		stosd
		mov	[ebp+var_38], esi
		stosd
		lea	eax, [ebx+178h]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+var_10]
		mov	[ebp+var_2C], eax
		call	_ExAddPrivateDataToCrashDump@8 ; ExAddPrivateDataToCrashDump(x,x)
		test	eax, eax
		jns	short loc_72CADB
		cmp	eax, 0C0000023h
		jz	loc_72CB9D
		mov	esi, eax

loc_72CADB:				; CODE XREF: IopLiveDumpMarkImportantDumpData(x,x)+70j
		mov	edi, ds:_PsActiveProcessHead
		jmp	short loc_72CB06
; 

loc_72CAE3:				; CODE XREF: IopLiveDumpMarkImportantDumpData(x,x)+B3j
		push	500h
		lea	edx, [edi-0E8h]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		jns	short loc_72CB04
		cmp	eax, 0C0000023h
		jz	loc_72CB9D
		mov	esi, eax

loc_72CB04:				; CODE XREF: IopLiveDumpMarkImportantDumpData(x,x)+99j
		mov	edi, [edi]

loc_72CB06:				; CODE XREF: IopLiveDumpMarkImportantDumpData(x,x)+85j
		lea	ecx, [ebp+var_3C]
		cmp	edi, offset _PsActiveProcessHead
		jnz	short loc_72CAE3
		push	10h
		pop	edx
		call	_MmAddPrivateDataToCrashDump@8 ; MmAddPrivateDataToCrashDump(x,x)
		mov	edi, 0C0000023h
		test	eax, eax
		jns	short loc_72CB28
		cmp	eax, edi
		jz	short loc_72CB9D
		mov	esi, eax

loc_72CB28:				; CODE XREF: IopLiveDumpMarkImportantDumpData(x,x)+C4j
		lea	edx, [ebp+var_3C]
		mov	ecx, ebx
		call	_IopLiveDumpAddTriageDumpData@8	; IopLiveDumpAddTriageDumpData(x,x)
		xor	edx, edx
		lea	ecx, [ebp+var_3C]
		inc	edx
		call	_MmAddPrivateDataToCrashDump@8 ; MmAddPrivateDataToCrashDump(x,x)
		test	eax, eax
		jns	short loc_72CB47
		cmp	eax, edi
		jz	short loc_72CB9D
		mov	esi, eax

loc_72CB47:				; CODE XREF: IopLiveDumpMarkImportantDumpData(x,x)+E3j
		cmp	ds:_IptInterface, 0
		jz	short loc_72CBA1
		mov	eax, ds:dword_70E328
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], offset _KeActiveProcessors

loc_72CB5F:				; CODE XREF: IopLiveDumpMarkImportantDumpData(x,x)+125j
					; IopLiveDumpMarkImportantDumpData(x,x)+137j ...
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_72CBA1
		lea	eax, [ebp+var_18]
		push	eax
		mov	eax, ds:_IptInterface
		push	[ebp+var_4]
		call	dword ptr [eax+8]
		test	eax, eax
		js	short loc_72CB5F
		push	[ebp+var_14]
		mov	edx, [ebp+var_18]
		lea	ecx, [ebp+var_3C]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		jns	short loc_72CB5F
		cmp	eax, edi
		jz	short loc_72CB9D
		mov	esi, eax
		jmp	short loc_72CB5F
; 

loc_72CB9D:				; CODE XREF: IopLiveDumpMarkImportantDumpData(x,x)+77j
					; IopLiveDumpMarkImportantDumpData(x,x)+A0j ...
		xor	eax, eax
		jmp	short loc_72CBBF
; 

loc_72CBA1:				; CODE XREF: IopLiveDumpMarkImportantDumpData(x,x)+F2j
					; IopLiveDumpMarkImportantDumpData(x,x)+112j
		test	byte ptr [ebx+30h], 80h
		jz	short loc_72CBBD
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		sub	eax, [ebp+var_8]
		mov	ecx, ebx
		sbb	edx, [ebp+var_C]
		push	edx
		push	eax
		call	_IopLiveDumpTraceMarkImportantDumpDataDuration@12 ; IopLiveDumpTraceMarkImportantDumpDataDuration(x,x,x)

loc_72CBBD:				; CODE XREF: IopLiveDumpMarkImportantDumpData(x,x)+149j
		mov	eax, esi

loc_72CBBF:				; CODE XREF: IopLiveDumpMarkImportantDumpData(x,x)+143j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopLiveDumpMarkImportantDumpData@8 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpMarkLoadedModuleList(x)
_IopLiveDumpMarkLoadedModuleList@4 proc	near
					; CODE XREF: IopLiveDumpMarkRequiredDumpData(x,x)+93p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, offset _PsLoadedModuleList
		mov	edi, ecx
		push	8
		mov	edx, ebx
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_72CC41
		mov	esi, ds:_PsLoadedModuleList
		jmp	short loc_72CC3D
; 

loc_72CBE5:				; CODE XREF: IopLiveDumpMarkLoadedModuleList(x)+7Bj
		push	5Ch
		mov	edx, esi
		mov	ecx, edi
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_72CC41
		movzx	eax, word ptr [esi+2Ch]
		mov	ecx, edi
		mov	edx, [esi+30h]
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_72CC41
		movzx	eax, word ptr [esi+24h]
		mov	ecx, edi
		mov	edx, [esi+28h]
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_72CC41
		mov	edx, [esi+14h]
		mov	ecx, edi
		push	20h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_72CC41
		push	dword ptr [esi+20h]
		mov	edx, [esi+18h]
		mov	ecx, edi
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_72CC41
		mov	esi, [esi]

loc_72CC3D:				; CODE XREF: IopLiveDumpMarkLoadedModuleList(x)+1Fj
		cmp	esi, ebx
		jnz	short loc_72CBE5

loc_72CC41:				; CODE XREF: IopLiveDumpMarkLoadedModuleList(x)+17j
					; IopLiveDumpMarkLoadedModuleList(x)+2Ej ...
		pop	edi
		pop	esi
		pop	ebx
		retn
_IopLiveDumpMarkLoadedModuleList@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpMarkProcessorData(x, x)
_IopLiveDumpMarkProcessorData@8	proc near
					; CODE XREF: IopLiveDumpMarkRequiredDumpData(x,x)+CCp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ds:_KiProcessorBlock[edx*4]
		push	edi
		push	6020h
		mov	edi, ecx
		lea	edx, [esi-20h]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	loc_72CD17
		mov	edx, [esi+4]
		mov	ecx, edi
		push	4E0h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	loc_72CD17
		mov	eax, [esi+4]
		mov	ecx, edi
		push	500h
		mov	edx, [eax+80h]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_72CD17
		mov	edx, [esi+4168h]
		mov	ecx, edi
		push	2CCh
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_72CD17
		mov	eax, [esi+4168h]
		mov	ebx, 2000h
		push	ebx
		mov	ecx, edi
		mov	edx, [eax+0C4h]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_72CD17
		mov	eax, [esi+4168h]
		mov	ecx, edi
		push	ebx
		mov	edx, [eax+0B8h]
		sub	edx, 1000h
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_72CD17
		movzx	eax, word ptr [esi+30Eh]
		mov	ecx, edi
		mov	edx, [esi+310h]
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_72CD17
		movzx	eax, word ptr [esi+316h]
		mov	ecx, edi
		mov	edx, [esi+318h]
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)

loc_72CD17:				; CODE XREF: IopLiveDumpMarkProcessorData(x,x)+1Dj
					; IopLiveDumpMarkProcessorData(x,x)+34j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
_IopLiveDumpMarkProcessorData@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpMarkRequiredDumpData(x, x)
_IopLiveDumpMarkRequiredDumpData@8 proc	near
					; CODE XREF: IopLiveDumpEndMirroringCallback(x)+166p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_A		= word ptr -0Ah
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		and	[ebp+var_20], 0
		xor	eax, eax
		and	[ebp+var_4], eax
		and	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_18], eax
		xor	ecx, ecx
		xor	ebx, ebx
		mov	esi, edx
		mov	[ebp+var_A], cx
		test	byte ptr [edi+30h], 80h
		jz	short loc_72CD56
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		mov	ebx, eax
		mov	[ebp+var_8], edx
		mov	eax, [ebp+var_18]

loc_72CD56:				; CODE XREF: IopLiveDumpMarkRequiredDumpData(x,x)+2Aj
		and	[ebp+var_28], 0
		lea	ecx, [edi+178h]
		mov	[ebp+var_24], ecx
		or	eax, 1
		push	380h
		mov	edx, offset _KdDebuggerDataBlock
		mov	[ebp+var_1C], esi
		lea	ecx, [ebp+var_2C]
		mov	[ebp+var_2C], offset _IoSetDumpRange@16	; IoSetDumpRange(x,x,x,x)
		mov	[ebp+var_18], eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	loc_72CEA3
		mov	eax, ds:_KeNumberProcessors
		lea	ecx, [ebp+var_2C]
		shl	eax, 2
		mov	edx, offset _KiProcessorBlock
		push	eax
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	loc_72CEA3
		lea	ecx, [ebp+var_2C]
		call	_IopLiveDumpMarkLoadedModuleList@4 ; IopLiveDumpMarkLoadedModuleList(x)
		test	eax, eax
		js	loc_72CEA3
		xor	eax, eax
		mov	[ebp+var_C], ax
		mov	eax, ds:dword_70E328
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], offset _KeActiveProcessors

loc_72CDD0:				; CODE XREF: IopLiveDumpMarkRequiredDumpData(x,x)+D3j
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		lea	ecx, [ebp+var_2C]
		test	eax, eax
		jnz	short loc_72CDF5
		mov	edx, [ebp+var_4]
		call	_IopLiveDumpMarkProcessorData@8	; IopLiveDumpMarkProcessorData(x,x)
		test	eax, eax
		jns	short loc_72CDD0
		jmp	loc_72CEA3
; 

loc_72CDF5:				; CODE XREF: IopLiveDumpMarkRequiredDumpData(x,x)+C7j
		push	2
		pop	edx
		call	_MmAddPrivateDataToCrashDump@8 ; MmAddPrivateDataToCrashDump(x,x)
		test	eax, eax
		js	loc_72CEA3
		push	720h
		mov	edx, 0FFDF0000h
		lea	ecx, [ebp+var_2C]
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	loc_72CEA3
		push	4
		pop	edx
		lea	ecx, [ebp+var_2C]
		call	_MmAddPrivateDataToCrashDump@8 ; MmAddPrivateDataToCrashDump(x,x)
		test	eax, eax
		js	short loc_72CEA3
		push	8
		pop	edx
		lea	ecx, [ebp+var_2C]
		call	_MmAddPrivateDataToCrashDump@8 ; MmAddPrivateDataToCrashDump(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_72CEA1
		cmp	dword ptr [edi], 15Fh
		jnz	short loc_72CE86
		cmp	dword ptr [edi+4], 2
		jnz	short loc_72CE86
		mov	esi, [edi+8]
		lea	ecx, [ebp+var_2C]
		push	20h
		mov	edx, esi
		call	_MmAddRangeToCrashDump@12 ; MmAddRangeToCrashDump(x,x,x)
		test	eax, eax
		js	short loc_72CEA3
		mov	edx, [esi+1Ch]
		lea	ecx, [ebp+var_2C]
		call	_IopLiveDumpMarkDeviceNode@8 ; IopLiveDumpMarkDeviceNode(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_72CEA1
		mov	edx, [edi+10h]
		test	edx, edx
		jz	short loc_72CE86
		lea	ecx, [ebp+var_2C]
		call	_IopLiveDumpMarkDeviceNode@8 ; IopLiveDumpMarkDeviceNode(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_72CEA1

loc_72CE86:				; CODE XREF: IopLiveDumpMarkRequiredDumpData(x,x)+12Aj
					; IopLiveDumpMarkRequiredDumpData(x,x)+130j ...
		test	byte ptr [edi+30h], 80h
		jz	short loc_72CEA1
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		sub	eax, ebx
		mov	ecx, edi
		sbb	edx, [ebp+var_8]
		push	edx
		push	eax
		call	_IopLiveDumpTraceMarkRequiredDumpDataDuration@12 ; IopLiveDumpTraceMarkRequiredDumpDataDuration(x,x,x)

loc_72CEA1:				; CODE XREF: IopLiveDumpMarkRequiredDumpData(x,x)+122j
					; IopLiveDumpMarkRequiredDumpData(x,x)+154j ...
		mov	eax, esi

loc_72CEA3:				; CODE XREF: IopLiveDumpMarkRequiredDumpData(x,x)+6Cj
					; IopLiveDumpMarkRequiredDumpData(x,x)+8Aj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopLiveDumpMarkRequiredDumpData@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpMirrorPhysicalMemoryCallback(x, x, x, x)
_IopLiveDumpMirrorPhysicalMemoryCallback@16 proc near
					; DATA XREF: IopLiveDumpCaptureMemoryPages(x)+6Fo
					; IopLiveDumpEstimateMemoryPages(x)+68o

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		mov	esi, ds:_IopLiveDumpContext
		xor	ebx, ebx
		push	edi
		mov	[esp+48h+var_34], ebx
		mov	[esp+48h+var_24], ebx
		test	byte ptr [esi+30h], 80h
		mov	[esp+48h+var_20], ebx
		jz	short loc_72CEDF
		push	ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[esp+4Ch+var_28], eax
		mov	[esp+4Ch+var_24], edx

loc_72CEDF:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+26j
		mov	edx, [ebp+arg_8]
		mov	eax, edx
		mov	edi, [ebp+arg_0]
		and	eax, 0FFFh
		mov	ecx, [ebp+arg_4]
		shrd	edi, ecx, 0Ch
		or	eax, ebx
		mov	[esp+4Ch+var_2C], edi
		jz	short loc_72CF00
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_72CF02
; 

loc_72CF00:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+51j
		mov	ecx, ebx

loc_72CF02:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+56j
		mov	eax, [ebp+arg_C]
		mov	ebx, edx
		shrd	ebx, eax, 0Ch
		lea	eax, [edi-1]
		add	ebx, ecx
		mov	ecx, [esi+188h]
		add	eax, ebx
		mov	[esp+4Ch+var_3C], ebx
		cmp	edi, ecx
		jnb	loc_72D013
		cmp	eax, ecx
		jb	short loc_72CF34
		lea	eax, [ecx-1]
		mov	ebx, eax
		sub	ebx, edi
		inc	ebx
		mov	[esp+4Ch+var_3C], ebx

loc_72CF34:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+7Ej
		test	ebx, ebx
		jz	loc_72D013
		inc	eax
		mov	[esp+4Ch+var_1C], eax
		mov	eax, [esi+18Ch]
		mov	[esp+4Ch+var_18], eax

loc_72CF4B:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+165j
		lea	eax, [esp+4Ch+var_38]
		push	eax
		push	edi
		lea	eax, [esp+54h+var_1C]
		push	eax
		call	RtlFindNextForwardRunClear
		mov	edx, eax
		mov	[esp+4Ch+var_20], edx
		test	edx, edx
		jnz	short loc_72CF6D
		mov	ecx, ebx
		mov	[esp+4Ch+var_30], ebx
		jmp	short loc_72CF77
; 

loc_72CF6D:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+BBj
		mov	ecx, [esp+4Ch+var_38]
		sub	ecx, edi
		mov	[esp+4Ch+var_30], ecx

loc_72CF77:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+C3j
		test	ecx, ecx
		jz	short loc_72CFED
		mov	ebx, edi
		mov	[esp+4Ch+var_34], ecx

loc_72CF81:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+133j
		test	byte ptr [esi+14h], 4
		jnz	short loc_72CF8F

loc_72CF87:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+10Aj
		lea	eax, [esi+194h]
		jmp	short loc_72CFCC
; 

loc_72CF8F:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+DDj
		xor	eax, eax
		lea	edi, [esp+4Ch+var_14]
		stosd
		lea	edx, [esp+4Ch+var_14]
		mov	ecx, ebx
		stosd
		stosd
		stosd
		call	_MmTryIdentifyPage@8 ; MmTryIdentifyPage(x,x)
		test	eax, eax
		jz	short loc_72CFD5
		mov	eax, [esp+4Ch+var_8]
		cmp	eax, ds:_MmSystemRangeStart
		jnb	short loc_72CF87
		test	byte ptr [esi+14h], 4
		jz	short loc_72CFD5
		test	eax, eax
		jz	short loc_72CFD5
		cmp	eax, ds:_MmHighestUserAddress
		ja	short loc_72CFD5
		lea	eax, [esi+1B0h]

loc_72CFCC:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+E5j
		push	1
		push	ebx
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)

loc_72CFD5:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+FEj
					; IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+110j ...
		inc	ebx
		sub	[esp+4Ch+var_34], 1
		jnz	short loc_72CF81
		mov	ebx, [esp+4Ch+var_3C]
		mov	edi, [esp+4Ch+var_2C]
		mov	ecx, [esp+4Ch+var_30]
		mov	edx, [esp+4Ch+var_20]

loc_72CFED:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+D1j
		lea	eax, [ecx+edx]
		cmp	ebx, eax
		jbe	short loc_72D005
		mov	edi, [esp+4Ch+var_38]
		lea	eax, [ecx+edx]
		add	edi, edx
		sub	ebx, eax
		mov	[esp+4Ch+var_2C], edi
		jmp	short loc_72D007
; 

loc_72D005:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+14Aj
		xor	ebx, ebx

loc_72D007:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+15Bj
		mov	[esp+4Ch+var_3C], ebx
		test	ebx, ebx
		jnz	loc_72CF4B

loc_72D013:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+76j
					; IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+8Ej
		test	byte ptr [esi+30h], 80h
		jz	short loc_72D06A
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		sub	eax, [esp+50h+var_2C]
		mov	ecx, [ebp+arg_8]
		sbb	edx, [esp+50h+var_28]
		test	byte ptr [esi+30h], 1
		jz	short loc_72D04F
		add	[esi+130h], ecx
		mov	ecx, [ebp+arg_C]
		adc	[esi+134h], ecx
		add	[esi+120h], eax
		adc	[esi+124h], edx
		jmp	short loc_72D06A
; 

loc_72D04F:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+188j
		add	[esi+160h], ecx
		mov	ecx, [ebp+arg_C]
		adc	[esi+164h], ecx
		add	[esi+150h], eax
		adc	[esi+154h], edx

loc_72D06A:				; CODE XREF: IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+16Fj
					; IopLiveDumpMirrorPhysicalMemoryCallback(x,x,x,x)+1A5j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_IopLiveDumpMirrorPhysicalMemoryCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpPopulateBitmapForDump(x)
_IopLiveDumpPopulateBitmapForDump@4 proc near
					; CODE XREF: IopLiveDumpEndMirroringCallback(x)+20Fp
					; IopLiveDumpEndMirroringCallback(x)+240p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_28], edi
		test	byte ptr [esi+30h], 80h
		mov	[ebp+var_24], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_1C], edi
		jz	short loc_72D0AC
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		mov	[ebp+var_18], eax
		mov	[ebp+var_1C], edx

loc_72D0AC:				; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+28j
		mov	eax, [esi+178h]
		mov	ecx, esi
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_30]
		push	eax
		call	_IopLiveDumpRemoveSystemCacheFromDump@12 ; IopLiveDumpRemoveSystemCacheFromDump(x,x,x)
		lea	ebx, [esi+194h]
		jmp	loc_72D1AD
; 

loc_72D0CB:				; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+13Aj
		push	edi
		push	1
		push	ebx
		call	RtlFindSetBits
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jz	loc_72D18F

loc_72D0DF:				; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+114j
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		push	ebx
		call	RtlFindNextForwardRunClear
		mov	[ebp+var_20], eax
		test	eax, eax
		mov	eax, [ebp+var_8]
		jnz	short loc_72D0F7
		mov	eax, [ebp+var_14]

loc_72D0F7:				; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+7Dj
		sub	eax, edi
		test	byte ptr [esi+30h], 1
		mov	[ebp+var_10], eax
		jz	short loc_72D112
		push	eax
		push	edi
		lea	eax, [esi+178h]
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		jmp	short loc_72D17C
; 

loc_72D112:				; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+8Bj
		add	eax, edi
		mov	[ebp+var_28], eax
		mov	eax, [esi+17Ch]
		mov	[ebp+var_24], eax
		mov	eax, edi
		mov	[ebp+var_4], eax

loc_72D125:				; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+105j
		lea	ecx, [ebp+var_4]
		push	ecx
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	RtlFindNextForwardRunClear
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	short loc_72D17C
		mov	eax, [esi+1C4h]
		cmp	ecx, eax
		jbe	short loc_72D14F
		or	dword ptr [esi+30h], 2
		mov	ecx, eax
		mov	[ebp+var_C], ecx

loc_72D14F:				; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+CFj
		test	ecx, ecx
		jz	short loc_72D169
		push	ecx
		push	[ebp+var_4]
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	ecx, [ebp+var_C]
		sub	[esi+1C4h], ecx

loc_72D169:				; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+DCj
		test	byte ptr [esi+30h], 2
		jnz	short loc_72D1D7
		mov	eax, [ebp+var_4]
		add	eax, ecx
		mov	[ebp+var_4], eax
		cmp	eax, [ebp+var_28]
		jb	short loc_72D125

loc_72D17C:				; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+9Bj
					; IopLiveDumpPopulateBitmapForDump(x)+C5j
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_20]
		add	eax, ecx
		add	edi, eax
		cmp	edi, [ebp+var_14]
		jb	loc_72D0DF

loc_72D18F:				; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+64j
		lea	eax, [esi+194h]
		cmp	ebx, eax
		jnz	short loc_72D1A9
		test	byte ptr [esi+14h], 4
		jz	short loc_72D1A9
		lea	ebx, [esi+1B0h]
		xor	edi, edi
		jmp	short loc_72D1AD
; 

loc_72D1A9:				; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+122j
					; IopLiveDumpPopulateBitmapForDump(x)+128j
		xor	edi, edi
		mov	ebx, edi

loc_72D1AD:				; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+51j
					; IopLiveDumpPopulateBitmapForDump(x)+132j
		test	ebx, ebx
		jnz	loc_72D0CB
		test	byte ptr [esi+30h], 80h
		jz	short loc_72D1D7
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		push	[ebp+var_2C]
		sub	eax, [ebp+var_18]
		mov	ecx, esi
		push	[ebp+var_30]
		sbb	edx, [ebp+var_1C]
		push	edx
		push	eax
		call	_IopLiveDumpTracePopulateBitmapForDumpDuration@20 ; IopLiveDumpTracePopulateBitmapForDumpDuration(x,x,x,x,x)

loc_72D1D7:				; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+F8j
					; IopLiveDumpPopulateBitmapForDump(x)+144j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopLiveDumpPopulateBitmapForDump@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpProcessCorralStateChange(x, x)
_IopLiveDumpProcessCorralStateChange@8 proc near
					; CODE XREF: IopLiveDumpCorralDpc(x,x,x,x)+42p
					; IopLiveDumpInitiateCorralStateChange(x,x,x)+53p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		and	[esp+8+var_4], 0
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jmp	short loc_72D1FC
; 

loc_72D1F3:				; CODE XREF: IopLiveDumpProcessCorralStateChange(x,x)+26j
		lea	ecx, [esp+10h+var_4]
		call	KeYieldProcessorEx

loc_72D1FC:				; CODE XREF: IopLiveDumpProcessCorralStateChange(x,x)+15j
		mov	eax, [edi+8]
		cmp	eax, [esi+4]
		jz	short loc_72D1F3
		mov	eax, [edi+8]
		mov	[esi+4], eax
		dec	eax
		sub	eax, 1
		jz	loc_72D2C8
		sub	eax, 1
		jz	loc_72D2C1
		sub	eax, 1
		jz	loc_72D2B6
		sub	eax, 1
		jz	loc_72D2AF
		sub	eax, 1
		jz	short loc_72D2A6
		sub	eax, 1
		jz	short loc_72D274
		sub	eax, 1
		jnz	loc_72D2D0
		cmp	[esi+9], al
		jz	loc_72D2D0
		mov	ecx, large fs:20h
		mov	eax, ds:0FFDF05F0h
		push	dword ptr ds:0FFDF05F4h
		or	eax, 100h
		mov	ecx, [ecx+47B8h]
		push	eax
		call	_KeRestoreSupervisorState@12 ; KeRestoreSupervisorState(x,x,x)
		mov	byte ptr [esi+9], 0
		jmp	short loc_72D2D0
; 

loc_72D274:				; CODE XREF: IopLiveDumpProcessCorralStateChange(x,x)+5Bj
		cmp	ds:_SaveSupervisorState, 0
		jz	short loc_72D2D0
		mov	ecx, large fs:20h
		mov	eax, ds:0FFDF05F0h
		push	dword ptr ds:0FFDF05F4h
		or	eax, 100h
		mov	ecx, [ecx+47B8h]
		push	eax
		call	_KeSaveSupervisorState@12 ; KeSaveSupervisorState(x,x,x)
		mov	byte ptr [esi+9], 1
		jmp	short loc_72D2D0
; 

loc_72D2A6:				; CODE XREF: IopLiveDumpProcessCorralStateChange(x,x)+56j
		cmp	byte ptr [esi+8], 0
		jz	short loc_72D2D0
		sti
		jmp	short loc_72D2D0
; 

loc_72D2AF:				; CODE XREF: IopLiveDumpProcessCorralStateChange(x,x)+4Dj
		call	_KeResumeClockTimerSafe@0 ; KeResumeClockTimerSafe()
		jmp	short loc_72D2D0
; 

loc_72D2B6:				; CODE XREF: IopLiveDumpProcessCorralStateChange(x,x)+44j
		mov	edx, esi
		mov	ecx, edi
		call	_IopLiveDumpBufferDumpData@8 ; IopLiveDumpBufferDumpData(x,x)
		jmp	short loc_72D2D0
; 

loc_72D2C1:				; CODE XREF: IopLiveDumpProcessCorralStateChange(x,x)+3Bj
		call	_KeSuspendClockTimerSafe@0 ; KeSuspendClockTimerSafe()
		jmp	short loc_72D2D0
; 

loc_72D2C8:				; CODE XREF: IopLiveDumpProcessCorralStateChange(x,x)+32j
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	[esi+8], al

loc_72D2D0:				; CODE XREF: IopLiveDumpProcessCorralStateChange(x,x)+60j
					; IopLiveDumpProcessCorralStateChange(x,x)+69j	...
		lock inc dword ptr [edi+0Ch]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_IopLiveDumpProcessCorralStateChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpRemoveSystemCacheFromDump(x, x, x)
_IopLiveDumpRemoveSystemCacheFromDump@12 proc near
					; CODE XREF: IopLiveDumpPopulateBitmapForDump(x)+46p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], edx
		mov	eax, edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], eax
		mov	ebx, edx
		mov	[esi], edx
		test	byte ptr [edi+30h], 80h
		mov	[esi+4], edx
		jz	short loc_72D315
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		mov	ebx, eax
		mov	[ebp+var_8], edx
		mov	eax, [ebp+var_C]
		xor	edx, edx

loc_72D315:				; CODE XREF: IopLiveDumpRemoveSystemCacheFromDump(x,x,x)+28j
		lea	ecx, [edi+194h]
		mov	[ebp+var_10], edx
		mov	[ebp+var_18], ecx
		or	eax, 1
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], offset _IoFreeDumpRange@16 ; IoFreeDumpRange(x,x,x,x)
		mov	[ebp+var_C], eax
		call	_MmRemoveSystemCacheFromDump@4 ; MmRemoveSystemCacheFromDump(x)
		test	byte ptr [edi+30h], 80h
		jz	short loc_72D350
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		sub	eax, ebx
		mov	[esi], eax
		sbb	edx, [ebp+var_8]
		mov	[esi+4], edx

loc_72D350:				; CODE XREF: IopLiveDumpRemoveSystemCacheFromDump(x,x,x)+63j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_IopLiveDumpRemoveSystemCacheFromDump@12 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpResetCorralContext(x)
_IopLiveDumpResetCorralContext@4 proc near
					; CODE XREF: IopLiveDumpAllocAndInitResources(x)+5Ap
		xor	eax, eax
		mov	[ecx+4], eax
		push	edi
		mov	[ecx+8], eax
		lea	edi, [ecx+44h]
		mov	[ecx+0Ch], eax
		mov	[ecx+10h], eax
		stosd
		stosd
		stosd
		pop	edi
		retn
_IopLiveDumpResetCorralContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpStartDumpDataBuffering(x)
_IopLiveDumpStartDumpDataBuffering@4 proc near
					; CODE XREF: IopLiveDumpEndMirroringCallback(x)+247p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		mov	ecx, offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_BUFFERING_START
		call	_IopLiveDumpTrace@4 ; IopLiveDumpTrace(x)
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		lea	ecx, [esi+0B8h]
		pop	edx
		call	_IopLiveDumpInitiateCorralStateChange@12 ; IopLiveDumpInitiateCorralStateChange(x,x,x)
		mov	ecx, offset _LIVEDUMP_EVENT_CAPTURE_PAGES_WORKFLOW_BUFFERING_END
		call	_IopLiveDumpTrace@4 ; IopLiveDumpTrace(x)
		test	byte ptr [esi+30h], 80h
		jz	short loc_72D3C6
		mov	eax, [ebp+var_8]
		mov	ecx, esi
		mov	[esi+170h], eax
		mov	eax, [ebp+var_4]
		mov	[esi+174h], eax
		call	_IopLiveDumpTraceCaptureDumpDataBufferingDuration@4 ; IopLiveDumpTraceCaptureDumpDataBufferingDuration(x)

loc_72D3C6:				; CODE XREF: IopLiveDumpStartDumpDataBuffering(x)+3Dj
		pop	esi
		leave
		retn
_IopLiveDumpStartDumpDataBuffering@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpStartMirroringCallback()
_IopLiveDumpStartMirroringCallback@0 proc near
					; DATA XREF: IopLiveDumpCaptureMemoryPages(x)+53o
					; IopLiveDumpEstimateMemoryPages(x)+4Fo
		call	_IopLiveDumpTraceMirroringStart@4 ; IopLiveDumpTraceMirroringStart(x)
		xor	eax, eax
		retn
_IopLiveDumpStartMirroringCallback@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpUncorralProcessors(x, x)
_IopLiveDumpUncorralProcessors@8 proc near
					; CODE XREF: IopLiveDumpCaptureMemoryPages(x)+12Bp
					; IopLiveDumpEndMirroringCallback(x)+258p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_1], dl
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_28], eax
		mov	edi, eax
		mov	[ebp+var_24], eax
		mov	ebx, eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	eax, [esi]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	5
		pop	edx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ebx
		call	_IopLiveDumpInitiateCorralStateChange@12 ; IopLiveDumpInitiateCorralStateChange(x,x,x)
		lea	eax, [ebp+var_20]
		mov	ecx, esi
		push	eax
		push	8
		pop	edx
		call	_IopLiveDumpInitiateCorralStateChange@12 ; IopLiveDumpInitiateCorralStateChange(x,x,x)
		mov	eax, [ebp+var_8]
		test	dword ptr [eax+30h], 100h
		jnz	short loc_72D43E
		lea	eax, [ebp+var_10]
		mov	ecx, esi
		push	eax
		push	6
		pop	edx
		call	_IopLiveDumpInitiateCorralStateChange@12 ; IopLiveDumpInitiateCorralStateChange(x,x,x)
		mov	ebx, [ebp+var_C]
		mov	edi, [ebp+var_10]

loc_72D43E:				; CODE XREF: IopLiveDumpUncorralProcessors(x,x)+57j
		lea	eax, [ebp+var_28]
		mov	ds:_PoAllProcIntrDisabled, 0
		push	eax
		or	edx, 0FFFFFFFFh
		mov	ecx, esi
		call	_IopLiveDumpInitiateCorralStateChange@12 ; IopLiveDumpInitiateCorralStateChange(x,x,x)
		lea	eax, [esi+38h]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		cmp	[ebp+var_1], 1
		jnz	short loc_72D46B
		mov	cl, [esi+34h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_72D46B:				; CODE XREF: IopLiveDumpUncorralProcessors(x,x)+8Fj
		call	_IopLiveDumpUnLockPages@0 ; IopLiveDumpUnLockPages()
		mov	ecx, [ebp+var_8]
		and	dword ptr [esi+4], 0FFFFFFFEh
		call	_IopLiveDumpTraceSystemQuiesceEnd@4 ; IopLiveDumpTraceSystemQuiesceEnd(x)
		mov	eax, [ebp+var_8]
		test	byte ptr [eax+30h], 80h
		jz	short loc_72D4A0
		push	[ebp+var_14]
		mov	ecx, [esi]
		push	[ebp+var_18]
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	ebx
		push	edi
		push	[ebp+var_24]
		push	[ebp+var_28]
		call	_IopLiveDumpTraceUncorralProcessorsDuration@36 ; IopLiveDumpTraceUncorralProcessorsDuration(x,x,x,x,x,x,x,x,x)

loc_72D4A0:				; CODE XREF: IopLiveDumpUncorralProcessors(x,x)+B2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopLiveDumpUncorralProcessors@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprEndMirroring(x)
_PnprEndMirroring@4 proc near		; DATA XREF: PnprInitiateReplaceOperation()+121o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		cmp	[ebp+arg_0], esi
		jnz	short loc_72D4C7
		mov	eax, ds:_PnprContext
		mov	byte ptr [eax+9Ch], 1
		call	_PnprQuiesce@0	; PnprQuiesce()
		mov	esi, eax
		jmp	short loc_72D4F9
; 

loc_72D4C7:				; CODE XREF: PnprEndMirroring(x)+Bj
		cmp	[ebp+arg_0], 1
		jnz	short loc_72D4F9
		call	_PnprSwap@0	; PnprSwap()
		mov	esi, eax
		test	esi, esi
		jns	short loc_72D4EB
		mov	eax, ds:_PnprContext
		push	dword ptr [eax+224h]
		push	3
		call	ds:off_6B128C	; xHalDpReplaceControl(x,x)

loc_72D4EB:				; CODE XREF: PnprEndMirroring(x)+31j
		call	_PnprWakeProcessors@0 ;	PnprWakeProcessors()
		test	esi, esi
		js	short loc_72D4F9
		mov	esi, 40000294h

loc_72D4F9:				; CODE XREF: PnprEndMirroring(x)+20j
					; PnprEndMirroring(x)+26j ...
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_PnprEndMirroring@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprGetMillisecondCounter(x)
_PnprGetMillisecondCounter@4 proc near	; CODE XREF: PnprMirrorPhysicalMemory(x,x,x,x)+2Ep
					; PnprSwapFinalize()+3Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		lea	eax, [ebp+var_8]
		xor	esi, esi
		push	eax
		mov	bl, cl
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		push	esi
		push	3E8h
		push	edx
		push	eax
		call	__allmul
		push	[ebp+var_4]
		push	[ebp+var_8]
		push	edx
		push	eax
		call	__alldiv
		test	bl, bl
		jnz	short loc_72D549
		mov	esi, ds:dword_6FDFCC
		sub	esi, ds:dword_6FDFC8
		add	esi, eax

loc_72D549:				; CODE XREF: PnprGetMillisecondCounter(x)+39j
		mov	ds:dword_6FDFC8, eax
		mov	eax, esi
		mov	ds:dword_6FDFCC, esi
		pop	esi
		pop	ebx
		leave
		retn
_PnprGetMillisecondCounter@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprInitiateReplaceOperation()
_PnprInitiateReplaceOperation@0	proc near ; CODE XREF: PnpReplacePartitionUnit(x)+868p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ds:_PnprContext
		lea	edi, [ebp+var_18]
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		push	eax
		push	eax
		mov	[ebp+var_1], al
		mov	bl, al
		mov	edi, eax
		lea	eax, [esi+1DCh]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esi+1ECh]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esi+1FCh]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esi+20Ch]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		test	byte ptr [esi+30h], 20h
		jnz	short loc_72D61F
		push	51706E50h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_72D60A
		mov	eax, ds:_PnprContext
		mov	esi, 0C000009Ah
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_72D5EC
		mov	ecx, 67Fh

loc_72D5EC:				; CODE XREF: PnprInitiateReplaceOperation()+8Bj
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_72D5FF
		push	0Ah

loc_72D5FE:				; CODE XREF: PnprInitiateReplaceOperation()+18Cj
		pop	ecx

loc_72D5FF:				; CODE XREF: PnprInitiateReplaceOperation()+A0j
					; PnprInitiateReplaceOperation()+F2j ...
		mov	[eax+264h], ecx
		jmp	loc_72D788
; 

loc_72D60A:				; CODE XREF: PnprInitiateReplaceOperation()+77j
		and	dword ptr [edi], 0
		push	0
		push	edi
		mov	dword ptr [edi+8], offset _PnprQuiesceWorker@4 ; PnprQuiesceWorker(x)
		mov	[edi+0Ch], edi
		call	ExQueueWorkItem

loc_72D61F:				; CODE XREF: PnprInitiateReplaceOperation()+60j
		call	_PnprReplaceStart@0 ; PnprReplaceStart()
		mov	esi, eax
		test	esi, esi
		jns	short loc_72D651
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_72D63E
		mov	ecx, 68Eh

loc_72D63E:				; CODE XREF: PnprInitiateReplaceOperation()+DDj
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_72D5FF
		inc	ecx
		jmp	short loc_72D5FF
; 

loc_72D651:				; CODE XREF: PnprInitiateReplaceOperation()+CEj
		mov	ecx, ds:_PnprContext
		xor	ebx, ebx
		inc	ebx
		mov	eax, [ecx+14h]
		cmp	dword ptr [eax+4], 0
		jz	loc_72D6EB
		test	byte ptr [ecx+30h], 8
		jnz	short loc_72D6AA
		and	[ebp+var_C], 0
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_18], offset _PnprStartMirroring@0 ; PnprStartMirroring()
		mov	[ebp+var_14], offset _PnprEndMirroring@4 ; PnprEndMirroring(x)
		mov	[ebp+var_10], offset _PnprMirrorPhysicalMemory@16 ; PnprMirrorPhysicalMemory(x,x,x,x)
		mov	[ebp+var_8], 8
		call	_MmDuplicateMemory@4 ; MmDuplicateMemory(x)
		mov	esi, eax
		cmp	esi, 40000294h
		jnz	loc_72D788
		xor	esi, esi
		jmp	loc_72D788
; 

loc_72D6AA:				; CODE XREF: PnprInitiateReplaceOperation()+111j
		push	dword ptr [ecx+228h]
		call	dword ptr [ecx+250h]
		mov	esi, eax
		test	esi, esi
		jns	short loc_72D6EB
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_72D6D0
		mov	ecx, 6D2h

loc_72D6D0:				; CODE XREF: PnprInitiateReplaceOperation()+16Fj
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	loc_72D5FF
		push	8
		jmp	loc_72D5FE
; 

loc_72D6EB:				; CODE XREF: PnprInitiateReplaceOperation()+107j
					; PnprInitiateReplaceOperation()+160j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebp+var_2], al
		call	_PnprQuiesce@0	; PnprQuiesce()
		mov	esi, eax
		test	esi, esi
		js	short loc_72D753
		mov	[ebp+var_1], bl
		call	_PnprSwap@0	; PnprSwap()
		mov	esi, eax
		test	esi, esi
		jns	short loc_72D74C
		mov	eax, ds:_PnprContext
		push	dword ptr [eax+224h]
		push	3
		call	ds:off_6B128C	; xHalDpReplaceControl(x,x)
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_72D734
		mov	ecx, 6E9h

loc_72D734:				; CODE XREF: PnprInitiateReplaceOperation()+1D3j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_72D746
		mov	ecx, ebx

loc_72D746:				; CODE XREF: PnprInitiateReplaceOperation()+1E8j
		mov	[eax+264h], ecx

loc_72D74C:				; CODE XREF: PnprInitiateReplaceOperation()+1B1j
		call	_PnprWakeProcessors@0 ;	PnprWakeProcessors()
		jmp	short loc_72D77F
; 

loc_72D753:				; CODE XREF: PnprInitiateReplaceOperation()+1A3j
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_72D767
		mov	ecx, 6F3h

loc_72D767:				; CODE XREF: PnprInitiateReplaceOperation()+206j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_72D779
		mov	ecx, ebx

loc_72D779:				; CODE XREF: PnprInitiateReplaceOperation()+21Bj
		mov	[eax+264h], ecx

loc_72D77F:				; CODE XREF: PnprInitiateReplaceOperation()+1F7j
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_72D788:				; CODE XREF: PnprInitiateReplaceOperation()+ABj
					; PnprInitiateReplaceOperation()+143j ...
		mov	eax, ds:_PnprContext
		test	byte ptr [eax+30h], 20h
		jz	short loc_72D7A0
		cmp	[ebp+var_1], 0
		jz	short loc_72D7CB
		call	_PnprCompleteWake@0 ; PnprCompleteWake()
		jmp	short loc_72D7CB
; 

loc_72D7A0:				; CODE XREF: PnprInitiateReplaceOperation()+237j
		test	edi, edi
		jz	short loc_72D7CB
		push	0
		push	0
		add	eax, 1FCh
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, ds:_PnprContext
		push	0
		push	0
		push	0
		push	0
		add	eax, 20Ch
		push	eax
		call	KeWaitForSingleObject

loc_72D7CB:				; CODE XREF: PnprInitiateReplaceOperation()+23Dj
					; PnprInitiateReplaceOperation()+244j ...
		mov	eax, ds:_PnprContext
		mov	eax, [eax+224h]
		test	eax, eax
		jz	short loc_72D7E1
		push	eax
		call	ds:off_6B1290	; PopPdcCallback(x)

loc_72D7E1:				; CODE XREF: PnprInitiateReplaceOperation()+27Ej
		test	bl, bl
		jz	short loc_72D806
		mov	ecx, ds:_PnprContext
		mov	eax, [ecx+14h]
		cmp	dword ptr [eax+4], 0
		jz	short loc_72D806
		push	dword ptr [ecx+228h]
		call	dword ptr [ecx+240h]
		test	esi, esi
		js	short loc_72D806
		mov	esi, eax

loc_72D806:				; CODE XREF: PnprInitiateReplaceOperation()+289j
					; PnprInitiateReplaceOperation()+298j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PnprInitiateReplaceOperation@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprMapPhysicalPages(x, x, x, x, x)
_PnprMapPhysicalPages@20 proc near	; CODE XREF: PnprMapTargetSparePhysicalPages(x,x,x,x,x,x,x)+3Bp
					; PnprMapTargetSparePhysicalPages(x,x,x,x,x,x,x)+97p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ds:_PnprContext
		mov	ebx, edx
		push	edi
		mov	[ebp+var_4], ebx
		mov	edi, ecx
		test	byte ptr [esi+30h], 4
		jnz	short loc_72D85C
		mov	eax, [esi+260h]
		test	eax, eax
		jnz	short loc_72D839
		mov	eax, 0FE7h

loc_72D839:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+25j
		mov	[esi+260h], eax
		mov	eax, [esi+264h]
		test	eax, eax
		jnz	short loc_72D84C
		push	8
		pop	eax

loc_72D84C:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+3Aj
		mov	[esi+264h], eax
		mov	eax, 0C000001Ah
		jmp	loc_72D9AA
; 

loc_72D85C:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+1Bj
		mov	edx, [ebp+arg_4]
		mov	eax, edx
		and	eax, 0FFFh
		or	eax, 0
		jnz	loc_72D97D
		mov	ecx, [ebp+var_4]
		mov	ebx, [ebx]
		mov	eax, ebx
		mov	ecx, [ecx+4]
		or	eax, ecx
		jz	loc_72D97D
		mov	eax, ebx
		and	eax, 0FFFh
		or	eax, 0
		jnz	loc_72D97D
		mov	eax, 10000h
		test	ecx, ecx
		jnz	short loc_72D89E
		cmp	ebx, eax
		jbe	short loc_72D8A4

loc_72D89E:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+8Bj
		mov	ebx, eax
		xor	esi, esi
		jmp	short loc_72D8A6
; 

loc_72D8A4:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+8Fj
		mov	esi, ecx

loc_72D8A6:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+95j
		mov	ecx, [edi]
		test	byte ptr [ecx+6], 1
		jz	short loc_72D8C1
		push	ecx
		push	51706E50h
		push	dword ptr [edi+4]
		call	_MmUnmapReservedMapping@12 ; MmUnmapReservedMapping(x,x,x)
		mov	ecx, [edi]
		mov	edx, [ebp+arg_4]

loc_72D8C1:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+9Fj
		and	dword ptr [ecx], 0
		lea	eax, [ebx+0FFFh]
		shr	eax, 0Ch
		mov	[ecx+14h], ebx
		lea	eax, ds:1Ch[eax*4]
		mov	[ecx+4], ax
		xor	eax, eax
		and	[ecx+10h], eax
		and	[ecx+18h], eax
		mov	[ecx+6], ax
		mov	ecx, [edi]
		lea	eax, [ecx+1Ch]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		shrd	edx, eax, 0Ch
		mov	[ebp+arg_8], ebx
		mov	eax, esi
		shrd	[ebp+arg_8], eax, 0Ch
		cmp	[ebp+arg_8], 0
		jz	short loc_72D919
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+arg_8]

loc_72D90C:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+108j
		mov	[eax], edx
		inc	edx
		lea	eax, [eax+4]
		sub	ecx, 1
		jnz	short loc_72D90C
		mov	ecx, [edi]

loc_72D919:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+F7j
		mov	ax, [edi+8]
		or	[ecx+6], ax
		push	1
		push	dword ptr [edi]
		push	51706E50h
		push	dword ptr [edi+4]
		call	MmMapLockedPagesWithReservedMapping
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_72D96C
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_72D94C
		mov	ecx, 1026h

loc_72D94C:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+138j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_72D95F
		push	0Ah
		pop	ecx

loc_72D95F:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+14Dj
		mov	[eax+264h], ecx
		mov	eax, 0C000009Ah
		jmp	short loc_72D9AA
; 

loc_72D96C:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+129j
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	eax, [ebp+var_4]
		mov	[eax], ebx
		mov	[eax+4], esi
		xor	eax, eax
		jmp	short loc_72D9AA
; 

loc_72D97D:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+5Cj
					; PnprMapPhysicalPages(x,x,x,x,x)+6Ej ...
		mov	eax, [esi+260h]
		test	eax, eax
		jnz	short loc_72D98C
		mov	eax, 0FEFh

loc_72D98C:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+178j
		mov	[esi+260h], eax
		mov	eax, [esi+264h]
		test	eax, eax
		jnz	short loc_72D99F
		push	8
		pop	eax

loc_72D99F:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+18Dj
		mov	[esi+264h], eax
		mov	eax, 0C000000Dh

loc_72D9AA:				; CODE XREF: PnprMapPhysicalPages(x,x,x,x,x)+4Aj
					; PnprMapPhysicalPages(x,x,x,x,x)+15Dj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PnprMapPhysicalPages@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprMapTargetSparePhysicalPages(x, x, x, x,	x, x, x)
_PnprMapTargetSparePhysicalPages@28 proc near ;	DATA XREF: PnprReplaceStart()+EDo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, large byte	ptr fs:51h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		imul	edi, eax, 0Ch
		cmp	[ebp+arg_0], 0FFFFFFFFh
		mov	ebx, 7FFFFFFFh
		jnz	short loc_72D9D6
		cmp	[ebp+arg_4], ebx
		jz	short loc_72DA27

loc_72D9D6:				; CODE XREF: PnprMapTargetSparePhysicalPages(x,x,x,x,x,x,x)+1Ej
		push	[ebp+arg_4]
		mov	eax, ds:_PnprContext
		push	[ebp+arg_0]
		mov	edx, [ebp+arg_10]
		push	[ebp+arg_14]
		mov	ecx, [eax+68h]
		add	ecx, edi
		call	_PnprMapPhysicalPages@20 ; PnprMapPhysicalPages(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_72DA27
		mov	ecx, ds:_PnprContext
		mov	edx, [ecx+260h]
		test	edx, edx
		jnz	short loc_72DA0C
		mov	edx, 107Fh

loc_72DA0C:				; CODE XREF: PnprMapTargetSparePhysicalPages(x,x,x,x,x,x,x)+54j
		mov	eax, [ecx+264h]
		mov	[ecx+260h], edx
		test	eax, eax
		jnz	short loc_72DA1F
		push	0Ah
		pop	eax

loc_72DA1F:				; CODE XREF: PnprMapTargetSparePhysicalPages(x,x,x,x,x,x,x)+69j
		mov	[ecx+264h], eax
		jmp	short loc_72DA80
; 

loc_72DA27:				; CODE XREF: PnprMapTargetSparePhysicalPages(x,x,x,x,x,x,x)+23j
					; PnprMapTargetSparePhysicalPages(x,x,x,x,x,x,x)+44j
		cmp	[ebp+arg_8], 0FFFFFFFFh
		jnz	short loc_72DA32
		cmp	[ebp+arg_C], ebx
		jz	short loc_72DA80

loc_72DA32:				; CODE XREF: PnprMapTargetSparePhysicalPages(x,x,x,x,x,x,x)+7Aj
		push	[ebp+arg_C]
		mov	eax, ds:_PnprContext
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_10]
		push	[ebp+arg_18]
		mov	ecx, [eax+6Ch]
		add	ecx, edi
		call	_PnprMapPhysicalPages@20 ; PnprMapPhysicalPages(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_72DA80
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_72DA67
		mov	ecx, 108Bh

loc_72DA67:				; CODE XREF: PnprMapTargetSparePhysicalPages(x,x,x,x,x,x,x)+AFj
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_72DA7A
		push	0Ah
		pop	ecx

loc_72DA7A:				; CODE XREF: PnprMapTargetSparePhysicalPages(x,x,x,x,x,x,x)+C4j
		mov	[eax+264h], ecx

loc_72DA80:				; CODE XREF: PnprMapTargetSparePhysicalPages(x,x,x,x,x,x,x)+74j
					; PnprMapTargetSparePhysicalPages(x,x,x,x,x,x,x)+7Fj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
_PnprMapTargetSparePhysicalPages@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprMarkOrMirrorPages(x, x,	x, x, x)
_PnprMarkOrMirrorPages@20 proc near	; CODE XREF: PnprMirrorPhysicalMemory(x,x,x,x)+45p
					; PnprRecopyAddress(x,x)+2Dp ...

var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	edx, [ebp+arg_8]
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [esp+30h+var_C]
		mov	[esp+30h+var_1D], cl
		mov	ecx, ds:_PnprContext
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_4]
		shrd	esi, eax, 0Ch
		mov	eax, [ebp+arg_C]
		shrd	edx, eax, 0Ch
		lea	eax, [ecx+70h]
		mov	[esp+30h+var_10], esi
		mov	edi, [eax]
		dec	edx
		add	edx, esi
		mov	[esp+30h+var_1C], edx
		jmp	loc_72DB9D
; 

loc_72DAD3:				; CODE XREF: PnprMarkOrMirrorPages(x,x,x,x,x)+11Aj
		mov	eax, [edi+0Ch]
		mov	ebx, [edi+8]
		dec	eax
		add	eax, ebx
		cmp	edx, ebx
		jb	loc_72DBA9
		cmp	esi, ebx
		ja	short loc_72DAEA
		mov	esi, ebx

loc_72DAEA:				; CODE XREF: PnprMarkOrMirrorPages(x,x,x,x,x)+5Dj
		cmp	edx, eax
		jnb	short loc_72DAF0
		mov	eax, edx

loc_72DAF0:				; CODE XREF: PnprMarkOrMirrorPages(x,x,x,x,x)+63j
		cmp	esi, eax
		ja	loc_72DB8E
		sub	eax, esi
		inc	eax
		cmp	[esp+30h+var_1D], 0
		mov	[esp+30h+var_18], eax
		jz	short loc_72DB65
		mov	ebx, [esp+30h+var_18]
		xor	eax, eax
		mov	ecx, [ecx+244h]
		xor	edx, edx
		shld	eax, ebx, 0Ch
		shld	edx, esi, 0Ch
		push	eax
		mov	eax, [esp+34h+var_14]
		shl	ebx, 0Ch
		push	ebx
		push	edx
		shl	esi, 0Ch
		push	esi
		push	dword ptr [eax+228h]
		call	ecx
		test	eax, eax
		jns	short loc_72DB8A
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_72DB4A
		mov	ecx, 0D60h

loc_72DB4A:				; CODE XREF: PnprMarkOrMirrorPages(x,x,x,x,x)+BAj
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_72DB5D
		push	8
		pop	ecx

loc_72DB5D:				; CODE XREF: PnprMarkOrMirrorPages(x,x,x,x,x)+CFj
		mov	[eax+264h], ecx
		jmp	short loc_72DB8A
; 

loc_72DB65:				; CODE XREF: PnprMarkOrMirrorPages(x,x,x,x,x)+7Bj
		add	ecx, 78h
		lea	edx, [esp+30h+var_C]
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		push	[esp+30h+var_18]
		sub	esi, ebx
		lea	eax, [edi+10h]
		push	esi
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		lea	ecx, [esp+30h+var_C]
		call	KeReleaseInStackQueuedSpinLock

loc_72DB8A:				; CODE XREF: PnprMarkOrMirrorPages(x,x,x,x,x)+ABj
					; PnprMarkOrMirrorPages(x,x,x,x,x)+DAj
		mov	edx, [esp+30h+var_1C]

loc_72DB8E:				; CODE XREF: PnprMarkOrMirrorPages(x,x,x,x,x)+69j
		mov	ecx, ds:_PnprContext
		mov	edi, [edi]
		mov	esi, [esp+30h+var_10]
		lea	eax, [ecx+70h]

loc_72DB9D:				; CODE XREF: PnprMarkOrMirrorPages(x,x,x,x,x)+45j
		mov	[esp+30h+var_14], ecx
		cmp	edi, eax
		jnz	loc_72DAD3

loc_72DBA9:				; CODE XREF: PnprMarkOrMirrorPages(x,x,x,x,x)+55j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_PnprMarkOrMirrorPages@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprMirrorMarkedPages()
_PnprMirrorMarkedPages@0 proc near	; CODE XREF: PnprSwap():loc_615FD1p
					; PnprQuiesceProcessorDpc(x,x,x,x):loc_72E0B0p

var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+28h+var_C]
		stosd
		xor	esi, esi
		mov	[esp+28h+var_18], esi
		stosd
		stosd
		movzx	eax, large byte	ptr fs:51h
		mov	edx, ds:_PnprContext
		imul	ecx, eax, 0Ch
		mov	[esp+28h+var_14], eax
		mov	eax, [edx+68h]
		cmp	[ecx+eax], esi
		jz	loc_72DD2B
		mov	eax, [edx+244h]
		mov	[esp+28h+var_10], eax
		mov	eax, [esp+28h+var_14]
		cmp	eax, [edx+80h]
		setz	byte ptr [esp+0Fh]

loc_72DC0B:				; CODE XREF: PnprMirrorMarkedPages()+13Aj
		mov	ecx, ds:_PnprContext
		lea	eax, [ecx+70h]
		mov	ebx, [eax]
		jmp	loc_72DCE0
; 

loc_72DC1B:				; CODE XREF: PnprMirrorMarkedPages()+12Ej
		add	ecx, 78h
		lea	edx, [esp+28h+var_C]
		call	@KeAcquireInStackQueuedSpinLockAtDpcLevel@8 ; KeAcquireInStackQueuedSpinLockAtDpcLevel(x,x)
		lea	ecx, [esp+28h+var_18]
		lea	eax, [ebx+10h]
		push	ecx
		push	eax
		call	RtlFindFirstRunClear
		jmp	short loc_72DC97
; 

loc_72DC37:				; CODE XREF: PnprMirrorMarkedPages()+10Dj
		mov	esi, [ebx+8]
		xor	eax, eax
		add	esi, [esp+28h+var_18]
		mov	ecx, edi
		shld	eax, ecx, 0Ch
		xor	edx, edx
		push	eax
		mov	eax, ds:_PnprContext
		shld	edx, esi, 0Ch
		shl	ecx, 0Ch
		push	ecx
		push	edx
		shl	esi, 0Ch
		push	esi
		push	dword ptr [eax+228h]
		call	[esp+3Ch+var_10]
		mov	esi, eax
		test	esi, esi
		js	loc_72DCFE
		mov	ecx, ds:_PnprContext
		lea	edx, [esp+3Ch+var_20]
		add	[esp+3Ch+var_2C], edi
		add	ecx, 78h
		call	@KeAcquireInStackQueuedSpinLockAtDpcLevel@8 ; KeAcquireInStackQueuedSpinLockAtDpcLevel(x,x)
		lea	eax, [esp+3Ch+var_2C]
		push	eax
		push	[esp+40h+var_2C]
		lea	eax, [ebx+10h]
		push	eax
		call	RtlFindNextForwardRunClear

loc_72DC97:				; CODE XREF: PnprMirrorMarkedPages()+81j
		mov	edi, eax
		test	edi, edi
		jz	short loc_72DCB6
		mov	eax, 140h
		cmp	edi, eax
		jb	short loc_72DCA8
		mov	edi, eax

loc_72DCA8:				; CODE XREF: PnprMirrorMarkedPages()+F0j
		push	edi
		push	[esp+40h+var_2C]
		lea	eax, [ebx+10h]
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)

loc_72DCB6:				; CODE XREF: PnprMirrorMarkedPages()+E7j
		lea	ecx, [esp+3Ch+var_20]
		call	KeReleaseInStackQueuedSpinLockFromDpcLevel
		test	edi, edi
		jnz	loc_72DC37
		mov	eax, ds:_PnprContext
		cmp	dword ptr [eax+94h], 3
		jz	short loc_72DCF6
		mov	ecx, ds:_PnprContext
		mov	ebx, [ebx]
		lea	eax, [ecx+70h]

loc_72DCE0:				; CODE XREF: PnprMirrorMarkedPages()+62j
		cmp	ebx, eax
		jnz	loc_72DC1B
		mov	al, [esp+3Ch+var_2D]

loc_72DCEC:				; CODE XREF: PnprMirrorMarkedPages()+148j
		test	al, al
		jz	loc_72DC0B
		jmp	short loc_72DD2B
; 

loc_72DCF6:				; CODE XREF: PnprMirrorMarkedPages()+11Fj
		mov	al, 1
		mov	[esp+3Ch+var_2D], al
		jmp	short loc_72DCEC
; 

loc_72DCFE:				; CODE XREF: PnprMirrorMarkedPages()+B5j
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_72DD12
		mov	ecx, 0DF0h

loc_72DD12:				; CODE XREF: PnprMirrorMarkedPages()+157j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_72DD25
		push	8
		pop	ecx

loc_72DD25:				; CODE XREF: PnprMirrorMarkedPages()+16Cj
		mov	[eax+264h], ecx

loc_72DD2B:				; CODE XREF: PnprMirrorMarkedPages()+38j
					; PnprMirrorMarkedPages()+140j
		mov	eax, ds:_PnprContext
		mov	ecx, [esp+3Ch+var_28]
		cmp	ecx, [eax+80h]
		jz	short loc_72DD4E
		jmp	short loc_72DD45
; 

loc_72DD3E:				; CODE XREF: PnprMirrorMarkedPages()+198j
		pause
		mov	eax, ds:_PnprContext

loc_72DD45:				; CODE XREF: PnprMirrorMarkedPages()+188j
		cmp	dword ptr [eax+94h], 3
		jl	short loc_72DD3E

loc_72DD4E:				; CODE XREF: PnprMirrorMarkedPages()+186j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PnprMirrorMarkedPages@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprQuiesceDevices(x)
_PnprQuiesceDevices@4 proc near		; CODE XREF: PnprQuiesceWorker(x)+60p
					; PnpReplacePartitionUnit(x)+53Dp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	cl, cl
		push	edi
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		mov	edx, ds:_PnprContext
		push	3Ch		; size_t
		push	0		; int
		push	esi		; void *
		mov	[edx+288h], eax
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [esi+28h], 2
		mov	eax, 88000000h
		mov	dword ptr [esi+2Ch], 5
		lea	ebx, [esi+24h]
		mov	[esi], eax
		mov	ecx, ebx
		mov	[esi+30h], eax
		call	PoBlockConsoleSwitch
		mov	ecx, ebx
		mov	[esi+20h], eax
		call	_PoStartPowerStateTasks@4 ; PoStartPowerStateTasks(x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_72DDEA
		mov	ecx, ds:_PnprContext
		mov	edx, [ecx+260h]
		test	edx, edx
		jnz	short loc_72DDCC
		mov	edx, 7B3h

loc_72DDCC:				; CODE XREF: PnprQuiesceDevices(x)+6Ej
		mov	eax, [ecx+264h]
		mov	[ecx+260h], edx
		test	eax, eax
		jnz	short loc_72DDDF
		push	7
		pop	eax

loc_72DDDF:				; CODE XREF: PnprQuiesceDevices(x)+83j
		mov	[ecx+264h], eax
		jmp	loc_72DE80
; 

loc_72DDEA:				; CODE XREF: PnprQuiesceDevices(x)+5Ej
		mov	edx, [esi+20h]
		mov	ecx, ebx
		call	_PoStartPartitionReplace@8 ; PoStartPartitionReplace(x,x)
		xor	eax, eax
		mov	dword ptr [esi+14h], 2
		inc	eax
		lea	ebx, [esi+4]
		push	5
		pop	ecx
		mov	[ebx], eax
		mov	[esi+8], ecx
		mov	[esi+0Ch], ecx
		xor	ecx, ecx
		mov	[esi+10h], eax
		mov	eax, [esi]
		mov	[esi+18h], eax
		call	PoInitializeBroadcast
		mov	edi, eax
		test	edi, edi
		jns	short loc_72DE37
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_72DE67
		mov	ecx, 7CAh
		jmp	short loc_72DE67
; 

loc_72DE37:				; CODE XREF: PnprQuiesceDevices(x)+C8j
		mov	ecx, ebx
		mov	byte ptr [esi+1Eh], 3
		call	PoBroadcastSystemState
		mov	ecx, ebx
		mov	byte ptr [esi+1Eh], 2
		call	PoBroadcastSystemState
		mov	edi, eax
		test	edi, edi
		jns	short loc_72DE80
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_72DE67
		mov	ecx, 7DCh

loc_72DE67:				; CODE XREF: PnprQuiesceDevices(x)+D7j
					; PnprQuiesceDevices(x)+DEj ...
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_72DE7A
		push	7
		pop	ecx

loc_72DE7A:				; CODE XREF: PnprQuiesceDevices(x)+11Ej
		mov	[eax+264h], ecx

loc_72DE80:				; CODE XREF: PnprQuiesceDevices(x)+8Ej
					; PnprQuiesceDevices(x)+FAj
		xor	cl, cl
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		mov	ecx, ds:_PnprContext
		mov	[ecx+28Ch], eax
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PnprQuiesceDevices@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprQuiesceProcessorDpc(x, x, x, x)
_PnprQuiesceProcessorDpc@16 proc near	; DATA XREF: PnprQuiesceProcessors()+4Eo

var_62		= byte ptr -62h
var_61		= byte ptr -61h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		push	8
		xor	eax, eax
		lea	edi, [esp+4Ch+var_20]
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		xor	ebx, ebx
		mov	[esp+48h+var_34], ecx
		inc	ebx
		mov	[esp+48h+var_30], ecx
		mov	[esp+48h+var_36], bl
		mov	[eax], bl
		mov	eax, ds:_PnprContext
		mov	[esp+48h+var_28], ecx
		lock inc dword ptr [eax+84h]
		mov	esi, [ebp+arg_8]
		jmp	short loc_72DEE2
; 

loc_72DEE0:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+51j
		pause

loc_72DEE2:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+42j
		mov	eax, ds:_PnprContext
		cmp	[eax+84h], esi
		jl	short loc_72DEE0
		mov	eax, ds:_PnprContext
		test	byte ptr [eax+30h], 20h
		jz	short loc_72DF2D
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	ecx, ds:_PnprContext
		mov	[esp+48h+var_36], al
		lock inc dword ptr [ecx+8Ch]
		mov	ecx, ds:_PnprContext
		cmp	[ecx+8Ch], esi
		jge	short loc_72DF2D

loc_72DF1E:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+8Fj
		pause
		mov	eax, ds:_PnprContext
		cmp	[eax+8Ch], esi
		jl	short loc_72DF1E

loc_72DF2D:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+5Cj
					; PnprQuiesceProcessorDpc(x,x,x,x)+80j
		mov	edi, [ebp+arg_C]
		lea	eax, [esp+48h+var_34]
		push	eax
		push	edi
		call	_KeGetProcessorNumberFromIndex@8 ; KeGetProcessorNumberFromIndex(x,x)
		test	eax, eax
		js	loc_72E1A8
		mov	cl, byte ptr [esp+48h+var_34+2]
		mov	edx, ebx
		movzx	eax, word ptr [esp+48h+var_34]
		shl	edx, cl
		mov	ecx, ds:_PnprContext
		mov	[esp+48h+var_2C], eax
		mov	esi, eax
		mov	[esp+48h+var_24], edx
		mov	eax, [ecx+10h]
		mov	eax, [eax]
		test	[eax+esi*4], edx
		mov	esi, [ebp+arg_8]
		jz	loc_72E082
		cmp	[ecx+94h], ebx
		jge	short loc_72DF88

loc_72DF79:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+EAj
		pause
		mov	eax, ds:_PnprContext
		cmp	[eax+94h], ebx
		jl	short loc_72DF79

loc_72DF88:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+DBj
		call	_KeSuspendClockTimerSafe@0 ; KeSuspendClockTimerSafe()
		call	KeSaveIptStateBeforeProcessorGoesOffline
		mov	ecx, ds:0FFDF03D8h
		mov	eax, ds:0FFDF03DCh
		or	ecx, ds:0FFDF05F0h
		or	eax, ds:0FFDF05F4h
		or	ecx, 3
		push	eax
		push	ecx
		lea	ecx, [esp+50h+var_20]
		mov	[esp+50h+var_35], 0
		call	KeSaveExtendedAndSupervisorState
		test	eax, eax
		js	short loc_72DFC4
		mov	[esp+48h+var_35], bl

loc_72DFC4:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+122j
		lea	eax, [esp+48h+var_30]
		push	eax
		push	edi
		call	ds:__imp__HalGetProcessorIdByNtNumber@8	; HalGetProcessorIdByNtNumber(x,x)
		test	eax, eax
		js	loc_72E1A8
		mov	eax, ds:_PnprContext
		test	byte ptr [eax+234h], 2
		jz	short loc_72DFF7
		push	ebx
		push	dword ptr [esp+1Ch]
		push	dword ptr [eax+228h]
		call	dword ptr [eax+248h]

loc_72DFF7:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+148j
		mov	eax, ds:_PnprContext
		test	byte ptr [eax+30h], 20h
		jz	short loc_72E013
		lea	ecx, [esp+5Ch+var_3C]
		push	ecx
		push	dword ptr [eax+224h]
		call	ds:off_6B12BC	; xHalDpGetInterruptReplayState(x,x)

loc_72E013:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+164j
		mov	eax, ds:_PnprContext
		push	dword ptr [eax+224h]
		call	ds:off_6B1288	; xHalLocateHiberRanges(x)
		mov	eax, ds:_PnprContext
		test	byte ptr [eax+234h], 2
		jz	short loc_72E044
		push	0
		push	[esp+6Ch+var_50]
		push	dword ptr [eax+228h]
		call	dword ptr [eax+248h]

loc_72E044:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+194j
		call	_KeResumeClockTimerSafe@0 ; KeResumeClockTimerSafe()
		mov	eax, ds:_PnprContext
		test	byte ptr [eax+30h], 20h
		jz	short loc_72E05C
		cmp	[esp+74h+var_62], 0
		jz	short loc_72E05C
		sti

loc_72E05C:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+1B6j
					; PnprQuiesceProcessorDpc(x,x,x,x)+1BDj
		call	_KeRestoreProcessorSpecificFeatures@0 ;	KeRestoreProcessorSpecificFeatures()
		cmp	[esp+74h+var_61], 0
		jz	short loc_72E071
		lea	ecx, [esp+74h+var_4C]
		call	KeRestoreExtendedAndSupervisorState

loc_72E071:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+1CAj
		call	KeRestoreIptStateAfterProcessorComesOnline
		mov	eax, ds:_PnprContext
		lock inc dword ptr [eax+98h]

loc_72E082:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+CFj
		mov	ecx, ds:_PnprContext
		mov	eax, [ecx+14h]
		cmp	dword ptr [eax+4], 0
		jz	short loc_72E0F5
		test	byte ptr [ecx+30h], 8
		jnz	short loc_72E0F5
		cmp	dword ptr [ecx+94h], 2
		jge	short loc_72E0B0

loc_72E0A0:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+212j
		pause
		mov	eax, ds:_PnprContext
		cmp	dword ptr [eax+94h], 2
		jl	short loc_72E0A0

loc_72E0B0:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+202j
		call	_PnprMirrorMarkedPages@0 ; PnprMirrorMarkedPages()
		test	eax, eax
		jns	short loc_72E0E5
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_72E0CD
		mov	ecx, 8D2h

loc_72E0CD:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+22Aj
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jz	short loc_72E0DF
		mov	ebx, ecx

loc_72E0DF:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+23Fj
		mov	[eax+264h], ebx

loc_72E0E5:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+21Bj
		mov	eax, ds:_PnprContext
		lock inc dword ptr [eax+98h]
		jmp	short loc_72E0F5
; 

loc_72E0F3:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+265j
		pause

loc_72E0F5:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+1F3j
					; PnprQuiesceProcessorDpc(x,x,x,x)+1F9j ...
		mov	eax, ds:_PnprContext
		cmp	dword ptr [eax+94h], 4
		jl	short loc_72E0F3
		mov	eax, ds:_PnprContext
		lea	edx, [edi+48h]
		lea	ecx, [eax+0A0h]
		lea	edx, [eax+edx*4]
		lea	ecx, [ecx+edi*4]
		call	_PnprGetStackLimits@8 ;	PnprGetStackLimits(x,x)
		mov	eax, ds:_PnprContext
		lock inc dword ptr [eax+98h]
		jmp	short loc_72E12C
; 

loc_72E12A:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+29Cj
		pause

loc_72E12C:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+28Cj
		mov	eax, ds:_PnprContext
		cmp	dword ptr [eax+94h], 5
		jl	short loc_72E12A
		mov	eax, ds:_PnprContext
		test	byte ptr [eax+30h], 20h
		jz	short loc_72E182
		jmp	short loc_72E14E
; 

loc_72E147:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+2B9j
		pause
		mov	eax, ds:_PnprContext

loc_72E14E:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+2A9j
		cmp	dword ptr [eax+94h], 6
		jl	short loc_72E147
		mov	eax, ds:_PnprContext
		mov	edx, [esp+74h+var_58]
		mov	ecx, [esp+74h+var_50]
		mov	eax, [eax+10h]
		mov	eax, [eax]
		test	[eax+edx*4], ecx
		jnz	short loc_72E178
		cmp	[esp+74h+var_62], 0
		jz	short loc_72E182
		sti
		jmp	short loc_72E182
; 

loc_72E178:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+2D0j
		push	[esp+74h+var_54]
		call	ds:off_6B12C0	; xHalDpReplayInterrupts(x)

loc_72E182:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+2A7j
					; PnprQuiesceProcessorDpc(x,x,x,x)+2D7j ...
		mov	eax, ds:_PnprContext
		lock inc dword ptr [eax+88h]
		jmp	short loc_72E192
; 

loc_72E190:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+301j
		pause

loc_72E192:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+2F2j
		mov	eax, ds:_PnprContext
		cmp	[eax+88h], esi
		jl	short loc_72E190
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_72E1A8:				; CODE XREF: PnprQuiesceProcessorDpc(x,x,x,x)+A1j
					; PnprQuiesceProcessorDpc(x,x,x,x)+136j
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PnprQuiesceProcessorDpc@16 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprQuiesceProcessors()
_PnprQuiesceProcessors@0 proc near	; CODE XREF: PnprQuiesce():loc_615D3Ep

var_45		= dword	ptr -45h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+58h+var_10]
		stosd
		push	8
		pop	ecx
		stosd
		stosd
		xor	eax, eax
		and	[esp+58h+var_45+1], eax
		lea	edi, [esp+58h+var_30]
		rep stosd
		mov	[esp+58h+var_34], eax
		mov	cl, 2
		mov	eax, ds:_PnprContext
		mov	ebx, [eax+7Ch]
		mov	[esp+58h+var_40], ebx
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		lea	eax, [esp+58h+var_45]
		push	eax
		push	offset _PnprQuiesceProcessorDpc@16 ; PnprQuiesceProcessorDpc(x,x,x,x)
		lea	eax, [esp+60h+var_30]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	eax, ds:_PnprContext
		lea	edi, [esp+58h+var_10]
		mov	esi, offset _KeActiveProcessors
		mov	byte ptr [esp+58h+var_30+1], 2
		movsd
		movsd
		movsd
		mov	eax, [eax+80h]
		mov	ecx, [esp+58h+var_8]
		btr	ecx, eax
		mov	[esp+58h+var_8], ecx
		mov	eax, [esp+58h+var_8]
		mov	[esp+58h+var_38], eax
		lea	eax, [esp+58h+var_10]
		mov	[esp+58h+var_3C], eax

loc_72E241:				; CODE XREF: PnprQuiesceProcessors()+D7j
		lea	eax, [esp+58h+var_3C]
		push	eax
		lea	eax, [esp+5Ch+var_45+1]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_72E286
		mov	eax, [esp+58h+var_14]
		mov	ecx, [esp+58h+var_45+1]
		test	eax, eax
		jnz	short loc_72E268
		lea	eax, [ecx+20h]
		mov	word ptr [esp+58h+var_30+2], ax

loc_72E268:				; CODE XREF: PnprQuiesceProcessors()+B1j
		push	ecx
		push	ebx
		lea	eax, [esp+60h+var_30]
		mov	byte ptr [esp+60h+var_45], 0
		push	eax
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		jmp	short loc_72E27D
; 

loc_72E27B:				; CODE XREF: PnprQuiesceProcessors()+D5j
		pause

loc_72E27D:				; CODE XREF: PnprQuiesceProcessors()+CCj
		cmp	byte ptr [esp+58h+var_45], 0
		jz	short loc_72E27B
		jmp	short loc_72E241
; 

loc_72E286:				; CODE XREF: PnprQuiesceProcessors()+A5j
		mov	eax, ds:_PnprContext
		test	byte ptr [eax+30h], 20h
		jz	short loc_72E2D7
		call	ds:off_6B12B4	; xHalDpUnmaskLevelTriggeredInterrupts()
		test	eax, eax
		jns	short loc_72E2D7
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_72E2AF
		mov	ecx, 98Fh

loc_72E2AF:				; CODE XREF: PnprQuiesceProcessors()+FBj
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_72E2C0
		inc	ecx

loc_72E2C0:				; CODE XREF: PnprQuiesceProcessors()+110j
		mov	[eax+264h], ecx

loc_72E2C6:				; CODE XREF: PnprQuiesceProcessors()+26Dj
		mov	edi, offset _KeActiveProcessors
		lea	esi, [esp+58h+var_10]
		movsd
		movsd
		movsd
		jmp	loc_72E44D
; 

loc_72E2D7:				; CODE XREF: PnprQuiesceProcessors()+E2j
					; PnprQuiesceProcessors()+ECj
		mov	eax, ds:_PnprContext
		push	dword ptr [eax+224h]
		push	0
		call	ds:off_6B128C	; xHalDpReplaceControl(x,x)
		call	_KeSuspendClockTimerSafe@0 ; KeSuspendClockTimerSafe()
		xor	cl, cl
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		mov	ecx, ds:_PnprContext
		and	dword ptr [ecx+26Ch], 0
		mov	[ecx+268h], eax
		lock inc dword ptr [ecx+84h]
		jmp	short loc_72E314
; 

loc_72E312:				; CODE XREF: PnprQuiesceProcessors()+172j
		pause

loc_72E314:				; CODE XREF: PnprQuiesceProcessors()+163j
		mov	eax, ds:_PnprContext
		cmp	[eax+84h], ebx
		jl	short loc_72E312
		mov	ecx, ds:_PnprContext
		xor	ebx, ebx
		inc	ebx
		test	byte ptr [ecx+30h], 20h
		jz	short loc_72E371
		lock inc dword ptr [ecx+8Ch]
		mov	ecx, [esp+18h]
		jmp	short loc_72E33F
; 

loc_72E33D:				; CODE XREF: PnprQuiesceProcessors()+19Dj
		pause

loc_72E33F:				; CODE XREF: PnprQuiesceProcessors()+18Ej
		mov	eax, ds:_PnprContext
		cmp	[eax+8Ch], ecx
		jl	short loc_72E33D
		mov	eax, ds:_PnprContext
		push	ebx
		push	dword ptr [eax+228h]
		call	dword ptr [eax+25Ch]
		xor	cl, cl
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		mov	ecx, ds:_PnprContext
		mov	[ecx+270h], eax

loc_72E371:				; CODE XREF: PnprQuiesceProcessors()+181j
		mov	esi, offset _KeActiveProcessors
		lea	edi, [esp+68h+var_20]
		movsd
		movsd
		movsd
		mov	edx, [ecx+10h]
		xor	ecx, ecx
		cmp	[edx+4], ecx
		jbe	short loc_72E39B

loc_72E387:				; CODE XREF: PnprQuiesceProcessors()+1ECj
		mov	eax, [edx]
		mov	eax, [eax+ecx*4]
		not	eax
		and	ds:dword_70E328[ecx*4],	eax
		inc	ecx
		cmp	ecx, [edx+4]
		jb	short loc_72E387

loc_72E39B:				; CODE XREF: PnprQuiesceProcessors()+1D8j
		mov	ecx, ds:_PnprContext
		mov	eax, [ecx+10h]
		mov	dword ptr [ecx+98h], 0
		mov	[ecx+94h], ebx
		cmp	dword ptr [eax+0Ch], 0
		jz	short loc_72E41F
		xor	cl, cl
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		mov	ecx, ds:_PnprContext
		push	dword ptr [ecx+224h]
		mov	[ecx+274h], eax
		push	ebx
		call	ds:off_6B128C	; xHalDpReplaceControl(x,x)
		xor	cl, cl
		mov	esi, eax
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		mov	ecx, ds:_PnprContext
		mov	[ecx+278h], eax
		test	esi, esi
		jns	short loc_72E41F
		mov	eax, [ecx+260h]
		test	eax, eax
		jnz	short loc_72E402
		mov	eax, 9E4h

loc_72E402:				; CODE XREF: PnprQuiesceProcessors()+24Ej
		mov	[ecx+260h], eax
		mov	eax, [ecx+264h]
		test	eax, eax
		jz	short loc_72E414
		mov	ebx, eax

loc_72E414:				; CODE XREF: PnprQuiesceProcessors()+263j
		mov	[ecx+264h], ebx
		jmp	loc_72E2C6
; 

loc_72E41F:				; CODE XREF: PnprQuiesceProcessors()+20Bj
					; PnprQuiesceProcessors()+244j
		mov	edi, offset _KeActiveProcessors
		lea	esi, [esp+68h+var_20]
		movsd
		movsd
		movsd
		mov	ecx, [ecx+98h]
		jmp	short loc_72E440
; 

loc_72E433:				; CODE XREF: PnprQuiesceProcessors()+29Ej
		pause
		mov	eax, ds:_PnprContext
		mov	ecx, [eax+98h]

loc_72E440:				; CODE XREF: PnprQuiesceProcessors()+284j
		mov	eax, ds:_PnprContext
		mov	eax, [eax+10h]
		cmp	ecx, [eax+0Ch]
		jl	short loc_72E433

loc_72E44D:				; CODE XREF: PnprQuiesceProcessors()+125j
		mov	ecx, [esp+68h+var_14]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PnprQuiesceProcessors@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprQuiesceWorker(x)
_PnprQuiesceWorker@4 proc near		; DATA XREF: PnprInitiateReplaceOperation()+B6o

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_40]
		push	3Ch		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	ecx, ds:_PnprContext
		add	esp, 0Ch
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ecx+1DCh]
		push	ebx
		mov	[ebp+var_48], eax
		lea	eax, [ecx+1FCh]
		push	ebx
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_48]
		push	1
		push	eax
		push	2
		call	KeWaitForMultipleObjects
		cmp	eax, 1
		jz	short loc_72E506
		push	esi
		call	_PnprLockPagesForReplace@0 ; PnprLockPagesForReplace()
		lea	ecx, [ebp+var_40]
		call	_PnprQuiesceDevices@4 ;	PnprQuiesceDevices(x)
		mov	ecx, ds:_PnprContext
		mov	esi, eax
		push	ebx
		push	ebx
		mov	[ecx+21Ch], esi
		add	ecx, 1ECh
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		test	esi, esi
		pop	esi
		js	short loc_72E501
		mov	eax, ds:_PnprContext
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		add	eax, 1FCh
		push	eax
		call	KeWaitForSingleObject
		lea	ecx, [ebp+var_40]
		call	_PnprWakeDevices@4 ; PnprWakeDevices(x)

loc_72E501:				; CODE XREF: PnprQuiesceWorker(x)+84j
		call	_PnprCompleteWake@0 ; PnprCompleteWake()

loc_72E506:				; CODE XREF: PnprQuiesceWorker(x)+55j
		mov	eax, ds:_PnprContext
		push	ebx
		push	ebx
		add	eax, 20Ch
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	51706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PnprQuiesceWorker@4 endp


;  S U B	R O U T	I N E 


; __stdcall PnprWakeDevices(x)
_PnprWakeDevices@4 proc	near		; CODE XREF: PnprQuiesceWorker(x)+9Dp
					; PnpReplacePartitionUnit(x)+545p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	cl, cl
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		mov	edx, ds:_PnprContext
		lea	ecx, [edi+4]
		mov	[edx+290h], eax
		mov	byte ptr [edi+1Dh], 1
		call	PoBroadcastSystemState
		call	_PoClearBroadcast@0 ; PoClearBroadcast()
		mov	edx, [edi+20h]
		lea	esi, [edi+24h]
		mov	ecx, esi
		call	_PoEndPartitionReplace@8 ; PoEndPartitionReplace(x,x)
		mov	ecx, esi
		call	_PoEndPowerStateTasks@4	; PoEndPowerStateTasks(x)
		mov	edx, [edi+20h]
		mov	ecx, esi
		call	_PoUnblockConsoleSwitch@8 ; PoUnblockConsoleSwitch(x,x)
		xor	cl, cl
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		mov	ecx, ds:_PnprContext
		pop	edi
		pop	esi
		mov	[ecx+294h], eax
		xor	eax, eax
		pop	ecx
		retn
_PnprWakeDevices@4 endp


;  S U B	R O U T	I N E 


; __stdcall PnprWakeProcessors()
_PnprWakeProcessors@0 proc near		; CODE XREF: PnprEndMirroring(x):loc_72D4EBp
					; PnprInitiateReplaceOperation():loc_72D74Cp
		mov	eax, ds:_PnprContext
		push	ebx
		push	esi
		xor	ebx, ebx
		test	byte ptr [eax+30h], 20h
		push	edi
		jz	short loc_72E5CF
		push	ebx
		push	dword ptr [eax+228h]
		call	dword ptr [eax+25Ch]
		xor	cl, cl
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		mov	ecx, ds:_PnprContext
		mov	[ecx+284h], eax
		mov	dword ptr [ecx+94h], 6

loc_72E5CF:				; CODE XREF: PnprWakeProcessors()+Ej
		call	_KeRestoreMtrrBroadcast@0 ; KeRestoreMtrrBroadcast()
		push	ebx
		push	ebx
		call	ds:off_6B12A0	; xHalTscSynchronization(x,x)
		call	_KeResumeClockTimerSafe@0 ; KeResumeClockTimerSafe()
		mov	eax, ds:_PnprContext
		push	dword ptr [eax+224h]
		push	2
		call	ds:off_6B128C	; xHalDpReplaceControl(x,x)
		xor	cl, cl
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		mov	edi, ds:_PnprContext
		mov	esi, eax
		mov	ecx, 2710h
		sub	esi, [edi+268h]
		sbb	ebx, [edi+26Ch]
		mov	eax, ebx
		mul	ecx
		mov	edx, 2710h
		mov	ecx, eax
		mov	eax, esi
		mul	edx
		add	ecx, edx
		mov	[edi+268h], eax
		mov	[edi+26Ch], ecx
		mov	dword ptr [edi+94h], 7
		lock inc dword ptr [edi+88h]
		mov	eax, ds:_PnprContext
		test	byte ptr [eax+30h], 20h
		jz	short loc_72E656
		pop	edi
		pop	esi
		pop	ebx
		jmp	ds:off_6B12B8	; xHalDpUnmaskLevelTriggeredInterrupts()
; 

loc_72E656:				; CODE XREF: PnprWakeProcessors()+B6j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PnprWakeProcessors@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInitializeDynamicProcessor(x)
_KiInitializeDynamicProcessor@4	proc near ; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+3F6p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		lea	eax, [ebp+var_8]
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_8], esi
		push	eax
		mov	[ebp+var_4], ebx
		push	offset _KiInitializeDynamicProcessorDpc@16 ; KiInitializeDynamicProcessorDpc(x,x,x,x)
		mov	byte ptr [ebp+var_4], bl
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		cmp	ds:_KeThreadDpcEnable, ebx
		jz	short loc_72E69C
		mov	ecx, esi
		call	KiStartDpcThread
		test	eax, eax
		jns	short loc_72E69C
		push	ebx
		push	ebx
		push	ebx
		push	eax
		push	33h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_72E69C:				; CODE XREF: KiInitializeDynamicProcessor(x)+2Aj
					; KiInitializeDynamicProcessor(x)+35j
		pop	esi
		pop	ebx
		leave
		retn
_KiInitializeDynamicProcessor@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInitializeDynamicProcessorDpc(x, x, x, x)
_KiInitializeDynamicProcessorDpc@16 proc near
					; DATA XREF: KiInitializeDynamicProcessor(x)+17o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	[ebp+arg_C]
		call	_KeSignalCallDpcSynchronize@4 ;	KeSignalCallDpcSynchronize(x)
		xor	ebx, ebx
		inc	ebx
		test	eax, eax
		jnz	short loc_72E6CA
		mov	eax, [ebp+arg_4]
		jmp	short loc_72E6BF
; 

loc_72E6BD:				; CODE XREF: KiInitializeDynamicProcessorDpc(x,x,x,x)+23j
		pause

loc_72E6BF:				; CODE XREF: KiInitializeDynamicProcessorDpc(x,x,x,x)+1Bj
		cmp	byte ptr [eax+4], 0
		jz	short loc_72E6BD
		jmp	loc_72E78B
; 

loc_72E6CA:				; CODE XREF: KiInitializeDynamicProcessorDpc(x,x,x,x)+16j
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	ecx, [esi]
		mov	ecx, [ecx+3CCh]
		call	_KiUpdateNumberProcessors@4 ; KiUpdateNumberProcessors(x)
		mov	ecx, [esi]
		call	KiInitializeProcessor
		mov	ecx, [esi]
		mov	dl, bl
		call	KiConfigureProcessorBlock
		push	ecx
		mov	ecx, ds:_PsInitialSystemProcess
		xor	edx, edx
		push	offset _KeActiveProcessors
		call	KeSetAffinityProcess
		mov	eax, [esi]
		xor	ecx, ecx
		xor	edi, edi
		mov	word ptr [ebp+var_C], bx
		mov	word ptr [ebp+var_C+2],	bx
		mov	[ebp+var_8], edi
		mov	eax, [eax+3CCh]
		bts	ecx, eax
		mov	[ebp+var_4], ecx
		call	ds:__imp__KeRaiseIrqlToSynchLevel@0 ; KeRaiseIrqlToSynchLevel()
		push	edi
		push	edi
		push	edi
		push	offset _KiInitDynamicProcessorIpi@16 ; KiInitDynamicProcessorIpi(x,x,x,x)
		lea	edx, [ebp+var_C]
		xor	ecx, ecx
		mov	bl, al
		call	_KiIpiSendPacket@24 ; KiIpiSendPacket(x,x,x,x,x,x)
		mov	ecx, large fs:20h
		jmp	short loc_72E741
; 

loc_72E73F:				; CODE XREF: KiInitializeDynamicProcessorDpc(x,x,x,x)+A9j
		pause

loc_72E741:				; CODE XREF: KiInitializeDynamicProcessorDpc(x,x,x,x)+9Dj
		mov	eax, [ecx+2120h]
		test	eax, eax
		jnz	short loc_72E73F
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		call	_KeRestoreMtrrBroadcast@0 ; KeRestoreMtrrBroadcast()
		mov	eax, [esi]
		add	eax, 3CCh
		push	eax
		push	edi
		call	ds:off_6B12A0	; xHalTscSynchronization(x,x)
		mov	ecx, [esi]
		xor	ebx, ebx
		inc	ebx
		mov	dl, bl
		call	_KiConfigureSchedulingInformation@8 ; KiConfigureSchedulingInformation(x,x)
		mov	edx, [esi]
		mov	ecx, [edx+338h]
		call	_KiReconfigureNodeSchedulingInformation@8 ; KiReconfigureNodeSchedulingInformation(x,x)
		mov	ds:_KiBarrierWait, edi
		pop	edi
		mov	[esi+4], bl
		pop	esi

loc_72E78B:				; CODE XREF: KiInitializeDynamicProcessorDpc(x,x,x,x)+25j
		mov	ecx, large fs:20h
		mov	dl, bl
		call	_KiConfigureSchedulingInformation@8 ; KiConfigureSchedulingInformation(x,x)
		mov	eax, [ebp+arg_8]
		lock dec dword ptr [eax]
		pop	ebx
		leave
		retn	10h
_KiInitializeDynamicProcessorDpc@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiUpdateNumberProcessors(x)
_KiUpdateNumberProcessors@4 proc near	; CODE XREF: KiInitializeDynamicProcessorDpc(x,x,x,x)+37p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		movzx	eax, large byte	ptr fs:51h
		xor	edx, edx
		mov	[ebp+var_14], eax
		mov	eax, ds:_KeNumberProcessors
		dec	eax
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_10]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	offset _KiUpdateNumberProcessorsIpi@4 ;	KiUpdateNumberProcessorsIpi(x)
		mov	[ebp+var_8], edx
		call	KeIpiGenericCall
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KiUpdateNumberProcessors@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiUpdateNumberProcessorsIpi(x)
_KiUpdateNumberProcessorsIpi@4 proc near ; DATA	XREF: KiUpdateNumberProcessors(x)+3Eo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, large byte	ptr fs:51h
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	ecx, [esi]
		cmp	[esi+4], eax
		jz	short loc_72E829
		lock dec dword ptr [esi+8]
		xor	edi, edi
		jmp	short loc_72E81E
; 

loc_72E81C:				; CODE XREF: KiUpdateNumberProcessorsIpi(x)+26j
		pause

loc_72E81E:				; CODE XREF: KiUpdateNumberProcessorsIpi(x)+1Fj
		cmp	[esi+10h], edi
		jz	short loc_72E81C
		lock dec dword ptr [esi+0Ch]
		jmp	short loc_72E84B
; 

loc_72E829:				; CODE XREF: KiUpdateNumberProcessorsIpi(x)+17j
		xor	edi, edi
		jmp	short loc_72E82F
; 

loc_72E82D:				; CODE XREF: KiUpdateNumberProcessorsIpi(x)+37j
		pause

loc_72E82F:				; CODE XREF: KiUpdateNumberProcessorsIpi(x)+30j
		cmp	[esi+8], edi
		jnz	short loc_72E82D
		xor	edx, edx
		call	_KiUpdateProcessorCount@8 ; KiUpdateProcessorCount(x,x)
		mov	dword ptr [esi+10h], 1
		jmp	short loc_72E846
; 

loc_72E844:				; CODE XREF: KiUpdateNumberProcessorsIpi(x)+4Ej
		pause

loc_72E846:				; CODE XREF: KiUpdateNumberProcessorsIpi(x)+47j
		cmp	[esi+0Ch], edi
		jnz	short loc_72E844

loc_72E84B:				; CODE XREF: KiUpdateNumberProcessorsIpi(x)+2Cj
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
_KiUpdateNumberProcessorsIpi@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiQueryIptSupport(x, x)
_KiQueryIptSupport@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_72E89E
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_72E89E
		call	_KiXSavesManagesIpt@0 ;	KiXSavesManagesIpt()
		test	al, al
		jz	short loc_72E87C
		mov	dword ptr [ecx], 1
		mov	eax, ds:0FFDF0624h
		jmp	short loc_72E890
; 

loc_72E87C:				; CODE XREF: KiQueryIptSupport(x,x)+1Aj
		cmp	ds:_KiIptMsrMask, 0
		jz	short loc_72E894
		mov	eax, ds:_KiIptSaveAreaLength
		mov	dword ptr [ecx], 2

loc_72E890:				; CODE XREF: KiQueryIptSupport(x,x)+27j
		mov	[edx], eax
		jmp	short loc_72E89A
; 

loc_72E894:				; CODE XREF: KiQueryIptSupport(x,x)+30j
		and	dword ptr [ecx], 0
		and	dword ptr [edx], 0

loc_72E89A:				; CODE XREF: KiQueryIptSupport(x,x)+3Fj
		xor	eax, eax
		jmp	short loc_72E8A3
; 

loc_72E89E:				; CODE XREF: KiQueryIptSupport(x,x)+Aj
					; KiQueryIptSupport(x,x)+11j
		mov	eax, 0C000000Dh

loc_72E8A3:				; CODE XREF: KiQueryIptSupport(x,x)+49j
		pop	ebp
		retn	8
_KiQueryIptSupport@8 endp


;  S U B	R O U T	I N E 


; __stdcall KiStartSavingSupervisorState()
_KiStartSavingSupervisorState@0	proc near
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _KiSupervisorXStateFeaturesLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		call	_KiUpdateSavedSupervisorState@0	; KiUpdateSavedSupervisorState()
		mov	esi, eax
		or	edx, 0FFFFFFFFh
		lock xadd [edi], edx
		and	dl, 6
		cmp	dl, 2
		jnz	short loc_72E8E2
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_72E8E2:				; CODE XREF: KiStartSavingSupervisorState()+32j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_KiStartSavingSupervisorState@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiUpdateSavedSupervisorState()
_KiUpdateSavedSupervisorState@0	proc near ; CODE XREF: KiStartSavingSupervisorState()+1Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:_KeNumberProcessors
		push	ebx
		push	esi
		push	4
		pop	ecx
		mov	[ebp+var_8], eax
		xor	ebx, ebx
		mul	ecx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_14], ebx
		push	edx
		push	eax
		mov	[ebp+var_10], ebx
		mov	[ebp+var_4], ebx
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_72E9E5
		push	edi
		push	65687358h
		push	[ebp+var_4]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_72E953
		mov	esi, 0C000009Ah
		jmp	loc_72E9E4
; 

loc_72E953:				; CODE XREF: KiUpdateSavedSupervisorState()+4Dj
		mov	ecx, ds:0FFDF0600h
		sub	ecx, ds:0FFDF03E8h
		mov	edx, ds:_KiIptSaveAreaLength
		add	edx, 7Fh
		add	edx, ecx
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_4], edx
		test	ecx, ecx
		jz	short loc_72E9C6
		mov	eax, offset _KiProcessorBlock
		mov	esi, edi
		sub	eax, edi
		mov	[ebp+var_C], eax

loc_72E980:				; CODE XREF: KiUpdateSavedSupervisorState()+CAj
		mov	eax, [eax+esi]
		cmp	dword ptr [eax+47B8h], 0
		jz	short loc_72E991
		and	dword ptr [esi], 0
		jmp	short loc_72E9BB
; 

loc_72E991:				; CODE XREF: KiUpdateSavedSupervisorState()+90j
		push	65707553h
		push	edx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	short loc_72E9EB
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_8]
		add	esp, 0Ch
		mov	edx, [ebp+var_4]

loc_72E9BB:				; CODE XREF: KiUpdateSavedSupervisorState()+95j
		mov	eax, [ebp+var_C]
		inc	ebx
		add	esi, 4
		cmp	ebx, ecx
		jb	short loc_72E980

loc_72E9C6:				; CODE XREF: KiUpdateSavedSupervisorState()+78j
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], edi
		push	eax
		push	offset _KiIpiUpdateExtendedSupervisorState@4 ; KiIpiUpdateExtendedSupervisorState(x)
		mov	[ebp+var_10], ecx
		call	KeIpiGenericCall
		xor	esi, esi

loc_72E9DC:				; CODE XREF: KiUpdateSavedSupervisorState()+110j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_72E9E4:				; CODE XREF: KiUpdateSavedSupervisorState()+54j
		pop	edi

loc_72E9E5:				; CODE XREF: KiUpdateSavedSupervisorState()+30j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_72E9EB:				; CODE XREF: KiUpdateSavedSupervisorState()+ABj
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_72EA05

loc_72E9F1:				; CODE XREF: KiUpdateSavedSupervisorState()+109j
		mov	eax, [edi+esi*4]
		test	eax, eax
		jz	short loc_72EA00
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_72EA00:				; CODE XREF: KiUpdateSavedSupervisorState()+FCj
		inc	esi
		cmp	esi, ebx
		jb	short loc_72E9F1

loc_72EA05:				; CODE XREF: KiUpdateSavedSupervisorState()+F5j
		mov	esi, 0C000009Ah
		jmp	short loc_72E9DC
_KiUpdateSavedSupervisorState@0	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1326. KeWriteProtectPAT

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeWriteProtectPAT(x)
		public _KeWriteProtectPAT@4
_KeWriteProtectPAT@4 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, 277h
		rdmsr
		mov	[ebp+var_C], eax
		xor	eax, eax
		mov	[ebp+var_8], edx
		cmp	[ebp+arg_0], al
		jz	short loc_72EA4B

loc_72EA37:				; CODE XREF: KeWriteProtectPAT(x)+36j
		cmp	byte ptr [ebp+eax+var_C], 6
		jnz	short loc_72EA43
		mov	byte ptr [ebp+eax+var_C], 5

loc_72EA43:				; CODE XREF: KeWriteProtectPAT(x)+2Bj
		inc	eax
		cmp	eax, 8
		jb	short loc_72EA37
		jmp	short loc_72EA5D
; 

loc_72EA4B:				; CODE XREF: KeWriteProtectPAT(x)+24j
					; KeWriteProtectPAT(x)+4Aj
		cmp	byte ptr [ebp+eax+var_C], 5
		jnz	short loc_72EA57
		mov	byte ptr [ebp+eax+var_C], 6

loc_72EA57:				; CODE XREF: KeWriteProtectPAT(x)+3Fj
		inc	eax
		cmp	eax, 8
		jb	short loc_72EA4B

loc_72EA5D:				; CODE XREF: KeWriteProtectPAT(x)+38j
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_8]
		wrmsr
		call	_KeFlushCurrentTb@0 ; KeFlushCurrentTb()
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_KeWriteProtectPAT@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiConfigureDynamicProcessor()
_KiConfigureDynamicProcessor@0 proc near ; CODE	XREF: KiInitDynamicProcessorIpi(x,x,x,x)p
		mov	edi, edi
		push	esi
		xor	esi, esi
		push	esi
		call	_Ki386EnableDE@4 ; Ki386EnableDE(x)
		mov	eax, ds:_KeFeatureBits
		mov	ecx, cr4
		and	eax, 1000000h
		or	ecx, 600h
		or	eax, esi
		jz	short loc_72EAA0
		or	ecx, 100000h

loc_72EAA0:				; CODE XREF: KiConfigureDynamicProcessor()+20j
		mov	cr4, ecx
		call	KiEnableXSave
		call	KiLoadFastSyscallMachineSpecificRegisters
		mov	eax, large fs:124h
		mov	eax, [eax+4Ch]
		mov	[eax+1Ch], esi
		nop
		fxsave	dword ptr [eax]
		nop
		mov	eax, [eax+1Ch]
		test	eax, eax
		jnz	short loc_72EACA
		mov	eax, 0FFBFh

loc_72EACA:				; CODE XREF: KiConfigureDynamicProcessor()+4Bj
		mov	ecx, ds:_KiMxCsrMask
		cmp	ecx, eax
		jz	short loc_72EAE3
		push	esi
		push	eax
		push	ecx
		push	800h
		push	3Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_72EAE3:				; CODE XREF: KiConfigureDynamicProcessor()+5Aj
		pop	esi
		retn
_KiConfigureDynamicProcessor@0 endp ; sp = -14h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSetCacheInformationAmd(x)
_KiSetCacheInformationAmd@4 proc near	; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+362p

var_46		= byte ptr -46h
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ds:___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+58h+var_40], ecx
		lea	edi, [esp+58h+var_34]
		xor	ecx, ecx
		stosd
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, 80000000h
		cpuid
		mov	esi, ebx
		lea	edi, [esp+5Ch+var_34]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		cmp	[esp+58h+var_34], 80000006h
		jb	loc_72ECE0
		xor	eax, eax
		lea	edi, [esp+58h+var_34]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, 80000001h
		cpuid
		mov	esi, ebx
		lea	edi, [esp+5Ch+var_34]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	[esp+58h+var_2C], 400000h
		jz	short loc_72EB7B
		mov	ecx, [esp+58h+var_40]
		mov	edx, 8000001Dh
		call	KiSetStandardizedCacheInformation
		jmp	loc_72ECE0
; 

loc_72EB7B:				; CODE XREF: KiSetCacheInformationAmd(x)+81j
		mov	eax, [esp+58h+var_40]
		add	eax, 3FD4h
		xor	edx, edx
		mov	[esp+58h+var_3C], eax
		mov	[esp+58h+var_44], edx

loc_72EB8E:				; CODE XREF: KiSetCacheInformationAmd(x)+1F5j
		cmp	edx, 1
		jbe	loc_72EC4B
		cmp	edx, 2
		jz	short loc_72EBFC
		cmp	edx, 3
		jnz	loc_72ECD2
		xor	eax, eax
		lea	edi, [esp+58h+var_24]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, 80000006h
		cpuid
		mov	esi, ebx
		lea	edi, [esp+5Ch+var_24]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		xor	esi, esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	ebx, [esp+58h+var_18]
		mov	eax, ebx
		shr	eax, 8
		shr	al, 4
		mov	cl, al
		mov	[esp+58h+var_45], 3
		movzx	edi, bl
		call	_KiGetL2L3AssociativityAmd@4 ; KiGetL2L3AssociativityAmd(x)
		shr	ebx, 12h
		shl	ebx, 13h
		test	ebx, ebx
		jz	loc_72ECCE
		jmp	loc_72ECA6
; 

loc_72EBFC:				; CODE XREF: KiSetCacheInformationAmd(x)+B5j
		xor	eax, eax
		lea	edi, [esp+58h+var_14]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, 80000006h
		cpuid
		mov	esi, ebx
		lea	edi, [esp+5Ch+var_14]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		xor	esi, esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	ecx, [esp+58h+var_C]
		mov	ebx, ecx
		movzx	eax, cl
		shr	ecx, 8
		mov	edi, eax
		shr	ebx, 6
		shr	cl, 4
		and	ebx, 3FFFC00h
		mov	[esp+58h+var_45], 2
		call	_KiGetL2L3AssociativityAmd@4 ; KiGetL2L3AssociativityAmd(x)
		jmp	short loc_72ECA6
; 

loc_72EC4B:				; CODE XREF: KiSetCacheInformationAmd(x)+ACj
		xor	eax, eax
		lea	edi, [esp+58h+var_34]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, 80000005h
		cpuid
		mov	esi, ebx
		lea	edi, [esp+5Ch+var_34]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	edx, [esp+58h+var_44]
		mov	eax, [esp+58h+var_2C]
		mov	[esp+58h+var_45], 1
		test	edx, edx
		jz	short loc_72EC87
		mov	eax, [esp+58h+var_28]

loc_72EC87:				; CODE XREF: KiSetCacheInformationAmd(x)+19Cj
		mov	ebx, eax
		movzx	edi, al
		shr	ebx, 0Eh
		xor	ecx, ecx
		and	ebx, 3FC00h
		shr	eax, 10h
		test	edx, edx
		setz	cl
		inc	ecx
		mov	[esp+58h+var_38], ecx
		mov	esi, ecx

loc_72ECA6:				; CODE XREF: KiSetCacheInformationAmd(x)+112j
					; KiSetCacheInformationAmd(x)+164j
		mov	ecx, [esp+58h+var_3C]
		mov	dl, [esp+58h+var_45]
		mov	[ecx+1], al
		mov	eax, [esp+58h+var_40]
		mov	[ecx+8], esi
		mov	[ecx], dl
		mov	[ecx+2], di
		mov	[ecx+4], ebx
		add	ecx, 0Ch
		inc	dword ptr [eax+4010h]
		mov	[esp+58h+var_3C], ecx

loc_72ECCE:				; CODE XREF: KiSetCacheInformationAmd(x)+10Cj
		mov	edx, [esp+58h+var_44]

loc_72ECD2:				; CODE XREF: KiSetCacheInformationAmd(x)+BAj
		inc	edx
		mov	[esp+58h+var_44], edx
		cmp	edx, 4
		jb	loc_72EB8E

loc_72ECE0:				; CODE XREF: KiSetCacheInformationAmd(x)+4Cj
					; KiSetCacheInformationAmd(x)+91j
		mov	ecx, [esp+58h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_KiSetCacheInformationAmd@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1440. MmMapUserAddressesToPage

;  S U B	R O U T	I N E 


; __stdcall MmMapUserAddressesToPage(x,	x, x)
		public _MmMapUserAddressesToPage@12
_MmMapUserAddressesToPage@12 proc near
		mov	eax, 0C00000BBh
		retn	0Ch
_MmMapUserAddressesToPage@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiShutdownSystem()
_MiShutdownSystem@0 proc near		; CODE XREF: MmShutdownSystem(x)+Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		cmp	ds:dword_6D302C, edi
		jnz	loc_72EDB7
		call	_CcNotifyWriteBehind@4 ; CcNotifyWriteBehind(x)
		xor	ecx, ecx
		call	_MiFlushAllFilesystemPages@4 ; MiFlushAllFilesystemPages(x)
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		mov	ebx, offset dword_6D50B8
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	ds:dword_6D302C, 1
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_72ED62
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_72ED62:				; CODE XREF: MiShutdownSystem()+5Aj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		push	edi
		push	edi
		push	offset unk_6D4E7C
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		cmp	ds:byte_6D302A,	1
		jnz	short loc_72EDB2
		test	byte ptr ds:_MiFlags, 4
		jnz	short loc_72ED99
		push	ds:_ExPageLockHandle
		call	_MmLockPagableSectionByHandle@4	; MmLockPagableSectionByHandle(x)

loc_72ED99:				; CODE XREF: MiShutdownSystem()+8Dj
		call	_MiZeroAllPageFiles@0 ;	MiZeroAllPageFiles()
		test	byte ptr ds:_MiFlags, 4
		jnz	short loc_72EDB2
		push	ds:_ExPageLockHandle
		call	_MmUnlockPagableImageSection@4 ; MmUnlockPagableImageSection(x)

loc_72EDB2:				; CODE XREF: MiShutdownSystem()+84j
					; MiShutdownSystem()+A6j
		call	_MiDeleteAllHardwareEnclaves@0 ; MiDeleteAllHardwareEnclaves()

loc_72EDB7:				; CODE XREF: MiShutdownSystem()+16j
		cmp	ds:_PopShutdownCleanly,	edi
		jz	loc_72EE59
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	esi, ds:_PsLoadedModuleList
		mov	[esp+18h+var_4], eax
		jmp	short loc_72EE35
; 

loc_72EDD4:				; CODE XREF: MiShutdownSystem()+13Cj
		mov	ebx, [esi+4Ch]
		cmp	ebx, 1
		jz	short loc_72EE22
		cmp	ebx, 0FFFFFFFEh
		jz	short loc_72EE22
		test	bl, 1
		jnz	short loc_72EE22
		mov	eax, [ebx]
		mov	edx, 54446D4Dh
		push	edi
		push	40h
		lea	eax, ds:4[eax*4]
		mov	ecx, eax
		mov	[esp+20h+var_8], eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_72EE3F
		push	[esp+18h+var_8]	; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, ebx
		call	_MiFreeLoadedImportList@4 ; MiFreeLoadedImportList(x)
		mov	[esi+4Ch], edi
		xor	edi, edi

loc_72EE22:				; CODE XREF: MiShutdownSystem()+DBj
					; MiShutdownSystem()+E0j ...
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_72EE33
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+28h], edi

loc_72EE33:				; CODE XREF: MiShutdownSystem()+128j
		mov	esi, [esi]

loc_72EE35:				; CODE XREF: MiShutdownSystem()+D3j
		cmp	esi, offset _PsLoadedModuleList
		jnz	short loc_72EDD4
		jmp	short loc_72EE46
; 

loc_72EE3F:				; CODE XREF: MiShutdownSystem()+107j
		and	ds:_PopShutdownCleanly,	0

loc_72EE46:				; CODE XREF: MiShutdownSystem()+13Ej
		mov	ecx, [esp+18h+var_4]
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		mov	ecx, offset _MiSystemPartition
		call	_MiDeletePagingFiles@4 ; MiDeletePagingFiles(x)

loc_72EE59:				; CODE XREF: MiShutdownSystem()+BEj
		pop	edi
		pop	esi
		mov	al, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiShutdownSystem@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiZeroAllPageFiles()
_MiZeroAllPageFiles@0 proc near		; CODE XREF: MiShutdownSystem():loc_72ED99p

var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_158		= dword	ptr -158h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2CCh
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		lea	eax, [ebp+var_48]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	esi, large fs:124h
		add	esp, 0Ch
		mov	ds:_VfZeroAllPagesRunning, 1
		dec	word ptr [esi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6D50B8
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, ds:dword_6D5D8C
		or	eax, 0FFFFFFFFh
		mov	edi, ds:dword_6D4E9C
		mov	ecx, offset dword_6D50B8
		mov	[ebp+var_2CC], ebx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_72EEDD
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset dword_6D50B8

loc_72EEDD:				; CODE XREF: MiZeroAllPageFiles()+6Fj
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	edi, edi
		jz	loc_72EFB5
		test	ebx, ebx
		jz	loc_72EFB5
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		push	1Ah
		push	offset unk_6D4FF4
		call	KeWaitForSingleObject
		mov	edi, ebx

loc_72EF0C:				; CODE XREF: MiZeroAllPageFiles()+12Cj
		mov	eax, edi
		add	eax, eax
		push	esi
		push	esi
		lea	ebx, [ebp+eax*8+var_158]
		push	ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, ds:dword_6D5D90[edi*4]
		mov	[ebp+edi*4+var_4C], ebx
		test	byte ptr [eax+74h], 40h
		jnz	short loc_72EF83
		push	esi
		push	40h
		push	18h
		mov	edx, 775A6D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_72EF81
		mov	eax, ds:dword_6D5D90[edi*4]
		mov	[esi+10h], eax
		mov	[esi+14h], ebx
		push	0
		cmp	edi, 1
		jz	short loc_72EF71
		and	dword ptr [esi], 0
		push	esi
		mov	dword ptr [esi+8], offset _MiZeroPageFile@4 ; MiZeroPageFile(x)
		mov	[esi+0Ch], esi
		call	ExQueueWorkItem

loc_72EF6D:				; CODE XREF: MiZeroAllPageFiles()+11Dj
		xor	esi, esi
		jmp	short loc_72EF8B
; 

loc_72EF71:				; CODE XREF: MiZeroAllPageFiles()+F6j
		push	0
		push	ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	esi
		call	_MiZeroPageFile@4 ; MiZeroPageFile(x)
		jmp	short loc_72EF6D
; 

loc_72EF81:				; CODE XREF: MiZeroAllPageFiles()+E2j
		xor	esi, esi

loc_72EF83:				; CODE XREF: MiZeroAllPageFiles()+CCj
		push	esi
		push	esi
		push	ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_72EF8B:				; CODE XREF: MiZeroAllPageFiles()+10Dj
		sub	edi, 1
		jnz	loc_72EF0C
		mov	ecx, [ebp+var_2CC]
		cmp	ecx, 1
		jbe	short loc_72EFB5
		lea	eax, [ebp+var_2C8]
		push	eax
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		lea	edx, [ebp+var_48]
		push	edx
		push	ecx
		call	KeWaitForMultipleObjects

loc_72EFB5:				; CODE XREF: MiZeroAllPageFiles()+89j
					; MiZeroAllPageFiles()+91j ...
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		and	ds:_VfZeroAllPagesRunning, 0
		xor	ecx, ebp
		pop	edi
		pop	esi
		inc	eax
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiZeroAllPageFiles@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmShutdownSystem(x)
_MmShutdownSystem@4 proc near		; CODE XREF: PoBroadcastSystemState+B220p
					; PopGracefulShutdown(x)+1A7p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_0], 0
		push	esi
		push	edi
		jnz	short loc_72EFE3
		call	_MiShutdownSystem@0 ; MiShutdownSystem()
		jmp	short loc_72F047
; 

loc_72EFE3:				; CODE XREF: MmShutdownSystem(x)+Cj
		cmp	[ebp+arg_0], 1
		jnz	short loc_72F035
		push	2
		pop	eax
		cmp	ds:dword_6D302C, eax
		jnb	short loc_72F045
		mov	ds:dword_6D302C, eax
		test	byte ptr ds:_PopShutdownCleanly, al
		jz	short loc_72F045
		push	1
		call	_MmTrimAllSystemPagableMemory@4	; MmTrimAllSystemPagableMemory(x)
		mov	edi, ds:dword_6D5D8C
		xor	esi, esi
		test	edi, edi
		jz	short loc_72F045

loc_72F014:				; CODE XREF: MmShutdownSystem(x)+63j
		mov	ecx, ds:dword_6D5D94[esi*4]
		mov	eax, 840h
		test	[ecx+74h], ax
		jnz	short loc_72F02E
		mov	ecx, [ecx+1Ch]
		call	ObfDereferenceObject

loc_72F02E:				; CODE XREF: MmShutdownSystem(x)+56j
		inc	esi
		cmp	esi, edi
		jb	short loc_72F014
		jmp	short loc_72F045
; 

loc_72F035:				; CODE XREF: MmShutdownSystem(x)+19j
		push	3
		pop	eax
		cmp	ds:dword_6D302C, eax
		jnb	short loc_72F045
		mov	ds:dword_6D302C, eax

loc_72F045:				; CODE XREF: MmShutdownSystem(x)+24j
					; MmShutdownSystem(x)+31j ...
		mov	al, 1

loc_72F047:				; CODE XREF: MmShutdownSystem(x)+13j
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
_MmShutdownSystem@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteAllHardwareEnclaves()
_MiDeleteAllHardwareEnclaves@0 proc near ; CODE	XREF: MiShutdownSystem():loc_72EDB2p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		rep stosd
		mov	edi, large fs:124h
		mov	ecx, offset unk_6D35A0
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)

loc_72F08F:				; CODE XREF: MiDeleteAllHardwareEnclaves()+FAj
		dec	word ptr [edi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6D359C
		call	ExAcquirePushLockExclusiveEx
		mov	esi, ds:dword_6D3594
		cmp	esi, offset dword_6D3594
		jz	loc_72F14D
		mov	eax, [esi-4]
		mov	ecx, eax
		mov	[ebp+var_20], eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	esi, [esi-38h]
		or	eax, 0FFFFFFFFh
		shl	esi, 0Ch
		mov	ecx, offset dword_6D359C
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_72F0E4
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset dword_6D359C

loc_72F0E4:				; CODE XREF: MiDeleteAllHardwareEnclaves()+8Aj
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_20]
		call	KeStackAttachProcess
		lea	eax, [ebp+var_24]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	MiObtainReferencedVadEx
		mov	esi, eax
		test	esi, esi
		jz	short loc_72F137
		mov	ecx, [esi+1Ch]
		and	ecx, 3100000h
		cmp	ecx, 2100000h
		jnz	short loc_72F130
		test	byte ptr [esi+28h], 1
		jz	short loc_72F130
		mov	ecx, [ebp+var_20]
		mov	edx, esi
		call	_MiDeleteEnclavePages@8	; MiDeleteEnclavePages(x,x)

loc_72F130:				; CODE XREF: MiDeleteAllHardwareEnclaves()+D0j
					; MiDeleteAllHardwareEnclaves()+D6j
		mov	ecx, esi
		call	MiUnlockAndDereferenceVad

loc_72F137:				; CODE XREF: MiDeleteAllHardwareEnclaves()+BFj
		lea	eax, [ebp+var_1C]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject
		jmp	loc_72F08F
; 

loc_72F14D:				; CODE XREF: MiDeleteAllHardwareEnclaves()+61j
		or	eax, 0FFFFFFFFh
		mov	esi, offset dword_6D359C
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_72F166
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_72F166:				; CODE XREF: MiDeleteAllHardwareEnclaves()+10Fj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, ds:dword_6D3584
		test	eax, eax
		jz	short loc_72F183
		push	eax
		call	_KeRemoveEnclavePage@4 ; KeRemoveEnclavePage(x)

loc_72F183:				; CODE XREF: MiDeleteAllHardwareEnclaves()+12Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_MiDeleteAllHardwareEnclaves@0 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteEnclavePages(x, x)
_MiDeleteEnclavePages@8	proc near	; CODE XREF: MiDeleteVad(x,x,x)+104p
					; MiDeleteAllHardwareEnclaves()+DDp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		push	edi
		mov	eax, [esi+28h]
		test	al, 1
		jz	short loc_72F1B5
		cmp	[esi+44h], ebx
		jz	loc_72F29F

loc_72F1B5:				; CODE XREF: MiDeleteEnclavePages(x,x)+14j
		test	al, 4
		jz	short loc_72F1C8
		mov	eax, [ecx+24Ch]
		add	eax, 70h
		lock dec dword ptr [eax]
		mov	eax, [esi+28h]

loc_72F1C8:				; CODE XREF: MiDeleteEnclavePages(x,x)+21j
		test	al, 8
		jnz	short loc_72F1D1
		call	_MiTerminateHardwareEnclave@8 ;	MiTerminateHardwareEnclave(x,x)

loc_72F1D1:				; CODE XREF: MiDeleteEnclavePages(x,x)+34j
		mov	ecx, [esi+30h]
		mov	edi, [ecx]
		nop
		mov	edx, [ecx+4]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_72F1EC
		push	edx
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	edi, eax

loc_72F1EC:				; CODE XREF: MiDeleteEnclavePages(x,x)+4Bj
		and	edi, 1
		or	edi, ebx
		jz	short loc_72F21E
		mov	eax, [esi+30h]
		shl	eax, 9
		push	eax
		call	_KeRemoveEnclavePage@4 ; KeRemoveEnclavePage(x)
		test	eax, eax
		jns	short loc_72F214
		push	ebx
		push	eax
		push	dword ptr [esi+30h]
		push	18011544h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_72F214:				; CODE XREF: MiDeleteEnclavePages(x,x)+6Bj
		mov	ecx, [esi+30h]
		xor	edx, edx
		call	_MiDeleteEnclavePage@8 ; MiDeleteEnclavePage(x,x)

loc_72F21E:				; CODE XREF: MiDeleteEnclavePages(x,x)+5Bj
		mov	edx, [esi+30h]
		mov	ecx, offset dword_6D35E0
		push	1
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		mov	eax, [esi+34h]
		test	eax, eax
		jz	short loc_72F23B
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_72F23B:				; CODE XREF: MiDeleteEnclavePages(x,x)+9Cj
		or	edx, 0FFFFFFFFh
		mov	ecx, esi
		call	_MiReturnReservedEnclavePages@8	; MiReturnReservedEnclavePages(x,x)
		mov	edi, large fs:124h
		dec	word ptr [edi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6D359C
		call	ExAcquirePushLockExclusiveEx
		add	esi, 44h
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_72F2A4
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_72F2A4
		mov	[eax], ecx
		mov	[ecx+4], eax
		or	eax, 0FFFFFFFFh
		mov	[esi], ebx
		mov	esi, offset dword_6D359C
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_72F291
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_72F291:				; CODE XREF: MiDeleteEnclavePages(x,x)+F2j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_72F29F:				; CODE XREF: MiDeleteEnclavePages(x,x)+19j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_72F2A4:				; CODE XREF: MiDeleteEnclavePages(x,x)+D2j
					; MiDeleteEnclavePages(x,x)+D9j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_MiDeleteEnclavePages@8	endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall MiRemoveEnclavePagesFromMirror(x)
_MiRemoveEnclavePagesFromMirror@4 proc near ; CODE XREF: MiMirrorBlackPhase(x)+12p
		mov	edi, edi
		push	ecx
		mov	eax, ds:dword_6D3580
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		jmp	short loc_72F2BD
; 

loc_72F2B9:				; CODE XREF: MiRemoveEnclavePagesFromMirror(x)+16j
		mov	esi, eax
		mov	eax, [eax]

loc_72F2BD:				; CODE XREF: MiRemoveEnclavePagesFromMirror(x)+Ej
		test	eax, eax
		jnz	short loc_72F2B9
		jmp	short loc_72F2FB
; 

loc_72F2C3:				; CODE XREF: MiRemoveEnclavePagesFromMirror(x)+54j
		push	dword ptr [esi+10h]
		mov	edx, [esi+0Ch]
		mov	ecx, edi
		call	MiMirrorOmitPagesFromCopy
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jz	short loc_72F2F3
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_72F2FB

loc_72F2E1:				; CODE XREF: MiRemoveEnclavePagesFromMirror(x)+40j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_72F2E1
		jmp	short loc_72F2FB
; 

loc_72F2ED:				; CODE XREF: MiRemoveEnclavePagesFromMirror(x)+50j
		cmp	[esi], ecx
		jz	short loc_72F2FB
		mov	ecx, esi

loc_72F2F3:				; CODE XREF: MiRemoveEnclavePagesFromMirror(x)+2Ej
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_72F2ED

loc_72F2FB:				; CODE XREF: MiRemoveEnclavePagesFromMirror(x)+18j
					; MiRemoveEnclavePagesFromMirror(x)+36j ...
		test	esi, esi
		jnz	short loc_72F2C3
		pop	edi
		pop	esi
		pop	ecx
		retn
_MiRemoveEnclavePagesFromMirror@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiReturnReservedEnclavePages(x, x)
_MiReturnReservedEnclavePages@8	proc near ; CODE XREF: MiAddPagesToEnclave(x,x,x,x,x)+365p
					; MiDeleteEnclavePages(x,x)+AAp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	short loc_72F332

loc_72F30C:				; CODE XREF: MiReturnReservedEnclavePages(x,x)+2Dj
		mov	ecx, [esi+38h]
		test	ecx, ecx
		jz	short loc_72F332
		call	_MiGetPfnLink@4	; MiGetPfnLink(x)
		mov	[esi+38h], eax
		sub	ecx, ds:_MmPfnDatabase
		mov	eax, ecx
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, eax
		call	_MiReturnEnclavePage@4 ; MiReturnEnclavePage(x)
		jmp	short loc_72F30C
; 

loc_72F332:				; CODE XREF: MiReturnReservedEnclavePages(x,x)+7j
					; MiReturnReservedEnclavePages(x,x)+Ej
		and	dword ptr [esi+3Ch], 0
		pop	esi
		retn
_MiReturnReservedEnclavePages@8	endp


;  S U B	R O U T	I N E 


; __stdcall MiTerminateHardwareEnclave(x, x)
_MiTerminateHardwareEnclave@8 proc near	; CODE XREF: MiDeleteEnclavePages(x,x)+36p
					; NtTerminateEnclave(x,x)+71p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		push	1
		mov	ecx, [edi+10h]
		shl	ecx, 0Ch
		or	ecx, 0FFFh
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, [edi+0Ch]
		push	eax
		shl	ecx, 0Ch
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		push	eax
		mov	ecx, esi
		call	_MiDecommitHardwareEnclavePages@20 ; MiDecommitHardwareEnclavePages(x,x,x,x,x)
		or	dword ptr [edi+28h], 8
		pop	edi
		pop	esi
		pop	ecx
		retn
_MiTerminateHardwareEnclave@8 endp


;  S U B	R O U T	I N E 


; __stdcall PfTSetTracingPriority(x)
_PfTSetTracingPriority@4 proc near	; CODE XREF: PfpLogEventRequest:loc_905B5Dp
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset unk_6D428C
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		xor	ecx, ecx
		mov	edx, esi
		cmp	ds:dword_6D4288, ecx
		setz	cl
		call	MmSetAccessLogging
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_72F3B6
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_72F3B6:				; CODE XREF: PfTSetTracingPriority(x)+3Dj
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PfTSetTracingPriority@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetMemoryOverwriteRequestAction(x, x)
_PopSetMemoryOverwriteRequestAction@8 proc near	; CODE XREF: PopSaveHiberContext+BBE9p
					; PopShutdownSystem(x)+1Dp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= dword	ptr -15h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_20], 0
		cmp	ds:_PopErrataSkipMemoryOverwriteRequestControlLockAction, 0
		push	esi
		push	edi
		mov	[ebp+var_15+1],	0E20939BEh
		mov	[ebp+var_10], 41BE32D4h
		mov	[ebp+var_C], 7F8950A1h
		mov	[ebp+var_8], 2998D485h
		jnz	short loc_72F447
		lea	eax, [ebp+var_20]
		mov	byte ptr [ebp+var_15], 0FFh
		push	eax
		lea	eax, [ebp+var_1C]
		xor	esi, esi
		push	eax
		lea	eax, [ebp+var_15]
		mov	edi, offset ??_C@_1DM@KHNCPJJB@?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAO?$AAv?$AAe?$AAr?$AAw?$AAr?$AAi?$AAt?$AAe@OKHAJAOM@ ; "MemoryOverwriteRequestControl"
		push	eax
		lea	eax, [ebp+var_15+1]
		inc	esi
		push	eax
		push	edi
		mov	[ebp+var_1C], esi
		call	ds:__imp__HalGetEnvironmentVariableEx@20 ; HalGetEnvironmentVariableEx(x,x,x,x,x)
		test	eax, eax
		js	short loc_72F447
		cmp	[ebp+var_1C], esi
		jnz	short loc_72F447
		push	[ebp+var_20]
		and	byte ptr [ebp+var_15], 0EEh
		lea	eax, [ebp+var_15]
		push	esi
		push	eax
		lea	eax, [ebp+var_15+1]
		push	eax
		push	edi
		call	ds:__imp__HalSetEnvironmentVariableEx@20 ; HalSetEnvironmentVariableEx(x,x,x,x,x)

loc_72F447:				; CODE XREF: PopSetMemoryOverwriteRequestAction(x,x)+3Bj
					; PopSetMemoryOverwriteRequestAction(x,x)+65j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopSetMemoryOverwriteRequestAction@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopGracefulShutdown(x)
_PopGracefulShutdown@4 proc near	; CODE XREF: PAGELK:loc_71FB63p
					; DATA XREF: PAGELK:0071F9E0o

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ebx
		push	esi
		xor	edx, edx
		push	0Ah
		inc	edx
		pop	ecx
		call	_PopTransitionCheckpoint@8 ; PopTransitionCheckpoint(x,x)
		mov	ecx, offset _POP_ETW_EVENT_GRACEFULSHUTDOWN_START
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		mov	ecx, large fs:124h
		mov	eax, ds:dword_6C26F4
		mov	[eax+0Ch], ecx
		mov	ecx, offset _POP_ETW_EVENT_ZEROPAGEFILE_START
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		call	_MmZeroPageFileAtShutdown@0 ; MmZeroPageFileAtShutdown()
		mov	ecx, offset _POP_ETW_EVENT_ZEROPAGEFILE_STOP
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		cmp	ds:dword_6C26F0, 0
		jnz	short loc_72F4AB
		call	ds:off_6B2C0C	; xHalSaveAndDisableHvEnlightenment()

loc_72F4AB:				; CODE XREF: PopGracefulShutdown(x)+4Ej
		call	_VfShutdownScheduleWatchdog@0 ;	VfShutdownScheduleWatchdog()
		xor	ebx, ebx
		cmp	ds:_PopShutdownCleanly,	ebx
		jz	loc_72F54B
		call	_PsShutdownSystem@0 ; PsShutdownSystem()
		push	ebx
		push	ebx
		push	offset _PopShutdownEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	esi, offset _PopShutdownListMutex
		mov	ecx, esi
		call	@KeAcquireGuardedMutex@4 ; KeAcquireGuardedMutex(x)
		mov	ecx, esi
		mov	ds:_PopShutdownListAvailable, bl
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	esi, offset _PopShutdownQueue
		jmp	short loc_72F50A
; 

loc_72F4EF:				; CODE XREF: PopGracefulShutdown(x)+BCj
		cmp	[eax+4], esi
		jnz	short loc_72F546
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_72F546
		mov	ds:_PopShutdownQueue, ecx
		mov	[ecx+4], esi
		push	dword ptr [eax+0Ch]
		call	dword ptr [eax+8]

loc_72F50A:				; CODE XREF: PopGracefulShutdown(x)+98j
		mov	eax, ds:_PopShutdownQueue
		cmp	eax, esi
		jnz	short loc_72F4EF

loc_72F513:				; CODE XREF: PopGracefulShutdown(x)+EFj
		mov	esi, ds:_PopShutdownThreadList
		test	esi, esi
		jz	short loc_72F54B
		mov	eax, [esi]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		mov	ds:_PopShutdownThreadList, eax
		push	dword ptr [esi+4]
		call	KeWaitForSingleObject
		mov	ecx, [esi+4]
		mov	edx, 64536F50h
		call	ObfDereferenceObjectWithTag
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_72F513
; 

loc_72F546:				; CODE XREF: PopGracefulShutdown(x)+9Dj
					; PopGracefulShutdown(x)+A4j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_72F54B:				; CODE XREF: PopGracefulShutdown(x)+63j
					; PopGracefulShutdown(x)+C6j
		call	ds:__imp__TmShutdownSystem@0 ; TmShutdownSystem()
		xor	ecx, ecx
		call	_CmShutdownSystem@4 ; CmShutdownSystem(x)
		xor	ecx, ecx
		call	_ExShutdownSystem@4 ; ExShutdownSystem(x)
		mov	ecx, offset _POP_ETW_EVENT_IOSHUTDOWNSYSTEM_START
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		xor	ecx, ecx
		call	_IoShutdownSystem@4 ; IoShutdownSystem(x)
		mov	ecx, offset _POP_ETW_EVENT_IOSHUTDOWNSYSTEM_STOP
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		cmp	ds:_PopShutdownCleanly,	ebx
		jz	short loc_72F59B
		mov	ecx, offset _POP_ETW_EVENT_WAITFORPROCESSES_START
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		call	_PsWaitForAllProcesses@0 ; PsWaitForAllProcesses()
		mov	ecx, offset _POP_ETW_EVENT_WAITFORPROCESSES_STOP
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)

loc_72F59B:				; CODE XREF: PopGracefulShutdown(x)+12Bj
		test	byte ptr ds:_PopShutdownCleanly, 10h
		jz	short loc_72F5AB
		xor	ecx, ecx
		call	_ObShutdownSystem@4 ; ObShutdownSystem(x)

loc_72F5AB:				; CODE XREF: PopGracefulShutdown(x)+14Dj
		mov	ecx, offset _POP_ETW_EVENT_CMSHUTDOWNSYSTEM_START
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		xor	ecx, ecx
		inc	ecx
		call	_CmShutdownSystem@4 ; CmShutdownSystem(x)
		mov	ecx, offset _POP_ETW_EVENT_CMSHUTDOWNSYSTEM_STOP
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		cmp	ds:_PopDiagHandleRegistered, bl
		jz	short loc_72F5EC
		push	ebx
		push	ebx
		push	offset _PopShutdownDiagnosticsScenarioGuid
		push	offset _POP_ETW_EVENT_GRACEFULSHUTDOWN_STOP
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	_EtwWriteEndScenario@24	; EtwWriteEndScenario(x,x,x,x,x,x)

loc_72F5EC:				; CODE XREF: PopGracefulShutdown(x)+178j
		xor	cl, cl
		call	EtwShutdown
		xor	ecx, ecx
		inc	ecx
		call	_ExShutdownSystem@4 ; ExShutdownSystem(x)
		push	ebx
		call	_MmShutdownSystem@4 ; MmShutdownSystem(x)
		call	_PopSetCleanShutdownMarker@0 ; PopSetCleanShutdownMarker()
		push	2
		pop	esi
		push	0Ah
		mov	edx, esi
		pop	ecx
		call	_PopTransitionCheckpoint@8 ; PopTransitionCheckpoint(x,x)
		call	_PnpWaitForEmptyDeviceActionQueue@0 ; PnpWaitForEmptyDeviceActionQueue()
		mov	ecx, offset _POP_ETW_EVENT_IOSHUTDOWN_FILE_SYSTEMS_START
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		xor	ecx, ecx
		inc	ecx
		call	_IoShutdownSystem@4 ; IoShutdownSystem(x)
		mov	ecx, offset _POP_ETW_EVENT_IOSHUTDOWN_FILE_SYSTEMS_STOP
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		call	_CcWaitForCurrentLazyWriterActivity@0 ;	CcWaitForCurrentLazyWriterActivity()
		mov	eax, ds:dword_6C26F0
		test	eax, eax
		jz	short loc_72F676
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_72F64F
		push	eax
		call	KeAttachProcess

loc_72F64F:				; CODE XREF: PopGracefulShutdown(x)+1F2j
		mov	ecx, ds:dword_6C26F0
		push	24h
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, ds:dword_6C26F0
		push	dword ptr [eax+20h]
		push	dword ptr [eax+1Ch]
		push	dword ptr [eax+18h]
		push	dword ptr [eax+14h]
		push	dword ptr [eax+10h]
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_72F676:				; CODE XREF: PopGracefulShutdown(x)+1EBj
		mov	eax, ds:dword_6C26F4
		xor	edx, edx
		mov	ds:_PopBootStatCheckpointAvailable, bl
		mov	[eax+0F8h], ebx
		mov	ecx, ds:dword_6C26F4
		lea	ecx, [ecx+1Ch]
		call	PopBuildDeviceNotifyList
		call	PopSetDevicesSystemState
		mov	ecx, esi
		call	_ExShutdownSystem@4 ; ExShutdownSystem(x)
		test	byte ptr ds:_PopShutdownCleanly, 10h
		jz	short loc_72F6B3
		mov	ecx, esi
		call	_ObShutdownSystem@4 ; ObShutdownSystem(x)

loc_72F6B3:				; CODE XREF: PopGracefulShutdown(x)+255j
		push	esi
		call	_MmShutdownSystem@4 ; MmShutdownSystem(x)
		mov	ecx, ds:dword_6C26C4
		call	_PopShutdownSystem@4 ; PopShutdownSystem(x)
		int	3		; Trap to Debugger

; __stdcall PopGetRemainingHibernateRangeDataSize(x)
_PopGetRemainingHibernateRangeDataSize@4: ; CODE XREF: PopWriteHiberPages+CEDBp
					; PopRequestWrite+C533p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		mov	ebx, edi
		mov	ecx, [esi+4Ch]
		lea	eax, [esi+30h]
		cmp	ecx, eax
		jmp	short loc_72F6F9
; 

loc_72F6E1:				; CODE XREF: PopGracefulShutdown(x)+2A9j
		mov	eax, [ecx+10h]
		sub	eax, [ecx+0Ch]
		mul	edx
		add	edi, eax
		mov	eax, [ecx]
		mov	ecx, eax
		adc	ebx, edx
		mov	[esi+4Ch], ecx
		lea	edx, [esi+30h]
		cmp	eax, edx

loc_72F6F9:				; CODE XREF: PopGracefulShutdown(x)+28Aj
		mov	edx, 1000h
		jnz	short loc_72F6E1
		mov	eax, [esi+50h]

loc_72F703:				; CODE XREF: PopGracefulShutdown(x)+2CFj
		lea	ecx, [ebp+var_4]
		push	ecx
		push	eax
		push	dword ptr [esi+48h]
		call	RtlFindNextForwardRunClear
		mov	ecx, eax
		mov	edx, 1000h
		mul	edx
		add	edi, eax
		mov	eax, [ebp+var_4]
		adc	ebx, edx
		add	eax, ecx
		test	ecx, ecx
		jnz	short loc_72F703
		lea	eax, [esi+20h]
		cmp	[esi+48h], eax
		jnz	short loc_72F742
		lea	ecx, [esi+28h]
		push	ecx
		call	_RtlNumberOfClearBits@4	; RtlNumberOfClearBits(x)
		mov	ecx, 1000h
		mul	ecx
		add	edi, eax
		adc	ebx, edx

loc_72F742:				; CODE XREF: PopGracefulShutdown(x)+2D7j
		mov	eax, edi
		mov	edx, ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopGracefulShutdown@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopRecordHibernateDiagnosticInfo(x)
_PopRecordHibernateDiagnosticInfo@4 proc near ;	CODE XREF: PopWriteHiberPages+CF04p
					; PopRequestWrite+C555p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	al, ds:byte_6C2E36
		xor	edx, edx
		mov	ds:_PopHibernateDiagnosticInfo,	al
		mov	eax, ds:dword_6C2A50
		mov	ds:dword_6C3008, eax
		mov	eax, ds:dword_6C2A54
		mov	ds:dword_6C300C, eax
		mov	eax, ds:dword_6C2A58
		mov	ds:dword_6C3010, eax
		mov	eax, ds:dword_6C2A5C
		mov	ds:dword_6C3014, eax
		mov	eax, ds:dword_6C2A78
		mov	ds:dword_6C3018, eax
		mov	eax, ds:dword_6C2A7C
		mov	ds:dword_6C301C, eax
		mov	eax, ds:dword_6C2A68
		mov	ds:dword_6C3020, eax
		mov	eax, ds:dword_6C2A6C
		mov	ds:dword_6C3024, eax
		mov	eax, ds:dword_6C2A60
		mov	ds:dword_6C3028, eax
		mov	eax, ds:dword_6C2A64
		mov	ds:dword_6C302C, eax
		mov	eax, ds:dword_6C2A80
		mov	ds:dword_6C3030, eax
		mov	eax, ds:dword_6C2A84
		mov	ds:dword_6C3034, eax
		mov	eax, ds:dword_6C2A70
		mov	ds:dword_6C3038, eax
		mov	eax, ds:dword_6C2A74
		mov	ds:dword_6C303C, eax
		mov	eax, ds:dword_6C2A88
		mov	ds:dword_6C3040, eax
		mov	ebx, edx
		mov	eax, ds:dword_6C2A8C
		mov	ds:dword_6C3044, eax
		mov	eax, ds:dword_6C2A90
		mov	ds:dword_6C3048, eax
		mov	edi, edx
		mov	eax, ds:dword_6C24D4
		mov	ds:dword_6C3054, eax
		mov	ds:dword_6C304C, edx
		mov	ds:dword_6C3050, edi
		cmp	[esi+0A4h], edx
		jbe	short loc_72F858
		mov	ecx, edx

loc_72F82C:				; CODE XREF: PopRecordHibernateDiagnosticInfo(x)+10Bj
		mov	eax, [esi+0A8h]
		lea	ecx, [ecx+70h]
		add	edx, [ecx+eax-8]
		mov	ds:dword_6C304C, edx
		mov	eax, [esi+0A8h]
		add	edi, [ecx+eax-4]
		inc	ebx
		mov	ds:dword_6C3050, edi
		cmp	ebx, [esi+0A4h]
		jb	short loc_72F82C

loc_72F858:				; CODE XREF: PopRecordHibernateDiagnosticInfo(x)+DDj
		pop	edi
		pop	esi
		pop	ebx
		retn
_PopRecordHibernateDiagnosticInfo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWriteChecksumPages(x)
_PopWriteChecksumPages@4 proc near	; CODE XREF: PopSaveHiberContext+BB32p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx+118h]
		push	ebx
		push	esi
		push	edi
		lea	eax, ds:0FFFh[eax*2]
		mov	[ebp+var_4], ecx
		shr	eax, 0Ch
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_72F905
		mov	ecx, [ecx+0F8h]
		add	ecx, 0FFFh
		shr	ecx, 0Ch
		mov	[ebp+var_8], ecx
		add	ecx, eax
		xor	eax, eax
		shld	eax, ecx, 0Ch
		shl	ecx, 0Ch
		cmp	eax, ds:dword_6C24AC
		ja	short loc_72F905
		jb	short loc_72F8B4
		cmp	ecx, ds:dword_6C24A8
		ja	short loc_72F905

loc_72F8B4:				; CODE XREF: PopWriteChecksumPages(x)+4Ej
		rdtsc
		mov	ebx, edx
		mov	edi, eax
		mov	edx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_C]
		mov	esi, [edx+88h]
		mov	ecx, [edx+118h]
		mov	[esi+60h], ecx
		mov	ecx, [edx+11Ch]
		mov	[esi+64h], ecx
		mov	ecx, [edx+88h]
		mov	[ecx+58h], eax
		mov	edx, [edx+128h]
		mov	ecx, [ebp+var_4]
		call	PopWriteHiberPages
		rdtsc
		sub	eax, edi
		sbb	edx, ebx
		add	ds:dword_6C28F0, eax
		adc	ds:dword_6C28F4, edx

loc_72F905:				; CODE XREF: PopWriteChecksumPages(x)+23j
					; PopWriteChecksumPages(x)+4Cj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopWriteChecksumPages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWriteImageHeader(x, x, x, x, x)
_PopWriteImageHeader@20	proc near	; CODE XREF: PopSaveHiberContext+BB50p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [ebx+44h]
		mov	[ebp+var_4], esi
		cmp	eax, [ebp+arg_0]
		jz	short loc_72F94B
		push	[ebp+arg_0]
		push	eax
		push	offset ??_C@_0DG@CFOFHJKB@MemImage?9?$DOWakeCheck?5?$CFlx?5doesn?8t@OKHAJAOM@
		call	_DbgPrint
		add	esp, 0Ch
		push	[ebp+arg_0]
		push	dword ptr [ebx+44h]
		push	0Ah
		push	109h
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_72F94B:				; CODE XREF: PopWriteImageHeader(x,x,x,x,x)+17j
		rdtsc
		sub	eax, [ebp+arg_4]
		mov	ds:dword_6C28D0, eax
		sbb	edx, [ebp+arg_8]
		mov	eax, ds:dword_6C24B4
		shr	eax, 4
		dec	eax
		mov	ds:dword_6C28D4, edx
		push	0
		mov	ds:dword_6C2A94, eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		xor	edi, edi
		mov	ds:dword_6C2900, eax
		mov	ds:dword_6C2904, edx
		cmp	[esi+0A4h], edi
		jbe	short loc_72F9E5
		xor	edx, edx

loc_72F98B:				; CODE XREF: PopWriteImageHeader(x,x,x,x,x)+D9j
		mov	ecx, [esi+0A8h]
		lea	edx, [edx+70h]
		mov	eax, [ecx+edx-48h]
		add	ds:dword_6C2A60, eax
		mov	eax, [ecx+edx-44h]
		adc	ds:dword_6C2A64, eax
		mov	ecx, [esi+0A8h]
		mov	eax, [ecx+edx-58h]
		add	ds:dword_6C28D8, eax
		mov	eax, [ecx+edx-54h]
		adc	ds:dword_6C28DC, eax
		mov	ecx, [esi+0A8h]
		mov	eax, [ecx+edx-30h]
		add	ds:dword_6C28E0, eax
		mov	eax, [ecx+edx-2Ch]
		adc	ds:dword_6C28E4, eax
		inc	edi
		cmp	edi, [esi+0A4h]
		jb	short loc_72F98B

loc_72F9E5:				; CODE XREF: PopWriteImageHeader(x,x,x,x,x)+7Dj
		mov	edx, ds:dword_6C2A88
		and	ds:dword_6C2A84, 0
		mov	esi, ds:dword_6C2A8C
		mov	ecx, ds:dword_6C2A90
		mov	eax, ds:dword_6C2A58
		mov	ds:dword_6C2A70, edx
		add	edx, ds:dword_6C2A68
		mov	ds:dword_6C2A74, esi
		adc	esi, ds:dword_6C2A6C
		mov	ds:dword_6C2A80, ecx
		add	ecx, ds:dword_6C2A78
		mov	ds:dword_6C2A88, edx
		mov	ds:dword_6C2A8C, esi
		mov	ds:dword_6C2A90, ecx
		mov	[ebx+48h], eax
		mov	eax, ds:dword_6C2A5C
		mov	[ebx+4Ch], eax
		cmp	ds:byte_6C24D1,	0
		jz	short loc_72FA5D
		mov	eax, ds:dword_6C2A60
		add	[ebx+48h], eax
		mov	eax, ds:dword_6C2A64
		adc	[ebx+4Ch], eax

loc_72FA5D:				; CODE XREF: PopWriteImageHeader(x,x,x,x,x)+141j
		push	7Eh
		pop	ecx
		push	340h
		push	ebx
		lea	edi, [ebx+68h]
		mov	esi, offset dword_6C28B8
		rep movsd
		push	0
		mov	dword ptr [ebx], 52424948h
		call	_tcpxsum@12	; tcpxsum(x,x,x)
		mov	esi, [ebp+var_4]
		mov	edx, ebx
		push	0
		push	1
		mov	ecx, esi
		mov	[ebx+8], eax
		call	PopWriteHiberPages
		mov	eax, [esi+74h]
		mov	eax, [eax+34h]
		test	eax, eax
		jz	short loc_72FA9C
		call	eax

loc_72FA9C:				; CODE XREF: PopWriteImageHeader(x,x,x,x,x)+18Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PopWriteImageHeader@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDriverVeto(x, x)
_PopDiagTraceDriverVeto@8 proc near	; CODE XREF: PopCompleteNotifyTransitionCommon+8A69Fp

var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_84		= dword	ptr -84h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D8h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_CC], 0
		and	[ebp+var_C8], 0
		cmp	ds:_PopDiagHandleRegistered, 0
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		jz	loc_72FC3C
		push	offset _POP_ETW_EVENT_DRIVERVETO
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_72FC3C
		push	ecx
		lea	edx, [ebp+var_84]
		mov	ecx, esi
		call	_PopDiagGetDriverName@12 ; PopDiagGetDriverName(x,x,x)
		test	eax, eax
		js	short loc_72FB2D
		lea	eax, [ebp+var_84]
		push	eax
		lea	eax, [ebp+var_CC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+var_CC]
		mov	ax, cx
		shr	ax, 1
		movzx	esi, ax
		jmp	short loc_72FB46
; 

loc_72FB2D:				; CODE XREF: PopDiagTraceDriverVeto(x,x)+64j
		push	offset ??_C@_11LOCGONAA@@OKHAJAOM@
		lea	eax, [ebp+var_CC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+var_CC]
		xor	esi, esi

loc_72FB46:				; CODE XREF: PopDiagTraceDriverVeto(x,x)+88j
		and	[ebp+var_C0], 0
		xor	edx, edx
		and	[ebp+var_B8], 0
		inc	edx
		movzx	eax, si
		mov	[ebp+var_D0], eax
		movzx	eax, word ptr [ebx-48h]
		push	edi
		mov	di, ax
		mov	[ebp+var_D8], eax
		shr	di, 1
		movzx	eax, di
		mov	[ebp+var_D4], eax
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_C4], eax
		mov	[ebp+var_BC], 2
		test	si, si
		jz	short loc_72FBBD
		mov	eax, [ebp+var_C8]
		xor	esi, esi
		mov	[ebp+var_B4], eax
		movzx	eax, cx
		push	2
		mov	[ebp+var_B0], esi
		mov	[ebp+var_AC], eax
		mov	[ebp+var_A8], esi
		pop	edx
		jmp	short loc_72FBBF
; 

loc_72FBBD:				; CODE XREF: PopDiagTraceDriverVeto(x,x)+F0j
		xor	esi, esi

loc_72FBBF:				; CODE XREF: PopDiagTraceDriverVeto(x,x)+118j
		mov	eax, edx
		lea	ecx, [ebp+var_D4]
		add	eax, eax
		inc	edx
		test	di, di
		pop	edi
		mov	[ebp+eax*8+var_C4], ecx
		mov	[ebp+eax*8+var_C0], esi
		mov	[ebp+eax*8+var_BC], 2
		mov	[ebp+eax*8+var_B8], esi
		jz	short loc_72FC1D
		mov	eax, [ebx-44h]
		mov	ecx, edx
		add	ecx, ecx
		inc	edx
		mov	[ebp+ecx*8+var_C4], eax
		mov	eax, [ebp+var_D8]
		movzx	eax, ax
		mov	[ebp+ecx*8+var_C0], esi
		mov	[ebp+ecx*8+var_BC], eax
		mov	[ebp+ecx*8+var_B8], esi

loc_72FC1D:				; CODE XREF: PopDiagTraceDriverVeto(x,x)+14Bj
		lea	eax, [ebp+var_C4]
		push	eax
		push	edx
		push	esi
		push	offset _POP_ETW_EVENT_DRIVERVETO
		push	ds:dword_6C1D74
		push	ds:_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_72FC3C:				; CODE XREF: PopDiagTraceDriverVeto(x,x)+30j
					; PopDiagTraceDriverVeto(x,x)+4Ej
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceDriverVeto@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFirmwareS3Stats()
_PopDiagTraceFirmwareS3Stats@0 proc near ; CODE	XREF: PAGELK:0071F1CAp

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		lea	eax, [ebp+var_3C]
		push	esi
		push	edi
		push	eax
		push	ebx
		push	ebx
		push	23h
		mov	[ebp+var_50], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ebx
		call	ds:off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		cmp	eax, 0C0000004h
		jnz	loc_72FE5A
		cmp	[ebp+var_3C], ebx
		jz	loc_72FE5A
		push	74703353h
		push	[ebp+var_3C]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_72FE5A
		lea	eax, [ebp+var_3C]
		push	eax
		push	esi
		push	[ebp+var_3C]
		push	23h
		call	ds:off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	loc_72FE51
		mov	eax, [esi+4]
		lea	edi, [esi+8]
		add	eax, esi
		cmp	edi, eax
		jnb	loc_72FE51
		xor	ecx, ecx
		inc	ecx

loc_72FCE8:				; CODE XREF: PopDiagTraceFirmwareS3Stats()+201j
		movzx	eax, word ptr [edi]
		test	ax, ax
		jnz	loc_72FDC3
		mov	eax, [edi+4]
		push	ebx
		push	0F4240h
		mov	[ebp+var_4C], eax
		push	dword ptr [edi+0Ch]
		push	dword ptr [edi+8]
		call	__aulldiv
		push	ebx
		push	0F4240h
		mov	[ebp+var_40], eax
		push	dword ptr [edi+14h]
		push	dword ptr [edi+10h]
		call	__aulldiv
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_4C]
		push	4
		pop	ecx
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	ebx
		push	ebx
		xor	eax, eax
		mov	[ebp+var_34], ebx
		inc	eax
		mov	[ebp+var_30], ecx
		push	eax
		push	ebx
		push	ebx
		push	offset _POP_ETW_EVENT_S3FWSTATS_RESUME
		push	ds:dword_6C1D74
		mov	[ebp+var_2C], ebx
		push	ds:_PopDiagHandle
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	EtwWriteEx
		mov	eax, ds:dword_6C2888
		or	eax, ds:dword_6C288C
		jnz	loc_72FE3B
		push	ds:dword_70ED2C
		lea	ecx, [ebp+var_48]
		push	ds:_PopQpcFrequency
		push	ebx
		push	[ebp+var_40]
		call	_RtlULongLongMult@20 ; RtlULongLongMult(x,x,x,x,x)
		push	ebx
		push	3E8h
		push	[ebp+var_44]
		push	[ebp+var_48]
		call	__aulldiv
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], edx
		mov	ds:dword_6C2888, eax
		mov	ds:dword_6C288C, edx
		jmp	short loc_72FE3B
; 

loc_72FDC3:				; CODE XREF: PopDiagTraceFirmwareS3Stats()+A4j
		cmp	ax, cx
		jnz	short loc_72FE3E
		push	ebx
		push	0F4240h
		push	dword ptr [edi+8]
		push	dword ptr [edi+4]
		call	__aulldiv
		push	ebx
		push	0F4240h
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], edx
		push	dword ptr [edi+10h]
		push	dword ptr [edi+0Ch]
		call	__aulldiv
		push	8
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_58]
		pop	ecx
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	2
		push	ebx
		push	ebx
		xor	eax, eax
		mov	[ebp+var_5C], edx
		inc	eax
		mov	[ebp+var_34], ebx
		push	eax
		push	ebx
		push	ebx
		push	offset _POP_ETW_EVENT_S3FWSTATS_SUSPEND
		push	ds:dword_6C1D74
		mov	[ebp+var_30], ecx
		push	ds:_PopDiagHandle
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		call	EtwWriteEx

loc_72FE3B:				; CODE XREF: PopDiagTraceFirmwareS3Stats()+137j
					; PopDiagTraceFirmwareS3Stats()+177j
		xor	ecx, ecx
		inc	ecx

loc_72FE3E:				; CODE XREF: PopDiagTraceFirmwareS3Stats()+17Cj
		movsx	eax, byte ptr [edi+2]
		add	edi, eax
		mov	eax, [esi+4]
		add	eax, esi
		cmp	edi, eax
		jb	loc_72FCE8

loc_72FE51:				; CODE XREF: PopDiagTraceFirmwareS3Stats()+85j
					; PopDiagTraceFirmwareS3Stats()+95j
		push	[ebp+var_3C]
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_72FE5A:				; CODE XREF: PopDiagTraceFirmwareS3Stats()+48j
					; PopDiagTraceFirmwareS3Stats()+51j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceFirmwareS3Stats@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceHibernateErrorStatus(x)
_PopDiagTraceHibernateErrorStatus@4 proc near ;	CODE XREF: PAGELK:0071F991p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		mov	[ebp+var_18], ecx
		jz	short loc_72FECE
		push	ebx
		push	esi
		mov	esi, ds:dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_HIBERNATE_STATUS
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_72FECB
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_72FECB:				; CODE XREF: PopDiagTraceHibernateErrorStatus(x)+3Cj
		pop	edi
		pop	esi
		pop	ebx

loc_72FECE:				; CODE XREF: PopDiagTraceHibernateErrorStatus(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceHibernateErrorStatus@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceMtrrError()
_PopDiagTraceMtrrError@0 proc near	; CODE XREF: PAGELK:0071F939p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:_PopDiagHandleRegistered, 0
		jz	short loc_72FF3D
		push	ebx
		push	esi
		mov	esi, ds:dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_MTRR_CHANGED
		push	edi
		mov	edi, ds:_PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_72FF3A
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], offset dword_6C26EC
		push	eax
		push	1
		xor	ecx, ecx
		mov	[ebp+var_C], 4
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_72FF3A:				; CODE XREF: PopDiagTraceMtrrError()+39j
		pop	edi
		pop	esi
		pop	ebx

loc_72FF3D:				; CODE XREF: PopDiagTraceMtrrError()+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceMtrrError@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopDiagTraceZeroHiberFile()
_PopDiagTraceZeroHiberFile@0 proc near	; CODE XREF: PopZeroHiberFile(x,x)+2Bp
		mov	ecx, offset _POP_ETW_EVENT_ZEROHIBERFILE_START
		jmp	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
_PopDiagTraceZeroHiberFile@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopDiagTraceZeroHiberFileEnd()
_PopDiagTraceZeroHiberFileEnd@0	proc near ; CODE XREF: PopZeroHiberFile(x,x):loc_9AC846p
		mov	ecx, offset _POP_ETW_EVENT_ZEROHIBERFILE_STOP
		jmp	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
_PopDiagTraceZeroHiberFileEnd@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCheckPowerSourceAfterRtcWakeTimerWorker(x)
_PopCheckPowerSourceAfterRtcWakeTimerWorker@4 proc near
					; DATA XREF: PopCheckPowerSourceAfterRtcWakeInitialize()+5o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		xor	eax, eax
		push	edi
		lea	edi, [esp+30h+var_20]
		push	8
		pop	ecx
		rep stosd
		cmp	ds:_PopSleepStats, al
		jz	short loc_72FFC5
		xor	edx, edx
		lea	ecx, [esp+30h+var_20]
		call	_PopCurrentPowerStatePrecise@8 ; PopCurrentPowerStatePrecise(x,x)
		cmp	byte ptr [esp+30h+var_20], 0
		jnz	short loc_72FFC5
		and	[esp+30h+var_28], 0
		lea	eax, [esp+30h+var_28]
		push	eax
		lea	edx, [esp+34h+var_24]
		mov	ecx, (offset loc_408D2F+1)
		call	_PopQueryPowerSettingUlong@12 ;	PopQueryPowerSettingUlong(x,x,x)
		cmp	[esp+30h+var_28], 0
		jnz	short loc_72FFC5
		push	1
		push	80000000h
		push	ds:dword_6C2AB4
		push	ds:dword_6C2AB0
		call	NtInitiatePowerAction

loc_72FFC5:				; CODE XREF: PopCheckPowerSourceAfterRtcWakeTimerWorker(x)+1Dj
					; PopCheckPowerSourceAfterRtcWakeTimerWorker(x)+2Fj ...
		mov	ecx, offset unk_6C0518
		call	_PopOkayToQueueNextWorkItem@4 ;	PopOkayToQueueNextWorkItem(x)
		push	0
		push	0
		push	offset _PopCheckPowerSourceAfterRtcWakeCompleted
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		mov	esp, ebp
		pop	ebp
		retn	4
_PopCheckPowerSourceAfterRtcWakeTimerWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBuildDeviceNotifyListWatchdog(x,	x, x, x)
_PopBuildDeviceNotifyListWatchdog@16 proc near ; DATA XREF: PopBuildDeviceNotifyList+46o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	[ebp+arg_4]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		call	_PnpBugcheckPowerTimeout@4 ; PnpBugcheckPowerTimeout(x)
		int	3		; Trap to Debugger
_PopBuildDeviceNotifyListWatchdog@16 endp


;  S U B	R O U T	I N E 


; __stdcall PopShutdownHandler(x, x, x,	x, x)
_PopShutdownHandler@20 proc near	; DATA XREF: PopShutdownSystem(x)+77o
					; NtPowerInformation+11DFo ...
		mov	edi, edi
		cli
		mov	eax, large fs:20h
		cmp	dword ptr [eax+3CCh], 0
		jnz	short loc_730017
		call	_InbvAcquireDisplayOwnership@0 ; InbvAcquireDisplayOwnership()
		call	_BgDisplaySafeToPowerOffScreen@0 ; BgDisplaySafeToPowerOffScreen()

loc_730017:				; CODE XREF: PopShutdownHandler(x,x,x,x,x)+10j
					; PopShutdownHandler(x,x,x,x,x)+22j
		call	ds:off_6B1234	; xHalHaltSystem()
		jmp	short loc_730017
_PopShutdownHandler@20 endp


;  S U B	R O U T	I N E 


; __stdcall PopShutdownSystem(x)
_PopShutdownSystem@4 proc near		; CODE XREF: PopGracefulShutdown(x)+26Ap
		mov	edi, edi
		push	ecx
		mov	eax, ds:_PopShutdownNotificationCallback
		push	esi
		mov	esi, ecx
		push	edi
		test	eax, eax
		jz	short loc_730035
		push	dword ptr [eax+8]
		call	dword ptr [eax+4]

loc_730035:				; CODE XREF: PopShutdownSystem(x)+Ej
		xor	cl, cl
		call	_HvlConfigureMemoryZeroingOnReset@4 ; HvlConfigureMemoryZeroingOnReset(x)
		call	_PopSetMemoryOverwriteRequestAction@8 ;	PopSetMemoryOverwriteRequestAction(x,x)
		xor	edi, edi
		or	edx, 0FFFFFFFFh
		push	edi
		xor	ecx, ecx
		call	_DbgUnLoadImageSymbols@12 ; DbgUnLoadImageSymbols(x,x,x)
		test	ds:_PopSimulate, 800h
		push	4
		pop	ecx
		jz	short loc_730069
		cmp	esi, ecx
		jz	short loc_730066
		cmp	esi, 6
		jnz	short loc_730069

loc_730066:				; CODE XREF: PopShutdownSystem(x)+40j
		push	5
		pop	esi

loc_730069:				; CODE XREF: PopShutdownSystem(x)+3Cj
					; PopShutdownSystem(x)+45j
		sub	esi, ecx
		jz	short loc_73008D
		sub	esi, 1
		jz	short loc_730079
		sub	esi, 1
		jz	short loc_7300A0
		jmp	short loc_730083
; 

loc_730079:				; CODE XREF: PopShutdownSystem(x)+51j
		push	5
		xor	edx, edx
		pop	ecx
		call	PopInvokeSystemStateHandler

loc_730083:				; CODE XREF: PopShutdownSystem(x)+58j
		push	3
		call	ds:__imp__HalReturnToFirmware@4	; HalReturnToFirmware(x)
		jmp	short loc_7300B5
; 

loc_73008D:				; CODE XREF: PopShutdownSystem(x)+4Cj
		cmp	ds:_PopShutdownPowerOffPolicy, 0
		jz	short loc_7300A0
		mov	ds:dword_6C2DE8, offset	_PopShutdownHandler@20 ; PopShutdownHandler(x,x,x,x,x)

loc_7300A0:				; CODE XREF: PopShutdownSystem(x)+56j
					; PopShutdownSystem(x)+75j
		xor	edx, edx
		call	PopInvokeSystemStateHandler
		mov	esi, ds:__imp__HalReturnToFirmware@4 ; HalReturnToFirmware(x)
		push	1
		call	esi
		push	3
		call	esi

loc_7300B5:				; CODE XREF: PopShutdownSystem(x)+6Cj
		push	edi
		push	edi
		push	edi
		push	5
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_PopShutdownSystem@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopSleepSystem(x, x)
_PopSleepSystem@8 proc near		; CODE XREF: PAGELK:00720A72p
		jmp	PopInvokeSystemStateHandler
_PopSleepSystem@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCheckpointSystemSleepUnsafe(x)
_PopCheckpointSystemSleepUnsafe@4 proc near ; CODE XREF: PopCheckpointSystemSleep+B16Ap
					; PopEnableSystemSleepCheckpoint()+DBp

var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	ds:_PoAllProcIntrDisabled, 0
		lea	eax, [ebp-1]
		push	1
		push	1
		push	eax
		mov	[ebp+var_1], cl
		push	offset _SYSTEM_SLEEP_ETW_CHECKPOINT_GUID
		jnz	short loc_7300F6
		push	offset _PopCheckpointSystemSleepVariable
		call	_ExSetFirmwareEnvironmentVariable@20 ; ExSetFirmwareEnvironmentVariable(x,x,x,x,x)
		leave
		retn
; 

loc_7300F6:				; CODE XREF: PopCheckpointSystemSleepUnsafe(x)+1Ej
		push	offset aSystemsleepche ; "SystemSleepCheckpoint"
		call	ds:__imp__HalSetEnvironmentVariableEx@20 ; HalSetEnvironmentVariableEx(x,x,x,x,x)
		leave
		retn
_PopCheckpointSystemSleepUnsafe@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExShutdownSystem(x)
_ExShutdownSystem@4 proc near		; CODE XREF: PopGracefulShutdown(x)+105p
					; PopGracefulShutdown(x)+1A1p ...
		mov	edi, edi
		push	ecx
		push	esi
		mov	edx, ecx
		xor	ecx, ecx
		push	edi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	esi, eax
		test	edx, edx
		jnz	loc_7301CE
		call	_ExpRecordShutdownTime@0 ; ExpRecordShutdownTime()
		mov	ecx, [esi+1FCh]
		xor	edi, edi
		mov	ds:_ExpTooLateForErrors, 1
		mov	ds:_ExpShuttingDown, 1
		test	ecx, ecx
		jz	short loc_730145
		call	ObfDereferenceObject
		mov	[esi+1FCh], edi

loc_730145:				; CODE XREF: ExShutdownSystem(x)+35j
		mov	ecx, [esi+1F8h]
		test	ecx, ecx
		jz	short loc_73015F
		mov	edx, 65487845h
		call	ObfDereferenceObjectWithTag
		mov	[esi+1F8h], edi

loc_73015F:				; CODE XREF: ExShutdownSystem(x)+4Aj
		mov	esi, offset _ExpKeyManipLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, ds:_ExpControlKey
		test	ecx, ecx
		jz	short loc_730182
		call	ObfDereferenceObject
		mov	ds:_ExpControlKey, edi

loc_730182:				; CODE XREF: ExShutdownSystem(x)+72j
		mov	ecx, ds:dword_6BBE54
		test	ecx, ecx
		jz	short loc_730197
		call	ObfDereferenceObject
		mov	ds:dword_6BBE54, edi

loc_730197:				; CODE XREF: ExShutdownSystem(x)+87j
		mov	eax, ds:_ExpProductTypeKey
		test	eax, eax
		jz	short loc_7301AD
		push	edi
		push	eax
		call	ObCloseHandle
		mov	ds:_ExpProductTypeKey, edi

loc_7301AD:				; CODE XREF: ExShutdownSystem(x)+9Bj
		mov	eax, ds:_ExpSetupKey
		test	eax, eax
		jz	short loc_7301C3
		push	edi
		push	eax
		call	ObCloseHandle
		mov	ds:_ExpSetupKey, edi

loc_7301C3:				; CODE XREF: ExShutdownSystem(x)+B1j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		jmp	short loc_7301E3
; 

loc_7301CE:				; CODE XREF: ExShutdownSystem(x)+12j
		cmp	edx, 1
		jnz	short loc_7301E3
		test	byte ptr ds:_PopShutdownCleanly, 2
		jz	short loc_7301E3
		xor	cl, cl
		call	_ExSwapinWorkerThreads@4 ; ExSwapinWorkerThreads(x)

loc_7301E3:				; CODE XREF: ExShutdownSystem(x)+C9j
					; ExShutdownSystem(x)+CEj ...
		pop	edi
		pop	esi
		pop	ecx
		retn
_ExShutdownSystem@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTimeRefreshWork(x)
_ExpTimeRefreshWork@4 proc near		; DATA XREF: ExInitializeTimeRefresh+62o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h

loc_7301F2:				; CODE XREF: ExpTimeRefreshWork(x)+4Bj
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		cmp	ds:_KeTimeSynchronization, 0
		jz	short loc_73020B
		xor	edx, edx
		xor	cl, cl
		call	ExUpdateSystemTimeFromCmos

loc_73020B:				; CODE XREF: ExpTimeRefreshWork(x)+19j
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+204h]
		mov	eax, ds:dword_A93F00
		test	eax, eax
		jz	short loc_730227
		push	ecx
		call	eax

loc_730227:				; CODE XREF: ExpTimeRefreshWork(x)+3Bj
		or	eax, 0FFFFFFFFh
		lock xadd ds:_ExpOkToTimeRefresh, eax
		jnz	short loc_7301F2
		or	[esp+14h+var_C], 0FFFFFFFFh
		lea	eax, [esp+14h+var_14]
		or	[esp+14h+var_8], 0FFFFFFFFh
		xor	ecx, ecx
		push	eax
		push	ecx
		push	ecx
		push	ds:dword_6BBF74
		mov	[esp+24h+var_14], ecx
		push	ds:_ExpTimeRefreshInterval
		mov	[esp+28h+var_10], ecx
		push	offset _ExpTimeRefreshTimer
		call	KeSetTimer2
		mov	esp, ebp
		pop	ebp
		retn	4
_ExpTimeRefreshWork@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExQuerySystemLockInformation(x, x, x)
_ExQuerySystemLockInformation@12 proc near ; CODE XREF:	ExpGetLockInformation(x,x,x)+44p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		push	4
		pop	esi
		mov	[ebp+var_C], edx
		mov	eax, ecx
		mov	[ebp+var_8], eax
		cmp	edx, esi
		jnb	short loc_73028E
		mov	edi, 0C0000004h
		jmp	loc_730351
; 

loc_73028E:				; CODE XREF: ExQuerySystemLockInformation(x,x,x)+18j
		push	ds:_ExPageLockHandle
		xor	edi, edi
		lea	ebx, [eax+4]
		and	[eax], edi
		call	_MmLockPagableSectionByHandle@4	; MmLockPagableSectionByHandle(x)
		push	offset _ExpResourceSpinLock
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	edx, ds:_ExpSystemResourcesList
		mov	[ebp+var_1], al
		cmp	edx, offset _ExpSystemResourcesList
		jz	short loc_730333
		mov	eax, [ebp+var_8]

loc_7302BE:				; CODE XREF: ExQuerySystemLockInformation(x,x,x)+C0j
		inc	dword ptr [eax]
		add	esi, 24h
		cmp	esi, 24h
		jb	short loc_73032E
		cmp	[ebp+var_C], esi
		jnb	short loc_7302D4
		mov	edi, 0C0000004h
		jmp	short loc_730322
; 

loc_7302D4:				; CODE XREF: ExQuerySystemLockInformation(x,x,x)+61j
		xor	eax, eax
		mov	[ebx], edx
		inc	eax
		lea	ecx, [edx+18h]
		mov	[ebx+4], ax
		xor	eax, eax
		mov	[ebx+6], ax
		mov	ax, [edx+30h]
		mov	[ebx+6], ax
		call	_ExpOwnerEntryToThread@4 ; ExpOwnerEntryToThread(x)
		test	eax, eax
		jz	short loc_7302FF
		mov	eax, [eax+2B0h]
		jmp	short loc_730301
; 

loc_7302FF:				; CODE XREF: ExQuerySystemLockInformation(x,x,x)+8Bj
		xor	eax, eax

loc_730301:				; CODE XREF: ExQuerySystemLockInformation(x,x,x)+93j
		mov	[ebx+8], eax
		mov	eax, [edx+20h]
		mov	[ebx+0Ch], eax
		mov	eax, [edx+24h]
		mov	[ebx+10h], eax
		mov	eax, [edx+28h]
		mov	[ebx+1Ch], eax
		mov	eax, [edx+2Ch]
		mov	[ebx+20h], eax
		add	ebx, 24h
		mov	eax, [ebp+var_8]

loc_730322:				; CODE XREF: ExQuerySystemLockInformation(x,x,x)+68j
		mov	edx, [edx]
		cmp	edx, offset _ExpSystemResourcesList
		jnz	short loc_7302BE
		jmp	short loc_730333
; 

loc_73032E:				; CODE XREF: ExQuerySystemLockInformation(x,x,x)+5Cj
		mov	edi, 0C0000095h

loc_730333:				; CODE XREF: ExQuerySystemLockInformation(x,x,x)+4Fj
					; ExQuerySystemLockInformation(x,x,x)+C2j
		push	offset _ExpResourceSpinLock
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	ds:_ExPageLockHandle
		call	_MmUnlockPagableImageSection@4 ; MmUnlockPagableImageSection(x)

loc_730351:				; CODE XREF: ExQuerySystemLockInformation(x,x,x)+1Fj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_73035A
		mov	[ecx], esi

loc_73035A:				; CODE XREF: ExQuerySystemLockInformation(x,x,x)+ECj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExQuerySystemLockInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExGetNextWakeTime(x, x, x, x, x, x,	x)
_ExGetNextWakeTime@28 proc near		; CODE XREF: PAGELK:0071F6AAp
					; PAGELK:0071F721p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, [ebp+arg_8]
		and	[ebp+var_8], 0
		and	[ebp+var_38], 0
		and	[ebp+var_34], 0
		push	ebx
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_C]
		push	esi
		push	edi
		mov	[ebp+var_10], eax
		xor	edi, edi
		lea	eax, [ebp+var_38]
		mov	[ebp+var_30], edx
		push	eax
		mov	[ebp+var_1], cl
		call	KeQuerySystemTime
		call	KeQueryInterruptTime
		mov	[ebp+var_18], eax
		xor	esi, esi
		mov	eax, ds:_ExpWakeTimerList
		mov	[ebp+var_1C], edx
		mov	[ebp+var_2C], esi
		cmp	eax, offset _ExpWakeTimerList
		jz	loc_730500

loc_7303B7:				; CODE XREF: ExGetNextWakeTime(x,x,x,x,x,x,x)+14Bj
		lea	edi, [eax-94h]
		xor	ebx, ebx
		mov	eax, [eax]
		and	[ebp+var_20], ebx
		mov	[ebp+var_28], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_C+3],	al
		lea	eax, [edi+28h]
		mov	ecx, eax
		mov	[ebp+var_14], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [edi+90h]
		mov	[ebp+var_24], eax
		cmp	[ebp+var_1], bl
		jz	short loc_7303F4
		test	byte ptr [edi+0A8h], 4
		jz	short loc_73044F

loc_7303F4:				; CODE XREF: ExGetNextWakeTime(x,x,x,x,x,x,x)+86j
		test	byte ptr [edi+0A8h], 2
		jz	short loc_730432
		cmp	byte ptr [edi+8Ch], 1
		mov	ecx, [edi+0B0h]
		mov	edx, [edi+0B4h]
		jnz	short loc_73042E
		mov	eax, ecx
		xor	ebx, ebx
		xor	edi, edi
		or	eax, edx
		jz	short loc_73043D
		sub	ecx, [ebp+var_38]
		mov	ebx, [ebp+var_18]
		sbb	edx, [ebp+var_34]
		add	ebx, ecx
		mov	edi, [ebp+var_1C]
		adc	edi, edx
		jmp	short loc_73043D
; 

loc_73042E:				; CODE XREF: ExGetNextWakeTime(x,x,x,x,x,x,x)+ADj
		mov	ebx, ecx
		jmp	short loc_73043B
; 

loc_730432:				; CODE XREF: ExGetNextWakeTime(x,x,x,x,x,x,x)+98j
		mov	ecx, edi
		call	_KeQueryTimerDueTime@4 ; KeQueryTimerDueTime(x)
		mov	ebx, eax

loc_73043B:				; CODE XREF: ExGetNextWakeTime(x,x,x,x,x,x,x)+CDj
		mov	edi, edx

loc_73043D:				; CODE XREF: ExGetNextWakeTime(x,x,x,x,x,x,x)+B7j
					; ExGetNextWakeTime(x,x,x,x,x,x,x)+C9j
		cmp	edi, [ebp+arg_4]
		ja	short loc_730452
		jb	short loc_730449
		cmp	ebx, [ebp+arg_0]
		jnb	short loc_730452

loc_730449:				; CODE XREF: ExGetNextWakeTime(x,x,x,x,x,x,x)+DFj
		xor	ebx, ebx
		xor	edi, edi
		jmp	short loc_730452
; 

loc_73044F:				; CODE XREF: ExGetNextWakeTime(x,x,x,x,x,x,x)+8Fj
		mov	edi, [ebp+var_20]

loc_730452:				; CODE XREF: ExGetNextWakeTime(x,x,x,x,x,x,x)+DDj
					; ExGetNextWakeTime(x,x,x,x,x,x,x)+E4j	...
		test	ds:byte_70EFC6,	1
		jz	short loc_730468
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_14]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_730470
; 

loc_730468:				; CODE XREF: ExGetNextWakeTime(x,x,x,x,x,x,x)+F6j
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_730470:				; CODE XREF: ExGetNextWakeTime(x,x,x,x,x,x,x)+103j
		mov	cl, byte ptr [ebp+arg_C+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_C]
		mov	eax, ebx
		add	eax, 0FFFFFFFFh
		mov	ecx, edi
		mov	[ebp+arg_C], eax
		mov	eax, [ebp+var_10]
		adc	ecx, 0FFFFFFFFh
		add	edx, 0FFFFFFFFh
		adc	eax, 0FFFFFFFFh
		cmp	ecx, eax
		ja	short loc_7304A6
		jb	short loc_73049D
		cmp	[ebp+arg_C], edx
		jnb	short loc_7304A6

loc_73049D:				; CODE XREF: ExGetNextWakeTime(x,x,x,x,x,x,x)+133j
		mov	esi, [ebp+var_24]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_10], edi

loc_7304A6:				; CODE XREF: ExGetNextWakeTime(x,x,x,x,x,x,x)+131j
					; ExGetNextWakeTime(x,x,x,x,x,x,x)+138j
		mov	eax, [ebp+var_28]
		cmp	eax, offset _ExpWakeTimerList
		jnz	loc_7303B7
		mov	[ebp+arg_C], esi
		test	esi, esi
		mov	esi, [ebp+var_2C]
		mov	edi, [ebp+arg_C]
		jz	short loc_730500
		push	ecx
		lea	eax, [ebp+var_8]
		xor	edx, edx
		push	eax
		mov	ecx, edi
		call	PoStoreDiagnosticContext
		mov	ebx, 53577254h
		push	ebx
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_730500
		push	ecx
		lea	eax, [ebp+var_8]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	PoStoreDiagnosticContext
		test	eax, eax
		jns	short loc_730500
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi

loc_730500:				; CODE XREF: ExGetNextWakeTime(x,x,x,x,x,x,x)+4Ej
					; ExGetNextWakeTime(x,x,x,x,x,x,x)+15Cj ...
		mov	eax, [ebp+var_30]
		test	edi, edi
		mov	ecx, [ebp+var_C]
		pop	edi
		mov	[eax], ecx
		mov	ecx, [ebp+var_10]
		mov	[eax+4], ecx
		mov	eax, [ebp+arg_10]
		mov	[eax], esi
		setnz	al
		pop	esi
		pop	ebx
		leave
		retn	14h
_ExGetNextWakeTime@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSystemErrorHandler(x, x,	x, x, x)
_ExpSystemErrorHandler@20 proc near	; CODE XREF: ExpRaiseHardError+12B742p
					; ExpRaiseHardError+12B770p

var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= byte ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= byte ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_144		= byte ptr -144h
var_40		= dword	ptr -40h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		push	18Ch
		push	offset dword_6AA7D8
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	[ebp+var_16C], esi
		mov	dword ptr [ebp+var_168], ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_170], eax
		xor	ebx, ebx
		mov	[ebp+var_19C], ebx
		mov	[ebp+var_198], ebx
		mov	[ebp+var_188], ebx
		mov	[ebp+var_160], ebx
		mov	[ebp+var_15C], ebx
		mov	[ebp+var_17C], ebx
		mov	[ebp+var_178], ebx
		mov	[ebp+var_184], ebx
		mov	[ebp+var_180], ebx
		mov	[ebp+var_190], ebx
		mov	[ebp+var_18C], ebx
		mov	eax, large fs:20h
		push	dword ptr [eax+4168h]
		call	_RtlCaptureContext@4 ; RtlCaptureContext(x)
		mov	eax, large fs:20h
		add	eax, 18h
		push	eax
		call	_KiSaveProcessorControlState@4 ; KiSaveProcessorControlState(x)
		push	5
		pop	eax
		cmp	esi, eax
		jbe	short loc_7305B6
		mov	[ebp+var_16C], eax

loc_7305B6:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+8Fj
		mov	byte ptr [ebp+var_40], bl
		xor	eax, eax
		lea	edi, [ebp+var_158]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_16C]
		shl	eax, 2
		push	eax		; size_t
		push	[ebp+var_170]	; void *
		lea	eax, [ebp+var_158]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	esi, ebx

loc_7305E7:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+187j
		mov	[ebp+var_164], esi
		mov	[ebp+var_194], esi
		cmp	esi, [ebp+var_16C]
		jnb	loc_7306AB
		xor	eax, eax
		inc	eax
		mov	ecx, esi
		shl	eax, cl
		test	[ebp+arg_0], eax
		jz	loc_730692
		mov	[ebp+ms_exc.disabled], ebx
		push	offset ??_C@_03EEBNCBOD@?5?$CFs@OKHAJAOM@
		push	20h
		lea	eax, [ebp+var_40]
		push	eax
		call	_strcat_s
		add	esp, 0Ch
		push	1
		mov	eax, [ebp+var_170]
		push	dword ptr [eax+esi*4]
		lea	eax, [ebp+var_19C]
		push	eax
		call	RtlUnicodeStringToAnsiString
		mov	[ebp+var_174], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_73066C
; 

loc_73064B:				; DATA XREF: .text:006AA7ECo
		xor	eax, eax
		inc	eax
		retn
; 

loc_73064F:				; DATA XREF: .text:006AA7F0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, 0C0000001h
		mov	[ebp+var_174], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_164]

loc_73066C:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+12Aj
		mov	ecx, [ebp+var_194]
		test	eax, eax
		js	short loc_730685
		mov	eax, [ebp+var_198]
		mov	dword ptr [ebp+ecx*4+var_158], eax
		jmp	short loc_7306A5
; 

loc_730685:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+155j
		mov	dword ptr [ebp+ecx*4+var_158], (offset ??_C@_03EEBNCBOD@?5?$CFs@OKHAJAOM@+4)
		jmp	short loc_7306A5
; 

loc_730692:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+EAj
		push	offset ??_C@_03KHOJPICI@?5?$CFx@OKHAJAOM@
		push	20h
		lea	eax, [ebp+var_40]
		push	eax
		call	_strcat_s
		add	esp, 0Ch

loc_7306A5:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+164j
					; ExpSystemErrorHandler(x,x,x,x,x)+171j
		inc	esi
		jmp	loc_7305E7
; 

loc_7306AB:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+DAj
		push	(offset	??_C@_03KHOJPICI@?5?$CFx@OKHAJAOM@+4)
		push	20h
		lea	eax, [ebp+var_40]
		push	eax
		call	_strcat_s
		add	esp, 0Ch
		lea	eax, [ebp+var_40]
		mov	[ebp+var_15C], eax
		mov	edi, offset ??_C@_0BD@EFJJCAGA@Unknown?5Hard?5Error@OKHAJAOM@
		mov	esi, edi
		mov	[ebp+var_160], esi
		xor	ecx, ecx
		call	_PsQuerySystemDllInfo@4	; PsQuerySystemDllInfo(x)
		test	eax, eax
		jz	loc_7308DE
		mov	edx, [eax+0Ch]
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		cmp	ecx, ds:_PsInitialSystemProcess
		jnz	short loc_7306FE
		mov	edx, [eax+10h]

loc_7306FE:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+1DAj
		mov	[ebp+ms_exc.disabled], 1
		movzx	eax, ds:_NlsMbCodePageTag
		neg	eax
		sbb	eax, eax
		and	eax, 409h
		lea	ecx, [ebp+var_188]
		push	ecx
		push	dword ptr [ebp+var_168]
		push	eax
		push	0Bh
		push	edx
		call	_RtlFindMessage@20 ; RtlFindMessage(x,x,x,x,x)
		test	eax, eax
		jns	short loc_730742
		mov	esi, edi
		mov	[ebp+var_160], esi
		mov	[ebp+var_15C], edi
		jmp	loc_7308B2
; 

loc_730742:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+20Ej
		mov	eax, [ebp+var_188]
		test	byte ptr [eax+2], 1
		jz	loc_7307DC
		add	eax, 4
		push	eax
		lea	eax, [ebp+var_184]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_184]
		push	eax
		call	_RtlxUnicodeStringToAnsiSize@4 ; RtlxUnicodeStringToAnsiSize(x)
		movzx	eax, ax
		mov	word ptr [ebp+var_17C],	ax
		push	20727245h
		add	eax, 10h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_160], esi
		test	esi, esi
		jz	short loc_7307CC
		mov	ecx, [ebp+var_17C]
		add	ecx, 10h
		mov	word ptr [ebp+var_17C+2], cx
		mov	[ebp+var_178], esi
		push	ebx
		lea	eax, [ebp+var_184]
		push	eax
		lea	eax, [ebp+var_17C]
		push	eax
		call	RtlUnicodeStringToAnsiString
		test	eax, eax
		jns	short loc_73083D
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7307CC:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+276j
		mov	esi, edi
		mov	[ebp+var_160], esi
		mov	[ebp+var_15C], edi
		jmp	short loc_73083D
; 

loc_7307DC:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+22Dj
		add	eax, 4
		mov	[ebp+var_194], eax
		mov	ecx, eax
		lea	edx, [ecx+1]

loc_7307EA:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+2D0j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_7307EA
		sub	ecx, edx
		lea	eax, [ecx+10h]
		mov	[ebp+var_188], eax
		push	20727245h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_160], esi
		test	esi, esi
		jz	short loc_73082F
		push	[ebp+var_194]
		push	[ebp+var_188]
		push	esi
		call	_strcpy_s
		add	esp, 0Ch
		jmp	short loc_73083D
; 

loc_73082F:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+2F7j
		mov	[ebp+var_15C], edi
		mov	esi, edi
		mov	[ebp+var_160], esi

loc_73083D:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+2A4j
					; ExpSystemErrorHandler(x,x,x,x,x)+2BBj ...
		cmp	esi, edi
		jz	short loc_73089E
		mov	[ebp+var_15C], esi
		mov	ecx, esi
		lea	edx, [ecx+1]

loc_73084C:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+332j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_73084C
		sub	ecx, edx

loc_730855:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+352j
		mov	[ebp+var_164], ecx
		test	ecx, ecx
		jz	short loc_730873
		mov	eax, [ebp+var_15C]
		cmp	byte ptr [eax],	20h
		jl	short loc_730873
		inc	[ebp+var_15C]
		dec	ecx
		jmp	short loc_730855
; 

loc_730873:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+33Ej
					; ExpSystemErrorHandler(x,x,x,x,x)+349j
		mov	eax, [ebp+var_15C]
		mov	[eax], bl

loc_73087B:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+37Dj
		inc	[ebp+var_15C]
		dec	ecx
		mov	[ebp+var_164], ecx
		test	ecx, ecx
		jz	short loc_7308A8
		mov	eax, [ebp+var_15C]
		mov	al, [eax]
		test	al, al
		jz	short loc_7308A4
		cmp	al, 20h
		jg	short loc_7308A4
		jmp	short loc_73087B
; 

loc_73089E:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+320j
		mov	ecx, [ebp+var_164]

loc_7308A4:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+377j
					; ExpSystemErrorHandler(x,x,x,x,x)+37Bj
		test	ecx, ecx
		jnz	short loc_7308B2

loc_7308A8:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+36Bj
		mov	[ebp+var_15C], offset ??_C@_00CNPNBAHC@@OKHAJAOM@

loc_7308B2:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+21Ej
					; ExpSystemErrorHandler(x,x,x,x,x)+387j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_7308DE
; 

loc_7308BB:				; DATA XREF: .text:006AA7F8o
		xor	eax, eax
		inc	eax
		retn
; 

loc_7308BF:				; DATA XREF: .text:006AA7FCo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, offset ??_C@_0BD@EFJJCAGA@Unknown?5Hard?5Error@OKHAJAOM@
		mov	[ebp+var_15C], edi
		mov	esi, edi
		mov	[ebp+var_160], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx

loc_7308DE:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+1BEj
					; ExpSystemErrorHandler(x,x,x,x,x)+39Aj
		mov	[ebp+ms_exc.disabled], 2
		push	esi
		push	dword ptr [ebp+var_168]	; char
		push	offset ??_C@_0P@PKJHNMNM@?6STOP?3?5?$CFlx?5?$CFs?6@OKHAJAOM@ ; char *
		push	100h		; int
		lea	eax, [ebp+var_144]
		push	eax		; char *
		call	RtlStringCbPrintfA
		add	esp, 14h
		mov	[ebp+var_174], eax
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_730932
; 

loc_730913:				; DATA XREF: .text:006AA804o
		xor	eax, eax
		inc	eax
		retn
; 

loc_730917:				; DATA XREF: .text:006AA808o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, 0C0000001h
		mov	[ebp+var_174], eax
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		xor	ebx, ebx
		mov	edi, offset ??_C@_0BD@EFJJCAGA@Unknown?5Hard?5Error@OKHAJAOM@

loc_730932:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+3F2j
		test	eax, eax
		jns	short loc_730955
		push	dword ptr [ebp+var_168]	; char
		push	offset ??_C@_0BA@CEBBANEO@?6HardError?5?$CFlx?6@OKHAJAOM@ ; char *
		push	100h		; int
		lea	eax, [ebp+var_144]
		push	eax		; char *
		call	RtlStringCbPrintfA
		add	esp, 10h

loc_730955:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+415j
		push	ds:_ExPageLockHandle
		call	_MmLockPagableSectionByHandle@4	; MmLockPagableSectionByHandle(x)
		mov	[ebp+var_170], edi
		mov	[ebp+var_16C], edi
		lea	eax, [ebp+var_144]
		push	eax
		lea	eax, [ebp+var_17C]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_17C]
		push	eax
		lea	eax, [ebp+var_184]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	short loc_7309E9
		lea	eax, [ebp+var_184]
		push	eax
		call	_RtlxUnicodeStringToOemSize@4 ;	RtlxUnicodeStringToOemSize(x)
		movzx	eax, ax
		mov	word ptr [ebp+var_190],	ax
		mov	word ptr [ebp+var_190+2], ax
		push	20727245h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_18C], eax
		mov	[ebp+var_170], eax
		test	eax, eax
		jz	short loc_7309E9
		push	ebx
		lea	eax, [ebp+var_184]
		push	eax
		lea	eax, [ebp+var_190]
		push	eax
		call	RtlUnicodeStringToOemString

loc_7309E9:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+477j
					; ExpSystemErrorHandler(x,x,x,x,x)+4B4j
		mov	[ebp+ms_exc.disabled], 3
		push	[ebp+var_14C]
		push	[ebp+var_150]
		push	[ebp+var_154]
		push	dword ptr [ebp+var_158]	; char
		push	[ebp+var_15C]	; char *
		push	100h		; int
		lea	eax, [ebp+var_144]
		push	eax		; char *
		call	RtlStringCbPrintfA
		add	esp, 1Ch
		mov	[ebp+var_174], eax
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_730A48
; 

loc_730A2D:				; DATA XREF: .text:006AA810o
		xor	eax, eax
		inc	eax
		retn
; 

loc_730A31:				; DATA XREF: .text:006AA814o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, 0C0000001h
		mov	[ebp+var_174], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx

loc_730A48:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+50Cj
		test	eax, eax
		jns	short loc_730A83
		push	[ebp+var_14C]
		push	[ebp+var_150]
		push	[ebp+var_154]
		push	dword ptr [ebp+var_158]
		push	dword ptr [ebp+var_168]	; char
		push	offset ??_C@_0DM@CMMHDKIJ@Exception?5Processing?5Message?5?$CFl@OKHAJAOM@ ; "Exception Processing Message %lx Parame"...
		push	100h		; int
		lea	eax, [ebp+var_144]
		push	eax		; char *
		call	RtlStringCbPrintfA
		add	esp, 20h

loc_730A83:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+52Bj
		lea	eax, [ebp+var_144]
		push	eax
		lea	eax, [ebp+var_17C]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_17C]
		push	eax
		lea	eax, [ebp+var_184]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	short loc_730B00
		lea	eax, [ebp+var_184]
		push	eax
		call	_RtlxUnicodeStringToOemSize@4 ;	RtlxUnicodeStringToOemSize(x)
		movzx	eax, ax
		mov	word ptr [ebp+var_190],	ax
		mov	word ptr [ebp+var_190+2], ax
		push	20727245h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_18C], eax
		mov	[ebp+var_16C], eax
		test	eax, eax
		jz	short loc_730B00
		push	ebx
		lea	eax, [ebp+var_184]
		push	eax
		lea	eax, [ebp+var_190]
		push	eax
		call	RtlUnicodeStringToOemString

loc_730B00:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+58Ej
					; ExpSystemErrorHandler(x,x,x,x,x)+5CBj
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		test	eax, eax
		jz	short loc_730B27
		push	dword ptr [ebp+var_168]
		push	eax
		call	_PsTerminateServerSilo@8 ; PsTerminateServerSilo(x,x)
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_730B27:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+5E8j
		push	[ebp+var_16C]
		lea	eax, [ebp+var_158]
		push	[ebp+var_170]
		push	eax
		push	dword ptr [ebp+var_168]
		push	4Ch
		cmp	[ebp+arg_8], 0
		jz	short loc_730B4F
		push	1
		call	_PoShutdownBugCheck@24 ; PoShutdownBugCheck(x,x,x,x,x,x)

loc_730B4F:				; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+627j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_ExpSystemErrorHandler@20 endp


;  S U B	R O U T	I N E 


; __stdcall WheaInitializeProcessor(x, x)
_WheaInitializeProcessor@8 proc	near	; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+2F6p
					; KiStartDynamicProcessor(x,x,x,x)+430p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		xor	edi, edi
		mov	esi, ecx
		test	ebx, ebx
		jnz	short loc_730BAC
		push	61656857h
		push	0Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_730B8F
		inc	ds:_WheapStatus
		mov	eax, 0C000009Ah
		or	ds:dword_6BB454, 10h
		jmp	short loc_730BE5
; 

loc_730B8F:				; CODE XREF: WheaInitializeProcessor(x,x)+24j
		mov	dword ptr [ecx+4], offset _WheapErrorSourceTable
		mov	eax, ds:dword_6F9ACC
		mov	[ecx], eax
		mov	dword ptr [ecx+8], offset _WheapWorkQueue
		mov	[esi+4050h], ecx
		jmp	short loc_730BE3
; 

loc_730BAC:				; CODE XREF: WheaInitializeProcessor(x,x)+Dj
		mov	esi, ds:dword_6F9AD4
		jmp	short loc_730BD2
; 

loc_730BB4:				; CODE XREF: WheaInitializeProcessor(x,x)+83j
		cmp	dword ptr [esi+5Ch], 1
		jnz	short loc_730BD0
		mov	edx, ebx
		mov	dword ptr [esi+5Ch], 2
		mov	ecx, esi
		call	_WheapCallErrorSourceInitialize@8 ; WheapCallErrorSourceInitialize(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_730BDC

loc_730BD0:				; CODE XREF: WheaInitializeProcessor(x,x)+63j
		mov	esi, [esi]

loc_730BD2:				; CODE XREF: WheaInitializeProcessor(x,x)+5Dj
		cmp	esi, offset dword_6F9AD4
		jnz	short loc_730BB4
		jmp	short loc_730BE3
; 

loc_730BDC:				; CODE XREF: WheaInitializeProcessor(x,x)+79j
		mov	dword ptr [esi+5Ch], 1

loc_730BE3:				; CODE XREF: WheaInitializeProcessor(x,x)+55j
					; WheaInitializeProcessor(x,x)+85j
		mov	eax, edi

loc_730BE5:				; CODE XREF: WheaInitializeProcessor(x,x)+38j
		pop	edi
		pop	esi
		pop	ebx
		retn
_WheaInitializeProcessor@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2632. WheaUnconfigureErrorSource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaUnconfigureErrorSource(x)
		public _WheaUnconfigureErrorSource@4
_WheaUnconfigureErrorSource@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		cmp	eax, 10h
		ja	loc_730CE0
		push	esi
		imul	esi, eax, 24h
		xor	edx, edx
		push	edi
		push	0
		mov	ecx, offset _WheapConfigTableLock
		mov	ebx, 0C0000001h
		add	esi, offset _WheapSourceConfiguration
		call	KeAbPreAcquire
		push	11h
		mov	edi, eax
		mov	edx, offset _WheapConfigTableLock
		pop	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_730C3E
		mov	eax, edx
		mov	edx, edi
		push	eax
		mov	ecx, eax
		call	ExfAcquirePushLockSharedEx

loc_730C3E:				; CODE XREF: WheaUnconfigureErrorSource(x)+42j
		test	edi, edi
		jz	short loc_730C46
		or	byte ptr [edi+0Eh], 1

loc_730C46:				; CODE XREF: WheaUnconfigureErrorSource(x)+52j
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edi, eax
		lock bts dword ptr [esi], 0
		jnb	short loc_730C64
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx

loc_730C64:				; CODE XREF: WheaUnconfigureErrorSource(x)+6Aj
		test	edi, edi
		jz	short loc_730C6C
		or	byte ptr [edi+0Eh], 1

loc_730C6C:				; CODE XREF: WheaUnconfigureErrorSource(x)+78j
		cmp	byte ptr [esi+4], 0
		jz	short loc_730CA0
		mov	byte ptr [esi+4], 0
		mov	dword ptr [esi+0Ch], offset _xKdGetAcpiTablePhase0@8 ; xKdGetAcpiTablePhase0(x,x)
		mov	dword ptr [esi+10h], offset _WheapDefaultErrSrcInitialize@12 ; WheapDefaultErrSrcInitialize(x,x,x)
		mov	dword ptr [esi+14h], offset _WheapDefaultErrSrcCreateRecord@20 ; WheapDefaultErrSrcCreateRecord(x,x,x,x,x)
		mov	dword ptr [esi+18h], offset _xKdGetAcpiTablePhase0@8 ; xKdGetAcpiTablePhase0(x,x)
		mov	dword ptr [esi+1Ch], offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)
		mov	dword ptr [esi+20h], 0

loc_730CA0:				; CODE XREF: WheaUnconfigureErrorSource(x)+82j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_730CB4
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_730CB4:				; CODE XREF: WheaUnconfigureErrorSource(x)+BDj
		mov	ecx, esi
		call	KeAbPostRelease
		push	11h
		xor	edx, edx
		mov	esi, offset _WheapConfigTableLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_730CD5
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_730CD5:				; CODE XREF: WheaUnconfigureErrorSource(x)+DEj
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		jmp	short loc_730CE5
; 

loc_730CE0:				; CODE XREF: WheaUnconfigureErrorSource(x)+Cj
		mov	ebx, 0C000000Dh

loc_730CE5:				; CODE XREF: WheaUnconfigureErrorSource(x)+F0j
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	4
_WheaUnconfigureErrorSource@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapCreateLiveDumpFromPreviousSession(x)
_WheapCreateLiveDumpFromPreviousSession@4 proc near
					; CODE XREF: WheapProcessWorkQueueItem(x,x)+51p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	ebx, ebx
		xor	eax, eax
		push	edi
		mov	esi, ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		inc	eax
		lock xadd ds:_WheapLiveDumpsCreated, eax
		inc	eax
		cmp	eax, 8
		jle	short loc_730D19
		mov	eax, 0C0000001h
		jmp	short loc_730D5A
; 

loc_730D19:				; CODE XREF: WheapCreateLiveDumpFromPreviousSession(x)+24j
		mov	edi, offset _WheapLiveDumpLock
		mov	ecx, edi
		call	ExAcquireFastMutex
		cmp	ds:_WheapCrashDumpInitialized, bl
		jz	short loc_730D2F
		mov	bl, 1

loc_730D2F:				; CODE XREF: WheapCreateLiveDumpFromPreviousSession(x)+3Fj
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	bl, bl
		jz	short loc_730D53
		lea	eax, [esi+1Ch]
		mov	[ebp+var_4], eax
		lea	ecx, [ebp+var_10]
		mov	eax, [esi+18h]
		mov	eax, [eax+20h]
		mov	[ebp+var_8], eax
		call	_WheapReportLiveDump@4 ; WheapReportLiveDump(x)
		jmp	short loc_730D5A
; 

loc_730D53:				; CODE XREF: WheapCreateLiveDumpFromPreviousSession(x)+4Cj
		mov	ecx, esi
		call	_WheapSaveRecordForLiveDump@4 ;	WheapSaveRecordForLiveDump(x)

loc_730D5A:				; CODE XREF: WheapCreateLiveDumpFromPreviousSession(x)+2Bj
					; WheapCreateLiveDumpFromPreviousSession(x)+65j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_WheapCreateLiveDumpFromPreviousSession@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapSaveRecordForLiveDump(x)
_WheapSaveRecordForLiveDump@4 proc near	; CODE XREF: WheapCreateLiveDumpFromPreviousSession(x)+69p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	ebx, ecx
		lea	ecx, [ebp+var_4]
		push	edi
		push	ecx
		push	10h
		mov	eax, [ebx+30h]
		mov	ecx, eax
		pop	edx
		mov	[ebp+var_8], eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_730DFB
		push	61656857h
		push	[ebp+var_4]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_730DA9
		mov	edi, 0C000009Ah
		jmp	short loc_730DFB
; 

loc_730DA9:				; CODE XREF: WheapSaveRecordForLiveDump(x)+41j
		mov	eax, [ebx+18h]
		lea	ecx, [esi+10h]
		push	[ebp+var_8]	; size_t
		mov	eax, [eax+20h]
		mov	[esi+8], eax
		lea	eax, [ebx+1Ch]
		push	eax		; void *
		push	ecx		; void *
		mov	[esi+0Ch], ecx
		call	_memcpy
		add	esp, 0Ch
		mov	ebx, offset _WheapLiveDumpLock
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	eax, ds:dword_6B7344
		mov	ecx, offset _WheapLiveDumpRecordList
		cmp	[eax], ecx
		jz	short loc_730DE7
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_730DE7:				; CODE XREF: WheapSaveRecordForLiveDump(x)+81j
		mov	[esi], ecx
		mov	ecx, ebx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	ds:dword_6B7344, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_730DFB:				; CODE XREF: WheapSaveRecordForLiveDump(x)+29j
					; WheapSaveRecordForLiveDump(x)+48j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_WheapSaveRecordForLiveDump@4 endp

; 
		align 4

_CmpRiseID:				; DATA XREF: KiGetCpuVendor+39BEo
		push	edx
		imul	esi, [ebx+65h],	65736952h
		push	edx
		imul	esi, [ebx+65h],	0

_CmpTransmetaID:			; DATA XREF: KiGetCpuVendor:loc_72AE88o
		inc	edi
		outs	dx, byte ptr gs:[esi]
		jnz	short near ptr loc_730E7E+4
		outsb
		db	65h
		push	esp
		dec	ebp
		js	short near ptr _CmpCyrixID+3
		add	ss:[eax], al
; 
		dw 0
; 

_CmpAmdID:				; DATA XREF: KiGetCpuVendor:loc_72AE19o
		inc	ecx
		jnz	short near ptr loc_730E99+2
		push	69746E65h
		arpl	[ecx+4Dh], ax
		inc	esp
; 
		dd 0
; 

_CmpCentaurID:				; DATA XREF: KiGetCpuVendor:loc_72AEBAo
		inc	ebx
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_730E99+1
		jnz	short near ptr loc_730EAC+1
		dec	eax
		popa
		jnz	short near ptr loc_730EA9+2
		jnb	short $+2
; 
		db 3 dup(0)
_CmpIntelID	db 'GenuineIntel',0     ; DATA XREF: KiGetCpuVendor+45o
					; KiInitMachineDependent+78o
		align 4
_CmpCyrixID	db 'CyrixInstead',0     ; CODE XREF: PAGELK:00730E1Dj
					; DATA XREF: KiGetCpuVendor:loc_72AE4Eo ...
		align 4

_CmpPlatformSpecificField1:
		push	eax
		add	[eax+eax+61h], ch
		add	[eax+eax+66h], dh
		add	[edi+0], ch
		jb	short $+2
		insd
		add	[eax], ah
		add	[ebx+0], dl
		jo	short $+2
		add	gs:[ebx+0], ah

loc_730E7E:				; CODE XREF: PAGELK:00730E17j
		imul	eax, [eax], 690066h
		arpl	[eax], ax
		and	[eax], al
		inc	esi
		add	[ecx+0], ch
		add	gs:[eax+eax+64h], ch
		add	[eax], ah
		add	[ecx], dh
; 
		db 3 dup(0)
; 

_CmpPlatformSpecificField2:
		push	eax

loc_730E99:				; CODE XREF: PAGELK:00730E37j
					; PAGELK:00730E25j
		add	[eax+eax+61h], ch
		add	[eax+eax+66h], dh
		add	[edi+0], ch
		jb	short $+2
		insd
		add	[eax], ah

loc_730EA9:				; CODE XREF: PAGELK:00730E3Dj
		add	[ebx+0], dl

loc_730EAC:				; CODE XREF: PAGELK:00730E39j
		jo	short $+2
		add	gs:[ebx+0], ah
		imul	eax, [eax], 690066h
		arpl	[eax], ax
		and	[eax], al
		inc	esi
		add	[ecx+0], ch
		add	gs:[eax+eax+64h], ch
		add	[eax], ah
		add	[edx], dh
; 
		db 3 dup(0)
_CmpProcessorString2 db	'x86 Family %u Model %u Stepping %u',0
					; DATA XREF: CmpAddProcessorConfigurationEntry+DBo
		align 10h
_CmPhysicalAddressExtension:		; DATA XREF: CmpInitializeMachineDependentConfiguration+B5o
		unicode	0, <PhysicalAddressExtension>,0
		align 4
_CmpVendorID:				; DATA XREF: CmpAddProcessorConfigurationEntry:loc_88E0EDo
		unicode	0, <VendorIdentifier>,0
		align 4
_CmpFeatureBits:			; DATA XREF: CmpAddProcessorConfigurationEntry+423o
		unicode	0, <FeatureSet>,0
		align 10h
_CmpProcessorNameString	dd offset loc_72004F+1
					; DATA XREF: CmpAddProcessorConfigurationEntry+2E8o
aOcessornamestr:
		unicode	0, <ocessorNameString>,0
; 

_CmpProcessorString1:			; DATA XREF: CmpAddProcessorConfigurationEntry:loc_929B72o
		cmp	[eax], dh
		and	eax, 2D363875h
		and	eax, offset byte_782563

_CmpUpdateStatus:
		push	ebp
		add	[eax+0], dh
		add	fs:[ecx+0], ah
		jz	short $+2
		add	gs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
; 
		dw 0

;  S U B	R O U T	I N E 


_CmpUpdateRevision proc	near		; DATA XREF: CmpAddProcessorConfigurationEntry+49Bo
		push	ebp
		add	[eax+0], dh
		add	fs:[ecx+0], ah
		jz	short $+2
		add	gs:[eax], ah
		add	[edx+0], dl
		add	gs:[esi+0], dh
		imul	eax, [eax], 690073h
		outsd
_CmpUpdateRevision endp

		add	[esi+0], ch
; 
		dw 0
_CmpMHz:				; DATA XREF: CmpAddProcessorConfigurationEntry+45Eo
		unicode	0, <~MHz>,0
		align 4

_CmpPreviousUpdateRevision:
		push	eax
		add	[edx+0], dh
		add	gs:[esi+0], dh
		imul	eax, [eax], 75006Fh
		jnb	short $+2
		and	[eax], al
		push	ebp
		add	[eax+0], dh
		add	fs:[ecx+0], ah
		jz	short $+2
		add	gs:[eax], ah
		add	[edx+0], dl
		add	gs:[esi+0], dh
		imul	eax, [eax], 690073h
		outsd
		add	[esi+0], ch
; 
		dd 0
; 

_FormatMaxDisplacement:			; DATA XREF: LZNT1CompressChunk+78o
					; LZNT1CompressChunk+288o
		adc	[eax], al
; 
		dw 0
		dd 20h,	40h, 80h, 100h,	200h, 400h, 800h, 1000h
; 

_FormatMaxLength:
		add	dl, [eax]
; 
		dw 0
dword_731038	dd 802h			; DATA XREF: LZNT1CompressChunk:loc_71AC80r
		dd 402h, 202h, 102h, 82h, 42h, 22h, 12h, 6Ah dup(0)
PAGELK		ends

; 
; Section 11. (virtual address 00332000)
; Virtual size			: 003170BE (3240126.)
; Section size in file		: 00317200 (3240448.)
; Offset to raw	data for section: 002CEE00
; Flags	60000020: Text Executable Readable
; Alignment	: default
; 

; Segment type:	Pure code
; Segment permissions: Read/Execute
PAGE		segment	para public 'CODE' use32
		assume cs:PAGE
		;org 732000h
		assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

; __stdcall CmpCaptureKeyValueArray(x, x, x, x,	x, x)
_CmpCaptureKeyValueArray@24:		; CODE XREF: PAGE:007C7569p
					; DATA XREF: .text:_SeCiPrivateApisr ...
		push	5Ch
		push	offset dword_6A78C8
		call	__SEH_prolog4
		mov	[ebp-24h], edx
		mov	[ebp-44h], ecx
		xor	ebx, ebx
		mov	esi, ebx
		mov	edi, ebx
		mov	[ebp-34h], edi
		mov	eax, ebx
		mov	[ebp-1Ch], eax
		mov	[ebp-38h], eax
		test	edx, edx
		jz	loc_73229D
		push	33384D43h
		shl	edx, 4
		call	_CmpAllocateTransientPoolWithQuotaTag@12 ; CmpAllocateTransientPoolWithQuotaTag(x,x,x)
		mov	esi, eax
		mov	[ebp-30h], esi
		test	esi, esi
		jnz	short loc_73204B

loc_732041:				; CODE XREF: PAGE:00732067j
					; PAGE:007321BAj
		mov	ebx, 0C000009Ah
		jmp	loc_73229D
; 

loc_73204B:				; CODE XREF: PAGE:0073203Fj
		cmp	[ebp+8], bl
		jz	short loc_732069
		push	33384D43h
		mov	edx, [ebp-24h]
		shl	edx, 3
		call	_CmpAllocateTransientPoolWithQuotaTag@12 ; CmpAllocateTransientPoolWithQuotaTag(x,x,x)
		mov	edi, eax
		mov	[ebp-34h], edi
		test	edi, edi
		jz	short loc_732041

loc_732069:				; CODE XREF: PAGE:0073204Ej
		mov	edx, ebx
		mov	[ebp-28h], edx
		mov	[ebp-4], ebx
		mov	ecx, ebx
		mov	[ebp-20h], ecx

loc_732076:				; CODE XREF: PAGE:00732154j
		cmp	ecx, [ebp-24h]
		jnb	loc_732188
		shl	ecx, 4
		lea	eax, [ecx+esi]
		mov	[ebp-50h], eax
		mov	eax, [ebp-44h]
		add	eax, ecx
		mov	[ebp-5Ch], eax
		mov	edx, [eax]
		mov	[ebp-60h], edx
		mov	cl, [ebp+8]
		test	cl, cl
		jz	loc_732131
		mov	eax, [ebp-20h]
		lea	eax, [edi+eax*8]
		mov	[ebp-48h], eax
		mov	[ebp-6Ch], ebx
		mov	[ebp-68h], ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_7320BA
		mov	edx, eax

loc_7320BA:				; CODE XREF: PAGE:007320B6j
		nop
		mov	eax, [edx]
		mov	[ebp-6Ch], eax
		mov	ecx, [edx+4]
		mov	[ebp-68h], ecx
		mov	eax, [ebp-6Ch]
		mov	edx, [ebp-48h]
		mov	[edx], eax
		mov	[edx+4], ecx
		movzx	ecx, word ptr [edx]
		mov	[ebp-3Ch], ecx
		movzx	eax, cx
		test	cx, cx
		jz	short loc_732116
		mov	ecx, [edx+4]
		test	cl, 1
		jnz	loc_7322D5
		mov	eax, [ebp-3Ch]
		movzx	eax, ax
		add	eax, ecx
		mov	[ebp-40h], eax
		mov	eax, ds:_MmUserProbeAddress
		mov	[ebp-4Ch], eax
		cmp	[ebp-40h], eax
		ja	short loc_732111
		mov	eax, [ebp-3Ch]
		movzx	eax, ax
		cmp	[ebp-40h], ecx
		jnb	short loc_732116
		mov	eax, [ebp-4Ch]

loc_732111:				; CODE XREF: PAGE:00732101j
		mov	[eax], bl
		movzx	eax, word ptr [edx]

loc_732116:				; CODE XREF: PAGE:007320DDj
					; PAGE:0073210Cj
		test	al, 1
		jz	short loc_73212E
		mov	ebx, 0C000000Dh

loc_73211F:				; CODE XREF: PAGE:00732186j
		mov	[ebp-2Ch], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_73229D
; 

loc_73212E:				; CODE XREF: PAGE:00732118j
		mov	cl, [ebp+8]

loc_732131:				; CODE XREF: PAGE:0073209Aj
		mov	eax, [ebp-50h]
		mov	[eax], edx
		movzx	eax, word ptr [edx]
		mov	[ebp-50h], eax
		test	ax, ax
		jnz	short loc_732159
		mov	[edx+4], ebx
		xor	eax, eax
		mov	[edx+2], ax

loc_73214A:				; CODE XREF: PAGE:00732166j
					; PAGE:0073217Fj
		mov	ecx, [ebp-20h]
		inc	ecx
		mov	[ebp-20h], ecx
		mov	edx, [ebp-28h]
		jmp	loc_732076
; 

loc_732159:				; CODE XREF: PAGE:0073213Fj
		movsx	ecx, cl
		mov	edx, [edx+4]
		call	_CmpDoesBufferRequireCapturing@8 ; CmpDoesBufferRequireCapturing(x,x)
		test	al, al
		jz	short loc_73214A
		lea	eax, [ebp-28h]
		push	eax
		mov	eax, [ebp-50h]
		movzx	edx, ax
		mov	ecx, [ebp-28h]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	[ebp-2Ch], eax
		test	eax, eax
		jns	short loc_73214A
		mov	ebx, 0C000009Ah
		jmp	short loc_73211F
; 

loc_732188:				; CODE XREF: PAGE:00732079j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	edx, edx
		jnz	short loc_7321A6
		mov	eax, [ebp+0Ch]
		mov	[eax], esi
		mov	esi, ebx
		mov	eax, [ebp+10h]
		mov	[eax], edi
		mov	edi, ebx
		jmp	loc_73229D
; 

loc_7321A6:				; CODE XREF: PAGE:00732191j
		push	33384D43h
		call	_CmpAllocateTransientPoolWithQuotaTag@12 ; CmpAllocateTransientPoolWithQuotaTag(x,x,x)
		mov	ecx, eax
		mov	[ebp-1Ch], ecx
		mov	[ebp-38h], ecx
		test	ecx, ecx
		jz	loc_732041
		mov	[ebp-28h], ebx
		mov	dword ptr [ebp-4], 1
		mov	eax, ebx
		mov	ecx, [ebp-24h]

loc_7321CF:				; CODE XREF: PAGE:0073223Cj
		mov	[ebp-20h], eax
		cmp	eax, ecx
		jnb	short loc_73223E
		add	eax, eax
		mov	eax, [esi+eax*8]
		mov	[ebp-48h], eax
		movzx	edx, word ptr [eax]
		mov	[ebp-50h], edx
		test	dx, dx
		jz	short loc_732238
		mov	eax, [eax+4]
		mov	[ebp-4Ch], eax
		movsx	ecx, byte ptr [ebp+8]
		mov	edx, eax
		call	_CmpDoesBufferRequireCapturing@8 ; CmpDoesBufferRequireCapturing(x,x)
		test	al, al
		jz	short loc_732235
		mov	esi, [ebp-28h]
		add	esi, [ebp-1Ch]
		mov	eax, [ebp-50h]
		movzx	eax, ax
		push	eax
		push	dword ptr [ebp-4Ch]
		push	esi
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp-48h]
		mov	[ecx+4], esi
		mov	ax, [ecx]
		mov	[ecx+2], ax
		movzx	eax, word ptr [ecx]
		mov	edx, [ebp-28h]
		add	edx, eax
		mov	[ebp-28h], edx
		mov	[ebp-64h], edx
		mov	esi, [ebp-30h]

loc_732235:				; CODE XREF: PAGE:007321FCj
		mov	ecx, [ebp-24h]

loc_732238:				; CODE XREF: PAGE:007321E7j
		mov	eax, [ebp-20h]
		inc	eax
		jmp	short loc_7321CF
; 

loc_73223E:				; CODE XREF: PAGE:007321D4j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp+0Ch]
		mov	[eax], esi
		mov	esi, ebx
		mov	eax, [ebp+10h]
		mov	[eax], edi
		mov	edi, ebx
		mov	eax, [ebp+14h]
		mov	ecx, [ebp-1Ch]
		mov	[eax], ecx
		mov	[ebp-1Ch], ebx
		jmp	short loc_73229D
; 

loc_732260:				; DATA XREF: .text:006A78E8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_73226E:				; DATA XREF: .text:006A78ECo
		mov	ebx, [ebp-54h]
		jmp	short loc_732287
; 

loc_732273:				; DATA XREF: .text:006A78DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-58h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_732281:				; DATA XREF: .text:006A78E0o
		mov	ebx, [ebp-58h]
		mov	[ebp-2Ch], ebx

loc_732287:				; CODE XREF: PAGE:00732271j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-38h]
		mov	[ebp-1Ch], eax
		mov	edi, [ebp-34h]
		mov	esi, [ebp-30h]

loc_73229D:				; CODE XREF: PAGE:00732025j
					; PAGE:00732046j ...
		test	esi, esi
		jz	short loc_7322A8
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_7322A8:				; CODE XREF: PAGE:0073229Fj
		test	edi, edi
		jz	short loc_7322B3
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_7322B3:				; CODE XREF: PAGE:007322AAj
		mov	eax, [ebp-1Ch]
		test	eax, eax
		jz	short loc_7322C1
		mov	ecx, eax
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_7322C1:				; CODE XREF: PAGE:007322B8j
		mov	eax, ebx
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7322D5:				; CODE XREF: PAGE:007320E5j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtLoadKey3(x, x, x,	x, x, x, x, x)
_NtLoadKey3@32	proc near		; DATA XREF: .text:005812E0o

var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_21		= byte ptr -21h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A78F0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		push	ecx
		push	ecx
		push	ebx
		sub	esp, 38h
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		xor	esi, esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], esi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_21], al
		mov	byte ptr [ebp+var_3C], al
		mov	[ebp+var_34], esi
		mov	edx, [ebx+14h]
		mov	ecx, [ebp+var_28]
		mov	eax, [ebx+18h]

loc_73234E:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+110j
		test	eax, eax
		jz	loc_732414
		mov	[ebp+var_4], esi
		cmp	[ebp+var_21], 1
		jnz	short loc_73237B
		mov	ecx, edx
		test	dl, 7
		jnz	loc_732456
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_732375
		mov	ecx, eax

loc_732375:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+95j
		nop
		mov	al, [ecx]
		mov	ecx, [ebp+var_28]

loc_73237B:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+81j
		mov	esi, edx
		lea	edi, [ebp+var_50]
		movsd
		movsd
		movsd
		movsd
		movzx	eax, byte ptr [ebp+var_50]
		xor	esi, esi
		cmp	eax, 1
		jnz	short loc_7323B0
		test	cl, 2
		jz	short loc_7323A5

loc_732394:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+DCj
					; NtLoadKey3(x,x,x,x,x,x,x,x)+ECj ...
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, 0C00000F2h
		jmp	loc_732440
; 

loc_7323A5:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+B6j
		mov	eax, [ebp+var_48]
		mov	[ebp+var_34], eax
		or	ecx, 2
		jmp	short loc_7323D8
; 

loc_7323B0:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+B1j
		cmp	eax, 2
		jnz	short loc_7323C5
		test	cl, 4
		jnz	short loc_732394
		mov	eax, [ebp+var_48]
		mov	[ebp+var_30], eax
		or	ecx, 4
		jmp	short loc_7323D8
; 

loc_7323C5:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+D7j
		cmp	eax, 3
		jnz	short loc_732394
		test	cl, 8
		jnz	short loc_732394
		mov	eax, [ebp+var_48]
		mov	[ebp+var_2C], eax
		or	ecx, 8

loc_7323D8:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+D2j
					; NtLoadKey3(x,x,x,x,x,x,x,x)+E7j
		mov	[ebp+var_28], ecx
		mov	[ebp+var_4], 0FFFFFFFEh
		add	edx, 10h
		mov	eax, [ebx+18h]
		dec	eax
		mov	[ebx+18h], eax
		jmp	loc_73234E
; 

loc_7323F1:				; DATA XREF: .text:006A7904o
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_732402:				; DATA XREF: .text:006A7908o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-38h]
		jmp	short loc_732440
; 

loc_732414:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+74j
		push	[ebp+var_3C]
		push	[ebp+var_2C]
		push	esi
		push	esi
		push	dword ptr [ebx+24h]
		push	dword ptr [ebx+20h]
		push	dword ptr [ebx+1Ch]
		push	[ebp+var_30]
		mov	eax, [ebp+var_34]
		push	eax
		mov	eax, [ebx+10h]
		or	eax, 8000h
		push	eax
		mov	edx, [ebx+0Ch]
		mov	ecx, [ebx+8]
		call	CmLoadDifferencingKey

loc_732440:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+C4j
					; NtLoadKey3(x,x,x,x,x,x,x,x)+136j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	20h
; 

loc_732456:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+88j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger

; __stdcall wil_RegisterFeatureStagingChangeNotification(x)
_wil_RegisterFeatureStagingChangeNotification@4: ; CODE	XREF: CmFcInitSystem1()+3p
		mov	edi, edi
		push	ecx
		mov	ecx, offset _wil_details_featureDescriptors_a
		jmp	short loc_73247B
; 

loc_732466:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+1A6j
		cmp	byte ptr [eax+11h], 0
		jnz	short loc_732478
		cmp	byte ptr [eax+12h], 0
		jnz	short loc_732478
		cmp	byte ptr [eax+10h], 0
		jz	short loc_732486

loc_732478:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+18Ej
					; NtLoadKey3(x,x,x,x,x,x,x,x)+194j
		lea	ecx, [eax+18h]

loc_73247B:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+188j
		call	_wil_details_FeatureDescriptors_SkipPadding@4 ;	wil_details_FeatureDescriptors_SkipPadding(x)
		test	eax, eax
		jnz	short loc_732466
		pop	ecx
		retn
; 

loc_732486:				; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+19Aj
		call	_wil_details_RegisterFeatureStagingChangeNotification@8	; wil_details_RegisterFeatureStagingChangeNotification(x,x)
		pop	ecx
		retn
_NtLoadKey3@32	endp ; sp = -6Ch

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_BuildFeatureStateCacheFromQueryResults(x, x, x)
_wil_details_BuildFeatureStateCacheFromQueryResults@12 proc near
					; CODE XREF: wil_details_UpdateFeatureConfiguredStates()+58p
					; wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)+71p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	ecx, 80000022h
		jz	short loc_7324E2
		cmp	ecx, 0C0000225h
		jz	short loc_7324E2
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		test	ecx, ecx
		jz	short loc_7324C5
		cmp	ecx, 117h
		jnz	short loc_7324E9
		mov	ecx, [edx+4]
		and	ecx, 80h
		jmp	short loc_7324D7
; 

loc_7324C5:				; CODE XREF: wil_details_BuildFeatureStateCacheFromQueryResults(x,x,x)+22j
		mov	eax, [edx+4]
		mov	ecx, eax
		and	ecx, 40h
		and	eax, 0B0h
		shl	ecx, 2
		or	ecx, eax

loc_7324D7:				; CODE XREF: wil_details_BuildFeatureStateCacheFromQueryResults(x,x,x)+35j
		shl	ecx, 3
		or	ecx, 206h
		jmp	short loc_7324EE
; 

loc_7324E2:				; CODE XREF: wil_details_BuildFeatureStateCacheFromQueryResults(x,x,x)+Fj
					; wil_details_BuildFeatureStateCacheFromQueryResults(x,x,x)+17j
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0

loc_7324E9:				; CODE XREF: wil_details_BuildFeatureStateCacheFromQueryResults(x,x,x)+2Aj
		mov	ecx, 206h

loc_7324EE:				; CODE XREF: wil_details_BuildFeatureStateCacheFromQueryResults(x,x,x)+52j
		mov	[esi], ecx
		pop	esi
		pop	ebp
		retn	4
_wil_details_BuildFeatureStateCacheFromQueryResults@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_EvaluateFeatureDependencies()
_wil_details_EvaluateFeatureDependencies@0 proc	near
					; CODE XREF: wil_details_ReevaluateOnFeatureConfigurationChange(x)+5p
					; wil_InitializeFeatureStagingFromBuffers(x)+8p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		call	_wil_details_EvaluateFeatureDependencies_UpdateFeatureDesiredStates@0 ;	wil_details_EvaluateFeatureDependencies_UpdateFeatureDesiredStates()
		mov	ecx, offset _wil_details_featureDescriptors_a
		jmp	short loc_732518
; 

loc_73250C:				; CODE XREF: wil_details_EvaluateFeatureDependencies()+2Bj
		mov	ecx, [esi]
		mov	edx, esi
		call	_wil_details_EvaluateFeatureDependencies_GetCachedFeatureEnabledState@8	; wil_details_EvaluateFeatureDependencies_GetCachedFeatureEnabledState(x,x)
		lea	ecx, [esi+18h]

loc_732518:				; CODE XREF: wil_details_EvaluateFeatureDependencies()+14j
		call	_wil_details_FeatureDescriptors_SkipPadding@4 ;	wil_details_FeatureDescriptors_SkipPadding(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_73250C
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_wil_details_EvaluateFeatureDependencies@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_EvaluateFeatureDependencies_GetCachedFeatureEnabledState(x, x)
_wil_details_EvaluateFeatureDependencies_GetCachedFeatureEnabledState@8	proc near
					; CODE XREF: wil_details_EvaluateFeatureDependencies()+1Ap
					; wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+42p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, [ecx]
		sub	esp, 0Ch
		push	esi
		xor	esi, esi
		test	eax, 200h
		jnz	short loc_732543
		mov	edx, esi
		jmp	short loc_73254A
; 

loc_732543:				; CODE XREF: wil_details_EvaluateFeatureDependencies_GetCachedFeatureEnabledState(x,x)+15j
		push	esi
		push	eax
		call	_wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState@16	; wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)

loc_73254A:				; CODE XREF: wil_details_EvaluateFeatureDependencies_GetCachedFeatureEnabledState(x,x)+19j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_wil_details_EvaluateFeatureDependencies_GetCachedFeatureEnabledState@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x, x, x, x)
_wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState@16	proc near
					; CODE XREF: wil_details_EvaluateFeatureDependencies_GetCachedFeatureEnabledState(x,x)+1Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, [ebp+arg_0]

loc_73255C:				; DATA XREF: IopMarkBootPartition+70o
		mov	eax, ecx
		push	esi
		push	edi
		mov	edi, ebx
		mov	[ebp+var_4], eax
		xor	ecx, ecx
		shr	edi, 6
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		and	edi, 1
		jz	short loc_7325B4
		mov	esi, [edx+14h]
		test	esi, esi
		jz	short loc_7325B4

loc_73257C:				; CODE XREF: wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+5Fj
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_7325B1
		cmp	byte ptr [eax+12h], 0
		jnz	short loc_7325E5
		cmp	byte ptr [eax+11h], 0
		jnz	short loc_7325E5
		mov	ecx, [eax]
		mov	edx, eax
		call	_wil_details_EvaluateFeatureDependencies_GetCachedFeatureEnabledState@8	; wil_details_EvaluateFeatureDependencies_GetCachedFeatureEnabledState(x,x)
		test	edi, edi
		jz	short loc_7325A6
		test	al, 1
		jz	short loc_7325A6
		xor	edi, edi
		inc	edi
		xor	ecx, ecx
		jmp	short loc_7325AA
; 

loc_7325A6:				; CODE XREF: wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+49j
					; wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+4Dj
		xor	ecx, ecx

loc_7325A8:				; CODE XREF: wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+97j
					; wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+9Dj
		mov	edi, ecx

loc_7325AA:				; CODE XREF: wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+54j
					; wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+A2j
		add	esi, 4
		test	edi, edi
		jnz	short loc_73257C

loc_7325B1:				; CODE XREF: wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+30j
		mov	eax, [ebp+var_4]

loc_7325B4:				; CODE XREF: wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+23j
					; wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+2Aj
		mov	[ebp+var_10], ebx

loc_7325B7:				; CODE XREF: wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+93j
		mov	esi, ebx
		and	ebx, 1
		and	esi, 0FFFFFFFEh
		or	esi, edi
		cmp	ebx, edi
		jz	short loc_7325C8
		and	esi, 0FFFFFFCFh

loc_7325C8:				; CODE XREF: wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+73j
		and	esi, 0FFFFFDFFh
		lea	edx, [ebp+var_10]
		push	esi
		mov	ecx, eax
		call	_wil_atomic_uint32_compare_exchange_relaxed@12 ; wil_atomic_uint32_compare_exchange_relaxed(x,x,x)
		test	eax, eax
		jnz	short loc_7325F4
		mov	ebx, [ebp+var_10]
		mov	eax, [ebp+var_4]
		jmp	short loc_7325B7
; 

loc_7325E5:				; CODE XREF: wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+36j
					; wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+3Cj
		test	edi, edi
		jz	short loc_7325A8
		cmp	byte ptr [eax+13h], 0
		jz	short loc_7325A8
		xor	edi, edi
		inc	edi
		jmp	short loc_7325AA
; 

loc_7325F4:				; CODE XREF: wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState(x,x,x,x)+8Bj
		pop	edi
		mov	eax, esi
		xor	edx, edx
		pop	esi
		pop	ebx
		leave
		retn	8
_wil_details_EvaluateFeatureDependencies_ReevaluateCachedFeatureEnabledState@16	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_EvaluateFeatureDependencies_UpdateFeatureDesiredStates()
_wil_details_EvaluateFeatureDependencies_UpdateFeatureDesiredStates@0 proc near
					; CODE XREF: wil_details_EvaluateFeatureDependencies()+Ap
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	ecx, offset _wil_details_featureDescriptors_a
		jmp	short loc_732659
; 

loc_732615:				; CODE XREF: wil_details_EvaluateFeatureDependencies_UpdateFeatureDesiredStates()+62j
		mov	ecx, [edx]
		mov	ecx, [ecx]
		test	ecx, 200h
		jz	short loc_732656
		mov	esi, ecx
		and	esi, 180h
		jnz	short loc_732635
		xor	eax, eax
		cmp	[edx+13h], al
		setnz	al
		jmp	short loc_732640
; 

loc_732635:				; CODE XREF: wil_details_EvaluateFeatureDependencies_UpdateFeatureDesiredStates()+29j
		xor	eax, eax
		cmp	esi, 100h
		setz	al

loc_732640:				; CODE XREF: wil_details_EvaluateFeatureDependencies_UpdateFeatureDesiredStates()+33j
		shl	eax, 6
		and	ecx, 40h
		xor	ecx, eax
		mov	eax, edi
		and	eax, 0FFFFFFBFh
		mov	edi, ecx
		or	edi, eax
		mov	eax, [edx]
		lock xor [eax],	edi

loc_732656:				; CODE XREF: wil_details_EvaluateFeatureDependencies_UpdateFeatureDesiredStates()+1Fj
		lea	ecx, [edx+18h]

loc_732659:				; CODE XREF: wil_details_EvaluateFeatureDependencies_UpdateFeatureDesiredStates()+13j
		call	_wil_details_FeatureDescriptors_SkipPadding@4 ;	wil_details_FeatureDescriptors_SkipPadding(x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_732615
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_wil_details_EvaluateFeatureDependencies_UpdateFeatureDesiredStates@0 endp


;  S U B	R O U T	I N E 


; __stdcall wil_details_ReevaluateOnFeatureConfigurationChange(x)
_wil_details_ReevaluateOnFeatureConfigurationChange@4 proc near
					; DATA XREF: wil_details_RegisterFeatureStagingChangeNotification(x,x)+Co
		call	_wil_details_UpdateFeatureConfiguredStates@0 ; wil_details_UpdateFeatureConfiguredStates()
		call	_wil_details_EvaluateFeatureDependencies@0 ; wil_details_EvaluateFeatureDependencies()
		retn	4
_wil_details_ReevaluateOnFeatureConfigurationChange@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall wil_details_RegisterFeatureStagingChangeNotification(x, x)
_wil_details_RegisterFeatureStagingChangeNotification@8	proc near
					; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x):loc_732486p
		mov	edi, edi
		push	ecx
		push	offset _wil_details_featureChangeNotification
		push	0
		push	0
		push	offset _wil_details_ReevaluateOnFeatureConfigurationChange@4 ; wil_details_ReevaluateOnFeatureConfigurationChange(x)
		call	_RtlRegisterFeatureConfigurationChangeNotification@16 ;	RtlRegisterFeatureConfigurationChangeNotification(x,x,x,x)
		test	eax, eax
		jz	short loc_732699
		and	_wil_details_featureChangeNotification,	0

loc_732699:				; CODE XREF: wil_details_RegisterFeatureStagingChangeNotification(x,x)+18j
		pop	ecx
		retn
_wil_details_RegisterFeatureStagingChangeNotification@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_UpdateFeatureConfiguredStates()
_wil_details_UpdateFeatureConfiguredStates@0 proc near
					; CODE XREF: wil_details_ReevaluateOnFeatureConfigurationChange(x)p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		mov	ecx, offset _wil_details_featureDescriptors_a
		push	esi
		push	edi
		jmp	short loc_73270F
; 

loc_7326B0:				; CODE XREF: wil_details_UpdateFeatureConfiguredStates()+7Cj
		cmp	byte ptr [esi+11h], 0
		jnz	short loc_73270C
		cmp	byte ptr [esi+12h], 0
		jnz	short loc_73270C
		cmp	byte ptr [esi+10h], 0
		jnz	short loc_73270C
		xor	eax, eax
		lea	edi, [esp+28h+var_C]
		stosd
		stosd
		stosd
		lea	eax, [esp+28h+var_C]
		push	eax
		lea	eax, [esp+2Ch+var_18]
		push	eax
		push	1
		push	dword ptr [esi+0Ch]
		call	_RtlQueryFeatureConfiguration@16 ; RtlQueryFeatureConfiguration(x,x,x,x)
		and	[esp+28h+var_20], 0
		lea	ecx, [esp+28h+var_20]
		and	[esp+28h+var_1C], 0
		lea	edx, [esp+28h+var_C]
		push	ecx
		mov	ecx, eax
		call	_wil_details_BuildFeatureStateCacheFromQueryResults@12 ; wil_details_BuildFeatureStateCacheFromQueryResults(x,x,x)
		mov	eax, [esi]
		mov	ecx, [eax]
		xor	ecx, [esp+28h+var_20]
		mov	eax, [esi]
		and	ecx, 0F80h
		lock xor [eax],	ecx

loc_73270C:				; CODE XREF: wil_details_UpdateFeatureConfiguredStates()+18j
					; wil_details_UpdateFeatureConfiguredStates()+1Ej ...
		lea	ecx, [esi+18h]

loc_73270F:				; CODE XREF: wil_details_UpdateFeatureConfiguredStates()+12j
		call	_wil_details_FeatureDescriptors_SkipPadding@4 ;	wil_details_FeatureDescriptors_SkipPadding(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_7326B0
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_wil_details_UpdateFeatureConfiguredStates@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCreateChild(x, x, x, x, x, x, x,	x, x)
_CmpCreateChild@36 proc	near		; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+275p
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+120Dp ...

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2B		= byte ptr -2Bh
var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_23		= byte ptr -23h
var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		push	94h
		push	offset dword_6A7970
		call	__SEH_prolog4
		mov	esi, edx
		mov	[ebp+var_58], esi
		mov	edi, ecx
		mov	[ebp+var_64], edi
		xor	ebx, ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], ebx
		mov	al, bl
		mov	[ebp+var_23], al
		mov	[ebp+var_2A], al
		mov	[ebp+var_19], bl
		mov	[ebp+var_29], bl
		mov	[ebp+var_22], bl
		mov	[ebp+var_40], ebx
		or	ecx, 0FFFFFFFFh
		mov	eax, ecx
		mov	[ebp+var_34], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_94], ebx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_94], ecx
		xor	eax, eax
		mov	word ptr [ebp+var_90], ax
		mov	[ebp+var_50], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_70], ecx
		mov	word ptr [ebp+var_6C], ax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_9C], eax
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_8C], ecx
		mov	word ptr [ebp+var_88], ax
		mov	[ebp+var_1A], al
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_68], ecx
		mov	eax, ebx
		mov	[ebp+var_38], eax
		mov	[ebp+var_78], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_21], al
		mov	[ebp+var_2B], al
		mov	dx, [edi+2]
		mov	ecx, edi
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		mov	[ebp+var_28], eax
		mov	dx, [esi+2]
		mov	ecx, esi
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		mov	edi, eax
		mov	[ebp+var_54], edi
		mov	esi, [edi+10h]
		mov	[ebp+var_20], esi
		mov	[ebp+var_98], esi
		mov	edx, [ebp+arg_18]
		test	edx, edx
		jz	short loc_732820
		test	byte ptr [esi+64h], 2
		jz	short loc_732820
		mov	eax, 0C0190001h
		mov	edx, 40100h

loc_73280E:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+13Cj
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+151j ...
		mov	esi, eax
		push	eax

loc_732811:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+114j
		mov	ebx, [ebp+arg_8]

loc_732814:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+1E2j
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+28Fj ...
		mov	ecx, ebx
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_73338E
; 

loc_732820:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+DCj
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+E2j
		test	[ebp+arg_10], 0FFFFFFFCh
		jz	short loc_732836
		mov	esi, 0C000000Dh
		push	esi
		mov	edx, 40180h
		jmp	short loc_732811
; 

loc_732836:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+107j
		test	byte ptr [ebp+arg_10], 1
		jnz	short loc_732845
		test	byte ptr [esi+980h], 20h
		jz	short loc_732849

loc_732845:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+11Aj
		mov	[ebp+var_22], 1

loc_732849:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+123j
		mov	ecx, [ebp+var_28]
		test	byte ptr [ecx+4], 80h
		jz	short loc_73285E
		mov	eax, 0C0000022h
		mov	edx, 40200h
		jmp	short loc_73280E
; 

loc_73285E:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+130j
		call	_CmpIsKcbImmutable@4 ; CmpIsKcbImmutable(x)
		test	al, al
		jz	short loc_732873
		mov	eax, 0C0000022h
		mov	edx, 40300h
		jmp	short loc_73280E
; 

loc_732873:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+145j
		cmp	byte ptr [ecx+21h], 1
		jnz	short loc_732885
		mov	eax, 0C0000022h
		mov	edx, 40400h
		jmp	short loc_73280E
; 

loc_732885:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+157j
		mov	eax, [ecx+68h]
		cmp	_CmpVEEnabled, bl
		jz	short loc_7328A2
		test	eax, 1000000h
		jz	short loc_7328A2
		mov	edi, [ebp+arg_C]
		or	edi, 100h
		jmp	short loc_7328A5
; 

loc_7328A2:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+16Ej
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+175j
		mov	edi, [ebp+arg_C]

loc_7328A5:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+180j
		mov	[ebp+var_44], edi
		mov	edi, [ebp+var_54]
		test	eax, 2000000h
		jz	short loc_7328B9
		or	[ebp+var_44], 200h

loc_7328B9:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+190j
		cmp	[ebp+var_22], bl
		jz	short loc_7328D5
		mov	eax, [ebp+arg_0]
		cmp	[eax+2Ch], ebx
		jz	short loc_7328D5
		mov	eax, 0C0000022h
		mov	edx, 40500h
		jmp	loc_73280E
; 

loc_7328D5:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+19Cj
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+1A4j
		mov	ebx, [ebp+arg_8]
		mov	eax, [ebx+14h]
		and	eax, 1
		mov	[ebp+var_84], eax
		call	_CmpGetEffectiveCellType@8 ; CmpGetEffectiveCellType(x,x)
		cmp	eax, 1
		jnz	short loc_732907
		cmp	[ebp+var_84], 0
		jnz	short loc_732907
		mov	esi, 0C0000181h
		push	esi
		mov	edx, 40600h
		jmp	loc_732814
; 

loc_732907:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+1CCj
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+1D5j
		test	byte ptr [ebx+60h], 1
		jnz	short loc_732919
		lea	ecx, [ebx+64h]
		call	CmpAttachToRegistryProcess
		or	dword ptr [ebx+60h], 1

loc_732919:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+1EBj
		mov	eax, [ebp+var_44]
		and	eax, 2
		mov	[ebp+var_80], eax
		jnz	loc_7329B7
		cmp	[ebp+var_22], 0
		jz	short loc_732943
		push	0
		mov	edx, [ebp+arg_18]
		mov	ecx, [ebp+var_64]
		call	_CmpGetSecurityCacheEntryForKcbStack@12	; CmpGetSecurityCacheEntryForKcbStack(x,x,x)
		add	eax, 18h
		mov	[ebp+var_4C], eax
		jmp	short loc_7329B7
; 

loc_732943:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+20Cj
		test	dword ptr [edi+68h], 2000000h
		jz	short loc_73296B
		mov	eax, large fs:124h
		mov	cl, [eax+15Ah]
		lea	eax, [ebx+0Ch]
		push	eax
		xor	edx, edx
		call	CmpIsSystemEntity
		test	al, al
		jnz	short loc_73296B
		xor	esi, esi
		jmp	short loc_732971
; 

loc_73296B:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+22Aj
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+245j
		mov	eax, [ebp+arg_0]
		mov	esi, [eax+2Ch]

loc_732971:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+249j
		push	0
		mov	edx, [ebp+arg_18]
		mov	ecx, [ebp+var_64]
		call	_CmpGetSecurityCacheEntryForKcbStack@12	; CmpGetSecurityCacheEntryForKcbStack(x,x,x)
		mov	ecx, eax
		mov	eax, ds:_CmKeyObjectType
		push	dword ptr [eax+4Ch]
		add	eax, 34h
		push	eax
		mov	eax, [ebp+arg_0]
		add	eax, 1Ch
		push	eax
		push	1
		lea	eax, [ebp+var_4C]
		push	eax
		push	esi
		lea	eax, [ecx+18h]
		push	eax
		call	_SeAssignSecurity@28 ; SeAssignSecurity(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7329B4
		push	esi
		mov	edx, 40800h
		jmp	loc_732814
; 

loc_7329B4:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+287j
		mov	esi, [ebp+var_20]

loc_7329B7:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+202j
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+221j
		mov	eax, [ebp+arg_18]
		test	eax, eax
		jz	short loc_7329FF
		xor	edx, edx
		mov	ecx, [ebp+var_58]
		call	CmpIsKeyStackDeleted
		test	al, al
		jnz	short loc_7329F3
		push	[ebp+var_4C]	; void *
		mov	edx, [ebp+arg_18]
		mov	ecx, edi
		call	_CmpUndoDeleteKeyForTransEx@12 ; CmpUndoDeleteKeyForTransEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_73338E
		mov	esi, 0C0000034h
		push	esi
		mov	edx, 40700h
		jmp	loc_732814
; 

loc_7329F3:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+2AAj
		mov	eax, [ebp+arg_18]
		test	eax, eax
		jz	short loc_7329FF
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_732A05
; 

loc_7329FF:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+29Cj
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+2D8j
		mov	ecx, [ebp+var_84]

loc_732A05:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+2DDj
		mov	[ebp+var_58], ecx
		mov	edx, [edi+14h]
		cmp	edx, 0FFFFFFFFh
		jz	loc_732CDA
		mov	eax, edx
		shr	eax, 1Fh
		cmp	ecx, eax
		jz	short loc_732A28
		push	2
		pop	ecx
		call	_CmpLogUnsupportedOperation@4 ;	CmpLogUnsupportedOperation(x)
		mov	edx, [edi+14h]

loc_732A28:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+2FBj
		mov	eax, edx
		shr	eax, 1Fh
		mov	[ebp+arg_18], eax
		cmp	byte ptr [ebp+arg_14], 0
		jnz	short loc_732A48
		mov	ecx, esi
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	al, 1
		mov	[ebp+var_19], al
		mov	[ebp+var_29], al
		mov	edx, [edi+14h]

loc_732A48:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+314j
		lea	eax, [ebp+var_94]
		push	eax
		push	edx
		push	esi
		call	dword ptr [esi+4]
		mov	esi, eax
		mov	[ebp+var_40], esi
		mov	ecx, [ebp+arg_4]
		call	_CmpNameSize@4	; CmpNameSize(x)
		cmp	ax, [esi+48h]
		jz	short loc_732A7F
		xor	ecx, ecx
		inc	ecx
		call	_CmpLogUnsupportedOperation@4 ;	CmpLogUnsupportedOperation(x)
		mov	esi, 0C0000002h
		push	esi
		mov	edx, 40900h
		jmp	loc_732814
; 

loc_732A7F:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+345j
		push	ecx
		push	0
		mov	edx, [edi+14h]
		mov	ecx, [ebp+var_20]
		call	CmpMarkKeyDirty
		test	al, al
		jnz	short loc_732AA3
		mov	eax, 0C000017Dh
		mov	esi, eax
		push	eax
		mov	edx, 40A00h
		jmp	loc_732814
; 

loc_732AA3:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+36Fj
		mov	eax, [ebp+var_28]
		mov	edx, [eax+14h]
		push	0
		push	0
		mov	ecx, [ebp+var_20]
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_732ACB
		mov	eax, 0C000017Dh
		mov	esi, eax
		push	eax
		mov	edx, 40B00h
		jmp	loc_732814
; 

loc_732ACB:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+397j
		movzx	eax, word ptr [ebx+4]
		test	ax, ax
		jz	short loc_732B33
		lea	ecx, [ebp+var_70]
		push	ecx
		lea	ecx, [ebp+var_50]
		push	ecx
		push	[ebp+arg_18]
		mov	edx, eax
		mov	ecx, [ebp+var_20]
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	[ebp+var_30], eax
		mov	[ebp+arg_10], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_732B06
		mov	ecx, 0C000009Ah
		mov	esi, ecx
		push	ecx
		mov	edx, 40C00h
		jmp	loc_732814
; 

loc_732B06:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+3D2j
		and	[ebp+ms_exc.disabled], 0
		movzx	eax, word ptr [ebx+4]
		push	eax		; size_t
		push	dword ptr [ebx+8] ; void *
		push	[ebp+var_50]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [ebp+var_70]
		push	eax
		mov	eax, [ebp+var_20]
		push	eax
		call	dword ptr [eax+8]
		and	[ebp+var_50], 0

loc_732B33:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+3B2j
		mov	ecx, [ebp+var_20]
		call	_CmLockHiveSecurityExclusive@4 ; CmLockHiveSecurityExclusive(x)
		mov	[ebp+var_1A], 1
		mov	edx, [edi+14h]
		lea	eax, [ebp+var_68]
		push	eax		; int
		push	1		; int
		push	[ebp+var_4C]	; void *
		mov	eax, edx
		shr	eax, 1Fh
		push	eax		; int
		push	esi		; int
		mov	ecx, [ebp+var_20]
		call	_CmpGetSecurityDescriptorNodeEx@28 ; CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_732BDE
		push	esi
		mov	edx, 40E00h
		jmp	loc_732814
; 

loc_732B6B:				; DATA XREF: .text:006A7984o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_A0], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_732B7C:				; DATA XREF: .text:006A7988o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_A0]
		push	esi
		mov	edx, 40D00h
		mov	ebx, [ebp+arg_8]
		mov	ecx, ebx
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_74]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_30], eax
		mov	al, [ebp+var_2A]
		mov	[ebp+var_23], al
		mov	eax, [ebp+var_9C]
		mov	[ebp+var_3C], eax
		mov	al, [ebp+var_29]
		mov	[ebp+var_19], al
		mov	eax, [ebp+var_78]
		mov	[ebp+var_38], eax
		mov	edx, eax
		mov	[ebp+var_48], edx
		mov	dl, al

loc_732BCA:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+9D9j
		mov	ecx, [ebp+var_98]
		mov	[ebp+var_21], dl
		mov	[ebp+var_20], ecx
		mov	edi, [ebp+var_54]
		jmp	loc_733394
; 

loc_732BDE:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+43Ej
		mov	edx, [edi+14h]
		mov	ecx, [ebp+var_20]
		call	_CmpFreeSecurityDescriptor@8 ; CmpFreeSecurityDescriptor(x,x)
		mov	eax, [ebp+var_68]
		mov	esi, [ebp+var_40]
		mov	[esi+2Ch], eax
		mov	ecx, [ebp+var_20]
		call	_CmUnlockHiveSecurity@4	; CmUnlockHiveSecurity(x)
		mov	[ebp+var_1A], 0
		mov	eax, [ebp+var_30]
		mov	[esi+30h], eax
		mov	ax, [ebx+4]
		mov	[esi+4Ah], ax
		or	[ebp+var_30], 0FFFFFFFFh
		lea	ecx, [esi+4Ch]
		mov	edi, [ebp+arg_4]
		mov	edx, edi
		call	CmpCopyName
		or	byte ptr [esi+0Dh], 3
		mov	ecx, [ebp+var_44]
		mov	[esi+2], cx
		mov	ax, [esi+48h]
		cmp	ax, [edi]
		jnb	short loc_732C38
		or	ecx, 20h
		mov	[esi+2], cx

loc_732C38:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+50Fj
		lea	eax, [ebp+var_60]
		push	eax
		call	KeQuerySystemTime
		mov	edi, [ebp+var_60]
		mov	[esi+4], edi
		mov	esi, [ebp+var_5C]
		mov	edx, [ebp+var_40]
		mov	[edx+8], esi
		mov	ecx, [ebp+var_54]
		add	dword ptr [ecx+0A8h], 1
		push	0
		pop	eax
		adc	[ecx+0ACh], eax
		push	eax
		push	eax
		call	_CmpRebuildKcbCacheFromNode@16 ; CmpRebuildKcbCacheFromNode(x,x,x,x)
		mov	ecx, [ebp+var_28]
		mov	eax, [ecx+14h]
		lea	ecx, [ebp+var_8C]
		push	ecx
		push	eax
		mov	eax, [ebp+var_20]
		push	eax
		call	dword ptr [eax+4]
		mov	ecx, eax
		mov	[ebp+var_3C], ecx
		mov	[ecx+4], edi
		mov	[ecx+8], esi
		mov	eax, [ebp+var_28]
		mov	[eax+58h], edi
		mov	[eax+5Ch], esi
		add	dword ptr [eax+0A8h], 1
		adc	dword ptr [eax+0ACh], 0
		mov	eax, [ebp+var_40]
		movzx	eax, word ptr [eax+4Ah]
		cmp	[ecx+38h], eax
		jnb	short loc_732CB0
		mov	[ecx+38h], eax

loc_732CB0:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+58Bj
		cmp	[ebp+var_19], 0
		jz	short loc_732CBE
		mov	ecx, [ebp+var_20]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)

loc_732CBE:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+594j
		push	0
		push	1
		xor	edx, edx
		mov	ecx, [ebp+var_64]
		call	_CmpReportNotifyForKcbStack@16 ; CmpReportNotifyForKcbStack(x,x,x,x)
		xor	esi, esi
		mov	[ebp+var_19], 0
		mov	edi, [ebp+var_54]
		jmp	loc_73338E
; 

loc_732CDA:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+2EEj
		mov	al, byte ptr [ebp+arg_14]
		test	al, al
		jnz	short loc_732CED
		mov	ecx, esi
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	al, byte ptr [ebp+arg_14]
		test	al, al

loc_732CED:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+5BFj
		setz	al
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+arg_C+3],	al
		mov	esi, [ebp+arg_18]
		test	esi, esi
		jz	loc_732E0A
		call	_CmpAllocateUnitOfWork@0 ; CmpAllocateUnitOfWork()
		mov	[ebp+var_38], eax
		mov	[ebp+var_78], eax
		test	eax, eax
		jnz	short loc_732D22
		mov	ecx, 0C000009Ah
		mov	esi, ecx
		push	ecx
		mov	edx, 40F00h
		jmp	loc_732814
; 

loc_732D22:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+5EEj
		mov	edx, [ebp+var_28]
		mov	ecx, eax
		call	_CmpTransEnlistUowInKcb@8 ; CmpTransEnlistUowInKcb(x,x)
		mov	edx, esi
		mov	ecx, [ebp+var_38]
		call	CmpTransEnlistUowInCmTrans
		mov	esi, eax
		test	esi, esi
		jns	short loc_732D54
		mov	edx, 41000h

loc_732D41:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+672j
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+72Cj ...
		push	esi

loc_732D42:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+652j
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+697j ...
		mov	ecx, ebx
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)

loc_732D49:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+AE6j
		mov	al, [ebp+var_19]
		mov	[ebp+var_19], al
		jmp	loc_73338E
; 

loc_732D54:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+61Aj
		call	_CmpAllocateUnitOfWork@0 ; CmpAllocateUnitOfWork()
		mov	esi, eax
		mov	[ebp+var_48], esi
		mov	[ebp+var_7C], esi
		test	esi, esi
		jnz	short loc_732D74
		mov	ecx, 0C000009Ah
		mov	esi, ecx
		push	ecx
		mov	edx, 41100h
		jmp	short loc_732D42
; 

loc_732D74:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+643j
		mov	edx, edi
		mov	ecx, esi
		call	_CmpTransEnlistUowInKcb@8 ; CmpTransEnlistUowInKcb(x,x)
		mov	edx, [ebp+arg_18]
		mov	ecx, esi
		call	CmpTransEnlistUowInCmTrans
		mov	esi, eax
		test	esi, esi
		jns	short loc_732D94
		mov	edx, 41200h
		jmp	short loc_732D41
; 

loc_732D94:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+66Bj
		push	ecx
		mov	ecx, [ebp+var_28]
		lea	ecx, [ecx+84h]
		mov	edx, [ebp+var_38]
		call	CmpLockIXLockIntent
		test	al, al
		jnz	short loc_732DB9
		mov	eax, 0C0190001h
		mov	esi, eax
		push	eax
		mov	edx, 41300h
		jmp	short loc_732D42
; 

loc_732DB9:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+688j
		push	0
		lea	ecx, [edi+84h]
		mov	esi, [ebp+var_48]
		mov	edx, esi
		call	CmpLockIXLockExclusive
		test	al, al
		jnz	short loc_732DE1
		mov	eax, 0C0190001h
		mov	esi, eax
		push	eax
		mov	edx, 41400h
		jmp	loc_732D42
; 

loc_732DE1:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+6ADj
		push	1
		lea	ecx, [edi+8Ch]
		mov	edx, esi
		call	CmpLockIXLockExclusive
		test	al, al
		jnz	loc_732FAD
		mov	eax, 0C0190001h
		mov	esi, eax
		push	eax
		mov	edx, 41500h
		jmp	loc_732D42
; 

loc_732E0A:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+5DBj
		xor	eax, eax
		mov	ecx, [ebp+var_28]
		cmp	[ecx+80h], eax
		jz	short loc_732E78
		test	byte ptr [ebp+arg_10], 2
		jz	short loc_732E2F
		mov	eax, 0C0190001h
		mov	esi, eax
		push	eax
		mov	edx, 41580h
		jmp	loc_732D42
; 

loc_732E2F:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+6FBj
		lea	edx, [ebx+4Ch]
		lea	eax, [ebx+50h]
		push	eax
		add	ecx, 84h
		call	_CmpSnapshotTxOwnerArray@12 ; CmpSnapshotTxOwnerArray(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_732E51
		mov	edx, 41600h
		jmp	loc_732D41
; 

loc_732E51:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+725j
		push	dword ptr [ebx+4Ch]
		push	ecx
		push	6
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_28]
		call	CmpLogTransactionAbortedWithChildName
		or	dword ptr [ebx+40h], 4
		mov	eax, 0C000022Dh
		mov	esi, eax
		push	eax
		mov	edx, 41700h
		jmp	loc_732D42
; 

loc_732E78:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+6F5j
		lea	esi, [ecx+84h]
		cmp	[esi], eax
		jge	short loc_732EDF
		test	byte ptr [ebp+arg_10], 2
		jz	short loc_732E9A
		mov	eax, 0C0190001h
		mov	esi, eax
		push	eax
		mov	edx, 41780h
		jmp	loc_732D42
; 

loc_732E9A:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+766j
		lea	edx, [ebx+4Ch]
		lea	eax, [ebx+50h]
		push	eax
		mov	ecx, esi
		call	_CmpSnapshotTxOwnerArray@12 ; CmpSnapshotTxOwnerArray(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_732EB8
		mov	edx, 41800h
		jmp	loc_732D41
; 

loc_732EB8:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+78Cj
		push	dword ptr [ebx+4Ch]
		push	ecx
		push	6
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_28]
		call	CmpLogTransactionAbortedWithChildName
		or	dword ptr [ebx+40h], 4
		mov	eax, 0C000022Dh
		mov	esi, eax
		push	eax
		mov	edx, 41900h
		jmp	loc_732D42
; 

loc_732EDF:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+760j
		lea	esi, [edi+84h]
		cmp	[esi], eax
		jz	short loc_732F46
		test	byte ptr [ebp+arg_10], 2
		jz	short loc_732F01
		mov	eax, 0C0190001h
		mov	esi, eax
		push	eax
		mov	edx, 41980h
		jmp	loc_732D42
; 

loc_732F01:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+7CDj
		lea	edx, [ebx+4Ch]
		lea	eax, [ebx+50h]
		push	eax
		mov	ecx, esi
		call	_CmpSnapshotTxOwnerArray@12 ; CmpSnapshotTxOwnerArray(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_732F1F
		mov	edx, 41A00h
		jmp	loc_732D41
; 

loc_732F1F:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+7F3j
		push	dword ptr [ebx+4Ch]
		push	ecx
		push	6
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_28]
		call	CmpLogTransactionAbortedWithChildName
		or	dword ptr [ebx+40h], 4
		mov	eax, 0C000022Dh
		mov	esi, eax
		push	eax
		mov	edx, 41B00h
		jmp	loc_732D42
; 

loc_732F46:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+7C7j
		lea	esi, [edi+8Ch]
		cmp	[esi], eax
		jz	short loc_732FAD
		test	byte ptr [ebp+arg_10], 2
		jz	short loc_732F68
		mov	eax, 0C0190001h
		mov	esi, eax
		push	eax
		mov	edx, 41B80h
		jmp	loc_732D42
; 

loc_732F68:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+834j
		lea	edx, [ebx+4Ch]
		lea	eax, [ebx+50h]
		push	eax
		mov	ecx, esi
		call	_CmpSnapshotTxOwnerArray@12 ; CmpSnapshotTxOwnerArray(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_732F86
		mov	edx, 41C00h
		jmp	loc_732D41
; 

loc_732F86:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+85Aj
		push	dword ptr [ebx+4Ch]
		push	ecx
		push	6
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_28]
		call	CmpLogTransactionAbortedWithChildName
		or	dword ptr [ebx+40h], 4
		mov	eax, 0C000022Dh
		mov	esi, eax
		push	eax
		mov	edx, 41D00h
		jmp	loc_732D42
; 

loc_732FAD:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+6D2j
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+82Ej
		mov	ecx, [ebp+arg_4]
		call	_CmpNameSize@4	; CmpNameSize(x)
		movzx	eax, ax
		add	eax, 4Ch
		mov	[ebp+var_68], eax
		lea	ecx, [ebp+var_94]
		push	ecx
		lea	ecx, [ebp+var_40]
		push	ecx
		push	[ebp+var_58]
		mov	edx, eax
		mov	esi, [ebp+var_20]
		mov	ecx, esi
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	[ebp+var_34], eax
		mov	[ebp+var_74], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_732FF5
		mov	ecx, 0C000009Ah
		mov	esi, ecx
		push	ecx
		mov	edx, 41E00h
		jmp	loc_732D42
; 

loc_732FF5:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+8C1j
		movzx	eax, word ptr [ebx+4]
		test	ax, ax
		jz	short loc_73305C
		lea	ecx, [ebp+var_70]
		push	ecx
		lea	ecx, [ebp+var_50]
		push	ecx
		push	[ebp+var_58]
		mov	edx, eax
		mov	ecx, esi
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	[ebp+var_30], eax
		mov	[ebp+arg_10], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_73302F
		mov	ecx, 0C000009Ah
		mov	esi, ecx
		push	ecx
		mov	edx, 41F00h
		jmp	loc_732D42
; 

loc_73302F:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+8FBj
		mov	[ebp+ms_exc.disabled], 1
		movzx	eax, word ptr [ebx+4]
		push	eax		; size_t
		push	dword ptr [ebx+8] ; void *
		push	[ebp+var_50]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [ebp+var_70]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		and	[ebp+var_50], 0

loc_73305C:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+8DCj
		push	[ebp+var_68]	; size_t
		push	0		; int
		mov	esi, [ebp+var_40]
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		cmp	word ptr [ebp+var_80], 0
		mov	eax, 6B6Ch
		jnz	short loc_73307C
		add	eax, 2

loc_73307C:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+957j
		mov	[esi], ax
		mov	al, _CmpAccessBitForPhase
		mov	[esi+0Ch], al
		mov	eax, [ebp+var_28]
		cmp	byte ptr [eax+21h], 3
		jnz	short loc_7330FE
		or	byte ptr [esi+0Dh], 3
		jmp	short loc_733102
; 

loc_733096:				; DATA XREF: .text:006A7990o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_A4], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7330A7:				; DATA XREF: .text:006A7994o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_A4]
		push	esi
		mov	edx, 42000h
		mov	ebx, [ebp+arg_8]
		mov	ecx, ebx
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, byte ptr [ebp+arg_C+3]
		mov	[ebp+var_19], al
		mov	eax, [ebp+var_74]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_30], eax
		mov	al, [ebp+var_2A]
		mov	[ebp+var_23], al
		mov	eax, [ebp+var_9C]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_78]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_7C]
		mov	[ebp+var_48], eax
		mov	dl, [ebp+var_2B]
		mov	al, dl
		jmp	loc_732BCA
; 

loc_7330FE:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+96Ej
		and	byte ptr [esi+0Dh], 0FCh

loc_733102:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+974j
		mov	eax, [ebp+var_44]
		mov	[esi+2], ax
		lea	eax, [ebp+var_60]
		push	eax
		call	KeQuerySystemTime
		mov	eax, [ebp+var_60]
		mov	[esi+4], eax
		mov	eax, [ebp+var_5C]
		mov	[esi+8], eax
		mov	ecx, [ebp+var_28]
		mov	eax, [ecx+14h]
		mov	[esi+10h], eax
		or	edx, 0FFFFFFFFh
		mov	[esi+1Ch], edx
		mov	[esi+20h], edx
		mov	[esi+28h], edx
		mov	[esi+2Ch], edx
		mov	eax, [ebp+var_30]
		mov	[esi+30h], eax
		mov	ax, [ebx+4]
		mov	[esi+4Ah], ax
		mov	[ebp+var_30], edx
		mov	eax, [ecx+68h]
		test	al, al
		jns	short loc_73315C
		shl	eax, 10h
		xor	eax, [esi+34h]
		and	eax, 0F00000h
		xor	[esi+34h], eax

loc_73315C:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+A2Cj
		lea	ecx, [esi+4Ch]
		mov	edx, [ebp+arg_4]
		call	CmpCopyName
		mov	[esi+48h], ax
		mov	ecx, [ebp+arg_4]
		cmp	ax, [ecx]
		jnb	short loc_733178
		or	word ptr [esi+2], 20h

loc_733178:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+A51j
		mov	ecx, [ebp+var_80]
		test	cx, cx
		jz	short loc_73318C
		mov	eax, [ebx+24h]
		mov	[esi+20h], eax
		mov	eax, [ebx+20h]
		mov	[esi+1Ch], eax

loc_73318C:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+A5Ej
		mov	[ebp+var_23], 1
		test	cx, cx
		jnz	short loc_7331D8
		mov	ecx, [ebp+var_20]
		call	_CmLockHiveSecurityExclusive@4 ; CmLockHiveSecurityExclusive(x)
		mov	[ebp+var_1A], 1
		lea	eax, [esi+2Ch]
		push	eax		; int
		push	0		; int
		push	[ebp+var_4C]	; void *
		mov	eax, [ebp+var_34]
		shr	eax, 1Fh
		push	eax		; int
		push	esi		; int
		mov	edx, [ebp+var_34]
		mov	ecx, [ebp+var_20]
		call	_CmpGetSecurityDescriptorNodeEx@28 ; CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7331CD
		mov	edx, 42100h
		jmp	loc_732D41
; 

loc_7331CD:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+AA1j
		mov	ecx, [ebp+var_20]
		call	_CmUnlockHiveSecurity@4	; CmUnlockHiveSecurity(x)
		mov	esi, [ebp+var_40]

loc_7331D8:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+A73j
		mov	eax, [ebp+var_28]
		mov	edx, [eax+14h]
		push	0
		push	0
		mov	ecx, [ebp+var_20]
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_73320B
		mov	eax, 0C000017Dh
		mov	esi, eax
		push	eax
		mov	edx, 42200h

loc_7331FB:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+B16j
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+BAAj
		mov	ecx, ebx
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+var_1A], 0
		jmp	loc_732D49
; 

loc_73320B:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+ACCj
		mov	eax, [ebp+arg_18]
		test	eax, eax
		jnz	short loc_73323B
		mov	eax, [ebp+var_28]
		mov	edx, [eax+14h]
		push	0
		push	[ebp+var_34]
		mov	ecx, [ebp+var_20]
		call	_CmpAddSubKeyEx@16 ; CmpAddSubKeyEx(x,x,x,x)
		test	al, al
		jnz	short loc_733238
		mov	ecx, 0C000009Ah
		mov	esi, ecx
		push	ecx
		mov	edx, 42300h
		jmp	short loc_7331FB
; 

loc_733238:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+B07j
		mov	eax, [ebp+arg_18]

loc_73323B:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+AF0j
		mov	[ebp+var_21], 1
		mov	ecx, [ebp+var_34]
		mov	[edi+14h], ecx
		or	[ebp+var_34], 0FFFFFFFFh
		mov	[edi+80h], eax
		test	byte ptr [ebp+var_44], 40h
		jnz	short loc_733261
		mov	eax, [esi+24h]
		mov	[edi+30h], eax
		mov	eax, [esi+28h]
		mov	[edi+34h], eax

loc_733261:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+B33j
		add	dword ptr [edi+0A8h], 1
		push	0
		pop	eax
		adc	[edi+0ACh], eax
		push	eax
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_CmpRebuildKcbCacheFromNode@16 ; CmpRebuildKcbCacheFromNode(x,x,x,x)
		cmp	word ptr [ebp+var_80], 0
		jnz	short loc_733292
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		mov	edx, [esi+2Ch]
		mov	ecx, edi
		call	CmpAssignSecurityToKcb

loc_733292:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+B61j
		cmp	[ebp+arg_18], 0
		jz	short loc_7332D7
		mov	ecx, [ebp+var_48]
		and	dword ptr [ecx+24h], 0
		mov	eax, [ebp+var_84]
		mov	[ecx+28h], eax
		mov	edx, [ebp+var_38]
		mov	[ecx+2Ch], edx
		xor	eax, eax
		inc	eax
		mov	[edx+24h], eax
		mov	[edx+30h], edi
		mov	edx, eax
		call	_CmAddLogForAction@8 ; CmAddLogForAction(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7332CF
		push	esi
		mov	edx, 42400h
		jmp	loc_7331FB
; 

loc_7332CF:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+BA2j
		and	[ebp+var_48], 0
		and	[ebp+var_38], 0

loc_7332D7:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+B76j
		mov	esi, [ebp+var_28]
		mov	eax, [esi+14h]
		mov	ecx, [esi+10h]
		lea	edx, [ebp+var_8C]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	[ebp+var_3C], eax
		push	dword ptr [esi+14h]
		mov	edx, eax
		mov	ecx, [esi+10h]
		call	_CmpUpdateKeyNodeAccessBits@12 ; CmpUpdateKeyNodeAccessBits(x,x,x)
		lea	eax, [ebp+var_60]
		push	eax
		call	KeQuerySystemTime
		mov	eax, [ebp+var_60]
		mov	ecx, [ebp+var_3C]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_5C]
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_4]
		movzx	edx, word ptr [eax]
		cmp	[ecx+34h], dx
		jnb	short loc_733324
		mov	[ecx+34h], dx

loc_733324:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+BFEj
		movzx	eax, word ptr [ebx+4]
		cmp	[ecx+38h], eax
		jnb	short loc_733330
		mov	[ecx+38h], eax

loc_733330:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+C0Bj
		add	dword ptr [esi+0A8h], 1
		adc	dword ptr [esi+0ACh], 0
		mov	ax, [ecx+34h]
		mov	[esi+60h], ax
		mov	eax, [ecx+4]
		mov	[esi+58h], eax
		mov	eax, [ecx+8]
		mov	[esi+5Ch], eax
		mov	dl, 1
		mov	ecx, esi
		call	CmpCleanUpSubKeyInfo
		cmp	byte ptr [ebp+arg_14], 0
		jnz	short loc_733369
		mov	ecx, [ebp+var_20]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)

loc_733369:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+C3Fj
		push	0
		push	1
		mov	edx, [ebp+arg_18]
		mov	ecx, [ebp+var_64]
		call	_CmpReportNotifyForKcbStack@16 ; CmpReportNotifyForKcbStack(x,x,x,x)
		xor	esi, esi
		mov	[ebp+var_21], 0
		mov	[ebp+var_1A], 0
		cmp	byte ptr [ebp+arg_14], 0
		setz	al
		dec	al
		and	[ebp+var_19], al

loc_73338E:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+FBj
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+2BDj ...
		mov	al, [ebp+var_1A]
		mov	ecx, [ebp+var_20]

loc_733394:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+4B9j
		test	al, al
		jz	short loc_73339D
		call	_CmUnlockHiveSecurity@4	; CmUnlockHiveSecurity(x)

loc_73339D:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+C76j
		cmp	[ebp+var_21], 0
		jz	short loc_7333DE
		mov	eax, [edi+14h]
		mov	[ebp+var_34], eax
		or	dword ptr [edi+14h], 0FFFFFFFFh
		xor	eax, eax
		mov	[edi+30h], eax
		or	dword ptr [edi+34h], 0FFFFFFFFh
		xor	ecx, ecx
		mov	[edi+6Ah], cx
		mov	[edi+3Ch], eax
		mov	[edi+58h], eax
		mov	[edi+5Ch], eax
		mov	[edi+60h], ecx
		mov	[edi+64h], eax
		and	dword ptr [edi+68h], 0FFFFFF00h
		mov	[edi+69h], al
		mov	[edi+80h], eax
		mov	[edi+2Ch], eax

loc_7333DE:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+C81j
		mov	edi, [ebp+var_48]
		test	edi, edi
		jz	short loc_7333F7
		mov	ecx, edi
		call	CmpRundownUnitOfWork
		push	77554D43h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7333F7:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+CC3j
		mov	edi, [ebp+var_38]
		test	edi, edi
		jz	short loc_733410
		mov	ecx, edi
		call	CmpRundownUnitOfWork
		push	77554D43h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_733410:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+CDCj
		mov	eax, [ebp+var_4C]
		mov	[ebp+arg_14], eax
		test	eax, eax
		jz	short loc_733451
		cmp	[ebp+var_22], 0
		jnz	short loc_733451
		test	byte ptr [ebx],	1
		jz	short loc_733436
		test	byte ptr [ebx+14h], 4
		jz	short loc_733436
		lea	eax, [ebp+var_4C]
		push	eax
		call	_SeDeassignSecurity@4 ;	SeDeassignSecurity(x)
		jmp	short loc_733451
; 

loc_733436:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+D03j
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+D09j
		mov	eax, [ebp+arg_0]
		mov	edi, [eax+30h]
		mov	eax, [edi+2Ch]
		test	eax, eax
		jz	short loc_73344B
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_73344B:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+D21j
		mov	eax, [ebp+arg_14]
		mov	[edi+2Ch], eax

loc_733451:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+CF8j
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+CFEj ...
		cmp	[ebp+var_3C], 0
		jz	short loc_733468
		mov	eax, [ebp+var_28]
		mov	eax, [eax+10h]
		lea	ecx, [ebp+var_8C]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_733468:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+D35j
		mov	ebx, [ebp+var_20]
		cmp	[ebp+var_50], 0
		jz	short loc_733479
		lea	eax, [ebp+var_70]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]

loc_733479:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+D4Fj
		mov	eax, [ebp+var_30]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_73348A
		mov	edx, eax
		mov	ecx, ebx
		call	HvFreeCell

loc_73348A:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+D5Fj
		cmp	[ebp+var_40], 0
		jz	short loc_73349B
		lea	eax, [ebp+var_94]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]

loc_73349B:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+D6Ej
		mov	eax, [ebp+var_34]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_7334BB
		mov	edx, eax
		mov	ecx, ebx
		cmp	[ebp+var_23], 0
		jz	short loc_7334B6
		push	0
		call	CmpFreeKeyByCell
		jmp	short loc_7334BB
; 

loc_7334B6:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+D8Bj
		call	HvFreeCell

loc_7334BB:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+D81j
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+D94j
		cmp	[ebp+var_19], 0
		jz	short loc_7334C8
		mov	ecx, ebx
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)

loc_7334C8:				; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+D9Fj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_CmpCreateChild@36 endp


;  S U B	R O U T	I N E 


; __stdcall CmpDiscardKcb(x)
_CmpDiscardKcb@4 proc near		; CODE XREF: CmpRemoveHiveFromNamespace(x,x,x)+55p
					; CmDeleteLayeredKey(x,x,x)+1B2p ...
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	eax, [ebx+6Ch]
		test	eax, eax
		jz	short loc_733521
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jz	short loc_733521
		mov	edx, [eax]
		mov	esi, [ecx+8]
		cmp	[edx+4], eax
		jnz	short loc_733572
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_733572
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	eax, [esi+6Ch]
		mov	ecx, [ebx+6Ch]
		add	eax, 18h
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_733572
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx

loc_733521:				; CODE XREF: CmpDiscardKcb(x)+Cj
					; CmpDiscardKcb(x)+13j
		add	dword ptr [ebx+0A8h], 1
		lea	edi, [ebx+8]
		mov	ecx, [ebx+10h]
		mov	edx, edi
		adc	dword ptr [ebx+0ACh], 0
		or	dword ptr [ebx+4], 20000h
		call	_CmpRemoveKeyHash@8 ; CmpRemoveKeyHash(x,x)
		mov	ecx, ebx
		call	CmpLockDeletedHashEntryExclusiveByKcb
		mov	esi, [ebx+10h]
		mov	ecx, esi
		push	dword ptr [edi]
		call	_CmpGetDeletedHashIndexInHive@8	; CmpGetDeletedHashIndexInHive(x,x)
		imul	ecx, eax, 0Ch
		add	ecx, [esi+43Ch]
		mov	eax, [ecx+8]
		mov	[edi+4], eax
		mov	[ecx+8], edi
		mov	ecx, ebx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_CmpUnlockDeletedHashEntryByKcb@4 ; CmpUnlockDeletedHashEntryByKcb(x)
; 

loc_733572:				; CODE XREF: CmpDiscardKcb(x)+1Dj
					; CmpDiscardKcb(x)+24j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CmpDiscardKcb@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpInvalidateSubtree(x, x, x, x, x)
_CmpInvalidateSubtree@20 proc near	; CODE XREF: CmpPerformUnloadKey+2E4p
					; PAGE:00854FBAp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		mov	eax, [ebp+arg_4]
		and	[esp+10h+var_C], 0
		mov	[esp+10h+var_10], edx
		lea	edx, [esp+10h+var_10]
		mov	[esp+10h+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+10h+var_8], eax
		and	al, 1
		push	edx
		push	offset _CmpInvalidateSubtreeWorker@8 ; CmpInvalidateSubtreeWorker(x,x)
		mov	dl, al
		call	CmpEnumerateAllOpenSubKeys
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_7335B8
		mov	eax, [esp+10h+var_C]
		mov	[ecx], eax

loc_7335B8:				; CODE XREF: CmpInvalidateSubtree(x,x,x,x,x)+38j
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_CmpInvalidateSubtree@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPrepareForSubtreeInvalidation(x,	x, x)
_CmpPrepareForSubtreeInvalidation@12 proc near ; CODE XREF: CmpPerformUnloadKey+2BBp
					; PAGE:00854F90p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		mov	[ebp+var_4], edx
		mov	[ebp+var_10], eax
		xor	dl, dl
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	offset _CmpPrepareForSubtreeInvalidationWorker@8 ; CmpPrepareForSubtreeInvalidationWorker(x,x)
		call	CmpEnumerateAllOpenSubKeys
		mov	eax, [ebp+var_14]
		test	eax, eax
		js	short locret_73360A
		cmp	[ebp+var_10], 0
		jz	short loc_7335FE
		mov	eax, 0C0000121h
		jmp	short locret_73360A
; 

loc_7335FE:				; CODE XREF: CmpPrepareForSubtreeInvalidation(x,x,x)+37j
		mov	eax, [ebp+var_C]
		neg	eax
		sbb	eax, eax
		and	eax, 0C000022Dh

locret_73360A:				; CODE XREF: CmpPrepareForSubtreeInvalidation(x,x,x)+31j
					; CmpPrepareForSubtreeInvalidation(x,x,x)+3Ej
		leave
		retn	4
_CmpPrepareForSubtreeInvalidation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoBuildVirtualStack(x, x, x, x, x)
_CmpDoBuildVirtualStack@20 proc	near	; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+13Bp

var_254		= dword	ptr -254h
var_244		= dword	ptr -244h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_205		= dword	ptr -205h
var_13C		= dword	ptr -13Ch
var_C4		= dword	ptr -0C4h
var_B0		= dword	ptr -0B0h
var_88		= dword	ptr -88h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_48		= dword	ptr -48h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 258h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		lea	eax, [ebp+var_13C]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		push	74h		; size_t
		mov	[ebp+var_210], ecx
		mov	ecx, [ebp+arg_0]
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_218], edx
		mov	[ebp+var_224], ecx
		mov	[ebp+var_21C], ebx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_205+1]
		push	0C4h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	ecx, ecx
		xor	eax, eax
		mov	[ebp+var_228], ecx
		mov	[ebp+var_230], ecx
		or	edi, 0FFFFFFFFh
		mov	word ptr [ebp+var_228],	ax
		push	0B4h		; size_t
		mov	word ptr [ebp+var_230],	ax
		lea	eax, [ebp+var_C4]
		push	ecx		; int
		push	eax		; void *
		mov	byte ptr [ebp+var_205],	cl
		mov	[ebp+var_214], ecx
		mov	[ebp+var_22C], edi
		mov	[ebp+var_234], edi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_88], edi
		lea	eax, [ebp+var_6C]
		xor	ecx, ecx
		mov	[ebp+var_68], eax
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_48]
		push	38h		; size_t
		push	ecx		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_254]
		stosd
		or	ecx, 0FFFFFFFFh
		add	esp, 0Ch
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	word ptr [ebp+var_254+2], cx
		lea	edi, [ebp+var_244]
		stosd
		stosd
		stosd
		stosd
		mov	word ptr [ebp+var_244+2], cx
		lea	ecx, [ebp+var_60]
		call	CmpAttachToRegistryProcess
		mov	eax, ds:_CmKeyObjectType
		lea	edx, [ebp+var_13C]
		or	[ebp+var_64], 1
		add	eax, 34h
		push	eax		; int
		push	4		; int
		lea	eax, [ebp+var_205+1]
		mov	ecx, esi
		push	eax		; void *
		call	_SeCreateAccessStateFromSubjectContext@20 ; SeCreateAccessStateFromSubjectContext(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_733A4C
		and	[ebp+var_20C], 0
		mov	eax, [ebp+var_218]
		test	eax, eax
		jz	loc_73390D
		mov	ebx, [ebp+var_210]
		add	ebx, 18h

loc_73375A:				; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+2F3j
		mov	eax, [ebx-10h]
		lea	edi, [ebp+var_244]
		mov	[ebp+var_220], eax
		or	ecx, 0FFFFFFFFh
		xor	eax, eax
		and	[ebp+var_B0], 0
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	word ptr [ebp+var_244+2], cx
		lea	edi, [ebp+var_254]
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_220]
		mov	word ptr [ebp+var_254+2], cx
		lea	ecx, [ebp+var_244]
		mov	dx, [edi+22h]
		call	CmpStartKcbStack
		mov	esi, eax
		test	esi, esi
		js	loc_73397D
		mov	edx, edi
		lea	ecx, [ebp+var_254]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_73397D
		lea	esi, [ebx-18h]
		mov	ecx, esi
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)
		imul	ecx, [edi+8], 25h
		lea	edx, [ebp+var_C4]
		push	edx
		push	1
		push	0
		lea	edx, [ebp+var_254]
		add	ecx, eax
		push	ecx
		push	eax
		push	esi
		lea	eax, [ebp+var_205]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_244]
		push	eax
		lea	eax, [ebp+var_214]
		push	eax
		call	CmpWalkOneLevel
		mov	edi, [ebp+var_214]
		mov	esi, eax
		test	esi, esi
		js	loc_733972
		or	ecx, 0FFFFFFFFh
		cmp	[edi+14h], ecx
		jnz	loc_7338A8
		xor	ecx, ecx
		inc	ecx
		cmp	[ebx], ecx
		jz	short loc_733838
		mov	eax, [ebp+var_220]
		cmp	dword ptr [eax+14h], 0
		jge	short loc_73383E

loc_733838:				; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+21Cj
		mov	[ebp+var_B0], ecx

loc_73383E:				; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+228j
		mov	[ebp+var_C4], ecx
		lea	ecx, [ebp+var_254]
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		lea	ecx, [ebp+var_244]
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		push	0
		push	0
		push	3
		push	200h
		lea	eax, [ebp+var_C4]
		push	eax
		lea	eax, [ebx-18h]
		push	eax
		lea	eax, [ebp+var_13C]
		push	eax
		lea	edx, [ebp+var_244]
		lea	ecx, [ebp+var_254]
		call	_CmpCreateChild@36 ; CmpCreateChild(x,x,x,x,x,x,x,x,x)
		lea	ecx, [ebp+var_244]
		mov	esi, eax
		call	CmpUnlockKcbStack
		lea	ecx, [ebp+var_254]
		call	CmpUnlockKcbStack
		test	esi, esi
		js	loc_733972

loc_7338A8:				; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+211j
		mov	ecx, edi
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)
		mov	esi, [ebp+var_20C]
		mov	[ebx-0Ch], edi
		mov	eax, [edi+14h]
		mov	[ebx-4], eax
		mov	eax, [ebp+var_218]
		dec	eax
		cmp	esi, eax
		jnb	short loc_7338D2
		mov	[ebx+0Ch], edi
		mov	eax, [edi+14h]
		mov	[ebx+14h], eax

loc_7338D2:				; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+2B9j
		and	[ebp+var_214], 0
		lea	ecx, [ebp+var_244]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		lea	ecx, [ebp+var_254]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		mov	eax, [ebp+var_218]
		inc	esi
		add	ebx, 1Ch
		mov	[ebp+var_20C], esi
		cmp	esi, eax
		jb	loc_73375A
		mov	ebx, [ebp+var_21C]

loc_73390D:				; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+13Dj
		mov	ecx, [ebp+var_210]
		mov	edx, [ebx+14h]
		imul	eax, 1Ch
		push	0
		push	0
		mov	edi, [eax+ecx-8]
		mov	eax, [eax+ecx-10h]
		mov	ecx, [ebx+10h]
		mov	[ebp+var_21C], edi
		mov	[ebp+var_20C], eax
		call	HvpMarkCellDirty
		mov	esi, [ebp+var_224]
		mov	edx, edi
		push	0
		push	0
		mov	ecx, esi
		call	HvpMarkCellDirty
		mov	eax, [ebx+14h]
		lea	edx, [ebp+var_22C]
		mov	ecx, [ebx+10h]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	[ebp+var_210], eax
		test	eax, eax
		jnz	short loc_733998
		mov	esi, 0C000009Ah
		jmp	loc_733A40
; 

loc_733972:				; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+205j
					; CmpDoBuildVirtualStack(x,x,x,x,x)+294j
		test	edi, edi
		jz	short loc_73397D
		mov	ecx, edi
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)

loc_73397D:				; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+19Ej
					; CmpDoBuildVirtualStack(x,x,x,x,x)+1B5j ...
		lea	ecx, [ebp+var_244]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		lea	ecx, [ebp+var_254]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		jmp	loc_733A40
; 

loc_733998:				; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+358j
		lea	eax, [ebp+var_234]
		push	eax
		push	edi
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jnz	short loc_7339B1
		mov	esi, 0C000009Ah
		jmp	short loc_733A1A
; 

loc_7339B1:				; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+39Aj
		mov	edx, [ebx+10h]
		mov	ecx, esi
		call	_CmpLockTwoSecurityCachesExclusiveShared@8 ; CmpLockTwoSecurityCachesExclusiveShared(x,x)
		push	[ebp+var_21C]
		mov	edx, [ebp+var_210]
		mov	ecx, [ebx+10h]
		push	edi
		push	esi
		call	_CmpCopySaclToVirtualKey@20 ; CmpCopySaclToVirtualKey(x,x,x,x,x)
		mov	edx, [ebx+10h]
		mov	esi, eax
		mov	ecx, [ebp+var_224]
		call	_CmpUnlockTwoSecurityCaches@8 ;	CmpUnlockTwoSecurityCaches(x,x)
		test	esi, esi
		js	short loc_733A1A
		mov	esi, [ebp+var_20C]
		xor	eax, eax
		mov	edx, [edi+2Ch]
		mov	ecx, esi
		push	eax
		push	eax
		push	eax
		call	CmpAssignSecurityToKcb
		mov	eax, 100h
		or	[esi+6Ah], ax
		or	[edi+2], ax
		lea	ecx, [eax-80h]
		mov	eax, [ebp+var_210]
		or	[ebx+6Ah], cx
		or	[eax+2], cx
		xor	esi, esi

loc_733A1A:				; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+3A1j
					; CmpDoBuildVirtualStack(x,x,x,x,x)+3D5j
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_22C]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		test	edi, edi
		jz	short loc_733A40
		mov	eax, [ebp+var_20C]
		lea	ecx, [ebp+var_234]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]

loc_733A40:				; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+35Fj
					; CmpDoBuildVirtualStack(x,x,x,x,x)+385j ...
		lea	eax, [ebp+var_13C]
		push	eax
		call	SeDeleteAccessState

loc_733A4C:				; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+128j
		test	byte ptr [ebp+var_64], 1
		jz	short loc_733A5F
		lea	eax, [ebp+var_60]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		and	[ebp+var_64], 0FFFFFFFEh

loc_733A5F:				; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+442j
		mov	dl, 1
		lea	ecx, [ebp+var_C4]
		call	CmpCleanupParseContext
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_CmpDoBuildVirtualStack@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindPathByNameEx(x, x, x, x, x, x)
_CmpFindPathByNameEx@24	proc near	; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+79p
					; CmpVirtualBranchIsReplicated(x,x,x)+BBp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		or	[ebp+var_24], 0FFFFFFFFh
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	ecx, [ebp+arg_8]
		xor	esi, esi
		mov	edx, [ebp+arg_C]
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		or	dword ptr [ecx], 0FFFFFFFFh
		mov	[ebp+var_18], esi
		mov	[edx], esi
		test	eax, eax
		jz	short loc_733ABD
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, [ebp+arg_C]

loc_733ABD:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+2Ej
		mov	eax, [ebx]
		mov	si, ax
		mov	ebx, [ebx+4]
		mov	[ebp+var_14], eax
		test	si, si
		jnz	short loc_733AE8
		test	edi, edi
		jz	loc_733C9F
		mov	eax, [edi+10h]
		mov	[edx], eax
		mov	eax, [edi+14h]
		mov	[ecx], eax

loc_733ADF:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+127j
					; CmpFindPathByNameEx(x,x,x,x,x,x)+21Aj
		mov	al, 1

loc_733AE1:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+221j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_733AE8:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+4Bj
		test	edi, edi
		jz	short loc_733B05
		mov	ecx, [edi+10h]
		mov	eax, [ebp+arg_8]
		mov	[edx], ecx
		mov	edx, [edi+14h]
		mov	di, word ptr [ebp+var_14+2]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], edx
		mov	[eax], edx
		jmp	short loc_733B61
; 

loc_733B05:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+6Aj
		mov	ecx, ds:_CmpMasterHive
		mov	di, word ptr [ebp+var_14+2]
		push	5Ch
		mov	[ebp+var_4], ecx
		mov	eax, [ecx+20h]
		pop	ecx
		mov	edx, [eax+24h]
		mov	eax, 0FFFEh
		mov	[ebp+var_8], edx

loc_733B23:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+B1j
		cmp	[ebx], cx
		jnz	short loc_733B33
		add	ebx, 2
		add	di, ax
		add	si, ax
		jnz	short loc_733B23

loc_733B33:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+A6j
		mov	ecx, [ebp+var_4]
		mov	word ptr [ebp+var_14], si
		mov	word ptr [ebp+var_14+2], di
		test	si, si
		jz	short loc_733B8E
		push	5Ch
		pop	ecx

loc_733B46:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+D4j
		cmp	[ebx], cx
		jz	short loc_733B56
		add	ebx, 2
		add	di, ax
		add	si, ax
		jnz	short loc_733B46

loc_733B56:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+C9j
		mov	ecx, [ebp+var_4]
		mov	word ptr [ebp+var_14], si
		mov	word ptr [ebp+var_14+2], di

loc_733B61:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+83j
		test	si, si
		jz	short loc_733B8E

loc_733B66:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+214j
		push	5Ch
		pop	edx
		push	2
		mov	eax, 0FFFEh
		pop	ecx

loc_733B71:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+FEj
		cmp	[ebx], dx
		jnz	short loc_733B80
		add	ebx, ecx
		add	di, ax
		add	si, ax
		jnz	short loc_733B71

loc_733B80:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+F4j
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]
		mov	word ptr [ebp+var_14], si
		mov	word ptr [ebp+var_14+2], di

loc_733B8E:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+C1j
					; CmpFindPathByNameEx(x,x,x,x,x,x)+E4j
		cmp	[ebp+arg_0], 0
		jz	short loc_733BA4
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_14]
		mov	[ecx], eax
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		mov	[eax+4], ebx

loc_733BA4:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+112j
		test	si, si
		jz	loc_733ADF
		lea	eax, [ebp+var_24]
		push	eax
		push	edx
		push	ecx
		call	dword ptr [ecx+4]
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	loc_733C9F
		xor	ecx, ecx
		mov	[ebp+var_18], ebx
		xor	eax, eax
		mov	[ebp+var_C], ecx
		mov	word ptr [ebp+var_1C], cx
		cmp	ax, si
		jnb	short loc_733BF9
		push	5Ch
		pop	edx

loc_733BD9:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+171j
		movzx	eax, cx
		shr	eax, 1
		cmp	[ebx+eax*2], dx
		jz	short loc_733BF3
		push	2
		pop	eax
		add	cx, ax
		mov	word ptr [ebp+var_1C], cx
		cmp	cx, si
		jb	short loc_733BD9

loc_733BF3:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+162j
		mov	edx, [ebp+var_8]
		mov	[ebp+var_C], ecx

loc_733BF9:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+154j
		test	byte ptr [edx+2], 2
		jz	short loc_733C41
		mov	eax, [ebp+var_4]
		mov	ecx, [edx+20h]
		mov	[ebp+var_4], ecx
		mov	ecx, [edx+1Ch]
		mov	[ebp+var_8], ecx
		lea	ecx, [ebp+var_24]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		mov	eax, [ebp+var_4]
		cmp	eax, ds:_CmpMasterHive
		jz	short loc_733C30
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_733C30
		test	[eax+980h], ecx
		jz	short loc_733C9F

loc_733C30:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+19Fj
					; CmpFindPathByNameEx(x,x,x,x,x,x)+1A6j
		lea	ecx, [ebp+var_24]
		push	ecx
		push	[ebp+var_8]
		push	eax
		call	dword ptr [eax+4]
		mov	edx, eax
		test	edx, edx
		jz	short loc_733C9F

loc_733C41:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+17Dj
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	CmpFindSubKeyByNameWithStatus
		lea	eax, [ebp+var_24]
		push	eax
		mov	eax, [ebp+var_4]
		push	eax
		call	dword ptr [eax+8]
		mov	edx, [ebp+var_8]
		mov	[ebp+var_8], edx
		cmp	edx, 0FFFFFFFFh
		jz	short loc_733C9F
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_4]
		mov	[eax], edx
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	eax, [ebp+var_C]
		sub	di, ax
		sub	si, ax
		mov	word ptr [ebp+var_14+2], di
		movzx	eax, ax
		shr	eax, 1
		mov	word ptr [ebp+var_14], si
		lea	ebx, [ebx+eax*2]
		test	si, si
		jnz	loc_733B66
		jmp	loc_733ADF
; 

loc_733C9F:				; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+4Fj
					; CmpFindPathByNameEx(x,x,x,x,x,x)+13Dj ...
		xor	al, al
		jmp	loc_733AE1
_CmpFindPathByNameEx@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetVirtualStoreRoot(x, x, x, x)
_CmpGetVirtualStoreRoot@16 proc	near	; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+112p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_4], edx
		push	esi
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], esi
		push	eax
		mov	edi, ecx
		mov	[ebp+var_8], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, edi
		lea	ecx, [ebp+var_C]
		call	CmpGetVirtualizationID
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_733D0E
		mov	edi, [ebp+var_4]
		lea	ecx, [ebp+var_C]
		mov	edx, edi
		call	CmpGetMappingHiveForString
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_733D0E
		mov	ecx, [edi]
		push	esi
		mov	eax, [ecx+20h]
		mov	edi, [eax+24h]
		mov	edx, edi
		call	_CmpFindKcbInHashEntryByCellIndex@12 ; CmpFindKcbInHashEntryByCellIndex(x,x,x)
		mov	esi, eax
		mov	ecx, esi
		call	CmpReferenceKeyControlBlock
		mov	ecx, [ebp+arg_0]
		mov	[ecx], edi
		mov	ecx, [ebp+arg_4]
		mov	[ecx], esi

loc_733D0E:				; CODE XREF: CmpGetVirtualStoreRoot(x,x,x,x)+30j
					; CmpGetVirtualStoreRoot(x,x,x,x)+43j
		cmp	[ebp+var_8], 0
		jz	short loc_733D1D
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_733D1D:				; CODE XREF: CmpGetVirtualStoreRoot(x,x,x,x)+6Cj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_CmpGetVirtualStoreRoot@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCheckKeyOwnerForPca(x, x)
_CmpCheckKeyOwnerForPca@8 proc near	; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+471p
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+17C3p ...

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		cmp	ds:_CmpTrustedInstallerSid, 0
		jz	short loc_733D6C
		push	0
		call	_CmpGetSecurityCacheEntryForKcbStack@12	; CmpGetSecurityCacheEntryForKcbStack(x,x,x)
		lea	ecx, [ebp-1]
		add	eax, 18h
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		call	_RtlGetOwnerSecurityDescriptor@12 ; RtlGetOwnerSecurityDescriptor(x,x,x)
		test	eax, eax
		js	short loc_733D6C
		cmp	[ebp+var_8], 0
		jz	short loc_733D6C
		push	[ebp+var_8]
		push	ds:_CmpTrustedInstallerSid
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		leave
		retn
; 

loc_733D6C:				; CODE XREF: CmpCheckKeyOwnerForPca(x,x)+12j
					; CmpCheckKeyOwnerForPca(x,x)+2Ej ...
		xor	al, al
		leave
		retn
_CmpCheckKeyOwnerForPca@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetSecurityCacheEntryForKcbStack(x, x, x)
_CmpGetSecurityCacheEntryForKcbStack@12	proc near
					; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+216p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+259p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_8], eax
		push	edi
		movzx	edx, word ptr [eax+2]
		xor	edi, edi
		test	dx, dx
		js	short loc_733DDB
		push	esi

loc_733D8C:				; CODE XREF: CmpGetSecurityCacheEntryForKcbStack(x,x,x)+68j
		movzx	ecx, dx
		mov	[ebp+var_4], ecx
		mov	ecx, eax
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		mov	esi, eax
		xor	edx, edx
		mov	ecx, esi
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		cmp	eax, 1
		jz	short loc_733DDA
		cmp	dword ptr [esi+14h], 0FFFFFFFFh
		jz	short loc_733DC9
		mov	edx, ebx
		call	CmRmIsKCBVisible
		test	al, al
		jz	short loc_733DC9
		xor	edx, edx
		mov	ecx, esi
		mov	edi, esi
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		test	eax, eax
		jnz	short loc_733DDA

loc_733DC9:				; CODE XREF: CmpGetSecurityCacheEntryForKcbStack(x,x,x)+3Dj
					; CmpGetSecurityCacheEntryForKcbStack(x,x,x)+48j
		mov	eax, [ebp+var_4]
		dec	eax
		movzx	eax, ax
		mov	edx, eax
		test	ax, ax
		mov	eax, [ebp+var_8]
		jns	short loc_733D8C

loc_733DDA:				; CODE XREF: CmpGetSecurityCacheEntryForKcbStack(x,x,x)+37j
					; CmpGetSecurityCacheEntryForKcbStack(x,x,x)+57j
		pop	esi

loc_733DDB:				; CODE XREF: CmpGetSecurityCacheEntryForKcbStack(x,x,x)+19j
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_733DE9
		mov	ax, [edi+22h]
		mov	[edx], ax

loc_733DE9:				; CODE XREF: CmpGetSecurityCacheEntryForKcbStack(x,x,x)+70j
		mov	edx, ebx
		mov	ecx, edi
		call	CmGetKCBCacheSecurity
		pop	edi
		pop	ebx
		leave
		retn	4
_CmpGetSecurityCacheEntryForKcbStack@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmpGetSecurityDescriptorNodeEx(int,int,void *,int,int)
_CmpGetSecurityDescriptorNodeEx@28 proc	near
					; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+435p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+A98p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		or	[ebp+var_14], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, edx
		push	edi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_10], edi
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_733EE5
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	ebx
		call	_CmpUpdateKeyNodeAccessBits@12 ; CmpUpdateKeyNodeAccessBits(x,x,x)
		mov	edx, [ebp+arg_8]
		lea	eax, [ebp+var_C]
		push	edi
		push	eax
		push	[ebp+arg_4]
		mov	ecx, esi
		call	_CmpFindMatchingDescriptorCell@20 ; CmpFindMatchingDescriptorCell(x,x,x,x,x)
		test	al, al
		jnz	loc_733EF1
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_733E72
		test	byte ptr [esi+980h], 20h
		jz	short loc_733E72
		cmp	dword ptr [esi+4C0h], 1
		jbe	short loc_733E72
		mov	eax, 0C0000022h
		jmp	short loc_733EEA
; 

loc_733E72:				; CODE XREF: CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+5Fj
					; CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+68j ...
		mov	ecx, [ebp+arg_8]
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_4]
		call	_RtlLengthSecurityDescriptorStrict@4 ; RtlLengthSecurityDescriptorStrict(x)
		mov	ecx, esi
		lea	edx, [eax+14h]
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jz	short loc_733F10
		mov	ecx, [ebp+arg_8]
		call	_RtlLengthSecurityDescriptorStrict@4 ; RtlLengthSecurityDescriptorStrict(x)
		mov	ecx, [ebp+var_8]
		mov	edx, 6B73h
		push	eax		; size_t
		push	[ebp+arg_8]	; void *
		mov	[ecx], dx
		mov	dword ptr [ecx+0Ch], 1
		mov	[ecx+10h], eax
		lea	eax, [ecx+14h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		push	[ebp+arg_C]
		mov	edx, ebx
		mov	ecx, esi
		push	edi
		call	CmpInsertSecurityCellList
		test	al, al
		jnz	short loc_733F37
		mov	edx, edi
		mov	ecx, esi
		call	HvFreeCell

loc_733EE5:				; CODE XREF: CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+27j
					; CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+109j
		mov	eax, 0C000017Dh

loc_733EEA:				; CODE XREF: CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+78j
					; CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+11Dj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_733EF1:				; CODE XREF: CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+4Cj
		push	edi
		push	edi
		mov	edi, [ebp+var_C]
		mov	ecx, esi
		mov	edx, edi
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_733EE5
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jnz	short loc_733F17

loc_733F10:				; CODE XREF: CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+9Cj
		mov	eax, 0C000009Ah
		jmp	short loc_733EEA
; 

loc_733F17:				; CODE XREF: CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+116j
		push	0
		push	edi
		mov	edx, esi
		mov	ecx, eax
		call	_CmpKeySecurityIncrementReferenceCount@16 ; CmpKeySecurityIncrementReferenceCount(x,x,x,x)
		mov	ecx, [esi+8]
		mov	ebx, eax
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	ecx
		test	ebx, ebx
		jns	short loc_733F37
		mov	eax, ebx
		jmp	short loc_733EEA
; 

loc_733F37:				; CODE XREF: CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+E2j
					; CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+139j
		mov	eax, [ebp+arg_10]
		mov	[eax], edi
		xor	eax, eax
		jmp	short loc_733EEA
_CmpGetSecurityDescriptorNodeEx@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpReferenceSecurityNode(x,	x)
_CmpReferenceSecurityNode@8 proc near	; CODE XREF: CmRenameKey(x,x,x,x)+A38p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		xor	eax, eax
		and	[ebp+var_8], 0
		or	[ebp+var_8], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	word ptr [ebp+var_4], ax
		mov	esi, edx
		lea	eax, [ebp+var_8]
		mov	edi, ecx
		push	eax
		push	esi
		push	edi
		call	dword ptr [edi+4]
		mov	ebx, eax
		mov	edx, edi
		push	0
		push	esi
		mov	ecx, ebx
		call	_CmpKeySecurityIncrementReferenceCount@16 ; CmpKeySecurityIncrementReferenceCount(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_733F8A
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		xor	ebx, ebx
		xor	esi, esi

loc_733F8A:				; CODE XREF: CmpReferenceSecurityNode(x,x)+3Cj
		test	ebx, ebx
		jz	short loc_733F96
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_733F96:				; CODE XREF: CmpReferenceSecurityNode(x,x)+4Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmpReferenceSecurityNode@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapMakeViewRangeWriteable(x,	x, x, x, x, x)
_HvpViewMapMakeViewRangeWriteable@24 proc near
					; CODE XREF: HvpViewMapMigrateCOWData(x,x,x):loc_943E57p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		mov	eax, edx
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	[ebp+var_10], eax
		mov	edx, [eax+30h]
		sub	edx, [eax+10h]
		mov	eax, ebx
		push	esi
		mov	esi, [ebp+arg_0]
		add	edx, esi
		sub	eax, esi
		mov	[ebp+var_C], ecx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ecx, edi
		mov	[ebp+var_8], eax
		mov	eax, esi
		cmp	edi, [ebp+arg_C]
		jg	short loc_733FEF
		jl	short loc_733FDC
		cmp	esi, ebx
		jnb	short loc_733FEF

loc_733FDC:				; CODE XREF: HvpViewMapMakeViewRangeWriteable(x,x,x,x,x,x)+38j
					; HvpViewMapMakeViewRangeWriteable(x,x,x,x,x,x)+49j ...
		add	eax, 1000h
		adc	ecx, 0
		cmp	ecx, [ebp+arg_C]
		jl	short loc_733FDC
		jg	short loc_733FEF
		cmp	eax, ebx
		jb	short loc_733FDC

loc_733FEF:				; CODE XREF: HvpViewMapMakeViewRangeWriteable(x,x,x,x,x,x)+36j
					; HvpViewMapMakeViewRangeWriteable(x,x,x,x,x,x)+3Cj ...
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		push	[ebp+var_8]
		push	edx
		mov	edx, [ebp+var_C]
		mov	edx, [edx+18h]
		call	_CmSiProtectViewOfSection@24 ; CmSiProtectViewOfSection(x,x,x,x,x,x)
		cmp	edi, [ebp+arg_C]
		jg	short loc_734030
		jl	short loc_73400F
		cmp	esi, ebx
		jnb	short loc_734030

loc_73400F:				; CODE XREF: HvpViewMapMakeViewRangeWriteable(x,x,x,x,x,x)+6Bj
		mov	ecx, [ebp+var_10]

loc_734012:				; CODE XREF: HvpViewMapMakeViewRangeWriteable(x,x,x,x,x,x)+8Aj
					; HvpViewMapMakeViewRangeWriteable(x,x,x,x,x,x)+90j
		push	edi
		push	esi
		call	_HvpMappedViewGetPropertiesForFileOffset@12 ; HvpMappedViewGetPropertiesForFileOffset(x,x,x)
		or	byte ptr [eax],	8
		add	esi, 1000h
		adc	edi, 0
		cmp	edi, [ebp+arg_C]
		jl	short loc_734012
		jg	short loc_734030
		cmp	esi, ebx
		jb	short loc_734012

loc_734030:				; CODE XREF: HvpViewMapMakeViewRangeWriteable(x,x,x,x,x,x)+69j
					; HvpViewMapMakeViewRangeWriteable(x,x,x,x,x,x)+6Fj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_HvpViewMapMakeViewRangeWriteable@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoReadTxRBigLogRecord(x,	x, x, x, x)
_CmpDoReadTxRBigLogRecord@20 proc near	; CODE XREF: CmpRmReDoPhase(x,x,x)+B9p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		mov	[ebp+var_20], ecx
		mov	eax, edx
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		push	esi
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ecx
		mov	byte ptr [ebp+var_5], cl
		mov	ecx, eax
		push	edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], edx
		call	_CmpVerifyBigLogRecordChunk@8 ;	CmpVerifyBigLogRecordChunk(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_734147
		mov	esi, [ebp+var_C]
		xor	ecx, ecx
		push	20204D43h
		inc	ecx
		mov	ebx, [esi+4]
		mov	edx, ebx
		mov	eax, [esi+28h]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_24], ebx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_7340A7
		mov	esi, 0C000009Ah
		jmp	loc_734147
; 

loc_7340A7:				; CODE XREF: CmpDoReadTxRBigLogRecord(x,x,x,x,x)+63j
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, edi
		xor	eax, eax
		mov	[ebp+var_10], ecx
		mov	[ebp+arg_0], eax
		jmp	short loc_734132
; 

loc_7340BF:				; CODE XREF: CmpDoReadTxRBigLogRecord(x,x,x,x,x)+FDj
		mov	eax, [esi+30h]
		mov	[ebp+var_18], eax
		cmp	eax, ebx
		ja	short loc_734137
		push	eax		; size_t
		lea	eax, [esi+34h]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [ebp+var_18]
		add	esp, 0Ch
		add	[ebp+var_10], eax
		sub	ebx, eax
		mov	eax, [ebp+arg_0]
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, [ebp+var_1C]
		jnb	short loc_734150
		lea	eax, [ebp+var_2C]
		mov	byte ptr [ebp+var_5], 1
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	0
		lea	eax, [ebp+var_5]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_20]
		call	ds:__imp__ClfsReadNextLogRecord@32 ; ClfsReadNextLogRecord(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_73413C
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_C]
		call	_CmpVerifyBigLogRecordChunk@8 ;	CmpVerifyBigLogRecordChunk(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_73413C
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_10]

loc_734132:				; CODE XREF: CmpDoReadTxRBigLogRecord(x,x,x,x,x)+85j
		cmp	[esi+2Ch], eax
		jz	short loc_7340BF

loc_734137:				; CODE XREF: CmpDoReadTxRBigLogRecord(x,x,x,x,x)+8Fj
					; CmpDoReadTxRBigLogRecord(x,x,x,x,x)+11Aj
		mov	esi, 0C000003Eh

loc_73413C:				; CODE XREF: CmpDoReadTxRBigLogRecord(x,x,x,x,x)+DEj
					; CmpDoReadTxRBigLogRecord(x,x,x,x,x)+EFj ...
		test	edi, edi
		jz	short loc_734147
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_734147:				; CODE XREF: CmpDoReadTxRBigLogRecord(x,x,x,x,x)+3Bj
					; CmpDoReadTxRBigLogRecord(x,x,x,x,x)+6Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_734150:				; CODE XREF: CmpDoReadTxRBigLogRecord(x,x,x,x,x)+B1j
		test	ebx, ebx
		jnz	short loc_734137
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_24]
		mov	[eax], edi
		xor	edi, edi
		mov	eax, [ebp+arg_8]
		xor	esi, esi
		mov	[eax], ecx
		jmp	short loc_73413C
_CmpDoReadTxRBigLogRecord@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVerifyBigLogRecordChunk(x, x)
_CmpVerifyBigLogRecordChunk@8 proc near	; CODE XREF: CmpDoReadTxRBigLogRecord(x,x,x,x,x)+32p
					; CmpDoReadTxRBigLogRecord(x,x,x,x,x)+E6p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		push	34h
		mov	esi, edx
		pop	edi
		cmp	esi, edi
		jnb	short loc_734180

loc_734179:				; CODE XREF: CmpVerifyBigLogRecordChunk(x,x)+1Cj
					; CmpVerifyBigLogRecordChunk(x,x)+24j ...
		mov	eax, 0C0190030h
		jmp	short loc_7341AD
; 

loc_734180:				; CODE XREF: CmpVerifyBigLogRecordChunk(x,x)+Fj
		cmp	dword ptr [ecx+0Ch], 0
		jge	short loc_734179
		mov	eax, [ecx+2Ch]
		cmp	eax, [ecx+28h]
		jnb	short loc_734179
		mov	edx, [ecx+30h]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, edi
		mov	[ebp+var_4], edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_734179
		cmp	esi, [ebp+var_4]
		sbb	eax, eax
		and	eax, 0C0190030h

loc_7341AD:				; CODE XREF: CmpVerifyBigLogRecordChunk(x,x)+16j
		pop	edi
		pop	esi
		leave
		retn
_CmpVerifyBigLogRecordChunk@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVerifyCreateOrDeleteKeyLogRecord(x)
_CmpVerifyCreateOrDeleteKeyLogRecord@4 proc near ; CODE	XREF: CmpVerifyLogRecord(x,x)+37p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		push	34h
		pop	ecx
		mov	edi, [esi+4]
		cmp	edi, ecx
		jnb	short loc_7341CD

loc_7341C6:				; CODE XREF: CmpVerifyCreateOrDeleteKeyLogRecord(x)+25j
					; CmpVerifyCreateOrDeleteKeyLogRecord(x)+2Dj
		mov	eax, 0C0190030h
		jmp	short loc_734225
; 

loc_7341CD:				; CODE XREF: CmpVerifyCreateOrDeleteKeyLogRecord(x)+12j
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_7341D9
		cmp	eax, 1
		jnz	short loc_7341C6

loc_7341D9:				; CODE XREF: CmpVerifyCreateOrDeleteKeyLogRecord(x)+20j
		movzx	eax, word ptr [esi+20h]
		test	al, 1
		jnz	short loc_7341C6
		push	ebx
		mov	ebx, eax
		mov	[ebp+var_4], ecx
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_7341FB
		cmp	edi, [ebp+var_4]
		jnb	short loc_734202

loc_7341FB:				; CODE XREF: CmpVerifyCreateOrDeleteKeyLogRecord(x)+42j
		mov	eax, 0C0190030h
		jmp	short loc_734224
; 

loc_734202:				; CODE XREF: CmpVerifyCreateOrDeleteKeyLogRecord(x)+47j
		sub	edi, [ebp+var_4]
		lea	eax, [esi+34h]
		push	0
		push	edi
		add	eax, ebx
		push	eax
		call	_RtlValidRelativeSecurityDescriptor@12 ; RtlValidRelativeSecurityDescriptor(x,x,x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3FE6FFD0h
		add	eax, 0C0190030h

loc_734224:				; CODE XREF: CmpVerifyCreateOrDeleteKeyLogRecord(x)+4Ej
		pop	ebx

loc_734225:				; CODE XREF: CmpVerifyCreateOrDeleteKeyLogRecord(x)+19j
		pop	edi
		pop	esi
		leave
		retn
_CmpVerifyCreateOrDeleteKeyLogRecord@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpVerifyLogRecord(x, x)
_CmpVerifyLogRecord@8 proc near		; CODE XREF: CmpRmReDoPhase(x,x,x)+CEp
		mov	eax, edx
		push	esi
		mov	esi, ecx
		cmp	eax, 28h
		jnb	short loc_73423B

loc_734234:				; CODE XREF: CmpVerifyLogRecord(x,x)+16j
					; CmpVerifyLogRecord(x,x)+1Bj ...
		mov	eax, 0C0190030h
		pop	esi
		retn
; 

loc_73423B:				; CODE XREF: CmpVerifyLogRecord(x,x)+8j
		mov	edx, [esi+4]
		cmp	edx, eax
		ja	short loc_734234
		cmp	edx, 28h
		jb	short loc_734234
		call	_HvBufferCheckSum@8 ; HvBufferCheckSum(x,x)
		cmp	[esi], eax
		jnz	short loc_734234
		mov	eax, [esi+0Ch]
		cmp	eax, 0Bh
		jnb	short loc_734234
		jmp	ds:off_73429E[eax*4]

loc_73425F:				; DATA XREF: PAGE:007342A2o
					; PAGE:007342A6o
		mov	ecx, esi
		call	_CmpVerifyCreateOrDeleteKeyLogRecord@4 ; CmpVerifyCreateOrDeleteKeyLogRecord(x)
		jmp	short loc_734293
; 

loc_734268:				; CODE XREF: CmpVerifyLogRecord(x,x)+2Ej
					; DATA XREF: PAGE:007342AAo ...
		mov	ecx, esi
		call	_CmpVerifySetOrDeleteValueLogRecord@4 ;	CmpVerifySetOrDeleteValueLogRecord(x)
		jmp	short loc_734293
; 

loc_734271:				; CODE XREF: CmpVerifyLogRecord(x,x)+2Ej
					; DATA XREF: PAGE:007342B6o
		mov	ecx, esi
		call	_CmpVerifySetKeyUserFlagsLogRecord@4 ; CmpVerifySetKeyUserFlagsLogRecord(x)
		jmp	short loc_734293
; 

loc_73427A:				; CODE XREF: CmpVerifyLogRecord(x,x)+2Ej
					; DATA XREF: PAGE:007342BAo
		mov	ecx, esi
		call	_CmpVerifySetLastWriteTimeLogRecord@4 ;	CmpVerifySetLastWriteTimeLogRecord(x)
		jmp	short loc_734293
; 

loc_734283:				; CODE XREF: CmpVerifyLogRecord(x,x)+2Ej
					; DATA XREF: PAGE:007342BEo ...
		mov	ecx, esi
		call	_CmpVerifySetSecurityDescriptorLogRecord@4 ; CmpVerifySetSecurityDescriptorLogRecord(x)
		jmp	short loc_734293
; 

loc_73428C:				; CODE XREF: CmpVerifyLogRecord(x,x)+2Ej
					; DATA XREF: PAGE:007342C2o
		mov	ecx, esi
		call	_CmpVerifyRenameKeyLogRecord@4 ; CmpVerifyRenameKeyLogRecord(x)

loc_734293:				; CODE XREF: CmpVerifyLogRecord(x,x)+3Cj
					; CmpVerifyLogRecord(x,x)+45j ...
		test	eax, eax
		js	short loc_734299

loc_734297:				; CODE XREF: CmpVerifyLogRecord(x,x)+2Ej
					; DATA XREF: PAGE:off_73429Eo
		xor	eax, eax

loc_734299:				; CODE XREF: CmpVerifyLogRecord(x,x)+6Bj
		pop	esi
		retn
_CmpVerifyLogRecord@8 endp

; 
		db 8Dh
		db 49h,	0
off_73429E	dd offset loc_734297	; DATA XREF: CmpVerifyLogRecord(x,x)+2Er
		dd offset loc_73425F
		dd offset loc_73425F
		dd offset loc_734268
		dd offset loc_734268
		dd offset loc_734268
		dd offset loc_734271
		dd offset loc_73427A
		dd offset loc_734283
		dd offset loc_73428C
		dd offset loc_734283

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVerifyRenameKeyLogRecord(x)
_CmpVerifyRenameKeyLogRecord@4 proc near ; CODE	XREF: CmpVerifyLogRecord(x,x)+64p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ecx+4]
		push	edi
		push	30h
		pop	edi
		cmp	esi, edi
		jnb	short loc_7342E3

loc_7342DC:				; CODE XREF: CmpVerifyRenameKeyLogRecord(x)+1Fj
		mov	eax, 0C0190030h
		jmp	short loc_73432D
; 

loc_7342E3:				; CODE XREF: CmpVerifyRenameKeyLogRecord(x)+10j
		movzx	eax, word ptr [ecx+20h]
		test	al, 1
		jnz	short loc_7342DC
		push	ebx
		movzx	ebx, word ptr [ecx+28h]
		test	bl, 1
		jnz	short loc_73431B
		lea	edx, [ebp+var_4]
		mov	[ebp+var_4], edi
		push	edx
		mov	edx, eax
		mov	ecx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_73431B
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, ebx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_734322

loc_73431B:				; CODE XREF: CmpVerifyRenameKeyLogRecord(x)+29j
					; CmpVerifyRenameKeyLogRecord(x)+3Dj
		mov	eax, 0C0190030h
		jmp	short loc_73432C
; 

loc_734322:				; CODE XREF: CmpVerifyRenameKeyLogRecord(x)+4Fj
		cmp	esi, [ebp+var_4]
		sbb	eax, eax
		and	eax, 0C0190030h

loc_73432C:				; CODE XREF: CmpVerifyRenameKeyLogRecord(x)+56j
		pop	ebx

loc_73432D:				; CODE XREF: CmpVerifyRenameKeyLogRecord(x)+17j
		pop	edi
		pop	esi
		leave
		retn
_CmpVerifyRenameKeyLogRecord@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVerifySetKeyUserFlagsLogRecord(x)
_CmpVerifySetKeyUserFlagsLogRecord@4 proc near ; CODE XREF: CmpVerifyLogRecord(x,x)+49p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ecx+4]
		push	edi
		push	2Ch
		pop	edi
		cmp	esi, edi
		jnb	short loc_73434B

loc_734344:				; CODE XREF: CmpVerifySetKeyUserFlagsLogRecord(x)+1Fj
					; CmpVerifySetKeyUserFlagsLogRecord(x)+33j
		mov	eax, 0C0190030h
		jmp	short loc_734371
; 

loc_73434B:				; CODE XREF: CmpVerifySetKeyUserFlagsLogRecord(x)+10j
		movzx	eax, word ptr [ecx+20h]
		test	al, 1
		jnz	short loc_734344
		lea	edx, [ebp+var_4]
		mov	[ebp+var_4], edi
		push	edx
		mov	edx, eax
		mov	ecx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_734344
		cmp	esi, [ebp+var_4]
		sbb	eax, eax
		and	eax, 0C0190030h

loc_734371:				; CODE XREF: CmpVerifySetKeyUserFlagsLogRecord(x)+17j
		pop	edi
		pop	esi
		leave
		retn
_CmpVerifySetKeyUserFlagsLogRecord@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVerifySetLastWriteTimeLogRecord(x)
_CmpVerifySetLastWriteTimeLogRecord@4 proc near	; CODE XREF: CmpVerifyLogRecord(x,x)+52p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ecx+4]
		push	edi
		push	30h
		pop	edi
		cmp	esi, edi
		jnb	short loc_73438F

loc_734388:				; CODE XREF: CmpVerifySetLastWriteTimeLogRecord(x)+1Fj
					; CmpVerifySetLastWriteTimeLogRecord(x)+33j
		mov	eax, 0C0190030h
		jmp	short loc_7343B5
; 

loc_73438F:				; CODE XREF: CmpVerifySetLastWriteTimeLogRecord(x)+10j
		movzx	eax, word ptr [ecx+20h]
		test	al, 1
		jnz	short loc_734388
		lea	edx, [ebp+var_4]
		mov	[ebp+var_4], edi
		push	edx
		mov	edx, eax
		mov	ecx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_734388
		cmp	esi, [ebp+var_4]
		sbb	eax, eax
		and	eax, 0C0190030h

loc_7343B5:				; CODE XREF: CmpVerifySetLastWriteTimeLogRecord(x)+17j
		pop	edi
		pop	esi
		leave
		retn
_CmpVerifySetLastWriteTimeLogRecord@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVerifySetOrDeleteValueLogRecord(x)
_CmpVerifySetOrDeleteValueLogRecord@4 proc near	; CODE XREF: CmpVerifyLogRecord(x,x)+40p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+4]
		cmp	edi, 3Ch
		jnb	short loc_7343D3

loc_7343CC:				; CODE XREF: CmpVerifySetOrDeleteValueLogRecord(x)+23j
					; CmpVerifySetOrDeleteValueLogRecord(x)+29j ...
		mov	eax, 0C0190030h
		jmp	short loc_734443
; 

loc_7343D3:				; CODE XREF: CmpVerifySetOrDeleteValueLogRecord(x)+10j
		cmp	dword ptr [esi+0Ch], 5
		jnz	short loc_7343E5
		cmp	dword ptr [esi+38h], 0
		jnz	short loc_7343CC
		cmp	dword ptr [esi+34h], 0
		jnz	short loc_7343CC

loc_7343E5:				; CODE XREF: CmpVerifySetOrDeleteValueLogRecord(x)+1Dj
		movzx	eax, word ptr [esi+20h]
		test	al, 1
		jnz	short loc_7343CC
		push	ebx
		movzx	ebx, word ptr [esi+28h]
		test	bl, 1
		jnz	short loc_734431
		push	34h
		pop	ecx
		lea	edx, [ebp+var_4]
		mov	[ebp+var_4], ecx
		push	edx
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_734431
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, ebx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_734431
		mov	edx, [esi+34h]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_734438

loc_734431:				; CODE XREF: CmpVerifySetOrDeleteValueLogRecord(x)+3Bj
					; CmpVerifySetOrDeleteValueLogRecord(x)+50j ...
		mov	eax, 0C0190030h
		jmp	short loc_734442
; 

loc_734438:				; CODE XREF: CmpVerifySetOrDeleteValueLogRecord(x)+75j
		cmp	edi, [ebp+var_4]
		sbb	eax, eax
		and	eax, 0C0190030h

loc_734442:				; CODE XREF: CmpVerifySetOrDeleteValueLogRecord(x)+7Cj
		pop	ebx

loc_734443:				; CODE XREF: CmpVerifySetOrDeleteValueLogRecord(x)+17j
		pop	edi
		pop	esi
		leave
		retn
_CmpVerifySetOrDeleteValueLogRecord@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVerifySetSecurityDescriptorLogRecord(x)
_CmpVerifySetSecurityDescriptorLogRecord@4 proc	near
					; CODE XREF: CmpVerifyLogRecord(x,x)+5Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		push	30h
		pop	ecx
		mov	edi, [esi+4]
		cmp	edi, ecx
		jnb	short loc_734464

loc_73445D:				; CODE XREF: CmpVerifySetSecurityDescriptorLogRecord(x)+22j
					; CmpVerifySetSecurityDescriptorLogRecord(x)+37j
		mov	eax, 0C0190030h
		jmp	short loc_7344C6
; 

loc_734464:				; CODE XREF: CmpVerifySetSecurityDescriptorLogRecord(x)+13j
		movzx	eax, word ptr [esi+20h]
		test	al, 1
		jnz	short loc_73445D
		lea	edx, [ebp+var_4]
		mov	[ebp+var_4], ecx
		push	edx
		mov	edx, eax
		mov	[ebp+var_8], eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_73445D
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	ebx
		mov	ebx, [esi+28h]
		mov	edx, ebx
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_73449C
		cmp	edi, [ebp+var_4]
		jnb	short loc_7344A3

loc_73449C:				; CODE XREF: CmpVerifySetSecurityDescriptorLogRecord(x)+4Dj
		mov	eax, 0C0190030h
		jmp	short loc_7344C5
; 

loc_7344A3:				; CODE XREF: CmpVerifySetSecurityDescriptorLogRecord(x)+52j
		mov	eax, [ebp+var_8]
		push	0
		add	eax, 30h
		push	ebx
		add	eax, esi
		push	eax
		call	_RtlValidRelativeSecurityDescriptor@12 ; RtlValidRelativeSecurityDescriptor(x,x,x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3FE6FFD0h
		add	eax, 0C0190030h

loc_7344C5:				; CODE XREF: CmpVerifySetSecurityDescriptorLogRecord(x)+59j
		pop	ebx

loc_7344C6:				; CODE XREF: CmpVerifySetSecurityDescriptorLogRecord(x)+1Aj
		pop	edi
		pop	esi
		leave
		retn
_CmpVerifySetSecurityDescriptorLogRecord@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpUnicodeStringAppendCharacter(x, x)
_CmpUnicodeStringAppendCharacter@8 proc	near
					; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+1A0p
					; CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+CAp
		movzx	edx, word ptr [ecx+2]
		push	esi
		movzx	esi, word ptr [ecx]
		lea	eax, [esi+2]
		cmp	eax, edx
		jbe	short loc_7344E0
		mov	eax, 80000005h
		pop	esi
		retn
; 

loc_7344E0:				; CODE XREF: CmpUnicodeStringAppendCharacter(x,x)+Dj
		mov	eax, [ecx+4]
		shr	esi, 1
		push	5Ch
		pop	edx
		mov	[eax+esi*2], dx
		xor	eax, eax
		add	word ptr [ecx],	2
		pop	esi
		retn
_CmpUnicodeStringAppendCharacter@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpGetEffectiveKcbSemantics(x, x)
_CmpGetEffectiveKcbSemantics@8 proc near
					; CODE XREF: CmpGetSecurityCacheEntryForKcbStack(x,x,x)+2Fp
					; CmpGetSecurityCacheEntryForKcbStack(x,x,x)+50p ...
		test	edx, edx
		jz	short loc_734515
		movzx	eax, word ptr [edx+4]
		push	esi
		movsx	esi, word ptr [ecx+22h]
		cmp	esi, eax
		pop	esi
		jnz	short loc_734515
		mov	al, [ecx+21h]
		test	al, al
		jz	short loc_734511
		movzx	eax, al
		retn
; 

loc_734511:				; CODE XREF: CmpGetEffectiveKcbSemantics(x,x)+17j
		push	2
		pop	eax
		retn
; 

loc_734515:				; CODE XREF: CmpGetEffectiveKcbSemantics(x,x)+2j
					; CmpGetEffectiveKcbSemantics(x,x)+10j
		cmp	word ptr [ecx+22h], 0
		jnz	short loc_73451F
		xor	eax, eax
		retn
; 

loc_73451F:				; CODE XREF: CmpGetEffectiveKcbSemantics(x,x)+26j
		movzx	eax, byte ptr [ecx+21h]
		retn
_CmpGetEffectiveKcbSemantics@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPopulateKeyNodeStackFromKcbStack(x, x, x)
_CmpPopulateKeyNodeStackFromKcbStack@12	proc near
					; CODE XREF: CmpStartKeyNodeStackFromKcbStack(x,x,x)+1Fp
					; CmpSubtreeEnumeratorBeginForKcbStack(x,x)+13p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, edx
		mov	eax, ecx
		push	esi
		mov	[ebp+var_C], eax
		movzx	esi, word ptr [ebx+2]
		test	si, si
		js	short loc_734596
		push	edi

loc_73453F:				; CODE XREF: CmpPopulateKeyNodeStackFromKcbStack(x,x,x)+6Fj
		mov	edx, esi
		mov	ecx, eax
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	ecx, ebx
		mov	edi, eax
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		mov	[ebp+var_8], eax
		mov	ecx, [eax+14h]
		mov	[ebp+var_4], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_734578
		mov	edx, [eax+10h]
		mov	[edi+4], ecx
		lea	ecx, [edi+0Ch]
		push	ecx
		push	[ebp+var_4]
		mov	[edi], edx
		push	edx
		call	dword ptr [edx+4]
		mov	[edi+8], eax
		mov	eax, [ebp+var_8]

loc_734578:				; CODE XREF: CmpPopulateKeyNodeStackFromKcbStack(x,x,x)+39j
		cmp	[ebp+arg_0], 0
		jz	short loc_73458C
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		test	eax, eax
		jnz	short loc_734595

loc_73458C:				; CODE XREF: CmpPopulateKeyNodeStackFromKcbStack(x,x,x)+58j
		mov	eax, [ebp+var_C]
		dec	esi
		test	si, si
		jns	short loc_73453F

loc_734595:				; CODE XREF: CmpPopulateKeyNodeStackFromKcbStack(x,x,x)+66j
		pop	edi

loc_734596:				; CODE XREF: CmpPopulateKeyNodeStackFromKcbStack(x,x,x)+18j
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpPopulateKeyNodeStackFromKcbStack@12	endp


;  S U B	R O U T	I N E 


; __stdcall CmpRemoveLayerLinkForDiscardedKcb(x, x)
_CmpRemoveLayerLinkForDiscardedKcb@8 proc near
					; CODE XREF: CmpRemoveHiveFromNamespace(x,x,x)+5Fp
					; CmpCompleteUnloadKey(x,x,x)+B1p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+6Ch]
		test	eax, eax
		jz	short loc_7345D7
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jz	short loc_7345D7
		mov	ecx, [ecx+8]
		and	dword ptr [eax+0Ch], 0
		xor	eax, eax
		mov	[esi+22h], ax
		call	_CmpDelayDerefKeyControlBlock@8	; CmpDelayDerefKeyControlBlock(x,x)
		mov	ecx, [esi+6Ch]
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_7345D9
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_7345D9
		mov	[eax], edx
		mov	[edx+4], eax

loc_7345D7:				; CODE XREF: CmpRemoveLayerLinkForDiscardedKcb(x,x)+Aj
					; CmpRemoveLayerLinkForDiscardedKcb(x,x)+11j
		pop	esi
		retn
; 

loc_7345D9:				; CODE XREF: CmpRemoveLayerLinkForDiscardedKcb(x,x)+2Dj
					; CmpRemoveLayerLinkForDiscardedKcb(x,x)+34j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmpRemoveLayerLinkForDiscardedKcb@8 endp ; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpStartKeyNodeStackFromKcbStack(x,	x, x)
_CmpStartKeyNodeStackFromKcbStack@12 proc near ; CODE XREF: CmQueryLayeredKey+177D00p
					; CmpGetSubKeyCountForKcbStack(x,x,x)+38p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	dx, [esi+2]
		call	_CmpStartKeyNodeStack@8	; CmpStartKeyNodeStack(x,x)
		test	eax, eax
		js	short loc_734604
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, edi
		call	_CmpPopulateKeyNodeStackFromKcbStack@12	; CmpPopulateKeyNodeStackFromKcbStack(x,x,x)
		xor	eax, eax

loc_734604:				; CODE XREF: CmpStartKeyNodeStackFromKcbStack(x,x,x)+16j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_CmpStartKeyNodeStackFromKcbStack@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmObReferenceObjectByName(x, x, x, x, x, x,	x)
_CmObReferenceObjectByName@28 proc near	; CODE XREF: NtNotifyChangeMultipleKeys+441p
					; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+2C2p	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_CmKeyObjectType
		and	[ebp+var_4], 0
		push	esi
		lea	esi, [ebp+var_4]
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	eax
		push	[ebp+arg_0]
		call	ObReferenceObjectByNameEx
		mov	ecx, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_73464E
		cmp	dword ptr [ecx], 6B793032h
		jz	short loc_734645
		mov	esi, 0C0000008h
		jmp	short loc_73464E
; 

loc_734645:				; CODE XREF: CmObReferenceObjectByName(x,x,x,x,x,x,x)+32j
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		xor	ecx, ecx
		xor	esi, esi

loc_73464E:				; CODE XREF: CmObReferenceObjectByName(x,x,x,x,x,x,x)+2Aj
					; CmObReferenceObjectByName(x,x,x,x,x,x,x)+39j
		test	ecx, ecx
		jz	short loc_734657
		call	ObfDereferenceObject

loc_734657:				; CODE XREF: CmObReferenceObjectByName(x,x,x,x,x,x,x)+46j
		mov	eax, esi
		pop	esi
		leave
		retn	14h
_CmObReferenceObjectByName@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSplitParentKeyName(x, x,	x)
_CmpSplitParentKeyName@12 proc near	; CODE XREF: CmpDoReDoCreateKey(x,x)+30p
					; CmpDoReOpenTransKey(x,x,x,x)+137p

var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ecx
		mov	[ebp+var_8], edx
		push	ebx
		xor	edx, edx
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		cmp	[eax], dx
		jnz	short loc_734682
		mov	edi, edx
		mov	esi, edx
		mov	ecx, edx
		mov	ebx, edx
		jmp	short loc_7346F5
; 

loc_734682:				; CODE XREF: CmpSplitParentKeyName(x,x,x)+18j
		mov	ecx, [eax]
		mov	esi, [eax+4]
		mov	ebx, esi
		movzx	edx, cx
		shr	edx, 1
		sub	edx, 1
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		js	short loc_7346F1

loc_734699:				; CODE XREF: CmpSplitParentKeyName(x,x,x)+45j
		cmp	word ptr [esi+edx*2], 5Ch
		jz	short loc_7346A5
		sub	edx, 1
		jns	short loc_734699

loc_7346A5:				; CODE XREF: CmpSplitParentKeyName(x,x,x)+40j
		test	edx, edx
		js	short loc_7346F1
		lea	ecx, [edx+edx]
		mov	word ptr [ebp+var_10], cx
		mov	word ptr [ebp+var_10+2], cx
		test	cx, cx
		jnz	short loc_7346BF
		xor	edi, edi
		xor	esi, esi
		jmp	short loc_7346C2
; 

loc_7346BF:				; CODE XREF: CmpSplitParentKeyName(x,x,x)+59j
		mov	edi, [ebp+var_10]

loc_7346C2:				; CODE XREF: CmpSplitParentKeyName(x,x,x)+5Fj
		mov	eax, 0FFFEh
		sub	eax, ecx
		mov	cx, word ptr [ebp+var_18]
		add	cx, ax
		mov	eax, [ebp+var_4]
		mov	word ptr [ebp+var_18], cx
		mov	word ptr [ebp+var_18+2], cx
		mov	ebx, [eax+4]
		lea	ebx, [ebx+2]
		lea	ebx, [ebx+edx*2]
		jnz	short loc_7346EC
		xor	ecx, ecx
		xor	ebx, ebx
		jmp	short loc_7346F5
; 

loc_7346EC:				; CODE XREF: CmpSplitParentKeyName(x,x,x)+86j
		mov	ecx, [ebp+var_18]
		jmp	short loc_7346F5
; 

loc_7346F1:				; CODE XREF: CmpSplitParentKeyName(x,x,x)+39j
					; CmpSplitParentKeyName(x,x,x)+49j
		xor	edi, edi
		xor	esi, esi

loc_7346F5:				; CODE XREF: CmpSplitParentKeyName(x,x,x)+22j
					; CmpSplitParentKeyName(x,x,x)+8Cj ...
		mov	eax, [ebp+var_8]
		mov	[eax], edi
		mov	[eax+4], esi
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		mov	[eax+4], ebx
		mov	[eax], ecx
		pop	ebx
		leave
		retn	4
_CmpSplitParentKeyName@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCompareInIndex(x, x, x, x, x, x)
_CmpCompareInIndex@24 proc near		; CODE XREF: CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+71p
					; CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+A4p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		or	dword ptr [ebx], 0FFFFFFFFh
		mov	[ebp+var_4], edx
		mov	edx, 666Ch
		mov	[ebp+var_8], ecx
		movzx	eax, word ptr [edi]
		cmp	ax, dx
		jz	short loc_734779
		mov	ecx, 686Ch
		cmp	ax, cx
		jz	short loc_734770
		mov	esi, [ebp+arg_4]
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	dword ptr [edi+esi*4+4]
		push	[ebp+arg_0]
		call	_CmpDoCompareKeyName@16	; CmpDoCompareKeyName(x,x,x,x)
		mov	edx, eax
		cmp	edx, 2
		jz	loc_73486D
		test	edx, edx
		jnz	loc_73487F
		mov	ecx, [edi+esi*4+4]
		mov	[ebx], ecx
		jmp	loc_73487F
; 

loc_734770:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+2Fj
		cmp	ax, dx
		jnz	loc_734850

loc_734779:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+25j
		mov	ebx, [ebp+arg_4]
		xor	edx, edx
		push	4
		pop	ecx
		mov	[ebp+arg_8], edx
		mov	eax, edx
		lea	esi, [edi+ebx*8]

loc_734789:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+86j
		cmp	[esi+eax+8], dl
		jz	short loc_734796
		inc	eax
		cmp	eax, ecx
		jb	short loc_734789
		jmp	short loc_734798
; 

loc_734796:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+81j
		mov	ecx, eax

loc_734798:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+88j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_7347A4
		movzx	esi, word ptr [eax]
		jmp	short loc_7347AC
; 

loc_7347A4:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+91j
		mov	esi, [ebp+var_4]
		movzx	esi, word ptr [esi]
		shr	esi, 1

loc_7347AC:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+96j
		cmp	esi, ecx
		jb	short loc_7347B2
		mov	esi, ecx

loc_7347B2:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+A2j
		test	esi, esi
		jz	loc_734856
		inc	ebx
		lea	ebx, [edi+ebx*8]
		mov	[ebp+var_10], ebx

loc_7347C1:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+130j
		test	eax, eax
		jz	short loc_7347CE
		mov	eax, [eax+4]
		movzx	ecx, byte ptr [eax+edx]
		jmp	short loc_7347D8
; 

loc_7347CE:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+B7j
		mov	eax, [ebp+var_4]
		mov	eax, [eax+4]
		movzx	ecx, word ptr [eax+edx*2]

loc_7347D8:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+C0j
		movzx	eax, byte ptr [ebx+edx]
		push	61h
		pop	edx
		push	7Ah
		cmp	cx, dx
		mov	[ebp+var_C], eax
		pop	edx
		jnb	short loc_7347EF
		movzx	ebx, cx
		jmp	short loc_73480B
; 

loc_7347EF:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+DCj
		cmp	cx, dx
		jbe	short loc_734805
		push	ecx
		call	_RtlUpcaseUnicodeChar@4	; RtlUpcaseUnicodeChar(x)
		push	7Ah
		movzx	ebx, ax
		mov	eax, [ebp+var_C]
		pop	edx
		jmp	short loc_73480B
; 

loc_734805:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+E6j
		movzx	ebx, cx
		sub	ebx, 20h

loc_73480B:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+E1j
					; CmpCompareInIndex(x,x,x,x,x,x)+F7j
		push	61h
		pop	ecx
		cmp	ax, cx
		jb	short loc_73481E
		cmp	ax, dx
		jbe	short loc_734823
		push	eax
		call	_RtlUpcaseUnicodeChar@4	; RtlUpcaseUnicodeChar(x)

loc_73481E:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+105j
		movzx	eax, ax
		jmp	short loc_734829
; 

loc_734823:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+10Aj
		movzx	eax, ax
		sub	eax, 20h

loc_734829:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+115j
		sub	ebx, eax
		jnz	short loc_734840
		mov	edx, [ebp+arg_8]
		mov	eax, [ebp+arg_0]
		inc	edx
		mov	ebx, [ebp+var_10]
		mov	[ebp+arg_8], edx
		cmp	edx, esi
		jb	short loc_7347C1
		jmp	short loc_734853
; 

loc_734840:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+11Fj
		xor	eax, eax
		test	ebx, ebx
		setnle	al
		lea	eax, ds:0FFFFFFFFh[eax*2]
		jmp	short loc_734881
; 

loc_734850:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+67j
		mov	eax, [ebp+arg_0]

loc_734853:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+132j
		mov	ebx, [ebp+arg_4]

loc_734856:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+A8j
		push	dword ptr [edi+ebx*8+4]
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	eax
		call	_CmpDoCompareKeyName@16	; CmpDoCompareKeyName(x,x,x,x)
		mov	edx, eax
		cmp	edx, 2
		jnz	short loc_734872

loc_73486D:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+4Bj
		push	2
		pop	eax
		jmp	short loc_734881
; 

loc_734872:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+15Fj
		test	edx, edx
		jnz	short loc_73487F
		mov	ecx, [ebp+arg_C]
		mov	eax, [edi+ebx*8+4]
		mov	[ecx], eax

loc_73487F:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+53j
					; CmpCompareInIndex(x,x,x,x,x,x)+5Fj ...
		mov	eax, edx

loc_734881:				; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+142j
					; CmpCompareInIndex(x,x,x,x,x,x)+164j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_CmpCompareInIndex@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoCompareKeyName(x, x, x, x)
_CmpDoCompareKeyName@16	proc near	; CODE XREF: CmpCompareInIndex(x,x,x,x,x,x)+41p
					; CmpCompareInIndex(x,x,x,x,x,x)+155p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		or	[ebp+var_10], 0FFFFFFFFh
		lea	eax, [ebp+var_10]
		push	ebx
		push	esi
		push	edi
		push	eax
		push	[ebp+arg_4]
		mov	edi, ecx
		xor	ebx, ebx
		push	edi
		mov	esi, edx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	dword ptr [edi+4]
		test	eax, eax
		jnz	short loc_7348BA
		push	2
		pop	eax
		jmp	short loc_734939
; 

loc_7348BA:				; CODE XREF: CmpDoCompareKeyName(x,x,x,x)+2Bj
		test	byte ptr [eax+2], 20h
		lea	edx, [eax+4Ch]
		movzx	ecx, word ptr [eax+48h]
		jz	short loc_7348EA
		mov	eax, ecx
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_7348DF
		push	eax
		push	edx
		movzx	edx, word ptr [ecx]
		mov	ecx, [ecx+4]
		call	CmpCompareTwoCompressedNames
		jmp	short loc_73491E
; 

loc_7348DF:				; CODE XREF: CmpDoCompareKeyName(x,x,x,x)+46j
		push	ebx
		push	eax
		mov	ecx, esi
		call	_CmpCompareCompressedName@16 ; CmpCompareCompressedName(x,x,x,x)
		jmp	short loc_73491E
; 

loc_7348EA:				; CODE XREF: CmpDoCompareKeyName(x,x,x,x)+3Dj
		mov	[ebp+var_4], edx
		mov	edx, [ebp+arg_0]
		mov	word ptr [ebp+var_8], cx
		mov	word ptr [ebp+var_8+2],	cx
		test	edx, edx
		jz	short loc_734912
		movzx	eax, word ptr [edx]
		lea	ecx, [ebp+var_8]
		mov	edx, [edx+4]
		push	ebx
		push	eax
		call	_CmpCompareCompressedName@16 ; CmpCompareCompressedName(x,x,x,x)
		mov	esi, eax
		neg	esi
		jmp	short loc_734920
; 

loc_734912:				; CODE XREF: CmpDoCompareKeyName(x,x,x,x)+72j
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)

loc_73491E:				; CODE XREF: CmpDoCompareKeyName(x,x,x,x)+55j
					; CmpDoCompareKeyName(x,x,x,x)+60j
		mov	esi, eax

loc_734920:				; CODE XREF: CmpDoCompareKeyName(x,x,x,x)+88j
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		test	esi, esi
		jnz	short loc_734930
		xor	eax, eax
		jmp	short loc_734939
; 

loc_734930:				; CODE XREF: CmpDoCompareKeyName(x,x,x,x)+A2j
		sar	esi, 1Fh
		and	esi, 0FFFFFFFEh
		lea	eax, [esi+1]

loc_734939:				; CODE XREF: CmpDoCompareKeyName(x,x,x,x)+30j
					; CmpDoCompareKeyName(x,x,x,x)+A6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_CmpDoCompareKeyName@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindSubKeyInLeaf(x, x, x, x, x)
_CmpFindSubKeyInLeaf@20	proc near	; CODE XREF: CmpMarkIndexDirty+F3p
					; CmpRemoveSubKeyFromList(x,x,x)+145p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_CmpFindSubKeyInLeafWithStatus@24 ; CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)
		mov	eax, [ebp+var_4]
		leave
		retn	0Ch
_CmpFindSubKeyInLeaf@20	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindSubKeyInLeafWithStatus(x, x,	x, x, x, x)
_CmpFindSubKeyInLeafWithStatus@24 proc near ; CODE XREF: CmpFindSubKeyInLeaf(x,x,x,x,x)+17p
					; CmpFindSubKeyByNameWithStatus+8Bp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		movzx	eax, word ptr [edx+2]
		push	ebx
		push	esi
		push	edi
		lea	edi, [eax-1]
		mov	[ebp+var_8], edx
		mov	esi, edi
		mov	[ebp+var_C], ecx
		xor	ebx, ebx
		shr	esi, 1
		mov	[ebp+var_4], ebx
		test	ax, ax
		jnz	short loc_73499C
		mov	eax, [ebp+arg_8]
		or	dword ptr [eax], 0FFFFFFFFh
		mov	eax, [ebp+arg_C]
		mov	[eax], ebx
		mov	eax, 0C0000034h
		jmp	short loc_7349F3
; 

loc_73499C:				; CODE XREF: CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+24j
		push	[ebp+arg_8]
		push	edx
		jmp	short loc_7349CE
; 

loc_7349A2:				; CODE XREF: CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+79j
		test	eax, eax
		jz	loc_734A51
		jns	short loc_7349B3
		mov	eax, [ebp+var_4]
		mov	edi, esi
		jmp	short loc_7349B8
; 

loc_7349B3:				; CODE XREF: CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+46j
		mov	eax, esi
		mov	[ebp+var_4], eax

loc_7349B8:				; CODE XREF: CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+4Dj
		mov	ecx, [ebp+var_C]
		mov	esi, edi
		sub	esi, eax
		cmp	esi, 1
		jbe	short loc_7349FA
		push	[ebp+arg_8]
		shr	esi, 1
		push	[ebp+var_8]
		add	esi, eax

loc_7349CE:				; CODE XREF: CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+3Cj
		mov	edx, [ebp+arg_0]
		push	esi
		push	[ebp+arg_4]
		call	_CmpCompareInIndex@24 ;	CmpCompareInIndex(x,x,x,x,x,x)
		cmp	eax, 2
		jnz	short loc_7349A2

loc_7349DF:				; CODE XREF: CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+ACj
					; CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+DBj
		mov	eax, [ebp+arg_8]
		or	dword ptr [eax], 0FFFFFFFFh
		mov	eax, [ebp+arg_C]
		mov	dword ptr [eax], 80000000h
		mov	eax, 0C000009Ah

loc_7349F3:				; CODE XREF: CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+36j
					; CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+C3j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7349FA:				; CODE XREF: CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+5Ej
		mov	esi, [ebp+arg_8]
		mov	edx, [ebp+arg_0]
		push	esi
		push	[ebp+var_8]
		push	eax
		push	[ebp+arg_4]
		call	_CmpCompareInIndex@24 ;	CmpCompareInIndex(x,x,x,x,x,x)
		cmp	eax, 2
		jz	short loc_7349DF
		test	eax, eax
		jz	short loc_734A1D
		jns	short loc_734A29
		mov	ebx, 0C0000034h

loc_734A1D:				; CODE XREF: CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+B0j
		mov	ecx, [ebp+arg_C]
		mov	eax, ebx
		mov	esi, [ebp+var_4]
		mov	[ecx], esi
		jmp	short loc_7349F3
; 

loc_734A29:				; CODE XREF: CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+B2j
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_C]
		push	esi
		push	[ebp+var_8]
		push	edi
		push	[ebp+arg_4]
		call	_CmpCompareInIndex@24 ;	CmpCompareInIndex(x,x,x,x,x,x)
		cmp	eax, 2
		jz	short loc_7349DF
		mov	ecx, [ebp+arg_C]
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000034h
		mov	[ecx], edi
		jmp	short loc_7349F3
; 

loc_734A51:				; CODE XREF: CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)+40j
		mov	eax, [ebp+arg_C]
		mov	[eax], esi
		xor	eax, eax
		jmp	short loc_7349F3
_CmpFindSubKeyInLeafWithStatus@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindSubKeyInRoot(x, x, x, x, x)
_CmpFindSubKeyInRoot@20	proc near	; CODE XREF: CmpMarkIndexDirty+170p
					; CmpRemoveSubKeyFromList(x,x,x)+D5p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		movzx	eax, word ptr [edx+2]
		or	[ebp+var_1C], 0FFFFFFFFh
		and	[ebp+var_18], 0
		dec	eax
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], esi
		mov	ebx, ecx
		mov	esi, eax
		mov	[ebp+var_14], edx
		push	edi
		shr	esi, 1
		lea	eax, [ebp+var_1C]
		push	eax
		mov	edi, [edx+esi*4+4]
		push	edi
		push	ebx
		call	dword ptr [ebx+4]
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_734BE5

loc_734A9E:				; CODE XREF: CmpFindSubKeyInRoot(x,x,x,x,x)+D9j
		mov	edx, [ebp+arg_0]
		push	ecx
		push	eax
		movzx	eax, word ptr [eax+2]
		mov	ecx, ebx
		dec	eax
		push	eax
		push	[ebp+arg_4]
		call	_CmpCompareInIndex@24 ;	CmpCompareInIndex(x,x,x,x,x,x)
		cmp	eax, 2
		jz	loc_734BE5
		test	eax, eax
		jz	loc_734BED
		jns	short loc_734AF6
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		push	[ebp+var_10]
		push	0
		push	[ebp+arg_4]
		call	_CmpCompareInIndex@24 ;	CmpCompareInIndex(x,x,x,x,x,x)
		cmp	eax, 2
		jz	loc_734BE5
		test	eax, eax
		jns	loc_734BED
		mov	edi, [ebp+var_C]
		mov	eax, esi
		mov	[ebp+var_8], eax
		jmp	short loc_734AFE
; 

loc_734AF6:				; CODE XREF: CmpFindSubKeyInRoot(x,x,x,x,x)+6Aj
		mov	eax, [ebp+var_8]
		mov	edi, esi
		mov	[ebp+var_C], edi

loc_734AFE:				; CODE XREF: CmpFindSubKeyInRoot(x,x,x,x,x)+9Aj
		lea	ecx, [ebp+var_1C]
		mov	esi, eax
		mov	eax, [ebx+8]
		sub	esi, edi
		push	ecx
		push	ebx
		call	eax
		mov	eax, [ebp+var_14]
		cmp	esi, 1
		jbe	short loc_734B38
		shr	esi, 1
		add	esi, edi
		mov	edi, [eax+esi*4+4]
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		push	ebx
		call	dword ptr [ebx+4]
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_734BE5
		mov	ecx, [ebp+arg_8]
		jmp	loc_734A9E
; 

loc_734B38:				; CODE XREF: CmpFindSubKeyInRoot(x,x,x,x,x)+B8j
		mov	edi, [eax+edi*4+4]
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		push	ebx
		call	dword ptr [ebx+4]
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		jz	loc_734BE5
		push	[ebp+arg_8]
		movzx	eax, word ptr [esi+2]
		mov	ecx, ebx
		mov	edx, [ebp+arg_0]
		dec	eax
		push	esi
		push	eax
		push	[ebp+arg_4]
		call	_CmpCompareInIndex@24 ;	CmpCompareInIndex(x,x,x,x,x,x)
		cmp	eax, 2
		jz	short loc_734BE5
		test	eax, eax
		jnz	short loc_734B77
		mov	esi, [ebp+var_C]
		jmp	short loc_734BED
; 

loc_734B77:				; CODE XREF: CmpFindSubKeyInRoot(x,x,x,x,x)+116j
		jns	short loc_734B9A
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		push	esi
		push	0
		push	[ebp+arg_4]
		call	_CmpCompareInIndex@24 ;	CmpCompareInIndex(x,x,x,x,x,x)
		cmp	eax, 2
		jz	short loc_734BE5
		mov	esi, [ebp+var_C]
		test	eax, eax
		jns	short loc_734BED
		jmp	short loc_734BEA
; 

loc_734B9A:				; CODE XREF: CmpFindSubKeyInRoot(x,x,x,x,x):loc_734B77j
		lea	eax, [ebp+var_1C]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		mov	eax, [ebp+var_14]
		mov	edi, [ebp+var_8]
		mov	edi, [eax+edi*4+4]
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		push	ebx
		call	dword ptr [ebx+4]
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		jz	short loc_734BE5
		push	[ebp+arg_8]
		movzx	eax, word ptr [esi+2]
		mov	ecx, ebx
		mov	edx, [ebp+arg_0]
		dec	eax
		push	esi
		push	eax
		push	[ebp+arg_4]
		call	_CmpCompareInIndex@24 ;	CmpCompareInIndex(x,x,x,x,x,x)
		cmp	eax, 2
		jz	short loc_734BE5
		mov	esi, [ebp+var_8]
		test	eax, eax
		jz	short loc_734BED
		js	short loc_734BED
		jmp	short loc_734BEA
; 

loc_734BE5:				; CODE XREF: CmpFindSubKeyInRoot(x,x,x,x,x)+3Ej
					; CmpFindSubKeyInRoot(x,x,x,x,x)+5Cj ...
		mov	esi, 80000000h

loc_734BEA:				; CODE XREF: CmpFindSubKeyInRoot(x,x,x,x,x)+13Ej
					; CmpFindSubKeyInRoot(x,x,x,x,x)+189j
		or	edi, 0FFFFFFFFh

loc_734BED:				; CODE XREF: CmpFindSubKeyInRoot(x,x,x,x,x)+64j
					; CmpFindSubKeyInRoot(x,x,x,x,x)+8Cj ...
		cmp	[ebp+var_10], 0
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		jz	short loc_734C00
		lea	eax, [ebp+var_1C]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]

loc_734C00:				; CODE XREF: CmpFindSubKeyInRoot(x,x,x,x,x)+19Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_CmpFindSubKeyInRoot@20	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetSubKeyCountForKcbStack(x, x, x)
_CmpGetSubKeyCountForKcbStack@12 proc near ; CODE XREF:	CmDeleteLayeredKey(x,x,x)+C6p

var_38		= dword	ptr -38h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_38]
		push	30h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_38] ; void *
		call	_CmpInitializeKeyNodeStack@4 ; CmpInitializeKeyNodeStack(x)
		push	0
		mov	edx, esi
		lea	ecx, [ebp+var_38]
		call	_CmpStartKeyNodeStackFromKcbStack@12 ; CmpStartKeyNodeStackFromKcbStack(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_734C5F
		mov	edx, edi
		lea	ecx, [ebp+var_38]
		call	_CmpGetSubKeyCountForKeyNodeStack@8 ; CmpGetSubKeyCountForKeyNodeStack(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_734C5F
		xor	esi, esi

loc_734C5F:				; CODE XREF: CmpGetSubKeyCountForKcbStack(x,x,x)+41j
					; CmpGetSubKeyCountForKcbStack(x,x,x)+51j
		lea	ecx, [ebp+var_38]
		call	CmpCleanupKeyNodeStack
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpGetSubKeyCountForKcbStack@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpKeyEnumStackStartFromKcbStack(x,	x, x, x)
_CmpKeyEnumStackStartFromKcbStack@16 proc near ; CODE XREF: CmpEnumerateLayeredKey+18CC9Dp
					; CmpPartialPromoteSubkeys(x)+A0p

var_34		= dword	ptr -34h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		lea	eax, [ebp+var_34]
		push	esi
		push	edi
		push	30h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, edx
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_34] ; void *
		call	_CmpInitializeKeyNodeStack@4 ; CmpInitializeKeyNodeStack(x)
		push	0
		mov	edx, esi
		lea	ecx, [ebp+var_34]
		call	_CmpStartKeyNodeStackFromKcbStack@12 ; CmpStartKeyNodeStackFromKcbStack(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_734CE2
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_734CCF
		mov	ax, [eax+4]
		mov	[edi+2], ax

loc_734CCF:				; CODE XREF: CmpKeyEnumStackStartFromKcbStack(x,x,x,x)+4Bj
		push	ebx
		lea	edx, [ebp+var_34]
		mov	ecx, edi
		call	_CmpKeyEnumStackStartFromKeyNodeStack@12 ; CmpKeyEnumStackStartFromKeyNodeStack(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_734CE2
		xor	esi, esi

loc_734CE2:				; CODE XREF: CmpKeyEnumStackStartFromKcbStack(x,x,x,x)+44j
					; CmpKeyEnumStackStartFromKcbStack(x,x,x,x)+64j
		lea	ecx, [ebp+var_34]
		call	CmpCleanupKeyNodeStack
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_CmpKeyEnumStackStartFromKcbStack@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpValueEnumStackStartFromKcbStack(x, x, x)
_CmpValueEnumStackStartFromKcbStack@12 proc near
					; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+133p

var_38		= dword	ptr -38h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [ebp+var_38]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_38] ; void *
		call	_CmpInitializeKeyNodeStack@4 ; CmpInitializeKeyNodeStack(x)
		push	[ebp+arg_0]
		mov	edx, esi
		lea	ecx, [ebp+var_38]
		call	_CmpStartKeyNodeStackFromKcbStack@12 ; CmpStartKeyNodeStackFromKcbStack(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_734D53
		lea	edx, [ebp+var_38]
		mov	ecx, edi
		call	_CmpValueEnumStackStartFromKeyNodeStack@8 ; CmpValueEnumStackStartFromKeyNodeStack(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_734D53
		xor	esi, esi

loc_734D53:				; CODE XREF: CmpValueEnumStackStartFromKcbStack(x,x,x)+41j
					; CmpValueEnumStackStartFromKcbStack(x,x,x)+51j
		lea	ecx, [ebp+var_38]
		call	CmpCleanupKeyNodeStack
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpValueEnumStackStartFromKcbStack@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpResetCachedSecurity(x, x)
_CmpResetCachedSecurity@8 proc near	; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+189p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		mov	esi, ecx
		call	_CmpFindSecurityCellCacheIndex@12 ; CmpFindSecurityCellCacheIndex(x,x,x)
		test	al, al
		jnz	short loc_734D8F
		mov	eax, 0C0000225h
		jmp	short loc_734DA2
; 

loc_734D8F:				; CODE XREF: CmpResetCachedSecurity(x,x)+18j
		mov	ecx, [esi+4CCh]
		mov	eax, [ebp+var_4]
		mov	eax, [ecx+eax*8+4]
		and	dword ptr [eax+14h], 0
		xor	eax, eax

loc_734DA2:				; CODE XREF: CmpResetCachedSecurity(x,x)+1Fj
		pop	esi
		leave
		retn
_CmpResetCachedSecurity@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmRmIsKcbStackVisible(x, x)
_CmRmIsKcbStackVisible@8 proc near	; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+E42p
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+153Bp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		movzx	edx, word ptr [esi+2]
		jmp	short loc_734DC2
; 

loc_734DB4:				; CODE XREF: CmRmIsKcbStackVisible(x,x)+1Fj
		mov	ecx, esi
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		cmp	dword ptr [eax+14h], 0FFFFFFFFh
		jnz	short loc_734DCC
		dec	edx

loc_734DC2:				; CODE XREF: CmRmIsKcbStackVisible(x,x)+Cj
		test	dx, dx
		jns	short loc_734DB4
		pop	edi
		mov	al, 1
		pop	esi
		retn
; 

loc_734DCC:				; CODE XREF: CmRmIsKcbStackVisible(x,x)+19j
		mov	edx, edi
		mov	ecx, eax
		pop	edi
		pop	esi
		jmp	CmRmIsKCBVisible
_CmRmIsKcbStackVisible@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetEffectiveCellType(x, x)
_CmpGetEffectiveCellType@8 proc	near	; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+1C4p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	short loc_734E0A
		cmp	dword ptr [esi+80h], 0
		jz	short loc_734E0A
		and	[ebp+var_4], 0
		lea	ecx, [esi+70h]
		jmp	short loc_734DFD
; 

loc_734DF7:				; CODE XREF: CmpGetEffectiveCellType(x,x)+30j
		cmp	dword ptr [eax+24h], 0
		jz	short loc_734E13

loc_734DFD:				; CODE XREF: CmpGetEffectiveCellType(x,x)+1Dj
		push	ecx
		lea	edx, [ebp+var_4]
		call	CmListGetPrevElement
		test	eax, eax
		jnz	short loc_734DF7

loc_734E0A:				; CODE XREF: CmpGetEffectiveCellType(x,x)+Bj
					; CmpGetEffectiveCellType(x,x)+14j
		mov	eax, [esi+14h]
		shr	eax, 1Fh

loc_734E10:				; CODE XREF: CmpGetEffectiveCellType(x,x)+3Ej
		pop	esi
		leave
		retn
; 

loc_734E13:				; CODE XREF: CmpGetEffectiveCellType(x,x)+23j
		mov	eax, [eax+28h]
		jmp	short loc_734E10
_CmpGetEffectiveCellType@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmpUndoDeleteKeyForTransEx(void	*)
_CmpUndoDeleteKeyForTransEx@12 proc near ; CODE	XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+2B4p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		or	[ebp+var_44], 0FFFFFFFFh
		or	eax, 0FFFFFFFFh
		or	[ebp+var_4C], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_20], eax
		xor	ebx, ebx
		mov	[ebp+var_10], eax
		push	edi
		mov	edi, edx
		mov	[ebp+var_14], ebx
		mov	ecx, [esi+24h]
		lea	edx, [ebp+var_C]
		add	ecx, 70h
		mov	[ebp+var_1C], edi
		push	ecx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_C], ebx
		call	CmListGetPrevElement
		test	eax, eax
		jz	loc_7351F2

loc_734E66:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+64j
		cmp	dword ptr [eax+24h], 3
		jnz	short loc_734E71
		cmp	[eax+30h], esi
		jz	short loc_734E7E

loc_734E71:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+52j
		push	ecx
		lea	edx, [ebp+var_C]
		call	CmListGetPrevElement
		test	eax, eax
		jnz	short loc_734E66

loc_734E7E:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+57j
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_7351F2
		push	ecx
		lea	ecx, [esi+70h]
		mov	[ebp+var_C], ebx
		lea	edx, [ebp+var_C]
		call	CmListGetPrevElement
		mov	[ebp+var_3C], eax
		test	eax, eax
		jz	loc_7351F2
		cmp	dword ptr [eax+24h], 2
		jnz	loc_7351F2
		cmp	[esi+9Ch], edi
		jnz	short loc_734EC9
		mov	edi, [esi+94h]
		mov	eax, [esi+98h]
		mov	[ebp+var_C], edi
		mov	[ebp+var_18], eax
		jmp	short loc_734EFE
; 

loc_734EC9:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+9Bj
		mov	eax, [esi+14h]
		lea	edx, [ebp+var_38]
		mov	ecx, [esi+10h]
		or	[ebp+var_38], 0FFFFFFFFh
		push	edx
		push	eax
		push	ecx
		mov	[ebp+var_34], ebx
		call	dword ptr [ecx+4]
		test	eax, eax
		jz	loc_7351EB
		mov	edi, [eax+24h]
		lea	ecx, [ebp+var_38]
		mov	eax, [eax+28h]
		mov	[ebp+var_18], eax
		mov	eax, [esi+10h]
		push	ecx
		push	eax
		mov	[ebp+var_C], edi
		call	dword ptr [eax+8]

loc_734EFE:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+AFj
		test	edi, edi
		jz	loc_734FED
		mov	eax, edi
		shl	eax, 2
		push	37344D43h
		push	eax
		push	1
		mov	[ebp+var_24], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_14], edi
		test	edi, edi
		jz	loc_7351EB
		push	[ebp+var_24]	; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	eax, [esi+10h]
		lea	ecx, [ebp+var_44]
		add	esp, 0Ch
		push	ecx
		push	[ebp+var_18]
		push	eax
		call	dword ptr [eax+4]
		mov	ecx, eax
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jnz	short loc_734F56

loc_734F4C:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+15Dj
		mov	edi, 0C000009Ah
		jmp	loc_735188
; 

loc_734F56:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+132j
		mov	[ebp+var_24], ebx
		cmp	[ebp+var_C], ebx
		jbe	loc_734FE2
		mov	eax, ecx
		mov	[ebp+var_8], edi
		sub	eax, edi
		mov	[ebp+var_34], eax

loc_734F6C:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+1C8j
		call	_CmpAllocateUnitOfWork@0 ; CmpAllocateUnitOfWork()
		mov	[edi], eax
		test	eax, eax
		jz	short loc_734F4C
		mov	edx, esi
		mov	ecx, eax
		call	_CmpTransEnlistUowInKcb@8 ; CmpTransEnlistUowInKcb(x,x)
		mov	edx, [ebp+var_1C]
		mov	ecx, [edi]
		call	CmpTransEnlistUowInCmTrans
		mov	edi, eax
		test	edi, edi
		js	loc_735188
		mov	edi, [ebp+var_8]
		push	ecx
		lea	ecx, [esi+84h]
		mov	edx, [edi]
		call	CmpLockIXLockIntent
		test	al, al
		jz	short loc_735005
		mov	edx, [edi]
		lea	ecx, [esi+8Ch]
		push	1
		call	CmpLockIXLockExclusive
		test	al, al
		jz	short loc_735005
		mov	eax, [edi]
		mov	dword ptr [eax+24h], 6
		mov	ecx, [edi]
		mov	eax, [ebp+var_34]
		mov	eax, [eax+edi]
		add	edi, 4
		mov	[ecx+30h], eax
		mov	eax, [ebp+var_24]
		inc	eax
		mov	[ebp+var_8], edi
		mov	[ebp+var_24], eax
		cmp	eax, [ebp+var_C]
		jb	short loc_734F6C

loc_734FE2:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+144j
		mov	eax, [esi+10h]
		lea	ecx, [ebp+var_44]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_734FED:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+E8j
		call	_CmpAllocateUnitOfWork@0 ; CmpAllocateUnitOfWork()
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	edi, edi
		jnz	short loc_73500F
		mov	edi, 0C000009Ah
		jmp	loc_735185
; 

loc_735005:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+18Fj
					; CmpUndoDeleteKeyForTransEx(x,x,x)+1A2j
		mov	edi, 0C0190001h
		jmp	loc_735188
; 

loc_73500F:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+1E1j
		mov	ecx, [esi+10h]
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	ecx, [esi+10h]
		call	_CmLockHiveSecurityExclusive@4 ; CmLockHiveSecurityExclusive(x)
		mov	edx, esi
		mov	ecx, edi
		call	_CmpTransEnlistUowInKcb@8 ; CmpTransEnlistUowInKcb(x,x)
		mov	edx, [ebp+var_1C]
		mov	ecx, edi
		call	CmpTransEnlistUowInCmTrans
		mov	edi, eax
		test	edi, edi
		js	loc_735134
		mov	edi, [ebp+var_8]
		lea	ecx, [esi+84h]
		push	ebx
		mov	edx, edi
		call	CmpLockIXLockExclusive
		test	al, al
		jnz	short loc_73505B

loc_735051:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+254j
		mov	edi, 0C0190001h
		jmp	loc_735156
; 

loc_73505B:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+237j
		push	1
		lea	ecx, [esi+8Ch]
		mov	edx, edi
		call	CmpLockIXLockExclusive
		test	al, al
		jz	short loc_735051
		or	dword ptr [edi+34h], 0FFFFFFFFh
		lea	edx, [ebp+var_4C]
		mov	dword ptr [edi+24h], 9
		mov	[edi+30h], ebx
		mov	[edi+38h], bl
		mov	eax, [esi+14h]
		mov	ecx, [esi+10h]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	edx, [esi+14h]
		lea	ecx, [ebp+var_10]
		push	ecx		; int
		mov	ecx, [esi+10h]
		push	1		; int
		push	[ebp+arg_0]	; void *
		mov	[ebp+var_30], eax
		push	1		; int
		push	eax		; int
		call	_CmpGetSecurityDescriptorNodeEx@28 ; CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7351E3
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_28]
		mov	ecx, [esi+10h]
		push	eax
		call	_CmpFindSecurityCellCacheIndex@12 ; CmpFindSecurityCellCacheIndex(x,x,x)
		test	al, al
		jz	loc_7351FE
		mov	eax, [esi+10h]
		or	[ebp+var_20], 0FFFFFFFFh
		mov	ecx, [eax+4CCh]
		mov	eax, [ebp+var_28]
		mov	eax, [ecx+eax*8+4]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_8], ebx
		mov	[ecx+30h], eax
		mov	eax, [eax]
		mov	[ecx+34h], eax
		mov	eax, [ebp+var_2C]
		mov	byte ptr [ecx+38h], 1
		mov	dword ptr [eax+24h], 0Dh
		mov	eax, [ebp+var_3C]
		mov	dword ptr [eax+24h], 0Eh
		cmp	[esi+9Ch], ebx
		jz	short loc_73511E
		mov	edx, [esi+98h]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_73511E
		mov	ecx, [esi+10h]
		call	HvFreeCell

loc_73511E:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+2F1j
					; CmpUndoDeleteKeyForTransEx(x,x,x)+2FCj
		mov	eax, [ebp+var_1C]
		or	dword ptr [esi+98h], 0FFFFFFFFh
		mov	[esi+9Ch], eax
		mov	[esi+94h], ebx

loc_735134:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+21Ej
		mov	eax, [ebp+var_20]

loc_735137:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+3CEj
		cmp	eax, 0FFFFFFFFh
		jz	short loc_735146
		mov	ecx, [esi+10h]
		mov	edx, eax
		call	_CmpDereferenceSecurityNode@8 ;	CmpDereferenceSecurityNode(x,x)

loc_735146:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+322j
		cmp	[ebp+var_30], ebx
		jz	short loc_735156
		mov	eax, [esi+10h]
		lea	ecx, [ebp+var_4C]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_735156:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+23Ej
					; CmpUndoDeleteKeyForTransEx(x,x,x)+331j
		mov	ecx, [esi+10h]
		call	_CmUnlockHiveSecurity@4	; CmUnlockHiveSecurity(x)
		mov	ecx, [esi+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		mov	eax, [ebp+var_8]
		mov	[ebp+var_18], ebx
		test	eax, eax
		jz	short loc_735188
		mov	ecx, eax
		call	CmpRundownUnitOfWork
		mov	eax, [ebp+var_8]
		push	77554D43h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_735185:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+1E8j
		mov	[ebp+var_18], ebx

loc_735188:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+139j
					; CmpUndoDeleteKeyForTransEx(x,x,x)+176j ...
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_7351CE
		test	edi, edi
		jns	short loc_7351C3
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	short loc_7351C3

loc_73519A:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+3A9j
		mov	edx, [eax+ebx*4]
		test	edx, edx
		jz	short loc_7351BE
		mov	ecx, edx
		call	CmpRundownUnitOfWork
		mov	eax, [ebp+var_14]
		push	77554D43h
		push	dword ptr [eax+ebx*4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_C]

loc_7351BE:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+387j
		inc	ebx
		cmp	ebx, ecx
		jb	short loc_73519A

loc_7351C3:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+379j
					; CmpUndoDeleteKeyForTransEx(x,x,x)+380j
		push	37344D43h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7351CE:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+375j
		cmp	[ebp+var_18], 0
		jz	short loc_7351DF
		mov	eax, [esi+10h]
		lea	ecx, [ebp+var_44]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_7351DF:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+3BAj
		mov	eax, edi
		jmp	short loc_7351F7
; 

loc_7351E3:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+294j
		mov	eax, [ebp+var_10]
		jmp	loc_735137
; 

loc_7351EB:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+C9j
					; CmpUndoDeleteKeyForTransEx(x,x,x)+10Aj
		mov	eax, 0C000009Ah
		jmp	short loc_7351F7
; 

loc_7351F2:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+48j
					; CmpUndoDeleteKeyForTransEx(x,x,x)+6Bj ...
		mov	eax, 0C0000034h

loc_7351F7:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+3C9j
					; CmpUndoDeleteKeyForTransEx(x,x,x)+3D8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7351FE:				; CODE XREF: CmpUndoDeleteKeyForTransEx(x,x,x)+2ABj
		push	[ebp+var_10]
		push	esi
		push	3
		push	4
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_CmpUndoDeleteKeyForTransEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightCommitRecreateKeyUoW(x, x, x)
_CmpLightWeightCommitRecreateKeyUoW@12 proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+8Fp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		or	[ebp+var_10], 0FFFFFFFFh
		mov	eax, ecx
		and	[ebp+var_C], 0
		lea	ecx, [ebp+var_10]
		push	ebx
		mov	[ebp+var_8], eax
		mov	eax, [eax+18h]
		push	esi
		push	edi
		push	ecx
		mov	esi, [eax+24h]
		mov	edi, edx
		mov	ebx, [eax+10h]
		mov	eax, [esi+14h]
		push	eax
		push	ebx
		call	dword ptr [ebx+4]
		mov	ecx, [edi]
		mov	[eax+4], ecx
		mov	ecx, [edi+4]
		mov	[eax+8], ecx
		mov	eax, [edi]
		mov	[esi+58h], eax
		mov	eax, [edi+4]
		add	dword ptr [esi+0A8h], 1
		mov	[esi+5Ch], eax
		lea	eax, [ebp+var_10]
		adc	dword ptr [esi+0ACh], 0
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		mov	esi, [ebp+var_8]
		push	1
		push	[ebp+arg_0]
		mov	ecx, [esi+18h]
		call	_CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs@16 ; CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs(x,x,x,x)
		mov	ecx, [esi+18h]
		push	1
		push	[ebp+arg_0]
		push	8
		pop	edx
		call	CmpFlushNotifiesOnKeyBodyList
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpLightWeightCommitRecreateKeyUoW@12 endp


;  S U B	R O U T	I N E 


; __stdcall CmpLightWeightPrepareRecreateKeyUoW(x)
_CmpLightWeightPrepareRecreateKeyUoW@4 proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+82p
		mov	eax, [ecx+18h]
		push	0
		push	0
		mov	ecx, [eax+10h]
		mov	eax, [eax+24h]
		mov	edx, [eax+14h]
		call	HvpMarkCellDirty
		movzx	eax, al
		retn
_CmpLightWeightPrepareRecreateKeyUoW@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoReDoSetEntireSecurityDescriptor(x, x)
_CmpDoReDoSetEntireSecurityDescriptor@8	proc near
					; CODE XREF: CmpDoReDoRecord(x,x):loc_951E1Cp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, edx
		push	eax
		push	10C0000h
		lea	edx, [edi+20h]
		call	_CmpDoReOpenTransKey@16	; CmpDoReOpenTransKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7352EA
		push	dword ptr [edi+2Ch]
		push	10180h
		push	[ebp+var_4]
		call	_ZwSetSecurityObject@12	; ZwSetSecurityObject(x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_7352EA:				; CODE XREF: CmpDoReDoSetEntireSecurityDescriptor(x,x)+24j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_CmpDoReDoSetEntireSecurityDescriptor@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpLoadDifferencingHive(x, x, x, x,	x, x, x, x)
_VrpLoadDifferencingHive@32 proc near	; CODE XREF: VrpHandleIoctlLoadDifferencingHive+1BBp
					; VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+159p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_18], edx
		push	6
		pop	edx
		xor	eax, eax
		mov	[ebp+var_14], ebx
		mov	ecx, edx
		lea	edi, [ebp+var_60]
		rep stosd
		mov	ecx, edx
		lea	edi, [ebp+var_48]
		rep stosd
		mov	ecx, edx
		lea	edi, [ebp+var_78]
		rep stosd
		mov	ecx, edx
		lea	edi, [ebp+var_30]
		rep stosd
		xor	ecx, ecx
		mov	[ebp+var_1], cl
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], ecx
		cmp	[ebp+arg_10], eax
		jz	short loc_735388
		cmp	[ebp+arg_8], eax
		jz	short loc_735346
		mov	edi, 0C000000Dh
		jmp	loc_7355D1
; 

loc_735346:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+4Aj
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], 18h
		push	eax
		push	20019h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_2C], ecx
		push	eax
		mov	[ebp+var_24], 240h
		mov	[ebp+var_28], (offset loc_403A2F+5)
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7355B5
		mov	eax, [ebp+var_C]
		xor	ecx, ecx
		mov	[ebp+var_10], eax

loc_735388:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+45j
		mov	edi, ecx
		call	_VrpLockDiffHiveTableShared@0 ;	VrpLockDiffHiveTableShared()
		mov	ecx, ebx
		call	VrpFindDiffHiveEntryForMountPointWithLock
		xor	ebx, ebx
		mov	esi, eax
		inc	ebx
		test	esi, esi
		jz	short loc_7353B9

loc_73539F:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+FBj
		mov	eax, ebx
		lock xadd [esi+8], eax
		inc	eax
		cmp	eax, ebx
		jg	loc_735445
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_735445
; 

loc_7353B9:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+ADj
		call	_VrpUnlockDiffHiveTable@0 ; VrpUnlockDiffHiveTable()
		mov	esi, [ebp+var_14]
		mov	ecx, esi
		mov	edx, [ebp+var_18]
		call	_VrpAllocateDiffHiveEntry@8 ; VrpAllocateDiffHiveEntry(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_7353DB
		mov	edi, 0C000009Ah
		jmp	loc_7355B5
; 

loc_7353DB:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+DFj
		call	_VrpLockDiffHiveTableExclusive@0 ; VrpLockDiffHiveTableExclusive()
		mov	ecx, esi
		call	VrpFindDiffHiveEntryForMountPointWithLock
		mov	esi, eax
		test	esi, esi
		jnz	short loc_73539F
		mov	ecx, dword_6CDC94
		or	edx, 0FFFFFFFFh
		mov	esi, ecx
		and	ecx, 1Fh
		shl	edx, cl
		and	edx, [edi+4]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+arg_10], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		shr	esi, 5
		add	ecx, eax
		movzx	eax, byte ptr [ebp+arg_10+2]
		imul	ecx, 25h
		lea	edx, [esi-1]
		mov	esi, edi
		add	ecx, eax
		movzx	eax, byte ptr [ebp+arg_10+3]
		imul	ecx, 25h
		add	ecx, eax
		and	edx, ecx
		mov	ecx, dword_6CDC98
		mov	eax, [ecx+edx*4]
		mov	[edi], eax
		mov	[ecx+edx*4], edi
		inc	_gLoadedDiffHives
		xor	edi, edi

loc_735445:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+B9j
					; VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+C4j
		call	_VrpUnlockDiffHiveTable@0 ; VrpUnlockDiffHiveTable()
		test	edi, edi
		jz	short loc_735459
		push	67655256h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_735459:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+15Cj
		mov	ecx, esi
		call	_VrpLockDiffHiveEntry@4	; VrpLockDiffHiveEntry(x)
		mov	ecx, esi
		call	_VrpIncrementDiffHiveEntryHardRefCount@4 ; VrpIncrementDiffHiveEntryHardRefCount(x)
		xor	edi, edi
		test	[esi+1Ch], bl
		jnz	loc_7355A7

loc_735472:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+1A4j
		test	[esi+1Ch], bl
		jnz	loc_735589
		mov	ecx, esi
		call	_VrpBecomeDiffHiveEntryTransitionOwner@4 ; VrpBecomeDiffHiveEntryTransitionOwner(x)
		mov	[ebp+var_1], al
		test	al, al
		jnz	short loc_7354A7
		mov	ecx, esi
		call	_VrpWaitForDiffHiveEntryTransitionOwnerToLeave@4 ; VrpWaitForDiffHiveEntryTransitionOwnerToLeave(x)
		inc	edi
		cmp	edi, 2
		jb	short loc_735472
		test	[esi+1Ch], bl
		jnz	loc_735589
		mov	edi, [esi+20h]
		jmp	loc_7355A0
; 

loc_7354A7:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+197j
		test	[esi+1Ch], bl
		jnz	loc_735589
		mov	ecx, esi
		call	_VrpUnlockDiffHiveEntry@4 ; VrpUnlockDiffHiveEntry(x)
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		cmp	[eax], cx
		jz	short loc_735501
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_48], 18h
		push	eax
		mov	[ebp+var_44], ecx
		mov	[ebp+var_3C], 240h
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_735569
		cmp	[ebp+arg_8], 0
		jz	short loc_735501
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_10], ecx
		jmp	short loc_735504
; 

loc_735501:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+1CFj
					; VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+207j
		mov	ecx, [ebp+var_8]

loc_735504:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+20Fj
		mov	eax, [ebp+var_14]
		xor	edx, edx
		cmp	[ebp+arg_C], edx
		push	18h
		pop	edi
		push	edx
		push	[ebp+arg_14]
		mov	[ebp+var_70], eax
		mov	eax, [ebp+var_18]
		mov	[ebp+var_58], eax
		setnz	al
		movzx	eax, al
		push	eax
		push	ecx
		push	edx
		push	edx
		push	edx
		push	edx
		push	[ebp+var_10]
		mov	[ebp+var_74], edx
		lea	ecx, [ebp+var_78]
		push	[ebp+arg_4]
		mov	[ebp+var_68], edx
		mov	[ebp+var_64], edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], edx
		lea	edx, [ebp+var_60]
		mov	[ebp+var_78], edi
		mov	[ebp+var_6C], 240h
		mov	[ebp+var_60], edi
		mov	[ebp+var_54], 240h
		call	CmLoadDifferencingKey
		mov	edi, eax
		test	edi, edi
		js	short loc_735569
		xor	eax, eax
		mov	edi, eax

loc_735569:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+201j
					; VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+273j
		mov	ecx, esi
		call	_VrpLockDiffHiveEntry@4	; VrpLockDiffHiveEntry(x)
		mov	eax, [esi+1Ch]
		mov	ecx, edi
		not	ecx
		mov	[esi+20h], edi
		shr	ecx, 1Fh
		and	eax, 0FFFFFFFEh
		or	ecx, eax
		mov	[esi+1Ch], ecx
		test	edi, edi
		js	short loc_73558F

loc_735589:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+185j
					; VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+1A9j ...
		xor	eax, eax
		mov	edi, eax
		mov	bl, al

loc_73558F:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+297j
		cmp	[ebp+var_1], 0
		jz	short loc_73559C
		mov	ecx, esi
		call	_VrpRelinquishDiffHiveEntryTransitionOwner@4 ; VrpRelinquishDiffHiveEntryTransitionOwner(x)

loc_73559C:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+2A3j
		test	bl, bl
		jz	short loc_7355A7

loc_7355A0:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+1B2j
		mov	ecx, esi
		call	_VrpDecrementDiffHiveEntryHardRefCount@4 ; VrpDecrementDiffHiveEntryHardRefCount(x)

loc_7355A7:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+17Cj
					; VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+2AEj
		mov	ecx, esi
		call	_VrpUnlockDiffHiveEntry@4 ; VrpUnlockDiffHiveEntry(x)
		mov	ecx, esi
		call	VrpDereferenceDiffHiveEntry

loc_7355B5:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+8Aj
					; VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+E6j
		cmp	[ebp+var_8], 0
		jz	short loc_7355C3
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_7355C3:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+2C9j
		cmp	[ebp+var_C], 0
		jz	short loc_7355D1
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_7355D1:				; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+51j
					; VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+2D7j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_VrpLoadDifferencingHive@32 endp

; 
		align 10h
; Exported entry 495. FsRtlCheckOplockForFsFilterCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlCheckOplockForFsFilterCallback(x, x, x)
		public _FsRtlCheckOplockForFsFilterCallback@12
_FsRtlCheckOplockForFsFilterCallback@12	proc near

var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B5		= dword	ptr -0B5h
var_9C		= dword	ptr -9Ch
var_90		= dword	ptr -90h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	0D0h
		push	offset dword_6A7E30
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_BC], ecx
		xor	ebx, ebx
		mov	[ebp+var_C8], ebx
		mov	esi, [eax]
		mov	[ebp+var_CC], esi
		test	[ebp+arg_8], 0FFFFFFF7h
		jz	short loc_73561E
		mov	eax, 0C000000Dh
		jmp	loc_7357C8
; 

loc_73561E:				; CODE XREF: FsRtlCheckOplockForFsFilterCallback(x,x,x)+32j
		test	esi, esi
		jz	loc_7357C6
		mov	byte ptr [ebp+var_B5], bl
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [esi+4Ch]
		call	ExAcquireFastMutexUnsafe
		mov	byte ptr [ebp+var_B5], 1
		mov	eax, [esi+48h]
		mov	[ebp+var_C4], eax
		test	eax, 7000h
		jz	loc_7357BA
		push	9
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_B5+1]
		rep stosd
		mov	byte ptr [ebp+var_B5+1], 4
		mov	ecx, [ebp+var_BC]
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_9C], eax
		cmp	byte ptr [ecx+4], 0FFh
		jnz	loc_7357BA
		cmp	dword ptr [ecx+10h], 1
		jnz	loc_7357BA
		mov	eax, [ecx+14h]
		mov	[ebp+var_C0], eax
		test	al, 44h
		jz	loc_7357BA
		cmp	dword_6B2398, 5
		jbe	loc_735774
		push	4000h
		push	ebx
		mov	edi, offset dword_6B2398
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_735774
		xor	edx, edx
		inc	edx
		mov	[ebp+var_D8], edx
		mov	[ebp+var_D4], ebx
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], ebx
		push	8
		pop	ecx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_BC], edx
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], ebx
		push	4
		pop	edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], ebx
		mov	eax, [ebp+var_C0]
		mov	[ebp+var_C0], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], ebx
		mov	eax, [ebp+var_C4]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_E0], 1000000h
		mov	[ebp+var_DC], ebx
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ebx
		lea	eax, [ebp+var_90]
		push	eax
		push	7
		push	ecx
		mov	edx, offset loc_41B5FF
		mov	ecx, edi
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)

loc_735774:				; CODE XREF: FsRtlCheckOplockForFsFilterCallback(x,x,x)+C1j
					; FsRtlCheckOplockForFsFilterCallback(x,x,x)+DBj
		cmp	byte ptr [ebp+var_B5], 0
		jnz	short loc_73578C
		mov	ecx, [esi+4Ch]
		call	ExAcquireFastMutexUnsafe
		mov	byte ptr [ebp+var_B5], 1

loc_73578C:				; CODE XREF: FsRtlCheckOplockForFsFilterCallback(x,x,x)+19Bj
		push	ebx
		lea	eax, [ebp+var_B5]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	5000h
		push	ebx
		push	[ebp+arg_8]
		push	ebx
		lea	edx, [ebp+var_B5+1]
		mov	ecx, esi
		call	_FsRtlpOplockBreakByCacheFlags@60 ; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_C8], ebx

loc_7357BA:				; CODE XREF: FsRtlCheckOplockForFsFilterCallback(x,x,x)+6Cj
					; FsRtlCheckOplockForFsFilterCallback(x,x,x)+99j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7357E6

loc_7357C6:				; CODE XREF: FsRtlCheckOplockForFsFilterCallback(x,x,x)+40j
		mov	eax, ebx

loc_7357C8:				; CODE XREF: FsRtlCheckOplockForFsFilterCallback(x,x,x)+39j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_FsRtlCheckOplockForFsFilterCallback@12	endp


;  S U B	R O U T	I N E 


sub_7357DA	proc near		; DATA XREF: .text:006A7E48o
		mov	ebx, [ebp-0C8h]
		mov	esi, [ebp-0CCh]
sub_7357DA	endp


;  S U B	R O U T	I N E 


sub_7357E6	proc near		; CODE XREF: FsRtlCheckOplockForFsFilterCallback(x,x,x)+1E1p
		cmp	byte ptr [ebp-0B5h], 0
		jz	short locret_7357F7
		mov	ecx, [esi+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

locret_7357F7:				; CODE XREF: sub_7357E6+7j
		retn
sub_7357E6	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 764. IoCheckFileObjectOpenedAsCopyDestination

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCheckFileObjectOpenedAsCopyDestination(x)
		public _IoCheckFileObjectOpenedAsCopyDestination@4
_IoCheckFileObjectOpenedAsCopyDestination@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	40h
		pop	edx
		call	_IopCheckFileObjectExtensionFlag@8 ; IopCheckFileObjectExtensionFlag(x,x)
		pop	ebp
		retn	4
_IoCheckFileObjectOpenedAsCopyDestination@4 endp

; 
		align 8
; Exported entry 765. IoCheckFileObjectOpenedAsCopySource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCheckFileObjectOpenedAsCopySource(x)
		public _IoCheckFileObjectOpenedAsCopySource@4
_IoCheckFileObjectOpenedAsCopySource@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	20h
		pop	edx
		call	_IopCheckFileObjectExtensionFlag@8 ; IopCheckFileObjectExtensionFlag(x,x)
		pop	ebp
		retn	4
_IoCheckFileObjectOpenedAsCopySource@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopExceptionCleanupEx(x, x,	x, x, x)
_IopExceptionCleanupEx@20 proc near	; CODE XREF: .text:00522897p
					; IopFreeCopyObjectsFromDataBuffer(x,x)+2Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_735847
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_735847:				; CODE XREF: IopExceptionCleanupEx(x,x,x,x,x)+11j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_735854
		push	eax
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_735854:				; CODE XREF: IopExceptionCleanupEx(x,x,x,x,x)+20j
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		cmp	[ebp+arg_8], 0
		jz	short loc_735867
		mov	ecx, edi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_735867:				; CODE XREF: IopExceptionCleanupEx(x,x,x,x,x)+32j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_735873
		call	ObfDereferenceObject

loc_735873:				; CODE XREF: IopExceptionCleanupEx(x,x,x,x,x)+40j
		cmp	[ebp+arg_4], 0
		jz	short loc_735883
		push	0
		push	[ebp+arg_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_735883:				; CODE XREF: IopExceptionCleanupEx(x,x,x,x,x)+4Bj
		mov	ecx, edi
		call	ObfDereferenceObject
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	0Ch
_IopExceptionCleanupEx@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall IopCopyOverNewPathSecure(void *,void *,int,int,int)
_IopCopyOverNewPathSecure@20 proc near	; CODE XREF: IopGraftName(x,x,x)+540p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], 2
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edi
		test	ax, ax
		jz	short loc_7358C3
		movzx	esi, ax
		push	esi		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		shr	esi, 1
		lea	esi, [edi+esi*2]

loc_7358C3:				; CODE XREF: IopCopyOverNewPathSecure(x,x,x,x,x)+1Cj
		mov	eax, [ebp+arg_8]
		mov	ebx, [ebp+arg_4]
		test	ax, ax
		jz	short loc_735929
		movzx	ecx, word ptr [ebx+30h]
		mov	[ebp+var_8], ecx
		cmp	ax, cx
		jbe	short loc_7358E1
		mov	eax, 0C0000280h
		jmp	short loc_73595A
; 

loc_7358E1:				; CODE XREF: IopCopyOverNewPathSecure(x,x,x,x,x)+46j
		mov	ecx, [ebx+34h]
		movzx	edx, ax
		mov	eax, [ebp+var_8]
		sub	ecx, edx
		movzx	eax, ax
		add	ecx, eax
		mov	[ebp+var_C], edx
		cmp	esi, edi
		jbe	short loc_735916
		push	5Ch
		pop	ebx
		cmp	[esi-2], bx
		mov	ebx, [ebp+arg_4]
		jnz	short loc_735916
		push	5Ch
		pop	ebx
		cmp	[ecx], bx
		mov	ebx, [ebp+arg_4]
		jnz	short loc_735916
		add	esi, 0FFFFFFFEh
		and	[ebp+var_4], 0

loc_735916:				; CODE XREF: IopCopyOverNewPathSecure(x,x,x,x,x)+64j
					; IopCopyOverNewPathSecure(x,x,x,x,x)+70j ...
		push	edx		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memmove
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		shr	eax, 1
		lea	esi, [esi+eax*2]

loc_735929:				; CODE XREF: IopCopyOverNewPathSecure(x,x,x,x,x)+3Aj
		mov	eax, [ebp+arg_0]
		add	eax, [ebp+var_4]
		add	eax, [ebp+arg_8]
		mov	[ebx+32h], ax
		add	eax, 0FFFFFFFEh
		mov	[ebx+30h], ax
		xor	eax, eax
		mov	[esi], ax
		mov	eax, [ebx+34h]
		cmp	edi, eax
		jz	short loc_735958
		test	eax, eax
		jz	short loc_735955
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_735955:				; CODE XREF: IopCopyOverNewPathSecure(x,x,x,x,x)+B9j
		mov	[ebx+34h], edi

loc_735958:				; CODE XREF: IopCopyOverNewPathSecure(x,x,x,x,x)+B5j
		xor	eax, eax

loc_73595A:				; CODE XREF: IopCopyOverNewPathSecure(x,x,x,x,x)+4Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_IopCopyOverNewPathSecure@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1509. NtCopyFileChunk

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCopyFileChunk(x, x, x, x,	x, x, x, x, x, x)
		public _NtCopyFileChunk@40
_NtCopyFileChunk@40 proc near		; DATA XREF: .text:00581184o

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		push	74h
		push	offset dword_6A8088
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_5C], edi
		mov	[ebp+var_58], edi
		mov	[ebp+var_6C], edi
		mov	[ebp+var_68], edi
		mov	[ebp+var_44], edi
		or	[ebp+var_28], 0FFFFFFFFh
		mov	[ebp+var_34], edi
		mov	[ebp+var_48], edi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	[ebp+var_19], bl
		mov	byte ptr [ebp+var_3C], bl
		cmp	[ebp+arg_24], edi
		jz	short loc_7359AE
		mov	eax, 0C000000Dh
		jmp	loc_735B8D
; 

loc_7359AE:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+3Cj
		mov	[ebp+var_4C], edi
		lea	eax, [ebp+var_4C]
		push	eax
		push	30h
		pop	edx
		mov	ecx, [ebp+arg_10]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		js	loc_735B8B
		test	bl, bl
		jz	short loc_735A4B
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+arg_14]
		mov	edx, ecx
		test	cl, 3
		jnz	loc_735D74
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_7359ED
		mov	edx, eax

loc_7359ED:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+83j
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	[ebp+var_64], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_60], eax
		mov	ebx, [ebp+arg_C]
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_735A0B
		mov	ecx, eax

loc_735A0B:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+A1j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [ebx]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_5C], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_30], eax
		mov	[ebp+var_58], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_735A6D
; 

loc_735A29:				; DATA XREF: .text:006A809Co
		lea	edx, [ebp+var_20]
		mov	ecx, [ebp+ms_exc.exc_ptr]
		call	_IopExceptionFilter@8 ;	IopExceptionFilter(x,x)
		retn
; 

loc_735A35:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x):loc_735D38j
					; DATA XREF: .text:006A80A0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	edi, edi
		mov	esi, [ebp+var_20]
		mov	eax, edi
		jmp	loc_735B63
; 

loc_735A4B:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+69j
		mov	eax, [ebp+arg_14]
		mov	ecx, [eax]
		mov	[ebp+var_64], ecx
		mov	eax, [eax+4]
		mov	[ebp+var_60], eax
		mov	ebx, [ebp+arg_C]
		mov	eax, [ebx]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_5C], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_30], eax
		mov	[ebp+var_58], eax

loc_735A6D:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+C1j
		push	70436F49h
		mov	eax, [ebp+arg_10]
		add	eax, 30h
		push	eax
		push	edi
		push	43h
		call	_ExAllocatePool2@16 ; ExAllocatePool2(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_735A91
		mov	esi, 0C000009Ah
		jmp	loc_735B63
; 

loc_735A91:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+11Fj
		mov	[ebp+arg_24], esi
		push	30h		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		add	esi, 30h
		mov	[ebp+arg_C], esi
		mov	[ebp+var_24], esi
		mov	eax, [ebp+var_64]
		mov	ecx, [ebp+arg_24]
		mov	[ecx+28h], eax
		mov	eax, [ebp+var_60]
		mov	[ecx+2Ch], eax
		lea	eax, [ecx+20h]
		mov	[ebp+var_50], eax
		push	edi
		push	eax
		push	[ebp+var_3C]
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+arg_0]
		call	IopReferenceFileObject
		mov	esi, eax
		test	esi, esi
		js	loc_735B60
		mov	eax, [ebp+arg_24]
		add	eax, 18h
		lea	ecx, [ebp+var_6C]
		push	ecx
		push	eax
		mov	dl, [ebp+var_19]
		mov	ecx, [ebp+arg_4]
		call	ObReferenceFileObjectForWrite
		mov	esi, eax
		test	esi, esi
		js	short loc_735B60
		mov	eax, [ebp+arg_24]
		mov	ecx, [eax+18h]
		call	IopFileObjectRevoked
		test	al, al
		jz	short loc_735B08
		mov	esi, 0C0000910h

loc_735B08:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+19Bj
		test	esi, esi
		js	short loc_735B60
		mov	edx, [ebp+arg_24]
		mov	ecx, [edx+18h]
		mov	eax, [ecx+2Ch]
		mov	esi, eax
		and	esi, 2
		mov	[ebp+arg_4], esi
		shr	eax, 2
		and	al, 1
		mov	byte ptr [ebp+var_54], al
		lea	eax, [edx+10h]
		mov	[ebp+arg_0], eax
		push	eax
		push	[ebp+var_68]
		push	[ebp+arg_20]
		push	[ebp+arg_18]
		neg	esi
		sbb	eax, eax
		not	eax
		and	eax, [ebp+arg_8]
		push	eax
		lea	eax, [edx+20h]
		push	eax
		push	ecx
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		mov	edx, ebx
		call	_IopPopulateCopyWriteWorkerData@44 ; IopPopulateCopyWriteWorkerData(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jns	short loc_735B9F
		mov	eax, [ebp+arg_24]
		mov	[eax+18h], edi

loc_735B60:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+16Cj
					; NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+18Cj ...
		mov	eax, [ebp+arg_C]

loc_735B63:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+E0j
					; NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+126j ...
		test	eax, eax
		jz	short loc_735B70
		mov	dl, 1
		mov	ecx, eax
		call	_IopFreeCopyObjectsFromDataBuffer@8 ; IopFreeCopyObjectsFromDataBuffer(x,x)

loc_735B70:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+1FFj
		cmp	[ebp+var_28], 0FFFFFFFFh
		jz	short loc_735B7F
		push	edi
		push	[ebp+var_28]
		call	ObCloseHandle

loc_735B7F:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+20Ej
		mov	ecx, [ebp+var_34]
		test	ecx, ecx
		jz	short loc_735B8B
		call	ObfDereferenceObject

loc_735B8B:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+61j
					; NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+21Ej
		mov	eax, esi

loc_735B8D:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+43j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	28h
; 

loc_735B9F:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+1F2j
		cmp	[ebp+arg_4], 0
		jz	loc_735C5D
		mov	[ebp+var_84], 18h
		mov	[ebp+var_80], edi
		mov	[ebp+var_78], 200h
		mov	[ebp+var_7C], edi
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], edi
		push	edi
		push	1
		lea	eax, [ebp+var_84]
		push	eax
		push	1F0003h
		lea	eax, [ebp+var_28]
		push	eax
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_735B60
		mov	eax, ds:_ExEventObjectType
		mov	[ebp+var_38], edi
		push	edi
		lea	ecx, [ebp+var_38]
		push	ecx
		push	edi
		push	eax
		push	edi
		push	[ebp+var_28]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	ecx, [ebp+var_38]
		mov	[ebp+var_44], ecx
		mov	[ebp+var_20], esi
		test	esi, esi
		js	loc_735B60
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		mov	[eax+2Ch], ecx
		cmp	[ebp+arg_8], 0
		jz	short loc_735C55
		mov	eax, ds:_ExEventObjectType
		mov	[ebp+var_40], edi
		push	edi
		lea	ecx, [ebp+var_40]
		push	ecx
		push	[ebp+var_3C]
		push	eax
		push	2
		push	[ebp+arg_8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_40]
		mov	[ebp+var_34], eax
		mov	[ebp+var_20], esi
		test	esi, esi
		js	loc_735B60
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_735C55:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+2B9j
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		mov	[ebp+var_48], eax

loc_735C5D:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+23Dj
		cmp	[ebp+var_19], 0
		jz	short loc_735CA1
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_2C]
		mov	[ebx], eax
		mov	eax, [ebp+var_30]
		mov	[ebx+4], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_735CAC
; 

loc_735C7E:				; DATA XREF: .text:006A80A8o
		lea	edx, [ebp+var_20]
		mov	ecx, [ebp+ms_exc.exc_ptr]
		call	_IopExceptionFilter@8 ;	IopExceptionFilter(x,x)
		retn
; 

loc_735C8A:				; DATA XREF: .text:006A80ACo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	edi, edi
		mov	esi, [ebp+var_20]
		mov	eax, [ebp+var_24]
		jmp	loc_735B63
; 

loc_735CA1:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+2FBj
		mov	eax, [ebp+var_2C]
		mov	[ebx], eax
		mov	eax, [ebp+var_30]
		mov	[ebx+4], eax

loc_735CAC:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+316j
		mov	esi, [ebp+var_50]
		mov	ecx, [esi]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		push	esi
		push	40000000h
		push	[ebp+arg_1C]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ebx
		push	edi
		push	edi
		mov	edx, [ebp+arg_8]
		mov	ecx, [esi]
		call	_IopReadFile@44	; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, edi
		mov	[ebp+arg_C], eax
		test	esi, esi
		js	loc_735B63
		cmp	[ebp+arg_4], eax
		jz	short loc_735D62
		push	[ebp+var_44]
		push	[ebp+var_54]
		mov	dl, [ebp+var_19]
		mov	ecx, [ebp+var_48]
		call	_IopWaitForSynchronousIoEvent@16 ; IopWaitForSynchronousIoEvent(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		js	short loc_735D4A
		cmp	[ebp+var_19], 0
		jz	short loc_735D3D
		mov	[ebp+ms_exc.disabled], 2
		call	_KeIsCetCapable@0 ; KeIsCetCapable()
		test	al, al
		mov	eax, [ebx]
		jz	short loc_735D1D
		mov	eax, [eax]

loc_735D1D:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+3B3j
		mov	[ebp+var_20], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_20]
		jmp	short loc_735D4A
; 

loc_735D2C:				; DATA XREF: .text:006A80B4o
		lea	edx, [ebp+var_20]
		mov	ecx, [ebp+ms_exc.exc_ptr]
		call	_IopExceptionFilter@8 ;	IopExceptionFilter(x,x)
		retn
; 

loc_735D38:				; DATA XREF: .text:006A80B8o
		jmp	loc_735A35
; 

loc_735D3D:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+3A1j
		mov	esi, [ebx]
		call	_KeIsCetCapable@0 ; KeIsCetCapable()
		test	al, al
		jz	short loc_735D4A
		mov	esi, [esi]

loc_735D4A:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+39Bj
					; NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+3C4j ...
		mov	ecx, [ebp+var_34]
		test	ecx, ecx
		jz	loc_735B60
		push	edi
		push	edi
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_735B60
; 

loc_735D62:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+381j
		test	esi, esi
		js	loc_735B63
		mov	esi, 103h
		jmp	loc_735B63
; 

loc_735D74:				; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+76j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
_NtCopyFileChunk@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopReadFile(x, x, x, x, x, x, x, x,	x, x, x)
_IopReadFile@44	proc near		; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+36Ap
					; NtReadFile(x,x,x,x,x,x,x,x,x)+57p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1F		= byte ptr -1Fh
var_1E		= dword	ptr -1Eh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		push	5Ch
		push	offset dword_6A8188
		call	__SEH_prolog4
		mov	[ebp+var_3C], edx
		mov	edi, ecx
		mov	[ebp+var_24], edi
		xor	ebx, ebx
		mov	esi, ebx
		mov	[ebp+var_30], esi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_1F], 1
		mov	eax, large fs:124h
		mov	[ebp+var_4C], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_1E+1], al
		mov	byte ptr [ebp+var_44], al
		test	byte ptr [edi+2Ch], 2
		jz	short loc_735DCC
		cmp	[ebp+arg_1C], ebx
		mov	byte ptr [ebp+var_2C], 1
		jge	short loc_735DCF

loc_735DCC:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+47j
		mov	byte ptr [ebp+var_2C], bl

loc_735DCF:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+50j
		mov	eax, [ebp+arg_1C]
		and	eax, 40000000h
		mov	[ebp+var_58], eax
		setz	al
		mov	byte ptr [ebp+var_5C], al
		push	edi
		call	IoGetRelatedDeviceObject
		mov	edx, eax
		mov	[ebp+arg_1C], edx
		cmp	byte ptr [ebp+var_1E+1], bl
		jz	loc_735EA9
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [ebp+arg_8]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_735E05
		mov	ecx, eax

loc_735E05:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+87j
		mov	eax, [ecx]
		mov	[ecx], eax
		cmp	[ebp+arg_20], 0
		jnz	short loc_735E1C
		push	1
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_735E1C:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+93j
		cmp	[edi+6Ch], ebx
		jz	short loc_735E3D
		cmp	[ebp+arg_0], 0
		jz	short loc_735E3D
		mov	[ebp+var_34], 0C000000Dh
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_735E35:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+12Dj
		mov	edi, [ebp+var_34]
		jmp	loc_7362E5
; 

loc_735E3D:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+A5j
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+ABj
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jz	short loc_735E68
		mov	edx, ecx
		test	cl, 3
		jnz	loc_7363EC
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_735E5A
		mov	edx, eax

loc_735E5A:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+DCj
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	[ebp+var_64], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_60], eax

loc_735E68:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+C8j
		mov	eax, [ebp+arg_18]
		test	eax, eax
		jz	short loc_735E81
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		jb	short loc_735E7B
		mov	eax, edx

loc_735E7B:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+FDj
		nop
		mov	eax, [eax]
		mov	[ebp+var_38], eax

loc_735E81:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+F3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+arg_1C]
		jmp	short loc_735EC7
; 

loc_735E8D:				; DATA XREF: .text:006A819Co
		lea	edx, [ebp+var_34]
		mov	ecx, [ebp+ms_exc.exc_ptr]
		call	_IopExceptionFilter@8 ;	IopExceptionFilter(x,x)
		retn
; 

loc_735E99:				; DATA XREF: .text:006A81A0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, ebx
		jmp	short loc_735E35
; 

loc_735EA9:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+74j
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jz	short loc_735EBB
		mov	eax, [ecx]
		mov	[ebp+var_64], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_60], eax

loc_735EBB:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+134j
		mov	eax, [ebp+arg_18]
		test	eax, eax
		jz	short loc_735EC7
		mov	eax, [eax]
		mov	[ebp+var_38], eax

loc_735EC7:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+111j
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+146j
		cmp	byte ptr [ebp+var_1E+1], 0
		jz	short loc_735F46
		test	byte ptr [edi+2Ch], 8
		jz	short loc_735F46
		movzx	eax, word ptr [edx+0ACh]
		mov	[ebp+var_40], eax
		test	ax, ax
		jz	short loc_735EF2
		movzx	edx, ax
		mov	[ebp+arg_18], edx
		lea	eax, [edx-1]
		test	[ebp+arg_10], eax
		jnz	short loc_735F05
		jmp	short loc_735EF4
; 

loc_735EF2:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+166j
		mov	edx, ebx

loc_735EF4:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+176j
		mov	[ebp+arg_18], edx
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_1C]
		test	[ecx+5Ch], eax
		mov	ecx, [ebp+arg_14]
		jz	short loc_735F33

loc_735F05:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+174j
		cmp	word ptr [ebp+var_40], 0
		jz	short loc_735F18
		mov	eax, [ebp+arg_10]
		xor	edx, edx
		div	[ebp+arg_18]
		test	edx, edx
		jnz	short loc_735F29

loc_735F18:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+190j
		mov	edx, [ebp+arg_18]
		mov	eax, [ebp+arg_C]
		mov	edi, [ebp+arg_1C]
		test	[edi+5Ch], eax
		mov	edi, [ebp+var_24]
		jz	short loc_735F33

loc_735F29:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+19Cj
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+1CAj ...
		mov	edi, 0C000000Dh
		jmp	loc_7362E5
; 

loc_735F33:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+189j
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+1ADj
		test	ecx, ecx
		jz	short loc_735F46
		cmp	word ptr [ebp+var_40], 0
		jz	short loc_735F46
		lea	eax, [edx-1]
		test	[ebp+var_64], eax
		jnz	short loc_735F29

loc_735F46:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+151j
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+157j ...
		cmp	[ebp+var_3C], 0
		jz	short loc_735F80
		mov	eax, ds:_ExEventObjectType
		mov	[ebp+var_40], ebx
		push	ebx
		lea	ecx, [ebp+var_40]
		push	ecx
		push	[ebp+var_44]
		push	eax
		push	2
		push	[ebp+var_3C]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_40]
		mov	[ebp+var_28], eax
		test	edi, edi
		js	loc_7362E5
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	edi, [ebp+var_24]

loc_735F80:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+1D0j
		mov	eax, [ebp+arg_1C]
		mov	eax, [eax+8]
		mov	eax, [eax+28h]
		mov	[ebp+var_40], eax
		cmp	byte ptr [ebp+var_2C], 0
		jz	loc_73615B
		mov	eax, [edi+2Ch]
		and	eax, 4
		mov	[ebp+arg_18], eax
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	ebx
		lea	ecx, [edi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	byte ptr [ebp+var_1E], bl
		xor	edx, edx
		inc	edx
		lea	ecx, [edi+44h]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	short loc_735FD1
		test	eax, eax
		jz	short loc_735FC6
		or	byte ptr [eax+0Eh], 1

loc_735FC6:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+246j
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edi, ebx
		jmp	short loc_735FED
; 

loc_735FD1:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+242j
		lea	ecx, [ebp+var_1E]
		push	ecx
		push	eax
		cmp	[ebp+arg_18], 0
		setnz	al
		movzx	eax, al
		push	eax
		mov	dl, byte ptr [ebp+var_1E+1]
		mov	ecx, edi
		call	IopWaitAndAcquireFileObjectLock
		mov	edi, eax

loc_735FED:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+255j
		cmp	byte ptr [ebp+var_1E], 0
		jz	short loc_736008
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	loc_7362E5
		call	ObfDereferenceObject
		jmp	loc_7362E5
; 

loc_736008:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+277j
		cmp	[ebp+arg_14], 0
		jz	short loc_73601A
		cmp	[ebp+var_64], 0FFFFFFFEh
		jnz	short loc_73602B
		cmp	[ebp+var_60], 0FFFFFFFFh
		jnz	short loc_73602B

loc_73601A:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+292j
		mov	edi, [ebp+var_24]
		mov	eax, [edi+38h]
		mov	[ebp+var_64], eax
		mov	eax, [edi+3Ch]
		mov	[ebp+var_60], eax
		jmp	short loc_73602E
; 

loc_73602B:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+298j
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+29Ej
		mov	edi, [ebp+var_24]

loc_73602E:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+2AFj
		cmp	[edi+18h], ebx
		jz	loc_73617F
		cmp	[ebp+arg_20], 0
		jnz	loc_73617F
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_68], ebx
		mov	eax, [ebp+var_40]
		mov	eax, [eax+8]
		mov	[ebp+var_40], eax
		cmp	[ebp+var_60], 0
		jge	short loc_73606E
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_736062
		call	ObfDereferenceObject

loc_736062:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+2E1j
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+421j
		mov	ecx, edi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)
		jmp	loc_735F29
; 

loc_73606E:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+2DAj
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_736081
		call	_VfFastIoSnapState@0 ; VfFastIoSnapState()
		mov	[ebp+arg_18], eax
		jmp	short loc_736084
; 

loc_736081:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+2FBj
		mov	[ebp+arg_18], ebx

loc_736084:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+305j
		push	[ebp+arg_1C]
		lea	eax, [ebp+var_6C]
		push	eax
		push	[ebp+arg_C]
		push	[ebp+var_38]
		push	1
		push	[ebp+arg_10]
		lea	eax, [ebp+var_64]
		push	eax
		push	edi
		call	[ebp+var_40]
		mov	byte ptr [ebp+arg_14+3], al
		mov	eax, [ebp+arg_18]
		test	eax, eax
		jz	short loc_7360B2
		mov	edx, [ebp+var_40]
		mov	ecx, eax
		call	_VfFastIoCheckState@8 ;	VfFastIoCheckState(x,x)

loc_7360B2:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+32Cj
		cmp	byte ptr [ebp+arg_14+3], 0
		jz	loc_73617F
		mov	eax, [ebp+var_6C]
		test	eax, eax
		jz	short loc_7360D5
		cmp	eax, 80000005h
		jz	short loc_7360D5
		cmp	eax, 0C0000011h
		jnz	loc_73617F

loc_7360D5:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+347j
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+34Ej
		call	_IopUpdateReadOperationCount@0 ; IopUpdateReadOperationCount()
		xor	edx, edx
		mov	ecx, [ebp+var_68]
		call	_IopUpdateReadTransferCount@8 ;	IopUpdateReadTransferCount(x,x)
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_6C]
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		mov	eax, [ebp+var_68]
		mov	[ecx+4], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_73612B
; 

loc_736102:				; DATA XREF: .text:006A81A8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_48], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_736110:				; DATA XREF: .text:006A81ACo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_48]
		mov	[ebp+var_6C], eax
		xor	ebx, ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_24]
		mov	esi, [ebp+var_30]

loc_73612B:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+386j
		cmp	[ebp+var_3C], 0
		jz	short loc_73614C
		test	dword ptr [edi+2Ch], 8000000h
		jnz	short loc_736144
		push	ebx
		push	ebx
		push	[ebp+var_28]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_736144:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+3BEj
		mov	ecx, [ebp+var_28]
		call	ObfDereferenceObject

loc_73614C:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+3B5j
		mov	ecx, edi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)
		mov	edi, [ebp+var_6C]
		jmp	loc_7362E5
; 

loc_73615B:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+216j
		cmp	[ebp+arg_14], 0
		jnz	short loc_73617F
		test	dword ptr [edi+2Ch], 280h
		jnz	short loc_73617F
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	loc_735F29
		call	ObfDereferenceObject
		jmp	loc_735F29
; 

loc_73617F:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+2B7j
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+2C1j ...
		cmp	[ebp+var_60], 0
		jge	short loc_7361A0
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_736191
		call	ObfDereferenceObject

loc_736191:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+410j
		cmp	byte ptr [ebp+var_2C], 0
		jz	loc_735F29
		jmp	loc_736062
; 

loc_7361A0:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+409j
		mov	ecx, edi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		push	dword ptr [ebp+4]
		mov	al, byte ptr [ebp+var_2C]
		xor	al, 1
		movzx	eax, al
		push	eax
		mov	eax, [ebp+arg_1C]
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp+var_30], esi
		test	esi, esi
		jnz	short loc_7361EC
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_7361D5
		call	ObfDereferenceObject

loc_7361D5:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+454j
		cmp	byte ptr [ebp+var_2C], 0
		jz	short loc_7361E2
		mov	ecx, edi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_7361E2:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+45Fj
		mov	edi, 0C000009Ah
		jmp	loc_7362E5
; 

loc_7361EC:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+44Dj
		mov	[esi+64h], edi
		mov	eax, [ebp+var_4C]
		mov	[esi+50h], eax
		mov	[esi+54h], ebx
		mov	al, byte ptr [ebp+var_1E+1]
		mov	[esi+20h], al
		mov	[esi+21h], bl
		mov	[esi+24h], bl
		mov	[esi+38h], ebx
		mov	[esi+8], ebx
		mov	eax, [ebp+var_28]
		mov	[esi+2Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+28h], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+30h], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+34h], eax
		mov	eax, [esi+60h]
		sub	eax, 24h
		mov	[ebp+arg_14], eax
		push	3
		pop	ecx
		mov	[eax], ecx
		mov	[eax+18h], edi
		mov	[esi+0Ch], ebx
		mov	[esi+4], ebx
		mov	eax, [ebp+arg_1C]
		mov	eax, [eax+1Ch]
		test	al, 4
		jz	loc_736372
		cmp	[ebp+arg_10], 0
		jz	loc_736369
		cmp	[ebp+arg_20], 0
		jz	loc_73631D
		mov	eax, [ebp+arg_C]
		mov	[esi+0Ch], eax
		or	dword ptr [esi+8], 50h

loc_736265:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+5C5j
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+5FAj
		mov	eax, [ebp+arg_C]
		mov	[esi+3Ch], eax

loc_73626B:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+5F3j
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+604j ...
		mov	eax, [esi+8]
		or	eax, 100h
		mov	[esi+8], eax
		test	byte ptr [edi+2Ch], 8
		jz	short loc_736282
		or	eax, 1
		mov	[esi+8], eax

loc_736282:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+500j
		cmp	[ebp+var_58], 0
		jnz	short loc_736290
		or	eax, 800h
		mov	[esi+8], eax

loc_736290:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+50Cj
		mov	edx, [ebp+arg_20]
		test	edx, edx
		jz	short loc_7362B0
		mov	[esi+20h], bl
		mov	eax, [ebp+arg_C]
		mov	[esi+3Ch], eax
		mov	ecx, esi
		call	_IopSetCopyInformationExtension@8 ; IopSetCopyInformationExtension(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7362E5
		mov	edi, [ebp+var_24]

loc_7362B0:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+51Bj
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+arg_14]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_38]
		mov	[ecx+8], eax
		mov	eax, [ebp+var_64]
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+var_60]
		mov	[ecx+10h], eax
		push	ebx
		push	[ebp+var_2C]
		push	[ebp+var_44]
		push	[ebp+var_5C]
		push	edi
		mov	edx, esi
		mov	ecx, [ebp+arg_1C]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_1F], bl

loc_7362E5:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+BEj
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+1B4j ...
		cmp	[ebp+var_1F], 0
		jz	loc_7363D8
		cmp	[ebp+arg_20], 0
		jz	short loc_7362FF
		mov	dl, 1
		mov	ecx, [ebp+arg_C]
		call	_IopFreeCopyObjectsFromDataBuffer@8 ; IopFreeCopyObjectsFromDataBuffer(x,x)

loc_7362FF:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+579j
		mov	ecx, [ebp+var_24]
		test	esi, esi
		jz	loc_7363D3
		push	[ebp+var_2C]
		push	ebx
		push	[ebp+var_28]
		mov	edx, esi
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		jmp	loc_7363D8
; 

loc_73631D:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+4DBj
		mov	[ebp+ms_exc.disabled], 2
		mov	edx, [ebp+arg_10]
		mov	ecx, 204h
		call	sub_4F0630
		mov	[esi+0Ch], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		or	dword ptr [esi+8], 70h
		jmp	loc_736265
; 

loc_736344:				; DATA XREF: .text:006A81B4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_50], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_736352:				; DATA XREF: .text:006A81B8o
		mov	edi, [ebp+var_50]

loc_736355:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+657j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_30]
		jmp	loc_7362E5
; 

loc_736369:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+4D1j
		or	dword ptr [esi+8], 50h
		jmp	loc_73626B
; 

loc_736372:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+4C7j
		test	al, 10h
		jz	loc_736265
		cmp	[ebp+arg_10], 0
		jz	loc_73626B
		mov	[ebp+ms_exc.disabled], ecx
		push	esi
		push	1
		push	ebx
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	IoAllocateMdl
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_7363F1
		push	1
		cmp	[ebp+arg_20], 0
		setnz	al
		dec	al
		and	al, byte ptr [ebp+var_1E+1]
		movzx	eax, al
		push	eax
		push	ecx
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_73626B
; 

loc_7363C0:				; DATA XREF: .text:006A81C0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_54], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7363CE:				; DATA XREF: .text:006A81C4o
		mov	edi, [ebp+var_54]
		jmp	short loc_736355
; 

loc_7363D3:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+58Aj
		call	ObfDereferenceObject

loc_7363D8:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+56Fj
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+59Ej
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_7363EC:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+CFj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7363F1:				; CODE XREF: IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+620j
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger
_IopReadFile@44	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopWriteFile(x, x, x, x, x,	x, x, x, x, x, x)
_IopWriteFile@44 proc near		; CODE XREF: NtWriteFile(x,x,x,x,x,x,x,x,x)+87p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		push	64h
		push	offset dword_6A81C8
		call	__SEH_prolog4
		mov	esi, ecx
		mov	[ebp+var_28], esi
		xor	ebx, ebx
		mov	[ebp+var_70], 10000h
		mov	[ebp+var_38], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_6C], esi
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], ebx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_60], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		lea	ecx, [ebp+var_74]
		call	_IopValidateAndGetWriteParameters@20 ; IopValidateAndGetWriteParameters(x,x,x,x,x)
		test	eax, eax
		js	loc_736593
		cmp	byte ptr [ebp+var_70+1], bl
		jz	loc_73656D
		cmp	[esi+18h], ebx
		jz	loc_73656D
		mov	ecx, [ebp+var_68]
		mov	eax, [ecx+8]
		mov	eax, [eax+28h]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	eax, [eax+0Ch]
		mov	[ebp+arg_0], eax
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_7364AD
		call	_VfFastIoSnapState@0 ; VfFastIoSnapState()
		mov	edi, eax
		mov	ecx, [ebp+var_68]
		mov	eax, [ebp+arg_0]
		jmp	short loc_7364AF
; 

loc_7364AD:				; CODE XREF: IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+A0j
		mov	edi, ebx

loc_7364AF:				; CODE XREF: IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+AFj
		push	ecx
		lea	ecx, [ebp+var_30]
		push	ecx
		push	[ebp+arg_C]
		push	[ebp+var_44]
		push	1
		push	[ebp+arg_10]
		lea	ecx, [ebp+var_4C]
		push	ecx
		push	esi
		call	eax
		mov	byte ptr [ebp+arg_C+3],	al
		test	edi, edi
		jz	short loc_7364DA
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_VfFastIoCheckState@8 ;	VfFastIoCheckState(x,x)
		mov	al, byte ptr [ebp+arg_C+3]

loc_7364DA:				; CODE XREF: IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+CFj
		test	al, al
		jz	loc_73656D
		cmp	[ebp+var_30], ebx
		jnz	loc_73656D
		call	_IopUpdateWriteOperationCount@0	; IopUpdateWriteOperationCount()
		xor	edx, edx
		mov	ecx, [ebp+var_2C]
		call	_IopUpdateWriteTransferCount@8 ; IopUpdateWriteTransferCount(x,x)
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+var_30]
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		mov	eax, [ebp+var_2C]
		mov	[ecx+4], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_73653A
; 

loc_736514:				; DATA XREF: .text:006A81DCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_736522:				; DATA XREF: .text:006A81E0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_24]
		mov	[ebp+var_30], eax
		xor	ebx, ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_28]

loc_73653A:				; CODE XREF: IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+116j
		mov	ecx, [ebp+var_64]
		test	ecx, ecx
		jz	short loc_73655A
		test	dword ptr [esi+2Ch], 8000000h
		jnz	short loc_736555
		push	ebx
		push	ebx
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [ebp+var_64]

loc_736555:				; CODE XREF: IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+14Cj
		call	ObfDereferenceObject

loc_73655A:				; CODE XREF: IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+143j
		mov	ecx, esi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, [ebp+var_30]
		jmp	short loc_736593
; 

loc_73656D:				; CODE XREF: IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+75j
					; IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+7Ej ...
		lea	edx, [ebp+var_20]
		lea	ecx, [ebp+var_74]
		call	_IopAllocateAndPopulateWriteIrp@8 ; IopAllocateAndPopulateWriteIrp(x,x)
		test	eax, eax
		js	short loc_736593
		push	1
		push	[ebp+var_70+1]
		push	[ebp+var_70]
		push	[ebp+var_70+2]
		push	esi
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_68]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)

loc_736593:				; CODE XREF: IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+6Cj
					; IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)+16Fj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
_IopWriteFile@44 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpNotifyTargetDeviceChangeNotifyEntry(x, x, x, x)
_PnpNotifyTargetDeviceChangeNotifyEntry@16 proc	near
					; CODE XREF: PnpProcessDeferredRegistrations()+13Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		or	edi, 0FFFFFFFFh
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		push	eax
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		cmp	[esi+0Ch], eax
		jz	short loc_7365D0
		mov	ecx, [esi+30h]
		call	_IopGetSessionIdFromPDO@4 ; IopGetSessionIdFromPDO(x)
		mov	edi, eax

loc_7365D0:				; CODE XREF: PnpNotifyTargetDeviceChangeNotifyEntry(x,x,x,x)+1Ej
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+28h]
		call	ExAcquireResourceExclusiveLite
		cmp	edi, 0FFFFFFFFh
		jz	short loc_7365E9
		cmp	[esi+0Ch], edi
		jnz	short loc_736605

loc_7365E9:				; CODE XREF: PnpNotifyTargetDeviceChangeNotifyEntry(x,x,x,x)+3Cj
		cmp	byte ptr [esi+22h], 0
		jnz	short loc_736605
		mov	eax, [esi+2Ch]
		mov	edx, ebx
		push	[ebp+arg_4]
		mov	ecx, esi
		mov	[ebx+14h], eax
		call	PnpNotifyDriverCallback
		mov	ecx, eax
		jmp	short loc_736613
; 

loc_736605:				; CODE XREF: PnpNotifyTargetDeviceChangeNotifyEntry(x,x,x,x)+41j
					; PnpNotifyTargetDeviceChangeNotifyEntry(x,x,x,x)+47j
		mov	eax, [ebp+arg_4]
		mov	ecx, 0C0000010h
		mov	dword ptr [eax], 0C00000BBh

loc_736613:				; CODE XREF: PnpNotifyTargetDeviceChangeNotifyEntry(x,x,x,x)+5Dj
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	ecx, [esi+28h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_PnpNotifyTargetDeviceChangeNotifyEntry@16 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnpInsertNoopEvent(x, x)
_PnpInsertNoopEvent@8 proc near		; CODE XREF: PnpDeferNotification(x)+A4p
					; PnpSynchronizeDeviceEventQueue()+29p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	ecx, 8Ch
		call	_PnpCreateDeviceEventEntry@4 ; PnpCreateDeviceEventEntry(x)
		test	eax, eax
		jnz	short loc_73664E
		mov	eax, 0C000009Ah
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_73664E:				; CODE XREF: PnpInsertNoopEvent(x,x)+15j
		mov	[eax+10h], esi
		lea	edi, [eax+48h]
		mov	esi, offset _GUID_DEVICE_NOOP
		mov	ecx, eax
		movsd
		movsd
		movsd
		movsd
		pop	edi
		pop	esi
		mov	[eax+5Ch], ebx
		mov	dword ptr [eax+58h], 1
		mov	dword ptr [eax+64h], 44h
		pop	ebx
		jmp	PnpInsertEventInQueue
_PnpInsertNoopEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwCloseDescendants(x, x)
_PiSwCloseDescendants@8	proc near	; CODE XREF: PiSwCloseDescendants(x,x)+3Dp
					; PiSwIrpCleanup+99D21p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[esp+10h+var_1], dl
		call	_PiSwFindBusRelations@4	; PiSwFindBusRelations(x)
		test	eax, eax
		jz	short loc_7366C5
		lea	ebx, [eax+8]
		mov	esi, [ebx]
		jmp	short loc_7366C1
; 

loc_736698:				; CODE XREF: PiSwCloseDescendants(x,x)+4Bj
		lea	edi, [esi-34h]
		mov	esi, [esi]
		test	byte ptr [edi+4], 1
		jnz	short loc_7366C1
		mov	dl, [esp+10h+var_1]
		test	dl, dl
		jz	short loc_7366B2
		lea	eax, [edi+44h]
		cmp	[eax], eax
		jnz	short loc_7366C1

loc_7366B2:				; CODE XREF: PiSwCloseDescendants(x,x)+31j
		lea	ecx, [edi+28h]
		call	_PiSwCloseDescendants@8	; PiSwCloseDescendants(x,x)
		mov	ecx, edi
		call	_PiSwCloseDevice@4 ; PiSwCloseDevice(x)

loc_7366C1:				; CODE XREF: PiSwCloseDescendants(x,x)+1Ej
					; PiSwCloseDescendants(x,x)+29j ...
		cmp	esi, ebx
		jnz	short loc_736698

loc_7366C5:				; CODE XREF: PiSwCloseDescendants(x,x)+17j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PiSwCloseDescendants@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwStopDestroy(x, x, x, x)
_PiSwStopDestroy@16 proc near		; CODE XREF: IopRemoveDevice(x,x)+C8p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, edx
		push	edi
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_4], eax
		mov	[esp+20h+var_10], eax
		call	_PiSwLock@0	; PiSwLock()
		push	esi
		lea	eax, [esp+24h+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	ecx, [esp+20h+var_8]
		call	_PiSwFindChildren@4 ; PiSwFindChildren(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_736713
		mov	ebx, 0C0000034h
		jmp	loc_736797
; 

loc_736713:				; CODE XREF: PiSwStopDestroy(x,x,x,x)+3Bj
		push	offset aDriverenum ; "DRIVERENUM"
		push	offset _PiSwBusName
		push	2
		lea	eax, [esp+2Ch+var_10]
		push	eax
		push	57706E50h
		push	0C8h
		call	PnpConcatPWSTR
		mov	ebx, eax
		add	esp, 18h
		test	ebx, ebx
		js	short loc_736782
		mov	esi, [edi]
		jmp	short loc_73677E
; 

loc_736740:				; CODE XREF: PiSwStopDestroy(x,x,x,x)+B4j
		push	[esp+20h+var_10] ; wchar_t *
		lea	eax, [esi-34h]
		mov	esi, [esi]
		push	dword ptr [eax+8] ; wchar_t *
		mov	[esp+28h+var_C], eax
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_73677E
		mov	eax, [esp+20h+var_C]
		test	byte ptr [eax+4], 1
		jnz	short loc_73677E
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		push	1
		call	_PiSwFindPdoAssociation@12 ; PiSwFindPdoAssociation(x,x,x)
		test	eax, eax
		jz	short loc_73677E
		mov	ecx, [esp+20h+var_C]
		call	_PiSwCloseDevice@4 ; PiSwCloseDevice(x)

loc_73677E:				; CODE XREF: PiSwStopDestroy(x,x,x,x)+72j
					; PiSwStopDestroy(x,x,x,x)+8Dj	...
		cmp	esi, edi
		jnz	short loc_736740

loc_736782:				; CODE XREF: PiSwStopDestroy(x,x,x,x)+6Ej
		cmp	[esp+20h+var_10], 0
		jz	short loc_736797
		push	57706E50h
		push	[esp+24h+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_736797:				; CODE XREF: PiSwStopDestroy(x,x,x,x)+42j
					; PiSwStopDestroy(x,x,x,x)+BBj
		call	_PiSwUnlock@0	; PiSwUnlock()
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_PiSwStopDestroy@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall AlpcpAvailableBufferSize(x)
_AlpcpAvailableBufferSize@4 proc near	; CODE XREF: AlpcpSetupMessageDataForDeferredCopy(x,x,x,x,x,x)+33p
					; AlpcpReadMessageData(x,x)+Ep	...
		mov	eax, [ecx+34h]
		test	eax, eax
		jnz	short loc_7367B5
		mov	eax, 100h
		retn
; 

loc_7367B5:				; CODE XREF: AlpcpAvailableBufferSize(x)+5j
		mov	eax, [eax+10h]
		sub	eax, 18h
		retn
_AlpcpAvailableBufferSize@4 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpQueryHeadCanceledQueue(x)
_AlpcpQueryHeadCanceledQueue@4 proc near ; CODE	XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+86p
		add	ecx, 0E0h
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	short loc_7367D0
		test	eax, eax
		jz	short loc_7367D0
		add	eax, 0FFFFFFD4h
		retn
; 

loc_7367D0:				; CODE XREF: AlpcpQueryHeadCanceledQueue(x)+Aj
					; AlpcpQueryHeadCanceledQueue(x)+Ej
		xor	eax, eax
		retn
_AlpcpQueryHeadCanceledQueue@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiValidateSectionSigningPolicy(x, x, x, x, x, x, x,	x, x, x, x)
_MiValidateSectionSigningPolicy@44 proc	near ; CODE XREF: MiValidateExistingImage(x)+273p
					; MiCreateNewSection(x,x)+529p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	[ebp+var_4], esi
		test	edi, edi
		jz	short loc_7367F8
		cmp	edi, 1
		jz	short loc_7367F8
		mov	eax, 0C000000Dh
		jmp	loc_7368D6
; 

loc_7367F8:				; CODE XREF: MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+13j
					; MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+18j
		mov	bh, byte ptr [ebp+arg_10]
		mov	bl, [ebp+arg_14]
		test	bh, bh
		jnz	short loc_736818
		test	bl, bl
		jnz	short loc_73680D
		xor	eax, eax
		jmp	loc_7368D6
; 

loc_73680D:				; CODE XREF: MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+30j
		mov	ecx, [ebp+arg_C]
		or	ecx, 2000000h
		jmp	short loc_73681B
; 

loc_736818:				; CODE XREF: MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+2Cj
		mov	ecx, [ebp+arg_C]

loc_73681B:				; CODE XREF: MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+42j
		push	[ebp+arg_20]
		mov	eax, large fs:124h
		push	[ebp+arg_1C]
		mov	edx, [ebp+arg_0]
		push	ecx
		push	[ebp+arg_8]
		mov	eax, [eax+80h]
		mov	ecx, esi
		push	[ebp+arg_4]
		mov	[ebp+arg_10], eax
		call	_MiValidateSectionCreate@28 ; MiValidateSectionCreate(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_736856
		xor	ecx, ecx
		cmp	edi, 1
		setnz	cl
		inc	ecx
		mov	dword_6CF4F4, ecx

loc_736856:				; CODE XREF: MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+71j
		cmp	bh, 1
		jnz	short loc_73688B
		test	esi, esi
		jns	short loc_73688B
		cmp	esi, 0C0000428h
		jnz	short loc_7368D4
		cmp	[ebp+arg_18], 1
		jnz	short loc_7368D4
		mov	eax, [ebp+var_4]
		add	eax, 30h
		push	eax
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		mov	al, [eax+0Bh]
		shr	al, 4
		movzx	eax, al
		push	eax
		push	[ebp+arg_1C]
		push	2
		pop	ecx
		jmp	short loc_7368C8
; 

loc_73688B:				; CODE XREF: MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+85j
					; MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+89j
		cmp	bl, 1
		jnz	short loc_7368D4
		test	esi, esi
		js	short loc_7368D2
		mov	ebx, [ebp+arg_0]
		push	[ebp+arg_20]
		mov	eax, [ebx]
		mov	al, [eax+0Bh]
		shr	al, 4
		movzx	eax, al
		push	eax
		call	_SeCompareSigningLevels@8 ; SeCompareSigningLevels(x,x)
		test	eax, eax
		jnz	short loc_7368D4
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		add	eax, 30h
		push	eax
		mov	eax, [ebx]
		mov	al, [eax+0Bh]
		shr	al, 4
		inc	ecx
		movzx	eax, al
		push	eax
		push	[ebp+arg_20]

loc_7368C8:				; CODE XREF: MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+B5j
		mov	edx, [ebp+arg_10]
		call	_EtwTimLogProhibitNonMicrosoftBinaries@20 ; EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)
		jmp	short loc_7368D4
; 

loc_7368D2:				; CODE XREF: MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+BEj
		xor	esi, esi

loc_7368D4:				; CODE XREF: MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+91j
					; MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+97j ...
		mov	eax, esi

loc_7368D6:				; CODE XREF: MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+1Fj
					; MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+34j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
_MiValidateSectionSigningPolicy@44 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetImageInformation(x, x,	x, x)
_MmGetImageInformation@16 proc near	; CODE XREF: EtwpLocateDbgIdForRegEntry+3Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		cmp	esi, ds:_MmHighestUserAddress
		jbe	short loc_7368FE
		mov	eax, 0C000000Dh
		jmp	loc_73699B
; 

loc_7368FE:				; CODE XREF: MmGetImageInformation(x,x,x,x)+14j
		push	ebx
		mov	ebx, large fs:124h
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edi
		test	byte ptr [ebx+304h], 3
		mov	ecx, [ebx+80h]
		mov	[ebp+var_4], ecx
		jnz	short loc_736931
		mov	edx, ecx
		mov	[ebp+var_8], 1
		mov	ecx, ebx
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	ecx, [ebp+var_4]

loc_736931:				; CODE XREF: MmGetImageInformation(x,x,x,x)+3Ej
		push	esi
		mov	edx, esi
		call	_MiCheckForConflictingVad@12 ; MiCheckForConflictingVad(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_736946
		mov	edi, 0C0000018h
		jmp	short loc_736988
; 

loc_736946:				; CODE XREF: MmGetImageInformation(x,x,x,x)+5Fj
		mov	eax, [edx+1Ch]
		and	al, 70h
		cmp	al, 20h
		jz	short loc_736956
		mov	edi, 0C0000049h
		jmp	short loc_736988
; 

loc_736956:				; CODE XREF: MmGetImageInformation(x,x,x,x)+6Fj
		mov	eax, [edx+0Ch]
		mov	ecx, [ebp+var_C]
		shl	eax, 0Ch
		mov	[ecx], eax
		mov	ecx, [edx+10h]
		sub	ecx, [edx+0Ch]
		mov	eax, [ebp+arg_0]
		inc	ecx
		shl	ecx, 0Ch
		mov	[eax], ecx
		mov	eax, [edx+2Ch]
		mov	ecx, [ebp+var_4]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	eax, [eax+24h]
		mov	esi, [eax+3Ch]
		mov	eax, [ebp+arg_4]
		and	esi, 1
		mov	[eax], esi

loc_736988:				; CODE XREF: MmGetImageInformation(x,x,x,x)+66j
					; MmGetImageInformation(x,x,x,x)+76j
		cmp	[ebp+var_8], 1
		jnz	short loc_736997
		mov	edx, ecx
		mov	ecx, ebx
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)

loc_736997:				; CODE XREF: MmGetImageInformation(x,x,x,x)+AEj
		mov	eax, edi
		pop	edi
		pop	ebx

loc_73699B:				; CODE XREF: MmGetImageInformation(x,x,x,x)+1Bj
		pop	esi
		leave
		retn	8
_MmGetImageInformation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocatePartitionPhysicalPages(x,	x, x, x, x, x)
_MiAllocatePartitionPhysicalPages@24 proc near
					; CODE XREF: MmManagePartitionMoveMemory(x,x,x,x)+EDp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_20], edx
		lea	edi, [ebp+var_38]
		mov	[ebp+var_4], ecx
		stosd
		xor	esi, esi
		mov	[ebp+var_10], esi
		stosd
		stosd
		stosd
		test	ecx, ecx
		jnz	short loc_7369CB
		mov	ecx, offset _MiSystemPartition
		mov	[ebp+var_4], ecx

loc_7369CB:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+21j
		mov	ebx, [edx+4]
		mov	eax, [ebp+arg_8]
		shr	ebx, 6
		not	ebx
		mov	[ebp+var_8], esi
		and	ebx, 1
		or	ebx, 100000h
		and	eax, 4
		mov	[ebp+var_28], eax
		jz	short loc_7369F0
		or	ebx, 8000h

loc_7369F0:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+48j
		test	byte ptr [ebp+arg_8], 12h
		jnz	short loc_7369FC
		or	ebx, 4000h

loc_7369FC:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+54j
		mov	eax, [ebp+arg_8]
		mov	edi, esi
		and	eax, 200h
		mov	[ebp+var_C], eax
		jnz	short loc_736A26
		mov	edx, [ebp+arg_0]
		push	esi
		push	esi
		call	MiAcquireNonPagedResources
		test	eax, eax
		jns	short loc_736A23
		mov	eax, 0C000009Ah
		jmp	loc_736C8B
; 

loc_736A23:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+77j
		mov	eax, [ebp+var_C]

loc_736A26:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+69j
		mov	ecx, [ebp+var_4]

loc_736A29:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+142j
		mov	esi, [ebp+arg_0]
		sub	esi, edi
		cmp	esi, 200h
		jb	loc_736AFB
		xor	edx, edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], edx
		test	eax, eax
		jnz	loc_736AF7
		push	1
		push	1
		push	ebx
		push	edx
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_18]
		push	eax
		call	_MiFindLargeNodePage@28	; MiFindLargeNodePage(x,x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	loc_736AFB
		sub	eax, ds:_MmPfnDatabase
		cdq
		mov	[ebp+var_1C], 1Ch
		idiv	[ebp+var_1C]
		mov	[ebp+var_1C], eax
		call	_MiIsFreshPfnFromZeroedList@4 ;	MiIsFreshPfnFromZeroedList(x)
		test	eax, eax
		jnz	short loc_736A98
		test	bl, 1
		jnz	short loc_736A9F
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_24]
		push	1
		call	MiZeroLargePage

loc_736A98:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+E4j
		mov	[ebp+var_14], 1

loc_736A9F:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+E9j
		mov	eax, [ebp+var_18]
		lea	ecx, [ebp+var_10]
		push	[ebp+var_14]
		mov	edx, [ebp+var_1C]
		mov	eax, ds:_MiLargePageSizes[eax*4]
		push	eax
		mov	[ebp+var_18], eax
		call	_MiAddRangeToPartitionTree@16 ;	MiAddRangeToPartitionTree(x,x,x,x)
		mov	edx, [ebp+var_18]
		test	eax, eax
		jz	short loc_736AE7
		mov	ecx, [ebp+var_4]
		cmp	ecx, offset _MiSystemPartition
		jnz	short loc_736AD8
		mov	eax, edx
		mov	esi, offset dword_6D3620
		lock xadd [esi], eax

loc_736AD8:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+12Bj
		add	edi, edx
		cmp	edi, [ebp+arg_0]
		jz	short loc_736B30
		mov	eax, [ebp+var_C]
		jmp	loc_736A29
; 

loc_736AE7:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+120j
		push	[ebp+var_14]
		mov	ecx, [ebp+var_1C]
		call	_MiFreeMdlPageRun@12 ; MiFreeMdlPageRun(x,x,x)
		mov	[ebp+var_8], eax
		jmp	short loc_736AFE
; 

loc_736AF7:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+A4j
		mov	eax, edx
		jmp	short loc_736AFE
; 

loc_736AFB:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+94j
					; MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+C3j
		mov	eax, [ebp+var_8]

loc_736AFE:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+155j
					; MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+159j
		cmp	edi, [ebp+arg_0]
		jz	short loc_736B2D
		cmp	[ebp+var_C], 0
		jnz	loc_736C18
		mov	ecx, [ebp+var_4]
		sub	esi, eax
		mov	edx, esi
		call	_MiReleaseNonPagedResources@8 ;	MiReleaseNonPagedResources(x,x)
		test	byte ptr [ebp+arg_8], 0A2h
		jnz	loc_736C18
		cmp	[ebp+var_8], 0
		jnz	loc_736C18

loc_736B2D:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+161j
		mov	ecx, [ebp+var_4]

loc_736B30:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+13Dj
		xor	eax, eax
		inc	eax
		and	ebx, eax
		test	byte ptr [ebp+arg_8], al
		jnz	short loc_736B3D
		or	ebx, 2

loc_736B3D:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+198j
		or	ebx, 10h
		cmp	[ebp+var_28], 0
		jz	short loc_736B4B
		mov	[ebp+var_1C], eax
		jmp	short loc_736B4F
; 

loc_736B4B:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+1A4j
		and	[ebp+var_1C], 0

loc_736B4F:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+1A9j
		xor	eax, eax
		and	[ebp+var_14], eax
		test	byte ptr [ebp+arg_8], 10h
		mov	[ebp+var_18], eax
		jz	short loc_736B76
		mov	esi, 200h
		mov	eax, esi

loc_736B64:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+1E3j
		mov	edx, 1000h
		or	ebx, 40h
		mul	edx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], edx
		jmp	short loc_736B93
; 

loc_736B76:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+1BBj
		test	byte ptr [ebp+arg_8], 40h
		jz	short loc_736B85

loc_736B7C:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+1ECj
		mov	eax, 200h
		mov	esi, eax
		jmp	short loc_736B64
; 

loc_736B85:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+1DAj
		test	[ebp+arg_8], 100h
		jnz	short loc_736B7C
		mov	esi, 0FFFFEh

loc_736B93:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+1D4j
		mov	[ebp+var_8], esi
		cmp	edi, [ebp+arg_0]
		jz	loc_736C1F

loc_736B9F:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+265j
		mov	edx, [ebp+arg_0]
		sub	edx, edi
		cmp	edx, esi
		jbe	short loc_736BAA
		mov	edx, esi

loc_736BAA:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+206j
		push	[ebp+var_14]
		shl	edx, 0Ch
		push	eax
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	[ebp+var_1C]
		push	0
		push	ebx
		push	[ebp+arg_4]
		push	1
		call	MiAllocatePagesForMdl
		mov	esi, eax
		test	esi, esi
		jnz	short loc_736BD8
		test	bl, 40h
		jz	short loc_736C18
		and	ebx, 0FFFFFFBFh
		or	ebx, 20h
		jmp	short loc_736BF7
; 

loc_736BD8:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+229j
		push	ebx
		mov	edx, esi
		lea	ecx, [ebp+var_10]
		call	_MiAddMdlToPartitionTree@12 ; MiAddMdlToPartitionTree(x,x,x)
		test	eax, eax
		jz	short loc_736C07
		mov	eax, [esi+14h]
		push	0
		shr	eax, 0Ch
		push	esi
		add	edi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_736BF7:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+236j
		cmp	edi, [ebp+arg_0]
		jz	short loc_736C1F
		mov	ecx, [ebp+var_4]
		mov	esi, [ebp+var_8]
		mov	eax, [ebp+var_18]
		jmp	short loc_736B9F
; 

loc_736C07:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+245j
		xor	edx, edx
		mov	ecx, esi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_736C18:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+167j
					; MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+17Dj ...
		mov	esi, 0C000009Ah
		jmp	short loc_736C39
; 

loc_736C1F:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+1F9j
					; MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+25Aj
		mov	ecx, [ebp+var_C]
		mov	ebx, [ebp+var_20]
		test	ecx, ecx
		jnz	short loc_736C4D
		lea	edx, [ebp+var_10]
		mov	ecx, ebx
		call	_MiUpdatePartitionLargePfnBitMap@8 ; MiUpdatePartitionLargePfnBitMap(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_736C4A

loc_736C39:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+27Dj
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_10]
		push	1
		push	1
		call	_MiFreePartitionTree@16	; MiFreePartitionTree(x,x,x,x)
		jmp	short loc_736C89
; 

loc_736C4A:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+297j
		mov	ecx, [ebp+var_C]

loc_736C4D:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+287j
		and	[ebp+var_34], 0
		lea	eax, [ebp+var_10]
		and	[ebp+var_30], 0
		test	byte ptr [ebp+arg_8], 8
		push	3
		mov	[ebp+var_38], eax
		pop	eax
		mov	[ebp+var_2C], eax
		jz	short loc_736C6D
		push	7
		pop	eax
		mov	[ebp+var_2C], eax

loc_736C6D:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+2C5j
		test	ecx, ecx
		jz	short loc_736C77
		or	eax, 10h
		mov	[ebp+var_2C], eax

loc_736C77:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+2CFj
		push	ecx
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_38]
		push	edi
		push	eax
		mov	edx, ebx
		call	_MiInsertPartitionPages@20 ; MiInsertPartitionPages(x,x,x,x,x)
		mov	esi, eax

loc_736C89:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+2A8j
		mov	eax, esi

loc_736C8B:				; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+7Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiAllocatePartitionPhysicalPages@24 endp


;  S U B	R O U T	I N E 


; __stdcall ObpUseSystemDeviceMap(x)
_ObpUseSystemDeviceMap@4 proc near	; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+4CFp
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		mov	eax, [eax+2FCh]
		test	al, 8
		jz	short loc_736CE3
		cmp	word ptr [esi],	0Eh
		jb	short loc_736CE3
		call	RtlGetNtSystemRoot
		mov	ecx, [esi+4]
		mov	edi, eax
		cmp	word ptr [ecx+0Ah], 3Ah
		jnz	short loc_736CE3
		cmp	word ptr [ecx+0Ch], 5Ch
		jnz	short loc_736CE3
		movzx	ecx, word ptr [ecx+8]
		push	ecx
		call	_RtlUpcaseUnicodeChar@4	; RtlUpcaseUnicodeChar(x)
		movzx	ecx, word ptr [edi]
		mov	si, ax
		push	ecx
		call	_RtlUpcaseUnicodeChar@4	; RtlUpcaseUnicodeChar(x)
		cmp	ax, si
		jnz	short loc_736CE3
		mov	al, 1
		jmp	short loc_736CE5
; 

loc_736CE3:				; CODE XREF: ObpUseSystemDeviceMap(x)+12j
					; ObpUseSystemDeviceMap(x)+18j	...
		xor	al, al

loc_736CE5:				; CODE XREF: ObpUseSystemDeviceMap(x)+4Fj
		pop	edi
		pop	esi
		retn
_ObpUseSystemDeviceMap@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBsdUpdateWorker(x)
_PopBsdUpdateWorker@4 proc near		; DATA XREF: PoInitSystem+162o

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+84h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [esp+94h+var_38]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [esp+90h+var_78]
		xor	eax, eax
		mov	esi, offset _PopBsdUpdateLock
		push	8
		pop	ecx
		rep stosd
		push	8
		pop	ecx
		lea	edi, [esp+90h+var_58]
		rep stosd
		jmp	loc_736DCC
; 

loc_736D36:				; CODE XREF: PopBsdUpdateWorker(x)+F3j
		mov	eax, ebx
		and	eax, 1
		mov	[esp+90h+var_80], eax
		jz	short loc_736D54
		call	_PopUpdateBsdPowerTransitionReferenceTime@0 ; PopUpdateBsdPowerTransitionReferenceTime()
		push	8
		pop	ecx
		mov	esi, offset _PopBsdPowerTransition
		lea	edi, [esp+90h+var_78]
		rep movsd

loc_736D54:				; CODE XREF: PopBsdUpdateWorker(x)+57j
		mov	eax, ebx
		and	eax, 2
		mov	[esp+90h+var_7C], eax
		jz	short loc_736D6D
		push	8
		pop	ecx
		mov	esi, offset _PopBsdPowerTransitionExtension
		lea	edi, [esp+90h+var_58]
		rep movsd

loc_736D6D:				; CODE XREF: PopBsdUpdateWorker(x)+75j
		and	ebx, 4
		jz	short loc_736D80
		push	0Ch
		pop	ecx
		mov	esi, offset _PopBsdPhysicalPowerButtonInfo
		lea	edi, [esp+90h+var_38]
		rep movsd

loc_736D80:				; CODE XREF: PopBsdUpdateWorker(x)+88j
		mov	esi, offset _PopBsdUpdateLock
		mov	_PopBsdUpdateRequests, 0
		mov	ecx, esi
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)
		cmp	[esp+90h+var_80], 0
		jz	short loc_736DA9
		push	7
		lea	edx, [esp+94h+var_78]
		pop	ecx
		call	_PopWriteBsdPoInfo@8 ; PopWriteBsdPoInfo(x,x)

loc_736DA9:				; CODE XREF: PopBsdUpdateWorker(x)+B3j
		cmp	[esp+90h+var_7C], 0
		jz	short loc_736DBC
		push	10h
		lea	edx, [esp+94h+var_58]
		pop	ecx
		call	_PopWriteBsdPoInfo@8 ; PopWriteBsdPoInfo(x,x)

loc_736DBC:				; CODE XREF: PopBsdUpdateWorker(x)+C6j
		test	ebx, ebx
		jz	short loc_736DCC
		push	0Eh
		lea	edx, [esp+94h+var_38]
		pop	ecx
		call	_PopWriteBsdPoInfo@8 ; PopWriteBsdPoInfo(x,x)

loc_736DCC:				; CODE XREF: PopBsdUpdateWorker(x)+49j
					; PopBsdUpdateWorker(x)+D6j
		mov	ecx, esi
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		mov	ebx, _PopBsdUpdateRequests
		test	ebx, ebx
		jnz	loc_736D36
		mov	ecx, offset _PopBsdUpdateWorkItem
		call	_PopOkayToQueueNextWorkItem@4 ;	PopOkayToQueueNextWorkItem(x)
		mov	ecx, esi
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)
		mov	ecx, [esp+90h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_PopBsdUpdateWorker@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdateUpgradeInProgress(x)
_PopUpdateUpgradeInProgress@4 proc near	; CODE XREF: PoInitSystem+6E6p
					; DATA XREF: PopUpdateUpgradeInProgress(x)+E9o

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, [ebp+arg_0]
		lea	edi, [ebp+var_44]
		xor	eax, eax
		mov	[ebp+var_20], esi
		push	6
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_1C]
		xor	ebx, ebx
		stosd
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		stosd
		stosd
		stosd
		stosd
		test	esi, esi
		jnz	short loc_736E8B
		push	offset ??_C@_1DO@PGOAJPNE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_28]
		mov	[ebp+var_44], 18h
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	20019h
		lea	eax, [ebp+var_20]
		mov	[ebp+var_40], ebx
		push	eax
		mov	[ebp+var_38], 240h
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_736F29

loc_736E8B:				; CODE XREF: PopUpdateUpgradeInProgress(x)+3Aj
		push	offset ??_C@_1CM@DHJDDPJO@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAe?$AAt?$AAu?$AAp?$AAI?$AAn?$AAP?$AAr@NNGAKEGL@
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_2C]
		push	eax
		push	14h
		lea	eax, [ebp+var_1C]
		push	eax
		push	2
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_20]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_736F13
		cmp	[ebp+var_18], 4
		jnz	short loc_736F13
		cmp	[ebp+var_14], 4
		jnz	short loc_736F13
		cmp	[ebp+var_10], ebx
		jz	short loc_736F13
		test	esi, esi
		jnz	short loc_736EDB
		push	ebx		; int
		push	ebx		; void *
		push	8
		pop	edx
		push	0Fh
		pop	ecx
		call	PopLogSleepDisabled
		test	eax, eax
		js	short loc_736F29

loc_736EDB:				; CODE XREF: PopUpdateUpgradeInProgress(x)+BEj
		mov	eax, [ebp+var_20]
		push	1
		push	ebx
		push	ebx
		push	ebx
		push	4
		push	offset _PopSetupInProgressStatusBlock
		push	1
		push	offset _PopSetupInProgressUpdateWorkItem
		push	ebx
		push	eax
		mov	dword_6C3D28, offset _PopUpdateUpgradeInProgress@4 ; PopUpdateUpgradeInProgress(x)
		mov	dword_6C3D2C, eax
		mov	_PopSetupInProgressUpdateWorkItem, ebx
		call	_ZwNotifyChangeKey@40 ;	ZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_736F29
		jmp	short loc_736F36
; 

loc_736F13:				; CODE XREF: PopUpdateUpgradeInProgress(x)+A9j
					; PopUpdateUpgradeInProgress(x)+AFj ...
		test	esi, esi
		jz	short loc_736F29
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		push	0Fh
		pop	ecx
		call	PopRemoveReasonRecordByReasonCode
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_736F29:				; CODE XREF: PopUpdateUpgradeInProgress(x)+7Bj
					; PopUpdateUpgradeInProgress(x)+CFj ...
		cmp	[ebp+var_20], ebx
		jz	short loc_736F36
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)

loc_736F36:				; CODE XREF: PopUpdateUpgradeInProgress(x)+107j
					; PopUpdateUpgradeInProgress(x)+122j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopUpdateUpgradeInProgress@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleDetection(x,	x, x)
_PopIdleDetection@12 proc near		; CODE XREF: PopPolicySystemIdle()+1AFp
					; PopSystemIdleWorker()+B5p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_PsWin32CalloutsEstablished, 0
		jz	short loc_736F61
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PopScanIdleList@12 ; PopScanIdleList(x,x,x)

loc_736F61:				; CODE XREF: PopIdleDetection(x,x,x)+Cj
		pop	ebp
		retn	8
_PopIdleDetection@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopAssessSystemIdleEvent(x,	x, x)
_PopAssessSystemIdleEvent@12 proc near	; CODE XREF: PopIsSystemIdle(x,x,x,x)+2Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		xor	edi, edi
		call	KeQueryInterruptTime
		push	edi
		push	989680h
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, edx
		mov	[ebp+var_4], eax
		mov	edx, eax
		mov	[ebp+var_8], ecx
		sub	edx, [esi+8]
		mov	al, [esi+10h]
		sbb	ecx, [esi+0Ch]
		test	al, al
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_0]
		jz	short loc_736FAF
		or	dword ptr [eax], 0FFFFFFFFh
		or	dword ptr [eax+4], 0FFFFFFFFh
		jmp	short loc_736FCA
; 

loc_736FAF:				; CODE XREF: PopAssessSystemIdleEvent(x,x,x)+3Ej
		mov	[eax], edx
		mov	[eax+4], ecx
		test	ebx, ebx
		jnz	short loc_736FBD
		push	2
		pop	edi
		jmp	short loc_736FCA
; 

loc_736FBD:				; CODE XREF: PopAssessSystemIdleEvent(x,x,x)+50j
		test	ecx, ecx
		ja	short loc_736FCA
		jb	short loc_736FC7
		cmp	edx, ebx
		jnb	short loc_736FCA

loc_736FC7:				; CODE XREF: PopAssessSystemIdleEvent(x,x,x)+5Bj
		xor	edi, edi
		inc	edi

loc_736FCA:				; CODE XREF: PopAssessSystemIdleEvent(x,x,x)+47j
					; PopAssessSystemIdleEvent(x,x,x)+55j ...
		mov	eax, [ebp+var_4]
		and	dword ptr [esi+2Ch], 0
		mov	[esi+24h], ecx
		mov	ecx, [ebp+var_C]
		push	edi
		push	ecx
		mov	[esi+18h], eax
		mov	eax, [ebp+var_8]
		mov	[esi+30h], cl
		mov	ecx, [esi]
		push	ebx
		mov	[esi+1Ch], eax
		mov	[esi+20h], edx
		mov	[esi+28h], ebx
		mov	[esi+34h], edi
		call	_PopDiagTraceSystemIdleEventAssessment@20 ; PopDiagTraceSystemIdleEventAssessment(x,x,x,x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopAssessSystemIdleEvent@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIsSystemIdle(x, x, x, x)
_PopIsSystemIdle@16 proc near		; CODE XREF: PopSystemIdleWorker()+6Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_18], 0
		or	eax, 0FFFFFFFFh
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_C], edx
		mov	ebx, ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		xor	edi, edi

loc_737025:				; CODE XREF: PopIsSystemIdle(x,x,x,x)+64j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_18]
		push	eax
		mov	ecx, ebx
		call	_PopAssessSystemIdleEvent@12 ; PopAssessSystemIdleEvent(x,x,x)
		test	eax, eax
		jz	short loc_73703A
		bts	esi, edi

loc_73703A:				; CODE XREF: PopIsSystemIdle(x,x,x,x)+35j
		mov	edx, [ebp+var_8]
		cmp	edx, [ebp+var_14]
		jb	short loc_73705A
		ja	short loc_73704C
		mov	ecx, [ebp+var_4]
		cmp	ecx, [ebp+var_18]
		jb	short loc_73705D

loc_73704C:				; CODE XREF: PopIsSystemIdle(x,x,x,x)+42j
		mov	ecx, [ebp+var_18]
		mov	edx, [ebp+var_14]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], edx
		jmp	short loc_73705D
; 

loc_73705A:				; CODE XREF: PopIsSystemIdle(x,x,x,x)+40j
		mov	ecx, [ebp+var_4]

loc_73705D:				; CODE XREF: PopIsSystemIdle(x,x,x,x)+4Aj
					; PopIsSystemIdle(x,x,x,x)+58j
		inc	edi
		add	ebx, 38h
		cmp	edi, 4
		jb	short loc_737025
		mov	eax, [ebp+arg_0]
		test	esi, esi
		setz	bl
		mov	[eax], ecx
		mov	[eax+4], edx
		call	KeQueryInterruptTime
		push	0
		push	(offset	loc_98967E+2)
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, [ebp+arg_4]
		push	ebx
		mov	[ecx], eax
		mov	eax, [ebp+var_C]
		mov	[ecx+4], edx
		mov	edx, esi
		mov	[ecx+8], eax
		mov	[ecx+0Ch], esi
		mov	[ecx+10h], bl
		mov	ecx, eax
		call	_PopDiagTraceSystemIdleAssessment@12 ; PopDiagTraceSystemIdleAssessment(x,x,x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
_PopIsSystemIdle@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiCreateEventQueue(x, x)
_TtmiCreateEventQueue@8	proc near	; CODE XREF: TtmpDispatchCreateEventQueue(x,x)+4Fp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	al, [eax+15Ah]
		mov	ebx, ecx
		xor	ecx, ecx
		mov	byte ptr [ebp+var_8], al
		push	ecx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ecx
		push	eax
		push	ecx
		push	ecx
		push	60h
		mov	edi, edx
		mov	[ebp+var_1C], ecx
		mov	edx, ds:_TtmpQueueObjectType
		lea	eax, [ebp+var_20]
		push	ecx
		push	[ebp+var_8]
		mov	[edi], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		xor	cl, cl
		push	eax
		mov	[ebp+var_20], 18h
		mov	[ebp+var_14], 20h
		call	ObCreateObjectEx
		mov	esi, eax
		test	esi, esi
		jns	short loc_737124
		push	esi
		push	esi
		mov	edx, 237h
		mov	ecx, offset ??_C@_0BF@KNIHPJH@TtmiCreateEventQueue@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_73716A
; 

loc_737124:				; CODE XREF: TtmiCreateEventQueue(x,x)+61j
		mov	esi, [ebp+var_4]
		push	60h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		lea	eax, [esi+54h]
		add	esp, 0Ch
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+0Ch]
		push	eax
		call	ExInitializeResourceLite
		push	0
		push	0
		lea	eax, [esi+44h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edx, esi
		mov	byte ptr [esi+5Ch], 1
		mov	ecx, ebx
		call	_TtmiAddQueueToSession@8 ; TtmiAddQueueToSession(x,x)
		mov	ecx, esi
		call	_TtmiLogQueueCreated@4 ; TtmiLogQueueCreated(x)
		mov	[edi], esi
		xor	esi, esi

loc_73716A:				; CODE XREF: TtmiCreateEventQueue(x,x)+74j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_TtmiCreateEventQueue@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsBlockNonCetBinaries(x, x,	x, x)
_PsBlockNonCetBinaries@16 proc near	; CODE XREF: MiAllowImageMap(x,x,x,x)+C1p

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	bl, dl
		push	esi
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		test	al, al
		jnz	short loc_7371F2
		test	byte ptr [esi+3A8h], 1
		jnz	short loc_7371F2
		mov	eax, [esi+494h]
		mov	edi, eax
		and	edi, 800000h
		test	eax, 400000h
		jz	short loc_7371C1
		mov	al, [ebp+arg_0]
		test	bl, bl
		jz	short loc_7371B2
		test	al, al
		jnz	short loc_7371F2

loc_7371B2:				; CODE XREF: PsBlockNonCetBinaries(x,x,x,x)+3Aj
		push	1
		push	[ebp+arg_4]
		movzx	eax, al
		push	eax
		movzx	eax, bl
		push	eax
		jmp	short loc_7371D8
; 

loc_7371C1:				; CODE XREF: PsBlockNonCetBinaries(x,x,x,x)+33j
		test	eax, 200000h
		jz	short loc_7371F2
		test	bl, bl
		jnz	short loc_7371F2
		movzx	eax, [ebp+arg_0]
		push	0
		push	[ebp+arg_4]
		push	eax
		push	0

loc_7371D8:				; CODE XREF: PsBlockNonCetBinaries(x,x,x,x)+4Dj
		xor	ecx, ecx
		mov	edx, esi
		test	edi, edi
		setz	cl
		inc	ecx
		call	_EtwTimLogBlockNonCetBinaries@24 ; EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)
		test	edi, edi
		jnz	short loc_7371F2
		mov	eax, 0C0000022h
		jmp	short loc_7371F4
; 

loc_7371F2:				; CODE XREF: PsBlockNonCetBinaries(x,x,x,x)+15j
					; PsBlockNonCetBinaries(x,x,x,x)+1Ej ...
		xor	eax, eax

loc_7371F4:				; CODE XREF: PsBlockNonCetBinaries(x,x,x,x)+7Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_PsBlockNonCetBinaries@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspGetRedirectionTrustPolicy(x)
_PspGetRedirectionTrustPolicy@4	proc near ; CODE XREF: PAGE:007A9D3Dp
					; PAGE:0083E3B9p

var_2		= dword	ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	byte ptr [ebp+var_2+1],	0
		push	edi
		mov	byte ptr [ebp+var_2], 0
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		lea	edx, [ebp-1]
		lea	eax, [ebp+var_2]
		mov	ecx, esi
		push	eax
		call	_SeTokenGetRedirectionTrustPolicy@12 ; SeTokenGetRedirectionTrustPolicy(x,x,x)
		lea	ecx, [edi+12Ch]
		mov	edx, esi
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		cmp	byte ptr [ebp+var_2+1],	0
		pop	edi
		pop	esi
		jz	short loc_73723E
		xor	eax, eax
		inc	eax
		leave
		retn
; 

loc_73723E:				; CODE XREF: PspGetRedirectionTrustPolicy(x)+3Bj
		movzx	eax, byte ptr [ebp+var_2]
		neg	eax
		sbb	eax, eax
		and	eax, 2
		leave
		retn
_PspGetRedirectionTrustPolicy@4	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PspSetRedirectionTrustPolicy(x, x)
_PspSetRedirectionTrustPolicy@8	proc near
					; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+A6Cp
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+A96p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	esi, edx
		push	ebx
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		cmp	esi, 2
		mov	edi, eax
		mov	ecx, edi
		setz	dl
		call	_SeTokenSetRedirectionTrustPolicy@8 ; SeTokenSetRedirectionTrustPolicy(x,x)
		lea	ecx, [ebx+12Ch]
		mov	edx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
_PspSetRedirectionTrustPolicy@8	endp


;  S U B	R O U T	I N E 


; __stdcall PspApplyComponentFilterOptions(x, x)
_PspApplyComponentFilterOptions@8 proc near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+152Dp
		mov	eax, [edx+120h]
		test	eax, eax
		jz	short locret_73728C
		mov	eax, [eax]
		mov	[ecx+4C8h], eax

locret_73728C:				; CODE XREF: PspApplyComponentFilterOptions(x,x)+8j
		retn
_PspApplyComponentFilterOptions@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspDecodeMitigationExecuteOptions(x, x, x, x, x, x)
_PspDecodeMitigationExecuteOptions@24 proc near
					; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+4Fp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_0]
		xor	cl, cl
		movzx	eax, dl
		and	eax, 3
		sub	eax, 1
		jz	short loc_7372C1
		sub	eax, 1
		jz	short loc_7372BD
		sub	eax, 1
		jnz	short loc_7372C3
		add	cl, 9
		jmp	short loc_7372C3
; 

loc_7372BD:				; CODE XREF: PspDecodeMitigationExecuteOptions(x,x,x,x,x,x)+23j
		mov	cl, 3Ah
		jmp	short loc_7372C3
; 

loc_7372C1:				; CODE XREF: PspDecodeMitigationExecuteOptions(x,x,x,x,x,x)+1Ej
		mov	cl, 0Dh

loc_7372C3:				; CODE XREF: PspDecodeMitigationExecuteOptions(x,x,x,x,x,x)+28j
					; PspDecodeMitigationExecuteOptions(x,x,x,x,x,x)+2Dj ...
		mov	eax, [ebp+arg_4]
		shrd	edx, eax, 4
		mov	al, dl
		and	eax, 3
		sub	eax, 1
		jz	short loc_7372DE
		sub	eax, 1
		jnz	short loc_7372E1
		or	cl, 48h
		jmp	short loc_7372E1
; 

loc_7372DE:				; CODE XREF: PspDecodeMitigationExecuteOptions(x,x,x,x,x,x)+44j
		or	cl, 8

loc_7372E1:				; CODE XREF: PspDecodeMitigationExecuteOptions(x,x,x,x,x,x)+49j
					; PspDecodeMitigationExecuteOptions(x,x,x,x,x,x)+4Ej
		mov	al, cl
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_PspDecodeMitigationExecuteOptions@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspInheritMitigationAuditOptions(x,	x, x, x, x, x, x, x, x,	x, x, x, x)
_PspInheritMitigationAuditOptions@52 proc near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1334p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+13BCp

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+70h+var_54], ecx
		lea	edi, [esp+70h+var_50]
		push	6
		pop	ecx
		xor	eax, eax
		lea	esi, [ebp+arg_0]
		rep stosd
		push	6
		pop	ecx
		lea	edi, [esp+70h+var_1C]
		mov	[esp+70h+var_5C], eax
		rep movsd
		push	6
		pop	ecx
		lea	esi, [ebp+arg_18]
		lea	edi, [esp+70h+var_34]
		rep movsd

loc_737336:				; CODE XREF: PspInheritMitigationAuditOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)+F7j
		mov	esi, eax
		shl	esi, 2
		mov	edi, esi
		and	esi, 3Fh
		shr	edi, 6
		mov	ecx, esi
		mov	[esp+70h+var_58], esi
		mov	eax, [esp+edi*8+70h+var_34]
		mov	edx, [esp+edi*8+70h+var_30]
		call	__aullshr
		mov	edx, [esp+edi*8+70h+var_18]
		mov	bl, al
		mov	eax, [esp+edi*8+70h+var_1C]
		mov	ecx, esi
		and	bl, 3
		call	__aullshr
		and	eax, 3
		mov	ecx, eax
		mov	[esp+70h+var_60], eax
		sub	ecx, 0
		jz	short loc_73738F
		sub	ecx, 1
		jz	short loc_737387
		sub	ecx, 1
		jz	short loc_73738F
		sub	ecx, 1
		jnz	short loc_7373A6

loc_737387:				; CODE XREF: PspInheritMitigationAuditOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)+89j
		cmp	bl, 2
		setnz	al
		jmp	short loc_73739B
; 

loc_73738F:				; CODE XREF: PspInheritMitigationAuditOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)+84j
					; PspInheritMitigationAuditOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)+8Ej
		cmp	bl, 1
		jz	short loc_737399
		cmp	bl, 3
		jnz	short loc_7373A6

loc_737399:				; CODE XREF: PspInheritMitigationAuditOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)+A0j
		xor	al, al

loc_73739B:				; CODE XREF: PspInheritMitigationAuditOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)+9Bj
		test	al, al
		jnz	short loc_7373A6
		movzx	eax, bl
		mov	[esp+70h+var_60], eax

loc_7373A6:				; CODE XREF: PspInheritMitigationAuditOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)+93j
					; PspInheritMitigationAuditOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)+A5j ...
		push	0Fh
		pop	eax
		xor	edx, edx
		mov	ecx, esi
		call	__allshl
		mov	ecx, [esp+70h+var_58]
		mov	esi, eax
		mov	eax, [esp+70h+var_60]
		mov	ebx, edx
		not	esi
		not	ebx
		and	esi, [esp+edi*8+70h+var_50]
		xor	edx, edx
		and	ebx, [esp+edi*8+70h+var_4C]
		call	__allshl
		or	esi, eax
		or	ebx, edx
		mov	eax, [esp+70h+var_5C]
		inc	eax
		mov	[esp+edi*8+70h+var_50],	esi
		mov	[esp+edi*8+70h+var_4C],	ebx
		mov	[esp+70h+var_5C], eax
		cmp	eax, 27h
		jl	loc_737336
		mov	edi, [esp+70h+var_54]
		lea	esi, [esp+70h+var_50]
		push	6
		pop	ecx
		rep movsd
		mov	ecx, [esp+70h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	30h
_PspInheritMitigationAuditOptions@52 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspInheritMitigationOptions(x, x, x, x, x, x, x, x,	x, x, x, x, x)
_PspInheritMitigationOptions@52	proc near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1302p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1384p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+78h+var_54], ecx
		lea	edi, [esp+78h+var_50]
		push	6
		pop	ecx
		xor	eax, eax
		lea	esi, [ebp+arg_0]
		rep stosd
		push	6
		pop	ecx
		lea	edi, [esp+78h+var_34]
		mov	[esp+78h+var_64], eax
		rep movsd
		push	6
		pop	ecx
		lea	esi, [ebp+arg_18]
		lea	edi, [esp+78h+var_1C]
		rep movsd

loc_737454:				; CODE XREF: PspInheritMitigationOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)+D5j
		mov	edi, eax
		mov	ebx, eax
		shr	edi, 6
		and	ebx, 3Fh
		mov	ecx, ebx
		mov	[esp+78h+var_58], ebx
		mov	eax, [esp+edi*8+78h+var_34]
		mov	edx, [esp+edi*8+78h+var_30]
		call	__aullshr
		mov	edx, [esp+edi*8+78h+var_18]
		mov	ecx, ebx
		mov	[esp+78h+var_60], eax
		mov	eax, [esp+edi*8+78h+var_1C]
		call	__aullshr
		mov	ecx, [esp+78h+var_60]
		mov	[esp+78h+var_68], eax
		test	cl, 4
		jnz	short loc_737495
		test	al, 3
		jnz	short loc_73749B

loc_737495:				; CODE XREF: PspInheritMitigationOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)+7Fj
		mov	eax, ecx
		mov	[esp+78h+var_68], eax

loc_73749B:				; CODE XREF: PspInheritMitigationOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)+83j
		push	0Fh
		pop	eax
		xor	edx, edx
		mov	ecx, ebx
		call	__allshl
		mov	ecx, [esp+78h+var_58]
		mov	esi, eax
		mov	eax, [esp+78h+var_68]
		mov	ebx, edx
		not	esi
		not	ebx
		and	esi, [esp+edi*8+78h+var_50]
		and	eax, 0Fh
		and	ebx, [esp+edi*8+78h+var_4C]
		xor	edx, edx
		call	__allshl
		or	esi, eax
		or	ebx, edx
		mov	eax, [esp+78h+var_64]
		add	eax, 4
		mov	[esp+edi*8+78h+var_50],	esi
		mov	[esp+edi*8+78h+var_4C],	ebx
		mov	[esp+78h+var_64], eax
		cmp	eax, 9Ch
		jl	loc_737454
		mov	edi, [esp+78h+var_54]
		lea	esi, [esp+78h+var_50]
		push	6
		pop	ecx
		rep movsd
		mov	ecx, [esp+78h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	30h
_PspInheritMitigationOptions@52	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspValidateMitigationAuditOptions(x, x, x, x, x, x)
_PspValidateMitigationAuditOptions@24 proc near
					; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+A53p
					; sub_8D4C99+Ep ...

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0Bh
		pop	eax
		push	6
		pop	ecx
		lea	esi, [ebp+arg_0]
		mov	[esp+88h+var_4C], eax
		lea	edi, [esp+88h+var_70]
		mov	[esp+88h+var_74], eax
		xor	eax, eax
		mov	[esp+88h+var_58], 1
		rep movsd
		mov	[esp+88h+var_54], 7
		mov	edi, eax
		mov	[esp+88h+var_50], 9
		mov	ebx, 9Ch
		mov	[esp+88h+var_48], 0Ch
		xor	esi, esi
		mov	[esp+88h+var_44], 0Dh
		mov	[esp+88h+var_40], 0Eh
		mov	[esp+88h+var_3C], 11h
		mov	[esp+88h+var_38], 14h
		mov	[esp+88h+var_34], 15h
		mov	[esp+88h+var_30], 16h
		mov	[esp+88h+var_2C], 17h
		mov	[esp+88h+var_28], 18h
		mov	[esp+88h+var_24], 19h
		mov	[esp+88h+var_20], 1Ah
		mov	[esp+88h+var_1C], 1Fh
		mov	[esp+88h+var_18], 20h
		mov	[esp+88h+var_14], 21h
		mov	[esp+88h+var_10], 25h
		mov	[esp+88h+var_7C], eax
		mov	[esp+88h+var_78], eax

loc_7375DF:				; CODE XREF: PspValidateMitigationAuditOptions(x,x,x,x,x,x)+12Aj
		mov	edx, edi
		mov	ecx, edi
		shr	edx, 6
		and	ecx, 3Fh
		mov	eax, [esp+edx*8+88h+var_70]
		mov	edx, [esp+edx*8+88h+var_6C]
		call	__aullshr
		mov	cl, al
		mov	eax, [esp+88h+var_7C]
		and	cl, 3
		cmp	eax, 13h
		jnb	short loc_737611
		cmp	[esp+eax*4+88h+var_58],	esi
		jnz	short loc_737611
		inc	eax
		mov	[esp+88h+var_7C], eax
		jmp	short loc_737615
; 

loc_737611:				; CODE XREF: PspValidateMitigationAuditOptions(x,x,x,x,x,x)+F6j
					; PspValidateMitigationAuditOptions(x,x,x,x,x,x)+FCj
		test	cl, cl
		jnz	short loc_73766E

loc_737615:				; CODE XREF: PspValidateMitigationAuditOptions(x,x,x,x,x,x)+103j
		mov	eax, [esp+88h+var_78]
		cmp	eax, 1
		jnb	short loc_73762B
		cmp	[esp+eax*4+88h+var_74],	esi
		jnz	short loc_73762B
		inc	eax
		mov	[esp+88h+var_78], eax
		jmp	short loc_737630
; 

loc_73762B:				; CODE XREF: PspValidateMitigationAuditOptions(x,x,x,x,x,x)+110j
					; PspValidateMitigationAuditOptions(x,x,x,x,x,x)+116j
		cmp	cl, 3
		jz	short loc_73766E

loc_737630:				; CODE XREF: PspValidateMitigationAuditOptions(x,x,x,x,x,x)+11Dj
		add	edi, 4
		inc	esi
		cmp	edi, ebx
		jb	short loc_7375DF
		push	6
		pop	ecx
		lea	esi, [ebp+arg_0]
		lea	edi, [esp+88h+var_70]
		rep movsd

loc_737644:				; CODE XREF: PspValidateMitigationAuditOptions(x,x,x,x,x,x)+15Cj
		mov	edx, ebx
		mov	ecx, ebx
		shr	edx, 6
		and	ecx, 3Fh
		mov	eax, [esp+edx*8+88h+var_70]
		mov	edx, [esp+edx*8+88h+var_6C]
		call	__aullshr
		test	al, 3
		jnz	short loc_73766E
		add	ebx, 4
		cmp	ebx, 0C0h
		jb	short loc_737644
		xor	eax, eax
		jmp	short loc_737673
; 

loc_73766E:				; CODE XREF: PspValidateMitigationAuditOptions(x,x,x,x,x,x)+107j
					; PspValidateMitigationAuditOptions(x,x,x,x,x,x)+122j ...
		mov	eax, 0C000000Dh

loc_737673:				; CODE XREF: PspValidateMitigationAuditOptions(x,x,x,x,x,x)+160j
		mov	ecx, [esp+88h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
_PspValidateMitigationAuditOptions@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspValidateMitigationOptions(x, x, x, x, x,	x, x)
_PspValidateMitigationOptions@28 proc near
					; CODE XREF: PspReadIFEOMitigationOptions(x,x)+60p
					; PspBuildCreateProcessContext(x,x,x,x)+764p ...

var_5A		= byte ptr -5Ah
var_59		= byte ptr -59h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+68h+var_59], cl
		lea	esi, [ebp+arg_0]
		push	6
		xor	eax, eax
		mov	[esp+6Ch+var_38], 1
		pop	ecx
		lea	edi, [esp+68h+var_54]
		mov	[esp+68h+var_3C], eax
		rep movsd
		mov	[esp+68h+var_34], 2
		mov	edi, eax
		mov	[esp+68h+var_30], 9
		mov	ebx, 9Ch
		mov	[esp+68h+var_2C], 0Ah
		xor	esi, esi
		mov	[esp+68h+var_28], 0Bh
		mov	[esp+68h+var_24], 0Ch
		mov	[esp+68h+var_20], 11h
		mov	[esp+68h+var_1C], 19h
		mov	[esp+68h+var_18], 1Bh
		mov	[esp+68h+var_14], 1Fh
		mov	[esp+68h+var_10], 20h
		mov	[esp+68h+var_C], 21h
		mov	[esp+68h+var_8], 26h
		mov	[esp+68h+var_58], eax

loc_73772E:				; CODE XREF: PspValidateMitigationOptions(x,x,x,x,x,x,x)+EDj
		mov	edx, edi
		mov	ecx, edi
		shr	edx, 6
		and	ecx, 3Fh
		mov	eax, [esp+edx*8+68h+var_54]
		mov	edx, [esp+edx*8+68h+var_50]
		call	__aullshr
		mov	cl, al
		and	cl, 0Fh
		cmp	[esp+68h+var_59], 0
		jnz	short loc_737756
		test	cl, 4
		jnz	short loc_7377BE

loc_737756:				; CODE XREF: PspValidateMitigationOptions(x,x,x,x,x,x,x)+C5j
		mov	eax, [esp+68h+var_58]
		cmp	eax, 0Eh
		jnb	short loc_73776C
		cmp	[esp+eax*4+68h+var_3C],	esi
		jnz	short loc_73776C
		inc	eax
		mov	[esp+68h+var_58], eax
		jmp	short loc_737771
; 

loc_73776C:				; CODE XREF: PspValidateMitigationOptions(x,x,x,x,x,x,x)+D3j
					; PspValidateMitigationOptions(x,x,x,x,x,x,x)+D9j
		cmp	cl, 3
		jz	short loc_7377BE

loc_737771:				; CODE XREF: PspValidateMitigationOptions(x,x,x,x,x,x,x)+E0j
		add	edi, 4
		inc	esi
		cmp	edi, ebx
		jb	short loc_73772E
		push	6
		pop	ecx
		lea	esi, [ebp+arg_0]
		lea	edi, [esp+68h+var_54]
		rep movsd

loc_737785:				; CODE XREF: PspValidateMitigationOptions(x,x,x,x,x,x,x)+11Fj
		mov	edx, ebx
		mov	ecx, ebx
		shr	edx, 6
		and	ecx, 3Fh
		mov	eax, [esp+edx*8+68h+var_54]
		mov	edx, [esp+edx*8+68h+var_50]
		call	__aullshr
		test	al, 0Fh
		jnz	short loc_7377BE
		add	ebx, 4
		cmp	ebx, 0C0h
		jb	short loc_737785
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_C]
		shrd	ecx, eax, 0Ch
		test	cl, 3
		ja	short loc_7377BE
		xor	eax, eax
		jmp	short loc_7377C3
; 

loc_7377BE:				; CODE XREF: PspValidateMitigationOptions(x,x,x,x,x,x,x)+CAj
					; PspValidateMitigationOptions(x,x,x,x,x,x,x)+E5j ...
		mov	eax, 0C000000Dh

loc_7377C3:				; CODE XREF: PspValidateMitigationOptions(x,x,x,x,x,x,x)+132j
		mov	ecx, [esp+68h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
_PspValidateMitigationOptions@28 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueueApcThreadEx2(x, x, x, x, x, x, x)
_NtQueueApcThreadEx2@28	proc near	; CODE XREF: NtQueueApcThread(x,x,x,x,x)+18p
					; NtQueueApcThreadEx(x,x,x,x,x,x)+2Ap
					; DATA XREF: ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		test	[ebp+arg_8], 0FFFEFFFEh
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	byte ptr [ebp+var_10], 1
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_8], al
		jnz	loc_737935
		test	byte ptr [ebp+arg_8], 1
		mov	esi, [ebp+arg_4]
		jz	short loc_737817
		test	esi, esi
		jnz	loc_737935
		mov	bl, 1
		jmp	short loc_737819
; 

loc_737817:				; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+31j
		xor	bl, bl

loc_737819:				; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+3Dj
		mov	eax, ds:_PsThreadType
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	0
		push	ecx
		push	[ebp+var_8]
		push	eax
		push	10h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_73793A
		push	edi
		mov	edi, [ebp+var_4]
		test	dword ptr [edi+58h], 400h
		jz	short loc_737855
		mov	esi, 0C0000008h
		jmp	loc_737929
; 

loc_737855:				; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+71j
		test	esi, esi
		jz	short loc_7378AE
		mov	eax, ds:_PspMemoryReserveObjectTypes
		lea	ecx, [ebp+var_C]
		and	[ebp+var_C], 0
		push	0
		push	ecx
		push	[ebp+var_8]
		push	eax
		push	2
		push	esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_737929
		mov	esi, [ebp+var_C]
		xor	ecx, ecx
		inc	ecx
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_73789F
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	esi, 0C00000F0h
		jmp	loc_737929
; 

loc_73789F:				; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+B4j
		add	esi, 4
		mov	eax, offset _PspUserApcReserveKernelRoutine@20 ; PspUserApcReserveKernelRoutine(x,x,x,x,x)
		mov	edi, offset _PspUserApcReserveRundownRoutine@4 ; PspUserApcReserveRundownRoutine(x)
		jmp	short loc_7378E5
; 

loc_7378AE:				; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+7Fj
		push	70617350h
		push	30h
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		test	esi, esi
		jnz	short loc_7378CC
		mov	esi, 0C0000017h
		jmp	short loc_737929
; 

loc_7378CC:				; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+EBj
		mov	eax, offset _KeSpecialUserApcKernelRoutine@20 ;	KeSpecialUserApcKernelRoutine(x,x,x,x,x)
		test	bl, bl
		jnz	short loc_7378DA
		mov	eax, offset _IopDeallocateApc@20 ; IopDeallocateApc(x,x,x,x,x)

loc_7378DA:				; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+FBj
		xor	bl, 1
		mov	edi, offset _ExFreePool@4 ; ExFreePool(x)
		mov	byte ptr [ebp+var_10], bl

loc_7378E5:				; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+D4j
		push	[ebp+arg_10]
		push	[ebp+var_10]
		push	[ebp+arg_C]
		push	edi
		push	eax
		push	0
		push	[ebp+var_4]
		push	esi
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		test	[ebp+arg_8], 10000h
		jz	short loc_737908
		or	byte ptr [esi+1], 1

loc_737908:				; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+12Aj
		push	0
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	esi
		call	KeInsertQueueApc
		test	al, al
		jnz	short loc_737924
		push	esi
		call	edi ; ExFreePool(x) ; ExFreePool(x)
		mov	esi, 0C0000001h
		jmp	short loc_737926
; 

loc_737924:				; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+140j
		xor	esi, esi

loc_737926:				; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+14Aj
		mov	edi, [ebp+var_4]

loc_737929:				; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+78j
					; NtQueueApcThreadEx2(x,x,x,x,x,x,x)+A0j ...
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, esi
		pop	edi
		jmp	short loc_73793A
; 

loc_737935:				; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+24j
					; NtQueueApcThreadEx2(x,x,x,x,x,x,x)+35j
		mov	eax, 0C000000Dh

loc_73793A:				; CODE XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+60j
					; NtQueueApcThreadEx2(x,x,x,x,x,x,x)+15Bj
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_NtQueueApcThreadEx2@28	endp


;  S U B	R O U T	I N E 


; __stdcall RtlpFcValidateFeatureConfiguration(x)
_RtlpFcValidateFeatureConfiguration@4 proc near
					; CODE XREF: RtlpFcValidateFeatureConfigurationBuffer(x,x)+91p
		mov	edx, [ecx+4]
		mov	ecx, edx
		shr	ecx, 4
		and	ecx, 3
		call	_RtlpIsValidFeatureEnabledState@4 ; RtlpIsValidFeatureEnabledState(x)
		test	al, al
		jnz	short loc_73795A
		mov	eax, 0C000000Dh
		retn
; 

loc_73795A:				; CODE XREF: RtlpFcValidateFeatureConfiguration(x)+12j
		shr	edx, 6
		and	edx, 1
		mov	ecx, edx
		call	_RtlpIsValidFeatureEnabledStateOptions@4 ; RtlpIsValidFeatureEnabledStateOptions(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFF3h
		add	eax, 0C000000Dh
		retn
_RtlpFcValidateFeatureConfiguration@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcValidateFeatureConfigurationBuffer(x,	x)
_RtlpFcValidateFeatureConfigurationBuffer@8 proc near
					; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+193p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		mov	eax, ecx
		mov	[ebp+var_8], eax
		push	esi
		mov	esi, edx
		test	eax, eax
		jnz	short loc_7379A1
		neg	esi
		sbb	esi, esi
		and	esi, 0C000000Dh
		jmp	loc_737A23
; 

loc_7379A1:				; CODE XREF: RtlpFcValidateFeatureConfigurationBuffer(x,x)+16j
		cmp	esi, 4
		jnb	short loc_7379AD

loc_7379A6:				; CODE XREF: RtlpFcValidateFeatureConfigurationBuffer(x,x)+35j
		mov	esi, 0C000000Dh
		jmp	short loc_737A23
; 

loc_7379AD:				; CODE XREF: RtlpFcValidateFeatureConfigurationBuffer(x,x)+2Aj
		test	al, 3
		jnz	short loc_7379A6
		push	edi
		mov	edi, [eax]
		mov	eax, edi
		push	0Ch
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_C], edi
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_7379E3
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		push	eax
		push	4
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_7379E3
		cmp	[ebp+var_4], esi
		jbe	short loc_7379EA

loc_7379E3:				; CODE XREF: RtlpFcValidateFeatureConfigurationBuffer(x,x)+50j
					; RtlpFcValidateFeatureConfigurationBuffer(x,x)+62j
		mov	esi, 0C000000Dh
		jmp	short loc_737A22
; 

loc_7379EA:				; CODE XREF: RtlpFcValidateFeatureConfigurationBuffer(x,x)+67j
		push	ebx
		xor	ebx, ebx
		test	edi, edi
		jz	short loc_737A1F
		mov	edi, [ebp+var_8]
		add	edi, 4

loc_7379F7:				; CODE XREF: RtlpFcValidateFeatureConfigurationBuffer(x,x)+A3j
		test	ebx, ebx
		jz	short loc_737A09
		lea	ecx, [edi-0Ch]
		mov	edx, edi
		call	_RtlFcpCompareFeatureToFeature@8 ; RtlFcpCompareFeatureToFeature(x,x)
		test	eax, eax
		jns	short loc_737A28

loc_737A09:				; CODE XREF: RtlpFcValidateFeatureConfigurationBuffer(x,x)+7Fj
		mov	ecx, edi
		call	_RtlpFcValidateFeatureConfiguration@4 ;	RtlpFcValidateFeatureConfiguration(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_737A21
		inc	ebx
		add	edi, 0Ch
		cmp	ebx, [ebp+var_C]
		jb	short loc_7379F7

loc_737A1F:				; CODE XREF: RtlpFcValidateFeatureConfigurationBuffer(x,x)+75j
		xor	esi, esi

loc_737A21:				; CODE XREF: RtlpFcValidateFeatureConfigurationBuffer(x,x)+9Aj
					; RtlpFcValidateFeatureConfigurationBuffer(x,x)+B3j
		pop	ebx

loc_737A22:				; CODE XREF: RtlpFcValidateFeatureConfigurationBuffer(x,x)+6Ej
		pop	edi

loc_737A23:				; CODE XREF: RtlpFcValidateFeatureConfigurationBuffer(x,x)+22j
					; RtlpFcValidateFeatureConfigurationBuffer(x,x)+31j
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_737A28:				; CODE XREF: RtlpFcValidateFeatureConfigurationBuffer(x,x)+8Dj
		mov	esi, 0C000000Dh
		jmp	short loc_737A21
_RtlpFcValidateFeatureConfigurationBuffer@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcValidateFeatureUsageSubscriptionBuffer(x, x)
_RtlpFcValidateFeatureUsageSubscriptionBuffer@8	proc near
					; CODE XREF: CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+12Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		test	ebx, ebx
		jnz	short loc_737A50
		neg	esi
		sbb	esi, esi
		and	esi, 0C000000Dh
		jmp	short loc_737AB4
; 

loc_737A50:				; CODE XREF: RtlpFcValidateFeatureUsageSubscriptionBuffer(x,x)+12j
		cmp	esi, 4
		jnb	short loc_737A5C

loc_737A55:				; CODE XREF: RtlpFcValidateFeatureUsageSubscriptionBuffer(x,x)+2Fj
		mov	esi, 0C000000Dh
		jmp	short loc_737AB4
; 

loc_737A5C:				; CODE XREF: RtlpFcValidateFeatureUsageSubscriptionBuffer(x,x)+23j
		test	bl, 3
		jnz	short loc_737A55
		push	edi
		mov	edi, [ebx]
		mov	eax, edi
		push	10h
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_737ABA
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		push	eax
		push	4
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_737ABA
		cmp	[ebp+var_4], esi
		ja	short loc_737ABA
		xor	esi, esi
		test	edi, edi
		jz	short loc_737AB1
		lea	ecx, [ebx-0Ch]

loc_737A99:				; CODE XREF: RtlpFcValidateFeatureUsageSubscriptionBuffer(x,x)+7Fj
		test	esi, esi
		jz	short loc_737AA9
		lea	edx, [ecx+10h]
		call	_RtlpFcCompareUsageSubscriptionToUsageSubscription@8 ; RtlpFcCompareUsageSubscriptionToUsageSubscription(x,x)
		test	eax, eax
		jns	short loc_737ABA

loc_737AA9:				; CODE XREF: RtlpFcValidateFeatureUsageSubscriptionBuffer(x,x)+6Bj
		inc	esi
		add	ecx, 10h
		cmp	esi, edi
		jb	short loc_737A99

loc_737AB1:				; CODE XREF: RtlpFcValidateFeatureUsageSubscriptionBuffer(x,x)+64j
		xor	esi, esi

loc_737AB3:				; CODE XREF: RtlpFcValidateFeatureUsageSubscriptionBuffer(x,x)+8Fj
		pop	edi

loc_737AB4:				; CODE XREF: RtlpFcValidateFeatureUsageSubscriptionBuffer(x,x)+1Ej
					; RtlpFcValidateFeatureUsageSubscriptionBuffer(x,x)+2Aj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_737ABA:				; CODE XREF: RtlpFcValidateFeatureUsageSubscriptionBuffer(x,x)+47j
					; RtlpFcValidateFeatureUsageSubscriptionBuffer(x,x)+59j ...
		mov	esi, 0C000000Dh
		jmp	short loc_737AB3
_RtlpFcValidateFeatureUsageSubscriptionBuffer@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall SeDeleteCodeIntegrityOriginClaimForFileObject(x)
_SeDeleteCodeIntegrityOriginClaimForFileObject@4 proc near ; CODE XREF:	PAGE:007A371Ap
		mov	eax, dword_6BEA8C
		test	eax, eax
		jz	short locret_737ACE
		push	ecx
		call	eax

locret_737ACE:				; CODE XREF: SeDeleteCodeIntegrityOriginClaimForFileObject(x)+7j
		retn
_SeDeleteCodeIntegrityOriginClaimForFileObject@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall SeDeleteCodeIntegrityOriginClaimMembers(x)
_SeDeleteCodeIntegrityOriginClaimMembers@4 proc	near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C70p
		mov	eax, dword_6BEA88
		test	eax, eax
		jz	short locret_737ADC
		push	ecx
		call	eax

locret_737ADC:				; CODE XREF: SeDeleteCodeIntegrityOriginClaimMembers(x)+7j
		retn
_SeDeleteCodeIntegrityOriginClaimMembers@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall SeGetCodeIntegrityOriginClaimForFileObject(x, x)
_SeGetCodeIntegrityOriginClaimForFileObject@8 proc near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1110p
		mov	eax, dword_6BEA84
		test	eax, eax
		jnz	short loc_737AED
		mov	eax, 0C0000225h
		retn
; 

loc_737AED:				; CODE XREF: SeGetCodeIntegrityOriginClaimForFileObject(x,x)+7j
		push	edx
		push	ecx
		call	eax
		retn
_SeGetCodeIntegrityOriginClaimForFileObject@8 endp


;  S U B	R O U T	I N E 


; __stdcall SepGetSystemSigningLevel()
_SepGetSystemSigningLevel@0 proc near	; DATA XREF: .text:004037F0o
		mov	al, ds:_SeILSigningPolicy
		test	al, al
		jnz	short loc_737B00
		mov	al, _SeILSigningPolicyRuntime

loc_737B00:				; CODE XREF: SepGetSystemSigningLevel()+7j
		movzx	eax, al
		retn
_SepGetSystemSigningLevel@0 endp


;  S U B	R O U T	I N E 


; __stdcall SepFinalizeTokenAcls(x)
_SepFinalizeTokenAcls@4	proc near	; CODE XREF: SepCreateTokenEx+94Bp
					; SepCreateTokenEx+A94p ...
		mov	edi, edi
		push	esi
		push	ds:_SeAliasAdminsSid
		mov	esi, ecx
		push	8
		pop	edx
		call	SepAppendAceToTokenObjectAcl
		test	eax, eax
		js	short loc_737B23
		mov	ecx, esi
		pop	esi
		jmp	_SepSetProcessTrustLabelAceForToken@4 ;	SepSetProcessTrustLabelAceForToken(x)
; 

loc_737B23:				; CODE XREF: SepFinalizeTokenAcls(x)+15j
		pop	esi
		retn
_SepFinalizeTokenAcls@4	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall VmCheckPageCombine(x, x)
_VmCheckPageCombine@8 proc near		; CODE XREF: MiCapturePfnVm(x,x,x,x,x,x,x,x,x)+198p
		mov	eax, [ecx+3E4h]
		test	eax, eax
		jz	short loc_737B3D
		test	byte ptr [eax+2Ch], 1
		jnz	short loc_737B3A
		test	edx, edx
		jnz	short loc_737B3D

loc_737B3A:				; CODE XREF: VmCheckPageCombine(x,x)+Ej
		xor	eax, eax
		retn
; 

loc_737B3D:				; CODE XREF: VmCheckPageCombine(x,x)+8j
					; VmCheckPageCombine(x,x)+12j
		xor	eax, eax
		inc	eax
		retn
_VmCheckPageCombine@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTimLogBlockNonCetBinaries(x, x, x, x, x,	x)
_EtwTimLogBlockNonCetBinaries@24 proc near ; CODE XREF:	PsBlockNonCetBinaries(x,x,x,x)+70p

var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_E8		= dword	ptr -0E8h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 224h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_1F8], ecx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_210], ebx
		mov	edi, [esi+1C0h]
		mov	[ebp+var_20C], ebx
		mov	[ebp+var_218], ebx
		mov	[ebp+var_214], ebx
		test	edi, edi
		jnz	short loc_737B8B
		mov	edi, (offset loc_403A20+4)

loc_737B8B:				; CODE XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+42j
		movzx	eax, word ptr [edi]
		mov	edx, offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		mov	[ebp+var_1D4], ebx
		mov	[ebp+var_204], edx
		push	0Ch
		pop	ecx
		mov	[ebp+var_1DC], ecx
		push	2
		pop	ebx
		mov	[ebp+var_1D0], ebx
		test	ax, ax
		jz	short loc_737BF8
		shr	ax, 1
		xor	edx, edx
		movzx	eax, ax
		mov	[ebp+var_1EC], eax
		lea	eax, [ebp+var_1EC]
		mov	[ebp+var_1D8], eax
		mov	[ebp+var_1CC], edx
		movzx	ecx, word ptr [edi]
		mov	eax, [edi+4]
		mov	[ebp+var_1C8], eax
		mov	eax, ecx
		mov	[ebp+var_1C4], edx
		mov	[ebp+var_1C0], eax
		mov	[ebp+var_1BC], edx
		jmp	short loc_737C2E
; 

loc_737BF8:				; CODE XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+72j
		lea	eax, [ebp+var_1EC]
		mov	[ebp+var_1EC], 6
		mov	[ebp+var_1D8], eax
		xor	eax, eax
		mov	[ebp+var_1CC], eax
		mov	[ebp+var_1C8], edx
		mov	[ebp+var_1C4], eax
		mov	[ebp+var_1C0], ecx
		mov	[ebp+var_1BC], eax

loc_737C2E:				; CODE XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+B4j
		lea	edx, [ebp+var_210]
		mov	ecx, esi
		call	EtwpQueryProcessCommandLine
		mov	ecx, [ebp+var_210]
		lea	edx, [ebp+var_21C]
		mov	eax, [ebp+var_20C]
		mov	[ebp+var_1FC], ecx
		mov	[ebp+var_1F0], eax
		mov	[ebp+var_1B8], edx
		mov	[ebp+var_1B0], ebx
		test	cx, cx
		jz	short loc_737C8C
		and	[ebp+var_1B4], 0
		and	[ebp+var_1AC], 0
		mov	[ebp+var_1E4], eax
		mov	ax, cx
		shr	ax, 1
		movzx	edx, cx
		movzx	eax, ax
		jmp	short loc_737CAA
; 

loc_737C8C:				; CODE XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+126j
		and	[ebp+var_1B4], 0
		and	[ebp+var_1AC], 0
		push	0Ch
		pop	edx
		push	6
		mov	[ebp+var_1E4], offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		pop	eax

loc_737CAA:				; CODE XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+148j
		and	[ebp+var_1A4], 0
		lea	ecx, [ebp+var_198]
		and	[ebp+var_19C], 0
		movzx	eax, ax
		mov	[ebp+var_21C], eax
		mov	eax, [ebp+var_1E4]
		mov	[ebp+var_1A8], eax
		lea	eax, [ebp+var_218]
		mov	[ebp+var_1A0], edx
		mov	edx, esi
		push	eax
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		lea	esi, [eax+4]
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_1E4], esi
		test	eax, eax
		jz	short loc_737D16
		movzx	ecx, word ptr [eax]
		test	cx, cx
		jz	short loc_737D16
		mov	eax, [eax+4]
		mov	[ebp+var_1DC], ecx
		shr	cx, 1
		mov	[ebp+var_204], eax
		movzx	eax, cx
		jmp	short loc_737D19
; 

loc_737D16:				; CODE XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+1B3j
					; EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+1BBj
		push	6
		pop	eax

loc_737D19:				; CODE XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+1D2j
		movzx	eax, ax
		mov	edx, esi
		mov	[ebp+var_220], eax
		mov	ecx, esi
		mov	eax, [ebp+var_1E4]
		add	esi, esi
		add	eax, eax
		shl	edx, 4
		mov	[ebp+var_1F4], edx
		add	ecx, ecx
		lea	edx, [ebp+var_220]
		mov	[ebp+eax*8+var_1D8], edx
		and	[ebp+eax*8+var_1D4], 0
		mov	edx, [ebp+var_1F4]
		mov	[ebp+edx+var_1D0], ebx
		lea	edx, [ebp+arg_0]
		and	[ebp+ecx*8+var_1CC], 0
		mov	ecx, [ebp+var_1E4]
		mov	eax, [ebp+var_204]
		mov	[ebp+esi*8+var_1C8], eax
		and	[ebp+esi*8+var_1C4], 0
		mov	eax, [ebp+var_1DC]
		mov	[ebp+esi*8+var_1C0], eax
		lea	eax, [ecx+2]
		and	[ebp+esi*8+var_1BC], 0
		add	eax, eax
		xor	esi, esi
		mov	[ebp+eax*8+var_1D8], edx
		lea	edx, [ebp+arg_4]
		mov	[ebp+eax*8+var_1D4], esi
		mov	[ebp+eax*8+var_1CC], esi
		mov	[ebp+eax*8+var_1D0], 4
		lea	eax, [ecx+3]
		add	eax, eax
		mov	[ebp+eax*8+var_1D8], edx
		lea	edx, [ebp+arg_C]
		mov	[ebp+eax*8+var_1D4], esi
		mov	[ebp+eax*8+var_1CC], esi
		mov	[ebp+eax*8+var_1D0], 4
		lea	eax, [ecx+4]
		add	eax, eax
		add	ecx, 5
		mov	[ebp+eax*8+var_1D4], esi
		mov	[ebp+eax*8+var_1CC], esi
		mov	esi, [ebp+var_1F8]
		mov	[ebp+eax*8+var_1D8], edx
		mov	[ebp+eax*8+var_1D0], 4
		mov	eax, offset _MITIGATION_AUDIT_BLOCK_NON_CET_BINARIES
		cmp	esi, 1
		jz	short loc_737E27
		mov	eax, offset _MITIGATION_ENFORCE_BLOCK_NON_CET_BINARIES

loc_737E27:				; CODE XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+2DEj
		lea	edx, [ebp+var_1D8]
		push	edx
		push	ecx
		push	0
		push	eax
		push	dword_6BC324
		push	_EtwSecurityMitigationsRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	dword_6B2A40, 5
		jbe	loc_737FF0
		push	4000h
		push	0
		mov	ecx, offset dword_6B2A40
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_737FF0
		lea	eax, [ebp+var_1F8]
		mov	[ebp+var_1F8], esi
		mov	[ebp+var_C8], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_A0]
		mov	esi, [ebp+var_1F0]
		mov	[ebp+var_B8], eax
		mov	eax, [edi+4]
		mov	[ebp+var_A8], eax
		movzx	eax, word ptr [edi]
		xor	edi, edi
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_98], eax
		mov	eax, [ebp+var_1FC]
		movzx	eax, ax
		mov	[ebp+var_80], eax
		mov	eax, [ebp+var_218]
		mov	[ebp+var_208], eax
		mov	eax, [ebp+var_214]
		mov	[ebp+var_204], eax
		lea	eax, [ebp+var_208]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_68], eax
		mov	[ebp+var_C4], ecx
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_A4], ecx
		mov	ecx, [ebp+arg_8]
		push	8
		pop	edx
		push	4
		mov	eax, [ecx+4]
		mov	[ebp+var_58], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_1FC], eax
		lea	eax, [ebp+var_1FC]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_1F4], eax
		lea	eax, [ebp+var_1F4]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1DC], eax
		lea	eax, [ebp+var_1DC]
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_1E8]
		mov	[ebp+var_C0], 4
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_9C], edi
		mov	[ebp+var_94], edi
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], edi
		mov	[ebp+var_88], esi
		mov	[ebp+var_84], edi
		mov	[ebp+var_7C], edi
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], edi
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_4C], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_1E8], 1000000h
		mov	[ebp+var_1E4], edi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_14], edi
		push	eax
		push	0Eh
		push	edi
		push	edi
		push	offset loc_423B12
		push	offset dword_6B2A40
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	short loc_737FF8
; 

loc_737FF0:				; CODE XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+308j
					; EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+321j
		mov	esi, [ebp+var_1F0]
		xor	edi, edi

loc_737FF8:				; CODE XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+4ACj
		test	esi, esi
		jz	short loc_738003
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_738003:				; CODE XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+4B8j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_EtwTimLogBlockNonCetBinaries@24 endp


;  S U B	R O U T	I N E 


; __stdcall EtwTimLogProhibitFsctlSystemCalls(x, x)
_EtwTimLogProhibitFsctlSystemCalls@8 proc near ; CODE XREF: PAGE:0081D04Fp
		mov	edi, edi
		push	esi
		lea	esi, [edx+4D0h]
		test	byte ptr [esi],	4
		jz	short loc_738043
		mov	eax, offset _MITIGATION_AUDIT_PROHIBIT_FSCTL_SYSTEM_CALLS
		cmp	ecx, 1
		jz	short loc_738031
		mov	eax, offset _MITIGATION_ENFORCE_PROHIBIT_FSCTL_SYSTEM_CALLS

loc_738031:				; CODE XREF: EtwTimLogProhibitFsctlSystemCalls(x,x)+16j
		push	edx
		push	eax
		push	3
		mov	edx, ecx
		pop	ecx
		call	_EtwpTimLogMitigationForProcess@16 ; EtwpTimLogMitigationForProcess(x,x,x,x)
		push	0FFFFFFFBh
		pop	eax
		lock and [esi],	eax

loc_738043:				; CODE XREF: EtwTimLogProhibitFsctlSystemCalls(x,x)+Cj
		pop	esi
		retn
_EtwTimLogProhibitFsctlSystemCalls@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTimLogRedirectionTrustPolicy(x, x, x, x,	x)
_EtwTimLogRedirectionTrustPolicy@20 proc near
					; CODE XREF: IoCheckRedirectionTrustLevel(x,x,x,x,x)+107p

var_5F0		= dword	ptr -5F0h
var_5EC		= dword	ptr -5ECh
var_5D4		= dword	ptr -5D4h
var_5D0		= dword	ptr -5D0h
var_5CC		= dword	ptr -5CCh
var_5C8		= dword	ptr -5C8h
var_5C4		= dword	ptr -5C4h
var_5C0		= dword	ptr -5C0h
var_5BC		= dword	ptr -5BCh
var_5B8		= dword	ptr -5B8h
var_5B4		= dword	ptr -5B4h
var_5B0		= dword	ptr -5B0h
var_5AC		= dword	ptr -5ACh
var_5A8		= dword	ptr -5A8h
var_5A4		= dword	ptr -5A4h
var_5A0		= dword	ptr -5A0h
var_59C		= dword	ptr -59Ch
var_598		= dword	ptr -598h
var_594		= dword	ptr -594h
var_590		= dword	ptr -590h
var_58C		= dword	ptr -58Ch
var_588		= dword	ptr -588h
var_584		= dword	ptr -584h
var_580		= dword	ptr -580h
var_57C		= dword	ptr -57Ch
var_578		= dword	ptr -578h
var_574		= dword	ptr -574h
var_570		= dword	ptr -570h
var_56C		= dword	ptr -56Ch
var_568		= dword	ptr -568h
var_564		= dword	ptr -564h
var_560		= dword	ptr -560h
var_55C		= dword	ptr -55Ch
var_558		= dword	ptr -558h
var_554		= dword	ptr -554h
var_550		= dword	ptr -550h
var_54C		= dword	ptr -54Ch
var_548		= dword	ptr -548h
var_544		= dword	ptr -544h
var_53C		= dword	ptr -53Ch
var_538		= dword	ptr -538h
var_534		= dword	ptr -534h
var_52E		= byte ptr -52Eh
var_52D		= byte ptr -52Dh
var_52C		= dword	ptr -52Ch
var_528		= dword	ptr -528h
var_524		= dword	ptr -524h
var_520		= dword	ptr -520h
var_51C		= dword	ptr -51Ch
var_518		= dword	ptr -518h
var_514		= dword	ptr -514h
var_510		= dword	ptr -510h
var_50C		= dword	ptr -50Ch
var_508		= dword	ptr -508h
var_504		= dword	ptr -504h
var_500		= dword	ptr -500h
var_4FC		= dword	ptr -4FCh
var_4F8		= dword	ptr -4F8h
var_4F4		= dword	ptr -4F4h
var_4F0		= dword	ptr -4F0h
var_4EC		= dword	ptr -4ECh
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_20C		= dword	ptr -20Ch
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5F0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	7
		pop	eax
		mov	[ebp+var_570], ecx
		lea	edi, [ebp+var_5F0]
		mov	ecx, eax
		mov	ebx, edx
		xor	edx, edx
		mov	[ebp+var_534], ebx
		xor	eax, eax
		mov	[ebp+var_594], edx
		push	40h		; size_t
		rep stosd
		push	edx		; int
		lea	eax, [ebp+var_24C]
		mov	[ebp+var_590], edx
		push	eax		; void *
		mov	[ebp+var_560], edx
		mov	[ebp+var_56C], edx
		mov	[ebp+var_568], edx
		mov	[ebp+var_564], edx
		mov	[ebp+var_584], edx
		mov	[ebp+var_580], edx
		mov	[ebp+var_554], edx
		mov	[ebp+var_550], edx
		mov	[ebp+var_578], edx
		call	_memset
		movzx	eax, [ebp+arg_8]
		add	esp, 0Ch
		xor	edx, edx
		mov	[ebp+var_588], eax
		mov	eax, [ebx+4CCh]
		inc	edx
		mov	[ebp+var_548], eax
		xor	ecx, ecx
		push	edx
		push	10h
		pop	eax
		push	eax
		mov	[ebp+var_58C], eax
		lea	eax, [ebp+var_24C]
		push	eax
		mov	[ebp+var_52E], cl
		mov	[ebp+var_538], ecx
		mov	[ebp+var_55C], ecx
		mov	[ebp+var_52D], dl
		call	RtlWalkFrameChain
		movzx	ebx, ax
		xor	eax, eax
		push	7
		mov	[ebp+var_558], ebx
		pop	edi
		lea	ecx, [eax+1]

loc_73812C:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+107j
		mov	edx, edi
		cmp	bx, di
		ja	short loc_738136
		movzx	edx, bx

loc_738136:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+EBj
		movzx	esi, cx
		mov	[ebp-540h], esi
		cmp	esi, edx
		jnb	short loc_73814F
		mov	edx, esi
		add	eax, [ebp+edx*4+var_24C]
		inc	ecx
		jmp	short loc_73812C
; 

loc_73814F:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+FBj
		mov	esi, [ebp+var_538]
		mov	edi, esi
		mov	[ebp+var_53C], eax
		test	eax, eax
		jnz	short loc_73816A
		xor	eax, eax
		inc	eax
		mov	[ebp+var_53C], eax

loc_73816A:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+119j
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+1E9j
		mov	ecx, [ebp+var_548]
		test	ecx, ecx
		jnz	short loc_7381D2
		push	6E734954h
		push	28h
		push	ecx
		push	100h
		call	_ExAllocatePool2@16 ; ExAllocatePool2(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_738237
		mov	ebx, [ebp+var_534]
		mov	ecx, edx
		xor	eax, eax
		add	ebx, 4CCh
		lock cmpxchg [ebx], ecx
		mov	esi, [ebp+var_538]
		mov	ebx, [ebp+var_558]
		mov	[ebp+var_548], eax
		test	eax, eax
		jz	short loc_7381CA
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_548]
		jmp	short loc_7381D2
; 

loc_7381CA:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+172j
		mov	ecx, edx
		mov	[ebp+var_548], ecx

loc_7381D2:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+12Cj
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+182j
		cmp	edi, 0Ah
		jnb	short loc_7381FA
		mov	eax, [ebp+var_53C]

loc_7381DD:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+1A6j
		mov	edx, [ecx+edi*4]
		test	edx, edx
		jz	short loc_7381F7
		cmp	edx, eax
		jz	short loc_7381F0
		inc	edi
		cmp	edi, 0Ah
		jb	short loc_7381DD
		jmp	short loc_7381F7
; 

loc_7381F0:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+1A0j
		mov	[ebp+var_52D], 0

loc_7381F7:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+19Cj
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+1A8j
		cmp	edi, 0Ah

loc_7381FA:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+18Fj
		sbb	al, al
		and	al, [ebp+var_52D]
		mov	[ebp+var_52D], al
		mov	cl, al
		jz	short loc_738239
		mov	ecx, [ebp+var_534]
		mov	edx, [ebp+var_53C]
		mov	eax, [ecx+4CCh]
		lea	ecx, [eax+edi*4]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		mov	cl, [ebp+var_52D]
		test	eax, eax
		jnz	loc_73816A
		jmp	short loc_738239
; 

loc_738237:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+144j
		xor	cl, cl

loc_738239:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+1C4j
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+1EFj
		test	cl, cl
		jz	loc_738D69
		push	(offset	loc_8B7595+1)
		lea	eax, [ebp+var_554]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	bx, bx
		jz	loc_738386
		movzx	eax, bx
		mov	edi, 6E734954h
		mov	[ebp-540h], eax
		imul	eax, 48h
		push	edi
		push	eax
		push	0
		push	100h
		call	_ExAllocatePool2@16 ; ExAllocatePool2(x,x,x,x)
		push	edi
		push	212h
		push	0
		mov	esi, eax
		push	100h
		mov	[ebp+var_538], esi
		call	_ExAllocatePool2@16 ; ExAllocatePool2(x,x,x,x)
		mov	[ebp+var_55C], eax
		test	esi, esi
		jz	loc_738386
		test	eax, eax
		jz	loc_738386
		xor	ecx, ecx
		cmp	cx, bx
		jnb	loc_738398
		lea	ebx, [esi+8]
		mov	esi, [ebp-540h]
		lea	edi, [ebp+var_24C]
		jmp	short loc_7382CC
; 

loc_7382C6:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+332j
		mov	eax, [ebp+var_55C]

loc_7382CC:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+27Ej
		push	0
		push	210h
		push	eax
		push	2
		pop	eax
		push	eax
		push	dword ptr [edi]
		push	0FFFFFFFFh
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	loc_73836A
		mov	edx, [ebp+var_55C]
		xor	ecx, ecx
		inc	ecx
		movzx	eax, word ptr [edx]
		cmp	ax, cx
		jbe	short loc_73836A
		shr	ax, 1
		dec	ax
		movzx	ecx, ax
		test	cx, cx
		jz	short loc_738322
		mov	edx, [edx+4]

loc_73830A:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+2D7j
		movzx	eax, cx
		cmp	word ptr [edx+eax*2], 5Ch
		jz	short loc_738321
		add	ecx, 0FFFFh
		test	cx, cx
		jnz	short loc_73830A
		jmp	short loc_738322
; 

loc_738321:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+2CCj
		inc	ecx

loc_738322:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+2BFj
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+2D9j
		mov	eax, [ebp+var_55C]
		movzx	ecx, cx
		mov	eax, [eax+4]
		lea	eax, [eax+ecx*2]
		mov	ecx, ebx
		push	eax
		push	40h
		pop	edx
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		push	ebx
		lea	eax, [ebx-8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	0
		push	1Ch
		lea	eax, [ebp+var_5F0]
		push	eax
		push	0
		push	dword ptr [edi]
		push	0FFFFFFFFh
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_73836A
		mov	eax, [ebp+var_5EC]
		sub	[edi], eax
		jmp	short loc_73836D
; 

loc_73836A:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+29Dj
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+2B2j ...
		and	dword ptr [edi], 0

loc_73836D:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+322j
		push	4
		pop	eax
		add	ebx, 48h
		add	edi, eax
		sub	esi, 1
		jnz	loc_7382C6
		mov	esi, [ebp+var_538]
		jmp	short loc_738398
; 

loc_738386:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+20Fj
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+256j ...
		xor	eax, eax
		cmp	ax, bx
		jnb	short loc_738398
		movzx	ecx, bx
		lea	edi, [ebp+var_24C]
		rep stosd

loc_738398:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+269j
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+33Ej ...
		xor	eax, eax
		mov	dword ptr [ebp-540h], offset _MITIGATION_AUDIT_REDIRECTION_TRUST_POLICY
		inc	eax
		cmp	[ebp+var_570], eax
		jz	short loc_7383B7
		mov	dword ptr [ebp-540h], offset _MITIGATION_ENFORCE_REDIRECTION_TRUST_POLICY

loc_7383B7:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+365j
		mov	eax, [ebp+var_534]
		mov	edi, [eax+1C0h]
		test	edi, edi
		jnz	short loc_7383CC
		mov	edi, (offset loc_403A20+4)

loc_7383CC:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+37Fj
		lea	edx, [ebp+var_568]
		mov	ecx, eax
		call	EtwpQueryProcessCommandLine
		mov	edx, [ebp+var_568]
		test	dx, dx
		jnz	short loc_7383FD
		push	(offset	loc_8B7595+1)
		lea	eax, [ebp+var_568]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp+var_568]
		jmp	short loc_738406
; 

loc_7383FD:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+39Cj
		xor	eax, eax
		inc	eax
		mov	[ebp+var_52E], al

loc_738406:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+3B5j
		cmp	[ebp+arg_4], 0
		jnz	short loc_73842C
		push	(offset	loc_8B7595+1)
		lea	eax, [ebp+var_584]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp+var_568]
		lea	eax, [ebp+var_584]
		mov	[ebp+arg_4], eax

loc_73842C:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+3C4j
		push	6
		pop	eax
		push	0Ch
		pop	ecx
		mov	[ebp+var_538], ecx
		test	edi, edi
		jz	short loc_738498
		movzx	eax, word ptr [edi]
		test	ax, ax
		jz	short loc_738495
		and	[ebp+var_528], 0
		and	[ebp+var_520], 0
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_560], eax
		lea	eax, [ebp+var_560]
		mov	[ebp+var_52C], eax
		push	2
		pop	eax
		mov	[ebp+var_524], eax
		movzx	ecx, word ptr [edi]
		mov	eax, [edi+4]
		and	[ebp+var_518], 0
		mov	[ebp+var_51C], eax
		mov	eax, ecx
		push	0Ch
		mov	[ebp+var_514], eax
		xor	eax, eax
		pop	ecx
		jmp	short loc_7384D7
; 

loc_738495:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+3FCj
		push	6
		pop	eax

loc_738498:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+3F4j
		mov	[ebp+var_560], eax
		lea	eax, [ebp+var_560]
		push	2
		mov	[ebp+var_52C], eax
		xor	eax, eax
		pop	edi
		mov	[ebp+var_528], eax
		mov	[ebp+var_524], edi
		mov	[ebp+var_520], eax
		mov	[ebp+var_51C], offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		mov	[ebp+var_518], eax
		mov	[ebp+var_514], ecx

loc_7384D7:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+44Dj
		mov	[ebp+var_510], eax
		mov	[ebp+var_508], eax
		mov	[ebp+var_500], eax
		push	2
		pop	edi
		mov	[ebp+var_504], edi
		test	dx, dx
		jz	short loc_738514
		mov	edi, [ebp+var_564]
		lea	ecx, [ebp+var_56C]
		mov	[ebp+var_50C], ecx
		movzx	ecx, dx
		shr	dx, 1
		movzx	edx, dx
		jmp	short loc_738528
; 

loc_738514:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+4AFj
		lea	edx, [ebp+var_56C]
		mov	edi, offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		push	6
		mov	[ebp+var_50C], edx
		pop	edx

loc_738528:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+4CCj
		and	[ebp+var_4F8], 0
		and	[ebp+var_4F0], 0
		movzx	eax, dx
		mov	edx, [ebp+var_534]
		mov	[ebp+var_56C], eax
		lea	eax, [ebp+var_594]
		mov	[ebp+var_4F4], ecx
		lea	ecx, [ebp+var_4EC]
		push	eax
		mov	[ebp+var_4FC], edi
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		push	4
		pop	ecx
		lea	edi, [ecx+eax]
		mov	edx, edi
		lea	eax, [ebp+arg_0]
		add	edx, edx
		and	[ebp+edx*8+var_528], 0
		and	[ebp+edx*8+var_520], 0
		mov	[ebp+edx*8+var_524], ecx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+edx*8+var_52C], eax
		test	ecx, ecx
		jz	short loc_7385B7
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_7385B7
		mov	ecx, [ecx+4]
		add	edi, 2
		mov	[ebp+var_538], eax
		shr	ax, 1
		mov	[ebp+var_534], ecx
		movzx	eax, ax
		jmp	short loc_7385C7
; 

loc_7385B7:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+54Dj
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+555j
		push	6
		add	edi, 2
		mov	[ebp+var_534], offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		pop	eax

loc_7385C7:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+56Fj
		xor	ebx, ebx
		movzx	eax, ax
		mov	[ebp+var_578], eax
		mov	ecx, edi
		add	ecx, ecx
		lea	eax, [ebp+var_578]
		mov	[ebp+edx*8+var_51C], eax
		mov	[ebp+edx*8+var_518], ebx
		push	2
		pop	eax
		mov	[ebp+edx*8+var_514], eax
		mov	eax, [ebp+var_534]
		mov	[ebp+edx*8+var_510], ebx
		mov	[ebp+ecx*8+var_52C], eax
		and	[ebp+ecx*8+var_528], ebx
		mov	eax, [ebp+var_538]
		mov	[ebp+ecx*8+var_524], eax
		mov	eax, edi
		mov	[ebp+ecx*8+var_520], ebx
		add	eax, eax
		push	4
		pop	edx
		lea	ecx, [ebp+var_588]
		mov	[ebp+var_534], ebx
		mov	[ebp+eax*8+var_518], ebx
		mov	[ebp+eax*8+var_510], ebx
		mov	[ebp+eax*8+var_514], edx
		lea	edx, [edi+2]
		mov	edi, ebx
		mov	[ebp+eax*8+var_51C], ecx
		mov	ecx, ebx
		mov	eax, esi
		mov	ebx, [ebp+var_550]
		mov	[ebp+var_548], ebx
		mov	bx, word ptr [ebp+var_554+2]
		mov	word ptr [ebp+var_544],	bx
		mov	ebx, [ebp+var_554]
		mov	[ebp+var_574], ebx
		mov	ebx, [ebp+var_558]
		mov	[ebp+var_53C], ecx
		mov	[ebp+var_54C], eax

loc_738693:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+792j
		cmp	cx, bx
		jnb	short loc_73870D
		test	esi, esi
		jz	short loc_73870D
		test	eax, eax
		jz	short loc_7386C7
		mov	ecx, [eax+4]
		mov	[ebp+var_538], ecx
		test	ecx, ecx
		jz	short loc_7386C7
		movzx	ecx, word ptr [eax]
		test	cx, cx
		jz	short loc_7386C7
		movzx	eax, word ptr [eax+2]
		mov	edi, ecx
		lea	ecx, [edi+1]
		cmp	eax, ecx
		jbe	short loc_7386D4
		add	edi, 2
		jmp	short loc_7386D4
; 

loc_7386C7:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+658j
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+665j ...
		push	0Eh
		pop	edi
		mov	[ebp+var_538], offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"

loc_7386D4:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+67Aj
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+67Fj
		mov	ebx, [ebp+var_538]
		mov	ecx, edx
		shl	ecx, 4
		mov	eax, ecx
		mov	[ebp+eax+var_52C], ebx
		and	[ebp+eax+var_528], 0
		mov	ebx, [ebp+var_558]
		mov	[ebp+eax+var_524], edi
		and	[ebp+eax+var_520], 0
		mov	edi, [ebp+var_534]
		jmp	short loc_738781
; 

loc_73870D:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+650j
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+654j
		cmp	[ebp+var_548], 0
		jz	short loc_738756
		mov	eax, [ebp+var_574]
		test	ax, ax
		jz	short loc_738756
		movzx	edi, ax
		movzx	eax, word ptr [ebp+var_544]
		lea	ecx, [edi+1]
		cmp	eax, ecx
		jbe	short loc_738735
		add	edi, 2

loc_738735:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+6EAj
		mov	eax, [ebp+var_548]
		mov	ecx, edx
		shl	ecx, 4
		mov	[ebp+ecx+var_524], edi
		mov	edi, [ebp+var_534]
		mov	[ebp+ecx+var_52C], eax
		jmp	short loc_738771
; 

loc_738756:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+6CEj
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+6D9j
		mov	ecx, edx
		shl	ecx, 4
		mov	[ebp+ecx+var_52C], offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		mov	[ebp+ecx+var_524], 0Eh

loc_738771:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+70Ej
		and	[ebp+ecx+var_528], 0
		and	[ebp+ecx+var_520], 0

loc_738781:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+6C5j
		and	[ebp+ecx+var_518], 0
		lea	eax, [ebp+var_24C]
		and	[ebp+ecx+var_510], 0
		lea	eax, [eax+edi*4]
		mov	[ebp+ecx+var_51C], eax
		add	edx, 2
		push	4
		pop	eax
		mov	[ebp+ecx+var_514], eax
		mov	ecx, [ebp+var_53C]
		mov	eax, [ebp+var_54C]
		inc	ecx
		inc	edi
		mov	[ebp+var_53C], ecx
		add	eax, 48h
		mov	[ebp+var_534], edi
		mov	[ebp+var_54C], eax
		cmp	cx, word ptr [ebp+var_58C]
		jb	loc_738693
		lea	eax, [ebp+var_52C]
		push	eax
		push	edx
		push	0
		push	dword ptr [ebp-540h]
		push	dword_6BC324
		push	_EtwSecurityMitigationsRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		test	esi, esi
		jz	loc_738C04
		push	5
		pop	eax
		cmp	dword_6B2A40, eax
		jbe	loc_738D36
		push	4000h
		mov	edi, offset dword_6B2A40
		push	0
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_738D36
		push	8
		lea	eax, [ebp+var_59C]
		mov	[ebp+var_59C], 2000000h
		mov	[ebp+var_16C], eax
		xor	edx, edx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_574], eax
		lea	eax, [ebp+var_574]
		pop	ecx
		mov	[ebp+var_15C], eax
		push	4
		pop	eax
		mov	[ebp+var_154], eax
		mov	eax, [ebp+var_570]
		mov	[ebp-540h], eax
		lea	eax, [ebp-540h]
		mov	[ebp+var_14C], eax
		push	4
		pop	eax
		mov	[ebp+var_144], eax
		mov	al, [ebp+arg_8]
		mov	byte ptr [ebp+var_544+3], al
		lea	eax, [ebp+var_544+3]
		mov	[ebp+var_13C], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_598], edx
		mov	[ebp+var_168], edx
		mov	[ebp+var_164], ecx
		mov	[ebp+var_160], edx
		mov	[ebp+var_158], edx
		mov	[ebp+var_150], edx
		mov	[ebp+var_148], edx
		mov	[ebp+var_140], edx
		mov	[ebp+var_138], edx
		mov	[ebp+var_134], eax
		mov	[ebp+var_130], edx
		cmp	bx, ax
		jbe	short loc_7388F2
		cmp	[esi+4Ch], edx
		lea	edx, [esi+48h]
		jnz	short loc_7388F8

loc_7388F2:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+8A2j
		lea	edx, [ebp+var_554]

loc_7388F8:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+8AAj
		and	[ebp+var_128], 0
		lea	eax, [ebp+var_114]
		and	[ebp+var_120], 0
		and	[ebp+var_118], 0
		and	[ebp+var_110], 0
		mov	[ebp+var_12C], eax
		push	2
		pop	eax
		mov	[ebp+var_124], eax
		mov	eax, [edx+4]
		mov	[ebp+var_11C], eax
		movzx	eax, word ptr [edx]
		mov	[ebp+var_114], eax
		mov	eax, [ebp+var_248]
		cdq
		mov	[ebp+var_5A4], eax
		lea	eax, [ebp+var_5A4]
		push	2
		mov	[ebp+var_5A0], edx
		mov	[ebp+var_10C], eax
		xor	eax, eax
		pop	edx
		mov	[ebp+var_108], eax
		mov	[ebp+var_104], ecx
		mov	[ebp+var_100], eax
		cmp	bx, dx
		jbe	short loc_738984
		lea	edx, [esi+90h]
		cmp	[esi+94h], eax
		jnz	short loc_73898A

loc_738984:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+92Ej
		lea	edx, [ebp+var_554]

loc_73898A:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+93Cj
		and	[ebp+var_F8], 0
		lea	eax, [ebp+var_E4]
		and	[ebp+var_F0], 0
		and	[ebp+var_E8], 0
		and	[ebp+var_E0], 0
		mov	[ebp+var_FC], eax
		push	2
		pop	eax
		mov	[ebp+var_F4], eax
		mov	eax, [edx+4]
		mov	[ebp+var_EC], eax
		movzx	eax, word ptr [edx]
		mov	[ebp+var_E4], eax
		mov	eax, [ebp+var_244]
		cdq
		mov	[ebp+var_5AC], eax
		lea	eax, [ebp+var_5AC]
		mov	[ebp+var_DC], eax
		xor	eax, eax
		mov	[ebp+var_5A8], edx
		mov	[ebp+var_D8], eax
		mov	[ebp+var_D4], ecx
		mov	[ebp+var_D0], eax
		cmp	bx, 3
		jbe	short loc_738A14
		lea	edx, [esi+0D8h]
		cmp	[esi+0DCh], eax
		jnz	short loc_738A1A

loc_738A14:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+9BEj
		lea	edx, [ebp+var_554]

loc_738A1A:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+9CCj
		and	[ebp+var_C8], 0
		lea	eax, [ebp+var_B4]
		and	[ebp+var_C0], 0
		and	[ebp+var_B8], 0
		and	[ebp+var_B0], 0
		mov	[ebp+var_CC], eax
		push	2
		pop	eax
		mov	[ebp+var_C4], eax
		mov	eax, [edx+4]
		mov	[ebp+var_BC], eax
		movzx	eax, word ptr [edx]
		mov	[ebp+var_B4], eax
		mov	eax, [ebp+var_240]
		cdq
		mov	[ebp+var_5B4], eax
		lea	eax, [ebp+var_5B4]
		push	4
		mov	[ebp+var_5B0], edx
		mov	[ebp+var_AC], eax
		xor	eax, eax
		pop	edx
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_A0], eax
		cmp	bx, dx
		jbe	short loc_738AA6
		lea	edx, [esi+120h]
		cmp	[esi+124h], eax
		jnz	short loc_738AAC

loc_738AA6:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+A50j
		lea	edx, [ebp+var_554]

loc_738AAC:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+A5Ej
		and	[ebp+var_98], 0
		lea	eax, [ebp+var_84]
		and	[ebp+var_90], 0
		and	[ebp+var_88], 0
		and	[ebp+var_80], 0
		mov	[ebp+var_9C], eax
		push	2
		pop	eax
		mov	[ebp+var_94], eax
		mov	eax, [edx+4]
		mov	[ebp+var_8C], eax
		movzx	eax, word ptr [edx]
		mov	[ebp+var_84], eax
		mov	eax, [ebp+var_23C]
		cdq
		mov	[ebp+var_5BC], eax
		lea	eax, [ebp+var_5BC]
		push	5
		mov	[ebp+var_5B8], edx
		mov	[ebp+var_7C], eax
		xor	eax, eax
		pop	edx
		mov	[ebp+var_78], eax
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], eax
		cmp	bx, dx
		jbe	short loc_738B29
		lea	edx, [esi+168h]
		cmp	[esi+16Ch], eax
		jnz	short loc_738B2F

loc_738B29:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+AD3j
		lea	edx, [ebp+var_554]

loc_738B2F:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+AE1j
		and	[ebp+var_68], 0
		lea	eax, [ebp+var_54]
		and	[ebp+var_60], 0
		and	[ebp+var_58], 0
		and	[ebp+var_50], 0
		and	[ebp+var_48], 0
		and	[ebp+var_40], 0
		mov	[ebp+var_6C], eax
		push	2
		pop	eax
		mov	[ebp+var_64], eax
		mov	eax, [edx+4]
		mov	[ebp+var_5C], eax
		movzx	eax, word ptr [edx]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+var_238]
		cdq
		mov	[ebp+var_5C4], eax
		lea	eax, [ebp+var_5C4]
		push	6
		mov	[ebp+var_4C], eax
		pop	eax
		mov	[ebp+var_5C0], edx
		mov	[ebp+var_44], ecx
		cmp	bx, ax
		jbe	short loc_738B98
		xor	ebx, ebx
		cmp	[esi+1B4h], ebx
		jz	short loc_738B9A
		lea	edx, [esi+1B0h]
		jmp	short loc_738BA0
; 

loc_738B98:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+B3Ej
		xor	ebx, ebx

loc_738B9A:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+B48j
		lea	edx, [ebp+var_554]

loc_738BA0:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+B50j
		push	2
		lea	eax, [ebp+var_24]
		mov	[ebp+var_38], ebx
		mov	[ebp+var_3C], eax
		pop	eax
		mov	[ebp+var_34], eax
		mov	eax, [edx+4]
		mov	[ebp+var_2C], eax
		movzx	eax, word ptr [edx]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_234]
		cdq
		mov	[ebp+var_5CC], eax
		lea	eax, [ebp+var_5CC]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_18C]
		push	eax
		push	18h
		push	ebx
		push	ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_5C8], edx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		push	offset loc_423BDD

loc_738BF9:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+CEBj
		push	edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_738D38
; 

loc_738C04:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+7BBj
		xor	ebx, ebx
		cmp	dword_6B2A40, 5
		jbe	loc_738D38
		push	4000h
		mov	edi, offset dword_6B2A40
		push	ebx
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_738D38
		lea	eax, [ebp+var_5D4]
		mov	[ebp+var_5D4], 2000000h
		mov	[ebp+var_1EC], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_54C], eax
		lea	eax, [ebp+var_54C]
		mov	[ebp+var_1DC], eax
		mov	eax, [ebp+var_570]
		mov	[ebp+var_57C], eax
		lea	eax, [ebp+var_57C]
		mov	[ebp+var_1CC], eax
		mov	al, [ebp+arg_8]
		push	8
		mov	byte ptr [ebp+var_544+1], al
		lea	eax, [ebp+var_544+1]
		pop	ecx
		mov	[ebp+var_1BC], eax
		xor	eax, eax
		push	4
		pop	edx
		inc	eax
		mov	[ebp+var_5D0], ebx
		mov	[ebp+var_1B4], eax
		lea	eax, [ebp+var_194]
		push	2
		mov	[ebp+var_1AC], eax
		pop	eax
		mov	[ebp+var_1A4], eax
		mov	eax, [ebp+var_550]
		mov	[ebp+var_19C], eax
		movzx	eax, word ptr [ebp+var_554]
		mov	[ebp+var_194], eax
		lea	eax, [ebp+var_20C]
		push	eax
		push	ecx
		push	ebx
		push	ebx
		mov	[ebp+var_1E8], ebx
		mov	[ebp+var_1E4], ecx
		mov	[ebp+var_1E0], ebx
		mov	[ebp+var_1D8], ebx
		mov	[ebp+var_1D4], edx
		mov	[ebp+var_1D0], ebx
		mov	[ebp+var_1C8], ebx
		mov	[ebp+var_1C4], edx
		mov	[ebp+var_1C0], ebx
		mov	[ebp+var_1B8], ebx
		mov	[ebp+var_1B0], ebx
		mov	[ebp+var_1A8], ebx
		mov	[ebp+var_1A0], ebx
		mov	[ebp+var_198], ebx
		mov	[ebp+var_190], ebx
		push	offset loc_423CA8
		jmp	loc_738BF9
; 

loc_738D36:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+7CAj
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+7E5j
		xor	ebx, ebx

loc_738D38:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+BB9j
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+BC7j ...
		cmp	[ebp+var_52E], 0
		jz	short loc_738D4D
		push	ebx
		push	[ebp+var_564]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_738D4D:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+CF9j
		mov	eax, [ebp+var_55C]
		test	eax, eax
		jz	short loc_738D5E
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_738D5E:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+D0Fj
		test	esi, esi
		jz	short loc_738D69
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_738D69:				; CODE XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+1F5j
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+D1Aj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_EtwTimLogRedirectionTrustPolicy@20 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCompleteBuffer(x, x)
_EtwpCompleteBuffer@8 proc near		; CODE XREF: EtwpCompressPendingBuffers(x)+6Cp
					; EtwpCompressPendingBuffers(x)+8Bp ...
		xor	eax, eax
		push	eax
		mov	[edx+34h], ax
		call	EtwpEnqueueAvailableBuffer
		retn
_EtwpCompleteBuffer@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpFindDebugId(x, x, x, x,	x)
_EtwpFindDebugId@20 proc near		; CODE XREF: EtwpLocateDbgIdForRegEntry+ABp
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+258p

var_54		= dword	ptr -54h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	44h
		push	offset dword_6A9FA0
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	edi, ecx
		mov	[ebp+var_1C], edi
		xor	ebx, ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	[ebp+var_20], ebx
		lea	eax, [ebp+var_20]
		push	eax
		push	6
		push	1
		push	edi
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_30], esi
		test	esi, esi
		jz	loc_738F0C
		mov	eax, [ebp+var_20]
		push	1Ch
		pop	ecx
		cmp	eax, ecx
		jb	loc_738F0C
		xor	edx, edx
		div	ecx
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], ebx

loc_738DDD:				; CODE XREF: EtwpFindDebugId(x,x,x,x,x)+171j
		cmp	ebx, eax
		jnb	loc_738EFE
		cmp	esi, edi
		jb	loc_738F0C
		lea	ecx, [esi+1Ch]
		mov	[ebp+var_20], ecx
		mov	eax, [ebp+var_24]
		add	eax, edi
		cmp	ecx, eax
		ja	loc_738F0C
		mov	dl, [ebp+arg_0]
		test	dl, dl
		jz	short loc_738E2D
		lea	eax, [ebp+var_28]
		push	eax
		push	1Ch
		pop	edx
		mov	ecx, esi
		call	_EtwpIsValidImageAddress@12 ; EtwpIsValidImageAddress(x,x,x)
		test	al, al
		jnz	short loc_738E2A

loc_738E19:				; CODE XREF: EtwpFindDebugId(x,x,x,x,x)+F2j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000903h
		jmp	loc_738F2D
; 

loc_738E2A:				; CODE XREF: EtwpFindDebugId(x,x,x,x,x)+8Fj
		mov	dl, [ebp+arg_0]

loc_738E2D:				; CODE XREF: EtwpFindDebugId(x,x,x,x,x)+7Dj
		push	7
		pop	ecx
		lea	edi, [ebp+var_54]
		rep movsd
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+var_40]
		cmp	ecx, eax
		ja	loc_738F0C
		mov	esi, [ebp+var_44]
		cmp	esi, eax
		ja	loc_738F0C
		sub	eax, esi
		cmp	ecx, eax
		ja	loc_738F0C
		cmp	[ebp+var_48], 2
		jnz	loc_738EE9
		mov	edi, [ebp+var_1C]
		add	edi, ecx
		test	dl, dl
		jz	short loc_738E7C
		lea	eax, [ebp+var_2C]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpIsValidImageAddress@12 ; EtwpIsValidImageAddress(x,x,x)
		test	al, al
		jz	short loc_738E19

loc_738E7C:				; CODE XREF: EtwpFindDebugId(x,x,x,x,x)+E1j
		cmp	dword ptr [edi], 53445352h
		jnz	short loc_738EE9
		cmp	esi, 1Ch
		jnb	short loc_738E9A
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000007Bh
		jmp	loc_738F2D
; 

loc_738E9A:				; CODE XREF: EtwpFindDebugId(x,x,x,x,x)+FFj
		mov	edi, [ebp+arg_8]
		cmp	[edi], esi
		jnb	short loc_738EC7
		push	62777445h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		test	ecx, ecx
		jnz	short loc_738EC7
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000017h
		jmp	short loc_738F2D
; 

loc_738EC7:				; CODE XREF: EtwpFindDebugId(x,x,x,x,x)+117j
					; EtwpFindDebugId(x,x,x,x,x)+12Fj
		mov	[edi], esi
		push	esi		; size_t
		mov	eax, [ebp+var_40]
		add	eax, [ebp+var_1C]
		push	eax		; void *
		mov	eax, [ebp+arg_4]
		push	dword ptr [eax]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_738F2D
; 

loc_738EE9:				; CODE XREF: EtwpFindDebugId(x,x,x,x,x)+D4j
					; EtwpFindDebugId(x,x,x,x,x)+FAj
		mov	esi, [ebp+var_20]
		mov	[ebp+var_30], esi
		inc	ebx
		mov	[ebp+var_34], ebx
		mov	edi, [ebp+var_1C]
		mov	eax, [ebp+var_38]
		jmp	loc_738DDD
; 

loc_738EFE:				; CODE XREF: EtwpFindDebugId(x,x,x,x,x)+57j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000225h
		jmp	short loc_738F2D
; 

loc_738F0C:				; CODE XREF: EtwpFindDebugId(x,x,x,x,x)+37j
					; EtwpFindDebugId(x,x,x,x,x)+45j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		jmp	short loc_738F2D
; 

loc_738F1A:				; DATA XREF: .text:006A9FB4o
		xor	eax, eax
		inc	eax
		retn
; 

loc_738F1E:				; DATA XREF: .text:006A9FB8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, 0C0000903h
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_738F2D:				; CODE XREF: EtwpFindDebugId(x,x,x,x,x)+9Dj
					; EtwpFindDebugId(x,x,x,x,x)+10Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_EtwpFindDebugId@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpIsValidImageAddress(x, x, x)
_EtwpIsValidImageAddress@12 proc near	; CODE XREF: EtwpFindDebugId(x,x,x,x,x)+88p
					; EtwpFindDebugId(x,x,x,x,x)+EBp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		lea	ebx, [edx+0FFFh]
		mov	eax, esi
		and	eax, 0FFFh
		add	ebx, eax
		push	edi
		shr	ebx, 0Ch
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_738F8A
		mov	eax, [ebp+arg_0]
		and	esi, 0FFFFF000h

loc_738F6B:				; CODE XREF: EtwpIsValidImageAddress(x,x,x)+48j
		cmp	[eax], esi
		jz	short loc_738F7F
		mov	ecx, esi
		call	MmIsAddressValidEx
		test	al, al
		jz	short loc_738F93
		mov	eax, [ebp+arg_0]
		mov	[eax], esi

loc_738F7F:				; CODE XREF: EtwpIsValidImageAddress(x,x,x)+2Dj
		inc	edi
		add	esi, 1000h
		cmp	edi, ebx
		jb	short loc_738F6B

loc_738F8A:				; CODE XREF: EtwpIsValidImageAddress(x,x,x)+20j
		mov	al, 1

loc_738F8C:				; CODE XREF: EtwpIsValidImageAddress(x,x,x)+55j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_738F93:				; CODE XREF: EtwpIsValidImageAddress(x,x,x)+38j
		xor	al, al
		jmp	short loc_738F8C
_EtwpIsValidImageAddress@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdateLevelKwFilter(x, x, x, x)
_EtwpUpdateLevelKwFilter@16 proc near	; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+1BFp
					; EtwpUpdateFilterData(x,x,x,x,x)+412p	...

var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		mov	eax, ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_0], bl
		jz	short loc_738FBC
		xor	edx, edx
		add	eax, 20h
		xchg	edx, [eax]
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		jmp	short loc_739012
; 

loc_738FBC:				; CODE XREF: EtwpUpdateLevelKwFilter(x,x,x,x)+14j
		cmp	dword ptr [esi+8], 18h
		jz	short loc_738FC9
		mov	eax, 0C000000Dh
		jmp	short loc_739014
; 

loc_738FC9:				; CODE XREF: EtwpUpdateLevelKwFilter(x,x,x,x)+28j
		mov	edx, [eax+20h]
		test	edx, edx
		jnz	short loc_738FEA
		push	46777445h
		push	18h
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_738FEA
		mov	ebx, 0C0000017h
		jmp	short loc_739012
; 

loc_738FEA:				; CODE XREF: EtwpUpdateLevelKwFilter(x,x,x,x)+36j
					; EtwpUpdateLevelKwFilter(x,x,x,x)+49j
		mov	esi, [esi]
		push	edi
		push	6
		pop	ecx
		mov	edi, edx
		rep movsd
		mov	eax, [edx]
		or	eax, [edx+4]
		pop	edi
		jnz	short loc_739003
		or	dword ptr [edx], 0FFFFFFFFh
		or	dword ptr [edx+4], 0FFFFFFFFh

loc_739003:				; CODE XREF: EtwpUpdateLevelKwFilter(x,x,x,x)+62j
		cmp	[edx+10h], bl
		jnz	short loc_73900C
		mov	byte ptr [edx+10h], 0FFh

loc_73900C:				; CODE XREF: EtwpUpdateLevelKwFilter(x,x,x,x)+6Ej
		mov	eax, [ebp+var_4]
		mov	[eax+20h], edx

loc_739012:				; CODE XREF: EtwpUpdateLevelKwFilter(x,x,x,x)+22j
					; EtwpUpdateLevelKwFilter(x,x,x,x)+50j
		mov	eax, ebx

loc_739014:				; CODE XREF: EtwpUpdateLevelKwFilter(x,x,x,x)+2Fj
		pop	esi
		pop	ebx
		leave
		retn	8
_EtwpUpdateLevelKwFilter@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpInitializeTimeChangeWorker(x, x,	x, x, x)
_ExpInitializeTimeChangeWorker@20 proc near
					; CODE XREF: ExpRefreshTimeZoneInformation(x)+AFp
					; ExpRefreshTimeZoneInformation(x)+C2p	...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_0]
		mov	esi, ecx
		push	edx
		push	esi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	eax, [ebp+arg_8]
		and	dword ptr [esi+48h], 0
		mov	[esi+54h], eax
		lea	eax, [esi+20h]
		push	0
		push	eax
		mov	dword ptr [esi+50h], offset _ExpTimeZoneWork@4 ; ExpTimeZoneWork(x)
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		pop	esi
		pop	ebp
		retn	0Ch
_ExpInitializeTimeChangeWorker@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpReadLeapSecondData(x, x)
_ExpReadLeapSecondData@8 proc near	; CODE XREF: ExInitializeLeapSecondData+136p
					; ExpLeapSecondDataRegistryNotifyHandler(x)+8p

var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		and	[esp+2Ch+var_24], 0
		and	[esp+2Ch+var_20], 0
		push	ebx
		push	esi
		push	edi
		mov	[esp+38h+var_25], dl
		xor	esi, esi
		mov	[esp+38h+var_1C], ecx
		xor	ebx, ebx
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		mov	ecx, offset _ExpLeapSecondDataLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, ds:_ExpLeapSecondDataRegistryNotify
		test	eax, eax
		jnz	short loc_7390CA
		lea	ecx, [esp+38h+var_20]
		call	_ExpGetLeapSecondDataRegistryKeyHandle@4 ; ExpGetLeapSecondDataRegistryKeyHandle(x)
		test	eax, eax
		js	short loc_7390C1
		push	6453704Ch
		push	1Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7390C1
		mov	edi, [esp+38h+var_20]
		jmp	short loc_7390CE
; 

loc_7390C1:				; CODE XREF: ExpReadLeapSecondData(x,x)+54j
					; ExpReadLeapSecondData(x,x)+6Bj
		mov	edi, [esp+38h+var_20]
		jmp	loc_7391FE
; 

loc_7390CA:				; CODE XREF: ExpReadLeapSecondData(x,x)+47j
		mov	esi, eax
		mov	edi, [esi]

loc_7390CE:				; CODE XREF: ExpReadLeapSecondData(x,x)+71j
		push	1
		xor	edx, edx
		lea	eax, [esi+14h]
		push	edx
		push	edx
		push	edx
		push	4
		push	eax
		lea	ecx, [esi+4]
		push	1
		push	ecx
		push	edx
		push	edi
		mov	dword ptr [ecx+8], offset _ExpLeapSecondDataRegistryNotifyHandler@4 ; ExpLeapSecondDataRegistryNotifyHandler(x)
		mov	[ecx+0Ch], edx
		mov	[ecx], edx
		call	_ZwNotifyChangeKey@40 ;	ZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7391FE
		lea	eax, [esp+38h+var_24]
		mov	[esp+38h+var_26], 1
		push	eax
		push	14h
		lea	eax, [esp+40h+var_18]
		push	eax
		push	2
		push	(offset	loc_403D2F+1)
		push	edi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_739135
		cmp	[esp+38h+var_14], 4
		jnz	short loc_739135
		cmp	[esp+38h+var_10], 4
		jnz	short loc_739135
		cmp	[esp+38h+var_C], ebx
		setnz	al
		jmp	short loc_739139
; 

loc_739135:				; CODE XREF: ExpReadLeapSecondData(x,x)+CEj
					; ExpReadLeapSecondData(x,x)+D5j ...
		mov	al, [esp+38h+var_26]

loc_739139:				; CODE XREF: ExpReadLeapSecondData(x,x)+E5j
		mov	ecx, [esp+38h+var_1C]
		mov	[ecx], al
		mov	eax, [ecx+4]
		mov	[esp+38h+var_20], eax
		lea	eax, [esp+38h+var_24]
		push	eax
		push	0
		push	0
		push	2
		push	offset _ExpLeapSecondRegkeyValueLeapSeconds
		push	edi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_739190
		push	6453704Ch
		push	[esp+3Ch+var_24]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7391AF
		lea	eax, [esp+38h+var_24]
		push	eax
		push	[esp+3Ch+var_24]
		push	ebx
		push	2
		push	offset _ExpLeapSecondRegkeyValueLeapSeconds
		push	edi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)

loc_739190:				; CODE XREF: ExpReadLeapSecondData(x,x)+113j
		test	eax, eax
		js	short loc_7391AF
		mov	edx, [esp+38h+var_1C]
		mov	ecx, ebx
		call	ExpParseAndUpdateLeapSecondData
		mov	ds:_ExLeapSecondDataLastParseResult, eax
		test	eax, eax
		jz	short loc_7391AF
		mov	ecx, eax
		call	_EtwTraceLeapSecondDataParseFailure@4 ;	EtwTraceLeapSecondDataParseFailure(x)

loc_7391AF:				; CODE XREF: ExpReadLeapSecondData(x,x)+129j
					; ExpReadLeapSecondData(x,x)+144j ...
		cmp	[esp+38h+var_25], 0
		jz	short loc_7391D3
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		xor	cl, cl
		call	_ExpRefreshTimeZoneInformation@4 ; ExpRefreshTimeZoneInformation(x)
		mov	ecx, offset _ExpTimeRefreshLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_7391D3:				; CODE XREF: ExpReadLeapSecondData(x,x)+166j
		mov	eax, [esp+38h+var_1C]
		xor	ecx, ecx
		push	[esp+38h+var_20]
		inc	ecx
		push	dword ptr [eax+4]
		movzx	edx, byte ptr [eax]
		call	EtwTraceLeapSecondDataUpdate
		cmp	ds:_ExpLeapSecondDataRegistryNotify, 0
		jnz	short loc_7391FA
		mov	ds:_ExpLeapSecondDataRegistryNotify, esi
		mov	[esi], edi

loc_7391FA:				; CODE XREF: ExpReadLeapSecondData(x,x)+1A2j
		xor	esi, esi
		xor	edi, edi

loc_7391FE:				; CODE XREF: ExpReadLeapSecondData(x,x)+77j
					; ExpReadLeapSecondData(x,x)+A8j
		or	eax, 0FFFFFFFFh
		mov	ecx, offset _ExpLeapSecondDataLock
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_73921A
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset _ExpLeapSecondDataLock

loc_73921A:				; CODE XREF: ExpReadLeapSecondData(x,x)+1C0j
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	ebx, ebx
		jz	short loc_739233
		push	6453704Ch
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_739233:				; CODE XREF: ExpReadLeapSecondData(x,x)+1D8j
		test	esi, esi
		jz	short loc_739249
		push	6453704Ch
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	ds:_ExpLeapSecondDataRegistryNotify, 0

loc_739249:				; CODE XREF: ExpReadLeapSecondData(x,x)+1E7j
		test	edi, edi
		jz	short loc_739253
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_739253:				; CODE XREF: ExpReadLeapSecondData(x,x)+1FDj
		mov	ecx, [esp+38h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_ExpReadLeapSecondData@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpReadSiloTimeZoneMarker()
_ExpReadSiloTimeZoneMarker@0 proc near	; CODE XREF: ExpRefreshTimeZoneInformation(x)+132p
					; ExpRefreshTimeZoneInformation(x)+168p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		xor	edx, edx
		mov	ecx, offset aSilotimezonema ; "SiloTimeZoneMarker"
		call	ExpReadTimeZoneInformation
		cmp	[ebp+var_4], 0
		setnz	al
		leave
		retn
_ExpReadSiloTimeZoneMarker@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpReadTimeZoneInformation proc	near	; CODE XREF: ExpReadSiloTimeZoneMarker()+16p
					; ExpTimeZoneInitSiloState(x)+28p ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	esi
		push	38h		; size_t
		lea	eax, [ebp+var_40]
		mov	[ebp+var_8], edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[ebp+var_34], eax
		mov	edx, offset aTimezoneinform ; "TimeZoneInformation"
		lea	eax, [ebp+var_8]
		mov	[ebp+var_3C], 120h
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_40]
		push	1
		push	ecx
		push	0
		push	eax
		push	2
		pop	ecx
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], 4000004h
		mov	[ebp+var_28], 4
		call	RtlpQueryRegistryValues
		pop	esi
		leave
		retn	4
ExpReadTimeZoneInformation endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpRefreshTimeZoneInformation(x)
_ExpRefreshTimeZoneInformation@4 proc near ; CODE XREF:	ExpSetSystemTime+9868p
					; ExpReadLeapSecondData(x,x)+171p ...

var_438		= dword	ptr -438h
var_434		= dword	ptr -434h
var_430		= dword	ptr -430h
var_42C		= dword	ptr -42Ch
var_426		= byte ptr -426h
var_425		= byte ptr -425h
var_424		= dword	ptr -424h
var_420		= dword	ptr -420h
var_41C		= dword	ptr -41Ch
var_418		= dword	ptr -418h
var_414		= dword	ptr -414h
var_410		= dword	ptr -410h
var_40C		= dword	ptr -40Ch
var_408		= dword	ptr -408h
var_404		= dword	ptr -404h
var_400		= dword	ptr -400h
var_3FC		= dword	ptr -3FCh
var_3F4		= dword	ptr -3F4h
var_3F0		= dword	ptr -3F0h
var_3EC		= dword	ptr -3ECh
var_3E8		= dword	ptr -3E8h
var_3E4		= dword	ptr -3E4h
var_3E0		= dword	ptr -3E0h
var_3DC		= dword	ptr -3DCh
var_3D8		= dword	ptr -3D8h
var_3D4		= dword	ptr -3D4h
var_3D0		= dword	ptr -3D0h
var_3C0		= dword	ptr -3C0h
var_37A		= word ptr -37Ah
var_36C		= dword	ptr -36Ch
var_326		= word ptr -326h
var_318		= dword	ptr -318h
var_314		= word ptr -314h
var_214		= byte ptr -214h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 43Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+43Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	1B0h		; size_t
		xor	ebx, ebx
		mov	[esp+44Ch+var_425], cl
		lea	eax, [esp+44Ch+var_3C0]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		mov	[esp+454h+var_410], ebx
		lea	edi, [esp+454h+var_3D0]
		mov	[esp+454h+var_40C], ebx
		stosd
		add	esp, 0Ch
		mov	[esp+448h+var_430], ebx
		mov	[esp+448h+var_42C], ebx
		mov	[esp+448h+var_3F0], ebx
		stosd
		mov	[esp+448h+var_3EC], ebx
		mov	[esp+448h+var_3E8], ebx
		mov	[esp+448h+var_3E4], ebx
		stosd
		mov	[esp+448h+var_3E0], ebx
		mov	[esp+448h+var_3DC], ebx
		mov	byte ptr [esp+448h+var_41C], bl
		stosd
		xor	eax, eax
		inc	eax
		mov	edi, ebx
		mov	byte ptr [esp+448h+var_438], al
		mov	[esp+448h+var_408], edi
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		mov	esi, eax
		mov	ecx, esi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ebx, [eax+268h]
		cmp	[ebx+210h], edi
		jnz	loc_73940D
		push	esi
		push	ecx
		push	esi
		lea	ecx, [ebx+1C0h]
		mov	edx, offset _ExpTimeZoneDpcRoutine@16 ;	ExpTimeZoneDpcRoutine(x,x,x,x)
		call	_ExpInitializeTimeChangeWorker@20 ; ExpInitializeTimeChangeWorker(x,x,x,x,x)
		push	esi
		push	ecx
		push	esi
		lea	ecx, [ebx+270h]
		mov	edx, offset _ExpNextYearDpcRoutine@16 ;	ExpNextYearDpcRoutine(x,x,x,x)
		call	_ExpInitializeTimeChangeWorker@20 ; ExpInitializeTimeChangeWorker(x,x,x,x,x)
		push	esi
		push	ecx
		push	esi
		lea	ecx, [ebx+218h]
		mov	edx, offset _ExpCenturyDpcRoutine@16 ; ExpCenturyDpcRoutine(x,x,x,x)
		call	_ExpInitializeTimeChangeWorker@20 ; ExpInitializeTimeChangeWorker(x,x,x,x,x)
		xor	eax, eax
		lea	edi, [ebx+2D8h]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebx+2F0h]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, [esp+448h+var_408]
		inc	eax
		mov	[ebx+2DAh], ax
		mov	[ebx+2DCh], ax
		mov	[ebx+2E4h], ax
		mov	[ebx+2F4h], ax
		mov	[ebx+2F2h], ax
		mov	[ebx+2FCh], ax
		jmp	short loc_739413
; 

loc_73940D:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+9Bj
		xor	al, al
		mov	byte ptr [esp+448h+var_438], al

loc_739413:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+123j
		cmp	[esp+448h+var_425], 0
		jz	short loc_739447
		call	_ExpReadSiloTimeZoneMarker@0 ; ExpReadSiloTimeZoneMarker()
		test	al, al
		jnz	short loc_73942C
		push	0
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	edi, eax

loc_73942C:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+139j
		lea	eax, [esp+448h+var_3C0]
		push	eax
		call	_RtlQueryDynamicTimeZoneInformation@4 ;	RtlQueryDynamicTimeZoneInformation(x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_73947A
		push	edi
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		jmp	short loc_73947A
; 

loc_739447:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+130j
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_73946B
		call	_ExpReadSiloTimeZoneMarker@0 ; ExpReadSiloTimeZoneMarker()
		test	al, al
		jnz	short loc_73946B
		push	6Ch
		pop	ecx
		mov	esi, ebx
		lea	edi, [esp+448h+var_3C0]
		rep movsd
		xor	esi, esi
		jmp	short loc_73947A
; 

loc_73946B:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+166j
					; ExpRefreshTimeZoneInformation(x)+16Fj
		lea	eax, [esp+448h+var_3C0]
		push	eax
		call	_RtlQueryDynamicTimeZoneInformation@4 ;	RtlQueryDynamicTimeZoneInformation(x)
		mov	esi, eax

loc_73947A:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+155j
					; ExpRefreshTimeZoneInformation(x)+15Dj ...
		test	esi, esi
		jns	short loc_7394B7
		mov	dl, byte ptr [esp+448h+var_438]
		mov	ecx, esi
		inc	dword ptr [ebx+310h]
		mov	_ExpSystemIsInCmosMode,	1
		call	_ExpLogRefreshTimeZoneInformationQueryFail@8 ; ExpLogRefreshTimeZoneInformationQueryFail(x,x)
		push	[esp+448h+var_438]
		xor	ecx, ecx
		push	0
		push	dword ptr [ebx+1B0h]
		inc	ecx

loc_7394A5:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+344j
		mov	edx, [ebx+1B4h]
		call	EtwTraceTimeZoneInformationRefresh
		xor	al, al
		jmp	loc_739A1E
; 

loc_7394B7:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+194j
		lea	eax, [esp+448h+var_410]
		push	eax
		call	KeQuerySystemTime
		mov	ecx, [esp+448h+var_410]
		lea	eax, [ebx+1B8h]
		mov	edi, ecx
		mov	[esp+448h+var_408], ecx
		sub	edi, [eax]
		mov	ecx, [esp+448h+var_40C]
		mov	esi, ecx
		sbb	esi, [eax+4]
		cmp	[esp+448h+var_214], 0
		mov	[esp+448h+var_3F4], ecx
		mov	[esp+448h+var_410], edi
		mov	[esp+448h+var_40C], esi
		jnz	short loc_739527
		cmp	[esp+448h+var_314], 0
		jz	short loc_739527
		lea	eax, [esp+448h+var_3D0]
		push	eax
		lea	eax, [esp+44Ch+var_410]
		push	eax
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		mov	edx, [esp+448h+var_3D0]
		lea	ecx, [esp+448h+var_3C0]
		call	RtlpCheckDynamicTimeZoneInformation
		test	al, al
		jz	short loc_739527
		mov	byte ptr [esp+448h+var_41C], 1
		jmp	short loc_739594
; 

loc_739527:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+208j
					; ExpRefreshTimeZoneInformation(x)+213j ...
		cmp	byte ptr [esp+448h+var_438], 0
		jz	short loc_7395A1
		lea	eax, [esp+448h+var_404]
		push	eax		; int
		push	208h		; int
		lea	eax, [esp+450h+var_210]
		push	eax		; void *
		push	0		; int
		push	0		; void *
		push	offset ??_C@_1BK@CIGKBGGO@?$AAT?$AAa?$AAr?$AAg?$AAe?$AAt?$AAN?$AAt?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@ ; "TargetNtPath"
		push	offset ??_C@_1DI@PGKLJCOI@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@NNGAKEGL@	; "TimeZoneInformationSettings"
		call	RtlGetPersistedStateLocation
		test	eax, eax
		js	short loc_7395A1
		and	[esp+448h+var_434], 0
		lea	eax, [esp+448h+var_434]
		push	eax
		push	0
		lea	edx, [esp+450h+var_210]
		xor	ecx, ecx
		call	RtlpGetRegistryHandle
		cmp	eax, 0C0000034h
		jnz	short loc_73957D
		mov	byte ptr [esp+448h+var_41C], 1

loc_73957D:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+28Ej
		cmp	[esp+448h+var_434], 0
		jz	short loc_73958D
		push	[esp+448h+var_434]
		call	_ZwClose@4	; ZwClose(x)

loc_73958D:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+29Aj
		cmp	byte ptr [esp+448h+var_41C], 0
		jz	short loc_7395A1

loc_739594:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+23Dj
		lea	eax, [esp+448h+var_3C0]
		push	eax
		call	_RtlSetDynamicTimeZoneInformation@4 ; RtlSetDynamicTimeZoneInformation(x)

loc_7395A1:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+244j
					; ExpRefreshTimeZoneInformation(x)+26Dj ...
		mov	eax, [esp+448h+var_3C0]
		mov	[esp+448h+var_404], eax
		or	eax, 0FFFFFFFFh
		cmp	[esp+448h+var_37A], 0
		mov	[esp+448h+var_400], eax
		mov	[esp+448h+var_3FC], eax
		mov	[esp+448h+var_3D8], eax
		mov	[esp+448h+var_3D4], eax
		jz	loc_7397E0
		cmp	[esp+448h+var_326], 0
		jz	loc_7397E0
		push	ecx
		lea	eax, [esp+44Ch+var_410]
		push	eax
		lea	edx, [esp+450h+var_430]
		lea	ecx, [esp+0D4h]
		call	RtlCutoverTimeToSystemTime
		test	al, al
		jnz	short loc_739631
		mov	dl, byte ptr [esp+448h+var_438]
		lea	eax, [esp+448h+var_400]
		inc	dword ptr [ebx+310h]
		lea	ecx, [esp+448h+var_3C0]
		push	2
		push	eax
		mov	_ExpSystemIsInCmosMode,	1
		call	_ExpLogRefreshTimeZoneInformationCutoverFail@16	; ExpLogRefreshTimeZoneInformationCutoverFail(x,x,x,x)
		push	[esp+448h+var_438]
		push	[esp+44Ch+var_41C]
		push	dword ptr [ebx+1B0h]
		push	2

loc_73962B:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+3A7j
		pop	ecx
		jmp	loc_7394A5
; 

loc_739631:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+30Dj
		mov	eax, [esp+448h+var_430]
		lea	edx, [esp+448h+var_3F0]
		mov	ecx, [esp+448h+var_42C]
		mov	[esp+448h+var_400], eax
		lea	eax, [esp+448h+var_410]
		push	ecx
		mov	[esp+44Ch+var_3FC], ecx
		lea	ecx, [esp+124h]
		push	eax
		call	RtlCutoverTimeToSystemTime
		test	al, al
		jnz	short loc_739691
		mov	dl, byte ptr [esp+448h+var_438]
		lea	eax, [esp+448h+var_400]
		inc	dword ptr [ebx+310h]
		lea	ecx, [esp+448h+var_3C0]
		push	3
		push	eax
		mov	_ExpSystemIsInCmosMode,	1
		call	_ExpLogRefreshTimeZoneInformationCutoverFail@16	; ExpLogRefreshTimeZoneInformationCutoverFail(x,x,x,x)
		push	[esp+448h+var_438]
		push	[esp+44Ch+var_41C]
		push	dword ptr [ebx+1B0h]
		push	3
		jmp	short loc_73962B
; 

loc_739691:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+371j
		mov	ecx, [esp+448h+var_3EC]
		mov	eax, [esp+448h+var_3F0]
		mov	[esp+448h+var_3D8], eax
		mov	[esp+448h+var_3D4], ecx
		cmp	esi, ecx
		jl	short loc_7396F6
		jg	short loc_7396AB
		cmp	edi, eax
		jb	short loc_7396F6

loc_7396AB:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+3BDj
		mov	edx, [esp+448h+var_42C]
		cmp	esi, edx
		jl	short loc_7396FA
		jg	short loc_7396BB
		cmp	edi, [esp+448h+var_430]
		jb	short loc_7396FA

loc_7396BB:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+3CBj
		xor	ecx, ecx
		xor	edx, edx
		mov	[esp+448h+var_420], ecx
		mov	[esp+448h+var_414], ecx
		mov	ecx, [esp+448h+var_42C]
		mov	[esp+448h+var_424], edx
		mov	[esp+448h+var_418], edx
		cmp	ecx, [esp+448h+var_3EC]
		jl	short loc_7396E6
		jg	short loc_7396E1
		cmp	[esp+448h+var_430], eax
		jbe	short loc_7396E6

loc_7396E1:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+3F1j
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_7396E9
; 

loc_7396E6:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+3EFj
					; ExpRefreshTimeZoneInformation(x)+3F7j
		push	2
		pop	ecx

loc_7396E9:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+3FCj
		lea	eax, [ebx+1B0h]
		mov	[eax], ecx
		jmp	loc_7397CA
; 

loc_7396F6:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+3BBj
					; ExpRefreshTimeZoneInformation(x)+3C1j
		mov	edx, [esp+448h+var_42C]

loc_7396FA:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+3C9j
					; ExpRefreshTimeZoneInformation(x)+3D1j
		cmp	ecx, edx
		jg	short loc_73975C
		jl	short loc_739706
		cmp	eax, [esp+448h+var_430]
		jnb	short loc_73975C

loc_739706:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+416j
		cmp	esi, ecx
		jl	short loc_739739
		jg	short loc_739710
		cmp	edi, eax
		jb	short loc_739739

loc_739710:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+422j
		cmp	esi, edx
		jg	short loc_739739
		jl	short loc_73971C
		cmp	edi, [esp+448h+var_430]
		jnb	short loc_739739

loc_73971C:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+42Cj
		mov	ecx, [esp+448h+var_42C]
		mov	edx, [esp+448h+var_430]
		push	2
		mov	[esp+44Ch+var_420], ecx
		mov	[esp+44Ch+var_414], ecx
		mov	[esp+44Ch+var_424], edx
		mov	[esp+44Ch+var_418], edx
		pop	ecx
		jmp	short loc_73974E
; 

loc_739739:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+420j
					; ExpRefreshTimeZoneInformation(x)+426j ...
		mov	[esp+448h+var_424], eax
		mov	[esp+448h+var_418], eax
		mov	eax, ecx
		xor	ecx, ecx
		mov	[esp+448h+var_420], eax
		mov	[esp+448h+var_414], eax
		inc	ecx

loc_73974E:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+44Fj
		lea	eax, [ebx+1B0h]
		mov	[esp+448h+var_434], eax
		mov	[eax], ecx
		jmp	short loc_7397CE
; 

loc_73975C:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+414j
					; ExpRefreshTimeZoneInformation(x)+41Cj
		cmp	esi, edx
		jl	short loc_7397A5
		jg	short loc_739768
		cmp	edi, [esp+448h+var_430]
		jb	short loc_7397A5

loc_739768:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+478j
		cmp	esi, ecx
		jg	short loc_7397A5
		jl	short loc_739772
		cmp	edi, eax
		jnb	short loc_7397A5

loc_739772:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+484j
		mov	edx, eax
		mov	[esp+448h+var_420], ecx
		lea	eax, [ebx+1B0h]
		mov	[esp+448h+var_424], edx
		mov	[esp+448h+var_418], edx
		mov	[esp+448h+var_414], ecx
		mov	[esp+448h+var_434], eax
		mov	dword ptr [eax], 1

loc_739794:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+4E9j
		mov	ecx, [esp+448h+var_36C]

loc_73979B:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+4F6j
		mov	esi, [esp+448h+var_404]
		add	esi, ecx
		xor	ecx, ecx
		jmp	short loc_739810
; 

loc_7397A5:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+476j
					; ExpRefreshTimeZoneInformation(x)+47Ej ...
		mov	eax, [esp+448h+var_430]
		mov	[esp+448h+var_424], eax
		mov	[esp+448h+var_418], eax
		mov	eax, edx
		mov	[esp+448h+var_420], eax
		mov	[esp+448h+var_414], eax
		lea	eax, [ebx+1B0h]
		push	2
		mov	dword ptr [eax], 2
		pop	ecx

loc_7397CA:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+409j
		mov	[esp+448h+var_434], eax

loc_7397CE:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+472j
		cmp	ecx, 2
		jnz	short loc_739794
		mov	ecx, [esp+448h+var_318]
		mov	[esp+448h+var_434], eax
		jmp	short loc_73979B
; 

loc_7397E0:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+2E0j
					; ExpRefreshTimeZoneInformation(x)+2EFj
		lea	eax, [ebx+1E0h]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		mov	esi, [esp+448h+var_404]
		lea	eax, [ebx+1B0h]
		xor	ecx, ecx
		mov	[esp+448h+var_434], eax
		mov	[eax], ecx
		mov	eax, ecx
		mov	[esp+448h+var_424], eax
		mov	[esp+448h+var_418], eax
		mov	[esp+448h+var_420], eax
		mov	[esp+448h+var_414], eax

loc_739810:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+4BBj
		cmp	[ebx+1B4h], esi
		jz	short loc_739846
		or	[esp+448h+var_3DC], 0FFFFFFFFh
		lea	eax, [esp+448h+var_3E0]
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	8
		push	eax
		push	(offset	loc_409AE7+1)
		mov	[esp+464h+var_3E0], ecx
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	edx, [ebx+1B4h]
		mov	ecx, esi
		call	_EtwTraceTimeZoneBiasChange@8 ;	EtwTraceTimeZoneBiasChange(x,x)

loc_739846:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+52Ej
		imul	eax, esi, 3Ch
		lea	ecx, [ebx+1B8h]
		mov	edx, 989680h
		mov	[ebx+1B4h], esi
		push	6Ch
		lea	esi, [esp+44Ch+var_3C0]
		mov	_ExpSystemIsInCmosMode,	0
		mov	edi, ebx
		imul	edx
		mov	[ecx+4], edx
		mov	[ecx], eax
		pop	ecx
		rep movsd
		mov	edi, [esp+448h+var_434]
		mov	edx, edi
		push	ecx
		call	_RtlSetSystemGlobalData@12 ; RtlSetSystemGlobalData(x,x,x)
		lea	eax, [esp+448h+var_3D0]
		push	eax
		lea	eax, [esp+44Ch+var_410]
		push	eax
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		cmp	[esp+448h+var_424], 0
		jnz	short loc_73989F
		cmp	[esp+448h+var_420], 0
		jz	short loc_7398C8

loc_73989F:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+5AEj
		lea	esi, [ebx+308h]
		push	esi
		lea	eax, [esp+44Ch+var_418]
		push	eax
		call	_ExLocalTimeToSystemTime@8 ; ExLocalTimeToSystemTime(x,x)
		lea	eax, [ebx+1C0h]
		push	eax
		push	dword ptr [esi+4]
		lea	eax, [ebx+1E0h]
		push	dword ptr [esi]
		push	eax
		call	_KeSetTimer@16	; KeSetTimer(x,x,x,x)

loc_7398C8:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+5B5j
		mov	eax, [esp+448h+var_3D0]
		lea	ecx, [ebx+2D8h]
		cwde
		push	64h
		cdq
		pop	esi
		idiv	esi
		inc	eax
		imul	eax, 64h
		mov	[ecx], ax
		lea	eax, [esp+448h+var_3E8]
		push	eax
		push	ecx
		call	_RtlTimeFieldsToTime@8 ; RtlTimeFieldsToTime(x,x)
		lea	esi, [ebx+2D0h]
		push	esi
		lea	eax, [esp+44Ch+var_3E8]
		push	eax
		call	_ExLocalTimeToSystemTime@8 ; ExLocalTimeToSystemTime(x,x)
		lea	eax, [ebx+218h]
		push	eax
		push	dword ptr [esi+4]
		lea	eax, [ebx+238h]
		push	dword ptr [esi]
		push	eax
		call	_KeSetTimer@16	; KeSetTimer(x,x,x,x)
		mov	esi, [esp+448h+var_3D0]
		lea	ecx, [ebx+2F0h]
		lea	eax, [esi+1]
		mov	[ecx], ax
		lea	eax, [esp+448h+var_3E8]
		push	eax
		push	ecx
		call	_RtlTimeFieldsToTime@8 ; RtlTimeFieldsToTime(x,x)
		lea	eax, [ebx+2E8h]
		push	eax
		lea	eax, [esp+44Ch+var_3E8]
		push	eax
		call	_ExLocalTimeToSystemTime@8 ; ExLocalTimeToSystemTime(x,x)
		lea	eax, [ebx+270h]
		push	eax
		lea	eax, [ebx+2E8h]
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		lea	eax, [ebx+290h]
		push	eax
		call	_KeSetTimer@16	; KeSetTimer(x,x,x,x)
		mov	eax, 0FFDF025Ch
		lock inc dword ptr [eax]
		lea	ecx, [ebx+1B8h]
		call	_ExpWriteTimeZoneBias@4	; ExpWriteTimeZoneBias(x)
		xor	edx, edx
		cmp	[esp+448h+var_424], edx
		jnz	short loc_739996
		cmp	[esp+448h+var_420], edx
		jnz	short loc_739996
		lea	eax, [ebx+2E8h]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		sub	ecx, 2710h
		sbb	eax, edx
		push	eax
		push	ecx
		jmp	short loc_7399A2
; 

loc_739996:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+68Fj
					; ExpRefreshTimeZoneInformation(x)+695j
		push	dword ptr [ebx+30Ch]
		push	dword ptr [ebx+308h]

loc_7399A2:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+6ACj
		push	[esp+450h+var_3F4]
		push	[esp+454h+var_408]
		call	ExpWriteTimeZoneBiasStartEnd
		mov	eax, 0FFDF025Ch
		lock inc dword ptr [eax]
		cmp	_ExpRealTimeIsUniversal, 0
		jnz	short loc_7399CB
		mov	ecx, [ebx+1B4h]
		call	RtlSetActiveTimeBias

loc_7399CB:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+6D6j
		cmp	si, [ebx+300h]
		jz	short loc_7399E6
		mov	ecx, esi
		call	RtlpUpdateDynamicTimeZones
		test	al, al
		jz	short loc_7399E6
		mov	[ebx+300h], si

loc_7399E6:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+6EAj
					; ExpRefreshTimeZoneInformation(x)+6F5j
		mov	dl, byte ptr [esp+448h+var_438]
		lea	eax, [esp+448h+var_418]
		push	eax
		lea	eax, [esp+44Ch+var_3D8]
		push	eax
		lea	eax, [esp+450h+var_400]
		push	eax
		lea	ecx, [esp+454h+var_3C0]
		call	_ExpLogRefreshTimeZoneInformationSuccess@20 ; ExpLogRefreshTimeZoneInformationSuccess(x,x,x,x,x)
		push	[esp+448h+var_438]
		mov	edx, [ebx+1B4h]
		xor	ecx, ecx
		push	[esp+44Ch+var_41C]
		push	dword ptr [edi]
		call	EtwTraceTimeZoneInformationRefresh
		mov	al, 1

loc_739A1E:				; CODE XREF: ExpRefreshTimeZoneInformation(x)+1CAj
		mov	ecx, [esp+448h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_ExpRefreshTimeZoneInformation@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ExpTimeZoneCleanupSiloState(x)
_ExpTimeZoneCleanupSiloState@4 proc near
					; CODE XREF: PspDeleteExternalServerSiloState(x)+60p
		mov	edi, edi
		push	ebx
		xor	bl, bl
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		cmp	[eax+261h], bl
		jz	short loc_739AA8
		push	esi
		mov	esi, [eax+268h]
		cmp	dword ptr [esi+200h], 0
		jz	short loc_739A68
		lea	eax, [esi+1E0h]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jnz	short loc_739A68
		inc	bl

loc_739A68:				; CODE XREF: ExpTimeZoneCleanupSiloState(x)+20j
					; ExpTimeZoneCleanupSiloState(x)+30j
		cmp	dword ptr [esi+258h], 0
		jz	short loc_739A83
		lea	eax, [esi+238h]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jnz	short loc_739A83
		mov	bl, 1

loc_739A83:				; CODE XREF: ExpTimeZoneCleanupSiloState(x)+3Bj
					; ExpTimeZoneCleanupSiloState(x)+4Bj
		cmp	dword ptr [esi+2B0h], 0
		jz	short loc_739A9E
		lea	eax, [esi+290h]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jnz	short loc_739A9E
		mov	bl, 1

loc_739A9E:				; CODE XREF: ExpTimeZoneCleanupSiloState(x)+56j
					; ExpTimeZoneCleanupSiloState(x)+66j
		pop	esi
		test	bl, bl
		jz	short loc_739AA8
		call	KeFlushQueuedDpcs

loc_739AA8:				; CODE XREF: ExpTimeZoneCleanupSiloState(x)+10j
					; ExpTimeZoneCleanupSiloState(x)+6Dj
		xor	eax, eax
		pop	ebx
		retn
_ExpTimeZoneCleanupSiloState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTimeZoneInitSiloState(x)
_ExpTimeZoneInitSiloState@4 proc near	; CODE XREF: PspInitializeServerSiloDeferred(x)+77p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		push	edi		; struct _exception *
		mov	[ebp+var_4], esi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		push	ecx
		mov	edi, eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	ebx, eax
		xor	edx, edx
		lea	eax, [ebp+var_4]
		mov	ecx, offset aTimezonevirtua ; "TimeZoneVirtualizationSupported"
		push	eax
		call	ExpReadTimeZoneInformation
		cmp	[ebp+var_4], esi
		jz	loc_739B68
		push	5A547845h
		push	318h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+268h], eax
		test	eax, eax
		jnz	short loc_739B07
		mov	esi, 0C000009Ah
		jmp	short loc_739B80
; 

loc_739B07:				; CODE XREF: ExpTimeZoneInitSiloState(x)+52j
		push	318h		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [edi+268h]
		or	edx, 0FFFFFFFFh
		mov	byte ptr [edi+261h], 1
		add	esp, 0Ch
		mov	ecx, offset aActivetimebias ; "ActiveTimeBias"
		mov	[eax+1B0h], edx
		mov	eax, [edi+268h]
		add	eax, 1B4h
		push	eax
		call	ExpReadTimeZoneInformation
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		mov	cl, 1
		call	_ExpRefreshTimeZoneInformation@4 ; ExpRefreshTimeZoneInformation(x)
		mov	ecx, offset _ExpTimeRefreshLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	esi
		push	esi
		call	_ZwSetSystemTime@8 ; ZwSetSystemTime(x,x)
		jmp	short loc_739B80
; 

loc_739B68:				; CODE XREF: ExpTimeZoneInitSiloState(x)+30j
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ecx, [eax+268h]
		mov	[edi+268h], ecx

loc_739B80:				; CODE XREF: ExpTimeZoneInitSiloState(x)+59j
					; ExpTimeZoneInitSiloState(x)+BAj
		push	ebx
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_ExpTimeZoneInitSiloState@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWriteSiloTimeZoneMarker(x)
_ExpWriteSiloTimeZoneMarker@4 proc near	; CODE XREF: ExpSetTimeZoneInformation(x,x)+129p
					; ExpSetTimeZoneInformation(x,x)+17Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		movzx	eax, cl
		push	4
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		push	offset aSilotimezonema ; "SiloTimeZoneMarker"
		push	offset aTimezoneinform ; "TimeZoneInformation"
		push	2
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		leave
		retn
_ExpWriteSiloTimeZoneMarker@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExpWriteTimeZoneBias(x)
_ExpWriteTimeZoneBias@4	proc near	; CODE XREF: ExpRefreshTimeZoneInformation(x)+684p
					; ExInitializeUtcTimeZoneBias(x)+28Fp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_739BD7
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edx, [eax+28Ch]
		add	edx, 250h
		jmp	short loc_739BDC
; 

loc_739BD7:				; CODE XREF: ExpWriteTimeZoneBias(x)+Cj
		mov	edx, 0FFDF0020h

loc_739BDC:				; CODE XREF: ExpWriteTimeZoneBias(x)+1Fj
		mov	eax, [esi+4]
		mov	[edx+8], eax
		mov	eax, [esi]
		mov	[edx], eax
		mov	eax, [esi+4]
		mov	[edx+4], eax
		pop	esi
		retn
_ExpWriteTimeZoneBias@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWriteTimeZoneBiasStartEnd proc near	; CODE XREF: ExpRefreshTimeZoneInformation(x)+6C2p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_739C15
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+28Ch]
		lea	ecx, [eax+260h]
		lea	edx, [eax+268h]
		jmp	short loc_739C1D
; 

loc_739C15:				; CODE XREF: ExpWriteTimeZoneBiasStartEnd+Cj
		mov	ecx, 0FFDF03C8h
		lea	edx, [ecx+8]

loc_739C1D:				; CODE XREF: ExpWriteTimeZoneBiasStartEnd+25j
		mov	eax, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_8]
		mov	[edx], eax
		mov	eax, [ebp+arg_C]
		mov	[edx+4], eax
		pop	ebp
		retn	10h
ExpWriteTimeZoneBiasStartEnd endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckBackupApplicationAttributes(x, x, x, x, x,	x, x)
_SdbpCheckBackupApplicationAttributes@28 proc near ; DATA XREF:	.text:004046C4o
					; .text:004046D4o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_14]
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax+30h]
		push	eax
		push	[ebp+arg_10]
		call	_SdbpCheckApplicationTypeAttributes@16 ; SdbpCheckApplicationTypeAttributes(x,x,x,x)
		test	eax, eax
		jz	short loc_739C59
		xor	eax, eax
		inc	eax

loc_739C59:				; CODE XREF: SdbpCheckBackupApplicationAttributes(x,x,x,x,x,x,x)+1Cj
		pop	ebp
		retn	1Ch
_SdbpCheckBackupApplicationAttributes@28 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckSdbCapability(x, x, x, x, x, x, x)
_SdbpCheckSdbCapability@28 proc	near	; DATA XREF: .text:004046B4o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_8]
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, esi
		push	6001h
		mov	[ebp+var_4], edi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_739CBC
		mov	ecx, [ebp+arg_8]
		mov	edx, eax
		call	SdbGetStringTagPtr
		test	eax, eax
		jnz	short loc_739CAA
		push	offset ??_C@_0CL@CODINPLA@Failed?5to?5get?5the?5string?5from?5t@NNGAKEGL@
		push	0A4Ah
		push	offset ??_C@_0BH@PEIOPMEE@SdbpCheckSdbCapability@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_739CBC
; 

loc_739CAA:				; CODE XREF: SdbpCheckSdbCapability(x,x,x,x,x,x,x)+2Fj
		mov	edx, [ebp+arg_4]
		lea	ecx, [ebp+var_4]
		push	eax
		call	_SdbpIsSdbCapabilityPresent@12 ; SdbpIsSdbCapabilityPresent(x,x,x)
		mov	edi, [ebp+var_4]
		xor	esi, esi
		inc	esi

loc_739CBC:				; CODE XREF: SdbpCheckSdbCapability(x,x,x,x,x,x,x)+21j
					; SdbpCheckSdbCapability(x,x,x,x,x,x,x)+4Aj
		mov	ecx, [ebp+arg_0]
		mov	eax, esi
		mov	[ecx], edi
		pop	edi
		pop	esi
		leave
		retn	1Ch
_SdbpCheckSdbCapability@28 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCreateSearchDBContext(x, x, x, x, x, x)
_SdbpCreateSearchDBContext@24 proc near	; CODE XREF: SdbGetDatabaseMatch+92p
					; SdbpCheckKObject+4Bp

var_428		= dword	ptr -428h
var_424		= dword	ptr -424h
var_420		= dword	ptr -420h
var_41C		= dword	ptr -41Ch
var_418		= dword	ptr -418h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 42Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+42Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	208h		; size_t
		xor	esi, esi
		mov	[esp+43Ch+var_420], edx
		lea	eax, [esp+43Ch+var_210]
		mov	edi, ecx
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+438h+var_418]
		mov	ebx, esi
		push	208h		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esp+444h+var_420]
		add	esp, 0Ch
		test	eax, eax
		jz	loc_739E2D
		mov	eax, [eax]
		mov	ecx, eax
		mov	[esp+438h+var_424], eax
		lea	edx, [ecx+2]

loc_739D33:				; CODE XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+72j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_739D33
		sub	ecx, edx
		sar	ecx, 1
		push	ecx
		mov	[esp+43Ch+var_41C], ecx
		lea	edx, ds:2[ecx*2]
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	ecx, eax
		mov	[esp+438h+var_428], ecx
		test	ecx, ecx
		jnz	short loc_739D7B
		push	offset ??_C@_0CN@HKBNFJHO@Unable?5to?5allocate?5memory?5for?5d@NNGAKEGL@
		push	174h
		push	(offset	loc_8C27DA+2)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_739E99
; 

loc_739D7B:				; CODE XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+91j
		push	ecx		; int
		lea	eax, [esp+43Ch+var_210]
		mov	edx, ecx	; int
		push	eax		; int
		push	ecx		; int
		mov	ecx, [esp+444h+var_424]	; wchar_t *
		lea	eax, [esp+444h+var_418]
		push	eax		; int
		mov	eax, [esp+448h+var_41C]
		inc	eax
		push	eax		; int
		call	AslPathSplit
		test	eax, eax
		jns	short loc_739DBE
		push	[esp+438h+var_424]
		push	(offset	loc_8C27F5+1)
		push	17Fh
		push	(offset	loc_8C27DA+2)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_739E17
; 

loc_739DBE:				; CODE XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+D3j
		push	ecx
		mov	edx, 208h
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_739DEA
		push	(offset	loc_8C27B3+1)
		push	185h
		push	(offset	loc_8C27DA+2)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_739E17
; 

loc_739DEA:				; CODE XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+103j
		lea	eax, [esp+438h+var_418]
		mov	edx, 104h
		push	eax
		mov	ecx, ebx
		call	RtlStringCchCopyW
		test	eax, eax
		js	short loc_739E17
		lea	eax, [esp+438h+var_210]
		mov	edx, 104h
		push	eax
		mov	ecx, ebx
		call	_RtlStringCchCatW@12 ; RtlStringCchCatW(x,x,x)
		test	eax, eax
		jns	short loc_739E6A

loc_739E17:				; CODE XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+F2j
					; SdbpCreateSearchDBContext(x,x,x,x,x,x)+11Ej ...
		mov	edx, [esp+438h+var_428]
		call	_AslFree@8	; AslFree(x,x)
		test	ebx, ebx
		jz	short loc_739E99
		mov	edx, ebx
		call	_AslFree@8	; AslFree(x,x)
		jmp	short loc_739E99
; 

loc_739E2D:				; CODE XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+58j
		push	ecx
		push	4
		pop	edx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		push	offset ??_C@_13JOFGPIOO@?$AA?4@NNGAKEGL@
		push	2
		pop	edx
		mov	ecx, eax
		mov	[esp+43Ch+var_428], eax
		call	RtlStringCchCopyW
		push	ecx
		push	2
		pop	edx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	ebx, eax
		xor	eax, eax
		push	ecx
		push	2
		pop	edx
		mov	[ebx], ax
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		xor	ecx, ecx
		mov	[eax], cx
		mov	[edi+0Ch], eax

loc_739E6A:				; CODE XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+14Bj
		mov	edx, [esp+438h+var_420]
		mov	eax, [esp+438h+var_428]
		mov	[edi+4], edx
		mov	[edi+1Ch], esi
		mov	[edi+10h], eax
		mov	[edi+14h], ebx
		mov	[edi+18h], esi
		mov	[edi+24h], esi
		mov	[edi+20h], esi
		mov	[edi+2Ch], esi
		call	_Feature_CompatBuildInVb__private_IsEnabledDeviceUsage@0 ; Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	short loc_739E96
		mov	[edi+30h], esi

loc_739E96:				; CODE XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+1C7j
		xor	esi, esi
		inc	esi

loc_739E99:				; CODE XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+ACj
					; SdbpCreateSearchDBContext(x,x,x,x,x,x)+158j ...
		mov	ecx, [esp+438h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_SdbpCreateSearchDBContext@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpFindMatcher(x, x, x, x,	x)
_SdbpFindMatcher@20 proc near		; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+56p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		push	edi
		call	SdbGetTagFromTagID
		cmp	[ebp+arg_8], 0
		movzx	eax, ax
		jz	short loc_739EF2
		mov	esi, [ebp+arg_0]
		xor	ecx, ecx
		mov	edx, eax

loc_739EDB:				; CODE XREF: SdbpFindMatcher(x,x,x,x,x)+3Ej
		movzx	edi, cx
		mov	eax, edi
		add	eax, eax
		cmp	edx, [esi+eax*8+1ACh]
		jz	short loc_739EFE
		inc	ecx
		cmp	cx, 20h
		jb	short loc_739EDB

loc_739EF2:				; CODE XREF: SdbpFindMatcher(x,x,x,x,x)+20j
		and	dword ptr [ebx], 0
		xor	eax, eax

loc_739EF7:				; CODE XREF: SdbpFindMatcher(x,x,x,x,x)+6Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_739EFE:				; CODE XREF: SdbpFindMatcher(x,x,x,x,x)+37j
		mov	eax, [ebp+var_4]
		mov	edx, edi
		add	edx, edx
		mov	ecx, [esi+edx*8+1B4h]
		mov	[eax], ecx
		lea	eax, [edi+1Bh]
		mov	ecx, [esi+edx*8+1B8h]
		add	eax, eax
		mov	[ebx], ecx
		mov	eax, [esi+eax*8]
		jmp	short loc_739EF7
_SdbpFindMatcher@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpFreeAppAttributes(x)
_SdbpFreeAppAttributes@4 proc near	; CODE XREF: SdbpReleaseSearchDBContext(x)+F3p
					; SdbpReleaseSearchDBContext(x)+10Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	loc_739FE9
		mov	eax, [edi+8]
		push	ebx
		xor	ebx, ebx
		test	eax, eax
		jz	loc_739FCF
		push	esi

loc_739F42:				; CODE XREF: SdbpFreeAppAttributes(x)+A6j
		xor	esi, esi
		cmp	ebx, eax
		jnb	short loc_739F6C
		mov	eax, [edi+4]
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], esi
		mul	ebx
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_739F6A
		mov	ecx, [edi+14h]
		mov	esi, [ebp+var_4]
		add	esi, ecx
		cmp	esi, ecx
		jnb	short loc_739F6C

loc_739F6A:				; CODE XREF: SdbpFreeAppAttributes(x)+3Aj
		xor	esi, esi

loc_739F6C:				; CODE XREF: SdbpFreeAppAttributes(x)+24j
					; SdbpFreeAppAttributes(x)+46j
		movzx	ecx, word ptr [esi]
		mov	eax, 6029h
		cmp	cx, ax
		jz	short loc_739F8B
		inc	eax
		cmp	cx, ax
		jz	short loc_739F8B
		mov	edx, 602Bh
		mov	eax, ecx
		cmp	cx, dx
		jnz	short loc_739F96

loc_739F8B:				; CODE XREF: SdbpFreeAppAttributes(x)+55j
					; SdbpFreeAppAttributes(x)+5Bj
		mov	edx, [esi+8]
		call	_AslFree@8	; AslFree(x,x)
		movzx	eax, word ptr [esi]

loc_739F96:				; CODE XREF: SdbpFreeAppAttributes(x)+67j
		mov	ecx, 6001h
		cmp	ax, cx
		jz	short loc_739FBA
		add	ecx, 41h
		cmp	ax, cx
		jz	short loc_739FBA
		mov	ecx, 6048h
		cmp	ax, cx
		jz	short loc_739FBA
		add	ecx, 0FFFFFFC9h
		cmp	ax, cx
		jnz	short loc_739FC2

loc_739FBA:				; CODE XREF: SdbpFreeAppAttributes(x)+7Cj
					; SdbpFreeAppAttributes(x)+84j	...
		mov	edx, [esi+8]
		call	_AslFree@8	; AslFree(x,x)

loc_739FC2:				; CODE XREF: SdbpFreeAppAttributes(x)+96j
		mov	eax, [edi+8]
		inc	ebx
		cmp	ebx, eax
		jb	loc_739F42
		pop	esi

loc_739FCF:				; CODE XREF: SdbpFreeAppAttributes(x)+19j
		mov	eax, [edi+14h]
		pop	ebx
		test	eax, eax
		jz	short loc_739FE2
		push	72615452h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_739FE2:				; CODE XREF: SdbpFreeAppAttributes(x)+B3j
		push	6
		pop	ecx
		xor	eax, eax
		rep stosd

loc_739FE9:				; CODE XREF: SdbpFreeAppAttributes(x)+Bj
		pop	edi
		leave
		retn
_SdbpFreeAppAttributes@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpIsSdbCapabilityPresent(x, x, x)
_SdbpIsSdbCapabilityPresent@12 proc near
					; CODE XREF: SdbpCheckSdbCapability(x,x,x,x,x,x,x)+53p
					; SdbpMatchList(x,x,x,x,x,x,x,x)+F1p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= word ptr -2
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		and	dword ptr [eax], 0
		mov	edi, edx
		mov	[ebp+var_C], eax
		xor	esi, esi

loc_73A003:				; CODE XREF: SdbpIsSdbCapabilityPresent(x,x,x)+55j
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:off_4041E8[esi]

loc_73A00C:				; CODE XREF: SdbpIsSdbCapabilityPresent(x,x,x)+40j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_73A032
		test	dx, dx
		jz	short loc_73A02E
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_73A032
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_73A00C

loc_73A02E:				; CODE XREF: SdbpIsSdbCapabilityPresent(x,x,x)+2Bj
		xor	eax, eax
		jmp	short loc_73A037
; 

loc_73A032:				; CODE XREF: SdbpIsSdbCapabilityPresent(x,x,x)+26j
					; SdbpIsSdbCapabilityPresent(x,x,x)+35j
		sbb	eax, eax
		or	eax, 1

loc_73A037:				; CODE XREF: SdbpIsSdbCapabilityPresent(x,x,x)+44j
		test	eax, eax
		jz	short loc_73A0B1
		add	esi, 4
		cmp	esi, 10h
		jb	short loc_73A003
		xor	esi, esi
		lea	edx, [edi+3ACh]

loc_73A04B:				; CODE XREF: SdbpIsSdbCapabilityPresent(x,x,x)+C1j
		mov	edi, [edx]
		mov	[ebp+var_8], edi
		test	edi, edi
		jz	short loc_73A0BA
		mov	eax, [edi]
		xor	ebx, ebx
		jmp	short loc_73A0A2
; 

loc_73A05A:				; CODE XREF: SdbpIsSdbCapabilityPresent(x,x,x)+B8j
		mov	ecx, [ebp+arg_0]

loc_73A05D:				; CODE XREF: SdbpIsSdbCapabilityPresent(x,x,x)+A3j
		mov	di, [eax]
		cmp	di, [ecx]
		mov	[ebp+var_2], di
		mov	edi, [ebp+var_8]
		jnz	short loc_73A095
		cmp	[ebp+var_2], 0
		jz	short loc_73A091
		mov	di, [eax+2]
		cmp	di, [ecx+2]
		mov	[ebp+var_2], di
		mov	edi, [ebp+var_8]
		jnz	short loc_73A095
		add	eax, 4
		add	ecx, 4
		cmp	[ebp+var_2], 0
		jnz	short loc_73A05D

loc_73A091:				; CODE XREF: SdbpIsSdbCapabilityPresent(x,x,x)+85j
		xor	eax, eax
		jmp	short loc_73A09A
; 

loc_73A095:				; CODE XREF: SdbpIsSdbCapabilityPresent(x,x,x)+7Ej
					; SdbpIsSdbCapabilityPresent(x,x,x)+96j
		sbb	eax, eax
		or	eax, 1

loc_73A09A:				; CODE XREF: SdbpIsSdbCapabilityPresent(x,x,x)+A7j
		test	eax, eax
		jz	short loc_73A0B1
		inc	ebx
		mov	eax, [edi+ebx*4]

loc_73A0A2:				; CODE XREF: SdbpIsSdbCapabilityPresent(x,x,x)+6Cj
		test	eax, eax
		jnz	short loc_73A05A
		inc	esi
		add	edx, 4
		cmp	esi, 10h
		jb	short loc_73A04B
		jmp	short loc_73A0BA
; 

loc_73A0B1:				; CODE XREF: SdbpIsSdbCapabilityPresent(x,x,x)+4Dj
					; SdbpIsSdbCapabilityPresent(x,x,x)+B0j
		mov	eax, [ebp+var_C]
		mov	dword ptr [eax], 1

loc_73A0BA:				; CODE XREF: SdbpIsSdbCapabilityPresent(x,x,x)+66j
					; SdbpIsSdbCapabilityPresent(x,x,x)+C3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SdbpIsSdbCapabilityPresent@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpMatchList(x, x,	x, x, x, x, x, x)
_SdbpMatchList@32 proc near		; CODE XREF: SdbpCheckForMatch+4Fp
					; SdbpMatchOne(x,x,x,x,x,x,x)+36p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		mov	[esp+20h+var_4], edx
		mov	edx, [ebp+arg_8]
		mov	ebx, eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[esp+28h+var_8], ecx
		mov	ecx, edi
		mov	[esp+28h+var_C], eax
		mov	[esp+28h+var_10], eax
		mov	[esp+28h+var_14], eax
		mov	[esp+28h+var_1C], 1
		mov	[esp+28h+var_18], ebx
		call	_SdbGetFirstChild@8 ; SdbGetFirstChild(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_73A220

loc_73A10B:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+154j
		push	esi
		push	edi
		push	[ebp+arg_0]
		lea	edx, [esp+34h+var_14]
		lea	ecx, [esp+34h+var_10]
		call	_SdbpFindMatcher@20 ; SdbpFindMatcher(x,x,x,x,x)
		mov	ebx, eax
		call	_Feature_CompatBuildInVb__private_IsEnabledDeviceUsage@0 ; Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	loc_73A1BF
		test	ebx, ebx
		jnz	short loc_73A14F
		cmp	[esp+28h+var_14], 2
		jnz	short loc_73A13C
		xor	eax, eax
		inc	eax
		jmp	short loc_73A149
; 

loc_73A13C:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+73j
		cmp	[esp+28h+var_14], 3
		jnz	loc_73A207
		xor	eax, eax

loc_73A149:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+78j
		mov	[esp+28h+var_1C], eax
		jmp	short loc_73A16D
; 

loc_73A14F:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+6Cj
		push	[esp+28h+var_10]
		lea	eax, [esp+2Ch+var_1C]
		push	[ebp+arg_C]
		push	esi
		push	[ebp+arg_8]
		push	edi
		push	[ebp+arg_0]
		push	eax
		call	ebx
		test	eax, eax
		jz	loc_73A249

loc_73A16D:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+8Bj
		inc	[esp+44h+var_34]
		mov	edx, esi
		push	1003h
		mov	ecx, edi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_73A190
		xor	eax, eax
		cmp	[esp+44h+var_38], eax
		setz	al
		mov	[esp+44h+var_38], eax

loc_73A190:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+BFj
		push	603Ch
		mov	edx, esi
		mov	ecx, edi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_73A1FE
		mov	edx, eax
		mov	ecx, edi
		call	SdbGetStringTagPtr
		mov	edx, [ebp+arg_0]
		lea	ecx, [esp+44h+var_28]
		push	eax
		call	_SdbpIsSdbCapabilityPresent@12 ; SdbpIsSdbCapabilityPresent(x,x,x)
		cmp	[esp+44h+var_28], 0
		jmp	short loc_73A1ED
; 

loc_73A1BF:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+64j
		test	ebx, ebx
		jz	short loc_73A207
		push	[esp+28h+var_10]
		lea	eax, [esp+2Ch+var_1C]
		push	[ebp+arg_C]
		push	esi
		push	[ebp+arg_8]
		push	edi
		push	[ebp+arg_0]
		push	eax
		call	ebx
		test	eax, eax
		jz	short loc_73A249
		push	1003h
		mov	edx, esi
		mov	ecx, edi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax

loc_73A1ED:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+FBj
		jz	short loc_73A1FE
		xor	eax, eax
		cmp	[esp+44h+var_38], eax
		setz	al
		mov	[esp+44h+var_38], eax
		jmp	short loc_73A202
; 

loc_73A1FE:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+DEj
					; SdbpMatchList(x,x,x,x,x,x,x,x):loc_73A1EDj
		mov	eax, [esp+44h+var_38]

loc_73A202:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+13Aj
		cmp	eax, [ebp+arg_10]
		jz	short loc_73A226

loc_73A207:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+7Fj
					; SdbpMatchList(x,x,x,x,x,x,x,x)+FFj
		mov	edx, [ebp+arg_8]
		mov	ecx, edi
		push	esi
		call	SdbGetNextChild
		mov	esi, eax
		test	esi, esi
		jnz	loc_73A10B
		mov	ebx, [esp+44h+var_34]

loc_73A220:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+43j
		mov	eax, [esp+44h+var_38]
		jmp	short loc_73A22A
; 

loc_73A226:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+143j
		mov	ebx, [esp+44h+var_34]

loc_73A22A:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+162j
		mov	ecx, [esp+44h+var_24]
		mov	[ecx], eax
		call	_Feature_CompatBuildInVb__private_IsEnabledDeviceUsage@0 ; Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	short loc_73A246
		mov	ecx, [esp+44h+var_20]
		xor	eax, eax
		inc	eax
		test	ecx, ecx
		jz	short loc_73A249
		mov	[ecx], ebx

loc_73A246:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+175j
		xor	eax, eax
		inc	eax

loc_73A249:				; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+A5j
					; SdbpMatchList(x,x,x,x,x,x,x,x)+119j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_SdbpMatchList@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckFromStringVersion(x, x)
_SdbpCheckFromStringVersion@8 proc near	; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+24Dp
					; SdbpCheckAttribute(x,x,x,x,x)+17Ep

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ecx
		xor	ebx, ebx
		inc	esi
		push	edi
		mov	edi, edx
		mov	edx, ebx
		mov	[ebp+var_1C], edi
		cmp	[ecx], bx
		jz	loc_73A3CC
		mov	[ebp+var_4], 30h

loc_73A27C:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+15Ej
		movzx	eax, word ptr [edi]
		mov	[ebp+var_28], eax
		test	ax, ax
		jz	loc_73A3CC
		movzx	eax, word ptr [ecx]
		xor	edx, edx
		mov	[ebp+var_20], 2Ah
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_14], edx
		cmp	word ptr [ebp+var_20], ax
		jnz	short loc_73A2B6
		mov	edx, esi
		add	ecx, 2
		mov	[ebp+var_14], edx
		jmp	short loc_73A317
; 

loc_73A2B6:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+58j
		cmp	word ptr [ebp+var_4], ax
		ja	short loc_73A31A
		mov	esi, [ebp+var_C]
		mov	edx, eax
		mov	edi, [ebp+var_10]
		push	39h
		mov	[ebp+var_8], edx
		pop	ebx

loc_73A2CA:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+B1j
		cmp	dx, bx
		ja	short loc_73A305
		mov	eax, esi
		push	0Ah
		pop	edx
		mul	edx
		push	0Ah
		mov	esi, eax
		mov	eax, edi
		pop	edx
		mul	edx
		mov	edi, eax
		add	esi, edx
		mov	eax, [ebp+var_8]
		movzx	eax, ax
		cdq
		add	edi, eax
		adc	esi, edx
		add	edi, 0FFFFFFD0h
		adc	esi, 0FFFFFFFFh
		add	ecx, 2
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		mov	[ebp+var_8], edx
		cmp	word ptr [ebp+var_4], ax
		jbe	short loc_73A2CA

loc_73A305:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+7Bj
		mov	ebx, [ebp+var_24]
		mov	edx, [ebp+var_14]
		mov	[ebp+var_C], esi
		xor	esi, esi
		mov	[ebp+var_10], edi
		inc	esi
		mov	edi, [ebp+var_1C]

loc_73A317:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+62j
		mov	[ebp+var_8], ecx

loc_73A31A:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+68j
		mov	eax, [ebp+var_28]
		cmp	word ptr [ebp+var_4], ax
		ja	short loc_73A374
		mov	esi, [ebp+var_18]
		movzx	ecx, ax

loc_73A329:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+114j
		push	39h
		pop	eax
		cmp	cx, ax
		ja	short loc_73A368
		test	edx, edx
		jnz	short loc_73A35A
		mov	eax, ebx
		push	0Ah
		pop	edx
		mul	edx
		push	0Ah
		mov	ebx, eax
		mov	eax, esi
		pop	edx
		mul	edx
		add	ebx, edx
		mov	esi, eax
		movzx	eax, cx
		cdq
		add	esi, eax
		adc	ebx, edx
		mov	edx, [ebp+var_14]
		add	esi, 0FFFFFFD0h
		adc	ebx, 0FFFFFFFFh

loc_73A35A:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+E1j
		add	edi, 2
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		cmp	word ptr [ebp+var_4], ax
		jbe	short loc_73A329

loc_73A368:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+DDj
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_18], esi
		xor	esi, esi
		mov	[ebp+var_1C], edi
		inc	esi

loc_73A374:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+CFj
		test	edx, edx
		jnz	short loc_73A385
		mov	eax, [ebp+var_18]
		cmp	[ebp+var_10], eax
		jnz	short loc_73A3B8
		cmp	[ebp+var_C], ebx
		jnz	short loc_73A3BB

loc_73A385:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+124j
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_73A3A0
		movzx	ebx, word ptr [edi]
		test	bx, bx
		jz	short loc_73A39A
		cmp	ax, bx
		jnz	short loc_73A3C8

loc_73A39A:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+141j
		add	ecx, 2
		mov	[ebp+var_8], ecx

loc_73A3A0:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+139j
		xor	ebx, ebx
		cmp	[edi], bx
		jz	short loc_73A3AD
		add	edi, 2
		mov	[ebp+var_1C], edi

loc_73A3AD:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+153j
		cmp	[ecx], bx
		jnz	loc_73A27C
		jmp	short loc_73A3CC
; 

loc_73A3B8:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+12Cj
		cmp	[ebp+var_C], ebx

loc_73A3BB:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+131j
		ja	short loc_73A3C8
		jb	short loc_73A3C4
		cmp	[ebp+var_10], eax
		jnb	short loc_73A3C8

loc_73A3C4:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+16Bj
		xor	ebx, ebx
		jmp	short loc_73A3CC
; 

loc_73A3C8:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+146j
					; SdbpCheckFromStringVersion(x,x):loc_73A3BBj ...
		xor	ebx, ebx
		mov	esi, ebx

loc_73A3CC:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+1Dj
					; SdbpCheckFromStringVersion(x,x)+33j ...
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jnz	short loc_73A3D9
		cmp	[edi], bx
		jz	short loc_73A3E8

loc_73A3D9:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+180j
		test	esi, esi
		jz	short loc_73A3E6
		test	ax, ax
		jnz	short loc_73A3E6
		test	edx, edx
		jnz	short loc_73A3E8

loc_73A3E6:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+189j
					; SdbpCheckFromStringVersion(x,x)+18Ej
		mov	esi, ebx

loc_73A3E8:				; CODE XREF: SdbpCheckFromStringVersion(x,x)+185j
					; SdbpCheckFromStringVersion(x,x)+192j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SdbpCheckFromStringVersion@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckUptoStringVersion(x, x)
_SdbpCheckUptoStringVersion@8 proc near	; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+26Cp
					; SdbpCheckAttribute(x,x,x,x,x)+159p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ecx
		xor	ebx, ebx
		inc	esi
		push	edi
		mov	edi, edx
		mov	edx, ebx
		mov	[ebp+var_1C], edi
		cmp	[ecx], bx
		jz	loc_73A56A
		mov	[ebp+var_4], 30h

loc_73A41A:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+15Ej
		movzx	eax, word ptr [edi]
		mov	[ebp+var_28], eax
		test	ax, ax
		jz	loc_73A56A
		movzx	eax, word ptr [ecx]
		xor	edx, edx
		mov	[ebp+var_20], 2Ah
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_14], edx
		cmp	word ptr [ebp+var_20], ax
		jnz	short loc_73A454
		mov	edx, esi
		add	ecx, 2
		mov	[ebp+var_14], edx
		jmp	short loc_73A4B5
; 

loc_73A454:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+58j
		cmp	word ptr [ebp+var_4], ax
		ja	short loc_73A4B8
		mov	esi, [ebp+var_C]
		mov	edx, eax
		mov	edi, [ebp+var_10]
		push	39h
		mov	[ebp+var_8], edx
		pop	ebx

loc_73A468:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+B1j
		cmp	dx, bx
		ja	short loc_73A4A3
		mov	eax, esi
		push	0Ah
		pop	edx
		mul	edx
		push	0Ah
		mov	esi, eax
		mov	eax, edi
		pop	edx
		mul	edx
		mov	edi, eax
		add	esi, edx
		mov	eax, [ebp+var_8]
		movzx	eax, ax
		cdq
		add	edi, eax
		adc	esi, edx
		add	edi, 0FFFFFFD0h
		adc	esi, 0FFFFFFFFh
		add	ecx, 2
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		mov	[ebp+var_8], edx
		cmp	word ptr [ebp+var_4], ax
		jbe	short loc_73A468

loc_73A4A3:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+7Bj
		mov	ebx, [ebp+var_24]
		mov	edx, [ebp+var_14]
		mov	[ebp+var_C], esi
		xor	esi, esi
		mov	[ebp+var_10], edi
		inc	esi
		mov	edi, [ebp+var_1C]

loc_73A4B5:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+62j
		mov	[ebp+var_8], ecx

loc_73A4B8:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+68j
		mov	eax, [ebp+var_28]
		cmp	word ptr [ebp+var_4], ax
		ja	short loc_73A512
		mov	esi, [ebp+var_18]
		movzx	ecx, ax

loc_73A4C7:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+114j
		push	39h
		pop	eax
		cmp	cx, ax
		ja	short loc_73A506
		test	edx, edx
		jnz	short loc_73A4F8
		mov	eax, ebx
		push	0Ah
		pop	edx
		mul	edx
		push	0Ah
		mov	ebx, eax
		mov	eax, esi
		pop	edx
		mul	edx
		add	ebx, edx
		mov	esi, eax
		movzx	eax, cx
		cdq
		add	esi, eax
		adc	ebx, edx
		mov	edx, [ebp+var_14]
		add	esi, 0FFFFFFD0h
		adc	ebx, 0FFFFFFFFh

loc_73A4F8:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+E1j
		add	edi, 2
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		cmp	word ptr [ebp+var_4], ax
		jbe	short loc_73A4C7

loc_73A506:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+DDj
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_18], esi
		xor	esi, esi
		mov	[ebp+var_1C], edi
		inc	esi

loc_73A512:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+CFj
		test	edx, edx
		jnz	short loc_73A523
		mov	eax, [ebp+var_18]
		cmp	[ebp+var_10], eax
		jnz	short loc_73A556
		cmp	[ebp+var_C], ebx
		jnz	short loc_73A559

loc_73A523:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+124j
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_73A53E
		movzx	ebx, word ptr [edi]
		test	bx, bx
		jz	short loc_73A538
		cmp	ax, bx
		jnz	short loc_73A566

loc_73A538:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+141j
		add	ecx, 2
		mov	[ebp+var_8], ecx

loc_73A53E:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+139j
		xor	ebx, ebx
		cmp	[edi], bx
		jz	short loc_73A54B
		add	edi, 2
		mov	[ebp+var_1C], edi

loc_73A54B:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+153j
		cmp	[ecx], bx
		jnz	loc_73A41A
		jmp	short loc_73A56A
; 

loc_73A556:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+12Cj
		cmp	[ebp+var_C], ebx

loc_73A559:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+131j
		jb	short loc_73A566
		ja	short loc_73A562
		cmp	[ebp+var_10], eax
		jbe	short loc_73A566

loc_73A562:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+16Bj
		xor	ebx, ebx
		jmp	short loc_73A56A
; 

loc_73A566:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+146j
					; SdbpCheckUptoStringVersion(x,x):loc_73A559j ...
		xor	ebx, ebx
		mov	esi, ebx

loc_73A56A:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+1Dj
					; SdbpCheckUptoStringVersion(x,x)+33j ...
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jnz	short loc_73A577
		cmp	[edi], bx
		jz	short loc_73A586

loc_73A577:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+180j
		test	esi, esi
		jz	short loc_73A584
		test	ax, ax
		jnz	short loc_73A584
		test	edx, edx
		jnz	short loc_73A586

loc_73A584:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+189j
					; SdbpCheckUptoStringVersion(x,x)+18Ej
		mov	esi, ebx

loc_73A586:				; CODE XREF: SdbpCheckUptoStringVersion(x,x)+185j
					; SdbpCheckUptoStringVersion(x,x)+192j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SdbpCheckUptoStringVersion@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetNtHeaderAttributes(x, x,	x, x, x, x, x, x, x)
_AslpFileGetNtHeaderAttributes@36 proc near
					; CODE XREF: AslpFileGetHeaderAttributesPE(x,x)+B5p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

		push	14h
		push	offset dword_6AAD60
		call	__SEH_prolog4
		mov	ebx, edx
		mov	edi, ecx
		and	[ebp+var_1C], 0
		mov	edx, [ebp+arg_18]
		lea	ecx, [ebp+var_1C]
		call	_AslpFileGetImageNtHeader@8 ; AslpFileGetImageNtHeader(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_73A5D2
		push	esi
		push	offset ??_C@_0CF@GGCNCAGG@AslpFileGetImageNtHeader?5failed@NNGAKEGL@
		push	0EDFh
		push	(offset	loc_8C5C25+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_73A686
; 

loc_73A5D2:				; CODE XREF: AslpFileGetNtHeaderAttributes(x,x,x,x,x,x,x,x,x)+23j
		and	[ebp+ms_exc.disabled], 0
		mov	edx, [ebp+var_1C]
		movzx	eax, word ptr [edx+44h]
		movzx	ecx, al
		shl	ecx, 10h
		movzx	eax, word ptr [edx+46h]
		movzx	eax, al
		add	ecx, eax
		mov	[ebx], ecx
		mov	ecx, [edx+8]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		movzx	esi, word ptr [edx+18h]
		mov	eax, [ebp+arg_10]
		mov	[eax], si
		mov	cx, [edx+4]
		mov	eax, [ebp+arg_8]
		mov	[eax], cx
		mov	eax, 10Bh
		cmp	si, ax
		jz	short loc_73A630
		mov	eax, 20Bh
		cmp	si, ax
		jz	short loc_73A630
		and	dword ptr [edi], 0
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		xor	ecx, ecx
		mov	esi, 0C00000BBh
		jmp	short loc_73A643
; 

loc_73A630:				; CODE XREF: AslpFileGetNtHeaderAttributes(x,x,x,x,x,x,x,x,x)+84j
					; AslpFileGetNtHeaderAttributes(x,x,x,x,x,x,x,x,x)+8Ej
		mov	eax, [edx+58h]
		mov	[edi], eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [edx+50h]
		mov	[eax], ecx
		mov	cx, [edx+5Ch]
		xor	esi, esi

loc_73A643:				; CODE XREF: AslpFileGetNtHeaderAttributes(x,x,x,x,x,x,x,x,x)+A0j
		mov	eax, [ebp+arg_C]
		mov	[eax], cx
		mov	[ebp+var_20], esi
		jmp	short loc_73A67F
; 

loc_73A64E:				; DATA XREF: .text:006AAD74o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_73A65C:				; DATA XREF: .text:006AAD78o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_24]
		mov	[ebp+var_20], esi
		push	esi
		push	(offset	loc_8C4D43+3)
		push	0F32h
		push	(offset	loc_8C5C25+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_73A67F:				; CODE XREF: AslpFileGetNtHeaderAttributes(x,x,x,x,x,x,x,x,x)+BEj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_73A686:				; CODE XREF: AslpFileGetNtHeaderAttributes(x,x,x,x,x,x,x,x,x)+3Fj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_AslpFileGetNtHeaderAttributes@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileQueryExportName_Vb(x, x)
_AslpFileQueryExportName_Vb@8 proc near	; CODE XREF: AslpFileGetExportName(x,x)+39p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	18h
		push	offset dword_6AAD00
		call	__SEH_prolog4
		mov	edi, edx
		mov	ebx, ecx
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		mov	[ebx], al
		mov	[ebp+ms_exc.disabled], eax
		lea	ecx, [ebp+var_24]
		call	_AslpFileGetImageNtHeader@8 ; AslpFileGetImageNtHeader(x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jns	short loc_73A6D8
		push	esi
		push	offset ??_C@_0CF@GGCNCAGG@AslpFileGetImageNtHeader?5failed@NNGAKEGL@
		push	10FBh
		jmp	loc_73A7D9
; 

loc_73A6D8:				; CODE XREF: AslpFileQueryExportName_Vb(x,x)+2Cj
		lea	eax, [ebp+var_20]
		push	eax
		push	0
		movzx	eax, byte ptr [edi+27h]
		push	eax
		push	dword ptr [edi+18h]
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_73A790
		cmp	[ebp+var_20], 28h
		jb	loc_73A790
		mov	eax, [edi+18h]
		cmp	edx, eax
		jb	short loc_73A77C
		mov	ecx, [edi+10h]
		add	ecx, eax
		lea	eax, [edx+28h]
		cmp	eax, ecx
		ja	short loc_73A77C
		push	dword ptr [edx+0Ch]
		lea	edx, [edi+8]
		mov	ecx, [ebp+var_24]
		call	_AslpImageRvaToVa@12 ; AslpImageRvaToVa(x,x,x)
		test	eax, eax
		jz	short loc_73A768
		mov	edx, [edi+10h]
		add	edx, [edi+18h]
		cmp	eax, edx
		jnb	short loc_73A768
		cmp	byte ptr [eax],	0
		jz	short loc_73A768
		sub	edx, eax
		mov	ecx, 100h
		cmp	edx, ecx
		jbe	short loc_73A740
		mov	edx, ecx

loc_73A740:				; CODE XREF: AslpFileQueryExportName_Vb(x,x)+A2j
		push	eax
		mov	ecx, ebx
		call	_RtlStringCchCopyA@12 ;	RtlStringCchCopyA(x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jns	short loc_73A75E
		push	esi
		push	offset ??_C@_0BO@CLFDFHEN@RtlStringCchCopyA?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	112Fh
		jmp	short loc_73A7D9
; 

loc_73A75E:				; CODE XREF: AslpFileQueryExportName_Vb(x,x)+B5j
		xor	esi, esi
		mov	[ebp+var_1C], esi
		jmp	loc_73A7E8
; 

loc_73A768:				; CODE XREF: AslpFileQueryExportName_Vb(x,x)+88j
					; AslpFileQueryExportName_Vb(x,x)+92j ...
		mov	esi, 0C000007Bh
		mov	[ebp+var_1C], esi
		push	offset ??_C@_0DB@FMAOEGHG@Export?5directory?5invalid?5or?5inv@NNGAKEGL@
		push	1123h
		jmp	short loc_73A7A6
; 

loc_73A77C:				; CODE XREF: AslpFileQueryExportName_Vb(x,x)+6Aj
					; AslpFileQueryExportName_Vb(x,x)+76j
		mov	esi, 0C000007Bh
		mov	[ebp+var_1C], esi
		push	offset ??_C@_0FJ@OHHJCKPF@Export?5directory?5pointer?5invali@NNGAKEGL@
		push	111Ah
		jmp	short loc_73A7A6
; 

loc_73A790:				; CODE XREF: AslpFileQueryExportName_Vb(x,x)+55j
					; AslpFileQueryExportName_Vb(x,x)+5Fj
		mov	esi, 0C0000225h
		mov	[ebp+var_1C], esi
		test	edx, edx
		jz	short loc_73A7E8
		push	(offset	loc_8C5E6F+1)
		push	110Ch

loc_73A7A6:				; CODE XREF: AslpFileQueryExportName_Vb(x,x)+E0j
					; AslpFileQueryExportName_Vb(x,x)+F4j
		push	offset ??_C@_0BL@NLHJLBPA@AslpFileQueryExportName_Vb@NNGAKEGL@
		push	2
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_73A7E8
; 

loc_73A7B7:				; DATA XREF: .text:006AAD14o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_73A7C5:				; DATA XREF: .text:006AAD18o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_28]
		mov	[ebp+var_1C], esi
		push	esi
		push	(offset	loc_8C4D43+3)
		push	1137h

loc_73A7D9:				; CODE XREF: AslpFileQueryExportName_Vb(x,x)+39j
					; AslpFileQueryExportName_Vb(x,x)+C2j
		push	offset ??_C@_0BL@NLHJLBPA@AslpFileQueryExportName_Vb@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_73A7E8:				; CODE XREF: AslpFileQueryExportName_Vb(x,x)+C9j
					; AslpFileQueryExportName_Vb(x,x)+100j	...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileQueryExportName_Vb@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepProbeAndInsertTailList(x,	x)
_AuthzBasepProbeAndInsertTailList@8 proc near
					; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)+167p
					; AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+C2p

ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6AAE00
		call	__SEH_prolog4
		mov	esi, edx
		mov	edi, ecx
		mov	ebx, [edi+4]
		cmp	edi, ds:_MmHighestUserAddress
		ja	short loc_73A832
		and	[ebp+ms_exc.disabled], 0
		push	4
		push	8
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_73A832:				; CODE XREF: AuthzBasepProbeAndInsertTailList(x,x)+19j
		mov	[esi], edi
		mov	[esi+4], ebx
		mov	[ebx], esi
		mov	[edi+4], esi
		xor	eax, eax

loc_73A83E:				; CODE XREF: sub_73A85C+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AuthzBasepProbeAndInsertTailList@8 endp


;  S U B	R O U T	I N E 


sub_73A84E	proc near		; DATA XREF: .text:006AAE14o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_73A84E	endp


;  S U B	R O U T	I N E 


sub_73A85C	proc near		; DATA XREF: .text:006AAE18o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	short loc_73A83E
sub_73A85C	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpCleanupNamespace proc near		; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+E6p
					; VrpJobContextDelete(x)+11p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CA281 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	esi, esi
		mov	dword ptr [ebx+34h], 1
		lea	edi, [ebx+18h]

loc_73A88C:				; CODE XREF: VrpCleanupNamespace+56j
		mov	eax, [ebx+20h]
		test	eax, eax
		jz	loc_8CA281
		mov	edx, esi
		test	eax, eax
		jz	short loc_73A8BD
		push	esi
		push	esi
		lea	ecx, [esp+20h+var_8]
		mov	[esp+20h+var_8], esi
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_73A90B
		mov	ecx, [ebx+2Ch]
		mov	edx, [esp+18h+var_8]
		add	edx, ecx
		cmp	edx, ecx
		jb	short loc_73A90B

loc_73A8BD:				; CODE XREF: VrpCleanupNamespace+2Bj
					; VrpCleanupNamespace+9Dj
		mov	edx, [edx]
		mov	ecx, ebx
		call	VrpDestroyNamespaceNode
		jmp	short loc_73A88C
; 

loc_73A8C8:				; CODE XREF: VrpCleanupNamespace+92j
					; VrpCleanupNamespace+18FA2Aj
		mov	esi, [ebx+14h]
		test	esi, esi
		jz	short loc_73A904
		mov	eax, [esi]
		lea	ecx, [esp+18h+var_8]
		and	[esp+18h+var_8], 0
		mov	[ebx+14h], eax
		lea	eax, [esi+6]
		mov	[esp+18h+var_4], eax
		mov	ax, [esi+4]
		mov	word ptr [esp+18h+var_8+2], ax
		mov	word ptr [esp+18h+var_8], ax
		call	VrpUnloadDifferencingHive
		push	67655256h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_73A8C8
; 

loc_73A904:				; CODE XREF: VrpCleanupNamespace+5Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_73A90B:				; CODE XREF: VrpCleanupNamespace+3Ej
					; VrpCleanupNamespace+4Bj
		mov	edx, esi
		jmp	short loc_73A8BD
VrpCleanupNamespace endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpUnloadDifferencingHive proc near	; CODE XREF: VrpCleanupNamespace+82p
					; VrpHandleIoctlLoadDifferencingHive+18D561p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 008CA29F SIZE 00000062 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_1C]
		push	6
		pop	ecx
		rep stosd
		mov	ecx, ebx
		call	_VrpFindDiffHiveEntryForMountPoint@4 ; VrpFindDiffHiveEntryForMountPoint(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8CA29F
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	edi, [esi+0Ch]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		sub	dword ptr [esi+10h], 1
		push	0FFFFFFFFh
		pop	eax
		jnz	loc_73AA22
		mov	ecx, esi
		call	VrpDereferenceDiffHiveEntryUnsafe
		mov	ecx, esi
		call	_VrpBecomeDiffHiveEntryTransitionOwner@4 ; VrpBecomeDiffHiveEntryTransitionOwner(x)
		and	dword ptr [esi+1Ch], 0FFFFFFFEh
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_1], al
		lock xadd [edi], ecx
		test	cl, 2
		jnz	loc_8CA2A9

loc_73A984:				; CODE XREF: VrpUnloadDifferencingHive+18F99Cj
					; VrpUnloadDifferencingHive+18F9A9j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax
		mov	[ebp+var_1C], 18h
		mov	[ebp+var_18], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_1C]
		push	eax
		mov	[ebp+var_10], 240h
		mov	[ebp+var_14], ebx
		call	_ZwUnloadKey@4	; ZwUnloadKey(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8CA2BE

loc_73A9C6:				; CODE XREF: VrpUnloadDifferencingHive+18F9BBj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		test	ebx, ebx
		js	loc_8CA2D0

loc_73A9E5:				; CODE XREF: VrpUnloadDifferencingHive+18F9CBj
					; VrpUnloadDifferencingHive+18F9D8j
		cmp	[ebp+var_1], 0
		jz	short loc_73A9F2
		mov	ecx, esi
		call	_VrpRelinquishDiffHiveEntryTransitionOwner@4 ; VrpRelinquishDiffHiveEntryTransitionOwner(x)

loc_73A9F2:				; CODE XREF: VrpUnloadDifferencingHive+D9j
		or	eax, 0FFFFFFFFh

loc_73A9F5:				; CODE XREF: VrpUnloadDifferencingHive+114j
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_8CA2ED

loc_73AA01:				; CODE XREF: VrpUnloadDifferencingHive+18F9DFj
					; VrpUnloadDifferencingHive+18F9ECj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, esi
		call	VrpDereferenceDiffHiveEntry

loc_73AA1B:				; CODE XREF: VrpUnloadDifferencingHive+18F994j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_73AA22:				; CODE XREF: VrpUnloadDifferencingHive+49j
		xor	ebx, ebx
		jmp	short loc_73A9F5
VrpUnloadDifferencingHive endp


;  S U B	R O U T	I N E 


VrpDereferenceDiffHiveEntryUnsafe proc near ; CODE XREF: VrpUnloadDifferencingHive+51p
					; VrpDecrementDiffHiveEntryHardRefCount(x)+Ep

; FUNCTION CHUNK AT 008CA301 SIZE 00000021 BYTES

		mov	edi, edi
		push	esi
		lea	esi, [ecx+8]
		mov	ecx, [esi]
		lea	edx, [ecx-1]

loc_73AA31:				; CODE XREF: VrpDereferenceDiffHiveEntryUnsafe+24j
		test	edx, edx
		jle	loc_8CA301
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	edx, eax
		cmp	edx, ecx
		jnz	short loc_73AA47
		pop	esi
		retn
; 

loc_73AA47:				; CODE XREF: VrpDereferenceDiffHiveEntryUnsafe+1Dj
		mov	ecx, edx
		dec	edx
		jmp	short loc_73AA31
VrpDereferenceDiffHiveEntryUnsafe endp


;  S U B	R O U T	I N E 


VrpDereferenceDiffHiveEntry proc near	; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+2C0p
					; VrpUnloadDifferencingHive+106p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebx+8]
		mov	esi, [edi]
		lea	edx, [esi-1]

loc_73AA5B:				; CODE XREF: VrpDereferenceDiffHiveEntryUnsafe+18F8F3j
		test	edx, edx
		jz	short loc_73AA6A
		jg	loc_8CA30A
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_73AA6A:				; CODE XREF: VrpDereferenceDiffHiveEntry+11j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _gLoadedDiffHivesLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, ebx
		call	VrpDereferenceDiffHiveEntryWithLock
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
VrpDereferenceDiffHiveEntry endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpDereferenceDiffHiveEntryWithLock proc near ;	CODE XREF: VrpDereferenceDiffHiveEntry+3Cp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CA322 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		or	edx, 0FFFFFFFFh
		push	edi
		mov	edi, ecx
		mov	eax, edx
		lock xadd [edi+8], eax
		dec	eax
		test	eax, eax
		jg	loc_73AB45
		jnz	loc_8CA322
		push	esi
		mov	esi, dword_6CDC94
		mov	ecx, esi
		and	ecx, 1Fh
		shr	esi, 5
		shl	edx, cl
		and	edx, [edi+4]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_4], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	edx, ecx, 25h
		lea	ecx, [esi-1]
		mov	esi, 80000002h
		add	edx, eax
		mov	eax, dword_6CDC98
		and	ecx, edx
		xor	edx, edx
		lea	ecx, [eax+ecx*4]
		mov	eax, [edi]
		and	eax, esi
		cmp	eax, esi
		jnz	short loc_73AB1F
		mov	eax, [edx]

loc_73AB1F:				; CODE XREF: VrpDereferenceDiffHiveEntryWithLock+75j
					; VrpDereferenceDiffHiveEntryWithLock+85j
		mov	eax, [ecx]
		test	al, 1
		jnz	short loc_73AB48
		cmp	eax, edi
		jz	short loc_73AB2D
		mov	ecx, eax
		jmp	short loc_73AB1F
; 

loc_73AB2D:				; CODE XREF: VrpDereferenceDiffHiveEntryWithLock+81j
		mov	eax, [edi]
		mov	[ecx], eax
		dec	_gLoadedDiffHives
		or	[edi], esi

loc_73AB39:				; CODE XREF: VrpDereferenceDiffHiveEntryWithLock+A4j
		push	67655256h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi

loc_73AB45:				; CODE XREF: VrpDereferenceDiffHiveEntryWithLock+16j
					; VrpDereferenceDiffHiveEntryWithLock+18F881j
		pop	edi
		leave
		retn
; 

loc_73AB48:				; CODE XREF: VrpDereferenceDiffHiveEntryWithLock+7Dj
		mov	eax, [edx]
		jmp	short loc_73AB39
VrpDereferenceDiffHiveEntryWithLock endp


;  S U B	R O U T	I N E 


; __stdcall VrpRelinquishDiffHiveEntryTransitionOwner(x)
_VrpRelinquishDiffHiveEntryTransitionOwner@4 proc near
					; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+2A7p
					; VrpUnloadDifferencingHive+DDp
		mov	edi, edi
		push	esi
		lea	esi, [ecx+14h]
		xor	edx, edx
		and	dword ptr [esi], 0
		add	ecx, 18h
		push	0
		call	KeWakeWaitChain
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_VrpRelinquishDiffHiveEntryTransitionOwner@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall VrpBecomeDiffHiveEntryTransitionOwner(x)
_VrpBecomeDiffHiveEntryTransitionOwner@4 proc near
					; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+18Dp
					; VrpUnloadDifferencingHive+58p
		mov	edi, edi
		push	ecx
		add	ecx, 14h
		cmp	dword ptr [ecx], 0
		jnz	short loc_73ABAC
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		xor	edx, edx
		push	0
		mov	[ecx], eax
		call	KeAbPreAcquire
		test	eax, eax
		jz	short loc_73ABA8
		or	byte ptr [eax+0Eh], 1

loc_73ABA8:				; CODE XREF: VrpBecomeDiffHiveEntryTransitionOwner(x)+2Cj
		mov	al, 1
		pop	ecx
		retn
; 

loc_73ABAC:				; CODE XREF: VrpBecomeDiffHiveEntryTransitionOwner(x)+9j
		xor	al, al
		pop	ecx
		retn
_VrpBecomeDiffHiveEntryTransitionOwner@4 endp


;  S U B	R O U T	I N E 


; __stdcall VrpFindDiffHiveEntryForMountPoint(x)
_VrpFindDiffHiveEntryForMountPoint@4 proc near ; CODE XREF: VrpUnloadDifferencingHive+19p
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _gLoadedDiffHivesLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	ecx, esi
		call	VrpFindDiffHiveEntryForMountPointWithLock
		mov	esi, eax
		test	esi, esi
		jz	short loc_73ABEB
		xor	edx, edx
		inc	edx
		lock xadd [esi+8], edx
		inc	edx
		cmp	edx, 1
		jle	short loc_73AC05

loc_73ABEB:				; CODE XREF: VrpFindDiffHiveEntryForMountPoint(x)+2Bj
					; VrpFindDiffHiveEntryForMountPoint(x)+5Aj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_73AC05:				; CODE XREF: VrpFindDiffHiveEntryForMountPoint(x)+39j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_73ABEB
_VrpFindDiffHiveEntryForMountPoint@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpFindDiffHiveEntryForMountPointWithLock proc near
					; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+A1p
					; VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+F2p	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CA32C SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ecx
		push	ebx
		push	esi
		mov	[ebp+var_C], eax
		mov	ebx, 4CB2Fh
		mov	esi, [eax+4]
		movzx	eax, word ptr [eax]
		shr	eax, 1
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], ebx
		mov	[ebp+var_14], edi
		lea	eax, [esi+eax*2]
		mov	[ebp+var_10], edi
		cmp	esi, eax
		jnb	short loc_73AC65
		mov	edi, eax

loc_73AC3D:				; CODE XREF: VrpFindDiffHiveEntryForMountPointWithLock+52j
		movzx	eax, word ptr [esi]
		push	eax
		call	_RtlUpcaseUnicodeChar@4	; RtlUpcaseUnicodeChar(x)
		imul	ecx, ebx, 25h
		add	esi, 2
		movzx	edx, ax
		movzx	eax, dl
		add	ecx, eax
		movzx	eax, dh
		imul	ebx, ecx, 25h
		add	ebx, eax
		cmp	esi, edi
		jb	short loc_73AC3D
		mov	[ebp+var_4], ebx
		xor	edi, edi

loc_73AC65:				; CODE XREF: VrpFindDiffHiveEntryForMountPointWithLock+2Dj
		mov	esi, dword_6CDC94
		or	eax, 0FFFFFFFFh
		mov	ecx, esi
		shr	esi, 5
		and	ecx, 1Fh
		shl	eax, cl
		mov	ebx, eax
		mov	[ebp+var_8], eax
		and	ebx, [ebp+var_4]
		mov	[ebp+var_4], ebx
		test	esi, esi
		jz	short loc_73ACD0
		movzx	eax, bl
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		movzx	eax, bh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	edx, ecx, 25h
		lea	ecx, [esi-1]
		add	edx, eax
		mov	eax, dword_6CDC98
		and	ecx, edx
		lea	esi, [eax+ecx*4]
		mov	ecx, [ebp+var_8]

loc_73ACB9:				; CODE XREF: VrpFindDiffHiveEntryForMountPointWithLock+BEj
		mov	esi, [esi]
		test	esi, 1
		jnz	short loc_73AD07
		mov	eax, [esi+4]
		and	eax, ecx
		cmp	ebx, eax
		jnz	short loc_73ACB9

loc_73ACCC:				; CODE XREF: VrpFindDiffHiveEntryForMountPointWithLock+FDj
					; VrpFindDiffHiveEntryForMountPointWithLock+18F735j
		test	esi, esi
		jnz	short loc_73ACD7

loc_73ACD0:				; CODE XREF: VrpFindDiffHiveEntryForMountPointWithLock+79j
					; VrpFindDiffHiveEntryForMountPointWithLock+F1j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_73ACD7:				; CODE XREF: VrpFindDiffHiveEntryForMountPointWithLock+C2j
		lea	eax, [esi+28h]
		mov	[ebp+var_10], eax
		mov	ax, [esi+24h]
		mov	word ptr [ebp+var_14], ax
		mov	word ptr [ebp+var_14+2], ax
		lea	eax, [ebp+var_14]
		push	1
		push	eax
		push	[ebp+var_C]
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_73ACFF
		mov	edi, esi
		jmp	short loc_73ACD0
; 

loc_73ACFF:				; CODE XREF: VrpFindDiffHiveEntryForMountPointWithLock+EDj
		mov	ecx, [ebp+var_8]
		jmp	loc_8CA32C
; 

loc_73AD07:				; CODE XREF: VrpFindDiffHiveEntryForMountPointWithLock+B5j
					; VrpFindDiffHiveEntryForMountPointWithLock+18F728j
		mov	esi, edi
		jmp	short loc_73ACCC
VrpFindDiffHiveEntryForMountPointWithLock endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpFindBestMatchNamespaceNode(x, x,	x)
_VrpFindBestMatchNamespaceNode@12 proc near ; CODE XREF: VrpCreateNamespaceNode+17Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_0]
		push	0
		push	1
		call	VrpFindNamespaceNode
		pop	ecx
		pop	ebp
		retn	4
_VrpFindBestMatchNamespaceNode@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpHandleIoctlUnloadDynamicallyLoadedHives proc	near
					; CODE XREF: VrpIoctlDeviceDispatch+118p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CA349 SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		push	esi
		push	edi
		cmp	edx, 4
		jb	loc_8CA349
		push	ebx
		lea	eax, [ebp+var_4]
		push	eax
		push	52566D43h
		push	[ebp+arg_0]
		push	ds:_PsJobType
		push	6
		push	dword ptr [ecx]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_73AE18
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_4]
		call	_PsGetJobSilo@8	; PsGetJobSilo(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_73AE18
		mov	ecx, large fs:124h
		mov	edx, [ebp+var_8]
		call	PsIsThreadInSilo
		test	al, al
		jnz	loc_8CA353
		lea	eax, [ebp+var_C]
		push	eax
		push	_VrpSiloContextSlot
		push	edx
		call	PsGetPermanentSiloContext
		mov	esi, eax
		test	esi, esi
		js	loc_8CA35D
		mov	edi, [ebp+var_C]
		mov	ecx, edi
		call	_VrpLockJobContextExclusive@4 ;	VrpLockJobContextExclusive(x)
		cmp	[edi+34h], ebx
		jnz	loc_8CA370
		mov	esi, [edi+20h]
		test	esi, esi
		jz	short loc_73AE08

loc_73ADCA:				; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+E2j
		xor	eax, eax
		cmp	ebx, esi
		jnb	short loc_73ADF4
		and	[ebp+arg_0], eax
		lea	ecx, [ebp+arg_0]
		mov	eax, [edi+1Ch]
		mul	ebx
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_73ADF2
		mov	ecx, [edi+2Ch]
		mov	eax, [ebp+arg_0]
		add	eax, ecx
		cmp	eax, ecx
		jnb	short loc_73ADF4

loc_73ADF2:				; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+C0j
		xor	eax, eax

loc_73ADF4:				; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+AAj
					; VrpHandleIoctlUnloadDynamicallyLoadedHives+CCj
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		cmp	dword ptr [eax+1Ch], 0
		jl	loc_8CA381
		inc	ebx

loc_73AE04:				; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+18F695j
		cmp	ebx, esi
		jb	short loc_73ADCA

loc_73AE08:				; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+A4j
		mov	ecx, edi
		call	VrpCleanupNamespace
		mov	ecx, edi
		call	VrpUnlockJobContextExclusive
		xor	esi, esi

loc_73AE18:				; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+3Fj
					; VrpHandleIoctlUnloadDynamicallyLoadedHives+55j ...
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_73AE29
		mov	edx, 52566D43h
		call	ObfDereferenceObjectWithTag

loc_73AE29:				; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+F9j
					; VrpHandleIoctlUnloadDynamicallyLoadedHives+18F62Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
VrpHandleIoctlUnloadDynamicallyLoadedHives endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpAddNamespaceNodeToList proc near	; CODE XREF: VrpHandleIoctlCreateNamespaceNode+1ACp
					; VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+20Cp	...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CA3BE SIZE 00000226 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_8], 0
		mov	eax, edx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1C], eax
		push	edi
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, esi
		call	_VrpFindExactNamespaceNode@12 ;	VrpFindExactNamespaceNode(x,x,x)
		test	eax, eax
		jnz	loc_8CA3BE
		mov	ebx, [esi+20h]
		mov	edi, 8000000Bh
		and	[ebp+var_18], eax
		mov	ecx, [esi+24h]
		mov	[ebp+var_C], ebx
		cmp	[ebp+var_8], ebx
		jnb	loc_8CA3C8
		cmp	ebx, ecx
		jnb	loc_8CA4F7

loc_73AE7D:				; CODE XREF: VrpAddNamespaceNodeToList+18F7ADj
		mov	eax, [esi+1Ch]
		lea	ecx, [ebp+var_14]
		and	[ebp+var_14], 0
		mov	[ebp+var_10], eax
		mul	[ebp+var_8]
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_73AECC
		mov	ebx, [esi+2Ch]
		mov	eax, [ebp+var_14]
		add	eax, ebx
		mov	[ebp+var_C], eax
		cmp	eax, ebx
		jb	short loc_73AECC
		and	[ebp+var_14], 0
		lea	ecx, [ebp+var_14]
		mov	eax, [ebp+var_8]
		inc	eax
		mul	[ebp+var_10]
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_73AECC
		mov	eax, [ebp+var_14]
		add	eax, ebx
		mov	[ebp+var_14], eax
		cmp	eax, ebx
		jnb	short loc_73AED0

loc_73AECC:				; CODE XREF: VrpAddNamespaceNodeToList+64j
					; VrpAddNamespaceNodeToList+73j ...
		mov	eax, edi
		jmp	short loc_73AF03
; 

loc_73AED0:				; CODE XREF: VrpAddNamespaceNodeToList+98j
		mov	eax, [esi+20h]
		lea	ecx, [ebp+var_18]
		sub	eax, [ebp+var_8]
		mul	[ebp+var_10]
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_73AECC
		push	[ebp+var_18]	; size_t
		mov	edi, [ebp+var_C]
		push	edi		; void *
		push	[ebp+var_14]	; void *
		call	_memmove
		mov	ecx, [ebp+var_1C]
		add	esp, 0Ch
		mov	[edi], ecx

loc_73AEFE:				; CODE XREF: VrpAddNamespaceNodeToList+18F6C0j
		inc	dword ptr [esi+20h]
		xor	eax, eax

loc_73AF03:				; CODE XREF: VrpAddNamespaceNodeToList+9Cj
					; VrpAddNamespaceNodeToList+18F591j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
VrpAddNamespaceNodeToList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpIoctlDeviceDispatch proc near	; DATA XREF: VRegSetup+C8o

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CA5E4 SIZE 000001BA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		push	ebx
		xor	eax, eax
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		lea	edi, [esp+68h+var_58]
		stosd
		lea	ecx, [esp+68h+var_5C]
		and	dword ptr [ebx+1Ch], 0
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+68h+var_48]
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebx+60h]
		mov	esi, [edi+0Ch]
		call	VRegEnabledInJob
		test	eax, eax
		jnz	loc_8CA5E4

loc_73AF53:				; CODE XREF: VrpIoctlDeviceDispatch+18F6E3j
		lea	eax, [esp+68h+var_48]
		push	eax
		push	1
		call	EtwActivityIdControl
		mov	eax, dword_6B2370
		push	4
		pop	ecx
		cmp	eax, ecx
		ja	loc_8CA643

loc_73AF6F:				; CODE XREF: VrpIoctlDeviceDispatch+18F77Dj
		mov	edx, 220014h
		cmp	esi, edx
		ja	loc_73B006
		jz	loc_8CA6A6
		sub	esi, 220004h
		jz	short loc_73AFF1
		sub	esi, ecx
		jz	short loc_73AFDC
		sub	esi, ecx
		jnz	loc_8CA68A
		movzx	eax, byte ptr [ebx+20h]
		sub	esp, 0Ch
		mov	edx, [edi+8]
		mov	ecx, [ebx+0Ch]
		push	eax
		call	VrpHandleIoctlCreateNamespaceNode

loc_73AFA9:				; CODE XREF: VrpIoctlDeviceDispatch+E7j
					; VrpIoctlDeviceDispatch+FCj ...
		mov	edi, eax

loc_73AFAB:				; CODE XREF: VrpIoctlDeviceDispatch+18F6F5j
					; VrpIoctlDeviceDispatch+18F736j ...
		xor	dl, dl
		mov	[ebx+18h], edi
		mov	ecx, ebx
		call	IofCompleteRequest
		push	4
		pop	ecx
		cmp	dword_6B2370, ecx
		ja	loc_8CA762

loc_73AFC6:				; CODE XREF: VrpIoctlDeviceDispatch+18F891j
		mov	ecx, [esp+68h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_73AFDC:				; CODE XREF: VrpIoctlDeviceDispatch+84j
		movzx	eax, byte ptr [ebx+20h]
		sub	esp, 0Ch
		mov	edx, [edi+8]
		mov	ecx, [ebx+0Ch]
		push	eax
		call	VrpHandleIoctlLoadDifferencingHive
		jmp	short loc_73AFA9
; 

loc_73AFF1:				; CODE XREF: VrpIoctlDeviceDispatch+80j
		movzx	eax, byte ptr [ebx+20h]
		sub	esp, 0Ch
		mov	edx, [edi+8]
		mov	ecx, [ebx+0Ch]
		push	eax
		call	_VrpHandleIoctlInitializeJobForVreg@24 ; VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)
		jmp	short loc_73AFA9
; 

loc_73B006:				; CODE XREF: VrpIoctlDeviceDispatch+6Ej
		sub	esi, 220018h
		jnz	loc_8CA6BE
		movzx	eax, byte ptr [ebx+20h]
		sub	esp, 0Ch
		mov	edx, [edi+8]
		mov	ecx, [ebx+0Ch]
		push	eax
		call	VrpHandleIoctlUnloadDynamicallyLoadedHives
		jmp	short loc_73AFA9
VrpIoctlDeviceDispatch endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpDestroyNamespaceNode	proc near	; CODE XREF: VrpCleanupNamespace+51p
					; VrpHandleIoctlUnloadDynamicallyLoadedHives+18F68Dp ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CA79E SIZE 0000013A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		push	eax
		mov	ebx, edx
		mov	esi, ecx
		xor	edi, edi
		call	_VrpFindExactNamespaceNode@12 ;	VrpFindExactNamespaceNode(x,x,x)
		cmp	eax, ebx
		jnz	loc_73B0DC
		mov	eax, [esi+20h]
		mov	edi, [ebp+var_4]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], 1
		cmp	edi, eax
		jnb	short loc_73B0D9
		mov	eax, [esi+1Ch]
		lea	ecx, [ebp+var_C]
		and	[ebp+var_C], 0
		mov	[ebp+var_14], eax
		mul	edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_73B0D9
		mov	ecx, [esi+2Ch]
		mov	eax, [ebp+var_C]
		add	eax, ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], eax
		cmp	eax, ecx
		jb	short loc_73B0D9
		mov	eax, [ebp+var_10]
		sub	eax, edi
		lea	edi, [eax-1]
		mov	[ebp+var_10], edi
		test	edi, edi
		jz	loc_73B186
		mov	eax, edi
		lea	ecx, [ebp+var_10]
		mov	edi, [ebp+var_14]
		mul	edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_73B0D9
		and	[ebp+var_C], 0
		lea	ecx, [ebp+var_C]
		mov	eax, [ebp+var_4]
		inc	eax
		mul	edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_73B0D9
		mov	eax, [ebp+var_C]
		add	eax, [ebp+var_1C]
		cmp	eax, [ebp+var_1C]
		jnb	short loc_73B138

loc_73B0D9:				; CODE XREF: VrpDestroyNamespaceNode+38j
					; VrpDestroyNamespaceNode+52j ...
		mov	edi, [ebp+var_8]

loc_73B0DC:				; CODE XREF: VrpDestroyNamespaceNode+20j
		mov	eax, [ebx+1Ch]
		mov	ecx, 0C0000000h
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_8CA87B

loc_73B0EE:				; CODE XREF: VrpDestroyNamespaceNode+18F889j
					; VrpDestroyNamespaceNode+18F89Fj
		mov	eax, [ebx+8]
		mov	esi, 67655256h
		test	eax, eax
		jnz	loc_8CA8CC

loc_73B0FE:				; CODE XREF: VrpDestroyNamespaceNode+18F8ABj
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_73B10C
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_73B10C:				; CODE XREF: VrpDestroyNamespaceNode+DBj
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	short loc_73B11A
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_73B11A:				; CODE XREF: VrpDestroyNamespaceNode+E9j
		mov	ecx, [ebx+18h]
		test	ecx, ecx
		jnz	short loc_73B12F

loc_73B121:				; CODE XREF: VrpDestroyNamespaceNode+10Ej
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_73B12F:				; CODE XREF: VrpDestroyNamespaceNode+F7j
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_73B121
; 

loc_73B138:				; CODE XREF: VrpDestroyNamespaceNode+AFj
		mov	edi, [ebp+var_10]
		push	edi		; size_t
		push	eax		; void *
		push	[ebp+var_18]	; void *
		call	_memmove
		mov	eax, [esi+1Ch]
		add	esp, 0Ch

loc_73B14B:				; CODE XREF: VrpDestroyNamespaceNode+161j
		push	eax		; size_t
		mov	eax, [ebp+var_18]
		add	eax, edi
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		dec	dword ptr [esi+20h]
		mov	edx, [esi+20h]
		cmp	edx, 10h
		jbe	loc_73B0D9
		mov	edi, [esi+1Ch]
		mov	eax, edi
		mov	ecx, [esi+24h]
		imul	eax, ecx
		cmp	eax, 400h
		jb	loc_73B0D9
		jmp	loc_8CA79E
; 

loc_73B186:				; CODE XREF: VrpDestroyNamespaceNode+73j
		mov	eax, [ebp+var_14]
		jmp	short loc_73B14B
VrpDestroyNamespaceNode	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpCreateNamespaceNode proc near	; CODE XREF: VrpHandleIoctlCreateNamespaceNode+195p
					; VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+1D1p	...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008CA8D8 SIZE 0000007A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ecx
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ecx
		cmp	[eax+34h], ecx
		jnz	loc_8CA8D8
		mov	eax, [ebp+arg_8]
		and	eax, 0E0000007h
		cmp	eax, [ebp+arg_8]
		jnz	loc_8CA8E2
		mov	ecx, esi
		call	_VrpStripTrailingCharacters@8 ;	VrpStripTrailingCharacters(x,x)
		mov	ecx, [ebp+arg_4]
		call	_VrpStripTrailingCharacters@8 ;	VrpStripTrailingCharacters(x,x)
		lea	eax, [ebp+var_1C]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_8]
		call	_VrpGetNextToken@12 ; VrpGetNextToken(x,x,x)
		push	1
		push	offset _VrpRegistryString
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	loc_8CA8E2
		lea	eax, [ebp+var_1C]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_8]
		call	_VrpGetNextToken@12 ; VrpGetNextToken(x,x,x)
		push	67655256h
		push	28h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8CA8EC
		xor	eax, eax
		mov	edi, ebx
		push	0Ah
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_8]
		mov	[ebx+1Ch], eax
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	short loc_73B240
		or	eax, 0FFFFFFFFh

loc_73B240:				; CODE XREF: VrpCreateNamespaceNode+AFj
		mov	[ebx+20h], eax
		movzx	eax, word ptr [esi+2]
		push	67655256h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebx+4], ecx
		test	ecx, ecx
		jz	loc_8CA8F6
		movzx	eax, word ptr [esi]
		mov	[ebx+2], ax
		mov	[ebx], ax
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		push	ecx		; void *
		call	_memcpy
		mov	edi, [ebp+arg_4]
		add	esp, 0Ch
		movzx	eax, word ptr [edi+2]
		push	67655256h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebx+10h], ecx
		test	ecx, ecx
		jz	loc_8CA8F6
		movzx	eax, word ptr [edi]
		mov	[ebx+0Ch], ax
		mov	[ebx+0Eh], ax
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, ebx
		call	_VrpCountPathComponents@4 ; VrpCountPathComponents(x)
		lea	ecx, [ebx+0Ch]
		mov	[ebx+24h], ax
		call	_VrpCountPathComponents@4 ; VrpCountPathComponents(x)
		mov	[ebx+26h], ax
		lea	edx, [ebp+var_8]
		lea	eax, [ebp+var_1C]
		mov	ecx, esi
		push	eax
		call	_VrpGetNextToken@12 ; VrpGetNextToken(x,x,x)
		cmp	word ptr [ebp+var_1C], 0
		ja	short loc_73B301

loc_73B2E3:				; CODE XREF: VrpCreateNamespaceNode+1E5j
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	loc_8CA941

loc_73B2EE:				; CODE XREF: VrpCreateNamespaceNode+18F7C1j
		mov	eax, [ebp+arg_10]
		mov	[ebx+8], esi
		xor	esi, esi
		mov	[eax], ebx

loc_73B2F8:				; CODE XREF: VrpCreateNamespaceNode+18F751j
					; VrpCreateNamespaceNode+18F75Bj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_73B301:				; CODE XREF: VrpCreateNamespaceNode+155j
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_C]
		push	eax
		mov	edx, ebx
		call	_VrpFindBestMatchNamespaceNode@12 ; VrpFindBestMatchNamespaceNode(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_73B37C
		mov	eax, [edi+1Ch]
		test	al, 4
		jnz	short loc_73B37C
		mov	esi, [ebp+var_C]
		and	eax, 2
		or	[ebx+1Ch], eax
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		test	esi, esi
		jz	short loc_73B344

loc_73B32E:				; CODE XREF: VrpCreateNamespaceNode+1B3j
		lea	eax, [ebp+var_1C]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_8]
		call	_VrpGetNextToken@12 ; VrpGetNextToken(x,x,x)
		sub	esi, 1
		jnz	short loc_73B32E
		mov	ecx, [ebp+var_8]

loc_73B344:				; CODE XREF: VrpCreateNamespaceNode+1A0j
		mov	eax, [ebx+4]
		lea	edx, [ebp+var_24]
		lea	eax, [eax+ecx*2]
		mov	[ebp+var_20], eax
		lea	eax, [ecx+ecx]
		mov	cx, [ebx]
		sub	cx, ax
		lea	eax, [ebx+14h]
		mov	word ptr [ebp+var_24], cx
		mov	word ptr [ebp+var_24+2], cx
		lea	ecx, [edi+0Ch]
		push	eax
		call	_VrpBuildKeyPath@12 ; VrpBuildKeyPath(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_73B2E3
		jmp	loc_8CA8FB
; 

loc_73B37C:				; CODE XREF: VrpCreateNamespaceNode+187j
					; VrpCreateNamespaceNode+18Ej
		mov	esi, 0C000000Dh
		jmp	loc_8CA8FB
VrpCreateNamespaceNode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpFindExactNamespaceNode(x, x, x)
_VrpFindExactNamespaceNode@12 proc near	; CODE XREF: VrpAddNamespaceNodeToList+1Cp
					; VrpDestroyNamespaceNode+19p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	0
		push	[ebp+arg_0]
		push	0
		call	VrpFindNamespaceNode
		pop	ecx
		pop	ebp
		retn	4
_VrpFindExactNamespaceNode@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpPostEnumerateKey(x, x)
_VrpPostEnumerateKey@8 proc near	; CODE XREF: VrpRegistryCallback+1DCp

var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_F0		= dword	ptr -0F0h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h

		push	160h
		push	offset dword_6A00A0
		call	__SEH_prolog4_GS
		mov	eax, edx
		mov	[ebp+var_104], eax
		mov	ebx, ecx
		mov	[ebp+var_124], ebx
		mov	[ebp+var_14C], eax
		xor	esi, esi
		mov	[ebp+var_13C], esi
		mov	[ebp+var_138], esi
		mov	[ebp+var_134], esi
		mov	[ebp+var_130], esi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_170]
		rep stosd
		lea	edi, [ebp+var_100]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_100]
		push	eax
		push	3
		call	EtwActivityIdControl
		mov	[ebp+var_144], esi
		mov	[ebp+var_118], esi
		mov	eax, [ebx+14h]
		mov	[ebp+var_128], eax
		mov	[ebp+var_154], eax
		mov	[ebp+var_11C], esi
		mov	ebx, [ebx+8]
		mov	[ebp+var_158], ebx
		mov	[ebp+var_110], esi
		mov	[ebp+var_140], esi
		call	_PsGetCurrentThreadPreviousMode@0 ; PsGetCurrentThreadPreviousMode()
		mov	byte ptr [ebp+var_108],	al
		mov	[ebp+var_120], esi
		mov	[ebp+var_114], esi
		mov	ecx, [ebp+var_124]
		mov	edi, [ecx+4]
		mov	[ebp+var_12C], esi
		cmp	dword_6B2370, 5
		jbe	loc_73B511
		mov	eax, [ebx+8]
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_10C]
		mov	[ebp+var_D0], eax
		mov	[ebp+var_CC], esi
		mov	[ebp+var_C8], 4
		mov	[ebp+var_C4], esi
		mov	eax, [ebp+var_128]
		cmp	[eax+14h], esi
		jz	short loc_73B4A6
		add	eax, 10h
		jmp	short loc_73B4AB
; 

loc_73B4A6:				; CODE XREF: VrpPostEnumerateKey(x,x)+101j
		mov	eax, (offset loc_403A20+4)

loc_73B4AB:				; CODE XREF: VrpPostEnumerateKey(x,x)+106j
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		lea	edx, [ebp+var_A8]
		mov	[ebp+var_C0], edx
		mov	[ebp+var_BC], esi
		mov	[ebp+var_B8], 2
		mov	[ebp+var_B4], esi
		mov	[ebp+var_B0], eax
		mov	[ebp+var_AC], esi
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_A4], esi
		lea	eax, [ebp+var_F0]
		push	eax
		push	5
		push	esi
		lea	eax, [ebp+var_100]
		push	eax
		push	offset loc_41B0F4
		push	offset dword_6B2370
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	al, byte ptr [ebp+var_108]

loc_73B511:				; CODE XREF: VrpPostEnumerateKey(x,x)+C7j
		test	edi, edi
		jns	short loc_73B529
		cmp	edi, 0C0000023h
		jz	short loc_73B529
		cmp	edi, 80000005h
		jnz	loc_73B965

loc_73B529:				; CODE XREF: VrpPostEnumerateKey(x,x)+175j
					; VrpPostEnumerateKey(x,x)+17Dj
		lea	edx, [ebp+var_110]
		push	edx
		push	dword ptr [ebx+10h]
		mov	edx, [ebx+0Ch]
		mov	cl, al
		call	_VrpProcessBufferParameter@16 ;	VrpProcessBufferParameter(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_73B965
		lea	eax, [ebx+0Ch]
		push	eax		; int
		push	dword ptr [ebx+10h] ; size_t
		mov	edx, [ebp+var_110]
		mov	cl, byte ptr [ebp+var_108]
		call	VrpOutputBufferParameter
		mov	edi, eax
		test	edi, edi
		js	loc_73B965
		lea	ecx, [ebp+var_114]
		push	ecx
		push	4
		mov	edx, [ebx+14h]
		mov	cl, byte ptr [ebp+var_108]
		call	_VrpProcessBufferParameter@16 ;	VrpProcessBufferParameter(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_73B965
		lea	eax, [ebx+14h]
		push	eax		; int
		push	4		; size_t
		mov	edx, [ebp+var_114]
		mov	cl, byte ptr [ebp+var_108]
		call	VrpOutputBufferParameter
		mov	edi, eax
		test	edi, edi
		js	loc_73B965
		mov	edx, [ebp+var_124]
		cmp	byte ptr [ebp+var_108],	1
		jnz	short loc_73B5ED
		cmp	[edx+4], esi
		jl	short loc_73B5ED
		mov	eax, [ebx+8]
		mov	ecx, [ebp+var_110]
		test	eax, eax
		jnz	short loc_73B5DD
		mov	eax, [ebx+10h]
		sub	eax, 10h
		cmp	[ecx+0Ch], eax

loc_73B5D5:				; CODE XREF: VrpPostEnumerateKey(x,x)+24Dj
		ja	loc_73B965
		jmp	short loc_73B5F3
; 

loc_73B5DD:				; CODE XREF: VrpPostEnumerateKey(x,x)+22Cj
		cmp	eax, 1
		jnz	short loc_73B5F3
		mov	eax, [ebx+10h]
		sub	eax, 18h
		cmp	[ecx+14h], eax
		jmp	short loc_73B5D5
; 

loc_73B5ED:				; CODE XREF: VrpPostEnumerateKey(x,x)+21Aj
					; VrpPostEnumerateKey(x,x)+21Fj
		mov	ecx, [ebp+var_110]

loc_73B5F3:				; CODE XREF: VrpPostEnumerateKey(x,x)+23Dj
					; VrpPostEnumerateKey(x,x)+242j
		mov	eax, [edx+4]
		cmp	eax, 0C0000023h
		jz	short loc_73B60E
		cmp	eax, 80000005h
		jz	short loc_73B60E
		cmp	dword ptr [ebx+8], 2
		jnz	loc_73B6C4

loc_73B60E:				; CODE XREF: VrpPostEnumerateKey(x,x)+25Dj
					; VrpPostEnumerateKey(x,x)+264j
		lea	eax, [ebp+var_11C]
		push	eax
		push	[ebp+var_108]
		push	ds:_CmKeyObjectType
		push	0F003Fh
		push	esi
		push	240h
		push	dword ptr [ebx]
		call	ObOpenObjectByPointer
		mov	edi, eax
		test	edi, edi
		js	loc_73B965
		lea	eax, [ebp+var_120]
		push	eax
		push	esi
		push	esi
		push	esi
		push	dword ptr [ebx+4]
		push	[ebp+var_11C]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_73B667
		cmp	edi, 0C0000023h
		jnz	loc_73B965

loc_73B667:				; CODE XREF: VrpPostEnumerateKey(x,x)+2BBj
		push	67655256h
		push	[ebp+var_120]
		push	esi
		push	100h
		call	_ExAllocatePool2@16 ; ExAllocatePool2(x,x,x,x)
		mov	[ebp+var_10C], eax
		test	eax, eax
		jnz	short loc_73B691

loc_73B687:				; CODE XREF: VrpPostEnumerateKey(x,x)+49Dj
		mov	edi, 0C000009Ah
		jmp	loc_73B965
; 

loc_73B691:				; CODE XREF: VrpPostEnumerateKey(x,x)+2E7j
		mov	[ebp+var_144], eax
		lea	ecx, [ebp+var_120]
		push	ecx
		push	[ebp+var_120]
		push	eax
		push	esi
		push	dword ptr [ebx+4]
		push	[ebp+var_11C]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_73B965
		mov	ecx, [ebp+var_10C]

loc_73B6C4:				; CODE XREF: VrpPostEnumerateKey(x,x)+26Aj
		mov	eax, [ebx+8]
		test	eax, eax
		jz	short loc_73B6F9
		cmp	[ebp+var_144], esi
		jnz	short loc_73B6F9
		cmp	eax, 1
		jnz	short loc_73B6EF
		mov	ax, [ecx+14h]
		mov	word ptr [ebp+var_134+2], ax
		mov	word ptr [ebp+var_134],	ax
		lea	eax, [ecx+18h]
		jmp	short loc_73B70E
; 

loc_73B6EF:				; CODE XREF: VrpPostEnumerateKey(x,x)+338j
		mov	edi, 0C000000Dh
		jmp	loc_73B965
; 

loc_73B6F9:				; CODE XREF: VrpPostEnumerateKey(x,x)+32Bj
					; VrpPostEnumerateKey(x,x)+333j
		mov	ax, [ecx+0Ch]
		mov	word ptr [ebp+var_134+2], ax
		mov	word ptr [ebp+var_134],	ax
		lea	eax, [ecx+10h]

loc_73B70E:				; CODE XREF: VrpPostEnumerateKey(x,x)+34Fj
		mov	[ebp+var_130], eax
		lea	eax, [ebp+var_13C]
		push	eax
		mov	ecx, [ebp+var_128]
		add	ecx, 10h
		lea	edx, [ebp+var_134]
		call	_VrpBuildKeyPath@12 ; VrpBuildKeyPath(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_73B965
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+var_104]
		add	edi, 10h
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	[ebp+var_118], 1
		push	esi
		lea	edx, [ebp+var_13C]
		mov	ecx, [ebp+var_104]
		call	_VrpFindExactNamespaceNode@12 ;	VrpFindExactNamespaceNode(x,x,x)
		test	eax, eax
		jnz	short loc_73B780

loc_73B779:				; CODE XREF: VrpPostEnumerateKey(x,x)+42Bj
					; VrpPostEnumerateKey(x,x)+4E0j
		mov	edi, esi
		jmp	loc_73B965
; 

loc_73B780:				; CODE XREF: VrpPostEnumerateKey(x,x)+3D9j
		mov	[ebp+var_170], 18h
		mov	[ebp+var_16C], esi
		mov	[ebp+var_164], 240h
		add	eax, 0Ch
		mov	[ebp+var_168], eax
		mov	[ebp+var_160], esi
		mov	[ebp+var_15C], esi
		lea	eax, [ebp+var_170]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_12C]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_73B779
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_73B7E0
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_73B7E0:				; CODE XREF: VrpPostEnumerateKey(x,x)+439j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		nop
		add	word ptr [ecx+13Ch], 1
		jnz	short loc_73B80F
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_73B80F
		cmp	[ecx+13Eh], si
		jnz	short loc_73B80F
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_73B80F:				; CODE XREF: VrpPostEnumerateKey(x,x)+459j
					; VrpPostEnumerateKey(x,x)+461j ...
		mov	eax, esi
		mov	[ebp+var_118], eax
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	short loc_73B840
		push	67655256h
		push	eax
		push	esi
		push	100h
		call	_ExAllocatePool2@16 ; ExAllocatePool2(x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_140], ecx
		test	ecx, ecx
		jnz	short loc_73B842
		jmp	loc_73B687
; 

loc_73B840:				; CODE XREF: VrpPostEnumerateKey(x,x)+47Ej
		mov	ecx, esi

loc_73B842:				; CODE XREF: VrpPostEnumerateKey(x,x)+49Bj
		mov	[ebp+var_10C], ecx
		push	[ebp+var_114]
		push	dword ptr [ebx+10h]
		push	ecx
		push	dword ptr [ebx+8]
		push	[ebp+var_12C]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jnz	short loc_73B874
		mov	eax, esi
		mov	[ebp+var_10C], eax
		jmp	short loc_73B88A
; 

loc_73B874:				; CODE XREF: VrpPostEnumerateKey(x,x)+4CAj
		test	edi, edi
		jns	short loc_73B884
		cmp	edi, 80000005h
		jnz	loc_73B779

loc_73B884:				; CODE XREF: VrpPostEnumerateKey(x,x)+4D8j
		mov	eax, [ebp+var_10C]

loc_73B88A:				; CODE XREF: VrpPostEnumerateKey(x,x)+4D4j
		mov	ecx, [ebx+8]
		cmp	ecx, 2
		jz	short loc_73B8C4
		push	esi		; size_t
		lea	edx, [ebp+var_13C]
		push	edx		; int
		push	[ebp+var_114]	; int
		push	dword ptr [ebx+10h] ; int
		mov	edx, eax
		call	_VrpUpdateKeyInformation@24 ; VrpUpdateKeyInformation(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_73B8C4
		cmp	edi, 80000005h
		jz	short loc_73B8F3
		cmp	edi, 0C0000023h
		jnz	loc_73B965

loc_73B8C4:				; CODE XREF: VrpPostEnumerateKey(x,x)+4F2j
					; VrpPostEnumerateKey(x,x)+510j
		cmp	edi, 80000005h
		jz	short loc_73B8F3
		cmp	edi, 0C0000023h
		jz	short loc_73B8F3
		mov	[ebp+ms_exc.disabled], esi
		push	dword ptr [ebx+10h] ; size_t
		mov	eax, [ebp+var_10C]
		push	eax		; void *
		push	dword ptr [ebx+0Ch] ; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_73B8F3:				; CODE XREF: VrpPostEnumerateKey(x,x)+518j
					; VrpPostEnumerateKey(x,x)+52Cj ...
		lea	eax, [ebp+var_114]
		push	eax		; int
		push	4		; size_t
		mov	edx, [ebx+14h]
		mov	cl, byte ptr [ebp+var_108]
		call	VrpOutputBufferParameter
		test	eax, eax
		jns	short loc_73B957
		mov	edi, eax
		jmp	short loc_73B965
; 

loc_73B912:				; DATA XREF: .text:006A00B4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_150], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_73B923:				; DATA XREF: .text:006A00B8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_150]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	esi, esi
		mov	eax, esi
		mov	[ebp+var_118], eax
		mov	eax, [ebp+var_154]
		mov	[ebp+var_128], eax
		mov	ebx, [ebp+var_158]
		mov	eax, [ebp+var_14C]
		jmp	short loc_73B96B
; 

loc_73B957:				; CODE XREF: VrpPostEnumerateKey(x,x)+56Ej
		mov	ecx, [ebp+var_124]
		mov	[ecx+0Ch], edi
		mov	edi, 0C0000503h

loc_73B965:				; CODE XREF: VrpPostEnumerateKey(x,x)+185j
					; VrpPostEnumerateKey(x,x)+1A3j ...
		mov	eax, [ebp+var_104]

loc_73B96B:				; CODE XREF: VrpPostEnumerateKey(x,x)+5B7j
		cmp	[ebp+var_118], 0
		jz	short loc_73B9C3
		lea	ecx, [eax+10h]
		mov	[ebp+var_14C], ecx
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_73B996
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+var_14C]

loc_73B996:				; CODE XREF: VrpPostEnumerateKey(x,x)+5EBj
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		nop
		add	word ptr [ecx+13Ch], 1
		jnz	short loc_73B9C3
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_73B9C3
		cmp	[ecx+13Eh], si
		jnz	short loc_73B9C3
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_73B9C3:				; CODE XREF: VrpPostEnumerateKey(x,x)+5D4j
					; VrpPostEnumerateKey(x,x)+60Dj ...
		test	edi, edi
		jns	loc_73BA9C
		cmp	dword_6B2370, 2
		jbe	loc_73BA9C
		mov	eax, [ebx+8]
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_148]
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], esi
		mov	[ebp+var_78], 4
		mov	[ebp+var_74], esi
		mov	eax, [ebp+var_128]
		mov	edx, (offset loc_403A20+4)
		cmp	[eax+14h], esi
		lea	ecx, [eax+10h]
		jnz	short loc_73BA0C
		mov	ecx, edx

loc_73BA0C:				; CODE XREF: VrpPostEnumerateKey(x,x)+66Aj
		lea	eax, [ebp+var_58]
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], esi
		push	2
		pop	ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], esi
		mov	eax, [ecx+4]
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], esi
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], esi
		cmp	[ebp+var_138], 0
		jz	short loc_73BA3F
		lea	edx, [ebp+var_13C]

loc_73BA3F:				; CODE XREF: VrpPostEnumerateKey(x,x)+699j
		lea	eax, [ebp+var_38]
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], esi
		mov	eax, [edx+4]
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], esi
		movzx	eax, word ptr [edx]
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], esi
		mov	[ebp+var_118], edi
		lea	eax, [ebp+var_118]
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], 4
		mov	[ebp+var_24], esi
		lea	eax, [ebp+var_A0]
		push	eax
		push	8
		push	esi
		lea	eax, [ebp+var_100]
		push	eax
		push	(offset	loc_41B20F+4)
		push	offset dword_6B2370
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_73BA9C:				; CODE XREF: VrpPostEnumerateKey(x,x)+627j
					; VrpPostEnumerateKey(x,x)+634j
		cmp	[ebp+var_11C], 0
		jz	short loc_73BAB0
		push	[ebp+var_11C]
		call	_ZwClose@4	; ZwClose(x)

loc_73BAB0:				; CODE XREF: VrpPostEnumerateKey(x,x)+705j
		cmp	[ebp+var_12C], 0
		jz	short loc_73BAC4
		push	[ebp+var_12C]
		call	_ZwClose@4	; ZwClose(x)

loc_73BAC4:				; CODE XREF: VrpPostEnumerateKey(x,x)+719j
		mov	eax, [ebp+var_140]
		test	eax, eax
		jz	short loc_73BAD9
		push	67655256h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_73BAD9:				; CODE XREF: VrpPostEnumerateKey(x,x)+72Ej
		mov	eax, [ebp+var_144]
		test	eax, eax
		jz	short loc_73BAEE
		push	67655256h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_73BAEE:				; CODE XREF: VrpPostEnumerateKey(x,x)+743j
		cmp	[ebp+var_138], 0
		jz	short loc_73BB07
		push	67655256h
		push	[ebp+var_138]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_73BB07:				; CODE XREF: VrpPostEnumerateKey(x,x)+757j
		lea	edx, [ebp+var_110]
		mov	cl, byte ptr [ebp+var_108]
		call	_VrpCleanupBufferParameter@8 ; VrpCleanupBufferParameter(x,x)
		lea	edx, [ebp+var_114]
		mov	cl, byte ptr [ebp+var_108]
		call	_VrpCleanupBufferParameter@8 ; VrpCleanupBufferParameter(x,x)
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VrpPostEnumerateKey@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAddExtraParameterToBlock(x, x)
_CmpAddExtraParameterToBlock@8 proc near ; CODE	XREF: VrpPostOpenOrCreate(x,x)+108p
					; VrpPreOpenOrCreate(x,x)+2D1p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		lea	eax, [ebp+var_4]
		push	eax
		mov	esi, ecx
		lea	edx, [edi+8]
		call	_CmpFindExtraParameterInBlock@12 ; CmpFindExtraParameterInBlock(x,x,x)
		test	eax, eax
		jns	short loc_73BB76
		cmp	eax, 0C0000034h
		jnz	short loc_73BB72
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_73BB7D
		mov	[edi+4], eax
		mov	[edi], esi
		mov	[eax], edi
		xor	eax, eax
		mov	[esi+4], edi

loc_73BB72:				; CODE XREF: CmpAddExtraParameterToBlock(x,x)+21j
					; CmpAddExtraParameterToBlock(x,x)+3Fj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_73BB76:				; CODE XREF: CmpAddExtraParameterToBlock(x,x)+1Aj
		mov	eax, 0C0000035h
		jmp	short loc_73BB72
; 

loc_73BB7D:				; CODE XREF: CmpAddExtraParameterToBlock(x,x)+28j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmpAddExtraParameterToBlock@8 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall CmAllocateExtraParameter(x,	x, x)
_CmAllocateExtraParameter@12 proc near	; CODE XREF: VrpPostOpenOrCreate(x,x)+B6p
					; VrpPreOpenOrCreate(x,x)+27Cp
		mov	edi, edi
		push	ebx
		push	50454D43h
		push	30h
		xor	ecx, ecx
		pop	edx
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_73BBCD
		push	esi
		push	edi
		push	30h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	esi, offset _VRP_ORIGINAL_KEY_NAME_PARAMETER_GUID
		lea	edi, [ebx+8]
		add	esp, 0Ch
		lea	eax, [ebx+20h]
		movsd
		movsd
		movsd
		movsd
		pop	edi
		mov	dword ptr [ebx+18h], offset _VrpOriginalKeyNameParameterCleanup@8 ; VrpOriginalKeyNameParameterCleanup(x,x)
		mov	dword ptr [ebx+1Ch], 10h
		pop	esi

loc_73BBC9:				; CODE XREF: CmAllocateExtraParameter(x,x,x)+4Dj
		pop	ebx
		retn	4
; 

loc_73BBCD:				; CODE XREF: CmAllocateExtraParameter(x,x,x)+17j
		xor	eax, eax
		jmp	short loc_73BBC9
_CmAllocateExtraParameter@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall VrpFreeKeyContext(x)
_VrpFreeKeyContext@4 proc near		; CODE XREF: VrpRegistryCallback+173p
					; VrpPostOpenOrCreate(x,x)+21Dp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		call	_VrpDecommissionKeyContext@4 ; VrpDecommissionKeyContext(x)
		mov	edi, 67655256h
		push	edi
		push	dword ptr [esi+20h]
		call	ObDereferenceObjectDeferDeleteWithTag
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_VrpFreeKeyContext@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFireCleanupNotifications proc near	; CODE XREF: CmpDeleteKeyObject+134p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	20h
		push	offset dword_6A00C0
		call	__SEH_prolog4
		mov	[ebp+var_20], ecx
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		mov	eax, [ecx+28h]

loc_73BC10:				; CODE XREF: CmpFireCleanupNotifications+55j
		mov	[ebp+var_1C], eax
		mov	ecx, [ebp+var_20]
		lea	eax, [ecx+28h]
		mov	esi, [ebp+var_1C]
		cmp	esi, eax
		jz	short loc_73BC4D
		mov	edx, [esi+18h]
		mov	[ebp+var_24], edx
		mov	[ebp+var_30], ecx
		mov	eax, [esi+20h]
		mov	[ebp+var_2C], eax
		and	[ebp+ms_exc.disabled], 0
		lea	eax, [ebp+var_30]
		push	eax
		push	28h
		push	dword ptr [edx+18h]
		call	dword ptr [edx+1Ch]

loc_73BC3F:				; CODE XREF: sub_8CA952+Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		mov	eax, [eax]
		jmp	short loc_73BC10
; 

loc_73BC4D:				; CODE XREF: CmpFireCleanupNotifications+28j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CmpFireCleanupNotifications endp

; 
		retn
; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpRegistryCallback proc near		; DATA XREF: CmRegisterInternalCallback(x,x,x,x,x,x)+15o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008CA965 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[esp+2Ch+var_14], eax
		mov	[esp+2Ch+var_10], eax
		mov	[esp+2Ch+var_C], eax
		mov	[esp+2Ch+var_8], eax
		push	edi
		mov	edi, [ebp+arg_8]
		cmp	esi, 31h
		ja	short loc_73BCDC
		mov	[esp+30h+var_20], eax
		mov	edx, edi
		mov	[esp+30h+var_1C], eax
		mov	ecx, esi
		mov	[esp+30h+var_18], eax
		lea	eax, [esp+30h+var_1C]
		push	eax
		lea	eax, [esp+34h+var_20]
		push	eax
		call	VrpGetContextsForNotifyInfo
		mov	eax, [esp+30h+var_20]
		test	eax, eax
		jnz	short loc_73BD2A
		mov	eax, [esp+30h+var_1C]
		test	eax, eax
		jnz	loc_73BDAB
		cmp	esi, 20h
		jz	loc_73BDDD
		cmp	esi, 1Dh
		jz	short loc_73BCF2
		cmp	esi, 1Bh
		jz	short loc_73BCF2

loc_73BCDC:				; CODE XREF: VrpRegistryCallback+34j
					; VrpRegistryCallback+B7j ...
		xor	eax, eax

loc_73BCDE:				; CODE XREF: VrpRegistryCallback+18ED25j
					; VrpRegistryCallback+18ED33j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+24h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_73BCF2:				; CODE XREF: VrpRegistryCallback+75j
					; VrpRegistryCallback+7Aj
		mov	eax, [edi+4]
		xor	ecx, ecx
		mov	ebx, [eax+0Ch]
		mov	eax, [ebx]
		mov	[esp+30h+var_20], eax
		cmp	eax, ebx
		jnz	loc_73BE12

loc_73BD08:				; CODE XREF: VrpRegistryCallback+18ED19j
		mov	edx, 0C0000034h

loc_73BD0D:				; CODE XREF: VrpRegistryCallback+1D3j
		xor	eax, eax
		test	edx, edx
		setns	al
		dec	eax
		test	eax, edx
		jl	short loc_73BCDC
		lea	eax, [ecx+20h]
		xor	ecx, ecx
		test	edx, edx
		sets	cl
		dec	ecx
		and	ecx, eax
		mov	ebx, [ecx]
		jmp	short loc_73BD2D
; 

loc_73BD2A:				; CODE XREF: VrpRegistryCallback+5Bj
		mov	ebx, [eax+20h]

loc_73BD2D:				; CODE XREF: VrpRegistryCallback+C8j
					; VrpRegistryCallback+14Ej ...
		lea	eax, [esp+30h+var_14]
		push	eax
		push	1
		call	EtwActivityIdControl
		cmp	esi, 1Dh
		jz	short loc_73BD8E
		cmp	esi, 1Ch
		jz	short loc_73BDB3
		cmp	esi, 0Eh
		jl	short loc_73BD78

loc_73BD48:				; CODE XREF: VrpRegistryCallback+121j
		cmp	esi, 17h
		jge	short loc_73BD83

loc_73BD4D:				; CODE XREF: VrpRegistryCallback+12Cj
		add	esi, 0FFFFFFF9h
		cmp	esi, 29h
		ja	short loc_73BCDC
		movzx	eax, ds:byte_73BE8C[esi]
		jmp	ds:off_73BE58[eax*4]

loc_73BD63:				; DATA XREF: PAGE:0073BE5Co
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	loc_73BCDC
		call	_VrpDecommissionKeyContext@4 ; VrpDecommissionKeyContext(x)
		jmp	loc_73BCDC
; 

loc_73BD78:				; CODE XREF: VrpRegistryCallback+E6j
		cmp	esi, 8
		jge	loc_73BCDC
		jmp	short loc_73BD48
; 

loc_73BD83:				; CODE XREF: VrpRegistryCallback+EBj
		cmp	esi, 1Ah
		jl	loc_73BCDC
		jmp	short loc_73BD4D
; 

loc_73BD8E:				; CODE XREF: VrpRegistryCallback+DCj
					; VrpRegistryCallback+FCj
					; DATA XREF: ...
		mov	edx, ebx
		mov	ecx, edi
		call	_VrpPostOpenOrCreate@8 ; VrpPostOpenOrCreate(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+24h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_73BDAB:				; CODE XREF: VrpRegistryCallback+63j
		mov	ebx, [eax+4]
		jmp	loc_73BD2D
; 

loc_73BDB3:				; CODE XREF: VrpRegistryCallback+E1j
					; VrpRegistryCallback+FCj
					; DATA XREF: ...
		mov	edx, ebx
		mov	ecx, edi
		call	_VrpPreOpenOrCreate@8 ;	VrpPreOpenOrCreate(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+24h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_73BDD0:				; CODE XREF: VrpRegistryCallback+FCj
					; DATA XREF: PAGE:0073BE80o
		mov	ecx, [edi+4]
		call	_VrpFreeKeyContext@4 ; VrpFreeKeyContext(x)
		jmp	loc_73BCDC
; 

loc_73BDDD:				; CODE XREF: VrpRegistryCallback+6Cj
		lea	ecx, [esp+30h+var_18]
		call	VRegEnabledInJob
		test	eax, eax
		jz	loc_73BCDC
		mov	ebx, [esp+30h+var_18]
		jmp	loc_73BD2D
; 

loc_73BDF7:				; CODE XREF: VrpRegistryCallback+FCj
					; DATA XREF: PAGE:0073BE64o
		mov	ecx, edi
		call	VrpPostQueryKey
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+24h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_73BE12:				; CODE XREF: VrpRegistryCallback+A2j
					; VrpRegistryCallback+18ED11j
		push	10h		; size_t
		add	eax, 8
		push	offset _VRP_ORIGINAL_KEY_NAME_PARAMETER_GUID ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8CA965
		mov	ecx, [esp+30h+var_20]
		xor	edx, edx
		jmp	loc_73BD0D
; 

loc_73BE38:				; CODE XREF: VrpRegistryCallback+FCj
					; DATA XREF: PAGE:0073BE60o
		mov	edx, ebx
		mov	ecx, edi
		call	_VrpPostEnumerateKey@8 ; VrpPostEnumerateKey(x,x)
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
VrpRegistryCallback endp

; 
		align 4
off_73BE58	dd offset loc_73BCDC	; DATA XREF: VrpRegistryCallback+FCr
		dd offset loc_73BD63
		dd offset loc_73BE38
		dd offset loc_73BDF7
		dd offset loc_73BDB3
		dd offset loc_73BD8E
		dd offset loc_8CA9B4
		dd offset loc_8CA98A
		dd offset loc_8CA998
		dd offset loc_8CA9A6
		dd offset loc_73BDD0
		dd offset loc_8CA97E
		dd offset loc_73BCDC
byte_73BE8C	db 0			; DATA XREF: VrpRegistryCallback+F5r
		db 3 dup(0Ch)
		dd 10C0C0Ch, 0C0C0C0Ch,	30C020Ch, 40C0C0Ch, 60C0C05h, 80C070Ch
		dd 0C0C0C09h, 0C0C0A0Ch, 0C0C0C0Ch, 0CCCC000Bh,	2 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpGetContextsForNotifyInfo proc near	; CODE XREF: VrpRegistryCallback+50p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CA9C0 SIZE 00000009 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ecx, 30h
		ja	loc_8CA9C0
		movzx	eax, ds:byte_73BFE8[ecx]
		jmp	ds:off_73BFB8[eax*4]

loc_73BEDC:				; DATA XREF: PAGE:0073BFCCo
		mov	ecx, [edx+10h]
		mov	edx, [edx+14h]

loc_73BEE2:				; CODE XREF: VrpGetContextsForNotifyInfo+18EB04j
		mov	eax, [ebp+arg_0]
		mov	[eax], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		pop	ebp
		retn	8
; 

loc_73BEF0:				; CODE XREF: VrpGetContextsForNotifyInfo+15j
					; DATA XREF: PAGE:0073BFD4o
		mov	eax, [edx]
		mov	ecx, [eax+10h]
		mov	edx, [eax+14h]
		mov	eax, [ebp+arg_0]
		mov	[eax], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		pop	ebp
		retn	8
; 

loc_73BF06:				; CODE XREF: VrpGetContextsForNotifyInfo+15j
					; DATA XREF: PAGE:0073BFD0o
		mov	eax, [edx]
		xor	ecx, ecx
		mov	edx, [eax+30h]
		mov	eax, [ebp+arg_0]
		mov	[eax], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		pop	ebp
		retn	8
; 

loc_73BF1B:				; CODE XREF: VrpGetContextsForNotifyInfo+15j
					; DATA XREF: PAGE:0073BFBCo
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	edx, [edx+1Ch]
		mov	[eax], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		pop	ebp
		retn	8
; 

loc_73BF2E:				; CODE XREF: VrpGetContextsForNotifyInfo+15j
					; DATA XREF: PAGE:off_73BFB8o
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	edx, [edx+8]
		mov	[eax], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		pop	ebp
		retn	8
; 

loc_73BF41:				; CODE XREF: VrpGetContextsForNotifyInfo+15j
					; DATA XREF: PAGE:0073BFC8o
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	edx, [edx+18h]
		mov	[eax], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		pop	ebp
		retn	8
; 

loc_73BF54:				; CODE XREF: VrpGetContextsForNotifyInfo+15j
					; DATA XREF: PAGE:0073BFC4o
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	edx, [edx+14h]
		mov	[eax], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		pop	ebp
		retn	8
; 

loc_73BF67:				; CODE XREF: VrpGetContextsForNotifyInfo+15j
					; DATA XREF: PAGE:0073BFC0o
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	edx, [edx+0Ch]
		mov	[eax], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		pop	ebp
		retn	8
; 

loc_73BF7A:				; CODE XREF: VrpGetContextsForNotifyInfo+15j
					; DATA XREF: PAGE:0073BFE0o
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	edx, [edx+4]
		mov	[eax], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		pop	ebp
		retn	8
; 

loc_73BF8D:				; CODE XREF: VrpGetContextsForNotifyInfo+15j
					; DATA XREF: PAGE:0073BFDCo
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	edx, [edx+10h]
		mov	[eax], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		pop	ebp
		retn	8
; 

loc_73BFA0:				; CODE XREF: VrpGetContextsForNotifyInfo+15j
					; DATA XREF: PAGE:0073BFD8o
		mov	eax, [edx]
		xor	ecx, ecx
		mov	edx, [eax+24h]
		mov	eax, [ebp+arg_0]
		mov	[eax], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		pop	ebp
		retn	8
VrpGetContextsForNotifyInfo endp

; 
		align 4
off_73BFB8	dd offset loc_73BF2E	; DATA XREF: VrpGetContextsForNotifyInfo+15r
		dd offset loc_73BF1B
		dd offset loc_73BF67
		dd offset loc_73BF54
		dd offset loc_73BF41
		dd offset loc_73BEDC
		dd offset loc_73BF06
		dd offset loc_73BEF0
		dd offset loc_73BFA0
		dd offset loc_73BF8D
		dd offset loc_73BF7A
		dd offset loc_8CA9C0
byte_73BFE8	db 0			; DATA XREF: VrpGetContextsForNotifyInfo+Er
		db 1, 2, 3
		dd 4010102h, 50B0101h, 500050Bh, 2 dup(5050505h), 7060505h
		dd 5000706h, 5020708h, 5090503h, 905090Ah, 3050905h
		db 5, 0CCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpPostOpenOrCreate(x, x)
_VrpPostOpenOrCreate@8 proc near	; CODE XREF: VrpRegistryCallback+132p

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_6C], edx
		lea	edi, [ebp+var_68]
		mov	esi, ecx
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_68]
		push	eax
		push	3
		call	EtwActivityIdControl
		mov	ecx, [esi]
		xor	ebx, ebx
		and	[ebp+var_70], ebx
		and	[ebp+var_74], ebx
		mov	[ebp+var_7C], ecx
		mov	eax, [ecx+8]
		mov	edi, [ecx+10h]
		mov	[ebp+var_78], eax
		mov	eax, [esi+4]
		mov	esi, [ecx+4]
		mov	[ebp+var_80], eax
		test	esi, esi
		jns	short loc_73C075

loc_73C06E:				; CODE XREF: VrpPostOpenOrCreate(x,x)+74j
					; VrpPostOpenOrCreate(x,x)+96j	...
		xor	esi, esi
		jmp	loc_73C24B
; 

loc_73C075:				; CODE XREF: VrpPostOpenOrCreate(x,x)+52j
		lea	ecx, [ebp+var_70]
		push	ecx
		mov	ecx, [eax+0Ch]
		call	_CmRetrieveExtraParameter@12 ; CmRetrieveExtraParameter(x,x,x)
		cmp	esi, 104h
		jnz	short loc_73C0B7
		mov	ecx, [ebp+var_70]
		test	ecx, ecx
		jz	short loc_73C06E
		add	ecx, 0FFFFFFE0h
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_73C0B2
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_73C0B2
		mov	[eax], edx
		mov	[edx+4], eax
		and	[ecx], ebx
		and	[ecx+4], ebx
		call	_CmpFreeExtraParameter@4 ; CmpFreeExtraParameter(x)
		jmp	short loc_73C06E
; 

loc_73C0B2:				; CODE XREF: VrpPostOpenOrCreate(x,x)+7Ej
					; VrpPostOpenOrCreate(x,x)+85j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_73C0B7:				; CODE XREF: VrpPostOpenOrCreate(x,x)+6Dj
		cmp	esi, 368h
		jnz	short loc_73C136
		cmp	[ebp+var_70], ebx
		jnz	short loc_73C06E
		test	edi, edi
		jnz	short loc_73C0CF
		xor	esi, esi
		jmp	loc_73C338
; 

loc_73C0CF:				; CODE XREF: VrpPostOpenOrCreate(x,x)+ACj
		push	ecx
		call	_CmAllocateExtraParameter@12 ; CmAllocateExtraParameter(x,x,x)
		mov	[ebp+var_74], eax
		test	eax, eax
		jnz	short loc_73C0E6

loc_73C0DC:				; CODE XREF: VrpPostOpenOrCreate(x,x)+12Ej
					; VrpPostOpenOrCreate(x,x)+158j
		mov	esi, 0C000009Ah
		jmp	loc_73C1BF
; 

loc_73C0E6:				; CODE XREF: VrpPostOpenOrCreate(x,x)+C0j
		add	eax, 8
		lea	edx, [edi+18h]
		push	eax
		xor	ecx, ecx
		call	_VrpBuildKeyPath@12 ; VrpBuildKeyPath(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_73C1BF
		mov	ecx, [edi+4]
		mov	edx, 67655256h
		call	ObfReferenceObjectWithTag
		mov	edx, [ebp+var_74]
		mov	eax, [edi+4]
		mov	ecx, [ebp+var_80]
		mov	[edx], eax
		mov	eax, [edi+20h]
		mov	[edx+4], eax
		add	edx, 0FFFFFFE0h
		mov	ecx, [ecx+0Ch]
		call	_CmpAddExtraParameterToBlock@8 ; CmpAddExtraParameterToBlock(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_73C1BF
		jmp	loc_73C06E
; 

loc_73C136:				; CODE XREF: VrpPostOpenOrCreate(x,x)+A3j
		mov	esi, [ebp+var_70]
		test	esi, esi
		jz	short loc_73C166
		mov	ecx, [esi]
		call	_VrpAllocateKeyContext@4 ; VrpAllocateKeyContext(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_73C0DC
		lea	eax, [ebx+10h]
		xor	ecx, ecx
		push	eax
		lea	edx, [esi+8]
		call	_VrpBuildKeyPath@12 ; VrpBuildKeyPath(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_73C1BF
		mov	eax, [ebp+var_70]
		mov	eax, [eax+4]
		jmp	short loc_73C18F
; 

loc_73C166:				; CODE XREF: VrpPostOpenOrCreate(x,x)+121j
		mov	ecx, [ebp+var_6C]
		call	_VrpAllocateKeyContext@4 ; VrpAllocateKeyContext(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_73C0DC
		lea	eax, [ebx+10h]
		xor	ecx, ecx
		push	eax
		lea	edx, [edi+18h]
		call	_VrpBuildKeyPath@12 ; VrpBuildKeyPath(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_73C1BF
		mov	eax, [edi+20h]

loc_73C18F:				; CODE XREF: VrpPostOpenOrCreate(x,x)+14Aj
		lea	ecx, [ebx+10h]
		mov	[ebx+1Ch], eax
		call	_VrpCountPathComponents@4 ; VrpCountPathComponents(x)
		mov	[ebx+18h], ax
		lea	eax, [ebp+var_6C]
		push	eax
		mov	eax, [ebp+var_78]
		push	ebx
		push	offset _VrpCallbackCookie
		mov	eax, [eax+28h]
		push	dword ptr [eax]
		call	CmSetCallbackObjectContext
		mov	esi, eax
		test	esi, esi
		jns	loc_73C24B

loc_73C1BF:				; CODE XREF: VrpPostOpenOrCreate(x,x)+C7j
					; VrpPostOpenOrCreate(x,x)+DEj	...
		cmp	dword_6B2370, 2
		jbe	short loc_73C231
		mov	eax, [ebp+var_78]
		mov	eax, [eax]
		cmp	dword ptr [eax+4], 0
		jnz	short loc_73C1D8
		mov	eax, (offset loc_403A20+4)

loc_73C1D8:				; CODE XREF: VrpPostOpenOrCreate(x,x)+1B7j
		movzx	ecx, word ptr [eax]
		lea	edx, [ebp+var_20]
		mov	eax, [eax+4]
		mov	[ebp+var_28], eax
		mov	eax, ecx
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		mov	[ebp+var_38], edx
		lea	eax, [ebp+var_68]
		xor	edx, edx
		mov	[ebp+var_30], 2
		push	edx
		push	eax
		push	offset loc_41B460
		push	offset dword_6B2370
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_6C], esi
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_73C231:				; CODE XREF: VrpPostOpenOrCreate(x,x)+1ACj
		test	ebx, ebx
		jz	short loc_73C23C
		mov	ecx, ebx
		call	_VrpFreeKeyContext@4 ; VrpFreeKeyContext(x)

loc_73C23C:				; CODE XREF: VrpPostOpenOrCreate(x,x)+219j
		mov	eax, [ebp+var_74]
		test	eax, eax
		jz	short loc_73C24B
		lea	ecx, [eax-20h]
		call	_CmpFreeExtraParameter@4 ; CmpFreeExtraParameter(x)

loc_73C24B:				; CODE XREF: VrpPostOpenOrCreate(x,x)+56j
					; VrpPostOpenOrCreate(x,x)+19Fj ...
		test	edi, edi
		jz	loc_73C329
		mov	ebx, [ebp+var_78]
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jz	short loc_73C262
		call	ObfDereferenceObject

loc_73C262:				; CODE XREF: VrpPostOpenOrCreate(x,x)+241j
		mov	eax, [edi]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_7C]
		and	dword ptr [edi], 0
		mov	eax, [eax+4]
		cmp	eax, 104h
		jz	short loc_73C2B4
		cmp	eax, 368h
		jz	short loc_73C2B4
		mov	ecx, [ebx]
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_73C291
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebx]

loc_73C291:				; CODE XREF: VrpPostOpenOrCreate(x,x)+26Bj
		mov	eax, [edi+8]
		mov	[ecx], eax
		mov	eax, [edi+0Ch]
		mov	[ecx+4], eax
		mov	ecx, [ebx+3Ch]
		mov	eax, [edi+10h]
		mov	[ecx], eax
		mov	eax, [edi+14h]
		mov	[ecx+4], eax
		and	dword ptr [edi+0Ch], 0
		and	dword ptr [edi+14h], 0
		jmp	short loc_73C322
; 

loc_73C2B4:				; CODE XREF: VrpPostOpenOrCreate(x,x)+25Bj
					; VrpPostOpenOrCreate(x,x)+262j
		cmp	dword_6B2370, 5
		jbe	short loc_73C322
		mov	eax, [ebx]
		xor	ebx, ebx
		cmp	[eax+4], ebx
		jnz	short loc_73C2CB
		mov	eax, (offset loc_403A20+4)

loc_73C2CB:				; CODE XREF: VrpPostOpenOrCreate(x,x)+2AAj
		movzx	ecx, word ptr [eax]
		lea	edx, [ebp+var_20]
		mov	eax, [eax+4]
		mov	[ebp+var_28], eax
		mov	eax, ecx
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	ebx
		lea	eax, [ebp+var_68]
		mov	[ebp+var_38], edx
		push	eax
		push	offset loc_41B2D2
		push	offset dword_6B2370
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], 2
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_6C], esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_73C322:				; CODE XREF: VrpPostOpenOrCreate(x,x)+298j
					; VrpPostOpenOrCreate(x,x)+2A1j
		mov	ecx, edi
		call	_VrpFreeCallbackContext@4 ; VrpFreeCallbackContext(x)

loc_73C329:				; CODE XREF: VrpPostOpenOrCreate(x,x)+233j
		test	esi, esi
		jns	short loc_73C338
		mov	eax, [ebp+var_7C]
		mov	[eax+0Ch], esi
		mov	esi, 0C0000503h

loc_73C338:				; CODE XREF: VrpPostOpenOrCreate(x,x)+B0j
					; VrpPostOpenOrCreate(x,x)+311j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_VrpPostOpenOrCreate@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpPreOpenOrCreate(x, x)
_VrpPreOpenOrCreate@8 proc near		; CODE XREF: VrpRegistryCallback+157p

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ecx
		mov	[ebp+var_90], edx
		mov	[ebp+var_8C], eax
		xor	edx, edx
		push	ebx
		push	esi
		mov	eax, [eax]
		mov	ebx, edx
		mov	[ebp+var_6C], eax
		push	edi
		mov	[ebp+var_74], edx
		lea	edi, [ebp+var_68]
		mov	[ebp+var_70], edx
		mov	[ebp+var_88], edx
		mov	[ebp+var_84], edx
		mov	ecx, [eax]
		mov	esi, [eax+30h]
		mov	eax, [eax+4]
		mov	[ebp+var_9C], eax
		xor	eax, eax
		stosd
		mov	[ebp+var_A8], edx
		mov	[ebp+var_A4], edx
		mov	[ebp+var_A0], edx
		stosd
		mov	[ebp+var_94], ecx
		mov	[ebp+var_7C], edx
		mov	[ebp+var_78], esi
		stosd
		mov	[ebp+var_80], edx
		stosd
		lea	eax, [ebp+var_68]
		push	eax
		push	3
		call	EtwActivityIdControl
		mov	ecx, esi
		lea	eax, [esi+10h]
		neg	ecx
		sbb	ecx, ecx
		xor	edx, edx
		and	ecx, eax
		mov	eax, [ebp+var_94]
		cmp	[eax], dx
		jz	short loc_73C40A
		mov	eax, [eax+4]
		cmp	word ptr [eax],	5Ch
		jnz	short loc_73C40A
		mov	edi, [ebp+var_6C]
		lea	eax, [ebp+var_74]
		push	eax
		xor	ecx, ecx
		mov	edx, [edi]
		call	_VrpBuildKeyPath@12 ; VrpBuildKeyPath(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_73C42D
		jmp	loc_73C71E
; 

loc_73C40A:				; CODE XREF: VrpPreOpenOrCreate(x,x)+9Aj
					; VrpPreOpenOrCreate(x,x)+A3j
		test	esi, esi
		jnz	short loc_73C415
		mov	esi, edx
		jmp	loc_73C55F
; 

loc_73C415:				; CODE XREF: VrpPreOpenOrCreate(x,x)+C2j
		mov	edi, [ebp+var_6C]
		lea	eax, [ebp+var_74]
		push	eax
		mov	edx, [edi]
		call	_VrpBuildKeyPath@12 ; VrpBuildKeyPath(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_73C726

loc_73C42D:				; CODE XREF: VrpPreOpenOrCreate(x,x)+B9j
		xor	esi, esi
		lea	eax, [ebp+var_98]
		push	eax
		lea	edx, [ebp+var_6C]
		mov	[ebp+var_6C], esi
		lea	ecx, [ebp+var_74]
		mov	[ebp+var_98], esi
		mov	[ebp+var_94], esi
		call	_VrpGetNextToken@12 ; VrpGetNextToken(x,x,x)
		push	1
		push	offset _VrpRegistryString
		lea	eax, [ebp+var_98]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	loc_73C570
		lea	eax, [ebp+var_98]
		push	eax
		lea	edx, [ebp+var_6C]
		lea	ecx, [ebp+var_74]
		call	_VrpGetNextToken@12 ; VrpGetNextToken(x,x,x)
		push	1
		push	offset _VrpWcString
		lea	eax, [ebp+var_98]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	loc_73C570
		mov	esi, 0C0000022h

loc_73C49D:				; CODE XREF: VrpPreOpenOrCreate(x,x)+28Cj
					; VrpPreOpenOrCreate(x,x)+3E2j
		cmp	dword_6B2370, 2
		jbe	short loc_73C50B
		mov	eax, [edi]
		xor	edi, edi
		cmp	[eax+4], edi
		jnz	short loc_73C4B4
		mov	eax, (offset loc_403A20+4)

loc_73C4B4:				; CODE XREF: VrpPreOpenOrCreate(x,x)+163j
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_28], eax
		mov	eax, ecx
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	edi
		lea	eax, [ebp+var_68]
		mov	[ebp+var_78], esi
		push	eax
		push	offset loc_41B49A

loc_73C4DB:				; CODE XREF: VrpPreOpenOrCreate(x,x)+42Ej
		lea	edx, [ebp+var_20]
		mov	[ebp+var_34], edi
		push	offset dword_6B2370
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], 2
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_73C50B:				; CODE XREF: VrpPreOpenOrCreate(x,x)+15Aj
					; VrpPreOpenOrCreate(x,x)+3EFj
		mov	eax, [ebp+var_A0]
		mov	edi, 67655256h
		test	eax, eax
		jz	short loc_73C521
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_73C521:				; CODE XREF: VrpPreOpenOrCreate(x,x)+1CEj
		cmp	[ebp+var_84], 0
		jz	short loc_73C536
		push	edi
		push	[ebp+var_84]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_73C536:				; CODE XREF: VrpPreOpenOrCreate(x,x)+1DEj
		mov	eax, [ebp+var_80]
		test	eax, eax
		jz	short loc_73C544
		mov	ecx, eax
		call	ObfDereferenceObject

loc_73C544:				; CODE XREF: VrpPreOpenOrCreate(x,x)+1F1j
		cmp	[ebp+var_70], 0
		jz	short loc_73C553
		push	edi
		push	[ebp+var_70]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_73C553:				; CODE XREF: VrpPreOpenOrCreate(x,x)+1FEj
		test	ebx, ebx
		jz	short loc_73C55F
		lea	ecx, [ebx-20h]
		call	_CmpFreeExtraParameter@4 ; CmpFreeExtraParameter(x)

loc_73C55F:				; CODE XREF: VrpPreOpenOrCreate(x,x)+C6j
					; VrpPreOpenOrCreate(x,x)+20Bj	...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_73C570:				; CODE XREF: VrpPreOpenOrCreate(x,x)+11Bj
					; VrpPreOpenOrCreate(x,x)+148j
		mov	edx, [ebp+var_9C]
		lea	eax, [ebp+var_6C]
		mov	ecx, [ebp+var_90]
		push	eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_6C], esi
		push	eax
		lea	eax, [ebp+var_A8]
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		push	[ebp+var_78]
		call	VrpTranslatePath
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_73C5B3
		xor	esi, esi
		jmp	short loc_73C55F
; 

loc_73C5B3:				; CODE XREF: VrpPreOpenOrCreate(x,x)+263j
		test	esi, esi
		js	loc_73C726
		test	byte ptr [ebp+var_7C], 4
		jz	loc_73C678
		push	ecx
		call	_CmAllocateExtraParameter@12 ; CmAllocateExtraParameter(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_73C5DB

loc_73C5D1:				; CODE XREF: VrpPreOpenOrCreate(x,x)+357j
		mov	esi, 0C000009Ah
		jmp	loc_73C49D
; 

loc_73C5DB:				; CODE XREF: VrpPreOpenOrCreate(x,x)+285j
		mov	esi, [ebp+var_90]
		mov	edx, 67655256h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_7C]
		and	eax, 0FFFFFFFBh
		mov	[ebx], esi
		mov	[ebx+4], eax
		mov	eax, [ebp+var_74]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_70]
		mov	[ebx+0Ch], eax
		lea	eax, [ebp+var_74]
		push	0
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_8C]
		lea	edx, [ebx-20h]
		mov	ecx, [eax+0Ch]
		call	_CmpAddExtraParameterToBlock@8 ; CmpAddExtraParameterToBlock(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_73C726
		mov	ecx, [edi]
		xor	ebx, ebx
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_73C642
		push	67655256h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [edi]

loc_73C642:				; CODE XREF: VrpPreOpenOrCreate(x,x)+2E9j
		mov	eax, [ebp+var_88]
		mov	[ecx], eax
		mov	eax, [ebp+var_84]
		mov	[ecx+4], eax
		lea	eax, [ebp+var_88]
		push	0
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_8C]
		mov	esi, 0C0000503h
		mov	dword ptr [eax+8], 368h
		jmp	loc_73C732
; 

loc_73C678:				; CODE XREF: VrpPreOpenOrCreate(x,x)+275j
		mov	eax, [ebp+var_9C]
		mov	ecx, [ebp+var_80]
		push	67655256h
		push	24h
		mov	ax, [eax+1Eh]
		push	1
		mov	[ecx+1Eh], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_A0], edx
		test	edx, edx
		jz	loc_73C5D1
		mov	eax, [edi+4]
		mov	[edi+2Ch], edx
		mov	[edx], eax
		mov	ecx, [edi]
		mov	eax, [ecx]
		mov	[edx+8], eax
		mov	eax, [ecx+4]
		mov	[edx+0Ch], eax
		mov	ecx, [edi+3Ch]
		mov	eax, [ecx]
		mov	[edx+10h], eax
		mov	eax, [ecx+4]
		mov	ecx, [ebp+var_8C]
		mov	[edx+14h], eax
		mov	eax, [ebp+var_74]
		mov	[edx+18h], eax
		mov	eax, [ebp+var_70]
		mov	[edx+1Ch], eax
		mov	eax, [ebp+var_7C]
		mov	[edx+20h], eax
		mov	eax, [ebp+var_6C]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_90]
		mov	[edx+4], eax
		mov	ecx, [edi]
		mov	eax, [ebp+var_80]
		mov	[edi+4], eax
		mov	eax, [ebp+var_88]
		mov	[ecx], eax
		mov	eax, [ebp+var_84]
		mov	[ecx+4], eax
		mov	ecx, [edi+3Ch]
		mov	eax, [ebp+var_A8]
		mov	[ecx], eax
		mov	eax, [ebp+var_A4]
		mov	[ecx+4], eax

loc_73C71E:				; CODE XREF: VrpPreOpenOrCreate(x,x)+BBj
		test	esi, esi
		jns	loc_73C55F

loc_73C726:				; CODE XREF: VrpPreOpenOrCreate(x,x)+DDj
					; VrpPreOpenOrCreate(x,x)+26Bj	...
		cmp	esi, 0C0000503h
		jnz	loc_73C49D

loc_73C732:				; CODE XREF: VrpPreOpenOrCreate(x,x)+329j
		cmp	dword_6B2370, 5
		jbe	loc_73C50B
		mov	eax, [edi]
		xor	edi, edi
		cmp	[eax+4], edi
		jnz	short loc_73C74D
		mov	eax, (offset loc_403A20+4)

loc_73C74D:				; CODE XREF: VrpPreOpenOrCreate(x,x)+3FCj
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_28], eax
		mov	eax, ecx
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	edi
		lea	eax, [ebp+var_68]
		mov	[ebp+var_78], 0C0000503h
		push	eax
		push	(offset	loc_41B41D+4)
		jmp	loc_73C4DB
_VrpPreOpenOrCreate@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall VrpFreeCallbackContext(x)
_VrpFreeCallbackContext@4 proc near	; CODE XREF: VrpPostOpenOrCreate(x,x)+30Ap
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 67655256h
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_73C797
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_73C797:				; CODE XREF: VrpFreeCallbackContext(x)+10j
		mov	eax, [esi+0Ch]
		test	eax, eax
		jnz	short loc_73C7A8

loc_73C79E:				; CODE XREF: VrpFreeCallbackContext(x)+31j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
; 

loc_73C7A8:				; CODE XREF: VrpFreeCallbackContext(x)+1Ej
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_73C79E
_VrpFreeCallbackContext@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpCountPathComponents(x)
_VrpCountPathComponents@4 proc near	; CODE XREF: VrpCreateNamespaceNode+12Dp
					; VrpCreateNamespaceNode+139p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebp+var_C]
		push	esi
		push	eax
		mov	edi, ecx
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_4]
		call	_VrpGetNextToken@12 ; VrpGetNextToken(x,x,x)
		cmp	word ptr [ebp+var_C], si
		jz	short loc_73C7FD

loc_73C7E7:				; CODE XREF: VrpCountPathComponents(x)+49j
		lea	eax, [ebp+var_C]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_4]
		inc	esi
		call	_VrpGetNextToken@12 ; VrpGetNextToken(x,x,x)
		cmp	word ptr [ebp+var_C], 0
		jnz	short loc_73C7E7

loc_73C7FD:				; CODE XREF: VrpCountPathComponents(x)+33j
		pop	edi
		mov	ax, si
		pop	esi
		leave
		retn
_VrpCountPathComponents@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpTranslatePath proc near		; CODE XREF: VrpPreOpenOrCreate(x,x)+256p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008CA9C9 SIZE 00000092 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_18], edx
		push	esi
		push	edi
		mov	edx, ecx
		mov	[ebp+var_34], ebx
		xor	eax, eax
		mov	[ebp+var_1C], edx
		push	6
		pop	ecx
		lea	edi, [ebp+var_54]
		mov	[ebp+var_30], ebx
		rep stosd
		mov	ecx, [ebp+arg_4]
		mov	edi, edx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_20], ebx
		mov	eax, [ecx]
		mov	[ebp+var_2C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], ebx
		mov	byte ptr [ebp+arg_0+3],	bl
		movzx	eax, word ptr [eax+18h]
		mov	[ebp+var_8], eax

loc_73C855:				; CODE XREF: VrpTranslatePath+18E21Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [edi+10h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lea	eax, [ebp+var_20]
		mov	ecx, edi
		push	eax
		push	ebx
		push	1
		lea	edx, [ebp+var_2C]
		call	VrpFindNamespaceNode
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8CAA27
		mov	esi, [ebp+var_20]
		xor	edx, edx
		mov	[ebp+var_C], edx
		test	esi, esi
		jz	short loc_73C8AB

loc_73C894:				; CODE XREF: VrpTranslatePath+A2j
		lea	eax, [ebp+var_34]
		push	eax
		lea	edx, [ebp+var_C]
		lea	ecx, [ebp+var_2C]
		call	_VrpGetNextToken@12 ; VrpGetNextToken(x,x,x)
		sub	esi, 1
		jnz	short loc_73C894
		mov	edx, [ebp+var_C]

loc_73C8AB:				; CODE XREF: VrpTranslatePath+8Ej
		mov	ecx, [ebp+var_2C]
		lea	eax, [edx+edx]
		sub	ecx, eax
		movzx	eax, cx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_28]
		mov	word ptr [ebp+var_34], cx
		mov	word ptr [ebp+var_34+2], cx
		lea	ecx, [ebx+0Ch]
		lea	eax, [eax+edx*2]
		mov	[ebp+var_30], eax
		lea	edx, [ebp+var_34]
		lea	eax, [ebp+var_3C]
		push	eax
		call	_VrpBuildKeyPath@12 ; VrpBuildKeyPath(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_73CA82
		lea	ecx, [ebp+var_3C]
		call	_VrpStripTrailingCharacters@8 ;	VrpStripTrailingCharacters(x,x)
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_28]
		cmp	eax, [ecx+4]
		jnz	loc_8CA9C9

loc_73C8FA:				; CODE XREF: VrpTranslatePath+18E1CDj
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_38]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_3C]
		push	0
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebx+1Ch]
		mov	eax, ecx
		mov	edx, [ebp+var_10]
		and	eax, 4
		or	edx, eax
		mov	[ebp+var_10], edx
		cmp	edi, [ebp+var_1C]
		jnz	short loc_73C92E
		and	ecx, 2
		or	edx, ecx
		mov	[ebp+var_10], edx

loc_73C92E:				; CODE XREF: VrpTranslatePath+120j
		cmp	word ptr [ebp+var_24], 0
		jz	loc_73CAEC

loc_73C939:				; CODE XREF: VrpTranslatePath+2F1j
		movzx	ecx, word ptr [ebx+24h]
		cmp	[ebp+var_8], ecx
		jge	loc_73CAD5
		mov	dl, 1
		mov	byte ptr [ebp+arg_0+3],	dl

loc_73C94B:				; CODE XREF: VrpTranslatePath+2D4j
		movzx	eax, word ptr [ebx+26h]
		mov	esi, [ebx+8]
		sub	eax, ecx
		mov	ecx, [ebp+var_8]
		add	ecx, eax
		mov	[ebp+var_8], ecx
		test	esi, esi
		jnz	loc_8CA9D6
		cmp	[ebp+arg_C], esi
		jz	short loc_73C9DD
		test	dl, dl
		jz	loc_73CADD
		lea	eax, [ebx+0Ch]
		mov	[ebp+var_54], 18h
		mov	[ebp+var_4C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_54]
		mov	[ebp+var_50], ecx
		push	eax
		push	80000000h
		lea	eax, [ebp+var_14]
		mov	[ebp+var_48], 240h
		push	eax
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_73CA82
		mov	eax, ds:_CmKeyObjectType
		lea	ecx, [ebp+var_24]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		push	eax
		push	edx
		push	[ebp+var_14]
		mov	[ebp+var_24], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_24]
		test	esi, esi
		js	loc_73CA82
		mov	esi, eax

loc_73C9D5:				; CODE XREF: VrpTranslatePath+2E3j
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_8]
		mov	[eax], esi

loc_73C9DD:				; CODE XREF: VrpTranslatePath+163j
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jz	short loc_73CA53
		cmp	byte ptr [ebp+arg_0+3],	0
		jz	short loc_73CA15
		movzx	edx, word ptr [ebx+0Ch]
		mov	eax, [ebp+var_2C]
		shr	edx, 1
		movzx	ecx, ax
		mov	[ebp+arg_C], ecx
		lea	eax, [edx+edx]
		cmp	eax, ecx
		jnb	short loc_73CA3B
		mov	ecx, [ebp+var_28]

loc_73CA03:				; CODE XREF: VrpTranslatePath+20Dj
		cmp	word ptr [eax+ecx], 5Ch
		jnz	short loc_73CA3B
		inc	edx
		lea	eax, [edx+edx]
		cmp	eax, [ebp+arg_C]
		jb	short loc_73CA03
		jmp	short loc_73CA3B
; 

loc_73CA15:				; CODE XREF: VrpTranslatePath+1E4j
		xor	edx, edx
		mov	[ebp+var_C], edx
		test	ecx, ecx
		jle	short loc_73CA3B
		mov	esi, [ebp+var_8]

loc_73CA21:				; CODE XREF: VrpTranslatePath+22Fj
		lea	eax, [ebp+var_34]
		push	eax
		lea	edx, [ebp+var_C]
		lea	ecx, [ebp+var_2C]
		call	_VrpGetNextToken@12 ; VrpGetNextToken(x,x,x)
		sub	esi, 1
		jnz	short loc_73CA21
		mov	edx, [ebp+var_C]
		mov	esi, [ebp+arg_10]

loc_73CA3B:				; CODE XREF: VrpTranslatePath+1FAj
					; VrpTranslatePath+204j ...
		mov	ecx, [ebp+var_2C]
		lea	eax, [edx+edx]
		sub	ecx, eax
		mov	eax, [ebp+var_28]
		mov	[esi], cx
		mov	[esi+2], cx
		lea	eax, [eax+edx*2]
		mov	[esi+4], eax

loc_73CA53:				; CODE XREF: VrpTranslatePath+1DEj
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	short loc_73CA5F
		mov	ecx, [ebp+var_10]
		mov	[eax], ecx

loc_73CA5F:				; CODE XREF: VrpTranslatePath+254j
		mov	eax, [ebp+arg_18]
		mov	ecx, [ebx+20h]
		push	0
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_2C]
		mov	[eax], ecx
		mov	ecx, [ebp+var_28]
		mov	[eax+4], ecx
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	esi, esi

loc_73CA82:				; CODE XREF: VrpTranslatePath+D9j
					; VrpTranslatePath+1A2j ...
		push	11h
		lea	ebx, [edi+10h]
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	short loc_73CAFA

loc_73CA93:				; CODE XREF: VrpTranslatePath+2FDj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	edi, edi
		jz	short loc_73CAB3
		cmp	edi, [ebp+var_1C]
		jnz	loc_8CAA31

loc_73CAB3:				; CODE XREF: VrpTranslatePath+2A4j
					; VrpTranslatePath+18E239j
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_8CAA42

loc_73CABE:				; CODE XREF: VrpTranslatePath+18E244j
					; VrpTranslatePath+18E252j
		cmp	[ebp+var_14], 0
		jz	short loc_73CACC
		push	[ebp+var_14]
		call	_ZwClose@4	; ZwClose(x)

loc_73CACC:				; CODE XREF: VrpTranslatePath+2BEj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_73CAD5:				; CODE XREF: VrpTranslatePath+13Cj
		mov	dl, byte ptr [ebp+arg_0+3]
		jmp	loc_73C94B
; 

loc_73CADD:				; CODE XREF: VrpTranslatePath+167j
		mov	esi, [ebp+var_18]
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		jmp	loc_73C9D5
; 

loc_73CAEC:				; CODE XREF: VrpTranslatePath+12Fj
		or	edx, 20000000h
		mov	[ebp+var_10], edx
		jmp	loc_73C939
; 

loc_73CAFA:				; CODE XREF: VrpTranslatePath+28Dj
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_73CA93
VrpTranslatePath endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpFindNamespaceNode proc near		; CODE XREF: VrpFindBestMatchNamespaceNode(x,x,x)+Dp
					; VrpFindExactNamespaceNode(x,x,x)+Dp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008CAA5B SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ecx+20h]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], edx
		and	[ebp+var_4], esi
		xor	ebx, ebx
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], ecx
		test	eax, eax
		jz	short loc_73CB99

loc_73CB25:				; CODE XREF: VrpFindNamespaceNode+7Dj
		xor	edx, edx
		cmp	esi, eax
		jnb	short loc_73CB58
		mov	eax, [ecx+1Ch]
		lea	ecx, [ebp+var_8]
		and	[ebp+var_8], edx
		mul	esi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	loc_8CAA5B
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_8]
		mov	ecx, [ecx+2Ch]
		add	edx, ecx
		cmp	edx, ecx
		jb	loc_8CAA5B

loc_73CB58:				; CODE XREF: VrpFindNamespaceNode+25j
					; VrpFindNamespaceNode+18DF59j
		mov	eax, [edx]
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, [ebp+var_10]
		mov	edx, eax
		mov	[ebp+var_8], eax
		call	_VrpComparePath@12 ; VrpComparePath(x,x,x)
		test	eax, eax
		jz	short loc_73CB93
		cmp	[ebp+var_4], edi
		ja	short loc_73CB85

loc_73CB74:				; CODE XREF: VrpFindNamespaceNode+85j
					; VrpFindNamespaceNode+8Dj
		test	eax, eax
		js	short loc_73CB99
		mov	ecx, [ebp+var_C]
		inc	esi
		mov	eax, [ecx+20h]
		cmp	esi, eax
		jb	short loc_73CB25
		jmp	short loc_73CB99
; 

loc_73CB85:				; CODE XREF: VrpFindNamespaceNode+6Ej
		cmp	[ebp+arg_0], 1
		jnz	short loc_73CB74
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+var_8]
		jmp	short loc_73CB74
; 

loc_73CB93:				; CODE XREF: VrpFindNamespaceNode+69j
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+var_8]

loc_73CB99:				; CODE XREF: VrpFindNamespaceNode+1Fj
					; VrpFindNamespaceNode+72j ...
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_73CBA2
		mov	[eax], edi

loc_73CBA2:				; CODE XREF: VrpFindNamespaceNode+9Aj
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_73CBB2

loc_73CBA9:				; CODE XREF: VrpFindNamespaceNode+B0j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_73CBB2:				; CODE XREF: VrpFindNamespaceNode+A3j
		mov	[ecx], esi
		jmp	short loc_73CBA9
VrpFindNamespaceNode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpComparePath(x, x, x)
_VrpComparePath@12 proc	near		; CODE XREF: VrpFindNamespaceNode+62p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	ebx, edx
		xor	ecx, ecx
		mov	[ebp+var_10], ebx
		push	edi
		mov	[ebp+var_14], eax
		mov	esi, ecx
		mov	[ebp+var_1C], ecx
		mov	edi, ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ecx

loc_73CBE3:				; CODE XREF: VrpComparePath(x,x,x)+8Aj
		lea	ecx, [ebp+var_1C]
		push	ecx
		lea	edx, [ebp+var_8]
		mov	ecx, eax
		call	_VrpGetNextToken@12 ; VrpGetNextToken(x,x,x)
		lea	eax, [ebp+var_24]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_C]
		call	_VrpGetNextToken@12 ; VrpGetNextToken(x,x,x)
		mov	eax, [ebp+var_1C]
		mov	ebx, [ebp+var_24]
		test	ax, ax
		jz	short loc_73CC62

loc_73CC0A:				; CODE XREF: VrpComparePath(x,x,x)+B1j
		cmp	ax, bx
		movzx	eax, ax
		jb	short loc_73CC15
		movzx	eax, bx

loc_73CC15:				; CODE XREF: VrpComparePath(x,x,x)+5Aj
		shr	eax, 1
		push	eax		; size_t
		push	[ebp+var_20]	; wchar_t *
		push	[ebp+var_18]	; wchar_t *
		call	__wcsnicmp
		mov	edi, eax
		add	esp, 0Ch
		test	edi, edi
		jnz	short loc_73CC42
		mov	ecx, [ebp+var_1C]
		movzx	eax, bx
		movzx	edi, cx
		sub	edi, eax
		jnz	short loc_73CC56
		mov	ebx, [ebp+var_10]
		inc	esi
		mov	eax, [ebp+var_14]
		jmp	short loc_73CBE3
; 

loc_73CC42:				; CODE XREF: VrpComparePath(x,x,x)+74j
					; VrpComparePath(x,x,x)+A3j ...
		xor	esi, esi

loc_73CC44:				; CODE XREF: VrpComparePath(x,x,x)+A8j
					; VrpComparePath(x,x,x)+AFj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_73CC4D
		mov	[eax], esi

loc_73CC4D:				; CODE XREF: VrpComparePath(x,x,x)+93j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_73CC56:				; CODE XREF: VrpComparePath(x,x,x)+81j
		test	cx, cx
		jz	short loc_73CC42
		test	bx, bx
		jz	short loc_73CC44
		jmp	short loc_73CC42
; 

loc_73CC62:				; CODE XREF: VrpComparePath(x,x,x)+52j
		test	bx, bx
		jz	short loc_73CC44
		jmp	short loc_73CC0A
_VrpComparePath@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpGetNextToken(x, x, x)
_VrpGetNextToken@12 proc near		; CODE XREF: VrpCreateNamespaceNode+58p
					; VrpCreateNamespaceNode+7Ep ...

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		xor	ecx, ecx
		mov	[eax], cx
		movzx	eax, word ptr [ebx]
		push	edi
		mov	edi, [edx]
		lea	esi, [edi+edi]
		cmp	esi, eax
		jnb	short loc_73CCA2
		mov	esi, edi

loc_73CC90:				; CODE XREF: VrpGetNextToken(x,x,x)+C2j
		mov	eax, [ebx+4]
		lea	ecx, [esi+esi]
		push	5Ch
		pop	edx
		cmp	[ecx+eax], dx
		mov	edx, [ebp+var_4]
		jz	short loc_73CD1D

loc_73CCA2:				; CODE XREF: VrpGetNextToken(x,x,x)+22j
					; VrpGetNextToken(x,x,x)+C8j
		mov	eax, [ebx+4]
		mov	ecx, [ebp+arg_0]
		lea	eax, [eax+edi*2]
		mov	[ecx+4], eax
		mov	edx, [edx]
		movzx	esi, word ptr [ebx]
		mov	edi, esi
		lea	ecx, [edx+edx]
		cmp	ecx, esi
		jnb	short loc_73CD37
		mov	ecx, edx
		mov	eax, esi

loc_73CCC0:				; CODE XREF: VrpGetNextToken(x,x,x)+84j
		movzx	edi, ax
		mov	eax, [ebx+4]
		push	5Ch
		pop	esi
		cmp	[eax+ecx*2], si
		mov	esi, [ebp+var_4]
		jz	short loc_73CCF0
		mov	eax, [ebp+arg_0]
		add	word ptr [eax],	2
		mov	edx, [esi]
		inc	edx
		mov	ecx, edx
		mov	[esi], edx
		movzx	eax, word ptr [ebx]
		add	ecx, ecx
		mov	edi, eax
		cmp	ecx, eax
		mov	[ebp+var_C], edi
		mov	ecx, edx
		jb	short loc_73CCC0

loc_73CCF0:				; CODE XREF: VrpGetNextToken(x,x,x)+66j
					; VrpGetNextToken(x,x,x)+D0j
		lea	ecx, [edx+edx]
		movzx	eax, di
		cmp	ecx, eax
		jnb	short loc_73CD16
		push	5Ch
		pop	edi

loc_73CCFD:				; CODE XREF: VrpGetNextToken(x,x,x)+AAj
		mov	eax, [ebx+4]
		lea	ecx, [edx+edx]
		cmp	[ecx+eax], di
		jnz	short loc_73CD16
		inc	edx
		add	ecx, 2
		mov	[esi], edx
		movzx	eax, word ptr [ebx]
		cmp	ecx, eax
		jb	short loc_73CCFD

loc_73CD16:				; CODE XREF: VrpGetNextToken(x,x,x)+8Ej
					; VrpGetNextToken(x,x,x)+9Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_73CD1D:				; CODE XREF: VrpGetNextToken(x,x,x)+36j
		lea	edi, [esi+1]
		add	ecx, 2
		mov	[edx], edi
		mov	esi, edi
		movzx	eax, word ptr [ebx]
		cmp	ecx, eax
		jb	loc_73CC90
		jmp	loc_73CCA2
; 

loc_73CD37:				; CODE XREF: VrpGetNextToken(x,x,x)+50j
		mov	esi, [ebp+var_4]
		jmp	short loc_73CCF0
_VrpGetNextToken@12 endp


;  S U B	R O U T	I N E 


; __stdcall VrpStripTrailingCharacters(x, x)
_VrpStripTrailingCharacters@8 proc near	; CODE XREF: VrpCreateNamespaceNode+42p
					; VrpCreateNamespaceNode+4Ap ...
		movzx	edx, word ptr [ecx]
		shr	edx, 1
		sub	edx, 1
		js	short locret_73CD54
		mov	eax, [ecx+4]
		push	esi
		lea	eax, [eax+edx*2]

loc_73CD4D:				; CODE XREF: VrpStripTrailingCharacters(x,x)+27j
		cmp	word ptr [eax],	5Ch
		jz	short loc_73CD55
		pop	esi

locret_73CD54:				; CODE XREF: VrpStripTrailingCharacters(x,x)+8j
		retn
; 

loc_73CD55:				; CODE XREF: VrpStripTrailingCharacters(x,x)+15j
		mov	esi, 0FFFEh
		sub	eax, 2
		add	[ecx], si
		sub	edx, 1
		jns	short loc_73CD4D
		pop	esi
		retn
_VrpStripTrailingCharacters@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpBuildKeyPath(x, x, x)
_VrpBuildKeyPath@12 proc near		; CODE XREF: VrpCreateNamespaceNode+1DCp
					; VrpPostEnumerateKey(x,x)+38Cp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, edx
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		and	[ebp+var_C], ecx
		mov	[ebp+var_10], ecx
		test	edi, edi
		jnz	short loc_73CD89
		lea	edi, [ebp+var_10]

loc_73CD89:				; CODE XREF: VrpBuildKeyPath(x,x,x)+1Cj
		mov	ebx, [ebp+arg_0]
		xor	ecx, ecx
		mov	[ebx], cx
		lea	esi, [ebx+2]
		movzx	ecx, word ptr [edi]
		mov	[esi], cx
		mov	dx, [eax]
		push	esi
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		test	eax, eax
		jns	short loc_73CDAE

loc_73CDA7:				; CODE XREF: VrpBuildKeyPath(x,x,x)+56j
		mov	esi, 0C000000Dh
		jmp	short loc_73CE1E
; 

loc_73CDAE:				; CODE XREF: VrpBuildKeyPath(x,x,x)+3Dj
		mov	cx, [esi]
		push	esi
		push	2
		pop	edx
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_73CDA7
		movzx	eax, word ptr [ebx+2]
		push	67655256h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+4], eax
		test	eax, eax
		jnz	short loc_73CDDF
		mov	esi, 0C000009Ah
		jmp	short loc_73CE1E
; 

loc_73CDDF:				; CODE XREF: VrpBuildKeyPath(x,x,x)+6Ej
		push	edi
		push	ebx
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		cmp	[eax], cx
		jz	short loc_73CE1E
		mov	eax, [eax+4]
		push	5Ch
		pop	edx
		cmp	[eax], dx
		jz	short loc_73CE15
		movzx	ecx, word ptr [edi]
		mov	eax, [edi+4]
		shr	ecx, 1
		cmp	[eax+ecx*2-2], dx
		jz	short loc_73CE15
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		push	ebx		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)

loc_73CE15:				; CODE XREF: VrpBuildKeyPath(x,x,x)+91j
					; VrpBuildKeyPath(x,x,x)+A0j
		push	[ebp+var_8]
		push	ebx
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)

loc_73CE1E:				; CODE XREF: VrpBuildKeyPath(x,x,x)+44j
					; VrpBuildKeyPath(x,x,x)+75j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_VrpBuildKeyPath@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmRetrieveExtraParameter(x,	x, x)
_CmRetrieveExtraParameter@12 proc near	; CODE XREF: VrpPostOpenOrCreate(x,x)+62p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, offset _VRP_ORIGINAL_KEY_NAME_PARAMETER_GUID
		call	_CmpFindExtraParameterInBlock@12 ; CmpFindExtraParameterInBlock(x,x,x)
		test	eax, eax
		jns	short loc_73CE48

locret_73CE44:				; CODE XREF: CmRetrieveExtraParameter(x,x,x)+2Dj
		leave
		retn	4
; 

loc_73CE48:				; CODE XREF: CmRetrieveExtraParameter(x,x,x)+1Aj
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		add	ecx, 20h
		mov	[eax], ecx
		xor	eax, eax
		jmp	short locret_73CE44
_CmRetrieveExtraParameter@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindExtraParameterInBlock(x, x, x)
_CmpFindExtraParameterInBlock@12 proc near ; CODE XREF:	CmpAddExtraParameterToBlock(x,x)+13p
					; CmRetrieveExtraParameter(x,x,x)+13p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	esi, [edi]

loc_73CE66:				; CODE XREF: CmpFindExtraParameterInBlock(x,x,x)+3Cj
		cmp	esi, edi
		jnz	short loc_73CE76
		mov	eax, 0C0000034h

loc_73CE6F:				; CODE XREF: CmpFindExtraParameterInBlock(x,x,x)+38j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_73CE76:				; CODE XREF: CmpFindExtraParameterInBlock(x,x,x)+10j
		push	10h		; size_t
		lea	eax, [esi+8]
		push	ebx		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_73CE92
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	eax, eax
		jmp	short loc_73CE6F
; 

loc_73CE92:				; CODE XREF: CmpFindExtraParameterInBlock(x,x,x)+2Fj
		mov	esi, [esi]
		jmp	short loc_73CE66
_CmpFindExtraParameterInBlock@12 endp


;  S U B	R O U T	I N E 


; __stdcall VrpDecommissionKeyContext(x)
_VrpDecommissionKeyContext@4 proc near	; CODE XREF: VrpFreeKeyContext(x)+6p
					; VrpRegistryCallback+10Ep
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_73CEB8
		push	67655256h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		lea	eax, [esi+10h]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_73CEB8:				; CODE XREF: VrpDecommissionKeyContext(x)+Aj
		pop	esi
		retn
_VrpDecommissionKeyContext@4 endp

; 
		align 10h
; Exported entry 260. CmSetCallbackObjectContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CmSetCallbackObjectContext
CmSetCallbackObjectContext proc	near	; CODE XREF: VrpPostOpenOrCreate(x,x)+196p
					; VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+297p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CAA62 SIZE 00000071 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_1], 0
		push	edi
		mov	edi, 0C0000225h
		test	ebx, ebx
		jz	loc_8CAAC9
		cmp	dword ptr [ebx], 6B793032h
		jnz	loc_8CAAC9
		push	esi
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	short loc_73CEF5
		and	dword ptr [esi], 0

loc_73CEF5:				; CODE XREF: CmSetCallbackObjectContext+30j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpCallbackListLock
		call	ExAcquirePushLockSharedEx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExAcquirePushLockSharedEx
		lea	eax, [ebx+28h]
		mov	[ebp+var_C], eax

loc_73CF2F:				; CODE XREF: CmSetCallbackObjectContext+19Bj
		mov	ebx, [eax]
		mov	ecx, [ebp+arg_4]
		cmp	ebx, eax
		jnz	loc_8CAA62

loc_73CF3C:				; CODE XREF: CmSetCallbackObjectContext+18DBD0j
					; CmSetCallbackObjectContext+18DBD8j ...
		test	edi, edi
		jns	loc_73CFEA
		cmp	[ebp+var_1], 0
		jz	loc_73D023
		mov	esi, _CallbackListHead
		mov	edx, offset _CallbackListHead
		cmp	esi, edx
		jz	loc_73D06A
		mov	eax, [ecx]
		mov	ecx, [ecx+4]

loc_73CF66:				; CODE XREF: CmSetCallbackObjectContext+1A4j
		cmp	eax, [esi+10h]
		jnz	loc_73D060
		cmp	ecx, [esi+14h]
		jnz	loc_73D060

loc_73CF78:				; CODE XREF: CmSetCallbackObjectContext+1ACj
		test	esi, esi
		jz	loc_8CAABF
		push	63634D43h
		push	28h
		push	1
		xor	edi, edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8CAAB5
		mov	edx, [ebp+arg_4]
		mov	[ecx+18h], esi
		add	esi, 28h
		mov	eax, [edx]
		mov	[ecx+10h], eax
		mov	eax, [edx+4]
		mov	[ecx+14h], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+20h], eax
		mov	eax, [ebp+arg_0]
		mov	[ecx+1Ch], eax
		lea	eax, [ecx+8]
		mov	edx, [esi+4]
		cmp	[edx], esi
		jnz	loc_73D071
		mov	[eax], esi
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[esi+4], eax
		mov	eax, [ebx+4]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_73D071
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[edx+4], ecx
		mov	[eax], ecx

loc_73CFEA:				; CODE XREF: CmSetCallbackObjectContext+7Ej
					; CmSetCallbackObjectContext+18DBFAj ...
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	edx, edx
		mov	ecx, offset _CmpCallbackListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	esi

loc_73D01D:				; CODE XREF: CmSetCallbackObjectContext+18DC0Ej
		pop	edi
		pop	ebx
		leave
		retn	10h
; 

loc_73D023:				; CODE XREF: CmSetCallbackObjectContext+88j
		mov	ebx, offset _CmpContextListLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, large fs:124h
		mov	[ebp+var_1], 1
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_C]
		jmp	loc_73CF2F
; 

loc_73D060:				; CODE XREF: CmSetCallbackObjectContext+A9j
					; CmSetCallbackObjectContext+B2j
		mov	esi, [esi]
		cmp	esi, edx
		jnz	loc_73CF66

loc_73D06A:				; CODE XREF: CmSetCallbackObjectContext+9Bj
		xor	esi, esi
		jmp	loc_73CF78
; 

loc_73D071:				; CODE XREF: CmSetCallbackObjectContext+102j
					; CmSetCallbackObjectContext+11Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall VrpAllocateKeyContext(x)
_VrpAllocateKeyContext@4:		; CODE XREF: VrpPostOpenOrCreate(x,x)+125p
					; VrpPostOpenOrCreate(x,x)+14Fp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	67655256h
		push	24h
		push	1
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_73D0A9
		push	9
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		mov	edx, 67655256h
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag
		mov	[esi+20h], ebx

loc_73D0A9:				; CODE XREF: CmSetCallbackObjectContext+1CFj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
CmSetCallbackObjectContext endp	; sp = -1Ch

; 
		align 10h

;  S U B	R O U T	I N E 


VRegEnabledInJob proc near		; CODE XREF: VrpIoctlDeviceDispatch+3Ep
					; VrpRegistryCallback+181p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi		; struct _exception *
		mov	ebx, ecx
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		mov	esi, eax
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	edi, eax

loc_73D0C5:				; CODE XREF: sub_8CAAD3+13j
					; sub_8CAAD3+26j
		cmp	esi, edi
		jnz	sub_8CAAD3
		xor	eax, eax

loc_73D0CF:				; CODE XREF: sub_8CAAD3+2Ej
		pop	edi
		pop	esi
		pop	ebx
		retn
VRegEnabledInJob endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpPostQueryKey	proc near		; CODE XREF: VrpRegistryCallback+199p

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_79		= byte ptr -79h
var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CAB06 SIZE 000001D6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_78]
		stosd
		mov	esi, ecx
		mov	[ebp+var_8C], esi
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_78]
		push	eax
		push	3
		call	EtwActivityIdControl
		mov	edi, [esi+14h]
		xor	edx, edx
		mov	ebx, [esi+8]
		mov	[ebp+var_80], edx
		call	_PsGetCurrentThreadPreviousMode@0 ; PsGetCurrentThreadPreviousMode()
		mov	esi, [esi+4]
		xor	edx, edx
		mov	[ebp+var_84], edx
		mov	cl, al
		mov	[ebp+var_79], cl
		test	esi, esi
		js	loc_8CAB06

loc_73D130:				; CODE XREF: VrpPostQueryKey+18DA38j
					; VrpPostQueryKey+18DA4Aj
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_73D140
		cmp	eax, 3
		jnz	loc_73D283

loc_73D140:				; CODE XREF: VrpPostQueryKey+61j
					; VrpPostQueryKey+1B2j	...
		cmp	dword_6B2370, 5
		ja	loc_8CAB3A

loc_73D14D:				; CODE XREF: VrpPostQueryKey+18DAD1j
		test	dword ptr [edi+1Ch], 20000000h
		jnz	short loc_73D162
		mov	eax, [ebx+4]
		cmp	eax, 3
		jnz	loc_73D271

loc_73D162:				; CODE XREF: VrpPostQueryKey+80j
					; VrpPostQueryKey+1A0j
		lea	edx, [ebp+var_80]
		push	edx
		push	dword ptr [ebx+0Ch]
		mov	edx, [ebx+8]
		call	_VrpProcessBufferParameter@16 ;	VrpProcessBufferParameter(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8CAC56
		mov	edx, [ebp+var_80]
		lea	eax, [ebx+8]
		mov	cl, [ebp+var_79]
		push	eax		; int
		push	dword ptr [ebx+0Ch] ; size_t
		call	VrpOutputBufferParameter
		mov	esi, eax
		test	esi, esi
		js	loc_8CAC56
		mov	edx, [ebx+10h]
		lea	ecx, [ebp+var_84]
		push	ecx
		mov	cl, [ebp+var_79]
		push	4
		call	_VrpProcessBufferParameter@16 ;	VrpProcessBufferParameter(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8CAC56
		mov	edx, [ebp+var_84]
		lea	eax, [ebx+10h]
		mov	cl, [ebp+var_79]
		push	eax		; int
		push	4		; size_t
		call	VrpOutputBufferParameter
		mov	esi, eax
		test	esi, esi
		js	loc_8CAC56
		push	dword ptr [edi+1Ch] ; size_t
		mov	edx, [ebp+var_80]
		lea	eax, [edi+10h]
		mov	ecx, [ebx+4]
		push	eax		; int
		push	[ebp+var_84]	; int
		push	dword ptr [ebx+0Ch] ; int
		call	_VrpUpdateKeyInformation@24 ; VrpUpdateKeyInformation(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_88], esi
		test	esi, esi
		js	loc_8CABAA

loc_73D1FE:				; CODE XREF: VrpPostQueryKey+18DADCj
					; VrpPostQueryKey+18DAEEj
		mov	edx, [ebx+8]
		lea	eax, [ebp+var_80]
		mov	cl, [ebp+var_79]
		push	eax		; int
		push	dword ptr [ebx+0Ch] ; size_t
		call	VrpOutputBufferParameter
		test	eax, eax
		js	short loc_73D291
		mov	edx, [ebx+10h]
		lea	eax, [ebp+var_84]
		mov	cl, [ebp+var_79]
		push	eax		; int
		push	4		; size_t
		call	VrpOutputBufferParameter
		test	eax, eax
		js	short loc_73D291
		mov	eax, [ebp+var_8C]
		mov	[eax+0Ch], esi
		mov	esi, 0C0000503h
		cmp	dword_6B2370, 5
		ja	loc_8CABC7

loc_73D247:				; CODE XREF: VrpPostQueryKey+1A8j
					; VrpPostQueryKey+18DB88j ...
		mov	cl, [ebp+var_79]
		lea	edx, [ebp+var_80]
		call	_VrpCleanupBufferParameter@8 ; VrpCleanupBufferParameter(x,x)
		mov	cl, [ebp+var_79]
		lea	edx, [ebp+var_84]
		call	_VrpCleanupBufferParameter@8 ; VrpCleanupBufferParameter(x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_73D271:				; CODE XREF: VrpPostQueryKey+88j
		cmp	eax, 8
		jz	loc_73D162

loc_73D27A:				; CODE XREF: VrpPostQueryKey+1BFj
					; VrpPostQueryKey+18DA44j ...
		test	esi, esi
		jns	short loc_73D247
		jmp	loc_8CAC56
; 

loc_73D283:				; CODE XREF: VrpPostQueryKey+66j
		cmp	eax, 4
		jz	loc_73D140
		jmp	loc_8CAB23
; 

loc_73D291:				; CODE XREF: VrpPostQueryKey+13Ej
					; VrpPostQueryKey+156j
		mov	esi, eax
		jmp	short loc_73D27A
VrpPostQueryKey	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	VrpOutputBufferParameter(size_t,int)
VrpOutputBufferParameter proc near	; CODE XREF: VrpPostEnumerateKey(x,x)+1BCp
					; VrpPostEnumerateKey(x,x)+1FEp ...

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	0Ch
		push	offset dword_6A00E0
		call	__SEH_prolog4
		xor	esi, esi
		cmp	cl, 1
		jnz	short loc_73D2C4
		mov	[ebp+ms_exc.disabled], esi
		push	[ebp+arg_0]	; size_t
		mov	eax, [ebp+arg_4]
		push	dword ptr [eax]	; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_73D2BD:				; CODE XREF: sub_8CACEA+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_73D2C4:				; CODE XREF: VrpOutputBufferParameter+11j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
VrpOutputBufferParameter endp


;  S U B	R O U T	I N E 


; __stdcall VrpCleanupBufferParameter(x, x)
_VrpCleanupBufferParameter@8 proc near	; CODE XREF: VrpPostEnumerateKey(x,x)+775p
					; VrpPostEnumerateKey(x,x)+786p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		cmp	cl, 1
		jnz	short loc_73D2F6
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_73D2F6
		push	67655256h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0

loc_73D2F6:				; CODE XREF: VrpCleanupBufferParameter(x,x)+8j
					; VrpCleanupBufferParameter(x,x)+Ej
		xor	eax, eax
		pop	esi
		retn
_VrpCleanupBufferParameter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpProcessBufferParameter(x, x, x, x)
_VrpProcessBufferParameter@16 proc near	; CODE XREF: VrpPostEnumerateKey(x,x)+19Ap
					; VrpPostEnumerateKey(x,x)+1DDp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, esi
		cmp	cl, 1
		jnz	short loc_73D338
		cmp	[ebp+arg_0], esi
		jbe	short loc_73D324
		push	67655256h
		push	[ebp+arg_0]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_73D331

loc_73D324:				; CODE XREF: VrpProcessBufferParameter(x,x,x,x)+13j
		mov	eax, [ebp+arg_4]
		mov	[eax], esi

loc_73D329:				; CODE XREF: VrpProcessBufferParameter(x,x,x,x)+3Cj
					; VrpProcessBufferParameter(x,x,x,x)+43j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_73D331:				; CODE XREF: VrpProcessBufferParameter(x,x,x,x)+28j
		mov	edi, 0C000009Ah
		jmp	short loc_73D329
; 

loc_73D338:				; CODE XREF: VrpProcessBufferParameter(x,x,x,x)+Ej
		mov	ecx, [ebp+arg_4]
		mov	[ecx], edx
		jmp	short loc_73D329
_VrpProcessBufferParameter@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	VrpUpdateKeyInformation(int,int,int,size_t)
_VrpUpdateKeyInformation@24 proc near	; CODE XREF: VrpPostEnumerateKey(x,x)+507p
					; VrpPostQueryKey+115p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	ebx, edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		sub	eax, edi
		jz	loc_73D416
		sub	eax, 1
		jz	loc_73D403
		push	2
		pop	esi
		sub	eax, esi
		jz	short loc_73D3EC
		sub	eax, 1
		jz	short loc_73D3A4
		sub	eax, 4
		jz	short loc_73D38F
		mov	edi, 0C000000Dh
		jmp	loc_73D577
; 

loc_73D38F:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+43j
		cmp	[ebp+arg_0], 4
		jb	short loc_73D3B4
		mov	eax, [ebp+arg_C]
		shr	eax, 1
		and	eax, 1
		mov	[ebx], eax
		jmp	loc_73D577
; 

loc_73D3A4:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+3Ej
		mov	eax, [ebp+arg_8]
		movzx	edx, word ptr [eax]
		mov	ecx, edx
		shr	ecx, 1
		cmp	[ebp+arg_0], 28h
		jnb	short loc_73D3BE

loc_73D3B4:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+53j
					; VrpUpdateKeyInformation(x,x,x,x,x,x)+15Ej ...
		mov	edi, 0C0000023h
		jmp	loc_73D577
; 

loc_73D3BE:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+72j
		test	ecx, ecx
		jz	short loc_73D3DF
		mov	eax, [eax+4]
		push	5Ch
		pop	ebx
		lea	eax, [eax+ecx*2]
		add	eax, 0FFFFFFFEh
		xor	edi, edi

loc_73D3D0:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+9Aj
		cmp	[eax], bx
		jz	short loc_73D3DC
		sub	eax, esi
		sub	ecx, 1
		jnz	short loc_73D3D0

loc_73D3DC:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+93j
		mov	ebx, [ebp+var_C]

loc_73D3DF:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+80j
		lea	eax, [ecx+ecx]
		sub	edx, eax
		mov	[ebx+20h], edx
		jmp	loc_73D577
; 

loc_73D3EC:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+39j
		mov	eax, [ebp+arg_8]
		lea	esi, [ebx+4]
		push	4
		mov	[ebp+var_8], ebx
		pop	ecx
		mov	[ebp+var_4], esi
		mov	[ebp+arg_8], eax
		jmp	loc_73D4D2
; 

loc_73D403:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+2Ej
		lea	eax, [ebx+0Ch]
		push	18h
		mov	[ebp+var_14], eax
		lea	eax, [ebx+10h]
		pop	edx
		mov	[ebp+var_10], eax
		push	14h
		jmp	short loc_73D41B
; 

loc_73D416:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+25j
		push	10h
		pop	edx
		push	0Ch

loc_73D41B:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+D4j
		mov	ecx, edx
		mov	[ebp+arg_C], edx
		pop	eax
		add	eax, ebx
		mov	[ebp+var_8], eax
		lea	esi, [ebx+ecx]
		mov	ecx, [ebp+arg_8]
		push	0
		mov	[ebp+var_4], esi
		mov	eax, [ecx]
		mov	[ebp+var_24], eax
		mov	eax, [ecx+4]
		mov	[ebp+arg_8], eax
		movzx	eax, word ptr [ebp+var_24]
		shr	eax, 1
		pop	ecx
		mov	word ptr [ebp+var_24], cx
		jz	short loc_73D475
		mov	edx, [ebp+arg_8]
		push	2
		pop	esi
		push	5Ch
		lea	edx, [edx+eax*2]
		add	edx, 0FFFFFFFEh
		pop	ebx
		mov	edi, edx

loc_73D45A:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+12Bj
		cmp	[edi], bx
		jz	short loc_73D46D
		add	cx, si
		sub	edi, esi
		mov	word ptr [ebp+var_24], cx
		sub	eax, 1
		jnz	short loc_73D45A

loc_73D46D:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+11Dj
		mov	ebx, [ebp+var_C]
		xor	edi, edi
		mov	esi, [ebp+var_4]

loc_73D475:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+107j
		cmp	[ebp+var_1C], 1
		mov	edx, [ebp+arg_8]
		mov	word ptr [ebp+var_24+2], cx
		lea	eax, [edx+eax*2]
		mov	edx, [ebp+arg_C]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_24]
		mov	[ebp+arg_8], eax
		jnz	short loc_73D4CF
		mov	eax, [ebp+arg_4]
		mov	ebx, [eax]
		cmp	ebx, edx
		mov	[ebp+var_1C], ebx
		mov	ebx, [ebp+var_C]
		jb	loc_73D3B4
		movzx	edx, cx
		mov	ecx, [ebp+var_1C]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_73D4BE

loc_73D4B4:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+1ABj
					; VrpUpdateKeyInformation(x,x,x,x,x,x)+1D5j ...
		mov	edi, 80000005h
		jmp	loc_73D577
; 

loc_73D4BE:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+172j
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+arg_C]
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], eax
		jmp	short loc_73D4DE
; 

loc_73D4CF:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+14Fj
		mov	ecx, [ebp+arg_C]

loc_73D4D2:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+BEj
		movzx	eax, word ptr [eax]
		mov	edx, [ebp+arg_4]
		sub	eax, ebx
		add	eax, esi
		mov	[edx], eax

loc_73D4DE:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+18Dj
		mov	esi, [ebp+arg_0]
		cmp	esi, ecx
		jb	loc_73D3B4
		cmp	esi, [edx]
		jb	short loc_73D4B4
		mov	ecx, [ebp+var_14]
		test	ecx, ecx
		jz	short loc_73D55A
		mov	eax, [ebp+var_10]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		test	eax, eax
		jz	short loc_73D55A
		mov	ecx, [ecx]
		lea	edx, [ebp+arg_4]
		push	edx
		mov	edx, eax
		mov	[ebp+arg_4], edi
		mov	[ebp+var_1C], ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_73D4B4
		cmp	[ebp+arg_4], esi
		ja	short loc_73D4B4
		mov	eax, [ebp+arg_8]
		push	[ebp+arg_C]	; size_t
		movzx	esi, word ptr [eax]
		mov	eax, [ebp+var_1C]
		add	esi, 1Bh
		and	esi, 0FFFFFFFCh
		add	eax, ebx
		push	eax		; void *
		lea	eax, [esi+ebx]
		push	eax		; void *
		call	_memmove
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax]
		sub	ecx, eax
		sub	ecx, esi
		add	eax, esi
		push	ecx		; size_t
		add	eax, ebx
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_14]
		add	esp, 18h
		mov	[eax], esi

loc_73D55A:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+1B2j
					; VrpUpdateKeyInformation(x,x,x,x,x,x)+1BEj
		mov	ebx, [ebp+arg_8]
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		push	[ebp+var_4]	; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		movzx	ecx, word ptr [ebx]
		mov	[eax], ecx

loc_73D577:				; CODE XREF: VrpUpdateKeyInformation(x,x,x,x,x,x)+4Aj
					; VrpUpdateKeyInformation(x,x,x,x,x,x)+5Fj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_VrpUpdateKeyInformation@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpHandleIoctlCreateNamespaceNode proc near ; CODE XREF: VrpIoctlDeviceDispatch+9Cp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CACF5 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	[esp+38h+var_8], eax
		mov	[esp+38h+var_4], eax
		mov	edi, eax
		mov	[esp+38h+var_10], eax
		mov	ebx, ecx
		mov	[esp+38h+var_C], eax
		mov	[esp+38h+var_20], eax
		mov	[esp+38h+var_24], eax
		mov	[esp+38h+var_18], eax
		mov	[esp+38h+var_28], edi
		mov	[esp+38h+var_2C], eax
		cmp	esi, 14h
		jb	loc_8CACF5
		movzx	eax, word ptr [ebx+4]
		test	al, 1
		jnz	loc_8CAD09
		movzx	edx, word ptr [ebx+6]
		test	dl, 1
		jnz	loc_8CAD09
		test	ax, ax
		jz	loc_8CACF5
		test	dx, dx
		jz	loc_8CACF5
		lea	ecx, [eax+10h]
		cmp	ecx, 10h
		jb	loc_8CACF5
		lea	eax, [ecx+edx]
		cmp	ecx, eax
		ja	loc_8CACF5
		cmp	esi, eax
		jb	loc_8CACF5
		mov	eax, ds:_PsJobType
		lea	edx, [esp+38h+var_20]
		mov	ecx, [ebx]
		push	edi
		push	edi
		push	edx
		push	52566D43h
		push	[ebp+arg_0]
		push	eax
		push	6
		pop	edx
		call	ObpReferenceObjectByHandleWithTag
		mov	esi, eax
		test	esi, esi
		js	loc_73D773
		mov	edi, [ebx+8]
		lea	eax, [ebx+10h]
		mov	[esp+38h+var_4], eax
		movzx	eax, word ptr [ebx+4]
		mov	word ptr [esp+38h+var_8+2], ax
		mov	word ptr [esp+38h+var_8], ax
		shr	eax, 1
		add	eax, 8
		lea	eax, [ebx+eax*2]
		mov	[esp+38h+var_C], eax
		mov	ax, [ebx+6]
		mov	word ptr [esp+38h+var_10+2], ax
		mov	word ptr [esp+38h+var_10], ax
		mov	eax, [ebx+0Ch]
		mov	[esp+38h+var_14], eax
		mov	eax, edi
		and	eax, 7
		cmp	eax, edi
		jnz	loc_8CACFF
		lea	eax, [esp+38h+var_2C]
		push	eax
		push	[esp+3Ch+var_20]
		call	_PsGetJobSilo@8	; PsGetJobSilo(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_73D773
		mov	ecx, large fs:124h
		mov	edx, [esp+38h+var_2C]
		call	PsIsThreadInSilo
		test	al, al
		jnz	loc_8CACFF
		and	[esp+38h+var_1C], 0
		lea	ecx, [esp+38h+var_1C]
		call	VRegEnabledInJob
		lea	eax, [esp+38h+var_24]
		push	eax
		push	_VrpSiloContextSlot
		push	[esp+40h+var_2C]
		call	PsGetPermanentSiloContext
		mov	esi, eax
		test	esi, esi
		js	loc_73D773
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, [esp+38h+var_24]
		xor	edx, edx
		lea	ecx, [ebx+10h]
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [esp+38h+var_28]
		mov	[esp+38h+var_18], 1
		push	eax
		push	[esp+3Ch+var_14]
		lea	eax, [esp+40h+var_10]
		mov	ecx, ebx
		push	edi
		push	eax
		push	[esp+48h+var_1C]
		lea	edx, [esp+4Ch+var_8]
		call	VrpCreateNamespaceNode
		mov	edi, [esp+38h+var_28]
		mov	esi, eax
		test	esi, esi
		js	loc_8CAD12
		mov	edx, edi
		mov	ecx, ebx
		call	VrpAddNamespaceNodeToList
		mov	esi, eax
		test	esi, esi
		js	loc_8CAD12
		mov	ecx, edi
		call	_VrpCreateNamespaceNodePlaceholderKey@4	; VrpCreateNamespaceNodePlaceholderKey(x)
		mov	esi, eax
		test	esi, esi
		js	loc_8CAD12
		xor	esi, esi

loc_73D74E:				; CODE XREF: VrpHandleIoctlCreateNamespaceNode+18D7AAj
		add	ebx, 10h
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		test	al, 2
		jnz	loc_8CAD2F

loc_73D760:				; CODE XREF: VrpHandleIoctlCreateNamespaceNode+18D7B1j
					; VrpHandleIoctlCreateNamespaceNode+18D7BEj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_73D773:				; CODE XREF: VrpHandleIoctlCreateNamespaceNode+B0j
					; VrpHandleIoctlCreateNamespaceNode+10Ej ...
		mov	ecx, [esp+38h+var_20]
		test	ecx, ecx
		jz	short loc_73D785
		mov	edx, 52566D43h
		call	ObfDereferenceObjectWithTag

loc_73D785:				; CODE XREF: VrpHandleIoctlCreateNamespaceNode+1F9j
					; VrpHandleIoctlCreateNamespaceNode+18D77Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
VrpHandleIoctlCreateNamespaceNode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpCreateNamespaceNodePlaceholderKey(x)
_VrpCreateNamespaceNodePlaceholderKey@4	proc near
					; CODE XREF: VrpHandleIoctlCreateNamespaceNode+1BDp
					; VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+232p	...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		lea	eax, [edi+14h]
		cmp	[eax], si
		jz	short loc_73D7F9
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		push	esi
		push	esi
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20], 18h
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_1C], esi
		push	eax
		mov	[ebp+var_14], 240h
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_73D7EB
		cmp	[ebp+var_8], 1
		jz	short loc_73D7FF

loc_73D7EB:				; CODE XREF: VrpCreateNamespaceNodePlaceholderKey(x)+53j
					; VrpCreateNamespaceNodePlaceholderKey(x)+76j
		cmp	[ebp+var_4], 0
		jz	short loc_73D7F9
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_73D7F9:				; CODE XREF: VrpCreateNamespaceNodePlaceholderKey(x)+1Aj
					; VrpCreateNamespaceNodePlaceholderKey(x)+5Fj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_73D7FF:				; CODE XREF: VrpCreateNamespaceNodePlaceholderKey(x)+59j
		or	dword ptr [edi+1Ch], 40000000h
		jmp	short loc_73D7EB
_VrpCreateNamespaceNodePlaceholderKey@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpHandleIoctlLoadDifferencingHive proc	near ; CODE XREF: VrpIoctlDeviceDispatch+E2p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CAD43 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_0]
		xor	eax, eax
		mov	ebx, edx
		push	ds:dword_A949E4
		mov	[ebp+var_10], ebx
		mov	edi, ecx
		push	ds:_SeBackupPrivilege
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_8CAD43
		push	[ebp+arg_0]
		push	ds:dword_A949DC
		push	ds:_SeRestorePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_8CAD43
		cmp	ebx, 20h
		jb	loc_73DA3C
		movzx	ecx, word ptr [edi+10h]
		test	cl, 1
		jnz	loc_73DA3C
		movzx	edx, word ptr [edi+12h]
		test	dl, 1
		jnz	loc_73DA3C
		movzx	ebx, word ptr [edi+14h]
		test	bl, 1
		jnz	loc_73DA3C
		test	cx, cx
		jz	loc_73DA3C
		test	dx, dx
		jz	loc_73DA3C
		mov	eax, ecx
		add	eax, 1Ch
		cmp	eax, 1Ch
		jb	loc_73DA3C
		mov	esi, edx
		add	esi, eax
		cmp	eax, esi
		ja	loc_73DA3C
		lea	eax, [esi+ebx]
		cmp	esi, eax
		ja	loc_73DA3C
		cmp	[ebp+var_10], eax
		jb	loc_73DA3C
		test	byte ptr [edi+8], 1
		jnz	loc_73DA33

loc_73D8E9:				; CODE XREF: VrpHandleIoctlLoadDifferencingHive+22Ej
		mov	word ptr [ebp+var_20+2], cx
		lea	eax, [edi+1Ch]
		mov	word ptr [ebp+var_20], cx
		shr	ecx, 1
		mov	[ebp+var_1C], eax
		push	0
		mov	word ptr [ebp+var_30+2], dx
		lea	eax, [eax+ecx*2]
		mov	word ptr [ebp+var_30], dx
		mov	ecx, edx
		mov	[ebp+var_2C], eax
		shr	ecx, 1
		mov	word ptr [ebp+var_28+2], bx
		mov	word ptr [ebp+var_28], bx
		lea	eax, [eax+ecx*2]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	52566D43h
		push	[ebp+arg_0]
		push	ds:_PsJobType
		push	6
		push	dword ptr [edi]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_73DA19
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_4]
		call	_PsGetJobSilo@8	; PsGetJobSilo(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_73DA19
		mov	ecx, large fs:124h
		mov	edx, [ebp+var_8]
		call	PsIsThreadInSilo
		test	al, al
		jnz	loc_8CAD4D
		lea	eax, [ebp+var_C]
		push	eax
		push	_VrpSiloContextSlot
		push	edx
		call	PsGetPermanentSiloContext
		mov	esi, eax
		test	esi, esi
		js	loc_73DA19
		mov	ebx, [ebp+var_C]
		mov	ecx, ebx
		call	_VrpLockJobContextExclusive@4 ;	VrpLockJobContextExclusive(x)
		cmp	dword ptr [ebx+34h], 0
		jnz	loc_8CAD57
		mov	ecx, [edi+8]
		lea	edx, [ebp+var_30]
		push	dword ptr [edi+18h]
		mov	eax, ecx
		shr	eax, 2
		and	eax, 1
		push	eax
		mov	eax, ecx
		and	ecx, 1
		shr	eax, 1
		and	eax, 1
		push	eax
		push	ecx
		push	dword ptr [edi+0Ch]
		lea	eax, [ebp+var_28]
		push	eax
		lea	ecx, [ebp+var_20]
		call	_VrpLoadDifferencingHive@32 ; VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_73DA43
		movzx	eax, word ptr [ebp+var_20]
		push	67655256h
		add	eax, 6
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8CAD61
		mov	ax, word ptr [ebp+var_20]
		mov	[esi+4], ax
		movzx	eax, word ptr [ebp+var_20]
		push	eax		; size_t
		push	[ebp+var_1C]	; void *
		lea	eax, [esi+6]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebx+14h]
		add	esp, 0Ch
		mov	[esi], eax
		mov	ecx, ebx
		mov	[ebx+14h], esi
		call	VrpUnlockJobContextExclusive
		xor	esi, esi

loc_73DA19:				; CODE XREF: VrpHandleIoctlLoadDifferencingHive+132j
					; VrpHandleIoctlLoadDifferencingHive+148j ...
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_73DA2A
		mov	edx, 52566D43h
		call	ObfDereferenceObjectWithTag

loc_73DA2A:				; CODE XREF: VrpHandleIoctlLoadDifferencingHive+216j
					; VrpHandleIoctlLoadDifferencingHive+239j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_73DA33:				; CODE XREF: VrpHandleIoctlLoadDifferencingHive+DBj
		test	bx, bx
		jnz	loc_73D8E9

loc_73DA3C:				; CODE XREF: VrpHandleIoctlLoadDifferencingHive+6Aj
					; VrpHandleIoctlLoadDifferencingHive+77j ...
		mov	esi, 0C000000Dh
		jmp	short loc_73DA2A
; 

loc_73DA43:				; CODE XREF: VrpHandleIoctlLoadDifferencingHive+1C4j
					; VrpHandleIoctlLoadDifferencingHive+18D554j ...
		mov	ecx, ebx
		call	VrpUnlockJobContextExclusive
		jmp	short loc_73DA19
VrpHandleIoctlLoadDifferencingHive endp


;  S U B	R O U T	I N E 


VrpUnlockJobContextExclusive proc near	; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+EDp
					; VrpHandleIoctlLoadDifferencingHive+20Ap ...

; FUNCTION CHUNK AT 008CAD73 SIZE 00000014 BYTES

		mov	edi, edi
		push	esi
		lea	esi, [ecx+10h]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_8CAD73

loc_73DA61:				; CODE XREF: VrpUnlockJobContextExclusive+18D329j
					; VrpUnlockJobContextExclusive+18D336j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
VrpUnlockJobContextExclusive endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall VrpLockJobContextExclusive(x)
_VrpLockJobContextExclusive@4 proc near	; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+91p
					; VrpHandleIoctlLoadDifferencingHive+184p ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		add	ecx, 10h
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_VrpLockJobContextExclusive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpHandleIoctlInitializeJobForVreg(x, x, x,	x, x, x)
_VrpHandleIoctlInitializeJobForVreg@24 proc near ; CODE	XREF: VrpIoctlDeviceDispatch+F7p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	[esp+30h+var_8], ecx
		xor	ecx, ecx
		push	4
		pop	eax
		mov	[esp+30h+var_C], ecx
		mov	edi, ecx
		mov	[esp+30h+var_1C], ecx
		mov	ebx, ecx
		mov	[esp+30h+var_20], edi
		mov	[esp+30h+var_10], ecx
		cmp	edx, eax
		jnb	short loc_73DAC7
		mov	esi, 0C000000Dh
		jmp	loc_73DC6A
; 

loc_73DAC7:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+2Dj
		mov	edx, _VrpJobContextType
		lea	eax, [esp+30h+var_1C]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	3Ch
		push	ecx
		xor	eax, eax
		inc	eax
		push	eax
		push	ecx
		xor	cl, cl
		call	ObCreateObjectEx
		mov	esi, eax
		test	esi, esi
		js	loc_73DC2E
		mov	esi, [esp+30h+var_1C]
		push	3Ch		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		and	[esi+10h], ebx
		add	esp, 0Ch
		add	esi, 18h
		xor	eax, eax
		mov	edi, esi
		mov	[esp+30h+var_14], esi
		push	6
		pop	ecx
		rep stosd
		push	4
		pop	ecx
		mul	ecx
		xor	edi, edi
		mov	[esi+4], ecx
		push	edx
		push	eax
		lea	ecx, [esp+38h+var_4]
		mov	[esi], edi
		mov	dword ptr [esi+10h], 10h
		mov	[esi+8], edi
		mov	[esi+0Ch], edi
		mov	[esi+14h], edi
		mov	[esp+38h+var_18], edi
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		jns	short loc_73DB4E

loc_73DB41:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+D1j
		mov	eax, edi
		mov	esi, 8000000Bh
		mov	edi, [esp+30h+var_14]
		jmp	short loc_73DBA0
; 

loc_73DB4E:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+B1j
		push	edi
		push	80h
		lea	ecx, [esp+38h+var_18]
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_73DB41
		push	72615452h
		push	[esp+34h+var_18]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_73DB94
		push	[esp+30h+var_18] ; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+14h], edi
		mov	dword ptr [esi+0Ch], 20h
		xor	esi, esi
		jmp	short loc_73DBB6
; 

loc_73DB94:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+E7j
		mov	edi, [esp+30h+var_14]
		mov	esi, 8007000Eh
		mov	eax, [edi+14h]

loc_73DBA0:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+BEj
		test	eax, eax
		jz	short loc_73DBAF
		push	72615452h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_73DBAF:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+114j
		push	6
		pop	ecx
		xor	eax, eax
		rep stosd

loc_73DBB6:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+104j
		test	esi, esi
		js	short loc_73DC2C
		call	VrpIncrementSiloCount
		mov	esi, eax
		test	esi, esi
		js	short loc_73DC2C
		mov	eax, [esp+30h+var_1C]
		lea	esi, [esp+30h+var_C]
		mov	ecx, [esp+30h+var_8]
		push	0
		push	0
		push	esi
		push	52566D43h
		push	[ebp+arg_0]
		mov	dword ptr [eax+38h], 1
		mov	eax, ds:_PsJobType
		mov	ecx, [ecx]
		push	eax
		push	6
		pop	edx
		call	ObpReferenceObjectByHandleWithTag
		mov	esi, eax
		test	esi, esi
		js	loc_73DD45
		lea	eax, [esp+30h+var_10]
		push	eax
		push	[esp+34h+var_C]
		call	_PsGetJobSilo@8	; PsGetJobSilo(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_73DC2C
		mov	ecx, large fs:124h
		mov	edx, [esp+30h+var_10]
		call	PsIsThreadInSilo
		test	al, al
		jz	short loc_73DC75
		mov	esi, 0C000000Dh

loc_73DC2C:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+12Aj
					; VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+135j	...
		mov	edi, ebx

loc_73DC2E:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+5Aj
					; VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+2BBj
		mov	eax, [esp+30h+var_1C]
		test	eax, eax
		jz	short loc_73DC42
		mov	edx, 67655256h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_73DC42:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+1A6j
		test	edi, edi
		jz	short loc_73DC4D
		mov	ecx, edi
		call	ObfDereferenceObject

loc_73DC4D:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+1B6j
		test	ebx, ebx
		jz	short loc_73DC58
		mov	ecx, ebx
		call	_VrpFreeKeyContext@4 ; VrpFreeKeyContext(x)

loc_73DC58:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+1C1j
		mov	ecx, [esp+30h+var_C]
		test	ecx, ecx
		jz	short loc_73DC6A
		mov	edx, 52566D43h
		call	ObfDereferenceObjectWithTag

loc_73DC6A:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+34j
					; VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+1D0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_73DC75:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+197j
		mov	edi, [esp+30h+var_1C]
		lea	eax, [edx+2D8h]
		mov	ecx, [esp+30h+var_1C]
		mov	esi, eax
		mov	[esp+30h+var_8], eax
		movsd
		movsd
		movsd
		movsd
		call	_VrpAllocateKeyContext@4 ; VrpAllocateKeyContext(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_73DCA2

loc_73DC98:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+23Dj
		mov	esi, 0C000009Ah
		jmp	loc_73DD45
; 

loc_73DCA2:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+208j
		mov	esi, [esp+20h+arg_0]
		mov	edi, ebx
		xor	ecx, ecx
		inc	ecx
		push	67655256h
		movsd
		movsd
		movsd
		movsd
		mov	[ebx+18h], cx
		movzx	eax, ds:_CmRegistryRootName
		push	eax
		push	ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+14h], eax
		test	eax, eax
		jz	short loc_73DC98
		xor	eax, eax
		lea	ecx, [ebx+10h]
		mov	[ecx], ax
		mov	edx, offset _CmRegistryRootName
		mov	ax, ds:_CmRegistryRootName
		mov	[ebx+12h], ax
		call	_RtlUnicodeStringCopy@8	; RtlUnicodeStringCopy(x,x)
		mov	edi, [esp+20h]
		mov	ecx, edi
		call	_CmInitSiloNamespace@4 ; CmInitSiloNamespace(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_73DD45
		mov	eax, [esp+20h+var_C]
		push	eax
		push	_VrpSiloContextSlot
		push	edi
		call	_PsInsertSiloContext@12	; PsInsertSiloContext(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_73DD45
		mov	ecx, edi
		call	CmGetRootKeyObjectForSilo
		push	0
		push	ebx
		push	offset _VrpCallbackCookie
		push	eax
		mov	[esp+30h+var_10], eax
		call	CmSetCallbackObjectContext
		mov	edx, _VrpSiloContextSlot
		mov	esi, eax
		mov	ecx, [edi+308h]
		test	esi, esi
		js	short loc_73DD4E
		xor	ebx, ebx
		call	PspStorageMakeSlotReadOnly
		xor	esi, esi

loc_73DD45:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+16Bj
					; VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+20Fj	...
		mov	edi, [esp+20h+var_10]
		jmp	loc_73DC2E
; 

loc_73DD4E:				; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+2ACj
		push	0
		push	0
		call	_PspStorageRemoveObject@16 ; PspStorageRemoveObject(x,x,x,x)
		jmp	short loc_73DD45
_VrpHandleIoctlInitializeJobForVreg@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspStorageMakeSlotReadOnly proc	near	; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+2B0p
					; PsMakeSiloContextPermanent(x,x)+1Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CAD87 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	edi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	PspGetStorageArray
		mov	edi, eax
		test	edi, edi
		js	short loc_73DDB7
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		mov	eax, [ebp+var_8]
		push	esi
		lea	esi, [eax+ecx*8]
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+4]
		and	eax, 0FFFFFFFEh
		jz	short loc_73DDBA
		or	eax, 1
		mov	[esi+4], eax

loc_73DD9E:				; CODE XREF: PspStorageMakeSlotReadOnly+65j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_8CAD87

loc_73DDAD:				; CODE XREF: PspStorageMakeSlotReadOnly+18D02Fj
					; PspStorageMakeSlotReadOnly+18D03Cj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, edi
		pop	esi

loc_73DDB7:				; CODE XREF: PspStorageMakeSlotReadOnly+21j
		pop	edi
		leave
		retn
; 

loc_73DDBA:				; CODE XREF: PspStorageMakeSlotReadOnly+3Cj
		mov	edi, 0C000000Dh
		jmp	short loc_73DD9E
PspStorageMakeSlotReadOnly endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmGetRootKeyObjectForSilo proc near	; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+285p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CAD9B SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		push	_CmpSiloContextSlot
		push	ecx
		call	PsGetPermanentSiloContext
		mov	esi, [ebp+var_4]
		test	esi, esi
		jz	loc_8CAD9B
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	loc_8CAD9B
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [esi+10h]

loc_73DDFB:				; CODE XREF: CmGetRootKeyObjectForSilo+18CFE9j
		pop	esi
		leave
		retn
CmGetRootKeyObjectForSilo endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1841. PsInsertSiloContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsInsertSiloContext(x, x, x)
		public _PsInsertSiloContext@12
_PsInsertSiloContext@12	proc near	; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+278p
					; PspAssignSiloSystemRootPath(x,x)+9Cp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ds:dword_717F7C
		test	esi, esi
		jz	short loc_73DE1E
		mov	edi, [esi+308h]

loc_73DE1E:				; CODE XREF: PsInsertSiloContext(x,x,x)+12j
		mov	ecx, [ebp+arg_8]
		call	_PspIsSiloContext@4 ; PspIsSiloContext(x)
		test	al, al
		jz	short loc_73DE33
		call	_ObGetExtendedUserInfo@4 ; ObGetExtendedUserInfo(x)
		cmp	[eax], esi
		jnz	short loc_73DE48

loc_73DE33:				; CODE XREF: PsInsertSiloContext(x,x,x)+24j
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	0
		call	PspStorageInsertObject

loc_73DE42:				; CODE XREF: PsInsertSiloContext(x,x,x)+49j
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_73DE48:				; CODE XREF: PsInsertSiloContext(x,x,x)+2Dj
		mov	eax, 0C000000Dh
		jmp	short loc_73DE42
_PsInsertSiloContext@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmInitSiloNamespace(x)
_CmInitSiloNamespace@4 proc near	; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+261p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	edx, [ebp+var_4]
		call	CmpGetOrCreateContextForSiloNoRef
		test	eax, eax
		js	short locret_73DE75
		mov	ecx, [ebp+var_4]
		call	_CmpStartSiloRegistryNamespace@4 ; CmpStartSiloRegistryNamespace(x)
		test	eax, eax
		js	short locret_73DE75
		xor	eax, eax

locret_73DE75:				; CODE XREF: CmInitSiloNamespace(x)+15j
					; CmInitSiloNamespace(x)+21j
		leave
		retn
_CmInitSiloNamespace@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpIncrementSiloCount proc near		; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+12Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CADB0 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	esi
		xor	esi, esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _VrpActiveSilosLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		cmp	_VrpNumActiveSilos, esi
		jnz	short loc_73DECD
		push	0Ch
		pop	eax
		push	0Eh
		mov	word ptr [ebp+var_8], ax
		lea	edx, [ebp+var_8]
		pop	eax
		sub	esp, 10h
		mov	word ptr [ebp+var_8+2],	ax
		mov	[ebp+var_4], offset ??_C@_1O@PAINHNKI@?$AA1?$AA8?$AA9?$AA9?$AA0?$AA0@NNGAKEGL@ ; "189900"
		call	_CmRegisterInternalCallback@24 ; CmRegisterInternalCallback(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_73DED3

loc_73DECD:				; CODE XREF: VrpIncrementSiloCount+2Dj
		inc	_VrpNumActiveSilos

loc_73DED3:				; CODE XREF: VrpIncrementSiloCount+53j
		or	edx, 0FFFFFFFFh
		lock xadd [edi], edx
		test	dl, 2
		jnz	loc_8CADB0

loc_73DEE3:				; CODE XREF: VrpIncrementSiloCount+18CF3Bj
					; VrpIncrementSiloCount+18CF48j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
VrpIncrementSiloCount endp


;  S U B	R O U T	I N E 


; __stdcall CmRegisterInternalCallback(x, x, x,	x, x, x)
_CmRegisterInternalCallback@24 proc near ; CODE	XREF: VrpIncrementSiloCount+4Ap
		cmp	_VrpDriverObject, 0
		jz	short loc_73DF1E
		push	offset _VrpCallbackCookie
		push	1
		push	0
		push	edx
		xor	edx, edx
		mov	ecx, offset VrpRegistryCallback
		call	CmpRegisterCallbackInternal

locret_73DF1B:				; CODE XREF: CmRegisterInternalCallback(x,x,x,x,x,x)+27j
		retn	10h
; 

loc_73DF1E:				; CODE XREF: CmRegisterInternalCallback(x,x,x,x,x,x)+7j
		mov	eax, 0C00000F1h
		jmp	short locret_73DF1B
_CmRegisterInternalCallback@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSetKcbAtLayerHeight(x, x, x)
_CmpSetKcbAtLayerHeight@12 proc	near	; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+2C7p
					; CmQueryValueKey+58Bp	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		movsx	esi, dx
		cmp	dx, 2
		jge	short loc_73DF41
		mov	[ecx+esi*4+4], eax

loc_73DF3C:				; CODE XREF: CmpSetKcbAtLayerHeight(x,x,x)+22j
		pop	esi
		pop	ebp
		retn	4
; 

loc_73DF41:				; CODE XREF: CmpSetKcbAtLayerHeight(x,x,x)+10j
		mov	ecx, [ecx+0Ch]
		mov	[ecx+esi*4-8], eax
		jmp	short loc_73DF3C
_CmpSetKcbAtLayerHeight@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetTimerResolution(x, x, x)
_NtSetTimerResolution@12 proc near	; DATA XREF: .text:00580C58o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	18h
		push	offset dword_6A0100
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		xor	ebx, ebx
		test	al, al
		jz	short loc_73DF84
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [ebp+arg_8]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_73DF79
		mov	ecx, eax

loc_73DF79:				; CODE XREF: NtSetTimerResolution(x,x,x)+2Bj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_73DF84:				; CODE XREF: NtSetTimerResolution(x,x,x)+1Cj
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		mov	[ebp+var_19], bl
		mov	[ebp+var_24], ebx
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		mov	eax, ds:_KeTimeIncrement
		mov	[ebp+var_20], eax
		lea	edx, [esi+0FCh]
		cmp	byte ptr [ebp+arg_4], 0
		jnz	short loc_73E021
		mov	edi, 0FFFFEFFFh
		mov	eax, [edx]

loc_73DFB8:				; CODE XREF: NtSetTimerResolution(x,x,x)+76j
		mov	ecx, eax
		and	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_73DFB8
		test	eax, 1000h
		jnz	short loc_73DFFA
		mov	[ebp+var_24], 0C0000245h
		mov	edi, [ebp+arg_0]
		jmp	loc_73E0A7
; 

loc_73DFD8:				; DATA XREF: .text:006A0114o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_73DFE8:				; DATA XREF: .text:006A0118o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_28]
		jmp	loc_73E153
; 

loc_73DFFA:				; CODE XREF: NtSetTimerResolution(x,x,x)+7Dj
		dec	ds:_ExpTimerResolutionCount
		mov	[esi+380h], ebx
		mov	edx, esi
		xor	cl, cl
		call	PoTraceSystemTimerResolution
		push	ebx
		xor	edx, edx
		xor	cl, cl
		call	ExpUpdateTimerResolution
		mov	edi, [ebp+arg_0]
		jmp	loc_73E0A4
; 

loc_73E021:				; CODE XREF: NtSetTimerResolution(x,x,x)+65j
		mov	byte ptr [ebp+arg_4+3],	1
		mov	edi, 80001000h
		mov	eax, [edx]

loc_73E02C:				; CODE XREF: NtSetTimerResolution(x,x,x)+EAj
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_73E02C
		mov	edi, eax
		test	edi, edi
		js	short loc_73E043
		mov	ecx, esi
		call	ExpInsertTimerResolutionEntry

loc_73E043:				; CODE XREF: NtSetTimerResolution(x,x,x)+F0j
		test	edi, 1000h
		mov	edi, [ebp+arg_0]
		jnz	short loc_73E056
		inc	ds:_ExpTimerResolutionCount
		jmp	short loc_73E063
; 

loc_73E056:				; CODE XREF: NtSetTimerResolution(x,x,x)+102j
		cmp	[esi+380h], edi
		sbb	dl, dl
		inc	dl
		mov	byte ptr [ebp+arg_4+3],	dl

loc_73E063:				; CODE XREF: NtSetTimerResolution(x,x,x)+10Aj
		cmp	[esi+37Ch], ebx
		jz	short loc_73E073
		cmp	edi, [esi+384h]
		jnb	short loc_73E077

loc_73E073:				; CODE XREF: NtSetTimerResolution(x,x,x)+11Fj
		mov	[ebp+var_19], 1

loc_73E077:				; CODE XREF: NtSetTimerResolution(x,x,x)+127j
		mov	[esi+380h], edi
		mov	edx, esi
		xor	cl, cl
		call	PoTraceSystemTimerResolution
		test	dword ptr [esi+3A8h], 4000000h
		jnz	short loc_73E09F
		push	ebx
		mov	edx, edi
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ExpUpdateTimerResolution
		jmp	short loc_73E0A4
; 

loc_73E09F:				; CODE XREF: NtSetTimerResolution(x,x,x)+146j
		mov	eax, ds:_KeTimeIncrement

loc_73E0A4:				; CODE XREF: NtSetTimerResolution(x,x,x)+D2j
					; NtSetTimerResolution(x,x,x)+153j
		mov	[ebp+var_20], eax

loc_73E0A7:				; CODE XREF: NtSetTimerResolution(x,x,x)+89j
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()
		mov	[ebp+arg_0], ebx
		mov	[ebp+arg_4], ebx
		cmp	[ebp+var_19], 0
		jz	short loc_73E0FB
		call	PoDiagCaptureUsermodeStack
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	short loc_73E0FB
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		mov	eax, [esi+37Ch]
		test	eax, eax
		jz	short loc_73E0E4
		cmp	edi, [esi+384h]
		jnb	short loc_73E0F6
		test	eax, eax
		jz	short loc_73E0E4
		mov	[ebp+arg_0], eax

loc_73E0E4:				; CODE XREF: NtSetTimerResolution(x,x,x)+189j
					; NtSetTimerResolution(x,x,x)+195j
		mov	[esi+384h], edi
		mov	eax, [ebp+arg_4]
		mov	[esi+37Ch], eax
		mov	[ebp+arg_4], ebx

loc_73E0F6:				; CODE XREF: NtSetTimerResolution(x,x,x)+191j
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()

loc_73E0FB:				; CODE XREF: NtSetTimerResolution(x,x,x)+16Cj
					; NtSetTimerResolution(x,x,x)+178j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_73E109
		mov	ecx, eax
		call	_PoDiagFreeUsermodeStack@4 ; PoDiagFreeUsermodeStack(x)

loc_73E109:				; CODE XREF: NtSetTimerResolution(x,x,x)+1B6j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_73E117
		mov	ecx, eax
		call	_PoDiagFreeUsermodeStack@4 ; PoDiagFreeUsermodeStack(x)

loc_73E117:				; CODE XREF: NtSetTimerResolution(x,x,x)+1C4j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_73E148
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_20]
		mov	[eax], ecx

loc_73E136:				; CODE XREF: NtSetTimerResolution(x,x,x)+1FCj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_73E150
; 

loc_73E13F:				; DATA XREF: .text:006A0120o
		xor	eax, eax
		inc	eax
		retn
; 

loc_73E143:				; DATA XREF: .text:006A0124o
		mov	esp, [ebp+ms_exc.old_esp]
		jmp	short loc_73E136
; 

loc_73E148:				; CODE XREF: NtSetTimerResolution(x,x,x)+1DBj
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_20]
		mov	[eax], ecx

loc_73E150:				; CODE XREF: NtSetTimerResolution(x,x,x)+1F3j
		mov	eax, [ebp+var_24]

loc_73E153:				; CODE XREF: NtSetTimerResolution(x,x,x)+ABj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_NtSetTimerResolution@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoTraceSystemTimerResolution proc near	; CODE XREF: NtSetTimerResolution(x,x,x)+C0p
					; NtSetTimerResolution(x,x,x)+137p ...

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7D		= byte ptr -7Dh
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008CADC5 SIZE 0000011B BYTES
; FUNCTION CHUNK AT 008CAEF3 SIZE 0000009F BYTES

		push	84h
		push	offset dword_6A0128
		call	__SEH_prolog4_GS
		mov	[ebp+var_84], edx
		mov	al, cl
		mov	[ebp+var_7D], al
		mov	esi, dword_6C1D74
		mov	edi, _PopDiagHandle
		test	al, al
		jnz	loc_8CADC5
		push	offset _POP_ETW_EVENT_STRS
		push	esi
		push	edi
		call	EtwEventEnabled

loc_73E1A0:				; CODE XREF: PoTraceSystemTimerResolution+18CC8Aj
		xor	ebx, ebx

loc_73E1A2:				; CODE XREF: PoTraceSystemTimerResolution+18CC83j
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_73E1B3
		test	al, al
		jnz	loc_8CADF5

loc_73E1B3:				; CODE XREF: PoTraceSystemTimerResolution+43j
					; sub_8CAEE4+Aj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PoTraceSystemTimerResolution endp

; 
		align 4

;  S U B	R O U T	I N E 


PoDiagCaptureUsermodeStack proc	near	; CODE XREF: NtSetTimerResolution(x,x,x)+16Ep

; FUNCTION CHUNK AT 008CAF92 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, 50455654h
		mov	ebx, 84h
		push	edi
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_73E205
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+4]
		push	1
		push	20h
		push	eax
		call	RtlWalkFrameChain
		test	eax, eax
		jz	loc_8CAF92
		mov	[esi], eax

loc_73E205:				; CODE XREF: PoDiagCaptureUsermodeStack+1Cj
					; PoDiagCaptureUsermodeStack+18CDD7j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
PoDiagCaptureUsermodeStack endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFreeCallbackObjectContexts proc near	; CODE XREF: CmpDeleteKeyObject+13Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CAFA0 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	bl, bl
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		push	edi
		nop
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExAcquirePushLockExclusiveEx
		add	esi, 28h

loc_73E241:				; CODE XREF: CmpFreeCallbackObjectContexts+C6j
		mov	eax, [esi]
		cmp	eax, esi
		jnz	short loc_73E293
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, bl
		jnz	loc_8CAFA0

loc_73E267:				; CODE XREF: CmpFreeCallbackObjectContexts+85j
					; CmpFreeCallbackObjectContexts+18CDA6j ...
		mov	eax, [ebp+var_C]
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	short loc_73E2D7
		cmp	[eax+4], ecx
		jnz	short loc_73E2E0
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_73E2E0
		push	63634D43h
		lea	edx, [ebp+var_C]
		mov	[ebp+var_C], ecx
		push	eax
		mov	[ecx+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_73E267
; 

loc_73E293:				; CODE XREF: CmpFreeCallbackObjectContexts+39j
		cmp	[eax+4], esi
		jnz	short loc_73E2E0
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_73E2E0
		mov	[esi], ecx
		lea	edi, [eax+8]
		mov	[ecx+4], esi
		mov	edx, [edi]
		cmp	[edx+4], edi
		jnz	short loc_73E2E0
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_73E2E0
		mov	[ecx], edx
		mov	[edx+4], ecx
		cmp	ecx, edx
		jz	short loc_73E2DC

loc_73E2BE:				; CODE XREF: CmpFreeCallbackObjectContexts+D2j
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_C]
		cmp	[ecx], edx
		jnz	short loc_73E2E0
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ebp+var_8], eax
		jmp	loc_73E241
; 

loc_73E2D7:				; CODE XREF: CmpFreeCallbackObjectContexts+63j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_73E2DC:				; CODE XREF: CmpFreeCallbackObjectContexts+B0j
		mov	bl, 1
		jmp	short loc_73E2BE
; 

loc_73E2E0:				; CODE XREF: CmpFreeCallbackObjectContexts+68j
					; CmpFreeCallbackObjectContexts+6Fj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
CmpFreeCallbackObjectContexts endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetJobIoRateControl proc near	; CODE XREF: sub_75A01A+87p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= dword	ptr -2

; FUNCTION CHUNK AT 008CAFC9 SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		xor	ebx, ebx
		mov	[ebp+var_18], edx
		mov	esi, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], ebx
		dec	word ptr [edi+13Ch]
		mov	byte ptr [ebp+var_2], bl
		mov	byte ptr [ebp+var_2+1],	bl
		mov	[ebp+var_14], edi
		nop
		lea	ecx, [esi+388h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_18]
		test	byte ptr [eax+20h], 1
		jz	loc_8CAFF1
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	PspLockRootJobExclusive
		push	ecx
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	_PspLockJobConditionally@12 ; PspLockJobConditionally(x,x,x)
		push	1
		push	ebx
		mov	dl, 1
		mov	ecx, esi
		call	PspSetJobIoAttribution
		mov	[ebp+var_10], eax
		test	eax, eax
		js	loc_73E3FF
		mov	eax, ebx

loc_73E361:				; CODE XREF: PspSetJobIoRateControl+85j
		cmp	esi, [ebp+eax*4+var_8]
		jz	short loc_73E375
		inc	eax
		cmp	eax, 1
		jb	short loc_73E361
		lea	ecx, [esi+20h]
		call	ExReleaseResourceLite

loc_73E375:				; CODE XREF: PspSetJobIoRateControl+7Fj
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		mov	ecx, [ebp+var_18]
		xor	edi, edi
		inc	edi
		cmp	[ecx+18h], ebx
		jnz	loc_8CAFC9
		call	_PspIoRateControlInfoIsAnySet@4	; PspIoRateControlInfoIsAnySet(x)
		test	al, al
		jz	loc_73E45C
		lea	eax, [ebp+var_2]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esi+340h]
		call	PspIoRateEntryActivate
		mov	[ebp+var_10], eax
		test	eax, eax
		js	short loc_73E3D8
		mov	eax, [esi+354h]
		mov	cl, 1
		mov	[ebp+var_C], eax

loc_73E3BF:				; CODE XREF: PspSetJobIoRateControl+18CD06j
		cmp	byte ptr [ebp+var_2], bl
		jnz	loc_73E47B

loc_73E3C8:				; CODE XREF: PspSetJobIoRateControl+198j
		test	cl, cl
		jz	short loc_73E3CD
		dec	edi

loc_73E3CD:				; CODE XREF: PspSetJobIoRateControl+E4j
					; PspSetJobIoRateControl+17Ej ...
		mov	[ebp+var_10], ebx
		test	edi, edi
		jz	loc_73E483

loc_73E3D8:				; CODE XREF: PspSetJobIoRateControl+CCj
					; PspSetJobIoRateControl+18CCFDj
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_8]
		push	eax
		mov	ecx, esi
		call	PspLockRootJobExclusive
		push	ecx
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	_PspLockJobConditionally@12 ; PspLockJobConditionally(x,x,x)
		push	edi
		push	ebx
		xor	dl, dl
		mov	ecx, esi
		call	PspSetJobIoAttribution
		mov	edi, [ebp+var_14]

loc_73E3FF:				; CODE XREF: PspSetJobIoRateControl+73j
					; PspSetJobIoRateControl+123j
		cmp	esi, [ebp+ebx*4+var_8]
		jz	short loc_73E413
		inc	ebx
		cmp	ebx, 1
		jb	short loc_73E3FF
		lea	ecx, [esi+20h]
		call	ExReleaseResourceLite

loc_73E413:				; CODE XREF: PspSetJobIoRateControl+11Dj
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)

loc_73E41D:				; CODE XREF: PspSetJobIoRateControl+1A0j
		or	eax, 0FFFFFFFFh
		lea	ebx, [esi+388h]
		lock xadd [ebx], eax
		test	al, 2
		jnz	loc_8CB00C

loc_73E432:				; CODE XREF: PspSetJobIoRateControl+18CD28j
					; PspSetJobIoRateControl+18CD35j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, [ebp+var_10]
		mov	edx, [ebp+var_18]
		mov	ecx, [esi+2D4h]
		push	edi
		push	[ebp+var_C]
		call	EtwTracePsIoRateControl
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_73E45C:				; CODE XREF: PspSetJobIoRateControl+AFj
		mov	eax, [esi+354h]
		test	eax, eax
		jz	loc_73E3CD
		lea	ecx, [esi+340h]
		mov	[ebp+var_C], eax
		call	PspIoRateEntryDeactivate
		mov	cl, byte ptr [ebp+var_2+1]

loc_73E47B:				; CODE XREF: PspSetJobIoRateControl+DCj
		push	2
		pop	edi
		jmp	loc_73E3C8
; 

loc_73E483:				; CODE XREF: PspSetJobIoRateControl+ECj
		mov	edi, [ebp+var_14]
		jmp	short loc_73E41D
PspSetJobIoRateControl endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTracePsIoRateControl	proc near	; CODE XREF: PspSetJobIoRateControl+16Ap

var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CB020 SIZE 0000021A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 120h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_120], ecx
		push	edi
		mov	edi, offset _PsIoRateControlStart
		lea	ebx, [esi+20h]
		test	byte ptr [ebx],	1
		jz	short loc_73E4E0

loc_73E4B5:				; CODE XREF: EtwTracePsIoRateControl+5Dj
		push	edi
		push	dword_6BC18C
		push	_EtwpPsProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8CB020

loc_73E4CF:				; CODE XREF: EtwTracePsIoRateControl+18CDADj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_73E4E0:				; CODE XREF: EtwTracePsIoRateControl+2Bj
		mov	edi, offset _PsIoRateControlStop
		jmp	short loc_73E4B5
EtwTracePsIoRateControl	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspIoRateEntryActivate proc near	; CODE XREF: PspSetJobIoRateControl+C2p
					; PspSetJobIoRateControlForVolume(x,x,x,x,x)+56p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CB23A SIZE 000000C0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[esp+48h+var_2C], ecx
		push	6
		xor	eax, eax
		mov	[esp+4Ch+var_30], edx
		pop	ecx
		lea	edi, [esp+48h+var_18]
		mov	[esp+48h+var_20], ebx
		rep stosd
		mov	eax, [ebp+arg_4]
		mov	ecx, ebx
		mov	[esp+48h+var_1C], ebx
		mov	esi, ebx
		mov	[esp+48h+var_34], ebx
		mov	[esp+48h+var_28], ebx
		mov	[esp+48h+var_24], ebx
		mov	[esp+48h+var_38], ebx
		mov	[esp+48h+var_3C], ecx
		test	eax, eax
		jz	short loc_73E534
		mov	[eax], bl

loc_73E534:				; CODE XREF: PspIoRateEntryActivate+48j
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+18h]
		test	eax, eax
		jnz	loc_8CB23A
		mov	eax, [edx+328h]

loc_73E548:				; CODE XREF: PspIoRateEntryActivate+18CDDAj
		lea	edx, [esp+48h+var_34]
		push	edx
		lea	edx, [esp+4Ch+var_38]
		push	edx
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		push	eax
		call	_IoStartIoRateControl@20 ; IoStartIoRateControl(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_73E5AE
		mov	edi, [esp+48h+var_2C]
		cmp	[edi+14h], ebx
		jnz	loc_8CB2C7

loc_73E570:				; CODE XREF: PspIoRateEntryActivate+18CDECj
		mov	eax, [esp+48h+var_38]
		xor	ecx, ecx
		mov	[edi+14h], eax
		mov	eax, [esp+48h+var_34]
		mov	[edi+0Ch], eax
		lea	eax, [edi+10h]
		mov	[edi+18h], esi
		xchg	ecx, [eax]
		mov	esi, ebx
		mov	edi, ebx

loc_73E58C:				; CODE XREF: PspIoRateEntryActivate+CAj
		test	esi, esi
		jnz	loc_8CB2D9

loc_73E594:				; CODE XREF: PspIoRateEntryActivate+18CDFFj
		test	ebx, ebx
		jnz	short loc_73E5B4

loc_73E598:				; CODE XREF: PspIoRateEntryActivate+D3j
					; PspIoRateEntryActivate+18CDA8j ...
		cmp	[esp+48h+var_3C], 0
		jnz	loc_8CB2EC

loc_73E5A3:				; CODE XREF: PspIoRateEntryActivate+18CE0Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_73E5AE:				; CODE XREF: PspIoRateEntryActivate+79j
		mov	ebx, [esp+48h+var_38]
		jmp	short loc_73E58C
; 

loc_73E5B4:				; CODE XREF: PspIoRateEntryActivate+AEj
		mov	ecx, ebx
		call	_IoStopIoRateControl@4 ; IoStopIoRateControl(x)
		jmp	short loc_73E598
PspIoRateEntryActivate endp

; 
		align 2

;  S U B	R O U T	I N E 


PspIoRateEntryDeactivate proc near	; CODE XREF: PspSetJobIoRateControl+18Dp
					; PspIoRateEntryActivate+18CDE1p ...

; FUNCTION CHUNK AT 008CB2FA SIZE 00000013 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		lea	ecx, [esi+10h]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, [esi+14h]
		call	_IoStopIoRateControl@4 ; IoStopIoRateControl(x)
		and	dword ptr [esi+14h], 0
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jnz	loc_8CB2FA
		pop	esi
		retn
PspIoRateEntryDeactivate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmQuerySingleFeatureConfiguration proc near ; CODE XREF: PAGE:007822D5p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008CB30D SIZE 0000001B BYTES
; FUNCTION CHUNK AT 008CB33D SIZE 0000003A BYTES

		push	2Ch
		push	offset dword_6A0148
		call	__SEH_prolog4
		xor	eax, eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		cmp	edx, 8
		jnz	loc_8CB30D
		mov	[ebp+ms_exc.disabled], eax
		mov	edx, [ecx]
		mov	[ebp+var_38], edx
		mov	ecx, [ecx+4]
		mov	[ebp+var_34], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	18h
		pop	ebx
		cmp	[ebp+arg_4], ebx
		jnz	short loc_73E687
		lea	edi, [ebp+var_3C]
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		push	edx
		push	ecx
		call	_RtlQueryFeatureConfiguration@16 ; RtlQueryFeatureConfiguration(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_8CB33D
		cmp	esi, 80000022h
		jnz	loc_8CB317

loc_73E649:				; CODE XREF: CmQuerySingleFeatureConfiguration+18CD39j
		mov	[ebp+ms_exc.disabled], 1
		push	6
		pop	ecx
		xor	eax, eax
		mov	edx, [ebp+arg_0]
		mov	edi, edx
		rep stosd
		mov	eax, [ebp+var_30]
		mov	[edx], eax
		mov	eax, [ebp+var_2C]
		mov	[edx+4], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_73E66E:				; CODE XREF: CmQuerySingleFeatureConfiguration+A8j
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx

loc_73E673:				; CODE XREF: CmQuerySingleFeatureConfiguration+18CD2Ej
					; CmQuerySingleFeatureConfiguration+18CD3Fj ...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_73E687:				; CODE XREF: CmQuerySingleFeatureConfiguration+38j
		mov	esi, 0C0000004h
		jmp	short loc_73E66E
CmQuerySingleFeatureConfiguration endp


;  S U B	R O U T	I N E 


; __stdcall CmpCreateLayerLink(x, x)
_CmpCreateLayerLink@8 proc near		; CODE XREF: CmpCreateKeyControlBlock+5CBp
					; CmRenameKey(x,x,x,x)+C97p
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	word ptr [esi+22h], 7Fh
		jge	short loc_73E6E6
		call	_CmpAllocateLayerInfoForKcb@4 ;	CmpAllocateLayerInfoForKcb(x)
		test	eax, eax
		js	short loc_73E6E2
		mov	ecx, edi
		call	_CmpAllocateLayerInfoForKcb@4 ;	CmpAllocateLayerInfoForKcb(x)
		test	eax, eax
		js	short loc_73E6E2
		mov	ecx, esi
		call	CmpReferenceKeyControlBlock
		mov	ax, [esi+22h]
		mov	ecx, [edi+6Ch]
		inc	ax
		mov	[edi+22h], ax
		mov	eax, [esi+6Ch]
		mov	[ecx+0Ch], eax
		add	eax, 10h
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_73E6ED
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		xor	eax, eax

loc_73E6E2:				; CODE XREF: CmpCreateLayerLink(x,x)+17j
					; CmpCreateLayerLink(x,x)+22j ...
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_73E6E6:				; CODE XREF: CmpCreateLayerLink(x,x)+Ej
		mov	eax, 0C000000Dh
		jmp	short loc_73E6E2
; 

loc_73E6ED:				; CODE XREF: CmpCreateLayerLink(x,x)+46j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmpCreateLayerLink@8 endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall CmpAllocateLayerInfoForKcb(x)
_CmpAllocateLayerInfoForKcb@4 proc near	; CODE XREF: CmpCreateLayerLink(x,x)+10p
					; CmpCreateLayerLink(x,x)+1Bp ...
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		cmp	[ebx+6Ch], esi
		jnz	short loc_73E734
		push	696C4D43h
		push	20h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_73E739
		push	edi
		push	8
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		lea	eax, [edx+10h]
		mov	[edx+8], ebx
		lea	ecx, [edx+18h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	[ebx+6Ch], edx
		pop	edi

loc_73E734:				; CODE XREF: CmpAllocateLayerInfoForKcb(x)+Bj
					; CmpAllocateLayerInfoForKcb(x)+4Cj
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_73E739:				; CODE XREF: CmpAllocateLayerInfoForKcb(x)+1Fj
		mov	esi, 0C000009Ah
		jmp	short loc_73E734
_CmpAllocateLayerInfoForKcb@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpKeyFullNameLength(x)
_CmpKeyFullNameLength@4	proc near	; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+F3p
					; CmpConstructNameFromKcbNameBlocks+Fp
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_73E76B
		push	esi

loc_73E747:				; CODE XREF: CmpKeyFullNameLength(x)+28j
		test	dword ptr [ecx+68h], 40000h
		jnz	short loc_73E76E

loc_73E750:				; CODE XREF: CmpKeyFullNameLength(x)+33j
		mov	eax, [ecx+28h]
		test	byte ptr [eax],	1
		movzx	esi, word ptr [eax+0Ch]
		jz	short loc_73E75E
		add	esi, esi

loc_73E75E:				; CODE XREF: CmpKeyFullNameLength(x)+1Aj
		mov	ecx, [ecx+24h]
		add	edx, 2
		add	edx, esi

loc_73E766:				; CODE XREF: CmpKeyFullNameLength(x)+37j
		test	ecx, ecx
		jnz	short loc_73E747
		pop	esi

loc_73E76B:				; CODE XREF: CmpKeyFullNameLength(x)+4j
		mov	eax, edx
		retn
; 

loc_73E76E:				; CODE XREF: CmpKeyFullNameLength(x)+Ej
		mov	eax, [ecx+24h]
		test	eax, eax
		jz	short loc_73E750
		mov	ecx, eax
		jmp	short loc_73E766
_CmpKeyFullNameLength@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpEnumerateLayeredKey proc near	; CODE XREF: CmEnumerateKey+27Ap

var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_100		= dword	ptr -100h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch

; FUNCTION CHUNK AT 008CB3AE SIZE 000001D8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 164h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_10]
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_140], eax
		mov	eax, [ebp+arg_C]
		push	0FCh		; size_t
		mov	[ebp+var_13C], eax
		lea	eax, [ebp+var_108]
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_11C], edx
		mov	[ebp+var_118], ecx
		mov	[ebp+var_138], esi
		call	_memset
		xor	eax, eax
		mov	[ebp+var_114], ebx
		lea	edi, [ebp+var_134]
		mov	[ebp+var_160], ebx
		stosd
		lea	ecx, [ebp+var_108]
		add	esp, 0Ch
		mov	[ebp+var_15C], ebx
		mov	byte ptr [ebp+var_120],	bl
		stosd
		stosd
		stosd
		or	edi, 0FFFFFFFFh
		mov	word ptr [ebp+var_134+2], di
		call	_CmpKeyEnumStackInitialize@4 ; CmpKeyEnumStackInitialize(x)
		xor	edx, edx
		mov	[ebp+var_158], edi
		xor	eax, eax
		mov	[ebp+var_154], edx
		mov	[ebp+var_14C], edx
		lea	ecx, [ebp+var_160]
		mov	[ebp+var_148], edx
		mov	word ptr [ebp+var_154],	ax
		mov	[ebp+var_144], edx
		mov	[ebp+var_150], edi
		mov	word ptr [ebp+var_14C],	ax
		mov	[ebp+var_124], edx
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		cmp	[ebp+arg_0], 2
		mov	eax, [ebp+var_138]
		mov	esi, [esi]
		mov	[ebp+var_164], esi
		mov	[ebp+var_10C], esi
		mov	[eax], edx
		jz	loc_8CB3AE
		call	_CmpLockRegistry@0 ; CmpLockRegistry()

loc_73E875:				; CODE XREF: CmpEnumerateLayeredKey+18CC39j
		mov	edx, [ebp+var_118]
		lea	ecx, [ebp+var_134]
		mov	edx, [edx+8]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_73E985
		lea	ecx, [ebp+var_134]
		call	_CmpLockKcbStackShared@4 ; CmpLockKcbStackShared(x)
		mov	ecx, [ebp+var_118]
		xor	edx, edx
		mov	[ebp+var_120], 1
		call	CmpPerformKeyBodyDeletionCheck
		mov	edi, eax
		test	edi, edi
		js	loc_73E985
		movzx	edx, word ptr [ebp+var_134+2]
		xor	bl, bl
		test	dx, dx
		jle	short loc_73E8FE

loc_73E8CD:				; CODE XREF: CmpEnumerateLayeredKey+174j
		lea	ecx, [ebp+var_134]
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		mov	esi, eax
		mov	[ebp+var_110], esi
		cmp	dword ptr [esi+14h], 0FFFFFFFFh
		jnz	loc_8CB3B8

loc_73E8EA:				; CODE XREF: CmpEnumerateLayeredKey+18CC44j
		dec	edx
		test	dx, dx
		jg	short loc_73E8CD
		mov	esi, [ebp+var_164]
		test	bl, bl
		jnz	loc_8CB3C3

loc_73E8FE:				; CODE XREF: CmpEnumerateLayeredKey+151j
		mov	ebx, [ebp+var_130]
		lea	edx, [ebp+var_158]
		push	0
		mov	ecx, ebx
		call	CmpGetKeyNodeForKcb
		lea	ecx, [ebp+var_114]
		mov	[ebp+var_148], eax
		push	ecx
		push	[ebp+var_11C]
		mov	ecx, [ebx+10h]
		mov	edx, eax
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_73E985
		cmp	[ebp+var_114], 0FFFFFFFFh
		jz	loc_73EA18
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_150]
		push	ecx
		push	[ebp+var_114]
		push	eax
		call	dword ptr [eax+4]
		mov	ecx, [ebx+10h]
		mov	edx, eax
		push	0
		push	0
		push	[ebp+var_13C]
		mov	[ebp+var_144], eax
		push	[ebp+arg_8]
		push	[ebp+var_140]
		push	[ebp+arg_0]
		call	CmpQueryKeyDataFromNode

loc_73E97D:				; CODE XREF: CmpEnumerateLayeredKey+18CDC9j
		mov	edi, eax
		test	edi, edi
		js	short loc_73E985
		xor	edi, edi

loc_73E985:				; CODE XREF: CmpEnumerateLayeredKey+113j
					; CmpEnumerateLayeredKey+13Fj ...
		lea	ecx, [ebp+var_108]
		call	_CmpKeyEnumStackCleanup@4 ; CmpKeyEnumStackCleanup(x)
		cmp	[ebp+var_144], 0
		jz	short loc_73E9A7
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_150]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_73E9A7:				; CODE XREF: CmpEnumerateLayeredKey+21Dj
		cmp	[ebp+var_148], 0
		jz	short loc_73E9BE
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_158]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_73E9BE:				; CODE XREF: CmpEnumerateLayeredKey+234j
		cmp	byte ptr [ebp+var_120],	0
		jz	short loc_73E9D2
		lea	ecx, [ebp+var_134]
		call	CmpUnlockKcbStack

loc_73E9D2:				; CODE XREF: CmpEnumerateLayeredKey+24Bj
		lea	ecx, [ebp+var_134]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		test	esi, esi
		jnz	loc_8CB55E

loc_73E9E5:				; CODE XREF: CmpEnumerateLayeredKey+18CDF3j
		mov	eax, [ebp+var_124]
		test	eax, eax
		jnz	loc_8CB572

loc_73E9F3:				; CODE XREF: CmpEnumerateLayeredKey+18CE07j
		xor	dl, dl
		lea	ecx, [ebp+var_160]
		call	CmpDrainDelayDerefContext
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_73EA18:				; CODE XREF: CmpEnumerateLayeredKey+1C3j
		mov	edi, 8000001Ah
		jmp	loc_73E985
CmpEnumerateLayeredKey endp


;  S U B	R O U T	I N E 


; int __fastcall CmpKeyEnumStackInitialize(void	*)
_CmpKeyEnumStackInitialize@4 proc near	; CODE XREF: CmpEnumerateLayeredKey+8Ap
					; CmpSubtreeEnumeratorStart(x,x)+60p ...
		mov	edi, edi
		push	esi
		push	edi
		push	0FCh		; size_t
		mov	esi, ecx
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esi+8]	; void *
		call	_CmpInitializeKeyNodeStack@4 ; CmpInitializeKeyNodeStack(x)
		push	2
		add	esi, 38h
		pop	edi

loc_73EA46:				; CODE XREF: CmpKeyEnumStackInitialize(x)+31j
		mov	ecx, esi	; void *
		call	_CmpKeyEnumStackEntryInitialize@4 ; CmpKeyEnumStackEntryInitialize(x)
		add	esi, 60h
		sub	edi, 1
		jnz	short loc_73EA46
		pop	edi
		pop	esi
		retn
_CmpKeyEnumStackInitialize@4 endp


;  S U B	R O U T	I N E 


; int __fastcall CmpKeyEnumStackEntryInitialize(void *)
_CmpKeyEnumStackEntryInitialize@4 proc near ; CODE XREF: CmpKeyEnumStackInitialize(x)+26p
					; CmpKeyEnumStackReset(x)+2Fp ...
		mov	edi, edi
		push	esi
		push	edi
		push	60h		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		or	dword ptr [esi+8], 0FFFFFFFFh
		add	esp, 0Ch
		xor	eax, eax
		mov	[esi+0Ch], ax
		lea	eax, [esi+38h]
		add	esi, 28h
		push	2
		pop	ecx

loc_73EA7F:				; CODE XREF: CmpKeyEnumStackEntryInitialize(x)+4Bj
		mov	[esi], edi
		xor	edx, edx
		mov	[esi+4], edi
		or	dword ptr [esi], 0FFFFFFFFh
		lea	esi, [esi+8]
		mov	[esi-4], dx
		mov	[esi+18h], edi
		mov	[esi+1Ch], edi
		or	dword ptr [esi+18h], 0FFFFFFFFh
		or	dword ptr [eax], 0FFFFFFFFh
		lea	eax, [eax+4]
		sub	ecx, 1
		jnz	short loc_73EA7F
		pop	edi
		pop	esi
		retn
_CmpKeyEnumStackEntryInitialize@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpKeyEnumStackCleanup(x)
_CmpKeyEnumStackCleanup@4 proc near	; CODE XREF: CmpEnumerateLayeredKey+211p
					; CmpSubtreeEnumeratorCleanup(x)+2Ep ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		lea	ecx, [esi+8]
		call	CmpCleanupKeyNodeStack
		xor	eax, eax
		xor	edi, edi
		cmp	ax, [esi]
		jg	short loc_73EAD5

loc_73EABF:				; CODE XREF: CmpKeyEnumStackCleanup(x)+2Bj
		mov	edx, edi
		mov	ecx, esi
		call	CmpKeyEnumStackGetEntryAtLayerHeight
		mov	ecx, eax
		call	CmpKeyEnumStackEntryCleanup
		inc	edi
		cmp	di, [esi]
		jle	short loc_73EABF

loc_73EAD5:				; CODE XREF: CmpKeyEnumStackCleanup(x)+15j
		mov	ecx, [esi+0F8h]
		pop	edi
		pop	esi
		test	ecx, ecx
		jnz	_CmpFreePool@4	; CmpFreePool(x)
		retn
_CmpKeyEnumStackCleanup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpKeyEnumStackEntryCleanup proc near	; CODE XREF: CmpKeyEnumStackCleanup(x)+22p
					; CmpKeyEnumStackReset(x)+28p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CB586 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	dword ptr [esi+4], 0
		jnz	loc_8CB586

loc_73EAFB:				; CODE XREF: CmpKeyEnumStackEntryCleanup+18CAAAj
		push	2
		pop	eax
		lea	ebx, [esi+48h]
		mov	[ebp+var_4], eax
		lea	edi, [esi+40h]

loc_73EB07:				; CODE XREF: CmpKeyEnumStackEntryCleanup+40j
		cmp	dword ptr [edi-20h], 0
		jnz	loc_8CB595

loc_73EB11:				; CODE XREF: CmpKeyEnumStackEntryCleanup+18CABCj
		cmp	dword ptr [edi], 0
		jnz	loc_8CB5A7

loc_73EB1A:				; CODE XREF: CmpKeyEnumStackEntryCleanup+18CACBj
		add	edi, 4
		add	ebx, 8
		sub	eax, 1
		mov	[ebp+var_4], eax
		jnz	short loc_73EB07
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CmpKeyEnumStackEntryCleanup endp

; 
		align 2

;  S U B	R O U T	I N E 


CmpKeyEnumStackGetEntryAtLayerHeight proc near ; CODE XREF: CmpKeyEnumStackCleanup(x)+1Bp
					; CmpKeyEnumStackAdvance(x)+1Ep ...

; FUNCTION CHUNK AT 008CB5B6 SIZE 0000000D BYTES

		movsx	eax, dx
		cmp	dx, 2
		jge	loc_8CB5B6
		imul	eax, 60h
		add	eax, 38h
		add	eax, ecx
		retn
CmpKeyEnumStackGetEntryAtLayerHeight endp


;  S U B	R O U T	I N E 


CmpCleanupKeyNodeStack proc near	; CODE XREF: CmQueryLayeredKey+13Dp
					; CmpGetSubKeyCountForKcbStack(x,x,x)+58p ...

; FUNCTION CHUNK AT 008CB5C3 SIZE 0000000F BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		xor	esi, esi
		cmp	ax, [edi]
		jg	short loc_73EB6C

loc_73EB53:				; CODE XREF: CmpCleanupKeyNodeStack+26j
		mov	edx, esi
		mov	ecx, edi
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		cmp	dword ptr [eax+8], 0
		jnz	loc_8CB5C3

loc_73EB66:				; CODE XREF: CmpCleanupKeyNodeStack+18CA89j
		inc	esi
		cmp	si, [edi]
		jle	short loc_73EB53

loc_73EB6C:				; CODE XREF: CmpCleanupKeyNodeStack+Dj
		mov	ecx, [edi+2Ch]
		pop	edi
		pop	esi
		test	ecx, ecx
		jnz	_CmpFreePool@4	; CmpFreePool(x)
		retn
CmpCleanupKeyNodeStack endp


;  S U B	R O U T	I N E 


CmpKeyNodeStackGetEntryAtLayerHeight proc near
					; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+7Bp
					; CmpGetValueCountForKeyNodeStack(x,x)+C3p ...

; FUNCTION CHUNK AT 008CB5D2 SIZE 0000000B BYTES

		cmp	dx, 2
		jge	loc_8CB5D2
		movsx	eax, dx
		imul	eax, 14h
		add	eax, 4
		add	eax, ecx
		retn
CmpKeyNodeStackGetEntryAtLayerHeight endp


;  S U B	R O U T	I N E 


; int __fastcall CmpInitializeKeyNodeStack(void	*)
_CmpInitializeKeyNodeStack@4 proc near	; CODE XREF: CmQueryLayeredKey+5Ap
					; CmpGetSubKeyCountForKcbStack(x,x,x)+2Cp ...
		mov	edi, edi
		push	esi
		push	edi
		push	30h		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		add	esi, 10h
		push	2
		pop	eax

loc_73EBAA:				; CODE XREF: CmpInitializeKeyNodeStack(x)+38j
		mov	[esi-0Ch], edi
		xor	ecx, ecx
		mov	[esi-4], edi
		or	dword ptr [esi-8], 0FFFFFFFFh
		mov	[esi], edi
		mov	[esi+4], edi
		or	dword ptr [esi], 0FFFFFFFFh
		lea	esi, [esi+14h]
		mov	[esi-10h], cx
		sub	eax, 1
		jnz	short loc_73EBAA
		pop	edi
		pop	esi
		retn
_CmpInitializeKeyNodeStack@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFindKcbInHashEntryByName proc near	; CODE XREF: CmpWalkOneLevel+6E8p
					; CmRenameKey(x,x,x,x)+48Ap ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CB5DD SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		push	esi
		mov	[ebp+var_4], edx
		mov	edi, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		imul	ecx, eax, 0Ch
		mov	eax, [edi+434h]
		mov	edi, [ecx+eax+8]

loc_73EBFC:				; CODE XREF: CmpFindKcbInHashEntryByName+39j
		test	edi, edi
		jz	short loc_73EC3C
		cmp	[edi], esi
		jz	short loc_73EC09

loc_73EC04:				; CODE XREF: CmpFindKcbInHashEntryByName+47j
					; CmpFindKcbInHashEntryByName+69j
		mov	edi, [edi+4]
		jmp	short loc_73EBFC
; 

loc_73EC09:				; CODE XREF: CmpFindKcbInHashEntryByName+34j
		mov	ecx, [ebp+var_4]
		lea	eax, [edi-8]
		mov	[ebp+arg_0], eax
		cmp	[eax+24h], ecx
		jnz	short loc_73EC04
		mov	eax, [eax+28h]
		push	2
		test	byte ptr [eax],	1
		lea	edx, [eax+0Eh]
		movzx	ecx, word ptr [eax+0Ch]
		jz	loc_8CB5DD
		push	ecx
		mov	ecx, [ebp+arg_4]
		call	_CmpCompareCompressedName@16 ; CmpCompareCompressedName(x,x,x,x)

loc_73EC35:				; CODE XREF: CmpFindKcbInHashEntryByName+18CA25j
		test	eax, eax
		jnz	short loc_73EC04
		mov	ebx, [ebp+arg_0]

loc_73EC3C:				; CODE XREF: CmpFindKcbInHashEntryByName+30j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
CmpFindKcbInHashEntryByName endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1873. PsQueryTotalCycleTimeProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsQueryTotalCycleTimeProcess(x, x)
		public _PsQueryTotalCycleTimeProcess@8
_PsQueryTotalCycleTimeProcess@8	proc near ; CODE XREF: PAGE:0083CFEFp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, large fs:124h
		mov	cl, 1
		push	esi
		push	edi
		mov	[ebp+var_8], ebx
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		call	_KeUpdateTotalCyclesCurrentThread@8 ; KeUpdateTotalCyclesCurrentThread(x,x)
		dec	word ptr [ebx+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		lea	edi, [esi+398h]
		mov	ecx, edi
		mov	[ebp+var_4], edi
		call	ExAcquirePushLockSharedEx
		mov	ebx, [esi+88h]
		lea	ecx, [esi+1D0h]
		mov	edx, [esi+8Ch]
		mov	eax, [ecx]
		mov	[ebp+arg_4], edx
		cmp	eax, ecx
		jz	short loc_73ECD6
		mov	edi, ecx

loc_73ECAA:				; CODE XREF: PsQueryTotalCycleTimeProcess(x,x)+84j
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0

loc_73ECB2:				; CODE XREF: PsQueryTotalCycleTimeProcess(x,x)+C0j
		mov	ecx, [eax-2B0h]
		mov	esi, [eax-2B4h]
		cmp	ecx, [eax-2ACh]
		jnz	short loc_73ED08
		mov	eax, [eax]
		add	ebx, esi
		adc	edx, ecx
		cmp	eax, edi
		jnz	short loc_73ECAA
		mov	edi, [ebp+var_4]
		mov	[ebp+arg_4], edx

loc_73ECD6:				; CODE XREF: PsQueryTotalCycleTimeProcess(x,x)+5Cj
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jnz	short loc_73ECFF

loc_73ECE4:				; CODE XREF: PsQueryTotalCycleTimeProcess(x,x)+BCj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	edx, [ebp+arg_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_73ECFF:				; CODE XREF: PsQueryTotalCycleTimeProcess(x,x)+98j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_73ECE4
; 

loc_73ED08:				; CODE XREF: PsQueryTotalCycleTimeProcess(x,x)+7Aj
		pause
		jmp	short loc_73ECB2
_PsQueryTotalCycleTimeProcess@8	endp


;  S U B	R O U T	I N E 


MiValidateUserCallTarget proc near	; CODE XREF: MiCfgMarkValidEntries+169p
					; MmValidateUserCallTarget(x,x)+2Cj

; FUNCTION CHUNK AT 008CB5F8 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, edx
		xor	esi, esi
		push	edi
		push	ecx
		mov	edi, ecx
		mov	edx, [ebx]
		call	CfgAddressToBitState
		sub	eax, esi
		jz	short loc_73ED37
		sub	eax, 1
		jnz	loc_8CB5F8

loc_73ED2C:				; CODE XREF: MiValidateUserCallTarget+18C906j
		and	edi, 0Fh
		cmp	edi, [ebx+0Ch]

loc_73ED32:				; CODE XREF: MiValidateUserCallTarget+18C8F4j
		jnz	short loc_73ED37
		xor	esi, esi
		inc	esi

loc_73ED37:				; CODE XREF: MiValidateUserCallTarget+15j
					; MiValidateUserCallTarget:loc_73ED32j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
MiValidateUserCallTarget endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpFreeExtraParameter(x)
_CmpFreeExtraParameter@4 proc near	; CODE XREF: VrpPostOpenOrCreate(x,x)+91p
					; VrpPostOpenOrCreate(x,x)+22Cp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_73ED54
		lea	eax, [esi+20h]
		push	eax
		lea	eax, [esi+8]
		push	eax
		call	ecx

loc_73ED54:				; CODE XREF: CmpFreeExtraParameter(x)+Aj
		mov	ecx, esi
		mov	edx, 50454D43h
		pop	esi
		jmp	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
_CmpFreeExtraParameter@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall VrpDereferenceJobContext(x)
_VrpDereferenceJobContext@4 proc near	; CODE XREF: VrpOriginalKeyNameParameterCleanup(x,x)+Fp
		mov	edx, 67655256h
		jmp	ObfDereferenceObjectWithTag
_VrpDereferenceJobContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTiLogMapExecView proc near		; CODE XREF: NtMapViewOfSection+1ACp
					; MiMapViewOfSectionExCommon+17328Dp

var_138		= dword	ptr -138h
var_130		= dword	ptr -130h
var_125		= byte ptr -125h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CB617 SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 138h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	0
		push	0F00h
		push	0
		push	dword_6BC124
		mov	[ebp+var_125], dl
		mov	ebx, ecx
		push	_EtwThreatIntProvRegHandle
		call	EtwProviderEnabled
		test	al, al
		jz	loc_73EEF5
		mov	eax, large fs:124h
		push	esi
		mov	esi, [eax+80h]
		xor	eax, eax
		cmp	esi, ebx
		setz	al
		cmp	[ebp+var_125], 0
		jz	loc_8CB617
		xor	ecx, ecx

loc_73EDCF:				; CODE XREF: EtwTiLogMapExecView+18C8AEj
		add	eax, ecx
		push	edi
		mov	edi, ds:off_4041C8[eax*4]
		push	edi
		push	dword_6BC124
		push	_EtwThreatIntProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_73EEF3
		lea	eax, [ebp+var_138]
		mov	edx, esi
		push	eax
		lea	ecx, [ebp+var_124]
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, large fs:124h
		mov	esi, eax
		mov	ecx, esi
		lea	eax, [ebp+var_124]
		shl	ecx, 4
		add	ecx, eax
		call	_EtwpTiFillThreadIdentity@8 ; EtwpTiFillThreadIdentity(x,x)
		add	esi, eax
		lea	ecx, [ebp+var_124]
		lea	eax, [ebp+var_130]
		mov	edx, ebx
		push	eax
		mov	eax, esi
		shl	eax, 4
		add	ecx, eax
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		add	esi, eax
		lea	ecx, [ebp+arg_0]
		xor	ebx, ebx
		mov	eax, esi
		add	eax, eax
		push	4
		pop	edx
		mov	[ebp+eax*8+var_124], ecx
		lea	ecx, [ebp+arg_4]
		mov	[ebp+eax*8+var_120], ebx
		mov	[ebp+eax*8+var_11C], edx
		mov	[ebp+eax*8+var_118], ebx
		lea	eax, [esi+1]
		add	eax, eax
		mov	[ebp+eax*8+var_124], ecx
		lea	ecx, [ebp+arg_8]
		mov	[ebp+eax*8+var_120], ebx
		mov	[ebp+eax*8+var_11C], edx
		mov	[ebp+eax*8+var_118], ebx
		lea	eax, [esi+2]
		add	eax, eax
		mov	[ebp+eax*8+var_124], ecx
		lea	ecx, [ebp+arg_C]
		mov	[ebp+eax*8+var_120], ebx
		mov	[ebp+eax*8+var_11C], edx
		mov	[ebp+eax*8+var_118], ebx
		lea	eax, [esi+3]
		add	eax, eax
		mov	[ebp+eax*8+var_124], ecx
		mov	[ebp+eax*8+var_120], ebx
		mov	[ebp+eax*8+var_11C], edx
		mov	[ebp+eax*8+var_118], ebx
		lea	eax, [ebp+var_124]
		push	eax
		lea	eax, [esi+4]
		push	eax
		push	ebx
		push	edi
		push	dword_6BC124
		push	_EtwThreatIntProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_73EEF3:				; CODE XREF: EtwTiLogMapExecView+81j
		pop	edi
		pop	esi

loc_73EEF5:				; CODE XREF: EtwTiLogMapExecView+3Aj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
EtwTiLogMapExecView endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCompleteHardDereferenceSiloDeferred(x)
_PspCompleteHardDereferenceSiloDeferred@4 proc near
					; DATA XREF: PspHardDereferenceSiloWorker(x)+3Fo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+308h]
		test	ecx, ecx
		jz	short loc_73EF1C
		call	PspStorageEmptyNonReadonly

loc_73EF1C:				; CODE XREF: PspCompleteHardDereferenceSiloDeferred(x)+11j
		mov	ecx, esi
		call	ObfDereferenceObject
		pop	esi
		pop	ebp
		retn	4
_PspCompleteHardDereferenceSiloDeferred@4 endp


;  S U B	R O U T	I N E 


PspStorageEmptyNonReadonly proc	near	; CODE XREF: PspCompleteHardDereferenceSiloDeferred(x)+13p

; FUNCTION CHUNK AT 008CB61F SIZE 00000011 BYTES

		mov	edi, edi
		push	esi
		push	edi
		push	20h
		pop	edx
		mov	esi, ecx
		call	PspStorageEmptyArrayNonReadonly
		mov	ecx, [esi+100h]
		mov	edi, eax
		test	ecx, ecx
		jnz	loc_8CB61F

loc_73EF46:				; CODE XREF: PspStorageEmptyNonReadonly+18C703j
		mov	eax, edi
		pop	edi
		pop	esi
		retn
PspStorageEmptyNonReadonly endp

; 
		align 10h
; Exported entry 406. ExRaiseDatatypeMisalignment

; __stdcall ExRaiseDatatypeMisalignment()
		public _ExRaiseDatatypeMisalignment@0
_ExRaiseDatatypeMisalignment@0:		; CODE XREF: RtlWalkFrameChain:loc_433968p
					; .text:loc_4474D4p ...
		push	80000002h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetRelatedFileName proc near		; CODE XREF: IopSymlinkRememberJunction+C3p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CB630 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	eax, 100h
		mov	[ebp+var_4], edx
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_C], ecx
		xor	edi, edi
		mov	[ebp+var_10], eax
		and	[ebp+var_8], ebx
		mov	esi, eax

loc_73EF7E:				; CODE XREF: IopGetRelatedFileName+18C6D7j
		test	edi, edi
		jnz	loc_8CB638

loc_73EF86:				; CODE XREF: IopGetRelatedFileName+18C6E6j
		cmp	esi, 0FFFFh
		jnb	loc_8CB674
		push	63466F49h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8CB66A
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		mov	edx, edi
		mov	ecx, [eax+4]
		lea	eax, [ebp+var_8]
		push	0
		push	eax
		push	esi
		call	ObQueryNameStringMode
		mov	ecx, [ebp+arg_4]
		mov	esi, eax
		mov	eax, [ebp+var_8]
		add	eax, 8
		mov	[ebp+var_14], eax
		test	ecx, ecx
		jz	short loc_73EFE1
		mov	ax, [edi]
		mov	[ecx], ax

loc_73EFE1:				; CODE XREF: IopGetRelatedFileName+7Dj
		cmp	esi, 80000005h
		jz	loc_8CB630
		test	esi, esi
		js	loc_73F0DA

loc_73EFF5:				; CODE XREF: IopGetRelatedFileName+FAj
		test	ebx, ebx
		jnz	loc_8CB647

loc_73EFFD:				; CODE XREF: IopGetRelatedFileName+18C6F5j
		mov	esi, [ebp+var_10]
		cmp	esi, 0FFFFh
		jnb	loc_8CB660
		push	63466F49h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8CB656
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_8]
		mov	edx, esi
		push	eax
		mov	eax, [ebp+var_C]
		push	ebx
		push	9
		mov	ecx, [eax+20h]
		call	IopGetFileInformation
		mov	esi, eax
		mov	eax, [ebx]
		mov	[ebp+arg_4], eax
		add	eax, 8
		mov	[ebp+var_10], eax
		cmp	esi, 80000005h
		jz	short loc_73EFF5
		test	esi, esi
		js	short loc_73F0CE
		movzx	eax, word ptr [edi]
		add	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		movzx	edx, cx
		add	edx, eax
		mov	[ebp+arg_4], edx
		cmp	edx, 0FFFFh
		jnb	loc_8CB660
		movzx	ecx, dx
		mov	edx, [ebp+var_4]
		mov	eax, ecx
		sub	eax, [ebp+arg_0]
		push	63466F49h
		mov	[edx], ax
		mov	eax, edx
		mov	edx, [ebp+arg_4]
		push	edx
		push	1
		mov	[eax+2], cx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_4]
		mov	[eax+4], ecx
		test	ecx, ecx
		jz	short loc_73F0EF
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		push	ecx		; void *
		call	_memcpy
		push	dword ptr [ebx]	; size_t
		mov	ecx, [ebp+var_4]
		lea	eax, [ebx+4]
		push	eax		; void *
		movzx	eax, word ptr [edi]
		add	eax, [ecx+4]
		push	eax		; void *
		call	_memcpy
		add	esp, 18h

loc_73F0CE:				; CODE XREF: IopGetRelatedFileName+FEj
					; IopGetRelatedFileName+198j ...
		test	ebx, ebx
		jz	short loc_73F0DA
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_73F0DA:				; CODE XREF: IopGetRelatedFileName+93j
					; IopGetRelatedFileName+174j ...
		test	edi, edi
		jz	short loc_73F0E6
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_73F0E6:				; CODE XREF: IopGetRelatedFileName+180j
					; IopGetRelatedFileName+18C713j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_73F0EF:				; CODE XREF: IopGetRelatedFileName+14Bj
		mov	esi, 0C000009Ah
		jmp	short loc_73F0CE
IopGetRelatedFileName endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 920. IoQueryInformationByName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoQueryInformationByName
IoQueryInformationByName proc near	; CODE XREF: NtQueryInformationByName(x,x,x,x,x)+18p

var_178		= dword	ptr -178h
var_170		= dword	ptr -170h
var_168		= dword	ptr -168h
var_160		= dword	ptr -160h
var_150		= dword	ptr -150h
var_14A		= word ptr -14Ah
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_130		= dword	ptr -130h
var_123		= byte ptr -123h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_114		= dword	ptr -114h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= byte ptr -0F8h
var_E8		= dword	ptr -0E8h
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_BD		= byte ptr -0BDh
var_BC		= dword	ptr -0BCh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008CB67E SIZE 00000097 BYTES

		push	168h
		push	offset dword_6A01C0
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_D0], eax
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_D4], esi
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_C8], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_C4], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_D8], eax
		push	0A0h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		lea	eax, [ebp+var_BC]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_BD], bl
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_14]
		and	ecx, 100h
		neg	ecx
		sbb	cl, cl
		not	cl
		and	cl, [eax+15Ah]
		mov	byte ptr [ebp+var_CC], cl
		mov	edi, [ebp+arg_10]
		push	edi
		push	[ebp+var_C4]
		push	[ebp+var_C8]
		push	esi
		call	IopValidateQueryInformationParameters
		test	eax, eax
		js	loc_73F343
		cmp	edi, 4Bh
		jz	loc_8CB67E

loc_73F19D:				; CODE XREF: IoQueryInformationByName+18C588j
					; IoQueryInformationByName+18C598j
		cmp	edi, 44h
		jnz	loc_8CB699

loc_73F1A6:				; CODE XREF: IoQueryInformationByName+18C5A0j
					; IoQueryInformationByName+18C5A9j
		mov	esi, 90h
		push	esi		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_178]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	8
		pop	eax
		mov	word ptr [ebp+var_178],	ax
		mov	word ptr [ebp+var_178+2], si
		push	7
		pop	eax
		mov	[ebp+var_14A], ax
		mov	[ebp+var_13C], 1
		mov	[ebp+var_150], 204000h
		mov	[ebp+var_123], 1
		mov	[ebp+var_F8], 1
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_120], eax
		mov	eax, [ebp+var_D0]
		mov	[ebp+var_160], eax
		mov	[ebp+var_11C], 20h
		mov	[ebp+var_100], edi
		mov	eax, [ebp+var_C4]
		mov	[ebp+var_FC], eax
		xor	eax, eax
		lea	edi, [ebp+var_114]
		stosd
		stosd
		stosd
		stosd
		stosd
		push	14h
		pop	edi
		mov	word ptr [ebp+var_114],	di
		xor	eax, eax
		inc	eax
		mov	[ebp+var_104], eax
		cmp	[ebp+var_BD], bl
		jnz	loc_8CB6B5

loc_73F259:				; CODE XREF: IoQueryInformationByName+18C5C0j
		mov	esi, [ebp+var_D8]
		test	esi, esi
		jz	short loc_73F297
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_73F277
		call	FsRtlpPrepareExtraCreateParametersForCreate
		test	eax, eax
		js	loc_73F343

loc_73F277:				; CODE XREF: IoQueryInformationByName+16Cj
		movsx	eax, word ptr [esi]
		cmp	eax, edi
		ja	short loc_73F280
		mov	edi, eax

loc_73F280:				; CODE XREF: IoQueryInformationByName+180j
		push	edi		; size_t
		push	esi		; void *
		lea	eax, [ebp+var_114]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_104]

loc_73F297:				; CODE XREF: IoQueryInformationByName+165j
		cmp	eax, 1
		jz	loc_8CB6C1

loc_73F2A0:				; CODE XREF: IoQueryInformationByName+18C5D0j
		mov	eax, [ebp+var_C8]
		cmp	eax, ds:_MmHighestUserAddress
		jbe	loc_8CB6D1
		mov	[ebp+var_130], eax
		push	0FFFFFFFEh
		pop	edi

loc_73F2BB:				; CODE XREF: IoQueryInformationByName+18C5EFj
		call	_IopUpdateOtherOperationCount@0	; IopUpdateOtherOperationCount()
		lea	eax, [ebp+var_E8]
		push	eax
		push	[ebp+var_104]
		lea	eax, [ebp+var_178]
		push	eax
		push	80h
		push	ebx
		push	[ebp+var_CC]
		push	ds:_IoFileObjectType
		push	[ebp+var_D0]
		call	ObOpenObjectByNameEx
		mov	esi, eax
		lea	ecx, [ebp+var_178]
		call	_IopCleanupExtraCreateParameters@4 ; IopCleanupExtraCreateParameters(x)
		cmp	[ebp+var_168], 0BEAA0251h
		jnz	short loc_73F310
		mov	esi, [ebp+var_170]

loc_73F310:				; CODE XREF: IoQueryInformationByName+20Cj
		mov	eax, [ebp+var_C8]
		cmp	eax, [ebp+var_130]
		jnz	loc_8CB6F0

loc_73F322:				; CODE XREF: sub_8CB737+Cj
		mov	[ebp+ms_exc.disabled], 2
		mov	eax, [ebp+var_D4]
		mov	[eax], esi
		test	esi, esi
		js	short loc_73F33B
		mov	ebx, [ebp+var_FC]

loc_73F33B:				; CODE XREF: IoQueryInformationByName+237j
		mov	[eax+4], ebx
		mov	[ebp+ms_exc.disabled], edi

loc_73F341:				; CODE XREF: sub_8CB759+10j
		mov	eax, esi

loc_73F343:				; CODE XREF: IoQueryInformationByName+92j
					; IoQueryInformationByName+175j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
IoQueryInformationByName endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetNetworkOpenInformation proc near	; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+17DEp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CB794 SIZE 00000098 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	ebx, ecx
		lea	edi, [esp+5Ch+var_48]
		pop	ecx
		push	6
		xor	eax, eax
		mov	esi, edx
		rep stosd
		pop	ecx
		push	1
		lea	edi, [esp+5Ch+var_20]
		rep stosd
		lea	eax, [esp+5Ch+var_4C]
		mov	ecx, ebx
		push	eax
		lea	eax, [esp+60h+var_48]
		push	eax
		push	0
		push	28h
		push	4
		pop	edx
		call	IopQueryXxxInformation
		mov	edx, eax
		test	edx, edx
		jns	loc_8CB794

loc_73F3AB:				; CODE XREF: IopGetNetworkOpenInformation+18C45Cj
					; IopGetNetworkOpenInformation+18C4D1j
		mov	ecx, [esp+58h+var_4]
		mov	eax, edx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
IopGetNetworkOpenInformation endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogClearAccessBitsEvent(x, x, x)
_CmpLogClearAccessBitsEvent@12 proc near ; CODE	XREF: CmpClearKeyAccessBits+F9p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, _EtwKernelProvRegHandle
		mov	eax, esi
		push	edi
		mov	edi, dword_6BC12C
		or	eax, edi
		mov	[ebp+var_4C], edx
		jz	short loc_73F453
		movzx	edx, word ptr [ecx]
		mov	ax, dx
		mov	[ebp+var_3C], 2
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_44], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_34], eax
		mov	eax, edx
		push	ebx
		mov	[ebp+var_2C], eax
		xor	ebx, ebx
		push	4
		pop	ecx
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_40], ebx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	ebx
		push	offset _REG_EVENT_CLEAR_ACCESS
		push	edi
		push	esi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	ebx

loc_73F453:				; CODE XREF: CmpLogClearAccessBitsEvent(x,x,x)+27j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpLogClearAccessBitsEvent@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlQueryOpen(x, x, x, x, x)
_FsRtlQueryOpen@20 proc	near		; CODE XREF: IopQueryInformation(x,x,x,x,x)+9Dp

var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_FA		= word ptr -0FAh
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 130h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		and	[ebp+var_12C], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	124h		; size_t
		mov	[ebp+var_130], eax
		mov	edi, edx
		lea	eax, [ebp+var_128]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	esi
		call	_IoGetAttachedDevice@4 ; IoGetAttachedDevice(x)
		mov	ecx, [edi+60h]
		mov	dl, 0F9h
		push	1
		push	dword ptr [ecx+18h]
		push	ecx
		push	eax
		lea	ecx, [ebp+var_128]
		call	FsFilterCtrlInit
		test	eax, eax
		js	loc_73F554
		mov	eax, [ebp+var_130]
		mov	[ebp+var_110], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_10C], eax
		mov	eax, large fs:124h
		mov	[ebp+var_118], edi
		mov	[ebp+var_114], ebx
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [ebp+var_12C]
		mov	dl, 1
		push	eax
		push	1
		lea	ecx, [ebp+var_128]
		call	FsFilterPerformCallbacks
		cmp	[ebp+var_FA], 0
		mov	esi, eax
		jbe	short loc_73F52E
		mov	edx, esi
		lea	ecx, [ebp+var_128]
		call	_FsFilterPerformCompletionCallbacks@8 ;	FsFilterPerformCompletionCallbacks(x,x)
		mov	esi, eax

loc_73F52E:				; CODE XREF: FsRtlQueryOpen(x,x,x,x,x)+B9j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	ecx, [ebp+var_128]
		call	_FsFilterCtrlFree@4 ; FsFilterCtrlFree(x)
		test	esi, esi
		js	short loc_73F552
		test	byte ptr [ebp+var_12C],	2
		jz	short loc_73F565

loc_73F552:				; CODE XREF: FsRtlQueryOpen(x,x,x,x,x)+E3j
					; FsRtlQueryOpen(x,x,x,x,x)+106j
		mov	eax, esi

loc_73F554:				; CODE XREF: FsRtlQueryOpen(x,x,x,x,x)+64j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_73F565:				; CODE XREF: FsRtlQueryOpen(x,x,x,x,x)+ECj
		mov	esi, 0C0000002h
		jmp	short loc_73F552
_FsRtlQueryOpen@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCreateSilo(x)
_PspCreateSilo@4 proc near		; CODE XREF: sub_75A258+8p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], eax
		push	edi
		mov	ebx, esi
		mov	edi, ecx
		mov	[ebp+var_4], ebx
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_73F59B
		mov	eax, 0C0000061h
		jmp	loc_73F62E
; 

loc_73F59B:				; CODE XREF: PspCreateSilo(x)+23j
		cmp	[edi+308h], esi
		jnz	short loc_73F5B2
		lea	ecx, [ebp+var_4]
		call	_PspAllocStorage@4 ; PspAllocStorage(x)
		test	eax, eax
		js	short loc_73F62E
		mov	ebx, [ebp+var_4]

loc_73F5B2:				; CODE XREF: PspCreateSilo(x)+35j
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		mov	ecx, edi
		call	_PspJobHasChildren@4 ; PspJobHasChildren(x)
		test	al, al
		jz	short loc_73F5CE
		mov	esi, 0C000050Fh
		jmp	short loc_73F617
; 

loc_73F5CE:				; CODE XREF: PspCreateSilo(x)+59j
		mov	ecx, 40000000h
		test	[edi+310h], ecx
		jz	short loc_73F5E2
		mov	esi, 0C0000508h
		jmp	short loc_73F617
; 

loc_73F5E2:				; CODE XREF: PspCreateSilo(x)+6Dj
		test	dword ptr [edi+0B0h], offset off_402000
		jnz	short loc_73F5F5
		mov	esi, 0C000000Dh
		jmp	short loc_73F617
; 

loc_73F5F5:				; CODE XREF: PspCreateSilo(x)+80j
		mov	ecx, ebx
		lea	edx, [edi+308h]
		xor	eax, eax
		lock cmpxchg [edx], ecx
		neg	eax
		mov	ecx, 40000000h
		sbb	eax, eax
		and	ebx, eax
		lea	eax, [edi+310h]
		lock or	[eax], ecx

loc_73F617:				; CODE XREF: PspCreateSilo(x)+60j
					; PspCreateSilo(x)+74j	...
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		test	ebx, ebx
		jz	short loc_73F62C
		mov	ecx, ebx
		call	_PspFreeStorage@4 ; PspFreeStorage(x)

loc_73F62C:				; CODE XREF: PspCreateSilo(x)+B7j
		mov	eax, esi

loc_73F62E:				; CODE XREF: PspCreateSilo(x)+2Aj
					; PspCreateSilo(x)+41j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PspCreateSilo@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PspJobHasChildren(x)
_PspJobHasChildren@4 proc near		; CODE XREF: PspCreateSilo(x)+52p
					; PsInsertPermanentSiloContextEx+13B402p ...
		xor	edx, edx
		cmp	[ecx+8Ch], edx
		jnz	short loc_73F64B
		lea	eax, [ecx+23Ch]
		cmp	[eax], eax
		jnz	short loc_73F64B

loc_73F648:				; CODE XREF: PspJobHasChildren(x)+19j
		mov	al, dl
		retn
; 

loc_73F64B:				; CODE XREF: PspJobHasChildren(x)+8j
					; PspJobHasChildren(x)+12j
		mov	dl, 1
		jmp	short loc_73F648
_PspJobHasChildren@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlQueryVsmProtectionInfo proc near	; CODE XREF: PAGE:00781DCFp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CB82C SIZE 00000061 BYTES

		push	2Ch
		push	offset dword_6A01F8
		call	__SEH_prolog4_GS
		mov	ebx, ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_38], eax
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		xor	esi, esi
		cmp	edx, 3
		jb	loc_8CB82C
		push	4
		pop	eax
		cmp	edx, eax
		mov	[ebp+var_34], edx
		jb	short loc_73F685
		mov	[ebp+var_34], eax

loc_73F685:				; CODE XREF: HvlQueryVsmProtectionInfo+30j
		and	[ebp+var_30], esi
		mov	al, ds:_HvlHypervisorConnected
		test	al, al
		jnz	loc_8CB836

loc_73F695:				; CODE XREF: HvlQueryVsmProtectionInfo+18C213j
					; HvlQueryVsmProtectionInfo+18C220j
		call	_KeIsCetCapable@0 ; KeIsCetCapable()
		mov	byte ptr [ebp+var_30+1], 0

loc_73F69E:				; CODE XREF: HvlQueryVsmProtectionInfo+18C238j
		mov	byte ptr [ebp+var_30], al

loc_73F6A1:				; CODE XREF: HvlQueryVsmProtectionInfo+18C20Cj
		mov	eax, ds:_HvlpFlags
		shr	eax, 11h
		and	al, 1
		mov	byte ptr [ebp+var_30+2], al
		mov	al, byte ptr ds:_HvlpFlags+3
		and	al, 1
		mov	byte ptr [ebp+var_30+3], al
		and	[ebp+ms_exc.disabled], esi
		push	[ebp+var_34]	; size_t
		lea	eax, [ebp+var_30]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_73F6CB:				; CODE XREF: sub_8CB89B+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		js	short loc_73F6F2
		mov	ecx, [ebp+var_34]
		mov	eax, [ebp+var_38]
		mov	[eax], ecx

loc_73F6DE:				; CODE XREF: HvlQueryVsmProtectionInfo+A8j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_73F6F2:				; CODE XREF: HvlQueryVsmProtectionInfo+84j
					; HvlQueryVsmProtectionInfo+18C1E1j
		mov	ecx, [ebp+var_38]
		and	dword ptr [ecx], 0
		jmp	short loc_73F6DE
HvlQueryVsmProtectionInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtOpenJobObject	proc near		; DATA XREF: .text:00580F4Co

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008CB8B9 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 008CB8E0 SIZE 00000020 BYTES

		push	18h
		push	offset dword_6A0218
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jz	short loc_73F738
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_73F787

loc_73F72D:				; CODE XREF: NtOpenJobObject+8Fj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_73F738:				; CODE XREF: NtOpenJobObject+22j
		mov	esi, ds:_PsJobType
		lea	eax, [ebp+var_1C]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	edi
		push	[ebp+arg_4]
		push	edi
		push	[ebp+var_24]
		push	esi
		push	[ebp+arg_8]
		call	ObOpenObjectByNameEx
		mov	esi, eax
		test	esi, esi
		jns	loc_8CB8B9

loc_73F763:				; CODE XREF: NtOpenJobObject+18C1EDj
		test	ds:_PerfGlobalGroupMask, 80000h
		jnz	loc_8CB8EC

loc_73F773:				; CODE XREF: NtOpenJobObject+18C201j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_73F787:				; CODE XREF: NtOpenJobObject+31j
		mov	ecx, eax
		jmp	short loc_73F72D
NtOpenJobObject	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspIdentityBasedJobBreakaway(x, x, x)
_PspIdentityBasedJobBreakaway@12 proc near ; CODE XREF:	PspInitializeProcessSecurity+1A8p

var_368		= dword	ptr -368h
var_364		= dword	ptr -364h
var_360		= dword	ptr -360h
var_35C		= dword	ptr -35Ch
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_320		= dword	ptr -320h
var_31C		= dword	ptr -31Ch
var_21C		= dword	ptr -21Ch
var_11C		= dword	ptr -11Ch
var_94		= dword	ptr -94h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 368h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_340], edx
		mov	edx, 100h
		push	esi
		xor	esi, esi
		mov	[ebp+var_320], edx
		push	edi
		lea	eax, [edx-7Ch]
		mov	[ebp+var_324], edx
		mov	[ebp+var_328], eax
		lea	edx, [ebp+var_21C]
		mov	[ebp+var_32C], eax
		mov	eax, esi
		mov	[ebp+var_344], eax
		mov	[ebp+var_33C], eax
		mov	[ebp+var_348], eax
		mov	[ebp+var_338], eax
		lea	eax, [ebp+var_334]
		push	eax
		push	ecx
		lea	eax, [ebp+var_328]
		mov	[ebp+var_358], esi
		push	eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_354], esi
		push	eax
		lea	eax, [ebp+var_320]
		mov	[ebp+var_368], esi
		push	eax
		mov	[ebp+var_364], esi
		mov	[ebp+var_350], esi
		mov	[ebp+var_34C], esi
		mov	[ebp+var_360], esi
		mov	[ebp+var_35C], esi
		mov	[ebp+var_334], esi
		mov	[ebp+var_330], esi
		mov	[ebx], esi
		call	_RtlQueryPackageIdentityEx@28 ;	RtlQueryPackageIdentityEx(x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000225h
		jz	short loc_73F86F
		cmp	edi, 80000005h
		jz	short loc_73F86F
		mov	ecx, [ebp+var_330]
		mov	esi, [ebp+var_334]
		jmp	short loc_73F873
; 

loc_73F86F:				; CODE XREF: PspIdentityBasedJobBreakaway(x,x,x)+CBj
					; PspIdentityBasedJobBreakaway(x,x,x)+D3j
		xor	ecx, ecx
		xor	edi, edi

loc_73F873:				; CODE XREF: PspIdentityBasedJobBreakaway(x,x,x)+E1j
		test	edi, edi
		js	loc_73F9B4
		mov	eax, esi
		or	eax, ecx
		push	1
		pop	eax
		jnz	short loc_73F888
		mov	[ebx], eax
		jmp	short loc_73F88A
; 

loc_73F888:				; CODE XREF: PspIdentityBasedJobBreakaway(x,x,x)+F6j
		mov	eax, [ebx]

loc_73F88A:				; CODE XREF: PspIdentityBasedJobBreakaway(x,x,x)+FAj
		test	eax, eax
		jnz	short loc_73F8E4
		lea	eax, [ebp+var_33C]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_340]
		lea	eax, [ebp+var_32C]
		push	eax
		lea	eax, [ebp+var_11C]
		push	eax
		lea	eax, [ebp+var_324]
		push	eax
		lea	edx, [ebp+var_31C]
		call	_RtlQueryPackageIdentityEx@28 ;	RtlQueryPackageIdentityEx(x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000225h
		jz	short loc_73F8DC
		cmp	edi, 80000005h
		jz	short loc_73F8DC
		mov	edx, [ebp+var_338]
		mov	ecx, [ebp+var_33C]
		jmp	short loc_73F8F0
; 

loc_73F8DC:				; CODE XREF: PspIdentityBasedJobBreakaway(x,x,x)+138j
					; PspIdentityBasedJobBreakaway(x,x,x)+140j
		xor	ecx, ecx
		xor	edx, edx
		xor	edi, edi
		jmp	short loc_73F8F0
; 

loc_73F8E4:				; CODE XREF: PspIdentityBasedJobBreakaway(x,x,x)+100j
		mov	ecx, [ebp+var_344]
		mov	edx, [ebp+var_348]

loc_73F8F0:				; CODE XREF: PspIdentityBasedJobBreakaway(x,x,x)+14Ej
					; PspIdentityBasedJobBreakaway(x,x,x)+156j
		test	edi, edi
		js	loc_73F9B4
		mov	eax, ecx
		or	eax, edx
		jz	loc_73F9B4
		xor	esi, ecx
		and	esi, 0FFFFFFDFh
		or	esi, 0
		jnz	loc_73F9AF
		mov	eax, [ebp+var_320]
		cmp	eax, [ebp+var_324]
		jnz	loc_73F9AF
		mov	eax, [ebp+var_328]
		cmp	eax, [ebp+var_32C]
		jnz	short loc_73F9AF
		lea	eax, [ebp+var_21C]
		push	eax
		lea	eax, [ebp+var_358]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_94]
		push	eax
		lea	eax, [ebp+var_368]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_31C]
		push	eax
		lea	eax, [ebp+var_350]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_11C]
		push	eax
		lea	eax, [ebp+var_360]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		inc	esi
		lea	eax, [ebp+var_350]
		push	esi
		push	eax
		lea	eax, [ebp+var_358]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_73F9B2
		push	esi
		lea	eax, [ebp+var_360]
		push	eax
		lea	eax, [ebp+var_368]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_73F9B4
		jmp	short loc_73F9B2
; 

loc_73F9AF:				; CODE XREF: PspIdentityBasedJobBreakaway(x,x,x)+17Ej
					; PspIdentityBasedJobBreakaway(x,x,x)+190j ...
		xor	esi, esi
		inc	esi

loc_73F9B2:				; CODE XREF: PspIdentityBasedJobBreakaway(x,x,x)+207j
					; PspIdentityBasedJobBreakaway(x,x,x)+221j
		mov	[ebx], esi

loc_73F9B4:				; CODE XREF: PspIdentityBasedJobBreakaway(x,x,x)+E9j
					; PspIdentityBasedJobBreakaway(x,x,x)+166j ...
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PspIdentityBasedJobBreakaway@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VrpRegistryDispatch proc near		; DATA XREF: VRegSetup+B1o

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CB900 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	eax, [ecx+60h]
		movzx	eax, byte ptr [eax]
		sub	eax, 0
		jz	short loc_73F9E6
		dec	eax
		sub	eax, 1
		jnz	loc_8CB900

loc_73F9E6:				; CODE XREF: VrpRegistryDispatch+12j
					; VrpRegistryDispatch+18BF3Bj
		xor	esi, esi

loc_73F9E8:				; CODE XREF: VrpRegistryDispatch+18BF46j
		and	dword ptr [ecx+1Ch], 0
		xor	dl, dl
		mov	[ecx+18h], esi
		call	IofCompleteRequest
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
VrpRegistryDispatch endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcAllocateObcb(x, x, x)
_CcAllocateObcb@12 proc	near		; CODE XREF: CcPinRead+100p
					; CcPinMappedData+1539D7p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, ecx
		mov	[ebp+var_4], eax
		and	esi, 0FFFFFFFEh
		mov	ebx, edx
		push	edi
		mov	eax, [eax]
		sub	eax, [esi+8]
		sub	eax, [esi+4]
		add	eax, 0FFFh
		add	eax, ebx
		shr	eax, 0Ch
		push	624F6343h
		lea	esi, ds:18h[eax*4]
		push	esi
		push	210h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi		; size_t
		mov	edi, eax
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+var_4]
		mov	eax, 2FAh
		mov	[edi], ax
		add	esp, 0Ch
		mov	[edi+2], si
		mov	[edi+4], ebx
		mov	eax, [ecx]
		mov	[edi+8], eax
		mov	eax, [ecx+4]
		mov	[edi+0Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+10h], eax
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CcAllocateObcb@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtUnloadKey(x)
_NtUnloadKey@4	proc near		; DATA XREF: .text:00580BECo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	0
		push	0
		call	CmUnloadKey
		pop	ebp
		retn	4
_NtUnloadKey@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspDeleteSiloContext(x)
_PspDeleteSiloContext@4	proc near	; DATA XREF: PspInitializeSiloStructures+F1o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		lea	ecx, [edx-18h]
		mov	al, [ecx+0Eh]
		test	al, 40h
		jz	short loc_73FAC3
		movzx	eax, al
		and	eax, 7Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		mov	eax, [ecx]
		add	eax, 14h

loc_73FAB6:				; CODE XREF: PspDeleteSiloContext(x)+36j
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_73FABF
		push	edx
		call	eax

loc_73FABF:				; CODE XREF: PspDeleteSiloContext(x)+2Aj
		pop	ebp
		retn	4
; 

loc_73FAC3:				; CODE XREF: PspDeleteSiloContext(x)+10j
		push	4
		pop	eax
		jmp	short loc_73FAB6
_PspDeleteSiloContext@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmGetKeyFlags	proc near		; CODE XREF: CmQueryLayeredKey+177C74p
					; CmQueryKey+32Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CB913 SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, [ecx+68h]
		mov	ebx, edx
		and	esi, 0Fh
		test	ebx, ebx
		jnz	loc_8CB913

loc_73FAE5:				; CODE XREF: CmGetKeyFlags+18BE7Ej
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
CmGetKeyFlags	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PspEnableProcessWakeCounters(void *,int)
PspEnableProcessWakeCounters proc near	; DATA XREF: PspAllocateAndQueryNotificationChannel+2C1o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CB94B SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, [edi+158h]
		mov	[ebp+var_8], esi
		test	dword ptr [esi+310h], 1000h
		jz	loc_8CB94B

loc_73FB11:				; CODE XREF: PspEnableProcessWakeCounters+18BEC1j
		pop	edi
		xor	eax, eax
		pop	esi
		leave
		retn	8
PspEnableProcessWakeCounters endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtUnloadKeyEx(x, x)
_NtUnloadKeyEx@8 proc near		; DATA XREF: .text:00580BE4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	1
		call	CmUnloadKey
		pop	ebp
		retn	8
_NtUnloadKeyEx@8 endp


;  S U B	R O U T	I N E 


CmpRecordUnloadEventForHive proc near	; CODE XREF: CmpFreezeHive(x,x)+19p
					; CmpLinkHiveToMaster+182D97p ...

; FUNCTION CHUNK AT 008CB9B2 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		push	76456D43h
		mov	eax, [esi+6D0h]
		lea	eax, ds:4[eax*4]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_73FB8B
		mov	eax, [esi+6D0h]
		test	eax, eax
		jnz	loc_8CB9B2

loc_73FB6F:				; CODE XREF: CmpRecordUnloadEventForHive+18BEA0j
		mov	[esi+6D4h], edi
		mov	ecx, ebx
		mov	[edi+eax*4], ebx
		inc	dword ptr [esi+6D0h]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	eax, eax

loc_73FB87:				; CODE XREF: CmpRecordUnloadEventForHive+58j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_73FB8B:				; CODE XREF: CmpRecordUnloadEventForHive+27j
		mov	eax, 0C000009Ah
		jmp	short loc_73FB87
CmpRecordUnloadEventForHive endp


;  S U B	R O U T	I N E 


; __stdcall CmpFreezeHive(x, x)
_CmpFreezeHive@8 proc near		; CODE XREF: CmpPerformUnloadKey+145p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	ebx, [esi+10h]
		call	CmpReferenceKeyControlBlockUnsafe
		test	edi, edi
		jz	short loc_73FBB6
		mov	edx, edi
		mov	ecx, ebx
		call	CmpRecordUnloadEventForHive
		mov	edi, eax
		test	edi, edi
		js	short loc_73FBDB

loc_73FBB6:				; CODE XREF: CmpFreezeHive(x,x)+13j
		xor	edi, edi
		mov	ecx, esi
		push	edi
		push	2
		pop	edx
		call	CmpSearchForOpenSubKeys
		or	word ptr [esi+4], 20h
		mov	byte ptr [ebx+6DCh], 1
		mov	[ebx+6D8h], esi

loc_73FBD5:				; CODE XREF: CmpFreezeHive(x,x)+50j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_73FBDB:				; CODE XREF: CmpFreezeHive(x,x)+22j
		mov	ecx, esi
		call	CmpDereferenceKeyControlBlockUnsafe
		jmp	short loc_73FBD5
_CmpFreezeHive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpSearchForOpenSubKeys	proc near	; CODE XREF: CmpFreezeHive(x,x)+2Cp
					; NtQueryOpenSubKeys(x,x)+14Dp	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CB9DD SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edi
		sub	edx, ebx
		jz	loc_8CB9DD
		sub	edx, 1
		jz	short loc_73FC33
		sub	edx, 1
		jnz	short loc_73FC2E
		mov	esi, offset _CmpSearchAndTagNoDelayCloseWorker@8 ; CmpSearchAndTagNoDelayCloseWorker(x,x)

loc_73FC16:				; CODE XREF: CmpSearchForOpenSubKeys+54j
					; CmpSearchForOpenSubKeys+18BE09j
		lea	eax, [ebp+var_C]
		mov	dl, bl
		push	eax
		push	esi
		mov	ecx, edi
		call	CmpEnumerateAllOpenSubKeys
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_73FC2E:				; CODE XREF: CmpSearchForOpenSubKeys+2Bj
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_73FC33:				; CODE XREF: CmpSearchForOpenSubKeys+26j
		mov	esi, offset _CmpSearchAndRehashWorker@8	; CmpSearchAndRehashWorker(x,x)
		jmp	short loc_73FC16
CmpSearchForOpenSubKeys	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSearchAndTagNoDelayCloseWorker(x, x)
_CmpSearchAndTagNoDelayCloseWorker@8 proc near ; DATA XREF: CmpSearchForOpenSubKeys+2Do

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		or	word ptr [eax+4], 20h
		xor	eax, eax
		pop	ebp
		retn	8
_CmpSearchAndTagNoDelayCloseWorker@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoesKeyHaveOpenSubkeysWorker(x, x)
_CmpDoesKeyHaveOpenSubkeysWorker@8 proc	near ; DATA XREF: CmpDoesKeyHaveOpenSubkeys(x)+16o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		inc	dword ptr [eax+4]
		xor	eax, eax
		inc	eax
		pop	ebp
		retn	8
_CmpDoesKeyHaveOpenSubkeysWorker@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmCloseRmHandle(x, x)
_CmCloseRmHandle@8 proc	near		; CODE XREF: CmpTryToRundownHive+131p
					; CmpPerformUnloadKey+18B74Ap ...
		xor	eax, eax
		test	ecx, ecx
		jz	short locret_73FC73
		cmp	dword ptr [ecx+20h], 1
		jnz	short loc_73FC74

loc_73FC6C:				; CODE XREF: CmCloseRmHandle(x,x)+19j
		mov	eax, [ecx+18h]
		and	dword ptr [ecx+18h], 0

locret_73FC73:				; CODE XREF: CmCloseRmHandle(x,x)+4j
					; CmCloseRmHandle(x,x)+17j
		retn
; 

loc_73FC74:				; CODE XREF: CmCloseRmHandle(x,x)+Aj
		cmp	dl, 1
		jnz	short locret_73FC73
		jmp	short loc_73FC6C
_CmCloseRmHandle@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmCloseTmHandle(x, x)
_CmCloseTmHandle@8 proc	near		; CODE XREF: CmpTryToRundownHive+13Fp
					; CmpPerformUnloadKey+18B759p ...
		xor	eax, eax
		test	ecx, ecx
		jz	short locret_73FC8F
		cmp	dword ptr [ecx+20h], 1
		jnz	short loc_73FC90

loc_73FC88:				; CODE XREF: CmCloseTmHandle(x,x)+19j
		mov	eax, [ecx+10h]
		and	dword ptr [ecx+10h], 0

locret_73FC8F:				; CODE XREF: CmCloseTmHandle(x,x)+4j
					; CmCloseTmHandle(x,x)+17j
		retn
; 

loc_73FC90:				; CODE XREF: CmCloseTmHandle(x,x)+Aj
		cmp	dl, 1
		jnz	short locret_73FC8F
		jmp	short loc_73FC88
_CmCloseTmHandle@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmShutdownCmRM(x, x)
_CmShutdownCmRM@8 proc near		; CODE XREF: CmpTryToRundownHive+173p
					; CmpPerformUnloadKey+18B78Ap ...
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		test	esi, esi
		jz	short loc_73FCBA
		lea	eax, [esi+20h]
		cmp	dword ptr [eax], 0
		jz	short loc_73FCBA
		lock dec dword ptr [eax]
		cmp	dword ptr [eax], 0
		jnz	short loc_73FCBA
		call	CmpStopRMLog

loc_73FCBA:				; CODE XREF: CmShutdownCmRM(x,x)+Bj
					; CmShutdownCmRM(x,x)+13j ...
		mov	dl, bl
		mov	ecx, esi
		call	CmpRunDownCmRM
		pop	esi
		pop	ebx
		pop	ecx
		retn
_CmShutdownCmRM@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpRunDownCmRM	proc near		; CODE XREF: CmShutdownCmRM(x,x)+26p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CB9F2 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		push	edi
		test	esi, esi
		jz	loc_73FDE1
		xor	edi, edi
		cmp	[esi+20h], edi
		jnz	loc_73FDE1
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpTransactionListLock
		call	ExAcquireFastMutexUnsafe
		mov	edx, _CmpLazyCommitListHead
		cmp	edx, offset _CmpLazyCommitListHead
		jnz	loc_8CB9F2

loc_73FD1D:				; CODE XREF: CmpRunDownCmRM+18BD6Ej
		mov	ecx, offset _CmpTransactionListLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_73FD33:				; CODE XREF: CmpRunDownCmRM+18BD80j
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_8]
		cmp	[edx+4], eax
		jnz	loc_73FDE6
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	loc_73FDE6
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], eax
		mov	[eax+4], ecx
		mov	eax, ecx
		cmp	edx, eax
		jnz	loc_8CBA3B
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpRmListLock
		call	ExAcquireFastMutexUnsafe
		or	dword ptr [esi+3Ch], 8
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_73FDE6
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_73FDE6
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_73FD9F
		mov	[eax+9A0h], edi
		mov	[esi+30h], edi

loc_73FD9F:				; CODE XREF: CmpRunDownCmRM+CCj
		mov	ecx, offset _CmpRmListLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_73FDC5
		push	eax
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)
		mov	[esi+1Ch], edi

loc_73FDC5:				; CODE XREF: CmpRunDownCmRM+F2j
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_73FDD5
		push	eax
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)
		mov	[esi+14h], edi

loc_73FDD5:				; CODE XREF: CmpRunDownCmRM+102j
		cmp	bl, 1
		jnz	short loc_73FDE1
		mov	ecx, esi
		call	_CmpDelayFreeCmRm@4 ; CmpDelayFreeCmRm(x)

loc_73FDE1:				; CODE XREF: CmpRunDownCmRM+11j
					; CmpRunDownCmRM+1Cj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_73FDE6:				; CODE XREF: CmpRunDownCmRM+74j
					; CmpRunDownCmRM+7Fj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall ObpDeleteDirectoryObject(x)
_ObpDeleteDirectoryObject@4:		; DATA XREF: ObInitSystem+272o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+9Ch]
		test	eax, eax
		jnz	short loc_73FE0E

loc_73FDFF:				; CODE XREF: CmpRunDownCmRM+14Cj
		mov	eax, [esi+0A4h]
		pop	esi
		test	eax, eax
		jnz	short loc_73FE16

loc_73FE0A:				; CODE XREF: CmpRunDownCmRM+154j
		pop	ebp
		retn	4
; 

loc_73FE0E:				; CODE XREF: CmpRunDownCmRM+135j
		push	eax
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)
		jmp	short loc_73FDFF
; 

loc_73FE16:				; CODE XREF: CmpRunDownCmRM+140j
		push	eax
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)
		jmp	short loc_73FE0A
CmpRunDownCmRM	endp


;  S U B	R O U T	I N E 


; __stdcall CmpDelayFreeCmRm(x)
_CmpDelayFreeCmRm@4 proc near		; CODE XREF: CmpRunDownCmRM+114p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _CmpDelayFreeRMLock
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	eax, dword_6CDD94
		mov	ecx, offset _CmpDelayFreeRMListHead
		cmp	[eax], ecx
		jnz	short loc_73FE81
		cmp	_CmpDelayFreeRMWorkItemActive, 0
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6CDD94, esi
		jnz	short loc_73FE76
		push	0FFFFFFFFh
		push	0EE1E5D00h
		push	offset _CmpDelayFreeRMDpc
		push	0
		xor	edx, edx
		mov	_CmpDelayFreeRMWorkItemActive, 1
		mov	ecx, offset _CmpDelayFreeRMTimer
		call	KiSetTimerEx

loc_73FE76:				; CODE XREF: CmpDelayFreeCmRm(x)+35j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_73FE81:				; CODE XREF: CmpDelayFreeCmRm(x)+1Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmpDelayFreeCmRm@4 endp		; AL = character to display


;  S U B	R O U T	I N E 


CmpStopRMLog	proc near		; CODE XREF: CmShutdownCmRM(x,x)+1Dp

; FUNCTION CHUNK AT 008CBA4D SIZE 00000042 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [esi+50h]
		call	ExAcquireResourceExclusiveLite
		xor	edi, edi
		cmp	[esi+34h], edi
		jnz	loc_8CBA4D

loc_73FEB5:				; CODE XREF: CmpStopRMLog+18BC04j
		mov	ecx, [esi+50h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		pop	edi
		pop	esi
		pop	ecx
		retn
CmpStopRMLog	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoesKeyHaveOpenSubkeys(x)
_CmpDoesKeyHaveOpenSubkeys@4 proc near	; CODE XREF: CmpTryToRundownHive+1764D6p
					; CmpPerformUnloadKey+12Cp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_C]
		and	[ebp+var_4], 0
		xor	dl, dl
		push	eax
		push	offset _CmpDoesKeyHaveOpenSubkeysWorker@8 ; CmpDoesKeyHaveOpenSubkeysWorker(x,x)
		mov	[ebp+var_C], ecx
		call	CmpEnumerateAllOpenSubKeys
		cmp	[ebp+var_8], 0
		setnz	al
		leave
		retn
_CmpDoesKeyHaveOpenSubkeys@4 endp


;  S U B	R O U T	I N E 


CmpReferenceKeyControlBlockLockNotHeld proc near ; CODE	XREF: CmpWalkOneLevel+6F6p
					; CmpCreateKeyControlBlock+53Bp

; FUNCTION CHUNK AT 008CBA8F SIZE 00000018 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_73FF20

loc_73FF09:				; CODE XREF: CmpReferenceKeyControlBlockLockNotHeld+43j
		lea	edx, [ecx+1]
		test	edx, edx
		jz	loc_8CBA8F
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jnz	short loc_73FF3D
		pop	esi
		retn
; 

loc_73FF20:				; CODE XREF: CmpReferenceKeyControlBlockLockNotHeld+9j
					; CmpReferenceKeyControlBlockLockNotHeld+45j
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [esi+1Ch]
		mov	ecx, esi
		call	CmpReferenceKeyControlBlock
		mov	ecx, esi
		pop	esi
		jmp	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
; 

loc_73FF3D:				; CODE XREF: CmpReferenceKeyControlBlockLockNotHeld+1Ej
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_73FF09
		jmp	short loc_73FF20
CmpReferenceKeyControlBlockLockNotHeld endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpReferenceKeyControlBlock proc near	; CODE XREF: .text:0055134Ap
					; CmpGetVirtualStoreRoot(x,x,x,x)+59p ...

var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CBAA7 SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		test	dword ptr [ecx+4], 80000h
		jnz	loc_8CBA9E
		xor	eax, eax
		inc	eax
		lock xadd [ecx], eax
		inc	eax
		jz	loc_8CBAA7
		test	byte ptr [ecx+20h], 2
		jnz	short loc_73FF70
		leave
		retn
; 

loc_73FF70:				; CODE XREF: CmpReferenceKeyControlBlock+26j
		call	_CmpRemoveFromDelayedClose@4 ; CmpRemoveFromDelayedClose(x)
		leave
		retn
CmpReferenceKeyControlBlock endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpEnumerateAllOpenSubKeys proc	near	; CODE XREF: CmpInvalidateSubtree(x,x,x,x,x)+2Ep
					; CmpPrepareForSubtreeInvalidation(x,x,x)+27p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		push	esi
		push	edi
		mov	[ebp+var_10], ebx
		mov	edi, [ebx+10h]
		mov	ecx, edi
		call	_CmpCleanUpKCBCacheTable@4 ; CmpCleanUpKCBCacheTable(x)
		mov	eax, [ebx]
		cmp	eax, 1
		jz	short loc_73FFFD
		test	dword ptr [ebx+68h], 40000h
		jz	short loc_73FFAA
		cmp	eax, 2
		jz	short loc_73FFFD

loc_73FFAA:				; CODE XREF: CmpEnumerateAllOpenSubKeys+2Bj
		xor	esi, esi
		mov	[ebp+var_8], esi
		cmp	[edi+438h], esi
		jbe	short loc_73FFF3
		mov	ecx, esi
		mov	[ebp+var_C], esi

loc_73FFBC:				; CODE XREF: CmpEnumerateAllOpenSubKeys+79j
		push	[ebp+arg_4]
		mov	edx, [edi+434h]
		push	[ebp+arg_0]
		add	edx, ecx
		mov	ecx, ebx
		call	_CmpEnumerateKcbCacheBucket@16 ; CmpEnumerateKcbCacheBucket(x,x,x,x)
		cmp	eax, 1
		jz	short loc_73FFFD
		mov	ecx, [ebp+var_C]
		cmp	eax, 2
		mov	eax, [ebp+var_8]
		jz	short loc_740004

loc_73FFE1:				; CODE XREF: CmpEnumerateAllOpenSubKeys+90j
		inc	eax
		add	ecx, 0Ch
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ecx
		cmp	eax, [edi+438h]
		jb	short loc_73FFBC

loc_73FFF3:				; CODE XREF: CmpEnumerateAllOpenSubKeys+3Dj
		cmp	[ebp+var_1], 0
		jnz	loc_8CBAB6

loc_73FFFD:				; CODE XREF: CmpEnumerateAllOpenSubKeys+22j
					; CmpEnumerateAllOpenSubKeys+30j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_740004:				; CODE XREF: CmpEnumerateAllOpenSubKeys+67j
		dec	eax
		sub	ecx, 0Ch
		jmp	short loc_73FFE1
CmpEnumerateAllOpenSubKeys endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpEnumerateKcbCacheBucket(x, x, x,	x)
_CmpEnumerateKcbCacheBucket@16 proc near ; CODE	XREF: CmpEnumerateAllOpenSubKeys+54p
					; CmpReferenceKeyControlBlock+18BB8Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [edx+8]
		push	edi
		mov	edi, ecx

loc_740017:				; CODE XREF: CmpEnumerateKcbCacheBucket(x,x,x,x)+39j
					; CmpEnumerateKcbCacheBucket(x,x,x,x)+49j ...
		test	esi, esi
		jnz	short loc_740024
		xor	eax, eax

loc_74001D:				; CODE XREF: CmpEnumerateKcbCacheBucket(x,x,x,x)+54j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_740024:				; CODE XREF: CmpEnumerateKcbCacheBucket(x,x,x,x)+Fj
		mov	ecx, [edi+4]
		lea	ebx, [esi-8]
		mov	eax, [ebx+4]
		mov	esi, [esi+4]
		shr	eax, 15h
		shr	ecx, 15h
		and	eax, 3FFh
		and	ecx, 3FFh
		cmp	ecx, eax
		jnb	short loc_740017

loc_740045:				; DATA XREF: PAGE:??_C@_1BK@GCMGPE@?$AAE?$AAt?$AAw?$AAR?$AAT?$AA?$CF?$AAw?$AAs?$AA?4?$AAe?$AAt?$AAl@NNGAKEGL@o
		mov	edx, ebx
		sub	eax, ecx

loc_740049:				; CODE XREF: CmpEnumerateKcbCacheBucket(x,x,x,x)+45j
		mov	edx, [edx+24h]
		sub	eax, 1
		jnz	short loc_740049
		cmp	edx, edi
		jnz	short loc_740017
		push	[ebp+arg_4]
		push	ebx
		call	[ebp+arg_0]

loc_74005C:				; DATA XREF: DbgkForwardException+53o
		test	eax, eax
		jnz	short loc_74001D
		jmp	short loc_740017
_CmpEnumerateKcbCacheBucket@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCleanUpKCBCacheTable(x)
_CmpCleanUpKCBCacheTable@4 proc	near	; CODE XREF: CmpEnumerateAllOpenSubKeys+18p
					; CmpCleanUpHigherLayerKcbCachesPostCallback(x,x,x)+Cp	...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h

loc_74006A:				; DATA XREF: PAGE:008BC762o
					; PAGE:008C8C3Co
		sub	esp, 24h

loc_74006D:				; DATA XREF: PAGE:008B8DD0o
					; PAGE:008B95C0o ...
		mov	eax, ___security_cookie

loc_740072:				; DATA XREF: PAGE:008B7094o
					; PAGE:008B72B8o ...
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		mov	ebx, [ecx+438h]
		xor	eax, eax
		and	[esp+28h+var_24], eax
		and	[esp+28h+var_20], eax
		push	esi
		mov	esi, [ecx+434h]
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+30h+var_1C]
		rep stosd
		lea	ecx, [esp+30h+var_1C]
		call	CmpAttachToRegistryProcess
		lea	ecx, [esp+30h+var_24]
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		test	ebx, ebx
		jz	short loc_7400C1
		lea	edi, [esi+8]

loc_7400B3:				; CODE XREF: CmpCleanUpKCBCacheTable(x)+5Dj
		mov	eax, [edi]

loc_7400B5:				; CODE XREF: CmpCleanUpKCBCacheTable(x)+89j
		test	eax, eax
		jnz	short loc_7400DE
		add	edi, 0Ch
		sub	ebx, 1
		jnz	short loc_7400B3

loc_7400C1:				; CODE XREF: CmpCleanUpKCBCacheTable(x)+4Cj
		xor	edx, edx
		lea	ecx, [esp+30h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7400DE:				; CODE XREF: CmpCleanUpKCBCacheTable(x)+55j
		lea	esi, [eax-8]
		cmp	dword ptr [esi], 0
		jz	short loc_7400ED
		lea	eax, [esi+0Ch]

loc_7400E9:				; CODE XREF: CmpCleanUpKCBCacheTable(x)+BAj
		mov	eax, [eax]
		jmp	short loc_7400B5
; 

loc_7400ED:				; CODE XREF: CmpCleanUpKCBCacheTable(x)+82j
		mov	ecx, esi
		call	_CmpRemoveFromDelayedClose@4 ; CmpRemoveFromDelayedClose(x)
		lea	edx, [esp+30h+var_24]
		mov	ecx, esi
		call	CmpCleanUpKcbCacheWithLock
		test	dword ptr [esi+4], 80000h
		jz	short loc_74010F
		mov	ecx, esi
		call	CmpFreeKeyControlBlock

loc_74010F:				; CODE XREF: CmpCleanUpKCBCacheTable(x)+A4j
		mov	dl, 1
		lea	ecx, [esp+30h+var_24]
		call	CmpDrainDelayDerefContext
		mov	eax, edi
		jmp	short loc_7400E9
_CmpCleanUpKCBCacheTable@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFreeKeyControlBlock proc near	; CODE XREF: CmpCleanUpKCBCacheTable(x)+A8p
					; CmpUnlockKcb(x)+50j ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CBAFD SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	[ebp+var_4], offset _CmPerfCounters
		mov	esi, [ebp+var_4]
		push	edi
		mov	[ebp+var_8], ecx
		jmp	short loc_740140
; 
		align 10h

loc_740140:				; CODE XREF: CmpFreeKeyControlBlock+18j
					; CmpFreeKeyControlBlock+42j ...
		mov	edi, ds:_CmPerfCounters
		mov	ebx, edi
		mov	edx, ds:dword_A94394
		sub	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_4], edx
		sbb	ecx, 0
		mov	eax, edi
		nop
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		jnz	short loc_740140
		cmp	edx, [ebp+var_4]
		jnz	short loc_740140
		mov	esi, [ebp+var_8]
		lea	eax, [esi+40h]
		cmp	[eax], eax
		jnz	loc_8CBAFD
		test	dword ptr [esi+4], 10000h
		jnz	loc_8CBB0B
		mov	ecx, [esi+0A0h]
		test	cl, 1
		jnz	loc_8CBB19

loc_740193:				; CODE XREF: CmpFreeKeyControlBlock+18B9FCj
		test	ecx, ecx
		jnz	loc_74021C

loc_74019B:				; CODE XREF: CmpFreeKeyControlBlock+106j
		or	dword ptr [esi+4], 10000h
		mov	dword ptr [esi+10h], 0
		mov	ax, word_6F9D84
		inc	dword_6F9D94
		cmp	ax, word_6F9D88
		jnb	short loc_740208
		mov	edx, esi
		mov	ecx, offset _CmpKcbLookaside
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_7401CA:				; CODE XREF: CmpFreeKeyControlBlock+FAj
		mov	[ebp+var_8], offset dword_A943B0

loc_7401D1:				; CODE XREF: CmpFreeKeyControlBlock+DBj
					; CmpFreeKeyControlBlock+DFj
		mov	esi, ds:dword_A943B0
		mov	ebx, esi
		mov	edi, ds:dword_A943B4
		sub	ebx, 1
		mov	ecx, edi
		mov	[ebp+var_4], edi
		sbb	ecx, 0
		mov	eax, esi
		mov	edx, edi
		nop
		mov	edi, [ebp+var_8]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_7401D1
		cmp	edx, edi
		jnz	short loc_7401D1
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_740208:				; CODE XREF: CmpFreeKeyControlBlock+9Cj
		inc	dword_6F9D98
		push	offset _CmpKcbLookaside
		push	esi
		call	dword_6F9DAC
		jmp	short loc_7401CA
; 

loc_74021C:				; CODE XREF: CmpFreeKeyControlBlock+75j
		mov	edx, 624E4D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		jmp	loc_74019B
CmpFreeKeyControlBlock endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRemoveFromDelayedClose(x)
_CmpRemoveFromDelayedClose@4 proc near	; CODE XREF: CmpReferenceKeyControlBlock:loc_73FF70p
					; CmpCleanUpKCBCacheTable(x)+8Dp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _CmpDelayedCloseTableLock
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	al, [esi+20h]
		test	al, 2
		jz	short loc_74028D
		lea	ecx, [esi+78h]
		test	al, 4
		mov	eax, [ecx]
		jnz	short loc_740298
		cmp	[eax+4], ecx
		jnz	short loc_7402A1
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_7402A1
		dec	_CmpDelayedCloseElements
		mov	[edx], eax
		mov	[eax+4], edx
		add	ds:dword_A94398, 0FFFFFFFFh
		adc	ds:dword_A9439C, 0FFFFFFFFh

loc_740278:				; CODE XREF: CmpRemoveFromDelayedClose(x)+73j
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		xor	ecx, ecx
		lock or	[eax], ecx
		and	byte ptr [esi+20h], 0FDh

loc_74028D:				; CODE XREF: CmpRemoveFromDelayedClose(x)+1Cj
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		pop	esi
		leave
		retn
; 

loc_740298:				; CODE XREF: CmpRemoveFromDelayedClose(x)+25j
		mov	byte ptr [eax],	1
		and	byte ptr [esi+20h], 0FBh
		jmp	short loc_740278
; 

loc_7402A1:				; CODE XREF: CmpRemoveFromDelayedClose(x)+2Aj
					; CmpRemoveFromDelayedClose(x)+31j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmpRemoveFromDelayedClose@4 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmUnloadKey	proc near		; CODE XREF: NtUnloadKey(x)+Ep
					; NtUnloadKeyEx(x,x)+Fp ...

var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= byte ptr -0D4h
var_D2		= byte ptr -0D2h
var_D1		= byte ptr -0D1h
var_D0		= dword	ptr -0D0h
var_BC		= dword	ptr -0BCh
var_94		= dword	ptr -94h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_54		= dword	ptr -54h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CBB21 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008CBB40 SIZE 00000137 BYTES
; FUNCTION CHUNK AT 008CBC88 SIZE 00000010 BYTES

		push	13Ch
		push	offset dword_6A0240
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	[ebp+var_110], esi
		mov	[ebp+var_F4], ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_10C], eax
		xor	ebx, ebx
		mov	[ebp+var_138], ebx
		mov	[ebp+var_DC], ebx
		mov	[ebp+var_D8], ebx
		push	ebx
		lea	eax, [ebp+var_DC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	0B4h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_D0]
		push	eax		; void *
		call	_memset
		or	[ebp+var_94], 0FFFFFFFFh
		mov	[ebp+var_78], ebx
		mov	[ebp+var_74], ebx
		lea	eax, [ebp+var_78]
		mov	[ebp+var_74], eax
		mov	[ebp+var_78], eax
		push	38h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_54]
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_D2], al
		mov	byte ptr [ebp+var_F8], al
		mov	[ebp+var_E0], ebx
		mov	[ebp+var_E4], ebx
		mov	[ebp+var_F0], ebx
		mov	[ebp+var_E8], ebx
		xor	eax, eax
		lea	edi, [ebp+var_14C]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	al, bl
		mov	[ebp+var_D1], al
		lea	eax, [ebp+var_100]
		mov	[ebp+var_FC], eax
		mov	[ebp+var_100], eax
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_D4], al
		test	al, al
		jz	loc_8CBB21
		push	[ebp+var_F8]
		push	ds:dword_A949DC
		push	ds:_SeRestorePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_8CBB47
		test	esi, 0FFFFFFFEh
		jnz	loc_8CBB4E
		mov	[ebp+ms_exc.disabled], ebx
		mov	al, [ebp+var_D2]
		mov	edx, [ebp+var_F4]
		cmp	al, 1
		jz	loc_8CBB55

loc_7403D5:				; CODE XREF: CmUnloadKey+18B8CAj
		push	6
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp+var_134]
		rep movsd
		cmp	al, 1
		jz	loc_8CBB7A
		mov	ecx, [edx+8]
		mov	eax, [ecx]
		mov	[ebp+var_DC], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_D8], eax

loc_7403FE:				; CODE XREF: CmUnloadKey+18B91Bj
					; CmUnloadKey+18B934j ...
		movzx	esi, word ptr [ebp+var_DC]
		mov	eax, esi
		test	ax, ax
		jz	loc_8CBBFE
		push	35374D43h
		mov	edx, eax
		call	_CmpAllocateTransientPoolWithQuotaTag@12 ; CmpAllocateTransientPoolWithQuotaTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_F0], edi
		test	edi, edi
		jz	loc_8CBBE7
		push	esi		; size_t
		push	[ebp+var_D8]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	word ptr [ebp+var_DC], si
		mov	word ptr [ebp+var_DC+2], si
		mov	[ebp+var_D8], edi

loc_740450:				; CODE XREF: CmUnloadKey+18B965j
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_12C], eax
		mov	[ebp+var_124], ebx
		mov	[ebp+var_120], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_D2], 1
		jz	loc_8CBC10

loc_74047C:				; CODE XREF: CmUnloadKey+18B995j
		mov	[ebp+var_BC], ebx
		mov	[ebp+var_D0], 4
		lea	eax, [ebp+var_E0]
		push	eax
		lea	eax, [ebp+var_D0]
		push	eax
		push	ebx
		push	ds:_CmKeyObjectType
		push	ebx
		xor	edx, edx
		lea	ecx, [ebp+var_134]
		call	ObReferenceObjectByNameEx
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_8CBC40

loc_7404BD:				; CODE XREF: CmUnloadKey+18B99Fj
		test	esi, esi
		js	loc_7405A5
		mov	ecx, [ebp+var_10C]
		test	ecx, ecx
		jz	short loc_74050D
		mov	eax, ds:_ExEventObjectType
		mov	[ebp+var_EC], ebx
		push	ebx
		lea	edx, [ebp+var_EC]
		push	edx
		push	[ebp+var_F8]
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_EC]
		mov	[ebp+var_E4], eax
		test	esi, esi
		js	loc_7405A5
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_74050D:				; CODE XREF: CmUnloadKey+227j
		cmp	_CmpCallBackCount, 0
		jz	short loc_740568
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_740568
		mov	ecx, [ebp+var_E0]
		mov	[ebp+var_14C], ecx
		mov	eax, [ebp+var_E4]
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_100]
		push	eax
		push	ecx
		push	23h
		push	1
		push	ebx
		lea	edx, [ebp+var_14C]
		push	22h
		pop	ecx
		call	CmpCallCallBacksEx
		mov	esi, eax
		test	esi, esi
		js	loc_8CBC4A
		mov	[ebp+var_D1], 1

loc_740568:				; CODE XREF: CmUnloadKey+26Ej
					; CmUnloadKey+27Cj
		mov	[ebp+var_114], ebx
		mov	edi, [ebp+var_110]

loc_740574:				; CODE XREF: CmUnloadKey+18B9C2j
		mov	eax, _CmpShutdownRundown
		test	al, 1
		jnz	loc_8CBC6D
		push	[ebp+var_E4]
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, [ebp+var_E0]
		call	CmpPerformUnloadKey
		mov	esi, eax
		cmp	esi, 0C000022Dh
		jz	loc_8CBC5D

loc_7405A5:				; CODE XREF: CmUnloadKey+219j
					; CmUnloadKey+25Bj ...
		mov	al, [ebp+var_D1]

loc_7405AB:				; CODE XREF: CmUnloadKey+18B89Cj
		test	al, al
		jz	short loc_7405CF
		lea	eax, [ebp+var_100]
		push	eax
		push	ebx
		lea	eax, [ebp+var_14C]
		push	eax
		push	esi
		mov	edx, [ebp+var_E0]
		push	23h
		pop	ecx
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		mov	esi, eax

loc_7405CF:				; CODE XREF: CmUnloadKey+307j
		mov	ecx, [ebp+var_E4]
		test	ecx, ecx
		jz	short loc_7405DE
		call	ObfDereferenceObject

loc_7405DE:				; CODE XREF: CmUnloadKey+331j
		mov	ecx, [ebp+var_E0]
		test	ecx, ecx
		jz	short loc_7405ED
		call	ObfDereferenceObject

loc_7405ED:				; CODE XREF: CmUnloadKey+340j
		mov	edi, [ebp+var_F0]
		test	edi, edi
		jz	short loc_7405FE
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_7405FE:				; CODE XREF: CmUnloadKey+34Fj
		cmp	[ebp+var_E8], 0
		jnz	loc_8CBC88

loc_74060B:				; CODE XREF: CmUnloadKey+18B9EDj
		xor	dl, dl
		lea	ecx, [ebp+var_D0]
		call	CmpCleanupParseContext
		cmp	[ebp+var_D4], 0
		jz	short loc_740626
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_740626:				; CODE XREF: CmUnloadKey+379j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
CmUnloadKey	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFlushNotify	proc near		; CODE XREF: CmpPerformUnloadKey+10Ap
					; CmpDeleteKeyObject+170p ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CBC98 SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		push	esi
		push	edi
		mov	edi, [ebx+0Ch]
		test	edi, edi
		jz	short loc_7406CF
		mov	eax, [ebx+8]
		mov	esi, [eax+10h]
		add	esi, 448h
		test	dl, dl
		jnz	short loc_740674
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	edi, [ebx+0Ch]
		mov	dl, [ebp+var_1]

loc_740674:				; CODE XREF: CmpFlushNotify+23j
		test	edi, edi
		jz	short loc_7406D6
		lea	eax, [edi+8]
		cmp	[eax], eax
		jnz	loc_8CBCC2

loc_740683:				; CODE XREF: CmpFlushNotify+18B699j
		test	edi, edi
		jz	loc_8CBC98
		lea	eax, [edi+1Ch]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [edi+4]
		mov	eax, [edi]
		mov	[ecx], eax
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_7406A7
		mov	eax, [edi+4]
		mov	[ecx+4], eax

loc_7406A7:				; CODE XREF: CmpFlushNotify+5Fj
		and	dword ptr [ebx+0Ch], 0
		cmp	[ebp+var_1], 0
		jnz	short loc_7406C7
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_8CBCDE

loc_7406C0:				; CODE XREF: CmpFlushNotify+18B6A0j
					; CmpFlushNotify+18B6ADj
		mov	ecx, esi
		call	KeAbPostRelease

loc_7406C7:				; CODE XREF: CmpFlushNotify+6Fj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7406CF:				; CODE XREF: CmpFlushNotify+13j
					; CmpFlushNotify:loc_8CBC9Cj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7406D6:				; CODE XREF: CmpFlushNotify+36j
		test	dl, dl
		jmp	loc_8CBC9C
CmpFlushNotify	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpPerformKcbUnloadCheck(x)
_CmpPerformKcbUnloadCheck@4 proc near	; CODE XREF: CmpPerformUnloadKey+111p
		mov	eax, [ecx+10h]
		cmp	eax, ds:_CmpMasterHive
		jz	short loc_740707
		test	dword ptr [ecx+68h], 40000h
		jz	short loc_740707
		mov	al, [eax+980h]
		and	al, 4
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000022h
		retn
; 

loc_740707:				; CODE XREF: CmpPerformKcbUnloadCheck(x)+9j
					; CmpPerformKcbUnloadCheck(x)+12j
		mov	eax, 0C000000Dh
		retn
_CmpPerformKcbUnloadCheck@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpPerformUnloadKey proc near		; CODE XREF: CmUnloadKey+2ECp

var_62		= byte ptr -62h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CBCF2 SIZE 000001BF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	[esp+70h+var_5C], eax
		lea	edi, [esp+70h+var_1C]
		xor	eax, eax
		mov	[esp+70h+var_40], edx
		mov	esi, ecx
		xor	edx, edx
		push	6
		pop	ecx
		rep stosd
		lea	eax, [esp+70h+var_54]
		mov	[esp+70h+var_30], esi
		mov	[esp+70h+var_50], eax
		lea	edi, [esp+70h+var_4C]
		mov	[esp+70h+var_54], eax
		lea	ecx, [esp+70h+var_38]
		xor	eax, eax
		mov	[esp+70h+var_62], dl
		stosd
		mov	[esp+70h+var_38], edx
		mov	[esp+70h+var_34], edx
		mov	[esp+0Fh], dl
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+70h+var_2C]
		stosd
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [esp+70h+var_2C+2], ax
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		push	6
		pop	ebx
		mov	[esp+70h+var_60], ebx
		mov	[esp+70h+var_58], ebx
		mov	ebx, [esi+8]
		test	byte ptr [ebx+4], 80h
		mov	edi, [ebx+10h]
		mov	[esp+70h+var_3C], edi
		jnz	loc_8CBCF2
		xor	edx, edx
		mov	ecx, esi
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_8CBCF7
		test	dword ptr [ebx+4], 40000h
		jnz	loc_8CBD42
		mov	eax, [esp+70h+var_40]
		and	eax, 1
		cmp	byte ptr [edi+6DCh], 0
		mov	[esp+70h+var_40], eax
		jnz	loc_8CBD49

loc_7407E8:				; CODE XREF: CmpPerformUnloadKey+18B646j
		mov	edx, ebx
		lea	ecx, [esp+70h+var_2C]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		test	eax, eax
		js	loc_8CBD61
		lea	eax, [esp+70h+var_54]
		xor	edx, edx
		push	eax
		push	4
		lea	ecx, [esp+78h+var_2C]
		call	_CmpReportNotifyForKcbStack@16 ; CmpReportNotifyForKcbStack(x,x,x,x)
		mov	ecx, [esp+70h+var_30]
		lea	eax, [esp+70h+var_54]
		push	eax
		mov	dl, 1
		call	CmpFlushNotify
		mov	ecx, ebx
		call	_CmpPerformKcbUnloadCheck@4 ; CmpPerformKcbUnloadCheck(x)
		mov	esi, eax
		test	esi, esi
		js	loc_8CBCF7
		mov	edx, [esp+70h+var_40]
		test	edx, edx
		jnz	loc_740992
		call	_CmpDoesKeyHaveOpenSubkeys@4 ; CmpDoesKeyHaveOpenSubkeys(x)
		test	al, al
		jz	short loc_7408B5

loc_740843:				; CODE XREF: CmpPerformUnloadKey+1AAj
		cmp	[ebp+arg_0], 0
		jz	loc_8CBD70
		mov	edx, [esp+70h+var_5C]
		mov	ecx, ebx
		call	_CmpFreezeHive@8 ; CmpFreezeHive(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8CBCF7
		mov	esi, 103h

loc_740867:				; CODE XREF: CmpPerformUnloadKey+245j
					; CmpPerformUnloadKey+25Fj ...
		mov	ebx, [esp+70h+var_60]
		test	bl, 2
		jz	short loc_740875
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_740875:				; CODE XREF: CmpPerformUnloadKey+160j
		test	bl, 4
		jz	short loc_74087F
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()

loc_74087F:				; CODE XREF: CmpPerformUnloadKey+16Aj
		lea	eax, [esp+70h+var_54]
		cmp	[esp+70h+var_54], eax
		jnz	loc_740984

loc_74088D:				; CODE XREF: CmpPerformUnloadKey+27Fj
		lea	ecx, [esp+70h+var_2C]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		lea	ecx, [esp+70h+var_4C]
		call	CmpCleanupRollbackPacket
		mov	ecx, [esp+70h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7408B5:				; CODE XREF: CmpPerformUnloadKey+133j
		cmp	dword ptr [ebx], 2
		jnz	short loc_740843

loc_7408BA:				; CODE XREF: CmpPerformUnloadKey+2FAj
		or	dword ptr [ebx+4], 40000h
		cmp	byte ptr [edi+6DCh], 1
		mov	byte ptr [esp+0Fh], 1
		jz	loc_8CBDC1

loc_7408D3:				; CODE XREF: CmpPerformUnloadKey+18B6C8j
		xor	dl, dl
		lea	ecx, [esp+70h+var_38]
		call	CmpDrainDelayDerefContext
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		lock inc _CmpActiveHiveRundownCount
		lea	esi, [edi+430h]
		mov	ecx, esi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, esi
		call	@ExRundownCompleted@4 ;	ExRundownCompleted(x)
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		mov	ecx, [edi+9A0h]
		test	ecx, ecx
		jnz	loc_8CBDDB

loc_74091D:				; CODE XREF: CmpPerformUnloadKey+18B79Ej
		lea	ecx, [esp+70h+var_1C]
		call	CmpAttachToRegistryProcess
		lea	eax, [esp+70h+var_58]
		mov	ecx, ebx
		push	eax
		call	_CmpCompleteUnloadKey@12 ; CmpCompleteUnloadKey(x,x,x)
		xor	edx, edx
		lea	ecx, [esp+70h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		xor	esi, esi
		mov	eax, [esp+70h+var_58]
		mov	[esp+70h+var_60], eax

loc_740947:				; CODE XREF: CmpPerformUnloadKey+18B62Fj
		or	eax, 0FFFFFFFFh
		lock xadd _CmpActiveHiveRundownCount, eax
		dec	eax
		jnz	loc_740867
		and	[esp+70h+var_5C], 0
		lea	eax, [esp+70h+var_5C]
		xor	ecx, ecx
		lock or	[eax], ecx
		cmp	_CmpActiveHiveRundownEvent, ecx
		jz	loc_740867
		xor	edx, edx
		mov	ecx, offset _CmpActiveHiveRundownEvent
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_740867
; 

loc_740984:				; CODE XREF: CmpPerformUnloadKey+179j
		lea	ecx, [esp+70h+var_54]
		call	_CmpSignalDeferredPosts@4 ; CmpSignalDeferredPosts(x)
		jmp	loc_74088D
; 

loc_740992:				; CODE XREF: CmpPerformUnloadKey+126j
		mov	eax, [ebx+6Ch]
		test	eax, eax
		jnz	loc_8CBD77

loc_74099D:				; CODE XREF: CmpPerformUnloadKey+18B66Ej
		lea	eax, [esp+70h+var_4C]
		mov	dl, 1
		push	eax
		push	ecx
		call	CmpTryAcquireKcbIXLocks
		mov	esi, eax
		cmp	esi, 0C000022Dh
		jz	loc_8CBD84
		test	esi, esi
		js	loc_8CBCF7
		lea	eax, [esp+70h+var_4C]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	_CmpPrepareForSubtreeInvalidation@12 ; CmpPrepareForSubtreeInvalidation(x,x,x)
		mov	esi, eax
		cmp	esi, 0C000022Dh
		jz	loc_8CBD84
		test	esi, esi
		js	loc_8CBCF7
		push	0
		lea	eax, [esp+74h+var_38]
		xor	edx, edx
		push	eax
		push	1
		inc	edx
		mov	ecx, ebx
		call	_CmpInvalidateSubtree@20 ; CmpInvalidateSubtree(x,x,x,x,x)
		push	1
		lea	eax, [esp+74h+var_38]
		xor	edx, edx
		push	eax
		inc	edx
		mov	ecx, ebx
		call	CmpFlushNotifiesOnKeyBodyList
		jmp	loc_7408BA
CmpPerformUnloadKey endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpFlushUnsupportedOperationTelemetry()
_CmpFlushUnsupportedOperationTelemetry@0 proc near
					; CODE XREF: CmpDoReconcileNextHive:loc_7414DAp
					; CmpFlushTraceLoggingProvider()+3p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, offset _CmpUnsupportedOperationHits

loc_740A1A:				; CODE XREF: CmpFlushUnsupportedOperationTelemetry()+1Ej
		xor	edx, edx
		xchg	edx, [esi]
		test	edx, edx
		jnz	short loc_740A32

loc_740A22:				; CODE XREF: CmpFlushUnsupportedOperationTelemetry()+2Bj
		add	esi, 4
		inc	edi
		cmp	esi, offset _CmpDelayFreeRMListHead
		jl	short loc_740A1A
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_740A32:				; CODE XREF: CmpFlushUnsupportedOperationTelemetry()+12j
		mov	ecx, edi
		call	_CmpSendUnsupportedOperationTelemetryEvent@8 ; CmpSendUnsupportedOperationTelemetryEvent(x,x)
		jmp	short loc_740A22
_CmpFlushUnsupportedOperationTelemetry@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall HvIsCurrentLogSwappable(x)
_HvIsCurrentLogSwappable@4 proc	near	; CODE XREF: CmpGenerateFlushControlData+1EEp
					; CmpFlushHive+4FCp ...
		mov	edx, [ecx+68h]
		cmp	edx, 4
		jnz	short loc_740A58

loc_740A44:				; CODE XREF: HvIsCurrentLogSwappable(x)+1Fj
		xor	eax, eax
		cmp	edx, 4
		setz	al
		cmp	byte ptr [eax+ecx+80h],	0
		setz	al
		retn
; 

loc_740A58:				; CODE XREF: HvIsCurrentLogSwappable(x)+6j
		cmp	edx, 5
		jz	short loc_740A44
		xor	al, al
		retn
_HvIsCurrentLogSwappable@4 endp


;  S U B	R O U T	I N E 


; __stdcall HvpViewMapGetMaxStorageLength(x)
_HvpViewMapGetMaxStorageLength@4 proc near ; CODE XREF:	HvpAddBin+26Dp
		test	byte ptr [ecx+1Ch], 1
		jnz	short loc_740A87
		or	eax, 0FFFFFFFFh
		mov	ecx, 7FFFFFFFh

loc_740A6E:				; CODE XREF: HvpViewMapGetMaxStorageLength(x)+2Dj
		push	0
		push	7FFFF000h
		and	eax, 0FFFFF000h
		push	ecx
		push	eax
		call	_HvpMinLong64@16 ; HvpMinLong64(x,x,x,x)
		sub	eax, 1000h
		retn
; 

loc_740A87:				; CODE XREF: HvpViewMapGetMaxStorageLength(x)+4j
		mov	eax, [ecx+10h]
		mov	ecx, [ecx+14h]
		jmp	short loc_740A6E
_HvpViewMapGetMaxStorageLength@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapExtendStorage(x, x)
_HvpViewMapExtendStorage@8 proc	near	; CODE XREF: HvpAddBin+282p
					; HvpPerformLogFileRecovery(x,x,x,x)+B6p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		lea	edi, [edx+1000h]
		cmp	[esi+0Ch], ebx
		jl	short loc_740AB9
		jg	loc_740B3B
		cmp	[esi+8], edi
		jnb	loc_740B3B

loc_740AB9:				; CODE XREF: HvpViewMapExtendStorage(x,x)+18j
		cmp	ebx, [esi+14h]
		jl	short loc_740AD2
		jg	short loc_740AC5
		cmp	edi, [esi+10h]
		jbe	short loc_740AD2

loc_740AC5:				; CODE XREF: HvpViewMapExtendStorage(x,x)+2Ej
		mov	ecx, [esi]
		push	ebx
		push	edi
		call	_CmSiExtendSection@12 ;	CmSiExtendSection(x,x,x)
		test	eax, eax
		js	short loc_740B3D

loc_740AD2:				; CODE XREF: HvpViewMapExtendStorage(x,x)+2Cj
					; HvpViewMapExtendStorage(x,x)+33j
		mov	ecx, esi
		call	_HvpViewMapGetLastView@4 ; HvpViewMapGetLastView(x)
		test	eax, eax
		jz	short loc_740B2B
		mov	ecx, [eax+2Ch]
		mov	edx, [eax+28h]
		mov	ebx, [eax+18h]
		mov	[ebp+var_4], ecx
		mov	ecx, [eax+1Ch]
		mov	[ebp+var_8], ecx
		cmp	[ebp+var_4], ecx
		jl	short loc_740AFA
		jg	short loc_740B29
		cmp	edx, ebx
		jnb	short loc_740B29

loc_740AFA:				; CODE XREF: HvpViewMapExtendStorage(x,x)+62j
		test	ecx, ecx
		jg	short loc_740B04
		jl	short loc_740B0B
		cmp	ebx, edi
		jbe	short loc_740B0B

loc_740B04:				; CODE XREF: HvpViewMapExtendStorage(x,x)+6Cj
		xor	ecx, ecx
		mov	ebx, edi
		mov	[ebp+var_8], ecx

loc_740B0B:				; CODE XREF: HvpViewMapExtendStorage(x,x)+6Ej
					; HvpViewMapExtendStorage(x,x)+72j
		push	0
		push	ecx
		push	ebx
		push	[ebp+var_4]
		mov	ecx, esi
		push	edx
		mov	edx, eax
		call	HvpViewMapMakeViewRangeValid
		test	eax, eax
		js	short loc_740B3D
		mov	eax, [ebp+var_8]
		mov	[esi+8], ebx
		mov	[esi+0Ch], eax

loc_740B29:				; CODE XREF: HvpViewMapExtendStorage(x,x)+64j
					; HvpViewMapExtendStorage(x,x)+68j
		xor	ebx, ebx

loc_740B2B:				; CODE XREF: HvpViewMapExtendStorage(x,x)+4Bj
		mov	ecx, [esi+0Ch]
		mov	eax, [esi+8]
		cmp	ecx, ebx
		jg	short loc_740B3B
		jl	short loc_740B42
		cmp	eax, edi
		jb	short loc_740B42

loc_740B3B:				; CODE XREF: HvpViewMapExtendStorage(x,x)+1Aj
					; HvpViewMapExtendStorage(x,x)+23j ...
		mov	eax, ebx

loc_740B3D:				; CODE XREF: HvpViewMapExtendStorage(x,x)+40j
					; HvpViewMapExtendStorage(x,x)+8Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_740B42:				; CODE XREF: HvpViewMapExtendStorage(x,x)+A5j
					; HvpViewMapExtendStorage(x,x)+A9j
		push	ebx
		push	edi
		push	ecx
		push	eax
		xor	dl, dl
		mov	ecx, esi
		call	HvpViewMapCreateViewsForRegion
		test	eax, eax
		js	short loc_740B3D
		mov	[esi+8], edi
		mov	[esi+0Ch], ebx
		jmp	short loc_740B3B
_HvpViewMapExtendStorage@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall HvpViewMapGetLastView(x)
_HvpViewMapGetLastView@4 proc near	; CODE XREF: HvpViewMapExtendStorage(x,x)+44p
		mov	edi, edi
		push	esi
		mov	esi, [ecx+8]
		mov	eax, esi
		push	edi
		mov	edi, [ecx+0Ch]
		or	eax, edi
		jz	short loc_740BC0
		sub	esi, 1
		sbb	edi, 0
		add	ecx, 20h
		test	byte ptr [ecx+4], 1
		mov	eax, [ecx]
		jz	short loc_740B83
		test	eax, eax
		jz	short loc_740B83
		xor	eax, ecx

loc_740B83:				; CODE XREF: HvpViewMapGetLastView(x)+1Fj
					; HvpViewMapGetLastView(x)+23j
		movzx	edx, byte ptr [ecx+4]
		and	edx, 1
		jmp	short loc_740B8E
; 

loc_740B8C:				; CODE XREF: HvpViewMapGetLastView(x)+46j
					; HvpViewMapGetLastView(x)+4Aj
		mov	eax, ecx

loc_740B8E:				; CODE XREF: HvpViewMapGetLastView(x)+2Ej
					; HvpViewMapGetLastView(x)+4Ej
		test	eax, eax
		jz	short loc_740BB8
		cmp	edi, [eax+24h]
		jl	short loc_740B9E
		jg	short loc_740BAC
		cmp	esi, [eax+20h]
		jnb	short loc_740BAC

loc_740B9E:				; CODE XREF: HvpViewMapGetLastView(x)+39j
		mov	ecx, [eax]

loc_740BA0:				; CODE XREF: HvpViewMapGetLastView(x)+62j
		test	edx, edx
		jz	short loc_740B8C
		test	ecx, ecx
		jz	short loc_740B8C
		xor	eax, ecx
		jmp	short loc_740B8E
; 

loc_740BAC:				; CODE XREF: HvpViewMapGetLastView(x)+3Bj
					; HvpViewMapGetLastView(x)+40j
		cmp	edi, [eax+2Ch]
		jl	short loc_740BB8
		jg	short loc_740BBB
		cmp	esi, [eax+28h]
		jnb	short loc_740BBB

loc_740BB8:				; CODE XREF: HvpViewMapGetLastView(x)+34j
					; HvpViewMapGetLastView(x)+53j	...
		pop	edi
		pop	esi
		retn
; 

loc_740BBB:				; CODE XREF: HvpViewMapGetLastView(x)+55j
					; HvpViewMapGetLastView(x)+5Aj
		mov	ecx, [eax+4]
		jmp	short loc_740BA0
; 

loc_740BC0:				; CODE XREF: HvpViewMapGetLastView(x)+Ej
		xor	eax, eax
		jmp	short loc_740BB8
_HvpViewMapGetLastView@4 endp


;  S U B	R O U T	I N E 


; __stdcall HvUpdateUnreconciledVector(x, x)
_HvUpdateUnreconciledVector@8 proc near	; CODE XREF: CmpFlushHive+542p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+3Ch]
		lea	edx, [edi+44Ch]
		mov	ecx, esi
		call	_RtlMergeBitMaps@8 ; RtlMergeBitMaps(x,x)
		push	esi
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	[edi+44h], eax
		pop	edi
		pop	esi
		retn
_HvUpdateUnreconciledVector@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpUpdateSystemHiveHysteresis proc near	; CODE XREF: HvpAddBin+2CAp
					; HvFreeHivePartial+18A378p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CBEB1 SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		cmp	ecx, dword_6B179C
		jz	short loc_740BFB

loc_740BF6:				; CODE XREF: CmpUpdateSystemHiveHysteresis+1Cj
					; CmpUpdateSystemHiveHysteresis+3Ej ...
		pop	esi
		pop	ebp
		retn	4
; 

loc_740BFB:				; CODE XREF: CmpUpdateSystemHiveHysteresis+Ej
		cmp	_CmpSystemHiveHysteresisCallback, 0
		jz	short loc_740BF6
		lea	eax, [esi+1000h]
		xor	edx, edx
		imul	eax, 64h
		div	_CmSystemHiveLimitSize
		cmp	esi, [ebp+arg_0]
		jbe	loc_8CBEE9
		cmp	eax, _CmpSystemHiveHysteresisHigh
		jbe	short loc_740BF6
		jmp	loc_8CBEB1
CmpUpdateSystemHiveHysteresis endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpDoFileSetSizeEx proc	near		; CODE XREF: HvTruncateAllLogFilesIfRequired+37p
					; HvpAddBin+22Fp ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008CBF2D SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		mov	[esp+3Ch+var_10], eax
		mov	[esp+3Ch+var_C], eax
		mov	[esp+3Ch+var_18], eax
		mov	[esp+3Ch+var_14], eax
		mov	[esp+3Ch+var_8], eax
		mov	[esp+3Ch+var_4], eax
		mov	eax, [ebx+esi*4+400h]
		mov	[esp+3Ch+var_2C], eax
		push	edi
		test	eax, eax
		jz	short loc_740C8C
		call	CmpGetLastSetFileSize
		test	[ebp+arg_8], 1
		mov	[esp+40h+var_20], eax
		mov	[esp+40h+var_24], edx
		jz	short loc_740C93
		mov	ecx, eax
		or	ecx, edx
		jz	short loc_740C93
		cmp	[ebp+arg_4], edx
		jb	short loc_740C8C
		ja	short loc_740C93
		cmp	[ebp+arg_0], eax
		ja	short loc_740C93

loc_740C8C:				; CODE XREF: CmpDoFileSetSizeEx+39j
					; CmpDoFileSetSizeEx+57j
		xor	eax, eax
		jmp	loc_740D24
; 

loc_740C93:				; CODE XREF: CmpDoFileSetSizeEx+4Cj
					; CmpDoFileSetSizeEx+52j ...
		push	[ebp+arg_4]
		mov	ecx, ebx
		push	[ebp+arg_0]
		push	edx
		push	eax
		mov	edx, esi
		call	CmpAdjustRequestedFileSize
		mov	edi, eax
		mov	[esp+40h+var_30], edx
		push	0
		mov	[esp+44h+var_28], edi
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	byte ptr [esp+40h+var_1C], al
		mov	eax, [esp+40h+var_30]
		cmp	eax, [esp+40h+var_24]
		ja	short loc_740CCB
		jb	short loc_740D3E
		cmp	edi, [esp+40h+var_20]
		jb	short loc_740D3E

loc_740CCB:				; CODE XREF: CmpDoFileSetSizeEx+95j
		mov	[esp+40h+var_C], eax
		lea	eax, [esp+40h+var_10]
		mov	[esp+40h+var_10], edi
		push	14h

loc_740CD9:				; CODE XREF: CmpDoFileSetSizeEx+120j
		push	8
		push	eax
		lea	eax, [esp+4Ch+var_8]
		push	eax
		push	[esp+50h+var_2C]
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8CBF2D
		test	esi, esi
		jz	short loc_740D4E
		cmp	esi, 4
		jnz	short loc_740D2D

loc_740CFD:				; CODE XREF: CmpDoFileSetSizeEx+104j
		mov	ecx, 498h

loc_740D02:				; CODE XREF: CmpDoFileSetSizeEx+110j
		mov	eax, [esp+40h+var_28]
		mov	edx, [esp+40h+var_30]
		mov	[ecx+ebx], eax
		mov	[ecx+ebx+4], edx

loc_740D11:				; CODE XREF: CmpDoFileSetSizeEx+109j
					; CmpDoFileSetSizeEx+136j
		test	edi, edi
		js	loc_8CBF2D

loc_740D19:				; CODE XREF: CmpDoFileSetSizeEx+18B31Aj
		push	[esp+40h+var_1C]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	eax, edi

loc_740D24:				; CODE XREF: CmpDoFileSetSizeEx+62j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_740D2D:				; CODE XREF: CmpDoFileSetSizeEx+CFj
		cmp	esi, 1
		jz	short loc_740CFD
		cmp	esi, 5
		jnz	short loc_740D11
		mov	ecx, 4A0h
		jmp	short loc_740D02
; 

loc_740D3E:				; CODE XREF: CmpDoFileSetSizeEx+97j
					; CmpDoFileSetSizeEx+9Dj
		mov	[esp+40h+var_14], eax
		lea	eax, [esp+40h+var_18]
		mov	[esp+40h+var_18], edi
		push	13h
		jmp	short loc_740CD9
; 

loc_740D4E:				; CODE XREF: CmpDoFileSetSizeEx+CAj
		mov	eax, [esp+40h+var_28]
		mov	edx, [esp+40h+var_30]
		mov	[ebx+490h], eax
		mov	[ebx+494h], edx
		jmp	short loc_740D11
CmpDoFileSetSizeEx endp


;  S U B	R O U T	I N E 


CmpGetLastSetFileSize proc near		; CODE XREF: CmpDoFileSetSizeEx+3Bp

; FUNCTION CHUNK AT 008CBF4B SIZE 0000000E BYTES

		test	edx, edx
		jz	short loc_740D7A
		cmp	edx, 4
		jnz	short loc_740D87

loc_740D6D:				; CODE XREF: CmpGetLastSetFileSize+18B1EAj
		mov	edx, 498h

loc_740D72:				; CODE XREF: CmpGetLastSetFileSize+31j
		mov	eax, [edx+ecx]
		mov	edx, [edx+ecx+4]
		retn
; 

loc_740D7A:				; CODE XREF: CmpGetLastSetFileSize+2j
		mov	eax, [ecx+490h]
		mov	edx, [ecx+494h]
		retn
; 

loc_740D87:				; CODE XREF: CmpGetLastSetFileSize+7j
		cmp	edx, 5
		jnz	loc_8CBF4B
		mov	edx, 4A0h
		jmp	short loc_740D72
CmpGetLastSetFileSize endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpAdjustRequestedFileSize proc	near	; CODE XREF: CmpDoFileSetSizeEx+73p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CBF59 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	[ebp+var_10], ecx
		mov	eax, edx
		mov	edx, [ebp+arg_C]
		xor	ecx, ecx
		and	[ebp+var_C], ecx
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_1], cl
		cmp	esi, [ebp+arg_8]
		jnz	short loc_740DCE
		cmp	edi, edx
		jz	loc_8CBF59

loc_740DCE:				; CODE XREF: CmpAdjustRequestedFileSize+2Cj
		test	eax, eax
		jz	loc_740E5B
		cmp	eax, 4
		jnz	short loc_740E27

loc_740DDB:				; CODE XREF: CmpAdjustRequestedFileSize+92j
					; CmpAdjustRequestedFileSize+18B1CCj
		mov	ecx, [ebp+var_10]
		call	HvGetEffectiveLogSizeCapForHive
		and	[ebp+var_C], ebx
		mov	edx, [ebp+arg_C]
		mov	[ebp+var_8], eax

loc_740DEC:				; CODE XREF: CmpAdjustRequestedFileSize+104j
		mov	eax, [ebp+var_14]

loc_740DEF:				; CODE XREF: CmpAdjustRequestedFileSize+18B1D2j
		mov	ecx, esi
		or	ecx, edi
		jz	short loc_740E0F
		cmp	edi, edx
		ja	short loc_740E0F
		jb	short loc_740E00
		cmp	esi, [ebp+arg_8]
		jnb	short loc_740E0F

loc_740E00:				; CODE XREF: CmpAdjustRequestedFileSize+61j
		cmp	edx, [ebp+var_C]
		ja	short loc_740E0F
		mov	ecx, [ebp+var_8]
		jb	short loc_740E31
		cmp	[ebp+arg_8], ecx
		jbe	short loc_740E31

loc_740E0F:				; CODE XREF: CmpAdjustRequestedFileSize+5Bj
					; CmpAdjustRequestedFileSize+5Fj ...
		mov	esi, [ebp+arg_8]
		mov	edi, edx

loc_740E14:				; CODE XREF: CmpAdjustRequestedFileSize+BAj
					; CmpAdjustRequestedFileSize+BFj ...
		test	ebx, ebx
		jnz	loc_740EA1

loc_740E1C:				; CODE XREF: CmpAdjustRequestedFileSize+112j
		mov	eax, esi
		mov	edx, edi

loc_740E20:				; CODE XREF: CmpAdjustRequestedFileSize+18B1C4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_740E27:				; CODE XREF: CmpAdjustRequestedFileSize+41j
		cmp	eax, 5
		jz	short loc_740DDB
		jmp	loc_8CBF61
; 

loc_740E31:				; CODE XREF: CmpAdjustRequestedFileSize+70j
					; CmpAdjustRequestedFileSize+75j
		cmp	[ebp+var_1], 0
		jnz	short loc_740E0F
		test	eax, eax
		jz	short loc_740EB8

loc_740E3B:				; CODE XREF: CmpAdjustRequestedFileSize+125j
		mov	eax, [ebp+var_C]

loc_740E3E:				; CODE XREF: CmpAdjustRequestedFileSize+B8j
					; CmpAdjustRequestedFileSize+C1j
		shld	edi, esi, 1
		add	esi, esi
		cmp	edi, eax
		ja	short loc_740EAF
		jb	short loc_740E4E
		cmp	esi, ecx
		ja	short loc_740EAF

loc_740E4E:				; CODE XREF: CmpAdjustRequestedFileSize+B0j
		cmp	edi, edx
		jb	short loc_740E3E
		ja	short loc_740E14
		cmp	esi, [ebp+arg_8]
		jnb	short loc_740E14
		jmp	short loc_740E3E
; 

loc_740E5B:				; CODE XREF: CmpAdjustRequestedFileSize+38j
		mov	eax, [ebp+var_10]
		mov	ecx, 40000h
		and	[ebp+var_C], ebx
		mov	[ebp+var_8], ecx
		test	byte ptr [eax+980h], 80h
		jnz	short loc_740E83
		mov	eax, esi
		or	eax, edi
		jnz	short loc_740E87
		test	edx, edx
		jb	short loc_740E83
		ja	short loc_740E87
		cmp	[ebp+arg_8], ecx
		ja	short loc_740E87

loc_740E83:				; CODE XREF: CmpAdjustRequestedFileSize+D8j
					; CmpAdjustRequestedFileSize+E2j
		mov	[ebp+var_1], 1

loc_740E87:				; CODE XREF: CmpAdjustRequestedFileSize+DEj
					; CmpAdjustRequestedFileSize+E4j ...
		xor	ebx, ebx
		cmp	[ebp+var_1], bl
		setnz	bl
		dec	ebx
		and	ebx, 3F000h
		add	ebx, 1000h
		jmp	loc_740DEC
; 

loc_740EA1:				; CODE XREF: CmpAdjustRequestedFileSize+7Ej
		dec	esi
		add	esi, ebx
		neg	ebx
		and	esi, ebx
		xor	edi, edi
		jmp	loc_740E1C
; 

loc_740EAF:				; CODE XREF: CmpAdjustRequestedFileSize+AEj
					; CmpAdjustRequestedFileSize+B4j
		mov	esi, ecx
		mov	edi, eax
		jmp	loc_740E14
; 

loc_740EB8:				; CODE XREF: CmpAdjustRequestedFileSize+A1j
		mov	ebx, 1000h
		jmp	loc_740E3B
CmpAdjustRequestedFileSize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvSwapLogFiles(x, x)
_HvSwapLogFiles@8 proc near		; CODE XREF: CmpFlushHive+507p
					; CmpFlushHive+82Dp

var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_A9		= dword	ptr -0A9h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_C0], 0
		and	[ebp+var_BC], 0
		push	ebx
		push	esi
		push	edi
		mov	byte ptr [ebp+var_A9], dl
		mov	esi, ecx
		call	HvGetEffectiveLogSizeCapForHive
		mov	ecx, [esi+68h]
		mov	[ebp+var_B0], eax
		cmp	ecx, 1
		jz	short loc_740F0D
		mov	eax, 4A0h
		cmp	ecx, 4
		jnz	short loc_740F12

loc_740F0D:				; CODE XREF: HvSwapLogFiles(x,x)+3Fj
		mov	eax, 498h

loc_740F12:				; CODE XREF: HvSwapLogFiles(x,x)+49j
		mov	eax, [eax+esi]
		mov	edi, [esi+6Ch]
		sub	edi, [esi+70h]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_C0]
		push	eax
		call	KeQuerySystemTime
		mov	ebx, [ebp+var_C0]
		mov	ecx, ebx
		sub	ecx, [esi+88h]
		mov	eax, [ebp+var_BC]
		mov	edx, eax
		sbb	edx, [esi+8Ch]
		cmp	dword_6B2348, 5
		mov	[ebp+var_BC], eax
		jbe	loc_7410C9
		lea	eax, [ebp+var_A9]
		cmp	byte ptr [ebp+var_A9], 0
		mov	[ebp+var_88], eax
		mov	eax, [esi+0C8h]
		setz	byte ptr [ebp+var_A9]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_78], eax
		mov	eax, [esi+7Ch]
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+var_B0]
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_58], eax
		mov	eax, [esi+74h]
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_CC]
		and	[ebp+var_84], 0
		and	[ebp+var_7C], 0
		and	[ebp+var_74], 0
		and	[ebp+var_6C], 0
		and	[ebp+var_64], 0
		and	[ebp+var_5C], 0
		and	[ebp+var_54], 0
		and	[ebp+var_4C], 0
		and	[ebp+var_44], 0
		and	[ebp+var_3C], 0
		and	[ebp+var_34], 0
		and	[ebp+var_2C], 0
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_B4]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_A9+1]
		push	eax
		push	0Ah
		mov	[ebp+var_D0], edi
		xor	edi, edi
		push	edi
		push	edi
		push	offset byte_41ABA1
		push	offset dword_6B2348
		mov	[ebp+var_80], 1
		mov	[ebp+var_70], 4
		mov	[ebp+var_60], 4
		mov	[ebp+var_50], 4
		mov	[ebp+var_40], 4
		mov	[ebp+var_30], 4
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], 4
		mov	[ebp+var_1C], edi
		mov	[ebp+var_D8], ecx
		mov	[ebp+var_D4], edx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_741090:				; CODE XREF: HvSwapLogFiles(x,x)+209j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		cmp	dword ptr [esi+68h], 4
		setz	al
		xor	ecx, ebp
		add	eax, 4
		mov	[esi+68h], eax
		mov	eax, [esi+6Ch]
		mov	[esi+74h], edi
		mov	[esi+70h], eax
		mov	eax, [ebp+var_BC]
		pop	edi
		mov	[esi+88h], ebx
		mov	[esi+8Ch], eax
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7410C9:				; CODE XREF: HvSwapLogFiles(x,x)+94j
		xor	edi, edi
		jmp	short loc_741090
_HvSwapLogFiles@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall HvResetUnreconciledData(x)
_HvResetUnreconciledData@4 proc	near	; CODE XREF: HvStoreModifiedData+348p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+40h], 0
		jz	short loc_7410ED
		lea	eax, [esi+3Ch]
		push	eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		and	dword ptr [esi+44h], 0
		mov	byte ptr [esi+83h], 0

loc_7410ED:				; CODE XREF: HvResetUnreconciledData(x)+9j
		pop	esi
		retn
_HvResetUnreconciledData@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvWriteHivePrimaryFile proc near	; CODE XREF: CmpFlushHive+6CAp
					; HvpPerformLogFileRecovery(x,x,x,x)+3A8p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CBF6F SIZE 000000BA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1], dl
		mov	bl, [ebp+var_1]
		lea	edi, [ebp+var_2C]
		stosd
		xor	edx, edx
		inc	edx
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_10], ecx
		stosd
		mov	[ebp+var_8], ecx
		mov	[ebp+var_14], ecx
		mov	byte ptr [ebp+var_C], cl
		stosd
		mov	edi, [ebp+arg_0]
		and	edi, edx
		mov	[ebp+arg_0], edi
		test	bl, bl
		jz	loc_8CBF6F
		cmp	[esi+478h], ecx
		jz	loc_74123E
		mov	ecx, [esi+480h]

loc_74113E:				; CODE XREF: HvWriteHivePrimaryFile+18AE97j
		mov	eax, [esi+78h]
		mov	[ecx+8], eax
		inc	eax
		mov	[ecx+4], eax
		call	_HvpHeaderCheckSum@4 ; HvpHeaderCheckSum(x)
		cmp	_CmpFailPrimarySave, 1
		mov	[ecx+1FCh], eax
		jz	loc_8CBF8C
		push	edi
		push	1
		lea	eax, [ebp+var_2C]
		mov	byte ptr [ebp+var_C], 1
		push	eax
		push	0
		push	esi
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], 1000h
		call	dword ptr [esi+14h]
		mov	edi, eax
		test	edi, edi
		js	loc_74121A
		cmp	_CmpFailPrimarySave, 2
		jz	loc_8CBF8C
		test	bl, bl
		jz	loc_8CBF96
		mov	ebx, [esi+478h]
		mov	edi, [esi+47Ch]

loc_7411A6:				; CODE XREF: HvWriteHivePrimaryFile+18AED2j
					; HvWriteHivePrimaryFile+18AF27j
		cmp	_CmpFailPrimarySave, 3
		jz	loc_741242
		push	[ebp+arg_0]
		push	edi
		push	ebx
		push	0
		push	esi
		call	dword ptr [esi+14h]
		mov	edi, eax
		test	edi, edi
		js	short loc_741209
		cmp	_CmpFailPrimarySave, 4
		jz	short loc_741242
		xor	edx, edx
		mov	ecx, esi
		call	CmpFileFlushAndPurge
		mov	edi, eax
		test	edi, edi
		js	short loc_741209
		cmp	_CmpFailPrimarySave, 5
		jz	short loc_741242
		cmp	[ebp+var_1], 0
		jz	short loc_741249
		lea	eax, [esi+46Ch]
		push	eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)

loc_7411F7:				; CODE XREF: HvWriteHivePrimaryFile+15Cj
		mov	edx, eax
		mov	ecx, eax
		shl	edx, 9
		call	CmpTraceHiveFlushWrotePrimaryFile
		mov	byte ptr [ebp+var_C], 0
		xor	edi, edi

loc_741209:				; CODE XREF: HvWriteHivePrimaryFile+D2j
					; HvWriteHivePrimaryFile+EAj ...
		test	ebx, ebx
		jz	short loc_741217
		cmp	[ebp+var_1], 0
		jz	loc_8CC01C

loc_741217:				; CODE XREF: HvWriteHivePrimaryFile+11Bj
					; HvWriteHivePrimaryFile+18AEC5j ...
		mov	bl, [ebp+var_1]

loc_74121A:				; CODE XREF: HvWriteHivePrimaryFile+8Fj
					; HvWriteHivePrimaryFile+150j ...
		test	bl, bl
		mov	edx, edi
		mov	ecx, esi
		setz	al
		shr	edx, 1Fh
		movzx	eax, al
		xor	dl, 1
		push	eax
		push	[ebp+var_C]
		call	HvpFinishPrimaryWrite
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_74123E:				; CODE XREF: HvWriteHivePrimaryFile+42j
					; HvWriteHivePrimaryFile+18AE82j
		mov	edi, ecx
		jmp	short loc_74121A
; 

loc_741242:				; CODE XREF: HvWriteHivePrimaryFile+BDj
					; HvWriteHivePrimaryFile+DBj ...
		mov	edi, 0C0000001h
		jmp	short loc_741209
; 

loc_741249:				; CODE XREF: HvWriteHivePrimaryFile+F9j
		mov	eax, [esi+44h]
		jmp	short loc_7411F7
HvWriteHivePrimaryFile endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpFinishPrimaryWrite proc near		; CODE XREF: HvWriteHivePrimaryFile+140p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 008CC029 SIZE 0000008C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_2], dl
		push	edi
		movzx	edi, [ebp+arg_0]
		mov	[ebp+var_1], 0
		mov	ebx, [esi+64h]
		and	ebx, 100h
		setnz	al
		cmp	dl, al
		jz	loc_8CC029
		mov	eax, [esi+9D0h]
		shr	eax, 1
		and	eax, 1
		cmp	eax, edi
		jnz	loc_8CC029

loc_74128B:				; CODE XREF: HvpFinishPrimaryWrite+18ADDFj
					; HvpFinishPrimaryWrite+18ADFBj
		test	dl, dl
		jz	loc_8CC04E
		test	ebx, ebx
		jnz	short loc_7412BD

loc_741297:				; CODE XREF: HvpFinishPrimaryWrite+76j
					; HvpFinishPrimaryWrite+18AE02j ...
		mov	ecx, [esi+9D0h]
		mov	eax, ecx
		shr	eax, 1
		and	eax, 1
		cmp	eax, edi
		jnz	loc_8CC078

loc_7412AC:				; CODE XREF: HvpFinishPrimaryWrite+18AE3Aj
		cmp	[ebp+var_1], 0
		jnz	loc_8CC08D

loc_7412B6:				; CODE XREF: HvpFinishPrimaryWrite+18AE62j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7412BD:				; CODE XREF: HvpFinishPrimaryWrite+47j
		and	dword ptr [esi+64h], 0FFFFFEFFh
		jmp	short loc_741297
HvpFinishPrimaryWrite endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTraceHiveFlushWrotePrimaryFile proc near ; CODE XREF: HvWriteHivePrimaryFile+10Ep

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CC0B5 SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_FLUSH_WROTE_PRIMARY_FILE
		mov	[ebp+var_40], edx
		lea	edi, [ebp+var_38]
		mov	[ebp+var_3C], ecx
		lea	eax, [ebp+var_38]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8CC0B5

loc_74130B:				; CODE XREF: CmpTraceHiveFlushWrotePrimaryFile+18AE24j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpTraceHiveFlushWrotePrimaryFile endp

; 
		align 2

;  S U B	R O U T	I N E 


HvTruncateAllLogFilesIfRequired	proc near ; CODE XREF: CmpFlushHive+7CCp

; FUNCTION CHUNK AT 008CC0EF SIZE 0000001C BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		cmp	dword ptr [edi+68h], 1
		jz	short loc_741358
		push	4
		pop	edx
		call	_HvpShouldTruncateLogFile@8 ; HvpShouldTruncateLogFile(x,x)
		xor	esi, esi
		test	al, al
		jnz	short loc_741349

loc_741334:				; CODE XREF: HvTruncateAllLogFilesIfRequired+3Cj
		push	5
		pop	edx
		mov	ecx, edi
		call	_HvpShouldTruncateLogFile@8 ; HvpShouldTruncateLogFile(x,x)
		test	al, al
		jnz	loc_8CC0F9

loc_741346:				; CODE XREF: HvTruncateAllLogFilesIfRequired+48j
					; HvTruncateAllLogFilesIfRequired+18ADECj
		pop	edi
		pop	esi
		retn
; 

loc_741349:				; CODE XREF: HvTruncateAllLogFilesIfRequired+18j
		push	esi
		push	esi
		push	esi
		push	4
		pop	edx
		mov	ecx, edi
		call	CmpDoFileSetSizeEx
		jmp	short loc_741334
; 

loc_741358:				; CODE XREF: HvTruncateAllLogFilesIfRequired+Aj
		xor	edx, edx
		inc	edx
		call	_HvpShouldTruncateLogFile@8 ; HvpShouldTruncateLogFile(x,x)
		test	al, al
		jz	short loc_741346
		jmp	loc_8CC0EF
HvTruncateAllLogFilesIfRequired	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvValidateOrInvalidatePrimaryFileHeader	proc near ; CODE XREF: CmpFlushHive+709p
					; CmpFlushHive+7ABp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CC10B SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		push	esi
		push	edi
		cmp	dword ptr [ebx+400h], 0
		jz	loc_74141C
		mov	edi, [ebp+arg_4]
		mov	esi, 1000h
		and	edi, 1
		cmp	[ebp+arg_0], 0
		mov	[ebp+var_8], edi
		jz	loc_8CC10B
		mov	esi, [ebx+480h]

loc_7413A5:				; CODE XREF: HvValidateOrInvalidatePrimaryFileHeader+18ADDDj
		cmp	[ebp+var_1], 0
		mov	eax, [ebx+6Ch]
		lea	ecx, [eax-1]
		jnz	short loc_741418

loc_7413B1:				; CODE XREF: HvValidateOrInvalidatePrimaryFileHeader+B0j
		mov	[esi+8], ecx
		mov	ecx, esi
		mov	[esi+4], eax
		call	_HvpHeaderCheckSum@4 ; HvpHeaderCheckSum(x)
		push	edi
		mov	[esi+1FCh], eax
		lea	eax, [ebp+var_14]
		and	[ebp+var_14], 0
		push	1
		push	eax
		push	0
		push	ebx
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], 1000h
		call	dword ptr [ebx+14h]
		mov	edi, eax
		test	edi, edi
		js	short loc_741405
		xor	edx, edx
		mov	ecx, ebx
		call	CmpFileFlushAndPurge
		mov	edi, eax
		test	edi, edi
		js	short loc_741405
		mov	al, [ebp+var_1]
		xor	edi, edi
		mov	[ebx+82h], al
		mov	eax, [esi+8]
		mov	[ebx+78h], eax

loc_741405:				; CODE XREF: HvValidateOrInvalidatePrimaryFileHeader+79j
					; HvValidateOrInvalidatePrimaryFileHeader+88j
		cmp	[ebp+arg_0], 0
		jz	loc_8CC14C

loc_74140F:				; CODE XREF: HvValidateOrInvalidatePrimaryFileHeader+B4j
					; HvValidateOrInvalidatePrimaryFileHeader+18ADBCj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_741418:				; CODE XREF: HvValidateOrInvalidatePrimaryFileHeader+45j
		mov	ecx, eax
		jmp	short loc_7413B1
; 

loc_74141C:				; CODE XREF: HvValidateOrInvalidatePrimaryFileHeader+17j
		xor	edi, edi
		jmp	short loc_74140F
HvValidateOrInvalidatePrimaryFileHeader	endp


;  S U B	R O U T	I N E 


; __stdcall HvCountFreeLogsLockFree(x)
_HvCountFreeLogsLockFree@4 proc	near	; CODE XREF: CmpIsHiveEligibleForLazyReconcile(x)+33p
		mov	edi, edi
		push	esi
		mov	esi, [ecx+68h]
		xor	eax, eax
		cmp	esi, 1
		jz	short loc_741444
		mov	edx, eax

loc_74142F:				; CODE XREF: HvCountFreeLogsLockFree(x)+22j
		cmp	edx, esi
		jz	short loc_74143E
		cmp	byte ptr [edx+ecx+80h],	0
		jnz	short loc_74143E
		inc	eax

loc_74143E:				; CODE XREF: HvCountFreeLogsLockFree(x)+11j
					; HvCountFreeLogsLockFree(x)+1Bj
		inc	edx
		cmp	edx, 2
		jb	short loc_74142F

loc_741444:				; CODE XREF: HvCountFreeLogsLockFree(x)+Bj
		pop	esi
		retn
_HvCountFreeLogsLockFree@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpDoReconcileNextHive proc near	; DATA XREF: .data:006B1594o

var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CC159 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, dword_6B15A4
		mov	ecx, (offset loc_98967E+2)
		mul	ecx
		push	ebx
		push	esi
		xor	bl, bl
		mov	[esp+1Ch+var_4], edx
		push	edi
		mov	edi, eax
		mov	[esp+20h+var_11], bl
		mov	[esp+20h+var_10], edi
		cmp	ds:_CmpNoWrite,	bl
		jnz	short loc_7414EF
		xor	ecx, ecx
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7414DA

loc_741485:				; CODE XREF: CmpDoReconcileNextHive+8Ej
		mov	cl, 1
		or	edi, 0FFFFFFFFh
		or	ebx, 0FFFFFFFFh
		call	KiQueryUnbiasedInterruptTime
		mov	ecx, esi
		mov	[esp+20h+var_C], eax
		mov	[esp+20h+var_8], edx
		call	_CmpIsHiveEligibleForLazyReconcile@4 ; CmpIsHiveEligibleForLazyReconcile(x)
		test	al, al
		jnz	loc_741543
		cmp	dword ptr [esi+44h], 0
		jnz	short loc_7414FA

loc_7414AF:				; CODE XREF: CmpDoReconcileNextHive+BBj
					; CmpDoReconcileNextHive+DEj ...
		cmp	ebx, [esp+20h+var_4]
		ja	short loc_7414C5
		jb	loc_8CC17C
		cmp	edi, [esp+20h+var_10]
		jb	loc_8CC17C

loc_7414C5:				; CODE XREF: CmpDoReconcileNextHive+6Dj
		mov	edi, [esp+20h+var_10]

loc_7414C9:				; CODE XREF: CmpDoReconcileNextHive+18AD3Ej
		mov	ecx, esi
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_741485
		mov	bl, [esp+20h+var_11]

loc_7414DA:				; CODE XREF: CmpDoReconcileNextHive+3Dj
		call	_CmpFlushUnsupportedOperationTelemetry@0 ; CmpFlushUnsupportedOperationTelemetry()
		test	bl, bl
		jz	short loc_7414EF
		mov	ecx, [ebp+arg_4]
		mov	eax, [esp+20h+var_4]
		mov	[ecx], edi
		mov	[ecx+4], eax

loc_7414EF:				; CODE XREF: CmpDoReconcileNextHive+30j
					; CmpDoReconcileNextHive+9Bj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7414FA:				; CODE XREF: CmpDoReconcileNextHive+67j
		test	dword ptr [esi+64h], 8001h
		jnz	short loc_7414AF
		mov	eax, dword_6B15A0
		mov	ecx, (offset loc_98967E+2)
		mul	ecx
		mov	[esp+20h+var_11], 1
		add	eax, [esi+998h]
		adc	edx, [esi+99Ch]
		cmp	[esp+20h+var_8], edx
		ja	short loc_7414AF
		mov	ecx, [esp+20h+var_C]
		jb	short loc_741534
		cmp	ecx, eax
		jnb	loc_7414AF

loc_741534:				; CODE XREF: CmpDoReconcileNextHive+E4j
		mov	edi, eax
		mov	ebx, edx
		sub	edi, ecx
		sbb	ebx, [esp+20h+var_8]
		jmp	loc_7414AF
; 

loc_741543:				; CODE XREF: CmpDoReconcileNextHive+5Dj
		mov	ecx, esi
		call	HvGetEffectiveLogSizeCapForHive
		cmp	[esi+74h], eax
		mov	ecx, esi
		sbb	edx, edx
		and	edx, 10h
		add	edx, 6
		call	CmpFlushHive
		test	eax, eax
		jns	loc_7414AF
		jmp	loc_8CC159
CmpDoReconcileNextHive endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpIsHiveEligibleForLazyReconcile(x)
_CmpIsHiveEligibleForLazyReconcile@4 proc near ; CODE XREF: CmpDoReconcileNextHive+56p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		test	dword ptr [esi+64h], 8001h
		jnz	short loc_7415D3
		cmp	dword ptr [esi+44h], 0
		jz	short loc_7415D3
		cmp	_CmpHoldLazyFlush, 0
		jnz	short loc_7415D3
		cmp	_CmpUserPresent, 0
		jz	short loc_7415D8
		call	HvGetEffectiveLogSizeCapForHive
		cmp	[esi+74h], eax
		jnb	short loc_7415D8
		mov	ecx, esi
		call	_HvCountFreeLogsLockFree@4 ; HvCountFreeLogsLockFree(x)
		test	eax, eax
		jz	short loc_7415D8
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	ecx, edx
		mov	edi, eax
		mov	eax, dword_6B15A0
		mov	edx, (offset loc_98967E+2)
		mul	edx
		add	eax, [esi+998h]
		adc	edx, [esi+99Ch]
		cmp	ecx, edx
		jb	short loc_7415D3
		ja	short loc_7415D8
		cmp	edi, eax
		jnb	short loc_7415D8

loc_7415D3:				; CODE XREF: CmpIsHiveEligibleForLazyReconcile(x)+Dj
					; CmpIsHiveEligibleForLazyReconcile(x)+13j ...
		xor	al, al

loc_7415D5:				; CODE XREF: CmpIsHiveEligibleForLazyReconcile(x)+70j
		pop	edi
		pop	esi
		retn
; 

loc_7415D8:				; CODE XREF: CmpIsHiveEligibleForLazyReconcile(x)+25j
					; CmpIsHiveEligibleForLazyReconcile(x)+2Fj ...
		mov	al, 1
		jmp	short loc_7415D5
_CmpIsHiveEligibleForLazyReconcile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpAddBin	proc near		; CODE XREF: HvpDoAllocateCell+177p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CC189 SIZE 0000028F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		or	[ebp+var_C], 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	esi
		lea	esi, [edx+101Fh]
		mov	[ebp+var_30], eax
		and	esi, 0FFFFF000h
		mov	[ebp+var_14], eax
		mov	[ebp+var_24], eax
		mov	ebx, ecx
		mov	[ebp+var_4], al
		mov	[ebp+var_18], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_2], al
		mov	[ebp+var_2C], eax
		mov	[ebp+var_1], al
		mov	[ebp+var_10], esi
		push	edi
		cmp	esi, 3000h
		ja	short loc_741636
		mov	eax, esi
		sub	eax, edx
		sub	eax, 20h
		cmp	eax, 0E00h
		jb	loc_741914

loc_741636:				; CODE XREF: HvpAddBin+46j
					; HvpAddBin+341j
		lea	eax, [ebp+var_24]
		mov	edx, esi
		push	eax
		push	[ebp+arg_0]
		call	_HvpFindFreeBin@16 ; HvpFindFreeBin(x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_3C], edi
		test	edi, edi
		jnz	loc_741922
		mov	eax, [ebp+arg_0]
		imul	ecx, eax, 19Ch
		mov	[ebp+var_30], ecx
		mov	edi, [ecx+ebx+0C8h]
		add	esi, edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_24], esi
		test	eax, eax
		jz	loc_7417A7

loc_741677:				; CODE XREF: HvpAddBin+1D4j
					; HvpAddBin+1EEj ...
		cmp	esi, edi
		jb	loc_7419B2
		mov	edx, esi
		mov	ecx, ebx
		call	CmpCanGrowHive
		test	al, al
		jz	loc_7419B2
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		push	esi
		push	edi
		call	HvpExpandMap
		test	eax, eax
		js	loc_7419B2
		mov	eax, [ebp+var_30]
		mov	edx, esi
		push	[ebp+arg_0]
		mov	ecx, ebx
		mov	[eax+ebx+0C8h],	esi
		call	_HvpAdjustHiveFreeDisplay@12 ; HvpAdjustHiveFreeDisplay(x,x,x)
		test	eax, eax
		js	loc_8CC319
		mov	ecx, [ebp+arg_0]
		mov	al, 1
		mov	[ebp+var_3], al
		test	ecx, ecx
		jz	loc_7417D5

loc_7416D2:				; CODE XREF: HvpAddBin+3E4j
		mov	dl, [ebp+var_2]

loc_7416D5:				; CODE XREF: HvpAddBin+29Cj
		mov	byte ptr [ebp+var_34], al
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_8CC1D6

loc_7416E3:				; CODE XREF: HvpAddBin+18ACE0j
		test	dl, dl
		jnz	loc_7418BE
		lea	eax, [ebp+var_20]
		mov	[ebp+var_1], dl
		mov	edx, [ebp+var_10]
		mov	ecx, ebx
		push	eax
		push	36314D43h
		push	[ebp+arg_0]
		call	_HvpAllocateBin@20 ; HvpAllocateBin(x,x,x,x,x)
		test	eax, eax
		js	loc_8CC30A
		mov	edx, [ebp+var_10]
		push	1
		push	[ebp+var_20]
		mov	[ebp+var_1], 0
		call	_HvpProtectBin@16 ; HvpProtectBin(x,x,x,x)

loc_74171D:				; CODE XREF: HvpAddBin+333j
		test	eax, eax
		js	loc_8CC30A
		push	[ebp+var_10]	; size_t
		push	0		; int
		push	[ebp+var_20]	; void *
		call	_memset
		mov	eax, [ebp+var_20]
		add	esp, 0Ch
		mov	ecx, [ebp+var_10]
		mov	esi, [ebp+var_20]
		mov	edx, [ebp+var_1C]
		and	dword ptr [eax+1Ch], 0
		mov	dword ptr [eax], 6E696268h
		mov	[eax+8], ecx
		mov	eax, edx
		and	eax, 7FFFFFFFh
		mov	[esi+4], eax
		lea	eax, [ecx-20h]
		mov	[esi+20h], eax
		mov	eax, [ebp+arg_0]
		mov	esi, [ebp+var_24]
		shl	eax, 1Fh
		cmp	[ebp+var_18], 0
		mov	[ebp+var_14], eax
		jnz	loc_8CC2C1
		mov	cl, [ebp+var_3]
		mov	byte ptr [ebp+var_34], cl

loc_74177A:				; CODE XREF: HvpAddBin+18AD29j
		mov	ecx, [ebp+var_10]
		add	edx, eax
		push	0
		push	[ebp+var_34]
		mov	[ebp+var_1C], edx
		push	edx
		mov	edx, [ebp+var_20]
		push	ecx
		mov	ecx, ebx
		call	HvpPointMapEntriesToBuffer
		cmp	[ebp+arg_0], 0
		jz	loc_74187D

loc_74179D:				; CODE XREF: HvpAddBin+2DDj
		mov	eax, [ebp+var_1C]

loc_7417A0:				; CODE XREF: HvpAddBin+3D9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7417A7:				; CODE XREF: HvpAddBin+95j
		mov	edx, [ebp+var_10]
		cmp	edx, 40000h
		ja	loc_741677
		lea	ecx, [esi+0FFFh]
		lea	eax, [edi+1000h]
		xor	ecx, eax
		test	ecx, 0FFFC0000h
		jz	loc_741677
		jmp	loc_8CC199
; 

loc_7417D5:				; CODE XREF: HvpAddBin+F0j
		mov	eax, [ebx+64h]
		test	al, 1
		jnz	short loc_7417F4
		mov	edx, esi
		mov	ecx, ebx
		call	HvpGrowDirtyVectors
		test	eax, eax
		js	loc_8CC30A
		mov	eax, [ebx+64h]
		mov	[ebp+var_4], 1

loc_7417F4:				; CODE XREF: HvpAddBin+1FEj
		test	eax, 8001h
		jnz	short loc_74182B
		lea	eax, [esi+1000h]
		xor	edx, edx
		push	1
		xor	esi, esi
		mov	ecx, ebx
		push	esi
		push	eax
		call	CmpDoFileSetSizeEx
		test	eax, eax
		js	loc_8CC30A
		test	dword ptr [ebx+980h], 800h
		jnz	loc_8CC1BC
		mov	esi, [ebp+var_24]

loc_74182B:				; CODE XREF: HvpAddBin+21Dj
					; HvpAddBin+18ABE9j ...
		test	dword ptr [ebx+64h], 20000h
		mov	al, 1
		mov	[ebp+var_3], al
		jz	loc_7419BD
		lea	ecx, [ebx+0A0h]
		mov	[ebp+var_5], al
		mov	[ebp+var_3], al
		call	_HvpViewMapGetMaxStorageLength@4 ; HvpViewMapGetMaxStorageLength(x)
		cmp	esi, eax
		ja	loc_7419BA
		mov	edx, esi
		lea	ecx, [ebx+0A0h]
		call	_HvpViewMapExtendStorage@8 ; HvpViewMapExtendStorage(x,x)
		test	eax, eax
		js	loc_8CC30A
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		xor	al, al
		mov	[ebp+var_2], dl
		mov	[ebp+var_3], al
		jmp	loc_7416D5
; 

loc_74187D:				; CODE XREF: HvpAddBin+1BBj
		test	byte ptr [ebx+64h], 1
		jnz	short loc_7418A1
		mov	al, [ebp+var_2]
		mov	edx, edi
		mov	[ebp+var_1], al
		mov	ecx, ebx
		mov	eax, esi
		push	0
		sub	eax, edi
		push	eax
		call	HvpMarkDirty
		test	al, al
		jz	loc_8CC30A

loc_7418A1:				; CODE XREF: HvpAddBin+2A5j
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	CmpUpdateSystemHiveHysteresis
		push	4
		sub	esi, edi
		mov	edx, edi
		push	esi
		mov	ecx, ebx
		call	HvpSetRangeProtection
		jmp	loc_74179D
; 

loc_7418BE:				; CODE XREF: HvpAddBin+109j
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_1], dl
		call	CmpClaimGlobalQuota
		test	al, al
		jz	loc_8CC30A
		mov	dl, [ebp+var_2]
		lea	ecx, [ebx+0A0h]
		mov	eax, [ebp+var_10]
		add	[ebp+var_2C], eax
		mov	[ebp+var_1], dl
		lea	edx, [ebp+var_20]
		push	edx
		mov	edx, [ebp+var_1C]
		push	eax
		call	HvpViewMapPromoteRangeToMapping
		test	eax, eax
		js	loc_8CC30A
		mov	al, [ebp+var_2]
		lea	ecx, [ebx+0A0h]
		push	[ebp+var_10]
		mov	edx, [ebp+var_1C]
		mov	[ebp+var_1], al
		call	_HvpViewMapCOWAndUnsealRange@12	; HvpViewMapCOWAndUnsealRange(x,x,x)
		jmp	loc_74171D
; 

loc_741914:				; CODE XREF: HvpAddBin+54j
		add	esi, 1000h
		mov	[ebp+var_10], esi
		jmp	loc_741636
; 

loc_741922:				; CODE XREF: HvpAddBin+6Fj
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	loc_7419C5
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	loc_7419C5
		mov	[ecx], eax
		xor	esi, esi
		mov	[eax+4], ecx
		mov	ecx, [ebp+arg_0]
		mov	edx, [edi+0Ch]
		mov	eax, [edi+8]
		shl	ecx, 1Fh
		push	esi
		mov	[ebp+var_34], ecx
		add	edx, ecx
		push	eax
		mov	ecx, ebx
		call	HvpMarkDirty
		test	al, al
		jz	short loc_74199C
		mov	ecx, [edi+0Ch]
		add	ecx, [ebp+var_34]
		mov	[ebp+var_C], ecx
		cmp	[ebp+var_24], esi
		jbe	short loc_74199F
		xor	eax, eax

loc_74196D:				; CODE XREF: HvpAddBin+3BEj
		lea	esi, [eax+ecx]
		mov	ecx, ebx
		mov	edx, esi
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8CC189
		mov	eax, [ebp+var_30]
		and	dword ptr [ecx+4], 0FFFFFFFDh
		mov	[ecx], eax
		add	eax, 1000h
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_30], eax
		cmp	eax, [ebp+var_24]
		jb	short loc_74196D

loc_74199C:				; CODE XREF: HvpAddBin+37Fj
					; HvpAddBin+18AE0Fj
		mov	ecx, [ebp+var_C]

loc_74199F:				; CODE XREF: HvpAddBin+38Dj
		test	edi, edi
		jz	short loc_7419B2
		cmp	ecx, 0FFFFFFFFh
		jz	loc_8CC3F0
		push	10h
		push	edi
		call	dword ptr [ebx+10h]

loc_7419B2:				; CODE XREF: HvpAddBin+9Dj
					; HvpAddBin+AEj ...
		mov	eax, [ebp+var_C]
		jmp	loc_7417A0
; 

loc_7419BA:				; CODE XREF: HvpAddBin+274j
		mov	al, [ebp+var_5]

loc_7419BD:				; CODE XREF: HvpAddBin+25Bj
		mov	ecx, [ebp+arg_0]
		jmp	loc_7416D2
; 

loc_7419C5:				; CODE XREF: HvpAddBin+34Bj
					; HvpAddBin+356j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
HvpAddBin	endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpFindFreeBin(x, x, x, x)
_HvpFindFreeBin@16 proc	near		; CODE XREF: HvpAddBin+63p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		imul	ebx, [ebp+arg_0], 19Ch
		mov	eax, edx
		push	esi
		push	edi
		lea	edi, [ecx+258h]
		mov	[ebp+var_4], eax
		add	edi, ebx
		mov	esi, [edi]

loc_7419E9:				; CODE XREF: HvpFindFreeBin(x,x,x,x)+4Fj
		cmp	esi, edi
		jnz	short loc_7419F6
		xor	eax, eax

loc_7419EF:				; CODE XREF: HvpFindFreeBin(x,x,x,x)+48j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7419F6:				; CODE XREF: HvpFindFreeBin(x,x,x,x)+21j
		mov	edx, [esi+8]
		cmp	edx, eax
		jb	short loc_741A17
		mov	eax, [esi+0Ch]
		add	eax, edx
		cmp	eax, [ebx+ecx+0C8h]
		ja	short loc_741A14
		mov	ecx, [ebp+arg_4]
		mov	eax, esi
		mov	[ecx], edx
		jmp	short loc_7419EF
; 

loc_741A14:				; CODE XREF: HvpFindFreeBin(x,x,x,x)+3Fj
		mov	eax, [ebp+var_4]

loc_741A17:				; CODE XREF: HvpFindFreeBin(x,x,x,x)+31j
		mov	esi, [esi]
		jmp	short loc_7419E9
_HvpFindFreeBin@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpExpandMap	proc near		; CODE XREF: HvpAddBin+BBp
					; HvpPerformLogFileRecovery(x,x,x,x)+D9p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CC418 SIZE 000000A2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edx
		test	esi, esi
		jz	short loc_741A5A

loc_741A35:				; CODE XREF: HvpExpandMap+82j
		shr	esi, 0Ch
		dec	esi

loc_741A39:				; CODE XREF: HvpExpandMap+86j
		mov	eax, [ebp+arg_4]
		shr	eax, 0Ch
		shr	esi, 9
		dec	eax
		shr	eax, 9
		mov	[ebp+arg_4], eax
		cmp	eax, esi
		ja	loc_8CC418

loc_741A51:				; CODE XREF: HvpExpandMap+8Dj
					; HvpExpandMap+18AA79j	...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_741A5A:				; CODE XREF: HvpExpandMap+17j
		push	37314D43h
		push	edi
		push	1800h
		call	dword ptr [ebx+0Ch]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_741AA4
		push	1800h		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		imul	ecx, [ebp+var_4], 19Ch
		add	esp, 0Ch
		mov	edx, [ebp+arg_0]
		lea	eax, [ecx+0D0h]
		add	eax, ebx
		mov	[ecx+ebx+0CCh],	eax
		mov	[eax], edx
		mov	edx, [ebp+var_4]
		test	esi, esi
		jnz	short loc_741A35
		mov	esi, edi
		jmp	short loc_741A39
; 

loc_741AA4:				; CODE XREF: HvpExpandMap+51j
					; HvpExpandMap+18AA30j
		mov	edi, 0C0000017h
		jmp	short loc_741A51
HvpExpandMap	endp

; 
		align 4

;  S U B	R O U T	I N E 


CmpCanGrowHive	proc near		; CODE XREF: HvpAddBin+A7p

; FUNCTION CHUNK AT 008CC4BA SIZE 00000054 BYTES

		mov	edi, edi
		push	esi
		mov	esi, edx
		cmp	esi, 7FFFE000h
		ja	short loc_741B03
		cmp	ecx, dword_6B179C
		jz	short loc_741AC5

loc_741AC1:				; CODE XREF: CmpCanGrowHive+50j
					; CmpCanGrowHive+18AA15j ...
		mov	al, 1
		pop	esi
		retn
; 

loc_741AC5:				; CODE XREF: CmpCanGrowHive+13j
		add	esi, 1000h
		cmp	esi, _CmSystemHiveLimitSize
		ja	short loc_741B03
		mov	eax, dword_6D3018
		mov	ecx, 19000h
		mov	eax, [eax]
		mov	eax, [eax+0F48h]
		shr	eax, 1
		cmp	eax, ecx
		jb	short loc_741AED
		mov	eax, ecx

loc_741AED:				; CODE XREF: CmpCanGrowHive+3Dj
		imul	eax, 9000h
		xor	edx, edx
		push	0Ah
		pop	ecx
		div	ecx
		cmp	esi, eax
		jbe	short loc_741AC1
		jmp	loc_8CC4BA
; 

loc_741B03:				; CODE XREF: CmpCanGrowHive+Bj
					; CmpCanGrowHive+25j
		xor	al, al
		pop	esi
		retn
CmpCanGrowHive	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpProtectBin(x, x,	x, x)
_HvpProtectBin@16 proc near		; CODE XREF: HvpAddBin+13Cp
					; HvpAddBin+18AC79p ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		mov	ecx, [ebp+arg_0]
		jz	short loc_741B2E
		push	4
		call	_ExProtectPool@12 ; ExProtectPool(x,x,x)
		test	eax, eax
		jz	short loc_741B27

loc_741B21:				; CODE XREF: HvpProtectBin(x,x,x,x)+2Dj
		xor	eax, eax

loc_741B23:				; CODE XREF: HvpProtectBin(x,x,x,x)+24j
		pop	ebp
		retn	8
; 

loc_741B27:				; CODE XREF: HvpProtectBin(x,x,x,x)+17j
		mov	eax, 0C000009Ah
		jmp	short loc_741B23
; 

loc_741B2E:				; CODE XREF: HvpProtectBin(x,x,x,x)+Cj
		push	2
		call	_ExProtectPool@12 ; ExProtectPool(x,x,x)
		jmp	short loc_741B21
_HvpProtectBin@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGenerateFlushControlData proc near	; CODE XREF: CmpFlushHive+216p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CC50E SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		xor	edx, edx
		mov	[esi], edx
		mov	[esi+4], edx
		mov	[esi+8], edx
		mov	[esi+14h], edx
		mov	[esi+0Ch], edx
		mov	cl, [edi+83h]
		test	cl, cl
		jnz	short loc_741B6C
		cmp	[edi+34h], edx
		jz	loc_741C56

loc_741B6C:				; CODE XREF: CmpGenerateFlushControlData+29j
					; CmpGenerateFlushControlData+121j
		mov	byte ptr [ebp+arg_0+3],	1
		cmp	[edi+34h], edx
		jz	loc_741C62

loc_741B79:				; CODE XREF: CmpGenerateFlushControlData+134j
		push	9
		pop	ebx
		mov	[esi], ebx
		cmp	[edi+82h], dl
		jnz	loc_741CAB

loc_741B8A:				; CODE XREF: CmpGenerateFlushControlData+178j
		cmp	[edi+9D4h], edx
		jnz	loc_8CC50E

loc_741B96:				; CODE XREF: CmpGenerateFlushControlData+18A9DEj
		mov	ecx, edi
		call	HvGetEffectiveLogSizeCapForHive
		mov	[esi+18h], eax

loc_741BA0:				; CODE XREF: CmpGenerateFlushControlData+12Ej
		cmp	byte ptr [ebp+arg_0+3],	0
		mov	edx, ebx
		jz	short loc_741BB2
		test	byte ptr [ebp+var_4], 4
		jnz	loc_741CB5

loc_741BB2:				; CODE XREF: CmpGenerateFlushControlData+6Ej
					; CmpGenerateFlushControlData+184j
		test	byte ptr [edi+64h], 2
		jnz	loc_741D3D
		test	dword ptr [edi+980h], 800h
		setz	cl
		test	byte ptr _CmpGlobalFlushControlFlags, 1
		setz	al
		test	cl, al
		jz	loc_741D3D
		test	byte ptr [ebp+var_4], 8
		jnz	loc_741C71

loc_741BE5:				; CODE XREF: CmpGenerateFlushControlData+145j
		and	dl, 48h
		cmp	dl, 8
		jnz	short loc_741C15
		mov	edx, [esi+18h]
		lea	ebx, [esi+8]
		push	ebx
		mov	ecx, edi
		call	HvGetHiveLogFileStatus
		mov	eax, [ebx]
		test	al, 1
		jnz	loc_8CC51B
		test	al, 0Ah
		jnz	loc_8CC546
		test	al, 4
		jnz	loc_8CC523

loc_741C15:				; CODE XREF: CmpGenerateFlushControlData+B3j
					; CmpGenerateFlushControlData+18AA09j ...
		mov	ebx, [esi]
		test	bl, 40h
		jnz	loc_741CFA

loc_741C20:				; CODE XREF: CmpGenerateFlushControlData+200j
					; CmpGenerateFlushControlData+18AA2Cj
		lea	ecx, [esi+8]

loc_741C23:				; CODE XREF: CmpGenerateFlushControlData+18AA1Ej
		mov	eax, ebx
		and	al, 48h
		cmp	al, 8
		jnz	short loc_741C46
		cmp	dword ptr [edi+44h], 0
		mov	eax, ebx
		jz	loc_741CEC

loc_741C37:				; CODE XREF: CmpGenerateFlushControlData+1BDj
		test	byte ptr [ecx],	14h
		mov	ebx, eax
		jz	short loc_741C46
		or	ebx, 1000h
		mov	[esi], ebx

loc_741C46:				; CODE XREF: CmpGenerateFlushControlData+F1j
					; CmpGenerateFlushControlData+104j
		test	byte ptr [edi+9D0h], 1
		jz	short loc_741CC1

loc_741C4F:				; CODE XREF: CmpGenerateFlushControlData+156j
					; CmpGenerateFlushControlData+169j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_741C56:				; CODE XREF: CmpGenerateFlushControlData+2Ej
		cmp	[edi+44h], edx
		jnz	loc_741B6C
		mov	byte ptr [ebp+arg_0+3],	dl

loc_741C62:				; CODE XREF: CmpGenerateFlushControlData+3Bj
		mov	ebx, edx
		test	cl, cl
		jz	loc_741BA0
		jmp	loc_741B79
; 

loc_741C71:				; CODE XREF: CmpGenerateFlushControlData+A7j
		cmp	byte ptr [edi+82h], 0
		jz	short loc_741C83
		test	dl, 10h
		jz	loc_741BE5

loc_741C83:				; CODE XREF: CmpGenerateFlushControlData+140j
		or	edx, 107h
		mov	[esi], edx
		test	dl, 8
		jz	short loc_741C4F
		mov	edx, [esi+18h]
		lea	ebx, [esi+8]
		push	ebx
		mov	ecx, edi
		call	HvGetHiveLogFileStatus
		test	byte ptr [ebx],	0Ch
		jz	short loc_741C4F
		or	dword ptr [esi], 400h
		jmp	short loc_741C4F
; 

loc_741CAB:				; CODE XREF: CmpGenerateFlushControlData+4Cj
		push	1Bh
		pop	ebx
		mov	[esi], ebx
		jmp	loc_741B8A
; 

loc_741CB5:				; CODE XREF: CmpGenerateFlushControlData+74j
		mov	edx, ebx
		or	edx, 42h
		mov	[esi], edx
		jmp	loc_741BB2
; 

loc_741CC1:				; CODE XREF: CmpGenerateFlushControlData+115j
		cmp	dword ptr [edi+400h], 0
		jz	short loc_741C4F
		test	bl, 8
		setz	cl
		test	byte ptr [ebp+var_4], 20h
		setz	al
		test	cl, al
		jnz	loc_741C4F
		or	ebx, 202h
		mov	[esi], ebx
		jmp	loc_741C4F
; 

loc_741CEC:				; CODE XREF: CmpGenerateFlushControlData+F9j
		mov	eax, ebx
		or	eax, 800h
		mov	[esi], eax
		jmp	loc_741C37
; 

loc_741CFA:				; CODE XREF: CmpGenerateFlushControlData+E2j
		lea	ecx, [edi+9C8h]
		call	_CmpIsWriteQueueActive@4 ; CmpIsWriteQueueActive(x)
		test	al, al
		jnz	loc_741C4F
		lea	ecx, [esi+8]
		mov	eax, [ecx]
		mov	[ebp+arg_0], eax
		test	al, 8
		jnz	loc_8CC54E
		mov	eax, ebx
		mov	ecx, edi
		or	eax, 1
		mov	[esi], eax
		call	_HvIsCurrentLogSwappable@4 ; HvIsCurrentLogSwappable(x)
		test	al, al
		jz	loc_8CC55B
		or	ebx, 21h

loc_741D36:				; CODE XREF: CmpGenerateFlushControlData+18AA38j
		mov	[esi], ebx
		jmp	loc_741C20
; 

loc_741D3D:				; CODE XREF: CmpGenerateFlushControlData+7Ej
					; CmpGenerateFlushControlData+9Dj
		cmp	dword ptr [edi+34h], 0
		jz	short loc_741D61

loc_741D43:				; CODE XREF: CmpGenerateFlushControlData+230j
		or	edx, 46h
		mov	[esi], edx
		cmp	byte ptr [edi+82h], 0
		jz	short loc_741D54
		or	edx, 10h

loc_741D54:				; CODE XREF: CmpGenerateFlushControlData+217j
		or	edx, 500h

loc_741D5A:				; CODE XREF: CmpGenerateFlushControlData+251j
		mov	[esi], edx
		jmp	loc_741C4F
; 

loc_741D61:				; CODE XREF: CmpGenerateFlushControlData+209j
		cmp	byte ptr [edi+83h], 0
		jnz	short loc_741D43
		test	byte ptr [edi+9D0h], 1
		setz	cl
		test	byte ptr [ebp+var_4], 20h
		setnz	al
		test	cl, al
		jz	loc_741C4F
		or	edx, 202h
		jmp	short loc_741D5A
CmpGenerateFlushControlData endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall HvTruncateCurrentLogFileIfRequired(x)
_HvTruncateCurrentLogFileIfRequired@4 proc near	; CODE XREF: CmpFlushHive+38Ap
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+64h]
		test	al, 1
		jnz	short loc_741DD3
		test	eax, 8000h
		jnz	short loc_741DD3
		push	edi
		mov	edi, [esi+68h]
		test	edi, edi
		jz	short loc_741DD2
		cmp	dword ptr [esi+edi*4+400h], 0
		jz	short loc_741DD2
		push	ebx
		cmp	edi, 1
		jz	short loc_741DC1
		mov	ebx, 4A0h
		cmp	edi, 4
		jnz	short loc_741DC6

loc_741DC1:				; CODE XREF: HvTruncateCurrentLogFileIfRequired(x)+29j
		mov	ebx, 498h

loc_741DC6:				; CODE XREF: HvTruncateCurrentLogFileIfRequired(x)+33j
		mov	edx, edi
		call	_HvpShouldTruncateLogFile@8 ; HvpShouldTruncateLogFile(x,x)
		test	al, al
		jnz	short loc_741DD5

loc_741DD1:				; CODE XREF: HvTruncateCurrentLogFileIfRequired(x)+52j
					; HvTruncateCurrentLogFileIfRequired(x)+59j ...
		pop	ebx

loc_741DD2:				; CODE XREF: HvTruncateCurrentLogFileIfRequired(x)+19j
					; HvTruncateCurrentLogFileIfRequired(x)+23j
		pop	edi

loc_741DD3:				; CODE XREF: HvTruncateCurrentLogFileIfRequired(x)+Aj
					; HvTruncateCurrentLogFileIfRequired(x)+11j
		pop	esi
		retn
; 

loc_741DD5:				; CODE XREF: HvTruncateCurrentLogFileIfRequired(x)+43j
		mov	eax, [ebx+esi+4]
		mov	ecx, [esi+74h]
		test	eax, eax
		jb	short loc_741DD1
		ja	short loc_741DE7
		cmp	[ebx+esi], ecx
		jbe	short loc_741DD1

loc_741DE7:				; CODE XREF: HvTruncateCurrentLogFileIfRequired(x)+54j
		push	0
		push	0
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	CmpDoFileSetSizeEx
		jmp	short loc_741DD1
_HvTruncateCurrentLogFileIfRequired@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall HvpShouldTruncateLogFile(x,	x)
_HvpShouldTruncateLogFile@8 proc near	; CODE XREF: HvTruncateAllLogFilesIfRequired+Fp
					; HvTruncateAllLogFilesIfRequired+1Fp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		cmp	edx, 1
		jz	short loc_741E0D
		mov	esi, 4A0h
		cmp	edx, 4
		jnz	short loc_741E12

loc_741E0D:				; CODE XREF: HvpShouldTruncateLogFile(x,x)+9j
		mov	esi, 498h

loc_741E12:				; CODE XREF: HvpShouldTruncateLogFile(x,x)+13j
		call	HvGetEffectiveLogSizeCapForHive
		mov	edx, eax
		mov	eax, [esi+edi+4]
		test	eax, eax
		jb	short loc_741E28
		ja	short loc_741E2D
		cmp	[esi+edi], edx
		ja	short loc_741E2D

loc_741E28:				; CODE XREF: HvpShouldTruncateLogFile(x,x)+27j
		xor	al, al

loc_741E2A:				; CODE XREF: HvpShouldTruncateLogFile(x,x)+37j
		pop	edi
		pop	esi
		retn
; 

loc_741E2D:				; CODE XREF: HvpShouldTruncateLogFile(x,x)+29j
					; HvpShouldTruncateLogFile(x,x)+2Ej
		mov	al, 1
		jmp	short loc_741E2A
_HvpShouldTruncateLogFile@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


HvGetEffectiveLogSizeCapForHive	proc near ; CODE XREF: CmpAdjustRequestedFileSize+46p
					; HvSwapLogFiles(x,x)+2Ep ...

; FUNCTION CHUNK AT 008CC575 SIZE 0000001B BYTES

		test	dword ptr [ecx+980h], 800h
		jnz	short loc_741E8E
		mov	eax, [ecx+7Ch]
		mov	edx, 2000h
		mov	ecx, [ecx+0C8h]
		cmp	ecx, edx
		jb	short loc_741E8A

loc_741E50:				; CODE XREF: HvGetEffectiveLogSizeCapForHive+5Aj
		push	esi
		mov	esi, edx
		push	edi
		shl	esi, 3
		xor	edi, edi
		sub	ecx, edx
		jz	short loc_741E64
		shr	ecx, 2
		add	esi, ecx
		adc	edi, edi

loc_741E64:				; CODE XREF: HvGetEffectiveLogSizeCapForHive+29j
		test	edi, edi
		jb	short loc_741E6E
		ja	short loc_741E70
		cmp	esi, eax
		jnb	short loc_741E70

loc_741E6E:				; CODE XREF: HvGetEffectiveLogSizeCapForHive+34j
		mov	eax, esi

loc_741E70:				; CODE XREF: HvGetEffectiveLogSizeCapForHive+36j
					; HvGetEffectiveLogSizeCapForHive+3Aj
		mov	ecx, _CmpLogFileSizeCap
		pop	edi
		pop	esi
		test	ecx, ecx
		jnz	loc_8CC575

loc_741E80:				; CODE XREF: HvGetEffectiveLogSizeCapForHive+18A749j
					; HvGetEffectiveLogSizeCapForHive+18A751j ...
		mov	ecx, 8000h
		cmp	eax, ecx
		jb	short loc_741E94
		retn
; 

loc_741E8A:				; CODE XREF: HvGetEffectiveLogSizeCapForHive+1Cj
		mov	edx, ecx
		jmp	short loc_741E50
; 

loc_741E8E:				; CODE XREF: HvGetEffectiveLogSizeCapForHive+Aj
		mov	eax, 2000000h
		retn
; 

loc_741E94:				; CODE XREF: HvGetEffectiveLogSizeCapForHive+55j
		mov	eax, ecx
		retn
HvGetEffectiveLogSizeCapForHive	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvGetHiveLogFileStatus proc near	; CODE XREF: CmpGenerateFlushControlData+BEp
					; CmpGenerateFlushControlData+161p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CC590 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edi
		lea	esi, [edi+2Ch]
		mov	ecx, esi
		call	_HvpCountSetRangesInVector@4 ; HvpCountSetRangesInVector(x)
		mov	edi, [edi+34h]
		xor	ebx, ebx
		push	ebx
		shl	eax, 3
		shl	edi, 9
		add	edi, eax
		pop	eax
		push	8
		adc	ebx, eax
		add	edi, 28h
		push	eax
		push	esi
		adc	ebx, eax
		call	_RtlAreBitsClear@12 ; RtlAreBitsClear(x,x,x)
		test	al, al
		jz	short loc_741EE1
		add	edi, 1008h
		adc	ebx, 0

loc_741EE1:				; CODE XREF: HvGetHiveLogFileStatus+3Ej
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		mov	edx, [ecx+74h]
		add	edx, edi
		adc	eax, ebx
		mov	[ebp+var_C], eax
		jnz	loc_8CC590
		cmp	edx, 2000000h
		ja	loc_8CC590
		xor	al, al

loc_741F04:				; CODE XREF: HvGetHiveLogFileStatus+18A6FAj
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		and	dword ptr [esi], 0
		cmp	[ecx+83h], dl
		jnz	short loc_741F74

loc_741F14:				; CODE XREF: HvGetHiveLogFileStatus+E1j
		test	al, al
		jnz	loc_8CC597

loc_741F1C:				; CODE XREF: HvGetHiveLogFileStatus+18A704j
		cmp	dword ptr [ecx+6Ch], 0FFFFFFFFh
		jz	loc_8CC5A1

loc_741F26:				; CODE XREF: HvGetHiveLogFileStatus+18A70Ej
		test	edx, edx
		jnz	short loc_741F7B

loc_741F2A:				; CODE XREF: HvGetHiveLogFileStatus+F5j
		mov	eax, [ecx+74h]
		mov	[ebp+arg_0], eax
		mov	[ebp+var_4], eax
		xor	eax, eax
		add	[ebp+arg_0], edi
		adc	eax, ebx
		test	eax, eax
		jb	short loc_741F48
		ja	short loc_741F63
		mov	eax, [ebp+var_8]
		cmp	[ebp+arg_0], eax
		jnb	short loc_741F63

loc_741F48:				; CODE XREF: HvGetHiveLogFileStatus+A4j
		mov	ecx, [ebp+var_4]

loc_741F4B:				; CODE XREF: HvGetHiveLogFileStatus+D3j
		xor	eax, eax
		add	ecx, edi
		adc	eax, ebx
		test	eax, eax
		jb	short loc_741F5C
		ja	short loc_741F6D
		cmp	ecx, [ebp+var_8]
		jnb	short loc_741F6D

loc_741F5C:				; CODE XREF: HvGetHiveLogFileStatus+BBj
					; HvGetHiveLogFileStatus+DAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_741F63:				; CODE XREF: HvGetHiveLogFileStatus+A6j
					; HvGetHiveLogFileStatus+AEj
		or	edx, 10h
		mov	[esi], edx
		mov	ecx, [ecx+74h]
		jmp	short loc_741F4B
; 

loc_741F6D:				; CODE XREF: HvGetHiveLogFileStatus+BDj
					; HvGetHiveLogFileStatus+C2j
		or	edx, 20h

loc_741F70:				; CODE XREF: HvGetHiveLogFileStatus+FAj
		mov	[esi], edx
		jmp	short loc_741F5C
; 

loc_741F74:				; CODE XREF: HvGetHiveLogFileStatus+7Aj
		push	2
		pop	edx
		mov	[esi], edx
		jmp	short loc_741F14
; 

loc_741F7B:				; CODE XREF: HvGetHiveLogFileStatus+90j
		add	ecx, 9C8h
		call	_CmpIsWriteQueueActive@4 ; CmpIsWriteQueueActive(x)
		test	al, al
		jnz	short loc_741F8F
		mov	ecx, [ebp+var_4]
		jmp	short loc_741F2A
; 

loc_741F8F:				; CODE XREF: HvGetHiveLogFileStatus+F0j
		or	edx, 1
		jmp	short loc_741F70
HvGetHiveLogFileStatus endp


;  S U B	R O U T	I N E 


; __stdcall HvResetDirtyData(x)
_HvResetDirtyData@4 proc near		; CODE XREF: HvStoreModifiedData+14Dp
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1268p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+30h], 0
		jz	short loc_741FBF
		call	_HvpResetPageProtection@4 ; HvpResetPageProtection(x)
		lea	eax, [esi+2Ch]
		push	eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		mov	eax, [esi+34h]
		mov	ecx, offset _CmpDirtySectorCount
		neg	eax
		lock xadd [ecx], eax
		and	dword ptr [esi+34h], 0

loc_741FBF:				; CODE XREF: HvResetDirtyData(x)+9j
		pop	esi
		retn
_HvResetDirtyData@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpGenerateLogEntry proc near		; CODE XREF: HvStoreModifiedData+BDp

var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CC5AB SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_2C], edx
		xor	ecx, ecx
		push	esi
		push	edi
		mov	eax, [ebx+74h]
		mov	edi, ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		test	eax, eax
		jz	loc_74211C

loc_741FF3:				; CODE XREF: HvpGenerateLogEntry+162j
		setz	al
		lea	esi, [ebx+2Ch]
		mov	[ebp+var_18], al
		xor	edx, edx
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax
		call	_HvpGenerateLogMetadata@12 ; HvpGenerateLogMetadata(x,x,x)
		push	esi
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	esi, [ebp+var_8]
		xor	edx, edx
		push	eax
		push	esi
		inc	edx
		mov	ecx, ebx
		call	_CmpLogDirtyVectorUse@16 ; CmpLogDirtyVectorUse(x,x,x,x)
		mov	eax, [ebx+34h]
		mov	ecx, esi
		shl	ecx, 3
		shl	eax, 9
		add	eax, edi
		push	6F494D43h
		lea	esi, [ecx+1027h]
		add	esi, eax
		push	ecx
		and	esi, 0FFFFF000h
		push	5
		mov	[ebp+var_1C], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	loc_8CC5AB
		push	esi
		lea	edx, [ebp+var_14]
		lea	ecx, [ebp+var_10]
		call	HvpAllocateLogBuffers
		mov	edi, [ebp+var_14]
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_742129
		push	dword ptr [ebp+var_18] ; char
		mov	esi, [ebp+var_10]
		lea	eax, [ebp+var_4]
		push	[ebp+var_8]	; int
		mov	edx, esi	; int
		push	[ebp+var_1C]	; int
		push	eax		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	ecx		; int
		mov	ecx, ebx	; size_t
		call	_HvpGenerateLogEntryHeader@32 ;	HvpGenerateLogEntryHeader(x,x,x,x,x,x,x,x)
		push	[ebp+var_8]
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	[ebp+var_20]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	ecx
		mov	ecx, ebx
		call	_HvpGenerateLogEntryMetadata@28	; HvpGenerateLogEntryMetadata(x,x,x,x,x,x,x)
		push	ecx		; int
		lea	eax, [ebp+var_4]
		mov	edx, esi	; int
		push	eax		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	ecx		; int
		mov	ecx, ebx	; int
		call	_HvpGenerateLogEntryDirtyData@24 ; HvpGenerateLogEntryDirtyData(x,x,x,x,x,x)
		imul	ecx, [ebp+var_C], arg_4
		mov	eax, [ecx+esi+8]
		cmp	[ebp+var_4], eax
		jnb	short loc_7420DC
		sub	eax, [ebp+var_4]
		push	eax		; size_t
		mov	eax, [ecx+esi+4]
		add	eax, [ebp+var_4]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_7420DC:				; CODE XREF: HvpGenerateLogEntry+102j
		push	dword ptr [ebp+var_18]
		mov	edx, edi
		mov	ecx, esi
		call	HvpGenerateLogEntryChecksums
		mov	eax, [ebp+var_2C]
		xor	ebx, ebx
		mov	ecx, [ebp+var_1C]
		mov	[eax], esi
		xor	esi, esi
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_24], esi
		mov	[eax], edi
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx

loc_742101:				; CODE XREF: HvpGenerateLogEntry+16Aj
		push	0
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jnz	loc_8CC5B5

loc_742113:				; CODE XREF: HvpGenerateLogEntry+18A5EEj
					; HvpGenerateLogEntry+18A61Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_74211C:				; CODE XREF: HvpGenerateLogEntry+2Bj
		mov	edi, 200h
		mov	[ebp+var_24], ecx
		jmp	loc_741FF3
; 

loc_742129:				; CODE XREF: HvpGenerateLogEntry+A8j
		mov	ebx, [ebp+var_10]
		jmp	short loc_742101
HvpGenerateLogEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpGenerateLogEntryChecksums proc near	; CODE XREF: HvpGenerateLogEntry+121p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008CC5E5 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_2C], edx
		push	8
		xor	eax, eax
		lea	edi, [ebp+var_28]
		pop	ecx
		mov	esi, [ebx+4]
		rep stosd
		cmp	[ebp+arg_0], al
		jnz	short loc_7421B9

loc_74215A:				; CODE XREF: HvpGenerateLogEntryChecksums+91j
		mov	edx, offset _HvSymcryptSeed
		lea	ecx, [ebp+var_28]
		call	@SymCryptMarvin32Init@8	; SymCryptMarvin32Init(x,x)
		cmp	[ebp+arg_0], 0
		lea	edx, [esi+28h]	; void *
		mov	ecx, [ebx+8]
		lea	eax, [ecx-28h]
		jnz	short loc_7421C1

loc_742176:				; CODE XREF: HvpGenerateLogEntryChecksums+99j
		push	eax		; int
		lea	ecx, [ebp+var_28] ; int
		call	@SymCryptMarvin32Append@12 ; SymCryptMarvin32Append(x,x,x)
		mov	eax, [ebp+var_2C]
		cmp	eax, 1
		ja	loc_8CC5E5

loc_74218B:				; CODE XREF: HvpGenerateLogEntryChecksums+18A4D2j
		lea	edx, [esi+18h]
		lea	ecx, [ebp+var_28]
		call	@SymCryptMarvin32Result@8 ; SymCryptMarvin32Result(x,x)
		lea	eax, [esi+20h]
		mov	edx, esi
		push	eax
		push	20h
		mov	ecx, offset _HvSymcryptSeed
		call	@SymCryptMarvin32@16 ; SymCryptMarvin32(x,x,x,x)
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7421B9:				; CODE XREF: HvpGenerateLogEntryChecksums+2Aj
		add	esi, 200h
		jmp	short loc_74215A
; 

loc_7421C1:				; CODE XREF: HvpGenerateLogEntryChecksums+46j
		lea	eax, [ecx-228h]
		jmp	short loc_742176
HvpGenerateLogEntryChecksums endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpGenerateLogMetadata(x, x, x)
_HvpGenerateLogMetadata@12 proc	near	; CODE XREF: HvpGenerateLogEntryMetadata(x,x,x,x,x,x,x)+19p
					; HvpGenerateLogEntry+42p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		mov	[ebp+var_C], edi
		mov	ebx, ecx
		mov	[ebp+var_4], esi
		call	_HvpCountSetRangesInVector@4 ; HvpCountSetRangesInVector(x)
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_10], eax
		test	edi, edi
		jz	short loc_742255
		cmp	[edx], eax
		jb	short loc_742255
		mov	edi, esi
		mov	[ebp+var_8], esi
		cmp	[ebx], esi
		jbe	short loc_74224A

loc_7421FD:				; CODE XREF: HvpGenerateLogMetadata(x,x,x)+78j
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		push	ebx
		call	RtlFindNextForwardRunClear
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_74225C
		mov	ecx, [ebp+var_4]
		cmp	ecx, edi
		jz	short loc_74223D
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		mov	eax, [ebp+var_C]
		shl	ecx, 9
		mov	[eax+edx*8], ecx
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		sub	eax, edi
		shl	eax, 9
		mov	[ecx+edx*8+4], eax
		inc	edx
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_14]
		mov	[ebp+var_8], edx

loc_74223D:				; CODE XREF: HvpGenerateLogMetadata(x,x,x)+4Aj
		lea	edi, [ecx+eax]
		cmp	edi, [ebx]
		jb	short loc_7421FD

loc_742244:				; CODE XREF: HvpGenerateLogMetadata(x,x,x)+ABj
		mov	eax, [ebp+var_10]
		mov	edx, [ebp+arg_0]

loc_74224A:				; CODE XREF: HvpGenerateLogMetadata(x,x,x)+31j
					; HvpGenerateLogMetadata(x,x,x)+90j
		pop	edi
		mov	[edx], eax
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_742255:				; CODE XREF: HvpGenerateLogMetadata(x,x,x)+24j
					; HvpGenerateLogMetadata(x,x,x)+28j
		mov	esi, 0C0000023h
		jmp	short loc_74224A
; 

loc_74225C:				; CODE XREF: HvpGenerateLogMetadata(x,x,x)+43j
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		mov	edx, [ebp+var_C]
		shl	eax, 9
		mov	[edx+ecx*8], eax
		mov	eax, [ebx]
		sub	eax, edi
		shl	eax, 9
		mov	[edx+ecx*8+4], eax
		jmp	short loc_742244
_HvpGenerateLogMetadata@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpCountSetRangesInVector(x)
_HvpCountSetRangesInVector@4 proc near	; CODE XREF: HvpGenerateLogEntryDirtyData(x,x,x,x,x,x)+5Ep
					; HvGetHiveLogFileStatus+18p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		mov	esi, edi
		cmp	[ebx], edi
		jbe	short loc_7422AE

loc_74228E:				; CODE XREF: HvpCountSetRangesInVector(x)+34j
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		push	ebx
		call	RtlFindNextForwardRunClear
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_7422B5
		mov	eax, [ebp+var_4]
		cmp	eax, edi
		jz	short loc_7422A7
		inc	esi

loc_7422A7:				; CODE XREF: HvpCountSetRangesInVector(x)+2Cj
		lea	edi, [eax+ecx]
		cmp	edi, [ebx]
		jb	short loc_74228E

loc_7422AE:				; CODE XREF: HvpCountSetRangesInVector(x)+14j
					; HvpCountSetRangesInVector(x)+3Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7422B5:				; CODE XREF: HvpCountSetRangesInVector(x)+25j
		inc	esi
		jmp	short loc_7422AE
_HvpCountSetRangesInVector@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvFreeHivePartial proc near		; CODE XREF: HvpTruncateBins+77p
					; HvpPerformLogFileRecovery(x,x,x,x)+40Ap

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CC605 SIZE 000000E3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		imul	edx, eax, 19Ch
		mov	ecx, esi
		push	edi
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], edx
		mov	edx, [edx+ebx+0C8h]
		mov	[ebp+var_24], edx
		cmp	esi, edx
		jnz	short loc_7422F0

loc_7422E9:				; CODE XREF: HvFreeHivePartial+164j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7422F0:				; CODE XREF: HvFreeHivePartial+2Fj
		shl	eax, 1Fh
		mov	[ebp+var_28], eax

loc_7422F6:				; CODE XREF: HvFreeHivePartial+16Cj
		lea	edi, [eax+ecx]
		mov	[ebp+var_14], ecx
		mov	edx, edi
		mov	[ebp+var_18], edi
		mov	ecx, ebx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	loc_8CC6CF
		mov	eax, [ecx+4]
		test	al, 2
		jz	loc_8CC605
		mov	ecx, [ecx]

loc_742322:				; CODE XREF: HvFreeHivePartial+18A34Fj
		test	ecx, ecx
		jz	loc_8CC60C
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	loc_742429
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_742429
		push	10h
		mov	[eax], edx
		push	ecx
		mov	[edx+4], eax
		call	dword ptr [ebx+10h]
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+4]

loc_742351:				; CODE XREF: HvFreeHivePartial+18A357j
		mov	ecx, [ecx+8]
		mov	[ebp+var_1C], ecx
		test	al, 8
		jz	loc_8CC614
		and	eax, 0FFFFFFF0h
		mov	edx, ecx
		push	ecx
		mov	ecx, eax
		mov	[ebp+var_20], eax
		call	_CmpProtectPool@12 ; CmpProtectPool(x,x,x)
		push	[ebp+var_1C]
		push	[ebp+var_20]
		call	dword ptr [ebx+10h]

loc_742378:				; CODE XREF: HvFreeHivePartial+18A361j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		add	ecx, [eax+8]
		mov	[ebp+var_8], ecx

loc_742384:				; CODE XREF: HvFreeHivePartial+100j
		mov	edx, edi
		mov	ecx, ebx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8CC6C8
		mov	edi, ecx
		xor	eax, eax
		mov	ecx, 1000h
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_14]
		mov	edi, [ebp+var_18]
		add	eax, ecx
		add	edi, ecx
		mov	[ebp+var_14], eax
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_18], edi
		cmp	eax, ecx
		jb	short loc_742384
		cmp	ecx, [ebp+var_24]
		jb	short loc_742421
		mov	ecx, [ebp+var_10]
		mov	eax, [ecx+ebx+0C8h]
		mov	edx, [ecx+ebx+0CCh]
		shr	eax, 0Ch
		dec	eax
		shr	eax, 9
		test	esi, esi
		jz	short loc_74242E
		lea	ecx, [esi-1]
		shr	ecx, 15h

loc_7423E1:				; CODE XREF: HvFreeHivePartial+179j
		push	eax
		lea	eax, [ecx+1]
		mov	ecx, ebx
		push	eax
		call	_HvpFreeMap@16	; HvpFreeMap(x,x,x,x)
		cmp	[ebp+arg_0], 0
		jz	loc_8CC61E

loc_7423F7:				; CODE XREF: HvFreeHivePartial+18A384j
					; HvFreeHivePartial+18A397j
		mov	eax, [ebp+var_10]
		mov	edx, esi
		and	edx, 7FFFFFFFh
		mov	[eax+ebx+0C8h],	edx
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_8CC654

loc_742414:				; CODE XREF: HvFreeHivePartial+18A40Bj
		push	eax
		mov	ecx, ebx
		call	_HvpAdjustHiveFreeDisplay@12 ; HvpAdjustHiveFreeDisplay(x,x,x)
		jmp	loc_7422E9
; 

loc_742421:				; CODE XREF: HvFreeHivePartial+105j
		mov	eax, [ebp+var_28]
		jmp	loc_7422F6
; 

loc_742429:				; CODE XREF: HvFreeHivePartial+77j
					; HvFreeHivePartial+82j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_74242E:				; CODE XREF: HvFreeHivePartial+121j
		or	ecx, 0FFFFFFFFh
		jmp	short loc_7423E1
HvFreeHivePartial endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvStoreModifiedData proc near		; CODE XREF: CmpFlushHive+305p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008CC6E8 SIZE 000000B0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_5], dl
		xor	ecx, ecx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_34], ecx
		test	dword ptr [ebx+64h], 8000h
		mov	eax, ecx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_10], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_C], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_40], ecx
		mov	[ebp+var_20], edi
		mov	[ebp+var_24], esi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_4C], ecx
		jnz	loc_8CC6E0
		mov	ecx, ebx
		call	HvpTruncateBins
		test	byte ptr [ebx+64h], 1
		movzx	eax, al
		mov	[ebx+464h], eax
		jnz	loc_8CC6E0
		mov	eax, [ebx+38h]
		mov	[ebp+var_18], eax
		cmp	[ebx+34h], esi
		jz	short loc_74250A
		push	30354D43h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_8CC6E8
		push	[ebp+var_18]	; size_t
		push	dword ptr [ebx+30h] ; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebx+2Ch]
		lea	edx, [ebp+var_2C]
		mov	[ebp+var_58], eax
		add	esp, 0Ch
		mov	eax, [ebp+var_1C]
		mov	ecx, ebx
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		call	HvpGenerateLogEntry
		test	eax, eax
		js	loc_8CC6F0
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_30]
		mov	[ebp+var_C], eax

loc_74250A:				; CODE XREF: HvStoreModifiedData+7Bj
		cmp	[ebp+var_5], 0
		jnz	loc_7425E2
		cmp	[ebp+arg_0], 0
		jnz	loc_7425E2

loc_74251E:				; CODE XREF: HvStoreModifiedData+2F7j
					; HvStoreModifiedData+362j
		mov	eax, [ebx+0C8h]
		xor	edx, edx
		cmp	[ebx+488h], eax
		jb	loc_742786
		cmp	[ebx+464h], edx
		jnz	loc_742786

loc_74253E:				; CODE XREF: HvStoreModifiedData+358j
		cmp	[ebx+34h], edx
		jz	short loc_742588
		mov	eax, [ebp+var_58]
		mov	ecx, ebx
		mov	[ebx+44Ch], eax
		mov	eax, [ebp+var_1C]
		mov	[ebx+450h], eax
		mov	eax, [ebp+var_18]
		mov	[ebx+454h], eax
		mov	eax, [ebp+var_10]
		mov	[ebx+458h], eax
		mov	eax, [ebp+var_C]
		mov	[ebx+45Ch], eax
		mov	eax, [ebp+var_40]
		mov	[ebp+var_1C], edx
		mov	[ebx+460h], eax
		mov	[ebp+var_10], edx
		call	_HvResetDirtyData@4 ; HvResetDirtyData(x)
		xor	edx, edx

loc_742588:				; CODE XREF: HvStoreModifiedData+10Dj
		cmp	[ebp+var_5], 0
		mov	cl, [ebp+arg_0]
		jnz	loc_742730
		test	cl, cl
		jnz	loc_742730

loc_74259D:				; CODE XREF: HvStoreModifiedData+313j
					; HvStoreModifiedData+34Dj
		xor	esi, esi

loc_74259F:				; CODE XREF: HvStoreModifiedData+18A2D0j
		mov	ebx, [ebp+var_10]
		mov	edi, [ebp+var_C]

loc_7425A5:				; CODE XREF: HvStoreModifiedData+18A2C8j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	loc_8CC709

loc_7425B0:				; CODE XREF: HvStoreModifiedData+18A2DDj
		test	ebx, ebx
		jnz	loc_8CC716

loc_7425B8:				; CODE XREF: HvStoreModifiedData+18A313j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	loc_8CC74C

loc_7425C3:				; CODE XREF: HvStoreModifiedData+18A320j
		mov	ebx, [ebp+var_24]
		test	ebx, ebx
		jnz	loc_8CC759

loc_7425CE:				; CODE XREF: HvStoreModifiedData+18A352j
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_8CC78B

loc_7425D9:				; CODE XREF: HvFreeHivePartial+18A42Bj
					; HvStoreModifiedData+18A2B7j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7425E2:				; CODE XREF: HvStoreModifiedData+DAj
					; HvStoreModifiedData+E4j
		push	30354D43h
		mov	esi, 1000h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	loc_8CC701
		push	esi		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		mov	ecx, [ebx+20h]
		add	esp, 0Ch
		cmp	[ebp+arg_0], 0
		mov	eax, [ebx+0C8h]
		mov	edi, [ebp+var_28]
		mov	[ecx+28h], eax
		mov	ecx, 80h
		mov	esi, [ebx+20h]
		rep movsd
		jz	loc_742791
		mov	esi, [ebp+var_18]
		push	30354D43h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_20], edi
		test	edi, edi
		jz	loc_8CC701
		push	esi		; size_t
		push	dword ptr [ebx+40h] ; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebx+3Ch]
		add	esp, 0Ch
		cmp	dword ptr [ebx+34h], 0
		mov	[ebp+var_44], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], edi
		jz	short loc_742677
		lea	edx, [ebp+var_58]
		lea	ecx, [ebp+var_50]
		call	_RtlMergeBitMaps@8 ; RtlMergeBitMaps(x,x)

loc_742677:				; CODE XREF: HvStoreModifiedData+236j
		lea	ecx, [ebp+var_50]
		call	_HvpCountSetRangesInVector@4 ; HvpCountSetRangesInVector(x)
		mov	[ebp+var_14], eax
		imul	eax, 0Ch
		push	32354D43h
		push	eax
		push	1
		mov	[ebp+var_30], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		jz	loc_8CC701
		push	[ebp+var_30]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		and	[ebp+var_30], 0
		add	esp, 0Ch
		and	[ebp+var_48], 0
		cmp	[ebp+var_14], 0
		jbe	short loc_74271C
		lea	eax, [esi+4]
		mov	[ebp+var_2C], eax

loc_7426C4:				; CODE XREF: HvStoreModifiedData+2E6j
		push	1
		lea	eax, [ebp+var_38]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		lea	edx, [ebp+var_50]
		call	HvpFindNextDirtyBlock
		test	al, al
		jz	short loc_74271C
		cmp	[ebp+var_34], 0
		jz	loc_8CC701
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_38]
		mov	eax, [ebp+var_3C]
		mov	edi, [ebp+var_34]
		mov	[edx-4], ecx
		add	ecx, eax
		mov	[edx+4], eax
		mov	eax, [ebp+var_30]
		mov	[edx], edi
		inc	eax
		mov	edi, [ebp+var_20]
		add	edx, 0Ch
		mov	[ebp+var_38], ecx
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], edx
		cmp	eax, [ebp+var_14]
		jb	short loc_7426C4

loc_74271C:				; CODE XREF: HvStoreModifiedData+288j
					; HvStoreModifiedData+2AEj
		push	[ebp+var_18]	; size_t
		push	dword ptr [ebx+40h] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_74251E
; 

loc_742730:				; CODE XREF: HvStoreModifiedData+15Bj
					; HvStoreModifiedData+163j
		cmp	byte ptr [ebx+83h], 0
		mov	eax, [ebp+var_28]
		mov	[ebx+480h], eax
		mov	[ebp+var_28], edx
		jnz	short loc_74279B

loc_742745:				; CODE XREF: HvStoreModifiedData+36Ej
		test	cl, cl
		jz	loc_74259D
		mov	eax, [ebp+var_44]
		mov	ecx, ebx
		mov	[ebx+46Ch], eax
		mov	eax, [ebp+var_18]
		mov	[ebx+470h], edi
		mov	[ebx+474h], eax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_20], edx
		mov	[ebx+478h], esi
		mov	[ebx+47Ch], eax
		mov	[ebp+var_24], edx
		call	_HvResetUnreconciledData@4 ; HvResetUnreconciledData(x)
		jmp	loc_74259D
; 

loc_742786:				; CODE XREF: HvStoreModifiedData+F8j
					; HvStoreModifiedData+104j
		mov	[ebx+488h], eax
		jmp	loc_74253E
; 

loc_742791:				; CODE XREF: HvStoreModifiedData+1F6j
		mov	edi, [ebp+var_20]
		mov	esi, edi
		jmp	loc_74251E
; 

loc_74279B:				; CODE XREF: HvStoreModifiedData+30Fj
		mov	byte ptr [ebx+468h], 1
		jmp	short loc_742745
HvStoreModifiedData endp


;  S U B	R O U T	I N E 


; __stdcall CmpInitializeRollbackPacket(x)
_CmpInitializeRollbackPacket@4 proc near ; CODE	XREF: CmpTryToRundownHive+25p
		mov	edi, edi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		stosd
		stosd
		stosd
		pop	edi
		retn
_CmpInitializeRollbackPacket@4 endp


;  S U B	R O U T	I N E 


CmpCleanupRollbackPacket proc near	; CODE XREF: CmpTryToRundownHive+94p
					; CmpTryToRundownHive+176530p ...

; FUNCTION CHUNK AT 008CC798 SIZE 00000021 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		cmp	[edi], esi
		ja	loc_8CC798

loc_7427C0:				; CODE XREF: CmpCleanupRollbackPacket+18A004j
		mov	ecx, [edi+8]
		pop	edi
		pop	esi
		test	ecx, ecx
		jnz	_CmpFreePool@4	; CmpFreePool(x)
		retn
CmpCleanupRollbackPacket endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpWorkerEngineWorker proc near		; DATA XREF: CmInitSystem1(x)+12Fo

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CC7B9 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, offset _CmpWorkerEngineListHead

loc_7427DC:				; CODE XREF: CmpWorkerEngineWorker+50j
					; CmpWorkerEngineWorker+189FF3j
		mov	ecx, offset _CmpWorkerEngineLock
		call	ExAcquireFastMutex
		mov	edi, _CmpWorkerEngineListHead
		cmp	edi, ebx
		jz	short loc_742825
		cmp	[edi+4], ebx
		jnz	short loc_74285D
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_74285D
		mov	_CmpWorkerEngineListHead, eax
		mov	ecx, offset _CmpWorkerEngineLock
		mov	[eax+4], ebx
		mov	[edi+4], edi
		mov	[edi], edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		push	dword ptr [edi+10h]
		mov	esi, [edi+8]
		call	dword ptr [edi+0Ch]
		test	esi, esi
		jnz	short loc_7427DC
		jmp	loc_8CC7B9
; 

loc_742825:				; CODE XREF: CmpWorkerEngineWorker+20j
		mov	ecx, offset _CmpWorkerEngineLock
		mov	_CmpWorkerEngineWorkItemActive,	0
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		pop	edi
		pop	esi
		pop	ebx
		cmp	_CmpWorkerEngineFinishedEvent, ecx
		jz	short locret_742859
		xor	edx, edx
		mov	ecx, offset _CmpWorkerEngineFinishedEvent
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

locret_742859:				; CODE XREF: CmpWorkerEngineWorker+7Dj
		leave
		retn	4
; 

loc_74285D:				; CODE XREF: CmpWorkerEngineWorker+25j
					; CmpWorkerEngineWorker+2Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
CmpWorkerEngineWorker endp		; AL = character to display


;  S U B	R O U T	I N E 


CmpVolumeContextDecrementRefCount proc near ; CODE XREF: CmpCompleteUnloadKey(x,x,x)+188p
					; CmShutdownSystem(x)+2A7p ...

; FUNCTION CHUNK AT 008CC7C6 SIZE 000000AD BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+8]
		lea	ebx, [esi+0Ch]
		mov	ecx, [ebx]
		lea	edx, [ecx-1]

loc_742874:				; CODE XREF: CmpVolumeContextDecrementRefCount+2Dj
		test	edx, edx
		jle	loc_8CC7C6
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		mov	edx, eax
		cmp	edx, ecx
		jnz	short loc_74288C
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_74288C:				; CODE XREF: CmpVolumeContextDecrementRefCount+24j
		mov	ecx, edx
		dec	edx
		jmp	short loc_742874
CmpVolumeContextDecrementRefCount endp

; 
		align 2

;  S U B	R O U T	I N E 


CmpRecordRMRecoveryMode	proc near	; CODE XREF: CmpCompleteUnloadKey(x,x,x)+47p
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	bl, bl
		mov	eax, [esi+9A0h]
		test	eax, eax
		jnz	loc_8CC847

loc_7428A9:				; CODE XREF: CmpVolumeContextDecrementRefCount+18A00Cj
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ecx
		retn
CmpRecordRMRecoveryMode	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTraceHiveUnloadStart	proc near	; CODE XREF: CmpCompleteUnloadKey(x,x,x)+5Cp

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CC873 SIZE 00000091 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_UNLOAD_START
		mov	[ebp+var_60], edx
		lea	edi, [ebp+var_58]
		mov	ebx, ecx
		lea	eax, [ebp+var_58]
		push	eax
		mov	eax, ds:_EtwpRegTraceHandle
		movsd
		mov	[ebp+var_64], eax
		movsd
		movsd
		movsd
		mov	edi, ds:dword_A93DD4
		push	edi
		push	eax
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8CC873

loc_7428F7:				; CODE XREF: CmpTraceHiveUnloadStart+18A04Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpTraceHiveUnloadStart	endp


;  S U B	R O U T	I N E 


; __stdcall CmpRemoveFromPreloadedHivesList(x)
_CmpRemoveFromPreloadedHivesList@4 proc	near ; CODE XREF: CmpCompleteUnloadKey(x,x,x)+107p
		test	dword ptr [ecx+64h], 400h
		jnz	short loc_742910
		retn
; 

loc_742910:				; CODE XREF: CmpRemoveFromPreloadedHivesList(x)+7j
		lea	eax, [ecx+428h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_74292A
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_74292A
		mov	[ecx], edx
		mov	[edx+4], ecx
		retn
; 

loc_74292A:				; CODE XREF: CmpRemoveFromPreloadedHivesList(x)+15j
					; CmpRemoveFromPreloadedHivesList(x)+1Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CmpRemoveFromPreloadedHivesList@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpVERemoveHiveFromSIDMappingTable(x)
_CmpVERemoveHiveFromSIDMappingTable@4 proc near
					; CODE XREF: CmpCompleteUnloadKey(x,x,x)+10Ep
					; CmShutdownSystem(x)+231p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	byte ptr [esi+980h], 2
		jnz	short loc_742944
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_742944:				; CODE XREF: CmpVERemoveHiveFromSIDMappingTable(x)+Ej
		mov	ecx, offset _CmpSIDMappingLock
		call	ExAcquireFastMutex
		mov	ecx, _CmpSIDToHiveMappingCount
		xor	ebx, ebx
		test	ecx, ecx
		jz	short loc_74296E
		mov	eax, _CmpSIDToHiveMapping
		add	eax, 0Ch

loc_742962:				; CODE XREF: CmpVERemoveHiveFromSIDMappingTable(x)+3Cj
		cmp	[eax], esi
		jz	short loc_74296E
		inc	ebx
		add	eax, 10h
		cmp	ebx, ecx
		jb	short loc_742962

loc_74296E:				; CODE XREF: CmpVERemoveHiveFromSIDMappingTable(x)+28j
					; CmpVERemoveHiveFromSIDMappingTable(x)+34j
		mov	eax, _CmpSIDToHiveMapping
		mov	edi, ebx
		shl	edi, 4
		push	0
		push	dword ptr [edi+eax+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, _CmpSIDToHiveMappingCount
		mov	edx, _CmpSIDToHiveMapping
		dec	esi
		add	edx, edi
		mov	_CmpSIDToHiveMappingCount, esi
		sub	esi, ebx
		shl	esi, 4
		push	esi		; size_t
		lea	eax, [edx+10h]
		push	eax		; void *
		push	edx		; void *
		call	_memmove
		add	esp, 0Ch
		mov	ecx, offset _CmpSIDMappingLock
		pop	edi
		pop	esi
		pop	ebx
		jmp	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
_CmpVERemoveHiveFromSIDMappingTable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLateUnloadHiveWorker	proc near	; DATA XREF: CmpDoQueueLateUnloadWorker+ACo

var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CC904 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+30h+var_1C]
		mov	[esp+30h+var_20], 2
		rep stosd
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		push	16h
		pop	edx
		mov	ecx, ebx
		call	_CmpLogUnload@8	; CmpLogUnload(x,x)
		test	byte ptr [ebx+64h], 40h
		mov	esi, [ebx+6D8h]
		jnz	loc_8CC904
		call	CmpAcquireShutdownRundown
		mov	[esp+30h+var_21], al
		test	al, al
		jz	loc_8CC908
		cmp	byte ptr [ebx+6DCh], 0
		jz	loc_8CC92F
		test	byte ptr [ebx+980h], 20h
		jz	short loc_742A3A
		inc	_CmpActiveAppHiveUnloadCount

loc_742A3A:				; CODE XREF: CmpLateUnloadHiveWorker+7Aj
		push	ecx
		lea	eax, [esp+13h]
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	CmpTryToRundownHive
		and	dword ptr [ebx+6E0h], 0
		test	al, al
		jz	loc_8CC93E
		mov	esi, [ebx+6D8h]
		mov	ecx, ebx
		push	1Eh
		pop	edx
		call	_CmpLogUnload@8	; CmpLogUnload(x,x)
		lea	ecx, [esp+30h+var_1C]
		call	CmpAttachToRegistryProcess
		lea	eax, [esp+30h+var_20]
		mov	ecx, esi
		push	eax
		call	_CmpCompleteUnloadKey@12 ; CmpCompleteUnloadKey(x,x,x)
		xor	edx, edx
		lea	ecx, [esp+30h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, esi
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)

loc_742A94:				; CODE XREF: CmpLateUnloadHiveWorker+189F81j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		mov	ecx, ebx
		call	_CmpDereferenceHive@4 ;	CmpDereferenceHive(x)
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_742AAA:				; CODE XREF: CmpLateUnloadHiveWorker+189F72j
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
CmpLateUnloadHiveWorker	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCompleteUnloadKey(x, x, x)
_CmpCompleteUnloadKey@12 proc near	; CODE XREF: CmpPerformUnloadKey+21Fp
					; CmpLateUnloadHiveWorker+C0p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_14], 0
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	ecx, [ebp+var_14]
		mov	esi, [edi+10h]
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		mov	ebx, [esi+980h]
		mov	ecx, esi
		push	6
		and	ebx, 20h
		pop	edx
		mov	[ebp+var_8], ebx
		call	_CmpLogUnload@8	; CmpLogUnload(x,x)
		xor	edx, edx
		lea	ecx, [esi+6E0h]
		inc	edx
		xor	eax, eax
		lock cmpxchg [ecx], edx
		mov	ecx, esi
		call	CmpRecordRMRecoveryMode
		or	dword ptr [esi+64h], 40h
		lea	edx, [esi+4B8h]
		lea	ecx, [esi+4B0h]
		call	CmpTraceHiveUnloadStart
		lea	eax, [ebp+var_14]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	_CmpRemoveHiveFromNamespace@12 ; CmpRemoveHiveFromNamespace(x,x,x)
		push	8
		pop	edx
		mov	ecx, esi
		call	_CmpLogUnload@8	; CmpLogUnload(x,x)
		test	ebx, ebx
		jz	short loc_742B49
		mov	dword ptr [esi+0BF0h], 1
		call	CmpDecrementAppHiveUnloadCount

loc_742B49:				; CODE XREF: CmpCompleteUnloadKey(x,x,x)+7Aj
		push	0
		lea	eax, [ebp+var_14]
		xor	edx, edx
		push	eax
		inc	edx
		mov	ecx, edi
		call	CmpFlushNotifiesOnKeyBodyList
		lea	edx, [ebp+var_14]
		mov	ecx, edi
		call	_CmpMarkKeyUnbacked@8 ;	CmpMarkKeyUnbacked(x,x)
		mov	ecx, edi
		call	_CmpDiscardKcb@4 ; CmpDiscardKcb(x)
		lea	edx, [ebp+var_14]
		mov	ecx, edi
		call	_CmpRemoveLayerLinkForDiscardedKcb@8 ; CmpRemoveLayerLinkForDiscardedKcb(x,x)
		mov	ecx, [edi+24h]
		mov	dl, 1
		mov	ecx, [ecx+24h]
		call	CmpCleanUpSubKeyInfo
		xor	dl, dl
		lea	ecx, [ebp+var_14]
		call	CmpDrainDelayDerefContext
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	edi, [ebp+arg_0]
		and	dword ptr [edi], 0FFFFFFFDh
		mov	eax, [edi]
		test	al, 4
		jz	short loc_742BA4
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		and	dword ptr [edi], 0FFFFFFFBh

loc_742BA4:				; CODE XREF: CmpCompleteUnloadKey(x,x,x)+DCj
		mov	ecx, esi
		call	_CmpRemoveFromHiveFileList@4 ; CmpRemoveFromHiveFileList(x)
		mov	ecx, esi
		call	_CmpDestroySecurityCache@4 ; CmpDestroySecurityCache(x)
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	ecx, esi
		call	_CmpUnJoinClassOfTrust@4 ; CmpUnJoinClassOfTrust(x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	_CmpRemoveFromPreloadedHivesList@4 ; CmpRemoveFromPreloadedHivesList(x)
		mov	ecx, esi
		call	_CmpVERemoveHiveFromSIDMappingTable@4 ;	CmpVERemoveHiveFromSIDMappingTable(x)
		push	2Ch
		pop	edx
		mov	ecx, esi
		call	CmpFlushHive
		mov	ebx, [esi+0C8h]
		mov	ecx, esi
		lea	edi, [eax+3FFFFFF3h]
		neg	edi
		sbb	edi, edi
		add	ebx, 1000h
		and	edi, eax
		call	HvHiveCleanup
		test	edi, edi
		js	short loc_742C35
		test	dword ptr [esi+64h], 8000h
		jnz	short loc_742C35
		mov	ecx, [esi+490h]
		mov	eax, [esi+494h]
		sub	ecx, ebx
		push	0
		pop	edx
		sbb	eax, edx
		mov	[ebp+var_18], eax
		js	short loc_742C35
		jg	short loc_742C29
		cmp	ecx, 100000h
		jbe	short loc_742C35

loc_742C29:				; CODE XREF: CmpCompleteUnloadKey(x,x,x)+161j
		push	edx
		push	edx
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		call	CmpDoFileSetSizeEx

loc_742C35:				; CODE XREF: CmpCompleteUnloadKey(x,x,x)+13Ej
					; CmpCompleteUnloadKey(x,x,x)+147j ...
		mov	ecx, esi
		call	_CmpCmdHiveClose@4 ; CmpCmdHiveClose(x)
		mov	ecx, [esi+0BFCh]
		test	ecx, ecx
		jz	short loc_742C4B
		call	CmpVolumeContextDecrementRefCount

loc_742C4B:				; CODE XREF: CmpCompleteUnloadKey(x,x,x)+186j
		cmp	[ebp+var_8], 0
		jz	short loc_742C73
		xor	ebx, ebx
		lea	ecx, [esi+0BF4h]
		mov	[esi+0BF0h], ebx
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], ebx
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], ebx
		jz	short loc_742C73
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_742C73:				; CODE XREF: CmpCompleteUnloadKey(x,x,x)+191j
					; CmpCompleteUnloadKey(x,x,x)+1AEj
		mov	ecx, esi
		call	_CmpSignalUnloadEventArrayForHive@4 ; CmpSignalUnloadEventArrayForHive(x)
		mov	ecx, edi
		call	CmpTraceHiveUnloadStop
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpCompleteUnloadKey@12 endp


;  S U B	R O U T	I N E 


; __stdcall CmpLogUnload(x, x)
_CmpLogUnload@8	proc near		; CODE XREF: CmpLateUnloadHiveWorker+40p
					; CmpLateUnloadHiveWorker+ABp ...
		xor	eax, eax
		inc	eax
		lock xadd [ecx+9DCh], eax
		inc	eax
		dec	eax
		and	eax, 7Fh
		mov	[ecx+eax*4+9E0h], edx
		retn
_CmpLogUnload@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTraceHiveUnloadStop proc near	; CODE XREF: CmpCompleteUnloadKey(x,x,x)+1BEp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CC95F SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_UNLOAD_STOP
		mov	[ebp+var_2C], ecx
		lea	edi, [ebp+var_28]
		lea	eax, [ebp+var_28]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8CC95F

loc_742CE2:				; CODE XREF: CmpTraceHiveUnloadStop+189CE6j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpTraceHiveUnloadStop endp


;  S U B	R O U T	I N E 


; __stdcall CmpSignalUnloadEventArrayForHive(x)
_CmpSignalUnloadEventArrayForHive@4 proc near ;	CODE XREF: CmpCompleteUnloadKey(x,x,x)+1B7p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	eax, [esi+6D0h]
		test	eax, eax
		jnz	short loc_742D05

loc_742D02:				; CODE XREF: CmpSignalUnloadEventArrayForHive(x)+42j
					; CmpSignalUnloadEventArrayForHive(x)+51j
		pop	edi
		pop	esi
		retn
; 

loc_742D05:				; CODE XREF: CmpSignalUnloadEventArrayForHive(x)+10j
					; CmpSignalUnloadEventArrayForHive(x)+3Ej
		mov	eax, [esi+6D4h]
		push	0
		push	0
		push	dword ptr [eax+edi*4]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [esi+6D4h]
		mov	ecx, [ecx+edi*4]
		call	ObfDereferenceObject
		mov	eax, [esi+6D0h]
		inc	edi
		cmp	edi, eax
		jb	short loc_742D05
		test	eax, eax
		jz	short loc_742D02
		push	0
		push	dword ptr [esi+6D4h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_742D02
_CmpSignalUnloadEventArrayForHive@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCmdHiveClose(x)
_CmpCmdHiveClose@4 proc	near		; CODE XREF: CmpCompleteUnloadKey(x,x,x)+179p
					; CmShutdownSystem(x)+298p ...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edx, edx
		lea	edi, [ebp+var_30]
		push	0Ah
		mov	ebx, ecx
		mov	[ebp+var_4C], edx
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_48], edx
		rep stosd
		push	edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], edx
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	esi, [ebx+400h]
		mov	byte ptr [ebp+var_44], al
		test	esi, esi
		jz	short loc_742E05
		push	4
		push	28h
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	esi
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		test	eax, eax
		js	short loc_742DF0
		lea	eax, [ebp+var_40]
		push	eax
		call	KeQuerySystemTime
		cmp	byte ptr [ebx+51h], 0
		mov	ecx, [ebp+var_3C]
		mov	edx, [ebp+var_40]
		jz	short loc_742DB9
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		jmp	short loc_742DD8
; 

loc_742DB9:				; CODE XREF: CmpCmdHiveClose(x)+6Bj
		mov	eax, [ebx+9BCh]
		mov	edi, [ebx+9B8h]
		mov	[ebp+var_3C], eax
		mov	eax, edi
		or	eax, [ebp+var_3C]
		jz	short loc_742DD8
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], eax

loc_742DD8:				; CODE XREF: CmpCmdHiveClose(x)+73j
					; CmpCmdHiveClose(x)+89j
		push	4
		push	28h
		lea	eax, [ebp+var_30]
		mov	[ebp+var_28], edx
		push	eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_24], ecx
		push	eax
		push	esi
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)

loc_742DF0:				; CODE XREF: CmpCmdHiveClose(x)+56j
		test	dword ptr [ebx+980h], 10000h
		jz	short loc_742E05
		xor	dl, dl
		mov	ecx, esi
		call	_CmpAdjustFileCFSafety@8 ; CmpAdjustFileCFSafety(x,x)

loc_742E05:				; CODE XREF: CmpCmdHiveClose(x)+40j
					; CmpCmdHiveClose(x)+B6j
		xor	ecx, ecx
		mov	esi, ecx

loc_742E09:				; CODE XREF: CmpCmdHiveClose(x)+10Aj
		mov	eax, [ebx+esi*4+400h]
		test	eax, eax
		jz	short loc_742E4A
		push	2
		test	esi, esi
		jnz	short loc_742E23
		mov	word ptr [ebp+var_34], si
		lea	ecx, [ebp+var_34]
		jmp	short loc_742E2C
; 

loc_742E23:				; CODE XREF: CmpCmdHiveClose(x)+D4j
		mov	word ptr [ebp+var_3C], 0
		lea	ecx, [ebp+var_3C]

loc_742E2C:				; CODE XREF: CmpCmdHiveClose(x)+DDj
		push	ecx
		push	4
		push	eax
		call	_ZwSetInformationObject@16 ; ZwSetInformationObject(x,x,x,x)
		push	dword ptr [ebx+esi*4+400h]
		call	_ZwClose@4	; ZwClose(x)
		xor	ecx, ecx
		mov	[ebx+esi*4+400h], ecx

loc_742E4A:				; CODE XREF: CmpCmdHiveClose(x)+CEj
		inc	esi
		cmp	esi, 6
		jb	short loc_742E09
		push	[ebp+var_44]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpCmdHiveClose@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapCleanup(x)
_HvpViewMapCleanup@4 proc near		; CODE XREF: HvHiveCleanup+138p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		lea	esi, [ebx+20h]
		test	byte ptr [esi+4], 1
		mov	eax, [esi]
		jz	short loc_742E83
		test	eax, eax
		jz	short loc_742E83
		xor	eax, esi

loc_742E83:				; CODE XREF: HvpViewMapCleanup(x)+13j
					; HvpViewMapCleanup(x)+17j
		mov	cl, [esi+4]
		movzx	edx, cl
		and	edx, 1
		test	eax, eax
		jz	short loc_742EDB
		mov	esi, edx
		push	edi

loc_742E93:				; CODE XREF: HvpViewMapCleanup(x)+51j
					; HvpViewMapCleanup(x)+6Aj ...
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_742EA3
		mov	edx, eax
		test	esi, esi
		jnz	short loc_742EB4
		mov	eax, ecx
		jmp	short loc_742EB6
; 

loc_742EA3:				; CODE XREF: HvpViewMapCleanup(x)+2Fj
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_742EBB
		mov	edx, eax
		test	esi, esi
		jnz	short loc_742EF6
		mov	eax, ecx
		jmp	short loc_742EF8
; 

loc_742EB4:				; CODE XREF: HvpViewMapCleanup(x)+35j
		xor	eax, ecx

loc_742EB6:				; CODE XREF: HvpViewMapCleanup(x)+39j
		and	dword ptr [edx], 0
		jmp	short loc_742E93
; 

loc_742EBB:				; CODE XREF: HvpViewMapCleanup(x)+40j
		mov	edi, [eax+8]
		and	edi, 0FFFFFFFCh
		test	esi, esi
		jnz	short loc_742EFE

loc_742EC5:				; CODE XREF: HvpViewMapCleanup(x)+98j
					; HvpViewMapCleanup(x)+9Cj
		push	ebx
		push	eax
		call	_HvpViewMapDeleteViewTreeNode@8	; HvpViewMapDeleteViewTreeNode(x,x)
		test	edi, edi
		jz	short loc_742ED4
		mov	eax, edi
		jmp	short loc_742E93
; 

loc_742ED4:				; CODE XREF: HvpViewMapCleanup(x)+66j
		lea	esi, [ebx+20h]
		mov	cl, [esi+4]
		pop	edi

loc_742EDB:				; CODE XREF: HvpViewMapCleanup(x)+26j
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		test	cl, 1
		jnz	short loc_742F06

loc_742EE7:				; CODE XREF: HvpViewMapCleanup(x)+A2j
		mov	ecx, [ebx]
		pop	esi
		pop	ebx
		test	ecx, ecx
		jz	short locret_742EF4
		call	_BiZwClose@4	; BiZwClose(x)

locret_742EF4:				; CODE XREF: HvpViewMapCleanup(x)+85j
		leave
		retn
; 

loc_742EF6:				; CODE XREF: HvpViewMapCleanup(x)+46j
		xor	eax, ecx

loc_742EF8:				; CODE XREF: HvpViewMapCleanup(x)+4Aj
		and	dword ptr [edx+4], 0
		jmp	short loc_742E93
; 

loc_742EFE:				; CODE XREF: HvpViewMapCleanup(x)+5Bj
		test	edi, edi
		jz	short loc_742EC5
		xor	edi, eax
		jmp	short loc_742EC5
; 

loc_742F06:				; CODE XREF: HvpViewMapCleanup(x)+7Dj
		mov	byte ptr [esi+4], 1
		jmp	short loc_742EE7
_HvpViewMapCleanup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapDeleteViewTreeNode(x, x)
_HvpViewMapDeleteViewTreeNode@8	proc near ; CODE XREF: HvpViewMapCleanup(x)+5Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_742F28
		mov	edx, [ebp+arg_4]
		push	eax
		mov	edx, [edx+18h]
		call	_CmSiUnmapViewOfSection@12 ; CmSiUnmapViewOfSection(x,x,x)

loc_742F28:				; CODE XREF: HvpViewMapDeleteViewTreeNode(x,x)+Ej
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)
		pop	esi
		pop	ebp
		retn	8
_HvpViewMapDeleteViewTreeNode@8	endp ; sp = -4


;  S U B	R O U T	I N E 


; __stdcall HvFreeDirtyData(x)
_HvFreeDirtyData@4 proc	near		; CODE XREF: CmpDeleteHive(x)+44p
					; CmpFlushHive+3D5p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+450h]
		test	eax, eax
		jnz	short loc_742F45
		pop	esi
		retn
; 

loc_742F45:				; CODE XREF: HvFreeDirtyData(x)+Dj
		push	ebx
		push	edi
		xor	edi, edi
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+44Ch], edi
		mov	ebx, edi
		mov	[esi+450h], edi
		cmp	[esi+45Ch], edi
		jbe	short loc_742F95

loc_742F66:				; CODE XREF: HvFreeDirtyData(x)+5Dj
		mov	eax, [esi+458h]
		mov	eax, [eax+edi+4]
		test	eax, eax
		jz	short loc_742F87
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+458h]
		and	dword ptr [eax+edi+4], 0

loc_742F87:				; CODE XREF: HvFreeDirtyData(x)+3Ej
		inc	ebx
		add	edi, 0Ch
		cmp	ebx, [esi+45Ch]
		jb	short loc_742F66
		xor	edi, edi

loc_742F95:				; CODE XREF: HvFreeDirtyData(x)+30j
		push	edi
		push	dword ptr [esi+458h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+458h], edi
		mov	[esi+45Ch], edi
		mov	[esi+460h], edi
		pop	edi
		pop	ebx
		pop	esi
		retn
_HvFreeDirtyData@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmpDeleteKcbCache(x)
_CmpDeleteKcbCache@4 proc near		; CODE XREF: CmpDeleteHive(x)+4Bp
					; CmpInitializeKcbCache+E7p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	eax, [esi+434h]
		mov	edi, [esi+43Ch]
		test	eax, eax
		jz	short loc_742FE8
		push	61434D43h
		push	eax
		mov	[esi+434h], ebx
		mov	[esi+438h], ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_742FE8:				; CODE XREF: CmpDeleteKcbCache(x)+17j
		test	edi, edi
		jz	short loc_743003
		push	61434D43h
		push	edi
		mov	[esi+43Ch], ebx
		mov	[esi+440h], ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_743003:				; CODE XREF: CmpDeleteKcbCache(x)+32j
		pop	edi
		pop	esi
		pop	ebx
		retn
_CmpDeleteKcbCache@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmpDeleteHive(x)
_CmpDeleteHive@4 proc near		; CODE XREF: CmpUnlockHashEntryByKcb(x)+5Cj
					; CmpUnlockDeletedHashEntryByKcb(x)+53j ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+420h]
		cmp	[edi], edi
		jz	short loc_743044
		push	ebx
		mov	ebx, offset _CmpHiveListHeadLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [edi]
		cmp	[edx+4], edi
		jnz	short loc_743094
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_743094
		mov	[eax], edx
		mov	ecx, ebx
		mov	[edx+4], eax
		xor	edx, edx
		call	ExReleasePushLockEx
		pop	ebx

loc_743044:				; CODE XREF: CmpDeleteHive(x)+Ej
		mov	ecx, esi
		mov	dword ptr [esi], 0BAD0BEE0h
		call	_HvFreeDirtyData@4 ; HvFreeDirtyData(x)
		mov	ecx, esi
		call	_CmpDeleteKcbCache@4 ; CmpDeleteKcbCache(x)
		mov	eax, [esi+4B4h]
		test	eax, eax
		jz	short loc_74306D
		push	624E4D43h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_74306D:				; CODE XREF: CmpDeleteHive(x)+58j
		mov	eax, [esi+4BCh]
		test	eax, eax
		jz	short loc_74307F
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_74307F:				; CODE XREF: CmpDeleteHive(x)+6Dj
		mov	ecx, 0C00h
		call	CmpReleaseGlobalQuota
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
; 

loc_743094:				; CODE XREF: CmpDeleteHive(x)+24j
					; CmpDeleteHive(x)+2Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CmpDeleteHive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInitializeActualFileSizes proc near	; CODE XREF: HvLoadHive+125p
					; CmpMountPreloadedHives+9A10Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CC98B SIZE 00000066 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		lea	edx, [ebp+var_8]
		mov	ecx, [esi+400h]
		call	_CmpGetFileSize@8 ; CmpGetFileSize(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8CC98B
		mov	edx, [ebp+var_8]
		mov	eax, edx
		mov	ecx, [ebp+var_4]
		or	eax, ecx
		mov	[esi+490h], edx
		mov	[esi+494h], ecx
		jz	loc_8CC998
		test	ecx, ecx
		jl	short loc_7430FC
		mov	eax, 7FFFF000h
		jg	loc_8CC9A3
		cmp	edx, eax
		ja	loc_8CC9A3

loc_7430FC:				; CODE XREF: CmpInitializeActualFileSizes+4Dj
					; CmpInitializeActualFileSizes+189916j
		test	ebx, ebx
		jz	short loc_743108
		mov	eax, [esi+490h]
		mov	[ebx], eax

loc_743108:				; CODE XREF: CmpInitializeActualFileSizes+64j
		mov	eax, [esi+68h]
		cmp	eax, 1
		jz	short loc_743172
		cmp	eax, 4
		jnz	loc_74319C

loc_743119:				; CODE XREF: CmpInitializeActualFileSizes+107j
		mov	ecx, [esi+410h]
		lea	edx, [ebp+var_8]
		call	_CmpGetFileSize@8 ; CmpGetFileSize(x,x)
		test	eax, eax
		js	loc_8CC9C7
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]

loc_743135:				; CODE XREF: CmpInitializeActualFileSizes+189940j
		mov	[esi+498h], eax
		lea	edx, [ebp+var_8]
		mov	[esi+49Ch], ecx
		mov	ecx, [esi+414h]
		call	_CmpGetFileSize@8 ; CmpGetFileSize(x,x)
		test	eax, eax
		js	loc_8CC9DF
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]

loc_74315D:				; CODE XREF: CmpInitializeActualFileSizes+189952j
		mov	[esi+4A0h], eax
		mov	[esi+4A4h], ecx

loc_743169:				; CODE XREF: CmpInitializeActualFileSizes+100j
					; CmpInitializeActualFileSizes+105j
		xor	edi, edi

loc_74316B:				; CODE XREF: CmpInitializeActualFileSizes+1898F9j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_743172:				; CODE XREF: CmpInitializeActualFileSizes+74j
		mov	ecx, [esi+404h]
		lea	edx, [ebp+var_8]
		call	_CmpGetFileSize@8 ; CmpGetFileSize(x,x)
		test	eax, eax
		js	loc_8CC9B5
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]

loc_74318E:				; CODE XREF: CmpInitializeActualFileSizes+189928j
		mov	[esi+498h], eax
		mov	[esi+49Ch], ecx
		jmp	short loc_743169
; 

loc_74319C:				; CODE XREF: CmpInitializeActualFileSizes+79j
		cmp	eax, 5
		jnz	short loc_743169
		jmp	loc_743119
CmpInitializeActualFileSizes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetFileSize(x, x)
_CmpGetFileSize@8 proc near		; CODE XREF: CmpInitializeActualFileSizes+20p
					; CmpInitializeActualFileSizes+88p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [ebp+var_20]
		pop	ecx
		xor	eax, eax
		mov	ebx, edx
		and	[ebp+var_28], eax
		and	[ebp+var_24], eax
		push	5
		rep stosd
		push	18h
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		test	eax, eax
		js	short loc_7431F2
		mov	eax, [ebp+var_18]
		mov	[ebx], eax
		mov	eax, [ebp+var_14]
		mov	[ebx+4], eax
		xor	eax, eax

loc_7431F2:				; CODE XREF: CmpGetFileSize(x,x)+3Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpGetFileSize@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTraceHiveMountBaseFileMounted proc near ; CODE XREF:	HvLoadHive+1E7p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CC9F1 SIZE 00000082 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_MOUNT_BASE_FILE_MOUNTED
		mov	[ebp+var_58], edx
		lea	edi, [ebp+var_48]
		mov	ebx, ecx
		lea	eax, [ebp+var_48]
		push	eax
		push	ds:dword_A93DD4
		movsd
		push	ds:_EtwpRegTraceHandle
		movsd
		movsd
		movsd
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8CC9F1

loc_743245:				; CODE XREF: CmpTraceHiveMountBaseFileMounted+189805j
					; CmpTraceHiveMountBaseFileMounted+18986Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpTraceHiveMountBaseFileMounted endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvLoadHive	proc near		; CODE XREF: HvHiveStartFileBacked+CFp

var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_8D		= byte ptr -8Dh
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CCA73 SIZE 00000325 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ECh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_CC], edx
		xor	edx, edx
		lea	edi, [ebp+var_EC]
		push	8
		pop	ecx
		mov	eax, [ebx+1Ch]
		mov	[ebp+var_94], eax
		xor	eax, eax
		push	30h		; size_t
		rep stosd
		push	edx		; int
		lea	eax, [ebp+var_88]
		mov	[ebp+var_A8], edx
		push	eax		; void *
		mov	[ebp+var_A4], edx
		mov	[ebp+var_A0], edx
		mov	[ebp+var_8C], edx
		mov	[ebp+var_9C], edx
		mov	[ebp+var_8D], dl
		mov	[ebp+var_AC], edx
		mov	[ebp+var_BC], edx
		mov	[ebp+var_B8], edx
		mov	[ebp+var_B4], edx
		call	_memset
		add	esp, 0Ch
		test	dword ptr [ebx+64h], 8001h
		jz	loc_74350F

loc_7432E7:				; CODE XREF: HvLoadHive+2C3j
		mov	edi, [ebp+var_94]

loc_7432ED:				; CODE XREF: HvLoadHive+2D6j
					; HvLoadHive+18982Dj
		lea	eax, [ebp+var_A8]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_8C]
		call	HvpGetHiveHeader
		mov	ecx, eax
		mov	[ebp+var_B0], ecx
		cmp	ecx, 2
		jz	loc_8CCA86
		cmp	ecx, 7
		jz	loc_8CCAA2
		test	ecx, ecx
		jz	loc_8CCAAE
		cmp	ecx, 5
		jz	loc_8CCABA
		cmp	ecx, 4
		jz	loc_8CCABA

loc_743335:				; CODE XREF: HvLoadHive+18986Aj
		mov	eax, [ebp+var_8C]
		xor	edx, edx
		inc	edx
		cmp	ecx, 5
		jz	loc_8CCAD6
		cmp	ecx, 4
		jz	loc_8CCACD

loc_743350:				; CODE XREF: HvLoadHive+1899A5j
					; HvLoadHive+1899B0j
		and	[ebp+var_8C], 0
		lea	edx, [ebp+var_A0]
		mov	[ebx+20h], eax
		mov	ecx, [eax+14h]
		mov	eax, [eax+18h]
		shl	ecx, 0Ch
		add	ecx, 0FFFFF000h
		add	eax, ecx
		mov	ecx, ebx
		mov	[ebx+9Ch], eax
		call	CmpInitializeActualFileSizes
		mov	esi, eax
		test	esi, esi
		js	loc_8CCD82
		mov	esi, [ebx+20h]
		mov	eax, [esi+28h]
		mov	[ebp+var_98], eax
		add	eax, 1000h
		cmp	[ebp+var_A0], eax
		jb	loc_8CCC09

loc_7433A5:				; CODE XREF: HvLoadHive+1899C5j
					; HvLoadHive+189A99j
		mov	eax, [esi+28h]
		cmp	eax, 7FFFE000h
		ja	loc_8CCA93
		test	eax, eax
		jz	loc_8CCA93
		mov	ecx, ebx
		call	HvpInitMap
		mov	esi, eax
		test	esi, esi
		js	loc_8CCCF2
		mov	ecx, [ebx+64h]
		test	ecx, 20000h
		jz	loc_8CCD0E
		mov	eax, ecx
		shr	eax, 16h
		and	eax, 2
		test	ecx, 8001h
		jz	short loc_7433EE
		or	eax, 1

loc_7433EE:				; CODE XREF: HvLoadHive+195j
		mov	edx, [ebx+400h]
		lea	ecx, [ebx+0A0h]
		push	eax
		mov	eax, [ebx+20h]
		push	[ebp+var_CC]
		push	dword ptr [eax+28h]
		call	_HvpViewMapStart@20 ; HvpViewMapStart(x,x,x,x,x)
		mov	esi, eax
		xor	edx, edx
		test	esi, esi
		js	loc_8CCCFC
		mov	eax, [ebx+20h]
		mov	ecx, ebx
		push	dword ptr [eax+28h]
		call	_HvpMapHiveImageFromViewMap@12 ; HvpMapHiveImageFromViewMap(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8CCD07

loc_74342F:				; CODE XREF: HvLoadHive+189ACDj
		mov	edx, [ebx+20h]
		mov	ecx, [ebx+400h]
		mov	edx, [edx+28h]
		call	CmpTraceHiveMountBaseFileMounted
		mov	edx, [ebp+var_AC]
		test	edx, edx
		jnz	loc_8CCD2E
		mov	edx, [ebx+20h]
		mov	eax, [edx+4]
		mov	[ebx+6Ch], eax
		mov	[ebx+78h], eax
		mov	[ebx+70h], eax
		mov	byte ptr [ebx+82h], 1

loc_743464:				; CODE XREF: HvLoadHive+189B00j
		mov	edx, [edx+28h]
		mov	ecx, ebx
		push	0
		call	_HvpAdjustHiveFreeDisplay@12 ; HvpAdjustHiveFreeDisplay(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8CCD59
		mov	ecx, ebx
		call	HvpRemapAndEnlistHiveBins
		mov	esi, eax
		mov	ecx, 40000009h
		cmp	esi, ecx
		jz	loc_8CCD60
		test	esi, esi
		js	loc_8CCD67
		mov	al, [ebp+var_8D]

loc_74349E:				; CODE XREF: HvLoadHive+189B0Ej
		cmp	[ebp+var_B0], 4
		jz	loc_8CCD6E
		test	al, al
		jnz	loc_8CCD6E
		xor	esi, esi

loc_7434B5:				; CODE XREF: HvLoadHive+189B1Cj
		mov	eax, [ebx+64h]
		test	eax, 20000h
		jz	loc_8CCD75

loc_7434C3:				; CODE XREF: HvLoadHive+189B29j
		mov	ecx, [ebx+20h]
		mov	eax, [ecx+4]
		mov	[ecx+8], eax
		mov	eax, [ebx+20h]
		and	dword ptr [eax+0FFCh], 0

loc_7434D6:				; CODE XREF: HvLoadHive+189B3Fj
		mov	edi, [ebp+var_8C]
		mov	ecx, [ebp+var_E8]
		test	ecx, ecx
		jnz	short loc_743535

loc_7434E6:				; CODE XREF: HvLoadHive+2E6j
		mov	ecx, [ebp+var_D8]
		test	ecx, ecx
		jnz	short loc_74353C

loc_7434F0:				; CODE XREF: HvLoadHive+2EDj
		mov	eax, [ebp+var_9C]
		test	eax, eax
		jnz	short loc_743543

loc_7434FA:				; CODE XREF: HvLoadHive+2F6j
		test	edi, edi
		jnz	short loc_74354C

loc_7434FE:				; CODE XREF: HvLoadHive+2FFj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_74350F:				; CODE XREF: HvLoadHive+8Dj
		mov	ecx, [ebx+400h]
		test	ecx, ecx
		jz	loc_7432E7
		call	CmpDoFileFlush
		mov	edi, [ebp+var_94]
		test	eax, eax
		jns	loc_7432ED
		jmp	loc_8CCA73
; 

loc_743535:				; CODE XREF: HvLoadHive+290j
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_7434E6
; 

loc_74353C:				; CODE XREF: HvLoadHive+29Aj
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_7434F0
; 

loc_743543:				; CODE XREF: HvLoadHive+2A4j
		push	dword ptr [ebx+48h]
		push	eax
		call	dword ptr [ebx+10h]
		jmp	short loc_7434FA
; 

loc_74354C:				; CODE XREF: HvLoadHive+2A8j
		push	dword ptr [ebx+48h]
		push	edi
		call	dword ptr [ebx+10h]
		jmp	short loc_7434FE
HvLoadHive	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall HvpHeaderCheckSum(x)
_HvpHeaderCheckSum@4 proc near		; CODE XREF: HvpGenerateLogEntryHeader(x,x,x,x,x,x,x,x)+E5p
					; HvWriteHivePrimaryFile+58p ...
		xor	eax, eax
		mov	edx, eax

loc_74355A:				; CODE XREF: HvpHeaderCheckSum(x)+Bj
		xor	eax, [ecx+edx*4]
		inc	edx
		cmp	edx, 7Fh
		jb	short loc_74355A
		cmp	eax, 0FFFFFFFFh
		jz	short loc_74356D

loc_743568:				; CODE XREF: HvpHeaderCheckSum(x)+1Aj
		test	eax, eax
		jz	short loc_743572
		retn
; 

loc_74356D:				; CODE XREF: HvpHeaderCheckSum(x)+10j
		push	0FFFFFFFEh
		pop	eax
		jmp	short loc_743568
; 

loc_743572:				; CODE XREF: HvpHeaderCheckSum(x)+14j
		xor	eax, eax
		inc	eax
		retn
_HvpHeaderCheckSum@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpGetHiveHeader proc near		; CODE XREF: HvLoadHive+A8p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CCD98 SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	eax, edx
		push	32334D43h
		push	1
		mov	[ebp+var_4], eax
		push	dword ptr [ebx+48h]
		and	dword ptr [eax], 0
		call	dword ptr [ebx+0Ch]
		mov	esi, eax
		test	esi, esi
		jz	loc_743654
		push	edi
		mov	edi, 1000h
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebx+4Ch]
		add	esp, 0Ch
		shl	eax, 9
		push	eax
		push	esi
		push	0
		push	0
		push	ebx
		call	dword ptr [ebx+18h]
		test	eax, eax
		js	loc_8CCD98
		cmp	dword ptr [esi], 66676572h
		jnz	loc_8CCDB9
		mov	ecx, esi
		call	_HvpHeaderCheckSum@4 ; HvpHeaderCheckSum(x)
		cmp	[esi+1FCh], eax
		jnz	loc_8CCDB9
		mov	eax, [esi+28h]
		test	eax, eax
		jz	loc_8CCDB9
		cmp	eax, 7FFFE000h
		ja	loc_8CCDB9
		test	eax, 0FFFh
		jnz	loc_8CCDB9
		cmp	dword ptr [esi+1Ch], 0
		jnz	short loc_74365D
		mov	eax, [esi+14h]
		xor	edx, edx
		inc	edx
		cmp	eax, edx
		ja	short loc_74365D
		mov	ecx, [esi+18h]
		push	3
		pop	edi
		cmp	ecx, edi
		jb	short loc_74365D
		cmp	ecx, 6
		ja	short loc_743659

loc_743628:				; CODE XREF: HvpGetHiveHeader+E5j
		cmp	[esi+20h], edx
		jnz	short loc_74365D
		mov	ecx, [ebp+arg_0]
		mov	eax, [esi+0Ch]
		mov	[ecx], eax
		mov	eax, [esi+10h]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_4]
		mov	[eax], esi
		mov	eax, [esi+4]
		cmp	eax, [esi+8]
		jnz	short loc_743664
		mov	[esi+2Ch], edx

loc_74364B:				; CODE XREF: HvpGetHiveHeader+F1j
					; HvpGetHiveHeader+18983Ej
		mov	eax, edi
		pop	edi

loc_74364E:				; CODE XREF: HvpGetHiveHeader+E1j
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_743654:				; CODE XREF: HvpGetHiveHeader+23j
		push	2
		pop	eax
		jmp	short loc_74364E
; 

loc_743659:				; CODE XREF: HvpGetHiveHeader+B0j
		cmp	eax, edx
		jnz	short loc_743628

loc_74365D:				; CODE XREF: HvpGetHiveHeader+97j
					; HvpGetHiveHeader+A1j	...
		xor	edi, edi
		jmp	loc_8CCDAD
; 

loc_743664:				; CODE XREF: HvpGetHiveHeader+D0j
		push	5
		pop	edi
		jmp	short loc_74364B
HvpGetHiveHeader endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFileRead(x, x, x, x, x)
_CmpFileRead@20	proc near		; CODE XREF: CmpSaveKeyByFileCopy(x,x)+5Bp
					; CmpSaveKeyByFileCopy(x,x)+BCp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	eax, [ecx+eax*4+400h]
		test	eax, eax
		jz	short loc_743698
		push	dword ptr [ecx+1Ch]
		push	ecx
		push	[ebp+arg_10]
		mov	ecx, eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	CmpDoFileRead

loc_743694:				; CODE XREF: CmpFileRead(x,x,x,x,x)+30j
		pop	ebp
		retn	14h
; 

loc_743698:				; CODE XREF: CmpFileRead(x,x,x,x,x)+14j
		xor	eax, eax
		jmp	short loc_743694
_CmpFileRead@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmCheckRegistry(x, x, x)
_CmCheckRegistry@12 proc near		; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+5A7p
					; CmpReorganizeHive+1848B3p

var_60		= dword	ptr -60h
var_50		= dword	ptr -50h
var_40		= dword	ptr -40h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_10], edx
		push	38h		; size_t
		lea	eax, [ebp+var_60]
		mov	[ebp+var_20], ebx
		push	ebx		; int
		push	eax		; void *
		mov	edi, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_5], bl
		mov	[ebp+var_1C], ebx
		mov	byte ptr [ebp+var_14], bl
		cmp	edi, ds:_CmpMasterHive
		jnz	short loc_7436E1
		mov	esi, ebx
		jmp	loc_743872
; 

loc_7436E1:				; CODE XREF: CmCheckRegistry(x,x,x)+3Cj
		mov	esi, [edi+0C8h]
		mov	ecx, [ebp+var_10]
		shr	esi, 3
		lea	ebx, [esi+7]
		shr	ebx, 3
		add	ebx, 3
		and	ebx, 0FFFFFFFCh
		test	ecx, 80000h
		jz	short loc_743744
		push	624C4D43h
		push	0
		push	ebx
		call	dword ptr [edi+0Ch]
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	short loc_74372B
		mov	ecx, [ebp+arg_0]
		mov	esi, 0C000009Ah
		push	eax
		push	esi
		push	0Bh
		xor	edx, edx
		call	SetFailureLocation
		jmp	loc_743872
; 

loc_74372B:				; CODE XREF: CmCheckRegistry(x,x,x)+75j
		mov	[ebp+var_28], esi
		lea	esi, [ebp+var_28]
		mov	[ebp+var_24], eax
		mov	eax, esi
		push	eax
		mov	[ebp+var_C], esi
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		mov	ecx, [ebp+var_10]
		jmp	short loc_743747
; 

loc_743744:				; CODE XREF: CmCheckRegistry(x,x,x)+63j
		mov	esi, [ebp+var_C]

loc_743747:				; CODE XREF: CmCheckRegistry(x,x,x)+A6j
		mov	eax, ecx
		and	eax, 10000h
		mov	[ebp+var_18], eax

loc_743751:				; CODE XREF: CmCheckRegistry(x,x,x)+18Cj
		test	eax, eax
		jz	short loc_7437A9
		test	esi, esi
		jz	short loc_74375F
		push	esi
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)

loc_74375F:				; CODE XREF: CmCheckRegistry(x,x,x)+BBj
		push	[ebp+arg_0]
		lea	eax, [ebp+var_60]
		push	eax
		push	esi
		push	ecx
		mov	ecx, edi
		call	HvCheckHive
		mov	esi, eax
		test	esi, esi
		js	loc_74382D
		mov	eax, [ebp+var_40]
		add	eax, [ebp+var_50]
		add	eax, [ebp+var_60]
		cmp	eax, _CmpReorganizeLimit
		jbe	short loc_743794
		or	dword ptr [edi+980h], 400h

loc_743794:				; CODE XREF: CmCheckRegistry(x,x,x)+ECj
		mov	eax, [ebp+var_30]
		mov	ecx, [ebp+var_10]
		mov	[edi+0BE0h], eax
		mov	eax, [ebp+var_2C]
		mov	[edi+0BE4h], eax

loc_7437A9:				; CODE XREF: CmCheckRegistry(x,x,x)+B7j
		mov	eax, [edi+20h]
		cmp	dword ptr [eax+24h], 0
		jl	loc_743852
		push	[ebp+arg_0]
		lea	eax, [ebp+var_14]
		mov	edx, ecx
		push	[ebp+var_C]
		mov	ecx, edi
		push	eax
		call	_CmpValidateHiveSecurityDescriptors@20 ; CmpValidateHiveSecurityDescriptors(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7437DB
		cmp	esi, 8000002Ah
		jnz	short loc_743813
		mov	[ebp+var_5], 1

loc_7437DB:				; CODE XREF: CmCheckRegistry(x,x,x)+131j
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+arg_0]
		mov	eax, [edi+20h]
		push	[ebp+var_C]
		push	[ebp+var_14]
		push	ecx
		push	dword ptr [eax+24h]
		mov	ecx, edi
		call	_CmpCheckRegistry2@32 ;	CmpCheckRegistry2(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_743839
		cmp	esi, 8000002Ah
		jz	short loc_743835
		cmp	esi, 0C000022Dh
		jz	short loc_74381B
		push	40h
		jmp	short loc_743859
; 

loc_743813:				; CODE XREF: CmCheckRegistry(x,x,x)+139j
		cmp	esi, 0C000022Dh
		jnz	short loc_743831

loc_74381B:				; CODE XREF: CmCheckRegistry(x,x,x)+171j
		mov	esi, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_18]
		mov	[ebp+var_5], 1
		jmp	loc_743751
; 

loc_74382D:				; CODE XREF: CmCheckRegistry(x,x,x)+D7j
		push	10h
		jmp	short loc_743859
; 

loc_743831:				; CODE XREF: CmCheckRegistry(x,x,x)+17Dj
		push	30h
		jmp	short loc_743859
; 

loc_743835:				; CODE XREF: CmCheckRegistry(x,x,x)+169j
		mov	[ebp+var_5], 1

loc_743839:				; CODE XREF: CmCheckRegistry(x,x,x)+161j
		movzx	esi, [ebp+var_5]
		mov	eax, [ebp+var_1C]
		neg	esi
		mov	[edi+0BECh], eax
		sbb	esi, esi
		and	esi, 8000002Ah
		jmp	short loc_743866
; 

loc_743852:				; CODE XREF: CmCheckRegistry(x,x,x)+114j
		mov	esi, 0C000014Ch
		push	20h

loc_743859:				; CODE XREF: CmCheckRegistry(x,x,x)+175j
					; CmCheckRegistry(x,x,x)+193j ...
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	esi
		push	0Bh
		call	SetFailureLocation

loc_743866:				; CODE XREF: CmCheckRegistry(x,x,x)+1B4j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_743872
		push	ebx
		push	eax
		call	dword ptr [edi+10h]

loc_743872:				; CODE XREF: CmCheckRegistry(x,x,x)+40j
					; CmCheckRegistry(x,x,x)+8Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmCheckRegistry@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmpAdjustSecurityCacheSize(x)
_CmpAdjustSecurityCacheSize@4 proc near	; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+1EAp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+4C0h]
		cmp	eax, [esi+4C4h]
		jnb	short loc_7438E2
		push	63534D43h
		push	0
		shl	eax, 3
		push	eax
		call	dword ptr [esi+0Ch]
		mov	edi, eax
		test	edi, edi
		jz	short loc_7438E7
		mov	eax, [esi+4C0h]
		shl	eax, 3
		push	eax		; size_t
		push	dword ptr [esi+4CCh] ; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [esi+4C4h]
		add	esp, 0Ch
		shl	eax, 3
		push	eax
		push	dword ptr [esi+4CCh]
		call	dword ptr [esi+10h]
		mov	eax, [esi+4C0h]
		mov	[esi+4CCh], edi
		mov	[esi+4C4h], eax

loc_7438E2:				; CODE XREF: CmpAdjustSecurityCacheSize(x)+12j
		mov	al, 1

loc_7438E4:				; CODE XREF: CmpAdjustSecurityCacheSize(x)+6Dj
		pop	edi
		pop	esi
		retn
; 

loc_7438E7:				; CODE XREF: CmpAdjustSecurityCacheSize(x)+26j
		xor	al, al
		jmp	short loc_7438E4
_CmpAdjustSecurityCacheSize@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpFreeMap(x, x, x,	x)
_HvpFreeMap@16	proc near		; CODE XREF: HvFreeHivePartial+130p
					; HvHiveCleanup+ABp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		test	ebx, ebx
		jz	short loc_74392C
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	edi, 400h
		jnb	short loc_743931

loc_743908:				; CODE XREF: HvpFreeMap(x,x,x,x)+4Aj
		push	esi
		mov	esi, [ebp+arg_0]
		jmp	short loc_743926
; 

loc_74390E:				; CODE XREF: HvpFreeMap(x,x,x,x)+3Cj
		mov	eax, [ebx+esi*4]
		test	eax, eax
		jz	short loc_743925
		push	1800h
		push	eax
		call	dword ptr [ecx+10h]
		and	dword ptr [ebx+esi*4], 0
		mov	ecx, [ebp+var_4]

loc_743925:				; CODE XREF: HvpFreeMap(x,x,x,x)+27j
		inc	esi

loc_743926:				; CODE XREF: HvpFreeMap(x,x,x,x)+20j
		cmp	esi, edi
		jbe	short loc_74390E
		pop	esi
		pop	edi

loc_74392C:				; CODE XREF: HvpFreeMap(x,x,x,x)+Ej
		pop	ebx
		leave
		retn	8
; 

loc_743931:				; CODE XREF: HvpFreeMap(x,x,x,x)+1Aj
		mov	edi, 3FFh
		jmp	short loc_743908
_HvpFreeMap@16	endp


;  S U B	R O U T	I N E 


HvCheckAndUpdateHiveBackupTimeStamp proc near
					; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+7D4p
					; CmpCreateHiveRootCell+141p ...

; FUNCTION CHUNK AT 008CCDEF SIZE 00000029 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	edx, edx
		mov	esi, ecx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		test	eax, eax
		jz	loc_8CCDEF
		mov	edi, [eax+4]
		xor	ebx, ebx
		mov	ecx, [esi+20h]
		and	edi, 0FFFFFFF0h
		mov	eax, [edi+14h]
		cmp	eax, [ecx+0Ch]
		jnz	short loc_74396F
		mov	eax, [edi+18h]
		cmp	eax, [ecx+10h]
		jnz	short loc_74396F

loc_743969:				; CODE XREF: HvCheckAndUpdateHiveBackupTimeStamp+56j
					; HvCheckAndUpdateHiveBackupTimeStamp+5Dj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
; 

loc_74396F:				; CODE XREF: HvCheckAndUpdateHiveBackupTimeStamp+27j
					; HvCheckAndUpdateHiveBackupTimeStamp+2Fj
		push	ebx
		push	20h
		xor	edx, edx
		mov	ecx, esi
		call	HvpMarkDirty
		test	al, al
		jz	short loc_743990
		mov	edx, [esi+20h]
		mov	ecx, [edx+0Ch]
		mov	[edi+14h], ecx
		mov	ecx, [edx+10h]
		mov	[edi+18h], ecx
		jmp	short loc_743969
; 

loc_743990:				; CODE XREF: HvCheckAndUpdateHiveBackupTimeStamp+45j
		mov	ebx, 0C000017Dh
		jmp	short loc_743969
HvCheckAndUpdateHiveBackupTimeStamp endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpTruncateBins	proc near		; CODE XREF: HvStoreModifiedData+5Ap

var_24		= dword	ptr -24h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CCE18 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	esi, esi

loc_7439A7:				; CODE XREF: HvpTruncateBins+69j
		imul	eax, esi, 19Ch
		mov	edi, [eax+ebx+0C8h]
		test	edi, edi
		jz	short loc_7439E7
		mov	eax, esi
		shl	eax, 1Fh
		mov	[ebp+var_4], eax

loc_7439C0:				; CODE XREF: HvpTruncateBins+8Aj
		add	eax, 0FFFFF000h
		mov	ecx, ebx
		add	eax, edi
		mov	edx, eax
		mov	[ebp+var_8], eax
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		test	eax, eax
		jz	loc_8CCE18
		test	byte ptr [eax+4], 2
		jnz	short loc_743A16
		xor	eax, eax

loc_7439E3:				; CODE XREF: HvpTruncateBins+80j
		test	eax, eax
		jnz	short loc_743A1A

loc_7439E7:				; CODE XREF: HvpTruncateBins+1Ej
					; HvpTruncateBins+8Cj
		test	esi, esi
		jnz	short loc_743A0A
		lea	eax, [edi+10000h]
		cmp	eax, [ebx+488h]
		jbe	loc_8CCE01

loc_7439FD:				; CODE XREF: HvpTruncateBins+7Cj
					; HvCheckAndUpdateHiveBackupTimeStamp+1894D5j
		inc	esi
		cmp	esi, 2
		jl	short loc_7439A7
		pop	edi
		pop	esi
		xor	al, al
		pop	ebx
		leave
		retn
; 

loc_743A0A:				; CODE XREF: HvpTruncateBins+51j
					; HvCheckAndUpdateHiveBackupTimeStamp+1894DBj
		push	esi
		mov	edx, edi
		mov	ecx, ebx
		call	HvFreeHivePartial
		jmp	short loc_7439FD
; 

loc_743A16:				; CODE XREF: HvpTruncateBins+47j
		mov	eax, [eax]
		jmp	short loc_7439E3
; 

loc_743A1A:				; CODE XREF: HvpTruncateBins+4Dj
		mov	edi, [eax+0Ch]
		mov	eax, [ebp+var_4]
		test	edi, edi
		jnz	short loc_7439C0
		jmp	short loc_7439E7
HvpTruncateBins	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFreeSecurityDescriptor(x, x)
_CmpFreeSecurityDescriptor@8 proc near	; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+4C4p
					; CmpFreeKeyByCell+101p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		or	[ebp+var_14], 0FFFFFFFFh
		lea	eax, [ebp+var_14]
		and	[ebp+var_10], 0
		or	[ebp+var_C], 0FFFFFFFFh
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		push	eax
		mov	esi, ecx
		xor	edi, edi
		push	edx
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_743A93
		mov	ebx, [eax+2Ch]
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_743A7F
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	short loc_743A7F
		mov	eax, [edi+0Ch]
		cmp	eax, 1
		jz	short loc_743A98
		dec	eax
		mov	[edi+0Ch], eax

loc_743A78:				; CODE XREF: CmpFreeSecurityDescriptor(x,x)+8Ej
		mov	eax, [ebp+var_4]
		or	dword ptr [eax+2Ch], 0FFFFFFFFh

loc_743A7F:				; CODE XREF: CmpFreeSecurityDescriptor(x,x)+35j
					; CmpFreeSecurityDescriptor(x,x)+44j
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		test	edi, edi
		jz	short loc_743A93
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_743A93:				; CODE XREF: CmpFreeSecurityDescriptor(x,x)+2Dj
					; CmpFreeSecurityDescriptor(x,x)+63j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_743A98:				; CODE XREF: CmpFreeSecurityDescriptor(x,x)+4Cj
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, ebx
		mov	ecx, esi
		xor	edi, edi
		call	_CmpRemoveSecurityCellList@8 ; CmpRemoveSecurityCellList(x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	HvFreeCell
		jmp	short loc_743A78
_CmpFreeSecurityDescriptor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpMarkIndexDirty proc near		; CODE XREF: CmpMarkKeyDirty+17Dp
					; CmpInitializeKeyNameString(x,x,x)+A5p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CCE35 SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		or	[ebp+var_24], 0FFFFFFFFh
		lea	eax, [ebp+var_24]
		or	[ebp+var_2C], 0FFFFFFFFh
		or	[ebp+var_8], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		push	eax
		push	[ebp+arg_0]
		mov	esi, ecx
		mov	[ebp+var_10], edx
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	loc_8CCE6E
		test	byte ptr [edi+2], 20h
		movzx	eax, word ptr [edi+48h]
		jz	loc_8CCE35
		add	eax, eax
		xor	ecx, ecx
		mov	word ptr [ebp+var_1C], ax
		inc	ecx
		mov	word ptr [ebp+var_1C+2], ax
		movzx	eax, ax
		push	20204D43h
		push	eax
		push	ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+arg_0], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_18], ebx
		test	ebx, ebx
		jz	loc_8CCE2B
		movzx	eax, word ptr [edi+48h]
		mov	ecx, ebx
		mov	edx, [ebp+arg_0]
		push	eax
		lea	eax, [edi+4Ch]
		push	eax
		call	_CmpCopyCompressedName@16 ; CmpCopyCompressedName(x,x,x,x)

loc_743B45:				; CODE XREF: CmpMarkIndexDirty+189390j
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_10]
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_8CCE60
		xor	ecx, ecx
		mov	[ebp+arg_0], ecx
		cmp	[esi+98h], ecx
		jbe	loc_743C0B
		add	eax, 1Ch
		mov	[ebp+var_C], eax

loc_743B77:				; CODE XREF: CmpMarkIndexDirty+14Fj
		cmp	dword ptr [eax-8], 0
		jz	short loc_743BF5
		mov	eax, [eax]
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	eax
		push	esi
		mov	[ebp+var_10], eax
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	short loc_743C0B
		mov	eax, 6972h
		cmp	[edi], ax
		jz	short loc_743C18

loc_743B9B:				; CODE XREF: CmpMarkIndexDirty+1AFj
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		push	0
		lea	eax, [ebp+var_1C]
		mov	ecx, esi
		push	eax
		call	_CmpFindSubKeyInLeaf@20	; CmpFindSubKeyInLeaf(x,x,x,x,x)
		test	eax, eax
		js	loc_8CCE4B
		lea	eax, [ebp+var_2C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	[ebp+var_8], 0FFFFFFFFh
		jz	short loc_743BEF
		cmp	byte ptr [ebp+var_14], 0
		jz	short loc_743BD2
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_743BD2:				; CODE XREF: CmpMarkIndexDirty+112j
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		push	0
		push	0
		call	HvpMarkCellDirty

loc_743BE8:				; CODE XREF: CmpMarkIndexDirty+1893BAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_743BEF:				; CODE XREF: CmpMarkIndexDirty+10Cj
					; CmpMarkIndexDirty+18Bj
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_C]

loc_743BF5:				; CODE XREF: CmpMarkIndexDirty+C5j
		inc	ecx
		add	eax, 4
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_C], eax
		cmp	ecx, [esi+98h]
		jb	loc_743B77

loc_743C0B:				; CODE XREF: CmpMarkIndexDirty+B5j
					; CmpMarkIndexDirty+D9j ...
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_8CCE60
; 

loc_743C18:				; CODE XREF: CmpMarkIndexDirty+E3j
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		push	0
		lea	eax, [ebp+var_1C]
		mov	ecx, esi
		push	eax
		call	_CmpFindSubKeyInRoot@20	; CmpFindSubKeyInRoot(x,x,x,x,x)
		test	eax, eax
		js	loc_8CCE4B
		lea	eax, [ebp+var_2C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edi, [ebp+var_8]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_743BEF
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		push	0
		push	0
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_743C0B
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_10], edi
		push	eax
		push	edi
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jnz	loc_743B9B
		jmp	short loc_743C0B
CmpMarkIndexDirty endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpAllocateBin(x, x, x, x, x)
_HvpAllocateBin@20 proc	near		; CODE XREF: HvpAddBin+123p
					; HvpDropPagedBins+6Fp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	[ebp+arg_4]
		setz	al
		movzx	eax, al
		push	eax
		push	edx
		call	dword ptr [ecx+0Ch]
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_743C96
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		xor	eax, eax

loc_743C92:				; CODE XREF: HvpAllocateBin(x,x,x,x,x)+2Dj
		pop	ebp
		retn	0Ch
; 

loc_743C96:				; CODE XREF: HvpAllocateBin(x,x,x,x,x)+1Bj
		mov	eax, 0C000009Ah
		jmp	short loc_743C92
_HvpAllocateBin@20 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpDestroySecurityCache(x)
_CmpDestroySecurityCache@4 proc	near	; CODE XREF: CmpCompleteUnloadKey(x,x,x)+EFp
					; CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+350p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	eax, [esi+4C0h]
		test	eax, eax
		jz	short loc_743CFF
		push	ebx

loc_743CB1:				; CODE XREF: CmpDestroySecurityCache(x)+47j
		mov	eax, [esi+4CCh]
		mov	edx, [eax+edi*8+4]
		lea	eax, [edx+8]
		mov	ebx, [eax]
		cmp	[ebx+4], eax
		jnz	short loc_743D17
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_743D17
		mov	[ecx], ebx
		mov	[ebx+4], ecx
		mov	eax, [edx+10h]
		add	eax, 18h
		push	eax
		push	edx
		call	dword ptr [esi+10h]
		mov	eax, [esi+4C0h]
		inc	edi
		cmp	edi, eax
		jb	short loc_743CB1
		pop	ebx
		test	eax, eax
		jz	short loc_743CFF
		mov	eax, [esi+4C4h]
		shl	eax, 3
		push	eax
		push	dword ptr [esi+4CCh]
		call	dword ptr [esi+10h]

loc_743CFF:				; CODE XREF: CmpDestroySecurityCache(x)+10j
					; CmpDestroySecurityCache(x)+4Cj
		and	dword ptr [esi+4CCh], 0
		and	dword ptr [esi+4C0h], 0
		and	dword ptr [esi+4C4h], 0
		pop	edi
		pop	esi
		retn
; 

loc_743D17:				; CODE XREF: CmpDestroySecurityCache(x)+25j
					; CmpDestroySecurityCache(x)+2Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmpDestroySecurityCache@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFreeKeyBody	proc near		; CODE XREF: CmpFreeKeyByCell+115p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CCE75 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		or	[ebp+var_8], 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		mov	ebx, edx
		lea	eax, [ebp+var_8]
		mov	esi, ecx
		push	eax
		push	ebx
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	short loc_743D74
		test	byte ptr [edi+2], 2
		jnz	short loc_743D5C
		mov	edx, [edi+2Ch]
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_743D78

loc_743D50:				; CODE XREF: CmpFreeKeyBody+63j
		xor	eax, eax
		cmp	[edi+4Ah], ax
		ja	loc_8CCE75

loc_743D5C:				; CODE XREF: CmpFreeKeyBody+2Aj
					; CmpFreeKeyBody+189163j
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, ebx
		mov	ecx, esi
		call	HvFreeCell
		mov	al, 1

loc_743D6F:				; CODE XREF: CmpFreeKeyBody+5Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_743D74:				; CODE XREF: CmpFreeKeyBody+24j
		xor	al, al
		jmp	short loc_743D6F
; 

loc_743D78:				; CODE XREF: CmpFreeKeyBody+32j
		mov	ecx, esi
		call	HvFreeCell
		jmp	short loc_743D50
CmpFreeKeyBody	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRemoveSubKey(x, x, x)
_CmpRemoveSubKey@12 proc near		; CODE XREF: CmpFreeKeyByCell+71p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		or	[ebp+var_10], 0FFFFFFFFh
		lea	eax, [ebp+var_10]
		push	ebx
		push	esi
		push	edi
		push	eax
		mov	esi, ecx
		xor	ebx, ebx
		push	edx
		push	esi
		mov	[ebp+var_C], ebx
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	short loc_743DD7
		mov	eax, [ebp+arg_0]
		mov	ecx, esi
		push	[ebp+arg_0]
		shr	eax, 1Fh
		mov	[ebp+var_8], eax
		lea	edx, [eax+7]
		lea	edx, [edi+edx*4]
		call	_CmpRemoveSubKeyFromList@12 ; CmpRemoveSubKeyFromList(x,x,x)
		mov	bl, al
		test	bl, bl
		jz	short loc_743DCF
		mov	eax, [ebp+var_8]
		mov	bl, 1
		dec	dword ptr [edi+eax*4+14h]

loc_743DCF:				; CODE XREF: CmpRemoveSubKey(x,x,x)+42j
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_743DD7:				; CODE XREF: CmpRemoveSubKey(x,x,x)+23j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
_CmpRemoveSubKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRemoveSubKeyFromList(x, x, x)
_CmpRemoveSubKeyFromList@12 proc near	; CODE XREF: CmpRemoveSubKey(x,x,x)+39p
					; CmRenameKey(x,x,x,x)+AECp ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_20], edx
		push	esi
		push	edi
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_3C], ebx
		push	ebx
		lea	eax, [ebp+var_30]
		mov	[ebp+var_40], edi
		push	eax
		mov	esi, ecx
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_8], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+arg_0]
		push	esi
		call	dword ptr [esi+4]
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_74401E
		mov	ax, [ecx+2]
		and	ax, 20h
		movzx	eax, ax
		mov	[ebp+var_14], eax
		mov	ax, [ecx+48h]
		mov	word ptr [ebp+var_30], ax
		mov	ax, [ecx+48h]
		mov	word ptr [ebp+var_30+2], ax
		lea	eax, [ecx+4Ch]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx]
		lea	ecx, [ebp+var_28]
		push	ecx
		push	eax
		push	esi
		mov	[ebp+var_10], eax
		mov	[ebp+var_18], eax
		call	dword ptr [esi+4]
		mov	ecx, eax
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		jz	loc_74401E
		mov	eax, 80000000h
		mov	[ebp+var_1C], eax
		mov	eax, 6972h
		cmp	[ecx], ax
		jnz	short loc_743F01
		mov	eax, [ebp+var_14]
		mov	edx, ebx
		test	ax, ax
		jnz	short loc_743E9E
		lea	edx, [ebp+var_30]

loc_743E9E:				; CODE XREF: CmpRemoveSubKeyFromList(x,x,x)+B9j
		movzx	eax, ax
		lea	ecx, [ebp+var_C]
		push	ecx
		neg	eax
		lea	ecx, [ebp+var_30]
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, esi
		push	eax
		push	edx
		mov	edx, [ebp+arg_0]
		call	_CmpFindSubKeyInRoot@20	; CmpFindSubKeyInRoot(x,x,x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	loc_744002
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_28]
		mov	[ebp+var_38], eax
		mov	ax, word ptr [ebp+var_24]
		mov	word ptr [ebp+var_34], ax
		xor	eax, eax
		mov	[ebp+var_24], ebx
		push	ecx
		mov	word ptr [ebp+var_24], ax
		mov	eax, [ebp+var_C]
		push	eax
		push	esi
		mov	[ebp+var_28], edi
		mov	[ebp+var_18], eax
		call	dword ptr [esi+4]
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		test	ecx, ecx
		jz	loc_744010

loc_743F01:				; CODE XREF: CmpRemoveSubKeyFromList(x,x,x)+AFj
		mov	eax, [ebp+var_14]
		mov	edx, ebx
		test	ax, ax
		jnz	short loc_743F0E
		lea	edx, [ebp+var_30]

loc_743F0E:				; CODE XREF: CmpRemoveSubKeyFromList(x,x,x)+129j
		movzx	eax, ax
		lea	ecx, [ebp+var_C]
		push	ecx
		neg	eax
		lea	ecx, [ebp+var_30]
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, esi
		push	eax
		push	edx
		mov	edx, [ebp+arg_0]
		call	_CmpFindSubKeyInLeaf@20	; CmpFindSubKeyInLeaf(x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_744002
		mov	ecx, [ebp+arg_0]
		mov	eax, 0FFFFh
		add	[ecx+2], ax
		mov	ax, [ecx+2]
		jnz	short loc_743FB4
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebp+var_18]
		mov	ecx, esi
		mov	[ebp+arg_0], ebx
		call	HvFreeCell
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	loc_743FFB
		mov	eax, 0FFFFh
		add	[ecx+2], ax
		mov	ax, [ecx+2]
		jnz	short loc_743F8C
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		mov	[ebp+var_8], ebx
		call	HvFreeCell
		jmp	short loc_743FFB
; 

loc_743F8C:				; CODE XREF: CmpRemoveSubKeyFromList(x,x,x)+193j
		mov	edx, [ebp+var_1C]
		mov	ebx, [ebp+var_10]
		mov	edi, ebx
		movzx	eax, ax
		cmp	edx, eax
		jnb	short loc_743FFB
		sub	eax, edx
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [edx+2]
		inc	edx
		lea	eax, [ecx+eax*4]
		push	eax		; void *
		lea	eax, [ecx+edx*4]
		push	eax		; void *
		call	_memmove
		jmp	short loc_743FF8
; 

loc_743FB4:				; CODE XREF: CmpRemoveSubKeyFromList(x,x,x)+164j
		mov	ebx, [ebp+var_10]
		mov	edi, ebx
		movzx	eax, ax
		cmp	edx, eax
		jnb	short loc_743FFB
		mov	edi, 696Ch
		sub	eax, edx
		cmp	[ecx], di
		jnz	short loc_743FDF
		shl	eax, 2
		push	eax
		lea	eax, [ecx+8]
		add	ecx, 4
		lea	eax, [eax+edx*4]
		push	eax
		lea	eax, [ecx+edx*4]
		jmp	short loc_743FF0
; 

loc_743FDF:				; CODE XREF: CmpRemoveSubKeyFromList(x,x,x)+1EAj
		shl	eax, 3
		push	eax		; size_t
		lea	eax, [ecx+0Ch]
		lea	eax, [eax+edx*8]
		push	eax		; void *
		lea	eax, [ecx+4]
		lea	eax, [eax+edx*8]

loc_743FF0:				; CODE XREF: CmpRemoveSubKeyFromList(x,x,x)+1FDj
		push	eax		; void *
		call	_memmove
		mov	edi, ebx

loc_743FF8:				; CODE XREF: CmpRemoveSubKeyFromList(x,x,x)+1D2j
		add	esp, 0Ch

loc_743FFB:				; CODE XREF: CmpRemoveSubKeyFromList(x,x,x)+180j
					; CmpRemoveSubKeyFromList(x,x,x)+1AAj ...
		mov	eax, [ebp+var_20]
		mov	bl, 1
		mov	[eax], edi

loc_744002:				; CODE XREF: CmpRemoveSubKeyFromList(x,x,x)+DFj
					; CmpRemoveSubKeyFromList(x,x,x)+14Ej
		cmp	[ebp+arg_0], 0
		jz	short loc_744010
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_744010:				; CODE XREF: CmpRemoveSubKeyFromList(x,x,x)+11Bj
					; CmpRemoveSubKeyFromList(x,x,x)+226j
		cmp	[ebp+var_8], 0
		jz	short loc_74401E
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_74401E:				; CODE XREF: CmpRemoveSubKeyFromList(x,x,x)+4Cj
					; CmpRemoveSubKeyFromList(x,x,x)+99j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
_CmpRemoveSubKeyFromList@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpValidateHiveSecurityDescriptors(x, x, x,	x, x)
_CmpValidateHiveSecurityDescriptors@20 proc near ; CODE	XREF: CmCheckRegistry(x,x,x)+128p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_20], edx
		push	esi
		xor	esi, esi
		xor	eax, eax
		mov	[ebp+var_34], esi
		mov	edx, [ebx+20h]
		or	[ebp+var_34], 0FFFFFFFFh
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		or	[ebp+var_2C], 0FFFFFFFFh
		mov	[ebp+var_28], esi
		push	edi
		mov	word ptr [ebp+var_30], ax
		mov	word ptr [ebp+var_28], ax
		mov	eax, [ebx+4C0h]
		mov	edx, [edx+24h]
		push	esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_1C], eax
		call	_HvIsCellAllocated@12 ;	HvIsCellAllocated(x,x,x)
		test	al, al
		jnz	short loc_74409F
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_744087
		mov	eax, [ebx+20h]
		mov	eax, [eax+24h]
		mov	[ecx+0D8h], eax

loc_744087:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+51j
		push	0

loc_744089:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+A4j
		mov	esi, 0C000014Ch
		xor	edx, edx
		push	esi
		push	9
		mov	edi, esi
		call	SetFailureLocation
		jmp	loc_7443DA
; 

loc_74409F:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+4Aj
		mov	eax, [ebx+20h]
		lea	ecx, [ebp+var_34]
		push	ecx
		mov	eax, [eax+24h]
		push	eax
		push	ebx
		call	dword ptr [ebx+4]
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jnz	short loc_7440CE
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_7440CA
		mov	eax, [ebx+20h]
		mov	eax, [eax+24h]
		mov	[ecx+0D8h], eax

loc_7440CA:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+94j
		push	10h
		jmp	short loc_744089
; 

loc_7440CE:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+8Dj
		push	0FFFFFFFCh
		pop	eax
		sub	eax, [ecx-4]
		cmp	eax, 4Ch
		jge	short loc_744104
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_7440EC
		mov	eax, [ebx+20h]
		mov	eax, [eax+24h]
		mov	[ecx+0D8h], eax

loc_7440EC:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+B6j
		mov	esi, 0C000014Ch
		push	18h
		mov	edi, esi
		push	esi

loc_7440F6:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+2FEj
		xor	edx, edx
		push	9
		call	SetFailureLocation
		jmp	loc_7443C4
; 

loc_744104:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+AFj
		mov	edi, [ecx+2Ch]
		mov	[ebp+var_14], esi
		mov	[ebp+var_18], edi
		mov	[ebp+var_C], edi

loc_744110:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+1B2j
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, ebx
		call	_HvIsCellAllocated@12 ;	HvIsCellAllocated(x,x,x)
		mov	esi, 0C000014Ch
		test	al, al
		jz	loc_7442FA
		lea	eax, [ebp+var_2C]
		push	eax
		push	edi
		push	ebx
		call	dword ptr [ebx+4]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_7442F3
		push	0FFFFFFFCh
		pop	ecx
		sub	ecx, [eax-4]
		cmp	ecx, 14h
		jb	loc_7442E4
		mov	edx, [eax+10h]
		mov	[ebp+var_10], edx
		add	edx, 14h
		cmp	edx, [ebp+var_10]
		jb	loc_7442E4
		cmp	edx, ecx
		ja	loc_7442E4
		cmp	edi, [ebp+var_C]
		jz	short loc_744177
		mov	ecx, [ebp+var_14]
		cmp	[eax+8], ecx
		jnz	loc_744200

loc_744177:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+141j
		push	0
		push	[ebp+var_10]
		add	eax, 14h
		push	eax
		call	_RtlValidRelativeSecurityDescriptor@12 ; RtlValidRelativeSecurityDescriptor(x,x,x)
		test	al, al
		jz	loc_74428C
		cmp	[ebp+var_1C], 0
		mov	edx, edi
		jnz	short loc_7441AF
		push	ecx
		push	1
		mov	ecx, ebx
		call	CmpAddSecurityCellToCache
		mov	edi, eax
		test	edi, edi
		jns	short loc_7441C0
		push	0B0h
		jmp	loc_7443A2
; 

loc_7441AF:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+16Bj
		mov	ecx, ebx
		call	_CmpResetCachedSecurity@8 ; CmpResetCachedSecurity(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_744282

loc_7441C0:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+17Bj
		mov	eax, [ebp+var_8]
		mov	esi, [ebp+var_18]
		mov	[ebp+var_14], esi
		mov	edi, [eax+4]
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		mov	[ebp+var_18], edi
		call	dword ptr [ebx+8]
		cmp	edi, [ebp+var_C]
		jnz	loc_744110
		lea	eax, [ebp+var_2C]
		push	eax
		push	edi
		push	ebx
		call	dword ptr [ebx+4]
		mov	[ebp+var_8], eax
		cmp	[eax+8], esi
		jz	short loc_74420A
		mov	esi, 0C000014Ch
		push	0C8h
		jmp	loc_744320
; 

loc_744200:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+149j
		push	0A0h
		jmp	loc_744320
; 

loc_74420A:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+1C7j
		cmp	[ebp+var_1C], 0
		jnz	short loc_744217
		mov	ecx, ebx
		call	_CmpAdjustSecurityCacheSize@4 ;	CmpAdjustSecurityCacheSize(x)

loc_744217:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+1E6j
		test	[ebp+var_20], 2000000h
		jz	short loc_744253
		cmp	dword ptr [ebx+4C0h], 1
		jbe	short loc_744253
		xor	esi, esi

loc_74422B:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+229j
		mov	edx, [ebx+4CCh]
		mov	ecx, ebx
		push	0
		push	20019h
		push	1
		mov	edx, [edx+esi*8]
		call	_CmpCheckSecurityCellAccess@20 ; CmpCheckSecurityCellAccess(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_74425A
		inc	esi
		cmp	esi, [ebx+4C0h]
		jb	short loc_74422B

loc_744253:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+1F6j
					; CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+1FFj
		xor	edi, edi
		jmp	loc_7443C4
; 

loc_74425A:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+220j
		mov	ecx, [ebp+arg_8]
		xor	edx, edx
		push	0D0h
		push	edi
		push	9
		call	SetFailureLocation
		cmp	edi, 0C000009Ah
		jz	loc_7443C4
		mov	edi, 0C000014Ch
		jmp	loc_7443C4
; 

loc_744282:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+192j
		push	0B8h
		jmp	loc_7443A2
; 

loc_74428C:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+15Fj
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		push	0A8h

loc_744299:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+2C9j
		mov	ecx, [ebp+arg_8]
		xor	edx, edx
		push	esi
		push	9
		inc	edx
		call	SetFailureLocation

loc_7442A7:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+2D5j
		test	[ebp+var_20], 20000h
		jnz	loc_7443AF
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_7442CA
		test	byte ptr _CmpBootType, 6
		jz	loc_7443AF

loc_7442CA:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+293j
		mov	edi, [ebp+var_24]
		mov	ecx, ebx
		push	0
		mov	edx, [edi+2Ch]
		call	_HvIsCellAllocated@12 ;	HvIsCellAllocated(x,x,x)
		test	al, al
		jnz	short loc_744309
		push	20h
		jmp	loc_7443B1
; 

loc_7442E4:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+11Ej
					; CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+130j ...
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		push	98h
		jmp	short loc_744299
; 

loc_7442F3:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+10Fj
		push	90h
		jmp	short loc_744320
; 

loc_7442FA:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+FBj
		cmp	[ebp+var_C], edi
		jnz	short loc_7442A7
		push	80h
		jmp	loc_7443B1
; 

loc_744309:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+2B3j
		mov	eax, [edi+2Ch]
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	eax
		push	ebx
		call	dword ptr [ebx+4]
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	edi, edi
		jnz	short loc_74432B
		push	30h

loc_744320:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+1D3j
					; CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+1DDj ...
		mov	edi, esi
		push	esi

loc_744323:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+37Bj
		mov	ecx, [ebp+arg_8]
		jmp	loc_7440F6
; 

loc_74432B:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+2F4j
		push	0FFFFFFFCh
		pop	edx
		sub	edx, [edi-4]
		cmp	edx, 14h
		jb	short loc_7443A8
		mov	eax, [edi+10h]
		lea	ecx, [eax+14h]
		cmp	ecx, eax
		jb	short loc_7443A8
		cmp	ecx, edx
		ja	short loc_7443A8
		push	0
		push	eax
		lea	eax, [edi+14h]
		push	eax
		call	_RtlValidRelativeSecurityDescriptor@12 ; RtlValidRelativeSecurityDescriptor(x,x,x)
		test	al, al
		jnz	short loc_744358
		push	40h
		jmp	short loc_744320
; 

loc_744358:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+32Aj
		mov	esi, [ebp+var_24]
		mov	ecx, ebx
		push	0
		push	0
		mov	edx, [esi+2Ch]
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_74439B
		mov	eax, [esi+2Ch]
		mov	ecx, ebx
		mov	[edi+8], eax
		mov	[edi+4], eax
		call	_CmpDestroySecurityCache@4 ; CmpDestroySecurityCache(x)
		mov	ecx, ebx
		call	_CmpInitSecurityCache@4	; CmpInitSecurityCache(x)
		mov	eax, [ebx+20h]
		mov	edi, 0C000022Dh
		or	dword ptr [eax+0FF8h], 4
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	1
		jmp	short loc_7443C4
; 

loc_74439B:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+343j
		mov	edi, 0C000017Dh
		push	60h

loc_7443A2:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+182j
					; CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+25Fj
		push	edi
		jmp	loc_744323
; 

loc_7443A8:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+30Cj
					; CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+316j ...
		push	50h
		jmp	loc_744320
; 

loc_7443AF:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+286j
					; CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+29Cj
		push	70h

loc_7443B1:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+2B7j
					; CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+2DCj
		mov	ecx, [ebp+arg_8]
		xor	edx, edx
		push	esi
		push	9
		mov	edi, esi
		call	SetFailureLocation
		and	[ebp+var_8], 0

loc_7443C4:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+D7j
					; CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+22Dj ...
		lea	eax, [ebp+var_34]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		cmp	[ebp+var_8], 0
		jz	short loc_7443DA
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]

loc_7443DA:				; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+72j
					; CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+3A8j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_CmpValidateHiveSecurityDescriptors@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpInitMap	proc near		; CODE XREF: HvLoadHive+169p
					; HvpBuildMapForMemoryBackedHive+1Bp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CCE84 SIZE 000000BE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_14], ebx
		mov	eax, [esi+20h]
		mov	ecx, [esi+1Ch]
		mov	[ebp+var_4], ecx
		mov	edx, [eax+28h]
		mov	[ebp+var_10], edx
		test	edx, 0FFFh
		jnz	loc_8CCE84
		mov	eax, edx
		shr	eax, 0Ch
		test	eax, eax
		jz	loc_8CCEA9
		lea	ecx, [eax-1]
		shr	ecx, 9
		mov	[ebp+var_8], ecx

loc_74442C:				; CODE XREF: HvpInitMap+188AC8j
		mov	[esi+0C8h], edx
		cmp	[esi+30h], ebx
		jnz	short loc_7444A2
		lea	edi, [eax+3]
		and	edi, 0FFFFFFFCh
		jz	loc_8CCEB1

loc_744443:				; CODE XREF: HvpInitMap+188AD0j
		mov	ebx, 37324D43h
		push	ebx
		push	1
		push	edi
		call	dword ptr [esi+0Ch]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_8CCE8E
		push	ebx
		push	1
		push	edi
		call	dword ptr [esi+0Ch]
		mov	ebx, eax
		mov	[ebp+var_14], ebx
		test	ebx, ebx
		jz	loc_8CCEB9
		push	edi		; size_t
		push	0		; int
		push	[ebp+var_C]	; void *
		call	_memset
		add	esp, 0Ch
		push	edi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	ecx, [ebp+var_10]
		add	esp, 0Ch
		mov	eax, [ebp+var_C]
		shr	ecx, 9
		mov	[esi+2Ch], ecx
		mov	[esi+30h], eax
		mov	[esi+40h], ebx
		xor	ebx, ebx
		mov	[esi+3Ch], ecx
		mov	[esi+38h], edi

loc_7444A2:				; CODE XREF: HvpInitMap+51j
		cmp	[ebp+var_8], 0
		mov	eax, [esi+0Ch]
		jnz	short loc_7444EE
		push	36324D43h
		push	ebx
		push	1800h
		call	eax
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_8CCEC0
		push	1800h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_10]
		lea	ebx, [esi+0D0h]
		add	esp, 0Ch

loc_7444DB:				; CODE XREF: HvpInitMap+14Cj
		mov	[esi+0CCh], ebx
		mov	[esi+0D0h], eax
		xor	eax, eax

loc_7444E9:				; CODE XREF: HvpInitMap+188B59j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7444EE:				; CODE XREF: HvpInitMap+C5j
		push	38324D43h
		push	ebx
		push	1000h
		call	eax
		mov	ebx, eax
		mov	[ebp+var_10], ebx
		test	ebx, ebx
		jz	loc_8CCEC9
		push	1000h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, ebx
		mov	ecx, esi
		push	[ebp+var_8]
		push	0
		call	_HvpAllocateMap@16 ; HvpAllocateMap(x,x,x,x)
		test	al, al
		jz	loc_8CCEE1
		xor	eax, eax
		jmp	short loc_7444DB
HvpInitMap	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpAddSecurityCellToCache proc near	; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+172p
					; PAGE:0074BDD5p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CCF42 SIZE 000003C9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		or	[ebp+var_14], 0FFFFFFFFh
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		push	eax
		mov	[ebp+var_8], ebx
		call	_CmpFindSecurityCellCacheIndex@12 ; CmpFindSecurityCellCacheIndex(x,x,x)
		cmp	al, 1
		jz	loc_744652
		mov	ecx, [edi+4C4h]
		cmp	[edi+4C0h], ecx
		jz	loc_74465B

loc_744573:				; CODE XREF: CmpAddSecurityCellToCache+188j
					; CmpAddSecurityCellToCache+195j
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		push	edi
		call	dword ptr [edi+4]
		mov	esi, eax
		mov	[ebp+arg_0], esi
		test	esi, esi
		jz	loc_8CCF58
		mov	eax, [esi+10h]
		add	eax, 18h
		cmp	eax, 18h
		jbe	loc_8CCF50
		push	63534D43h
		push	0
		push	eax
		call	dword ptr [edi+0Ch]
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8CCF50
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebx+18h]
		add	esi, 14h
		push	dword ptr [eax+10h] ; size_t
		push	esi		; void *
		push	ecx		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [ebp+var_8]
		mov	edx, esi
		mov	[ebx], eax
		mov	eax, [ecx+10h]
		and	dword ptr [ebx+14h], 0
		mov	[ebx+10h], eax
		mov	ecx, [ecx+10h]
		call	_CmpSecConvKey@8 ; CmpSecConvKey(x,x)
		mov	[ebx+4], eax
		lea	ecx, [ebx+8]
		and	eax, 3Fh
		add	eax, 9Ah
		lea	eax, [edi+eax*8]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_7446CC
		mov	esi, [ebp+var_4]
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		mov	ecx, [edi+4C0h]
		cmp	esi, ecx
		jnb	short loc_74462E
		mov	eax, [edi+4CCh]
		sub	ecx, esi
		shl	ecx, 3
		push	ecx		; size_t
		lea	eax, [eax+esi*8]
		push	eax		; void *
		add	eax, 8
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch

loc_74462E:				; CODE XREF: CmpAddSecurityCellToCache+DEj
		mov	eax, [edi+4CCh]
		mov	ecx, [ebp+var_8]
		mov	[eax+esi*8], ecx
		mov	eax, [edi+4CCh]
		mov	[eax+esi*8+4], ebx
		lea	eax, [ebp+var_14]
		inc	dword ptr [edi+4C0h]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_744652:				; CODE XREF: CmpAddSecurityCellToCache+29j
		xor	eax, eax

loc_744654:				; CODE XREF: CmpAddSecurityCellToCache+188A2Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_74465B:				; CODE XREF: CmpAddSecurityCellToCache+3Bj
		mov	esi, [edi+4CCh]
		mov	eax, ecx
		shl	eax, 3
		mov	[ebp+var_C], eax
		xor	eax, eax
		cmp	byte ptr [ebp+arg_0], 1
		push	63534D43h
		setz	al
		add	ecx, 200h
		dec	eax
		and	eax, 0FFFFFE10h
		add	eax, ecx
		mov	[edi+4C4h], eax
		push	0
		shl	eax, 3
		push	eax
		call	dword ptr [edi+0Ch]
		mov	ecx, eax
		mov	eax, [edi+4C0h]
		mov	[edi+4CCh], ecx
		test	ecx, ecx
		jz	loc_8CCF42
		shl	eax, 3
		push	eax		; size_t
		push	esi		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		test	esi, esi
		jz	loc_744573
		push	[ebp+var_C]
		push	esi
		call	dword ptr [edi+10h]
		jmp	loc_744573
; 

loc_7446CC:				; CODE XREF: CmpAddSecurityCellToCache+C3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

HvpViewMapPromoteRangeToMapping:	; CODE XREF: HvpAddBin+30Fp
					; HvpRemapAndEnlistHiveBins+E3p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [edx+1000h]
		xor	ebx, ebx
		mov	[ebp+var_10], eax
		push	edi
		add	esi, eax
		mov	[ebp+var_14], ebx
		push	ebx
		pop	edx
		adc	edx, ebx
		mov	[ebp+var_18], ecx
		lea	ebx, [ecx+20h]
		mov	[ebp+arg_0], esi
		test	byte ptr [ebx+4], 1
		lea	eax, [ebp+var_28]
		mov	edi, [ebx]
		mov	[ebp+var_8], edx
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_4], ebx
		jz	short loc_744723
		test	edi, edi
		jnz	short loc_744721
		xor	eax, eax
		mov	edi, eax
		mov	[ebp+var_C], eax
		jmp	short loc_744726
; 

loc_744721:				; CODE XREF: CmpAddSecurityCellToCache+1E4j
		xor	edi, ebx

loc_744723:				; CODE XREF: CmpAddSecurityCellToCache+1E0j
		mov	[ebp+var_C], edi

loc_744726:				; CODE XREF: CmpAddSecurityCellToCache+1EDj
		movzx	ecx, byte ptr [ebx+4]
		and	ecx, 1
		test	edi, edi
		jz	short loc_744765
		mov	esi, [ebp+var_10]
		xor	edx, edx

loc_744736:				; CODE XREF: CmpAddSecurityCellToCache+21Aj
		cmp	edx, [edi+24h]
		jl	short loc_744742
		jg	short loc_744750
		cmp	esi, [edi+20h]
		jnb	short loc_744750

loc_744742:				; CODE XREF: CmpAddSecurityCellToCache+207j
		mov	eax, [edi]

loc_744744:				; CODE XREF: CmpAddSecurityCellToCache+269j
		test	ecx, ecx
		jnz	short loc_744790

loc_744748:				; CODE XREF: CmpAddSecurityCellToCache+260j
		mov	edi, eax

loc_74474A:				; CODE XREF: CmpAddSecurityCellToCache+264j
		test	edi, edi
		jnz	short loc_744736
		jmp	short loc_74475C
; 

loc_744750:				; CODE XREF: CmpAddSecurityCellToCache+209j
					; CmpAddSecurityCellToCache+20Ej
		cmp	edx, [edi+2Ch]
		jl	short loc_74475C
		jg	short loc_744798
		cmp	esi, [edi+28h]
		jnb	short loc_744798

loc_74475C:				; CODE XREF: CmpAddSecurityCellToCache+21Cj
					; CmpAddSecurityCellToCache+221j
		mov	esi, [ebp+arg_0]
		mov	edx, [ebp+var_8]
		mov	[ebp+var_C], edi

loc_744765:				; CODE XREF: CmpAddSecurityCellToCache+1FDj
		cmp	[edi+2Ch], edx
		jg	short loc_744779
		jl	loc_8CCF62
		cmp	[edi+28h], esi
		jb	loc_8CCF62

loc_744779:				; CODE XREF: CmpAddSecurityCellToCache+236j
		mov	ecx, [edi+30h]
		mov	eax, [ebp+arg_4]
		sub	ecx, [edi+10h]
		add	ecx, [ebp+var_10]
		mov	[eax], ecx
		xor	eax, eax

loc_744789:				; CODE XREF: CmpAddSecurityCellToCache+188DB1j
					; CmpAddSecurityCellToCache+188DD4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_744790:				; CODE XREF: CmpAddSecurityCellToCache+214j
		test	eax, eax
		jz	short loc_744748
		xor	edi, eax
		jmp	short loc_74474A
; 

loc_744798:				; CODE XREF: CmpAddSecurityCellToCache+223j
					; CmpAddSecurityCellToCache+228j
		mov	eax, [edi+4]
		jmp	short loc_744744
CmpAddSecurityCellToCache endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpResetPageProtection(x)
_HvpResetPageProtection@4 proc near	; CODE XREF: HvResetDirtyData(x)+Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	edi
		mov	edi, ecx
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	edx, [edi+34h]
		lea	ebx, [edi+2Ch]
		mov	ecx, [ebx]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		test	ecx, ecx
		jz	short loc_7447FD
		push	esi

loc_7447C2:				; CODE XREF: HvpResetPageProtection(x)+5Cj
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx
		mov	ecx, ebx
		call	RtlFindNextForwardRunSet
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7447FC
		mov	esi, [ebp+var_4]
		mov	ecx, ebx
		shl	ecx, 9
		mov	edx, esi
		push	2
		push	ecx
		shl	edx, 9
		mov	ecx, edi
		call	HvpSetRangeProtection
		sub	[ebp+var_8], ebx
		lea	eax, [ebx+esi]
		jz	short loc_7447FC
		lea	ebx, [edi+2Ch]
		cmp	eax, [ebp+var_C]
		jb	short loc_7447C2

loc_7447FC:				; CODE XREF: HvpResetPageProtection(x)+35j
					; HvpResetPageProtection(x)+54j
		pop	esi

loc_7447FD:				; CODE XREF: HvpResetPageProtection(x)+21j
		pop	edi
		pop	ebx
		leave
		retn
_HvpResetPageProtection@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapMakeViewRangeReadOnly(x, x, x, x,	x, x)
_HvpViewMapMakeViewRangeReadOnly@24 proc near ;	CODE XREF: HvpViewMapSealRange(x,x,x)+A7p
					; HvpViewMapMigrateCOWData(x,x,x)+173p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	eax
		mov	eax, [ebp+arg_8]
		mov	edi, edx
		mov	edx, [ecx+18h]
		sub	eax, esi
		push	2
		push	eax
		mov	eax, [edi+30h]
		sub	eax, [edi+10h]
		add	eax, esi
		push	eax
		call	_CmSiProtectViewOfSection@24 ; CmSiProtectViewOfSection(x,x,x,x,x,x)
		mov	ecx, [ebp+arg_4]
		cmp	ecx, [ebp+arg_C]
		jl	short loc_74483F
		jg	short loc_74485C

loc_74483A:				; CODE XREF: HvpViewMapMakeViewRangeReadOnly(x,x,x,x,x,x)+58j
		cmp	esi, [ebp+arg_8]
		jnb	short loc_74485C

loc_74483F:				; CODE XREF: HvpViewMapMakeViewRangeReadOnly(x,x,x,x,x,x)+34j
					; HvpViewMapMakeViewRangeReadOnly(x,x,x,x,x,x)+56j
		mov	eax, esi
		sub	eax, [edi+10h]
		shr	eax, 0Ch
		and	byte ptr [eax+edi+38h],	0F7h
		add	esi, 1000h
		adc	ecx, 0
		cmp	ecx, [ebp+arg_C]
		jl	short loc_74483F
		jle	short loc_74483A

loc_74485C:				; CODE XREF: HvpViewMapMakeViewRangeReadOnly(x,x,x,x,x,x)+36j
					; HvpViewMapMakeViewRangeReadOnly(x,x,x,x,x,x)+3Bj
		pop	edi
		pop	esi
		leave
		retn	10h
_HvpViewMapMakeViewRangeReadOnly@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFreeKeyByCell proc near		; CODE XREF: CmpRemoveHiveFromNamespace(x,x,x)+35p
					; CmDeleteLayeredKey(x,x,x)+33Ep ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CD30B SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		or	[ebp+var_18], 0FFFFFFFFh
		or	[ebp+var_20], 0FFFFFFFFh
		or	[ebp+var_28], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], ebx
		xor	edx, edx
		mov	[ebp+var_14], edi
		lea	eax, [esi+484h]
		mov	[ebp+var_1C], edi
		mov	ecx, eax
		mov	[ebp+var_24], edi
		mov	[ebp+var_10], eax
		call	ExAcquirePushLockExclusiveEx
		push	ecx
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	ecx, esi
		call	CmpMarkKeyDirty
		test	al, al
		jz	loc_8CD30B
		lea	eax, [ebp+var_18]
		push	eax
		push	ebx
		push	esi
		call	dword ptr [esi+4]
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_7449A9
		cmp	byte ptr [ebp+arg_0], 1
		jnz	short loc_74490A
		push	[ebp+var_8]
		mov	edx, [ebx+10h]
		mov	ecx, esi
		call	_CmpRemoveSubKey@12 ; CmpRemoveSubKey(x,x,x)
		test	al, al
		jz	loc_8CD315
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_20]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8CD315
		mov	eax, [ecx+18h]
		add	eax, [ecx+14h]
		jz	loc_74499B

loc_744902:				; CODE XREF: CmpFreeKeyByCell+142j
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_74490A:				; CODE XREF: CmpFreeKeyByCell+67j
		test	byte ptr [ebx+2], 42h
		jnz	short loc_744968
		cmp	[ebx+24h], edi
		jbe	short loc_744958
		mov	eax, [ebx+28h]
		lea	ecx, [ebp+var_28]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_8CD315
		cmp	[ebx+24h], edi
		jbe	short loc_744946

loc_744931:				; CODE XREF: CmpFreeKeyByCell+E0j
		mov	edx, [eax+edi*4]
		mov	ecx, esi
		call	_CmpFreeValue@8	; CmpFreeValue(x,x)
		mov	eax, [ebp+var_C]
		inc	edi
		cmp	edi, [ebx+24h]
		jb	short loc_744931
		xor	edi, edi

loc_744946:				; CODE XREF: CmpFreeKeyByCell+CDj
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebx+28h]
		mov	ecx, esi
		call	HvFreeCell

loc_744958:				; CODE XREF: CmpFreeKeyByCell+B1j
		cmp	dword ptr [ebx+2Ch], 0FFFFFFFFh
		jz	short loc_744968
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_CmpFreeSecurityDescriptor@8 ; CmpFreeSecurityDescriptor(x,x)

loc_744968:				; CODE XREF: CmpFreeKeyByCell+ACj
					; CmpFreeKeyByCell+FAj
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		mov	ebx, edi
		call	CmpFreeKeyBody
		test	al, al
		jz	short loc_7449A9

loc_744980:				; CODE XREF: CmpFreeKeyByCell+188AB8j
		test	ebx, ebx
		jnz	loc_8CD31F

loc_744988:				; CODE XREF: CmpFreeKeyByCell+14Cj
					; CmpFreeKeyByCell+188AAEj ...
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_74499B:				; CODE XREF: CmpFreeKeyByCell+9Aj
		xor	eax, eax
		mov	[ecx+38h], edi
		mov	[ecx+34h], ax
		jmp	loc_744902
; 

loc_7449A9:				; CODE XREF: CmpFreeKeyByCell+5Dj
					; CmpFreeKeyByCell+11Cj
		mov	edi, 0C000009Ah
		jmp	short loc_744988
CmpFreeKeyByCell endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFreeValue(x, x)
_CmpFreeValue@8	proc near		; CODE XREF: CmpFreeKeyByCell+D4p
					; CmDeleteValueKey+472p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		or	[ebp+var_8], 0FFFFFFFFh
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	eax
		mov	edi, edx
		mov	esi, ecx
		push	edi
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_7449FE
		push	dword ptr [eax+4]
		mov	edx, [eax+8]
		mov	ecx, esi
		call	CmpFreeValueData
		mov	ecx, [esi+8]
		test	al, al
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		jz	short loc_7449FC
		call	ecx
		mov	edx, edi
		mov	ecx, esi
		call	HvFreeCell
		mov	al, 1

loc_7449F8:				; CODE XREF: CmpFreeValue(x,x)+50j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_7449FC:				; CODE XREF: CmpFreeValue(x,x)+39j
		call	ecx

loc_7449FE:				; CODE XREF: CmpFreeValue(x,x)+20j
		xor	al, al
		jmp	short loc_7449F8
_CmpFreeValue@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAddSubKeyEx(x, x, x, x)
_CmpAddSubKeyEx@16 proc	near		; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+B00p
					; CmpCopySyncTree2(x,x,x,x,x,x,x)+487p	...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		or	esi, 0FFFFFFFFh
		xor	ebx, ebx
		mov	eax, esi
		mov	[ebp+var_28], esi
		push	edi
		mov	[ebp+var_C], eax
		mov	edi, ecx
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	edx
		push	edi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_10], ebx
		call	dword ptr [edi+4]
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_744BFA
		mov	ecx, [ebp+arg_0]
		shr	ecx, 1Fh
		mov	[ebp+var_14], ecx
		cmp	[eax+ecx*4+14h], ebx
		jnz	short loc_744AC7
		inc	ebx
		cmp	dword ptr [edi+9Ch], 5
		jb	short loc_744A7F
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_744A64
		mov	eax, ebx

loc_744A64:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+5Ej
		mov	edx, 3F4h
		cmp	eax, edx
		jb	short loc_744A6F
		mov	eax, edx

loc_744A6F:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+69j
		lea	edx, ds:4[eax*8]
		mov	[ebp+arg_4], 686Ch
		jmp	short loc_744A89
; 

loc_744A7F:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+57j
		push	0Ch
		pop	edx
		mov	[ebp+arg_4], 666Ch

loc_744A89:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+7Bj
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		mov	ecx, edi
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		cmp	eax, esi
		mov	[ebp+var_C], eax
		mov	esi, [ebp+var_4]
		mov	[ebp+var_8], eax
		jnz	short loc_744AAD

loc_744AA6:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+DDj
					; CmpAddSubKeyEx(x,x,x,x)+108j	...
		xor	bl, bl
		jmp	loc_744BD6
; 

loc_744AAD:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+A2j
		mov	eax, [ebp+arg_4]
		lea	edx, [ebp+var_8]
		mov	[esi], ax
		xor	eax, eax
		mov	[ebp+var_10], ebx
		mov	[esi+2], ax
		mov	[ebp+arg_4], edx
		jmp	loc_744BA7
; 

loc_744AC7:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+4Dj
		add	ecx, 7
		lea	ebx, [eax+ecx*4]
		mov	eax, [ebx]
		lea	ecx, [ebp+var_20]
		push	ecx
		push	eax
		push	edi
		mov	[ebp+arg_4], ebx
		call	dword ptr [edi+4]
		mov	esi, eax
		test	esi, esi
		jz	short loc_744AA6
		mov	eax, 666Ch
		mov	ecx, 696Ch
		cmp	[esi], ax
		jnz	short loc_744B36
		mov	eax, 1FBh
		cmp	[esi+2], ax
		jb	short loc_744B36
		mov	edx, [ebx]
		mov	ecx, edi
		push	0
		push	0
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_744AA6
		xor	eax, eax
		xor	edx, edx
		cmp	ax, [esi+2]
		jnb	short loc_744B2E
		lea	ecx, [esi+4]
		mov	ebx, ecx

loc_744B1B:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+12Aj
		mov	eax, [ebx]
		inc	edx
		mov	[ecx], eax
		lea	ebx, [ebx+8]
		movzx	eax, word ptr [esi+2]
		lea	ecx, [ecx+4]
		cmp	edx, eax
		jb	short loc_744B1B

loc_744B2E:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+112j
		mov	ecx, 696Ch
		mov	[esi], cx

loc_744B36:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+ECj
					; CmpAddSubKeyEx(x,x,x,x)+F7j
		movzx	eax, word ptr [esi]
		xor	ebx, ebx
		inc	ebx
		cmp	ax, cx
		jz	short loc_744B4B
		mov	ecx, 686Ch
		cmp	ax, cx
		jnz	short loc_744BA4

loc_744B4B:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+13Dj
		mov	eax, 3F5h
		cmp	[esi+2], ax
		jb	short loc_744BA4
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_4]
		mov	ecx, edi
		push	eax
		push	[ebp+var_14]
		push	0Ch
		pop	edx
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	esi, [ebp+var_4]
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	loc_744AA6
		mov	edx, [ebp+arg_4]
		mov	eax, 6972h
		or	[ebp+var_8], 0FFFFFFFFh
		mov	[esi], ax
		mov	[esi+2], bx
		mov	eax, [edx]
		mov	[esi+4], eax
		mov	[edx], ecx
		jmp	short loc_744BA7
; 

loc_744BA4:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+147j
					; CmpAddSubKeyEx(x,x,x,x)+152j
		mov	edx, [ebp+arg_4]

loc_744BA7:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+C0j
					; CmpAddSubKeyEx(x,x,x,x)+1A0j
		push	[ebp+arg_0]
		mov	ecx, edi
		call	CmpAddSubKeyToList
		test	al, al
		jnz	short loc_744BB9
		xor	bl, bl
		jmp	short loc_744BD0
; 

loc_744BB9:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+1B1j
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_18]
		mov	eax, [eax]
		inc	dword ptr [edx+ecx*4+14h]
		and	[ebp+var_10], 0
		mov	[edx+ecx*4+1Ch], eax

loc_744BD0:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+1B5j
		mov	eax, [ebp+var_8]
		mov	[ebp+var_C], eax

loc_744BD6:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+A6j
		lea	eax, [ebp+var_28]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		test	esi, esi
		jz	short loc_744BEA
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_744BEA:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+1DEj
		cmp	[ebp+var_10], 0
		jz	short loc_744BFA
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	HvFreeCell

loc_744BFA:				; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+3Aj
					; CmpAddSubKeyEx(x,x,x,x)+1ECj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
_CmpAddSubKeyEx@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpAddSubKeyToList proc	near		; CODE XREF: CmpAddSubKeyEx(x,x,x,x)+1AAp
					; CmRenameKey(x,x,x,x)+B27p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CD32C SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		or	[ebp+var_34], 0FFFFFFFFh
		xor	eax, eax
		or	[ebp+var_2C], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	word ptr [ebp+var_24], ax
		mov	esi, ecx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_C], edx
		push	eax
		push	[ebp+arg_0]
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_20], ebx
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	loc_744D1E
		test	byte ptr [edi+2], 20h
		movzx	eax, word ptr [edi+48h]
		jz	loc_8CD32C
		add	eax, eax
		push	20384D43h
		movzx	ecx, ax
		mov	word ptr [ebp+var_24], ax
		mov	word ptr [ebp+var_24+2], ax
		movzx	eax, ax
		push	ebx
		push	eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], eax
		call	dword ptr [esi+0Ch]
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_744D16
		movzx	eax, word ptr [edi+48h]
		mov	edx, [ebp+var_14]
		push	eax
		lea	eax, [edi+4Ch]
		mov	[ebp+var_5], 1
		push	eax
		call	_CmpCopyCompressedName@16 ; CmpCopyCompressedName(x,x,x,x)
		mov	eax, [ebp+var_18]
		movzx	eax, ax

loc_744C9B:				; CODE XREF: CmpAddSubKeyToList+188739j
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, [ebp+var_C]
		lea	ecx, [ebp+var_34]
		push	ecx
		mov	edi, ebx
		mov	eax, [eax]
		push	eax
		push	esi
		mov	[ebp+var_18], eax
		call	dword ptr [esi+4]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	short loc_744CF6
		mov	ecx, 6972h
		cmp	[eax], cx
		jz	loc_8CD342
		mov	eax, [ebp+var_18]

loc_744CD1:				; CODE XREF: CmpAddSubKeyToList+18875Aj
		lea	ecx, [ebp+var_24]
		mov	edx, eax
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, esi
		call	_CmpAddToLeaf@16 ; CmpAddToLeaf(x,x,x,x)
		mov	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_744CF6
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_744CF2
		mov	eax, [ebp+var_C]

loc_744CF2:				; CODE XREF: CmpAddSubKeyToList+E9j
		mov	[eax], ecx
		mov	bl, 1

loc_744CF6:				; CODE XREF: CmpAddSubKeyToList+BAj
					; CmpAddSubKeyToList+E2j ...
		cmp	[ebp+var_5], 0
		jz	short loc_744D09
		mov	eax, [ebp+var_14]
		movzx	eax, ax
		push	eax
		push	[ebp+var_20]
		call	dword ptr [esi+10h]

loc_744D09:				; CODE XREF: CmpAddSubKeyToList+F6j
		cmp	[ebp+var_1C], edi
		jz	short loc_744D1E
		lea	eax, [ebp+var_34]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_744D16:				; CODE XREF: CmpAddSubKeyToList+76j
		test	edi, edi
		jnz	loc_8CD369

loc_744D1E:				; CODE XREF: CmpAddSubKeyToList+3Bj
					; CmpAddSubKeyToList+108j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
CmpAddSubKeyToList endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpAddValueToListEx proc near		; CODE XREF: CmpSetValueKeyNew+50p
					; CmpLightWeightPrepareSetValueKeyUoW+ABC11p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CD376 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		or	[ebp+var_14], 0FFFFFFFFh
		and	[ebp+var_10], 0
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	[ebp+var_C], edx
		xor	edx, edx
		push	edi
		mov	esi, [ebx]
		inc	edx
		mov	[ebp+var_8], ecx
		lea	edi, [esi+1]
		cmp	edi, edx
		jbe	short loc_744DA5
		cmp	edi, 64h
		jnb	short loc_744DC2
		mov	eax, edi
		shl	eax, 2

loc_744D5E:				; CODE XREF: CmpAddValueToListEx+A8j
					; CmpAddValueToListEx+B4j
		lea	ecx, [ebp+var_14]
		push	ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, [ebp+var_8]
		push	edx
		mov	edx, [ebx+4]
		push	eax
		call	_HvReallocateCell@24 ; HvReallocateCell(x,x,x,x,x,x)

loc_744D73:				; CODE XREF: CmpAddValueToListEx+98j
		cmp	eax, 0FFFFFFFFh
		jz	short loc_744DDE
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+var_4]
		mov	[ebx+4], eax

loc_744D81:				; CODE XREF: CmpAddValueToListEx+188656j
		cmp	esi, ecx
		ja	loc_8CD376
		mov	eax, [ebp+var_C]
		mov	[edx+ecx*4], eax
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, [ebp+var_8]
		push	eax
		mov	[ebx], edi
		call	dword ptr [eax+8]
		xor	eax, eax

loc_744D9E:				; CODE XREF: CmpAddValueToListEx+BBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_744DA5:				; CODE XREF: CmpAddValueToListEx+2Aj
		cmp	[ebp+arg_C], edx
		jb	short loc_744DAD
		mov	edx, [ebp+arg_C]

loc_744DAD:				; CODE XREF: CmpAddValueToListEx+80j
		lea	eax, [ebp+var_14]
		shl	edx, 2
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		jmp	short loc_744D73
; 

loc_744DC2:				; CODE XREF: CmpAddValueToListEx+2Fj
		lea	eax, [edi+63h]
		and	eax, 0FFFFFF9Ch
		shl	eax, 2
		cmp	eax, 1000h
		jbe	short loc_744D5E
		add	eax, 0FFFh
		and	eax, 0FFFFF000h
		jmp	short loc_744D5E
; 

loc_744DDE:				; CODE XREF: CmpAddValueToListEx+4Ej
		mov	eax, 0C000009Ah
		jmp	short loc_744D9E
CmpAddValueToListEx endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvReallocateCell(x,	x, x, x, x, x)
_HvReallocateCell@24 proc near		; CODE XREF: CmpAddValueToListEx+46p
					; CmpAddToLeaf(x,x,x,x)+CAp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		or	[ebp+var_20], 0FFFFFFFFh
		xor	eax, eax
		and	[ebp+var_1C], 0
		or	[ebp+var_18], 0FFFFFFFFh
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	edi, edx
		mov	[ebp+var_4], eax
		mov	esi, ecx
		lea	eax, [ebp+var_20]
		mov	[ebp+var_10], edi
		push	eax
		push	edi
		push	esi
		call	dword ptr [esi+4]
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_744E27
		or	edi, 0FFFFFFFFh
		jmp	loc_744F12
; 

loc_744E27:				; CODE XREF: HvReallocateCell(x,x,x,x,x,x)+37j
		mov	edx, [ebp+arg_0]
		push	0FFFFFFFCh
		pop	eax
		sub	eax, [ebx-4]
		add	edx, 4
		mov	[ebp+var_C], eax
		add	eax, 4
		cmp	edx, eax
		ja	short loc_744E55
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_C]
		mov	[eax], ebx
		mov	eax, [ebp+var_20]
		mov	[ecx], eax
		mov	eax, [ebp+var_1C]
		mov	[ecx+4], eax
		jmp	loc_744F12
; 

loc_744E55:				; CODE XREF: HvReallocateCell(x,x,x,x,x,x)+55j
		add	edx, 7
		mov	eax, 4000h
		and	edx, 0FFFFFFF8h
		xor	ecx, ecx
		cmp	edx, eax
		jbe	short loc_744E73

loc_744E66:				; CODE XREF: HvReallocateCell(x,x,x,x,x,x)+85j
		add	eax, eax
		inc	ecx
		cmp	edx, eax
		ja	short loc_744E66
		test	ecx, ecx
		jz	short loc_744E73
		mov	edx, eax

loc_744E73:				; CODE XREF: HvReallocateCell(x,x,x,x,x,x)+7Ej
					; HvReallocateCell(x,x,x,x,x,x)+89j
		cmp	edx, 100000h
		jbe	short loc_744E80
		or	edi, 0FFFFFFFFh
		jmp	short loc_744EF8
; 

loc_744E80:				; CODE XREF: HvReallocateCell(x,x,x,x,x,x)+93j
		lea	eax, [ebp+var_18]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, edi
		shr	eax, 1Fh
		push	eax
		call	HvpDoAllocateCell
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_744EA6
		mov	edx, [ebp+var_4]
		or	edi, eax
		mov	[ebp+var_8], edx
		jmp	short loc_744EF8
; 

loc_744EA6:				; CODE XREF: HvReallocateCell(x,x,x,x,x,x)+B4j
		push	[ebp+var_C]	; size_t
		push	ebx		; void *
		push	[ebp+var_4]	; void *
		call	_memmove
		add	esp, 0Ch
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		xor	ebx, ebx
		cmp	[ebp+arg_4], 1
		jnz	short loc_744ECF
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		call	HvFreeCell

loc_744ECF:				; CODE XREF: HvReallocateCell(x,x,x,x,x,x)+DDj
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_4]
		and	[ebp+var_8], ebx
		mov	[eax], ecx
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+var_18]
		and	[ebp+var_18], ebx
		or	[ebp+var_18], 0FFFFFFFFh
		mov	[ecx], eax
		mov	eax, [ebp+var_14]
		and	[ebp+var_14], ebx
		mov	[ecx+4], eax
		xor	eax, eax
		mov	word ptr [ebp+var_14], ax

loc_744EF8:				; CODE XREF: HvReallocateCell(x,x,x,x,x,x)+98j
					; HvReallocateCell(x,x,x,x,x,x)+BEj
		test	ebx, ebx
		jz	short loc_744F04
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_744F04:				; CODE XREF: HvReallocateCell(x,x,x,x,x,x)+114j
		cmp	[ebp+var_8], 0
		jz	short loc_744F12
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_744F12:				; CODE XREF: HvReallocateCell(x,x,x,x,x,x)+3Cj
					; HvReallocateCell(x,x,x,x,x,x)+6Aj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_HvReallocateCell@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpSetValueDataNew proc	near		; CODE XREF: CmpAddValueKeyNew+80p
					; CmpSetValueKeyExisting+18660Bp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008CD383 SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		or	[ebp+var_18], 0FFFFFFFFh
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], edi
		cmp	dword ptr [esi+9Ch], 4
		mov	[ebp+var_14], ecx
		jb	short loc_744F53
		lea	eax, [ebx-3FD9h]
		cmp	eax, 7FFFC026h
		jbe	short loc_744F93

loc_744F53:				; CODE XREF: CmpSetValueDataNew+28j
		lea	eax, [ebp+var_18]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax
		push	[ebp+arg_4]
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_8CD3E8
		push	ebx		; size_t
		push	edi		; void *
		push	[ebp+var_8]	; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_744F8A:				; CODE XREF: CmpSetValueDataNew+178j
		xor	eax, eax

loc_744F8C:				; CODE XREF: CmpSetValueDataNew+1884D1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_744F93:				; CODE XREF: CmpSetValueDataNew+35j
		or	[ebp+var_28], 0FFFFFFFFh
		lea	eax, [ebp+var_28]
		or	[ebp+var_20], 0FFFFFFFFh
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], ecx
		push	eax
		push	[ebp+arg_4]
		mov	[ebp+var_24], ecx
		push	8
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_1C], ecx
		mov	ecx, esi
		pop	edx
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_8CD3E8
		xor	edx, edx
		mov	edi, [ebp+var_10]
		mov	ecx, 3FD8h
		lea	eax, [ebx+3FD7h]
		div	ecx
		lea	ecx, [ebp+var_20]
		mov	dword ptr [edi], 6264h
		or	dword ptr [edi+4], 0FFFFFFFFh
		push	ecx
		movzx	eax, ax
		lea	ecx, [ebp+arg_0]
		push	ecx
		push	[ebp+arg_4]
		movzx	edx, ax
		mov	ecx, esi
		shl	edx, 2
		mov	[ebp+var_10], eax
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	[edi+4], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_8CD383
		mov	eax, [ebp+var_10]
		cmp	[edi+2], ax
		jnb	short loc_745084

loc_745019:				; CODE XREF: CmpSetValueDataNew+166j
		lea	eax, [ebp+var_18]
		mov	edx, 3FD8h
		push	eax
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax
		push	[ebp+arg_4]
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	edx, [ebp+arg_0]
		movzx	ecx, word ptr [edi+2]
		mov	[edx+ecx*4], eax
		movzx	eax, word ptr [edi+2]
		cmp	dword ptr [edx+eax*4], 0FFFFFFFFh
		jz	loc_8CD386
		mov	eax, 3FD8h
		cmp	ebx, eax
		jbe	short loc_745099

loc_745051:				; CODE XREF: CmpSetValueDataNew+17Fj
		push	eax		; size_t
		push	[ebp+var_C]	; void *
		push	[ebp+var_8]	; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		and	[ebp+var_8], 0
		mov	eax, 3FD8h
		add	[ebp+var_C], eax
		sub	ebx, eax
		inc	word ptr [edi+2]
		mov	ax, [edi+2]
		cmp	ax, word ptr [ebp+var_10]
		jb	short loc_745019

loc_745084:				; CODE XREF: CmpSetValueDataNew+FBj
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_744F8A
; 

loc_745099:				; CODE XREF: CmpSetValueDataNew+133j
		mov	eax, ebx
		jmp	short loc_745051
CmpSetValueDataNew endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpFindNextDirtyBlock proc near		; CODE XREF: HvpGenerateLogEntryDirtyData(x,x,x,x,x,x)+4Cp
					; HvStoreModifiedData+2A7p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 008CD3F2 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_10], 0
		mov	eax, edx
		mov	edx, [ebp+arg_0]
		and	[ebp+var_C], 0
		push	edi
		push	ecx
		mov	[ebp+var_4], ecx
		xor	edi, edi
		lea	ecx, [ebp+var_10]
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		mov	ecx, eax
		call	HvpFindNextDirtyRun
		test	al, al
		jz	loc_745268
		mov	eax, [ebp+var_C]
		push	ebx
		mov	bl, [ebp+arg_10]
		push	esi
		mov	esi, eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_10]
		mov	[ebp+var_10], eax
		shl	eax, 9
		shl	esi, 9
		mov	[ebp+var_14], eax
		sub	eax, esi
		mov	[ebp+var_C], eax
		test	bl, bl
		jnz	loc_74522B

loc_7450FA:				; CODE XREF: HvpFindNextDirtyBlock+19Ej
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8CD3FD
		mov	eax, [ecx+4]
		test	al, 2
		jnz	loc_74528D
		xor	edx, edx

loc_74511B:				; CODE XREF: HvpFindNextDirtyBlock+1F1j
		and	eax, 0FFFFFFF0h
		test	edx, edx
		jnz	loc_745294
		mov	ecx, [ecx]
		add	ecx, eax

loc_74512A:				; CODE XREF: HvpFindNextDirtyBlock+1FDj
		test	bl, bl
		jnz	loc_745247
		mov	edx, esi
		and	edx, 0FFFh
		add	edx, ecx

loc_74513C:				; CODE XREF: HvpFindNextDirtyBlock+1ABj
		mov	eax, [ebp+arg_4]
		lea	ebx, [esi+1000h]
		push	8
		mov	[eax], edx
		mov	eax, [ebp+arg_C]
		mov	esi, [ebp+var_10]
		sub	esi, [ebp+var_8]
		pop	edx
		mov	[eax], ebx
		mov	eax, [ebp+var_8]
		and	eax, 7
		mov	[ebp+arg_C], esi
		sub	edx, eax
		mov	[ebp+arg_4], edx
		cmp	esi, edx
		jb	loc_8CD417

loc_74516B:				; CODE XREF: HvpFindNextDirtyBlock+18837Ej
		mov	esi, edx
		shl	esi, 9
		cmp	[ebp+arg_10], 0
		jnz	loc_74524E

loc_74517A:				; CODE XREF: HvpFindNextDirtyBlock+1C5j
		cmp	[ebp+arg_C], edx
		ja	short loc_745190

loc_74517F:				; CODE XREF: HvpFindNextDirtyBlock+1D5j
					; HvpFindNextDirtyBlock+1E6j
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_C]
		mov	[eax], ecx

loc_745187:				; CODE XREF: HvpFindNextDirtyBlock+12Bj
					; HvpFindNextDirtyBlock+132j ...
		pop	esi
		mov	al, 1
		pop	ebx

loc_74518B:				; CODE XREF: HvpFindNextDirtyBlock+1CCj
		pop	edi
		leave
		retn	14h
; 

loc_745190:				; CODE XREF: HvpFindNextDirtyBlock+DFj
		and	ebx, 0FFFFF000h

loc_745196:				; CODE XREF: HvpFindNextDirtyBlock+188j
		cmp	esi, [ebp+var_C]
		jnb	short loc_7451BC
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		test	eax, eax
		jz	loc_8CD405
		cmp	[ebp+arg_10], 0
		jnz	short loc_7451D2
		test	byte ptr [eax+4], 1
		jz	short loc_7451D2
		mov	edx, [ebp+arg_4]

loc_7451BC:				; CODE XREF: HvpFindNextDirtyBlock+FBj
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		mov	eax, [ebp+var_8]
		add	eax, edx
		cmp	eax, [ebp+var_10]
		jz	short loc_745187
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		jmp	short loc_745187
; 

loc_7451D2:				; CODE XREF: HvpFindNextDirtyBlock+113j
					; HvpFindNextDirtyBlock+119j
		mov	ecx, [eax+4]
		test	cl, 2
		jnz	loc_7452A0
		xor	edx, edx

loc_7451E0:				; CODE XREF: HvpFindNextDirtyBlock+204j
		and	ecx, 0FFFFFFF0h
		test	edx, edx
		jnz	loc_7452A7
		mov	eax, [eax]
		add	ecx, eax

loc_7451EF:				; CODE XREF: HvpFindNextDirtyBlock+20Ej
		mov	eax, [ebp+var_14]
		mov	edx, 1000h
		sub	eax, ebx
		cmp	eax, edx
		jbe	short loc_74526F
		cmp	[ebp+arg_10], 0
		jz	loc_745289
		push	edx		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, 1000h
		add	esp, 0Ch
		add	edi, eax

loc_745219:				; CODE XREF: HvpFindNextDirtyBlock+1EDj
		mov	edx, [ebp+arg_4]
		add	esi, eax
		add	edx, 8
		add	ebx, eax
		mov	[ebp+arg_4], edx
		jmp	loc_745196
; 

loc_74522B:				; CODE XREF: HvpFindNextDirtyBlock+56j
		push	33354D43h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_7450FA
		jmp	loc_8CD3F2
; 

loc_745247:				; CODE XREF: HvpFindNextDirtyBlock+8Ej
		mov	edx, edi
		jmp	loc_74513C
; 

loc_74524E:				; CODE XREF: HvpFindNextDirtyBlock+D6j
		shl	eax, 9
		push	esi		; size_t
		add	eax, ecx
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		mov	edx, [ebp+arg_4]
		add	esp, 0Ch
		add	edi, esi
		jmp	loc_74517A
; 

loc_745268:				; CODE XREF: HvpFindNextDirtyBlock+2Dj
		xor	al, al
		jmp	loc_74518B
; 

loc_74526F:				; CODE XREF: HvpFindNextDirtyBlock+15Dj
		cmp	[ebp+arg_10], 0
		jz	loc_74517F
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_74517F
; 

loc_745289:				; CODE XREF: HvpFindNextDirtyBlock+163j
		mov	eax, edx
		jmp	short loc_745219
; 

loc_74528D:				; CODE XREF: HvpFindNextDirtyBlock+75j
		mov	edx, [ecx]
		jmp	loc_74511B
; 

loc_745294:				; CODE XREF: HvpFindNextDirtyBlock+82j
		mov	ecx, eax
		sub	ecx, [edx+0Ch]
		add	ecx, esi
		jmp	loc_74512A
; 

loc_7452A0:				; CODE XREF: HvpFindNextDirtyBlock+13Aj
		mov	edx, [eax]
		jmp	loc_7451E0
; 

loc_7452A7:				; CODE XREF: HvpFindNextDirtyBlock+147j
		sub	ecx, [edx+0Ch]
		add	ecx, ebx
		jmp	loc_7451EF
HvpFindNextDirtyBlock endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpPointMapEntriesToBuffer proc	near	; CODE XREF: HvpAddBin+1B2p
					; HvpRemapAndEnlistHiveBins+FBp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CD421 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, ecx
		xor	esi, esi
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_74531D
		mov	ecx, [ebp+arg_4]
		push	ebx

loc_7452D0:				; CODE XREF: HvpPointMapEntriesToBuffer+68j
		lea	ebx, [esi+ecx]
		mov	ecx, eax
		mov	edx, ebx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8CD421
		mov	eax, [ebp+var_8]
		mov	[ecx+4], eax
		test	esi, esi
		jnz	short loc_745323
		or	eax, 1
		mov	[ecx+4], eax
		mov	eax, edi

loc_7452F8:				; CODE XREF: HvpPointMapEntriesToBuffer+73j
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	short loc_74532D
		mov	eax, esi

loc_745304:				; CODE XREF: HvpPointMapEntriesToBuffer+7Fj
		cmp	[ebp+arg_8], 0
		mov	[ecx], eax
		jnz	short loc_745327

loc_74530C:				; CODE XREF: HvpPointMapEntriesToBuffer+79j
		mov	eax, [ebp+var_4]
		add	esi, 1000h
		mov	ecx, [ebp+arg_4]
		cmp	esi, edi
		jb	short loc_7452D0
		pop	ebx

loc_74531D:				; CODE XREF: HvpPointMapEntriesToBuffer+18j
		pop	edi
		pop	esi
		leave
		retn	10h
; 

loc_745323:				; CODE XREF: HvpPointMapEntriesToBuffer+3Cj
		xor	eax, eax
		jmp	short loc_7452F8
; 

loc_745327:				; CODE XREF: HvpPointMapEntriesToBuffer+58j
		or	dword ptr [ecx+4], 8
		jmp	short loc_74530C
; 

loc_74532D:				; CODE XREF: HvpPointMapEntriesToBuffer+4Ej
		or	dword ptr [ecx+4], 2
		jmp	short loc_745304
HvpPointMapEntriesToBuffer endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapSealRange(x, x, x)
_HvpViewMapSealRange@12	proc near	; CODE XREF: HvpSetRangeProtection+B5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	ebx, [edx+1000h]
		xor	edx, edx
		mov	eax, ecx
		add	esi, ebx
		mov	[ebp+var_C], eax
		push	edx
		pop	ecx
		adc	ecx, edx
		mov	[ebp+arg_0], esi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], edx
		cmp	edx, ecx
		jb	short loc_74536F
		ja	loc_745402
		cmp	ebx, esi
		jnb	loc_745402

loc_74536F:				; CODE XREF: HvpViewMapSealRange(x,x,x)+2Bj
		push	edi
		lea	edi, [eax+20h]

loc_745373:				; CODE XREF: HvpViewMapSealRange(x,x,x)+BFj
					; HvpViewMapSealRange(x,x,x)+C7j
		test	byte ptr [edi+4], 1
		mov	ecx, [edi]
		jz	short loc_745385
		test	ecx, ecx
		jnz	short loc_745383
		mov	ecx, edx
		jmp	short loc_745385
; 

loc_745383:				; CODE XREF: HvpViewMapSealRange(x,x,x)+49j
		xor	ecx, edi

loc_745385:				; CODE XREF: HvpViewMapSealRange(x,x,x)+45j
					; HvpViewMapSealRange(x,x,x)+4Dj
		movzx	edx, byte ptr [edi+4]
		and	edx, 1
		test	ecx, ecx
		jz	short loc_7453BC
		mov	esi, [ebp+var_4]

loc_745393:				; CODE XREF: HvpViewMapSealRange(x,x,x)+75j
		cmp	esi, [ecx+24h]
		jl	short loc_74539F
		jg	short loc_7453AD
		cmp	ebx, [ecx+20h]
		jnb	short loc_7453AD

loc_74539F:				; CODE XREF: HvpViewMapSealRange(x,x,x)+62j
		mov	eax, [ecx]

loc_7453A1:				; CODE XREF: HvpViewMapSealRange(x,x,x)+DFj
		test	edx, edx
		jnz	short loc_745408

loc_7453A5:				; CODE XREF: HvpViewMapSealRange(x,x,x)+D6j
		mov	ecx, eax

loc_7453A7:				; CODE XREF: HvpViewMapSealRange(x,x,x)+DAj
		test	ecx, ecx
		jnz	short loc_745393
		jmp	short loc_7453B9
; 

loc_7453AD:				; CODE XREF: HvpViewMapSealRange(x,x,x)+64j
					; HvpViewMapSealRange(x,x,x)+69j
		cmp	esi, [ecx+2Ch]
		jl	short loc_7453B9
		jg	short loc_745410
		cmp	ebx, [ecx+28h]
		jnb	short loc_745410

loc_7453B9:				; CODE XREF: HvpViewMapSealRange(x,x,x)+77j
					; HvpViewMapSealRange(x,x,x)+7Cj
		mov	esi, [ebp+arg_0]

loc_7453BC:				; CODE XREF: HvpViewMapSealRange(x,x,x)+5Aj
		push	dword ptr [ecx+2Ch]
		push	dword ptr [ecx+28h]
		push	[ebp+var_8]
		push	esi
		call	_HvpMinLong64@16 ; HvpMinLong64(x,x,x,x)
		mov	esi, edx
		mov	[ebp+var_10], eax
		push	esi
		push	eax
		push	[ebp+var_4]
		mov	edx, ecx
		mov	ecx, [ebp+var_C]
		push	ebx
		call	_HvpViewMapMakeViewRangeReadOnly@24 ; HvpViewMapMakeViewRangeReadOnly(x,x,x,x,x,x)
		mov	eax, [ebp+var_10]
		mov	ebx, eax
		cmp	esi, [ebp+var_8]
		push	0
		mov	[ebp+var_4], esi
		mov	esi, [ebp+arg_0]
		pop	edx
		jg	short loc_745401
		jl	loc_745373
		cmp	eax, esi
		jb	loc_745373

loc_745401:				; CODE XREF: HvpViewMapSealRange(x,x,x)+BDj
		pop	edi

loc_745402:				; CODE XREF: HvpViewMapSealRange(x,x,x)+2Dj
					; HvpViewMapSealRange(x,x,x)+35j
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_745408:				; CODE XREF: HvpViewMapSealRange(x,x,x)+6Fj
		test	eax, eax
		jz	short loc_7453A5
		xor	ecx, eax
		jmp	short loc_7453A7
; 

loc_745410:				; CODE XREF: HvpViewMapSealRange(x,x,x)+7Ej
					; HvpViewMapSealRange(x,x,x)+83j
		mov	eax, [ecx+4]
		jmp	short loc_7453A1
_HvpViewMapSealRange@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapCOWAndUnsealRange(x, x, x)
_HvpViewMapCOWAndUnsealRange@12	proc near ; CODE XREF: HvpAddBin+32Ep
					; HvpSetRangeProtection:loc_745B6Ep ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		lea	edi, [edx+1000h]
		mov	[ebp+var_10], ecx
		xor	edx, edx
		add	eax, edi
		push	edx
		pop	ebx
		adc	ebx, edx
		mov	[ebp+arg_0], eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], edx
		cmp	edx, ebx
		jb	short loc_745450
		ja	loc_7454EA
		cmp	edi, eax
		jnb	loc_7454EA

loc_745450:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+2Aj
		lea	esi, [ecx+20h]
		mov	[ebp+var_C], esi

loc_745456:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+CEj
					; HvpViewMapCOWAndUnsealRange(x,x,x)+F1j
		test	byte ptr [esi+4], 1
		mov	ecx, [esi]
		jz	short loc_745468
		test	ecx, ecx
		jnz	short loc_745466
		mov	ecx, edx
		jmp	short loc_745468
; 

loc_745466:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+4Aj
		xor	ecx, esi

loc_745468:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+46j
					; HvpViewMapCOWAndUnsealRange(x,x,x)+4Ej
		movzx	edx, byte ptr [esi+4]
		and	edx, 1
		test	ecx, ecx
		jz	short loc_7454A2
		mov	esi, [ebp+var_4]

loc_745476:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+76j
		cmp	esi, [ecx+24h]
		jl	short loc_745482
		jg	short loc_745490
		cmp	edi, [ecx+20h]
		jnb	short loc_745490

loc_745482:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+63j
		mov	eax, [ecx]

loc_745484:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+E8j
		test	edx, edx
		jnz	short loc_7454F3

loc_745488:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+DFj
		mov	ecx, eax

loc_74548A:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+E3j
		test	ecx, ecx
		jnz	short loc_745476
		jmp	short loc_74549C
; 

loc_745490:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+65j
					; HvpViewMapCOWAndUnsealRange(x,x,x)+6Aj
		cmp	esi, [ecx+2Ch]
		jl	short loc_74549C
		jg	short loc_7454FB
		cmp	edi, [ecx+28h]
		jnb	short loc_7454FB

loc_74549C:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+78j
					; HvpViewMapCOWAndUnsealRange(x,x,x)+7Dj
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+arg_0]

loc_7454A2:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+5Bj
		push	dword ptr [ecx+2Ch]
		push	dword ptr [ecx+28h]
		push	ebx
		push	eax
		call	_HvpMinLong64@16 ; HvpMinLong64(x,x,x,x)
		mov	ebx, eax
		mov	eax, edx
		push	eax
		push	ebx
		push	[ebp+var_4]
		mov	edx, ecx
		mov	[ebp+var_14], eax
		mov	ecx, [ebp+var_10]
		push	edi
		call	HvpViewMapMakeViewRangeCOWByCaller
		test	eax, eax
		js	short loc_7454EC
		mov	eax, [ebp+var_14]
		mov	edi, ebx
		cmp	eax, [ebp+var_8]
		push	0
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		pop	edx
		jg	short loc_745500
		jl	short loc_745504
		cmp	ebx, eax
		mov	ebx, [ebp+var_8]
		jb	loc_745456

loc_7454EA:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+2Cj
					; HvpViewMapCOWAndUnsealRange(x,x,x)+34j ...
		mov	eax, edx

loc_7454EC:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+B2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7454F3:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+70j
		test	eax, eax
		jz	short loc_745488
		xor	ecx, eax
		jmp	short loc_74548A
; 

loc_7454FB:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+7Fj
					; HvpViewMapCOWAndUnsealRange(x,x,x)+84j
		mov	eax, [ecx+4]
		jmp	short loc_745484
; 

loc_745500:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+C5j
		xor	edx, edx
		jmp	short loc_7454EA
; 

loc_745504:				; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+C7j
		mov	ebx, [ebp+var_8]
		jmp	loc_745456
_HvpViewMapCOWAndUnsealRange@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpSetValueKeyNew proc near		; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+688p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		lea	ebx, [edx+24h]
		xor	eax, eax
		mov	esi, ecx
		push	edi
		cmp	[ebx], eax
		jz	short loc_74552E
		mov	edx, [edx+28h]
		push	eax
		push	eax
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_745573

loc_74552E:				; CODE XREF: CmpSetValueKeyNew+12j
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		push	[ebp+arg_8]	; int
		call	CmpAddValueKeyNew
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jz	loc_8CD43D
		push	1
		push	ebx
		push	[ebp+arg_14]
		mov	edx, edi
		mov	ecx, esi
		push	[ebp+arg_4]
		call	CmpAddValueToListEx
		test	eax, eax
		js	loc_8CD434
		xor	eax, eax

loc_74556B:				; CODE XREF: CmpSetValueKeyNew+6Cj
					; HvpPointMapEntriesToBuffer+188190j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	18h
; 

loc_745573:				; CODE XREF: CmpSetValueKeyNew+20j
		mov	eax, 0C000017Dh
		jmp	short loc_74556B
CmpSetValueKeyNew endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmpAddValueKeyNew(int,void *,int,int)
CmpAddValueKeyNew proc near		; CODE XREF: CmpSetValueKeyNew+33p
					; CmSetValueKey(x,x,x,x,x,x,x)+763p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CD447 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		or	[ebp+var_10], 0FFFFFFFFh
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	ecx, edi
		call	_CmpNameSize@4	; CmpNameSize(x)
		movzx	edx, ax
		mov	ecx, ebx
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_C]
		lea	edx, [edx+14h]
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	[ebp+var_8], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_745646
		mov	esi, [ebp+var_4]
		mov	eax, 6B76h
		mov	edx, edi
		lea	ecx, [esi+14h]
		mov	[esi], ax
		call	CmpCopyName
		mov	[esi+2], ax
		cmp	ax, [edi]
		jnb	short loc_745642
		xor	eax, eax
		inc	eax

loc_7455E1:				; CODE XREF: CmpAddValueKeyNew+CAj
		mov	edi, [ebp+arg_8]
		mov	[esi+10h], ax
		cmp	edi, 4
		jbe	short loc_745624
		mov	edx, [ebp+arg_4]
		lea	eax, [esi+8]
		push	eax
		push	[ebp+arg_C]
		mov	ecx, ebx
		push	edi
		call	CmpSetValueDataNew
		test	eax, eax
		js	loc_8CD447
		mov	[esi+4], edi

loc_74560A:				; CODE XREF: CmpAddValueKeyNew+C6j
		mov	eax, [ebp+arg_0]
		mov	[esi+0Ch], eax
		mov	esi, [ebp+var_8]

loc_745613:				; CODE XREF: CmpAddValueKeyNew+187EDAj
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		mov	eax, esi

loc_74561D:				; CODE XREF: CmpAddValueKeyNew+CFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_745624:				; CODE XREF: CmpAddValueKeyNew+71j
		lea	eax, [edi-80000000h]
		push	edi		; size_t
		push	[ebp+arg_4]	; void *
		mov	[esi+4], eax
		lea	eax, [esi+8]
		and	dword ptr [eax], 0
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_74560A
; 

loc_745642:				; CODE XREF: CmpAddValueKeyNew+62j
		xor	eax, eax
		jmp	short loc_7455E1
; 

loc_745646:				; CODE XREF: CmpAddValueKeyNew+40j
		or	eax, 0FFFFFFFFh
		jmp	short loc_74561D
CmpAddValueKeyNew endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCopyName	proc near		; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+4F8p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+A42p ...

; FUNCTION CHUNK AT 008CD459 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		xor	edi, edi
		movzx	eax, word ptr [ebx]
		mov	edx, eax
		mov	esi, eax
		test	eax, 0FFFFFFFEh
		jbe	short loc_745691
		mov	esi, ecx

loc_745669:				; CODE XREF: CmpCopyName+41j
		mov	ecx, [ebx+4]
		mov	eax, 0FFh
		cmp	[ecx+edi*2], ax
		ja	loc_8CD459
		mov	al, [ecx+edi*2]
		mov	[edi+esi], al
		inc	edi
		movzx	eax, word ptr [ebx]
		mov	ecx, eax
		shr	eax, 1
		mov	edx, ecx
		cmp	edi, eax
		jb	short loc_745669
		mov	esi, ecx

loc_745691:				; CODE XREF: CmpCopyName+19j
		shr	si, 1
		mov	ax, si

loc_745697:				; CODE XREF: CmpCopyName+187E1Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CmpCopyName	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpFreeHiveFreeDisplay(x)
_HvpFreeHiveFreeDisplay@4 proc near	; CODE XREF: HvHiveCleanup+13Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	2
		pop	ebx
		mov	[ebp+var_C], ecx
		lea	edi, [ecx+0D8h]
		mov	[ebp+var_8], ebx

loc_7456B6:				; CODE XREF: HvpFreeHiveFreeDisplay(x)+54j
		mov	ebx, [ebp+var_C]
		mov	esi, edi
		push	18h
		pop	eax
		mov	[ebp+var_4], eax

loc_7456C1:				; CODE XREF: HvpFreeHiveFreeDisplay(x)+48j
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_7456DB
		push	dword ptr [esi]
		push	ecx
		call	dword ptr [ebx+10h]
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		mov	[esi+8], ecx
		mov	[esi+0Ch], ecx
		mov	[esi], ecx

loc_7456DB:				; CODE XREF: HvpFreeHiveFreeDisplay(x)+2Aj
		add	esi, 10h
		sub	eax, 1
		mov	[ebp+var_4], eax
		jnz	short loc_7456C1
		add	edi, 19Ch
		sub	[ebp+var_8], 1
		jnz	short loc_7456B6
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_HvpFreeHiveFreeDisplay@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpDelistFreeCell(x, x, x)
_HvpDelistFreeCell@12 proc near		; CODE XREF: HvpIsFreeNeighbor(x,x,x,x,x)+62p
					; HvpDoAllocateCell+14Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		or	[ebp+var_C], 0FFFFFFFFh
		lea	eax, [ebp+var_C]
		and	[ebp+var_8], 0
		push	esi
		push	edi
		push	eax
		mov	edi, edx
		mov	esi, ecx
		push	edi
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_745742
		add	eax, 0FFFFFFFCh
		jz	short loc_745742
		mov	eax, [eax]
		shr	eax, 3
		dec	eax
		cmp	eax, 10h
		jnb	short loc_745748

loc_74572B:				; CODE XREF: HvpDelistFreeCell(x,x,x)+60j
					; HvpDelistFreeCell(x,x,x)+65j
		push	0
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, esi
		push	eax
		call	HvpRemoveFreeCellHint
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_745742:				; CODE XREF: HvpDelistFreeCell(x,x,x)+21j
					; HvpDelistFreeCell(x,x,x)+26j
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_745748:				; CODE XREF: HvpDelistFreeCell(x,x,x)+31j
		shr	eax, 4
		cmp	eax, 0FFh
		ja	short loc_74575A
		bsr	eax, eax
		add	eax, 10h
		jmp	short loc_74572B
; 

loc_74575A:				; CODE XREF: HvpDelistFreeCell(x,x,x)+58j
		push	17h
		pop	eax
		jmp	short loc_74572B
_HvpDelistFreeCell@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvFreeCell	proc near		; CODE XREF: CmpDereferenceSecurityNode(x,x)+4Ep
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+D65p ...

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CD46F SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		xor	edx, edx
		mov	[ebp+var_10], esi
		mov	[ebp+var_18], edi
		lea	ecx, [edi+28h]
		call	ExAcquirePushLockExclusiveEx
		mov	edx, esi
		mov	ecx, edi
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_8CD46F
		mov	eax, [eax+4]
		mov	ecx, esi
		push	ebx
		mov	ebx, eax
		shr	ecx, 1Fh
		and	ebx, 0FFFFFFF0h
		mov	[ebp+var_4], ecx
		test	al, 4
		jnz	loc_8CD47F

loc_7457B3:				; CODE XREF: HvFreeCell+187D2Bj
		mov	eax, [ebp+var_14]
		and	esi, 0FFFh
		add	esi, [eax]
		add	esi, ebx
		neg	dword ptr [esi]

loc_7457C2:				; CODE XREF: HvFreeCell+F3j
		push	ecx
		lea	eax, [ebp+var_C]
		mov	edx, ebx
		push	eax
		push	esi
		mov	ecx, edi
		call	_HvpIsFreeNeighbor@20 ;	HvpIsFreeNeighbor(x,x,x,x,x)
		mov	edx, [ebp+var_8]
		cmp	al, 1
		jz	short loc_745821

loc_7457D8:				; CODE XREF: HvFreeCell+F9j
		mov	ecx, [ebp+var_4]
		mov	edi, ecx
		and	[ebp+var_10], 0
		shl	edi, 1Fh
		add	edi, [ebx+4]
		sub	edi, ebx
		mov	[ebp+var_14], esi
		mov	ebx, [ebp+var_18]
		add	edi, esi
		test	edx, edx
		jnz	short loc_74585E

loc_7457F5:				; CODE XREF: HvFreeCell+12Cj
		push	ecx
		push	dword ptr [esi]
		mov	edx, edi
		mov	ecx, ebx
		call	HvpEnlistFreeCell
		or	eax, 0FFFFFFFFh
		lea	esi, [ebx+28h]
		lock xadd [esi], eax
		and	al, 6
		pop	ebx
		cmp	al, 2
		jz	loc_7458B6

loc_745816:				; CODE XREF: HvFreeCell+15Dj
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		leave
		retn
; 

loc_745821:				; CODE XREF: HvFreeCell+76j
		mov	ecx, [ebp+var_C]
		lea	eax, [edx+1]
		mov	[ebp+var_14], eax
		mov	eax, [ecx]
		mov	[ebp+var_8], eax
		cmp	ecx, esi
		jbe	short loc_745891
		mov	ecx, [esi]
		add	eax, ecx
		add	ecx, [ebp+var_10]
		mov	[esi], eax
		mov	eax, [ebp+var_8]

loc_74583F:				; CODE XREF: HvFreeCell+142j
		mov	[ebp+edx*4+var_20], eax
		mov	[ebp+edx*4+var_28], ecx
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_8], edx
		cmp	edx, 2
		jb	loc_7457C2
		jmp	loc_7457D8
; 

loc_74585E:				; CODE XREF: HvFreeCell+93j
		mov	esi, [ebp+var_10]

loc_745861:				; CODE XREF: HvFreeCell+127j
		mov	eax, [ebp+esi*4+var_20]
		and	[ebp+var_18], 0
		shr	eax, 3
		dec	eax
		cmp	eax, 10h
		jnb	short loc_7458A4

loc_745872:				; CODE XREF: HvFreeCell+154j
					; HvFreeCell+165j
		mov	edx, [ebp+esi*4+var_28]
		push	edi
		push	ecx
		push	eax
		mov	ecx, ebx
		call	HvpRemoveFreeCellHint
		mov	ecx, [ebp+var_4]
		inc	esi
		cmp	esi, [ebp+var_8]
		jb	short loc_745861
		mov	esi, [ebp+var_14]
		jmp	loc_7457F5
; 

loc_745891:				; CODE XREF: HvFreeCell+D1j
		mov	eax, [esi]
		mov	esi, ecx
		add	eax, [ebp+var_8]
		mov	[ecx], eax
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_8]
		sub	ecx, eax
		jmp	short loc_74583F
; 

loc_7458A4:				; CODE XREF: HvFreeCell+110j
		shr	eax, 4
		cmp	eax, 0FFh
		ja	short loc_7458C2
		bsr	eax, eax
		add	eax, 10h
		jmp	short loc_745872
; 

loc_7458B6:				; CODE XREF: HvFreeCell+B0j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_745816
; 

loc_7458C2:				; CODE XREF: HvFreeCell+14Cj
		push	17h
		pop	eax
		jmp	short loc_745872
HvFreeCell	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpIsFreeNeighbor(x, x, x, x, x)
_HvpIsFreeNeighbor@20 proc near		; CODE XREF: HvFreeCell+6Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	esi, [edx]
		and	dword ptr [ecx], 0
		add	esi, edx
		mov	eax, esi
		sub	eax, edi
		cmp	eax, [edi+8]
		jnb	short loc_7458F4
		cmp	dword ptr [esi], 0
		jg	short loc_745918

loc_7458F4:				; CODE XREF: HvpIsFreeNeighbor(x,x,x,x,x)+25j
		lea	esi, [edi+20h]
		jmp	short loc_745901
; 

loc_7458F9:				; CODE XREF: HvpIsFreeNeighbor(x,x,x,x,x)+41j
		add	eax, esi
		cmp	eax, edx
		jz	short loc_745933
		mov	esi, eax

loc_745901:				; CODE XREF: HvpIsFreeNeighbor(x,x,x,x,x)+2Fj
					; HvpIsFreeNeighbor(x,x,x,x,x)+45j
		cmp	esi, edx
		jnb	short loc_74590F
		mov	eax, [esi]
		test	eax, eax
		jg	short loc_7458F9
		sub	esi, eax
		jmp	short loc_745901
; 

loc_74590F:				; CODE XREF: HvpIsFreeNeighbor(x,x,x,x,x)+3Bj
					; HvpIsFreeNeighbor(x,x,x,x,x)+89j
		xor	al, al

loc_745911:				; CODE XREF: HvpIsFreeNeighbor(x,x,x,x,x)+69j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_745918:				; CODE XREF: HvpIsFreeNeighbor(x,x,x,x,x)+2Aj
		mov	[ecx], esi

loc_74591A:				; CODE XREF: HvpIsFreeNeighbor(x,x,x,x,x)+70j
					; HvpIsFreeNeighbor(x,x,x,x,x)+87j
		mov	edx, [edi+4]
		mov	ecx, [ebp+var_4]
		push	ebx
		shl	ebx, 1Fh
		add	edx, ebx
		sub	edx, edi
		add	edx, esi
		call	_HvpDelistFreeCell@12 ;	HvpDelistFreeCell(x,x,x)
		mov	al, 1
		jmp	short loc_745911
; 

loc_745933:				; CODE XREF: HvpIsFreeNeighbor(x,x,x,x,x)+35j
		mov	[ecx], esi
		cmp	ebx, 1
		jz	short loc_74591A
		mov	edx, [edi+4]
		mov	ecx, [ebp+var_4]
		sub	edx, edi
		push	0
		add	edx, esi
		push	1
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_74591A
		jmp	short loc_74590F
_HvpIsFreeNeighbor@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvHiveCleanup	proc near		; CODE XREF: CmpCompleteUnloadKey(x,x,x)+137p
					; CmShutdownSystem(x)+24Cp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CD490 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		mov	[ebp+var_C], ecx
		and	dword ptr [esi+64h], 0FFFFFFFEh
		lea	edi, [esi+0CCh]
		mov	eax, [esi+64h]
		and	eax, 10h
		xor	ebx, ebx
		mov	[ebp+var_1C], eax

loc_74597B:				; CODE XREF: HvHiveCleanup+D9j
		cmp	dword ptr [edi], 0
		jz	loc_745A1A
		mov	eax, [edi-4]
		add	eax, ebx
		mov	[ebp+var_18], eax
		cmp	eax, ebx
		jz	loc_745A1A
		mov	ecx, ebx
		mov	[ebp+var_8], ebx
		jbe	short loc_7459E9

loc_74599B:				; CODE XREF: HvHiveCleanup+93j
		mov	edx, ecx
		mov	ecx, esi
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_7459E9
		test	al, 2
		jnz	loc_745A9D
		xor	ecx, ecx

loc_7459BA:				; CODE XREF: HvHiveCleanup+14Bj
		test	ecx, ecx
		jnz	loc_745AA4
		mov	ecx, [ebp+var_4]

loc_7459C5:				; CODE XREF: HvHiveCleanup+16Fj
		mov	ecx, [ecx+8]
		mov	[ebp+var_10], ecx
		test	al, 8
		jnz	loc_745AE1
		call	CmpReleaseGlobalQuota

loc_7459D8:				; CODE XREF: HvHiveCleanup+1A6j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		add	ecx, [eax+8]
		mov	[ebp+var_8], ecx
		cmp	ecx, [ebp+var_18]
		jb	short loc_74599B

loc_7459E9:				; CODE XREF: HvHiveCleanup+45j
					; HvHiveCleanup+5Aj
		mov	eax, [edi-4]
		mov	ecx, [edi]
		mov	edx, ecx
		shr	eax, 0Ch
		dec	eax
		mov	[ebp+var_8], ecx
		shr	eax, 9
		mov	ecx, esi
		push	eax
		push	0
		call	_HvpFreeMap@16	; HvpFreeMap(x,x,x,x)
		lea	eax, [edi+4]
		cmp	[ebp+var_8], eax
		jnz	loc_745AC8

loc_745A10:				; CODE XREF: HvHiveCleanup+188j
		and	dword ptr [edi], 0
		and	dword ptr [edi-4], 0
		mov	ecx, [ebp+var_C]

loc_745A1A:				; CODE XREF: HvHiveCleanup+2Aj
					; HvHiveCleanup+3Aj
		inc	ecx
		sub	ebx, 80000000h
		add	edi, 19Ch
		mov	[ebp+var_C], ecx
		cmp	ecx, 2
		jb	loc_74597B
		cmp	[ebp+var_1C], 0
		jnz	loc_745AFF

loc_745A3D:				; CODE XREF: HvHiveCleanup+1B6j
					; HvHiveCleanup+187B41j
		mov	eax, [esi+20h]
		test	eax, eax
		jz	loc_8CD49A
		push	dword ptr [esi+48h]
		push	eax
		call	dword ptr [esi+10h]
		xor	ebx, ebx
		mov	[esi+20h], ebx

loc_745A54:				; CODE XREF: HvHiveCleanup+187B48j
		mov	edi, [esi+30h]
		test	edi, edi
		jz	short loc_745A6D
		mov	ecx, [esi+38h]
		call	CmpReleaseGlobalQuota
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+30h], ebx

loc_745A6D:				; CODE XREF: HvHiveCleanup+105j
		mov	edi, [esi+40h]
		test	edi, edi
		jz	short loc_745A86
		mov	ecx, [esi+38h]
		call	CmpReleaseGlobalQuota
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+40h], ebx

loc_745A86:				; CODE XREF: HvHiveCleanup+11Ej
		lea	ecx, [esi+0A0h]
		call	_HvpViewMapCleanup@4 ; HvpViewMapCleanup(x)
		mov	ecx, esi
		call	_HvpFreeHiveFreeDisplay@4 ; HvpFreeHiveFreeDisplay(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_745A9D:				; CODE XREF: HvHiveCleanup+5Ej
		mov	ecx, [ecx]
		jmp	loc_7459BA
; 

loc_745AA4:				; CODE XREF: HvHiveCleanup+68j
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_745B15
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_745B15
		push	10h
		mov	[edx], eax
		push	ecx
		mov	[eax+4], edx
		call	dword ptr [esi+10h]
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+4]
		jmp	loc_7459C5
; 

loc_745AC8:				; CODE XREF: HvHiveCleanup+B6j
		mov	ecx, 1000h
		call	CmpReleaseGlobalQuota
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_745A10
; 

loc_745AE1:				; CODE XREF: HvHiveCleanup+79j
		and	eax, 0FFFFFFF0h
		mov	edx, ecx
		push	ecx
		mov	ecx, eax
		mov	[ebp+var_14], eax
		call	_CmpProtectPool@12 ; CmpProtectPool(x,x,x)
		push	[ebp+var_10]
		push	[ebp+var_14]
		call	dword ptr [esi+10h]
		jmp	loc_7459D8
; 

loc_745AFF:				; CODE XREF: HvHiveCleanup+E3j
		or	eax, 0FFFFFFFFh
		lock xadd _CmpPreloadedHivesCount, eax
		jnz	loc_745A3D
		jmp	loc_8CD490
; 

loc_745B15:				; CODE XREF: HvHiveCleanup+155j
					; HvHiveCleanup+15Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall CmpFree(x, x)
_CmpFree@8:				; DATA XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+390o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		call	CmpReleaseGlobalQuota
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
HvHiveCleanup	endp ; sp = -2Ch

; 
		align 2

;  S U B	R O U T	I N E 


CmpReleaseGlobalQuota proc near		; CODE XREF: CmpDeleteHive(x)+7Cp
					; HvHiveCleanup+7Fp ...

; FUNCTION CHUNK AT 008CD4A1 SIZE 0000001E BYTES

		cmp	ecx, ds:_CmpGlobalQuotaUsed
		ja	loc_8CD4A1
		neg	ecx
		mov	eax, offset _CmpGlobalQuotaUsed
		lock xadd [eax], ecx
		retn
CmpReleaseGlobalQuota endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpSetRangeProtection proc near		; CODE XREF: HvpAddBin+2D8p
					; HvpResetPageProtection(x)+49p ...

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CD4BF SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	[ebp+var_4], esi
		test	byte ptr [esi+64h], 11h
		jnz	loc_745C37
		push	edi
		mov	edi, [ebp+arg_0]
		jmp	short loc_745B82
; 

loc_745B6E:				; CODE XREF: HvpSetRangeProtection+AFj
		call	_HvpViewMapCOWAndUnsealRange@12	; HvpViewMapCOWAndUnsealRange(x,x,x)
		test	eax, eax
		js	loc_8CD4BF

loc_745B7B:				; CODE XREF: HvpSetRangeProtection+BAj
					; HvpSetRangeProtection+DAj ...
		sub	edi, esi

loc_745B7D:				; CODE XREF: CmpReleaseGlobalQuota+187984j
		add	ebx, esi
		mov	esi, [ebp+var_4]

loc_745B82:				; CODE XREF: HvpSetRangeProtection+1Ej
		test	edi, edi
		jz	loc_745C0D
		mov	edx, ebx
		mov	ecx, esi
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8CD4D0
		mov	eax, [ecx+4]
		mov	[ebp+var_8], eax
		test	eax, 0FFFFFFF0h
		jz	loc_8CD4B1
		test	al, 2
		jnz	loc_745C3C
		xor	edx, edx

loc_745BB8:				; CODE XREF: HvpSetRangeProtection+F0j
		test	edx, edx
		jnz	loc_745C43
		mov	eax, [ecx]

loc_745BC2:				; CODE XREF: HvpSetRangeProtection+FAj
		mov	edx, ebx
		mov	[ebp+arg_0], eax
		sub	edx, eax
		mov	ecx, esi
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	esi, [eax+8]
		mov	eax, [ebp+arg_0]
		sub	esi, eax
		cmp	edi, esi
		jb	short loc_745C33

loc_745BDC:				; CODE XREF: HvpSetRangeProtection+E7j
		mov	ecx, [ebp+var_8]
		test	cl, 8
		jnz	short loc_745C17
		mov	eax, [ebp+var_4]
		test	dword ptr [eax+64h], 20000h
		jz	short loc_745C4D
		cmp	[ebp+arg_4], 2
		lea	ecx, [eax+0A0h]
		push	esi
		mov	edx, ebx
		jnz	loc_745B6E
		call	_HvpViewMapSealRange@12	; HvpViewMapSealRange(x,x,x)
		jmp	loc_745B7B
; 

loc_745C0D:				; CODE XREF: HvpSetRangeProtection+36j
		xor	eax, eax
		inc	eax

loc_745C10:				; CODE XREF: HvpSetRangeProtection+187977j
		pop	edi

loc_745C11:				; CODE XREF: HvpSetRangeProtection+ECj
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_745C17:				; CODE XREF: HvpSetRangeProtection+94j
		push	[ebp+arg_4]
		and	ecx, 0FFFFFFF0h
		push	esi
		lea	edx, [eax+ecx]
		call	ExProtectPoolEx

loc_745C26:				; CODE XREF: HvpSetRangeProtection+102j
		test	eax, eax
		jnz	loc_745B7B
		jmp	loc_8CD4C1
; 

loc_745C33:				; CODE XREF: HvpSetRangeProtection+8Cj
		mov	esi, edi
		jmp	short loc_745BDC
; 

loc_745C37:				; CODE XREF: HvpSetRangeProtection+14j
		xor	eax, eax
		inc	eax
		jmp	short loc_745C11
; 

loc_745C3C:				; CODE XREF: HvpSetRangeProtection+62j
		mov	edx, [ecx]
		jmp	loc_745BB8
; 

loc_745C43:				; CODE XREF: HvpSetRangeProtection+6Cj
		mov	eax, ebx
		sub	eax, [edx+0Ch]
		jmp	loc_745BC2
; 

loc_745C4D:				; CODE XREF: HvpSetRangeProtection+A0j
		xor	eax, eax
		inc	eax
		jmp	short loc_745C26
HvpSetRangeProtection endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpRemapAndEnlistHiveBins proc near	; CODE XREF: HvLoadHive+228p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 008CD4EB SIZE 00000249 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, ecx
		xor	ecx, ecx
		push	esi
		push	edi
		mov	[ebp+var_1C], ecx
		test	dword ptr [ebx+64h], 20000h
		mov	eax, [ebx+0C8h]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_1], cl
		mov	[ebp+var_14], eax
		jz	loc_8CD4E1
		mov	eax, [ebx+0A8h]
		sub	eax, 1000h
		mov	[ebp+var_10], eax

loc_745C91:				; CODE XREF: HvpSetRangeProtection+187998j
		mov	edi, ecx
		mov	[ebp+var_18], edi
		test	eax, eax
		jz	short loc_745CFA

loc_745C9A:				; CODE XREF: HvpRemapAndEnlistHiveBins+A6j
		mov	edx, edi
		mov	ecx, ebx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		push	[ebp+var_14]
		mov	edx, edi
		mov	[ebp+var_24], eax
		mov	esi, [eax+4]
		and	esi, 0FFFFFFF0h
		mov	ecx, esi
		mov	[ebp+var_20], esi
		call	_HvpValidateLoadedBin@12 ; HvpValidateLoadedBin(x,x,x)
		test	al, al
		jz	loc_8CD4EB

loc_745CC3:				; CODE XREF: HvpRemapAndEnlistHiveBins+1878F1j
		mov	ecx, [esi+8]
		cmp	ecx, 1000h
		jnz	short loc_745D1D

loc_745CCE:				; CODE XREF: HvpRemapAndEnlistHiveBins+10Cj
		push	0
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	HvpEnlistFreeCells
		mov	esi, eax
		cmp	esi, 40000009h
		jz	loc_8CD548
		test	esi, esi
		js	short loc_745D16

loc_745CEC:				; CODE XREF: HvpRemapAndEnlistHiveBins+1878FAj
		mov	eax, [ebp+var_20]
		add	edi, [eax+8]
		mov	[ebp+var_18], edi
		cmp	edi, [ebp+var_10]
		jb	short loc_745C9A

loc_745CFA:				; CODE XREF: HvpRemapAndEnlistHiveBins+46j
					; HvpRemapAndEnlistHiveBins+D4j ...
		cmp	edi, [ebp+var_14]
		jb	loc_8CD565
		cmp	[ebp+var_1], 0
		jnz	short loc_745D63
		xor	esi, esi

loc_745D0B:				; CODE XREF: HvpRemapAndEnlistHiveBins+1879B8j
					; HvpRemapAndEnlistHiveBins+187A71j
		mov	edi, [ebp+var_C]
		test	edi, edi
		jnz	loc_8CD71D

loc_745D16:				; CODE XREF: HvpRemapAndEnlistHiveBins+98j
					; HvpRemapAndEnlistHiveBins+ECj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_745D1D:				; CODE XREF: HvpRemapAndEnlistHiveBins+7Aj
		lea	eax, [ecx+edi]
		mov	[ebp+var_8], ecx
		cmp	eax, [ebp+var_10]
		ja	short loc_745CFA
		lea	eax, [ebp+var_1C]
		mov	edx, edi
		push	eax
		push	ecx
		lea	ecx, [ebx+0A0h]
		call	HvpViewMapPromoteRangeToMapping
		mov	esi, eax
		test	esi, esi
		js	short loc_745D16
		mov	edx, [ebp+var_1C]
		mov	ecx, ebx
		push	0
		push	0
		push	edi
		push	[ebp+var_8]
		call	HvpPointMapEntriesToBuffer
		mov	esi, [ebp+var_24]
		mov	esi, [esi+4]
		and	esi, 0FFFFFFF0h
		mov	[ebp+var_20], esi
		jmp	loc_745CCE
; 

loc_745D63:				; CODE XREF: HvpRemapAndEnlistHiveBins+B5j
		mov	esi, 40000009h
		jmp	short loc_745D16
HvpRemapAndEnlistHiveBins endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpEnlistFreeCells proc	near		; CODE XREF: HvpRemapAndEnlistHiveBins+83p
					; HvpBuildMapForMemoryBackedHive+8Dp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CD734 SIZE 000000B9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, edx
		mov	[ebp+var_1], 0
		mov	edx, ecx
		mov	[ebp+var_C], eax
		push	ebx
		push	esi
		push	edi
		add	dword ptr [edx+54h], 20h
		mov	esi, 20h
		mov	edi, [eax+8]
		mov	ecx, [edx+1Ch]
		mov	[ebp+var_8], edx
		mov	[ebp+var_10], ecx
		cmp	edi, esi
		jbe	short loc_745DF2
		nop

loc_745DA0:				; CODE XREF: HvpEnlistFreeCells+7Aj
		mov	eax, [eax+esi]
		mov	ebx, eax
		test	eax, eax
		jns	short loc_745DAB
		neg	ebx

loc_745DAB:				; CODE XREF: HvpEnlistFreeCells+37j
		shr	eax, 1Fh
		lea	ecx, [ebx+esi]
		xor	al, 1
		cmp	ecx, esi
		jb	loc_8CD734
		cmp	ecx, edi
		ja	loc_8CD734
		test	bl, 7
		jnz	loc_8CD734
		test	ebx, ebx
		jz	loc_8CD734
		mov	edi, [ebp+arg_0]
		add	edi, esi
		test	al, al
		jnz	short loc_745DFD
		add	[edx+5Ch], ebx

loc_745DE0:				; CODE XREF: HvpEnlistFreeCells+A0j
		mov	eax, [ebp+var_C]
		add	esi, ebx
		mov	edi, [eax+8]
		cmp	esi, edi
		jb	short loc_745DA0
		cmp	[ebp+var_1], 0
		jnz	short loc_745E12

loc_745DF2:				; CODE XREF: HvpEnlistFreeCells+2Dj
		xor	eax, eax

loc_745DF4:				; CODE XREF: HvpEnlistFreeCells+A7j
					; HvpEnlistFreeCells+187A5Bj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_745DFD:				; CODE XREF: HvpEnlistFreeCells+6Bj
					; HvpEnlistFreeCells+187A3Ej
		add	[edx+58h], ebx
		mov	edx, edi
		mov	ecx, [ebp+var_8]
		push	0
		push	ebx
		call	HvpEnlistFreeCell
		mov	edx, [ebp+var_8]
		jmp	short loc_745DE0
; 

loc_745E12:				; CODE XREF: HvpEnlistFreeCells+80j
		mov	eax, 40000009h
		jmp	short loc_745DF4
HvpEnlistFreeCells endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpValidateLoadedBin(x, x, x)
_HvpValidateLoadedBin@12 proc near	; CODE XREF: HvpRemapAndEnlistHiveBins+64p
					; HvpBuildMapForMemoryBackedHive+49p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+8]
		push	esi
		mov	esi, [ecx+4]
		push	edi
		lea	edi, [esi+eax]
		cmp	edi, [ebp+arg_0]
		ja	short loc_745E55
		cmp	edi, eax
		jb	short loc_745E55
		cmp	eax, 1000h
		jb	short loc_745E55
		test	eax, 0FFFh
		jnz	short loc_745E55
		cmp	dword ptr [ecx], 6E696268h
		jnz	short loc_745E55
		cmp	esi, edx
		jnz	short loc_745E55
		mov	al, 1

loc_745E4F:				; CODE XREF: HvpValidateLoadedBin(x,x,x)+3Dj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_745E55:				; CODE XREF: HvpValidateLoadedBin(x,x,x)+13j
					; HvpValidateLoadedBin(x,x,x)+17j ...
		xor	al, al
		jmp	short loc_745E4F
_HvpValidateLoadedBin@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvCheckHive	proc near		; CODE XREF: CmCheckRegistry(x,x,x)+CEp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CD7ED SIZE 00000078 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_10], 0
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	[ebp+var_C], ecx
		xor	edi, edi
		add	ecx, 0C8h
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx

loc_745E7F:				; CODE XREF: HvCheckHive+E2j
		mov	ebx, [ecx]
		mov	[ebp+var_14], ebx
		cmp	edi, ebx
		jnb	loc_745F27

loc_745E8C:				; CODE XREF: HvCheckHive+C1j
		mov	ecx, [ebp+var_C]
		mov	edx, edi
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		test	eax, eax
		jz	loc_8CD834
		mov	ecx, [eax+4]
		test	cl, 2
		jnz	loc_745F4D
		xor	eax, eax

loc_745EAC:				; CODE XREF: HvCheckHive+F5j
		test	eax, eax
		jnz	loc_745F54
		and	ecx, 0FFFFFFF0h
		mov	eax, ebx
		sub	eax, edi
		mov	[ebp+arg_C], ecx
		mov	edx, [ecx+8]
		cmp	edx, eax
		ja	loc_8CD7FA
		cmp	edx, 20h
		jb	loc_8CD7FA
		test	edx, 0FFFh
		jnz	loc_8CD7FA
		cmp	dword ptr [ecx], 6E696268h
		jnz	loc_8CD7FA
		cmp	[ecx+4], edi
		jnz	loc_8CD7FA
		push	esi
		push	[ebp+arg_8]
		lea	eax, [ebp+var_10]
		mov	edx, ecx
		push	[ebp+arg_4]
		push	eax
		push	ecx
		call	HvCheckBin
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8CD7ED
		mov	eax, [ebp+arg_C]
		mov	ebx, [ebp+var_14]
		add	edi, [eax+8]

loc_745F19:				; CODE XREF: HvCheckHive+104j
					; HvCheckHive+112j
		cmp	edi, ebx
		jb	loc_745E8C
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]

loc_745F27:				; CODE XREF: HvCheckHive+2Cj
		inc	eax
		add	ecx, 19Ch
		mov	[ebp+var_4], eax
		mov	edi, 80000000h
		mov	[ebp+var_8], ecx
		cmp	eax, 1
		jbe	loc_745E7F
		xor	ebx, ebx

loc_745F44:				; CODE XREF: HvCheckHive+187995j
					; HvCheckHive+1879A9j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
; 

loc_745F4D:				; CODE XREF: HvCheckHive+4Aj
		mov	eax, [eax]
		jmp	loc_745EAC
; 

loc_745F54:				; CODE XREF: HvCheckHive+54j
		mov	edx, [eax+8]
		add	edi, edx
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_745F19
		mov	ecx, eax
		call	_HvAddToLayoutStats@8 ;	HvAddToLayoutStats(x,x)
		call	_HvMoveLayoutStats@4 ; HvMoveLayoutStats(x)
		jmp	short loc_745F19
HvCheckHive	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpMapHiveImageFromViewMap(x, x, x)
_HvpMapHiveImageFromViewMap@12 proc near ; CODE	XREF: HvLoadHive+1CCp
					; HvpPerformLogFileRecovery(x,x,x,x)+146p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_4], ecx
		mov	ecx, esi
		push	edi
		mov	edi, edx
		call	CmpClaimGlobalQuota
		test	al, al
		jz	short loc_745FDD
		lea	eax, [edi+esi]
		xor	edi, edi
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, edi
		test	eax, eax
		jz	short loc_745FD4
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+0A0h]
		mov	[ebp+arg_0], ecx

loc_745FA5:				; CODE XREF: HvpMapHiveImageFromViewMap(x,x,x)+64j
		mov	edx, ebx
		mov	ecx, eax
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		mov	esi, eax
		call	_HvpViewMapGetPageAddress@8 ; HvpViewMapGetPageAddress(x,x)
		mov	ecx, 1000h
		mov	[esi], edi
		or	eax, 1
		mov	[esi+8], ecx
		add	ebx, ecx
		mov	[esi+4], eax
		mov	eax, [ebp+var_4]
		cmp	ebx, [ebp+var_8]
		jb	short loc_745FA5

loc_745FD4:				; CODE XREF: HvpMapHiveImageFromViewMap(x,x,x)+29j
		pop	ebx

loc_745FD5:				; CODE XREF: HvpMapHiveImageFromViewMap(x,x,x)+74j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_745FDD:				; CODE XREF: HvpMapHiveImageFromViewMap(x,x,x)+1Aj
		mov	edi, 0C000009Ah
		jmp	short loc_745FD5
_HvpMapHiveImageFromViewMap@12 endp


;  S U B	R O U T	I N E 


; __stdcall HvpViewMapGetPageAddress(x,	x)
_HvpViewMapGetPageAddress@8 proc near	; CODE XREF: HvpMapHiveImageFromViewMap(x,x,x)+47p
		mov	edi, edi
		push	esi
		lea	eax, [ecx+20h]
		mov	ecx, [eax]
		lea	esi, [edx+1000h]
		push	edi
		xor	edi, edi
		test	byte ptr [eax+4], 1
		jz	short loc_746005
		test	ecx, ecx
		jnz	short loc_746003
		mov	ecx, edi
		jmp	short loc_746005
; 

loc_746003:				; CODE XREF: HvpViewMapGetPageAddress(x,x)+19j
		xor	ecx, eax

loc_746005:				; CODE XREF: HvpViewMapGetPageAddress(x,x)+15j
					; HvpViewMapGetPageAddress(x,x)+1Dj
		movzx	edx, byte ptr [eax+4]
		and	edx, 1
		jmp	short loc_746010
; 

loc_74600E:				; CODE XREF: HvpViewMapGetPageAddress(x,x)+40j
					; HvpViewMapGetPageAddress(x,x)+44j
		mov	ecx, eax

loc_746010:				; CODE XREF: HvpViewMapGetPageAddress(x,x)+28j
					; HvpViewMapGetPageAddress(x,x)+48j
		test	ecx, ecx
		jz	short loc_74603A
		cmp	edi, [ecx+24h]
		jl	short loc_746020
		jg	short loc_74602E
		cmp	esi, [ecx+20h]
		jnb	short loc_74602E

loc_746020:				; CODE XREF: HvpViewMapGetPageAddress(x,x)+33j
		mov	eax, [ecx]

loc_746022:				; CODE XREF: HvpViewMapGetPageAddress(x,x)+64j
		test	edx, edx
		jz	short loc_74600E
		test	eax, eax
		jz	short loc_74600E
		xor	ecx, eax
		jmp	short loc_746010
; 

loc_74602E:				; CODE XREF: HvpViewMapGetPageAddress(x,x)+35j
					; HvpViewMapGetPageAddress(x,x)+3Aj
		cmp	edi, [ecx+2Ch]
		jl	short loc_74603A
		jg	short loc_746045
		cmp	esi, [ecx+28h]
		jnb	short loc_746045

loc_74603A:				; CODE XREF: HvpViewMapGetPageAddress(x,x)+2Ej
					; HvpViewMapGetPageAddress(x,x)+4Dj
		mov	eax, [ecx+30h]
		sub	eax, [ecx+10h]
		pop	edi
		add	eax, esi
		pop	esi
		retn
; 

loc_746045:				; CODE XREF: HvpViewMapGetPageAddress(x,x)+4Fj
					; HvpViewMapGetPageAddress(x,x)+54j
		mov	eax, [ecx+4]
		jmp	short loc_746022
_HvpViewMapGetPageAddress@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvAllocateCell(x, x, x, x, x)
_HvAllocateCell@20 proc	near		; CODE XREF: CmpCreateTombstone(x,x)+91p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+3C4p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		add	edx, 0Bh
		mov	eax, 4000h
		push	esi
		and	edx, 0FFFFFFF8h
		xor	esi, esi
		cmp	edx, eax
		ja	short loc_746070

loc_746061:				; CODE XREF: HvAllocateCell(x,x,x,x,x)+2Fj
					; HvAllocateCell(x,x,x,x,x)+33j
		cmp	edx, 100000h
		ja	short loc_74607F
		pop	esi
		pop	ebp
		jmp	HvpDoAllocateCell
; 

loc_746070:				; CODE XREF: HvAllocateCell(x,x,x,x,x)+15j
					; HvAllocateCell(x,x,x,x,x)+2Bj
		add	eax, eax
		inc	esi
		cmp	edx, eax
		ja	short loc_746070
		test	esi, esi
		jz	short loc_746061
		mov	edx, eax
		jmp	short loc_746061
; 

loc_74607F:				; CODE XREF: HvAllocateCell(x,x,x,x,x)+1Dj
		or	eax, 0FFFFFFFFh
		pop	esi
		pop	ebp
		retn	0Ch
_HvAllocateCell@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpDoAllocateCell proc near		; CODE XREF: HvReallocateCell(x,x,x,x,x,x)+AAp
					; HvAllocateCell(x,x,x,x,x)+21j

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008CD865 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	eax, edx
		mov	[ebp+var_10], ecx
		push	edi
		xor	edx, edx
		mov	[ebp+var_14], eax
		mov	edi, eax
		mov	[ebp+var_C], edx
		or	esi, 0FFFFFFFFh
		shr	edi, 3
		dec	edi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		cmp	edi, 10h
		jnb	loc_7461E1

loc_7460BB:				; CODE XREF: HvpDoAllocateCell+16Aj
					; HvpDoAllocateCell+1D0j
		lea	ebx, [ecx+28h]
		mov	[ebp+var_5], dl
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [ebp+var_24]
		mov	edx, edi
		mov	edi, [ebp+var_10]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+arg_0]
		push	[ebp+var_14]
		call	HvpFindFreeCell
		mov	[ebp+var_10], eax
		cmp	eax, esi
		jz	loc_7461F7
		mov	edx, [ebp+var_C]
		mov	[ebp+var_C], edx

loc_7460F5:				; CODE XREF: HvpDoAllocateCell+1A5j
		mov	esi, [ebp+var_14]
		mov	ecx, [edx]
		lea	eax, [esi+8]
		cmp	eax, ecx
		ja	loc_7461CD
		mov	eax, ecx
		sub	eax, esi
		mov	[edx+esi], eax
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_10]
		add	eax, esi
		neg	esi
		cmp	[ebp+var_5], 0
		mov	[ebp+var_18], eax
		mov	[edx], esi
		jnz	loc_746232
		shr	ecx, 3
		xor	edx, edx
		dec	ecx
		cmp	ecx, 10h
		jb	short loc_746145
		shr	ecx, 4
		cmp	ecx, 0FFh
		ja	loc_746239
		bsr	ecx, ecx
		add	ecx, 10h

loc_746145:				; CODE XREF: HvpDoAllocateCell+A6j
					; HvpDoAllocateCell+1B4j
		mov	esi, [ebp+var_14]
		mov	eax, esi
		shr	eax, 3
		dec	eax
		cmp	eax, 10h
		jb	short loc_746167
		shr	eax, 4
		cmp	eax, 0FFh
		ja	loc_746241
		bsr	eax, eax
		add	eax, 10h

loc_746167:				; CODE XREF: HvpDoAllocateCell+C9j
					; HvpDoAllocateCell+1BCj
		cmp	ecx, eax
		jnz	short loc_7461AE

loc_74616B:				; CODE XREF: HvpDoAllocateCell+143j
		mov	esi, [ebp+var_C]

loc_74616E:				; CODE XREF: HvpDoAllocateCell+157j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_746249

loc_74617F:				; CODE XREF: HvpDoAllocateCell+1C8j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_8CD886
		lea	eax, [esi+4]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+var_24]
		mov	[ecx], eax
		mov	eax, [ebp+var_20]
		mov	[ecx+4], eax

loc_7461A4:				; CODE XREF: HvpDoAllocateCell+187806j
		mov	eax, [ebp+var_10]

loc_7461A7:				; CODE XREF: HvpDoAllocateCell+1877F9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7461AE:				; CODE XREF: HvpDoAllocateCell+E1j
		push	edx
		push	[ebp+arg_0]
		mov	edx, [ebp+var_10]
		push	ecx
		mov	ecx, edi
		call	HvpRemoveFreeCellHint
		mov	edx, [ebp+var_18]

loc_7461C0:				; CODE XREF: HvpDoAllocateCell+1AFj
		push	[ebp+arg_0]
		mov	ecx, edi
		push	esi
		call	HvpEnlistFreeCell
		jmp	short loc_74616B
; 

loc_7461CD:				; CODE XREF: HvpDoAllocateCell+77j
		push	[ebp+arg_0]
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		call	_HvpDelistFreeCell@12 ;	HvpDelistFreeCell(x,x,x)
		mov	esi, [ebp+var_C]
		neg	dword ptr [esi]
		jmp	short loc_74616E
; 

loc_7461E1:				; CODE XREF: HvpDoAllocateCell+2Dj
		shr	edi, 4
		cmp	edi, 0FFh
		ja	short loc_746255
		bsr	edi, edi
		add	edi, 10h
		jmp	loc_7460BB
; 

loc_7461F7:				; CODE XREF: HvpDoAllocateCell+61j
		push	[ebp+arg_0]
		mov	edx, [ebp+var_14]
		mov	ecx, edi
		call	HvpAddBin
		cmp	eax, esi
		jz	loc_8CD865
		lea	ecx, [ebp+var_24]
		add	eax, 20h
		push	ecx
		push	eax
		push	edi
		mov	[ebp+var_10], eax
		call	dword ptr [edi+4]
		test	eax, eax
		jz	short loc_74625D
		lea	edx, [eax-4]
		mov	[ebp+var_C], edx
		test	edx, edx
		jz	short loc_74625D
		mov	[ebp+var_5], 1
		jmp	loc_7460F5
; 

loc_746232:				; CODE XREF: HvpDoAllocateCell+97j
		mov	esi, [ebp+var_14]
		mov	edx, eax
		jmp	short loc_7461C0
; 

loc_746239:				; CODE XREF: HvpDoAllocateCell+B1j
		push	17h
		pop	ecx
		jmp	loc_746145
; 

loc_746241:				; CODE XREF: HvpDoAllocateCell+D3j
		push	17h
		pop	eax
		jmp	loc_746167
; 

loc_746249:				; CODE XREF: HvpDoAllocateCell+F1j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_74617F
; 

loc_746255:				; CODE XREF: HvpDoAllocateCell+162j
		push	17h
		pop	edi
		jmp	loc_7460BB
; 

loc_74625D:				; CODE XREF: HvpDoAllocateCell+195j
					; HvpDoAllocateCell+19Fj
		mov	ecx, esi
		lock xadd [ebx], ecx
		and	cl, 6
		cmp	cl, 2
		jmp	loc_8CD86F
HvpDoAllocateCell endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpFindFreeCell	proc near		; CODE XREF: HvpDoAllocateCell+57p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CD893 SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		imul	eax, [ebp+arg_4], 19Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	edx, ecx
		push	edi
		mov	[ebp+var_8], eax
		or	edi, 0FFFFFFFFh
		mov	ecx, esi
		mov	[ebp+var_C], esi
		mov	eax, edi
		mov	[ebp+var_4], edx
		shl	eax, cl
		mov	ecx, [ebp+var_8]
		mov	ebx, [ecx+edx+260h]
		and	ebx, eax
		jz	loc_746355
		and	[ebp+var_18], 0
		bsf	eax, ebx
		cmp	eax, esi
		jz	short loc_7462B8
		mov	esi, eax
		mov	[ebp+var_C], eax

loc_7462B8:				; CODE XREF: HvpFindFreeCell+43j
		mov	eax, esi
		mov	[ebp+var_14], edi
		shl	eax, 4
		add	eax, ecx
		mov	eax, [eax+edx+0DCh]
		mov	[ebp+var_10], eax

loc_7462CC:				; CODE XREF: HvpFindFreeCell+100j
		push	[ebp+var_10]
		shl	esi, 4
		lea	eax, [edx+0E0h]
		add	esi, ecx
		push	1
		add	eax, esi
		push	eax
		call	RtlFindSetBits
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		mov	eax, [ebp+var_14]
		mov	[esi+ecx+0DCh],	edx
		lea	esi, [edx+1]
		mov	[ebp+var_10], esi
		cmp	eax, edx
		jz	short loc_746373

loc_7462FD:				; CODE XREF: HvpFindFreeCell+150j
		cmp	eax, edi
		jnz	short loc_746304
		mov	[ebp+var_14], edx

loc_746304:				; CODE XREF: HvpFindFreeCell+91j
		mov	esi, [ebp+arg_4]
		shl	edx, 0Ch
		shl	esi, 1Fh
		add	esi, edx
		mov	edx, esi
		mov	[ebp+var_18], esi
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		test	eax, eax
		jz	loc_8CD893
		mov	eax, [eax+4]
		mov	esi, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		test	al, 6
		jnz	short loc_74636B
		test	al, 1
		jz	short loc_74636B
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_18]
		push	[ebp+arg_8]
		and	eax, 0FFFFFFF0h
		push	ecx
		mov	ecx, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		call	_HvpFindFreeCellInBin@28 ; HvpFindFreeCellInBin(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_74635E
		mov	edi, [ebp+var_18]

loc_746355:				; CODE XREF: HvpFindFreeCell+34j
					; HvpFindFreeCell+F5j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_74635E:				; CODE XREF: HvpFindFreeCell+E2j
		cmp	eax, 0C0000225h
		jnz	short loc_746355
		mov	esi, [ebp+var_C]
		mov	ecx, [ebp+var_8]

loc_74636B:				; CODE XREF: HvpFindFreeCell+BEj
					; HvpFindFreeCell+C2j
		mov	edx, [ebp+var_4]
		jmp	loc_7462CC
; 

loc_746373:				; CODE XREF: HvpFindFreeCell+8Dj
		lea	eax, [ebx-1]
		and	ebx, eax
		jz	short loc_746355
		bsf	edx, ebx
		and	[ebp+var_18], 0
		mov	esi, edx
		mov	[ebp+var_C], edx
		shl	esi, 4
		add	esi, [ebp+var_8]
		mov	eax, [esi+ecx+0DCh]
		push	eax
		lea	eax, [edx+0Eh]
		shl	eax, 4
		add	eax, [ebp+var_8]
		push	1
		add	eax, ecx
		push	eax
		call	RtlFindSetBits
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		lea	eax, [edx+1]
		mov	[esi+ecx+0DCh],	edx
		mov	[ebp+var_10], eax
		mov	eax, edx
		mov	[ebp+var_14], eax
		jmp	loc_7462FD
HvpFindFreeCell	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpRemoveFreeCellHint proc near		; CODE XREF: HvpDelistFreeCell(x,x,x)+3Dp
					; HvFreeCell+11Bp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_1], 0
		mov	ebx, ecx
		mov	[ebp+var_10], esi
		push	edi
		mov	[ebp+var_C], ebx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		test	eax, eax
		jz	loc_8CD8A6
		mov	ebx, [eax+4]
		mov	eax, [ebp+arg_4]
		and	ebx, 0FFFFFFF0h
		shl	eax, 1Fh
		mov	[ebp+var_18], ebx
		mov	ecx, [ebx+4]
		lea	edx, [ebx+20h]
		mov	[ebp+var_8], ecx
		lea	esi, [ecx+20h]
		or	esi, eax
		mov	eax, [ebx+8]
		mov	[ebp+var_14], eax
		lea	edi, [eax+ebx]
		cmp	edx, edi
		jnb	short loc_746436
		mov	ebx, [ebp+arg_0]

loc_746423:				; CODE XREF: HvpRemoveFreeCellHint+61j
		mov	eax, [edx]
		test	eax, eax
		jns	short loc_7464A6
		neg	eax

loc_74642B:				; CODE XREF: HvpRemoveFreeCellHint+EAj
					; HvpRemoveFreeCellHint+F3j ...
		add	edx, eax
		add	esi, eax
		cmp	edx, edi
		jb	short loc_746423

loc_746433:				; CODE XREF: HvpRemoveFreeCellHint+106j
		mov	ecx, [ebp+var_8]

loc_746436:				; CODE XREF: HvpRemoveFreeCellHint+4Ej
		imul	ebx, [ebp+arg_4], 19Ch
		mov	edx, [ebp+var_C]
		shr	ecx, 0Ch
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+arg_0]
		mov	edi, ecx
		add	edi, edi
		lea	esi, [ebx+0E0h]
		lea	eax, [edx+edi*8]
		add	esi, eax
		cmp	[ebp+var_1], 0
		jnz	loc_7464EE
		mov	eax, [ebp+var_14]
		shr	eax, 0Ch
		push	eax
		push	[ebp+var_8]
		push	esi
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		push	[ebp+var_8]
		push	1
		push	esi
		call	RtlFindSetBits
		mov	esi, [ebp+var_C]
		mov	ecx, [esi+ebx+260h]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_746522
		mov	eax, [ebp+arg_0]
		btr	ecx, eax
		mov	[esi+ebx+260h],	ecx

loc_74649D:				; CODE XREF: HvpRemoveFreeCellHint+14Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7464A6:				; CODE XREF: HvpRemoveFreeCellHint+57j
		mov	ecx, eax
		mov	[ebp+var_1C], 0
		shr	ecx, 3
		dec	ecx
		cmp	ecx, 10h
		jnb	short loc_7464DB

loc_7464B8:				; CODE XREF: HvpRemoveFreeCellHint+11Cj
					; HvpRemoveFreeCellHint+177j
		cmp	ebx, ecx
		jnz	loc_74642B
		cmp	esi, [ebp+var_10]
		jz	loc_74642B
		cmp	esi, [ebp+arg_8]
		jz	loc_74642B
		mov	[ebp+var_1], 1
		jmp	loc_746433
; 

loc_7464DB:				; CODE XREF: HvpRemoveFreeCellHint+E6j
		shr	ecx, 4
		cmp	ecx, 0FFh
		ja	short loc_746542
		bsr	ecx, ecx
		add	ecx, 10h
		jmp	short loc_7464B8
; 

loc_7464EE:				; CODE XREF: HvpRemoveFreeCellHint+8Cj
		mov	eax, [edx+ebx+260h]
		bts	eax, ecx
		mov	ecx, [ebp+var_8]
		mov	[edx+ebx+260h],	eax
		lea	eax, [ebx+edi*8]
		mov	[eax+edx+0DCh],	ecx
		mov	eax, [ebp+var_18]
		mov	eax, [eax+8]
		shr	eax, 0Ch
		push	eax
		push	ecx
		push	esi
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		jmp	loc_74649D
; 

loc_746522:				; CODE XREF: HvpRemoveFreeCellHint+BAj
		mov	edx, [ebp+arg_0]
		bts	ecx, edx
		mov	[esi+ebx+260h],	ecx
		lea	ecx, [ebx+edi*8]
		pop	edi
		mov	[ecx+esi+0DCh],	eax
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_746542:				; CODE XREF: HvpRemoveFreeCellHint+114j
		mov	ecx, 17h
		jmp	loc_7464B8
HvpRemoveFreeCellHint endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpAddFreeCellHint proc	near		; CODE XREF: HvpEnlistFreeCell+59p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	ebx, ecx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		test	eax, eax
		jz	loc_8CD8B7
		mov	eax, [eax+4]
		imul	edi, [ebp+arg_4], 19Ch
		and	eax, 0FFFFFFF0h
		mov	esi, [eax+4]
		mov	eax, [eax+8]
		shr	eax, 0Ch
		push	eax
		mov	eax, [ebp+arg_0]
		add	eax, 0Eh
		shr	esi, 0Ch
		shl	eax, 4
		add	eax, edi
		push	esi
		add	eax, ebx
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	eax, ecx
		shl	eax, 4
		add	eax, edi
		mov	[eax+ebx+0DCh],	esi
		mov	eax, [edi+ebx+260h]
		bts	eax, ecx
		mov	[edi+ebx+260h],	eax
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
HvpAddFreeCellHint endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpMarkCellDirty proc near		; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+390p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+AC5p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		or	[ebp+var_10], 0FFFFFFFFh
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		test	byte ptr [esi+64h], 1
		jnz	loc_746670
		test	ebx, ebx
		js	loc_746670
		cmp	[ebp+arg_0], 0
		lea	edi, [esi+28h]
		jnz	short loc_7465F7
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx

loc_7465F7:				; CODE XREF: HvpMarkCellDirty+30j
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_8CD8D8
		add	eax, 0FFFFFFFCh
		mov	[ebp+var_4], eax
		jz	loc_8CD8D8
		mov	edx, ebx
		mov	ecx, esi
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		test	eax, eax
		jz	loc_8CD8C8
		lea	eax, [ebx-4]
		mov	ebx, [ebp+var_4]
		mov	[ebp+var_8], eax
		mov	ebx, [ebx]
		test	ebx, ebx
		jns	short loc_746636
		neg	ebx

loc_746636:				; CODE XREF: HvpMarkCellDirty+76j
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		push	[ebp+arg_4]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	ebx
		call	HvpMarkDirty
		cmp	[ebp+arg_0], 0
		mov	bl, al
		jnz	short loc_746668
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_746679

loc_746661:				; CODE XREF: HvpMarkCellDirty+C4j
		mov	ecx, edi
		call	KeAbPostRelease

loc_746668:				; CODE XREF: HvpMarkCellDirty+96j
		test	bl, bl
		jz	short loc_746682
		mov	byte ptr [esi+51h], 1

loc_746670:				; CODE XREF: HvpMarkCellDirty+1Bj
					; HvpMarkCellDirty+23j
		mov	al, 1

loc_746672:				; CODE XREF: HvpMarkCellDirty+C8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_746679:				; CODE XREF: HvpMarkCellDirty+A3j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_746661
; 

loc_746682:				; CODE XREF: HvpMarkCellDirty+AEj
					; HvpFindFreeCell+18766Ej ...
		xor	al, al
		jmp	short loc_746672
HvpMarkCellDirty endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpMarkDirty	proc near		; CODE XREF: HvpAddBin+2B8p
					; HvpAddBin+378p ...

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CD902 SIZE 000000D6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		push	esi
		push	edi
		mov	[ebp+var_58], eax
		test	byte ptr [ebx+64h], 1
		mov	[ebp+var_54], ebx
		jnz	loc_746774
		test	eax, eax
		js	loc_746774
		mov	esi, [ebp+arg_0]
		mov	ecx, eax
		mov	edx, [ebx+4Ch]
		dec	esi
		add	esi, eax
		shr	ecx, 9
		shr	esi, 9
		cmp	edx, 1
		jbe	loc_74678C
		lea	eax, [edx-1]
		add	esi, edx
		not	eax
		mov	edi, eax
		and	esi, eax
		and	edi, ecx
		dec	esi

loc_7466E9:				; CODE XREF: HvpMarkDirty+FEj
		add	esi, 10h
		lea	ecx, [edi+8]
		and	esi, 0FFFFFFF8h
		and	ecx, 0FFFFFFF8h
		sub	esi, 9
		mov	[ebp+var_4C], ecx
		test	ecx, ecx
		jz	short loc_746705
		sub	ecx, 8
		mov	[ebp+var_4C], ecx

loc_746705:				; CODE XREF: HvpMarkDirty+6Dj
		mov	eax, [ebx+0C8h]
		shr	eax, 9
		cmp	esi, eax
		jnb	loc_8CD902

loc_746716:				; CODE XREF: HvpMarkDirty+187275j
		mov	eax, ecx
		cmp	ecx, esi
		ja	short loc_746744
		mov	edi, [ebx+30h]
		xor	ebx, ebx

loc_746721:				; CODE XREF: HvpMarkDirty+A8j
		mov	edx, eax
		mov	ecx, eax
		shr	edx, 5
		and	ecx, 1Fh
		mov	edx, [edi+edx*4]
		sar	edx, cl
		test	dl, 1
		jz	short loc_746789

loc_746735:				; CODE XREF: HvpMarkDirty+FAj
		inc	eax
		cmp	eax, esi
		jbe	short loc_746721
		mov	[ebp+var_50], ebx
		test	ebx, ebx
		mov	ebx, [ebp+var_54]
		jnz	short loc_746793

loc_746744:				; CODE XREF: HvpMarkDirty+8Aj
					; HvpMarkDirty+17Bj ...
		test	byte ptr [ebx+64h], 2
		jnz	short loc_746774
		mov	eax, _CmpLazyFlushIntervalInSeconds
		mov	ecx, (offset loc_98967E+2)
		mul	ecx
		push	0
		add	eax, [ebx+990h]
		mov	[ebp+var_60], eax
		adc	edx, [ebx+994h]
		xor	ecx, ecx
		mov	[ebp+var_5C], edx
		lea	edx, [ebp+var_60]
		call	CmpArmLazyWriter

loc_746774:				; CODE XREF: HvpMarkDirty+23j
					; HvpMarkDirty+2Bj ...
		mov	al, 1

loc_746776:				; CODE XREF: HvpMarkDirty+18727Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_746789:				; CODE XREF: HvpMarkDirty+A3j
		inc	ebx
		jmp	short loc_746735
; 

loc_74678C:				; CODE XREF: HvpMarkDirty+45j
		mov	edi, ecx
		jmp	loc_7466E9
; 

loc_746793:				; CODE XREF: HvpMarkDirty+B2j
		mov	edi, [ebp+var_4C]
		mov	ecx, ebx
		sub	esi, edi
		mov	edx, edi
		push	4
		shl	edx, 9
		lea	eax, [esi+1]
		shl	eax, 9
		push	eax
		call	HvpSetRangeProtection
		test	al, al
		jz	loc_8CD90A
		mov	eax, [ebx+34h]
		mov	[ebp+var_5C], eax
		add	eax, [ebp+var_50]
		mov	[ebx+34h], eax
		lea	eax, [esi+1]
		push	eax
		push	edi
		lea	eax, [ebx+2Ch]
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		push	[ebp+arg_0]
		xor	edx, edx
		mov	ecx, ebx
		push	[ebp+var_58]
		call	_CmpLogDirtyVectorUse@16 ; CmpLogDirtyVectorUse(x,x,x,x)
		test	ds:dword_70EFC8, 1000000h
		mov	[ebp+var_58], ebx
		jnz	loc_8CD911

loc_7467F1:				; CODE XREF: HvpMarkDirty+187339j
		cmp	[ebp+var_5C], 0
		jz	short loc_746816

loc_7467F7:				; CODE XREF: HvpMarkDirty+19Ej
		mov	eax, [ebp+var_50]
		mov	edx, offset _CmpDirtySectorCount
		lock xadd [edx], eax
		add	eax, [ebp+var_50]
		cmp	eax, 8000h
		jl	loc_746744
		jmp	loc_8CD9CE
; 

loc_746816:				; CODE XREF: HvpMarkDirty+165j
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	[ebx+990h], eax
		mov	[ebx+994h], edx
		call	CmpIssueNewDirtyCallback
		jmp	short loc_7467F7
HvpMarkDirty	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpEnlistFreeCell proc near		; CODE XREF: HvFreeCell+9Cp
					; HvpEnlistFreeCells+98p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CD9D8 SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], edi
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		and	ebx, 0FFFFF000h
		mov	ecx, edi
		sub	ebx, [eax]
		mov	edx, ebx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	esi, [ebp+arg_0]
		mov	ecx, [ebp+var_8]
		mov	eax, [eax+8]
		mov	[ebp+var_10], eax
		lea	edx, [eax+ebx]
		mov	[ebp+var_C], edx
		test	ebx, ebx
		jz	short loc_746878
		lea	eax, [ebx+20h]
		cmp	ecx, eax
		jz	short loc_7468AC

loc_746878:				; CODE XREF: HvpEnlistFreeCell+3Fj
					; HvpEnlistFreeCell+81j ...
		shr	esi, 3
		dec	esi
		cmp	esi, 10h
		jnb	short loc_746895

loc_746881:				; CODE XREF: HvpEnlistFreeCell+7Aj
					; HvpEnlistFreeCell+F7j
		push	[ebp+arg_4]
		mov	edx, ecx
		mov	ecx, edi
		push	esi
		call	HvpAddFreeCellHint

loc_74688E:				; CODE XREF: HvpEnlistFreeCell+EFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_746895:				; CODE XREF: HvpEnlistFreeCell+4Fj
		shr	esi, 4
		cmp	esi, 0FFh
		ja	loc_746924
		bsr	esi, esi
		add	esi, 10h
		jmp	short loc_746881
; 

loc_7468AC:				; CODE XREF: HvpEnlistFreeCell+46j
		lea	eax, [ecx+esi]
		cmp	eax, edx
		jnz	short loc_746878
		push	20374D43h
		push	0
		push	10h
		call	dword ptr [edi+0Ch]
		mov	edi, eax
		test	edi, edi
		jz	loc_8CD9D8
		and	dword ptr [edi], 0
		mov	ecx, ebx
		and	dword ptr [edi+4], 0
		and	ecx, 7FFFFFFFh
		mov	eax, [ebp+var_10]
		mov	esi, [ebp+var_4]
		mov	[edi+8], eax
		mov	[edi+0Ch], ecx

loc_7468E4:				; CODE XREF: HvpEnlistFreeCell+CEj
		cmp	ebx, [ebp+var_C]
		jnb	short loc_746900
		mov	edx, ebx
		mov	ecx, esi
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		or	dword ptr [eax+4], 2
		add	ebx, 1000h
		mov	[eax], edi
		jmp	short loc_7468E4
; 

loc_746900:				; CODE XREF: HvpEnlistFreeCell+B7j
		imul	eax, [ebp+arg_4], 19Ch
		add	eax, 258h
		add	eax, esi
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_74692C
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[ecx+4], edi
		mov	[eax], edi
		jmp	loc_74688E
; 

loc_746924:				; CODE XREF: HvpEnlistFreeCell+6Ej
		push	17h
		pop	esi
		jmp	loc_746881
; 

loc_74692C:				; CODE XREF: HvpEnlistFreeCell+E3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
HvpEnlistFreeCell endp


;  S U B	R O U T	I N E 


; __stdcall HvpGetCellMap(x, x)
_HvpGetCellMap@8 proc near		; CODE XREF: HvpAddBin+398p
					; HvFreeHivePartial+4Bp ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		mov	eax, esi
		shr	eax, 1Fh
		push	edi
		imul	edi, eax, 19Ch
		shl	eax, 1Fh
		add	eax, esi
		cmp	eax, [edi+ecx+0C8h]
		jnb	short loc_746973
		mov	ecx, [edi+ecx+0CCh]
		shr	esi, 0Ch
		and	esi, 1FFh
		shr	edx, 15h
		imul	eax, esi, 0Ch
		and	edx, 3FFh
		add	eax, [ecx+edx*4]

loc_746970:				; CODE XREF: HvpGetCellMap(x,x)+43j
		pop	edi
		pop	esi
		retn
; 

loc_746973:				; CODE XREF: HvpGetCellMap(x,x)+1Dj
		xor	eax, eax
		jmp	short loc_746970
_HvpGetCellMap@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpFindFreeCellInBin(x, x, x, x, x,	x, x)
_HvpFindFreeCellInBin@28 proc near	; CODE XREF: HvpFindFreeCell+DBp

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+arg_4]
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	edi, [ecx+8]
		lea	esi, [ecx+20h]
		mov	eax, [ecx+4]
		add	edi, ecx
		mov	[ebp+arg_4], eax
		cmp	esi, edi
		jnb	short loc_7469BE
		mov	edx, [ebp+arg_0]
		lea	esp, [esp+0]

loc_7469B0:				; CODE XREF: HvpFindFreeCellInBin(x,x,x,x,x,x,x)+3Cj
		mov	eax, [esi]
		test	eax, eax
		jns	short loc_7469C5
		neg	eax

loc_7469B8:				; CODE XREF: HvpFindFreeCellInBin(x,x,x,x,x,x,x)+54j
		add	esi, eax
		cmp	esi, edi
		jb	short loc_7469B0

loc_7469BE:				; CODE XREF: HvpFindFreeCellInBin(x,x,x,x,x,x,x)+24j
		mov	eax, 0C0000225h
		jmp	short loc_746A07
; 

loc_7469C5:				; CODE XREF: HvpFindFreeCellInBin(x,x,x,x,x,x,x)+34j
		mov	ebx, edx
		shl	ebx, 1Fh
		sub	ebx, ecx
		add	ebx, [ebp+arg_4]
		add	ebx, esi
		cmp	[ebp+var_4], eax
		ja	short loc_7469B8
		mov	esi, [ebp+var_8]
		mov	edx, ebx
		push	0
		push	1
		mov	ecx, esi
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_746A10
		push	[ebp+arg_10]
		mov	eax, [esi+4]
		push	ebx
		push	esi
		call	eax
		test	eax, eax
		jz	short loc_746A17
		lea	ecx, [eax-4]

loc_7469FB:				; CODE XREF: HvpFindFreeCellInBin(x,x,x,x,x,x,x)+99j
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		xor	eax, eax

loc_746A07:				; CODE XREF: HvpFindFreeCellInBin(x,x,x,x,x,x,x)+43j
					; HvpFindFreeCellInBin(x,x,x,x,x,x,x)+95j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_746A10:				; CODE XREF: HvpFindFreeCellInBin(x,x,x,x,x,x,x)+68j
		mov	eax, 0C000017Dh
		jmp	short loc_746A07
; 

loc_746A17:				; CODE XREF: HvpFindFreeCellInBin(x,x,x,x,x,x,x)+76j
		xor	ecx, ecx
		jmp	short loc_7469FB
_HvpFindFreeCellInBin@28 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpAdjustHiveFreeDisplay(x,	x, x)
_HvpAdjustHiveFreeDisplay@12 proc near	; CODE XREF: HvpAddBin+D9p
					; HvFreeHivePartial+15Fp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		cmp	ebx, 7FFFE000h
		ja	short loc_746A64
		imul	eax, [ebp+arg_0], 19Ch
		push	esi
		push	edi
		lea	edi, [ecx+0D8h]
		xor	esi, esi
		add	edi, eax

loc_746A43:				; CODE XREF: HvpAdjustHiveFreeDisplay(x,x,x)+3Dj
		push	edi
		mov	edx, ebx
		call	HvpAdjustBitmap
		test	eax, eax
		js	short loc_746A5D
		mov	ecx, [ebp+var_4]
		inc	esi
		add	edi, 10h
		cmp	esi, 18h
		jb	short loc_746A43
		xor	eax, eax

loc_746A5D:				; CODE XREF: HvpAdjustHiveFreeDisplay(x,x,x)+31j
		pop	edi
		pop	esi

loc_746A5F:				; CODE XREF: HvpAdjustHiveFreeDisplay(x,x,x)+4Dj
		pop	ebx
		leave
		retn	4
; 

loc_746A64:				; CODE XREF: HvpAdjustHiveFreeDisplay(x,x,x)+12j
		mov	eax, 0C000014Ch
		jmp	short loc_746A5F
_HvpAdjustHiveFreeDisplay@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpAdjustBitmap	proc near		; CODE XREF: HvpAdjustHiveFreeDisplay(x,x,x)+2Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CD9E3 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+arg_0]
		mov	ebx, 100h
		shr	esi, 0Ch
		add	ecx, 8
		push	edi
		lea	edi, [esi+7]
		shr	edi, 3
		test	edi, edi
		jz	loc_8CD9E3
		add	edi, 0FFh
		and	edi, 0FFFFFF00h

loc_746AA4:				; CODE XREF: HvpAdjustBitmap+186F79j
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_746AFF
		xor	ebx, ebx

loc_746AAC:				; CODE XREF: HvpAdjustBitmap+9Bj
					; HvpAdjustBitmap+A9j
		mov	edx, [ebp+arg_0]
		cmp	edi, [edx]
		jbe	short loc_746B17
		mov	eax, [ebp+var_4]
		push	39334D43h
		push	1
		push	edi
		call	dword ptr [eax+0Ch]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_746B29
		mov	ecx, [ebp+arg_0]
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ecx], edi
		mov	ecx, [ecx+0Ch]
		mov	[ebp+var_C], ecx
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [ebp+var_8]
		mov	[ecx+8], esi
		mov	esi, [ebp+var_C]
		mov	[ecx+0Ch], eax
		test	esi, esi
		jnz	loc_8CD9EA

loc_746AF6:				; CODE XREF: HvpAdjustBitmap+AFj
					; HvpAdjustBitmap+BBj ...
		xor	eax, eax

loc_746AF8:				; CODE XREF: HvpAdjustBitmap+C2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_746AFF:				; CODE XREF: HvpAdjustBitmap+3Cj
		lea	edx, [eax+7]
		shr	edx, 3
		test	edx, edx
		jz	short loc_746AAC
		lea	ebx, [edx+0FFh]
		and	ebx, 0FFFFFF00h
		jmp	short loc_746AAC
; 

loc_746B17:				; CODE XREF: HvpAdjustBitmap+45j
		mov	[ecx], esi
		cmp	eax, esi
		jnb	short loc_746AF6
		sub	esi, eax
		push	esi
		push	eax
		push	ecx
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		jmp	short loc_746AF6
; 

loc_746B29:				; CODE XREF: HvpAdjustBitmap+5Aj
		mov	eax, 0C000009Ah
		jmp	short loc_746AF8
HvpAdjustBitmap	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpAllocate	proc near		; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+1C3p
					; CmpCreateEmptyHiveClone(x,x)+1Cp
					; DATA XREF: ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008CDA02 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	CmpClaimGlobalQuota
		test	al, al
		jz	short loc_746B6E
		xor	eax, eax
		cmp	[ebp+arg_4], al
		push	esi
		push	[ebp+arg_8]
		setnz	al
		push	[ebp+arg_0]
		lea	eax, ds:1[eax*4]
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8CDA02

loc_746B67:				; CODE XREF: CmpAllocate+186EDAj
		mov	eax, esi
		pop	esi

loc_746B6A:				; CODE XREF: CmpAllocate+40j
		pop	ebp
		retn	0Ch
; 

loc_746B6E:				; CODE XREF: CmpAllocate+Fj
		xor	eax, eax
		jmp	short loc_746B6A
CmpAllocate	endp


;  S U B	R O U T	I N E 


CmpClaimGlobalQuota proc near		; CODE XREF: HvpAddBin+2E8p
					; HvpMapHiveImageFromViewMap(x,x,x)+13p ...

; FUNCTION CHUNK AT 008CDA0F SIZE 00000054 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	CmpUpdateGlobalQuotaAllowed
		test	esi, esi
		jle	short loc_746BAD
		mov	eax, ds:_CmpGlobalQuotaAllowed
		sub	eax, ds:_CmpGlobalQuotaUsed
		cmp	esi, eax
		jge	short loc_746BAD
		mov	eax, offset _CmpGlobalQuotaUsed
		lock xadd [eax], esi
		mov	eax, ds:_CmpGlobalQuotaUsed
		cmp	eax, ds:_CmpGlobalQuotaWarning
		ja	loc_8CDA0F

loc_746BA9:				; CODE XREF: CmpClaimGlobalQuota+186EA4j
					; CmpClaimGlobalQuota+186EB1j ...
		mov	al, 1
		pop	esi
		retn
; 

loc_746BAD:				; CODE XREF: CmpClaimGlobalQuota+Cj
					; CmpClaimGlobalQuota+1Bj
		xor	al, al
		pop	esi
		retn
CmpClaimGlobalQuota endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpUpdateGlobalQuotaAllowed proc near	; CODE XREF: CmpClaimGlobalQuota+5p
					; CmQueryRegistryQuotaInformation(x)+Ep

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CDA63 SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_CmpQuotaExplicitlySet, 0
		mov	eax, ds:_MmSizeOfPagedPoolInBytes
		mov	[ebp+var_4], eax
		jnz	short locret_746BD8
		mov	eax, [ebp+var_4]
		cmp	eax, ds:_CmpSizeOfPagedPoolInBytes
		jnz	loc_8CDA63

locret_746BD8:				; CODE XREF: CmpUpdateGlobalQuotaAllowed+15j
		leave
		retn
CmpUpdateGlobalQuotaAllowed endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAddToLeaf(x, x, x, x)
_CmpAddToLeaf@16 proc near		; CODE XREF: CmpAddSubKeyToList+D8p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		or	[ebp+var_1C], 0FFFFFFFFh
		mov	eax, edx
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_4], eax
		xor	ecx, ecx
		push	edi
		push	ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	ecx
		mov	ecx, ebx
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_746DC3
		mov	edi, [ebp+var_4]
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		push	ebx
		call	dword ptr [ebx+4]
		mov	esi, eax
		test	esi, esi
		jz	loc_746DC3
		movzx	eax, word ptr [esi+2]
		mov	edx, 0FFFFh
		mov	ecx, eax
		cmp	ax, dx
		jz	loc_746DAB
		push	0FFFFFFFCh
		pop	edx
		sub	edx, [esi-4]
		mov	ecx, 696Ch
		cmp	[esi], cx
		mov	ecx, edx
		jnz	short loc_746C59
		xor	edi, edi
		mov	[ebp+var_10], 4
		mov	[ebp+var_8], edi
		shl	eax, 2
		jmp	short loc_746C68
; 

loc_746C59:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+6Cj
		mov	edi, esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], 8
		shl	eax, 3

loc_746C68:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+7Dj
		sub	ecx, eax
		mov	eax, [ebp+var_4]
		sub	ecx, 4
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_10]
		cmp	ecx, eax
		jnb	short loc_746CBF
		mov	esi, edx
		add	eax, edx
		shr	esi, 1
		add	esi, edx
		cmp	esi, eax
		jnb	short loc_746C88
		mov	esi, eax

loc_746C88:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+AAj
		lea	eax, [ebp+var_1C]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_1C]
		and	[ebp+var_10], 0
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		push	esi
		call	_HvReallocateCell@24 ; HvReallocateCell(x,x,x,x,x,x)
		mov	[ebp+var_C], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_746DC3
		mov	esi, [ebp+var_10]
		test	edi, edi
		jz	short loc_746CBF
		mov	[ebp+var_8], esi

loc_746CBF:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+9Ej
					; CmpAddToLeaf(x,x,x,x)+E0j
		lea	eax, [ebp+var_14]
		mov	edx, esi
		push	eax
		push	0
		push	[ebp+arg_4]
		mov	ecx, ebx
		call	_CmpFindSubKeyInLeaf@20	; CmpFindSubKeyInLeaf(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_746DA8
		cmp	[ebp+var_14], 0FFFFFFFFh
		jnz	loc_746DA8
		movzx	eax, word ptr [esi+2]
		cmp	edi, eax
		jz	short loc_746D51
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		push	edi
		push	0
		mov	ecx, ebx
		call	_CmpCompareInIndex@24 ;	CmpCompareInIndex(x,x,x,x,x,x)
		cmp	eax, 2
		jz	loc_746DA8
		test	eax, eax
		jle	short loc_746D0D
		inc	edi

loc_746D0D:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+130j
		movzx	eax, word ptr [esi+2]
		cmp	edi, eax
		jz	short loc_746D51
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_746D35
		movzx	eax, word ptr [ecx+2]
		sub	eax, edi
		shl	eax, 3
		push	eax
		lea	eax, [ecx+4]
		lea	eax, [eax+edi*8]
		push	eax
		lea	eax, [ecx+0Ch]
		lea	eax, [eax+edi*8]
		jmp	short loc_746D48
; 

loc_746D35:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+140j
		sub	eax, edi
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [edi+1]
		lea	eax, [esi+eax*4]
		push	eax		; void *
		lea	eax, [edi+2]
		lea	eax, [esi+eax*4]

loc_746D48:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+159j
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch

loc_746D51:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+111j
					; CmpAddToLeaf(x,x,x,x)+139j
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_746D81
		mov	[ecx+edi*8+4], eax
		mov	eax, 686Ch
		cmp	[ecx], ax
		mov	ecx, [ebp+arg_4]
		jnz	short loc_746D73
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)
		jmp	short loc_746D78
; 

loc_746D73:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+190j
		call	_CmpGenerateFastLeafHintForUnicodeString@4 ; CmpGenerateFastLeafHintForUnicodeString(x)

loc_746D78:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+197j
		mov	ecx, [ebp+var_8]
		mov	[ecx+edi*8+8], eax
		jmp	short loc_746D85
; 

loc_746D81:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+17Fj
		mov	[esi+edi*4+4], eax

loc_746D85:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+1A5j
		inc	word ptr [esi+2]
		lea	eax, [ebp+var_1C]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+var_4]
		cmp	esi, eax
		jz	short loc_746DA4
		mov	edx, eax
		mov	ecx, ebx
		call	HvFreeCell

loc_746DA4:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+1BFj
		mov	eax, esi
		jmp	short loc_746DC6
; 

loc_746DA8:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+FBj
					; CmpAddToLeaf(x,x,x,x)+105j ...
		mov	edi, [ebp+var_4]

loc_746DAB:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+56j
		lea	eax, [ebp+var_1C]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		mov	eax, [ebp+var_C]
		cmp	eax, edi
		jz	short loc_746DC3
		mov	edx, eax
		mov	ecx, ebx
		call	HvFreeCell

loc_746DC3:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+2Cj
					; CmpAddToLeaf(x,x,x,x)+42j ...
		or	eax, 0FFFFFFFFh

loc_746DC6:				; CODE XREF: CmpAddToLeaf(x,x,x,x)+1CCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_CmpAddToLeaf@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmpPopulateKeyNodeInformation(void *,size_t,int,int,int)
CmpPopulateKeyNodeInformation proc near	; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+22Fp
					; CmpQueryKeyDataFromNode+16Dp

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008CDAAA SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, edx
		mov	[ebp+var_C], eax
		test	byte ptr [eax+2], 20h
		movzx	edx, word ptr [eax+48h]
		jz	loc_8CDAAA
		lea	eax, [edx+edx]
		movzx	eax, ax

loc_746DEF:				; CODE XREF: CmpPopulateKeyNodeInformation+186CDEj
		push	ebx
		push	esi
		movzx	esi, ax
		push	edi
		mov	edi, [ebp+arg_4]
		add	esi, 18h
		mov	[ebp+var_4], eax
		test	edi, edi
		jnz	loc_8CDAB1
		mov	ebx, esi

loc_746E08:				; CODE XREF: CmpPopulateKeyNodeInformation+186CEDj
		cmp	[ebp+arg_C], 18h
		mov	eax, [ebp+arg_10]
		mov	[eax], esi
		jb	loc_8CDAC0
		mov	edx, [ebp+arg_8]
		mov	eax, [ecx]
		mov	[edx], eax
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		mov	eax, [ecx+8]
		mov	ecx, [ebp+var_4]
		mov	[edx+8], eax
		movzx	eax, cx
		mov	[edx+10h], edi
		mov	[edx+14h], eax
		test	edi, edi
		jnz	short loc_746E8C
		or	ecx, 0FFFFFFFFh

loc_746E3D:				; CODE XREF: CmpPopulateKeyNodeInformation+C0j
		mov	[edx+0Ch], ecx
		mov	ecx, [ebp+arg_C]
		add	ecx, 0FFFFFFE8h
		mov	[ebp+arg_4], ecx
		mov	ecx, [ebp+var_C]
		test	byte ptr [ecx+2], 20h
		jz	loc_8CDACA
		movzx	eax, word ptr [ecx+48h]
		push	eax
		lea	eax, [ecx+4Ch]
		lea	ecx, [edx+18h]
		mov	edx, [ebp+arg_4]
		push	eax
		call	_CmpCopyCompressedName@16 ; CmpCopyCompressedName(x,x,x,x)

loc_746E6A:				; CODE XREF: CmpPopulateKeyNodeInformation+186D15j
		mov	eax, [ebp+arg_C]
		cmp	eax, ebx
		jb	short loc_746E90
		sub	eax, ebx
		test	edi, edi
		jnz	loc_8CDAE8

loc_746E7B:				; CODE XREF: CmpPopulateKeyNodeInformation+186D32j
		cmp	[ebp+arg_C], esi
		sbb	eax, eax
		and	eax, 80000005h

loc_746E85:				; CODE XREF: CmpPopulateKeyNodeInformation+C7j
					; CmpPopulateKeyNodeInformation+186CF7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_746E8C:				; CODE XREF: CmpPopulateKeyNodeInformation+6Aj
		mov	ecx, ebx
		jmp	short loc_746E3D
; 

loc_746E90:				; CODE XREF: CmpPopulateKeyNodeInformation+A1j
		mov	eax, 80000005h
		jmp	short loc_746E85
CmpPopulateKeyNodeInformation endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCopyCompressedName(x, x,	x, x)
_CmpCopyCompressedName@16 proc near	; CODE XREF: CmpMarkIndexDirty+8Ap
					; CmpAddSubKeyToList+8Cp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		shr	edx, 1
		push	edi
		mov	edi, ecx
		cmp	edx, [ebp+arg_4]
		jb	short loc_746EAA
		mov	edx, [ebp+arg_4]

loc_746EAA:				; CODE XREF: CmpCopyCompressedName(x,x,x,x)+Dj
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_746EC2
		push	esi
		mov	esi, [ebp+arg_0]

loc_746EB4:				; CODE XREF: CmpCopyCompressedName(x,x,x,x)+27j
		movzx	eax, byte ptr [ecx+esi]
		mov	[edi+ecx*2], ax
		inc	ecx
		cmp	ecx, edx
		jb	short loc_746EB4
		pop	esi

loc_746EC2:				; CODE XREF: CmpCopyCompressedName(x,x,x,x)+16j
		pop	edi
		pop	ebp
		retn	8
_CmpCopyCompressedName@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFreeValueData proc near		; CODE XREF: CmpFreeValue(x,x)+2Ap
					; CmpSetValueKeyExisting+228p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CDB05 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, 80000000h
		mov	[ebp+var_8], edx
		mov	esi, ecx
		lea	ecx, [eax-80000000h]
		cmp	eax, edi
		jnb	short loc_746F0E
		mov	ecx, eax
		cmp	edx, 0FFFFFFFFh
		jz	short loc_746F0E
		cmp	dword ptr [esi+9Ch], 4
		jb	short loc_746F07
		lea	eax, [ecx-3FD9h]
		cmp	eax, 7FFFC026h
		jbe	short loc_746F17

loc_746F07:				; CODE XREF: CmpFreeValueData+30j
					; CmpFreeValueData+D1j
		mov	ecx, esi
		call	HvFreeCell

loc_746F0E:				; CODE XREF: CmpFreeValueData+20j
					; CmpFreeValueData+27j
		mov	al, 1

loc_746F10:				; CODE XREF: CmpFreeValueData+186C47j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_746F17:				; CODE XREF: CmpFreeValueData+3Dj
		or	[ebp+var_10], 0FFFFFFFFh
		lea	eax, [ebp+var_10]
		or	[ebp+var_18], 0FFFFFFFFh
		xor	edi, edi
		push	eax
		push	edx
		push	esi
		mov	[ebp+var_C], edi
		mov	[ebp+var_14], edi
		call	dword ptr [esi+4]
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8CDB0D
		mov	eax, [ebx+4]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_746F8E
		lea	ecx, [ebp+var_18]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	ecx, eax
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		jz	loc_8CDB05
		xor	eax, eax
		cmp	ax, [ebx+2]
		jnb	short loc_746F7C

loc_746F60:				; CODE XREF: CmpFreeValueData+B2j
		movzx	eax, di
		mov	edx, [ecx+eax*4]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_746F75
		mov	ecx, esi
		call	HvFreeCell
		mov	ecx, [ebp+arg_0]

loc_746F75:				; CODE XREF: CmpFreeValueData+A1j
		inc	edi
		cmp	di, [ebx+2]
		jb	short loc_746F60

loc_746F7C:				; CODE XREF: CmpFreeValueData+96j
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebx+4]
		mov	ecx, esi
		call	HvFreeCell

loc_746F8E:				; CODE XREF: CmpFreeValueData+78j
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebp+var_8]
		jmp	loc_746F07
CmpFreeValueData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogDirtyVectorUse(x, x, x, x)
_CmpLogDirtyVectorUse@16 proc near	; CODE XREF: HvpGenerateLogEntryDirtyData(x,x,x,x,x,x)+69p
					; HvpGenerateLogEntry+57p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		lea	edx, [esi+6F8h]
		mov	edi, [edx]

loc_746FB2:				; CODE XREF: CmpLogDirtyVectorUse(x,x,x,x)+73j
		lea	eax, [edi+1]
		cmp	eax, [esi+6FCh]
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, edi
		lock cmpxchg [edx], ecx
		cmp	edi, eax
		jnz	short loc_74700F
		mov	eax, large fs:124h
		imul	ecx, edi, 28h
		push	0
		mov	[ecx+esi+700h],	eax
		mov	eax, [ebp+arg_0]
		mov	[ecx+esi+708h],	eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+esi+70Ch],	eax
		lea	eax, [esi+710h]
		add	eax, ecx
		mov	[ecx+esi+704h],	ebx
		push	eax
		push	6
		push	1
		call	RtlCaptureStackBackTrace
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_74700F:				; CODE XREF: CmpLogDirtyVectorUse(x,x,x,x)+29j
		mov	edi, eax
		jmp	short loc_746FB2
_CmpLogDirtyVectorUse@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpViewMapMakeViewRangeCOWByCaller proc	near
					; CODE XREF: HvpViewMapCOWAndUnsealRange(x,x,x)+ABp
					; HvpViewMapMigrateCOWData(x,x,x)+102p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CDB14 SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		mov	edx, [ecx+18h]
		mov	esi, edi
		push	eax
		mov	eax, [ebp+arg_8]
		sub	esi, [ebx+10h]
		sub	eax, edi
		add	esi, [ebx+30h]
		push	8
		push	eax
		push	esi
		mov	[ebp+var_10], ecx
		call	_CmSiProtectViewOfSection@24 ; CmSiProtectViewOfSection(x,x,x,x,x,x)
		test	eax, eax
		js	loc_7470DF
		mov	esi, [ebp+arg_4]
		mov	ecx, edi
		mov	edx, esi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_14], esi
		mov	[ebp+var_8], edx
		cmp	esi, [ebp+arg_C]
		jl	short loc_74706C
		jg	short loc_7470DD
		cmp	edi, [ebp+arg_8]
		jmp	short loc_74709A
; 

loc_74706C:				; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+4Fj
					; HvpViewMapMakeViewRangeCOWByCaller+81j ...
		mov	eax, [ebx+10h]
		mov	[ebp+arg_4], eax
		mov	eax, ecx
		sub	eax, [ebp+arg_4]
		shr	eax, 0Ch
		test	byte ptr [eax+ebx+38h],	2
		jz	short loc_7470E6

loc_747081:				; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+F5j
		add	ecx, 1000h
		mov	[ebp+var_4], ecx
		adc	edx, 0
		mov	[ebp+var_8], edx
		cmp	edx, [ebp+arg_C]
		jg	short loc_74709C
		jl	short loc_74706C
		cmp	ecx, [ebp+arg_8]

loc_74709A:				; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+56j
		jb	short loc_74706C

loc_74709C:				; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+7Fj
		cmp	esi, [ebp+arg_C]
		jg	short loc_7470DD
		jge	short loc_7470D8

loc_7470A3:				; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+C0j
					; HvpViewMapMakeViewRangeCOWByCaller+C7j
		mov	eax, [ebx+10h]
		mov	esi, edi
		sub	esi, eax
		mov	ecx, edi
		shr	esi, 0Ch
		sub	ecx, eax
		add	ecx, [ebx+30h]
		mov	al, [esi+ebx+38h]
		or	al, 0Ah
		mov	[esi+ebx+38h], al
		test	al, 10h
		jnz	short loc_74710E

loc_7470C2:				; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+118j
		mov	eax, [ebp+var_14]
		add	edi, 1000h
		adc	eax, 0
		mov	[ebp+var_14], eax
		cmp	eax, [ebp+arg_C]
		jl	short loc_7470A3
		jg	short loc_7470DD

loc_7470D8:				; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+8Dj
		cmp	edi, [ebp+arg_8]
		jb	short loc_7470A3

loc_7470DD:				; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+51j
					; HvpViewMapMakeViewRangeCOWByCaller+8Bj ...
		xor	eax, eax

loc_7470DF:				; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+36j
					; HvpViewMapMakeViewRangeCOWByCaller+186B4Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7470E6:				; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+6Bj
		sub	ecx, [ebp+arg_4]
		mov	edx, 1000h
		add	ecx, [ebx+30h]
		push	1
		call	HvpViewMapTouchPages
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	loc_8CDB14
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]
		jmp	loc_747081
; 

loc_74710E:				; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+ACj
		mov	eax, [ebp+var_10]
		push	1000h
		push	ecx
		mov	edx, [eax+18h]
		call	_CmSiUnlockViewOfSection@16 ; CmSiUnlockViewOfSection(x,x,x,x)
		and	byte ptr [esi+ebx+38h],	0EFh
		dec	dword ptr [ebx+34h]
		or	byte ptr [esi+ebx+38h],	4
		jmp	short loc_7470C2
HvpViewMapMakeViewRangeCOWByCaller endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpMinLong64(x, x, x, x)
_HvpMinLong64@16 proc near		; CODE XREF: HvpViewMapGetMaxStorageLength(x)+1Cp
					; HvpViewMapSealRange(x,x,x)+92p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		cmp	edx, [ebp+arg_C]
		jg	short loc_747149
		mov	eax, [ebp+arg_0]
		jl	short loc_747145
		cmp	eax, [ebp+arg_8]
		jnb	short loc_747149

loc_747145:				; CODE XREF: HvpMinLong64(x,x,x,x)+10j
					; HvpMinLong64(x,x,x,x)+21j
		pop	ebp
		retn	10h
; 

loc_747149:				; CODE XREF: HvpMinLong64(x,x,x,x)+Bj
					; HvpMinLong64(x,x,x,x)+15j
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+arg_C]
		jmp	short loc_747145
_HvpMinLong64@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpViewMapTouchPages proc near		; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+DFp
					; HvpViewMapMakeViewRangeValid+133p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

		push	14h
		push	offset dword_6A0280
		call	__SEH_prolog4
		mov	[ebp+var_24], 0C0000006h
		mov	[ebp+var_20], ecx
		lea	esi, [ecx+edx]
		xor	ecx, ecx
		mov	[ebp+ms_exc.disabled], ecx

loc_747170:				; CODE XREF: HvpViewMapTouchPages+37j
		mov	eax, [ebp+var_20]
		cmp	eax, esi
		jnb	short loc_747192
		mov	dl, [eax]
		mov	[ebp+var_19], dl
		cmp	[ebp+arg_0], 0
		jnz	short loc_74718B

loc_747182:				; CODE XREF: HvpViewMapTouchPages+3Ej
		add	[ebp+var_20], 1000h
		jmp	short loc_747170
; 

loc_74718B:				; CODE XREF: HvpViewMapTouchPages+2Ej
		mov	eax, [ebp+var_20]
		mov	[eax], dl
		jmp	short loc_747182
; 

loc_747192:				; CODE XREF: HvpViewMapTouchPages+23j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_747199:				; CODE XREF: sub_8CDB6F+Dj
		mov	eax, ecx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
HvpViewMapTouchPages endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmpGetSecurityDescriptorNode(int,void *,int,int)
_CmpGetSecurityDescriptorNode@24 proc near ; CODE XREF:	CmpCreateHiveRootCell+10Ep
					; CmpAssignKeySecurity+F5p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]	; int
		mov	eax, edx
		push	[ebp+arg_8]	; int
		shr	eax, 1Fh
		push	[ebp+arg_4]	; void *
		push	eax		; int
		push	[ebp+arg_0]	; int
		call	_CmpGetSecurityDescriptorNodeEx@28 ; CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)
		pop	ebp
		retn	10h
_CmpGetSecurityDescriptorNode@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindMatchingDescriptorCell(x, x,	x, x, x)
_CmpFindMatchingDescriptorCell@20 proc near
					; CODE XREF: CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+45p
					; PAGE:0074BBD2p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		mov	ecx, ebx
		mov	[ebp+var_C], ebx
		call	_RtlLengthSecurityDescriptorStrict@4 ; RtlLengthSecurityDescriptorStrict(x)
		mov	edx, ebx
		mov	[ebp+var_8], eax
		mov	ecx, eax
		call	_CmpSecConvKey@8 ; CmpSecConvKey(x,x)
		mov	ecx, eax
		mov	[ebp+var_4], eax
		and	ecx, 3Fh
		add	esi, 4D0h
		lea	ecx, [esi+ecx*8]
		mov	edi, [ecx]
		mov	[ebp+var_10], ecx

loc_747209:				; CODE XREF: CmpFindMatchingDescriptorCell(x,x,x,x,x)+49j
		cmp	edi, ecx
		jz	short loc_74725A
		lea	esi, [edi-8]
		cmp	[esi+4], eax
		jz	short loc_747219

loc_747215:				; CODE XREF: CmpFindMatchingDescriptorCell(x,x,x,x,x)+96j
		mov	edi, [edi]
		jmp	short loc_747209
; 

loc_747219:				; CODE XREF: CmpFindMatchingDescriptorCell(x,x,x,x,x)+45j
		mov	ebx, [esi]
		mov	eax, ebx
		shr	eax, 1Fh
		cmp	[ebp+arg_0], eax
		jnz	short loc_747261
		mov	eax, [ebp+var_8]
		cmp	eax, [esi+10h]
		jnz	short loc_747261
		push	eax		; size_t
		lea	eax, [esi+18h]
		push	eax		; void *
		push	[ebp+var_C]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_74725E
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_747256

loc_74724D:				; CODE XREF: CmpFindMatchingDescriptorCell(x,x,x,x,x)+8Aj
		mov	al, 1

loc_74724F:				; CODE XREF: CmpFindMatchingDescriptorCell(x,x,x,x,x)+8Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_747256:				; CODE XREF: CmpFindMatchingDescriptorCell(x,x,x,x,x)+7Dj
		mov	[eax], esi
		jmp	short loc_74724D
; 

loc_74725A:				; CODE XREF: CmpFindMatchingDescriptorCell(x,x,x,x,x)+3Dj
		xor	al, al
		jmp	short loc_74724F
; 

loc_74725E:				; CODE XREF: CmpFindMatchingDescriptorCell(x,x,x,x,x)+71j
		mov	ecx, [ebp+var_10]

loc_747261:				; CODE XREF: CmpFindMatchingDescriptorCell(x,x,x,x,x)+55j
					; CmpFindMatchingDescriptorCell(x,x,x,x,x)+5Dj
		mov	eax, [ebp+var_4]
		jmp	short loc_747215
_CmpFindMatchingDescriptorCell@20 endp


;  S U B	R O U T	I N E 


; __stdcall CmpSecConvKey(x, x)
_CmpSecConvKey@8 proc near		; CODE XREF: CmpAddSecurityCellToCache+A8p
					; CmpFindMatchingDescriptorCell(x,x,x,x,x)+20p
		shr	ecx, 2
		xor	eax, eax
		test	ecx, ecx
		jz	short locret_74727C

loc_74726F:				; CODE XREF: CmpSecConvKey(x,x)+14j
		rol	eax, 3
		add	eax, [edx]
		lea	edx, [edx+4]
		sub	ecx, 1
		jnz	short loc_74726F

locret_74727C:				; CODE XREF: CmpSecConvKey(x,x)+7j
		retn
_CmpSecConvKey@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2401. RtlValidRelativeSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlValidRelativeSecurityDescriptor(x, x, x)
		public _RtlValidRelativeSecurityDescriptor@12
_RtlValidRelativeSecurityDescriptor@12 proc near
					; CODE XREF: CmpVerifyCreateOrDeleteKeyLogRecord(x)+5Cp
					; CmpVerifySetSecurityDescriptorLogRecord(x)+67p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], eax
		cmp	edi, 14h
		jb	loc_747381
		mov	esi, [ebp+arg_0]
		cmp	byte ptr [esi],	1
		jnz	loc_747381
		movzx	ebx, word ptr [esi+2]
		test	bx, bx
		jns	loc_747381
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	loc_747385
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		push	0Ch
		call	_RtlpValidateSDOffsetAndSize@16	; RtlpValidateSDOffsetAndSize(x,x,x,x)
		test	al, al
		jz	loc_747381
		cmp	byte ptr [ecx+esi], 1
		jnz	loc_747381
		mov	al, [ecx+esi+1]
		cmp	al, 0Fh
		ja	loc_747381
		movzx	eax, al
		lea	eax, ds:8[eax*4]
		cmp	[ebp+var_4], eax
		jb	short loc_747381

loc_747305:				; CODE XREF: RtlValidRelativeSecurityDescriptor(x,x,x)+107j
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_74737B
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		push	0Ch
		call	_RtlpValidateSDOffsetAndSize@16	; RtlpValidateSDOffsetAndSize(x,x,x,x)
		test	al, al
		jz	short loc_747381
		cmp	byte ptr [ecx+esi], 1
		jnz	short loc_747381
		mov	al, [ecx+esi+1]
		cmp	al, 0Fh
		ja	short loc_747381
		movzx	eax, al
		lea	eax, ds:8[eax*4]
		cmp	[ebp+var_8], eax
		jb	short loc_747381

loc_74733A:				; CODE XREF: RtlValidRelativeSecurityDescriptor(x,x,x)+FDj
		test	bl, 4
		jz	short loc_74736C
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	short loc_74736C
		lea	eax, [ebp+var_C]
		mov	edx, edi
		push	eax
		push	8
		call	_RtlpValidateSDOffsetAndSize@16	; RtlpValidateSDOffsetAndSize(x,x,x,x)
		test	al, al
		jz	short loc_747381
		add	ecx, esi
		movzx	eax, word ptr [ecx+2]
		cmp	[ebp+var_C], eax
		jb	short loc_747381
		push	ecx
		call	RtlValidAcl
		test	al, al
		jz	short loc_747381

loc_74736C:				; CODE XREF: RtlValidRelativeSecurityDescriptor(x,x,x)+BBj
					; RtlValidRelativeSecurityDescriptor(x,x,x)+C2j
		test	byte ptr [esi+2], 10h
		jnz	short loc_747391

loc_747372:				; CODE XREF: RtlValidRelativeSecurityDescriptor(x,x,x)+114j
					; RtlValidRelativeSecurityDescriptor(x,x,x)+13Bj
		mov	al, 1

loc_747374:				; CODE XREF: RtlValidRelativeSecurityDescriptor(x,x,x)+101j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_74737B:				; CODE XREF: RtlValidRelativeSecurityDescriptor(x,x,x)+88j
		test	[ebp+arg_8], 2
		jz	short loc_74733A

loc_747381:				; CODE XREF: RtlValidRelativeSecurityDescriptor(x,x,x)+1Fj
					; RtlValidRelativeSecurityDescriptor(x,x,x)+2Bj ...
		xor	al, al
		jmp	short loc_747374
; 

loc_747385:				; CODE XREF: RtlValidRelativeSecurityDescriptor(x,x,x)+43j
		test	[ebp+arg_8], 1
		jz	loc_747305
		jmp	short loc_747381
; 

loc_747391:				; CODE XREF: RtlValidRelativeSecurityDescriptor(x,x,x)+EEj
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_747372
		lea	eax, [ebp+var_10]
		mov	edx, edi
		push	eax
		push	8
		call	_RtlpValidateSDOffsetAndSize@16	; RtlpValidateSDOffsetAndSize(x,x,x,x)
		test	al, al
		jz	short loc_747381
		lea	edx, [ecx+esi]
		movzx	ecx, word ptr [edx+2]
		cmp	[ebp+var_10], ecx
		jb	short loc_747381
		push	edx
		call	RtlValidAcl
		test	al, al
		jnz	short loc_747372
		jmp	short loc_747381
_RtlValidRelativeSecurityDescriptor@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpValidateSDOffsetAndSize(x, x, x, x)
_RtlpValidateSDOffsetAndSize@16	proc near
					; CODE XREF: RtlValidRelativeSecurityDescriptor(x,x,x)+51p
					; RtlValidRelativeSecurityDescriptor(x,x,x)+92p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		cmp	ecx, 14h
		jb	short loc_7473EA
		cmp	ecx, edx
		jnb	short loc_7473EA
		sub	edx, ecx
		cmp	edx, [ebp+arg_0]
		jb	short loc_7473EA
		test	cl, 3
		jnz	short loc_7473EA
		mov	[eax], edx
		mov	al, 1

loc_7473E6:				; CODE XREF: RtlpValidateSDOffsetAndSize(x,x,x,x)+2Aj
		pop	ebp
		retn	8
; 

loc_7473EA:				; CODE XREF: RtlpValidateSDOffsetAndSize(x,x,x,x)+Ej
					; RtlpValidateSDOffsetAndSize(x,x,x,x)+12j ...
		xor	al, al
		jmp	short loc_7473E6
_RtlpValidateSDOffsetAndSize@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpMarkKeyDirty	proc near		; CODE XREF: CmDeleteLayeredKey(x,x,x)+29Dp
					; CmDeleteLayeredKey(x,x,x)+2C0p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, edx
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_C], eax
		push	edi
		mov	[ebp+var_2C], ecx
		xor	ebx, ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_1C], ecx
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	eax
		push	esi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_4], ebx
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	loc_74759C
		test	byte ptr [edi+2], 2
		jnz	loc_7475A5
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		push	ebx
		push	ebx
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_747594
		mov	edx, [edi+30h]
		cmp	edx, 0FFFFFFFFh
		jnz	sub_8CDB81

loc_74745D:				; CODE XREF: sub_8CDB81+11j
		mov	edx, [edi+2Ch]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_7474C0
		push	ebx
		push	ebx
		mov	ecx, esi
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_747594
		mov	eax, [edi+2Ch]
		lea	ecx, [ebp+var_14]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_747594
		mov	edx, [eax+4]
		mov	ecx, esi
		push	ebx
		push	ebx
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_7475A9
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	ebx
		push	ebx
		mov	edx, [edx+8]
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_7475A9
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_7474C0:				; CODE XREF: CmpMarkKeyDirty+75j
		test	byte ptr [edi+2], 40h
		jnz	loc_747558
		cmp	[edi+24h], ebx
		jbe	loc_747558
		mov	edx, [edi+28h]
		mov	ecx, esi
		push	ebx
		push	ebx
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_747594
		mov	eax, [edi+28h]
		lea	ecx, [ebp+var_24]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	loc_747594
		mov	eax, ebx
		mov	[ebp+var_8], ebx
		cmp	[edi+24h], ebx
		jbe	short loc_747558
		jmp	short loc_74750F
; 

loc_74750C:				; CODE XREF: CmpMarkKeyDirty+168j
		mov	ecx, [ebp+var_4]

loc_74750F:				; CODE XREF: CmpMarkKeyDirty+11Cj
		mov	edx, [ecx+eax*4]
		mov	ecx, esi
		push	ebx
		push	ebx
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_747586
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		mov	eax, [ecx+eax*4]
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_747586
		mov	edx, eax
		mov	ecx, esi
		call	_CmpMarkValueDataDirty@8 ; CmpMarkValueDataDirty(x,x)
		mov	ecx, [esi+8]
		test	al, al
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		jz	short loc_7475AE
		call	ecx
		mov	eax, [ebp+var_8]
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, [edi+24h]
		jb	short loc_74750C

loc_747558:				; CODE XREF: CmpMarkKeyDirty+D6j
					; CmpMarkKeyDirty+DFj ...
		test	byte ptr [edi+2], 4
		jnz	short loc_747584
		cmp	[ebp+arg_0], bl
		jz	short loc_747584
		push	[ebp+var_C]
		mov	edx, [edi+10h]
		mov	ecx, esi
		call	CmpMarkIndexDirty
		test	al, al
		jz	short loc_747586
		mov	edx, [edi+10h]
		mov	ecx, esi
		push	ebx
		push	ebx
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_747586

loc_747584:				; CODE XREF: CmpMarkKeyDirty+16Ej
					; CmpMarkKeyDirty+173j
		mov	bl, 1

loc_747586:				; CODE XREF: CmpMarkKeyDirty+12Fj
					; CmpMarkKeyDirty+145j	...
		cmp	[ebp+var_4], 0
		jz	short loc_747594
		lea	eax, [ebp+var_24]

loc_74758F:				; CODE XREF: CmpMarkKeyDirty+1BEj
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_747594:				; CODE XREF: CmpMarkKeyDirty+5Dj
					; CmpMarkKeyDirty+82j ...
		lea	eax, [ebp+var_2C]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_74759C:				; CODE XREF: CmpMarkKeyDirty+3Fj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
; 

loc_7475A5:				; CODE XREF: CmpMarkKeyDirty+49j
		mov	bl, 1
		jmp	short loc_747594
; 

loc_7475A9:				; CODE XREF: CmpMarkKeyDirty+ADj
					; CmpMarkKeyDirty+C4j
		lea	eax, [ebp+var_14]
		jmp	short loc_74758F
; 

loc_7475AE:				; CODE XREF: CmpMarkKeyDirty+15Aj
		call	ecx
		jmp	short loc_747586
CmpMarkKeyDirty	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmpSetValueKeyExisting(int,int,void *,size_t,int)
CmpSetValueKeyExisting proc near	; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+659p
					; CmpPreserveSystemHiveData(x,x)+53Fp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008CDB97 SIZE 00000061 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		or	[ebp+var_20], 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	eax
		push	eax
		mov	ebx, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_1C], eax
		mov	edi, eax
		mov	[ebp+var_18], eax
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_8CDBEE
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+4]
		cmp	ecx, 80000000h
		jnb	loc_747704
		mov	eax, ecx
		mov	[ebp+var_C], ecx

loc_7475F6:				; CODE XREF: CmpSetValueKeyExisting+15Bj
		xor	edx, edx
		mov	[ebp+var_8], 2
		inc	edx
		cmp	ecx, 80000000h
		jnb	loc_747712
		cmp	dword ptr [ebx+9Ch], 4
		jb	short loc_747625
		add	eax, 0FFFFC027h
		cmp	eax, 7FFFC026h
		jbe	loc_7477E4

loc_747625:				; CODE XREF: CmpSetValueKeyExisting+61j
		mov	[ebp+arg_0], edx

loc_747628:				; CODE XREF: CmpSetValueKeyExisting+163j
		mov	ecx, [ebp+var_8]

loc_74762B:				; CODE XREF: CmpSetValueKeyExisting+238j
		mov	eax, [ebp+arg_C]
		cmp	eax, 4
		jbe	loc_74771A
		cmp	dword ptr [ebx+9Ch], 4
		jb	short loc_74764E
		add	eax, 0FFFFC027h
		cmp	eax, 7FFFC026h
		mov	eax, ecx
		jbe	short loc_747650

loc_74764E:				; CODE XREF: CmpSetValueKeyExisting+8Cj
		mov	eax, edx

loc_747650:				; CODE XREF: CmpSetValueKeyExisting+9Aj
					; CmpSetValueKeyExisting+16Aj
		mov	edx, esi
		mov	[ebp+var_10], eax
		mov	ecx, ebx
		call	_CmpMarkValueDataDirty@8 ; CmpMarkValueDataDirty(x,x)
		test	al, al
		jz	loc_8CDBEE
		mov	ecx, [ebp+var_10]
		test	cx, cx
		jz	loc_747721
		mov	eax, [esi+8]
		xor	edx, edx
		inc	edx
		mov	[ebp+var_10], eax
		cmp	cx, dx
		jnz	loc_7477EF
		cmp	word ptr [ebp+arg_0], dx
		jnz	loc_7477A8
		cmp	[ebp+var_C], edi
		jbe	loc_7477A8
		lea	ecx, [ebp+var_20]
		push	ecx
		push	eax
		push	ebx
		call	dword ptr [ebx+4]
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8CDB97
		mov	edi, [ebp+arg_C]
		push	0FFFFFFFCh
		pop	eax
		sub	eax, [ecx-4]
		cmp	edi, eax
		ja	loc_74776E
		mov	eax, [ebp+var_10]
		mov	[ebp+arg_C], eax

loc_7476BF:				; CODE XREF: CmpSetValueKeyExisting+1F1j
		push	edi		; size_t
		push	[ebp+arg_8]	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		mov	eax, [ebp+arg_C]
		mov	[esi+8], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+0Ch], eax
		mov	eax, 0FFFDh
		and	[esi+10h], ax
		mov	eax, [ebp+var_8]
		mov	[esi+4], edi
		cmp	word ptr [ebp+arg_0], ax
		jz	loc_8CDBA1

loc_7476F9:				; CODE XREF: CmpSetValueKeyExisting+289j
					; CmpSetValueKeyExisting+1865FCj
		xor	edi, edi

loc_7476FB:				; CODE XREF: CmpSetValueKeyExisting+243j
					; CmpSetValueKeyExisting+268j ...
		mov	eax, edi

loc_7476FD:				; CODE XREF: CmpSetValueKeyExisting+1BAj
					; CmpSetValueKeyExisting+186641j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_747704:				; CODE XREF: CmpSetValueKeyExisting+39j
		lea	eax, [ecx-80000000h]
		mov	[ebp+var_C], eax
		jmp	loc_7475F6
; 

loc_747712:				; CODE XREF: CmpSetValueKeyExisting+54j
		and	[ebp+arg_0], edi
		jmp	loc_747628
; 

loc_74771A:				; CODE XREF: CmpSetValueKeyExisting+7Fj
		xor	eax, eax
		jmp	loc_747650
; 

loc_747721:				; CODE XREF: CmpSetValueKeyExisting+B8j
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		inc	ecx
		cmp	ax, cx
		mov	ecx, [ebp+var_C]
		jz	loc_7477CC

loc_747733:				; CODE XREF: CmpSetValueKeyExisting+21Cj
		cmp	ax, word ptr [ebp+var_8]
		jz	loc_7477D4

loc_74773D:				; CODE XREF: CmpSetValueKeyExisting+22Dj
		mov	ecx, [ebp+arg_C]
		push	ecx		; size_t
		push	[ebp+arg_8]	; void *
		lea	eax, [ecx-80000000h]
		mov	[esi+4], eax
		lea	eax, [esi+8]
		and	[eax], edi
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	[esi+0Ch], eax
		mov	eax, 0FFFDh
		and	[esi+10h], ax
		xor	eax, eax
		jmp	short loc_7476FD
; 

loc_74776E:				; CODE XREF: CmpSetValueKeyExisting+101j
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_20]
		and	[ebp+var_14], 0
		xor	ecx, ecx
		push	eax
		lea	eax, [ebp+var_14]
		inc	ecx
		push	eax
		push	ecx
		push	edi
		mov	ecx, ebx
		call	_HvReallocateCell@24 ; HvReallocateCell(x,x,x,x,x,x)
		mov	[ebp+arg_C], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_8CDB97
		mov	[esi+8], eax

loc_7477A0:				; CODE XREF: CmpSetValueKeyExisting+213j
		mov	ecx, [ebp+var_14]
		jmp	loc_7476BF
; 

loc_7477A8:				; CODE XREF: CmpSetValueKeyExisting+D4j
					; CmpSetValueKeyExisting+DDj
		mov	edi, [ebp+arg_C]
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_14]
		mov	edx, edi
		push	eax
		push	[ebp+arg_10]
		mov	ecx, ebx
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	[ebp+arg_C], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_7477A0
		jmp	loc_8CDB97
; 

loc_7477CC:				; CODE XREF: CmpSetValueKeyExisting+17Bj
		test	ecx, ecx
		jz	loc_747733

loc_7477D4:				; CODE XREF: CmpSetValueKeyExisting+185j
		mov	edx, [esi+8]
		push	ecx
		mov	ecx, ebx
		call	CmpFreeValueData
		jmp	loc_74773D
; 

loc_7477E4:				; CODE XREF: CmpSetValueKeyExisting+6Dj
		mov	ecx, [ebp+var_8]
		mov	[ebp+arg_0], ecx
		jmp	loc_74762B
; 

loc_7477EF:				; CODE XREF: CmpSetValueKeyExisting+CAj
		mov	edx, [ebp+var_8]
		cmp	cx, dx
		jnz	loc_7476FB
		cmp	word ptr [ebp+arg_0], dx
		mov	ecx, ebx
		mov	edx, [ebp+arg_8]
		jnz	loc_8CDBB3
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	CmpSetValueDataExisting
		mov	edi, eax
		test	edi, edi
		js	loc_7476FB

loc_747820:				; CODE XREF: CmpSetValueKeyExisting+186637j
		mov	eax, [ebp+arg_C]
		mov	[esi+4], eax
		mov	eax, [ebp+var_10]
		mov	[esi+8], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+0Ch], eax
		mov	eax, 0FFFDh
		and	[esi+10h], ax
		jmp	loc_7476F9
CmpSetValueKeyExisting endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpMarkValueDataDirty(x, x)
_CmpMarkValueDataDirty@8 proc near	; CODE XREF: CmpMarkKeyDirty+14Bp
					; CmpSetValueKeyExisting+A5p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	eax, edx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	esi, ecx
		mov	edi, [eax+8]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_747899
		mov	eax, [eax+4]
		mov	edx, 80000000h
		lea	ecx, [eax-80000000h]
		cmp	eax, edx
		jnb	short loc_747899
		xor	ebx, ebx
		mov	ecx, eax
		cmp	dword ptr [esi+9Ch], 4
		jb	short loc_747886
		lea	eax, [ecx-3FD9h]
		cmp	eax, 7FFFC026h
		jbe	short loc_7478A2

loc_747886:				; CODE XREF: CmpMarkValueDataDirty(x,x)+37j
					; CmpMarkValueDataDirty(x,x)+FCj
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	ebx
		push	ebx
		mov	edx, [edx+8]
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_74789B

loc_747899:				; CODE XREF: CmpMarkValueDataDirty(x,x)+18j
					; CmpMarkValueDataDirty(x,x)+2Aj
		mov	bl, 1

loc_74789B:				; CODE XREF: CmpMarkValueDataDirty(x,x)+57j
					; CmpMarkValueDataDirty(x,x)+80j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_7478A2:				; CODE XREF: CmpMarkValueDataDirty(x,x)+44j
		or	[ebp+var_18], 0FFFFFFFFh
		lea	eax, [ebp+var_18]
		or	[ebp+var_10], 0FFFFFFFFh
		push	eax
		push	edi
		push	esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_4], ebx
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	short loc_74789B
		mov	eax, [edi+4]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_74791A
		lea	ecx, [ebp+var_10]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	short loc_74792A
		xor	eax, eax
		cmp	ax, [edi+2]
		jnb	short loc_747908

loc_7478E4:				; CODE XREF: CmpMarkValueDataDirty(x,x)+C6j
		movzx	eax, bx
		mov	edx, [ecx+eax*4]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_747901
		push	0
		push	0
		mov	ecx, esi
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_747941
		mov	ecx, [ebp+var_4]

loc_747901:				; CODE XREF: CmpMarkValueDataDirty(x,x)+ADj
		inc	ebx
		cmp	bx, [edi+2]
		jb	short loc_7478E4

loc_747908:				; CODE XREF: CmpMarkValueDataDirty(x,x)+A2j
		mov	edx, [edi+4]
		mov	ecx, esi
		push	0
		push	0
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_747941

loc_74791A:				; CODE XREF: CmpMarkValueDataDirty(x,x)+88j
		mov	bl, 1

loc_74791C:				; CODE XREF: CmpMarkValueDataDirty(x,x)+103j
		cmp	[ebp+var_4], 0
		jz	short loc_74792A
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_74792A:				; CODE XREF: CmpMarkValueDataDirty(x,x)+9Aj
					; CmpMarkValueDataDirty(x,x)+E0j
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		test	bl, bl
		jz	loc_74789B
		xor	ebx, ebx
		jmp	loc_747886
; 

loc_747941:				; CODE XREF: CmpMarkValueDataDirty(x,x)+BCj
					; CmpMarkValueDataDirty(x,x)+D8j
		xor	bl, bl
		jmp	short loc_74791C
_CmpMarkValueDataDirty@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfLookupPermanentName proc near	; CODE XREF: NtDeleteWnfStateName+1F7p
					; ExpNtUpdateWnfStateData+274p	...

var_46		= byte ptr -46h
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CDBF8 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi		; struct _exception *
		mov	edi, [ebp+arg_0]
		push	22h
		mov	[esp+5Ch+var_2C], ecx
		xor	ecx, ecx
		pop	eax
		mov	[esp+58h+var_3C], ecx
		mov	ebx, ecx
		mov	word ptr [esp+58h+var_3C+2], ax
		lea	eax, [esp+58h+var_28]
		push	esi
		mov	[esp+5Ch+var_40], ecx
		mov	[esp+5Ch+var_44], ecx
		lea	ecx, [esp+5Ch+var_3C]
		push	edi
		mov	[esp+60h+var_38], eax
		call	_ExpWnfComposeValueName@12 ; ExpWnfComposeValueName(x,x,x)
		shrd	edi, esi, 4
		and	edi, 3
		jnz	loc_747ACA
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		push	eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	[esp+58h+var_30], eax
		mov	[esp+58h+var_45], 1

loc_7479B5:				; CODE XREF: ExpWnfLookupPermanentName+18Cj
		lea	edx, [esp+58h+var_40]
		mov	ecx, edi
		call	ExpWnfGetNameStoreRegistryRoot
		mov	esi, eax
		test	esi, esi
		js	loc_747A67
		lea	eax, [esp+58h+var_44]
		xor	edi, edi
		push	eax
		push	edi
		push	edi

loc_7479D3:				; CODE XREF: ExpWnfLookupPermanentName+176j
		push	2
		lea	eax, [esp+68h+var_3C]
		mov	[esp+68h+var_34], edi
		push	eax
		push	[esp+6Ch+var_40]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_747A8D
		test	esi, esi
		js	loc_747AC1
		cmp	dword ptr [edi+4], 3
		jnz	loc_8CDC08
		mov	edi, ebx
		xor	eax, eax
		push	0
		stosd
		stosd
		stosd
		mov	edi, [esp+5Ch+var_34]
		lea	esi, [edi+0Ch]
		mov	edi, [edi+8]
		push	edi
		push	esi
		mov	[ebx+8], esi
		call	_RtlValidRelativeSecurityDescriptor@12 ; RtlValidRelativeSecurityDescriptor(x,x,x)
		test	al, al
		jz	loc_8CDC08
		mov	ecx, [ebx+8]
		call	_ExpWnfSpecializeSecurityDescriptor@4 ;	ExpWnfSpecializeSecurityDescriptor(x)
		push	dword ptr [ebx+8]
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		sub	edi, eax
		add	esi, eax
		cmp	edi, 4
		jb	loc_8CDC08
		mov	eax, [esi]
		lea	ecx, [esi+4]
		mov	[ebx], eax
		lea	eax, [edi-4]
		cmp	eax, 10h
		sbb	eax, eax
		not	eax
		and	eax, ecx
		xor	esi, esi
		mov	[ebx+4], eax
		mov	eax, [esp+58h+var_2C]
		mov	[eax], ebx

loc_747A67:				; CODE XREF: ExpWnfLookupPermanentName+7Ej
					; ExpWnfLookupPermanentName+17Dj ...
		cmp	[esp+58h+var_45], 0
		jz	short loc_747A77
		push	[esp+58h+var_30]
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)

loc_747A77:				; CODE XREF: ExpWnfLookupPermanentName+126j
		mov	ecx, [esp+58h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_747A8D:				; CODE XREF: ExpWnfLookupPermanentName+A9j
		test	ebx, ebx
		jnz	loc_8CDBF8

loc_747A95:				; CODE XREF: ExpWnfLookupPermanentName+1862BDj
		mov	eax, [esp+58h+var_44]
		push	20666E57h
		add	eax, 0Ch
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_747AD7
		lea	eax, [esp+58h+var_44]
		push	eax
		push	[esp+5Ch+var_44]
		lea	edi, [ebx+0Ch]
		push	edi
		jmp	loc_7479D3
; 

loc_747AC1:				; CODE XREF: ExpWnfLookupPermanentName+B1j
					; ExpWnfLookupPermanentName+196j ...
		test	ebx, ebx
		jz	short loc_747A67
		jmp	loc_8CDC12
; 

loc_747ACA:				; CODE XREF: ExpWnfLookupPermanentName+55j
		and	[esp+58h+var_30], ebx
		mov	[esp+58h+var_45], bl
		jmp	loc_7479B5
; 

loc_747AD7:				; CODE XREF: ExpWnfLookupPermanentName+167j
		mov	esi, 0C000009Ah
		jmp	short loc_747AC1
ExpWnfLookupPermanentName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfGetNameStoreRegistryRoot proc near ; CODE	XREF: ExpWnfLookupPermanentName+75p
					; ExpWnfRegisterPermanentName+49p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CDC22 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		push	6
		xor	eax, eax
		mov	ebx, edx
		pop	ecx
		xor	edx, edx
		rep stosd
		imul	edi, esi, 1Ch
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		sub	esi, edx
		jnz	short loc_747B1A
		mov	esi, offset _ExpWnfWellKnownNameStoreRootKey

loc_747B0B:				; CODE XREF: ExpWnfGetNameStoreRegistryRoot+4Ej
		cmp	[esi], edx
		jz	short loc_747B3B

loc_747B0F:				; CODE XREF: ExpWnfGetNameStoreRegistryRoot+D9j
					; ExpWnfGetNameStoreRegistryRoot+18615Bj
		mov	eax, [esi]
		mov	[ebx], eax
		xor	eax, eax

loc_747B15:				; CODE XREF: ExpWnfGetNameStoreRegistryRoot+C2j
					; ExpWnfGetNameStoreRegistryRoot+18614Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_747B1A:				; CODE XREF: ExpWnfGetNameStoreRegistryRoot+26j
		sub	esi, 1
		jz	short loc_747B2E
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		lea	esi, [eax+210h]

loc_747B2A:				; CODE XREF: ExpWnfGetNameStoreRegistryRoot+5Bj
		xor	edx, edx
		jmp	short loc_747B0B
; 

loc_747B2E:				; CODE XREF: ExpWnfGetNameStoreRegistryRoot+3Fj
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		lea	esi, [eax+20Ch]
		jmp	short loc_747B2A
; 

loc_747B3B:				; CODE XREF: ExpWnfGetNameStoreRegistryRoot+2Fj
		cmp	_CmStateSeparationEnabled, 0
		lea	eax, off_A41B3C[edi]
		mov	[ebp+var_24], 18h
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], 240h
		jnz	short loc_747B61
		lea	eax, off_A41B34[edi]

loc_747B61:				; CODE XREF: ExpWnfGetNameStoreRegistryRoot+7Bj
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_8]
		push	eax
		xor	eax, eax
		mov	[ebp+var_14], edx
		cmp	ds:dword_A41B48[edi], edx
		mov	[ebp+var_10], edx
		setnz	al
		push	eax
		push	edx
		push	edx
		lea	eax, [ebp+var_24]
		push	eax
		mov	eax, ds:dword_A41B44[edi]
		neg	eax
		sbb	eax, eax
		and	eax, 0FFF2FFDAh
		add	eax, 0F003Fh
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_747B15
		cmp	[ebp+var_8], 1
		jz	short loc_747BC2

loc_747BAC:				; CODE XREF: ExpWnfGetNameStoreRegistryRoot+112j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	loc_747B0F
		jmp	loc_8CDC31
; 

loc_747BC2:				; CODE XREF: ExpWnfGetNameStoreRegistryRoot+CCj
		cmp	_CmStateSeparationEnabled, 0
		lea	eax, off_A41B3C[edi]
		push	eax
		lea	eax, off_A41B34[edi]
		setnz	byte ptr [ebp+var_C]
		push	eax
		push	[ebp+var_C]
		call	ds:__imp__ExpInitializeStateSeparationPhase2@12	; ExpInitializeStateSeparationPhase2(x,x,x)
		lea	edi, [eax+3FFFFF45h]
		neg	edi
		sbb	edi, edi
		and	edi, eax
		jge	short loc_747BAC
		jmp	loc_8CDC22
ExpWnfGetNameStoreRegistryRoot endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfComposeValueName(x, x, x)
_ExpWnfComposeValueName@12 proc	near	; CODE XREF: ExpWnfLookupPermanentName+49p
					; ExpWnfWriteStateData+2B1p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		xor	eax, 41C64E6Dh
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	edx, 0A3BC0074h
		push	ebx
		push	10h
		pop	esi
		push	esi
		push	eax
		push	edx
		call	_RtlInt64ToUnicodeString@16 ; RtlInt64ToUnicodeString(x,x,x,x)
		movzx	edx, word ptr [ebx]
		shr	edx, 1
		push	20h
		sub	esi, edx
		pop	edi
		mov	[ebx], di
		test	edx, edx
		jz	short loc_747C43

loc_747C30:				; CODE XREF: ExpWnfComposeValueName(x,x,x)+49j
		mov	ecx, [ebx+4]
		lea	edi, [edi-2]
		sub	edx, 1
		mov	ax, [ecx+edx*2]
		mov	[edi+ecx], ax
		jnz	short loc_747C30

loc_747C43:				; CODE XREF: ExpWnfComposeValueName(x,x,x)+36j
		test	esi, esi
		jnz	short loc_747C4E

loc_747C47:				; CODE XREF: ExpWnfComposeValueName(x,x,x)+63j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_747C4E:				; CODE XREF: ExpWnfComposeValueName(x,x,x)+4Dj
					; ExpWnfComposeValueName(x,x,x)+65j
		mov	eax, [ebx+4]
		sub	esi, 1
		push	30h
		pop	ecx
		mov	[eax+esi*2], cx
		jz	short loc_747C47
		jmp	short loc_747C4E
_ExpWnfComposeValueName@12 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2180. RtlInt64ToUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInt64ToUnicodeString(x, x, x, x)
		public _RtlInt64ToUnicodeString@16
_RtlInt64ToUnicodeString@16 proc near	; CODE XREF: ExpWnfComposeValueName(x,x,x)+22p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	41h
		pop	edi
		push	edi
		push	[ebp+arg_8]
		lea	eax, [ebp+var_50]
		push	eax
		call	RtlLargeIntegerToChar
		test	eax, eax
		js	short loc_747CC7
		lea	eax, [ebp+var_48]
		mov	word ptr [ebp+var_50+2], di
		mov	ecx, eax
		mov	[ebp+var_4C], eax
		lea	edx, [ecx+1]

loc_747CAE:				; CODE XREF: RtlInt64ToUnicodeString(x,x,x,x)+4Fj
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_747CAE
		push	0
		lea	eax, [ebp+var_50]
		sub	ecx, edx
		push	eax
		push	esi
		mov	word ptr [ebp+var_50], cx
		call	RtlAnsiStringToUnicodeString

loc_747CC7:				; CODE XREF: RtlInt64ToUnicodeString(x,x,x,x)+39j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_RtlInt64ToUnicodeString@16 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2282. RtlPrefixString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlPrefixString(x, x, x)
		public _RtlPrefixString@12
_RtlPrefixString@12 proc near		; CODE XREF: IopCheckDiskName(x,x,x)+24p
					; IopCheckDiskName(x,x,x)+56p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	dl, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [ecx+4]
		movzx	ecx, word ptr [ecx]
		push	edi
		mov	edi, [eax+4]
		movzx	eax, word ptr [eax]
		cmp	eax, ecx
		jb	short loc_747D39
		add	ecx, esi
		mov	[ebp+arg_4], ecx
		cmp	esi, ecx
		jnb	short loc_747D1F
		test	dl, dl
		jz	short loc_747D42

loc_747D0A:				; CODE XREF: RtlPrefixString(x,x,x)+41j
		mov	cl, [esi]
		mov	al, [edi]
		mov	byte ptr [ebp+arg_0], cl
		mov	[ebp+arg_8], al
		cmp	cl, al
		jnz	short loc_747D23

loc_747D18:				; CODE XREF: RtlPrefixString(x,x,x)+5Bj
		inc	esi
		inc	edi
		cmp	esi, [ebp+arg_4]
		jb	short loc_747D0A

loc_747D1F:				; CODE XREF: RtlPrefixString(x,x,x)+28j
					; RtlPrefixString(x,x,x)+74j
		mov	al, 1
		jmp	short loc_747D3B
; 

loc_747D23:				; CODE XREF: RtlPrefixString(x,x,x)+3Aj
		push	dword ptr [ebp+arg_8]
		call	_RtlUpperChar@4	; RtlUpperChar(x)
		push	[ebp+arg_0]
		mov	bl, al
		call	_RtlUpperChar@4	; RtlUpperChar(x)
		cmp	al, bl
		jz	short loc_747D18

loc_747D39:				; CODE XREF: RtlPrefixString(x,x,x)+1Fj
					; RtlPrefixString(x,x,x)+6Dj
		xor	al, al

loc_747D3B:				; CODE XREF: RtlPrefixString(x,x,x)+45j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_747D42:				; CODE XREF: RtlPrefixString(x,x,x)+2Cj
		sub	edi, esi

loc_747D44:				; CODE XREF: RtlPrefixString(x,x,x)+72j
		mov	al, [esi]
		cmp	al, [edi+esi]
		jnz	short loc_747D39
		inc	esi
		cmp	esi, ecx
		jb	short loc_747D44
		jmp	short loc_747D1F
_RtlPrefixString@12 endp

; 
		align 8
; Exported entry 2214. RtlIsNameLegalDOS8Dot3

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIsNameLegalDOS8Dot3
RtlIsNameLegalDOS8Dot3 proc near

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008CDC3E SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	bl, dl
		cmp	word ptr [eax],	18h
		mov	bh, dl
		push	edi
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_11], bl
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], edx
		jbe	short loc_747D9E

loc_747D8B:				; CODE XREF: RtlIsNameLegalDOS8Dot3+6Aj
					; RtlIsNameLegalDOS8Dot3+C1j ...
		xor	al, al

loc_747D8D:				; CODE XREF: RtlIsNameLegalDOS8Dot3+FFj
					; RtlIsNameLegalDOS8Dot3+185EFAj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_747D9E:				; CODE XREF: RtlIsNameLegalDOS8Dot3+31j
		test	esi, esi
		jnz	short loc_747DB8
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_20], ecx
		lea	esi, [ebp+var_24]
		xor	ecx, ecx
		push	0Ch
		mov	word ptr [ebp+var_24], cx
		pop	ecx
		mov	word ptr [ebp+var_24+2], cx

loc_747DB8:				; CODE XREF: RtlIsNameLegalDOS8Dot3+48j
		push	edx
		push	eax
		push	esi
		call	RtlUpcaseUnicodeStringToCountedOemString
		test	eax, eax
		js	short loc_747D8B
		movzx	ecx, word ptr [esi]
		xor	edx, edx
		inc	edx
		cmp	cx, dx
		jz	loc_747E92

loc_747DD3:				; CODE XREF: RtlIsNameLegalDOS8Dot3+140j
		cmp	ecx, 2
		jz	loc_747EA9

loc_747DDC:				; CODE XREF: RtlIsNameLegalDOS8Dot3+157j
					; RtlIsNameLegalDOS8Dot3+185EEAj
		xor	eax, eax
		mov	[ebp+var_18], ecx
		mov	edx, eax
		test	ecx, ecx
		jz	short loc_747E51
		mov	eax, [esi+4]
		mov	[ebp+var_1C], eax

loc_747DED:				; CODE XREF: RtlIsNameLegalDOS8Dot3+E2j
		cmp	ds:_NlsMbOemCodePageTag, 0
		mov	bl, [eax+edx]
		movzx	esi, bl
		jnz	loc_8CDC57

loc_747E00:				; CODE XREF: RtlIsNameLegalDOS8Dot3+185F0Cj
		cmp	bl, 80h
		jnb	short loc_747E25
		xor	eax, eax
		mov	ecx, esi
		and	ecx, 1Fh
		shr	esi, 5
		inc	eax
		shl	eax, cl
		test	ds:_RtlFatIllegalTable[esi*4], eax
		jnz	loc_747D8B
		mov	ecx, [ebp+var_18]
		mov	eax, [ebp+var_1C]

loc_747E25:				; CODE XREF: RtlIsNameLegalDOS8Dot3+ABj
		cmp	bl, 20h
		jz	short loc_747EA3

loc_747E2A:				; CODE XREF: RtlIsNameLegalDOS8Dot3+14Fj
		cmp	bl, 2Eh
		jz	short loc_747E65

loc_747E2F:				; CODE XREF: RtlIsNameLegalDOS8Dot3+138j
		cmp	edx, 8
		jnb	short loc_747E5C

loc_747E34:				; CODE XREF: RtlIsNameLegalDOS8Dot3+106j
					; RtlIsNameLegalDOS8Dot3+185F2Bj
		mov	eax, [ebp+var_1C]
		inc	edx
		cmp	edx, ecx
		jb	short loc_747DED
		cmp	bl, 20h
		jz	loc_747D8B
		cmp	bl, 2Eh
		jz	loc_747D8B
		mov	bl, [ebp+var_11]

loc_747E51:				; CODE XREF: RtlIsNameLegalDOS8Dot3+8Dj
		test	edi, edi
		jnz	short loc_747EBA

loc_747E55:				; CODE XREF: RtlIsNameLegalDOS8Dot3+164j
		mov	al, 1
		jmp	loc_747D8D
; 

loc_747E5C:				; CODE XREF: RtlIsNameLegalDOS8Dot3+DAj
		test	bh, bh
		jnz	short loc_747E34
		jmp	loc_747D8B
; 

loc_747E65:				; CODE XREF: RtlIsNameLegalDOS8Dot3+D5j
		test	bh, bh
		jnz	loc_747D8B
		test	edx, edx
		jz	loc_747D8B
		cmp	byte ptr [eax+edx-1], 20h
		jz	loc_747D8B
		mov	eax, ecx
		sub	eax, edx
		dec	eax
		cmp	eax, 3
		ja	loc_747D8B
		inc	bh
		jmp	short loc_747E2F
; 

loc_747E92:				; CODE XREF: RtlIsNameLegalDOS8Dot3+75j
		mov	eax, [esi+4]
		cmp	byte ptr [eax],	2Eh
		jnz	loc_747DD3
		jmp	loc_8CDC48
; 

loc_747EA3:				; CODE XREF: RtlIsNameLegalDOS8Dot3+D0j
		mov	[ebp+var_11], 1
		jmp	short loc_747E2A
; 

loc_747EA9:				; CODE XREF: RtlIsNameLegalDOS8Dot3+7Ej
		mov	eax, [esi+4]
		cmp	byte ptr [eax],	2Eh
		jnz	loc_747DDC
		jmp	loc_8CDC3E
; 

loc_747EBA:				; CODE XREF: RtlIsNameLegalDOS8Dot3+FBj
		mov	[edi], bl
		jmp	short loc_747E55
RtlIsNameLegalDOS8Dot3 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2393. RtlUpcaseUnicodeStringToCountedOemString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUpcaseUnicodeStringToCountedOemString
RtlUpcaseUnicodeStringToCountedOemString proc near ; CODE XREF:	RtlIsNameLegalDOS8Dot3+63p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008CDC88 SIZE 00000051 BYTES

		push	14h
		push	offset dword_6A02A0
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_20], edi
		mov	esi, [ebp+arg_4]
		push	esi
		call	_RtlxUnicodeStringToOemSize@4 ;	RtlxUnicodeStringToOemSize(x)
		sub	eax, 1
		jz	loc_8CDC88
		cmp	eax, 0FFFFh
		ja	loc_8CDC99
		movzx	ecx, ax
		mov	ebx, [ebp+arg_0]
		mov	[ebx], cx
		cmp	[ebp+arg_8], 0
		jnz	loc_8CDCA3
		cmp	cx, [ebx+2]
		ja	loc_8CDCC2

loc_747F0F:				; CODE XREF: RtlUpcaseUnicodeStringToCountedOemString+185DEEj
		mov	[ebp+var_1C], edi
		mov	[ebp+ms_exc.disabled], edi
		mov	[ebp+var_24], 1
		movzx	eax, word ptr [esi]
		push	eax
		push	dword ptr [esi+4]
		lea	eax, [ebp+var_20]
		push	eax
		movzx	eax, word ptr [ebx]
		push	eax
		push	dword ptr [ebx+4]
		call	RtlUpcaseUnicodeToOemN
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	short loc_747F57
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		call	RtlpDidUnicodeToOemWork
		test	al, al
		jz	loc_8CDCCC

loc_747F4E:				; CODE XREF: RtlUpcaseUnicodeStringToCountedOemString+185E10j
		test	esi, esi
		js	short loc_747F57
		mov	esi, edi
		mov	[ebp+var_1C], esi

loc_747F57:				; CODE XREF: RtlUpcaseUnicodeStringToCountedOemString+76j
					; RtlUpcaseUnicodeStringToCountedOemString+8Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_24], 0
		call	sub_747F7E
		mov	eax, esi

loc_747F6C:				; CODE XREF: RtlUpcaseUnicodeStringToCountedOemString+185DD0j
					; RtlUpcaseUnicodeStringToCountedOemString+185DDAj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
RtlUpcaseUnicodeStringToCountedOemString endp


;  S U B	R O U T	I N E 


sub_747F7E	proc near		; CODE XREF: RtlUpcaseUnicodeStringToCountedOemString+A1p
					; sub_8CDCD9+8j

; FUNCTION CHUNK AT 008CDCE6 SIZE 00000016 BYTES

		cmp	[ebp-24h], edi
		jnz	loc_8CDCE6
		test	esi, esi
		js	loc_8CDCE6

locret_747F8F:				; CODE XREF: sub_747F7E+185D6Cj
		retn
sub_747F7E	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2397. RtlUpcaseUnicodeToOemN

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUpcaseUnicodeToOemN
RtlUpcaseUnicodeToOemN proc near	; CODE XREF: RtlUpcaseUnicodeStringToCountedOemString+6Ap
					; RtlUpcaseUnicodeStringToOemString+63p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008CDCFC SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_10]
		mov	cl, 1
		shr	esi, 1
		call	RtlpIsUtf8Process
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		test	al, al
		jnz	loc_8CDCFC
		cmp	ds:_NlsMbOemCodePageTag, al
		jnz	loc_8CDD0D
		push	ds:_NlsOemToUnicodeData
		push	ds:_NlsUnicodeToOemData
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	UpcaseUnicodeToSingleByteNHelper

loc_747FDA:				; CODE XREF: RtlUpcaseUnicodeToOemN+185D72j
					; RtlUpcaseUnicodeToOemN+185D83j
		pop	esi
		pop	ebp
		retn	14h
RtlUpcaseUnicodeToOemN endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1955. RtlAnsiStringToUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlAnsiStringToUnicodeString
RtlAnsiStringToUnicodeString proc near	; CODE XREF: IopCreateUnicodeFromAnsiBuffer(x,x)+23p
					; CmpInitializeLoadOptions+65p	...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008CDD1E SIZE 0000000A BYTES
; FUNCTION CHUNK AT 008CDD4A SIZE 0000000A BYTES

		push	10h
		push	offset dword_6A02C0
		call	__SEH_prolog4
		and	[ebp+var_20], 0
		mov	ebx, [ebp+arg_4]
		push	ebx
		call	_RtlxAnsiStringToUnicodeSize@4 ; RtlxAnsiStringToUnicodeSize(x)
		cmp	eax, 0FFFEh
		ja	loc_8CDD1E
		movzx	ecx, ax
		lea	edx, [ecx-2]
		mov	edi, [ebp+arg_0]
		mov	[edi], dx
		cmp	[ebp+arg_8], 0
		jnz	loc_7480A2
		movzx	ecx, dx
		add	ecx, 2
		movzx	eax, word ptr [edi+2]
		cmp	ecx, eax
		ja	loc_8CDD4A
		cmp	ecx, 2
		jb	loc_8CDD4A

loc_748039:				; CODE XREF: RtlAnsiStringToUnicodeString+CDj
		and	[ebp+var_1C], 0
		and	[ebp+ms_exc.disabled], 0
		mov	[ebp+arg_4], 1
		movzx	eax, word ptr [ebx]
		push	eax
		push	dword ptr [ebx+4]
		lea	eax, [ebp+var_20]
		push	eax
		movzx	eax, word ptr [edi]
		push	eax
		push	dword ptr [edi+4]
		call	RtlMultiByteToUnicodeN
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		js	short loc_74807B
		mov	ecx, [ebp+var_20]
		shr	ecx, 1
		mov	eax, [edi+4]
		xor	edx, edx
		mov	[eax+ecx*2], dx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx

loc_74807B:				; CODE XREF: RtlAnsiStringToUnicodeString+82j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+arg_4], 0
		call	sub_7480BA
		mov	eax, ebx

loc_748090:				; CODE XREF: RtlAnsiStringToUnicodeString+D4j
					; RtlAnsiStringToUnicodeString+185D3Fj	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7480A2:				; CODE XREF: RtlAnsiStringToUnicodeString+34j
		mov	[edi+2], cx
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[edi+4], eax
		test	eax, eax
		jnz	short loc_748039
		mov	eax, 0C0000017h
		jmp	short loc_748090
RtlAnsiStringToUnicodeString endp


;  S U B	R O U T	I N E 


sub_7480BA	proc near		; CODE XREF: RtlAnsiStringToUnicodeString+A5p
					; sub_8CDD28+6j

; FUNCTION CHUNK AT 008CDD33 SIZE 00000017 BYTES

		cmp	dword ptr [ebp+0Ch], 0
		jnz	loc_8CDD33
		test	ebx, ebx
		js	loc_8CDD33

locret_7480CC:				; CODE XREF: sub_7480BA+185C7Dj
		retn
sub_7480BA	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2255. RtlMultiByteToUnicodeN

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlMultiByteToUnicodeN
RtlMultiByteToUnicodeN proc near	; CODE XREF: _mbstowcs+33p
					; RtlAnsiStringToUnicodeString+76p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008CDD54 SIZE 000000B9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	cl, cl
		call	RtlpIsUtf8Process
		test	al, al
		jnz	loc_8CDD54
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		shr	edx, 1
		push	edi
		cmp	ds:_NlsMbCodePageTag, al
		jnz	loc_8CDD83
		cmp	edx, [ebp+arg_10]
		jb	short loc_748102
		mov	edx, [ebp+arg_10]

loc_748102:				; CODE XREF: RtlMultiByteToUnicodeN+2Bj
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_74810E
		lea	eax, [edx+edx]
		mov	[ecx], eax

loc_74810E:				; CODE XREF: RtlMultiByteToUnicodeN+35j
		mov	esi, ds:_NlsAnsiToUnicodeData
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_748131
		mov	edi, [ebp+arg_C]
		mov	ebx, [ebp+arg_0]

loc_748120:				; CODE XREF: RtlMultiByteToUnicodeN+5Dj
		movzx	eax, byte ptr [ecx+edi]
		mov	ax, [esi+eax*2]
		mov	[ebx+ecx*2], ax
		inc	ecx
		cmp	ecx, edx
		jb	short loc_748120

loc_748131:				; CODE XREF: RtlMultiByteToUnicodeN+46j
					; RtlMultiByteToUnicodeN+185D2Cj ...
		pop	edi
		pop	esi
		pop	ebx

loc_748134:				; CODE XREF: RtlMultiByteToUnicodeN+185C95j
					; RtlMultiByteToUnicodeN+185CACj
		xor	eax, eax
		pop	ebp
		retn	14h
RtlMultiByteToUnicodeN endp

; 
		align 10h
; Exported entry 1954. RtlAnsiStringToUnicodeSize
; Exported entry 2413. RtlxAnsiStringToUnicodeSize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlxAnsiStringToUnicodeSize(x)
		public _RtlxAnsiStringToUnicodeSize@4
_RtlxAnsiStringToUnicodeSize@4 proc near
					; CODE XREF: ScAnsiToUnicodeString(char	*,_UNICODE_STRING *)+30p
					; RtlAnsiStringToUnicodeString+14p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi	; RtlAnsiStringToUnicodeSize
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_4], 0
		movzx	eax, word ptr [ecx]
		push	eax
		push	dword ptr [ecx+4]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlMultiByteToUnicodeSize
		mov	eax, [ebp+var_4]
		add	eax, 2
		leave
		retn	4
_RtlxAnsiStringToUnicodeSize@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2256. RtlMultiByteToUnicodeSize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlMultiByteToUnicodeSize
RtlMultiByteToUnicodeSize proc near	; CODE XREF: RtlxAnsiStringToUnicodeSize(x)+18p
					; RtlxOemStringToUnicodeSize(x)+18p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008CDE0D SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		xor	edi, edi
		xor	cl, cl
		mov	esi, edi
		call	RtlpIsUtf8Process
		test	al, al
		jnz	loc_8CDE0D
		cmp	ds:_NlsMbCodePageTag, al
		jnz	loc_8CDE31
		mov	eax, [ebp+arg_8]
		lea	esi, [eax+eax]

loc_748198:				; CODE XREF: RtlMultiByteToUnicodeSize+185CCAj
					; RtlMultiByteToUnicodeSize+185CEFj ...
		mov	eax, [ebp+arg_0]
		mov	[eax], esi

loc_74819D:				; CODE XREF: RtlMultiByteToUnicodeSize+185CABj
					; RtlMultiByteToUnicodeSize+185CC0j
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	0Ch
RtlMultiByteToUnicodeSize endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpDidUnicodeToOemWork	proc near	; CODE XREF: RtlUpcaseUnicodeStringToCountedOemString+7Dp
					; RtlUnicodeStringToCountedOemString+79p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CDE68 SIZE 000000A6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		push	edi
		mov	edi, ecx
		inc	ebx
		mov	cl, bl
		call	RtlpIsUtf8Process
		test	al, al
		jnz	short loc_748201
		xor	ebx, ebx
		push	esi
		movzx	esi, word ptr [edi]
		cmp	ds:_NlsMbOemCodePageTag, bl
		jnz	loc_8CDE81
		mov	ecx, ebx
		test	esi, esi
		jz	short loc_7481FD
		movzx	eax, byte ptr ds:_OemDefaultChar
		mov	edi, [edi+4]
		mov	edx, [ebp+var_4]
		mov	[ebp+var_8], eax

loc_7481EB:				; CODE XREF: RtlpDidUnicodeToOemWork+55j
		movsx	eax, byte ptr [edi+ecx]
		cmp	eax, [ebp+var_8]
		jz	loc_8CDE68

loc_7481F8:				; CODE XREF: RtlpDidUnicodeToOemWork+185CD6j
		inc	ecx
		cmp	ecx, esi
		jb	short loc_7481EB

loc_7481FD:				; CODE XREF: RtlpDidUnicodeToOemWork+33j
					; RtlpDidUnicodeToOemWork+185CDFj ...
		xor	ebx, ebx
		inc	ebx

loc_748200:				; CODE XREF: RtlpDidUnicodeToOemWork+185CD0j
					; RtlpDidUnicodeToOemWork+185D51j
		pop	esi

loc_748201:				; CODE XREF: RtlpDidUnicodeToOemWork+1Bj
		pop	edi
		mov	al, bl
		pop	ebx
		leave
		retn
RtlpDidUnicodeToOemWork	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2378. RtlUnicodeStringToOemSize
; Exported entry 2416. RtlxUnicodeStringToOemSize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlxUnicodeStringToOemSize(x)
		public _RtlxUnicodeStringToOemSize@4
_RtlxUnicodeStringToOemSize@4 proc near	; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+480p
					; ExpSystemErrorHandler(x,x,x,x,x)+597p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi	; RtlUnicodeStringToOemSize
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_4], 0
		movzx	eax, word ptr [ecx]
		push	eax
		push	dword ptr [ecx+4]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUnicodeToMultiByteSize
		mov	eax, [ebp+var_4]
		inc	eax
		leave
		retn	4
_RtlxUnicodeStringToOemSize@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1986. RtlCompareString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlCompareString
RtlCompareString proc near		; CODE XREF: KsepGetModuleInfoByName(x,x,x,x)+75p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_B		= byte ptr  13h

; FUNCTION CHUNK AT 008CDF0E SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+4]
		movzx	eax, word ptr [eax]
		movzx	ebx, word ptr [ecx]
		mov	esi, [ecx+4]
		mov	[ebp+var_8], eax
		cmp	ebx, eax
		jbe	short loc_7482AF

loc_748259:				; CODE XREF: RtlCompareString+7Bj
		lea	edx, [eax+esi]
		mov	[ebp+var_4], edx
		cmp	esi, edx
		jnb	short loc_74827D
		cmp	[ebp+arg_8], 0
		jz	short loc_7482B8

loc_748269:				; CODE XREF: RtlCompareString+45j
		mov	cl, [esi]
		mov	al, [edi]
		mov	byte ptr [ebp+arg_0], cl
		mov	byte ptr [ebp+arg_4], al
		cmp	cl, al
		jnz	short loc_748284

loc_748277:				; CODE XREF: RtlCompareString+80j
		inc	esi
		inc	edi
		cmp	esi, edx
		jb	short loc_748269

loc_74827D:				; CODE XREF: RtlCompareString+2Bj
					; RtlCompareString+185CEAj
		sub	ebx, [ebp+var_8]
		mov	eax, ebx
		jmp	short loc_7482A8
; 

loc_748284:				; CODE XREF: RtlCompareString+3Fj
		push	[ebp+arg_0]
		call	_RtlUpperChar@4	; RtlUpperChar(x)
		push	[ebp+arg_4]
		mov	[ebp+arg_B], al
		call	_RtlUpperChar@4	; RtlUpperChar(x)
		mov	cl, [ebp+arg_B]
		cmp	cl, al
		jz	short loc_7482B3

loc_74829E:				; CODE XREF: RtlCompareString+185CDFj
		movzx	eax, al
		movzx	ecx, cl
		sub	ecx, eax
		mov	eax, ecx

loc_7482A8:				; CODE XREF: RtlCompareString+4Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7482AF:				; CODE XREF: RtlCompareString+21j
		mov	eax, ebx
		jmp	short loc_748259
; 

loc_7482B3:				; CODE XREF: RtlCompareString+66j
		mov	edx, [ebp+var_4]
		jmp	short loc_748277
; 

loc_7482B8:				; CODE XREF: RtlCompareString+31j
		sub	edi, esi
		jmp	loc_8CDF0E
RtlCompareString endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2398. RtlUpperChar

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUpperChar(x)
		public _RtlUpperChar@4
_RtlUpperChar@4	proc near		; CODE XREF: RtlEqualString(x,x,x)+5Ap
					; RtlEqualString(x,x,x)+64p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	cl, cl
		call	RtlpIsUtf8Process
		mov	al, [ebp+arg_0]
		cmp	al, 61h
		jge	short loc_7482DB

loc_7482D7:				; CODE XREF: RtlUpperChar(x)+19j
					; RtlUpperChar(x)+1Dj
		pop	ebp
		retn	4
; 

loc_7482DB:				; CODE XREF: RtlUpperChar(x)+11j
		cmp	al, 7Ah
		jg	short loc_7482D7
		xor	al, 20h
		jmp	short loc_7482D7
_RtlUpperChar@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpQueryModuleInformation proc near	; CODE XREF: PAGE:0077EEC9p

var_5C		= dword	ptr -5Ch
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CDF25 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A02E0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	ebx, edx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_4C], 0
		mov	[ebp+var_48], 0
		xor	edx, edx
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		mov	edi, 4
		add	ebx, edi
		mov	ecx, _PsLoadedModuleList
		mov	esi, [ebp+arg_0]

loc_748352:				; CODE XREF: ExpQueryModuleInformation+125j
					; ExpQueryModuleInformation+141j
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edx
		cmp	ecx, offset _PsLoadedModuleList
		jz	loc_748436
		lea	eax, [edi+11Ch]
		cmp	eax, edi
		jb	loc_8CDF25
		mov	edi, eax
		cmp	esi, edi
		jb	loc_74841A
		mov	[ebp+var_4], 0
		mov	eax, [ecx+18h]
		mov	[ebx+8], eax
		mov	eax, [ecx+20h]
		mov	[ebx+0Ch], eax
		mov	eax, [ecx+34h]
		mov	[ebx+10h], eax
		mov	ax, [ecx+38h]
		mov	[ebx+18h], ax
		mov	[ebx+14h], dx
		xor	eax, eax
		mov	[ebx+16h], ax
		lea	esi, [ebx+1Ch]
		mov	[ebp+var_48], esi
		mov	[ebp+var_4C], 1000000h
		push	eax
		lea	eax, [ecx+24h]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		call	RtlUnicodeStringToAnsiString
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		test	eax, eax
		js	loc_8CDF2F

loc_7483D0:				; CODE XREF: ExpQueryModuleInformation+185C44j
		movzx	ecx, word ptr [ebp+var_4C]
		mov	edx, [ebp+var_48]
		add	ecx, edx
		mov	[ebp+var_28], ecx
		lea	esp, [esp+0]

loc_7483E0:				; CODE XREF: ExpQueryModuleInformation+100j
		cmp	ecx, edx
		jbe	short loc_7483F6
		dec	ecx
		mov	[ebp+var_28], ecx
		mov	al, [ecx]
		test	al, al
		jz	short loc_7483F6
		cmp	al, 5Ch
		jnz	short loc_7483E0
		inc	ecx
		mov	[ebp+var_28], ecx

loc_7483F6:				; CODE XREF: ExpQueryModuleInformation+F2j
					; ExpQueryModuleInformation+FCj
		sub	ecx, edx
		mov	[ebx+1Ah], cx

loc_7483FC:				; CODE XREF: ExpQueryModuleInformation+185C53j
		mov	[ebp+var_4], 0FFFFFFFEh
		add	ebx, 11Ch
		mov	ecx, [ebp+var_30]
		mov	edx, [ebp+var_2C]
		mov	esi, [ebp+arg_0]
		inc	edx
		mov	ecx, [ecx]
		jmp	loc_748352
; 

loc_74841A:				; CODE XREF: ExpQueryModuleInformation+86j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_748423
		mov	[eax], edi

loc_748423:				; CODE XREF: ExpQueryModuleInformation+12Fj
		mov	eax, 0C0000004h
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		inc	edx
		mov	ecx, [ecx]
		jmp	loc_748352
; 

loc_748436:				; CODE XREF: ExpQueryModuleInformation+6Ej
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_74843F
		mov	[eax], edi

loc_74843F:				; CODE XREF: ExpQueryModuleInformation+14Bj
		cmp	esi, 4
		jb	short loc_74846E
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_3C]
		mov	[eax], edx
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_20]

loc_74845A:				; CODE XREF: ExpQueryModuleInformation+183j
					; ExpQueryModuleInformation+185C3Aj ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_74846E:				; CODE XREF: ExpQueryModuleInformation+152j
		mov	eax, 0C0000004h
		jmp	short loc_74845A
ExpQueryModuleInformation endp

; 
		align 10h
; Exported entry 2374. RtlUnicodeStringToAnsiString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUnicodeStringToAnsiString
RtlUnicodeStringToAnsiString proc near	; CODE XREF: DbgUnicodeStringToAnsiString+3Fp
					; ExpSystemErrorHandler(x,x,x,x,x)+118p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008CDFC0 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0308
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_20], 0
		xor	ebx, ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_1C], ebx
		mov	esi, [ebp+arg_4]
		movzx	eax, word ptr [esi]
		push	eax
		mov	eax, [esi+4]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	RtlUnicodeToMultiByteSize
		mov	ecx, [ebp+var_1C]
		inc	ecx
		cmp	ecx, 0FFFFh
		ja	loc_8CDFC0
		movzx	edx, cx
		lea	eax, [edx-1]
		mov	edi, [ebp+arg_0]
		mov	[edi], ax
		cmp	[ebp+arg_8], bl
		jnz	short loc_748573
		movzx	ecx, word ptr [edi+2]
		cmp	ax, cx
		jnb	loc_8CDFCA

loc_748503:				; CODE XREF: RtlUnicodeStringToAnsiString+102j
					; RtlUnicodeStringToAnsiString+185B67j
		mov	[ebp+var_24], 0
		mov	[ebp+var_4], 0
		mov	[ebp+arg_4], 1
		movzx	eax, word ptr [esi]
		push	eax
		mov	eax, [esi+4]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		movzx	eax, word ptr [edi]
		push	eax
		mov	eax, [edi+4]
		push	eax
		call	RtlUnicodeToMultiByteN
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	short loc_748544
		mov	edx, [edi+4]
		mov	ecx, [ebp+var_20]
		mov	byte ptr [ecx+edx], 0

loc_748544:				; CODE XREF: RtlUnicodeStringToAnsiString+B8j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	[ebp+arg_4], 0
		call	sub_74858F
		test	esi, esi
		js	short loc_74855D
		mov	esi, ebx

loc_74855D:				; CODE XREF: RtlUnicodeStringToAnsiString+D9j
		mov	eax, esi

loc_74855F:				; CODE XREF: RtlUnicodeStringToAnsiString+10Dj
					; RtlUnicodeStringToAnsiString+185B45j	...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_748573:				; CODE XREF: RtlUnicodeStringToAnsiString+74j
		mov	[edi+2], dx
		push	ecx
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[edi+4], eax
		test	eax, eax
		jnz	loc_748503
		mov	eax, 0C0000017h
		jmp	short loc_74855F
RtlUnicodeStringToAnsiString endp


;  S U B	R O U T	I N E 


sub_74858F	proc near		; CODE XREF: RtlUnicodeStringToAnsiString+D2p
					; sub_8CDFEC+9j

; FUNCTION CHUNK AT 008CDFFA SIZE 0000001B BYTES

		cmp	dword ptr [ebp+0Ch], 0
		jnz	loc_8CDFFA
		test	esi, esi
		js	loc_8CDFFA

locret_7485A1:				; CODE XREF: sub_74858F+185A6Fj
		retn
sub_74858F	endp

; 
		align 10h
; Exported entry 2382. RtlUnicodeToMultiByteN

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUnicodeToMultiByteN
RtlUnicodeToMultiByteN proc near	; CODE XREF: _wcstombs+3Dp
					; __wctomb_s_l+64p ...

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008CE015 SIZE 0000008C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	cl, cl
		call	RtlpIsUtf8Process
		test	al, al
		jnz	loc_8CE015
		mov	edx, [ebp+arg_10]
		push	ebx
		push	esi
		shr	edx, 1
		push	edi
		cmp	ds:_NlsMbCodePageTag, al
		jnz	loc_8CE042
		mov	eax, [ebp+arg_4]
		cmp	edx, eax
		jb	short loc_7485E1
		mov	edx, eax

loc_7485E1:				; CODE XREF: RtlUnicodeToMultiByteN+2Dj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_7485EA
		mov	[eax], edx

loc_7485EA:				; CODE XREF: RtlUnicodeToMultiByteN+36j
		mov	esi, ds:_NlsUnicodeToAnsiData
		xor	eax, eax
		test	edx, edx
		jz	short loc_74860F
		mov	edi, [ebp+arg_C]
		mov	ebx, [ebp+arg_0]
		lea	esp, [esp+0]

loc_748600:				; CODE XREF: RtlUnicodeToMultiByteN+5Dj
		movzx	ecx, word ptr [edi+eax*2]
		mov	cl, [ecx+esi]
		mov	[eax+ebx], cl
		inc	eax
		cmp	eax, edx
		jb	short loc_748600

loc_74860F:				; CODE XREF: RtlUnicodeToMultiByteN+44j
					; RtlUnicodeToMultiByteN+185AE2j ...
		pop	edi
		pop	esi
		pop	ebx

loc_748612:				; CODE XREF: RtlUnicodeToMultiByteN+185A78j
					; RtlUnicodeToMultiByteN+185A8Dj
		xor	eax, eax
		pop	ebp
		retn	14h
RtlUnicodeToMultiByteN endp

; 
		align 10h
; Exported entry 2383. RtlUnicodeToMultiByteSize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUnicodeToMultiByteSize
RtlUnicodeToMultiByteSize proc near	; CODE XREF: _wcstombs:loc_586316p
					; RtlxUnicodeStringToOemSize(x)+18p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008CE0A1 SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	cl, cl
		xor	esi, esi
		call	RtlpIsUtf8Process
		test	al, al
		mov	eax, [ebp+arg_8]
		jnz	loc_8CE0A1
		shr	eax, 1
		cmp	ds:_NlsMbCodePageTag, 0
		jnz	loc_8CE0BE
		mov	esi, eax

loc_74864B:				; CODE XREF: RtlUnicodeToMultiByteSize+185A83j
					; RtlUnicodeToMultiByteSize+185AA0j ...
		mov	eax, [ebp+arg_0]
		mov	[eax], esi

loc_748650:				; CODE XREF: RtlUnicodeToMultiByteSize+185A99j
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	0Ch
RtlUnicodeToMultiByteSize endp

; 
		align 10h
; Exported entry 2399. RtlUpperString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUpperString(x, x)
		public _RtlUpperString@8
_RtlUpperString@8 proc near

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+4]
		movzx	eax, word ptr [eax]
		movzx	ebx, word ptr [edx+2]
		mov	ecx, eax
		mov	esi, [edx+4]
		mov	[ebp+arg_0], ecx
		cmp	ax, bx
		ja	short loc_7486B9

loc_748685:				; CODE XREF: RtlUpperString(x,x)+5Ej
		mov	[edx], cx
		test	ecx, ecx
		jz	short loc_7486A8
		lea	esp, [esp+0]

loc_748690:				; CODE XREF: RtlUpperString(x,x)+46j
		mov	bl, [edi]
		xor	cl, cl
		call	RtlpIsUtf8Process
		cmp	bl, 61h
		jge	short loc_7486AF

loc_74869E:				; CODE XREF: RtlUpperString(x,x)+52j
					; RtlUpperString(x,x)+57j
		mov	[esi], bl
		inc	edi
		inc	esi
		sub	[ebp+arg_0], 1
		jnz	short loc_748690

loc_7486A8:				; CODE XREF: RtlUpperString(x,x)+2Aj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7486AF:				; CODE XREF: RtlUpperString(x,x)+3Cj
		cmp	bl, 7Ah
		jg	short loc_74869E
		xor	bl, 20h
		jmp	short loc_74869E
; 

loc_7486B9:				; CODE XREF: RtlUpperString(x,x)+23j
		mov	ecx, ebx
		mov	[ebp+arg_0], ecx
		jmp	short loc_748685
_RtlUpperString@8 endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2396. RtlUpcaseUnicodeToMultiByteN

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUpcaseUnicodeToMultiByteN
RtlUpcaseUnicodeToMultiByteN proc near	; CODE XREF: _toupper+31p
					; RtlUpcaseUnicodeStringToAnsiString(x,x,x)+80p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008CE0F2 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_10]
		xor	cl, cl
		shr	esi, 1
		call	RtlpIsUtf8Process
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		test	al, al
		jnz	loc_8CE0F2
		cmp	ds:_NlsMbCodePageTag, al
		jnz	loc_8CE103
		mov	eax, ds:_NlsAnsiToUnicodeData
		push	eax
		mov	eax, ds:_NlsUnicodeToAnsiData
		push	eax
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	UpcaseUnicodeToSingleByteNHelper

loc_748714:				; CODE XREF: RtlUpcaseUnicodeToMultiByteN+185A2Ej
					; RtlUpcaseUnicodeToMultiByteN+185A3Fj
		pop	esi
		pop	ebp
		retn	14h
RtlUpcaseUnicodeToMultiByteN endp

; 
		align 10h
; Exported entry 1953. RtlAnsiCharToUnicodeChar

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlAnsiCharToUnicodeChar
RtlAnsiCharToUnicodeChar proc near	; CODE XREF: __safecrt_mbtowc+30p
					; _toupper+16p	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CE114 SIZE 000000D9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	cl, cl
		mov	[ebp+var_8], 20h
		call	RtlpIsUtf8Process
		mov	edi, [ebp+arg_0]
		mov	ebx, [edi]
		mov	cl, [ebx]
		test	al, al
		jnz	loc_8CE114
		movzx	eax, cl
		cmp	ds:_NlsLeadByteInfoTable[eax*2], 0
		jnz	short loc_7487B4

loc_748756:				; CODE XREF: RtlAnsiCharToUnicodeChar+1859F7j
		mov	esi, 1

loc_74875B:				; CODE XREF: RtlAnsiCharToUnicodeChar+99j
					; RtlAnsiCharToUnicodeChar+185A07j ...
		lea	eax, [ebp+var_8]
		xor	cl, cl
		mov	[ebp+var_4], eax
		call	RtlpIsUtf8Process
		test	al, al
		jnz	loc_8CE149
		mov	edx, 1
		cmp	ds:_NlsMbCodePageTag, al
		jnz	loc_8CE15F
		cmp	esi, edx
		ja	short loc_748787
		mov	edx, esi

loc_748787:				; CODE XREF: RtlAnsiCharToUnicodeChar+63j
		mov	eax, ds:_NlsAnsiToUnicodeData
		xor	ecx, ecx
		mov	edi, eax

loc_748790:				; CODE XREF: RtlAnsiCharToUnicodeChar+80j
		movzx	eax, byte ptr [ecx+ebx]
		mov	ax, [edi+eax*2]
		mov	word ptr [ebp+ecx*2+var_8], ax
		inc	ecx
		cmp	ecx, edx
		jb	short loc_748790
		mov	edi, [ebp+arg_0]

loc_7487A5:				; CODE XREF: RtlAnsiCharToUnicodeChar+185A3Aj
					; RtlAnsiCharToUnicodeChar+185A4Bj ...
		add	[edi], esi
		mov	ax, word ptr [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7487B4:				; CODE XREF: RtlAnsiCharToUnicodeChar+34j
		mov	esi, 2
		jmp	short loc_74875B
RtlAnsiCharToUnicodeChar endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpIsUtf8Process proc near		; CODE XREF: RtlUpcaseUnicodeToOemN+Dp
					; RtlMultiByteToUnicodeN+7p ...

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0328
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		test	cl, cl
		jnz	short loc_74884D
		movzx	eax, ds:_NlsActiveCodePageIsUTF8

loc_748800:				; CODE XREF: RtlpIsUtf8Process+94j
		test	eax, eax
		jnz	short loc_748860
		mov	[ebp+var_19], al
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+17Ch]
		test	eax, eax
		jz	short loc_748848
		test	cl, cl
		jnz	short loc_748856
		cmp	dword ptr [eax+58h], 0
		jz	short loc_748864

loc_74882A:				; CODE XREF: RtlpIsUtf8Process+9Aj
					; sub_8CE1F3+3j
		xor	al, al

loc_74882C:				; CODE XREF: RtlpIsUtf8Process+9Ej
					; RtlpIsUtf8Process+A6j
		mov	[ebp+var_19], al

loc_74882F:				; CODE XREF: RtlpIsUtf8Process+8Bj
		mov	[ebp+var_4], 0FFFFFFFEh

loc_748836:				; CODE XREF: RtlpIsUtf8Process+A2j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_748848:				; CODE XREF: RtlpIsUtf8Process+5Ej
		mov	al, [ebp+var_19]
		jmp	short loc_74882F
; 

loc_74884D:				; CODE XREF: RtlpIsUtf8Process+37j
		movzx	eax, ds:_NlsOemCodePageIsUTF8
		jmp	short loc_748800
; 

loc_748856:				; CODE XREF: RtlpIsUtf8Process+62j
		cmp	dword ptr [eax+5Ch], 0
		jnz	short loc_74882A
		mov	al, 1
		jmp	short loc_74882C
; 

loc_748860:				; CODE XREF: RtlpIsUtf8Process+42j
		mov	al, 1
		jmp	short loc_748836
; 

loc_748864:				; CODE XREF: RtlpIsUtf8Process+68j
		mov	al, 1
		jmp	short loc_74882C
RtlpIsUtf8Process endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2236. RtlLargeIntegerToChar

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlLargeIntegerToChar
RtlLargeIntegerToChar proc near		; CODE XREF: RtlInt64ToUnicodeString(x,x,x,x)+32p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_1F		= dword	ptr -1Fh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CE1FB SIZE 00000083 BYTES

		push	64h
		push	offset dword_6A0348
		call	__SEH_prolog4_GS
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_64], eax
		and	[ebp+var_6C], 0
		mov	esi, [ebp+arg_4]
		mov	eax, esi
		sub	eax, 0
		jz	loc_8CE216
		dec	eax
		sub	eax, 1
		jz	loc_8CE20C
		sub	eax, 6
		jz	loc_8CE205
		dec	eax
		sub	eax, 1
		jz	loc_8CE219
		sub	eax, 6
		jnz	loc_8CE1FB
		push	4

loc_7488BD:				; CODE XREF: RtlLargeIntegerToChar+185999j
		pop	ebx
		xor	edi, edi
		inc	edi

loc_7488C1:				; CODE XREF: RtlLargeIntegerToChar+1859A3j
		mov	ecx, ebx
		shl	edi, cl
		dec	edi

loc_7488C6:				; CODE XREF: RtlLargeIntegerToChar+1859AFj
		lea	eax, [ebp+var_1F]
		mov	[ebp+var_68], eax
		mov	eax, [edx]
		mov	ecx, [edx+4]
		test	ebx, ebx
		jz	loc_8CE222

loc_7488D9:				; CODE XREF: RtlLargeIntegerToChar+99j
		mov	esi, eax
		and	esi, edi
		mov	edx, ecx
		mov	ecx, ebx
		call	__aullshr
		mov	ecx, eax
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_70], edx
		mov	edx, [ebp+var_68]
		dec	edx
		mov	[ebp+var_68], edx
		mov	al, ds:_RtlpIntegerChars[esi]
		mov	[edx], al
		mov	eax, ecx
		mov	ecx, [ebp+var_70]
		or	eax, ecx
		mov	eax, [ebp+var_6C]
		jnz	short loc_7488D9

loc_748909:				; CODE XREF: RtlLargeIntegerToChar+1859DFj
		lea	ebx, [ebp+var_1F]
		sub	ebx, edx
		mov	edi, [ebp+arg_8]
		mov	eax, [ebp+var_64]
		test	edi, edi
		js	loc_8CE252

loc_74891C:				; CODE XREF: RtlLargeIntegerToChar+185A0Bj
		cmp	ebx, edi

loc_74891E:				; CODE XREF: RtlLargeIntegerToChar+1859E8j
		jg	short loc_748955
		and	[ebp+ms_exc.disabled], 0
		push	ebx		; size_t
		push	edx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	ebx, edi
		jge	short loc_74893A
		mov	eax, [ebp+var_64]
		mov	byte ptr [eax+ebx], 0

loc_74893A:				; CODE XREF: RtlLargeIntegerToChar+C3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax

loc_748943:				; CODE XREF: RtlLargeIntegerToChar+ECj
					; RtlLargeIntegerToChar+185992j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_748955:				; CODE XREF: RtlLargeIntegerToChar:loc_74891Ej
		mov	eax, 80000005h
		jmp	short loc_748943
RtlLargeIntegerToChar endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcHandleDataDestroyProcedure(x)
_AlpcHandleDataDestroyProcedure@4 proc near ; DATA XREF: .text:0040151Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	ebx, [esi+4]
		test	ebx, ebx
		jz	short loc_748988
		add	esi, 8

loc_748973:				; CODE XREF: AlpcHandleDataDestroyProcedure(x)+2Aj
		cmp	dword ptr [esi+8], 0
		jz	short loc_748988
		mov	ecx, esi
		call	_ObReleaseDuplicateInfo@4 ; ObReleaseDuplicateInfo(x)
		inc	edi
		add	esi, 24h
		cmp	edi, ebx
		jb	short loc_748973

loc_748988:				; CODE XREF: AlpcHandleDataDestroyProcedure(x)+12j
					; AlpcHandleDataDestroyProcedure(x)+1Bj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	4
_AlpcHandleDataDestroyProcedure@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ObReleaseDuplicateInfo(x)
_ObReleaseDuplicateInfo@4 proc near	; CODE XREF: AlpcHandleDataDestroyProcedure(x)+1Fp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi+8]
		test	edx, edx
		jz	short loc_7489C5
		mov	ecx, [esi]
		add	edx, 0FFFFFFE8h
		call	_ObpDecrementHandleCount@8 ; ObpDecrementHandleCount(x,x)
		mov	ecx, [esi+8]
		mov	edx, 7544624Fh
		call	ObfDereferenceObjectWithTag
		mov	ecx, [esi]
		mov	edx, 7544624Fh
		call	ObfDereferenceObjectWithTag
		and	dword ptr [esi+8], 0

loc_7489C5:				; CODE XREF: ObReleaseDuplicateInfo(x)+Aj
		pop	esi
		retn
_ObReleaseDuplicateInfo@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpDecrementHandleCount(x, x)
_ObpDecrementHandleCount@8 proc	near	; CODE XREF: ObReleaseDuplicateInfo(x)+11p
					; PAGE:0081725Cp ...

var_34		= byte ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+38h+var_1C]
		mov	esi, edx
		mov	edx, ecx
		push	6
		pop	ecx
		rep stosd
		mov	eax, esi
		mov	[esp+38h+var_2C], edx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		xor	eax, eax
		mov	[esp+38h+var_24], eax
		mov	[esp+38h+var_28], eax
		mov	ebx, ds:_ObTypeIndexTable[ecx*4]
		test	byte ptr [ebx+2Ah], 10h
		jnz	short loc_748A34
		test	byte ptr [esi+0Fh], 8
		jnz	short loc_748A34
		or	edi, 0FFFFFFFFh
		lock xadd [esi+4], edi
		dec	edi
		inc	edi
		jmp	short loc_748AA1
; 

loc_748A34:				; CODE XREF: ObpDecrementHandleCount(x,x)+58j
					; ObpDecrementHandleCount(x,x)+5Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+8]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		lea	ecx, [esi+4]
		or	eax, 0FFFFFFFFh
		mov	edi, [ecx]
		lock xadd [ecx], eax
		jnz	short loc_748A76
		test	byte ptr [esi+0Fh], 8
		jz	short loc_748A76
		movzx	eax, byte ptr [esi+0Eh]
		mov	ecx, esi
		and	eax, 1Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		xor	eax, eax
		mov	[ecx], eax

loc_748A76:				; CODE XREF: ObpDecrementHandleCount(x,x)+90j
					; ObpDecrementHandleCount(x,x)+96j
		test	byte ptr [ebx+2Ah], 10h
		jz	short loc_748A8C
		mov	edx, [esp+38h+var_2C]
		lea	eax, [esp+38h+var_28]
		push	eax
		mov	ecx, esi
		call	ObpReleaseHandleInfo

loc_748A8C:				; CODE XREF: ObpDecrementHandleCount(x,x)+B2j
		xor	edx, edx
		lea	ecx, [esi+8]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edx, [esp+38h+var_2C]
		xor	eax, eax

loc_748AA1:				; CODE XREF: ObpDecrementHandleCount(x,x)+6Aj
		mov	ecx, [ebx+60h]
		test	ecx, ecx
		jz	short loc_748B0D
		mov	[esp+38h+var_20], eax
		mov	eax, large fs:124h
		cmp	[eax+80h], edx
		jz	short loc_748AE6
		push	edx
		mov	byte ptr [esp+3Ch+var_24], 1
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		push	eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	ecx, [esp+38h+var_2C]
		xor	edx, edx
		mov	[esp+38h+var_20], eax
		lea	eax, [esp+38h+var_1C]
		push	eax
		call	KiStackAttachProcess
		mov	ecx, [ebx+60h]
		mov	edx, [esp+38h+var_2C]

loc_748AE6:				; CODE XREF: ObpDecrementHandleCount(x,x)+F0j
		push	edi
		push	[esp+3Ch+var_28]
		lea	eax, [esi+18h]
		push	eax
		push	edx
		call	ecx
		cmp	[esp+48h+var_34], 0
		jz	short loc_748B0D
		xor	edx, edx
		lea	ecx, [esp+48h+var_2C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		push	[esp+48h+var_30]
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)

loc_748B0D:				; CODE XREF: ObpDecrementHandleCount(x,x)+DEj
					; ObpDecrementHandleCount(x,x)+12Fj
		cmp	edi, 1
		jnz	short loc_748B19
		mov	ecx, esi
		call	ObpDeleteNameCheck

loc_748B19:				; CODE XREF: ObpDecrementHandleCount(x,x)+148j
		lock dec dword ptr [ebx+1Ch]
		mov	ecx, [esp+48h+var_14]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_ObpDecrementHandleCount@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpDeleteNameCheck proc	near		; CODE XREF: ObpDereferenceNamedObject(x)+26p
					; ObpDecrementHandleCount(x,x)+14Cp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_6		= word ptr -6
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CA0F1 SIZE 00000071 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+2Ch+var_10], 0
		xor	eax, eax
		mov	[esp+2Ch+var_C], 0
		mov	[esp+2Ch+var_8], ax
		push	edi
		mov	al, [esi+0Eh]
		test	al, 2
		jz	short loc_748BBB
		movzx	eax, al
		mov	edi, esi
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	edi, eax
		jz	short loc_748BBB
		lea	ebx, [esi+8]
		jmp	short loc_748B80
; 
		align 10h

loc_748B80:				; CODE XREF: ObpDeleteNameCheck+44j
					; ObpDeleteNameCheck:loc_8CA111j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi]
		mov	[esp+30h+var_24], eax
		test	eax, eax
		jz	short loc_748BAD
		test	byte ptr [esi+0Fh], 10h
		jz	short loc_748BC2

loc_748BA7:				; CODE XREF: ObpDeleteNameCheck+96j
		xor	cl, cl

loc_748BA9:				; CODE XREF: ObpDeleteNameCheck+9Aj
		test	cl, cl
		jnz	short loc_748BCC

loc_748BAD:				; CODE XREF: ObpDeleteNameCheck+6Fj
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_748BBB:				; CODE XREF: ObpDeleteNameCheck+2Cj
					; ObpDeleteNameCheck+3Fj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_748BC2:				; CODE XREF: ObpDeleteNameCheck+75j
		cmp	dword ptr [esi+4], 0
		jnz	short loc_748BA7
		mov	cl, 1
		jmp	short loc_748BA9
; 

loc_748BCC:				; CODE XREF: ObpDeleteNameCheck+7Bj
		mov	ecx, eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edx, [esp+30h+var_24]
		lea	ecx, [esp+30h+var_18]
		mov	[esp+30h+var_18], 0
		mov	[esp+30h+var_14], 0
		mov	[esp+30h+var_6], 0
		mov	[esp+30h+var_4], 0FFFF1234h
		call	_ObpLockDirectoryExclusive@8 ; ObpLockDirectoryExclusive(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi]
		mov	[esp+30h+var_20], eax
		cmp	eax, [esp+30h+var_24]
		jnz	loc_8CA0F1
		test	byte ptr [esi+0Fh], 10h
		jz	loc_748CE5

loc_748C3E:				; CODE XREF: ObpDeleteNameCheck+1B9j
		xor	al, al

loc_748C40:				; CODE XREF: ObpDeleteNameCheck+1C1j
		test	al, al
		jz	loc_8CA0F1
		cmp	dword ptr [edi+0Ch], 0
		jnz	loc_748CF6
		mov	eax, esi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	[esp+30h+var_1C], eax
		cmp	eax, _ObpSymbolicLinkObjectType
		jz	loc_8CA116
		mov	ecx, [esp+30h+var_20]

loc_748C84:				; CODE XREF: ObpDeleteNameCheck+1815F0j
		lea	eax, [esp+30h+var_18]
		push	eax
		push	0
		push	0
		push	0
		lea	edx, [edi+4]
		call	ObpLookupDirectoryEntryEx
		mov	esi, eax
		mov	eax, [esp+30h+var_1C]
		mov	[esp+30h+var_20], esi
		cmp	eax, _ObpDirectoryObjectType
		jz	loc_8CA125
		xor	esi, esi

loc_748CAF:				; CODE XREF: ObpDeleteNameCheck+181600j
		lea	ecx, [esp+30h+var_18]
		call	_ObpDeleteDirectoryEntry@4 ; ObpDeleteDirectoryEntry(x)

loc_748CB8:				; CODE XREF: ObpDeleteNameCheck+1C8j
		lea	ecx, [esp+30h+var_18]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	[esp+30h+var_24]
		call	_ObDereferenceObject@4 ; ObDereferenceObject(x)
		test	esi, esi
		jz	loc_748BBB
		jmp	loc_8CA135
; 

loc_748CE5:				; CODE XREF: ObpDeleteNameCheck+108j
		cmp	dword ptr [esi+4], 0
		jnz	loc_748C3E
		mov	al, 1
		jmp	loc_748C40
; 

loc_748CF6:				; CODE XREF: ObpDeleteNameCheck+11Cj
		xor	esi, esi
		jmp	short loc_748CB8
ObpDeleteNameCheck endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpCloseDirectoryObject(x, x, x, x)
_ObpCloseDirectoryObject@16 proc near	; DATA XREF: ObInitSystem+266o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 1
		jz	short loc_748D09

loc_748D05:				; CODE XREF: ObpCloseDirectoryObject(x,x,x,x)+19j
					; ObpCloseDirectoryObject(x,x,x,x)+20j
		pop	ebp
		retn	10h
; 

loc_748D09:				; CODE XREF: ObpCloseDirectoryObject(x,x,x,x)+9j
		mov	ecx, [ebp+arg_4]
		test	byte ptr [ecx+0A8h], 1
		jz	short loc_748D05
		call	_ObpRemoveNamespaceFromTable@4 ; ObpRemoveNamespaceFromTable(x)
		jmp	short loc_748D05
_ObpCloseDirectoryObject@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpDetermineFinalViewReservationEnd(x, x, x, x, x, x, x)
_HvpDetermineFinalViewReservationEnd@28	proc near
					; CODE XREF: HvpViewMapCreateViewsForRegion+9Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		call	_CmSiGetMemoryAllocationGranularity@0 ;	CmSiGetMemoryAllocationGranularity()
		mov	ecx, [ebp+arg_C]
		mov	esi, eax
		mov	eax, [ebp+arg_8]
		xor	edi, edi
		sub	eax, [ebp+arg_0]
		sbb	ecx, [ebp+arg_4]
		cmp	edi, ecx
		jg	short loc_748D49
		jl	short loc_748DBA

loc_748D45:				; CODE XREF: HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)+A8j
		cmp	esi, eax
		jb	short loc_748DBA

loc_748D49:				; CODE XREF: HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)+25j
					; HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)+AEj
		push	0
		push	8
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	__alldiv
		mov	[ebp+var_8], edx
		mov	ecx, esi
		mov	edx, edi
		mov	[ebp+var_C], eax
		shld	edx, ecx, 1
		add	ecx, ecx
		mov	eax, edx
		mov	ebx, ecx
		sub	ebx, [ebp+arg_8]
		sbb	eax, [ebp+arg_C]
		add	ebx, [ebp+arg_0]
		mov	[ebp+var_4], ebx
		adc	eax, [ebp+arg_4]
		mov	ebx, [ebp+var_10]
		cmp	eax, [ebp+var_8]
		jg	short loc_748D8D
		jl	short loc_748DCF
		mov	eax, [ebp+var_C]
		cmp	[ebp+var_4], eax
		jbe	short loc_748DCF

loc_748D8D:				; CODE XREF: HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)+65j
					; HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)+E5j
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	edi
		push	esi
		call	_HvpMinLong64@16 ; HvpMinLong64(x,x,x,x)
		add	eax, [ebp+arg_0]
		adc	edx, [ebp+arg_4]
		test	byte ptr [ebx+1Ch], 1
		jz	short loc_748DB3
		push	dword ptr [ebx+14h]
		push	dword ptr [ebx+10h]
		push	edx
		push	eax
		call	_HvpMinLong64@16 ; HvpMinLong64(x,x,x,x)

loc_748DB3:				; CODE XREF: HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)+88j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_748DBA:				; CODE XREF: HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)+27j
					; HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)+2Bj ...
		shld	edi, esi, 1
		add	esi, esi
		cmp	edi, ecx
		jl	short loc_748DBA
		jle	loc_748D45
		jmp	loc_748D49
; 

loc_748DCF:				; CODE XREF: HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)+67j
					; HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)+6Fj
		mov	ebx, [ebp+arg_0]

loc_748DD2:				; CODE XREF: HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)+D6j
					; HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)+E0j
		mov	esi, ecx
		mov	edi, edx
		shld	edx, ecx, 1
		add	ecx, ecx
		mov	eax, ecx
		sub	eax, [ebp+arg_8]
		mov	[ebp+var_4], eax
		mov	eax, edx
		sbb	eax, [ebp+arg_C]
		add	[ebp+var_4], ebx
		adc	eax, [ebp+arg_4]
		cmp	eax, [ebp+var_8]
		jl	short loc_748DD2
		jg	short loc_748DFE
		mov	eax, [ebp+var_C]
		cmp	[ebp+var_4], eax
		jbe	short loc_748DD2

loc_748DFE:				; CODE XREF: HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)+D8j
		mov	ebx, [ebp+var_10]
		jmp	short loc_748D8D
_HvpDetermineFinalViewReservationEnd@28	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapMakeViewRangeUnCOWByCaller(x, x, x, x, x,	x)
_HvpViewMapMakeViewRangeUnCOWByCaller@24 proc near
					; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+A7p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], ecx
		cmp	ebx, [ebp+arg_C]
		jl	short loc_748E2A
		jg	short loc_748E89
		cmp	esi, [ebp+arg_8]
		jnb	short loc_748E89

loc_748E2A:				; CODE XREF: HvpViewMapMakeViewRangeUnCOWByCaller(x,x,x,x,x,x)+1Dj
		push	edi

loc_748E2B:				; CODE XREF: HvpViewMapMakeViewRangeUnCOWByCaller(x,x,x,x,x,x)+7Bj
					; HvpViewMapMakeViewRangeUnCOWByCaller(x,x,x,x,x,x)+82j
		mov	ecx, [edx+10h]
		mov	edi, esi
		sub	edi, ecx
		shr	edi, 0Ch
		mov	al, [edi+edx+38h]
		test	al, 2
		jz	short loc_748E73
		not	al
		lea	edx, [ebp+var_8]
		movzx	eax, al
		and	eax, 0FFFFFFFCh
		push	edx
		mov	edx, [ebp+var_4]
		shl	eax, 1Dh
		or	eax, 2
		push	eax
		mov	eax, [edx+30h]
		sub	eax, ecx
		add	eax, esi
		push	1000h
		push	eax
		mov	eax, [ebp+var_C]
		mov	edx, [eax+18h]
		call	_CmSiProtectViewOfSection@24 ; CmSiProtectViewOfSection(x,x,x,x,x,x)
		mov	edx, [ebp+var_4]
		and	byte ptr [edi+edx+38h],	0F5h

loc_748E73:				; CODE XREF: HvpViewMapMakeViewRangeUnCOWByCaller(x,x,x,x,x,x)+37j
		add	esi, 1000h
		adc	ebx, 0
		cmp	ebx, [ebp+arg_C]
		jl	short loc_748E2B
		jg	short loc_748E88
		cmp	esi, [ebp+arg_8]
		jb	short loc_748E2B

loc_748E88:				; CODE XREF: HvpViewMapMakeViewRangeUnCOWByCaller(x,x,x,x,x,x)+7Dj
		pop	edi

loc_748E89:				; CODE XREF: HvpViewMapMakeViewRangeUnCOWByCaller(x,x,x,x,x,x)+1Fj
					; HvpViewMapMakeViewRangeUnCOWByCaller(x,x,x,x,x,x)+24j
		pop	esi
		pop	ebx
		leave
		retn	10h
_HvpViewMapMakeViewRangeUnCOWByCaller@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 


CmpIssueNewDirtyCallback proc near	; CODE XREF: HvpMarkDirty+199p
					; HvMarkBaseBlockDirty(x)+2Dp

; FUNCTION CHUNK AT 008CE29E SIZE 0000001D BYTES

		mov	edi, edi
		push	ecx
		mov	eax, _CmpHoldLazyFlush
		test	al, 8
		jnz	loc_8CE29E

loc_748EA0:				; CODE XREF: CmpIssueNewDirtyCallback+185415j
		pop	ecx
		retn
CmpIssueNewDirtyCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGenerateFastLeafHintForUnicodeString(x)
_CmpGenerateFastLeafHintForUnicodeString@4 proc	near
					; CODE XREF: CmpAddToLeaf(x,x,x,x):loc_746D73p
					; CmpCheckLeaf+111C69p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	edx, word ptr [ecx]
		xor	eax, eax
		push	esi
		push	4
		shr	edx, 1
		pop	esi
		mov	[ebp+var_4], eax
		cmp	edx, esi
		jb	short loc_748EE2

loc_748EBA:				; CODE XREF: CmpGenerateFastLeafHintForUnicodeString(x)+44j
		mov	edx, [ecx+4]
		mov	ecx, eax
		push	ebx
		push	edi

loc_748EC1:				; CODE XREF: CmpGenerateFastLeafHintForUnicodeString(x)+36j
		movzx	ebx, word ptr [edx]
		mov	edi, 0FFh
		cmp	bx, di
		ja	short loc_748EDD
		mov	byte ptr [ebp+ecx+var_4], bl
		add	edx, 2
		inc	ecx
		cmp	ecx, esi
		jb	short loc_748EC1
		mov	eax, [ebp+var_4]

loc_748EDD:				; CODE XREF: CmpGenerateFastLeafHintForUnicodeString(x)+2Aj
		pop	edi
		pop	ebx

loc_748EDF:				; CODE XREF: CmpGenerateFastLeafHintForUnicodeString(x)+46j
		pop	esi
		leave
		retn
; 

loc_748EE2:				; CODE XREF: CmpGenerateFastLeafHintForUnicodeString(x)+16j
		mov	esi, edx
		test	edx, edx
		jnz	short loc_748EBA
		jmp	short loc_748EDF
_CmpGenerateFastLeafHintForUnicodeString@4 endp

; 
		align 10h
; Exported entry 2384. RtlUnicodeToOemN

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUnicodeToOemN
RtlUnicodeToOemN proc near		; CODE XREF: RtlUnicodeStringToCountedOemString+67p
					; RtlUnicodeStringToOemString+5Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008CE2BB SIZE 00000096 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	cl, 1
		call	RtlpIsUtf8Process
		test	al, al
		jnz	loc_8CE2BB
		mov	edx, [ebp+arg_4]
		push	ebx
		push	edi
		mov	edi, [ebp+arg_10]
		shr	edi, 1
		mov	[ebp+arg_10], edi
		cmp	ds:_NlsMbOemCodePageTag, al
		jnz	loc_8CE2F5
		mov	ecx, edi
		cmp	edi, edx
		jb	short loc_748F26
		mov	ecx, edx

loc_748F26:				; CODE XREF: RtlUnicodeToOemN+32j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_748F2F
		mov	[eax], ecx

loc_748F2F:				; CODE XREF: RtlUnicodeToOemN+3Bj
		mov	ebx, ds:_NlsUnicodeToOemData
		xor	esi, esi
		test	ecx, ecx
		jz	short loc_748F56
		mov	edx, [ebp+arg_0]
		mov	edi, [ebp+arg_C]

loc_748F41:				; CODE XREF: RtlUnicodeToOemN+5Ej
		movzx	eax, word ptr [edi+esi*2]
		mov	al, [eax+ebx]
		mov	[esi+edx], al
		inc	esi
		cmp	esi, ecx
		jb	short loc_748F41
		mov	edx, [ebp+arg_4]
		mov	edi, [ebp+arg_10]

loc_748F56:				; CODE XREF: RtlUnicodeToOemN+49j
					; RtlUnicodeToOemN+185452j ...
		cmp	edx, edi
		pop	edi
		sbb	eax, eax
		and	eax, 80000005h
		pop	ebx

loc_748F61:				; CODE XREF: RtlUnicodeToOemN+185400j
		pop	esi
		pop	ebp
		retn	14h
RtlUnicodeToOemN endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2375. RtlUnicodeStringToCountedOemString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUnicodeStringToCountedOemString
RtlUnicodeStringToCountedOemString proc	near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008CE351 SIZE 00000051 BYTES

		push	10h
		push	offset dword_6A0368
		call	__SEH_prolog4
		mov	ebx, [ebp+arg_4]
		push	ebx
		call	_RtlxUnicodeStringToOemSize@4 ;	RtlxUnicodeStringToOemSize(x)
		sub	eax, 1
		jz	loc_8CE351
		cmp	eax, 0FFFFh
		ja	loc_8CE362
		movzx	ecx, ax
		mov	edi, [ebp+arg_0]
		mov	[edi], cx
		cmp	[ebp+arg_8], 0
		jnz	loc_8CE36C
		cmp	cx, [edi+2]
		ja	loc_8CE38B

loc_748FB2:				; CODE XREF: RtlUnicodeStringToCountedOemString+18540Fj
		and	[ebp+var_1C], 0
		and	[ebp+ms_exc.disabled], 0
		mov	[ebp+arg_4], 1
		movzx	eax, word ptr [ebx]
		push	eax
		push	dword ptr [ebx+4]
		lea	eax, [ebp+var_20]
		push	eax
		movzx	eax, word ptr [edi]
		push	eax
		push	dword ptr [edi+4]
		call	RtlUnicodeToOemN
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	short loc_748FFB
		mov	edx, ebx
		mov	ecx, edi
		call	RtlpDidUnicodeToOemWork
		test	al, al
		jz	loc_8CE395

loc_748FF2:				; CODE XREF: RtlUnicodeStringToCountedOemString+185431j
		test	esi, esi
		js	short loc_748FFB
		xor	esi, esi
		mov	[ebp+var_1C], esi

loc_748FFB:				; CODE XREF: RtlUnicodeStringToCountedOemString+73j
					; RtlUnicodeStringToCountedOemString+88j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+arg_4], 0
		call	sub_749022
		mov	eax, esi

loc_749010:				; CODE XREF: RtlUnicodeStringToCountedOemString+1853F1j
					; RtlUnicodeStringToCountedOemString+1853FBj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
RtlUnicodeStringToCountedOemString endp


;  S U B	R O U T	I N E 


sub_749022	proc near		; CODE XREF: RtlUnicodeStringToCountedOemString+9Dp
					; sub_8CE3A2+6j

; FUNCTION CHUNK AT 008CE3AD SIZE 00000017 BYTES

		cmp	dword ptr [ebp+0Ch], 0
		jnz	loc_8CE3AD
		test	esi, esi
		js	loc_8CE3AD

locret_749034:				; CODE XREF: sub_749022+18538Fj
		retn
sub_749022	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpViewMapMakeViewRangeValid proc near	; CODE XREF: HvpViewMapExtendStorage(x,x)+87p
					; HvpViewMapCreateViewsForRegion+E2p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 008CE3C4 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], ecx
		push	edi
		mov	edi, [ebp+arg_8]
		lea	edx, [ebp+var_C]
		sub	edi, [ebp+arg_0]
		mov	eax, [esi+30h]
		sub	eax, [esi+10h]
		add	eax, [ebp+arg_0]
		push	edx
		mov	edx, [ecx+18h]
		push	2
		push	edi
		push	eax
		mov	[ebp+var_10], eax
		call	_CmSiProtectViewOfSection@24 ; CmSiProtectViewOfSection(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_74915A
		mov	eax, [ebp+var_8]
		mov	ebx, [ebp+var_10]
		mov	edx, ebx
		push	edi
		mov	ecx, [eax+18h]
		call	_CmSiPrefetchVirtualMemoryRange@12 ; CmSiPrefetchVirtualMemoryRange(x,x,x)
		mov	eax, [ebp+var_8]
		mov	[ebp+var_1], 0
		test	byte ptr [eax+1Ch], 2
		jz	loc_749163
		cmp	[ebp+arg_10], 0
		jz	loc_7491A8
		mov	edx, [eax+18h]
		push	edi
		push	ebx
		call	_CmSiLockViewOfSection@16 ; CmSiLockViewOfSection(x,x,x,x)
		test	eax, eax
		js	loc_7491EF
		mov	ecx, [ebp+var_8]
		shr	edi, 0Ch
		add	[esi+34h], edi
		mov	[ebp+var_1], 1
		or	dword ptr [ecx+1Ch], 4

loc_7490C5:				; CODE XREF: HvpViewMapMakeViewRangeValid+145j
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		mov	edx, [ebp+arg_4]
		mov	ebx, [ebp+arg_C]
		mov	dword ptr [ebp+arg_10],	eax
		mov	[ebp+var_10], edx
		cmp	edx, ebx
		jl	short loc_7490E1
		jg	short loc_749131
		cmp	edi, [ebp+arg_8]
		jnb	short loc_749131

loc_7490E1:				; CODE XREF: HvpViewMapMakeViewRangeValid+A2j
					; HvpViewMapMakeViewRangeValid+ECj ...
		mov	edi, eax
		sub	edi, [esi+10h]
		shr	edi, 0Ch
		mov	dl, [edi+esi+38h]
		mov	al, dl
		or	al, 1
		mov	[edi+esi+38h], al
		test	byte ptr [ecx+1Ch], 2
		jz	short loc_74910C
		cmp	[ebp+var_1], 0
		jz	loc_7491A0
		or	dl, 11h

loc_749108:				; CODE XREF: HvpViewMapMakeViewRangeValid+16Dj
		mov	[edi+esi+38h], dl

loc_74910C:				; CODE XREF: HvpViewMapMakeViewRangeValid+C3j
		mov	eax, dword ptr [ebp+arg_10]
		mov	edx, [ebp+var_10]
		add	eax, 1000h
		mov	dword ptr [ebp+arg_10],	eax
		adc	edx, 0
		mov	[ebp+var_10], edx
		cmp	edx, ebx
		jl	short loc_7490E1
		jg	short loc_74912B
		cmp	eax, [ebp+arg_8]
		jb	short loc_7490E1

loc_74912B:				; CODE XREF: HvpViewMapMakeViewRangeValid+EEj
		mov	edx, [ebp+arg_4]
		mov	edi, [ebp+arg_0]

loc_749131:				; CODE XREF: HvpViewMapMakeViewRangeValid+A4j
					; HvpViewMapMakeViewRangeValid+A9j
		mov	eax, [esi+20h]
		mov	ecx, [esi+24h]
		mov	dword ptr [ebp+arg_10],	eax
		or	eax, ecx
		mov	[ebp+arg_4], ecx
		jnz	short loc_749180
		mov	eax, [esi+28h]
		or	eax, [esi+2Ch]
		jnz	short loc_749180
		mov	eax, [ebp+arg_8]
		mov	[esi+20h], edi
		mov	[esi+24h], edx
		mov	[esi+28h], eax

loc_749155:				; CODE XREF: HvpViewMapMakeViewRangeValid+168j
		mov	[esi+2Ch], ebx

loc_749158:				; CODE XREF: HvpViewMapMakeViewRangeValid+15Ej
					; HvpViewMapMakeViewRangeValid+163j ...
		xor	ebx, ebx

loc_74915A:				; CODE XREF: HvpViewMapMakeViewRangeValid+3Aj
					; HvpViewMapMakeViewRangeValid+1853B1j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	14h
; 

loc_749163:				; CODE XREF: HvpViewMapMakeViewRangeValid+5Cj
		push	0
		mov	edx, edi
		mov	ecx, ebx
		call	HvpViewMapTouchPages
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8CE3CF

loc_749178:				; CODE XREF: HvpViewMapMakeViewRangeValid+1B7j
		mov	ecx, [ebp+var_8]
		jmp	loc_7490C5
; 

loc_749180:				; CODE XREF: HvpViewMapMakeViewRangeValid+109j
					; HvpViewMapMakeViewRangeValid+111j
		mov	ecx, [ebp+arg_8]
		cmp	dword ptr [ebp+arg_10],	ecx
		jnz	short loc_749191
		cmp	[ebp+arg_4], ebx
		jz	loc_8CE3C4

loc_749191:				; CODE XREF: HvpViewMapMakeViewRangeValid+150j
		cmp	[esi+28h], edi
		jnz	short loc_749158
		cmp	[esi+2Ch], edx
		jnz	short loc_749158
		mov	[esi+28h], ecx
		jmp	short loc_749155
; 

loc_7491A0:				; CODE XREF: HvpViewMapMakeViewRangeValid+C9j
		or	dl, 5
		jmp	loc_749108
; 

loc_7491A8:				; CODE XREF: HvpViewMapMakeViewRangeValid+66j
					; HvpViewMapMakeViewRangeValid+1BCj
		mov	edx, [eax+18h]
		lea	ecx, [ebp+var_C]
		push	ecx
		push	8
		push	edi
		push	ebx
		call	_CmSiProtectViewOfSection@24 ; CmSiProtectViewOfSection(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8CE3CF
		mov	ecx, [ebp+var_10]
		mov	edx, edi
		push	1
		call	HvpViewMapTouchPages
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8CE3CF
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, [ebp+var_8]
		push	2
		push	edi
		push	[ebp+var_10]
		mov	edx, [eax+18h]
		call	_CmSiProtectViewOfSection@24 ; CmSiProtectViewOfSection(x,x,x,x,x,x)
		jmp	short loc_749178
; 

loc_7491EF:				; CODE XREF: HvpViewMapMakeViewRangeValid+78j
		mov	eax, [ebp+var_8]
		jmp	short loc_7491A8
HvpViewMapMakeViewRangeValid endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpViewMapCreateView proc near		; CODE XREF: HvpViewMapCreateViewsForRegion+BCp
					; CmpAddSecurityCellToCache+188A50p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CE3EC SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, [ebp+arg_8]
		sub	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ebx
		mov	[ebp+var_C], edx
		shr	edi, 0Ch
		mov	edx, 35384D43h
		mov	[ebp+var_4], ecx
		add	edi, 38h
		mov	ecx, edi
		call	_CmSiAllocateMemory@8 ;	CmSiAllocateMemory(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8CE3EC
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edi, [ebp+var_4]
		add	esp, 0Ch
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+arg_0]
		mov	[esi+18h], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+1Ch], eax
		mov	[esi+10h], edx
		lea	edx, [esi+30h]
		mov	[esi+14h], ecx
		mov	al, [edi+1Ch]
		not	al
		push	edx
		mov	edx, [ebp+arg_0]
		movzx	eax, al
		push	ecx
		and	eax, 1
		shl	eax, 0Dh
		push	eax
		push	ebx
		push	ecx
		mov	ecx, [edi]
		push	edx
		mov	edx, [edi+18h]
		call	_CmSiMapViewOfSection@32 ; CmSiMapViewOfSection(x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7492B3
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		push	ebx
		mov	ebx, [ebp+var_4]
		push	dword ptr [esi+30h]
		mov	edx, [ebx+18h]
		call	_CmSiProtectViewOfSection@24 ; CmSiProtectViewOfSection(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7492A2
		mov	eax, [ebp+var_C]
		mov	[eax], esi
		xor	esi, esi
		xor	edi, edi

loc_7492A2:				; CODE XREF: HvpViewMapCreateView+A3j
					; HvpViewMapCreateView+C2j
		test	esi, esi
		jnz	loc_8CE3F6

loc_7492AA:				; CODE XREF: HvpViewMapCreateView+1851FDj
					; HvpViewMapCreateView+185219j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7492B3:				; CODE XREF: HvpViewMapCreateView+88j
		mov	ebx, [ebp+var_4]
		jmp	short loc_7492A2
HvpViewMapCreateView endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpViewMapCreateViewsForRegion proc near ; CODE	XREF: HvpViewMapExtendStorage(x,x)+BAp
					; HvpViewMapStart(x,x,x,x,x)+8Bp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CE412 SIZE 000000A3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		lea	eax, [ebp+var_38]
		mov	[ebp+var_30], edx
		push	esi
		mov	edx, eax
		mov	[ebp+var_4], ecx
		xor	esi, esi
		mov	[ebp+var_34], eax
		push	edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_38], edx
		call	_CmSiGetMemoryAllocationGranularity@0 ;	CmSiGetMemoryAllocationGranularity()
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_18], eax
		mov	ecx, 200000h
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], edi
		mov	[ebp+arg_4], eax
		cmp	eax, [ebp+arg_C]
		jl	short loc_74930E
		jg	loc_7493F4
		cmp	edi, [ebp+arg_8]
		jnb	loc_7493F4

loc_74930E:				; CODE XREF: HvpViewMapCreateViewsForRegion+45j
		mov	edx, [ebp+var_18]
		neg	edx
		push	0
		pop	eax
		adc	eax, eax
		mov	[ebp+var_2C], edx
		neg	eax
		mov	[ebp+var_28], eax

loc_749320:				; CODE XREF: HvpViewMapCreateViewsForRegion+128j
					; HvpViewMapCreateViewsForRegion+133j
		mov	esi, edx
		mov	edx, [ebp+arg_8]
		and	esi, edi
		mov	edi, eax
		and	edi, [ebp+arg_4]
		sub	edx, esi
		mov	eax, [ebp+arg_C]
		sbb	eax, edi
		cmp	ebx, eax
		jg	short loc_749345
		jl	loc_7494E1
		cmp	ecx, edx
		jbe	loc_7494E1

loc_749345:				; CODE XREF: HvpViewMapCreateViewsForRegion+7Dj
		push	ebx
		push	ecx
		push	[ebp+arg_C]
		mov	ecx, [ebp+var_4]
		push	[ebp+arg_8]
		push	edi
		push	esi
		call	_HvpDetermineFinalViewReservationEnd@28	; HvpDetermineFinalViewReservationEnd(x,x,x,x,x,x,x)
		mov	ecx, [ebp+arg_8]
		mov	ebx, eax
		mov	[ebp+var_20], ecx
		mov	eax, edx
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], ecx

loc_74936A:				; CODE XREF: HvpViewMapCreateViewsForRegion+23Bj
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_8]
		push	eax
		push	ebx
		push	edi
		push	esi
		call	HvpViewMapCreateView
		mov	edi, eax
		test	edi, edi
		js	loc_8CE412
		push	[ebp+var_30]
		mov	esi, [ebp+var_8]
		mov	edx, esi
		push	[ebp+var_1C]
		mov	ecx, [ebp+var_4]
		push	[ebp+var_20]
		push	[ebp+arg_4]
		push	[ebp+var_14]
		call	HvpViewMapMakeViewRangeValid
		mov	edi, eax
		test	edi, edi
		js	loc_7494C2
		mov	eax, [ebp+var_34]
		lea	ecx, [ebp+var_38]
		cmp	[eax], ecx
		jnz	loc_7494F8
		mov	[esi], ecx
		mov	edi, ebx
		mov	ecx, [ebp+var_C]
		mov	ebx, [ebp+var_10]
		mov	[esi+4], eax
		mov	[eax], esi
		mov	eax, [ebp+var_24]
		mov	[ebp+var_34], esi
		xor	esi, esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_14], edi
		mov	[ebp+arg_4], eax

loc_7493D7:				; CODE XREF: HvpViewMapCreateViewsForRegion+185189j
		cmp	eax, [ebp+arg_C]
		mov	eax, [ebp+var_28]
		mov	edx, [ebp+var_2C]
		jl	loc_749320
		jg	short loc_7493F1
		cmp	edi, [ebp+arg_8]
		jb	loc_749320

loc_7493F1:				; CODE XREF: HvpViewMapCreateViewsForRegion+12Ej
		mov	edx, [ebp+var_38]

loc_7493F4:				; CODE XREF: HvpViewMapCreateViewsForRegion+47j
					; HvpViewMapCreateViewsForRegion+50j
		lea	eax, [ebp+var_38]
		cmp	[edx+4], eax
		jnz	loc_7494F8
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	loc_7494F8
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_38], eax
		mov	[eax+4], ecx
		mov	eax, ecx
		cmp	edx, eax
		jz	loc_7494C0
		mov	edi, [ebp+var_4]
		add	edi, 20h
		xor	esi, esi

loc_749426:				; CODE XREF: HvpViewMapCreateViewsForRegion+202j
		test	byte ptr [edi+4], 1
		mov	eax, [edi]
		jz	short loc_749434
		test	eax, eax
		jz	short loc_749434
		xor	eax, edi

loc_749434:				; CODE XREF: HvpViewMapCreateViewsForRegion+174j
					; HvpViewMapCreateViewsForRegion+178j
		movzx	ebx, byte ptr [edi+4]
		and	ebx, 1
		mov	byte ptr [ebp+arg_C], 0
		test	eax, eax
		jz	short loc_749490
		mov	ecx, [edx+20h]
		mov	[ebp+var_30], ecx
		mov	ecx, [edx+24h]
		mov	[ebp+arg_4], ecx

loc_74944F:				; CODE XREF: HvpViewMapCreateViewsForRegion+1BCj
		mov	ecx, [ebp+arg_4]
		cmp	ecx, [eax+24h]
		mov	ecx, [ebp+var_30]
		jl	short loc_749476
		jg	short loc_749461
		cmp	ecx, [eax+20h]
		jb	short loc_749476

loc_749461:				; CODE XREF: HvpViewMapCreateViewsForRegion+1A2j
		mov	ecx, [eax+4]
		test	ebx, ebx
		jz	short loc_74946E
		test	ecx, ecx
		jz	short loc_74948C
		xor	ecx, eax

loc_74946E:				; CODE XREF: HvpViewMapCreateViewsForRegion+1AEj
		test	ecx, ecx
		jz	short loc_74948C

loc_749472:				; CODE XREF: HvpViewMapCreateViewsForRegion+1CCj
		mov	eax, ecx
		jmp	short loc_74944F
; 

loc_749476:				; CODE XREF: HvpViewMapCreateViewsForRegion+1A0j
					; HvpViewMapCreateViewsForRegion+1A7j
		mov	ecx, [eax]
		test	ebx, ebx
		jz	short loc_749482
		test	ecx, ecx
		jz	short loc_749486
		xor	ecx, eax

loc_749482:				; CODE XREF: HvpViewMapCreateViewsForRegion+1C2j
		test	ecx, ecx
		jnz	short loc_749472

loc_749486:				; CODE XREF: HvpViewMapCreateViewsForRegion+1C6j
		mov	byte ptr [ebp+arg_C], 0
		jmp	short loc_749490
; 

loc_74948C:				; CODE XREF: HvpViewMapCreateViewsForRegion+1B2j
					; HvpViewMapCreateViewsForRegion+1B8j
		mov	byte ptr [ebp+arg_C], 1

loc_749490:				; CODE XREF: HvpViewMapCreateViewsForRegion+189j
					; HvpViewMapCreateViewsForRegion+1D2j
		push	edx
		push	[ebp+arg_C]
		push	eax
		push	edi
		call	RtlRbInsertNodeEx
		mov	edx, [ebp+var_38]
		lea	eax, [ebp+var_38]
		cmp	[edx+4], eax
		jnz	short loc_7494F8
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_7494F8
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_38], eax
		mov	[eax+4], ecx
		mov	eax, ecx
		cmp	edx, eax
		jnz	loc_749426

loc_7494C0:				; CODE XREF: HvpViewMapCreateViewsForRegion+160j
		xor	edi, edi

loc_7494C2:				; CODE XREF: HvpViewMapCreateViewsForRegion+EBj
					; HvpViewMapCreateViewsForRegion+185191j
		test	esi, esi
		jnz	loc_8CE44E

loc_7494CA:				; CODE XREF: HvpViewMapCreateViewsForRegion+1851B0j
		mov	esi, [ebp+var_38]
		lea	eax, [ebp+var_38]
		cmp	esi, eax
		jnz	loc_8CE48A

loc_7494D8:				; CODE XREF: HvpViewMapCreateViewsForRegion+1851F8j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7494E1:				; CODE XREF: HvpViewMapCreateViewsForRegion+7Fj
					; HvpViewMapCreateViewsForRegion+87j
		mov	eax, [ebp+var_10]
		mov	ebx, ecx
		add	ebx, esi
		mov	[ebp+var_20], ebx
		adc	eax, edi
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], eax
		jmp	loc_74936A
; 

loc_7494F8:				; CODE XREF: HvpViewMapCreateViewsForRegion+F9j
					; HvpViewMapCreateViewsForRegion+142j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
HvpViewMapCreateViewsForRegion endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCreateHive(x, x,	x, x, x, x, x, x, x, x,	x, x)
_CmpCreateHive@48 proc near		; CODE XREF: CmpInitHiveFromFile+3A6p
					; CmRestoreKey(x,x,x,x)+245p ...

var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_101		= byte ptr -101h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F5		= byte ptr -0F5h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_D8		= dword	ptr -0D8h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_114], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_108], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_110], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_120], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_11C], eax
		mov	eax, [ebp+arg_20]
		push	ebx
		mov	[ebp+var_118], eax
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_FC], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_148]
		mov	[ebp+var_134], ecx
		stosd
		push	6
		pop	ecx
		mov	[ebp+var_10C], edx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_124], eax
		lea	edi, [ebp+var_F0]
		mov	[ebp+var_F5], al
		mov	ebx, eax
		mov	[ebp+var_101], al
		rep stosd
		cmp	edx, 4
		jz	loc_749D8D
		cmp	edx, 3
		jz	loc_749D8D
		cmp	edx, 5
		ja	loc_749D8D
		mov	eax, [ebp+arg_0]
		test	eax, 0FF617CECh
		jz	short loc_7495D0
		push	10h

loc_7495B6:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+DCj
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+130j ...
		mov	esi, 0C000000Dh
		push	esi
		push	1

loc_7495BE:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+F6j
		mov	ecx, [ebp+var_FC]
		xor	edx, edx
		call	SetFailureLocation
		jmp	loc_749970
; 

loc_7495D0:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+B4j
		mov	esi, [ebp+arg_4]
		cmp	esi, 2
		jbe	short loc_7495DC
		push	20h
		jmp	short loc_7495B6
; 

loc_7495DC:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+D8j
		xor	ecx, ecx
		inc	ecx
		cmp	[ebp+var_114], ebx
		jnz	short loc_7495F6
		cmp	edx, ecx
		jnz	short loc_7495F6
		push	30h

loc_7495ED:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+10Dj
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+121j
		mov	esi, 0C000000Dh
		push	esi
		push	ecx
		jmp	short loc_7495BE
; 

loc_7495F6:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+E7j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+EBj
		mov	ebx, [ebp+var_108]
		test	ebx, ebx
		jz	short loc_74965F
		and	eax, 8001h
		cmp	eax, ecx
		jnz	short loc_74960D
		push	40h
		jmp	short loc_7495ED
; 

loc_74960D:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+109j
		mov	edx, [ebx]
		test	edx, edx
		jnz	short loc_749621
		cmp	[ebx+4], edx
		jnz	short loc_74961D
		cmp	[ebx+8], edx
		jz	short loc_749621

loc_74961D:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+118j
		push	50h
		jmp	short loc_7495ED
; 

loc_749621:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+113j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+11Dj
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jz	short loc_749630
		test	esi, esi
		jnz	short loc_749630
		push	60h
		jmp	short loc_7495B6
; 

loc_749630:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+128j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+12Cj
		mov	eax, [ebx+8]
		test	eax, eax
		jz	short loc_749643
		cmp	esi, 2
		jz	short loc_749643
		push	70h
		jmp	loc_7495B6
; 

loc_749643:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+137j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+13Cj
		cmp	dword ptr [ebx+0Ch], 0
		jz	short loc_74965F
		test	edx, edx
		jnz	short loc_749655
		test	ecx, ecx
		jnz	short loc_749655
		test	eax, eax
		jz	short loc_74965F

loc_749655:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+14Dj
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+151j
		push	80h
		jmp	loc_7495B6
; 

loc_74965F:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+100j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+149j ...
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_F5], al
		test	al, al
		jnz	short loc_749678
		mov	esi, 0C0000189h
		jmp	loc_749970
; 

loc_749678:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+16Ej
		xor	edi, edi
		inc	edi
		mov	[ebp+var_12C], edi
		test	ebx, ebx
		jz	short loc_7496B5
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	short loc_7496B5
		lea	edx, [ebp+var_12C]
		call	CmpGetVolumeClusterSize
		mov	esi, eax
		test	esi, esi
		jns	short loc_7496B5
		push	0A0h
		push	esi
		push	edi

loc_7496A3:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+1E1j
		mov	ecx, [ebp+var_FC]
		xor	edx, edx
		call	SetFailureLocation
		jmp	loc_749962
; 

loc_7496B5:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+185j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+18Bj ...
		push	30314D43h
		push	0
		push	0C00h
		call	CmpAllocate
		mov	edi, eax
		mov	[ebp+var_100], edi
		test	edi, edi
		jnz	short loc_7496E1
		push	0B0h
		mov	esi, 0C000009Ah
		push	esi
		push	1
		jmp	short loc_7496A3
; 

loc_7496E1:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+1D2j
		mov	ecx, edi	; void *
		call	_CmpHiveInitialize@4 ; CmpHiveInitialize(x)
		test	ebx, ebx
		jz	loc_74984A
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_74973E
		xor	edx, edx
		lea	ecx, [edi+400h]
		push	edx
		push	2
		push	200h
		push	edx
		push	ecx
		push	edx
		push	eax
		push	ds:_PsInitialSystemProcess
		call	ObDuplicateObject
		mov	esi, eax
		test	esi, esi
		js	loc_74993D
		push	2
		lea	eax, [ebp+var_F4]
		mov	word ptr [ebp+var_F4], 100h
		push	eax
		push	4
		push	dword ptr [edi+400h]
		call	_ZwSetInformationObject@16 ; ZwSetInformationObject(x,x,x,x)

loc_74973E:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+1F6j
		mov	eax, [ebx+0Ch]
		test	eax, eax
		jz	short loc_74978D
		xor	edx, edx
		lea	ecx, [edi+408h]
		push	edx
		push	2
		push	200h
		push	edx
		push	ecx
		push	edx
		push	eax
		push	ds:_PsInitialSystemProcess
		call	ObDuplicateObject
		mov	esi, eax
		test	esi, esi
		js	loc_74993D
		push	2
		lea	eax, [ebp+var_F4]
		mov	word ptr [ebp+var_F4], 100h
		push	eax
		push	4
		push	dword ptr [edi+408h]
		call	_ZwSetInformationObject@16 ; ZwSetInformationObject(x,x,x,x)

loc_74978D:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+245j
		cmp	[ebp+arg_4], 1
		jnz	short loc_7497A6
		mov	eax, [ebx+4]
		test	eax, eax
		jz	loc_74984A
		lea	ebx, [edi+404h]
		jmp	short loc_74980C
; 

loc_7497A6:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+293j
		cmp	[ebp+arg_4], 2
		jnz	loc_74984A
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_7497FF
		xor	edx, edx
		lea	ecx, [edi+410h]
		push	edx
		push	2
		push	200h
		push	edx
		push	ecx
		push	edx
		push	eax
		push	ds:_PsInitialSystemProcess
		call	ObDuplicateObject
		mov	esi, eax
		test	esi, esi
		js	loc_74993D
		push	2
		lea	eax, [ebp+var_F4]
		mov	word ptr [ebp+var_F4], 100h
		push	eax
		push	4
		push	dword ptr [edi+410h]
		call	_ZwSetInformationObject@16 ; ZwSetInformationObject(x,x,x,x)

loc_7497FF:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+2B7j
		mov	eax, [ebx+8]
		test	eax, eax
		jz	short loc_74984A
		lea	ebx, [edi+414h]

loc_74980C:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+2A6j
		xor	ecx, ecx
		push	ecx
		push	2
		push	200h
		push	ecx
		push	ebx
		push	ecx
		push	eax
		push	ds:_PsInitialSystemProcess
		call	ObDuplicateObject
		mov	esi, eax
		test	esi, esi
		js	loc_74993D
		push	2
		lea	eax, [ebp+var_F4]
		mov	word ptr [ebp+var_F4], 100h
		push	eax
		push	4
		push	dword ptr [ebx]
		call	_ZwSetInformationObject@16 ; ZwSetInformationObject(x,x,x,x)

loc_74984A:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+1ECj
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+29Aj ...
		test	[ebp+arg_14], 8000000h
		jz	short loc_74985D
		or	dword ptr [edi+980h], 80h

loc_74985D:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+353j
		cmp	[ebp+arg_14], 0
		jge	short loc_74986D
		or	dword ptr [edi+980h], 800h

loc_74986D:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+363j
		lea	ecx, [ebp+var_F0]
		call	CmpAttachToRegistryProcess
		mov	ebx, [ebp+var_FC]
		mov	eax, [ebp+var_10C]
		mov	[ebp+var_148], offset CmpAllocate
		mov	[ebp+var_144], offset _CmpFree@8 ; CmpFree(x,x)
		mov	[ebp+var_13C], offset _CmpFileWrite@20 ; CmpFileWrite(x,x,x,x,x)
		mov	[ebp+var_138], offset _CmpFileRead@20 ;	CmpFileRead(x,x,x,x,x)
		mov	[edi+1Ch], ebx
		mov	[ebp+var_101], 1
		mov	[ebx], edi
		cmp	eax, 2
		jz	loc_749983
		cmp	eax, 5
		jz	loc_749983
		test	eax, eax
		jnz	short loc_7498E0
		mov	edx, [ebp+var_108]
		test	edx, edx
		jz	short loc_7498E0
		cmp	[edx], eax
		jnz	loc_749989

loc_7498E0:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+3CEj
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+3D8j
		push	ebx
		lea	ecx, [ebp+var_124]
		mov	edx, eax
		push	ecx
		push	[ebp+var_118]
		lea	ecx, [ebp+var_148]
		push	[ebp+var_11C]
		push	[ebp+var_120]
		push	[ebp+var_110]
		push	[ebp+var_12C]
		push	ecx
		push	[ebp+var_114]
		mov	ecx, edi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	HvHiveStartMemoryBacked
		mov	esi, eax
		test	esi, esi
		jns	loc_749A52
		push	0E8h

loc_749931:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+54Fj
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+76Aj ...
		push	esi
		push	1
		xor	edx, edx
		mov	ecx, ebx
		call	SetFailureLocation

loc_74993D:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+21Bj
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+26Aj ...
		mov	ebx, [ebp+var_100]

loc_749943:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+8A6j
		test	ebx, ebx
		jz	short loc_74994E
		mov	ecx, ebx
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)

loc_74994E:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+447j
		cmp	[ebp+var_101], 0
		jz	short loc_749962

loc_749957:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+88Aj
		lea	ecx, [ebp+var_F0]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)

loc_749962:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+1B2j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+457j
		cmp	[ebp+var_F5], 0
		jz	short loc_749970
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_749970:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+CDj
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+175j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	28h
; 

loc_749983:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+3BDj
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+3C6j
		mov	edx, [ebp+var_108]

loc_749989:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+3DCj
		mov	edx, [edx]
		lea	eax, [edi+0BFCh]
		or	[ebp+arg_0], 20000h
		push	eax
		push	ecx
		call	CmpVolumeManagerGetContextForFile
		mov	esi, eax
		test	esi, esi
		js	short loc_74993D
		mov	ecx, [edi+0BFCh]
		call	_CmpVolumeContextMustHiveFilePagesBeKeptLocal@4	; CmpVolumeContextMustHiveFilePagesBeKeptLocal(x)
		test	al, al
		jnz	short loc_7499F3
		test	[ebp+arg_14], 2000000h
		jnz	short loc_7499F3
		mov	esi, [ebp+arg_0]
		test	esi, 8000h
		jnz	short loc_7499F6
		test	byte ptr [ebp+arg_14], 40h
		jnz	short loc_7499F6
		test	byte ptr [ebp+arg_14], 20h
		jnz	short loc_7499FF
		mov	eax, [ebp+var_108]
		mov	dl, 1
		mov	ecx, [eax]
		call	_CmpAdjustFileCFSafety@8 ; CmpAdjustFileCFSafety(x,x)
		test	eax, eax
		js	short loc_7499F6
		or	dword ptr [edi+980h], 10000h
		jmp	short loc_7499FF
; 

loc_7499F3:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+4B4j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+4BDj
		mov	esi, [ebp+arg_0]

loc_7499F6:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+4C8j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+4CEj ...
		or	esi, 800000h
		mov	[ebp+arg_0], esi

loc_7499FF:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+4D4j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+4F3j
		push	ebx
		cmp	[ebp+var_10C], 0
		lea	eax, [ebp+var_124]
		push	eax
		push	[ebp+var_118]
		lea	eax, [ebp+var_148]
		setz	dl
		push	[ebp+var_11C]
		push	[ebp+var_120]
		push	[ebp+var_110]
		push	ecx
		push	[ebp+var_12C]
		mov	ecx, edi
		push	eax
		push	[ebp+arg_4]
		push	esi
		call	HvHiveStartFileBacked
		mov	esi, eax
		test	esi, esi
		jns	short loc_749A52
		push	0E4h
		jmp	loc_749931
; 

loc_749A52:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+428j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+548j
		mov	eax, [ebp+arg_0]
		and	eax, 180000h
		cmp	eax, 80000h
		jnz	short loc_749A86
		test	[ebp+arg_14], 800000h
		jnz	short loc_749A86
		mov	eax, [edi+20h]
		cmp	dword ptr [eax+18h], 6
		jnb	short loc_749A7D

loc_749A73:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+586j
		mov	esi, 0C000000Dh
		jmp	loc_74993D
; 

loc_749A7D:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+573j
		test	byte ptr [eax+90h], 2
		jz	short loc_749A73

loc_749A86:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+561j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+56Aj
		mov	esi, [ebp+var_10C]
		cmp	esi, 2
		jz	short loc_749A9F
		cmp	esi, 5
		jz	short loc_749A9F
		cmp	esi, 1
		jnz	loc_749C73

loc_749A9F:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+591j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+596j
		mov	edx, [ebp+arg_14]
		mov	ecx, edi
		push	ebx
		call	_CmCheckRegistry@12 ; CmCheckRegistry(x,x,x)
		mov	esi, eax
		cmp	esi, 8000002Ah
		jnz	loc_749C5F
		cmp	dword_6B2348, 5
		jbe	loc_749C5D
		push	4000h
		push	0
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_749C5D
		lea	ecx, [ebx+4]
		mov	[ebp+var_120], esi
		movzx	edi, word ptr [ecx]
		lea	eax, [ebp+var_120]
		mov	[ebp+var_B8], eax
		xor	edx, edx
		mov	eax, edi
		mov	[ebp+var_B4], edx
		mov	[ebp+var_11C], eax
		lea	eax, [ebp+var_11C]
		mov	[ebp+var_A8], eax
		push	2
		pop	esi
		mov	[ebp+var_AC], edx
		mov	[ebp+var_A4], edx
		mov	[ebp+var_9C], edx
		lea	edx, [ebx+6]
		movzx	ebx, word ptr [edx]
		and	[ebp+var_94], 0
		mov	eax, ebx
		mov	[ebp+var_118], eax
		lea	eax, [ebp+var_118]
		mov	[ebp+var_98], eax
		and	[ebp+var_8C], 0
		and	[ebp+var_64], 0
		and	[ebp+var_5C], 0
		mov	[ebp+var_A0], esi
		mov	[ebp+var_90], esi
		mov	esi, [ebp+var_FC]
		add	esi, 132h
		imul	ebx, 0Ch
		mov	[ebp+var_78], ecx
		mov	ecx, [ebp+var_FC]
		imul	edi, 0Ch
		mov	al, [esi]
		mov	byte ptr [ebp+var_F4+1], al
		movzx	eax, al
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_114]
		mov	[ebp+var_88], eax
		xor	eax, eax
		mov	[ebp+var_84], eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_6C], eax
		lea	eax, [ecx+8]
		mov	[ebp+var_68], eax
		lea	eax, [ecx+68h]
		mov	[ebp+var_40], ebx
		mov	ebx, ecx
		mov	[ebp+var_48], eax
		mov	[ebp+var_58], edx
		xor	edx, edx
		push	2
		lea	eax, [ebx+134h]
		mov	[ebp+var_60], edi
		mov	[ebp+var_28], eax
		movzx	eax, byte ptr [ebp+var_F4+1]
		shl	eax, 3
		pop	edi
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_130]
		mov	[ebp+var_B0], 4
		mov	[ebp+var_80], 2
		mov	[ebp+var_70], 2
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_130], 1000000h
		mov	[ebp+var_12C], edx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], 8
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_C], edx
		push	eax
		push	0Dh
		push	edx
		push	edx
		push	offset byte_41A4C5
		push	offset dword_6B2348
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	edi, [ebp+var_100]

loc_749C5D:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+5C1j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+5DAj
		xor	esi, esi

loc_749C5F:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+5B4j
		test	esi, esi
		jns	short loc_749C6D
		push	0F0h
		jmp	loc_749931
; 

loc_749C6D:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+763j
		mov	esi, [ebp+var_10C]

loc_749C73:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+59Bj
		test	[ebp+arg_14], 800000h
		jz	short loc_749CA9
		mov	eax, [edi+20h]
		cmp	dword ptr [eax+18h], 6
		jb	short loc_749C8E
		test	byte ptr [eax+90h], 2
		jnz	short loc_749CA9

loc_749C8E:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+785j
		mov	ecx, edi
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)
		mov	eax, [edi+20h]
		mov	dword ptr [eax+18h], 6
		mov	eax, [edi+20h]
		or	dword ptr [eax+90h], 2

loc_749CA9:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+77Cj
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+78Ej
		push	[ebp+arg_14]
		mov	edx, [ebp+var_110]
		mov	ecx, edi
		call	CmpReorganizeHive
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, edi
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	ecx, edi
		call	_HvLockHiveWriter@4 ; HvLockHiveWriter(x)
		test	esi, esi
		jz	short loc_749CDB
		mov	ecx, edi
		call	HvCheckAndUpdateHiveBackupTimeStamp
		mov	esi, eax
		jmp	short loc_749CE4
; 

loc_749CDB:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+7D0j
		mov	byte ptr [edi+83h], 1
		xor	esi, esi

loc_749CE4:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+7DBj
		mov	ecx, edi
		call	HvUnlockHiveWriter
		mov	ecx, edi
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		test	esi, esi
		jns	short loc_749D05
		push	100h
		jmp	loc_749931
; 

loc_749D05:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+7FBj
		mov	ebx, 1000000h
		lea	esi, [edi+420h]
		test	[ebp+arg_14], ebx
		jnz	short loc_749D48
		call	_CmpLockHiveListExclusive@0 ; CmpLockHiveListExclusive()
		mov	eax, ds:dword_A940F4
		mov	edx, offset _CmpHiveListHead
		cmp	[eax], edx
		jz	short loc_749D2D
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_749D2D:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+828j
		mov	[esi], edx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	ds:dword_A940F4, esi
		call	_CmpUnlockHiveList@0 ; CmpUnlockHiveList()
		mov	ecx, edi
		call	_CmpRecheckHiveVolumePolicy@4 ;	CmpRecheckHiveVolumePolicy(x)
		jmp	short loc_749D4D
; 

loc_749D48:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+815j
		mov	[esi+4], esi
		mov	[esi], esi

loc_749D4D:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+848j
		mov	eax, [ebp+var_134]
		and	dword ptr [edi+1Ch], 0
		mov	[eax], edi
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		mov	[ebp+var_F5], 0
		test	ds:dword_70EFC8, ebx
		jz	short loc_749D86
		push	[ebp+var_124]
		mov	edx, [ebp+var_10C]
		mov	ecx, edi
		push	[ebp+var_110]
		call	_CmpLogHiveInitializeEvent@16 ;	CmpLogHiveInitializeEvent(x,x,x,x)

loc_749D86:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+86Dj
		xor	esi, esi
		jmp	loc_749957
; 

loc_749D8D:				; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+94j
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+9Dj ...
		mov	ecx, [ebp+var_FC]
		mov	esi, 0C000000Dh
		push	0
		push	esi
		push	1
		xor	edx, edx
		call	SetFailureLocation
		jmp	loc_749943
_CmpCreateHive@48 endp

; 
		align 2

;  S U B	R O U T	I N E 


HvUnlockHiveWriter proc	near		; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+7E8p
					; CmpReorganizeHive+1E2p ...

; FUNCTION CHUNK AT 008CE4B5 SIZE 00000014 BYTES

		mov	edi, edi
		push	esi
		lea	esi, [ecx+28h]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_8CE4B5

loc_749DBF:				; CODE XREF: HvUnlockHiveWriter+18470Dj
					; HvUnlockHiveWriter+18471Aj
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
HvUnlockHiveWriter endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall HvLockHiveWriter(x)
_HvLockHiveWriter@4 proc near		; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+7C9p
					; CmpReorganizeHive+1C5p ...
		add	ecx, 28h
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_HvLockHiveWriter@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpReorganizeHive proc near		; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+7B6p

var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_13D		= byte ptr -13Dh
var_13C		= dword	ptr -13Ch
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_5C		= dword	ptr -5Ch
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CE4C9 SIZE 00000700 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 188h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_158], edx
		xor	ecx, ecx
		mov	[ebp+var_168], ebx
		push	esi
		push	edi
		mov	eax, [ebx+20h]
		mov	[ebp+var_164], ecx
		mov	[ebp+var_160], ecx
		mov	[ebp+var_154], ecx
		test	byte ptr [eax+90h], 1
		mov	[ebp+var_150], ecx
		mov	[ebp+var_178], ecx
		mov	[ebp+var_16C], ecx
		jnz	short loc_749E40
		mov	eax, [ebx+64h]
		test	al, 10h
		jnz	short loc_749E39
		cmp	[ebx+400h], ecx
		jz	short loc_749E40

loc_749E39:				; CODE XREF: CmpReorganizeHive+5Dj
		test	eax, 8001h
		jz	short loc_749E55

loc_749E40:				; CODE XREF: CmpReorganizeHive+56j
					; CmpReorganizeHive+65j ...
		mov	esi, ecx

loc_749E42:				; CODE XREF: CmpReorganizeHive+153j
					; CmpReorganizeHive+184703j ...
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_749E55:				; CODE XREF: CmpReorganizeHive+6Cj
		cmp	[ebx+68h], ecx
		jz	short loc_749E40
		call	CmpAcquireShutdownRundown
		test	al, al
		jz	loc_8CE4C9
		test	[ebp+arg_0], 400000h
		jnz	loc_749FCA

loc_749E74:				; CODE XREF: CmpReorganizeHive+1FFj
					; CmpReorganizeHive+184799j ...
		lea	eax, [ebp+var_164]
		push	eax
		call	KeQuerySystemTime
		mov	ecx, [ebx+20h]
		mov	edi, [ebp+var_164]
		mov	esi, [ebp+var_160]
		and	edi, 0FFFFFFFCh
		mov	[ebp+var_180], ecx
		mov	eax, [ecx+0ACh]
		mov	edx, [ecx+0A8h]
		mov	[ebp+var_170], edx
		mov	[ebp+var_144], eax
		cmp	eax, esi
		jb	short loc_749EBE
		ja	loc_749F3C
		cmp	edx, edi
		ja	short loc_749F3C

loc_749EBE:				; CODE XREF: CmpReorganizeHive+E0j
		mov	eax, _CmpReorganizeDelayDays
		mov	ecx, (offset loc_98967E+2)
		mul	ecx
		mov	esi, 15180h
		mov	ecx, eax
		mov	eax, edx
		mul	esi
		mov	esi, eax
		mov	eax, ecx
		mov	ecx, 15180h
		mul	ecx
		mov	ecx, edi
		add	esi, edx
		mov	edx, [ebp+var_170]
		sub	ecx, edx
		mov	[ebp+var_170], ecx
		mov	ecx, [ebp+var_160]
		sbb	ecx, [ebp+var_144]
		cmp	ecx, esi
		ja	short loc_749F30
		jb	short loc_749F0C
		cmp	[ebp+var_170], eax
		jnb	short loc_749F30

loc_749F0C:				; CODE XREF: CmpReorganizeHive+130j
					; CmpReorganizeHive+1F3j
		xor	eax, eax
		mov	esi, eax

loc_749F10:				; CODE XREF: CmpReorganizeHive+1847AEj
					; CmpReorganizeHive+184DDBj ...
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		mov	eax, [ebp+var_16C]
		test	eax, eax
		jnz	loc_8CEBBD

loc_749F23:				; CODE XREF: CmpReorganizeHive+184DF2j
		test	esi, esi
		jns	loc_749E42
		jmp	loc_8CE4CE
; 

loc_749F30:				; CODE XREF: CmpReorganizeHive+12Ej
					; CmpReorganizeHive+138j
		mov	ecx, [ebp+var_180]
		mov	esi, [ebp+var_160]

loc_749F3C:				; CODE XREF: CmpReorganizeHive+E2j
					; CmpReorganizeHive+EAj
		cmp	[ebp+var_158], 0
		jz	loc_8CE585
		mov	ecx, [ebp+var_158]

loc_749F4F:				; CODE XREF: CmpReorganizeHive+1847FAj
		mov	eax, [ebp+var_144]
		cmp	edx, 2
		jnz	short loc_749F5E
		test	eax, eax
		jz	short loc_749F7D

loc_749F5E:				; CODE XREF: CmpReorganizeHive+186j
		cmp	edx, 1
		jnz	short loc_749FDC
		xor	edx, edx
		cmp	eax, edx
		jz	loc_8CE5D1

loc_749F6D:				; CODE XREF: CmpReorganizeHive+20Cj
		test	dword ptr [ebx+980h], 400h
		jnz	loc_8CE5D1

loc_749F7D:				; CODE XREF: CmpReorganizeHive+18Aj
		mov	edx, ecx
		or	edi, 2
		mov	ecx, ebx
		call	CmpClearKeyAccessBits
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, ebx
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	ecx, ebx
		call	_HvLockHiveWriter@4 ; HvLockHiveWriter(x)
		mov	ecx, ebx
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)
		mov	eax, [ebx+20h]
		mov	ecx, ebx
		mov	[eax+0A8h], edi
		mov	[eax+0ACh], esi
		call	HvUnlockHiveWriter
		mov	ecx, ebx
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		jmp	loc_749F0C
; 

loc_749FCA:				; CODE XREF: CmpReorganizeHive+9Cj
		call	_ExIsSoftBoot@0	; ExIsSoftBoot()
		test	al, al
		jz	loc_749E74
		jmp	loc_8CE553
; 

loc_749FDC:				; CODE XREF: CmpReorganizeHive+18Fj
		xor	edx, edx
		jmp	short loc_749F6D
CmpReorganizeHive endp


;  S U B	R O U T	I N E 


; int __fastcall CmpHiveInitialize(void	*)
_CmpHiveInitialize@4 proc near		; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+1E5p
					; CmpCreateEmptyHiveClone(x,x)+33p
		mov	edi, edi
		push	esi
		push	edi
		push	0C00h		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi	; void *
		call	_HvHiveInitialize@4 ; HvHiveInitialize(x)
		lea	eax, [esi+420h]
		mov	dword ptr [esi+9D8h], 1
		mov	[esi+0BF4h], edi
		lea	ecx, [esi+430h]
		mov	[eax+4], eax
		mov	[eax], eax
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	[esi+448h], edi
		lea	eax, [esi+984h]
		mov	[esi+484h], edi
		mov	ecx, esi
		mov	dword ptr [esi+6FCh], 10h
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+428h]
		pop	edi
		mov	[eax+4], eax
		mov	[eax], eax
		pop	esi
		jmp	_CmpInitSecurityCache@4	; CmpInitSecurityCache(x)
_CmpHiveInitialize@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpInitSecurityCache(x)
_CmpInitSecurityCache@4	proc near	; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+357p
					; CmpHiveInitialize(x)+74j ...
		or	dword ptr [ecx+4C8h], 0FFFFFFFFh
		xor	eax, eax
		mov	[ecx+4CCh], eax
		mov	[ecx+4C4h], eax
		mov	[ecx+4C0h], eax
		add	ecx, 4D0h
		push	40h
		pop	eax

loc_74A07E:				; CODE XREF: CmpInitSecurityCache(x)+2Fj
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		add	ecx, 8
		sub	eax, 1
		jnz	short loc_74A07E
		retn
_CmpInitSecurityCache@4	endp


;  S U B	R O U T	I N E 


; int __fastcall HvHiveInitialize(void *)
_HvHiveInitialize@4 proc near		; CODE XREF: CmpHiveInitialize(x)+19p
					; CmpGetSystemControlValues+8Bp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	400h		; size_t
		xor	ebx, ebx
		mov	esi, ecx
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [esi], 0BEE0BEE0h
		lea	eax, [esi+258h]
		push	2
		pop	ecx

loc_74A0B3:				; CODE XREF: HvHiveInitialize(x)+3Bj
		or	dword ptr [eax-184h], 0FFFFFFFFh
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 19Ch
		sub	ecx, 1
		jnz	short loc_74A0B3
		lea	edx, [esi+0A0h]
		mov	[esi+24h], ebx
		push	0Ah
		mov	[esi+28h], ebx
		xor	eax, eax
		pop	ecx
		mov	edi, edx
		rep stosd
		pop	edi
		pop	esi
		mov	[edx+20h], ebx
		mov	[edx+24h], ebx
		pop	ebx
		retn
_HvHiveInitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvHiveStartFileBacked proc near		; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+53Fp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_5		= byte ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 008CEBC9 SIZE 0000008E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_14], 0
		mov	al, dl
		and	[ebp+var_10], 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_5], al
		push	esi
		push	edi
		cmp	dword ptr [ebx], 0BEE0BEE0h
		jnz	loc_74A304
		mov	edi, [ebp+arg_0]
		test	edi, 0FF617CECh
		jnz	loc_74A304
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 2
		ja	loc_74A304
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	loc_74A304
		cmp	esi, 8
		ja	loc_74A304
		test	al, al
		jnz	loc_74A20C

loc_74A145:				; CODE XREF: HvHiveStartFileBacked+12Aj
		mov	edx, [ebp+arg_8]
		mov	[ebx+64h], edi
		test	edx, edx
		jz	short loc_74A166
		mov	eax, [edx]
		mov	[ebx+0Ch], eax
		mov	eax, [edx+4]
		mov	[ebx+10h], eax
		mov	eax, [edx+0Ch]
		mov	[ebx+14h], eax
		mov	eax, [edx+10h]
		mov	[ebx+18h], eax

loc_74A166:				; CODE XREF: HvHiveStartFileBacked+65j
		test	ecx, ecx
		jz	loc_74A2FB
		dec	ecx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 3
		inc	ecx
		mov	[ebx+68h], ecx

loc_74A17A:				; CODE XREF: HvHiveStartFileBacked+217j
		lea	eax, [ebp+var_14]
		mov	dword ptr [ebx+48h], 1000h
		push	eax
		mov	[ebx+4Ch], esi
		mov	dword ptr [ebx+98h], 2
		mov	dword ptr [ebx+4], offset _HvpGetCellPaged@12 ;	HvpGetCellPaged(x,x,x)
		mov	dword ptr [ebx+8], offset HvpReleaseCellPaged
		call	KeQuerySystemTime
		cmp	[ebp+var_5], 0
		jnz	short loc_74A217
		call	CmpTraceHiveMountStart
		mov	edx, offset _CmpRegistryProcess
		mov	ecx, ebx
		call	HvLoadHive
		mov	esi, eax
		mov	ecx, esi
		call	CmpTraceHiveMountStop
		test	esi, esi
		js	loc_8CEBD2
		cmp	esi, 40000009h
		mov	esi, [ebp+arg_20]
		jz	loc_8CEC27

loc_74A1DC:				; CODE XREF: HvHiveStartFileBacked+184B41j
					; HvHiveStartFileBacked+184B4Aj
		mov	eax, [ebp+arg_24]
		test	eax, eax
		jz	short loc_74A1E9
		mov	dword ptr [eax], 31334D43h

loc_74A1E9:				; CODE XREF: HvHiveStartFileBacked+F9j
		mov	ecx, [ebx+20h]
		test	byte ptr [ecx+90h], 1
		jnz	loc_8CEC37

loc_74A1F9:				; CODE XREF: HvHiveStartFileBacked+184B6Aj
		mov	edx, [ebp+arg_14]
		call	_HvpFillFileName@8 ; HvpFillFileName(x,x)

loc_74A201:				; CODE XREF: HvHiveStartFileBacked+202j
					; HvHiveStartFileBacked+20Ej
		xor	esi, esi

loc_74A203:				; CODE XREF: HvHiveStartFileBacked+184AF9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	2Ch
; 

loc_74A20C:				; CODE XREF: HvHiveStartFileBacked+57j
		and	edi, 0FFFDFFFFh
		jmp	loc_74A145
; 

loc_74A217:				; CODE XREF: HvHiveStartFileBacked+C1j
		push	31314D43h
		push	1
		push	dword ptr [ebx+48h]
		call	dword ptr [ebx+0Ch]
		mov	esi, eax
		mov	[ebp+arg_0], esi
		test	esi, esi
		jz	loc_8CEBC9
		push	dword ptr [ebx+48h] ; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edx, [ebp+arg_14]
		xor	eax, eax
		and	dword ptr [esi+1Ch], 0
		inc	eax
		or	dword ptr [esi+24h], 0FFFFFFFFh
		add	esp, 0Ch
		and	dword ptr [esi+28h], 0
		mov	ecx, esi
		mov	dword ptr [esi], 66676572h
		mov	[esi+4], eax
		mov	[esi+8], eax
		mov	[esi+20h], eax
		mov	[esi+2Ch], eax
		call	_HvpFillFileName@8 ; HvpFillFileName(x,x)
		and	dword ptr [esi+90h], 0
		and	edi, 80000h
		jnz	loc_8CEBE6

loc_74A27D:				; CODE XREF: HvHiveStartFileBacked+184B08j
		neg	edi
		mov	dword ptr [esi+14h], 1
		sbb	edi, edi
		and	edi, 3
		add	edi, 3
		mov	[esi+18h], edi
		mov	[ebx+9Ch], edi
		mov	eax, [ebp+var_14]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_10]
		mov	[esi+10h], eax
		mov	eax, [ebp+arg_18]
		mov	dword ptr [esi+0A4h], 6D746D72h
		test	eax, eax
		jnz	loc_8CEBF5

loc_74A2B8:				; CODE XREF: HvHiveStartFileBacked+184B28j
		cmp	[ebp+arg_1C], 0
		jnz	loc_8CEC15

loc_74A2C2:				; CODE XREF: HvHiveStartFileBacked+184B3Aj
		mov	ecx, [ebp+arg_0]
		call	_HvpHeaderCheckSum@4 ; HvpHeaderCheckSum(x)
		mov	[ecx+1FCh], eax
		xor	eax, eax
		inc	eax
		mov	[ebx+20h], ecx
		mov	[ebx+78h], eax
		mov	[ebx+6Ch], eax
		mov	[ebx+70h], eax
		mov	[ebx+82h], al
		mov	eax, [ebp+arg_24]
		test	eax, eax
		jz	loc_74A201
		mov	dword ptr [eax], 31314D43h
		jmp	loc_74A201
; 

loc_74A2FB:				; CODE XREF: HvHiveStartFileBacked+80j
		and	dword ptr [ebx+68h], 0
		jmp	loc_74A17A
; 

loc_74A304:				; CODE XREF: HvHiveStartFileBacked+20j
					; HvHiveStartFileBacked+2Fj ...
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
HvHiveStartFileBacked endp


;  S U B	R O U T	I N E 


; __stdcall HvpFillFileName(x, x)
_HvpFillFileName@8 proc	near		; CODE XREF: HvHiveStartFileBacked+114p
					; HvHiveStartFileBacked+17Dp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	40h
		pop	ebx
		push	ebx		; size_t
		lea	edi, [ecx+30h]
		mov	esi, edx
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	short loc_74A34E
		movzx	ecx, word ptr [esi]
		mov	eax, ecx
		cmp	cx, bx
		jb	short loc_74A352
		push	3Eh
		pop	edx

loc_74A334:				; CODE XREF: HvpFillFileName(x,x)+4Aj
		add	eax, 0FFFFFFC2h
		cmp	cx, bx
		push	edx		; size_t
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax
		add	ecx, [esi+4]
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_74A34E:				; CODE XREF: HvpFillFileName(x,x)+1Bj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_74A352:				; CODE XREF: HvpFillFileName(x,x)+25j
		mov	edx, eax
		jmp	short loc_74A334
_HvpFillFileName@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpVolumeContextMustHiveFilePagesBeKeptLocal(x)
_CmpVolumeContextMustHiveFilePagesBeKeptLocal@4	proc near
					; CODE XREF: CmpRecheckHiveVolumePolicy(x)+1Dp
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+4ADp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		lea	edi, [esi+24h]
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		cmp	byte ptr [esi+28h], 0
		push	11h
		setz	bl
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_74A38B

loc_74A37E:				; CODE XREF: CmpVolumeContextMustHiveFilePagesBeKeptLocal(x)+3Cj
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_74A38B:				; CODE XREF: CmpVolumeContextMustHiveFilePagesBeKeptLocal(x)+26j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_74A37E
_CmpVolumeContextMustHiveFilePagesBeKeptLocal@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpVolumeManagerGetContextForFile proc near
					; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+49Cp
					; CmpVolumeManagerGetContextForFilePath(x,x,x,x)+5Ap

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CEC57 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		lea	ecx, [ebp+var_1C]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_24], eax
		lea	edi, [ebp+var_14]
		xor	eax, eax
		xor	esi, esi
		stosd
		mov	ebx, esi
		push	esi
		push	ecx
		push	esi
		stosd
		mov	[ebp+var_18], ebx
		mov	[ebp+var_1C], esi
		stosd
		stosd
		mov	eax, _CmIoFileObjectType
		mov	eax, [eax]
		push	eax
		push	80h
		push	edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74A469
		mov	eax, [ebp+var_1C]
		push	dword ptr [eax+4]
		call	IoGetAttachedDeviceReference
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_20], eax
		push	ecx
		push	eax
		call	_IoVolumeDeviceToGuid@8	; IoVolumeDeviceToGuid(x,x)
		mov	esi, eax
		cmp	esi, 0C000000Dh
		jz	loc_8CEC57
		cmp	esi, 0C00000BBh
		jz	loc_8CEC57
		cmp	esi, 0C0000010h
		jz	loc_8CEC57
		test	esi, esi
		js	short loc_74A45B
		mov	edi, offset _CmpVolumeManager
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		lea	edx, [ebp+var_14]
		mov	ecx, edi
		call	CmpVolumeManagerGetContextForGuidUnsafe
		mov	ecx, edi
		mov	esi, eax
		call	_CmpVolumeManagerUnlockContextListShared@4 ; CmpVolumeManagerUnlockContextListShared(x)
		test	esi, esi
		jz	short loc_74A48A

loc_74A44C:				; CODE XREF: CmpVolumeManagerGetContextForFile+14Bj
		mov	eax, [ebp+var_24]
		mov	[eax], esi
		xor	esi, esi

loc_74A453:				; CODE XREF: CmpVolumeManagerGetContextForFile+15Dj
		test	ebx, ebx
		jnz	loc_8CEC81

loc_74A45B:				; CODE XREF: CmpVolumeManagerGetContextForFile+91j
					; CmpVolumeManagerGetContextForFile+1848F4j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_74A469
		mov	ecx, eax
		call	ObfDereferenceObject

loc_74A469:				; CODE XREF: CmpVolumeManagerGetContextForFile+4Bj
					; CmpVolumeManagerGetContextForFile+CCj
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_74A477
		mov	ecx, eax
		call	ObfDereferenceObject

loc_74A477:				; CODE XREF: CmpVolumeManagerGetContextForFile+DAj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_74A48A:				; CODE XREF: CmpVolumeManagerGetContextForFile+B6j
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_18]
		push	eax
		mov	ecx, edi
		call	CmpVolumeContextCreate
		mov	esi, eax
		test	esi, esi
		js	short loc_74A4EE
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		lea	edx, [ebp+var_14]
		mov	ecx, edi
		call	CmpVolumeManagerGetContextForGuidUnsafe
		mov	esi, eax
		test	esi, esi
		jnz	short loc_74A4E4

loc_74A4B7:				; CODE XREF: CmpVolumeManagerGetContextForFile+1848E8j
		mov	ecx, ds:dword_A940E8
		mov	eax, offset dword_A940E4
		cmp	[ecx], eax
		jnz	short loc_74A4E9
		mov	esi, [ebp+var_18]
		xor	ebx, ebx
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	ds:dword_A940E8, esi

loc_74A4D8:				; CODE XREF: CmpVolumeManagerGetContextForFile+153j
		mov	ecx, edi
		call	CmpVolumeManagerUnlockContextListExclusive
		jmp	loc_74A44C
; 

loc_74A4E4:				; CODE XREF: CmpVolumeManagerGetContextForFile+121j
		mov	ebx, [ebp+var_18]
		jmp	short loc_74A4D8
; 

loc_74A4E9:				; CODE XREF: CmpVolumeManagerGetContextForFile+130j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_74A4EE:				; CODE XREF: CmpVolumeManagerGetContextForFile+108j
					; CmpVolumeManagerGetContextForFile+1848D9j
		mov	ebx, [ebp+var_18]
		jmp	loc_74A453
CmpVolumeManagerGetContextForFile endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpVolumeManagerGetContextForGuidUnsafe	proc near
					; CODE XREF: CmpVolumeManagerGetContextForFile+A6p
					; CmpVolumeManagerGetContextForFile+118p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CEC8D SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		lea	ebx, [ecx+4]
		mov	eax, edx
		mov	esi, [ebx]
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], eax
		cmp	esi, ebx
		jz	short loc_74A53A

loc_74A50F:				; CODE XREF: CmpVolumeManagerGetContextForGuidUnsafe+1847A4j
		push	10h		; size_t
		push	eax		; void *
		lea	eax, [esi+10h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8CEC8D
		mov	edi, esi
		test	esi, esi
		jz	short loc_74A53A
		xor	ecx, ecx
		inc	ecx
		lock xadd [esi+0Ch], ecx
		inc	ecx
		cmp	ecx, 1
		jle	short loc_74A541

loc_74A53A:				; CODE XREF: CmpVolumeManagerGetContextForGuidUnsafe+17j
					; CmpVolumeManagerGetContextForGuidUnsafe+34j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_74A541:				; CODE XREF: CmpVolumeManagerGetContextForGuidUnsafe+42j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_74A53A
CmpVolumeManagerGetContextForGuidUnsafe	endp


;  S U B	R O U T	I N E 


; __stdcall CmpVolumeManagerUnlockContextListShared(x)
_CmpVolumeManagerUnlockContextListShared@4 proc	near
					; CODE XREF: CmpVolumeManagerGetContextForFile+AFp
		mov	edi, edi
		push	esi
		push	11h
		mov	esi, ecx
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_74A563

loc_74A55B:				; CODE XREF: CmpVolumeManagerUnlockContextListShared(x)+20j
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
; 

loc_74A563:				; CODE XREF: CmpVolumeManagerUnlockContextListShared(x)+11j
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_74A55B
_CmpVolumeManagerUnlockContextListShared@4 endp

; 
		align 10h
; Exported entry 1043. IoVolumeDeviceToGuid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoVolumeDeviceToGuid(x, x)
		public _IoVolumeDeviceToGuid@8
_IoVolumeDeviceToGuid@8	proc near	; CODE XREF: CmpVolumeManagerGetContextForFile+64p
					; FsRtlVolumeDeviceToCorrelationId(x,x)+65p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		and	[ebp+var_4], eax
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_0]
		call	IoVolumeDeviceToGuidPath
		test	eax, eax
		js	short loc_74A5C7
		mov	eax, [ebp+var_8]
		mov	edi, [ebp+var_4]
		add	eax, 0FFFFFFECh
		push	[ebp+arg_4]
		mov	word ptr [ebp+var_10], ax
		mov	eax, [ebp+var_8+2]
		add	eax, 0FFFFFFECh
		mov	word ptr [ebp+var_10+2], ax
		lea	eax, [edi+14h]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		push	0
		push	edi
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_74A5C7:				; CODE XREF: IoVolumeDeviceToGuid(x,x)+20j
		pop	edi
		pop	esi
		leave
		retn	8
_IoVolumeDeviceToGuid@8	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1044. IoVolumeDeviceToGuidPath

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoVolumeDeviceToGuidPath
IoVolumeDeviceToGuidPath proc near	; CODE XREF: IoVolumeDeviceToGuid(x,x)+19p
					; CmpVolumeContextStart+5Bp ...

var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_208		= dword	ptr -208h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CEC9F SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 238h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+238h+var_4], eax
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		lea	edi, [esp+240h+var_218]
		mov	[esp+240h+var_224], ecx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		xor	edi, edi
		mov	[esp+240h+var_22C], eax
		mov	eax, [ecx+2Ch]
		mov	[esp+240h+var_220], edi
		mov	[esp+240h+var_21C], edi
		mov	[esp+240h+var_234], edi
		mov	[esp+240h+var_230], edi
		mov	[esp+240h+var_228], edi
		cmp	eax, 7
		jnz	loc_8CEC9F

loc_74A62C:				; CODE XREF: IoVolumeDeviceToGuidPath+1846D0j
					; IoVolumeDeviceToGuidPath+1846D9j ...
		push	edi
		push	edi
		lea	eax, [esp+248h+var_218]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+240h+var_220]
		push	eax
		lea	eax, [esp+244h+var_218]
		push	eax
		push	edi
		push	200h
		lea	eax, [esp+250h+var_208]
		push	eax
		push	edi
		push	edi
		mov	edi, [esp+25Ch+var_224]
		push	edi
		push	4D0008h
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	loc_8CECC4
		mov	edx, eax
		mov	ecx, edi
		call	IofCallDriver
		mov	ecx, eax
		cmp	ecx, 103h
		jz	loc_8CECCE

loc_74A67D:				; CODE XREF: IoVolumeDeviceToGuidPath+184710j
		test	ecx, ecx
		js	short loc_74A6CF
		mov	ax, word ptr [esp+240h+var_208]
		mov	ecx, 1FEh
		cmp	ax, cx
		jnb	short loc_74A6E7

loc_74A690:				; CODE XREF: IoVolumeDeviceToGuidPath+117j
		mov	word ptr [esp+240h+var_234], ax
		mov	word ptr [esp+240h+var_234+2], ax
		lea	eax, [esp+240h+var_208+2]
		mov	[esp+240h+var_230], eax
		lea	eax, [esp+240h+var_22C]
		push	eax
		lea	eax, [esp+244h+var_234]
		push	eax
		call	IoVolumeDeviceNameToGuidPath
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_74A6CF
		mov	ax, word ptr [esp+240h+var_22C]
		mov	[esi], ax
		mov	ax, word ptr [esp+240h+var_22C+2]
		mov	[esi+2], ax
		mov	eax, [esp+240h+var_228]
		mov	[esi+4], eax

loc_74A6CF:				; CODE XREF: IoVolumeDeviceToGuidPath+ADj
					; IoVolumeDeviceToGuidPath+E3j	...
		mov	eax, ecx
		mov	ecx, [esp+240h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_74A6E7:				; CODE XREF: IoVolumeDeviceToGuidPath+BCj
		mov	eax, ecx
		jmp	short loc_74A690
IoVolumeDeviceToGuidPath endp

; 
		align 10h
; Exported entry 1041. IoVolumeDeviceNameToGuidPath

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoVolumeDeviceNameToGuidPath
IoVolumeDeviceNameToGuidPath proc near	; CODE XREF: IoVolumeDeviceToGuidPath+DAp
					; IoVolumeDeviceNameToGuid(x,x)+17p

var_66		= byte ptr -66h
var_65		= byte ptr -65h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CECE7 SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+68h+var_4], eax
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		mov	[esp+68h+var_48], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [esp+70h+var_38]
		mov	[esp+70h+var_58], ecx
		stosd
		mov	[esp+70h+var_44], edx
		mov	[esp+70h+var_66], dl
		mov	[esp+70h+var_50], edx
		stosd
		mov	[esp+70h+var_4C], edx
		mov	[esp+70h+var_40], edx
		mov	[esp+70h+var_3C], edx
		stosd
		mov	[esp+70h+var_54], edx
		mov	[esp+70h+var_65], dl
		mov	[esp+70h+var_64], edx
		stosd
		movzx	eax, word ptr [ecx]
		mov	ecx, 0F000h
		cmp	ax, cx
		ja	loc_8CECE7
		lea	esi, [eax+1Ah]
		push	20473244h
		push	esi
		push	1
		mov	[esp+7Ch+var_60], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+70h+var_5C], edi
		test	edi, edi
		jz	loc_8CECF1
		push	esi		; size_t
		xor	esi, esi
		push	esi		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [esp+7Ch+var_58]
		xor	eax, eax
		mov	[edi+4], ax
		add	esp, 0Ch
		mov	[edi+0Ch], ax
		mov	[edi], esi
		mov	[edi+8], esi
		mov	dword ptr [edi+10h], 18h
		mov	ax, [ecx]
		mov	[edi+14h], ax
		movzx	eax, word ptr [ecx]
		push	eax		; size_t
		push	dword ptr [ecx+4] ; void *
		lea	eax, [edi+18h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [esp+70h+var_40]
		push	offset ??_C@_1DE@MJJBHHAG@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAM?$AAo?$AAu?$AAn?$AAt?$AAP?$AAo@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+70h+var_64]
		push	eax
		lea	eax, [esp+74h+var_54]
		push	eax
		push	80h
		lea	eax, [esp+7Ch+var_40]
		push	eax
		call	IoGetDeviceObjectPointer
		mov	esi, eax
		test	esi, esi
		js	loc_74A9C5
		xor	esi, esi
		mov	[esp+70h+var_65], 1
		push	esi
		push	esi
		lea	eax, [esp+78h+var_38]
		push	eax
		lea	edi, [esp+7Ch+var_28]
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+70h+var_50]
		push	eax
		lea	eax, [esp+74h+var_38]
		push	eax
		push	esi
		push	20h
		mov	eax, edi
		push	eax
		push	[esp+84h+var_60]
		push	[esp+88h+var_5C]
		push	[esp+8Ch+var_64]
		push	offset unk_6D0008
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	loc_8CECFF
		mov	ecx, [esp+70h+var_64]
		mov	edx, eax
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_8CED09

loc_74A84A:				; CODE XREF: IoVolumeDeviceNameToGuidPath+18462Dj
		test	esi, esi
		jns	short loc_74A85A
		cmp	esi, 80000005h
		jnz	loc_74A986

loc_74A85A:				; CODE XREF: IoVolumeDeviceNameToGuidPath+15Cj
		mov	esi, [esp+70h+var_28]
		add	esi, 20h
		cmp	esi, 0FFFFh
		ja	loc_8CED22
		push	20473244h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8CECFF
		push	0
		push	0
		lea	eax, [esp+78h+var_38]
		mov	[esp+78h+var_66], 1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+70h+var_50]
		push	eax
		lea	eax, [esp+74h+var_38]
		push	eax
		push	0
		push	esi
		push	edi
		push	[esp+84h+var_60]
		push	[esp+88h+var_5C]
		push	[esp+8Ch+var_64]
		push	offset unk_6D0008
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	loc_8CECFF
		mov	ecx, [esp+70h+var_64]
		mov	edx, eax
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_8CED2C

loc_74A8DC:				; CODE XREF: IoVolumeDeviceNameToGuidPath+184650j
		test	esi, esi
		js	loc_74A986
		and	[esp+70h+var_60], 0
		mov	esi, 0C0000225h
		cmp	dword ptr [edi+4], 0
		jbe	loc_74A986
		lea	eax, [edi+8]
		mov	[esp+70h+var_64], eax

loc_74A8FF:				; CODE XREF: IoVolumeDeviceNameToGuidPath+242j
		mov	eax, [eax]
		add	eax, edi
		push	0Ah		; size_t
		push	eax		; wchar_t *
		push	offset a??Volume ; "\\??\\Volume"
		mov	[esp+7Ch+var_58], eax
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		mov	eax, [esp+70h+var_64]
		jz	short loc_74A936
		mov	ecx, [esp+70h+var_60]
		add	eax, 18h
		inc	ecx
		mov	[esp+70h+var_64], eax
		mov	[esp+70h+var_60], ecx
		cmp	ecx, [edi+4]
		jb	short loc_74A8FF
		jmp	short loc_74A986
; 

loc_74A936:				; CODE XREF: IoVolumeDeviceNameToGuidPath+22Dj
		movzx	eax, word ptr [eax+4]
		mov	esi, [esp+70h+var_48]
		push	20473244h
		mov	[esi], ax
		add	eax, 2
		mov	[esi+2], ax
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esi+4], ecx
		test	ecx, ecx
		jz	loc_8CECFB
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	[esp+74h+var_58] ; void	*
		push	ecx		; void *
		call	_memcpy
		movzx	ecx, word ptr [esi]
		xor	edx, edx
		mov	eax, [esi+4]
		add	esp, 0Ch
		shr	ecx, 1
		xor	esi, esi
		mov	[eax+ecx*2], dx

loc_74A986:				; CODE XREF: IoVolumeDeviceNameToGuidPath+164j
					; IoVolumeDeviceNameToGuidPath+1EEj ...
		push	0
		push	[esp+74h+var_5C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[esp+70h+var_66], 0
		jz	short loc_74A9A0
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_74A9A0:				; CODE XREF: IoVolumeDeviceNameToGuidPath+2A6j
		cmp	[esp+70h+var_65], 0
		jz	short loc_74A9B0
		mov	ecx, [esp+70h+var_54]
		call	ObfDereferenceObject

loc_74A9B0:				; CODE XREF: IoVolumeDeviceNameToGuidPath+2B5j
					; IoVolumeDeviceNameToGuidPath+1845FCj	...
		mov	ecx, [esp+70h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_74A9C5:				; CODE XREF: IoVolumeDeviceNameToGuidPath+F6j
		mov	edi, [esp+70h+var_44]
		jmp	short loc_74A986
IoVolumeDeviceNameToGuidPath endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSynchronousCall proc	near		; CODE XREF: PnpSendIrp+45p
					; PnpIrpDeviceEnumerated(x)+28p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008CED45 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+30h+var_20], edx
		lea	edi, [esp+30h+var_10]
		mov	esi, 69706E50h
		stosd
		mov	edx, esi
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[esp+30h+var_18], edi
		mov	[esp+30h+var_14], edi
		call	IoGetAttachedDeviceReferenceWithTag
		mov	ebx, eax
		test	byte ptr [ebx+1Ch], 80h
		jnz	loc_74AACA

loc_74AA0A:				; CODE XREF: IopSynchronousCall+11Bj
		movzx	eax, byte ptr [ebx+30h]
		push	edi
		push	eax
		call	IoAllocateIrp
		mov	esi, eax
		mov	[esp+30h+var_1C], esi
		test	esi, esi
		jz	loc_8CED45
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_IovUtilWatermarkIrp@8 ; IovUtilWatermarkIrp(x,x)
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	[esp+30h+var_18], ecx
		mov	[esi+18h], ecx
		mov	[esp+30h+var_14], eax
		push	edi
		mov	[esi+1Ch], eax
		lea	eax, [esp+34h+var_10]
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+30h+var_18]
		mov	ecx, esi
		mov	[esi+28h], eax
		lea	eax, [esp+30h+var_10]
		mov	[esi+2Ch], eax
		mov	eax, large fs:124h
		mov	[esi+50h], eax
		call	IopQueueThreadIrp
		mov	edi, [esi+60h]
		mov	esi, [esp+30h+var_20]
		sub	edi, 24h
		mov	edx, [esp+30h+var_1C]
		push	9
		pop	ecx
		rep movsd
		mov	ecx, ebx
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	short loc_74AAB4

loc_74AA90:				; CODE XREF: IopSynchronousCall+FCj
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_74AA9D
		mov	eax, [esp+30h+var_14]
		mov	[ecx], eax

loc_74AA9D:				; CODE XREF: IopSynchronousCall+C9j
					; IopSynchronousCall+125j ...
		mov	edx, 69706E50h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_74AAB4:				; CODE XREF: IopSynchronousCall+C2j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+40h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+30h+var_18]
		jmp	short loc_74AA90
; 

loc_74AACA:				; CODE XREF: IopSynchronousCall+38j
		mov	edx, esi
		mov	ecx, ebx
		call	IoGetLowerDeviceObjectWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_74AAEC
		mov	edx, 69706E50h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		mov	ebx, esi
		jmp	loc_74AA0A
; 

loc_74AAEC:				; CODE XREF: IopSynchronousCall+10Bj
		mov	esi, 0C0000184h
		jmp	short loc_74AA9D
IopSynchronousCall endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetVolumeClusterSize	proc near	; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+193p
					; CmpOpenHiveFile+3A1p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CED4F SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		pop	esi
		mov	[ebp+var_4C], edx
		lea	edi, [ebp+var_38]
		mov	edx, ecx
		mov	[ebp+var_20], esi
		xor	eax, eax
		mov	[ebp+var_48], edx
		mov	ecx, esi
		rep stosd
		mov	eax, _CmIoFileObjectType
		lea	ecx, [ebp+var_3C]
		xor	edi, edi
		push	edi
		push	ecx
		mov	eax, [eax]
		push	edi
		push	eax
		push	edi
		push	edx
		mov	[ebp+var_58], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_3C], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_74AC81
		lea	eax, [ebp+var_40]
		xor	ecx, ecx
		push	eax
		lea	edx, [ebp+var_44]
		call	_CmpCreateEvent@12 ; CmpCreateEvent(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74AC90
		mov	eax, [ebp+var_3C]
		push	dword ptr [eax+4]
		call	IoGetAttachedDeviceReference
		mov	ebx, [ebp+var_40]
		mov	esi, eax
		mov	[ebp+var_50], esi
		test	esi, esi
		jz	loc_8CED63
		movzx	ecx, byte ptr [esi+30h]
		push	edi
		push	ecx
		call	IoAllocateIrp
		mov	edi, eax
		test	edi, edi
		jz	loc_8CED6D
		mov	ecx, [edi+60h]
		lea	eax, [ebp+var_20]
		mov	edx, edi
		mov	byte ptr [ecx-24h], 0Eh
		mov	[ecx-10h], esi
		mov	dword ptr [ecx-18h], 2D1400h
		mov	dword ptr [ecx-20h], 1Ch
		mov	dword ptr [ecx-1Ch], 0Ch
		mov	ecx, esi
		mov	[edi+0Ch], eax
		mov	[edi+3Ch], eax
		mov	eax, [edi+60h]
		mov	dword ptr [edi+8], 50h
		mov	dword ptr [edi+18h], 0C00000BBh
		mov	dword ptr [eax-8], offset _CmpGetVolumeClusterSizeCompletion@12	; CmpGetVolumeClusterSizeCompletion(x,x,x)
		mov	[eax-4], ebx
		mov	byte ptr [eax-21h], 0E0h
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_8CED4F

loc_74AC06:				; CODE XREF: CmpGetVolumeClusterSize+18426Aj
		push	edi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		xor	edi, edi

loc_74AC0E:				; CODE XREF: CmpGetVolumeClusterSize+184274j
		mov	ecx, edi
		test	esi, esi
		js	loc_8CED6F
		cmp	[ebp+var_1C], 18h
		jb	short loc_74AC94
		cmp	[ebp+var_C], 0
		jz	short loc_74AC94
		mov	ecx, [ebp+var_C]
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	short loc_74AC94

loc_74AC2E:				; CODE XREF: CmpGetVolumeClusterSize+1A5j
		test	esi, esi
		js	loc_8CED6F

loc_74AC36:				; CODE XREF: CmpGetVolumeClusterSize+18429Cj
		mov	eax, 1000h
		cmp	ecx, eax
		ja	short loc_74AC9B

loc_74AC3F:				; CODE XREF: CmpGetVolumeClusterSize+1A9j
		mov	esi, edi
		cmp	ecx, 200h
		jb	short loc_74AC9F
		shr	ecx, 9
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	short loc_74ACA4

loc_74AC53:				; CODE XREF: CmpGetVolumeClusterSize+1AEj
		mov	eax, [ebp+var_4C]
		mov	[eax], ecx

loc_74AC58:				; CODE XREF: CmpGetVolumeClusterSize+1B5j
					; CmpGetVolumeClusterSize+184293j
		mov	ecx, [ebp+var_50]
		test	ecx, ecx
		jz	short loc_74AC64
		call	ObfDereferenceObject

loc_74AC64:				; CODE XREF: CmpGetVolumeClusterSize+169j
					; CmpGetVolumeClusterSize+19Ej
		mov	ecx, [ebp+var_3C]
		call	ObfDereferenceObject
		test	ebx, ebx
		jz	short loc_74AC7F
		mov	ecx, ebx
		call	ObfDereferenceObject
		push	[ebp+var_44]
		call	_ZwClose@4	; ZwClose(x)

loc_74AC7F:				; CODE XREF: CmpGetVolumeClusterSize+17Aj
		mov	eax, esi

loc_74AC81:				; CODE XREF: CmpGetVolumeClusterSize+66j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_74AC90:				; CODE XREF: CmpGetVolumeClusterSize+7Ej
		mov	ebx, edi
		jmp	short loc_74AC64
; 

loc_74AC94:				; CODE XREF: CmpGetVolumeClusterSize+128j
					; CmpGetVolumeClusterSize+12Ej	...
		mov	esi, 0C0000218h
		jmp	short loc_74AC2E
; 

loc_74AC9B:				; CODE XREF: CmpGetVolumeClusterSize+149j
		mov	ecx, eax
		jmp	short loc_74AC3F
; 

loc_74AC9F:				; CODE XREF: CmpGetVolumeClusterSize+153j
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_74AC53
; 

loc_74ACA4:				; CODE XREF: CmpGetVolumeClusterSize+15Dj
		mov	esi, 0C0000218h
		jmp	short loc_74AC58
CmpGetVolumeClusterSize	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapStart(x, x, x, x,	x)
_HvpViewMapStart@20 proc near		; CODE XREF: HvLoadHive+1B3p
					; HvHiveStartEmptyClone(x,x)+14Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_8]
		push	edi
		push	edx
		xor	edx, edx
		xor	edi, edi
		mov	[esi+1Ch], ecx
		and	cl, 1
		mov	[esi+18h], eax
		movzx	eax, cl
		xor	eax, 1
		mov	[ebp+var_C], edi
		test	cl, cl
		mov	[ebp+var_8], edi
		push	ecx
		setnz	dl
		mov	ecx, esi
		dec	edx
		lea	eax, ds:2[eax*2]
		and	edx, 12h
		push	eax
		add	edx, 5
		call	_CmSiCreateSectionForFile@20 ; CmSiCreateSectionForFile(x,x,x,x,x)
		test	eax, eax
		js	short loc_74AD42
		mov	ecx, [esi]
		lea	edx, [ebp+var_C]
		call	_CmSiGetSectionLength@8	; CmSiGetSectionLength(x,x)
		test	eax, eax
		js	short loc_74AD42
		mov	eax, [ebp+var_8]
		mov	edx, 1000h
		mov	ecx, [ebp+var_C]
		mov	[esi+10h], ecx
		mov	[esi+14h], eax
		cmp	eax, edi
		jg	short loc_74AD21
		jl	short loc_74AD48
		cmp	ecx, edx
		jb	short loc_74AD48

loc_74AD21:				; CODE XREF: HvpViewMapStart(x,x,x,x,x)+6Dj
		mov	eax, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		add	eax, 1000h
		mov	[esi+0Ch], edi
		push	eax
		push	edi
		push	edx
		mov	dl, 1
		mov	[esi+8], eax
		call	HvpViewMapCreateViewsForRegion
		test	eax, eax
		js	short loc_74AD42
		mov	eax, edi

loc_74AD42:				; CODE XREF: HvpViewMapStart(x,x,x,x,x)+4Aj
					; HvpViewMapStart(x,x,x,x,x)+58j ...
		pop	edi
		pop	esi
		leave
		retn	0Ch
; 

loc_74AD48:				; CODE XREF: HvpViewMapStart(x,x,x,x,x)+6Fj
					; HvpViewMapStart(x,x,x,x,x)+73j
		mov	eax, 0C000014Ch
		jmp	short loc_74AD42
_HvpViewMapStart@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTraceHiveMountStop proc near		; CODE XREF: HvHiveStartFileBacked+D8p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CED95 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_MOUNT_STOP
		mov	[ebp+var_2C], ecx
		lea	edi, [ebp+var_28]
		lea	eax, [ebp+var_28]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8CED95

loc_74AD92:				; CODE XREF: CmpTraceHiveMountStop+18406Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpTraceHiveMountStop endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTraceHiveMountStart proc near	; CODE XREF: HvHiveStartFileBacked+C3p

var_18		= dword	ptr -18h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CEDC1 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_MOUNT_START
		lea	edi, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8CEDC1

loc_74ADDF:				; CODE XREF: CmpTraceHiveMountStart+184031j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpTraceHiveMountStart endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall HvViewMapContainsLockedPages(x)
_HvViewMapContainsLockedPages@4	proc near ; CODE XREF: CmpRecheckHiveVolumePolicy(x)+84p
		mov	al, [ecx+1Ch]
		shr	al, 2
		and	al, 1
		retn
_HvViewMapContainsLockedPages@4	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1414. MmGetSystemRoutineAddress

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmGetSystemRoutineAddress
MmGetSystemRoutineAddress proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CEDD6 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi

loc_74AE0C:				; CODE XREF: MmGetSystemRoutineAddress+183FE6j
		push	1
		push	[ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		call	RtlUnicodeStringToAnsiString
		test	eax, eax
		js	loc_8CEDD6
		push	[ebp+var_4]
		push	ds:_PsNtosImageBase
		call	_RtlFindExportedRoutineByName@8	; RtlFindExportedRoutineByName(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_74AE46

loc_74AE36:				; CODE XREF: MmGetSystemRoutineAddress+5Aj
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlFreeAnsiString@4 ; RtlFreeAnsiString(x)
		mov	eax, esi
		pop	esi
		leave
		retn	4
; 

loc_74AE46:				; CODE XREF: MmGetSystemRoutineAddress+38j
		push	[ebp+var_4]
		push	ds:_PsHalImageBase
		call	_RtlFindExportedRoutineByName@8	; RtlFindExportedRoutineByName(x,x)
		mov	esi, eax
		jmp	short loc_74AE36
MmGetSystemRoutineAddress endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapUnCOWAndSealRange(x, x, x)
_HvpViewMapUnCOWAndSealRange@12	proc near ; CODE XREF: HvUnCOWReconciledPages+138p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	ebx, [edx+1000h]
		xor	edx, edx
		mov	eax, ecx
		add	esi, ebx
		mov	[ebp+var_C], eax
		push	edx
		pop	ecx
		adc	ecx, edx
		mov	[ebp+arg_0], esi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], edx
		cmp	edx, ecx
		jb	short loc_74AE93
		ja	loc_74AF26
		cmp	ebx, esi
		jnb	loc_74AF26

loc_74AE93:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+2Bj
		push	edi
		lea	edi, [eax+20h]

loc_74AE97:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+BFj
					; HvpViewMapUnCOWAndSealRange(x,x,x)+C7j
		test	byte ptr [edi+4], 1
		mov	ecx, [edi]
		jz	short loc_74AEA9
		test	ecx, ecx
		jnz	short loc_74AEA7
		mov	ecx, edx
		jmp	short loc_74AEA9
; 

loc_74AEA7:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+49j
		xor	ecx, edi

loc_74AEA9:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+45j
					; HvpViewMapUnCOWAndSealRange(x,x,x)+4Dj
		movzx	edx, byte ptr [edi+4]
		and	edx, 1
		test	ecx, ecx
		jz	short loc_74AEE0
		mov	esi, [ebp+var_4]

loc_74AEB7:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+75j
		cmp	esi, [ecx+24h]
		jl	short loc_74AEC3
		jg	short loc_74AED1
		cmp	ebx, [ecx+20h]
		jnb	short loc_74AED1

loc_74AEC3:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+62j
		mov	eax, [ecx]

loc_74AEC5:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+DFj
		test	edx, edx
		jnz	short loc_74AF2C

loc_74AEC9:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+D6j
		mov	ecx, eax

loc_74AECB:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+DAj
		test	ecx, ecx
		jnz	short loc_74AEB7
		jmp	short loc_74AEDD
; 

loc_74AED1:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+64j
					; HvpViewMapUnCOWAndSealRange(x,x,x)+69j
		cmp	esi, [ecx+2Ch]
		jl	short loc_74AEDD
		jg	short loc_74AF34
		cmp	ebx, [ecx+28h]
		jnb	short loc_74AF34

loc_74AEDD:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+77j
					; HvpViewMapUnCOWAndSealRange(x,x,x)+7Cj
		mov	esi, [ebp+arg_0]

loc_74AEE0:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+5Aj
		push	dword ptr [ecx+2Ch]
		push	dword ptr [ecx+28h]
		push	[ebp+var_8]
		push	esi
		call	_HvpMinLong64@16 ; HvpMinLong64(x,x,x,x)
		mov	esi, edx
		mov	[ebp+var_10], eax
		push	esi
		push	eax
		push	[ebp+var_4]
		mov	edx, ecx
		mov	ecx, [ebp+var_C]
		push	ebx
		call	_HvpViewMapMakeViewRangeUnCOWByCaller@24 ; HvpViewMapMakeViewRangeUnCOWByCaller(x,x,x,x,x,x)
		mov	eax, [ebp+var_10]
		mov	ebx, eax
		cmp	esi, [ebp+var_8]
		push	0
		mov	[ebp+var_4], esi
		mov	esi, [ebp+arg_0]
		pop	edx
		jg	short loc_74AF25
		jl	loc_74AE97
		cmp	eax, esi
		jb	loc_74AE97

loc_74AF25:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+BDj
		pop	edi

loc_74AF26:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+2Dj
					; HvpViewMapUnCOWAndSealRange(x,x,x)+35j
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_74AF2C:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+6Fj
		test	eax, eax
		jz	short loc_74AEC9
		xor	ecx, eax
		jmp	short loc_74AECB
; 

loc_74AF34:				; CODE XREF: HvpViewMapUnCOWAndSealRange(x,x,x)+7Ej
					; HvpViewMapUnCOWAndSealRange(x,x,x)+83j
		mov	eax, [ecx+4]
		jmp	short loc_74AEC5
_HvpViewMapUnCOWAndSealRange@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipForwardWmiIrp proc near		; CODE XREF: WmipQueryAllData+1E8p
					; WmipSendWmiIrpToTraceDeviceList+9Ep ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CEDE7 SIZE 00000071 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+28h+var_10]
		stosd
		mov	esi, ecx
		mov	ecx, [ebp+arg_0]
		mov	bl, dl
		mov	[esp+28h+var_18], esi
		stosd
		stosd
		stosd
		call	WmipFindRegEntryByDevice
		mov	edi, eax
		test	edi, edi
		jz	loc_8CEDEE
		mov	eax, [edi+18h]
		test	eax, 20000000h
		jnz	loc_8CEDE7
		mov	ecx, [edi+8]
		mov	[esp+28h+var_1C], ecx
		test	eax, 10000000h
		jnz	loc_74B0B8
		cmp	bl, 0Bh
		jz	short loc_74AFD6
		cmp	bl, 8
		jz	short loc_74AFD6
		mov	eax, [ebp+arg_C]
		push	10h		; size_t
		add	eax, 18h
		push	offset _WmipDataProviderPnpidGuid ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8CEE0B
		mov	eax, [ebp+arg_C]
		push	10h		; size_t
		add	eax, 18h
		push	offset _WmipDataProviderPnPIdInstanceNamesGuid ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8CEE0B

loc_74AFD2:				; CODE XREF: WmipForwardWmiIrp+183ED5j
		mov	ecx, [esp+28h+var_1C]

loc_74AFD6:				; CODE XREF: WmipForwardWmiIrp+55j
					; WmipForwardWmiIrp+5Aj ...
		push	ecx
		call	IoGetAttachedDeviceReference
		mov	ecx, _WmipServiceDeviceObject
		mov	[esp+28h+var_14], eax
		mov	bh, [eax+30h]
		inc	bh
		cmp	bh, [ecx+30h]
		jg	loc_74B0AB

loc_74AFF4:				; CODE XREF: WmipForwardWmiIrp+173j
		push	0
		push	1
		lea	eax, [esp+30h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [esi+60h]
		lea	ecx, [esp+28h+var_10]
		mov	edx, esi
		mov	[eax-4], ecx
		mov	dword ptr [eax-8], offset _SmKmGenericCompletion@12 ; SmKmGenericCompletion(x,x,x)
		mov	byte ptr [eax-21h], 0E0h
		mov	ecx, [esi+60h]
		mov	eax, [esp+28h+var_1C]
		mov	[ecx-20h], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx-1Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx-18h], eax
		mov	eax, [ebp+arg_C]
		mov	byte ptr [ecx-24h], 17h
		mov	[ecx-23h], bl
		mov	[ecx-14h], eax
		mov	eax, [esi+60h]
		mov	ecx, [esp+28h+var_14]
		mov	dword ptr [esi+18h], 0C00000BBh
		or	byte ptr [eax+3], 1
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_8CEE3C
		mov	eax, [esp+28h+var_18]

loc_74B065:				; CODE XREF: WmipForwardWmiIrp+183F19j
		cmp	esi, 0C00000BBh
		jz	short loc_74B0EB

loc_74B06D:				; CODE XREF: WmipForwardWmiIrp+1B9j
		cmp	bl, 0Bh
		jz	short loc_74B092
		cmp	bl, 8
		jz	short loc_74B092

loc_74B077:				; CODE XREF: WmipForwardWmiIrp+15Aj
					; WmipForwardWmiIrp+160j ...
		mov	ecx, edi
		call	WmipUnreferenceRegEntry

loc_74B07E:				; CODE XREF: WmipForwardWmiIrp+183EFDj
		mov	ecx, [esp+28h+var_14]
		call	ObfDereferenceObject

loc_74B087:				; CODE XREF: WmipForwardWmiIrp+1AFj
		mov	eax, esi

loc_74B089:				; CODE XREF: WmipForwardWmiIrp+183EC1j
					; WmipForwardWmiIrp+183ECCj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_74B092:				; CODE XREF: WmipForwardWmiIrp+136j
					; WmipForwardWmiIrp+13Bj
		test	esi, esi
		js	short loc_74B077
		cmp	dword ptr [eax+1Ch], 14h
		jbe	short loc_74B077
		push	edi		; int
		push	[ebp+arg_8]	; void *
		mov	dl, bl
		mov	ecx, eax
		call	WmipTranslatePDOInstanceNames
		jmp	short loc_74B077
; 

loc_74B0AB:				; CODE XREF: WmipForwardWmiIrp+B4j
		cmp	eax, ecx
		jz	loc_74AFF4
		jmp	loc_8CEE24
; 

loc_74B0B8:				; CODE XREF: WmipForwardWmiIrp+4Cj
		and	[esp+28h+var_1C], 0
		lea	eax, [esp+28h+var_1C]
		push	eax
		push	ecx
		push	[ebp+arg_C]
		movzx	eax, bl
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	eax
		call	dword ptr [ecx]
		mov	ecx, [esp+40h+var_34]
		mov	esi, eax
		mov	eax, [esp+40h+var_30]
		mov	[eax+1Ch], ecx
		mov	ecx, edi
		mov	[eax+18h], esi
		call	WmipUnreferenceRegEntry
		jmp	short loc_74B087
; 

loc_74B0EB:				; CODE XREF: WmipForwardWmiIrp+131j
		mov	esi, 0C0000295h
		mov	[eax+18h], esi
		jmp	loc_74B06D
WmipForwardWmiIrp endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFileFlushAndPurge proc near		; CODE XREF: HvWriteHivePrimaryFile+E1p
					; HvValidateOrInvalidatePrimaryFileHeader+7Fp ...

var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CEE58 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	ebx, edx
		stosd
		mov	esi, ecx
		push	0
		push	1
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	edi, edi
		test	dword ptr [esi+64h], 20000h
		jz	short loc_74B130
		test	ebx, ebx
		jz	loc_74B217

loc_74B130:				; CODE XREF: CmpFileFlushAndPurge+2Ej
		mov	ecx, [esi+ebx*4+400h]
		test	ecx, ecx
		jz	loc_74B22A
		cmp	ds:_CmpNoWrite,	0
		jnz	loc_74B22A
		mov	eax, _CmIoFileObjectType
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], edi
		push	0
		push	edx
		mov	eax, [eax]
		push	0
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	loc_74B1FB
		push	ebx
		call	IoGetRelatedDeviceObject
		mov	esi, eax
		push	0
		movzx	eax, byte ptr [esi+30h]
		push	eax
		call	IoAllocateIrp
		mov	edi, eax
		test	edi, edi
		jz	loc_8CEE58
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_14]
		mov	[edi+50h], eax
		mov	edx, edi
		xor	eax, eax
		mov	[edi+64h], ebx
		mov	ebx, [ebp+var_4]
		mov	[edi+54h], eax
		mov	[edi+20h], ax
		mov	[edi+30h], eax
		mov	[edi+24h], al
		mov	[edi+38h], eax
		mov	eax, [edi+60h]
		mov	word ptr [eax-24h], 109h
		mov	[eax-0Ch], ebx
		mov	[eax-10h], esi
		mov	eax, [edi+60h]
		mov	[eax-4], ecx
		mov	ecx, esi
		mov	dword ptr [eax-8], offset _SmKmGenericCompletion@12 ; SmKmGenericCompletion(x,x,x)
		mov	byte ptr [eax-21h], 0E0h
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_74B1FB
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [edi+18h]

loc_74B1FB:				; CODE XREF: CmpFileFlushAndPurge+76j
					; CmpFileFlushAndPurge+EFj ...
		test	ebx, ebx
		jz	short loc_74B206
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_74B206:				; CODE XREF: CmpFileFlushAndPurge+105j
		test	edi, edi
		jz	short loc_74B210
		push	edi
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_74B210:				; CODE XREF: CmpFileFlushAndPurge+110j
					; CmpFileFlushAndPurge+130j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_74B217:				; CODE XREF: CmpFileFlushAndPurge+32j
		mov	ecx, [esi+400h]
		test	ecx, ecx
		jz	short loc_74B22A
		call	CmpDoFileFlush
		mov	esi, eax
		jmp	short loc_74B210
; 

loc_74B22A:				; CODE XREF: CmpFileFlushAndPurge+41j
					; CmpFileFlushAndPurge+4Ej ...
		xor	esi, esi
		jmp	short loc_74B210
CmpFileFlushAndPurge endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTraceHiveFlushWroteLogFile proc near	; CODE XREF: HvWriteLogFile+CAp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CEE62 SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_FLUSH_WROTE_LOG_FILE
		mov	[ebp+var_40], edx
		lea	edi, [ebp+var_38]
		mov	[ebp+var_3C], 1
		lea	eax, [ebp+var_38]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8CEE62

loc_74B277:				; CODE XREF: CmpTraceHiveFlushWroteLogFile+183C69j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpTraceHiveFlushWroteLogFile endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvWriteLogFile	proc near		; CODE XREF: CmpFlushHive+370p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CEE9C SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	dword ptr [esi+64h], 8001h
		jnz	loc_74B35A
		mov	edx, [esi+68h]
		test	edx, edx
		jz	loc_8CEE9C
		cmp	dword ptr [esi+edx*4+400h], 0
		jz	loc_8CEE9C
		mov	eax, [esi+45Ch]
		mov	edi, [esi+458h]
		mov	[ebp+var_4], eax
		mov	eax, [esi+460h]
		mov	ebx, eax
		add	ebx, [esi+74h]
		mov	[ebp+var_C], eax
		push	0
		pop	eax
		adc	eax, eax
		mov	[ebp+var_8], eax
		call	_HvGetCurrentLogFileSizePointer@4 ; HvGetCurrentLogFileSizePointer(x)
		mov	ecx, [ebp+var_8]
		cmp	ecx, [eax+4]
		jl	short loc_74B2F1
		jg	short loc_74B363
		cmp	ebx, [eax]
		ja	short loc_74B363

loc_74B2F1:				; CODE XREF: HvWriteLogFile+63j
					; HvWriteLogFile+E8j
		xor	ebx, ebx
		cmp	[ebp+var_4], ebx
		jbe	short loc_74B31F
		mov	eax, [esi+74h]

loc_74B2FB:				; CODE XREF: HvWriteLogFile+97j
		push	0
		push	1
		push	edi
		mov	[edi], eax
		push	dword ptr [esi+68h]
		push	esi
		call	dword ptr [esi+14h]
		test	eax, eax
		js	short loc_74B35C
		mov	eax, [edi+8]
		add	edi, 0Ch
		add	[esi+74h], eax
		inc	ebx
		mov	eax, [esi+74h]
		cmp	ebx, [ebp+var_4]
		jb	short loc_74B2FB

loc_74B31F:				; CODE XREF: HvWriteLogFile+70j
		mov	edx, [esi+68h]
		mov	ecx, esi
		call	CmpFileFlushAndPurge
		test	eax, eax
		js	short loc_74B35C
		inc	dword ptr [esi+6Ch]
		mov	eax, [esi+68h]
		cmp	eax, 1
		jz	short loc_74B342
		cmp	eax, 4
		mov	eax, 81h
		jnz	short loc_74B347

loc_74B342:				; CODE XREF: HvWriteLogFile+B0j
		mov	eax, 80h

loc_74B347:				; CODE XREF: HvWriteLogFile+BAj
		mov	byte ptr [eax+esi], 1
		mov	esi, [ebp+var_C]
		mov	edx, esi
		call	CmpTraceHiveFlushWroteLogFile
		mov	eax, [ebp+arg_4]
		mov	[eax], esi

loc_74B35A:				; CODE XREF: HvWriteLogFile+14j
		xor	eax, eax

loc_74B35C:				; CODE XREF: HvWriteLogFile+85j
					; HvWriteLogFile+A5j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_74B363:				; CODE XREF: HvWriteLogFile+65j
					; HvWriteLogFile+69j
		push	1
		push	ecx
		push	ebx
		mov	ecx, esi
		call	CmpDoFileSetSizeEx
		jmp	short loc_74B2F1
HvWriteLogFile	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2443. SeCheckForCriticalAceRemoval

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeCheckForCriticalAceRemoval
SeCheckForCriticalAceRemoval proc near	; CODE XREF: PAGE:0074BA93p

var_4E		= dword	ptr -4Eh
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CEEA6 SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		xor	ebx, ebx
		push	edi
		lea	edi, [esp+60h+var_4E+1]
		mov	byte ptr [esp+60h+var_4E], bl
		push	edi
		lea	edi, [esp+64h+var_4E]
		mov	byte ptr [esp+64h+var_4E+1], bl
		push	edi
		push	eax
		mov	[esp+6Ch+var_4E+2], ebx
		call	_SepCheckForCriticalAceRemoval@20 ; SepCheckForCriticalAceRemoval(x,x,x,x,x)
		cmp	byte ptr [esp+60h+var_4E], bl
		jnz	short loc_74B3D5

loc_74B3BF:				; CODE XREF: SeCheckForCriticalAceRemoval+63j
					; SeCheckForCriticalAceRemoval+77j ...
		mov	ecx, [esp+60h+var_4]
		pop	edi
		mov	[esi], bl
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_74B3D5:				; CODE XREF: SeCheckForCriticalAceRemoval+47j
		cmp	byte ptr [esp+60h+var_4E+1], bl
		jnz	short loc_74B3BF
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		lea	edx, [esp+60h+var_4E+2]
		mov	ecx, eax
		call	PsGetAllocatedFullProcessImageNameEx
		test	eax, eax
		js	short loc_74B3BF
		cmp	dword_6B29A8, 5
		jbe	short loc_74B3BF
		push	2000h
		mov	edi, offset dword_6B29A8
		push	ebx
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_74B3BF
		jmp	loc_8CEEA6
SeCheckForCriticalAceRemoval endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeSinglePrivilegeCheckEx(x,	x, x, x)
_SeSinglePrivilegeCheckEx@16 proc near	; CODE XREF: SepCheckForCriticalAceRemoval(x,x,x,x,x)+4Ap
					; SepValidOwnerSubjectContext(x,x,x)+D1p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_8], 0
		xor	eax, eax
		inc	eax
		push	ebx
		push	esi
		mov	[ebp+var_18], eax
		mov	ebx, edx
		mov	[ebp+var_14], eax
		mov	esi, ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_18]
		push	esi
		push	eax
		call	_SePrivilegeCheck@12 ; SePrivilegeCheck(x,x,x)
		mov	byte ptr [ebp+var_1C], al
		test	bl, bl
		jz	short loc_74B46A
		push	[ebp+var_1C]
		lea	eax, [ebp+var_18]
		mov	edx, esi
		push	eax
		xor	ecx, ecx
		call	_SePrivilegedServiceAuditAlarm@16 ; SePrivilegedServiceAuditAlarm(x,x,x,x)
		mov	al, byte ptr [ebp+var_1C]

loc_74B46A:				; CODE XREF: SeSinglePrivilegeCheckEx(x,x,x,x)+41j
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_SeSinglePrivilegeCheckEx@16 endp


;  S U B	R O U T	I N E 


; __stdcall CmLockHiveSecurityExclusive(x)
_CmLockHiveSecurityExclusive@4 proc near ; CODE	XREF: CmpCreateTombstone(x,x)+145p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+416p ...
		add	ecx, 484h
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_CmLockHiveSecurityExclusive@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmUnlockHiveSecurity(x)
_CmUnlockHiveSecurity@4	proc near	; CODE XREF: CmpCreateTombstone(x,x)+15Dp
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+4D5p ...
		add	ecx, 484h
		xor	edx, edx
		jmp	ExReleasePushLockEx
_CmUnlockHiveSecurity@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSetKeySecurity(x, x, x, x, x, x)
_CmpSetKeySecurity@24 proc near		; CODE XREF: CmpSecurityMethod+176p

var_84		= dword	ptr -84h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_21		= byte ptr -21h
var_20		= byte ptr -20h
var_1F		= byte ptr -1Fh
var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_74], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_70], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_6C], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_84]
		mov	[ebp+var_58], edx
		stosd
		mov	esi, ecx
		push	6
		pop	ecx
		xor	edx, edx
		mov	[ebp+var_2C], esi
		stosd
		mov	ebx, edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], edx
		stosd
		mov	[ebp+var_50], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_1F], dl
		stosd
		xor	eax, eax
		mov	byte ptr [ebp+var_5C], al
		lea	edi, [ebp+var_1C]
		rep stosd
		lea	edi, [ebp+var_3C]
		mov	[ebp+var_20], dl
		stosd
		mov	[ebp+var_1D], dl
		mov	[ebp+var_54], edx
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [ebp+var_3C+2], ax
		mov	[ebp+var_64], eax
		xor	eax, eax
		mov	word ptr [ebp+var_60], ax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_48], eax
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_84]
		push	eax
		call	SeCaptureSubjectContext
		lea	ecx, [ebp+var_1C]
		call	CmpAttachToRegistryProcess
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_21], al
		test	al, al
		jz	loc_74B94A

loc_74B544:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+2D2j
		cmp	[ebp+var_1F], bl
		jz	short loc_74B550
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		jmp	short loc_74B555
; 

loc_74B550:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+B1j
		call	_CmpLockRegistry@0 ; CmpLockRegistry()

loc_74B555:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+B8j
		mov	edi, [esi+8]
		mov	ecx, edi
		mov	[ebp+var_1E], 1
		call	_CmpIsKcbImmutable@4 ; CmpIsKcbImmutable(x)
		test	al, al
		jnz	loc_74B76D
		mov	edx, edi
		lea	ecx, [ebp+var_3C]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74B772
		cmp	[ebp+var_1F], bl
		jnz	short loc_74B590
		lea	ecx, [ebp+var_3C]
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		mov	[ebp+var_1D], 1

loc_74B590:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+ECj
		mov	ecx, [ebp+var_2C]
		xor	edx, edx
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_74B772
		mov	esi, [ebp+var_2C]
		xor	eax, eax
		cmp	[esi+20h], eax
		jnz	short loc_74B5B3
		cmp	[esi+24h], eax
		jz	short loc_74B5DF

loc_74B5B3:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+116j
		lea	edx, [ebp+var_28]
		mov	ecx, esi
		call	CmpTransSearchAddTransFromKeyBody
		mov	esi, eax
		test	esi, esi
		js	loc_74B772
		mov	edx, [ebp+var_28]
		mov	ecx, [ebp+var_2C]
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_74B772
		mov	esi, [ebp+var_2C]

loc_74B5DF:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+11Bj
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_68], al
		test	al, al
		jz	short loc_74B602
		mov	eax, [edi+10h]
		test	byte ptr [eax+980h], 20h
		jnz	loc_74B76D

loc_74B602:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+15Aj
		xor	eax, eax
		cmp	[edi+22h], ax
		jz	short loc_74B656
		xor	edx, edx
		mov	ecx, edi
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		test	eax, eax
		jnz	short loc_74B654
		cmp	[ebp+var_1F], dl
		jnz	short loc_74B654
		lea	ecx, [ebp+var_3C]
		mov	[ebp+var_1F], 1
		call	CmpUnlockKcbStack
		xor	eax, eax
		lea	ecx, [ebp+var_3C]
		mov	[ebp+var_1D], al
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		stosd
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [ebp+var_3C+2], ax
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		jmp	loc_74B755
; 

loc_74B654:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+17Fj
					; CmpSetKeySecurity(x,x,x,x,x,x)+184j
		xor	eax, eax

loc_74B656:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+172j
		cmp	[esi+4], ax
		jz	short loc_74B687
		mov	eax, [ebp+var_58]
		lea	edx, [ebp+var_50]
		mov	ecx, [eax]
		call	SeSetSecurityAccessMask
		mov	edx, [ebp+var_28]
		lea	ecx, [ebp+var_3C]
		xor	eax, eax
		push	eax
		push	[ebp+var_50]
		push	[ebp+var_68]
		call	_CmpCheckKcbStackAccess@20 ; CmpCheckKcbStackAccess(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74B772

loc_74B687:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+1C4j
		xor	esi, esi
		cmp	[edi+22h], si
		jz	short loc_74B6C3
		xor	edx, edx
		mov	ecx, edi
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		test	eax, eax
		jnz	short loc_74B6C3
		push	eax
		mov	dl, 1
		lea	ecx, [ebp+var_3C]
		call	_CmpPromoteKey@12 ; CmpPromoteKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74B772
		lea	ecx, [ebp+var_3C]
		call	_CmpPartialPromoteSubkeys@4 ; CmpPartialPromoteSubkeys(x)
		mov	esi, eax
		test	esi, esi
		js	loc_74B772

loc_74B6C3:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+1F7j
					; CmpSetKeySecurity(x,x,x,x,x,x)+204j
		cmp	[ebp+var_28], ebx
		jnz	loc_74B7DA
		lea	ecx, [edi+84h]
		call	_CmpTryAcquireIXLockExclusive@4	; CmpTryAcquireIXLockExclusive(x)
		test	al, al
		jz	short loc_74B6EE
		lea	ecx, [edi+8Ch]
		call	_CmpTryAcquireIXLockExclusive@4	; CmpTryAcquireIXLockExclusive(x)
		test	al, al
		jnz	loc_74B84D

loc_74B6EE:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+243j
		lea	eax, [ebp+var_40]
		push	eax
		lea	edx, [ebp+var_44]
		call	_CmpSnapshotTxOwnerArray@12 ; CmpSnapshotTxOwnerArray(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_74B772
		cmp	[ebp+var_1D], bl
		jz	short loc_74B70D
		lea	ecx, [ebp+var_3C]
		call	CmpUnlockKcbStack

loc_74B70D:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+26Dj
		xor	eax, eax
		lea	ecx, [ebp+var_3C]
		mov	[ebp+var_1D], al
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		stosd
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [ebp+var_3C+2], ax
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	ecx, ecx
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		mov	edx, [ebp+var_40]
		xor	eax, eax
		mov	[ebp+var_21], al
		lea	eax, [ebp+var_54]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_44]
		call	_CmpRollbackTransactionArray@16	; CmpRollbackTransactionArray(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74B7D6

loc_74B755:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+1B9j
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_21], al
		test	al, al
		jz	loc_74B94A
		mov	esi, [ebp+var_2C]
		jmp	loc_74B544
; 

loc_74B76D:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+CFj
					; CmpSetKeySecurity(x,x,x,x,x,x)+166j
		mov	esi, 0C0000022h

loc_74B772:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+E3j
					; CmpSetKeySecurity(x,x,x,x,x,x)+108j ...
		mov	bl, [ebp+var_1E]

loc_74B775:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+4BBj
		mov	al, [ebp+var_1D]

loc_74B778:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+342j
		test	al, al
		jz	short loc_74B784
		lea	ecx, [ebp+var_3C]
		call	CmpUnlockKcbStack

loc_74B784:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+2E4j
		lea	ecx, [ebp+var_3C]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		test	bl, bl
		jz	short loc_74B795
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_74B795:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+2F8j
		lea	eax, [ebp+var_4C]
		cmp	[ebp+var_4C], eax
		jz	short loc_74B7A4
		mov	ecx, eax
		call	_CmpSignalDeferredPosts@4 ; CmpSignalDeferredPosts(x)

loc_74B7A4:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+305j
		cmp	[ebp+var_21], 0
		jz	short loc_74B7AF
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_74B7AF:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+312j
		lea	ecx, [ebp+var_1C]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		lea	eax, [ebp+var_84]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_74B7D6:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+2B9j
		mov	al, bl
		jmp	short loc_74B778
; 

loc_74B7DA:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+230j
		mov	eax, [edi+10h]
		test	byte ptr [eax+64h], 2
		jz	short loc_74B7EA
		mov	esi, 0C0190001h
		jmp	short loc_74B772
; 

loc_74B7EA:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+34Bj
		call	_CmpAllocateUnitOfWork@0 ; CmpAllocateUnitOfWork()
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_74B7FF
		mov	esi, 0C000009Ah
		jmp	loc_74B772
; 

loc_74B7FF:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+35Dj
		mov	edx, edi
		mov	ecx, ebx
		call	_CmpTransEnlistUowInKcb@8 ; CmpTransEnlistUowInKcb(x,x)
		mov	edx, [ebp+var_28]
		mov	ecx, ebx
		call	CmpTransEnlistUowInCmTrans
		mov	esi, eax
		test	esi, esi
		js	loc_74B92F
		xor	eax, eax
		lea	ecx, [edi+84h]
		push	eax
		mov	edx, ebx
		call	CmpLockIXLockExclusive
		test	al, al
		jnz	short loc_74B83A

loc_74B830:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+3B5j
		mov	esi, 0C0190001h
		jmp	loc_74B92F
; 

loc_74B83A:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+398j
		push	1
		lea	ecx, [edi+8Ch]
		mov	edx, ebx
		call	CmpLockIXLockExclusive
		test	al, al
		jz	short loc_74B830

loc_74B84D:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+252j
		cmp	[ebp+var_1F], 0
		jnz	short loc_74B86B
		mov	ecx, [edi+10h]
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	ecx, [edi+10h]
		mov	al, 1
		mov	[ebp+var_20], al
		mov	byte ptr [ebp+var_5C], al
		call	_CmLockHiveSecurityExclusive@4 ; CmLockHiveSecurityExclusive(x)

loc_74B86B:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+3BBj
		mov	edx, [ebp+var_58]
		lea	eax, [ebp+var_84]
		push	eax
		push	ebx
		push	[ebp+var_28]
		mov	ecx, edi
		push	[ebp+var_6C]
		push	[ebp+arg_8]
		push	[ebp+var_70]
		push	[ebp+var_74]
		call	_CmpSetSecurityDescriptorInfo@36 ; CmpSetSecurityDescriptorInfo(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	al, [ebp+var_20]
		mov	cl, al
		test	esi, esi
		js	short loc_74B915
		xor	ecx, ecx
		mov	[ebp+var_1F], al
		mov	ebx, ecx
		test	al, al
		jz	short loc_74B8B1
		mov	ecx, [edi+10h]
		call	_CmUnlockHiveSecurity@4	; CmUnlockHiveSecurity(x)
		xor	eax, eax
		mov	[ebp+var_1F], al
		jmp	short loc_74B8B3
; 

loc_74B8B1:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+40Aj
		xor	eax, eax

loc_74B8B3:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+419j
		cmp	[edi+22h], ax
		jz	short loc_74B8EB
		xor	edx, edx
		mov	ecx, edi
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		test	eax, eax
		jnz	short loc_74B8EB
		push	[ebp+var_5C]
		lea	edx, [ebp+var_64]
		call	CmpGetKeyNodeForKcb
		lea	edx, [ebp+var_64]
		mov	cl, [eax+0Dh]
		and	cl, 0FEh
		or	cl, 2
		mov	[eax+0Dh], cl
		mov	ecx, edi
		call	_CmpReleaseKeyNodeForKcb@8 ; CmpReleaseKeyNodeForKcb(x,x)
		mov	byte ptr [edi+21h], 2

loc_74B8EB:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+421j
					; CmpSetKeySecurity(x,x,x,x,x,x)+42Ej
		cmp	[ebp+var_20], bl
		jz	short loc_74B8FD
		mov	ecx, [edi+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		xor	eax, eax
		mov	[ebp+var_20], al

loc_74B8FD:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+458j
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_4C]
		push	eax
		push	0Ah
		lea	ecx, [ebp+var_3C]
		call	_CmpReportNotifyForKcbStack@16 ; CmpReportNotifyForKcbStack(x,x,x,x)
		mov	cl, [ebp+var_1F]
		xor	eax, eax
		mov	esi, eax

loc_74B915:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+3FFj
		test	cl, cl
		jz	short loc_74B921
		mov	ecx, [edi+10h]
		call	_CmUnlockHiveSecurity@4	; CmUnlockHiveSecurity(x)

loc_74B921:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+481j
		cmp	[ebp+var_20], 0
		jz	short loc_74B92F
		mov	ecx, [edi+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)

loc_74B92F:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+380j
					; CmpSetKeySecurity(x,x,x,x,x,x)+39Fj ...
		test	ebx, ebx
		jz	loc_74B772
		mov	ecx, ebx
		call	CmpRundownUnitOfWork
		mov	ecx, ebx
		call	_CmpFreeUnitOfWork@4 ; CmpFreeUnitOfWork(x)
		jmp	loc_74B772
; 

loc_74B94A:				; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+A8j
					; CmpSetKeySecurity(x,x,x,x,x,x)+2C9j
		mov	esi, 0C0000189h
		xor	eax, eax
		jmp	loc_74B775
_CmpSetKeySecurity@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmGetKCBCacheSecurity proc near		; CODE XREF: CmpGetSecurityCacheEntryForKcbStack(x,x,x)+7Dp
					; PAGE:0074BA2Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CEEF3 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	esi
		mov	esi, [ecx+2Ch]
		push	edi
		mov	edi, edx
		test	edi, edi
		jnz	short loc_74B97B
		mov	eax, esi

loc_74B975:				; CODE XREF: CmGetKCBCacheSecurity+41j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_74B97B:				; CODE XREF: CmGetKCBCacheSecurity+11j
		push	ebx
		lea	eax, [ecx+70h]
		mov	[ebp+var_4], 0
		push	ecx
		lea	edx, [ebp+var_4]
		mov	[ebp+var_8], eax
		mov	ecx, eax
		call	CmListGetPrevElement
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_8CEEF3

loc_74B99E:				; CODE XREF: CmGetKCBCacheSecurity+1835C1j
		mov	eax, esi

loc_74B9A0:				; CODE XREF: CmGetKCBCacheSecurity+1835AAj
		pop	ebx
		jmp	short loc_74B975
CmGetKCBCacheSecurity endp

; 
		align 4

; __stdcall CmpSetSecurityDescriptorInfo(x, x, x, x, x,	x, x, x, x)
_CmpSetSecurityDescriptorInfo@36:	; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+3F1p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp-30h], edx
		xor	ecx, ecx
		mov	[ebp-28h], edi
		or	eax, 0FFFFFFFFh
		mov	[ebp-24h], ecx
		mov	ebx, ecx
		mov	[ebp-20h], ecx
		mov	esi, [edi+10h]
		mov	[ebp-58h], ecx
		mov	[ebp-50h], ecx
		mov	[ebp-68h], ecx
		mov	[ebp-70h], ecx
		mov	[ebp-14h], ecx
		mov	[ebp-4Ch], ecx
		mov	[ebp-48h], ecx
		mov	[ebp-38h], ecx
		mov	[ebp-5], cl
		mov	[ebp-64h], ecx
		mov	[ebp-60h], ecx
		mov	[ebp-3Ch], ecx
		mov	[ebp-1Ch], ecx
		lea	ecx, [ebp-74h]
		push	ecx
		mov	[ebp-5Ch], eax
		mov	[ebp-54h], eax
		mov	[ebp-6Ch], eax
		mov	[ebp-74h], eax
		mov	eax, [edi+14h]
		push	eax
		push	esi
		mov	[ebp-18h], ebx
		mov	[ebp-34h], eax
		call	dword ptr [esi+4]
		mov	[ebp-2Ch], eax
		test	eax, eax
		jnz	short loc_74BA1D
		mov	eax, 0C000009Ah
		jmp	loc_74BF76
; 

loc_74BA1D:				; CODE XREF: PAGE:0074BA11j
		push	dword ptr [ebp-34h]
		mov	edx, eax
		mov	ecx, esi
		call	_CmpUpdateKeyNodeAccessBits@12 ; CmpUpdateKeyNodeAccessBits(x,x,x)
		mov	edx, [ebp+18h]
		mov	ecx, edi
		call	CmGetKCBCacheSecurity
		lea	ecx, [ebp-5Ch]
		push	ecx
		mov	eax, [eax]
		push	eax
		push	esi
		mov	[ebp-0Ch], eax
		call	dword ptr [esi+4]
		mov	[ebp-10h], eax
		test	eax, eax
		jnz	short loc_74BA52

loc_74BA48:				; CODE XREF: PAGE:0074BA69j
					; PAGE:0074BC92j ...
		mov	edi, 0C000009Ah
		jmp	loc_74BF16
; 

loc_74BA52:				; CODE XREF: PAGE:0074BA46j
		mov	edx, [eax+10h]
		xor	ecx, ecx
		push	36384D43h
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp-1Ch], ecx
		test	ecx, ecx
		jz	short loc_74BA48
		mov	eax, [ebp-10h]
		push	dword ptr [eax+10h]
		add	eax, 14h
		push	eax
		push	ecx
		call	_memcpy
		mov	eax, [ebp-30h]
		add	esp, 0Ch
		test	byte ptr [eax],	4
		jz	short loc_74BAFB
		lea	eax, [ebp-5]
		push	eax
		push	dword ptr [ebp+20h]
		push	dword ptr [ebp+8]
		push	dword ptr [ebp-1Ch]
		call	SeCheckForCriticalAceRemoval
		cmp	[ebp-5], bl
		jz	short loc_74BAFB
		mov	ecx, edi
		call	_CmpConstructName@4 ; CmpConstructName(x)
		mov	[ebp-40h], eax
		test	eax, eax
		jnz	short loc_74BAC4
		push	(offset	loc_8B70E1+1)
		lea	eax, [ebp-64h]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp-64h]
		mov	[ebp-5], bl
		mov	[ebp-40h], eax
		jmp	short loc_74BAC8
; 

loc_74BAC4:				; CODE XREF: PAGE:0074BAA9j
		mov	byte ptr [ebp-5], 1

loc_74BAC8:				; CODE XREF: PAGE:0074BAC2j
		lea	ecx, [ebp-6]
		push	ecx
		lea	ecx, [ebp-44h]
		push	ecx
		push	dword ptr [ebp+20h]
		push	dword ptr [ebp+8]
		push	dword ptr [ebp-1Ch]
		push	eax
		call	_SeAdjustObjectSecurity@24 ; SeAdjustObjectSecurity(x,x,x,x,x,x)
		mov	edi, eax
		cmp	[ebp-5], bl
		jz	short loc_74BAF3
		mov	ecx, [ebp-40h]
		mov	edx, 624E4D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_74BAF3:				; CODE XREF: PAGE:0074BAE4j
		test	edi, edi
		js	loc_74BF16

loc_74BAFB:				; CODE XREF: PAGE:0074BA84j
					; PAGE:0074BA9Bj
		push	dword ptr [ebp+20h]
		mov	eax, [ebp-1Ch]
		push	dword ptr [ebp+14h]
		mov	edx, [ebp-30h]
		push	dword ptr [ebp+10h]
		mov	[ebp-14h], eax
		lea	eax, [ebp-14h]
		push	ecx
		push	eax
		push	dword ptr [ebp+8]
		call	_SeSetSecurityDescriptorInfoEx2@32 ; SeSetSecurityDescriptorInfoEx2(x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_74BB28
		and	[ebp-14h], ebx
		jmp	loc_74BF26
; 

loc_74BB28:				; CODE XREF: PAGE:0074BB1Ej
		push	dword ptr [ebp-14h]
		mov	eax, [ebp-30h]
		push	dword ptr [ebp+8]
		mov	edx, [ebp-1Ch]
		mov	ecx, [ebp-28h]
		push	dword ptr [eax]
		call	CmpTraceSecurityChanging
		mov	edi, eax
		test	edi, edi
		js	loc_74BF16
		mov	ecx, [ebp-14h]
		call	_RtlLengthSecurityDescriptorStrict@4 ; RtlLengthSecurityDescriptorStrict(x)
		mov	[ebp+14h], eax
		cmp	[ebp+18h], ebx
		jz	short loc_74BB61
		mov	dword ptr [ebp+8], 1
		jmp	short loc_74BB6A
; 

loc_74BB61:				; CODE XREF: PAGE:0074BB56j
		mov	eax, [ebp-34h]
		shr	eax, 1Fh
		mov	[ebp+8], eax

loc_74BB6A:				; CODE XREF: PAGE:0074BB5Fj
		lea	eax, [ebp-4Ch]
		push	eax
		call	KeQuerySystemTime
		mov	ecx, esi
		push	0
		cmp	[ebp+18h], ebx
		jnz	short loc_74BBA2
		mov	edx, [ebp-34h]
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	short loc_74BB98
		mov	edx, [ebp-0Ch]
		mov	ecx, esi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_74BBC2

loc_74BB98:				; CODE XREF: PAGE:0074BB86j
					; PAGE:0074BBACj ...
		mov	edi, 0C000017Dh
		jmp	loc_74BF16
; 

loc_74BBA2:				; CODE XREF: PAGE:0074BB7Aj
		mov	edx, [ebp-0Ch]
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	short loc_74BB98
		mov	eax, [ebp+1Ch]
		or	dword ptr [eax+34h], 0FFFFFFFFh
		and	[eax+30h], ebx
		mov	dword ptr [eax+24h], 9
		mov	[eax+38h], bl

loc_74BBC2:				; CODE XREF: PAGE:0074BB96j
		mov	edx, [ebp-14h]
		lea	eax, [ebp-38h]
		push	eax
		lea	eax, [ebp-24h]
		mov	ecx, esi
		push	eax
		push	dword ptr [ebp+8]
		call	_CmpFindMatchingDescriptorCell@20 ; CmpFindMatchingDescriptorCell(x,x,x,x,x)
		test	al, al
		jz	loc_74BD00
		mov	eax, [ebp-24h]
		cmp	eax, [ebp-0Ch]
		jnz	short loc_74BC34
		cmp	[ebp+18h], ebx
		jnz	short loc_74BC09
		mov	edx, [ebp-2Ch]
		mov	ecx, [ebp-4Ch]
		mov	eax, [ebp-48h]
		mov	[edx+4], ecx
		mov	[edx+8], eax
		mov	edx, [ebp-28h]
		mov	[edx+58h], ecx
		mov	[edx+5Ch], eax
		jmp	loc_74BF16
; 

loc_74BC09:				; CODE XREF: PAGE:0074BBEAj
		mov	ecx, [ebp-10h]
		mov	edx, esi
		push	0
		push	eax
		call	_CmpKeySecurityIncrementReferenceCount@16 ; CmpKeySecurityIncrementReferenceCount(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_74BF16
		mov	edx, [ebp+1Ch]
		mov	eax, [ebp-24h]
		mov	[edx+34h], eax
		mov	eax, [ebp-38h]
		mov	[edx+30h], eax
		jmp	loc_74BF16
; 

loc_74BC34:				; CODE XREF: PAGE:0074BBE5j
		push	0
		mov	edx, eax
		mov	ecx, esi
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	loc_74BB98
		cmp	[ebp+18h], ebx
		jnz	short loc_74BC66
		push	ecx
		push	dword ptr [ebp-0Ch]
		mov	ecx, [ebp-10h]
		mov	edx, esi
		call	_CmpKeySecurityMarkDirtyForReferenceCountDecrement@16 ;	CmpKeySecurityMarkDirtyForReferenceCountDecrement(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_74BF16
		jmp	short loc_74BC74
; 

loc_74BC66:				; CODE XREF: PAGE:0074BC4Aj
		mov	ecx, [ebp-38h]
		mov	edx, [ebp+1Ch]
		mov	eax, [ecx]
		mov	[edx+34h], eax
		mov	[edx+30h], ecx

loc_74BC74:				; CODE XREF: PAGE:0074BC64j
		mov	edi, [ebp-24h]
		lea	eax, [ebp-54h]
		push	eax
		push	edi
		push	esi
		call	dword ptr [esi+4]
		mov	ebx, eax
		mov	[ebp+8], ebx
		test	ebx, ebx
		jnz	short loc_74BC97
		cmp	[ebp+18h], eax
		jz	loc_74BF7D
		jmp	loc_74BA48
; 

loc_74BC97:				; CODE XREF: PAGE:0074BC87j
		push	0
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_CmpKeySecurityIncrementReferenceCount@16 ; CmpKeySecurityIncrementReferenceCount(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_74BF16
		cmp	dword ptr [ebp+18h], 0
		jnz	short loc_74BCF2
		push	dword ptr [ebp-0Ch]
		mov	ecx, [ebp-10h]
		mov	edx, esi
		call	_CmpKeySecurityDecrementReferenceCount@12 ; CmpKeySecurityDecrementReferenceCount(x,x,x)
		mov	bl, al
		lea	eax, [ebp-5Ch]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		and	dword ptr [ebp-10h], 0
		test	bl, bl
		jz	short loc_74BCE6
		mov	edx, [ebp-0Ch]
		mov	ecx, esi
		call	_CmpRemoveSecurityCellList@8 ; CmpRemoveSecurityCellList(x,x)
		mov	edx, [ebp-0Ch]
		mov	ecx, esi
		call	HvFreeCell

loc_74BCE6:				; CODE XREF: PAGE:0074BCD0j
		mov	ecx, [ebp-2Ch]
		mov	eax, [ebp-24h]
		mov	ebx, [ebp+8]
		mov	[ecx+2Ch], eax

loc_74BCF2:				; CODE XREF: PAGE:0074BCB1j
		mov	eax, [ebp-0Ch]
		mov	ecx, [ebp+1Ch]
		mov	[ebp+20h], eax
		jmp	loc_74BEC0
; 

loc_74BD00:				; CODE XREF: PAGE:0074BBD9j
		mov	ecx, [ebp-14h]
		lea	eax, [ebp-54h]
		push	eax
		lea	eax, [ebp-18h]
		push	eax
		push	dword ptr [ebp+8]
		call	_RtlLengthSecurityDescriptorStrict@4 ; RtlLengthSecurityDescriptorStrict(x)
		mov	ecx, esi
		lea	edx, [eax+14h]
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+20h], edi
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_74BD34
		mov	edi, 0C000009Ah

loc_74BD2C:				; CODE XREF: PAGE:0074BD54j
					; PAGE:0074BD67j
		mov	ebx, [ebp-18h]
		jmp	loc_74BF16
; 

loc_74BD34:				; CODE XREF: PAGE:0074BD25j
		mov	[ebp-20h], edi
		cmp	[ebp+18h], ebx
		jnz	short loc_74BD9F
		mov	ebx, [ebp-10h]
		mov	ecx, esi
		push	0
		mov	edx, [ebx+4]
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_74BD56
		mov	edi, 0C000017Dh
		jmp	short loc_74BD2C
; 

loc_74BD56:				; CODE XREF: PAGE:0074BD4Dj
		push	ecx
		push	dword ptr [ebp-0Ch]
		mov	edx, esi
		mov	ecx, ebx
		call	_CmpKeySecurityMarkDirtyForReferenceCountDecrement@16 ;	CmpKeySecurityMarkDirtyForReferenceCountDecrement(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_74BD2C
		mov	eax, [ebx+4]
		lea	ecx, [ebp-6Ch]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	ebx, [ebp-18h]
		mov	edx, eax
		mov	[ebp-3Ch], edx
		test	edx, edx
		jz	loc_74BA48
		mov	ecx, [ebp-10h]
		mov	edi, [ebp+20h]
		mov	eax, [ecx+4]
		mov	[ebx+4], eax
		mov	eax, [ebp-0Ch]
		mov	[ebx+8], eax
		mov	[ecx+4], edi
		mov	[edx+8], edi
		jmp	short loc_74BDA8
; 

loc_74BD9F:				; CODE XREF: PAGE:0074BD3Aj
		mov	ebx, [ebp-18h]
		mov	[ebx+8], edi
		mov	[ebx+4], edi

loc_74BDA8:				; CODE XREF: PAGE:0074BD9Dj
		mov	eax, 6B73h
		mov	[ebp+8], ebx
		mov	[ebx], ax
		mov	eax, [ebp+14h]
		push	eax
		mov	dword ptr [ebx+0Ch], 1
		mov	[ebx+10h], eax
		lea	eax, [ebx+14h]
		push	dword ptr [ebp-14h]
		push	eax
		call	_memcpy
		pop	ecx
		pop	ecx
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	CmpAddSecurityCellToCache
		mov	edi, eax
		test	edi, edi
		jns	short loc_74BE01
		cmp	dword ptr [ebp+18h], 0
		jnz	loc_74BF16
		mov	ecx, [ebp-10h]
		mov	eax, [ebx+4]
		mov	[ecx+4], eax
		mov	ecx, [ebp-3Ch]
		mov	eax, [ebx+8]
		mov	[ecx+8], eax
		jmp	loc_74BF16
; 

loc_74BE01:				; CODE XREF: PAGE:0074BDDEj
		cmp	dword ptr [ebp+18h], 0
		mov	edx, [ebp+20h]
		jnz	short loc_74BE88
		mov	ecx, [ebp-2Ch]
		push	dword ptr [ebp-0Ch]
		mov	[ecx+2Ch], edx
		mov	edx, esi
		mov	ecx, [ebp-10h]
		call	_CmpKeySecurityDecrementReferenceCount@12 ; CmpKeySecurityDecrementReferenceCount(x,x,x)
		mov	bl, al
		lea	eax, [ebp-5Ch]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		and	dword ptr [ebp-10h], 0
		test	bl, bl
		jz	short loc_74BE43
		mov	edx, [ebp-0Ch]
		mov	ecx, esi
		call	_CmpRemoveSecurityCellList@8 ; CmpRemoveSecurityCellList(x,x)
		mov	edx, [ebp-0Ch]
		mov	ecx, esi
		call	HvFreeCell

loc_74BE43:				; CODE XREF: PAGE:0074BE2Dj
		mov	ebx, [ebp+8]

loc_74BE46:				; CODE XREF: PAGE:0074BEC4j
		mov	edx, [ebp-2Ch]
		mov	ecx, [ebp-4Ch]
		mov	eax, [ebp-48h]
		push	0
		mov	[edx+8], eax
		mov	[edx+4], ecx
		mov	edx, [ebp-28h]
		mov	[edx+58h], ecx
		mov	ecx, edx
		add	dword ptr [ecx+0A8h], 1
		mov	[ecx+5Ch], eax
		pop	eax
		adc	[ecx+0ACh], eax
		push	eax
		push	1
		push	eax
		mov	eax, [ebp-2Ch]
		mov	edx, [eax+2Ch]
		call	CmpAssignSecurityToKcb
		and	dword ptr [ebp-20h], 0
		jmp	loc_74BF16
; 

loc_74BE88:				; CODE XREF: PAGE:0074BE08j
		and	dword ptr [ebp+8], 0
		lea	eax, [ebp+8]
		push	eax
		mov	ecx, esi
		call	_CmpFindSecurityCellCacheIndex@12 ; CmpFindSecurityCellCacheIndex(x,x,x)
		test	al, al
		jnz	short loc_74BEA8
		push	dword ptr [ebp+20h]
		push	dword ptr [ebp-28h]
		push	3
		jmp	loc_74BF81
; 

loc_74BEA8:				; CODE XREF: PAGE:0074BE99j
		mov	ecx, [esi+4CCh]
		mov	eax, [ebp+8]
		mov	eax, [ecx+eax*8+4]
		mov	ecx, [ebp+1Ch]
		mov	[ecx+30h], eax
		mov	eax, [eax]
		mov	[ecx+34h], eax

loc_74BEC0:				; CODE XREF: PAGE:0074BCFBj
		cmp	dword ptr [ebp+18h], 0
		jz	short loc_74BE46
		xor	edx, edx
		inc	edx
		call	_CmAddLogForAction@8 ; CmAddLogForAction(x,x)
		and	dword ptr [ebp-20h], 0
		mov	edi, eax
		test	edi, edi
		jns	short loc_74BF16
		push	dword ptr [ebp+20h]
		mov	edx, esi
		mov	ecx, ebx
		call	_CmpKeySecurityDecrementReferenceCount@12 ; CmpKeySecurityDecrementReferenceCount(x,x,x)
		mov	bl, al
		lea	eax, [ebp-54h]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		and	dword ptr [ebp+8], 0
		and	dword ptr [ebp-20h], 0
		test	bl, bl
		jz	short loc_74BF13
		mov	edx, [ebp+20h]
		mov	ecx, esi
		call	_CmpRemoveSecurityCellList@8 ; CmpRemoveSecurityCellList(x,x)
		mov	edx, [ebp+20h]
		mov	ecx, esi
		call	HvFreeCell
		xor	eax, eax
		mov	[ebp-20h], eax

loc_74BF13:				; CODE XREF: PAGE:0074BEF8j
		mov	ebx, [ebp+8]

loc_74BF16:				; CODE XREF: PAGE:0074BA4Dj
					; PAGE:0074BAF5j ...
		cmp	dword ptr [ebp-14h], 0
		jz	short loc_74BF26
		push	0
		push	dword ptr [ebp-14h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_74BF26:				; CODE XREF: PAGE:0074BB23j
					; PAGE:0074BF1Aj
		mov	eax, [ebp-1Ch]
		test	eax, eax
		jz	short loc_74BF34
		mov	ecx, eax
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_74BF34:				; CODE XREF: PAGE:0074BF2Bj
		mov	eax, [ebp-20h]
		test	eax, eax
		jz	short loc_74BF44
		mov	edx, eax
		mov	ecx, esi
		call	HvFreeCell

loc_74BF44:				; CODE XREF: PAGE:0074BF39j
		cmp	dword ptr [ebp-3Ch], 0
		jz	short loc_74BF52
		lea	eax, [ebp-6Ch]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_74BF52:				; CODE XREF: PAGE:0074BF48j
		test	ebx, ebx
		jz	short loc_74BF5E
		lea	eax, [ebp-54h]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_74BF5E:				; CODE XREF: PAGE:0074BF54j
		cmp	dword ptr [ebp-10h], 0
		jz	short loc_74BF6C
		lea	eax, [ebp-5Ch]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_74BF6C:				; CODE XREF: PAGE:0074BF62j
		lea	eax, [ebp-74h]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, edi

loc_74BF76:				; CODE XREF: PAGE:0074BA18j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_74BF7D:				; CODE XREF: PAGE:0074BC8Cj
		push	edi
		push	esi
		push	5

loc_74BF81:				; CODE XREF: PAGE:0074BEA3j
		push	4
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTraceSecurityChanging proc near	; CODE XREF: PAGE:0074BB39p

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008CEF26 SIZE 00000163 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		and	[ebp+var_C0], 0
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_C8], eax
		mov	eax, [ebp+arg_8]
		lea	edx, [ebp+var_C0]
		push	edi
		mov	[ebp+var_C4], ebx
		mov	[ebp+var_CC], eax
		call	CmpConstructNameWithStatus
		mov	edi, [ebp+var_C0]
		mov	esi, eax
		test	esi, esi
		js	short loc_74BFF3
		push	1
		push	offset _CmMpsSvcKeySubstring
		push	edi
		call	RtlFindUnicodeSubstring
		test	eax, eax
		jnz	loc_8CEF26

loc_74BFF1:				; CODE XREF: CmpTraceSecurityChanging+182FEDj
					; CmpTraceSecurityChanging+183003j ...
		xor	esi, esi

loc_74BFF3:				; CODE XREF: CmpTraceSecurityChanging+4Ej
		test	edi, edi
		jz	short loc_74C003
		mov	edx, 624E4D43h
		mov	ecx, edi
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_74C003:				; CODE XREF: CmpTraceSecurityChanging+69j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
CmpTraceSecurityChanging endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeSetSecurityDescriptorInfoEx2(x, x, x, x, x, x, x,	x)
_SeSetSecurityDescriptorInfoEx2@32 proc	near ; CODE XREF: PAGE:0074BB15p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax], 0
		jz	short loc_74C03F
		push	[ebp+arg_14]
		mov	edx, [edx]
		xor	ecx, ecx
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	0
		push	eax
		push	[ebp+arg_0]
		call	RtlpSetSecurityObject

loc_74C03B:				; CODE XREF: SeSetSecurityDescriptorInfoEx2(x,x,x,x,x,x,x,x)+2Ej
		pop	ebp
		retn	18h
; 

loc_74C03F:				; CODE XREF: SeSetSecurityDescriptorInfoEx2(x,x,x,x,x,x,x,x)+Bj
		mov	eax, 0C00000D7h
		jmp	short loc_74C03B
_SeSetSecurityDescriptorInfoEx2@32 endp


;  S U B	R O U T	I N E 


; __stdcall CmpLockKcbExclusive(x)
_CmpLockKcbExclusive@4 proc near	; CODE XREF: CmpRemoveHiveFromNamespace(x,x,x)+19p
					; CmpRemoveHiveFromNamespace(x,x,x)+20p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	edx, edx
		lea	ecx, [esi+18h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+1Ch], eax
		pop	esi
		retn
_CmpLockKcbExclusive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInitializeKcbCache proc near		; CODE XREF: CmpLinkHiveToMaster+DEp
					; CmInitSystem1(x)+270p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CF089 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, 0C000009Ah
		xor	edx, edx
		push	edi
		mov	edi, ecx
		lea	eax, [esi-1]
		test	eax, esi
		jnz	loc_8CF089
		xor	eax, eax
		mov	[ebp+var_4], eax
		cmp	esi, 15555555h
		ja	loc_8CF093
		imul	eax, esi, 0Ch
		push	61434D43h
		push	eax
		push	1
		mov	[ebp+var_C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_8CF09D
		push	[ebp+var_C]	; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	61434D43h
		push	180h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_74C140
		push	180h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		xor	ecx, ecx
		test	esi, esi
		jz	short loc_74C102
		mov	eax, edx
		mov	[ebp+var_8], esi
		mov	ecx, esi

loc_74C0F6:				; CODE XREF: CmpInitializeKcbCache+A0j
		and	dword ptr [eax], 0
		lea	eax, [eax+0Ch]
		sub	[ebp+var_8], 1
		jnz	short loc_74C0F6

loc_74C102:				; CODE XREF: CmpInitializeKcbCache+8Dj
		mov	eax, [ebp+var_4]
		cmp	ecx, esi
		jnz	short loc_74C119
		push	20h
		mov	ecx, eax
		pop	ebx

loc_74C10E:				; CODE XREF: CmpInitializeKcbCache+B7j
		and	dword ptr [ecx], 0
		lea	ecx, [ecx+0Ch]
		sub	ebx, 1
		jnz	short loc_74C10E

loc_74C119:				; CODE XREF: CmpInitializeKcbCache+A7j
					; CmpInitializeKcbCache+E3j ...
		mov	[edi+434h], edx
		mov	[edi+438h], esi
		mov	[edi+43Ch], eax
		mov	dword ptr [edi+440h], 20h
		test	ebx, ebx
		js	short loc_74C145

loc_74C139:				; CODE XREF: CmpInitializeKcbCache+ECj
		mov	eax, ebx

loc_74C13B:				; CODE XREF: CmpInitializeKcbCache+18302Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_74C140:				; CODE XREF: CmpInitializeKcbCache+74j
					; CmpInitializeKcbCache+183040j
		mov	edx, [ebp+var_8]
		jmp	short loc_74C119
; 

loc_74C145:				; CODE XREF: CmpInitializeKcbCache+D7j
		mov	ecx, edi
		call	_CmpDeleteKcbCache@4 ; CmpDeleteKcbCache(x)
		jmp	short loc_74C139
CmpInitializeKcbCache endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFileWrite(x, x, x, x, x)
_CmpFileWrite@20 proc near		; CODE XREF: CmpSaveKeyByFileCopy(x,x)+8Ap
					; CmpSaveKeyByFileCopy(x,x)+E0p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_CmpNoWrite,	0
		jnz	short loc_74C180
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+ecx*4+400h]
		test	ecx, ecx
		jz	short loc_74C180
		push	ecx
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	CmpDoFileWrite

loc_74C17C:				; CODE XREF: CmpFileWrite(x,x,x,x,x)+34j
		pop	ebp
		retn	14h
; 

loc_74C180:				; CODE XREF: CmpFileWrite(x,x,x,x,x)+Cj
					; CmpFileWrite(x,x,x,x,x)+1Dj
		xor	eax, eax
		jmp	short loc_74C17C
_CmpFileWrite@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpDoFileWrite	proc near		; CODE XREF: CmpFileWrite(x,x,x,x,x)+29p
					; CmpWriteOffsetArrayToFile(x,x,x,x,x)+3Ep

var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008CF0A5 SIZE 00000099 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[esp+34h+var_20], ecx
		push	edi
		push	77624D43h
		mov	edx, 0A00h
		mov	[esp+3Ch+var_8], ebx
		mov	ecx, 200h
		mov	[esp+3Ch+var_4], ebx
		mov	[esp+3Ch+var_2A], bl
		mov	edi, ebx
		mov	[esp+3Ch+var_C], ebx
		mov	[esp+3Ch+var_10], ebx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8CF0A5
		push	0A00h		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		test	[ebp+arg_8], 1
		jnz	loc_74C35A

loc_74C1E5:				; CODE XREF: CmpDoFileWrite+200j
		mov	ecx, large fs:124h
		mov	dl, 1
		call	_CmpSetRespectIoPriorityThread@8 ; CmpSetRespectIoPriorityThread(x,x)
		mov	[esp+38h+var_29], al
		mov	[esp+38h+var_18], ebx
		cmp	[ebp+arg_4], ebx
		jbe	loc_74C2EB
		mov	ecx, [ebp+arg_0]
		add	ecx, 8
		mov	[esp+38h+var_14], ecx

loc_74C20E:				; CODE XREF: CmpDoFileWrite+158j
		mov	eax, [ecx-8]
		and	[esp+38h+var_4], 0
		mov	edx, [ecx-4]
		mov	[esp+38h+var_8], eax
		mov	eax, [ecx]
		mov	[esp+38h+var_24], edx
		mov	[esp+38h+var_28], eax
		test	eax, eax
		jz	loc_74C2CD
		xor	ebx, ebx

loc_74C231:				; CODE XREF: CmpDoFileWrite+13Bj
		lea	ecx, [esi+edi*4]
		cmp	[ecx], ebx
		jnz	short loc_74C25D
		mov	edx, ecx
		lea	eax, [esi+100h]
		lea	eax, [eax+edi*4]
		xor	ecx, ecx
		push	eax
		inc	ecx
		call	_CmpCreateEvent@12 ; CmpCreateEvent(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_74C2ED
		mov	eax, [esp+38h+var_28]
		lea	ecx, [esi+edi*4]

loc_74C25D:				; CODE XREF: CmpDoFileWrite+B2j
		mov	edx, 100000h
		mov	ebx, eax
		cmp	eax, edx
		jnb	loc_74C3F0

loc_74C26C:				; CODE XREF: CmpDoFileWrite+26Ej
		push	0
		lea	edx, [esp+3Ch+var_8]
		push	edx
		mov	edx, [esp+40h+var_24]
		lea	eax, [esi+800h]
		push	ebx
		push	edx
		lea	eax, [eax+edi*8]
		push	eax
		push	0
		push	0
		push	dword ptr [ecx]
		push	[esp+58h+var_20]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_8CF0AF

loc_74C29A:				; CODE XREF: CmpDoFileWrite+182F77j
		mov	eax, [esp+38h+var_28]
		inc	edi
		add	[esp+38h+var_24], ebx
		sub	eax, ebx
		add	[esp+38h+var_8], ebx
		push	0
		pop	ebx
		adc	[esp+38h+var_4], ebx
		mov	[esp+38h+var_28], eax
		cmp	edi, 40h
		jz	loc_74C3AE

loc_74C2BD:				; CODE XREF: CmpDoFileWrite+267j
		test	eax, eax
		jnz	loc_74C231
		mov	ecx, [esp+38h+var_14]
		mov	ebx, [esp+38h+var_18]

loc_74C2CD:				; CODE XREF: CmpDoFileWrite+A5j
		inc	ebx
		add	ecx, 0Ch
		mov	[esp+38h+var_18], ebx
		mov	[esp+38h+var_14], ecx
		cmp	ebx, [ebp+arg_4]
		jb	loc_74C20E
		cmp	edi, 40h
		jz	loc_8CF100

loc_74C2EB:				; CODE XREF: CmpDoFileWrite+7Aj
					; CmpDoFileWrite+182FB5j
		xor	ebx, ebx

loc_74C2ED:				; CODE XREF: CmpDoFileWrite+CCj
					; CmpDoFileWrite+182F6Dj
		test	edi, edi
		jz	short loc_74C30F
		lea	eax, [esi+200h]
		push	eax
		push	0
		push	0
		push	0
		push	0
		push	0
		lea	eax, [esi+100h]
		push	eax
		push	edi
		call	KeWaitForMultipleObjects

loc_74C30F:				; CODE XREF: CmpDoFileWrite+16Bj
					; CmpDoFileWrite+252j ...
		cmp	[esp+38h+var_2A], 0
		jnz	short loc_74C389

loc_74C316:				; CODE XREF: CmpDoFileWrite+225j
		mov	dl, [esp+38h+var_29]
		mov	ecx, large fs:124h
		call	_CmpSetRespectIoPriorityThread@8 ; CmpSetRespectIoPriorityThread(x,x)
		xor	edi, edi

loc_74C328:				; CODE XREF: CmpDoFileWrite+1C2j
		cmp	dword ptr [esi+edi*4], 0
		jz	short loc_74C348
		mov	ecx, [esi+edi*4+100h]
		call	ObfDereferenceObject
		push	dword ptr [esi+edi*4]
		call	_ZwClose@4	; ZwClose(x)
		inc	edi
		cmp	edi, 40h
		jb	short loc_74C328

loc_74C348:				; CODE XREF: CmpDoFileWrite+1A8j
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_74C34F:				; CODE XREF: CmpDoFileWrite+182F26j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_74C35A:				; CODE XREF: CmpDoFileWrite+5Bj
		mov	ecx, large fs:124h
		xor	edx, edx
		call	_CmpSetIoPriorityThread@8 ; CmpSetIoPriorityThread(x,x)
		mov	ecx, large fs:124h
		push	4
		pop	edx
		mov	[esp+38h+var_10], eax
		call	_CmpSetPriorityThread@8	; CmpSetPriorityThread(x,x)
		mov	[esp+38h+var_C], eax
		mov	[esp+38h+var_2A], 1
		jmp	loc_74C1E5
; 

loc_74C389:				; CODE XREF: CmpDoFileWrite+190j
		mov	ecx, large fs:124h
		mov	edx, [esp+38h+var_10]
		call	_CmpSetIoPriorityThread@8 ; CmpSetIoPriorityThread(x,x)
		mov	ecx, large fs:124h
		mov	edx, [esp+38h+var_C]
		call	_CmpSetPriorityThread@8	; CmpSetPriorityThread(x,x)
		jmp	loc_74C316
; 

loc_74C3AE:				; CODE XREF: CmpDoFileWrite+133j
		lea	eax, [esi+200h]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esi+100h]
		push	eax
		push	40h
		call	KeWaitForMultipleObjects
		mov	edi, ebx
		lea	eax, [esi+800h]
		mov	ecx, ebx

loc_74C3D2:				; CODE XREF: CmpDoFileWrite+25Fj
		mov	ebx, [eax]
		test	ebx, ebx
		js	loc_74C30F
		inc	ecx
		add	eax, 8
		cmp	ecx, 40h
		jb	short loc_74C3D2
		mov	eax, [esp+38h+var_28]
		xor	ebx, ebx
		jmp	loc_74C2BD
; 

loc_74C3F0:				; CODE XREF: CmpDoFileWrite+E2j
		mov	ebx, edx
		jmp	loc_74C26C
CmpDoFileWrite	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLinkHiveToMaster proc near		; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+15Ep
					; CmpFinishSystemHivesLoad(x)+221p ...

var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DA		= byte ptr -0DAh
var_D9		= byte ptr -0D9h
var_D8		= dword	ptr -0D8h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_5C		= dword	ptr -5Ch
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= byte ptr  28h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 008CF13E SIZE 000000EA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 12Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_24]
		mov	[ebp+var_10C], eax
		mov	eax, [ebp+arg_14]
		push	edi
		mov	[ebp+var_E4], eax
		lea	edi, [ebp+var_1C]
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_100], eax
		mov	eax, [ebp+arg_1C]
		push	6
		mov	[ebp+var_F4], ecx
		pop	ecx
		mov	[ebp+var_110], eax
		xor	eax, eax
		mov	[ebp+var_104], edx
		xor	edx, edx
		push	0B4h		; size_t
		rep stosd
		push	edx		; int
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_108], esi
		push	eax		; void *
		mov	[ebp+var_FC], edx
		mov	[ebp+var_F8], edx
		mov	[ebp+var_F0], edx
		mov	[ebp+var_E0], edx
		mov	[ebp+var_DA], dl
		mov	[ebp+var_D9], dl
		call	_memset
		or	[ebp+var_9C], 0FFFFFFFFh
		lea	eax, [ebp+var_80]
		add	esp, 0Ch
		mov	[ebp+var_7C], eax
		xor	ecx, ecx
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_5C]
		push	38h		; size_t
		push	ecx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_FC]
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		mov	eax, [ebx+64h]
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_EC], ecx
		test	al, 20h
		jz	loc_74C752

loc_74C4D1:				; CODE XREF: CmpLinkHiveToMaster+372j
		mov	edx, [ebp+arg_8]
		mov	ecx, ebx
		call	CmpInitializeKcbCache
		mov	edi, eax
		test	edi, edi
		js	loc_8CF13E
		cmp	[ebp+arg_C], 0
		mov	[ebp+var_D8], 43h
		jz	short loc_74C4FF
		mov	[ebp+var_D8], 843h

loc_74C4FF:				; CODE XREF: CmpLinkHiveToMaster+FBj
		cmp	[ebp+arg_4], 0
		mov	[ebp+var_B4], ebx
		jnz	loc_74C746
		mov	eax, [ebx+20h]
		mov	eax, [eax+24h]
		mov	[ebp+var_B8], eax

loc_74C51B:				; CODE XREF: CmpLinkHiveToMaster+355j
		mov	eax, [ebp+var_100]
		and	[ebp+var_114], 0
		mov	esi, ds:_CmKeyObjectType
		mov	[ebp+var_A4], eax
		mov	eax, [ebp+var_104]
		mov	[ebp+var_124], eax
		mov	eax, [ebp+var_F4]
		mov	[ebp+var_120], eax
		mov	eax, [ebp+var_E4]
		mov	[ebp+var_118], eax
		lea	eax, [ebp+var_E0]
		push	eax
		mov	[ebp+var_128], 18h
		mov	[ebp+var_11C], 240h
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		lea	eax, [ebp+var_D8]
		push	eax
		push	2001Fh
		push	0
		push	0
		push	esi
		lea	eax, [ebp+var_128]
		push	eax
		call	ObOpenObjectByNameEx
		mov	[ebp+var_E4], eax
		test	eax, eax
		js	loc_8CF151
		xor	ecx, ecx
		lea	eax, [ebp+var_E8]
		push	ecx
		push	eax
		push	ecx
		push	ds:_CmKeyObjectType
		mov	[ebp+var_E8], ecx
		push	ecx
		push	[ebp+var_E0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[ebp+var_E0]
		mov	esi, [ebp+var_E8]
		call	_ZwClose@4	; ZwClose(x)
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_D9], 1
		call	CmpAttachToRegistryProcess
		cmp	[ebp+arg_20], 0
		jnz	short loc_74C5F2
		call	_CmpLockRegistry@0 ; CmpLockRegistry()

loc_74C5F2:				; CODE XREF: CmpLinkHiveToMaster+1F3j
		mov	ecx, [esi+8]
		call	_CmpConstructName@4 ; CmpConstructName(x)
		cmp	[ebp+arg_20], 0
		mov	edi, eax
		mov	[ebp+var_F0], edi
		jnz	short loc_74C60D
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_74C60D:				; CODE XREF: CmpLinkHiveToMaster+20Ej
		test	edi, edi
		jz	loc_8CF17E
		movzx	eax, word ptr [edi]
		push	70684D43h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+4BCh], eax
		test	eax, eax
		jz	loc_8CF17E
		xor	eax, eax
		lea	ecx, [ebx+4B8h]
		mov	[ecx], ax
		mov	edx, edi
		mov	ax, [edi]
		mov	[ebx+4BAh], ax
		call	_RtlUnicodeStringCopy@8	; RtlUnicodeStringCopy(x,x)
		xor	eax, eax
		mov	byte ptr [ebx+51h], 0
		inc	eax
		lock xadd _CmHiveIdentity, eax
		inc	eax
		cmp	[ebp+arg_20], 0
		mov	[ebx+444h], eax
		jnz	short loc_74C670
		call	_CmpLockRegistry@0 ; CmpLockRegistry()

loc_74C670:				; CODE XREF: CmpLinkHiveToMaster+271j
		cmp	[ebp+arg_C], 0
		jz	short loc_74C695
		mov	ecx, [esi+8]
		call	CmpReferenceKeyControlBlockUnsafe
		mov	edi, [ebp+var_10C]
		mov	eax, [esi+8]
		mov	[ebx+6D8h], eax
		test	edi, edi
		jnz	loc_8CF185

loc_74C695:				; CODE XREF: CmpLinkHiveToMaster+27Cj
					; CmpLinkHiveToMaster+182D9Cj
		cmp	ds:_CmpTraceRoutine, 0
		jnz	loc_8CF199

loc_74C6A2:				; CODE XREF: CmpLinkHiveToMaster+182DABj
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		cmp	[ebp+arg_20], 0
		jnz	short loc_74C6B7
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_74C6B7:				; CODE XREF: CmpLinkHiveToMaster+2B8j
		mov	edi, [ebp+var_110]
		test	edi, edi
		jz	short loc_74C6CE
		mov	ecx, [esi+8]
		call	CmpReferenceKeyControlBlockUnsafe
		mov	eax, [esi+8]
		mov	[edi], eax

loc_74C6CE:				; CODE XREF: CmpLinkHiveToMaster+2C7j
		mov	ecx, esi
		call	ObfDereferenceObject
		cmp	[ebp+arg_C], 0
		jz	short loc_74C6E2
		mov	byte ptr [ebx+6DCh], 1

loc_74C6E2:				; CODE XREF: CmpLinkHiveToMaster+2E1j
		xor	edi, edi

loc_74C6E4:				; CODE XREF: CmpLinkHiveToMaster+182D54j
					; CmpLinkHiveToMaster+182D81j
		xor	esi, esi
		test	edi, edi
		js	loc_8CF1A8

loc_74C6EE:				; CODE XREF: CmpLinkHiveToMaster+182DB9j
					; CmpLinkHiveToMaster+182E09j ...
		mov	eax, [ebp+var_F0]
		test	eax, eax
		jz	short loc_74C704
		mov	edx, 624E4D43h
		mov	ecx, eax
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_74C704:				; CODE XREF: CmpLinkHiveToMaster+2FEj
		test	esi, esi
		jnz	short loc_74C77C

loc_74C708:				; CODE XREF: CmpLinkHiveToMaster+38Bj
		cmp	[ebp+var_DA], 0
		jnz	short loc_74C76F

loc_74C711:				; CODE XREF: CmpLinkHiveToMaster+382j
		test	edi, edi
		js	short loc_74C725
		test	ds:dword_70EFC8, 1000000h
		jnz	loc_8CF216

loc_74C725:				; CODE XREF: CmpLinkHiveToMaster+31Bj
					; CmpLinkHiveToMaster+182E2Bj
		mov	dl, [ebp+arg_20]
		lea	ecx, [ebp+var_D8]
		call	CmpCleanupParseContext
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	28h
; 

loc_74C746:				; CODE XREF: CmpLinkHiveToMaster+111j
		or	[ebp+var_B8], 0FFFFFFFFh
		jmp	loc_74C51B
; 

loc_74C752:				; CODE XREF: CmpLinkHiveToMaster+D3j
		or	eax, 20h
		mov	[ebp+var_DA], cl
		mov	[ebx+64h], eax
		mov	eax, large fs:124h
		mov	[ebx+9ACh], eax
		jmp	loc_74C4D1
; 

loc_74C76F:				; CODE XREF: CmpLinkHiveToMaster+317j
		and	dword ptr [ebx+64h], 0FFFFFFDFh
		and	dword ptr [ebx+9ACh], 0
		jmp	short loc_74C711
; 

loc_74C77C:				; CODE XREF: CmpLinkHiveToMaster+30Ej
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_74C708
CmpLinkHiveToMaster endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetSymbolicLinkTarget proc near	; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+C4Ep
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1BB0p ...

var_11C		= dword	ptr -11Ch
var_10C		= dword	ptr -10Ch
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_8D		= byte ptr -8Dh
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= byte ptr -78h
var_76		= byte ptr -76h
var_75		= byte ptr -75h
var_74		= dword	ptr -74h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
arg_0		= word ptr  8
arg_4		= word ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008CF228 SIZE 000001D8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 110h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_C]
		mov	[ebp+var_FC], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_EC], eax
		mov	eax, [ebp+arg_18]
		push	edi
		mov	[ebp+var_F0], eax
		lea	eax, [ebp+var_84]
		push	0
		push	eax
		mov	[ebp+var_A4], edx
		mov	[ebp+var_88], ecx
		mov	[ebp+var_F4], ebx
		mov	[ebp+var_84], 0
		mov	[ebp+var_80], 0
		mov	[ebp+var_C0], 0
		mov	[ebp+var_BC], 0
		mov	[ebp+var_E8], 0
		mov	[ebp+var_C8], 0
		mov	[ebp+var_C4], 0
		mov	[ebp+var_B8], 0
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		mov	[ebp+var_CC], 0
		mov	[ebp+var_7C], eax
		mov	[ebp+var_8C], eax
		xor	al, al
		mov	[ebp+var_75], al
		mov	[ebp-77h], al
		xor	eax, eax
		mov	[ebp+var_DC], eax
		mov	[ebp+var_D4], eax
		push	64h		; size_t
		push	eax		; int
		mov	word ptr [ebp+var_CC], ax
		mov	[ebp+var_B4], eax
		mov	[ebp+var_9C], eax
		mov	word ptr [ebp+var_DC], ax
		mov	[ebp+var_98], eax
		mov	[ebp+var_78], al
		mov	[ebp+var_A0], eax
		mov	word ptr [ebp+var_D4], ax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_D0], 0
		push	eax		; void *
		mov	[ebp+var_76], 1
		mov	[ebp+var_D0], 0FFFFFFFFh
		mov	[ebp+var_94], 0FFFFFFFFh
		mov	[ebp+var_E0], 0FFFFFFFFh
		mov	[ebp+var_D8], 0FFFFFFFFh
		call	_memset
		mov	ecx, [ebp+var_88]
		lea	edi, [ebp+var_10C]
		xor	eax, eax
		add	esp, 0Ch
		stosd
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [ebp+var_10C+2], ax
		test	ebx, ebx
		jnz	loc_8CF228
		movzx	eax, word ptr [ecx+2]
		mov	ecx, eax
		mov	edx, eax
		test	ax, ax
		jnz	loc_74D32F
		mov	bl, 1

loc_74C90D:				; CODE XREF: CmpGetSymbolicLinkTarget+BA4j
		mov	edx, [ebp+var_88]
		movzx	eax, ax
		mov	[ebp+var_8D], bl
		movsx	edi, ax
		lfence	eax
		cmp	ax, 2
		jge	loc_8CF231
		mov	edi, [edx+edi*4+4]

loc_74C930:				; CODE XREF: CmpGetSymbolicLinkTarget+182AA8j
		mov	[ebp+var_E4], edi
		test	bl, bl
		jz	loc_74CC85
		test	byte ptr [edi+4], 8
		jz	loc_74CC85
		mov	eax, [edi+38h]
		xor	cl, cl
		mov	[ebp+var_8C], eax
		mov	ebx, [eax+0A0h]
		test	bl, 1
		jnz	loc_8CF23D

loc_74C962:				; CODE XREF: CmpGetSymbolicLinkTarget+182AB2j
		test	ebx, ebx
		jz	loc_8CF298
		test	cl, cl
		jnz	loc_8CF298
		mov	edi, [ebp+var_8C]
		mov	ecx, edi
		mov	[ebp+var_7C], edi
		call	CmpReferenceKeyControlBlockUnsafe
		mov	ecx, [ebp+var_88]
		xor	eax, eax
		xor	esi, esi
		cmp	ax, [ecx+2]
		jg	short loc_74C9C0
		mov	edi, ecx
		jmp	short loc_74C9A0
; 
		align 10h

loc_74C9A0:				; CODE XREF: CmpGetSymbolicLinkTarget+204j
					; CmpGetSymbolicLinkTarget+22Bj
		movsx	ecx, si
		cmp	si, 2
		jge	loc_8CF247
		mov	ecx, [edi+ecx*4+4]

loc_74C9B1:				; CODE XREF: CmpGetSymbolicLinkTarget+182ABEj
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		inc	esi
		cmp	si, [edi+2]
		jle	short loc_74C9A0
		mov	edi, [ebp+var_7C]

loc_74C9C0:				; CODE XREF: CmpGetSymbolicLinkTarget+200j
		lea	ecx, [edi+18h]
		mov	[ebp+var_76], 0
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [edi+1Ch]
		movsx	ecx, [ebp+arg_0]
		movsx	eax, [ebp+arg_4]
		movzx	esi, word ptr [ebx]
		mov	[ebp+var_75], 1
		mov	[ebp+var_A0], ecx
		cmp	ecx, eax
		jnb	short loc_74CA23
		mov	edi, [ebp+var_A4]
		lea	edx, ds:20h[ecx*8]
		jmp	short loc_74CA00
; 
		align 10h

loc_74CA00:				; CODE XREF: CmpGetSymbolicLinkTarget+268j
					; CmpGetSymbolicLinkTarget+28Ej
		cmp	ecx, 8
		jnb	loc_74CC6F
		mov	eax, edi

loc_74CA0B:				; CODE XREF: CmpGetSymbolicLinkTarget+4E2j
		movzx	eax, word ptr [edx+eax]
		inc	ecx
		add	eax, 2
		add	edx, 8
		add	esi, eax
		movsx	eax, [ebp+arg_4]
		cmp	ecx, eax
		jb	short loc_74CA00
		mov	edi, [ebp+var_7C]

loc_74CA23:				; CODE XREF: CmpGetSymbolicLinkTarget+259j
		cmp	esi, 0FFFFh
		ja	loc_8CF253
		push	36364D43h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_80], eax
		test	eax, eax
		jz	loc_8CF25D
		xor	eax, eax
		mov	word ptr [ebp+var_84+2], si
		mov	edx, ebx
		mov	word ptr [ebp+var_84], ax
		lea	ecx, [ebp+var_84]
		call	_RtlUnicodeStringCopy@8	; RtlUnicodeStringCopy(x,x)
		movsx	eax, [ebp+arg_0]
		movsx	ecx, [ebp+arg_4]
		cmp	eax, ecx
		jnb	loc_74CBBC
		movsx	edx, [ebp+arg_4]
		lea	ecx, ds:20h[eax*8]
		mov	edi, 0FFFEh
		mov	[ebp+var_8C], ecx
		mov	cx, word ptr [ebp+var_84]
		mov	ebx, 5Ch
		mov	[ebp+var_B8], edi
		lea	esp, [esp+0]

loc_74CAA0:				; CODE XREF: CmpGetSymbolicLinkTarget+423j
		cmp	eax, 8
		jnb	loc_74CC77
		mov	esi, [ebp+var_A4]

loc_74CAAF:				; CODE XREF: CmpGetSymbolicLinkTarget+4F0j
		mov	eax, [ebp+var_80]
		movzx	ecx, cx
		shr	ecx, 1
		mov	[eax+ecx*2], bx
		mov	ecx, [ebp+var_84]
		add	ecx, 2
		movzx	ebx, cx
		mov	word ptr [ebp+var_84], cx
		test	bl, 1
		jnz	loc_74CB98
		test	byte ptr [ebp+var_84+2], 1
		jnz	loc_74CB98
		mov	ax, word ptr [ebp+var_84+2]
		cmp	bx, ax
		ja	loc_74CB98
		cmp	ax, di
		ja	loc_74CB98
		cmp	[ebp+var_80], 0
		jz	loc_8CF26A

loc_74CB07:				; CODE XREF: CmpGetSymbolicLinkTarget+182AECj
		movzx	edx, ax
		mov	edi, ebx
		mov	eax, [ebp+var_8C]
		shr	edi, 1
		shr	edx, 1
		mov	[ebp+var_A8], edi
		movzx	ebx, word ptr [eax+esi]
		test	bl, 1
		jnz	short loc_74CB8F
		movzx	eax, word ptr [eax+esi+2]
		test	al, 1
		jnz	short loc_74CB8F
		cmp	bx, ax
		ja	short loc_74CB8F
		cmp	ax, word ptr [ebp+var_B8]
		ja	short loc_74CB8F
		mov	edi, [ebp+var_8C]
		mov	esi, [edi+esi+4]
		mov	edi, [ebp+var_A8]
		test	esi, esi
		jz	loc_8CF281

loc_74CB54:				; CODE XREF: CmpGetSymbolicLinkTarget+182B03j
		mov	ecx, [ebp+var_80]
		mov	eax, ebx
		shr	eax, 1
		mov	ebx, 0
		sub	edx, edi
		lea	edi, [ecx+edi*2]
		jz	short loc_74CB7E

loc_74CB67:				; CODE XREF: CmpGetSymbolicLinkTarget+3ECj
		test	eax, eax
		jz	short loc_74CB7E
		mov	cx, [esi]
		dec	eax
		mov	[edi], cx
		add	esi, 2
		add	edi, 2
		inc	ebx
		sub	edx, 1
		jnz	short loc_74CB67

loc_74CB7E:				; CODE XREF: CmpGetSymbolicLinkTarget+3D5j
					; CmpGetSymbolicLinkTarget+3D9j
		mov	ecx, [ebp+var_A8]
		add	ecx, ebx
		add	ecx, ecx
		mov	word ptr [ebp+var_84], cx

loc_74CB8F:				; CODE XREF: CmpGetSymbolicLinkTarget+393j
					; CmpGetSymbolicLinkTarget+39Cj ...
		movsx	edx, [ebp+arg_4]
		mov	edi, 0FFFEh

loc_74CB98:				; CODE XREF: CmpGetSymbolicLinkTarget+341j
					; CmpGetSymbolicLinkTarget+34Ej ...
		mov	eax, [ebp+var_A0]
		mov	ebx, 5Ch
		add	[ebp+var_8C], 8
		inc	eax
		mov	[ebp+var_A0], eax
		cmp	eax, edx
		jb	loc_74CAA0
		mov	edi, [ebp+var_7C]

loc_74CBBC:				; CODE XREF: CmpGetSymbolicLinkTarget+2DEj
		mov	ebx, [ebp+var_EC]
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_74CBD1
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_74CBD1:				; CODE XREF: CmpGetSymbolicLinkTarget+437j
		mov	eax, [ebp+var_84]
		mov	[ebx], eax
		mov	eax, [ebp+var_80]
		mov	[ebx+4], eax
		lea	eax, [ebp+var_84]
		push	0
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, edi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	eax, [ebp+var_F0]
		xor	bl, bl
		mov	[eax], edi
		xor	edi, edi
		xor	esi, esi

loc_74CC02:				; CODE XREF: CmpGetSymbolicLinkTarget+958j
		mov	eax, [ebp+var_80]
		test	eax, eax
		jnz	loc_8CF358

loc_74CC0D:				; CODE XREF: CmpGetSymbolicLinkTarget+182B84j
					; CmpGetSymbolicLinkTarget+182BD3j
		mov	ecx, [ebp+var_98]
		test	ecx, ecx
		jnz	loc_74D2D9

loc_74CC1B:				; CODE XREF: CmpGetSymbolicLinkTarget+B69j
		cmp	[ebp+var_B4], 0
		jnz	loc_74D2FE

loc_74CC28:				; CODE XREF: CmpGetSymbolicLinkTarget+B84j
		test	eax, eax
		jnz	loc_8CF375

loc_74CC30:				; CODE XREF: CmpGetSymbolicLinkTarget+182BEDj
		cmp	[ebp+var_76], 0
		jnz	loc_8CF382

loc_74CC3A:				; CODE XREF: CmpGetSymbolicLinkTarget+182AD5j
					; CmpGetSymbolicLinkTarget+182BFDj
		test	edi, edi
		jnz	loc_8CF392

loc_74CC42:				; CODE XREF: CmpGetSymbolicLinkTarget+182C14j
		mov	ecx, [ebp+var_100]
		test	ecx, ecx
		jnz	loc_8CF3A9

loc_74CC50:				; CODE XREF: CmpGetSymbolicLinkTarget+182C1Ej
		cmp	[ebp+var_14], 0
		jnz	loc_8CF3B3

loc_74CC5A:				; CODE XREF: CmpGetSymbolicLinkTarget+182C5Ej
					; CmpGetSymbolicLinkTarget+182C6Bj
		mov	eax, esi
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_74CC6F:				; CODE XREF: CmpGetSymbolicLinkTarget+273j
		mov	eax, [edi+60h]
		jmp	loc_74CA0B
; 

loc_74CC77:				; CODE XREF: CmpGetSymbolicLinkTarget+313j
		mov	eax, [ebp+var_A4]
		mov	esi, [eax+60h]
		jmp	loc_74CAAF
; 

loc_74CC85:				; CODE XREF: CmpGetSymbolicLinkTarget+1A8j
					; CmpGetSymbolicLinkTarget+1B2j ...
		test	byte ptr [esi+60h], 1
		jnz	short loc_74CC9D
		lea	ecx, [esi+64h]
		call	CmpAttachToRegistryProcess
		or	dword ptr [esi+60h], 1
		mov	edx, [ebp+var_88]

loc_74CC9D:				; CODE XREF: CmpGetSymbolicLinkTarget+4F9j
		movzx	ecx, word ptr [edx+2]
		test	cx, cx
		js	loc_8CF34B
		lea	ebx, [ebx+0]

loc_74CCB0:				; CODE XREF: CmpGetSymbolicLinkTarget+BC0j
		movzx	eax, cx
		mov	[ebp+var_F8], eax
		movsx	esi, ax
		cmp	cx, 2
		jge	loc_8CF2AC
		mov	esi, [edx+esi*4+4]

loc_74CCCA:				; CODE XREF: CmpGetSymbolicLinkTarget+182B23j
		xor	edx, edx
		mov	[ebp+var_A8], esi
		mov	ecx, esi
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		cmp	eax, 1
		jz	loc_8CF34B
		cmp	dword ptr [esi+14h], 0FFFFFFFFh
		jz	loc_74D339
		mov	edx, [ebp+var_F4]
		mov	ecx, [esi+9Ch]
		call	CmEqualTrans
		test	al, al
		jnz	loc_8CF2B8
		mov	ecx, [esi+10h]
		lea	edx, [ebp+var_D0]
		mov	eax, [esi+14h]
		push	edx
		push	eax
		mov	eax, [ecx+4]
		push	ecx
		call	eax
		lea	ecx, [ebp+var_94]
		push	ecx
		mov	ecx, [esi+10h]
		push	0
		push	0
		push	offset _CmSymbolicLinkValueName
		lea	edx, [eax+24h]
		call	_CmpFindNameInListWithStatus@24	; CmpFindNameInListWithStatus(x,x,x,x,x,x)
		mov	esi, eax
		lea	ecx, [ebp+var_D0]
		mov	eax, [ebp+var_A8]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		mov	eax, [eax+8]
		call	eax

loc_74CD4C:				; CODE XREF: CmpGetSymbolicLinkTarget+182B60j
		test	esi, esi
		js	loc_8CF2F5
		mov	eax, [ebp+var_A8]
		mov	esi, [eax+10h]
		mov	[ebp+var_9C], esi

loc_74CD63:				; CODE XREF: CmpGetSymbolicLinkTarget+BC7j
		mov	eax, [ebp+var_94]
		cmp	eax, 0FFFFFFFFh
		jz	loc_8CF34B
		lea	ecx, [ebp+var_E0]
		push	ecx
		push	eax
		mov	eax, [esi+4]
		push	esi
		call	eax
		mov	[ebp+var_B4], eax
		test	byte ptr [eax+10h], 2
		jnz	loc_8CF34B
		cmp	dword ptr [eax+0Ch], 6
		jnz	loc_8CF34B
		mov	edx, [ebp+var_94]
		lea	ecx, [ebp+var_D8]
		push	ecx
		lea	ecx, [ebp+var_78]
		push	ecx
		lea	ecx, [ebp+var_98]
		push	ecx
		lea	ecx, [ebp+var_A0]
		push	ecx
		push	eax
		mov	ecx, esi
		call	CmpGetValueData
		test	al, al
		jz	loc_8CF302
		mov	ecx, [ebp+var_A0]
		cmp	ecx, 0FFFFh
		ja	loc_8CF34B
		test	cl, 1
		jnz	loc_8CF34B
		mov	eax, [ebp+var_98]
		mov	[ebp+var_BC], eax
		movsx	eax, [ebp+arg_4]
		mov	word ptr [ebp+var_C0], cx
		mov	word ptr [ebp+var_C0+2], cx
		movzx	esi, cx
		movsx	ecx, [ebp+arg_0]
		cmp	ecx, eax
		jnb	short loc_74CE46
		mov	edi, [ebp+var_A4]
		lea	edx, ds:20h[ecx*8]
		lea	ebx, [ebx+0]

loc_74CE20:				; CODE XREF: CmpGetSymbolicLinkTarget+6AEj
		cmp	ecx, 8
		jnb	loc_74D319
		mov	eax, edi

loc_74CE2B:				; CODE XREF: CmpGetSymbolicLinkTarget+B8Cj
		movzx	eax, word ptr [edx+eax]
		inc	ecx
		add	eax, 2
		add	edx, 8
		add	esi, eax
		movsx	eax, [ebp+arg_4]
		cmp	ecx, eax
		jb	short loc_74CE20
		mov	edi, [ebp+var_E4]

loc_74CE46:				; CODE XREF: CmpGetSymbolicLinkTarget+67Bj
		cmp	esi, 0FFFFh
		ja	loc_8CF34B
		push	36364D43h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_80], eax
		test	eax, eax
		jz	loc_8CF309
		xor	eax, eax
		mov	word ptr [ebp+var_84+2], si
		lea	edx, [ebp+var_C0]
		mov	word ptr [ebp+var_84], ax
		lea	ecx, [ebp+var_84]
		call	_RtlUnicodeStringCopy@8	; RtlUnicodeStringCopy(x,x)
		cmp	[ebp+var_78], 0
		jnz	loc_8CF319
		mov	esi, [ebp+var_9C]
		lea	eax, [ebp+var_D8]
		push	eax
		push	esi
		mov	eax, [esi+8]
		call	eax

loc_74CEA8:				; CODE XREF: CmpGetSymbolicLinkTarget+182B9Cj
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_98], 0
		push	eax
		mov	eax, [esi+8]
		push	esi
		call	eax
		mov	ecx, [ebp+var_88]
		mov	[ebp+var_B4], 0
		call	CmpUnlockKcbStack
		mov	[ebp+var_76], 0
		test	bl, bl
		jz	loc_74D037
		mov	eax, [ebp+var_84]
		xor	esi, esi
		mov	ecx, [ebp+var_80]
		mov	[ebp+var_B0], eax
		shr	eax, 10h
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_C4], ecx
		mov	word ptr [ebp+var_C8], si
		mov	word ptr [ebp+var_C8+2], ax
		cmp	word ptr [ebp+var_84], si
		jbe	loc_74CF9E
		mov	dx, word ptr [ebp+var_B0+2]
		mov	ebx, 0FFFEh
		mov	ax, word ptr [ebp+var_B0]
		mov	edi, edi

loc_74CF30:				; CODE XREF: CmpGetSymbolicLinkTarget+988j
		cmp	word ptr [ecx],	5Ch
		jz	loc_74D0ED
		test	ax, ax
		jz	short loc_74CF9E
		nop

loc_74CF40:				; CODE XREF: CmpGetSymbolicLinkTarget+7E1j
		cmp	word ptr [ecx],	5Ch
		jz	short loc_74CF75
		add	ax, bx
		add	ecx, 2
		add	dx, bx
		mov	[ebp+var_AC], ecx
		add	si, 2
		mov	word ptr [ebp+var_B0], ax
		mov	word ptr [ebp+var_B0+2], dx
		mov	word ptr [ebp+var_C8], si
		test	ax, ax
		jnz	short loc_74CF40
		jmp	short loc_74CF9E
; 

loc_74CF75:				; CODE XREF: CmpGetSymbolicLinkTarget+7B4j
		test	ax, ax
		jz	short loc_74CF9E
		lea	ebx, [ebx+0]

loc_74CF80:				; CODE XREF: CmpGetSymbolicLinkTarget+99Cj
		cmp	word ptr [ecx],	5Ch
		jz	loc_74D123

loc_74CF8A:				; CODE XREF: CmpGetSymbolicLinkTarget+9A2j
		mov	[ebp+var_AC], ecx
		mov	word ptr [ebp+var_B0], ax
		mov	word ptr [ebp+var_B0+2], dx

loc_74CF9E:				; CODE XREF: CmpGetSymbolicLinkTarget+785j
					; CmpGetSymbolicLinkTarget+7ADj ...
		push	2
		mov	edx, offset _CmRegistryRootName
		lea	ecx, [ebp+var_C8]
		call	CmpCompareUnicodeString
		test	eax, eax
		jnz	loc_74D037
		lea	eax, [ebp+var_74]
		push	eax
		lea	edx, [ebp+var_E8]
		lea	ecx, [ebp+var_B0]
		call	CmpComputeComponentHashes
		test	eax, eax
		js	short loc_74D037
		mov	esi, [ebp+var_E8]
		lea	edx, [ebp+var_74]
		movsx	ebx, si
		mov	ecx, ebx
		call	_CmpValidateComponents@8 ; CmpValidateComponents(x,x)
		test	eax, eax
		js	short loc_74D037
		mov	ecx, ds:_CmpRegistryRootObject
		lea	eax, [ebp+var_B8]
		push	eax
		lea	eax, [ebp-77h]
		push	eax
		mov	ecx, [ecx+8]
		lea	eax, [ebp+var_8C]
		push	eax
		push	0
		mov	eax, edx
		xor	edx, edx
		push	eax
		push	ebx
		call	CmpPerformCompleteKcbCacheLookup
		test	eax, eax
		js	loc_8CF331
		cmp	word ptr [ebp+var_B8], si
		jz	loc_74D137
		mov	ecx, [ebp+var_8C]
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		mov	[ebp+var_7C], 0

loc_74D037:				; CODE XREF: CmpGetSymbolicLinkTarget+74Aj
					; CmpGetSymbolicLinkTarget+822j ...
		movsx	ebx, [ebp+arg_0]
		movsx	edi, [ebp+arg_4]
		cmp	ebx, edi
		jnb	short loc_74D095
		lea	esi, ds:20h[ebx*8]
		lea	ebx, [ebx+0]

loc_74D050:				; CODE XREF: CmpGetSymbolicLinkTarget+903j
		cmp	ebx, 8
		jnb	loc_74D321
		mov	edx, [ebp+var_A4]

loc_74D05F:				; CODE XREF: CmpGetSymbolicLinkTarget+B9Aj
		movzx	ecx, word ptr [ebp+var_84]
		mov	edi, 5Ch
		mov	eax, [ebp+var_80]
		add	edx, esi
		shr	ecx, 1
		mov	[eax+ecx*2], di
		lea	ecx, [ebp+var_84]
		add	word ptr [ebp+var_84], 2
		call	_RtlUnicodeStringCat@8 ; RtlUnicodeStringCat(x,x)
		movsx	edi, [ebp+arg_4]
		inc	ebx
		add	esi, 8
		cmp	ebx, edi
		jb	short loc_74D050

loc_74D095:				; CODE XREF: CmpGetSymbolicLinkTarget+8B1j
		mov	ebx, [ebp+var_EC]
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_74D0B1
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebx+4], 0

loc_74D0B1:				; CODE XREF: CmpGetSymbolicLinkTarget+910j
		cmp	byte ptr [ebp-77h], 0
		mov	esi, [ebp+var_7C]
		jnz	loc_8CF33F

loc_74D0BE:				; CODE XREF: CmpGetSymbolicLinkTarget+182BB6j
		mov	eax, [ebp+var_F0]
		xor	edi, edi
		push	edi
		mov	[eax], esi
		mov	eax, [ebp+var_84]
		mov	[ebx], eax
		mov	eax, [ebp+var_80]
		mov	[ebx+4], eax
		lea	eax, [ebp+var_84]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	esi, esi

loc_74D0E5:				; CODE XREF: CmpGetSymbolicLinkTarget+182AC8j
					; CmpGetSymbolicLinkTarget+182BC3j
		mov	bl, [ebp+var_75]
		jmp	loc_74CC02
; 

loc_74D0ED:				; CODE XREF: CmpGetSymbolicLinkTarget+7A4j
		add	ax, bx
		add	ecx, 2
		add	dx, bx
		mov	[ebp+var_AC], ecx
		add	si, 2
		mov	word ptr [ebp+var_B0], ax
		mov	word ptr [ebp+var_B0+2], dx
		mov	word ptr [ebp+var_C8], si
		test	ax, ax
		jnz	loc_74CF30
		jmp	loc_74CF9E
; 

loc_74D123:				; CODE XREF: CmpGetSymbolicLinkTarget+7F4j
		add	ecx, 2
		add	dx, bx
		add	ax, bx
		jnz	loc_74CF80
		jmp	loc_74CF8A
; 

loc_74D137:				; CODE XREF: CmpGetSymbolicLinkTarget+88Fj
		mov	ebx, [ebp+var_8C]
		lea	ecx, [ebp+var_10C]
		mov	edx, ebx
		mov	[ebp+var_7C], ebx
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		test	eax, eax
		js	loc_74D037
		lea	ecx, [ebp+var_10C]
		call	_CmpLockKcbStackShared@4 ; CmpLockKcbStackShared(x)
		push	ecx
		xor	edx, edx
		mov	ecx, ebx
		call	CmpConstructAndCacheName
		lea	ecx, [ebp+var_10C]
		mov	esi, eax
		call	CmpUnlockKcbStack
		test	esi, esi
		js	loc_74D037
		cmp	byte ptr [ebp-77h], 0
		jz	short loc_74D190
		mov	ecx, ebx
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)
		mov	byte ptr [ebp-77h], 0

loc_74D190:				; CODE XREF: CmpGetSymbolicLinkTarget+9F3j
		mov	ecx, [ebp+var_88]
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		mov	ecx, [ebp+var_88]
		xor	edx, edx
		mov	[ebp+var_76], 1
		call	CmpIsKeyStackDeleted
		test	al, al
		jnz	loc_74D037
		mov	ecx, [edi+10h]
		lea	edx, [ebp+var_D0]
		mov	eax, [edi+14h]
		push	edx
		push	eax
		mov	eax, [ecx+4]
		push	ecx
		call	eax
		lea	ecx, [ebp+var_94]
		push	ecx
		mov	ecx, [edi+10h]
		push	0
		push	0
		push	offset _CmSymbolicLinkValueName
		lea	edx, [eax+24h]
		call	_CmpFindNameInListWithStatus@24	; CmpFindNameInListWithStatus(x,x,x,x,x,x)
		mov	ecx, [edi+10h]
		mov	esi, eax
		lea	eax, [ebp+var_D0]
		push	eax
		push	ecx
		mov	ecx, [ecx+8]
		call	ecx
		test	esi, esi
		js	loc_74D037
		mov	eax, [edi+10h]
		lea	ecx, [ebp+var_E0]
		mov	esi, [ebp+var_94]
		push	ecx
		push	esi
		mov	[ebp+var_9C], eax
		push	eax
		mov	eax, [eax+4]
		call	eax
		mov	[ebp+var_B4], eax
		cmp	dword ptr [eax+0Ch], 6
		jnz	loc_74D037
		lea	ecx, [ebp+var_D8]
		mov	edx, esi
		push	ecx
		lea	ecx, [ebp+var_78]
		push	ecx
		lea	ecx, [ebp+var_98]
		push	ecx
		lea	ecx, [ebp+var_A0]
		push	ecx
		mov	ecx, [ebp+var_9C]
		push	eax
		call	CmpGetValueData
		test	al, al
		jz	loc_74D037
		mov	ecx, [ebp+var_A0]
		cmp	ecx, 0FFFFh
		ja	loc_74D037
		test	cl, 1
		jnz	loc_74D037
		mov	eax, [ebp+var_98]
		lea	edx, [ebp+var_C0]
		mov	word ptr [ebp+var_C0], cx
		mov	word ptr [ebp+var_C0+2], cx
		lea	ecx, [ebp+var_84]
		push	0
		mov	[ebp+var_BC], eax
		call	CmpCompareUnicodeString
		test	eax, eax
		jnz	loc_74D037
		mov	edx, [ebp+var_FC]
		mov	ecx, edi
		call	_CmpCleanUpKcbCachedSymlink@8 ;	CmpCleanUpKcbCachedSymlink(x,x)
		mov	ecx, ebx
		mov	[edi+38h], ebx
		call	CmpReferenceKeyControlBlockUnsafe
		mov	ecx, [ebp+var_88]
		or	word ptr [edi+4], 8
		call	CmpUnlockKcbStack
		mov	[ebp+var_76], 0
		jmp	loc_74D037
; 

loc_74D2D9:				; CODE XREF: CmpGetSymbolicLinkTarget+485j
		cmp	[ebp+var_78], 0
		jnz	loc_8CF368
		lea	eax, [ebp+var_D8]
		push	eax
		mov	eax, [ebp+var_9C]
		push	eax
		mov	eax, [eax+8]
		call	eax

loc_74D2F6:				; CODE XREF: CmpGetSymbolicLinkTarget+182BE0j
		mov	eax, [ebp+var_80]
		jmp	loc_74CC1B
; 

loc_74D2FE:				; CODE XREF: CmpGetSymbolicLinkTarget+492j
		lea	eax, [ebp+var_E0]
		push	eax
		mov	eax, [ebp+var_9C]
		push	eax
		mov	eax, [eax+8]
		call	eax
		mov	eax, [ebp+var_80]
		jmp	loc_74CC28
; 

loc_74D319:				; CODE XREF: CmpGetSymbolicLinkTarget+693j
		mov	eax, [edi+60h]
		jmp	loc_74CE2B
; 

loc_74D321:				; CODE XREF: CmpGetSymbolicLinkTarget+8C3j
		mov	eax, [ebp+var_A4]
		mov	edx, [eax+60h]
		jmp	loc_74D05F
; 

loc_74D32F:				; CODE XREF: CmpGetSymbolicLinkTarget+175j
					; CmpGetSymbolicLinkTarget+182A9Cj
		xor	bl, bl
		movzx	eax, dx
		jmp	loc_74C90D
; 

loc_74D339:				; CODE XREF: CmpGetSymbolicLinkTarget+556j
					; CmpGetSymbolicLinkTarget+182B41j ...
		mov	eax, [ebp+var_F8]
		dec	eax
		movzx	eax, ax
		mov	ecx, eax
		test	ax, ax
		js	short loc_74D355
		mov	edx, [ebp+var_88]
		jmp	loc_74CCB0
; 

loc_74D355:				; CODE XREF: CmpGetSymbolicLinkTarget+BB8j
		xor	esi, esi
		jmp	loc_74CD63
CmpGetSymbolicLinkTarget endp


;  S U B	R O U T	I N E 


CmpReferenceKeyControlBlockUnsafe proc near
					; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+1B2p
					; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+1D0p	...

; FUNCTION CHUNK AT 008CF400 SIZE 0000002C BYTES

		xor	eax, eax
		inc	eax
		lock xadd [ecx], eax
		inc	eax
		jz	loc_8CF400
		cmp	eax, 1
		jz	loc_8CF409
		retn
CmpReferenceKeyControlBlockUnsafe endp


;  S U B	R O U T	I N E 


CmpGetLastHive	proc near		; CODE XREF: CmpDoFlushAll(x)+15p
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+418p
		mov	edi, edi
		push	esi
		push	edi
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		xor	edi, edi
		call	ExAcquirePushLockSharedEx
		mov	esi, ds:dword_A940F4
		cmp	esi, offset _CmpHiveListHead
		jz	short loc_74D3AD
		push	ebx

loc_74D395:				; CODE XREF: CmpReferenceKeyControlBlockUnsafe+1820C5j
		lea	ebx, [esi-420h]
		mov	ecx, ebx
		call	_CmpReferenceHive@4 ; CmpReferenceHive(x)
		test	al, al
		jz	loc_8CF418
		mov	edi, ebx

loc_74D3AC:				; CODE XREF: CmpReferenceKeyControlBlockUnsafe+1820CBj
		pop	ebx

loc_74D3AD:				; CODE XREF: CmpGetLastHive+1Ej
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		call	ExReleasePushLockEx
		mov	eax, edi
		pop	edi
		pop	esi
		retn
CmpGetLastHive	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpPostApc	proc near		; DATA XREF: NtNotifyChangeMultipleKeys+39Do

ms_exc		= CPPEH_RECORD ptr -18h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008CF42C SIZE 0000005A BYTES
; FUNCTION CHUNK AT 008CF49C SIZE 0000002D BYTES

		push	8
		push	offset dword_6A0388
		call	__SEH_prolog4
		mov	eax, [ebp+arg_10]
		mov	esi, [eax]
		mov	[ebp+arg_10], esi
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [esi+20h]
		lea	eax, [ecx+38h]
		cmp	[eax], eax
		jz	loc_8CF42C

loc_74D3E4:				; CODE XREF: CmpPostApc+182082j
					; CmpPostApc+18208Fj ...
		mov	eax, [esi+20h]
		mov	ecx, [eax+38h]
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ecx], eax
		mov	eax, [esi+20h]
		mov	eax, [eax+38h]
		and	dword ptr [eax+4], 0
		mov	ecx, [esi+20h]
		lea	eax, [ecx+38h]
		cmp	[eax], eax
		jz	loc_8CF459

loc_74D409:				; CODE XREF: CmpPostApc+1820AFj
					; CmpPostApc+1820BCj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_74D410:				; CODE XREF: sub_8CF48A+Dj
		mov	eax, [esi+20h]
		mov	ecx, [eax+38h]
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	ecx, [esi+20h]
		lea	eax, [ecx+38h]
		cmp	[eax], eax
		jz	loc_8CF49C

loc_74D429:				; CODE XREF: CmpPostApc+1820F2j
					; CmpPostApc+1820FFj ...
		mov	eax, [esi+20h]
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_74D448
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [esi+20h]
		mov	ecx, [ecx+4]
		call	ObfDereferenceObject

loc_74D448:				; CODE XREF: CmpPostApc+73j
		lea	eax, [esi+8]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_74D47E
		cmp	[ecx], eax
		jnz	short loc_74D47E
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, esi
		call	_CmpFreeSubordinatePost@4 ; CmpFreeSubordinatePost(x)
		mov	ecx, esi
		call	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_74D47E:				; CODE XREF: CmpPostApc+95j
					; CmpPostApc+99j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
CmpPostApc	endp


;  S U B	R O U T	I N E 


; __stdcall CmpFreePostBlock(x)
_CmpFreePostBlock@4 proc near		; CODE XREF: CmpPostApc+A9p
					; CmpFreeSubordinatePost(x)+3Cj ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+18h]
		test	eax, eax
		jnz	short loc_74D4AD

loc_74D490:				; CODE XREF: CmpFreePostBlock(x)+3Bj
		test	dword ptr [esi+1Ch], 10000h
		jz	short loc_74D4A3
		push	0
		push	dword ptr [esi+20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_74D4A3:				; CODE XREF: CmpFreePostBlock(x)+13j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
; 

loc_74D4AD:				; CODE XREF: CmpFreePostBlock(x)+Aj
		push	dword ptr [eax+8]
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)
		push	0
		push	dword ptr [esi+18h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_74D490
_CmpFreePostBlock@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtDeleteKey	proc near		; DATA XREF: .text:005810B0o

var_88		= byte ptr -88h
var_87		= byte ptr -87h
var_86		= byte ptr -86h
var_85		= byte ptr -85h
var_84		= dword	ptr -84h
var_7E		= byte ptr -7Eh
var_7D		= byte ptr -7Dh
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CF4C9 SIZE 00000190 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+8Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		lea	edi, [esp+98h+var_48]
		mov	[esp+98h+var_70], esi
		stosd
		xor	ebx, ebx
		push	8
		pop	ecx
		mov	[esp+98h+var_60], ebx
		stosd
		mov	[esp+98h+var_87], bl
		mov	[esp+98h+var_78], ebx
		mov	[esp+98h+var_74], ebx
		stosd
		mov	[esp+98h+var_6C], ebx
		stosd
		xor	eax, eax
		lea	edi, [esp+98h+var_28]
		rep stosd
		cmp	ds:_CmpTraceRoutine, eax
		jnz	loc_8CF4C9

loc_74D51F:				; CODE XREF: NtDeleteKey+182015j
		xor	eax, eax
		mov	[esp+98h+var_86], bl
		lea	edi, [esp+98h+var_58]
		mov	[esp+98h+var_85], bl
		stosd
		mov	[esp+98h+var_84], ebx
		stosd
		stosd
		stosd
		lea	eax, [esp+98h+var_68]
		mov	[esp+98h+var_64], eax
		mov	[esp+98h+var_68], eax
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[esp+98h+var_7E], al
		mov	byte ptr [esp+98h+var_7C], al
		call	CmpAcquireShutdownRundown
		mov	[esp+98h+var_7D], al
		test	al, al
		jz	loc_8CF4DC
		lea	eax, [esp+98h+var_60]
		mov	edx, 10000h
		push	eax
		lea	eax, [esp+9Ch+var_84]
		push	eax
		push	[esp+0A0h+var_7C]
		push	ecx
		mov	ecx, esi
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		mov	edi, 0C0000022h
		cmp	ebx, edi
		jz	loc_8CF4E6
		mov	esi, [esp+98h+var_84]

loc_74D594:				; CODE XREF: NtDeleteKey+18208Dj
		test	ebx, ebx
		js	loc_74D688
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		cmp	_CmpCallBackCount, 0
		mov	[esp+98h+var_85], 1
		jz	short loc_74D5E7
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_74D5E7
		lea	eax, [esp+98h+var_68]
		mov	[esp+98h+var_48], esi
		push	eax
		push	esi
		push	0Fh
		push	1
		push	0
		lea	edx, [esp+0ACh+var_48]
		xor	ecx, ecx
		call	CmpCallCallBacksEx
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8CF554
		mov	[esp+98h+var_86], 1

loc_74D5E7:				; CODE XREF: NtDeleteKey+EBj
					; NtDeleteKey+F9j
		cmp	ds:_CmpTraceRoutine, 0
		jnz	loc_8CF567

loc_74D5F4:				; CODE XREF: NtDeleteKey+1820A7j
					; NtDeleteKey+1820B4j
		mov	edi, offset _ExpKeyManipLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	ecx, _ExpControlKey
		test	ecx, ecx
		jz	short loc_74D618
		mov	eax, [esi+8]
		cmp	eax, [ecx+8]
		jz	loc_8CF57B

loc_74D618:				; CODE XREF: NtDeleteKey+148j
		mov	ecx, dword_6BBE54
		test	ecx, ecx
		jz	short loc_74D62E
		mov	eax, [esi+8]
		cmp	eax, [ecx+8]
		jz	loc_8CF57B

loc_74D62E:				; CODE XREF: NtDeleteKey+15Ej
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jnz	loc_74D6FC

loc_74D640:				; CODE XREF: NtDeleteKey+241j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, [esi+8]
		test	byte ptr [eax+4], 80h
		jnz	loc_8CF5E1
		mov	eax, [eax+24h]
		test	eax, eax
		jz	short loc_74D665
		test	byte ptr [eax+4], 80h
		jnz	loc_8CF5E1

loc_74D665:				; CODE XREF: NtDeleteKey+197j
		cmp	[esp+98h+var_87], 0
		jnz	loc_8CF59E

loc_74D670:				; CODE XREF: NtDeleteKey+182119j
		mov	ecx, esi
		call	CmDeleteKey
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_74D688
		test	byte ptr [esp+98h+var_60], 4
		jnz	loc_8CF5EB

loc_74D688:				; CODE XREF: NtDeleteKey+D4j
					; NtDeleteKey+1B9j ...
		cmp	[esp+98h+var_87], 0
		jnz	loc_8CF507

loc_74D693:				; CODE XREF: NtDeleteKey+18204Fj
		cmp	[esp+98h+var_86], 0
		jz	short loc_74D6B3
		lea	eax, [esp+98h+var_68]
		mov	edx, esi
		push	eax
		push	0
		lea	eax, [esp+0A0h+var_48]
		push	eax
		push	ebx
		push	0Fh
		pop	ecx
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		mov	ebx, eax

loc_74D6B3:				; CODE XREF: NtDeleteKey+1D6j
		cmp	[esp+98h+var_85], 0
		jz	short loc_74D6BF
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_74D6BF:				; CODE XREF: NtDeleteKey+1F6j
		test	esi, esi
		jz	short loc_74D6CA
		mov	ecx, esi
		call	ObfDereferenceObject

loc_74D6CA:				; CODE XREF: NtDeleteKey+1FFj
					; NtDeleteKey+18201Fj
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jnz	loc_8CF642

loc_74D6D7:				; CODE XREF: NtDeleteKey+182192j
		cmp	[esp+98h+var_7D], 0
		jz	short loc_74D6E3
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_74D6E3:				; CODE XREF: NtDeleteKey+21Aj
		mov	ecx, [esp+98h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_74D6FC:				; CODE XREF: NtDeleteKey+178j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_74D640
NtDeleteKey	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmDeleteKey	proc near		; CODE XREF: NtDeleteKey+1B0p

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_21		= byte ptr -21h
var_20		= byte ptr -20h
var_1F		= byte ptr -1Fh
var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CF659 SIZE 0000039B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_8C], ecx
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [ebp+var_1C]
		xor	ebx, ebx
		rep stosd
		lea	eax, [ebp+var_44]
		mov	[ebp+var_70], ebx
		mov	[ebp+var_40], eax
		lea	edi, [ebp+var_68]
		mov	[ebp+var_44], eax
		or	ecx, 0FFFFFFFFh
		xor	eax, eax
		mov	[ebp+var_6C], ebx
		stosd
		mov	[ebp+var_30], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		stosd
		mov	[ebp+var_28], ebx
		mov	[ebp+var_1F], bl
		mov	[ebp+var_1D], bl
		stosd
		mov	[ebp+var_21], bl
		mov	[ebp+var_1E], bl
		mov	[ebp+var_4C], ebx
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_88]
		mov	word ptr [ebp+var_68+2], cx
		stosd
		mov	[ebp+var_50], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_70]
		push	eax
		mov	word ptr [ebp+var_88+2], cx
		call	KeQuerySystemTime
		xor	ecx, ecx
		mov	[ebp+var_98], 0C0000001h
		xor	eax, eax
		mov	[ebp+var_74], ecx
		mov	[ebp+var_54], ecx
		or	esi, 0FFFFFFFFh
		mov	word ptr [ebp+var_74], ax
		mov	word ptr [ebp+var_54], ax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_48], ecx
		lea	ecx, [ebp+var_2C]
		mov	[ebp+var_78], esi
		mov	[ebp+var_58], esi
		mov	[ebp+var_90], eax
		mov	[ebp+var_94], eax
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		lea	ecx, [ebp+var_1C]
		call	CmpAttachToRegistryProcess

loc_74D7E1:				; CODE XREF: CmDeleteKey+182017j
					; CmDeleteKey+18209Bj
		mov	eax, _CmpShutdownRundown
		test	al, 1
		jnz	loc_8CF9B7
		cmp	[ebp+var_1F], 0
		jnz	loc_8CF659
		call	_CmpLockRegistry@0 ; CmpLockRegistry()

loc_74D7FD:				; CODE XREF: CmDeleteKey+181F56j
		mov	edi, [ebp+var_8C]
		mov	[ebp+var_20], 1
		mov	ebx, [edi+8]
		mov	ecx, ebx
		call	_CmpIsKcbImmutable@4 ; CmpIsKcbImmutable(x)
		test	al, al
		jnz	loc_8CF9AD
		xor	eax, eax
		cmp	[ebx+24h], eax
		jz	loc_74DAB1
		cmp	[ebx+22h], ax
		jnz	loc_8CF998
		mov	edx, ebx
		lea	ecx, [ebp+var_88]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74D9FA
		mov	edx, [ebx+24h]
		lea	ecx, [ebp+var_68]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74D9FA
		cmp	[ebp+var_1F], 0
		jnz	short loc_74D882
		mov	ecx, ebx
		call	CmpLockHashEntryExclusiveByKcb
		lea	ecx, [ebp+var_68]
		mov	[ebp+var_1D], 1
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		lea	ecx, [ebp+var_88]
		call	_CmpLockKcbStackExclusive@4 ; CmpLockKcbStackExclusive(x)
		mov	[ebp+var_1E], 1

loc_74D882:				; CODE XREF: CmDeleteKey+156j
		xor	edx, edx
		mov	ecx, edi
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_74D9F8
		xor	eax, eax
		cmp	[edi+20h], eax
		jnz	loc_8CF663
		cmp	[edi+24h], eax
		jnz	loc_8CF663
		mov	edi, [ebp+var_4C]

loc_74D8AA:				; CODE XREF: CmDeleteKey+181F9Cj
		mov	eax, [ebx+6Ch]
		test	eax, eax
		jnz	loc_8CF6A9

loc_74D8B5:				; CODE XREF: CmDeleteKey+181F96j
					; CmDeleteKey+181FA6j ...
		mov	edx, [ebx+80h]
		test	edx, edx
		jnz	loc_8CF724

loc_74D8C3:				; CODE XREF: CmDeleteKey+18202Bj
		test	edi, edi
		jnz	loc_8CF7B4
		mov	ecx, [ebx+24h]
		xor	eax, eax
		add	ecx, 84h
		cmp	[ecx], eax
		jl	loc_8CF738
		lea	ecx, [ebx+84h]
		cmp	[ecx], eax
		jnz	loc_8CF738
		lea	ecx, [ebx+8Ch]
		cmp	[ecx], eax
		jnz	loc_8CF738
		mov	esi, eax

loc_74D8FC:				; CODE XREF: CmDeleteKey+182146j
		cmp	[ebp+var_1F], 0
		jnz	short loc_74D90E
		mov	ecx, [ebx+10h]
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	[ebp+var_21], 1

loc_74D90E:				; CODE XREF: CmDeleteKey+1F8j
		push	1
		lea	edx, [ebp+var_78]
		mov	ecx, ebx
		call	CmpGetKeyNodeForKcb
		push	edi
		mov	edx, eax
		mov	[ebp+var_48], eax
		mov	ecx, ebx
		call	CmGetVisibleSubkeyCount
		test	eax, eax
		jnz	loc_74DAB1
		mov	eax, [ebp+var_48]
		test	byte ptr [eax+2], 8
		jnz	loc_74DAB1
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_78]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		and	[ebp+var_48], 0
		test	edi, edi
		jnz	loc_8CF868
		mov	eax, [ebx+6Ch]
		test	eax, eax
		jnz	loc_8CF8BC

loc_74D95E:				; CODE XREF: CmDeleteKey+1821B9j
		lea	eax, [ebp+var_44]
		xor	edx, edx
		push	eax
		push	1
		lea	ecx, [ebp+var_68]
		call	_CmpReportNotifyForKcbStack@16 ; CmpReportNotifyForKcbStack(x,x,x,x)
		mov	edx, [ebx+14h]
		mov	ecx, [ebx+10h]
		push	1
		call	CmpFreeKeyByCell
		mov	esi, eax
		test	esi, esi
		js	short loc_74D9FA
		push	0
		lea	eax, [ebp+var_2C]
		mov	ecx, ebx
		push	eax
		push	8
		pop	edx
		call	CmpFlushNotifiesOnKeyBodyList
		mov	ecx, [ebx+24h]
		mov	dl, 1
		call	CmpCleanUpSubKeyInfo
		mov	ecx, [ebx+24h]
		lea	edx, [ebp+var_58]
		push	1
		call	CmpGetKeyNodeForKcb
		mov	edx, [ebx+24h]
		mov	cx, [eax+34h]
		mov	[edx+60h], cx
		mov	ecx, [ebx+24h]
		mov	edx, [ebp+var_70]
		add	dword ptr [ecx+0A8h], 1
		adc	dword ptr [ecx+0ACh], 0
		mov	ecx, [ebp+var_6C]
		mov	[eax+8], ecx
		mov	[eax+4], edx
		mov	eax, [ebx+24h]
		mov	[eax+58h], edx
		mov	[eax+5Ch], ecx
		lea	ecx, [ebp+var_58]
		mov	eax, [ebx+24h]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]
		lea	edx, [ebp+var_2C]
		mov	ecx, ebx
		call	_CmpMarkKeyUnbacked@8 ;	CmpMarkKeyUnbacked(x,x)
		mov	ecx, ebx
		call	_CmpDiscardKcb@4 ; CmpDiscardKcb(x)

loc_74D9F8:				; CODE XREF: CmDeleteKey+185j
					; CmDeleteKey+181F8Ej ...
		xor	esi, esi

loc_74D9FA:				; CODE XREF: CmDeleteKey+137j
					; CmDeleteKey+14Cj ...
		lea	edx, [ebp+var_2C]
		lea	ecx, [ebp+var_9C]
		call	CmpCleanupDiscardReplaceContext
		cmp	[ebp+var_48], 0
		jnz	loc_74DABB

loc_74DA12:				; CODE XREF: CmDeleteKey+3BEj
		cmp	[ebp+var_21], 0
		jz	short loc_74DA20
		mov	ecx, [ebx+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)

loc_74DA20:				; CODE XREF: CmDeleteKey+30Ej
		mov	edi, [ebp+var_38]
		test	edi, edi
		jnz	loc_8CF9C6

loc_74DA2B:				; CODE XREF: CmDeleteKey+1822D0j
		mov	edi, [ebp+var_3C]
		test	edi, edi
		jnz	loc_8CF9DD

loc_74DA36:				; CODE XREF: CmDeleteKey+1822E7j
		cmp	[ebp+var_1E], 0
		jz	short loc_74DA4F
		lea	ecx, [ebp+var_88]
		call	CmpUnlockKcbStack
		lea	ecx, [ebp+var_68]
		call	CmpUnlockKcbStack

loc_74DA4F:				; CODE XREF: CmDeleteKey+332j
		cmp	[ebp+var_1D], 0
		jz	short loc_74DA5C
		mov	ecx, ebx
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)

loc_74DA5C:				; CODE XREF: CmDeleteKey+34Bj
		lea	ecx, [ebp+var_88]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		lea	ecx, [ebp+var_68]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		xor	dl, dl
		lea	ecx, [ebp+var_2C]
		call	CmpDrainDelayDerefContext
		cmp	[ebp+var_20], 0
		jz	short loc_74DA84
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_74DA84:				; CODE XREF: CmDeleteKey+375j
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		lea	eax, [ebp+var_44]
		cmp	[ebp+var_44], eax
		jnz	short loc_74DAA7

loc_74DA96:				; CODE XREF: CmDeleteKey+3A7j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_74DAA7:				; CODE XREF: CmDeleteKey+38Cj
		lea	ecx, [ebp+var_44]
		call	_CmpSignalDeferredPosts@4 ; CmpSignalDeferredPosts(x)
		jmp	short loc_74DA96
; 

loc_74DAB1:				; CODE XREF: CmDeleteKey+116j
					; CmDeleteKey+221j ...
		mov	esi, 0C0000121h
		jmp	loc_74D9FA
; 

loc_74DABB:				; CODE XREF: CmDeleteKey+304j
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_78]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		jmp	loc_74DA12
CmDeleteKey	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetKeyNodeForKcb proc near		; CODE XREF: CmpEnumerateLayeredKey+194p
					; CmpSetKeySecurity(x,x,x,x,x,x)+436p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		push	ebx
		mov	eax, [edi+14h]
		mov	esi, [edi+10h]
		push	eax
		push	esi
		call	dword ptr [esi+4]
		cmp	[ebp+arg_0], 0
		mov	esi, eax
		mov	ecx, [edi+10h]
		mov	edx, esi
		jz	short loc_74DB02
		push	dword ptr [edi+14h]
		call	_CmpUpdateKeyNodeAccessBits@12 ; CmpUpdateKeyNodeAccessBits(x,x,x)

loc_74DAF9:				; CODE XREF: CmpGetKeyNodeForKcb+3Dj
					; sub_8CF9F4+4Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_74DB02:				; CODE XREF: CmpGetKeyNodeForKcb+23j
		call	_CmpKeyNodeNeedsAccessBitUpdate@8 ; CmpKeyNodeNeedsAccessBitUpdate(x,x)
		test	al, al
		jz	short loc_74DAF9
		jmp	sub_8CF9F4
CmpGetKeyNodeForKcb endp


;  S U B	R O U T	I N E 


; __stdcall CmpUnlockHashEntryByKcb(x)
_CmpUnlockHashEntryByKcb@4 proc	near	; CODE XREF: CmpRemoveHiveFromNamespace(x,x,x)+8Fp
					; CmDeleteLayeredKey(x,x,x)+1CBp ...
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	eax, [ebx+8]
		mov	esi, [ebx+10h]
		mov	ecx, esi
		push	eax
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		lea	ecx, [eax+eax*2]
		mov	eax, [esi+434h]
		mov	dword ptr [eax+ecx*4+4], 0
		mov	eax, [ebx+8]
		mov	edi, [ebx+10h]
		mov	ecx, edi
		push	eax
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		xor	edx, edx
		lea	ecx, [eax+eax*2]
		mov	eax, [edi+434h]
		lea	ecx, [eax+ecx*4]
		call	ExReleasePushLockEx
		or	eax, 0FFFFFFFFh
		lock xadd [esi+9D8h], eax
		pop	edi
		jz	short loc_74DB68
		pop	esi
		pop	ebx
		retn
; 

loc_74DB68:				; CODE XREF: CmpUnlockHashEntryByKcb(x)+53j
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	_CmpDeleteHive@4 ; CmpDeleteHive(x)
_CmpUnlockHashEntryByKcb@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


CmpCleanupDiscardReplaceContext	proc near ; CODE XREF: CmDeleteLayeredKey(x,x,x)+1D6p
					; CmDeleteKey+2FBp ...

; FUNCTION CHUNK AT 008CFA48 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	ecx, [esi]
		test	ecx, ecx
		jnz	loc_8CFA48

loc_74DB85:				; CODE XREF: CmpCleanupDiscardReplaceContext+181EDBj
					; CmpCleanupDiscardReplaceContext+181EF8j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
CmpCleanupDiscardReplaceContext	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmGetVisibleSubkeyCount	proc near	; CODE XREF: CmDeleteKey+21Ap
					; CmpQueryKeyDataFromNode+1D9p	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, [edx+18h]
		add	esi, [edx+14h]
		test	ecx, ecx
		jz	short loc_74DBA9
		cmp	[ebp+arg_0], 0
		jnz	sub_8CFA7E

loc_74DBA9:				; CODE XREF: CmGetVisibleSubkeyCount+13j
					; sub_8CFA7E+3Bj
		mov	eax, esi
		pop	esi
		leave
		retn	4
CmGetVisibleSubkeyCount	endp


;  S U B	R O U T	I N E 


; __stdcall CmpLockKcbStackExclusive(x)
_CmpLockKcbStackExclusive@4 proc near	; CODE XREF: CmDeleteLayeredKey(x,x,x)+159p
					; CmDeleteLayeredKey(x,x,x)+22Dp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		xor	esi, esi
		cmp	ax, [edi+2]
		jg	short loc_74DBE9
		push	ebx

loc_74DBC1:				; CODE XREF: CmpLockKcbStackExclusive(x)+36j
		movsx	ecx, si
		cmp	si, 2
		jge	short loc_74DBEC
		mov	ebx, [edi+ecx*4+4]

loc_74DBCE:				; CODE XREF: CmpLockKcbStackExclusive(x)+43j
		lea	ecx, [ebx+18h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		inc	esi
		mov	[ebx+1Ch], eax
		cmp	si, [edi+2]
		jle	short loc_74DBC1
		pop	ebx

loc_74DBE9:				; CODE XREF: CmpLockKcbStackExclusive(x)+Ej
		pop	edi
		pop	esi
		retn
; 

loc_74DBEC:				; CODE XREF: CmpLockKcbStackExclusive(x)+18j
		mov	eax, [edi+0Ch]
		mov	ebx, [eax+ecx*4-8]
		jmp	short loc_74DBCE
_CmpLockKcbStackExclusive@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtLoadKeyEx(x, x, x, x, x, x, x, x)
_NtLoadKeyEx@32	proc near		; CODE XREF: NtLoadKey(x,x)+13p
					; DATA XREF: .text:00580FB0o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_4], al
		xor	eax, eax
		push	[ebp+var_4]
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	CmLoadDifferencingKey
		leave
		retn	20h
_NtLoadKeyEx@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmLoadDifferencingKey proc near		; CODE XREF: NtLoadKey3(x,x,x,x,x,x,x,x)+15Fp
					; VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+26Ap ...

var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_170		= dword	ptr -170h
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= byte ptr -160h
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= byte ptr -0E0h
var_DF		= byte ptr -0DFh
var_DE		= byte ptr -0DEh
var_DD		= byte ptr -0DDh
var_DC		= dword	ptr -0DCh
var_A0		= dword	ptr -0A0h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_60		= dword	ptr -60h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= byte ptr  2Ch

; FUNCTION CHUNK AT 008CFABE SIZE 00000124 BYTES
; FUNCTION CHUNK AT 008CFC0D SIZE 00000013 BYTES
; FUNCTION CHUNK AT 008CFC4E SIZE 0000002A BYTES

		push	1A8h
		push	offset dword_6A03A8
		call	__SEH_prolog4_GS
		mov	[ebp+var_F8], edx
		mov	[ebp+var_F0], ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_158], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_138], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_FC], eax
		mov	esi, [ebp+arg_18]
		mov	[ebp+var_154], esi
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_12C], eax
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_180]
		rep stosd
		xor	ebx, ebx
		mov	[ebp+var_E8], ebx
		mov	[ebp+var_E4], ebx
		mov	[ebp+var_11C], ebx
		mov	[ebp+var_118], ebx
		mov	[ebp+var_100], ebx
		mov	[ebp+var_130], ebx
		mov	[ebp+var_DE], bl
		mov	[ebp+var_1B8], ebx
		mov	[ebp+var_DD], bl
		push	ebx
		lea	eax, [ebp+var_E8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_DF], bl
		push	ebx
		lea	eax, [ebp+var_11C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_EC], ebx
		mov	[ebp+var_F4], ebx
		mov	[ebp+var_114], ebx
		mov	[ebp+var_110], ebx
		mov	[ebp+var_108], ebx
		mov	[ebp+var_128], ebx
		push	0B4h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_DC]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		or	[ebp+var_A0], 0FFFFFFFFh
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], ebx
		lea	eax, [ebp+var_84]
		mov	[ebp+var_80], eax
		mov	[ebp+var_84], eax
		push	38h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_60]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_104], ebx
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_E0], al
		test	al, al
		jz	loc_8CFABE
		mov	[ebp+var_DD], bl
		mov	ecx, [ebp+arg_0]
		test	ecx, 0FFFF000Bh
		jnz	loc_74E2C0
		test	esi, esi
		jnz	loc_74E45C

loc_74DD7E:				; CODE XREF: CmLoadDifferencingKey+82Ej
		cmp	byte ptr [ebp+arg_1C], bl
		jnz	loc_74E51E

loc_74DD87:				; CODE XREF: CmLoadDifferencingKey+8F8j
		test	ecx, 1000h
		jnz	loc_74E2AF

loc_74DD93:				; CODE XREF: CmLoadDifferencingKey+686j
		mov	edi, ecx
		and	edi, 810h
		mov	[ebp+var_13C], edi
		call	_CmCheckNoTxContext@0 ;	CmCheckNoTxContext()
		mov	esi, eax
		test	esi, esi
		js	loc_74E2C5
		mov	eax, [ebp+arg_0]
		mov	ecx, eax
		and	ecx, 10h
		mov	[ebp+var_120], ecx
		jz	loc_74E3B9

loc_74DDC4:				; CODE XREF: CmLoadDifferencingKey+7ABj
		test	edi, edi
		jz	short loc_74DDEB
		cmp	[ebp+var_FC], ebx
		jz	loc_8CFADC
		test	eax, 444h
		setnz	cl
		test	al, 10h
		setnz	al
		test	cl, al
		jnz	loc_74E2C0
		jmp	short loc_74DE03
; 

loc_74DDEB:				; CODE XREF: CmLoadDifferencingKey+192j
		cmp	[ebp+var_FC], ebx
		jnz	loc_8CFADC
		cmp	[ebp+var_138], ebx
		jnz	loc_8CFAE6

loc_74DE03:				; CODE XREF: CmLoadDifferencingKey+1B5j
		lea	eax, [ebp+var_11C]
		push	eax
		mov	dl, [ebp+arg_24]
		mov	ecx, [ebp+var_F8]
		call	CmpNameFromAttributes
		mov	esi, eax
		mov	[ebp+var_124], esi
		test	esi, esi
		js	loc_74E2C5
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, dword ptr [ebp+arg_24]
		mov	edx, [ebp+var_F0]
		cmp	al, 1
		jnz	short loc_74DE76
		mov	ecx, edx
		test	dl, 3
		jnz	loc_74E551
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_8CFAF0

loc_74DE50:				; CODE XREF: CmLoadDifferencingKey+181EBEj
		nop
		mov	al, [ecx]
		test	edi, edi
		jz	short loc_74DE73
		mov	eax, [ebp+var_FC]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		jnb	loc_8CFAF7

loc_74DE6B:				; CODE XREF: CmLoadDifferencingKey+181EC5j
		mov	[eax], ebx
		mov	edx, [ebp+var_F0]

loc_74DE73:				; CODE XREF: CmLoadDifferencingKey+221j
		mov	eax, dword ptr [ebp+arg_24]

loc_74DE76:				; CODE XREF: CmLoadDifferencingKey+202j
		push	6
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp+var_180]
		rep movsd
		cmp	[ebp+var_17C], 0
		jnz	loc_74E3E4

loc_74DE90:				; CODE XREF: CmLoadDifferencingKey+7B7j
		cmp	al, 1
		jnz	loc_74E443
		mov	[ebp+var_150], ebx
		mov	[ebp+var_14C], ebx
		mov	edx, [ebp+var_178]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_8CFB1C

loc_74DEB7:				; CODE XREF: CmLoadDifferencingKey+181EEAj
		nop
		mov	ecx, [edx]
		mov	[ebp+var_150], ecx
		mov	edx, [edx+4]
		mov	[ebp+var_14C], edx
		mov	eax, [ebp+var_150]
		mov	[ebp+var_E8], eax
		mov	[ebp+var_E4], edx
		movzx	eax, cx
		test	ax, ax
		jz	short loc_74DF04
		test	dl, 1
		jnz	loc_74E551
		add	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_8CFB23
		cmp	eax, edx
		jb	loc_8CFB23

loc_74DF04:				; CODE XREF: CmLoadDifferencingKey+2ADj
					; CmLoadDifferencingKey+823j ...
		movzx	esi, word ptr [ebp+var_E8]
		mov	eax, esi
		test	ax, ax
		jz	loc_8CFB2A
		push	6B624D43h
		mov	edx, eax
		call	_CmpAllocateTransientPoolWithQuotaTag@12 ; CmpAllocateTransientPoolWithQuotaTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_128], edi
		test	edi, edi
		jz	loc_8CFB05
		push	esi		; size_t
		push	[ebp+var_E4]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	word ptr [ebp+var_E8], si
		mov	word ptr [ebp+var_E8+2], si
		mov	[ebp+var_E4], edi

loc_74DF56:				; CODE XREF: CmLoadDifferencingKey+181F03j
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_178], eax
		mov	[ebp+var_170], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_158]
		test	eax, eax
		jnz	loc_74E4EA

loc_74DF7D:				; CODE XREF: CmLoadDifferencingKey+8CFj
		mov	ecx, [ebp+var_138]
		mov	edi, dword ptr [ebp+arg_24]
		test	ecx, ecx
		jnz	loc_8CFB3C

loc_74DF8E:				; CODE XREF: CmLoadDifferencingKey+181F3Bj
		mov	ecx, [ebp+var_154]
		test	ecx, ecx
		jnz	loc_74E46D

loc_74DF9C:				; CODE XREF: CmLoadDifferencingKey+859j
		mov	ecx, [ebp+var_12C]
		test	ecx, ecx
		jnz	loc_8CFB74

loc_74DFAA:				; CODE XREF: CmLoadDifferencingKey+181F7Cj
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	[ebp+var_DF], 1
		lea	eax, [ebp+var_110]
		push	eax
		push	20019h
		push	dword ptr [ebp+arg_24]
		mov	ecx, [ebp+var_17C]
		call	_CmConvertHandleToKernelHandle@20 ; CmConvertHandleToKernelHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74E2C5
		mov	eax, [ebp+var_110]
		mov	[ebp+var_17C], eax
		mov	[ebp+var_F0], ebx
		push	30h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_1B4]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		lea	edi, [ebp+var_168]
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_144]
		mov	[ebp+var_140], eax
		mov	[ebp+var_144], eax
		cmp	_CmpCallBackCount, 0
		jz	loc_8CFBC0
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	loc_8CFBC0
		cmp	[ebp+var_17C], eax
		jnz	loc_74E492
		mov	eax, ebx

loc_74E048:				; CODE XREF: CmLoadDifferencingKey+88Bj
		mov	[ebp+var_18C], 2
		mov	[ebp+var_1B4], eax
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_1B0], eax
		lea	eax, [ebp+var_11C]
		mov	[ebp+var_1AC], eax
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_1A8], edi
		mov	eax, [ebp+var_EC]
		mov	[ebp+var_1A4], eax
		mov	eax, [ebp+var_108]
		mov	[ebp+var_1A0], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_19C], eax
		mov	eax, [ebp+var_FC]
		mov	[ebp+var_198], eax
		mov	eax, [ebp+var_104]
		mov	[ebp+var_188], eax
		lea	eax, [ebp+var_1B4]
		mov	[ebp+var_168], eax
		mov	eax, [ebp+var_114]
		mov	[ebp+var_164], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_160], al
		lea	eax, [ebp+var_144]
		push	eax
		push	ebx
		push	21h
		push	1
		lea	eax, [ebp+var_168]
		push	eax
		lea	edx, [ebp+var_1B4]
		push	20h
		pop	ecx
		call	CmpCallCallBacksEx
		mov	esi, eax

loc_74E0F6:				; CODE XREF: CmLoadDifferencingKey+181F8Fj
		test	esi, esi
		js	loc_8CFBC8
		mov	edx, edi
		lea	ecx, [ebp+var_11C]
		call	CmpTraceHiveLoadStart
		mov	[ebp+var_DD], 1
		cmp	[ebp+var_120], 0
		jz	loc_74E3F6
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		mov	[ebp+var_E0], bl
		lea	eax, [ebp+var_F4]
		push	eax
		lea	eax, [ebp+var_100]
		push	eax
		push	dword ptr [ebp+arg_24]
		push	[ebp+var_104]
		push	[ebp+var_108]
		push	[ebp+var_EC]
		push	edi
		lea	edx, [ebp+var_11C]
		lea	ecx, [ebp+var_180]
		call	_CmLoadAppKey@36 ; CmLoadAppKey(x,x,x,x,x,x,x,x,x)

loc_74E15F:				; CODE XREF: CmLoadDifferencingKey+800j
		lea	ecx, [ebp+var_144]
		push	ecx
		lea	ecx, [ebp+var_168]
		push	ecx
		lea	ecx, [ebp+var_1B4]
		push	ecx
		push	eax
		mov	edx, [ebp+var_F0]
		push	21h
		pop	ecx
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		mov	esi, eax

loc_74E185:				; CODE XREF: CmLoadDifferencingKey+181F9Aj
					; CmLoadDifferencingKey+181FA9j
		mov	eax, [ebp+var_F0]
		test	eax, eax
		jnz	loc_74E4C4

loc_74E193:				; CODE XREF: CmLoadDifferencingKey+897j
		mov	ecx, [ebp+var_EC]
		test	ecx, ecx
		jnz	loc_74E50E

loc_74E1A1:				; CODE XREF: CmLoadDifferencingKey+8E5j
		test	esi, esi
		js	loc_74E2C5
		cmp	[ebp+var_13C], 0
		jz	loc_74E2C5
		cmp	[ebp+var_DE], 0
		jnz	loc_74E2C5
		mov	[ebp+var_10C], ebx
		mov	eax, [ebp+var_120]
		mov	[ebp+var_12C], eax
		test	eax, eax
		jz	short loc_74E1E3
		mov	[ebp+var_DC], 40h

loc_74E1E3:				; CODE XREF: CmLoadDifferencingKey+5A3j
		mov	eax, [ebp+var_100]
		test	eax, eax
		jz	loc_74E3A8

loc_74E1F1:				; CODE XREF: CmLoadDifferencingKey+780j
		lea	ecx, [ebp+var_10C]
		push	ecx
		lea	ecx, [ebp+var_DC]
		push	ecx
		push	ebx
		push	ds:_CmKeyObjectType
		push	ebx
		push	ebx
		push	40h
		push	eax
		call	ObReferenceObjectByName
		mov	esi, eax
		test	esi, esi
		js	short loc_74E281
		push	[ebp+var_10C]
		call	ObDeleteCapturedInsertInfo
		lea	eax, [ebp+var_130]
		push	eax
		mov	ecx, dword ptr [ebp+arg_24]
		push	ecx
		push	ds:_CmKeyObjectType
		push	[ebp+arg_C]
		push	ebx
		xor	eax, eax
		test	cl, cl
		setz	al
		dec	eax
		and	eax, 0FFFFFE00h
		add	eax, 240h
		push	eax
		push	[ebp+var_10C]
		call	ObOpenObjectByPointer
		mov	esi, eax
		mov	ecx, [ebp+var_10C]
		call	ObfDereferenceObject
		test	esi, esi
		js	short loc_74E281
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_130]
		mov	ecx, [ebp+var_FC]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_74E281:				; CODE XREF: CmLoadDifferencingKey+5E0j
					; CmLoadDifferencingKey+62Fj ...
		mov	ecx, [ebp+var_F4]
		test	ecx, ecx
		jz	short loc_74E2A5
		cmp	[ebp+var_12C], 0
		jz	loc_74E537
		mov	edx, esi
		call	CmReleaseLoadKeyContext

loc_74E29F:				; CODE XREF: CmLoadDifferencingKey+918j
		mov	[ebp+var_F4], ebx

loc_74E2A5:				; CODE XREF: CmLoadDifferencingKey+655j
		test	esi, esi
		js	loc_8CFC0D
		jmp	short loc_74E2C5
; 

loc_74E2AF:				; CODE XREF: CmLoadDifferencingKey+159j
		mov	eax, ecx
		mov	edx, 600h
		and	eax, edx
		cmp	eax, edx
		jz	loc_74DD93

loc_74E2C0:				; CODE XREF: CmLoadDifferencingKey+13Cj
					; CmLoadDifferencingKey+1AFj ...
		mov	esi, 0C00000F1h

loc_74E2C5:				; CODE XREF: CmLoadDifferencingKey+176j
					; CmLoadDifferencingKey+1EEj ...
		mov	ecx, [ebp+var_F4]
		test	ecx, ecx
		jnz	loc_8CFC4E

loc_74E2D3:				; CODE XREF: CmLoadDifferencingKey+182021j
		mov	ecx, [ebp+var_100]
		test	ecx, ecx
		jz	short loc_74E2F1
		lea	eax, [ebp+var_E8]
		cmp	ecx, eax
		jz	short loc_74E2F1
		mov	edx, 624E4D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_74E2F1:				; CODE XREF: CmLoadDifferencingKey+6A7j
					; CmLoadDifferencingKey+6B1j
		cmp	[ebp+var_110], 0
		jnz	loc_74E4D0

loc_74E2FE:				; CODE XREF: CmLoadDifferencingKey+8A7j
		cmp	[ebp+var_DF], 0
		jz	short loc_74E30C
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_74E30C:				; CODE XREF: CmLoadDifferencingKey+6D1j
		mov	ecx, [ebp+var_104]
		test	ecx, ecx
		jnz	loc_8CFC5A

loc_74E31A:				; CODE XREF: CmLoadDifferencingKey+18202Bj
		mov	ecx, [ebp+var_114]
		test	ecx, ecx
		jnz	loc_74E4E0

loc_74E328:				; CODE XREF: CmLoadDifferencingKey+8B1j
		mov	ecx, [ebp+var_108]
		test	ecx, ecx
		jnz	loc_8CFC64

loc_74E336:				; CODE XREF: CmLoadDifferencingKey+182035j
		mov	ecx, [ebp+var_EC]
		test	ecx, ecx
		jnz	loc_8CFC6E

loc_74E344:				; CODE XREF: CmLoadDifferencingKey+18203Fj
		mov	edi, [ebp+var_128]
		test	edi, edi
		jz	short loc_74E355
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_74E355:				; CODE XREF: CmLoadDifferencingKey+718j
		cmp	[ebp+var_118], 0
		jz	short loc_74E36A
		push	ebx
		push	[ebp+var_118]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_74E36A:				; CODE XREF: CmLoadDifferencingKey+728j
		xor	dl, dl
		lea	ecx, [ebp+var_DC]
		call	CmpCleanupParseContext
		cmp	[ebp+var_E0], 0
		jnz	loc_74E439

loc_74E384:				; CODE XREF: CmLoadDifferencingKey+80Aj
		cmp	[ebp+var_DD], 0
		jz	short loc_74E394
		mov	ecx, esi
		call	CmpTraceHiveLoadStop

loc_74E394:				; CODE XREF: CmLoadDifferencingKey+757j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	28h
; 

loc_74E3A8:				; CODE XREF: CmLoadDifferencingKey+5B7j
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_100], eax
		jmp	loc_74E1F1
; 

loc_74E3B9:				; CODE XREF: CmLoadDifferencingKey+18Aj
		mov	edi, dword ptr [ebp+arg_24]
		push	edi
		push	ds:dword_A949DC
		push	ds:_SeRestorePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_8CFAD2
		mov	eax, [ebp+arg_0]
		mov	edi, [ebp+var_13C]
		jmp	loc_74DDC4
; 

loc_74E3E4:				; CODE XREF: CmLoadDifferencingKey+256j
		cmp	[ebp+var_120], 0
		jz	loc_74DE90
		jmp	loc_8CFAFE
; 

loc_74E3F6:				; CODE XREF: CmLoadDifferencingKey+4E5j
		lea	eax, [ebp+var_F4]
		push	eax
		lea	eax, [ebp+var_100]
		push	eax
		push	dword ptr [ebp+arg_24]
		push	[ebp+var_104]
		push	[ebp+var_108]
		push	[ebp+arg_1C]
		push	[ebp+var_114]
		push	[ebp+var_EC]
		push	edi
		lea	edx, [ebp+var_11C]
		lea	ecx, [ebp+var_180]
		call	CmLoadKey
		jmp	loc_74E15F
; 

loc_74E439:				; CODE XREF: CmLoadDifferencingKey+74Aj
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		jmp	loc_74E384
; 

loc_74E443:				; CODE XREF: CmLoadDifferencingKey+25Ej
		mov	ecx, [edx+8]
		mov	eax, [ecx]
		mov	[ebp+var_E8], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_E4], eax
		jmp	loc_74DF04
; 

loc_74E45C:				; CODE XREF: CmLoadDifferencingKey+144j
		test	ecx, 0FFFF9EFFh
		jz	loc_74DD7E
		jmp	loc_74E2C0
; 

loc_74E46D:				; CODE XREF: CmLoadDifferencingKey+362j
		push	ebx
		lea	eax, [ebp+var_114]
		push	eax
		push	dword ptr [ebp+arg_24]
		push	ecx
		xor	edx, edx
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74E2C5
		mov	edi, dword ptr [ebp+arg_24]
		jmp	loc_74DF9C
; 

loc_74E492:				; CODE XREF: CmLoadDifferencingKey+40Cj
		mov	[ebp+var_F8], ebx
		push	ebx
		lea	eax, [ebp+var_F8]
		push	eax
		push	ebx
		push	ds:_CmKeyObjectType
		push	ebx
		push	[ebp+var_17C]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	eax, [ebp+var_F8]
		mov	[ebp+var_F0], eax
		jmp	loc_74E048
; 

loc_74E4C4:				; CODE XREF: CmLoadDifferencingKey+559j
		mov	ecx, eax
		call	ObfDereferenceObject
		jmp	loc_74E193
; 

loc_74E4D0:				; CODE XREF: CmLoadDifferencingKey+6C4j
		push	[ebp+var_110]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_74E2FE
; 

loc_74E4E0:				; CODE XREF: CmLoadDifferencingKey+6EEj
		call	ObfDereferenceObject
		jmp	loc_74E328
; 

loc_74E4EA:				; CODE XREF: CmLoadDifferencingKey+343j
		push	ebx
		lea	ecx, [ebp+var_EC]
		push	ecx
		push	dword ptr [ebp+arg_24]
		push	ecx
		xor	edx, edx
		mov	ecx, eax
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_74DF7D
		jmp	loc_74E2C5
; 

loc_74E50E:				; CODE XREF: CmLoadDifferencingKey+567j
		call	ObfDereferenceObject
		mov	[ebp+var_EC], ebx
		jmp	loc_74E1A1
; 

loc_74E51E:				; CODE XREF: CmLoadDifferencingKey+14Dj
		test	esi, esi
		jz	loc_8CFAC8
		test	ecx, 4000h
		jnz	loc_74DD87
		jmp	loc_74E2C0
; 

loc_74E537:				; CODE XREF: CmLoadDifferencingKey+65Ej
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, [ebp+var_F4]
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		jmp	loc_74E29F
; 

loc_74E551:				; CODE XREF: CmLoadDifferencingKey+209j
					; CmLoadDifferencingKey+2B2j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
CmLoadDifferencingKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTraceHiveLoadStop proc near		; CODE XREF: CmLoadDifferencingKey+75Bp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CFC78 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+30h+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_LOAD_STOP
		mov	[esp+38h+var_2C], ecx
		lea	edi, [esp+38h+var_28]
		lea	eax, [esp+38h+var_28]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8CFC78

loc_74E59F:				; CODE XREF: CmpTraceHiveLoadStop+181750j
		mov	ecx, [esp+38h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
CmpTraceHiveLoadStop endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtDeleteValueKey proc near		; CODE XREF: ExpWatchProductTypeWork+11E717p
					; DATA XREF: .text:005810A4o

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_57		= byte ptr -57h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= byte ptr -44h
var_43		= byte ptr -43h
var_42		= byte ptr -42h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CFCAB SIZE 00000129 BYTES
; FUNCTION CHUNK AT 008CFE10 SIZE 00000016 BYTES

		push	0A8h
		push	offset dword_6A03D0
		call	__SEH_prolog4_GS
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_70], esi
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_5C], eax
		xor	eax, eax
		lea	edi, [ebp+var_B8]
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	ebx, ebx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_41], bl
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_A4], ebx
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_40]
		rep stosd
		mov	[ebp+var_74], ebx
		cmp	ds:_CmpTraceRoutine, eax
		jnz	loc_8CFCAB

loc_74E614:				; CODE XREF: NtDeleteValueKey+181708j
		mov	al, bl
		mov	[ebp+var_43], al
		mov	[ebp+var_44], al
		mov	[ebp+var_4C], ebx
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_78], eax
		mov	[ebp+var_7C], eax
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_45], al
		mov	byte ptr [ebp+var_68], al
		xor	eax, eax
		lea	edi, [ebp+var_A0]
		stosd
		stosd
		stosd
		stosd
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_57], al
		test	al, al
		jz	loc_8CFCBD
		lea	eax, [ebp+var_8C]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	[ebp+var_68]
		push	ecx
		push	2
		pop	edx
		mov	ecx, esi
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_60], esi
		mov	edi, 0C0000022h
		cmp	esi, edi
		jz	loc_74E8B0
		mov	dl, bl

loc_74E683:				; CODE XREF: NtDeleteValueKey+181757j
		mov	al, dl
		test	esi, esi
		js	loc_74E824
		cmp	ds:_CmpTraceRoutine, ebx
		jnz	loc_8CFD0C

loc_74E699:				; CODE XREF: NtDeleteValueKey+181761j
					; NtDeleteValueKey+18176Dj
		mov	[ebp+ms_exc.disabled], ebx
		mov	dh, [ebp+var_45]
		cmp	dh, 1
		jnz	loc_74E89D
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], ebx
		mov	ecx, ds:_MmUserProbeAddress
		mov	eax, [ebp+var_5C]
		cmp	eax, ecx
		jnb	loc_8CFD22

loc_74E6C2:				; CODE XREF: NtDeleteValueKey+181774j
		nop
		mov	ecx, [eax]
		mov	[ebp+var_84], ecx
		mov	esi, [eax+4]
		mov	[ebp+var_5C], esi
		mov	[ebp+var_80], esi
		mov	eax, [ebp+var_84]
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], esi
		movzx	eax, cx
		mov	ecx, esi
		test	ax, ax
		jz	short loc_74E70B
		test	cl, 1
		jnz	loc_74E8F1
		lea	esi, [ecx+eax]
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		ja	loc_8CFD29
		cmp	esi, ecx
		jb	loc_8CFD29

loc_74E70B:				; CODE XREF: NtDeleteValueKey+138j
					; NtDeleteValueKey+2FBj ...
		mov	si, word ptr [ebp+var_54]
		movzx	edi, si
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		mov	[ebp+var_50], edi
		mov	word ptr [ebp+var_54+2], si
		test	si, si
		jz	short loc_74E767
		movsx	ecx, dh
		mov	edx, edi
		call	_CmpDoesBufferRequireCapturing@8 ; CmpDoesBufferRequireCapturing(x,x)
		test	al, al
		jz	short loc_74E764
		push	62634D43h
		movzx	edx, si
		call	_CmpAllocateTransientPoolWithQuotaTag@12 ; CmpAllocateTransientPoolWithQuotaTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_64], edi
		test	edi, edi
		jz	loc_8CFD33
		movzx	eax, word ptr [ebp+var_54]
		push	eax		; size_t
		push	[ebp+var_50]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_50], edi
		mov	si, word ptr [ebp+var_54]

loc_74E764:				; CODE XREF: NtDeleteValueKey+180j
		mov	dl, [ebp+var_41]

loc_74E767:				; CODE XREF: NtDeleteValueKey+172j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	byte ptr [ebp+var_54], 1
		jnz	loc_8CFD47
		mov	eax, [ebp+var_4C]
		mov	eax, [eax+8]
		test	byte ptr [eax+4], 80h
		jnz	loc_8CFD54
		movzx	eax, si
		shr	eax, 1
		dec	eax
		lea	eax, [edi+eax*2]

loc_74E791:				; CODE XREF: NtDeleteValueKey+1817BFj
		test	si, si
		jz	short loc_74E79F
		cmp	[eax], bx
		jz	loc_8CFD60

loc_74E79F:				; CODE XREF: NtDeleteValueKey+1E4j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	[ebp+var_44], 1
		cmp	_CmpCallBackCount, 0
		jz	short loc_74E7F5
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_74E7F5
		mov	ecx, [ebp+var_4C]
		mov	[ebp+var_B8], ecx
		lea	eax, [ebp+var_54]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	ecx
		push	11h
		push	1
		push	ebx
		lea	edx, [ebp+var_B8]
		push	2
		pop	ecx
		call	CmpCallCallBacksEx
		test	eax, eax
		js	loc_8CFD74
		mov	[ebp+var_43], 1

loc_74E7F5:				; CODE XREF: NtDeleteValueKey+1FFj
					; NtDeleteValueKey+20Dj
		cmp	[ebp+var_41], 0
		jnz	loc_8CFD85

loc_74E7FF:				; CODE XREF: NtDeleteValueKey+181812j
		push	[ebp+var_50]
		push	[ebp+var_54]
		mov	eax, [ebp+var_8C]
		shr	eax, 2
		and	al, 1
		movzx	eax, al
		push	eax
		mov	edx, [ebp+var_70]
		mov	ecx, [ebp+var_4C]
		call	CmDeleteValueKey
		mov	esi, eax

loc_74E821:				; CODE XREF: NtDeleteValueKey+181792j
					; NtDeleteValueKey+1817D0j ...
		mov	al, [ebp+var_41]

loc_74E824:				; CODE XREF: NtDeleteValueKey+D7j
					; NtDeleteValueKey+32Bj ...
		test	al, al
		jnz	loc_74E8E0

loc_74E82C:				; CODE XREF: NtDeleteValueKey+33Cj
		cmp	[ebp+var_43], 0
		jz	short loc_74E84C
		lea	eax, [ebp+var_7C]
		push	eax
		push	ebx
		lea	eax, [ebp+var_B8]
		push	eax
		push	esi
		mov	edx, [ebp+var_4C]
		push	11h
		pop	ecx
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		mov	esi, eax

loc_74E84C:				; CODE XREF: NtDeleteValueKey+280j
		cmp	[ebp+var_44], 0
		jz	short loc_74E857
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_74E857:				; CODE XREF: NtDeleteValueKey+2A0j
		mov	ecx, [ebp+var_4C]
		test	ecx, ecx
		jz	short loc_74E863
		call	ObfDereferenceObject

loc_74E863:				; CODE XREF: NtDeleteValueKey+2ACj
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jnz	loc_8CFE10

loc_74E870:				; CODE XREF: NtDeleteValueKey+181871j
		mov	edi, [ebp+var_64]
		test	edi, edi
		jz	short loc_74E87E
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_74E87E:				; CODE XREF: NtDeleteValueKey+2C5j
		cmp	[ebp+var_57], 0
		jz	short loc_74E889
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_74E889:				; CODE XREF: NtDeleteValueKey+2D2j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_74E89D:				; CODE XREF: NtDeleteValueKey+F2j
		mov	ecx, [ebp+var_5C]
		mov	eax, [ecx]
		mov	[ebp+var_54], eax
		mov	ecx, [ecx+4]
		mov	[ebp+var_50], ecx
		jmp	loc_74E70B
; 

loc_74E8B0:				; CODE XREF: NtDeleteValueKey+CBj
		lea	eax, [ebp+var_A0]
		push	eax
		call	SeCaptureSubjectContext
		mov	[ebp+var_42], 1
		lea	edx, [ebp+var_6C]
		lea	ecx, [ebp+var_A0]
		call	CmDoVirtualTest
		test	al, al
		jnz	loc_8CFCC9

loc_74E8D6:				; CODE XREF: NtDeleteValueKey+18174Cj
		mov	esi, edi

loc_74E8D8:				; CODE XREF: NtDeleteValueKey+18173Cj
		mov	al, [ebp+var_42]
		jmp	loc_74E824
; 

loc_74E8E0:				; CODE XREF: NtDeleteValueKey+276j
		lea	eax, [ebp+var_A0]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_74E82C
; 

loc_74E8F1:				; CODE XREF: NtDeleteValueKey+13Dj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
NtDeleteValueKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmDeleteValueKey proc near		; CODE XREF: NtDeleteValueKey+26Ap

var_100		= byte ptr -100h
var_F8		= byte ptr -0F8h
var_F7		= byte ptr -0F7h
var_F5		= byte ptr -0F5h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= byte ptr -0C4h
var_C3		= byte ptr -0C3h
var_C2		= byte ptr -0C2h
var_C1		= byte ptr -0C1h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= byte ptr -0B0h
var_AF		= byte ptr -0AFh
var_AE		= byte ptr -0AEh
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_78		= dword	ptr -78h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008CFE26 SIZE 000004BA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+0C0h+var_94], ecx
		push	6
		pop	ecx
		lea	edi, [esp+0C0h+var_1C]
		mov	[esp+0C0h+var_38], edx
		rep stosd
		lea	eax, [esp+0C0h+var_64]
		xor	edx, edx
		mov	[esp+0C0h+var_60], eax
		lea	edi, [esp+0C0h+var_80]
		mov	[esp+0C0h+var_64], eax
		or	ecx, 0FFFFFFFFh
		xor	eax, eax
		mov	[esp+0C0h+var_5C], ecx
		stosd
		mov	ebx, edx
		mov	[esp+0C0h+var_4C], ecx
		mov	[esp+0C0h+var_88], ecx
		mov	[esp+0C0h+var_58], edx
		stosd
		mov	[esp+0C0h+var_48], edx
		mov	[esp+0C0h+var_84], edx
		mov	[esp+0C0h+var_A8], ecx
		stosd
		mov	[esp+0C0h+var_8C], ecx
		mov	[esp+0C0h+var_70], edx
		mov	[esp+0C0h+var_6C], edx
		stosd
		xor	eax, eax
		mov	word ptr [esp+0C0h+var_80+2], cx
		lea	ecx, [esp+0C0h+var_44]
		mov	[esp+0C0h+var_9C], edx
		mov	[esp+0C0h+var_90], edx
		mov	[esp+0C0h+var_44], edx
		mov	[esp+0C0h+var_40], edx
		mov	[esp+0C0h+var_98], edx
		mov	[esp+13h], dl
		mov	[esp+0C0h+var_54], edx
		mov	[esp+0C0h+var_A4], edx
		mov	[esp+0C0h+var_A0], edx
		mov	word ptr [esp+0C0h+var_58], ax
		mov	word ptr [esp+0C0h+var_48], ax
		mov	[esp+0C0h+var_AC], edx
		mov	word ptr [esp+0C0h+var_84], ax
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		push	6
		pop	ecx
		lea	edi, [esp+0C0h+var_34]
		mov	[esp+0C0h+var_50], edx
		rep stosd
		lea	ecx, [esp+0C0h+var_1C]
		call	CmpAttachToRegistryProcess

loc_74E9D9:				; CODE XREF: CmDeleteValueKey+1816D5j
		mov	eax, _CmpShutdownRundown
		test	al, 1
		jnz	loc_8D021E
		lea	eax, [esp+0C0h+var_70]
		push	eax
		call	KeQuerySystemTime
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edi, [esp+0C0h+var_94]
		mov	[esp+0C0h+var_AE], 1
		mov	ebx, [edi+8]
		mov	ecx, ebx
		call	_CmpIsKcbImmutable@4 ; CmpIsKcbImmutable(x)
		test	al, al
		jnz	loc_8D020E
		mov	edx, ebx
		lea	ecx, [esp+0C0h+var_80]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8D020A
		lea	ecx, [esp+0C0h+var_80]
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		xor	eax, eax
		mov	[esp+0C0h+var_AF], 1
		cmp	[edi+20h], eax
		jnz	loc_8CFE26
		cmp	[edi+24h], eax
		jnz	loc_8CFE26

loc_74EA47:				; CODE XREF: CmDeleteValueKey+18155Dj
					; CmDeleteValueKey+181662j
		mov	esi, [esp+0C0h+var_A4]
		mov	ecx, edi
		mov	edx, esi
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_8D01E2
		test	esi, esi
		jnz	loc_8CFE63
		lea	ecx, [ebx+84h]
		xor	eax, eax
		cmp	[ecx], eax
		jl	loc_8CFF5D
		lea	ecx, [ebx+8Ch]
		cmp	[ecx], eax
		jnz	loc_8CFF5D

loc_74EA82:				; CODE XREF: CmDeleteValueKey+1815FAj
		movzx	edx, word ptr [ebx+22h]
		test	dx, dx
		js	loc_74EB39

loc_74EA8F:				; CODE XREF: CmDeleteValueKey+181634j
		movzx	eax, dx
		lea	ecx, [esp+0C0h+var_80]
		mov	[esp+0C0h+var_3C], eax
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		mov	edx, [esp+0C0h+var_94]
		mov	edi, eax
		mov	ecx, edi
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		cmp	eax, 1
		jz	loc_74EB39
		mov	ecx, [edi+14h]
		or	eax, 0FFFFFFFFh
		cmp	ecx, eax
		jz	short loc_74EB23
		test	esi, esi
		jnz	loc_8CFEF5

loc_74EACA:				; CODE XREF: CmDeleteValueKey+181605j
		mov	eax, [edi+10h]
		lea	edx, [esp+0C0h+var_4C]
		push	edx
		push	ecx
		push	eax
		call	dword ptr [eax+4]
		lea	ecx, [esp+0CCh+var_B4]
		push	ecx
		lea	ecx, [esp+0D0h+var_98]
		push	ecx
		push	0
		lea	ecx, [ebp+arg_4]
		push	ecx
		mov	ecx, [edi+10h]
		lea	edx, [eax+24h]
		call	_CmpFindNameInListWithStatus@24	; CmpFindNameInListWithStatus(x,x,x,x,x,x)
		mov	esi, eax
		lea	ecx, [esp+0CCh+var_58]
		mov	eax, [edi+10h]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_74EB00:				; CODE XREF: CmDeleteValueKey+18162Bj
		test	esi, esi
		jns	loc_74EC0F
		cmp	esi, 0C0000034h
		jnz	loc_8CFFD3
		mov	edx, [esp+0D4h+var_A8]
		mov	ecx, edi
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		test	eax, eax
		jnz	short loc_74EB39

loc_74EB23:				; CODE XREF: CmDeleteValueKey+1CAj
		mov	eax, [esp+0D4h+var_50]
		dec	eax
		movzx	eax, ax
		mov	edx, eax
		test	ax, ax
		jns	loc_8CFF26

loc_74EB39:				; CODE XREF: CmDeleteValueKey+193j
					; CmDeleteValueKey+1BCj ...
		mov	esi, [esp+0D4h+var_C0]

loc_74EB3D:				; CODE XREF: CmDeleteValueKey+31Fj
		mov	ecx, [esp+0D4h+var_BC]
		or	eax, 0FFFFFFFFh
		cmp	ecx, eax
		jnz	loc_74EC1A
		mov	esi, 0C0000034h

loc_74EB51:				; CODE XREF: CmDeleteValueKey+181598j
					; CmDeleteValueKey+1818D2j
		mov	[esp+0D4h+var_C3], 1

loc_74EB56:				; CODE XREF: CmDeleteValueKey+181550j
					; CmDeleteValueKey+181568j
		xor	eax, eax

loc_74EB58:				; CODE XREF: CmDeleteValueKey+181923j
		mov	[esp+0D4h+var_C4], al

loc_74EB5C:				; CODE XREF: CmDeleteValueKey+4F3j
					; CmDeleteValueKey+50Aj ...
		mov	eax, [esp+0D4h+var_AC]
		test	eax, eax
		jnz	loc_8D0236

loc_74EB68:				; CODE XREF: CmDeleteValueKey+181956j
		xor	eax, eax

loc_74EB6A:				; CODE XREF: CmDeleteValueKey+1818E7j
		cmp	[esp+0D4h+var_C1], 0
		jnz	loc_8D0251

loc_74EB75:				; CODE XREF: CmDeleteValueKey+181984j
		cmp	[esp+0D4h+var_C4], 0
		jnz	loc_8D027F

loc_74EB80:				; CODE XREF: CmDeleteValueKey+181991j
		cmp	[esp+0D4h+var_C3], 0
		jz	short loc_74EB90
		lea	ecx, [esp+0D4h+var_94]
		call	CmpUnlockKcbStack

loc_74EB90:				; CODE XREF: CmDeleteValueKey+28Fj
		xor	dl, dl
		lea	ecx, [esp+0D4h+var_58]
		call	CmpDrainDelayDerefContext
		cmp	[esp+0D4h+var_C2], 0
		jz	short loc_74EBA7
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_74EBA7:				; CODE XREF: CmDeleteValueKey+2AAj
		lea	eax, [esp+0D4h+var_78]
		cmp	[esp+0D4h+var_78], eax
		jnz	short loc_74EC04

loc_74EBB1:				; CODE XREF: CmDeleteValueKey+317j
		xor	edx, edx
		lea	ecx, [esp+0D4h+var_30]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	edi, [esp+0D4h+var_64]
		test	esi, esi
		jns	loc_74EE05

loc_74EBCB:				; CODE XREF: CmDeleteValueKey+513j
					; CmDeleteValueKey+181998j ...
		mov	ecx, [esp+0D4h+var_40]
		test	ecx, ecx
		jnz	loc_8D02C0

loc_74EBDA:				; CODE XREF: CmDeleteValueKey+1819D4j
		test	edi, edi
		jnz	loc_8D02CF

loc_74EBE2:				; CODE XREF: CmDeleteValueKey+1819E5j
		lea	ecx, [esp+0D4h+var_94]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		mov	ecx, [esp+0D4h+var_18]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_74EC04:				; CODE XREF: CmDeleteValueKey+2B9j
		lea	ecx, [esp+0D4h+var_78]
		call	_CmpSignalDeferredPosts@4 ; CmpSignalDeferredPosts(x)
		jmp	short loc_74EBB1
; 

loc_74EC0F:				; CODE XREF: CmDeleteValueKey+20Cj
		mov	esi, edi
		mov	[esp+0D4h+var_C0], esi
		jmp	loc_74EB3D
; 

loc_74EC1A:				; CODE XREF: CmDeleteValueKey+250j
		mov	eax, [esi+10h]
		lea	edx, [esp+0D4h+var_9C]
		push	edx
		push	ecx
		push	eax
		call	dword ptr [eax+4]
		mov	ecx, [esi+10h]
		mov	edi, eax
		mov	edx, edi
		call	_CmpIsValueTombstone@8 ; CmpIsValueTombstone(x,x)
		test	al, al
		jnz	loc_8D0194
		lea	eax, [esp+0E0h+var_A8]
		push	eax
		push	ecx
		call	dword ptr [ecx+8]
		xor	eax, eax
		cmp	dword ptr [ebx+14h], 0FFFFFFFFh
		mov	edi, eax
		jz	loc_8CFF2F
		add	dword ptr [ebx+0A8h], 1
		mov	ecx, [ebx+10h]
		adc	[ebx+0ACh], eax
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	byte ptr [esp+0E8h+var_D8], 1
		cmp	[esp+0E8h+var_CC], edi
		jnz	short loc_74EC89
		mov	edx, [ebx+14h]
		xor	eax, eax
		mov	ecx, [ebx+10h]
		push	eax
		push	eax
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_8CFFE2

loc_74EC89:				; CODE XREF: CmDeleteValueKey+37Aj
		mov	eax, [ebx+14h]
		lea	edx, [esp+0E8h+var_84]
		mov	ecx, [ebx+10h]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		push	dword ptr [ebx+14h]
		mov	ecx, [ebx+10h]
		mov	esi, eax
		mov	edx, esi
		mov	[esp+0F8h+var_D4], esi
		call	_CmpUpdateKeyNodeAccessBits@12 ; CmpUpdateKeyNodeAccessBits(x,x,x)
		cmp	[ebp+arg_0], 0
		jnz	loc_8CFFEC

loc_74ECB6:				; CODE XREF: CmDeleteValueKey+181742j
		mov	eax, [ebx+10h]
		cmp	[esp+0F4h+var_D8], edi
		jnz	loc_8D012E
		mov	edx, [ebx+14h]
		xor	ecx, ecx
		cmp	[ebx+22h], cx
		push	ecx
		push	ecx
		mov	ecx, eax
		jnz	loc_8D0051
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_8D003D
		mov	edx, [esi+28h]
		xor	eax, eax
		mov	ecx, [ebx+10h]
		push	eax
		push	eax
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_8D003D
		mov	edi, [esp+0F4h+var_DC]
		xor	eax, eax
		mov	ecx, [ebx+10h]
		mov	edx, edi
		push	eax
		push	eax
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_8D003D
		mov	eax, [esp+0F4h+var_E0]
		lea	ecx, [esp+0F4h+var_BC]
		push	ecx
		push	edi
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+4]
		mov	edi, eax
		mov	eax, [esp+100h+var_EC]
		mov	edx, edi
		mov	ecx, [eax+10h]
		call	_CmpMarkValueDataDirty@8 ; CmpMarkValueDataDirty(x,x)
		test	al, al
		jz	loc_8D0047
		mov	eax, [esp+100h+var_EC]
		lea	ecx, [esp+100h+var_C8]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]
		mov	edx, [esp+108h+var_D4]
		xor	eax, eax
		mov	ecx, [ebx+10h]
		add	esi, 24h
		push	esi
		mov	edi, eax
		call	_CmpRemoveValueFromList@12 ; CmpRemoveValueFromList(x,x,x)
		mov	edx, [esp+108h+var_F0]
		mov	ecx, [ebx+10h]
		call	_CmpFreeValue@8	; CmpFreeValue(x,x)
		mov	edx, [esp+108h+var_E8]
		mov	ecx, [esp+108h+var_B8]
		mov	eax, [esp+108h+var_B4]
		mov	[edx+4], ecx
		mov	[edx+8], eax
		mov	[ebx+58h], ecx
		xor	ecx, ecx
		mov	[ebx+5Ch], eax
		cmp	[esi], ecx
		mov	esi, edx
		jz	loc_74EE14

loc_74ED91:				; CODE XREF: CmDeleteValueKey+52Dj
					; CmDeleteValueKey+1817D4j ...
		lea	edx, [esp+108h+var_8C]
		mov	ecx, ebx
		call	_CmpCleanUpKcbCachedSymlink@8 ;	CmpCleanUpKcbCachedSymlink(x,x)
		mov	ecx, [esi+28h]
		mov	eax, [esi+24h]
		mov	[ebx+30h], eax
		mov	[ebx+34h], ecx

loc_74EDA8:				; CODE XREF: CmDeleteValueKey+181899j
		mov	ecx, [ebx+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		mov	edx, [esp+108h+var_EC]
		lea	eax, [esp+108h+var_AC]
		xor	ecx, ecx
		push	eax
		mov	[esp+10Ch+var_F8], cl
		mov	[esp+10Ch+var_E0], ecx
		mov	[esp+10Ch+var_F5], cl
		lea	ecx, [esp+10Ch+var_C8]
		push	4
		call	_CmpReportNotifyForKcbStack@16 ; CmpReportNotifyForKcbStack(x,x,x,x)
		xor	eax, eax
		mov	esi, eax

loc_74EDD6:				; CODE XREF: CmDeleteValueKey+181756j
					; CmDeleteValueKey+1818A9j
		test	edi, edi
		jnz	loc_8D01A4

loc_74EDDE:				; CODE XREF: CmDeleteValueKey+181711j
					; CmDeleteValueKey+181738j ...
		mov	edx, [esp+108h+var_E8]
		mov	[esp+108h+var_F7], 1
		test	edx, edx
		jz	loc_74EB5C
		mov	eax, [ebx+10h]
		lea	ecx, [esp+108h+var_A4]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_74EDFB:				; CODE XREF: CmDeleteValueKey+1816F1j
					; CmDeleteValueKey+1818C8j
		mov	byte ptr [esp+11h], 1
		jmp	loc_74EB5C
; 

loc_74EE05:				; CODE XREF: CmDeleteValueKey+2CFj
		cmp	[ebp+arg_0], 0
		jz	loc_74EBCB
		jmp	loc_8D028C
; 

loc_74EE14:				; CODE XREF: CmDeleteValueKey+495j
		mov	[esi+3Ch], ecx
		xor	eax, eax
		mov	[ebx+62h], ax
		mov	[esi+40h], ecx
		mov	[ebx+64h], ecx
		jmp	loc_74ED91
CmDeleteValueKey endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCloseKeyObject proc near		; DATA XREF: CmpCreateObjectTypes()+80o

var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D02E0 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		xor	eax, eax
		mov	[esp+3Ch+var_30], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		push	edi
		mov	[esp+48h+var_2C], 0
		mov	[esp+48h+var_38], 0
		mov	[esp+48h+var_34], 0
		mov	[esp+48h+var_28], eax
		mov	[esp+48h+var_24], eax
		mov	[esp+48h+var_20], eax
		mov	[esp+48h+var_1C], eax
		mov	[esp+48h+var_18], eax
		mov	[esp+48h+var_14], eax
		mov	[esp+48h+var_10], eax
		mov	[esp+48h+var_C], eax
		cmp	ds:_CmpTraceRoutine, eax
		jnz	loc_8D02E0

loc_74EE9C:				; CODE XREF: CmpCloseKeyObject+1814C4j
					; CmpCloseKeyObject+1814CCj ...
		cmp	[ebp+arg_C], 1
		ja	short loc_74EEB0
		cmp	dword ptr [esi], 6B793032h
		jnz	short loc_74EEB0
		cmp	dword ptr [esi+0Ch], 0
		jnz	short loc_74EED1

loc_74EEB0:				; CODE XREF: CmpCloseKeyObject+70j
					; CmpCloseKeyObject+78j ...
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jnz	loc_8D0319

loc_74EEBD:				; CODE XREF: CmpCloseKeyObject+1814F9j
		mov	ecx, [esp+48h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_74EED1:				; CODE XREF: CmpCloseKeyObject+7Ej
		lea	eax, [esp+48h+var_30]
		mov	[esp+48h+var_2C], eax
		mov	[esp+48h+var_30], eax
		lea	eax, [esp+48h+var_38]
		mov	[esp+48h+var_34], eax
		mov	[esp+48h+var_38], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edi, [esi+8]
		xor	edx, edx
		lea	ecx, [edi+18h]
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [edi+1Ch]
		xor	edx, edx
		mov	ecx, esi
		call	CmpIsKeyDeletedForKeyBody
		mov	ecx, [esi+8]
		test	al, al
		jnz	loc_8D030A
		mov	ecx, [ecx+10h]
		xor	edx, edx
		add	ecx, 448h
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_74EF56
		lea	eax, [ecx+8]
		cmp	[eax], eax
		jz	short loc_74EF56
		lea	eax, [esp+48h+var_30]
		push	eax
		lea	eax, [esp+4Ch+var_38]
		push	eax
		push	0
		push	10Bh
		push	ecx
		call	CmpPostNotify

loc_74EF56:				; CODE XREF: CmpCloseKeyObject+106j
					; CmpCloseKeyObject+10Dj
		mov	eax, [esi+8]
		mov	edi, [eax+10h]
		or	eax, 0FFFFFFFFh
		add	edi, 448h
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_74EFA6

loc_74EF6F:				; CODE XREF: CmpCloseKeyObject+17Dj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [esi+8]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		lea	ecx, [esp+5Ch+var_4C]
		call	_CmpDelayedDerefKeys@4 ; CmpDelayedDerefKeys(x)
		lea	ecx, [esp+5Ch+var_44]
		call	_CmpSignalDeferredPosts@4 ; CmpSignalDeferredPosts(x)

loc_74EF95:				; CODE XREF: CmpCloseKeyObject+1814E4j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_74EEB0
; 

loc_74EFA6:				; CODE XREF: CmpCloseKeyObject+13Dj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_74EF6F
CmpCloseKeyObject endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpReportNotifyForKcbStack(x, x, x,	x)
_CmpReportNotifyForKcbStack@16 proc near ; CODE	XREF: CmDeleteLayeredKey(x,x,x)+17Ep
					; CmDeleteLayeredKey(x,x,x)+3B6p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	dx, [edi+2]
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		push	[ebp+arg_4]
		mov	esi, eax
		mov	ecx, edi
		push	[ebp+arg_0]
		push	ebx
		mov	edx, [esi+10h]
		call	CmpReportNotifyHelper
		mov	edx, ds:_CmpMasterHive
		cmp	[esi+10h], edx
		jz	short loc_74EFF2
		push	[ebp+arg_4]
		mov	ecx, edi
		push	[ebp+arg_0]
		push	ebx
		call	CmpReportNotifyHelper

loc_74EFF2:				; CODE XREF: CmpReportNotifyForKcbStack(x,x,x,x)+32j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_CmpReportNotifyForKcbStack@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpReportNotifyHelper proc near		; CODE XREF: CmpReportNotifyForKcbStack(x,x,x,x)+24p
					; CmpReportNotifyForKcbStack(x,x,x,x)+3Dp

var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D032E SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], ecx
		push	ebx
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], eax
		movzx	eax, word ptr [ecx+2]
		push	esi
		mov	esi, edx
		movsx	edx, ax
		push	edi
		lfence	eax
		cmp	ax, 2
		jge	loc_8D032E
		mov	ebx, [ecx+edx*4+4]

loc_74F031:				; CODE XREF: CmpReportNotifyHelper+181335j
		lea	edi, [esi+448h]
		xor	edx, edx
		mov	ecx, edi
		mov	[ebp+var_10], edi
		call	ExAcquirePushLockExclusiveEx
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	esi, [esi+418h]
		mov	[ebp+var_5], al
		test	esi, esi
		jnz	short loc_74F090

loc_74F058:				; CODE XREF: CmpReportNotifyHelper+129j
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_74F167

loc_74F071:				; CODE XREF: CmpReportNotifyHelper+16Ej
		mov	ecx, edi
		call	KeAbPostRelease
		lea	ecx, [ebp+var_18]
		call	_CmpDelayedDerefKeys@4 ; CmpDelayedDerefKeys(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 
		align 10h

loc_74F090:				; CODE XREF: CmpReportNotifyHelper+56j
					; CmpReportNotifyHelper+11Dj
		mov	edx, [esi+10h]
		mov	eax, [ebx+4]
		and	eax, 7FE00000h
		mov	ecx, [edx+4]
		and	ecx, 7FE00000h
		cmp	ecx, eax
		ja	short loc_74F123
		mov	ecx, [esi+18h]
		mov	eax, ecx
		and	eax, [ebp+arg_4]
		test	eax, 3FFFFFFFh
		jz	short loc_74F117
		test	ecx, 40000000h
		jz	short loc_74F12E

loc_74F0BF:				; CODE XREF: CmpReportNotifyHelper+132j
		mov	eax, [esi+14h]
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax+20h]
		test	ecx, ecx
		jnz	loc_74F15D

loc_74F0D0:				; CODE XREF: CmpReportNotifyHelper+162j
		test	eax, eax
		jnz	loc_8D033A

loc_74F0D8:				; CODE XREF: CmpReportNotifyHelper+181348j
		mov	edi, [esi+10h]
		mov	eax, ebx
		mov	ecx, [ebx+4]
		shr	ecx, 15h
		and	ecx, 3FFh
		mov	edx, [edi+4]
		shr	edx, 15h
		and	edx, 3FFh
		cmp	ecx, edx
		jbe	short loc_74F113
		lea	esp, [esp+0]

loc_74F100:				; CODE XREF: CmpReportNotifyHelper+111j
		mov	eax, [eax+24h]
		mov	ecx, [eax+4]
		shr	ecx, 15h
		and	ecx, 3FFh
		cmp	ecx, edx
		ja	short loc_74F100

loc_74F113:				; CODE XREF: CmpReportNotifyHelper+F7j
		cmp	eax, edi
		jz	short loc_74F134

loc_74F117:				; CODE XREF: CmpReportNotifyHelper+B5j
					; CmpReportNotifyHelper+130j ...
		mov	eax, [esi]
		mov	esi, eax
		test	eax, eax
		jnz	loc_74F090

loc_74F123:				; CODE XREF: CmpReportNotifyHelper+A6j
		mov	edi, [ebp+var_10]
		mov	al, [ebp+var_5]
		jmp	loc_74F058
; 

loc_74F12E:				; CODE XREF: CmpReportNotifyHelper+BDj
		cmp	edx, ebx
		jnz	short loc_74F117
		jmp	short loc_74F0BF
; 

loc_74F134:				; CODE XREF: CmpReportNotifyHelper+115j
		push	[ebp+arg_0]
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_CmpNotifyTriggerCheck@12 ; CmpNotifyTriggerCheck(x,x,x)
		test	al, al
		jz	short loc_74F117
		push	[ebp+arg_8]
		lea	eax, [ebp+var_18]
		push	eax
		push	0
		push	10Ch
		push	ecx
		mov	ecx, esi
		call	CmpPostNotify
		jmp	short loc_74F117
; 

loc_74F15D:				; CODE XREF: CmpReportNotifyHelper+CAj
		cmp	[ecx+1Ch], eax
		jnz	short loc_74F117
		jmp	loc_74F0D0
; 

loc_74F167:				; CODE XREF: CmpReportNotifyHelper+6Bj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_74F071
CmpReportNotifyHelper endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmpDelayedDerefKeys(x)
_CmpDelayedDerefKeys@4 proc near	; CODE XREF: CmpCloseKeyObject+157p
					; CmpReportNotifyHelper+7Bp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx

loc_74F17A:				; CODE XREF: CmpDelayedDerefKeys(x)+30j
		mov	esi, [edi]
		cmp	esi, edi
		jnz	short loc_74F183
		pop	edi
		pop	esi
		retn
; 

loc_74F183:				; CODE XREF: CmpDelayedDerefKeys(x)+Aj
		cmp	[esi+4], edi
		jnz	short loc_74F1A6
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_74F1A6
		mov	[edi], eax
		mov	[eax+4], edi
		push	dword ptr [esi+8]
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_74F17A
; 

loc_74F1A6:				; CODE XREF: CmpDelayedDerefKeys(x)+12j
					; CmpDelayedDerefKeys(x)+19j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CmpDelayedDerefKeys@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpNotifyTriggerCheck(x, x,	x)
_CmpNotifyTriggerCheck@12 proc near	; CODE XREF: CmpReportNotifyHelper+13Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	ecx, offset _CmpPostLock
		call	ExAcquireFastMutexUnsafe
		lea	eax, [edi+8]
		mov	esi, [eax]
		cmp	esi, eax
		jnz	short loc_74F1E8

loc_74F1CB:				; CODE XREF: CmpNotifyTriggerCheck(x,x,x)+41j
		mov	ecx, offset _CmpPostLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	ecx, edi
		call	_CmpCheckNotifyAccess@12 ; CmpCheckNotifyAccess(x,x,x)

loc_74F1E1:				; CODE XREF: CmpNotifyTriggerCheck(x,x,x)+4Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_74F1E8:				; CODE XREF: CmpNotifyTriggerCheck(x,x,x)+1Dj
		cmp	word ptr [esi+1Ch], 3
		jnz	short loc_74F1CB
		mov	ecx, offset _CmpPostLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	al, 1
		jmp	short loc_74F1E1
_CmpNotifyTriggerCheck@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCheckNotifyAccess(x, x, x)
_CmpCheckNotifyAccess@12 proc near	; CODE XREF: CmpNotifyTriggerCheck(x,x,x)+30p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	eax, edx
		xor	edi, edi
		mov	edx, [ebp+arg_0]
		mov	esi, ecx
		push	edi
		mov	ecx, eax
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edi
		call	_CmpGetSecurityCacheEntryForKcbStack@12	; CmpGetSecurityCacheEntryForKcbStack(x,x,x)
		mov	ecx, ds:_CmKeyObjectType
		mov	edx, eax
		lea	eax, [ebp+var_4]
		add	ecx, 34h
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		push	ecx
		push	edi
		push	edi
		push	10h
		push	edi
		lea	eax, [esi+1Ch]
		push	eax
		lea	eax, [edx+18h]
		push	eax
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn	4
_CmpCheckNotifyAccess@12 endp

; 

CmpPostNotify:				; CODE XREF: CmpCloseKeyObject+121p
					; CmpReportNotifyHelper+156p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		and	dword ptr [esp+0Ch], 0
		and	dword ptr [esp+10h], 0
		and	dword ptr [esp+14h], 0
		and	dword ptr [esp+18h], 0
		cmp	dword ptr [ebp+14h], 0
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jz	loc_74F3F8
		mov	edi, [ebp+14h]

loc_74F27D:				; CODE XREF: PAGE:0074F406j
		cmp	dword ptr [ebp+18h], 0
		jz	loc_74F3D0
		mov	ecx, [ebp+18h]

loc_74F28A:				; CODE XREF: PAGE:0074F3DEj
		mov	[esp+14h], ecx
		mov	cl, [ebp+10h]
		test	cl, cl
		jnz	short loc_74F2A2
		mov	ecx, offset _CmpPostLock
		call	ExAcquireFastMutexUnsafe
		mov	cl, [ebp+10h]

loc_74F2A2:				; CODE XREF: PAGE:0074F293j
		mov	eax, [esi+18h]
		lea	ebx, [esi+8]
		cmp	[ebx], ebx
		jnz	short loc_74F2CB
		or	eax, 80000000h
		mov	[esi+18h], eax
		test	cl, cl
		jnz	short loc_74F2C2
		mov	ecx, offset _CmpPostLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

loc_74F2C2:				; CODE XREF: PAGE:0074F2B6j
					; PAGE:0074F3BCj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_74F2CB:				; CODE XREF: PAGE:0074F2AAj
		and	eax, 7FFFFFFFh
		mov	[esi+18h], eax

loc_74F2D3:				; CODE XREF: PAGE:0074F359j
					; PAGE:0074F39Dj ...
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	loc_74F3A2
		cmp	[esi+4], ebx
		jnz	loc_74F450
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_74F450
		mov	ecx, [ebp+0Ch]
		mov	[ebx], eax
		mov	[eax+4], ebx
		cmp	ecx, 10Bh
		jnz	short loc_74F30E
		test	dword ptr [esi+1Ch], 10000h
		jz	loc_8D034D

loc_74F30E:				; CODE XREF: PAGE:0074F2FFj
		mov	eax, [esi+1Ch]
		test	eax, 10000h
		jz	loc_74F414

loc_74F31C:				; CODE XREF: PAGE:0074F431j
		cmp	ax, 1
		jz	short loc_74F339
		mov	edx, edi
		mov	ecx, esi
		call	_CmpCancelSubordinatePost@8 ; CmpCancelSubordinatePost(x,x)
		mov	eax, [esi+18h]
		test	eax, eax
		jnz	loc_74F436

loc_74F336:				; CODE XREF: PAGE:0074F44Bj
		mov	ecx, [ebp+0Ch]

loc_74F339:				; CODE XREF: PAGE:0074F320j
		mov	eax, [esi+1Ch]
		and	eax, 0FFFFh
		cmp	eax, 2
		jz	loc_74F3E3
		cmp	eax, 1
		jz	loc_8D03D5
		add	eax, 0FFFFFFFDh
		cmp	eax, 1
		ja	loc_74F2D3
		mov	ecx, esi
		call	_CmpFreeSubordinatePost@4 ; CmpFreeSubordinatePost(x)
		add	esi, 8
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_74F450
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_74F450
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	ecx, [esp+14h]
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_74F450
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ecx+4], esi
		jmp	loc_74F2D3
; 

loc_74F3A2:				; CODE XREF: PAGE:0074F2D7j
		cmp	byte ptr [ebp+10h], 0
		jnz	short loc_74F3B2
		mov	ecx, offset _CmpPostLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

loc_74F3B2:				; CODE XREF: PAGE:0074F3A6j
		cmp	dword ptr [ebp+14h], 0
		jz	short loc_74F40B

loc_74F3B8:				; CODE XREF: PAGE:0074F412j
		cmp	dword ptr [ebp+18h], 0
		jnz	loc_74F2C2
		mov	ecx, [esp+14h]
		call	_CmpSignalDeferredPosts@4 ; CmpSignalDeferredPosts(x)
		jmp	loc_74F2C2
; 

loc_74F3D0:				; CODE XREF: PAGE:0074F281j
		lea	ecx, [esp+20h]
		mov	eax, ecx
		mov	[esp+24h], eax
		mov	[esp+20h], eax
		jmp	loc_74F28A
; 

loc_74F3E3:				; CODE XREF: PAGE:0074F344j
		mov	eax, [esi+20h]
		push	0
		push	esi
		push	ecx
		add	eax, 8
		push	eax
		call	KeInsertQueueApc
		jmp	loc_74F2D3
; 

loc_74F3F8:				; CODE XREF: PAGE:0074F274j
		lea	edi, [esp+18h]
		mov	eax, edi
		mov	[esp+1Ch], eax
		mov	[esp+18h], eax
		jmp	loc_74F27D
; 

loc_74F40B:				; CODE XREF: PAGE:0074F3B6j
		mov	ecx, edi
		call	_CmpDelayedDerefKeys@4 ; CmpDelayedDerefKeys(x)
		jmp	short loc_74F3B8
; 

loc_74F414:				; CODE XREF: PAGE:0074F316j
		mov	eax, esi

loc_74F416:				; CODE XREF: PAGE:0074F425j
		mov	eax, [eax+10h]
		and	dword ptr [eax+0Ch], 0FFFEFFFFh
		sub	eax, 10h
		cmp	eax, esi
		jnz	short loc_74F416
		or	dword ptr [esi+1Ch], 10000h
		mov	eax, [esi+1Ch]
		jmp	loc_74F31C
; 

loc_74F436:				; CODE XREF: PAGE:0074F330j
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_74F450
		mov	[eax], edi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edi+4], eax
		and	dword ptr [esi+18h], 0
		jmp	loc_74F336
; 

loc_74F450:				; CODE XREF: PAGE:0074F2E0j
					; PAGE:0074F2EBj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpGetKcbAtLayerHeight(x, x)
_CmpGetKcbAtLayerHeight@8 proc near	; CODE XREF: CmQueryLayeredKey+177C4Ep
					; CmpLockKcbStackFlusherLocksExclusive(x)+18p ...
		movsx	eax, dx
		cmp	dx, 2
		jge	short loc_74F46E
		mov	eax, [ecx+eax*4+4]
		retn
; 

loc_74F46E:				; CODE XREF: CmpGetKcbAtLayerHeight(x,x)+7j
		mov	ecx, [ecx+0Ch]
		mov	eax, [ecx+eax*4-8]
		retn
_CmpGetKcbAtLayerHeight@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpCancelSubordinatePost(x,	x)
_CmpCancelSubordinatePost@8 proc near	; CODE XREF: PAGE:0074F326p
					; CmNotifyRunDown+121p
		add	ecx, 10h
		mov	eax, [ecx]
		cmp	eax, ecx
		jnz	short loc_74F480
		retn
; 

loc_74F480:				; CODE XREF: CmpCancelSubordinatePost(x,x)+7j
		add	eax, 0FFFFFFF0h
		push	esi
		mov	esi, [eax]
		cmp	[esi+4], eax
		jnz	short loc_74F4B9
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_74F4B9
		mov	[ecx], esi
		mov	[esi+4], ecx
		test	edx, edx
		jz	short loc_74F4B7
		mov	ecx, [eax+18h]
		test	ecx, ecx
		jz	short loc_74F4B7
		mov	esi, [edx+4]
		cmp	[esi], edx
		jnz	short loc_74F4B9
		mov	[ecx], edx
		mov	[ecx+4], esi
		mov	[esi], ecx
		mov	[edx+4], ecx
		and	dword ptr [eax+18h], 0

loc_74F4B7:				; CODE XREF: CmpCancelSubordinatePost(x,x)+23j
					; CmpCancelSubordinatePost(x,x)+2Aj
		pop	esi
		retn
; 

loc_74F4B9:				; CODE XREF: CmpCancelSubordinatePost(x,x)+13j
					; CmpCancelSubordinatePost(x,x)+1Aj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmpCancelSubordinatePost@8 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall CmpFreeSubordinatePost(x)
_CmpFreeSubordinatePost@4 proc near	; CODE XREF: CmpPostApc+A2p
					; PAGE:0074F361p ...
		add	ecx, 10h
		mov	eax, [ecx]
		cmp	eax, ecx
		jnz	short loc_74F4C8
		retn
; 

loc_74F4C8:				; CODE XREF: CmpFreeSubordinatePost(x)+7j
		mov	edx, [eax]
		push	esi
		push	edi
		lea	edi, [eax-10h]
		cmp	[edx+4], eax
		jnz	short loc_74F4FF
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_74F4FF
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	edx, [edi+8]
		mov	esi, [edx]
		cmp	[esi+4], edx
		jnz	short loc_74F4FF
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	short loc_74F4FF
		mov	[eax], esi
		mov	ecx, edi
		pop	edi
		mov	[esi+4], eax
		pop	esi
		jmp	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)
; 

loc_74F4FF:				; CODE XREF: CmpFreeSubordinatePost(x)+14j
					; CmpFreeSubordinatePost(x)+1Bj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmpFreeSubordinatePost@4 endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall CmpLockKcbStackTopExclusiveRestShared(x)
_CmpLockKcbStackTopExclusiveRestShared@4 proc near
					; CODE XREF: CmDeleteLayeredKey(x,x,x)+225p
					; CmpDoBuildVirtualStack(x,x,x,x,x)+23Cp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		push	2
		movzx	eax, word ptr [esi+2]
		mov	ecx, eax
		cwde
		sub	eax, 1
		pop	eax
		jns	short loc_74F53D

loc_74F51B:				; CODE XREF: CmpLockKcbStackTopExclusiveRestShared(x)+69j
		movsx	edx, cx
		cmp	cx, ax
		jge	short loc_74F578
		mov	esi, [esi+edx*4+4]

loc_74F527:				; CODE XREF: CmpLockKcbStackTopExclusiveRestShared(x)+7Bj
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		pop	edi
		mov	[esi+1Ch], eax
		pop	esi
		retn
; 

loc_74F53D:				; CODE XREF: CmpLockKcbStackTopExclusiveRestShared(x)+15j
		mov	ecx, edi
		push	ebx

loc_74F540:				; CODE XREF: CmpLockKcbStackTopExclusiveRestShared(x)+64j
		cmp	di, ax
		jge	short loc_74F56F
		mov	ebx, [esi+ecx*4+4]

loc_74F549:				; CODE XREF: CmpLockKcbStackTopExclusiveRestShared(x)+72j
		lea	ecx, [ebx+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [ebx+1Ch]
		movzx	edx, word ptr [esi+2]
		inc	edi
		movsx	eax, dx
		dec	eax
		movsx	ecx, di
		push	2
		cmp	ecx, eax
		pop	eax
		jle	short loc_74F540
		mov	ecx, edx
		pop	ebx
		jmp	short loc_74F51B
; 

loc_74F56F:				; CODE XREF: CmpLockKcbStackTopExclusiveRestShared(x)+3Fj
		mov	eax, [esi+0Ch]
		mov	ebx, [eax+ecx*4-8]
		jmp	short loc_74F549
; 

loc_74F578:				; CODE XREF: CmpLockKcbStackTopExclusiveRestShared(x)+1Dj
		mov	eax, [esi+0Ch]
		mov	esi, [eax+edx*4-8]
		jmp	short loc_74F527
_CmpLockKcbStackTopExclusiveRestShared@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTraceHiveLoadStart proc near		; CODE XREF: CmLoadDifferencingKey+4D2p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D03EF SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_LOAD_START
		mov	[esp+60h+var_4C], edx
		lea	edi, [esp+60h+var_48]
		mov	ebx, ecx
		lea	eax, [esp+60h+var_48]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8D03EF

loc_74F5CE:				; CODE XREF: CmpTraceHiveLoadStart+180ECDj
		mov	ecx, [esp+60h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
CmpTraceHiveLoadStart endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmConvertHandleToKernelHandle(x, x,	x, x, x)
_CmConvertHandleToKernelHandle@20 proc near ; CODE XREF: CmLoadDifferencingKey+397p
					; CmUnloadKey+18B97Ap ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ds:_CmKeyObjectType
		test	ecx, ecx
		jnz	short loc_74F601
		mov	eax, [ebp+arg_8]
		and	[eax], ecx
		xor	eax, eax

loc_74F5FA:				; CODE XREF: CmConvertHandleToKernelHandle(x,x,x,x,x)+62j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_74F601:				; CODE XREF: CmConvertHandleToKernelHandle(x,x,x,x,x)+11j
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	0
		push	eax
		push	[ebp+arg_0]
		push	edi
		push	[ebp+arg_4]
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_74F640
		push	[ebp+arg_8]
		push	0
		push	edi
		push	[ebp+arg_4]
		push	0
		push	200h
		push	ebx
		call	ObOpenObjectByPointer
		mov	ecx, ebx
		mov	esi, eax
		call	ObfDereferenceObject

loc_74F640:				; CODE XREF: CmConvertHandleToKernelHandle(x,x,x,x,x)+3Fj
		mov	eax, esi
		jmp	short loc_74F5FA
_CmConvertHandleToKernelHandle@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpNameFromAttributes proc near		; CODE XREF: CmLoadDifferencingKey+1DFp
					; NtReplaceKey(x,x,x)+1ECp ...

var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D0454 SIZE 00000181 BYTES

		push	25Ch
		push	offset dword_6A03F0
		call	__SEH_prolog4_GS
		mov	[ebp+var_230], edx
		mov	eax, ecx
		mov	[ebp+var_22C], eax
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_24C], ebx
		xor	edx, edx
		mov	[ebp+var_238], edx
		mov	[ebp+var_234], edx
		mov	[ebp+var_23C], edx
		mov	[ebp+var_244], edx
		mov	[ebx+4], edx
		mov	[ebp+ms_exc.disabled], edx
		cmp	byte ptr [ebp+var_230],	1
		jnz	short loc_74F6B2
		test	al, 3
		jnz	loc_74F7A9
		mov	esi, ds:_MmUserProbeAddress
		cmp	eax, esi
		jnb	loc_8D0454

loc_74F6A9:				; CODE XREF: CmpNameFromAttributes+180E12j
		nop
		mov	al, [ecx]
		mov	eax, [ebp+var_22C]

loc_74F6B2:				; CODE XREF: CmpNameFromAttributes+4Dj
		push	6
		pop	ecx
		mov	esi, eax
		lea	edi, [ebp+var_26C]
		rep movsd
		cmp	byte ptr [ebp+var_230],	1
		jnz	short loc_74F6DF
		mov	eax, [ebp+var_264]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_8D045B

loc_74F6DC:				; CODE XREF: CmpNameFromAttributes+180E19j
		nop
		mov	al, [eax]

loc_74F6DF:				; CODE XREF: CmpNameFromAttributes+82j
		mov	eax, [ebp+var_264]
		mov	ecx, [eax]
		mov	[ebp+var_240], ecx
		mov	[ebp+var_254], ecx
		mov	eax, [eax+4]
		mov	[ebp+var_22C], eax
		mov	[ebp+var_250], eax
		cmp	byte ptr [ebp+var_230],	1
		jnz	short loc_74F737
		test	cx, cx
		jz	short loc_74F737
		test	al, 1
		jnz	loc_74F7A9
		movzx	eax, cx
		mov	esi, [ebp+var_22C]
		add	esi, eax
		mov	edi, ds:_MmUserProbeAddress
		mov	eax, [ebp+var_22C]
		cmp	esi, edi
		ja	short loc_74F7AE
		cmp	esi, eax
		jb	short loc_74F7AE

loc_74F737:				; CODE XREF: CmpNameFromAttributes+C5j
					; CmpNameFromAttributes+CAj ...
		test	cl, 1
		jnz	loc_8D0494
		mov	edx, [ebp+var_268]
		test	edx, edx
		jnz	loc_8D0462
		test	cx, cx
		jz	loc_8D0494
		mov	[ebx], cx
		mov	[ebx+2], cx
		movzx	esi, cx
		push	6E664D43h
		push	esi
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	[ebx+4], eax
		test	eax, eax
		jz	short loc_74F7B2
		push	esi		; size_t
		mov	esi, [ebp+var_22C]
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	esi, esi

loc_74F788:				; CODE XREF: CmpNameFromAttributes+173j
					; CmpNameFromAttributes+180F8Cj
		mov	[ebp+var_228], esi

loc_74F78E:				; CODE XREF: sub_8D05E6+1Aj
					; sub_8D05E6+2Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi

loc_74F797:				; CODE XREF: CmpNameFromAttributes+180E37j
					; CmpNameFromAttributes+180E5Cj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_74F7A9:				; CODE XREF: CmpNameFromAttributes+51j
					; CmpNameFromAttributes+CEj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_74F7AE:				; CODE XREF: CmpNameFromAttributes+EDj
					; CmpNameFromAttributes+F1j
		mov	[edi], dl
		jmp	short loc_74F737
; 

loc_74F7B2:				; CODE XREF: CmpNameFromAttributes+12Fj
		mov	esi, 0C000009Ah
		jmp	short loc_74F788
CmpNameFromAttributes endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmCheckNoTxContext()
_CmCheckNoTxContext@0 proc near		; CODE XREF: CmLoadDifferencingKey+16Dp
					; NtCompactKeys(x,x)+1Bp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		call	ds:__imp__TmCurrentTransaction@4 ; TmCurrentTransaction(x)
		cmp	eax, 0C00000BBh
		jz	short loc_74F7DF
		test	eax, eax
		js	short locret_74F7E1
		cmp	[ebp+var_4], 0
		jnz	short loc_74F7E3

loc_74F7DF:				; CODE XREF: CmCheckNoTxContext()+19j
		xor	eax, eax

locret_74F7E1:				; CODE XREF: CmCheckNoTxContext()+1Dj
		leave
		retn
; 

loc_74F7E3:				; CODE XREF: CmCheckNoTxContext()+23j
		mov	eax, 0C0190001h
		leave
		retn
_CmCheckNoTxContext@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmLoadAppKey(x, x, x, x, x,	x, x, x, x)
_CmLoadAppKey@36 proc near		; CODE XREF: CmLoadDifferencingKey+526p

var_362		= byte ptr -362h
var_361		= dword	ptr -361h
var_35A		= byte ptr -35Ah
var_359		= byte ptr -359h
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_320		= dword	ptr -320h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2FC		= dword	ptr -2FCh
var_2F8		= byte ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_258		= dword	ptr -258h
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 364h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+364h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	[esp+370h+var_33C], esi
		mov	ebx, ecx
		mov	[esp+370h+var_2D0], ebx
		mov	eax, [ebp+arg_4]
		mov	[esp+370h+var_2D4], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+370h+var_2D8], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+370h+var_338], eax
		mov	eax, [ebp+arg_14]
		mov	[esp+370h+var_2DC], eax
		mov	eax, [ebp+arg_18]
		mov	[esp+370h+var_354], eax
		xor	eax, eax
		push	2Ch		; size_t
		push	eax		; int
		mov	[esp+378h+var_31C], eax
		mov	[esp+378h+var_350], eax
		lea	eax, [esp+378h+var_30C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [esp+370h+var_270]
		xor	eax, eax
		mov	byte ptr [esp+370h+var_330], al
		mov	[esp+370h+var_35A], al
		push	6
		pop	ecx
		rep stosd
		mov	[esp+370h+var_359], al
		mov	[esp+370h+var_344], eax
		mov	byte ptr [esp+370h+var_361], al
		mov	[esp+370h+var_348], eax
		mov	[esp+370h+var_310], eax
		mov	[esp+370h+var_358], eax
		mov	eax, [ebx+8]
		push	2
		pop	edi
		movzx	eax, word ptr [eax]
		cmp	ax, di
		jb	short loc_74F8BB
		mov	ecx, eax
		shr	ecx, 1
		jz	short loc_74F8BB

loc_74F8A0:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+CFj
		mov	edx, [ebx+8]
		mov	eax, [edx+4]
		cmp	word ptr [eax+ecx*2-2],	5Ch
		jnz	short loc_74F8BB
		mov	eax, 0FFFEh
		add	[edx], ax
		sub	ecx, 1
		jnz	short loc_74F8A0

loc_74F8BB:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+AEj
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+B4j ...
		mov	eax, [ebx+8]
		cmp	[eax], di
		jnb	short loc_74F8DF
		mov	eax, 0C000000Dh

loc_74F8C8:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+118j
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+13Cj	...
		mov	ecx, [esp+370h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_74F8DF:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+D7j
		xor	ecx, ecx
		mov	ebx, 154h
		push	33394D43h
		mov	edx, ebx
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+370h+var_34C], edi
		test	edi, edi
		jnz	short loc_74F904
		mov	eax, 0C000009Ah
		jmp	short loc_74F8C8
; 

loc_74F904:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+111j
		push	ebx		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		call	CmpAcquireShutdownRundown
		test	al, al
		jnz	short loc_74F928
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)
		mov	eax, 0C0000189h
		jmp	short loc_74F8C8
; 

loc_74F928:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+12Ej
		mov	ecx, [ebp+arg_0]
		mov	eax, ecx
		and	eax, 20h
		mov	[esp+370h+var_2A4], eax
		neg	eax
		sbb	eax, eax
		and	eax, 4000000h
		add	eax, 3190001h
		mov	[esp+370h+var_334], eax
		test	cl, cl
		jns	short loc_74F956
		or	eax, 8000000h
		mov	[esp+370h+var_334], eax

loc_74F956:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+161j
		test	ecx, 200h
		jz	short loc_74F967
		or	eax, 10000000h
		mov	[esp+370h+var_334], eax

loc_74F967:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+172j
		mov	eax, ecx
		and	eax, 2000h
		mov	[esp+370h+var_2E0], eax
		push	0
		pop	eax
		setnz	al
		mov	[esp+370h+var_324], eax
		test	ecx, 8000h
		jz	short loc_74F98E
		or	eax, 20h
		mov	[esp+370h+var_324], eax

loc_74F98E:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+19Bj
		lea	eax, [esp+370h+var_344]
		xor	edx, edx
		push	eax
		push	ebx
		push	ebx
		push	[esp+37Ch+var_338]
		lea	eax, [esp+380h+var_31C]
		mov	ecx, esi
		push	8
		push	eax
		lea	eax, [esp+388h+var_350]
		push	eax
		call	CmpOpenHiveFile
		mov	ebx, eax
		mov	[esp+370h+var_361+1], ebx
		cmp	ebx, 0C0000034h
		jnz	short loc_74F9CE
		mov	[esp+370h+var_35A], 1
		xor	ebx, ebx
		mov	[esp+370h+var_2FC], esi
		mov	[esp+370h+var_2F8], 1
		jmp	short loc_74FA3D
; 

loc_74F9CE:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+1D0j
		xor	edx, edx
		test	ebx, ebx
		jns	short loc_74F9E5
		push	10h
		push	ebx
		push	20h
		mov	ecx, edi
		call	SetFailureLocation
		jmp	loc_74FF0A
; 

loc_74F9E5:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+1E8j
		mov	eax, _CmIoFileObjectType
		lea	ecx, [esp+370h+var_320]
		push	edx
		push	ecx
		push	edx
		mov	eax, [eax]
		push	eax
		push	edx
		push	[esp+384h+var_350]
		mov	[esp+388h+var_320], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[esp+370h+var_350]
		mov	esi, [esp+374h+var_320]
		mov	ebx, eax
		mov	[esp+374h+var_361+1], ebx
		mov	[esp+374h+var_358], esi
		call	_ZwClose@4	; ZwClose(x)
		test	ebx, ebx
		jns	short loc_74FA30
		push	20h
		push	ebx
		push	20h
		xor	edx, edx
		mov	ecx, edi
		call	SetFailureLocation
		jmp	loc_74FEFF
; 

loc_74FA30:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+231j
		mov	eax, [esi+14h]
		xor	ebx, ebx
		mov	[esp+370h+var_2FC], eax
		mov	[esp+370h+var_2F8], bl

loc_74FA3D:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+1E2j
		push	ebx
		push	ebx
		lea	eax, [esp+378h+var_2F4]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	ecx, [esp+370h+var_2E4]
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		lea	eax, [esp+370h+var_304]
		mov	[esp+370h+var_300], eax
		mov	[esp+370h+var_304], eax
		call	_CmpLockAppHiveLoadList@0 ; CmpLockAppHiveLoadList()
		mov	esi, _CmpAppHiveLoadList
		mov	ecx, offset _CmpAppHiveLoadList
		cmp	esi, ecx
		jz	short loc_74FAF1
		mov	ebx, [esp+370h+var_2FC]

loc_74FA7C:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+303j
		cmp	byte ptr [esi+14h], 0
		jnz	short loc_74FAD2
		cmp	[esi+10h], ebx
		jnz	short loc_74FAE9

loc_74FA87:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+2F8j
		mov	eax, [esi+0Ch]
		add	esi, 8
		cmp	[eax], esi
		jnz	loc_750642
		mov	[esp+370h+var_300], eax
		lea	ecx, [esp+370h+var_304]
		mov	[esp+370h+var_304], esi
		mov	[eax], ecx
		mov	eax, ecx
		mov	[esi+4], eax
		mov	esi, [esp+370h+var_300]
		lea	ecx, [esi+20h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		call	_CmpUnlockAppHiveLoadList@0 ; CmpUnlockAppHiveLoadList()
		xor	ebx, ebx
		lea	eax, [esi+10h]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	eax
		call	KeWaitForSingleObject
		lea	ecx, [esi+20h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_74FB18
; 

loc_74FAD2:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+296j
		push	1
		push	[esp+374h+var_33C]
		push	dword ptr [esi+10h]
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_74FA87
		mov	ecx, offset _CmpAppHiveLoadList

loc_74FAE9:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+29Bj
		mov	esi, [esi]
		cmp	esi, ecx
		jnz	short loc_74FA7C
		xor	ebx, ebx

loc_74FAF1:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+28Cj
		mov	eax, dword_6CE0AC
		cmp	[eax], ecx
		jnz	loc_750642
		mov	[esp+370h+var_30C], ecx
		lea	ecx, [esp+370h+var_30C]
		mov	[esp+370h+var_308], eax
		mov	[eax], ecx
		mov	eax, ecx
		mov	dword_6CE0AC, eax
		call	_CmpUnlockAppHiveLoadList@0 ; CmpUnlockAppHiveLoadList()

loc_74FB18:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+2E6j
		mov	esi, [esp+370h+var_33C]
		lea	eax, [esp+370h+var_330]
		push	edi
		push	eax
		push	[esp+378h+var_338]
		lea	eax, [esp+37Ch+var_328]
		mov	byte ptr [esp+37Ch+var_32C], 1
		push	[esp+37Ch+var_324]
		mov	dl, 1
		mov	[esp+380h+var_328], ebx
		push	[esp+380h+var_334]
		mov	ecx, esi
		push	eax
		lea	eax, [esp+388h+var_32C]
		push	eax
		call	_CmpCmdHiveOpen@36 ; CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	[esp+370h+var_361+1], ebx
		test	ebx, ebx
		jz	loc_74FE12
		mov	al, byte ptr [esp+370h+var_361]

loc_74FB5C:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+622j
		cmp	ebx, 0C0000043h
		jnz	loc_7500C2
		cmp	[esp+370h+var_2A4], 0
		jnz	loc_7500C2
		test	al, al
		jnz	loc_7500C2
		cmp	[esp+370h+var_35A], al
		jz	short loc_74FBF6
		lea	eax, [esp+370h+var_344]
		xor	edx, edx
		push	eax
		xor	eax, eax
		mov	ecx, esi
		push	eax
		push	eax
		push	[esp+37Ch+var_338]
		lea	eax, [esp+380h+var_31C]
		push	8
		push	eax
		lea	eax, [esp+388h+var_350]
		push	eax
		call	CmpOpenHiveFile
		mov	ebx, eax
		mov	[esp+370h+var_361+1], ebx
		test	ebx, ebx
		js	loc_75003C
		mov	eax, _CmIoFileObjectType
		lea	ecx, [esp+370h+var_318]
		xor	edx, edx
		push	edx
		push	ecx
		mov	eax, [eax]
		push	edx
		push	eax
		push	edx
		push	[esp+384h+var_350]
		mov	[esp+388h+var_318], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[esp+370h+var_350]
		mov	esi, [esp+374h+var_318]
		mov	ebx, eax
		mov	[esp+374h+var_361+1], ebx
		mov	[esp+374h+var_358], esi
		call	_ZwClose@4	; ZwClose(x)
		test	ebx, ebx
		js	loc_750029
		mov	esi, [esp+370h+var_33C]

loc_74FBF6:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+398j
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		call	CmpGetLastHive
		mov	[esp+370h+var_348], eax
		test	eax, eax
		jz	loc_74FDC4

loc_74FC13:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+4F2j
		mov	ecx, _CmpActiveAppHiveUnloadCount
		mov	[esp+370h+var_340], ecx
		jmp	short loc_74FC56
; 

loc_74FC1F:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+471j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		push	0
		push	4
		lea	eax, [esp+378h+var_340]
		mov	edx, offset _CmpActiveAppHiveUnloadCount
		push	eax
		mov	ecx, offset _CmpActiveAppHiveUnloadEvent
		call	ExBlockOnAddressPushLock
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		mov	eax, _CmpActiveAppHiveUnloadCount
		mov	[esp+370h+var_340], eax

loc_74FC56:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+433j
		cmp	[esp+370h+var_340], 0
		jnz	short loc_74FC1F
		xor	ecx, ecx

loc_74FC5F:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+4B5j
		call	CmpGetNextHive
		mov	esi, eax
		test	esi, esi
		jz	loc_74FDB5
		mov	ecx, [esi+0BF0h]
		mov	[esp+370h+var_314], ecx
		test	ecx, ecx
		jnz	short loc_74FCA1
		mov	edx, [esi+400h]
		test	edx, edx
		jz	short loc_74FC93
		mov	ecx, [esp+370h+var_358]
		call	_CmpIsThisSameFile@8 ; CmpIsThisSameFile(x,x)
		test	al, al
		jnz	short loc_74FCE7

loc_74FC93:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+49Aj
		cmp	esi, [esp+370h+var_348]
		jz	loc_74FDAE
		mov	ecx, esi
		jmp	short loc_74FC5F
; 

loc_74FCA1:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+490j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		push	0
		push	4
		lea	eax, [esp+378h+var_314]
		push	eax
		lea	edx, [esi+0BF0h]
		lea	ecx, [esi+0BF4h]
		call	ExBlockOnAddressPushLock
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		mov	ecx, esi
		call	_CmpQuitNextHive@4 ; CmpQuitNextHive(x)
		cmp	esi, [esp+370h+var_348]
		jnz	loc_74FC13
		jmp	loc_74FDB5
; 

loc_74FCE7:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+4A7j
		mov	eax, [esi+64h]
		mov	ecx, [esi+980h]
		and	eax, 8000h
		test	cl, 20h
		jz	loc_7500A0
		test	cl, 40h
		jnz	loc_7500A0
		cmp	[esp+370h+var_2E0], 0
		jnz	short loc_74FD39
		test	eax, eax
		jz	short loc_74FD4E
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		mov	ecx, esi
		call	_CmpQuitNextHive@4 ; CmpQuitNextHive(x)
		push	70h

loc_74FD28:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+8C9j
		mov	eax, 0C0000043h
		mov	ebx, eax
		mov	[esp+374h+var_361+1], ebx
		push	eax
		jmp	loc_750050
; 

loc_74FD39:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+525j
		test	eax, eax
		jnz	short loc_74FD4E
		mov	ecx, [esp+370h+var_344]
		call	_CmpCheckHivePrimaryFileReadWriteAccess@4 ; CmpCheckHivePrimaryFileReadWriteAccess(x)
		test	al, al
		jz	loc_750060

loc_74FD4E:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+529j
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+551j
		lea	ecx, [esp+370h+var_270]
		call	CmpAttachToRegistryProcess
		mov	ecx, [esi+6D8h]
		mov	[esp+370h+var_310], esi
		call	_CmpConstructName@4 ; CmpConstructName(x)
		mov	ebx, [esp+370h+var_2DC]
		lea	ecx, [esp+370h+var_270]
		mov	[ebx], eax
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		cmp	dword ptr [ebx], 0
		jz	loc_750081
		mov	ecx, [esi+6D8h]
		call	CmpReferenceKeyControlBlockUnsafe
		mov	ecx, [esp+370h+var_354]
		mov	eax, [esi+6D8h]
		mov	[ecx], eax
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		xor	ebx, ebx
		mov	[esp+370h+var_361+1], ebx

loc_74FDAE:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+4ADj
		mov	ecx, esi
		call	_CmpQuitNextHive@4 ; CmpQuitNextHive(x)

loc_74FDB5:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+47Ej
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+4F8j
		cmp	[esp+370h+var_310], 0
		jnz	loc_7500B8
		mov	esi, [esp+370h+var_33C]

loc_74FDC4:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+423j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		xor	eax, eax
		mov	byte ptr [esp+370h+var_32C], 1
		push	edi
		mov	byte ptr [esp+374h+var_330], al
		mov	dl, 1
		mov	[esp+374h+var_328], eax
		mov	ecx, esi
		lea	eax, [esp+374h+var_330]
		push	eax
		push	[esp+378h+var_338]
		lea	eax, [esp+37Ch+var_328]
		push	[esp+37Ch+var_324]
		push	[esp+380h+var_334]
		push	eax
		lea	eax, [esp+388h+var_32C]
		push	eax
		call	_CmpCmdHiveOpen@36 ; CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	al, 1
		mov	[esp+370h+var_361+1], ebx
		test	ebx, ebx
		jnz	loc_74FB5C

loc_74FE12:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+368j
		mov	edx, [esp+370h+var_2D0]
		mov	ecx, [esp+370h+var_328]
		push	edi
		push	[esp+374h+var_330]
		push	[esp+378h+var_32C]
		push	[esp+37Ch+var_354]
		push	[ebp+arg_10]
		push	[esp+384h+var_2D8]
		push	0
		push	[esp+38Ch+var_2D4]
		push	[ebp+arg_0]
		call	_CmpLoadKeyCommon@44 ; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	[esp+370h+var_361+1], ebx

loc_74FE4B:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+871j
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+8B1j	...
		mov	esi, [esp+370h+var_358]

loc_74FE4F:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+84Dj
		call	_CmpLockAppHiveLoadList@0 ; CmpLockAppHiveLoadList()
		mov	ecx, [esp+370h+var_30C]
		lea	edx, [esp+370h+var_30C]
		mov	eax, [esp+370h+var_308]
		cmp	[ecx+4], edx
		jnz	loc_750642
		cmp	[eax], edx
		jnz	loc_750642
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	ecx, [esp+370h+var_304]
		mov	eax, [esp+370h+var_304]
		cmp	eax, ecx
		jz	short loc_74FECE
		mov	edx, [esp+370h+var_300]
		lea	edi, [esp+370h+var_304]
		cmp	[eax+4], edi
		lea	ecx, [eax-8]
		mov	edi, [esp+370h+var_34C]
		jnz	loc_750642
		lea	ebx, [esp+370h+var_304]
		cmp	[edx], ebx
		mov	ebx, [esp+370h+var_361+1]
		jnz	loc_750642
		mov	[edx], eax
		mov	[eax+4], edx
		mov	edx, offset _CmpAppHiveLoadList
		mov	eax, dword_6CE0AC
		cmp	[eax], edx
		jnz	loc_750642
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	dword_6CE0AC, ecx

loc_74FECE:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+696j
		call	_CmpUnlockAppHiveLoadList@0 ; CmpUnlockAppHiveLoadList()
		xor	eax, eax
		push	eax
		push	eax
		lea	eax, [esp+378h+var_2F4]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		lea	ecx, [esp+370h+var_2E4]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	eax, [esp+370h+var_348]
		test	eax, eax
		jz	short loc_74FEFF
		mov	ecx, eax
		call	_CmpDereferenceHive@4 ;	CmpDereferenceHive(x)

loc_74FEFF:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+241j
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+70Cj
		test	esi, esi
		jz	short loc_74FF0A
		mov	ecx, esi
		call	ObfDereferenceObject

loc_74FF0A:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+1F6j
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+717j
		xor	esi, esi
		cmp	[esp+370h+var_344], esi
		jz	short loc_74FF1C
		push	esi
		push	[esp+374h+var_344]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_74FF1C:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+726j
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		test	ebx, ebx
		jns	loc_75052A
		movzx	eax, word ptr [edi+4]
		mov	[esp+370h+var_354], eax
		test	ax, ax
		jnz	loc_7500C6
		cmp	[edi+6], si
		jnz	loc_7500C6
		cmp	[edi+132h], al
		jnz	loc_7500C6
		cmp	dword_6B2348, 5
		jbe	loc_750632
		push	4000h
		mov	esi, offset dword_6B2348
		push	8
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_750632
		lea	eax, [esp+370h+var_278]
		mov	[esp+370h+var_278], 1
		mov	[esp+370h+var_38], eax
		xor	ecx, ecx
		lea	eax, [esp+370h+var_2CC]
		mov	[esp+370h+var_274], ecx
		mov	[esp+370h+var_28], eax
		lea	eax, [esp+370h+var_2A0]
		push	8
		pop	edx
		mov	[esp+370h+var_18], eax
		lea	eax, [esp+370h+var_58]
		push	eax
		mov	[esp+374h+var_30], edx
		mov	[esp+374h+var_10], edx
		mov	edx, (offset loc_41A17E+6)
		mov	[esp+374h+var_34], ecx
		mov	[esp+374h+var_2C], ecx
		mov	[esp+374h+var_2CC], ebx
		mov	[esp+374h+var_24], ecx
		mov	[esp+374h+var_20], 4
		mov	[esp+374h+var_1C], ecx
		mov	[esp+374h+var_2A0], 1000000h
		mov	[esp+374h+var_29C], ecx
		mov	[esp+374h+var_14], ecx
		mov	[esp+374h+var_C], ecx
		push	5

loc_750024:				; DATA XREF: PAGE:??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@o
					; PAGE:??_C@_1M@LBIBGIJG@?$AA?$CF?$AAu?$AA?0?$AA?$CF?$AAu@NNGAKEGL@o ...
		jmp	loc_75062A
; 

loc_750029:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+402j
		push	50h
		push	ebx
		push	20h
		xor	edx, edx
		mov	ecx, edi
		call	SetFailureLocation
		jmp	loc_74FE4F
; 

loc_75003C:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+3C4j
					; DATA XREF: PAGE:??_C@_1BM@BCFBFHLN@?$AA?$DM?$AAu?$AAn?$AAs?$AAp?$AAe?$AAc?$AAi?$AAf?$AAi?$AAe?$AAd?$AA?$DO@NNGAKEGL@o ...
		cmp	ebx, 0C0000034h

loc_750042:				; DATA XREF: PAGE:??_C@_1CO@DFPMJEGC@?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo@NNGAKEGL@o
					; PAGE:??_C@_1BM@JIENPPCJ@?$AAB?$AAu?$AAs?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAD?$AAe?$AAs?$AAc@NNGAKEGL@o	...
		jnz	short loc_75004D

loc_750044:				; DATA XREF: PAGE:??_C@_1BK@PDBCOOKL@?$AAD?$AAu?$AAm?$AAp?$AAF?$AAi?$AAl?$AAe?$AAS?$AAi?$AAz?$AAe@NNGAKEGL@o
					; PAGE:??_C@_1BE@NAMCHGKG@?$AAD?$AAu?$AAp?$AAl?$AAi?$AAc?$AAa?$AAt?$AAe@NNGAKEGL@o ...
		lea	eax, [ebx+0Fh]

loc_750047:				; DATA XREF: PAGE:??_C@_19BPBMCKGC@?$AAG?$AAu?$AAi?$AAd@NNGAKEGL@o
		mov	ebx, eax
		mov	[esp+370h+var_361+1], eax

loc_75004D:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x):loc_750042j
					; DATA XREF: PAGE:??_C@_1DC@DPPPMAFH@?$AAM?$AAu?$AAl?$AAt?$AAi?$AAP?$AAh?$AAa?$AAs?$AAe?$AAR?$AAe?$AAs?$AAu?$AAm@NNGAKEGL@o ...
		push	40h

loc_75004F:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+895j
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+8DAj
		push	ebx

loc_750050:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+54Aj
		push	20h
		xor	edx, edx
		mov	ecx, edi
		call	SetFailureLocation
		jmp	loc_74FE4B
; 

loc_750060:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+55Ej
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		mov	ecx, esi

loc_75006C:				; DATA XREF: PAGE:008B8964o
					; PAGE:008BA488o ...
		call	_CmpQuitNextHive@4 ; CmpQuitNextHive(x)
		mov	ebx, 0C0000022h
		mov	[esp+370h+var_361+1], ebx
		push	80h
		jmp	short loc_75004F
; 

loc_750081:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+597j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		mov	ebx, 0C000009Ah
		mov	ecx, esi
		mov	[esp+370h+var_361+1], ebx
		call	_CmpQuitNextHive@4 ; CmpQuitNextHive(x)
		jmp	loc_74FE4B
; 

loc_7500A0:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+50Ej
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+517j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		mov	ecx, esi
		call	_CmpQuitNextHive@4 ; CmpQuitNextHive(x)
		push	60h
		jmp	loc_74FD28
; 

loc_7500B8:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+5D0j
		mov	[esp+370h+var_359], 1
		jmp	loc_74FE4B
; 

loc_7500C2:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+378j
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+386j	...
		push	30h
		jmp	short loc_75004F
; 

loc_7500C6:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+74Aj
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+754j	...
		cmp	dword_6B2348, 5
		jbe	loc_750632
		push	4000h
		mov	esi, offset dword_6B2348
		push	8
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_75032F
		lea	eax, [esp+370h+var_298]
		mov	[esp+370h+var_2C8], ebx
		mov	[esp+370h+var_238], eax
		lea	ecx, [edi+6]
		movzx	esi, word ptr [ecx]
		lea	eax, [esp+370h+var_2C8]
		mov	[esp+370h+var_228], eax
		xor	edx, edx
		mov	eax, [esp+370h+var_354]
		movzx	eax, ax
		mov	[esp+370h+var_2C4], eax
		lea	eax, [esp+370h+var_2C4]
		mov	[esp+370h+var_218], eax
		mov	eax, esi
		mov	[esp+370h+var_2C0], eax
		lea	eax, [esp+370h+var_2C0]
		mov	[esp+370h+var_208], eax
		push	2
		pop	ebx
		mov	[esp+370h+var_294], edx
		mov	[esp+370h+var_234], edx
		mov	[esp+370h+var_22C], edx
		mov	[esp+370h+var_224], edx
		mov	[esp+370h+var_21C], edx
		mov	[esp+370h+var_214], edx
		mov	[esp+370h+var_20C], edx
		mov	[esp+370h+var_204], edx
		mov	[esp+370h+var_1FC], edx
		lea	edx, [edi+132h]
		mov	[esp+370h+var_210], ebx
		mov	[esp+370h+var_200], ebx
		mov	bl, [edx]
		movzx	eax, bl
		mov	[esp+370h+var_2BC], eax
		lea	eax, [esp+370h+var_2BC]
		mov	[esp+370h+var_1F8], eax
		xor	eax, eax
		mov	[esp+370h+var_1F4], eax
		mov	[esp+370h+var_1EC], eax
		lea	eax, [edi+4]
		mov	[esp+370h+var_1E8], eax
		xor	eax, eax
		mov	[esp+370h+var_1E4], eax
		mov	[esp+370h+var_1DC], eax
		lea	eax, [edi+8]
		mov	[esp+370h+var_1D8], eax
		xor	eax, eax
		mov	[esp+370h+var_1D4], eax
		mov	eax, [esp+370h+var_354]
		movzx	eax, ax
		imul	eax, 0Ch
		imul	esi, 0Ch
		mov	[esp+370h+var_1C8], ecx
		xor	ecx, ecx
		mov	[esp+370h+var_298], 1
		mov	[esp+370h+var_230], 8
		mov	[esp+370h+var_1D0], eax
		xor	eax, eax
		mov	[esp+370h+var_1CC], eax
		lea	eax, [edi+68h]
		mov	[esp+370h+var_1B8], eax
		lea	eax, [edi+134h]
		mov	[esp+370h+var_198], eax
		movzx	eax, bl
		shl	eax, 3
		mov	[esp+370h+var_220], 4
		mov	[esp+370h+var_1F0], 2
		mov	[esp+370h+var_1E0], 2
		mov	[esp+370h+var_1C4], ecx
		mov	[esp+370h+var_1C0], 2
		mov	[esp+370h+var_1BC], ecx
		mov	[esp+370h+var_1B4], ecx
		mov	[esp+370h+var_1B0], esi
		mov	[esp+370h+var_1AC], ecx
		mov	[esp+370h+var_1A8], edx
		mov	[esp+370h+var_1A4], ecx
		mov	[esp+370h+var_1A0], 2
		mov	[esp+370h+var_19C], ecx
		mov	[esp+370h+var_194], ecx
		mov	[esp+370h+var_190], eax
		mov	[esp+370h+var_18C], ecx
		lea	eax, [esp+370h+var_290]
		mov	[esp+370h+var_28C], ecx
		mov	[esp+370h+var_188], eax
		mov	esi, offset dword_6B2348
		lea	eax, [esp+370h+var_258]
		mov	[esp+370h+var_184], ecx
		push	eax
		push	0Eh
		mov	[esp+378h+var_17C], ecx
		mov	edx, offset loc_419EE5
		push	ecx
		mov	ecx, esi
		mov	[esp+37Ch+var_290], 1000000h
		mov	[esp+37Ch+var_180], 8
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)
		mov	ebx, [esp+370h+var_361+1]

loc_75032F:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+8FEj
		lea	eax, [edi+4]
		xor	ecx, ecx
		cmp	dword_6B2348, 5
		mov	[esp+370h+var_354], eax
		jbe	loc_750632
		push	ecx
		push	8
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_750632
		movzx	esi, word ptr [edi+4]
		lea	eax, [esp+370h+var_2B8]
		mov	[esp+370h+var_158], eax
		lea	ecx, [edi+6]
		movzx	edi, word ptr [ecx]
		xor	edx, edx
		mov	eax, esi
		mov	[esp+370h+var_154], edx
		mov	[esp+370h+var_2B4], eax
		lea	eax, [esp+370h+var_2B4]
		mov	[esp+370h+var_148], eax
		mov	eax, edi
		mov	[esp+370h+var_2B0], eax
		lea	eax, [esp+370h+var_2B0]
		mov	[esp+370h+var_138], eax
		push	2
		mov	[esp+374h+var_14C], edx
		mov	[esp+374h+var_144], edx
		mov	[esp+374h+var_13C], edx
		mov	[esp+374h+var_134], edx
		mov	[esp+374h+var_12C], edx
		mov	edx, [esp+374h+var_34C]
		add	edx, 132h
		mov	[esp+374h+var_2B8], ebx
		pop	ebx
		mov	[esp+370h+var_140], ebx
		mov	[esp+370h+var_130], ebx
		mov	bl, [edx]
		movzx	eax, bl
		mov	[esp+370h+var_2AC], eax
		lea	eax, [esp+370h+var_2AC]
		mov	[esp+370h+var_128], eax
		xor	eax, eax
		mov	[esp+370h+var_124], eax
		mov	[esp+370h+var_11C], eax
		mov	eax, [esp+370h+var_354]
		and	[esp+370h+var_114], 0
		mov	[esp+370h+var_118], eax
		xor	eax, eax
		mov	[esp+370h+var_10C], eax
		mov	eax, [esp+370h+var_34C]
		add	eax, 8
		imul	edi, 0Ch
		mov	[esp+370h+var_108], eax
		xor	eax, eax
		mov	[esp+370h+var_104], eax
		mov	[esp+370h+var_FC], eax
		mov	eax, [esp+370h+var_34C]
		add	eax, 68h
		mov	[esp+370h+var_E0], edi
		mov	edi, [esp+370h+var_34C]
		mov	[esp+370h+var_E8], eax
		imul	esi, 0Ch
		mov	[esp+370h+var_F8], ecx
		xor	ecx, ecx
		lea	eax, [edi+134h]
		mov	[esp+370h+var_150], 4
		mov	[esp+370h+var_C8], eax
		push	2
		movzx	eax, bl
		shl	eax, 3
		mov	[esp+374h+var_100], esi
		pop	esi
		mov	[esp+370h+var_C0], eax
		lea	eax, [esp+370h+var_178]
		push	eax
		push	0Ch
		mov	[esp+378h+var_120], 2
		mov	[esp+378h+var_110], 2
		mov	[esp+378h+var_F4], ecx
		mov	[esp+378h+var_F0], esi
		mov	[esp+378h+var_EC], ecx
		mov	[esp+378h+var_E4], ecx
		mov	[esp+378h+var_DC], ecx
		mov	[esp+378h+var_D8], edx
		mov	[esp+378h+var_D4], ecx
		mov	[esp+378h+var_D0], esi
		mov	[esp+378h+var_CC], ecx
		mov	[esp+378h+var_C4], ecx
		mov	[esp+378h+var_BC], ecx
		push	ecx
		push	ecx
		push	offset loc_41A048
		mov	esi, offset dword_6B2348
		push	esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_750632
; 

loc_75052A:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+739j
		cmp	dword_6B2348, 5
		jbe	loc_750632
		push	4000h
		mov	esi, offset dword_6B2348
		push	8
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_750632
		lea	eax, [esp+370h+var_288]
		mov	[esp+370h+var_90], 8
		mov	[esp+370h+var_98], eax
		xor	edx, edx
		lea	eax, [esp+370h+var_2A8]
		mov	[esp+370h+var_2A8], ebx
		mov	[esp+370h+var_88], eax
		inc	edx
		mov	al, [esp+370h+var_359]
		xor	ecx, ecx
		mov	byte ptr [esp+370h+var_361], al
		lea	eax, [esp+370h+var_361]
		mov	[esp+370h+var_78], eax
		lea	eax, [esp+370h+var_280]
		mov	[esp+370h+var_68], eax
		lea	eax, [esp+370h+var_B8]
		push	eax
		mov	[esp+374h+var_288], edx
		mov	[esp+374h+var_70], edx
		mov	edx, offset loc_419E7B
		mov	[esp+374h+var_284], ecx
		mov	[esp+374h+var_94], ecx
		mov	[esp+374h+var_8C], ecx
		mov	[esp+374h+var_84], ecx
		mov	[esp+374h+var_80], 4
		mov	[esp+374h+var_7C], ecx
		mov	[esp+374h+var_74], ecx
		mov	[esp+374h+var_6C], ecx
		mov	[esp+374h+var_280], 1000000h
		mov	[esp+374h+var_27C], ecx
		mov	[esp+374h+var_64], ecx
		mov	[esp+374h+var_60], 8
		mov	[esp+374h+var_5C], ecx
		push	6

loc_75062A:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x):loc_750024j
		push	ecx
		mov	ecx, esi
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)

loc_750632:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+76Dj
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+788j	...
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)
		mov	eax, [esp+370h+var_361+1]
		jmp	loc_74F8C8
; 

loc_750642:				; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+2A5j
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+30Ej	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CmLoadAppKey@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpIsThisSameFile(x, x)
_CmpIsThisSameFile@8 proc near		; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+4A0p
					; CmpIsHiveAlreadyLoaded(x,x,x,x,x)+4Fp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, _CmIoFileObjectType
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		mov	eax, [eax]
		lea	ecx, [ebp+var_4]
		push	ebx
		push	ecx
		push	ebx
		push	eax
		push	ebx
		push	edx
		mov	[ebp+var_4], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_750694
		mov	edx, [esi+14h]
		mov	ecx, [ebp+var_4]
		test	edx, edx
		jz	short loc_750685
		mov	eax, [ecx+14h]
		test	eax, eax
		jz	short loc_750685
		cmp	edx, eax
		jz	short loc_750690

loc_750685:				; CODE XREF: CmpIsThisSameFile(x,x)+30j
					; CmpIsThisSameFile(x,x)+37j ...
		call	ObfDereferenceObject
		mov	al, bl

loc_75068C:				; CODE XREF: CmpIsThisSameFile(x,x)+4Ej
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_750690:				; CODE XREF: CmpIsThisSameFile(x,x)+3Bj
		mov	bl, 1
		jmp	short loc_750685
; 

loc_750694:				; CODE XREF: CmpIsThisSameFile(x,x)+26j
		xor	al, al
		jmp	short loc_75068C
_CmpIsThisSameFile@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpUnlockAppHiveLoadList()
_CmpUnlockAppHiveLoadList@0 proc near	; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+2CAp
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+329p	...
		xor	edx, edx
		mov	ecx, offset _CmpAppHiveLoadListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_CmpUnlockAppHiveLoadList@0 endp


;  S U B	R O U T	I N E 


; __stdcall CmpLockAppHiveLoadList()
_CmpLockAppHiveLoadList@0 proc near	; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+27Ap
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x):loc_74FE4Fp
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpAppHiveLoadListLock
		jmp	ExAcquirePushLockExclusiveEx
_CmpLockAppHiveLoadList@0 endp

; 
		align 10h
; Exported entry 1615. ObDeleteCapturedInsertInfo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObDeleteCapturedInsertInfo
ObDeleteCapturedInsertInfo proc	near	; CODE XREF: CcInitializeCacheMapEx+67Dp
					; CmLoadDifferencingKey+5E8p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D0617 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi-9], 1
		jz	short loc_750716
		mov	edx, [esi-8]
		test	edx, edx
		jz	short loc_750716
		mov	ecx, [edx+18h]
		test	ecx, ecx
		jnz	loc_8D0617

loc_7506F1:				; CODE XREF: ObDeleteCapturedInsertInfo+17FF5Ej
		push	edi
		mov	edi, large fs:20h
		mov	ecx, [edi+5C0h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	short loc_75071B

loc_75070C:				; CODE XREF: ObDeleteCapturedInsertInfo+5Fj
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_750711:				; CODE XREF: ObDeleteCapturedInsertInfo+68j
		and	dword ptr [esi-8], 0
		pop	edi

loc_750716:				; CODE XREF: ObDeleteCapturedInsertInfo+Dj
					; ObDeleteCapturedInsertInfo+14j
		pop	esi
		pop	ebp
		retn	4
; 

loc_75071B:				; CODE XREF: ObDeleteCapturedInsertInfo+3Aj
		inc	dword ptr [ecx+18h]
		mov	ecx, [edi+5C4h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_75070C
		inc	dword ptr [ecx+18h]
		push	edx
		call	dword ptr [ecx+2Ch]
		jmp	short loc_750711
ObDeleteCapturedInsertInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmReleaseLoadKeyContext	proc near	; CODE XREF: CmLoadDifferencingKey+666p
					; CmLoadDifferencingKey+18201Cp

; FUNCTION CHUNK AT 008D0633 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, ecx
		test	edx, edx
		js	loc_8D0633
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, esi
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_75075F:				; CODE XREF: CmReleaseLoadKeyContext+17FF2Fj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
CmReleaseLoadKeyContext	endp


;  S U B	R O U T	I N E 


; __stdcall CmpMarkKeyUnbacked(x, x)
_CmpMarkKeyUnbacked@8 proc near		; CODE XREF: CmpRemoveHiveFromNamespace(x,x,x)+4Ep
					; CmDeleteLayeredKey(x,x,x)+1ABp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		inc	eax
		push	0
		pop	ebx
		add	[esi+0A8h], eax
		mov	ecx, [esi+24h]
		adc	[esi+0ACh], ebx
		or	dword ptr [esi+14h], 0FFFFFFFFh
		test	ecx, ecx
		jz	short loc_75078D
		cmp	byte ptr [ecx+21h], 3
		jz	short loc_75078F

loc_75078D:				; CODE XREF: CmpMarkKeyUnbacked(x,x)+21j
		mov	al, bl

loc_75078F:				; CODE XREF: CmpMarkKeyUnbacked(x,x)+27j
		mov	ecx, esi
		mov	[esi+21h], al
		call	_CmpCleanUpKcbCachedSymlink@8 ;	CmpCleanUpKcbCachedSymlink(x,x)
		and	word ptr [esi+6Ah], 4
		xor	eax, eax
		and	dword ptr [esi+68h], 0FFFFFF00h
		or	dword ptr [esi+34h], 0FFFFFFFFh
		mov	[esi+30h], ebx
		mov	[esi+3Ch], ebx
		mov	[esi+58h], ebx
		mov	[esi+5Ch], ebx
		mov	[esi+64h], ebx
		mov	[esi+69h], bl
		mov	[esi+60h], eax
		pop	esi
		pop	ebx
		retn
_CmpMarkKeyUnbacked@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRebuildKcbCacheFromNode(x, x, x,	x)
_CmpRebuildKcbCacheFromNode@16 proc near ; CODE	XREF: CmDeleteLayeredKey(x,x,x)+3A7p
					; CmpCreateTombstone(x,x)+1B5p	...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	dl, 1
		mov	al, [edi+0Dh]
		and	al, 3
		mov	[esi+21h], al
		call	CmpCleanUpSubKeyInfo
		mov	edx, [esi+68h]
		test	edx, 400000h
		jnz	short loc_7507FB
		cmp	[ebp+arg_4], 0
		jnz	short loc_750869

loc_7507EF:				; CODE XREF: CmpRebuildKcbCacheFromNode(x,x,x,x)+B2j
		mov	ecx, [edi+28h]
		mov	eax, [edi+24h]
		mov	[esi+30h], eax
		mov	[esi+34h], ecx

loc_7507FB:				; CODE XREF: CmpRebuildKcbCacheFromNode(x,x,x,x)+23j
		mov	eax, [edi+4]
		mov	[esi+58h], eax
		mov	eax, [edi+8]
		mov	[esi+5Ch], eax
		mov	ax, [edi+34h]
		mov	[esi+60h], ax
		mov	ax, [edi+3Ch]
		mov	[esi+62h], ax
		mov	eax, [edi+40h]
		mov	[esi+64h], eax
		movzx	ecx, word ptr [edi+36h]
		xor	ecx, edx
		and	ecx, 0Fh
		xor	ecx, edx
		mov	[esi+68h], ecx
		movzx	eax, word ptr [edi+36h]
		xor	eax, ecx
		and	eax, 0F0h
		xor	eax, ecx
		mov	[esi+68h], eax
		mov	al, [edi+37h]
		mov	[esi+69h], al
		mov	ax, [edi+2]
		mov	[esi+6Ah], ax
		mov	edx, [edi+2Ch]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_750863
		xor	eax, eax
		mov	ecx, esi
		push	eax
		push	eax
		push	eax
		call	CmpAssignSecurityToKcb

loc_75085D:				; CODE XREF: CmpRebuildKcbCacheFromNode(x,x,x,x)+A3j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_750863:				; CODE XREF: CmpRebuildKcbCacheFromNode(x,x,x,x)+8Bj
		and	dword ptr [esi+2Ch], 0
		jmp	short loc_75085D
; 

loc_750869:				; CODE XREF: CmpRebuildKcbCacheFromNode(x,x,x,x)+29j
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_CmpCleanUpKcbCachedSymlink@8 ;	CmpCleanUpKcbCachedSymlink(x,x)
		mov	edx, [esi+68h]
		jmp	loc_7507EF
_CmpRebuildKcbCacheFromNode@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCleanUpSubKeyInfo proc near		; CODE XREF: CmpCreateTombstone(x,x)+220p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+C36p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D066E SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		or	[ebp+var_8], 0FFFFFFFFh
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		mov	eax, [esi+4]
		test	al, 7
		jnz	loc_8D066E

loc_75089C:				; CODE XREF: CmpCleanUpSubKeyInfo+17FE0Fj
		movzx	eax, ax
		or	eax, 40h
		mov	[esi+4], ax
		test	bl, bl
		jz	short loc_7508DB
		mov	ecx, [esi+14h]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_7508DB
		mov	eax, [esi+10h]
		lea	edx, [ebp+var_8]
		push	edx
		push	ecx
		push	eax
		call	dword ptr [eax+4]
		mov	ecx, 0FFBFh
		and	[esi+4], cx
		mov	ecx, [eax+18h]
		add	ecx, [eax+14h]
		mov	eax, [esi+10h]
		mov	[esi+3Ch], ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_7508DB:				; CODE XREF: CmpCleanUpSubKeyInfo+2Cj
					; CmpCleanUpSubKeyInfo+34j
		pop	esi
		pop	ebx
		leave
		retn
CmpCleanUpSubKeyInfo endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpAssignSecurityToKcb proc near	; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+B6Dp
					; CmpDoBuildVirtualStack(x,x,x,x,x)+3E7p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008D0690 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		mov	edi, edx
		inc	ebx
		cmp	edi, 0FFFFFFFFh
		jz	short loc_750961
		cmp	[ebp+arg_4], 0
		mov	eax, [esi+10h]
		mov	[ebp+var_4], eax
		lea	ecx, [eax+484h]
		mov	[ebp+var_C], ecx
		jnz	short loc_75091A
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_4]

loc_75091A:				; CODE XREF: CmpAssignSecurityToKcb+2Ej
		lea	ecx, [ebp+var_8]
		mov	edx, edi
		push	ecx
		mov	ecx, eax
		call	_CmpFindSecurityCellCacheIndex@12 ; CmpFindSecurityCellCacheIndex(x,x,x)
		test	al, al
		jz	loc_8D0690
		cmp	[ebp+arg_0], 0
		jnz	short loc_750948
		mov	edx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		mov	edx, [edx+4CCh]
		mov	eax, [edx+eax*8+4]
		mov	[esi+2Ch], eax

loc_750948:				; CODE XREF: CmpAssignSecurityToKcb+53j
					; CmpAssignSecurityToKcb+17FDBCj
		cmp	[ebp+arg_4], 0
		jnz	short loc_750958
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		call	ExReleasePushLockEx

loc_750958:				; CODE XREF: CmpAssignSecurityToKcb+6Cj
					; CmpAssignSecurityToKcb+85j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	0Ch
; 

loc_750961:				; CODE XREF: CmpAssignSecurityToKcb+19j
		and	dword ptr [esi+2Ch], 0
		jmp	short loc_750958
CmpAssignSecurityToKcb endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFlushNotifiesOnKeyBodyList proc near	; CODE XREF: CmpRemoveHiveFromNamespace(x,x,x)+44p
					; CmDeleteLayeredKey(x,x,x)+199p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 008D06BF SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	[ebp+var_C], ebx
		lea	edi, [ebx+40h]
		mov	esi, [edi]
		cmp	esi, edi
		jnz	short loc_7509DF

loc_750984:				; CODE XREF: CmpFlushNotifiesOnKeyBodyList+A9j
		push	4
		lea	edi, [ebx+48h]
		pop	ebx

loc_75098A:				; CODE XREF: CmpFlushNotifiesOnKeyBodyList+2Ej
		mov	esi, [edi]
		test	esi, esi
		jnz	short loc_75099F

loc_750990:				; CODE XREF: CmpFlushNotifiesOnKeyBodyList+3Aj
					; CmpFlushNotifiesOnKeyBodyList+3Fj ...
		add	edi, 4
		sub	ebx, 1
		jnz	short loc_75098A
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_75099F:				; CODE XREF: CmpFlushNotifiesOnKeyBodyList+26j
		cmp	esi, 1
		jz	short loc_750990
		cmp	esi, 2
		jz	short loc_750990
		push	2
		pop	ecx
		mov	eax, esi
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		jnz	short loc_750990
		cmp	dword ptr [esi+0Ch], 0
		jnz	loc_8D06CE

loc_7509C0:				; CODE XREF: CmpFlushNotifiesOnKeyBodyList+17FD72j
		xor	ecx, ecx
		lea	eax, [esi+30h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	loc_8D06DF

loc_7509CF:				; CODE XREF: CmpFlushNotifiesOnKeyBodyList+17FD81j
		mov	eax, [ebp+var_4]
		or	[esi+1Ch], ax
		push	2
		pop	eax
		lock cmpxchg [edi], esi
		jmp	short loc_750990
; 

loc_7509DF:				; CODE XREF: CmpFlushNotifiesOnKeyBodyList+1Aj
		mov	bl, [ebp+arg_4]

loc_7509E2:				; CODE XREF: CmpFlushNotifiesOnKeyBodyList+A4j
		cmp	dword ptr [esi-8], 0
		mov	[ebp+var_8], esi
		jnz	loc_8D06AE

loc_7509EF:				; CODE XREF: CmpAssignSecurityToKcb+17FDDAj
		xor	ecx, ecx
		lea	eax, [esi+1Ch]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	loc_8D06BF

loc_7509FE:				; CODE XREF: CmpFlushNotifiesOnKeyBodyList+17FD61j
		mov	eax, [ebp+var_4]
		or	[esi+8], ax
		mov	eax, [ebp+var_8]
		mov	esi, [eax]
		cmp	esi, edi
		jnz	short loc_7509E2
		mov	ebx, [ebp+var_C]
		jmp	loc_750984
CmpFlushNotifiesOnKeyBodyList endp


;  S U B	R O U T	I N E 


; __stdcall CmpUnlockDeletedHashEntryByKcb(x)
_CmpUnlockDeletedHashEntryByKcb@4 proc near ; CODE XREF: CmpDiscardKcb(x)+91j
					; CmpCleanUpKcbCacheWithLock+1CEp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, [edi+10h]
		mov	ecx, ebx
		push	dword ptr [edi+8]
		call	_CmpGetDeletedHashIndexInHive@8	; CmpGetDeletedHashIndexInHive(x,x)
		imul	ecx, eax, 0Ch
		mov	eax, [ebx+43Ch]
		and	dword ptr [ecx+eax+4], 0
		mov	esi, [edi+10h]
		mov	ecx, esi
		push	dword ptr [edi+8]
		call	_CmpGetDeletedHashIndexInHive@8	; CmpGetDeletedHashIndexInHive(x,x)
		imul	ecx, eax, 0Ch
		xor	edx, edx
		add	ecx, [esi+43Ch]
		call	ExReleasePushLockEx
		or	eax, 0FFFFFFFFh
		lock xadd [ebx+9D8h], eax
		pop	edi
		pop	esi
		jz	short loc_750A66
		pop	ebx
		retn
; 

loc_750A66:				; CODE XREF: CmpUnlockDeletedHashEntryByKcb(x)+4Cj
		mov	ecx, ebx
		pop	ebx
		jmp	_CmpDeleteHive@4 ; CmpDeleteHive(x)
_CmpUnlockDeletedHashEntryByKcb@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpDereferenceHive(x)
_CmpDereferenceHive@4 proc near		; CODE XREF: CmpDoFlushAll(x)+66p
					; CmpLateUnloadHiveWorker+E8p ...
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+9D8h], eax
		jz	_CmpDeleteHive@4 ; CmpDeleteHive(x)
		retn
_CmpDereferenceHive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpDoFlushNextHive proc	near		; DATA XREF: .data:006B151Co

var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D06EE SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		or	[esp+14h+var_C], 0FFFFFFFFh
		or	[esp+14h+var_8], 0FFFFFFFFh
		push	ebx
		xor	bl, bl
		push	esi
		push	edi
		mov	[esp+20h+var_D], bl
		cmp	ds:_CmpNoWrite,	bl
		jnz	loc_8D06EE
		xor	ecx, ecx
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_750B27

loc_750AB7:				; CODE XREF: CmpDoFlushNextHive+91j
		or	edi, 0FFFFFFFFh
		or	ebx, 0FFFFFFFFh
		test	byte ptr [esi+64h], 3
		jnz	short loc_750AE3
		cmp	dword ptr [esi+34h], 0
		ja	loc_750B69
		cmp	byte ptr [esi+83h], 0
		jnz	loc_750B69
		test	byte ptr [esi+9D0h], 1
		jz	short loc_750B5A

loc_750AE3:				; CODE XREF: CmpDoFlushNextHive+41j
					; CmpDoFlushNextHive+E4j ...
		cmp	byte ptr [esi+6DCh], 1
		jz	short loc_750B32

loc_750AEC:				; CODE XREF: CmpDoFlushNextHive+D8j
		cmp	ebx, [esp+20h+var_8]
		ja	short loc_750B02
		jb	loc_750BAE
		cmp	edi, [esp+20h+var_C]
		jb	loc_750BAE

loc_750B02:				; CODE XREF: CmpDoFlushNextHive+70j
		mov	edi, [esp+20h+var_C]

loc_750B06:				; CODE XREF: CmpDoFlushNextHive+136j
		mov	ecx, esi
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_750AB7
		mov	bl, [esp+20h+var_D]
		test	bl, bl
		jz	short loc_750B27
		mov	ecx, [ebp+arg_4]
		mov	eax, [esp+20h+var_8]
		mov	[ecx], edi
		mov	[ecx+4], eax

loc_750B27:				; CODE XREF: CmpDoFlushNextHive+35j
					; CmpDoFlushNextHive+99j
		mov	al, bl

loc_750B29:				; CODE XREF: CmpDoFlushNextHive+17FC70j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_750B32:				; CODE XREF: CmpDoFlushNextHive+6Aj
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		xor	cl, cl
		call	CmpLockRegistryFreezeAware
		cmp	byte ptr [esi+6DCh], 1
		jnz	short loc_750B4E
		mov	ecx, esi
		call	CmpDoQueueLateUnloadWorker

loc_750B4E:				; CODE XREF: CmpDoFlushNextHive+C5j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		jmp	short loc_750AEC
; 

loc_750B5A:				; CODE XREF: CmpDoFlushNextHive+61j
		push	22h
		pop	edx
		mov	ecx, esi
		call	CmpFlushHive
		jmp	loc_750AE3
; 

loc_750B69:				; CODE XREF: CmpDoFlushNextHive+47j
					; CmpDoFlushNextHive+54j
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	[esp+20h+var_4], edx
		mov	ecx, eax
		mov	eax, dword_6B1528
		mov	edx, (offset loc_98967E+2)
		mul	edx
		add	eax, [esi+990h]
		adc	edx, [esi+994h]
		cmp	[esp+20h+var_4], edx
		ja	short loc_750BBB
		jb	short loc_750B9A
		cmp	ecx, eax
		jnb	short loc_750BBB

loc_750B9A:				; CODE XREF: CmpDoFlushNextHive+114j
		mov	edi, eax
		mov	ebx, edx
		sub	edi, ecx
		sbb	ebx, [esp+20h+var_4]

loc_750BA4:				; CODE XREF: CmpDoFlushNextHive+17FC8Bj
		mov	[esp+20h+var_D], 1
		jmp	loc_750AE3
; 

loc_750BAE:				; CODE XREF: CmpDoFlushNextHive+72j
					; CmpDoFlushNextHive+7Cj
		mov	[esp+20h+var_C], edi
		mov	[esp+20h+var_8], ebx
		jmp	loc_750B06
; 

loc_750BBB:				; CODE XREF: CmpDoFlushNextHive+112j
					; CmpDoFlushNextHive+118j
		push	12h
		pop	edx
		mov	ecx, esi
		call	CmpFlushHive
		test	eax, eax
		jns	loc_750AE3
		jmp	loc_8D06F5
CmpDoFlushNextHive endp


;  S U B	R O U T	I N E 


; __stdcall CmpGetNextActiveHive(x)
_CmpGetNextActiveHive@4	proc near	; CODE XREF: CmpLockKcbStackFlusherLocksExclusive(x):loc_5FF28Bp
					; CmpDoReconcileNextHive+34p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, offset _CmpHiveListHead
		test	esi, esi
		jz	short loc_750BEA
		lea	edi, [esi+420h]

loc_750BEA:				; CODE XREF: CmpGetNextActiveHive(x)+10j
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		call	ExAcquirePushLockSharedEx

loc_750BF6:				; CODE XREF: CmpGetNextActiveHive(x)+66j
		mov	edi, [edi]
		cmp	edi, offset _CmpHiveListHead
		jz	short loc_750C15
		lea	ebx, [edi-420h]
		lea	ecx, [ebx+430h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_750C36

loc_750C15:				; CODE XREF: CmpGetNextActiveHive(x)+2Cj
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		call	ExReleasePushLockEx
		test	esi, esi
		jz	short loc_750C30
		lea	ecx, [esi+430h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_750C30:				; CODE XREF: CmpGetNextActiveHive(x)+51j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
; 

loc_750C36:				; CODE XREF: CmpGetNextActiveHive(x)+41j
		xor	ebx, ebx
		jmp	short loc_750BF6
_CmpGetNextActiveHive@4	endp


;  S U B	R O U T	I N E 


; __stdcall UNLOCK_HIVE_LOAD()
_UNLOCK_HIVE_LOAD@0 proc near		; CODE XREF: CmpTryToRundownHive+B8p
					; CmpTryToRundownHive+147p ...
		mov	edi, edi
		push	esi
		mov	esi, large fs:124h
		xor	edx, edx
		and	ds:_CmpLoadHiveLockOwner, 0
		mov	ecx, offset _CmpLoadHiveLock
		call	ExReleasePushLockEx
		mov	ecx, esi
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_UNLOCK_HIVE_LOAD@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


CmpDoQueueLateUnloadWorker proc	near	; CODE XREF: CmpDoFlushNextHive+C9p
					; CmpDelayDerefKeyControlBlock(x,x)+6Cp ...

; FUNCTION CHUNK AT 008D0710 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		lea	edi, [esi+448h]
		mov	ecx, edi
		lea	ebx, [esi+6E4h]
		call	ExAcquirePushLockExclusiveEx
		xor	eax, eax
		lea	ecx, [esi+9DCh]
		inc	eax
		lock xadd [ecx], eax
		inc	eax
		dec	eax
		and	eax, 7Fh
		mov	dword ptr [esi+eax*4+9E0h], 13h
		mov	eax, [esi+6D8h]
		cmp	dword ptr [eax], 2
		jz	short loc_750CBD

loc_750CA4:				; CODE XREF: CmpDoQueueLateUnloadWorker+66j
					; CmpDoQueueLateUnloadWorker+89j ...
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_8D0710

loc_750CB3:				; CODE XREF: CmpDoQueueLateUnloadWorker+17FAB2j
					; CmpDoQueueLateUnloadWorker+17FABFj
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	KeAbPostRelease
; 

loc_750CBD:				; CODE XREF: CmpDoQueueLateUnloadWorker+42j
		lea	edx, [esi+6E0h]
		cmp	dword ptr [edx], 0
		jnz	short loc_750CA4
		xor	eax, eax
		inc	eax
		lock xadd [ecx], eax
		inc	eax
		dec	eax
		mov	ecx, ebx
		and	eax, 7Fh
		mov	dword ptr [esi+eax*4+9E0h], 14h
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_750CA4
		xor	edx, edx
		lea	ecx, [esi+9DCh]
		inc	edx
		mov	eax, edx
		lock xadd [ecx], eax
		inc	eax
		dec	eax
		mov	ecx, esi
		and	eax, 7Fh
		mov	dword ptr [esi+eax*4+9E0h], 15h
		mov	dword ptr [ebx+0Ch], offset CmpLateUnloadHiveWorker
		mov	[ebx+8], edx
		mov	[ebx+10h], esi
		call	_CmpReferenceHive@4 ; CmpReferenceHive(x)
		mov	ecx, ebx
		call	_CmWorkerEngineQueueWorkItem@4 ; CmWorkerEngineQueueWorkItem(x)
		jmp	loc_750CA4
CmpDoQueueLateUnloadWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLockRegistryFreezeAware proc	near	; CODE XREF: CmpTryToRundownHive+E5p
					; CmpTryToRundownHive+17Ap ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

; FUNCTION CHUNK AT 008D0724 SIZE 000000A1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	bl, cl
		lea	edi, [ebp+var_18]
		pop	ecx
		xor	esi, esi
		push	esi
		rep stosd
		push	1
		lea	eax, [ebp+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		test	bl, bl
		jz	short loc_750D6C
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()

loc_750D58:				; CODE XREF: CmpLockRegistryFreezeAware+47j
		cmp	_CmpFreezeThawState, 1
		jz	loc_8D0724

loc_750D65:				; CODE XREF: CmpLockRegistryFreezeAware+17FA65j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
; 

loc_750D6C:				; CODE XREF: CmpLockRegistryFreezeAware+27j
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		jmp	short loc_750D58
CmpLockRegistryFreezeAware endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmpLockRegistryExclusive()
_CmpLockRegistryExclusive@0 proc near	; CODE XREF: CmDeleteLayeredKey(x,x,x)+214p
					; CmpSetKeySecurity(x,x,x,x,x,x)+B3p ...
		mov	ecx, large fs:124h
		xor	dl, dl
		call	_PsBoostThreadIo@8 ; PsBoostThreadIo(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _CmpRegistryLock
		call	ExAcquireResourceExclusiveLite
		retn
_CmpLockRegistryExclusive@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall LOCK_HIVE_LOAD()
_LOCK_HIVE_LOAD@0 proc near		; CODE XREF: CmpTryToRundownHive+DEp
					; CmpTryToRundownHive:loc_432EF2p ...
		mov	edi, edi
		push	esi
		mov	esi, large fs:124h
		dec	word ptr [esi+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpLoadHiveLock
		call	ExAcquirePushLockExclusiveEx
		mov	ds:_CmpLoadHiveLockOwner, esi
		pop	esi
		retn
_LOCK_HIVE_LOAD@0 endp


;  S U B	R O U T	I N E 


; __stdcall HvLockHiveFlusherExclusive(x)
_HvLockHiveFlusherExclusive@4 proc near	; CODE XREF: CmpRecheckHiveVolumePolicy(x)+Ep
					; CmpRecheckHiveVolumePolicy(x)+6Bp ...
		add	ecx, 24h
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_HvLockHiveFlusherExclusive@4 endp


;  S U B	R O U T	I N E 


; __stdcall HvUnlockHiveFlusherExclusive(x)
_HvUnlockHiveFlusherExclusive@4	proc near
					; CODE XREF: CmpRecheckHiveVolumePolicy(x):loc_433E19p
					; CmpRecheckHiveVolumePolicy(x)+9Bp ...
		mov	edi, edi
		push	esi
		lea	esi, [ecx+24h]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_750DE9

loc_750DE1:				; CODE XREF: HvUnlockHiveFlusherExclusive(x)+22j
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
; 

loc_750DE9:				; CODE XREF: HvUnlockHiveFlusherExclusive(x)+11j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_750DE1
_HvUnlockHiveFlusherExclusive@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogFlushPhaseStart(x, x)
_CmpLogFlushPhaseStart@8 proc near	; CODE XREF: CmpFlushHive+361p
					; CmpFlushHive+3ADp ...

var_39		= dword	ptr -39h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	dword_6B2348, 4
		jbe	short loc_750E3C
		lea	eax, [ebp+var_39]
		mov	byte ptr [ebp+var_39], dl
		mov	[ebp+var_18], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_39+1]
		mov	[ebp+var_14], ecx
		push	eax
		push	3
		push	ecx
		push	ecx
		push	offset loc_41A31D
		push	offset dword_6B2348
		mov	[ebp+var_10], 1
		mov	[ebp+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_750E3C:				; CODE XREF: CmpLogFlushPhaseStart(x,x)+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpLogFlushPhaseStart@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogFlushPhaseEnd(x, x, x)
_CmpLogFlushPhaseEnd@12	proc near	; CODE XREF: CmpFlushHive+37Bp
					; CmpFlushHive+3E5p ...

var_54		= dword	ptr -54h
var_4D		= dword	ptr -4Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	esi
		push	4
		pop	esi
		cmp	dword_6B2348, esi
		jbe	short loc_750EA9
		lea	eax, [ebp+var_4D]
		mov	byte ptr [ebp+var_4D], dl
		mov	[ebp+var_2C], eax
		xor	ecx, ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_4D+1]
		push	eax
		push	esi
		push	ecx
		push	ecx
		push	offset loc_41A2EE
		push	offset dword_6B2348
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], 1
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_750EA9:				; CODE XREF: CmpLogFlushPhaseEnd(x,x,x)+1Cj
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpLogFlushPhaseEnd@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTraceHiveFlushStop proc near		; CODE XREF: CmpFlushHive+128p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_FLUSH_STOP
		mov	[ebp+var_2C], ecx
		lea	edi, [ebp+var_28]
		lea	eax, [ebp+var_28]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8D0799

loc_750EFA:				; CODE XREF: CmpLockRegistryFreezeAware+17FA96j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpTraceHiveFlushStop endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspValidateJobChainLimits(x, x, x, x)
_PspValidateJobChainLimits@16 proc near	; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+A9p
					; PspAssignProcessToJob+174p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, edx
		shr	esi, 0Fh
		not	esi
		push	edi
		mov	edi, ecx
		and	esi, 1
		jmp	short loc_750F37
; 

loc_750F22:				; CODE XREF: PspValidateJobChainLimits(x,x,x,x)+31j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	esi
		call	PspValidateJobAssignmentProcessLimits
		test	eax, eax
		js	short loc_750F3D
		mov	edi, [edi+244h]

loc_750F37:				; CODE XREF: PspValidateJobChainLimits(x,x,x,x)+18j
		cmp	edi, ebx
		jnz	short loc_750F22
		xor	eax, eax

loc_750F3D:				; CODE XREF: PspValidateJobChainLimits(x,x,x,x)+27j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_PspValidateJobChainLimits@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspValidateJobAssignmentProcessLimits proc near
					; CODE XREF: PspValidateJobChainLimits(x,x,x,x)+20p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D07C5 SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		test	dword ptr [edi+0FCh], 4000000h
		jnz	short loc_750F9D

loc_750F5E:				; CODE XREF: PspValidateJobAssignmentProcessLimits+5Fj
					; PspValidateJobAssignmentProcessLimits+17F88Cj
		cmp	dword ptr [esi+2C8h], 0FFFFFFFFh
		jz	short loc_750FCF
		mov	ecx, [esi+0B0h]
		test	cl, 8
		jnz	short loc_750FAC

loc_750F72:				; CODE XREF: PspValidateJobAssignmentProcessLimits+7Bj
		test	cl, 4
		jnz	loc_8D0810

loc_750F7B:				; CODE XREF: PspValidateJobAssignmentProcessLimits+17F8D4j
		mov	eax, [esi+310h]
		test	eax, 20000000h
		jnz	short loc_750FC8
		and	al, 80h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 0C000010Ah

loc_750F96:				; CODE XREF: PspValidateJobAssignmentProcessLimits+87j
					; PspValidateJobAssignmentProcessLimits+8Ej ...
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
; 

loc_750F9D:				; CODE XREF: PspValidateJobAssignmentProcessLimits+16j
		mov	ecx, [esi+0C4h]
		test	ecx, ecx
		jz	short loc_750F5E
		jmp	loc_8D07C5
; 

loc_750FAC:				; CODE XREF: PspValidateJobAssignmentProcessLimits+2Aj
		mov	eax, [esi+90h]
		sub	eax, [esi+2CCh]
		add	eax, [ebp+arg_0]
		cmp	eax, [esi+0B4h]
		jbe	short loc_750F72
		jmp	loc_8D07D7
; 

loc_750FC8:				; CODE XREF: PspValidateJobAssignmentProcessLimits+40j
		mov	eax, 0C000000Dh
		jmp	short loc_750F96
; 

loc_750FCF:				; CODE XREF: PspValidateJobAssignmentProcessLimits+1Fj
					; PspValidateJobAssignmentProcessLimits+17F8A4j ...
		mov	eax, 0C0000044h
		jmp	short loc_750F96
PspValidateJobAssignmentProcessLimits endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspEstablishJobHierarchy proc near	; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+BCp
					; PspAssignProcessToJob+18Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D081F SIZE 000001E5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	ebx, edx
		mov	[ebp+var_4], ebx
		mov	esi, ecx
		stosd
		stosd
		mov	eax, [ebp+arg_4]
		sub	eax, 1
		jnz	short loc_751058
		call	PspBindProcessSessionToJob
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8D09D2
		mov	edx, 73507350h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	edi, [ebp+var_4]
		mov	ecx, esi
		mov	edx, edi
		call	MmLinkJobProcess

loc_75101F:				; CODE XREF: PspEstablishJobHierarchy+17F9FFj
		cmp	dword ptr [esi+324h], 0
		mov	ecx, [esi+328h]
		jnz	loc_751229
		test	ecx, ecx
		jnz	loc_8D09DA

loc_75103A:				; CODE XREF: PspEstablishJobHierarchy+243j
					; PspEstablishJobHierarchy+25Aj ...
		test	edi, edi
		jz	short loc_75104F
		test	ebx, ebx
		js	short loc_75104F
		cmp	ds:_PsCpuFairShareEnabled, 0
		jnz	loc_8D09E5

loc_75104F:				; CODE XREF: PspEstablishJobHierarchy+66j
					; PspEstablishJobHierarchy+6Aj	...
		mov	eax, ebx

loc_751051:				; CODE XREF: PspEstablishJobHierarchy+17F8A1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_751058:				; CODE XREF: PspEstablishJobHierarchy+20j
		sub	eax, 1
		jz	loc_8D0848
		sub	eax, 1
		jz	loc_8D0982
		sub	eax, 1
		jnz	loc_8D081F

loc_751073:				; CODE XREF: PspEstablishJobHierarchy+17F84Cj
					; PspEstablishJobHierarchy+17F85Aj
		mov	edi, [ebp+arg_0]
		and	[ebp+var_8], 0
		mov	eax, [edi+254h]
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, 2
		ja	loc_8D0851

loc_75108D:				; CODE XREF: PspEstablishJobHierarchy+17F896j
		cmp	[ebp+arg_4], 4
		jnz	loc_8D087C

loc_751097:				; CODE XREF: PspEstablishJobHierarchy+17F8B0j
		mov	edx, ebx
		mov	ecx, esi
		call	PspBindProcessSessionToJob
		mov	ebx, eax
		test	ebx, ebx
		js	loc_75120B

loc_7510AA:				; CODE XREF: PspEstablishJobHierarchy+17F8AAj
		mov	ecx, [esi+220h]
		test	ecx, ecx
		jnz	loc_8D088B
		mov	eax, [edi+220h]
		test	eax, eax
		jnz	loc_75121E

loc_7510C6:				; CODE XREF: PspEstablishJobHierarchy+24Ej
					; PspEstablishJobHierarchy+17F908j
		cmp	[ebp+arg_4], 4
		mov	ecx, esi
		jnz	loc_8D08E3

loc_7510D2:				; CODE XREF: PspEstablishJobHierarchy+17F90Fj
		mov	edx, 73507350h
		call	ObfReferenceObjectWithTag
		lea	ecx, [edi+23Ch]
		mov	edx, [ecx+4]
		lea	eax, [esi+234h]
		cmp	[edx], ecx
		jnz	loc_751235
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		mov	[esi+244h], edi
		mov	eax, [edi+248h]
		mov	[esi+248h], eax
		mov	al, [edi+1A6h]
		inc	al
		mov	[esi+1A6h], al
		mov	eax, [ebp+arg_0]
		mov	[esi+254h], eax
		cmp	eax, 2
		ja	loc_8D08EA

loc_75112F:				; CODE XREF: PspEstablishJobHierarchy+17F949j
		cmp	[ebp+arg_4], 4
		mov	ebx, [ebp+var_4]
		jnz	short loc_75114A
		mov	edx, ebx
		mov	ecx, edi
		call	PspUnlinkJobProcess
		mov	edx, ebx
		mov	ecx, esi
		call	MmLinkJobProcess

loc_75114A:				; CODE XREF: PspEstablishJobHierarchy+160j
		xor	edx, edx
		mov	ecx, esi
		call	PspSetEffectiveJobLimits
		mov	eax, [edi+194h]
		add	[esi+194h], eax
		mov	eax, [edi+19Ch]
		add	[esi+19Ch], eax
		mov	eax, [edi+198h]
		add	[esi+198h], eax
		mov	eax, [edi+1A0h]
		add	[esi+1A0h], eax
		mov	eax, [edi+3A8h]
		mov	[esi+3A8h], eax
		mov	eax, [edi+3ACh]
		mov	[esi+3ACh], eax
		mov	ecx, [edi+310h]
		and	ecx, 1841000h
		jz	short loc_7511B2
		lea	eax, [esi+310h]
		lock or	[eax], ecx

loc_7511B2:				; CODE XREF: PspEstablishJobHierarchy+1D1j
		xor	eax, eax
		mov	[ebp+arg_0], eax

loc_7511B7:				; CODE XREF: PspEstablishJobHierarchy+200j
		cmp	eax, 2
		jz	short loc_7511CF
		cmp	eax, 1
		jz	short loc_7511CF
		mov	edx, [edi+184h]
		test	edx, edx
		jnz	loc_8D0924

loc_7511CF:				; CODE XREF: PspEstablishJobHierarchy+1E4j
					; PspEstablishJobHierarchy+1E9j ...
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, 3
		jl	short loc_7511B7
		cmp	dword ptr [edi+324h], 0
		jnz	short loc_7511EF
		mov	edi, [edi+328h]
		test	edi, edi
		jnz	loc_8D0934

loc_7511EF:				; CODE XREF: PspEstablishJobHierarchy+209j
		test	edi, edi
		jnz	loc_8D0934
		cmp	[esi+324h], edi
		jnz	loc_8D0956

loc_751203:				; CODE XREF: PspEstablishJobHierarchy+17F97Bj
					; PspEstablishJobHierarchy+17F984j ...
		cmp	[ebp+arg_4], 7
		jz	short loc_75123A

loc_751209:				; CODE XREF: PspEstablishJobHierarchy+26Fj
		xor	ebx, ebx

loc_75120B:				; CODE XREF: PspEstablishJobHierarchy+CEj
					; PspEstablishJobHierarchy+17F8E7j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	loc_8D0972

loc_751216:				; CODE XREF: PspEstablishJobHierarchy+17F9A7j
					; PspEstablishJobHierarchy+17F9F7j
		mov	edi, [ebp+var_4]
		jmp	loc_75103A
; 

loc_75121E:				; CODE XREF: PspEstablishJobHierarchy+EAj
		mov	[esi+220h], eax
		jmp	loc_7510C6
; 

loc_751229:				; CODE XREF: PspEstablishJobHierarchy+56j
					; PspEstablishJobHierarchy+17FA0Aj
		mov	edx, edi
		call	_IoSetDiskIoAttributionOnProcess@8 ; IoSetDiskIoAttributionOnProcess(x,x)
		jmp	loc_75103A
; 

loc_751235:				; CODE XREF: PspEstablishJobHierarchy+117j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_75123A:				; CODE XREF: PspEstablishJobHierarchy+231j
		lea	eax, [esi+314h]
		lock bts dword ptr [eax], 0
		jmp	short loc_751209
PspEstablishJobHierarchy endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmLinkJobProcess proc near		; CODE XREF: PspEstablishJobHierarchy+44p
					; PspEstablishJobHierarchy+16Fp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D0A04 SIZE 00000073 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		lea	eax, [ebp+var_20]
		mov	[ebp+var_C], ecx
		push	ebx
		mov	[ebp+var_1C], eax
		mov	ebx, edx
		mov	[ebp+var_20], eax
		mov	eax, large fs:124h
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_18], eax
		dec	word ptr [eax+13Eh]
		mov	[ebp+var_4], edi
		nop
		lea	eax, [ebx+41Ch]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_14], eax
		call	ExAcquirePushLockExclusiveEx
		lea	esi, [ebx+3A8h]
		test	byte ptr [esi],	10h
		mov	[ebp+var_10], esi
		jnz	loc_75132C
		lea	esi, [ebx+420h]
		mov	edi, [esi]

loc_7512A3:				; CODE XREF: MmLinkJobProcess+B2j
		cmp	edi, esi
		jz	short loc_7512FC
		mov	eax, [edi+8]
		mov	edx, 6E53694Dh
		push	0
		push	100h
		push	28h
		pop	ecx
		mov	[ebp+var_8], eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8D0A04
		mov	eax, [ebp+var_8]
		lea	edx, [ebp+var_20]
		mov	[ecx+20h], eax
		mov	eax, [edi-8]
		mov	[ecx+10h], eax
		mov	eax, [edi-4]
		mov	[ecx+14h], eax
		lea	eax, [ecx+18h]
		mov	ecx, [ebp+var_1C]
		cmp	[ecx], edx
		jnz	loc_7513F6
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ebp+var_1C], eax
		mov	edi, [edi]
		jmp	short loc_7512A3
; 

loc_7512FC:				; CODE XREF: MmLinkJobProcess+5Dj
		mov	edi, [ebp+var_4]
		jmp	short loc_75130D
; 

loc_751301:				; CODE XREF: MmLinkJobProcess+C9j
		mov	ecx, [eax+8]
		mov	edx, ebx
		push	1
		call	MiRemoveSharedCommitNode

loc_75130D:				; CODE XREF: MmLinkJobProcess+B7j
					; MmLinkJobProcess+17F7C4j
		mov	eax, [esi]
		cmp	eax, esi
		jnz	short loc_751301
		test	edi, edi
		js	loc_8D0A11
		lea	esi, [ebx+3A8h]
		test	byte ptr [esi],	8
		jnz	short loc_75132C
		push	8
		pop	eax
		lock or	[esi], eax

loc_75132C:				; CODE XREF: MmLinkJobProcess+4Dj
					; MmLinkJobProcess+DCj	...
		mov	esi, [ebp+var_C]
		lea	eax, [ebx+1C4h]
		lea	ecx, [esi+18h]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_7513F6
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		mov	[ebx+158h], esi
		or	esi, 0FFFFFFFFh

loc_751356:				; CODE XREF: MmLinkJobProcess+175j
		mov	edi, [ebp+var_20]
		lea	eax, [ebp+var_20]
		cmp	edi, eax
		jz	short loc_7513BF
		cmp	[edi+4], eax
		jnz	loc_7513F6
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	loc_7513F6
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_20], eax
		add	edi, 0FFFFFFE8h
		mov	[eax+4], ecx
		cmp	[ebp+var_4], 0
		jl	short loc_7513B5
		mov	eax, [edi+10h]
		or	eax, [edi+14h]
		mov	ecx, [edi+20h]
		mov	[ebp+var_C], ecx
		jz	short loc_7513B5

loc_751394:				; CODE XREF: MmLinkJobProcess+16Bj
		push	1
		mov	edx, ebx
		call	MiInsertSharedCommitNode
		mov	[ebp+var_4], eax
		test	eax, eax
		js	short loc_7513B5
		add	[edi+10h], esi
		mov	edx, [edi+10h]
		adc	[edi+14h], esi
		or	edx, [edi+14h]
		mov	ecx, [ebp+var_C]
		jnz	short loc_751394

loc_7513B5:				; CODE XREF: MmLinkJobProcess+13Cj
					; MmLinkJobProcess+14Aj ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_751356
; 

loc_7513BF:				; CODE XREF: MmLinkJobProcess+116j
		cmp	[ebp+var_4], 0
		jl	loc_8D0A49

loc_7513C9:				; CODE XREF: MmLinkJobProcess+17F82Aj
		mov	esi, [ebp+var_14]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7513ED

loc_7513D9:				; CODE XREF: MmLinkJobProcess+1ACj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_18]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7513ED:				; CODE XREF: MmLinkJobProcess+18Fj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7513D9
; 

loc_7513F6:				; CODE XREF: MmLinkJobProcess+A0j
					; MmLinkJobProcess+F5j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
MmLinkJobProcess endp


;  S U B	R O U T	I N E 


PspBindProcessSessionToJob proc	near	; CODE XREF: PspEstablishJobHierarchy+22p
					; PspEstablishJobHierarchy+C5p	...

; FUNCTION CHUNK AT 008D0A77 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ecx, edx
		push	edi
		lea	ebx, [esi+0E8h]
		mov	edi, [ebx]
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		mov	edx, eax
		cmp	edi, edx
		jnz	short loc_75141E

loc_751418:				; CODE XREF: PspBindProcessSessionToJob+35j
					; PspBindProcessSessionToJob+17F67Dj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		retn
; 

loc_75141E:				; CODE XREF: PspBindProcessSessionToJob+1Aj
		cmp	edi, 0FFFFFFFFh
		jnz	loc_8D0A7F
		mov	ecx, edx
		or	eax, edi
		lock cmpxchg [ebx], ecx
		cmp	eax, edi
		jz	short loc_751418
		jmp	loc_8D0A77
PspBindProcessSessionToJob endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspIncrementJobChainProcessCounts(x, x, x, x)
_PspIncrementJobChainProcessCounts@16 proc near
					; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+D3p
					; PspAssignProcessToJob+239p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	esi, edi
		cmp	edi, ebx
		jz	short loc_7514AE
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		and	ecx, 8000h

loc_751456:				; CODE XREF: PspIncrementJobChainProcessCounts(x,x,x,x)+51j
		mov	eax, [esi+8Ch]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_751468
		inc	eax
		mov	[esi+8Ch], eax

loc_751468:				; CODE XREF: PspIncrementJobChainProcessCounts(x,x,x,x)+27j
		inc	dword ptr [esi+90h]
		inc	dword ptr [esi+2C8h]
		test	ecx, ecx
		jnz	short loc_7514D5
		test	byte ptr [edx+3A8h], 20h
		jnz	short loc_7514D5

loc_751481:				; CODE XREF: PspIncrementJobChainProcessCounts(x,x,x,x)+A3j
		mov	esi, [esi+244h]
		cmp	esi, ebx
		jnz	short loc_751456
		jmp	short loc_7514AA
; 

loc_75148D:				; CODE XREF: PspIncrementJobChainProcessCounts(x,x,x,x)+74j
		mov	ecx, 0FFDFFFFFh
		lea	eax, [edi+310h]
		lock and [eax],	ecx
		cmp	dword ptr [edi+0D4h], 0
		jnz	short loc_7514B5

loc_7514A4:				; CODE XREF: PspIncrementJobChainProcessCounts(x,x,x,x)+84j
					; PspIncrementJobChainProcessCounts(x,x,x,x)+9Bj
		mov	edi, [edi+244h]

loc_7514AA:				; CODE XREF: PspIncrementJobChainProcessCounts(x,x,x,x)+53j
		cmp	edi, ebx
		jnz	short loc_75148D

loc_7514AE:				; CODE XREF: PspIncrementJobChainProcessCounts(x,x,x,x)+10j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7514B5:				; CODE XREF: PspIncrementJobChainProcessCounts(x,x,x,x)+6Aj
		test	byte ptr [edi+1A8h], 40h
		jz	short loc_7514A4
		mov	eax, [ebp+arg_0]
		mov	ecx, edi
		push	0
		push	dword ptr [eax+0E4h]
		push	6
		pop	edx
		call	_PspSendJobNotification@16 ; PspSendJobNotification(x,x,x,x)
		jmp	short loc_7514A4
; 

loc_7514D5:				; CODE XREF: PspIncrementJobChainProcessCounts(x,x,x,x)+3Ej
					; PspIncrementJobChainProcessCounts(x,x,x,x)+47j
		inc	dword ptr [esi+2CCh]
		jmp	short loc_751481
_PspIncrementJobChainProcessCounts@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspImplicitAssignProcessToJob(x, x,	x)
_PspImplicitAssignProcessToJob@12 proc near ; CODE XREF: PspInsertProcess+60p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[esp+18h+var_8], eax
		mov	edi, ecx
		mov	edx, eax
		push	0
		mov	[esp+1Ch+var_4], edi
		call	PspLockJobChain
		test	[ebp+arg_0], 400h
		jz	short loc_751538
		push	edi
		call	_PsGetEffectiveServerSilo@4 ; PsGetEffectiveServerSilo(x)
		mov	esi, eax

loc_751518:				; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+71j
					; PspImplicitAssignProcessToJob(x,x,x)+88j ...
		test	esi, esi
		jnz	short loc_75157F
		xor	edi, edi

loc_75151E:				; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+9Fj
					; PspImplicitAssignProcessToJob(x,x,x)+B2j ...
		mov	edx, [esp+18h+var_8]
		mov	ecx, [esp+18h+var_4]
		push	0
		call	PspUnlockJobChain
		mov	eax, edi

loc_75152F:				; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+141j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_751538:				; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+30j
		mov	esi, edi
		test	edi, edi
		jz	short loc_751562

loc_75153E:				; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+82j
		mov	eax, [esi+0B0h]
		test	eax, 1000h
		jnz	short loc_751558
		test	byte ptr [ebp+arg_0], 1
		jz	short loc_751518
		test	eax, 800h
		jz	short loc_751562

loc_751558:				; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+6Bj
		mov	esi, [esi+244h]
		test	esi, esi
		jnz	short loc_75153E

loc_751562:				; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+5Ej
					; PspImplicitAssignProcessToJob(x,x,x)+78j
		test	byte ptr [ebp+arg_0], 1
		jz	short loc_751518
		cmp	esi, edi
		jnz	short loc_751518
		test	dword ptr [esi+310h], 40000000h
		jnz	short loc_751518
		mov	edi, 0C0000022h
		jmp	short loc_75151E
; 

loc_75157F:				; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+3Cj
		push	[ebp+arg_0]
		xor	edx, edx
		mov	ecx, esi
		push	ebx
		call	_PspValidateJobChainLimits@16 ;	PspValidateJobChainLimits(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_75151E
		push	1
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	PspEstablishJobHierarchy
		mov	edi, eax
		test	edi, edi
		js	loc_75151E
		push	[ebp+arg_0]
		xor	edx, edx
		mov	ecx, esi
		push	ebx
		call	_PspIncrementJobChainProcessCounts@16 ;	PspIncrementJobChainProcessCounts(x,x,x,x)
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		call	_PspApplyJobChainLimitsToProcess@12 ; PspApplyJobChainLimitsToProcess(x,x,x)
		test	dword ptr [esi+310h], 1000h
		jz	short loc_7515ED
		push	7
		lea	ecx, [ebx+468h]
		pop	esi

loc_7515D5:				; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+102j
		lock bts dword ptr [ecx], 1Fh
		add	ecx, 4
		sub	esi, 1
		jnz	short loc_7515D5
		lea	eax, [ebx+48Ch]
		lock bts dword ptr [eax], 1Fh

loc_7515ED:				; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+ECj
		mov	edx, [esp+18h+var_8]
		mov	ecx, [esp+18h+var_4]
		push	0
		call	PspUnlockJobChain
		mov	ecx, ebx
		call	PspApplyWorkingSetLimitsToProcess
		mov	esi, eax
		test	esi, esi
		js	short loc_75161D
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	MmAssignProcessToJob
		test	eax, eax
		jnz	short loc_75161D
		mov	esi, 0C0000044h

loc_75161D:				; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+129j
					; PspImplicitAssignProcessToJob(x,x,x)+138j
		mov	eax, esi
		jmp	loc_75152F
_PspImplicitAssignProcessToJob@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmAssignProcessToJob proc near		; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+131p
					; PspAssignProcessToJob+2A6p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D0A89 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, large fs:124h
		mov	ebx, ecx
		push	edi
		push	6
		xor	eax, eax
		mov	[ebp+var_2C], edx
		and	[ebp+var_28], eax
		lea	edi, [ebp+var_20]
		pop	ecx
		rep stosd
		mov	[ebp+var_30], esi
		cmp	[esi+80h], ebx
		jz	short loc_751671
		lea	eax, [ebp+var_20]
		mov	[ebp+var_28], 1
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	KiStackAttachProcess

loc_751671:				; CODE XREF: MmAssignProcessToJob+37j
		push	0
		push	0FFFFFFFFh
		or	edx, 0FFFFFFFFh
		mov	ecx, ebx
		call	MiLockVadRange
		mov	edi, eax
		test	edi, edi
		jz	loc_8D0A89

loc_751689:				; CODE XREF: MmAssignProcessToJob+17F46Cj
		mov	edx, ebx
		mov	ecx, esi
		call	_LOCK_PAGE_TABLE_COMMITMENT@8 ;	LOCK_PAGE_TABLE_COMMITMENT(x,x)
		push	[ebp+var_2C]
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebx+158h]
		or	ecx, 3
		mov	edx, [ebx+224h]
		push	ebx
		mov	[ebx+144h], eax
		call	PspChangeJobMemoryUsageByProcess
		push	10h
		mov	[ebp+var_21], al
		lea	esi, [ebx+0F8h]
		pop	eax
		lock or	[esi], eax
		mov	ecx, [ebp+var_30]
		mov	edx, ebx
		call	UNLOCK_PAGE_TABLE_COMMITMENT

loc_7516CC:				; CODE XREF: MmAssignProcessToJob+17F476j
		push	0
		push	edi
		or	edx, 0FFFFFFFFh
		mov	ecx, ebx
		call	_MiUnlockVadRange@16 ; MiUnlockVadRange(x,x,x,x)
		cmp	[ebp+var_28], 0
		jz	short loc_7516E9
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_7516E9:				; CODE XREF: MmAssignProcessToJob+B9j
		mov	ecx, [ebp+var_8]
		movzx	eax, [ebp+var_21]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
MmAssignProcessToJob endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspApplyWorkingSetLimitsToProcess proc near
					; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+120p
					; PspAssignProcessToJob+289p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D0A9F SIZE 00000050 BYTES

		push	40h
		push	offset dword_6A0410
		call	__SEH_prolog4_GS
		mov	esi, ecx
		mov	[ebp+var_40], esi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_38]
		rep stosd
		mov	ecx, large fs:124h
		mov	[ebp+var_3C], ecx
		mov	edi, [esi+158h]
		xor	ebx, ebx
		lea	eax, [ebp+var_38]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	eax, [ebp+var_3C]
		dec	word ptr [eax+13Eh]
		nop
		lea	esi, [edi+20h]
		push	1
		push	esi
		call	ExAcquireResourceExclusiveLite
		mov	eax, [edi+170h]
		mov	[ebp+var_4C], eax
		mov	eax, [edi+174h]
		mov	[ebp+var_48], eax
		mov	eax, [edi+18Ch]
		not	eax
		and	eax, 1
		inc	eax
		mov	[ebp+var_44], eax
		xor	edx, edx
		mov	ecx, offset dword_6BEF18
		call	ExAcquirePushLockExclusiveEx
		add	edi, 310h
		mov	eax, 100h
		lock or	[edi], eax
		mov	ecx, esi
		call	ExReleaseResourceLite
		mov	esi, [ebp+var_44]
		cmp	esi, 2
		jnz	loc_8D0A9F

loc_75179C:				; CODE XREF: PspApplyWorkingSetLimitsToProcess+17F3B4j
		mov	edx, esi
		mov	esi, [ebp+var_40]
		mov	ecx, esi
		call	MmEnforceWorkingSetLimit
		mov	eax, 0FFFFFEFFh
		lock and [edi],	eax
		or	eax, 0FFFFFFFFh
		mov	edi, offset dword_6BEF18
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_75182D

loc_7517C2:				; CODE XREF: PspApplyWorkingSetLimitsToProcess+136j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_3C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edi, [esi+17Ch]
		test	edi, edi
		jz	short loc_751811
		test	byte ptr [esi+0FCh], 8
		jnz	short loc_751836
		lea	ecx, [esi+0F0h]
		mov	[ebp+var_40], ecx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_75183A
		and	[ebp+ms_exc.disabled], 0
		lea	eax, [edi+28h]
		lock bts dword ptr [eax], 0

loc_751802:				; CODE XREF: sub_8D0AFD+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_40]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_751811:				; CODE XREF: PspApplyWorkingSetLimitsToProcess+DBj
					; PspApplyWorkingSetLimitsToProcess+13Aj ...
		xor	edx, edx
		lea	ecx, [ebp+var_38]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_75182D:				; CODE XREF: PspApplyWorkingSetLimitsToProcess+C2j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7517C2
; 

loc_751836:				; CODE XREF: PspApplyWorkingSetLimitsToProcess+E4j
		xor	ebx, ebx
		jmp	short loc_751811
; 

loc_75183A:				; CODE XREF: PspApplyWorkingSetLimitsToProcess+F6j
		mov	ebx, 0C000010Ah
		jmp	short loc_751811
PspApplyWorkingSetLimitsToProcess endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspApplyJobChainLimitsToProcess(x, x, x)
_PspApplyJobChainLimitsToProcess@12 proc near
					; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+DDp
					; PspAssignProcessToJob+244p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		xor	edx, edx
		mov	ecx, esi
		call	PspApplyJobLimitsToProcess
		mov	edx, [edi+220h]
		test	edx, edx
		jnz	short loc_7518C0

loc_751864:				; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+92j
		push	0
		mov	ecx, edi
		call	_PspComputeExecutionState@4 ; PspComputeExecutionState(x)
		mov	edx, eax
		mov	ecx, esi
		call	PspRequestProcessExecutionState
		cmp	dword ptr [edi+198h], 0
		ja	short loc_7518D6

loc_75187F:				; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+A2j
					; PspApplyJobChainLimitsToProcess(x,x,x)+C5j
		test	dword ptr [edi+310h], 40000h
		jnz	short loc_7518B6

loc_75188B:				; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+7Cj
		push	dword ptr [edi+3ACh]
		push	dword ptr [edi+3A8h]
		push	8
		push	esi
		call	PsUpdateComponentPower
		push	20h
		push	4
		lea	ecx, [esi+0F8h]
		pop	edx
		call	@RtlInterlockedSetClearBits@12 ; RtlInterlockedSetClearBits(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7518B6:				; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+47j
		lea	eax, [esi+64h]
		lock bts dword ptr [eax], 4
		jmp	short loc_75188B
; 

loc_7518C0:				; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+20j
		test	ebx, ebx
		jnz	short loc_7518E6

loc_7518C4:				; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+ABj
		cmp	ds:_PsCpuFairShareEnabled, 0
		jnz	short loc_7518EF

loc_7518CD:				; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+BCj
		mov	ecx, esi
		call	PspSetProcessSchedulingGroup
		jmp	short loc_751864
; 

loc_7518D6:				; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+3Bj
		test	ebx, ebx
		jnz	short loc_751900

loc_7518DA:				; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+CBj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_PspNotifyProcessBackgroundTransition@8	; PspNotifyProcessBackgroundTransition(x,x)
		jmp	short loc_75187F
; 

loc_7518E6:				; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+80j
		cmp	dword ptr [ebx+220h], 0
		jz	short loc_7518C4

loc_7518EF:				; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+89j
		xor	edx, edx
		mov	ecx, esi
		call	PspSetProcessSchedulingGroup
		mov	edx, [edi+220h]
		jmp	short loc_7518CD
; 

loc_751900:				; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+96j
		cmp	dword ptr [ebx+198h], 0
		jnz	loc_75187F
		jmp	short loc_7518DA
_PspApplyJobChainLimitsToProcess@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoEnergyContextUpdateComponentPower(x, x, x, x)
_PoEnergyContextUpdateComponentPower@16	proc near ; CODE XREF: PsUpdateComponentPower+13Bp
					; NtSetThreadExecutionState+12Bp ...

var_B2		= byte ptr -0B2h
var_B1		= byte ptr -0B1h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	eax, [esp+0C0h+var_98]
		push	90h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, [ebx+3E0h]
		mov	edi, edx
		mov	[esp+0CCh+var_A0], ebx
		mov	[esp+0CCh+var_A8], esi
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	loc_751EF1
		mov	eax, large fs:124h
		lea	ecx, [esi+1B0h]
		mov	[esp+0C0h+var_9C], ecx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+1B4h], eax
		lea	eax, [edi-4]	; switch 11 cases
		cmp	eax, 0Ah
		ja	loc_751ED5	; default
		jmp	ds:off_751F08[eax*4] ; switch jump

loc_75199B:				; DATA XREF: PAGE:off_751F08o
		call	_KeQueryTimelineBitmapTime@0 ; case 0x7
		mov	edx, eax
		or	edi, 0FFFFFFFFh
		mov	eax, [ebp+arg_0]
		test	ax, ax
		jz	short loc_7519D5
		mov	ebx, [esi+80h]
		movzx	eax, ax
		mov	ecx, eax
		not	ecx
		cmp	ecx, ebx
		jb	short loc_7519C2
		add	eax, ebx
		jmp	short loc_7519C4
; 

loc_7519C2:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+ACj
		mov	eax, edi

loc_7519C4:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+B0j
		lea	ecx, [esi+140h]
		mov	[esi+80h], eax
		call	_RtlTimelineBitmapUpdate@8 ; RtlTimelineBitmapUpdate(x,x)

loc_7519D5:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+9Bj
		mov	ax, word ptr [ebp+arg_0+2]
		test	ax, ax
		jz	short loc_751A05
		mov	ebx, [esi+84h]
		movzx	ecx, ax
		mov	eax, ecx
		not	eax
		cmp	eax, ebx
		lea	eax, [ebx+ecx]
		jnb	short loc_7519F4
		mov	eax, edi

loc_7519F4:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+E0j
		lea	ecx, [esi+148h]
		mov	[esi+84h], eax
		call	_RtlTimelineBitmapUpdate@8 ; RtlTimelineBitmapUpdate(x,x)

loc_751A05:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+CCj
		mov	eax, [ebp+arg_4]
		test	ax, ax
		jz	loc_751ED5	; default
		mov	ebx, [esi+88h]
		movzx	ecx, ax
		mov	eax, ecx
		not	eax
		cmp	eax, ebx
		jb	short loc_751A25
		lea	edi, [ebx+ecx]

loc_751A25:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+110j
		mov	[esi+88h], edi
		lea	ecx, [esi+150h]

loc_751A31:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+1E6j
					; PoEnergyContextUpdateComponentPower(x,x,x,x)+380j
		call	_RtlTimelineBitmapUpdate@8 ; RtlTimelineBitmapUpdate(x,x)
		jmp	loc_751ED5	; default
; 

loc_751A3B:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+84j
					; DATA XREF: PAGE:off_751F08o
		mov	eax, [esi+180h]	; case 0x9
		mov	edx, 0FFDF0324h
		mov	ecx, ds:0FFDF0004h
		mov	[esp+0C0h+var_AC], eax
		mov	eax, [esi+184h]
		mov	edi, [edx]
		lea	ebx, [edx-4]
		mov	[esp+0C0h+var_A4], eax
		mov	eax, [ebx]
		mov	[esp+0C0h+var_B0], eax
		lea	eax, [edx+4]
		mov	eax, [eax]
		mov	[esp+0C0h+var_A0], ecx
		cmp	edi, eax
		jz	short loc_751A8B
		lea	esi, [edx+4]

loc_751A75:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+16Fj
		pause
		mov	edi, [edx]
		mov	eax, [ebx]
		mov	ecx, [esi]
		cmp	edi, ecx
		jnz	short loc_751A75
		mov	esi, [esp+0C0h+var_A8]
		mov	ecx, [esp+0C0h+var_A0]
		jmp	short loc_751A8F
; 

loc_751A8B:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+160j
		mov	eax, [esp+0C0h+var_B0]

loc_751A8F:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+179j
		mul	ecx
		shl	edi, 8
		imul	edi, ecx
		shrd	eax, edx, 18h
		add	eax, edi
		mov	ecx, eax
		mov	[esp+0C0h+var_B0], eax
		sub	ecx, [esp+0C0h+var_AC]
		mov	eax, 3E8h
		cmp	ecx, eax
		jbe	short loc_751AB2
		mov	ecx, eax

loc_751AB2:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+19Ej
		or	edi, 0FFFFFFFFh
		mov	edx, 7FFFFFFFh
		cmp	ecx, edi
		jnb	short loc_751ACF
		mov	ebx, [esp+0C0h+var_A4]
		mov	eax, ecx
		and	ebx, edx
		not	eax
		cmp	eax, ebx
		jb	short loc_751ACF
		lea	edi, [ebx+ecx]

loc_751ACF:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+1ACj
					; PoEnergyContextUpdateComponentPower(x,x,x,x)+1BAj
		mov	eax, [esp+0C0h+var_A4]
		xor	edi, eax
		mov	ecx, [esp+0C0h+var_B0]
		and	edi, edx
		xor	eax, edi
		mov	[esi+180h], ecx
		mov	[esi+184h], eax
		call	_KeQueryTimelineBitmapTime@0 ; KeQueryTimelineBitmapTime()
		lea	ecx, [esi+158h]

loc_751AF4:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+207j
					; PoEnergyContextUpdateComponentPower(x,x,x,x)+29Cj
		mov	edx, eax
		jmp	loc_751A31
; 

loc_751AFB:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+84j
					; DATA XREF: PAGE:off_751F08o
		inc	dword ptr [esi+1ACh] ; case 0xE
		jmp	loc_751ED5	; default
; 

loc_751B06:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+84j
					; DATA XREF: PAGE:off_751F08o
		inc	dword ptr [esi+1A8h] ; case 0xD
		call	_KeQueryTimelineBitmapTime@0 ; KeQueryTimelineBitmapTime()
		lea	ecx, [esi+178h]
		jmp	short loc_751AF4
; 

loc_751B19:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+84j
					; DATA XREF: PAGE:off_751F08o
		cmp	[ebp+arg_0], 0	; case 0xA
		mov	edx, 0FFDF0324h
		setnz	[esp+0C0h+var_B1]
		xor	eax, eax
		cmp	edi, 0Bh
		lea	ebx, [edx-4]
		setz	al
		lea	ecx, [edx+4]
		lea	eax, ds:160h[eax*8]
		add	eax, esi
		mov	[esp+0C0h+var_A8], eax
		xor	eax, eax
		cmp	edi, 0Bh
		setz	al
		lea	eax, ds:188h[eax*8]
		add	eax, esi
		mov	esi, [edx]
		mov	edi, [ebx]
		mov	[esp+0C0h+var_B0], eax
		mov	eax, ds:0FFDF0004h
		mov	[esp+0C0h+var_AC], eax
		mov	eax, [ecx]
		cmp	esi, eax
		jz	short loc_751B7B

loc_751B6A:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+269j
		pause
		mov	esi, [edx]
		mov	edi, [ebx]
		mov	ecx, [ecx]
		cmp	esi, ecx
		mov	ecx, 0FFDF0328h
		jnz	short loc_751B6A

loc_751B7B:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+258j
		mov	bl, [esp+0C0h+var_B1]
		mov	eax, edi
		mul	[esp+0C0h+var_AC]
		mov	ecx, [esp+0C0h+var_B0]
		shl	esi, 8
		imul	esi, [esp+0C0h+var_AC]
		shrd	eax, edx, 18h
		mov	dl, bl
		add	eax, esi
		push	eax
		call	_RtlStateDurationUpdate@12 ; RtlStateDurationUpdate(x,x,x)
		mov	edx, eax
		call	_KeQueryTimelineBitmapTime@0 ; KeQueryTimelineBitmapTime()
		mov	ecx, [esp+0C0h+var_A8]
		test	bl, bl
		jnz	loc_751AF4
		shr	edx, 0Ch
		push	eax
		sub	eax, edx

loc_751BB8:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+449j
		mov	edx, eax
		call	_RtlTimelineBitmapUpdateRange@12 ; RtlTimelineBitmapUpdateRange(x,x,x)
		jmp	loc_751ED5	; default
; 

loc_751BC4:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+84j
					; DATA XREF: PAGE:off_751F08o
		lea	eax, [esi+170h]	; case 0xC
		mov	[esp+0C0h+var_A8], eax
		lea	ecx, [esi+198h]
		mov	eax, [ebp+arg_0]
		mov	[esp+0C0h+var_A0], ecx
		cmp	eax, 3
		jnz	loc_751C95
		cmp	dword ptr [ecx+4], 0
		jl	loc_751ED5	; default
		mov	eax, [ecx]
		mov	edx, 0FFDF0324h
		mov	[esp+0C0h+var_B0], eax
		mov	eax, [ecx+4]
		mov	[esp+0C0h+var_A4], eax
		mov	esi, [edx]
		lea	ebx, [edx-4]
		mov	eax, ds:0FFDF0004h
		lea	ecx, [edx+4]
		mov	edi, [ebx]
		mov	[esp+0C0h+var_AC], eax
		mov	eax, [ecx]
		cmp	esi, eax
		jz	short loc_751C2A

loc_751C19:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+318j
		pause
		mov	esi, [edx]
		mov	edi, [ebx]
		mov	ecx, [ecx]
		cmp	esi, ecx
		mov	ecx, 0FFDF0328h
		jnz	short loc_751C19

loc_751C2A:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+307j
		mov	eax, edi
		shl	esi, 8
		mul	[esp+0C0h+var_AC]
		imul	esi, [esp+0C0h+var_AC]
		shrd	eax, edx, 18h
		add	eax, esi
		mov	ecx, eax
		mov	[esp+0C0h+var_AC], eax
		sub	ecx, [esp+0C0h+var_B0]
		mov	eax, 1000h
		cmp	ecx, eax
		jbe	short loc_751C53
		mov	ecx, eax

loc_751C53:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+33Fj
		mov	ebx, [esp+0C0h+var_A4]
		or	edi, 0FFFFFFFFh
		mov	edx, 7FFFFFFFh
		cmp	ecx, edi
		jnb	short loc_751C72
		mov	esi, ebx
		mov	eax, ecx
		and	esi, edx
		not	eax
		cmp	eax, esi
		jb	short loc_751C72
		lea	edi, [esi+ecx]

loc_751C72:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+351j
					; PoEnergyContextUpdateComponentPower(x,x,x,x)+35Dj
		mov	eax, [esp+0C0h+var_A0]
		xor	edi, ebx
		and	edi, edx
		mov	edx, [esp+0C0h+var_AC]
		xor	ebx, edi
		mov	[eax], edx
		mov	[eax+4], ebx
		call	_KeQueryTimelineBitmapTime@0 ; KeQueryTimelineBitmapTime()

loc_751C8A:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+439j
		mov	ecx, [esp+0C0h+var_A8]
		mov	edx, eax
		jmp	loc_751A31
; 

loc_751C95:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+2CEj
		cmp	eax, 1
		jz	short loc_751CA3
		cmp	eax, 2
		jnz	loc_751ED5	; default

loc_751CA3:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+388j
		mov	edi, [esi+1C8h]
		mov	[esp+0C0h+var_A4], edi
		cmp	eax, 1
		jnz	short loc_751CC7
		inc	edi
		mov	[esp+0C0h+var_A4], edi
		mov	[esi+1C8h], edi
		cmp	edi, eax
		ja	loc_751ED5	; default
		jmp	short loc_751CDE
; 

loc_751CC7:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+3A0j
		test	edi, edi
		jz	short loc_751CE0
		sub	edi, 1
		mov	[esp+0C0h+var_A4], edi
		mov	[esi+1C8h], edi
		jnz	loc_751ED5	; default

loc_751CDE:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+3B5j
		test	edi, edi

loc_751CE0:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+3B9j
		mov	eax, ds:0FFDF0004h
		mov	edx, 0FFDF0324h
		mov	[esp+0C0h+var_B0], eax
		setnz	[esp+0C0h+var_B1]
		mov	esi, [edx]
		lea	ebx, [edx-4]
		mov	eax, [ebx]
		mov	[esp+0C0h+var_AC], eax
		lea	eax, [edx+4]
		mov	eax, [eax]
		cmp	esi, eax
		jz	short loc_751D20
		lea	edi, [edx+4]

loc_751D0A:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+404j
		pause
		mov	esi, [edx]
		mov	eax, [ebx]
		mov	ecx, [edi]
		cmp	esi, ecx
		jnz	short loc_751D0A
		mov	edi, [esp+0C0h+var_A4]
		mov	ecx, [esp+0C0h+var_A0]
		jmp	short loc_751D24
; 

loc_751D20:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+3F5j
		mov	eax, [esp+0C0h+var_AC]

loc_751D24:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+40Ej
		mul	[esp+0C0h+var_B0]
		shl	esi, 8
		imul	esi, [esp+0C0h+var_B0]
		shrd	eax, edx, 18h
		mov	dl, [esp+0C0h+var_B1]
		add	eax, esi
		push	eax
		call	_RtlStateDurationUpdate@12 ; RtlStateDurationUpdate(x,x,x)
		mov	ecx, eax
		call	_KeQueryTimelineBitmapTime@0 ; KeQueryTimelineBitmapTime()
		test	edi, edi
		jnz	loc_751C8A
		shr	ecx, 0Ch
		push	eax
		sub	eax, ecx
		mov	ecx, [esp+0C4h+var_A8]
		jmp	loc_751BB8
; 

loc_751D5E:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+84j
					; DATA XREF: PAGE:off_751F08o
		cmp	[ebp+arg_0], 0	; case 0x4
		mov	edx, 0FFDF0324h
		mov	ecx, ds:0FFDF0004h
		setnz	[esp+0C0h+var_B1]
		mov	[esp+0C0h+var_AC], ecx
		mov	edi, [edx]
		lea	ebx, [edx-4]
		mov	eax, [ebx]
		mov	[esp+0C0h+var_B0], eax
		lea	eax, [edx+4]
		mov	eax, [eax]
		cmp	edi, eax
		jz	short loc_751DA3
		lea	esi, [edx+4]

loc_751D8D:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+487j
		pause
		mov	edi, [edx]
		mov	eax, [ebx]
		mov	ecx, [esi]
		cmp	edi, ecx
		jnz	short loc_751D8D
		mov	esi, [esp+0C0h+var_A8]
		mov	ecx, [esp+0C0h+var_AC]
		jmp	short loc_751DA7
; 

loc_751DA3:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+478j
		mov	eax, [esp+0C0h+var_B0]

loc_751DA7:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+491j
		mov	bl, [esp+0C0h+var_B1]
		mul	ecx
		shl	edi, 8
		imul	edi, ecx
		lea	ecx, [esi+68h]
		shrd	eax, edx, 18h
		mov	dl, bl
		add	eax, edi
		push	eax
		call	_RtlStateDurationUpdate@12 ; RtlStateDurationUpdate(x,x,x)
		mov	edi, eax
		call	_KeQueryTimelineBitmapTime@0 ; KeQueryTimelineBitmapTime()
		movzx	edx, word ptr [esi+1C0h]
		lea	ecx, [esi+130h]
		test	bl, bl
		jz	short loc_751DF2
		or	edx, 1

loc_751DDF:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+56Ej
		mov	[esi+1C0h], dx
		mov	edx, eax
		call	_RtlTimelineBitmapUpdate@8 ; RtlTimelineBitmapUpdate(x,x)
		jmp	loc_751E9D
; 

loc_751DF2:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+4CAj
		and	edx, 0FFFEh
		jmp	loc_751E89
; 

loc_751DFD:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+84j
					; DATA XREF: PAGE:off_751F08o
		cmp	[ebp+arg_0], 0	; case 0x5
		mov	edx, 0FFDF0324h
		mov	ecx, ds:0FFDF0004h
		setnz	[esp+0C0h+var_B1]
		mov	[esp+0C0h+var_AC], ecx
		mov	edi, [edx]
		lea	ebx, [edx-4]
		mov	eax, [ebx]
		mov	[esp+0C0h+var_B0], eax
		lea	eax, [edx+4]
		mov	eax, [eax]
		cmp	edi, eax
		jz	short loc_751E42
		lea	esi, [edx+4]

loc_751E2C:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+526j
		pause
		mov	edi, [edx]
		mov	eax, [ebx]
		mov	ecx, [esi]
		cmp	edi, ecx
		jnz	short loc_751E2C
		mov	esi, [esp+0C0h+var_A8]
		mov	ecx, [esp+0C0h+var_AC]
		jmp	short loc_751E46
; 

loc_751E42:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+517j
		mov	eax, [esp+0C0h+var_B0]

loc_751E46:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+530j
		mov	bl, [esp+0C0h+var_B1]
		mul	ecx
		shl	edi, 8
		imul	edi, ecx
		lea	ecx, [esi+70h]
		shrd	eax, edx, 18h
		mov	dl, bl
		add	eax, edi
		push	eax
		call	_RtlStateDurationUpdate@12 ; RtlStateDurationUpdate(x,x,x)
		mov	edi, eax
		call	_KeQueryTimelineBitmapTime@0 ; KeQueryTimelineBitmapTime()
		movzx	edx, word ptr [esi+1C0h]
		lea	ecx, [esi+138h]
		test	bl, bl
		jz	short loc_751E83
		or	edx, 2
		jmp	loc_751DDF
; 

loc_751E83:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+569j
		and	edx, 0FFFDh

loc_751E89:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+4E8j
		shr	edi, 0Ch
		push	eax
		sub	eax, edi
		mov	[esi+1C0h], dx
		mov	edx, eax
		call	_RtlTimelineBitmapUpdateRange@12 ; RtlTimelineBitmapUpdateRange(x,x,x)

loc_751E9D:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+4DDj
		mov	ecx, [esp+0C0h+var_A0]
		call	_PopEtEnergyContextProcessStateUpdate@4	; PopEtEnergyContextProcessStateUpdate(x)
		jmp	short loc_751ED5 ; default
; 

loc_751EA8:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+84j
					; DATA XREF: PAGE:off_751F08o
		push	88h		; case 0x8
		lea	eax, [esp+0C4h+var_90]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		lea	edx, [esp+0CCh+var_98]
		add	esp, 0Ch
		mov	[esp+0C0h+var_98], eax
		mov	eax, [ebp+arg_4]
		mov	ecx, ebx
		mov	[esp+0C0h+var_94], eax
		call	_PopEtEnergyContextSetState@8 ;	PopEtEnergyContextSetState(x,x)

loc_751ED5:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+7Ej
					; PoEnergyContextUpdateComponentPower(x,x,x,x)+84j ...
		mov	eax, [esp+0C0h+var_9C] ; default
		cmp	dword ptr [eax+4], 0
		jz	short loc_751EE3
		and	dword ptr [eax+4], 0

loc_751EE3:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+5CDj
		xor	edx, edx
		mov	ecx, eax
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_751EF1:				; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+47j
		mov	ecx, [esp+0C0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_PoEnergyContextUpdateComponentPower@16	endp

; 
off_751F08	dd offset loc_751D5E	; DATA XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+84r
		dd offset loc_751DFD	; jump table for switch	statement
		dd offset loc_751ED5
		dd offset loc_75199B
		dd offset loc_751EA8
		dd offset loc_751A3B
		dd offset loc_751B19
		dd offset loc_751B19
		dd offset loc_751BC4
		dd offset loc_751B06
		dd offset loc_751AFB

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtEnergyContextSetState(x, x)
_PopEtEnergyContextSetState@8 proc near	; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+5C0p
					; PoSetProcessEnergyTrackingState+90p

var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		mov	eax, ecx
		mov	ebx, edx
		push	esi
		push	edi
		mov	[esp+28h+var_4], eax
		mov	edi, [eax+3E0h]
		xor	eax, eax
		test	byte ptr [ebx+0Ch], 1
		mov	esi, eax
		mov	[esp+28h+var_10], edi
		mov	[esp+28h+var_C], eax
		mov	[esp+28h+var_14], esi
		mov	[esp+28h+var_15], al
		jz	short loc_751FBD
		lea	ecx, [ebx+10h]
		mov	edx, ecx
		lea	eax, [edx+2]
		mov	[esp+28h+var_8], eax

loc_751F76:				; CODE XREF: PopEtEnergyContextSetState(x,x)+4Dj
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [esp+28h+var_C]
		jnz	short loc_751F76
		sub	edx, [esp+28h+var_8]
		sar	edx, 1
		jz	short loc_751FA7
		lea	eax, [esp+28h+var_14]
		push	eax
		call	_PopEtStringIntern@12 ;	PopEtStringIntern(x,x,x)
		mov	esi, [esp+28h+var_14]
		mov	edi, eax
		test	edi, edi
		js	loc_752078
		mov	edi, [esp+28h+var_10]

loc_751FA7:				; CODE XREF: PopEtEnergyContextSetState(x,x)+55j
		lea	ecx, [edi+1BCh]
		cmp	[ecx], esi
		jz	short loc_751FBD
		mov	edx, esi
		call	_PopEtStringSet@8 ; PopEtStringSet(x,x)
		mov	[esp+28h+var_15], 1

loc_751FBD:				; CODE XREF: PopEtEnergyContextSetState(x,x)+34j
					; PopEtEnergyContextSetState(x,x)+7Bj
		mov	eax, [ebx]
		mov	ecx, [edi+1C0h]
		not	eax
		and	eax, ecx
		movzx	edx, ax
		or	edx, [ebx+4]
		movzx	eax, cx
		mov	[esp+28h+var_C], edx
		cmp	eax, edx
		jz	loc_752063
		mov	ebx, ds:0FFDF0004h
		mov	esi, 0FFDF0324h
		mov	[esp+28h+var_8], ebx
		mov	edi, [esi]
		lea	edx, [esi-4]
		mov	edx, [edx]
		lea	ecx, [esi+4]
		mov	eax, [ecx]
		cmp	edi, eax
		jz	short loc_752015
		lea	ebx, [esi-4]

loc_752000:				; CODE XREF: PopEtEnergyContextSetState(x,x)+DBj
		pause
		mov	edi, [esi]
		mov	edx, [ebx]
		mov	ecx, [ecx]
		cmp	edi, ecx
		mov	ecx, 0FFDF0328h
		jnz	short loc_752000
		mov	ebx, [esp+28h+var_8]

loc_752015:				; CODE XREF: PopEtEnergyContextSetState(x,x)+C7j
		mov	eax, edx
		shl	edi, 8
		mul	ebx
		imul	edi, ebx
		mov	ebx, [esp+28h+var_10]
		mov	esi, eax
		shrd	esi, edx, 18h
		lea	ecx, [ebx+78h]
		add	esi, edi
		mov	edi, [esp+28h+var_C]
		mov	edx, edi
		shr	edx, 2
		push	esi
		and	dl, 1
		call	_RtlStateDurationUpdate@12 ; RtlStateDurationUpdate(x,x,x)
		mov	edx, edi
		lea	ecx, [ebx+1A0h]
		shr	edx, 3
		push	esi
		and	dl, 1
		call	_RtlStateDurationUpdate@12 ; RtlStateDurationUpdate(x,x,x)
		mov	esi, [esp+28h+var_14]
		mov	al, 1
		mov	[ebx+1C0h], di
		jmp	short loc_752067
; 

loc_752063:				; CODE XREF: PopEtEnergyContextSetState(x,x)+A4j
		mov	al, [esp+28h+var_15]

loc_752067:				; CODE XREF: PopEtEnergyContextSetState(x,x)+12Dj
		test	al, al
		jz	short loc_752074
		mov	ecx, [esp+28h+var_4]
		call	_PopEtEnergyContextProcessStateUpdate@4	; PopEtEnergyContextProcessStateUpdate(x)

loc_752074:				; CODE XREF: PopEtEnergyContextSetState(x,x)+135j
		xor	eax, eax
		mov	edi, eax

loc_752078:				; CODE XREF: PopEtEnergyContextSetState(x,x)+69j
		test	esi, esi
		jz	short loc_75208C
		mov	ecx, _PopEtGlobals
		mov	edx, esi
		lea	ecx, [ecx+20h]
		call	RtlInternEntryDereference

loc_75208C:				; CODE XREF: PopEtEnergyContextSetState(x,x)+146j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopEtEnergyContextSetState@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspRequestProcessExecutionState	proc near ; CODE XREF: PspSetProcessFreezeStateCallback+F4p
					; PspApplyJobChainLimitsToProcess(x,x,x)+2Fp ...

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008D0B08 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr [ecx+3A8h], 1
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		jnz	loc_8D0B08

loc_7520AD:				; CODE XREF: PspRequestProcessExecutionState+17EA81j
		mov	esi, 30000000h

loc_7520B2:				; CODE XREF: PspRequestProcessExecutionState+17EA7Bj
		shl	edi, 1Ch
		lea	ebx, [ecx+0F8h]
		mov	eax, [ebx]
		and	edi, esi
		not	esi

loc_7520C1:				; CODE XREF: PspRequestProcessExecutionState+39j
		mov	ecx, esi
		mov	edx, eax
		and	ecx, eax
		or	ecx, edi
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_7520C1
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
PspRequestProcessExecutionState	endp


;  S U B	R O U T	I N E 


; __stdcall PspComputeExecutionState(x)
_PspComputeExecutionState@4 proc near	; CODE XREF: PspSetJobFreezeCountCallback(x,x):loc_50D58Dp
					; PspApplyJobChainLimitsToProcess(x,x,x)+26p ...
		xor	eax, eax
		cmp	eax, [ecx+19Ch]
		sbb	eax, eax
		and	eax, 2
		cmp	dword ptr [ecx+194h], 0
		ja	short loc_7520EF
		retn
; 

loc_7520EF:				; CODE XREF: PspComputeExecutionState(x)+14j
		or	eax, 1
		retn
_PspComputeExecutionState@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspApplyJobLimitsToProcess proc	near	; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+13p
					; PspSetJobLimitsProcessCallback+1Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D0B1C SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	ecx, large fs:124h
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ecx
		push	edi
		mov	edi, [esi+158h]
		test	bl, 20h
		jnz	short loc_75212A
		test	byte ptr [edi+18Ch], 20h
		jnz	loc_8D0B1C

loc_75212A:				; CODE XREF: PspApplyJobLimitsToProcess+27j
					; PspApplyJobLimitsToProcess+17EA49j
		test	bl, 10h
		jnz	short loc_75213C
		test	byte ptr [edi+18Ch], 10h
		jnz	loc_8D0B42

loc_75213C:				; CODE XREF: PspApplyJobLimitsToProcess+39j
					; PspApplyJobLimitsToProcess+17EA66j ...
		test	ebx, 100h
		jnz	short loc_75216C
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		call	_PspLockJobMemoryLimitsShared@8	; PspLockJobMemoryLimitsShared(x,x)
		test	dword ptr [edi+18Ch], 100h
		jnz	short loc_7521AA
		xor	eax, eax

loc_75215C:				; CODE XREF: PspApplyJobLimitsToProcess+BCj
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		mov	[esi+220h], eax
		call	_PspUnlockJobMemoryLimitsShared@8 ; PspUnlockJobMemoryLimitsShared(x,x)

loc_75216C:				; CODE XREF: PspApplyJobLimitsToProcess+4Ej
		test	bl, bl
		js	short loc_7521A5
		cmp	byte ptr [esi+1BBh], 1
		jz	short loc_7521A5
		mov	ebx, [edi+190h]
		cmp	ebx, 0Ah
		jb	short loc_75218A
		mov	ebx, [edi+0ECh]

loc_75218A:				; CODE XREF: PspApplyJobLimitsToProcess+8Ej
		cmp	ds:_PspUseJobSchedulingClasses,	0
		jnz	loc_8D0B79

loc_752197:				; CODE XREF: PspApplyJobLimitsToProcess+17EA92j
		xor	edx, edx
		mov	ecx, esi
		cmp	ebx, 9
		jz	short loc_7521B2

loc_7521A0:				; CODE XREF: PspApplyJobLimitsToProcess+BFj
		call	_KeSetDisableQuantumProcess@8 ;	KeSetDisableQuantumProcess(x,x)

loc_7521A5:				; CODE XREF: PspApplyJobLimitsToProcess+7Aj
					; PspApplyJobLimitsToProcess+83j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7521AA:				; CODE XREF: PspApplyJobLimitsToProcess+64j
		mov	eax, [edi+178h]
		jmp	short loc_75215C
; 

loc_7521B2:				; CODE XREF: PspApplyJobLimitsToProcess+AAj
		inc	edx
		jmp	short loc_7521A0
PspApplyJobLimitsToProcess endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSendProcessNotificationToJobChain(x, x, x, x)
_PspSendProcessNotificationToJobChain@16 proc near
					; CODE XREF: PspRundownSingleProcess(x,x)+172p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	edi, edx
		push	eax
		mov	edx, ebx
		call	PspLockRootJobFromProcess
		mov	esi, [ebp+var_8]
		jmp	short loc_752208
; 

loc_7521E6:				; CODE XREF: PspSendProcessNotificationToJobChain(x,x,x,x)+54j
		push	ecx
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_PspLockJobConditionally@12 ; PspLockJobConditionally(x,x,x)
		cmp	dword ptr [esi+0D4h], 0
		jnz	short loc_75221D

loc_7521FA:				; CODE XREF: PspSendProcessNotificationToJobChain(x,x,x,x)+74j
					; PspSendProcessNotificationToJobChain(x,x,x,x)+84j
		xor	eax, eax

loc_7521FC:				; CODE XREF: PspSendProcessNotificationToJobChain(x,x,x,x)+8Aj
		cmp	esi, [ebp+eax*4+var_4]
		jnz	short loc_75223C

loc_752202:				; CODE XREF: PspSendProcessNotificationToJobChain(x,x,x,x)+94j
		mov	esi, [esi+244h]

loc_752208:				; CODE XREF: PspSendProcessNotificationToJobChain(x,x,x,x)+2Ej
		test	esi, esi
		jnz	short loc_7521E6
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_75221D:				; CODE XREF: PspSendProcessNotificationToJobChain(x,x,x,x)+42j
		xor	eax, eax
		mov	ecx, edi
		inc	eax
		shl	eax, cl
		test	[esi+1A8h], eax
		jz	short loc_7521FA
		push	0
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, esi
		call	_PspSendJobNotification@16 ; PspSendJobNotification(x,x,x,x)
		jmp	short loc_7521FA
; 

loc_75223C:				; CODE XREF: PspSendProcessNotificationToJobChain(x,x,x,x)+4Aj
		inc	eax
		cmp	eax, 1
		jb	short loc_7521FC
		lea	ecx, [esi+20h]
		call	ExReleaseResourceLite
		jmp	short loc_752202
_PspSendProcessNotificationToJobChain@16 endp


;  S U B	R O U T	I N E 


PspUnlinkJobProcess proc near		; CODE XREF: PspEstablishJobHierarchy+166p
					; PspRemoveProcessFromJobChain+1EBp ...

; FUNCTION CHUNK AT 008D0B8B SIZE 00000021 BYTES

		mov	edi, edi
		push	esi
		lea	esi, [ecx+24Ch]
		mov	ecx, [esi]
		cmp	ecx, esi
		jnz	loc_8D0B8B

loc_75225F:				; CODE XREF: PspUnlinkJobProcess+17E95Bj
		lea	eax, [edx+1C4h]
		mov	edx, [eax]
		pop	esi
		cmp	[edx+4], eax
		jnz	short loc_75227A
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_75227A
		mov	[ecx], edx
		mov	[edx+4], ecx
		retn
; 

loc_75227A:				; CODE XREF: PspUnlinkJobProcess+1Fj
					; PspUnlinkJobProcess+26j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PspUnlinkJobProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspFoldProcessAccountingIntoJob(x, x, x)
_PspFoldProcessAccountingIntoJob@12 proc near ;	CODE XREF: PspRemoveProcessFromJobChain+198p

var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1C8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	1B0h		; size_t
		lea	eax, [ebp+var_1BC]
		mov	[ebp+var_1C8], edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_1C0], ecx
		call	_memset
		mov	ebx, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [ebp+var_1C0]
		mov	esi, [ebx+8]
		add	[eax+58h], esi
		mov	edi, [ebx+0Ch]
		adc	[eax+5Ch], edi
		mov	ecx, [ebx]
		add	[eax+60h], ecx
		mov	edx, [ebx+4]
		adc	[eax+64h], edx
		mov	eax, [ebx+10h]
		mov	[ebp+var_1C4], esi
		mov	esi, [ebp+var_1C0]
		add	[esi+228h], eax
		mov	eax, [ebx+14h]
		adc	[esi+22Ch], eax
		mov	eax, [ebx+18h]
		add	[esi+68h], eax
		mov	eax, [ebx+1Ch]
		adc	[esi+6Ch], eax
		mov	eax, [ebp+var_1C0]
		mov	esi, [ebp+var_1C4]
		add	[eax+70h], esi
		mov	esi, eax
		mov	eax, [ebx+20h]
		adc	[esi+74h], edi
		add	[esi+78h], ecx
		mov	edi, [ebp+var_1C8]
		adc	[esi+7Ch], edx
		add	[esi+80h], eax
		mov	eax, [ebx+24h]
		adc	[esi+84h], eax
		mov	eax, [ebx+28h]
		add	[esi+0F0h], eax
		mov	eax, [ebx+2Ch]
		adc	[esi+0F4h], eax
		mov	eax, [ebx+30h]
		add	[esi+0F8h], eax
		mov	eax, [ebx+34h]
		adc	[esi+0FCh], eax
		mov	eax, [ebx+38h]
		add	[esi+100h], eax
		mov	eax, [ebx+3Ch]
		adc	[esi+104h], eax
		mov	eax, [ebx+40h]
		add	[esi+108h], eax
		mov	eax, [ebx+44h]
		adc	[esi+10Ch], eax
		mov	eax, [ebx+48h]
		add	[esi+110h], eax
		mov	eax, [ebx+4Ch]
		adc	[esi+114h], eax
		mov	eax, [ebx+50h]
		add	[esi+118h], eax
		mov	eax, [ebx+54h]
		adc	[esi+11Ch], eax
		mov	eax, [edi+244h]
		add	[esi+88h], eax
		mov	eax, [ebx+58h]
		add	[esi+3B0h], eax
		mov	eax, [ebx+5Ch]
		adc	[esi+3B4h], eax
		mov	eax, [ebx+60h]
		add	[esi+3B8h], eax
		mov	eax, [ebx+64h]
		adc	[esi+3BCh], eax
		mov	ecx, [edi+3D0h]
		test	ecx, ecx
		jz	short loc_752435
		mov	eax, [ecx]
		add	[esi+120h], eax
		mov	eax, [ecx+4]
		adc	[esi+124h], eax
		mov	eax, [ecx+8]
		add	[esi+128h], eax
		mov	eax, [ecx+0Ch]
		adc	[esi+12Ch], eax
		mov	eax, [ecx+10h]
		add	[esi+130h], eax
		mov	eax, [ecx+14h]
		adc	[esi+134h], eax
		mov	eax, [ecx+18h]
		add	[esi+138h], eax
		mov	eax, [ecx+1Ch]
		adc	[esi+13Ch], eax
		mov	eax, [ecx+20h]
		add	[esi+140h], eax
		mov	eax, [ecx+24h]
		adc	[esi+144h], eax

loc_752435:				; CODE XREF: PspFoldProcessAccountingIntoJob(x,x,x)+15Aj
		mov	edx, [edi+228h]
		mov	ecx, esi
		call	PspUpdateJobPeakProcessMemory
		call	_PoEnergyEstimationEnabled@0 ; PoEnergyEstimationEnabled()
		test	al, al
		jz	short loc_752469
		lea	edx, [ebp+var_1BC]
		mov	ecx, edi
		call	_PsQueryProcessEnergyValues@8 ;	PsQueryProcessEnergyValues(x,x)
		mov	ecx, [esi+318h]
		lea	edx, [ebp+var_1BC]
		call	PsAddProcessEnergyValues

loc_752469:				; CODE XREF: PspFoldProcessAccountingIntoJob(x,x,x)+1C9j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PspFoldProcessAccountingIntoJob@12 endp


;  S U B	R O U T	I N E 


PspUpdateJobPeakProcessMemory proc near	; CODE XREF: PspFoldProcessAccountingIntoJob(x,x,x)+1BDp

; FUNCTION CHUNK AT 008D0BAC SIZE 00000019 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		lea	edi, [ecx+154h]
		cmp	esi, [edi]
		ja	short loc_75248D

loc_75248A:				; CODE XREF: PspUpdateJobPeakProcessMemory+17E73Cj
					; PspUpdateJobPeakProcessMemory+17E746j
		pop	edi
		pop	esi
		retn
; 

loc_75248D:				; CODE XREF: PspUpdateJobPeakProcessMemory+Ej
		mov	eax, [edi]
		jmp	loc_8D0BAC
PspUpdateJobPeakProcessMemory endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1742. PsAcquireProcessExitSynchronization

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsAcquireProcessExitSynchronization(x)
		public _PsAcquireProcessExitSynchronization@4
_PsAcquireProcessExitSynchronization@4 proc near
					; CODE XREF: EtwQueryProcessTelemetryInfo+D3p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		lea	ecx, [ecx+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFEF6h
		add	eax, 0C000010Ah
		pop	ebp
		retn	4
_PsAcquireProcessExitSynchronization@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwQueryProcessTelemetryInfo(size_t,char,int)
EtwQueryProcessTelemetryInfo proc near	; CODE XREF: PAGE:0083E9E6p

var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_FC		= dword	ptr -0FCh
var_78		= dword	ptr -78h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D0BC5 SIZE 00000019 BYTES

		push	22Ch
		push	offset dword_6A0430
		call	__SEH_prolog4_GS
		mov	ebx, edx
		mov	esi, ecx
		mov	[ebp+var_208], esi
		mov	[ebp+var_238], esi
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_22C], eax
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		push	18Ch		; size_t
		xor	edi, edi
		push	edi		; int
		lea	eax, [ebp+var_204]
		push	eax		; void *
		call	_memset
		push	44h		; size_t
		push	edi		; int
		lea	eax, [ebp+var_78]
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	[ebp+var_20C], edi
		mov	[ebp+var_220], edi
		mov	[ebp+var_21C], edi

loc_752529:				; DATA XREF: PAGE:??_C@_03PCJIPBFG@?4?$CFu@NNGAKEGL@o
		mov	[ebp+var_228], edi
		mov	[ebp+var_224], edi
		mov	eax, [esi+1C0h]
		mov	[ebp+var_210], eax
		test	eax, eax
		jz	loc_8D0BC5

loc_752549:				; CODE XREF: EtwQueryProcessTelemetryInfo+17E70Dj
		push	esi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		mov	[ebp+var_23C], esi
		mov	[ebp+var_214], edi
		lea	eax, [ebp+var_214]
		push	eax
		lea	edx, [ebp+var_204]
		mov	ecx, esi
		call	_EtwpQueryTokenPackageInfo@12 ;	EtwpQueryTokenPackageInfo(x,x,x)
		lea	eax, [ebp+var_20C]
		push	eax
		push	44h
		lea	edx, [ebp+var_78]
		mov	ecx, esi
		call	_SeQueryUserSidToken@16	; SeQueryUserSidToken(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7526F6
		mov	esi, [ebp+var_208]
		push	esi
		call	_PsAcquireProcessExitSynchronization@4 ; PsAcquireProcessExitSynchronization(x)
		test	eax, eax
		js	short loc_7525DA
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		lea	edx, [ebp+var_228]
		mov	ecx, esi
		call	EtwpQueryProcessOtherInfo
		lea	edx, [ebp+var_220]
		mov	ecx, esi
		call	EtwpQueryProcessCommandLine
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7525DA:				; CODE XREF: EtwQueryProcessTelemetryInfo+DAj
		mov	eax, [ebp+var_220]
		movzx	ecx, ax
		mov	[ebp+var_230], ecx
		mov	eax, [ebp+var_210]
		movzx	eax, word ptr [eax]
		add	eax, ecx
		add	eax, [ebp+var_200]
		add	eax, [ebp+var_204]
		mov	ecx, [ebp+var_20C]
		add	ecx, 64h
		add	eax, ecx
		mov	[ebp+var_214], eax
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+var_22C]
		test	ecx, ecx
		jnz	loc_75274C

loc_752622:				; CODE XREF: EtwQueryProcessTelemetryInfo+28Cj
		cmp	[ebp+arg_4], 0
		jnz	loc_752736

loc_75262C:				; CODE XREF: EtwQueryProcessTelemetryInfo+285j
		cmp	eax, [ebp+arg_0]
		jb	short loc_752634
		mov	eax, [ebp+arg_0]

loc_752634:				; CODE XREF: EtwQueryProcessTelemetryInfo+16Dj
		push	eax		; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		push	60h
		pop	eax
		cmp	[ebp+arg_0], eax
		jb	loc_8D0BD4
		mov	[ebx], eax
		mov	eax, [esi+0E4h]
		mov	[ebx+4], eax
		mov	ecx, esi
		call	_EtwpGetProcessStartKey@4 ; EtwpGetProcessStartKey(x)
		mov	[ebx+8], eax
		mov	[ebx+0Ch], edx
		mov	eax, [esi+100h]
		mov	[ebx+10h], eax
		mov	eax, [esi+104h]
		mov	[ebx+14h], eax
		mov	eax, [esi+3F0h]
		mov	[ebx+18h], eax
		mov	eax, [esi+3F4h]
		mov	[ebx+1Ch], eax
		mov	eax, [esi+3F8h]
		mov	[ebx+20h], eax
		mov	eax, [esi+3FCh]
		mov	[ebx+24h], eax
		mov	eax, [esi+3E8h]
		mov	[ebx+28h], eax
		mov	eax, [esi+3ECh]
		mov	[ebx+2Ch], eax
		call	_MmGetSessionCreateTime@4 ; MmGetSessionCreateTime(x)
		mov	[ebx+30h], eax
		mov	[ebx+34h], edx
		push	esi
		call	_PsGetProcessSessionId@4 ; PsGetProcessSessionId(x)
		mov	[ebx+38h], eax
		mov	eax, ds:0FFDF02C4h
		mov	[ebx+3Ch], eax
		mov	eax, [ebp+var_228]
		mov	[ebx+40h], eax
		mov	eax, [ebp+var_224]
		mov	[ebx+44h], eax
		mov	eax, [ebp+var_214]
		cmp	[ebp+arg_0], eax
		jnb	short loc_752753
		mov	esi, 80000005h

loc_7526E9:				; CODE XREF: EtwQueryProcessTelemetryInfo+17E717j
		mov	[ebp+var_218], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7526F6:				; CODE XREF: EtwQueryProcessTelemetryInfo+C6j
					; EtwQueryProcessTelemetryInfo+33Ej
		mov	ebx, [ebp+var_208]

loc_7526FC:				; CODE XREF: sub_8D0BEF+1Ej
		mov	eax, [ebp+var_21C]
		test	eax, eax
		jz	short loc_75270D
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_75270D:				; CODE XREF: EtwQueryProcessTelemetryInfo+242j
		mov	edx, [ebp+var_23C]
		test	edx, edx
		jz	short loc_752722
		lea	ecx, [ebx+12Ch]
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)

loc_752722:				; CODE XREF: EtwQueryProcessTelemetryInfo+253j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_752736:				; CODE XREF: EtwQueryProcessTelemetryInfo+164j
		push	4
		push	[ebp+arg_0]
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	eax, [ebp+var_214]
		jmp	loc_75262C
; 

loc_75274C:				; CODE XREF: EtwQueryProcessTelemetryInfo+15Aj
		mov	[ecx], eax
		jmp	loc_752622
; 

loc_752753:				; CODE XREF: EtwQueryProcessTelemetryInfo+220j
		lea	esi, [ebx+60h]
		mov	dword ptr [ebx+48h], 60h
		push	[ebp+var_20C]	; size_t
		lea	eax, [ebp+var_78]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esi, [ebp+var_20C]
		mov	eax, esi
		sub	eax, ebx
		mov	[ebx+4Ch], eax
		mov	ecx, [ebp+var_210]
		movzx	eax, word ptr [ecx]
		push	eax		; size_t
		push	dword ptr [ecx+4] ; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_210]
		movzx	eax, word ptr [eax]
		add	eax, 2
		add	esi, eax
		mov	eax, esi
		sub	eax, ebx
		mov	[ebx+50h], eax
		push	[ebp+var_204]	; size_t
		lea	eax, [ebp+var_1FC]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esi, [ebp+var_204]
		mov	eax, esi
		sub	eax, ebx
		mov	[ebx+54h], eax
		push	[ebp+var_200]	; size_t
		lea	eax, [ebp+var_FC]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esi, [ebp+var_200]
		mov	eax, esi
		sub	eax, ebx
		mov	[ebx+58h], eax
		push	[ebp+var_230]	; size_t
		push	[ebp+var_21C]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 3Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, edi
		jmp	loc_7526F6
EtwQueryProcessTelemetryInfo endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopEtAggregateKeyCleanup(x)
_PopEtAggregateKeyCleanup@4 proc near	; CODE XREF: PopEtProcessSnapshotUpdate+141p
					; PopEtEnergyTrackerCleanupAggregates+91p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi]
		test	edx, edx
		jz	short loc_75282B
		test	dword ptr [edx+0Ch], 3FFh
		jz	short loc_752828
		mov	ecx, _PopEtGlobals
		lea	ecx, [ecx+20h]
		call	RtlInternEntryDereference

loc_752828:				; CODE XREF: PopEtAggregateKeyCleanup(x)+12j
		and	dword ptr [esi], 0

loc_75282B:				; CODE XREF: PopEtAggregateKeyCleanup(x)+9j
		mov	edx, [esi+4]
		test	edx, edx
		jnz	short loc_752834
		pop	esi
		retn
; 

loc_752834:				; CODE XREF: PopEtAggregateKeyCleanup(x)+2Aj
		mov	ecx, _PopEtGlobals
		lea	ecx, [ecx+20h]
		call	RtlInternEntryDereference
		and	dword ptr [esi+4], 0
		pop	esi
		retn
_PopEtAggregateKeyCleanup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlInternEntryDereference proc near	; CODE XREF: PopEtEnergyContextSetState(x,x)+153p
					; PopEtAggregateKeyCleanup(x)+1Dp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D0C12 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [ebx+8], eax
		dec	eax
		test	eax, eax
		jle	short loc_752865

loc_752861:				; CODE XREF: RtlInternEntryDereference+A7j
					; RtlInternEntryDereference+17E3CFj
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_752865:				; CODE XREF: RtlInternEntryDereference+17j
		jnz	loc_8D0C12
		mov	eax, [edi+0Ch]
		xor	ecx, ecx
		push	esi
		push	ecx
		push	edi
		call	dword ptr [eax+8]
		mov	esi, [edi+4]
		or	edx, 0FFFFFFFFh
		mov	ecx, esi
		shr	esi, 5
		and	ecx, 1Fh
		shl	edx, cl
		and	edx, [ebx+4]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_4], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	edx, ecx, 25h
		lea	ecx, [esi-1]
		mov	esi, 80000002h
		add	edx, eax
		mov	eax, [edi+8]
		and	ecx, edx
		xor	edx, edx
		lea	ecx, [eax+ecx*4]
		mov	eax, [ebx]
		and	eax, esi
		cmp	eax, esi
		jz	short loc_7528F4

loc_7528C8:				; CODE XREF: RtlInternEntryDereference+8Cj
					; RtlInternEntryDereference+AEj
		mov	eax, [ecx]
		test	al, 1
		jnz	short loc_7528F8
		cmp	eax, ebx
		jz	short loc_7528D6
		mov	ecx, eax
		jmp	short loc_7528C8
; 

loc_7528D6:				; CODE XREF: RtlInternEntryDereference+88j
		mov	eax, [ebx]
		mov	[ecx], eax
		dec	dword ptr [edi]
		or	[ebx], esi

loc_7528DE:				; CODE XREF: RtlInternEntryDereference+B2j
		mov	eax, [edi+0Ch]
		push	edx
		push	edi
		call	dword ptr [eax+0Ch]
		mov	eax, [edi+0Ch]
		push	ebx
		push	edi
		call	dword ptr [eax+4]
		pop	esi
		jmp	loc_752861
; 

loc_7528F4:				; CODE XREF: RtlInternEntryDereference+7Ej
		mov	eax, [edx]
		jmp	short loc_7528C8
; 

loc_7528F8:				; CODE XREF: RtlInternEntryDereference+84j
		mov	eax, [edx]
		jmp	short loc_7528DE
RtlInternEntryDereference endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WbRemoveWarbirdProcess proc near	; CODE XREF: PspProcessDelete+C7p
					; sub_A1AAB4+151p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D0C1C SIZE 0000007E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		dec	word ptr [eax+13Eh]
		push	edi
		mov	edi, ecx
		nop
		mov	ebx, offset unk_6D6BD8
		xor	edx, edx
		push	0
		mov	ecx, ebx
		call	KeAbPreAcquire
		push	11h
		mov	esi, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jnz	short loc_752988

loc_75293A:				; CODE XREF: WbRemoveWarbirdProcess+96j
		test	esi, esi
		jz	short loc_752942
		or	byte ptr [esi+0Eh], 1

loc_752942:				; CODE XREF: WbRemoveWarbirdProcess+40j
		push	0
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		push	4
		mov	ecx, offset unk_6D6BC0
		call	WbFindLookupEntry
		push	11h
		mov	esi, eax
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jnz	short loc_752994

loc_752966:				; CODE XREF: WbRemoveWarbirdProcess+9Fj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	esi, esi
		jns	loc_8D0C1C

loc_752981:				; CODE XREF: WbRemoveWarbirdProcess+17E399j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_752988:				; CODE XREF: WbRemoveWarbirdProcess+3Cj
		push	ebx
		mov	edx, esi
		mov	ecx, ebx
		call	ExfAcquirePushLockSharedEx
		jmp	short loc_75293A
; 

loc_752994:				; CODE XREF: WbRemoveWarbirdProcess+68j
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_752966
WbRemoveWarbirdProcess endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WbFindWarbirdProcess proc near		; CODE XREF: sub_A1B500+5Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D0C9A SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	edi
		push	0
		mov	edi, edx
		mov	edx, ecx
		push	eax
		push	4
		mov	ecx, offset unk_6D6BC0
		mov	[ebp+var_C], edi
		call	WbFindLookupEntry
		mov	[ebp+var_10], eax
		test	eax, eax
		jns	loc_8D0C9A

loc_7529CF:				; CODE XREF: WbFindWarbirdProcess+17E2FEj
					; WbFindWarbirdProcess+17E342j
		pop	edi
		leave
		retn	4
WbFindWarbirdProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WbFindLookupEntry proc near		; CODE XREF: WbRemoveWarbirdProcess+55p
					; WbFindWarbirdProcess+21p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D0CE5 SIZE 00000066 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	esi
		push	edi
		xor	ecx, ecx
		mov	eax, 0C0000272h
		mov	edi, [ebx+4]
		sub	edi, 1
		mov	[ebp+var_4], ecx
		push	ecx
		pop	esi
		jns	loc_8D0CE5

loc_7529FB:				; CODE XREF: WbFindLookupEntry+17E359j
					; WbFindLookupEntry+17E360j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	short loc_752A18

loc_752A02:				; CODE XREF: WbFindLookupEntry+46j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_752A11
		test	eax, eax
		jns	loc_8D0D39

loc_752A11:				; CODE XREF: WbFindLookupEntry+33j
					; WbFindLookupEntry+17E372j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_752A18:				; CODE XREF: WbFindLookupEntry+2Cj
		mov	[ecx], esi
		jmp	short loc_752A02
WbFindLookupEntry endp


;  S U B	R O U T	I N E 


; __stdcall ObDereferenceDeviceMap(x)
_ObDereferenceDeviceMap@4 proc near	; CODE XREF: PspProcessDelete+80p
					; PspAssignPrimaryToken+131p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		push	edi
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	edx, large fs:124h
		dec	word ptr [edx+13Eh]
		nop
		lea	esi, [eax+70h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, [edi+198h]
		xor	edx, edx
		and	dword ptr [edi+198h], 0
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		test	ebx, ebx
		jz	short loc_752A7B
		mov	ecx, ebx
		pop	ebx
		jmp	ObfDereferenceDeviceMap
; 

loc_752A7B:				; CODE XREF: ObDereferenceDeviceMap(x)+55j
		pop	ebx
		retn
_ObDereferenceDeviceMap@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspDeleteProcessSecurity(x)
_PspDeleteProcessSecurity@4 proc near	; CODE XREF: PspProcessDelete+1A8p
		add	ecx, 12Ch
		cmp	dword ptr [ecx], 0
		jz	short locret_752A9E
		xor	edx, edx
		call	@ObFastReplaceObject@8 ; ObFastReplaceObject(x,x)
		mov	ecx, eax
		mov	byte ptr [eax+0B4h], 0
		jmp	ObfDereferenceObject
; 

locret_752A9E:				; CODE XREF: PspDeleteProcessSecurity(x)+9j
		retn
_PspDeleteProcessSecurity@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


EtwExitProcess	proc near		; CODE XREF: PspProcessDelete+1CDp

; FUNCTION CHUNK AT 008D0D4B SIZE 00000020 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+19Ch]
		test	esi, esi
		jz	short loc_752AD1
		and	dword ptr [edi+19Ch], 0
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_752AC2
		call	ObfDereferenceObject

loc_752AC2:				; CODE XREF: EtwExitProcess+1Bj
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_752AE2

loc_752AC9:				; CODE XREF: EtwExitProcess+47j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_752AD1:				; CODE XREF: EtwExitProcess+Ej
		mov	esi, [edi+4B0h]
		test	esi, esi
		jnz	loc_8D0D4B

loc_752ADF:				; CODE XREF: EtwExitProcess+17E2C6j
		pop	edi
		pop	esi
		retn
; 

loc_752AE2:				; CODE XREF: EtwExitProcess+27j
		call	ObfDereferenceObject
		jmp	short loc_752AC9
EtwExitProcess	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall LpcExitProcess(x)
_LpcExitProcess@4 proc near		; CODE XREF: PspProcessDelete+1D4p
					; PspExitThread+481p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+370h], 0
		ja	short loc_752B00

loc_752AF8:				; CODE XREF: LpcExitProcess(x)+2Cj
		mov	ecx, esi
		pop	esi
		jmp	AlpcpCleanupProcessViews
; 

loc_752B00:				; CODE XREF: LpcExitProcess(x)+Cj
		push	dword ptr [esi+370h]
		push	esi
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)
		mov	dword ptr [esi+370h], 0
		jmp	short loc_752AF8
_LpcExitProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCleanupProcessViews proc near	; CODE XREF: LpcExitProcess(x)+11j

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D0D6B SIZE 000001F9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		nop
		xor	eax, eax
		lea	edi, [esi+364h]
		and	[esp+38h+var_2C], eax
		xor	ebx, ebx
		xor	edx, edx
		mov	dword ptr [esp+38h+var_20], eax
		mov	ecx, edi
		mov	[esp+38h+var_28], eax
		mov	[esp+38h+var_24], ebx
		mov	[esp+38h+var_18], edi
		call	ExAcquirePushLockExclusiveEx
		lea	edx, [esi+368h]
		mov	[esp+38h+var_4], edx

loc_752B67:				; CODE XREF: AlpcpCleanupProcessViews+17E440j
		mov	esi, [edx]
		mov	eax, dword ptr [esp+38h+var_20]
		mov	ecx, eax
		cmp	esi, edx
		jnz	loc_8D0D6B
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_752B97

loc_752B84:				; CODE XREF: AlpcpCleanupProcessViews+86j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_752B97:				; CODE XREF: AlpcpCleanupProcessViews+6Aj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_752B84
AlpcpCleanupProcessViews endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExWnfExitProcess(x,	x)
_ExWnfExitProcess@8 proc near		; CODE XREF: PspProcessDelete+1DEp
					; PspExitThread+471p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [ebp+var_4]
		mov	ecx, [eax+39Ch]
		test	ecx, ecx
		jz	short loc_752BCC
		call	ExpWnfDeleteProcessContext

loc_752BCC:				; CODE XREF: ExWnfExitProcess(x,x)+25j
		test	esi, esi
		jz	short loc_752BDC
		push	ecx
		push	3
		lea	edx, [ebp+var_4]
		pop	ecx
		call	_ExpWnfDeleteScopeById@12 ; ExpWnfDeleteScopeById(x,x,x)

loc_752BDC:				; CODE XREF: ExWnfExitProcess(x,x)+2Ej
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	esi
		leave
		retn
_ExWnfExitProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfDeleteProcessContext proc	near	; CODE XREF: ExWnfExitProcess(x,x)+27p
					; ExpWnfCreateProcessContext+124F61p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D0F64 SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_C], edx
		push	esi
		push	edi
		push	0
		lea	edi, [ebx+28h]
		mov	[ebp+var_8], ebx
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_752C18
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_752C18:				; CODE XREF: ExpWnfDeleteProcessContext+28j
		test	esi, esi
		jnz	loc_752D6F

loc_752C20:				; CODE XREF: ExpWnfDeleteProcessContext+18Fj
		or	esi, 0FFFFFFFFh

loc_752C23:				; CODE XREF: ExpWnfDeleteProcessContext+A5j
		lea	ecx, [ebx+2Ch]

loc_752C26:				; CODE XREF: ExpWnfDeleteProcessContext+9Fj
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	short loc_752C8B
		add	eax, 0FFFFFFF0h
		mov	[ebp+var_4], eax
		lea	ecx, [eax+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_752D81

loc_752C4A:				; CODE XREF: ExpWnfDeleteProcessContext+1A4j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	edx, [ebx+4]
		mov	ecx, [ebp+var_4]
		call	ExpWnfDeleteSubscription
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	[ebp+var_4], eax
		lock bts dword ptr [edi], 0
		jnb	short loc_752C7E
		push	edi
		mov	edx, eax
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_4]

loc_752C7E:				; CODE XREF: ExpWnfDeleteProcessContext+8Bj
		lea	ecx, [ebx+2Ch]
		test	eax, eax
		jz	short loc_752C26
		or	byte ptr [eax+0Eh], 1
		jmp	short loc_752C23
; 

loc_752C8B:				; CODE XREF: ExpWnfDeleteProcessContext+46j
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_752D8D

loc_752C9B:				; CODE XREF: ExpWnfDeleteProcessContext+1B0j
		mov	ecx, edi
		call	KeAbPostRelease
		lea	edi, [ebx+1Ch]
		xor	edx, edx
		push	0
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	[ebp+var_4], eax
		lock bts dword ptr [edi], 0
		jnb	short loc_752CC7
		push	edi
		mov	edx, eax
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_4]

loc_752CC7:				; CODE XREF: ExpWnfDeleteProcessContext+D4j
		test	eax, eax
		jnz	loc_752D78

loc_752CCF:				; CODE XREF: ExpWnfDeleteProcessContext+198j
		lea	eax, [ebx+20h]
		mov	ebx, eax

loc_752CD4:				; CODE XREF: ExpWnfDeleteProcessContext+17E3EAj
					; ExpWnfDeleteProcessContext+17E3F4j
		mov	eax, [ebx]
		cmp	eax, ebx
		jnz	loc_8D0F64
		mov	eax, esi
		lock xadd [edi], eax
		mov	ebx, [ebp+var_8]
		and	al, 6
		cmp	al, 2
		jz	loc_752D99

loc_752CF1:				; CODE XREF: ExpWnfDeleteProcessContext+1BCj
		mov	ecx, edi
		call	KeAbPostRelease
		cmp	[ebp+var_C], 0
		jz	short loc_752D6A
		mov	edi, offset _ExpWnfProcessesListLock
		xor	edx, edx
		push	0
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_752D21
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_752D21:				; CODE XREF: ExpWnfDeleteProcessContext+131j
		test	esi, esi
		jz	short loc_752D29
		or	byte ptr [esi+0Eh], 1

loc_752D29:				; CODE XREF: ExpWnfDeleteProcessContext+13Fj
		lea	eax, [ebx+8]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_752DAE
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_752DAE
		mov	[ecx], edx
		or	eax, 0FFFFFFFFh
		mov	[edx+4], ecx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_752DA5

loc_752D4C:				; CODE XREF: ExpWnfDeleteProcessContext+1C8j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebx+40h]
		test	ecx, ecx
		jz	short loc_752D5F
		call	ObfDereferenceObject

loc_752D5F:				; CODE XREF: ExpWnfDeleteProcessContext+174j
		push	20666E57h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_752D6A:				; CODE XREF: ExpWnfDeleteProcessContext+118j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_752D6F:				; CODE XREF: ExpWnfDeleteProcessContext+36j
		or	byte ptr [esi+0Eh], 1
		jmp	loc_752C20
; 

loc_752D78:				; CODE XREF: ExpWnfDeleteProcessContext+E5j
		or	byte ptr [eax+0Eh], 1
		jmp	loc_752CCF
; 

loc_752D81:				; CODE XREF: ExpWnfDeleteProcessContext+60j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_752C4A
; 

loc_752D8D:				; CODE XREF: ExpWnfDeleteProcessContext+B1j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_752C9B
; 

loc_752D99:				; CODE XREF: ExpWnfDeleteProcessContext+107j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_752CF1
; 

loc_752DA5:				; CODE XREF: ExpWnfDeleteProcessContext+166j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_752D4C
; 

loc_752DAE:				; CODE XREF: ExpWnfDeleteProcessContext+14Dj
					; ExpWnfDeleteProcessContext+154j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
ExpWnfDeleteProcessContext endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfDeleteScopeById(x, x,	x)
_ExpWnfDeleteScopeById@12 proc near	; CODE XREF: ExWnfExitProcess(x,x)+37p
					; MiDereferenceSessionFinal+81p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, [eax+208h]
		test	esi, esi
		jz	short loc_752E2D
		imul	eax, edi, 0Ch
		xor	edx, edx
		push	0
		lea	ecx, [eax+14h]
		add	eax, 10h
		add	ecx, esi
		add	esi, eax
		mov	[ebp+var_4], ecx
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edi, eax
		lock bts dword ptr [esi], 0
		jnb	short loc_752DFF
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx

loc_752DFF:				; CODE XREF: ExpWnfDeleteScopeById(x,x,x)+3Fj
		test	edi, edi
		jnz	short loc_752E34

loc_752E03:				; CODE XREF: ExpWnfDeleteScopeById(x,x,x)+84j
		mov	ecx, [ebp+var_4] ; int
		mov	edx, ebx	; void *
		push	4		; size_t
		call	_ExpWnfFindScopeInstance@12 ; ExpWnfFindScopeInstance(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_752E3A

loc_752E15:				; CODE XREF: ExpWnfDeleteScopeById(x,x,x)+9Fj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_752E60

loc_752E22:				; CODE XREF: ExpWnfDeleteScopeById(x,x,x)+B3j
		mov	ecx, esi
		call	KeAbPostRelease
		test	edi, edi
		jnz	short loc_752E55

loc_752E2D:				; CODE XREF: ExpWnfDeleteScopeById(x,x,x)+1Bj
					; ExpWnfDeleteScopeById(x,x,x)+AAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_752E34:				; CODE XREF: ExpWnfDeleteScopeById(x,x,x)+4Dj
		or	byte ptr [edi+0Eh], 1
		jmp	short loc_752E03
; 

loc_752E3A:				; CODE XREF: ExpWnfDeleteScopeById(x,x,x)+5Fj
		lea	ecx, [edi+14h]
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jnz	short loc_752E69
		cmp	[eax], ecx
		jnz	short loc_752E69
		mov	[eax], edx
		mov	[edx+4], eax
		and	dword ptr [ecx], 0
		jmp	short loc_752E15
; 

loc_752E55:				; CODE XREF: ExpWnfDeleteScopeById(x,x,x)+77j
		mov	dl, 1
		mov	ecx, edi
		call	_ExpWnfFreeScopeInstance@8 ; ExpWnfFreeScopeInstance(x,x)
		jmp	short loc_752E2D
; 

loc_752E60:				; CODE XREF: ExpWnfDeleteScopeById(x,x,x)+6Cj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_752E22
; 

loc_752E69:				; CODE XREF: ExpWnfDeleteScopeById(x,x,x)+91j
					; ExpWnfDeleteScopeById(x,x,x)+95j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExpWnfDeleteScopeById@12 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspProcessDelete proc near		; DATA XREF: PspInitPhase0+31Eo

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D0FDD SIZE 0000014B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		mov	ebx, large fs:124h
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+30h+var_1C]
		mov	[esp+30h+var_20], ebx
		rep stosd
		lea	edi, [esi+0E8h]
		cmp	[edi], eax
		jz	short loc_752ED3
		mov	ecx, ebx
		call	_PspLockProcessListExclusive@4 ; PspLockProcessListExclusive(x)
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	loc_75309C
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	loc_75309C
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	ecx, ebx
		call	PspUnlockProcessListExclusive

loc_752ED3:				; CODE XREF: PspProcessDelete+3Aj
		mov	eax, [esi+1C0h]
		test	eax, eax
		jz	short loc_752EEC
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+1C0h], 0

loc_752EEC:				; CODE XREF: PspProcessDelete+6Dj
		mov	ecx, esi
		call	_ObDereferenceDeviceMap@4 ; ObDereferenceDeviceMap(x)
		lea	ecx, [esi+460h]
		mov	eax, [ecx]
		or	eax, [ecx+4]
		jz	short loc_752F06
		push	ecx
		call	_ZwDeleteWnfStateName@4	; ZwDeleteWnfStateName(x)

loc_752F06:				; CODE XREF: PspProcessDelete+90j
		mov	ecx, [esi+190h]
		test	ecx, ecx
		jnz	loc_8D0FDD

loc_752F14:				; CODE XREF: PspProcessDelete+17E17Bj
		mov	ecx, [esi+128h]
		test	ecx, ecx
		jz	short loc_752F2D
		and	ecx, 0FFFFFFF8h
		call	ObfDereferenceObject
		and	dword ptr [esi+128h], 0

loc_752F2D:				; CODE XREF: PspProcessDelete+AEj
		push	esi
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	ecx, eax
		call	WbRemoveWarbirdProcess
		mov	edi, [esi+174h]
		test	edi, edi
		jnz	loc_8D0FEE

loc_752F48:				; CODE XREF: PspProcessDelete+17E1A2j
		mov	edi, [esi+0F4h]
		test	edi, edi
		jnz	loc_8D1015

loc_752F56:				; CODE XREF: PspProcessDelete+17E275j
		test	dword ptr [esi+0FCh], 40000h
		jz	short loc_752F97
		lea	eax, [esp+30h+var_1C]
		push	eax
		push	esi
		call	KeStackAttachProcess
		test	dword ptr [esi+0F8h], 400h
		jnz	loc_8D10E8

loc_752F7D:				; CODE XREF: PspProcessDelete+17E281j
		mov	edx, esi
		xor	cl, cl
		call	PspExitProcess
		lea	eax, [esp+30h+var_1C]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		mov	ecx, esi
		call	MmDeleteProcessAddressSpace

loc_752F97:				; CODE XREF: PspProcessDelete+F2j
		cmp	[esi+158h], edi
		jz	short loc_752FD2
		push	edi
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	PspRemoveProcessFromJobChain
		push	73507350h
		push	dword ptr [esi+158h]
		call	ObDereferenceObjectDeferDeleteWithTag
		mov	[esi+158h], edi
		mov	[esi+144h], edi
		mov	eax, ds:_MmBadPointer
		mov	[esi+3A0h], eax

loc_752FD2:				; CODE XREF: PspProcessDelete+12Fj
		cmp	[esi+0E4h], edi
		jz	short loc_753014
		dec	word ptr [ebx+13Eh]
		nop
		mov	edx, [esi+0E4h]
		mov	ecx, ds:_PspCidTable
		call	ExMapHandleToPointer
		test	eax, eax
		jz	loc_8D10F4
		mov	edx, [esi+0E4h]
		mov	ecx, ds:_PspCidTable
		push	eax
		call	ExDestroyHandle
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_753014:				; CODE XREF: PspProcessDelete+16Aj
		mov	ecx, esi
		call	_PspDeleteProcessSecurity@4 ; PspDeleteProcessSecurity(x)
		mov	eax, [esi+168h]
		test	eax, eax
		jnz	loc_8D10FB

loc_753029:				; CODE XREF: PspProcessDelete+17E29Fj
		push	esi
		mov	edx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		mov	ecx, offset unk_718478
		call	_SmpKeyedStoreDeleteInitiate@12	; SmpKeyedStoreDeleteInitiate(x,x,x)
		mov	ecx, esi
		call	EtwExitProcess
		mov	ecx, esi
		call	_LpcExitProcess@4 ; LpcExitProcess(x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_ExWnfExitProcess@8 ; ExWnfExitProcess(x,x)
		mov	edx, esi
		xor	ecx, ecx
		call	_IoSetDiskIoAttributionOnProcess@8 ; IoSetDiskIoAttributionOnProcess(x,x)
		mov	ecx, esi
		call	_PoEnergyContextCleanup@4 ; PoEnergyContextCleanup(x)
		mov	ecx, [esi+3E4h]
		test	ecx, ecx
		jnz	loc_8D1112

loc_75306F:				; CODE XREF: PspProcessDelete+17E2B5j
		mov	ecx, [esi+188h]
		test	ecx, ecx
		jz	short loc_753085
		lock dec dword ptr [ecx+204h]
		call	PspDereferenceQuotaBlock

loc_753085:				; CODE XREF: PspProcessDelete+209j
		mov	eax, [esi+7Ch]
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_75309C:				; CODE XREF: PspProcessDelete+48j
					; PspProcessDelete+53j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PspProcessDelete endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmpKeyedStoreDeleteInitiate(x, x, x)
_SmpKeyedStoreDeleteInitiate@12	proc near ; CODE XREF: PspProcessDelete+1C6p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		push	0
		mov	edi, edx
		lea	edx, [ebp+arg_0]
		push	2
		call	_SmpKeyedStoreEntryGet@16 ; SmpKeyedStoreEntryGet(x,x,x,x)
		test	eax, eax
		jnz	short loc_7530C3

loc_7530BC:				; CODE XREF: SmpKeyedStoreDeleteInitiate(x,x,x)+57j
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
; 

loc_7530C3:				; CODE XREF: SmpKeyedStoreDeleteInitiate(x,x,x)+18j
		movzx	esi, word ptr [eax+8]
		mov	ecx, eax
		call	_CmpFreePool@4	; CmpFreePool(x)
		and	esi, 3FFh
		mov	ecx, edi
		push	1
		mov	edx, esi
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		mov	ecx, edi
		mov	edx, [eax]
		call	_SmKmStoreDeleteWhenEmpty@12 ; SmKmStoreDeleteWhenEmpty(x,x,x)
		mov	edx, esi
		mov	ecx, edi
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_7530BC
_SmpKeyedStoreDeleteInitiate@12	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoEnergyContextCleanup(x)
_PoEnergyContextCleanup@4 proc near	; CODE XREF: PspProcessDelete+1EEp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ecx
		push	esi
		mov	[ebp+var_10], eax
		mov	esi, [eax+3E0h]
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	loc_753248
		push	ebx
		mov	ebx, ds:0FFDF0004h
		mov	edx, 0FFDF0320h
		push	edi
		mov	edi, 0FFDF0324h
		mov	[ebp+var_4], ebx
		mov	ecx, 0FFDF0328h
		mov	edi, [edi]
		mov	edx, [edx]
		mov	eax, [ecx]
		cmp	edi, eax
		jz	short loc_75315C
		lea	esi, [ecx-4]
		lea	ebx, [ecx-8]

loc_753145:				; CODE XREF: PoEnergyContextCleanup(x)+58j
		pause
		mov	edi, [esi]
		mov	edx, [ebx]
		mov	ecx, [ecx]
		cmp	edi, ecx
		mov	ecx, 0FFDF0328h
		jnz	short loc_753145
		mov	esi, [ebp+var_8]
		mov	ebx, [ebp+var_4]

loc_75315C:				; CODE XREF: PoEnergyContextCleanup(x)+41j
		mov	eax, edx
		shl	edi, 8
		mul	ebx
		imul	edi, ebx
		mov	ecx, eax
		shrd	ecx, edx, 18h
		add	ecx, edi
		mov	[ebp+var_8], ecx
		call	_KeQueryTimelineBitmapTime@0 ; KeQueryTimelineBitmapTime()
		mov	[ebp+var_C], eax
		xor	ebx, ebx

loc_75317B:				; CODE XREF: PoEnergyContextCleanup(x)+D4j
		push	ecx
		lea	edi, [esi+68h]
		add	edi, ebx
		push	ecx
		mov	edx, edi
		mov	ecx, edi
		call	_RtlStateDurationCapture@16 ; RtlStateDurationCapture(x,x,x,x)
		lea	ecx, [esi+68h]
		mov	[ebp+var_4], eax
		cmp	edi, ecx
		jnz	short loc_75319D
		lea	ecx, [esi+130h]
		jmp	short loc_7531B1
; 

loc_75319D:				; CODE XREF: PoEnergyContextCleanup(x)+97j
		lea	eax, [esi+70h]
		cmp	edi, eax
		mov	eax, [ebp+var_4]
		jnz	short loc_7531AF
		lea	ecx, [esi+138h]
		jmp	short loc_7531B1
; 

loc_7531AF:				; CODE XREF: PoEnergyContextCleanup(x)+A9j
		xor	ecx, ecx

loc_7531B1:				; CODE XREF: PoEnergyContextCleanup(x)+9Fj
					; PoEnergyContextCleanup(x)+B1j
		test	ecx, ecx
		jz	short loc_7531C7
		test	eax, eax
		jz	short loc_7531C7
		mov	edx, [ebp+var_C]
		shr	eax, 0Ch
		push	edx
		sub	edx, eax
		call	_RtlTimelineBitmapUpdateRange@12 ; RtlTimelineBitmapUpdateRange(x,x,x)

loc_7531C7:				; CODE XREF: PoEnergyContextCleanup(x)+B7j
					; PoEnergyContextCleanup(x)+BBj
		mov	ecx, [ebp+var_8]
		add	ebx, 8
		cmp	ebx, 18h
		jb	short loc_75317B
		lea	ecx, [esi+1A0h]
		push	ecx
		push	[ebp+var_8]
		mov	edx, ecx
		call	_RtlStateDurationCapture@16 ; RtlStateDurationCapture(x,x,x,x)
		mov	eax, [ebp+var_10]
		lea	edi, [esi+1B0h]
		mov	[ebp+var_1C], eax
		xor	ebx, ebx
		mov	eax, large fs:124h
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_24], 4
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_14], esi
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		lea	edx, [ebp+var_24]
		mov	[edi+4], eax
		call	PopEtEnumEnergyTrackers
		cmp	[edi+4], ebx
		jz	short loc_753231
		mov	[edi+4], ebx

loc_753231:				; CODE XREF: PoEnergyContextCleanup(x)+130j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	_PopEtEnergyContextCleanup@4 ; PopEtEnergyContextCleanup(x)
		pop	edi
		pop	ebx

loc_753248:				; CODE XREF: PoEnergyContextCleanup(x)+19j
		pop	esi
		leave
		retn
_PoEnergyContextCleanup@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopEtEnergyContextCleanup(x)
_PopEtEnergyContextCleanup@4 proc near	; CODE XREF: PoEnergyContextCleanup(x)+145p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi+1B8h]
		test	edx, edx
		jz	short loc_753279
		test	dword ptr [edx+0Ch], 3FFh
		jz	short loc_753272
		mov	ecx, _PopEtGlobals
		lea	ecx, [ecx+20h]
		call	RtlInternEntryDereference

loc_753272:				; CODE XREF: PopEtEnergyContextCleanup(x)+16j
		and	dword ptr [esi+1B8h], 0

loc_753279:				; CODE XREF: PopEtEnergyContextCleanup(x)+Dj
		mov	edx, [esi+1BCh]
		test	edx, edx
		jnz	short loc_753285
		pop	esi
		retn
; 

loc_753285:				; CODE XREF: PopEtEnergyContextCleanup(x)+35j
		mov	ecx, _PopEtGlobals
		lea	ecx, [ecx+20h]
		call	RtlInternEntryDereference
		and	dword ptr [esi+1BCh], 0
		pop	esi
		retn
_PopEtEnergyContextCleanup@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwGetProcessAppSessionGuid(x, x)
_EtwGetProcessAppSessionGuid@8 proc near ; CODE	XREF: EtwpInitStateChangeInfo+30p
					; MiLogReserveVaFailed+75p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, edx
		push	esi
		mov	eax, [esi+0E4h]
		mov	[edi], eax
		call	_PsGetProcessSessionId@4 ; PsGetProcessSessionId(x)
		mov	[edi+4], ax
		mov	ax, ds:0FFDF02C4h
		mov	[edi+6], ax
		mov	eax, [esi+100h]
		mov	[edi+8], eax
		mov	eax, [esi+104h]
		mov	[edi+0Ch], eax
		pop	edi
		pop	esi
		retn
_EtwGetProcessAppSessionGuid@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpInitStateChangeInfo	proc near	; CODE XREF: EtwTraceProcess+115p
					; EtwTraceAppStateChange+17DA71p

var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_20]
		stosd
		mov	ebx, edx
		push	62h		; size_t
		mov	esi, ecx
		mov	[ebp+var_C], ebx
		push	0		; int
		stosd
		push	ebx		; void *
		mov	[ebp+var_4], esi
		stosd
		stosd
		call	_memset
		add	esp, 0Ch
		lea	edx, [ebp+var_20]
		mov	ecx, esi
		call	_EtwGetProcessAppSessionGuid@8 ; EtwGetProcessAppSessionGuid(x,x)
		mov	ecx, [ebp+var_4]
		lea	edi, [ebx+15h]
		lea	esi, [ebp+var_20]
		movsd
		movsd
		movsd
		movsd
		call	_EtwpGetProcessStartKey@4 ; EtwpGetProcessStartKey(x)
		mov	[ebp+var_18], eax
		lea	edi, [ebx+2]
		mov	[ebp+var_14], edx
		lea	esi, [ebp+var_20]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ecx+3E8h]
		mov	[ebx+25h], eax

loc_753336:				; CODE XREF: EtwpInitStateChangeInfo+8Cj
					; EtwpInitStateChangeInfo+90j
		mov	edi, _EtwpAppStateChangeSequenceNumber
		mov	ebx, edi
		mov	esi, dword_6BC5C4
		add	ebx, 1
		mov	ecx, esi
		mov	[ebp+var_8], esi
		mov	edx, esi
		adc	ecx, 0
		mov	eax, edi
		mov	esi, offset _EtwpAppStateChangeSequenceNumber
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_8]
		cmp	eax, edi
		jnz	short loc_753336
		cmp	edx, esi
		jnz	short loc_753336
		mov	ecx, [ebp+var_C]
		add	edi, 1
		mov	edx, [ebp+var_4]
		adc	esi, 0
		mov	[ecx+52h], edi
		mov	[ecx+56h], esi
		mov	eax, [edx+3E8h]
		pop	edi
		mov	[ecx+5Ah], eax
		mov	eax, [edx+3ECh]
		pop	esi
		mov	[ecx+5Eh], eax
		pop	ebx
		leave
		retn
EtwpInitStateChangeInfo	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MmGetSessionCreateTime(x)
_MmGetSessionCreateTime@4 proc near	; CODE XREF: EtwQueryProcessTelemetryInfo+1E9p
					; EtwpWriteProcessStarted+1FDp
		mov	edx, [ecx+180h]
		test	edx, edx
		jz	short loc_7533B5
		test	dword ptr [ecx+3A8h], 1000h
		jnz	short loc_7533B5
		mov	eax, [edx+2458h]
		mov	edx, [edx+245Ch]
		retn
; 

loc_7533B5:				; CODE XREF: MmGetSessionCreateTime(x)+8j
					; MmGetSessionCreateTime(x)+14j
		xor	eax, eax
		xor	edx, edx
		retn
_MmGetSessionCreateTime@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpWriteProcessStarted	proc near	; CODE XREF: EtwTraceProcess+10Ap

var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D1128 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 180h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_154], eax
		mov	ebx, edx
		mov	esi, [edi+1C0h]
		test	esi, esi
		jz	loc_8D1128

loc_7533ED:				; CODE XREF: EtwpWriteProcessStarted+17DD73j
		cmp	dword_6B2A18, 5
		jbe	loc_7536A4
		push	0
		push	3
		mov	ecx, offset dword_6B2A18
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_7536A4
		mov	eax, [edi+100h]
		xor	edx, edx
		mov	[ebp+var_15C], eax
		mov	eax, [edi+104h]
		mov	[ebp+var_158], eax
		lea	eax, [ebp+var_15C]
		mov	[ebp+var_11C], eax
		mov	eax, [edi+0E4h]
		mov	[ebp+var_140], eax
		lea	eax, [ebp+var_140]
		mov	[ebp+var_10C], eax
		mov	eax, [edi+170h]
		push	4
		pop	ecx
		mov	[ebp+var_144], eax
		lea	eax, [ebp+var_144]
		push	edi
		mov	[ebp+var_118], edx
		mov	[ebp+var_114], 8
		mov	[ebp+var_110], edx
		mov	[ebp+var_108], edx
		mov	[ebp+var_104], ecx
		mov	[ebp+var_100], edx
		mov	[ebp+var_FC], eax
		mov	[ebp+var_F8], edx
		mov	[ebp+var_F4], ecx
		mov	[ebp+var_F0], edx
		call	_PsGetProcessSessionId@4 ; PsGetProcessSessionId(x)
		mov	[ebp+var_148], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_148]
		mov	[ebp+var_E8], ecx
		mov	[ebp+var_EC], eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_DC], eax
		mov	eax, [esi+4]
		mov	[ebp+var_CC], eax
		movzx	eax, word ptr [esi]
		mov	[ebp+var_E0], ecx
		mov	[ebp+var_D8], ecx
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_C8], ecx
		mov	[ebp+var_C0], ecx
		mov	ecx, edi
		mov	[ebp+var_E4], 4
		mov	[ebp+var_D4], 2
		mov	[ebp+var_C4], eax
		call	_EtwpGetProcessStartKey@4 ; EtwpGetProcessStartKey(x)
		mov	[ebp+var_164], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_164]
		mov	[ebp+var_B8], ecx
		mov	[ebp+var_BC], eax
		mov	eax, [edi+3E8h]
		mov	[ebp+var_16C], eax
		mov	eax, [edi+3ECh]
		mov	[ebp+var_168], eax
		lea	eax, [ebp+var_16C]
		mov	[ebp+var_AC], eax
		mov	eax, [edi+3F0h]
		mov	[ebp+var_174], eax
		mov	eax, [edi+3F4h]
		push	8
		pop	esi
		mov	[ebp+var_170], eax
		lea	eax, [ebp+var_174]
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_98], ecx
		mov	[ebp+var_90], ecx
		mov	ecx, edi
		mov	[ebp+var_160], edx
		mov	[ebp+var_B4], esi
		mov	[ebp+var_A4], esi
		mov	[ebp+var_9C], eax
		mov	[ebp+var_94], esi
		call	_MmGetSessionCreateTime@4 ; MmGetSessionCreateTime(x)
		mov	[ebp+var_17C], eax
		lea	eax, [ebp+var_17C]
		mov	[ebp+var_178], edx
		mov	[ebp+var_8C], eax
		xor	edi, edi
		mov	eax, [ebx]
		mov	[ebp+var_14C], eax
		lea	eax, [ebp+var_14C]
		mov	[ebp+var_84], esi
		mov	esi, [ebp+var_154]
		mov	[ebp+var_7C], eax
		mov	eax, [ebx+4]
		push	4
		pop	ecx
		mov	[ebp+var_150], eax
		lea	edx, [esi+8]
		mov	[ebp+var_74], ecx
		lea	eax, [ebp+var_150]
		mov	[ebp+var_64], ecx
		lea	ecx, [ebp+var_5C]
		mov	[ebp+var_88], edi
		mov	[ebp+var_80], edi
		mov	[ebp+var_78], edi
		mov	[ebp+var_70], edi
		mov	[ebp+var_6C], eax
		mov	[ebp+var_68], edi
		mov	[ebp+var_60], edi
		call	_tlgCreate1Sz_wchar_t
		lea	edx, [esi+108h]
		lea	ecx, [ebp+var_4C]
		call	_tlgCreate1Sz_wchar_t
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	loc_8D1132
		mov	ecx, [ecx]

loc_753649:				; CODE XREF: EtwpWriteProcessStarted+17DD7Ej
		mov	al, [ecx+1]
		movzx	eax, al
		mov	[ebp+var_3C], ecx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_38], edi
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_30], edi
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_2C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_1C], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_13C]
		push	eax
		push	13h
		push	edi
		push	edi
		push	offset loc_423697
		push	offset dword_6B2A18
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], 2
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_7536A4:				; CODE XREF: EtwpWriteProcessStarted+3Aj
					; EtwpWriteProcessStarted+50j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
EtwpWriteProcessStarted	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpWriteAppStateChange	proc near	; CODE XREF: EtwTraceProcess+123p
					; EtwTraceAppStateChange+17DB56p

var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D113D SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	dword_6B2A18, 5
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_7536F0
		push	2000h
		mov	edi, offset dword_6B2A18
		push	1
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_8D113D

loc_7536F0:				; CODE XREF: EtwpWriteAppStateChange+1Dj
					; EtwpWriteAppStateChange+17DAACj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
EtwpWriteAppStateChange	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTraceAppStateChange proc near	; CODE XREF: PsSetProcessTelemetryAppState+133p

var_2D0		= dword	ptr -2D0h
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_241		= byte ptr -241h
var_240		= dword	ptr -240h
var_AC		= dword	ptr -0ACh
var_92		= dword	ptr -92h
var_69		= dword	ptr -69h
var_65		= dword	ptr -65h
var_61		= dword	ptr -61h
var_5D		= dword	ptr -5Dh
var_59		= dword	ptr -59h
var_55		= dword	ptr -55h
var_51		= dword	ptr -51h
var_4D		= dword	ptr -4Dh
var_49		= dword	ptr -49h
var_45		= dword	ptr -45h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D1167 SIZE 00000387 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 2D0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	62h		; size_t
		lea	eax, [ebp+var_92]
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_248], edi
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_24C], esi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_30]
		push	2Ch		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	dword_6B2A18, 0
		jbe	short loc_753784
		xor	eax, eax
		mov	ecx, offset dword_6B2A18
		inc	eax
		push	6000h
		push	eax
		mov	[ebp+var_25C], eax
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_8D1167

loc_753784:				; CODE XREF: EtwTraceAppStateChange+63j
					; EtwTraceAppStateChange+17DC7Dj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
EtwTraceAppStateChange endp ; sp =  4

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInitHiveFromFile proc near		; CODE XREF: CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+95p
					; CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+144p ...

var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BB		= byte ptr -0BBh
var_BA		= byte ptr -0BAh
var_B9		= byte ptr -0B9h
var_B8		= dword	ptr -0B8h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_90		= dword	ptr -90h
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 008D14EE SIZE 00000177 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 12Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_F4], edx
		mov	esi, ecx
		mov	[ebp+var_D4], esi
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_F8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_FC], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_E8], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_108], eax
		lea	edi, [ebp+var_128]
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_C8], eax
		xor	eax, eax
		stosd
		push	0Ah
		pop	ecx
		push	6
		stosd
		mov	[ebp+var_F0], ebx
		stosd
		mov	[ebp+var_104], ebx
		mov	[ebp+var_C0], ebx
		mov	[ebp+var_EC], ebx
		stosd
		xor	eax, eax
		cmp	dword_6B2348, 4
		lea	edi, [ebp+var_B8]
		rep stosd
		pop	ecx
		lea	edi, [ebp+var_90]
		mov	[ebp+var_118], ebx
		rep stosd
		mov	[ebp+var_114], ebx
		mov	edi, offset dword_6B2348
		jbe	short loc_753855
		push	ebx
		push	8
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_8D14EE

loc_753855:				; CODE XREF: CmpInitHiveFromFile+A9j
					; CmpInitHiveFromFile+17DD8Ej
		mov	eax, [ebp+arg_8]
		mov	edi, ebx
		mov	edx, [ebp+var_F4]
		mov	ecx, edx
		and	[ebp+var_E4], ebx
		shr	eax, 13h
		and	eax, 40h
		mov	[ebp+var_BA], bl
		and	ecx, 8000h
		mov	[ebp+var_BB], bl
		mov	[ebp+var_100], ecx
		mov	ecx, eax
		mov	[ebp+var_D8], ebx
		mov	[ebp+var_C4], edi
		mov	[ebp+var_D0], ebx
		mov	[ebp+var_B9], 1
		jz	loc_753CAD
		or	ecx, 20h
		mov	[ebp+var_DC], ecx
		test	edx, 40000h
		jz	short loc_7538C3
		or	eax, 0A0h
		mov	[ebp+var_DC], eax

loc_7538C3:				; CODE XREF: CmpInitHiveFromFile+11Ej
		mov	[ebp+var_B9], bl

loc_7538C9:				; CODE XREF: CmpInitHiveFromFile+52Cj
					; CmpInitHiveFromFile+53Bj ...
		mov	eax, [ebp+var_F8]
		xor	edx, edx
		and	[ebp+var_110], 0
		mov	ecx, esi
		and	[ebp+var_10C], 0
		push	0
		and	dword ptr [eax], 0
		lea	eax, [ebp+var_110]
		push	0
		push	eax
		push	[ebp+var_E8]
		lea	eax, [ebp+var_EC]
		push	[ebp+var_DC]
		push	eax
		lea	eax, [ebp+var_D8]
		push	eax
		call	CmpOpenHiveFile
		mov	esi, eax
		test	esi, esi
		jns	loc_753998
		push	10h

loc_75391A:				; CODE XREF: CmpInitHiveFromFile+5DDj
					; CmpInitHiveFromFile+5F4j ...
		mov	ecx, [ebp+var_C8]
		xor	edx, edx
		push	esi
		push	1Ch
		call	SetFailureLocation

loc_75392A:				; CODE XREF: CmpInitHiveFromFile+4C8j
					; CmpInitHiveFromFile+17DE11j
		cmp	[ebp+var_BB], 0
		jnz	loc_753C65

loc_753937:				; CODE XREF: CmpInitHiveFromFile+4EFj
		mov	eax, [ebp+var_D8]
		test	eax, eax
		jnz	loc_753C8C

loc_753945:				; CODE XREF: CmpInitHiveFromFile+4FAj
		test	edi, edi
		jnz	loc_753C97

loc_75394D:				; CODE XREF: CmpInitHiveFromFile+505j
		test	ebx, ebx
		jnz	loc_753CA2

loc_753955:				; CODE XREF: CmpInitHiveFromFile+510j
		mov	eax, [ebp+var_E4]
		xor	ebx, ebx
		test	eax, eax
		jnz	loc_753CF8

loc_753965:				; CODE XREF: CmpInitHiveFromFile+567j
		push	4
		pop	edi
		cmp	dword_6B2348, edi
		jbe	short loc_753985
		push	ebx
		push	8
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_8D1631

loc_753985:				; CODE XREF: CmpInitHiveFromFile+1D6j
					; CmpInitHiveFromFile+17DEC8j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
; 

loc_753998:				; CODE XREF: CmpInitHiveFromFile+17Aj
		cmp	[ebp+var_EC], 2
		mov	eax, [ebp+var_DC]
		mov	[ebp+var_CC], eax
		jz	loc_753D04

loc_7539B1:				; CODE XREF: CmpInitHiveFromFile+57Ej
		cmp	[ebp+var_100], 0
		jz	loc_753CD8

loc_7539BE:				; CODE XREF: CmpInitHiveFromFile+555j
		test	[ebp+arg_8], 10000000h
		lea	eax, [ebp+var_F0]
		push	0
		push	[ebp+var_E4]
		push	0
		push	[ebp+var_E8]
		push	[ebp+var_CC]
		push	eax
		lea	eax, [ebp+var_C4]
		push	eax
		jnz	loc_753D2D
		mov	ecx, [ebp+var_D4]
		push	4
		pop	edx
		mov	[ebp+var_E0], 2
		call	CmpOpenHiveFile
		mov	esi, eax
		test	esi, esi
		js	loc_753D5E
		mov	edi, [ebp+var_C4]

loc_753A17:				; CODE XREF: CmpInitHiveFromFile+5D5j
		mov	ecx, [ebp+var_D4]
		lea	eax, [ebp+var_104]
		push	0
		push	[ebp+var_E4]
		push	0
		push	[ebp+var_E8]
		push	[ebp+var_CC]
		push	eax
		lea	eax, [ebp+var_D0]
		push	eax
		push	5
		pop	edx
		call	CmpOpenHiveFile
		mov	esi, eax
		mov	al, [ebp+var_B9]
		test	esi, esi
		js	loc_753D7A
		mov	ebx, [ebp+var_D0]

loc_753A5F:				; CODE XREF: CmpInitHiveFromFile+5C1j
					; CmpInitHiveFromFile+5ECj ...
		test	al, al
		jnz	short loc_753A82
		mov	ecx, [ebp+var_E0]
		cmp	ecx, 2
		jnz	loc_8D1568
		test	edi, edi
		jz	loc_753D91
		test	ebx, ebx
		jz	loc_8D1542

loc_753A82:				; CODE XREF: CmpInitHiveFromFile+2C9j
					; CmpInitHiveFromFile+608j ...
		cmp	[ebp+var_BB], 0
		jnz	short loc_753ABF
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	bl, al
		mov	[ebp+var_BB], bl
		test	bl, bl
		jz	loc_8D1584

loc_753AB3:				; CODE XREF: CmpInitHiveFromFile+17DDFAj
		mov	edi, [ebp+var_C4]
		mov	ebx, [ebp+var_D0]

loc_753ABF:				; CODE XREF: CmpInitHiveFromFile+2F1j
		cmp	[ebp+var_BA], 0
		jnz	loc_753D1B
		push	5
		pop	esi

loc_753ACF:				; CODE XREF: CmpInitHiveFromFile+585j
		mov	eax, [ebp+var_D8]
		and	[ebp+var_11C], 0
		push	154h		; size_t
		push	0		; int
		push	[ebp+var_C8]	; void *
		mov	[ebp+var_CC], esi
		mov	[ebp+var_128], eax
		mov	[ebp+var_124], edi
		mov	[ebp+var_120], ebx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_128]
		xor	ecx, ecx
		mov	edx, esi
		push	[ebp+var_C8]
		push	[ebp+var_108]
		push	ecx
		push	ecx
		push	[ebp+arg_8]
		push	[ebp+var_D4]
		push	eax
		push	ecx
		push	[ebp+var_E0]
		lea	ecx, [ebp+var_C0]
		push	[ebp+var_F4]
		call	_CmpCreateHive@48 ; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C000022Dh
		jz	loc_8D15AE
		test	esi, esi
		js	loc_8D15FA
		cmp	[ebp+var_CC], 0
		jz	short loc_753B78
		mov	eax, [ebp+var_C0]
		test	dword ptr [eax+980h], 800h
		jnz	loc_753DA5

loc_753B78:				; CODE XREF: CmpInitHiveFromFile+3C8j
					; CmpInitHiveFromFile+637j ...
		mov	esi, [ebp+var_D4]
		push	624E4D43h
		movzx	eax, word ptr [esi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_C0]
		mov	[ecx+4B4h], eax
		mov	ecx, [ebp+var_C0]
		cmp	dword ptr [ecx+4B4h], 0
		jz	short loc_753BE4
		mov	ax, [esi]
		mov	[ecx+4B0h], ax
		mov	eax, [ebp+var_C0]
		mov	cx, [esi]
		mov	[eax+4B2h], cx
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		mov	eax, [ebp+var_C0]
		push	dword ptr [esi+4] ; void *
		push	dword ptr [eax+4B4h] ; void *
		call	_memcpy
		mov	ecx, [ebp+var_C0]
		add	esp, 0Ch

loc_753BE4:				; CODE XREF: CmpInitHiveFromFile+40Fj
		mov	eax, [ecx+20h]
		test	byte ptr [eax+0FF8h], 4
		jnz	loc_8D161C

loc_753BF4:				; CODE XREF: CmpInitHiveFromFile+17DE94j
		push	4
		push	28h
		lea	eax, [ebp+var_B8]
		push	eax
		lea	eax, [ebp+var_118]
		push	eax
		push	[ebp+var_D8]
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		test	eax, eax
		js	short loc_753C33
		mov	ecx, [ebp+var_C0]
		mov	eax, [ebp+var_A8]
		mov	[ecx+9B8h], eax
		mov	eax, [ebp+var_A4]
		mov	[ecx+9BCh], eax

loc_753C33:				; CODE XREF: CmpInitHiveFromFile+47Bj
		mov	ecx, [ebp+var_C0]
		xor	esi, esi
		mov	eax, [ebp+var_10C]
		mov	[ecx+7Ch], eax
		mov	ecx, [ebp+var_F8]
		mov	eax, [ebp+var_C0]
		mov	[ecx], eax
		mov	ecx, [ebp+var_FC]
		mov	al, [ebp+var_BA]
		mov	[ecx], al
		jmp	loc_75392A
; 

loc_753C65:				; CODE XREF: CmpInitHiveFromFile+199j
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, [ebp+var_C4]
		mov	ebx, [ebp+var_D0]
		jmp	loc_753937
; 

loc_753C8C:				; CODE XREF: CmpInitHiveFromFile+1A7j
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_753945
; 

loc_753C97:				; CODE XREF: CmpInitHiveFromFile+1AFj
		push	edi
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_75394D
; 

loc_753CA2:				; CODE XREF: CmpInitHiveFromFile+1B7j
		push	ebx
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_753955
; 

loc_753CAD:				; CODE XREF: CmpInitHiveFromFile+109j
		test	[ebp+arg_8], 40000000h
		mov	[ebp+var_DC], eax
		jnz	short loc_753D22

loc_753CBC:				; CODE XREF: CmpInitHiveFromFile+593j
		mov	eax, [ebp+var_FC]
		cmp	[eax], bl
		jz	loc_7538C9
		or	ecx, 1
		mov	[ebp+var_DC], ecx
		jmp	loc_7538C9
; 

loc_753CD8:				; CODE XREF: CmpInitHiveFromFile+220j
		mov	ecx, [ebp+var_D8]
		lea	edx, [ebp+var_E4]
		call	CmpQueryFileSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		jns	loc_7539BE
		jmp	loc_8D15F3
; 

loc_753CF8:				; CODE XREF: CmpInitHiveFromFile+1C7j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_753965
; 

loc_753D04:				; CODE XREF: CmpInitHiveFromFile+213j
		mov	ecx, eax
		mov	[ebp+var_BA], 1
		or	ecx, 10h
		mov	[ebp+var_CC], ecx
		jmp	loc_7539B1
; 

loc_753D1B:				; CODE XREF: CmpInitHiveFromFile+32Ej
		xor	esi, esi
		jmp	loc_753ACF
; 

loc_753D22:				; CODE XREF: CmpInitHiveFromFile+522j
		or	ecx, 2
		mov	[ebp+var_DC], ecx
		jmp	short loc_753CBC
; 

loc_753D2D:				; CODE XREF: CmpInitHiveFromFile+251j
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_E0], ecx
		mov	edx, ecx
		mov	ecx, [ebp+var_D4]
		call	CmpOpenHiveFile
		mov	esi, eax
		mov	al, [ebp+var_B9]
		test	esi, esi
		js	loc_8D152B
		mov	edi, [ebp+var_C4]
		jmp	loc_753A5F
; 

loc_753D5E:				; CODE XREF: CmpInitHiveFromFile+273j
		xor	edi, edi
		cmp	[ebp+var_B9], 0
		mov	[ebp+var_C4], edi
		jz	loc_753A17
		push	40h
		jmp	loc_75391A
; 

loc_753D7A:				; CODE XREF: CmpInitHiveFromFile+2BBj
		xor	ebx, ebx
		mov	[ebp+var_D0], ebx
		test	al, al
		jz	loc_753A5F
		push	50h
		jmp	loc_75391A
; 

loc_753D91:				; CODE XREF: CmpInitHiveFromFile+2DCj
					; CmpInitHiveFromFile+17DDB8j
		test	ebx, ebx
		jnz	loc_8D1555

loc_753D99:				; CODE XREF: CmpInitHiveFromFile+17DDCBj
		and	[ebp+var_E0], 0
		jmp	loc_753A82
; 

loc_753DA5:				; CODE XREF: CmpInitHiveFromFile+3DAj
		lea	ecx, [ebp+var_90]
		call	CmpAttachToRegistryProcess
		mov	ecx, [ebp+var_C0]
		push	0Ch
		pop	edx
		call	CmpFlushHive
		xor	edx, edx
		lea	ecx, [ebp+var_90]
		mov	esi, eax
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		test	esi, esi
		jns	loc_753B78
		jmp	loc_8D1601
CmpInitHiveFromFile endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFlushHive	proc near		; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+265p
					; CmpDoFlushAll(x)+40p	...

var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C1		= byte ptr -0C1h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_A8		= dword	ptr -0A8h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D1665 SIZE 0000029B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	7
		mov	ebx, ecx
		mov	[ebp+var_BC], edx
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_24]
		push	4
		rep stosd
		xor	ecx, ecx
		pop	esi
		mov	[ebp+var_DC], ecx
		mov	[ebp+var_CC], ecx
		cmp	dword_6B2348, esi
		jbe	loc_753EB7
		lea	eax, [ebp+var_70]
		mov	[ebp+var_84], ecx
		mov	[ebp+var_88], eax
		mov	eax, [ebx+4BCh]
		mov	[ebp+var_78], eax
		movzx	eax, word ptr [ebx+4B8h]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_68], eax
		mov	eax, [ebx+4B4h]
		mov	[ebp+var_58], eax
		movzx	eax, word ptr [ebx+4B0h]
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	7
		push	ecx
		push	ecx
		push	offset loc_41A294
		push	offset dword_6B2348
		mov	[ebp+var_80], 2
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], 2
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_D4], edx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	edx, [ebp+var_BC]

loc_753EB7:				; CODE XREF: CmpFlushHive+41j
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_FLUSH_START
		mov	[ebp+var_D4], edx
		lea	edi, [ebp+var_B8]
		lea	eax, [ebp+var_B8]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		mov	[ebp+var_C8], esi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8D1665

loc_753EF4:				; CODE XREF: CmpFlushHive+17D979j
		mov	eax, [ebx+64h]
		test	eax, 8001h
		jz	short loc_753F56

loc_753EFE:				; CODE XREF: CmpFlushHive+81Dj
		xor	esi, esi

loc_753F00:				; CODE XREF: CmpFlushHive+604j
					; CmpFlushHive+624j ...
		mov	ecx, esi
		call	CmpTraceHiveFlushStop
		push	4
		pop	ecx
		cmp	dword_6B2348, ecx
		jbe	short loc_753F45
		and	[ebp+var_14], 0
		lea	eax, [ebp+var_D8]
		and	[ebp+var_C], 0
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	0
		push	0
		push	offset loc_41A2CB
		push	offset dword_6B2348
		mov	[ebp+var_D8], esi
		mov	[ebp+var_10], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_753F45:				; CODE XREF: CmpFlushHive+136j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_753F56:				; CODE XREF: CmpFlushHive+122j
		cmp	dword ptr [ebx+400h], 0
		jz	loc_754653
		test	al, 2
		mov	eax, [ebp+var_BC]
		jnz	loc_754645

loc_753F71:				; CODE XREF: CmpFlushHive+874j
		and	[ebp+var_C8], 0
		mov	ecx, eax
		shr	ecx, 4
		mov	edi, eax
		and	ecx, 1
		mov	[ebp+var_D0], ecx
		mov	ecx, eax
		and	ecx, 1
		and	edi, 2
		mov	[ebp+var_D8], ecx
		mov	[ebp+var_D4], edi

loc_753F9C:				; CODE XREF: CmpFlushHive+17DA0Bj
		test	ecx, ecx
		jnz	loc_8D1758
		xor	cl, cl
		call	CmpLockRegistryFreezeAware

loc_753FAB:				; CODE XREF: CmpFlushHive+17D983j
		mov	ecx, ebx
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		lea	esi, [ebx+9C8h]
		test	edi, edi
		jnz	loc_754403

loc_753FC0:				; CODE XREF: CmpFlushHive+63Aj
		mov	eax, [ebp+var_BC]

loc_753FC6:				; CODE XREF: CmpFlushHive+653j
					; CmpFlushHive+17D990j
		mov	edx, eax
		and	edx, 4
		jnz	loc_754483

loc_753FD1:				; CODE XREF: CmpFlushHive+6B2j
		lea	ecx, [ebx+9C0h]
		call	_CmpIsWriteQueueActive@4 ; CmpIsWriteQueueActive(x)
		test	al, al
		jnz	loc_8D1780
		mov	edx, [ebp+var_BC]
		lea	eax, [ebp+var_24]
		push	eax
		mov	ecx, ebx
		call	CmpGenerateFlushControlData
		cmp	dword_6B2348, 4
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_C0], eax
		jbe	short loc_75405C
		mov	[ebp+var_E0], eax
		xor	edx, edx
		push	4
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_E4], ecx
		pop	ecx
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_E4]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	ecx
		push	edx
		push	edx
		push	offset loc_41A249
		push	offset dword_6B2348
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], 4
		mov	[ebp+var_4C], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	eax, [ebp+var_24]

loc_75405C:				; CODE XREF: CmpFlushHive+22Ej
		test	eax, 358h
		jz	loc_7545EB
		test	al, 2
		jnz	loc_75443F

loc_75406F:				; CODE XREF: CmpFlushHive+67Cj
		test	al, 1
		jz	short loc_754081
		lea	ecx, [ebx+9C0h]
		call	_CmpAcquireWriteQueue@4	; CmpAcquireWriteQueue(x)
		mov	eax, [ebp+var_24]

loc_754081:				; CODE XREF: CmpFlushHive+297j
		test	eax, 110h
		mov	edi, eax
		mov	esi, 0C0000001h
		setnz	cl
		shr	edi, 6
		and	edi, 1
		mov	[ebp+var_C1], cl
		test	al, 8
		jz	short loc_7540CF
		mov	ecx, ebx
		call	_HvLockHiveWriter@4 ; HvLockHiveWriter(x)
		push	0
		push	1000h
		xor	edx, edx
		mov	ecx, ebx
		call	HvpMarkDirty
		mov	ecx, ebx
		test	al, al
		jz	loc_8D17EA
		call	HvUnlockHiveWriter
		mov	eax, [ebp+var_24]
		mov	cl, [ebp+var_C1]

loc_7540CF:				; CODE XREF: CmpFlushHive+2C4j
		test	eax, 158h
		jz	loc_754438
		mov	dl, cl
		mov	ecx, ebx
		push	edi
		call	HvStoreModifiedData
		mov	ecx, eax
		mov	eax, [ebp+var_24]

loc_7540E9:				; CODE XREF: CmpFlushHive+660j
		sub	ecx, 0
		jnz	loc_8D1807
		mov	esi, [ebp+var_CC]

loc_7540F8:				; CODE XREF: CmpFlushHive+17DA35j
		test	al, al
		js	loc_8D1817

loc_754100:				; CODE XREF: CmpFlushHive+17DA5Ej
		mov	eax, [ebp+var_14]
		mov	edi, [ebp+var_10]
		mov	[ebp+var_CC], eax

loc_75410C:				; CODE XREF: CmpFlushHive+17DA70j
		mov	ecx, ebx
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		test	byte ptr [ebp+var_C0], 80h
		jnz	loc_8D184F
		mov	eax, [ebp+var_20]

loc_754128:				; CODE XREF: CmpFlushHive+17DAA1j
		mov	[ebp+var_BC], eax
		mov	eax, [ebp+var_C0]
		test	al, 8
		jz	short loc_754176
		push	2
		pop	edx
		call	_CmpLogFlushPhaseStart@8 ; CmpLogFlushPhaseStart(x,x)
		lea	eax, [ebp+var_DC]
		push	eax
		push	ecx
		mov	ecx, ebx
		call	HvWriteLogFile
		mov	esi, eax
		push	esi
		push	2
		pop	edx
		call	_CmpLogFlushPhaseEnd@12	; CmpLogFlushPhaseEnd(x,x,x)
		test	esi, esi
		js	loc_754243
		mov	ecx, ebx
		call	_HvTruncateCurrentLogFileIfRequired@4 ;	HvTruncateCurrentLogFileIfRequired(x)
		or	[ebp+var_BC], 2
		mov	eax, [ebp+var_C0]

loc_754176:				; CODE XREF: CmpFlushHive+35Cj
		test	al, 10h
		jnz	loc_7544CE
		mov	edi, [ebp+var_D0]

loc_754184:				; CODE XREF: CmpFlushHive+728j
		push	4
		pop	edx
		call	_CmpLogFlushPhaseStart@8 ; CmpLogFlushPhaseStart(x,x)
		mov	eax, [ebp+var_C0]
		and	eax, 448h
		cmp	eax, 48h
		jnz	short loc_7541BB
		lea	edx, [ebx+44Ch]
		lea	ecx, [ebx+46Ch]
		call	_RtlMergeBitMaps@8 ; RtlMergeBitMaps(x,x)
		mov	ecx, ebx
		call	_HvFreeDirtyData@4 ; HvFreeDirtyData(x)
		or	[ebp+var_BC], 4

loc_7541BB:				; CODE XREF: CmpFlushHive+3C0j
		push	esi
		push	4
		pop	edx
		call	_CmpLogFlushPhaseEnd@12	; CmpLogFlushPhaseEnd(x,x,x)
		mov	eax, [ebp+var_C0]
		test	al, 20h
		jnz	loc_7545FC

loc_7541D2:				; CODE XREF: CmpFlushHive+83Fj
		and	eax, 45h
		cmp	al, 41h
		jnz	short loc_75421D
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, ebx
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		mov	eax, [ebp+var_BC]
		lea	ecx, [ebx+9C0h]
		mov	edx, [ecx+4]
		and	dword ptr [ecx+4], 0
		and	dword ptr [ecx], 0
		test	al, 2
		jnz	short loc_754204
		mov	esi, 0C0000001h

loc_754204:				; CODE XREF: CmpFlushHive+423j
		push	esi
		call	CmpWakeWriteQueueWaiters
		or	[ebp+var_BC], 10h
		mov	ecx, ebx
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_75421D:				; CODE XREF: CmpFlushHive+3FDj
		mov	eax, [ebp+var_C0]
		test	al, 40h
		jnz	loc_754497

loc_75422B:				; CODE XREF: CmpFlushHive+6EFj
		test	eax, 100h
		jnz	loc_754576

loc_754236:				; CODE XREF: CmpFlushHive+7D7j
		test	eax, 200h
		jnz	loc_754507

loc_754241:				; CODE XREF: CmpFlushHive+735j
					; CmpFlushHive+77Bj
		xor	esi, esi

loc_754243:				; CODE XREF: CmpFlushHive+382j
					; CmpFlushHive+6DCj ...
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, ebx
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		mov	eax, [ebp+var_C0]
		mov	ecx, [ebp+var_BC]
		test	esi, esi
		js	loc_8D189A

loc_754263:				; CODE XREF: CmpFlushHive+17DAC2j
					; CmpFlushHive+17DACBj	...
		test	cl, 20h
		jnz	loc_75445B

loc_75426C:				; CODE XREF: CmpFlushHive+68Fj
		test	esi, esi
		js	loc_8D18BC
		test	eax, 800h
		jnz	loc_7545B6

loc_75427F:				; CODE XREF: CmpFlushHive+80Cj
		test	eax, 1000h
		jnz	loc_75462A

loc_75428A:				; CODE XREF: CmpFlushHive+85Cj
					; CmpFlushHive+17DAE5j	...
		mov	eax, [ebp+var_C0]
		mov	edi, eax
		shr	edi, 6
		and	edi, 1
		jz	short loc_7542EC
		mov	ecx, ebx
		test	esi, esi
		js	loc_8D18EA
		call	HvUnCOWReconciledPages
		mov	ecx, ebx
		call	_HvFreeUnreconciledData@4 ; HvFreeUnreconciledData(x)
		test	byte ptr [ebp+var_C0], 1
		jz	loc_75461E
		mov	eax, [ebp+var_BC]
		test	al, 10h
		jnz	loc_75461E
		mov	ecx, ebx
		call	_HvResetLogFileStatusAll@4 ; HvResetLogFileStatusAll(x)
		and	dword ptr [ebx+74h], 0
		call	_HvIsCurrentLogSwappable@4 ; HvIsCurrentLogSwappable(x)
		test	al, al
		jz	short loc_7542E6
		xor	dl, dl
		call	_HvSwapLogFiles@8 ; HvSwapLogFiles(x,x)

loc_7542E6:				; CODE XREF: CmpFlushHive+503j
					; CmpFlushHive+84Bj ...
		mov	eax, [ebp+var_C0]

loc_7542EC:				; CODE XREF: CmpFlushHive+4BEj
		test	eax, 110h
		jz	short loc_754300
		mov	ecx, ebx
		call	_HvFreeUnreconciledData@4 ; HvFreeUnreconciledData(x)
		mov	eax, [ebp+var_C0]

loc_754300:				; CODE XREF: CmpFlushHive+517j
		test	al, 8
		mov	eax, [ebp+var_BC]
		jz	short loc_75432E
		test	al, 4
		jnz	short loc_75432E
		test	al, 2
		jz	loc_8D18F4
		test	edi, edi
		jnz	short loc_754321
		mov	ecx, ebx
		call	_HvUpdateUnreconciledVector@8 ;	HvUpdateUnreconciledVector(x,x)

loc_754321:				; CODE XREF: CmpFlushHive+53Ej
		mov	ecx, ebx
		call	_HvFreeDirtyData@4 ; HvFreeDirtyData(x)

loc_754328:				; CODE XREF: CmpFlushHive+17DB21j
		mov	eax, [ebp+var_BC]

loc_75432E:				; CODE XREF: CmpFlushHive+52Ej
					; CmpFlushHive+532j ...
		and	[ebp+var_D0], 0
		and	[ebp+var_C8], 0
		test	byte ptr [ebp+var_C0], 1
		jz	loc_754564
		test	al, 10h
		jnz	loc_754564
		mov	dl, 1

loc_754353:				; CODE XREF: CmpFlushHive+78Cj
		mov	eax, [ebp+var_C0]
		lea	ecx, [ebx+9C0h]
		shr	eax, 1
		and	al, 1
		mov	[ebp+var_C1], dl
		mov	[ebp+var_C0], eax
		mov	[ebp+var_CC], ecx
		test	dl, dl
		jz	loc_75456B
		mov	edx, [ebx+9C4h]
		and	dword ptr [ebx+9C4h], 0
		and	dword ptr [ecx], 0
		mov	[ebp+var_D0], edx

loc_754393:				; CODE XREF: CmpFlushHive+797j
		lea	ecx, [ebx+9C8h]
		test	al, al
		jnz	loc_75446E

loc_7543A1:				; CODE XREF: CmpFlushHive+6A4j
		mov	ecx, ebx
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		cmp	[ebp+var_C1], 0
		jz	short loc_7543D7
		mov	eax, [ebp+var_BC]
		mov	edx, [ebp+var_D0]
		mov	ecx, [ebp+var_CC]
		test	al, 2
		jz	loc_75463B
		push	0

loc_7543D2:				; CODE XREF: CmpFlushHive+866j
		call	CmpWakeWriteQueueWaiters

loc_7543D7:				; CODE XREF: CmpFlushHive+5DAj
		cmp	byte ptr [ebp+var_C0], 0
		jz	loc_753F00
		mov	edx, [ebp+var_C8]
		lea	ecx, [ebx+9C8h]
		test	edi, edi
		jz	loc_75455A
		push	esi

loc_7543F9:				; CODE XREF: CmpFlushHive+785j
		call	CmpWakeWriteQueueWaiters
		jmp	loc_753F00
; 

loc_754403:				; CODE XREF: CmpFlushHive+1E0j
		mov	ecx, esi
		call	_CmpIsWriteQueueActive@4 ; CmpIsWriteQueueActive(x)
		test	al, al
		jnz	loc_7545EB
		test	edi, edi
		jz	loc_753FC0
		lea	ecx, [ebx+9C0h]
		call	_CmpIsWriteQueueActive@4 ; CmpIsWriteQueueActive(x)
		test	al, al
		mov	eax, [ebp+var_BC]
		jz	loc_753FC6
		jmp	loc_8D1762
; 

loc_754438:				; CODE XREF: CmpFlushHive+2FAj
		xor	ecx, ecx
		jmp	loc_7540E9
; 

loc_75443F:				; CODE XREF: CmpFlushHive+28Fj
		mov	ecx, esi
		call	_CmpIsWriteQueueActive@4 ; CmpIsWriteQueueActive(x)
		test	al, al
		jnz	loc_8D176F
		call	_CmpAcquireWriteQueue@4	; CmpAcquireWriteQueue(x)
		mov	eax, [ebp+var_24]
		jmp	loc_75406F
; 

loc_75445B:				; CODE XREF: CmpFlushHive+48Cj
		and	dword ptr [ebx+9D4h], 0
		or	dword ptr [ebx+9D0h], 1
		jmp	loc_75426C
; 

loc_75446E:				; CODE XREF: CmpFlushHive+5C1j
		mov	eax, [ecx+4]
		and	dword ptr [ecx+4], 0
		and	dword ptr [ecx], 0
		mov	[ebp+var_C8], eax
		jmp	loc_7543A1
; 

loc_754483:				; CODE XREF: CmpFlushHive+1F1j
		mov	ecx, esi
		call	_CmpIsWriteQueueActive@4 ; CmpIsWriteQueueActive(x)
		test	al, al
		jz	loc_753FD1
		jmp	loc_8D176F
; 

loc_754497:				; CODE XREF: CmpFlushHive+44Bj
		push	5
		pop	edx
		call	_CmpLogFlushPhaseStart@8 ; CmpLogFlushPhaseStart(x,x)
		push	edi
		mov	dl, 1
		mov	ecx, ebx
		call	HvWriteHivePrimaryFile
		mov	esi, eax
		push	esi
		push	5
		pop	edx
		call	_CmpLogFlushPhaseEnd@12	; CmpLogFlushPhaseEnd(x,x,x)
		test	esi, esi
		js	loc_754243
		or	[ebp+var_BC], 20h
		mov	eax, [ebp+var_C0]
		jmp	loc_75422B
; 

loc_7544CE:				; CODE XREF: CmpFlushHive+39Ej
		push	3
		pop	edx
		call	_CmpLogFlushPhaseStart@8 ; CmpLogFlushPhaseStart(x,x)
		mov	edi, [ebp+var_D0]
		xor	dl, dl
		push	edi
		push	1
		mov	ecx, ebx
		call	HvValidateOrInvalidatePrimaryFileHeader
		mov	esi, eax
		push	esi
		push	3
		pop	edx
		call	_CmpLogFlushPhaseEnd@12	; CmpLogFlushPhaseEnd(x,x,x)
		test	esi, esi
		js	loc_8D188B
		or	[ebp+var_BC], 20h
		jmp	loc_754184
; 

loc_754507:				; CODE XREF: CmpFlushHive+461j
		mov	eax, [ebp+var_BC]
		test	al, 20h
		jnz	loc_754241
		push	7
		pop	edx
		call	_CmpLogFlushPhaseStart@8 ; CmpLogFlushPhaseStart(x,x)
		xor	edx, edx
		mov	ecx, ebx
		call	CmpFileFlushAndPurge
		test	eax, eax
		mov	eax, [ebp+var_BC]
		js	short loc_754539
		or	eax, 20h
		mov	[ebp+var_BC], eax

loc_754539:				; CODE XREF: CmpFlushHive+754j
		and	al, 20h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFFFh
		add	eax, 0C0000001h
		push	eax
		push	7
		pop	edx
		call	_CmpLogFlushPhaseEnd@12	; CmpLogFlushPhaseEnd(x,x,x)
		jmp	loc_754241
; 

loc_75455A:				; CODE XREF: CmpFlushHive+618j
		push	0C0000001h
		jmp	loc_7543F9
; 

loc_754564:				; CODE XREF: CmpFlushHive+569j
					; CmpFlushHive+571j
		xor	dl, dl
		jmp	loc_754353
; 

loc_75456B:				; CODE XREF: CmpFlushHive+59Dj
		mov	[ebp+var_CC], ecx
		jmp	loc_754393
; 

loc_754576:				; CODE XREF: CmpFlushHive+456j
		push	6
		pop	edx
		call	_CmpLogFlushPhaseStart@8 ; CmpLogFlushPhaseStart(x,x)
		push	edi
		push	1
		mov	dl, 1
		mov	ecx, ebx
		call	HvValidateOrInvalidatePrimaryFileHeader
		mov	esi, eax
		push	esi
		push	6
		pop	edx
		call	_CmpLogFlushPhaseEnd@12	; CmpLogFlushPhaseEnd(x,x,x)
		test	esi, esi
		js	loc_754243
		or	[ebp+var_BC], 20h
		mov	ecx, ebx
		call	HvTruncateAllLogFilesIfRequired
		mov	eax, [ebp+var_C0]
		jmp	loc_754236
; 

loc_7545B6:				; CODE XREF: CmpFlushHive+49Fj
		call	KeQueryUnbiasedInterruptTime
		mov	[ebx+998h], eax
		mov	eax, [ebp+var_C0]
		mov	[ebx+99Ch], edx
		test	eax, 1000h
		jnz	short loc_75462A
		xor	ecx, ecx
		xor	edx, edx
		push	0
		inc	ecx
		call	CmpArmLazyWriter
		mov	eax, [ebp+var_C0]
		jmp	loc_75427F
; 

loc_7545EB:				; CODE XREF: CmpFlushHive+287j
					; CmpFlushHive+632j ...
		mov	ecx, ebx
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		jmp	loc_753EFE
; 

loc_7545FC:				; CODE XREF: CmpFlushHive+3F2j
		mov	edx, [ebp+var_1C]
		mov	ecx, ebx
		shr	edx, 2
		and	dl, 1
		call	_HvSwapLogFiles@8 ; HvSwapLogFiles(x,x)
		or	[ebp+var_BC], 8
		mov	eax, [ebp+var_C0]
		jmp	loc_7541D2
; 

loc_75461E:				; CODE XREF: CmpFlushHive+4DDj
					; CmpFlushHive+4EBj
		mov	ecx, ebx
		call	_HvResetInactiveLogFileStatus@4	; HvResetInactiveLogFileStatus(x)
		jmp	loc_7542E6
; 

loc_75462A:				; CODE XREF: CmpFlushHive+4AAj
					; CmpFlushHive+7F8j
		xor	ecx, ecx
		xor	edx, edx
		push	1
		inc	ecx
		call	CmpArmLazyWriter
		jmp	loc_75428A
; 

loc_75463B:				; CODE XREF: CmpFlushHive+5F0j
		push	0C0000001h
		jmp	loc_7543D2
; 

loc_754645:				; CODE XREF: CmpFlushHive+191j
		or	eax, 0Ch
		mov	[ebp+var_BC], eax
		jmp	loc_753F71
; 

loc_754653:				; CODE XREF: CmpFlushHive+183j
		mov	esi, 0C000000Dh
		jmp	loc_753F00
CmpFlushHive	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpWriteAppStateChangeSummary proc near ; CODE	XREF: EtwTraceProcess+153p
					; EtwTraceAppStateChange+17DDCCp

var_338		= dword	ptr -338h
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_320		= dword	ptr -320h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2EC		= dword	ptr -2ECh
var_2E8		= dword	ptr -2E8h
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_266		= byte ptr -266h
var_265		= dword	ptr -265h
var_261		= dword	ptr -261h
var_258		= dword	ptr -258h
var_248		= dword	ptr -248h
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D1900 SIZE 000006C2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 33Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_270], eax
		push	7
		xor	eax, eax
		mov	[ebp+var_26C], edx
		cmp	dword_6B2A18, 0
		lea	edi, [ebp+var_265]
		pop	ecx
		rep stosd
		stosb
		jbe	short loc_7546B7
		push	2000h
		push	0
		mov	ecx, offset dword_6B2A18
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_8D1900

loc_7546B7:				; CODE XREF: EtwpWriteAppStateChangeSummary+3Ej
		mov	eax, 100h

loc_7546BC:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D2B8j
		mov	edi, [ebx+34Ch]
		xor	ecx, ecx
		mov	[ebp+var_274], edi
		cmp	edi, 0C0000139h
		jz	short loc_754742
		cmp	edi, 0C0000135h
		jz	short loc_754742

loc_7546DA:				; CODE XREF: EtwpWriteAppStateChangeSummary+F0j
		push	ebx
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		mov	esi, eax
		push	esi
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	short loc_754750
		mov	esi, offset _PspNullGuid

loc_7546F1:				; CODE XREF: EtwpWriteAppStateChangeSummary+F8j
		test	esi, esi
		jz	short loc_754705
		lea	edi, [ebp+var_258]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_274]

loc_754705:				; CODE XREF: EtwpWriteAppStateChangeSummary+95j
		mov	esi, [ebx+1C0h]
		test	esi, esi
		jz	short loc_754758

loc_75470F:				; CODE XREF: EtwpWriteAppStateChangeSummary+FFj
		cmp	dword_6B2A18, 5
		jbe	short loc_754731
		push	4000h
		push	0
		mov	ecx, offset dword_6B2A18
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_8D191B

loc_754731:				; CODE XREF: EtwpWriteAppStateChangeSummary+B8j
					; EtwpWriteAppStateChangeSummary+17D95Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_754742:				; CODE XREF: EtwpWriteAppStateChangeSummary+72j
					; EtwpWriteAppStateChangeSummary+7Aj
		mov	[ebp+var_265], eax
		mov	[ebp+var_261], ecx
		jmp	short loc_7546DA
; 

loc_754750:				; CODE XREF: EtwpWriteAppStateChangeSummary+8Cj
		add	esi, 2E8h
		jmp	short loc_7546F1
; 

loc_754758:				; CODE XREF: EtwpWriteAppStateChangeSummary+AFj
		mov	esi, (offset loc_403A20+4)
		jmp	short loc_75470F
EtwpWriteAppStateChangeSummary endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpOpenHiveFile	proc near		; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+1BFp
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+3B7p	...

var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008D1FC2 SIZE 00000113 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		mov	[ebp+var_B0], eax
		lea	edi, [ebp+var_34]
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_84], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_64], ecx
		mov	[ebp+var_A4], eax
		mov	eax, [ebp+arg_14]
		push	0Ah
		mov	[ebp+var_9C], eax
		mov	eax, [ebp+arg_18]
		pop	ecx
		mov	[ebp+var_A8], eax
		xor	eax, eax
		rep stosd
		push	6
		pop	edx
		mov	[ebp+var_98], ebx
		mov	ecx, edx
		mov	[ebp+var_AC], esi
		lea	edi, [ebp+var_4C]
		mov	[ebp+var_A0], eax
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], eax
		mov	[ebp+var_7C], edx
		mov	[ebp+var_50], eax
		mov	[ebp+var_78], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_58], eax
		mov	byte ptr [ebp+var_94], al
		mov	[ebp+var_80], eax
		mov	byte ptr [ebp+var_90], al
		mov	[esi], eax
		mov	[ebp+var_51], al
		mov	[ebp+var_8C], 2
		mov	[ebp+var_68], eax
		rep stosd
		lea	edi, [ebp+var_C8]
		mov	ecx, edx
		rep stosd
		cmp	ebx, edx
		jnb	loc_8D1FC2
		lea	eax, [ebp+var_70]
		xor	ecx, ecx
		push	eax
		lea	edx, [ebp+var_6C]
		call	_CmpCreateEvent@12 ; CmpCreateEvent(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_754A1B
		mov	edi, ds:_CmFileNameExtensions[ebx*4]
		test	edi, edi
		jnz	loc_754A4C
		mov	ecx, [ebp+var_64]
		mov	eax, [ecx]
		mov	[ebp+var_5C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_58], eax

loc_754853:				; CODE XREF: CmpOpenHiveFile+350j
		mov	ecx, [ebp+arg_8]
		mov	edx, ecx
		mov	eax, ecx
		and	edx, 20h
		jz	loc_754A2C
		xor	edi, edi
		shr	eax, 7
		inc	edi
		not	eax
		and	eax, edi

loc_75486D:				; CODE XREF: CmpOpenHiveFile+2E7j
		mov	[ebp+var_88], eax
		test	ebx, ebx
		jnz	loc_754AB5
		mov	eax, ecx
		mov	[ebp+var_7C], 80h
		and	al, 21h
		mov	[ebp+var_60], 0C024h
		cmp	al, 1
		setz	bl
		lea	ebx, ds:1[ebx*2]

loc_754899:				; CODE XREF: CmpOpenHiveFile+367j
		cmp	[ebp+var_84], 0
		jnz	loc_8D1FD6

loc_7548A6:				; CODE XREF: CmpOpenHiveFile+17D8CCj
		xor	edx, edx
		mov	[ebp+var_C8], 18h
		push	edx
		push	edx
		push	[ebp+var_60]
		mov	eax, ecx
		mov	[ebp+var_C4], edx
		and	eax, 40h
		mov	[ebp+var_B4], edx
		or	eax, 24h
		push	ebx
		mov	ebx, [ebp+var_88]
		shl	eax, 4
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_5C]
		push	ebx
		push	[ebp+var_7C]
		mov	[ebp+var_C0], eax
		mov	eax, [ebp+var_9C]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_78]
		push	edx
		push	eax
		lea	eax, [ebp+var_C8]
		push	eax
		push	edi
		lea	eax, [ebp+var_50]
		push	eax
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, [ebp+var_60]
		mov	esi, eax
		cmp	esi, 0C0000022h
		jz	loc_8D2031

loc_75491B:				; CODE XREF: CmpOpenHiveFile+17D8E9j
		cmp	[ebp+var_51], 0
		jnz	loc_8D204E

loc_754925:				; CODE XREF: CmpOpenHiveFile+17D912j
					; CmpOpenHiveFile+17D92Ej
		test	esi, esi
		js	loc_754AE9
		mov	ebx, [ebp+arg_8]
		mov	edi, [ebp+var_74]
		test	bl, 28h
		jz	loc_754B20

loc_75493C:				; CODE XREF: CmpOpenHiveFile+3F4j
		and	bl, 22h
		cmp	bl, 2
		jz	loc_754B6F
		xor	ebx, ebx

loc_75494A:				; CODE XREF: CmpOpenHiveFile+43Fj
					; CmpOpenHiveFile+447j
		push	ebx
		push	ebx
		push	4
		lea	eax, [ebp+var_A0]
		push	eax
		push	9C040h
		lea	eax, [ebp+var_78]
		push	eax
		push	ebx
		push	ebx
		push	[ebp+var_6C]
		push	[ebp+var_50]
		call	_ZwFsControlFile@40 ; ZwFsControlFile(x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 103h
		jz	loc_754AD8

loc_754976:				; CODE XREF: CmpOpenHiveFile+384j
		cmp	[ebp+var_98], 0
		jnz	short loc_7549D6
		cmp	edi, 2
		jz	short loc_7549A8
		push	5
		push	18h
		lea	eax, [ebp+var_4C]
		push	eax
		lea	eax, [ebp+var_78]
		push	eax
		push	[ebp+var_50]
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		test	eax, eax
		js	short loc_7549A8
		mov	eax, [ebp+var_44]
		or	eax, [ebp+var_40]
		jz	loc_8D20B4

loc_7549A8:				; CODE XREF: CmpOpenHiveFile+222j
					; CmpOpenHiveFile+23Aj	...
		mov	ebx, [ebp+var_A4]
		test	ebx, ebx
		jnz	loc_754AFC

loc_7549B6:				; CODE XREF: CmpOpenHiveFile+3BBj
		mov	eax, [ebp+var_A8]
		test	eax, eax
		jz	short loc_7549D4
		mov	ecx, [ebp+var_50]
		mov	edx, eax
		call	CmpQueryFileSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_8D20BC

loc_7549D4:				; CODE XREF: CmpOpenHiveFile+25Ej
		xor	ebx, ebx

loc_7549D6:				; CODE XREF: CmpOpenHiveFile+21Dj
		mov	ecx, [ebp+var_AC]
		mov	esi, ebx
		mov	eax, [ebp+var_50]
		mov	[ecx], eax
		mov	eax, [ebp+var_B0]
		mov	[eax], edi

loc_7549EB:				; CODE XREF: CmpOpenHiveFile+397j
					; CmpOpenHiveFile+17D94Fj
		mov	eax, [ebp+var_58]
		test	eax, eax
		jz	short loc_7549FE
		mov	ecx, [ebp+var_64]
		cmp	eax, [ecx+4]
		jnz	loc_754ACC

loc_7549FE:				; CODE XREF: CmpOpenHiveFile+290j
					; CmpOpenHiveFile+373j
		mov	eax, [ebp+var_68]
		test	eax, eax
		jnz	loc_8D20C9

loc_754A09:				; CODE XREF: CmpOpenHiveFile+17D871j
					; CmpOpenHiveFile+17D970j
		push	[ebp+var_6C]
		call	_ZwClose@4	; ZwClose(x)
		mov	ecx, [ebp+var_70]
		call	ObfDereferenceObject
		mov	eax, esi

loc_754A1B:				; CODE XREF: CmpOpenHiveFile+D0j
					; CmpOpenHiveFile+17D867j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
; 

loc_754A2C:				; CODE XREF: CmpOpenHiveFile+FDj
		and	al, 8
		movzx	edi, al
		neg	edi
		sbb	edi, edi
		and	edi, 0FFFFFFFDh
		add	edi, 3
		test	ebx, ebx
		jnz	short loc_754A45
		or	edi, 20000h

loc_754A45:				; CODE XREF: CmpOpenHiveFile+2DDj
		xor	eax, eax
		jmp	loc_75486D
; 

loc_754A4C:				; CODE XREF: CmpOpenHiveFile+DFj
		mov	ecx, edi
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_754A53:				; CODE XREF: CmpOpenHiveFile+2FCj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_754A53
		sub	ecx, edx
		sar	ecx, 1
		push	62774D43h
		lea	eax, ds:2[ecx*2]
		mov	ecx, [ebp+var_64]
		add	ax, [ecx]
		movzx	ebx, ax
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_58], eax
		test	eax, eax
		jz	loc_8D1FCC
		push	[ebp+var_64]
		xor	eax, eax
		mov	word ptr [ebp+var_5C+2], bx
		mov	word ptr [ebp+var_5C], ax
		lea	eax, [ebp+var_5C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	edi		; void *
		lea	eax, [ebp+var_5C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	ebx, [ebp+var_98]
		jmp	loc_754853
; 

loc_754AB5:				; CODE XREF: CmpOpenHiveFile+115j
		test	edx, edx
		jz	loc_754B59
		xor	ebx, ebx
		inc	ebx

loc_754AC0:				; CODE XREF: CmpOpenHiveFile+40Aj
		mov	[ebp+var_60], 800Ch
		jmp	loc_754899
; 

loc_754ACC:				; CODE XREF: CmpOpenHiveFile+298j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7549FE
; 

loc_754AD8:				; CODE XREF: CmpOpenHiveFile+210j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_70]
		call	KeWaitForSingleObject
		jmp	loc_754976
; 

loc_754AE9:				; CODE XREF: CmpOpenHiveFile+1C7j
		push	ebx
		push	edi
		mov	edx, esi
		lea	ecx, [ebp+var_5C]
		call	CmpLogHiveFileInaccessible

loc_754AF5:				; CODE XREF: CmpOpenHiveFile+17D8B9j
					; CmpOpenHiveFile+17D964j
		xor	ebx, ebx
		jmp	loc_7549EB
; 

loc_754AFC:				; CODE XREF: CmpOpenHiveFile+250j
		mov	ecx, [ebp+var_50]
		mov	edx, ebx
		call	CmpGetVolumeClusterSize
		mov	esi, eax
		test	esi, esi
		js	loc_8D20BC
		mov	ecx, [ebp+var_50]
		call	CmpGetVolumeLogFileSizeCap
		mov	[ebx+4], eax
		jmp	loc_7549B6
; 

loc_754B20:				; CODE XREF: CmpOpenHiveFile+1D6j
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		xor	eax, eax
		push	4
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	28h
		push	eax
		lea	eax, [ebp+var_78]
		push	eax
		push	[ebp+var_50]
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		jmp	loc_75493C
; 

loc_754B59:				; CODE XREF: CmpOpenHiveFile+357j
		mov	al, cl
		and	al, 10h
		movzx	ebx, al
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 0FFFFFFFDh
		add	ebx, 3
		jmp	loc_754AC0
; 

loc_754B6F:				; CODE XREF: CmpOpenHiveFile+1E2j
		xor	ebx, ebx
		lea	eax, [ebp+var_78]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	9004Fh
		push	eax
		push	ebx
		push	ebx
		push	[ebp+var_6C]
		push	[ebp+var_50]
		call	_ZwFsControlFile@40 ; ZwFsControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_8D2093

loc_754B99:				; CODE XREF: CmpOpenHiveFile+17D942j
		cmp	esi, 0C0000010h
		jz	loc_75494A
		test	esi, esi
		jns	loc_75494A
		jmp	loc_8D20A7
CmpOpenHiveFile	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCreateEvent(x, x, x)
_CmpCreateEvent@12 proc	near		; CODE XREF: CmpDoFileRead+3Ep
					; CmpGetVolumeClusterSize+75p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_24], 18h
		push	esi
		push	ecx
		lea	eax, [ebp+var_24]
		mov	[ebp+var_8], esi
		push	eax
		push	1F0003h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], esi
		push	eax
		mov	ebx, edx
		mov	[ebp+var_18], 240h
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_754C34
		push	esi
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], esi
		push	eax
		push	esi
		push	esi
		push	1F0003h
		push	[ebp+var_8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_754C34
		mov	eax, [ebp+var_8]
		mov	edi, esi
		mov	ecx, [ebp+arg_0]
		mov	[ebx], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_8], esi
		mov	[ecx], eax

loc_754C27:				; CODE XREF: CmpCreateEvent(x,x,x)+85j
		test	esi, esi
		jnz	short loc_754C39

loc_754C2B:				; CODE XREF: CmpCreateEvent(x,x,x)+8Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_754C34:				; CODE XREF: CmpCreateEvent(x,x,x)+44j
					; CmpCreateEvent(x,x,x)+61j
		mov	esi, [ebp+var_8]
		jmp	short loc_754C27
; 

loc_754C39:				; CODE XREF: CmpCreateEvent(x,x,x)+77j
		push	esi
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_754C2B
_CmpCreateEvent@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsSetProcessTelemetryAppState proc near	; CODE XREF: PspExitProcess+30p
					; PsThawProcess+10Bp ...

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D20D5 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		push	ebx
		push	esi
		push	edi
		push	8
		mov	esi, ecx
		lea	edi, [esp+84h+var_58]
		pop	ecx
		xor	eax, eax
		mov	ebx, edx
		rep stosd
		push	38h		; size_t
		xor	edi, edi
		lea	eax, [esp+84h+var_38]
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	ecx, large fs:124h
		add	esp, 0Ch
		mov	[esp+80h+var_70], ecx

loc_754C7C:				; CODE XREF: PsSetProcessTelemetryAppState+17D4A6j
		lea	edx, [esp+80h+var_58]
		mov	ecx, esi
		call	_PsGetProcessDeepFreezeStats@8 ; PsGetProcessDeepFreezeStats(x,x)
		mov	eax, [esp+80h+var_50]
		sub	eax, [esp+80h+var_48]
		mov	ecx, [esp+80h+var_4C]
		sbb	ecx, [esp+80h+var_44]
		sub	eax, [esi+3F8h]
		mov	[esp+80h+var_6C], eax
		mov	eax, [esp+80h+var_70]
		sbb	ecx, [esi+3FCh]
		mov	[esp+80h+var_68], ecx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+0E0h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+410h]
		mov	edx, [esi+414h]
		mov	[esp+80h+var_5C], eax
		mov	eax, edx
		shr	eax, 1Dh
		mov	[esp+80h+var_64], eax
		cmp	eax, 3
		jnz	loc_754D9C

loc_754CE6:				; CODE XREF: PsSetProcessTelemetryAppState+174j
					; PsSetProcessTelemetryAppState+17Ej ...
		or	eax, 0FFFFFFFFh
		lea	ecx, [esi+0E0h]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_754D8C

loc_754CFD:				; CODE XREF: PsSetProcessTelemetryAppState+155j
		call	KeAbPostRelease
		mov	ecx, [esp+80h+var_70]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, [esi+410h]
		mov	cl, 3Dh
		mov	edx, [esi+414h]
		call	__aullshr
		cmp	eax, 3
		jnz	short loc_754D83
		test	edx, edx
		jnz	short loc_754D83
		test	edi, edi
		jz	short loc_754D7A

loc_754D2B:				; CODE XREF: PsSetProcessTelemetryAppState+143j
		mov	eax, [esp+80h+var_58]
		lea	edx, [esp+80h+var_38]
		mov	[esp+80h+var_38], eax
		mov	ecx, esi
		mov	eax, [esp+80h+var_54]
		mov	[esp+80h+var_34], eax
		mov	eax, [esp+80h+var_50]
		mov	[esp+80h+var_30], eax
		mov	eax, [esp+80h+var_4C]
		mov	[esp+80h+var_2C], eax
		mov	eax, [esp+80h+var_48]
		mov	[esp+80h+var_10], eax
		mov	eax, [esp+80h+var_44]
		mov	[esp+80h+var_C], eax
		mov	eax, [esp+80h+var_6C]
		mov	[esp+80h+var_18], eax
		mov	eax, [esp+80h+var_68]
		mov	[esp+80h+var_14], eax
		mov	[esp+80h+var_4], ebx
		call	EtwTraceAppStateChange

loc_754D7A:				; CODE XREF: PsSetProcessTelemetryAppState+E7j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_754D83:				; CODE XREF: PsSetProcessTelemetryAppState+DFj
					; PsSetProcessTelemetryAppState+E3j
		test	edi, edi
		jnz	short loc_754D2B
		jmp	loc_8D20E6
; 

loc_754D8C:				; CODE XREF: PsSetProcessTelemetryAppState+B5j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi+0E0h]
		jmp	loc_754CFD
; 

loc_754D9C:				; CODE XREF: PsSetProcessTelemetryAppState+9Ej
		mov	eax, [esi+40Ch]
		cmp	eax, [esp+80h+var_54]
		mov	ecx, [esi+408h]
		mov	[esp+80h+var_60], eax
		mov	eax, [esp+80h+var_64]
		jb	short loc_754DC6
		ja	loc_754CE6
		cmp	ecx, [esp+80h+var_58]
		ja	loc_754CE6

loc_754DC6:				; CODE XREF: PsSetProcessTelemetryAppState+172j
		mov	[esp+80h+var_28], ecx
		mov	edi, 1FFFFFFFh
		mov	ecx, [esp+80h+var_60]
		and	edx, edi
		mov	[esp+80h+var_24], ecx
		mov	ecx, [esp+80h+var_5C]
		mov	[esp+80h+var_8], eax
		mov	[esp+80h+var_20], ecx
		mov	[esp+80h+var_1C], edx
		cmp	ebx, 5
		jz	loc_8D20D5

loc_754DF2:				; CODE XREF: PsSetProcessTelemetryAppState+17D496j
					; PsSetProcessTelemetryAppState+17D49Fj
		mov	eax, [esp+80h+var_58]
		xor	ecx, ecx
		or	ecx, [esp+80h+var_6C]
		mov	[esi+408h], eax
		mov	eax, [esp+80h+var_54]
		mov	[esi+40Ch], eax
		mov	eax, ebx
		cdq
		mov	edx, eax
		mov	[esi+410h], ecx
		mov	eax, [esp+80h+var_68]
		and	eax, edi
		shl	edx, 1Dh
		or	edx, eax
		xor	edi, edi
		mov	[esi+414h], edx
		inc	edi
		jmp	loc_754CE6
PsSetProcessTelemetryAppState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEtProcessSnapshotCreate proc	near	; CODE XREF: PopEtProcessSnapshotUpdate+97p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D20ED SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ecx+8]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+0Ch]
		mov	ebx, 1E0h
		push	54456F50h
		push	ebx
		push	1
		mov	[ebp+var_24], edx
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_14], esi
		test	esi, esi
		jz	loc_8D20F3
		push	ebx		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	esi		; void *
		call	_memset
		mov	edx, [ebp+var_10]
		lea	eax, [edi+10h]
		add	esp, 0Ch
		mov	[esi+4], edx
		lea	ecx, [esi+8]
		push	eax
		call	PopEtAggregateKeyCopyFromProcess
		lea	ecx, [esi+0Ch]
		xor	edx, edx
		call	_PopEtStringSet@8 ; PopEtStringSet(x,x)
		lea	esi, [edi+28h]
		mov	[ebp+var_8], ebx
		mov	edi, [esi+4]
		mov	eax, edi
		shr	eax, 5
		mov	[ebp+var_4], esi
		lea	ecx, [eax+eax]
		cmp	[esi], ecx
		jnb	short loc_754F06

loc_754EAA:				; CODE XREF: PopEtProcessSnapshotCreate+E7j
					; PopEtProcessSnapshotCreate+1D9j ...
		or	eax, 0FFFFFFFFh
		mov	edx, edi
		and	edi, 1Fh
		shr	edx, 5
		mov	ecx, edi
		mov	edi, [ebp+var_14]
		shl	eax, cl
		and	eax, [edi+4]
		mov	[ebp+var_20], eax
		mov	[ebp+var_10], eax
		movzx	eax, al
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		mov	eax, [ebp+var_20]
		movzx	eax, ah
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_10+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_10+3]
		imul	ecx, 25h
		add	ecx, eax
		dec	edx
		and	edx, ecx
		mov	ecx, [esi+8]
		mov	eax, [ecx+edx*4]
		mov	[edi], eax
		mov	eax, [ebp+var_24]
		mov	[ecx+edx*4], edi
		inc	dword ptr [esi]
		mov	[eax], edi

loc_754EFF:				; CODE XREF: PopEtProcessSnapshotCreate+17D2D0j
					; PopEtProcessSnapshotCreate+17D2E9j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_754F06:				; CODE XREF: PopEtProcessSnapshotCreate+78j
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_754EAA
		mov	esi, [ebp+var_8]
		cmp	esi, 4
		jnb	short loc_754F24
		push	4
		pop	esi

loc_754F24:				; CODE XREF: PopEtProcessSnapshotCreate+EFj
		mov	eax, esi
		push	ebx
		shl	eax, 2
		push	eax
		call	_PopEtBucketsAllocate@8	; PopEtBucketsAllocate(x,x)
		mov	edi, eax
		mov	[ebp+var_10], edi
		test	edi, edi
		jz	loc_755000
		lea	ecx, [esi-1]
		test	ecx, esi
		jz	short loc_754F55
		or	ecx, 0FFFFFFFFh
		test	esi, esi
		jz	short loc_754F50

loc_754F4B:				; CODE XREF: PopEtProcessSnapshotCreate+11Ej
		inc	ecx
		shr	esi, 1
		jnz	short loc_754F4B

loc_754F50:				; CODE XREF: PopEtProcessSnapshotCreate+119j
		xor	esi, esi
		inc	esi
		shl	esi, cl

loc_754F55:				; CODE XREF: PopEtProcessSnapshotCreate+112j
		mov	eax, 4000000h
		cmp	esi, eax
		jbe	short loc_754F60
		mov	esi, eax

loc_754F60:				; CODE XREF: PopEtProcessSnapshotCreate+12Cj
		mov	eax, [ebp+var_4]
		mov	edx, esi
		shl	edx, 2
		or	eax, 1
		mov	[ebp+var_C], edi
		lea	ecx, [edx+edi]
		shr	edx, 2
		cmp	ecx, edi
		sbb	ecx, ecx
		not	ecx
		and	ecx, edx
		ja	loc_755054

loc_754F82:				; CODE XREF: PopEtProcessSnapshotCreate+233j
		mov	edx, [ebp+var_4]
		or	edi, 0FFFFFFFFh
		mov	eax, [edx+4]
		mov	ecx, eax
		and	ecx, 1Fh
		shl	edi, cl
		mov	[ebp+var_1C], edi
		mov	edi, ebx
		test	eax, 0FFFFFFE0h
		jbe	loc_755024

loc_754FA2:				; CODE XREF: PopEtProcessSnapshotCreate+1F0j
		mov	edx, [edx+8]
		mov	[ebp+var_20], edx

loc_754FA8:				; CODE XREF: PopEtProcessSnapshotCreate+1CEj
		mov	ecx, [edx+edi*4]
		mov	[ebp+var_C], ecx
		test	ecx, 1
		jnz	short loc_755014
		mov	eax, [ecx]
		mov	[edx+edi*4], eax
		mov	edx, [ecx+4]
		and	edx, [ebp+var_1C]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	ebx, [ebp+var_C]
		imul	ecx, eax, 25h
		movzx	eax, dh
		mov	[ebp+var_8], edx
		lea	edx, [esi-1]
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+3]
		imul	ecx, 25h
		add	ecx, eax
		and	edx, ecx
		mov	ecx, [ebp+var_10]
		mov	eax, [ecx+edx*4]
		mov	[ebx], eax
		mov	eax, ebx
		mov	[ecx+edx*4], eax
		mov	edx, [ebp+var_20]
		jmp	short loc_754FA8
; 

loc_755000:				; CODE XREF: PopEtProcessSnapshotCreate+107j
		mov	esi, [ebp+var_4]
		mov	edi, [esi+4]
		cmp	edi, 20h
		jnb	loc_754EAA
		jmp	loc_8D20ED
; 

loc_755014:				; CODE XREF: PopEtProcessSnapshotCreate+184j
		mov	edx, [ebp+var_4]
		inc	edi
		mov	eax, [edx+4]
		shr	eax, 5
		cmp	edi, eax
		jb	short loc_754FA2
		xor	ebx, ebx

loc_755024:				; CODE XREF: PopEtProcessSnapshotCreate+16Cj
		mov	edi, [edx+4]
		mov	ecx, [edx+8]
		and	edi, 1Fh
		mov	eax, [ebp+var_10]
		shl	esi, 5
		or	edi, esi
		mov	[edx+8], eax
		mov	[edx+4], edi
		test	ecx, ecx
		jz	short loc_75504C
		push	ebx
		push	ecx
		call	_PopEtBucketsFree@8 ; PopEtBucketsFree(x,x)
		mov	edi, [ebp+var_18]
		mov	edi, [edi+2Ch]

loc_75504C:				; CODE XREF: PopEtProcessSnapshotCreate+20Dj
		mov	esi, [ebp+var_4]
		jmp	loc_754EAA
; 

loc_755054:				; CODE XREF: PopEtProcessSnapshotCreate+14Cj
		mov	edx, [ebp+var_C]
		mov	edi, ebx

loc_755059:				; CODE XREF: PopEtProcessSnapshotCreate+231j
		inc	edi
		mov	[edx], eax
		lea	edx, [edx+4]
		cmp	edi, ecx
		jb	short loc_755059
		jmp	loc_754F82
PopEtProcessSnapshotCreate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEtAggregateKeyCopyFromProcess proc near ; CODE XREF:	PopEtProcessSnapshotCreate+53p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D211E SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	eax, eax
		mov	[ebp+var_14], eax
		mov	ebx, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	esi, [edi+3E0h]
		mov	[ebp+var_8], eax
		mov	eax, [esi+1B8h]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+1BCh]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+8], 1
		jnz	loc_8D211E

loc_7550AA:				; CODE XREF: PopEtAggregateKeyCopyFromProcess+17D0D1j
		lea	edx, [ebp+var_1C]
		mov	ecx, ebx
		call	_PopEtAggregateKeyCopy@8 ; PopEtAggregateKeyCopy(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PopEtAggregateKeyCopyFromProcess endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PspGetProcessAccountingInformation(x, x)
_PspGetProcessAccountingInformation@8 proc near
					; CODE XREF: PspRemoveProcessFromJobChain+A5p
		mov	edi, edi
		push	esi
		lea	eax, [ecx+0F8h]
		lock bts dword ptr [eax], 1
		jb	short loc_7550DB
		push	0FFFFFFDFh
		pop	esi
		lock and [eax],	esi
		call	PsQueryStatisticsProcess
		mov	al, 1
		pop	esi
		retn
; 

loc_7550DB:				; CODE XREF: PspGetProcessAccountingInformation(x,x)+Ej
		xor	al, al
		pop	esi
		retn
_PspGetProcessAccountingInformation@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspChangeProcessExecutionState proc near
					; CODE XREF: PspExecuteJobFreezeThawCallback(x,x)+3Ap
					; PspRemoveProcessFromJobChain+15Cp ...

var_4C		= byte ptr -4Ch
var_4B		= byte ptr -4Bh
var_4A		= byte ptr -4Ah
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D213E SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		and	[esp+4Ch+var_3C], 0
		mov	edx, ecx
		push	ebx
		push	esi
		push	edi
		push	6
		xor	eax, eax
		mov	[esp+5Ch+var_48], edx
		pop	ecx
		lea	edi, [esp+58h+var_1C]
		rep stosd
		push	6
		pop	ecx
		lea	edi, [esp+58h+var_34]
		rep stosd
		xor	al, al
		xor	edi, edi
		mov	[esp+58h+var_49], al
		mov	[esp+58h+var_4B], al
		lea	eax, [edx+0F8h]
		mov	edx, [eax]
		mov	[esp+58h+var_40], eax
		mov	[esp+58h+var_44], edi
		test	edx, 40000000h
		jnz	short loc_755150

loc_75513C:				; CODE XREF: PspChangeProcessExecutionState+17D065j
		mov	ebx, edx
		mov	esi, edx
		shr	ebx, 1Ch
		shr	esi, 16h
		and	ebx, 3
		and	esi, 3
		cmp	ebx, esi
		jnz	short loc_755166

loc_755150:				; CODE XREF: PspChangeProcessExecutionState+5Aj
					; PspChangeProcessExecutionState+19Cj ...
		mov	ecx, [esp+58h+var_4]
		mov	eax, [esp+58h+var_3C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_755166:				; CODE XREF: PspChangeProcessExecutionState+6Ej
		mov	edi, [esp+58h+var_40]
		mov	ecx, edx
		or	ecx, 40000000h
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	edi, [esp+58h+var_44]
		cmp	eax, edx
		jnz	loc_8D213E

loc_755184:				; CODE XREF: PspChangeProcessExecutionState+17D095j
		mov	eax, ebx
		mov	[esp+58h+var_38], ebx
		xor	eax, esi
		mov	[esp+58h+var_4A], 0
		cmp	[esp+58h+var_4B], 0
		mov	esi, [esp+58h+var_48]
		mov	[esp+58h+var_44], eax
		jnz	short loc_7551E3
		lea	eax, [esp+58h+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	ecx, esi
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_7551DA
		mov	ecx, eax
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7551DA
		lea	edx, [esp+58h+var_34]
		mov	ecx, edi
		call	MmAttachSession
		test	eax, eax
		js	loc_8D2150

loc_7551DA:				; CODE XREF: PspChangeProcessExecutionState+D8j
					; PspChangeProcessExecutionState+E5j ...
		mov	eax, [esp+58h+var_44]
		mov	[esp+58h+var_4B], 1

loc_7551E3:				; CODE XREF: PspChangeProcessExecutionState+BEj
		test	al, 2
		jnz	loc_7552AB

loc_7551EB:				; CODE XREF: PspChangeProcessExecutionState+1D5j
					; PspChangeProcessExecutionState+210j
		test	al, 1
		jz	short loc_755205
		mov	dl, 1
		mov	[esp+58h+var_49], 1
		mov	ecx, esi
		test	bl, dl
		jz	loc_7552DB
		call	PsFreezeProcess

loc_755205:				; CODE XREF: PspChangeProcessExecutionState+10Dj
					; PspChangeProcessExecutionState+200j
		cmp	[esp+58h+var_4A], 0
		mov	esi, ebx
		jnz	loc_7552BA

loc_755212:				; CODE XREF: PspChangeProcessExecutionState+1F0j
					; PspChangeProcessExecutionState+17D08Ej
		mov	eax, [esp+58h+var_40]
		mov	edx, [eax]

loc_755218:				; CODE XREF: PspChangeProcessExecutionState+17D0A2j
		mov	ebx, edx
		shr	ebx, 1Ch
		and	ebx, 3
		cmp	ebx, [esp+58h+var_38]
		jnz	loc_8D2173

loc_75522A:				; CODE XREF: PspChangeProcessExecutionState+17D09Bj
		mov	ebx, [esp+58h+var_40]
		mov	ecx, esi
		shl	ecx, 6
		mov	eax, edx
		or	ecx, esi
		and	eax, 8F3FFFFFh
		shl	ecx, 16h
		or	ecx, eax
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	loc_8D2180
		cmp	[esp+58h+var_4B], 0
		jz	short loc_755277
		test	edi, edi
		jz	short loc_75526C
		lea	edx, [esp+58h+var_34]
		mov	ecx, edi
		call	MmDetachSession
		mov	ecx, edi
		call	ObfDereferenceObject

loc_75526C:				; CODE XREF: PspChangeProcessExecutionState+178j
		xor	edx, edx
		lea	ecx, [esp+58h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_755277:				; CODE XREF: PspChangeProcessExecutionState+174j
		cmp	[esp+58h+var_49], 0
		jz	loc_755150
		mov	ecx, ds:_PspMmcssExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	loc_755150
		push	[esp+58h+var_48]
		call	dword ptr [eax]
		mov	ecx, ds:_PspMmcssExtensionHost
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)
		jmp	loc_755150
; 

loc_7552AB:				; CODE XREF: PspChangeProcessExecutionState+105j
		test	bl, 2
		jz	short loc_7552E5
		mov	[esp+58h+var_4A], 1
		jmp	loc_7551EB
; 

loc_7552BA:				; CODE XREF: PspChangeProcessExecutionState+12Cj
		mov	ecx, [esp+58h+var_48]
		xor	edx, edx
		cmp	_PspOutSwapSharedPages,	edx
		setnz	dl
		call	MmOutSwapWorkingSet
		test	eax, eax
		jns	loc_755212
		jmp	loc_8D215E
; 

loc_7552DB:				; CODE XREF: PspChangeProcessExecutionState+11Aj
		call	PsThawProcess
		jmp	loc_755205
; 

loc_7552E5:				; CODE XREF: PspChangeProcessExecutionState+1CEj
		mov	ecx, esi
		call	MmInSwapWorkingSet
		mov	eax, [esp+58h+var_44]
		jmp	loc_7551EB
PspChangeProcessExecutionState endp

; 
		align 2

;  S U B	R O U T	I N E 


PopEtEnumEnergyTrackers	proc near	; CODE XREF: PoEnergyContextCleanup(x)+128p
					; PopEtEnergyContextProcessStateUpdate(x)+78p

; FUNCTION CHUNK AT 008D2187 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		xor	ecx, ecx

loc_7552FF:				; CODE XREF: PopEtEnumEnergyTrackers+33j
		call	_PopEtGetNextEnergyTracker@4 ; PopEtGetNextEnergyTracker(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_75531A
		xor	edi, edi

loc_75530C:				; CODE XREF: PopEtEnumEnergyTrackers+2Fj
		test	esi, esi
		jnz	loc_8D2187

loc_755314:				; CODE XREF: PopEtEnumEnergyTrackers+17CE9Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_75531A:				; CODE XREF: PopEtEnumEnergyTrackers+12j
		push	ebx
		push	esi
		call	_PopEtEnergyTrackerEnumSnapshotCallback@8 ; PopEtEnergyTrackerEnumSnapshotCallback(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_75530C
		mov	ecx, esi
		jmp	short loc_7552FF
PopEtEnumEnergyTrackers	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopEtGetNextEnergyTracker(x)
_PopEtGetNextEnergyTracker@4 proc near	; CODE XREF: PopEtEnumEnergyTrackers:loc_7552FFp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	ecx, _PopEtGlobals
		dec	word ptr [eax+13Ch]
		lea	ecx, [ecx+8]
		nop
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	esi, edi
		test	edi, edi
		jnz	short loc_75535D
		mov	esi, _PopEtGlobals

loc_75535D:				; CODE XREF: PopEtGetNextEnergyTracker(x)+29j
					; PopEtGetNextEnergyTracker(x)+49j
		mov	esi, [esi]
		cmp	esi, _PopEtGlobals
		jz	short loc_755379
		mov	edx, 74456F50h
		mov	ecx, esi
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	short loc_75535D
		mov	ebx, esi

loc_755379:				; CODE XREF: PopEtGetNextEnergyTracker(x)+39j
		mov	ecx, _PopEtGlobals
		add	ecx, 8
		cmp	dword ptr [ecx+4], 0
		jz	short loc_75538C
		and	dword ptr [ecx+4], 0

loc_75538C:				; CODE XREF: PopEtGetNextEnergyTracker(x)+5Aj
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		jz	short loc_7553A8
		mov	edx, 74456F50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_7553A8:				; CODE XREF: PopEtGetNextEnergyTracker(x)+6Ej
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
_PopEtGetNextEnergyTracker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtEnergyTrackerEnumSnapshotCallback(x, x)
_PopEtEnergyTrackerEnumSnapshotCallback@8 proc near ; CODE XREF: PopEtEnumEnergyTrackers+26p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ecx, esi
		mov	[esi+0Ch], eax
		call	PopEtProcessSnapshotUpdate
		and	dword ptr [esi+0Ch], 0
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	8
_PopEtEnergyTrackerEnumSnapshotCallback@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspQueryJobHierarchyProcessIdList proc near ; CODE XREF: PAGE:00757392p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	24h
		push	offset dword_6A0450
		call	__SEH_prolog4
		mov	ebx, edx
		mov	edi, ecx
		mov	[ebp+var_24], edi
		mov	edx, large fs:124h
		mov	[ebp+var_20], edx
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		lea	eax, [ebx+8]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFF8h
		mov	[ebp+var_30], eax
		and	[ebp+var_2C], 0
		mov	eax, [edi+90h]
		mov	[ebp+var_28], eax
		push	1
		lea	eax, [ebp+var_34]
		push	eax
		push	offset PspQueryProcessIdListCallback
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	esi, eax
		test	esi, esi
		js	short loc_755474

loc_75542A:				; CODE XREF: PspQueryJobHierarchyProcessIdList+AAj
		mov	ecx, [edi+90h]
		lea	ecx, ds:8[ecx*4]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [edi+90h]
		mov	[ebx], eax
		mov	eax, [ebp+var_2C]
		mov	[ebx+4], eax

loc_75544E:				; CODE XREF: sub_8D21A8+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_755455:				; CODE XREF: PspQueryJobHierarchyProcessIdList+ACj
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_24]
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_755474:				; CODE XREF: PspQueryJobHierarchyProcessIdList+58j
		cmp	esi, 80000005h
		jz	short loc_75542A
		jmp	short loc_755455
PspQueryJobHierarchyProcessIdList endp


;  S U B	R O U T	I N E 


; __stdcall PopEtAggregateKeyCopy(x, x)
_PopEtAggregateKeyCopy@8 proc near	; CODE XREF: PopEtAggregateKeyCopyFromProcess+47p
					; PopEtAggregateGet+72p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	esi, edx
		push	6
		pop	ecx
		mov	edi, ebx
		rep movsd
		mov	eax, [ebx]
		xor	edi, edi
		inc	edi
		test	eax, eax
		jz	short loc_7554B8
		test	dword ptr [eax+0Ch], 3FFh
		jz	short loc_7554B8
		lea	esi, [eax+8]
		mov	edx, [esi]
		lea	ecx, [edx+1]

loc_7554A8:				; CODE XREF: PopEtAggregateKeyCopy(x,x)+65j
		cmp	ecx, edi
		jbe	short loc_7554E5
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	ecx, eax
		cmp	ecx, edx
		jnz	short loc_7554E0

loc_7554B8:				; CODE XREF: PopEtAggregateKeyCopy(x,x)+17j
					; PopEtAggregateKeyCopy(x,x)+20j ...
		mov	eax, [ebx+4]
		test	eax, eax
		jnz	short loc_7554C3

loc_7554BF:				; CODE XREF: PopEtAggregateKeyCopy(x,x)+5Bj
					; PopEtAggregateKeyCopy(x,x):loc_7554EEj ...
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7554C3:				; CODE XREF: PopEtAggregateKeyCopy(x,x)+3Fj
		lea	esi, [eax+8]
		mov	ecx, [esi]
		lea	edx, [ecx+1]

loc_7554CB:				; CODE XREF: PopEtAggregateKeyCopy(x,x)+60j
		cmp	edx, edi
		jbe	short loc_7554EE
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	edx, eax
		cmp	edx, ecx
		jz	short loc_7554BF
		mov	ecx, edx
		inc	edx
		jmp	short loc_7554CB
; 

loc_7554E0:				; CODE XREF: PopEtAggregateKeyCopy(x,x)+38j
		mov	edx, ecx
		inc	ecx
		jmp	short loc_7554A8
; 

loc_7554E5:				; CODE XREF: PopEtAggregateKeyCopy(x,x)+2Cj
		jz	short loc_7554B8
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_7554B8
; 

loc_7554EE:				; CODE XREF: PopEtAggregateKeyCopy(x,x)+4Fj
		jz	short loc_7554BF
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_7554BF
_PopEtAggregateKeyCopy@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspRemoveProcessFromJobChain proc near	; CODE XREF: PspProcessDelete+138p
					; PspRundownSingleProcess(x,x)+21Fp ...

var_88		= dword	ptr -88h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_7		= byte ptr  0Fh

; FUNCTION CHUNK AT 008D21B3 SIZE 00000091 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1C], edx
		xor	ebx, ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		test	dword ptr [edi+3A8h], 1000h
		jnz	loc_8D21B3

loc_755523:				; CODE XREF: PspRemoveProcessFromJobChain+17CCC5j
		push	68h		; size_t
		lea	eax, [ebp+var_88]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	esi, large fs:124h
		lea	eax, [edi+0F8h]
		add	esp, 0Ch
		mov	[ebp+var_14], esi
		lock bts dword ptr [eax], 0
		setb	al
		mov	[ebp+var_2], bl
		neg	al
		sbb	al, al
		inc	al
		test	byte ptr [ebp+arg_0], 2
		mov	[ebp+var_1], al
		jnz	loc_75572C

loc_755563:				; CODE XREF: PspRemoveProcessFromJobChain+24Dj
					; PspRemoveProcessFromJobChain+261j
		lea	eax, [ebp+var_8]
		mov	[ebp+var_C], 1
		push	eax
		lea	eax, [ebp+var_10]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	PspLockRootJobFromProcess
		test	ds:_PerfGlobalGroupMask, 80000h
		jnz	loc_8D21C2

loc_75558B:				; CODE XREF: PspRemoveProcessFromJobChain+17CCD7j
		test	byte ptr [ebp+arg_0], 4
		jz	loc_7556D7
		lea	edx, [ebp+var_88]
		mov	ecx, edi
		call	_PspGetProcessAccountingInformation@8 ;	PspGetProcessAccountingInformation(x,x)
		mov	[ebp+arg_7], al

loc_7555A5:				; CODE XREF: PspRemoveProcessFromJobChain+1E2j
		mov	esi, [ebp+var_10]
		test	esi, esi
		jz	short loc_755601
		mov	eax, [ebp+arg_0]
		and	eax, 8
		mov	[ebp+var_18], eax

loc_7555B5:				; CODE XREF: PspRemoveProcessFromJobChain+104j
		push	ecx
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	_PspLockJobConditionally@12 ; PspLockJobConditionally(x,x,x)
		mov	al, [ebp+var_1]
		test	al, al
		jnz	loc_755667

loc_7555CB:				; CODE XREF: PspRemoveProcessFromJobChain+17Cj
					; PspRemoveProcessFromJobChain+188j
		cmp	[ebp+var_18], ebx
		jnz	loc_8D21D4

loc_7555D4:				; CODE XREF: PspRemoveProcessFromJobChain+17CCDEj
					; PspRemoveProcessFromJobChain+17CCEAj
		mov	edx, [ebp+var_1C]
		test	edx, edx
		jnz	loc_8D21E7

loc_7555DF:				; CODE XREF: PspRemoveProcessFromJobChain+17CCF7j
					; PspRemoveProcessFromJobChain+17CD03j	...
		cmp	[ebp+arg_7], bl
		jnz	loc_755685

loc_7555E8:				; CODE XREF: PspRemoveProcessFromJobChain+1C5j
					; PspRemoveProcessFromJobChain+1D4j ...
		mov	eax, ebx

loc_7555EA:				; CODE XREF: PspRemoveProcessFromJobChain+20Aj
		cmp	esi, [ebp+eax*4+var_8]
		jnz	loc_7556FE

loc_7555F4:				; CODE XREF: PspRemoveProcessFromJobChain+218j
		mov	esi, [esi+244h]
		test	esi, esi
		jnz	short loc_7555B5
		mov	esi, [ebp+var_10]

loc_755601:				; CODE XREF: PspRemoveProcessFromJobChain+B2j
		push	ecx
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	_PspLockJobConditionally@12 ; PspLockJobConditionally(x,x,x)
		test	byte ptr [ebp+arg_0], 1
		jnz	loc_7556DF
		cmp	[ebp+var_1], bl
		jz	short loc_755633
		test	byte ptr [edi+0F8h], 4
		jz	short loc_755633
		cmp	[ebp+var_2], bl
		jnz	short loc_755633
		push	ebx
		xor	edx, edx
		mov	ecx, edi
		call	PspRequestProcessExecutionState

loc_755633:				; CODE XREF: PspRemoveProcessFromJobChain+121j
					; PspRemoveProcessFromJobChain+12Aj ...
		cmp	esi, [ebp+ebx*4+var_8]
		jnz	loc_755715

loc_75563D:				; CODE XREF: PspRemoveProcessFromJobChain+22Fj
		mov	ebx, [ebp+var_14]
		mov	edx, ebx
		mov	ecx, [ebp+var_8]
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		dec	word ptr [ebx+13Ch]
		nop
		mov	ecx, edi
		call	PspChangeProcessExecutionState
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)

loc_755660:				; CODE XREF: PspRemoveProcessFromJobChain+201j
					; PspRemoveProcessFromJobChain+17CCBFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_755667:				; CODE XREF: PspRemoveProcessFromJobChain+CDj
		dec	dword ptr [esi+90h]
		test	byte ptr [edi+3A8h], 20h
		jz	loc_7555CB
		dec	dword ptr [esi+2CCh]
		jmp	loc_7555CB
; 

loc_755685:				; CODE XREF: PspRemoveProcessFromJobChain+EAj
		lea	eax, [ebp+var_88]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	_PspFoldProcessAccountingIntoJob@12 ; PspFoldProcessAccountingIntoJob(x,x,x)
		cmp	esi, [edi+158h]
		jnz	loc_75575E
		mov	eax, ds:_PspEnforcementSequenceNumber
		mov	ecx, [esi+2D0h]
		sub	ecx, eax
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, [ebp+var_C]
		mov	[ebp+var_C], ecx

loc_7556BA:				; CODE XREF: PspRemoveProcessFromJobChain+269j
		cmp	ecx, 1
		jnz	loc_7555E8
		mov	ecx, esi
		call	_PspIsEnforcementAccountingNonZero@4 ; PspIsEnforcementAccountingNonZero(x)
		test	al, al
		jz	loc_7555E8
		jmp	loc_8D2227
; 

loc_7556D7:				; CODE XREF: PspRemoveProcessFromJobChain+97j
		mov	[ebp+arg_7], bl
		jmp	loc_7555A5
; 

loc_7556DF:				; CODE XREF: PspRemoveProcessFromJobChain+118j
		mov	edx, edi
		mov	ecx, esi
		call	PspUnlinkJobProcess

loc_7556E8:				; CODE XREF: PspRemoveProcessFromJobChain+272j
		cmp	esi, [ebp+ebx*4+var_8]
		jnz	short loc_755766

loc_7556EE:				; CODE XREF: PspRemoveProcessFromJobChain+280j
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_8]
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		jmp	loc_755660
; 

loc_7556FE:				; CODE XREF: PspRemoveProcessFromJobChain+F6j
		inc	eax
		cmp	eax, 1
		jb	loc_7555EA
		lea	ecx, [esi+20h]
		call	ExReleaseResourceLite
		jmp	loc_7555F4
; 

loc_755715:				; CODE XREF: PspRemoveProcessFromJobChain+13Fj
		inc	ebx
		cmp	ebx, 1
		jb	loc_755633
		lea	ecx, [esi+20h]
		call	ExReleaseResourceLite
		jmp	loc_75563D
; 

loc_75572C:				; CODE XREF: PspRemoveProcessFromJobChain+65j
		test	dword ptr [edi+0FCh], 4000000h
		setnz	cl
		test	byte ptr [edi+3A8h], 40h
		setz	al
		test	cl, al
		jz	loc_755563
		mov	edx, [ebp+0Ch]
		mov	ecx, edi
		call	_PsTerminateProcess@8 ;	PsTerminateProcess(x,x)
		mov	[ebp+var_2], 1
		jmp	loc_755563
; 

loc_75575E:				; CODE XREF: PspRemoveProcessFromJobChain+1A3j
		mov	ecx, [ebp+var_C]
		jmp	loc_7556BA
; 

loc_755766:				; CODE XREF: PspRemoveProcessFromJobChain+1F4j
		inc	ebx
		cmp	ebx, 1
		jb	loc_7556E8
		lea	ecx, [esi+20h]
		call	ExReleaseResourceLite
		jmp	loc_7556EE
PspRemoveProcessFromJobChain endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspLockJobConditionally(x, x, x)
_PspLockJobConditionally@12 proc near	; CODE XREF: .text:005117B6p
					; .text:005E7633p ...
		xor	eax, eax

loc_755780:				; CODE XREF: PspLockJobConditionally(x,x,x)+Ej
		cmp	ecx, [edx+eax*4]
		jnz	short loc_755788

locret_755785:				; CODE XREF: PspLockJobConditionally(x,x,x)+1Bj
		retn	4
; 

loc_755788:				; CODE XREF: PspLockJobConditionally(x,x,x)+5j
		inc	eax
		cmp	eax, 1
		jb	short loc_755780
		push	1
		lea	eax, [ecx+20h]
		push	eax
		call	ExAcquireResourceExclusiveLite
		jmp	short locret_755785
_PspLockJobConditionally@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsEnumProcesses	proc near		; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+D4p
					; EtwpProcessThreadImageRundown+9Dp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D2244 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		mov	[ebp+var_4], edi
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)

loc_7557B3:				; CODE XREF: PsEnumProcesses+35j
		mov	esi, eax
		test	esi, esi
		jz	short loc_7557D3
		push	ebx
		push	esi
		call	edi
		mov	edi, eax
		mov	ecx, esi
		test	edi, edi
		js	loc_8D2244
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	edi, [ebp+var_4]
		jmp	short loc_7557B3
; 

loc_7557D3:				; CODE XREF: PsEnumProcesses+1Bj
		xor	eax, eax

loc_7557D5:				; CODE XREF: PsEnumProcesses+17CAB4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PsEnumProcesses	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpPrivSourceEnum(x, x, x)
_PfpPrivSourceEnum@12 proc near		; CODE XREF: PAGE:0077D390p

var_164		= dword	ptr -164h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_140		= dword	ptr -140h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_118		= dword	ptr -118h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_97		= byte ptr -97h
var_95		= dword	ptr -95h
var_90		= dword	ptr -90h
var_44		= dword	ptr -44h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	154h
		push	offset dword_6A0470
		call	__SEH_prolog4_GS
		mov	[ebp+var_A0], edx
		mov	esi, ecx
		mov	[ebp+var_108], esi
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C0], eax
		push	9
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_44]
		rep stosd
		lea	edi, [ebp+var_140]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_130]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	byte ptr [ebp+var_95], 0
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_164]
		rep stosd
		and	[ebp+var_BC], eax
		lea	edi, [ebp+var_B4]
		stosd
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[ebp+var_9C], edi
		mov	[ebp+var_110], edi
		xor	ebx, ebx
		xor	eax, eax
		mov	[ebp+var_A4], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_B8], eax
		mov	ecx, [esi+10h]
		cmp	ecx, 0Ch
		jnb	short loc_755878

loc_75586E:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+1D4j
		mov	esi, 0C0000023h
		jmp	loc_755D8D
; 

loc_755878:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+92j
		and	[ebp+ms_exc.disabled], ebx
		test	dl, dl
		jz	short loc_755894
		push	4
		push	ecx
		push	eax
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	eax, [ebp+var_B8]
		mov	edx, [ebp+var_A0]

loc_755894:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+A3j
		mov	esi, eax
		lea	edi, [ebp+var_95+1]
		movsd
		movsd
		movsd
		and	dword ptr [eax+8], 0
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_95+1],	8
		jz	short loc_7558C3

loc_7558B3:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+FAj
					; PfpPrivSourceEnum(x,x,x)+101j
		mov	esi, 0C000000Dh

loc_7558B8:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+13Bj
					; PfpPrivSourceEnum(x,x,x)+286j ...
		mov	edi, [ebp+var_9C]
		jmp	loc_755D8D
; 

loc_7558C3:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+D7j
		mov	eax, [ebp+var_90]
		mov	[ebp+var_A0], eax
		test	eax, 0FFFFFFF8h
		jnz	short loc_7558B3
		and	eax, 3
		cmp	al, 3
		jz	short loc_7558B3
		push	edx
		push	ds:dword_A949EC
		push	ds:_SeProfileSingleProcessPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_755920
		lea	edx, [ebp+var_95]
		xor	ecx, ecx
		call	_SeIsAppContainerOrIdentifyLevelContext@8 ; SeIsAppContainerOrIdentifyLevelContext(x,x)
		mov	esi, eax
		cmp	esi, 0C00000A5h
		jnz	short loc_755913
		mov	byte ptr [ebp+var_95], 1
		jmp	short loc_755917
; 

loc_755913:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+12Ej
		test	esi, esi
		js	short loc_7558B8

loc_755917:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+137j
		mov	byte ptr [ebp-96h], 0
		jmp	short loc_755927
; 

loc_755920:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+117j
		mov	byte ptr [ebp-96h], 1

loc_755927:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+144j
		cmp	byte ptr [ebp+var_95], 0
		jnz	short loc_755959
		mov	[ebp+var_B0], 1
		xor	ecx, ecx
		jmp	short loc_755946
; 

loc_75593E:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+17Bj
		inc	[ebp+var_B0]
		mov	ecx, edi

loc_755946:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+162j
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	edi, eax
		test	edi, edi
		mov	[ebp+var_9C], edi
		jnz	short loc_75593E
		jmp	short loc_75595F
; 

loc_755959:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+154j
		mov	edi, [ebp+var_9C]

loc_75595F:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+17Dj
		xor	ecx, ecx
		jmp	short loc_75596B
; 

loc_755963:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+19Cj
		inc	[ebp+var_B0]
		mov	ecx, ebx

loc_75596B:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+187j
		xor	dl, dl
		call	ExGetNextProcess
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_755963
		mov	eax, [ebp+var_B0]
		push	40h
		pop	ecx
		mul	ecx
		add	eax, 0Ch
		adc	edx, ebx
		mov	[ebp+var_118], edx
		jnz	loc_755D55
		cmp	eax, 0FFFFFFFFh
		ja	loc_755D55
		mov	[ebp+var_A4], eax
		mov	edx, [ebp+var_108]
		mov	edx, [edx+10h]
		cmp	eax, edx
		ja	loc_75586E
		lea	eax, [edx-0Ch]
		shr	eax, 6
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+var_B8]
		mov	[ebp+var_B4], eax
		cmp	byte ptr [ebp+var_95], bl
		jnz	loc_755B31
		push	ecx		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_104]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	offset ??_C@_0M@PEBBHHKC@KernelSpace@NNGAKEGL@ ; "KernelSpace"
		push	10h
		pop	edx
		lea	ecx, [ebp+var_E4]
		call	_RtlStringCbCopyA@12 ; RtlStringCbCopyA(x,x,x)
		push	ebx
		push	24h
		lea	eax, [ebp+var_44]
		push	eax
		push	77h
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_755D8D
		lea	ecx, [ebp+var_140]
		call	_MmQuerySystemMemoryInformation@8 ; MmQuerySystemMemoryInformation(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_755D8D
		mov	ecx, [ebp+var_44]
		shr	ecx, 0Ch
		mov	[ebp+var_F0], ecx
		mov	eax, [ebp+var_140]
		mov	[ebp+var_EC], eax
		cmp	eax, ecx
		ja	short loc_755A4B
		mov	[ebp+var_EC], ecx

loc_755A4B:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+269j
		lea	edx, [ebp+var_104]
		lea	ecx, [ebp+var_B4]
		call	PfpPrivSourceAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7558B8
		xor	ecx, ecx
		jmp	loc_755B1C
; 

loc_755A6D:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+351j
		push	40h		; size_t
		push	0		; int
		lea	eax, [ebp+var_104]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_104], 1
		mov	ecx, edi
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_100], eax
		cmp	byte ptr [ebp-96h], 0
		jz	short loc_755AAB
		call	_MmGetSessionGlobalVA@4	; MmGetSessionGlobalVA(x)
		mov	[ebp+var_F4], eax

loc_755AAB:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+2C4j
		mov	edx, [edi+180h]
		lea	ecx, [ebp+var_130]
		call	_MiFillSessionWorkingSetEntry@8	; MiFillSessionWorkingSetEntry(x,x)
		mov	eax, [ebp+var_120]
		mov	[ebp+var_F0], eax
		mov	eax, [ebp+var_12C]
		mov	[ebp+var_D0], eax
		mov	eax, [ebp+var_128]
		mov	[ebp+var_EC], eax
		mov	eax, [ebp+var_124]
		mov	[ebp+var_D4], eax
		push	offset ??_C@_07FFOFCADM@Session@NNGAKEGL@
		push	10h
		pop	edx
		lea	ecx, [ebp+var_E4]
		call	_RtlStringCbCopyA@12 ; RtlStringCbCopyA(x,x,x)
		lea	edx, [ebp+var_104]
		lea	ecx, [ebp+var_B4]
		call	PfpPrivSourceAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7558B8
		mov	ecx, edi

loc_755B1C:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+28Ej
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	edi, eax
		test	edi, edi
		mov	[ebp+var_9C], edi
		jnz	loc_755A6D

loc_755B31:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+1F8j
		mov	dl, byte ptr [ebp+var_95]
		xor	ecx, ecx
		call	ExGetNextProcess
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_755D45
		mov	esi, [ebp+var_A0]
		and	esi, 4
		mov	[ebp+var_A0], esi

loc_755B57:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+565j
		push	40h		; size_t
		push	0		; int
		lea	eax, [ebp+var_104]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	short loc_755B7B
		test	byte ptr [ebx+3A8h], 1
		jnz	loc_755D2E

loc_755B7B:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+392j
		mov	[ebp+var_104], 2
		mov	ecx, [ebx+0E4h]
		mov	[ebp+var_100], ecx
		mov	eax, [ebx+1DCh]
		mov	[ebp+var_FC], eax
		mov	edx, [ebx+100h]
		mov	eax, [ebx+104h]
		xor	eax, ecx
		xor	eax, edx
		and	eax, 1FFFFFFFh
		shr	edx, 3
		and	edx, 1C000000h
		xor	eax, edx
		mov	[ebp+var_F8], eax
		cmp	byte ptr [ebp-96h], 0
		jz	short loc_755BD2
		mov	[ebp+var_F4], ebx

loc_755BD2:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+3F0j
		mov	eax, [ebx+28Ch]
		mov	[ebp+var_F0], eax
		mov	ecx, [ebx+288h]
		cmp	eax, ecx
		mov	[ebp+var_D0], eax
		ja	short loc_755BF4
		mov	[ebp+var_D0], ecx

loc_755BF4:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+412j
		mov	eax, [ebx+14Ch]
		mov	[ebp+var_EC], eax
		mov	eax, [ebp+var_F0]
		cmp	[ebp+var_EC], eax
		ja	short loc_755C14
		mov	[ebp+var_EC], eax

loc_755C14:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+432j
		mov	ecx, ebx
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_E8], eax
		mov	[ebp+var_97], 0
		push	0
		lea	edx, [ebp+var_97]
		call	_PsQueryProcessAttributes@12 ; PsQueryProcessAttributes(x,x,x)
		mov	ecx, ebx
		call	_SmStoreExistsForProcess@4 ; SmStoreExistsForProcess(x)
		mov	esi, eax
		and	esi, 1
		shl	esi, 3
		movzx	ecx, [ebp+var_97]
		and	ecx, 1
		or	esi, ecx
		mov	ecx, [ebp+var_C8]
		and	ecx, 0FFFFFFF6h
		or	esi, ecx
		mov	[ebp+var_C8], esi
		lea	edx, [ebp+var_164]
		mov	ecx, ebx
		call	_PsGetProcessDeepFreezeStats@8 ; PsGetProcessDeepFreezeStats(x,x)
		mov	eax, [ebp+var_14C]
		or	eax, [ebp+var_148]
		jz	short loc_755CA3
		or	esi, 2
		mov	[ebp+var_C8], esi
		push	0
		push	2710h
		push	[ebp+var_148]
		push	[ebp+var_14C]
		call	__aulldiv
		mov	[ebp+var_CC], eax

loc_755CA3:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+4A0j
		cmp	byte ptr [ebx+2A2h], 2
		jnz	short loc_755CB5
		or	esi, 4
		mov	[ebp+var_C8], esi

loc_755CB5:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+4D0j
		lea	eax, [ebx+1ACh]
		push	eax
		push	10h
		pop	edx
		lea	ecx, [ebp+var_E4]
		call	_RtlStringCbCopyA@12 ; RtlStringCbCopyA(x,x,x)
		test	byte ptr [ebp+var_90], 1
		jz	short loc_755CE2
		lea	edx, [ebp+var_D4]
		mov	ecx, ebx
		call	_MmQueryProcessWorkingSetSwapPages@8 ; MmQueryProcessWorkingSetSwapPages(x,x)
		jmp	short loc_755D0D
; 

loc_755CE2:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+4F7j
		test	byte ptr [ebp+var_90], 2
		jz	short loc_755D0D
		push	0
		lea	edx, [ebp+var_BC]
		mov	ecx, ebx
		call	SmProcessQueryStoreStats
		test	eax, eax
		js	short loc_755D0D
		mov	eax, [ebp+var_BC]
		shr	eax, 0Ch
		mov	[ebp+var_D4], eax

loc_755D0D:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+506j
					; PfpPrivSourceEnum(x,x,x)+50Fj ...
		lea	edx, [ebp+var_104]
		lea	ecx, [ebp+var_B4]
		call	PfpPrivSourceAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7558B8
		mov	esi, [ebp+var_A0]

loc_755D2E:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+39Bj
		mov	dl, byte ptr [ebp+var_95]
		mov	ecx, ebx
		call	ExGetNextProcess
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_755B57

loc_755D45:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+368j
		mov	eax, [ebp+var_AC]
		shl	eax, 6
		add	eax, 0Ch
		xor	esi, esi
		jmp	short loc_755D87
; 

loc_755D55:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+1B4j
					; PfpPrivSourceEnum(x,x,x)+1BDj
		mov	esi, 0C000009Ah
		jmp	short loc_755D8D
; 

loc_755D5C:				; DATA XREF: .text:006A0484o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_10C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_755D6D:				; DATA XREF: .text:006A0488o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_10C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_110]
		mov	ebx, edi
		mov	eax, ebx

loc_755D87:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+579j
		mov	[ebp+var_A4], eax

loc_755D8D:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+99j
					; PfpPrivSourceEnum(x,x,x)+E4j	...
		test	edi, edi
		jz	short loc_755D98
		mov	ecx, edi
		call	ObfDereferenceObject

loc_755D98:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+5B5j
		test	ebx, ebx
		jz	short loc_755DA8
		mov	edx, 6E457350h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_755DA8:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+5C0j
		cmp	esi, 0C0000023h
		jnz	short loc_755DE6
		mov	eax, [ebp+var_AC]
		inc	eax
		cmp	eax, [ebp+var_B0]
		ja	short loc_755DC5
		mov	eax, [ebp+var_B0]

loc_755DC5:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+5E3j
		push	40h
		pop	ecx
		mul	ecx
		add	eax, 0Ch
		adc	edx, 0
		mov	[ebp+var_118], edx
		jnz	short loc_755DDD
		cmp	eax, 0FFFFFFFFh
		jbe	short loc_755DEC

loc_755DDD:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+5FCj
		xor	eax, eax
		mov	esi, 0C000009Ah
		jmp	short loc_755DEC
; 

loc_755DE6:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+5D4j
		mov	eax, [ebp+var_A4]

loc_755DEC:				; CODE XREF: PfpPrivSourceEnum(x,x,x)+601j
					; PfpPrivSourceEnum(x,x,x)+60Aj
		mov	ecx, [ebp+var_C0]
		mov	[ecx], eax
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PfpPrivSourceEnum@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExGetNextProcess proc near		; CODE XREF: PfpPrivSourceEnum(x,x,x)+193p
					; PfpPrivSourceEnum(x,x,x)+35Fp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D2255 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	bl, dl
		mov	esi, ecx

loc_755E18:				; CODE XREF: ExGetNextProcess+27j
					; ExGetNextProcess+17C46Dj
		mov	ecx, esi
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_755E3F
		test	dword ptr [esi+0FCh], 4000000h
		jz	short loc_755E18
		test	bl, bl
		jnz	loc_8D2255

loc_755E39:				; CODE XREF: ExGetNextProcess+17C47Dj
		mov	eax, esi

loc_755E3B:				; CODE XREF: ExGetNextProcess+39j
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_755E3F:				; CODE XREF: ExGetNextProcess+1Bj
		xor	eax, eax
		jmp	short loc_755E3B
ExGetNextProcess endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetNextProcess(x)
_PsGetNextProcess@4 proc near		; CODE XREF: MiEmptyAccessLogs:loc_556FEFp
					; PsEnumProcesses+12p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		xor	eax, eax
		mov	ecx, large fs:124h
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		mov	esi, eax
		dec	word ptr [ecx+13Eh]
		mov	[ebp+var_8], ecx
		nop
		xor	edx, edx
		mov	ecx, offset _PspActiveProcessLock
		call	ExAcquirePushLockSharedEx
		mov	edi, _PsActiveProcessHead
		test	ebx, ebx
		jz	short loc_755E85
		mov	edi, [ebx+0E8h]

loc_755E85:				; CODE XREF: PsGetNextProcess(x)+39j
					; PsGetNextProcess(x)+B0j
		cmp	edi, offset _PsActiveProcessHead
		jz	short loc_755EA9
		lea	eax, [edi-0E8h]
		mov	edx, 6E457350h
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	short loc_755EF2
		xor	esi, esi
		inc	esi

loc_755EA9:				; CODE XREF: PsGetNextProcess(x)+47j
		push	11h
		xor	edx, edx
		mov	edi, offset _PspActiveProcessLock
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_755EE9

loc_755EBC:				; CODE XREF: PsGetNextProcess(x)+ACj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	ebx, ebx
		jz	short loc_755EDB
		mov	edx, 6E457350h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_755EDB:				; CODE XREF: PsGetNextProcess(x)+89j
		neg	esi
		pop	edi
		sbb	esi, esi
		and	esi, [ebp+var_4]
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_755EE9:				; CODE XREF: PsGetNextProcess(x)+76j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_755EBC
; 

loc_755EF2:				; CODE XREF: PsGetNextProcess(x)+60j
		mov	edi, [edi]
		jmp	short loc_755E85
_PsGetNextProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpPrivSourceAdd proc near		; CODE XREF: PfpPrivSourceEnum(x,x,x)+27Dp
					; PfpPrivSourceEnum(x,x,x)+331p ...

ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6A0490
		call	__SEH_prolog4
		mov	esi, edx
		mov	ebx, ecx
		mov	ecx, [ebx+8]
		cmp	ecx, [ebx+0Ch]
		jnb	short loc_755F43
		xor	edx, edx
		mov	[ebp+ms_exc.disabled], edx
		shl	ecx, 6
		mov	edi, [ebx]
		add	edi, 0Ch
		add	edi, ecx
		push	10h
		pop	ecx
		rep movsd
		mov	eax, [ebx]
		inc	dword ptr [eax+8]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		inc	dword ptr [ebx+8]

loc_755F31:				; CODE XREF: PfpPrivSourceAdd+52j
					; sub_8D2298+Dj
		mov	eax, edx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_755F43:				; CODE XREF: PfpPrivSourceAdd+16j
		mov	edx, 0C0000023h
		jmp	short loc_755F31
PfpPrivSourceAdd endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessDeepFreezeStats(x, x)
_PsGetProcessDeepFreezeStats@8 proc near ; CODE	XREF: PsSetProcessTelemetryAppState+40p
					; PfpPrivSourceEnum(x,x,x)+48Fp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_C], eax
		nop
		lea	ebx, [esi+0E0h]
		xor	edx, edx
		mov	ecx, ebx
		mov	[ebp+var_8], ebx
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+400h]
		mov	ebx, 0FFDF03B0h
		mov	[edi+10h], eax
		mov	eax, [esi+404h]
		mov	[edi+14h], eax
		mov	eax, [esi+3C8h]
		mov	[edi+18h], eax
		mov	eax, [esi+3CCh]
		mov	[edi+1Ch], eax

loc_755FA5:				; CODE XREF: PsGetProcessDeepFreezeStats(x,x)+75j
					; PsGetProcessDeepFreezeStats(x,x)+79j
		mov	eax, [ebx]
		mov	esi, [ebx+4]
		mov	[ebp+var_4], eax
		call	KeQueryInterruptTime
		mov	[edi], eax
		mov	[edi+4], edx
		mov	eax, [ebx]
		mov	ecx, [ebx+4]
		cmp	[ebp+var_4], eax
		jnz	short loc_755FA5
		cmp	esi, ecx
		jnz	short loc_755FA5
		mov	ebx, [ebp+var_8]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	short loc_756012

loc_755FD6:				; CODE XREF: PsGetProcessDeepFreezeStats(x,x)+CFj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_C]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, [edi]
		sub	ecx, [ebp+var_4]
		mov	edx, [edi+4]
		mov	ebx, [edi+1Ch]
		sbb	edx, esi
		mov	esi, [edi+18h]
		mov	eax, esi
		or	eax, ebx
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		jnz	short loc_756006

loc_756001:				; CODE XREF: PsGetProcessDeepFreezeStats(x,x)+C6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_756006:				; CODE XREF: PsGetProcessDeepFreezeStats(x,x)+B5j
		sub	ecx, esi
		sbb	edx, ebx
		add	[edi+10h], ecx
		adc	[edi+14h], edx
		jmp	short loc_756001
; 

loc_756012:				; CODE XREF: PsGetProcessDeepFreezeStats(x,x)+8Aj
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_755FD6
_PsGetProcessDeepFreezeStats@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtProcessEnumSnapshotCallback(x,	x)
_PopEtProcessEnumSnapshotCallback@8 proc near
					; CODE XREF: PopEtProcessEnumSnapshotCallback(x,x)+DEp
					; DATA XREF: PopEtEnergyTrackerQuery(x,x,x)+CFo ...

var_1B8		= dword	ptr -1B8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1BCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1BCh+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		lea	eax, [esp+1C4h+var_1B8]
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		push	1B0h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[esi+4], ebx
		jz	loc_7560EB

loc_75605F:				; CODE XREF: PopEtProcessEnumSnapshotCallback(x,x)+D6j
					; PopEtProcessEnumSnapshotCallback(x,x)+E3j
		cmp	[edi+3E0h], ebx
		jz	short loc_7560D2
		lea	eax, [esp+1C8h+var_1B8]
		mov	[esi+8], edi
		mov	[esi+10h], eax
		mov	eax, large fs:124h
		mov	ecx, [edi+3E0h]
		add	ecx, 1B0h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lea	edx, [esp+1C8h+var_1B8]
		mov	ecx, edi
		cmp	edi, ds:_PsIdleProcess
		jz	short loc_756104
		call	_PsQueryProcessEnergyValues@8 ;	PsQueryProcessEnergyValues(x,x)

loc_7560A5:				; CODE XREF: PopEtProcessEnumSnapshotCallback(x,x)+EDj
		mov	ecx, esi
		call	PopEtProcessSnapshotUpdate
		mov	ecx, [edi+3E0h]
		add	ecx, 1B0h
		cmp	[ecx+4], ebx
		jz	short loc_7560C0
		mov	[ecx+4], ebx

loc_7560C0:				; CODE XREF: PopEtProcessEnumSnapshotCallback(x,x)+9Fj
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		inc	dword ptr [esi+4]
		mov	[esi+8], ebx

loc_7560D2:				; CODE XREF: PopEtProcessEnumSnapshotCallback(x,x)+49j
		mov	ecx, [esp+1C8h+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7560EB:				; CODE XREF: PopEtProcessEnumSnapshotCallback(x,x)+3Dj
		mov	eax, ds:_PsIdleProcess
		cmp	edi, eax
		jz	loc_75605F
		push	esi
		push	eax
		call	_PopEtProcessEnumSnapshotCallback@8 ; PopEtProcessEnumSnapshotCallback(x,x)
		jmp	loc_75605F
; 

loc_756104:				; CODE XREF: PopEtProcessEnumSnapshotCallback(x,x)+82j
		call	_PopEtIsrDpcQuery@8 ; PopEtIsrDpcQuery(x,x)
		jmp	short loc_7560A5
_PopEtProcessEnumSnapshotCallback@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEtProcessSnapshotUpdate proc	near	; CODE XREF: PopEtEnergyTrackerEnumSnapshotCallback(x,x)+11p
					; PopEtProcessEnumSnapshotCallback(x,x)+8Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D22AA SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+8]
		mov	eax, [eax+3E0h]
		mov	[ebp+var_C], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_8], eax
		lea	ebx, [eax+8]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	[ebx+4], eax
		call	_PopEtProcessSnapshotFind@4 ; PopEtProcessSnapshotFind(x)
		mov	edi, eax
		mov	[ebp+var_4], edi
		test	edi, edi
		jz	short loc_75619E

loc_75615E:				; CODE XREF: PopEtProcessSnapshotUpdate+C4j
		push	dword ptr [esi]
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		push	dword ptr [esi+10h]
		call	_PopEtEnergyTrackerUpdateAggregate@16 ;	PopEtEnergyTrackerUpdateAggregate(x,x,x,x)
		mov	eax, [esi]

loc_75616F:				; CODE XREF: PopEtProcessSnapshotUpdate+164j
		cmp	eax, 4
		jz	short loc_7561D2
		mov	edx, esi
		mov	ecx, edi
		call	_PopEtProcessSnapshotUpdateFromSnapshotContext@8 ; PopEtProcessSnapshotUpdateFromSnapshotContext(x,x)

loc_75617D:				; CODE XREF: PopEtProcessSnapshotUpdate+151j
		xor	eax, eax
		mov	edi, eax

loc_756181:				; CODE XREF: PopEtProcessSnapshotUpdate+17C1A0j
		cmp	[ebx+4], eax
		jz	short loc_756189
		mov	[ebx+4], eax

loc_756189:				; CODE XREF: PopEtProcessSnapshotUpdate+78j
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_75619E:				; CODE XREF: PopEtProcessSnapshotUpdate+50j
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	PopEtProcessSnapshotCreate
		mov	edi, eax
		test	edi, edi
		js	loc_8D22AA
		mov	eax, [esi]
		cmp	eax, 1
		jz	loc_75626D
		mov	ecx, [ebp+var_C]
		cmp	dword ptr [ecx+1C4h], 1
		ja	loc_75626D
		mov	edi, [ebp+var_4]
		jmp	short loc_75615E
; 

loc_7561D2:				; CODE XREF: PopEtProcessSnapshotUpdate+66j
		mov	eax, [ebp+var_8]
		or	edx, 0FFFFFFFFh
		mov	esi, [eax+2Ch]
		mov	ecx, esi
		and	ecx, 1Fh
		shr	esi, 5
		shl	edx, cl
		and	edx, [edi+4]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_C], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_C+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_C+3]
		imul	edx, ecx, 25h
		lea	ecx, [esi-1]
		mov	esi, 80000002h
		add	edx, eax
		and	ecx, edx
		mov	edx, [ebp+var_8]
		mov	eax, [edx+30h]
		lea	ecx, [eax+ecx*4]
		mov	eax, [edi]
		and	eax, esi
		cmp	eax, esi
		jnz	short loc_756262
		xor	esi, esi
		mov	eax, [esi]
		mov	edi, [ebp+var_4]

loc_75622F:				; CODE XREF: PopEtProcessSnapshotUpdate+12Fj
					; PopEtProcessSnapshotUpdate+158j
		mov	eax, [ecx]
		test	al, 1
		jnz	short loc_756266
		cmp	eax, edi
		jz	short loc_75623D
		mov	ecx, eax
		jmp	short loc_75622F
; 

loc_75623D:				; CODE XREF: PopEtProcessSnapshotUpdate+12Bj
		mov	eax, [edi]
		mov	[ecx], eax
		dec	dword ptr [edx+28h]
		or	dword ptr [edi], 80000002h

loc_75624A:				; CODE XREF: PopEtProcessSnapshotUpdate+15Fj
		lea	ecx, [edi+8]
		call	_PopEtAggregateKeyCleanup@4 ; PopEtAggregateKeyCleanup(x)
		push	54456F50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_75617D
; 

loc_756262:				; CODE XREF: PopEtProcessSnapshotUpdate+11Aj
		xor	esi, esi
		jmp	short loc_75622F
; 

loc_756266:				; CODE XREF: PopEtProcessSnapshotUpdate+127j
		mov	eax, [esi]
		mov	edi, [ebp+var_4]
		jmp	short loc_75624A
; 

loc_75626D:				; CODE XREF: PopEtProcessSnapshotUpdate+ABj
					; PopEtProcessSnapshotUpdate+BBj
		mov	edi, [ebp+var_4]
		jmp	loc_75616F
PopEtProcessSnapshotUpdate endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtProcessSnapshotFind(x)
_PopEtProcessSnapshotFind@4 proc near	; CODE XREF: PopEtProcessSnapshotUpdate+44p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ecx
		or	edx, 0FFFFFFFFh
		push	ebx
		push	esi
		mov	[ebp+var_14], eax
		mov	esi, [eax+0Ch]
		mov	eax, [eax+8]
		mov	[ebp+var_8], eax
		push	edi
		mov	eax, [esi+2Ch]
		xor	edi, edi
		mov	ecx, eax
		shr	eax, 5
		and	ecx, 1Fh
		mov	[ebp+var_C], eax
		shl	edx, cl
		mov	ecx, [ebp+var_8]
		mov	ebx, edx
		and	ebx, ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_4], ebx
		test	eax, eax
		jz	short loc_756309
		movzx	eax, bl
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		movzx	eax, bh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	edx, ecx, 25h
		mov	ecx, [ebp+var_C]
		add	edx, eax
		mov	eax, [esi+30h]
		dec	ecx
		and	ecx, edx
		mov	edx, [ebp+var_10]
		lea	ecx, [eax+ecx*4]

loc_7562E6:				; CODE XREF: PopEtProcessSnapshotFind(x)+81j
		mov	ecx, [ecx]
		test	ecx, 1
		jnz	short loc_756331
		mov	eax, [ecx+4]
		and	eax, edx
		cmp	ebx, eax
		jnz	short loc_7562E6

loc_7562F9:				; CODE XREF: PopEtProcessSnapshotFind(x)+BDj
		test	ecx, ecx
		jz	short loc_756306
		mov	edi, ecx

loc_7562FF:				; CODE XREF: PopEtProcessSnapshotFind(x)+9Aj
					; PopEtProcessSnapshotFind(x)+A2j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_756306:				; CODE XREF: PopEtProcessSnapshotFind(x)+85j
		mov	ecx, [ebp+var_8]

loc_756309:				; CODE XREF: PopEtProcessSnapshotFind(x)+3Dj
		test	byte ptr [esi+254h], 1
		jnz	short loc_7562FF
		mov	eax, [ebp+var_14]
		cmp	dword ptr [eax], 1
		jz	short loc_7562FF
		mov	ecx, [ecx+3E0h]
		cmp	dword ptr [ecx+1C4h], 1
		jbe	short loc_7562FF
		inc	dword ptr [esi+238h]
		jmp	short loc_7562FF
; 

loc_756331:				; CODE XREF: PopEtProcessSnapshotFind(x)+78j
		mov	ecx, edi
		jmp	short loc_7562F9
_PopEtProcessSnapshotFind@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtEnergyTrackerUpdateAggregate(x, x, x, x)
_PopEtEnergyTrackerUpdateAggregate@16 proc near	; CODE XREF: PopEtProcessSnapshotUpdate+5Cp

var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1C4h+var_4], eax
		and	[esp+1C4h+var_1C0], 0
		lea	eax, [esp+1C4h+var_1B8]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	1B0h		; size_t
		mov	esi, ecx
		mov	edi, edx
		push	0		; int
		push	eax		; void *
		mov	[esp+1DCh+var_1BC], esi
		call	_memset
		and	[esp+1DCh+var_1C4], 0
		lea	eax, [esp+1DCh+var_1C4]
		add	esp, 0Ch
		lea	ecx, [edi+20h]
		mov	edx, ebx
		push	eax
		lea	eax, [esp+1D4h+var_1B8]
		push	eax
		call	_PopEtEnergyValuesDeltaCalculate@16 ; PopEtEnergyValuesDeltaCalculate(x,x,x,x)
		cmp	[esp+1D0h+var_1C4], 0
		jnz	loc_756463
		lea	eax, [esp+1D0h+var_1C0]
		mov	ecx, esi
		push	eax
		lea	edx, [edi+8]
		call	PopEtAggregateGet
		mov	esi, [esp+1D0h+var_1C0]
		lea	edx, [esp+1D0h+var_1B8]
		lea	ecx, [esi+20h]
		call	PsAddProcessEnergyValues
		mov	eax, [edi+1D4h]
		test	eax, eax
		js	short loc_7563D7
		or	eax, 80000000h
		mov	[edi+1D4h], eax
		inc	dword ptr [esi+1DCh]

loc_7563D7:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+8Ej
		inc	dword ptr [esi+1D0h]
		mov	edx, 7FFFFFFFh
		mov	eax, [edi+1D4h]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, edx
		xor	ecx, eax
		mov	[edi+1D4h], ecx
		and	ecx, edx
		cmp	ecx, 1
		jz	loc_756492

loc_756402:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+162j
		cmp	[ebp+arg_4], 2
		jnz	short loc_75647A
		inc	dword ptr [esi+1D4h]

loc_75640E:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+14Ej
					; PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+156j ...
		test	[ebx+6Ch], edx
		jnz	loc_7564BC

loc_756417:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+18Dj
		test	[ebx+74h], edx
		jnz	loc_7564A5

loc_756420:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+176j
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		push	0
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	ebx, eax
		mov	eax, [esp+1D0h+var_1BC]
		mov	edx, ebx
		mov	ecx, ebx
		sub	edx, [edi+1D8h]
		sub	ecx, [eax+22Ch]
		cmp	edx, ecx
		ja	short loc_75648E

loc_75644F:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+15Aj
		add	[esi+1E8h], edx
		cmp	[esi+1E8h], ecx
		ja	short loc_75649D

loc_75645D:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+16Dj
		mov	[edi+1D8h], ebx

loc_756463:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+61j
		mov	ecx, [esp+1D0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_75647A:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+D0j
		cmp	[ebp+arg_4], 3
		jz	short loc_7564B1
		cmp	[ebp+arg_4], 4
		jnz	short loc_75640E
		inc	dword ptr [esi+1E4h]
		jmp	short loc_75640E
; 

loc_75648E:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+117j
		mov	edx, ecx
		jmp	short loc_75644F
; 

loc_756492:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+C6j
		inc	dword ptr [esi+1E0h]
		jmp	loc_756402
; 

loc_75649D:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+125j
		mov	[esi+1E8h], ecx
		jmp	short loc_75645D
; 

loc_7564A5:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+E4j
		or	dword ptr [esi+1ECh], 2
		jmp	loc_756420
; 

loc_7564B1:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+148j
		inc	dword ptr [esi+1D8h]
		jmp	loc_75640E
; 

loc_7564BC:				; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+DBj
		or	dword ptr [esi+1ECh], 1
		jmp	loc_756417
_PopEtEnergyTrackerUpdateAggregate@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtEnergyValuesDeltaCalculate(x, x, x, x)
_PopEtEnergyValuesDeltaCalculate@16 proc near
					; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+57p

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [edx+44h]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [edx+40h]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_C], edi
		sub	esi, [edi+40h]
		sbb	eax, [edi+44h]
		mov	[ebx+44h], eax
		mov	[ebx+40h], esi
		lea	esi, [edi+68h]
		mov	ecx, [edx+48h]
		sub	ecx, [edi+48h]
		mov	eax, [edx+4Ch]
		sbb	eax, [edi+4Ch]
		mov	[ebx+48h], ecx
		mov	[ebx+4Ch], eax
		mov	ecx, [edx+50h]
		sub	ecx, [edi+50h]
		mov	eax, [edx+54h]
		sbb	eax, [edi+54h]
		mov	[ebx+50h], ecx
		mov	[ebx+54h], eax
		mov	ecx, [edx+58h]
		sub	ecx, [edi+58h]
		mov	eax, [edx+5Ch]
		sbb	eax, [edi+5Ch]
		mov	[ebx+58h], ecx
		mov	[ebx+5Ch], eax
		mov	ecx, [edx+60h]
		sub	ecx, [edi+60h]
		mov	eax, [edx+64h]
		sbb	eax, [edi+64h]
		mov	[ebx+64h], eax
		mov	eax, edx
		mov	[ebx+60h], ecx
		sub	eax, edi
		mov	ecx, ebx
		mov	[ebp+var_14], eax
		sub	ecx, edi
		mov	ebx, eax
		mov	[ebp+var_10], ecx
		mov	edi, 3

loc_756558:				; CODE XREF: PopEtEnergyValuesDeltaCalculate(x,x,x,x)+9Ej
		lea	eax, [ebx+esi]
		add	ecx, esi
		push	eax
		mov	edx, esi
		call	_RtlStateDurationDelta@12 ; RtlStateDurationDelta(x,x,x)
		mov	ecx, [ebp+var_10]
		add	esi, 8
		sub	edi, 1
		jnz	short loc_756558
		mov	esi, [ebp+var_C]
		mov	edi, 5
		mov	ebx, [ebp+arg_0]
		add	esi, 180h

loc_756581:				; CODE XREF: PopEtEnergyValuesDeltaCalculate(x,x,x,x)+CAj
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		mov	eax, [ebp+var_14]
		add	eax, esi
		push	eax
		lea	ecx, [esi+ecx]
		call	_RtlStateDurationDelta@12 ; RtlStateDurationDelta(x,x,x)
		add	esi, 8
		sub	edi, 1
		jnz	short loc_756581
		mov	ecx, [ebp+var_18]
		lea	edi, [ebx+110h]
		mov	edx, [ebp+var_C]
		mov	[ebp+var_10], edx
		mov	[ebp+var_14], ebx
		mov	eax, [ecx+80h]
		lea	esi, [ecx+110h]
		sub	eax, [edx+80h]
		mov	[ebx+80h], eax
		mov	eax, [ecx+84h]
		sub	eax, [edx+84h]
		mov	[ebx+84h], eax
		mov	eax, [ecx+88h]
		sub	eax, [edx+88h]
		mov	[ebx+88h], eax
		mov	eax, [ecx+1A8h]
		sub	eax, [edx+1A8h]
		mov	[ebx+1A8h], eax
		mov	eax, [ecx+1ACh]
		mov	ecx, 1Ch
		sub	eax, [edx+1ACh]
		mov	[ebx+1ACh], eax
		xor	eax, eax
		mov	[ebp+var_8], eax
		lea	eax, [ebx+0D0h]
		rep movsd
		mov	[ebp+var_1C], eax
		lea	ecx, [edx+98h]
		mov	eax, [ebp+var_18]
		xor	edi, edi
		sub	[ebp+var_10], eax
		sub	[ebp+var_14], eax
		sub	edx, ebx
		mov	ebx, [ebp+var_1C]
		mov	[ebp+var_4], ecx
		lea	esi, [eax+90h]
		mov	[ebp+var_C], edx
		mov	[ebp+var_18], 4
		lea	esp, [esp+0]

loc_756650:				; CODE XREF: PopEtEnergyValuesDeltaCalculate(x,x,x,x)+24Ej
		mov	eax, [esi-90h]
		sub	eax, [ecx-98h]
		mov	ecx, [esi-8Ch]
		mov	edx, [ebp+var_4]
		sbb	ecx, [edx-94h]
		add	edi, eax
		mov	edx, [ebp+var_10]
		adc	[ebp+var_8], ecx
		mov	[ebx-0CCh], ecx
		mov	[ebx-0D0h], eax
		mov	eax, [esi]
		sub	eax, [edx+esi]
		mov	ecx, [esi+4]
		sbb	ecx, [edx+esi+4]
		add	edi, eax
		mov	edx, [ebp+var_14]
		lea	esi, [esi+10h]
		adc	[ebp+var_8], ecx
		mov	[edx+esi-0Ch], ecx
		mov	[edx+esi-10h], eax
		mov	ecx, [esi+30h]
		mov	eax, [esi+34h]
		mov	edx, [ebp+var_C]
		sub	ecx, [edx+ebx]
		sbb	eax, [edx+ebx+4]
		lea	ebx, [ebx+10h]
		mov	edx, [ebp+var_4]
		mov	[ebx-10h], ecx
		mov	ecx, [ebp+var_4]
		mov	[ebx-0Ch], eax
		mov	eax, [esi-98h]
		sub	eax, [ecx-90h]
		mov	ecx, [esi-94h]
		sbb	ecx, [edx-8Ch]
		add	edi, eax
		mov	[ebx-0D4h], ecx
		adc	[ebp+var_8], ecx
		mov	ecx, edx
		mov	[ebx-0D8h], eax
		mov	eax, [esi-8]
		sub	eax, [ecx]
		mov	ecx, [esi-4]
		sbb	ecx, [edx+4]
		add	edi, eax
		mov	[ebx-48h], eax
		mov	eax, edx
		adc	[ebp+var_8], ecx
		mov	[ebx-44h], ecx
		mov	ecx, [esi+38h]
		sub	ecx, [eax+40h]
		mov	eax, [esi+3Ch]
		sbb	eax, [edx+44h]
		mov	[ebx-8], ecx
		mov	ecx, edx
		add	ecx, 10h
		mov	[ebx-4], eax
		sub	[ebp+var_18], 1
		mov	[ebp+var_4], ecx
		jnz	loc_756650
		or	edi, [ebp+var_8]
		mov	ebx, [ebp+arg_0]
		jz	short loc_75673E

loc_75672C:				; CODE XREF: PopEtEnergyValuesDeltaCalculate(x,x,x,x)+274j
					; PopEtEnergyValuesDeltaCalculate(x,x,x,x)+27Cj ...
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	dword ptr [eax], 0
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_75673E:				; CODE XREF: PopEtEnergyValuesDeltaCalculate(x,x,x,x)+25Aj
		mov	eax, [ebx+40h]
		or	eax, [ebx+44h]
		jnz	short loc_75672C
		mov	eax, [ebx+48h]
		or	eax, [ebx+4Ch]
		jnz	short loc_75672C
		mov	eax, [ebx+50h]
		or	eax, [ebx+54h]
		jnz	short loc_75672C
		test	dword ptr [ebx+6Ch], 7FFFFFFFh
		jnz	short loc_75672C
		test	dword ptr [ebx+74h], 7FFFFFFFh
		jnz	short loc_75672C
		test	dword ptr [ebx+7Ch], 7FFFFFFFh
		jnz	short loc_75672C
		test	dword ptr [ebx+184h], 7FFFFFFFh
		jnz	short loc_75672C
		test	dword ptr [ebx+18Ch], 7FFFFFFFh
		jnz	short loc_75672C
		test	dword ptr [ebx+194h], 7FFFFFFFh
		jnz	short loc_75672C
		test	dword ptr [ebx+19Ch], 7FFFFFFFh
		jnz	short loc_75672C
		test	dword ptr [ebx+1A4h], 7FFFFFFFh
		jnz	loc_75672C
		cmp	[ebx+80h], eax
		jnz	loc_75672C
		cmp	[ebx+84h], eax
		jnz	loc_75672C
		cmp	[ebx+88h], eax
		jnz	loc_75672C
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	dword ptr [eax], 1
		mov	esp, ebp
		pop	ebp
		retn	8
_PopEtEnergyValuesDeltaCalculate@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtProcessSnapshotUpdateFromSnapshotContext(x, x)
_PopEtProcessSnapshotUpdateFromSnapshotContext@8 proc near
					; CODE XREF: PopEtProcessSnapshotUpdate+6Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edi
		mov	eax, [esi+8]
		lea	ecx, [edi+0Ch]
		mov	ebx, [eax+3E0h]
		mov	eax, [esi+0Ch]
		mov	[ebp+var_8], eax
		mov	edx, [ebx+1BCh]
		call	_PopEtStringSet@8 ; PopEtStringSet(x,x)
		mov	esi, [esi+10h]
		add	edi, 20h
		mov	edx, [ebp+var_4]
		push	6Ch
		pop	ecx
		rep movsd
		mov	eax, [ebx+1C4h]
		mov	ecx, [ebp+var_8]
		mov	[edx+1D0h], eax
		mov	ax, [ebx+1C0h]
		pop	edi
		and	ax, [ecx+14h]
		pop	esi
		mov	[edx+1Ch], ax
		pop	ebx
		leave
		retn
_PopEtProcessSnapshotUpdateFromSnapshotContext@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopEtStringSet(x, x)
_PopEtStringSet@8 proc near		; CODE XREF: PopEtEnergyContextSetState(x,x)+7Fp
					; PopEtProcessSnapshotCreate+5Dp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	edx, [edi]
		test	edx, edx
		jnz	short loc_75687D

loc_756856:				; CODE XREF: PopEtStringSet(x,x)+43j
		mov	[edi], esi
		test	esi, esi
		jnz	short loc_75685F

loc_75685C:				; CODE XREF: PopEtStringSet(x,x)+2Ej
					; PopEtStringSet(x,x):loc_75688Dj ...
		pop	edi
		pop	esi
		retn
; 

loc_75685F:				; CODE XREF: PopEtStringSet(x,x)+12j
		add	esi, 8
		mov	edx, [esi]
		lea	ecx, [edx+1]

loc_756867:				; CODE XREF: PopEtStringSet(x,x)+33j
		cmp	ecx, 1
		jbe	short loc_75688D
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	ecx, eax
		cmp	ecx, edx
		jz	short loc_75685C
		mov	edx, ecx
		inc	ecx
		jmp	short loc_756867
; 

loc_75687D:				; CODE XREF: PopEtStringSet(x,x)+Cj
		mov	ecx, _PopEtGlobals
		lea	ecx, [ecx+20h]
		call	RtlInternEntryDereference
		jmp	short loc_756856
; 

loc_75688D:				; CODE XREF: PopEtStringSet(x,x)+22j
		jz	short loc_75685C
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_75685C
_PopEtStringSet@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEtAggregateGet proc near		; CODE XREF: PopEtEnergyTrackerUpdateAggregate(x,x,x,x)+71p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D22B1 SIZE 000000A8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		mov	esi, ecx
		mov	eax, edx
		push	edi
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_10], eax
		push	ecx
		xor	edi, edi
		mov	[ebp+var_14], esi
		mov	ecx, esi
		mov	[ebp+var_8], edi
		call	_PopEtAggregateFind@12 ; PopEtAggregateFind(x,x,x)
		test	eax, eax
		jnz	loc_756991
		push	ebx
		lea	ebx, [esi+1Ch]
		mov	eax, [ebx]
		mov	[ebp+var_20], ebx
		cmp	eax, [esi+10h]
		jnb	loc_8D22B1
		push	54456F50h
		push	1F0h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_8D22E1
		push	1F0h		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	esi, [ebp+var_C]
		add	esp, 0Ch
		mov	edx, [ebp+var_10]
		lea	ecx, [esi+8]
		call	_PopEtAggregateKeyCopy@8 ; PopEtAggregateKeyCopy(x,x)
		mov	eax, [ebp+var_8]
		mov	[esi+4], eax
		mov	[ebp+var_8], edi
		mov	edi, [ebx+4]
		mov	eax, edi
		shr	eax, 5
		lea	ecx, [eax+eax]
		cmp	[ebx], ecx
		jnb	short loc_756998

loc_756925:				; CODE XREF: PopEtAggregateGet+113j
					; PopEtAggregateGet+204j ...
		mov	esi, edi
		or	edx, 0FFFFFFFFh
		and	edi, 1Fh
		shr	esi, 5
		mov	ecx, edi
		mov	edi, [ebp+var_C]
		shl	edx, cl
		and	edx, [edi+4]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_10], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		lea	edx, [esi-1]
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_10+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_10+3]
		imul	ecx, 25h
		add	ecx, eax
		and	edx, ecx
		mov	ecx, [ebx+8]
		mov	eax, [ecx+edx*4]
		mov	[edi], eax
		mov	eax, [ebp+arg_0]
		mov	[ecx+edx*4], edi
		inc	dword ptr [ebx]
		xor	esi, esi
		mov	[eax], edi
		mov	edi, esi

loc_75697A:				; CODE XREF: PopEtAggregateGet+17BA2Bj
		test	edi, edi
		jnz	loc_8D22C6

loc_756982:				; CODE XREF: PopEtAggregateGet+17BA43j
		test	esi, esi
		js	loc_8D22DE

loc_75698A:				; CODE XREF: PopEtAggregateGet+17BA61j
					; PopEtAggregateGet+17BABEj
		pop	ebx

loc_75698B:				; CODE XREF: PopEtAggregateGet+100j
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_756991:				; CODE XREF: PopEtAggregateGet+26j
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		jmp	short loc_75698B
; 

loc_756998:				; CODE XREF: PopEtAggregateGet+8Dj
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_756925
		mov	esi, [ebp+var_8]
		cmp	esi, 4
		jnb	short loc_7569BA
		push	4
		pop	esi

loc_7569BA:				; CODE XREF: PopEtAggregateGet+11Fj
		xor	edi, edi
		mov	eax, esi
		push	edi
		shl	eax, 2
		push	eax
		call	_PopEtBucketsAllocate@8	; PopEtBucketsAllocate(x,x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	loc_756A94
		lea	ecx, [esi-1]
		test	ecx, esi
		jz	short loc_7569ED
		or	ecx, 0FFFFFFFFh
		test	esi, esi
		jz	short loc_7569E8

loc_7569E3:				; CODE XREF: PopEtAggregateGet+150j
		inc	ecx
		shr	esi, 1
		jnz	short loc_7569E3

loc_7569E8:				; CODE XREF: PopEtAggregateGet+14Bj
		xor	esi, esi
		inc	esi
		shl	esi, cl

loc_7569ED:				; CODE XREF: PopEtAggregateGet+144j
		mov	eax, 4000000h
		cmp	esi, eax
		jbe	short loc_7569F8
		mov	esi, eax

loc_7569F8:				; CODE XREF: PopEtAggregateGet+15Ej
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		mov	[ebp+var_10], edx
		or	eax, 1
		mov	edx, esi
		mov	[ebp+var_8], edi
		shl	edx, 2
		add	ecx, edx
		shr	edx, 2
		cmp	ecx, [ebp+var_4]
		sbb	ecx, ecx
		not	ecx
		and	ecx, edx
		ja	loc_756AE5

loc_756A1F:				; CODE XREF: PopEtAggregateGet+25Fj
		mov	eax, [ebx+4]
		or	edx, 0FFFFFFFFh
		mov	ecx, eax
		and	ecx, 1Fh
		shl	edx, cl
		mov	[ebp+var_18], edx
		test	eax, 0FFFFFFE0h
		jbe	short loc_756AB3

loc_756A36:				; CODE XREF: PopEtAggregateGet+21Bj
		mov	edx, [ebx+8]
		mov	[ebp+var_1C], edx

loc_756A3C:				; CODE XREF: PopEtAggregateGet+1FCj
		mov	ecx, [edx+edi*4]
		mov	[ebp+var_10], ecx
		test	ecx, 1
		jnz	short loc_756AA5
		mov	eax, [ecx]
		mov	[edx+edi*4], eax
		mov	edx, [ecx+4]
		and	edx, [ebp+var_18]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	ebx, [ebp+var_10]
		imul	ecx, eax, 25h
		movzx	eax, dh
		mov	[ebp+var_8], edx
		lea	edx, [esi-1]
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+3]
		imul	ecx, 25h
		add	ecx, eax
		and	edx, ecx
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+edx*4]
		mov	[ebx], eax
		mov	eax, ebx
		mov	[ecx+edx*4], eax
		mov	edx, [ebp+var_1C]
		jmp	short loc_756A3C
; 

loc_756A94:				; CODE XREF: PopEtAggregateGet+139j
		mov	edi, [ebx+4]
		cmp	edi, 20h
		jnb	loc_756925
		jmp	loc_8D22B9
; 

loc_756AA5:				; CODE XREF: PopEtAggregateGet+1B2j
		mov	ebx, [ebp+var_20]
		inc	edi
		mov	eax, [ebx+4]
		shr	eax, 5
		cmp	edi, eax
		jb	short loc_756A36

loc_756AB3:				; CODE XREF: PopEtAggregateGet+19Ej
		mov	edi, [ebx+4]
		mov	ecx, [ebx+8]
		and	edi, 1Fh
		mov	eax, [ebp+var_4]
		shl	esi, 5
		or	edi, esi
		mov	[ebx+8], eax
		mov	[ebx+4], edi
		test	ecx, ecx
		jz	loc_756925
		push	0
		push	ecx
		call	_PopEtBucketsFree@8 ; PopEtBucketsFree(x,x)
		mov	edi, [ebp+var_14]
		mov	edi, [edi+20h]
		jmp	loc_756925
; 

loc_756AE5:				; CODE XREF: PopEtAggregateGet+183j
		mov	edx, [ebp+var_10]

loc_756AE8:				; CODE XREF: PopEtAggregateGet+25Dj
		inc	[ebp+var_8]
		mov	[edx], eax
		lea	edx, [edx+4]
		cmp	[ebp+var_8], ecx
		jb	short loc_756AE8
		jmp	loc_756A1F
PopEtAggregateGet endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtAggregateFind(x, x, x)
_PopEtAggregateFind@12 proc near	; CODE XREF: PopEtAggregateGet+1Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		mov	[ebp+var_4], ecx
		push	3
		mov	[ebp+var_8], eax
		mov	esi, eax
		mov	ebx, 4CB2Fh
		pop	edi

loc_756B17:				; CODE XREF: PopEtAggregateFind(x,x,x)+70j
		movzx	eax, byte ptr [esi+1]
		imul	edx, eax, 25h
		movzx	eax, byte ptr [esi+2]
		add	edx, eax
		movzx	eax, byte ptr [esi+3]
		imul	ecx, edx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [esi+4]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [esi+5]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [esi+6]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [esi]
		imul	ecx, 25h
		lea	esi, [esi+8]
		imul	eax, 1A617D0Dh
		add	ecx, eax
		imul	eax, ebx, 2FE8ED1Fh
		movzx	ebx, byte ptr [esi-1]
		sub	ecx, eax
		add	ebx, ecx
		sub	edi, 1
		jnz	short loc_756B17
		mov	eax, [ebp+arg_0]
		or	edi, 0FFFFFFFFh
		xor	esi, esi
		mov	[eax], ebx
		mov	eax, [ebp+var_4]
		mov	eax, [eax+20h]
		mov	ecx, eax
		and	ecx, 1Fh
		mov	[ebp+var_C], eax
		shl	edi, cl
		and	ebx, edi
		mov	[ebp+arg_0], ebx

loc_756B8B:				; CODE XREF: PopEtAggregateFind(x,x,x)+108j
		test	esi, esi
		jnz	short loc_756BC8
		mov	edx, eax
		shr	edx, 5
		test	edx, edx
		jz	short loc_756BE3
		movzx	eax, bl
		imul	ecx, eax, 25h
		movzx	eax, bh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+arg_0+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+arg_0+3]
		imul	ecx, 25h
		add	eax, 164B2F3Fh
		add	eax, ecx
		lea	ecx, [edx-1]
		and	ecx, eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+24h]
		lea	esi, [eax+ecx*4]

loc_756BC8:				; CODE XREF: PopEtAggregateFind(x,x,x)+93j
					; PopEtAggregateFind(x,x,x)+E1j
		mov	esi, [esi]
		test	esi, 1
		jnz	short loc_756BDD
		mov	eax, [esi+4]
		and	eax, edi
		cmp	ebx, eax
		jz	short loc_756BDF
		jmp	short loc_756BC8
; 

loc_756BDD:				; CODE XREF: PopEtAggregateFind(x,x,x)+D6j
		xor	esi, esi

loc_756BDF:				; CODE XREF: PopEtAggregateFind(x,x,x)+DFj
		test	esi, esi
		jnz	short loc_756BEC

loc_756BE3:				; CODE XREF: PopEtAggregateFind(x,x,x)+9Cj
		xor	eax, eax

loc_756BE5:				; CODE XREF: PopEtAggregateFind(x,x,x)+10Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_756BEC:				; CODE XREF: PopEtAggregateFind(x,x,x)+E7j
		push	18h		; size_t
		push	[ebp+var_8]	; void *
		lea	ecx, [esi+8]
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		mov	eax, [ebp+var_C]
		jnz	short loc_756B8B
		mov	eax, esi
		jmp	short loc_756BE5
_PopEtAggregateFind@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspQueryJobHierarchyAccountingInformation proc near ; CODE XREF: PAGE:0075744Bp
					; PAGE:007576A9p

var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1B8		= dword	ptr -1B8h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D2359 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2C4h+var_4], eax
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+2D0h+var_2C0], eax
		push	2B0h		; size_t
		lea	eax, [esp+2D4h+var_2B8]
		mov	[esp+2D4h+var_2C4], edi
		push	edi		; int
		push	eax		; void *
		mov	esi, edx
		mov	ebx, ecx
		call	_memset
		mov	edx, [esp+2DCh+var_2C0]
		lea	eax, [esp+2DCh+var_2C4]
		add	esp, 0Ch
		mov	ecx, ebx
		push	eax
		call	PspLockRootJobShared
		mov	eax, edi

loc_756C60:				; CODE XREF: PspQueryJobHierarchyAccountingInformation+62j
		cmp	ebx, [esp+eax*4+2D0h+var_2C4]
		jz	short loc_756C77
		inc	eax
		cmp	eax, 1
		jb	short loc_756C60
		push	1
		lea	eax, [ebx+20h]
		push	eax
		call	ExAcquireResourceSharedLite

loc_756C77:				; CODE XREF: PspQueryJobHierarchyAccountingInformation+5Cj
		push	1
		lea	eax, [esp+2D4h+var_2B8]
		xor	edx, edx
		push	eax
		push	offset _PspQueryProcessAccountingInformationCallback@8 ; PspQueryProcessAccountingInformationCallback(x,x)
		push	edi
		mov	ecx, ebx
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	ecx, [ebx+58h]
		mov	eax, [ebx+5Ch]
		add	ecx, [esp+2D0h+var_248]
		mov	[esi], ecx
		adc	eax, [esp+2D0h+var_244]
		mov	[esi+4], eax
		mov	ecx, [ebx+70h]
		mov	eax, [ebx+74h]
		add	ecx, [esp+2D0h+var_248]
		mov	[esi+10h], ecx
		adc	eax, [esp+2D0h+var_244]
		mov	[esi+14h], eax
		mov	ecx, [ebx+60h]
		mov	eax, [ebx+64h]
		add	ecx, [esp+2D0h+var_250]
		mov	[esi+8], ecx
		adc	eax, [esp+2D0h+var_24C]
		mov	[esi+0Ch], eax
		mov	ecx, [ebx+78h]
		mov	eax, [ebx+7Ch]
		add	ecx, [esp+2D0h+var_250]
		mov	[esi+18h], ecx
		adc	eax, [esp+2D0h+var_24C]
		mov	[esi+1Ch], eax
		mov	eax, [ebx+88h]
		add	eax, [esp+2D0h+var_1C0]
		mov	[esi+20h], eax
		mov	eax, [ebx+8Ch]
		mov	[esi+24h], eax
		mov	eax, [ebx+90h]
		mov	[esi+28h], eax
		mov	eax, [ebx+94h]
		mov	[esi+2Ch], eax
		mov	ecx, [ebx+0F0h]
		add	ecx, [esp+2D0h+var_228]
		mov	eax, [ebx+0F4h]
		adc	eax, [esp+2D0h+var_224]
		mov	[esi+30h], ecx
		mov	[esi+34h], eax
		mov	ecx, [ebx+0F8h]
		add	ecx, [esp+2D0h+var_220]
		mov	eax, [ebx+0FCh]
		adc	eax, [esp+2D0h+var_21C]
		mov	[esi+38h], ecx
		mov	[esi+3Ch], eax
		mov	ecx, [ebx+100h]
		add	ecx, [esp+2D0h+var_218]
		mov	eax, [ebx+104h]
		adc	eax, [esp+2D0h+var_214]
		mov	[esi+40h], ecx
		mov	[esi+44h], eax
		mov	ecx, [ebx+108h]
		add	ecx, [esp+2D0h+var_210]
		mov	eax, [ebx+10Ch]
		adc	eax, [esp+2D0h+var_20C]
		mov	[esi+48h], ecx
		mov	[esi+4Ch], eax
		mov	ecx, [ebx+110h]
		add	ecx, [esp+2D0h+var_208]
		mov	eax, [ebx+114h]
		adc	eax, [esp+2D0h+var_204]
		mov	[esi+50h], ecx
		mov	[esi+54h], eax
		mov	ecx, [ebx+118h]
		add	ecx, [esp+2D0h+var_200]
		mov	eax, [ebx+11Ch]
		adc	eax, [esp+2D0h+var_1FC]
		mov	[esi+58h], ecx
		mov	[esi+5Ch], eax
		mov	ecx, [ebx+120h]
		add	ecx, [esp+2D0h+var_1E8]
		mov	eax, [ebx+124h]
		adc	eax, [esp+2D0h+var_1E4]
		mov	[esi+60h], ecx
		mov	[esi+64h], eax
		mov	ecx, [ebx+128h]
		add	ecx, [esp+2D0h+var_1E0]
		mov	eax, [ebx+12Ch]
		adc	eax, [esp+2D0h+var_1DC]
		mov	[esi+68h], ecx
		mov	[esi+6Ch], eax
		mov	ecx, [ebx+130h]
		add	ecx, [esp+2D0h+var_1D8]
		mov	eax, [ebx+134h]
		adc	eax, [esp+2D0h+var_1D4]
		mov	[esi+70h], ecx
		mov	[esi+74h], eax
		mov	ecx, [ebx+138h]
		add	ecx, [esp+2D0h+var_1D0]
		mov	eax, [ebx+13Ch]
		adc	eax, [esp+2D0h+var_1CC]
		mov	[esi+78h], ecx
		mov	[esi+7Ch], eax
		mov	ecx, [ebx+140h]
		add	ecx, [esp+2D0h+var_1C8]
		mov	eax, [ebx+144h]
		adc	eax, [esp+2D0h+var_1C4]
		mov	[esi+80h], ecx
		mov	[esi+84h], eax
		mov	ecx, [ebx+80h]
		add	ecx, [esp+2D0h+var_230]
		mov	eax, [ebx+84h]
		adc	eax, [esp+2D0h+var_22C]
		mov	[esi+88h], ecx
		mov	[esi+8Ch], eax
		mov	ecx, [ebx+68h]
		add	ecx, [esp+2D0h+var_238]
		mov	eax, [ebx+6Ch]
		adc	eax, [esp+2D0h+var_234]
		mov	[esi+90h], ecx
		mov	[esi+94h], eax
		mov	ecx, [ebx+228h]
		add	ecx, [esp+2D0h+var_240]
		mov	eax, [ebx+22Ch]
		adc	eax, [esp+2D0h+var_23C]
		mov	[esi+98h], ecx
		mov	[esi+9Ch], eax
		mov	ecx, [ebx+3B0h]
		add	ecx, [esp+2D0h+var_1F8]
		mov	eax, [ebx+3B4h]
		adc	eax, [esp+2D0h+var_1F4]
		mov	[esi+1B0h], ecx
		mov	[esi+1B4h], eax
		mov	ecx, [ebx+3B8h]
		add	ecx, [esp+2D0h+var_1F0]
		mov	eax, [ebx+3BCh]
		adc	eax, [esp+2D0h+var_1EC]
		mov	[esi+1B8h], ecx
		mov	[esi+1BCh], eax
		mov	ecx, [ebx+21Ch]
		test	ecx, ecx
		jnz	short loc_756FB3

loc_756F47:				; CODE XREF: PspQueryJobHierarchyAccountingInformation+3BFj
		mov	edx, [ebx+318h]
		lea	eax, [esi+0A0h]
		mov	[esp+2D0h+var_2BC], eax
		test	edx, edx
		jz	loc_8D2359
		lea	ecx, [esp+2D0h+var_1B8]
		call	PsAddProcessEnergyValues
		mov	edi, [esp+2D0h+var_2BC]
		lea	esi, [esp+2D0h+var_1B8]
		push	44h
		pop	ecx
		rep movsd
		xor	edi, edi

loc_756F7D:				; CODE XREF: PspQueryJobHierarchyAccountingInformation+37Fj
					; PspQueryJobHierarchyAccountingInformation+17B760j
		cmp	ebx, [esp+edi*4+2D0h+var_2C4]
		jz	short loc_756F91
		inc	edi
		cmp	edi, 1
		jb	short loc_756F7D
		lea	ecx, [ebx+20h]
		call	ExReleaseResourceLite

loc_756F91:				; CODE XREF: PspQueryJobHierarchyAccountingInformation+379j
		mov	edx, [esp+2D0h+var_2C0]
		mov	ecx, [esp+2D0h+var_2C4]
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		mov	ecx, [esp+2D0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_756FB3:				; CODE XREF: PspQueryJobHierarchyAccountingInformation+33Dj
		add	ecx, 40h
		call	_KeQuerySchedulingGroupReadyTime@4 ; KeQuerySchedulingGroupReadyTime(x)
		add	[esi+98h], eax
		adc	[esi+9Ch], edx
		jmp	loc_756F47
PspQueryJobHierarchyAccountingInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspLockRootJobFromProcess proc near	; CODE XREF: PspSendProcessNotificationToJobChain(x,x,x,x)+26p
					; PspRemoveProcessFromJobChain+7Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D236D SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx

loc_756FD9:				; CODE XREF: PspLockRootJobFromProcess+17B3ADj
		mov	eax, [esi+158h]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+248h]
		mov	[ebp+var_8], eax
		mov	ecx, [ebp+var_8]
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		mov	eax, [ebp+var_4]
		cmp	eax, [esi+158h]
		jnz	loc_8D236D
		mov	eax, [ebp+var_4]
		mov	eax, [eax+248h]
		cmp	[ebp+var_8], eax
		jnz	loc_8D236D
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_8]
		mov	[eax], ecx
		leave
		retn	8
PspLockRootJobFromProcess endp

; 
		align 2

NtQueryInformationJobObject:		; DATA XREF: .text:00580E70o
		push	608h
		push	offset dword_6A04B0
		call	__SEH_prolog4_GS
		mov	eax, [ebp+14h]
		mov	[ebp-54Ch], eax
		mov	eax, [ebp+8]
		mov	[ebp-574h], eax
		mov	eax, [ebp+0Ch]
		mov	[ebp-578h], eax
		mov	eax, [ebp+10h]
		mov	[ebp-55Ch], eax
		mov	eax, [ebp+18h]
		mov	[ebp-57Ch], eax
		push	1C0h
		xor	ebx, ebx
		push	ebx
		lea	eax, [ebp-540h]
		push	eax
		call	_memset
		xor	eax, eax
		lea	edi, [ebp-34h]
		stosd
		stosd
		stosd
		mov	[ebp-541h], bl
		mov	[ebp-551h], bl
		mov	[ebp-5A8h], ebx
		mov	[ebp-5B8h], ebx
		mov	[ebp-5B4h], ebx
		mov	[ebp-59Ch], ebx
		push	9
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp-1E8h]
		rep stosd
		lea	edi, [ebp-14Ch]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp-5C8h], ebx
		mov	[ebp-5C4h], ebx
		mov	[ebp-5A4h], ebx
		mov	[ebp-5B0h], ebx
		mov	[ebp-5ACh], ebx
		push	78h
		push	ebx
		lea	eax, [ebp-1C4h]
		push	eax
		call	_memset
		xor	eax, eax
		lea	edi, [ebp-0BCh]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp-5A0h], ebx
		push	48h
		push	ebx
		lea	eax, [ebp-2D8h]
		push	eax
		call	_memset
		mov	[ebp-558h], ebx
		mov	[ebp-5D8h], ebx
		push	68h
		push	ebx
		lea	eax, [ebp-9Ch]
		push	eax
		call	_memset
		push	50h
		push	ebx
		lea	eax, [ebp-328h]
		push	eax
		call	_memset
		push	58h
		push	ebx
		lea	eax, [ebp-380h]
		push	eax
		call	_memset
		add	esp, 48h
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp-0F4h]
		rep stosd
		lea	edi, [ebp-0ACh]
		stosd
		stosd
		stosd
		stosd
		push	48h
		push	ebx
		lea	eax, [ebp-13Ch]
		push	eax
		call	_memset
		push	30h
		push	ebx
		lea	eax, [ebp-218h]
		push	eax
		call	_memset
		push	38h
		push	ebx
		lea	eax, [ebp-250h]
		push	eax
		call	_memset
		mov	[ebp-588h], ebx
		mov	[ebp-598h], ebx
		mov	[ebp-594h], ebx
		mov	[ebp-5C0h], ebx
		mov	[ebp-5BCh], ebx
		push	40h
		push	ebx
		lea	eax, [ebp-290h]
		push	eax
		call	_memset
		add	esp, 30h
		xor	eax, eax
		lea	edi, [ebp-0CCh]
		stosd
		stosd
		stosd
		stosd
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp-600h]
		rep stosd
		mov	[ebp-58Ch], ebx
		mov	[ebp-562h], bl
		mov	[ebp-552h], bl
		mov	edx, [ebp-578h]
		lea	eax, [edx-1]
		mov	[ebp-570h], eax
		cmp	eax, 2Eh
		ja	loc_8D2C39
		cmp	edx, 14h
		jg	loc_757404
		jz	loc_757A75
		mov	eax, edx
		sub	eax, 9
		jz	short loc_757262
		sub	eax, 3
		jz	loc_757A23
		sub	eax, 1
		jz	loc_757A0C
		sub	eax, 6
		jz	loc_75745F

loc_757233:				; CODE XREF: PAGE:00757418j
		mov	eax, ds:dword_A40604[edx*4]
		mov	[ebp-550h], eax
		mov	ecx, [ebp-54Ch]
		cmp	ecx, eax
		jz	short loc_75727C
		mov	eax, edx
		sub	eax, 3
		jnz	loc_8D237E

loc_757255:				; CODE XREF: PAGE:008D2382j
					; PAGE:008D238Bj ...
		cmp	ecx, [ebp-550h]
		jnb	short loc_757276
		jmp	loc_8D23AC
; 

loc_757262:				; CODE XREF: PAGE:00757216j
		mov	ecx, [ebp-54Ch]
		cmp	ecx, 70h
		jz	short loc_757276
		cmp	ecx, 78h

loc_757270:				; CODE XREF: PAGE:00757475j
					; PAGE:00757A1Ej ...
		jnz	loc_8D23AC

loc_757276:				; CODE XREF: PAGE:0075725Bj
					; PAGE:0075726Bj ...
		mov	[ebp-550h], ecx

loc_75727C:				; CODE XREF: PAGE:00757248j
					; PAGE:008D23CDj
		mov	edi, large fs:124h
		mov	[ebp-580h], edi
		mov	al, [edi+15Ah]
		mov	[ebp-561h], al
		mov	[ebp-548h], al
		test	al, al
		jz	loc_757B3D
		mov	eax, ds:dword_A406C4[edx*4]
		mov	[ebp-4], ebx
		test	ecx, ecx
		jz	short loc_7572E3
		dec	eax
		test	[ebp-55Ch], eax
		jnz	loc_757CAC
		mov	edx, [ebp-55Ch]
		lea	eax, [edx+ecx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_8D23D2
		cmp	eax, edx
		jb	loc_8D23D2

loc_7572DD:				; CODE XREF: PAGE:008D23D4j
		mov	edx, [ebp-578h]

loc_7572E3:				; CODE XREF: PAGE:007572AFj
		mov	ecx, [ebp-57Ch]
		test	ecx, ecx
		jnz	loc_757423

loc_7572F1:				; CODE XREF: PAGE:00757434j
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp-4], esi

loc_7572F7:				; CODE XREF: PAGE:00757B40j
		mov	eax, [ebp-574h]
		test	eax, eax
		jz	loc_757AE5
		push	ebx
		lea	ecx, [ebp-558h]
		push	ecx
		push	79517350h
		push	dword ptr [ebp-548h]
		push	ds:_PsJobType
		push	4
		push	eax
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7573F2
		mov	ebx, [ebp-558h]
		mov	[ebp-568h], ebx

loc_75733A:				; CODE XREF: PAGE:00757B13j
					; PAGE:008D23FFj ...
		mov	eax, [ebp-550h]
		mov	[ebp-56Ch], eax
		xor	ecx, ecx
		mov	[ebp-541h], cl
		mov	edx, ecx
		mov	[ebp-548h], edx
		mov	[ebp-574h], edx
		mov	[ebp-560h], ecx
		mov	eax, [ebp-570h]
		movzx	eax, ds:byte_757D36[eax]
		jmp	ds:off_757CB2[eax*4]

loc_757376:				; DATA XREF: PAGE:00757CBAo
		mov	[ebp-56Ch], ecx
		lea	eax, [ebp-56Ch]
		push	eax
		mov	eax, [ebp-54Ch]
		push	eax
		mov	edx, [ebp-55Ch]
		mov	ecx, ebx
		call	PspQueryJobHierarchyProcessIdList
		mov	edi, eax
		mov	byte ptr [ebp-541h], 1

loc_7573A0:				; CODE XREF: PAGE:00757903j
					; PAGE:00757A07j ...
		mov	esi, [ebp-548h]

loc_7573A6:				; CODE XREF: PAGE:0075745Aj
					; PAGE:00757526j ...
		test	ebx, ebx
		jz	short loc_7573B6
		mov	edx, 79517350h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_7573B6:				; CODE XREF: PAGE:007573A8j
		mov	dword ptr [ebp-4], 6
		test	edi, edi
		js	short loc_7573DF
		cmp	byte ptr [ebp-541h], 0
		jnz	short loc_7573DF
		push	dword ptr [ebp-550h]
		push	esi
		push	dword ptr [ebp-55Ch]
		call	_memcpy
		add	esp, 0Ch

loc_7573DF:				; CODE XREF: PAGE:007573BFj
					; PAGE:007573C8j
		mov	ecx, [ebp-57Ch]
		test	ecx, ecx
		jnz	short loc_757439

loc_7573E9:				; CODE XREF: PAGE:00757441j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, edi

loc_7573F2:				; CODE XREF: PAGE:00757328j
					; PAGE:008D23B1j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_757404:				; CODE XREF: PAGE:00757205j
		mov	eax, edx
		sub	eax, 1Ch
		jz	short loc_75747A
		dec	eax
		sub	eax, 1
		jz	loc_757B8D
		sub	eax, 0Dh
		jnz	loc_757233
		jmp	loc_8D23B6
; 

loc_757423:				; CODE XREF: PAGE:007572EBj
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8D23D9

loc_757430:				; CODE XREF: PAGE:008D23DBj
		mov	eax, [ecx]
		mov	[ecx], eax
		jmp	loc_7572F1
; 

loc_757439:				; CODE XREF: PAGE:007573E7j
		mov	eax, [ebp-56Ch]
		mov	[ecx], eax
		jmp	short loc_7573E9
; 

loc_757443:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:off_757CB2o
		lea	edx, [ebp-540h]
		mov	ecx, ebx
		call	PspQueryJobHierarchyAccountingInformation
		xor	esi, esi
		mov	edi, esi
		lea	esi, [ebp-540h]
		jmp	loc_7573A6
; 

loc_75745F:				; CODE XREF: PAGE:0075722Dj
		mov	ecx, [ebp-54Ch]
		mov	eax, ecx
		sub	eax, 1B0h
		jz	loc_757276
		sub	eax, 10h
		jmp	loc_757270
; 

loc_75747A:				; CODE XREF: PAGE:00757409j
		mov	ecx, [ebp-54Ch]
		cmp	ecx, 10h
		jz	loc_757276
		cmp	ecx, 28h
		jz	loc_757276
		jmp	loc_8D23AC
; 

loc_757497:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CFAo
		mov	[ebp-0DCh], ecx
		mov	[ebp-0D8h], ecx
		mov	[ebp-0D4h], ecx
		mov	[ebp-0D0h], ecx
		mov	edx, edi
		mov	ecx, ebx
		call	_PspLockJobMemoryLimitsShared@8	; PspLockJobMemoryLimitsShared(x,x)
		mov	eax, [ebx+158h]
		xor	ecx, ecx
		shld	ecx, eax, 0Ch
		shl	eax, 0Ch
		mov	[ebp-0ECh], eax
		mov	[ebp-0E8h], ecx
		mov	eax, [ebx+208h]
		mov	ecx, [ebx+20Ch]
		shld	ecx, eax, 0Ch
		shl	eax, 0Ch
		mov	[ebp-0F4h], eax
		mov	[ebp-0F0h], ecx
		mov	ecx, [ebx+31Ch]
		xor	eax, eax
		shld	eax, ecx, 0Ch
		shl	ecx, 0Ch
		mov	[ebp-0E4h], ecx
		mov	[ebp-0E0h], eax
		mov	edx, edi
		mov	ebx, [ebp-558h]
		mov	ecx, ebx
		call	_PspUnlockJobMemoryLimitsShared@8 ; PspUnlockJobMemoryLimitsShared(x,x)
		xor	esi, esi
		mov	edi, esi
		lea	esi, [ebp-0F4h]
		jmp	loc_7573A6
; 

loc_75752B:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CB6o
		mov	edx, edi
		mov	ecx, ebx
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		mov	eax, [ebx+0A8h]
		mov	[ebp-1B0h], eax
		mov	eax, [ebx+0ACh]
		mov	[ebp-1ACh], eax
		mov	eax, [ebx+0B4h]
		mov	[ebp-1A8h], eax
		movzx	eax, byte ptr [ebx+1A5h]
		mov	[ebp-1A0h], eax
		mov	eax, [ebx+0ECh]
		mov	[ebp-19Ch], eax
		xor	esi, esi
		cmp	[ebx+0C0h], esi
		jnz	loc_8D2418
		mov	[ebp-1A4h], esi

loc_757585:				; CODE XREF: PAGE:008D2424j
		mov	eax, [ebx+98h]
		mov	[ebp-1C4h], eax
		mov	eax, [ebx+9Ch]
		mov	[ebp-1C0h], eax
		mov	eax, [ebx+0A0h]
		mov	[ebp-1BCh], eax
		mov	eax, [ebx+0A4h]
		mov	[ebp-1B8h], eax
		mov	edx, [ebp-54Ch]
		mov	ecx, [ebp-578h]
		call	_PspGetJobLimitInformationValidFlags@8 ; PspGetJobLimitInformationValidFlags(x,x)
		mov	ecx, eax
		or	ecx, 7FFFh
		mov	eax, [ebx+0B0h]
		and	eax, ecx
		mov	[ebp-1B4h], eax
		cmp	dword ptr [ebp-578h], 9
		jnz	loc_757C73
		lea	ecx, [ebx+230h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebx+148h]
		shl	eax, 0Ch
		mov	[ebp-164h], eax
		mov	eax, [ebx+14Ch]
		shl	eax, 0Ch
		mov	[ebp-160h], eax
		mov	eax, [ebx+158h]
		shl	eax, 0Ch
		mov	[ebp-158h], eax
		mov	eax, [ebx+150h]
		shl	eax, 0Ch
		mov	[ebp-154h], eax
		xor	edx, edx
		mov	ecx, ebx
		call	_PspUnlockJobMemoryLimitsShared@8 ; PspUnlockJobMemoryLimitsShared(x,x)
		mov	edx, edi
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		mov	eax, [ebx+154h]
		shl	eax, 0Ch
		mov	[ebp-15Ch], eax

loc_757653:				; CODE XREF: PAGE:00757C7Cj
		mov	edi, esi
		lea	esi, [ebp-1C4h]
		jmp	loc_7573A6
; 

loc_757660:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CFEo
		mov	eax, [ebx+31Ch]
		mov	[ebp-5C0h], eax
		mov	[ebp-5BCh], ecx
		mov	edi, ecx
		mov	ebx, [ebp-558h]
		lea	esi, [ebp-5C0h]
		jmp	loc_7573A6
; 

loc_757685:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CD6o
		mov	[ebp-54h], ecx
		mov	[ebp-50h], ecx
		xor	eax, eax
		lea	edi, [ebp-44h]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp-584h], cx
		mov	[ebp-582h], cl
		lea	edx, [ebp-540h]
		mov	ecx, ebx
		call	PspQueryJobHierarchyAccountingInformation
		mov	eax, [ebp-4F8h]
		mov	[ebp-94h], eax
		mov	eax, [ebp-4F4h]
		mov	[ebp-90h], eax
		mov	eax, [ebp-4F0h]
		mov	[ebp-84h], eax
		mov	eax, [ebp-4ECh]
		mov	[ebp-80h], eax
		mov	eax, [ebp-540h]
		mov	[ebp-74h], eax
		mov	eax, [ebp-53Ch]
		mov	[ebp-70h], eax
		mov	edx, [ebp-580h]
		mov	ecx, ebx
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		lea	ecx, [ebx+310h]
		mov	eax, [ecx]
		test	al, 8
		jnz	loc_757C15

loc_75770A:				; CODE XREF: PAGE:00757C1Aj
		push	0FFFFFFFBh
		pop	eax
		lock and [ecx],	eax

loc_757710:				; CODE XREF: PAGE:00757C20j
		lea	ecx, [ebx+230h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebx+208h]
		mov	ecx, [ebx+20Ch]
		shld	ecx, eax, 0Ch
		shl	eax, 0Ch
		mov	[ebp-64h], eax
		mov	[ebp-60h], ecx
		xor	edx, edx
		mov	ecx, ebx
		call	_PspUnlockJobMemoryLimitsShared@8 ; PspUnlockJobMemoryLimitsShared(x,x)
		mov	eax, [ebx+210h]
		test	eax, eax
		jz	loc_757C25
		mov	eax, [eax]
		mov	[ebp-9Ch], eax
		mov	eax, [ebx+210h]
		mov	eax, [eax+4]
		mov	[ebp-98h], eax
		mov	edx, [ebx+210h]
		mov	ecx, [edx+48h]
		mov	esi, [edx+4Ch]
		mov	eax, ecx
		or	eax, esi
		jnz	loc_8D2759
		mov	eax, [edx+8]
		mov	[ebp-8Ch], eax
		mov	eax, [edx+0Ch]
		mov	[ebp-88h], eax

loc_75778C:				; CODE XREF: PAGE:008D2765j
		mov	ecx, [edx+50h]
		mov	esi, [edx+54h]
		mov	eax, ecx
		or	eax, esi
		jnz	loc_8D276A
		mov	eax, [edx+10h]
		mov	[ebp-7Ch], eax
		mov	eax, [edx+14h]
		mov	[ebp-78h], eax

loc_7577A8:				; CODE XREF: PAGE:008D2770j
		mov	ecx, [edx+58h]
		mov	esi, [edx+5Ch]
		mov	eax, ecx
		or	eax, esi
		jnz	loc_8D2775
		mov	eax, [edx+18h]
		mov	[ebp-6Ch], eax
		mov	eax, [edx+1Ch]
		mov	[ebp-68h], eax

loc_7577C4:				; CODE XREF: PAGE:008D277Bj
		mov	ecx, [edx+60h]
		mov	esi, [edx+64h]
		mov	eax, ecx
		or	eax, esi
		jnz	loc_757B7B
		mov	eax, [edx+20h]
		mov	ecx, [edx+24h]
		shld	ecx, eax, 0Ch
		shl	eax, 0Ch
		mov	[ebp-4Ch], eax
		mov	[ebp-48h], ecx

loc_7577E7:				; CODE XREF: PAGE:00757B88j
		mov	ecx, [edx+68h]
		mov	esi, [edx+6Ch]
		mov	eax, ecx
		or	eax, esi
		jnz	loc_757A63
		mov	eax, [edx+28h]
		mov	ecx, [edx+2Ch]
		shld	ecx, eax, 0Ch
		shl	eax, 0Ch
		mov	[ebp-5Ch], eax
		mov	[ebp-58h], ecx

loc_75780A:				; CODE XREF: PAGE:00757A70j
		xor	esi, esi
		mov	edi, esi
		lea	ebx, [edx+30h]

loc_757811:				; CODE XREF: PAGE:00757836j
		mov	edx, edi
		lea	ecx, [ebp-9Ch]
		call	_PspLimitViolationRateControlToleranceLimitField@8 ; PspLimitViolationRateControlToleranceLimitField(x,x)
		mov	ecx, eax
		mov	eax, [ebx+40h]
		test	eax, eax
		jnz	loc_8D2780
		mov	eax, [ebx]

loc_75782D:				; CODE XREF: PAGE:008D2788j
		mov	[ecx], eax
		inc	edi
		add	ebx, 4
		cmp	edi, 3
		jl	short loc_757811
		mov	ebx, [ebp-568h]

loc_75783E:				; CODE XREF: PAGE:00757C6Ej
		mov	edi, esi

loc_757840:				; CODE XREF: PAGE:0075789Cj
		mov	edx, [ebx+210h]
		test	edx, edx
		jz	short loc_757859
		mov	ecx, edi
		call	_PspRateControlLimitFlag@4 ; PspRateControlLimitFlag(x)
		test	[edx], eax
		jnz	loc_8D278D

loc_757859:				; CODE XREF: PAGE:00757848j
		xor	edx, edx
		inc	edx

loc_75785C:				; CODE XREF: PAGE:008D2791j
		mov	[ebp-560h], edx
		push	edi
		lea	eax, [ebp-588h]
		push	eax
		movzx	eax, byte ptr [ebp+edi-584h]
		push	eax
		mov	ecx, ebx
		call	PspQueryRateControlHistory
		mov	eax, edi
		sub	eax, esi
		jz	loc_757A42
		sub	eax, 1
		jz	loc_757A3A
		lea	ecx, [ebp-54h]

loc_757890:				; CODE XREF: PAGE:00757A3Dj
					; PAGE:00757A45j
		mov	eax, [ebp-588h]
		mov	[ecx], eax
		inc	edi
		cmp	edi, 3
		jl	short loc_757840
		mov	eax, [ebx+210h]
		test	eax, eax
		mov	edi, [ebp-580h]
		jz	short loc_7578C6
		mov	[eax+4], esi
		push	40h
		push	esi
		mov	eax, [ebx+210h]
		add	eax, 48h
		push	eax
		call	_memset
		add	esp, 0Ch

loc_7578C6:				; CODE XREF: PAGE:007578ACj
		mov	edx, edi
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		mov	eax, [ebp-54Ch]
		cmp	eax, 58h
		jnz	loc_8D2796
		lea	edx, [ebp-380h]
		lea	ecx, [ebp-9Ch]
		call	_PspConvertJobLimitViolationToV2@8 ; PspConvertJobLimitViolationToV2(x,x)
		mov	eax, edx

loc_7578F1:				; CODE XREF: PAGE:008D27AEj
					; PAGE:008D27B9j
		mov	[ebp-548h], eax
		mov	edi, esi
		test	ds:_PerfGlobalGroupMask, 80000h
		jz	loc_7573A0
		jmp	loc_8D27BE
; 

loc_75790E:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CD2o
		mov	edx, edi
		mov	ecx, ebx
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		mov	edx, [ebx+210h]
		test	edx, edx
		jz	loc_757B74
		mov	eax, [edx]
		mov	[ebp-114h], eax
		mov	eax, [edx+8]
		mov	[ebp-13Ch], eax
		mov	eax, [edx+0Ch]
		mov	[ebp-138h], eax
		mov	eax, [edx+10h]
		mov	[ebp-134h], eax
		mov	eax, [edx+14h]
		mov	[ebp-130h], eax
		mov	eax, [edx+18h]
		mov	[ebp-12Ch], eax
		mov	eax, [edx+1Ch]
		mov	[ebp-128h], eax
		mov	eax, [edx+20h]
		mov	ecx, [edx+24h]
		shld	ecx, eax, 0Ch
		shl	eax, 0Ch
		mov	[ebp-10Ch], eax
		mov	[ebp-108h], ecx
		mov	eax, [edx+28h]
		mov	ecx, [edx+2Ch]
		shld	ecx, eax, 0Ch
		shl	eax, 0Ch
		mov	[ebp-124h], eax
		mov	[ebp-120h], ecx
		xor	esi, esi
		mov	edi, esi
		lea	ebx, [edx+3Ch]

loc_75799C:				; CODE XREF: PAGE:007579C6j
		mov	edx, edi
		lea	ecx, [ebp-13Ch]
		call	_PspNotificationLimitRateControlToleranceField@8 ; PspNotificationLimitRateControlToleranceField(x,x)
		mov	ecx, [ebx-0Ch]
		mov	[eax], ecx
		mov	edx, edi
		lea	ecx, [ebp-13Ch]
		call	_PspNotificationLimitRateControlToleranceIntervalField@8 ; PspNotificationLimitRateControlToleranceIntervalField(x,x)
		mov	ecx, [ebx]
		mov	[eax], ecx
		inc	edi
		lea	ebx, [ebx+4]
		cmp	edi, 3
		jl	short loc_75799C
		mov	ebx, [ebp-568h]
		mov	edi, [ebp-580h]

loc_7579D4:				; CODE XREF: PAGE:00757B76j
		mov	edx, edi
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		mov	eax, [ebp-54Ch]
		cmp	eax, 38h
		jnz	loc_8D2731
		lea	edx, [ebp-250h]
		lea	ecx, [ebp-13Ch]
		call	_PspConvertJobNotificationLimitToV2@8 ;	PspConvertJobNotificationLimitToV2(x,x)
		mov	eax, edx

loc_7579FF:				; CODE XREF: PAGE:008D273Cj
					; PAGE:008D2754j
		mov	[ebp-548h], eax
		mov	edi, esi
		jmp	loc_7573A0
; 

loc_757A0C:				; CODE XREF: PAGE:00757224j
		mov	ecx, [ebp-54Ch]
		cmp	ecx, 50h
		jz	loc_757276
		cmp	ecx, 58h
		jmp	loc_757270
; 

loc_757A23:				; CODE XREF: PAGE:0075721Bj
		mov	ecx, [ebp-54Ch]
		cmp	ecx, 30h
		jz	loc_757276
		cmp	ecx, 38h
		jmp	loc_757270
; 

loc_757A3A:				; CODE XREF: PAGE:00757887j
		lea	ecx, [ebp-44h]
		jmp	loc_757890
; 

loc_757A42:				; CODE XREF: PAGE:0075787Ej
		lea	ecx, [ebp-3Ch]
		jmp	loc_757890
; 

loc_757A4A:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CE2o
		mov	eax, [ebx+1A8h]
		mov	[ebp-59Ch], eax
		mov	edi, ecx
		lea	esi, [ebp-59Ch]
		jmp	loc_7573A6
; 

loc_757A63:				; CODE XREF: PAGE:007577F1j
		shld	esi, ecx, 0Ch
		shl	ecx, 0Ch
		mov	[ebp-5Ch], ecx
		mov	[ebp-58h], esi
		jmp	loc_75780A
; 

loc_757A75:				; CODE XREF: PAGE:0075720Bj
		mov	ecx, [ebp-54Ch]
		cmp	ecx, 28h
		jz	loc_757276
		cmp	ecx, 40h
		jmp	loc_757270
; 

loc_757A8C:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CEEo
		lea	eax, [ebp-290h]
		push	eax
		mov	edx, ebx
		mov	ecx, edi
		call	PspAllocateAndQueryNotificationChannel
		mov	edi, eax
		test	edi, edi
		js	loc_7573A0
		xor	esi, esi
		mov	edi, esi
		lea	esi, [ebp-290h]
		jmp	loc_7573A6
; 

loc_757AB5:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757D1Eo
		mov	edx, edi
		mov	ecx, ebx
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		lea	edx, [ebp-2D8h]
		mov	ecx, ebx
		call	PspQueryJobIoAttribution
		mov	edi, eax
		mov	edx, [ebp-580h]
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		lea	esi, [ebp-2D8h]
		jmp	loc_7573A6
; 

loc_757AE5:				; CODE XREF: PAGE:007572FFj
		mov	eax, [edi+80h]
		mov	eax, [eax+158h]
		mov	[ebp-558h], eax
		mov	ebx, eax
		mov	[ebp-568h], ebx
		test	ebx, ebx
		jz	loc_8D23FC
		mov	edx, 79517350h
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag
		jmp	loc_75733A
; 

loc_757B18:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CE6o
		mov	eax, [ebx+0E0h]
		mov	[ebp-5B8h], eax
		mov	eax, [ebx+0E4h]
		mov	[ebp-5B4h], eax
		mov	edi, ecx
		lea	esi, [ebp-5B8h]
		jmp	loc_7573A6
; 

loc_757B3D:				; CODE XREF: PAGE:0075729Dj
		push	0FFFFFFFEh
		pop	esi
		jmp	loc_7572F7
; 

loc_757B45:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CDEo
		mov	edx, edi
		mov	ecx, ebx
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		mov	eax, [ebx+21Ch]
		test	eax, eax
		jnz	loc_757BE6

loc_757B5C:				; CODE XREF: PAGE:00757BECj
					; PAGE:008D2815j
		mov	edx, edi
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		xor	esi, esi
		mov	edi, esi
		lea	esi, [ebp-5C8h]
		jmp	loc_7573A6
; 

loc_757B74:				; CODE XREF: PAGE:0075791Fj
		xor	esi, esi
		jmp	loc_7579D4
; 

loc_757B7B:				; CODE XREF: PAGE:007577CEj
		shld	esi, ecx, 0Ch
		shl	ecx, 0Ch
		mov	[ebp-4Ch], ecx
		mov	[ebp-48h], esi
		jmp	loc_7577E7
; 

loc_757B8D:				; CODE XREF: PAGE:0075740Fj
		mov	ecx, [ebp-54Ch]
		cmp	ecx, 10h
		jz	loc_757276
		cmp	ecx, 24h
		jmp	loc_757270
; 

loc_757BA4:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757D02o
		lea	esi, [ebx+2D8h]
		lea	edi, [ebp-1E8h]
		movsd
		movsd
		movsd
		movsd
		cmp	dword ptr [ebp-54Ch], 24h
		jnz	short loc_757BD9
		lea	esi, [ebx+2E8h]
		lea	edi, [ebp-1D8h]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebx+2D4h]
		mov	[ebp-1C8h], eax

loc_757BD9:				; CODE XREF: PAGE:00757BBBj
		mov	edi, ecx
		lea	esi, [ebp-1E8h]
		jmp	loc_7573A6
; 

loc_757BE6:				; CODE XREF: PAGE:00757B56j
		mov	ecx, [eax+14h]
		test	cl, 40h
		jnz	loc_757B5C
		jmp	loc_8D27E4
; 

loc_757BF7:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CF2o
		mov	eax, [ebx+310h]
		shr	eax, 0Ah
		and	al, 1
		mov	[ebp-551h], al
		mov	edi, ecx
		lea	esi, [ebp-551h]
		jmp	loc_7573A6
; 

loc_757C15:				; CODE XREF: PAGE:00757704j
		test	eax, 4000h
		jz	loc_75770A
		jmp	loc_757710
; 

loc_757C25:				; CODE XREF: PAGE:00757747j
		xor	esi, esi
		mov	[ebp-9Ch], esi
		mov	[ebp-98h], esi
		mov	[ebp-8Ch], esi
		mov	[ebp-88h], esi
		mov	[ebp-7Ch], esi
		mov	[ebp-78h], esi
		mov	[ebp-6Ch], esi
		mov	[ebp-68h], esi
		mov	[ebp-4Ch], esi
		mov	[ebp-48h], esi
		mov	[ebp-5Ch], esi
		mov	[ebp-58h], esi
		mov	edi, esi

loc_757C59:				; CODE XREF: PAGE:00757C6Cj
		mov	edx, edi
		lea	ecx, [ebp-9Ch]
		call	_PspLimitViolationRateControlToleranceLimitField@8 ; PspLimitViolationRateControlToleranceLimitField(x,x)
		mov	[eax], esi
		inc	edi
		cmp	edi, 3
		jl	short loc_757C59
		jmp	loc_75783E
; 

loc_757C73:				; CODE XREF: PAGE:007575E3j
		mov	edx, edi
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		jmp	loc_757653
; 

loc_757C81:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757D16o
		lea	eax, [ebp-58Ch]
		push	eax
		push	ebx
		call	PsGetJobServerSilo
		mov	edi, [ebp-58Ch]
		push	edi
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	loc_8D2AB6
		mov	edi, 0C0000509h
		jmp	loc_7573A0
; 

loc_757CAC:				; CODE XREF: PAGE:007572B8j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		nop
; 
off_757CB2	dd offset loc_757443	; DATA XREF: PAGE:0075736Fr
		dd offset loc_75752B
		dd offset loc_757376
		dd offset loc_8D2429
		dd offset loc_8D2456
		dd offset loc_8D2520
		dd offset loc_8D2503
		dd offset loc_8D2539
		dd offset loc_75790E
		dd offset loc_757685
		dd offset loc_8D265D
		dd offset loc_757B45
		dd offset loc_757A4A
		dd offset loc_757B18
		dd offset loc_8D281A
		dd offset loc_757A8C
		dd offset loc_757BF7
		dd offset loc_8D2887
		dd offset loc_757497
		dd offset loc_757660
		dd offset loc_757BA4
		dd offset loc_8D292B
		dd offset loc_8D28B3
		dd offset loc_8D2952
		dd offset loc_8D29C4
		dd offset loc_757C81
		dd offset loc_8D2B4A
		dd offset loc_757AB5
		dd offset loc_8D2BB0
		dd offset loc_8D2935
		dd offset loc_8D2BBD
		dd offset loc_8D2BF6
		dd offset loc_8D2651
byte_757D36	db 0			; DATA XREF: PAGE:00757368r
; 
		add	[edx], eax
		add	eax, ds:6010020h[eax]
		pop	es
		or	[ecx], cl
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		add	[edi], cl
		adc	[eax], ah
		and	[eax], ah
		and	[ecx], dl
		and	[edx], dl
		adc	edx, ds:20090816h[edx]
		pop	ss
		sbb	[ecx], bl
		sbb	ah, [eax]
		and	[ebx], bl
		sbb	al, 1Dh
		and	[esi], bl
		pop	ds
		int	3		; Trap to Debugger

;  S U B	R O U T	I N E 


; __stdcall PspGetNextSilo(x, x)
_PspGetNextSilo@8 proc near		; CODE XREF: EtwpAdjustTraceBuffers+1Ep
					; IopDecrementDeviceObjectRefCount+D3FCDp ...
		mov	edi, edi
		push	ebx
		mov	bl, dl
		jmp	short loc_757D7A
; 

loc_757D6D:				; CODE XREF: PspGetNextSilo(x,x)+2Bj
		test	bl, bl
		jz	short loc_757D97
		call	_PsIsServerSilo@4 ; PsIsServerSilo(x)
		test	al, al
		jnz	short loc_757D97

loc_757D7A:				; CODE XREF: PspGetNextSilo(x,x)+5j
					; PspGetNextSilo(x,x)+29j
		call	_PspGetNextJob@4 ; PspGetNextJob(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_757D93
		test	dword ptr [ecx+310h], 40000000h
		jz	short loc_757D7A
		jmp	short loc_757D6D
; 

loc_757D93:				; CODE XREF: PspGetNextSilo(x,x)+1Dj
		xor	eax, eax
		pop	ebx
		retn
; 

loc_757D97:				; CODE XREF: PspGetNextSilo(x,x)+9j
					; PspGetNextSilo(x,x)+12j
		mov	eax, ecx
		pop	ebx
		retn
_PspGetNextSilo@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspJobTimeLimitsWork(x)
_PspJobTimeLimitsWork@4	proc near	; DATA XREF: PspInitializeJobStructures+45o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ebx
		push	esi
		xor	bl, bl
		mov	esi, offset _PspJobTimeLimitsWorkItemFlags

loc_757DAD:				; CODE XREF: PspJobTimeLimitsWork(x)+37j
		push	0FFFFFFFCh
		pop	edx
		mov	eax, [esi]

loc_757DB2:				; CODE XREF: PspJobTimeLimitsWork(x)+1Ej
		mov	ecx, eax
		and	ecx, edx
		lock cmpxchg [esi], ecx
		jnz	short loc_757DB2
		test	al, 1
		jnz	short loc_757DE1
		mov	cl, 1

loc_757DC2:				; CODE XREF: PspJobTimeLimitsWork(x)+49j
		call	PspEnforceLimits
		push	4
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 4
		jnz	short loc_757DAD
		test	bl, bl
		jnz	short loc_757DE7

loc_757DD9:				; CODE XREF: PspJobTimeLimitsWork(x)+55j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_757DE1:				; CODE XREF: PspJobTimeLimitsWork(x)+22j
		mov	bl, 1
		xor	cl, cl
		jmp	short loc_757DC2
; 

loc_757DE7:				; CODE XREF: PspJobTimeLimitsWork(x)+3Bj
		mov	_PspJobTimeLimitsCount,	7
		jmp	short loc_757DD9
_PspJobTimeLimitsWork@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspEnforceLimits proc near		; CODE XREF: PspJobTimeLimitsWork(x):loc_757DC2p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D2C43 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	38h		; size_t
		xor	edi, edi
		lea	eax, [ebp+var_40]
		push	edi		; int
		push	eax		; void *
		mov	bl, cl
		call	_memset
		add	esp, 0Ch
		lock inc ds:_PspEnforcementSequenceNumber
		test	bl, bl
		jz	short loc_757E9A

loc_757E27:				; CODE XREF: PspEnforceLimits+ACj
					; PspEnforceLimits+17AE7Cj
		xor	ecx, ecx

loc_757E29:				; CODE XREF: PspEnforceLimits+5Aj
		call	_PspGetNextJob@4 ; PspGetNextJob(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_757E8B
		cmp	[esi+244h], edi
		jnz	short loc_757E4C
		test	bl, bl
		jz	short loc_757E50
		test	dword ptr [esi+310h], 100000h
		jnz	short loc_757E50

loc_757E4C:				; CODE XREF: PspEnforceLimits+46j
					; PspEnforceLimits+95j
		mov	ecx, esi
		jmp	short loc_757E29
; 

loc_757E50:				; CODE XREF: PspEnforceLimits+4Aj
					; PspEnforceLimits+56j
		mov	ecx, 0FFEFFFFFh
		lea	eax, [esi+310h]
		lock and [eax],	ecx
		push	38h		; size_t
		lea	eax, [ebp+var_40]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_40]
		mov	edx, offset _PspEnforceLimitsJobPreCallback@8 ;	PspEnforceLimitsJobPreCallback(x,x)
		mov	ecx, esi
		push	6
		push	eax
		push	offset PspEnforceLimitsProcessCallback
		push	offset PspEnforceLimitsJobPostCallback
		call	PspEnumJobsAndProcessesInJobHierarchy
		jmp	short loc_757E4C
; 

loc_757E8B:				; CODE XREF: PspEnforceLimits+3Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_757E9A:				; CODE XREF: PspEnforceLimits+31j
		cmp	ds:_PspNoWakeChargeReferencedProcess, edi
		jz	short loc_757E27
		jmp	loc_8D2C43
PspEnforceLimits endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspGetNextJob(x)
_PspGetNextJob@4 proc near		; CODE XREF: PspGetNextSilo(x,x):loc_757D7Ap
					; PspEnforceLimits:loc_757E29p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	edi, ecx
		dec	word ptr [esi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset _PspJobListLock
		call	ExAcquirePushLockSharedEx
		test	edi, edi
		jz	short loc_757F44
		mov	ebx, [edi+10h]

loc_757EDD:				; CODE XREF: PspGetNextJob(x)+9Aj
		cmp	ebx, offset _PspJobList
		jz	short loc_757F62

loc_757EE5:				; CODE XREF: PspGetNextJob(x)+B0j
		lea	eax, [ebx-10h]
		mov	edx, 6E457350h
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	short loc_757F58
		mov	ebx, [ebp+var_4]

loc_757EFE:				; CODE XREF: PspGetNextJob(x)+B4j
		xor	edx, edx
		mov	eax, 11h
		mov	ecx, offset _PspJobListLock
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	short loc_757F4C

loc_757F13:				; CODE XREF: PspGetNextJob(x)+A6j
		call	KeAbPostRelease
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_757F2B
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	short loc_757F66

loc_757F2B:				; CODE XREF: PspGetNextJob(x)+71j
					; PspGetNextJob(x)+BBj
		test	edi, edi
		jz	short loc_757F3B
		mov	edx, 6E457350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_757F3B:				; CODE XREF: PspGetNextJob(x)+7Dj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_757F44:				; CODE XREF: PspGetNextJob(x)+28j
		mov	ebx, ds:_PspJobList
		jmp	short loc_757EDD
; 

loc_757F4C:				; CODE XREF: PspGetNextJob(x)+61j
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, offset _PspJobListLock
		jmp	short loc_757F13
; 

loc_757F58:				; CODE XREF: PspGetNextJob(x)+49j
		mov	ebx, [ebx]
		cmp	ebx, offset _PspJobList
		jnz	short loc_757EE5

loc_757F62:				; CODE XREF: PspGetNextJob(x)+33j
		xor	ebx, ebx
		jmp	short loc_757EFE
; 

loc_757F66:				; CODE XREF: PspGetNextJob(x)+79j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_757F2B
_PspGetNextJob@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspChargeJobWakeCounter	proc near	; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+286p
					; PspAssignProcessToJob+1266E1p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008D2C75 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	eax, ecx
		mov	ecx, [ebp+arg_0]
		and	ebx, 4
		push	esi
		mov	[ebp+var_10], eax
		mov	esi, eax
		xor	eax, eax
		mov	[ebp+var_24], edx
		mov	edx, large fs:124h
		inc	eax
		and	[ebp+var_14], 0
		push	edi
		mov	edi, [ebp+arg_C]
		shl	eax, cl
		and	edi, 1
		mov	[ebp+var_28], edx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], edi
		jz	short loc_757FBB
		lea	eax, [ebp+var_14]
		mov	ecx, esi
		push	eax
		call	PspLockRootJobShared

loc_757FBB:				; CODE XREF: PspChargeJobWakeCounter+40j
					; PspChargeJobWakeCounter+F1j
		test	edi, edi
		jz	short loc_757FCA
		push	1
		lea	eax, [esi+20h]
		push	eax
		call	ExAcquireResourceSharedLite

loc_757FCA:				; CODE XREF: PspChargeJobWakeCounter+4Fj
		test	ebx, ebx
		jz	loc_758067
		mov	eax, 1F0h

loc_757FD7:				; CODE XREF: PspChargeJobWakeCounter+103j
		lea	edi, [eax+esi]

loc_757FDA:				; CODE XREF: PspChargeJobWakeCounter+8Dj
					; PspChargeJobWakeCounter+94j
		mov	eax, [edi]
		mov	ebx, eax
		mov	edx, [edi+4]
		mov	ecx, edx
		add	ebx, [ebp+arg_4]
		mov	[ebp+var_4], eax
		adc	ecx, [ebp+arg_8]
		mov	[ebp+var_8], edx
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+var_4]
		mov	ebx, edx
		cmp	eax, ecx
		jnz	short loc_757FDA
		mov	edx, [ebp+var_8]
		cmp	ebx, edx
		jnz	short loc_757FDA
		add	ecx, [ebp+arg_4]
		mov	ebx, [ebp+var_C]
		adc	edx, [ebp+arg_8]
		mov	edi, [ebp+var_18]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], edx
		test	ebx, ebx
		jz	short loc_758076
		xor	eax, eax
		cmp	[esi+194h], eax
		jnz	loc_758104

loc_758028:				; CODE XREF: PspChargeJobWakeCounter+1AAj
					; PspChargeJobWakeCounter+17AD2Dj
		test	edi, edi
		jz	short loc_758034
		lea	ecx, [esi+20h]
		call	ExReleaseResourceLite

loc_758034:				; CODE XREF: PspChargeJobWakeCounter+BCj
					; PspChargeJobWakeCounter+17Aj
		mov	esi, [esi+244h]
		cmp	esi, [ebp+var_24]
		jnz	short loc_758055

loc_75803F:				; CODE XREF: PspChargeJobWakeCounter+F7j
		test	edi, edi
		jz	short loc_75804E
		mov	edx, [ebp+var_28]
		mov	ecx, [ebp+var_14]
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)

loc_75804E:				; CODE XREF: PspChargeJobWakeCounter+D3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_758055:				; CODE XREF: PspChargeJobWakeCounter+CFj
		test	dword ptr [esi+310h], 1000h
		jnz	loc_757FBB
		jmp	short loc_75803F
; 

loc_758067:				; CODE XREF: PspChargeJobWakeCounter+5Ej
		mov	eax, [ebp+arg_0]
		lea	eax, ds:1B8h[eax*8]
		jmp	loc_757FD7
; 

loc_758076:				; CODE XREF: PspChargeJobWakeCounter+AAj
		mov	ecx, [esi+310h]
		mov	eax, [esi+1F8h]
		and	ecx, 800h
		mov	[ebp+var_30], eax
		mov	eax, [esi+1FCh]
		setnz	bh
		mov	[ebp+var_20], eax
		mov	bl, bh
		mov	[ebp+var_2C], eax
		test	ecx, ecx
		jz	short loc_7580A7
		mov	eax, [ebp+var_4]
		or	eax, edx
		jz	short loc_7580ED

loc_7580A7:				; CODE XREF: PspChargeJobWakeCounter+130j
					; PspChargeJobWakeCounter+187j	...
		test	edi, edi
		jz	short loc_7580B6
		lea	ecx, [esi+20h]
		call	ExReleaseResourceLite
		mov	edx, [ebp+var_8]

loc_7580B6:				; CODE XREF: PspChargeJobWakeCounter+13Bj
		test	bl, bl
		jz	short loc_7580E5
		xor	eax, eax
		cmp	[ebp+arg_8], eax
		jl	short loc_7580CB
		jg	short loc_7580C8
		cmp	[ebp+arg_4], eax
		jbe	short loc_7580CB

loc_7580C8:				; CODE XREF: PspChargeJobWakeCounter+153j
		push	6
		pop	eax

loc_7580CB:				; CODE XREF: PspChargeJobWakeCounter+151j
					; PspChargeJobWakeCounter+158j
		test	edi, edi
		jz	short loc_7580D2
		or	eax, 1

loc_7580D2:				; CODE XREF: PspChargeJobWakeCounter+15Fj
		push	eax
		push	edx
		push	[ebp+var_4]
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_30]
		push	eax
		mov	ecx, esi
		call	PspSendWakeNotification

loc_7580E5:				; CODE XREF: PspChargeJobWakeCounter+14Aj
		mov	ebx, [ebp+var_C]
		jmp	loc_758034
; 

loc_7580ED:				; CODE XREF: PspChargeJobWakeCounter+137j
		mov	ecx, [ebp+var_1C]
		mov	bl, bh
		test	[ebp+var_20], ecx
		jnz	short loc_7580A7
		xor	bl, bl
		lea	eax, [esi+200h]
		lock or	[eax], ecx
		jmp	short loc_7580A7
; 

loc_758104:				; CODE XREF: PspChargeJobWakeCounter+B4j
		test	byte ptr [ebp+arg_C], 2
		jnz	loc_8D2C75

loc_75810E:				; CODE XREF: PspChargeJobWakeCounter+17AD0Dj
					; PspChargeJobWakeCounter+17AD15j
		test	ds:dword_70EFD0, 200h
		jz	loc_758028
		jmp	loc_8D2C88
PspChargeJobWakeCounter	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspEnumJobsAndProcessesInJobHierarchy proc near
					; CODE XREF: PspQueryJobHierarchyProcessIdList+4Fp
					; PspQueryJobHierarchyAccountingInformation+80p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D2CA0 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	[ebp+var_C], edx
		push	esi
		push	edi
		mov	edi, ecx
		test	bl, 8
		jnz	loc_758216
		mov	eax, ebx
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_4], eax

loc_758148:				; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+F8j
		xor	eax, eax
		mov	esi, edi
		mov	[ebp+arg_C], eax

loc_75814F:				; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+CDj
		test	bl, 2
		jz	loc_7581F6

loc_758158:				; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+EDj
		xor	edx, edx
		mov	ecx, esi
		call	_PspGetNextChildJob@8 ;	PspGetNextChildJob(x,x)
		test	eax, eax
		jnz	short loc_7581BE
		mov	ecx, [esi+244h]
		mov	[ebp+var_8], ecx
		cmp	esi, edi
		jz	short loc_7581BE
		mov	edx, ebx
		and	edx, 2
		mov	[ebp+var_10], edx

loc_75817A:				; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+98j
		test	edx, edx
		jz	short loc_75819E
		push	[ebp+var_4]
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PspCallJobHierarchyCallbacks@24 ; PspCallJobHierarchyCallbacks(x,x,x,x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		js	short loc_7581E0
		mov	ecx, [ebp+var_8]

loc_75819E:				; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+58j
		mov	edx, esi
		call	_PspGetNextChildJob@8 ;	PspGetNextChildJob(x,x)
		test	eax, eax
		jnz	short loc_7581BE
		mov	ecx, [ebp+var_8]
		mov	esi, ecx
		mov	edx, [ebp+var_10]
		mov	ecx, [ecx+244h]
		mov	[ebp+var_8], ecx
		cmp	esi, edi
		jnz	short loc_75817A

loc_7581BE:				; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+3Fj
					; PspEnumJobsAndProcessesInJobHierarchy+4Cj ...
		mov	esi, eax
		test	eax, eax
		jnz	short loc_7581EE
		test	bl, 2
		jz	short loc_7581E4
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		push	ebx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PspCallJobHierarchyCallbacks@24 ; PspCallJobHierarchyCallbacks(x,x,x,x,x,x)
		mov	[ebp+arg_C], eax

loc_7581E0:				; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+75j
					; PspEnumJobsAndProcessesInJobHierarchy+E8j
		test	esi, esi
		jnz	short loc_758221

loc_7581E4:				; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+A3j
					; PspEnumJobsAndProcessesInJobHierarchy+FFj
		mov	eax, [ebp+arg_C]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7581EE:				; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+9Ej
		mov	edx, [ebp+var_C]
		jmp	loc_75814F
; 

loc_7581F6:				; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+2Ej
		push	ebx
		push	[ebp+arg_8]
		mov	ecx, esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PspCallJobHierarchyCallbacks@24 ; PspCallJobHierarchyCallbacks(x,x,x,x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		js	short loc_7581E0
		mov	ebx, [ebp+var_4]
		jmp	loc_758158
; 

loc_758216:				; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+16j
		or	ebx, 1
		mov	[ebp+var_4], ebx
		jmp	loc_758148
; 

loc_758221:				; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+BEj
					; PspEnumJobsAndProcessesInJobHierarchy+17AB8Ej
		cmp	esi, edi
		jz	short loc_7581E4
		jmp	loc_8D2CA0
PspEnumJobsAndProcessesInJobHierarchy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspGetNextChildJob(x, x)
_PspGetNextChildJob@8 proc near		; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+38p
					; PspEnumJobsAndProcessesInJobHierarchy+7Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], eax
		mov	edx, eax
		mov	ebx, ecx
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		test	edi, edi
		jnz	short loc_758274
		mov	esi, [ebx+23Ch]

loc_758253:				; CODE XREF: PspGetNextChildJob(x,x)+50j
					; PspGetNextChildJob(x,x)+80j
		lea	eax, [ebx+23Ch]
		cmp	esi, eax
		jnz	short loc_75827C
		xor	esi, esi

loc_75825F:				; CODE XREF: PspGetNextChildJob(x,x)+6Ej
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		test	edi, edi
		jnz	short loc_75829A

loc_75826D:				; CODE XREF: PspGetNextChildJob(x,x)+7Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_758274:				; CODE XREF: PspGetNextChildJob(x,x)+21j
		mov	esi, [edi+234h]
		jmp	short loc_758253
; 

loc_75827C:				; CODE XREF: PspGetNextChildJob(x,x)+31j
		lea	eax, [esi-234h]
		mov	edx, 6E457350h
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	short loc_7582A8
		mov	esi, [ebp+var_4]
		jmp	short loc_75825F
; 

loc_75829A:				; CODE XREF: PspGetNextChildJob(x,x)+41j
		mov	edx, 6E457350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		jmp	short loc_75826D
; 

loc_7582A8:				; CODE XREF: PspGetNextChildJob(x,x)+69j
		mov	esi, [esi]
		jmp	short loc_758253
_PspGetNextChildJob@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspEnforceLimitsJobPostCallback	proc near ; DATA XREF: PspEnforceLimits+8Bo

var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D2CB7 SIZE 000002AE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	ecx, ebx
		mov	[esp+110h+var_F8], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [esp+118h+var_BC]
		mov	[esp+118h+var_F4], ebx
		stosd
		mov	[esp+118h+var_E0], 0
		mov	[esp+118h+var_DC], 0
		mov	[esp+118h+var_E8], 0
		stosd
		mov	[esp+118h+var_E4], 0
		stosd
		mov	eax, large fs:124h
		mov	edx, eax
		mov	[esp+118h+var_104], eax
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		mov	esi, [ebx+210h]
		test	esi, esi
		jnz	loc_758545
		push	40h		; size_t
		lea	eax, [esp+11Ch+var_48]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_75833A:				; CODE XREF: PspEnforceLimitsJobPostCallback+2A6j
		test	byte ptr [ebx+0B0h], 4
		lea	esi, [ebx+260h]
		mov	eax, [ebx+10Ch]
		lea	edi, [esp+118h+var_B0]
		mov	[esp+118h+var_100], eax
		mov	ecx, 1Ah
		mov	eax, [ebx+110h]
		mov	[esp+118h+var_D4], eax
		mov	eax, [ebx+114h]
		mov	[esp+118h+var_D0], eax
		mov	eax, [ebx+58h]
		mov	[esp+118h+var_CC], eax
		mov	eax, [ebx+5Ch]
		mov	[esp+118h+var_FC], eax
		mov	eax, [ebx+70h]
		mov	[esp+118h+var_C8], eax
		mov	eax, [ebx+74h]
		rep movsd
		mov	esi, [ebx+108h]
		mov	[esp+118h+var_C4], eax
		mov	eax, [ebx+0D0h]
		mov	[esp+118h+var_C0], eax
		jnz	loc_8D2CB7
		mov	[esp+118h+var_F0], 0
		mov	[esp+118h+var_EC], 0

loc_7583B2:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AA1Bj
		lea	eax, [esp+118h+var_E8]
		mov	ecx, ebx
		push	eax
		lea	edx, [esp+11Ch+var_E0]
		call	PspGetEffectiveNoWakeCharge
		mov	edi, [esp+118h+var_104]
		mov	ecx, ebx
		mov	edx, edi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		mov	eax, [esp+118h+var_48]
		xor	ecx, ecx
		or	eax, [esp+118h+var_44]
		mov	[esp+118h+var_108], ecx
		jnz	loc_8D2CD0

loc_7583E9:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AA3Bj
					; PspEnforceLimitsJobPostCallback+17AA4Aj ...
		mov	esi, [esp+118h+var_40]
		mov	eax, esi
		or	eax, [esp+118h+var_3C]
		jnz	loc_8D2D0E

loc_7583FF:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AA7Bj
					; PspEnforceLimitsJobPostCallback+17AA85j ...
		mov	esi, [esp+118h+var_38]
		mov	eax, esi
		or	eax, [esp+118h+var_34]
		jnz	loc_8D2D4A

loc_758415:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AAB1j
					; PspEnforceLimitsJobPostCallback+17AABBj ...
		mov	eax, [esp+118h+var_28]
		or	eax, [esp+118h+var_24]
		jnz	loc_75855B
		mov	eax, [esp+118h+var_30]
		or	eax, [esp+118h+var_2C]
		jnz	loc_75855B

loc_75843D:				; CODE XREF: PspEnforceLimitsJobPostCallback+2E9j
		mov	edi, [esp+118h+var_F8]
		lea	eax, [esp+118h+var_44]
		sub	eax, edi
		lea	ecx, [esp+118h+var_38]
		xor	esi, esi
		mov	[esp+118h+var_100], eax
		sub	ecx, edi
		lea	edx, [edi+24h]
		mov	ebx, ecx
		mov	edi, [esp+118h+var_108]

loc_758462:				; CODE XREF: PspEnforceLimitsJobPostCallback+1C4j
		mov	ecx, [eax+edx]
		test	ecx, ecx
		jnz	loc_8D2D7D

loc_75846D:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AAE6j
		inc	esi
		add	edx, 4
		cmp	esi, 3
		jl	short loc_758462
		mov	ebx, [esp+118h+var_F4]
		test	edi, edi
		mov	[esp+118h+var_108], edi
		mov	edi, [esp+118h+var_F8]
		jnz	loc_7585E8

loc_75848A:				; CODE XREF: PspEnforceLimitsJobPostCallback+402j
		mov	ecx, [edi+0Ch]
		test	ecx, ecx
		jnz	loc_8D2DF9

loc_758495:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AB94j
		mov	ecx, [esp+118h+var_F0]
		mov	eax, ecx
		mov	edx, [esp+118h+var_EC]
		or	eax, edx
		jnz	loc_8D2E49

loc_7584A7:				; CODE XREF: PspEnforceLimitsJobPostCallback+17ABABj
					; PspEnforceLimitsJobPostCallback+17ABB5j ...
		mov	eax, [edi+10h]
		add	eax, [esp+118h+var_E8]
		mov	ecx, [edi+14h]
		adc	ecx, [esp+118h+var_E4]
		cmp	byte ptr [edi+30h], 0
		mov	[edi+10h], eax
		mov	[edi+14h], ecx
		jnz	short loc_7584F5
		mov	edx, ds:_PspSystemNoWakeChargeLimit
		test	ecx, ecx
		jb	short loc_7584D9
		ja	loc_8D2F49
		cmp	eax, edx
		jnb	loc_8D2F49

loc_7584D9:				; CODE XREF: PspEnforceLimitsJobPostCallback+219j
		cmp	[esp+118h+var_DC], 0
		mov	eax, ds:_PspJobNoWakeChargeLimit
		jb	short loc_7584F5
		ja	loc_8D2F59
		cmp	[esp+118h+var_E0], eax
		jnb	loc_8D2F59

loc_7584F5:				; CODE XREF: PspEnforceLimitsJobPostCallback+20Fj
					; PspEnforceLimitsJobPostCallback+233j	...
		mov	ecx, [ebx+244h]
		lea	esi, [ebx+260h]
		test	ecx, ecx
		jnz	loc_75859E
		mov	edx, [esp+118h+var_104]
		mov	ecx, ebx
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		push	68h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edx, [esp+124h+var_104]
		add	esp, 0Ch
		mov	ecx, ebx

loc_758527:				; CODE XREF: PspEnforceLimitsJobPostCallback+333j
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		mov	ecx, [esp+118h+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_758545:				; CODE XREF: PspEnforceLimitsJobPostCallback+71j
		add	esi, 8
		lea	edi, [esp+118h+var_48]
		mov	ecx, 10h
		rep movsd
		jmp	loc_75833A
; 

loc_75855B:				; CODE XREF: PspEnforceLimitsJobPostCallback+173j
					; PspEnforceLimitsJobPostCallback+187j
		mov	edx, edi
		mov	ecx, ebx
		call	_PspLockJobMemoryLimitsShared@8	; PspLockJobMemoryLimitsShared(x,x)
		mov	edx, [ebx+31Ch]
		xor	eax, eax
		mov	esi, [ebx+208h]
		add	edx, esi
		mov	ecx, [ebx+20Ch]
		adc	eax, ecx
		push	eax
		push	edx
		push	ecx
		push	esi
		mov	edx, 8200h
		mov	ecx, ebx
		call	_PspGetJobMemoryUsageNotificationViolations@24 ; PspGetJobMemoryUsageNotificationViolations(x,x,x,x,x,x)
		or	[esp+118h+var_108], eax
		mov	edx, edi
		mov	ecx, ebx
		call	_PspUnlockJobMemoryLimitsShared@8 ; PspUnlockJobMemoryLimitsShared(x,x)
		jmp	loc_75843D
; 

loc_75859E:				; CODE XREF: PspEnforceLimitsJobPostCallback+253j
		mov	edi, [esp+118h+var_104]
		mov	edx, edi
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		mov	edx, edi
		mov	ecx, ebx
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		mov	ecx, [ebx+244h]
		mov	edx, esi
		add	ecx, 260h
		call	_PspAddAccountingValues@8 ; PspAddAccountingValues(x,x)
		push	68h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, edi
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		mov	ecx, [ebx+244h]
		mov	edx, edi
		jmp	loc_758527
; 

loc_7585E8:				; CODE XREF: PspEnforceLimitsJobPostCallback+1D4j
		mov	esi, [esp+118h+var_104]
		mov	ecx, ebx
		mov	edx, esi
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		mov	ecx, [ebx+210h]
		test	ecx, ecx
		jz	loc_75868B
		mov	eax, [esp+118h+var_108]
		or	[ecx+4], eax
		mov	ecx, [ebx+210h]
		add	ecx, 48h
		test	eax, 10000h
		jnz	loc_8D2D9B

loc_75861E:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AAFEj
		test	eax, 20000h
		jnz	loc_8D2DB3

loc_758629:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AB17j
		test	al, 4
		jnz	loc_8D2DCC

loc_758631:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AB30j
		test	eax, 200h
		jnz	short loc_7586B7

loc_758638:				; CODE XREF: PspEnforceLimitsJobPostCallback+41Bj
		test	eax, 8000h
		jz	short loc_758653
		mov	eax, [esp+118h+var_30]
		mov	[ecx+18h], eax
		mov	eax, [esp+118h+var_2C]
		mov	[ecx+1Ch], eax

loc_758653:				; CODE XREF: PspEnforceLimitsJobPostCallback+38Dj
		mov	edi, [esp+118h+var_108]
		lea	eax, [esp+118h+var_48]
		xor	edx, edx
		lea	esi, [ecx+34h]
		sub	eax, ecx
		mov	ebx, eax

loc_758667:				; CODE XREF: PspEnforceLimitsJobPostCallback+3CDj
		mov	ecx, edx
		call	_PspRateControlLimitFlag@4 ; PspRateControlLimitFlag(x)
		test	eax, edi
		jnz	loc_8D2DE5

loc_758676:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AB44j
		inc	edx
		add	esi, 4
		cmp	edx, 3
		jl	short loc_758667
		mov	ebx, [esp+118h+var_F4]
		mov	edi, [esp+118h+var_F8]
		mov	esi, [esp+118h+var_104]

loc_75868B:				; CODE XREF: PspEnforceLimitsJobPostCallback+34Dj
		cmp	dword ptr [ebx+0D4h], 0
		jz	short loc_7586A9
		test	dword ptr [ebx+1A8h], 800h
		jz	short loc_7586A9
		test	byte ptr [ebx+310h], 4
		jz	short loc_7586D0

loc_7586A9:				; CODE XREF: PspEnforceLimitsJobPostCallback+3E2j
					; PspEnforceLimitsJobPostCallback+3EEj	...
		mov	edx, esi
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		jmp	loc_75848A
; 

loc_7586B7:				; CODE XREF: PspEnforceLimitsJobPostCallback+386j
		mov	edx, [esp+118h+var_28]
		mov	[ecx+20h], edx
		mov	edx, [esp+118h+var_24]
		mov	[ecx+24h], edx
		jmp	loc_758638
; 

loc_7586D0:				; CODE XREF: PspEnforceLimitsJobPostCallback+3F7j
		mov	edx, 0Bh
		mov	ecx, ebx
		call	PspSendReliableJobNotification
		jmp	short loc_7586A9
PspEnforceLimitsJobPostCallback	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PspUnlockJob(x, x)
_PspUnlockJob@8	proc near		; CODE XREF: .text:0051167Ap
					; .text:005117EAp ...
		mov	edi, edi
		push	esi
		add	ecx, 20h
		mov	esi, edx
		call	ExReleaseResourceLite
		test	esi, esi
		jz	short loc_758704
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_758704
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	short loc_758706

loc_758704:				; CODE XREF: PspUnlockJob(x,x)+Fj
					; PspUnlockJob(x,x)+1Aj
		pop	esi
		retn
; 

loc_758706:				; CODE XREF: PspUnlockJob(x,x)+22j
		pop	esi
		jmp	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
_PspUnlockJob@8	endp


;  S U B	R O U T	I N E 


; __stdcall PspLockJobShared(x,	x)
_PspLockJobShared@8 proc near		; CODE XREF: PspQueryJobHierarchyProcessIdList+1Dp
					; PAGE:0075752Fp ...
		mov	edi, edi
		push	ecx
		test	edx, edx
		jz	short loc_75871B
		dec	word ptr [edx+13Eh]
		nop

loc_75871B:				; CODE XREF: PspLockJobShared(x,x)+5j
		push	1
		lea	eax, [ecx+20h]
		push	eax
		call	ExAcquireResourceSharedLite
		pop	ecx
		retn
_PspLockJobShared@8 endp


;  S U B	R O U T	I N E 


; __stdcall PspLockJobExclusive(x, x)
_PspLockJobExclusive@8 proc near	; CODE XREF: .text:0051165Ep
					; PspCreateSilo(x)+4Bp	...
		test	edx, edx
		jz	short loc_758734
		dec	word ptr [edx+13Eh]
		nop

loc_758734:				; CODE XREF: PspLockJobExclusive(x,x)+2j
		push	1
		lea	eax, [ecx+20h]
		push	eax
		call	ExAcquireResourceExclusiveLite
		retn
_PspLockJobExclusive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCallJobHierarchyCallbacks(x, x, x, x, x,	x)
_PspCallJobHierarchyCallbacks@24 proc near
					; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+6Bp
					; PspEnumJobsAndProcessesInJobHierarchy+B4p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		mov	ecx, large fs:124h
		xor	esi, esi
		mov	[ebp+var_4], edi
		mov	[ebp+var_C], ecx
		test	ebx, ebx
		jz	loc_7587ED

loc_758766:				; CODE XREF: PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+B0j
		mov	eax, [ebp+arg_C]
		and	eax, 1
		mov	[ebp+var_8], eax
		jnz	short loc_758784
		test	byte ptr [ebp+arg_C], 4
		mov	edx, ecx
		mov	ecx, edi
		jz	loc_758806
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)

loc_758784:				; CODE XREF: PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+2Fj
					; PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+CBj
		test	ebx, ebx
		jz	short loc_758794
		push	[ebp+arg_8]
		push	edi
		call	ebx
		mov	esi, eax
		test	esi, esi
		js	short loc_7587C1

loc_758794:				; CODE XREF: PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+46j
		cmp	[ebp+arg_4], 0
		jz	short loc_7587C1
		lea	eax, [edi+18h]
		mov	ebx, [eax]
		cmp	ebx, eax
		jz	short loc_7587C1
		mov	edi, eax

loc_7587A5:				; CODE XREF: PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+7Cj
		push	[ebp+arg_8]
		lea	eax, [ebx-1C4h]
		push	eax
		call	[ebp+arg_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_7587BE
		mov	ebx, [ebx]
		cmp	ebx, edi
		jnz	short loc_7587A5

loc_7587BE:				; CODE XREF: PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+76j
		mov	edi, [ebp+var_4]

loc_7587C1:				; CODE XREF: PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+52j
					; PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+58j ...
		cmp	[ebp+var_8], 0
		jnz	short loc_7587D1
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)

loc_7587D1:				; CODE XREF: PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+85j
		test	esi, esi
		js	short loc_7587F8

loc_7587D5:				; CODE XREF: PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+B6j
		cmp	[ebp+arg_0], 0
		jz	short loc_7587E4
		push	[ebp+arg_8]
		push	edi
		call	[ebp+arg_0]
		mov	esi, eax

loc_7587E4:				; CODE XREF: PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+99j
					; PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+C4j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7587ED:				; CODE XREF: PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+20j
		cmp	[ebp+arg_4], esi
		jnz	loc_758766
		jmp	short loc_7587D5
; 

loc_7587F8:				; CODE XREF: PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+93j
		lea	eax, [esi+3FFFFEE0h]
		neg	eax
		sbb	eax, eax
		and	esi, eax
		jmp	short loc_7587E4
; 

loc_758806:				; CODE XREF: PspCallJobHierarchyCallbacks(x,x,x,x,x,x)+39j
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		jmp	loc_758784
_PspCallJobHierarchyCallbacks@24 endp


;  S U B	R O U T	I N E 


; __stdcall PspRateControlLimitFlag(x)
_PspRateControlLimitFlag@4 proc	near	; CODE XREF: PAGE:0075784Cp
					; PspEnforceLimitsJobPostCallback+3B9p	...
		sub	ecx, 0
		jz	short loc_758826
		sub	ecx, 1
		jz	short loc_758820
		mov	eax, 40000h
		retn
; 

loc_758820:				; CODE XREF: PspRateControlLimitFlag(x)+8j
		mov	eax, 80000h
		retn
; 

loc_758826:				; CODE XREF: PspRateControlLimitFlag(x)+3j
		mov	eax, 100000h
		retn
_PspRateControlLimitFlag@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspEnforceLimitsJobPreCallback(x, x)
_PspEnforceLimitsJobPreCallback@8 proc near ; DATA XREF: PspEnforceLimits+7Co

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, ds:_PspEnforcementSequenceNumber
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		test	byte ptr [esi+18Ch], 6
		mov	[esi+2D0h], eax
		jnz	short loc_75886D
		cmp	[esi+1A0h], edi
		jnz	short loc_75886D
		lea	ebx, [esi+310h]
		test	dword ptr [ebx], 800h
		jz	loc_7588F5

loc_75886D:				; CODE XREF: PspEnforceLimitsJobPreCallback(x,x)+25j
					; PspEnforceLimitsJobPreCallback(x,x)+2Dj
		mov	ecx, [ebp+arg_4]
		mov	eax, [esi+168h]
		push	24h
		mov	[esp+1Ch+var_C], edi
		mov	[ecx], eax
		lea	edx, [ecx+18h]
		mov	eax, [esi+16Ch]
		mov	[ecx+4], eax
		mov	eax, [esi+180h]
		mov	[ecx+8], eax
		pop	eax
		sub	eax, ecx
		mov	[ecx+0Ch], edi
		mov	[esp+18h+var_8], edx
		mov	[esp+18h+var_4], eax

loc_7588A1:				; CODE XREF: PspEnforceLimitsJobPreCallback(x,x)+B1j
		mov	ebx, [esi+210h]
		test	ebx, ebx
		jnz	short loc_7588EA

loc_7588AB:				; CODE XREF: PspEnforceLimitsJobPreCallback(x,x)+C5j
		xor	ebx, ebx
		inc	ebx

loc_7588AE:				; CODE XREF: PspEnforceLimitsJobPreCallback(x,x)+C7j
		push	[esp+18h+var_C]
		lea	eax, [edx+0Ch]
		mov	ecx, esi
		push	eax
		push	edi
		mov	edx, ebx
		call	PspQueryRateControlHistory
		mov	edx, [esp+18h+var_8]
		mov	eax, [esp+18h+var_C]
		inc	eax
		mov	[esp+18h+var_C], eax
		mov	[edx], ebx
		add	edx, 4
		cmp	eax, 3
		mov	[esp+18h+var_8], edx
		mov	eax, [esp+18h+var_4]
		jl	short loc_7588A1

loc_7588DF:				; CODE XREF: PspEnforceLimitsJobPreCallback(x,x)+E8j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7588EA:				; CODE XREF: PspEnforceLimitsJobPreCallback(x,x)+7Dj
		add	eax, edx
		mov	ebx, [eax+ebx]
		test	ebx, ebx
		jz	short loc_7588AB
		jmp	short loc_7588AE
; 

loc_7588F5:				; CODE XREF: PspEnforceLimitsJobPreCallback(x,x)+3Bj
		push	68h		; size_t
		lea	eax, [esi+260h]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, 0FFBFFFFFh
		lock and [ebx],	eax
		mov	edi, 0C0000120h
		jmp	short loc_7588DF
_PspEnforceLimitsJobPreCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspQueryRateControlHistory proc	near	; CODE XREF: PAGE:00757875p
					; PspEnforceLimitsJobPreCallback(x,x)+8Fp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D2F65 SIZE 00000074 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_28], 0
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_40], ebx
		mov	edx, ecx
		lea	edi, [ebp+var_24]
		push	6
		pop	ecx
		rep stosd
		mov	ecx, [ebp+arg_8]
		xor	edi, edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], edi
		mov	[ebx], edi
		cmp	ecx, 1
		jz	short loc_7589AF
		mov	eax, ecx
		mov	ebx, 21Ch
		sub	eax, edi
		jnz	short loc_758971
		mov	ebx, 30Ch

loc_758971:				; CODE XREF: PspQueryRateControlHistory+54j
		mov	ebx, [edx+ebx]

loc_758974:				; CODE XREF: PspQueryRateControlHistory+9Fj
		test	ebx, ebx
		jnz	short loc_758989

loc_758978:				; CODE XREF: PspQueryRateControlHistory+95j
					; PspQueryRateControlHistory+181j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_758989:				; CODE XREF: PspQueryRateControlHistory+60j
		sub	ecx, edi
		jz	loc_8D2F65
		lea	eax, [ebp+var_2C]
		lea	edx, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		sub	ecx, 1
		jnz	short loc_7589B7
		mov	ecx, [ebp+var_30]
		call	PspJobIoRateQueryHistory
		test	eax, eax
		js	short loc_758978
		jmp	short loc_7589BF
; 

loc_7589AF:				; CODE XREF: PspQueryRateControlHistory+49j
		lea	ebx, [edx+32Ch]
		jmp	short loc_758974
; 

loc_7589B7:				; CODE XREF: PspQueryRateControlHistory+89j
		lea	ecx, [ebx+40h]
		call	KeQuerySchedulingGroupHistory

loc_7589BF:				; CODE XREF: PspQueryRateControlHistory+97j
		mov	ecx, [ebp+var_28]
		mov	edx, [ebp+var_3C]
		mov	edi, [ebp+var_2C]
		mov	eax, [ebp+var_38]
		mov	[ebp+var_28], edx

loc_7589CE:				; CODE XREF: PspQueryRateControlHistory+17A67Bj
		dec	esi
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], edi
		sub	esi, 1
		jz	loc_8D2FA0
		sub	esi, 1
		jz	loc_8D2F96
		mov	eax, 2710h

loc_7589EC:				; CODE XREF: PspQueryRateControlHistory+17A685j
					; PspQueryRateControlHistory+17A68Fj
		dec	eax
		xor	edx, edx
		add	eax, ecx
		div	ecx
		mov	[ebp+var_38], eax
		lea	esi, [eax+7]
		shr	esi, 3
		cmp	esi, 8
		jnb	short loc_758A04
		push	8
		pop	esi

loc_758A04:				; CODE XREF: PspQueryRateControlHistory+E9j
		mov	eax, [ebx+0Ch]
		mov	ecx, eax
		test	eax, eax
		jz	short loc_758A16
		cmp	[ebx+10h], esi
		jb	loc_8D2FAA

loc_758A16:				; CODE XREF: PspQueryRateControlHistory+F5j
					; PspQueryRateControlHistory+17A6A9j
		test	ecx, ecx
		jz	loc_758ADC
		mov	eax, esi
		shl	eax, 3
		cmp	edi, eax
		jnb	loc_758B16
		test	edi, edi
		jnz	short loc_758AA2

loc_758A2F:				; CODE XREF: PspQueryRateControlHistory+1A0j
					; PspQueryRateControlHistory+1FBj ...
		push	40h
		pop	ecx
		cmp	edi, ecx
		ja	short loc_758A39
		mov	ecx, [ebp+var_2C]

loc_758A39:				; CODE XREF: PspQueryRateControlHistory+11Ej
		mov	edi, [ebx+0Ch]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		call	__allshl
		add	eax, 0FFFFFFFFh
		mov	esi, eax
		adc	edx, 0FFFFFFFFh
		not	esi
		and	esi, [edi]
		mov	ecx, edx
		and	eax, [ebp+var_28]
		not	ecx
		and	ecx, [edi+4]
		or	esi, eax
		and	edx, [ebp+var_30]
		or	ecx, edx
		mov	[edi], esi
		mov	esi, [ebp+var_38]
		mov	[edi+4], ecx
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_48]
		push	eax
		mov	[ebp+var_48], esi
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		imul	eax, 64h
		xor	edx, edx
		div	esi
		cmp	eax, 3Ch
		jnb	short loc_758AD1
		cmp	eax, 28h
		jnb	short loc_758AC6
		cmp	eax, 14h
		jnb	short loc_758ABB

loc_758A93:				; CODE XREF: PspQueryRateControlHistory+1AEj
					; PspQueryRateControlHistory+1B9j ...
		cmp	[ebp+arg_0], 0
		jz	loc_758978
		jmp	loc_8D2FC4
; 

loc_758AA2:				; CODE XREF: PspQueryRateControlHistory+117j
		push	edi
		lea	esi, [ebx+4]
		push	esi
		push	esi
		call	RtlCopyBitMap
		push	edi
		push	0
		push	esi
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		jmp	loc_758A2F
; 

loc_758ABB:				; CODE XREF: PspQueryRateControlHistory+17Bj
		mov	eax, [ebp+var_40]
		mov	dword ptr [eax], 1
		jmp	short loc_758A93
; 

loc_758AC6:				; CODE XREF: PspQueryRateControlHistory+176j
		mov	eax, [ebp+var_40]
		mov	dword ptr [eax], 2
		jmp	short loc_758A93
; 

loc_758AD1:				; CODE XREF: PspQueryRateControlHistory+171j
		mov	eax, [ebp+var_40]
		mov	dword ptr [eax], 3
		jmp	short loc_758A93
; 

loc_758ADC:				; CODE XREF: PspQueryRateControlHistory+102j
		push	624A7350h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+0Ch], eax
		test	eax, eax
		jz	loc_758978
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebx+0Ch]
		mov	eax, esi
		add	esp, 0Ch
		mov	[ebx+8], ecx
		shl	eax, 3
		mov	[ebx+4], eax
		mov	[ebx+10h], esi
		jmp	loc_758A2F
; 

loc_758B16:				; CODE XREF: PspQueryRateControlHistory+10Fj
		push	esi		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_758A2F
PspQueryRateControlHistory endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspGetEffectiveNoWakeCharge proc near	; CODE XREF: PspEnforceLimitsJobPostCallback+10Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D2FD9 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		lea	ebx, [ecx+310h]
		mov	edx, [ebx]
		xor	eax, eax
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[esi], eax
		mov	[esi+4], eax
		mov	[ebp+arg_0], 400000h
		mov	[edi], eax
		mov	[edi+4], eax
		mov	eax, edx
		test	edx, 800h
		jz	short loc_758B65
		cmp	dword ptr [ecx+194h], 0
		jnz	short loc_758B73

loc_758B65:				; CODE XREF: PspGetEffectiveNoWakeCharge+32j
					; PspGetEffectiveNoWakeCharge+6Fj ...
		mov	edx, [ebp+arg_0]

loc_758B68:				; CODE XREF: PspGetEffectiveNoWakeCharge+A2j
					; PspGetEffectiveNoWakeCharge+AFj
		test	eax, edx
		jnz	short loc_758BD9

loc_758B6C:				; CODE XREF: PspGetEffectiveNoWakeCharge+C7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_758B73:				; CODE XREF: PspGetEffectiveNoWakeCharge+3Bj
		mov	eax, [ecx+1F0h]
		mov	ebx, [ecx+1F4h]
		mov	[ebp+var_8], eax
		mov	[esi], eax
		mov	eax, ebx
		mov	[ebp+var_4], ebx
		lea	ebx, [ecx+310h]
		mov	[esi+4], eax
		mov	eax, edx
		test	[ebp+arg_0], edx
		jnz	short loc_758B65
		mov	esi, [ecx+244h]
		test	esi, esi
		jz	short loc_758BB8
		test	dword ptr [esi+310h], 1000h
		jz	short loc_758BB8
		cmp	dword ptr [esi+194h], 0
		jnz	short loc_758B65

loc_758BB8:				; CODE XREF: PspGetEffectiveNoWakeCharge+79j
					; PspGetEffectiveNoWakeCharge+85j
		mov	eax, [ebp+var_8]
		mov	[edi], eax
		mov	eax, [ebp+var_4]
		mov	[edi+4], eax
		mov	eax, edx
		mov	edx, [ebp+arg_0]
		test	esi, esi
		jz	short loc_758B68
		lea	eax, [esi+310h]
		lock or	[eax], edx
		mov	eax, [ebx]
		jmp	short loc_758B68
; 

loc_758BD9:				; CODE XREF: PspGetEffectiveNoWakeCharge+42j
		mov	eax, [ecx+244h]
		test	eax, eax
		jnz	loc_8D2FD9

loc_758BE7:				; CODE XREF: PspGetEffectiveNoWakeCharge+17A4BCj
		mov	eax, 0FFBFFFFFh
		lock and [ebx],	eax
		jmp	loc_758B6C
PspGetEffectiveNoWakeCharge endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspLockRootJobShared proc near		; CODE XREF: PspQueryJobHierarchyAccountingInformation+51p
					; PspChargeJobWakeCounter+48p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D2FE9 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	short loc_758C0A
		dec	word ptr [edx+13Eh]
		nop

loc_758C0A:				; CODE XREF: PspLockRootJobShared+Cj
					; PspLockRootJobShared+17A3FDj
		mov	eax, [esi+248h]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+var_4]
		push	1
		add	eax, 20h
		push	eax
		call	ExAcquireResourceSharedLite
		mov	eax, [esi+248h]
		cmp	[ebp+var_4], eax
		mov	ecx, [ebp+var_4]
		jnz	loc_8D2FE9
		mov	eax, [ebp+arg_0]
		pop	esi
		mov	[eax], ecx
		leave
		retn	4
PspLockRootJobShared endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspEnforceLimitsProcessCallback	proc near ; DATA XREF: PspEnforceLimits+86o

var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D2FF6 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 68h
		lea	eax, [esp+68h+var_68]
		push	esi
		push	edi
		push	68h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	esi, [ebp+arg_0]
		add	esp, 0Ch
		test	byte ptr [esi+0F8h], 2
		jz	short loc_758C71

loc_758C67:				; CODE XREF: PspEnforceLimitsProcessCallback+5Aj
					; PspEnforceLimitsProcessCallback+65j ...
		pop	edi
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_758C71:				; CODE XREF: PspEnforceLimitsProcessCallback+27j
		lea	edx, [esp+70h+var_68]
		mov	ecx, esi
		call	PsQueryStatisticsProcess
		mov	ecx, [esi+158h]
		lea	edx, [esp+70h+var_68]
		add	ecx, 260h
		call	_PspAddAccountingValues@8 ; PspAddAccountingValues(x,x)
		mov	edi, [ebp+arg_4]
		cmp	dword ptr [edi+0Ch], 0
		jnz	short loc_758C67
		mov	ecx, [edi]
		mov	eax, ecx
		mov	edx, [edi+4]
		or	eax, edx
		jz	short loc_758C67
		jmp	loc_8D2FF6
PspEnforceLimitsProcessCallback	endp


;  S U B	R O U T	I N E 


; __stdcall PspUnlockJobMemoryLimitsShared(x, x)
_PspUnlockJobMemoryLimitsShared@8 proc near ; CODE XREF: PspApplyJobLimitsToProcess+73p
					; PAGE:00757517p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	11h
		mov	ebx, edx
		lea	edi, [ecx+230h]
		xor	esi, esi
		pop	eax
		lock cmpxchg [edi], esi
		cmp	eax, 11h
		jnz	short loc_758CDC

loc_758CC5:				; CODE XREF: PspUnlockJobMemoryLimitsShared(x,x)+39j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		test	ebx, ebx
		jz	short loc_758CDA
		mov	ecx, ebx
		pop	ebx
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
; 

loc_758CDA:				; CODE XREF: PspUnlockJobMemoryLimitsShared(x,x)+26j
		pop	ebx
		retn
; 

loc_758CDC:				; CODE XREF: PspUnlockJobMemoryLimitsShared(x,x)+19j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_758CC5
_PspUnlockJobMemoryLimitsShared@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspGetJobMemoryUsageNotificationViolations(x, x, x,	x, x, x)
_PspGetJobMemoryUsageNotificationViolations@24 proc near
					; CODE XREF: PspEnforceLimitsJobPostCallback+2D7p
					; sub_759647-225p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ecx+210h]
		mov	ebx, edx
		push	edi
		mov	[ebp+var_4], ebx
		test	dword ptr [esi], 200000h
		jz	short loc_758D62
		mov	edi, [ebp+arg_8]
		mov	edx, [ebp+arg_C]

loc_758D08:				; CODE XREF: PspGetJobMemoryUsageNotificationViolations(x,x,x,x,x,x)+82j
		mov	eax, [esi+28h]
		xor	ecx, ecx
		mov	[ebp+arg_4], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+arg_C], eax
		mov	eax, [ebp+arg_4]
		or	eax, [ebp+arg_C]
		jz	short loc_758D33
		mov	eax, 200h
		test	ebx, eax
		jz	short loc_758D33
		cmp	edx, [ebp+arg_C]
		jb	short loc_758D33
		ja	short loc_758D5E
		cmp	edi, [ebp+arg_4]
		ja	short loc_758D5E

loc_758D33:				; CODE XREF: PspGetJobMemoryUsageNotificationViolations(x,x,x,x,x,x)+36j
					; PspGetJobMemoryUsageNotificationViolations(x,x,x,x,x,x)+3Fj ...
		mov	ebx, [esi+20h]
		mov	eax, ebx
		mov	esi, [esi+24h]
		or	eax, esi
		jz	short loc_758D55
		mov	eax, 8000h
		test	[ebp+var_4], eax
		jz	short loc_758D55
		cmp	edx, esi
		ja	short loc_758D55
		jb	short loc_758D53
		cmp	edi, ebx
		jnb	short loc_758D55

loc_758D53:				; CODE XREF: PspGetJobMemoryUsageNotificationViolations(x,x,x,x,x,x)+67j
		or	ecx, eax

loc_758D55:				; CODE XREF: PspGetJobMemoryUsageNotificationViolations(x,x,x,x,x,x)+57j
					; PspGetJobMemoryUsageNotificationViolations(x,x,x,x,x,x)+61j ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	10h
; 

loc_758D5E:				; CODE XREF: PspGetJobMemoryUsageNotificationViolations(x,x,x,x,x,x)+46j
					; PspGetJobMemoryUsageNotificationViolations(x,x,x,x,x,x)+4Bj
		mov	ecx, eax
		jmp	short loc_758D33
; 

loc_758D62:				; CODE XREF: PspGetJobMemoryUsageNotificationViolations(x,x,x,x,x,x)+1Aj
		mov	edi, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		jmp	short loc_758D08
_PspGetJobMemoryUsageNotificationViolations@24 endp


;  S U B	R O U T	I N E 


; __stdcall PspLockJobMemoryLimitsShared(x, x)
_PspLockJobMemoryLimitsShared@8	proc near ; CODE XREF: PspApplyJobLimitsToProcess+55p
					; PAGE:007574B3p ...
		test	edx, edx
		jz	short loc_758D76
		dec	word ptr [edx+13Eh]
		nop

loc_758D76:				; CODE XREF: PspLockJobMemoryLimitsShared(x,x)+2j
		add	ecx, 230h
		xor	edx, edx
		jmp	ExAcquirePushLockSharedEx
_PspLockJobMemoryLimitsShared@8	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PspAddAccountingValues(x, x)
_PspAddAccountingValues@8 proc near	; CODE XREF: PspEnforceLimitsJobPostCallback+310p
					; PspEnforceLimitsProcessCallback+4Ep ...
		mov	eax, [edx]
		add	[ecx], eax
		mov	eax, [edx+4]
		adc	[ecx+4], eax
		mov	eax, [edx+8]
		add	[ecx+8], eax
		mov	eax, [edx+0Ch]
		adc	[ecx+0Ch], eax
		mov	eax, [edx+18h]
		add	[ecx+18h], eax
		mov	eax, [edx+1Ch]
		adc	[ecx+1Ch], eax
		mov	eax, [edx+10h]
		add	[ecx+10h], eax
		mov	eax, [edx+14h]
		adc	[ecx+14h], eax
		mov	eax, [edx+58h]
		add	[ecx+58h], eax
		mov	eax, [edx+5Ch]
		adc	[ecx+5Ch], eax
		mov	eax, [edx+60h]
		add	[ecx+60h], eax
		mov	eax, [edx+64h]
		adc	[ecx+64h], eax
		mov	eax, [edx+20h]
		add	[ecx+20h], eax
		mov	eax, [edx+24h]
		adc	[ecx+24h], eax
		mov	eax, [edx+28h]
		add	[ecx+28h], eax
		mov	eax, [edx+2Ch]
		adc	[ecx+2Ch], eax
		mov	eax, [edx+30h]
		add	[ecx+30h], eax
		mov	eax, [edx+34h]
		adc	[ecx+34h], eax
		mov	eax, [edx+38h]
		add	[ecx+38h], eax
		mov	eax, [edx+3Ch]
		adc	[ecx+3Ch], eax
		mov	eax, [edx+40h]
		add	[ecx+40h], eax
		mov	eax, [edx+44h]
		adc	[ecx+44h], eax
		mov	eax, [edx+48h]
		add	[ecx+48h], eax
		mov	eax, [edx+4Ch]
		adc	[ecx+4Ch], eax
		mov	eax, [edx+50h]
		add	[ecx+50h], eax
		mov	eax, [edx+54h]
		adc	[ecx+54h], eax
		retn
_PspAddAccountingValues@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PspLimitViolationRateControlToleranceLimitField(x, x)
_PspLimitViolationRateControlToleranceLimitField@8 proc	near ; CODE XREF: PAGE:00757819p
					; PAGE:00757C61p
		sub	edx, 0
		jz	short loc_758E34
		sub	edx, 1
		jz	short loc_758E30
		push	4Ch

loc_758E2C:				; CODE XREF: PspLimitViolationRateControlToleranceLimitField(x,x)+12j
					; PspLimitViolationRateControlToleranceLimitField(x,x)+16j
		pop	eax
		add	eax, ecx
		retn
; 

loc_758E30:				; CODE XREF: PspLimitViolationRateControlToleranceLimitField(x,x)+8j
		push	5Ch
		jmp	short loc_758E2C
; 

loc_758E34:				; CODE XREF: PspLimitViolationRateControlToleranceLimitField(x,x)+3j
		push	64h
		jmp	short loc_758E2C
_PspLimitViolationRateControlToleranceLimitField@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSetInformationJobObject proc near	; DATA XREF: .text:00580CCCo

var_77C		= dword	ptr -77Ch
var_3BC		= dword	ptr -3BCh
var_374		= dword	ptr -374h
var_2EC		= dword	ptr -2ECh
var_2BC		= dword	ptr -2BCh
var_280		= dword	ptr -280h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1E8		= dword	ptr -1E8h
var_1DC		= dword	ptr -1DCh
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_194		= dword	ptr -194h
var_180		= dword	ptr -180h
var_17C		= byte ptr -17Ch
var_17B		= byte ptr -17Bh
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_13C		= dword	ptr -13Ch
var_10C		= dword	ptr -10Ch
var_94		= dword	ptr -94h
var_84		= dword	ptr -84h
var_78		= dword	ptr -78h
var_30		= dword	ptr -30h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00759352 SIZE 00000017 BYTES
; FUNCTION CHUNK AT 0075A001 SIZE 00000019 BYTES
; FUNCTION CHUNK AT 008D3028 SIZE 00000012 BYTES
; FUNCTION CHUNK AT 008D3044 SIZE 00000008 BYTES
; FUNCTION CHUNK AT 008D432E SIZE 0000000A BYTES

		push	76Ch
		push	offset dword_6A0518
		call	__SEH_prolog4_GS
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_194], ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_1B0], eax
		mov	[ebp+var_1C0], ecx
		mov	esi, [ebp+arg_C]
		mov	[ebp+var_180], esi
		xor	eax, eax
		lea	edi, [ebp+var_84]
		stosd
		stosd
		stosd
		xor	ebx, ebx
		mov	[ebp+var_270], ebx
		mov	[ebp+var_26C], ebx
		mov	[ebp+var_200], ebx
		mov	[ebp+var_1FC], ebx
		mov	[ebp+var_1F8], ebx
		mov	[ebp+var_1F4], ebx
		mov	[ebp+var_17B], bl
		mov	[ebp+var_218], ebx
		mov	[ebp+var_214], ebx
		push	78h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_10C]
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_94]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_280]
		stosd
		stosd
		stosd
		push	48h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_3BC]
		push	eax		; void *
		call	_memset
		mov	[ebp+var_1A0], ebx
		push	88h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_374]
		push	eax		; void *
		call	_memset
		mov	[ebp+var_178], ebx
		mov	[ebp+var_1A4], ebx
		push	3C0h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_77C]
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_2BC]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_1DC]
		stosd
		stosd
		stosd
		stosd
		stosd
		push	48h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_78]
		push	eax		; void *
		call	_memset
		push	30h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_13C]
		push	eax		; void *
		call	_memset
		add	esp, 48h
		push	38h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_174]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_1B8], ebx
		mov	[ebp+var_1B4], ebx
		mov	[ebp+var_17C], bl
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_1BC], ebx
		xor	eax, eax
		lea	edi, [ebp+var_1E8]
		stosd
		stosd
		stosd
		mov	[ebp+var_1C4], ebx
		xor	eax, eax
		lea	edi, [ebp+var_2EC]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_208], ebx
		mov	[ebp+var_204], ebx
		mov	[ebp+var_220], ebx
		mov	[ebp+var_21C], ebx
		mov	ecx, [ebp+arg_4]
		lea	eax, [ecx-1]
		cmp	eax, 2Eh
		ja	loc_8D432E
		push	9
		pop	eax
		cmp	ecx, eax
		jz	loc_759CA2
		cmp	ecx, 0Ch
		jz	loc_759352
		cmp	ecx, 1Fh
		jz	loc_75A001
		mov	eax, ds:dword_A40604[ecx*4]
		cmp	esi, eax
		jnz	loc_8D3028
NtSetInformationJobObject endp

; START	OF FUNCTION CHUNK FOR sub_759647

loc_758FF2:				; CODE XREF: NtSetInformationJobObject+51Dj
					; NtSetInformationJobObject+526j ...
		mov	edi, large fs:124h
		mov	[ebp-198h], edi
		mov	al, [edi+15Ah]
		mov	[ebp-179h], al
		mov	[ebp-19Ch], al
		test	al, al
		jz	loc_8D3079
		mov	eax, ecx
		mov	eax, ds:dword_A406C4[eax*4]
		mov	[ebp-4], ebx
		mov	edi, [ebp-1C0h]
		mov	[ebp-18Ch], edi
		test	esi, esi
		jz	short loc_759057
		dec	eax
		test	eax, edi
		jnz	loc_75A2B8
		lea	eax, [esi+edi]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	loc_8D304C
		cmp	eax, edi
		jb	loc_8D304C

loc_759057:				; CODE XREF: sub_759647-614j
					; sub_759647+179A07j
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_75905E:				; CODE XREF: sub_759647+179A3Ej
		mov	edx, [ebp-1B0h]
		test	edx, edx
		jz	loc_8D308A
		push	ebx
		lea	eax, [ebp-178h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-19Ch]
		push	ds:_PsJobType
		xor	eax, eax
		cmp	ecx, 5
		setz	al
		dec	eax
		and	eax, 0FFFFFFF2h
		add	eax, 10h
		push	eax
		push	edx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_759165
		mov	esi, ebx
		mov	[ebp-1A8h], esi
		mov	[ebp-188h], esi
		mov	[ebp-17Ah], bl
		mov	eax, [ebp-198h]
		dec	word ptr [eax+13Eh]
		nop
		mov	eax, [ebp+0Ch]
		add	eax, 0FFFFFFFEh
		cmp	eax, 2Dh
		ja	sub_8D42F5
		movzx	eax, ds:byte_75A334[eax]
		jmp	ds:off_75A2C0[eax*4]

loc_7590E2:				; DATA XREF: PAGE:0075A2E0o
		mov	dword ptr [ebp-4], 0Ch
		mov	eax, [edi]
		mov	[ebp-1ACh], eax
		mov	[ebp-2C4h], eax
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		mov	ebx, [ebp-178h]
		test	eax, 0FFFFC001h
		jnz	loc_8D3F56
		lea	esi, [ebx+20h]
		push	1
		push	esi
		call	ExAcquireResourceExclusiveLite
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	_PspLockJobMemoryLimitsExclusive@12 ; PspLockJobMemoryLimitsExclusive(x,x,x)
		mov	eax, [ebp-1ACh]
		mov	[ebx+1A8h], eax
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	_PspUnlockJobMemoryLimitsExclusive@12 ;	PspUnlockJobMemoryLimitsExclusive(x,x,x)

loc_75913B:				; CODE XREF: sub_759647-1E0j
		mov	ecx, esi

loc_75913D:				; CODE XREF: sub_75A26C+47j
		call	ExReleaseResourceLite

loc_759142:				; CODE XREF: sub_759647-213j
					; sub_759647-1FCj ...
		xor	esi, esi
; END OF FUNCTION CHUNK	FOR sub_759647
; START	OF FUNCTION CHUNK FOR sub_75A01A

loc_759144:				; CODE XREF: sub_759647-18Fj
					; sub_759647-171j ...
		mov	ecx, [ebp-198h]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	esi, esi
		jnz	loc_8D4305

loc_759157:				; CODE XREF: sub_75A01A+17A2F5j
					; sub_75A01A+17A30Fj
		mov	edx, 79517350h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		mov	eax, esi

loc_759165:				; CODE XREF: sub_759647-5AAj
					; sub_759647+1799F8j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; END OF FUNCTION CHUNK	FOR sub_75A01A
; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_759177:				; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A2D8o
		mov	dword ptr [ebp-4], 7
		mov	eax, [ebp-180h]
		cmp	eax, 38h
		jnz	loc_8D3A88
		push	0Eh
		pop	ecx
		mov	esi, [ebp-194h]
		lea	edi, [ebp-174h]
		rep movsd
		lea	edx, [ebp-78h]
		lea	ecx, [ebp-174h]
		call	_PspConvertJobNotificationLimitFromV2@8	; PspConvertJobNotificationLimitFromV2(x,x)
		mov	eax, 278204h

loc_7591B1:				; CODE XREF: sub_759647+17A459j
					; sub_759647+17A482j
		mov	[ebp-210h], eax
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		not	eax
		mov	ecx, [ebp-50h]
		test	eax, ecx
		jnz	loc_8D3ADA
		test	ecx, 8000h
		jz	loc_7596FD
		mov	eax, [ebp-44h]
		cmp	eax, ebx
		ja	short loc_7591F0
		jb	loc_8D3ADA
		cmp	dword ptr [ebp-48h], 1000h
		jb	loc_8D3ADA

loc_7591F0:				; CODE XREF: sub_759647-46Cj
					; sub_759647+BEj
		test	ecx, 200h
		jz	loc_75A0BB
		cmp	[ebp-5Ch], ebx
		ja	short loc_75920E
		cmp	dword ptr [ebp-60h], 1000h
		jb	loc_8D3ADA

loc_75920E:				; CODE XREF: sub_759647-448j
		cmp	[ebp-5Ch], eax
		ja	short loc_759225
		jb	loc_8D3ADA
		mov	eax, [ebp-60h]
		cmp	eax, [ebp-48h]
		jb	loc_8D3ADA

loc_759225:				; CODE XREF: sub_759647-436j
					; sub_759647+A7Aj
		test	cl, 4
		jnz	loc_8D3ACE
		mov	[ebp-68h], ebx
		mov	[ebp-64h], ebx

loc_759234:				; CODE XREF: sub_759647+17A48Dj
		test	ecx, 10000h
		jnz	loc_8D3AE4
		mov	[ebp-78h], ebx
		mov	[ebp-74h], ebx

loc_759246:				; CODE XREF: sub_759647+17A4A3j
		test	ecx, 20000h
		jnz	loc_8D3AF2
		mov	[ebp-70h], ebx
		mov	[ebp-6Ch], ebx

loc_759258:				; CODE XREF: sub_759647+17A4B1j
		mov	edi, ebx
		mov	esi, [ebp-50h]

loc_75925D:				; CODE XREF: sub_759647-3AFj
		cmp	edi, 3
		jge	short loc_75929A
		mov	edx, edi
		lea	ecx, [ebp-78h]
		call	_PspNotificationLimitRateControlToleranceField@8 ; PspNotificationLimitRateControlToleranceField(x,x)
		mov	[ebp-184h], eax
		mov	edx, edi
		call	_PspNotificationLimitRateControlToleranceIntervalField@8 ; PspNotificationLimitRateControlToleranceIntervalField(x,x)
		mov	edx, eax
		mov	ecx, edi
		call	_PspRateControlLimitFlag@4 ; PspRateControlLimitFlag(x)
		test	eax, esi
		mov	eax, [ebp-184h]
		jnz	loc_8D3B00
		mov	[eax], ebx
		mov	[edx], ebx
		mov	esi, [ebp-50h]

loc_759297:				; CODE XREF: sub_759647+17A4CFj
		inc	edi
		jmp	short loc_75925D
; 

loc_75929A:				; CODE XREF: sub_759647-3E7j
		mov	ebx, [ebp-178h]
		lea	edi, [ebx+210h]
		cmp	dword ptr [edi], 0
		jz	loc_759F00
		xor	esi, esi
		and	[ebp-1A0h], esi

loc_7592B7:				; CODE XREF: sub_759647+90Ej
		xor	eax, eax
		inc	eax
		lea	ecx, [ebx+20h]
		push	eax
		push	ecx
		call	ExAcquireResourceExclusiveLite
		cmp	dword ptr [edi], 0
		jz	loc_759F5A
		test	esi, esi
		jnz	loc_8D3B1B

loc_7592D5:				; CODE XREF: sub_759647+921j
					; sub_759647+17A4F1j
		mov	esi, [edi]
		mov	eax, [esi]
		mov	[ebp-1ACh], eax
		mov	eax, [ebp-78h]
		mov	[esi+8], eax
		mov	eax, [ebp-74h]
		mov	[esi+0Ch], eax
		mov	eax, [ebp-70h]
		mov	[esi+10h], eax
		mov	eax, [ebp-6Ch]
		mov	[esi+14h], eax
		mov	eax, [ebp-68h]
		mov	[esi+18h], eax
		mov	eax, [ebp-64h]
		mov	[esi+1Ch], eax
		xor	eax, eax
		lea	ecx, [esi+3Ch]

loc_759308:				; CODE XREF: sub_759647-2F7j
		mov	[ebp-190h], ecx
		mov	[ebp-1A0h], eax
		cmp	eax, 3
		jge	short loc_759369
		mov	edx, eax
		lea	ecx, [ebp-78h]
		call	_PspNotificationLimitRateControlToleranceField@8 ; PspNotificationLimitRateControlToleranceField(x,x)
		mov	eax, [eax]
		mov	ecx, [ebp-190h]
		mov	[ecx-0Ch], eax
		mov	edx, [ebp-1A0h]
		lea	ecx, [ebp-78h]
		call	_PspNotificationLimitRateControlToleranceIntervalField@8 ; PspNotificationLimitRateControlToleranceIntervalField(x,x)
		mov	eax, [eax]
		mov	ecx, [ebp-190h]
		mov	[ecx], eax
		mov	eax, [ebp-1A0h]
		inc	eax
		add	ecx, 4
		jmp	short loc_759308
; END OF FUNCTION CHUNK	FOR sub_759647
; 
; START	OF FUNCTION CHUNK FOR NtSetInformationJobObject

loc_759352:				; CODE XREF: NtSetInformationJobObject+19Cj
		cmp	esi, 30h
		jz	loc_758FF2
		cmp	esi, 38h
		jz	loc_758FF2
		jmp	loc_8D303A
; END OF FUNCTION CHUNK	FOR NtSetInformationJobObject
; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_759369:				; CODE XREF: sub_759647-330j
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	_PspLockJobMemoryLimitsExclusive@12 ; PspLockJobMemoryLimitsExclusive(x,x,x)
		mov	eax, [ebp-48h]
		mov	ecx, [ebp-44h]
		shrd	eax, ecx, 0Ch
		shr	ecx, 0Ch
		mov	[esi+20h], eax
		mov	[esi+24h], ecx
		mov	eax, [ebp-60h]
		mov	ecx, [ebp-5Ch]
		shrd	eax, ecx, 0Ch
		shr	ecx, 0Ch
		mov	[esi+28h], eax
		mov	[esi+2Ch], ecx
		mov	ecx, [edi]
		mov	eax, [ebp-50h]
		mov	[ecx], eax
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	_PspUnlockJobMemoryLimitsExclusive@12 ;	PspUnlockJobMemoryLimitsExclusive(x,x,x)
		mov	eax, [edi]
		test	dword ptr [eax], 0FFFF7DFFh
		jz	short loc_7593BB
		call	_PspUpdateEnforcementTimer@4 ; PspUpdateEnforcementTimer(x)

loc_7593BB:				; CODE XREF: sub_759647-293j
		mov	ecx, [ebp-1ACh]
		test	ecx, ecx
		jz	loc_759E93

loc_7593C9:				; CODE XREF: sub_759647+17A4FEj
		mov	eax, [edi]
		cmp	dword ptr [eax], 0
		jz	loc_759E9E

loc_7593D4:				; CODE XREF: sub_759647+86Aj
					; sub_759647+17A4F8j
		test	ds:_PerfGlobalGroupMask, 80000h
		jnz	loc_8D3B4A

loc_7593E4:				; CODE XREF: sub_759647+17A51Aj
		lea	ecx, [ebx+20h]
		call	ExReleaseResourceLite
		lea	ecx, [ebx+230h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	edx, [ebx+31Ch]
		mov	ebx, [ebp-178h]
		mov	esi, [ebx+208h]
		mov	ecx, [ebx+20Ch]
		xor	eax, eax
		add	edx, esi
		adc	eax, ecx
		push	eax
		push	edx
		push	ecx
		push	esi
		mov	edx, 8200h
		mov	ecx, ebx
		call	_PspGetJobMemoryUsageNotificationViolations@24 ; PspGetJobMemoryUsageNotificationViolations(x,x,x,x,x,x)
		mov	esi, eax
		xor	edx, edx
		mov	ecx, ebx
		call	_PspUnlockJobMemoryLimitsShared@8 ; PspUnlockJobMemoryLimitsShared(x,x)
		test	esi, esi
		jz	loc_759142
		mov	ecx, [ebx+248h]
		call	_PspScheduleEnforcementWorker@4	; PspScheduleEnforcementWorker(x)
		mov	ebx, [ebp-178h]
		jmp	loc_759142
; 

loc_759450:				; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A2F8o
		mov	ebx, [ebp-178h]
		lea	esi, [ebx+20h]
		push	1
		push	esi
		call	ExAcquireResourceExclusiveLite
		push	ebx
		call	_KeResetEvent@4	; KeResetEvent(x)
		jmp	loc_75913B
; 

loc_75946C:				; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A2E4o
		push	9
		pop	ecx
		mov	[ebp-4], ecx
		mov	esi, edi
		lea	edi, [ebp-94h]
		movsd
		movsd
		movsd
		movsd
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		cmp	dword ptr [ebp-94h], 0
		jz	loc_8D3ADA
		test	dword ptr [ebp-94h], 0FFFFFFF8h
		jnz	loc_8D3ADA
		lea	edx, [ebp-94h]
		mov	ebx, [ebp-178h]
		mov	ecx, ebx
		call	PspFreezeJobTree
		mov	esi, eax
		test	esi, esi
		js	loc_759144
		mov	dword ptr [ebp-4], 0Ah
		mov	eax, [ebp-94h]
		mov	ecx, [ebp-18Ch]
		mov	[ecx], eax

loc_7594D3:				; CODE XREF: sub_8D40FD+112j
		mov	[ebp-4], edi
		jmp	loc_759144
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_7594DB	proc near		; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A328o
		mov	dword ptr [ebp-4], 17h
		mov	eax, [edi]
		mov	[ebp-218h], eax
		mov	eax, [edi+4]
		mov	[ebp-214h], eax
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		lea	edx, [ebp-218h]
		mov	ebx, [ebp-178h]
		mov	ecx, ebx
		call	_PspSetEnergyTrackingStateJobTree@8 ; PspSetEnergyTrackingStateJobTree(x,x)

loc_75950C:				; CODE XREF: sub_759647+296j
		mov	esi, eax
		test	esi, esi
		jns	loc_759142
		jmp	loc_759144
sub_7594DB	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_75951B:				; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A2D0o
		mov	eax, ebx
		mov	[ebp-180h], eax
		mov	[ebp-1A4h], eax
		mov	dword ptr [ebp-4], 5
		mov	eax, [edi]
		mov	[ebp-184h], eax
		mov	[ebp-270h], eax
		mov	eax, [edi+4]
		mov	[ebp-26Ch], eax
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		test	eax, eax
		jz	loc_759CC3
		push	ebx
		lea	ecx, [ebp-1A0h]
		push	ecx
		push	624A7350h
		push	dword ptr [ebp-19Ch]
		push	ds:_IoCompletionObjectType
		push	2
		push	eax
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	ebx, [ebp-178h]
		test	esi, esi
		js	loc_8D3692
		cmp	dword ptr [ebx+218h], 0
		jnz	loc_8D369D
		push	ebx
		push	offset PspNotificationPacketCallback
		call	_IoAllocateMiniCompletionPacket@8 ; IoAllocateMiniCompletionPacket(x,x)
		mov	edi, eax
		mov	[ebp-180h], edi
		test	edi, edi
		jz	loc_8D366E

loc_7595AE:				; CODE XREF: sub_759647+17A05Cj
		lea	eax, [ebx+20h]
		push	1
		push	eax
		call	ExAcquireResourceExclusiveLite
		xor	eax, eax
		cmp	[ebx+0D4h], eax
		jnz	loc_8D3675
		test	dword ptr [ebx+0B0h], 2000h
		jnz	loc_759EB6

loc_7595D7:				; CODE XREF: sub_759647+878j
		cmp	[ebx+218h], eax
		jnz	loc_8D36A8
		mov	[ebx+218h], edi
		mov	edi, eax

loc_7595EB:				; CODE XREF: sub_759647+17A067j
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	_PspLockJobMemoryLimitsExclusive@12 ; PspLockJobMemoryLimitsExclusive(x,x,x)
		mov	eax, [ebp-184h]
		mov	[ebx+0D8h], eax
		mov	eax, [ebp-1A0h]
		mov	[ebx+0D4h], eax
		xor	eax, eax
		mov	[ebx+0E0h], eax
		mov	[ebx+0E4h], eax
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	_PspUnlockJobMemoryLimitsExclusive@12 ;	PspUnlockJobMemoryLimitsExclusive(x,x,x)
		test	byte ptr [ebx+1A8h], 40h
		jnz	loc_759F6D

loc_759632:				; CODE XREF: sub_759647+935j
		lea	ecx, [ebx+20h]
		call	ExReleaseResourceLite

loc_75963A:				; CODE XREF: sub_759647+17A051j
					; sub_8D36C4+1Cj
		test	edi, edi
		jz	loc_759144
		jmp	loc_8D36E5
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_759647	proc near		; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A318o

; FUNCTION CHUNK AT 00758FF2 SIZE 00000152 BYTES
; FUNCTION CHUNK AT 00759177 SIZE 000001DB BYTES
; FUNCTION CHUNK AT 00759369 SIZE 00000172 BYTES
; FUNCTION CHUNK AT 0075951B SIZE 0000012C BYTES
; FUNCTION CHUNK AT 00759CC3 SIZE 0000033E BYTES
; FUNCTION CHUNK AT 0075A0BB SIZE 0000019D BYTES
; FUNCTION CHUNK AT 0075A2B8 SIZE 00000008 BYTES
; FUNCTION CHUNK AT 008D303A SIZE 0000000A BYTES
; FUNCTION CHUNK AT 008D304C SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008D3079 SIZE 000004E8 BYTES
; FUNCTION CHUNK AT 008D358F SIZE 00000014 BYTES
; FUNCTION CHUNK AT 008D35BC SIZE 00000038 BYTES
; FUNCTION CHUNK AT 008D3610 SIZE 00000042 BYTES
; FUNCTION CHUNK AT 008D366E SIZE 00000045 BYTES
; FUNCTION CHUNK AT 008D36E5 SIZE 0000013B BYTES
; FUNCTION CHUNK AT 008D385F SIZE 00000307 BYTES
; FUNCTION CHUNK AT 008D3B82 SIZE 000000A3 BYTES
; FUNCTION CHUNK AT 008D3CBB SIZE 00000014 BYTES
; FUNCTION CHUNK AT 008D3CEB SIZE 0000000A BYTES
; FUNCTION CHUNK AT 008D3D11 SIZE 00000013 BYTES
; FUNCTION CHUNK AT 008D409A SIZE 00000012 BYTES
; FUNCTION CHUNK AT 008D40D3 SIZE 0000002A BYTES

		mov	al, bl
		mov	[ebp-179h], al
		mov	dword ptr [ebp-4], 15h
		push	12h
		pop	ecx
		mov	esi, edi
		lea	edi, [ebp-3BCh]
		rep movsd
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		mov	ecx, [ebp-3BCh]
		test	ecx, 0FFFFFFFCh
		jnz	loc_8D409A
		mov	ebx, [ebp-178h]
		test	cl, 3
		jz	loc_759CB9
		mov	byte ptr [ebp-179h], 8
		lea	eax, [ebp-1BCh]
		push	eax
		mov	edi, [ebp-198h]
		mov	edx, edi
		mov	ecx, ebx
		call	PspLockRootJobExclusive
		push	ecx
		lea	edx, [ebp-1BCh]
		mov	ecx, ebx
		call	_PspLockJobConditionally@12 ; PspLockJobConditionally(x,x,x)
		xor	eax, eax
		inc	eax
		push	eax
		push	eax
		mov	edx, [ebp-3BCh]
		and	dl, al
		mov	ecx, ebx
		call	PspSetJobIoAttribution
		mov	esi, eax
		test	esi, esi
		js	loc_8D40A1
		push	ecx
		lea	edx, [ebp-1BCh]
		mov	ecx, ebx
		call	_PspUnlockJobConditionally@12 ;	PspUnlockJobConditionally(x,x,x)
		mov	edx, edi
		mov	ecx, [ebp-1BCh]
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		xor	al, al

loc_7596F0:				; CODE XREF: sub_759647+677j
					; sub_759647+17AA60j ...
		cmp	al, 8
		jb	loc_759144
		jmp	loc_8D40DE
; 

loc_7596FD:				; CODE XREF: sub_759647-477j
		mov	[ebp-48h], ebx
		mov	eax, ebx
		mov	[ebp-44h], eax
		jmp	loc_7591F0
; 

loc_75970A:				; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A2DCo
		mov	dword ptr [ebp-4], 8
		mov	eax, [ebp-180h]
		push	eax		; size_t
		push	edi		; void *
		lea	eax, [ebp-1F8h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		mov	ecx, [ebp-1F8h]
		test	ecx, 0FFFFFFE0h
		jnz	loc_8D3ADA
		mov	esi, [ebp-1F4h]
		mov	[ebp-1B8h], esi
		mov	edx, ecx
		xor	eax, eax
		inc	eax
		and	edx, eax
		mov	[ebp-184h], edx
		jz	short loc_759784
		test	cl, 2
		jz	loc_759F81
		push	10h
		pop	edx
		test	cl, dl
		jnz	loc_8D3ADA
		cmp	si, ax
		jb	loc_8D3ADA
		push	9
		pop	ecx
		cmp	si, cx
		ja	loc_8D3ADA

loc_759784:				; CODE XREF: sub_759647+112j
					; sub_759647+94Ej
		mov	edi, 2710h

loc_759789:				; CODE XREF: sub_759647+17A55Aj
		mov	[ebp-1A4h], ebx
		push	ebx
		mov	edx, [ebp-198h]
		mov	ebx, [ebp-178h]
		mov	ecx, ebx
		call	PspLockJobChain
		cmp	dword ptr [ebp-184h], 0
		jz	loc_759DD9
		test	byte ptr [ebx+310h], 20h
		jnz	short loc_7597D5
		push	2
		pop	ecx
		call	PspAllocateRateControl
		mov	[ebp-1A4h], eax
		test	eax, eax
		jz	loc_8D3BAC
		mov	[ebx+21Ch], eax

loc_7597D5:				; CODE XREF: sub_759647+170j
					; sub_759647+799j
		mov	eax, [ebx+21Ch]
		and	dword ptr [eax+14h], 0
		mov	eax, [ebx+21Ch]
		mov	[eax+18h], esi
		cmp	dword ptr [ebp-184h], 0
		jz	loc_759DEB
		mov	edx, [ebp-1F8h]
		xor	ecx, ecx
		inc	ecx
		test	dl, 4
		jnz	loc_759FA0

loc_759807:				; CODE XREF: sub_759647+969j
		test	dl, 2
		jz	loc_759FB5
		mov	eax, [ebx+21Ch]
		or	dword ptr [eax+14h], 4
		xor	esi, esi
		mov	[ebp-1B4h], esi

loc_759822:				; CODE XREF: sub_759647+979j
					; sub_759647+17A580j
		test	dl, 8
		jnz	loc_759FCB

loc_75982B:				; CODE XREF: sub_759647+98Ej
		push	20h
		pop	edi
		test	dl, 10h
		jnz	loc_8D3BCC

loc_759837:				; CODE XREF: sub_759647+17A58Ej
		mov	eax, [ebx+21Ch]
		lea	edx, [eax+40h]
		cmp	eax, [ebp-1A4h]
		jnz	loc_759FDA
		mov	eax, [ebp-1B8h]
		mov	[edx], eax
		mov	[edx+4], esi
		mov	edx, ebx
		mov	ecx, [ebx+244h]
		call	PspAddSchedulingGroupToJobChain
		mov	esi, eax
		test	esi, esi
		js	loc_8D3BDA
		lea	eax, [ebx+310h]
		lock or	[eax], edi

loc_759877:				; CODE XREF: sub_759647+9B5j
					; sub_759647+17A5BAj
		mov	eax, [ebx+21Ch]
		mov	eax, [eax+14h]
		mov	[ebp-200h], eax
		mov	eax, [ebx+21Ch]
		mov	eax, [eax+18h]
		mov	[ebp-1FCh], eax

loc_759895:				; CODE XREF: sub_759647+821j
					; sub_759647+847j
		xor	esi, esi
		test	ds:_PerfGlobalGroupMask, 80000h
		jnz	loc_8D3C06

loc_7598A7:				; CODE XREF: sub_759647+17A56Aj
					; sub_759647+17A574j ...
		mov	edx, [ebp-198h]
		mov	ecx, ebx

loc_7598AF:				; CODE XREF: sub_759647+B85j
		push	0
		call	PspUnlockJobChain
		jmp	loc_759144
; 

loc_7598BB:				; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A2E8o
		mov	dword ptr [ebp-4], 0Bh
		mov	dl, [edi]
		mov	[ebp-1C6h], dl
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		mov	ebx, [ebp-178h]
		mov	ecx, ebx
		call	PspSetBackgroundJobTree
		jmp	loc_75950C
; 

loc_7598E2:				; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A2F4o
		mov	dword ptr [ebp-4], 0Eh
		mov	eax, [edi]
		mov	[ebp-184h], eax
		mov	[ebp-2CCh], eax
		mov	eax, [edi+4]
		mov	[ebp-1ACh], eax
		mov	[ebp-2C8h], eax
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		mov	ebx, [ebp-178h]
		lea	eax, [ebx+20h]
		push	1
		push	eax
		call	ExAcquireResourceExclusiveLite
		test	byte ptr [ebx+310h], 20h
		jz	loc_8D3CEB
		mov	edi, [ebx+21Ch]
		mov	ecx, [edi+14h]
		lea	esi, [edi+1Ch]
		push	10h
		pop	eax
		test	cl, al
		jz	loc_75A1F9

loc_759941:				; CODE XREF: sub_759647+BC3j
		push	dword ptr [ebp-1ACh]
		push	dword ptr [ebp-184h]
		lea	ecx, [edi+40h]
		mov	edx, esi
		call	_KeSetSchedulingGroupCycleNotification@16 ; KeSetSchedulingGroupCycleNotification(x,x,x,x)
		xor	esi, esi

loc_759959:				; CODE XREF: sub_759647+17A6A9j
		lea	ecx, [ebx+20h]

loc_75995C:				; CODE XREF: sub_759647+78Dj
		call	ExReleaseResourceLite
		jmp	loc_759144
; 

loc_759966:				; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:off_75A2C0o
		mov	dword ptr [ebp-4], 1
		mov	esi, [ebp-180h]
		push	esi		; size_t
		push	edi		; void *
		lea	eax, [ebp-10Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		push	78h
		pop	eax
		cmp	esi, eax
		jnb	short loc_7599A6
		sub	eax, esi
		push	eax		; size_t
		push	ebx		; int
		lea	eax, [ebp-10Ch]
		add	eax, esi
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_7599A6:				; CODE XREF: sub_759647+348j
		mov	edx, esi
		mov	ecx, [ebp+0Ch]
		call	_PspGetJobLimitInformationValidFlags@8 ; PspGetJobLimitInformationValidFlags(x,x)
		not	eax
		mov	[ebp-194h], eax
		mov	ecx, [ebp-0FCh]
		test	eax, ecx
		jnz	loc_8D3ADA
		mov	[ebp-6CCh], ecx
		mov	edi, ebx
		mov	[ebp-180h], edi
		mov	[ebp-190h], ebx
		mov	[ebp-18Ch], ebx
		mov	al, cl
		and	al, 8
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, [ebp-0F0h]
		mov	[ebp-6C8h], eax
		test	cl, 20h
		jnz	loc_8D3094
		mov	[ebp-5D7h], bl

loc_759A06:				; CODE XREF: sub_759647+179AAEj
		test	cl, cl
		js	loc_8D3104
		mov	dword ptr [ebp-690h], 5

loc_759A18:				; CODE XREF: sub_759647+179B11j
		test	cl, 2
		jnz	loc_8D315D
		mov	[ebp-6E4h], ebx
		mov	[ebp-6E0h], ebx

loc_759A2D:				; CODE XREF: sub_759647+179B38j
		mov	eax, ecx
		and	eax, 4
		mov	[ebp-1B0h], eax
		jnz	loc_8D3184

loc_759A3E:				; CODE XREF: sub_759647+179B5Fj
		test	cl, 1
		jnz	loc_8D31AB
		mov	[ebp-6D4h], ebx
		mov	[ebp-6D0h], ebx

loc_759A53:				; CODE XREF: sub_759647+179BE2j
		mov	eax, 100h
		test	ecx, eax
		jnz	loc_75A20F
		mov	[ebp-634h], ebx

loc_759A66:				; CODE XREF: sub_759647+BE2j
		test	ecx, 200h
		jnz	loc_75A22E
		mov	[ebp-630h], ebx

loc_759A78:				; CODE XREF: sub_759647+C01j
		test	ecx, 200000h
		jnz	loc_8D322E
		mov	[ebp-62Ch], ebx

loc_759A8A:				; CODE XREF: sub_759647+179C01j
		lea	eax, [ebp-6C4h]
		push	eax
		call	_KeInitializeAffinityEx@4 ; KeInitializeAffinityEx(x)
		push	10h
		pop	edx
		mov	ebx, [ebp-178h]
		test	[ebp-6CCh], dl
		jnz	loc_8D324D

loc_759AAB:				; CODE XREF: sub_759647+179D28j
		lea	eax, [ebx+20h]
		mov	[ebp-19Ch], eax
		push	1
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	al, [ebp-6CCh]
		test	al, 4
		jnz	short loc_759ADC
		test	al, 40h
		jnz	loc_8D3374
		and	dword ptr [ebp-6DCh], 0
		and	dword ptr [ebp-6D8h], 0

loc_759ADC:				; CODE XREF: sub_759647+47Dj
					; sub_759647+179D54j
		mov	eax, [ebp-6CCh]
		and	eax, 0FFFFFFBFh
		mov	[ebp-6CCh], eax
		test	byte ptr [ebp-17Ah], 2
		jnz	loc_8D33A0
		test	eax, 4000h
		jnz	loc_8D348F

loc_759B03:				; CODE XREF: sub_759647+179E43j
					; sub_759647+179E55j
		xor	eax, eax
		inc	eax
		test	[ebx+0B0h], al
		jnz	loc_8D34A1

loc_759B12:				; CODE XREF: sub_759647+179E60j
					; sub_759647+179E6Bj
		mov	[ebp-1E8h], ebx
		mov	eax, [ebx+0B0h]
		mov	[ebp-1E0h], eax
		mov	eax, [ebp-6D4h]
		mov	[ebx+0A8h], eax
		mov	eax, [ebp-6D0h]
		mov	[ebx+0ACh], eax
		mov	eax, [ebp-6C8h]
		mov	[ebx+0B4h], eax
		test	byte ptr [ebp-17Ah], 2
		jnz	loc_8D34B7

loc_759B55:				; CODE XREF: sub_759647+179E7Fj
		mov	al, [ebp-5D7h]
		mov	[ebx+1A5h], al
		mov	eax, [ebp-690h]
		mov	[ebx+0ECh], eax
		mov	eax, [ebp-6E4h]
		mov	[ebx+98h], eax
		mov	eax, [ebp-6E0h]
		mov	[ebx+9Ch], eax
		lea	esi, [ebx+0A0h]
		mov	eax, [ebp-6DCh]
		mov	[esi], eax
		mov	eax, [ebp-6D8h]
		mov	[esi+4], eax
		push	9
		pop	ecx
		cmp	[ebp+0Ch], ecx
		jnz	loc_75A1DC
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	_PspLockJobMemoryLimitsExclusive@12 ; PspLockJobMemoryLimitsExclusive(x,x,x)
		mov	eax, [ebx+0B0h]
		and	eax, [ebp-194h]
		or	eax, [ebp-6CCh]
		mov	[ebx+0B0h], eax
		mov	eax, [ebp-634h]
		mov	[ebx+148h], eax
		mov	eax, [ebp-630h]
		mov	[ebx+14Ch], eax
		mov	eax, [ebp-62Ch]
		mov	[ebx+150h], eax
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	_PspUnlockJobMemoryLimitsExclusive@12 ;	PspUnlockJobMemoryLimitsExclusive(x,x,x)

loc_759BFA:				; CODE XREF: sub_759647+BADj
		mov	eax, [ebx+0B0h]
		or	eax, [ebp-1E0h]
		not	eax
		mov	[ebp-1E4h], eax
		cmp	dword ptr [ebp-1B0h], 0
		jnz	loc_8D34CB

loc_759C1B:				; CODE XREF: sub_759647+179EA7j
		test	byte ptr [ebx+0B0h], 6
		jnz	loc_8D34F3

loc_759C28:				; CODE XREF: sub_759647+179EB1j
		xor	eax, eax
		inc	eax
		test	[ebp-1E4h], al
		jz	loc_8D34FD

loc_759C37:				; CODE XREF: sub_759647+179EBCj
		push	5
		lea	eax, [ebp-1E8h]
		push	eax
		push	offset PspSetJobLimitsProcessCallback
		push	offset PspSetJobLimitsJobPostCallback
		mov	edx, offset PspSetJobLimitsJobPreCallback
		mov	ecx, ebx
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	esi, [ebp-1A8h]

loc_759C5C:				; CODE XREF: sub_759647+179D8Cj
					; sub_759647+179DE5j
		and	byte ptr [ebp-17Ah], 1
		jnz	loc_8D3508

loc_759C69:				; CODE XREF: sub_759647+179EE2j
		mov	ecx, [ebp-19Ch]
		call	ExReleaseResourceLite
		cmp	byte ptr [ebp-17Ah], 0
		jnz	loc_8D354A

loc_759C81:				; CODE XREF: sub_759647+179F0Aj
		mov	eax, [ebp-18Ch]
		test	eax, eax
		jnz	loc_8D3556

loc_759C8F:				; CODE XREF: sub_759647+179F15j
		mov	eax, [ebp-180h]

loc_759C95:				; CODE XREF: sub_759647+17A41Cj
		test	eax, eax
		jz	loc_759144
		jmp	loc_8D3A68
; 

loc_759CA2:				; CODE XREF: NtSetInformationJobObject+193j
		cmp	esi, 70h
		jz	loc_758FF2
		cmp	esi, 78h

loc_759CAE:				; CODE XREF: NtSetInformationJobObject+17A20Fj
		jz	loc_758FF2
		jmp	loc_8D303A
; 

loc_759CB9:				; CODE XREF: sub_759647+3Dj
		mov	esi, 0C000000Dh
		jmp	loc_7596F0
sub_759647	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_759CC3:				; CODE XREF: sub_759647-F8j
		mov	ebx, [ebp-178h]
		lea	esi, [ebx+20h]
		push	1
		push	esi
		call	ExAcquireResourceExclusiveLite
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	_PspLockJobMemoryLimitsExclusive@12 ; PspLockJobMemoryLimitsExclusive(x,x,x)
		mov	edi, [ebx+0D4h]
		and	dword ptr [ebx+0D4h], 0
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	_PspUnlockJobMemoryLimitsExclusive@12 ;	PspUnlockJobMemoryLimitsExclusive(x,x,x)
		mov	ecx, esi
		call	ExReleaseResourceLite
		test	edi, edi
		jz	short loc_759D0E
		mov	edx, 624A7350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_759D0E:				; CODE XREF: sub_759647+6B9j
					; sub_759647+17A006j
		mov	esi, [ebp-1A8h]
		jmp	loc_759144
; 

loc_759D19:				; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A2ECo
		mov	dword ptr [ebp-4], 0Dh
		mov	al, [edi]
		mov	[ebp-17Bh], al
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		mov	ebx, [ebp-178h]
		lea	edi, [ebx+20h]
		push	1
		push	edi
		call	ExAcquireResourceExclusiveLite
		push	20h
		pop	ecx
		test	[ebx+310h], cl
		jz	loc_8D3CC5
		mov	esi, [ebx+21Ch]
		mov	edx, [esi+14h]
		test	dl, 40h
		jnz	loc_8D3CC5
		xor	eax, eax
		inc	eax
		test	dl, al
		jnz	loc_8D3CBB
		test	dl, cl
		jnz	loc_8D3CBB
		mov	ecx, edx
		shr	ecx, 3
		and	ecx, eax
		xor	eax, eax
		cmp	[ebp-17Bh], al
		setnz	al
		cmp	ecx, eax
		jz	loc_8D3CC5
		movzx	eax, byte ptr [ebp-17Bh]
		neg	eax
		sbb	eax, eax
		and	eax, 8
		and	edx, 0FFFFFFF7h
		or	edx, eax
		mov	[esi+14h], edx
		mov	ecx, [ebx+21Ch]
		add	ecx, 40h
		mov	dl, [ebp-17Bh]
		call	KeSetSchedulingGroupRankBias
		push	1
		lea	eax, [ebp-17Bh]
		push	eax
		push	offset _PspSetProcessCacheIsolationCallback@8 ;	PspSetProcessCacheIsolationCallback(x,x)
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	PspEnumJobsAndProcessesInJobHierarchy

loc_759DD0:				; CODE XREF: sub_8D400A+6Fj
		xor	esi, esi

loc_759DD2:				; CODE XREF: sub_759647+17A679j
					; sub_759647+17A683j ...
		mov	ecx, edi
		jmp	loc_75995C
; 

loc_759DD9:				; CODE XREF: sub_759647+163j
		test	byte ptr [ebx+310h], 20h
		jnz	loc_7597D5
		jmp	loc_8D3BB6
; 

loc_759DEB:				; CODE XREF: sub_759647+1A8j
		mov	dword ptr [ebp-1B4h], 3
		mov	dword ptr [ebp-1B8h], 27102710h
		mov	eax, [ebx+21Ch]
		or	dword ptr [eax+14h], 40h
		mov	eax, [ebx+21Ch]
		mov	esi, [ebp-1B8h]
		mov	[eax+18h], esi
		mov	ecx, [ebx+21Ch]
		add	ecx, 40h
		mov	[ebp-1C4h], ecx
		mov	eax, [ecx+4]
		shr	eax, 2
		xor	edx, edx
		inc	edx
		and	al, dl
		mov	[ebp-17Ch], al
		call	_KeQuerySchedulingGroupReadyTime@4 ; KeQuerySchedulingGroupReadyTime(x)
		add	[ebx+228h], eax
		adc	[ebx+22Ch], edx
		lea	eax, [ebp-1B8h]
		push	eax
		lea	edx, [ebp-1C4h]
		call	KeSetSchedulingGroupCpuRates
		mov	[ebp-1FCh], esi
		cmp	byte ptr [ebp-17Ch], 0
		jz	loc_759895
		mov	byte ptr [ebp-17Ch], 0
		push	1
		lea	eax, [ebp-17Ch]
		push	eax
		push	offset _PspSetProcessCacheIsolationCallback@8 ;	PspSetProcessCacheIsolationCallback(x,x)
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	PspEnumJobsAndProcessesInJobHierarchy
		jmp	loc_759895
; 

loc_759E93:				; CODE XREF: sub_759647-284j
		mov	eax, [edi]
		cmp	dword ptr [eax], 0
		jz	loc_8D3B3D

loc_759E9E:				; CODE XREF: sub_759647-279j
		push	5
		push	eax
		push	0
		push	0
		mov	edx, offset _PspSetJobNotificationCountCallback@8 ; PspSetJobNotificationCountCallback(x,x)
		mov	ecx, ebx
		call	PspEnumJobsAndProcessesInJobHierarchy
		jmp	loc_7593D4
; 

loc_759EB6:				; CODE XREF: sub_759647-76j
		xor	edx, edx
		inc	edx
		test	[ebx+310h], dl
		jz	loc_7595D7
		jmp	loc_8D3675
; 

loc_759ECA:				; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A2F0o
		mov	dword ptr [ebp-4], 0Fh
		push	0FFFFFFFEh
		cmp	byte ptr [edi],	1
		pop	edi
		jnz	loc_8D3D11
		mov	[ebp-4], edi
		push	ebx
		push	ebx
		push	offset _PspEnableProcessTimerVirtualization@8 ;	PspEnableProcessTimerVirtualization(x,x)
		push	offset _PspEnableTimerVirtualization@8 ; PspEnableTimerVirtualization(x,x)
		xor	edx, edx
		mov	ebx, [ebp-178h]
		mov	ecx, ebx
		call	PspEnumJobsAndProcessesInJobHierarchy
		jmp	loc_759142
; 

loc_759F00:				; CODE XREF: sub_759647-39Ej
		push	624A7350h
		push	88h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8D3335
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		push	0
		mov	ebx, 88h
		mov	edx, ebx
		call	PsChargeSharedPoolQuota
		mov	[ebp-1A0h], eax
		test	eax, eax
		jz	loc_8D3346
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	ebx, [ebp-178h]
		jmp	loc_7592B7
; 

loc_759F5A:				; CODE XREF: sub_759647-380j
		mov	[edi], esi
		mov	ecx, [ebp-1A0h]
		mov	[ebx+214h], ecx
		jmp	loc_7592D5
; 

loc_759F6D:				; CODE XREF: sub_759647-1Bj
		push	1
		push	ebx
		mov	edx, offset _PspAssociateCompletionPortCallback@8 ; PspAssociateCompletionPortCallback(x,x)
		mov	ecx, ebx
		call	_PspEnumProcessesInJobHierarchy@16 ; PspEnumProcessesInJobHierarchy(x,x,x,x)
		jmp	loc_759632
; 

loc_759F81:				; CODE XREF: sub_759647+117j
		lea	eax, [esi-1]
		mov	edx, 270Fh
		cmp	ax, dx
		ja	loc_8D3ADA
		test	cl, 10h
		jz	loc_759784
		jmp	loc_8D3B82
; 

loc_759FA0:				; CODE XREF: sub_759647+1BAj
		mov	eax, [ebx+21Ch]
		or	[eax+14h], ecx
		mov	[ebp-1B6h], si
		jmp	loc_759807
; 

loc_759FB5:				; CODE XREF: sub_759647+1C3j
		mov	esi, ecx
		mov	[ebp-1B4h], esi
		test	dl, 14h
		jnz	loc_759822
		jmp	loc_8D3BC0
; 

loc_759FCB:				; CODE XREF: sub_759647+1DEj
		mov	eax, [ebx+21Ch]
		or	dword ptr [eax+14h], 2
		jmp	loc_75982B
; 

loc_759FDA:				; CODE XREF: sub_759647+1FFj
		mov	[ebp-1C4h], edx
		lea	edx, [ebp-1C4h]
		test	byte ptr [eax+14h], 4
		lea	eax, [ebp-1B8h]
		push	eax
		jz	loc_8D3BFC
		call	KeSetSchedulingGroupWeights
		jmp	loc_759877
; END OF FUNCTION CHUNK	FOR sub_759647
; 
; START	OF FUNCTION CHUNK FOR NtSetInformationJobObject

loc_75A001:				; CODE XREF: NtSetInformationJobObject+1A5j
		mov	eax, esi
		sub	eax, 28h
		jz	loc_758FF2
		sub	eax, 30h
		jz	loc_758FF2
		jmp	loc_8D3044
; END OF FUNCTION CHUNK	FOR NtSetInformationJobObject

;  S U B	R O U T	I N E 


sub_75A01A	proc near		; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A300o

; FUNCTION CHUNK AT 00759144 SIZE 00000033 BYTES
; FUNCTION CHUNK AT 008D3D8C SIZE 000000D5 BYTES
; FUNCTION CHUNK AT 008D3E88 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 008D3E9E SIZE 0000000A BYTES
; FUNCTION CHUNK AT 008D4305 SIZE 00000029 BYTES

		mov	dword ptr [ebp-4], 10h
		mov	eax, [ebp-180h]
		push	eax		; size_t
		push	edi		; void *
		lea	eax, [ebp-374h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp-35Ch]
		test	eax, eax
		jnz	loc_8D3D8C

loc_75A046:				; CODE XREF: sub_75A01A+179E34j
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		test	dword ptr [ebp-354h], 0FFFFFFF0h
		jnz	loc_8D3E53
		mov	eax, [ebp-344h]
		or	eax, [ebp-340h]
		jnz	short loc_75A086
		mov	eax, [ebp-364h]
		or	eax, [ebp-360h]
		jnz	short loc_75A086
		mov	eax, [ebp-32Ch]
		or	eax, [ebp-328h]
		jz	short loc_75A093

loc_75A086:				; CODE XREF: sub_75A01A+4Ej
					; sub_75A01A+5Cj
		call	_PspIsContextAdmin@0 ; PspIsContextAdmin()
		test	al, al
		jz	loc_8D3E5A

loc_75A093:				; CODE XREF: sub_75A01A+6Aj
		lea	edx, [ebp-374h]
		mov	ebx, [ebp-178h]
		mov	ecx, ebx
		call	PspSetJobIoRateControl
		mov	esi, eax

loc_75A0A8:				; CODE XREF: sub_75A01A+179E74j
		mov	edi, [ebp-21Ch]
		test	edi, edi
		jz	loc_759144
		jmp	loc_8D3E93
sub_75A01A	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_75A0BB:				; CODE XREF: sub_759647-451j
		mov	[ebp-60h], ebx
		mov	[ebp-5Ch], ebx
		jmp	loc_759225
; 

loc_75A0C6:				; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A2C4o
		mov	dword ptr [ebp-4], 2
		mov	eax, [edi]
		mov	[ebp-1F0h], eax
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		test	eax, 0FFFFFF00h
		jnz	loc_8D3ADA
		mov	byte ptr [ebp-179h], 8
		push	ebx
		mov	edx, [ebp-198h]
		mov	ebx, [ebp-178h]
		mov	ecx, ebx
		call	PspLockJobChain
		xor	edx, edx
		mov	ecx, ebx
		call	PspDoesJobHierarchyPermitUILimits
		test	al, al
		jz	loc_8D358F
		lea	esi, [ebx+0E8h]
		cmp	[esi], edi
		jz	loc_8D3599
		mov	edx, large fs:124h
		mov	edx, [edx+80h]
		mov	ebx, [ebp-178h]
		mov	ecx, ebx
		call	PspBindProcessSessionToJob
		mov	eax, [esi]
		mov	[ebp-1A4h], eax
		cmp	eax, 0FFFFFFFDh
		ja	loc_75A24D
		mov	eax, [ebx+0CCh]
		mov	esi, [ebp-1F0h]
		xor	eax, esi
		jz	loc_75A24D
		push	1
		mov	edx, [ebp-198h]
		mov	ecx, ebx
		call	PspUnlockJobChain
		mov	byte ptr [ebp-179h], 0
		mov	[ebp-2ACh], ebx
		and	dword ptr [ebp-2A8h], 0
		mov	[ebp-2A4h], esi
		lea	eax, [ebp-1A4h]
		push	eax
		push	1
		lea	eax, [ebp-2ACh]
		push	eax
		push	6
		call	PsInvokeWin32Callout
		mov	esi, eax
		test	esi, esi
		js	short loc_75A1BD

loc_75A1A5:				; CODE XREF: sub_759647+C0Cj
		mov	eax, [ebp-1F0h]
		mov	[ebx+0CCh], eax
		lea	eax, [ebx+310h]
		push	10h
		pop	edx
		lock or	[eax], edx

loc_75A1BD:				; CODE XREF: sub_759647+B5Cj
					; sub_759647+179F4Dj ...
		mov	edx, [ebp-198h]
		mov	ecx, ebx
		cmp	byte ptr [ebp-179h], 8
		jnb	loc_7598AF

loc_75A1D2:				; CODE XREF: sub_759647+17AAB1j
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		jmp	loc_759144
; 

loc_75A1DC:				; CODE XREF: sub_759647+55Bj
		mov	eax, [ebx+0B0h]
		and	eax, [ebp-194h]
		or	eax, [ebp-6CCh]
		mov	[ebx+0B0h], eax
		jmp	loc_759BFA
; 

loc_75A1F9:				; CODE XREF: sub_759647+2F4j
		or	ecx, eax
		mov	[edi+14h], ecx
		push	ebx
		push	offset PspJobCycleTimeNotificationDpcRoutine
		push	esi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		jmp	loc_759941
; 

loc_75A20F:				; CODE XREF: sub_759647+413j
		mov	eax, [ebp-0ACh]
		cmp	eax, 1000h
		jb	loc_8D3ADA
		shr	eax, 0Ch
		mov	[ebp-634h], eax
		jmp	loc_759A66
; 

loc_75A22E:				; CODE XREF: sub_759647+425j
		mov	eax, [ebp-0A8h]
		cmp	eax, 1000h
		jb	loc_8D3ADA
		shr	eax, 0Ch
		mov	[ebp-630h], eax
		jmp	loc_759A78
; 

loc_75A24D:				; CODE XREF: sub_759647+AFEj
					; sub_759647+B12j
		mov	esi, [ebp-188h]
		jmp	loc_75A1A5
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_75A258	proc near		; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A308o
		mov	ebx, [ebp-178h]
		mov	ecx, ebx
		call	_PspCreateSilo@4 ; PspCreateSilo(x)

loc_75A265:				; CODE XREF: sub_8D3D73+14j
					; sub_8D3EE6+57j ...
		mov	esi, eax
		jmp	loc_759144
sub_75A258	endp


;  S U B	R O U T	I N E 


sub_75A26C	proc near		; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A320o

; FUNCTION CHUNK AT 008D3EA8 SIZE 0000000A BYTES

		mov	ebx, [ebp-178h]
		lea	edi, [ebx+20h]
		push	1
		push	edi
		call	ExAcquireResourceExclusiveLite
		lea	eax, [ebx+310h]
		cmp	[eax], esi
		jl	loc_8D3EA8
		mov	dword ptr [ebp-4], 11h
		lea	edi, [ebx+2E8h]
		mov	esi, [ebp-18Ch]
		movsd
		movsd
		movsd
		movsd
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		mov	ecx, 80000000h
		lock or	[eax], ecx
		lea	ecx, [ebx+20h]
		jmp	loc_75913D
sub_75A26C	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_75A2B8:				; CODE XREF: sub_759647-60Fj
					; sub_75A01A+179D83j ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		lea	ecx, [ecx+0]
; END OF FUNCTION CHUNK	FOR sub_759647
; 
off_75A2C0	dd offset loc_759966	; DATA XREF: sub_759647-56Cr
		dd offset loc_75A0C6
		dd offset loc_8D35BC
		dd offset loc_8D3610
		dd offset loc_75951B
		dd offset loc_8D36F5
		dd offset loc_759177
		dd offset loc_75970A
		dd offset loc_7590E2
		dd offset loc_75946C
		dd offset loc_7598BB
		dd offset loc_759D19
		dd offset loc_759ECA
		dd offset loc_7598E2
		dd offset loc_759450
		dd offset sub_8D3D46
		dd offset sub_75A01A
		dd offset sub_8D3D73
		dd offset sub_75A258
		dd offset sub_8D3EE6
		dd offset sub_8D3F7C
		dd offset sub_8D400A
		dd offset sub_759647
		dd offset sub_8D3C95
		dd offset sub_75A26C
		dd offset sub_8D40FD
		dd offset sub_7594DB
		dd offset sub_8D4270
		dd offset sub_8D42F5
byte_75A334	db 0			; DATA XREF: sub_759647-573r
; 
		sbb	al, 1
		add	al, [ebx]
		add	al, 1Ch
		add	ds:7051C06h[eax], bl
		or	[ecx+ecx], bl
		sbb	al, 1Ch
		or	cl, [ebx]
		or	al, 0Dh
		push	cs
		sbb	al, 0Fh
		sbb	al, 1Ch
		sbb	al, 10h
		adc	[esi], eax
		sbb	al, 12h
		sbb	al, 13h
		sbb	al, 1Ch
		adc	al, 15h
		push	ss
		pop	ss
		sbb	[ecx], bl
		sbb	bl, [ebx]

;  S U B	R O U T	I N E 


; __stdcall PspNotificationLimitRateControlToleranceIntervalField(x, x)
_PspNotificationLimitRateControlToleranceIntervalField@8 proc near
					; CODE XREF: PAGE:007579B6p
					; sub_759647-3D3p ...
		sub	edx, 0
		jz	short loc_75A376
		sub	edx, 1
		jz	short loc_75A372
		push	24h

loc_75A36E:				; CODE XREF: PspNotificationLimitRateControlToleranceIntervalField(x,x)+12j
					; PspNotificationLimitRateControlToleranceIntervalField(x,x)+16j
		pop	eax
		add	eax, ecx
		retn
; 

loc_75A372:				; CODE XREF: PspNotificationLimitRateControlToleranceIntervalField(x,x)+8j
		push	38h
		jmp	short loc_75A36E
; 

loc_75A376:				; CODE XREF: PspNotificationLimitRateControlToleranceIntervalField(x,x)+3j
		push	40h
		jmp	short loc_75A36E
_PspNotificationLimitRateControlToleranceIntervalField@8 endp


;  S U B	R O U T	I N E 


; __stdcall PspNotificationLimitRateControlToleranceField(x, x)
_PspNotificationLimitRateControlToleranceField@8 proc near ; CODE XREF:	PAGE:007579A4p
					; sub_759647-3E0p ...
		sub	edx, 0
		jz	short loc_75A38E
		sub	edx, 1
		jz	short loc_75A38A
		push	20h

loc_75A386:				; CODE XREF: PspNotificationLimitRateControlToleranceField(x,x)+12j
					; PspNotificationLimitRateControlToleranceField(x,x)+16j
		pop	eax
		add	eax, ecx
		retn
; 

loc_75A38A:				; CODE XREF: PspNotificationLimitRateControlToleranceField(x,x)+8j
		push	2Ch
		jmp	short loc_75A386
; 

loc_75A38E:				; CODE XREF: PspNotificationLimitRateControlToleranceField(x,x)+3j
		push	3Ch
		jmp	short loc_75A386
_PspNotificationLimitRateControlToleranceField@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspQueryProcessAccountingInformationCallback(x, x)
_PspQueryProcessAccountingInformationCallback@8	proc near
					; DATA XREF: PspQueryJobHierarchyAccountingInformation+78o

var_1B8		= dword	ptr -1B8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1B8h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1B8h+var_4], eax
		push	esi
		mov	esi, [ebp+arg_4]
		lea	eax, [esp+1BCh+var_1B8]
		push	edi
		mov	edi, [ebp+arg_0]
		push	1B0h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	byte ptr [edi+0F8h], 2
		jnz	loc_75A47C
		mov	edx, esi
		mov	ecx, edi
		call	PsQueryStatisticsProcess
		lea	ecx, [esi+68h]
		mov	edx, esi
		call	_PspAddAccountingValues@8 ; PspAddAccountingValues(x,x)
		mov	eax, [edi+244h]
		add	[esi+0F8h], eax
		mov	ecx, [edi+3D0h]
		test	ecx, ecx
		jz	short loc_75A459
		mov	eax, [ecx]
		add	[esi+0D0h], eax
		mov	eax, [ecx+4]
		adc	[esi+0D4h], eax
		mov	eax, [ecx+8]
		add	[esi+0D8h], eax
		mov	eax, [ecx+0Ch]
		adc	[esi+0DCh], eax
		mov	eax, [ecx+10h]
		add	[esi+0E0h], eax
		mov	eax, [ecx+14h]
		adc	[esi+0E4h], eax
		mov	eax, [ecx+18h]
		add	[esi+0E8h], eax
		mov	eax, [ecx+1Ch]
		adc	[esi+0ECh], eax
		mov	eax, [ecx+20h]
		add	[esi+0F0h], eax
		mov	eax, [ecx+24h]
		adc	[esi+0F4h], eax

loc_75A459:				; CODE XREF: PspQueryProcessAccountingInformationCallback(x,x)+6Cj
		call	_PoEnergyEstimationEnabled@0 ; PoEnergyEstimationEnabled()
		test	al, al
		jz	short loc_75A47C
		lea	edx, [esp+1C0h+var_1B8]
		mov	ecx, edi
		call	_PsQueryProcessEnergyValues@8 ;	PsQueryProcessEnergyValues(x,x)
		lea	ecx, [esi+100h]
		lea	edx, [esp+1C0h+var_1B8]
		call	PsAddProcessEnergyValues

loc_75A47C:				; CODE XREF: PspQueryProcessAccountingInformationCallback(x,x)+3Fj
					; PspQueryProcessAccountingInformationCallback(x,x)+CEj
		mov	ecx, [esp+1C0h+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_PspQueryProcessAccountingInformationCallback@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpCopyProcessInfo proc	near		; CODE XREF: ExpGetProcessInformation+276p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D4338 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0658
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, edx
		mov	edi, ecx
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 0
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		call	PsQueryStatisticsProcess
		mov	[ebp+var_4], 0
		mov	[ebp+var_28], 0
		mov	[ebp+var_2C], 0
		xor	ebx, ebx
		mov	[ebp+var_2C], ebx
		lea	ecx, [esi+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_75A708
		mov	ebx, [esi+18Ch]
		mov	[ebp+var_2C], ebx
		test	ebx, ebx
		jz	loc_8D4338

loc_75A52F:				; CODE XREF: ExpCopyProcessInfo+26Aj
		push	0
		lea	edx, [ebp+var_28]
		mov	ecx, ebx
		call	ExHandleTableQuery
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	eax, [ebp+var_28]

loc_75A549:				; CODE XREF: ExpCopyProcessInfo+275j
		mov	[edi+4Ch], eax
		mov	eax, [esi+100h]
		mov	ecx, [esi+104h]
		mov	[edi+20h], eax
		mov	[edi+24h], ecx
		movsx	eax, byte ptr [esi+68h]
		mov	[edi+40h], eax
		mov	eax, [esi+0E4h]
		mov	[edi+44h], eax
		mov	eax, [esi+170h]
		mov	[edi+48h], eax
		mov	eax, [esi+390h]
		mov	[edi+14h], eax
		mov	eax, [esi+118h]
		mov	[edi+58h], eax
		mov	eax, [esi+11Ch]
		mov	[edi+5Ch], eax
		mov	eax, [esi+244h]
		mov	[edi+60h], eax
		mov	eax, [esi+298h]
		mov	[edi+10h], eax
		mov	eax, [esi+294h]
		shl	eax, 0Ch
		mov	[edi+64h], eax
		mov	eax, [esi+280h]
		shl	eax, 0Ch
		mov	[ebp+var_3C], eax
		mov	ecx, [esi+284h]
		shl	ecx, 0Ch
		mov	[ebp+var_40], ecx
		nop
		mov	[edi+68h], eax
		cmp	ecx, eax
		jnb	loc_75A701

loc_75A5D4:				; CODE XREF: ExpCopyProcessInfo+263j
		mov	[edi+8], ecx
		mov	dword ptr [edi+0Ch], 0
		mov	eax, [esi+10Ch]
		mov	[ebp+var_20], eax
		mov	eax, [esi+114h]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_20]
		mov	[edi+70h], eax
		mov	eax, [ebp+var_24]
		mov	[edi+6Ch], eax
		mov	eax, [esi+108h]
		mov	[ebp+var_20], eax
		mov	eax, [esi+110h]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_20]
		mov	[edi+78h], eax
		mov	eax, [ebp+var_24]
		mov	[edi+74h], eax
		mov	eax, [esi+224h]
		shl	eax, 0Ch
		mov	[ebp+var_30], eax
		mov	[edi+7Ch], eax
		mov	eax, [esi+228h]
		shl	eax, 0Ch
		mov	[edi+80h], eax
		mov	eax, [ebp+var_30]
		mov	[edi+84h], eax
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx+18h]
		mov	[edi+18h], eax
		mov	eax, [ecx+1Ch]
		mov	[edi+1Ch], eax
		mov	eax, [ecx+8]
		mov	[edi+28h], eax
		mov	eax, [ecx+0Ch]
		mov	[edi+2Ch], eax
		mov	eax, [ecx]
		mov	[edi+30h], eax
		mov	eax, [ecx+4]
		mov	[edi+34h], eax
		mov	eax, [ecx+28h]
		mov	[edi+88h], eax
		mov	eax, [ecx+2Ch]
		mov	[edi+8Ch], eax
		mov	eax, [ecx+30h]
		mov	[edi+90h], eax
		mov	eax, [ecx+34h]
		mov	[edi+94h], eax
		mov	eax, [ecx+38h]
		mov	[edi+98h], eax
		mov	eax, [ecx+3Ch]
		mov	[edi+9Ch], eax
		mov	eax, [ecx+40h]
		mov	[edi+0A0h], eax
		mov	eax, [ecx+44h]
		mov	[edi+0A4h], eax
		mov	eax, [ecx+48h]
		mov	[edi+0A8h], eax
		mov	eax, [ecx+4Ch]
		mov	[edi+0ACh], eax
		mov	eax, [ecx+50h]
		mov	[edi+0B0h], eax
		mov	eax, [ecx+54h]
		mov	[edi+0B4h], eax
		cmp	[ebp+arg_0], 0
		jnz	short loc_75A6F6

loc_75A6D9:				; CODE XREF: ExpCopyProcessInfo+25Fj
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	eax, eax

loc_75A6E2:				; CODE XREF: sub_8D4374+Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_75A6F6:				; CODE XREF: ExpCopyProcessInfo+237j
		mov	eax, [esi+0E4h]
		mov	[edi+54h], eax
		jmp	short loc_75A6D9
; 

loc_75A701:				; CODE XREF: ExpCopyProcessInfo+12Ej
		mov	ecx, eax
		jmp	loc_75A5D4
; 

loc_75A708:				; CODE XREF: ExpCopyProcessInfo+78j
					; ExpCopyProcessInfo+179EA3j
		test	ebx, ebx
		jnz	loc_75A52F
		xor	eax, eax
		mov	[ebp+var_28], eax
		jmp	loc_75A549
ExpCopyProcessInfo endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsQueryStatisticsProcess proc near	; CODE XREF: PspGetProcessAccountingInformation(x,x)+16p
					; PspEnforceLimitsProcessCallback+39p ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D4386 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		xor	eax, eax
		push	ebx
		mov	[esp+58h+var_1C], eax
		mov	[esp+58h+var_10], eax
		mov	[esp+58h+var_C], eax
		mov	[esp+58h+var_8], eax
		mov	[esp+58h+var_4], eax
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, edx
		mov	[esp+60h+var_2C], eax
		dec	word ptr [eax+13Ch]
		mov	edi, ecx
		nop
		lea	eax, [edi+398h]
		xor	edx, edx
		mov	ecx, eax
		mov	[esp+60h+var_30], eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [edi+0A0h]
		mov	edx, [edi+9Ch]
		mov	[esp+60h+var_4C], eax
		mov	eax, [edi+0A4h]
		mov	[esp+60h+var_48], eax
		mov	eax, [edi+0B0h]
		mov	[esp+60h+var_40], eax
		mov	eax, [edi+0B4h]
		mov	[esp+60h+var_44], eax
		mov	eax, [edi+0B8h]
		mov	[esp+60h+var_38], eax
		mov	eax, [edi+0BCh]
		mov	[esp+60h+var_3C], eax
		mov	eax, [edi+88h]
		mov	ecx, [edi+8Ch]
		mov	[esi+18h], eax
		mov	[esi+1Ch], ecx
		mov	eax, [edi+90h]
		mov	[esi+20h], eax
		mov	eax, [edi+94h]
		mov	[esi+24h], eax
		mov	eax, [edi+1F0h]
		mov	[esi+28h], eax
		mov	eax, [edi+1F4h]
		mov	[esi+2Ch], eax
		mov	eax, [edi+1F8h]
		mov	[esi+30h], eax
		mov	eax, [edi+1FCh]
		mov	[esi+34h], eax
		mov	eax, [edi+200h]
		mov	[esi+38h], eax
		mov	eax, [edi+204h]
		mov	[esi+3Ch], eax
		mov	eax, [edi+208h]
		mov	[esi+40h], eax
		mov	eax, [edi+20Ch]
		mov	[esi+44h], eax
		mov	eax, [edi+210h]
		mov	[esi+48h], eax
		mov	eax, [edi+214h]
		mov	[esi+4Ch], eax
		mov	eax, [edi+218h]
		mov	[esi+50h], eax
		mov	eax, [edi+21Ch]
		mov	[esi+54h], eax
		lea	eax, [edi+1D0h]
		mov	ebx, [eax]
		mov	[esp+60h+var_50], edx
		mov	[esp+60h+var_34], eax
		cmp	ebx, eax
		jz	loc_75A907
		jmp	short loc_75A860
; 
		align 10h

loc_75A860:				; CODE XREF: PsQueryStatisticsProcess+137j
					; PsQueryStatisticsProcess+1E1j
		add	edx, [ebx-150h]
		lea	edi, [ebx-2E4h]
		mov	eax, [esp+60h+var_4C]
		mov	ecx, edi
		add	eax, [edi+1C0h]
		mov	[esp+60h+var_50], edx
		lea	edx, [esp+60h+var_20]
		mov	[esp+60h+var_4C], eax
		call	KeQueryValuesThread
		mov	eax, [esp+60h+var_48]
		add	eax, [esp+60h+var_1C]
		mov	[esp+60h+var_48], eax
		mov	eax, [esp+60h+var_40]
		add	eax, [esp+60h+var_10]
		mov	[esp+60h+var_40], eax
		mov	eax, [esp+60h+var_44]
		adc	eax, [esp+60h+var_C]
		mov	[esp+60h+var_44], eax
		mov	eax, [esp+60h+var_38]
		add	eax, [esp+60h+var_8]
		mov	[esp+60h+var_38], eax
		mov	eax, [esp+60h+var_3C]
		adc	eax, [esp+60h+var_4]
		mov	[esp+60h+var_3C], eax
		mov	eax, [edi+34h]
		mov	ecx, [edi+30h]
		mov	[esp+60h+var_28], 0
		mov	[esp+60h+var_24], 0
		cmp	eax, [edi+38h]
		jnz	loc_8D4386

loc_75A8E4:				; CODE XREF: PsQueryStatisticsProcess+179C73j
		add	[esi+18h], ecx
		mov	edx, [esp+60h+var_50]
		adc	[esi+1Ch], eax
		mov	eax, [edi+8Ch]
		add	[esi+20h], eax
		adc	dword ptr [esi+24h], 0
		mov	ebx, [ebx]
		cmp	ebx, [esp+60h+var_34]
		jnz	loc_75A860

loc_75A907:				; CODE XREF: PsQueryStatisticsProcess+131j
		mov	edi, [esp+60h+var_30]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_75A987

loc_75A91B:				; CODE XREF: PsQueryStatisticsProcess+26Ej
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [esp+60h+var_2C]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	edi, ds:_KeMaximumIncrement
		mov	eax, edi
		mul	[esp+60h+var_50]
		push	[esp+60h+var_44]
		mov	[esi], eax
		mov	eax, edi
		push	[esp+64h+var_40]
		mov	[esi+4], edx
		mul	[esp+68h+var_4C]
		push	0
		mov	[esi+8], eax
		mov	eax, edi
		mov	[esi+0Ch], edx
		mul	[esp+6Ch+var_48]
		push	edi
		mov	[esi+10h], eax
		mov	[esi+14h], edx
		call	__allmul
		push	[esp+60h+var_3C]
		mov	[esi+58h], eax
		push	[esp+64h+var_38]
		mov	[esi+5Ch], edx
		push	0
		push	edi
		call	__allmul
		pop	edi
		mov	[esi+60h], eax
		mov	[esi+64h], edx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_75A987:				; CODE XREF: PsQueryStatisticsProcess+1F9j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_75A91B
PsQueryStatisticsProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExHandleTableQuery proc	near		; CODE XREF: ExpCopyProcessInfo+96p
					; ObGetProcessHandleCount(x,x)+21p

var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D4398 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ecx
		mov	[ebp+var_18], edx
		push	ebx
		push	esi
		mov	[ebp+var_10], eax
		xor	edx, edx
		lea	esi, [eax+40h]
		mov	[ebp+var_4], edx
		mov	eax, ds:_ExpFreeListCount
		xor	ecx, ecx
		shl	eax, 6
		xor	ebx, ebx
		add	eax, esi
		mov	[ebp+var_8], ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], eax
		cmp	esi, eax
		jnb	short loc_75AA11

loc_75A9C5:				; CODE XREF: ExHandleTableQuery+5Fj
		mov	eax, [esi+0Ch]
		mov	ecx, [esi+10h]
		cmp	eax, ecx
		jg	loc_8D4398

loc_75A9D3:				; CODE XREF: ExHandleTableQuery+179A0Aj
		cdq
		add	edi, eax
		adc	ebx, edx
		mov	edx, [ebp+var_4]
		add	edx, ecx
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_4], edx
		adc	ecx, 0
		add	esi, 40h
		mov	[ebp+var_8], ecx
		cmp	esi, [ebp+var_C]
		jb	short loc_75A9C5
		test	ebx, ebx
		jg	short loc_75AA55
		jl	short loc_75AA5C
		test	edi, edi
		jb	short loc_75AA5C
		test	ebx, ebx
		jl	short loc_75AA06
		jg	short loc_75AA55
		cmp	edi, 0FFFFFFFFh
		ja	short loc_75AA55

loc_75AA06:				; CODE XREF: ExHandleTableQuery+6Dj
					; ExHandleTableQuery+CAj
		test	ecx, ecx
		jl	short loc_75AA11
		jg	short loc_75AA60
		cmp	edx, 0FFFFFFFFh
		ja	short loc_75AA60

loc_75AA11:				; CODE XREF: ExHandleTableQuery+33j
					; ExHandleTableQuery+78j ...
		mov	eax, [ebp+var_10]
		mov	eax, [eax]
		shr	eax, 2
		imul	eax, 1FFh
		shr	eax, 9
		test	ebx, ebx
		jl	short loc_75AA2C
		jg	short loc_75AA67
		cmp	edi, eax
		ja	short loc_75AA67

loc_75AA2C:				; CODE XREF: ExHandleTableQuery+94j
					; ExHandleTableQuery+DBj
		cmp	ecx, ebx
		jl	short loc_75AA38
		jg	short loc_75AA36
		cmp	edx, edi
		jbe	short loc_75AA38

loc_75AA36:				; CODE XREF: ExHandleTableQuery+A0j
		mov	edx, edi

loc_75AA38:				; CODE XREF: ExHandleTableQuery+9Ej
					; ExHandleTableQuery+A4j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_75AA41
		mov	[eax], edi

loc_75AA41:				; CODE XREF: ExHandleTableQuery+ADj
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		test	eax, eax
		jnz	short loc_75AA51

loc_75AA4B:				; CODE XREF: ExHandleTableQuery+C3j
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_75AA51:				; CODE XREF: ExHandleTableQuery+B9j
		mov	[eax], edx
		jmp	short loc_75AA4B
; 

loc_75AA55:				; CODE XREF: ExHandleTableQuery+63j
					; ExHandleTableQuery+6Fj ...
		or	edi, 0FFFFFFFFh

loc_75AA58:				; CODE XREF: ExHandleTableQuery+CEj
		xor	ebx, ebx
		jmp	short loc_75AA06
; 

loc_75AA5C:				; CODE XREF: ExHandleTableQuery+65j
					; ExHandleTableQuery+69j
		xor	edi, edi
		jmp	short loc_75AA58
; 

loc_75AA60:				; CODE XREF: ExHandleTableQuery+7Aj
					; ExHandleTableQuery+7Fj
		or	edx, 0FFFFFFFFh
		xor	ecx, ecx
		jmp	short loc_75AA11
; 

loc_75AA67:				; CODE XREF: ExHandleTableQuery+96j
					; ExHandleTableQuery+9Aj
		mov	edi, eax
		xor	ebx, ebx
		jmp	short loc_75AA2C
ExHandleTableQuery endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspUnlockJobMemoryLimitsExclusive(x, x, x)
_PspUnlockJobMemoryLimitsExclusive@12 proc near	; CODE XREF: sub_759647-511p
					; sub_759647-2A0p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ecx, edx
		jz	short loc_75AA93
		push	esi
		lea	esi, [ecx+230h]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_75AA9E

loc_75AA8B:				; CODE XREF: PspUnlockJobMemoryLimitsExclusive(x,x,x)+37j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	esi

loc_75AA93:				; CODE XREF: PspUnlockJobMemoryLimitsExclusive(x,x,x)+7j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_75AAA7

loc_75AA9A:				; CODE XREF: PspUnlockJobMemoryLimitsExclusive(x,x,x)+3Ej
		pop	ebp
		retn	4
; 

loc_75AA9E:				; CODE XREF: PspUnlockJobMemoryLimitsExclusive(x,x,x)+1Bj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_75AA8B
; 

loc_75AAA7:				; CODE XREF: PspUnlockJobMemoryLimitsExclusive(x,x,x)+2Aj
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_75AA9A
_PspUnlockJobMemoryLimitsExclusive@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspLockJobMemoryLimitsExclusive(x, x, x)
_PspLockJobMemoryLimitsExclusive@12 proc near ;	CODE XREF: sub_759647-528p
					; sub_759647-2D8p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_75AACF

loc_75AABA:				; CODE XREF: PspLockJobMemoryLimitsExclusive(x,x,x)+29j
		cmp	ecx, edx
		jz	short loc_75AACB
		add	ecx, 230h
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx

loc_75AACB:				; CODE XREF: PspLockJobMemoryLimitsExclusive(x,x,x)+Ej
		pop	ebp
		retn	4
; 

loc_75AACF:				; CODE XREF: PspLockJobMemoryLimitsExclusive(x,x,x)+Aj
		dec	word ptr [eax+13Eh]
		nop
		jmp	short loc_75AABA
_PspLockJobMemoryLimitsExclusive@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspQueryProcessIdListCallback proc near	; DATA XREF: PspQueryJobHierarchyProcessIdList+44o

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	0Ch
		push	offset dword_6A0678
		call	__SEH_prolog4
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+0F8h], 1
		jnz	short loc_75AB32
		mov	edx, [ebp+arg_4]
		cmp	dword ptr [edx+4], 4
		jb	short loc_75AB36
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], esi
		mov	ecx, [edx]
		mov	eax, [eax+0E4h]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		inc	dword ptr [edx+8]
		add	dword ptr [edx], 4
		add	dword ptr [edx+4], 0FFFFFFFCh
		dec	dword ptr [edx+0Ch]

loc_75AB1E:				; CODE XREF: PspQueryProcessIdListCallback+5Aj
					; PspQueryProcessIdListCallback+61j ...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_75AB32:				; CODE XREF: PspQueryProcessIdListCallback+16j
		xor	esi, esi
		jmp	short loc_75AB1E
; 

loc_75AB36:				; CODE XREF: PspQueryProcessIdListCallback+1Fj
		mov	esi, 80000005h
		jmp	short loc_75AB1E
PspQueryProcessIdListCallback endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspLockJobChain	proc near		; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+24p
					; sub_759647+157p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D43C1 SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_75AB56
		dec	word ptr [esi+13Eh]
		nop

loc_75AB56:				; CODE XREF: PspLockJobChain+Ej
		push	ebx
		mov	ebx, [ebp+arg_0]
		and	ebx, 1
		mov	[ebp+arg_0], ebx
		jnz	short loc_75AB69
		mov	ecx, esi
		call	_PspLockJobAssignment@4	; PspLockJobAssignment(x)

loc_75AB69:				; CODE XREF: PspLockJobChain+22j
		mov	eax, [edi+254h]
		test	eax, eax
		jnz	short loc_75AB90

loc_75AB73:				; CODE XREF: PspLockJobChain+6Cj
		push	1
		lea	eax, [edi+20h]
		push	eax
		call	ExAcquireResourceExclusiveLite
		test	bl, bl
		pop	ebx
		jnz	short loc_75AB8A
		mov	ecx, esi
		call	_PspUnlockJobAssignment@4 ; PspUnlockJobAssignment(x)

loc_75AB8A:				; CODE XREF: PspLockJobChain+43j
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_75AB90:				; CODE XREF: PspLockJobChain+33j
		cmp	eax, 1
		ja	loc_8D43C1

loc_75AB99:				; CODE XREF: PspLockJobChain+17989Dj
					; PspLockJobChain+1798A6j ...
		mov	eax, [edi+244h]
		push	1
		add	eax, 20h
		push	eax
		call	ExAcquireResourceExclusiveLite
		jmp	short loc_75AB73
PspLockJobChain	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspUnlockJobChain proc near		; CODE XREF: PspImplicitAssignProcessToJob(x,x,x)+4Ap
					; PspImplicitAssignProcessToJob(x,x,x)+119p ...

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008D440E SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	eax, [esi+254h]
		cmp	eax, 1
		ja	loc_8D440E

loc_75ABC7:				; CODE XREF: PspUnlockJobChain+179876j
		cmp	eax, 2
		ja	loc_8D4427

loc_75ABD0:				; CODE XREF: PspUnlockJobChain+179880j
					; PspUnlockJobChain+1798A3j
		test	eax, eax
		jnz	short loc_75ABF4

loc_75ABD4:				; CODE XREF: PspUnlockJobChain+56j
		test	[ebp+arg_0], 1
		jnz	short loc_75ABED
		lea	ecx, [esi+20h]
		call	ExReleaseResourceLite
		test	ebx, ebx
		jz	short loc_75ABED
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_75ABED:				; CODE XREF: PspUnlockJobChain+2Cj
					; PspUnlockJobChain+38j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_75ABF4:				; CODE XREF: PspUnlockJobChain+26j
		mov	ecx, [esi+244h]
		add	ecx, 20h
		call	ExReleaseResourceLite
		jmp	short loc_75ABD4
PspUnlockJobChain endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObGetProcessHandleCount(x, x)
_ObGetProcessHandleCount@8 proc	near	; CODE XREF: EtwpPsProvTraceProcess+4DFp
					; PAGE:0083C323p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, edx
		mov	ebx, ecx
		mov	[ebp+var_4], esi
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jz	short loc_75AC3F
		push	edi
		lea	edx, [ebp+var_4]
		mov	ecx, eax
		call	ExHandleTableQuery
		lea	ecx, [ebx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	esi, [ebp+var_4]

loc_75AC38:				; CODE XREF: ObGetProcessHandleCount(x,x)+3Dj
					; ObGetProcessHandleCount(x,x)+41j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_75AC3F:				; CODE XREF: ObGetProcessHandleCount(x,x)+19j
		test	edi, edi
		jz	short loc_75AC38
		mov	[edi], esi
		jmp	short loc_75AC38
_ObGetProcessHandleCount@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspEvaluateAndNotifyEmptyJob(x, x, x)
_PspEvaluateAndNotifyEmptyJob@12 proc near ; CODE XREF:	PspNotifyEmptyJobsInJobChain(x)+27p
					; PspTerminateAllProcessesInJobHierarchy+6Cp

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	bl, dl
		mov	[ebp+var_4], eax
		push	edi
		mov	edx, eax
		mov	esi, ecx
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		mov	eax, [esi+2C8h]
		test	bl, bl
		jz	short loc_75AC77
		dec	eax
		mov	[esi+2C8h], eax

loc_75AC77:				; CODE XREF: PspEvaluateAndNotifyEmptyJob(x,x,x)+26j
		test	eax, eax
		jz	short loc_75AC8C

loc_75AC7B:				; CODE XREF: PspEvaluateAndNotifyEmptyJob(x,x,x)+61j
					; PspEvaluateAndNotifyEmptyJob(x,x,x)+8Ej ...
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_75AC8C:				; CODE XREF: PspEvaluateAndNotifyEmptyJob(x,x,x)+31j
		lea	edi, [esi+310h]
		lock btr dword ptr [edi], 7
		push	0
		pop	ebx
		jnb	short loc_75ACA4
		push	ebx
		push	ebx
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_75ACA4:				; CODE XREF: PspEvaluateAndNotifyEmptyJob(x,x,x)+52j
		lock bts dword ptr [edi], 15h
		jb	short loc_75AC7B
		cmp	[ebp+arg_0], 0
		jz	short loc_75ACCC
		cmp	[esi+0D4h], ebx
		jz	short loc_75ACCC
		test	byte ptr [esi+1A8h], 10h
		jz	short loc_75ACCC
		push	4
		pop	edx
		mov	ecx, esi
		call	PspSendReliableJobNotification

loc_75ACCC:				; CODE XREF: PspEvaluateAndNotifyEmptyJob(x,x,x)+67j
					; PspEvaluateAndNotifyEmptyJob(x,x,x)+6Fj ...
		test	dword ptr [esi+0B0h], 400000h
		jz	short loc_75AC7B
		lock bts dword ptr [edi], 1Dh
		jb	short loc_75AC7B
		test	dword ptr [edi], 40000000h
		jz	short loc_75AC7B
		mov	ecx, esi
		call	_PspHardDereferenceSiloWorker@4	; PspHardDereferenceSiloWorker(x)
		jmp	short loc_75AC7B
_PspEvaluateAndNotifyEmptyJob@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpGetGlobalLocaleSection proc near	; CODE XREF: NtInitializeNlsFiles+6Fp

var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D4454 SIZE 000000E3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 26Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+26Ch+var_4], eax
		push	ebx
		xor	ebx, ebx
		mov	[esp+270h+var_238], ecx
		push	esi
		push	edi
		mov	edi, ds:_NlsLocaleSectionPointer
		mov	[esp+278h+var_22C], ebx
		mov	[esp+278h+var_228], ebx
		mov	[esp+278h+var_268], ebx
		mov	[esp+278h+var_244], ebx
		mov	[esp+278h+var_234], ebx
		mov	[esp+278h+var_230], ebx
		mov	[esp+278h+var_248], ebx
		mov	[esp+278h+var_23C], ebx
		mov	[esp+278h+var_240], ebx
		cmp	edi, 1
		jbe	short loc_75AD68
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_75AD4B:				; CODE XREF: ExpGetGlobalLocaleSection+21Bj
		mov	eax, [esp+278h+var_238]
		mov	[eax], edi
		xor	eax, eax

loc_75AD53:				; CODE XREF: ExpGetGlobalLocaleSection+123j
					; ExpGetGlobalLocaleSection+222j
		mov	ecx, [esp+278h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_75AD68:				; CODE XREF: ExpGetGlobalLocaleSection+52j
		push	18h
		pop	edi
		lea	eax, [esp+278h+var_260]
		mov	[esp+278h+var_260], edi
		push	eax
		push	1
		lea	eax, [esp+280h+var_248]
		mov	[esp+280h+var_25C], ebx
		push	eax
		mov	[esp+284h+var_254], 240h
		mov	[esp+284h+var_258], offset _NlsRegKeyName
		mov	[esp+284h+var_250], ebx
		mov	[esp+284h+var_24C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_75ADCD
		lea	eax, [esp+278h+var_23C]
		push	eax
		push	14h
		lea	eax, [esp+280h+var_224]
		push	eax
		push	2
		push	(offset	loc_A41A0F+5)
		push	[esp+28Ch+var_248]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_8D4454

loc_75ADC4:				; CODE XREF: ExpGetGlobalLocaleSection+179769j
					; ExpGetGlobalLocaleSection+179774j ...
		push	[esp+278h+var_248]
		call	_ZwClose@4	; ZwClose(x)

loc_75ADCD:				; CODE XREF: ExpGetGlobalLocaleSection+AEj
		mov	eax, [esp+278h+var_268]
		test	eax, eax
		jnz	short loc_75AE25
		push	ebx
		push	1
		lea	eax, [esp+280h+var_22C]
		mov	[esp+280h+var_260], edi
		push	eax
		lea	eax, [esp+284h+var_260]
		mov	[esp+284h+var_25C], ebx
		push	eax
		push	100000h
		lea	eax, [esp+28Ch+var_268]
		mov	[esp+28Ch+var_254], 240h
		push	eax
		mov	[esp+290h+var_258], (offset loc_A41A17+5)
		mov	[esp+290h+var_250], ebx
		mov	[esp+290h+var_24C], ebx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	loc_75AD53
		mov	eax, [esp+278h+var_268]
		mov	[esp+278h+var_240], 40500h

loc_75AE25:				; CODE XREF: ExpGetGlobalLocaleSection+E3j
		push	eax
		push	8000000h
		push	2
		push	ebx
		lea	eax, [esp+288h+var_260]
		mov	[esp+288h+var_260], edi
		push	eax
		push	4
		lea	eax, [esp+290h+var_244]
		mov	[esp+290h+var_25C], ebx
		push	eax
		mov	[esp+294h+var_254], 240h
		mov	[esp+294h+var_258], ebx
		mov	[esp+294h+var_250], ebx
		mov	[esp+294h+var_24C], ebx
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		push	[esp+278h+var_268]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_75AF10
		mov	eax, ds:_MmSectionObjectType
		lea	ecx, [esp+278h+var_264]
		push	ebx
		push	ecx
		push	ebx
		push	eax
		push	0F001Fh
		push	[esp+28Ch+var_244]
		mov	[esp+290h+var_264], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[esp+278h+var_244]
		mov	edi, [esp+27Ch+var_264]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_75AF10
		mov	ebx, large fs:124h
		dec	word ptr [ebx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _NlsSectionLock
		call	ExAcquirePushLockExclusiveEx
		mov	esi, ds:_NlsLocaleSectionPointer
		cmp	esi, 1
		jnz	loc_8D4518
		mov	eax, [esp+278h+var_240]
		mov	esi, [esp+278h+var_264]
		mov	ecx, esi
		mov	ds:_NlsTableVersion, eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ds:_NlsLocaleSectionPointer, esi

loc_75AEE4:				; CODE XREF: ExpGetGlobalLocaleSection+17982Aj
					; ExpGetGlobalLocaleSection+179842j
		or	eax, 0FFFFFFFFh
		mov	esi, offset _NlsSectionLock
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_75AEFD
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_75AEFD:				; CODE XREF: ExpGetGlobalLocaleSection+204j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	loc_75AD4B
; 

loc_75AF10:				; CODE XREF: ExpGetGlobalLocaleSection+178j
					; ExpGetGlobalLocaleSection+1AEj
		mov	eax, esi
		jmp	loc_75AD53
ExpGetGlobalLocaleSection endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtInitializeNlsFiles proc near		; DATA XREF: .text:00580FDCo

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D4537 SIZE 00000018 BYTES

		push	28h
		push	offset dword_6A0698
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	loc_8D4537
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8D4541

loc_75AF55:				; CODE XREF: NtInitializeNlsFiles+17962Bj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	edi, [ebp+arg_4]
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_8D4548

loc_75AF6B:				; CODE XREF: NtInitializeNlsFiles+179632j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [ebp+var_24]
		push	eax
		push	ebx
		call	_ZwQueryDefaultLocale@8	; ZwQueryDefaultLocale(x,x)
		test	eax, eax
		js	short loc_75AFF0
		lea	ecx, [ebp+var_1C]
		call	ExpGetGlobalLocaleSection
		test	eax, eax
		js	short loc_75AFF0
		mov	[ebp+var_20], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_28], ebx
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	2
		push	400000h
		push	1
		lea	ecx, [ebp+var_28]
		push	ecx
		lea	ecx, [ebp+var_38]
		push	ecx
		push	ebx
		push	ebx
		lea	ecx, [ebp+var_20]
		push	ecx
		push	eax
		push	[ebp+var_1C]
		call	MmMapViewOfSection
		mov	ebx, eax
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject
		test	ebx, ebx
		js	short loc_75AFEE
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_20]
		mov	[esi], eax
		mov	eax, [ebp+var_24]
		mov	[edi], eax

loc_75AFE7:				; CODE XREF: sub_8D455F+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_75AFEE:				; CODE XREF: NtInitializeNlsFiles+BCj
		mov	eax, ebx

loc_75AFF0:				; CODE XREF: NtInitializeNlsFiles+6Aj
					; NtInitializeNlsFiles+76j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
NtInitializeNlsFiles endp

; 
		align 8
; Exported entry 2275. RtlOpenImageFileOptionsKey

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlOpenImageFileOptionsKey(x, x, x)
		public _RtlOpenImageFileOptionsKey@12
_RtlOpenImageFileOptionsKey@12 proc near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+774p

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_8]
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	RtlpOpenImageFileOptionsKeyEx
		pop	ecx
		pop	ebp
		retn	0Ch
_RtlOpenImageFileOptionsKey@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PspApplyWin32kFilterOptions(x, x)
_PspApplyWin32kFilterOptions@8 proc near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1522p
		mov	eax, [edx+11Ch]
		push	esi
		mov	esi, ecx
		test	eax, eax
		jnz	short loc_75B02F
		pop	esi
		retn
; 

loc_75B02F:				; CODE XREF: PspApplyWin32kFilterOptions(x,x)+Bj
		mov	ecx, [eax]
		push	edi
		lea	edi, [esi+490h]
		test	cl, 1
		jnz	short loc_75B05C

loc_75B03D:				; CODE XREF: PspApplyWin32kFilterOptions(x,x)+4Cj
		test	cl, 2
		jz	short loc_75B050
		mov	eax, 8000h
		lock or	[edi], eax
		mov	eax, [edx+11Ch]

loc_75B050:				; CODE XREF: PspApplyWin32kFilterOptions(x,x)+20j
		mov	eax, [eax+4]
		pop	edi
		mov	[esi+438h], eax
		pop	esi
		retn
; 

loc_75B05C:				; CODE XREF: PspApplyWin32kFilterOptions(x,x)+1Bj
		mov	eax, 4000h
		lock or	[edi], eax
		mov	eax, [edx+11Ch]
		mov	ecx, [eax]
		jmp	short loc_75B03D
_PspApplyWin32kFilterOptions@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetupReservedUserMappings proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+17E6p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D458A SIZE 00000093 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], edx
		mov	eax, [edi+7Ch]
		mov	esi, [eax+8]
		and	esi, 60h
		jnz	loc_8D458A
		cmp	[edi+9Ch], ebx
		jnz	loc_8D458A
		xor	eax, eax

loc_75B0A4:				; CODE XREF: PspSetupReservedUserMappings+1795AAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PspSetupReservedUserMappings endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetupUserProcessAddressSpace	proc near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1930p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D461D SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_14], 0
		and	[ebp+var_18], 0
		mov	[ebp+var_20], eax
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	[ebp+var_1C], edx
		stosd
		mov	[ebp+var_28], ecx
		stosd
		stosd
		mov	eax, large fs:124h
		mov	edi, [ebx+7Ch]
		mov	[ebp+var_2C], eax
		movzx	eax, byte ptr [ebx+9]
		shr	eax, 2
		and	eax, 3
		sub	eax, 1
		jz	loc_75B216
		sub	eax, 1
		jz	loc_75B23E

loc_75B108:				; CODE XREF: PspSetupUserProcessAddressSpace+173j
					; PspSetupUserProcessAddressSpace+18Dj	...
		mov	esi, [edi+8]
		mov	eax, esi
		and	eax, 60h
		test	byte ptr ds:_PspGlobalFlags, 1
		mov	[ebp+var_24], eax
		jnz	loc_8D461D

loc_75B120:				; CODE XREF: PspSetupUserProcessAddressSpace+17957Aj
		cmp	dword ptr [edi+2A0h], 0
		jnz	short loc_75B134
		mov	eax, ds:_PsDefaultLoaderThreads
		mov	[edi+2A0h], eax

loc_75B134:				; CODE XREF: PspSetupUserProcessAddressSpace+7Bj
		push	edx
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		cmp	byte ptr [eax+260h], 0
		jnz	loc_8D462B

loc_75B14E:				; CODE XREF: PspSetupUserProcessAddressSpace+179588j
		push	[ebp+var_20]
		mov	esi, [ebp+var_1C]
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		test	byte ptr [ebx+8], 10h
		jz	short loc_75B176
		mov	edx, ebx
		mov	ecx, esi
		call	PspLocateInPEManifest
		mov	esi, eax
		test	esi, esi
		js	loc_75B1F9

loc_75B176:				; CODE XREF: PspSetupUserProcessAddressSpace+B5j
		mov	eax, [edi]
		add	eax, [edi+290h]
		cmp	[ebp+var_24], 0
		mov	[ebp+var_14], eax
		jnz	short loc_75B193
		mov	ecx, 20000h
		cmp	eax, ecx
		jnb	short loc_75B193
		mov	[ebp+var_14], ecx

loc_75B193:				; CODE XREF: PspSetupUserProcessAddressSpace+D9j
					; PspSetupUserProcessAddressSpace+E2j
		push	4
		push	3000h
		lea	ecx, [ebp+var_14]
		push	ecx
		lea	eax, [ebx+80h]
		and	dword ptr [eax], 0
		push	0
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_75B1F9
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_28]
		push	ebx
		call	PspCopyAndFixupParameters
		mov	esi, eax
		test	esi, esi
		js	short loc_75B1F9
		mov	edx, ebx
		call	PspPrepareSystemDllInitBlock
		mov	esi, eax
		test	esi, esi
		js	short loc_75B1F9
		mov	ebx, [ebp+var_1C]
		mov	edx, ebx
		mov	ecx, [ebp+var_2C]
		call	PspWritePebAffinityInfo
		mov	ecx, ebx
		call	MmMapApiSetView
		mov	esi, eax
		test	esi, esi
		js	short loc_75B1F9
		mov	ecx, ebx
		call	PspMapSiloSharedDataView
		mov	esi, eax

loc_75B1F9:				; CODE XREF: PspSetupUserProcessAddressSpace+C4j
					; PspSetupUserProcessAddressSpace+109j	...
		mov	ecx, [ebp+var_20]
		xor	edx, edx
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, esi

loc_75B205:				; CODE XREF: PspSetupUserProcessAddressSpace+188j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_75B216:				; CODE XREF: PspSetupUserProcessAddressSpace+4Dj
		mov	eax, [ebx+2Ch]
		cmp	eax, [ebx+0ACh]
		jnz	loc_75B108
		lea	eax, [ebp+var_10]
		mov	edx, eax
		mov	[ebp+var_18], eax
		call	PspGetStandardHandleList
		test	eax, eax
		js	short loc_75B205
		mov	edx, [ebp+var_1C]
		jmp	loc_75B108
; 

loc_75B23E:				; CODE XREF: PspSetupUserProcessAddressSpace+56j
		lea	eax, [edi+18h]
		mov	[ebp+var_18], eax
		jmp	loc_75B108
PspSetupUserProcessAddressSpace	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspMapSiloSharedDataView proc near	; CODE XREF: PspSetupUserProcessAddressSpace+146p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A49p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D4639 SIZE 00000051 BYTES
; FUNCTION CHUNK AT 008D469E SIZE 0000000E BYTES

		push	20h
		push	offset dword_6A06C0
		call	__SEH_prolog4
		mov	edi, ecx
		push	edi
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		mov	ebx, eax
		push	ebx
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	loc_8D4639
		xor	eax, eax

loc_75B270:				; CODE XREF: PspMapSiloSharedDataView+179429j
					; PspMapSiloSharedDataView+17945Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PspMapSiloSharedDataView endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmMapApiSetView	proc near		; CODE XREF: PspSetupUserProcessAddressSpace+139p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A3Cp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D46AC SIZE 00000012 BYTES

		push	20h
		push	offset dword_6A06E0
		call	__SEH_prolog4
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_20], ebx
		push	esi
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		mov	edi, eax
		push	edi
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	loc_8D46AC
		mov	eax, dword_6CF4E0

loc_75B2B7:				; CODE XREF: MmMapApiSetView+179439j
		push	2
		push	400000h
		push	1
		lea	ecx, [ebp+var_20]
		push	ecx
		lea	ecx, [ebp+var_30]
		push	ecx
		push	ebx
		push	ebx
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	esi
		push	eax
		call	MmMapViewOfSection
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_75B2F1
		mov	edx, [esi+17Ch]
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+var_1C]
		mov	[edx+38h], eax

loc_75B2EA:				; CODE XREF: sub_8D46CC+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_75B2F1:				; CODE XREF: MmMapApiSetView+59j
		mov	eax, ecx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MmMapApiSetView	endp

; 
		align 4

; __stdcall MmCreatePeb(x, x, x, x)
_MmCreatePeb@16:			; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+18BEp
		push	0F0h
		push	offset dword_6A0700
		call	__SEH_prolog4_GS
		mov	ebx, edx
		mov	esi, ecx
		mov	eax, [ebp+8]
		mov	[ebp-88h], eax
		mov	edx, [ebp+0Ch]
		mov	[ebp-44h], edx
		and	dword ptr [ebp-5Ch], 0
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp-38h]
		rep stosd
		mov	[ebp-48h], eax
		mov	[ebp-54h], eax
		mov	[ebp-7Ch], eax
		mov	[ebp-78h], eax
		mov	[ebp-40h], eax
		mov	edi, edx
		stosd
		stosd
		stosd
		call	_MmGetMinWsPagePriority@0 ; MmGetMinWsPagePriority()
		bsf	eax, eax
		mov	[ebp-48h], eax
		mov	[edx+4], ax
		lea	eax, [ebp-38h]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	eax, ds:_InitNlsSectionPointer
		test	eax, eax
		jz	short loc_75B3A4
		push	2
		push	offset loc_500000
		push	1
		lea	ecx, [ebp-40h]
		push	ecx
		lea	ecx, [ebp-7Ch]
		push	ecx
		push	0
		push	0
		lea	ecx, [ebp-54h]
		push	ecx
		push	esi
		push	eax
		call	MmMapViewOfSection
		mov	edi, eax
		test	edi, edi
		jns	short loc_75B3A4

loc_75B393:				; CODE XREF: PAGE:0075B3D9j
		xor	edx, edx

loc_75B395:				; CODE XREF: PAGE:0075B3F4j
		lea	ecx, [ebp-38h]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, edi
		jmp	loc_75B806
; 

loc_75B3A4:				; CODE XREF: PAGE:0075B36Bj
					; PAGE:0075B391j
		xor	ecx, ecx
		mov	[ebp-58h], ecx
		mov	[ebp-7Ch], ecx
		mov	[ebp-78h], ecx
		mov	[ebp-40h], ecx
		push	2
		push	offset loc_500000
		push	1
		lea	eax, [ebp-40h]
		push	eax
		lea	eax, [ebp-7Ch]
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp-58h]
		push	eax
		push	esi
		push	ds:_ExLeapSecondDataSectionPointer
		call	MmMapViewOfSection
		mov	edi, eax
		test	edi, edi
		js	short loc_75B393
		and	dword ptr [ebp-60h], 0
		push	ecx
		lea	eax, [ebp-60h]
		push	eax
		mov	edx, 1000h
		call	MiAllocateFromSubAllocatedRegion
		mov	edi, eax
		xor	edx, edx
		test	edi, edi
		js	short loc_75B395
		mov	edi, [esi+160h]
		mov	[ebp-70h], edi
		mov	dword ptr [ebp-0F0h], 0Ah
		mov	[ebp-0ECh], edx
		mov	ax, word ptr _NtBuildNumber
		mov	[ebp-4Ch], eax
		mov	[ebp-0E4h], ax
		push	2
		pop	eax
		mov	[ebp-50h], eax
		mov	[ebp-0E8h], eax
		mov	ax, word ptr _CmNtCSDVersion
		mov	[ebp-3Eh], ax
		mov	[ebp-0E2h], ax
		mov	eax, ds:dword_7051E4
		mov	[ebp-64h], eax
		mov	[ebp-0E0h], eax
		mov	eax, ds:dword_7051E0
		mov	[ebp-68h], eax
		mov	[ebp-0DCh], eax
		mov	al, [ebx]
		mov	[ebp-39h], al
		mov	[ebp-0B0h], al
		mov	al, [ebx+3]
		mov	[ebp-3Ah], al
		mov	[ebp-0AFh], al
		mov	eax, [ebx+4]
		mov	[ebp-6Ch], eax
		mov	[ebp-0ACh], eax
		mov	ecx, [ebp-54h]
		test	ecx, ecx
		jnz	short loc_75B496
		mov	[ebp-0A4h], edx
		mov	[ebp-0A0h], edx
		mov	[ebp-9Ch], edx
		jmp	short loc_75B4D4
; 

loc_75B496:				; CODE XREF: PAGE:0075B480j
		mov	eax, ds:_InitUnicodeCaseTableDataOffset
		lea	edx, [eax+ecx]
		mov	[ebp-9Ch], edx
		test	eax, eax
		jnz	short loc_75B4B8
		xor	edx, edx
		mov	[ebp-0A4h], edx
		mov	[ebp-0A0h], edx
		jmp	short loc_75B4D4
; 

loc_75B4B8:				; CODE XREF: PAGE:0075B4A6j
		mov	eax, ds:_InitAnsiCodePageDataOffset
		add	eax, ecx
		mov	[ebp-0A4h], eax
		mov	eax, ds:_InitOemCodePageDataOffset
		add	eax, ecx
		mov	[ebp-0A0h], eax
		xor	edx, edx

loc_75B4D4:				; CODE XREF: PAGE:0075B494j
					; PAGE:0075B4B6j
		cmp	[esi+180h], edx
		jz	short loc_75B4EB
		mov	ecx, esi
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		mov	[ebp-0CCh], eax
		jmp	short loc_75B4F1
; 

loc_75B4EB:				; CODE XREF: PAGE:0075B4DAj
		mov	[ebp-0CCh], edx

loc_75B4F1:				; CODE XREF: PAGE:0075B4E9j
		mov	eax, [ebp-58h]
		mov	[ebp-74h], eax
		mov	[ebp-98h], eax
		call	_Feature_Leap_Seconds_Sixty_Second__private_ReportDeviceUsage@0	; Feature_Leap_Seconds_Sixty_Second__private_ReportDeviceUsage()
		and	dword ptr [ebp-4], 0
		push	edi
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	esi, eax
		mov	[ebp-5Ch], esi
		movzx	edi, word ptr [esi+16h]
		mov	[ebp-84h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		inc	ebx
		mov	[ebp-4], ebx
		lea	eax, [ebp-100h]
		push	eax
		push	dword ptr [ebp-0F0h]
		push	ebx
		push	dword ptr [ebp-70h]
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	ecx, eax
		mov	[ebp-80h], ecx
		test	ecx, ecx
		jz	short loc_75B5BE
		test	cl, 3
		jnz	loc_75B818
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_75B55B
		mov	ecx, eax

loc_75B55B:				; CODE XREF: PAGE:0075B557j
		nop
		mov	al, [ecx]
		mov	esi, [ebp-5Ch]
		mov	ecx, [ebp-80h]
		mov	eax, [ebp-98h]
		mov	[ebp-74h], eax
		mov	eax, [ebp-0ACh]
		mov	[ebp-6Ch], eax
		mov	al, [ebp-0AFh]
		mov	[ebp-3Ah], al
		mov	al, [ebp-0B0h]
		mov	[ebp-39h], al
		mov	eax, [ebp-0DCh]
		mov	[ebp-68h], eax
		mov	eax, [ebp-0E0h]
		mov	[ebp-64h], eax
		mov	ax, [ebp-0E2h]
		mov	[ebp-3Eh], ax
		mov	ax, [ebp-0E4h]
		mov	[ebp-4Ch], eax
		mov	eax, [ebp-0E8h]
		mov	[ebp-50h], eax
		mov	edi, [ebp-84h]

loc_75B5BE:				; CODE XREF: PAGE:0075B545j
		movzx	eax, word ptr [esi+5Ch]
		mov	[ebp-0FCh], eax
		movzx	eax, word ptr [esi+48h]
		mov	[ebp-0F8h], eax
		movzx	eax, word ptr [esi+4Ah]
		mov	[ebp-0F4h], eax
		mov	edx, [esi+4Ch]
		test	edx, edx
		jz	short loc_75B633
		test	ecx, ecx
		jz	short loc_75B5FB
		movzx	eax, word ptr [ecx+34h]
		test	ax, ax
		jz	short loc_75B5FB
		mov	[ebp-3Eh], ax
		mov	[ebp-0E2h], ax

loc_75B5FB:				; CODE XREF: PAGE:0075B5E5j
					; PAGE:0075B5EEj
		movzx	eax, dl
		mov	[ebp-0F0h], eax
		mov	eax, edx
		shr	eax, 8
		movzx	eax, al
		mov	[ebp-0ECh], eax
		mov	eax, edx
		shr	eax, 10h
		mov	[ebp-4Ch], eax
		mov	[ebp-0E4h], ax
		xor	edx, 0BFFFFFFFh
		shr	edx, 1Eh
		mov	[ebp-50h], edx
		mov	[ebp-0E8h], edx

loc_75B633:				; CODE XREF: PAGE:0075B5E1j
		mov	eax, [ebp-44h]
		test	ecx, ecx
		jz	short loc_75B653
		mov	esi, [ecx+30h]
		mov	[eax], esi
		push	dword ptr [ebp-48h]
		call	_KeQueryGroupAffinity@4	; KeQueryGroupAffinity(x)
		and	eax, esi
		cmp	eax, esi
		mov	eax, [ebp-44h]
		jz	short loc_75B653
		and	dword ptr [eax], 0

loc_75B653:				; CODE XREF: PAGE:0075B638j
					; PAGE:0075B64Ej
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	edi, 4000h
		jz	short loc_75B688
		mov	edi, ebx
		lock xadd dword_6D05F8,	edi
		inc	edi

loc_75B66D:				; CODE XREF: PAGE:0075B686j
		and	edi, 1Fh
		mov	esi, ebx
		mov	ecx, edi
		shl	esi, cl
		mov	[eax], esi
		inc	edi
		push	dword ptr [ebp-48h]
		call	_KeQueryGroupAffinity@4	; KeQueryGroupAffinity(x)
		test	eax, esi
		mov	eax, [ebp-44h]
		jz	short loc_75B66D

loc_75B688:				; CODE XREF: PAGE:0075B660j
		mov	dword ptr [ebp-4], 2
		mov	esi, [ebp-60h]
		mov	eax, [ebp-0F0h]
		mov	[esi+0A4h], eax
		mov	eax, [ebp-0ECh]
		mov	[esi+0A8h], eax
		mov	eax, [ebp-4Ch]
		mov	[esi+0ACh], ax
		mov	eax, [ebp-50h]
		mov	[esi+0B0h], eax
		mov	ax, [ebp-3Eh]
		mov	[esi+0AEh], ax
		mov	eax, [ebp-64h]
		mov	[esi+78h], eax
		mov	eax, [ebp-68h]
		mov	[esi+7Ch], eax
		mov	eax, ds:_KeNumberProcessors
		mov	[esi+64h], eax
		mov	eax, _NtGlobalFlag
		mov	[esi+68h], eax
		mov	eax, _NtGlobalFlag2
		mov	[esi+478h], eax
		mov	eax, dword_6D0600
		mov	[esi+70h], eax
		mov	eax, dword_6D0604
		mov	[esi+74h], eax
		mov	eax, ds:dword_7051D0
		mov	[esi+208h], eax
		mov	eax, ds:dword_7051DC
		mov	[esi+80h], eax
		mov	eax, ds:dword_7051D8
		mov	[esi+84h], eax
		mov	eax, [ebp-0CCh]
		mov	[esi+1D4h], eax
		mov	eax, [ebp-0FCh]
		mov	[esi+0B4h], eax
		mov	eax, [ebp-0F8h]
		mov	[esi+0B8h], eax
		mov	eax, [ebp-0F4h]
		mov	[esi+0BCh], eax
		mov	al, [ebp-39h]
		mov	[esi], al
		mov	al, [ebp-3Ah]
		mov	[esi+3], al
		mov	eax, [ebp-6Ch]
		mov	[esi+4], eax
		mov	eax, [ebp-70h]
		mov	[esi+8], eax
		mov	eax, [ebp-0A4h]
		mov	[esi+58h], eax
		mov	eax, [ebp-0A0h]
		mov	[esi+5Ch], eax
		mov	eax, [ebp-9Ch]
		mov	[esi+60h], eax
		mov	eax, [ebp-74h]
		mov	[esi+470h], eax
		and	dword ptr [esi+474h], 0
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edx, edx
		lea	ecx, [ebp-38h]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, [ebp-88h]
		mov	[eax], esi
		xor	eax, eax
		jmp	short loc_75B806
; 

loc_75B7AF:				; DATA XREF: .text:006A072Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-8Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_75B7C0:				; DATA XREF: .text:006A0730o
		mov	esi, [ebp-8Ch]
		jmp	short loc_75B7D1
; 

loc_75B7C8:				; DATA XREF: .text:006A0720o
		xor	eax, eax
		inc	eax
		retn
; 

loc_75B7CC:				; DATA XREF: .text:006A0724o
		mov	esi, 0C0000130h

loc_75B7D1:				; CODE XREF: PAGE:0075B7C6j
		mov	esp, [ebp-18h]
		xor	edx, edx
		lea	ecx, [ebp-38h]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, esi
		jmp	short loc_75B806
; 

loc_75B7E9:				; DATA XREF: .text:006A0714o
		xor	eax, eax
		inc	eax
		retn
; 

loc_75B7ED:				; DATA XREF: .text:006A0718o
		mov	esp, [ebp-18h]
		xor	edx, edx
		lea	ecx, [ebp-38h]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000130h

loc_75B806:				; CODE XREF: PAGE:0075B39Fj
					; PAGE:0075B7ADj ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_75B818:				; CODE XREF: PAGE:0075B54Aj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 3 dup(0CCh)
		dd 0CCCCCCCCh
; Exported entry 1446. MmMapViewOfSection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmMapViewOfSection
MmMapViewOfSection proc	near		; CODE XREF: NtInitializeNlsFiles+ABp
					; MmMapApiSetView+50p ...

var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 008D46D7 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 58h
		lea	eax, [esp+58h+var_58]
		push	esi
		push	edi
		push	58h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edi, [ebp+arg_18]
		lea	ecx, [esp+6Ch+var_58]
		mov	esi, [ebp+arg_8]
		add	esp, 0Ch
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_C]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	dword ptr [edi]
		push	dword ptr [esi]
		push	[ebp+arg_4]
		call	MiMapParametersInitialize
		test	eax, eax
		js	short loc_75B891
		mov	ecx, [ebp+arg_0]
		lea	edx, [esp+60h+var_58]
		push	1
		push	[ebp+arg_1C]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	esi
		call	MiMapViewOfSection
		mov	ecx, eax
		test	ecx, ecx
		js	loc_8D46D7
		mov	eax, [esp+60h+var_4C]
		mov	[edi], eax
		mov	eax, ecx

loc_75B891:				; CODE XREF: MmMapViewOfSection+41j
					; MmMapViewOfSection+178EBEj ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	28h
MmMapViewOfSection endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2082. RtlFindExportedRoutineByName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFindExportedRoutineByName(x, x)
		public _RtlFindExportedRoutineByName@8
_RtlFindExportedRoutineByName@8	proc near ; CODE XREF: MmGetSystemRoutineAddress+2Fp
					; MmGetSystemRoutineAddress+53p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_14]
		push	eax
		xor	esi, esi
		push	esi
		push	1
		push	edi
		mov	[ebp+var_14], esi
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_10], edx
		test	edx, edx
		jz	loc_75B97B
		mov	eax, [edx+20h]
		mov	ecx, [edx+18h]
		add	eax, edi
		mov	[ebp+var_18], eax
		mov	eax, [edx+24h]
		add	eax, edi
		sub	ecx, 1
		mov	[ebp+var_1C], eax
		mov	eax, esi
		mov	[ebp+var_C], eax
		js	loc_75B97B
		push	ebx

loc_75B8EC:				; CODE XREF: RtlFindExportedRoutineByName(x,x)+AAj
		lea	ebx, [eax+ecx]
		mov	eax, [ebp+var_18]
		sar	ebx, 1
		mov	eax, [eax+ebx*4]
		add	eax, edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_8], edi

loc_75B8FF:				; CODE XREF: RtlFindExportedRoutineByName(x,x)+98j
		mov	edi, [ebp+var_8]
		mov	dl, [edi]
		cmp	dl, [eax]
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_1], dl
		mov	edx, [ebp+var_10]
		jnz	short loc_75B983
		cmp	[ebp+var_1], 0
		jz	short loc_75B938
		mov	edi, [ebp+var_8]
		mov	dl, [edi+1]
		cmp	dl, [eax+1]
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_1], dl
		mov	edx, [ebp+var_10]
		jnz	short loc_75B983
		add	[ebp+var_8], 2
		add	eax, 2
		cmp	[ebp+var_1], 0
		jnz	short loc_75B8FF

loc_75B938:				; CODE XREF: RtlFindExportedRoutineByName(x,x)+77j
		mov	eax, esi

loc_75B93A:				; CODE XREF: RtlFindExportedRoutineByName(x,x)+EAj
		test	eax, eax
		js	short loc_75B94C
		jle	short loc_75B958
		lea	eax, [ebx+1]
		mov	[ebp+var_C], eax

loc_75B946:				; CODE XREF: RtlFindExportedRoutineByName(x,x)+B8j
		cmp	ecx, eax
		jge	short loc_75B8EC
		jmp	short loc_75B95B
; 

loc_75B94C:				; CODE XREF: RtlFindExportedRoutineByName(x,x)+9Ej
		test	ebx, ebx
		jz	short loc_75B97A
		mov	eax, [ebp+var_C]
		lea	ecx, [ebx-1]
		jmp	short loc_75B946
; 

loc_75B958:				; CODE XREF: RtlFindExportedRoutineByName(x,x)+A0j
		mov	eax, [ebp+var_C]

loc_75B95B:				; CODE XREF: RtlFindExportedRoutineByName(x,x)+ACj
		cmp	ecx, eax
		jl	short loc_75B97A
		mov	eax, [ebp+var_1C]
		movzx	ecx, word ptr [eax+ebx*2]
		cmp	ecx, [edx+14h]
		jnb	short loc_75B97A
		mov	eax, [edx+1Ch]
		lea	eax, [eax+ecx*4]
		mov	esi, [eax+edi]
		add	esi, edi
		cmp	esi, edx
		ja	short loc_75B98A

loc_75B97A:				; CODE XREF: RtlFindExportedRoutineByName(x,x)+B0j
					; RtlFindExportedRoutineByName(x,x)+BFj ...
		pop	ebx

loc_75B97B:				; CODE XREF: RtlFindExportedRoutineByName(x,x)+26j
					; RtlFindExportedRoutineByName(x,x)+47j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	8
; 

loc_75B983:				; CODE XREF: RtlFindExportedRoutineByName(x,x)+71j
					; RtlFindExportedRoutineByName(x,x)+8Bj
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_75B93A
; 

loc_75B98A:				; CODE XREF: RtlFindExportedRoutineByName(x,x)+DAj
		mov	ecx, [ebp+var_14]
		add	ecx, edx
		cmp	esi, ecx
		sbb	ecx, ecx
		not	ecx
		and	esi, ecx
		jmp	short loc_75B97A
_RtlFindExportedRoutineByName@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspWritePebAffinityInfo	proc near	; CODE XREF: PspSetupUserProcessAddressSpace+132p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A2Dp ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D46F2 SIZE 00000056 BYTES
; FUNCTION CHUNK AT 008D475E SIZE 00000028 BYTES

		push	40h
		push	offset dword_6A0738
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	edx, ecx
		mov	[ebp+var_44], esi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		mov	[ebp+var_38], eax
		and	[ebp+var_3C], eax
		mov	ecx, [esi+17Ch]
		mov	[ebp+var_40], ecx
		test	ecx, ecx
		jz	short loc_75BA26
		cmp	[esi+0E4h], eax
		jnz	loc_8D46F2

loc_75B9D6:				; CODE XREF: PspWritePebAffinityInfo+178D93j
					; PspWritePebAffinityInfo+178DA9j
		mov	[ebp+var_50], eax

loc_75B9D9:				; CODE XREF: PspWritePebAffinityInfo+53j
					; PspWritePebAffinityInfo+7Fj
		call	_MmGetMinWsPagePriority@0 ; MmGetMinWsPagePriority()
		bsf	eax, eax
		mov	[ebp+var_3C], eax
		mov	ecx, [esi+eax*4+48h]
		mov	[ebp+var_4C], ecx
		test	ecx, ecx
		jz	short loc_75B9D9
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+var_40]
		mov	[eax+0C0h], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_75BA03:				; CODE XREF: sub_8D474C+Dj
		and	[ebp+var_48], 0
		xor	ecx, ecx
		lea	eax, [ebp+var_48]
		lock or	[eax], ecx
		mov	eax, [ebp+var_3C]
		mov	eax, [esi+eax*4+48h]
		cmp	[ebp+var_4C], eax
		jnz	short loc_75B9D9
		mov	eax, [ebp+var_38]
		test	eax, eax
		jnz	loc_8D475E

loc_75BA26:				; CODE XREF: PspWritePebAffinityInfo+2Ej
					; PspWritePebAffinityInfo+178D88j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PspWritePebAffinityInfo	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspPrepareSystemDllInitBlock proc near	; CODE XREF: PspSetupUserProcessAddressSpace+11Fp
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A56p

var_60		= dword	ptr -60h
var_48		= dword	ptr -48h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D4786 SIZE 00000020 BYTES

		push	50h
		push	offset dword_6A0758
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		mov	ebx, ds:_PspSystemDllInitBlock
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		mov	ecx, [eax+0B8h]
		mov	[ebp+var_20], ecx
		mov	eax, [eax+0BCh]
		mov	[ebp+var_24], eax
		push	6
		lea	edi, [ebp+var_48]
		pop	ecx
		push	6
		test	edx, edx
		jz	loc_8D4786
		lea	esi, [edx+0D0h]
		rep movsd
		lea	esi, [edx+128h]
		pop	ecx
		lea	edi, [ebp+var_60]
		rep movsd

loc_75BA93:				; CODE XREF: PspPrepareSystemDllInitBlock+178D5Aj
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], esi
		cmp	dword ptr [ebx], 0F0h
		jnz	loc_8D4795
		mov	eax, ds:_PspSystemDlls
		mov	eax, [eax+20h]
		mov	[ebx+10h], eax
		mov	[ebx+14h], esi
		mov	[ebx+8], esi
		mov	[ebx+0Ch], esi
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		mov	[ebx+98h], eax
		mov	[ebx+9Ch], esi
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_75BAD9
		test	byte ptr [eax+9], 2
		jnz	short loc_75BB48

loc_75BAD9:				; CODE XREF: PspPrepareSystemDllInitBlock+9Bj
					; PspPrepareSystemDllInitBlock+119j
		lea	edi, [ebx+0A0h]
		push	6
		pop	ecx
		lea	esi, [ebp+var_48]
		rep movsd
		lea	edi, [ebx+0D8h]
		push	6
		pop	ecx
		lea	esi, [ebp+var_60]
		rep movsd
		mov	eax, [ebp+var_20]
		cdq
		mov	[ebx+0B8h], eax
		mov	[ebx+0BCh], edx
		mov	eax, [ebp+var_24]
		mov	[ebx+0C0h], eax
		xor	eax, eax
		mov	[ebx+0C4h], eax
		mov	[ebx+0C8h], eax
		mov	[ebx+0CCh], eax
		mov	[ebx+0D0h], eax
		mov	[ebx+0D4h], eax

loc_75BB2E:				; CODE XREF: sub_8D47B4+6j
		mov	[ebp+var_2C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_75BB38:				; CODE XREF: PspPrepareSystemDllInitBlock+178D6Bj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_75BB48:				; CODE XREF: PspPrepareSystemDllInitBlock+A1j
		or	dword ptr [ebx+9Ch], 1
		jmp	short loc_75BAD9
PspPrepareSystemDllInitBlock endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspCopyAndFixupParameters proc near	; CODE XREF: PspSetupUserProcessAddressSpace+112p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D47BF SIZE 00000054 BYTES

		push	24h
		push	offset dword_6A0778
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	[ebp+var_2C], ecx
		and	[ebp+var_1C], 0
		mov	edi, [ebp+arg_0]
		mov	ebx, [edi+7Ch]
		mov	eax, [ebx+290h]
		add	eax, [ebx]
		mov	[ebp+var_30], eax
		mov	esi, [edi+80h]
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		mov	[ebp+var_28], edx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_0], al
		test	byte ptr [edi+8], 40h
		jz	short loc_75BBB0
		test	byte ptr [edi+9], 1
		jnz	short loc_75BBB0
		or	dword ptr [ebx+8], 4000h

loc_75BBB0:				; CODE XREF: PspCopyAndFixupParameters+4Fj
					; PspCopyAndFixupParameters+55j
		cmp	dword ptr [edi+2Ch], 3
		jnz	short loc_75BBDC
		mov	eax, [ebx+10h]
		test	eax, eax
		jle	short loc_75BBDC
		push	[ebp+arg_0]
		push	6
		push	0
		push	0
		lea	edi, [ebp+var_1C]
		push	edi
		push	edx
		push	eax
		push	ecx
		call	ObDuplicateObject
		test	eax, eax
		js	short loc_75BBDC
		mov	eax, [ebp+var_1C]
		mov	[ebx+10h], eax

loc_75BBDC:				; CODE XREF: PspCopyAndFixupParameters+62j
					; PspCopyAndFixupParameters+69j ...
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jnz	loc_75BCD3

loc_75BBE7:				; CODE XREF: PspCopyAndFixupParameters+19Cj
		mov	edi, esi
		sub	edi, ebx
		and	[ebp+ms_exc.disabled], 0
		push	[ebp+var_30]	; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_75BC08
		add	eax, edi
		mov	[esi+28h], eax

loc_75BC08:				; CODE XREF: PspCopyAndFixupParameters+AFj
		mov	eax, [esi+34h]
		test	eax, eax
		jnz	loc_75BCC9

loc_75BC13:				; CODE XREF: PspCopyAndFixupParameters+17Cj
		mov	eax, [esi+3Ch]
		test	eax, eax
		jz	short loc_75BC1F
		add	eax, edi
		mov	[esi+3Ch], eax

loc_75BC1F:				; CODE XREF: PspCopyAndFixupParameters+C6j
		mov	eax, [esi+44h]
		test	eax, eax
		jz	short loc_75BC2B
		add	eax, edi
		mov	[esi+44h], eax

loc_75BC2B:				; CODE XREF: PspCopyAndFixupParameters+D2j
		mov	eax, [esi+74h]
		test	eax, eax
		jz	short loc_75BC37
		add	eax, edi
		mov	[esi+74h], eax

loc_75BC37:				; CODE XREF: PspCopyAndFixupParameters+DEj
		mov	eax, [esi+7Ch]
		test	eax, eax
		jz	short loc_75BC43
		add	eax, edi
		mov	[esi+7Ch], eax

loc_75BC43:				; CODE XREF: PspCopyAndFixupParameters+EAj
		mov	eax, [esi+84h]
		test	eax, eax
		jz	short loc_75BC55
		add	eax, edi
		mov	[esi+84h], eax

loc_75BC55:				; CODE XREF: PspCopyAndFixupParameters+F9j
		mov	eax, [esi+8Ch]
		test	eax, eax
		jnz	loc_8D47DF

loc_75BC63:				; CODE XREF: PspCopyAndFixupParameters+178C95j
		mov	eax, [esi+2A8h]
		test	eax, eax
		jnz	loc_8D47EC

loc_75BC71:				; CODE XREF: PspCopyAndFixupParameters+178CA2j
		mov	eax, [esi+2B0h]
		test	eax, eax
		jnz	loc_8D47F9

loc_75BC7F:				; CODE XREF: PspCopyAndFixupParameters+178CAFj
		mov	eax, [esi+2B4h]
		test	eax, eax
		jnz	loc_8D4806

loc_75BC8D:				; CODE XREF: PspCopyAndFixupParameters+178CBCj
		mov	eax, [esi+48h]
		test	eax, eax
		jz	short loc_75BC99
		add	eax, edi
		mov	[esi+48h], eax

loc_75BC99:				; CODE XREF: PspCopyAndFixupParameters+140j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+17Ch]
		mov	[eax+10h], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax

loc_75BCB7:				; CODE XREF: PspCopyAndFixupParameters+178C82j
					; sub_8D4821+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_75BCC9:				; CODE XREF: PspCopyAndFixupParameters+BBj
		add	eax, edi
		mov	[esi+34h], eax
		jmp	loc_75BC13
; 

loc_75BCD3:				; CODE XREF: PspCopyAndFixupParameters+8Fj
		lea	edx, [ebx+18h]
		mov	[ebp+var_24], edx
		xor	edi, edi

loc_75BCDB:				; CODE XREF: PspCopyAndFixupParameters+19Aj
		mov	eax, [ecx+edi*4]
		test	eax, eax
		jnz	short loc_75BCF3

loc_75BCE2:				; CODE XREF: PspCopyAndFixupParameters+1D3j
		add	edx, 4
		mov	[ebp+var_24], edx
		inc	edi
		cmp	edi, 3
		jb	short loc_75BCDB
		jmp	loc_75BBE7
; 

loc_75BCF3:				; CODE XREF: PspCopyAndFixupParameters+18Ej
		js	loc_8D47BF
		push	[ebp+arg_0]
		push	6
		push	0
		push	0
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_28]
		push	eax
		push	[ebp+var_2C]
		call	ObDuplicateObject
		mov	ecx, [ebp+var_1C]
		mov	edx, [ebp+var_24]

loc_75BD18:				; CODE XREF: PspCopyAndFixupParameters+178C77j
		test	eax, eax
		js	loc_8D47CE
		mov	[edx], ecx

loc_75BD22:				; CODE XREF: PspCopyAndFixupParameters+178C88j
		mov	ecx, [ebp+var_20]
		jmp	short loc_75BCE2
PspCopyAndFixupParameters endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PspSetProcessShortName(x, x)
_PspSetProcessShortName@8 proc near	; CODE XREF: PspInitializeFullProcessImageName+69p
					; PspSetMinimalProcessName(x,x)+64p
		mov	eax, [edx+4]
		push	esi
		lea	esi, [ecx+1ACh]
		movzx	ecx, word ptr [edx]
		add	ecx, eax
		xor	edx, edx
		test	eax, eax
		jz	short loc_75BD7A
		push	edi
		cmp	ecx, eax
		jbe	short loc_75BD5B

loc_75BD42:				; CODE XREF: PspSetProcessShortName(x,x)+28j
		mov	edi, ecx
		sub	ecx, 2
		cmp	word ptr [ecx],	5Ch
		jz	short loc_75BD54
		inc	edx
		cmp	ecx, eax
		ja	short loc_75BD42
		jmp	short loc_75BD56
; 

loc_75BD54:				; CODE XREF: PspSetProcessShortName(x,x)+23j
		mov	ecx, edi

loc_75BD56:				; CODE XREF: PspSetProcessShortName(x,x)+2Aj
		cmp	edx, 0Fh
		jnb	short loc_75BD7F

loc_75BD5B:				; CODE XREF: PspSetProcessShortName(x,x)+18j
					; PspSetProcessShortName(x,x)+5Aj
		push	ebx
		xor	ebx, ebx
		lea	eax, [esi+edx]
		cmp	eax, esi
		sbb	edi, edi
		not	edi
		and	edi, edx
		jbe	short loc_75BD78

loc_75BD6B:				; CODE XREF: PspSetProcessShortName(x,x)+4Ej
		mov	al, [ecx]
		lea	ecx, [ecx+2]
		mov	[esi], al
		inc	esi
		inc	ebx
		cmp	ebx, edi
		jb	short loc_75BD6B

loc_75BD78:				; CODE XREF: PspSetProcessShortName(x,x)+41j
		pop	ebx
		pop	edi

loc_75BD7A:				; CODE XREF: PspSetProcessShortName(x,x)+13j
		mov	byte ptr [esi],	0
		pop	esi
		retn
; 

loc_75BD7F:				; CODE XREF: PspSetProcessShortName(x,x)+31j
		push	0Eh
		pop	edx
		jmp	short loc_75BD5B
_PspSetProcessShortName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoEnergyContextStart(x)
_PoEnergyContextStart@4	proc near	; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+597p
					; PopEtInit+118p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [esp+30h+var_1C]
		push	6
		xor	eax, eax
		xor	bl, bl
		cmp	_PopEtGlobals, 0
		pop	ecx
		rep stosd
		mov	eax, [esi+3E0h]
		mov	[esp+30h+var_20], eax
		jz	short loc_75BE31
		mov	eax, large fs:124h
		lea	edi, [esi+0F0h]
		cmp	[eax+80h], esi
		jz	short loc_75BDEE
		mov	ecx, edi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_75BE35
		lea	eax, [esp+30h+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	KiStackAttachProcess
		inc	bl

loc_75BDEE:				; CODE XREF: PoEnergyContextStart(x)+4Dj
		mov	edx, [esp+30h+var_20]
		mov	ecx, esi
		add	edx, 1B8h
		call	PopEtGetProcessAppId
		mov	esi, eax
		test	esi, esi
		js	short loc_75BE07
		xor	esi, esi

loc_75BE07:				; CODE XREF: PoEnergyContextStart(x)+7Fj
		test	bl, bl
		jz	short loc_75BE1D
		xor	edx, edx
		lea	ecx, [esp+30h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, edi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_75BE1D:				; CODE XREF: PoEnergyContextStart(x)+85j
					; PoEnergyContextStart(x)+AFj ...
		mov	ecx, [esp+30h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_75BE31:				; CODE XREF: PoEnergyContextStart(x)+39j
		xor	esi, esi
		jmp	short loc_75BE1D
; 

loc_75BE35:				; CODE XREF: PoEnergyContextStart(x)+58j
		mov	esi, 0C000010Ah
		jmp	short loc_75BE1D
_PoEnergyContextStart@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEtGetProcessAppId proc near		; CODE XREF: PoEnergyContextStart(x)+76p

var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= word ptr -218h
var_216		= word ptr -216h
var_214		= word ptr -214h
var_212		= word ptr -212h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_F4		= dword	ptr -0F4h
var_70		= dword	ptr -70h
var_24		= dword	ptr -24h
var_8		= word ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D4833 SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 23Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_200], edx
		push	edi
		push	188h		; size_t
		lea	eax, [ebp+var_1F8]
		mov	[ebp+var_210], esi
		push	esi		; int
		push	eax		; void *
		mov	ebx, ecx
		mov	[ebp+var_20C], esi
		mov	[ebp+var_1FC], esi
		mov	[ebp+var_208], esi
		mov	[ebp+var_204], esi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_70]
		push	44h		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	edi, [ebx+1C0h]
		add	esp, 0Ch
		test	edi, edi
		jz	loc_8D4833
		cmp	[edi], si
		jz	loc_8D4833

loc_75BEB7:				; CODE XREF: PopEtGetProcessAppId+178A2Ej
		lea	edx, [ebp+var_210]
		mov	ecx, ebx
		call	PopEtGetProcessImageInfo
		lea	eax, [ebp+var_1F8]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_70]
		call	_PopEtGetProcessSidAndPackageIdentity@12 ; PopEtGetProcessSidAndPackageIdentity(x,x,x)
		lea	eax, [ebp+var_210]
		mov	[ebp+var_23C], esi
		mov	[ebp+var_22C], eax
		lea	edx, [ebp+var_1FC]
		lea	eax, [ebp+var_70]
		mov	[ebp+var_238], esi
		mov	[ebp+var_21C], eax
		lea	ecx, [ebp+var_23C]
		movzx	eax, byte ptr [ebp+var_70+1]
		add	ax, 2
		mov	[ebp+var_234], esi
		shl	ax, 2
		mov	[ebp+var_212], ax
		mov	eax, [edi+4]
		mov	[ebp+var_228], eax
		mov	ax, [edi]
		shr	ax, 1
		mov	[ebp+var_218], ax
		lea	eax, [ebp+var_1F4]
		mov	[ebp+var_224], eax
		mov	ax, word ptr [ebp+var_1F8]
		mov	[ebp+var_216], ax
		lea	eax, [ebp+var_F4]
		mov	[ebp+var_220], eax
		mov	ax, word ptr [ebp+var_1F8+2]
		mov	[ebp+var_230], esi
		mov	[ebp+var_214], ax
		call	_PopEtAppIdIntern@8 ; PopEtAppIdIntern(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_75BF9F
		mov	ecx, [ebp+var_200]
		mov	edi, esi
		mov	eax, [ebp+var_1FC]
		mov	[ecx], eax

loc_75BF86:				; CODE XREF: PopEtGetProcessAppId+169j
		test	esi, esi
		jnz	loc_8D486F

loc_75BF8E:				; CODE XREF: PopEtGetProcessAppId+178A3Aj
					; PopEtGetProcessAppId+178A50j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_75BF9F:				; CODE XREF: PopEtGetProcessAppId+138j
		mov	esi, [ebp+var_1FC]
		jmp	short loc_75BF86
PopEtGetProcessAppId endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtAppIdIntern(x,	x)
_PopEtAppIdIntern@8 proc near		; CODE XREF: PopEtGetProcessAppId+12Fp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_68], 2Ch
		push	50h		; size_t
		lea	eax, [ebp+var_58]
		mov	[ebp+var_5C], edi
		push	edi		; int
		push	eax		; void *
		mov	ebx, edx
		mov	[ebp+var_64], eax
		mov	esi, ecx
		call	_memset
		mov	eax, [esi+10h]
		lea	edx, [ebp+var_68]
		mov	[ebp+var_58], eax
		add	esp, 0Ch
		movzx	eax, word ptr [esi+2Ah]
		mov	[ebp+var_40], eax
		mov	eax, [esi+20h]
		mov	[ebp+var_48], eax
		movzx	eax, word ptr [esi+24h]
		add	eax, eax
		mov	[ebp+var_50], 8
		mov	[ebp+var_30], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_38], eax
		movzx	eax, word ptr [esi+26h]
		push	4
		pop	ecx
		add	eax, eax
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_20], eax
		mov	eax, [esi+18h]
		push	2
		pop	ecx
		mov	[ebp+var_28], eax
		movzx	eax, word ptr [esi+28h]
		mov	[ebp+var_2C], ecx
		add	eax, eax
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_C], ecx
		mov	ecx, _PopEtGlobals
		mov	[ebp+var_10], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_60], 5
		lea	ecx, [ecx+20h]
		mov	[ebp+var_18], eax
		call	RtlInternTableIntern
		test	eax, eax
		jz	short loc_75C06A
		mov	[ebx], eax

loc_75C059:				; CODE XREF: PopEtAppIdIntern(x,x)+C7j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_75C06A:				; CODE XREF: PopEtAppIdIntern(x,x)+ADj
		mov	edi, 0C000009Ah
		jmp	short loc_75C059
_PopEtAppIdIntern@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlInternTableIntern proc near		; CODE XREF: PopEtAppIdIntern(x,x)+A6p
					; PopEtStringIntern(x,x,x)+45p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D4891 SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, edx
		lea	edx, [ebp+var_4]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_20], ebx
		push	edi
		and	dword ptr [ebx+0Ch], 0
		mov	ecx, ebx
		mov	[ebp+var_1C], esi
		call	RtlpInternEntryHash
		mov	ecx, [esi+0Ch]
		mov	edi, eax
		push	1
		push	esi
		mov	[ebp+var_10], edi
		call	dword ptr [ecx+8]
		push	[ebp+var_4]
		mov	edx, ebx
		mov	ecx, esi
		push	edi
		call	RtlpInternEntryFind
		mov	edi, eax
		mov	eax, [esi+0Ch]
		push	1
		push	esi
		test	edi, edi
		jz	short loc_75C0D9
		call	dword ptr [eax+0Ch]

loc_75C0C3:				; CODE XREF: RtlInternTableIntern+161j
					; RtlInternTableIntern+178821j	...
		mov	ecx, [ebx+0Ch]
		mov	eax, ecx
		and	al, 3
		cmp	al, 1
		jz	loc_8D48C8

loc_75C0D2:				; CODE XREF: RtlInternTableIntern+178879j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_75C0D9:				; CODE XREF: RtlInternTableIntern+4Cj
		mov	ecx, [esi+10h]
		mov	[ebp+var_8], ecx
		mov	ecx, [esi+14h]
		mov	[ebp+var_14], ecx
		call	dword ptr [eax+0Ch]
		push	[ebp+var_4]
		mov	edi, [ebp+var_10]
		mov	edx, ebx
		push	edi
		mov	ecx, esi
		call	RtlpInternEntryCreate
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_8D4891
		mov	eax, [esi+0Ch]
		push	0
		push	esi
		call	dword ptr [eax+8]
		mov	eax, [ebp+var_8]
		cmp	eax, [esi+10h]
		jnz	loc_8D4898
		mov	eax, [ebp+var_14]
		cmp	eax, [esi+14h]
		jnz	loc_8D4898

loc_75C124:				; CODE XREF: RtlInternTableIntern+17883Dj
		mov	eax, [esi+4]
		mov	edx, eax
		and	[ebp+var_8], 0
		shr	edx, 5
		push	2
		pop	edi
		lea	ecx, [edx+edx]
		cmp	[esi], ecx
		jb	short loc_75C156
		mov	[ebp+var_18], eax
		lea	ecx, [ebp+var_8]
		mov	eax, edx
		mul	edi
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		jns	loc_75C1DE
		mov	eax, [ebp+var_18]

loc_75C156:				; CODE XREF: RtlInternTableIntern+C6j
					; RtlInternTableIntern+26Dj ...
		mov	edi, [ebp+var_C]
		mov	edx, eax
		and	eax, 1Fh
		shr	edx, 5
		mov	ecx, eax
		or	eax, 0FFFFFFFFh
		shl	eax, cl
		and	eax, [edi+4]
		mov	[ebp+var_20], eax
		mov	[ebp+var_10], eax
		movzx	eax, al
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		mov	eax, [ebp+var_20]
		movzx	eax, ah
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_10+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_10+3]
		imul	ecx, 25h
		add	ecx, eax
		dec	edx
		and	edx, ecx
		mov	ecx, [esi+8]
		mov	eax, [ecx+edx*4]
		mov	[edi], eax
		mov	[ecx+edx*4], edi
		inc	dword ptr [esi]
		add	dword ptr [esi+10h], 1
		adc	dword ptr [esi+14h], 0
		or	dword ptr [ebx+0Ch], 2
		mov	eax, [esi+0Ch]
		mov	eax, [eax+10h]
		test	eax, eax
		jz	short loc_75C1C1
		push	ebx
		push	edi
		push	esi
		call	eax

loc_75C1C1:				; CODE XREF: RtlInternTableIntern+148j
		and	[ebp+var_C], 0

loc_75C1C5:				; CODE XREF: RtlInternTableIntern+178837j
					; RtlInternTableIntern+178844j
		mov	eax, [esi+0Ch]
		push	0
		push	esi
		call	dword ptr [eax+0Ch]
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	loc_75C0C3
		jmp	loc_8D48BB
; 

loc_75C1DE:				; CODE XREF: RtlInternTableIntern+DBj
		mov	edi, [ebp+var_8]
		cmp	edi, 4
		jnb	short loc_75C1E9
		push	4
		pop	edi

loc_75C1E9:				; CODE XREF: RtlInternTableIntern+172j
		mov	eax, edi
		push	esi
		shl	eax, 2
		push	eax
		call	_RtlpInternHashBucketsAllocate@8 ; RtlpInternHashBucketsAllocate(x,x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	loc_75C2D9
		lea	ecx, [edi-1]
		test	ecx, edi
		jz	short loc_75C21A
		or	ecx, 0FFFFFFFFh
		test	edi, edi
		jz	short loc_75C215

loc_75C210:				; CODE XREF: RtlInternTableIntern+1A1j
		inc	ecx
		shr	edi, 1
		jnz	short loc_75C210

loc_75C215:				; CODE XREF: RtlInternTableIntern+19Cj
		xor	edi, edi
		inc	edi
		shl	edi, cl

loc_75C21A:				; CODE XREF: RtlInternTableIntern+195j
		mov	eax, 4000000h
		cmp	edi, eax
		jbe	short loc_75C225
		mov	edi, eax

loc_75C225:				; CODE XREF: RtlInternTableIntern+1AFj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		and	[ebp+var_8], 0
		or	eax, 1
		mov	[ebp+var_14], edx
		mov	edx, edi
		shl	edx, 2
		add	ecx, edx
		shr	edx, 2
		cmp	ecx, [ebp+var_4]
		sbb	ecx, ecx
		not	ecx
		and	ecx, edx
		jbe	short loc_75C259
		mov	edx, [ebp+var_14]

loc_75C24C:				; CODE XREF: RtlInternTableIntern+1E5j
		inc	[ebp+var_8]
		mov	[edx], eax
		lea	edx, [edx+4]
		cmp	[ebp+var_8], ecx
		jb	short loc_75C24C

loc_75C259:				; CODE XREF: RtlInternTableIntern+1D5j
		mov	eax, [esi+4]
		or	edx, 0FFFFFFFFh
		and	[ebp+var_14], 0
		mov	ecx, eax
		and	ecx, 1Fh
		shl	edx, cl
		mov	[ebp+var_18], edx
		test	eax, 0FFFFFFE0h
		jbe	loc_75C2FB
		mov	ebx, [ebp+var_14]

loc_75C27B:				; CODE XREF: RtlInternTableIntern+284j
		mov	edx, [esi+8]
		mov	[ebp+var_14], edx

loc_75C281:				; CODE XREF: RtlInternTableIntern+265j
		mov	ecx, [edx+ebx*4]
		mov	[ebp+var_10], ecx
		test	ecx, 1
		jnz	short loc_75C2EA
		mov	eax, [ecx]
		mov	[edx+ebx*4], eax
		mov	edx, [ecx+4]
		and	edx, [ebp+var_18]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	esi, [ebp+var_10]
		imul	ecx, eax, 25h
		movzx	eax, dh
		mov	[ebp+var_8], edx
		lea	edx, [edi-1]
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+3]
		imul	ecx, 25h
		add	ecx, eax
		and	edx, ecx
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+edx*4]
		mov	[esi], eax
		mov	eax, esi
		mov	[ecx+edx*4], eax
		mov	edx, [ebp+var_14]
		jmp	short loc_75C281
; 

loc_75C2D9:				; CODE XREF: RtlInternTableIntern+18Aj
		mov	eax, [esi+4]
		cmp	eax, 20h
		jnb	loc_75C156
		jmp	loc_8D48B4
; 

loc_75C2EA:				; CODE XREF: RtlInternTableIntern+21Bj
		mov	esi, [ebp+var_1C]
		inc	ebx
		mov	eax, [esi+4]
		shr	eax, 5
		cmp	ebx, eax
		jb	short loc_75C27B
		mov	ebx, [ebp+var_20]

loc_75C2FB:				; CODE XREF: RtlInternTableIntern+200j
		mov	ecx, [esi+8]
		mov	eax, [ebp+var_4]
		mov	[esi+8], eax
		mov	eax, [esi+4]
		and	eax, 1Fh
		shl	edi, 5
		or	eax, edi
		mov	[esi+4], eax
		test	ecx, ecx
		jz	loc_75C156
		push	esi
		push	ecx
		call	_RtlpInternHashBucketsFree@8 ; RtlpInternHashBucketsFree(x,x)
		mov	eax, [esi+4]
		jmp	loc_75C156
RtlInternTableIntern endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopEtInternerUnlock(x, x)
_PopEtInternerUnlock@8 proc near	; DATA XREF: PopEtInit+7Ao
		mov	ecx, _PopEtGlobals
		add	ecx, 14h
		cmp	dword ptr [ecx+4], 0
		jz	short loc_75C33D
		and	dword ptr [ecx+4], 0

loc_75C33D:				; CODE XREF: PopEtInternerUnlock(x,x)+Dj
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		retn	8
_PopEtInternerUnlock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtInternerLock(x, x)
_PopEtInternerLock@8 proc near		; DATA XREF: PopEtInit+73o

arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		cmp	[ebp+arg_4], 0
		jz	short loc_75C379
		mov	ecx, _PopEtGlobals
		lea	ecx, [ecx+14h]
		nop
		xor	edx, edx
		call	ExAcquirePushLockSharedEx

loc_75C375:				; CODE XREF: PopEtInternerLock(x,x)+49j
		pop	ebp
		retn	8
; 

loc_75C379:				; CODE XREF: PopEtInternerLock(x,x)+16j
		push	esi
		mov	esi, _PopEtGlobals
		nop
		xor	edx, edx
		lea	ecx, [esi+14h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+18h], eax
		pop	esi
		jmp	short loc_75C375
_PopEtInternerLock@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpInternEntryFind proc near		; CODE XREF: RtlInternTableIntern+3Dp
					; RtlInternTableIntern+17882Ep

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D48F0 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], eax
		or	edx, 0FFFFFFFFh
		push	ebx
		push	esi
		mov	eax, [eax+4]
		mov	ecx, eax
		and	ecx, 1Fh
		mov	[ebp+var_10], eax
		shl	edx, cl
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edx
		mov	ebx, edx
		mov	esi, edi
		and	ebx, [ebp+arg_0]
		mov	[ebp+arg_0], ebx

loc_75C3CA:				; CODE XREF: RtlpInternEntryFind+A2j
		test	esi, esi
		jnz	short loc_75C40E
		mov	edx, eax
		shr	edx, 5
		test	edx, edx
		jz	loc_75C45B
		movzx	eax, bl
		imul	ecx, eax, 25h
		movzx	eax, bh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+arg_0+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+arg_0+3]
		imul	ecx, 25h
		add	eax, 164B2F3Fh
		add	eax, ecx
		lea	ecx, [edx-1]
		mov	edx, [ebp+var_4]
		and	ecx, eax
		mov	eax, [ebp+var_8]
		mov	eax, [eax+8]
		lea	esi, [eax+ecx*4]

loc_75C40E:				; CODE XREF: RtlpInternEntryFind+34j
					; RtlpInternEntryFind+87j
		mov	esi, [esi]
		test	esi, 1
		jnz	short loc_75C464
		mov	eax, [esi+4]
		and	eax, edx
		cmp	ebx, eax
		jnz	short loc_75C40E

loc_75C421:				; CODE XREF: RtlpInternEntryFind+CEj
		test	esi, esi
		jz	short loc_75C45B
		push	[ebp+arg_4]
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_RtlpInternEntryMatch@12 ; RtlpInternEntryMatch(x,x,x)
		mov	edx, [ebp+var_4]
		test	al, al
		mov	eax, [ebp+var_10]
		jz	short loc_75C3CA
		lea	ebx, [esi+8]
		mov	edx, [ebx]
		lea	ecx, [edx+1]

loc_75C444:				; CODE XREF: RtlpInternEntryFind+D3j
		cmp	ecx, 1
		jbe	loc_8D48F0
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		mov	ecx, eax
		cmp	ecx, edx
		jnz	short loc_75C468
		mov	edi, esi

loc_75C45B:				; CODE XREF: RtlpInternEntryFind+3Dj
					; RtlpInternEntryFind+8Bj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_75C464:				; CODE XREF: RtlpInternEntryFind+7Ej
		mov	esi, edi
		jmp	short loc_75C421
; 

loc_75C468:				; CODE XREF: RtlpInternEntryFind+BFj
		mov	edx, ecx
		inc	ecx
		jmp	short loc_75C444
RtlpInternEntryFind endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpInternEntryHash proc near		; CODE XREF: RtlInternTableIntern+22p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D4903 SIZE 00000061 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ecx+8]
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ecx]
		push	esi
		mov	esi, 4CB2Fh
		test	eax, eax
		jz	loc_75C552
		mov	ecx, [ecx+4]
		mov	[ebp+var_4], ecx
		push	edi

loc_75C497:				; CODE XREF: RtlpInternEntryHash+DDj
		mov	edx, [ecx+0Ch]
		mov	edi, [ecx+8]
		lea	ecx, [ebx-1]
		add	ecx, edx
		dec	ebx
		lea	eax, [edx-1]
		and	ecx, eax
		mov	eax, edi
		sub	eax, ecx
		mov	ecx, [ebp+var_4]
		add	eax, edx
		add	ebx, eax
		mov	[ebp+var_10], ebx
		mov	edx, [ecx]
		cmp	edi, 8
		jl	loc_8D4903
		mov	eax, edi
		shr	eax, 3
		mov	[ebp+var_C], eax
		mov	ebx, eax
		imul	eax, -8
		add	edi, eax

loc_75C4D0:				; CODE XREF: RtlpInternEntryHash+B5j
		movzx	eax, byte ptr [edx+1]
		imul	ecx, eax, 25h
		movzx	eax, byte ptr [edx+2]
		add	ecx, eax
		movzx	eax, byte ptr [edx+3]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+4]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+5]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+6]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx]
		imul	ecx, 25h
		imul	eax, 1A617D0Dh
		add	ecx, eax
		imul	eax, esi, 2FE8ED1Fh
		movzx	esi, byte ptr [edx+7]
		add	edx, 8
		sub	ecx, eax
		add	esi, ecx
		sub	ebx, 1
		jnz	short loc_75C4D0
		mov	ebx, [ebp+var_10]
		mov	ecx, [ebp+var_4]
		jmp	loc_8D4903
; 

loc_75C530:				; CODE XREF: RtlpInternEntryHash+1784A1j
					; RtlpInternEntryHash+1784F1j
		movzx	eax, byte ptr [edx]
		imul	esi, 25h
		add	esi, eax
		inc	edx

loc_75C539:				; CODE XREF: RtlpInternEntryHash+178498j
		movzx	eax, byte ptr [edx]
		imul	esi, 25h
		add	esi, eax

loc_75C541:				; CODE XREF: RtlpInternEntryHash+1784BEj
		add	ecx, 10h
		sub	[ebp+var_8], 1
		mov	[ebp+var_4], ecx
		jnz	loc_75C497
		pop	edi

loc_75C552:				; CODE XREF: RtlpInternEntryHash+1Cj
		mov	eax, [ebp+var_14]
		mov	[eax], ebx
		lea	eax, [ebx+esi]
		pop	esi
		pop	ebx
		leave
		retn
RtlpInternEntryHash endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtGetProcessSidAndPackageIdentity(x, x, x)
_PopEtGetProcessSidAndPackageIdentity@12 proc near ; CODE XREF:	PopEtGetProcessAppId+94p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], edx
		push	ecx
		mov	[esi], eax
		mov	[ebp+var_10], ecx
		stosd
		mov	byte ptr [ebp+var_1], 0
		stosd
		stosd
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	ebx, eax
		lea	eax, [ebp+arg_0+3]
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		push	ebx
		call	_PsQueryProcessAttributesByToken@12 ; PsQueryProcessAttributesByToken(x,x,x)
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_75C5C8

loc_75C59B:				; CODE XREF: PopEtGetProcessSidAndPackageIdentity(x,x,x)+95j
					; PopEtGetProcessSidAndPackageIdentity(x,x,x)+AAj
		mov	edi, [ebp+var_C]
		lea	eax, [ebp+arg_0]
		push	eax
		push	44h
		mov	edx, edi
		mov	ecx, ebx
		call	_SeQueryUserSidToken@16	; SeQueryUserSidToken(x,x,x,x)
		test	eax, eax
		js	short loc_75C60A

loc_75C5B1:				; CODE XREF: PopEtGetProcessSidAndPackageIdentity(x,x,x)+B1j
		mov	ecx, [ebp+var_10]
		mov	edx, ebx
		add	ecx, 12Ch
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_75C5C8:				; CODE XREF: PopEtGetProcessSidAndPackageIdentity(x,x,x)+3Bj
		push	0
		lea	eax, [ebp+var_8]
		mov	[ebp+arg_0], 100h
		push	eax
		lea	eax, [esi+104h]
		mov	[ebp+var_8], 84h
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [esi+4]
		push	eax
		push	ebx
		call	_RtlQueryPackageIdentity@24 ; RtlQueryPackageIdentity(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_75C59B
		mov	eax, [ebp+arg_0]
		shr	eax, 1
		dec	eax
		mov	[esi], ax
		mov	eax, [ebp+var_8]
		shr	eax, 1
		dec	eax
		mov	[esi+2], ax
		jmp	short loc_75C59B
; 

loc_75C60A:				; CODE XREF: PopEtGetProcessSidAndPackageIdentity(x,x,x)+51j
		xor	eax, eax
		stosd
		stosd
		stosd
		jmp	short loc_75C5B1
_PopEtGetProcessSidAndPackageIdentity@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEtGetProcessImageInfo proc near	; CODE XREF: PopEtGetProcessAppId+83p

ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6A0798
		call	__SEH_prolog4
		mov	edi, edx
		xor	esi, esi
		mov	[edi], esi
		mov	[edi+4], esi
		test	byte ptr [ecx+3A8h], 1
		jnz	short loc_75C65B
		push	ecx
		call	_PsGetProcessSectionBaseAddress@4 ; PsGetProcessSectionBaseAddress(x)
		test	eax, eax
		jz	short loc_75C65B
		mov	[ebp+ms_exc.disabled], esi
		push	eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_75C654
		mov	eax, [ecx+58h]
		mov	[edi], eax
		mov	eax, [ecx+8]
		mov	[edi+4], eax

loc_75C654:				; CODE XREF: PopEtGetProcessImageInfo+35j
					; sub_8D4972+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_75C65B:				; CODE XREF: PopEtGetProcessImageInfo+1Cj
					; PopEtGetProcessImageInfo+26j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopEtGetProcessImageInfo endp

; 
		align 2

;  S U B	R O U T	I N E 


EtwpAppStateChangeSummaryShouldLogCommandLine proc near	; CODE XREF: EtwTraceProcess+12Ap
					; EtwTraceAppStateChange+17DD65p
		mov	eax, [ecx+1C0h]
		push	ebx
		xor	bl, bl
		test	eax, eax
		jz	short loc_75C6D0
		movzx	ecx, word ptr [eax]
		test	cx, cx
		jz	short loc_75C6D0
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, [eax+4]
		shr	edi, 1
		lea	esi, [ecx+edi*2]

loc_75C68F:				; CODE XREF: EtwpAppStateChangeSummaryShouldLogCommandLine+2Ej
		cmp	esi, ecx
		jz	short loc_75C6A0
		mov	eax, esi
		sub	esi, 2
		cmp	word ptr [esi],	5Ch
		jnz	short loc_75C68F
		mov	esi, eax

loc_75C6A0:				; CODE XREF: EtwpAppStateChangeSummaryShouldLogCommandLine+23j
		mov	eax, esi
		sub	eax, ecx
		sar	eax, 1
		sub	edi, eax
		push	edi		; size_t
		push	offset ??_C@_1BI@GOFOEOMC@?$AAs?$AAv?$AAc?$AAh?$AAo?$AAs?$AAt?$AA?4?$AAe?$AAx?$AAe@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_75C6D4
		push	edi		; size_t
		push	offset ??_C@_1BO@DGNLKEMN@?$AAo?$AAe?$AAm?$AAs?$AAv?$AAc?$AAh?$AAo?$AAs?$AAt?$AA?4?$AAe?$AAx?$AAe@NNGAKEGL@ ; "oemsvchost.exe"
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_75C6D4

loc_75C6CE:				; CODE XREF: EtwpAppStateChangeSummaryShouldLogCommandLine+68j
		pop	edi
		pop	esi

loc_75C6D0:				; CODE XREF: EtwpAppStateChangeSummaryShouldLogCommandLine+Bj
					; EtwpAppStateChangeSummaryShouldLogCommandLine+13j
		mov	al, bl
		pop	ebx
		retn
; 

loc_75C6D4:				; CODE XREF: EtwpAppStateChangeSummaryShouldLogCommandLine+4Bj
					; EtwpAppStateChangeSummaryShouldLogCommandLine+5Ej
		mov	bl, 1
		jmp	short loc_75C6CE
EtwpAppStateChangeSummaryShouldLogCommandLine endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspInitializeFullProcessImageName proc near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1704p

var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D497D SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 124h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+124h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	108h		; size_t
		lea	eax, [esp+134h+var_110]
		mov	edi, edx
		push	0		; int
		push	eax		; void *
		mov	[esp+13Ch+var_11C], edi
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		xor	esi, esi
		test	byte ptr [edi+3A8h], 1
		jnz	loc_75C83A
		test	ebx, ebx
		jz	loc_8D497D
		mov	ebx, [ebx+6Ch]

loc_75C72D:				; CODE XREF: PspInitializeFullProcessImageName+1782BDj
		mov	eax, [ebx+30h]
		lea	edx, [esp+130h+var_118]
		mov	[esp+130h+var_118], eax
		mov	ecx, edi
		mov	eax, [ebx+34h]
		mov	[esp+130h+var_114], eax
		call	_PspSetProcessShortName@8 ; PspSetProcessShortName(x,x)
		push	0
		lea	eax, [esp+134h+var_120]
		mov	esi, 108h
		push	eax
		push	esi
		lea	edx, [esp+13Ch+var_110]
		mov	[esp+13Ch+var_120], esi
		mov	ecx, ebx
		call	ObQueryNameStringMode
		mov	edi, eax
		cmp	edi, 80000005h
		jz	loc_75C7FC
		cmp	edi, 0C0000023h
		jz	loc_75C7FC
		cmp	edi, 0C0000004h
		jz	short loc_75C7FC
		test	edi, edi
		js	loc_75C83A
		mov	ecx, [esp+130h+var_120]
		lea	eax, [ecx-9]
		cmp	eax, 0FFh
		ja	loc_75C83A
		push	6E497350h
		push	ecx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_75C83A
		mov	ecx, [esp+130h+var_110]
		mov	[esi], ecx
		lea	ecx, [esi+8]
		mov	[esi+4], ecx
		movzx	eax, word ptr [esp+130h+var_110+2]
		push	eax		; size_t
		push	[esp+134h+var_10C] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_75C7D7:				; CODE XREF: PspInitializeFullProcessImageName+1782CAj
					; PspInitializeFullProcessImageName+1782D4j
		test	edi, edi
		js	short loc_75C83A

loc_75C7DB:				; CODE XREF: PspInitializeFullProcessImageName+15Bj
					; PspInitializeFullProcessImageName+194j ...
		mov	eax, [esp+130h+var_11C]
		mov	ecx, [esp+130h+var_4]
		mov	[eax+1C0h], esi
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_75C7FC:				; CODE XREF: PspInitializeFullProcessImageName+92j
					; PspInitializeFullProcessImageName+9Ej ...
		cmp	[esp+130h+var_120], esi
		jbe	short loc_75C83A
		push	6E497350h
		push	[esp+134h+var_120]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_75C83A
		push	0
		lea	eax, [esp+134h+var_120]
		mov	edx, esi
		push	eax
		push	[esp+138h+var_120]
		mov	ecx, ebx
		call	ObQueryNameStringMode
		mov	edi, eax
		test	edi, edi
		jns	short loc_75C7DB
		jmp	loc_8D499A
; 

loc_75C83A:				; CODE XREF: PspInitializeFullProcessImageName+44j
					; PspInitializeFullProcessImageName+AEj ...
		push	8
		pop	eax
		push	6E497350h
		push	eax
		push	200h
		mov	[esp+13Ch+var_120], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8D49B1
		push	[esp+130h+var_120] ; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		xor	edi, edi
		jmp	loc_75C7DB
PspInitializeFullProcessImageName endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspRundownSingleProcess(x, x)
_PspRundownSingleProcess@8 proc	near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C44p
					; PspExitThread+47Ap ...

var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[esp+30h+var_1D], dl
		push	6
		xor	eax, eax
		lea	edi, [esp+34h+var_1C]
		pop	ecx
		rep stosd
		mov	edi, large fs:124h
		test	dl, dl
		jnz	loc_75C947
		dec	word ptr [edi+13Ch]
		nop
		lea	esi, [ebx+0E0h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		cmp	dword ptr [ebx+1D8h], 0
		jnz	short loc_75C8F4
		lea	edx, [ebx+0FCh]
		mov	esi, 2000008h
		mov	eax, [edx]

loc_75C8D8:				; CODE XREF: PspRundownSingleProcess(x,x)+6Ej
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_75C8D8
		lea	esi, [ebx+0E0h]
		test	eax, 2000000h
		jnz	short loc_75C8F4
		mov	[esp+30h+var_1D], 1

loc_75C8F4:				; CODE XREF: PspRundownSingleProcess(x,x)+57j
					; PspRundownSingleProcess(x,x)+7Bj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_75C908
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_75C908:				; CODE XREF: PspRundownSingleProcess(x,x)+8Dj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		cmp	[esp+30h+var_1D], 0
		jnz	short loc_75C947
		mov	ecx, ebx
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jz	loc_75CAAF
		push	1
		mov	edx, eax
		mov	ecx, ebx
		call	ExSweepHandleTable
		lea	ecx, [ebx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_75CAAF
; 

loc_75C947:				; CODE XREF: PspRundownSingleProcess(x,x)+33j
					; PspRundownSingleProcess(x,x)+A9j
		lea	esi, [ebx+0F0h]
		mov	ecx, esi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, esi
		call	@ExRundownCompleted@4 ;	ExRundownCompleted(x)
		xor	esi, esi
		cmp	[ebx+158h], esi
		jz	loc_75C9EB
		lea	ecx, [ebx+0F8h]
		test	byte ptr [ecx],	1
		jnz	short loc_75C9EB
		mov	eax, [ebx+34Ch]
		push	8
		pop	edx
		cmp	eax, 0C0000096h
		jg	loc_75CAC5
		cmp	eax, 0C000008Ch
		jge	short loc_75C9D0
		cmp	eax, 80000001h
		jl	loc_75CAF8
		cmp	eax, 80000004h
		jle	short loc_75C9D0
		cmp	eax, 0C0000004h
		jle	loc_75CAF8
		cmp	eax, 0C0000006h
		jle	short loc_75C9D0
		cmp	eax, 0C000001Dh
		jz	short loc_75C9D0
		cmp	eax, 0C0000024h
		jle	loc_75CAF8
		cmp	eax, 0C0000026h
		jg	loc_75CAF8

loc_75C9D0:				; CODE XREF: PspRundownSingleProcess(x,x)+11Bj
					; PspRundownSingleProcess(x,x)+12Dj ...
		mov	esi, edx

loc_75C9D2:				; CODE XREF: PspRundownSingleProcess(x,x)+289j
		push	20h
		call	@RtlInterlockedSetClearBits@12 ; RtlInterlockedSetClearBits(x,x,x)
		push	ecx
		push	dword ptr [ebx+0E4h]
		mov	edx, esi
		mov	ecx, ebx
		call	_PspSendProcessNotificationToJobChain@16 ; PspSendProcessNotificationToJobChain(x,x,x,x)
		xor	esi, esi

loc_75C9EB:				; CODE XREF: PspRundownSingleProcess(x,x)+F1j
					; PspRundownSingleProcess(x,x)+100j
		test	dword ptr [ebx+0FCh], 40000h
		jz	short loc_75CA26
		lea	eax, [esp+30h+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	KiStackAttachProcess
		cmp	[ebx+18Ch], esi
		jz	short loc_75CA14
		mov	ecx, ebx
		call	_ObKillProcess@4 ; ObKillProcess(x)

loc_75CA14:				; CODE XREF: PspRundownSingleProcess(x,x)+199j
		mov	ecx, ebx
		call	MmCleanProcessAddressSpace
		xor	edx, edx
		lea	ecx, [esp+30h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_75CA26:				; CODE XREF: PspRundownSingleProcess(x,x)+183j
		cmp	[ebx+4CCh], esi
		jz	short loc_75CA40
		push	esi
		push	dword ptr [ebx+4CCh]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebx+4CCh], esi

loc_75CA40:				; CODE XREF: PspRundownSingleProcess(x,x)+1BAj
		mov	ecx, [ebx+15Ch]
		test	ecx, ecx
		jz	short loc_75CA55
		mov	[ebx+15Ch], esi
		call	ObfDereferenceObject

loc_75CA55:				; CODE XREF: PspRundownSingleProcess(x,x)+1D6j
		mov	ecx, [ebx+1A8h]
		test	ecx, ecx
		jz	short loc_75CA6F
		mov	edx, 72437350h
		call	ObfDereferenceObjectWithTag
		mov	[ebx+1A8h], esi

loc_75CA6F:				; CODE XREF: PspRundownSingleProcess(x,x)+1EBj
		test	dword ptr [ebx+0FCh], 40000h
		jz	short loc_75CA82
		mov	ecx, ebx
		call	KeSetProcess

loc_75CA82:				; CODE XREF: PspRundownSingleProcess(x,x)+207j
		cmp	[ebx+158h], esi
		jz	short loc_75CA9D
		push	esi
		push	4
		xor	edx, edx
		mov	ecx, ebx
		call	PspRemoveProcessFromJobChain
		mov	ecx, ebx
		call	_PspNotifyEmptyJobsInJobChain@4	; PspNotifyEmptyJobsInJobChain(x)

loc_75CA9D:				; CODE XREF: PspRundownSingleProcess(x,x)+216j
		mov	edx, [ebx+0E4h]
		test	edx, edx
		jz	short loc_75CAAF
		push	ebx
		mov	ecx, edi
		call	_PspClearProcessThreadCidRefs@12 ; PspClearProcessThreadCidRefs(x,x,x)

loc_75CAAF:				; CODE XREF: PspRundownSingleProcess(x,x)+B4j
					; PspRundownSingleProcess(x,x)+D0j ...
		mov	ecx, [esp+30h+var_4]
		mov	al, [esp+30h+var_1D]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_75CAC5:				; CODE XREF: PspRundownSingleProcess(x,x)+110j
		cmp	eax, 0C00000FDh
		jz	loc_75C9D0
		cmp	eax, 0C000013Ah
		jz	loc_75C9D0
		cmp	eax, 0C00002B3h
		jle	short loc_75CAF8
		cmp	eax, 0C00002B5h
		jle	loc_75C9D0
		cmp	eax, 0C00002C9h
		jz	loc_75C9D0

loc_75CAF8:				; CODE XREF: PspRundownSingleProcess(x,x)+122j
					; PspRundownSingleProcess(x,x)+134j ...
		push	7
		pop	esi
		jmp	loc_75C9D2
_PspRundownSingleProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExSweepHandleTable proc	near		; CODE XREF: PspRundownSingleProcess(x,x)+C0p
					; EtwpQueryProcessCommandLine+1D1p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D49BB SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_28], edx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_30], ebx
		mov	ecx, 6
		mov	[ebp+var_21], al
		lea	edi, [ebp+var_20]
		rep stosd
		mov	edi, large fs:124h
		mov	[ebp+var_2C], edi
		cmp	[edi+80h], ebx
		jnz	loc_8D49BB

loc_75CB42:				; CODE XREF: ExSweepHandleTable+177ECFj
		xor	ebx, ebx
		mov	esi, 4
		dec	word ptr [edi+13Ch]
		nop

loc_75CB51:				; CODE XREF: ExSweepHandleTable+83j
		push	esi
		mov	ecx, edx
		call	ExpLookupHandleTableEntry
		mov	edi, eax
		test	edi, edi
		jz	short loc_75CBBD
		nop

loc_75CB60:				; CODE XREF: ExSweepHandleTable+7Bj
					; ExSweepHandleTable+90j ...
		mov	edx, [edi]
		test	dl, 1
		jnz	short loc_75CB85
		test	edx, edx
		jnz	loc_8D49D4

loc_75CB6F:				; CODE XREF: ExSweepHandleTable+B8j
					; ExSweepHandleTable+BBj
		add	esi, 4
		add	edi, 8
		test	esi, 7FFh
		jnz	short loc_75CB60
		mov	edx, [ebp+var_28]
		add	esi, 4
		jmp	short loc_75CB51
; 

loc_75CB85:				; CODE XREF: ExSweepHandleTable+65j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_75CB60
		mov	ecx, [ebp+var_28]
		mov	edx, edi
		push	1
		push	[ebp+arg_0]
		push	esi
		push	[ebp+var_30]
		call	_ObCloseHandleTableEntry@24 ; ObCloseHandleTableEntry(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_75CC15
		mov	al, 1

loc_75CBAB:				; CODE XREF: ExSweepHandleTable+117j
		mov	ecx, [ebp+var_2C]
		dec	word ptr [ecx+13Ch]
		nop
		test	al, al
		jz	short loc_75CB6F
		inc	ebx
		jmp	short loc_75CB6F
; 

loc_75CBBD:				; CODE XREF: ExSweepHandleTable+5Dj
		mov	edi, [ebp+var_28]
		xor	edx, edx
		lea	esi, [edi+40h]
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		sub	[edi+4Ch], ebx
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_75CC0C

loc_75CBDC:				; CODE XREF: ExSweepHandleTable+113j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_2C]
		or	byte ptr [edi+1Ch], 4
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		cmp	[ebp+var_21], 1
		jz	loc_8D49E4

loc_75CBF9:				; CODE XREF: ExSweepHandleTable+177EEEj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_75CC0C:				; CODE XREF: ExSweepHandleTable+DAj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_75CBDC
; 

loc_75CC15:				; CODE XREF: ExSweepHandleTable+A7j
		xor	al, al
		jmp	short loc_75CBAB
ExSweepHandleTable endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ExpRemoveHandleTable(x)
_ExpRemoveHandleTable@4	proc near	; CODE XREF: EtwpQueryProcessCommandLine+1E7p
					; PAGE:007E5FEDp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	esi, ecx
		dec	word ptr [edi+13Ch]
		nop
		mov	ebx, offset _HandleTableListLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		add	esi, 10h
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_75CC81
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_75CC81
		mov	[eax], ecx
		mov	[ecx+4], eax
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_75CC78

loc_75CC61:				; CODE XREF: ExpRemoveHandleTable(x)+65j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		mov	[esi+4], esi
		mov	[esi], esi
		pop	esi
		pop	ebx
		retn
; 

loc_75CC78:				; CODE XREF: ExpRemoveHandleTable(x)+45j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_75CC61
; 

loc_75CC81:				; CODE XREF: ExpRemoveHandleTable(x)+2Cj
					; ExpRemoveHandleTable(x)+33j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExpRemoveHandleTable@4	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpFreeHandleTable proc	near		; CODE XREF: EtwpQueryProcessCommandLine+1EEp
					; PAGE:007E5FF4p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D49F3 SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	[ebp+var_4], ebx
		mov	edi, [ebx+8]
		mov	eax, edi
		mov	esi, [ebx+0Ch]
		and	edi, 0FFFFFFFCh
		and	eax, 3
		jnz	short loc_75CCD5
		mov	edx, edi
		mov	ecx, esi
		call	ExpFreeLowLevelTable

loc_75CCAF:				; CODE XREF: ExpFreeHandleTable+8Ej
					; ExpFreeHandleTable+177DD0j ...
		mov	edx, [ebx+54h]
		test	edx, edx
		jnz	short loc_75CD16

loc_75CCB6:				; CODE XREF: ExpFreeHandleTable+97j
		push	6274624Fh
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	short loc_75CCD0
		push	80h
		push	esi
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)

loc_75CCD0:				; CODE XREF: ExpFreeHandleTable+3Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_75CCD5:				; CODE XREF: ExpFreeHandleTable+1Ej
		cmp	eax, 1
		jnz	loc_8D49F3
		xor	ebx, ebx

loc_75CCE0:				; CODE XREF: ExpFreeHandleTable+6Fj
		mov	edx, [edi+ebx*4]
		test	edx, edx
		jz	short loc_75CCF7
		mov	ecx, esi
		call	ExpFreeLowLevelTable
		inc	ebx
		cmp	ebx, 400h
		jb	short loc_75CCE0

loc_75CCF7:				; CODE XREF: ExpFreeHandleTable+5Fj
		push	6274624Fh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	short loc_75CD11
		push	1000h
		push	esi
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)

loc_75CD11:				; CODE XREF: ExpFreeHandleTable+7Ej
		mov	ebx, [ebp+var_4]
		jmp	short loc_75CCAF
; 

loc_75CD16:				; CODE XREF: ExpFreeHandleTable+2Ej
		mov	ecx, ebx
		call	_ExDereferenceHandleDebugInfo@8	; ExDereferenceHandleDebugInfo(x,x)
		jmp	short loc_75CCB6
ExpFreeHandleTable endp

; 
		align 10h

;  S U B	R O U T	I N E 


ExpFreeLowLevelTable proc near		; CODE XREF: ExpFreeHandleTable+24p
					; ExpFreeHandleTable+63p ...

; FUNCTION CHUNK AT 008D4A6C SIZE 0000001F BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	ebx, 1000h
		mov	eax, [edi]
		test	eax, eax
		jnz	loc_8D4A6C

loc_75CD38:				; CODE XREF: ExpFreeLowLevelTable+177D59j
					; ExpFreeLowLevelTable+177D66j
		push	6274624Fh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	short loc_75CD4E
		push	ebx
		push	esi
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)

loc_75CD4E:				; CODE XREF: ExpFreeLowLevelTable+25j
		pop	edi
		pop	esi
		pop	ebx
		retn
ExpFreeLowLevelTable endp


;  S U B	R O U T	I N E 


; __stdcall PspSelectNodeForProcess()
_PspSelectNodeForProcess@0 proc	near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x):loc_75EF17p
		mov	edi, edi
		push	ebx
		push	esi
		xor	eax, eax
		xor	esi, esi
		push	edi
		xor	ecx, ecx
		inc	eax
		lock xadd ds:_PspProcessNodeAssignment,	eax
		inc	eax
		mov	bx, ds:_KeNumberNodes
		xor	edx, edx
		movzx	edi, bx
		div	edi
		movzx	edx, dx
		test	edi, edi
		jz	short loc_75CDAC

loc_75CD7C:				; CODE XREF: PspSelectNodeForProcess()+50j
		movzx	eax, dx
		mov	eax, ds:_KeNodeBlock[eax*4]
		test	byte ptr [eax+0A5h], 10h
		jnz	short loc_75CD97
		cmp	[eax+84h], esi
		jnz	short loc_75CDA6

loc_75CD97:				; CODE XREF: PspSelectNodeForProcess()+3Bj
		inc	ecx
		inc	edx
		cmp	dx, bx
		sbb	eax, eax
		and	edx, eax
		cmp	ecx, edi
		jb	short loc_75CD7C
		jmp	short loc_75CDAC
; 

loc_75CDA6:				; CODE XREF: PspSelectNodeForProcess()+43j
		mov	esi, eax
		test	esi, esi
		jnz	short loc_75CDD6

loc_75CDAC:				; CODE XREF: PspSelectNodeForProcess()+28j
					; PspSelectNodeForProcess()+52j
		xor	ecx, ecx
		test	edi, edi
		jz	short loc_75CDE3

loc_75CDB2:				; CODE XREF: PspSelectNodeForProcess()+7Ej
		movzx	eax, dx
		mov	eax, ds:_KeNodeBlock[eax*4]
		cmp	dword ptr [eax+84h], 0
		jnz	short loc_75CDD4
		inc	ecx
		inc	edx
		cmp	dx, bx
		sbb	eax, eax
		and	edx, eax
		cmp	ecx, edi
		jb	short loc_75CDB2
		jmp	short loc_75CDD6
; 

loc_75CDD4:				; CODE XREF: PspSelectNodeForProcess()+71j
		mov	esi, eax

loc_75CDD6:				; CODE XREF: PspSelectNodeForProcess()+58j
					; PspSelectNodeForProcess()+80j
		test	ecx, ecx
		jz	short loc_75CDE3
		mov	eax, offset _PspProcessNodeAssignment
		lock xadd [eax], ecx

loc_75CDE3:				; CODE XREF: PspSelectNodeForProcess()+5Ej
					; PspSelectNodeForProcess()+86j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_PspSelectNodeForProcess@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCmdHiveOpen(x, x, x, x, x, x, x,	x, x)
_CmpCmdHiveOpen@36 proc	near		; CODE XREF: CmLoadAppKey(x,x,x,x,x,x,x,x,x)+35Bp
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+613p	...

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_10]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+arg_14]
		push	edi
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_18]
		push	0
		mov	[ebp+var_3D], dl
		mov	[ebp+var_58], ecx
		mov	[ebp+var_44], esi
		mov	[ebp+var_48], eax
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	ebx, [ebp+arg_C]
		xor	edi, edi
		mov	byte ptr [ebp+var_64], al
		test	bl, 1
		jz	short loc_75CE46
		mov	edi, 8000h
		test	bl, 2
		jnz	short loc_75CE46
		mov	edi, 48000h

loc_75CE46:				; CODE XREF: CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+4Bj
					; CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+55j
		test	bl, 4
		jz	short loc_75CE51
		or	edi, 80000h

loc_75CE51:				; CODE XREF: CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+5Fj
		test	bl, 8
		jz	short loc_75CE5C
		or	edi, 108000h

loc_75CE5C:				; CODE XREF: CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+6Aj
		test	[ebp+arg_8], 20000000h
		jz	short loc_75CE68
		or	edi, 2

loc_75CE68:				; CODE XREF: CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+79j
		push	[ebp+var_48]
		mov	edx, edi
		push	[ebp+var_4C]
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_58]
		push	esi
		push	[ebp+arg_8]
		push	[ebp+var_50]
		push	[ebp+var_54]
		call	CmpInitHiveFromFile
		cmp	[ebp+var_44], 0
		mov	esi, eax
		jnz	loc_75CFC2
		cmp	[ebp+var_3D], 0
		jz	loc_75CFC2
		test	bl, 20h
		jnz	loc_75CFC2
		cmp	esi, 0C0000022h
		jz	short loc_75CED7
		cmp	esi, 0C0000064h
		jz	short loc_75CED7
		cmp	esi, 0C000006Ah
		jz	short loc_75CED7
		cmp	esi, 0C0000193h
		jz	short loc_75CED7
		cmp	esi, 0C0000072h
		jz	short loc_75CED7
		cmp	esi, 0C000006Eh
		jnz	loc_75CFC2

loc_75CED7:				; CODE XREF: CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+BFj
					; CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+C7j ...
		mov	ecx, large fs:124h
		xor	eax, eax
		push	eax
		mov	byte ptr [ebp+var_44], al
		xor	edx, edx
		mov	byte ptr [ebp+var_60], al
		inc	edx
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		call	_PsReferenceImpersonationTokenEx@24 ; PsReferenceImpersonationTokenEx(x,x,x,x,x,x)
		push	0
		push	2
		xor	edx, edx
		mov	ebx, eax
		pop	ecx
		call	_RtlImpersonateSelfEx@12 ; RtlImpersonateSelfEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_75CFB7
		push	[ebp+var_48]
		mov	edx, edi
		push	[ebp+var_4C]
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_58]
		push	0
		push	[ebp+arg_8]
		push	[ebp+var_50]
		push	[ebp+var_54]
		call	CmpInitHiveFromFile
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_75CF45
		push	[ebp+var_5C]
		push	[ebp+var_60]
		push	[ebp+var_44]
		push	ebx
		jmp	short loc_75CF4C
; 

loc_75CF45:				; CODE XREF: CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+14Dj
		push	2
		xor	eax, eax
		push	eax
		push	eax
		push	eax

loc_75CF4C:				; CODE XREF: CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+159j
		mov	eax, large fs:124h
		push	eax
		call	PsImpersonateClient
		test	esi, esi
		js	short loc_75CFB7
		test	[ebp+arg_8], 2000000h
		jz	short loc_75CFB7
		cmp	dword_6B2348, 5
		jbe	short loc_75CFB7
		push	4000h
		push	8
		pop	edi
		push	edi
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_75CFB7
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_6C], 1000000h
		mov	[ebp+var_1C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_68], ecx
		push	eax
		push	3
		push	ecx
		push	ecx
		push	offset byte_41AC37
		push	offset dword_6B2348
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_75CFB7:				; CODE XREF: CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+126j
					; CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+170j ...
		test	ebx, ebx
		jz	short loc_75CFC2
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_75CFC2:				; CODE XREF: CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+A0j
					; CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+AAj ...
		push	[ebp+var_64]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
_CmpCmdHiveOpen@36 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTraceProcess	proc near		; CODE XREF: PspExitProcess+45p
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+587p

var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_1FE		= dword	ptr -1FEh
var_1FA		= dword	ptr -1FAh
var_198		= dword	ptr -198h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D4A8B SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 214h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+214h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [esp+220h+var_198]
		push	18Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	edi, edx
		mov	[esp+22Ch+var_20C], ebx
		mov	esi, ecx
		call	_memset
		mov	eax, 302h
		mov	[esp+22Ch+var_208], ebx
		add	esp, 0Ch
		mov	[esp+220h+var_204], ebx
		mov	[esp+220h+var_214], ebx
		mov	[esp+220h+var_210], ebx
		cmp	di, ax
		jnz	short loc_75D071
		test	ds:_PerfGlobalGroupMask, 0C004h
		jz	short loc_75D064
		push	ebx
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		push	offset _PerfGlobalGroupMask
		xor	edx, edx
		mov	byte ptr [esp+224h+var_1FE], al
		mov	ecx, esi
		call	EtwpEnumerateAddressSpace
		push	[esp+220h+var_1FE]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)

loc_75D064:				; CODE XREF: EtwTraceProcess+63j
		test	byte ptr ds:_PerfGlobalGroupMask, 8
		jnz	loc_8D4A8B

loc_75D071:				; CODE XREF: EtwTraceProcess+57j
					; EtwTraceProcess+177AB4j
		lea	eax, [esp+220h+var_20C]
		mov	edx, edi
		push	eax
		lea	eax, [esp+224h+var_214]
		mov	ecx, esi
		push	eax
		lea	eax, [esp+228h+var_198]
		push	eax
		lea	eax, [esp+22Ch+var_208]
		push	eax
		call	EtwpWriteProcessEvent
		mov	eax, 301h
		cmp	di, ax
		mov	edi, [esp+220h+var_20C]
		jnz	loc_75D136
		cmp	dword_6B2A18, ebx
		jbe	loc_75D136
		push	6000h
		push	3
		mov	ecx, offset dword_6B2A18
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_75D136
		push	62h		; size_t
		lea	eax, [esp+224h+var_1FA]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+220h+var_214]
		lea	edx, [esp+220h+var_208]
		mov	ecx, esi
		push	edi
		push	eax
		lea	eax, [esp+228h+var_198]
		push	eax
		call	EtwpWriteProcessStarted
		lea	edx, [esp+220h+var_1FA]
		mov	ecx, esi
		call	EtwpInitStateChangeInfo
		lea	ecx, [esp+220h+var_1FA]
		mov	word ptr [esp+220h+var_1FA], bx
		call	EtwpWriteAppStateChange
		mov	ecx, esi
		call	EtwpAppStateChangeSummaryShouldLogCommandLine
		test	al, al
		jnz	short loc_75D118
		xor	eax, eax
		mov	word ptr [esp+220h+var_214], ax

loc_75D118:				; CODE XREF: EtwTraceProcess+131j
		lea	eax, [esp+220h+var_214]
		mov	ecx, esi
		push	eax
		lea	eax, [esp+224h+var_208]
		push	eax
		lea	eax, [esp+228h+var_198]
		push	eax
		push	ebx
		lea	edx, [esp+230h+var_1FA]
		call	EtwpWriteAppStateChangeSummary

loc_75D136:				; CODE XREF: EtwTraceProcess+BFj
					; EtwTraceProcess+CBj ...
		cmp	[esp+220h+var_210], ebx
		jz	short loc_75D146
		push	ebx
		push	[esp+224h+var_210]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_75D146:				; CODE XREF: EtwTraceProcess+15Cj
		test	edi, edi
		jz	short loc_75D151
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_75D151:				; CODE XREF: EtwTraceProcess+16Aj
		mov	ecx, [esp+220h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
EtwTraceProcess	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpWriteProcessEvent proc near		; CODE XREF: EtwTraceProcess+AEp

var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D5		= dword	ptr -0D5h
var_D1		= byte ptr -0D1h
var_D0		= dword	ptr -0D0h
var_B8		= dword	ptr -0B8h
var_B0		= dword	ptr -0B0h
var_98		= dword	ptr -98h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D4A97 SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_EC], eax
		lea	edi, [ebp+var_D0]
		mov	eax, [ebp+arg_4]
		mov	esi, ecx
		mov	[ebp+var_DC], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		mov	[ebp+var_E4], eax
		mov	eax, [ebp+arg_C]
		push	8
		mov	[ebp+var_E8], eax
		xor	eax, eax
		pop	ecx
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_B0]
		mov	[ebp+var_F4], edx
		rep stosd
		mov	eax, large fs:124h
		mov	[ebp+var_F0], edx
		mov	[ebp+var_E0], edx
		mov	[ebp+var_D1], dl
		mov	byte ptr [ebp+var_D5], 1
		cmp	[eax+80h], esi
		jz	short loc_75D219
		lea	ecx, [esi+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		xor	edx, edx
		test	al, al
		jz	loc_8D4A97
		lea	eax, [ebp+var_B0]
		mov	ecx, esi
		push	eax
		call	KiStackAttachProcess
		mov	[ebp+var_D1], 1
		xor	edx, edx

loc_75D219:				; CODE XREF: EtwpWriteProcessEvent+85j
					; EtwpWriteProcessEvent+177937j
		push	[ebp+var_E8]
		mov	eax, [ebp+var_E4]
		mov	ecx, esi
		mov	edi, [ebp+var_EC]
		push	eax
		mov	[eax], edx
		mov	[eax+4], edx
		lea	eax, [ebp+var_F4]
		push	eax
		push	[ebp+var_DC]
		lea	eax, [ebp+var_E0]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		push	edi
		lea	eax, [ebp+var_D0]
		push	eax
		push	[ebp+var_D5]
		call	EtwpBuildProcessEvent
		cmp	[ebp+var_D1], 0
		jz	short loc_75D284
		xor	edx, edx
		lea	ecx, [ebp+var_B0]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_75D284:				; CODE XREF: EtwpWriteProcessEvent+104j
		mov	eax, ds:_EtwpHostSiloState
		add	eax, 0A48h
		jz	short loc_75D2AA
		test	byte ptr [eax],	1
		jz	short loc_75D2AA
		mov	edx, [ebp+var_B8]
		mov	ecx, esi
		push	ebx
		push	edi
		push	[ebp+var_DC]
		call	EtwpPsProvTraceProcess

loc_75D2AA:				; CODE XREF: EtwpWriteProcessEvent+128j
					; EtwpWriteProcessEvent+12Dj
		push	(offset	loc_501902+2)
		push	ebx
		push	1
		push	[ebp+var_E0]
		push	esi
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		lea	edx, [ebp+var_98]
		mov	ecx, eax
		call	EtwTraceSiloKernelEvent
		lea	eax, [ebp+var_F4]
		push	eax
		call	_RtlFreeAnsiString@4 ; RtlFreeAnsiString(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
EtwpWriteProcessEvent endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2099. RtlFreeAnsiString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFreeAnsiString(x)
		public _RtlFreeAnsiString@4
_RtlFreeAnsiString@4 proc near		; CODE XREF: MmGetSystemRoutineAddress+3Ep
					; EtwpWriteProcessEvent+16Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_75D303

loc_75D2FE:				; CODE XREF: RtlFreeAnsiString(x)+22j
		pop	esi
		pop	ebp
		retn	4
; 

loc_75D303:				; CODE XREF: RtlFreeAnsiString(x)+Ej
		push	eax
		call	_ExFreePool@4	; ExFreePool(x)
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		jmp	short loc_75D2FE
_RtlFreeAnsiString@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpPsProvTraceProcess proc near	; CODE XREF: EtwpWriteProcessEvent+13Fp
					; EtwpPsProvProcessEnumCallback(x,x)+135p

var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_17C		= dword	ptr -17Ch
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= word ptr -28h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h

; FUNCTION CHUNK AT 008D4AA2 SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 208h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_194]
		push	68h		; size_t
		push	edi		; int
		push	eax		; void *
		mov	ebx, edx
		mov	[ebp+var_1A0], edi
		mov	esi, ecx
		mov	[ebp+var_1C0], edi
		mov	[ebp+var_1C8], edi
		mov	[ebp+var_19C], edi
		mov	[ebp+var_1AC], edi
		mov	[ebp+var_1E4], edi
		mov	[ebp+var_1E0], edi
		mov	[ebp+var_1EC], edi
		mov	[ebp+var_1E8], edi
		call	_memset
		mov	cx, [ebp+arg_8]
		mov	edx, 301h
		movzx	eax, cx
		add	esp, 0Ch
		mov	[ebp+var_1B0], edi
		mov	[ebp+var_1B4], edi
		mov	[ebp+var_1B8], edi
		mov	[ebp+var_1BC], edi
		mov	[ebp+var_208], edi
		mov	[ebp+var_204], edi
		sub	eax, edx
		jnz	loc_75D9B1
		mov	[ebp+var_1A4], offset _ProcessStart

loc_75D3BA:				; CODE XREF: EtwpPsProvTraceProcess+6B2j
					; EtwpPsProvTraceProcess+1777A3j
		mov	eax, [esi+0E4h]
		mov	[ebp+var_1F8], eax
		lea	eax, [ebp+var_1F8]
		mov	[ebp+var_12C], eax
		lea	eax, [esi+3E8h]
		mov	[ebp+var_11C], eax
		lea	eax, [esi+100h]
		push	8
		pop	edx
		mov	[ebp+var_10C], eax
		mov	eax, 301h
		mov	[ebp+var_128], edi
		mov	[ebp+var_120], edi
		mov	[ebp+var_118], edi
		mov	[ebp+var_110], edi
		mov	[ebp+var_108], edi
		mov	[ebp+var_100], edi
		mov	[ebp+var_124], 4
		mov	[ebp+var_114], edx
		mov	[ebp+var_104], edx
		push	3
		pop	edi
		cmp	cx, ax
		jnz	loc_75D70C

loc_75D438:				; CODE XREF: EtwpPsProvTraceProcess+402j
		mov	eax, [esi+170h]
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_1F4], ecx
		xor	edx, edx
		mov	[ebp+var_1F0], ecx
		mov	[ebp+var_1D0], ecx
		mov	[ebp+var_1D8], ecx
		lea	ecx, [ebp+var_1C0]
		mov	[ebp+var_FC], ecx
		lea	ecx, [ebp+var_1C4]
		push	ecx
		push	eax
		mov	[ebp+var_1C4], edx
		mov	[ebp+var_1CC], edx
		mov	[ebp+var_1D4], edx
		mov	[ebp+var_200], edx
		mov	[ebp+var_1C0], eax
		mov	[ebp+var_F8], edx
		mov	[ebp+var_F4], 4
		mov	[ebp+var_F0], edx
		call	PsLookupProcessByProcessId
		test	eax, eax
		js	short loc_75D4CF
		mov	ecx, [ebp+var_1C4]
		mov	eax, [ecx+3E8h]
		mov	[ebp+var_1F4], eax
		mov	eax, [ecx+3ECh]
		mov	[ebp+var_1F0], eax
		call	ObfDereferenceObject

loc_75D4CF:				; CODE XREF: EtwpPsProvTraceProcess+198j
		lea	eax, [ebp+var_1F4]
		mov	[ebp+var_E4], 8
		xor	edx, edx
		mov	[ebp+var_EC], eax
		mov	ecx, esi
		mov	[ebp+var_E8], edx
		mov	[ebp+var_E0], edx
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		mov	[ebp+var_1C8], eax
		lea	eax, [ebp+var_1C8]
		mov	[ebp+var_DC], eax
		mov	[ebp+var_D8], edx
		mov	[ebp+var_D0], edx
		push	4
		pop	ecx
		mov	[ebp+var_D4], ecx
		test	bl, 1
		jnz	loc_75DA0E
		push	2
		pop	edi

loc_75D52D:				; CODE XREF: EtwpPsProvTraceProcess+706j
		test	bl, 8
		jnz	loc_75DA1D

loc_75D536:				; CODE XREF: EtwpPsProvTraceProcess+711j
		lea	eax, [ebp+var_1A0]
		mov	[ebp+var_C4], ecx
		xor	ebx, ebx
		mov	[ebp+var_CC], eax
		push	esi
		mov	[ebp+var_C8], ebx
		mov	[ebp+var_C0], ebx
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	edi, eax
		lea	eax, [ebp+var_1CC]
		push	eax
		push	12h
		push	edi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	ecx, [ebp+var_1CC]
		test	eax, eax
		js	short loc_75D57F
		mov	eax, [ecx]
		mov	[ebp+var_1D0], eax

loc_75D57F:				; CODE XREF: EtwpPsProvTraceProcess+263j
		mov	[ebp+var_B8], ebx
		lea	eax, [ebp+var_1D0]
		mov	[ebp+var_BC], eax
		mov	[ebp+var_B4], 4
		mov	[ebp+var_B0], ebx
		test	ecx, ecx
		jz	short loc_75D5AC
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_75D5AC:				; CODE XREF: EtwpPsProvTraceProcess+291j
		lea	eax, [ebp+var_1D4]
		push	eax
		push	14h
		push	edi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	ecx, [ebp+var_1D4]
		test	eax, eax
		js	short loc_75D5CD
		mov	eax, [ecx]
		mov	[ebp+var_1D8], eax

loc_75D5CD:				; CODE XREF: EtwpPsProvTraceProcess+2B1j
		mov	[ebp+var_A8], ebx
		lea	eax, [ebp+var_1D8]
		mov	[ebp+var_AC], eax
		mov	[ebp+var_A4], 4
		mov	[ebp+var_A0], ebx
		test	ecx, ecx
		jz	short loc_75D5FA
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_75D5FA:				; CODE XREF: EtwpPsProvTraceProcess+2DFj
		lea	edx, [ebp+var_200]
		mov	ecx, edi
		call	_SeQueryTokenIntegrity@8 ; SeQueryTokenIntegrity(x,x)
		mov	eax, [ebp+var_200]
		mov	edx, edi
		mov	cl, [eax+1]
		mov	[ebp+var_9C], eax
		movzx	eax, cl
		lea	ecx, [esi+12Ch]
		mov	[ebp+var_98], ebx
		mov	[ebp+var_90], ebx
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_94], eax
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	eax, [esi+1C0h]
		test	eax, eax
		jz	loc_8D4AC1
		cmp	[eax], bx
		jz	loc_8D4AC1

loc_75D656:				; CODE XREF: EtwpPsProvTraceProcess+1777DFj
		test	eax, eax
		jz	loc_8D4AF6

loc_75D65E:				; CODE XREF: EtwpPsProvTraceProcess+1777E9j
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_8C], eax
		mov	eax, ecx
		mov	[ebp+var_84], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_6C], eax
		push	4
		pop	ecx
		add	eax, ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_54], ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_5C], eax
		mov	[ebp+var_88], ebx
		mov	[ebp+var_80], ebx
		lea	eax, [ecx+8]
		mov	[ebp+var_7C], offset _EtwpNull
		mov	[ebp+var_4C], eax
		mov	eax, [ecx]
		mov	[ebp+var_44], eax
		lea	eax, [ecx+108h]
		mov	[ebp+var_3C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_78], ebx
		mov	[ebp+var_74], 2
		mov	[ebp+var_70], ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx

loc_75D6CF:				; CODE XREF: EtwpPsProvTraceProcess+69Aj
		push	10h
		pop	edi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_34], eax
		mov	[ebp+var_38], ebx

loc_75D6DB:				; CODE XREF: EtwpPsProvTraceProcess+40Ej
		lea	eax, [ebp+var_12C]
		push	eax
		push	edi
		push	ebx
		push	[ebp+var_1A4]
		push	dword_6BC18C
		push	_EtwpPsProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_75D6FB:				; CODE XREF: EtwpPsProvTraceProcess+177793j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_75D70C:				; CODE XREF: EtwpPsProvTraceProcess+120j
		mov	eax, 303h
		cmp	cx, ax
		jz	loc_75D438
		dec	eax
		xor	ebx, ebx
		cmp	cx, ax
		jnz	short loc_75D6DB
		lea	edx, [ebp+var_194]
		mov	[ebp+var_198], ebx
		mov	ecx, esi
		call	PsQueryStatisticsProcess
		lea	eax, [esi+388h]
		mov	[ebp+var_F8], ebx
		mov	[ebp+var_FC], eax
		lea	eax, [esi+34Ch]
		push	esi
		mov	[ebp+var_F4], 8
		mov	[ebp+var_F0], ebx
		mov	[ebp+var_EC], eax
		mov	[ebp+var_E8], ebx
		mov	[ebp+var_E4], 4
		mov	[ebp+var_E0], ebx
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	edi, eax
		lea	eax, [ebp+var_198]
		push	eax
		push	12h
		push	edi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		test	eax, eax
		js	short loc_75D7AB
		mov	ecx, [ebp+var_198]
		mov	eax, [ecx]
		cmp	eax, 1
		jz	loc_75D9C9
		mov	[ebp+var_19C], eax

loc_75D7AB:				; CODE XREF: EtwpPsProvTraceProcess+480j
					; EtwpPsProvTraceProcess+6EAj ...
		lea	ecx, [esi+12Ch]
		mov	edx, edi
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		cmp	[ebp+var_198], ebx
		jz	short loc_75D7CC
		push	ebx
		push	[ebp+var_198]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_75D7CC:				; CODE XREF: EtwpPsProvTraceProcess+4ACj
		push	4
		lea	eax, [ebp+var_19C]
		mov	[ebp+var_D8], ebx
		pop	edi
		xor	edx, edx
		mov	[ebp+var_DC], eax
		mov	ecx, esi
		mov	[ebp+var_D4], edi
		mov	[ebp+var_D0], ebx
		call	_ObGetProcessHandleCount@8 ; ObGetProcessHandleCount(x,x)
		mov	[ebp+var_1AC], eax
		mov	ecx, 1000h
		lea	eax, [ebp+var_1AC]
		mov	[ebp+var_C8], ebx
		mov	[ebp+var_CC], eax
		mov	eax, [esi+224h]
		mul	ecx
		push	8
		mov	[ebp+var_1E4], eax
		lea	eax, [ebp+var_1E4]
		mov	[ebp+var_BC], eax
		mov	eax, [esi+228h]
		mov	[ebp+var_1E0], edx
		mul	ecx
		pop	ecx
		mov	[ebp+var_1EC], eax
		lea	eax, [ebp+var_1EC]
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_17C]
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_94], ecx
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_9C], eax
		mov	eax, ecx
		mov	[ebp+var_C4], edi
		mov	[ebp+var_C0], ebx
		mov	[ebp+var_B8], ebx
		mov	[ebp+var_B4], 8
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_1E8], edx
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_90], ebx
		cmp	[ebp+var_168], ebx
		jnz	short loc_75D8BB
		mov	eax, [ebp+var_16C]

loc_75D8BB:				; CODE XREF: EtwpPsProvTraceProcess+5A1j
		mov	[ebp+var_1B0], eax
		lea	eax, [ebp+var_1B0]
		mov	[ebp+var_8C], eax
		mov	eax, ecx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_84], edi
		mov	[ebp+var_80], ebx
		cmp	[ebp+var_160], ebx
		jnz	short loc_75D8EC
		mov	eax, [ebp+var_164]

loc_75D8EC:				; CODE XREF: EtwpPsProvTraceProcess+5D2j
		mov	edx, [ebp+var_154]
		mov	[ebp+var_1B4], eax
		lea	eax, [ebp+var_1B4]
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+var_150]
		shrd	edx, eax, 0Ah
		mov	[ebp+var_78], ebx
		sar	eax, 0Ah
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], ebx
		mov	[ebp+var_154], edx
		mov	[ebp+var_150], eax
		test	eax, eax
		jnz	loc_8D4ABA

loc_75D92B:				; CODE XREF: EtwpPsProvTraceProcess+1777AAj
		lea	eax, [ebp+var_1B8]
		mov	[ebp+var_1B8], edx
		mov	edx, [ebp+var_14C]
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+var_148]
		shrd	edx, eax, 0Ah
		mov	[ebp+var_68], ebx
		sar	eax, 0Ah
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], ebx
		mov	[ebp+var_14C], edx
		mov	[ebp+var_148], eax
		test	eax, eax
		jnz	short loc_75D968
		mov	ecx, edx

loc_75D968:				; CODE XREF: EtwpPsProvTraceProcess+652j
		lea	eax, [ebp+var_1BC]
		mov	[ebp+var_1BC], ecx
		mov	[ebp+var_5C], eax
		lea	eax, [esi+298h]
		add	esi, 1ACh
		mov	[ebp+var_58], ebx
		mov	ecx, esi
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], edi
		lea	edx, [ecx+1]
		mov	[ebp+var_40], ebx

loc_75D99D:				; CODE XREF: EtwpPsProvTraceProcess+690j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_75D99D
		sub	ecx, edx
		mov	[ebp+var_3C], esi
		lea	eax, [ecx+1]
		jmp	loc_75D6CF
; 

loc_75D9B1:				; CODE XREF: EtwpPsProvTraceProcess+98j
		sub	eax, 1
		jnz	loc_8D4AA2
		mov	[ebp+var_1A4], offset _ProcessStop
		jmp	loc_75D3BA
; 

loc_75D9C9:				; CODE XREF: EtwpPsProvTraceProcess+48Dj
		lea	eax, [ebp+var_1A8]
		mov	[ebp+var_1A8], ebx
		push	eax
		push	14h
		push	edi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	ecx, [ebp+var_1A8]
		test	eax, eax
		js	short loc_75D9FA
		mov	eax, [ecx]
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFFDh
		add	eax, 4
		mov	[ebp+var_19C], eax

loc_75D9FA:				; CODE XREF: EtwpPsProvTraceProcess+6D4j
		test	ecx, ecx
		jz	loc_75D7AB
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_75D7AB
; 

loc_75DA0E:				; CODE XREF: EtwpPsProvTraceProcess+212j
		mov	[ebp+var_1A0], 1
		jmp	loc_75D52D
; 

loc_75DA1D:				; CODE XREF: EtwpPsProvTraceProcess+21Ej
		mov	[ebp+var_1A0], edi
		jmp	loc_75D536
EtwpPsProvTraceProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpBuildProcessEvent proc near		; CODE XREF: EtwpWriteProcessEvent+F8p
					; EtwpTraceProcessRundown(x,x,x,x)+CCp

var_8		= dword	ptr -8
var_2		= word ptr -2
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 008D4B00 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_2], dx
		push	edi
		push	[ebp+arg_18]
		mov	esi, ecx
		mov	[ebp+arg_C], edi
		mov	[ebp+var_8], esi
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		mov	eax, [ebp+arg_20]
		mov	ecx, esi
		mov	[eax], edi
		mov	edi, [ebp+arg_4]
		mov	[edi], esi
		mov	eax, [esi+0E4h]
		mov	[edi+4], eax
		mov	eax, [esi+170h]
		mov	[edi+8], eax
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[edi+0Ch], eax
		xor	edx, edx
		mov	eax, [esi+34Ch]
		mov	[edi+10h], eax
		mov	eax, [esi+18h]
		mov	[edi+14h], eax
		lea	eax, [edi+18h]
		push	esi
		mov	[ebp+arg_4], eax
		mov	[eax], edx
		call	_PsIsProtectedProcess@4	; PsIsProtectedProcess(x)
		test	eax, eax
		jnz	loc_75DC6D

loc_75DA99:				; CODE XREF: EtwpBuildProcessEvent+24Cj
		xor	eax, eax
		mov	[ebx], edi
		push	esi
		mov	[ebx+4], eax
		mov	dword ptr [ebx+8], 1Ch
		mov	[ebx+0Ch], eax
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_14]
		mov	edi, eax
		mov	ecx, edi
		call	_EtwpQueryTokenPackageInfo@12 ;	EtwpQueryTokenPackageInfo(x,x,x)
		lea	eax, [ebp+arg_C]
		push	eax
		push	1
		push	edi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		add	ecx, 12Ch
		mov	esi, eax
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		test	esi, esi
		js	loc_8D4B00
		mov	ecx, [ebp+arg_C]
		mov	edx, [ebp+arg_20]
		mov	eax, [ecx]
		mov	[edx], ecx
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:10h[eax*4]

loc_75DAFA:				; CODE XREF: EtwpBuildProcessEvent+1770E3j
		mov	esi, [ebp+var_8]
		mov	[ebx+10h], ecx
		xor	ecx, ecx
		mov	[ebx+14h], ecx
		mov	[ebx+1Ch], ecx
		lea	ecx, [esi+1ACh]
		mov	[ebx+18h], eax
		mov	edi, ecx
		lea	edx, [edi+1]

loc_75DB16:				; CODE XREF: EtwpBuildProcessEvent+F3j
		mov	al, [edi]
		inc	edi
		test	al, al
		jnz	short loc_75DB16
		sub	edi, edx
		cmp	edi, 0Eh
		jz	loc_75DC1E

loc_75DB28:				; CODE XREF: EtwpBuildProcessEvent+1FEj
					; EtwpBuildProcessEvent+209j ...
		mov	[ebx+20h], ecx
		xor	eax, eax
		mov	cl, [ebp+arg_0]
		mov	[ebx+28h], edi
		xor	edi, edi
		mov	[ebx+24h], eax
		mov	[ebx+2Ch], edi
		mov	dword ptr [ebx+30h], offset _EtwpNull
		mov	[ebx+34h], edi
		mov	dword ptr [ebx+38h], 1
		mov	[ebx+3Ch], edi
		test	cl, cl
		jz	loc_75DC80
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	EtwpQueryProcessOtherInfo
		mov	cl, [ebp+arg_0]

loc_75DB64:				; CODE XREF: EtwpBuildProcessEvent+260j
		mov	edi, [ebp+arg_1C]
		xor	eax, eax
		mov	[edi], ax
		cmp	[esi+17Ch], eax
		jz	loc_75DC79
		test	cl, cl
		jz	loc_75DC79
		mov	edx, edi
		mov	ecx, esi
		call	EtwpQueryProcessCommandLine
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jz	loc_75DC79
		mov	eax, [edi+4]
		xor	edx, edx
		mov	[ebx+40h], eax
		mov	eax, ecx
		mov	[ebx+44h], edx
		mov	[ebx+48h], eax
		mov	[ebx+4Ch], edx
		push	5

loc_75DBAC:				; CODE XREF: EtwpBuildProcessEvent+253j
		mov	eax, [ebp+arg_14]
		xor	ecx, ecx
		pop	edi
		mov	edx, edi
		add	edx, edx
		mov	dword ptr [ebx+edx*8], offset _EtwpNull
		mov	[ebx+edx*8+4], ecx
		mov	dword ptr [ebx+edx*8+8], 2
		mov	[ebx+edx*8+0Ch], ecx
		mov	ecx, [eax]
		add	eax, 8
		mov	[ebx+edx*8+10h], eax
		xor	eax, eax
		mov	[ebx+edx*8+14h], eax
		mov	[ebx+edx*8+1Ch], eax
		mov	eax, [ebp+arg_14]
		mov	[ebx+edx*8+18h], ecx
		lea	edx, [edi+2]
		shl	edx, 4
		add	edx, ebx
		mov	ecx, [eax+4]
		add	eax, 108h
		mov	[edx], eax
		xor	eax, eax
		mov	[edx+4], eax
		mov	[edx+0Ch], eax
		mov	eax, 327h
		mov	[edx+8], ecx
		lea	edx, [edi+3]
		cmp	[ebp+var_2], ax
		jz	short loc_75DC8D

loc_75DC12:				; CODE XREF: EtwpBuildProcessEvent+284j
		mov	eax, [ebp+arg_10]
		pop	edi
		pop	esi
		pop	ebx
		mov	[eax], edx
		leave
		retn	24h
; 

loc_75DC1E:				; CODE XREF: EtwpBuildProcessEvent+FAj
		mov	eax, [esi+1C0h]
		test	eax, eax
		jz	loc_75DB28
		xor	edx, edx
		cmp	[eax], dx
		jz	loc_75DB28
		push	1
		push	eax
		push	[ebp+arg_18]
		call	RtlUnicodeStringToAnsiString
		test	eax, eax
		js	loc_8D4B10
		mov	eax, [ebp+arg_18]
		movzx	edi, word ptr [eax]
		mov	eax, [eax+4]
		lea	ecx, [eax+edi]

loc_75DC56:				; CODE XREF: EtwpBuildProcessEvent+238j
		cmp	ecx, eax
		jz	short loc_75DC64
		mov	edx, ecx
		dec	ecx
		cmp	byte ptr [ecx],	5Ch
		jnz	short loc_75DC56
		mov	ecx, edx

loc_75DC64:				; CODE XREF: EtwpBuildProcessEvent+230j
		sub	eax, ecx
		add	edi, eax
		jmp	loc_75DB28
; 

loc_75DC6D:				; CODE XREF: EtwpBuildProcessEvent+6Bj
		mov	dword ptr [edi+18h], 4
		jmp	loc_75DA99
; 

loc_75DC79:				; CODE XREF: EtwpBuildProcessEvent+14Aj
					; EtwpBuildProcessEvent+152j ...
		push	4
		jmp	loc_75DBAC
; 

loc_75DC80:				; CODE XREF: EtwpBuildProcessEvent+129j
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		mov	[eax+4], edi
		jmp	loc_75DB64
; 

loc_75DC8D:				; CODE XREF: EtwpBuildProcessEvent+1E8j
		mov	ecx, edx
		lea	eax, [esi+388h]
		shl	ecx, 4
		add	ecx, ebx
		mov	[ecx], eax
		xor	eax, eax
		mov	[ecx+4], eax
		inc	edx
		mov	dword ptr [ecx+8], 8
		mov	[ecx+0Ch], eax
		jmp	loc_75DC12
EtwpBuildProcessEvent endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpQueryTokenPackageInfo(x, x, x)
_EtwpQueryTokenPackageInfo@12 proc near	; CODE XREF: EtwQueryProcessTelemetryInfo+AAp
					; EtwpBuildProcessEvent+92p ...

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	eax, ecx
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		push	edi
		mov	[ebp+var_1], cl
		mov	[ebp+var_2], cl
		lea	edi, [esi+4]
		mov	[esi], ecx
		mov	[edi], ecx
		lea	ecx, [ebp+var_2]
		push	ecx
		lea	ecx, [ebp-1]
		push	ecx
		push	eax
		call	_PsQueryProcessAttributesByToken@12 ; PsQueryProcessAttributesByToken(x,x,x)
		cmp	[ebp+var_1], 0
		jnz	short loc_75DD0D

loc_75DCE6:				; CODE XREF: EtwpQueryTokenPackageInfo(x,x,x)+8Cj
					; EtwpQueryTokenPackageInfo(x,x,x)+91j
		cmp	dword ptr [esi], 0
		push	2
		pop	ecx
		jnz	short loc_75DCF6
		xor	eax, eax
		mov	[esi], ecx
		mov	[esi+8], ax

loc_75DCF6:				; CODE XREF: EtwpQueryTokenPackageInfo(x,x,x)+3Aj
		cmp	dword ptr [edi], 0
		jnz	short loc_75DD06
		xor	eax, eax
		mov	[edi], ecx
		mov	[esi+108h], ax

loc_75DD06:				; CODE XREF: EtwpQueryTokenPackageInfo(x,x,x)+47j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_75DD0D:				; CODE XREF: EtwpQueryTokenPackageInfo(x,x,x)+32j
		mov	ebx, [ebp+arg_0]
		lea	eax, [esi+108h]
		push	0
		push	edi
		push	eax
		or	dword ptr [ebx], 1
		lea	eax, [esi+8]
		push	esi
		push	eax
		push	[ebp+var_8]
		mov	dword ptr [esi], 100h
		mov	dword ptr [edi], 82h
		call	_RtlQueryPackageIdentity@24 ; RtlQueryPackageIdentity(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_75DD45

loc_75DD3A:				; CODE XREF: EtwpQueryTokenPackageInfo(x,x,x)+99j
		cmp	[ebp+var_2], 0
		jz	short loc_75DCE6
		or	dword ptr [ebx], 8
		jmp	short loc_75DCE6
; 

loc_75DD45:				; CODE XREF: EtwpQueryTokenPackageInfo(x,x,x)+86j
		and	dword ptr [esi], 0
		and	dword ptr [edi], 0
		jmp	short loc_75DD3A
_EtwpQueryTokenPackageInfo@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpQueryProcessOtherInfo proc near	; CODE XREF: EtwQueryProcessTelemetryInfo+F1p
					; EtwpBuildProcessEvent+134p ...

ms_exc		= CPPEH_RECORD ptr -18h

		push	8
		push	offset dword_6A07B8
		call	__SEH_prolog4
		mov	esi, edx
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		push	ecx
		call	_PsGetProcessSectionBaseAddress@4 ; PsGetProcessSectionBaseAddress(x)
		test	eax, eax
		jz	short loc_75DD8D
		and	[ebp+ms_exc.disabled], 0
		push	eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	short loc_75DD86
		mov	ecx, [eax+58h]
		mov	[esi], ecx
		mov	eax, [eax+8]
		mov	[esi+4], eax

loc_75DD86:				; CODE XREF: EtwpQueryProcessOtherInfo+2Bj
					; sub_8D4B1F+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_75DD8D:				; CODE XREF: EtwpQueryProcessOtherInfo+1Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
EtwpQueryProcessOtherInfo endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpQueryProcessCommandLine proc near	; CODE XREF: SepLogUnmatchedSessionFlagImpersonationAttempt(x,x)+6Dp
					; EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+F4p ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D4B27 SIZE 00000026 BYTES

		push	34h
		push	offset dword_6A07D8
		call	__SEH_prolog4
		mov	edi, edx
		mov	[ebp+var_24], edi
		mov	eax, ecx
		xor	ebx, ebx
		mov	[ebp+var_19], bl
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_28], ebx
		xor	ecx, ecx
		mov	[edi], cx
		mov	ecx, [edi+4]
		mov	[ebp+var_20], ecx
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [eax+17Ch]
		mov	eax, [eax+10h]
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_75DF0F
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		lea	ecx, [eax+40h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8D4B27

loc_75DDF4:				; CODE XREF: EtwpQueryProcessCommandLine+176D8Bj
		nop
		mov	esi, [ecx]
		mov	[ebp+var_44], esi
		mov	ecx, [ecx+4]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_40], ecx
		mov	eax, [ebp+var_44]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], ecx
		and	esi, 0FFFEh
		mov	word ptr [ebp+var_3C], si
		jbe	loc_8D4B3B
		test	ecx, ecx
		jz	loc_8D4B35
		test	cl, 1
		jnz	loc_75DF45
		movzx	eax, si
		add	eax, ecx
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	loc_8D4B2E
		cmp	eax, ecx
		jb	loc_8D4B2E

loc_75DE48:				; CODE XREF: EtwpQueryProcessCommandLine+176D92j
		mov	eax, 400h
		mov	ecx, [ebp+var_20]
		cmp	si, ax
		ja	loc_75DF03

loc_75DE59:				; CODE XREF: EtwpQueryProcessCommandLine+16Cj
					; EtwpQueryProcessCommandLine+175j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	si, si
		jz	short loc_75DED5
		movzx	eax, word ptr [edi+2]
		test	ax, ax
		jnz	loc_75DEF9
		push	50777445h
		movzx	eax, si
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_8D4B43
		mov	[ebp+var_19], 1
		mov	[edi+4], ecx
		mov	[edi+2], si

loc_75DE9A:				; CODE XREF: EtwpQueryProcessCommandLine+15Ej
					; EtwpQueryProcessCommandLine+163j
		mov	[ebp+ms_exc.disabled], 1
		movzx	eax, si
		mov	[ebp+var_2C], eax
		push	eax		; size_t
		push	[ebp+var_28]	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_2C]
		shr	ecx, 1
		mov	eax, ebx
		jz	short loc_75DED2
		mov	edx, [ebp+var_20]

loc_75DEC7:				; CODE XREF: EtwpQueryProcessCommandLine+132j
		cmp	[edx+eax*2], bx
		jz	short loc_75DEED

loc_75DECD:				; CODE XREF: EtwpQueryProcessCommandLine+159j
		inc	eax
		cmp	eax, ecx
		jb	short loc_75DEC7

loc_75DED2:				; CODE XREF: EtwpQueryProcessCommandLine+124j
		mov	[edi], si

loc_75DED5:				; CODE XREF: EtwpQueryProcessCommandLine+C5j
		mov	esi, ebx

loc_75DED7:				; CODE XREF: EtwpQueryProcessCommandLine+1A5j
		test	esi, esi
		js	short loc_75DF18

loc_75DEDB:				; CODE XREF: EtwpQueryProcessCommandLine+17Ej
					; sub_8D4B63+12j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_75DEED:				; CODE XREF: EtwpQueryProcessCommandLine+12Dj
		push	20h
		pop	edi
		mov	[edx+eax*2], di
		mov	edi, [ebp+var_24]
		jmp	short loc_75DECD
; 

loc_75DEF9:				; CODE XREF: EtwpQueryProcessCommandLine+CEj
		cmp	si, ax
		jb	short loc_75DE9A
		mov	si, ax
		jmp	short loc_75DE9A
; 

loc_75DF03:				; CODE XREF: EtwpQueryProcessCommandLine+B5j
		mov	si, ax
		mov	word ptr [ebp+var_3C], si
		jmp	loc_75DE59
; 

loc_75DF0F:				; CODE XREF: EtwpQueryProcessCommandLine+3Aj
		mov	si, word ptr [ebp+var_3C]
		jmp	loc_75DE59
; 

loc_75DF18:				; CODE XREF: EtwpQueryProcessCommandLine+13Bj
					; EtwpQueryProcessCommandLine+176DAAj
		cmp	[ebp+var_19], 0
		jz	short loc_75DEDB
		jmp	sub_8D4B63
; 

loc_75DF23:				; DATA XREF: .text:006A07ECo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_75DF31:				; DATA XREF: .text:006A07F0o
		mov	esi, [ebp+var_34]

loc_75DF34:				; CODE XREF: sub_8D4B5B+3j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_24]
		xor	ebx, ebx
		jmp	short loc_75DED7
; 

loc_75DF45:				; CODE XREF: EtwpQueryProcessCommandLine+89j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

; __stdcall ObKillProcess(x)
_ObKillProcess@4:			; CODE XREF: PspRundownSingleProcess(x,x)+19Dp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+18Ch]
		test	esi, esi
		jz	short loc_75DF91
		push	0
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		push	0
		mov	edx, esi
		mov	byte ptr [ebp+ms_exc.disabled],	al
		mov	ecx, edi
		call	ExSweepHandleTable
		push	[ebp+ms_exc.disabled]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		and	dword ptr [edi+18Ch], 0
		mov	ecx, esi
		call	_ExpRemoveHandleTable@4	; ExpRemoveHandleTable(x)
		mov	ecx, esi
		call	ExpFreeHandleTable

loc_75DF91:				; CODE XREF: EtwpQueryProcessCommandLine+1BFj
		pop	edi
		pop	esi
		leave
		retn
EtwpQueryProcessCommandLine endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmCreateProcessAddressSpace proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+FF5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D4B7A SIZE 000000EE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_8], 0
		push	ebx
		push	esi
		mov	esi, ds:_PspMinimumWorkingSet
		mov	[esp+1Ch+var_C], esi
		push	edi
		mov	edi, [ebp+arg_C]
		test	ecx, ecx
		jnz	loc_8D4B7A
		mov	ebx, offset _MiSystemPartition

loc_75DFC3:				; CODE XREF: MmCreateProcessAddressSpace+176BECj
		mov	ecx, ebx
		call	MiMakePartitionActive
		test	eax, eax
		jz	loc_75E193
		push	0
		push	5
		pop	edx
		mov	ecx, ebx
		call	MiChargeCommit
		test	eax, eax
		jz	loc_75E193
		push	offset dword_6D05F4
		call	_RtlRandomEx@4	; RtlRandomEx(x)
		movzx	eax, ax
		lea	ecx, [edi+240h]
		mov	[ecx], eax
		lea	eax, [edi+420h]
		mov	[eax+4], eax
		mov	[eax], eax
		and	dword ptr [edi+41Ch], 0
		call	_PsGetDefaultWsMaximum@0 ; PsGetDefaultWsMaximum()
		mov	edx, [ebp+arg_0]
		cmp	edx, eax
		jnz	loc_8D4B87

loc_75E01D:				; CODE XREF: MmCreateProcessAddressSpace+176C10j
		test	byte ptr [ebp+arg_4], 1
		mov	[ecx+3Ch], esi
		mov	[ecx+50h], edx
		jnz	loc_8D4BAB

loc_75E02D:				; CODE XREF: MmCreateProcessAddressSpace+176C19j
		push	esi
		mov	ecx, edi
		call	_PsChargeProcessQuota@12 ; PsChargeProcessQuota(x,x,x)
		test	eax, eax
		js	loc_8D4BF2
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jz	loc_8D4BEA
		xor	edx, edx
		mov	ecx, offset dword_6D35E0
		inc	edx
		call	MiReservePtes
		mov	[esp+20h+var_4], eax
		test	eax, eax
		jz	loc_8D4BE1
		mov	ecx, edi
		call	MiPaeAllocate
		test	eax, eax
		jz	loc_8D4BD1
		push	[ebp+arg_8]
		mov	ecx, edi
		call	MiAllocateProcessShadow
		test	eax, eax
		js	loc_8D4BBB
		lea	ecx, [esp+20h+var_8]
		call	MiJoinSession
		mov	ecx, edi
		test	eax, eax
		jz	loc_8D4BB4
		push	[ebp+arg_8]
		mov	ebx, [esp+24h+var_4]
		mov	edx, ebx
		mov	dword ptr [edi+224h], 5
		call	MiAllocateTopLevelPage
		mov	edx, [esp+20h+var_8]
		mov	[esp+20h+var_10], eax
		test	edx, edx
		jz	short loc_75E0D5
		mov	[edi+180h], edx
		lea	eax, [edi+0FCh]
		mov	ecx, 10000h
		lock or	[eax], ecx

loc_75E0D5:				; CODE XREF: MmCreateProcessAddressSpace+129j
		mov	ecx, edi
		call	MiInsertNewProcess
		mov	esi, ebx
		mov	ecx, edi
		shl	esi, 9
		mov	edx, esi
		call	MiCreateNewProcessTopLevelMappings
		mov	ecx, 0C0600000h
		call	_MiGetPdeAddress@4 ; MiGetPdeAddress(x)
		mov	edx, [esp+20h+var_10]
		xor	ecx, ecx
		shr	eax, 3
		and	eax, 1FFh
		push	90000006h
		lea	eax, [esi+eax*8]
		mov	[esp+24h+var_4], eax
		call	MiMakeValidPte
		and	[esp+20h+var_10], 0
		mov	esi, eax
		mov	ecx, [esp+20h+var_4]
		and	esi, 0FFFFFEFFh
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_8D4C01

loc_75E131:				; CODE XREF: MmCreateProcessAddressSpace+176CBDj
		mov	eax, [esp+20h+var_10]

loc_75E135:				; CODE XREF: MmCreateProcessAddressSpace+176C82j
					; MmCreateProcessAddressSpace+176C94j ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], esi
		test	eax, eax
		jnz	loc_8D4C58

loc_75E143:				; CODE XREF: MmCreateProcessAddressSpace+176CCDj
		mov	edx, ecx
		mov	ecx, edi
		call	MiInitializePageDirectoryPages
		xor	edx, edx
		mov	ecx, edi
		call	MiCreateNewProcessTopLevelMappings
		mov	esi, [edi+194h]
		mov	ecx, edi
		mov	eax, esi
		and	esi, 0FFFh
		and	eax, 0FFFFF000h
		mov	edx, [eax+8]
		shl	edx, 0Ch
		add	edx, esi
		mov	[edi+18h], edx
		call	MiSyncSystemPdes
		push	1
		mov	edx, ebx
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		mov	al, 1

loc_75E18A:				; CODE XREF: MmCreateProcessAddressSpace+1FFj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_75E193:				; CODE XREF: MmCreateProcessAddressSpace+36j
					; MmCreateProcessAddressSpace+4Aj ...
		xor	al, al
		jmp	short loc_75E18A
MmCreateProcessAddressSpace endp

; 
		align 4

;  S U B	R O U T	I N E 


MiJoinSession	proc near		; CODE XREF: MmCreateProcessAddressSpace+F8p

; FUNCTION CHUNK AT 008D4C68 SIZE 0000000F BYTES

		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, ecx
		mov	edx, [eax+80h]
		and	dword ptr [edi], 0
		test	dword ptr [edx+3A8h], 1000h
		jnz	short loc_75E1DE
		mov	edx, [edx+180h]
		test	edx, edx
		jz	short loc_75E1DE
		mov	esi, [edx]
		test	esi, esi
		jz	short loc_75E1E4

loc_75E1C7:				; CODE XREF: MiJoinSession+176AD4j
		lea	ecx, [esi+1]
		mov	eax, esi
		lock cmpxchg [edx], ecx
		cmp	eax, esi
		jnz	loc_8D4C68
		lock inc dword ptr [edx+0Ch]
		mov	[edi], edx

loc_75E1DE:				; CODE XREF: MiJoinSession+1Dj
					; MiJoinSession+27j
		xor	eax, eax
		inc	eax

loc_75E1E1:				; CODE XREF: MiJoinSession+4Ej
		pop	edi
		pop	esi
		retn
; 

loc_75E1E4:				; CODE XREF: MiJoinSession+2Dj
					; MiJoinSession+176ADAj
		xor	eax, eax
		jmp	short loc_75E1E1
MiJoinSession	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspAllocateProcess(x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x)
_PspAllocateProcess@60 proc near	; CODE XREF: PAGE:007A326Ap
					; PspCreateProcess+20Ep ...

var_40C		= dword	ptr -40Ch
var_3F8		= word ptr -3F8h
var_3F6		= word ptr -3F6h
var_3EE		= word ptr -3EEh
var_3E9		= byte ptr -3E9h
var_3DC		= dword	ptr -3DCh
var_3D8		= dword	ptr -3D8h
var_3CC		= dword	ptr -3CCh
var_3C8		= dword	ptr -3C8h
var_3C4		= dword	ptr -3C4h
var_3C0		= dword	ptr -3C0h
var_3BC		= dword	ptr -3BCh
var_3B8		= dword	ptr -3B8h
var_3B4		= dword	ptr -3B4h
var_3B0		= dword	ptr -3B0h
var_3AC		= dword	ptr -3ACh
var_3A8		= dword	ptr -3A8h
var_3A4		= dword	ptr -3A4h
var_3A0		= dword	ptr -3A0h
var_39C		= dword	ptr -39Ch
var_398		= dword	ptr -398h
var_394		= dword	ptr -394h
var_390		= dword	ptr -390h
var_38C		= dword	ptr -38Ch
var_388		= dword	ptr -388h
var_384		= dword	ptr -384h
var_380		= dword	ptr -380h
var_37C		= dword	ptr -37Ch
var_378		= dword	ptr -378h
var_374		= dword	ptr -374h
var_370		= dword	ptr -370h
var_36C		= dword	ptr -36Ch
var_368		= dword	ptr -368h
var_364		= word ptr -364h
var_35C		= dword	ptr -35Ch
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_31C		= dword	ptr -31Ch
var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2EC		= dword	ptr -2ECh
var_2E8		= dword	ptr -2E8h
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BA		= dword	ptr -2BAh
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A5		= dword	ptr -2A5h
var_2A0		= dword	ptr -2A0h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_60		= dword	ptr -60h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= byte ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h

		push	3FCh
		push	offset dword_6A0800
		call	__SEH_prolog4_GS
		mov	[ebp+var_2D0], edx
		mov	eax, ecx
		mov	[ebp+var_2AC], eax
		mov	[ebp+var_390], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_310], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_2D8], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_2C4], eax
		mov	esi, [ebp+arg_20]
		mov	[ebp+var_2D4], esi
		mov	[ebp+var_398], esi
		mov	eax, [ebp+arg_28]
		mov	[ebp+var_334], eax
		mov	eax, [ebp+arg_2C]
		mov	[ebp+var_31C], eax
		mov	eax, [ebp+arg_30]
		mov	[ebp+var_394], eax
		xor	ebx, ebx
		mov	[ebp+var_39C], ebx
		push	6
		pop	edx
		mov	ecx, edx
		xor	eax, eax
		lea	edi, [ebp+var_60]
		rep stosd
		mov	ecx, edx
		lea	edi, [ebp+var_3B4]
		rep stosd
		lea	edi, [ebp+var_368]
		stosd
		stosd
		stosd
		mov	[ebp+var_328], ebx
		xor	eax, eax
		lea	edi, [ebp+var_3D8]
		stosd
		stosd
		stosd
		mov	eax, ebx
		mov	[ebp+var_2A5+1], eax
		mov	[ebp+var_2B4], eax
		mov	ecx, edx
		lea	edi, [ebp+var_48]
		rep stosd
		mov	ecx, edx
		lea	edi, [ebp+var_78]
		rep stosd
		mov	byte ptr [ebp+var_2BA],	bl
		mov	ecx, edx
		lea	edi, [ebp+var_3CC]
		rep stosd
		mov	[ebp+var_32C], ebx
		mov	[ebp+var_300], ebx
		mov	byte ptr [ebp+var_2BA+1], bl
		mov	[ebp+var_388], ebx
		mov	[ebp+var_2C8], ebx
		push	34h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_40C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_314], ebx
		mov	edi, large fs:124h
		mov	[ebp+var_370], edi
		mov	eax, [edi+80h]
		mov	[ebp+var_2E0], eax
		mov	eax, ebx
		mov	[ebp+var_330], eax
		mov	[ebp+var_2BA+2], eax
		mov	[ebp+var_350], ebx
		mov	[ebp+var_2DC], ebx
		mov	[ebp+var_30C], ebx
		mov	[ebp+var_2C0], ebx
		mov	[ebp+var_2EC], ebx
		mov	[ebp+var_34C], ebx
		mov	[ebp+var_354], ebx
		mov	[ebp+var_304], ebx
		mov	[ebp+var_37C], ebx
		mov	[ebp+var_340], ebx
		mov	[ebp+var_380], ebx
		mov	[ebp+var_378], ebx
		mov	[ebp+var_374], ebx
		push	210h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_2A0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_2B0], eax
		test	eax, 800h
		jz	short loc_75E3C7
		mov	edx, 400h
		mov	[ebp+var_2A5+1], edx
		mov	[ebp+var_2B4], edx
		test	eax, 2000h
		jz	short loc_75E3CD
		mov	edx, 10400h
		mov	[ebp+var_2A5+1], edx
		mov	[ebp+var_2B4], edx
		test	eax, 4000h
		jz	short loc_75E3CD
		mov	edx, 30400h
		mov	[ebp+var_2A5+1], edx
		mov	[ebp+var_2B4], edx
		jmp	short loc_75E3CD
; 

loc_75E3C7:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+19Aj
		mov	edx, [ebp+var_2A5+1]

loc_75E3CD:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1B2j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1CAj ...
		and	eax, 100h
		neg	eax
		sbb	eax, eax
		mov	ecx, [ebp+var_2AC]
		and	eax, ecx
		mov	[ebp+var_2CC], eax
		test	esi, esi
		jz	short loc_75E421
		test	dword ptr [esi+4], 2000h
		jz	short loc_75E421
		test	eax, eax
		jz	short loc_75E3FF
		mov	eax, 0C0000030h
		jmp	loc_75EE5F
; 

loc_75E3FF:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+20Bj
		movzx	eax, word ptr [esi+96h]
		mov	eax, ds:_KeNodeBlock[eax*4]
		mov	[ebp+var_330], eax
		mov	[ebp+var_2BA+2], eax
		mov	[ebp+var_2CC], ebx
		jmp	short loc_75E447
; 

loc_75E421:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1FEj
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+207j
		test	ecx, ecx
		jz	short loc_75E447
		mov	[ebp+var_2CC], eax
		test	dword ptr [ecx+0F8h], 200000h
		jz	short loc_75E447
		mov	[ebp+var_2CC], ecx
		mov	[ebp+var_2C0], 200000h

loc_75E447:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+237j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+23Bj ...
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_90]
		rep stosd
		mov	[ebp+var_348], ebx
		mov	edi, 500h
		mov	[ebp+var_2E8], ebx
		mov	[ebp+var_2F4], ebx
		cmp	ds:_PsDisableDiskCounters, eax
		jnz	short loc_75E48E
		mov	[ebp+var_2E8], edi
		add	edi, 28h
		or	edx, 200h
		mov	[ebp+var_2A5+1], edx
		mov	[ebp+var_2B4], edx

loc_75E48E:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+289j
		call	_PoEnergyEstimationEnabled@0 ; PoEnergyEstimationEnabled()
		test	al, al
		jz	short loc_75E4C0
		lea	esi, [edi+7]
		and	esi, 0FFFFFFF8h
		mov	[ebp+var_2F4], esi
		lea	edi, [esi+1D0h]
		mov	eax, [ebp+var_2A5+1]
		or	eax, 2000h
		mov	[ebp+var_2A5+1], eax
		mov	[ebp+var_2B4], eax

loc_75E4C0:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2ADj
		call	_KeQueryMaximumGroupCount@0 ; KeQueryMaximumGroupCount()
		movzx	eax, ax
		mov	[ebp+var_33C], eax
		mov	[ebp+var_2F0], ebx
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jbe	short loc_75E4EA
		lea	esi, [edi+3]
		and	esi, 0FFFFFFFCh
		mov	[ebp+var_2F0], esi
		lea	edi, [esi+eax*8]

loc_75E4EA:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2F1j
		lea	eax, [ebp+var_300]
		push	eax
		push	edi
		push	ebx
		push	edi
		push	ebx
		mov	eax, [ebp+var_2D0]
		push	eax
		push	[ebp+var_310]
		push	ds:_PsProcessType
		push	eax
		call	_ObCreateObject@36 ; ObCreateObject(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_75EE5F
		mov	edx, 72437350h
		mov	esi, [ebp+var_300]
		mov	[ebp+var_2E4], esi
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		push	edi		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi
		call	_LpcInitializeProcess@4	; LpcInitializeProcess(x)
		lea	ecx, [esi+0F0h]
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	ecx, esi
		call	_PspInitializeProcessLock@4 ; PspInitializeProcessLock(x)
		lea	eax, [esi+1D0h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+3BCh]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+458h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	al, [ebp+arg_4]
		mov	[esi+3A6h], al
		mov	al, [ebp+arg_8]
		mov	[esi+3A4h], al
		mov	al, [ebp+arg_C]
		mov	[esi+3A5h], al
		mov	eax, [ebp+var_2A5+1]
		mov	ecx, eax
		and	ecx, 400h
		mov	[ebp+var_308], ecx
		jz	short loc_75E5B9
		xor	ecx, ecx
		inc	ecx
		or	[esi+3A8h], ecx

loc_75E5B9:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3C6j
		mov	edx, [ebp+var_2B0]
		test	edx, 8000h
		jz	short loc_75E5D8
		push	20h
		pop	edi
		mov	[ebp+var_310], edi
		or	[esi+3A8h], edi
		jmp	short loc_75E5E2
; 

loc_75E5D8:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3DDj
		mov	[ebp+var_310], 20h

loc_75E5E2:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3EEj
		mov	ecx, [ebp+var_2F0]
		test	ecx, ecx
		jz	short loc_75E613
		or	dword ptr [esi+3A8h], 80h
		add	ecx, esi
		mov	[esi+428h], ecx
		mov	edx, [ebp+var_33C]
		lea	ecx, [ecx+edx*4]
		mov	[esi+42Ch], ecx
		mov	edx, [ebp+var_2B0]

loc_75E613:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+402j
		xor	ecx, ecx
		inc	ecx
		test	[ebp+arg_1C], cl
		jz	short loc_75E625
		or	dword ptr [esi+3A8h], 1000h

loc_75E625:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+431j
		test	[ebp+arg_1C], 4
		jz	short loc_75E635
		or	dword ptr [esi+3A8h], 800000h

loc_75E635:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+441j
		test	[ebp+arg_1C], 8
		jz	short loc_75E645
		or	dword ptr [esi+3A8h], 8000000h

loc_75E645:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+451j
		mov	ecx, [ebp+var_2E0]
		mov	ecx, [ecx+0E4h]
		test	edx, 200h
		jnz	short loc_75E65C
		or	ecx, 2

loc_75E65C:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+46Fj
		mov	[esi+178h], ecx
		mov	edx, 200h
		test	eax, edx
		jz	short loc_75E679
		mov	ecx, [ebp+var_2E8]
		add	ecx, esi
		mov	[esi+3D0h], ecx

loc_75E679:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+481j
		test	eax, 2000h
		jz	short loc_75E693
		mov	ecx, [ebp+var_2F4]
		add	ecx, esi
		mov	[esi+3E0h], ecx
		call	_PoEnergyContextInitialize@4 ; PoEnergyContextInitialize(x)

loc_75E693:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+496j
		mov	edi, [ebp+var_2D4]
		test	edi, edi
		jz	short loc_75E6AA
		test	[edi+4], edx
		jz	short loc_75E6AA
		mov	eax, [edi+0C0h]
		jmp	short loc_75E6BF
; 

loc_75E6AA:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4B3j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4B8j
		mov	eax, [ebp+var_2AC]
		test	eax, eax
		jz	short loc_75E6BC
		mov	eax, [eax+1E0h]
		jmp	short loc_75E6BF
; 

loc_75E6BC:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4CAj
		xor	eax, eax
		inc	eax

loc_75E6BF:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4C0j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4D2j
		lea	ecx, [esi+1E0h]
		mov	[ebp+var_33C], ecx
		mov	[ecx], eax
		mov	dword ptr [esi+34Ch], 103h
		mov	eax, [ebp+var_2AC]
		test	eax, eax
		jz	short loc_75E707
		mov	edx, [eax+0FCh]
		mov	ecx, [eax+0F8h]
		shr	ecx, 0Ch
		and	ecx, 7
		mov	eax, [eax+0E4h]
		mov	[esi+170h], eax
		and	edx, 38000000h
		jmp	short loc_75E713
; 

loc_75E707:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4F7j
		call	_MmGetDefaultPagePriority@0 ; MmGetDefaultPagePriority()
		mov	ecx, eax
		mov	edx, 10000000h

loc_75E713:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+51Dj
		lea	eax, [esi+0FCh]
		mov	[ebp+var_2F4], eax
		mov	eax, [eax]
		and	eax, 0C7FFFFFFh
		or	eax, edx
		mov	edx, [ebp+var_2F4]
		mov	[edx], eax
		lea	edx, [esi+0F8h]
		mov	[ebp+var_2F0], edx
		mov	eax, [edx]
		and	eax, 0FFFF8FFFh
		shl	ecx, 0Ch
		or	eax, ecx
		mov	[edx], eax
		mov	edx, [ebp+var_2D8]
		cmp	[ebp+var_308], ebx
		jnz	short loc_75E789
		mov	[ebp+var_2EC], edx
		test	edx, edx
		jz	loc_75E85E
		test	[ebp+var_2B0], 1000h
		jz	short loc_75E77C

loc_75E772:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+687j
		mov	ebx, 0C0000030h
		jmp	loc_75EE28
; 

loc_75E77C:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+588j
		mov	ecx, edx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, [ebp+var_2D8]

loc_75E789:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+56Ej
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+67Ej ...
		lea	eax, [esi+15Ch]
		mov	[ebp+var_344], eax
		mov	[eax], edx
		mov	[ebp+var_2E8], ebx
		test	edi, edi
		jz	loc_75EC49
		mov	eax, [edi+118h]
		mov	[esi+3A0h], eax
		lea	eax, [edi+1Ch]
		push	eax
		push	4
		push	edx
		call	_MmGetSectionInformation@12 ; MmGetSectionInformation(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_75EE28
		mov	ecx, [edi+4Ch]
		mov	al, [edi+3Fh]
		mov	byte ptr [ebp+var_2A5],	al
		movzx	edx, al
		mov	ebx, ecx
		and	ebx, 0F8h
		add	ebx, ebx
		mov	eax, ecx
		and	eax, 2
		or	ebx, eax
		add	ebx, ebx
		xor	eax, eax
		inc	eax
		and	ecx, eax
		or	ebx, ecx
		shl	ebx, 0Bh
		mov	eax, edx
		and	eax, 2
		or	ebx, eax
		shl	ebx, 2
		and	edx, 4
		or	ebx, edx
		shl	ebx, 5
		or	ebx, [ebp+var_2A5+1]
		mov	[ebp+var_308], ebx
		movzx	eax, word ptr [edi+32h]
		mov	[ebp+var_34C], eax
		movzx	eax, word ptr [edi+30h]
		mov	[ebp+var_354], eax
		movzx	edx, word ptr [edi+3Ch]
		test	ebx, 100h
		jz	loc_75E8E2
		mov	eax, 14Ch
		cmp	dx, ax
		jnz	loc_75E8E2
		xor	eax, eax
		inc	eax
		test	byte ptr [ebp+var_2A5],	al
		jz	loc_75E8E2
		mov	ecx, 8000h
		xor	ebx, ebx
		jmp	loc_75E8E6
; 

loc_75E85E:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+578j
		mov	eax, [ebp+var_2AC]
		test	eax, eax
		jz	loc_75E789
		cmp	[ebp+arg_24], ebx
		jnz	loc_75E772
		push	eax
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		test	al, al
		jz	short loc_75E889
		mov	ebx, 0C000000Dh
		jmp	loc_75EE28
; 

loc_75E889:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+695j
		mov	ecx, [ebp+var_2AC]
		lea	ecx, [ecx+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_75E8CA
		mov	eax, [ebp+var_2AC]
		mov	ecx, [eax+15Ch]
		mov	[ebp+var_2D8], ecx
		test	ecx, ecx
		jz	short loc_75E8BF
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebp+var_2AC]

loc_75E8BF:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6CAj
		lea	ecx, [eax+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_75E8CA:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6B4j
		mov	edx, [ebp+var_2D8]
		test	edx, edx
		jnz	loc_75E789
		mov	ebx, 0C000010Ah
		jmp	loc_75EE28
; 

loc_75E8E2:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+647j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+655j ...
		xor	ebx, ebx
		mov	ecx, ebx

loc_75E8E6:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+671j
		mov	eax, [ebp+var_308]
		or	eax, ecx
		mov	[ebp+var_2A5+1], eax
		mov	[ebp+var_2B4], eax
		mov	cx, [edi+38h]
		test	[edi+0Ah], cx
		jz	short loc_75E91A
		push	0
		push	3

loc_75E908:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+74Fj
		mov	ebx, 0C000007Bh

loc_75E90D:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7FCj
		mov	edx, edi
		pop	ecx
		call	PspUpdateCreateInfo
		jmp	loc_75EE28
; 

loc_75E91A:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+71Aj
		test	eax, 8000h
		jnz	short loc_75E939
		cmp	dx, ds:0FFDF002Ch
		jb	short loc_75E933
		cmp	dx, ds:0FFDF002Eh
		jbe	short loc_75E939

loc_75E933:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+740j
		push	0
		push	4
		jmp	short loc_75E908
; 

loc_75E939:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+737j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+749j
		cmp	[ebp+var_2EC], 0
		jz	loc_75ED0B
		movzx	ecx, word ptr [edi+3Ah]
		mov	[ebp+var_2E8], ecx
		lea	eax, [edi+74h]
		push	eax
		push	ebx
		lea	eax, [edi+8Ch]
		push	eax
		call	_RtlOpenImageFileOptionsKey@12 ; RtlOpenImageFileOptionsKey(x,x,x)
		test	eax, eax
		jns	short loc_75E973
		cmp	eax, 0C0000034h
		jnz	short loc_75E970
		or	byte ptr [edi+8], 40h

loc_75E970:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+782j
		mov	[edi+74h], ebx

loc_75E973:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+77Bj
		mov	edx, 72437350h
		mov	ecx, [edi+6Ch]
		call	ObfReferenceObjectWithTag
		mov	eax, [edi+6Ch]
		mov	[esi+1A8h], eax
		mov	eax, [edi+74h]
		test	eax, eax
		jz	loc_75ED0B
		cmp	byte ptr [edi+8], 0
		jl	short loc_75E9E9
		lea	ecx, [ebp+var_2C8]
		push	ecx
		push	2
		lea	ecx, [ebp+var_388]
		push	ecx
		xor	ecx, ecx
		inc	ecx
		push	ecx
		push	(offset	loc_8BE6A8+2)
		push	eax
		call	RtlQueryImageFileKeyOption
		test	eax, eax
		jns	short loc_75E9C8
		cmp	eax, 80000005h
		jz	short loc_75E9DB
		test	eax, eax
		js	short loc_75E9E9

loc_75E9C8:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7D3j
		cmp	[ebp+var_2C8], 2
		jnz	short loc_75E9E9
		cmp	word ptr [ebp+var_388],	0
		jz	short loc_75E9E9

loc_75E9DB:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7DAj
		mov	ebx, 0C0000039h
		push	0
		push	5
		jmp	loc_75E90D
; 

loc_75E9E9:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7B0j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7DEj ...
		mov	[ebp+var_2F8], ebx
		push	ebx
		push	4
		lea	eax, [ebp+var_2F8]
		push	eax
		push	4
		push	offset ??_C@_1BM@LBJILCNA@?$AAU?$AAs?$AAe?$AAL?$AAa?$AAr?$AAg?$AAe?$AAP?$AAa?$AAg?$AAe?$AAs@NNGAKEGL@
		push	dword ptr [edi+74h]
		call	RtlQueryImageFileKeyOption
		test	eax, eax
		js	loc_75EACA
		cmp	[ebp+var_2F8], 0
		jz	loc_75EACA
		mov	eax, [ebp+var_2B0]
		or	eax, 10h
		mov	[ebp+var_2B0], eax
		mov	[ebp+arg_18], eax
		mov	[ebp+var_3B4], 18h
		mov	eax, [edi+74h]
		mov	[ebp+var_3B0], eax
		mov	[ebp+var_3A8], 240h
		mov	[ebp+var_3AC], offset _PspLargePageDLLKeyName
		mov	[ebp+var_3A4], ebx
		mov	[ebp+var_3A0], ebx
		lea	eax, [ebp+var_3B4]
		push	eax
		xor	eax, eax
		inc	eax
		push	eax
		lea	eax, [ebp+var_328]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_75EACA
		mov	[ebp+var_2F8], ebx
		push	ebx
		push	4
		lea	eax, [ebp+var_2F8]
		push	eax
		push	4
		push	offset ??_C@_1BE@GJOFHIHD@?$AAn?$AAt?$AAd?$AAl?$AAl?$AA?4?$AAd?$AAl?$AAl@NNGAKEGL@
		push	[ebp+var_328]
		call	RtlQueryImageFileKeyOption
		test	eax, eax
		js	short loc_75EABE
		cmp	[ebp+var_2F8], 0
		jz	short loc_75EABE
		mov	eax, [ebp+var_2B0]
		or	eax, 20h
		mov	[ebp+var_2B0], eax
		mov	[ebp+arg_18], eax

loc_75EABE:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8B9j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8C2j
		push	ebx
		push	[ebp+var_328]
		call	ObCloseHandle

loc_75EACA:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+822j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+82Fj ...
		cmp	[ebp+var_2CC], 0
		jnz	short loc_75EAF0
		lea	eax, [ebp+var_2BA+2]
		push	eax
		mov	edx, [edi+74h]
		mov	ecx, esi
		call	PspReadIFEONodeOptions
		mov	eax, [ebp+var_2BA+2]
		mov	[ebp+var_330], eax

loc_75EAF0:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8E9j
		mov	[ebp+var_384], ebx
		push	ebx
		push	4
		lea	eax, [ebp+var_384]
		push	eax
		push	4
		push	(offset	loc_8BE765+1)
		push	dword ptr [edi+74h]
		call	RtlQueryImageFileKeyOption
		test	eax, eax
		js	short loc_75EB23
		cmp	[ebp+var_384], 0
		jz	short loc_75EB23
		or	[ebp+var_2C0], 40h

loc_75EB23:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+929j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+932j
		lea	eax, [ebp+var_2C8]
		push	eax
		push	ebx
		push	ebx
		push	3
		push	(offset	loc_8BE785+1)
		push	dword ptr [edi+74h]
		call	RtlQueryImageFileKeyOption
		cmp	eax, 80000005h
		jnz	loc_75EBD5
		cmp	[ebp+var_2C8], 8
		ja	loc_75EBD5
		test	byte ptr [ebp+var_2C8],	7
		jnz	short loc_75EBD5
		push	73437350h
		push	[ebp+var_2C8]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_350], eax
		test	eax, eax
		jnz	short loc_75EB85
		mov	ebx, 0C0000017h
		jmp	loc_75EE28
; 

loc_75EB85:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+991j
		lea	ecx, [ebp+var_2C8]
		push	ecx
		push	[ebp+var_2C8]
		push	eax
		push	3
		push	(offset	loc_8BE785+1)
		push	dword ptr [edi+74h]
		call	RtlQueryImageFileKeyOption
		test	eax, eax
		js	short loc_75EBD5
		test	byte ptr [ebp+var_2C8],	7
		jnz	short loc_75EBD5
		mov	eax, [ebp+var_2A5+1]
		or	eax, 200000h
		mov	[ebp+var_2A5+1], eax
		mov	[ebp+var_2B4], eax
		mov	eax, [ebp+var_2C8]
		shr	eax, 3
		mov	[ebp+var_2DC], eax

loc_75EBD5:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+958j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+965j ...
		mov	[ebp+var_3CC], 18h
		mov	eax, [edi+74h]
		mov	[ebp+var_3C8], eax
		mov	[ebp+var_3C0], 240h
		mov	[ebp+var_3C4], (offset loc_A4078F+1)
		mov	[ebp+var_3BC], ebx
		mov	[ebp+var_3B8], ebx
		lea	eax, [ebp+var_3CC]
		push	eax
		xor	eax, eax
		inc	eax
		push	eax
		lea	eax, [ebp+var_32C]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_75ED0B
		lea	edx, [ebp+var_90]
		mov	ecx, [ebp+var_32C]
		call	PspReadIFEOPerfOptions
		push	ebx
		push	[ebp+var_32C]
		call	ObCloseHandle
		jmp	loc_75ED0B
; 

loc_75EC49:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5B7j
		test	edx, edx
		jz	loc_75ED0B
		lea	eax, [ebp+var_40C]
		push	eax
		push	4
		push	edx
		call	_MmGetSectionInformation@12 ; MmGetSectionInformation(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_75EE28
		movzx	esi, [ebp+var_3E9]
		mov	ecx, [ebp+var_3DC]
		mov	edx, ecx
		and	edx, 0F8h
		add	edx, edx
		mov	eax, ecx
		and	eax, 2
		or	edx, eax
		add	edx, edx
		xor	eax, eax
		inc	eax
		and	ecx, eax
		or	edx, ecx
		shl	edx, 0Bh
		mov	eax, esi
		and	eax, 2
		or	edx, eax
		shl	edx, 2
		and	esi, 4
		or	edx, esi
		shl	edx, 5
		mov	eax, [ebp+var_2A5+1]
		or	eax, edx
		mov	[ebp+var_2A5+1], eax
		mov	[ebp+var_2B4], eax
		movzx	ecx, [ebp+var_3EE]
		mov	[ebp+var_2E8], ecx
		movzx	ecx, [ebp+var_3F6]
		mov	[ebp+var_34C], ecx
		movzx	ecx, [ebp+var_3F8]
		mov	[ebp+var_354], ecx
		mov	esi, [ebp+var_2E4]
		cmp	[ebp+var_2EC], 0
		jnz	short loc_75ED0B
		mov	[ebp+var_30C], 8
		or	eax, 800h
		mov	[ebp+var_2A5+1], eax
		mov	[ebp+var_2B4], eax

loc_75ED0B:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+758j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7A6j ...
		lea	eax, [ebp+var_314]
		push	eax
		push	1Dh
		push	[ebp+var_2C4]
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_75EE28
		xor	ebx, ebx
		mov	eax, [ebp+var_2D0]
		test	al, al
		jz	loc_75EDEC
		test	edi, edi
		jz	short loc_75ED5B
		test	dword ptr [edi+4], 100h
		jz	short loc_75ED5B
		cmp	byte ptr [edi+94h], 4
		jnz	short loc_75ED5B
		mov	[ebp+var_30], 0Eh
		xor	eax, eax
		lea	ebx, [eax+1]

loc_75ED5B:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B53j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B5Cj ...
		cmp	[ebp+arg_24], 0
		jz	short loc_75ED6A
		mov	[ebp+ebx*4+var_30], 3
		inc	ebx

loc_75ED6A:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B77j
		mov	eax, [ebp+var_2B0]
		test	al, 30h
		jz	short loc_75ED7D
		mov	[ebp+ebx*4+var_30], 4
		inc	ebx

loc_75ED7D:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B8Aj
		test	al, al
		jns	short loc_75ED9F
		mov	ecx, [ebp+var_2E0]
		call	_MmIsSessionLeaderProcess@4 ; MmIsSessionLeaderProcess(x)
		test	eax, eax
		mov	eax, [ebp+var_2B0]
		jnz	short loc_75ED9F
		mov	[ebp+ebx*4+var_30], 0Ah
		inc	ebx

loc_75ED9F:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B97j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BACj
		test	eax, 8400h
		jz	short loc_75EDAF
		mov	[ebp+ebx*4+var_30], 7
		inc	ebx

loc_75EDAF:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BBCj
		test	ebx, ebx
		jz	short loc_75EDE6
		lea	eax, [ebp+var_348]
		push	eax
		xor	eax, eax
		cmp	[ebp+arg_24], eax
		setnz	al
		push	eax
		mov	edx, ebx
		lea	ecx, [ebp+var_30]
		call	RtlAcquirePrivilege
		test	eax, eax
		js	short loc_75EDE6
		mov	eax, [ebp+var_2A5+1]
		or	eax, 10h
		mov	[ebp+var_2A5+1], eax
		mov	[ebp+var_2B4], eax

loc_75EDE6:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BC9j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BE7j
		mov	eax, [ebp+var_2D0]

loc_75EDEC:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B4Bj
		test	[ebp+var_2B0], 8400h
		jz	short loc_75EE71
		push	eax
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_75EE71

loc_75EE0E:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+ED0j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+15CAj
		mov	ebx, 0C0000061h

loc_75EE13:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E61j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+EAEj ...
		mov	eax, [ebp+var_2A5+1]

loc_75EE19:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E8Dj
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+EEAj ...
		test	al, 10h
		jz	short loc_75EE28
		mov	ecx, [ebp+var_348]
		call	_RtlReleasePrivilege@4 ; RtlReleasePrivilege(x)

loc_75EE28:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+58Fj
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5D9j ...
		xor	dl, dl
		mov	ecx, esi
		call	_PspRundownSingleProcess@8 ; PspRundownSingleProcess(x,x)
		mov	edx, 72437350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_75EE3D:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1B0Bj
		mov	eax, [ebp+var_350]
		test	eax, eax
		jz	short loc_75EE52
		push	73437350h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_75EE52:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C5Dj
		lea	ecx, [ebp+var_2A0]
		call	_SeDeleteCodeIntegrityOriginClaimMembers@4 ; SeDeleteCodeIntegrityOriginClaimMembers(x)
		mov	eax, ebx

loc_75EE5F:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+212j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+328j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	34h
; 

loc_75EE71:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C0Ej
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C24j
		mov	eax, [ebp+var_2CC]
		test	eax, eax
		jnz	loc_75EF85
		mov	eax, [ebp+var_330]
		test	eax, eax
		jnz	loc_75EF65
		mov	eax, [ebp+var_2AC]
		test	eax, eax
		jz	loc_75EF58
		test	dword ptr [eax+0F8h], 100000h
		jz	short loc_75EF17
		mov	ebx, [ebp+var_2C0]
		or	ebx, 100000h
		movzx	eax, word ptr [eax+72h]
		mov	eax, ds:_KeNodeBlock[eax*4]
		mov	[ebp+var_2BA+2], eax
		movzx	esi, word ptr [eax+88h]

loc_75EECB:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D5Bj
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D60j ...
		mov	[ebp+var_364], si
		movzx	eax, si
		mov	eax, ds:dword_70E328[eax*4]
		mov	[ebp+var_368], eax
		mov	eax, [ebp+var_2BA+2]
		mov	[ebp+var_2CC], eax
		test	eax, eax
		jnz	short loc_75EF6E
		lea	ecx, [ebp+var_368]
		call	KeSelectNodeForAffinity
		mov	ecx, [ebp+arg_18]
		mov	[ebp+var_2B0], ecx
		mov	esi, [ebp+var_300]
		mov	[ebp+var_2E4], esi
		jmp	loc_75EFCA
; 

loc_75EF17:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+CBDj
		call	_PspSelectNodeForProcess@0 ; PspSelectNodeForProcess()
		mov	[ebp+var_2BA+2], eax
		movzx	esi, word ptr [eax+88h]
		cmp	ds:_KeForceGroupAwareness, 0
		jz	short loc_75EF5A
		call	_KeQueryActiveGroupCount@0 ; KeQueryActiveGroupCount()
		xor	ecx, ecx
		inc	ecx
		mov	ebx, [ebp+var_2C0]
		cmp	ax, cx
		jbe	short loc_75EECB
		test	si, si
		jnz	short loc_75EECB
		and	[ebp+var_2BA+2], 0
		mov	esi, ecx
		jmp	loc_75EECB
; 

loc_75EF58:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+CADj
		xor	esi, esi

loc_75EF5A:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D48j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D84j
		mov	ebx, [ebp+var_2C0]
		jmp	loc_75EECB
; 

loc_75EF65:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C9Fj
		movzx	esi, word ptr [eax+88h]
		jmp	short loc_75EF5A
; 

loc_75EF6E:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D08j
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_2B0], eax
		mov	esi, [ebp+var_300]
		mov	[ebp+var_2E4], esi
		jmp	short loc_75EFD0
; 

loc_75EF85:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C91j
		lea	ecx, [ebp+var_324]
		push	ecx
		push	0
		lea	edx, [ebp+var_3D8]
		mov	ecx, eax
		call	_KeQueryAffinityProcess@16 ; KeQueryAffinityProcess(x,x,x,x)
		lea	eax, [ebp+var_3D8]
		push	eax
		lea	eax, [ebp+var_368]
		push	eax
		call	_KeFirstGroupAffinityEx@8 ; KeFirstGroupAffinityEx(x,x)
		movzx	eax, [ebp+var_364]
		movzx	eax, word ptr [ebp+eax*2+var_324]
		mov	eax, ds:_KeNodeBlock[eax*4]
		mov	ebx, [ebp+var_2C0]

loc_75EFCA:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D2Aj
		mov	[ebp+var_2CC], eax

loc_75EFD0:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D9Bj
		mov	eax, [ebp+var_2F4]
		mov	ecx, [ebp+var_30C]
		or	[eax], ecx
		mov	ecx, [ebp+var_2F0]
		or	[ecx], ebx
		mov	eax, [ebp+var_2AC]
		test	eax, eax
		jz	loc_75F227
		and	[ebp+var_338], 0
		xor	ebx, ebx
		mov	[ebp+var_36C], ebx
		mov	byte ptr [ebp+var_2A5],	bl
		cmp	[ebp+arg_24], ebx
		jz	loc_75F0E2
		push	[ebp+var_2D0]
		push	ds:dword_A94A04
		push	ds:_SeAssignPrimaryTokenPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	short loc_75F034
		or	[ebp+var_2A5+1], 4

loc_75F034:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E43j
		lea	edx, [ebp+var_2A5]
		mov	ecx, [ebp+var_2C4]
		call	_SeIsTokenAssignableToProcess@8	; SeIsTokenAssignableToProcess(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_75EE13
		mov	eax, [ebp+var_2A5+1]
		mov	ecx, eax
		shr	ecx, 2
		and	ecx, 1
		mov	[ebp+var_30C], ecx
		cmp	byte ptr [ebp+var_2A5],	0
		jnz	short loc_75F07A
		test	ecx, ecx
		jnz	short loc_75F080
		mov	ebx, 0C0000061h
		jmp	loc_75EE19
; 

loc_75F07A:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E82j
		mov	[ebp+var_30C], ecx

loc_75F080:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E86j
		lea	eax, [ebp+var_36C]
		push	eax
		push	[ebp+var_2C4]
		call	_SeQuerySessionIdToken@8 ; SeQuerySessionIdToken(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_75EE13
		mov	ecx, [ebp+var_2E0]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ebx, [ebp+var_36C]
		cmp	ebx, eax
		jz	short loc_75F10F
		cmp	[ebp+var_30C], 0
		jz	loc_75EE0E
		mov	eax, [ebp+var_2A5+1]
		test	byte ptr [ebp+var_2B0],	80h
		jz	short loc_75F0D7
		mov	ebx, 0C000000Dh
		jmp	loc_75EE19
; 

loc_75F0D7:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+EE3j
		or	eax, 1

loc_75F0DA:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F25j
		mov	[ebp+var_2A5+1], eax
		jmp	short loc_75F115
; 

loc_75F0E2:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E24j
		cmp	[ebp+var_2EC], ebx
		jnz	short loc_75F10F
		mov	ecx, eax
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ebx, eax
		mov	ecx, [ebp+var_2E0]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		xor	ecx, ecx
		cmp	ebx, eax
		setnz	cl
		mov	eax, [ebp+var_2A5+1]
		or	eax, ecx
		jmp	short loc_75F0DA
; 

loc_75F10F:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+EC7j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F00j
		mov	eax, [ebp+var_2A5+1]

loc_75F115:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+EF8j
		and	eax, 1
		mov	[ebp+var_308], eax
		jz	short loc_75F151
		lea	eax, [ebp+var_338]
		push	eax
		lea	edx, [ebp+var_60]
		mov	ecx, ebx
		call	_PspAttachSession@12 ; PspAttachSession(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_75F145
		mov	eax, [ebp+var_2A5+1]
		and	eax, 0FFFFFFFEh
		jmp	loc_75EE19
; 

loc_75F145:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F4Dj
		mov	eax, [ebp+var_2F0]
		or	dword ptr [eax], 80h

loc_75F151:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F36j
		mov	al, byte ptr [ebp+var_2A5]
		cmp	[ebp+arg_24], 0
		jz	short loc_75F196
		test	al, al
		jnz	short loc_75F19A
		push	[ebp+var_2C4]
		mov	edx, esi
		xor	ecx, ecx
		call	PspAssignProcessQuotaBlock
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_75F1AF
		cmp	[ebp+var_308], 0
		jz	loc_75EE13
		lea	edx, [ebp+var_60]
		mov	ecx, [ebp+var_338]
		call	_PspDetachSession@8 ; PspDetachSession(x,x)
		jmp	loc_75EE13
; 

loc_75F196:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F73j
		test	al, al
		jz	short loc_75F1A2

loc_75F19A:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F77j
		mov	edx, [ebp+var_2E0]
		jmp	short loc_75F1A8
; 

loc_75F1A2:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+FB0j
		mov	edx, [ebp+var_2AC]

loc_75F1A8:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+FB8j
		mov	ecx, esi
		call	_PspInheritQuota@8 ; PspInheritQuota(x,x)

loc_75F1AF:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F8Cj
		mov	ecx, [ebp+var_8C]
		xor	eax, eax
		inc	eax
		and	ecx, eax
		mov	edx, [ebp+var_7C]
		jnz	short loc_75F1C5
		mov	edx, ds:_PspMaximumWorkingSet

loc_75F1C5:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+FD5j
		push	esi
		mov	ebx, [ebp+var_2CC]
		movzx	eax, word ptr [ebx+8Ah]
		inc	eax
		push	eax
		push	ecx
		push	edx
		mov	ecx, [ebp+var_334]
		call	MmCreateProcessAddressSpace
		movzx	ecx, al
		xor	edx, edx
		inc	edx
		and	ecx, edx
		shl	ecx, 5
		mov	eax, [ebp+var_2A5+1]
		or	eax, ecx
		mov	[ebp+var_2A5+1], eax
		mov	[ebp+var_2B4], eax
		test	al, dl
		jz	short loc_75F219
		lea	edx, [ebp+var_60]
		mov	ecx, [ebp+var_338]
		call	_PspDetachSession@8 ; PspDetachSession(x,x)
		mov	eax, [ebp+var_2A5+1]

loc_75F219:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+101Bj
		test	al, 20h
		jnz	short loc_75F251
		mov	ebx, 0C000009Ah
		jmp	loc_75EE19
; 

loc_75F227:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E06j
		xor	edx, edx
		mov	ecx, esi
		call	_PspInheritQuota@8 ; PspInheritQuota(x,x)
		xor	eax, eax
		inc	eax
		mov	[esi+74h], al
		call	MmInitializeHandBuiltProcess
		mov	ebx, eax
		mov	eax, [ebp+var_2A5+1]
		test	ebx, ebx
		js	loc_75EE19
		mov	ebx, [ebp+var_2CC]

loc_75F251:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1033j
		mov	[ebp+var_334], eax
		mov	eax, 40000h
		mov	edx, [ebp+var_2F4]
		lock or	[edx], eax
		mov	eax, [ebp+var_33C]
		mov	eax, [eax]
		shr	eax, 2
		xor	ecx, ecx
		inc	ecx
		and	eax, ecx
		push	eax
		mov	ecx, esi
		call	_MmGetSessionSchedulingGroupByProcess@4	; MmGetSessionSchedulingGroupByProcess(x)
		push	eax
		push	ebx
		lea	eax, [ebp+var_368]
		push	eax
		push	8
		pop	edx
		call	_KeInitializeProcess@24	; KeInitializeProcess(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_75EE13
		test	edi, edi
		jz	loc_75F342
		mov	eax, [edi+0FCh]
		mov	[ebp+var_304], eax
		mov	eax, [edi+100h]
		mov	[ebp+var_37C], eax
		mov	eax, [edi+10Ch]
		mov	[ebp+var_380], eax
		mov	eax, [edi+110h]
		mov	[ebp+var_378], eax
		mov	eax, [edi+7Ch]
		mov	[ebp+var_374], eax
		mov	ebx, [edi+104h]
		mov	ecx, [edi+108h]
		mov	[ebp+var_2FC], ecx
		mov	ecx, [edi+6Ch]
		test	ecx, ecx
		jz	short loc_75F34C
		lea	edx, [ebp+var_2A0]
		call	_SeGetCodeIntegrityOriginClaimForFileObject@8 ;	SeGetCodeIntegrityOriginClaimForFileObject(x,x)
		test	eax, eax
		js	short loc_75F34C
		cmp	[ebp+var_2A0], 0
		jnz	short loc_75F335
		test	ebx, ebx
		jz	short loc_75F335
		cmp	[ebp+var_2FC], 20Ch
		jnz	short loc_75F335
		mov	ecx, 83h
		mov	esi, ebx
		lea	edi, [ebp+var_2A0]
		rep movsd
		mov	esi, [ebp+var_2E4]
		mov	edi, [ebp+var_2D4]

loc_75F335:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1120j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1124j ...
		lea	ebx, [ebp+var_2A0]
		mov	eax, 210h
		jmp	short loc_75F352
; 

loc_75F342:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+10B2j
		mov	ebx, [ebp+var_340]
		mov	eax, ebx
		jmp	short loc_75F352
; 

loc_75F34C:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1108j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1117j
		mov	eax, [ebp+var_2FC]

loc_75F352:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1158j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1162j
		push	[ebp+var_31C]
		push	[ebp+var_374]
		push	[ebp+var_378]
		push	[ebp+var_380]
		push	eax
		push	ebx
		push	[ebp+var_37C]
		push	0
		mov	eax, [ebp+var_2A5+1]
		shr	eax, 0Bh
		xor	ecx, ecx
		inc	ecx
		and	eax, ecx
		push	eax
		push	[ebp+var_304]
		push	[ebp+arg_24]
		push	[ebp+var_2C4]
		mov	edx, esi
		mov	ecx, [ebp+var_2AC]
		call	PspInitializeProcessSecurity
		mov	ebx, eax
		test	ebx, ebx
		js	loc_75EE13
		mov	byte ptr [esi+1BBh], 2
		mov	edx, [ebp+var_2AC]
		test	edx, edx
		jz	short loc_75F409
		mov	al, [edx+1BBh]
		xor	ecx, ecx
		inc	ecx
		cmp	al, cl
		jz	short loc_75F3CB
		cmp	al, 5
		jnz	short loc_75F3D1

loc_75F3CB:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11DDj
		mov	[esi+1BBh], al

loc_75F3D1:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11E1j
		test	edi, edi
		jz	short loc_75F3DD
		mov	ecx, [edi+0B4h]
		jmp	short loc_75F3DF
; 

loc_75F3DD:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11EBj
		xor	ecx, ecx

loc_75F3DF:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11F3j
		test	edi, edi
		jz	short loc_75F3EB
		mov	eax, [edi+0B0h]
		jmp	short loc_75F3ED
; 

loc_75F3EB:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11F9j
		xor	eax, eax

loc_75F3ED:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1201j
		push	ecx
		push	eax
		mov	eax, [ebp+var_2B0]
		and	al, 4
		movzx	ecx, al
		neg	ecx
		sbb	ecx, ecx
		and	ecx, edx
		mov	edx, esi
		call	ObInitProcess
		jmp	short loc_75F422
; 

loc_75F409:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11D0j
		mov	eax, [ebp+var_2E0]
		mov	eax, [eax+18Ch]
		mov	[esi+18Ch], eax
		mov	ecx, esi
		call	MmInitializeHandBuiltProcess2

loc_75F422:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+121Fj
		mov	ebx, eax
		test	ebx, ebx
		js	loc_75EE13
		mov	ebx, [ebp+var_2D0]
		test	byte ptr [ebp+var_90], 7
		jz	short loc_75F449
		push	ebx
		lea	edx, [ebp+var_90]
		mov	ecx, esi
		call	PspApplyIFEOPerfOptions

loc_75F449:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1251j
		test	[ebp+var_2A5+1], 200000h
		jz	short loc_75F46C
		xor	eax, eax
		inc	eax
		push	eax
		push	[ebp+var_350]
		mov	edx, [ebp+var_2DC]
		mov	ecx, esi
		call	_KeSetCpuSetsProcess@16	; KeSetCpuSetsProcess(x,x,x,x)

loc_75F46C:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+126Bj
		test	edi, edi
		jz	short loc_75F493
		test	dword ptr [edi+4], 100h
		jz	short loc_75F493
		push	ebx
		push	0
		mov	dl, [edi+94h]
		mov	ecx, esi
		call	PspSetProcessPriorityClass
		mov	ebx, eax
		test	ebx, ebx
		js	loc_75EE13

loc_75F493:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1286j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+128Fj
		push	0
		push	0
		lea	eax, [ebp+var_2BA+1]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	_PspComputeQuantumAndPriority@20 ; PspComputeQuantumAndPriority(x,x,x,x,x)
		mov	[esi+68h], al
		mov	al, byte ptr [ebp+var_2BA+1]
		mov	[esi+69h], al
		xor	ebx, ebx
		mov	[ebp+var_2BA+2], ebx
		and	[ebp+var_304], ebx
		lea	edx, [ebp+var_48]
		mov	ecx, edi
		call	_PspReadIFEOMitigationOptions@8	; PspReadIFEOMitigationOptions(x,x)
		sub	esp, 18h
		push	6
		pop	ecx
		lea	esi, [ebp+var_48]
		mov	edi, esp
		rep movsd
		sub	esp, 18h
		push	6
		pop	ecx
		mov	esi, offset _PspSystemMitigationOptions
		mov	edi, esp
		rep movsd
		lea	ecx, [ebp+var_48]
		call	_PspInheritMitigationOptions@52	; PspInheritMitigationOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)
		lea	edx, [ebp+var_78]
		mov	ecx, [ebp+var_2D4]
		call	PspReadIFEOMitigationAuditOptions
		sub	esp, 18h
		push	6
		pop	ecx
		lea	esi, [ebp+var_78]
		mov	edi, esp
		rep movsd
		sub	esp, 18h
		push	6
		pop	ecx
		mov	esi, offset _PspSystemMitigationAuditOptions
		mov	edi, esp
		rep movsd
		lea	ecx, [ebp+var_78]
		call	_PspInheritMitigationAuditOptions@52 ; PspInheritMitigationAuditOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	eax, [ebp+var_44]
		shr	eax, 10h
		and	[ebp+var_31C], ebx
		and	eax, 3
		shl	eax, 10h
		mov	[ebp+var_2C4], eax
		mov	edi, [ebp+var_2D4]
		test	edi, edi
		jz	short loc_75F5AF
		test	dword ptr [edi+4], 10000h
		jz	short loc_75F577
		lea	esi, [edi+0D0h]
		sub	esp, 18h
		push	6
		pop	ecx
		mov	edi, esp
		rep movsd
		sub	esp, 18h
		push	6
		pop	ecx
		lea	esi, [ebp+var_48]
		mov	edi, esp
		rep movsd
		lea	ecx, [ebp+var_48]
		call	_PspInheritMitigationOptions@52	; PspInheritMitigationOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, [ebp+var_2D4]

loc_75F577:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1362j
		test	edi, edi
		jz	short loc_75F5AF
		test	dword ptr [edi+4], 8000000h
		jz	short loc_75F5AF
		lea	esi, [edi+128h]
		sub	esp, 18h
		push	6
		pop	ecx
		mov	edi, esp
		rep movsd
		sub	esp, 18h
		push	6
		pop	ecx
		lea	esi, [ebp+var_78]
		mov	edi, esp
		rep movsd
		lea	ecx, [ebp+var_78]
		call	_PspInheritMitigationAuditOptions@52 ; PspInheritMitigationAuditOptions(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, [ebp+var_2D4]

loc_75F5AF:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1359j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1391j ...
		mov	eax, [ebp+var_2C4]
		cmp	[ebp+var_314], ebx
		jz	short loc_75F5C6
		or	eax, 4
		mov	[ebp+var_2C4], eax

loc_75F5C6:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+13D3j
		test	al, 4
		jz	short loc_75F5D5
		or	eax, 100h
		mov	[ebp+var_2C4], eax

loc_75F5D5:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+13E0j
		test	eax, 0FF00h
		jz	short loc_75F5E4
		lea	ecx, [ebp+var_48]
		call	_PspHardenMitigationOptions@4 ;	PspHardenMitigationOptions(x)

loc_75F5E4:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+13F2j
		mov	ecx, [ebp+var_40]
		mov	[ebp+var_31C], ecx
		mov	eax, [ebp+var_3C]
		and	eax, 0EFFFFFFFh
		or	eax, 20000000h
		mov	[ebp+var_340], eax
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], eax
		mov	ecx, [ebp+var_2E8]
		mov	edx, ecx
		and	edx, 4000h
		mov	eax, [ebp+var_2A5+1]
		mov	esi, eax
		and	esi, 180h
		neg	esi
		sbb	esi, esi
		neg	esi
		shr	ecx, 4
		and	ecx, 2
		or	esi, ecx
		mov	ecx, edx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 8
		or	esi, ecx
		or	esi, [ebp+var_2C4]
		test	dx, dx
		jz	short loc_75F64D
		test	eax, 40000h
		jnz	short loc_75F653

loc_75F64D:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+145Cj
		and	[ebp+var_310], ebx

loc_75F653:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1463j
		mov	ecx, eax
		shr	ecx, 1
		and	ecx, 7C00000h
		mov	edx, eax
		and	edx, 100000h
		or	ecx, edx
		shr	ecx, 2
		or	ecx, esi
		or	ecx, [ebp+var_310]
		and	eax, 400h
		mov	[ebp+var_2DC], eax
		jz	short loc_75F6DA
		mov	edx, [ebp+var_31C]
		and	edx, 0FFFFFFFEh
		mov	eax, [ebp+var_340]
		and	eax, 0EFFFFFFFh
		or	edx, 2
		or	eax, 20000000h
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_48]
		and	eax, 0FFFCFFFFh
		mov	edx, [ebp+var_44]
		and	edx, 0FFFFFEFFh
		or	edx, 200h
		mov	[ebp+var_44], edx
		test	[ebp+arg_1C], 2
		jz	short loc_75F6CD
		and	eax, 0FFEFFFFFh
		or	eax, 220000h
		jmp	short loc_75F6D7
; 

loc_75F6CD:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+14D7j
		and	eax, 0FFDFFFFFh
		or	eax, 110000h

loc_75F6D7:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+14E3j
		mov	[ebp+var_48], eax

loc_75F6DA:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1495j
		push	[ebp+var_354]
		push	[ebp+var_34C]
		push	ecx
		lea	eax, [ebp+var_78]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		mov	edx, [ebp+var_2AC]
		mov	esi, [ebp+var_2E4]
		mov	ecx, esi
		call	_PspApplyMitigationOptions@28 ;	PspApplyMitigationOptions(x,x,x,x,x,x,x)
		test	edi, edi
		jz	short loc_75F74C
		mov	edx, edi
		mov	ecx, esi
		call	_PspApplyWin32kFilterOptions@8 ; PspApplyWin32kFilterOptions(x,x)
		test	edi, edi
		jz	short loc_75F74C
		mov	ecx, esi
		call	_PspApplyComponentFilterOptions@8 ; PspApplyComponentFilterOptions(x,x)
		test	edi, edi
		jz	short loc_75F74C
		add	edi, 0D0h
		push	6
		pop	ecx
		lea	esi, [ebp+var_48]
		rep movsd
		mov	edi, [ebp+var_2D4]
		add	edi, 128h
		push	6
		pop	ecx
		lea	esi, [ebp+var_78]
		rep movsd
		mov	esi, [ebp+var_2E4]
		mov	edi, [ebp+var_2D4]

loc_75F74C:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+151Cj
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1529j ...
		lea	eax, [ebp+var_2BA]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	_PsQueryProcessAttributes@12 ; PsQueryProcessAttributes(x,x,x)
		xor	edx, edx
		cmp	[ebp+var_314], edx
		jz	short loc_75F76B
		xor	eax, eax
		lea	edx, [eax+1]

loc_75F76B:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+157Cj
		test	[ebp+var_2B0], 20000h
		jz	short loc_75F77A
		or	edx, 2

loc_75F77A:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+158Dj
		mov	ecx, esi
		call	_SmProcessCreateNotification@8 ; SmProcessCreateNotification(x,x)
		test	byte ptr [ebp+var_2B0],	80h
		jz	short loc_75F7B8
		mov	ecx, [ebp+var_2E0]
		call	_MmIsSessionLeaderProcess@4 ; MmIsSessionLeaderProcess(x)
		test	eax, eax
		jnz	short loc_75F7B8
		push	[ebp+var_2D0]
		push	ds:dword_A94E04
		push	ds:_SeLoadDriverPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_75EE0E

loc_75F7B8:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+15A0j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+15AFj
		cmp	[ebp+var_2DC], ebx
		jnz	loc_75F8E8
		cmp	[ebp+var_2EC], ebx
		jnz	loc_75F8E8
		mov	ecx, [ebp+var_2AC]
		test	ecx, ecx
		jz	loc_75F99C
		mov	eax, [ecx+160h]
		mov	[esi+160h], eax
		mov	eax, [ebp+var_2A5+1]
		shr	eax, 0Bh
		and	eax, 1
		push	eax
		lea	eax, [ebp+arg_18]
		push	eax
		push	0
		mov	edx, ecx
		mov	ecx, esi
		call	MmInitializeProcessAddressSpace
		mov	ebx, eax
		mov	[ebp+var_2BA+2], ebx
		test	ebx, ebx
		js	loc_75EE13
		mov	eax, [ebp+arg_18]
		and	eax, 10h
		shl	eax, 2
		or	eax, [ebp+var_334]
		or	eax, 2
		mov	[ebp+var_2A5+1], eax
		mov	eax, [ebp+var_2AC]
		mov	eax, [eax+1C0h]
		movzx	eax, word ptr [eax+2]
		add	eax, 8
		mov	[ebp+var_31C], eax
		push	61506553h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+1C0h], eax
		test	eax, eax
		jz	short loc_75F8DE
		push	[ebp+var_31C]	; size_t
		mov	ecx, [ebp+var_2AC]
		push	dword ptr [ecx+1C0h] ; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [esi+1C0h]
		lea	eax, [ecx+8]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_2AC]
		mov	eax, [eax+164h]
		mov	[esi+164h], eax
		mov	eax, [ebp+var_2A5+1]
		mov	[ebp+var_2B4], eax
		test	[ebp+arg_18], 1000h
		jz	loc_75F9A2
		mov	eax, [ebp+var_344]
		and	dword ptr [eax], 0
		mov	ecx, [ebp+var_2D8]
		call	ObfDereferenceObject
		mov	eax, [ebp+var_2A5+1]

loc_75F8CD:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+17AFj
		mov	[ebp+var_2A5+1], eax
		mov	[ebp+var_2B4], eax
		jmp	loc_75F9A2
; 

loc_75F8DE:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1677j
		mov	ebx, 0C000009Ah
		jmp	loc_75EE13
; 

loc_75F8E8:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+15D6j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+15E2j
		mov	edx, esi
		mov	ecx, edi
		call	PspInitializeFullProcessImageName
		mov	ebx, eax
		mov	eax, [ebp+var_2A5+1]
		test	ebx, ebx
		js	loc_75EE19
		test	eax, 10000h
		jnz	short loc_75F927
		push	0
		lea	eax, [ebp+arg_18]
		push	eax
		push	[ebp+var_2D8]
		xor	edx, edx
		mov	ecx, esi
		call	MmInitializeProcessAddressSpace
		mov	ebx, eax
		mov	[ebp+var_2BA+2], ebx
		jmp	short loc_75F94B
; 

loc_75F927:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+171Ej
		shr	eax, 11h
		xor	ecx, ecx
		inc	ecx
		and	eax, ecx
		push	eax
		lea	eax, [ebp+arg_18]
		push	eax
		push	0
		mov	edx, [ebp+var_2AC]
		mov	ecx, esi
		call	MmInitializeProcessAddressSpace
		mov	ebx, eax
		mov	[ebp+var_2BA+2], eax

loc_75F94B:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+173Dj
		test	ebx, ebx
		js	loc_75EE13
		test	edi, edi
		jz	short loc_75F971
		mov	ecx, [ebp+var_2D8]
		call	_MmGetImageSectionBasedAddress@4 ; MmGetImageSectionBasedAddress(x)
		mov	ecx, [esi+160h]
		cmp	eax, ecx
		jz	short loc_75F971
		sub	ecx, eax
		add	[edi+1Ch], ecx

loc_75F971:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+176Dj
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1782j
		mov	[ebp+var_304], ebx
		mov	eax, [ebp+var_2A5+1]
		cmp	[ebp+var_2DC], 0
		jnz	short loc_75F989
		or	eax, 2

loc_75F989:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+179Cj
		mov	ecx, [ebp+arg_18]
		and	ecx, 10h
		or	ecx, 2
		shl	ecx, 2
		or	eax, ecx
		jmp	loc_75F8CD
; 

loc_75F99C:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+15F0j
		mov	eax, [ebp+var_2A5+1]

loc_75F9A2:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+16C5j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+16F1j
		test	al, 10h
		jz	short loc_75F9B7
		mov	ecx, [ebp+var_348]
		call	_RtlReleasePrivilege@4 ; RtlReleasePrivilege(x)
		mov	eax, [ebp+var_2A5+1]

loc_75F9B7:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+17BCj
		mov	ecx, eax
		and	ecx, 8
		mov	[ebp+var_2DC], ecx
		jz	short loc_75F9E9
		test	edi, edi
		jz	short loc_75F9E9
		push	edi
		lea	edx, [ebp+var_60]
		mov	ecx, esi
		call	PspSetupReservedUserMappings
		mov	ebx, eax
		mov	[ebp+var_2BA+2], ebx
		test	ebx, ebx
		js	loc_75EE28
		mov	eax, [ebp+var_2A5+1]

loc_75F9E9:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+17DAj
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+17DEj
		mov	ecx, eax
		and	ecx, 2
		mov	[ebp+var_31C], ecx
		jz	loc_75FAF6
		and	[ebp+var_35C], 0
		or	[ebp+var_358], 0FFFFFFFFh
		push	esi
		call	_PsIsProtectedProcess@4	; PsIsProtectedProcess(x)
		mov	ebx, eax
		push	esi
		call	_PsIsProtectedProcessLight@4 ; PsIsProtectedProcessLight(x)
		mov	ecx, eax
		mov	eax, [ebp+var_2A5+1]
		mov	edx, eax
		shr	edx, 7
		and	dl, 1
		and	cl, 1
		shl	cl, 4
		or	dl, cl
		add	dl, dl
		xor	ecx, ecx
		inc	ecx
		and	bl, cl
		or	dl, bl
		add	dl, dl
		mov	ecx, eax
		shr	ecx, 6
		xor	ebx, ebx
		inc	ebx
		and	cl, bl
		or	dl, cl
		mov	cl, byte ptr [ebp+var_35C+3]
		and	cl, 0B8h
		or	dl, cl
		mov	[ebp+var_344], edx
		cmp	[ebp+var_314], 0
		setz	cl
		dec	cl
		and	cl, 2
		mov	dl, byte ptr [ebp+var_2BA]
		and	dl, bl
		or	dl, cl
		shl	dl, 4
		mov	ecx, [ebp+var_344]
		and	cl, 0CFh
		or	dl, cl
		mov	byte ptr [ebp+var_35C+3], dl
		cmp	[ebp+var_2EC], 0
		jz	loc_75FB24
		lea	eax, [esi+17Ch]
		lea	ecx, [ebp+var_368]
		push	ecx
		push	eax
		lea	edx, [ebp+var_35C]
		mov	ecx, esi
		call	_MmCreatePeb@16	; MmCreatePeb(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_75FABD
		and	dword ptr [esi+17Ch], 0
		jmp	loc_75EE28
; 

loc_75FABD:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+18C7j
		cmp	[ebp+var_368], 0
		jz	short loc_75FAF0
		mov	ecx, 0FFCFFFFFh
		mov	eax, [ebp+var_2F0]
		lock and [eax],	ecx
		lea	eax, [ebp+var_39C]
		push	eax
		lea	eax, [ebp+var_368]
		push	eax
		push	0
		xor	eax, eax
		lea	edx, [eax+1]
		mov	ecx, esi
		call	_PspSetProcessAffinitySafe@20 ;	PspSetProcessAffinitySafe(x,x,x,x,x)

loc_75FAF0:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+18DCj
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+19F9j
		mov	eax, [ebp+var_2A5+1]

loc_75FAF6:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+180Cj
		mov	ecx, [ebp+var_2AC]

loc_75FAFC:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A04j
		cmp	[ebp+var_2DC], 0
		jz	loc_75FBF1
		test	edi, edi
		jz	loc_75FBF1
		push	edi
		lea	eax, [ebp+var_60]
		push	eax
		mov	edx, esi
		call	PspSetupUserProcessAddressSpace
		mov	ebx, eax
		jmp	loc_75FC4E
; 

loc_75FB24:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+18A2j
		mov	ecx, [ebp+var_2AC]
		mov	ebx, [ecx+17Ch]
		mov	[esi+17Ch], ebx
		test	eax, 800h
		jnz	loc_75FBE6
		xor	eax, eax
		inc	eax
		mov	byte ptr [ebp+var_35C],	al
		lea	eax, [ebp+var_60]
		push	eax
		push	esi
		call	KeStackAttachProcess
		push	4
		push	480h
		push	ebx
		call	_MmSecureVirtualMemory@12 ; MmSecureVirtualMemory(x,x,x)
		test	eax, eax
		jz	short loc_75FBCB
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+var_35C]
		mov	[ebx], eax
		or	dword ptr [ebx+4], 0FFFFFFFFh
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_2BA+2]
		jmp	short loc_75FBD0
; 

loc_75FB84:				; DATA XREF: .text:006A0814o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_38C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_75FB95:				; DATA XREF: .text:006A0818o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_38C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_2B4]
		mov	[ebp+var_2A5+1], eax
		mov	esi, [ebp+var_300]
		mov	eax, [ebp+var_390]
		mov	[ebp+var_2AC], eax
		mov	edi, [ebp+var_398]
		jmp	short loc_75FBD0
; 

loc_75FBCB:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+197Bj
		mov	ebx, 0C0000141h

loc_75FBD0:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+199Aj
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+19E1j
		lea	eax, [ebp+var_60]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		test	ebx, ebx
		js	loc_75EE28
		jmp	loc_75FAF0
; 

loc_75FBE6:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1953j
		mov	ebx, [ebp+var_2BA+2]
		jmp	loc_75FAFC
; 

loc_75FBF1:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+191Bj
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1923j
		cmp	[ebp+var_31C], 0
		jz	short loc_75FC4E
		test	eax, 800h
		jnz	short loc_75FC4E
		xor	ebx, ebx
		lea	eax, [ebp+var_60]
		push	eax
		push	esi
		call	KeStackAttachProcess
		mov	edx, esi
		mov	ecx, [ebp+var_370]
		call	PspWritePebAffinityInfo
		cmp	[ebp+var_2DC], ebx
		jz	short loc_75FC45
		mov	ecx, esi
		call	MmMapApiSetView
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_75FC45
		mov	ecx, esi
		call	PspMapSiloSharedDataView
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_75FC45
		xor	edx, edx
		call	PspPrepareSystemDllInitBlock
		mov	ebx, eax

loc_75FC45:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A38j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A45j ...
		lea	eax, [ebp+var_60]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)

loc_75FC4E:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1937j
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A10j ...
		test	ebx, ebx
		js	loc_75EE28
		mov	edi, [ebp+var_370]
		mov	edx, edi
		mov	ecx, esi
		call	_PspLockProcessExclusive@8 ; PspLockProcessExclusive(x,x)
		mov	edx, esi
		mov	ecx, ds:_PspCidTable
		call	_ExCreateHandle@8 ; ExCreateHandle(x,x)
		mov	[esi+0E4h], eax
		test	eax, eax
		jnz	short loc_75FC8F
		mov	edx, edi
		mov	ecx, esi
		call	PspUnlockProcessExclusive
		mov	ebx, 0C000009Ah
		jmp	loc_75EE28
; 

loc_75FC8F:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A92j
		call	_KeQuerySystemTimeUnsafe@0 ; KeQuerySystemTimeUnsafe()
		or	eax, edx
		lea	eax, [esi+100h]
		push	eax
		jz	short loc_75FCA6
		call	_KeQuerySystemTimePrecise@4 ; KeQuerySystemTimePrecise(x)
		jmp	short loc_75FCAB
; 

loc_75FCA6:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1AB5j
		call	KeQuerySystemTime

loc_75FCAB:				; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1ABCj
		call	KeQueryInterruptTime
		mov	[esi+3F0h], eax
		mov	[esi+3F4h], edx
		call	KeQueryUnbiasedInterruptTime
		mov	[esi+3F8h], eax
		mov	[esi+3FCh], edx
		mov	eax, [esi+3F0h]
		mov	[esi+408h], eax
		mov	eax, [esi+3F4h]
		mov	[esi+40Ch], eax
		mov	eax, [ebp+var_394]
		mov	[eax], esi
		mov	ebx, [ebp+var_304]
		jmp	loc_75EE3D
_PspAllocateProcess@60 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspApplyMitigationOptions(x, x, x, x, x, x,	x)
_PspApplyMitigationOptions@28 proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1515p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	[esp+70h+var_64], ecx
		lea	edi, [esp+70h+var_38]
		push	6
		pop	ebx
		mov	[esp+70h+var_5C], edx
		mov	ecx, ebx
		mov	edx, [ebp+arg_0]
		sub	esp, 18h
		mov	esi, edx
		mov	[esp+88h+var_3C], edx
		rep movsd
		mov	esi, eax
		lea	edi, [esp+88h+var_20]
		mov	ecx, ebx
		rep movsd
		mov	edi, esp
		lea	esi, [esp+88h+var_38]
		mov	ecx, ebx
		rep movsd
		call	_PspDecodeMitigationExecuteOptions@24 ;	PspDecodeMitigationExecuteOptions(x,x,x,x,x,x)
		mov	edx, [esp+70h+var_64]
		mov	edi, [esp+70h+var_38]
		mov	ecx, edi
		mov	ebx, [esp+70h+var_34]
		push	2
		mov	[edx+6Bh], al
		mov	eax, ebx
		shrd	ecx, eax, 8
		pop	esi
		and	ecx, 3
		sub	ecx, 1
		jz	short loc_75FD7E
		sub	ecx, esi
		jnz	short loc_75FD8A
		push	8
		lea	eax, [edx+490h]
		pop	ecx
		lock or	[eax], ecx

loc_75FD7E:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+74j
		push	10h
		lea	eax, [edx+490h]
		pop	ecx
		lock or	[eax], ecx

loc_75FD8A:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+78j
		mov	ecx, edi
		mov	eax, ebx
		shrd	ecx, eax, 10h
		push	1
		and	ecx, 3
		pop	eax
		sub	ecx, 0
		jz	short loc_75FDA3
		sub	ecx, esi
		jz	short loc_75FDA8
		jmp	short loc_75FDB4
; 

loc_75FDA3:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+A3j
		test	[ebp+arg_8], al
		jnz	short loc_75FDB4

loc_75FDA8:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+A7j
		push	40h
		lea	eax, [edx+490h]
		pop	ecx
		lock or	[eax], ecx

loc_75FDB4:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+A9j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+AEj
		lea	esi, [edx+490h]
		test	byte ptr [esi],	40h
		mov	[esp+70h+var_58], esi
		jnz	short loc_75FDE6
		mov	ecx, edi
		mov	eax, ebx
		shrd	ecx, eax, 14h
		and	ecx, 3
		sub	ecx, 0
		jz	short loc_75FDDA
		sub	ecx, 1
		jz	short loc_75FDE0
		jmp	short loc_75FDE6
; 

loc_75FDDA:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+D9j
		test	[ebp+arg_8], 2
		jz	short loc_75FDE6

loc_75FDE0:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+DEj
		push	20h
		pop	eax
		lock or	[esi], eax

loc_75FDE6:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+C9j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+E0j	...
		cmp	[esp+70h+var_5C], 0
		jz	short loc_75FE59
		mov	ecx, edi
		mov	eax, ebx
		shrd	ecx, eax, 18h
		and	ecx, 3
		sub	ecx, 0
		jz	short loc_75FE04
		sub	ecx, 1
		jz	short loc_75FE0A
		jmp	short loc_75FE34
; 

loc_75FE04:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+103j
		test	[ebp+arg_8], 4
		jz	short loc_75FE34

loc_75FE0A:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+108j
		mov	ecx, edx
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jz	short loc_75FE30
		xor	ecx, ecx
		lea	edx, [ecx+1]
		mov	ecx, eax
		call	ExEnableHandleExceptions
		mov	ecx, [esp+70h+var_64]
		lea	ecx, [ecx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_75FE30:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+11Bj
		mov	edx, [esp+70h+var_64]

loc_75FE34:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+10Aj
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+110j
		mov	eax, [esp+70h+var_5C]
		test	dword ptr [eax+490h], 1000h
		jz	short loc_75FE59
		and	edi, 0DFFFFFFFh
		mov	[esp+70h+var_34], ebx
		mov	eax, 10000000h
		or	edi, eax
		mov	[esp+70h+var_38], edi

loc_75FE59:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+F3j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+14Aj
		mov	ecx, edi
		mov	eax, ebx
		shrd	ecx, eax, 1Ch
		mov	al, cl
		and	eax, 3
		sub	eax, 1
		jnz	short loc_75FE73
		mov	eax, 3000h
		lock or	[esi], eax

loc_75FE73:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+171j
		test	dword ptr [esi], 1000h
		jnz	short loc_75FE99
		mov	ecx, [esp+70h+var_20]
		mov	eax, [esp+70h+var_1C]
		shrd	ecx, eax, 1Ch
		mov	al, cl
		and	eax, 3
		sub	eax, 1
		jnz	short loc_75FE99
		mov	eax, 2000h
		lock or	[esi], eax

loc_75FE99:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+181j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+197j
		mov	eax, [esp+70h+var_5C]
		test	eax, eax
		jz	short loc_75FEBC
		test	byte ptr [eax+4D0h], 2
		jz	short loc_75FEBC
		mov	ecx, [esp+70h+var_28]
		and	ecx, 0FDFFFFFFh
		or	ecx, 1000000h
		jmp	short loc_75FEC0
; 

loc_75FEBC:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+1A7j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+1B0j
		mov	ecx, [esp+70h+var_28]

loc_75FEC0:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+1C2j
		mov	eax, [esp+70h+var_24]
		mov	[esp+70h+var_48], eax
		mov	[esp+70h+var_4C], ecx
		shrd	ecx, eax, 18h
		mov	al, cl
		and	eax, 3
		sub	eax, 1
		jnz	short loc_75FEE6
		push	6
		lea	eax, [edx+4D0h]
		pop	ecx
		lock or	[eax], ecx

loc_75FEE6:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+1E0j
		add	edx, 4D0h
		test	byte ptr [edx],	2
		jnz	short loc_75FF0D
		mov	ecx, [esp+70h+var_10]
		mov	eax, [esp+70h+var_C]
		shrd	ecx, eax, 18h
		mov	al, cl
		and	eax, 3
		sub	eax, 1
		jnz	short loc_75FF0D
		push	4
		pop	eax
		lock or	[edx], eax

loc_75FF0D:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+1F7j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+20Dj
		mov	eax, ebx
		mov	edx, 200h
		shr	eax, 4
		and	eax, 3
		sub	eax, 1
		jz	short loc_75FF29
		push	2
		pop	ecx
		sub	eax, ecx
		jnz	short loc_75FF31
		lock or	[esi], edx

loc_75FF29:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+225j
		mov	eax, 900h
		lock or	[esi], eax

loc_75FF31:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+22Cj
		mov	edx, [esp+70h+var_2C]
		mov	eax, edx
		shr	eax, 18h
		and	eax, 3
		mov	[esp+70h+var_54], edx
		sub	eax, 1
		mov	eax, 400h
		jnz	short loc_75FF4E
		lock or	[esi], eax

loc_75FF4E:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+251j
		mov	ecx, 100h
		test	[esi], ecx
		jnz	short loc_75FF8E
		mov	eax, [esp+70h+var_1C]
		shr	eax, 4
		and	eax, 3
		sub	eax, 1
		jnz	short loc_75FF7C
		mov	eax, 800h
		lock or	[esi], eax
		mov	ecx, [esp+70h+var_30]
		mov	[esp+70h+var_60], ecx
		mov	ecx, [esp+70h+var_18]
		jmp	short loc_75FFBB
; 

loc_75FF7C:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+26Cj
		mov	eax, [esp+70h+var_30]
		mov	[esp+70h+var_60], eax
		mov	eax, [esp+70h+var_18]
		mov	[esp+70h+var_50], eax
		jmp	short loc_75FFC4
; 

loc_75FF8E:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+25Dj
		mov	ecx, [esp+70h+var_30]
		mov	eax, 2220000h
		and	ecx, 0FEEEFFFFh
		mov	[esp+70h+var_54], edx
		or	ecx, eax
		mov	[esp+70h+var_2C], edx
		mov	[esp+70h+var_60], ecx
		mov	[esp+70h+var_30], ecx
		mov	ecx, [esp+70h+var_18]
		and	ecx, 0FEEEFFFFh
		or	ecx, eax

loc_75FFBB:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+282j
		mov	[esp+70h+var_50], ecx
		mov	ecx, 100h

loc_75FFC4:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+294j
		mov	al, bl
		and	eax, 3
		sub	eax, 1
		mov	eax, 80h
		jnz	short loc_75FFD6
		lock or	[esi], eax

loc_75FFD6:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+2D9j
		mov	eax, ebx
		shr	eax, 8
		and	eax, 3
		sub	eax, 0
		jz	short loc_76003B
		sub	eax, 1
		jz	loc_760076
		push	2
		pop	ecx
		sub	eax, ecx
		jnz	loc_76008E
		cmp	ds:_PspDisableControlFlowGuardExportSuppression, eax
		jnz	short loc_76000A
		lock or	[esi], ecx
		or	ebx, 300h
		jmp	short loc_760016
; 

loc_76000A:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+305j
		and	ebx, 0FFFFFDFFh
		or	ebx, 100h

loc_760016:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+310j
		xor	eax, eax
		mov	[esp+70h+var_34], ebx
		mov	[esp+70h+var_38], edi
		inc	eax
		lock or	[esi], eax
		test	[ebp+arg_8], 10h
		jnz	short loc_76008E
		mov	ecx, [esp+70h+var_64]
		mov	edx, eax
		call	_KeSetCheckStackExtentsProcess@8 ; KeSetCheckStackExtentsProcess(x,x)
		mov	edx, [esp+70h+var_54]
		jmp	short loc_76008E
; 

loc_76003B:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+2E9j
		push	8
		pop	eax
		test	[ebp+arg_8], al
		jz	short loc_76008E

loc_760043:				; DATA XREF: PAGE:??_C@_1DE@GILKAFIA@?$AAE?$AAv?$AAe?$AAn?$AAt?$AA?5?$AAT?$AAr?$AAa?$AAc?$AAi?$AAn?$AAg?$AA?5?$AAf@NNGAKEGL@o
					; PAGE:??_C@_1EE@NGOEOFND@?$AAE?$AAv?$AAe?$AAn?$AAt?$AA?5?$AAT?$AAr?$AAa?$AAc?$AAi?$AAn?$AAg?$AA?5?$AAf@NNGAKEGL@o ...
		and	ebx, 0FFFFFDFFh
		mov	[esp+70h+var_38], edi
		or	ebx, ecx

loc_76004F:				; DATA XREF: PAGE:??_C@_1CK@JHJFKBFG@?$AAO?$AAv?$AAe?$AAr?$AAr?$AAi?$AAd?$AAe?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAV@NNGAKEGL@o
		test	[ebp+arg_8], 20h
		mov	[esp+70h+var_34], ebx
		jz	short loc_760076
		cmp	ds:_PspDisableControlFlowGuardExportSuppression, 0
		jnz	short loc_760076
		push	2
		pop	eax

loc_760065:				; DATA XREF: PAGE:008B88C8o
		lock or	[esi], eax
		or	ebx, 300h
		mov	[esp+70h+var_38], edi

loc_760072:				; DATA XREF: PAGE:??_C@_1BI@GOFOEOMC@?$AAs?$AAv?$AAc?$AAh?$AAo?$AAs?$AAt?$AA?4?$AAe?$AAx?$AAe@NNGAKEGL@o
					; PAGE:off_A41204o
		mov	[esp+70h+var_34], ebx

loc_760076:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+2EEj
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+35Fj ...
		xor	eax, eax
		inc	eax
		lock or	[esi], eax
		test	[ebp+arg_8], 10h
		jnz	short loc_76008E
		mov	eax, [esp+70h+var_64]
		add	eax, 64h
		lock bts dword ptr [eax], 5

loc_76008E:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+2F9j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+330j ...
		mov	ecx, [esp+70h+var_60]
		mov	eax, edx
		shrd	ecx, eax, 8
		mov	al, cl
		and	eax, 3
		sub	eax, 1
		jnz	short loc_7600AD
		inc	eax
		test	[esi], al
		jz	short loc_7600AD
		push	4
		pop	eax
		lock or	[esi], eax

loc_7600AD:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+3A8j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+3ADj
		mov	eax, ebx
		shr	eax, 0Ch
		and	eax, 3
		sub	eax, 1
		jz	short loc_7600E7
		push	2
		pop	ecx
		sub	eax, ecx
		jnz	short loc_760117
		mov	eax, [esp+70h+var_64]
		cmp	byte ptr [eax+3A4h], 6
		jnb	short loc_7600D5
		mov	byte ptr [eax+3A4h], 6

loc_7600D5:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+3D4j
		cmp	byte ptr [eax+3A5h], 6
		jnb	short loc_76010D
		mov	byte ptr [eax+3A5h], 6
		jmp	short loc_76010D
; 

loc_7600E7:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+3C0j
		mov	eax, [esp+70h+var_64]
		push	8
		pop	ecx
		cmp	[eax+3A4h], cl
		jnb	short loc_7600FC
		mov	[eax+3A4h], cl

loc_7600FC:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+3FCj
		push	2
		cmp	[eax+3A5h], cl
		jnb	short loc_76010C
		mov	[eax+3A5h], cl

loc_76010C:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+40Cj
		pop	ecx

loc_76010D:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+3E4j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+3EDj
		mov	eax, (offset loc_7FFFFF+1)
		lock or	[esi], eax
		jmp	short loc_76011C
; 

loc_760117:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+3C7j
		mov	eax, (offset loc_7FFFFF+1)

loc_76011C:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+41Dj
		test	[esi], eax
		jnz	short loc_760142
		mov	eax, [esp+70h+var_1C]
		shr	eax, 0Ch
		and	eax, 3
		sub	eax, 1
		jz	short loc_76013A
		sub	eax, ecx
		jnz	short loc_760142
		mov	eax, 2000000h
		jmp	short loc_76013F
; 

loc_76013A:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+435j
		mov	eax, 1000000h

loc_76013F:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+440j
		lock or	[esi], eax

loc_760142:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+426j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+439j
		mov	ecx, edi
		mov	eax, ebx
		shrd	ecx, eax, 4
		test	cl, 3
		jnz	short loc_760166
		xor	eax, eax
		inc	eax
		test	[esi], al
		jz	short loc_760166
		push	10h
		and	edi, 0FFFFFFDFh
		mov	[esp+74h+var_34], ebx
		pop	eax
		or	edi, eax
		mov	[esp+70h+var_38], edi

loc_760166:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+455j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+45Cj
		mov	ecx, edi
		mov	eax, ebx
		shrd	ecx, eax, 4
		xor	eax, eax
		and	cl, 3
		inc	eax
		cmp	cl, al
		jz	short loc_760199
		mov	eax, [esp+70h+var_1C]
		mov	ecx, [esp+70h+var_20]
		shrd	ecx, eax, 4
		mov	al, cl
		and	eax, 3
		sub	eax, 1
		jnz	short loc_760199
		or	edi, 30h
		mov	[esp+70h+var_34], ebx
		mov	[esp+70h+var_38], edi

loc_760199:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+47Ej
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+494j
		mov	esi, dword ptr [ebp+arg_8]
		mov	ecx, 30000h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, 10000h
		jnz	short loc_7601B6
		and	ebx, 0FFFDFFFFh
		or	ebx, eax
		jmp	short loc_7601C7
; 

loc_7601B6:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+4B2j
		cmp	eax, ecx
		jnz	short loc_7601CF
		mov	eax, ebx
		shr	eax, 10h
		and	al, 3
		cmp	al, 1
		jz	short loc_7601CF
		or	ebx, ecx

loc_7601C7:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+4BCj
		mov	[esp+70h+var_34], ebx
		mov	[esp+70h+var_38], edi

loc_7601CF:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+4C0j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+4CBj
		mov	eax, ebx
		shr	eax, 10h
		and	eax, 3
		sub	eax, 1
		jz	short loc_7601EE
		push	2
		pop	ecx
		sub	eax, ecx
		mov	ecx, [esp+70h+var_58]
		jnz	short loc_7601FA
		mov	eax, 20000h
		jmp	short loc_7601F7
; 

loc_7601EE:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+4E2j
		mov	ecx, [esp+70h+var_58]
		mov	eax, 10000h

loc_7601F7:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+4F4j
		lock or	[ecx], eax

loc_7601FA:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+4EDj
		test	dword ptr [ecx], 30000h
		jnz	short loc_760219
		mov	eax, [esp+70h+var_1C]
		shr	eax, 10h
		and	eax, 3
		sub	eax, 1
		jnz	short loc_760219
		mov	eax, 20000h
		lock or	[ecx], eax

loc_760219:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+508j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+517j
		mov	eax, [esp+70h+var_5C]
		test	eax, eax
		jz	short loc_760241
		test	dword ptr [eax+490h], 80000h
		jz	short loc_760241
		and	ebx, 0FFDFFFFFh
		mov	[esp+70h+var_38], edi
		or	ebx, 100000h
		mov	[esp+70h+var_34], ebx

loc_760241:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+527j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+533j
		mov	eax, ebx
		shr	eax, 14h
		and	eax, 3
		sub	eax, 1
		mov	eax, 80000h
		jnz	short loc_760256
		lock or	[ecx], eax

loc_760256:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+559j
		test	[ecx], eax
		jnz	short loc_760271
		mov	eax, [esp+70h+var_1C]
		shr	eax, 14h
		and	eax, 3
		sub	eax, 1
		jnz	short loc_760271
		mov	eax, 100000h
		lock or	[ecx], eax

loc_760271:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+560j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+56Fj
		mov	eax, [esp+70h+var_5C]
		test	eax, eax
		jz	short loc_76029A
		test	dword ptr [eax+490h], 200000h
		jz	short loc_76029A
		and	ebx, 0FDFFFFFFh
		mov	[esp+70h+var_38], edi
		mov	eax, 1000000h
		or	ebx, eax
		mov	[esp+70h+var_34], ebx

loc_76029A:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+57Fj
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+58Bj
		mov	eax, ebx
		shr	eax, 18h
		and	eax, 3
		sub	eax, 1
		mov	eax, 200000h
		jnz	short loc_7602AF
		lock or	[ecx], eax

loc_7602AF:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+5B2j
		mov	[esp+70h+var_44], 400000h
		test	[ecx], eax
		jnz	short loc_7602D1
		mov	eax, [esp+70h+var_1C]
		shr	eax, 18h
		and	eax, 3
		sub	eax, 1
		jnz	short loc_7602D1
		mov	eax, [esp+70h+var_44]
		lock or	[ecx], eax

loc_7602D1:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+5C1j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+5D0j
		mov	eax, [esp+70h+var_5C]
		test	eax, eax
		jz	short loc_7602F9
		test	dword ptr [eax+490h], 40000h
		jz	short loc_7602F9
		and	ebx, 0DFFFFFFFh
		mov	[esp+70h+var_38], edi
		or	ebx, 10000000h
		mov	[esp+70h+var_34], ebx

loc_7602F9:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+5DFj
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+5EBj
		shr	ebx, 1Ch
		and	ebx, 3
		sub	ebx, 1
		jnz	short loc_76030C
		mov	ebx, 40000h
		lock or	[ecx], ebx

loc_76030C:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+60Aj
		mov	edi, [esp+70h+var_60]
		mov	ecx, 8000000h
		test	eax, eax
		jz	short loc_76033E
		mov	eax, [eax+490h]
		test	eax, 4000000h
		jz	short loc_760368
		push	10h
		and	edi, 0FFFFFFDFh
		pop	eax
		or	edi, eax

loc_76032E:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+677j
		mov	[esp+70h+var_30], edi
		mov	[esp+70h+var_54], edx
		mov	[esp+70h+var_60], edi
		mov	[esp+70h+var_2C], edx

loc_76033E:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+61Fj
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+672j
		mov	ecx, edi
		mov	eax, edx
		shrd	ecx, eax, 4
		mov	eax, 0C000000h
		and	ecx, 3
		sub	ecx, 1
		jz	short loc_760371
		push	2
		pop	ebx
		sub	ecx, ebx
		mov	ebx, [esp+70h+var_58]
		jnz	short loc_760378
		mov	ecx, 8000000h
		lock or	[ebx], ecx
		jmp	short loc_760378
; 

loc_760368:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+62Cj
		test	eax, ecx
		jz	short loc_76033E
		or	edi, 30h
		jmp	short loc_76032E
; 

loc_760371:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+659j
		mov	ebx, [esp+70h+var_58]
		lock or	[ebx], eax

loc_760378:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+664j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+66Ej
		test	[ebx], eax
		jnz	short loc_76039A
		mov	ecx, [esp+70h+var_50]
		mov	eax, [esp+70h+var_14]
		shrd	ecx, eax, 4
		mov	al, cl
		and	eax, 3
		sub	eax, 1
		jnz	short loc_76039A
		mov	eax, 8000000h
		lock or	[ebx], eax

loc_76039A:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+682j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+698j
		mov	ecx, edi
		mov	eax, edx
		shrd	ecx, eax, 1Ch
		push	3
		mov	al, cl
		pop	ecx
		and	eax, ecx
		sub	eax, 1
		jnz	short loc_7603C1
		mov	eax, [esp+70h+var_64]
		xor	ebx, ebx
		add	eax, 494h
		inc	ebx
		lock or	[eax], ebx
		mov	ebx, [esp+70h+var_58]

loc_7603C1:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+6B4j
		mov	edi, [esp+70h+var_64]
		xor	eax, eax
		add	edi, 494h
		inc	eax
		mov	[esp+70h+var_40], edi
		test	[edi], al
		jnz	short loc_7603F4
		mov	ecx, [esp+70h+var_50]
		mov	eax, [esp+70h+var_14]
		shrd	ecx, eax, 1Ch
		push	3
		mov	al, cl
		pop	ecx
		and	eax, ecx
		sub	eax, 1
		jnz	short loc_7603F4
		push	2
		pop	eax
		lock or	[edi], eax

loc_7603F4:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+6DCj
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+6F4j
		mov	al, dl
		and	eax, ecx
		sub	eax, 1
		jnz	short loc_760403
		push	4
		pop	eax
		lock or	[edi], eax

loc_760403:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+703j
		mov	eax, edx
		shr	eax, 10h
		and	eax, ecx
		sub	eax, 1
		mov	eax, 40000000h
		jnz	short loc_760417
		lock or	[ebx], eax

loc_760417:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+71Aj
		mov	eax, edx
		shr	eax, 14h
		and	eax, ecx
		sub	eax, 1
		jnz	short loc_76042B
		mov	eax, 2000h
		lock or	[edi], eax

loc_76042B:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+729j
		test	byte ptr [edi],	4
		jnz	short loc_760441
		mov	al, byte ptr [esp+70h+var_14]
		and	eax, ecx
		sub	eax, 1
		jnz	short loc_760441
		push	8
		pop	eax
		lock or	[edi], eax

loc_760441:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+736j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+741j
		mov	eax, edx
		shr	eax, 8
		and	eax, ecx
		sub	eax, 1
		mov	eax, 400h
		jnz	short loc_760455
		lock or	[edi], eax

loc_760455:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+758j
		test	[edi], eax
		jnz	short loc_76046F
		mov	eax, [esp+70h+var_14]
		shr	eax, 8
		and	eax, ecx
		sub	eax, 1
		jnz	short loc_76046F
		mov	eax, 800h
		lock or	[edi], eax

loc_76046F:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+75Fj
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+76Dj
		mov	ebx, [esp+70h+var_60]
		mov	eax, edx
		mov	ecx, ebx
		shrd	ecx, eax, 10h
		mov	al, cl
		and	eax, 3
		sub	eax, 1
		jnz	short loc_76048B
		push	10h
		pop	eax
		lock or	[edi], eax

loc_76048B:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+78Bj
		test	byte ptr [edi],	10h
		jnz	short loc_7604AC
		mov	ecx, [esp+70h+var_50]
		mov	eax, [esp+70h+var_14]
		shrd	ecx, eax, 10h
		mov	al, cl
		and	eax, 3
		sub	eax, 1
		jnz	short loc_7604AC
		push	20h
		pop	eax
		lock or	[edi], eax

loc_7604AC:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+796j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+7ACj
		mov	ecx, ebx
		mov	eax, edx
		shrd	ecx, eax, 14h
		mov	al, cl
		and	eax, 3
		sub	eax, 1
		jnz	short loc_7604C4
		push	40h
		pop	eax
		lock or	[edi], eax

loc_7604C4:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+7C4j
		test	byte ptr [edi],	40h
		jnz	short loc_7604E7
		mov	ecx, [esp+70h+var_50]
		mov	eax, [esp+70h+var_14]
		shrd	ecx, eax, 14h
		mov	al, cl
		and	eax, 3
		sub	eax, 1
		jnz	short loc_7604E7
		mov	eax, 80h
		lock or	[edi], eax

loc_7604E7:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+7CFj
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+7E5j
		mov	ecx, ebx
		mov	eax, edx
		shrd	ecx, eax, 18h
		mov	al, cl
		and	eax, 3
		sub	eax, 1
		mov	eax, 100h
		jnz	short loc_760501
		lock or	[edi], eax

loc_760501:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+804j
		test	[edi], eax
		jnz	short loc_760523
		mov	eax, [esp+70h+var_14]
		mov	ecx, [esp+70h+var_50]
		shrd	ecx, eax, 18h
		mov	al, cl
		and	eax, 3
		sub	eax, 1
		jnz	short loc_760523
		mov	eax, 200h
		lock or	[edi], eax

loc_760523:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+80Bj
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+821j
		mov	ebx, edx
		shr	ebx, 4
		movzx	eax, bl
		and	eax, 3
		sub	eax, 1
		jz	short loc_76053E
		push	2
		pop	ecx
		sub	eax, ecx
		jnz	short loc_76054C
		mov	edx, ecx
		jmp	short loc_760543
; 

loc_76053E:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+839j
		xor	eax, eax
		lea	edx, [eax+1]

loc_760543:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+844j
		mov	ecx, [esp+70h+var_64]
		call	_PspSetNoChildProcessRestrictedPolicy@8	; PspSetNoChildProcessRestrictedPolicy(x,x)

loc_76054C:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+840j
		xor	eax, eax
		and	bl, 3
		inc	eax
		cmp	bl, al
		mov	ebx, [esp+70h+var_14]
		jz	short loc_760573
		mov	eax, ebx
		shr	eax, 4
		and	eax, 3
		sub	eax, 1
		jnz	short loc_760573
		mov	ecx, [esp+70h+var_64]
		push	3
		pop	edx
		call	_PspSetNoChildProcessRestrictedPolicy@8	; PspSetNoChildProcessRestrictedPolicy(x,x)

loc_760573:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+860j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+86Dj
		mov	eax, [esp+70h+var_5C]
		mov	edx, [esp+70h+var_60]
		test	eax, eax
		jz	short loc_7605AF
		mov	eax, [eax+490h]
		mov	ecx, 10000000h
		test	eax, ecx
		mov	ecx, [esp+70h+var_54]
		jz	short loc_7605B3
		test	eax, 20000000h
		jnz	short loc_7605B3
		and	ecx, 0FFFFDFFFh
		mov	[esp+70h+var_30], edx
		or	ecx, 1000h
		mov	[esp+70h+var_2C], ecx
		jmp	short loc_7605B3
; 

loc_7605AF:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+885j
		mov	ecx, [esp+70h+var_54]

loc_7605B3:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+898j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+89Fj ...
		mov	eax, ecx
		shr	eax, 0Ch
		and	eax, 3
		sub	eax, 1
		jz	short loc_7605CD
		dec	eax
		sub	eax, 1
		jnz	short loc_7605DD
		mov	edi, 30000000h
		jmp	short loc_7605D2
; 

loc_7605CD:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+8C6j
		mov	edi, 10000000h

loc_7605D2:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+8D3j
		mov	eax, [esp+70h+var_58]
		lock or	[eax], edi
		mov	edi, [esp+70h+var_40]

loc_7605DD:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+8CCj
		mov	eax, ecx
		mov	[esp+70h+var_5C], 4000h
		shr	eax, 1Ch
		and	eax, 3
		sub	eax, 0
		jz	short loc_760623
		sub	eax, 1
		jz	short loc_760655
		dec	eax
		sub	eax, 1
		jnz	short loc_76065E
		and	ecx, 0DFFFFFFFh
		mov	[esp+70h+var_30], edx
		mov	edx, [esp+70h+var_5C]
		mov	eax, 10000000h
		or	ecx, eax
		mov	[esp+70h+var_2C], ecx
		lock or	[edi], edx
		mov	eax, 100000h
		lock or	[edi], eax
		jmp	short loc_760662
; 

loc_760623:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+8F8j
		mov	eax, 40000h
		test	esi, eax
		jz	short loc_76065E
		test	esi, 1800000h
		jnz	short loc_76065E
		mov	eax, 100000h
		test	esi, eax
		jz	short loc_760640
		lock or	[edi], eax

loc_760640:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+943j
		and	ecx, 0DFFFFFFFh
		mov	[esp+70h+var_30], edx
		mov	eax, 10000000h
		or	ecx, eax
		mov	[esp+70h+var_2C], ecx

loc_760655:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+8FDj
		mov	edx, [esp+70h+var_5C]
		lock or	[edi], edx
		jmp	short loc_760662
; 

loc_76065E:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+903j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+932j ...
		mov	edx, [esp+70h+var_5C]

loc_760662:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+929j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+964j
		push	3
		shr	ebx, 1Ch
		pop	ecx
		and	ebx, ecx
		sub	ebx, 1
		jnz	short loc_760677
		mov	eax, 8000h
		lock or	[edi], eax

loc_760677:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+975j
		test	[edi], edx
		jnz	short loc_760687
		mov	ebx, [esp+70h+var_4C]
		push	2
		and	ebx, 0FFFFFFFEh
		pop	eax
		jmp	short loc_7606B6
; 

loc_760687:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+981j
		mov	eax, 20000h
		lock or	[edi], eax
		mov	ebx, [esp+70h+var_4C]
		mov	al, bl
		and	al, cl
		jz	short loc_76069F
		cmp	al, cl
		jnz	short loc_7606B0
		jmp	short loc_7606A8
; 

loc_76069F:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+99Fj
		mov	eax, 200000h
		test	esi, eax
		jz	short loc_7606B0

loc_7606A8:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+9A5j
		mov	eax, 80000000h
		lock or	[edi], eax

loc_7606B0:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+9A3j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+9AEj
		xor	eax, eax
		and	ebx, 0FFFFFFFDh
		inc	eax

loc_7606B6:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+98Dj
		mov	edx, [esp+70h+var_48]
		or	ebx, eax
		mov	eax, [esp+70h+var_10]
		movzx	eax, al
		and	eax, ecx
		mov	[esp+70h+var_24], edx
		mov	[esp+70h+var_28], ebx
		sub	eax, 1
		jnz	short loc_7606DA
		mov	eax, 40000h
		lock or	[edi], eax

loc_7606DA:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+9D8j
		mov	ecx, ebx
		mov	eax, edx
		shrd	ecx, eax, 4
		and	ecx, 3
		sub	ecx, 1
		jz	short loc_7606FF
		push	2
		pop	eax
		sub	ecx, eax
		jnz	short loc_760707
		mov	eax, 200000h
		lock or	[edi], eax
		mov	eax, [esp+70h+var_44]
		jmp	short loc_760704
; 

loc_7606FF:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+9F0j
		mov	eax, 200000h

loc_760704:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+A05j
		lock or	[edi], eax

loc_760707:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+9F7j
		mov	ecx, [esp+70h+var_10]
		mov	eax, [esp+70h+var_C]
		shrd	ecx, eax, 4
		mov	al, cl
		and	eax, 3
		sub	eax, 1
		jnz	short loc_760725
		mov	eax, (offset loc_7FFFFF+1)
		lock or	[edi], eax

loc_760725:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+A23j
		mov	ecx, ebx
		mov	eax, edx
		shrd	ecx, eax, 10h
		and	ecx, 3
		sub	ecx, 0
		jz	short loc_76073C
		sub	ecx, 1
		jz	short loc_760742
		jmp	short loc_76074A
; 

loc_76073C:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+A3Bj
		test	[esp+70h+var_44], esi
		jnz	short loc_76074A

loc_760742:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+A40j
		mov	eax, 40000000h
		lock or	[edi], eax

loc_76074A:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+A42j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+A48j
		mov	esi, [esp+70h+var_64]
		shrd	ebx, edx, 14h
		movzx	eax, bl
		and	eax, 3
		sub	eax, 1
		jnz	short loc_760769
		xor	eax, eax
		mov	ecx, esi
		lea	edx, [eax+1]
		call	_PspSetRedirectionTrustPolicy@8	; PspSetRedirectionTrustPolicy(x,x)

loc_760769:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+A63j
		xor	eax, eax
		and	bl, 3
		inc	eax
		cmp	bl, al
		jz	short loc_760793
		mov	eax, [esp+70h+var_10]
		mov	ecx, [esp+70h+var_C]
		shrd	eax, ecx, 14h
		and	eax, 3
		sub	eax, 1
		jnz	short loc_760793
		push	2
		pop	eax
		mov	edx, eax
		mov	ecx, esi
		call	_PspSetRedirectionTrustPolicy@8	; PspSetRedirectionTrustPolicy(x,x)

loc_760793:				; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+A79j
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+A8Dj
		mov	edi, [esp+70h+var_3C]
		lea	esi, [esp+70h+var_38]
		push	6
		pop	eax
		mov	ecx, eax
		rep movsd
		mov	ecx, [esp+70h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
_PspApplyMitigationOptions@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspProcessClose	proc near		; DATA XREF: PspInitPhase0+343o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D4C77 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 1
		push	edi
		mov	edi, [ebp+arg_4]
		jbe	short loc_7607EC

loc_7607C5:				; CODE XREF: PspProcessClose+3Dj
		test	dword ptr [edi+3A8h], 8000h
		jz	short loc_7607D6

loc_7607D1:				; CODE XREF: PspProcessClose+2Fj
					; PspProcessClose+87j ...
		pop	edi
		pop	ebp
		retn	10h
; 

loc_7607D6:				; CODE XREF: PspProcessClose+19j
		mov	ecx, [ebp+arg_0]
		mov	eax, [edi+178h]
		cmp	[ecx+0E4h], eax
		jnz	short loc_7607D1
		jmp	loc_8D4C77
; 

loc_7607EC:				; CODE XREF: PspProcessClose+Dj
		cmp	dword ptr [edi+1D8h], 0
		jnz	short loc_7607C5
		push	ebx
		mov	ebx, large fs:124h
		mov	ecx, edi
		push	esi
		mov	edx, ebx
		mov	esi, 2000000h
		call	_PspLockProcessExclusive@8 ; PspLockProcessExclusive(x,x)
		cmp	dword ptr [edi+1D8h], 0
		jnz	short loc_76082C
		push	8
		pop	edx
		lea	esi, [edi+0FCh]
		mov	eax, [esi]

loc_760820:				; CODE XREF: PspProcessClose+72j
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [esi], ecx
		jnz	short loc_760820
		mov	esi, eax

loc_76082C:				; CODE XREF: PspProcessClose+5Dj
		mov	edx, ebx
		mov	ecx, edi
		call	PspUnlockProcessExclusive
		test	esi, 2000000h
		pop	esi
		pop	ebx
		jnz	short loc_7607D1
		mov	ecx, edi
		call	PspRundownProcess
		jmp	short loc_7607D1
PspProcessClose	endp


;  S U B	R O U T	I N E 


; __stdcall SmProcessCreateNotification(x, x)
_SmProcessCreateNotification@8 proc near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1594p
		test	byte ptr ds:dword_718474, 0Ch
		jz	short loc_76086D
		test	dl, 3
		jnz	short loc_76085C
		mov	eax, 0C000A200h
		retn
; 

loc_76085C:				; CODE XREF: SmProcessCreateNotification(x,x)+Cj
		push	ecx
		mov	edx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		mov	ecx, offset unk_718478
		call	SmpKeyedStoreCreate
		retn
; 

loc_76086D:				; CODE XREF: SmProcessCreateNotification(x,x)+7j
		mov	eax, 0C00000BBh
		retn
_SmProcessCreateNotification@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsQueryProcessAttributes(x,	x, x)
_PsQueryProcessAttributes@12 proc near	; CODE XREF: PfpPrivSourceEnum(x,x,x)+456p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+156Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	edi, edx
		push	ebx
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		push	[ebp+arg_0]
		mov	esi, eax
		push	edi
		push	esi
		call	_PsQueryProcessAttributesByToken@12 ; PsQueryProcessAttributesByToken(x,x,x)
		lea	ecx, [ebx+12Ch]
		mov	edx, esi
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PsQueryProcessAttributes@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspReadIFEOMitigationOptions(x, x)
_PspReadIFEOMitigationOptions@8	proc near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+12DEp

var_20		= dword	ptr -20h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [esp+34h+var_20]
		pop	ecx
		xor	eax, eax
		mov	ebx, edx
		rep stosd
		lea	eax, [esp+30h+var_20]
		mov	edx, offset ??_C@_1CE@NNPBFBMJ@?$AAM?$AAi?$AAt?$AAi?$AAg?$AAa?$AAt?$AAi?$AAo?$AAn?$AAO?$AAp?$AAt?$AAi?$AAo@NNGAKEGL@
		push	ecx
		push	eax
		mov	ecx, esi
		call	_PspReadOptionsMapFromIFEO@16 ;	PspReadOptionsMapFromIFEO(x,x,x,x)
		test	eax, eax
		jns	short loc_7608F6

loc_7608E4:				; CODE XREF: PspReadIFEOMitigationOptions(x,x)+67j
					; PspReadIFEOMitigationOptions(x,x)+74j
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7608F6:				; CODE XREF: PspReadIFEOMitigationOptions(x,x)+3Cj
		sub	esp, 18h
		lea	esi, [esp+48h+var_20]
		push	6
		pop	ecx
		mov	edi, esp
		rep movsd
		mov	cl, 1
		call	_PspValidateMitigationOptions@28 ; PspValidateMitigationOptions(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7608E4
		push	6
		pop	ecx
		lea	esi, [esp+30h+var_20]
		mov	edi, ebx
		rep movsd
		jmp	short loc_7608E4
_PspReadIFEOMitigationOptions@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspReadIFEOMitigationAuditOptions proc near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1310p

var_20		= dword	ptr -20h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [esp+34h+var_20]
		pop	ecx
		xor	eax, eax
		mov	ebx, edx
		rep stosd
		lea	eax, [esp+30h+var_20]
		mov	edx, offset ??_C@_1CO@GNDGOBAE@?$AAM?$AAi?$AAt?$AAi?$AAg?$AAa?$AAt?$AAi?$AAo?$AAn?$AAA?$AAu?$AAd?$AAi?$AAt@NNGAKEGL@ ; "MitigationAuditOptions"
		push	ecx
		push	eax
		mov	ecx, esi
		call	_PspReadOptionsMapFromIFEO@16 ;	PspReadOptionsMapFromIFEO(x,x,x,x)
		test	eax, eax
		jns	sub_8D4C99

loc_76095E:				; CODE XREF: sub_8D4C99+15j
					; sub_8D4C99+26j
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
PspReadIFEOMitigationAuditOptions endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspReadOptionsMapFromIFEO(x, x, x, x)
_PspReadOptionsMapFromIFEO@16 proc near	; CODE XREF: PspReadIFEOMitigationOptions(x,x)+35p
					; PspReadIFEOMitigationAuditOptions+35p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_760988
		mov	eax, [ecx+74h]
		test	eax, eax
		jnz	short loc_760994

loc_760988:				; CODE XREF: PspReadOptionsMapFromIFEO(x,x,x,x)+Fj
		mov	eax, 0C000000Dh

loc_76098D:				; CODE XREF: PspReadOptionsMapFromIFEO(x,x,x,x)+49j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_760994:				; CODE XREF: PspReadOptionsMapFromIFEO(x,x,x,x)+16j
		mov	ebx, [ebp+arg_0]
		lea	ecx, [ebp+var_4]
		push	ecx
		push	18h
		pop	edi
		push	edi
		push	ebx
		push	0
		push	edx
		push	eax
		call	RtlQueryImageFileKeyOption
		mov	esi, eax
		cmp	esi, 80000005h
		jz	short loc_7609D0

loc_7609B3:				; CODE XREF: PspReadOptionsMapFromIFEO(x,x,x,x)+65j
		test	esi, esi
		jns	short loc_7609BB

loc_7609B7:				; CODE XREF: PspReadOptionsMapFromIFEO(x,x,x,x)+5Ej
		mov	eax, esi
		jmp	short loc_76098D
; 

loc_7609BB:				; CODE XREF: PspReadOptionsMapFromIFEO(x,x,x,x)+45j
		mov	eax, [ebp+var_4]
		sub	edi, eax
		push	edi		; size_t
		add	eax, ebx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_7609B7
; 

loc_7609D0:				; CODE XREF: PspReadOptionsMapFromIFEO(x,x,x,x)+41j
		mov	esi, 0C0000004h
		jmp	short loc_7609B3
_PspReadOptionsMapFromIFEO@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspComputeQuantumAndPriority(x, x, x, x, x)
_PspComputeQuantumAndPriority@20 proc near
					; CODE XREF: PspSetProcessPriorityByClass(x,x)+22p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+12BAp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		inc	ecx
		cmp	edx, ecx
		setnz	bl
		dec	bl
		and	bl, 2
		test	eax, eax
		jnz	short loc_760A2C

loc_7609F5:				; CODE XREF: PspComputeQuantumAndPriority(x,x,x,x,x)+64j
					; PspComputeQuantumAndPriority(x,x,x,x,x)+7Ej
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_760A3E

loc_7609FC:				; CODE XREF: PspComputeQuantumAndPriority(x,x,x,x,x)+7Aj
		cmp	edx, 2
		jz	short loc_760A0A

loc_760A01:				; CODE XREF: PspComputeQuantumAndPriority(x,x,x,x,x)+75j
		mov	dl, bl
		mov	ecx, esi
		call	MmSetMemoryPriorityProcess

loc_760A0A:				; CODE XREF: PspComputeQuantumAndPriority(x,x,x,x,x)+27j
		mov	dl, bl
		mov	ecx, esi
		call	PspComputeQuantum
		mov	ecx, [ebp+arg_0]
		mov	[ecx], al
		movzx	eax, byte ptr [esi+1BBh]
		pop	esi
		pop	ebx
		mov	eax, dword ptr ds:_PspPriorityTable[eax*4]
		pop	ebp
		retn	0Ch
; 

loc_760A2C:				; CODE XREF: PspComputeQuantumAndPriority(x,x,x,x,x)+1Bj
		cmp	byte ptr [esi+2A2h], 2
		jnz	short loc_760A39
		test	edx, edx
		jz	short loc_760A54

loc_760A39:				; CODE XREF: PspComputeQuantumAndPriority(x,x,x,x,x)+5Bj
		and	dword ptr [eax], 0
		jmp	short loc_7609F5
; 

loc_760A3E:				; CODE XREF: PspComputeQuantumAndPriority(x,x,x,x,x)+22j
		cmp	byte ptr [esi+2A2h], 0
		jnz	short loc_760A4F
		cmp	edx, ecx
		jnz	short loc_760A4F
		mov	[eax], ecx
		jmp	short loc_760A01
; 

loc_760A4F:				; CODE XREF: PspComputeQuantumAndPriority(x,x,x,x,x)+6Dj
					; PspComputeQuantumAndPriority(x,x,x,x,x)+71j
		and	dword ptr [eax], 0
		jmp	short loc_7609FC
; 

loc_760A54:				; CODE XREF: PspComputeQuantumAndPriority(x,x,x,x,x)+5Fj
		mov	[eax], ecx
		jmp	short loc_7609F5
_PspComputeQuantumAndPriority@20 endp


;  S U B	R O U T	I N E 


PspComputeQuantum proc near		; CODE XREF: PspComputeQuantumAndPriority(x,x,x,x,x)+36p
					; PsChangeQuantumTable+BDp

; FUNCTION CHUNK AT 008D4CC4 SIZE 00000018 BYTES

		cmp	byte ptr [ecx+1BBh], 1
		jz	short loc_760A8D
		mov	ecx, [ecx+158h]
		test	ecx, ecx
		jnz	short loc_760A7F

loc_760A6B:				; CODE XREF: PspComputeQuantum+2Ej
		movzx	eax, dl
		neg	eax
		sbb	eax, eax
		and	eax, ds:_PsPrioritySeparation
		mov	al, byte ptr ds:_PspForegroundQuantum[eax]
		retn
; 

loc_760A7F:				; CODE XREF: PspComputeQuantum+11j
		cmp	ds:_PspUseJobSchedulingClasses,	0
		jz	short loc_760A6B
		jmp	loc_8D4CC4
; 

loc_760A8D:				; CODE XREF: PspComputeQuantum+7j
		mov	al, 6
		retn
PspComputeQuantum endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspInitializeProcessSecurity proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11B2p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

; FUNCTION CHUNK AT 008D4CDC SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		mov	ebx, [ebp+arg_2C]
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		xor	ecx, ecx
		mov	[esp+40h+var_28], edi
		mov	[esp+40h+var_2C], ecx
		mov	word ptr [esp+40h+var_30], cx
		mov	byte ptr [esp+40h+var_30+2], cl
		mov	[ebx], ecx
		mov	[ebx+4], ecx
		mov	[esp+40h+var_20], ecx
		test	edi, edi
		jz	loc_760C46
		mov	eax, [ebp+arg_8]
		mov	ecx, esi
		mov	[esp+40h+var_18], eax
		mov	eax, [ebp+arg_24]
		mov	[esp+40h+var_14], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+40h+var_10], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+40h+var_C], eax
		mov	eax, [ebp+arg_28]
		mov	[esp+40h+var_4], eax
		lea	eax, [esp+40h+var_30]
		push	eax
		push	[ebp+arg_20]
		lea	eax, [esp+48h+var_18]
		mov	[esp+48h+var_8], edi
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	eax
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	eax
		xor	eax, eax
		cmp	[ebp+arg_4], eax
		setz	al
		lea	eax, ds:1[eax*2]
		push	eax
		lea	eax, [esp+60h+var_2C]
		push	eax
		call	SeSubProcessToken
		mov	[esp+40h+var_24], eax
		test	eax, eax
		js	short loc_760B78
		mov	edx, [esp+40h+var_2C]
		lea	ecx, [esi+12Ch]
		call	@ObInitializeFastReference@8 ; ObInitializeFastReference(x,x)
		cmp	[ebp+arg_4], 0
		jnz	loc_760BD9
		cmp	byte ptr [esp+40h+var_30], 0
		jnz	loc_760BD9
		xor	ecx, ecx
		inc	ecx

loc_760B5C:				; CODE XREF: PspInitializeProcessSecurity+14Ej
		cmp	byte ptr [esp+40h+var_30+1], 0
		jnz	loc_8D4CDC
		mov	eax, [ebx+4]

loc_760B6A:				; CODE XREF: PspInitializeProcessSecurity+174251j
		test	eax, eax
		jnz	short loc_760B78
		cmp	byte ptr [esp+40h+var_30+2], al
		jnz	loc_760C24

loc_760B78:				; CODE XREF: PspInitializeProcessSecurity+A3j
					; PspInitializeProcessSecurity+DCj ...
		cmp	dword ptr [ebx], 0
		jnz	short loc_760BE3
		cmp	dword ptr [edi+490h], 0
		jl	short loc_760BE3
		test	dword ptr [esi+3A8h], (offset loc_7FFFFF+1)
		lea	eax, [edi+4A0h]
		mov	[esp+40h+var_2C], eax
		jnz	loc_8D4CE6

loc_760BA0:				; CODE XREF: PspInitializeProcessSecurity+17426Fj
		xor	eax, eax
		xor	edx, edx
		nop
		mov	edi, [esp+40h+var_2C]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		push	edx
		push	eax

loc_760BB3:				; CODE XREF: PspInitializeProcessSecurity+192j
		mov	ecx, esi
		call	PspWriteProcessSecurityDomain
		mov	edi, [esp+40h+var_28]
		mov	ebx, [esp+40h+var_24]

loc_760BC2:				; CODE XREF: PspInitializeProcessSecurity+1C8j
		mov	eax, [esp+40h+var_20]
		test	eax, eax
		jnz	loc_760C5D

loc_760BCE:				; CODE XREF: PspInitializeProcessSecurity+1DAj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	30h
; 

loc_760BD9:				; CODE XREF: PspInitializeProcessSecurity+B8j
					; PspInitializeProcessSecurity+C3j
		xor	ecx, ecx
		inc	ecx
		mov	[ebx], ecx
		jmp	loc_760B5C
; 

loc_760BE3:				; CODE XREF: PspInitializeProcessSecurity+EBj
					; PspInitializeProcessSecurity+F4j ...
		mov	eax, _PsNextSecurityDomain
		mov	edi, offset _PsNextSecurityDomain
		mov	edx, dword_6B5BC4
		mov	ebx, eax
		add	ebx, 1
		mov	[esp+40h+var_1C], eax
		mov	ecx, edx
		mov	[esp+40h+var_2C], edx
		adc	ecx, 0
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [esp+40h+var_1C]
		cmp	eax, ecx
		jnz	short loc_760BE3
		mov	eax, [esp+40h+var_2C]
		cmp	edx, eax
		jnz	short loc_760BE3
		add	ecx, 1
		adc	eax, 0
		push	eax
		push	ecx
		jmp	short loc_760BB3
; 

loc_760C24:				; CODE XREF: PspInitializeProcessSecurity+E2j
		push	edi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	edx, [esp+40h+var_2C]
		mov	ecx, eax
		lea	eax, [ebx+4]
		mov	[esp+40h+var_20], ecx
		push	eax
		call	_PspIdentityBasedJobBreakaway@12 ; PspIdentityBasedJobBreakaway(x,x,x)
		mov	[esp+40h+var_24], eax
		jmp	loc_760B78
; 

loc_760C46:				; CODE XREF: PspInitializeProcessSecurity+33j
		mov	edx, [ebp+arg_0]
		mov	[esi+12Ch], ecx
		mov	ecx, esi
		call	SeAssignPrimaryToken
		xor	ebx, ebx
		jmp	loc_760BC2
; 

loc_760C5D:				; CODE XREF: PspInitializeProcessSecurity+138j
		lea	ecx, [edi+12Ch]
		mov	edx, eax
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		jmp	loc_760BCE
PspInitializeProcessSecurity endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __fastcall ObInitializeFastReference(x, x)
@ObInitializeFastReference@8 proc near	; CODE XREF: PspInitializeProcessSecurity+AFp
					; SeAssignPrimaryToken+45p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_760C8F
		push	ecx
		push	7
		pop	edx
		mov	ecx, esi
		call	ObReferenceObjectExWithTag
		add	esi, 7

loc_760C8A:				; CODE XREF: ObInitializeFastReference(x,x)+21j
		mov	[edi], esi
		pop	edi
		pop	esi
		retn
; 

loc_760C8F:				; CODE XREF: ObInitializeFastReference(x,x)+Aj
		xor	esi, esi
		jmp	short loc_760C8A
@ObInitializeFastReference@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeProcess(x, x, x, x, x, x)
_KeInitializeProcess@24	proc near	; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+352p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+10A1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		lea	eax, [edi+8]
		mov	byte ptr [edi],	3
		mov	[eax+4], eax
		mov	[eax], eax
		xor	eax, eax
		inc	eax
		mov	[edi+68h], dl
		mov	[edi+58h], ax
		mov	[edi+5Ah], ax
		mov	[edi+5Ch], ecx
		mov	[edi+60h], ecx
		test	[ebp+arg_C], al
		jnz	short loc_760D2B

loc_760CC3:				; CODE XREF: KeInitializeProcess(x,x,x,x,x,x)+9Aj
		mov	esi, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	[edi+40h], ax
		mov	[edi+42h], ax
		mov	[edi+44h], ecx
		mov	[edi+48h], ecx
		mov	eax, [esi]
		mov	[edi+48h], eax
		lea	eax, [edi+10h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+4Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+2Ch]
		mov	[edi+7Ch], ecx
		mov	ecx, edi
		mov	[eax+4], eax
		mov	[eax], eax
		mov	byte ptr [edi+69h], 6
		movzx	eax, word ptr [esi+4]
		push	eax
		call	_KiSetIdealNodeProcessByGroup@12 ; KiSetIdealNodeProcessByGroup(x,x,x)
		movzx	eax, word ptr [esi+4]
		mov	ax, [edi+eax*2+70h]
		mov	[edi+72h], ax
		mov	eax, [ebp+arg_8]
		mov	[edi+78h], eax
		mov	eax, 20ACh
		mov	[edi+76h], ax
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_760D2B:				; CODE XREF: KeInitializeProcess(x,x,x,x,x,x)+2Dj
		or	[edi+64h], eax
		jmp	short loc_760CC3
_KeInitializeProcess@24	endp


;  S U B	R O U T	I N E 


; __stdcall MmGetSessionSchedulingGroupByProcess(x)
_MmGetSessionSchedulingGroupByProcess@4	proc near
					; CODE XREF: PsQueryCpuQuotaInformation+7DEF1p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1090p ...
		mov	eax, [ecx+180h]
		test	eax, eax
		jz	short loc_760D4D
		test	dword ptr [ecx+3A8h], 1000h
		jnz	short loc_760D4D
		mov	eax, [eax+2Ch]
		mov	eax, [eax+14h]
		retn
; 

loc_760D4D:				; CODE XREF: MmGetSessionSchedulingGroupByProcess(x)+8j
					; MmGetSessionSchedulingGroupByProcess(x)+14j
		xor	eax, eax
		retn
_MmGetSessionSchedulingGroupByProcess@4	endp


;  S U B	R O U T	I N E 


; __stdcall PoEnergyContextInitialize(x)
_PoEnergyContextInitialize@4 proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4A6p
					; PopEtInit+90p
		and	dword ptr [ecx+1B0h], 0
		and	dword ptr [ecx+1B4h], 0
		mov	eax, _PopEtGlobals
		test	eax, eax
		jz	short locret_760D72
		add	eax, 278h
		mov	[ecx+1B8h], eax

locret_760D72:				; CODE XREF: PoEnergyContextInitialize(x)+15j
		retn
_PoEnergyContextInitialize@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall LpcInitializeProcess(x)
_LpcInitializeProcess@4	proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+35Fp
		xor	eax, eax
		mov	[ecx+36Ch], eax
		mov	[ecx+370h], eax
		mov	[ecx+364h], eax
		lea	eax, [ecx+368h]
		mov	[eax+4], eax
		mov	[eax], eax
		retn
_LpcInitializeProcess@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmInitializeProcessAddressSpace	proc near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1619p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1730p ...

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_68		= dword	ptr -68h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D4D04 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0A4h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	6
		mov	[esp+0B4h+var_88], eax
		lea	edi, [esp+0B4h+var_1C]
		mov	eax, [ebp+arg_4]
		mov	ebx, ecx
		pop	ecx
		mov	[esp+0B0h+var_9C], eax
		mov	esi, edx
		xor	eax, eax
		mov	[esp+0B0h+var_94], esi
		push	48h		; size_t
		push	eax		; int
		rep stosd
		lea	eax, [esp+0B8h+var_68]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, 3250694Dh
		mov	ecx, 0F98h
		push	0
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[esp+0B0h+var_A0], eax
		test	eax, eax
		jz	loc_8D4D04
		push	1
		add	eax, 0A4h
		push	eax
		call	_ExInitializeAutoExpandPushLock@8 ; ExInitializeAutoExpandPushLock(x,x)
		test	esi, esi
		jnz	loc_76109B
		xor	eax, eax
		mov	[esp+0B0h+var_84], esi
		lea	edi, [esp+0B0h+var_78]
		mov	[esp+0B0h+var_80], esi
		stosd
		mov	[esp+0B0h+var_7C], esi
		stosd
		stosd
		stosd

loc_760E31:				; CODE XREF: MmInitializeProcessAddressSpace+348j
		lea	eax, [esp+0B0h+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	KiStackAttachProcess
		mov	[ebx+134h], esi
		mov	[ebx+138h], esi
		mov	[ebx+350h], esi
		mov	eax, ds:_MmTrackLockedPages
		test	al, 1
		jnz	loc_8D4D0E

loc_760E61:				; CODE XREF: MmInitializeProcessAddressSpace+173F7Fj
					; MmInitializeProcessAddressSpace+173F8Cj
		mov	edx, [esp+0B0h+var_A0]
		lea	eax, [ebx+240h]
		push	esi
		push	esi
		mov	ecx, eax
		mov	[esp+0B8h+var_90], esi
		mov	[esp+0B8h+var_8C], eax
		call	_MiInitializeWorkingSetList@16 ; MiInitializeWorkingSetList(x,x,x,x)
		mov	eax, [ebx+24Ch]
		mov	ecx, ebx
		add	eax, 18h
		mov	[esp+0B0h+var_98], eax
		mov	dword ptr [eax+50h], 1
		call	_MiInitializeProcessPageTableCommitmentBitMaps@4 ; MiInitializeProcessPageTableCommitmentBitMaps(x)
		mov	ecx, 400h
		lea	eax, [ebx+0FCh]
		lock or	[eax], ecx
		mov	edi, [esp+0B0h+var_94]
		lea	eax, [esp+0B0h+var_A0]
		push	eax
		push	[esp+0B4h+var_88]
		mov	edx, edi
		mov	[esp+0B8h+var_A0], esi
		mov	ecx, ebx
		call	MiComputeProcessUserVa
		mov	esi, eax
		test	esi, esi
		js	loc_8D4D2A
		test	edi, edi
		jnz	short loc_760EEF
		test	byte ptr [ebx+3A8h], 1
		jnz	short loc_760EEF
		mov	edx, [esp+0B0h+var_A0]
		mov	ecx, ebx
		call	MiAllocateProcessVads
		mov	esi, eax
		mov	[esp+0B0h+var_90], esi
		test	esi, esi
		jz	loc_8D4D25

loc_760EEF:				; CODE XREF: MmInitializeProcessAddressSpace+137j
					; MmInitializeProcessAddressSpace+140j
		mov	eax, [esp+0B0h+var_98]
		and	dword ptr [eax+78h], 0
		and	dword ptr [eax+7Ch], 0
		test	edi, edi
		jnz	short loc_760F1E
		mov	ecx, ebx
		call	_MiInitializeProcessBottomUpEntropy@4 ;	MiInitializeProcessBottomUpEntropy(x)
		mov	ecx, ebx
		call	_MiInitializeProcessTopDownEntropy@8 ; MiInitializeProcessTopDownEntropy(x,x)
		xor	ecx, ecx
		call	_MiInitializeVadBitMap@4 ; MiInitializeVadBitMap(x)
		mov	esi, eax
		test	esi, esi
		js	loc_8D4D2A

loc_760F1E:				; CODE XREF: MmInitializeProcessAddressSpace+169j
		lea	edx, [esp+0B0h+var_90]
		mov	ecx, ebx
		call	_MiInsertProcessVads@8 ; MiInsertProcessVads(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8D4D2A
		mov	ecx, [esp+0B0h+var_88]
		test	ecx, ecx
		jz	short loc_760F7B
		mov	eax, [esp+0B0h+var_9C]
		mov	edx, ecx
		push	eax
		mov	ecx, ebx
		call	MiMapProcessExecutable
		mov	esi, eax

loc_760F4B:				; CODE XREF: MmInitializeProcessAddressSpace+34Fj
		mov	ecx, [esp+0B0h+var_8C]
		call	MiAllowWorkingSetExpansion

loc_760F54:				; CODE XREF: MmInitializeProcessAddressSpace+173F9Fj
		xor	edx, edx
		lea	ecx, [esp+0B0h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_760F62:				; CODE XREF: MmInitializeProcessAddressSpace+302j
					; MmInitializeProcessAddressSpace+36Aj
		mov	eax, esi

loc_760F64:				; CODE XREF: MmInitializeProcessAddressSpace+173F75j
		mov	ecx, [esp+0B0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_760F7B:				; CODE XREF: MmInitializeProcessAddressSpace+1A5j
		test	byte ptr [ebx+3A8h], 1
		jnz	loc_7610E1

loc_760F88:				; CODE XREF: MmInitializeProcessAddressSpace+355j
		mov	eax, [esp+0B0h+var_9C]
		and	dword ptr [eax], 0FFFFFFEFh
		test	edi, edi
		jz	loc_7610EE
		mov	eax, [esp+0B0h+var_94]
		lea	esi, [edi+1ACh]
		lea	edi, [ebx+1ACh]
		movsd
		push	12h
		pop	ecx
		movsd
		movsd
		movsw
		movsb
		mov	eax, [eax+1CCh]
		lea	esi, [esp+0B0h+var_68]
		mov	[ebx+1CCh], eax
		mov	eax, [esp+0B0h+var_98]
		mov	edi, eax
		rep movsd
		mov	ecx, [esp+0B0h+var_84]
		lea	esi, [esp+0B0h+var_78]
		lea	edi, [eax+0A0h]
		mov	[eax+48h], ecx
		movsd
		xor	ecx, ecx
		inc	ecx
		movsd
		movsd
		movsd
		call	_MiInitializeVadBitMap@4 ; MiInitializeVadBitMap(x)
		mov	esi, eax
		test	esi, esi
		js	loc_8D4D2A
		mov	eax, [esp+0B0h+var_9C]
		test	byte ptr [eax],	80h
		jnz	loc_8D4D38
		xor	esi, esi

loc_760FFE:				; CODE XREF: MmInitializeProcessAddressSpace+173FABj
		mov	eax, [ebp+arg_8]
		mov	[esp+0B0h+var_8C], eax
		test	al, 1
		jz	loc_8D4D44
		mov	ecx, [esp+0B0h+var_80]
		mov	edx, [esp+0B0h+var_7C]
		add	ecx, 1
		adc	edx, 0

loc_76101B:				; CODE XREF: MmInitializeProcessAddressSpace+173FB4j
		mov	eax, [esp+0B0h+var_98]
		mov	[eax+70h], ecx
		lea	ecx, [esp+0B0h+var_1C]
		mov	[eax+74h], edx
		add	eax, 64h
		xor	edx, edx
		mov	[eax+4], eax
		mov	[eax], eax
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		test	esi, esi
		js	short loc_76108B
		push	[esp+0B0h+var_8C]
		mov	ecx, [esp+0B4h+var_94]
		mov	edx, ebx
		call	MiCloneProcessAddressSpace
		mov	esi, eax
		test	esi, esi
		js	short loc_76108B
		lea	eax, [esp+0B0h+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	KiStackAttachProcess
		cmp	[esp+0B0h+var_74], 0
		jz	short loc_76107D
		push	ecx
		mov	ecx, large fs:124h
		mov	edx, [esp+0B4h+var_78]
		call	_MiReferenceCfgVad@12 ;	MiReferenceCfgVad(x,x,x)

loc_76107D:				; CODE XREF: MmInitializeProcessAddressSpace+2D6j
		xor	edx, edx
		lea	ecx, [esp+0B0h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_76108B:				; CODE XREF: MmInitializeProcessAddressSpace+2A9j
					; MmInitializeProcessAddressSpace+2BEj
		lea	ecx, [ebx+240h]
		call	MiAllowWorkingSetExpansion
		jmp	loc_760F62
; 

loc_76109B:				; CODE XREF: MmInitializeProcessAddressSpace+81j
		mov	eax, [esi+24Ch]
		lea	edi, [esp+0B0h+var_68]
		push	12h
		pop	ecx
		lea	esi, [eax+18h]
		rep movsd
		mov	ecx, [eax+60h]
		lea	esi, [eax+0B8h]
		lea	edi, [esp+0B0h+var_78]
		mov	[esp+0B0h+var_84], ecx
		mov	ecx, [eax+88h]
		movsd
		mov	[esp+0B0h+var_80], ecx
		mov	ecx, [eax+8Ch]
		mov	[esp+0B0h+var_7C], ecx
		movsd
		movsd
		movsd
		xor	esi, esi
		mov	[esp+0B0h+var_70], esi
		jmp	loc_760E31
; 

loc_7610E1:				; CODE XREF: MmInitializeProcessAddressSpace+1EEj
		test	edi, edi
		jz	loc_760F4B
		jmp	loc_760F88
; 

loc_7610EE:				; CODE XREF: MmInitializeProcessAddressSpace+1FDj
		xor	edx, edx
		lea	ecx, [esp+0B0h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		xor	esi, esi
		jmp	loc_760F62
MmInitializeProcessAddressSpace	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInsertProcessVads(x, x)
_MiInsertProcessVads@8 proc near	; CODE XREF: MmInitializeProcessAddressSpace+190p
					; MmInitializeHandBuiltProcess2+68p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, [ebx]
		test	esi, esi
		jz	short loc_761144

loc_76111C:				; CODE XREF: MiInsertProcessVads(x,x)+3Ej
		mov	eax, [esi]
		mov	edx, ecx
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_4], eax
		call	MiInsertVadCharges
		mov	edi, eax
		test	edi, edi
		js	short loc_76114E
		mov	ecx, esi
		call	MiGetWsAndInsertVad
		mov	eax, [ebp+var_4]
		mov	esi, eax
		mov	ecx, [ebp+var_8]
		test	eax, eax
		jnz	short loc_76111C

loc_761144:				; CODE XREF: MiInsertProcessVads(x,x)+16j
		and	dword ptr [ebx], 0

loc_761147:				; CODE XREF: MiInsertProcessVads(x,x)+4Cj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76114E:				; CODE XREF: MiInsertProcessVads(x,x)+2Bj
		mov	[ebx], esi
		jmp	short loc_761147
_MiInsertProcessVads@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeVadBitMap(x)
_MiInitializeVadBitMap@4 proc near	; CODE XREF: MmInitializeProcessAddressSpace+17Bp
					; MmInitializeProcessAddressSpace+24Cp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		mov	[ebp+var_4], eax
		push	esi
		mov	edx, [eax+80h]
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		mov	eax, [edx+24Ch]
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], edi
		cmp	[eax+60h], edi
		jbe	short loc_7611EC
		lea	ebx, [eax+20h]

loc_761188:				; CODE XREF: MiInitializeVadBitMap(x)+98j
		mov	ecx, [ebx+18h]
		mov	eax, ecx
		and	eax, 7FFFh
		shr	ecx, 0Fh
		mov	[ebx], eax
		mov	eax, dword_6D2E88
		shl	ecx, 0Ch
		shr	ecx, 2
		cmp	[ebp+var_10], 1
		lea	eax, [eax+ecx*4]
		mov	[ebx-4], eax
		jz	short loc_7611F3

loc_7611AE:				; CODE XREF: MiInitializeVadBitMap(x)+A4j
		mov	ecx, [ebp+var_4]
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		xor	edx, edx
		lea	ecx, [ebx-8]
		inc	edx
		call	_MiExpandVadBitMap@8 ; MiExpandVadBitMap(x,x)
		mov	edx, [ebp+var_C]
		mov	esi, eax
		mov	eax, [ebx]
		mov	ecx, [ebp+var_4]
		mov	[ebx+8], eax
		call	UNLOCK_ADDRESS_SPACE
		test	esi, esi
		jz	short loc_7611F8
		mov	edx, [ebp+var_8]
		add	ebx, 24h
		mov	eax, [ebp+var_14]
		inc	edx
		mov	[ebp+var_8], edx
		cmp	edx, [eax+60h]
		mov	edx, [ebp+var_C]
		jb	short loc_761188

loc_7611EC:				; CODE XREF: MiInitializeVadBitMap(x)+31j
					; MiInitializeVadBitMap(x)+ABj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7611F3:				; CODE XREF: MiInitializeVadBitMap(x)+5Aj
		mov	[ebx-8], edi
		jmp	short loc_7611AE
; 

loc_7611F8:				; CODE XREF: MiInitializeVadBitMap(x)+83j
		mov	edi, 0C0000017h
		jmp	short loc_7611EC
_MiInitializeVadBitMap@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiExpandVadBitMap(x, x)
_MiExpandVadBitMap@8 proc near		; CODE XREF: MiInitializeVadBitMap(x)+6Ap
					; MiFindEmptyAddressRange+128p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	eax, [eax+80h]
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	eax, [eax+24Ch]
		mov	ecx, [esi]
		mov	[ebp+var_C], eax
		mov	eax, [esi+4]
		mov	edx, eax
		sub	edx, dword_6D2E88
		mov	[ebp+var_8], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_14], ecx
		lea	edi, [ecx+edx*8]
		sub	eax, edi
		mov	[ebp+var_10], edi
		inc	eax
		cmp	ebx, eax
		ja	loc_761306
		lea	eax, [ecx+edx*8]
		mov	edi, ecx
		lea	edx, [ebp+var_4]
		shr	edi, 3
		add	edi, [ebp+var_8]
		push	edx
		lea	edx, [ebx-1]
		shl	eax, 10h
		add	edx, ecx
		mov	[ebp+var_18], eax
		shr	edx, 3
		mov	ecx, edi
		add	edx, [ebp+var_8]
		call	MiMakeHyperRangeAccessible
		test	eax, eax
		js	loc_761311
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_4]
		push	0
		add	[ecx+64h], eax
		test	bl, 1Fh
		pop	eax
		setnz	al
		shr	ebx, 5
		add	eax, ebx
		mov	ebx, [ebp+var_10]
		shl	eax, 2
		mov	edx, eax
		and	edx, 0FFFh
		neg	edx
		sbb	edx, edx
		shr	eax, 0Ch
		neg	edx
		add	edx, eax
		mov	eax, [esi]
		mov	ecx, edx
		shl	ecx, 0Fh
		add	eax, ecx
		add	ebx, ecx
		mov	[esi], eax
		mov	ecx, [esi+14h]
		mov	[ebp+var_C], eax
		lea	eax, [ecx+1]
		cmp	ebx, eax
		jbe	short loc_7612D2
		mov	eax, [ebp+var_C]
		sub	ecx, ebx
		inc	eax
		add	eax, ecx
		mov	[esi], eax

loc_7612D2:				; CODE XREF: MiExpandVadBitMap(x,x)+C6j
		xor	ebx, ebx
		inc	ebx
		cmp	edi, dword_6D2E88
		jnz	short loc_7612EF
		mov	ecx, [esi+4]
		movsx	eax, byte ptr [ecx]
		bts	eax, 0
		cmp	[ebp+var_14], 0
		mov	[ecx], al
		jnz	short loc_761315

loc_7612EF:				; CODE XREF: MiExpandVadBitMap(x,x)+DBj
					; MiExpandVadBitMap(x,x)+118j
		mov	ecx, [ebp+var_18]
		imul	edx, 80000000h
		add	edx, ecx
		call	MiUpdateVadBits
		mov	eax, ebx

loc_761301:				; CODE XREF: MiExpandVadBitMap(x,x)+10Fj
					; MiExpandVadBitMap(x,x)+113j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_761306:				; CODE XREF: MiExpandVadBitMap(x,x)+49j
		mov	edx, ebx
		mov	ecx, esi
		call	MiExpandVadBitMapDown
		jmp	short loc_761301
; 

loc_761311:				; CODE XREF: MiExpandVadBitMap(x,x)+78j
		xor	eax, eax
		jmp	short loc_761301
; 

loc_761315:				; CODE XREF: MiExpandVadBitMap(x,x)+EDj
		mov	[esi+8], ebx
		jmp	short loc_7612EF
_MiExpandVadBitMap@8 endp


;  S U B	R O U T	I N E 


MiUpdateVadBits	proc near		; CODE XREF: MiExpandVadBitMap(x,x)+FAp
					; MiExpandVadBitMapDown+B391Cp

; FUNCTION CHUNK AT 008D4D4D SIZE 00000049 BYTES

		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, [eax+80h]
		cmp	edi, ecx
		jb	short loc_761348

loc_76132E:				; CODE XREF: MiUpdateVadBits+34j
		lea	eax, [edi-1]
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	MiLocateLowestConflictingVad
		mov	esi, eax
		test	esi, esi
		jnz	loc_8D4D4D

loc_761345:				; CODE XREF: MiUpdateVadBits+173A67j
					; MiUpdateVadBits+173A77j
		pop	edi
		pop	esi
		retn
; 

loc_761348:				; CODE XREF: MiUpdateVadBits+12j
		mov	edi, ds:_MmHighestUserAddress
		jmp	short loc_76132E
MiUpdateVadBits	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputeProcessUserVa proc near	; CODE XREF: MmInitializeProcessAddressSpace+126p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D4D96 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ds:_MmHighestUserAddress
		mov	ebx, edx
		mov	edx, [ebp+arg_4]
		inc	esi
		push	edi		; struct _exception *
		mov	edi, ecx
		and	dword ptr [edx], 0
		mov	eax, [edi+24Ch]
		add	eax, 7Ch
		mov	[eax+4], eax
		mov	[eax], eax
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		test	eax, eax
		jnz	short loc_7613A7
		test	byte ptr [edi+3A8h], 1
		jnz	short loc_7613A7
		push	2
		pop	edx
		call	MiChargeFullProcessCommitment
		test	eax, eax
		js	short loc_7613DA
		push	2
		lea	ecx, [edi+240h]
		pop	edx
		call	_MiUpdateChargedWsles@8	; MiUpdateChargedWsles(x,x)
		mov	edx, [ebp+arg_4]

loc_7613A7:				; CODE XREF: MiComputeProcessUserVa+2Fj
					; MiComputeProcessUserVa+38j
		test	ebx, ebx
		jnz	short loc_7613C5
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_7613C5
		test	byte ptr [ecx+20h], 20h
		jz	short loc_7613C5
		mov	ebx, 7FFF0000h
		cmp	esi, ebx
		ja	loc_8D4D96

loc_7613C5:				; CODE XREF: MiComputeProcessUserVa+59j
					; MiComputeProcessUserVa+60j ...
		cmp	ds:dword_7051C8, 0
		jnz	loc_8D4DB3

loc_7613D2:				; CODE XREF: MiComputeProcessUserVa+173A69j
					; MiComputeProcessUserVa+173A7Dj
		mov	[edi+1CCh], esi
		xor	eax, eax

loc_7613DA:				; CODE XREF: MiComputeProcessUserVa+44j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
MiComputeProcessUserVa endp


;  S U B	R O U T	I N E 


; __stdcall MiInitializeProcessTopDownEntropy(x, x)
_MiInitializeProcessTopDownEntropy@8 proc near
					; CODE XREF: MmInitializeProcessAddressSpace+174p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		test	byte ptr [edi+490h], 40h
		mov	esi, [edi+1CCh]
		jnz	short loc_76140E
		test	esi, esi
		jz	short loc_76140E
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		movzx	eax, al
		imul	eax, 0FFFF0000h
		add	esi, eax

loc_76140E:				; CODE XREF: MiInitializeProcessTopDownEntropy(x,x)+13j
					; MiInitializeProcessTopDownEntropy(x,x)+17j
		mov	eax, [edi+24Ch]
		pop	edi
		mov	[eax+30h], esi
		mov	[eax+54h], esi
		pop	esi
		retn
_MiInitializeProcessTopDownEntropy@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeProcessBottomUpEntropy(x)
_MiInitializeProcessBottomUpEntropy@4 proc near
					; CODE XREF: MmInitializeProcessAddressSpace+16Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	[ebp+var_C], esi
		mov	eax, [edi+24Ch]
		lea	ebx, [edi+490h]
		mov	[ebp+var_4], eax
		xor	eax, eax
		inc	eax
		test	byte ptr [ebx],	40h
		mov	[ebp+var_8], eax
		jnz	short loc_76145C
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		movzx	eax, al
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_761497

loc_76145C:				; CODE XREF: MiInitializeProcessBottomUpEntropy(x)+2Aj
					; MiInitializeProcessBottomUpEntropy(x)+7Fj
		push	0FFFFFFDFh
		pop	ecx
		lock and [ebx],	ecx
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_4]
		push	2
		pop	edx
		mov	[eax+60h], edx
		lea	ecx, [eax+38h]

loc_761471:				; CODE XREF: MiInitializeProcessBottomUpEntropy(x)+72j
		mov	eax, [edi+1CCh]
		dec	eax
		shr	eax, 10h
		mov	[ecx-0Ch], eax
		mov	eax, [ebp+esi*4+var_C]
		mov	[ecx], eax
		lea	ecx, [ecx+24h]
		shl	eax, 10h
		inc	esi
		mov	[ecx-28h], eax
		cmp	esi, edx
		jb	short loc_761471
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_761497:				; CODE XREF: MiInitializeProcessBottomUpEntropy(x)+3Cj
		xor	eax, eax
		inc	eax
		mov	[ebp+var_8], eax
		jmp	short loc_76145C
_MiInitializeProcessBottomUpEntropy@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateProcessVads proc near		; CODE XREF: MmInitializeProcessAddressSpace+148p
					; MmInitializeHandBuiltProcess2+55p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D4DD2 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		push	1
		mov	edx, 7FFE0FFFh
		mov	ecx, 7FFE0000h
		call	MiAllocateVad
		mov	esi, eax
		test	esi, esi
		jz	short loc_761510
		mov	ecx, dword_6D0618
		test	ecx, ecx
		jz	short loc_7614F6
		push	1
		lea	edx, [ecx+0FFFh]
		call	MiAllocateVad
		test	eax, eax
		jz	short loc_761509
		mov	[eax], esi
		mov	esi, eax

loc_7614F6:				; CODE XREF: MiAllocateProcessVads+3Fj
		test	edi, edi
		jnz	loc_8D4DD2

loc_7614FE:				; CODE XREF: MiAllocateProcessVads+173951j
		mov	eax, esi

loc_761500:				; CODE XREF: MiAllocateProcessVads+72j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_761509:				; CODE XREF: MiAllocateProcessVads+50j
					; MiAllocateProcessVads+173947j
		mov	ecx, esi
		call	_MiReturnProcessVads@4 ; MiReturnProcessVads(x)

loc_761510:				; CODE XREF: MiAllocateProcessVads+35j
		xor	eax, eax
		jmp	short loc_761500
MiAllocateProcessVads endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateVad	proc near		; CODE XREF: MiFreeVadRange+10AFC5p
					; MiAllocateProcessVads+2Cp ...

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008D4DF6 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	0
		push	40h
		push	28h
		mov	edi, edx
		mov	ebx, ecx
		mov	edx, 53646156h
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8D4DFE
		mov	ecx, [esi+1Ch]
		mov	eax, ebx
		and	dword ptr [esi+18h], 0
		and	ecx, 0FFFFF0FFh
		mov	edx, edi
		shr	eax, 0Ch
		shr	edx, 0Ch
		or	ecx, 80h
		test	[ebp+arg_0], 1
		mov	dword ptr [esi+8], 0FFFFFFFEh
		mov	[esi+0Ch], eax
		mov	[esi+10h], edx
		jz	loc_8D4E05
		sub	edx, eax
		inc	edx
		or	dword ptr [esi+20h], 80000000h

loc_76157D:				; CODE XREF: MiAllocateVad+173908j
					; MiAllocateVad+173912j
		mov	eax, [esi+20h]
		or	ecx, 100000h
		xor	eax, edx
		mov	[esi+1Ch], ecx
		and	eax, 7FFFFFFFh
		xor	[esi+20h], eax
		test	[ebp+arg_0], 2
		jnz	short loc_7615B2
		push	0
		push	80000001h
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	MiAddSecureEntry
		test	eax, eax
		jz	loc_8D4DF6

loc_7615B2:				; CODE XREF: MiAllocateVad+83j
		mov	eax, esi

loc_7615B4:				; CODE XREF: MiAllocateVad+1738ECj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
MiAllocateVad	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapProcessExecutable proc near	; CODE XREF: MmInitializeProcessAddressSpace+1B0p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D4E2B SIZE 00000080 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, edx
		mov	[ebp+var_4], ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], eax
		push	edi
		test	byte ptr [eax+20h], 20h
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		jz	loc_8D4E2B
		mov	edi, [ebx+8]
		test	byte ptr [edi],	80h
		jnz	loc_761695

loc_761600:				; CODE XREF: MiMapProcessExecutable+DEj
		push	ecx
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_30]
		mov	ecx, [ebp+var_10]
		push	esi
		push	esi
		push	1
		push	eax
		mov	eax, [edi]
		and	eax, 10h
		mov	[ebp+var_C], esi
		push	4
		shl	eax, 19h
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], esi
		push	eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20], esi
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_1C], esi
		push	eax
		mov	[ebp+var_30], 5
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], 20h
		mov	[ebp+var_24], esi
		call	_MmMapViewOfSectionEx@48 ; MmMapViewOfSectionEx(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		mov	edi, eax
		mov	eax, [ebp+var_4]
		mov	[eax+160h], ecx
		test	edi, edi
		js	short loc_761688
		mov	eax, [ebx+8]
		test	byte ptr [eax],	10h
		jnz	loc_8D4E35

loc_761669:				; CODE XREF: MiMapProcessExecutable+1738D8j
					; MiMapProcessExecutable+1738E8j
		mov	edx, esi
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	PsMapSystemDlls
		test	eax, eax
		js	short loc_7616A4

loc_761679:				; CODE XREF: MiMapProcessExecutable+E8j
		test	edi, edi
		js	short loc_761688
		mov	ecx, esi
		call	_MiCfgInitializeProcess@4 ; MiCfgInitializeProcess(x)
		test	eax, eax
		js	short loc_7616A8

loc_761688:				; CODE XREF: MiMapProcessExecutable+9Dj
					; MiMapProcessExecutable+BDj ...
		mov	eax, edi

loc_76168A:				; CODE XREF: MiMapProcessExecutable+E4j
					; MiMapProcessExecutable+173872j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_761695:				; CODE XREF: MiMapProcessExecutable+3Cj
		call	MiSessionCreate
		test	eax, eax
		jns	loc_761600
		jmp	short loc_76168A
; 

loc_7616A4:				; CODE XREF: MiMapProcessExecutable+B9j
		mov	edi, eax
		jmp	short loc_761679
; 

loc_7616A8:				; CODE XREF: MiMapProcessExecutable+C8j
		mov	edi, eax
		jmp	short loc_761688
MiMapProcessExecutable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCfgInitializeProcess(x)
_MiCfgInitializeProcess@4 proc near	; CODE XREF: MiMapProcessExecutable+C1p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		test	byte ptr [edi+490h], 1
		jz	loc_7617BA
		mov	eax, [edi+1CCh]
		xor	esi, esi
		mov	edx, dword_6CF4F8
		shr	eax, 4
		add	eax, eax
		mov	[ebp+var_10], esi
		shr	eax, 3
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], esi
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_4], esi
		push	eax
		call	_MiMapCfgBitMapSection@20 ; MiMapCfgBitMapSection(x,x,x,x,x)
		test	eax, eax
		js	loc_7617B5
		mov	ebx, large fs:124h
		mov	edx, [ebp+var_4]
		push	ecx
		mov	ecx, ebx
		call	_MiReferenceCfgVad@12 ;	MiReferenceCfgVad(x,x,x)
		mov	edx, edi
		mov	[ebp+var_4], esi
		mov	ecx, ebx
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	eax, [edi+350h]
		jmp	short loc_76172B
; 

loc_761727:				; CODE XREF: MiCfgInitializeProcess(x)+81j
		mov	esi, eax
		mov	eax, [eax]

loc_76172B:				; CODE XREF: MiCfgInitializeProcess(x)+79j
		test	eax, eax
		jnz	short loc_761727
		jmp	short loc_761743
; 

loc_761731:				; CODE XREF: MiCfgInitializeProcess(x)+ABj
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_761743

loc_761739:				; CODE XREF: MiCfgInitializeProcess(x)+95j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_761739

loc_761743:				; CODE XREF: MiCfgInitializeProcess(x)+83j
					; MiCfgInitializeProcess(x)+8Bj ...
		test	esi, esi
		jz	short loc_7617A9
		mov	eax, [esi+1Ch]
		and	al, 70h
		cmp	al, 20h
		jz	short loc_761769

loc_761750:				; CODE XREF: MiCfgInitializeProcess(x)+FBj
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jnz	short loc_761731

loc_761759:				; CODE XREF: MiCfgInitializeProcess(x)+BBj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	short loc_761743
		cmp	[esi], ecx
		jz	short loc_761743
		mov	ecx, esi
		jmp	short loc_761759
; 

loc_761769:				; CODE XREF: MiCfgInitializeProcess(x)+A2j
		mov	ecx, esi
		call	_MiReferenceVad@4 ; MiReferenceVad(x)
		mov	edx, edi
		mov	ecx, ebx
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	edx, esi
		mov	ecx, ebx
		call	_MiLockVad@8	; MiLockVad(x,x)
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	MiCommitVadCfgBits
		mov	ecx, esi
		mov	[ebp+var_4], eax
		call	MiUnlockAndDereferenceVad
		mov	eax, [ebp+var_4]
		test	eax, eax
		js	short loc_7617B5
		mov	edx, edi
		mov	ecx, ebx
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)
		jmp	short loc_761750
; 

loc_7617A9:				; CODE XREF: MiCfgInitializeProcess(x)+99j
		mov	edx, edi
		mov	ecx, ebx
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	eax, [ebp+var_4]

loc_7617B5:				; CODE XREF: MiCfgInitializeProcess(x)+4Fj
					; MiCfgInitializeProcess(x)+F0j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7617BA:				; CODE XREF: MiCfgInitializeProcess(x)+14j
		xor	eax, eax
		jmp	short loc_7617B5
_MiCfgInitializeProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsMapSystemDlls	proc near		; CODE XREF: MiMapProcessExecutable+B2p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D4EAB SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_28], edx
		push	6
		xor	eax, eax
		mov	[ebp+var_24], esi
		pop	ecx
		lea	edi, [ebp+var_1C]
		rep stosd
		mov	eax, large fs:124h
		xor	ecx, ecx
		mov	ebx, ecx
		cmp	esi, [eax+80h]
		jnz	loc_8D4EAB
		mov	[ebp+var_20], ecx

loc_7617FE:				; CODE XREF: PsMapSystemDlls+173702j
		mov	edi, [ebp+var_24]
		mov	esi, ecx

loc_761803:				; CODE XREF: PsMapSystemDlls+54j
		mov	edx, ds:_PspSystemDlls[esi*4]
		test	edx, edx
		jnz	short loc_76182F

loc_76180E:				; CODE XREF: PsMapSystemDlls+88j
					; PsMapSystemDlls+8Ej
		inc	esi
		cmp	esi, 6
		jl	short loc_761803

loc_761814:				; CODE XREF: PsMapSystemDlls+84j
		cmp	[ebp+var_20], 0
		jnz	loc_8D4EC5

loc_76181E:				; CODE XREF: PsMapSystemDlls+173711j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_76182F:				; CODE XREF: PsMapSystemDlls+4Ej
		test	esi, esi
		jg	short loc_761848

loc_761833:				; CODE XREF: PsMapSystemDlls+90j
		push	ecx
		push	[ebp+var_28]
		mov	ecx, edi
		call	PspMapSystemDll
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_761814
		xor	ecx, ecx
		jmp	short loc_76180E
; 

loc_761848:				; CODE XREF: PsMapSystemDlls+73j
		cmp	[edx+0Ah], cx
		jz	short loc_76180E
		jmp	short loc_761833
PsMapSystemDlls	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateNewSubAllocatedRegion	proc near ; CODE XREF: MiAllocateFromSubAllocatedRegion+181p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D4ED4 SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+80h]
		xor	edi, edi
		mov	[esp+40h+var_30], eax
		mov	[esp+40h+var_1C], ecx
		mov	[esp+40h+var_28], edi
		mov	eax, [ebx+24Ch]
		mov	[esp+40h+var_18], ebx
		mov	[esp+40h+var_4], eax
		cmp	edx, 10h
		ja	loc_8D4F46
		push	edi
		push	40h
		push	28h
		mov	edx, 53646156h
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8D4F46
		mov	ecx, [esi+1Ch]
		xor	edx, edx
		and	ecx, 0FFFFF27Fh
		mov	dword ptr [esi+8], 0FFFFFFFEh
		or	ecx, 100200h
		mov	[esi+18h], edi
		mov	[esi+1Ch], ecx
		mov	ecx, ebx
		call	MiGetUserReservationHighestAddress
		mov	ecx, 200000h
		mov	[esp+40h+var_10], eax
		mov	[esp+40h+var_14], edi
		mov	ebx, 200h
		mov	[esp+40h+var_20], edi
		mov	[esp+40h+var_2C], ecx

loc_7618E8:				; CODE XREF: MiAllocateNewSubAllocatedRegion+173686j
		lea	eax, [esp+40h+var_28]
		mov	[esp+40h+var_24], edi
		push	eax
		lea	eax, [esp+44h+var_24]
		mov	edx, ebx
		push	eax
		mov	eax, [esi+1Ch]
		push	80000000h
		shr	eax, 7
		and	eax, 1Fh
		shl	edx, 0Ch
		push	eax
		push	ecx
		push	ecx
		push	edx
		push	[esp+5Ch+var_10]
		mov	[esp+60h+var_C], edx
		xor	ecx, ecx
		xor	edx, edx
		call	_MiSelectUserAddress@40	; MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8D4EDB

loc_761928:				; CODE XREF: MiAllocateNewSubAllocatedRegion+1736A7j
		mov	[esp+40h+var_2C], ebx
		cmp	ebx, 10h
		mov	ebx, [esp+40h+var_18]
		jb	loc_761A56
		mov	edx, [esp+40h+var_C]
		mov	ecx, ebx
		mov	eax, [esp+40h+var_28]
		dec	edx
		add	edx, [esp+40h+var_28]
		shr	eax, 0Ch
		mov	[esp+40h+var_8], eax
		mov	[esi+0Ch], eax
		mov	eax, edx
		push	40h
		push	[esp+44h+var_2C]
		shr	eax, 0Ch
		mov	[esp+48h+var_C], edx
		mov	edx, esi
		mov	[esp+48h+var_10], eax
		mov	[esi+10h], eax
		call	MiCreateVadEventBitmap
		mov	edi, eax
		test	edi, edi
		js	loc_8D4F23
		push	40h
		pop	edx
		mov	ecx, esi
		call	_MiLocateVadEvent@8 ; MiLocateVadEvent(x,x)
		xor	ecx, ecx
		inc	ecx
		lea	edi, [eax+4]
		mov	[esp+40h+var_20], edi
		call	ExGenRandom
		mov	ecx, [esp+40h+var_2C]
		xor	edx, edx
		div	ecx
		mov	eax, [esp+40h+var_1C]
		shl	edx, 2
		and	eax, 3
		xor	edx, eax
		mov	[edi+18h], ecx
		xor	eax, eax
		mov	[edi+1Ch], edx
		mov	edx, [esp+40h+var_28]
		mov	ecx, esi
		push	eax
		push	80000001h
		push	[esp+48h+var_C]
		mov	[edi+10h], esi
		mov	[edi+8], eax
		mov	[edi+0Ch], eax
		mov	[edi+14h], eax
		call	MiAddSecureEntry
		mov	[esp+40h+var_14], eax
		test	eax, eax
		jz	loc_8D4EFC
		push	ecx
		mov	edx, ebx
		mov	ecx, esi
		call	MiInsertVadCharges
		mov	edi, eax
		test	edi, edi
		js	loc_8D4F01
		mov	ecx, [esp+40h+var_30]
		mov	edx, esi
		call	_MiLockVad@8	; MiLockVad(x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	MiInsertPrivateVad
		mov	ecx, [esp+40h+var_30]
		mov	edx, esi
		call	MiUnlockVad
		cmp	[esp+40h+var_24], 0
		jnz	loc_8D4F30

loc_761A19:				; CODE XREF: MiAllocateNewSubAllocatedRegion+1736F1j
		mov	ecx, [esp+40h+var_30]
		mov	edx, ebx
		call	_LOCK_PAGE_TABLE_COMMITMENT@8 ;	LOCK_PAGE_TABLE_COMMITMENT(x,x)
		mov	eax, [esp+40h+var_1C]
		lea	eax, ds:7Ch[eax*8]
		add	eax, [esp+40h+var_4]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_761A67
		mov	ecx, [esp+40h+var_20]
		add	ecx, 8
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[edx+4], ecx
		mov	edx, ebx
		mov	[eax], ecx
		mov	ecx, [esp+40h+var_30]
		call	UNLOCK_PAGE_TABLE_COMMITMENT

loc_761A56:				; CODE XREF: MiAllocateNewSubAllocatedRegion+E3j
		test	edi, edi
		js	loc_8D4F01

loc_761A5E:				; CODE XREF: MiAllocateNewSubAllocatedRegion+1736DBj
		mov	eax, edi

loc_761A60:				; CODE XREF: MiAllocateNewSubAllocatedRegion+1736FBj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_761A67:				; CODE XREF: MiAllocateNewSubAllocatedRegion+1E8j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
MiAllocateNewSubAllocatedRegion	endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmDeleteTeb(x, x)
_MmDeleteTeb@8	proc near		; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+206p
					; PspExitThread+34Ep ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [esp+30h+var_1C]
		push	6
		pop	ecx
		xor	eax, eax
		mov	ebx, edx
		rep stosd
		lea	eax, [esp+30h+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	KiStackAttachProcess
		lea	eax, [esp+30h+var_20]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	MiObtainReferencedVadEx
		test	eax, eax
		jz	short loc_761AC1
		push	1000h
		push	ebx
		mov	ecx, eax
		call	MiFreeToSubAllocatedRegion

loc_761AC1:				; CODE XREF: MmDeleteTeb(x,x)+46j
		xor	edx, edx
		lea	ecx, [esp+30h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_MmDeleteTeb@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFreeToSubAllocatedRegion proc	near	; CODE XREF: MmDeleteTeb(x,x)+50p
					; MiAllocateFromSubAllocatedRegion+167D47p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D4F50 SIZE 00000073 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, large fs:124h
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		push	edi
		push	40h
		mov	[ebp+var_10], eax
		mov	ebx, ecx
		mov	eax, [eax+80h]
		pop	edx
		mov	[ebp+var_8], eax
		call	_MiLocateVadEvent@8 ; MiLocateVadEvent(x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_761BEE
		mov	edi, [ebp+arg_4]
		mov	edx, [ebp+var_8]
		add	edi, 0FFFh
		mov	ecx, [ebp+var_10]
		mov	esi, [ebx+0Ch]
		shr	edi, 0Ch
		call	_LOCK_PAGE_TABLE_COMMITMENT@8 ;	LOCK_PAGE_TABLE_COMMITMENT(x,x)
		mov	eax, [ebp+arg_0]
		shl	esi, 0Ch
		sub	eax, esi
		mov	esi, [ebp+var_C]
		push	edi
		shr	eax, 0Ch
		add	esi, 4
		push	eax
		push	esi
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	eax, [esi+14h]
		mov	ecx, eax
		sub	ecx, edi
		mov	edi, [esi+18h]
		mov	[esi+14h], ecx
		mov	edx, ecx
		cmp	eax, edi
		jnb	loc_8D4F50

loc_761B62:				; CODE XREF: MiFreeToSubAllocatedRegion+173474j
					; MiFreeToSubAllocatedRegion+1734A6j
		mov	eax, [ebp+arg_4]
		test	edx, edx
		mov	edi, [ebp+arg_0]
		mov	edx, [ebx+24h]
		setz	[ebp+var_1]
		mov	ecx, [ebp+var_14]
		dec	eax
		mov	esi, [ebp+var_18]
		add	eax, edi
		mov	[ebp+arg_4], eax

loc_761B7D:				; CODE XREF: MiFreeToSubAllocatedRegion+C9j
		test	edx, edx
		jz	short loc_761BA9
		cmp	dword ptr [edx+24h], 2
		jnz	short loc_761BA5
		cmp	esi, 1
		ja	short loc_761B8D
		inc	esi

loc_761B8D:				; CODE XREF: MiFreeToSubAllocatedRegion+ACj
		cmp	edi, [edx+8]
		ja	short loc_761BA5
		mov	eax, [edx+4]
		and	eax, 0FFFFF000h
		cmp	[ebp+arg_4], eax
		jb	short loc_761BA5
		cmp	ecx, 1
		ja	short loc_761BA5
		inc	ecx

loc_761BA5:				; CODE XREF: MiFreeToSubAllocatedRegion+A7j
					; MiFreeToSubAllocatedRegion+B2j ...
		mov	edx, [edx]
		jmp	short loc_761B7D
; 

loc_761BA9:				; CODE XREF: MiFreeToSubAllocatedRegion+A1j
		cmp	esi, 1
		setnz	al
		dec	al
		and	al, [ebp+var_1]
		dec	ecx
		neg	ecx
		mov	byte ptr [ebp+arg_0+3],	al
		sbb	ecx, ecx
		not	ecx
		and	ecx, 1
		cmp	al, 1
		jz	loc_8D4F89
		test	ecx, ecx
		jz	short loc_761BD9
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, ebx
		call	_MiDecommitRegion@12 ; MiDecommitRegion(x,x,x)

loc_761BD9:				; CODE XREF: MiFreeToSubAllocatedRegion+EDj
					; MiFreeToSubAllocatedRegion+1734CBj
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		call	UNLOCK_PAGE_TABLE_COMMITMENT
		cmp	byte ptr [ebp+arg_0+3],	1
		jz	loc_8D4FB3

loc_761BEE:				; CODE XREF: MiFreeToSubAllocatedRegion+34j
		mov	ecx, ebx
		call	MiUnlockAndDereferenceVad

loc_761BF5:				; CODE XREF: MiFreeToSubAllocatedRegion+1734E0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
MiFreeToSubAllocatedRegion endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateVadEventBitmap proc near	; CODE XREF: MiAllocateNewSubAllocatedRegion+11Ap
					; MiCreateWriteWatchView(x,x,x)+32p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D4FC3 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, [ebp+arg_0]
		test	al, 1Fh
		push	ebx
		push	esi
		push	edi
		push	0
		pop	ebx
		setnz	bl
		mov	[esp+10h+var_4], edx
		add	ebx, 0Ah
		shr	eax, 5
		add	ebx, eax
		mov	edi, ecx
		push	0
		shl	ebx, 2
		mov	edx, 77776D4Dh
		push	40h
		mov	ecx, ebx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_761C75
		push	ebx
		push	edi
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8D4FC3
		mov	eax, [ebp+arg_4]
		mov	edx, esi
		mov	ecx, [esp+10h+var_4]
		mov	[esi+24h], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+4], eax
		lea	eax, [esi+28h]
		push	1
		mov	[esi+8], eax
		call	_MiInsertVadEvent@12 ; MiInsertVadEvent(x,x,x)
		xor	eax, eax

loc_761C6C:				; CODE XREF: MiCreateVadEventBitmap+7Ej
					; MiCreateVadEventBitmap+1733D1j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_761C75:				; CODE XREF: MiCreateVadEventBitmap+3Cj
		mov	eax, 0C000009Ah
		jmp	short loc_761C6C
MiCreateVadEventBitmap endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspMapSystemDll	proc near		; CODE XREF: PsMapSystemDlls+7Bp
					; PspLocateSystemDll+117p

var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_48		= byte ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D4FD2 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 58h
		push	esi
		mov	esi, edx
		mov	[ebp+var_C], ecx
		push	edi
		mov	ecx, esi
		mov	[ebp+var_14], esi
		call	PspReferenceSystemDll
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_761D9C
		xor	eax, eax
		lea	edi, [ebp+var_58]
		push	8
		pop	ecx
		rep stosd
		mov	ecx, [ebx+8]
		lea	eax, [ebp+var_34]
		mov	[ebp+var_50], eax
		lea	edi, [ebp+var_34]
		xor	eax, eax
		mov	byte ptr [ebp+var_58], 1
		xor	edx, edx
		stosd
		neg	ecx
		mov	[ebp+var_4], edx
		mov	[ebp+var_20], edx
		sbb	ecx, ecx
		mov	[ebp+var_1C], edx
		stosd
		and	ecx, 20000000h
		test	byte ptr [esi+8], 8
		mov	[ebp+var_10], edx
		mov	[ebp+var_48], 5
		mov	[ebp+var_40], 20h
		mov	[ebp+var_3C], edx
		stosd
		jnz	short loc_761D05
		mov	eax, ds:_MmHighestUserAddress
		mov	[ebp+var_30], eax

loc_761D05:				; CODE XREF: PspMapSystemDll+7Fj
		push	ecx
		push	edx
		push	edx
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_58]
		push	2
		push	eax
		push	4
		push	ecx
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_MmMapViewOfSectionEx@48 ; MmMapViewOfSectionEx(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		mov	edi, eax
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		cmp	edi, 40000003h
		jz	loc_8D4FD2

loc_761D40:				; CODE XREF: PspMapSystemDll+17336Aj
		test	edi, edi
		js	short loc_761D76

loc_761D44:				; CODE XREF: PspMapSystemDll+17335Fj
		cmp	dword ptr [ebx+0Ch], 0
		jnz	short loc_761D83
		mov	eax, [ebp+var_4]
		cmp	[esi+14h], eax
		jnz	short loc_761D9C
		push	4
		mov	[ebp+var_28], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_18]
		mov	[ebp+var_24], 1000h
		push	eax
		lea	eax, [ebp+var_28]
		inc	ecx
		push	eax
		push	ecx
		push	4
		push	0FFFFFFFFh
		mov	[ebp+var_18], ecx
		call	_ZwSetInformationVirtualMemory@24 ; ZwSetInformationVirtualMemory(x,x,x,x,x,x)

loc_761D76:				; CODE XREF: PspMapSystemDll+C6j
					; PspMapSystemDll+11Ej
		mov	eax, edi

loc_761D78:				; CODE XREF: PspMapSystemDll+125j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_761D83:				; CODE XREF: PspMapSystemDll+CCj
		mov	esi, [ebp+var_4]
		xor	edi, edi
		push	esi
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	ecx, [ebp+var_14]
		mov	eax, [eax+34h]
		mov	[ecx+14h], eax
		mov	[ecx+18h], esi
		jmp	short loc_761D76
; 

loc_761D9C:				; CODE XREF: PspMapSystemDll+30j
					; PspMapSystemDll+D4j
		mov	eax, 0C0000001h
		jmp	short loc_761D78
PspMapSystemDll	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapViewOfSectionExCommon proc	near	; CODE XREF: MmMapViewOfSectionEx(x,x,x,x,x,x,x,x,x,x,x,x)+25p
					; NtMapViewOfSectionEx(x,x,x,x,x,x,x,x,x)+39p

var_D8		= dword	ptr -0D8h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A0		= dword	ptr -0A0h
var_94		= dword	ptr -94h
var_70		= byte ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= byte ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D4FED SIZE 0000004E BYTES
; FUNCTION CHUNK AT 008D5057 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0820
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		push	ecx
		push	ecx
		push	ebx
		sub	esp, 0C0h
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_24], edx
		mov	esi, ecx
		push	58h		; size_t
		push	0		; int
		lea	eax, [ebp+var_A0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_48]
		rep stosd
		push	38h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_D8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_48]
		push	eax
		push	dword ptr [ebx+30h]
		push	0
		push	dword ptr [ebx+1Ch]
		mov	edi, [ebx+10h]
		push	edi
		push	dword ptr [ebx+14h]
		push	dword ptr [ebx+0Ch]
		push	dword ptr [ebx+8]
		mov	edx, esi
		mov	ecx, [ebp+var_24]
		call	MiMapViewOfSectionCommon
		mov	edx, eax
		test	edx, edx
		js	loc_8D4FED
		lea	eax, [ebp+var_D8]
		push	eax		; void *
		push	26h		; int
		push	dword ptr [ebx+30h] ; char
		mov	edx, [ebx+24h]
		mov	ecx, [ebx+20h]
		call	MiCaptureAllocateMapExtendedParameters
		mov	esi, eax
		test	esi, esi
		js	loc_8D500E
		mov	eax, [ebp+var_B0]
		and	eax, 0FFFFFFDFh
		or	eax, [ebp+var_AC]
		jnz	loc_8D5009
		push	eax
		push	dword ptr [ebx+1Ch]
		push	dword ptr [ebx+18h]
		push	[ebp+var_44]
		push	[ebp+var_48]
		push	[ebp+var_30]
		mov	edx, [ebp+var_34]
		lea	ecx, [ebp+var_A0]
		call	MiMapParametersInitialize
		mov	esi, eax
		test	esi, esi
		js	loc_8D500E
		lea	eax, [ebp+var_D8]
		push	eax
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_A0]
		call	MiMapExParametersInitialize
		mov	esi, eax
		test	esi, esi
		js	loc_8D500E
		mov	eax, [ebx+28h]
		mov	[ebp+var_6C], eax
		mov	eax, [ebx+2Ch]
		mov	[ebp+var_68], eax
		push	0
		push	1
		lea	eax, [ebp+var_40]
		push	eax
		push	0
		lea	eax, [ebp+var_48]
		push	eax
		lea	edx, [ebp+var_A0]
		mov	ecx, [ebp+var_34]
		call	MiMapViewOfSection
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_8D500E
		test	[ebp+var_70], 4
		jz	short loc_761F1A
		sub	esp, 10h
		push	[ebp+var_48]
		mov	edx, [ebp+var_34]
		mov	ecx, [ebp+var_30]
		call	DbgkMapViewOfSection

loc_761F1A:				; CODE XREF: MiMapViewOfSectionExCommon+163j
		mov	eax, [ebp+var_34]
		test	byte ptr [eax+20h], 20h
		jz	short loc_761F7A

loc_761F23:				; CODE XREF: MiMapViewOfSectionExCommon+1DAj
					; MiMapViewOfSectionExCommon+173292j
		and	[ebp+var_4], 0
		mov	eax, [ebp+var_48]
		mov	ecx, [ebx+0Ch]
		mov	[ecx], eax
		mov	eax, [ebp+var_94]
		mov	ecx, [ebx+14h]
		mov	[ecx], eax
		test	edi, edi
		jz	short loc_761F49
		mov	eax, [ebp+var_40]
		mov	[edi], eax
		mov	eax, [ebp+var_3C]
		mov	[edi+4], eax

loc_761F49:				; CODE XREF: MiMapViewOfSectionExCommon+198j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_761F50:				; CODE XREF: sub_8D5042+10j
		test	esi, esi
		js	loc_8D500E

loc_761F58:				; CODE XREF: MiMapViewOfSectionExCommon+173276j
					; MiMapViewOfSectionExCommon+1732B9j
		cmp	dword ptr [ebx+8], 0
		jz	loc_8D5062

loc_761F62:				; CODE XREF: MiMapViewOfSectionExCommon+1732D3j
		mov	eax, esi

loc_761F64:				; CODE XREF: MiMapViewOfSectionExCommon+173255j
					; MiMapViewOfSectionExCommon+173260j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	30h
; 

loc_761F7A:				; CODE XREF: MiMapViewOfSectionExCommon+17Dj
		test	[ebp+var_38], 2
		jz	short loc_761F23
		jmp	loc_8D501F
MiMapViewOfSectionExCommon endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapExParametersInitialize proc near	; CODE XREF: MiMapViewOfSectionExCommon+11Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D507C SIZE 00000072 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	eax, edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		mov	ecx, [eax+14h]
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	ebx, [ebp+arg_0]
		xor	esi, esi
		mov	[ebp+var_8], eax
		cmp	[ebx+8], esi
		jnz	loc_762088
		test	dword ptr [edi+14h], 4000h
		jnz	loc_8D507C

loc_761FBD:				; CODE XREF: MiMapExParametersInitialize+173119j
		mov	eax, [edi+8]
		mov	edx, [ebx]
		dec	eax
		mov	[ebp+arg_0], edx
		test	eax, edx
		jnz	loc_762088
		mov	eax, [ebp+var_4]
		cmp	[eax], esi
		jnz	loc_8D50A4

loc_761FD9:				; CODE XREF: MiMapExParametersInitialize+173138j
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jnz	loc_762072
		mov	ecx, [eax+18h]
		xor	edx, edx
		call	MiGetUserReservationHighestAddress
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		mov	[ebx+4], ecx

loc_761FF6:				; CODE XREF: MiMapExParametersInitialize+FCj
		cmp	edx, ecx
		jnb	loc_762088
		mov	eax, [ebp+var_4]
		mov	eax, [eax+4]
		test	eax, eax
		jnz	loc_76208F

loc_76200C:				; CODE XREF: MiMapExParametersInitialize+10Ej
		mov	edx, [edi+14h]
		test	dl, 7Fh
		jnz	short loc_762088
		cmp	[edi+20h], esi
		jnz	short loc_762088
		movzx	eax, ds:_KeNumberNodes
		mov	ecx, [ebx+10h]
		cmp	ecx, eax
		ja	short loc_762088
		mov	eax, [ebp+var_8]
		test	edx, 40000000h
		jnz	loc_8D50C3

loc_762036:				; CODE XREF: MiMapExParametersInitialize+17314Aj
		test	edx, 20000000h
		jnz	loc_8D50D5

loc_762042:				; CODE XREF: MiMapExParametersInitialize+173153j
					; MiMapExParametersInitialize+173163j
		mov	eax, [ebx+28h]
		and	eax, 20h
		or	eax, esi
		jz	short loc_762053
		or	dword ptr [edi+28h], 2
		mov	ecx, [ebx+10h]

loc_762053:				; CODE XREF: MiMapExParametersInitialize+C4j
		mov	[edi+20h], ecx
		and	edx, 0FFFFBFFFh
		mov	ecx, [ebx]
		mov	[edi], ecx
		mov	ecx, [ebx+4]
		mov	[edi+4], ecx
		mov	[edi+14h], edx

loc_762069:				; CODE XREF: MiMapExParametersInitialize+107j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_762072:				; CODE XREF: MiMapExParametersInitialize+58j
		cmp	ecx, ds:_MmHighestUserAddress
		ja	short loc_762088
		lea	eax, [ecx+1]
		test	eax, 0FFFh
		jz	loc_761FF6

loc_762088:				; CODE XREF: MiMapExParametersInitialize+24j
					; MiMapExParametersInitialize+42j ...
		mov	esi, 0C000000Dh
		jmp	short loc_762069
; 

loc_76208F:				; CODE XREF: MiMapExParametersInitialize+80j
		sub	ecx, edx
		inc	ecx
		cmp	ecx, eax
		jnb	loc_76200C
		jmp	short loc_762088
MiMapExParametersInitialize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAllocateVirtualMemoryEx(x, x, x, x, x, x,	x)
_NtAllocateVirtualMemoryEx@28 proc near	; DATA XREF: .text:005812C0o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_4], al
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+var_4]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	MmAllocateVirtualMemory
		leave
		retn	1Ch
_NtAllocateVirtualMemoryEx@28 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmAllocateVirtualMemory	proc near	; CODE XREF: NtAllocateVirtualMemoryEx(x,x,x,x,x,x,x)+32p
					; sub_A1DD29+9Dp

var_6C		= dword	ptr -6Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 008D50EE SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0840
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 5Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, edx
		mov	[ebp+var_2C], ecx
		push	38h		; size_t
		push	0		; int
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_24], 0
		mov	[ebp+var_28], 0
		mov	[ebp+var_4], 0
		mov	ebx, dword ptr [ebp+arg_14]
		test	bl, bl
		jz	loc_8D50FC
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8D50EE

loc_762159:				; CODE XREF: MmAllocateVirtualMemory+173010j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_8D50F5

loc_76216F:				; CODE XREF: MmAllocateVirtualMemory+173017j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_762173:				; CODE XREF: MmAllocateVirtualMemory+17301Fj
		mov	eax, [esi]
		mov	[ebp+var_24], eax
		mov	eax, [edi]
		mov	[ebp+var_28], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		push	3Eh		; int
		push	ebx		; char
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		call	MiCaptureAllocateMapExtendedParameters
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_7621E2
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	ebx
		lea	eax, [ebp+var_6C]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		lea	eax, [ebp+var_28]
		push	eax
		push	0
		lea	edx, [ebp+var_24]
		mov	ecx, [ebp+var_2C]
		call	MiAllocateVirtualMemoryCommon
		mov	ecx, eax
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		js	short loc_7621E2
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_24]
		mov	[esi], eax
		mov	eax, [ebp+var_28]
		mov	[edi], eax

loc_7621DB:				; CODE XREF: PAGE:008D514Cj
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7621E2:				; CODE XREF: MmAllocateVirtualMemory+BAj
					; MmAllocateVirtualMemory+E8j ...
		mov	eax, ecx
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
MmAllocateVirtualMemory	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiCaptureAllocateMapExtendedParameters(char,int,void *)
MiCaptureAllocateMapExtendedParameters proc near ; CODE	XREF: MiMapViewOfSectionExCommon+BFp
					; MmAllocateVirtualMemory+B1p ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D5151 SIZE 00000094 BYTES
; FUNCTION CHUNK AT 008D51EB SIZE 0000000F BYTES

		push	30h
		push	offset dword_6A0868
		call	__SEH_prolog4
		mov	ebx, edx
		mov	esi, ecx
		and	[ebp+var_20], 0
		push	38h		; size_t
		push	0		; int
		mov	edi, [ebp+arg_8]
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		test	ebx, ebx
		jnz	short loc_76223D
		mov	eax, esi
		neg	eax
		sbb	eax, eax
		and	eax, 0C000000Dh

loc_76222B:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+63j
					; MiCaptureAllocateMapExtendedParameters+13Cj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_76223D:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+26j
		test	esi, esi
		jz	loc_8D5151
		mov	eax, ebx
		push	10h
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_20]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	short loc_76222B
		xor	edx, edx
		mov	[ebp+var_24], edx
		and	[ebp+ms_exc.disabled], edx
		cmp	[ebp+arg_0], dl
		jz	short loc_762278
		push	8
		push	[ebp+var_20]
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	edx, [ebp+var_24]

loc_762278:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+70j
		mov	[ebp+var_28], esi
		shl	ebx, 4
		add	ebx, esi
		mov	[ebp+var_30], ebx

loc_762283:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+12Bj
		cmp	esi, ebx
		jnb	loc_762328
		mov	ecx, [esi]
		and	ecx, 0FFh
		mov	[ebp+var_34], ecx
		jz	loc_76236C
		cmp	ecx, 6
		jnb	loc_76236C
		cmp	dword ptr [esi+4], 0
		jb	short loc_7622BD
		ja	loc_76236C
		cmp	dword ptr [esi], 100h
		jnb	loc_76236C

loc_7622BD:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+B1j
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	[ebp+arg_4], eax
		mov	edi, [ebp+arg_8]
		jz	loc_76236C
		test	eax, edx
		jnz	loc_76236C
		bts	edx, ecx
		mov	[ebp+var_38], edx
		sub	ecx, 1
		jnz	short loc_762339
		mov	ecx, [esi+8]
		mov	[ebp+var_3C], ecx
		cmp	[ebp+arg_0], 0
		jz	short loc_76230D
		test	cl, 3
		jnz	loc_762376
		lea	eax, [ecx+0Ch]
		mov	edi, ds:_MmUserProbeAddress
		mov	[ebp+var_24], edi
		cmp	eax, edi
		mov	edi, [ebp+arg_8]
		ja	short loc_76237B
		cmp	eax, ecx
		jb	short loc_76237B

loc_76230D:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+F3j
					; MiCaptureAllocateMapExtendedParameters+189j
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		mov	eax, [ecx+8]
		mov	[edi+8], eax

loc_76231D:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+172j
					; MiCaptureAllocateMapExtendedParameters+172F6Dj ...
		add	esi, 10h
		mov	[ebp+var_28], esi
		jmp	loc_762283
; 

loc_762328:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+8Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[edi+20h], edx
		xor	eax, eax
		jmp	loc_76222B
; 

loc_762339:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+E7j
		sub	ecx, 1
		jz	loc_8D517D
		sub	ecx, 1
		jz	loc_8D516A
		sub	ecx, 1
		jz	loc_8D515B
		sub	ecx, 1
		jnz	short loc_76236C
		mov	ecx, [esi+8]
		mov	eax, [esi+0Ch]
		mov	[edi+28h], ecx
		mov	[edi+2Ch], eax
		and	ecx, 0FFFFFFC0h
		or	ecx, eax
		jz	short loc_76231D

loc_76236C:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+9Ej
					; MiCaptureAllocateMapExtendedParameters+A7j ...
		mov	eax, 0C000000Dh
		jmp	loc_8D51EB
; 

loc_762376:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+F8j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_76237B:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+10Fj
					; MiCaptureAllocateMapExtendedParameters+113j
		mov	eax, [ebp+var_24]
		mov	byte ptr [eax],	0
		jmp	short loc_76230D
MiCaptureAllocateMapExtendedParameters endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DbgkMapViewOfSection proc near		; CODE XREF: MiMapViewOfSectionExCommon+171p
					; NtMapViewOfSection+17Dp

var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D520A SIZE 000000A9 BYTES
; FUNCTION CHUNK AT 008D52CE SIZE 00000058 BYTES

		push	0C4h
		push	offset dword_6A0888
		call	__SEH_prolog4_GS
		mov	[ebp+var_D4], edx
		mov	edi, ecx
		mov	[ebp+var_D0], edi
		mov	ebx, [ebp+arg_0]
		push	0A8h		; size_t
		xor	esi, esi
		push	esi		; int
		lea	eax, [ebp+var_CC]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_7623E7
		mov	ecx, large fs:124h
		test	byte ptr [ecx+2FCh], 4
		jnz	short loc_7623E7
		cmp	[edi+190h], esi
		jnz	loc_8D520A

loc_7623E7:				; CODE XREF: DbgkMapViewOfSection+45j
					; DbgkMapViewOfSection+55j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
DbgkMapViewOfSection endp

; 
		align 2

;  S U B	R O U T	I N E 


MiGetUserReservationHighestAddress proc	near
					; CODE XREF: MiAllocateNewSubAllocatedRegion+79p
					; MiMapExParametersInitialize+63p ...

; FUNCTION CHUNK AT 008D5326 SIZE 00000016 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ds:_MmHighestUserAddress
		mov	eax, esi
		push	edi
		mov	edi, ecx
		test	edx, edx
		jnz	loc_8D5326

loc_762410:				; CODE XREF: MiGetUserReservationHighestAddress+172F35j
					; MiGetUserReservationHighestAddress+172F3Dj
		mov	ecx, [edi+1CCh]
		lea	eax, [ecx-1]
		cmp	esi, eax
		ja	short loc_762422

loc_76241D:				; CODE XREF: MiGetUserReservationHighestAddress+2Bj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_762422:				; CODE XREF: MiGetUserReservationHighestAddress+21j
		lea	esi, [ecx-1]
		jmp	short loc_76241D
MiGetUserReservationHighestAddress endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspReferenceSystemDll proc near		; CODE XREF: PspMapSystemDll+26p
					; DbgkCreateThread+19Ep ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D533C SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8D533C

loc_762441:				; CODE XREF: PspReferenceSystemDll+172F60j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
PspReferenceSystemDll endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDeleteVadBitmap proc near		; CODE XREF: MiDeleteFinalPageTables+B2p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D538D SIZE 00000059 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_28]
		push	6
		pop	ecx
		rep stosd
		mov	eax, [esi+148h]
		test	eax, eax
		jnz	loc_8D538D
		mov	eax, [esi+24Ch]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_76251C
		mov	ecx, dword_6D2E88
		mov	ebx, [eax+64h]
		mov	[ebp+var_10], ecx
		call	MiHyperSpaceSize
		lea	edx, [ebp+var_28]
		push	edx
		push	0
		lea	edi, [ecx-1]
		mov	dl, 21h
		push	0
		add	edi, eax
		push	edi
		push	ecx
		lea	ecx, [esi+240h]
		call	_MiDeletePagablePteRange@28 ; MiDeletePagablePteRange(x,x,x,x,x,x,x)
		mov	eax, [ebp+var_24]
		mov	[ebp+var_C], eax
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ecx, eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_4], ecx
		add	ebx, [eax+6Ch]
		jz	short loc_7624CF
		mov	edx, ebx
		mov	ecx, esi
		call	_MiReturnFullProcessCharges@8 ;	MiReturnFullProcessCharges(x,x)
		mov	ecx, [ebp+var_4]

loc_7624CF:				; CODE XREF: MiDeleteVadBitmap+79j
		sub	ebx, [ebp+var_C]
		jz	short loc_7624DB
		mov	edx, ebx
		call	MiReturnCommit

loc_7624DB:				; CODE XREF: MiDeleteVadBitmap+8Aj
		mov	edx, [ebp+var_10]
		lea	ebx, [esi+240h]
		sub	edi, edx
		mov	ecx, ebx
		inc	edi
		push	0
		shr	edi, 0Ch
		push	edi
		call	_MiDeleteWsleRange@16 ;	MiDeleteWsleRange(x,x,x,x)
		mov	edi, [esi+2DCh]
		test	edi, edi
		jz	short loc_76251C
		mov	edx, edi
		mov	ecx, ebx
		neg	edx
		call	_MiUpdateChargedWsles@8	; MiUpdateChargedWsles(x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	MiReturnCommit
		mov	edx, edi
		mov	ecx, esi
		call	_MiReturnFullProcessCharges@8 ;	MiReturnFullProcessCharges(x,x)

loc_76251C:				; CODE XREF: MiDeleteVadBitmap+30j
					; MiDeleteVadBitmap+B4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiDeleteVadBitmap endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmDeleteProcessAddressSpace proc near	; CODE XREF: PspProcessDelete+124p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D53E6 SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		xor	edx, edx
		push	esi
		push	edi
		mov	[ebp+var_4], ebx
		lea	ecx, [ebx+240h]
		call	MiUnlinkWorkingSet
		mov	edx, [ebx+150h]
		xor	esi, esi
		mov	edi, [ebx+1ECh]
		test	edx, edx
		jnz	loc_8D539E
		test	edi, edi
		jnz	loc_8D53E6

loc_76255D:				; CODE XREF: MmDeleteProcessAddressSpace+172EF4j
		lea	ecx, [ebx+240h]
		call	_MiGetSharedVm@4 ; MiGetSharedVm(x)
		mov	ecx, ebx
		mov	edi, eax
		call	MiDeleteFinalPageTables
		push	5
		mov	ecx, ebx
		mov	[ebp+var_4], eax
		call	_PsReturnProcessQuota@12 ; PsReturnProcessQuota(x,x,x)
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		push	5
		pop	edx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	_MiReturnResident@8 ; MiReturnResident(x,x)
		mov	ecx, ebx
		call	_MiDeleteProcessPhysicalPages@4	; MiDeleteProcessPhysicalPages(x)
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jnz	short loc_76260B

loc_76259D:				; CODE XREF: MmDeleteProcessAddressSpace+F1j
		mov	eax, [edi+14h]
		test	eax, eax
		jnz	loc_8D541B

loc_7625A8:				; CODE XREF: MmDeleteProcessAddressSpace+172F03j
		test	byte ptr [ebx+0F8h], 10h
		jz	short loc_7625BE
		push	esi
		push	ebx
		push	0FFFFFFFBh
		pop	edx
		push	2
		pop	ecx
		call	PspChangeJobMemoryUsageByProcess

loc_7625BE:				; CODE XREF: MmDeleteProcessAddressSpace+8Dj
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		push	5
		pop	eax
		sub	eax, [ebp+var_4]
		mov	edx, eax
		call	MiReturnCommit
		mov	ecx, [ebx+194h]
		test	ecx, ecx
		jz	short loc_7625E5
		call	MiPaeFree
		mov	[ebx+194h], esi

loc_7625E5:				; CODE XREF: MmDeleteProcessAddressSpace+B6j
		lea	ecx, [ebx+240h]
		call	_MiDeleteWorkingSetList@4 ; MiDeleteWorkingSetList(x)
		mov	ecx, [ebx+180h]
		test	ecx, ecx
		jz	short loc_7625FF
		call	MiReleaseProcessReferenceToSessionDataPage

loc_7625FF:				; CODE XREF: MmDeleteProcessAddressSpace+D6j
		mov	ecx, edi
		call	MiContractPagingFiles
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76260B:				; CODE XREF: MmDeleteProcessAddressSpace+79j
		call	MiEmptyPageAccessLog
		mov	[edi+18h], esi
		jmp	short loc_76259D
MmDeleteProcessAddressSpace endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiDeleteProcessPhysicalPages(x)
_MiDeleteProcessPhysicalPages@4	proc near ; CODE XREF: MmDeleteProcessAddressSpace+6Fp
		mov	edi, edi
		push	esi
		mov	esi, [ecx+24Ch]
		test	esi, esi
		jz	short loc_762639
		mov	edx, [esi+9Ch]
		test	edx, edx
		jnz	short loc_76263B

loc_76262D:				; CODE XREF: MiDeleteProcessPhysicalPages(x)+2Aj
		lea	eax, [esi+0A4h]
		push	eax
		call	ExCleanupAutoExpandPushLock

loc_762639:				; CODE XREF: MiDeleteProcessPhysicalPages(x)+Bj
		pop	esi
		retn
; 

loc_76263B:				; CODE XREF: MiDeleteProcessPhysicalPages(x)+15j
		call	_MiDeleteAweInfo@8 ; MiDeleteAweInfo(x,x)
		jmp	short loc_76262D
_MiDeleteProcessPhysicalPages@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReleaseProcessReferenceToSessionDataPage proc	near
					; CODE XREF: MmDeleteProcessAddressSpace+D8p
					; MiSessionObjectDelete(x)+12p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D542A SIZE 0000012D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	ebx, ecx
		mov	[ebp+var_28], ebx
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		lock xadd [ebx+0Ch], eax
		jz	loc_8D542A

loc_762672:				; CODE XREF: MiReleaseProcessReferenceToSessionDataPage+172F10j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
MiReleaseProcessReferenceToSessionDataPage endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtTerminateProcess proc	near		; DATA XREF: .text:00580C14o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D5557 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	al, [edi+15Ah]
		mov	ebx, [edi+80h]
		mov	[ebp+var_1], al
		mov	byte ptr [ebp+var_C], al
		jz	loc_762748
		push	0
		lea	eax, [ebp+var_8]
		push	eax
		push	65547350h
		push	[ebp+var_C]
		xor	eax, eax
		push	ds:_PsProcessType
		inc	eax
		push	eax
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7627C1
		mov	esi, [ebp+var_8]
		mov	eax, [esi+0E4h]
		dec	word ptr [edi+13Ch]
		mov	[ebp+var_C], eax
		nop
		xor	eax, eax
		mov	edx, edi
		cmp	[ebp+var_1], al
		mov	ecx, esi
		setz	al
		push	eax
		push	[ebp+arg_4]
		call	PspTerminateProcess
		mov	edx, 65547350h
		mov	[ebp+arg_0], eax
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		cmp	esi, ebx
		jnz	loc_7627C8
		cmp	[ebp+var_1], 1
		jnz	loc_7627D7
		xor	ecx, ecx
		lea	eax, [edi+2FCh]
		inc	ecx
		lock or	[eax], ecx
		mov	ecx, edi
		call	_KeForceResumeThread@4 ; KeForceResumeThread(x)
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, [ebp+arg_4]
		call	PspExitThread

loc_762748:				; CODE XREF: NtTerminateProcess+2Cj
		cmp	al, 1
		jnz	loc_8D5572
		test	[ebx+3A8h], al
		jnz	loc_8D5572
		mov	edx, edi
		mov	ecx, ebx
		call	_PspLockProcessExclusive@8 ; PspLockProcessExclusive(x,x)
		mov	ecx, 40000000h
		lea	esi, [ebx+0FCh]
		mov	eax, [esi]

loc_762772:				; CODE XREF: NtTerminateProcess+F8j
		mov	edx, eax
		or	edx, ecx
		lock cmpxchg [esi], edx
		jnz	short loc_762772
		test	eax, 40000008h
		jnz	loc_8D5557
		or	dword ptr [edi+300h], 40h
		cmp	dword ptr [ebx+34Ch], 103h
		mov	esi, [ebp+arg_4]
		jnz	short loc_7627A3
		mov	[ebx+34Ch], esi

loc_7627A3:				; CODE XREF: NtTerminateProcess+119j
		mov	ecx, ebx
		call	_PspUnlockProcessExclusiveUnsafe@4 ; PspUnlockProcessExclusiveUnsafe(x)
		push	0
		push	esi
		mov	edx, edi
		mov	ecx, ebx
		call	PspTerminateAllThreads
		mov	esi, eax

loc_7627B8:				; CODE XREF: NtTerminateProcess+153j
					; NtTerminateProcess+158j
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, esi

loc_7627C1:				; CODE XREF: NtTerminateProcess+54j
					; NtTerminateProcess+172EEBj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7627C8:				; CODE XREF: NtTerminateProcess+94j
		mov	esi, [ebp+arg_0]
		mov	edx, esi
		mov	ecx, [ebp+var_C]
		call	_PspLogAuditTerminateRemoteProcessEvent@8 ; PspLogAuditTerminateRemoteProcessEvent(x,x)
		jmp	short loc_7627B8
; 

loc_7627D7:				; CODE XREF: NtTerminateProcess+9Ej
		mov	esi, [ebp+arg_0]
		jmp	short loc_7627B8
NtTerminateProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspTerminateProcess proc near		; CODE XREF: NtTerminateProcess+7Ep
					; PsTerminateProcess(x,x)+1Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D557C SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	8
		pop	ecx
		lea	edi, [ebx+0FCh]
		mov	eax, [edi]

loc_7627F7:				; CODE XREF: PspTerminateProcess+23j
		mov	esi, eax
		or	esi, ecx
		lock cmpxchg [edi], esi
		jnz	short loc_7627F7
		mov	esi, eax
		mov	edi, [ebp+arg_0]
		mov	eax, esi
		and	eax, ecx
		mov	[ebp+var_8], eax
		jnz	loc_7628A9
		test	byte ptr ds:_PerfGlobalGroupMask, 1
		jz	short loc_762823
		mov	ecx, ebx
		call	_EtwTraceProcessTerminate@4 ; EtwTraceProcessTerminate(x)

loc_762823:				; CODE XREF: PspTerminateProcess+3Ej
		xor	edx, edx
		mov	ecx, ebx
		call	_KeSetProcessSchedulingGroup@8 ; KeSetProcessSchedulingGroup(x,x)
		test	esi, 40000000h
		jz	short loc_7628B1
		or	[ebp+arg_4], 4

loc_762838:				; CODE XREF: PspTerminateProcess+DBj
		lea	esi, [ebx+0E0h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		cmp	dword ptr [ebx+1D8h], 0
		jz	short loc_76285E
		cmp	edi, 0C000004Bh
		jz	short loc_7628BC

loc_762858:				; CODE XREF: PspTerminateProcess+EAj
		mov	[ebx+34Ch], edi

loc_76285E:				; CODE XREF: PspTerminateProcess+72j
					; PspTerminateProcess+ECj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7628CA

loc_76286B:				; CODE XREF: PspTerminateProcess+F5j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_4]

loc_762878:				; CODE XREF: PspTerminateProcess+D3j
		test	dword ptr [ebx+0F8h], 400h
		jnz	loc_8D557C
		push	eax
		push	edi
		mov	ecx, ebx
		call	PspTerminateAllThreads

loc_762891:				; CODE XREF: PspTerminateProcess+172DB2j
		mov	esi, eax

loc_762893:				; CODE XREF: PspTerminateProcess+172DC5j
		cmp	[ebp+var_8], 0
		jnz	short loc_7628A0
		mov	ecx, ebx
		call	_KeForceResumeProcess@4	; KeForceResumeProcess(x)

loc_7628A0:				; CODE XREF: PspTerminateProcess+BBj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7628A9:				; CODE XREF: PspTerminateProcess+31j
		mov	eax, [ebp+arg_4]
		or	eax, 2
		jmp	short loc_762878
; 

loc_7628B1:				; CODE XREF: PspTerminateProcess+56j
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_4], eax
		jmp	loc_762838
; 

loc_7628BC:				; CODE XREF: PspTerminateProcess+7Aj
		cmp	dword ptr [ebx+34Ch], 103h
		jz	short loc_762858
		jmp	short loc_76285E
; 

loc_7628CA:				; CODE XREF: PspTerminateProcess+8Dj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_76286B
PspTerminateProcess endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTraceThreadSetName proc near		; CODE XREF: NtSetInformationThread+768p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D55A6 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx+2ACh]
		push	ebx
		mov	[ebp+var_40], eax
		mov	eax, [ecx+2B0h]
		push	edi
		mov	[ebp+var_3C], eax
		xor	edi, edi
		lea	eax, [ebp+var_40]
		mov	[ebp+var_38], edi
		push	2
		mov	[ebp+var_34], eax
		mov	eax, [ecx+394h]
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], 8
		mov	[ebp+var_28], edi
		pop	ebx
		mov	edx, ebx
		test	eax, eax
		jz	loc_8D55A6
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	loc_8D55A6
		push	esi
		movzx	esi, word ptr [eax]
		mov	eax, 800h
		cmp	si, ax
		jnb	short loc_762940
		mov	eax, esi

loc_762940:				; CODE XREF: EtwTraceThreadSetName+68j
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], edi
		pop	esi
		test	eax, eax
		jz	short loc_76295A
		shr	eax, 1
		cmp	[ecx+eax*2-2], di
		jz	short loc_76296D

loc_76295A:				; CODE XREF: EtwTraceThreadSetName+7Bj
		push	3
		mov	[ebp+var_14], offset _EtwpNull
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], edi
		pop	edx

loc_76296D:				; CODE XREF: EtwTraceThreadSetName+84j
					; EtwTraceThreadSetName+172CE2j
		push	(offset	loc_501800+2)
		push	548h
		push	ebx
		lea	ecx, [ebp+var_34]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
EtwTraceThreadSetName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMapCfgBitMapSection(x, x,	x, x, x)
_MiMapCfgBitMapSection@20 proc near	; CODE XREF: MiCfgInitializeProcess(x)+48p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		mov	[ebp+var_4], eax
		mov	esi, edx
		mov	[ebp+var_14], eax
		xor	edx, edx
		mov	[ebp+var_1C], eax
		inc	edx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], eax
		xor	eax, eax
		stosd
		push	ecx
		stosd
		stosd
		lea	eax, [ebp+var_4]
		push	eax
		push	80000001h
		push	edx
		lea	eax, [ebp+var_20]
		push	eax
		push	edx
		push	0
		push	dword ptr [ebx+10h]
		mov	edx, ecx
		mov	ecx, esi
		push	dword ptr [ebx+8]
		push	dword ptr [ebx+0Ch]
		call	_MmMapViewOfSectionEx@48 ; MmMapViewOfSectionEx(x,x,x,x,x,x,x,x,x,x,x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
_MiMapCfgBitMapSection@20 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReferenceCfgVad(x, x, x)
_MiReferenceCfgVad@12 proc near		; CODE XREF: MmInitializeProcessAddressSpace+2E4p
					; MiCfgInitializeProcess(x)+62p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+80h]
		mov	edi, edx
		mov	ebx, ecx
		mov	ecx, edi
		mov	esi, [eax+24Ch]
		lea	eax, [ebp+var_4]
		push	eax
		push	2
		pop	edx
		call	MiObtainReferencedVadEx
		mov	edx, eax
		mov	ecx, [eax+10h]
		and	dword ptr [esi+0C4h], 0
		inc	ecx
		shl	ecx, 0Ch
		sub	ecx, edi
		mov	[esi+0B8h], edi
		mov	[esi+0BCh], ecx
		mov	ecx, ebx
		mov	[esi+0C0h], eax
		call	_MiUnlockVadShared@8 ; MiUnlockVadShared(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiReferenceCfgVad@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateWriteWatchView(x, x, x)
_MiCreateWriteWatchView@12 proc	near	; CODE XREF: MiReserveUserMemory+434p
					; MiAllocateChildVads+B4956p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	edi
		mov	ecx, ebx
		call	_MiGetVadMandatoryPageSize@4 ; MiGetVadMandatoryPageSize(x)
		mov	edi, eax
		mov	esi, [ebp+var_4]
		mov	eax, [ebp+arg_0]
		mov	edx, edi
		dec	eax
		neg	edx
		add	eax, edi
		mov	ecx, esi
		and	eax, edx
		xor	edx, edx
		div	edi
		push	4
		push	eax
		mov	edx, ebx
		call	MiCreateVadEventBitmap
		test	eax, eax
		js	short loc_762AA5
		mov	ecx, 8000h
		lea	eax, [esi+0FCh]
		lock or	[eax], ecx
		xor	eax, eax

loc_762AA5:				; CODE XREF: MiCreateWriteWatchView(x,x,x)+39j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiCreateWriteWatchView@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiReadImageHeaders(int,void *)
MiReadImageHeaders proc	near		; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+204p
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+346p ...

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D55BB SIZE 000000BF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	edx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	eax, [edx+8]
		lea	edi, [ebp+var_20]
		mov	ebx, [edx+14h]
		mov	esi, ecx
		mov	ecx, [edx+0Ch]
		add	ebx, 0FFFh
		mov	[ebp+var_8], eax
		and	ecx, 0FFFh
		shl	eax, 0Ch
		add	ebx, ecx
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_4]
		and	[ebp+var_C], 0
		shr	ebx, 0Ch
		and	dword ptr [eax+4], 0
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_20]
		xor	edi, edi
		push	edi
		push	edi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_20]
		push	2
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_MiPageRead@28	; MiPageRead(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_4], esi
		cmp	esi, 103h
		jnz	short loc_762B77
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	9
		lea	eax, [ebp+var_20]
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, [ebp+arg_4]
		mov	esi, [ecx]
		mov	[ebp+var_4], esi

loc_762B3F:				; CODE XREF: MiReadImageHeaders+CEj
		test	esi, esi
		js	loc_8D563D
		mov	ecx, [ecx+4]
		mov	eax, ebx
		shl	eax, 0Ch
		cmp	ecx, eax
		jnz	short loc_762B62

loc_762B53:				; CODE XREF: MiReadImageHeaders+C9j
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_762B7C

loc_762B59:				; CODE XREF: MiReadImageHeaders+172B8Cj
					; MiReadImageHeaders+172BA6j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_762B62:				; CODE XREF: MiReadImageHeaders+A5j
		sub	eax, ecx
		push	eax		; size_t
		mov	eax, [edi+0Ch]
		add	eax, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_762B53
; 

loc_762B77:				; CODE XREF: MiReadImageHeaders+79j
		mov	ecx, [ebp+arg_4]
		jmp	short loc_762B3F
; 

loc_762B7C:				; CODE XREF: MiReadImageHeaders+ABj
		mov	esi, [ebp+var_8]
		jmp	loc_8D55BB
MiReadImageHeaders endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmPrefetchForCacheManager(x, x, x, x, x, x,	x, x, x)
_MmPrefetchForCacheManager@36 proc near	; CODE XREF: CcPerformReadAhead+29Ep
					; CcAsyncReadPrefetch+12Fp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_8], 0
		push	ebx
		mov	ebx, large fs:124h
		mov	eax, [ecx+14h]
		push	esi
		xor	esi, esi
		push	edi
		mov	eax, [eax]
		mov	edi, [ebp+arg_4]
		mov	[esp+18h+var_4], eax
		cmp	dword_6D3154, esi
		jz	short loc_762BC0
		cmp	edi, dword_6D3158
		jnb	loc_762C4C

loc_762BC0:				; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+2Ej
					; MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+D9j
		push	[ebp+arg_18]
		lea	ecx, [esp+1Ch+var_8]
		mov	edx, eax
		push	[ebp+arg_14]
		push	ecx
		push	0FFFFFFFFh
		push	edi
		push	[ebp+arg_0]
		mov	ecx, esi
		push	0
		call	MiPfPrepareSequentialReadList
		test	eax, eax
		js	loc_762C92
		mov	eax, [esp+18h+var_8]
		test	eax, eax
		jz	loc_762C92
		mov	edi, [ebp+arg_10]
		xor	ecx, ecx
		inc	ecx
		mov	[eax+3Ch], ecx
		cmp	dword ptr [edi], 0
		jnz	short loc_762C06
		dec	word ptr [ebx+13Eh]
		nop

loc_762C06:				; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+78j
		push	ecx
		mov	ecx, [esp+1Ch+var_8]
		xor	edx, edx
		call	MiPfPutPagesInTransition
		mov	ecx, [esp+18h+var_8]
		test	eax, eax
		js	short loc_762C72
		lea	eax, [ecx+48h]
		cmp	[eax], eax
		jz	short loc_762C72
		test	esi, esi
		jnz	short loc_762C62

loc_762C25:				; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+ECj
		push	[ebp+arg_C]
		xor	edx, edx
		push	0FFFFFFFFh
		inc	edx
		call	MiPfExecuteReadList
		mov	ecx, [esp+18h+var_8]
		xor	eax, eax
		mov	edx, [edi]
		inc	eax
		mov	[ecx], edx
		mov	ecx, [esp+18h+var_8]
		mov	[edi], ecx

loc_762C43:				; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+114j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_762C4C:				; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+36j
		mov	edx, [ebp+arg_0]
		shr	edx, 0Ch
		call	_MiGetCcAccessLog@8 ; MiGetCcAccessLog(x,x)
		mov	esi, eax
		mov	eax, [esp+18h+var_4]
		jmp	loc_762BC0
; 

loc_762C62:				; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+9Fj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiReturnCcAccessLog@8 ; MiReturnCcAccessLog(x,x)
		mov	ecx, [esp+18h+var_8]
		jmp	short loc_762C25
; 

loc_762C72:				; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+94j
					; MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+9Bj
		cmp	dword ptr [edi], 0
		jnz	short loc_762C82
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [esp+18h+var_8]

loc_762C82:				; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+F1j
		call	_MiReleaseReadListResources@4 ;	MiReleaseReadListResources(x)
		push	0
		push	[esp+1Ch+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_762C92:				; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+5Aj
					; MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+66j
		test	esi, esi
		jnz	short loc_762C9A

loc_762C96:				; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+11Fj
		xor	eax, eax
		jmp	short loc_762C43
; 

loc_762C9A:				; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+110j
		xor	edx, edx
		mov	ecx, esi
		call	_MiReturnCcAccessLog@8 ; MiReturnCcAccessLog(x,x)
		jmp	short loc_762C96
_MmPrefetchForCacheManager@36 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPfExecuteReadList proc near		; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+A9p
					; MiPrefetchControlArea(x,x,x,x,x,x,x)+75p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D567A SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_8], eax
		mov	edi, ebx
		mov	[ebp+var_1], 0
		not	edi
		lea	eax, [ecx+48h]
		mov	esi, [eax]
		and	edi, 2
		or	edi, 1
		mov	[ebp+var_10], eax
		cmp	esi, eax
		jz	loc_762D6D
		mov	ecx, [ebp+arg_0]
		and	ebx, 1

loc_762CE0:				; CODE XREF: MiPfExecuteReadList+C1j
		mov	eax, [esi+98h]
		mov	edx, ecx
		mov	[ebp+var_C], eax
		mov	ecx, esi
		or	word ptr [eax+6], 42h
		mov	eax, [eax+14h]
		mov	[esi+70h], eax
		call	MiReferenceInPageFile
		test	eax, eax
		jz	loc_8D567A
		xor	ecx, ecx

loc_762D07:				; CODE XREF: MiPfExecuteReadList+1729DAj
		mov	[esi+7Ch], eax
		and	dword ptr [esi+60h], 0
		and	dword ptr [esi+64h], 0
		mov	eax, [esi+90h]
		mov	[esi+8Ch], eax
		test	ebx, ebx
		jnz	short loc_762D74

loc_762D22:				; CODE XREF: MiPfExecuteReadList+E1j
		test	ecx, ecx
		jnz	loc_8D5685

loc_762D2A:				; CODE XREF: MiPfExecuteReadList+1729E8j
		test	dword ptr [esi+78h], 100h
		lea	eax, [esi+30h]
		lea	ecx, [esi+10h]
		lea	edx, [esi+38h]
		jnz	loc_8D569B
		push	[ebp+arg_4]
		push	6
		push	eax
		push	ecx
		mov	ecx, [esi+7Ch]
		push	edx
		mov	edx, [ebp+var_C]
		call	_MiPageRead@28	; MiPageRead(x,x,x,x,x,x,x)

loc_762D53:				; CODE XREF: MiPfExecuteReadList+1729F0j
					; MiPfExecuteReadList+172A07j
		test	ebx, ebx
		jnz	short loc_762D89

loc_762D57:				; CODE XREF: MiPfExecuteReadList+EFj
		test	eax, eax
		js	loc_8D56B2

loc_762D5F:				; CODE XREF: MiPfExecuteReadList+172A1Fj
		mov	esi, [esi]
		mov	ecx, [ebp+arg_0]
		cmp	esi, [ebp+var_10]
		jnz	loc_762CE0

loc_762D6D:				; CODE XREF: MiPfExecuteReadList+2Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_762D74:				; CODE XREF: MiPfExecuteReadList+7Aj
		mov	eax, [ebp+var_8]
		mov	dl, [eax+308h]
		mov	[ebp+var_1], dl
		mov	byte ptr [eax+308h], 1
		jmp	short loc_762D22
; 

loc_762D89:				; CODE XREF: MiPfExecuteReadList+AFj
		mov	ecx, [ebp+var_8]
		mov	dl, [ebp+var_1]
		mov	[ecx+308h], dl
		jmp	short loc_762D57
MiPfExecuteReadList endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiGetCcAccessLog(x,	x)
_MiGetCcAccessLog@8 proc near		; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+CEp
		cmp	dword_6D3140, 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		jz	short loc_762E1C
		xor	esi, esi
		mov	eax, offset dword_6D3140
		xchg	esi, [eax]
		test	esi, esi
		jz	short loc_762E1C
		mov	eax, [esi+20h]
		mov	ecx, [esi+24h]
		lea	eax, [eax+edi*8]
		cmp	eax, ecx
		ja	loc_762E59
		mov	eax, [esi+28h]
		sub	eax, ecx
		and	eax, 0FFFFFFFCh
		cmp	eax, 800h
		jge	loc_762E59

loc_762DD9:				; CODE XREF: MiGetCcAccessLog(x,x)+CAj
		test	esi, esi
		jz	short loc_762E1C

loc_762DDD:				; CODE XREF: MiGetCcAccessLog(x,x)+BFj
		mov	eax, [esi+24h]
		mov	edx, [esi+28h]
		mov	edi, [ebx+0Ch]
		lea	ecx, [eax+4]
		cmp	ecx, edx
		jnb	short loc_762E10

loc_762DED:				; CODE XREF: MiGetCcAccessLog(x,x)+5Ej
		cmp	[ecx], edi
		jz	short loc_762DF8
		add	ecx, 4
		cmp	ecx, edx
		jb	short loc_762DED

loc_762DF8:				; CODE XREF: MiGetCcAccessLog(x,x)+57j
		cmp	ecx, edx
		jnb	short loc_762E10

loc_762DFC:				; CODE XREF: MiGetCcAccessLog(x,x)+82j
		mov	eax, [esi+20h]
		sub	edx, ecx
		sar	edx, 2
		mov	[esi+18h], eax
		mov	eax, esi
		mov	[esi+8], edx

loc_762E0C:				; CODE XREF: MiGetCcAccessLog(x,x)+D1j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_762E10:				; CODE XREF: MiGetCcAccessLog(x,x)+53j
					; MiGetCcAccessLog(x,x)+62j
		mov	ecx, eax
		add	eax, 0FFFFFFFCh
		mov	[esi+24h], eax
		mov	[ecx], edi
		jmp	short loc_762DFC
; 

loc_762E1C:				; CODE XREF: MiGetCcAccessLog(x,x)+Ej
					; MiGetCcAccessLog(x,x)+1Bj ...
		lea	edi, ds:103Fh[edi*8]
		mov	edx, 63416D4Dh
		push	0
		and	edi, 0FFFFF000h
		push	40h
		mov	ecx, edi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_762E67
		push	edi
		xor	ecx, ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	edx, esi
		mov	ecx, eax
		call	MiInitializePageAccessLogging
		mov	dword ptr [esi+4], 1
		jmp	short loc_762DDD
; 

loc_762E59:				; CODE XREF: MiGetCcAccessLog(x,x)+28j
					; MiGetCcAccessLog(x,x)+3Bj
		mov	ecx, esi
		call	_MiQueuePageAccessLog@4	; MiQueuePageAccessLog(x)
		xor	esi, esi
		jmp	loc_762DD9
; 

loc_762E67:				; CODE XREF: MiGetCcAccessLog(x,x)+A5j
		xor	eax, eax
		jmp	short loc_762E0C
_MiGetCcAccessLog@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsTerminateProcess(x, x)
_PsTerminateProcess@8 proc near		; CODE XREF: MiReAcquireCommitFailWorker(x)+Dp
					; PspRemoveProcessFromJobChain+258p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		push	edi
		mov	edi, large fs:124h
		dec	word ptr [edi+13Ch]
		nop
		push	1
		push	edx
		mov	edx, edi
		call	PspTerminateProcess
		mov	ecx, edi
		mov	esi, eax
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_PsTerminateProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPrefetchControlArea(x, x,	x, x, x, x, x)
_MiPrefetchControlArea@28 proc near	; CODE XREF: .text:004786B1p
					; MiSetPagesModified(x,x)+9Bp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		dec	word ptr [edi+13Ch]
		nop
		push	[ebp+arg_10]
		lea	eax, [ebp+var_4]
		push	[ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		push	edx
		mov	edx, ecx
		xor	ecx, ecx
		push	ebx
		call	MiPfPrepareSequentialReadList
		mov	esi, eax
		test	esi, esi
		js	short loc_762F51
		cmp	[ebp+var_4], ebx
		jz	short loc_762F51
		inc	byte ptr [edi+30Ah]
		xor	edx, edx
		mov	eax, [ebp+var_4]
		push	[ebp+arg_4]
		mov	[eax+3Ch], ebx
		mov	ecx, [ebp+var_4]
		call	MiPfPutPagesInTransition
		mov	ecx, [ebp+var_4]
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_762F2C
		lea	esi, [ecx+48h]
		cmp	[esi], esi
		jz	short loc_762F2C
		mov	edx, [ebp+arg_4]
		push	0
		push	[ebp+arg_8]
		call	MiPfExecuteReadList
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		push	0
		lea	ecx, [ecx+48h]
		call	_MiPfCompletePrefetchIos@12 ; MiPfCompletePrefetchIos(x,x,x)
		mov	ecx, [ebp+var_4]

loc_762F2C:				; CODE XREF: MiPrefetchControlArea(x,x,x,x,x,x,x)+64j
					; MiPrefetchControlArea(x,x,x,x,x,x,x)+6Bj
		call	_MiReleaseReadListResources@4 ;	MiReleaseReadListResources(x)
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		dec	byte ptr [edi+30Ah]
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, ebx

loc_762F4A:				; CODE XREF: MiPrefetchControlArea(x,x,x,x,x,x,x)+BAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_762F51:				; CODE XREF: MiPrefetchControlArea(x,x,x,x,x,x,x)+3Dj
					; MiPrefetchControlArea(x,x,x,x,x,x,x)+42j
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, esi
		jmp	short loc_762F4A
_MiPrefetchControlArea@28 endp


;  S U B	R O U T	I N E 


AlpcpSignalPortAndUnlock proc near	; CODE XREF: AlpcpDisconnectPort+284p
					; AlpcpCancelMessage(x,x,x)+39Ep

; FUNCTION CHUNK AT 008D56CA SIZE 000000C3 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		cmp	[esi+10h], ebx
		jz	short loc_762F76
		push	ebx
		push	1
		xor	dl, dl
		call	_AlpcpQueueIoCompletionPort@16 ; AlpcpQueueIoCompletionPort(x,x,x,x)

loc_762F73:				; CODE XREF: AlpcpSignalPortAndUnlock+58j
		pop	esi
		pop	ebx
		retn
; 

loc_762F76:				; CODE XREF: AlpcpSignalPortAndUnlock+Bj
		test	dword ptr [esi+0F4h], 200h
		push	edi
		jz	loc_8D56CA
		push	11h
		lea	edi, [esi+0D0h]
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_762FB6

loc_762F9B:				; CODE XREF: AlpcpSignalPortAndUnlock+61j
		mov	ecx, edi
		call	KeAbPostRelease
		push	ebx
		push	ecx
		mov	ecx, [esi+94h]

loc_762FAA:				; CODE XREF: AlpcpSignalPortAndUnlock+172807j
		xor	edx, edx
		inc	edx
		push	edx
		call	KeReleaseSemaphoreEx
		pop	edi
		jmp	short loc_762F73
; 

loc_762FB6:				; CODE XREF: AlpcpSignalPortAndUnlock+3Dj
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_762F9B
AlpcpSignalPortAndUnlock endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 214. CcMdlRead

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcMdlRead
CcMdlRead	proc near		; CODE XREF: FsRtlMdlReadDev(x,x,x,x,x,x,x)+11Bp

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D578D SIZE 0000001E BYTES

		push	50h
		push	offset dword_6A08F8
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_1C], esi
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_40], esi
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+14h]
		mov	ebx, [eax+4]
		mov	[ebp+var_4C], ebx
		mov	edx, [edi+18h]
		mov	[ebp+var_3C], edx
		mov	[ebp+var_50], edx
		test	dword ptr [edx], 20000h
		jnz	loc_76313E

loc_763008:				; CODE XREF: CcMdlRead+185j
		inc	large dword ptr	fs:664h
		mov	eax, large fs:124h
		mov	[eax+328h], esi
		mov	eax, [ebp+arg_4]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+ms_exc.disabled], esi
		mov	[ebp+var_58], 1
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], ecx
		mov	eax, [ebp+arg_8]

loc_76303C:				; CODE XREF: CcMdlRead+142j
		test	eax, eax
		jz	loc_76310B
		mov	[ebp+var_20], esi
		push	ecx
		push	edx
		push	esi
		push	esi
		lea	eax, [ebp+var_20]
		push	eax
		lea	edx, [ebp+var_24]
		mov	ecx, ebx
		call	CcGetVirtualAddress
		mov	[ebp+var_44], eax
		test	byte ptr [ebx+60h], 8
		jnz	short loc_763085
		push	esi
		mov	eax, [ebp+var_3C]
		mov	ecx, [eax]
		shr	ecx, 12h
		and	ecx, 7
		push	ecx
		push	[ebp+var_24]
		lea	eax, [ebp+var_40]
		push	eax
		push	1
		push	[ebp+arg_8]
		lea	edx, [ebp+var_60]
		mov	ecx, edi
		call	_CcFetchDataForRead@32 ; CcFetchDataForRead(x,x,x,x,x,x,x,x)

loc_763085:				; CODE XREF: CcMdlRead+9Cj
		mov	eax, [ebp+arg_8]
		cmp	[ebp+var_20], eax
		jbe	loc_763136
		mov	[ebp+var_20], eax

loc_763094:				; CODE XREF: CcMdlRead+175j
		mov	ecx, eax
		xor	edx, edx
		add	ecx, [ebp+var_30]
		mov	[ebp+var_48], ecx
		adc	edx, [ebp+var_34]
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_34], edx
		push	esi
		push	esi
		push	esi
		push	eax
		push	[ebp+var_44]
		call	IoAllocateMdl
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_8D578D
		push	esi
		push	esi
		push	eax
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	ecx, [ebp+var_24]
		call	CcFreeVirtualAddress
		mov	[ebp+var_24], esi
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	loc_8D5797
		mov	edx, [ebp+var_1C]
		mov	[eax], edx

loc_7630E6:				; CODE XREF: CcMdlRead+1727E2j
		mov	[ebp+var_1C], esi
		mov	edx, [ebp+var_48]
		mov	[ebp+var_60], edx
		mov	eax, [ebp+var_38]
		mov	[ebp+var_5C], eax
		mov	ecx, [ebp+var_20]
		add	[ebp+var_2C], ecx
		mov	eax, [ebp+arg_8]
		sub	eax, ecx
		mov	[ebp+arg_8], eax
		mov	ecx, [ebp+var_38]
		jmp	loc_76303C
; 

loc_76310B:				; CODE XREF: CcMdlRead+7Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_28]
		mov	edx, [ebp+var_3C]
		mov	[ebp+var_58], 0
		call	sub_76314E
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_763136:				; CODE XREF: CcMdlRead+C7j
		mov	eax, [ebp+var_20]
		jmp	loc_763094
; 

loc_76313E:				; CODE XREF: CcMdlRead+3Ej
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	edi
		call	CcScheduleReadAheadEx
		jmp	loc_763008
CcMdlRead	endp


;  S U B	R O U T	I N E 


sub_76314E	proc near		; CODE XREF: CcMdlRead+15Bp
					; sub_8D57AB+11j

; FUNCTION CHUNK AT 008D57C1 SIZE 00000053 BYTES

		mov	eax, large fs:124h
		mov	eax, [eax+328h]
		add	large fs:6A0h, eax
		cmp	[ebp-58h], esi
		jnz	loc_8D57C1
		test	dword ptr [edx], 20000h
		jnz	short loc_763178
		cmp	dword ptr [ebp-40h], 0
		jnz	short loc_763199

loc_763178:				; CODE XREF: sub_76314E+22j
					; sub_76314E+59j
		push	ecx
		mov	edx, [ebp+0Ch]
		mov	ecx, edi
		call	_CcUpdateReadHistory@12	; CcUpdateReadHistory(x,x,x)
		test	byte ptr [ebx+60h], 8
		jnz	loc_8D5804

loc_76318D:				; CODE XREF: sub_76314E+1726C1j
		mov	ecx, [ebp+18h]
		mov	[ecx], esi
		mov	eax, [ebp-2Ch]
		mov	[ecx+4], eax
		retn
; 

loc_763199:				; CODE XREF: sub_76314E+28j
		push	esi
		push	ecx
		push	dword ptr [ebp+0Ch]
		push	edi
		call	CcScheduleReadAheadEx
		mov	ecx, [ebp-28h]
		jmp	short loc_763178
sub_76314E	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSetProviderTraitsUm(x, x, x)
_EtwpSetProviderTraitsUm@12 proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+66Ap

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	24h
		push	offset dword_6A0918
		call	__SEH_prolog4
		mov	[ebp+var_2C], edx
		mov	ebx, ecx
		xor	edx, edx
		mov	edi, edx
		mov	[ebp+var_1C], edx
		cmp	[ebx+8], edx
		jz	loc_7632F6
		cmp	[ebx+10h], dx
		jz	loc_7632F6
		mov	eax, ds:_EtwpRegistrationObjectType
		mov	ecx, [ebx]
		mov	[ebp+var_20], edx
		push	edx
		lea	edx, [ebp+var_20]
		push	edx
		push	1
		push	eax
		push	800h
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	edi, [ebp+var_20]
		mov	[ebp+var_34], edi
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_7632FB
		movzx	eax, word ptr [edi+32h]
		test	al, 8
		jnz	loc_7632F6
		test	al, 2
		jz	loc_7632F6
		cmp	dword ptr [edi+38h], 0
		jz	short loc_763229
		mov	esi, 0C0000001h
		jmp	loc_7632FB
; 

loc_763229:				; CODE XREF: EtwpSetProviderTraitsUm(x,x,x)+73j
		and	[ebp+ms_exc.disabled], 0
		movzx	ecx, word ptr [ebx+10h]
		mov	eax, ecx
		test	cx, cx
		jz	short loc_763259
		mov	esi, [ebx+8]
		lea	eax, [esi+ecx]
		mov	[ebp+var_28], eax
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_763252
		mov	eax, ecx
		cmp	[ebp+var_28], esi
		jnb	short loc_763259

loc_763252:				; CODE XREF: EtwpSetProviderTraitsUm(x,x,x)+9Fj
		mov	byte ptr [edx],	0
		movzx	eax, word ptr [ebx+10h]

loc_763259:				; CODE XREF: EtwpSetProviderTraitsUm(x,x,x)+8Cj
					; EtwpSetProviderTraitsUm(x,x,x)+A6j
		push	54777445h
		movzx	eax, ax
		add	eax, 10h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jnz	short loc_763286
		mov	esi, 0C000009Ah
		mov	[ebp+var_24], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_7632FB
; 

loc_763286:				; CODE XREF: EtwpSetProviderTraitsUm(x,x,x)+C9j
		movzx	eax, word ptr [ebx+10h]
		push	eax		; size_t
		push	dword ptr [ebx+8] ; void *
		lea	eax, [esi+10h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	offset _EtwpProviderTraitsUmTree
		push	offset _EtwpProviderTraitsUmMutex
		movzx	eax, word ptr [ebx+10h]
		push	eax
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	edx, [ebp+var_2C]
		mov	ecx, ebx
		call	EtwpSetProviderTraitsCommon
		mov	esi, eax
		jmp	short loc_7632FB
; 

loc_7632C3:				; DATA XREF: .text:006A092Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7632D1:				; DATA XREF: .text:006A0930o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_30]
		mov	[ebp+var_24], esi
		cmp	[ebp+var_1C], 0
		jz	short loc_7632EA
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7632EA:				; CODE XREF: EtwpSetProviderTraitsUm(x,x,x)+134j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_34]
		jmp	short loc_7632FB
; 

loc_7632F6:				; CODE XREF: EtwpSetProviderTraitsUm(x,x,x)+1Bj
					; EtwpSetProviderTraitsUm(x,x,x)+25j ...
		mov	esi, 0C000000Dh

loc_7632FB:				; CODE XREF: EtwpSetProviderTraitsUm(x,x,x)+55j
					; EtwpSetProviderTraitsUm(x,x,x)+7Aj ...
		test	edi, edi
		jz	short loc_76332D
		test	esi, esi
		jz	short loc_763326
		push	offset _ETW_EVENT_SET_TRAITS_FAILED
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_763326
		push	esi
		push	edi
		push	ecx
		push	ecx
		call	_EtwpEventWriteRegistrationStatus@24 ; EtwpEventWriteRegistrationStatus(x,x,x,x,x,x)

loc_763326:				; CODE XREF: EtwpSetProviderTraitsUm(x,x,x)+157j
					; EtwpSetProviderTraitsUm(x,x,x)+171j
		mov	ecx, edi
		call	ObfDereferenceObject

loc_76332D:				; CODE XREF: EtwpSetProviderTraitsUm(x,x,x)+153j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpSetProviderTraitsUm@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpSetProviderTraitsCommon proc near	; CODE XREF: EtwpSetProviderTraitsUm(x,x,x)+110p
					; EtwpSetProviderTraitsKm(x,x,x)+75p

var_3A		= byte ptr -3Ah
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_14]
		mov	[esp+44h+var_20], eax
		mov	eax, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ebx, edi
		mov	[esp+48h+var_2C], esi
		mov	esi, [ebp+arg_C]
		mov	[esp+48h+var_38], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+48h+var_1C], edx
		mov	[esp+48h+var_18], ecx
		mov	[esp+48h+var_28], eax
		mov	[esp+48h+var_3A], 0
		mov	[esp+48h+var_24], 0
		mov	[esp+48h+var_34], ebx
		cmp	esi, 3
		jnb	short loc_7633B5

loc_7633AB:				; CODE XREF: EtwpSetProviderTraitsCommon+A5j
		mov	esi, 0C0000102h
		jmp	loc_7635FF
; 

loc_7633B5:				; CODE XREF: EtwpSetProviderTraitsCommon+59j
		movzx	eax, word ptr [edi+10h]
		cmp	eax, esi
		jz	short loc_7633C7
		mov	esi, 0C0000102h
		jmp	loc_7635FF
; 

loc_7633C7:				; CODE XREF: EtwpSetProviderTraitsCommon+6Bj
		lea	eax, [esi-2]
		push	eax
		lea	eax, [edi+12h]
		push	eax
		call	_strnlen
		add	esp, 8
		lea	ecx, [eax+3]
		cmp	ecx, esi
		jbe	short loc_7633E8
		mov	esi, 0C0000102h
		jmp	loc_7635FF
; 

loc_7633E8:				; CODE XREF: EtwpSetProviderTraitsCommon+8Cj
		jnb	short loc_763402
		lea	ebx, [ebx+0]

loc_7633F0:				; CODE XREF: EtwpSetProviderTraitsCommon+B0j
		lea	eax, [ecx+2]
		cmp	eax, esi
		ja	short loc_7633AB
		movzx	eax, word ptr [edi+ecx+10h]
		add	ecx, eax
		cmp	ecx, esi
		jb	short loc_7633F0

loc_763402:				; CODE XREF: EtwpSetProviderTraitsCommon:loc_7633E8j
		cmp	ecx, esi
		jz	short loc_763410
		mov	esi, 0C0000102h
		jmp	loc_7635FF
; 

loc_763410:				; CODE XREF: EtwpSetProviderTraitsCommon+B4j
		mov	ecx, [esp+48h+var_28]
		lea	ebx, [edi+0Ch]
		xor	eax, eax
		mov	[edi], eax
		mov	[edi+4], eax
		mov	[edi+8], eax
		mov	dword ptr [ebx], 1
		call	ExAcquireFastMutex
		call	_Feature_1445264698__private_IsEnabledDeviceUsage@0 ; Feature_1445264698__private_IsEnabledDeviceUsage()
		mov	ecx, [esp+48h+var_2C]
		test	eax, eax
		setnz	[esp+48h+var_3A]
		test	byte ptr [ecx+4], 1
		jz	short loc_76344E
		mov	esi, [ecx]
		test	esi, esi
		jz	short loc_763456
		mov	eax, esi
		xor	eax, ecx
		jmp	short loc_763452
; 

loc_76344E:				; CODE XREF: EtwpSetProviderTraitsCommon+F0j
		mov	eax, [ecx]
		mov	esi, eax

loc_763452:				; CODE XREF: EtwpSetProviderTraitsCommon+FCj
		test	eax, eax
		jnz	short loc_7634A6

loc_763456:				; CODE XREF: EtwpSetProviderTraitsCommon+F6j
		xor	esi, esi
		mov	byte ptr [esp+48h+var_30], 0
		mov	[esp+48h+var_39], 0

loc_763462:				; CODE XREF: EtwpSetProviderTraitsCommon+17Cj
					; EtwpSetProviderTraitsCommon+18Fj ...
		push	edi
		push	[esp+4Ch+var_30]
		push	esi
		mov	esi, [esp+54h+var_2C]
		push	esi
		call	RtlRbInsertNodeEx
		xor	eax, eax
		mov	[esp+48h+var_34], eax

loc_763478:				; CODE XREF: EtwpSetProviderTraitsCommon+1D8j
					; EtwpSetProviderTraitsCommon+1E4j
		mov	ecx, [esp+48h+var_38]
		mov	edx, edi
		add	ecx, 38h
		xor	eax, eax
		lock cmpxchg [ecx], edx
		test	eax, eax
		jz	loc_76354B
		cmp	[esp+48h+var_39], 0
		jz	loc_763539
		dec	dword ptr [ebx]
		mov	esi, 0C0000001h
		jmp	loc_76354D
; 

loc_7634A6:				; CODE XREF: EtwpSetProviderTraitsCommon+104j
		xor	al, al
		mov	byte ptr [esp+48h+var_30], 0
		mov	[esp+48h+var_39], al
		test	esi, esi
		jz	short loc_7634E7

loc_7634B5:				; CODE XREF: EtwpSetProviderTraitsCommon+188j
		push	esi
		push	edi
		call	_TraitsCompare@8 ; TraitsCompare(x,x)
		test	eax, eax
		jle	short loc_7634CE
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_7634D6
		mov	byte ptr [esp+48h+var_30], 1
		jmp	short loc_763462
; 

loc_7634CE:				; CODE XREF: EtwpSetProviderTraitsCommon+16Ej
		jns	short loc_7634E1
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_7634DA

loc_7634D6:				; CODE XREF: EtwpSetProviderTraitsCommon+175j
		mov	esi, eax
		jmp	short loc_7634B5
; 

loc_7634DA:				; CODE XREF: EtwpSetProviderTraitsCommon+184j
		mov	byte ptr [esp+48h+var_30], 0
		jmp	short loc_763462
; 

loc_7634E1:				; CODE XREF: EtwpSetProviderTraitsCommon:loc_7634CEj
		mov	al, 1
		mov	[esp+48h+var_39], al

loc_7634E7:				; CODE XREF: EtwpSetProviderTraitsCommon+163j
		test	al, al
		jz	loc_763462
		mov	edi, esi
		call	_Feature_1445264698__private_IsEnabledDeviceUsage@0 ; Feature_1445264698__private_IsEnabledDeviceUsage()
		neg	eax
		lea	ebx, [esi+0Ch]
		sbb	eax, eax
		neg	eax
		mov	eax, [ebx]
		jz	short loc_76352D
		lea	ecx, [esp+48h+var_24]
		mov	edx, 1
		push	ecx
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7635FB
		mov	eax, [esp+48h+var_24]
		mov	esi, [esp+48h+var_2C]
		mov	[ebx], eax
		jmp	loc_763478
; 

loc_76352D:				; CODE XREF: EtwpSetProviderTraitsCommon+1B1j
		mov	esi, [esp+48h+var_2C]
		inc	eax
		mov	[ebx], eax
		jmp	loc_763478
; 

loc_763539:				; CODE XREF: EtwpSetProviderTraitsCommon+144j
		push	edi
		push	esi
		call	RtlRbRemoveNode
		mov	[esp+48h+var_34], edi
		mov	esi, 0C0000001h
		jmp	short loc_76354D
; 

loc_76354B:				; CODE XREF: EtwpSetProviderTraitsCommon+139j
		xor	esi, esi

loc_76354D:				; CODE XREF: EtwpSetProviderTraitsCommon+151j
					; EtwpSetProviderTraitsCommon+1F9j
		call	_Feature_1445264698__private_IsEnabledDeviceUsage@0 ; Feature_1445264698__private_IsEnabledDeviceUsage()
		mov	ecx, [esp+48h+var_28]
		neg	eax
		sbb	al, al
		not	al
		and	[esp+48h+var_3A], al
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	esi, esi
		jnz	loc_7635FB
		cmp	word ptr [edi+10h], 16h
		lea	ecx, [edi+10h]
		jnz	short loc_763598
		cmp	dword ptr [ecx+2], 2001300h
		jnz	short loc_763598
		mov	ecx, [esp+48h+var_38]
		call	AddDecodeGuidToSessions
		mov	edi, [esp+48h+var_38]
		test	al, al
		jz	short loc_7635EC
		mov	ecx, 400h
		jmp	short loc_7635EE
; 

loc_763598:				; CODE XREF: EtwpSetProviderTraitsCommon+225j
					; EtwpSetProviderTraitsCommon+22Ej
		mov	edi, [esp+48h+var_38]
		cmp	dword ptr [edi+14h], 0
		jnz	short loc_7635EC
		call	EtwpGetProviderGroupFromTraits
		test	eax, eax
		jz	short loc_7635EC
		mov	ecx, [eax]
		lea	edx, [esp+48h+var_14]
		push	[esp+48h+var_20]
		mov	[esp+4Ch+var_14], ecx
		mov	ecx, [eax+4]
		push	[esp+4Ch+var_1C]
		mov	[esp+50h+var_10], ecx
		mov	ecx, [eax+8]
		push	[esp+50h+var_18]
		mov	[esp+54h+var_C], ecx
		mov	ecx, edi
		mov	eax, [eax+0Ch]
		mov	[esp+54h+var_8], eax
		call	EtwpAddRegEntryToGroup
		mov	esi, eax
		test	esi, esi
		jz	short loc_7635EC
		mov	ecx, edi
		call	_EtwpReleaseProviderTraitsReference@4 ;	EtwpReleaseProviderTraitsReference(x)
		jmp	short loc_7635FB
; 

loc_7635EC:				; CODE XREF: EtwpSetProviderTraitsCommon+23Fj
					; EtwpSetProviderTraitsCommon+250j ...
		xor	ecx, ecx

loc_7635EE:				; CODE XREF: EtwpSetProviderTraitsCommon+246j
		or	ecx, 200h
		lea	eax, [edi+32h]
		lock or	[eax], cx

loc_7635FB:				; CODE XREF: EtwpSetProviderTraitsCommon+1C8j
					; EtwpSetProviderTraitsCommon+217j ...
		mov	ebx, [esp+48h+var_34]

loc_7635FF:				; CODE XREF: EtwpSetProviderTraitsCommon+60j
					; EtwpSetProviderTraitsCommon+72j ...
		call	_Feature_1445264698__private_IsEnabledDeviceUsage@0 ; Feature_1445264698__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	short loc_763618
		cmp	[esp+48h+var_3A], 0
		jz	short loc_763618
		mov	ecx, [esp+48h+var_28]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_763618:				; CODE XREF: EtwpSetProviderTraitsCommon+2B6j
					; EtwpSetProviderTraitsCommon+2BDj
		test	ebx, ebx
		jz	short loc_763624
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_763624:				; CODE XREF: EtwpSetProviderTraitsCommon+2CAj
		mov	ecx, [esp+48h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
EtwpSetProviderTraitsCommon endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TraitsCompare(x, x)
_TraitsCompare@8 proc near		; CODE XREF: EtwpSetProviderTraitsCommon+167p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		add	edx, 10h
		add	esi, 10h
		movzx	ecx, word ptr [edx]
		movzx	eax, word ptr [esi]
		cmp	cx, ax
		jb	short loc_763669
		ja	short loc_76366E
		push	ecx		; size_t
		push	esi		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch

loc_763664:				; CODE XREF: TraitsCompare(x,x)+32j
					; TraitsCompare(x,x)+37j
		pop	esi
		pop	ebp
		retn	8
; 

loc_763669:				; CODE XREF: TraitsCompare(x,x)+1Bj
		or	eax, 0FFFFFFFFh
		jmp	short loc_763664
; 

loc_76366E:				; CODE XREF: TraitsCompare(x,x)+1Dj
		xor	eax, eax
		inc	eax
		jmp	short loc_763664
_TraitsCompare@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


EtwpGetProviderGroupFromTraits proc near ; CODE	XREF: EtwpSetProviderTraitsCommon+252p
		movzx	eax, word ptr [ecx]
		push	esi
		push	edi
		lea	esi, [ecx+2]
		lea	edi, [eax+ecx]
		add	eax, 0FFFFFFFDh
		push	eax
		push	esi
		call	_strnlen
		pop	ecx
		pop	ecx
		lea	ecx, [esi+1]

loc_76368E:				; CODE XREF: EtwpGetProviderGroupFromTraits+26j
					; EtwpGetProviderGroupFromTraits+2Cj
		add	ecx, eax
		cmp	ecx, edi
		jnb	short loc_7636A8
		movzx	eax, word ptr [ecx]
		cmp	eax, 13h
		jnz	short loc_76368E
		cmp	byte ptr [ecx+2], 1
		jnz	short loc_76368E
		lea	eax, [ecx+3]

loc_7636A5:				; CODE XREF: EtwpGetProviderGroupFromTraits+36j
		pop	edi
		pop	esi
		retn
; 

loc_7636A8:				; CODE XREF: EtwpGetProviderGroupFromTraits+1Ej
		xor	eax, eax
		jmp	short loc_7636A5
EtwpGetProviderGroupFromTraits endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopHandleExecutionRequiredPowerRequestUpdate(x)
_PopHandleExecutionRequiredPowerRequestUpdate@4	proc near
					; CODE XREF: PopHandleConvergedPowerRequestUpdate(x,x)+30p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		push	eax
		push	offset _PopPowerRequestTable
		mov	[ebp+var_4], ecx
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		test	eax, eax
		jz	short locret_7636F0
		mov	ecx, [eax]
		call	_PopPowerRequestIsExecutionRequiredCapable@4 ; PopPowerRequestIsExecutionRequiredCapable(x)
		test	al, al
		jz	short locret_7636F0
		call	_PopPowerRequestIsExecutionRequiredStatusHeld@4	; PopPowerRequestIsExecutionRequiredStatusHeld(x)
		test	al, al
		jz	short loc_7636F2
		cmp	_PopExecutionRequiredContext, 0
		jz	short locret_7636F0
		mov	dl, 1

loc_7636EB:				; CODE XREF: PopHandleExecutionRequiredPowerRequestUpdate(x)+48j
		call	_PopUpdatePowerRequestProcessWakeCounter@8 ; PopUpdatePowerRequestProcessWakeCounter(x,x)

locret_7636F0:				; CODE XREF: PopHandleExecutionRequiredPowerRequestUpdate(x)+1Ej
					; PopHandleExecutionRequiredPowerRequestUpdate(x)+29j ...
		leave
		retn
; 

loc_7636F2:				; CODE XREF: PopHandleExecutionRequiredPowerRequestUpdate(x)+32j
		xor	dl, dl
		jmp	short loc_7636EB
_PopHandleExecutionRequiredPowerRequestUpdate@4	endp


;  S U B	R O U T	I N E 


; __stdcall PopHandleConvergedPowerRequestUpdate(x, x)
_PopHandleConvergedPowerRequestUpdate@8	proc near
					; CODE XREF: PopSystemRequiredCallback(x,x,x)+Bp
					; PopExecutionRequiredCallback(x,x,x)+Bp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, edx
		mov	esi, ecx
		nop
		mov	ebx, offset _PopPowerRequestLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	dword_6C3884, eax
		call	_PopHandleExecutionRequiredPowerRequestUpdate@4	; PopHandleExecutionRequiredPowerRequestUpdate(x)
		cmp	dword_6C3884, 0
		jz	short loc_76373B
		and	dword_6C3884, 0

loc_76373B:				; CODE XREF: PopHandleConvergedPowerRequestUpdate(x,x)+3Cj
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	PopHandleSystemRequiredPowerRequestsUpdate
_PopHandleConvergedPowerRequestUpdate@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopCheckResiliencyScenarios proc near	; CODE XREF: PopHandleSystemRequiredPowerRequestsUpdate+83p
					; PopCoalescingSetActiveState(x)+57p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 008D5814 SIZE 000000A3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	ds:_PopCurrentCoalescingSpindownTimeout, 0
		push	ebx
		setnz	[ebp+var_2]
		cmp	ds:_PopDeepSleepEnforced, 0
		push	esi
		jnz	short loc_7637ED
		cmp	ds:_PopCoalescingEnforced, 0
		jnz	short loc_7637ED
		xor	ebx, ebx
		inc	ebx
		cmp	byte_6C2E34, 0
		jnz	loc_8D5814
		cmp	dword_6C22C4, 0
		setnz	al
		cmp	_PopConsoleDisplayState, 0
		setnz	ah
		cmp	byte_6C26C1, 3
		setz	dl
		xor	cl, cl
		mov	[ebp+var_1], cl
		test	al, al
		jz	short loc_7637F1

loc_7637B1:				; CODE XREF: PopCheckResiliencyScenarios+9Fj
					; PopCheckResiliencyScenarios+A3j
		xor	dl, dl

loc_7637B3:				; CODE XREF: PopCheckResiliencyScenarios+A7j
					; PopCheckResiliencyScenarios+1720D6j ...
		call	_PopDeepSleepEnabled@0 ; PopDeepSleepEnabled()
		cmp	ds:_PopDppeCoalescingSpindownTimeout, 0
		setnz	ch
		test	dl, dl
		jnz	short loc_7637FD

loc_7637C6:				; CODE XREF: PopCheckResiliencyScenarios+ADj
		xor	bl, bl

loc_7637C8:				; CODE XREF: PopCheckResiliencyScenarios+ABj
		test	cl, cl
		jnz	loc_8D584F

loc_7637D0:				; CODE XREF: PopCheckResiliencyScenarios+1720FDj
		xor	ecx, ecx
		call	PopDeepSleepSetDisengageReason
		cmp	byte_6C2E34, 0
		jnz	loc_8D5863

loc_7637E4:				; CODE XREF: PopCheckResiliencyScenarios+17210Aj
					; PopCheckResiliencyScenarios+172116j ...
		cmp	bl, [ebp+var_2]
		jnz	loc_8D589D

loc_7637ED:				; CODE XREF: PopCheckResiliencyScenarios+1Bj
					; PopCheckResiliencyScenarios+24j ...
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7637F1:				; CODE XREF: PopCheckResiliencyScenarios+5Bj
		test	ah, ah
		jnz	short loc_7637B1
		test	dl, dl
		jnz	short loc_7637B1
		mov	dl, bl
		jmp	short loc_7637B3
; 

loc_7637FD:				; CODE XREF: PopCheckResiliencyScenarios+70j
		test	ch, ch
		jnz	short loc_7637C8
		jmp	short loc_7637C6
PopCheckResiliencyScenarios endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpNotifyTargetDeviceChange proc near	; CODE XREF: PnpProcessCustomDeviceEvent(x)+23p
					; PnpCancelRemoveOnHungDevices(x,x,x,x,x)+15Fp	...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D58B7 SIZE 00000134 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_28], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_40], eax
		lea	edi, [ebp+var_1C]
		mov	eax, [ebp+arg_4]
		mov	ebx, ecx
		mov	[ebp+var_38], eax
		mov	esi, edx
		push	6
		xor	eax, eax
		mov	[ebp+var_30], esi
		pop	ecx
		rep stosd
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_34], ebx
		mov	edx, 4E706E50h
		mov	[ebp+var_3C], eax
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	eax, [esi+0B0h]
		mov	ecx, [ebp+var_40]
		mov	esi, [eax+14h]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_24], esi
		test	ecx, ecx
		jz	loc_8D58B7
		mov	[ecx], ax

loc_76386C:				; CODE XREF: PnpNotifyTargetDeviceChange+1720CAj
		mov	ecx, offset _PnpTargetDeviceNotifyLock
		call	@KeAcquireGuardedMutex@4 ; KeAcquireGuardedMutex(x)
		mov	eax, offset _GUID_TARGET_DEVICE_REMOVE_CANCELLED
		cmp	ebx, eax
		jz	loc_8D58D3
		push	10h		; Length
		push	eax		; Source2
		push	ebx		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jz	loc_8D58D3
		mov	ebx, [esi+140h]
		mov	[ebp+var_1D], 0

loc_76389F:				; CODE XREF: PnpNotifyTargetDeviceChange+1720D9j
		add	esi, 140h
		mov	[ebp+var_2C], esi
		cmp	ebx, esi
		jnz	short loc_7638D8

loc_7638AC:				; CODE XREF: PnpNotifyTargetDeviceChange+181j
		xor	esi, esi

loc_7638AE:				; CODE XREF: PnpNotifyTargetDeviceChange+1721E2j
		mov	ecx, offset _PnpTargetDeviceNotifyLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [ebp+var_30]
		mov	edx, 4E706E50h
		call	ObfDereferenceObjectWithTag
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_7638D8:				; CODE XREF: PnpNotifyTargetDeviceChange+A6j
		mov	edi, [ebp+var_34]

loc_7638DB:				; CODE XREF: PnpNotifyTargetDeviceChange+17Bj
		mov	[ebp+var_34], ebx
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		push	eax
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		cmp	[ebx+0Ch], eax
		jnz	loc_8D58E2

loc_7638F2:				; CODE XREF: PnpNotifyTargetDeviceChange+1720E9j
		inc	word ptr [ebx+20h]
		mov	ecx, offset _PnpTargetDeviceNotifyLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [ebx+28h]
		call	ExAcquireResourceExclusiveLite
		mov	eax, [ebp+var_3C]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_8D58F2

loc_76391B:				; CODE XREF: PnpNotifyTargetDeviceChange+1720F1j
		cmp	byte ptr [ebx+22h], 0
		jnz	loc_8D58FB
		mov	ecx, [ebp+var_40]
		mov	eax, [ebx+2Ch]
		test	ecx, ecx
		jz	short loc_76398A
		mov	[ecx+14h], eax
		mov	edx, ecx

loc_763934:				; CODE XREF: PnpNotifyTargetDeviceChange+18Cj
		lea	eax, [ebp+var_28]
		mov	ecx, ebx
		push	eax
		call	PnpNotifyDriverCallback
		mov	ecx, [ebx+28h]
		mov	esi, eax
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	esi, esi
		js	short loc_763992
		mov	eax, [ebp+var_28]

loc_763955:				; CODE XREF: PnpNotifyTargetDeviceChange+193j
		mov	[ebp+var_24], eax
		test	eax, eax
		js	loc_8D590D

loc_763960:				; CODE XREF: PnpNotifyTargetDeviceChange+17211Ej
		mov	esi, [ebp+var_2C]

loc_763963:				; CODE XREF: PnpNotifyTargetDeviceChange+172104j
		mov	ecx, offset _PnpTargetDeviceNotifyLock
		call	@KeAcquireGuardedMutex@4 ; KeAcquireGuardedMutex(x)
		cmp	[ebp+var_1D], 0
		jnz	short loc_763999
		mov	ebx, [ebx]

loc_763975:				; CODE XREF: PnpNotifyTargetDeviceChange+198j
		mov	ecx, [ebp+var_34]
		call	_PnpDereferenceNotify@4	; PnpDereferenceNotify(x)
		cmp	ebx, esi
		jnz	loc_7638DB
		jmp	loc_7638AC
; 

loc_76398A:				; CODE XREF: PnpNotifyTargetDeviceChange+129j
		mov	[ebp+var_8], eax
		lea	edx, [ebp+var_1C]
		jmp	short loc_763934
; 

loc_763992:				; CODE XREF: PnpNotifyTargetDeviceChange+14Cj
		xor	eax, eax
		mov	[ebp+var_28], eax
		jmp	short loc_763955
; 

loc_763999:				; CODE XREF: PnpNotifyTargetDeviceChange+16Dj
		mov	ebx, [ebx+4]
		jmp	short loc_763975
PnpNotifyTargetDeviceChange endp


;  S U B	R O U T	I N E 


; __stdcall PiUEventIsDeviceEventVetoable(x)
_PiUEventIsDeviceEventVetoable@4 proc near ; CODE XREF:	PAGE:00763B64p
		mov	edi, edi
		push	esi
		push	10h		; size_t
		lea	esi, [ecx+48h]
		push	(offset	loc_4055E5+3) ;	void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7639D0
		push	10h		; size_t
		push	offset _GUID_DEVICE_KERNEL_INITIATED_EJECT ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7639D0
		xor	al, al
		pop	esi
		retn
; 

loc_7639D0:				; CODE XREF: PiUEventIsDeviceEventVetoable(x)+18j
					; PiUEventIsDeviceEventVetoable(x)+2Cj
		mov	al, 1
		pop	esi
		retn
_PiUEventIsDeviceEventVetoable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUEventCacheObjectProperties proc near	; CODE XREF: PAGE:00763C1Dp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D59EB SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		lea	eax, [ecx+20h]
		xor	edx, edx
		or	dword ptr [eax], 0FFFFFFFFh
		mov	[ebp+var_14], eax
		lea	eax, [ecx+18h]
		push	ebx
		push	esi
		mov	[ebp+var_10], eax
		mov	[eax], edx
		mov	eax, [ecx+3Ch]
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], edx
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], edi
		sub	eax, 1
		jz	short loc_763A17
		sub	eax, 1
		jz	loc_763ACE
		sub	eax, 1
		jnz	loc_763AA6

loc_763A17:				; CODE XREF: PiUEventCacheObjectProperties+2Fj
					; PiUEventCacheObjectProperties+D5j ...
		lea	ebx, [ecx+50h]

loc_763A1A:				; CODE XREF: PiUEventCacheObjectProperties+130j
		push	edx
		lea	eax, [ebp+var_C]
		mov	ecx, 59706E50h
		push	eax
		push	[ebp+var_10]
		lea	eax, [ebp+var_4]
		push	eax
		push	offset _DEVPKEY_Device_RestrictedSD
		push	edx
		push	edx
		push	1
		push	ebx
		mov	edx, 200h
		call	PnpGetObjectProperty
		mov	esi, eax
		test	esi, esi
		jns	loc_763B19
		cmp	esi, 0C0000034h
		jnz	short loc_763A9C

loc_763A51:				; CODE XREF: PiUEventCacheObjectProperties+CEj
					; PiUEventCacheObjectProperties+149j ...
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_C]
		xor	esi, esi
		mov	edx, ebx
		push	esi
		push	eax
		push	4
		push	[ebp+var_14]
		lea	eax, [ebp+var_4]
		push	eax
		push	offset _DEVPKEY_Device_SessionId
		push	esi
		push	esi
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_763A87
		cmp	esi, 0C0000034h
		jnz	short loc_763A92

loc_763A85:				; CODE XREF: PiUEventCacheObjectProperties+C4j
		xor	esi, esi

loc_763A87:				; CODE XREF: PiUEventCacheObjectProperties+A7j
					; PiUEventCacheObjectProperties+C6j ...
		test	edi, edi
		jnz	short loc_763B09

loc_763A8B:				; CODE XREF: PiUEventCacheObjectProperties+F8j
					; PiUEventCacheObjectProperties+140j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_763A92:				; CODE XREF: PiUEventCacheObjectProperties+AFj
		cmp	esi, 0C0000225h
		jz	short loc_763A85
		jmp	short loc_763A87
; 

loc_763A9C:				; CODE XREF: PiUEventCacheObjectProperties+7Bj
		cmp	esi, 0C0000225h
		jz	short loc_763A51
		jmp	short loc_763A87
; 

loc_763AA6:				; CODE XREF: PiUEventCacheObjectProperties+3Dj
		sub	eax, 1
		jz	loc_763A17
		sub	eax, 5
		jz	loc_763A17
		sub	eax, 1
		jz	loc_763A17
		sub	eax, 1
		jz	loc_763A17
		mov	esi, edx
		jmp	short loc_763A8B
; 

loc_763ACE:				; CODE XREF: PiUEventCacheObjectProperties+34j
		push	edx
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	offset _DEVPKEY_Device_InstanceId
		push	edx
		push	edx
		lea	eax, [ecx+60h]
		mov	edx, 0C8h
		push	3
		push	eax
		mov	ecx, 59706E50h
		call	PnpGetObjectProperty
		mov	edi, [ebp+var_8]
		mov	esi, eax
		test	esi, esi
		js	short loc_763A87
		mov	ebx, edi
		xor	edx, edx
		jmp	loc_763A1A
; 

loc_763B09:				; CODE XREF: PiUEventCacheObjectProperties+B5j
		push	59706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_763A8B
; 

loc_763B19:				; CODE XREF: PiUEventCacheObjectProperties+6Fj
		cmp	[ebp+var_4], 13h
		jz	loc_763A51
		jmp	loc_8D59EB
PiUEventCacheObjectProperties endp

; 

PiUEventNotifyUserMode:			; CODE XREF: PAGE:00763F76p
					; PAGE:00763FA2p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	byte ptr [ebp-1], 0
		mov	ebx, ecx
		mov	byte ptr [ebp-2], 0
		cmp	dword_6CC5E4, edi
		jnz	loc_8D5A02
		cmp	dword ptr [ebx+58h], 4
		jz	loc_763C9F

loc_763B55:				; CODE XREF: PAGE:00763CACj
					; PAGE:00763CB6j ...
		mov	ecx, ebx
		call	_PiUEventShouldQueueEvent@4 ; PiUEventShouldQueueEvent(x)
		test	al, al
		jz	loc_763C98
		call	_PiUEventIsDeviceEventVetoable@4 ; PiUEventIsDeviceEventVetoable(x)
		mov	[ebp-2], al
		mov	eax, [ebx+64h]
		add	eax, 2Ch
		push	59706E50h
		push	eax
		push	1
		mov	[ebp-8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8D5AC4
		push	dword ptr [ebp-8]
		push	0
		push	esi
		call	_memset
		add	esp, 0Ch
		push	59706E50h
		push	20h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+8], eax
		test	eax, eax
		jz	loc_8D5ABD
		mov	ecx, eax
		call	@KeInitializeGuardedMutex@4 ; KeInitializeGuardedMutex(x)
		mov	al, [ebp-2]
		mov	dword ptr [esi+1Ch], 1
		mov	[esi+29h], al
		test	al, al
		jnz	loc_8D5A19
		mov	ecx, [ebx+1Ch]
		test	ecx, ecx
		jnz	loc_8D5A2E

loc_763BDD:				; CODE XREF: PAGE:008D5A30j
		mov	ecx, [ebx+20h]
		test	ecx, ecx
		jnz	loc_8D5A35

loc_763BE8:				; CODE XREF: PAGE:008D5A46j
		cmp	[ebx+10h], edi
		jnz	loc_8D5A4B
		test	al, al
		jnz	loc_8D5A4B

loc_763BF9:				; CODE XREF: PAGE:008D5A78j
		mov	al, [ebp-1]
		mov	[esi+28h], al
		mov	eax, [ebx+64h]
		add	eax, 8
		mov	[esi+24h], eax
		lea	eax, [ebx+48h]
		push	dword ptr [ebx+64h]
		push	eax
		lea	eax, [esi+2Ch]
		push	eax
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, esi
		call	PiUEventCacheObjectProperties
		mov	ecx, offset _PiUEventUsermodeEventQueueLock
		call	ExAcquireFastMutex
		mov	eax, dword_6CC7DC
		mov	ecx, offset _PiUEventUsermodeEventQueue
		cmp	_PiUEventUsermodeEventQueue, ecx
		setz	byte ptr [ebp-3]
		cmp	[eax], ecx
		jnz	short loc_763CC1
		mov	[esi], ecx
		mov	ecx, offset _PiUEventUsermodeEventQueueLock
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6CC7DC, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	byte ptr [ebp-3], 0
		jz	short loc_763C8E
		push	59706E50h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_8D5A7D
		and	[eax], edi
		push	3
		push	eax
		mov	dword ptr [eax+8], offset _PiUEventProcessEventWorker@4	; PiUEventProcessEventWorker(x)
		mov	[eax+0Ch], eax
		call	ExQueueWorkItem

loc_763C8E:				; CODE XREF: PAGE:00763C5Fj
		cmp	byte ptr [ebp-1], 0
		jnz	loc_8D5ACE

loc_763C98:				; CODE XREF: PAGE:00763B5Ej
					; PAGE:008D5A07j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_763C9F:				; CODE XREF: PAGE:00763B4Fj
		lea	edx, [ebp-2]
		lea	ecx, [ebx+6Ch]
		call	PiUEventDeviceNeedsInstall
		test	eax, eax
		js	loc_763B55
		cmp	byte ptr [ebp-2], 0
		jz	loc_763B55
		jmp	loc_8D5A0C
; 

loc_763CC1:				; CODE XREF: PAGE:00763C42j
					; PAGE:008D5A8Ej ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		dd 0CCCCCCCCh
; Exported entry 2348. RtlStringFromGUID

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringFromGUID(x, x)
		public _RtlStringFromGUID@8
_RtlStringFromGUID@8 proc near		; CODE XREF: CmpInitCmRM+1E0p
					; CmpStartRMLog+B8p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		pop	ebp
		retn	8
_RtlStringFromGUID@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpCompleteDeviceEvent proc near	; CODE XREF: PAGE:00763EC5p
					; PnpProcessCompletedEject(x)+DCp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D5B79 SIZE 0000009A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_10], 0FFF0BDC0h
		mov	[ebp+var_C], edi
		lea	ebx, [esi+28h]

loc_763D02:				; CODE XREF: PnpCompleteDeviceEvent+171EA4j
		xor	eax, eax
		inc	eax
		xchg	eax, [ebx]
		test	eax, eax
		jnz	loc_8D5B79
		mov	eax, [esi+30h]
		test	eax, eax
		jnz	loc_8D5B9B

loc_763D1A:				; CODE XREF: PnpCompleteDeviceEvent+171EC5j
		cmp	byte ptr [esi+2Ch], 0
		jnz	loc_8D5BB6
		mov	eax, [esi+30h]
		test	eax, eax
		jnz	loc_8D5BAC

loc_763D2F:				; CODE XREF: PnpCompleteDeviceEvent+171ECEj
		cmp	dword ptr [esi+10h], 0
		mov	eax, [esi+5Ch]
		jnz	loc_8D5BCE
		test	eax, eax
		jnz	loc_8D5BE4

loc_763D44:				; CODE XREF: PnpCompleteDeviceEvent+171EFDj
					; PnpCompleteDeviceEvent+171F06j ...
		mov	eax, [esi+14h]
		test	eax, eax
		jnz	short loc_763D82

loc_763D4B:				; CODE XREF: PnpCompleteDeviceEvent+A5j
					; PnpCompleteDeviceEvent+171ED9j ...
		mov	ecx, [esi+68h]
		test	ecx, ecx
		jnz	short loc_763D76

loc_763D52:				; CODE XREF: PnpCompleteDeviceEvent+9Ej
		mov	ecx, [esi+30h]
		mov	ebx, 4B706E50h
		test	ecx, ecx
		jnz	loc_8D5BF8

loc_763D62:				; CODE XREF: PnpCompleteDeviceEvent+171F1Dj
					; PnpCompleteDeviceEvent+171F2Cj
		lock xadd [esi+24h], edi
		dec	edi
		jnz	short loc_763D71
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_763D71:				; CODE XREF: PnpCompleteDeviceEvent+86j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_763D76:				; CODE XREF: PnpCompleteDeviceEvent+6Ej
		mov	edx, 56706E50h
		call	ObfDereferenceObjectWithTag
		jmp	short loc_763D52
; 

loc_763D82:				; CODE XREF: PnpCompleteDeviceEvent+67j
		push	dword ptr [esi+18h]
		call	eax
		jmp	short loc_763D4B
PnpCompleteDeviceEvent endp

; 
		align 4

PnpDeviceEventWorker:			; DATA XREF: PnpInsertEventInQueue+DCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+28h], eax
		mov	eax, [ebp+8]
		push	ebx
		push	esi
		push	edi
		mov	[esp+18h], eax
		lea	edi, [esp+24h]
		xor	eax, eax
		xor	ebx, ebx
		stosd
		push	ebx
		push	ebx
		mov	[esp+24h], ebx
		stosd
		mov	[esp+28h], ebx
		mov	[esp+1Ch], ebx
		push	ebx
		stosd
		push	ebx
		stosd
		mov	eax, large fs:124h
		mov	_PnpDeviceEventThread, eax
		mov	eax, ds:_PnpDeviceEventList
		add	eax, 4
		push	eax
		call	KeWaitForSingleObject
		test	eax, eax
		js	loc_8D5C13

loc_763DE9:				; CODE XREF: PAGE:00763ED7j
					; PAGE:00763EE3j
		mov	ecx, ds:_PnpDeviceEventList
		mov	[esp+13h], bl
		lea	ecx, [ecx+24h]
		call	ExAcquireFastMutex
		mov	edx, ds:_PnpDeviceEventList
		lea	eax, [edx+44h]
		mov	ebx, [eax]
		cmp	ebx, eax
		jz	loc_763EE8
		cmp	[ebx+4], eax
		jnz	loc_763FD8
		mov	ecx, [ebx]
		cmp	[ecx+4], ebx
		jnz	loc_763FD8
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	ecx, [edx+24h]
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		push	10h
		lea	esi, [ebx+34h]
		mov	[esp+18h], ebx
		push	esi
		push	offset _GUID_NULL
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_763FAE

loc_763E53:				; CODE XREF: PAGE:00763FC5j
		mov	eax, [ebx+68h]
		xor	esi, esi
		test	eax, eax
		jnz	loc_763F5E

loc_763E60:				; CODE XREF: PAGE:00763F69j
					; PAGE:008D5C48j
		cmp	dword_6CC5E4, 0
		jnz	loc_8D5C4D

loc_763E6D:				; CODE XREF: PAGE:008D5C5Cj
					; PAGE:008D5C67j
		test	esi, esi
		js	short loc_763EA0 ; case	0x6
		xor	ecx, ecx
		mov	edx, ebx
		inc	ecx
		call	_PnpEnableWatchdog@8 ; PnpEnableWatchdog(x,x)
		mov	[ebx+44h], eax
		mov	eax, [ebx+58h]
		cmp	eax, 0Bh	; switch 12 cases
		ja	loc_8D5C90	; default
		jmp	ds:off_763FE0[eax*4] ; switch jump

loc_763E91:				; DATA XREF: PAGE:off_763FE0o
		lea	ecx, [esp+14h]	; case 0x3
		call	_PnpProcessCustomDeviceEvent@4 ; PnpProcessCustomDeviceEvent(x)

loc_763E9A:				; CODE XREF: PAGE:00763FD3j
		mov	ebx, [esp+14h]
		mov	esi, eax

loc_763EA0:				; CODE XREF: PAGE:00763E6Fj
					; PAGE:00763E8Aj ...
		cmp	esi, 103h	; case 0x6
		jz	short loc_763ECA

loc_763EA8:				; CODE XREF: PAGE:00763FA9j
		mov	edi, [ebx+44h]
		test	edi, edi
		jz	short loc_763EC1
		mov	ecx, edi
		call	PnpCancelWatchdog
		mov	ecx, edi
		call	_PnpFreeWatchdog@4 ; PnpFreeWatchdog(x)
		and	dword ptr [ebx+44h], 0

loc_763EC1:				; CODE XREF: PAGE:00763EADj
		mov	edx, esi
		mov	ecx, ebx
		call	PnpCompleteDeviceEvent

loc_763ECA:				; CODE XREF: PAGE:00763EA6j
		call	_PnpProcessDeferredRegistrations@0 ; PnpProcessDeferredRegistrations()
		cmp	byte ptr [esp+13h], 0
		push	0
		pop	ebx
		jz	loc_763DE9
		push	ebx
		call	_IoSetActivityIdThread@4 ; IoSetActivityIdThread(x)
		jmp	loc_763DE9
; 

loc_763EE8:				; CODE XREF: PAGE:00763E08j
		mov	esi, offset _PnpNotificationInProgressLock
		mov	ecx, esi
		call	ExAcquireFastMutex
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	offset _PnpEventQueueEmpty
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ds:_PnpNotificationInProgress, bl
		call	_PnpProcessDeferredRegistrations@0 ; PnpProcessDeferredRegistrations()
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, ds:_PnpDeviceEventList
		lea	ecx, [ecx+24h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, [esp+18h]
		test	eax, eax
		jz	short loc_763F35
		push	4C706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_763F35:				; CODE XREF: PAGE:00763F28j
		mov	eax, ds:_PnpDeviceEventList
		push	ebx
		add	eax, 4
		mov	_PnpDeviceEventThread, ebx
		push	eax
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_763F4A:				; CODE XREF: PAGE:008D5C3Ej
		mov	ecx, [esp+34h]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_763F5E:				; CODE XREF: PAGE:00763E5Aj
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jnz	loc_763E60
		jmp	loc_8D5C43
; 

loc_763F74:				; CODE XREF: PAGE:00763E8Aj
					; DATA XREF: PAGE:off_763FE0o
		mov	ecx, ebx	; case 0x9
		call	PiUEventNotifyUserMode
		mov	esi, eax
		jmp	loc_763EA0	; case 0x6
; 

loc_763F82:				; CODE XREF: PAGE:00763E8Aj
					; DATA XREF: PAGE:off_763FE0o
		lea	eax, [ebx+7Ch]	; case 0x2
		push	eax
		lea	eax, [esp+20h]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+1Ch]
		push	eax
		lea	edx, [ebx+6Ch]
		lea	ecx, [ebx+48h]
		call	PnpNotifyDeviceClassChange

loc_763FA0:				; CODE XREF: PAGE:00763E8Aj
					; DATA XREF: PAGE:off_763FE0o
		mov	ecx, ebx	; case 0x4
		call	PiUEventNotifyUserMode
		xor	esi, esi
		jmp	loc_763EA8
; 

loc_763FAE:				; CODE XREF: PAGE:00763E4Dj
		lea	edi, [esp+24h]
		movsd
		lea	eax, [esp+24h]
		push	eax
		movsd
		movsd
		movsd
		call	_IoSetActivityIdThread@4 ; IoSetActivityIdThread(x)
		mov	byte ptr [esp+13h], 1
		jmp	loc_763E53
; 

loc_763FCA:				; CODE XREF: PAGE:00763E8Aj
					; DATA XREF: PAGE:off_763FE0o
		lea	ecx, [esp+14h]	; case 0x1
		call	PnpProcessTargetDeviceEvent
		jmp	loc_763E9A
; 

loc_763FD8:				; CODE XREF: PAGE:00763E11j
					; PAGE:00763E1Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		lea	ecx, [ecx+0]
; 
off_763FE0	dd offset loc_8D5C6C	; DATA XREF: PAGE:00763E8Ar
		dd offset loc_763FCA	; jump table for switch	statement
		dd offset loc_763F82
		dd offset loc_763E91
		dd offset loc_763FA0
		dd offset loc_8D5C90
		dd offset loc_763EA0
		dd offset loc_763EA0
		dd offset loc_763EA0
		dd offset loc_763F74
		dd offset loc_763F74
		dd offset loc_763F74

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpProcessDeferredRegistrations()
_PnpProcessDeferredRegistrations@0 proc	near ; CODE XREF: PAGE:loc_763ECAp
					; PAGE:00763F08p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_28], 0
		xor	eax, eax
		and	[ebp+var_2C], 0
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [ebp+var_1C]
		rep stosd
		lea	eax, [ebp+var_24]
		mov	ecx, offset _PnpDeferredRegistrationLock
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		call	ExAcquireFastMutex

loc_76404A:				; CODE XREF: PnpProcessDeferredRegistrations()+E5j
		mov	esi, ds:_PnpDeferredRegistrationList
		mov	ecx, offset _PnpDeferredRegistrationList
		cmp	esi, ecx
		jz	loc_7640FA
		cmp	[esi+4], ecx
		jnz	loc_764166
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_764166
		mov	ds:_PnpDeferredRegistrationList, eax
		mov	[eax+4], ecx
		mov	edi, [esi+8]
		mov	eax, edi
		mov	ebx, [edi+24h]
		test	ebx, ebx
		jz	short loc_76408F
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	eax, [esi+8]

loc_76408F:				; CODE XREF: PnpProcessDeferredRegistrations()+73j
		push	37706E50h
		push	esi
		mov	byte ptr [eax+22h], 0
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	dword ptr [edi+8], 3
		jnz	short loc_7640E3
		mov	eax, [edi+30h]
		test	eax, eax
		jz	short loc_7640E3
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_7640E3
		test	dword ptr [eax+1C8h], 4000h
		jz	short loc_7640E3
		mov	ecx, [ebp+var_20]
		lea	edx, [ebp+var_24]
		lea	eax, [edi+34h]
		cmp	[ecx], edx
		jnz	loc_764166
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ebp+var_20], eax
		inc	word ptr [edi+20h]

loc_7640E3:				; CODE XREF: PnpProcessDeferredRegistrations()+92j
					; PnpProcessDeferredRegistrations()+99j ...
		test	ebx, ebx
		jz	short loc_7640EE
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_7640EE:				; CODE XREF: PnpProcessDeferredRegistrations()+D5j
		mov	ecx, edi
		call	_PnpDereferenceNotify@4	; PnpDereferenceNotify(x)
		jmp	loc_76404A
; 

loc_7640FA:				; CODE XREF: PnpProcessDeferredRegistrations()+47j
		mov	ecx, offset _PnpDeferredRegistrationLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_764104:				; CODE XREF: PnpProcessDeferredRegistrations()+154j
		mov	ebx, [ebp+var_24]
		lea	eax, [ebp+var_24]
		cmp	ebx, eax
		jz	short loc_76416B
		cmp	[ebx+4], eax
		jnz	short loc_764166
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	short loc_764166
		mov	[ebp+var_24], eax
		lea	ecx, [ebp+var_24]
		mov	[eax+4], ecx
		lea	edi, [ebp+var_18]
		xor	eax, eax
		lea	edx, [ebp+var_1C]
		inc	eax
		lea	ecx, [ebx-34h]
		mov	word ptr [ebp+var_1C], ax
		mov	esi, offset _GUID_TARGET_DEVICE_REMOVE_COMPLETE
		push	18h
		pop	eax
		mov	word ptr [ebp+var_1C+2], ax
		lea	eax, [ebp+var_28]
		movsd
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		movsd
		movsd
		movsd
		call	_PnpNotifyTargetDeviceChangeNotifyEntry@16 ; PnpNotifyTargetDeviceChangeNotifyEntry(x,x,x,x)
		mov	ecx, [ebx-4]
		call	ObfDereferenceObject
		and	dword ptr [ebx-4], 0
		lea	ecx, [ebx-34h]
		call	_PnpDereferenceNotify@4	; PnpDereferenceNotify(x)
		jmp	short loc_764104
; 

loc_764166:				; CODE XREF: PnpProcessDeferredRegistrations()+50j
					; PnpProcessDeferredRegistrations()+5Bj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_76416B:				; CODE XREF: PnpProcessDeferredRegistrations()+FCj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PnpProcessDeferredRegistrations@0 endp


;  S U B	R O U T	I N E 


; __stdcall PnpEnableWatchdog(x, x)
_PnpEnableWatchdog@8 proc near		; CODE XREF: PAGE:00763E76p
					; PnpCallDriverEntry(x,x)+25p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		call	PnpAllocateWatchdog
		mov	esi, eax
		test	esi, esi
		jz	short loc_7641A9
		mov	[esi+10h], edi
		mov	[esi+0Ch], ebx
		call	KeQueryInterruptTime
		mov	ecx, [esi+8]
		mov	[esi], eax
		mov	[esi+4], edx
		mov	edx, [ecx+10h]
		call	_WdtpArmTimer@8	; WdtpArmTimer(x,x)

loc_7641A9:				; CODE XREF: PnpEnableWatchdog(x,x)+12j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_PnpEnableWatchdog@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


PnpCancelWatchdog proc near		; CODE XREF: PAGE:00763EB1p
					; PnpCallDriverEntry(x,x)+39p ...

; FUNCTION CHUNK AT 008D5CAC SIZE 0000000C BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	ebx, ebx
		push	ebx
		push	1
		push	1
		mov	edi, [esi+8]
		push	dword ptr [edi+20h]
		call	ExDeleteTimer
		mov	[edi+20h], ebx
		mov	eax, [edi+34h]
		test	eax, eax
		jg	sub_8D5C9A

loc_7641D7:				; CODE XREF: sub_8D5C9A+Dj
		push	54645750h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [esi+0Ch]
		xor	ecx, ecx
		mov	[esi+8], ebx
		call	_PnpRecordBlackbox@8 ; PnpRecordBlackbox(x,x)
		cmp	[esi+14h], bl
		jnz	loc_8D5CAC
		pop	edi
		pop	esi
		pop	ebx
		retn
PnpCancelWatchdog endp


;  S U B	R O U T	I N E 


; __stdcall PnpRecordBlackbox(x, x)
_PnpRecordBlackbox@8 proc near		; CODE XREF: PnpCancelWatchdog+3Ap
					; PnpWatchdogWorkItem(x)+Fp
		mov	edi, edi
		push	ecx
		cmp	edx, 1
		jnz	short loc_76420B
		call	PnpRecordBlackboxPnpEventWorkerInformation

loc_764209:				; CODE XREF: PnpRecordBlackbox(x,x)+27j
		pop	ecx
		retn
; 

loc_76420B:				; CODE XREF: PnpRecordBlackbox(x,x)+6j
		cmp	edx, 2
		jnz	short loc_764217
		call	PnpRecordBlackboxDeviceCompletionQueueInformation
		pop	ecx
		retn
; 

loc_764217:				; CODE XREF: PnpRecordBlackbox(x,x)+12j
		cmp	edx, 3
		jz	short loc_764227
		push	5
		pop	ecx
		jle	short loc_764225
		cmp	edx, ecx
		jle	short loc_764209

loc_764225:				; CODE XREF: PnpRecordBlackbox(x,x)+23j
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_764227:				; CODE XREF: PnpRecordBlackbox(x,x)+1Ej
		call	_PnpRecordBlackboxDelayedRemoveWorkerInformation@4 ; PnpRecordBlackboxDelayedRemoveWorkerInformation(x)
		pop	ecx
		retn
_PnpRecordBlackbox@8 endp


;  S U B	R O U T	I N E 


PnpWatchdogTimerAllocate proc near	; CODE XREF: PnpAllocateWatchdog+56p

; FUNCTION CHUNK AT 008D5CB8 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_764288
		mov	eax, [ebx+0Ch]
		test	eax, eax
		jz	short loc_764288
		cmp	[ebx+4], esi
		jnz	short loc_76424B
		cmp	[ebx+8], esi
		jz	short loc_764288

loc_76424B:				; CODE XREF: PnpWatchdogTimerAllocate+16j
		mov	ecx, [ebx+10h]
		test	ecx, ecx
		jnz	loc_8D5CB8

loc_764256:				; CODE XREF: PnpWatchdogTimerAllocate+171A9Bj
		call	WdtpAllocateTimer
		mov	edx, eax
		test	edx, edx
		jz	short loc_764283
		push	edi
		push	6
		pop	ecx
		lea	edi, [edx+4]
		mov	esi, ebx
		xor	eax, eax
		rep movsd
		pop	edi
		cmp	[ebx+8], eax
		jz	short loc_764281
		mov	dword ptr [edx+2Ch], offset _WdtpBarkWorkerThread@4 ; WdtpBarkWorkerThread(x)
		mov	[edx+30h], edx
		mov	[edx+24h], eax

loc_764281:				; CODE XREF: PnpWatchdogTimerAllocate+44j
		mov	esi, edx

loc_764283:				; CODE XREF: PnpWatchdogTimerAllocate+31j
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_764288:				; CODE XREF: PnpWatchdogTimerAllocate+Aj
					; PnpWatchdogTimerAllocate+11j	...
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PnpWatchdogTimerAllocate endp


;  S U B	R O U T	I N E 


WdtpAllocateTimer proc near		; CODE XREF: PnpWatchdogTimerAllocate:loc_764256p
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, 54645750h
		push	ebx
		push	48h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7642DF
		push	edi
		push	48h		; size_t
		xor	edi, edi
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	byte ptr [esi],	77h
		push	edi
		push	esi
		push	offset _WdtpTimerCallback@8 ; WdtpTimerCallback(x,x)
		call	ExAllocateTimer
		mov	[esi+20h], eax
		test	eax, eax
		jz	sub_8D5CCE
		push	edi
		push	edi
		lea	eax, [esi+38h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_7642DE:				; CODE XREF: sub_8D5CCE+9j
		pop	edi

loc_7642DF:				; CODE XREF: WdtpAllocateTimer+1Aj
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
WdtpAllocateTimer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpRecordBlackboxPnpEventWorkerInformation proc	near ; CODE XREF: PnpRecordBlackbox(x,x)+8p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D5CDC SIZE 000000A4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	edi, edi
		xor	esi, esi
		call	KeQueryInterruptTime
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx
		test	ebx, ebx
		jnz	loc_8D5CDC

loc_764310:				; CODE XREF: PnpRecordBlackboxPnpEventWorkerInformation+171A0Fj
		xor	ecx, ecx

loc_764312:				; CODE XREF: PnpRecordBlackboxPnpEventWorkerInformation+171A87j
		push	ecx
		push	ecx
		push	14h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_14], ecx
		push	eax
		push	5Eh
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], 9
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], edi
		call	NtPowerInformation
		test	esi, esi
		jnz	loc_8D5D70

loc_76433C:				; CODE XREF: PnpRecordBlackboxPnpEventWorkerInformation+171A97j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PnpRecordBlackboxPnpEventWorkerInformation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtPowerInformation proc	near		; CODE XREF: WheaLogInternalEvent+80FFAp
					; PopRecordPepWorkorderBlackboxInformation()+155p ...

var_3B8		= dword	ptr -3B8h
var_3B4		= dword	ptr -3B4h
var_3A8		= dword	ptr -3A8h
var_3A4		= dword	ptr -3A4h
var_3A0		= dword	ptr -3A0h
var_39C		= dword	ptr -39Ch
var_398		= dword	ptr -398h
var_394		= dword	ptr -394h
var_38D		= byte ptr -38Dh
var_38C		= dword	ptr -38Ch
var_388		= dword	ptr -388h
var_384		= dword	ptr -384h
var_37E		= byte ptr -37Eh
var_37D		= byte ptr -37Dh
var_37C		= dword	ptr -37Ch
var_376		= byte ptr -376h
var_375		= dword	ptr -375h
var_370		= dword	ptr -370h
var_36C		= dword	ptr -36Ch
var_365		= byte ptr -365h
var_364		= dword	ptr -364h
var_360		= dword	ptr -360h
var_35C		= dword	ptr -35Ch
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34A		= dword	ptr -34Ah
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= byte ptr -334h
var_333		= byte ptr -333h
var_330		= dword	ptr -330h
var_32C		= byte ptr -32Ch
var_5C		= dword	ptr -5Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008D5D80 SIZE 0000014B BYTES
; FUNCTION CHUNK AT 008D5F06 SIZE 00000B80 BYTES
; FUNCTION CHUNK AT 008D6AC4 SIZE 00000012 BYTES

		push	3A8h
		push	offset dword_6A0938
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_37C], eax
		mov	edi, [ebp+arg_4]
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_3A0], eax
		mov	[ebp+var_37E], 0
		push	300h		; size_t
		push	0		; int
		lea	eax, [ebp+var_35C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		and	[ebp+var_394], 0
		and	[ebp+var_3A8], 0
		and	[ebp+var_3A4], 0
		and	[ebp+var_375+1], 0
		and	[ebp+var_370], 0
		xor	ebx, ebx
		mov	[ebp+var_384], ebx
		and	[ebp+var_39C], ebx
		xor	cl, cl
		mov	[ebp+var_365], cl
		mov	[ebp+var_37D], cl
		mov	byte ptr [ebp+var_375],	cl
		mov	esi, [ebp+arg_0]
		cmp	esi, 5Fh
		ja	loc_765531
		mov	eax, large fs:124h
		mov	dl, [eax+15Ah]
		mov	[ebp+var_376], dl
		mov	byte ptr [ebp+var_38C],	dl
		mov	ebx, edi
		neg	ebx
		sbb	ebx, ebx
		and	ebx, [ebp+var_3A0]
		mov	[ebp+var_36C], ebx
		mov	eax, ebx
		neg	eax
		sbb	eax, eax
		and	eax, edi
		mov	[ebp+var_364], eax
		mov	edi, eax
		mov	ecx, [ebp+var_37C]
		mov	eax, ecx
		neg	eax
		sbb	eax, eax
		and	eax, [ebp+arg_10]
		mov	[ebp+var_37C], eax
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_360], eax
		test	dl, dl
		jz	loc_7648D1
		cmp	esi, 6
		jz	loc_8D5F1C
		cmp	esi, 11h
		jz	loc_8D5F1C
		cmp	esi, 7
		jz	loc_8D5F1C
		cmp	esi, 20h
		jz	loc_8D5F1C
		cmp	esi, 22h
		jz	loc_8D5F1C
		cmp	esi, 21h
		jz	loc_8D5F1C
		cmp	esi, 50h
		jz	loc_8D5F1C
		cmp	esi, 51h
		jz	loc_8D5F1C
		cmp	esi, 52h
		jz	loc_8D5F1C
		cmp	esi, 34h
		jz	loc_8D5F1C
		cmp	esi, 35h
		jz	loc_8D5F1C
		cmp	esi, 36h
		jz	loc_8D5F1C
		cmp	esi, 18h
		jz	loc_8D5F1C
		cmp	esi, 1Eh
		jz	loc_8D5F1C
		cmp	esi, 1Fh
		jz	loc_8D5F1C
		cmp	esi, 27h
		jz	loc_8D5F1C
		cmp	esi, 28h
		jz	loc_8D5F1C
		cmp	esi, 29h
		jz	loc_8D5F1C
		cmp	esi, 3Fh
		jz	loc_8D5F1C
		cmp	esi, 2Ah
		jz	loc_8D5F1C
		cmp	esi, 31h
		jz	loc_8D5F1C
		cmp	esi, 2Fh
		jz	loc_8D5F1C
		cmp	esi, 19h
		jz	loc_8D5F1C
		cmp	esi, 3Dh
		jz	loc_8D5F1C
		cmp	esi, 3Eh
		jz	loc_8D5F1C
		cmp	esi, 38h
		jz	loc_8D5F1C
		cmp	esi, 47h
		jz	loc_8D5F1C
		cmp	esi, 43h
		jz	loc_8D5F1C
		cmp	esi, 44h
		jz	loc_8D5F1C
		cmp	esi, 45h
		jz	loc_8D5F1C
		cmp	esi, 4Fh
		jz	loc_8D5F1C
		cmp	esi, 55h
		jz	loc_8D5F1C
		cmp	esi, 5Bh
		jz	loc_8D5F1C
		and	[ebp+ms_exc.disabled], 0
		cmp	esi, 5Eh
		jz	loc_764C64
		cmp	esi, 25h
		jz	loc_764C64
		cmp	esi, 5Fh
		jz	loc_764C64
		cmp	esi, 49h
		jz	loc_764C64
		cmp	esi, 40h
		jz	loc_764C64
		cmp	esi, 2Dh
		jz	loc_764C64
		cmp	esi, 26h
		jz	loc_764C64
		cmp	esi, 37h
		jz	loc_764C64
		cmp	esi, 30h
		jz	loc_764C64
		cmp	esi, 3Ch
		jz	loc_764C64
		cmp	esi, 39h
		jz	loc_764C64
		cmp	esi, 48h
		jz	loc_764C64
		cmp	esi, 2
		jz	loc_764C64
		cmp	esi, 3
		jz	loc_764C64
		cmp	esi, 54h
		jz	loc_764C64
		cmp	esi, 58h
		jz	loc_764C64

loc_7645F4:				; CODE XREF: NtPowerInformation+956j
		cmp	esi, 5Dh
		jz	loc_764BA1
		cmp	esi, 5Ch
		jz	loc_764BA1

loc_764606:				; CODE XREF: NtPowerInformation+879j
		cmp	esi, 1Ch
		jz	loc_7654E1
		cmp	esi, 2Dh
		jz	loc_7654E1
		cmp	esi, 32h
		jz	loc_7654E1
		cmp	esi, 4Eh
		jz	loc_7654E1

loc_76462A:				; CODE XREF: NtPowerInformation+11A6j
		test	edi, edi
		jnz	loc_7648DE
		mov	ebx, [ebp+var_384]

loc_764638:				; CODE XREF: NtPowerInformation+687j
		mov	eax, [ebp+var_360]
		test	eax, eax
		jz	short loc_764650
		push	1
		push	[ebp+var_37C]
		push	eax
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_764650:				; CODE XREF: NtPowerInformation+2FEj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_764657:				; CODE XREF: NtPowerInformation+597j
		xor	edx, edx
		inc	edx
		cmp	esi, 3Ah
		jz	loc_7647E3
		cmp	esi, 2Ch
		jz	loc_7647E3
		cmp	esi, 3Bh
		jz	loc_7647E3
		cmp	esi, 2Bh
		jz	loc_7647E3
		cmp	esi, 42h
		jz	loc_7647E3
		cmp	esi, 44h
		jz	loc_7647E3
		cmp	esi, 47h
		jz	loc_7647E3
		cmp	esi, 1Dh
		jz	loc_7647E3
		cmp	esi, 43h
		jz	loc_7647E3
		cmp	esi, 1Eh
		jz	loc_7647E3
		cmp	esi, 1Fh
		jz	loc_7647E3
		cmp	esi, 3Eh
		jz	loc_7647E3
		cmp	esi, 3Dh
		jz	loc_7647E3
		cmp	esi, 2Fh
		jz	loc_7647E3
		cmp	esi, 1Ch
		jz	loc_7647E3
		cmp	esi, 2Dh
		jz	loc_7647E3
		cmp	esi, 55h
		jz	loc_7647E3
		cmp	esi, 48h
		jz	loc_7647E3
		cmp	esi, 49h
		jz	loc_7647E3
		cmp	esi, 4Ah
		jz	loc_7647E3
		cmp	esi, 26h
		jz	loc_7647E3
		cmp	esi, 37h
		jz	loc_7647E3
		cmp	esi, 30h
		jz	loc_7647E3
		cmp	esi, 28h
		jz	loc_7647E3
		cmp	esi, 19h
		jz	loc_7647E3
		cmp	esi, 0Ah
		jz	loc_7647E3
		cmp	esi, 33h
		jz	loc_7647E3
		cmp	esi, 59h
		jz	loc_7647E3
		cmp	esi, 38h
		jz	loc_7647E3
		cmp	esi, 39h
		jz	short loc_7647E3
		cmp	esi, 40h
		jz	short loc_7647E3
		push	10h
		pop	ecx
		cmp	esi, 5
		jz	short loc_7647E6
		cmp	esi, 57h
		jz	short loc_7647E6
		cmp	esi, ecx
		jz	short loc_7647E6
		cmp	esi, 5Eh
		jz	short loc_7647E6
		cmp	esi, 4Bh
		jz	short loc_7647E6
		cmp	esi, 5Dh
		jz	short loc_7647E6
		cmp	esi, 0Bh
		jz	short loc_7647E6
		cmp	esi, 5Bh
		jz	short loc_7647E6
		cmp	esi, 5Fh
		jz	short loc_7647E6
		cmp	esi, 29h
		jz	short loc_7647E6
		cmp	esi, 53h
		jz	short loc_7647E6
		cmp	esi, 7
		jz	short loc_7647E6
		cmp	esi, 5Ch
		jz	short loc_7647E6
		cmp	esi, 4Eh
		jz	short loc_7647E6
		cmp	esi, 4Dh
		jz	short loc_7647E6
		cmp	esi, 4Fh
		jz	short loc_7647E6
		cmp	esi, 54h
		jz	short loc_7647E6
		cmp	esi, 56h
		jz	short loc_7647E6
		cmp	esi, 58h
		jz	short loc_7647E6
		cmp	esi, 5Ah
		jz	short loc_7647E6
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		xor	edx, edx
		inc	edx
		mov	[ebp+var_37D], dl
		mov	[ebp+var_365], dl

loc_7647E3:				; CODE XREF: NtPowerInformation+31Bj
					; NtPowerInformation+324j ...
		push	10h
		pop	ecx

loc_7647E6:				; CODE XREF: NtPowerInformation+42Dj
					; NtPowerInformation+432j ...
		mov	al, [ebp+var_365]
		jmp	ds:off_7657A6[esi*4]

loc_7647F3:				; DATA XREF: PAGE:007657BAo
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		lea	ecx, [ebp+var_35C]
		call	_PopCurrentPowerState@4	; PopCurrentPowerState(x)

loc_764814:				; CODE XREF: NtPowerInformation+11CCj
		lea	eax, [ebp+var_35C]
		mov	[ebp+var_375+1], eax
		mov	[ebp+var_370], 20h

loc_76482A:				; CODE XREF: NtPowerInformation+6F4j
					; NtPowerInformation+764j ...
		mov	eax, [ebp+var_364]

loc_764830:				; CODE XREF: NtPowerInformation+171DE9j
		cmp	[ebp+var_375+1], 0
		jz	short loc_764872
		test	esi, esi
		jz	short loc_764872
		mov	ecx, [ebp+var_37C]
		cmp	ecx, [ebp+var_370]
		jb	loc_8D6A7A
		mov	[ebp+ms_exc.disabled], 1
		push	[ebp+var_370]	; size_t
		push	[ebp+var_375+1]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_764872:				; CODE XREF: NtPowerInformation+4F5j
					; NtPowerInformation+4F9j
		xor	esi, esi

loc_764874:				; CODE XREF: NtPowerInformation+1721E0j
		mov	edi, [ebp+var_364]

loc_76487A:				; CODE XREF: NtPowerInformation+6E8j
					; NtPowerInformation+7E1j ...
		cmp	[ebp+var_39C], 0
		jnz	loc_8D6AC4

loc_764887:				; CODE XREF: NtPowerInformation+17278Fj
		cmp	byte ptr [ebp+var_375],	0
		jnz	loc_764B4A

loc_764894:				; CODE XREF: NtPowerInformation+818j
		cmp	[ebp+var_365], 0
		jnz	loc_764B5F

loc_7648A1:				; CODE XREF: NtPowerInformation+822j
		test	ebx, ebx
		jnz	short loc_7648B9

loc_7648A5:				; CODE XREF: NtPowerInformation+579j
					; NtPowerInformation+580j ...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7648B9:				; CODE XREF: NtPowerInformation+561j
		cmp	ebx, edi
		jz	short loc_7648A5
		lea	eax, [ebp+var_5C]
		cmp	ebx, eax
		jz	short loc_7648A5
		push	206D654Dh
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7648A5
; 

loc_7648D1:				; CODE XREF: NtPowerInformation+EFj
		mov	ebx, edi
		mov	[ebp+var_384], ebx
		jmp	loc_764657
; 

loc_7648DE:				; CODE XREF: NtPowerInformation+2EAj
		cmp	esi, 3Ah
		jz	short loc_764909
		cmp	esi, 3Bh
		jz	short loc_764909
		cmp	esi, 2Bh
		jz	short loc_764909
		cmp	esi, 2Eh
		jz	short loc_764909
		cmp	esi, 0Bh
		jz	short loc_764909
		cmp	esi, 48h
		jz	short loc_764909
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_8D5DC9

loc_764909:				; CODE XREF: NtPowerInformation+59Fj
					; NtPowerInformation+5A4j ...
		cmp	esi, 5Fh
		jz	loc_76507A
		cmp	esi, 9
		jz	loc_76507A
		cmp	esi, 26h
		jz	loc_76507A
		cmp	esi, 37h
		jz	loc_76507A
		cmp	esi, 30h
		jz	loc_76507A
		cmp	esi, 33h
		jz	loc_76507A
		cmp	esi, 59h
		jz	loc_76507A
		cmp	esi, 3Ch
		jz	loc_76507A
		cmp	esi, 5Ah
		jz	loc_76507A
		cmp	esi, 40h
		jz	loc_76507A

loc_764963:				; CODE XREF: NtPowerInformation+D3Fj
		cmp	esi, 3Ah
		jz	short loc_76498A
		cmp	esi, 57h
		jz	short loc_76498A
		cmp	esi, 2Ch
		jz	short loc_76498A
		cmp	esi, 5Dh
		jz	short loc_76498A
		cmp	esi, 3Bh
		jz	short loc_76498A
		cmp	esi, 5Eh
		jz	short loc_76498A
		cmp	esi, 2Bh
		jnz	loc_764DD2

loc_76498A:				; CODE XREF: NtPowerInformation+624j
					; NtPowerInformation+629j ...
		test	ebx, ebx
		jz	short loc_7649A7
		lea	eax, [ebx+edi]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_8D5EAC
		cmp	eax, edi
		jb	loc_8D5EAC

loc_7649A7:				; CODE XREF: NtPowerInformation+64Aj
					; NtPowerInformation+171B6Dj
		cmp	ebx, 40h
		ja	loc_764B28
		lea	ebx, [ebp+var_5C]
		mov	[ebp+var_384], ebx

loc_7649B9:				; CODE XREF: NtPowerInformation+7FDj
		push	[ebp+var_36C]	; size_t
		push	edi		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_764638
; 

loc_7649CE:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765902o
		test	ebx, ebx
		jz	loc_765531
		mov	esi, [ebp+var_36C]
		cmp	esi, 8
		jb	loc_765531
		mov	ecx, [ebx]
		mov	[ebp+var_398], ecx
		cmp	ecx, 44h
		jge	loc_8D6979

loc_7649F6:				; CODE XREF: NtPowerInformation+17264Fj
		cmp	ecx, 1000h
		jge	loc_8D6996

loc_764A02:				; CODE XREF: NtPowerInformation+17265Aj
		lea	eax, [ebp+var_375]
		push	eax
		lea	eax, [ebp+var_370]
		push	eax
		lea	eax, [ebp+var_375+1]
		push	eax
		mov	eax, [ebp+var_360]
		push	eax
		push	esi
		mov	edx, ebx
		call	PopPowerInformationInternal

loc_764A26:				; CODE XREF: NtPowerInformation+7A5j
					; NtPowerInformation+85Aj ...
		mov	esi, eax

loc_764A28:				; CODE XREF: NtPowerInformation+171E7Cj
					; NtPowerInformation+17211Dj
		test	esi, esi
		js	loc_76487A

loc_764A30:				; CODE XREF: NtPowerInformation+91Dj
					; NtPowerInformation+9FEj ...
		mov	esi, [ebp+var_360]
		jmp	loc_76482A
; 

loc_764A3B:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007657E6o
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		cmp	dword_6B1470, ebx
		jnz	loc_764B69

loc_764A5D:				; CODE XREF: NtPowerInformation+82Dj
		cmp	_PopPowerRequestAttributes, 0
		jz	short loc_764A90
		or	[ebp+var_35C], 2
		jmp	short loc_764A90
; 

loc_764A6F:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658D2o
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		call	PopCapturePlatformRole
		mov	[ebp+var_35C], eax

loc_764A90:				; CODE XREF: NtPowerInformation+722j
					; NtPowerInformation+72Bj
		lea	eax, [ebp+var_35C]
		mov	[ebp+var_375+1], eax
		mov	[ebp+var_370], 4
		jmp	loc_76482A
; 

loc_764AAB:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076591Eo
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		cmp	[ebp+var_37C], 0
		jnz	loc_765531
		cmp	[ebp+var_36C], 14h
		jnz	loc_76579B
		mov	dl, [ebp+var_376]
		mov	ecx, ebx
		call	PopBlackBoxUpdate
		jmp	loc_764A26
; 

loc_764AEC:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076588Eo
		mov	eax, [ebp+var_360]
		test	eax, eax
		jz	loc_765531
		test	edi, edi
		jz	short loc_764B0B
		cmp	[ebp+var_36C], 14h
		jnz	loc_76579B

loc_764B0B:				; CODE XREF: NtPowerInformation+7BAj
		cmp	[ebp+var_37C], 8
		jnz	loc_76579B
		mov	edx, eax
		mov	ecx, ebx
		call	PopGetSettingNotificationName

loc_764B21:				; CODE XREF: NtPowerInformation+996j
					; NtPowerInformation+BCDj ...
		mov	esi, eax
		jmp	loc_76487A
; 

loc_764B28:				; CODE XREF: NtPowerInformation+668j
		push	206D654Dh
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_384], ebx
		test	ebx, ebx
		jnz	loc_7649B9
		jmp	loc_8D5EB4
; 

loc_764B4A:				; CODE XREF: NtPowerInformation+54Cj
		push	206D654Dh
		push	[ebp+var_375+1]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_764894
; 

loc_764B5F:				; CODE XREF: NtPowerInformation+559j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		jmp	loc_7648A1
; 

loc_764B69:				; CODE XREF: NtPowerInformation+715j
		or	[ebp+var_35C], edx
		jmp	loc_764A5D
; 

loc_764B74:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765856o
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		cmp	[ebp+var_36C], ecx
		jnz	loc_76579B
		mov	ecx, ebx
		call	PopPowerRequestActionInfo
		jmp	loc_764A26
; 

loc_764BA1:				; CODE XREF: NtPowerInformation+2B5j
					; NtPowerInformation+2BEj
		mov	cl, dl
		call	ExCheckFullProcessInformationAccess
		mov	esi, eax
		mov	[ebp+var_388], esi
		test	esi, esi
		js	loc_8D5DBD
		mov	esi, [ebp+arg_0]
		jmp	loc_764606
; 

loc_764BC0:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076591Ao
		test	ebx, ebx
		jz	loc_765531
		mov	eax, [ebp+var_360]
		test	eax, eax
		jz	loc_765531
		cmp	[ebp+var_36C], 4
		jnz	loc_76579B
		mov	ecx, [ebp+var_37C]
		cmp	ecx, 0Ch
		jb	loc_76579B
		push	ecx
		mov	edx, eax
		mov	ecx, [ebx]
		call	_PopEtEnergyTrackerQuery@12 ; PopEtEnergyTrackerQuery(x,x,x)
		jmp	loc_764A26
; 

loc_764C01:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007657B6o
		test	ebx, ebx
		jnz	loc_8D6080
		cmp	[ebp+var_360], ebx
		jz	loc_765531
		test	ebx, ebx
		jnz	loc_8D6080

loc_764C1D:				; CODE XREF: NtPowerInformation+171D7Bj
		mov	eax, _PopFullWake
		and	al, dl
		mov	byte_6C2E29, al
		call	PopDisksRegisteredForIdle
		mov	byte_6C2E35, al
		lea	edx, [ebp+var_35C]
		mov	ecx, offset _PopCapabilities
		call	PopFilterCapabilities
		lea	eax, [ebp+var_35C]
		mov	[ebp+var_375+1], eax
		mov	[ebp+var_370], 4Ch
		mov	ebx, [ebp+var_384]
		jmp	loc_764A30
; 

loc_764C64:				; CODE XREF: NtPowerInformation+225j
					; NtPowerInformation+22Ej ...
		lea	edx, [ebp+var_37E]
		xor	ecx, ecx
		call	_SeIsAppContainerOrIdentifyLevelContext@8 ; SeIsAppContainerOrIdentifyLevelContext(x,x)
		mov	esi, eax
		mov	[ebp+var_388], esi
		test	esi, esi
		js	loc_8D5DBD
		mov	al, [ebp+var_37E]
		mov	esi, [ebp+arg_0]
		test	al, al
		jnz	loc_8D5D80

loc_764C92:				; CODE XREF: NtPowerInformation+171A4Cj
					; NtPowerInformation+171A63j
		mov	dl, [ebp+var_376]
		jmp	loc_7645F4
; 

loc_764C9D:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765892o
		test	ebx, ebx
		jz	loc_765531
		mov	eax, [ebp+var_360]
		test	eax, eax
		jz	loc_765531
		cmp	[ebp+var_36C], ecx
		jnz	loc_76579B
		mov	ecx, [ebp+var_37C]
		cmp	ecx, 4
		jb	loc_76579B
		push	ecx
		mov	edx, eax
		mov	ecx, ebx
		call	PopGetSettingValue
		jmp	loc_764B21
; 

loc_764CDD:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765852o ...
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jz	loc_765531
		cmp	[ebp+var_36C], 1Ch
		jnz	loc_76579B
		cmp	[ebp+var_37C], 4
		jnz	loc_76579B
		lea	eax, [ebp+var_35C]
		push	eax
		cmp	esi, 48h
		setz	dl
		mov	ecx, ebx
		call	_PopPowerRequestCreateInfo@12 ;	PopPowerRequestCreateInfo(x,x,x)

loc_764D20:				; CODE XREF: NtPowerInformation+1454j
					; NtPowerInformation+172456j
		mov	esi, eax
		test	esi, esi
		js	loc_76487A
		lea	eax, [ebp+var_35C]
		mov	[ebp+var_375+1], eax
		mov	[ebp+var_370], 4
		jmp	loc_764A30
; 

loc_764D45:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658AEo
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		mov	al, _PopPlatformAoAc
		mov	byte ptr [ebp+var_35C],	al
		lea	eax, [ebp+var_35C]
		mov	[ebp+var_375+1], eax
		mov	[ebp+var_370], edx
		jmp	loc_76482A
; 

loc_764D7D:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007657D2o
		test	ebx, ebx
		jnz	loc_765531
		cmp	[ebp+var_360], ebx
		jz	loc_765531
		mov	eax, large fs:20h
		movzx	eax, byte ptr [eax+3C5h]
		lea	ecx, [ebp+var_370]
		push	ecx
		push	eax
		lea	ecx, [ebp+var_35C]
		call	PopProcessorInformation
		mov	ebx, [ebp+var_384]

loc_764DB7:				; CODE XREF: NtPowerInformation+12B6j
		mov	esi, eax
		test	esi, esi
		js	loc_76487A
		lea	eax, [ebp+var_35C]
		mov	[ebp+var_375+1], eax
		jmp	loc_764A30
; 

loc_764DD2:				; CODE XREF: NtPowerInformation+642j
		cmp	esi, 25h
		jz	loc_76498A
		cmp	esi, 5Fh
		jz	loc_76498A
		cmp	esi, 2Eh
		jz	loc_76498A
		cmp	esi, 5Ch
		jz	loc_76498A
		jmp	loc_8D5DD0
; 

loc_764DFB:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007657DEo
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		mov	[ebp+var_375+1], offset	dword_6C2700

loc_764E1B:				; CODE XREF: NtPowerInformation+107Fj
		mov	[ebp+var_370], 8
		jmp	loc_76482A
; 

loc_764E2A:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076583Ao
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		cmp	[ebp+var_376], dl
		jnz	loc_8D6386
		mov	edx, [ebp+var_36C]
		mov	ecx, ebx
		call	_PopValidateServiceNotification@8 ; PopValidateServiceNotification(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_76487A
		mov	ecx, ebx
		call	_PopDiagTraceServiceNotification@4 ; PopDiagTraceServiceNotification(x)
		jmp	loc_764A30
; 

loc_764E6E:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765912o
		cmp	_PopPlatformAoAc, 0
		jnz	loc_8D6A3C

loc_764E7B:				; CODE XREF: NtPowerInformation+D51j
		mov	esi, 0C00000BBh
		jmp	loc_76487A
; 

loc_764E85:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007657D6o
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		mov	eax, dword_6C22A4
		mov	[ebp+var_358], eax
		mov	eax, dword_6C22AC
		sub	eax, dword_6C22A8
		mov	[ebp+var_354], eax
		mov	al, byte ptr _PopCoolingMode
		mov	byte ptr [ebp+var_350],	al
		lea	eax, [ebp+var_35C]
		mov	[ebp+var_375+1], eax
		mov	[ebp+var_370], ecx
		jmp	loc_76482A
; 

loc_764ED9:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658B6o
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], 8
		jnz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		cmp	[ebp+var_37C], 0
		jnz	loc_765531
		mov	ecx, ebx
		call	PopMonitorInvocation
		jmp	loc_764B21
; 

loc_764F14:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076581Eo ...
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		cmp	[ebp+var_36C], 4
		jb	loc_76579B
		mov	ecx, ebx
		cmp	esi, 1Eh
		jnz	loc_764FF9
		call	_PopDiagTraceAppPowerMessage@4 ; PopDiagTraceAppPowerMessage(x)
		jmp	loc_764A30
; 

loc_764F4B:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658C2o
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], 8
		jnz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_8D67CC

loc_764F6D:				; CODE XREF: NtPowerInformation+172497j
		mov	ecx, ebx
		call	_PopSuspendResumeInvocation@4 ;	PopSuspendResumeInvocation(x)
		jmp	loc_764B21
; 

loc_764F79:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076581Ao
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		mov	[ebp+var_370], 4
		push	206D654Dh
		push	4
		push	edx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_375+1], eax
		test	eax, eax
		jz	loc_8D6390
		mov	byte ptr [ebp+var_375],	1
		mov	ecx, _PopConsoleDisplayState
		mov	[eax], ecx
		jmp	loc_76482A
; 

loc_764FC8:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658B2o
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], 5Ch
		jnz	loc_765531
		mov	eax, [ebp+var_360]
		test	eax, eax
		jnz	loc_76567E

loc_764FEB:				; CODE XREF: NtPowerInformation+1343j
		mov	edx, eax
		mov	ecx, ebx
		call	_PopPdcInvocation@8 ; PopPdcInvocation(x,x)
		jmp	loc_764B21
; 

loc_764FF9:				; CODE XREF: NtPowerInformation+BF9j
		call	_PopDiagTraceAppPowerMessageEnd@4 ; PopDiagTraceAppPowerMessageEnd(x)
		jmp	loc_764A30
; 

loc_765003:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076589Eo
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], 2
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		cmp	[ebp+var_37C], 8
		jnz	loc_765531
		push	esi
		call	_PopGetSessionId@0 ; PopGetSessionId()
		mov	edx, ebx
		mov	ecx, eax
		call	_PopSessionConnectionChange@12 ; PopSessionConnectionChange(x,x,x)
		call	_PopGetSessionId@0 ; PopGetSessionId()
		mov	cl, [ebx]
		mov	byte ptr [ebp+var_398],	cl
		mov	cl, [ebx+1]
		mov	byte ptr [ebp+var_38C],	cl
		mov	ecx, dword_6D6FBC
		test	ecx, ecx
		jz	loc_76482A
		push	[ebp+var_398]
		push	[ebp+var_38C]
		push	eax
		call	ecx
		jmp	loc_76482A
; 

loc_76507A:				; CODE XREF: NtPowerInformation+5CAj
					; NtPowerInformation+5D3j ...
		call	_EtwpCoverageUserIsAdmin@0 ; EtwpCoverageUserIsAdmin()
		test	al, al
		jnz	loc_764963
		jmp	loc_8D5DAB
; 

loc_76508C:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658AAo
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_764E7B
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		lea	edx, [ebp+var_35C]
		mov	ecx, offset _PopCapabilities
		call	PopFilterCapabilities
		cmp	byte ptr [ebp+var_34A],	bl
		jz	short loc_7650D2
		lea	ecx, [ebp+var_34A]
		call	PopReadHiberbootPolicy

loc_7650D2:				; CODE XREF: NtPowerInformation+D83j
		lea	eax, [ebp+var_34A]

loc_7650D8:				; CODE XREF: NtPowerInformation+172733j
		mov	[ebp+var_375+1], eax
		mov	[ebp+var_370], 1
		jmp	loc_76482A
; 

loc_7650ED:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007657BEo
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		cmp	[ebp+var_36C], ecx
		jb	loc_76579B
		mov	eax, [ebx]
		cmp	eax, 7
		jnb	loc_765531
		mov	ecx, eax
		shl	ecx, 4
		mov	[ebp+var_38C], ecx
		cmp	dword_6C2DA8[ecx], 0
		jnz	loc_765513

loc_765131:				; CODE XREF: NtPowerInformation+11D4j
					; NtPowerInformation+11E9j
		lea	edi, _PopPowerStateHandlers[ecx]
		mov	esi, ebx
		movsd
		movsd
		movsd
		movsd
		mov	word_6C2DA5[ecx], 0
		mov	byte_6C2DA7[ecx], 0
		xor	ecx, ecx
		xor	esi, esi
		sub	eax, esi
		jz	loc_8D614D
		sub	eax, 1
		jz	loc_8D6130
		sub	eax, 1
		jz	loc_76555A
		sub	eax, 1
		jz	loc_76553B
		sub	eax, 1
		jnz	loc_76548E
		mov	ecx, offset byte_6C2E27
		jmp	loc_7654AF
; 

loc_765187:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076589Ao
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], 8
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		cmp	[ebp+var_37C], 8
		jnz	loc_765531
		push	esi
		call	_PopGetSessionId@0 ; PopGetSessionId()
		mov	edx, ebx
		mov	ecx, eax
		call	_PopSessionInputChange@12 ; PopSessionInputChange(x,x,x)
		jmp	loc_76482A
; 

loc_7651CB:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076584Eo
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], ecx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jnz	loc_765531
		cmp	byte ptr [ebx+0Dh], 0
		jz	short loc_7651FD
		cmp	byte ptr [ebx+0Ch], 0
		jnz	loc_76545D

loc_7651FD:				; CODE XREF: NtPowerInformation+EAFj
					; NtPowerInformation+113Cj ...
		mov	al, [ebx+0Eh]
		test	al, al
		jz	loc_76482A
		cmp	byte ptr [ebx+0Ch], 0
		jz	short loc_765227
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	4
		lea	eax, [ebx+4]
		push	eax
		push	offset _WNF_PO_PRIMARY_DISPLAY_VISIBLE_STATE
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	al, [ebx+0Eh]

loc_765227:				; CODE XREF: NtPowerInformation+ECAj
		test	al, al
		jz	loc_76482A
		push	dword ptr [ebx+8]
		movzx	eax, byte ptr [ebx+0Ch]
		push	eax
		cmp	dword ptr [ebx+4], 0
		setz	cl
		mov	edx, [ebx]
		call	_PopDiagTraceSessionDisplayStateChange@16 ; PopDiagTraceSessionDisplayStateChange(x,x,x,x)
		jmp	loc_76482A
; 

loc_76524A:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765922o
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], edx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jnz	loc_765531
		push	esi
		push	ebx
		push	_PipCslCallbackObject
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)
		jmp	loc_76482A
; 

loc_76527E:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076584Ao
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		cmp	[ebp+var_37C], 34h
		jnz	loc_765531
		call	_PopEsGetState@0 ; PopEsGetState()
		cmp	eax, 1
		jz	loc_8D65F6

loc_7652AF:				; CODE XREF: NtPowerInformation+1722BBj
		call	_TtmIsEnabled@0	; TtmIsEnabled()
		mov	[ebp+var_32C], al
		test	al, al
		jnz	loc_8D6602

loc_7652C2:				; CODE XREF: NtPowerInformation+1722DAj
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		and	[ebp+var_354], 0
		mov	[ebp+var_35C], offset _PopNoMoreInput
		mov	[ebp+var_358], offset _PopHiberBootForceMonitorOff
		xor	eax, eax
		cmp	byte_6C2D11, al
		setnz	al
		mov	[ebp-34Ch], eax
		mov	eax, dword_6C2D0C
		mov	[ebp+var_34A+2], eax
		mov	eax, dword_6C2D2C
		mov	[ebp+var_350], eax
		mov	eax, dword_6C2D30
		mov	[ebp+var_344], eax
		mov	eax, dword_6C2D34
		mov	[ebp+var_340], eax
		mov	eax, dword_6C2D38
		mov	[ebp+var_33C], eax
		mov	eax, dword_6C2D3C
		mov	[ebp+var_330], eax
		mov	eax, dword_6C2D40
		mov	[ebp+var_338], eax
		mov	al, _PopLidOpened
		mov	[ebp+var_333], al
		lea	eax, [ebp+var_35C]
		mov	[ebp+var_375+1], eax
		mov	[ebp+var_370], 34h
		call	_PopGetSessionId@0 ; PopGetSessionId()
		mov	ecx, eax
		call	_PopSessionCreated@4 ; PopSessionCreated(x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		jmp	loc_76482A
; 

loc_765377:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765862o
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], ecx
		jnz	loc_765531
		mov	ecx, ebx
		call	_PopUmpoSendLegacyEvent@4 ; PopUmpoSendLegacyEvent(x)
		mov	esi, eax
		test	esi, esi
		jns	loc_764A30
		jmp	loc_8D66E3
; 

loc_7653A1:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007657E2o
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		mov	[ebp+var_375+1], offset	dword_6C2708
		jmp	loc_764E1B
; 

loc_7653C6:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765832o
		test	ebx, ebx
		jnz	loc_765531
		cmp	[ebp+var_360], ebx
		jz	loc_765531
		cmp	[ebp+var_365], bl
		jz	short loc_7653E7
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_7653E7:				; CODE XREF: NtPowerInformation+109Ej
		mov	[ebp+var_365], 0
		lea	edx, [ebp+var_370]
		xor	ecx, ecx
		call	PopGetWakeSource
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_76543E
		push	206D654Dh
		push	[ebp+var_370]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_375+1], eax
		test	eax, eax
		jz	loc_8D5F06
		mov	byte ptr [ebp+var_375],	1
		lea	edx, [ebp+var_370]
		mov	ecx, eax
		call	PopGetWakeSource
		mov	esi, eax

loc_76543E:				; CODE XREF: NtPowerInformation+10C1j
		test	esi, esi
		js	loc_76487A
		mov	dl, [ebp+var_365]
		mov	[ebp+var_365], dl
		mov	[ebp+var_37D], dl
		jmp	loc_764A30
; 

loc_76545D:				; CODE XREF: NtPowerInformation+EB5j
		cmp	_PopPlatformAoAc, 0
		jnz	loc_8D6621

loc_76546A:				; CODE XREF: NtPowerInformation+172314j
					; NtPowerInformation+17231Ej ...
		mov	ecx, [ebx+4]
		call	_PopSetDisplayStatus@4 ; PopSetDisplayStatus(x)
		mov	ecx, [ebx+4]
		call	_PopUpdateConsoleDisplayState@4	; PopUpdateConsoleDisplayState(x)
		cmp	dword ptr [ebx+4], 1
		jnz	loc_7651FD
		call	PopPowerAggregatorNotifyDisplayPoweredOn
		jmp	loc_7651FD
; 

loc_76548E:				; CODE XREF: NtPowerInformation+E35j
		dec	eax
		sub	eax, 1
		jnz	short loc_7654AF
		push	4
		mov	ecx, _PopSimulate
		and	ecx, 2000h
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, offset unk_6C2E31

loc_7654AE:				; CODE XREF: NtPowerInformation+1213j
					; NtPowerInformation+1230j ...
		pop	esi

loc_7654AF:				; CODE XREF: NtPowerInformation+E40j
					; NtPowerInformation+1150j
		mov	eax, [ebp+var_38C]
		movzx	eax, byte_6C2DA4[eax]
		neg	eax
		sbb	eax, eax
		and	eax, esi
		cmp	eax, dword_6C2E60
		jle	short loc_7654CF
		mov	dword_6C2E60, eax

loc_7654CF:				; CODE XREF: NtPowerInformation+1186j
		test	ecx, ecx
		jz	loc_764A30
		call	_PopChangeCapability@8 ; PopChangeCapability(x,x)
		jmp	loc_764A30
; 

loc_7654E1:				; CODE XREF: NtPowerInformation+2C7j
					; NtPowerInformation+2D0j ...
		call	_EtwpCoverageUserIsAdmin@0 ; EtwpCoverageUserIsAdmin()
		test	al, al
		jnz	loc_76462A
		jmp	loc_8D5DAB
; 

loc_7654F3:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658F2o
		test	ebx, ebx
		jnz	short loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	short loc_765531
		xor	edx, edx
		lea	ecx, [ebp+var_35C]
		call	_PopCurrentPowerStatePrecise@8 ; PopCurrentPowerStatePrecise(x,x)
		jmp	loc_764814
; 

loc_765513:				; CODE XREF: NtPowerInformation+DE9j
		cmp	eax, 5
		jz	loc_765131
		cmp	eax, 4
		jnz	short loc_765531
		cmp	dword_6C2DE8, offset _PopShutdownHandler@20 ; PopShutdownHandler(x,x,x,x,x)
		jz	loc_765131

loc_765531:				; CODE XREF: NtPowerInformation+8Cj
					; NtPowerInformation+4AAj ...
		mov	esi, 0C000000Dh
		jmp	loc_76487A
; 

loc_76553B:				; CODE XREF: NtPowerInformation+E2Cj
		push	5
		mov	ecx, _PopSimulate
		and	ecx, 2000h
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, offset byte_6C2E26
		jmp	loc_7654AE
; 

loc_76555A:				; CODE XREF: NtPowerInformation+E23j
		push	4
		mov	eax, _PopSimulate
		and	al, 20h
		movzx	ecx, al
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, (offset word_6C2E24+1)
		jmp	loc_7654AE
; 

loc_765577:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007657EAo
		test	ebx, ebx
		jz	short loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jnz	short loc_765531
		cmp	[ebp+var_36C], 8
		jb	loc_76579B
		cmp	_PopPowerStateNotifyHandler, esi
		jnz	loc_8D616A

loc_76559E:				; CODE XREF: NtPowerInformation+171E31j
		mov	eax, [ebx]
		mov	_PopPowerStateNotifyHandler, eax
		mov	eax, [ebx+4]
		mov	dword_6C2184, eax
		jmp	loc_76482A
; 

loc_7655B2:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076585Eo
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], 2
		jb	loc_765531
		cmp	[ebp+var_360], 0
		jz	loc_765531
		movzx	esi, word ptr [ebx]
		call	_KeQueryActiveGroupCount@0 ; KeQueryActiveGroupCount()
		cmp	si, ax
		jnb	loc_765531
		lea	eax, [ebp+var_370]
		push	eax
		push	esi
		lea	ecx, [ebp+var_35C]
		call	PopProcessorInformation
		jmp	loc_764DB7
; 

loc_7655FD:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765806o
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		cmp	[ebp+var_36C], 8
		jb	loc_76579B
		push	0		; int
		push	0		; void *
		mov	edx, [ebx+4]
		mov	ecx, [ebx]
		call	PopLogSleepDisabled
		jmp	loc_764A26
; 

loc_765632:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658A2o
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jnz	loc_765531
		call	_PopGetSessionId@0 ; PopGetSessionId()
		mov	ecx, eax
		call	_PopSessionClosed@4 ; PopSessionClosed(x)
		call	_TtmIsEnabled@0	; TtmIsEnabled()
		test	al, al
		jz	loc_76482A
		jmp	loc_8D6570
; 

loc_765666:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765816o
		mov	ecx, edx
		call	_PopSuspendResumePdc@4 ; PopSuspendResumePdc(x)
		mov	_PopHiberBootForceMonitorOff, 1
		call	_PoPowerOffMonitor@0 ; PoPowerOffMonitor()
		jmp	loc_764B21
; 

loc_76567E:				; CODE XREF: NtPowerInformation+CA3j
		cmp	[ebp+var_37C], 50h
		jz	loc_764FEB
		jmp	loc_765531
; 

loc_765690:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658BAo
		test	ebx, ebx
		jnz	loc_765531
		cmp	[ebp+var_360], ebx
		jnz	loc_765531
		call	PopInitPlatformSettings
		mov	esi, eax
		mov	al, _PopPlatformAoAc
		mov	byte_6C2E34, al
		jmp	loc_76487A
; 

loc_7656BA:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658D6o
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		mov	eax, dword_6C2908
		mov	[ebp+var_35C], eax
		mov	eax, dword_6C2AA0
		mov	[ebp+var_354], eax
		mov	eax, dword_6C2AA4
		mov	[ebp+var_350], eax
		mov	eax, dword_6C2AA8
		mov	[ebp-34Ch], eax
		mov	eax, dword_6C2AAC
		mov	[ebp+var_34A+2], eax
		cmp	_PopSleepStats,	bl
		jz	loc_8D6855
		lea	eax, [ebp+var_35C]
		mov	[ebp+var_375+1], eax
		mov	[ebp+var_370], 18h
		jmp	loc_76482A
; 

loc_76572E:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007657C2o
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		call	PpmHeteroHgsBackupInit
		mov	[ebp+var_375+1], offset	_PpmProcessorDriverDispatchTable
		mov	[ebp+var_370], 78h
		jmp	loc_76482A
; 

loc_765762:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765916o
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jz	loc_765531
		cmp	[ebp+var_36C], 0Ch
		jnz	short loc_76579B
		cmp	[ebp+var_37C], 4
		jnz	short loc_76579B
		lea	edx, [ebp+var_35C]
		mov	ecx, ebx
		call	_PopEtEnergyTrackerCreate@8 ; PopEtEnergyTrackerCreate(x,x)
		jmp	loc_764D20
; 

loc_76579B:				; CODE XREF: NtPowerInformation+792j
					; NtPowerInformation+7C3j ...
		mov	esi, 0C0000023h
		jmp	loc_76487A
NtPowerInformation endp

; 
		align 2
off_7657A6	dd offset loc_8D5F44	; DATA XREF: NtPowerInformation+4AAr
		dd offset loc_8D5F44
		dd offset loc_8D600F
		dd offset loc_8D600F
		dd offset loc_764C01
		dd offset loc_7647F3
		dd offset loc_7650ED
		dd offset loc_76572E
		dd offset loc_8D6050
		dd offset loc_8D5FAF
		dd offset loc_8D6178
		dd offset loc_764D7D
		dd offset loc_764E85
		dd offset loc_8D5FA5
		dd offset loc_764DFB
		dd offset loc_7653A1
		dd offset loc_764A3B
		dd offset loc_765577
		dd offset loc_8D5FA5
		dd offset loc_8D5FA5
		dd offset loc_8D5FA5
		dd offset loc_8D5FA5
		dd offset loc_8D5FA5
		dd offset loc_8D627A
		dd offset loc_7655FD
		dd offset loc_8D62C6
		dd offset loc_765531
		dd offset loc_765531
		dd offset loc_765666
		dd offset loc_764F79
		dd offset loc_764F14
		dd offset loc_764F14
		dd offset loc_8D5FA5
		dd offset loc_8D5FA5
		dd offset loc_8D5FA5
		dd offset loc_7653C6
		dd offset loc_8D639A
		dd offset loc_764E2A
		dd offset loc_8D641D
		dd offset loc_8D64B9
		dd offset loc_8D6527
		dd offset loc_76527E
		dd offset loc_7651CB
		dd offset loc_764CDD
		dd offset loc_764B74
		dd offset loc_8D6695
		dd offset loc_7655B2
		dd offset loc_765377
		dd offset loc_8D6464
		dd offset loc_8D5FA5
		dd offset loc_8D66F4
		dd offset loc_8D61C3
		dd offset loc_8D5FA5
		dd offset loc_8D5FA5
		dd offset loc_8D5FA5
		dd offset loc_8D670A
		dd offset loc_8D6758
		dd offset loc_8D65B0
		dd offset loc_764AEC
		dd offset loc_764C9D
		dd offset loc_8D679D
		dd offset loc_765187
		dd offset loc_765003
		dd offset loc_765632
		dd offset loc_8D657A
		dd offset loc_76508C
		dd offset loc_764D45
		dd offset loc_764FC8
		dd offset loc_764ED9
		dd offset loc_765690
		dd offset loc_8D5F2C
		dd offset loc_764F4B
		dd offset loc_764CDD
		dd offset loc_8D67DE
		dd offset loc_8D680D
		dd offset loc_764A6F
		dd offset loc_7656BA
		dd offset loc_8D68AC
		dd offset loc_8D685F
		dd offset loc_8D5FA5
		dd offset loc_8D5FA5
		dd offset loc_8D5FA5
		dd offset loc_8D5FA5
		dd offset loc_7654F3
		dd offset loc_8D6936
		dd offset loc_8D6676
		dd offset loc_8D60C2
		dd offset loc_7649CE
		dd offset loc_8D67DE
		dd offset loc_8D6256
		dd offset loc_8D6A0A
		dd offset loc_764E6E
		dd offset loc_765762
		dd offset loc_764BC0
		dd offset loc_764AAB
		dd offset loc_76524A

;  S U B	R O U T	I N E 


; __stdcall PopCurrentPowerState(x)
_PopCurrentPowerState@4	proc near	; CODE XREF: PopEsUpdateState+23p
					; PopUpdateAcDcState+827EBp ...
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, ecx
		nop
		mov	ebx, offset dword_6C266C
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		push	8
		pop	ecx
		mov	esi, offset byte_6C2674
		rep movsd
		cmp	dword_6C2670, 0
		jnz	short loc_76596B

loc_76595A:				; CODE XREF: PopCurrentPowerState(x)+4Cj
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
; 

loc_76596B:				; CODE XREF: PopCurrentPowerState(x)+32j
		and	dword_6C2670, 0
		jmp	short loc_76595A
_PopCurrentPowerState@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPowerInformationInternal proc near	; CODE XREF: NtPowerInformation+6DFp

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4D		= dword	ptr -4Dh
var_48		= dword	ptr -48h
var_41		= dword	ptr -41h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008D6AD6 SIZE 00000A6C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, ecx
		mov	ecx, [ebp+arg_10]
		push	edi
		mov	edi, edx
		mov	[esp+68h+var_58], eax
		xor	edx, edx
		mov	[esp+68h+var_4D+1], esi
		mov	[esi], edx
		mov	[eax], edx
		mov	eax, large fs:124h
		mov	[esp+68h+var_2C], edx
		mov	[esp+68h+var_28], edx
		mov	[ecx], dl
		mov	[esp+68h+var_54], ecx
		mov	[esp+68h+var_48], edx
		mov	byte ptr [esp+68h+var_41], dl
		mov	byte ptr [esp+68h+var_4D], dl
		mov	[esp+68h+var_3C], edx
		mov	[esp+68h+var_34], edx
		mov	[esp+68h+var_38], edx
		mov	[esp+68h+var_41+1], edx
		cmp	[eax+15Ah], dl
		jnz	loc_765AEC
		cmp	ebx, 21h
		jz	loc_8D752B
		cmp	ebx, 7
		jz	loc_8D752B
		cmp	ebx, 18h
		jz	loc_8D752B
		cmp	ebx, 5
		jz	loc_8D752B
		cmp	ebx, 27h
		jz	loc_8D752B
		cmp	ebx, 2Ch
		jz	loc_8D752B
		cmp	ebx, 2Dh
		jz	loc_8D752B
		cmp	ebx, 2Eh
		jz	loc_8D752B
		cmp	ebx, 2Fh
		jz	loc_8D752B
		cmp	ebx, 30h
		jz	loc_8D752B
		cmp	ebx, 33h
		jz	loc_8D752B
		cmp	ebx, 35h
		jz	loc_8D752B
		cmp	ebx, 36h
		jz	loc_8D752B
		cmp	ebx, 38h
		jz	loc_8D752B
		cmp	ebx, 3Ch
		jz	loc_8D752B
		cmp	ebx, 40h
		jz	loc_8D752B

loc_765A74:				; CODE XREF: PopPowerInformationInternal+291j
		cmp	ebx, 43h	; switch 68 cases
		ja	loc_8D72A5	; default

loc_765A7D:				; CODE XREF: PopPowerInformationInternal+3F1j
					; PopPowerInformationInternal+171170j ...
		jmp	ds:off_765EFC[ebx*4] ; switch jump

loc_765A84:				; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 38h ; case	0x15
		jb	loc_765C83
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		cmp	[edi+8], edx
		jz	loc_765C7B

loc_765A9C:				; CODE XREF: PopPowerInformationInternal+309j
		cmp	dword ptr [edi+14h], 19Ch
		jz	loc_8D6D73

loc_765AA9:				; CODE XREF: PopPowerInformationInternal+17141Bj
					; PopPowerInformationInternal+171426j
		mov	[esp+68h+var_48], edx
		push	4
		pop	ebx
		test	ecx, ecx
		jnz	loc_765C8D

loc_765AB8:				; CODE XREF: PopPowerInformationInternal+32Cj
		movzx	eax, byte ptr [edi+34h]
		lea	edx, [edi+0Ch]
		mov	ecx, [edi+8]
		push	eax
		call	PopSetWatchdog
		cmp	[ebp+arg_4], 0
		mov	ecx, eax
		jnz	loc_765C61

loc_765AD4:				; CODE XREF: PopPowerInformationInternal+302j
					; PopPowerInformationInternal+3B4j ...
		xor	esi, esi

loc_765AD6:				; CODE XREF: PopPowerInformationInternal+2C5j
					; PopPowerInformationInternal+2E8j ...
		mov	ecx, [esp+6Ch+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_765AEC:				; CODE XREF: PopPowerInformationInternal+6Aj
		cmp	ebx, 24h
		jz	loc_8D6AD6
		test	ebx, ebx
		jz	loc_8D6AEA
		cmp	ebx, 17h
		jz	loc_8D6AEA
		cmp	ebx, 1Ch
		jz	loc_8D6AEA
		cmp	ebx, 2
		jz	loc_8D6AEA
		cmp	ebx, 13h
		jz	loc_8D6AEA
		cmp	ebx, 14h
		jz	loc_8D6AEA
		cmp	ebx, 8
		jz	loc_8D6AEA
		cmp	ebx, 15h
		jz	loc_8D6AEA
		cmp	ebx, 1Ah
		jz	loc_8D6AEA
		cmp	ebx, 28h
		jz	loc_8D6AEA
		cmp	ebx, 29h
		jz	loc_8D6AEA
		cmp	ebx, 3Ah
		jz	loc_8D6AEA
		cmp	ebx, 3Bh
		jz	loc_8D6AEA
		cmp	ebx, 39h
		jz	loc_8D6AEA
		cmp	ebx, 3Fh
		jz	loc_8D6AEA
		cmp	ebx, 41h
		jz	loc_8D6AEA
		cmp	ebx, 43h
		jz	loc_8D6AEA
		cmp	ebx, 1Dh
		jz	loc_8D6AF4
		cmp	ebx, 2Fh
		jz	loc_8D6AF4
		cmp	ebx, 30h
		jz	loc_8D6AF4
		cmp	ebx, 33h
		jz	loc_8D6AF4
		cmp	ebx, 35h
		jz	loc_8D6AF4
		cmp	ebx, 36h
		jz	loc_8D6AF4
		cmp	ebx, 38h
		jz	loc_8D6AF4
		cmp	ebx, 3Ch
		jz	loc_8D6AF4
		cmp	ebx, 40h
		jz	loc_8D6AF4

loc_765BDE:				; CODE XREF: PopPowerInformationInternal+171189j
		cmp	ebx, 23h
		jz	loc_8D6B02
		cmp	ebx, 18h
		jz	loc_8D6B02

loc_765BF0:				; CODE XREF: PopPowerInformationInternal+171197j
		cmp	ebx, 3Dh
		jz	loc_8D6B10
		cmp	ebx, 2Dh
		jz	loc_765D5E
		cmp	ebx, 19h
		jnz	loc_765A74
		jmp	loc_8D6B1B
; 

loc_765C10:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 90h ; case	0x2C
		jb	short loc_765C83
		cmp	[ebp+arg_4], 0
		jnz	loc_8D72A5	; default
		lea	eax, [esp+68h+var_4D]
		push	eax
		push	_PopTimeBrokerServiceSid
		push	0
		call	_RtlCheckTokenMembership@12 ; RtlCheckTokenMembership(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_765AD6
		cmp	byte ptr [esp+68h+var_4D], 0
		jz	loc_8D6AEA
		cmp	_PopPlatformAoAc, 0
		jnz	loc_8D726C

loc_765C57:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; PopPowerInformationInternal+171388j ...
		mov	esi, 0C00000BBh	; case 0x21
		jmp	loc_765AD6
; 

loc_765C61:				; CODE XREF: PopPowerInformationInternal+15Aj
		mov	eax, [esp+6Ch+var_4D+1]
		mov	[eax], ecx

loc_765C67:				; CODE XREF: PopPowerInformationInternal+4B0j
		mov	[esi], eax

loc_765C69:				; CODE XREF: PopPowerInformationInternal+560j
					; PopPowerInformationInternal+1717B1j
		mov	ecx, [esp+6Ch+var_5C]
		mov	[ecx], ebx

loc_765C6F:				; CODE XREF: PopPowerInformationInternal+465j
					; PopPowerInformationInternal+171491j ...
		mov	eax, [esp+6Ch+var_58]
		mov	byte ptr [eax],	1
		jmp	loc_765AD4
; 

loc_765C7B:				; CODE XREF: PopPowerInformationInternal+122j
		test	ecx, ecx
		jnz	loc_765A9C

loc_765C83:				; CODE XREF: PopPowerInformationInternal+114j
					; PopPowerInformationInternal+2A3j ...
		mov	esi, 0C0000023h
		jmp	loc_765AD6
; 

loc_765C8D:				; CODE XREF: PopPowerInformationInternal+13Ej
		push	206D654Dh
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+68h+var_48], eax
		test	eax, eax
		jnz	loc_765AB8
		jmp	loc_8D704B
; 

loc_765CAB:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 10h ; case	0x1F
		jnz	loc_8D72A5	; default
		cmp	[ebp+arg_4], 0
		jnz	loc_8D700A
		mov	eax, [esp+68h+var_41+1]

loc_765CC3:				; CODE XREF: PopPowerInformationInternal+1716D1j
		cmp	ebx, 1Fh
		jz	short loc_765D2D
		cmp	ebx, 20h
		jnz	loc_8D7063
		cmp	dword ptr [edi+8], 0
		jz	loc_8D7055
		mov	edx, eax
		mov	ecx, edi
		call	PopBootStatSet

loc_765CE4:				; CODE XREF: PopPowerInformationInternal+3CCj
					; PopPowerInformationInternal+171701j ...
		mov	esi, eax

loc_765CE6:				; CODE XREF: PopPowerInformationInternal+171729j
		test	esi, esi
		js	loc_8D705A
		mov	edx, [esp+68h+var_41+1]
		test	edx, edx
		jnz	loc_8D70A2

loc_765CFA:				; CODE XREF: PopPowerInformationInternal+171747j
		xor	esi, esi

loc_765CFC:				; CODE XREF: PopPowerInformationInternal+1716EAj
					; PopPowerInformationInternal+171BBCj
		test	edx, edx
		jz	loc_765AD6
		jmp	loc_8D7535
; 

loc_765D09:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 10h ; case	0x1B
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jnz	loc_8D72A5	; default
		mov	edx, [edi+0Ch]
		mov	ecx, [edi+8]
		call	_PopTransitionCheckpoint@8 ; PopTransitionCheckpoint(x,x)
		jmp	loc_765AD4
; 

loc_765D2D:				; CODE XREF: PopPowerInformationInternal+352j
		cmp	dword ptr [edi+8], 0
		jz	loc_8D7055
		mov	edx, eax
		mov	ecx, edi
		call	PopBootStatGet
		jmp	short loc_765CE4
; 

loc_765D42:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 10h ; case	0x3A
		jb	loc_8D72A5	; default
		push	dword ptr [edi+0Ch]
		push	dword ptr [edi+8]
		call	_PoDirectedDripsSetDeviceFlags@8 ; PoDirectedDripsSetDeviceFlags(x,x)

loc_765D57:				; CODE XREF: PopPowerInformationInternal+41Aj
					; PopPowerInformationInternal+1712AFj ...
		mov	esi, eax
		jmp	loc_765AD6
; 

loc_765D5E:				; CODE XREF: PopPowerInformationInternal+288j
		call	_PopIsRunningAsLocalSystem@0 ; PopIsRunningAsLocalSystem()
		test	al, al
		jnz	loc_765A7D
		jmp	loc_8D6B10
; 

loc_765D70:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		xor	eax, eax	; case 0x2
		mov	_PopVideoInitialized, 1
		push	eax
		push	eax
		push	eax
		push	eax
		push	1
		push	offset _PopVideoInitialized
		push	offset _WNF_PO_VIDEO_INITIALIALIZED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		jmp	short loc_765D57
; 

loc_765D90:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 8	; case 0x4
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jz	loc_765C83
		push	206D654Dh
		push	1
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8D704B
		cmp	_PopPlatformAoAc, 0
		jnz	loc_8D6BD2

loc_765DC9:				; CODE XREF: PopPowerInformationInternal+171265j
		xor	al, al

loc_765DCB:				; CODE XREF: PopPowerInformationInternal+17126Dj
					; PopPowerInformationInternal+1719E5j
		mov	[edi], al
		mov	[esi], edi

loc_765DCF:				; CODE XREF: PopPowerInformationInternal+171860j
		mov	ecx, [esp+68h+var_58]
		mov	dword ptr [ecx], 1
		jmp	loc_765C6F
; 

loc_765DDE:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 0Ch ; case	0x2D
		jnz	loc_8D72A5	; default
		cmp	byte ptr [edi+8], 0
		jnz	loc_765EF0
		call	_PoUserShutdownCancelled@0 ; PoUserShutdownCancelled()
		jmp	loc_765AD4
; 

loc_765DFC:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_4], 0	; case 0x3F
		jz	loc_8D72A5	; default
		push	206D654Dh
		push	4
		pop	ebx
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_8D704B
		mov	dword ptr [eax], offset	_SshpRoutineBlock
		jmp	loc_765C67
; 

loc_765E29:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 14h ; case	0x0
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jz	loc_765C83
		mov	ebx, 206D654Dh
		push	ebx
		push	8
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+68h+var_48], eax
		test	eax, eax
		jz	loc_8D704B
		mov	edx, eax
		mov	ecx, edi
		call	_PopFxPlatformRegisterInterface@8 ; PopFxPlatformRegisterInterface(x,x)

loc_765E61:				; CODE XREF: PopPowerInformationInternal+1718F3j
		mov	esi, eax
		mov	eax, [esp+68h+var_48]
		test	esi, esi
		js	loc_8D6B56
		mov	ecx, [esp+68h+var_4D+1]
		mov	[ecx], eax

loc_765E75:				; CODE XREF: PopPowerInformationInternal+171226j
		mov	ecx, [esp+68h+var_58]
		mov	dword ptr [ecx], 8

loc_765E7F:				; CODE XREF: PopPowerInformationInternal+1713D1j
					; PopPowerInformationInternal+171A5Dj
		mov	eax, [esp+68h+var_54]
		mov	byte ptr [eax],	1
		jmp	loc_765AD6
; 

loc_765E8B:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 8	; case 0x7
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jz	loc_765C83
		push	206D654Dh
		push	20h
		pop	ebx
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_8D704B
		mov	esi, offset _PopBsdPowerTransitionAtBoot

loc_765EBE:				; CODE XREF: PopPowerInformationInternal+171898j
		push	8
		pop	ecx
		mov	edi, edx
		xor	eax, eax
		rep stosd
		push	8
		pop	ecx
		mov	edi, edx
		rep movsd
		mov	ecx, [esp+68h+var_4D+1]
		mov	[ecx], edx
		jmp	loc_765C69
; 

loc_765ED9:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 0Ch ; case	0x17
		jnz	loc_8D72A5	; default
		mov	cl, [edi+8]
		call	_PopUpdateExternalDisplayState@4 ; PopUpdateExternalDisplayState(x)
		jmp	loc_765AD4
; 

loc_765EF0:				; CODE XREF: PopPowerInformationInternal+478j
		call	PoUserShutdownInitiated
		jmp	loc_765AD4
PopPowerInformationInternal endp

; 
		align 4
off_765EFC	dd offset loc_765E29, offset loc_8D6B5D, offset	loc_765D70
					; DATA XREF: PopPowerInformationInternal:loc_765A7Dr
		dd offset loc_8D6B9F, offset loc_765D90, offset	loc_8D6BE6 ; jump table	for switch statement
		dd offset loc_8D6C07, offset loc_765E8B, offset	loc_8D6CD4
		dd offset loc_8D72A5, offset loc_8D72A5, offset	loc_8D72A5
		dd offset loc_8D72A5, offset loc_8D72A5, offset	loc_8D72A5
		dd offset loc_8D72A5, offset loc_8D72A5, offset	loc_8D72A5
		dd offset loc_8D6CF5, offset loc_8D6C28, offset	loc_8D6D4A
		dd offset loc_765A84, offset loc_8D6D9F, offset	loc_765ED9
		dd offset loc_8D6E0A, offset loc_8D6EB6, offset	loc_8D6EE7
		dd offset loc_765D09, offset loc_8D6FB5, offset	loc_8D6FDD
		dd offset loc_8D6F5A, offset loc_765CAB, offset	loc_765CAB
		dd offset loc_765C57, offset loc_765CAB, offset	loc_765CAB
		dd offset loc_8D70C0, offset loc_8D70EE, offset	loc_765CAB
		dd offset loc_8D712A, offset loc_8D7141, offset	loc_8D7172
		dd offset loc_8D71D9, offset loc_8D7211, offset	loc_765C10
		dd offset loc_765DDE, offset loc_8D72B8, offset	loc_8D72D7
		dd offset loc_8D730C, offset loc_8D7332, offset	loc_8D735E
		dd offset loc_8D738A, offset loc_8D72A5, offset	loc_8D73A9
		dd offset loc_8D73A9, offset loc_8D72A5, offset	loc_8D73A9
		dd offset loc_8D73F0, offset loc_765D42, offset	loc_8D73D6
		dd offset loc_8D7409, offset loc_8D7453, offset	loc_8D74A4
		dd offset loc_765DFC, offset loc_8D73A9, offset	loc_8D74CB
		dd offset loc_765C57, offset loc_8D74F4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopBlackBoxUpdate proc near		; CODE XREF: NtPowerInformation+7A0p

var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D7542 SIZE 0000003D BYTES
; FUNCTION CHUNK AT 008D75AF SIZE 0000000A BYTES
; FUNCTION CHUNK AT 008D75C7 SIZE 00000014 BYTES

		push	28h
		push	offset dword_6A0960
		call	__SEH_prolog4
		mov	esi, ecx
		mov	[ebp+var_20], esi
		xor	eax, eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_19], al
		mov	edi, [esi+0Ch]
		cmp	edi, 15h
		ja	loc_766185
		shl	edi, 6
		add	edi, offset _PopBlackBoxEntries
		mov	[ebp+var_38], edi
		test	dl, dl
		jnz	loc_766109

loc_766045:				; CODE XREF: PopBlackBoxUpdate+12Dj
					; PopBlackBoxUpdate+171563j
		mov	ebx, [esi+10h]
		mov	[ebp+var_19], 1
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopBlackBoxLock
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi+4]
		test	bl, 1
		mov	ebx, ecx
		jnz	loc_766144
		and	[ebp+var_24], 0
		mov	eax, 1000h
		cmp	ecx, eax
		jnb	loc_7661AF

loc_766085:				; CODE XREF: PopBlackBoxUpdate+1A5j
		mov	[edi+38h], ecx
		mov	[edi+34h], ebx

loc_76608B:				; CODE XREF: PopBlackBoxUpdate+174j
		cmp	dword ptr [edi+30h], 0
		jz	loc_76618F

loc_766095:				; CODE XREF: PopBlackBoxUpdate+198j
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	[edi+28h], eax
		mov	[edi+2Ch], edx
		test	ebx, ebx
		jnz	short loc_7660E7

loc_7660A6:				; CODE XREF: PopBlackBoxUpdate+FBj
		xor	esi, esi

loc_7660A8:				; CODE XREF: PopBlackBoxUpdate+153j
					; PopBlackBoxUpdate+17Ej ...
		mov	ebx, offset _PopBlackBoxLock
		cmp	[ebp+var_19], 0
		jz	short loc_7660D5
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		test	al, 2
		jnz	loc_8D75C7

loc_7660C2:				; CODE XREF: PopBlackBoxUpdate+1715BDj
					; PopBlackBoxUpdate+1715CAj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_7660D5:				; CODE XREF: PopBlackBoxUpdate+A5j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7660E7:				; CODE XREF: PopBlackBoxUpdate+98j
		mov	[ebp+ms_exc.disabled], 1
		push	ebx		; size_t
		push	dword ptr [esi]	; void *
		mov	eax, [edi+30h]
		add	eax, [ebp+var_24]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_7660A6
; 

loc_766109:				; CODE XREF: PopBlackBoxUpdate+33j
		mov	[ebp+ms_exc.disabled], eax
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_76612E
		mov	edx, [esi]
		lea	ebx, [edx+ecx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	ebx, ecx
		ja	loc_8D7542
		cmp	ebx, edx
		jb	loc_8D7542

loc_76612E:				; CODE XREF: PopBlackBoxUpdate+105j
					; PopBlackBoxUpdate+171538j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	byte ptr [edi+8], 1
		jz	loc_766045
		jmp	loc_8D7549
; 

loc_766144:				; CODE XREF: PopBlackBoxUpdate+62j
		test	ebx, ebx
		jz	short loc_766185
		mov	eax, [esi+8]
		mov	[ebp+var_24], eax
		lea	ecx, [ebp+var_28]
		push	ecx
		mov	edx, ebx
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7660A8
		mov	ecx, [ebp+var_28]
		cmp	ecx, [edi+38h]
		ja	short loc_766185
		mov	eax, 1000h
		mov	edx, [ebp+var_24]
		cmp	edx, eax
		jnb	short loc_7661B6
		cmp	ecx, eax
		ja	short loc_7661BA

loc_76617D:				; CODE XREF: PopBlackBoxUpdate+1ACj
					; PopBlackBoxUpdate+1B2j
		mov	esi, [ebp+var_20]
		jmp	loc_76608B
; 

loc_766185:				; CODE XREF: PopBlackBoxUpdate+1Fj
					; PopBlackBoxUpdate+13Aj ...
		mov	esi, 0C000000Dh
		jmp	loc_7660A8
; 

loc_76618F:				; CODE XREF: PopBlackBoxUpdate+83j
		push	206D654Dh
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+30h], eax
		test	eax, eax
		jnz	loc_766095
		jmp	loc_8D75AF
; 

loc_7661AF:				; CODE XREF: PopBlackBoxUpdate+73j
		mov	ebx, eax
		jmp	loc_766085
; 

loc_7661B6:				; CODE XREF: PopBlackBoxUpdate+16Bj
		xor	ebx, ebx
		jmp	short loc_76617D
; 

loc_7661BA:				; CODE XREF: PopBlackBoxUpdate+16Fj
		mov	ebx, eax
		sub	ebx, edx
		jmp	short loc_76617D
PopBlackBoxUpdate endp


;  S U B	R O U T	I N E 


PopCapturePlatformRole proc near	; CODE XREF: NtPowerInformation+743p
					; PopDripsWatchdogInitializeActions(x)+32p

; FUNCTION CHUNK AT 008D75DB SIZE 00000027 BYTES

		mov	eax, _PopPlatformRole
		test	eax, eax
		jz	loc_8D75DB

locret_7661CD:				; CODE XREF: PopCapturePlatformRole+171438j
		retn
PopCapturePlatformRole endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopGetSettingNotificationName proc near	; CODE XREF: NtPowerInformation+7DAp

var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D7602 SIZE 0000000A BYTES

		push	28h
		push	offset dword_6A0988
		call	__SEH_prolog4_GS
		mov	[ebp+var_30], edx
		mov	esi, ecx
		xor	eax, eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_26], al
		mov	ecx, offset _PopSettingLock
		call	ExAcquireFastMutex
		mov	[ebp+var_25], 1
		test	esi, esi
		jz	loc_7663A5
		mov	edi, [esi+10h]

loc_766203:				; CODE XREF: PopGetSettingNotificationName+1DAj
		mov	ebx, esi
		neg	ebx
		sbb	ebx, ebx
		and	ebx, esi
		jz	loc_7663AD
		mov	ecx, ebx	; void *
		call	_PopStateIsSessionSpecific@4 ; PopStateIsSessionSpecific(x)
		test	al, al
		jnz	loc_7662A9
		or	edi, 0FFFFFFFFh

loc_766223:				; CODE XREF: PopGetSettingNotificationName+115j
					; PopGetSettingNotificationName+192j ...
		mov	edx, edi
		mov	ecx, ebx
		call	_PopFindPowerSettingConfiguration@8 ; PopFindPowerSettingConfiguration(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_766296
		cmp	dword ptr [edi+28h], 0
		jz	loc_7662E8

loc_76623C:				; CODE XREF: PopGetSettingNotificationName+11Ej
		mov	eax, [edi+28h]
		mov	[ebp+var_24], eax
		mov	eax, [edi+2Ch]

loc_766245:				; CODE XREF: PopGetSettingNotificationName+1F1j
		mov	[ebp+var_20], eax

loc_766248:				; CODE XREF: PopGetSettingNotificationName+167j
					; PopGetSettingNotificationName+221j
		mov	ecx, offset _PopSettingLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	[ebp+var_25], 0
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+var_30]
		mov	[ecx], eax
		mov	eax, [ebp+var_20]
		mov	[ecx+4], eax
		xor	esi, esi

loc_76626A:				; CODE XREF: sub_8D761A+6j
		mov	[ebp+var_38], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_766274:				; CODE XREF: PopGetSettingNotificationName+CDj
					; PopGetSettingNotificationName+130j ...
		cmp	[ebp+var_25], 0
		jnz	short loc_76629D

loc_76627A:				; CODE XREF: PopGetSettingNotificationName+D9j
		cmp	[ebp+var_26], 0
		jnz	loc_76633A

loc_766284:				; CODE XREF: PopGetSettingNotificationName+176j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_766296:				; CODE XREF: PopGetSettingNotificationName+62j
		mov	esi, 0C0000225h
		jmp	short loc_766274
; 

loc_76629D:				; CODE XREF: PopGetSettingNotificationName+AAj
		mov	ecx, offset _PopSettingLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	short loc_76627A
; 

loc_7662A9:				; CODE XREF: PopGetSettingNotificationName+4Cj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	esi, eax
		mov	[ebp+var_2C], esi
		cmp	edi, 0FFFFFFFFh
		jnz	loc_766349

loc_7662C9:				; CODE XREF: PopGetSettingNotificationName+17Dj
		cmp	esi, 0FFFFFFFFh
		jz	loc_8D7602
		mov	ecx, esi
		call	_PsIsServiceSession@4 ;	PsIsServiceSession(x)
		test	al, al
		jnz	loc_8D7602
		mov	edi, esi
		jmp	loc_766223
; 

loc_7662E8:				; CODE XREF: PopGetSettingNotificationName+68j
		cmp	dword ptr [edi+2Ch], 0
		jnz	loc_76623C
		lea	ecx, [ebp+var_24]
		call	_PopCreateNotificationName@4 ; PopCreateNotificationName(x)
		mov	esi, eax
		test	esi, esi
		js	loc_766274
		push	10h		; size_t
		push	(offset	loc_407FB3+5) ;	void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7663F4

loc_76631C:				; CODE XREF: PopGetSettingNotificationName+22Aj
		mov	ecx, [edi+24h]
		mov	eax, [ebp+var_24]
		mov	[edi+28h], eax
		mov	eax, [ebp+var_20]
		mov	[edi+2Ch], eax
		or	ecx, 1
		mov	[edi+24h], ecx
		mov	[ebp+var_26], 1
		jmp	loc_766248
; 

loc_76633A:				; CODE XREF: PopGetSettingNotificationName+B0j
		mov	ecx, 80h
		call	_PopSetNotificationWork@4 ; PopSetNotificationWork(x)
		jmp	loc_766284
; 

loc_766349:				; CODE XREF: PopGetSettingNotificationName+F5j
		cmp	edi, esi
		jz	loc_7662C9
		mov	ecx, _SeLocalSystemSid
		call	_PopValidateContextMembership@4	; PopValidateContextMembership(x)
		mov	esi, eax
		test	esi, esi
		jns	loc_766223
		mov	ecx, [ebp+var_2C]
		call	_PsIsServiceSession@4 ;	PsIsServiceSession(x)
		test	al, al
		jz	loc_766274
		mov	ecx, edi
		call	_MmIsSessionInCurrentServerSilo@4 ; MmIsSessionInCurrentServerSilo(x)
		test	al, al
		jz	loc_766274
		mov	ecx, ds:_SeExports
		mov	ecx, [ecx+128h]
		call	_PopValidateContextMembership@4	; PopValidateContextMembership(x)
		mov	esi, eax
		test	esi, esi
		jns	loc_766223
		jmp	loc_766274
; 

loc_7663A5:				; CODE XREF: PopGetSettingNotificationName+2Cj
		or	edi, 0FFFFFFFFh
		jmp	loc_766203
; 

loc_7663AD:				; CODE XREF: PopGetSettingNotificationName+3Dj
		mov	ecx, _PopPopPowerSettingSetChangeNotification
		test	ecx, ecx
		jz	short loc_7663C4

loc_7663B7:				; CODE XREF: PopGetSettingNotificationName+1FDj
		mov	[ebp+var_24], ecx
		mov	eax, dword_6CEA4C
		jmp	loc_766245
; 

loc_7663C4:				; CODE XREF: PopGetSettingNotificationName+1E7j
		cmp	dword_6CEA4C, 0
		jnz	short loc_7663B7
		lea	ecx, [ebp+var_24]
		call	_PopCreateNotificationName@4 ; PopCreateNotificationName(x)
		mov	esi, eax
		test	esi, esi
		js	loc_766274
		mov	eax, [ebp+var_24]
		mov	_PopPopPowerSettingSetChangeNotification, eax
		mov	eax, [ebp+var_20]
		mov	dword_6CEA4C, eax
		jmp	loc_766248
; 

loc_7663F4:				; CODE XREF: PopGetSettingNotificationName+148j
		or	dword ptr [edi+24h], 8
		jmp	loc_76631C
PopGetSettingNotificationName endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopUmpoProcessMessages proc near	; CODE XREF: PopUmpoMessageCallback(x,x,x)p
					; PopUmpoInitializeChannel+1A9p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D7625 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+8Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6F706D55h
		mov	esi, 1000h
		xor	ebx, ebx
		push	esi
		push	1
		mov	[esp+0A4h+var_88], ebx
		mov	[esp+0A4h+var_80], ebx
		mov	[esp+0A4h+var_7C], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8D7625
		push	6Ch		; size_t
		lea	eax, [esp+9Ch+var_78]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+98h+var_84]
		push	eax
		push	6Ch
		lea	eax, [esp+0A0h+var_78]
		push	eax
		push	20000000h
		call	_AlpcInitializeMessageAttribute@16 ; AlpcInitializeMessageAttribute(x,x,x,x)
		mov	[esp+98h+var_88], esi

loc_766471:				; CODE XREF: PopUmpoProcessMessages+EAj
		lea	eax, [esp+98h+var_80]
		push	eax
		lea	eax, [esp+9Ch+var_78]
		push	eax
		lea	eax, [esp+0A0h+var_88]
		push	eax
		push	edi
		push	ebx
		push	ebx
		push	ebx
		push	_PopAlpcServerPort
		call	_ZwAlpcSendWaitReceivePort@32 ;	ZwAlpcSendWaitReceivePort(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7664B5
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	short loc_7664EA

loc_7664A0:				; CODE XREF: PopUmpoProcessMessages+F3j
		mov	ecx, [esp+98h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7664B5:				; CODE XREF: PopUmpoProcessMessages+95j
		mov	esi, 20000000h
		lea	eax, [esp+98h+var_78]
		push	esi
		push	eax
		call	_AlpcGetMessageAttribute@8 ; AlpcGetMessageAttribute(x,x)
		mov	edx, eax
		mov	ecx, edi
		call	PopUmpoProcessMessage
		lea	eax, [esp+98h+var_84]
		push	eax
		push	6Ch
		lea	eax, [esp+0A0h+var_78]
		push	eax
		push	esi
		call	_AlpcInitializeMessageAttribute@16 ; AlpcInitializeMessageAttribute(x,x,x,x)
		mov	[esp+98h+var_88], 1000h
		jmp	short loc_766471
; 

loc_7664EA:				; CODE XREF: PopUmpoProcessMessages+A0j
					; PopUmpoProcessMessages+17122Cj
		mov	ecx, esi
		call	_PopDiagTraceUmpoAlpcProcessingError@4 ; PopDiagTraceUmpoAlpcProcessingError(x)
		jmp	short loc_7664A0
PopUmpoProcessMessages endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopUmpoProcessMessage proc near		; CODE XREF: PopUmpoSendPowerMessage+112p
					; PopUmpoProcessMessages+CBp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D7653 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		movzx	ecx, word ptr [edi+4]
		mov	eax, ecx
		and	eax, 0FFFF00FFh
		cmp	eax, 1
		jz	loc_8D768F
		jbe	short loc_766546
		cmp	eax, 3
		ja	short loc_76655C
		test	ecx, 2000h
		jnz	loc_8D768F
		lea	ecx, [edi+18h]
		call	PopUmpoProcessPowerMessage
		mov	esi, eax
		test	esi, esi
		js	short loc_766548

loc_766546:				; CODE XREF: PopUmpoProcessMessage+31j
					; PopUmpoProcessMessage+6Bj ...
		mov	esi, ebx

loc_766548:				; CODE XREF: PopUmpoProcessMessage+50j
					; sub_8D762F+1Fj ...
		mov	ecx, [esp+58h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_76655C:				; CODE XREF: PopUmpoProcessMessage+36j
		cmp	eax, 4
		jbe	short loc_766546
		cmp	eax, 6
		jbe	loc_8D7653
		cmp	eax, 0Ah
		jnz	short loc_766546
		push	2Ch		; size_t
		lea	eax, [esp+5Ch+var_30]
		mov	[esp+5Ch+var_48], 18h
		push	ebx		; int
		push	eax		; void *
		mov	[esp+64h+var_44], ebx
		mov	[esp+64h+var_3C], 200h
		mov	[esp+64h+var_40], ebx
		mov	[esp+64h+var_38], ebx
		mov	[esp+64h+var_34], ebx
		call	_memset
		add	esp, 0Ch
		mov	[esp+58h+var_20], 1000h
		cmp	_PopUmpoAlpcClientConnected, bl
		lea	eax, [esp+58h+var_30]
		setz	byte ptr [esp+58h+var_4C]
		push	[esp+58h+var_4C]
		push	ebx
		push	edi
		push	ebx
		push	eax
		lea	eax, [esp+6Ch+var_48]
		push	eax
		push	ebx
		push	_PopAlpcServerPort
		push	offset _PopAlpcClientPort
		call	_ZwAlpcAcceptConnectPort@36 ; ZwAlpcAcceptConnectPort(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	sub_8D762F
		mov	_PopUmpoAlpcClientConnected, 1
		jmp	loc_766546
PopUmpoProcessMessage endp


;  S U B	R O U T	I N E 


PopUmpoProcessPowerMessage proc	near	; CODE XREF: PopUmpoProcessMessage+47p

; FUNCTION CHUNK AT 008D76A1 SIZE 00000029 BYTES

		mov	edi, edi
		push	ecx
		mov	eax, [ecx]
		sub	eax, 4
		jnz	short loc_766604
		add	ecx, 4
		call	_PopSetNewPolicyValue@4	; PopSetNewPolicyValue(x)
		test	eax, eax
		js	short loc_766602

loc_766600:				; CODE XREF: PopUmpoProcessPowerMessage+2Cj
					; PopUmpoProcessPowerMessage+37j ...
		xor	eax, eax

loc_766602:				; CODE XREF: PopUmpoProcessPowerMessage+14j
		pop	ecx
		retn
; 

loc_766604:				; CODE XREF: PopUmpoProcessPowerMessage+8j
		sub	eax, 3
		jz	short loc_766635
		sub	eax, 1
		jnz	short loc_766618
		add	ecx, 4
		call	PopProcessPowerRequestOverrideQueryResponse
		jmp	short loc_766600
; 

loc_766618:				; CODE XREF: PopUmpoProcessPowerMessage+22j
		dec	eax
		sub	eax, 1
		jz	short loc_766628
		sub	eax, 4
		jnz	short loc_766600
		jmp	loc_8D76A1
; 

loc_766628:				; CODE XREF: PopUmpoProcessPowerMessage+32j
		cmp	byte ptr [ecx+4], 0
		jnz	short loc_766640

loc_76662E:				; CODE XREF: PopUmpoProcessPowerMessage+5Bj
		call	_PopPowerRequestOverrideInitialize@0 ; PopPowerRequestOverrideInitialize()
		jmp	short loc_766600
; 

loc_766635:				; CODE XREF: PopUmpoProcessPowerMessage+1Dj
		cmp	byte ptr [ecx+10h], 0
		jz	short loc_766600
		jmp	loc_8D76AE
; 

loc_766640:				; CODE XREF: PopUmpoProcessPowerMessage+42j
		call	_PopPowerRequestNotificationsBegin@0 ; PopPowerRequestNotificationsBegin()
		jmp	short loc_76662E
PopUmpoProcessPowerMessage endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetNewPolicyValue(x)
_PopSetNewPolicyValue@4	proc near	; CODE XREF: PopUmpoProcessPowerMessage+Dp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
Length		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	edx, [ebp+var_14]
		xor	esi, esi
		push	1
		mov	[ebp+var_14], esi
		lea	eax, [edi+4]
		mov	[ebp+var_10], esi
		lea	ebx, [edi+14h]
		mov	[ebp+var_4], eax
		mov	ecx, ebx
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		test	eax, eax
		js	short loc_76667F
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_76667F:				; CODE XREF: PopSetNewPolicyValue(x)+2Cj
		mov	ecx, ebx	; void *
		call	_PopStateIsSessionSpecific@4 ; PopStateIsSessionSpecific(x)
		test	al, al
		jnz	short loc_7666C7
		mov	eax, [edi+38h]
		mov	esi, [edi+34h]
		mov	[ebp+Length], eax
		lea	eax, [edi+3Ch]
		push	10h		; size_t
		mov	[ebp+var_C], eax
		lea	eax, [edi+24h]
		push	(offset	loc_405607+1) ;	void *
		push	eax		; void *
		mov	[ebp+var_10], esi
		call	_memcmp
		mov	edi, [ebp+Length]
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7666CE

loc_7666B6:				; CODE XREF: PopSetNewPolicyValue(x)+BAj
		push	[ebp+var_C]	; void *
		or	edx, 0FFFFFFFFh
		mov	ecx, ebx
		push	edi		; Length
		push	esi		; int
		call	PopSetPowerSettingValue
		mov	esi, eax

loc_7666C7:				; CODE XREF: PopSetNewPolicyValue(x)+40j
					; PopSetNewPolicyValue(x)+B5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7666CE:				; CODE XREF: PopSetNewPolicyValue(x)+6Cj
		mov	ecx, [ebp+var_4] ; void	*
		mov	edx, ebx	; int
		push	edi		; int
		push	[ebp+var_C]	; int
		push	esi		; int
		call	PpmSetProfilePolicySetting
		push	10h		; size_t
		push	offset _GUID_NULL ; void *
		push	[ebp+var_4]	; void *
		lea	esi, [eax+3FFFFDDBh]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7666C7
		mov	esi, [ebp+var_10]
		jmp	short loc_7666B6
_PopSetNewPolicyValue@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStringFromGUIDEx(x, x, x)
_RtlStringFromGUIDEx@12	proc near	; CODE XREF: BapdpMarshallBootDataToRegistry+82A8Dp
					; KsepEvntLogShimsApplied(x,x,x)+BDp ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jz	short loc_766785
		push	4Eh
		pop	eax
		push	eax
		mov	[esi+2], ax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[esi+4], eax
		test	eax, eax
		jz	short loc_766797
		movzx	ecx, word ptr [esi+2]

loc_76672D:				; CODE XREF: RtlStringFromGUIDEx(x,x,x)+8Aj
		push	4Ch
		pop	eax
		mov	[esi], ax
		movzx	eax, byte ptr [edi+0Fh]
		push	eax
		movzx	eax, byte ptr [edi+0Eh]
		push	eax
		movzx	eax, byte ptr [edi+0Dh]
		push	eax
		movzx	eax, byte ptr [edi+0Ch]
		push	eax
		movzx	eax, byte ptr [edi+0Bh]
		push	eax
		movzx	eax, byte ptr [edi+0Ah]
		push	eax
		movzx	eax, byte ptr [edi+9]
		push	eax
		movzx	eax, byte ptr [edi+8]
		push	eax
		movzx	eax, word ptr [edi+6]
		push	eax
		movzx	eax, word ptr [edi+4]
		push	eax
		push	dword ptr [edi]
		movzx	eax, cx
		push	offset _GuidFormat
		shr	eax, 1
		push	eax
		push	dword ptr [esi+4]
		call	_swprintf_s
		add	esp, 38h
		xor	eax, eax

loc_76677F:				; CODE XREF: RtlStringFromGUIDEx(x,x,x)+91j
					; RtlStringFromGUIDEx(x,x,x)+98j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_766785:				; CODE XREF: RtlStringFromGUIDEx(x,x,x)+Fj
		movzx	eax, word ptr [esi+2]
		mov	ecx, eax
		cmp	eax, 4Eh
		jnb	short loc_76672D
		mov	eax, 0C0000023h
		jmp	short loc_76677F
; 

loc_766797:				; CODE XREF: RtlStringFromGUIDEx(x,x,x)+23j
		mov	eax, 0C0000017h
		jmp	short loc_76677F
_RtlStringFromGUIDEx@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopSetPowerSettingValue(int,SIZE_T Length,void *)
PopSetPowerSettingValue	proc near	; CODE XREF: PopInitilizeAcDcSettings+1Fp
					; PopInitilizeAcDcSettings+36p	...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
Source2		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
Length		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D76CA SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+Length]
		xor	eax, eax
		push	74655350h
		push	edi
		mov	ebx, edx
		mov	[ebp+var_C], ecx
		mov	esi, eax
		mov	[ebp+var_20], ebx
		push	1
		mov	[ebp+var_4], al
		mov	[ebp+var_2], al
		mov	[ebp+var_5], al
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], esi
		mov	[ebp+var_3], al
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+Source2], eax
		test	eax, eax
		jz	loc_8D76CA
		xor	cl, cl
		call	PopIncrementPowerSettingPendingUpdates
		push	edi		; size_t
		push	[ebp+arg_8]	; void *
		push	[ebp+Source2]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, edi	; int
		mov	edi, [ebp+var_C]
		mov	ecx, edi	; void *
		push	[ebp+Source2]	; int
		call	PopValidatePowerSettingData
		mov	ecx, edi	; void *
		call	_PopStateIsSessionSpecific@4 ; PopStateIsSessionSpecific(x)
		mov	ecx, offset _PopSettingLock
		mov	[ebp+var_1], al
		call	ExAcquireFastMutex
		mov	edx, ebx
		mov	ecx, edi
		call	_PopFindPowerSettingConfiguration@8 ; PopFindPowerSettingConfiguration(x,x)
		mov	ebx, eax
		mov	[ebp+var_18], eax
		test	ebx, ebx
		jz	loc_7669DB

loc_766831:				; CODE XREF: PopSetPowerSettingValue+2F4j
		mov	edi, [ebp+arg_0]
		push	[ebp+Length]	; Length
		mov	edx, [ebp+Source2] ; Source2
		mov	edi, [ebx+edi*4+30h]
		mov	ecx, edi	; int
		call	_PopArePowerSettingsEqual@12 ; PopArePowerSettingsEqual(x,x,x)
		test	al, al
		jz	short loc_7668A6
		xor	ebx, ebx

loc_76684B:				; CODE XREF: PopSetPowerSettingValue+1EFj
					; PopSetPowerSettingValue+170F45j
		mov	edi, [ebp+var_C]

loc_76684E:				; CODE XREF: PopSetPowerSettingValue+170F3Bj
		mov	ecx, offset _PopSettingLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	[ebp+var_2], 0
		jnz	loc_766A97

loc_766862:				; CODE XREF: PopSetPowerSettingValue+309j
		push	74655350h
		push	[ebp+Source2]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	_PopOsInitPhase, 3
		jb	short loc_766896
		cmp	[ebp+var_3], 0
		jnz	loc_766AF4

loc_766882:				; CODE XREF: PopSetPowerSettingValue+368j
		cmp	[ebp+var_4], 0
		jnz	loc_766992

loc_76688C:				; CODE XREF: PopSetPowerSettingValue+203j
		cmp	[ebp+var_5], 0
		jnz	loc_766ADF

loc_766896:				; CODE XREF: PopSetPowerSettingValue+D8j
					; PopSetPowerSettingValue+34Bj
		xor	cl, cl
		call	PopDecrementPowerSettingPendingUpdates
		mov	eax, ebx

loc_76689F:				; CODE XREF: PopSetPowerSettingValue+170F31j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7668A6:				; CODE XREF: PopSetPowerSettingValue+A9j
		lea	eax, [ebx+30h]
		xor	dl, dl
		xor	ecx, ecx
		mov	[ebp+var_20], eax
		mov	ebx, eax
		mov	byte ptr [ebp+arg_8+3],	dl
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_14], ecx

loc_7668BB:				; CODE XREF: PopSetPowerSettingValue+156j
		cmp	ecx, eax
		jz	short loc_7668EA
		test	esi, esi
		jnz	short loc_7668E1
		push	[ebp+Length]	; Length
		mov	edx, [ebp+Source2] ; Source2
		mov	ecx, [ebx]	; int
		call	_PopArePowerSettingsEqual@12 ; PopArePowerSettingsEqual(x,x,x)
		mov	ecx, [ebp+var_14]
		test	al, al
		mov	dl, byte ptr [ebp+arg_8+3]
		mov	eax, [ebp+arg_0]
		jnz	loc_7669A6

loc_7668E1:				; CODE XREF: PopSetPowerSettingValue+123j
					; PopSetPowerSettingValue+20Cj
		cmp	[ebx], edi
		jnz	short loc_7668EA
		mov	dl, 1
		mov	byte ptr [ebp+arg_8+3],	dl

loc_7668EA:				; CODE XREF: PopSetPowerSettingValue+11Fj
					; PopSetPowerSettingValue+145j
		inc	ecx
		add	ebx, 4
		mov	[ebp+var_14], ecx
		cmp	ecx, 3
		jl	short loc_7668BB
		mov	ebx, [ebp+var_18]
		test	esi, esi
		jnz	short loc_766959
		mov	eax, [ebp+Length]
		add	eax, 0Ch
		push	74655350h
		push	eax
		push	1
		mov	[ebp+var_20], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8D76DE
		push	[ebp+var_20]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+Length]
		xor	edx, edx
		add	esp, 0Ch
		mov	[esi+4], ecx
		inc	edx
		mov	[esi], edx

loc_766936:				; CODE XREF: PopSetPowerSettingValue+1A3j
		mov	eax, edx
		lock xadd _PopPowerSettingChangeStamp, eax
		inc	eax
		jz	short loc_766936
		push	ecx		; size_t
		push	[ebp+Source2]	; void *
		mov	[esi+8], eax
		lea	eax, [esi+0Ch]
		push	eax		; void *
		call	_memcpy
		mov	dl, byte ptr [ebp+arg_8+3]
		add	esp, 0Ch

loc_766959:				; CODE XREF: PopSetPowerSettingValue+15Dj
		test	edi, edi
		jnz	short loc_7669AF

loc_76695D:				; CODE XREF: PopSetPowerSettingValue+22Ej
					; PopSetPowerSettingValue+23Bj
		mov	eax, [ebp+arg_0]
		mov	[ebx+eax*4+30h], esi
		cmp	dword_6C2D0C, eax
		jnz	short loc_766976
		cmp	[ebp+var_1], 0
		jnz	short loc_766976
		mov	[ebp+var_4], 1

loc_766976:				; CODE XREF: PopSetPowerSettingValue+1CCj
					; PopSetPowerSettingValue+1D2j
		cmp	dword ptr [ebx+28h], 0
		jnz	loc_766AD2
		cmp	dword ptr [ebx+2Ch], 0
		jnz	loc_766AD2

loc_76698A:				; CODE XREF: PopSetPowerSettingValue+33Cj
		mov	ebx, [ebp+var_1C]
		jmp	loc_76684B
; 

loc_766992:				; CODE XREF: PopSetPowerSettingValue+E8j
		mov	cl, 1
		call	PopIncrementPowerSettingPendingUpdates
		push	20h
		pop	ecx
		call	_PopSetNotificationWork@4 ; PopSetNotificationWork(x)
		jmp	loc_76688C
; 

loc_7669A6:				; CODE XREF: PopSetPowerSettingValue+13Dj
		mov	esi, [ebx]
		inc	dword ptr [esi]
		jmp	loc_7668E1
; 

loc_7669AF:				; CODE XREF: PopSetPowerSettingValue+1BDj
		test	dl, dl
		jnz	short loc_7669C9
		lea	ecx, [ebx+8]
		mov	eax, [ecx]

loc_7669B8:				; CODE XREF: PopSetPowerSettingValue+229j
		cmp	eax, ecx
		jz	short loc_7669C9
		cmp	[eax+34h], edi
		jnz	short loc_7669C5
		and	dword ptr [eax+34h], 0

loc_7669C5:				; CODE XREF: PopSetPowerSettingValue+221j
		mov	eax, [eax]
		jmp	short loc_7669B8
; 

loc_7669C9:				; CODE XREF: PopSetPowerSettingValue+213j
					; PopSetPowerSettingValue+21Cj
		sub	dword ptr [edi], 1
		jnz	short loc_76695D
		push	74655350h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_76695D
; 

loc_7669DB:				; CODE XREF: PopSetPowerSettingValue+8Dj
		push	74655350h
		push	3Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_18], ebx
		test	ebx, ebx
		jz	loc_8D76D4
		push	3Ch		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	esi, [ebp+var_C]
		lea	edi, [ebx+10h]
		mov	ecx, [ebp+var_C]
		add	esp, 0Ch
		movsd
		movsd
		movsd
		movsd
		call	_PopGetListHead@4 ; PopGetListHead(x)
		cmp	[ebp+var_1], 0
		lea	edi, [ebx+8]
		mov	ecx, eax
		mov	[edi+4], edi
		mov	[ebp+arg_8], ecx
		mov	[edi], edi
		jnz	loc_766B0B
		mov	esi, _PopRegisteredPowerSettingCallbacks
		cmp	esi, offset _PopRegisteredPowerSettingCallbacks
		jz	short loc_766A5E

loc_766A3A:				; CODE XREF: PopSetPowerSettingValue+2BBj
		push	10h		; size_t
		push	[ebp+var_C]	; void *
		mov	eax, esi
		mov	esi, [esi]
		add	eax, 14h
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_766AAC

loc_766A53:				; CODE XREF: PopSetPowerSettingValue+332j
		cmp	esi, offset _PopRegisteredPowerSettingCallbacks
		jnz	short loc_766A3A
		mov	ecx, [ebp+arg_8]

loc_766A5E:				; CODE XREF: PopSetPowerSettingValue+29Aj
		or	eax, 0FFFFFFFFh

loc_766A61:				; CODE XREF: PopSetPowerSettingValue+370j
		mov	[ebx+20h], eax
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_766B13
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	[ecx+4], ebx
		cmp	_PopPopPowerSettingSetChangeNotification, 0
		mov	[ebp+var_2], 1
		jnz	short loc_766AEE
		cmp	dword_6CEA4C, 0
		jnz	short loc_766AEE

loc_766A8F:				; CODE XREF: PopSetPowerSettingValue+354j
		mov	esi, [ebp+var_14]
		jmp	loc_766831
; 

loc_766A97:				; CODE XREF: PopSetPowerSettingValue+BEj
		xor	eax, eax
		push	eax		; int
		push	eax		; int
		push	offset _PopTracePowerSettingChange@16 ;	int
		push	edi		; void *
		push	eax		; int
		call	PoRegisterPowerSettingCallback
		jmp	loc_766862
; 

loc_766AAC:				; CODE XREF: PopSetPowerSettingValue+2B3j
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_766B13
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_766B13
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_766B13
		mov	[eax], edi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edi+4], eax
		jmp	short loc_766A53
; 

loc_766AD2:				; CODE XREF: PopSetPowerSettingValue+1DCj
					; PopSetPowerSettingValue+1E6j
		or	dword ptr [ebx+24h], 1
		mov	[ebp+var_5], 1
		jmp	loc_76698A
; 

loc_766ADF:				; CODE XREF: PopSetPowerSettingValue+F2j
		mov	ecx, 80h
		call	_PopSetNotificationWork@4 ; PopSetNotificationWork(x)
		jmp	loc_766896
; 

loc_766AEE:				; CODE XREF: PopSetPowerSettingValue+2E6j
					; PopSetPowerSettingValue+2EFj
		mov	[ebp+var_3], 1
		jmp	short loc_766A8F
; 

loc_766AF4:				; CODE XREF: PopSetPowerSettingValue+DEj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _PopPopPowerSettingSetChangeNotification
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		jmp	loc_766882
; 

loc_766B0B:				; CODE XREF: PopSetPowerSettingValue+288j
		mov	eax, [ebp+var_20]
		jmp	loc_766A61
; 

loc_766B13:				; CODE XREF: PopSetPowerSettingValue+2CBj
					; PopSetPowerSettingValue+313j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PopSetPowerSettingValue	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PopArePowerSettingsEqual(int,void *Source2,SIZE_T Length)
_PopArePowerSettingsEqual@12 proc near	; CODE XREF: PopSetPowerSettingValue+A2p
					; PopSetPowerSettingValue+12Dp

Length		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		test	ecx, ecx
		jz	short loc_766B44
		test	edx, edx
		jz	short loc_766B44
		mov	esi, [ebp+Length]
		cmp	[ecx+4], esi
		jnz	short loc_766B44
		push	esi		; Length
		push	edx		; Source2
		lea	eax, [ecx+0Ch]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, esi
		jnz	short loc_766B44
		mov	al, 1

loc_766B3F:				; CODE XREF: PopArePowerSettingsEqual(x,x,x)+2Ej
		pop	esi
		pop	ebp
		retn	4
; 

loc_766B44:				; CODE XREF: PopArePowerSettingsEqual(x,x,x)+8j
					; PopArePowerSettingsEqual(x,x,x)+Cj ...
		xor	al, al
		jmp	short loc_766B3F
_PopArePowerSettingsEqual@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFindPowerSettingConfiguration(x,	x)
_PopFindPowerSettingConfiguration@8 proc near
					; CODE XREF: PopGetPowerSettingValue(x,x,x,x,x,x)+2Ep
					; PopInitilizeAcDcSettings+4Cp	...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	ebx, ecx
		call	_PopGetListHead@4 ; PopGetListHead(x)
		mov	edi, eax
		mov	ecx, ebx	; void *
		mov	esi, [edi]
		call	_PopStateIsSessionSpecific@4 ; PopStateIsSessionSpecific(x)
		test	al, al
		jnz	short loc_766B85

loc_766B6A:				; CODE XREF: PopFindPowerSettingConfiguration(x,x)+3Bj
		cmp	esi, edi
		jz	short loc_766B9E
		push	10h		; size_t
		lea	eax, [esi+10h]
		push	ebx		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_766B97
		mov	esi, [esi]
		jmp	short loc_766B6A
; 

loc_766B85:				; CODE XREF: PopFindPowerSettingConfiguration(x,x)+20j
		cmp	esi, edi
		jz	short loc_766B9E
		mov	eax, [ebp+var_4]

loc_766B8C:				; CODE XREF: PopFindPowerSettingConfiguration(x,x)+5Ej
		cmp	[esi+20h], eax
		jnz	short loc_766BA2
		test	byte ptr [esi+24h], 4
		jnz	short loc_766BA2

loc_766B97:				; CODE XREF: PopFindPowerSettingConfiguration(x,x)+37j
		mov	eax, esi

loc_766B99:				; CODE XREF: PopFindPowerSettingConfiguration(x,x)+58j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_766B9E:				; CODE XREF: PopFindPowerSettingConfiguration(x,x)+24j
					; PopFindPowerSettingConfiguration(x,x)+3Fj ...
		xor	eax, eax
		jmp	short loc_766B99
; 

loc_766BA2:				; CODE XREF: PopFindPowerSettingConfiguration(x,x)+47j
					; PopFindPowerSettingConfiguration(x,x)+4Dj
		mov	esi, [esi]
		cmp	esi, edi
		jnz	short loc_766B8C
		jmp	short loc_766B9E
_PopFindPowerSettingConfiguration@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopGetListHead(x)
_PopGetListHead@4 proc near		; CODE XREF: PopSetPowerSettingValue+272p
					; PopFindPowerSettingConfiguration(x,x)+Ep
		mov	edi, edi
		push	ebx
		push	edi
		mov	ebx, ecx
		xor	edi, edi
		call	_PopStateIsSessionSpecific@4 ; PopStateIsSessionSpecific(x)
		test	al, al
		jnz	short loc_766BC5
		mov	edi, offset _PopPowerSettings

loc_766BC0:				; CODE XREF: PopGetListHead(x)+3Cj
		mov	eax, edi
		pop	edi
		pop	ebx
		retn
; 

loc_766BC5:				; CODE XREF: PopGetListHead(x)+Fj
		push	esi
		mov	esi, edi

loc_766BC8:				; CODE XREF: PopGetListHead(x)+42j
		push	10h		; size_t
		push	ebx		; void *
		push	ds:_PopSessionSpecificGuids[esi*4] ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_766BE8
		lea	edi, _PopSessionSpecificLists[esi*8]

loc_766BE5:				; CODE XREF: PopGetListHead(x)+44j
		pop	esi
		jmp	short loc_766BC0
; 

loc_766BE8:				; CODE XREF: PopGetListHead(x)+32j
		inc	esi
		cmp	esi, 2
		jb	short loc_766BC8
		jmp	short loc_766BE5
_PopGetListHead@4 endp


;  S U B	R O U T	I N E 


; int __fastcall PopStateIsSessionSpecific(void	*)
_PopStateIsSessionSpecific@4 proc near	; CODE XREF: PopGetSettingNotificationName+45p
					; PopSetNewPolicyValue(x)+39p ...
		mov	edi, edi
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	esi, ebx

loc_766BFB:				; CODE XREF: PopStateIsSessionSpecific(x)+26j
		push	10h		; size_t
		push	edi		; void *
		push	ds:_PopSessionSpecificGuids[esi] ; void	*
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_766C1E
		add	esi, 4
		cmp	esi, 8
		jb	short loc_766BFB

loc_766C18:				; CODE XREF: PopStateIsSessionSpecific(x)+30j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_766C1E:				; CODE XREF: PopStateIsSessionSpecific(x)+1Ej
		mov	bl, 1
		jmp	short loc_766C18
_PopStateIsSessionSpecific@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PopValidatePowerSettingData(void *,int,int)
PopValidatePowerSettingData proc near	; CODE XREF: PopSetPowerSettingValue+64p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D76E8 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		mov	ebx, edx
		push	10h		; size_t
		push	eax		; void *
		push	offset _GUID_DISK_POWERDOWN_TIMEOUT ; "8gBJj@iun"
		mov	[ebp+var_4], eax
		mov	edi, 0C0000225h
		call	_memcmp
		mov	esi, [ebp+arg_0]
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_766C83

loc_766C4E:				; CODE XREF: PopValidatePowerSettingData+64j
					; PopValidatePowerSettingData+68j ...
		push	10h		; size_t
		push	[ebp+var_4]	; void *
		push	offset _GUID_STANDBY_TIMEOUT ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_766C97

loc_766C64:				; CODE XREF: PopValidatePowerSettingData+78j
					; PopValidatePowerSettingData+7Cj ...
		push	10h		; size_t
		push	[ebp+var_4]	; void *
		push	(offset	loc_405617+1) ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_766CAB

loc_766C7A:				; CODE XREF: PopValidatePowerSettingData+8Cj
					; PopValidatePowerSettingData+90j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_766C83:				; CODE XREF: PopValidatePowerSettingData+2Aj
		cmp	ebx, 4
		jnz	short loc_766C4E
		test	esi, esi
		jz	short loc_766C4E
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_766C4E
		jmp	loc_8D76E8
; 

loc_766C97:				; CODE XREF: PopValidatePowerSettingData+40j
		cmp	ebx, 4
		jnz	short loc_766C64
		test	esi, esi
		jz	short loc_766C64
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_766C64
		jmp	loc_8D7709
; 

loc_766CAB:				; CODE XREF: PopValidatePowerSettingData+56j
		cmp	ebx, 4
		jnz	short loc_766C7A
		test	esi, esi
		jz	short loc_766C7A
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_766C7A
		jmp	loc_8D771D
PopValidatePowerSettingData endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PpmSetProfilePolicySetting(void *,int,int,int,int)
PpmSetProfilePolicySetting proc	near	; CODE XREF: PopSetNewPolicyValue(x)+90p
					; PpmProcessSettingsFromQueryTable(x,x,x)+B7p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_9		= byte ptr -9
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D7731 SIZE 00000172 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_34], edx
		push	esi
		push	edi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_30], eax
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_1A], bl
		mov	[ebp+var_19], bl
		mov	byte ptr [ebp+var_48], bl
		cmp	[ebp+arg_8], ebx
		jz	loc_8D7899
		cmp	[ebp+arg_4], ebx
		jz	loc_8D7899
		test	eax, eax
		jnz	short loc_766D20
		push	10h		; size_t
		push	offset _GUID_POWER_POLICY_PROFILE_LOW_POWER ; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_766E49
		mov	edx, [ebp+var_34]

loc_766D20:				; CODE XREF: PpmSetProfilePolicySetting+43j
		mov	ecx, offset off_7056C4
		mov	[ebp+var_40], ebx
		mov	[ebp+var_20], ecx

loc_766D2B:				; CODE XREF: PpmSetProfilePolicySetting+BFj
		mov	esi, [ecx]
		lea	edi, [ebp+var_18]
		test	byte ptr [ecx+15h], 4
		push	0
		pop	eax
		movsd
		setnz	al
		inc	eax
		mov	[ebp+var_24], eax
		movsd
		movsd
		movsd
		mov	esi, ebx
		mov	edi, eax

loc_766D46:				; CODE XREF: PpmSetProfilePolicySetting+A2j
		push	10h		; size_t
		push	edx		; void *
		lea	eax, [ebp+var_18]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_766D8B
		mov	edx, [ebp+var_34]
		inc	esi
		inc	[ebp+var_9]
		cmp	esi, edi
		jb	short loc_766D46
		mov	edx, [ebp+var_40]
		mov	ecx, [ebp+var_20]
		add	edx, 1Ch
		add	ecx, 1Ch
		mov	[ebp+var_40], edx
		cmp	edx, 5CCh
		mov	[ebp+var_20], ecx
		mov	edx, [ebp+var_34]
		jb	short loc_766D2B

loc_766D81:				; CODE XREF: PpmSetProfilePolicySetting+170AEAj
					; PpmSetProfilePolicySetting+170B0Ej
		mov	ebx, 0C0000225h
		jmp	loc_766E49
; 

loc_766D8B:				; CODE XREF: PpmSetProfilePolicySetting+97j
		mov	edi, [ebp+var_20]
		xor	eax, eax
		add	edi, 0FFFFFFFCh
		mov	[ebp+var_28], esi
		inc	eax
		xor	edx, edx
		movzx	ecx, byte ptr [edi+18h]
		call	__allshl
		test	byte ptr [edi+19h], 1
		mov	[ebp+var_38], eax
		mov	[ebp+var_20], edx
		jz	loc_766E7C
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)

loc_766DBC:				; CODE XREF: PpmSetProfilePolicySetting+1E1j
		mov	eax, _PpmCurrentProfile
		push	10h		; size_t
		push	offset _GUID_NULL ; void *
		push	[ebp+var_2C]	; void *
		mov	[ebp+var_40], eax
		mov	eax, dword_6C2D0C
		mov	[ebp+var_34], eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8D7746
		imul	eax, [ebp+var_30], 0F0h
		mov	[ebp+var_3C], eax
		lea	edx, dword_6BF8A0[eax]
		mov	eax, [edi+14h]
		mov	[ebp+var_2C], eax
		imul	eax, esi
		add	eax, [edi+10h]
		add	eax, edx
		test	byte ptr [edi+19h], 4
		mov	[ebp+var_24], eax
		jnz	short loc_766E5C

loc_766E0D:				; CODE XREF: PpmSetProfilePolicySetting+19Ej
					; PpmSetProfilePolicySetting+1AEj
		mov	eax, esi

loc_766E0F:				; CODE XREF: PpmSetProfilePolicySetting+1BAj
		push	[ebp+arg_8]
		mov	ecx, edi
		push	[ebp+arg_4]
		push	eax
		push	esi
		call	PpmInfoAdjustSetting
		mov	ebx, [ebp+var_3C]
		mov	edx, [ebp+var_38]
		push	0
		or	dword_6BF8A0[ebx+esi*8], edx
		mov	edx, [ebp+var_20]
		or	dword_6BF8A4[ebx+esi*8], edx
		pop	ebx
		test	al, al
		jnz	short loc_766EA6

loc_766E3C:				; CODE XREF: PpmSetProfilePolicySetting+220j
					; PpmSetProfilePolicySetting+2BAj ...
		push	[ebp+var_48]
		mov	dl, [ebp+var_19]
		mov	ecx, edi
		call	PpmInfoApplySettingUpdate

loc_766E49:				; CODE XREF: PpmSetProfilePolicySetting+57j
					; PpmSetProfilePolicySetting+C6j ...
		mov	ecx, [ebp+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_766E5C:				; CODE XREF: PpmSetProfilePolicySetting+14Bj
		test	esi, esi
		jnz	short loc_766E0D
		mov	ecx, [edx+8]
		mov	eax, [edx+0Ch]
		and	ecx, [ebp+var_38]
		and	eax, [ebp+var_20]
		or	ecx, eax
		jnz	short loc_766E0D
		xor	eax, eax
		mov	[ebp+var_1A], 1
		inc	eax
		mov	[ebp+var_28], eax
		jmp	short loc_766E0F
; 

loc_766E7C:				; CODE XREF: PpmSetProfilePolicySetting+ECj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C2ADC, eax
		jmp	loc_766DBC
; 

loc_766EA6:				; CODE XREF: PpmSetProfilePolicySetting+17Aj
		mov	edx, [edi]
		mov	cl, byte_6BF884
		push	ebx
		push	[ebp+var_30]
		push	[ebp+var_2C]
		push	[ebp+var_24]
		push	esi
		push	dword ptr [edi+4]
		call	PpmEventTraceProfileSetting
		cmp	[ebp+var_40], offset _PpmDefaultProfile
		jnz	short loc_766ED6
		mov	eax, [ebp+var_34]
		cmp	eax, [ebp+var_30]
		jz	loc_766F90

loc_766ED6:				; CODE XREF: PpmSetProfilePolicySetting+208j
					; PpmSetProfilePolicySetting+2D4j
		cmp	_PpmProfileCount, 0
		mov	[ebp+var_24], ebx
		jz	loc_766E3C
		mov	edx, ebx
		mov	[ebp+var_2C], ebx

loc_766EEB:				; CODE XREF: PpmSetProfilePolicySetting+2B4j
		mov	eax, _PpmProfiles
		add	eax, edx
		mov	edx, [ebp+var_3C]
		add	edx, 20h
		mov	[ebp+var_44], eax
		add	edx, eax
		mov	ecx, [edx+esi*8]
		mov	eax, [edx+esi*8+4]
		and	ecx, [ebp+var_38]
		and	eax, [ebp+var_20]
		or	ecx, eax
		jnz	short loc_766F58
		test	esi, esi
		jnz	short loc_766F7F

loc_766F12:				; CODE XREF: PpmSetProfilePolicySetting+2CCj
		test	byte ptr [edi+19h], 4
		jz	short loc_766F3A
		test	esi, esi
		jnz	short loc_766F3A
		cmp	[ebp+var_1A], 0
		jz	short loc_766F99
		mov	ecx, [edx+8]
		mov	eax, [edx+0Ch]
		and	ecx, [ebp+var_38]
		and	eax, [ebp+var_20]
		or	ecx, eax
		jnz	short loc_766F3A
		xor	eax, eax
		inc	eax

loc_766F35:				; CODE XREF: PpmSetProfilePolicySetting+2DBj
		mov	[ebp+var_28], eax
		jmp	short loc_766F3D
; 

loc_766F3A:				; CODE XREF: PpmSetProfilePolicySetting+256j
					; PpmSetProfilePolicySetting+25Aj ...
		mov	eax, [ebp+var_28]

loc_766F3D:				; CODE XREF: PpmSetProfilePolicySetting+278j
		push	[ebp+arg_8]
		mov	ecx, edi
		push	[ebp+arg_4]
		push	eax
		push	esi
		call	PpmInfoAdjustSetting
		mov	eax, [ebp+var_40]
		cmp	eax, [ebp+var_44]
		jz	loc_8D7731

loc_766F58:				; CODE XREF: PpmSetProfilePolicySetting+24Cj
					; PpmSetProfilePolicySetting+2CEj ...
		mov	ecx, [ebp+var_24]
		mov	edx, [ebp+var_2C]
		inc	ecx
		movzx	eax, _PpmProfileCount
		add	edx, 228h
		mov	[ebp+var_24], ecx
		mov	[ebp+var_2C], edx
		cmp	ecx, eax
		jb	loc_766EEB
		jmp	loc_766E3C
; 

loc_766F7F:				; CODE XREF: PpmSetProfilePolicySetting+250j
		mov	ecx, [edx]
		mov	eax, [edx+4]
		and	ecx, [ebp+var_38]
		and	eax, [ebp+var_20]
		or	ecx, eax
		jz	short loc_766F12
		jmp	short loc_766F58
; 

loc_766F90:				; CODE XREF: PpmSetProfilePolicySetting+210j
		mov	[ebp+var_19], 1
		jmp	loc_766ED6
; 

loc_766F99:				; CODE XREF: PpmSetProfilePolicySetting+260j
		mov	eax, ebx
		jmp	short loc_766F35
PpmSetProfilePolicySetting endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmInfoAdjustSetting proc near		; CODE XREF: PpmSetProfilePolicySetting+159p
					; PpmSetProfilePolicySetting+287p ...

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D78A3 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		sub	esp, 10h
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	eax, [esi+14h]
		jb	short loc_76700D

loc_766FB4:				; CODE XREF: PpmInfoAdjustSetting+73j
		movzx	ecx, byte ptr [esi+18h]
		xor	eax, eax
		push	ebx
		inc	eax
		mov	[ebp+var_1], 0
		xor	edx, edx
		call	__allshl
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_8], eax
		cmp	ebx, [ebp+arg_4]
		ja	short loc_767017

loc_766FD2:				; CODE XREF: PpmInfoAdjustSetting+4Dj
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		push	edi
		push	esi
		push	ebx
		call	PpmInfoWriteData
		test	al, al
		jnz	short loc_766FF8
		mov	al, [ebp+var_1]

loc_766FE7:				; CODE XREF: PpmInfoAdjustSetting+5Fj
		inc	ebx
		cmp	ebx, [ebp+arg_4]
		jbe	short loc_766FD2
		test	al, al
		jnz	short loc_766FFF

loc_766FF1:				; CODE XREF: PpmInfoAdjustSetting+68j
					; PpmInfoAdjustSetting+7Cj
		pop	ebx

loc_766FF2:				; CODE XREF: PpmInfoAdjustSetting+77j
		pop	edi
		pop	esi
		leave
		retn	10h
; 

loc_766FF8:				; CODE XREF: PpmInfoAdjustSetting+44j
		mov	al, 1
		mov	[ebp+var_1], al
		jmp	short loc_766FE7
; 

loc_766FFF:				; CODE XREF: PpmInfoAdjustSetting+51j
		test	[ebp+var_8], 200h
		jz	short loc_766FF1
		jmp	loc_8D78A3
; 

loc_76700D:				; CODE XREF: PpmInfoAdjustSetting+14j
		test	byte ptr [esi+19h], 8
		jnz	short loc_766FB4
		xor	al, al
		jmp	short loc_766FF2
; 

loc_767017:				; CODE XREF: PpmInfoAdjustSetting+32j
					; PpmInfoAdjustSetting+170910j
		mov	al, [ebp+var_1]
		jmp	short loc_766FF1
PpmInfoAdjustSetting endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmInfoWriteData proc near		; CODE XREF: PpmInfoAdjustSetting+3Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D78B3 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	eax, ecx
		mov	edx, [ebp+arg_4]
		xor	ecx, ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], ecx
		mov	ebx, [edx+14h]
		mov	esi, ebx
		imul	esi, [ebp+arg_0]
		mov	[ebp+var_10], ebx
		add	esi, [edx+10h]
		add	esi, [ebp+arg_8]
		test	byte ptr [edx+19h], 8
		mov	[ebp+var_C], esi
		jnz	short loc_76707E
		cmp	ebx, 1
		jnz	short loc_767071
		movzx	ecx, byte ptr [eax]
		movzx	edi, byte ptr [esi]
		call	PpmInfoApplyMinMaxConstraint
		mov	[esi], al

loc_767063:				; CODE XREF: PpmInfoWriteData+60j
		cmp	edi, eax
		setnz	cl

loc_767068:				; CODE XREF: PpmInfoWriteData+A8j
					; PpmInfoWriteData+BAj
		pop	edi
		pop	esi
		mov	al, cl
		pop	ebx
		leave
		retn	0Ch
; 

loc_767071:				; CODE XREF: PpmInfoWriteData+38j
		mov	ecx, [eax]
		mov	edi, [esi]
		call	PpmInfoApplyMinMaxConstraint
		mov	[esi], eax
		jmp	short loc_767063
; 

loc_76707E:				; CODE XREF: PpmInfoWriteData+33j
		cmp	edi, ebx
		jnb	loc_8D78B3

loc_767086:				; CODE XREF: PpmInfoWriteData+17089Cj
		mov	[ebp+arg_0], ecx
		test	edi, edi
		jz	short loc_7670C2
		mov	[ebp+arg_8], esi
		sub	eax, esi
		mov	[ebp+arg_4], edi
		mov	esi, eax
		mov	edi, [ebp+arg_8]

loc_76709A:				; CODE XREF: PpmInfoWriteData+9Bj
		movzx	ecx, byte ptr [esi+edi]
		call	PpmInfoApplyMinMaxConstraint
		mov	ebx, eax
		movzx	eax, byte ptr [edi]
		mov	[ebp+arg_0], ebx
		cmp	eax, ebx
		jnz	short loc_7670DF
		mov	ecx, [ebp+var_4]

loc_7670B2:				; CODE XREF: PpmInfoWriteData+CBj
		inc	edi
		sub	[ebp+arg_4], 1
		jnz	short loc_76709A
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_8]
		mov	ebx, [ebp+var_10]

loc_7670C2:				; CODE XREF: PpmInfoWriteData+6Fj
		cmp	edi, ebx
		jnb	short loc_767068
		mov	edx, [ebp+arg_0]

loc_7670C9:				; CODE XREF: PpmInfoWriteData+B8j
		movzx	eax, byte ptr [esi+edi]
		cmp	eax, edx
		jnz	short loc_7670D8

loc_7670D1:				; CODE XREF: PpmInfoWriteData+C1j
		inc	edi
		cmp	edi, ebx
		jb	short loc_7670C9
		jmp	short loc_767068
; 

loc_7670D8:				; CODE XREF: PpmInfoWriteData+B3j
		mov	cl, 1
		mov	[esi+edi], dl
		jmp	short loc_7670D1
; 

loc_7670DF:				; CODE XREF: PpmInfoWriteData+91j
		xor	ecx, ecx
		mov	[edi], bl
		inc	ecx
		mov	[ebp+var_4], ecx
		jmp	short loc_7670B2
PpmInfoWriteData endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmInfoApplySettingUpdate proc near	; CODE XREF: PpmSetProfilePolicySetting+184p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008D78BD SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	[ebp+var_8], edi
		test	dl, dl
		jnz	short loc_767142
		cmp	ds:_PopHeteroSystem, edi
		jnz	loc_8D78BD

loc_76710B:				; CODE XREF: PpmInfoApplySettingUpdate+1707DAj
					; PpmInfoApplySettingUpdate+1707EAj
		test	byte ptr [esi+19h], 1
		jz	short loc_767121
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)

loc_76711B:				; CODE XREF: PpmInfoApplySettingUpdate+56j
					; PpmInfoApplySettingUpdate+88j
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_767121:				; CODE XREF: PpmInfoApplySettingUpdate+25j
					; PpmInfoApplySettingUpdate+170800j
		cmp	dword_6C2ADC, edi
		jz	short loc_76712F
		mov	dword_6C2ADC, edi

loc_76712F:				; CODE XREF: PpmInfoApplySettingUpdate+3Dj
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	short loc_76711B
; 

loc_767142:				; CODE XREF: PpmInfoApplySettingUpdate+13j
					; PpmInfoApplySettingUpdate+1707E4j
		movzx	ecx, byte ptr [esi+18h]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		call	__allshl
		mov	[ebp+var_10], edx
		lea	ecx, [ebp+var_14]
		lea	edx, [ebp+var_8]
		mov	[ebp+var_14], eax
		call	PpmGetPolicyAction
		test	byte ptr [esi+19h], 1
		jz	loc_8D78D9
		mov	ecx, edx
		call	PpmReapplyPerfPolicy
		jmp	short loc_76711B
PpmInfoApplySettingUpdate endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1938. RtlAddAccessAllowedAce

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAddAccessAllowedAce(x, x, x, x)
		public _RtlAddAccessAllowedAce@16
_RtlAddAccessAllowedAce@16 proc	near	; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+179p
					; RtlCheckTokenMembershipEx(x,x,x,x)+1ABp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	0
		call	RtlpAddKnownAce
		pop	ebp
		retn	10h
_RtlAddAccessAllowedAce@16 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2334. RtlSetGroupSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSetGroupSecurityDescriptor(x, x,	x)
		public _RtlSetGroupSecurityDescriptor@12
_RtlSetGroupSecurityDescriptor@12 proc near
					; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+152p
					; RtlCheckTokenCapability(x,x,x)+1B5p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	byte ptr [eax],	1
		jnz	short loc_7671E6
		movzx	ecx, word ptr [eax+2]
		test	cx, cx
		js	short loc_7671ED
		and	dword ptr [eax+8], 0
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jnz	short loc_7671D8

loc_7671BF:				; CODE XREF: RtlSetGroupSecurityDescriptor(x,x,x)+3Dj
		and	ecx, 0FFFDh
		cmp	[ebp+arg_8], 0
		movzx	edx, cx
		mov	[eax+2], cx
		jnz	short loc_7671DD

loc_7671D2:				; CODE XREF: RtlSetGroupSecurityDescriptor(x,x,x)+46j
		xor	eax, eax

loc_7671D4:				; CODE XREF: RtlSetGroupSecurityDescriptor(x,x,x)+4Dj
					; RtlSetGroupSecurityDescriptor(x,x,x)+54j
		pop	ebp
		retn	0Ch
; 

loc_7671D8:				; CODE XREF: RtlSetGroupSecurityDescriptor(x,x,x)+1Fj
		mov	[eax+8], edx
		jmp	short loc_7671BF
; 

loc_7671DD:				; CODE XREF: RtlSetGroupSecurityDescriptor(x,x,x)+32j
		or	edx, 2
		mov	[eax+2], dx
		jmp	short loc_7671D2
; 

loc_7671E6:				; CODE XREF: RtlSetGroupSecurityDescriptor(x,x,x)+Bj
		mov	eax, 0C0000058h
		jmp	short loc_7671D4
; 

loc_7671ED:				; CODE XREF: RtlSetGroupSecurityDescriptor(x,x,x)+14j
		mov	eax, 0C0000079h
		jmp	short loc_7671D4
_RtlSetGroupSecurityDescriptor@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2335. RtlSetOwnerSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSetOwnerSecurityDescriptor(x, x,	x)
		public _RtlSetOwnerSecurityDescriptor@12
_RtlSetOwnerSecurityDescriptor@12 proc near
					; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+145p
					; RtlCheckTokenCapability(x,x,x)+1A4p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	byte ptr [eax],	1
		jnz	short loc_767242
		movzx	ecx, word ptr [eax+2]
		test	cx, cx
		js	short loc_767249
		and	dword ptr [eax+4], 0
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jnz	short loc_767234

loc_76721B:				; CODE XREF: RtlSetOwnerSecurityDescriptor(x,x,x)+3Dj
		and	ecx, 0FFFEh
		cmp	[ebp+arg_8], 0
		movzx	edx, cx
		mov	[eax+2], cx
		jnz	short loc_767239

loc_76722E:				; CODE XREF: RtlSetOwnerSecurityDescriptor(x,x,x)+46j
		xor	eax, eax

loc_767230:				; CODE XREF: RtlSetOwnerSecurityDescriptor(x,x,x)+4Dj
					; RtlSetOwnerSecurityDescriptor(x,x,x)+54j
		pop	ebp
		retn	0Ch
; 

loc_767234:				; CODE XREF: RtlSetOwnerSecurityDescriptor(x,x,x)+1Fj
		mov	[eax+4], edx
		jmp	short loc_76721B
; 

loc_767239:				; CODE XREF: RtlSetOwnerSecurityDescriptor(x,x,x)+32j
		or	edx, 1
		mov	[eax+2], dx
		jmp	short loc_76722E
; 

loc_767242:				; CODE XREF: RtlSetOwnerSecurityDescriptor(x,x,x)+Bj
		mov	eax, 0C0000058h
		jmp	short loc_767230
; 

loc_767249:				; CODE XREF: RtlSetOwnerSecurityDescriptor(x,x,x)+14j
		mov	eax, 0C0000079h
		jmp	short loc_767230
_RtlSetOwnerSecurityDescriptor@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExCheckFullProcessInformationAccess proc near ;	CODE XREF: NtPowerInformation+861p
					; ExpGetProcessInformation+121Bp ...

var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 008D78EF SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		mov	byte ptr [ebp+var_1], bl
		mov	[ebp+var_8], ebx
		cmp	cl, 1
		jnz	short loc_7672A5
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	offset _ExpInitFullProcessSecurityInfo@12 ; ExpInitFullProcessSecurityInfo(x,x,x)
		push	offset _ExpFullProcessInfoInit
		call	RtlRunOnceExecuteOnce
		test	eax, eax
		js	loc_8D78EF
		lea	eax, [ebp+var_1]
		push	eax
		push	[ebp+var_8]
		push	ebx
		call	_RtlCheckTokenMembership@12 ; RtlCheckTokenMembership(x,x,x)
		test	eax, eax
		js	loc_8D78EF
		cmp	byte ptr [ebp+var_1], bl
		jz	loc_8D78EF

loc_7672A0:				; CODE XREF: ExCheckFullProcessInformationAccess+1706C0j
		xor	eax, eax

loc_7672A2:				; CODE XREF: ExCheckFullProcessInformationAccess+5Aj
		pop	ebx
		leave
		retn
; 

loc_7672A5:				; CODE XREF: ExCheckFullProcessInformationAccess+14j
					; ExCheckFullProcessInformationAccess+1706B1j ...
		mov	eax, 0C0000022h
		jmp	short loc_7672A2
ExCheckFullProcessInformationAccess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RawQueryFsVolumeInfo(x, x, x, x)
_RawQueryFsVolumeInfo@16 proc near	; CODE XREF: RawQueryVolumeInformation+2Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		call	_RawBeginOperation@8 ; RawBeginOperation(x,x)
		test	al, al
		jz	short loc_7672F1
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	6
		mov	edi, edx
		pop	ecx
		rep stosd
		mov	eax, [esi+8Ch]
		mov	ecx, esi
		mov	eax, [eax+10h]
		mov	[edx+8], eax
		mov	edx, ebx
		mov	eax, [ebp+arg_4]
		add	dword ptr [eax], 0FFFFFFEEh
		call	_RawEndOperation@8 ; RawEndOperation(x,x)
		xor	eax, eax
		pop	edi

loc_7672EB:				; CODE XREF: RawQueryFsVolumeInfo(x,x,x,x)+4Aj
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7672F1:				; CODE XREF: RawQueryFsVolumeInfo(x,x,x,x)+12j
		mov	eax, 0C000026Eh
		jmp	short loc_7672EB
_RawQueryFsVolumeInfo@16 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 772. IoCheckShareAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCheckShareAccess(x, x, x,	x, x)
		public _IoCheckShareAccess@20
_IoCheckShareAccess@20 proc near	; CODE XREF: RawCreate+FBp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		cmp	[ebp+arg_10], al
		setnz	al
		push	eax
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	IoCheckLinkShareAccess
		pop	ebp
		retn	14h
_IoCheckShareAccess@20 endp

; 
		align 10h
; Exported entry 767. IoCheckLinkShareAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoCheckLinkShareAccess
IoCheckLinkShareAccess proc near	; CODE XREF: IoCheckShareAccess(x,x,x,x,x)+1Cp
					; IoCheckShareAccessEx(x,x,x,x,x,x)+33p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008D7915 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		and	edx, 21h
		push	ebx
		mov	ebx, [ebp+arg_14]
		setnz	[ebp+var_1]
		push	edi
		mov	edi, ecx
		and	edi, 6
		setnz	[ebp+var_2]
		and	ecx, 10000h
		setnz	[ebp+var_4]
		cmp	[ebp+arg_C], 0
		jz	loc_7674F4

loc_767366:				; CODE XREF: IoCheckLinkShareAccess+1D4j
					; IoCheckLinkShareAccess+1E7j
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, ebx
		and	esi, 2
		jnz	short loc_767386
		mov	bl, [ebp+var_1]
		mov	[eax+26h], bl
		mov	bl, [ebp+var_2]
		mov	[eax+27h], bl
		mov	bl, [ebp+var_4]
		mov	[eax+28h], bl
		mov	ebx, [ebp+arg_14]

loc_767386:				; CODE XREF: IoCheckLinkShareAccess+3Fj
		test	edx, edx
		jnz	short loc_7673A2
		test	edi, edi
		jnz	short loc_7673A2
		test	ecx, ecx
		jnz	short loc_7673A2
		test	bl, 20h
		jnz	short loc_7673A2

loc_767397:				; CODE XREF: IoCheckLinkShareAccess+145j
					; IoCheckLinkShareAccess+179j ...
		xor	eax, eax
		pop	esi

loc_76739A:				; CODE XREF: IoCheckLinkShareAccess+1705EAj
		pop	edi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7673A2:				; CODE XREF: IoCheckLinkShareAccess+58j
					; IoCheckLinkShareAccess+5Cj ...
		mov	eax, [ebp+arg_4]
		and	eax, 2
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_4]
		setnz	[ebp+var_3]
		and	eax, 4
		mov	[ebp+var_C], eax
		setnz	[ebp+var_5]
		and	byte ptr [ebp+arg_4], 1
		mov	al, byte ptr [ebp+arg_4]
		mov	byte ptr [ebp+arg_0+3],	al
		mov	eax, [ebp+arg_8]
		test	ebx, ebx
		js	loc_8D791F

loc_7673D1:				; CODE XREF: IoCheckLinkShareAccess+1705FAj
					; IoCheckLinkShareAccess+170604j
		test	esi, esi
		jnz	short loc_7673EA
		mov	bl, byte ptr [ebp+arg_0+3]
		mov	[eax+29h], bl
		mov	bl, [ebp+var_3]
		mov	[eax+2Ah], bl
		mov	bl, [ebp+var_5]
		mov	[eax+2Bh], bl
		mov	ebx, [ebp+arg_14]

loc_7673EA:				; CODE XREF: IoCheckLinkShareAccess+A3j
		test	eax, eax
		jz	short loc_7673F9
		mov	eax, [eax+7Ch]
		test	eax, eax
		jnz	loc_7674C0

loc_7673F9:				; CODE XREF: IoCheckLinkShareAccess+BCj
					; IoCheckLinkShareAccess+199j
		xor	al, al
		test	bl, 4
		jnz	loc_767522
		test	edx, edx
		mov	edx, [ebp+arg_C]
		jz	short loc_767416
		mov	eax, [edx+10h]
		cmp	eax, [edx]
		jb	loc_767534

loc_767416:				; CODE XREF: IoCheckLinkShareAccess+D9j
		cmp	byte ptr [ebp+arg_0+3],	0
		jz	loc_76752A

loc_767420:				; CODE XREF: IoCheckLinkShareAccess+1FEj
		xor	al, al

loc_767422:				; CODE XREF: IoCheckLinkShareAccess+1F5j
					; IoCheckLinkShareAccess+206j
		test	bl, 8
		jnz	short loc_76743F
		test	al, al
		jnz	short loc_76743F
		test	edi, edi
		jnz	loc_76753B

loc_767433:				; CODE XREF: IoCheckLinkShareAccess+210j
		cmp	dword ptr [edx+8], 0
		jnz	loc_7674E3

loc_76743D:				; CODE XREF: IoCheckLinkShareAccess+1B7j
		xor	al, al

loc_76743F:				; CODE XREF: IoCheckLinkShareAccess+F5j
					; IoCheckLinkShareAccess+F9j ...
		test	bl, 10h
		jnz	loc_8D7939
		test	al, al
		jnz	loc_7674D5
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jz	loc_767548
		test	bl, 40h
		jnz	loc_767548
		test	ecx, ecx
		jnz	short loc_7674CE

loc_767468:				; CODE XREF: IoCheckLinkShareAccess+1A3j
		cmp	dword ptr [esi+4], 0

loc_76746C:				; CODE XREF: IoCheckLinkShareAccess+220j
		jnz	loc_767555

loc_767472:				; CODE XREF: IoCheckLinkShareAccess+229j
					; IoCheckLinkShareAccess+170614j
		test	bl, 1
		jz	loc_767397
		movzx	eax, [ebp+var_1]
		add	[edx+4], eax
		movzx	eax, [ebp+var_2]
		add	[edx+8], eax
		movzx	eax, byte ptr [ebp+arg_0+3]
		add	[edx+10h], eax
		movzx	eax, [ebp+var_3]
		add	[edx+14h], eax
		movzx	ecx, [ebp+var_4]
		movzx	eax, [ebp+var_5]
		inc	dword ptr [edx]
		add	[edx+0Ch], ecx
		add	[edx+18h], eax
		test	esi, esi
		jz	loc_767397
		inc	dword ptr [esi]
		test	bl, bl
		js	short loc_7674B8
		add	[esi+4], ecx

loc_7674B8:				; CODE XREF: IoCheckLinkShareAccess+183j
		add	[esi+8], eax
		jmp	loc_767397
; 

loc_7674C0:				; CODE XREF: IoCheckLinkShareAccess+C3j
		test	byte ptr [eax],	1
		jnz	loc_767397
		jmp	loc_7673F9
; 

loc_7674CE:				; CODE XREF: IoCheckLinkShareAccess+136j
		mov	eax, [esi+8]
		cmp	eax, [esi]
		jnb	short loc_767468

loc_7674D5:				; CODE XREF: IoCheckLinkShareAccess+11Aj
					; IoCheckLinkShareAccess+244j ...
		pop	esi
		pop	edi
		mov	eax, 0C0000043h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7674E3:				; CODE XREF: IoCheckLinkShareAccess+107j
		cmp	[ebp+var_10], 0
		jnz	loc_76743D

loc_7674ED:				; CODE XREF: IoCheckLinkShareAccess+216j
		mov	al, 1
		jmp	loc_76743F
; 

loc_7674F4:				; CODE XREF: IoCheckLinkShareAccess+30j
		mov	eax, ebx
		and	eax, 0Ch
		cmp	al, 0Ch
		jnz	loc_8D7915
		test	bl, 10h
		jnz	loc_767366
		cmp	[ebp+arg_10], 0
		jz	loc_8D7915
		test	bl, 40h
		jz	loc_767366
		jmp	loc_8D7915
; 

loc_767522:				; CODE XREF: IoCheckLinkShareAccess+CEj
		mov	edx, [ebp+arg_C]
		jmp	loc_767422
; 

loc_76752A:				; CODE XREF: IoCheckLinkShareAccess+EAj
		cmp	dword ptr [edx+4], 0
		jz	loc_767420

loc_767534:				; CODE XREF: IoCheckLinkShareAccess+E0j
		mov	al, 1
		jmp	loc_767422
; 

loc_76753B:				; CODE XREF: IoCheckLinkShareAccess+FDj
		mov	eax, [edx+14h]
		cmp	eax, [edx]
		jnb	loc_767433
		jmp	short loc_7674ED
; 

loc_767548:				; CODE XREF: IoCheckLinkShareAccess+125j
					; IoCheckLinkShareAccess+12Ej
		test	ecx, ecx
		jnz	short loc_76756D

loc_76754C:				; CODE XREF: IoCheckLinkShareAccess+242j
		cmp	dword ptr [edx+0Ch], 0
		jmp	loc_76746C
; 

loc_767555:				; CODE XREF: IoCheckLinkShareAccess:loc_76746Cj
		cmp	[ebp+var_C], 0
		jnz	loc_767472
		pop	esi
		pop	edi
		mov	eax, 0C0000043h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_76756D:				; CODE XREF: IoCheckLinkShareAccess+21Aj
		mov	eax, [edx+18h]
		cmp	eax, [edx]
		jnb	short loc_76754C
		jmp	loc_7674D5
IoCheckLinkShareAccess endp

; 
		align 10h
; Exported entry 998. IoSetLinkShareAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetLinkShareAccess(x, x, x, x, x,	x)
		public _IoSetLinkShareAccess@24
_IoSetLinkShareAccess@24 proc near	; CODE XREF: RawCreate+8Fp
					; IoSetShareAccess(x,x,x,x)+15p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, edx
		and	esi, 21h
		push	edi
		setnz	cl
		mov	edi, edx
		and	edi, 6
		mov	[eax+26h], cl
		setnz	cl
		and	edx, 10000h
		mov	[eax+27h], cl
		setnz	cl
		mov	[eax+28h], cl
		mov	ecx, [eax+7Ch]
		test	ecx, ecx
		jnz	loc_767671

loc_7675BB:				; CODE XREF: IoSetLinkShareAccess(x,x,x,x,x,x)+F4j
		xor	bl, bl

loc_7675BD:				; CODE XREF: IoSetLinkShareAccess(x,x,x,x,x,x)+FCj
		test	esi, esi
		jnz	short loc_7675E7
		test	edi, edi
		jnz	short loc_7675E7
		test	edx, edx
		jnz	short loc_7675E7
		mov	eax, [ebp+arg_C]
		mov	[eax], edx
		mov	[eax+4], edx
		mov	[eax+8], edx
		mov	[eax+0Ch], edx
		mov	[eax+10h], edx
		mov	[eax+14h], edx
		mov	[eax+18h], edx

loc_7675E0:				; CODE XREF: IoSetLinkShareAccess(x,x,x,x,x,x)+D2j
					; IoSetLinkShareAccess(x,x,x,x,x,x)+D6j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
; 

loc_7675E7:				; CODE XREF: IoSetLinkShareAccess(x,x,x,x,x,x)+3Fj
					; IoSetLinkShareAccess(x,x,x,x,x,x)+43j ...
		mov	edx, [ebp+arg_4]
		mov	ecx, edx
		shr	ecx, 1
		mov	bh, dl
		and	cl, 1
		shr	edx, 2
		and	bh, 1
		mov	[eax+2Ah], cl
		mov	ecx, [ebp+arg_14]
		and	dl, 1
		mov	[eax+29h], bh
		mov	[eax+2Bh], dl
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		js	loc_7676AE

loc_767613:				; CODE XREF: IoSetLinkShareAccess(x,x,x,x,x,x)+130j
					; IoSetLinkShareAccess(x,x,x,x,x,x)+13Aj
		mov	edx, [ebp+arg_C]
		test	bl, bl
		jnz	short loc_767681
		mov	dword ptr [edx], 1
		movzx	ecx, byte ptr [eax+26h]
		mov	[edx+4], ecx
		movzx	ecx, byte ptr [eax+27h]
		mov	[edx+8], ecx
		movzx	ecx, byte ptr [eax+28h]
		mov	[edx+0Ch], ecx
		movzx	ecx, byte ptr [eax+29h]
		mov	[edx+10h], ecx
		movzx	ecx, byte ptr [eax+2Ah]
		mov	[edx+14h], ecx
		movzx	esi, byte ptr [eax+2Bh]
		mov	ecx, [ebp+arg_0]

loc_76764A:				; CODE XREF: IoSetLinkShareAccess(x,x,x,x,x,x)+12Cj
		mov	[edx+18h], esi
		mov	edx, [ebp+arg_10]
		test	edx, edx
		jz	short loc_7675E0
		test	bl, bl
		jnz	short loc_7675E0
		inc	dword ptr [edx]
		test	cl, cl
		js	short loc_767665
		movzx	ecx, byte ptr [eax+28h]
		add	[edx+4], ecx

loc_767665:				; CODE XREF: IoSetLinkShareAccess(x,x,x,x,x,x)+DCj
		movzx	eax, byte ptr [eax+2Bh]
		add	[edx+8], eax
		jmp	loc_7675E0
; 

loc_767671:				; CODE XREF: IoSetLinkShareAccess(x,x,x,x,x,x)+35j
		test	byte ptr [ecx],	1
		jz	loc_7675BB
		mov	bl, 1
		jmp	loc_7675BD
; 

loc_767681:				; CODE XREF: IoSetLinkShareAccess(x,x,x,x,x,x)+98j
		mov	dword ptr [edx], 0
		xor	esi, esi
		mov	dword ptr [edx+4], 0
		mov	dword ptr [edx+8], 0
		mov	dword ptr [edx+0Ch], 0
		mov	dword ptr [edx+10h], 0
		mov	dword ptr [edx+14h], 0
		jmp	short loc_76764A
; 

loc_7676AE:				; CODE XREF: IoSetLinkShareAccess(x,x,x,x,x,x)+8Dj
		test	bh, bh
		jnz	loc_767613
		mov	byte ptr [eax+29h], 1
		jmp	loc_767613
_IoSetLinkShareAccess@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PfSnAsyncContextInitialize(void *,int,int,int)
_PfSnAsyncContextInitialize@16 proc near ; CODE	XREF: PfSnPrefetchScenario+3Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	90h		; size_t
		mov	edi, ecx
		mov	esi, edx
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[edi+10h], eax
		mov	eax, large fs:124h
		mov	[edi+78h], esi
		mov	ecx, [eax+80h]
		mov	[edi+7Ch], ecx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [edi+7Ch]
		call	PfSnReferenceProcessTrace
		mov	ecx, [edi+10h]
		mov	[edi+80h], eax
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	ecx, large fs:124h
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)
		and	dword ptr [edi], 0
		cmp	[ebp+arg_4], 0
		mov	[edi+88h], eax
		mov	dword ptr [edi+8], offset PfSnAsyncPrefetchWorker
		mov	[edi+0Ch], edi
		jnz	short loc_767741

loc_767733:				; CODE XREF: PfSnAsyncContextInitialize(x,x,x,x)+88j
		lea	ecx, [edi+18h]
		call	_PfSnPowerBoostInitialize@4 ; PfSnPowerBoostInitialize(x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_767741:				; CODE XREF: PfSnAsyncContextInitialize(x,x,x,x)+71j
		or	dword ptr [edi+8Ch], 1
		jmp	short loc_767733
_PfSnAsyncContextInitialize@16 endp


;  S U B	R O U T	I N E 


; __stdcall PfSnPowerBoostInitialize(x)
_PfSnPowerBoostInitialize@4 proc near	; CODE XREF: PfSnAsyncContextInitialize(x,x,x,x)+76p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		and	dword ptr [esi+50h], 0
		lea	eax, [esi+8]
		push	0
		push	eax
		mov	dword ptr [esi+58h], offset _PfSnPowerBoostWorker@4 ; PfSnPowerBoostWorker(x)
		mov	[esi+5Ch], esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	esi
		push	offset _PfSnPowerBoostDpc@16 ; PfSnPowerBoostDpc(x,x,x,x)
		lea	eax, [esi+30h]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		pop	esi
		retn
_PfSnPowerBoostInitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnBeginTrace	proc near		; CODE XREF: PfSnBeginScenario+148p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D7949 SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _PfSnNumActiveTraces
		push	esi
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ecx
		cmp	eax, dword_6D46E8
		jnb	loc_767953
		cmp	ds:_FsRtlpVolumeStartupApplicationsComplete, 0
		jz	loc_8D7949
		push	ebx
		push	54506343h
		mov	esi, 198h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8D7953
		push	edi
		push	esi		; size_t
		xor	edi, edi
		push	edi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebx], 43435341h
		lea	eax, [ebx+68h]
		push	edi
		push	eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		lea	eax, [ebx+54h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+140h]
		push	eax
		mov	[ebx+60h], edi
		mov	dword ptr [ebx+138h], 0C000002Dh
		call	KeQuerySystemTime
		push	ebx
		push	offset PfSnTraceTimerRoutine
		lea	eax, [ebx+98h]
		mov	[ebx+164h], edi
		mov	[ebx+168h], edi
		push	eax
		mov	[ebx+0B8h], edi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		lea	esi, [ebx+104h]
		mov	ecx, esi
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	ecx, esi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	esi, [ebp+arg_0]
		mov	edx, 73576650h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	edx, [ebp+var_8]
		mov	[ebx+108h], edi
		mov	dword ptr [ebx+110h], offset _PfSnEndTraceWorkerThreadRoutine@4	; PfSnEndTraceWorkerThreadRoutine(x)
		mov	[ebx+114h], ebx
		mov	ax, [ebx+152h]
		mov	[ebx+100h], esi
		mov	esi, [ebp+var_4]
		mov	[ebx+118h], edi
		lea	edi, [ebx+0Ch]
		push	10h
		pop	ecx
		rep movsd
		xor	ecx, ecx
		mov	[ebx+4Ch], edx
		cmp	[ebp+arg_8], ecx
		mov	esi, 0FFFEh
		pop	edi
		setnz	cl
		and	ax, si
		shl	edx, 4
		or	cx, ax
		add	edx, offset unk_6D46C8
		mov	[ebx+152h], cx
		mov	ecx, [edx]
		mov	[ebx+0F8h], ecx
		mov	eax, [edx+8]
		mov	[ebx+90h], eax
		mov	eax, [edx+0Ch]
		mov	[ebx+94h], eax
		test	ecx, ecx
		jz	loc_8D795D
		mov	eax, 100000h
		cmp	ecx, eax
		jg	loc_8D7967

loc_7678DD:				; CODE XREF: PfSnBeginTrace+1701EFj
		call	_PfSnTraceBufferAllocate@0 ; PfSnTraceBufferAllocate()
		mov	[ebx+50h], eax
		cmp	dword ptr [ebx+50h], 0
		jz	loc_8D7972
		mov	eax, [ebx+50h]
		lea	ecx, [ebx+54h]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_76796B
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		lea	eax, [ebx+124h]
		or	dword ptr [ebx+128h], 0FFFFFFFFh
		mov	dword ptr [eax], 0FFFFFFF8h
		mov	dword ptr [ebx+5Ch], 1
		mov	[ebx+120h], eax
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	loc_8D797C

loc_767931:				; CODE XREF: PfSnBeginTrace+170210j
		mov	ecx, ebx
		call	PfSnActivateTrace
		mov	esi, eax
		test	esi, esi
		js	short loc_767947
		mov	eax, [ebp+arg_C]
		mov	[eax], ebx
		xor	ebx, ebx
		xor	esi, esi

loc_767947:				; CODE XREF: PfSnBeginTrace+1BEj
					; PfSnBeginTrace+1701E4j ...
		test	ebx, ebx
		jnz	short loc_76795A

loc_76794B:				; CODE XREF: PfSnBeginTrace+1EBj
					; PfSnBeginTrace+1701DAj
		pop	ebx

loc_76794C:				; CODE XREF: PfSnBeginTrace+1DAj
					; PfSnBeginTrace+1701D0j
		mov	eax, esi
		pop	esi
		leave
		retn	10h
; 

loc_767953:				; CODE XREF: PfSnBeginTrace+19j
		mov	esi, 0C00000CEh
		jmp	short loc_76794C
; 

loc_76795A:				; CODE XREF: PfSnBeginTrace+1CBj
		mov	ecx, ebx
		call	_PfSnCleanupTrace@4 ; PfSnCleanupTrace(x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_76794B
; 

loc_76796B:				; CODE XREF: PfSnBeginTrace+17Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PopFxPluginWork(x)
_PopFxPluginWork@4:			; DATA XREF: PopFxInitializeWorkPool(x,x)+54o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		mov	ecx, [esi]
		lea	eax, [ecx+3Ch]

loc_767980:				; CODE XREF: PfSnBeginTrace+217j
		cmp	eax, esi
		jnz	short loc_76798E

loc_767984:				; CODE XREF: PfSnBeginTrace+219j
		call	PopFxProcessWorkPool
		pop	esi
		pop	ebp
		retn	4
; 

loc_76798E:				; CODE XREF: PfSnBeginTrace+204j
		inc	edx
		add	eax, 14h
		cmp	edx, 4
		jb	short loc_767980
		jmp	short loc_767984
PfSnBeginTrace	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateTimer	proc near		; DATA XREF: .text:005810FCo

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D7993 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 008D79C4 SIZE 0000000C BYTES

		push	20h
		push	offset dword_6A09A8
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_20], ecx
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jz	short loc_7679BE
		cmp	edi, 1
		jnz	loc_8D7993

loc_7679BE:				; CODE XREF: NtCreateTimer+19j
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+arg_C], bl
		test	bl, bl
		jz	short loc_7679F1
		mov	[ebp+ms_exc.disabled], ecx
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8D799D

loc_7679E4:				; CODE XREF: NtCreateTimer+170005j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ecx, ecx

loc_7679F1:				; CODE XREF: NtCreateTimer+35j
		mov	edx, ds:_ExTimerObjectType
		push	ecx
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		push	ecx
		push	0C0h
		push	ecx
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		mov	cl, bl
		call	ObCreateObjectEx
		mov	[ebp+arg_C], eax
		test	eax, eax
		js	loc_767AB0
		mov	esi, [ebp+var_1C]
		push	esi
		push	offset _ExpTimerDpcRoutine@16 ;	ExpTimerDpcRoutine(x,x,x,x)
		lea	eax, [esi+5Ch]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	edi
		push	esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		lea	eax, [esi+28h]
		mov	[ebp+var_2C], eax
		xor	ecx, ecx
		mov	[eax], ecx
		mov	[esi+0A8h], cl
		mov	[esi+90h], ecx
		mov	[esi+94h], ecx
		lea	eax, [esi+9Ch]
		mov	[ebp+var_28], eax
		mov	[eax], ecx
		test	bl, bl
		jz	short loc_767A78
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		mov	[ebp+var_30], edx
		test	byte ptr [edx+64h], 10h
		jnz	short loc_767AC5
		mov	esi, [ebp+var_1C]

loc_767A78:				; CODE XREF: NtCreateTimer+C4j
					; NtCreateTimer+1A8j
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+arg_4]
		xor	edx, edx
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		js	short loc_767AB0
		test	bl, bl
		jz	loc_767B47
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_767AA9:				; CODE XREF: sub_8D79D4+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_767AB0:				; CODE XREF: NtCreateTimer+7Cj
					; NtCreateTimer+F6j ...
		mov	eax, [ebp+arg_C]

loc_767AB3:				; CODE XREF: NtCreateTimer+16FFFEj
					; sub_8D79B2+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_767AC5:				; CODE XREF: NtCreateTimer+D9j
		mov	edi, [edx+158h]
		mov	byte ptr [ebp+arg_C], cl
		test	edi, edi
		jz	loc_8D79C4
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [edi+20h]
		mov	[ebp+arg_8], eax
		push	1
		push	eax
		call	ExAcquireResourceExclusiveLite
		test	dword ptr [edi+310h], 40000h
		jz	short loc_767B07
		cmp	dword ptr [edi+194h], 0
		jnz	short loc_767B54

loc_767B07:				; CODE XREF: NtCreateTimer+162j
		mov	byte ptr [ebp+arg_C], 0

loc_767B0B:				; CODE XREF: NtCreateTimer+1BEj
					; NtCreateTimer+170031j
		push	[ebp+var_28]
		push	[ebp+arg_C]
		push	[ebp+var_2C]
		mov	esi, [ebp+var_1C]
		lea	edx, [esi+0A0h]
		mov	ecx, [ebp+var_30]
		call	PsInsertVirtualizedTimer
		test	edi, edi
		jz	short loc_767B40
		mov	ecx, [ebp+arg_8]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	esi, [ebp+var_1C]

loc_767B40:				; CODE XREF: NtCreateTimer+18Dj
		xor	ecx, ecx
		jmp	loc_767A78
; 

loc_767B47:				; CODE XREF: NtCreateTimer+FAj
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	loc_767AB0
; 

loc_767B54:				; CODE XREF: NtCreateTimer+16Bj
		mov	byte ptr [ebp+arg_C], 1
		jmp	short loc_767B0B
NtCreateTimer	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ExProcessorCounterSetCallback(int,int,int,int,int)
ExProcessorCounterSetCallback proc near	; DATA XREF: ExpPcwHostCallback+108o

var_2EA		= byte ptr -2EAh
var_2E9		= byte ptr -2E9h
var_2E8		= byte ptr -2E8h
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= word ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D79DC SIZE 000001F6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2ECh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2ECh+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		push	edi		; char
		lea	edi, [esp+2F8h+var_298]
		xor	ebx, ebx
		stosd
		stosd
		stosd
		lea	eax, [esp+2F8h+var_278]
		mov	edi, 0C8h
		push	edi		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+2F8h+var_1B0]
		push	edi		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+2F8h+var_2B0], ebx
		lea	eax, [esp+2F8h+var_E8]
		mov	[esp+2F8h+var_2AC], ebx
		mov	[esp+2F8h+var_2D8], ebx
		push	edi		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		dec	eax
		mov	[esp+2F8h+var_2E9], bl
		mov	byte ptr [esp+2F8h+var_2E0], bl
		mov	byte ptr [esp+2F8h+var_2E4], bl
		mov	[esp+2F8h+var_2DC], ebx
		mov	dword ptr [esp+2F8h+var_2E8], ebx
		sub	eax, 1
		jz	loc_8D7A50
		sub	eax, 1
		jnz	loc_7687BF
		mov	edx, [esi]
		mov	ecx, edx
		mov	ebx, [esi+4]
		and	ecx, 0E0FF05h
		mov	edi, [esi+14h]
		mov	eax, ebx
		and	eax, 1
		mov	[esp+2F8h+var_2C0], edi
		or	ecx, eax
		jz	loc_8D79DC
		xor	ecx, ecx
		inc	ecx
		mov	[esp+2F8h+var_2E9], cl

loc_767C20:				; CODE XREF: ExProcessorCounterSetCallback+16FE8Aj
		mov	eax, edx
		mov	byte ptr [esp+2F8h+var_2E0], cl
		and	eax, 0C00F0000h
		or	eax, 0
		jnz	short loc_767C35
		mov	byte ptr [esp+2F8h+var_2E0], 0

loc_767C35:				; CODE XREF: ExProcessorCounterSetCallback+D4j
		and	edx, 3F000000h
		mov	byte ptr [esp+2F8h+var_2E4], cl
		and	ebx, 6
		or	edx, ebx
		jnz	short loc_767C4B
		mov	byte ptr [esp+2F8h+var_2E4], 0

loc_767C4B:				; CODE XREF: ExProcessorCounterSetCallback+EAj
		lea	eax, [esp+2F8h+var_2DC]
		push	eax
		lea	eax, [esp+2FCh+var_2E8]
		push	eax
		mov	eax, [esi+8]
		push	offset ??_C@_1M@LBIBGIJG@?$AA?$CF?$AAu?$AA?0?$AA?$CF?$AAu@NNGAKEGL@
		push	dword ptr [eax+4]
		call	_swscanf_s
		add	esp, 10h
		cmp	eax, 2
		jz	loc_8D79E9

loc_767C71:				; CODE XREF: ExProcessorCounterSetCallback+16FEFDj
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		xor	esi, esi
		mov	ebx, eax
		and	[esp+2F8h+var_2A8], esi
		xor	ecx, ecx
		and	[esp+2F8h+var_2B4], esi
		xor	eax, eax
		and	[esp+2F8h+var_2B8], esi
		mov	[esp+2F8h+var_2A0], ebx
		mov	[esp+2F8h+var_2BC], esi
		mov	dword ptr [esp+2F8h+var_2E8], ecx
		cmp	ax, ds:_KeNumberNodes
		jnb	loc_76859D

loc_767CA8:				; CODE XREF: ExProcessorCounterSetCallback+A35j
		lea	eax, [esp+2F8h+var_2D8]
		push	eax
		lea	eax, [esp+2FCh+var_298]
		push	eax
		push	ecx
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		mov	ebx, [esp+2F8h+var_298]
		test	ebx, ebx
		jz	loc_76857D
		push	0C8h		; size_t
		lea	eax, [esp+2FCh+var_278]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esp+304h+var_2D8]
		xor	edx, edx
		movzx	ecx, ax
		add	esp, 0Ch
		mov	[esp+2F8h+var_2C8], edx
		mov	[esp+2F8h+var_2CC], edx
		mov	[esp+2F8h+var_2D0], edx
		mov	[esp+2F8h+var_2D4], edx
		mov	[esp+2F8h+var_2DC], edx
		mov	[esp+2F8h+var_2C4], ecx
		test	ecx, ecx
		jz	loc_768364

loc_767D04:				; CODE XREF: ExProcessorCounterSetCallback+800j
		test	ebx, ebx
		jz	loc_8D7A5C
		bsf	esi, ebx

loc_767D0F:				; CODE XREF: ExProcessorCounterSetCallback+16FF05j
		mov	ecx, ds:_KiProcessorBlock[esi*4]
		mov	dl, [esp+2F8h+var_2E9]
		mov	eax, [ecx+3C8h]
		not	eax
		and	ebx, eax
		lea	eax, [esp+2F8h+var_E8]
		push	eax
		push	[esp+2FCh+var_2E4]
		mov	[esp+300h+var_298], ebx
		push	[esp+300h+var_2E0]
		call	ExpQueryProcessorInformationCounters
		push	[esp+2F8h+var_2DC]
		lea	eax, [esp+2FCh+var_20]
		push	dword ptr [esp+2FCh+var_2E8] ; char
		push	offset ??_C@_1M@LBIBGIJG@?$AA?$CF?$AAu?$AA?0?$AA?$CF?$AAu@NNGAKEGL@ ; wchar_t *
		push	1Ah		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		lea	eax, [esp+2F8h+var_20]
		push	eax
		lea	eax, [esp+2FCh+var_2B0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+2F8h+var_E8]
		mov	[esp+2F8h+var_288], 0C8h
		mov	[esp+2F8h+var_28C], eax
		lea	eax, [esp+2F8h+var_28C]
		push	eax
		xor	eax, eax
		inc	eax
		push	eax
		push	esi
		lea	eax, [esp+304h+var_2B0]
		push	eax
		push	edi
		call	_PcwAddInstance@20 ; PcwAddInstance(x,x,x,x,x)
		test	eax, eax
		js	loc_7687A8
		mov	eax, [esp+2F8h+var_278]
		add	eax, [esp+2F8h+var_E8]
		mov	[esp+2F8h+var_278], eax
		mov	eax, [esp+2F8h+var_274]
		adc	eax, [esp+2F8h+var_E4]
		mov	[esp+2F8h+var_274], eax
		mov	eax, [esp+2F8h+var_270]
		add	eax, [esp+2F8h+var_E0]
		mov	[esp+2F8h+var_270], eax
		mov	eax, [esp+2F8h+var_26C]
		adc	eax, [esp+2F8h+var_DC]
		mov	[esp+2F8h+var_26C], eax
		mov	eax, [esp+2F8h+var_268]
		add	eax, [esp+2F8h+var_D8]
		mov	[esp+2F8h+var_268], eax
		mov	eax, [esp+2F8h+var_264]
		adc	eax, [esp+2F8h+var_D4]
		mov	[esp+2F8h+var_264], eax
		mov	eax, [esp+2F8h+var_260]
		add	eax, [esp+2F8h+var_D0]
		mov	[esp+2F8h+var_260], eax
		mov	eax, [esp+2F8h+var_25C]
		adc	eax, [esp+2F8h+var_CC]
		mov	[esp+2F8h+var_25C], eax
		mov	eax, [esp+2F8h+var_C8]
		add	[esp+2F8h+var_258], eax
		mov	eax, [esp+2F8h+var_248]
		add	eax, [esp+2F8h+var_B8]
		mov	[esp+2F8h+var_248], eax
		mov	eax, [esp+2F8h+var_244]
		adc	eax, [esp+2F8h+var_B4]
		mov	[esp+2F8h+var_244], eax
		mov	eax, [esp+2F8h+var_AC]
		add	[esp+2F8h+var_23C], eax
		mov	eax, [esp+2F8h+var_A8]
		add	[esp+2F8h+var_238], eax
		mov	eax, [esp+2F8h+var_250]
		add	eax, [esp+2F8h+var_C0]
		mov	[esp+2F8h+var_250], eax
		mov	eax, [esp+2F8h+var_24C]
		adc	eax, [esp+2F8h+var_BC]
		mov	[esp+2F8h+var_24C], eax
		mov	eax, [esp+2F8h+var_B0]
		add	[esp+2F8h+var_240], eax
		mov	eax, [esp+2F8h+var_230]
		add	eax, [esp+2F8h+var_A0]
		mov	[esp+2F8h+var_230], eax
		mov	eax, [esp+2F8h+var_22C]
		adc	eax, [esp+2F8h+var_9C]
		mov	[esp+2F8h+var_22C], eax
		mov	eax, [esp+2F8h+var_88]
		add	[esp+2F8h+var_218], eax
		mov	eax, [esp+2F8h+var_84]
		adc	[esp+2F8h+var_214], eax
		mov	eax, [esp+2F8h+var_228]
		add	eax, [esp+2F8h+var_98]
		mov	[esp+2F8h+var_228], eax
		mov	eax, [esp+2F8h+var_224]
		adc	eax, [esp+2F8h+var_94]
		mov	[esp+2F8h+var_224], eax
		mov	eax, [esp+2F8h+var_80]
		add	[esp+2F8h+var_210], eax
		mov	eax, [esp+2F8h+var_7C]
		adc	[esp+2F8h+var_20C], eax
		mov	eax, [esp+2F8h+var_220]
		add	eax, [esp+2F8h+var_90]
		mov	[esp+2F8h+var_220], eax
		mov	eax, [esp+2F8h+var_21C]
		adc	eax, [esp+2F8h+var_8C]
		mov	[esp+2F8h+var_21C], eax
		mov	eax, [esp+2F8h+var_78]
		add	[esp+2F8h+var_208], eax
		mov	eax, [esp+2F8h+var_74]
		adc	[esp+2F8h+var_204], eax
		mov	eax, [esp+2F8h+var_40]
		add	[esp+2F8h+var_1D0], eax
		mov	eax, [esp+2F8h+var_3C]
		adc	[esp+2F8h+var_1CC], eax
		mov	eax, [esp+2F8h+var_38]
		add	[esp+2F8h+var_1C8], eax
		mov	eax, [esp+2F8h+var_34]
		adc	[esp+2F8h+var_1C4], eax
		mov	eax, [esp+2F8h+var_200]
		add	eax, [esp+2F8h+var_70]
		mov	[esp+2F8h+var_200], eax
		mov	eax, [esp+2F8h+var_1FC]
		adc	eax, [esp+2F8h+var_6C]
		mov	[esp+2F8h+var_1FC], eax
		mov	eax, [esp+2F8h+var_1F4]
		add	eax, [esp+2F8h+var_64]
		mov	[esp+2F8h+var_1F4], eax
		mov	eax, [esp+2F8h+var_1F0]
		add	eax, [esp+2F8h+var_60]
		mov	ebx, [esp+2F8h+var_48]
		mov	edi, [esp+2F8h+var_44]
		mov	esi, [esp+2F8h+var_28]
		mov	[esp+2F8h+var_1F0], eax
		mov	eax, [esp+2F8h+var_2D0]
		add	eax, [esp+2F8h+var_58]
		mov	edx, [esp+2F8h+var_24]
		adc	[esp+2F8h+var_2D4], 0
		mov	ecx, [esp+2F8h+var_30]
		mov	[esp+2F8h+var_2D0], eax
		mov	eax, [esp+2F8h+var_2C8]
		add	eax, [esp+2F8h+var_54]
		mov	[esp+2F8h+var_2C8], eax
		adc	[esp+2F8h+var_2CC], 0
		mov	eax, [esp+2F8h+var_1E0]
		add	eax, [esp+2F8h+var_50]
		mov	[esp+2F8h+var_1E0], eax
		mov	eax, [esp+2F8h+var_1DC]
		adc	eax, [esp+2F8h+var_4C]
		add	[esp+2F8h+var_1D8], ebx
		mov	ebx, [esp+2F8h+var_E8]
		adc	[esp+2F8h+var_1D4], edi
		add	[esp+2F8h+var_1B8], esi
		mov	[esp+2F8h+var_1DC], eax
		adc	[esp+2F8h+var_1B4], edx
		add	[esp+2F8h+var_1C0], ecx
		mov	eax, [esp+2F8h+var_2C]
		or	[esp+2F8h+var_1BC], eax
		add	[esp+2F8h+var_1B0], ebx
		mov	ebx, [esp+2F8h+var_E4]
		adc	[esp+2F8h+var_1AC], ebx
		mov	ebx, [esp+2F8h+var_E0]
		add	[esp+2F8h+var_1A8], ebx
		mov	ebx, [esp+2F8h+var_DC]
		adc	[esp+2F8h+var_1A4], ebx
		mov	ebx, [esp+2F8h+var_D8]
		add	[esp+2F8h+var_1A0], ebx
		mov	ebx, [esp+2F8h+var_D4]
		adc	[esp+2F8h+var_19C], ebx
		mov	ebx, [esp+2F8h+var_D0]
		add	[esp+2F8h+var_198], ebx
		mov	ebx, [esp+2F8h+var_CC]
		adc	[esp+2F8h+var_194], ebx
		mov	ebx, [esp+2F8h+var_C8]
		add	[esp+2F8h+var_190], ebx
		mov	ebx, [esp+2F8h+var_B8]
		add	[esp+2F8h+var_180], ebx
		mov	ebx, [esp+2F8h+var_B4]
		adc	[esp+2F8h+var_17C], ebx
		mov	ebx, [esp+2F8h+var_AC]
		add	[esp+2F8h+var_174], ebx
		mov	ebx, [esp+2F8h+var_A8]
		add	[esp+2F8h+var_170], ebx
		mov	ebx, [esp+2F8h+var_C0]
		add	[esp+2F8h+var_188], ebx
		mov	ebx, [esp+2F8h+var_BC]
		adc	[esp+2F8h+var_184], ebx
		mov	ebx, [esp+2F8h+var_B0]
		add	[esp+2F8h+var_178], ebx
		mov	ebx, [esp+2F8h+var_A0]
		add	[esp+2F8h+var_168], ebx
		mov	ebx, [esp+2F8h+var_9C]
		adc	[esp+2F8h+var_164], ebx
		mov	ebx, [esp+2F8h+var_88]
		add	[esp+2F8h+var_150], ebx
		mov	ebx, [esp+2F8h+var_84]
		adc	[esp+2F8h+var_14C], ebx
		mov	ebx, [esp+2F8h+var_98]
		add	[esp+2F8h+var_160], ebx
		mov	ebx, [esp+2F8h+var_94]
		adc	[esp+2F8h+var_15C], ebx
		mov	ebx, [esp+2F8h+var_80]
		add	[esp+2F8h+var_148], ebx
		mov	ebx, [esp+2F8h+var_7C]
		adc	[esp+2F8h+var_144], ebx
		mov	ebx, [esp+2F8h+var_90]
		add	[esp+2F8h+var_158], ebx
		mov	ebx, [esp+2F8h+var_8C]
		adc	[esp+2F8h+var_154], ebx
		mov	ebx, [esp+2F8h+var_78]
		add	[esp+2F8h+var_140], ebx
		mov	ebx, [esp+2F8h+var_74]
		adc	[esp+2F8h+var_13C], ebx
		mov	ebx, [esp+2F8h+var_40]
		add	[esp+2F8h+var_108], ebx
		mov	ebx, [esp+2F8h+var_3C]
		adc	[esp+2F8h+var_104], ebx
		mov	ebx, [esp+2F8h+var_38]
		add	[esp+2F8h+var_100], ebx
		mov	ebx, [esp+2F8h+var_34]
		adc	[esp+2F8h+var_FC], ebx
		mov	ebx, [esp+2F8h+var_70]
		add	[esp+2F8h+var_138], ebx
		mov	ebx, [esp+2F8h+var_6C]
		adc	[esp+2F8h+var_134], ebx
		mov	ebx, [esp+2F8h+var_64]
		add	[esp+2F8h+var_12C], ebx
		mov	ebx, [esp+2F8h+var_60]
		add	[esp+2F8h+var_128], ebx
		mov	ebx, [esp+2F8h+var_2B4]
		add	ebx, [esp+2F8h+var_58]
		mov	[esp+2F8h+var_2B4], ebx
		adc	[esp+2F8h+var_2B8], 0
		mov	ebx, [esp+2F8h+var_2BC]
		add	ebx, [esp+2F8h+var_54]
		mov	[esp+2F8h+var_2BC], ebx
		adc	[esp+2F8h+var_2A8], 0
		mov	ebx, [esp+2F8h+var_50]
		add	[esp+2F8h+var_118], ebx
		mov	ebx, [esp+2F8h+var_4C]
		adc	[esp+2F8h+var_114], ebx
		mov	ebx, [esp+2F8h+var_48]
		add	[esp+2F8h+var_110], ebx
		mov	ebx, [esp+2F8h+var_298]
		adc	[esp+2F8h+var_10C], edi
		add	[esp+2F8h+var_F0], esi
		mov	edi, [esp+2F8h+var_2C0]
		adc	[esp+2F8h+var_EC], edx
		or	[esp+2F8h+var_F4], eax
		add	[esp+2F8h+var_F8], ecx
		mov	eax, [esp+2F8h+var_2DC]
		mov	ecx, [esp+2F8h+var_2C4]
		inc	eax
		mov	[esp+2F8h+var_2DC], eax
		cmp	eax, ecx
		jb	loc_767D04
		mov	eax, [esp+2F8h+var_2D8]

loc_768364:				; CODE XREF: ExProcessorCounterSetCallback+1A4j
		xor	ebx, ebx
		inc	ebx
		cmp	ax, bx
		jbe	loc_7684FD
		mov	eax, ecx
		cdq
		mov	esi, edx
		mov	edi, eax
		push	esi
		push	edi
		push	[esp+300h+var_274]
		push	[esp+304h+var_278]
		call	__aulldiv
		push	esi
		push	edi
		push	[esp+300h+var_26C]
		mov	[esp+304h+var_278], eax
		push	[esp+304h+var_270]
		mov	[esp+308h+var_274], edx
		call	__aulldiv
		push	esi
		push	edi
		push	[esp+300h+var_264]
		mov	[esp+304h+var_270], eax
		push	[esp+304h+var_268]
		mov	[esp+308h+var_26C], edx
		call	__aulldiv
		push	esi
		push	edi
		push	[esp+300h+var_25C]
		mov	[esp+304h+var_268], eax
		push	[esp+304h+var_260]
		mov	[esp+308h+var_264], edx
		call	__aulldiv
		push	esi
		push	edi
		push	[esp+300h+var_244]
		mov	[esp+304h+var_260], eax
		push	[esp+304h+var_248]
		mov	[esp+308h+var_25C], edx
		call	__aulldiv
		push	esi
		push	edi
		push	[esp+300h+var_24C]
		mov	[esp+304h+var_248], eax
		push	[esp+304h+var_250]
		mov	[esp+308h+var_244], edx
		call	__aulldiv
		push	esi
		push	edi
		push	[esp+300h+var_22C]
		mov	[esp+304h+var_250], eax
		push	[esp+304h+var_230]
		mov	[esp+308h+var_24C], edx
		call	__aulldiv
		push	esi
		push	edi
		push	[esp+300h+var_224]
		mov	[esp+304h+var_230], eax
		push	[esp+304h+var_228]
		mov	[esp+308h+var_22C], edx
		call	__aulldiv
		push	esi
		push	edi
		push	[esp+300h+var_21C]
		mov	[esp+304h+var_228], eax
		push	[esp+304h+var_220]
		mov	[esp+308h+var_224], edx
		call	__aulldiv
		push	esi
		push	edi
		push	[esp+300h+var_1FC]
		mov	[esp+304h+var_220], eax
		push	[esp+304h+var_200]
		mov	[esp+308h+var_21C], edx
		call	__aulldiv
		mov	ecx, [esp+2F8h+var_2C4]
		mov	[esp+2F8h+var_200], eax
		mov	eax, [esp+2F8h+var_1F4]
		mov	[esp+2F8h+var_1FC], edx
		xor	edx, edx
		div	ecx
		xor	edx, edx
		mov	[esp+2F8h+var_1F4], eax
		mov	eax, [esp+2F8h+var_1F0]
		div	ecx
		mov	[esp+2F8h+var_1F0], eax

loc_7684FD:				; CODE XREF: ExProcessorCounterSetCallback+810j
		cmp	byte ptr [esp+2F8h+var_2E4], 0
		jnz	loc_8D7A64

loc_768508:				; CODE XREF: ExProcessorCounterSetCallback+16FFAAj
		cmp	byte ptr [esp+2F8h+var_2E0], 0
		jnz	loc_8D7B09

loc_768513:				; CODE XREF: ExProcessorCounterSetCallback+16FFC1j
		push	dword ptr [esp+2F8h+var_2E8] ; char
		lea	eax, [esp+2FCh+var_20]
		push	offset ??_C@_1BE@KIJPPDLH@?$AA?$CF?$AAu?$AA?0?$AA_?$AAT?$AAo?$AAt?$AAa?$AAl@NNGAKEGL@ ;	wchar_t	*
		push	1Ah		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		lea	eax, [esp+2F8h+var_20]
		push	eax
		lea	eax, [esp+2FCh+var_2B0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, ds:_KeMaximumProcessors
		lea	ecx, [esp+2F8h+var_278]
		add	eax, dword ptr [esp+2F8h+var_2E8]
		mov	edi, [esp+2F8h+var_2C0]
		mov	[esp+2F8h+var_284], ecx
		lea	ecx, [esp+2F8h+var_284]
		push	ecx
		push	ebx
		push	eax
		lea	eax, [esp+304h+var_2B0]
		mov	[esp+304h+var_280], 0C8h
		push	eax
		push	edi
		call	_PcwAddInstance@20 ; PcwAddInstance(x,x,x,x,x)
		test	eax, eax
		js	loc_7687A8

loc_76857D:				; CODE XREF: ExProcessorCounterSetCallback+164j
		mov	ecx, dword ptr [esp+2F8h+var_2E8]
		movzx	eax, ds:_KeNumberNodes
		inc	ecx
		mov	dword ptr [esp+2F8h+var_2E8], ecx
		cmp	ecx, eax
		jb	loc_767CA8
		mov	ebx, [esp+2F8h+var_2A0]
		mov	esi, [esp+2F8h+var_2BC]

loc_76859D:				; CODE XREF: ExProcessorCounterSetCallback+148j
		xor	eax, eax
		inc	eax
		cmp	ebx, eax
		jbe	loc_768734
		push	0
		push	ebx
		push	[esp+300h+var_1AC]
		push	[esp+304h+var_1B0]
		call	__aulldiv
		push	0
		push	ebx
		push	[esp+300h+var_1A4]
		mov	[esp+304h+var_1B0], eax
		push	[esp+304h+var_1A8]
		mov	[esp+308h+var_1AC], edx
		call	__aulldiv
		push	0
		push	ebx
		push	[esp+300h+var_19C]
		mov	[esp+304h+var_1A8], eax
		push	[esp+304h+var_1A0]
		mov	[esp+308h+var_1A4], edx
		call	__aulldiv
		push	0
		push	ebx
		push	[esp+300h+var_194]
		mov	[esp+304h+var_1A0], eax
		push	[esp+304h+var_198]
		mov	[esp+308h+var_19C], edx
		call	__aulldiv
		push	0
		push	ebx
		push	[esp+300h+var_17C]
		mov	[esp+304h+var_198], eax
		push	[esp+304h+var_180]
		mov	[esp+308h+var_194], edx
		call	__aulldiv
		push	0
		push	ebx
		push	[esp+300h+var_184]
		mov	[esp+304h+var_180], eax
		push	[esp+304h+var_188]
		mov	[esp+308h+var_17C], edx
		call	__aulldiv
		push	0
		push	ebx
		push	[esp+300h+var_164]
		mov	[esp+304h+var_188], eax
		push	[esp+304h+var_168]
		mov	[esp+308h+var_184], edx
		call	__aulldiv
		push	0
		push	ebx
		push	[esp+300h+var_15C]
		mov	[esp+304h+var_168], eax
		push	[esp+304h+var_160]
		mov	[esp+308h+var_164], edx
		call	__aulldiv
		push	0
		push	ebx
		push	[esp+300h+var_154]
		mov	[esp+304h+var_160], eax
		push	[esp+304h+var_158]
		mov	[esp+308h+var_15C], edx
		call	__aulldiv
		push	0
		push	ebx
		push	[esp+300h+var_134]
		mov	[esp+304h+var_158], eax
		push	[esp+304h+var_138]
		mov	[esp+308h+var_154], edx
		call	__aulldiv
		mov	[esp+2F8h+var_138], eax
		mov	eax, [esp+2F8h+var_12C]
		mov	[esp+2F8h+var_134], edx
		xor	edx, edx
		div	ebx
		xor	edx, edx
		mov	[esp+2F8h+var_12C], eax
		mov	eax, [esp+2F8h+var_128]
		div	ebx
		mov	[esp+2F8h+var_128], eax

loc_768734:				; CODE XREF: ExProcessorCounterSetCallback+A48j
		cmp	byte ptr [esp+2F8h+var_2E4], 0
		jnz	loc_8D7B20

loc_76873F:				; CODE XREF: ExProcessorCounterSetCallback+17005Cj
		cmp	byte ptr [esp+2F8h+var_2E0], 0
		jnz	loc_8D7BBB

loc_76874A:				; CODE XREF: ExProcessorCounterSetCallback+170073j
		push	offset ??_C@_1O@NKAIMMPD@?$AA_?$AAT?$AAo?$AAt?$AAa?$AAl@NNGAKEGL@ ; "_Total"
		lea	eax, [esp+2FCh+var_20]
		push	1Ah		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 0Ch
		lea	eax, [esp+2F8h+var_20]
		push	eax
		lea	eax, [esp+2FCh+var_2B0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, ds:_KeNumberNodes
		lea	ecx, [esp+2F8h+var_1B0]
		add	eax, ds:_KeMaximumProcessors
		mov	[esp+2F8h+var_2A8], ecx
		lea	ecx, [esp+2F8h+var_2A8]
		push	ecx
		xor	ecx, ecx
		mov	[esp+2FCh+var_2A4], 0C8h
		inc	ecx
		push	ecx
		push	eax
		lea	eax, [esp+304h+var_2B0]
		push	eax
		push	edi
		call	_PcwAddInstance@20 ; PcwAddInstance(x,x,x,x,x)

loc_7687A8:				; CODE XREF: ExProcessorCounterSetCallback+23Ej
					; ExProcessorCounterSetCallback+A1Dj ...
		mov	ecx, [esp+2F8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7687BF:				; CODE XREF: ExProcessorCounterSetCallback+98j
					; ExProcessorCounterSetCallback+16FEF1j
		xor	eax, eax
		jmp	short loc_7687A8
ExProcessorCounterSetCallback endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpQueryProcessorInformationCounters proc near
					; CODE XREF: ExProcessorCounterSetCallback+1DEp
					; ExProcessorCounterSetCallback+16FEBFp

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_87		= byte ptr -87h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D7BD2 SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		mov	[ebp+var_74], eax
		mov	bl, dl
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_78], ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		xor	edx, edx
		add	esp, 0Ch
		mov	byte ptr [ebp+var_70+3], dl
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_78]
		movzx	eax, byte ptr [edi+3C5h]
		mov	word ptr [ebp+var_70], ax
		mov	al, [edi+3C4h]
		mov	byte ptr [ebp+var_70+2], al
		test	bl, bl
		jz	loc_8D7BD2
		lea	eax, [ebp+var_1C]
		push	eax
		lea	edx, [ebp+var_6C]
		lea	ecx, [ebp+var_70]
		call	_PoGetIdleTimes@12 ; PoGetIdleTimes(x,x,x)
		mov	ebx, [ebp+var_74]
		xor	ecx, ecx
		mov	eax, [ebp+var_64]
		mov	[ebx+48h], eax
		mov	eax, [ebp+var_60]
		mov	[ebx+4Ch], eax
		mov	eax, [ebp+var_4C]
		mov	[ebx+60h], eax
		mov	eax, [ebp+var_5C]
		mov	[ebx+50h], eax
		mov	eax, [ebp+var_58]
		mov	[ebx+54h], eax
		mov	eax, [ebp+var_48]
		mov	[ebx+68h], eax
		mov	eax, [ebp+var_54]
		mov	[ebx+58h], eax
		mov	eax, [ebp+var_50]
		mov	[ebx+5Ch], eax
		mov	eax, [ebp+var_44]
		mov	[ebx+70h], eax
		mov	eax, [ebp+var_14]
		mov	[ebx+78h], eax
		mov	eax, [ebp+var_10]
		mov	[ebx+7Ch], eax
		mov	eax, [ebp+var_1C]
		mov	[ebx+64h], ecx
		mov	[ebx+6Ch], ecx
		mov	[ebx+74h], ecx
		mov	ecx, ds:_KeMaximumIncrement
		mul	ecx
		mov	esi, eax
		mov	edi, edx
		mov	eax, [ebp+var_18]
		mul	ecx
		mov	[ebx], esi
		sub	eax, esi
		mov	[ebx+4], edi
		mov	[ebp+var_74], eax
		mov	eax, ecx
		mov	ecx, [ebp+var_78]
		sbb	edx, edi
		mov	[ebp+var_7C], edx
		mul	dword ptr [ecx+594h]
		add	eax, esi
		mov	ecx, edx
		mov	[ebp+var_80], eax
		mov	eax, [ebp+var_74]
		adc	ecx, edi
		mov	edi, [ebp+var_78]
		mov	edx, [ebp+var_80]
		mov	[ebp+var_84], ecx
		mov	ecx, [ebp+var_7C]
		mov	esi, [ebp+var_84]

loc_7688D2:				; CODE XREF: ExpQueryProcessorInformationCounters+16F446j
		mov	[ebx+8], edx
		mov	[ebx+0Ch], esi
		mov	[ebx+18h], eax
		mov	[ebx+1Ch], ecx
		mov	esi, ds:_KeMaximumIncrement
		mov	eax, esi
		mul	dword ptr [edi+4A8h]
		push	8
		mov	[ebx+10h], eax
		mov	eax, esi
		mov	[ebx+14h], edx
		mov	ecx, [edi+4A0h]
		mov	[ebx+20h], ecx
		mul	dword ptr [edi+4B4h]
		mov	[ebx+30h], eax
		mov	eax, esi
		mov	[ebx+34h], edx
		mov	ecx, [edi+21F0h]
		mov	[ebx+3Ch], ecx
		mov	ecx, [edi+2218h]
		mov	[ebx+40h], ecx
		mul	dword ptr [edi+4ACh]
		mov	ecx, [ebx+58h]
		add	ecx, [ebx+50h]
		mov	[ebx+28h], eax
		mov	[ebx+2Ch], edx
		mov	eax, [edi+224Ch]
		lea	edi, [ebp+var_A4]
		mov	[ebx+38h], eax
		mov	eax, [ebx+5Ch]
		adc	eax, [ebx+54h]
		add	ecx, [ebx+48h]
		mov	[ebx+0A8h], ecx
		adc	eax, [ebx+4Ch]
		mov	ecx, [ebx+70h]
		add	ecx, [ebx+68h]
		mov	[ebx+0ACh], eax
		mov	eax, [ebx+74h]
		adc	eax, [ebx+6Ch]
		add	ecx, [ebx+60h]
		mov	[ebx+0B0h], ecx
		adc	eax, [ebx+64h]
		mov	[ebx+0B4h], eax
		xor	eax, eax
		pop	ecx
		rep stosd
		push	8
		pop	ecx
		lea	edi, [ebp+var_3C]
		rep stosd
		movzx	eax, [ebp+arg_4]
		lea	ecx, [ebp+var_3C]
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		cmp	[ebp+arg_0], 0
		jnz	loc_8D7C0F
		test	eax, eax
		jnz	loc_8D7C0F

loc_7689A2:				; CODE XREF: ExpQueryProcessorInformationCounters+16F45Cj
		movzx	eax, [ebp+var_87]
		mov	[ebx+80h], eax
		mov	eax, [ebp+var_A0]
		mov	[ebx+84h], eax
		mov	eax, [ebp+var_9C]
		mov	ecx, [ebp+var_8]
		mov	[ebx+88h], eax
		xor	ecx, ebp
		mov	eax, [ebp+var_A4]
		mov	[ebx+8Ch], eax
		mov	eax, [ebp+var_90]
		mov	[ebx+0B8h], eax
		mov	eax, [ebp+var_8C]
		mov	[ebx+0BCh], eax
		mov	eax, [ebp+var_3C]
		mov	[ebx+90h], eax
		mov	eax, [ebp+var_38]
		mov	[ebx+94h], eax
		mov	eax, [ebp+var_34]
		mov	[ebx+98h], eax
		mov	eax, [ebp+var_30]
		mov	[ebx+9Ch], eax
		mov	eax, [ebp+var_2C]
		mov	[ebx+0A0h], eax
		mov	eax, [ebp+var_28]
		mov	[ebx+0A4h], eax
		mov	eax, [ebp+var_24]
		pop	edi
		mov	[ebx+0C0h], eax
		mov	eax, [ebp+var_20]
		pop	esi
		mov	[ebx+0C4h], eax
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
ExpQueryProcessorInformationCounters endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpQueryNumaProcessorMap proc near	; CODE XREF: PAGE:00780353p

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D7C25 SIZE 0000001A BYTES

		push	0Ch
		push	offset dword_6A09D0
		call	__SEH_prolog4
		mov	esi, edx
		mov	ebx, ecx
		and	[ebp+ms_exc.disabled], 0
		push	4
		pop	ecx
		cmp	esi, ecx
		jb	loc_8D7C25
		call	_KeQueryHighestNodeNumber@0 ; KeQueryHighestNodeNumber()
		movzx	eax, ax
		mov	[ebx], eax
		lea	ecx, [eax+1]
		lea	eax, [esi-8]
		xor	edx, edx
		push	0Ch
		pop	edi
		div	edi
		mov	edi, eax
		cmp	edi, ecx
		jbe	short loc_768A82
		mov	edi, ecx

loc_768A82:				; CODE XREF: ExpQueryNumaProcessorMap+3Aj
		cmp	esi, 8
		jb	short loc_768AB9
		test	edi, edi
		jz	short loc_768AB9
		imul	ecx, edi, 0Ch
		add	ecx, 8
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		xor	ecx, ecx
		xor	esi, esi

loc_768A9A:				; CODE XREF: ExpQueryNumaProcessorMap+73j
		mov	[ebp+arg_0], ecx
		cmp	esi, edi
		jnb	short loc_768AC2
		push	0
		imul	eax, esi, 0Ch
		add	eax, 8
		add	eax, ebx
		push	eax
		push	ecx
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		lea	ecx, [esi+1]
		mov	esi, ecx
		jmp	short loc_768A9A
; 

loc_768AB9:				; CODE XREF: ExpQueryNumaProcessorMap+41j
					; ExpQueryNumaProcessorMap+45j
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 4

loc_768AC2:				; CODE XREF: ExpQueryNumaProcessorMap+5Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax

loc_768ACB:				; CODE XREF: ExpQueryNumaProcessorMap+16F1F6j
					; sub_8D7C4F+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
ExpQueryNumaProcessorMap endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RawDispatch	proc near		; DATA XREF: RawInitialize+DAo

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D7C61 SIZE 00000073 BYTES

		push	10h
		push	offset dword_6A09F0
		call	__SEH_prolog4
		mov	esi, [ebp+arg_4]
		mov	edi, [esi+60h]
		mov	eax, 0B8h
		mov	ebx, [ebp+arg_0]
		cmp	[ebx+2], ax
		jz	loc_768BC2

loc_768B02:				; CODE XREF: RawDispatch+EEj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		add	ebx, 0B8h
		xor	ecx, ecx
		mov	[ebp+ms_exc.disabled], ecx
		movzx	eax, byte ptr [edi]
		cmp	eax, 12h
		jz	loc_768BAA
		ja	loc_768C02
		cmp	eax, 6
		ja	short loc_768B7A
		jz	loc_8D7C80
		test	eax, eax
		jz	short loc_768B9E
		cmp	eax, 2
		jnz	loc_8D7C61
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_RawClose@12	; RawClose(x,x,x)

loc_768B4F:				; CODE XREF: RawDispatch+BEj
					; RawDispatch+CAj ...
		mov	[ebp+var_1C], eax

loc_768B52:				; CODE XREF: RawDispatch+16F1D0j
					; RawDispatch+16F1F1j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_1C]

loc_768B68:				; CODE XREF: RawDispatch+110j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_768B7A:				; CODE XREF: RawDispatch+52j
		sub	eax, 9
		jz	short loc_768B92
		sub	eax, 1
		jz	short loc_768BB6
		sub	eax, 3
		jz	short loc_768BF3
		sub	eax, 1
		jnz	loc_8D7C8F

loc_768B92:				; CODE XREF: RawDispatch+9Fj
					; RawDispatch+15Fj ...
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	RawReadWriteDeviceControl
		jmp	short loc_768B4F
; 

loc_768B9E:				; CODE XREF: RawDispatch+5Cj
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	RawCreate
		jmp	short loc_768B4F
; 

loc_768BAA:				; CODE XREF: RawDispatch+43j
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	RawCleanup
		jmp	short loc_768B4F
; 

loc_768BB6:				; CODE XREF: RawDispatch+A4j
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	RawQueryVolumeInformation
		jmp	short loc_768B4F
; 

loc_768BC2:				; CODE XREF: RawDispatch+1Ej
		mov	al, [edi]
		cmp	al, 0Dh
		jnz	short loc_768BD2
		cmp	byte ptr [edi+1], 1
		jz	loc_768B02

loc_768BD2:				; CODE XREF: RawDispatch+E8j
		test	al, al
		jz	short loc_768BDE
		cmp	al, 12h
		jz	short loc_768BDE
		cmp	al, 2
		jnz	short loc_768C42

loc_768BDE:				; CODE XREF: RawDispatch+F6j
					; RawDispatch+FAj
		xor	edi, edi

loc_768BE0:				; CODE XREF: RawDispatch+169j
		mov	[esi+18h], edi
		mov	dl, 1
		mov	ecx, esi
		call	IofCompleteRequest
		mov	eax, edi
		jmp	loc_768B68
; 

loc_768BF3:				; CODE XREF: RawDispatch+A9j
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	RawFileSystemControl
		jmp	loc_768B4F
; 

loc_768C02:				; CODE XREF: RawDispatch+49j
		cmp	eax, 1Bh
		jnz	loc_8D7C8F
		cmp	byte ptr [edi+1], 1
		jz	loc_8D7C9A
		lea	eax, [ebx+0A0h]
		mov	[ebp+arg_4], eax
		mov	ecx, eax
		call	ExAcquireFastMutex
		test	byte ptr [ebx+48h], 2
		jnz	loc_8D7CB3
		inc	dword ptr [ebx+50h]
		lea	ecx, [ebx+0A0h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_768B92
; 

loc_768C42:				; CODE XREF: RawDispatch+FEj
		mov	edi, 0C0000010h
		jmp	short loc_768BE0
RawDispatch	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RawClose(x,	x, x)
_RawClose@12	proc near		; CODE XREF: RawDispatch+6Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	eax, [eax+18h]
		test	dword ptr [eax+2Ch], 100h
		jnz	short loc_768C95
		push	ebx
		lea	ebx, [esi+0A0h]
		mov	ecx, ebx
		call	ExAcquireFastMutex
		dec	dword ptr [esi+4Ch]
		dec	dword ptr [esi+50h]
		cmp	dword ptr [esi+4Ch], 0
		jnz	short loc_768C8D
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	RawInitiateDeleteVolume
		test	al, al
		jnz	short loc_768C94

loc_768C8D:				; CODE XREF: RawClose(x,x,x)+32j
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_768C94:				; CODE XREF: RawClose(x,x,x)+41j
		pop	ebx

loc_768C95:				; CODE XREF: RawClose(x,x,x)+18j
		and	dword ptr [edi+18h], 0
		mov	dl, 1
		mov	ecx, edi
		call	IofCompleteRequest
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
_RawClose@12	endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RawReadWriteDeviceControl proc near	; CODE XREF: RawDispatch+B9p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D7CF9 SIZE 00000062 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_4], edi
		mov	edx, [edx+18h]
		call	_RawBeginOperation@8 ; RawBeginOperation(x,x)
		mov	edx, [ebp+arg_0]
		mov	cl, [edx]
		test	al, al
		jz	loc_8D7CF9
		cmp	cl, 3
		jz	loc_8D7D33
		cmp	cl, 4
		jz	loc_8D7D33

loc_768CE4:				; CODE XREF: RawReadWriteDeviceControl+16F08Ej
		mov	eax, [edi+60h]
		mov	esi, edx
		mov	edx, [ebp+var_4]
		push	9
		pop	ecx
		lea	edi, [eax-24h]
		rep movsd
		or	byte ptr [eax-22h], 2
		mov	eax, [edx+60h]
		mov	dword ptr [eax-8], offset RawCompletionRoutine
		mov	[eax-4], ebx
		mov	byte ptr [eax-21h], 0E0h
		mov	ecx, [ebx+88h]
		call	IofCallDriver

loc_768D14:				; CODE XREF: RawReadWriteDeviceControl+16F0ACj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
RawReadWriteDeviceControl endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RawCleanup	proc near		; CODE XREF: RawDispatch+D1p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D7D5B SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1], 0
		push	edi
		mov	ebx, edx
		lea	ecx, [esi+0A0h]
		call	ExAcquireFastMutex
		mov	edi, [ebp+arg_0]
		lea	eax, [esi+54h]
		push	0
		push	0
		push	eax
		push	dword ptr [edi+18h]
		call	_IoRemoveLinkShareAccessEx@16 ;	IoRemoveLinkShareAccessEx(x,x,x,x)
		mov	eax, [edi+18h]
		cmp	eax, [esi+98h]
		jz	loc_8D7D5B

loc_768D5A:				; CODE XREF: RawCleanup+16F051j
		cmp	eax, [esi+94h]
		jz	loc_8D7D72

loc_768D66:				; CODE XREF: RawCleanup+16F069j
		lea	ecx, [esi+0A0h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	[ebp+var_1], 0
		jnz	loc_8D7D8A

loc_768D7B:				; CODE XREF: RawCleanup+16F078j
		and	dword ptr [ebx+18h], 0
		mov	dl, 1
		mov	ecx, ebx
		call	IofCompleteRequest
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	4
RawCleanup	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RawCreate	proc near		; CODE XREF: RawDispatch+C5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D7D99 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		lea	ecx, [esi+0A0h]
		call	ExAcquireFastMutex
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jz	short loc_768DCA
		cmp	[ecx+30h], ax
		jnz	loc_8D7DAB
		cmp	[ecx+20h], eax
		jnz	loc_8D7DAB

loc_768DCA:				; CODE XREF: RawCreate+23j
		mov	edx, [edi+8]
		mov	eax, edx
		and	eax, 0FF000000h
		cmp	eax, 1000000h
		jnz	loc_8D7DA9
		test	dl, 1
		jnz	loc_8D7DA9
		mov	eax, [esi+48h]
		test	al, 1
		jnz	loc_8D7D99
		test	al, 2
		jnz	loc_8D7DA0
		mov	eax, [edi+4]
		movzx	edx, word ptr [edi+0Eh]
		mov	[ebp+var_8], edx
		mov	eax, [eax+8]
		mov	[ebp+var_4], eax
		mov	eax, [esi+4Ch]
		test	eax, eax
		jnz	short loc_768E82

loc_768E12:				; CODE XREF: RawCreate+117j
		xor	eax, eax
		push	eax
		push	eax
		lea	eax, [esi+54h]
		push	eax
		push	dword ptr [edi+18h]
		push	edx
		push	[ebp+var_4]
		call	_IoSetLinkShareAccess@24 ; IoSetLinkShareAccess(x,x,x,x,x,x)
		mov	eax, [esi+4Ch]

loc_768E29:				; CODE XREF: RawCreate+115j
		inc	eax
		inc	dword ptr [esi+50h]
		mov	[esi+4Ch], eax
		mov	ecx, [edi+18h]
		mov	eax, [esi+8Ch]
		mov	[ecx+8], eax
		xor	eax, eax
		mov	ecx, [ebp+arg_0]
		mov	edi, eax
		mov	dword ptr [ebx+1Ch], 1
		mov	eax, [ecx+18h]
		or	dword ptr [eax+2Ch], 8
		mov	eax, [ecx+18h]
		mov	[eax+0Ch], esi
		xor	eax, eax

loc_768E59:				; CODE XREF: RawCreate+16F021j
		cmp	[esi+4Ch], eax
		jz	loc_8D7DB8

loc_768E62:				; CODE XREF: RawCreate+16F039j
		lea	ecx, [esi+0A0h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_768E6D:				; CODE XREF: RawCreate+16F033j
		mov	dl, 1
		mov	[ebx+18h], edi
		mov	ecx, ebx
		call	IofCompleteRequest
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_768E82:				; CODE XREF: RawCreate+7Ej
		push	1
		lea	eax, [esi+54h]
		push	eax
		push	ecx
		push	edx
		push	[ebp+var_4]
		call	_IoCheckShareAccess@20 ; IoCheckShareAccess(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8D7DA5
		mov	eax, [esi+4Ch]
		mov	edi, [ebp+arg_0]
		mov	edx, [ebp+var_8]
		test	eax, eax
		jnz	short loc_768E29
		jmp	loc_768E12
RawCreate	endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 953. IoRemoveLinkShareAccessEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRemoveLinkShareAccessEx(x, x, x, x)
		public _IoRemoveLinkShareAccessEx@16
_IoRemoveLinkShareAccessEx@16 proc near	; CODE XREF: RawCleanup+2Ap
					; IoRemoveShareAccess(x,x)+Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+7Ch]
		test	ecx, ecx
		jnz	short loc_768F3A

loc_768ECF:				; CODE XREF: IoRemoveLinkShareAccessEx(x,x,x,x)+7Dj
		cmp	byte ptr [eax+26h], 0
		jnz	short loc_768EE5
		cmp	byte ptr [eax+27h], 0
		jnz	short loc_768EE5
		cmp	byte ptr [eax+28h], 0
		jnz	short loc_768EE5

loc_768EE1:				; CODE XREF: IoRemoveLinkShareAccessEx(x,x,x,x)+5Fj
					; IoRemoveLinkShareAccessEx(x,x,x,x)+73j ...
		pop	ebp
		retn	10h
; 

loc_768EE5:				; CODE XREF: IoRemoveLinkShareAccessEx(x,x,x,x)+13j
					; IoRemoveLinkShareAccessEx(x,x,x,x)+19j ...
		mov	ecx, [ebp+arg_4]
		dec	dword ptr [ecx]
		cmp	byte ptr [eax+26h], 0
		jz	short loc_768EF3
		dec	dword ptr [ecx+4]

loc_768EF3:				; CODE XREF: IoRemoveLinkShareAccessEx(x,x,x,x)+2Ej
		cmp	byte ptr [eax+27h], 0
		jnz	short loc_768F41

loc_768EF9:				; CODE XREF: IoRemoveLinkShareAccessEx(x,x,x,x)+84j
		cmp	byte ptr [eax+29h], 0
		jz	short loc_768F02
		dec	dword ptr [ecx+10h]

loc_768F02:				; CODE XREF: IoRemoveLinkShareAccessEx(x,x,x,x)+3Dj
		cmp	byte ptr [eax+2Ah], 0
		jz	short loc_768F0B
		dec	dword ptr [ecx+14h]

loc_768F0B:				; CODE XREF: IoRemoveLinkShareAccessEx(x,x,x,x)+46j
		cmp	byte ptr [eax+28h], 0
		jnz	short loc_768F46

loc_768F11:				; CODE XREF: IoRemoveLinkShareAccessEx(x,x,x,x)+89j
		cmp	byte ptr [eax+2Bh], 0
		jz	short loc_768F1A
		dec	dword ptr [ecx+18h]

loc_768F1A:				; CODE XREF: IoRemoveLinkShareAccessEx(x,x,x,x)+55j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_768EE1
		dec	dword ptr [ecx]
		test	[ebp+arg_C], 80h
		jnz	short loc_768F2F
		cmp	byte ptr [eax+28h], 0
		jnz	short loc_768F4B

loc_768F2F:				; CODE XREF: IoRemoveLinkShareAccessEx(x,x,x,x)+67j
					; IoRemoveLinkShareAccessEx(x,x,x,x)+8Ej
		cmp	byte ptr [eax+2Bh], 0
		jz	short loc_768EE1
		dec	dword ptr [ecx+8]
		jmp	short loc_768EE1
; 

loc_768F3A:				; CODE XREF: IoRemoveLinkShareAccessEx(x,x,x,x)+Dj
		test	byte ptr [ecx],	1
		jz	short loc_768ECF
		jmp	short loc_768EE1
; 

loc_768F41:				; CODE XREF: IoRemoveLinkShareAccessEx(x,x,x,x)+37j
		dec	dword ptr [ecx+8]
		jmp	short loc_768EF9
; 

loc_768F46:				; CODE XREF: IoRemoveLinkShareAccessEx(x,x,x,x)+4Fj
		dec	dword ptr [ecx+0Ch]
		jmp	short loc_768F11
; 

loc_768F4B:				; CODE XREF: IoRemoveLinkShareAccessEx(x,x,x,x)+6Dj
		dec	dword ptr [ecx+4]
		jmp	short loc_768F2F
_IoRemoveLinkShareAccessEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RawQueryVolumeInformation proc near	; CODE XREF: RawDispatch+DDp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D7DD0 SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		mov	eax, [edi+4]
		mov	edx, [ebx+0Ch]
		mov	[ebp+var_4], eax
		mov	[ebp+arg_0], eax
		mov	eax, [edi+8]
		sub	eax, 1
		jnz	short loc_768F9F
		lea	eax, [ebp+arg_0]
		push	eax
		push	edx
		mov	edx, [edi+18h]
		call	_RawQueryFsVolumeInfo@16 ; RawQueryFsVolumeInfo(x,x,x,x)

loc_768F7F:				; CODE XREF: RawQueryVolumeInformation+74j
					; RawQueryVolumeInformation+16EEC3j ...
		mov	esi, eax

loc_768F81:				; CODE XREF: RawQueryVolumeInformation+16EE8Aj
					; RawQueryVolumeInformation+16EEA2j ...
		mov	eax, [edi+4]
		mov	dl, 1
		sub	eax, [ebp+arg_0]
		mov	ecx, ebx
		mov	[ebx+1Ch], eax
		mov	[ebx+18h], esi
		call	IofCompleteRequest
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_768F9F:				; CODE XREF: RawQueryVolumeInformation+20j
		dec	eax
		sub	eax, 1
		jz	loc_8D7E18
		sub	eax, 1
		jz	loc_8D7E06
		sub	eax, 1
		jnz	loc_8D7DD0
		lea	eax, [ebp+arg_0]
		push	eax
		call	_RawQueryFsAttributeInfo@12 ; RawQueryFsAttributeInfo(x,x,x)
		jmp	short loc_768F7F
RawQueryVolumeInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnPrefetchScenario proc near		; CODE XREF: PfSnBeginScenario+1FBp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D7E2A SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	61506343h
		push	90h
		push	200h
		mov	ebx, edx
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_76903E
		shr	ebx, 4
		lea	eax, [ebp+var_4]
		and	ebx, 1
		mov	edx, esi	; int
		push	ebx		; int
		push	eax		; int
		mov	ecx, edi	; void *
		call	_PfSnAsyncContextInitialize@16 ; PfSnAsyncContextInitialize(x,x,x,x)
		lea	ecx, [ebp+var_4]
		xor	esi, esi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	eax, large fs:124h
		push	eax
		call	_KeQueryPriorityThread@4 ; KeQueryPriorityThread(x)
		add	eax, 20h
		push	eax
		push	edi
		call	ExQueueWorkItem
		lea	ecx, [ebp+var_4]
		xor	edi, edi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)

loc_76902F:				; CODE XREF: PfSnPrefetchScenario+7Dj
		test	esi, esi
		jnz	loc_8D7E2A

loc_769037:				; CODE XREF: PfSnPrefetchScenario+16EE6Cj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76903E:				; CODE XREF: PfSnPrefetchScenario+29j
		mov	edi, 0C000009Ah
		jmp	short loc_76902F
PfSnPrefetchScenario endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnPreallocatePrefetchHeader proc near	; CODE XREF: PfSnEndTrace+248p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D7E37 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	68506343h
		mov	eax, [esi]
		imul	ebx, [eax+58h],	28h
		push	ebx
		push	1
		mov	[ebp+var_C], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	loc_8D7E37
		and	[ebp+var_4], 0
		push	edi
		mov	edi, [esi]
		mov	[esi+1Ch], edx
		cmp	dword ptr [edi+58h], 0
		jbe	short loc_7690AD
		mov	edx, [ebp+var_4]
		xor	ebx, ebx

loc_76908A:				; CODE XREF: PfSnPreallocatePrefetchHeader+5Fj
		mov	ecx, [esi+1Ch]
		xor	eax, eax
		add	ecx, ebx
		add	ebx, 20h
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		stosd
		or	dword ptr [ecx+10h], 2
		inc	edx
		mov	edi, [esi]
		cmp	edx, [edi+58h]
		jb	short loc_76908A
		mov	edx, [ebp+var_8]
		mov	ebx, [ebp+var_C]

loc_7690AD:				; CODE XREF: PfSnPreallocatePrefetchHeader+3Dj
		mov	ecx, [edi+58h]
		shl	ecx, 5
		add	ecx, edx
		mov	[esi+20h], ecx
		mov	eax, [edi+58h]
		push	ebx		; size_t
		push	0		; int
		push	edx		; void *
		lea	eax, [ecx+eax*4]
		mov	[esi+24h], eax
		call	_memset
		mov	eax, [esi]
		add	esp, 0Ch
		mov	edi, [eax+78h]
		add	edi, [eax+58h]
		mov	ebx, edi
		push	68506343h
		shl	ebx, 4
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+3Ch], eax
		test	eax, eax
		jz	short loc_76913F
		push	ebx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+44h], edi
		push	4D506343h
		push	1810h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+28h], eax
		test	eax, eax
		jz	short loc_76913F
		push	57506343h
		push	380h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+2Ch], eax
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFF66h
		add	eax, 0C000009Ah

loc_76913A:				; CODE XREF: PfSnPreallocatePrefetchHeader+FEj
		pop	edi

loc_76913B:				; CODE XREF: PfSnPreallocatePrefetchHeader+16EDF6j
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76913F:				; CODE XREF: PfSnPreallocatePrefetchHeader+A6j
					; PfSnPreallocatePrefetchHeader+CDj
		mov	eax, 0C000009Ah
		jmp	short loc_76913A
PfSnPreallocatePrefetchHeader endp


;  S U B	R O U T	I N E 


; int __fastcall PfpPrefetchSharedInitialize(void *)
_PfpPrefetchSharedInitialize@4 proc near ; CODE	XREF: PfSnEndTrace+29Cp
					; PfpPrefetchRequestPerform+8Ap ...
		mov	edi, edi
		push	esi
		push	5Ch		; size_t
		mov	esi, ecx
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+18h], esi
		lea	eax, [esi+3Ch]
		mov	dword ptr [esi+14h], offset _PfpPrefetchSharedConflictNotifyStart@12 ; PfpPrefetchSharedConflictNotifyStart(x,x,x)
		push	0
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	dword ptr [esi+50h], 1
		pop	esi
		retn
_PfpPrefetchSharedInitialize@4 endp


;  S U B	R O U T	I N E 


; __stdcall PfpPrefetchSharedStart(x)
_PfpPrefetchSharedStart@4 proc near	; CODE XREF: PfSnEndTrace+2C6p
					; PfpPrefetchRequestPerform+C2p ...
		mov	edi, edi
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		or	dword ptr [esi+28h], 8
		push	1
		mov	[esi+8], eax
		call	_PsSetCurrentThreadPrefetching@4 ; PsSetCurrentThreadPrefetching(x)
		movzx	eax, al
		mov	ecx, offset unk_6D492C
		add	eax, eax
		xor	eax, [esi+28h]
		and	eax, 2
		xor	[esi+28h], eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_769262
		mov	eax, large fs:124h
		or	dword ptr [esi+28h], 1
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset dword_6D4934
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		test	byte ptr dword_6D4940, 1
		jnz	short loc_769207
		mov	eax, dword_6D4938
		mov	ecx, offset dword_6D4938
		cmp	[eax+4], ecx
		jnz	short loc_769269
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		mov	dword_6D4938, esi

loc_769207:				; CODE XREF: PfpPrefetchSharedStart(x)+70j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_769259

loc_769214:				; CODE XREF: PfpPrefetchSharedStart(x)+E8j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	edi, edi
		cmp	[esi], edi
		jz	short loc_769262
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	[esi+54h], eax
		test	eax, eax
		jz	short loc_76923B
		or	byte ptr [eax+0Eh], 1

loc_76923B:				; CODE XREF: PfpPrefetchSharedStart(x)+BDj
		push	edi
		xor	edx, edx
		mov	ecx, offset _PfGlobals
		call	KeAbPreAcquire
		mov	[esi+58h], eax
		test	eax, eax
		jz	short loc_769253
		or	byte ptr [eax+0Eh], 1

loc_769253:				; CODE XREF: PfpPrefetchSharedStart(x)+D5j
					; PfpPrefetchSharedStart(x)+EFj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_769259:				; CODE XREF: PfpPrefetchSharedStart(x)+9Aj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_769214
; 

loc_769262:				; CODE XREF: PfpPrefetchSharedStart(x)+43j
					; PfpPrefetchSharedStart(x)+ACj
		mov	edi, 0C00002B9h
		jmp	short loc_769253
; 

loc_769269:				; CODE XREF: PfpPrefetchSharedStart(x)+7Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PfpPrefetchSharedStart@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnAsyncPrefetchStep(x, x,	x)
_PfSnAsyncPrefetchStep@12 proc near	; CODE XREF: PfSnEndTrace+321p
					; PfSnEndTrace+16DE8Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, ebx
		mov	edx, edi
		call	PfSnPrefetchMetadata
		push	dword ptr [esi+7Ch]
		xor	edx, edx
		push	ecx
		push	edi
		mov	ecx, ebx
		call	PfSnPrefetchSections
		test	eax, eax
		js	short loc_7692B3
		push	dword ptr [esi+7Ch]
		xor	edx, edx
		push	ecx
		push	edi
		inc	edx
		mov	ecx, ebx
		call	PfSnPrefetchSections
		test	eax, eax
		js	short loc_7692B3
		or	[esi+84h], edi
		xor	eax, eax

loc_7692B3:				; CODE XREF: PfSnAsyncPrefetchStep(x,x,x)+28j
					; PfSnAsyncPrefetchStep(x,x,x)+3Bj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PfSnAsyncPrefetchStep@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnPrefetchSections proc near		; CODE XREF: PfSnAsyncPrefetchStep(x,x,x)+21p
					; PfSnAsyncPrefetchStep(x,x,x)+34p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D7E41 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_18], edx
		push	8
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_C], ebx
		lea	edi, [ebp+var_44]
		rep stosd
		mov	eax, [ebx]
		xor	edi, edi
		and	[ebp+var_14], edi
		push	ecx
		push	edx
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	PfSnLogPrefetchSectionsStart
		mov	ecx, [ebx]
		xor	esi, esi
		inc	esi
		mov	eax, esi
		mov	[ebp+var_10], esi
		mov	ecx, [ecx+7Ch]
		shl	eax, cl
		cmp	[ebp+arg_0], eax
		jge	loc_8D7E41
		mov	eax, [ebp+var_18]
		sub	eax, edi
		jz	loc_769450
		sub	eax, esi
		jnz	loc_8D7E41

loc_769318:				; CODE XREF: PfSnPrefetchSections+19Bj
		mov	ebx, [ebp+var_8]
		mov	edi, [ebp+var_C]
		mov	ebx, [ebx+58h]
		mov	eax, ebx
		mov	ecx, [edi+20h]
		shl	eax, 2
		push	eax		; size_t
		push	0		; int
		push	ecx		; void *
		mov	[ebp+var_24], ecx
		call	_memset
		mov	eax, [edi+2Ch]
		add	esp, 0Ch
		mov	[ebp+var_1C], eax
		push	380h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_44]
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_3C], eax
		mov	eax, large fs:124h
		push	eax
		mov	[ebp+var_40], edi
		mov	[ebp+var_30], ebx
		call	_KeQueryPriorityThread@4 ; KeQueryPriorityThread(x)
		mov	ecx, eax
		push	20h
		pop	eax
		add	ecx, eax
		mov	[ebp+var_20], ecx
		cmp	ebx, eax
		ja	loc_76945A

loc_769380:				; CODE XREF: PfSnPrefetchSections+1A2j
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	PfSnLogGetReadListsStart
		test	ebx, ebx
		jz	short loc_7693D5
		mov	edi, [ebp+var_1C]
		add	edi, 18h

loc_769394:				; CODE XREF: PfSnPrefetchSections+119j
		lea	eax, [ebp+var_44]
		mov	[edi-8], eax
		lea	ecx, [ebp+var_44]
		mov	eax, [edi]
		and	eax, 0FFFFFFFEh
		or	eax, esi
		lea	esi, [edi-18h]
		mov	[edi], eax
		mov	eax, [ebp+arg_0]
		mov	[edi-4], eax
		and	dword ptr [esi], 0
		mov	dword ptr [edi-10h], offset PfSnPopulateReadList
		mov	[edi-0Ch], esi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		push	[ebp+var_20]
		push	esi
		call	ExQueueWorkItem
		mov	esi, [ebp+var_10]
		lea	edi, [edi+1Ch]
		sub	ebx, 1
		jnz	short loc_769394

loc_7693D5:				; CODE XREF: PfSnPrefetchSections+D2j
		lea	ecx, [ebp+var_44]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, [ebp+var_8]
		call	PfSnLogGetReadListsStop
		mov	edi, [ebp+var_38]
		mov	esi, [ebp+var_28]
		test	esi, esi
		js	short loc_769419
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_14], eax
		test	edi, edi
		jz	short loc_76946F
		test	eax, eax
		jz	short loc_769468
		mov	ebx, [ebp+var_C]
		mov	ecx, edi
		mov	edx, [ebp+var_24]
		add	ebx, 38h
		push	ebx
		call	MmPrefetchPagesEx
		mov	esi, eax
		test	esi, esi
		js	short loc_769419
		cmp	dword ptr [ebx], 0
		jz	short loc_769461

loc_769419:				; CODE XREF: PfSnPrefetchSections+133j
					; PfSnPrefetchSections+158j ...
		test	edi, edi
		jz	short loc_769434
		push	20h
		pop	eax
		cmp	edi, eax
		ja	short loc_769426
		mov	eax, edi

loc_769426:				; CODE XREF: PfSnPrefetchSections+168j
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_C]
		mov	edx, edi
		push	eax
		call	_PfSnPrefetchSectionsCleanup@16	; PfSnPrefetchSectionsCleanup(x,x,x,x)

loc_769434:				; CODE XREF: PfSnPrefetchSections+161j
					; PfSnPrefetchSections+1B7j ...
		mov	edx, [ebp+arg_0]
		push	edi
		push	[ebp+var_14]
		push	ecx
		push	[ebp+var_18]
		mov	ecx, [ebp+var_8]
		call	PfSnLogPrefetchSectionsStop
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_769450:				; CODE XREF: PfSnPrefetchSections+50j
		xor	esi, esi
		mov	[ebp+var_10], esi
		jmp	loc_769318
; 

loc_76945A:				; CODE XREF: PfSnPrefetchSections+C0j
		mov	ebx, eax
		jmp	loc_769380
; 

loc_769461:				; CODE XREF: PfSnPrefetchSections+15Dj
		mov	esi, 8000001Ah
		jmp	short loc_769419
; 

loc_769468:				; CODE XREF: PfSnPrefetchSections+141j
		mov	esi, 0C0000001h
		jmp	short loc_769419
; 

loc_76946F:				; CODE XREF: PfSnPrefetchSections+13Dj
		xor	esi, esi
		jmp	short loc_769434
PfSnPrefetchSections endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnLogPrefetchSectionsStop proc near	; CODE XREF: PfSnPrefetchSections+188p

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D7E4B SIZE 00000099 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_A0], edx
		push	esi
		mov	esi, ecx
		mov	byte ptr [ebp+var_98], bl
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A4], ebx
		test	esi, esi
		jz	short loc_7694DD
		mov	ecx, dword_6D49E8
		mov	eax, ecx
		mov	edx, dword_6D49EC
		or	eax, edx
		jz	short loc_7694DD
		push	edi
		mov	edi, offset _PfSnEvt_PrefetchSections_Stop
		push	edi
		push	edx
		push	ecx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8D7E4B

loc_7694DC:				; CODE XREF: PfSnLogPrefetchSectionsStop+16EA6Bj
		pop	edi

loc_7694DD:				; CODE XREF: PfSnLogPrefetchSectionsStop+3Ej
					; PfSnLogPrefetchSectionsStop+50j
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
PfSnLogPrefetchSectionsStop endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnPrefetchSectionsCleanup(x, x, x, x)
_PfSnPrefetchSectionsCleanup@16	proc near ; CODE XREF: PfSnPrefetchSections+175p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		imul	eax, [ebp+arg_0], 1Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	ebx, edx
		push	eax		; size_t
		push	0		; int
		mov	ecx, [esi+2Ch]
		push	ecx		; void *
		mov	[ebp+var_4], ecx
		call	_memset
		add	esp, 0Ch
		lea	edi, [ebp+var_24]
		xor	eax, eax
		push	8
		pop	ecx
		rep stosd
		lea	ecx, [ebp+var_24]
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_1C], eax
		mov	eax, large fs:124h
		push	eax
		mov	[ebp+var_20], esi
		mov	[ebp+var_10], ebx
		call	_KeQueryPriorityThread@4 ; KeQueryPriorityThread(x)
		mov	esi, [ebp+arg_0]
		lea	edi, [eax+20h]
		test	esi, esi
		jz	short loc_769573
		mov	ebx, [ebp+var_4]

loc_76954A:				; CODE XREF: PfSnPrefetchSectionsCleanup(x,x,x,x)+83j
		lea	eax, [ebp+var_24]
		mov	[ebx+10h], eax
		mov	ecx, eax
		and	dword ptr [ebx], 0
		mov	dword ptr [ebx+8], offset _PfSnSectionInfoCleanupWorkItem@4 ; PfSnSectionInfoCleanupWorkItem(x)
		mov	[ebx+0Ch], ebx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		push	edi
		push	ebx
		call	ExQueueWorkItem
		add	ebx, 1Ch
		sub	esi, 1
		jnz	short loc_76954A

loc_769573:				; CODE XREF: PfSnPrefetchSectionsCleanup(x,x,x,x)+57j
		lea	ecx, [ebp+var_24]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PfSnPrefetchSectionsCleanup@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnLogGetReadListsStop	proc near	; CODE XREF: PfSnPrefetchSections+126p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D7EE4 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_48], 0
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_7695C8
		mov	ecx, dword_6D49E8
		mov	eax, ecx
		mov	edx, dword_6D49EC
		or	eax, edx
		jz	short loc_7695C8
		push	edi
		mov	edi, offset _PfSnEvt_GetReadLists_Stop
		push	edi
		push	edx
		push	ecx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8D7EE4

loc_7695C7:				; CODE XREF: PfSnLogGetReadListsStop+16E98Fj
		pop	edi

loc_7695C8:				; CODE XREF: PfSnLogGetReadListsStop+1Bj
					; PfSnLogGetReadListsStop+2Dj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PfSnLogGetReadListsStop	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnLogGetReadListsStart proc near	; CODE XREF: PfSnPrefetchSections+CBp

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D7F16 SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_5C], edx
		xor	edi, edi
		mov	[ebp+var_58], edi
		test	esi, esi
		jz	short loc_769621
		mov	edx, dword_6D49E8
		mov	eax, edx
		mov	ecx, dword_6D49EC
		or	eax, ecx
		jz	short loc_769621
		push	ebx
		mov	ebx, offset _PfSnEvt_GetReadLists_Start
		push	ebx
		push	ecx
		push	edx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8D7F16

loc_769620:				; CODE XREF: PfSnLogGetReadListsStart+16E97Fj
		pop	ebx

loc_769621:				; CODE XREF: PfSnLogGetReadListsStart+20j
					; PfSnLogGetReadListsStart+32j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PfSnLogGetReadListsStart endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnLogPrefetchSectionsStart proc near	; CODE XREF: PfSnPrefetchSections+2Ep

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D7F5A SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_80], edx
		mov	esi, ecx
		mov	byte ptr [ebp+var_78], bl
		mov	[ebp+var_7C], ebx
		test	esi, esi
		jz	short loc_769681
		mov	ecx, dword_6D49E8
		mov	eax, ecx
		mov	edx, dword_6D49EC
		or	eax, edx
		jz	short loc_769681
		push	edi
		mov	edi, offset _PfSnEvt_PrefetchSections_Start
		push	edi
		push	edx
		push	ecx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8D7F5A

loc_769680:				; CODE XREF: PfSnLogPrefetchSectionsStart+16E98Aj
		pop	edi

loc_769681:				; CODE XREF: PfSnLogPrefetchSectionsStart+26j
					; PfSnLogPrefetchSectionsStart+38j
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
PfSnLogPrefetchSectionsStart endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PfSnAsyncContextCleanup(x)
_PfSnAsyncContextCleanup@4 proc	near	; CODE XREF: PfSnEndTrace+3C3p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+80h]
		test	ecx, ecx
		jz	short loc_7696AC
		add	ecx, 104h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7696AC:				; CODE XREF: PfSnAsyncContextCleanup(x)+Dj
		mov	eax, [esi+78h]
		test	eax, eax
		jz	short loc_7696BB
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7696BB:				; CODE XREF: PfSnAsyncContextCleanup(x)+1Fj
		mov	ecx, [esi+7Ch]
		pop	esi
		test	ecx, ecx
		jnz	ObfDereferenceObject
		retn
_PfSnAsyncContextCleanup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnScenarioAlloc(x)
_PfSnScenarioAlloc@4 proc near		; DATA XREF: PfSnGetPrefetchInstructions+1A9o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	70506343h
		push	[ebp+arg_0]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	4
_PfSnScenarioAlloc@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnScenarioFree(x)
_PfSnScenarioFree@4 proc near		; DATA XREF: PfSnGetPrefetchInstructions+1B4o
					; AlpcpInitSystem+15Ao

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	4
_PfSnScenarioFree@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnGetPrefetchInstructions proc near	; CODE XREF: PfSnBeginScenario+196p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D7FBF SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_3C], ecx
		lea	edi, [ebp+var_78]
		push	6
		mov	[ebp+var_4C], eax
		xor	esi, esi
		xor	eax, eax
		mov	[ebp+var_58], esi
		pop	ecx
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_24]
		mov	[ebp+var_54], esi
		rep stosd
		mov	eax, large fs:124h
		mov	ebx, esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_44], esi
		mov	[ebp+var_2C], esi
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_48], edx
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], esi
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D4858
		call	ExAcquirePushLockSharedEx
		mov	ecx, offset unk_6D46F0
		lea	edx, [ecx+2]

loc_769765:				; CODE XREF: PfSnGetPrefetchInstructions+7Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_769765
		sub	ecx, edx
		sar	ecx, 1
		push	46506343h
		lea	edi, ds:66h[ecx*2]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_50], esi
		test	esi, esi
		jz	loc_8D7FBF
		mov	eax, [ebp+var_3C]
		push	offset ??_C@_15FLFCPLEC@?$AAp?$AAf@NNGAKEGL@ ; "pf"
		push	dword ptr [eax+3Ch]
		push	eax
		push	offset unk_6D46F0 ; char
		push	offset ??_C@_1CA@CDDODOJL@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAw?$AAs?$AA?9?$AA?$CF?$AA0?$AA8?$AAX?$AA?4?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; "%"
		push	edi		; int
		push	esi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 1Ch
		xor	ecx, ecx
		mov	edi, offset unk_6D4858
		push	11h
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jnz	loc_769936

loc_7697CC:				; CODE XREF: PfSnGetPrefetchInstructions+249j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	esi
		lea	eax, [ebp+var_58]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	edi
		push	20h
		xor	ecx, ecx
		mov	[ebp+var_78], edi
		lea	eax, [ebp+var_58]
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_38]
		push	ecx
		push	eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_6C], 240h
		push	eax
		push	80100000h
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_68], ecx
		push	eax
		mov	[ebp+var_64], ecx
		call	_NtOpenFile@24	; NtOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_769931
		push	5		; int
		push	edi		; size_t
		lea	eax, [ebp+var_24]
		push	eax		; int
		lea	eax, [ebp+var_38]
		push	eax		; int
		push	[ebp+var_2C]	; int
		call	_NtQueryInformationFile@20 ; NtQueryInformationFile(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_769931
		mov	edi, [ebp+var_1C]
		mov	eax, 10000000h
		mov	[ebp+var_40], eax
		cmp	edi, eax
		ja	loc_8D7FF9
		test	edi, edi
		jz	loc_8D7FF9
		cmp	[ebp+var_18], ebx
		jnz	loc_8D7FF9
		push	70506343h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8D7FEF
		xor	ecx, ecx
		lea	eax, [ebp+var_38]
		push	ecx
		push	ecx
		push	edi
		push	ebx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_2C]
		call	_NtReadFile@36	; NtReadFile(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_769931
		lea	eax, [ebp+var_60]
		mov	[ebp+var_60], offset _PfSnScenarioAlloc@4 ; PfSnScenarioAlloc(x)
		push	eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_5C], offset _PfSnScenarioFree@4 ; PfSnScenarioFree(x)
		push	eax
		lea	eax, [ebp+var_30]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_28]
		mov	ecx, ebx
		push	eax
		call	SmDecompressBuffer
		mov	esi, eax
		test	esi, esi
		js	short loc_769931
		mov	edi, [ebp+var_28]
		lea	eax, [ebp+var_44]
		mov	edx, [ebp+var_30]
		mov	ecx, edi
		push	eax
		call	PfVerifyScenarioBuffer
		test	al, al
		jz	short loc_769942
		mov	eax, [ebp+var_48]
		cmp	[edi+50h], eax
		jnz	short loc_769949
		mov	eax, [ebp+var_4C]
		mov	[eax], edi
		xor	edi, edi
		xor	esi, esi

loc_7698ED:				; CODE XREF: PfSnGetPrefetchInstructions+240j
					; PfSnGetPrefetchInstructions+253j ...
		cmp	[ebp+var_2C], 0
		jz	short loc_7698FB
		push	[ebp+var_2C]
		call	NtClose

loc_7698FB:				; CODE XREF: PfSnGetPrefetchInstructions+1FDj
		mov	eax, [ebp+var_50]
		test	eax, eax
		jz	short loc_76990A
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_76990A:				; CODE XREF: PfSnGetPrefetchInstructions+20Cj
		test	ebx, ebx
		jz	short loc_769916
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_769916:				; CODE XREF: PfSnGetPrefetchInstructions+218j
		test	edi, edi
		jnz	loc_8D8003

loc_76991E:				; CODE XREF: PfSnGetPrefetchInstructions+16E917j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_769931:				; CODE XREF: PfSnGetPrefetchInstructions+129j
					; PfSnGetPrefetchInstructions+146j ...
		mov	edi, [ebp+var_28]
		jmp	short loc_7698ED
; 

loc_769936:				; CODE XREF: PfSnGetPrefetchInstructions+D2j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_7697CC
; 

loc_769942:				; CODE XREF: PfSnGetPrefetchInstructions+1E6j
		mov	esi, 0C000007Bh
		jmp	short loc_7698ED
; 

loc_769949:				; CODE XREF: PfSnGetPrefetchInstructions+1EEj
		mov	esi, 0C0000001h
		jmp	short loc_7698ED
PfSnGetPrefetchInstructions endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfVerifyScenarioBuffer proc near	; CODE XREF: PfSnGetPrefetchInstructions+1DFp

var_D4		= dword	ptr -0D4h
var_D0		= byte ptr -0D0h
var_CC		= dword	ptr -0CCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_55		= byte ptr -55h
var_54		= word ptr -54h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D8010 SIZE 00000363 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_5C], ecx
		lea	edi, [ebp+var_D4]
		mov	[ebp+var_B8], eax
		xor	bl, bl
		xor	eax, eax
		mov	[ebp+var_55], bl
		mov	ecx, 6
		xor	esi, esi
		rep stosd
		cmp	edx, 128h
		jb	loc_8D8010
		mov	ecx, [ebp+var_5C]
		test	cl, 7
		jnz	loc_8D801A
		cmp	dword ptr [ecx], 1Eh
		jnz	loc_8D8369
		cmp	dword ptr [ecx+4], 41434353h
		jnz	loc_8D8369
		cmp	edx, 10000000h
		ja	loc_8D8024
		cmp	edx, [ecx+0Ch]
		jnz	loc_8D802E
		cmp	dword ptr [ecx+50h], 1
		ja	loc_8D835F
		mov	eax, [ecx+58h]
		mov	[ebp+var_88], eax
		cmp	eax, 4000h
		ja	loc_8D8355
		mov	eax, [ecx+70h]
		mov	[ebp+var_74], eax
		cmp	eax, 4000h
		ja	loc_8D8355
		mov	eax, [ecx+60h]
		mov	[ebp+var_70], eax
		cmp	eax, 100000h
		ja	loc_8D8355
		mov	edi, [ecx+68h]
		cmp	edi, 400000h
		ja	loc_8D8355
		cmp	[ebp+var_88], esi
		jz	loc_8D834B
		test	eax, eax
		jz	loc_8D834B
		test	edi, edi
		jz	loc_8D834B
		mov	eax, [ecx+0CCh]
		dec	eax
		cmp	eax, 7
		ja	loc_8D8341
		add	ecx, 10h
		call	_PfVerifyScenarioId@4 ;	PfVerifyScenarioId(x)
		test	al, al
		jz	loc_8D8038
		mov	eax, [ebp+var_5C]
		mov	ecx, [eax+54h]
		add	ecx, eax
		test	cl, 3
		jnz	loc_8D8042
		cmp	ecx, eax
		jb	loc_8D8337
		add	eax, edx
		mov	[ebp+var_60], eax
		cmp	ecx, eax
		jnb	loc_8D8337
		mov	eax, [ebp+var_88]
		mov	edx, [ebp+var_5C]
		shl	eax, 5
		dec	eax
		add	eax, ecx
		cmp	eax, edx
		jb	loc_8D832D
		cmp	eax, [ebp+var_60]
		jnb	loc_8D832D
		mov	eax, [edx+5Ch]
		add	eax, edx
		mov	[ebp+var_B0], eax
		test	al, 3
		jnz	loc_8D804C
		cmp	eax, edx
		jb	loc_8D8323
		cmp	eax, [ebp+var_60]
		jnb	loc_8D8323
		mov	edx, [ebp+var_70]
		lea	eax, [eax+edx*8]
		dec	eax
		cmp	eax, [ebp+var_5C]
		jb	loc_8D8319
		cmp	eax, [ebp+var_60]
		jnb	loc_8D8319
		mov	eax, [ebp+var_5C]
		mov	edx, [eax+64h]
		add	edx, eax
		mov	[ebp+var_8C], edx
		test	dl, 1
		jnz	loc_8D8056
		cmp	edx, eax
		jb	loc_8D830F
		mov	eax, edx
		cmp	eax, [ebp+var_60]
		jnb	loc_8D830F
		dec	eax
		add	eax, edi
		mov	edi, [ebp+var_5C]
		cmp	eax, edi
		jb	loc_8D8305
		cmp	eax, [ebp+var_60]
		jnb	loc_8D8305
		mov	eax, [edi+6Ch]
		add	eax, edi
		mov	[ebp+var_6C], eax
		test	al, 7
		jnz	loc_8D8060
		cmp	eax, edi
		jb	loc_8D82FB
		cmp	eax, [ebp+var_60]
		jnb	loc_8D82FB
		mov	edx, [ebp+var_6C]
		mov	eax, [edi+74h]
		dec	edx
		add	eax, edx
		cmp	eax, edi
		jb	loc_8D82F1
		cmp	eax, [ebp+var_60]
		jnb	loc_8D82F1
		mov	eax, [ebp+var_74]
		mov	edx, [ebp+var_6C]
		dec	edx
		lea	eax, [eax+eax*2]
		shl	eax, 5
		add	eax, edx
		mov	edx, [ebp+var_70]
		cmp	eax, edi
		jb	loc_8D82E7
		cmp	eax, [ebp+var_60]
		jnb	loc_8D82E7
		mov	eax, [edi+7Ch]
		mov	[ebp+var_A8], eax
		cmp	eax, 7
		ja	loc_8D806A
		mov	[ebp+var_68], edx
		mov	[ebp+var_9C], esi
		mov	[ebp+var_78], esi
		cmp	[ebp+var_88], esi
		jbe	loc_769DD4
		lea	edi, [ecx+10h]
		mov	[ebp+var_7C], edi
		lea	ebx, [ebx+0]

loc_769BB0:				; CODE XREF: PfVerifyScenarioBuffer+478j
		mov	eax, [edi-4]
		add	eax, [ebp+var_8C]
		test	al, 1
		jnz	loc_8D8162
		mov	edx, [ebp+var_5C]
		cmp	eax, edx
		jb	loc_8D8155
		mov	ebx, [ebp+var_60]
		cmp	eax, ebx
		jnb	loc_8D8155
		mov	ecx, [edi]
		test	ecx, ecx
		jz	loc_8D8148
		cmp	ecx, 400h
		ja	loc_8D813B
		lea	ecx, [eax+ecx*2]
		lea	eax, [ecx+1]
		cmp	eax, edx
		jb	loc_8D812E
		cmp	eax, ebx
		jnb	loc_8D812E
		cmp	[ecx], si
		jnz	loc_8D8121
		mov	edx, [edi-0Ch]
		cmp	edx, 8000h
		ja	loc_8D8114
		mov	eax, [ebp+var_68]
		cmp	edx, eax
		ja	loc_8D8107
		mov	ebx, [edi-10h]
		sub	eax, edx
		mov	[ebp+var_68], eax
		mov	[ebp+var_B4], ebx
		cmp	ebx, 0FFFFFFFFh
		jz	loc_8D8074

loc_769C3D:				; CODE XREF: PfVerifyScenarioBuffer+16E726j
		mov	eax, [ebp+var_9C]
		cmp	ebx, eax
		jnz	loc_8D8089

loc_769C4B:				; CODE XREF: PfVerifyScenarioBuffer+16E73Cj
		add	eax, edx
		mov	[ebp+var_9C], eax
		mov	eax, [edi+4]
		test	eax, 7F00h
		mov	[ebp+var_64], eax
		setz	cl
		test	al, 1
		setz	al
		test	cl, al
		mov	eax, [ebp+var_64]
		jz	short loc_769C75
		test	al, 0FEh
		jz	loc_8D809F

loc_769C75:				; CODE XREF: PfVerifyScenarioBuffer+31Bj
		and	eax, 1
		mov	[ebp+var_80], eax
		jnz	short loc_769C86
		cmp	[edi-8], esi
		jz	loc_8D80AC

loc_769C86:				; CODE XREF: PfVerifyScenarioBuffer+32Bj
		lea	ecx, [ebx+edx]
		mov	edi, ebx
		xor	eax, eax
		mov	[ebp+var_98], ecx
		xor	ebx, ebx
		mov	[ebp+var_90], eax
		xor	edx, edx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_94], edx
		cmp	edi, ecx
		jge	loc_769D84
		mov	ecx, [ebp+var_B0]
		add	ecx, 4
		lea	ecx, [ecx+edi*8]
		mov	[ebp+var_A0], ecx

loc_769CC3:				; CODE XREF: PfVerifyScenarioBuffer+422j
		test	edi, edi
		js	loc_8D80E0
		cmp	edi, [ebp+var_70]
		jnb	loc_8D80E0
		cmp	edi, [ebp+var_B4]
		jz	short loc_769CE8
		mov	eax, [ecx-4]
		cmp	eax, [ecx-0Ch]
		jbe	loc_8D80B9

loc_769CE8:				; CODE XREF: PfVerifyScenarioBuffer+38Aj
		mov	eax, [ecx]
		mov	edx, eax
		mov	ebx, eax
		shr	edx, 4
		and	ebx, 1
		jnz	short loc_769D07
		mov	ecx, edx
		and	ecx, 7
		cmp	ecx, [ebp+var_A8]
		ja	loc_8D80C6

loc_769D07:				; CODE XREF: PfVerifyScenarioBuffer+3A4j
		test	al, 0Eh
		jnz	short loc_769D30
		mov	bl, [ebp+var_55]
		mov	esi, 0ADh

loc_769D13:				; CODE XREF: PfVerifyScenarioBuffer+76Bj
					; PfVerifyScenarioBuffer+16E6C5j ...
		mov	eax, [ebp+var_B8]
		mov	ecx, [ebp+var_8]
		pop	edi
		xor	ecx, ebp
		mov	[eax], esi
		mov	al, bl
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_769D30:				; CODE XREF: PfVerifyScenarioBuffer+3B9j
		test	ebx, ebx
		jnz	loc_76A0C0
		inc	[ebp+var_90]
		and	edx, 7
		test	al, 4
		jnz	loc_76A0D3

loc_769D49:				; CODE XREF: PfVerifyScenarioBuffer+792j
		mov	ebx, [ebp+var_84]
		test	al, 2
		jz	short loc_769D5C
		bts	ebx, edx
		mov	[ebp+var_84], ebx

loc_769D5C:				; CODE XREF: PfVerifyScenarioBuffer+401j
					; PfVerifyScenarioBuffer+77Ej
		mov	ecx, [ebp+var_A0]
		inc	edi
		add	ecx, 8
		mov	[ebp+var_A0], ecx
		cmp	edi, [ebp+var_98]
		jl	loc_769CC3
		mov	eax, [ebp+var_90]
		mov	edx, [ebp+var_94]

loc_769D84:				; CODE XREF: PfVerifyScenarioBuffer+35Bj
		mov	edi, [ebp+var_7C]
		cmp	eax, [edi-8]
		jnz	loc_8D80FA
		cmp	[ebp+var_80], esi
		jnz	short loc_769DB5
		mov	ecx, [ebp+var_64]
		mov	eax, ecx
		shr	eax, 1
		and	eax, 7Fh
		cmp	edx, eax
		jnz	loc_8D80ED
		shr	ecx, 8
		and	ecx, 7Fh
		cmp	ebx, ecx
		jnz	loc_8D80ED

loc_769DB5:				; CODE XREF: PfVerifyScenarioBuffer+443j
		mov	edx, [ebp+var_78]
		add	edi, 20h
		inc	edx
		mov	[ebp+var_7C], edi
		mov	[ebp+var_78], edx
		cmp	edx, [ebp+var_88]
		jb	loc_769BB0
		mov	bl, [ebp+var_55]
		mov	edx, [ebp+var_68]

loc_769DD4:				; CODE XREF: PfVerifyScenarioBuffer+24Ej
		test	edx, edx
		jnz	loc_8D816F
		mov	edx, [ebp+var_74]
		xor	eax, eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_7C], eax
		test	edx, edx
		jz	loc_8D8297
		mov	edi, [ebp+var_6C]
		mov	ecx, 1
		mov	[ebp+var_78], ecx
		add	edi, 14h
		mov	[ebp+var_98], 400h
		jmp	short loc_769E10
; 
		align 10h

loc_769E10:				; CODE XREF: PfVerifyScenarioBuffer+4B7j
					; PfVerifyScenarioBuffer+7CCj
		mov	eax, [edi-0Ch]
		mov	ebx, ecx
		mov	[ebp+var_AC], eax
		mov	eax, [edi-8]
		mov	[ebp+var_A8], eax
		mov	eax, [edi-4]
		mov	[ebp+var_80], eax
		cmp	ecx, edx
		jb	loc_76A0F1

loc_769E32:				; CODE XREF: PfVerifyScenarioBuffer+7C2j
		mov	ebx, [edi-14h]
		lea	edx, [edi-14h]
		add	ebx, [ebp+var_6C]
		test	bl, 1
		jnz	loc_8D828A
		cmp	ebx, [ebp+var_5C]
		jb	loc_8D827D
		cmp	ebx, [ebp+var_60]
		jnb	loc_8D827D
		mov	eax, [edi-10h]
		lea	ecx, [ebx+eax*2]
		lea	eax, [ecx+1]
		cmp	eax, [ebp+var_5C]
		jb	loc_8D8270
		cmp	eax, [ebp+var_60]
		jnb	loc_8D8270
		cmp	word ptr [ecx],	0
		jnz	loc_8D8263
		push	edx
		mov	edx, [ebp+var_5C]
		lea	ecx, [ebp+var_D4]
		call	_PfFillVolumeInfoForVolume@12 ;	PfFillVolumeInfoForVolume(x,x,x)
		push	[ebp+var_CC]
		lea	eax, [ebp+var_54]
		push	[ebp+var_D4]
		push	dword ptr [ebp+var_D0] ; char
		push	offset ??_C@_1DE@ONODJGGB@?$AA?2?$AAV?$AAO?$AAL?$AAU?$AAM?$AAE?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?$CF?$AA0@NNGAKEGL@ ; "\\VOLUME{%08lx%08lx-%08lx}"
		push	23h		; int
		push	eax		; wchar_t *
		call	StringCchPrintfW
		add	esp, 18h
		lea	eax, [ebp+var_54]

loc_769EB2:				; CODE XREF: PfVerifyScenarioBuffer+58Aj
		mov	cx, [ebx]
		cmp	cx, [eax]
		jnz	loc_76A0E7
		test	cx, cx
		jz	short loc_769EDC
		mov	cx, [ebx+2]
		cmp	cx, [eax+2]
		jnz	loc_76A0E7
		add	ebx, 4
		add	eax, 4
		test	cx, cx
		jnz	short loc_769EB2

loc_769EDC:				; CODE XREF: PfVerifyScenarioBuffer+571j
		xor	eax, eax

loc_769EDE:				; CODE XREF: PfVerifyScenarioBuffer+79Cj
		test	eax, eax
		jnz	loc_8D8256
		mov	eax, [edi]
		add	eax, [ebp+var_6C]
		test	al, 7
		jnz	loc_8D8249
		mov	edx, [ebp+var_5C]
		cmp	eax, edx
		jb	loc_8D823C
		cmp	eax, [ebp+var_60]
		jnb	loc_8D823C
		mov	ebx, [edi+4]
		mov	[ebp+var_80], ebx
		cmp	ebx, 18h
		jb	loc_8D822F
		lea	ecx, [eax-1]
		add	ecx, ebx
		cmp	ecx, edx
		jb	loc_8D8222
		cmp	ecx, [ebp+var_60]
		jnb	loc_8D8222
		cmp	dword ptr [eax], 3
		jnz	loc_8D8215
		mov	edx, [eax+4]
		cmp	edx, 84000h
		ja	loc_8D8208
		mov	ecx, [ebp+var_5C]
		xor	eax, eax
		mov	[ebp+var_68], eax
		mov	ecx, [ecx+7Ch]
		test	ecx, ecx
		jz	short loc_769F77
		lea	ebx, [edi+10h]
		mov	esi, ecx
		jmp	short loc_769F60
; 
		align 10h

loc_769F60:				; CODE XREF: PfVerifyScenarioBuffer+608j
					; PfVerifyScenarioBuffer+61Fj
		mov	eax, [ebx+1Ch]
		lea	ebx, [ebx+4]
		add	eax, [ebx-4]
		add	[ebp+var_68], eax
		sub	esi, 1
		jnz	short loc_769F60
		mov	eax, [ebp+var_68]
		mov	ebx, [ebp+var_80]

loc_769F77:				; CODE XREF: PfVerifyScenarioBuffer+601j
		cmp	eax, edx
		jnz	loc_8D81FB
		mov	eax, 18h
		test	edx, edx
		jz	short loc_769F8F
		lea	eax, ds:10h[edx*8]

loc_769F8F:				; CODE XREF: PfVerifyScenarioBuffer+636j
		cmp	eax, ebx
		jnz	loc_8D81EE
		mov	ebx, [edi+0Ch]
		cmp	ebx, 80000h
		ja	loc_8D81E1
		xor	eax, eax
		test	ecx, ecx
		jz	short loc_769FBA
		lea	edx, [edi+2Ch]
		nop

loc_769FB0:				; CODE XREF: PfVerifyScenarioBuffer+668j
		add	eax, [edx]
		lea	edx, [edx+4]
		sub	ecx, 1
		jnz	short loc_769FB0

loc_769FBA:				; CODE XREF: PfVerifyScenarioBuffer+65Aj
		cmp	eax, ebx
		jnz	loc_8D81D4
		mov	ecx, [edi+8]
		add	ecx, [ebp+var_6C]
		add	[ebp+var_64], eax
		test	cl, 1
		jnz	loc_8D81C7
		xor	edx, edx
		test	ebx, ebx
		jz	short loc_76A042
		lea	ebx, [ebx+0]

loc_769FE0:				; CODE XREF: PfVerifyScenarioBuffer+6F0j
		cmp	ecx, [ebp+var_5C]
		jb	loc_8D81BA
		cmp	ecx, [ebp+var_60]
		jnb	loc_8D81BA
		lea	eax, [ecx+3]
		cmp	eax, [ebp+var_5C]
		jb	loc_8D81AD
		cmp	eax, [ebp+var_60]
		jnb	loc_8D81AD
		movzx	eax, word ptr [ecx]
		cmp	ax, word ptr [ebp+var_98]
		jnb	loc_8D81A0
		lea	ecx, [ecx+eax*2]
		lea	eax, [ecx+3]
		cmp	eax, [ebp+var_5C]
		jb	loc_8D8193
		cmp	eax, [ebp+var_60]
		jnb	loc_8D8193
		cmp	word ptr [ecx+2], 0
		jnz	loc_8D8186
		inc	edx
		add	ecx, 4
		cmp	edx, ebx
		jb	short loc_769FE0

loc_76A042:				; CODE XREF: PfVerifyScenarioBuffer+688j
		mov	ebx, [ebp+var_5C]
		add	edi, 60h
		mov	edx, [ebp+var_7C]
		mov	ecx, [ebp+var_78]
		inc	edx
		inc	ecx
		mov	[ebp+var_7C], edx
		mov	eax, [ebx+70h]
		mov	[ebp+var_78], ecx
		mov	[ebp+var_74], eax
		cmp	edx, eax
		jb	loc_76A11A
		mov	eax, [ebp+var_64]

loc_76A067:				; CODE XREF: PfVerifyScenarioBuffer+16E94Aj
		cmp	eax, [ebx+78h]
		jnz	loc_8D829F
		cmp	eax, 80000h
		ja	loc_8D82AC
		mov	eax, [ebx+0D4h]
		test	eax, eax
		jz	loc_8D82B9
		xor	ecx, ecx

loc_76A08B:				; CODE XREF: PfVerifyScenarioBuffer+16E96Ej
		mov	edx, [ebx+0D8h]
		test	edx, edx
		jz	loc_8D82C3
		xor	edi, edi

loc_76A09B:				; CODE XREF: PfVerifyScenarioBuffer+16E978j
		cmp	ecx, edi
		jnz	loc_8D82CD
		test	eax, eax
		jz	short loc_76A0B9
		push	0
		lea	ecx, [eax+ebx]
		call	_StringCbLengthW@12 ; StringCbLengthW(x,x,x)
		test	eax, eax
		js	loc_8D82DA

loc_76A0B9:				; CODE XREF: PfVerifyScenarioBuffer+755j
		mov	bl, 1
		jmp	loc_769D13
; 

loc_76A0C0:				; CODE XREF: PfVerifyScenarioBuffer+3E2j
		test	al, 8
		jnz	loc_8D80D3
		mov	ebx, [ebp+var_84]
		jmp	loc_769D5C
; 

loc_76A0D3:				; CODE XREF: PfVerifyScenarioBuffer+3F3j
		mov	ecx, [ebp+var_94]
		bts	ecx, edx
		mov	[ebp+var_94], ecx
		jmp	loc_769D49
; 

loc_76A0E7:				; CODE XREF: PfVerifyScenarioBuffer+568j
					; PfVerifyScenarioBuffer+57Bj
		sbb	eax, eax
		or	eax, 1
		jmp	loc_769EDE
; 

loc_76A0F1:				; CODE XREF: PfVerifyScenarioBuffer+4DCj
		lea	ecx, [edi+4Ch]

loc_76A0F4:				; CODE XREF: PfVerifyScenarioBuffer+7C8j
		push	eax
		lea	edx, [ebp+var_AC]
		call	_PfMetadataRecordIsEqual@12 ; PfMetadataRecordIsEqual(x,x,x)
		test	al, al
		jnz	loc_8D8179
		mov	eax, [ebp+var_80]
		inc	ebx
		add	ecx, 60h
		cmp	ebx, [ebp+var_74]
		jnb	loc_769E32
		jmp	short loc_76A0F4
; 

loc_76A11A:				; CODE XREF: PfVerifyScenarioBuffer+70Ej
		mov	edx, eax
		jmp	loc_769E10
PfVerifyScenarioBuffer endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfFillVolumeInfoForVolume(x, x, x)
_PfFillVolumeInfoForVolume@12 proc near	; CODE XREF: PfVerifyScenarioBuffer+535p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	dword ptr [ecx+0Ch], 0
		xor	eax, eax
		mov	[ecx+16h], ax
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+8]
		mov	[ecx], eax
		mov	eax, [esi+0Ch]
		mov	[ecx+4], eax
		mov	eax, [esi+10h]
		mov	[ecx+8], eax
		mov	eax, [edx+6Ch]
		add	eax, [esi]
		add	eax, edx
		mov	[ecx+10h], eax
		mov	ax, [esi+4]
		mov	[ecx+14h], ax
		mov	eax, 0FFE1h
		and	[ecx+16h], ax
		pop	esi
		pop	ebp
		retn	4
_PfFillVolumeInfoForVolume@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnEndTraceWorkerThreadRoutine(x)
_PfSnEndTraceWorkerThreadRoutine@4 proc	near ; DATA XREF: PfSnBeginTrace+DBo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	PfSnEndTrace
		pop	ebp
		retn	4
_PfSnEndTraceWorkerThreadRoutine@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnLogEndTrace	proc near		; CODE XREF: PfSnEndTrace+33p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D8373 SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		mov	[ebp+var_58], edi
		test	esi, esi
		jz	short loc_76A1C0
		mov	ecx, dword_6D49E8
		mov	eax, ecx
		mov	edx, dword_6D49EC
		or	eax, edx
		jz	short loc_76A1C0
		push	ebx
		mov	ebx, offset _PfSnEvt_EndTrace_Info
		push	ebx
		push	edx
		push	ecx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8D8373

loc_76A1BF:				; CODE XREF: PfSnLogEndTrace+16E23Dj
		pop	ebx

loc_76A1C0:				; CODE XREF: PfSnLogEndTrace+1Dj
					; PfSnLogEndTrace+2Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PfSnLogEndTrace	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnBuildDumpFromTrace proc near	; CODE XREF: PfSnEndTrace+88p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D83BA SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_20], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_4], edi
		and	dword ptr [edi], 0
		cmp	dword ptr [ebx+0F0h], 20h
		jl	loc_8D83BA
		test	byte ptr [ebx+150h], 2
		jnz	loc_8D83C1
		mov	eax, [ebx+0FCh]
		add	eax, [ebx+5Ch]
		push	44506343h
		lea	ecx, ds:0D3h[eax*8]
		mov	eax, [ebx+14Ch]
		shl	eax, 4
		and	ecx, 0FFFFFFFCh
		add	eax, 8
		add	eax, ecx
		push	eax
		push	1
		mov	[ebp+var_10], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[edi], esi
		test	esi, esi
		jz	loc_8D83CC
		push	[ebp+var_10]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		lea	edx, [esi+8]
		add	esp, 0Ch
		mov	dword ptr [edx], 1Eh
		lea	esi, [ebx+0Ch]
		mov	dword ptr [edx+4], 43435341h
		lea	edi, [edx+0Ch]
		mov	[ebp+var_10], edx
		push	10h
		pop	ecx
		rep movsd
		mov	eax, [ebx+4Ch]
		lea	esi, [ebx+54h]
		mov	[edx+4Ch], eax
		mov	eax, [ebx+140h]
		mov	[edx+98h], eax
		mov	eax, [ebx+144h]
		mov	[edx+9Ch], eax
		mov	eax, [ebx+90h]
		mov	[edx+68h], eax
		mov	eax, [ebx+94h]
		mov	[edx+6Ch], eax
		movzx	eax, word ptr [ebx+150h]
		xor	eax, [edx+0A0h]
		and	eax, 1
		mov	[ebp+var_18], esi
		xor	[edx+0A0h], eax
		movzx	ecx, word ptr [ebx+152h]
		mov	eax, [edx+0A0h]
		add	ecx, ecx
		xor	ecx, eax
		and	ecx, 2
		xor	ecx, eax
		mov	[edx+0A0h], ecx
		lea	ecx, [edx+0D3h]
		and	ecx, 0FFFFFFFCh
		mov	eax, ecx
		mov	[ebp+var_C], ecx
		sub	eax, edx
		mov	[edx+50h], eax
		mov	eax, [esi]
		cmp	eax, esi
		jz	loc_76A3A5
		mov	ebx, eax

loc_76A2F8:				; CODE XREF: PfSnBuildDumpFromTrace+157j
		mov	edi, [ebx+8]
		mov	eax, ebx
		mov	ebx, [ebx]
		mov	esi, edi
		shl	esi, 3
		add	eax, 10h
		push	esi		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	ecx, [ebp+var_C]
		add	esp, 0Ch
		mov	eax, [ebp+var_8]
		add	ecx, esi
		add	eax, edi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], eax
		cmp	ebx, [ebp+var_18]
		jnz	short loc_76A2F8
		mov	ebx, [ebp+var_1C]
		mov	edx, [ebp+var_10]

loc_76A32D:				; CODE XREF: PfSnBuildDumpFromTrace+1DAj
		mov	[edx+54h], eax
		lea	edi, [edx+70h]
		mov	eax, [ebx+0F0h]
		lea	esi, [ebx+0C0h]
		mov	[edx+58h], eax
		mov	eax, [ebx+0F4h]
		mov	[edx+5Ch], eax
		mov	eax, [ebp+var_C]
		push	0Ah
		pop	ecx
		rep movsd
		add	eax, 3
		and	eax, 0FFFFFFFCh
		mov	edi, eax
		sub	edi, edx
		mov	[edx+60h], edi
		mov	esi, [ebx+14Ch]
		shl	esi, 4
		push	esi		; size_t
		push	dword ptr [ebx+148h] ; void *
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_10]
		lea	edx, [edi+esi]
		mov	eax, [ebx+14Ch]
		add	esp, 0Ch
		mov	[ecx+64h], eax
		lea	eax, [ebp+var_20]
		push	eax
		mov	[ecx+8], edx
		call	PfVerifyTraceBuffer
		test	al, al
		jz	loc_8D83D6
		xor	edi, edi

loc_76A39E:				; CODE XREF: PfSnBuildDumpFromTrace+16E214j
					; PfSnBuildDumpFromTrace+16E225j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76A3A5:				; CODE XREF: PfSnBuildDumpFromTrace+122j
		mov	eax, [ebp+var_8]
		jmp	short loc_76A32D
PfSnBuildDumpFromTrace endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfVerifyTraceBuffer proc near		; CODE XREF: PfSnBuildDumpFromTrace+1C1p

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D83F8 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		xor	edx, edx
		mov	[ebp+var_1], dl
		push	edi
		cmp	esi, 0D0h
		jb	loc_8D83F8
		test	bl, 7
		jnz	loc_8D83FC
		cmp	dword ptr [ebx], 1Eh
		jnz	loc_8D841C
		cmp	dword ptr [ebx+4], 43435341h
		jnz	loc_8D841C
		cmp	esi, 10000000h
		ja	loc_8D8400
		cmp	dword ptr [ebx+4Ch], 1
		ja	loc_8D8418
		mov	edi, [ebx+64h]
		cmp	edi, 84000h
		ja	loc_8D8414
		mov	eax, [ebx+54h]
		mov	[ebp+var_8], eax
		cmp	eax, 100000h
		ja	loc_8D8414
		cmp	[ebx+8], esi
		jnz	loc_8D8404
		lea	ecx, [ebx+0Ch]
		call	_PfVerifyScenarioId@4 ;	PfVerifyScenarioId(x)
		test	al, al
		jz	loc_8D8408
		mov	eax, [ebx+50h]
		add	eax, ebx
		test	al, 3
		jnz	loc_8D840C
		cmp	eax, ebx
		jb	loc_8D8410
		lea	ecx, [ebx+esi]
		cmp	eax, ecx
		jnb	loc_8D8410
		mov	esi, [ebp+var_8]
		lea	eax, [eax+esi*8]
		dec	eax
		cmp	eax, ebx
		jb	short loc_76A4CF
		cmp	eax, ecx
		jnb	short loc_76A4CF
		mov	eax, edx
		mov	[ebp+var_8], 0Ah
		lea	esi, [ebx+70h]

loc_76A472:				; CODE XREF: PfVerifyTraceBuffer+D1j
		add	eax, [esi]
		lea	esi, [esi+4]
		sub	[ebp+var_8], 1
		jnz	short loc_76A472
		cmp	eax, [ebx+58h]
		jb	short loc_76A4BA
		test	edi, edi
		jnz	short loc_76A494

loc_76A486:				; CODE XREF: PfVerifyTraceBuffer+107j
		mov	al, 1

loc_76A488:				; CODE XREF: PfVerifyTraceBuffer+16E078j
		mov	ecx, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx], edx
		leave
		retn	4
; 

loc_76A494:				; CODE XREF: PfVerifyTraceBuffer+DAj
		mov	eax, [ebx+60h]
		add	eax, ebx
		test	al, 3
		jnz	short loc_76A4C1
		cmp	eax, ebx
		jb	short loc_76A4C8
		cmp	eax, ecx
		jnb	short loc_76A4C8
		shl	edi, 4
		dec	eax
		add	eax, edi
		cmp	eax, ebx
		jb	short loc_76A4B3
		cmp	eax, ecx
		jb	short loc_76A486

loc_76A4B3:				; CODE XREF: PfVerifyTraceBuffer+103j
		push	5Ah
		jmp	loc_8D841E
; 

loc_76A4BA:				; CODE XREF: PfVerifyTraceBuffer+D6j
		push	78h
		jmp	loc_8D841E
; 

loc_76A4C1:				; CODE XREF: PfVerifyTraceBuffer+F1j
		push	41h
		jmp	loc_8D841E
; 

loc_76A4C8:				; CODE XREF: PfVerifyTraceBuffer+F5j
					; PfVerifyTraceBuffer+F9j
		push	50h
		jmp	loc_8D841E
; 

loc_76A4CF:				; CODE XREF: PfVerifyTraceBuffer+B6j
					; PfVerifyTraceBuffer+BAj
		push	32h
		jmp	loc_8D841E
PfVerifyTraceBuffer endp


;  S U B	R O U T	I N E 


; __stdcall PfVerifyScenarioId(x)
_PfVerifyScenarioId@4 proc near		; CODE XREF: PfVerifyScenarioBuffer+FBp
					; PfVerifyTraceBuffer+80p
		push	1Dh
		pop	eax

loc_76A4D9:				; CODE XREF: PfVerifyScenarioId(x)+13j
		cmp	word ptr [ecx+eax*2], 0
		jnz	short loc_76A4E6

loc_76A4E0:				; CODE XREF: PfVerifyScenarioId(x)+15j
		test	eax, eax
		setnle	al
		retn
; 

loc_76A4E6:				; CODE XREF: PfVerifyScenarioId(x)+8j
		sub	eax, 1
		jns	short loc_76A4D9
		jmp	short loc_76A4E0
_PfVerifyScenarioId@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnCleanupTrace(x)
_PfSnCleanupTrace@4 proc near		; CODE XREF: PfSnBeginTrace+1DEp
					; PfSnEndTrace+A0p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		lea	edi, [esi+164h]
		test	byte ptr [edi+4], 1
		mov	eax, [edi]
		jz	short loc_76A513
		test	eax, eax
		jnz	short loc_76A511
		mov	eax, ebx
		jmp	short loc_76A513
; 

loc_76A511:				; CODE XREF: PfSnCleanupTrace(x)+1Dj
		xor	eax, edi

loc_76A513:				; CODE XREF: PfSnCleanupTrace(x)+19j
					; PfSnCleanupTrace(x)+21j
		mov	cl, [edi+4]
		movzx	edx, cl
		and	edx, 1
		test	eax, eax
		jz	short loc_76A57B
		mov	edi, edx

loc_76A522:				; CODE XREF: PfSnCleanupTrace(x)+44j
					; PfSnCleanupTrace(x)+80j ...
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_76A534
		mov	edx, eax
		test	edi, edi
		jz	short loc_76A54C
		xor	eax, ecx

loc_76A530:				; CODE XREF: PfSnCleanupTrace(x)+60j
		mov	[edx], ebx
		jmp	short loc_76A522
; 

loc_76A534:				; CODE XREF: PfSnCleanupTrace(x)+38j
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_76A550
		mov	edx, eax
		test	edi, edi
		jnz	loc_76A5F6
		mov	eax, ecx
		jmp	loc_76A5F8
; 

loc_76A54C:				; CODE XREF: PfSnCleanupTrace(x)+3Ej
		mov	eax, ecx
		jmp	short loc_76A530
; 

loc_76A550:				; CODE XREF: PfSnCleanupTrace(x)+4Bj
		mov	ebx, [eax+8]
		and	ebx, 0FFFFFFFCh
		test	edi, edi
		jnz	loc_76A600

loc_76A55E:				; CODE XREF: PfSnCleanupTrace(x)+114j
					; PfSnCleanupTrace(x)+11Cj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jz	short loc_76A570
		mov	eax, ebx
		xor	ebx, ebx
		jmp	short loc_76A522
; 

loc_76A570:				; CODE XREF: PfSnCleanupTrace(x)+7Aj
		lea	edi, [esi+164h]
		xor	ebx, ebx
		mov	cl, [edi+4]

loc_76A57B:				; CODE XREF: PfSnCleanupTrace(x)+30j
		mov	[edi], ebx
		mov	[edi+4], ebx
		test	cl, 1
		jnz	loc_76A60F

loc_76A589:				; CODE XREF: PfSnCleanupTrace(x)+125j
		mov	eax, [esi+188h]
		test	eax, eax
		jz	short loc_76A59A
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_76A59A:				; CODE XREF: PfSnCleanupTrace(x)+A3j
		lea	edi, [esi+54h]

loc_76A59D:				; CODE XREF: PfSnCleanupTrace(x)+D0j
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_76A5C0
		cmp	[eax+4], edi
		jnz	short loc_76A621
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_76A621
		mov	[edi], ecx
		push	ebx
		mov	[ecx+4], edi
		dec	dword ptr [esi+5Ch]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_76A59D
; 

loc_76A5C0:				; CODE XREF: PfSnCleanupTrace(x)+B3j
		mov	eax, [esi+148h]
		test	eax, eax
		jnz	short loc_76A618

loc_76A5CA:				; CODE XREF: PfSnCleanupTrace(x)+131j
		mov	ecx, [esi+100h]
		test	ecx, ecx
		jz	short loc_76A5DE
		mov	edx, 73576650h
		call	ObfDereferenceObjectWithTag

loc_76A5DE:				; CODE XREF: PfSnCleanupTrace(x)+E4j
		test	byte ptr [esi+152h], 2
		pop	edi
		pop	esi
		pop	ebx
		jz	short locret_76A5F4
		mov	ecx, offset unk_6D492C
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

locret_76A5F4:				; CODE XREF: PfSnCleanupTrace(x)+FAj
		leave
		retn
; 

loc_76A5F6:				; CODE XREF: PfSnCleanupTrace(x)+51j
		xor	eax, ecx

loc_76A5F8:				; CODE XREF: PfSnCleanupTrace(x)+59j
		mov	[edx+4], ebx
		jmp	loc_76A522
; 

loc_76A600:				; CODE XREF: PfSnCleanupTrace(x)+6Aj
		test	ebx, ebx
		jz	loc_76A55E
		xor	ebx, eax
		jmp	loc_76A55E
; 

loc_76A60F:				; CODE XREF: PfSnCleanupTrace(x)+95j
		mov	byte ptr [edi+4], 1
		jmp	loc_76A589
; 

loc_76A618:				; CODE XREF: PfSnCleanupTrace(x)+DAj
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_76A5CA
; 

loc_76A621:				; CODE XREF: PfSnCleanupTrace(x)+B8j
					; PfSnCleanupTrace(x)+BFj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PfSnCleanupTrace@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnEndTrace	proc near		; CODE XREF: PfSnEndTraceWorkerThreadRoutine(x)+8p

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D8427 SIZE 000000BF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	al, [eax+15Ah]
		mov	esi, ecx
		mov	[ebp+var_1], al
		mov	eax, large fs:124h
		push	edi
		mov	byte ptr [eax+15Ah], 0
		call	PfSnDeactivateTrace
		mov	ecx, esi
		call	PfSnLogEndTrace
		mov	edx, [esi+0E8h]
		mov	eax, [esi+0F0h]
		cmp	edx, eax
		jg	loc_8D8427

loc_76A672:				; CODE XREF: PfSnEndTrace+16DE09j
		mov	ecx, [esi+0ECh]
		cmp	ecx, dword_6D4854
		jge	loc_76A761
		sub	eax, edx
		mov	[esi+ecx*4+0C0h], eax
		mov	eax, [esi+0F0h]
		inc	dword ptr [esi+0ECh]
		mov	[esi+0E8h], eax

loc_76A69F:				; CODE XREF: PfSnEndTrace+148j
					; PfSnEndTrace+16DE24j
		cmp	dword ptr [esi+4Ch], 1
		jz	loc_76A7AA

loc_76A6A9:				; CODE XREF: PfSnEndTrace+18Bj
		mov	edx, esi
		lea	ecx, [ebp+var_8]
		call	PfSnBuildDumpFromTrace
		mov	edi, eax

loc_76A6B5:				; CODE XREF: PfSnEndTrace+16DE2Ej
		mov	ebx, [ebp+var_8]
		mov	ecx, esi
		mov	[esi+138h], edi
		mov	[esi+134h], ebx
		call	_PfSnCleanupTrace@4 ; PfSnCleanupTrace(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		js	short loc_76A74B
		mov	ecx, offset unk_6D4320
		call	PfFbBufferListFlushStandby
		mov	esi, offset dword_6D4964
		mov	ecx, esi
		call	ExAcquireFastMutex
		cmp	dword_6D4988, 1
		jz	loc_8D8459
		mov	eax, dword_6D4960
		mov	esi, offset dword_6D495C
		cmp	[eax], esi
		jnz	loc_76A7BC
		mov	[ebx+4], eax
		mov	[ebx], esi
		mov	[eax], ebx
		mov	eax, dword_6D4984
		mov	dword_6D4960, ebx
		inc	eax

loc_76A71F:				; CODE XREF: PfSnEndTrace+17Fj
		mov	dword_6D4984, eax
		cmp	eax, dword_6D46EC
		ja	short loc_76A779

loc_76A72C:				; CODE XREF: PfSnEndTrace+15Aj
		mov	ecx, offset dword_6D4964
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, dword_6D498C
		test	eax, eax
		jz	short loc_76A749
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_76A749:				; CODE XREF: PfSnEndTrace+117j
		xor	edi, edi

loc_76A74B:				; CODE XREF: PfSnEndTrace+AFj
					; PfSnEndTrace+16DE42j
		mov	eax, large fs:124h
		mov	cl, [ebp+var_1]
		mov	[eax+15Ah], cl
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76A761:				; CODE XREF: PfSnEndTrace+58j
		push	0Ah
		pop	edi
		cmp	ecx, edi
		jg	loc_8D8434

loc_76A76C:				; CODE XREF: PfSnEndTrace+16DE16j
		cmp	edx, eax
		jz	loc_76A69F
		jmp	loc_8D8441
; 

loc_76A779:				; CODE XREF: PfSnEndTrace+104j
		mov	eax, dword_6D495C
		cmp	eax, esi
		jz	short loc_76A72C
		cmp	[eax+4], esi
		jnz	short loc_76A7BC
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_76A7BC
		push	0
		mov	dword_6D495C, ecx
		push	eax
		mov	[ecx+4], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, dword_6D4984
		dec	eax
		jmp	loc_76A71F
; 

loc_76A7AA:				; CODE XREF: PfSnEndTrace+7Dj
		cmp	dword ptr [esi+118h], 8
		jz	loc_76A6A9
		jmp	loc_8D844F
; 

loc_76A7BC:				; CODE XREF: PfSnEndTrace+E0j
					; PfSnEndTrace+15Fj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

PfSnAsyncPrefetchWorker:		; DATA XREF: PfSnAsyncContextInitialize(x,x,x,x)+67o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+8Ch+var_1C], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	6
		pop	ecx
		mov	ebx, [esi+78h]
		lea	edi, [esp+98h+var_34]
		push	48h		; size_t
		push	eax		; int
		rep stosd
		mov	[esp+0A0h+var_8C], eax
		mov	[esp+0A0h+var_84], eax
		mov	[esp+0A0h+var_88], eax
		lea	eax, [esp+0A0h+var_80]
		push	eax		; void *
		call	_memset
		mov	edi, [esi+88h]
		lea	eax, [esp+0A4h+var_74]
		add	esp, 0Ch
		mov	[esp+98h+var_70], eax
		mov	[esp+98h+var_74], eax
		mov	edx, offset _PfSnEvt_AsyncWorker_Start
		lea	eax, [esp+98h+var_6C]
		mov	[esp+98h+var_80], ebx
		mov	ecx, ebx
		mov	[esp+98h+var_68], eax
		mov	[esp+98h+var_6C], eax
		call	PfSnLogAsyncWorker
		test	byte ptr [esi+8Ch], 1
		jnz	loc_76AA17

loc_76A843:				; CODE XREF: PfSnEndTrace+404j
		mov	ecx, [esi+7Ch]
		lea	eax, [esp+98h+var_34]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		call	_MmGetDefaultPagePriority@0 ; MmGetDefaultPagePriority()
		lea	ecx, [eax-1]
		cmp	edi, ecx
		jbe	loc_76AA0A
		mov	[esp+98h+var_50], ecx
		mov	[esp+98h+var_4C], eax

loc_76A86A:				; CODE XREF: PfSnEndTrace+3ECj
		lea	ecx, [esp+98h+var_80]
		call	PfSnPreallocatePrefetchHeader
		test	eax, eax
		js	loc_76A979
		mov	ecx, [esp+98h+var_4C]
		lea	ecx, [ecx+1]
		call	_MmGetAvailablePagesBelowPriority@4 ; MmGetAvailablePagesBelowPriority(x)
		cmp	eax, 0F00h
		jb	loc_8D846D
		add	eax, 0FFFFF100h

loc_76A897:				; CODE XREF: PfSnEndTrace+16DE49j
		mov	[esp+98h+var_48], eax
		test	eax, eax
		jz	loc_76A979
		push	43536650h
		push	5Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+98h+var_7C], eax
		test	eax, eax
		jz	loc_76A979
		mov	ecx, eax	; void *
		call	_PfpPrefetchSharedInitialize@4 ; PfpPrefetchSharedInitialize(x)
		mov	eax, [esp+98h+var_7C]
		lea	ecx, [esp+98h+var_80]
		mov	[eax+10h], ecx
		mov	eax, [esp+98h+var_7C]
		mov	dword ptr [eax+20h], 0FAh
		mov	eax, [esp+98h+var_7C]
		mov	dword ptr [eax+1Ch], 0Fh
		mov	ecx, [esp+98h+var_7C]
		call	_PfpPrefetchSharedStart@4 ; PfpPrefetchSharedStart(x)
		test	eax, eax
		js	loc_76A979
		lea	edx, [esp+98h+var_8C]
		lea	ecx, [esp+98h+var_80]
		call	PfSnOpenVolumesForPrefetch
		test	eax, eax
		js	short loc_76A979
		cmp	dword ptr [ebx+50h], 1
		mov	eax, [esp+98h+var_8C]
		jz	loc_8D8474

loc_76A918:				; CODE XREF: PfSnEndTrace+16DE51j
		test	byte ptr dword_6D4850, 4
		mov	[esp+98h+var_8C], eax
		jnz	loc_8D8484
		test	al, 1
		jz	loc_8D847C
		mov	edi, [ebx+7Ch]

loc_76A934:				; CODE XREF: PfSnEndTrace+16DE59j
		xor	eax, eax
		mov	ecx, edi
		inc	eax
		shl	eax, cl
		sub	eax, 1
		jz	short loc_76A950
		push	eax
		lea	edx, [esp+9Ch+var_80]
		mov	ecx, esi
		call	_PfSnAsyncPrefetchStep@12 ; PfSnAsyncPrefetchStep(x,x,x)
		test	eax, eax
		js	short loc_76A979

loc_76A950:				; CODE XREF: PfSnEndTrace+318j
		mov	ecx, [esi+10h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	edx, offset _PfSnEvt_SyncPrefetchingDone_Info
		mov	[esp+98h+var_84], 1
		mov	ecx, ebx
		call	PfSnLogAsyncWorker
		mov	eax, [esp+98h+var_8C]

loc_76A970:				; CODE XREF: PfSnEndTrace+16DE63j
		cmp	edi, [ebx+7Ch]
		jb	loc_8D848E

loc_76A979:				; CODE XREF: PfSnEndTrace+24Fj
					; PfSnEndTrace+277j ...
		mov	eax, [esi+7Ch]
		xor	ecx, ecx
		add	eax, 3D8h
		xchg	ecx, [eax]
		mov	ecx, [esi+80h]
		test	ecx, ecx
		jz	short loc_76A9AE
		mov	eax, [esp+98h+var_44]
		mov	[ecx+148h], eax
		mov	ecx, [esp+98h+var_40]
		mov	eax, [esi+80h]
		and	[esp+98h+var_44], 0
		mov	[eax+14Ch], ecx

loc_76A9AE:				; CODE XREF: PfSnEndTrace+367j
		lea	ecx, [esp+98h+var_80]
		call	_PfSnCleanupPrefetchHeader@4 ; PfSnCleanupPrefetchHeader(x)
		lock dec dword_6D4990
		cmp	[esp+98h+var_88], 0
		jnz	short loc_76AA2F

loc_76A9C5:				; CODE XREF: PfSnEndTrace+413j
		xor	edx, edx
		lea	ecx, [esp+98h+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		cmp	[esp+98h+var_84], 0
		jz	loc_8D84CD

loc_76A9DB:				; CODE XREF: PfSnEndTrace+16DEBBj
		mov	edx, offset _PfSnEvt_AsyncWorker_Stop
		mov	ecx, ebx
		call	PfSnLogAsyncWorker
		mov	ecx, esi
		call	_PfSnAsyncContextCleanup@4 ; PfSnAsyncContextCleanup(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esp+98h+var_1C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_76AA0A:				; CODE XREF: PfSnEndTrace+236j
		mov	[esp+98h+var_50], edi
		mov	[esp+98h+var_4C], edi
		jmp	loc_76A86A
; 

loc_76AA17:				; CODE XREF: PfSnEndTrace+217j
		xor	edx, edx
		lea	ecx, [esi+18h]
		inc	edx
		call	_PfSnPowerBoost@8 ; PfSnPowerBoost(x,x)
		mov	[esp+98h+var_88], 1
		jmp	loc_76A843
; 

loc_76AA2F:				; CODE XREF: PfSnEndTrace+39Dj
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	_PfSnPowerBoost@8 ; PfSnPowerBoost(x,x)
		jmp	short loc_76A9C5
PfSnEndTrace	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnLogAsyncWorker proc	near		; CODE XREF: PfSnEndTrace+20Bp
					; PfSnEndTrace+341p ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D84E6 SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_58], ebx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_76AA80
		mov	ecx, dword_6D49E8
		mov	eax, ecx
		mov	edx, dword_6D49EC
		or	eax, edx
		jz	short loc_76AA80
		push	edi
		push	edx
		push	ecx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8D84E6

loc_76AA80:				; CODE XREF: PfSnLogAsyncWorker+20j
					; PfSnLogAsyncWorker+32j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PfSnLogAsyncWorker endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PfpSectInfoHandleFullBuffer(void *)
_PfpSectInfoHandleFullBuffer@4 proc near ; DATA	XREF: PfTInitialize+164o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	eax, [ecx+0Ch]
		mov	edi, [ecx+8]
		sub	eax, ecx
		mov	esi, [ecx+14h]
		sub	edi, ecx
		mov	ebx, [ecx+10h]
		push	38h		; size_t
		push	0		; int
		push	ecx		; void *
		mov	[ebp+var_4], eax
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		push	2Dh
		pop	eax
		mov	[ecx+8], ax
		lea	edx, [ecx+18h]
		push	0Dh
		pop	eax
		mov	[ecx+0Ah], ax
		lea	eax, [edi-8]
		mov	[ecx+10h], eax
		mov	dword ptr [ecx+0Ch], 43435341h
		mov	dword ptr [ecx+14h], 1
		mov	dword ptr [edx], 3
		mov	eax, dword_6D448C
		mov	[edx+4], eax
		mov	eax, dword_6D4494
		mov	[edx+8], eax
		mov	eax, ecx
		sub	eax, edx
		mov	[edx+10h], ebx
		add	eax, 38h
		mov	[edx+0Ch], eax
		mov	eax, [ebp+var_4]
		mov	[ecx+2Ch], eax
		mov	[ecx+30h], esi
		call	PfTTraceListAdd
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PfpSectInfoHandleFullBuffer@4 endp


;  S U B	R O U T	I N E 


; __stdcall PfpRepurposeNameLoggingTrace(x)
_PfpRepurposeNameLoggingTrace@4	proc near ; CODE XREF: PfTFreeTraceDump(x)+4j
		push	1
		push	dword ptr [ecx+30h]
		mov	edx, ecx
		push	dword ptr [ecx+2Ch]
		mov	ecx, offset unk_6D4320
		call	PfFbBufferListInsertInFree
		retn
_PfpRepurposeNameLoggingTrace@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpFlushEventBuffers proc near		; CODE XREF: PfpFlushBuffers+26p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D8533 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	ecx, offset unk_6D4380
		push	edi
		mov	[ebp+var_4], esi
		call	PfFbBufferListFlushStandby
		mov	ecx, offset unk_6D43D0
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_76AB74

loc_76AB6A:				; CODE XREF: PfpFlushEventBuffers+A3j
					; PfpFlushEventBuffers+16DA0Fj	...
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_76AB74:				; CODE XREF: PfpFlushEventBuffers+28j
					; PfpFlushEventBuffers+3Ej
		mov	eax, ecx
		mov	ecx, [ecx]
		mov	[eax], esi
		mov	esi, eax
		test	ecx, ecx
		jnz	short loc_76AB74

loc_76AB80:				; CODE XREF: PfpFlushEventBuffers+A5j
		mov	ebx, esi
		mov	ecx, esi
		mov	esi, [esi]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], esi
		cmp	dword ptr [ebx+10h], 0
		lea	edi, [ebx+18h]
		jz	short loc_76ABBF

loc_76AB95:				; CODE XREF: PfpFlushEventBuffers+77j
		mov	ecx, edi
		call	PfpCopyEvent
		mov	esi, eax
		mov	[ebp+var_4], esi
		test	esi, esi
		js	short loc_76ABB9
		mov	ecx, [edi]
		shr	ecx, 2
		and	ecx, 3FFh
		add	dword ptr [ebx+10h], 0FFFFFFFFh
		lea	edi, [edi+ecx*8]
		jnz	short loc_76AB95

loc_76ABB9:				; CODE XREF: PfpFlushEventBuffers+63j
		mov	esi, [ebp+var_8]
		mov	ecx, [ebp+var_C]

loc_76ABBF:				; CODE XREF: PfpFlushEventBuffers+53j
		cmp	[ebp+var_4], 0
		jl	loc_8D8533
		mov	eax, [ebx+14h]
		mov	edx, ebx
		push	1
		push	eax
		mov	eax, [ecx+0Ch]
		mov	ecx, offset unk_6D4380
		sub	eax, ebx
		push	eax
		call	PfFbBufferListInsertInFree
		test	esi, esi
		jz	short loc_76AB6A
		jmp	short loc_76AB80
PfpFlushEventBuffers endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpCopyEvent	proc near		; CODE XREF: PfpFlushEventBuffers+57p
					; PfpFlushBuffers+FCp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D8567 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], 0
		mov	[ebp+var_8], 0
		mov	esi, [edi]
		mov	eax, esi
		and	eax, 1F000h
		cmp	eax, 0A000h
		jnz	loc_76ACCE
		mov	ecx, [edi+10h]
		mov	eax, ecx
		and	eax, 7FFFFFFFh
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], 0
		cmp	eax, 0FFh
		jnb	loc_76AD09

loc_76AC42:				; CODE XREF: PfpCopyEvent+11Ej
		mov	esi, 2
		test	ecx, ecx
		js	short loc_76AC50
		mov	esi, 1002h

loc_76AC50:				; CODE XREF: PfpCopyEvent+59j
		mov	edx, [edi+18h]
		mov	ecx, edx
		movzx	eax, al
		shl	ecx, 8
		or	ecx, eax
		mov	eax, edx
		xor	eax, esi
		mov	[ebp+var_8], ecx
		mov	ecx, [edi+0Ch]
		and	eax, 0FFFFFFh
		xor	eax, edx
		lea	edx, [edi+0Ch]
		mov	[ebp+var_C], eax
		xor	eax, eax
		shld	eax, ecx, 0Ch
		push	1
		shl	ecx, 0Ch
		or	ecx, 1
		mov	[ebp+var_14], eax
		push	edx
		lea	eax, [ebp+var_C]
		mov	[ebp+var_18], ecx
		mov	ecx, [edi+14h]
		lea	edx, [ebp+var_18]
		push	eax
		call	PfpLogPageAccess
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8D8567
		mov	edx, dword_6D42B8
		movzx	ecx, word ptr [ecx+6]
		movzx	eax, word ptr [edx+1Ch]
		sub	ecx, eax
		lea	eax, [edx+23h]
		and	eax, 0FFFFFFFCh
		lea	ecx, [ecx+ecx*4]
		test	byte ptr [eax+ecx*4+4],	4
		lea	esi, [eax+ecx*4]
		jnz	short loc_76AD13

loc_76ACC5:				; CODE XREF: PfpCopyEvent+117j
					; PfpCopyEvent+132j
		xor	eax, eax

loc_76ACC7:				; CODE XREF: PfpCopyEvent+16D97Cj
					; PfpCopyEvent+16D986j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_76ACCE:				; CODE XREF: PfpCopyEvent+29j
		shr	esi, 2
		lea	edx, [ebp+var_8]
		and	esi, 3FFh
		mov	ecx, offset unk_6D4290
		push	esi
		call	PfTAcquireLogEntry
		test	eax, eax
		jz	loc_8D8571
		lea	ecx, [eax+13h]
		shl	esi, 3
		mov	eax, [ebp+var_8]
		and	ecx, 0FFFFFFFCh
		push	esi		; size_t
		push	edi		; void *
		lea	eax, [ecx+eax*8]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_76ACC5
; 

loc_76AD09:				; CODE XREF: PfpCopyEvent+4Cj
		mov	eax, 0FFh
		jmp	loc_76AC42
; 

loc_76AD13:				; CODE XREF: PfpCopyEvent+D3j
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, [edi+1Ch]
		push	eax
		call	PsLookupProcessByProcessId
		test	eax, eax
		js	short loc_76ACC5
		mov	ebx, [ebp+var_4]
		mov	eax, [ebx+104h]
		xor	eax, [ebx+0E4h]
		mov	ecx, [ebx+100h]
		xor	eax, ecx
		shr	ecx, 3
		and	eax, 1FFFFFFFh
		and	ecx, 1C000000h
		xor	eax, ecx
		cmp	eax, [edi+14h]
		jnz	short loc_76AD65
		mov	ecx, ebx
		call	_PfpIsProcessInfoPresent@4 ; PfpIsProcessInfoPresent(x)
		test	eax, eax
		jz	short loc_76AD65
		mov	edx, ebx
		lea	ecx, [esi+4]
		call	_PfpFillProcessInfo@8 ;	PfpFillProcessInfo(x,x)

loc_76AD65:				; CODE XREF: PfpCopyEvent+15Ej
					; PfpCopyEvent+169j
		mov	edx, 746C6644h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
PfpCopyEvent	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpFlushBuffers	proc near		; CODE XREF: PfTLoggingWorker:loc_890F3Ap
					; PfTLoggingWorker:loc_890F82p	...

var_60		= dword	ptr -60h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D857B SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_3C], 1
		push	edi
		mov	[ebp+var_40], esi
		xor	edi, edi
		mov	[ebp+var_2C], esi
		call	PfpFlushEventBuffers
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_76B08D
		mov	ecx, offset unk_6FB620
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		test	eax, eax
		jz	loc_76AFC8

loc_76ADC8:				; CODE XREF: PfpFlushBuffers+57j
		mov	ecx, eax
		mov	ebx, esi
		mov	eax, [eax]
		mov	[ebp+var_38], ebx
		mov	[ecx], esi
		mov	esi, ecx
		test	eax, eax
		jnz	short loc_76ADC8
		lea	esp, [esp+0]

loc_76ADE0:				; CODE XREF: PfpFlushBuffers+20Cj
		mov	edx, esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_28], edx
		mov	esi, ebx
		mov	ecx, [edx+10h]
		mov	eax, [edx+14h]
		mov	edx, 0FFDF0004h
		mov	edx, [edx]
		mov	[ebp+var_1C], edx
		mul	edx
		mov	ebx, edx
		shld	ebx, eax, 8
		shl	eax, 8
		mov	[ebp+var_18], eax
		mov	eax, ecx
		mul	[ebp+var_1C]
		mov	ecx, [ebp+var_18]
		shrd	eax, edx, 18h
		shr	edx, 18h
		add	ecx, eax
		mov	eax, dword_6D486C
		adc	ebx, edx
		mov	[ebp+var_24], eax
		shrd	ecx, ebx, 0Ah
		add	ecx, eax
		mov	eax, [ebp+var_28]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_C], ecx
		mov	ecx, [eax+18h]
		mov	eax, [eax+1Ch]
		mul	[ebp+var_1C]
		mov	ebx, edx
		shld	ebx, eax, 8
		shl	eax, 8
		mov	[ebp+var_30], eax
		mov	eax, ecx
		mul	[ebp+var_1C]
		mov	ecx, [ebp+var_30]
		shrd	eax, edx, 18h
		shr	edx, 18h
		add	ecx, eax
		mov	eax, [ebp+var_18]
		adc	ebx, edx
		mov	[ebp+var_10], eax
		shrd	ecx, ebx, 0Ah
		xor	eax, eax
		add	ecx, [ebp+var_24]
		and	eax, 0FFFE800Bh
		mov	[ebp+var_8], ecx
		or	eax, 2800Bh
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_14], eax
		call	PfpCopyEvent
		mov	ebx, [ebp+var_28]
		mov	eax, [ebx+4]
		cmp	eax, 1
		jg	loc_76AFE6
		mov	eax, [ebx+8]
		lea	ecx, [ebp+var_48]
		mov	[ebp+var_48], 17007h
		mov	[ebp+var_44], eax
		call	PfpCopyEvent
		mov	ecx, [ebp+var_34]
		mov	eax, [ecx+4]
		cmp	eax, 1
		jg	loc_76AFE6
		mov	ecx, [ebx+2Ch]
		mov	eax, [ebx+28h]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], ecx
		cmp	ecx, 1
		jz	loc_76B049
		test	ecx, ecx
		jz	short loc_76AEEF
		cmp	dword ptr [ecx+0E4h], 0
		jz	loc_76AF76
		mov	eax, [ecx+100h]
		or	eax, [ecx+104h]
		jz	loc_76AF76
		mov	eax, [ebp+var_1C]

loc_76AEEF:				; CODE XREF: PfpFlushBuffers+14Bj
					; PfpFlushBuffers+2D0j
		lea	edx, [ebx+38h]
		mov	edi, edx
		mov	[ebp+var_2C], edx
		cmp	edx, [ebx+20h]
		jnb	short loc_76AF20
		lea	esp, [esp+0]

loc_76AF00:				; CODE XREF: PfpFlushBuffers+19Ej
		push	0
		push	eax
		lea	eax, [ebp+var_40]
		mov	edx, edi
		push	eax
		call	PfpLogPageAccess
		test	eax, eax
		jz	short loc_76AF91
		mov	ecx, [ebp+var_18]
		add	edi, 8
		mov	eax, [ebp+var_1C]
		cmp	edi, [ebx+20h]
		jb	short loc_76AF00

loc_76AF20:				; CODE XREF: PfpFlushBuffers+17Aj
					; PfpFlushBuffers+26Fj	...
		cmp	[ebp+var_20], 0
		jl	short loc_76AF98

loc_76AF26:				; CODE XREF: PfpFlushBuffers+2C4j
		mov	eax, [ebp+var_28]
		mov	ecx, 0FFDF0004h
		mov	ebx, [ebx+18h]
		mov	[ebp+var_50], 24007h
		mov	eax, [eax+1Ch]
		mov	ecx, [ecx]
		mul	ecx
		shld	edx, eax, 8
		shl	eax, 8
		mov	[ebp+var_24], eax
		mov	eax, ebx
		mov	[ebp+var_30], edx
		mul	ecx
		mov	ecx, [ebp+var_24]
		shrd	eax, edx, 18h
		shr	edx, 18h
		add	ecx, eax
		mov	eax, [ebp+var_30]
		adc	eax, edx
		shrd	ecx, eax, 0Ah
		add	ecx, dword_6D486C
		mov	[ebp+var_4C], ecx
		lea	ecx, [ebp+var_50]
		call	PfpCopyEvent

loc_76AF76:				; CODE XREF: PfpFlushBuffers+154j
					; PfpFlushBuffers+166j
		mov	ecx, [ebp+var_34]
		xor	dl, dl
		call	_MmFreeAccessPfnBuffer@8 ; MmFreeAccessPfnBuffer(x,x)
		test	esi, esi
		jz	short loc_76AFC8
		mov	ebx, [ebp+var_38]
		mov	ebx, [ebx]
		mov	[ebp+var_38], ebx
		jmp	loc_76ADE0
; 

loc_76AF91:				; CODE XREF: PfpFlushBuffers+190j
		mov	[ebp+var_20], 0C0000188h

loc_76AF98:				; CODE XREF: PfpFlushBuffers+1A4j
		cmp	dword ptr [ebx+4], 1
		jg	short loc_76AFC1
		mov	eax, [ebx+20h]
		sub	eax, edi
		and	eax, 0FFFFFFF8h
		push	eax		; size_t
		push	edi		; void *
		push	[ebp+var_2C]	; void *
		call	_memmove
		sub	edi, [ebp+var_2C]
		add	esp, 0Ch
		sar	edi, 3
		neg	edi
		shl	edi, 3
		add	[ebx+20h], edi

loc_76AFC1:				; CODE XREF: PfpFlushBuffers+21Cj
		mov	ecx, ebx
		call	PfpReturnAccessBuffer

loc_76AFC8:				; CODE XREF: PfpFlushBuffers+42j
					; PfpFlushBuffers+202j
		mov	eax, [ebp+var_20]
		test	eax, eax
		js	loc_76B07B
		mov	al, 1

loc_76AFD5:				; CODE XREF: PfpFlushBuffers+30Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_76AFE6:				; CODE XREF: PfpFlushBuffers+10Aj
					; PfpFlushBuffers+12Ej
		mov	eax, [ebx+20h]
		mov	[ebp+var_18], eax
		cmp	eax, [ebx+24h]
		ja	loc_76AF20

loc_76AFF5:				; CODE XREF: PfpFlushBuffers+2C2j
		mov	edx, dword_6D42A0
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		mov	eax, [edx+8]
		inc	eax
		cmp	eax, [edx+0Ch]
		ja	short loc_76B055

loc_76B009:				; CODE XREF: PfpFlushBuffers+2F7j
		mov	ecx, [edx+8]
		lea	eax, [ecx+1]
		mov	[edx+8], eax
		lea	eax, [edx+13h]
		and	eax, 0FFFFFFFCh
		lea	ecx, [eax+ecx*8]
		mov	eax, [ecx]
		and	eax, 0FFFC6007h
		or	eax, 6007h
		mov	[ecx], eax
		mov	eax, [ebp+var_24]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_18]
		add	eax, 4
		mov	[ebp+var_20], 0
		mov	[ebp+var_18], eax
		cmp	eax, [ebx+24h]
		jbe	short loc_76AFF5
		jmp	loc_76AF26
; 

loc_76B049:				; CODE XREF: PfpFlushBuffers+143j
		mov	ecx, [ebx+30h]
		inc	ecx
		mov	[ebp+var_18], ecx
		jmp	loc_76AEEF
; 

loc_76B055:				; CODE XREF: PfpFlushBuffers+287j
					; PfpFlushBuffers+2F9j
		mov	ecx, offset unk_6D4290
		call	PfTReplaceCurrentBuffer
		cmp	eax, 0C0000001h
		jz	loc_8D857B
		mov	edx, dword_6D42A0
		mov	eax, [edx+8]
		inc	eax
		cmp	eax, [edx+0Ch]
		jbe	short loc_76B009
		jmp	short loc_76B055
; 

loc_76B07B:				; CODE XREF: PfpFlushBuffers+24Dj
		test	esi, esi
		jz	short loc_76B08D
		nop

loc_76B080:				; CODE XREF: PfpFlushBuffers+30Bj
		mov	ecx, esi
		mov	esi, [esi]
		call	PfpReturnAccessBuffer
		test	esi, esi
		jnz	short loc_76B080

loc_76B08D:				; CODE XREF: PfpFlushBuffers+30j
					; PfpFlushBuffers+2FDj
		xor	al, al
		jmp	loc_76AFD5
PfpFlushBuffers	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpLogPageAccess proc near		; CODE XREF: PfpCopyEvent+A3p
					; PfpFlushBuffers+189p

var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D858D SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, edx
		mov	[ebp+var_24], 0
		push	ebx
		mov	[ebp+var_30], eax
		push	esi
		mov	eax, [eax]
		mov	esi, ecx
		mov	[ebp+var_1C], 0FFFFh
		push	edi
		and	eax, 1FFh
		jz	short loc_76B13C
		mov	ecx, [ebp+arg_4]
		shl	eax, 2
		sub	ecx, eax
		mov	[ebp+var_4], 0
		mov	byte ptr [ebp+arg_4+3],	0
		mov	eax, [ecx]
		mov	[ebp+var_28], eax
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_20], eax
		mov	[ebp+var_18], eax
		lea	ebx, [ebx+0]

loc_76B0F0:				; CODE XREF: PfpLogPageAccess+54Fj
		mov	edi, dword_6D42B8
		mov	edx, [edi+8]
		lea	ebx, [edi+23h]
		and	ebx, 0FFFFFFFCh
		lea	ecx, [edx+edx*4]
		cmp	[ebx+ecx*4], eax
		jnz	loc_76B343
		movzx	ecx, dx

loc_76B10E:				; CODE XREF: PfpLogPageAccess+2E5j
					; PfpLogPageAccess+3B4j
		mov	edx, 0FFFFh
		cmp	cx, dx
		jz	loc_76B503
		mov	dl, byte ptr [ebp+arg_4+3]

loc_76B11F:				; CODE XREF: PfpLogPageAccess+491j
		test	edi, edi
		jz	loc_76B5F5
		mov	ax, [edi+1Ch]
		add	ax, cx
		movzx	eax, ax
		mov	[ebp+var_1C], eax
		test	dl, dl
		jnz	loc_76B4BF

loc_76B13C:				; CODE XREF: PfpLogPageAccess+27j
					; PfpLogPageAccess+455j
		test	esi, esi
		jns	loc_76B2F1
		cmp	[ebp+arg_8], 0
		jnz	loc_76B310
		mov	eax, [esi+104h]
		xor	eax, [esi+0E4h]
		mov	ecx, [esi+100h]
		xor	eax, ecx
		shr	ecx, 3
		and	eax, 1FFFFFFFh
		and	ecx, 1C000000h
		xor	eax, ecx

loc_76B172:				; CODE XREF: PfpLogPageAccess+272j
		and	eax, 0FFFFFFFDh
		mov	[ebp+var_8], 0
		or	eax, 1
		mov	byte ptr [ebp+arg_4+3],	0
		mov	ecx, eax
		mov	[ebp+var_2C], eax
		and	ecx, 3
		mov	[ebp+var_20], eax
		lea	ecx, ds:8[ecx*4]
		mov	[ebp+var_4], ecx
		jmp	short loc_76B1A0
; 
		align 10h

loc_76B1A0:				; CODE XREF: PfpLogPageAccess+F8j
					; PfpLogPageAccess+573j
		mov	edi, dword_6D42B8
		mov	edx, [edi+ecx]
		lea	ebx, [edi+23h]
		and	ebx, 0FFFFFFFCh
		lea	ecx, [edx+edx*4]
		cmp	[ebx+ecx*4], eax
		jnz	loc_76B3A1

loc_76B1BB:				; CODE XREF: PfpLogPageAccess+347j
		movzx	ecx, dx
		mov	edx, 0FFFFh
		cmp	cx, dx
		jz	loc_76B591
		mov	dl, byte ptr [ebp+arg_4+3]

loc_76B1CF:				; CODE XREF: PfpLogPageAccess+51Bj
		test	edi, edi
		jz	loc_76B5F5
		mov	ax, [edi+1Ch]
		add	ax, cx
		mov	[ebp+arg_4], 2
		movzx	edi, ax
		movzx	eax, cx
		mov	[ebp+var_18], edi
		lea	ecx, ds:1[eax*4]
		add	ecx, eax
		lea	ecx, [ebx+ecx*4]
		test	dl, dl
		jnz	loc_76B570
		test	byte ptr [ecx],	4
		jnz	loc_76B570

loc_76B20B:				; CODE XREF: PfpLogPageAccess+26Bj
					; PfpLogPageAccess+2FCj ...
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		mov	edx, dword_6D42A0
		mov	eax, [esi]
		mov	[ebp+arg_8], eax
		and	al, 3
		cmp	al, 2
		mov	eax, [edx+8]
		setz	bl
		inc	ebx
		add	eax, ebx
		cmp	eax, [edx+0Ch]
		ja	loc_76B541

loc_76B231:				; CODE XREF: PfpLogPageAccess+4CBj
		mov	ecx, [edx+8]
		lea	eax, [ebx+ecx]
		mov	[edx+8], eax
		lea	eax, [edx+13h]
		and	eax, 0FFFFFFFCh
		lea	edi, [eax+ecx*8]
		mov	eax, [ebp+arg_8]
		and	al, 3
		cmp	al, 2
		jz	loc_76B317

loc_76B250:				; CODE XREF: PfpLogPageAccess+28Dj
		mov	ebx, [ebp+var_30]
		mov	edx, [edi]
		test	dword ptr [ebx], 1FFh
		jz	short loc_76B2AA
		and	edx, 0FFFFFFFCh
		mov	[edi], edx
		mov	eax, [ebx]
		shr	eax, 7
		xor	eax, edx
		and	eax, 4
		xor	eax, edx
		mov	[edi], eax
		mov	esi, [ebx]
		shr	esi, 7
		xor	esi, eax
		and	esi, 8
		xor	esi, eax
		mov	eax, [ebp+var_18]
		mov	[edi], esi
		and	esi, 0Fh
		mov	edx, [ebx]
		mov	ecx, [ebx+4]
		shrd	edx, ecx, 0Ch
		mov	[edi+6], ax
		mov	eax, [ebp+var_1C]
		shl	edx, 4
		or	edx, esi
		mov	[edi+4], ax
		mov	[edi], edx
		mov	eax, edi

loc_76B2A1:				; CODE XREF: PfpLogPageAccess+557j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_76B2AA:				; CODE XREF: PfpLogPageAccess+1BBj
		and	edx, 0FFFFFFFDh
		or	edx, 1
		mov	[edi], edx
		and	edx, 0FFFFFFE3h
		mov	ecx, [ebx]
		shr	ecx, 7
		and	ecx, 4
		or	ecx, edx
		mov	edx, [ebp+arg_4]
		lea	eax, ds:0[edx*8]
		or	ecx, eax
		mov	[edi], ecx
		mov	eax, [ebx]
		xor	eax, ecx
		and	eax, 0FFFh
		xor	eax, [ebx]
		mov	[edi], eax
		cmp	edx, 2
		jnz	short loc_76B332
		mov	eax, [ebp+var_18]
		mov	[edi+6], ax
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_76B2F1:				; CODE XREF: PfpLogPageAccess+9Ej
		cmp	[ebp+arg_8], 0
		jnz	short loc_76B310
		mov	[ebp+var_18], 0FFFFh
		test	esi, esi
		jnz	loc_76B38A
		xor	eax, eax
		mov	[ebp+arg_4], eax
		jmp	loc_76B20B
; 

loc_76B310:				; CODE XREF: PfpLogPageAccess+A8j
					; PfpLogPageAccess+255j
		mov	eax, esi
		jmp	loc_76B172
; 

loc_76B317:				; CODE XREF: PfpLogPageAccess+1AAj
		mov	ecx, [esi]
		mov	eax, [esi+4]
		and	ecx, 0FFFFF00Bh
		or	ecx, 8
		mov	[edi+4], eax
		mov	[edi], ecx
		add	edi, 8
		jmp	loc_76B250
; 

loc_76B332:				; CODE XREF: PfpLogPageAccess+23Dj
		mov	eax, [ebp+var_24]
		mov	[edi+4], eax
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_76B343:				; CODE XREF: PfpLogPageAccess+65j
		movzx	ecx, al
		add	ecx, offset unk_B15DCB
		imul	edx, ecx, 25h
		movzx	ecx, ah
		add	edx, ecx
		movzx	ecx, byte ptr [ebp+var_18+2]
		imul	edx, 25h
		add	edx, ecx
		movzx	ecx, byte ptr [ebp+var_18+3]
		imul	edx, 25h
		add	edx, ecx
		mov	ecx, [edi+18h]
		mov	[ebp+var_10], ecx
		dec	ecx
		and	ecx, edx
		mov	[ebp+var_8], ecx
		mov	edx, [ebp+var_8]
		lea	ecx, [ecx+ecx*4]
		mov	ecx, [ebx+ecx*4]
		cmp	ecx, eax
		jnz	short loc_76B3EC
		mov	[edi+8], edx
		movzx	ecx, dx
		jmp	loc_76B10E
; 

loc_76B38A:				; CODE XREF: PfpLogPageAccess+260j
		mov	eax, esi
		mov	[ebp+arg_4], 1
		and	eax, 7FFFFFFFh
		dec	eax
		mov	[ebp+var_24], eax
		jmp	loc_76B20B
; 

loc_76B3A1:				; CODE XREF: PfpLogPageAccess+115j
		movzx	ecx, al
		add	ecx, offset unk_B15DCB
		imul	edx, ecx, 25h
		movzx	ecx, ah
		add	edx, ecx
		movzx	ecx, byte ptr [ebp+var_20+2]
		imul	edx, 25h
		add	edx, ecx
		movzx	ecx, byte ptr [ebp+var_20+3]
		imul	edx, 25h
		add	edx, ecx
		mov	ecx, [edi+18h]
		mov	[ebp+var_10], ecx
		dec	ecx
		and	ecx, edx
		mov	[ebp+var_C], ecx
		lea	ecx, [ecx+ecx*4]
		mov	ecx, [ebx+ecx*4]
		cmp	ecx, eax
		jnz	loc_76B459
		mov	edx, [ebp+var_C]

loc_76B3E1:				; CODE XREF: PfpLogPageAccess+3EAj
		mov	ecx, [ebp+var_4]
		mov	[edi+ecx], edx
		jmp	loc_76B1BB
; 

loc_76B3EC:				; CODE XREF: PfpLogPageAccess+2DDj
		test	ecx, ecx
		jz	loc_76B4FA
		lea	ecx, [edx+1]
		mov	[ebp+var_14], 0
		mov	[ebp+var_1C], ecx

loc_76B401:				; CODE XREF: PfpLogPageAccess+3A7j
		cmp	ecx, [ebp+var_10]
		jnb	short loc_76B438
		lea	ecx, [ecx+ecx*4]
		lea	ecx, [ebx+ecx*4]
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+var_1C]

loc_76B412:				; CODE XREF: PfpLogPageAccess+396j
		mov	eax, [ebp+var_C]
		mov	edx, [eax]
		mov	eax, [ebp+var_20]
		cmp	edx, eax
		mov	[ebp+var_1C], edx
		mov	edx, [ebp+var_8]
		jz	short loc_76B44E
		cmp	[ebp+var_1C], 0
		jz	loc_76B536
		add	[ebp+var_C], 14h
		inc	ecx
		cmp	ecx, [ebp+var_10]
		jb	short loc_76B412

loc_76B438:				; CODE XREF: PfpLogPageAccess+364j
		inc	[ebp+var_14]
		xor	ecx, ecx
		cmp	[ebp+var_14], 2
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_10], edx
		jb	short loc_76B401
		jmp	loc_8D858D
; 

loc_76B44E:				; CODE XREF: PfpLogPageAccess+382j
		mov	[edi+8], ecx
		movzx	ecx, cx
		jmp	loc_76B10E
; 

loc_76B459:				; CODE XREF: PfpLogPageAccess+338j
		test	ecx, ecx
		jz	loc_76B582
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_18], 0
		lea	edx, [ecx+1]
		mov	[ebp+var_14], edx

loc_76B471:				; CODE XREF: PfpLogPageAccess+418j
		cmp	edx, [ebp+var_10]
		jnb	short loc_76B4A9
		lea	ecx, [edx+edx*4]
		lea	ecx, [ebx+ecx*4]
		lea	esp, [esp+0]

loc_76B480:				; CODE XREF: PfpLogPageAccess+404j
		mov	edx, [ecx]
		cmp	edx, eax
		mov	[ebp+var_28], edx
		mov	edx, [ebp+var_14]
		jz	loc_76B3E1
		cmp	[ebp+var_28], 0
		jz	loc_76B5C0
		inc	edx
		add	ecx, 14h
		mov	[ebp+var_14], edx
		cmp	edx, [ebp+var_10]
		jb	short loc_76B480
		mov	ecx, [ebp+var_C]

loc_76B4A9:				; CODE XREF: PfpLogPageAccess+3D4j
		inc	[ebp+var_18]
		xor	edx, edx
		cmp	[ebp+var_18], 2
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		jb	short loc_76B471
		jmp	loc_8D8599
; 

loc_76B4BF:				; CODE XREF: PfpLogPageAccess+96j
		mov	edi, [ebp+var_28]
		movzx	eax, cx
		lea	eax, [eax+eax*4]
		mov	ecx, [ebx+eax*4+4]
		lea	edx, [ebx+eax*4]
		mov	eax, edi
		and	ecx, 8
		shl	eax, 4
		or	ecx, eax
		shr	edi, 1Ch
		mov	ax, [edx+8]
		or	ecx, 4
		mov	[edx+4], ecx
		mov	ecx, 0FFF0h
		and	ax, cx
		or	di, ax
		mov	[edx+8], di
		jmp	loc_76B13C
; 

loc_76B4FA:				; CODE XREF: PfpLogPageAccess+34Ej
		mov	[edi+8], edx
		movzx	edx, dx
		mov	[ebp+var_4], edx

loc_76B503:				; CODE XREF: PfpLogPageAccess+76j
					; PfpLogPageAccess+49Fj ...
		mov	ecx, [edi+18h]
		mov	edx, [edi+14h]
		shr	ecx, 2
		lea	ecx, [ecx+ecx*2]
		cmp	edx, ecx
		jnb	loc_76B5DD
		lea	ecx, [edx+1]
		mov	dl, 1
		mov	[edi+14h], ecx
		mov	ecx, [ebp+var_4]
		movzx	ecx, cx
		lea	ecx, [ecx+ecx*4]
		mov	[ebx+ecx*4], eax
		mov	eax, [ebp+var_4]
		movzx	ecx, ax
		jmp	loc_76B11F
; 

loc_76B536:				; CODE XREF: PfpLogPageAccess+388j
		movzx	edx, cx
		mov	[edi+8], ecx
		mov	[ebp+var_4], edx
		jmp	short loc_76B503
; 

loc_76B541:				; CODE XREF: PfpLogPageAccess+18Bj
					; PfpLogPageAccess+4C4j
		mov	ecx, offset unk_6D4290
		call	PfTReplaceCurrentBuffer
		cmp	eax, 0C0000001h
		jz	loc_76B5F5
		mov	edx, dword_6D42A0
		mov	eax, [edx+8]
		add	eax, ebx
		cmp	eax, [edx+0Ch]
		ja	short loc_76B541
		mov	eax, [esi]
		mov	[ebp+arg_8], eax
		jmp	loc_76B231
; 

loc_76B570:				; CODE XREF: PfpLogPageAccess+15Cj
					; PfpLogPageAccess+165j
		cmp	[ebp+arg_8], 0
		jnz	short loc_76B5CE
		mov	edx, esi
		call	_PfpFillProcessInfo@8 ;	PfpFillProcessInfo(x,x)
		jmp	loc_76B20B
; 

loc_76B582:				; CODE XREF: PfpLogPageAccess+3BBj
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_C]
		mov	[edi+ecx], edx
		movzx	edx, dx
		mov	[ebp+var_8], edx

loc_76B591:				; CODE XREF: PfpLogPageAccess+126j
					; PfpLogPageAccess+52Cj ...
		mov	ecx, [edi+18h]
		mov	edx, [edi+14h]
		shr	ecx, 2
		lea	ecx, [ecx+ecx*2]
		cmp	edx, ecx
		jnb	short loc_76B5FC
		lea	ecx, [edx+1]
		mov	dl, 1
		mov	[edi+14h], ecx
		mov	ecx, [ebp+var_8]
		movzx	ecx, cx
		lea	ecx, [ecx+ecx*4]
		mov	[ebx+ecx*4], eax
		mov	eax, [ebp+var_8]
		movzx	ecx, ax
		jmp	loc_76B1CF
; 

loc_76B5C0:				; CODE XREF: PfpLogPageAccess+3F4j
		mov	ecx, [ebp+var_4]
		mov	[edi+ecx], edx
		movzx	edx, dx
		mov	[ebp+var_8], edx
		jmp	short loc_76B591
; 

loc_76B5CE:				; CODE XREF: PfpLogPageAccess+4D4j
		mov	eax, [ecx]
		and	eax, 0FFFFFFFDh
		or	eax, 5
		mov	[ecx], eax
		jmp	loc_76B20B
; 

loc_76B5DD:				; CODE XREF: PfpLogPageAccess+471j
		mov	ecx, offset unk_6D42A8
		call	PfTReplaceCurrentBuffer
		cmp	eax, 0C0000001h
		mov	eax, [ebp+var_20]
		jnz	loc_76B0F0

loc_76B5F5:				; CODE XREF: PfpLogPageAccess+81j
					; PfpLogPageAccess+131j ...
		xor	eax, eax
		jmp	loc_76B2A1
; 

loc_76B5FC:				; CODE XREF: PfpLogPageAccess+4FFj
		mov	ecx, offset unk_6D42A8
		call	PfTReplaceCurrentBuffer
		mov	ecx, [ebp+var_4]
		cmp	eax, 0C0000001h
		mov	eax, [ebp+var_2C]
		jz	short loc_76B5F5
		jmp	loc_76B1A0
PfpLogPageAccess endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfTAcquireLogEntry proc	near		; CODE XREF: PfpCopyEvent+F0p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D85A5 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [ebx+10h]
		mov	esi, [eax+8]
		add	esi, edi
		cmp	esi, [eax+0Ch]
		ja	short loc_76B655

loc_76B63E:				; CODE XREF: PfTAcquireLogEntry+52j
		mov	edx, [eax+8]
		lea	ecx, [edx+edi]
		mov	[eax+8], ecx
		mov	ecx, [ebp+var_4]
		mov	[ecx], edx

loc_76B64C:				; CODE XREF: PfTAcquireLogEntry+16CF90j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_76B655:				; CODE XREF: PfTAcquireLogEntry+1Cj
					; PfTAcquireLogEntry+54j
		mov	ecx, ebx
		call	PfTReplaceCurrentBuffer
		cmp	eax, 0C0000001h
		jz	loc_8D85A5
		mov	eax, [ebx+10h]
		mov	ecx, [eax+8]
		add	ecx, edi
		cmp	ecx, [eax+0Ch]
		jbe	short loc_76B63E
		jmp	short loc_76B655
PfTAcquireLogEntry endp


;  S U B	R O U T	I N E 


PfTReplaceCurrentBuffer	proc near	; CODE XREF: PfpFlushBuffers+2DAp
					; PfpLogPageAccess+4A6p ...

; FUNCTION CHUNK AT 008D85B5 SIZE 00000012 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		call	_PfTGetFreeBuffer@4 ; PfTGetFreeBuffer(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_76B6E7
		mov	edx, [edi]
		and	dl, 0Fh
		cmp	dl, 1
		jz	short loc_76B6C4

loc_76B691:				; CODE XREF: PfTReplaceCurrentBuffer+6Aj
					; PfTReplaceCurrentBuffer+16CF4Cj
		lea	eax, [edi+10h]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_76B6EE
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[ecx+4], esi
		mov	[eax], esi
		xor	esi, esi
		mov	ax, [edi+0Ah]
		cmp	ax, [edi+8]
		jbe	short loc_76B6B6

loc_76B6B1:				; CODE XREF: PfTReplaceCurrentBuffer+4Cj
					; PfTReplaceCurrentBuffer+76j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_76B6B6:				; CODE XREF: PfTReplaceCurrentBuffer+39j
		push	esi
		push	esi
		push	offset unk_6D42C4
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_76B6B1
; 

loc_76B6C4:				; CODE XREF: PfTReplaceCurrentBuffer+19j
		mov	eax, [edi+10h]
		mov	edx, 0FFFFh
		mov	ax, [eax+1Ch]
		add	ax, [esi+18h]
		mov	[esi+1Ch], ax
		movzx	eax, ax
		sub	edx, eax
		cmp	edx, [esi+18h]
		jnb	short loc_76B691
		jmp	loc_8D85B5
; 

loc_76B6E7:				; CODE XREF: PfTReplaceCurrentBuffer+Fj
		mov	esi, 0C0000001h
		jmp	short loc_76B6B1
; 

loc_76B6EE:				; CODE XREF: PfTReplaceCurrentBuffer+23j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PfTReplaceCurrentBuffer	endp


;  S U B	R O U T	I N E 


; __stdcall PfTGetFreeBuffer(x)
_PfTGetFreeBuffer@4 proc near		; CODE XREF: PfTReplaceCurrentBuffer+6p
					; PfTAllocateBuffers+6Cp
		mov	edx, [ecx+0Ch]
		xor	eax, eax
		test	edx, edx
		jz	short locret_76B70D
		mov	eax, [edx]
		mov	[ecx+0Ch], eax
		mov	eax, edx
		mov	edx, 0FFFFh
		add	[ecx+0Ah], dx

locret_76B70D:				; CODE XREF: PfTGetFreeBuffer(x)+7j
		retn
_PfTGetFreeBuffer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfTGenerateTrace()
_PfTGenerateTrace@0 proc near		; CODE XREF: PfTLoggingWorker+12Cp
					; PfTLoggingWorker:loc_890FC0p	...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	ecx, [ebp+var_4]
		push	esi
		call	PfTCreateTraceDump
		mov	esi, eax
		test	esi, esi
		js	short loc_76B747
		inc	dword_6D44A0
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	ecx, [ebp+var_4]
		mov	dword_6D42F8, eax
		mov	dword_6D42FC, edx
		call	PfTTraceListAdd

loc_76B747:				; CODE XREF: PfTGenerateTrace()+17j
		mov	eax, esi
		pop	esi
		leave
		retn
_PfTGenerateTrace@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfTCreateTraceDump proc	near		; CODE XREF: PfTGenerateTrace()+Ep

var_8C		= dword	ptr -8Ch
var_78		= dword	ptr -78h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D85C7 SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		push	ebx
		push	esi
		push	edi
		push	38h		; size_t
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_54], ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, dword_6D42BC
		xor	edx, edx
		mov	[ebp+var_3C], eax
		add	esp, 0Ch
		mov	eax, dword_6D42B8
		xor	esi, esi
		xor	ecx, ecx
		mov	[ebp+var_8], edx
		cmp	eax, offset dword_6D42B8
		jz	short loc_76B79D

loc_76B791:				; CODE XREF: PfTCreateTraceDump+4Bj
		add	ecx, [eax+18h]
		mov	eax, [eax]
		cmp	eax, offset dword_6D42B8
		jnz	short loc_76B791

loc_76B79D:				; CODE XREF: PfTCreateTraceDump+3Fj
		push	74546650h
		lea	edi, [ecx+ecx]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_8D85C7
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, dword_6D42BC
		add	esp, 0Ch
		mov	ax, [eax+1Ch]
		mov	word ptr [ebp+var_78], ax
		mov	eax, offset dword_6D42A0

loc_76B7D6:				; CODE XREF: PfTCreateTraceDump+19Dj
		mov	eax, [eax+4]
		xor	ebx, ebx
		mov	[ebp+var_20], eax
		mov	[ebp+var_10], ebx
		cmp	[eax+8], ebx
		jbe	loc_76B8E7
		lea	ecx, [eax+13h]
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_1C], ecx

loc_76B7F3:				; CODE XREF: PfTCreateTraceDump+191j
		mov	eax, [ecx+ebx*8]
		lea	ecx, [ecx+ebx*8]
		mov	edx, eax
		and	edx, 3
		cmp	edx, 2
		jnb	loc_76BBBB
		inc	esi
		mov	[ebp+var_C], esi

loc_76B80B:				; CODE XREF: PfTCreateTraceDump+48Dj
		xor	edx, edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], edx
		mov	edx, 0FFFFh
		test	al, 3
		jnz	loc_76BB74
		movzx	eax, word ptr [ecx+6]
		mov	word ptr [ebp+var_2C], ax
		movzx	eax, word ptr [ecx+4]
		mov	word ptr [ebp+var_38], ax

loc_76B83C:				; CODE XREF: PfTCreateTraceDump+43Aj
					; PfTCreateTraceDump+4BBj
		mov	ebx, [ebp+var_3C]
		lea	eax, [ebp+var_34]
		mov	edi, 2

loc_76B847:				; CODE XREF: PfTCreateTraceDump+142j
		movzx	esi, word ptr [eax-4]
		cmp	si, dx
		jz	short loc_76B88C
		movzx	ecx, word ptr [ebx+1Ch]
		cmp	si, cx
		jb	loc_76BD1F
		mov	[ebp+var_14], ecx
		mov	edx, esi
		mov	ecx, [ebx+18h]
		add	ecx, [ebp+var_14]
		cmp	edx, ecx
		jnb	loc_76BD1F
		sub	edx, [ebp+var_14]
		lea	ecx, [ebx+23h]

loc_76B876:				; CODE XREF: PfTCreateTraceDump+611j
		and	ecx, 0FFFFFFFCh
		lea	edx, [edx+edx*4]
		lea	ecx, [ecx+edx*4]
		add	ecx, 4

loc_76B882:				; CODE XREF: PfTCreateTraceDump+622j
		mov	[eax], ebx
		mov	edx, 0FFFFh
		mov	[eax+4], ecx

loc_76B88C:				; CODE XREF: PfTCreateTraceDump+FEj
		add	eax, 0Ch
		sub	edi, 1
		jnz	short loc_76B847
		mov	[ebp+var_3C], ebx
		mov	ebx, [ebp+var_10]
		cmp	[ebp+var_30], edi
		jz	short loc_76B8B5
		mov	eax, [ebp+var_38]
		sub	eax, [ebp+var_78]
		mov	ecx, [ebp+var_18]
		movzx	eax, ax
		cmp	[ecx+eax*2], dx
		jnz	loc_76BC66

loc_76B8B5:				; CODE XREF: PfTCreateTraceDump+14Dj
					; PfTCreateTraceDump+51Dj
		cmp	[ebp+var_24], 0
		mov	esi, [ebp+var_C]
		jz	short loc_76B8D4
		mov	eax, [ebp+var_2C]
		sub	eax, [ebp+var_78]
		mov	ecx, [ebp+var_18]
		movzx	eax, ax
		cmp	[ecx+eax*2], dx
		jnz	loc_76BC72

loc_76B8D4:				; CODE XREF: PfTCreateTraceDump+16Cj
					; PfTCreateTraceDump+481j ...
		mov	eax, [ebp+var_20]
		inc	ebx
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_10], ebx
		cmp	ebx, [eax+8]
		jb	loc_76B7F3

loc_76B8E7:				; CODE XREF: PfTCreateTraceDump+94j
		cmp	eax, dword_6D42A0
		jnz	loc_76B7D6
		test	esi, esi
		jz	loc_76BD66
		mov	eax, [ebp+var_8]
		lea	ebx, ds:33h[esi*8]
		shl	eax, 4
		and	ebx, 0FFFFFFFCh
		push	44546650h
		add	ebx, eax
		mov	[ebp+var_8], eax
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_50], eax
		test	eax, eax
		jz	loc_8D85DF
		lea	edx, [eax+8]
		mov	ecx, 6
		xor	eax, eax
		mov	edi, edx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [edx+10h]
		mov	[ebp+var_4], edi
		rep stosd
		mov	ecx, [ebp+var_8]
		lea	eax, [ebx-8]
		mov	[edx+8], eax
		lea	ebx, [edx+10h]
		lea	eax, ds:18h[esi*8]
		mov	dword ptr [edx], 0D002Dh
		add	ecx, eax
		mov	dword ptr [edx+4], 43435341h
		mov	dword ptr [edx+0Ch], 0
		lea	esi, [ebx+18h]
		mov	[ebx+8], eax
		xor	edx, edx
		add	eax, ebx
		mov	dword ptr [ebx], 18h
		mov	[ebp+var_1C], eax
		lea	eax, [ecx+ebx]
		mov	[ebp+var_14], eax
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	word ptr [ebp+var_5C], ax
		mov	eax, offset dword_6D42A0
		mov	[ebx+10h], ecx
		mov	[ebp+var_10], edx

loc_76B998:				; CODE XREF: PfTCreateTraceDump+3DAj
		mov	eax, [eax+4]
		xor	ecx, ecx
		mov	[ebp+var_40], eax
		mov	[ebp+var_20], ecx
		cmp	[eax+8], ecx
		jbe	loc_8D8619
		lea	ebx, [eax+13h]
		and	ebx, 0FFFFFFFCh
		mov	[ebp+var_4C], ebx

loc_76B9B5:				; CODE XREF: PfTCreateTraceDump+3CBj
		lea	edi, [ebx+ecx*8]
		lea	ebx, [esi+edx*8]
		mov	esi, [edi]
		mov	eax, esi
		mov	[ebp+var_44], ebx
		and	al, 3
		cmp	al, 2
		jnb	loc_76BBE2
		mov	esi, 1

loc_76B9D1:				; CODE XREF: PfTCreateTraceDump+4A1j
		lea	ecx, ds:0[esi*8]
		lea	eax, [ecx+ebx]
		cmp	eax, [ebp+var_1C]
		ja	loc_8D860E
		push	ecx		; size_t
		push	edi		; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	edx, [ebp+var_10]
		add	edx, esi
		mov	[ebp+var_10], edx
		add	[eax+4], esi
		mov	ecx, [edi]
		mov	eax, ecx
		and	al, 3
		cmp	al, 2
		jz	loc_76BBF6

loc_76BA0B:				; CODE XREF: PfTCreateTraceDump+4B2j
		mov	eax, ecx
		and	eax, 3
		cmp	eax, 2
		jnb	loc_76BBB3
		xor	edx, edx
		mov	ebx, 0FFFFh
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], edx
		test	eax, eax
		jnz	loc_76BB8F
		movzx	eax, word ptr [edi+6]
		mov	word ptr [ebp+var_2C], ax
		movzx	eax, word ptr [edi+4]
		mov	word ptr [ebp+var_38], ax

loc_76BA4A:				; CODE XREF: PfTCreateTraceDump+453j
					; PfTCreateTraceDump+4C4j
		lea	edx, [ebp+var_34]
		mov	edi, 2

loc_76BA52:				; CODE XREF: PfTCreateTraceDump+350j
		movzx	esi, word ptr [edx-4]
		cmp	si, bx
		jz	short loc_76BA9A
		mov	ebx, [ebp+var_3C]
		movzx	eax, word ptr [ebx+1Ch]
		cmp	si, ax
		jb	loc_76BCCC
		mov	[ebp+var_C], eax
		mov	ecx, esi
		mov	eax, [ebx+18h]
		add	eax, [ebp+var_C]
		cmp	ecx, eax
		jnb	loc_76BCCC
		sub	ecx, [ebp+var_C]
		lea	eax, [ebx+23h]

loc_76BA84:				; CODE XREF: PfTCreateTraceDump+5CAj
		and	eax, 0FFFFFFFCh
		lea	ecx, [ecx+ecx*4]
		lea	eax, [eax+ecx*4]
		add	eax, 4

loc_76BA90:				; CODE XREF: PfTCreateTraceDump+16CE9Bj
		mov	[edx], ebx
		mov	ebx, 0FFFFh
		mov	[edx+4], eax

loc_76BA9A:				; CODE XREF: PfTCreateTraceDump+309j
		add	edx, 0Ch
		sub	edi, 1
		jnz	short loc_76BA52
		mov	edx, [ebp+var_30]
		test	edx, edx
		jz	loc_76BBA8
		mov	eax, [ebp+var_38]
		sub	eax, [ebp+var_78]
		mov	ecx, [ebp+var_18]
		movzx	eax, ax
		lea	esi, [ecx+eax*2]
		movzx	eax, word ptr [esi]
		cmp	ax, bx
		jz	loc_76BC19
		mov	ecx, eax

loc_76BACA:				; CODE XREF: PfTCreateTraceDump+511j
					; PfTCreateTraceDump+16CEAAj
		mov	ebx, [ebp+var_44]
		mov	[ebx+4], cx

loc_76BAD1:				; CODE XREF: PfTCreateTraceDump+45Bj
		mov	edx, [ebp+var_24]
		test	edx, edx
		jz	loc_76BBB0
		mov	eax, [ebp+var_2C]
		sub	eax, [ebp+var_78]
		mov	ecx, [ebp+var_18]
		movzx	eax, ax
		lea	esi, [ecx+eax*2]
		mov	ecx, 0FFFFh
		movzx	eax, word ptr [esi]
		cmp	ax, cx
		jz	loc_76BC7E
		mov	ecx, eax

loc_76BAFE:				; CODE XREF: PfTCreateTraceDump+16CEB9j
		mov	edi, [ebp+var_4]

loc_76BB01:				; CODE XREF: PfTCreateTraceDump+577j
		mov	edx, [ebp+var_10]
		mov	[ebx+6], cx

loc_76BB08:				; CODE XREF: PfTCreateTraceDump+466j
		mov	ecx, [ebp+var_20]
		lea	esi, [edi+18h]
		mov	eax, [ebp+var_40]
		inc	ecx
		mov	ebx, [ebp+var_4C]
		mov	[ebp+var_20], ecx
		cmp	ecx, [eax+8]
		jb	loc_76B9B5

loc_76BB21:				; CODE XREF: PfTCreateTraceDump+16CEC4j
		lea	esi, [edi+18h]

loc_76BB24:				; CODE XREF: PfTCreateTraceDump+16CECCj
		cmp	eax, dword_6D42A0
		jnz	loc_76B998
		mov	ebx, [ebp+var_14]
		mov	ax, word ptr [ebp+var_5C+2]
		sub	ebx, edi
		mov	ecx, [ebp+var_54]
		sub	ebx, [edi+10h]
		xor	esi, esi
		mov	[edi+0Eh], ax
		mov	eax, [ebp+var_50]
		mov	[edi+14h], ebx
		mov	[ecx], eax

loc_76BB4D:				; CODE XREF: PfTCreateTraceDump+61Bj
					; PfTCreateTraceDump+16CE94j
		push	0
		push	[ebp+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_76BB57:				; CODE XREF: PfTCreateTraceDump+16CE7Cj
		mov	ecx, offset unk_6D4290
		call	_PfTFreeBufferList@4 ; PfTFreeBufferList(x)
		mov	ecx, offset unk_6D42A8
		call	_PfTFreeBufferList@4 ; PfTFreeBufferList(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_76BB74:				; CODE XREF: PfTCreateTraceDump+D6j
		and	al, 18h
		mov	word ptr [ebp+var_38], dx
		cmp	al, 10h
		jnz	loc_76BC07
		mov	ax, [ecx+6]
		mov	word ptr [ebp+var_2C], ax
		jmp	loc_76B83C
; 

loc_76BB8F:				; CODE XREF: PfTCreateTraceDump+2E4j
		and	cl, 18h
		mov	word ptr [ebp+var_38], bx
		cmp	cl, 10h
		jnz	short loc_76BC10
		mov	ax, [edi+6]
		mov	word ptr [ebp+var_2C], ax
		jmp	loc_76BA4A
; 

loc_76BBA8:				; CODE XREF: PfTCreateTraceDump+357j
		mov	ebx, [ebp+var_44]
		jmp	loc_76BAD1
; 

loc_76BBB0:				; CODE XREF: PfTCreateTraceDump+386j
		mov	edx, [ebp+var_10]

loc_76BBB3:				; CODE XREF: PfTCreateTraceDump+2C3j
		mov	edi, [ebp+var_4]
		jmp	loc_76BB08
; 

loc_76BBBB:				; CODE XREF: PfTCreateTraceDump+B1j
		shr	eax, 2
		dec	ebx
		and	eax, 3FFh
		add	esi, eax
		add	ebx, eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], ebx
		cmp	edx, 2
		jnz	loc_76B8D4
		mov	eax, [ecx+8]
		add	ecx, 8
		jmp	loc_76B80B
; 

loc_76BBE2:				; CODE XREF: PfTCreateTraceDump+276j
		shr	esi, 2
		dec	ecx
		and	esi, 3FFh
		add	ecx, esi
		mov	[ebp+var_20], ecx
		jmp	loc_76B9D1
; 

loc_76BBF6:				; CODE XREF: PfTCreateTraceDump+2B5j
		mov	ecx, [edi+8]
		add	edi, 8
		add	ebx, 8
		mov	[ebp+var_44], ebx
		jmp	loc_76BA0B
; 

loc_76BC07:				; CODE XREF: PfTCreateTraceDump+42Cj
		mov	word ptr [ebp+var_2C], dx
		jmp	loc_76B83C
; 

loc_76BC10:				; CODE XREF: PfTCreateTraceDump+449j
		mov	word ptr [ebp+var_2C], bx
		jmp	loc_76BA4A
; 

loc_76BC19:				; CODE XREF: PfTCreateTraceDump+372j
		mov	eax, [ebp+var_8]
		movzx	ecx, ax
		mov	eax, [ebp+var_5C]
		mov	[esi], cx
		inc	eax
		mov	esi, ecx
		movzx	edi, ax
		shl	esi, 4
		add	esi, [ebp+var_1C]
		mov	[ebp+var_8], eax
		mov	word ptr [ebp+var_5C], ax
		lea	eax, [esi+10h]
		cmp	eax, [ebp+var_14]
		ja	loc_8D85F0
		mov	eax, [edx]
		mov	[esi], eax
		mov	eax, [edx+4]
		mov	[esi+4], eax
		mov	eax, [edx+8]
		mov	[esi+8], eax
		mov	eax, [edx+0Ch]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_4]
		inc	word ptr [eax+0Ch]
		jmp	loc_76BACA
; 

loc_76BC66:				; CODE XREF: PfTCreateTraceDump+15Fj
		inc	[ebp+var_8]
		mov	[ecx+eax*2], dx
		jmp	loc_76B8B5
; 

loc_76BC72:				; CODE XREF: PfTCreateTraceDump+17Ej
		inc	[ebp+var_8]
		mov	[ecx+eax*2], dx
		jmp	loc_76B8D4
; 

loc_76BC7E:				; CODE XREF: PfTCreateTraceDump+3A6j
		mov	eax, [ebp+var_8]
		movzx	ecx, ax
		mov	[esi], cx
		mov	esi, ecx
		shl	esi, 4
		add	esi, [ebp+var_1C]
		lea	eax, [ecx+1]
		movzx	eax, ax
		mov	edi, eax
		mov	[ebp+var_8], eax
		mov	word ptr [ebp+var_5C], ax
		lea	eax, [esi+10h]
		cmp	eax, [ebp+var_14]
		ja	loc_8D85FF
		mov	eax, [edx]
		mov	edi, [ebp+var_4]
		mov	[esi], eax
		mov	eax, [edx+4]
		mov	[esi+4], eax
		mov	eax, [edx+8]
		mov	[esi+8], eax
		mov	eax, [edx+0Ch]
		mov	[esi+0Ch], eax
		inc	word ptr [edi+0Ch]
		jmp	loc_76BB01
; 

loc_76BCCC:				; CODE XREF: PfTCreateTraceDump+315j
					; PfTCreateTraceDump+328j
		mov	eax, ebx
		mov	edi, edi

loc_76BCD0:				; CODE XREF: PfTCreateTraceDump+5A7j
					; PfTCreateTraceDump+5B4j
		mov	eax, [eax+4]
		mov	[ebp+var_C], eax
		cmp	eax, offset dword_6D42B8
		jnz	short loc_76BCE5
		mov	eax, dword_6D42BC
		mov	[ebp+var_C], eax

loc_76BCE5:				; CODE XREF: PfTCreateTraceDump+58Bj
		cmp	eax, ebx
		jz	loc_8D85E9
		movzx	ecx, word ptr [eax+1Ch]
		mov	[ebp+var_48], ecx
		cmp	si, cx
		jb	short loc_76BCD0
		movzx	ecx, cx
		add	ecx, [eax+18h]
		mov	eax, [ebp+var_C]
		cmp	esi, ecx
		jnb	short loc_76BCD0
		mov	ebx, eax
		mov	ecx, esi
		mov	eax, [ebp+var_48]
		movzx	eax, ax
		sub	ecx, eax
		mov	[ebp+var_3C], ebx
		mov	eax, ebx
		add	eax, 23h
		jmp	loc_76BA84
; 

loc_76BD1F:				; CODE XREF: PfTCreateTraceDump+107j
					; PfTCreateTraceDump+11Aj
		mov	ecx, ebx

loc_76BD21:				; CODE XREF: PfTCreateTraceDump+5F1j
					; PfTCreateTraceDump+5FEj
		mov	ecx, [ecx+4]
		mov	[ebp+var_4], ecx
		cmp	ecx, offset dword_6D42B8
		jz	loc_8D85D1

loc_76BD33:				; CODE XREF: PfTCreateTraceDump+16CE8Aj
		cmp	ecx, ebx
		jz	short loc_76BD70
		movzx	edx, word ptr [ecx+1Ch]
		mov	[ebp+var_40], edx
		cmp	si, dx
		jb	short loc_76BD21
		movzx	edx, dx
		add	edx, [ecx+18h]
		mov	ecx, [ebp+var_4]
		cmp	esi, edx
		jnb	short loc_76BD21
		mov	ebx, ecx
		mov	edx, esi
		mov	ecx, [ebp+var_40]
		movzx	ecx, cx
		sub	edx, ecx
		mov	ecx, ebx
		add	ecx, 23h
		jmp	loc_76B876
; 

loc_76BD66:				; CODE XREF: PfTCreateTraceDump+1A5j
		mov	esi, 8000001Ah
		jmp	loc_76BB4D
; 

loc_76BD70:				; CODE XREF: PfTCreateTraceDump+5E5j
		xor	ecx, ecx
		jmp	loc_76B882
PfTCreateTraceDump endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfTFreeBufferList(x)
_PfTFreeBufferList@4 proc near		; CODE XREF: PfTCreateTraceDump+40Cp
					; PfTCreateTraceDump+416p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, [edi]
		lea	ebx, [edi+10h]
		mov	edx, [ebx]
		mov	ecx, eax
		mov	esi, [ebx+4]
		shr	ecx, 4
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], edx
		cmp	edx, esi
		jz	short loc_76BDDA

loc_76BD9D:				; CODE XREF: PfTFreeBufferList(x)+5Ej
		cmp	[esi], ebx
		jnz	short loc_76BE09
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_76BE09
		mov	[ebx+4], eax
		mov	[eax], ebx
		test	byte ptr [edi],	0Fh
		jnz	short loc_76BDEF
		mov	edx, ecx
		mov	ecx, esi
		push	1
		call	_PfTLbInitialize@12 ; PfTLbInitialize(x,x,x)

loc_76BDBD:				; CODE XREF: PfTFreeBufferList(x)+8Fj
		mov	eax, [edi+0Ch]
		mov	ecx, [ebp+var_4]
		mov	[esi], eax
		inc	word ptr [edi+0Ah]
		mov	[edi+0Ch], esi
		mov	eax, [ebx]
		mov	esi, [ebx+4]
		mov	[ebp+var_8], eax
		cmp	eax, esi
		jnz	short loc_76BD9D
		mov	eax, [edi]

loc_76BDDA:				; CODE XREF: PfTFreeBufferList(x)+23j
		pop	edi
		pop	esi
		pop	ebx
		test	al, 0Fh
		jnz	short locret_76BDED
		mov	edx, ecx
		mov	ecx, [ebp+var_8]
		push	1
		call	_PfTLbInitialize@12 ; PfTLbInitialize(x,x,x)

locret_76BDED:				; CODE XREF: PfTFreeBufferList(x)+67j
		leave
		retn
; 

loc_76BDEF:				; CODE XREF: PfTFreeBufferList(x)+38j
		push	ecx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+4], esi
		mov	[esi], esi
		mov	dword ptr [esi+18h], 800h
		jmp	short loc_76BDBD
; 

loc_76BE09:				; CODE XREF: PfTFreeBufferList(x)+27j
					; PfTFreeBufferList(x)+2Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PfTFreeBufferList@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfTLbInitialize(x, x, x)
_PfTLbInitialize@12 proc near		; CODE XREF: PfTFreeBufferList(x)+40p
					; PfTFreeBufferList(x)+70p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [edx-10h]
		jz	short loc_76BE3F
		push	edi		; size_t
		lea	eax, [esi+10h]
		push	0		; int
		push	eax		; void *
		call	_memset

loc_76BE2C:				; CODE XREF: PfTLbInitialize(x,x,x)+3Fj
		and	dword ptr [esi+8], 0
		add	esp, 0Ch
		shr	edi, 3
		mov	[esi+0Ch], edi
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_76BE3F:				; CODE XREF: PfTLbInitialize(x,x,x)+10j
		push	edx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	[esi+4], esi
		mov	[esi], esi
		jmp	short loc_76BE2C
_PfTLbInitialize@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PfSnEndProcessTrace(void *)
_PfSnEndProcessTrace@12	proc near	; CODE XREF: PfProcessExitNotification(x)+20p
					; PfSnOperationProcess+F5p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, edx
		call	PfSnReferenceProcessTrace
		mov	edi, eax
		test	edi, edi
		jnz	short loc_76BE71
		mov	esi, 0C0000225h

loc_76BE69:				; CODE XREF: PfSnEndProcessTrace(x,x,x)+52j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_76BE71:				; CODE XREF: PfSnEndProcessTrace(x,x,x)+12j
		cmp	[ebp+arg_0], 0
		jnz	short loc_76BEA4

loc_76BE77:				; CODE XREF: PfSnEndProcessTrace(x,x,x)+67j
		lea	ecx, [edi+118h]
		xor	eax, eax
		lock cmpxchg [ecx], esi
		test	eax, eax
		jnz	short loc_76BEC0
		push	1
		lea	eax, [edi+108h]
		push	eax
		call	ExQueueWorkItem
		xor	esi, esi

loc_76BE97:				; CODE XREF: PfSnEndProcessTrace(x,x,x)+6Ej
					; PfSnEndProcessTrace(x,x,x)+75j
		lea	ecx, [edi+104h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_76BE69
; 

loc_76BEA4:				; CODE XREF: PfSnEndProcessTrace(x,x,x)+25j
		push	40h		; size_t
		lea	eax, [edi+0Ch]
		push	eax		; void *
		push	[ebp+arg_0]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_76BE77
		mov	esi, 0C0000272h
		jmp	short loc_76BE97
; 

loc_76BEC0:				; CODE XREF: PfSnEndProcessTrace(x,x,x)+35j
		mov	esi, 0C0000189h
		jmp	short loc_76BE97
_PfSnEndProcessTrace@12	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnPrefetchCacheEntryGet(x, x, x, x)
_PfSnPrefetchCacheEntryGet@16 proc near	; CODE XREF: KiSchedulerApcTerminate+253p
					; PfSnPrefetchCacheEntryUpdate(x)+B3p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		xor	eax, eax
		mov	[ebp+var_18], edi
		mov	ebx, eax
		or	esi, 0FFFFFFFFh
		mov	eax, [edi+4]
		mov	ecx, eax
		and	ecx, 1Fh
		mov	[ebp+var_C], eax
		shl	esi, cl
		xor	eax, eax
		mov	edx, esi
		mov	[ebp+var_10], esi
		and	edx, [ebp+arg_0]
		inc	eax
		mov	[ebp+var_14], edx
		mov	[ebp+var_4], edx

loc_76BF00:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+ADj
		test	ebx, ebx
		jnz	short loc_76BF45
		mov	esi, [ebp+var_C]
		shr	esi, 5
		test	esi, esi
		jz	loc_76BFC1
		movzx	eax, dl
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	ecx, 25h
		add	eax, 164B2F3Fh
		add	eax, ecx
		lea	ecx, [esi-1]
		mov	esi, [ebp+var_10]
		and	ecx, eax
		mov	eax, [edi+8]
		lea	ebx, [eax+ecx*4]

loc_76BF42:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+8Cj
		xor	eax, eax
		inc	eax

loc_76BF45:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+3Aj
		mov	ebx, [ebx]
		test	ebx, eax
		jnz	short loc_76BF56
		mov	eax, [ebx+4]
		and	eax, esi
		cmp	edx, eax
		jz	short loc_76BF58
		jmp	short loc_76BF42
; 

loc_76BF56:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+81j
		xor	ebx, ebx

loc_76BF58:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+8Aj
		test	ebx, ebx
		jz	short loc_76BFC1
		push	40h		; size_t
		push	[ebp+var_8]	; void *
		lea	eax, [ebx+10h]
		push	eax		; void *
		call	_memcmp
		mov	edx, [ebp+var_14]
		add	esp, 0Ch
		test	eax, eax
		push	1
		pop	eax
		jnz	short loc_76BF00
		lea	eax, [ebx+8]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_76C126
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_76C126
		add	edi, 0Ch
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	loc_76C126
		mov	[eax], edi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edi+4], eax
		xor	eax, eax

loc_76BFAF:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+230j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_76BFB8
		mov	[ecx], eax

loc_76BFB8:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+ECj
					; PfSnPrefetchCacheEntryGet(x,x,x,x)+FEj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_76BFC1:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+44j
					; PfSnPrefetchCacheEntryGet(x,x,x,x)+92j
		xor	ebx, ebx
		cmp	[ebp+arg_4], ebx
		jz	short loc_76BFB8
		cmp	[edi+8], ebx
		jz	loc_76C115

loc_76BFD1:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+256j
		mov	ebx, [edi+14h]
		test	ebx, ebx
		jnz	loc_76C10B
		lea	eax, [edi+0Ch]
		mov	ebx, [eax]
		cmp	[ebx+4], eax
		jnz	loc_76C126
		mov	ecx, [ebx]
		cmp	[ecx+4], ebx
		jnz	loc_76C126
		mov	[eax], ecx
		add	ebx, 0FFFFFFF8h
		mov	[ecx+4], eax
		or	eax, 0FFFFFFFFh
		mov	esi, [edi+4]
		mov	edx, eax
		mov	ecx, esi
		shr	esi, 5
		and	ecx, 1Fh
		shl	edx, cl
		and	edx, [ebx+4]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_4], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	edx, ecx, 25h
		lea	ecx, [esi-1]
		mov	esi, 80000002h
		add	edx, eax
		mov	eax, [edi+8]
		and	ecx, edx
		xor	edx, edx
		lea	ecx, [eax+ecx*4]
		mov	eax, [ebx]
		and	eax, esi
		cmp	eax, esi
		jz	loc_76C0FD

loc_76C055:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+19Dj
					; PfSnPrefetchCacheEntryGet(x,x,x,x)+237j
		mov	eax, [ecx]
		test	al, 1
		jnz	loc_76C104
		cmp	eax, ebx
		jz	short loc_76C067
		mov	ecx, eax
		jmp	short loc_76C055
; 

loc_76C067:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+199j
		mov	eax, [ebx]
		mov	[ecx], eax
		dec	dword ptr [edi]
		or	[ebx], esi

loc_76C06F:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+23Ej
					; PfSnPrefetchCacheEntryGet(x,x,x,x)+248j
		push	64h		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		mov	esi, [ebp+var_8]
		lea	edi, [ebx+10h]
		add	esp, 0Ch
		or	eax, 0FFFFFFFFh
		push	10h
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_18]
		mov	edi, [ebp+arg_0]
		mov	[ebx+4], edi
		mov	ecx, [esi+4]
		mov	edx, ecx
		and	ecx, 1Fh
		shr	edx, 5
		shl	eax, cl
		and	eax, edi
		mov	[ebp+arg_0], eax
		mov	[ebp+var_4], eax
		movzx	eax, al
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		mov	eax, [ebp+arg_0]
		movzx	eax, ah
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	ecx, 25h
		add	ecx, eax
		dec	edx
		and	edx, ecx
		mov	ecx, [esi+8]
		mov	eax, [ecx+edx*4]
		mov	[ebx], eax
		lea	eax, [ebx+8]
		mov	[ecx+edx*4], ebx
		inc	dword ptr [esi]
		add	esi, 0Ch
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_76C126
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esi+4], eax

loc_76C0F5:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+25Cj
		xor	eax, eax
		inc	eax
		jmp	loc_76BFAF
; 

loc_76C0FD:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+187j
		mov	eax, [edx]
		jmp	loc_76C055
; 

loc_76C104:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+191j
		mov	eax, [edx]
		jmp	loc_76C06F
; 

loc_76C10B:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+10Ej
		mov	eax, [ebx]
		mov	[edi+14h], eax
		jmp	loc_76C06F
; 

loc_76C115:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+103j
		mov	ecx, edi
		call	PfSnPrefetchCacheCtxStart
		test	eax, eax
		jns	loc_76BFD1
		jmp	short loc_76C0F5
; 

loc_76C126:				; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+B7j
					; PfSnPrefetchCacheEntryGet(x,x,x,x)+C2j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PfSnPrefetchCacheEntryGet@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiSchedulerApcTerminate	proc near	; DATA XREF: KiSchedulerApc+D0o
					; KiInsertQueueApc+54o	...

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_30		= dword	ptr -30h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D8621 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	ecx, large fs:124h
		lea	edx, [esp+8+var_4]
		and	[esp+8+var_4], 0
		call	KiIsProcessTerminationRequested
		test	al, al
		jnz	loc_8D8621

loc_76C153:				; CODE XREF: KiSchedulerApcTerminate+16C50Bj
		mov	ecx, large fs:124h
		mov	ecx, [ecx+324h]
		call	PspExitThread
		int	3		; Trap to Debugger

; __stdcall PfSnCheckActionsNeeded(x, x, x, x, x)
_PfSnCheckActionsNeeded@20:		; CODE XREF: PfSnBeginScenario+8Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	[ebp+var_74], eax
		xor	esi, esi
		mov	eax, [ebp+arg_4]
		push	edi
		mov	[ebp+var_90], eax
		mov	eax, [ebp+arg_8]
		push	58h		; size_t
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_64]
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_6C], edx
		mov	[ebp+var_78], ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_80], esi
		test	byte ptr dword_6D4850, 8
		mov	[ebp+var_7C], esi
		push	3
		pop	edi
		push	17h
		mov	esi, edi
		pop	ebx
		mov	[ebp+var_68], esi
		mov	[ebp+var_70], ebx
		jz	short loc_76C1D4
		push	16h

loc_76C1CC:				; CODE XREF: KiSchedulerApcTerminate+D2j
		pop	ebx
		mov	edi, ebx
		jmp	loc_76C42C
; 

loc_76C1D4:				; CODE XREF: KiSchedulerApcTerminate+9Cj
		mov	ecx, [ebp+var_74]
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)
		mov	edx, eax
		call	_MmGetDefaultPagePriority@0 ; MmGetDefaultPagePriority()
		mov	[ebp+var_84], eax
		lea	ecx, [eax-1]
		mov	[ebp+var_88], ecx
		cmp	edx, ecx
		jbe	short loc_76C1FC
		mov	edx, eax
		cmp	edx, ecx
		ja	short loc_76C200

loc_76C1FC:				; CODE XREF: KiSchedulerApcTerminate+C8j
		push	2
		jmp	short loc_76C1CC
; 

loc_76C200:				; CODE XREF: KiSchedulerApcTerminate+CEj
		test	byte ptr dword_6D49F0, 10h
		jz	short loc_76C21B
		cmp	[ebp+var_6C], 0
		jnz	short loc_76C21B
		xor	esi, esi
		push	0Eh
		inc	esi
		pop	ebx
		mov	[ebp+var_68], esi
		mov	[ebp+var_70], ebx

loc_76C21B:				; CODE XREF: KiSchedulerApcTerminate+DBj
					; KiSchedulerApcTerminate+E1j
		mov	edx, [ebp+var_78]
		mov	esi, 4CB2Fh
		push	8
		pop	edi

loc_76C226:				; CODE XREF: KiSchedulerApcTerminate+14Dj
		movzx	eax, byte ptr [edx+1]
		imul	ecx, eax, 25h
		movzx	eax, byte ptr [edx+2]
		add	ecx, eax
		movzx	eax, byte ptr [edx+3]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+4]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+5]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+6]
		imul	ecx, 25h
		add	ecx, eax
		imul	eax, esi, 2FE8ED1Fh
		imul	ecx, 25h
		sub	ecx, eax
		movzx	eax, byte ptr [edx]
		imul	esi, eax, 1A617D0Dh
		lea	edx, [edx+8]
		movzx	eax, byte ptr [edx-1]
		add	esi, ecx
		add	esi, eax
		sub	edi, 1
		jnz	short loc_76C226
		mov	eax, ds:0FFDF0004h
		mov	[ebp+var_6C], eax
		mov	eax, 0FFDF0324h
		push	3
		mov	[ebp+var_8C], esi
		mov	esi, [ebp+var_68]
		mov	ecx, [eax]
		add	eax, 0FFFFFFFCh
		pop	edi
		mov	edx, [eax]
		mov	eax, 0FFDF0328h
		mov	eax, [eax]
		cmp	ecx, eax
		jz	short loc_76C2C6
		mov	esi, 0FFDF0324h
		lea	edi, [esi-4]
		lea	ebx, [esi+4]

loc_76C2B1:				; CODE XREF: KiSchedulerApcTerminate+18Fj
		pause
		mov	ecx, [esi]
		mov	edx, [edi]
		mov	eax, [ebx]
		cmp	ecx, eax
		jnz	short loc_76C2B1
		mov	esi, [ebp+var_68]
		mov	ebx, [ebp+var_70]
		push	3
		pop	edi

loc_76C2C6:				; CODE XREF: KiSchedulerApcTerminate+178j
		mov	eax, edx
		shl	ecx, 8
		mul	[ebp+var_6C]
		imul	ecx, [ebp+var_6C]
		shrd	eax, edx, 18h
		lea	edx, [ebp+var_64]
		add	eax, ecx
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_80]
		push	eax
		push	ecx
		push	58h
		or	ecx, 0FFFFFFFFh
		call	MmQueryMemoryListInformation
		xor	ecx, ecx
		mov	edx, ecx
		mov	eax, ecx

loc_76C2F3:				; CODE XREF: KiSchedulerApcTerminate+1CFj
		add	edx, [ebp+eax*4+var_30]
		inc	eax
		cmp	eax, 7
		jbe	short loc_76C2F3
		mov	eax, edx
		mov	edx, 1000h
		mul	edx
		shrd	eax, edx, 12h
		mov	edx, ecx
		mov	[ebp+var_74], eax
		mov	eax, [ebp+var_84]
		jmp	short loc_76C31C
; 

loc_76C317:				; CODE XREF: KiSchedulerApcTerminate+1F3j
		add	edx, [ebp+eax*4+var_30]
		inc	eax

loc_76C31C:				; CODE XREF: KiSchedulerApcTerminate+1E9j
		cmp	eax, 7
		jbe	short loc_76C317
		mov	eax, edx
		mov	edx, 1000h
		mul	edx
		shrd	eax, edx, 12h
		mov	[ebp+var_68], eax
		mov	eax, [ebp+var_88]
		jmp	short loc_76C33E
; 

loc_76C339:				; CODE XREF: KiSchedulerApcTerminate+215j
		add	ecx, [ebp+eax*4+var_30]
		inc	eax

loc_76C33E:				; CODE XREF: KiSchedulerApcTerminate+20Bj
		cmp	eax, 7
		jbe	short loc_76C339
		mov	eax, ecx
		mov	ecx, 1000h
		mul	ecx
		shrd	eax, edx, 12h
		mov	[ebp+var_70], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset unk_6D49AC
		call	ExAcquireResourceExclusiveLite
		mov	edx, [ebp+var_78]
		lea	eax, [ebp+var_7C]
		push	eax
		push	[ebp+var_8C]
		mov	ecx, offset unk_6D4994
		call	_PfSnPrefetchCacheEntryGet@16 ;	PfSnPrefetchCacheEntryGet(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_76C391
		mov	ebx, edi
		jmp	loc_76C416
; 

loc_76C391:				; CODE XREF: KiSchedulerApcTerminate+25Cj
		cmp	[ebp+var_7C], 0
		jnz	short loc_76C3F4
		mov	eax, [ebp+var_6C]
		sub	eax, [ecx+5Ch]
		mov	edx, [ecx+60h]
		cmp	eax, edx
		jnb	short loc_76C3A9
		and	esi, 0FFFFFFFEh
		cmp	eax, edx

loc_76C3A9:				; CODE XREF: KiSchedulerApcTerminate+276j
		sbb	edi, edi
		neg	edi
		add	edi, 4
		cmp	esi, 2
		jb	short loc_76C3FE
		test	byte ptr dword_6D4850, 2
		push	4
		pop	ebx
		jnz	short loc_76C3FE
		mov	edx, [ebp+var_68]
		cmp	eax, 1B7740h
		jnb	short loc_76C3D2
		mov	eax, edx
		sub	eax, [ecx+50h]
		jmp	short loc_76C3E7
; 

loc_76C3D2:				; CODE XREF: KiSchedulerApcTerminate+29Dj
		cmp	eax, 36EE80h
		jnb	short loc_76C3E1
		mov	eax, [ebp+var_70]
		sub	eax, [ecx+54h]
		jmp	short loc_76C3E7
; 

loc_76C3E1:				; CODE XREF: KiSchedulerApcTerminate+2ABj
		mov	eax, [ebp+var_74]
		sub	eax, [ecx+58h]

loc_76C3E7:				; CODE XREF: KiSchedulerApcTerminate+2A4j
					; KiSchedulerApcTerminate+2B3j
		cmp	eax, 1
		jnb	short loc_76C401
		push	7
		and	esi, 0FFFFFFFDh
		pop	ebx
		jmp	short loc_76C401
; 

loc_76C3F4:				; CODE XREF: KiSchedulerApcTerminate+269j
		push	0Dh
		pop	edi
		cmp	esi, 2
		jb	short loc_76C3FE
		mov	ebx, edi

loc_76C3FE:				; CODE XREF: KiSchedulerApcTerminate+287j
					; KiSchedulerApcTerminate+293j	...
		mov	edx, [ebp+var_68]

loc_76C401:				; CODE XREF: KiSchedulerApcTerminate+2BEj
					; KiSchedulerApcTerminate+2C6j
		mov	eax, [ebp+var_6C]
		mov	[ecx+5Ch], eax
		mov	eax, [ebp+var_70]
		mov	[ecx+54h], eax
		mov	eax, [ebp+var_74]
		mov	[ecx+50h], edx
		mov	[ecx+58h], eax

loc_76C416:				; CODE XREF: KiSchedulerApcTerminate+260j
		mov	ecx, offset unk_6D49AC
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_76C42C:				; CODE XREF: KiSchedulerApcTerminate+A3j
		mov	eax, [ebp+var_90]
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		mov	[eax], edi
		mov	eax, [ebp+var_94]
		pop	edi
		mov	[eax], ebx
		mov	eax, esi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
KiSchedulerApcTerminate	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MmGetDirectoryFrameFromProcess(x)
_MmGetDirectoryFrameFromProcess@4 proc near ; CODE XREF: PfpLogApplicationEvent+10Fp
		mov	ecx, [ecx+194h]
		mov	eax, [ecx+18h]
		mov	ecx, [ecx+1Ch]
		shrd	eax, ecx, 0Ch
		and	eax, 1FFFFFFh
		retn
_MmGetDirectoryFrameFromProcess@4 endp


;  S U B	R O U T	I N E 


; __stdcall MmGetSessionGlobalVA(x)
_MmGetSessionGlobalVA@4	proc near	; CODE XREF: PfpLogApplicationEvent+172p
					; PfpPrivSourceEnum(x,x,x)+2C6p
		test	dword ptr [ecx+3A8h], 1000h
		jnz	short loc_76C479
		mov	eax, [ecx+180h]
		retn
; 

loc_76C479:				; CODE XREF: MmGetSessionGlobalVA(x)+Aj
		xor	eax, eax
		retn
_MmGetSessionGlobalVA@4	endp


;  S U B	R O U T	I N E 


; __stdcall PfSnFindImageFileName(x, x)
_PfSnFindImageFileName@8 proc near	; CODE XREF: PfSnBeginAppLaunch+81p
					; PfSnOperationProcess+AAp
		mov	edi, edi
		push	ebx
		push	esi
		movzx	esi, word ptr [ecx]
		mov	ebx, edx
		push	edi
		mov	edi, [ecx+4]
		xor	edx, edx
		shr	esi, 1
		mov	eax, edx
		lea	ecx, [edi-2]
		lea	ecx, [ecx+esi*2]
		cmp	ecx, edi
		jb	short loc_76C4B2

loc_76C499:				; CODE XREF: PfSnFindImageFileName(x,x)+29j
		cmp	word ptr [ecx],	5Ch
		jz	short loc_76C4A7
		sub	ecx, 2
		inc	eax
		cmp	ecx, edi
		jnb	short loc_76C499

loc_76C4A7:				; CODE XREF: PfSnFindImageFileName(x,x)+21j
		test	eax, eax
		jz	short loc_76C4B2
		sub	esi, eax
		mov	[ebx], eax
		lea	edx, [edi+esi*2]

loc_76C4B2:				; CODE XREF: PfSnFindImageFileName(x,x)+1Bj
					; PfSnFindImageFileName(x,x)+2Dj
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		retn
_PfSnFindImageFileName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnIsHostingApplication proc near	; CODE XREF: PfSnBeginAppLaunch+C5p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D863C SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	esi, edi
		lea	ecx, [esi+2]

loc_76C4CA:				; CODE XREF: PfSnIsHostingApplication+1Bj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, bx
		jnz	short loc_76C4CA
		mov	eax, large fs:124h
		sub	esi, ecx
		sar	esi, 1
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D4858
		call	ExAcquirePushLockSharedEx
		mov	ecx, offset word_6D4750
		lea	edx, [ecx+2]

loc_76C4FB:				; CODE XREF: PfSnIsHostingApplication+4Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_76C4FB
		sub	ecx, edx
		sar	ecx, 1
		push	edi		; wchar_t *
		push	offset word_6D4750 ; wchar_t *
		lea	eax, word_6D4750[ecx*2]
		mov	[ebp+var_4], eax
		call	_wcsstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_76C54B

loc_76C525:				; CODE XREF: PfSnIsHostingApplication+9Bj
					; PfSnIsHostingApplication+A2j	...
		push	11h
		xor	edx, edx
		mov	esi, offset unk_6D4858
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_76C584

loc_76C538:				; CODE XREF: PfSnIsHostingApplication+D3j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_76C54B:				; CODE XREF: PfSnIsHostingApplication+6Bj
		push	2Ch
		pop	ecx

loc_76C54E:				; CODE XREF: PfSnIsHostingApplication+16C195j
		cmp	eax, offset word_6D4750
		jb	short loc_76C525
		mov	edx, [ebp+var_4]
		cmp	eax, edx
		jnb	short loc_76C525
		cmp	eax, offset word_6D4750
		jz	short loc_76C56D
		cmp	[eax-2], cx
		jnz	loc_8D863C

loc_76C56D:				; CODE XREF: PfSnIsHostingApplication+A9j
		lea	ecx, [eax+esi*2]
		cmp	ecx, edx
		jz	short loc_76C580
		push	2Ch
		pop	edx
		cmp	[ecx], dx
		jnz	loc_8D863C

loc_76C580:				; CODE XREF: PfSnIsHostingApplication+BAj
		mov	bl, 1
		jmp	short loc_76C525
; 

loc_76C584:				; CODE XREF: PfSnIsHostingApplication+7Ej
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_76C538
PfSnIsHostingApplication endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnScanCommandLine(x, x)
_PfSnScanCommandLine@8 proc near	; CODE XREF: PfSnBeginAppLaunch+D1p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	esi, eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		call	PfSnGetUnsafeProcessParameters
		test	eax, eax
		jz	short loc_76C5FD
		lea	ecx, [ebp+var_10]
		push	ecx
		lea	edx, [eax+40h]
		mov	ecx, eax
		call	PfSnCaptureParamBlockString
		test	eax, eax
		js	short loc_76C5DF
		lea	edx, [ebp+var_4]
		lea	ecx, [ebp+var_10]
		call	PfSnParsePrefetchParam
		test	eax, eax
		jns	short loc_76C5F8

loc_76C5D7:				; CODE XREF: PfSnScanCommandLine(x,x)+6Dj
		test	edi, edi
		jnz	short loc_76C5E4

loc_76C5DB:				; CODE XREF: PfSnScanCommandLine(x,x)+68j
		mov	[ebx], esi
		xor	eax, eax

loc_76C5DF:				; CODE XREF: PfSnScanCommandLine(x,x)+38j
					; PfSnScanCommandLine(x,x)+63j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76C5E4:				; CODE XREF: PfSnScanCommandLine(x,x)+4Bj
		lea	edx, [ebp+var_8]
		lea	ecx, [ebp+var_10]
		call	PfSnHashUnsafeUnicodeString
		test	eax, eax
		js	short loc_76C5DF
		add	esi, [ebp+var_8]
		jmp	short loc_76C5DB
; 

loc_76C5F8:				; CODE XREF: PfSnScanCommandLine(x,x)+47j
		mov	esi, [ebp+var_4]
		jmp	short loc_76C5D7
; 

loc_76C5FD:				; CODE XREF: PfSnScanCommandLine(x,x)+26j
		mov	eax, 0C0000189h
		jmp	short loc_76C5DF
_PfSnScanCommandLine@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnParsePrefetchParam proc near	; CODE XREF: PfSnScanCommandLine(x,x)+40p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= word ptr -3Ch
var_1E		= dword	ptr -1Eh
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D8658 SIZE 0000001B BYTES

		push	4Ch
		push	offset dword_6A0A10
		call	__SEH_prolog4_GS
		mov	[ebp+var_58], edx
		mov	edi, ecx
		xor	ebx, ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		push	offset ??_C@_1BG@FNKMPIDB@?$AA?1?$AAp?$AAr?$AAe?$AAf?$AAe?$AAt?$AAc?$AAh?$AA?3@NNGAKEGL@
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+ms_exc.disabled], ebx
		movzx	eax, word ptr [edi]
		test	ax, ax
		jz	short loc_76C65A
		mov	ecx, [edi+4]
		test	cl, 1
		jnz	loc_76C703
		lea	edx, [ecx+eax]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	loc_8D8658
		cmp	edx, ecx
		jb	loc_8D8658

loc_76C65A:				; CODE XREF: PfSnParsePrefetchParam+30j
					; PfSnParsePrefetchParam+16C056j
		lea	edx, [ebp+var_48]
		mov	ecx, edi
		call	_PfSnFindString@8 ; PfSnFindString(x,x)
		test	eax, eax
		jnz	short loc_76C689
		mov	ebx, 0C0000225h

loc_76C66D:				; CODE XREF: PfSnParsePrefetchParam+16C060j
					; sub_8D8681+6j
		mov	[ebp+var_40], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_76C677:				; CODE XREF: PfSnParsePrefetchParam+FAj
					; PfSnParsePrefetchParam+16C06Aj
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76C689:				; CODE XREF: PfSnParsePrefetchParam+62j
		movzx	esi, word ptr [ebp+var_48]
		add	esi, eax
		mov	[ebp+var_4C], esi
		movzx	eax, word ptr [edi]
		add	eax, [edi+4]
		mov	[ebp+var_54], eax
		lea	edi, [ebp+var_3C]
		mov	[ebp+var_50], edi

loc_76C6A1:				; CODE XREF: PfSnParsePrefetchParam+D4j
		lea	ecx, [ebp+var_1E]
		cmp	esi, eax
		jnb	short loc_76C6DA
		cmp	edi, ecx
		jnb	short loc_76C6DA
		movzx	eax, word ptr [esi]
		cmp	eax, 20h
		jz	short loc_76C6DA
		push	eax		; wint_t
		call	_iswdigit
		pop	ecx
		test	eax, eax
		jz	loc_8D865F
		mov	ax, [esi]
		mov	[edi], ax
		add	esi, 2
		mov	[ebp+var_4C], esi
		add	edi, 2
		mov	[ebp+var_50], edi
		mov	eax, [ebp+var_54]
		jmp	short loc_76C6A1
; 

loc_76C6DA:				; CODE XREF: PfSnParsePrefetchParam+A2j
					; PfSnParsePrefetchParam+A6j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		mov	[edi], ax
		lea	eax, [ebp+var_3C]
		push	eax		; wchar_t *
		call	__wtol
		pop	ecx
		cmp	eax, 8
		ja	loc_8D8669
		mov	ecx, [ebp+var_58]
		mov	[ecx], eax
		jmp	loc_76C677
; 

loc_76C703:				; CODE XREF: PfSnParsePrefetchParam+38j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
PfSnParsePrefetchParam endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnFindString(x, x)
_PfSnFindString@8 proc near		; CODE XREF: PfSnParsePrefetchParam+5Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	eax, word ptr [ecx]
		push	ebx
		push	esi
		mov	esi, [ecx+4]
		mov	ecx, [edx+4]
		shr	eax, 1
		push	edi
		mov	[ebp+var_4], ecx
		lea	edi, [esi+eax*2]
		movzx	eax, word ptr [edx]
		shr	eax, 1
		lea	ebx, [ecx+eax*2]
		jmp	short loc_76C744
; 

loc_76C72C:				; CODE XREF: PfSnFindString(x,x)+3Ej
		mov	edx, esi

loc_76C72E:				; CODE XREF: PfSnFindString(x,x)+4Fj
		cmp	ecx, ebx
		jnb	short loc_76C73C
		mov	ax, [edx]
		cmp	ax, [ecx]
		jz	short loc_76C74F

loc_76C73A:				; CODE XREF: PfSnFindString(x,x)+51j
		cmp	ecx, ebx

loc_76C73C:				; CODE XREF: PfSnFindString(x,x)+28j
		jz	short loc_76C75B
		mov	ecx, [ebp+var_4]
		add	esi, 2

loc_76C744:				; CODE XREF: PfSnFindString(x,x)+22j
		cmp	esi, edi
		jb	short loc_76C72C
		xor	eax, eax

loc_76C74A:				; CODE XREF: PfSnFindString(x,x)+55j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76C74F:				; CODE XREF: PfSnFindString(x,x)+30j
		add	edx, 2
		add	ecx, 2
		cmp	edx, edi
		jb	short loc_76C72E
		jmp	short loc_76C73A
; 

loc_76C75B:				; CODE XREF: PfSnFindString(x,x):loc_76C73Cj
		mov	eax, esi
		jmp	short loc_76C74A
_PfSnFindString@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnCaptureParamBlockString proc near	; CODE XREF: PfSnScanCommandLine(x,x)+31p

var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D86A0 SIZE 00000008 BYTES

		push	10h
		push	offset dword_6A0A30
		call	__SEH_prolog4
		mov	edi, ecx
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [edx]
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		nop
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_76C7B5
		cmp	[ecx], si
		jz	short loc_76C7B5
		test	byte ptr [edi+8], 1
		jz	short loc_76C7AE

loc_76C793:				; CODE XREF: PfSnCaptureParamBlockString+53j
					; PfSnCaptureParamBlockString+16BF43j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_76C7AE:				; CODE XREF: PfSnCaptureParamBlockString+31j
		add	eax, edi
		mov	[ecx+4], eax
		jmp	short loc_76C793
; 

loc_76C7B5:				; CODE XREF: PfSnCaptureParamBlockString+26j
					; PfSnCaptureParamBlockString+2Bj
		mov	esi, 0C0000225h
		jmp	loc_8D86A0
PfSnCaptureParamBlockString endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnGetUnsafeProcessParameters proc near ; CODE	XREF: PfSnScanCommandLine(x,x)+1Fp

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6A0A50
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+17Ch]
		test	eax, eax
		jz	short loc_76C818
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [eax+10h]
		mov	[ebp+var_1C], eax
		nop
		test	al, 3
		jnz	short loc_76C81C
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	short loc_76C821

loc_76C7FB:				; CODE XREF: PfSnGetUnsafeProcessParameters+63j
		nop
		mov	al, [eax]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]

loc_76C808:				; CODE XREF: PfSnGetUnsafeProcessParameters+5Aj
					; sub_8D86AC+Fj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76C818:				; CODE XREF: PfSnGetUnsafeProcessParameters+20j
		xor	eax, eax
		jmp	short loc_76C808
; 

loc_76C81C:				; CODE XREF: PfSnGetUnsafeProcessParameters+2Fj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_76C821:				; CODE XREF: PfSnGetUnsafeProcessParameters+39j
		mov	eax, ecx
		jmp	short loc_76C7FB
PfSnGetUnsafeProcessParameters endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnCheckModernApp proc	near		; CODE XREF: PfSnBeginAppLaunch+102p

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0076C96F SIZE 000000AA BYTES
; FUNCTION CHUNK AT 008D86C0 SIZE 000000CD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	eax, [eax+80h]
		mov	esi, [ebp+arg_4]
		push	edi
		push	eax
		mov	[ebp+var_9C], edx
		xor	edi, edi
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_94], esi
		mov	[ebp+var_A4], eax
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		push	edi
		lea	ecx, [ebp+var_98]
		mov	[ebp+var_A8], eax
		push	ecx
		lea	ecx, [ebp+var_90]
		mov	[ebp+var_98], 82h
		push	ecx
		push	esi
		push	ebx
		push	eax
		call	_RtlQueryPackageIdentity@24 ; RtlQueryPackageIdentity(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_76C8E3
		xor	eax, eax
		cmp	esi, 0C0000225h
		jnz	short loc_76C8B9

loc_76C8A7:				; CODE XREF: PfSnCheckModernApp+16BF62j
		mov	ecx, [ebp+var_9C]
		xor	esi, esi
		mov	[ecx], edi
		mov	ecx, [ebp+var_A0]
		mov	[ecx], eax

loc_76C8B9:				; CODE XREF: PfSnCheckModernApp+7Fj
		mov	ecx, [ebp+var_A4]
		mov	edx, [ebp+var_A8]
		add	ecx, 12Ch
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_76C8E3:				; CODE XREF: PfSnCheckModernApp+75j
		mov	edi, [ebp+var_94]
		mov	edx, 4CB2Fh
		mov	esi, edx
		mov	edi, [edi]
		sub	edi, 2
		cmp	edi, 8
		jl	loc_8D86C0
		mov	eax, edi
		shr	eax, 3
		mov	[ebp+var_94], eax
		mov	edx, eax
		imul	eax, -8
		add	edi, eax

loc_76C910:				; CODE XREF: PfSnCheckModernApp+13Dj
		movzx	eax, byte ptr [ebx+1]
		imul	ecx, eax, 25h
		movzx	eax, byte ptr [ebx+2]
		add	ecx, eax
		movzx	eax, byte ptr [ebx+3]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebx+4]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebx+5]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebx+6]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebx]
		imul	ecx, 25h
		imul	eax, 1A617D0Dh
		add	ecx, eax
		imul	eax, esi, 2FE8ED1Fh
		movzx	esi, byte ptr [ebx+7]
		add	ebx, 8
		sub	ecx, eax
		add	esi, ecx
		sub	edx, 1
		jnz	short loc_76C910
		mov	edx, 4CB2Fh
		jmp	loc_8D86C0
PfSnCheckModernApp endp

; 
; START	OF FUNCTION CHUNK FOR PfSnCheckModernApp

loc_76C96F:				; CODE XREF: PfSnCheckModernApp+1EEj
		mov	eax, ebx
		shr	eax, 3
		mov	[ebp+var_94], eax
		imul	eax, -8
		add	ebx, eax
		mov	[ebp+var_98], ebx
		mov	ebx, [ebp+var_94]

loc_76C98B:				; CODE XREF: PfSnCheckModernApp+1B8j
		movzx	eax, byte ptr [edi+1]
		imul	ecx, eax, 25h
		movzx	eax, byte ptr [edi+2]
		add	ecx, eax
		movzx	eax, byte ptr [edi+3]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edi+4]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edi+5]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edi+6]
		imul	ecx, 25h
		add	ecx, eax
		imul	eax, edx, 2FE8ED1Fh
		imul	ecx, 25h
		sub	ecx, eax
		movzx	eax, byte ptr [edi]
		imul	edx, eax, 1A617D0Dh
		movzx	eax, byte ptr [edi+7]
		add	edi, 8
		add	edx, ecx
		add	edx, eax
		sub	ebx, 1
		jnz	short loc_76C98B
		mov	ebx, [ebp+var_98]
		jmp	loc_8D8721
; 

loc_76C9EB:				; CODE XREF: PfSnCheckModernApp+16BEA6j
					; PfSnCheckModernApp+16BEF6j
		movzx	eax, byte ptr [ebx]
		imul	esi, 25h
		add	esi, eax
		inc	ebx

loc_76C9F4:				; CODE XREF: PfSnCheckModernApp+16BE9Dj
		movzx	eax, byte ptr [ebx]
		imul	esi, 25h
		add	esi, eax

loc_76C9FC:				; CODE XREF: PfSnCheckModernApp+16BEC3j
		mov	ebx, [ebp+var_98]
		lea	edi, [ebp+var_90]
		add	ebx, 0FFFFFFFEh
		cmp	ebx, 8
		jl	loc_8D8721
		jmp	loc_76C96F
; END OF FUNCTION CHUNK	FOR PfSnCheckModernApp
; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnBeginScenario proc near		; CODE XREF: PfSnBeginAppLaunch+13Fp
					; PfSnOperationProcess+146p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D878D SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_34], ecx
		push	ebx
		mov	ebx, large fs:124h
		xor	ecx, ecx
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_28], eax
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_3C], ecx
		mov	al, [eax+15Ah]
		mov	esi, ecx
		mov	[ebx+15Ah], cl
		mov	[ebp+var_38], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_1C], ecx
		mov	ecx, ebx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_5], al
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 2
		jl	loc_76CC40
		xor	ecx, ecx
		inc	ecx
		mov	eax, ecx
		lock xadd dword_6D4990,	eax
		inc	eax
		cmp	eax, dword_6D46E8
		jnb	loc_8D878D
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_10]
		mov	ecx, edi
		push	eax
		push	ebx
		call	_PfSnCheckActionsNeeded@20 ; PfSnCheckActionsNeeded(x,x,x,x,x)
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_C], eax
		test	dl, 2
		jnz	loc_8D87A1
		mov	esi, [ebp+var_18]
		mov	[ebp+var_18], esi

loc_76CAC0:				; CODE XREF: PfSnBeginScenario+16BD94j
		test	al, 2
		jnz	loc_76CBA7

loc_76CAC8:				; CODE XREF: PfSnBeginScenario+246j
		mov	ebx, [ebp+var_10]
		mov	edi, [ebp+var_14]

loc_76CACE:				; CODE XREF: PfSnBeginScenario+1EBj
		test	dl, 4
		jnz	loc_8D87B3

loc_76CAD7:				; CODE XREF: PfSnBeginScenario+16BDA2j
		test	al, 1
		jnz	short loc_76CB3D

loc_76CADB:				; CODE XREF: PfSnBeginScenario+16Ej
		test	al, 2
		jnz	loc_76CC0A
		xor	eax, eax
		inc	eax

loc_76CAE6:				; CODE XREF: PfSnBeginScenario+20Bj
		and	[ebp+arg_4], 0
		mov	esi, [ebp+var_C]
		test	al, al
		jz	short loc_76CAF8

loc_76CAF1:				; CODE XREF: PfSnBeginScenario+16BD82j
		lock dec dword_6D4990

loc_76CAF8:				; CODE XREF: PfSnBeginScenario+D5j
		test	edi, edi
		jnz	loc_8D87D3

loc_76CB00:				; CODE XREF: PfSnBeginScenario+16BDC1j
		mov	edi, [ebp+var_1C]
		test	edi, edi
		jnz	loc_76CB8D

loc_76CB0B:				; CODE XREF: PfSnBeginScenario+188j
		mov	edi, [ebp+arg_4]

loc_76CB0E:				; CODE XREF: PfSnBeginScenario+22Ej
		push	[ebp+var_20]
		mov	eax, [ebp+var_18]
		push	[ebp+var_24]
		mov	edx, [ebp+arg_0]
		push	[ebp+var_28]
		mov	ecx, [ebp+var_2C]
		push	eax
		push	ebx
		push	esi
		call	PfSnLogScenarioDecision
		mov	eax, [ebp+var_30]
		mov	cl, [ebp+var_5]
		mov	[eax+15Ah], cl
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_76CB3D:				; CODE XREF: PfSnBeginScenario+BFj
		mov	al, dl
		and	al, 1
		movzx	ecx, al
		lea	eax, [ebp+var_1C]
		push	eax
		neg	ecx
		mov	eax, edx
		mov	edx, [ebp+arg_0]
		sbb	ecx, ecx
		shr	eax, 3
		and	ecx, [ebp+var_30]
		and	eax, 1
		push	eax
		push	ecx
		push	[ebp+var_34]
		mov	ecx, [ebp+var_2C]
		call	PfSnBeginTrace
		test	eax, eax
		js	loc_76CC6A

loc_76CB6F:				; CODE XREF: PfSnBeginScenario+25Aj
					; PfSnBeginScenario+16BDB4j
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jz	short loc_76CB82
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jz	short loc_76CB82
		call	_PfSnLogIdentifier@8 ; PfSnLogIdentifier(x,x)

loc_76CB82:				; CODE XREF: PfSnBeginScenario+15Aj
					; PfSnBeginScenario+161j
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+arg_4]
		jmp	loc_76CADB
; 

loc_76CB8D:				; CODE XREF: PfSnBeginScenario+EBj
		mov	ecx, edi
		call	PfSnStartTraceTimer
		lea	ecx, [edi+104h]
		mov	[ebp+arg_4], eax
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_76CB0B
; 

loc_76CBA7:				; CODE XREF: PfSnBeginScenario+A8j
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_14]
		push	eax
		mov	ecx, edi
		call	PfSnGetPrefetchInstructions
		test	eax, eax
		js	loc_76CC4D
		lea	eax, [ebp+var_3C]
		push	eax
		call	KeQuerySystemTime
		mov	edi, [ebp+var_14]
		mov	eax, [ebp+var_3C]
		mov	ecx, [ebp+var_38]
		sub	eax, [edi+80h]
		mov	[ebp+var_24], eax
		sbb	ecx, [edi+84h]
		mov	[ebp+var_20], ecx
		cmp	ecx, [edi+0C4h]
		jg	short loc_76CBF3
		jl	short loc_76CC2A
		cmp	eax, [edi+0C0h]
		jb	short loc_76CC2A

loc_76CBF3:				; CODE XREF: PfSnBeginScenario+1CDj
		mov	ebx, [ebp+var_10]
		mov	eax, [ebp+var_C]

loc_76CBF9:				; CODE XREF: PfSnBeginScenario+219j
					; PfSnBeginScenario+224j
		mov	ecx, [edi+0C8h]
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_28], ecx
		jmp	loc_76CACE
; 

loc_76CC0A:				; CODE XREF: PfSnBeginScenario+C3j
		test	byte ptr [edi+0D0h], 3
		jnz	short loc_76CC65

loc_76CC13:				; CODE XREF: PfSnBeginScenario+24Ej
		mov	ecx, edi
		call	PfSnPrefetchScenario
		test	eax, eax
		setns	al
		dec	al
		and	al, 1
		xor	edi, edi
		jmp	loc_76CAE6
; 

loc_76CC2A:				; CODE XREF: PfSnBeginScenario+1CFj
					; PfSnBeginScenario+1D7j
		mov	ebx, [ebp+var_10]
		mov	eax, [ebp+var_C]
		cmp	ebx, 16h
		jz	short loc_76CBF9
		and	eax, 0FFFFFFFEh
		push	0Bh
		mov	[ebp+var_C], eax
		pop	ebx
		jmp	short loc_76CBF9
; 

loc_76CC40:				; CODE XREF: PfSnBeginScenario+5Ej
		mov	ebx, [ebp+var_10]
		mov	edi, 40190034h
		jmp	loc_76CB0E
; 

loc_76CC4D:				; CODE XREF: PfSnBeginScenario+19Dj
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+arg_4]
		and	eax, 0FFFFFFFDh
		mov	[ebp+var_C], eax
		mov	[ebp+var_18], 0Ah
		jmp	loc_76CAC8
; 

loc_76CC65:				; CODE XREF: PfSnBeginScenario+1F7j
		or	edx, 10h
		jmp	short loc_76CC13
; 

loc_76CC6A:				; CODE XREF: PfSnBeginScenario+14Fj
		cmp	eax, 0C00000CEh
		jnz	short loc_76CC79
		push	10h

loc_76CC73:				; CODE XREF: PfSnBeginScenario+27Aj
					; PfSnBeginScenario+27Ej ...
		pop	ebx
		jmp	loc_76CB6F
; 

loc_76CC79:				; CODE XREF: PfSnBeginScenario+255j
		cmp	eax, 0C000009Ah
		jz	short loc_76CC96
		cmp	eax, 0C01A0006h
		jz	short loc_76CC9A
		cmp	eax, 0C0000021h
		jnz	loc_8D87C1
		push	13h
		jmp	short loc_76CC73
; 

loc_76CC96:				; CODE XREF: PfSnBeginScenario+264j
		push	11h
		jmp	short loc_76CC73
; 

loc_76CC9A:				; CODE XREF: PfSnBeginScenario+26Bj
		push	12h
		jmp	short loc_76CC73
PfSnBeginScenario endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnLogScenarioDecision	proc near	; CODE XREF: PfSnBeginScenario+109p
					; PfSnBeginAppLaunch+198p

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_96		= dword	ptr -96h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008D87E0 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_A0], edx
		mov	ecx, dword_6D49E8
		mov	eax, ecx
		mov	edx, dword_6D49EC
		push	edi
		xor	edi, edi
		or	eax, edx
		mov	[ebp+var_9C], edi
		jz	short loc_76CCEA
		push	ebx
		mov	ebx, offset _PfSnEvt_ScenarioDecision_Info
		push	ebx
		push	edx
		push	ecx
		call	EtwEventEnabled
		test	al, al
		jnz	short loc_76CCFA

loc_76CCE9:				; CODE XREF: PfSnLogScenarioDecision+137j
		pop	ebx

loc_76CCEA:				; CODE XREF: PfSnLogScenarioDecision+37j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_76CCFA:				; CODE XREF: PfSnLogScenarioDecision+49j
		lea	eax, [ebp+var_96+2]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_9C]
		push	eax
		lea	edx, [ebp+var_A0]
		call	_PfSnBuildScenarioEventDescriptors@16 ;	PfSnBuildScenarioEventDescriptors(x,x,x,x)
		movzx	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	[ebp+var_A4], eax
		inc	ecx
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_54], eax
		mov	al, [ebp+arg_4]
		mov	byte ptr [ebp+var_96+1], al
		lea	eax, [ebp+var_96+1]
		mov	[ebp+var_44], eax
		mov	al, [ebp+arg_8]
		mov	byte ptr [ebp+var_96], al
		lea	eax, [ebp+var_96]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_C]
		push	4
		mov	[ebp+var_2C], ecx
		mov	ecx, [ebp+arg_14]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], 2
		mov	[ebp+var_48], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		pop	esi
		mov	[ebp+var_1C], esi
		cmp	ecx, edi
		jl	short loc_76CD98
		jg	loc_8D87E0
		cmp	eax, edi
		jnb	loc_8D87E0

loc_76CD98:				; CODE XREF: PfSnLogScenarioDecision+EAj
		and	eax, ecx
		or	ecx, 0FFFFFFFFh
		cmp	eax, ecx
		jnz	short loc_76CDDA

loc_76CDA1:				; CODE XREF: PfSnLogScenarioDecision+13Fj
					; PfSnLogScenarioDecision+16BB51j
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_96+2]
		push	eax
		push	9
		push	edi
		push	ebx
		push	dword_6D49EC
		mov	[ebp+var_10], edi
		push	dword_6D49E8
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_76CCE9
; 

loc_76CDDA:				; CODE XREF: PfSnLogScenarioDecision+101j
		push	0FFFFFFFEh
		pop	ecx
		jmp	short loc_76CDA1
PfSnLogScenarioDecision	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DbgkFlushErrorPort proc	near		; CODE XREF: PspExitProcess+93p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D87F4 SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	ebx
		mov	[ebp+var_4], ebx
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		lea	esi, [eax+238h]
		cmp	ebx, [esi+8]
		jz	loc_8D87F4

loc_76CE09:				; CODE XREF: DbgkFlushErrorPort+16BA76j
		pop	esi
		pop	ebx
		leave
		retn
DbgkFlushErrorPort endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspExitProcess	proc near		; CODE XREF: PspProcessDelete+113p
					; PspExitThread+431p

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 008D885B SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	al, cl
		push	4
		mov	[esp+14h+var_1], al
		pop	ecx
		lea	ebx, [esi+0FCh]
		lock or	[ebx], ecx
		mov	edi, large fs:124h
		test	al, al
		jz	short loc_76CE7F
		push	3
		pop	edx
		mov	ecx, esi
		call	PsSetProcessTelemetryAppState
		test	byte ptr ds:_PerfGlobalGroupMask, 1
		jz	short loc_76CE58
		mov	edx, 302h
		mov	ecx, esi
		call	EtwTraceProcess

loc_76CE58:				; CODE XREF: PspExitProcess+3Cj
		test	byte ptr [esi+3A8h], 1
		jnz	loc_8D885B

loc_76CE65:				; CODE XREF: PspExitProcess+16BA5Aj
		dec	word ptr [edi+13Ch]
		nop
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	PspCallProcessNotifyRoutines
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)

loc_76CE7F:				; CODE XREF: PspExitProcess+29j
					; PspExitProcess+16BA54j
		mov	ecx, [esi+1BCh]
		test	ecx, ecx
		jnz	short loc_76CEBB
		mov	dword ptr [esi+1BCh], 1

loc_76CE93:				; CODE XREF: PspExitProcess+B2j
					; PspExitProcess+16BA6Aj
		cmp	[esp+10h+var_1], 0
		jz	short loc_76CEB4
		cmp	dword ptr [ebx], 0
		jl	short loc_76CEC7

loc_76CE9F:				; CODE XREF: PspExitProcess+BEj
		mov	ecx, esi
		call	DbgkFlushErrorPort
		mov	ecx, esi
		call	_PfProcessExitNotification@4 ; PfProcessExitNotification(x)
		mov	ecx, esi
		call	PspProcessUnbindVirtualizedTimers

loc_76CEB4:				; CODE XREF: PspExitProcess+8Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_76CEBB:				; CODE XREF: PspExitProcess+79j
		xor	edi, edi
		inc	edi
		cmp	ecx, edi
		jz	short loc_76CE93
		jmp	loc_8D886D
; 

loc_76CEC7:				; CODE XREF: PspExitProcess+8Fj
		call	_ExCleanTimerResolutionRequest@0 ; ExCleanTimerResolutionRequest()
		jmp	short loc_76CE9F
PspExitProcess	endp


;  S U B	R O U T	I N E 


; __stdcall PfProcessExitNotification(x)
_PfProcessExitNotification@4 proc near	; CODE XREF: PspExitProcess+9Ap
		mov	edi, edi
		push	esi
		push	1
		xor	edx, edx
		mov	esi, ecx
		call	PfpLogApplicationEvent
		cmp	_PfSnNumActiveTraces, 0
		jnz	short loc_76CEE7
		pop	esi
		retn
; 

loc_76CEE7:				; CODE XREF: PfProcessExitNotification(x)+15j
		push	0		; void *
		push	2
		pop	edx
		mov	ecx, esi
		call	_PfSnEndProcessTrace@12	; PfSnEndProcessTrace(x,x,x)
		pop	esi
		retn
_PfProcessExitNotification@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfProcessCreateNotification proc near	; CODE XREF: PspUserThreadStartup+DCp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D887D SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	loc_8D887D
		and	[ebp+var_4], 0
		test	byte ptr dword_6D4284, 1
		jz	short loc_76CF6E

loc_76CF14:				; CODE XREF: PfProcessCreateNotification+7Fj
		lea	eax, [ebp+var_4]
		or	eax, 1
		push	eax
		push	esi
		call	PfCalculateProcessHash
		test	byte ptr dword_6D4920, 1
		jz	short loc_76CF3D
		mov	ecx, [esi+1DCh]
		test	ecx, ecx
		jz	short loc_76CF3D
		call	_PfCheckDeprioritizeImage@4 ; PfCheckDeprioritizeImage(x)
		test	eax, eax
		jnz	short loc_76CF5E

loc_76CF3D:				; CODE XREF: PfProcessCreateNotification+32j
					; PfProcessCreateNotification+3Cj ...
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	0
		call	PfSnBeginAppLaunch
		cmp	[ebp+var_4], 0
		jz	short loc_76CF59
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_76CF59:				; CODE XREF: PfProcessCreateNotification+57j
		xor	eax, eax

loc_76CF5B:				; CODE XREF: PfProcessCreateNotification+16B98Cj
		pop	esi
		leave
		retn
; 

loc_76CF5E:				; CODE XREF: PfProcessCreateNotification+45j
		mov	ecx, 4000h
		lea	eax, [esi+0FCh]
		lock or	[eax], ecx
		jmp	short loc_76CF3D
; 

loc_76CF6E:				; CODE XREF: PfProcessCreateNotification+1Cj
		test	byte ptr dword_6D4920, 1
		jnz	short loc_76CF14
		jmp	short loc_76CF3D
PfProcessCreateNotification endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnBeginAppLaunch proc	near		; CODE XREF: PfProcessCreateNotification+4Ep
					; PfSnAppLaunchScenarioControl(x,x)+8Cp

var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D8887 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 16Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+16Ch+var_4], eax
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+174h+var_158], edx
		push	edi
		push	40h		; size_t
		lea	eax, [esp+17Ch+var_148]
		mov	[esp+17Ch+var_15C], ecx
		push	esi		; int
		mov	ebx, esi
		mov	[esp+180h+var_14C], esi
		push	eax		; void *
		mov	[esp+184h+var_168], esi
		mov	[esp+184h+var_150], esi
		mov	[esp+184h+var_160], ebx
		mov	[esp+184h+var_164], esi
		call	_memset
		add	esp, 0Ch
		lea	edx, [esp+178h+var_14C]
		xor	ecx, ecx
		call	_PfSnCheckScenario@8 ; PfSnCheckScenario(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_76D102
		mov	ecx, [esp+178h+var_158]
		test	ecx, ecx
		jz	loc_8D8887

loc_76CFEA:				; CODE XREF: PfSnBeginAppLaunch+16B92Bj
		mov	eax, [ecx]
		lea	edx, [esp+178h+var_168]
		mov	[esp+178h+var_158], eax
		mov	eax, [ecx+4]
		mov	[esp+178h+var_154], eax
		call	_PfSnFindImageFileName@8 ; PfSnFindImageFileName(x,x)
		test	eax, eax
		jz	loc_8D88AA
		push	1Dh
		pop	edi
		cmp	[esp+178h+var_168], edi
		jnb	short loc_76D015
		mov	edi, [esp+178h+var_168]

loc_76D015:				; CODE XREF: PfSnBeginAppLaunch+95j
		add	edi, edi
		push	edi		; size_t
		push	eax		; void *
		lea	eax, [esp+180h+var_148]
		push	eax		; void *
		call	_memcpy
		xor	eax, eax
		lea	ecx, [esp+184h+var_148]
		mov	word ptr [esp+edi+184h+var_148], ax
		add	esp, 0Ch
		mov	eax, [esp+178h+var_15C]
		mov	eax, [eax+1DCh]
		mov	[esp+178h+var_10C], eax
		call	PfSnIsHostingApplication
		movzx	edx, al
		lea	ecx, [esp+178h+var_164]
		call	_PfSnScanCommandLine@8 ; PfSnScanCommandLine(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_76D102
		mov	eax, [esp+178h+var_164]
		lea	edx, [esp+178h+var_164]
		add	[esp+178h+var_10C], eax
		lea	ecx, [esp+178h+var_150]
		lea	eax, [esp+178h+var_168]
		mov	[esp+178h+var_168], 100h
		push	eax
		lea	eax, [esp+17Ch+var_108]
		push	eax
		call	PfSnCheckModernApp
		mov	edi, eax
		test	edi, edi
		js	short loc_76D102
		mov	ecx, [esp+178h+var_10C]
		cmp	[esp+178h+var_150], esi
		jnz	short loc_76D0E3
		mov	edx, esi

loc_76D093:				; CODE XREF: PfSnBeginAppLaunch+186j
		add	ecx, [ebp+arg_0]
		test	byte ptr dword_6D49F0, 20h
		mov	[esp+178h+var_10C], ecx
		jnz	short loc_76D119
		cmp	[esp+178h+var_14C], 2
		jz	short loc_76D119

loc_76D0AA:				; CODE XREF: PfSnBeginAppLaunch+1A2j
		mov	ecx, [esp+178h+var_15C]
		lea	eax, [esp+178h+var_158]
		push	eax
		push	edx
		push	esi
		lea	edx, [esp+184h+var_148]
		call	PfSnBeginScenario
		mov	edi, eax
		test	edi, edi
		js	short loc_76D0C6
		mov	edi, esi

loc_76D0C6:				; CODE XREF: PfSnBeginAppLaunch+148j
					; PfSnBeginAppLaunch+19Dj
		test	ebx, ebx
		jnz	short loc_76D11E

loc_76D0CA:				; CODE XREF: PfSnBeginAppLaunch+1ABj
		mov	ecx, [esp+178h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_76D0E3:				; CODE XREF: PfSnBeginAppLaunch+115j
		add	ecx, [esp+178h+var_164]
		lea	eax, [esp+178h+var_108]
		push	8
		mov	[esp+17Ch+var_154], eax
		mov	eax, [esp+17Ch+var_168]
		pop	edx
		mov	word ptr [esp+178h+var_158], ax
		mov	word ptr [esp+178h+var_158+2], ax
		jmp	short loc_76D093
; 

loc_76D102:				; CODE XREF: PfSnBeginAppLaunch+5Ej
					; PfSnBeginAppLaunch+DAj ...
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	edi
		push	0Fh
		push	0Fh
		push	esi
		xor	edx, edx
		lea	ecx, [esp+190h+var_148]
		call	PfSnLogScenarioDecision
		jmp	short loc_76D0C6
; 

loc_76D119:				; CODE XREF: PfSnBeginAppLaunch+127j
					; PfSnBeginAppLaunch+12Ej
		or	edx, 2
		jmp	short loc_76D0AA
; 

loc_76D11E:				; CODE XREF: PfSnBeginAppLaunch+14Ej
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_76D0CA
PfSnBeginAppLaunch endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PfSnCheckScenario(x, x)
_PfSnCheckScenario@8 proc near		; CODE XREF: PfSnBeginAppLaunch+55p
					; PfSnOperationProcess+72p
		mov	eax, dword_6D46C0[ecx*4]
		test	eax, eax
		jz	short loc_76D162
		test	byte ptr dword_6D49F0, 1
		jnz	short loc_76D153

loc_76D13C:				; CODE XREF: PfSnCheckScenario(x,x)+32j
		cmp	dword_6D4988, 1
		jz	short loc_76D168
		cmp	dword_6D4928, 0
		jz	short loc_76D16E
		mov	[edx], eax
		xor	eax, eax
		retn
; 

loc_76D153:				; CODE XREF: PfSnCheckScenario(x,x)+12j
		test	byte ptr dword_6D4850, 1
		jnz	short loc_76D13C
		mov	eax, 0C0000063h
		retn
; 

loc_76D162:				; CODE XREF: PfSnCheckScenario(x,x)+9j
		mov	eax, 0C00001A9h
		retn
; 

loc_76D168:				; CODE XREF: PfSnCheckScenario(x,x)+1Bj
		mov	eax, 0C0000210h
		retn
; 

loc_76D16E:				; CODE XREF: PfSnCheckScenario(x,x)+24j
		mov	eax, 0C00002B9h
		retn
_PfSnCheckScenario@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfCalculateProcessHash proc near	; CODE XREF: PfProcessCreateNotification+26p
					; PfSnOperationProcess+95p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0076D2BC SIZE 00000005 BYTES
; FUNCTION CHUNK AT 008D88B4 SIZE 0000006B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	edx, edx
		mov	eax, ebx
		mov	[ebp+var_4], edx
		and	eax, 1
		push	esi
		mov	[ebp+var_C], eax
		jz	short loc_76D196
		and	ebx, 0FFFFFFFEh
		mov	[ebp+arg_4], ebx

loc_76D196:				; CODE XREF: PfCalculateProcessHash+1Aj
		mov	ecx, [ebp+arg_0]
		cmp	[ecx+15Ch], edx
		jz	loc_76D2B5
		push	edi
		lea	edx, [ebp+var_4]
		call	_PsGetAllocatedFullProcessImageName@8 ;	PsGetAllocatedFullProcessImageName(x,x)
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	loc_76D298
		xor	esi, esi
		cmp	[edi], si
		jz	loc_8D88B4
		push	esi
		push	edi
		push	edi
		call	RtlUpcaseUnicodeString
		mov	ecx, [ebp+arg_0]
		cmp	[ecx+1DCh], esi
		jnz	loc_76D282
		mov	esi, [edi+4]
		mov	edx, 4CB2Fh
		movzx	edi, word ptr [edi]
		cmp	edi, 8
		jb	loc_8D88BE
		mov	eax, edi
		shr	eax, 3
		mov	[ebp+var_8], eax
		mov	ebx, eax
		imul	eax, -8
		add	edi, eax

loc_76D200:				; CODE XREF: PfCalculateProcessHash+DFj
		movzx	eax, byte ptr [esi+1]
		imul	ecx, eax, 25h
		movzx	eax, byte ptr [esi+2]
		add	ecx, eax
		movzx	eax, byte ptr [esi+3]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [esi+4]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [esi+5]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [esi+6]
		imul	ecx, 25h
		add	ecx, eax
		imul	eax, edx, 2FE8ED1Fh
		imul	ecx, 25h
		sub	ecx, eax
		movzx	eax, byte ptr [esi]
		imul	edx, eax, 1A617D0Dh
		movzx	eax, byte ptr [esi+7]
		add	esi, 8
		add	edx, ecx
		add	edx, eax
		sub	ebx, 1
		jnz	short loc_76D200
		mov	ebx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		jmp	loc_8D88BE
; 

loc_76D260:				; CODE XREF: PfCalculateProcessHash+16B756j
					; PfCalculateProcessHash+16B7A6j
		movzx	eax, byte ptr [esi]
		imul	edx, 25h
		add	edx, eax
		inc	esi

loc_76D269:				; CODE XREF: PfCalculateProcessHash+16B74Dj
		movzx	eax, byte ptr [esi]
		imul	edx, 25h
		add	edx, eax

loc_76D271:				; CODE XREF: PfCalculateProcessHash+16B773j
		cmp	edx, 1
		jbe	short loc_76D2BC

loc_76D276:				; CODE XREF: PfCalculateProcessHash+14Bj
		nop
		mov	edi, [ebp+var_4]
		xor	esi, esi
		mov	[ecx+1DCh], edx

loc_76D282:				; CODE XREF: PfCalculateProcessHash+63j
		cmp	[ebp+var_C], 0
		jz	short loc_76D290
		push	esi
		mov	edx, edi
		call	PfpLogApplicationEvent

loc_76D290:				; CODE XREF: PfCalculateProcessHash+112j
		test	ebx, ebx
		jz	short loc_76D298
		mov	[ebx], edi
		mov	edi, esi

loc_76D298:				; CODE XREF: PfCalculateProcessHash+41j
					; PfCalculateProcessHash+11Ej ...
		test	edi, edi
		jnz	short loc_76D2AB

loc_76D29C:				; CODE XREF: PfCalculateProcessHash+13Fj
		pop	edi

loc_76D29D:				; CODE XREF: PfCalculateProcessHash+146j
		neg	ebx
		sbb	ebx, ebx
		and	ebx, esi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_76D2AB:				; CODE XREF: PfCalculateProcessHash+126j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_76D29C
; 

loc_76D2B5:				; CODE XREF: PfCalculateProcessHash+2Bj
		mov	esi, 0C0000225h
		jmp	short loc_76D29D
PfCalculateProcessHash endp

; 
; START	OF FUNCTION CHUNK FOR PfCalculateProcessHash

loc_76D2BC:				; CODE XREF: PfCalculateProcessHash+100j
		xor	edx, edx
		inc	edx
		jmp	short loc_76D276
; END OF FUNCTION CHUNK	FOR PfCalculateProcessHash
; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnLogStreamCreate proc near		; CODE XREF: PfFileInfoNotify+4C2p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D891F SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], ebx
		mov	eax, [esi+10h]
		movzx	ecx, word ptr [esi+12h]
		and	eax, 0FFFFh
		cmp	ecx, eax
		jbe	loc_8D891F
		sub	ecx, eax
		mov	[ebp+var_10], ecx
		lea	eax, [ecx+ecx]
		mov	ecx, [esi]
		lea	edi, [eax+39h]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_4]
		shr	edi, 3
		push	eax
		mov	edx, edi
		call	PfSnLogHelper
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_76D3F0
		mov	ecx, [ebp+var_4]
		lea	eax, ds:0FFFFFFF8h[edi*8]
		or	eax, 5
		push	ebx
		mov	[ecx+4], ebx
		lea	edi, [ecx+0Fh]
		mov	[ecx], eax
		and	edi, 0FFFFFFF8h
		mov	eax, [esi+8]
		mov	[ecx+4], eax
		mov	[edi], ebx
		lea	eax, [edi+20h]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		mov	word ptr [ebp+var_20], ax
		mov	eax, [ebp+var_10]
		movzx	esi, ax
		mov	eax, [ebp+var_C]
		lea	edx, [esi+esi]
		movzx	ecx, word ptr [eax+10h]
		mov	eax, [eax+0Ch]
		mov	word ptr [ebp+var_20+2], dx
		mov	word ptr [ebp+var_8], dx
		mov	word ptr [ebp+var_8+2],	dx
		lea	eax, [eax+ecx*2]
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_4], eax
		mov	eax, [edi]
		and	eax, 80000000h
		lea	ecx, ds:150h[ecx*8]
		and	ecx, 7FFFFFF8h
		or	ecx, eax
		mov	[edi], ecx
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx+18h]
		mov	[edi+4], eax
		mov	eax, [ecx+1Ch]
		mov	[edi+8], eax
		mov	eax, [ecx+4]
		mov	[edi+14h], eax
		mov	eax, [ecx+20h]
		mov	[edi+18h], eax
		mov	eax, [ecx+8]
		mov	[edi+10h], eax
		mov	eax, [edi+1Ch]
		xor	eax, [ecx+14h]
		and	eax, 1
		xor	[edi+1Ch], eax
		mov	ecx, [ecx+14h]
		mov	eax, [edi+1Ch]
		add	ecx, ecx
		xor	ecx, eax
		and	ecx, 4
		xor	ecx, eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_20]
		mov	[edi+1Ch], ecx
		push	eax
		mov	[edi+1Eh], si
		call	RtlUpcaseUnicodeString
		mov	eax, [ebp+var_10]
		xor	ecx, ecx
		mov	[edi+eax*2+20h], cx
		mov	ecx, [ebp+var_18]
		add	ecx, 104h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_76D3E9:				; CODE XREF: PfSnLogStreamCreate+133j
					; PfSnLogStreamCreate+16B662j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_76D3F0:				; CODE XREF: PfSnLogStreamCreate+4Cj
		mov	ebx, 0C000017Ah
		jmp	short loc_76D3E9
PfSnLogStreamCreate endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnLogHelper	proc near		; CODE XREF: PfSnLogStreamCreate+42p
					; PfSnLogVolumeCreate+29p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D8929 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		xor	edi, edi
		call	PfSnReferenceProcessTrace
		mov	esi, eax
		test	esi, esi
		jz	short loc_76D42B
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	ecx, esi
		call	PfSnTraceGetLogEntry
		test	eax, eax
		js	short loc_76D434
		mov	edi, esi
		xor	esi, esi

loc_76D423:				; CODE XREF: PfSnLogHelper+43j
		test	esi, esi
		jnz	loc_8D8929

loc_76D42B:				; CODE XREF: PfSnLogHelper+15j
					; PfSnLogHelper+16B53Cj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_76D434:				; CODE XREF: PfSnLogHelper+25j
		mov	ecx, esi
		call	_PfSnFailProcessTrace@4	; PfSnFailProcessTrace(x)
		jmp	short loc_76D423
PfSnLogHelper	endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2391. RtlUpcaseUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUpcaseUnicodeString
RtlUpcaseUnicodeString proc near	; CODE XREF: .text:00513651p
					; PfCalculateProcessHash+55p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 0076D596 SIZE 0000000A BYTES
; FUNCTION CHUNK AT 008D8939 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0A70
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	eax, [ebp+arg_4]
		movzx	ecx, word ptr [eax]
		mov	edx, ecx
		mov	edi, [ebp+arg_0]
		cmp	[ebp+arg_8], 0
		jnz	loc_76D56F
		cmp	cx, [edi+2]
		ja	loc_8D8939

loc_76D4A1:				; CODE XREF: RtlUpcaseUnicodeString+136j
		movzx	ebx, dx
		shr	ebx, 1
		mov	[ebp+var_4], 0
		mov	[ebp+var_24], 1
		xor	esi, esi

loc_76D4B6:				; CODE XREF: RtlUpcaseUnicodeString+92j
					; RtlUpcaseUnicodeString+11Aj
		mov	[ebp+var_20], esi
		cmp	esi, ebx
		jnb	short loc_76D4FF
		mov	eax, [eax+4]
		movzx	edi, word ptr [eax+esi*2]
		cmp	edi, 61h
		jb	short loc_76D4FB
		cmp	edi, 7Ah
		ja	short loc_76D4E4
		lea	eax, [edi-20h]
		movzx	ecx, ax

loc_76D4D4:				; CODE XREF: RtlUpcaseUnicodeString+ADj
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+4]
		mov	[eax+esi*2], cx
		inc	esi
		mov	eax, [ebp+arg_4]
		jmp	short loc_76D4B6
; 

loc_76D4E4:				; CODE XREF: RtlUpcaseUnicodeString+7Cj
		mov	ecx, ds:_Nls844UnicodeUpcaseTable
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jz	short loc_76D4FB
		mov	eax, 0C0h
		cmp	di, ax
		jnb	short loc_76D52E

loc_76D4FB:				; CODE XREF: RtlUpcaseUnicodeString+77j
					; RtlUpcaseUnicodeString+9Fj
		mov	ecx, edi
		jmp	short loc_76D4D4
; 

loc_76D4FF:				; CODE XREF: RtlUpcaseUnicodeString+6Bj
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	[ebp+var_24], 0
		call	sub_76D58B
		mov	ax, [eax]
		mov	[edi], ax
		xor	eax, eax

loc_76D51A:				; CODE XREF: RtlUpcaseUnicodeString+14Bj
					; RtlUpcaseUnicodeString+16B4EEj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_76D52E:				; CODE XREF: RtlUpcaseUnicodeString+A9j
		mov	edx, edi
		mov	eax, edi
		shr	eax, 8
		movzx	ecx, word ptr [ecx+eax*2]
		mov	eax, edx
		shr	eax, 4
		and	eax, 0Fh
		add	ecx, eax
		mov	eax, [ebp+var_1C]
		movzx	eax, word ptr [eax+ecx*2]
		and	edx, 0Fh
		add	eax, edx
		mov	ecx, [ebp+var_1C]
		mov	ax, [ecx+eax*2]
		add	ax, di
		movzx	ecx, ax
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+4]
		mov	[eax+esi*2], cx
		inc	esi
		mov	eax, [ebp+arg_4]
		jmp	loc_76D4B6
; 

loc_76D56F:				; CODE XREF: RtlUpcaseUnicodeString+41j
		mov	[edi+2], cx
		push	edx
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[edi+4], eax
		test	eax, eax
		jz	short loc_76D596
		mov	eax, [ebp+arg_4]
		movzx	edx, word ptr [eax]
		jmp	loc_76D4A1
RtlUpcaseUnicodeString endp


;  S U B	R O U T	I N E 


sub_76D58B	proc near		; CODE XREF: RtlUpcaseUnicodeString+BDp
					; sub_8D8943+6j

; FUNCTION CHUNK AT 008D894E SIZE 0000001E BYTES

		cmp	dword ptr [ebp-24h], 0
		jnz	loc_8D894E

locret_76D595:				; CODE XREF: sub_76D58B+16B3C7j
		retn
sub_76D58B	endp

; 
; START	OF FUNCTION CHUNK FOR RtlUpcaseUnicodeString

loc_76D596:				; CODE XREF: RtlUpcaseUnicodeString+12Ej
		mov	eax, 0C0000017h
		jmp	loc_76D51A
; END OF FUNCTION CHUNK	FOR RtlUpcaseUnicodeString
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2474. SeLocateProcessImageName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeLocateProcessImageName(x,	x)
		public _SeLocateProcessImageName@8
_SeLocateProcessImageName@8 proc near	; CODE XREF: SeAuditProcessCreation+8Cp
					; SeAuditProcessCreation+C7p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	PsGetAllocatedFullProcessImageNameEx
		pop	ebp
		retn	8
_SeLocateProcessImageName@8 endp


;  S U B	R O U T	I N E 


PsGetAllocatedFullProcessImageNameEx proc near ; CODE XREF: SeCheckForCriticalAceRemoval+70p
					; SeLocateProcessImageName(x,x)+Bp ...

; FUNCTION CHUNK AT 008D896C SIZE 00000017 BYTES

		cmp	dword ptr [ecx+3D4h], 0
		mov	eax, 0C0000225h
		push	esi
		jnz	loc_8D896C

loc_76D5CD:				; CODE XREF: PsGetAllocatedFullProcessImageNameEx+16B3BAj
		cmp	dword ptr [ecx+1C0h], 0
		jz	short loc_76D5DC
		pop	esi
		jmp	_PsGetAllocatedFullProcessImageName@8 ;	PsGetAllocatedFullProcessImageName(x,x)
; 

loc_76D5DC:				; CODE XREF: PsGetAllocatedFullProcessImageNameEx+1Aj
					; PsGetAllocatedFullProcessImageNameEx+16B3C4j
		pop	esi
		retn
PsGetAllocatedFullProcessImageNameEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetAllocatedFullProcessImageName(x, x)
_PsGetAllocatedFullProcessImageName@8 proc near	; CODE XREF: PfCalculateProcessHash+35p
					; PsGetAllocatedFullProcessImageNameEx+1Dj ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ecx+1C0h]
		push	esi
		push	edi
		push	6E497350h
		movzx	eax, word ptr [ebx+2]
		add	eax, 8
		mov	[ebp+var_4], edx
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_76D640
		mov	ecx, [ebx]
		xor	edi, edi
		mov	[esi], ecx
		mov	ecx, [ebx+4]
		mov	[esi+4], ecx
		cmp	ecx, edi
		jz	short loc_76D634
		lea	ecx, [esi+8]
		mov	[esi+4], ecx
		movzx	eax, word ptr [ebx+2]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_76D634:				; CODE XREF: PsGetAllocatedFullProcessImageName(x,x)+3Dj
		mov	eax, [ebp+var_4]
		mov	[eax], esi

loc_76D639:				; CODE XREF: PsGetAllocatedFullProcessImageName(x,x)+67j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76D640:				; CODE XREF: PsGetAllocatedFullProcessImageName(x,x)+2Dj
		mov	edi, 0C0000017h
		jmp	short loc_76D639
_PsGetAllocatedFullProcessImageName@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfGetCompletedTrace proc near		; CODE XREF: PAGE:0077D2EAp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D8983 SIZE 0000002F BYTES
; FUNCTION CHUNK AT 008D89D5 SIZE 0000002C BYTES

		push	30h
		push	offset dword_6A0A90
		call	__SEH_prolog4
		mov	[ebp+var_2C], edx
		mov	[ebp+var_1C], ecx
		xor	ebx, ebx
		mov	esi, ebx
		mov	[ebp+var_20], esi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_28], 1
		mov	edi, offset unk_6D4400

loc_76D670:				; CODE XREF: PfGetCompletedTrace+1B8j
		mov	ecx, edi
		call	ExAcquireFastMutex
		cmp	dword_6D43FC, ebx
		jnz	loc_76D7E9
		call	_PFP_CAN_DO_ACCESS_LOGGING@0 ; PFP_CAN_DO_ACCESS_LOGGING()
		mov	[ebp+var_3C], eax
		mov	ecx, ebx

loc_76D68D:				; CODE XREF: PfGetCompletedTrace+66j
		test	ecx, ecx
		jnz	loc_76D7D1
		mov	eax, offset unk_6D43E4
		mov	[ebp+var_24], offset dword_6D43F4

loc_76D6A1:				; CODE XREF: PfGetCompletedTrace+195j
		mov	[ebp+var_34], eax
		mov	edx, [eax]
		cmp	edx, eax
		jnz	short loc_76D6B2
		inc	ecx
		cmp	ecx, 2
		jb	short loc_76D68D
		jmp	short loc_76D6E7
; 

loc_76D6B2:				; CODE XREF: PfGetCompletedTrace+60j
		mov	esi, edx
		mov	[ebp+var_20], edx
		mov	ecx, [esi+10h]
		add	ecx, 10h
		mov	[ebp+var_38], ecx
		cmp	ecx, [ebp+var_2C]
		ja	loc_76D805
		mov	ecx, [edx]
		cmp	[edx+4], eax
		jnz	loc_76D81A
		cmp	[ecx+4], edx
		jnz	loc_76D81A
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, [ebp+var_24]
		dec	dword ptr [eax]

loc_76D6E7:				; CODE XREF: PfGetCompletedTrace+68j
		cmp	[ebp+var_3C], ebx
		jz	loc_8D8983

loc_76D6F0:				; CODE XREF: PfGetCompletedTrace+16B342j
					; PfGetCompletedTrace+16B365j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	[ebp+var_28], ebx
		test	esi, esi
		jz	loc_76D7E2
		mov	[ebp+var_3C], ebx
		mov	[ebp+ms_exc.disabled], ebx
		cmp	[ebp+arg_0], 0
		jz	short loc_76D71B
		push	8
		push	[ebp+var_2C]
		push	[ebp+var_1C]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_76D71B:				; CODE XREF: PfGetCompletedTrace+C4j
		xor	eax, eax
		mov	ecx, [ebp+var_1C]
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		mov	[ecx], ax
		push	10h
		pop	eax
		mov	[ecx+2], ax
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	esi, dword_6D4918
		mov	[ebp+var_30], esi
		mov	eax, dword_6D491C
		mov	[ebp+var_2C], eax
		mov	ecx, ds:0FFDF0004h
		mul	ecx
		mov	edi, eax
		mov	ebx, edx
		shld	ebx, edi, 8
		shl	edi, 8
		mov	eax, esi
		mul	ecx
		shrd	eax, edx, 18h
		shr	edx, 18h
		add	edi, eax
		adc	ebx, edx
		mov	ecx, [ebp+var_1C]
		mov	[ecx+8], edi
		mov	[ecx+0Ch], ebx
		nop
		add	ecx, 10h
		mov	ebx, [ebp+var_20]
		push	dword ptr [ebx+10h] ; size_t
		lea	eax, [ebx+8]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_3C]

loc_76D796:				; CODE XREF: sub_8D89C0+10j
		xor	eax, eax
		mov	edi, offset unk_6D4400
		inc	eax
		test	esi, esi
		js	loc_8D89D5
		mov	edx, [ebp+arg_4]
		mov	eax, [ebp+var_38]
		mov	[edx], eax
		mov	ecx, ebx
		call	_PfTFreeTraceDump@4 ; PfTFreeTraceDump(x)
		xor	esi, esi

loc_76D7B7:				; CODE XREF: PfGetCompletedTrace+19Fj
					; PfGetCompletedTrace+1C7j ...
		cmp	[ebp+var_28], 0
		jnz	short loc_76D811

loc_76D7BD:				; CODE XREF: PfGetCompletedTrace+1D0j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_76D7D1:				; CODE XREF: PfGetCompletedTrace+47j
		mov	eax, offset unk_6D43DC
		mov	[ebp+var_24], offset dword_6D43EC
		jmp	loc_76D6A1
; 

loc_76D7E2:				; CODE XREF: PfGetCompletedTrace+B4j
		mov	esi, 8000001Ah
		jmp	short loc_76D7B7
; 

loc_76D7E9:				; CODE XREF: PfGetCompletedTrace+35j
		mov	dword_6D43FC, ebx
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, offset unk_6D4320
		call	PfFbBufferListFlushStandby
		jmp	loc_76D670
; 

loc_76D805:				; CODE XREF: PfGetCompletedTrace+7Bj
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	esi, 0C0000023h
		jmp	short loc_76D7B7
; 

loc_76D811:				; CODE XREF: PfGetCompletedTrace+173j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	short loc_76D7BD
; 

loc_76D81A:				; CODE XREF: PfGetCompletedTrace+86j
					; PfGetCompletedTrace+8Fj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PfGetCompletedTrace endp


PfTTraceListAdd:			; CODE XREF: PfpSectInfoHandleFullBuffer(x)+80p
					; PfTGenerateTrace()+34p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [esp+10h]
		mov	edi, ecx
		mov	ecx, offset unk_6D4400
		mov	[esp+14h], eax
		mov	[esp+10h], eax
		call	ExAcquireFastMutex
		call	_PFP_CAN_DO_ACCESS_LOGGING@0 ; PFP_CAN_DO_ACCESS_LOGGING()
		cmp	dword ptr [edi+14h], 1
		mov	ebx, eax
		jz	loc_76D8EB
		mov	eax, dword_6D43EC
		mov	esi, offset unk_6D43DC
		mov	edx, dword_6D43F0
		inc	eax
		mov	ecx, offset dword_6D43EC
		cmp	eax, edx
		jz	loc_8D8A0C

loc_76D875:				; CODE XREF: PAGE:008D8A12j
		mov	dword_6D43FC, 1

loc_76D87F:				; CODE XREF: PAGE:0076D903j
					; PAGE:008D8A07j
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_76D916
		mov	[edi], esi
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[esi+4], edi
		inc	dword ptr [ecx]
		cmp	[ecx], edx
		ja	loc_8D8A17

loc_76D89E:				; CODE XREF: PAGE:008D8A24j
		xor	edi, edi
		cmp	esi, offset unk_6D43DC
		jnz	short loc_76D8AC
		cmp	[esi], esi
		jz	short loc_76D90E

loc_76D8AC:				; CODE XREF: PAGE:0076D8A6j
					; PAGE:0076D914j
		test	ebx, ebx
		jz	short loc_76D8BD
		call	_PFP_CAN_DO_ACCESS_LOGGING@0 ; PFP_CAN_DO_ACCESS_LOGGING()
		test	eax, eax
		jz	loc_8D8A29

loc_76D8BD:				; CODE XREF: PAGE:0076D8AEj
					; PAGE:008D8A35j
		push	edi
		push	edi
		push	dword_6D4420
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, offset unk_6D4400
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_76D8D4:				; CODE XREF: PAGE:008D8A62j
		mov	ecx, [esp+10h]
		lea	eax, [esp+10h]
		cmp	ecx, eax
		jnz	loc_8D8A3A
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_76D8EB:				; CODE XREF: PAGE:0076D851j
		mov	eax, dword_6D43F4
		mov	esi, offset unk_6D43E4
		mov	edx, dword_6D43F8
		inc	eax
		mov	ecx, offset dword_6D43F4
		cmp	eax, edx
		jnz	loc_76D87F
		jmp	loc_8D8A01
; 

loc_76D90E:				; CODE XREF: PAGE:0076D8AAj
		mov	dword_6D43FC, edi
		jmp	short loc_76D8AC
; 

loc_76D916:				; CODE XREF: PAGE:0076D884j
					; PAGE:008D8A41j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 10h
; Exported entry 1877. PsReferenceProcessFilePointer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReferenceProcessFilePointer(x, x)
		public _PsReferenceProcessFilePointer@8
_PsReferenceProcessFilePointer@8 proc near
					; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+50p
					; SepMandatorySubProcessToken+62p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [esi+0F0h]
		mov	ecx, edi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_76D96E
		mov	ecx, [esi+15Ch]
		test	ecx, ecx
		jz	short loc_76D967
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	ecx, eax
		call	MiReferenceControlAreaFile
		mov	ecx, edi
		mov	esi, eax
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		mov	[ecx], esi

loc_76D961:				; CODE XREF: PsReferenceProcessFilePointer(x,x)+53j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_76D967:				; CODE XREF: PsReferenceProcessFilePointer(x,x)+23j
		mov	ecx, edi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_76D96E:				; CODE XREF: PsReferenceProcessFilePointer(x,x)+19j
		mov	eax, 0C0000001h
		jmp	short loc_76D961
_PsReferenceProcessFilePointer@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCreateUserThreadEx proc near	; CODE XREF: ExpWorkerFactoryCreateThread+D4p
					; RtlCreateUserThread(x,x,x,x,x,x,x,x,x,x)+2Bp

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 008D8A67 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		mov	[ebp+var_3C], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_18]
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_20]
		mov	[ebp+var_38], eax
		xor	eax, eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		push	edi
		mov	edi, [ebp+arg_1C]
		test	ecx, 0FFFFFF88h
		jnz	loc_8D8A67
		mov	eax, ecx
		and	eax, 1
		test	cl, 2
		jnz	loc_8D8A71

loc_76D9D5:				; CODE XREF: RtlpCreateUserThreadEx+16B0FEj
		test	cl, 4
		jnz	loc_8D8A79

loc_76D9DE:				; CODE XREF: RtlpCreateUserThreadEx+16B106j
		test	cl, 10h
		jz	short loc_76D9E6
		or	eax, 10h

loc_76D9E6:				; CODE XREF: RtlpCreateUserThreadEx+6Bj
		test	cl, 20h
		jnz	loc_8D8A81

loc_76D9EF:				; CODE XREF: RtlpCreateUserThreadEx+16B10Ej
		test	cl, 40h
		jnz	loc_8D8A89

loc_76D9F8:				; CODE XREF: RtlpCreateUserThreadEx+16B116j
		xor	ecx, ecx
		mov	[ebp+var_54], 18h
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_34]
		mov	[ebp+var_1C], ecx
		lea	ecx, [ebp+var_28]
		push	ecx
		push	[ebp+arg_8]
		mov	[ebp+var_48], 200h
		push	[ebp+arg_C]
		mov	[ebp+var_44], ebx
		push	[ebp+arg_4]
		mov	[ebp+var_24], 10003h
		push	eax
		push	[ebp+var_38]
		lea	eax, [ebp+var_54]
		mov	[ebp+var_20], 8
		push	[ebp+var_3C]
		mov	[ebp+var_28], 14h
		push	edx
		push	eax
		push	1FFFFFh
		lea	eax, [ebp+var_2C]
		push	eax
		call	_ZwCreateThreadEx@44 ; ZwCreateThreadEx(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_76DA7B
		test	edi, edi
		jz	loc_8D8A91
		mov	eax, [ebp+var_2C]
		mov	[edi], eax

loc_76DA6A:				; CODE XREF: RtlpCreateUserThreadEx+16B123j
		test	esi, esi
		jz	short loc_76DA79
		mov	eax, [ebp+var_34]
		mov	[esi], eax
		mov	eax, [ebp+var_30]
		mov	[esi+4], eax

loc_76DA79:				; CODE XREF: RtlpCreateUserThreadEx+F6j
		xor	eax, eax

loc_76DA7B:				; CODE XREF: RtlpCreateUserThreadEx+E5j
					; RtlpCreateUserThreadEx+16B0F6j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	24h
RtlpCreateUserThreadEx endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1611. ObCloseHandle

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObCloseHandle
ObCloseHandle	proc near		; CODE XREF: ExpDeleteWorkerFactory(x)+4Bp
					; ExpWorkerFactoryCreateThread+119p ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 008D8A9E SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		test	_MmVerifierData, 100h
		push	ebx
		mov	bl, [ebp+arg_4]
		jnz	loc_8D8A9E

loc_76DAAF:				; CODE XREF: ObCloseHandle+16B00Ej
					; ObCloseHandle+16B020j ...
		mov	ecx, [ebp+arg_0]
		mov	dl, bl
		call	ObpCloseHandle
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
ObCloseHandle	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpCloseHandle	proc near		; CODE XREF: ObCloseHandle+22p
					; ObpSetDeviceMap+9E0AEp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 008D8AC2 SIZE 000000C2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+80h]
		mov	edi, ecx
		mov	[ebp+var_C], edx
		mov	byte ptr [ebp+var_1], 0
		mov	[ebp+var_10], eax
		mov	[ebp+var_2], 0
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jz	short loc_76DB42
		mov	eax, ds:_PsInitialSystemProcess
		xor	edi, 80000000h
		mov	esi, _ObpKernelHandleTable
		mov	[ebp+var_8], eax

loc_76DB04:				; CODE XREF: ObpCloseHandle+9Aj
					; ObpCloseHandle+B4j
		mov	eax, [ebp+var_10]
		dec	word ptr [eax+13Ch]
		nop
		mov	edx, edi
		mov	ecx, esi
		call	ExMapHandleToPointer
		test	eax, eax
		jz	loc_8D8AC2
		push	0
		push	[ebp+var_C]
		mov	edx, eax
		mov	ecx, esi
		push	edi
		mov	edi, [ebp+var_8]
		push	edi
		call	_ObCloseHandleTableEntry@24 ; ObCloseHandleTableEntry(x,x,x,x,x,x)
		mov	esi, eax

loc_76DB35:				; CODE XREF: ObpCloseHandle+16B0BFj
		cmp	[ebp+var_2], 0
		jnz	short loc_76DB76

loc_76DB3B:				; CODE XREF: ObpCloseHandle+A1j
					; ObpCloseHandle+C1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76DB42:				; CODE XREF: ObpCloseHandle+2Ej
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		mov	[ebp+var_8], ebx
		test	al, al
		jnz	short loc_76DB63
		mov	esi, [ebx+18Ch]
		cmp	esi, _ObpKernelHandleTable
		jnz	short loc_76DB04

loc_76DB5C:				; CODE XREF: ObpCloseHandle+AEj
		mov	esi, 0C0000008h
		jmp	short loc_76DB3B
; 

loc_76DB63:				; CODE XREF: ObpCloseHandle+8Cj
		mov	ecx, ebx
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_76DB5C
		mov	[ebp+var_2], 1
		jmp	short loc_76DB04
; 

loc_76DB76:				; CODE XREF: ObpCloseHandle+79j
		lea	ecx, [edi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_76DB3B
ObpCloseHandle	endp

; 
		align 8
; Exported entry 835. IoFreeMiniCompletionPacket

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoFreeMiniCompletionPacket(x)
		public _IoFreeMiniCompletionPacket@4
_IoFreeMiniCompletionPacket@4 proc near	; CODE XREF: ExpDeleteWorkerFactory(x)+61p
					; AlpcpDeferredFreeCompletionPacketLookaside(x)+13p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		and	dword ptr [ecx+1Ch], 0
		call	_IopFreeMiniCompletionPacket@4 ; IopFreeMiniCompletionPacket(x)
		pop	ebp
		retn	4
_IoFreeMiniCompletionPacket@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQueryDefaultLocale proc near		; DATA XREF: .text:00580EA4o

var_24		= dword	ptr -24h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		push	14h
		push	offset dword_6A0AB0
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+ms_exc.disabled], edx
		mov	eax, large fs:124h
		mov	[ebp+var_24], eax
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		test	al, al
		jz	short loc_76DBD5
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_76DC0D

loc_76DBD1:				; CODE XREF: NtQueryDefaultLocale+71j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_76DBD5:				; CODE XREF: NtQueryDefaultLocale+25j
		cmp	[ebp+arg_0], 0
		jnz	short loc_76DC01
		mov	ecx, ds:_PsDefaultSystemLocaleId
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx

loc_76DBE6:				; CODE XREF: NtQueryDefaultLocale+6Dj
					; sub_8D8B94+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_76DC01:				; CODE XREF: NtQueryDefaultLocale+3Bj
		call	_MmGetSessionLocaleId@0	; MmGetSessionLocaleId()
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		jmp	short loc_76DBE6
; 

loc_76DC0D:				; CODE XREF: NtQueryDefaultLocale+31j
		mov	ecx, eax
		jmp	short loc_76DBD1
NtQueryDefaultLocale endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTraceThread	proc near		; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+5CDp
					; PspExitThread+2F2p

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= byte ptr -5Ch
var_5B		= byte ptr -5Bh
var_5A		= byte ptr -5Ah
var_59		= byte ptr -59h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	8Ch
		push	offset dword_6A0AD0
		call	__SEH_prolog4_GS
		mov	[ebp+var_98], edx
		mov	esi, ecx
		mov	[ebp+var_88], esi
		mov	[ebp+var_94], 2
		xor	ebx, ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_8C], (offset loc_501902+1)
		mov	eax, ds:_EtwpHostSiloState
		add	eax, 0A48h
		jz	short loc_76DC61
		test	byte ptr [eax],	2
		jz	short loc_76DC61
		push	[ebp+arg_0]
		call	EtwpPsProvTraceThread

loc_76DC61:				; CODE XREF: EtwTraceThread+40j
					; EtwTraceThread+45j
		mov	eax, [esi+2ACh]
		mov	[ebp+var_84], eax
		mov	eax, [esi+2B0h]
		mov	[ebp+var_80], eax
		mov	eax, [esi+28h]
		mov	[ebp+var_7C], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_78], eax
		mov	eax, [esi+164h]
		mov	[ebp+var_6C], eax
		mov	eax, [esi+2DCh]
		mov	[ebp+var_68], eax
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], ebx
		mov	eax, [esi+0A8h]
		mov	[ebp+var_9C], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], ebx
		mov	al, [esi+15Bh]
		mov	[ebp+var_5C], al
		mov	ecx, esi
		call	_PsGetPagePriorityThread@4 ; PsGetPagePriorityThread(x)
		mov	[ebp+var_5B], al
		mov	ecx, esi
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		mov	[ebp+var_5A], al
		mov	[ebp+var_59], bl
		cmp	byte ptr [ebp+arg_0], bl
		jnz	loc_76DD89
		mov	[ebp+var_90], 502h
		mov	[ebp+var_8C], 4501903h
		mov	ecx, [ebp+var_9C]
		test	ecx, ecx
		jz	short loc_76DD16
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ecx+0F60h]
		mov	[ebp+var_60], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_74], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_70], eax

loc_76DD0F:				; CODE XREF: EtwTraceThread+1B0j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_76DD16:				; CODE XREF: EtwTraceThread+DFj
					; EtwTraceThread+19Ej ...
		lea	eax, [ebp+var_84]
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], 2Ch
		mov	[ebp+var_48], ebx
		mov	eax, [esi+394h]
		test	eax, eax
		jnz	loc_76DDC7

loc_76DD3A:				; CODE XREF: EtwTraceThread+1BAj
		mov	[ebp+var_44], offset _EtwpNull
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], 2
		mov	[ebp+var_38], ebx

loc_76DD4E:				; CODE XREF: EtwTraceThread+1FAj
					; EtwTraceThread+21Ej
		push	[ebp+var_8C]
		push	[ebp+var_90]
		push	2
		push	[ebp+var_94]
		push	dword ptr [esi+150h]
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		lea	edx, [ebp+var_54]
		mov	ecx, eax
		call	EtwTraceSiloKernelEvent
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_76DD89:				; CODE XREF: EtwTraceThread+BDj
		mov	[ebp+var_90], 501h
		mov	ecx, [ebp+var_98]
		test	ecx, ecx
		jz	short loc_76DDA9
		mov	eax, [ecx+8]
		mov	[ebp+var_74], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_70], eax

loc_76DDA9:				; CODE XREF: EtwTraceThread+189j
		call	_PsGetCurrentThreadTeb@0 ; PsGetCurrentThreadTeb()
		test	eax, eax
		jz	loc_76DD16
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [eax+0F60h]
		mov	[ebp+var_60], eax
		jmp	loc_76DD0F
; 

loc_76DDC7:				; CODE XREF: EtwTraceThread+122j
		mov	edx, [eax+4]
		test	edx, edx
		jz	loc_76DD3A
		movzx	ecx, word ptr [eax]
		mov	[ebp+var_88], ecx
		mov	ecx, 800h
		cmp	word ptr [ebp+var_88], cx
		jnb	short loc_76DDF2
		mov	ecx, [ebp+var_88]
		movzx	ecx, cx

loc_76DDF2:				; CODE XREF: EtwTraceThread+1D5j
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ebx
		test	ecx, ecx
		jz	short loc_76DE12
		shr	ecx, 1
		mov	eax, [eax+4]
		cmp	[eax+ecx*2-2], bx
		jz	loc_76DD4E

loc_76DE12:				; CODE XREF: EtwTraceThread+1EEj
		mov	[ebp+var_34], offset _EtwpNull
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], 2
		mov	[ebp+var_28], ebx
		mov	[ebp+var_94], 3
		jmp	loc_76DD4E
EtwTraceThread	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpPsProvTraceThread proc near		; CODE XREF: EtwTraceThread+4Ap

var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

		push	0ECh
		push	offset dword_6A0AF8
		call	__SEH_prolog4_GS
		mov	[ebp+var_F4], edx
		mov	[ebp+var_D0], ecx
		xor	esi, esi
		mov	[ebp+var_E8], esi
		mov	[ebp+var_E4], esi
		mov	[ebp+var_D4], esi
		mov	[ebp+var_D8], esi
		mov	[ebp+var_DC], esi
		cmp	[ebp+arg_0], 0
		jnz	loc_76E07A
		mov	[ebp+var_E0], offset _ThreadStop
		mov	eax, ecx
		mov	eax, [eax+0A8h]
		test	eax, eax
		jz	short loc_76DEAB
		mov	[ebp+ms_exc.disabled], 1

loc_76DE98:				; CODE XREF: EtwpPsProvTraceThread+25Ej
		mov	eax, [eax+0F60h]
		mov	[ebp+var_DC], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_76DEAB:				; CODE XREF: EtwpPsProvTraceThread+59j
					; EtwpPsProvTraceThread+255j ...
		mov	edi, [ebp+var_D0]
		mov	eax, [edi+2ACh]
		mov	[ebp+var_EC], eax
		lea	eax, [ebp+var_EC]
		mov	[ebp+var_CC], eax
		mov	[ebp+var_C8], esi
		push	4
		pop	ebx
		mov	[ebp+var_C4], ebx
		mov	[ebp+var_C0], esi
		mov	eax, [edi+2B0h]
		mov	[ebp+var_F0], eax
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_BC], eax
		mov	[ebp+var_B8], esi
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_B0], esi
		lea	eax, [edi+28h]
		mov	[ebp+var_AC], eax
		mov	[ebp+var_A8], esi
		mov	[ebp+var_A4], ebx
		mov	[ebp+var_A0], esi
		lea	eax, [edi+24h]
		mov	[ebp+var_9C], eax
		mov	[ebp+var_98], esi
		mov	[ebp+var_94], ebx
		mov	[ebp+var_90], esi
		cmp	[ebp+arg_0], 0
		jnz	loc_76E099
		mov	eax, edi
		mov	ecx, [eax+0A8h]
		test	ecx, ecx
		jz	short loc_76DF74
		mov	[ebp+ms_exc.disabled], 2
		mov	eax, [ecx+4]
		mov	[ebp+var_D4], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_D8], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_76DF74:				; CODE XREF: EtwpPsProvTraceThread+11Cj
					; EtwpPsProvTraceThread+26Bj ...
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_8C], eax
		mov	[ebp+var_88], esi
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], esi
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], esi
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], esi
		xor	edx, edx
		inc	edx
		mov	edi, [ebp+var_D0]
		mov	ecx, edi
		call	_PsQueryThreadStartAddress@8 ; PsQueryThreadStartAddress(x,x)
		lea	ecx, [ebp+var_FC]
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], esi
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], esi
		mov	eax, [edi+2DCh]
		mov	[ebp+var_FC], eax
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], esi
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], esi
		lea	eax, [edi+0A8h]
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], esi
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], esi
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], esi
		push	0Ah
		pop	eax
		cmp	[ebp+arg_0], 0
		jnz	short loc_76E048
		mov	[ebp+var_F8], esi
		mov	[ebp+var_F4], esi

loc_76E014:				; CODE XREF: EtwpPsProvTraceThread+28Aj
		mov	eax, [edi+34h]
		mov	ecx, [edi+30h]
		cmp	eax, [edi+38h]
		jnz	loc_76E0BE
		mov	[ebp+var_E8], ecx
		mov	[ebp+var_E4], eax
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], 8
		mov	[ebp+var_20], esi
		push	0Bh
		pop	eax

loc_76E048:				; CODE XREF: EtwpPsProvTraceThread+1D0j
		lea	ecx, [ebp+var_CC]
		push	ecx
		push	eax
		push	esi
		push	[ebp+var_E0]
		push	dword_6BC18C
		push	_EtwpPsProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_76E07A:				; CODE XREF: EtwpPsProvTraceThread+3Fj
		mov	[ebp+var_E0], offset _ThreadStart
		call	_PsGetCurrentThreadTeb@0 ; PsGetCurrentThreadTeb()
		test	eax, eax
		jz	loc_76DEAB
		mov	[ebp+ms_exc.disabled], esi
		jmp	loc_76DE98
; 

loc_76E099:				; CODE XREF: EtwpPsProvTraceThread+10Cj
		mov	ecx, [ebp+var_F4]
		test	ecx, ecx
		jz	loc_76DF74
		mov	eax, [ecx+8]
		mov	[ebp+var_D4], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_D8], eax
		jmp	loc_76DF74
; 

loc_76E0BE:				; CODE XREF: EtwpPsProvTraceThread+1E7j
		pause
		jmp	loc_76E014
EtwpPsProvTraceThread endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PsQuerySystemDllInfo(x)
_PsQuerySystemDllInfo@4	proc near	; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+1B7p
					; DbgkCreateThread+133p ...
		mov	eax, ds:_PspSystemDlls[ecx*4]
		test	eax, eax
		jnz	short loc_76E0D4

loc_76E0D1:				; CODE XREF: PsQuerySystemDllInfo(x)+12j
		xor	eax, eax
		retn
; 

loc_76E0D4:				; CODE XREF: PsQuerySystemDllInfo(x)+9j
		cmp	dword ptr [eax+14h], 0
		jz	short loc_76E0D1
		add	eax, 8
		retn
_PsQuerySystemDllInfo@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspBuildCreateProcessContext(x, x, x, x)
_PspBuildCreateProcessContext@16 proc near ; CODE XREF:	NtCreateThreadEx+C0p
					; PAGE:007A2B50p

var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	108h
		push	offset dword_6A0B30
		call	__SEH_prolog4_GS
		mov	eax, edx
		mov	[ebp+var_58], eax
		mov	[ebp+var_E4], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_108], eax
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_50], esi
		mov	[ebp+var_F4], esi
		mov	[ebp+var_C0], esi
		mov	[ebp+var_F8], esi
		xor	edx, edx
		mov	[ebp+var_D0], edx
		mov	[ebp+var_80], edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_CC], edx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_4C]
		rep stosd
		mov	[ebp+var_10C], edx
		mov	[ebp+var_B4], edx
		mov	[ebp+var_B0], edx
		mov	[ebp+var_BC], edx
		mov	[ebp+var_B8], edx
		mov	[ebp+var_84], edx
		mov	[ebp+var_94], edx
		mov	[ebp+var_90], edx
		mov	[ebp+var_D4], edx
		mov	[ebp+var_98], edx
		mov	[ebp+var_C4], edx
		mov	[ebp+var_E8], edx
		mov	[ebp+var_78], edx
		mov	[ebp+var_6C], edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_AC], edx
		mov	[ebp+var_9C], edx
		mov	[ebp+var_D8], edx
		mov	[ebp+var_C8], edx
		mov	[ebp+var_8C], edx
		mov	[ebp+var_A0], edx
		mov	[ebp+var_110], edx
		mov	[ebp+var_DC], edx
		mov	[ebp+var_FC], edx
		mov	[ebp+var_A8], edx
		mov	[ebp+var_88], edx
		mov	[ebp+var_EC], edx
		mov	[ebp+var_F0], edx
		mov	[ebp+var_100], edx
		mov	[ebp+var_A4], edx
		mov	eax, [ebp+var_58]
		mov	[esi], al
		mov	[ebp+ms_exc.disabled], edx
		test	al, al
		jz	short loc_76E214
		mov	ecx, ebx
		test	bl, 3
		jnz	loc_76F15E
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_76E20E
		mov	ecx, eax

loc_76E20E:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+12Cj
		nop
		mov	al, [ecx]
		mov	eax, [ebp+var_58]

loc_76E214:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+118j
		mov	ecx, [ebx]
		mov	[ebp+var_7C], ecx
		cmp	ecx, 14h
		jnb	short loc_76E22F

loc_76E21E:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+187j
					; PspBuildCreateProcessContext(x,x,x,x)+9E4j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		jmp	loc_76F14C
; 

loc_76E22F:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+13Ej
		test	al, al
		jz	short loc_76E25D
		lea	eax, [ecx-14h]
		test	eax, eax
		jz	short loc_76E25D
		test	bl, 3
		jnz	loc_76F15E
		lea	eax, [ebx+ecx]
		mov	[ebp+var_60], eax
		mov	edi, ds:_MmUserProbeAddress
		cmp	eax, edi
		ja	short loc_76E25B
		lea	eax, [ebx+14h]
		cmp	[ebp+var_60], eax
		jnb	short loc_76E25D

loc_76E25B:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+173j
		mov	[edi], dl

loc_76E25D:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+153j
					; PspBuildCreateProcessContext(x,x,x,x)+15Aj ...
		lea	eax, [ecx-4]
		mov	[ebp+var_7C], eax
		test	al, 0Fh
		jnz	short loc_76E21E
		shr	eax, 4
		mov	[ebp+var_7C], eax
		add	ebx, 4
		mov	[ebp+var_5C], ebx

loc_76E273:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+799j
		test	eax, eax
		jz	loc_76F0B8
		mov	eax, [ebx]
		mov	[ebp+var_114], eax
		cmp	[ebp+arg_0], 0
		jz	short loc_76E29A
		test	eax, 10000h
		jnz	short loc_76E29A

loc_76E290:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+1C6j
					; PspBuildCreateProcessContext(x,x,x,x)+1DAj ...
		mov	esi, 0C000000Dh
		jmp	loc_76F0BA
; 

loc_76E29A:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+1A9j
					; PspBuildCreateProcessContext(x,x,x,x)+1B0j
		test	eax, 20000h
		jz	short loc_76E2A6
		cmp	[ebx+0Ch], edx
		jnz	short loc_76E290

loc_76E2A6:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+1C1j
		xor	edi, edi
		inc	edi
		mov	cl, al
		shl	edi, cl
		mov	[ebp+var_118], edi
		mov	ecx, [esi+4]
		test	edi, ecx
		jnz	short loc_76E290
		or	edi, ecx
		mov	[esi+4], edi
		cmp	eax, 20015h
		ja	loc_76EA41
		jz	loc_76E9FB
		cmp	eax, 20009h
		ja	loc_76E670
		jz	loc_76E62A
		sub	eax, 6
		jz	loc_76E5A4
		sub	eax, 0FFFDh
		jz	loc_76E529
		sub	eax, 1
		jz	loc_76E4AD
		sub	eax, 10001h
		jz	loc_76E40B
		dec	eax
		sub	eax, 1
		jz	short loc_76E356
		sub	eax, 1
		jnz	loc_76E290
		cmp	dword ptr [ebx+4], 1
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[ebp+var_C4], eax
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76E349
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_76E33D
		mov	eax, ecx

loc_76E33D:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+25Bj
		nop
		mov	al, [eax]
		mov	ebx, [ebp+var_5C]
		mov	eax, [ebp+var_C4]

loc_76E349:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+251j
		mov	al, [eax]
		mov	[esi+94h], al
		jmp	loc_76E86A
; 

loc_76E356:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+22Fj
		mov	eax, [ebx+4]
		mov	[ebp+var_64], eax
		mov	[ebp+var_6C], eax
		test	eax, eax
		jz	loc_76E290
		test	al, 7
		jnz	loc_76E290
		mov	ecx, [ebx+8]
		mov	[ebp+var_68], ecx
		mov	[ebp+var_E8], ecx
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76E3A6
		test	cl, 3
		jnz	loc_76F15E
		lea	edi, [ecx+eax]
		mov	esi, ds:_MmUserProbeAddress
		mov	[ebp+var_60], esi
		cmp	edi, esi
		mov	esi, [ebp+var_50]
		ja	short loc_76E3A1
		cmp	edi, ecx
		jnb	short loc_76E3A6

loc_76E3A1:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+2BDj
		mov	edi, [ebp+var_60]
		mov	[edi], dl

loc_76E3A6:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+2A1j
					; PspBuildCreateProcessContext(x,x,x,x)+2C1j
		mov	edi, [ebp+var_F8]
		cmp	eax, 8
		ja	short loc_76E3BF
		lea	edx, [esi+0A0h]
		mov	[edi+0A8h], edx
		jmp	short loc_76E3EF
; 

loc_76E3BF:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+2D1j
		push	6C527350h
		push	eax
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	[edi+0A8h], eax
		mov	edx, [esi+0A8h]
		test	edx, edx
		jnz	short loc_76E3E9

loc_76E3DF:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+397j
					; PspBuildCreateProcessContext(x,x,x,x)+676j ...
		mov	esi, 0C000009Ah
		jmp	loc_76F0BA
; 

loc_76E3E9:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+2FFj
		mov	eax, [ebp+var_64]
		mov	ecx, [ebp+var_68]

loc_76E3EF:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+2DFj
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_64]
		shr	eax, 3
		mov	[esi+9Ch], eax
		jmp	loc_76E4A6
; 

loc_76E40B:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+225j
		mov	eax, [ebx+4]
		mov	[ebp+var_64], eax
		mov	[ebp+var_6C], eax
		test	eax, eax
		jz	loc_76E290
		test	al, 1
		jnz	loc_76E290
		cmp	eax, 0FFFFh
		ja	loc_76E290
		mov	ecx, [ebx+8]
		mov	[ebp+var_68], ecx
		mov	[ebp+var_10C], ecx
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76E45D
		lea	edi, [ecx+eax]
		mov	esi, ds:_MmUserProbeAddress
		mov	[ebp+var_60], esi
		cmp	edi, esi
		mov	esi, [ebp+var_50]
		ja	short loc_76E458
		cmp	edi, ecx
		jnb	short loc_76E45D

loc_76E458:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+374j
		mov	ecx, [ebp+var_60]
		mov	[ecx], dl

loc_76E45D:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+361j
					; PspBuildCreateProcessContext(x,x,x,x)+378j
		push	6E467350h
		push	eax
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	[ebp+var_D0], eax
		test	eax, eax
		jz	loc_76E3DF
		and	dword ptr [esi+8Ch], 0
		mov	edi, [ebp+var_64]
		mov	[esi+8Eh], di
		mov	[esi+90h], eax
		push	edi		; size_t
		push	[ebp+var_68]	; void *
		push	eax		; void *
		call	_memcpy
		mov	[esi+8Ch], di

loc_76E4A3:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+DC2j
		add	esp, 0Ch

loc_76E4A6:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+328j
					; PspBuildCreateProcessContext(x,x,x,x)+898j ...
		xor	edx, edx
		jmp	loc_76E86A
; 

loc_76E4AD:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+21Aj
		cmp	dword ptr [ebx+4], 4
		jnz	loc_76E290
		mov	ecx, [ebx+8]
		mov	[ebp+var_C8], ecx
		mov	eax, [ebp+var_58]
		test	al, al
		jz	short loc_76E4EB
		test	cl, 3
		jnz	loc_76F15E
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_76E4DB
		mov	[eax], dl

loc_76E4DB:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+3F9j
		mov	al, [ecx]
		mov	ecx, [ebp+var_C8]
		mov	[ecx], al
		mov	ebx, [ebp+var_5C]
		mov	eax, [ebp+var_58]

loc_76E4EB:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+3E7j
		mov	[esi+10h], ecx
		mov	ecx, [ebx+0Ch]
		mov	[ebp+var_78], ecx
		test	ecx, ecx
		jz	loc_76E86A
		test	al, al
		jz	short loc_76E51E
		test	cl, 3
		jnz	loc_76F15E
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_76E514
		mov	[eax], dl

loc_76E514:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+432j
		mov	al, [ecx]
		mov	ecx, [ebp+var_78]
		mov	[ecx], al
		mov	ebx, [ebp+var_5C]

loc_76E51E:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+420j
		mov	dword ptr [ecx], 4
		jmp	loc_76E86A
; 

loc_76E529:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+211j
		push	8
		pop	edi
		cmp	[ebx+4], edi
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[ebp+var_80], eax
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76E568
		test	al, 3
		jnz	loc_76F15E
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_76E555
		mov	[ecx], dl

loc_76E555:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+473j
		mov	al, [eax]
		mov	ecx, [ebp+var_80]
		mov	[ecx], al
		mov	al, [ecx+4]
		mov	[ecx+4], al
		mov	eax, [ebp+var_80]
		mov	ebx, [ebp+var_5C]

loc_76E568:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+461j
		mov	[esi+0Ch], eax
		mov	ecx, [ebx+0Ch]
		mov	[ebp+var_78], ecx
		test	ecx, ecx
		jz	loc_76E86A
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76E59D
		test	cl, 3
		jnz	loc_76F15E
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_76E593
		mov	[eax], dl

loc_76E593:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+4B1j
		mov	al, [ecx]
		mov	ecx, [ebp+var_78]
		mov	[ecx], al
		mov	ebx, [ebp+var_5C]

loc_76E59D:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+49Fj
		mov	[ecx], edi
		jmp	loc_76E86A
; 

loc_76E5A4:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+206j
		cmp	dword ptr [ebx+4], 30h
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[ebp+var_84], eax
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76E5EA
		test	al, 3
		jnz	loc_76F15E
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_76E5D1
		mov	[ecx], dl

loc_76E5D1:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+4EFj
		mov	al, [eax]
		mov	ecx, [ebp+var_84]
		mov	[ecx], al
		mov	al, [ecx+2Ch]
		mov	[ecx+2Ch], al
		mov	ebx, [ebp+var_5C]
		mov	eax, [ebp+var_84]

loc_76E5EA:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+4DDj
		mov	[esi+14h], eax
		mov	ecx, [ebx+0Ch]
		mov	[ebp+var_78], ecx
		test	ecx, ecx
		jz	loc_76E86A
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76E61F
		test	cl, 3
		jnz	loc_76F15E
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_76E615
		mov	[eax], dl

loc_76E615:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+533j
		mov	al, [ecx]
		mov	ecx, [ebp+var_78]
		mov	[ecx], al
		mov	ebx, [ebp+var_5C]

loc_76E61F:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+521j
		mov	dword ptr [ecx], 30h
		jmp	loc_76E86A
; 

loc_76E62A:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+1FDj
		cmp	dword ptr [ebx+4], 4
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[ebp+var_CC], eax
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76E663
		test	al, 3
		jnz	loc_76F15E
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_76E657
		mov	eax, ecx

loc_76E657:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+575j
		nop
		mov	al, [eax]
		mov	ebx, [ebp+var_5C]
		mov	eax, [ebp+var_CC]

loc_76E663:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+563j
		mov	eax, [eax]
		mov	[esi+0C0h], eax
		jmp	loc_76E86A
; 

loc_76E670:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+1F7j
		sub	eax, 2000Ah
		jz	loc_76E97B
		sub	eax, 1
		jz	loc_76E8EF
		dec	eax
		sub	eax, 1
		jz	loc_76E87C
		push	3
		pop	ecx
		sub	eax, ecx
		jz	loc_76E7E2
		sub	eax, ecx
		jz	short loc_76E6EC
		sub	eax, 1
		jnz	loc_76E290
		cmp	dword ptr [ebx+4], 4
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[ebp+var_8C], eax
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76E6DF
		test	al, cl
		jnz	loc_76F15E
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_76E6D3
		mov	eax, ecx

loc_76E6D3:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+5F1j
		nop
		mov	al, [eax]
		mov	ebx, [ebp+var_5C]
		mov	eax, [ebp+var_8C]

loc_76E6DF:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+5DFj
		mov	eax, [eax]
		mov	[esi+0FCh], eax
		jmp	loc_76E86A
; 

loc_76E6EC:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+5BDj
		mov	eax, [ebx+4]
		mov	[ebp+var_64], eax
		mov	[ebp+var_6C], eax
		test	eax, eax
		jz	loc_76E290
		test	al, cl
		jnz	loc_76E290
		mov	ecx, [ebx+8]
		mov	[ebp+var_68], ecx
		mov	[ebp+var_B0], ecx
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76E73C
		test	cl, 3
		jnz	loc_76F15E
		lea	edi, [ecx+eax]
		mov	esi, ds:_MmUserProbeAddress
		mov	[ebp+var_60], esi
		cmp	edi, esi
		mov	esi, [ebp+var_50]
		ja	short loc_76E737
		cmp	edi, ecx
		jnb	short loc_76E73C

loc_76E737:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+653j
		mov	ecx, [ebp+var_60]
		mov	[ecx], dl

loc_76E73C:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+637j
					; PspBuildCreateProcessContext(x,x,x,x)+657j
		push	6C4A7350h
		push	eax
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	[esi+0F0h], eax
		test	eax, eax
		jz	loc_76E3DF
		mov	edi, [ebp+var_64]
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		shr	edi, 2
		mov	[esi+0F8h], edi
		xor	edx, edx
		mov	edi, edx
		mov	[ebp+var_94], edi
		mov	eax, edx
		mov	[ebp+var_64], eax

loc_76E781:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+702j
		cmp	eax, [esi+0F8h]
		jnb	loc_76E86A
		push	edx
		lea	eax, [ebp+var_90]
		push	eax
		push	6C4A7350h
		push	[ebp+var_58]
		push	ds:_PsJobType
		push	1
		mov	eax, [ebp+var_68]
		push	dword ptr [eax+edi*4]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_54], esi
		test	esi, esi
		js	loc_76F0BD
		mov	esi, [ebp+var_50]
		mov	ecx, [esi+0F0h]
		mov	eax, [ebp+var_90]
		mov	[ecx+edi*4], eax
		mov	edi, [ebp+var_64]
		inc	edi
		mov	[ebp+var_94], edi
		mov	eax, edi
		mov	[ebp+var_64], edi
		xor	edx, edx
		jmp	short loc_76E781
; 

loc_76E7E2:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+5B5j
		mov	edx, [ebx+4]
		mov	[ebp+var_6C], edx
		cmp	edx, 18h
		ja	loc_76E290
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		rep stosd
		mov	ebx, [ebp+var_5C]
		cmp	byte ptr [ebp+var_58], al
		jz	short loc_76E823
		mov	eax, [ebx+8]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_76E812
		mov	eax, ecx

loc_76E812:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+730j
		push	edx		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_4C]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		nop
		jmp	short loc_76E833
; 

loc_76E823:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+723j
		push	edx		; size_t
		push	dword ptr [ebx+8] ; void *
		lea	eax, [ebp+var_4C]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_76E833:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+743j
		sub	esp, 18h
		push	6
		pop	ecx
		lea	esi, [ebp+var_4C]
		mov	edi, esp
		rep movsd
		xor	cl, cl
		call	_PspValidateMitigationOptions@28 ; PspValidateMitigationOptions(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_54], esi
		test	esi, esi
		js	loc_76F0BD
		mov	edi, [ebp+var_50]
		add	edi, 0D0h
		lea	esi, [ebp+var_4C]

loc_76E860:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+A71j
		push	6
		pop	ecx
		rep movsd

loc_76E865:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+D4Cj
					; PspBuildCreateProcessContext(x,x,x,x)+EB3j
		xor	edx, edx

loc_76E867:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+D2Cj
		mov	esi, [ebp+var_50]

loc_76E86A:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+273j
					; PspBuildCreateProcessContext(x,x,x,x)+3CAj ...
		add	ebx, 10h
		mov	[ebp+var_5C], ebx
		mov	eax, [ebp+var_7C]
		dec	eax
		mov	[ebp+var_7C], eax
		jmp	loc_76E273
; 

loc_76E87C:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+5AAj
		cmp	dword ptr [ebx+4], 2
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[ebp+var_98], eax
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76E8B5
		test	al, 1
		jnz	loc_76F15E
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_76E8A9
		mov	eax, ecx

loc_76E8A9:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+7C7j
		nop
		mov	al, [eax]
		mov	ebx, [ebp+var_5C]
		mov	eax, [ebp+var_98]

loc_76E8B5:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+7B5j
		movzx	ecx, word ptr [eax]
		mov	edi, ecx
		mov	[ebp+var_D4], edi
		cmp	cx, ds:_KeNumberNodes
		jnb	loc_76E290
		lfence	eax
		mov	eax, ds:_KeNodeBlock[edi*4]
		cmp	[eax+84h], edx
		jz	loc_76E290
		mov	[esi+96h], di
		jmp	loc_76E86A
; 

loc_76E8EF:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+5A0j
		mov	eax, [ebx+4]
		mov	[ebp+var_64], eax
		mov	[ebp+var_6C], eax
		test	eax, eax
		jz	loc_76E290
		test	al, 3
		jnz	loc_76E290
		mov	ecx, [ebx+8]
		mov	[ebp+var_68], ecx
		mov	[ebp+var_B0], ecx
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76E93F
		test	cl, 3
		jnz	loc_76F15E
		lea	edi, [ecx+eax]
		mov	esi, ds:_MmUserProbeAddress
		mov	[ebp+var_60], esi
		cmp	edi, esi
		mov	esi, [ebp+var_50]
		ja	short loc_76E93A
		cmp	edi, ecx
		jnb	short loc_76E93F

loc_76E93A:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+856j
		mov	ecx, [ebp+var_60]
		mov	[ecx], dl

loc_76E93F:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+83Aj
					; PspBuildCreateProcessContext(x,x,x,x)+85Aj
		push	6C487350h
		push	eax
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	[esi+0B4h], eax
		test	eax, eax
		jz	loc_76E3DF
		mov	edi, [ebp+var_64]
		push	edi		; size_t
		push	[ebp+var_68]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		shr	edi, 2
		mov	[esi+0B0h], edi
		jmp	loc_76E4A6
; 

loc_76E97B:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+597j
		cmp	dword ptr [ebx+4], 8
		jnz	loc_76E290
		mov	ecx, [ebx+8]
		mov	[ebp+var_9C], ecx
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76E9B4
		test	cl, 3
		jnz	loc_76F15E
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_76E9A8
		mov	ecx, eax

loc_76E9A8:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+8C6j
		nop
		mov	al, [ecx]
		mov	ebx, [ebp+var_5C]
		mov	ecx, [ebp+var_9C]

loc_76E9B4:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+8B4j
		mov	eax, [ecx]
		test	al, 1Ch
		jz	short loc_76E9C4
		mov	esi, 0C00000BBh
		jmp	loc_76F0BA
; 

loc_76E9C4:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+8DAj
		and	eax, 3
		mov	[ebp+var_60], eax
		mov	[ebp+var_D8], eax
		cmp	al, 3
		jnb	loc_76E290
		shl	al, 2
		xor	al, [esi+9]
		and	al, 0Ch
		xor	[esi+9], al
		cmp	[ebp+var_60], 1
		jnz	loc_76E86A
		mov	eax, [ecx+4]
		mov	[esi+0ACh], eax
		jmp	loc_76E86A
; 

loc_76E9FB:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+1ECj
		cmp	dword ptr [ebx+4], 4
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[ebp+var_A0], eax
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76EA34
		test	al, 3
		jnz	loc_76F15E
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_76EA28
		mov	eax, ecx

loc_76EA28:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+946j
		nop
		mov	al, [eax]
		mov	ebx, [ebp+var_5C]
		mov	eax, [ebp+var_A0]

loc_76EA34:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+934j
		mov	eax, [eax]
		mov	[esi+100h], eax
		jmp	loc_76E86A
; 

loc_76EA41:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+1E6j
		cmp	eax, 3000Ch
		ja	loc_76EF9C
		jz	loc_76EF38
		sub	eax, 20016h
		jz	loc_76EEA5
		sub	eax, 1
		jz	loc_76EE2F
		sub	eax, 1
		jz	loc_76EB9A
		sub	eax, 1
		jz	loc_76EB54
		dec	eax
		sub	eax, 1
		jz	short loc_76EAD3
		dec	eax
		sub	eax, 1
		jnz	loc_76E290
		cmp	dword ptr [ebx+4], 4
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[ebp+var_DC], eax
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76EABC
		test	al, 3
		jnz	loc_76F15E
		lea	ecx, [eax+4]
		mov	edi, ds:_MmUserProbeAddress
		cmp	ecx, edi
		ja	short loc_76EABA
		cmp	ecx, eax
		jnb	short loc_76EABC

loc_76EABA:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+9D6j
		mov	[edi], dl

loc_76EABC:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+9C1j
					; PspBuildCreateProcessContext(x,x,x,x)+9DAj
		test	dword ptr [eax], 0FFFFFFFEh
		jnz	loc_76E21E
		mov	[esi+120h], eax
		jmp	loc_76E86A
; 

loc_76EAD3:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+99Ej
		mov	edx, [ebx+4]
		mov	[ebp+var_6C], edx
		cmp	edx, 18h
		ja	loc_76E290
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		mov	ebx, [ebp+var_5C]
		cmp	byte ptr [ebp+var_58], al
		jz	short loc_76EB14
		mov	eax, [ebx+8]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_76EB03
		mov	eax, ecx

loc_76EB03:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+A21j
		push	edx		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_34]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		nop
		jmp	short loc_76EB24
; 

loc_76EB14:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+A14j
		push	edx		; size_t
		push	dword ptr [ebx+8] ; void *
		lea	eax, [ebp+var_34]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_76EB24:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+A34j
		sub	esp, 18h
		push	6
		pop	ecx
		lea	esi, [ebp+var_34]
		mov	edi, esp
		rep movsd
		call	_PspValidateMitigationAuditOptions@24 ;	PspValidateMitigationAuditOptions(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_54], esi
		test	esi, esi
		js	loc_76F0BD
		mov	edi, [ebp+var_50]
		add	edi, 128h
		lea	esi, [ebp+var_34]
		jmp	loc_76E860
; 

loc_76EB54:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+994j
		cmp	dword ptr [ebx+4], 4
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[ebp+var_A4], eax
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76EB8D
		test	al, 3
		jnz	loc_76F15E
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_76EB81
		mov	eax, ecx

loc_76EB81:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+A9Fj
		nop
		mov	al, [eax]
		mov	ebx, [ebp+var_5C]
		mov	eax, [ebp+var_A4]

loc_76EB8D:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+A8Dj
		mov	eax, [eax]
		mov	[esi+110h], eax
		jmp	loc_76E86A
; 

loc_76EB9A:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+98Bj
		mov	ecx, [ebx+4]
		mov	[ebp+var_68], ecx
		mov	[ebp+var_6C], ecx
		cmp	ecx, 14h
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[ebp+var_70], eax
		mov	[ebp+var_A8], eax
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76EBE7
		test	al, 3
		jnz	loc_76F15E
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_76EBD2
		mov	eax, ecx

loc_76EBD2:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+AF0j
		nop
		mov	al, [eax]
		mov	ebx, [ebp+var_5C]
		mov	ecx, [ebp+var_6C]
		mov	[ebp+var_68], ecx
		mov	eax, [ebp+var_A8]
		mov	[ebp+var_70], eax

loc_76EBE7:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+ADEj
		push	70426E50h
		push	ecx
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	edi, eax
		lea	ecx, [esi+10Ch]
		mov	[ebp+var_64], ecx
		mov	[ecx], edi
		test	edi, edi
		jz	loc_76E3DF
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+ms_exc.disabled], 1
		xor	esi, esi
		mov	[ebp+var_AC], esi
		push	[ebp+var_68]	; size_t
		push	[ebp+var_70]	; void *
		push	dword ptr [ecx]	; void *
		call	_memcpy
		add	esp, 0Ch
		xor	edx, edx
		mov	[ebp+ms_exc.disabled], edx
		mov	edi, [ebp+var_50]
		jmp	short loc_76EC88
; 

loc_76EC3C:				; DATA XREF: .text:006A0B50o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_E0], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_76EC4D:				; DATA XREF: .text:006A0B54o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_E0]
		mov	[ebp+var_AC], esi
		mov	edi, [ebp+var_C0]
		mov	[ebp+var_50], edi
		mov	eax, [edi+10Ch]
		xor	edx, edx
		mov	[eax+4], edx
		mov	eax, [edi+10Ch]
		mov	[eax+0Ch], edx
		mov	[ebp+ms_exc.disabled], edx
		mov	ebx, [ebp+var_5C]
		mov	eax, [ebp+var_E4]
		mov	[ebp+var_58], eax

loc_76EC88:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+B5Cj
		test	esi, esi
		jns	short loc_76EC94

loc_76EC8C:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+CF5j
		mov	[ebp+var_54], esi
		jmp	loc_76F0C0
; 

loc_76EC94:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+BACj
		mov	eax, [ebp+var_64]
		mov	esi, [eax]
		mov	[ebp+var_68], esi
		mov	[ebp+var_100], esi
		mov	ecx, [esi+4]
		mov	[ebp+var_60], ecx
		mov	[ebp+var_EC], ecx
		mov	ecx, [esi+0Ch]
		mov	[ebp+var_70], ecx
		mov	[ebp+var_F0], ecx
		mov	[esi+4], edx
		mov	eax, [eax]
		mov	[eax+0Ch], edx
		movzx	ecx, word ptr [esi]
		test	cx, cx
		jz	short loc_76ED1E
		movzx	eax, word ptr [esi+2]
		cmp	cx, ax
		ja	loc_76EDCE
		test	cl, 1
		jnz	loc_76EDCE
		test	al, 1
		jnz	loc_76EDCE
		mov	ecx, 0FFFEh
		cmp	ax, cx
		ja	loc_76EDCE
		mov	esi, [ebp+var_60]
		test	esi, esi
		jz	loc_76EDCE
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76ED1E
		test	ax, ax
		jz	short loc_76ED1E
		add	eax, esi
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_76ED1C
		cmp	eax, esi
		jnb	short loc_76ED1E

loc_76ED1C:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+C38j
		mov	[ecx], dl

loc_76ED1E:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+BEAj
					; PspBuildCreateProcessContext(x,x,x,x)+C27j ...
		mov	eax, [ebp+var_64]
		mov	eax, [eax]
		mov	esi, [eax+8]
		mov	ecx, eax
		test	esi, esi
		jz	short loc_76ED7C
		cmp	[ebp+var_70], 0
		jz	loc_76EDCE
		cmp	esi, 0FFFFh
		ja	loc_76EDCE
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76ED7C
		shl	esi, 2
		test	esi, esi
		jz	short loc_76ED7C
		mov	ecx, [ebp+var_70]
		test	cl, 3
		jnz	loc_76F15E
		add	esi, ecx
		mov	edi, ds:_MmUserProbeAddress
		cmp	esi, edi
		ja	short loc_76ED6E
		mov	ecx, eax
		cmp	esi, [ebp+var_70]
		jnb	short loc_76ED7C

loc_76ED6E:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+C87j
		mov	[edi], dl
		mov	eax, [ebp+var_F4]
		mov	ecx, [eax+10Ch]

loc_76ED7C:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+C4Cj
					; PspBuildCreateProcessContext(x,x,x,x)+C68j ...
		mov	esi, edx
		mov	[ebp+var_88], esi
		mov	edi, [ebp+var_68]
		movzx	eax, word ptr [edi+2]
		mov	edi, eax
		mov	[ebp+var_74], edi
		test	ax, ax
		mov	edi, [ebp+var_68]
		jnz	short loc_76EDA8
		mov	edi, eax
		movzx	edi, di
		mov	[ebp+var_74], edi
		cmp	[ecx+8], edx
		mov	edi, [ebp+var_68]
		jbe	short loc_76EDD8

loc_76EDA8:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+CB8j
		push	70426E50h
		mov	ecx, [ecx+8]
		lea	eax, [eax+ecx*4]
		push	eax
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		mov	[ebp+var_88], esi
		movzx	eax, word ptr [edi+2]
		xor	edx, edx
		jmp	short loc_76EDDB
; 

loc_76EDCE:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+BF3j
					; PspBuildCreateProcessContext(x,x,x,x)+BFCj ...
		mov	esi, 0C000000Dh
		jmp	loc_76EC8C
; 

loc_76EDD8:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+CC8j
		mov	eax, [ebp+var_74]

loc_76EDDB:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+CEEj
		test	ax, ax
		jz	short loc_76EE02
		mov	[edi+4], esi
		movzx	ecx, word ptr [edi+2]
		push	ecx		; size_t
		push	[ebp+var_60]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		movzx	eax, word ptr [edi+2]
		add	esi, eax
		mov	[ebp+var_88], esi
		xor	edx, edx

loc_76EE02:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+D00j
		mov	ecx, [ebp+var_64]
		mov	eax, [ecx]
		cmp	[eax+8], edx
		jbe	loc_76E867
		mov	[eax+0Ch], esi
		mov	ecx, [ecx]
		mov	eax, [ecx+8]
		shl	eax, 2
		push	eax		; size_t
		push	[ebp+var_70]	; void *
		push	dword ptr [ecx+0Ch] ; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_76E865
; 

loc_76EE2F:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+982j
		mov	edi, [ebx+4]
		mov	[ebp+var_6C], edi
		cmp	edi, 20Ch
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[ebp+var_60], eax
		mov	[ebp+var_FC], eax
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76EE72
		lea	ecx, [eax+20Ch]
		mov	esi, ds:_MmUserProbeAddress
		mov	[ebp+var_74], esi
		cmp	ecx, esi
		mov	esi, [ebp+var_50]
		ja	short loc_76EE6D
		cmp	ecx, eax
		jnb	short loc_76EE72

loc_76EE6D:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+D89j
		mov	eax, [ebp+var_74]
		mov	[eax], dl

loc_76EE72:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+D73j
					; PspBuildCreateProcessContext(x,x,x,x)+D8Dj
		push	634F7350h
		push	edi
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	[esi+104h], eax
		test	eax, eax
		jz	loc_76E3DF
		push	edi		; size_t
		push	[ebp+var_60]	; void *
		push	eax		; void *
		call	_memcpy
		mov	[esi+108h], edi
		jmp	loc_76E4A3
; 

loc_76EEA5:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+979j
		cmp	dword ptr [ebx+4], 8
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[ebp+var_74], eax
		mov	[ebp+var_110], eax
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76EEDC
		test	al, 3
		jnz	loc_76F15E
		lea	ecx, [eax+8]
		mov	edi, ds:_MmUserProbeAddress
		cmp	ecx, edi
		ja	short loc_76EEDA
		cmp	ecx, eax
		jnb	short loc_76EEDC

loc_76EEDA:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+DF6j
		mov	[edi], dl

loc_76EEDC:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+DE1j
					; PspBuildCreateProcessContext(x,x,x,x)+DFAj
		push	77736350h
		push	8
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	edx, eax
		mov	[esi+11Ch], edx
		test	edx, edx
		jnz	short loc_76EF03
		mov	esi, 0C0000017h
		jmp	loc_76F0BA
; 

loc_76EF03:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+E19j
		mov	ecx, [ebp+var_74]
		mov	eax, [ecx]
		mov	[edx], eax
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		mov	eax, [esi+11Ch]
		test	byte ptr [eax],	3
		jz	loc_76E290
		mov	eax, [eax+4]
		test	eax, eax
		jz	loc_76E290
		cmp	eax, 6
		jbe	loc_76E4A6
		jmp	loc_76E290
; 

loc_76EF38:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+96Ej
		cmp	[ebp+arg_0], 0
		jz	loc_76E290
		cmp	dword ptr [ebx+4], 0Ch
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[ebp+var_B4], eax
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76EF7B
		test	al, 3
		jnz	loc_76F15E
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_76EF6F
		mov	eax, ecx

loc_76EF6F:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+E8Dj
		nop
		mov	al, [eax]
		mov	ebx, [ebp+var_5C]
		mov	eax, [ebp+var_B4]

loc_76EF7B:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+E7Bj
		lea	ecx, [esi+0C4h]
		mov	esi, eax
		mov	edi, ecx
		movsd
		movsd
		movsd
		mov	dl, 1
		call	_KeVerifyGroupAffinity@8 ; KeVerifyGroupAffinity(x,x)
		test	al, al
		jnz	loc_76E865
		jmp	loc_76E290
; 

loc_76EF9C:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+968j
		sub	eax, 3000Eh
		jz	loc_76F053
		sub	eax, 2FFF2h
		jz	loc_76F03E
		sub	eax, 1
		jz	short loc_76F029
		sub	eax, 1
		jz	short loc_76F014
		sub	eax, 0Fh
		jz	short loc_76EFEE
		sub	eax, 9
		jnz	loc_76E290
		cmp	dword ptr [ebx+4], 1
		jnz	loc_76E290
		cmp	[ebx+8], edx
		setz	cl
		dec	cl
		and	cl, 80h
		mov	al, [esi+9]
		and	al, 7Fh
		or	cl, al
		mov	[esi+9], cl
		jmp	loc_76E86A
; 

loc_76EFEE:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+EE1j
		cmp	dword ptr [ebx+4], 1
		jnz	loc_76E290
		mov	al, [ebx+8]
		mov	[esi+0E8h], al
		push	eax
		call	RtlValidProcessProtection
		test	al, al

loc_76F009:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+FD5j
		jnz	loc_76E4A6
		jmp	loc_76E290
; 

loc_76F014:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+EDCj
		cmp	dword ptr [ebx+4], 4
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[esi+5Ch], eax
		jmp	loc_76E86A
; 

loc_76F029:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+ED7j
		cmp	dword ptr [ebx+4], 4
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[esi+58h], eax
		jmp	loc_76E86A
; 

loc_76F03E:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+ECEj
		cmp	dword ptr [ebx+4], 4
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[esi+50h], eax
		jmp	loc_76E86A
; 

loc_76F053:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+EC3j
		cmp	[ebp+arg_0], 0
		jz	loc_76E290
		cmp	dword ptr [ebx+4], 4
		jnz	loc_76E290
		mov	eax, [ebx+8]
		mov	[ebp+var_B8], eax
		cmp	byte ptr [ebp+var_58], 0
		jz	short loc_76F096
		test	al, 1
		jnz	loc_76F15E
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_76F08A
		mov	eax, ecx

loc_76F08A:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+FA8j
		nop
		mov	al, [eax]
		mov	ebx, [ebp+var_5C]
		mov	eax, [ebp+var_B8]

loc_76F096:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+F96j
		mov	eax, [eax]
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_BC]
		push	eax
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	[esi+98h], eax
		cmp	eax, 0FFFFFFFFh
		jmp	loc_76F009
; 

loc_76F0B8:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+197j
		mov	esi, edx

loc_76F0BA:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+1B7j
					; PspBuildCreateProcessContext(x,x,x,x)+306j ...
		mov	[ebp+var_54], esi

loc_76F0BD:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+6D9j
					; PspBuildCreateProcessContext(x,x,x,x)+770j ...
		mov	edi, [ebp+var_50]

loc_76F0C0:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+BB1j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_76F0F3
; 

loc_76F0C9:				; DATA XREF: .text:006A0B44o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_104], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_76F0DA:				; DATA XREF: .text:006A0B48o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_104]
		mov	[ebp+var_54], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_C0]

loc_76F0F3:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+FE9j
		test	esi, esi
		js	short loc_76F143
		test	dword ptr [edi+4], 800h
		jz	short loc_76F13F
		push	offset _PspSortHandleList ; int	__cdecl	(*)(const void *,const void *)
		push	4		; size_t
		push	dword ptr [edi+0B0h] ; size_t
		push	dword ptr [edi+0B4h] ; void *
		call	_qsort
		add	esp, 10h
		mov	eax, [edi+0B4h]
		cmp	dword ptr [eax], 0
		jge	short loc_76F12B
		mov	esi, 0C000000Dh

loc_76F12B:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+1046j
		cmp	[ebp+var_108], 0
		setnz	dl
		mov	al, [edi+8]
		and	al, 0FEh
		or	dl, al
		mov	[edi+8], dl

loc_76F13F:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+1020j
		test	esi, esi
		jns	short loc_76F14A

loc_76F143:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+1017j
		mov	ecx, edi
		call	PspDeleteCreateProcessContext

loc_76F14A:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+1063j
		mov	eax, esi

loc_76F14C:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+14Cj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_76F15E:				; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+11Fj
					; PspBuildCreateProcessContext(x,x,x,x)+15Fj ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
_PspBuildCreateProcessContext@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspUserThreadStartup proc near		; DATA XREF: PspAllocateThread+38Fo

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D8BF3 SIZE 00000012 BYTES
; FUNCTION CHUNK AT 008D8C23 SIZE 0000000C BYTES

		push	20h
		push	offset dword_6A0B58
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		mov	ecx, large fs:0
		call	_KeI386GetExceptionChainTerminator@0 ; KeI386GetExceptionChainTerminator()
		mov	[ecx], eax
		xor	cl, cl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, large fs:124h
		mov	[ebp+var_1C], ebx
		mov	ecx, ebx
		call	_PspDisablePrimaryTokenExchange@4 ; PspDisablePrimaryTokenExchange(x)
		test	byte ptr [ebx+2FCh], 2
		jz	loc_8D8BF3

loc_76F1AC:				; CODE XREF: PspUserThreadStartup+169A9Cj
		mov	esi, [ebx+80h]
		mov	[ebp+var_20], esi
		mov	[ebp+var_24], esi
		test	byte ptr [esi+3A8h], 1
		jnz	loc_8D8C23
		mov	edx, [ebx+0A8h]
		mov	[ebp+ms_exc.disabled], edi
		call	_MmGetSessionLocaleId@0	; MmGetSessionLocaleId()
		mov	[edx+0C4h], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_76F1E0:				; CODE XREF: sub_8D8C09+15j
		mov	edx, ebx
		mov	ecx, ebx
		call	PspWriteTebIdealProcessor
		mov	ecx, ebx
		call	DbgkCreateThread
		lea	eax, [esi+0FCh]
		test	dword ptr [eax], 80000h
		jz	short loc_76F231

loc_76F1FE:				; CODE XREF: PspUserThreadStartup+D2j
					; PspUserThreadStartup+E1j ...
		mov	eax, ds:0FFDF0330h
		test	eax, eax
		jz	short loc_76F255

loc_76F207:				; CODE XREF: PspUserThreadStartup+150j
		mov	eax, [ebx+2FCh]
		test	al, 1
		jnz	short loc_76F247
		test	byte ptr [esi+3A8h], 1
		jnz	short loc_76F21F
		call	PspInitializeThunkContext

loc_76F21F:				; CODE XREF: PspUserThreadStartup+B4j
					; PspUserThreadStartup+EFj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_76F231:				; CODE XREF: PspUserThreadStartup+98j
		lock bts dword ptr [eax], 13h
		jb	short loc_76F1FE
		mov	edx, [esi+15Ch]
		mov	ecx, esi
		call	PfProcessCreateNotification
		jmp	short loc_76F1FE
; 

loc_76F247:				; CODE XREF: PspUserThreadStartup+ABj
		push	edi
		push	edi
		push	1
		push	6
		push	ebx
		call	KeWaitForSingleObject
		jmp	short loc_76F21F
; 

loc_76F255:				; CODE XREF: PspUserThreadStartup+A1j
					; PspUserThreadStartup+148j
		lea	eax, [ebp+var_30]
		push	eax
		call	_KeQuerySystemTimePrecise@4 ; KeQuerySystemTimePrecise(x)
		mov	ebx, large fs:20h
		push	edi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	edi, eax
		mov	[ebp+var_24], edx
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		mov	esi, eax
		rdtsc
		xor	esi, eax
		mov	ecx, [ebx+3CF8h]
		xor	ecx, esi
		mov	edx, [ebx+4B4h]
		xor	edx, [ebx+4A0h]
		xor	edx, ecx
		xor	edx, edi
		xor	edx, [ebp+var_2C]
		xor	edx, [ebp+var_30]
		xor	eax, eax
		mov	ecx, 0FFDF0330h
		lock cmpxchg [ecx], edx
		xor	edi, edi
		cmp	[ecx], edi
		jz	short loc_76F255
		mov	ebx, [ebp+var_1C]
		mov	esi, [ebp+var_20]
		jmp	loc_76F207
PspUserThreadStartup endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DbgkCreateThread proc near		; CODE XREF: PspUserThreadStartup+87p

var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D8C43 SIZE 0000000F BYTES
; FUNCTION CHUNK AT 008D8C72 SIZE 0000009F BYTES
; FUNCTION CHUNK AT 008D8D33 SIZE 000000F0 BYTES

		push	0E8h
		push	offset dword_6A0B78
		call	__SEH_prolog4_GS
		mov	edi, ecx
		mov	[ebp+var_D4], edi
		push	0A8h		; size_t
		xor	esi, esi
		push	esi		; int
		lea	eax, [ebp+var_C4]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ebx, [edi+80h]
		mov	[ebp+var_CC], ebx
		mov	edi, 400001h
		lea	edx, [ebx+0FCh]
		mov	eax, [edx]

loc_76F301:				; CODE XREF: DbgkCreateThread+4Fj
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_76F301
		mov	[ebp+var_F8], eax
		test	eax, 400000h
		jz	short loc_76F33E

loc_76F318:				; CODE XREF: DbgkCreateThread+8Bj
		push	0FFFFFFFEh
		pop	edi

loc_76F31B:				; CODE XREF: DbgkCreateThread+12Dj
		mov	ebx, [ebp+var_CC]
		cmp	dword ptr [ebx+190h], 0
		jnz	loc_8D8C72

loc_76F32E:				; CODE XREF: DbgkCreateThread+169B50j
					; DbgkCreateThread+169B64j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76F33E:				; CODE XREF: DbgkCreateThread+5Cj
		call	PsIsImageNotifyEnabled
		test	al, al
		jz	short loc_76F318
		mov	[ebp+var_F0], esi
		mov	[ebp+var_D8], esi
		mov	[ebp+var_C8], esi
		mov	[ebp+var_EC], esi
		mov	byte ptr [ebp+var_EC], 3
		mov	eax, [ebx+160h]
		mov	[ebp+var_E8], eax
		mov	[ebp+var_E0], esi
		mov	[ebp+ms_exc.disabled], esi
		push	eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	short loc_76F38E
		mov	eax, [eax+50h]
		mov	[ebp+var_E0], eax

loc_76F38E:				; CODE XREF: DbgkCreateThread+C9j
					; sub_8D8C33+Bj
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		mov	[ebp+var_E4], esi
		mov	[ebp+var_DC], esi
		lea	eax, [ebp+var_C8]
		push	eax
		mov	ebx, [ebp+var_CC]
		push	ebx
		call	_PsReferenceProcessFilePointer@8 ; PsReferenceProcessFilePointer(x,x)
		mov	ecx, [ebx+1C0h]
		push	[ebp+var_C8]
		lea	eax, [ebp+var_F0]
		push	eax
		mov	edx, ebx
		call	PsCallImageNotifyRoutines
		mov	ecx, [ebp+var_C8]
		call	ObfDereferenceObject
		mov	[ebp+var_C8], esi

loc_76F3DE:				; CODE XREF: DbgkCreateThread+14Aj
		mov	ecx, [ebp+var_C8]
		cmp	ecx, 6
		jge	loc_76F31B
		call	_PsQuerySystemDllInfo@4	; PsQuerySystemDllInfo(x)
		mov	ebx, eax
		mov	[ebp+var_D0], ebx
		test	ebx, ebx
		jnz	short loc_76F406

loc_76F3FE:				; CODE XREF: DbgkCreateThread+1EFj
					; DbgkCreateThread+16998Dj
		inc	[ebp+var_C8]
		jmp	short loc_76F3DE
; 

loc_76F406:				; CODE XREF: DbgkCreateThread+142j
		test	ecx, ecx
		jg	loc_8D8C43

loc_76F40E:				; CODE XREF: DbgkCreateThread+169993j
		mov	[ebp+var_EC], esi
		mov	byte ptr [ebp+var_EC], 3
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_E8], eax
		mov	[ebp+var_E0], esi
		mov	[ebp+ms_exc.disabled], 1
		push	dword ptr [ebx+0Ch]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	short loc_76F446
		mov	eax, [eax+50h]
		mov	[ebp+var_E0], eax

loc_76F446:				; CODE XREF: DbgkCreateThread+181j
		mov	[ebp+ms_exc.disabled], edi

loc_76F449:				; CODE XREF: sub_8D8C56+17j
		mov	[ebp+var_E4], esi
		mov	[ebp+var_DC], esi
		lea	ecx, [ebx-8]
		call	PspReferenceSystemDll
		mov	[ebp+var_F4], eax
		mov	ecx, eax
		call	_MmGetFileObjectForSection@4 ; MmGetFileObjectForSection(x)
		mov	[ebp+var_D0], eax
		mov	edx, [ebp+var_F4]
		test	edx, edx
		jz	short loc_76F488
		lea	ecx, [ebx-8]
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	eax, [ebp+var_D0]

loc_76F488:				; CODE XREF: DbgkCreateThread+1BEj
		push	eax
		lea	eax, [ebp+var_F0]
		push	eax
		lea	ecx, [ebx+4]
		mov	edx, [ebp+var_CC]
		call	PsCallImageNotifyRoutines
		mov	ecx, [ebp+var_D0]
		call	ObfDereferenceObject
		jmp	loc_76F3FE
DbgkCreateThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspWriteTebIdealProcessor proc near	; CODE XREF: PspUserThreadStartup+80p
					; NtSetInformationThread+104136p ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D8E23 SIZE 00000035 BYTES
; FUNCTION CHUNK AT 008D8E70 SIZE 0000001F BYTES

		push	40h
		push	offset dword_6A0BB0
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	edx, ecx
		mov	[ebp+var_44], edx
		mov	[ebp+var_4C], esi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		xor	ebx, ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_40], ebx
		mov	eax, [esi+0A8h]
		mov	[ebp+var_48], eax
		mov	edi, [esi+150h]
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_50], eax
		mov	[ebp+var_36], bl
		cmp	esi, edx
		jnz	loc_8D8E23

loc_76F4F6:				; CODE XREF: PspWriteTebIdealProcessor+16998Fj
		mov	[ebp+var_35], bl
		cmp	edi, [edx+80h]
		jnz	loc_8D8E42

loc_76F505:				; CODE XREF: PspWriteTebIdealProcessor+1699A5j
		lea	eax, [ebp+var_3C]
		push	eax
		push	dword ptr [esi+88h]
		call	_KeGetProcessorNumberFromIndex@8 ; KeGetProcessorNumberFromIndex(x,x)

loc_76F514:				; CODE XREF: PspWriteTebIdealProcessor+D6j
		mov	al, byte ptr [ebp+var_3C+2]
		mov	byte ptr [ebp+var_3C+3], al
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [ebp+var_3C]
		mov	eax, [ebp+var_48]
		mov	[eax+0F74h], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_76F530:				; CODE XREF: sub_8D8E5C+Fj
		mov	[ebp+var_44], ebx
		xor	ecx, ecx
		lea	eax, [ebp+var_44]
		lock or	[eax], ecx
		lea	eax, [ebp+var_40]
		push	eax
		push	dword ptr [esi+88h]
		call	_KeGetProcessorNumberFromIndex@8 ; KeGetProcessorNumberFromIndex(x,x)
		mov	eax, [ebp+var_40]
		cmp	ax, word ptr [ebp+var_3C]
		jnz	short loc_76F57F
		mov	cl, byte ptr [ebp+var_40+2]
		cmp	cl, byte ptr [ebp+var_3C+2]
		jnz	short loc_76F57F
		cmp	[ebp+var_35], 0
		jnz	loc_8D8E70

loc_76F565:				; CODE XREF: PspWriteTebIdealProcessor+1699CCj
		cmp	[ebp+var_36], 0
		jnz	loc_8D8E7F

loc_76F56F:				; CODE XREF: PspWriteTebIdealProcessor+169982j
					; PspWriteTebIdealProcessor+1699DCj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76F57F:				; CODE XREF: PspWriteTebIdealProcessor+A3j
					; PspWriteTebIdealProcessor+ABj
		mov	ecx, [ebp+var_50]
		mov	[ecx], eax
		jmp	short loc_76F514
PspWriteTebIdealProcessor endp


;  S U B	R O U T	I N E 


; __stdcall MmGetSessionLocaleId()
_MmGetSessionLocaleId@0	proc near	; CODE XREF: NtQueryDefaultLocale:loc_76DC01p
					; PspUserThreadStartup+6Ap
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	eax, [ecx+180h]
		test	eax, eax
		jz	short loc_76F5AC
		test	dword ptr [ecx+3A8h], 1000h
		jnz	short loc_76F5AC
		mov	eax, [eax+38h]
		retn
; 

loc_76F5AC:				; CODE XREF: MmGetSessionLocaleId()+14j
					; MmGetSessionLocaleId()+20j
		mov	eax, ds:_PsDefaultThreadLocaleId
		retn
_MmGetSessionLocaleId@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspDisablePrimaryTokenExchange(x)
_PspDisablePrimaryTokenExchange@4 proc near ; CODE XREF: PspSystemThreadStartup+2Bp
					; PspUserThreadStartup+36p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+80h]
		lea	eax, [edi+0F8h]
		test	dword ptr [eax], 8000h
		jz	loc_76F693

loc_76F5D6:				; CODE XREF: PspDisablePrimaryTokenExchange(x)+10Dj
		test	dword ptr [edi+3A8h], 400000h
		jz	short loc_76F5F2

loc_76F5E2:				; CODE XREF: PspDisablePrimaryTokenExchange(x)+DCj
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock or	[eax], ecx
		pop	edi
		pop	esi
		leave
		retn
; 

loc_76F5F2:				; CODE XREF: PspDisablePrimaryTokenExchange(x)+2Ej
		push	ebx
		push	edi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		push	esi
		call	SeTokenIsAdmin
		xor	ebx, ebx
		mov	ecx, esi
		test	al, al
		setnz	bl
		call	ObfDereferenceObject
		lea	esi, [edi+3A8h]
		mov	ecx, [esi]
		and	ecx, 800000h
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, ebx
		mov	[ebp+var_8], ecx
		pop	ebx
		jz	short loc_76F639
		push	0
		push	0
		mov	ecx, edi
		call	PspWriteProcessSecurityDomain
		mov	ecx, [ebp+var_8]

loc_76F639:				; CODE XREF: PspDisablePrimaryTokenExchange(x)+77j
		call	_KeKvaShadowingActive@0	; KeKvaShadowingActive()
		test	eax, eax
		jz	loc_76F6CB
		mov	eax, [esi]
		test	eax, 4000h
		jnz	short loc_76F6CB
		test	ecx, ecx
		jz	short loc_76F663
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		mov	byte ptr [edi+74h], 1
		xor	ecx, ecx
		lock or	[eax], ecx

loc_76F663:				; CODE XREF: PspDisablePrimaryTokenExchange(x)+9Fj
		mov	ecx, edi
		call	_KeSynchronizeAddressPolicy@4 ;	KeSynchronizeAddressPolicy(x)
		lock bts dword ptr [esi], 0Eh
		jb	short loc_76F689
		cmp	byte ptr [edi+74h], 1
		jnz	short loc_76F689
		cmp	edi, ds:_PsInitialSystemProcess
		jz	short loc_76F689
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	MiDeleteProcessShadow

loc_76F689:				; CODE XREF: PspDisablePrimaryTokenExchange(x)+BDj
					; PspDisablePrimaryTokenExchange(x)+C3j ...
		lock bts dword ptr [esi], 16h
		jmp	loc_76F5E2
; 

loc_76F693:				; CODE XREF: PspDisablePrimaryTokenExchange(x)+1Ej
		lock bts dword ptr [eax], 0Fh
		dec	word ptr [esi+13Ch]
		nop
		and	[ebp+var_4], 0
		lea	ecx, [edi+0E0h]
		xor	edx, edx
		lea	eax, [ebp+var_4]
		lock or	[eax], edx
		mov	eax, [ecx]
		test	al, 1
		jnz	short loc_76F6C4

loc_76F6B8:				; CODE XREF: PspDisablePrimaryTokenExchange(x)+117j
		mov	ecx, esi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_76F5D6
; 

loc_76F6C4:				; CODE XREF: PspDisablePrimaryTokenExchange(x)+104j
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)
		jmp	short loc_76F6B8
; 

loc_76F6CB:				; CODE XREF: PspDisablePrimaryTokenExchange(x)+8Ej
					; PspDisablePrimaryTokenExchange(x)+9Bj
		lock bts dword ptr [esi], 0Eh
		jmp	short loc_76F689
_PspDisablePrimaryTokenExchange@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspInitializeThunkContext proc near	; CODE XREF: PspUserThreadStartup+B6p

var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_2E8		= dword	ptr -2E8h
var_224		= dword	ptr -224h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D8E8F SIZE 00000015 BYTES
; FUNCTION CHUNK AT 008D8ED2 SIZE 0000003A BYTES

		push	344h
		push	offset dword_6A0BD0
		call	__SEH_prolog4_GS
		push	50h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		lea	eax, [ebp+var_338]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_34C], ebx
		mov	[ebp+var_33C], ebx
		mov	[ebp+var_350], ebx
		mov	edi, large fs:124h
		mov	[ebp+var_348], edi
		lea	edx, [ebp+var_33C]
		mov	ecx, 10017h
		call	_RtlGetExtendedContextLength@8 ; RtlGetExtendedContextLength(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_76F8C5
		mov	eax, [ebp+var_33C]
		call	__alloca_probe_16
		mov	[ebp+ms_exc.old_esp], esp
		mov	esi, esp
		mov	[ebp+var_344], esi
		push	[ebp+var_33C]	; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_34C]
		push	eax
		mov	edx, 10017h
		mov	ecx, esi
		call	_RtlInitializeExtendedContext@12 ; RtlInitializeExtendedContext(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_76F8C5
		push	2CCh		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_2E8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		dec	word ptr [edi+13Eh]
		nop
		push	1
		mov	dl, 1
		mov	ecx, edi
		call	PspCallThreadNotifyRoutines
		push	ebx
		push	1
		push	ebx
		mov	edx, [ebp+var_344]
		mov	ecx, edi
		call	PspGetContextThreadInternal
		mov	esi, eax
		mov	[ebp+var_340], esi
		test	esi, esi
		js	loc_76F8C5
		mov	eax, [ebp+var_344]
		mov	edi, [eax+0C4h]
		mov	esi, [ebp+var_33C]
		sub	edi, esi
		and	edi, 0FFFFFFFCh
		lea	eax, [edi-10h]
		mov	[ebp+var_224], eax
		mov	eax, ds:_PspSystemDlls
		push	dword ptr [eax+14h]
		push	edi
		push	ds:_PspLoaderInitRoutine
		xor	edx, edx
		lea	ecx, [ebp+var_2E8]
		call	_PspCreateUserContext@20 ; PspCreateUserContext(x,x,x,x,x)
		mov	edx, [ebp+var_348]
		call	PspAdjustContextForInstrumentation
		mov	[ebp+ms_exc.disabled], ebx
		test	esi, esi
		jz	loc_8D8E96
		cmp	esi, 1000h
		jnb	loc_8D8E96
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_8D8E8F

loc_76F825:				; CODE XREF: PspInitializeThunkContext+1697BFj
		mov	al, [edi]
		mov	[edi], al
		mov	ecx, [ebp+var_33C]
		cmp	ecx, 4
		jbe	short loc_76F83E
		dec	ecx
		and	ecx, 0FFFFFFFCh
		mov	al, [ecx+edi]
		mov	[ecx+edi], al

loc_76F83E:				; CODE XREF: PspInitializeThunkContext+160j
					; PspInitializeThunkContext+1697CDj
		lea	eax, [ebp+var_350]
		push	eax
		mov	edx, 10017h
		mov	ecx, edi
		call	_RtlInitializeExtendedContext@12 ; RtlInitializeExtendedContext(x,x,x)
		mov	esi, eax
		mov	[ebp+var_340], esi
		test	esi, esi
		js	short loc_76F8A0
		push	[ebp+var_344]
		mov	ecx, edi
		call	RtlCopyContext
		mov	esi, eax
		mov	[ebp+var_340], esi
		test	esi, esi
		js	short loc_76F8A0
		mov	eax, ds:_MmUserProbeAddress
		lea	ecx, [edi-10h]
		cmp	ecx, eax
		jnb	short loc_76F8EA

loc_76F882:				; CODE XREF: PspInitializeThunkContext+21Aj
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+0Ch]
		mov	[ecx+0Ch], al
		mov	[ecx+4], edi
		mov	eax, ds:_PspSystemDlls
		mov	eax, [eax+14h]
		mov	[ecx+8], eax
		mov	esi, [ebp+var_340]

loc_76F8A0:				; CODE XREF: PspInitializeThunkContext+189j
					; PspInitializeThunkContext+1A2j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_76F8A7:				; CODE XREF: sub_8D8EB5+18j
		mov	edi, [ebp+var_348]
		test	esi, esi
		js	short loc_76F8C5
		push	2
		push	1
		push	ebx
		lea	edx, [ebp+var_2E8]
		mov	ecx, edi
		call	PspSetContextThreadInternal
		mov	esi, eax

loc_76F8C5:				; CODE XREF: PspInitializeThunkContext+56j
					; PspInitializeThunkContext+99j ...
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	esi, esi
		js	loc_8D8ED2

loc_76F8D4:				; CODE XREF: PspInitializeThunkContext+169835j
		lea	esp, [ebp-364h]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_76F8EA:				; CODE XREF: PspInitializeThunkContext+1AEj
		mov	[eax], bl
		jmp	short loc_76F882
PspInitializeThunkContext endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetContextThreadInternal proc near	; CODE XREF: PspInitializeThunkContext+1ECp
					; NtSetContextThread(x,x)+92p ...

var_8C		= dword	ptr -8Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= byte ptr -5Ch
var_5B		= byte ptr -5Bh
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D8F0C SIZE 00000024 BYTES
; FUNCTION CHUNK AT 008D8F50 SIZE 00000130 BYTES

		push	7Ch
		push	offset dword_6A0BF0
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	edi, ecx
		xor	ebx, ebx
		mov	[ebp+var_2C], ebx
		push	50h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_8C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_28], ebx
		mov	eax, large fs:124h
		mov	[ebp+var_30], eax
		mov	eax, [ebp+arg_8]
		and	eax, 1
		mov	[ebp+var_38], eax
		mov	bl, [ebp+arg_0]
		test	bl, bl
		jnz	loc_8D8F0C
		mov	eax, [esi]
		mov	[ebp+var_24], eax

loc_76F93A:				; CODE XREF: PspSetContextThreadInternal+16963Dj
		mov	dl, bl
		lea	ecx, [ebp+var_24]
		call	RtlpSanitizeContextFlags
		test	eax, eax
		js	loc_76F9E6
		test	bl, bl
		jnz	loc_8D8F50
		mov	[ebp+var_44], esi

loc_76F957:				; CODE XREF: PspSetContextThreadInternal+1696C5j
		mov	bh, [ebp+arg_4]
		test	bh, bh
		jz	short loc_76F96B
		test	dword ptr [edi+58h], 400h
		jnz	loc_8D8FBE

loc_76F96B:				; CODE XREF: PspSetContextThreadInternal+6Ej
		mov	al, [ebp+var_5B]
		and	al, 0FBh
		mov	[ebp+var_5B], al
		mov	bl, al
		test	bh, bh
		jz	short loc_76F983
		test	byte ptr [ebp+arg_8], 2
		jz	loc_8D8FC8

loc_76F983:				; CODE XREF: PspSetContextThreadInternal+89j
					; PspSetContextThreadInternal+1696EEj ...
		mov	[ebp+var_5C], bh
		mov	eax, [ebp+var_38]
		add	al, al
		and	bl, 0FDh
		or	al, bl
		mov	esi, [ebp+var_30]
		cmp	edi, esi
		jnz	loc_8D9004
		mov	[ebp+var_68], 1
		mov	[ebp+var_64], edi
		and	al, 0FEh
		mov	[ebp+var_5B], al
		dec	word ptr [esi+13Eh]
		nop
		lea	eax, [ebp+var_64]
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		push	0
		push	0
		lea	eax, [ebp+var_8C]
		push	eax
		call	PspGetSetContextSpecialApc
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_76F9D1:				; CODE XREF: PspSetContextThreadInternal+169766j
		mov	esi, [ebp+var_58]
		mov	eax, esi
		test	eax, eax
		js	short loc_76F9E4
		cmp	[ebp+arg_0], 1
		jz	loc_8D9059

loc_76F9E4:				; CODE XREF: PspSetContextThreadInternal+EAj
					; PspSetContextThreadInternal+1696D5j ...
		mov	eax, esi

loc_76F9E6:				; CODE XREF: PspSetContextThreadInternal+58j
					; sub_8D8F3E+Dj ...
		lea	esp, [ebp-9Ch]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
PspSetContextThreadInternal endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspGetContextThreadInternal proc near	; CODE XREF: PspInitializeThunkContext+D3p
					; PAGE:007A3316p ...

var_A4		= dword	ptr -0A4h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_74		= byte ptr -74h
var_73		= byte ptr -73h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_5C		= dword	ptr -5Ch
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D9080 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008D90A7 SIZE 00000014 BYTES

		push	94h
		push	offset dword_6A0C10
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	[ebp+var_40], ecx
		xor	ebx, ebx
		mov	[ebp+var_48], ebx
		push	50h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_A4]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_44], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_38]
		rep stosd
		mov	ebx, [ebp+arg_8]
		and	ebx, 1
		mov	ecx, large fs:124h
		mov	[ebp+var_4C], ecx
		mov	dl, [ebp+arg_0]
		test	dl, dl
		jnz	loc_76FB07
		mov	eax, [esi]
		mov	[ebp+var_3C], eax

loc_76FA56:				; CODE XREF: PspGetContextThreadInternal+129j
		lea	ecx, [ebp+var_3C]
		call	RtlpSanitizeContextFlags
		test	eax, eax
		js	loc_76FAEF
		cmp	[ebp+arg_0], 0
		jnz	loc_76FB2C
		mov	[ebp+var_5C], esi
		lea	edi, [esi+2CCh]

loc_76FA79:				; CODE XREF: PspGetContextThreadInternal+17Bj
		mov	al, [ebp+arg_4]
		mov	edx, [ebp+var_40]
		test	al, al
		jz	short loc_76FA90
		test	dword ptr [edx+58h], 400h
		jnz	loc_8D90A7

loc_76FA90:				; CODE XREF: PspGetContextThreadInternal+83j
		mov	[ebp+var_74], al
		add	bl, bl
		mov	al, [ebp+var_73]
		and	al, 0FDh
		or	bl, al
		mov	eax, [ebp+var_4C]
		cmp	edx, eax
		jnz	loc_76FB9C
		xor	ecx, ecx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], edx
		and	bl, 0FEh
		mov	[ebp+var_73], bl
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [ebp+var_7C]
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_A4]
		push	eax
		call	PspGetSetContextSpecialApc
		mov	ecx, [ebp+var_4C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_76FADB:				; CODE XREF: PspGetContextThreadInternal+1EBj
		mov	eax, [ebp+var_70]
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_76FAEF
		mov	ecx, [ebp+var_5C]
		cmp	ecx, esi
		jnz	loc_76FB84

loc_76FAEF:				; CODE XREF: PspGetContextThreadInternal+62j
					; PspGetContextThreadInternal+E4j ...
		lea	esp, [ebp-0B4h]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_76FB07:				; CODE XREF: PspGetContextThreadInternal+4Dj
		and	[ebp+ms_exc.disabled], eax
		mov	eax, esi
		mov	ecx, ds:_MmUserProbeAddress
		cmp	esi, ecx
		jnb	loc_8D9080

loc_76FB1A:				; CODE XREF: PspGetContextThreadInternal+169684j
		nop
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_76FA56
; 

loc_76FB2C:				; CODE XREF: PspGetContextThreadInternal+6Cj
		lea	edx, [ebp+var_44]
		mov	ecx, [ebp+var_3C]
		call	_RtlGetExtendedContextLength@8 ; RtlGetExtendedContextLength(x,x)
		test	eax, eax
		js	short loc_76FAEF
		mov	eax, [ebp+var_44]
		call	__alloca_probe_16
		mov	[ebp+ms_exc.old_esp], esp
		mov	ecx, esp
		mov	[ebp+var_5C], ecx
		lea	eax, [ebp+var_48]
		push	eax
		mov	edx, [ebp+var_3C]
		call	_RtlInitializeExtendedContext@12 ; RtlInitializeExtendedContext(x,x,x)
		test	eax, eax
		js	short loc_76FAEF
		mov	edi, [ebp+var_48]
		lea	eax, [edi-2CCh]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		push	[ebp+var_3C]
		push	edi
		xor	dl, dl
		call	RtlpReadExtendedContext
		test	eax, eax
		jns	loc_76FA79
		jmp	loc_76FAEF
; 

loc_76FB84:				; CODE XREF: PspGetContextThreadInternal+EBj
		mov	eax, [ecx]
		push	edi
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		lea	edx, [esi+2CCh]
		call	RtlpWriteExtendedContext
		jmp	loc_76FAEF
; 

loc_76FB9C:				; CODE XREF: PspGetContextThreadInternal+A3j
		or	bl, 1
		mov	[ebp+var_73], bl
		lea	ecx, [ebp+var_6C]
		call	@KeInitializeGate@8 ; KeInitializeGate(x,x)
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset PspGetSetContextSpecialApc
		push	ebx
		push	edx
		lea	eax, [ebp+var_A4]
		push	eax
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	2
		mov	ecx, [ebp+var_40]
		push	ecx
		push	ebx
		lea	eax, [ebp+var_A4]
		push	eax
		call	KeInsertQueueApc
		test	al, al
		jz	loc_8D90B1
		push	ecx
		xor	edx, edx
		lea	ecx, [ebp+var_6C]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		jmp	loc_76FADB
PspGetContextThreadInternal endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspGetSetContextSpecialApc proc	near	; CODE XREF: PspSetContextThreadInternal+D7p
					; PspGetContextThreadInternal+D0p
					; DATA XREF: ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D90BB SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		cmp	byte ptr [esi+30h], 0
		mov	ecx, [esi+28h]
		jz	loc_8D90BB
		call	_PspGetBaseTrapFrame@8 ; PspGetBaseTrapFrame(x,x)
		mov	edi, eax

loc_76FC0C:				; CODE XREF: PspGetSetContextSpecialApc+1694E1j
		xor	eax, eax
		push	ebx
		mov	ebx, [esi+48h]
		cmp	[esi+24h], eax
		jnz	short loc_76FC3E
		push	ebx
		push	eax
		push	edi
		call	KeContextFromKframes
		mov	eax, [ebx]
		test	eax, 40000000h
		jnz	loc_8D90DF

loc_76FC2C:				; CODE XREF: PspGetSetContextSpecialApc+5Fj
					; PspGetSetContextSpecialApc+16950Ej ...
		xor	eax, eax
		pop	ebx

loc_76FC2F:				; CODE XREF: PspGetSetContextSpecialApc+1694ECj
		mov	[esi+34h], eax
		test	byte ptr [esi+31h], 1
		jnz	short loc_76FC4F

loc_76FC38:				; CODE XREF: PspGetSetContextSpecialApc+6Cj
		pop	edi
		pop	esi
		pop	ebp
		retn	14h
; 

loc_76FC3E:				; CODE XREF: PspGetSetContextSpecialApc+27j
		movzx	ecx, byte ptr [esi+30h]
		push	ecx
		push	dword ptr [ebx]
		push	ebx
		push	eax
		push	edi
		call	KeContextToKframes
		jmp	short loc_76FC2C
; 

loc_76FC4F:				; CODE XREF: PspGetSetContextSpecialApc+48j
		xor	edx, edx
		lea	ecx, [esi+38h]
		inc	edx
		call	KeSignalGate
		jmp	short loc_76FC38
PspGetSetContextSpecialApc endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspAdjustContextForInstrumentation proc	near ; CODE XREF: PspInitializeThunkContext+12Ap

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D910E SIZE 00000049 BYTES
; FUNCTION CHUNK AT 008D915E SIZE 00000029 BYTES

		push	14h
		push	offset dword_6A0C30
		call	__SEH_prolog4
		mov	[ebp+var_1C], ecx
		mov	eax, [edx+80h]
		mov	eax, [eax+3DCh]
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	loc_8D910E

loc_76FC82:				; CODE XREF: PspAdjustContextForInstrumentation+1694D0j
					; PspAdjustContextForInstrumentation+16951Aj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PspAdjustContextForInstrumentation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCreateUserContext(x, x, x, x, x)
_PspCreateUserContext@20 proc near	; CODE XREF: PspInitializeThunkContext+11Fp
					; NtCreateThreadEx+12Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	dword ptr [ecx+8Ch], 0
		mov	[ecx+0B8h], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+0B0h], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+0A4h], eax
		mov	dword ptr [ecx+90h], 3Bh
		mov	dword ptr [ecx+0BCh], 1Bh
		push	23h
		pop	eax
		mov	[ecx+94h], eax
		mov	[ecx+98h], eax
		mov	[ecx+0C8h], eax
		test	dl, 1
		jnz	short loc_76FCED
		mov	dword ptr [ecx], 10007h

loc_76FCED:				; CODE XREF: PspCreateUserContext(x,x,x,x,x)+53j
		pop	ebp
		retn	0Ch
_PspCreateUserContext@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateThreadEx proc near		; DATA XREF: .text:00581100o

var_1A4		= dword	ptr -1A4h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_168		= dword	ptr -168h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 008D9187 SIZE 0000000A BYTES

		push	194h
		push	offset dword_6A0C50
		call	__SEH_prolog4_GS
		mov	ebx, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_190], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_18C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_188], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_17C], eax
		mov	esi, [ebp+arg_28]
		xor	eax, eax
		lea	edi, [ebp+var_1A4]
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[ebp+var_184], edi
		mov	[ebp+var_178], edi
		test	[ebp+arg_18], 0FFFFFF80h
		jnz	loc_8D9187
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jnz	loc_76FE87

loc_76FD70:				; CODE XREF: NtCreateThreadEx+1AEj
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_28], eax
		push	148h		; size_t
		push	edi		; int
		lea	eax, [ebp+var_174]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	short loc_76FDBF
		mov	eax, large fs:124h
		mov	dl, [eax+15Ah]
		lea	eax, [ebp+var_174]
		push	eax
		push	1
		mov	ecx, esi
		call	_PspBuildCreateProcessContext@16 ; PspBuildCreateProcessContext(x,x,x,x)
		test	eax, eax
		js	loc_76FE6F

loc_76FDBF:				; CODE XREF: NtCreateThreadEx+A7j
		push	edi
		push	edi
		lea	edx, [ebp+var_178]
		mov	edi, 10007h
		mov	ecx, edi
		call	RtlGetExtendedContextLength2
		mov	eax, [ebp+var_178]
		call	__alloca_probe_16
		mov	[ebp+ms_exc.old_esp], esp
		mov	esi, esp
		push	[ebp+var_178]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		push	0
		push	0
		lea	eax, [ebp+var_184]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	RtlInitializeExtendedContext2
		push	[ebp+var_17C]
		mov	edi, [ebp+var_188]
		push	edi
		push	ds:_PspUserThreadStart
		xor	edx, edx
		inc	edx
		mov	ecx, esi
		call	_PspCreateUserContext@20 ; PspCreateUserContext(x,x,x,x,x)
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+var_17C]
		push	edi
		push	[ebp+arg_18]
		lea	eax, [ebp+var_1A4]
		push	eax
		push	esi
		push	[ebp+var_168]
		lea	eax, [ebp+var_174]
		push	eax
		push	0
		push	[ebp+var_18C]
		push	[ebp+var_190]
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		call	PspCreateThread
		mov	esi, eax
		lea	ecx, [ebp+var_174]
		call	PspDeleteCreateProcessContext
		mov	eax, esi

loc_76FE6F:				; CODE XREF: NtCreateThreadEx+C7j
					; NtCreateThreadEx+16949Aj ...
		lea	esp, [ebp-1B4h]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	2Ch
; 

loc_76FE87:				; CODE XREF: NtCreateThreadEx+78j
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	short loc_76FEA5

loc_76FE95:				; CODE XREF: NtCreateThreadEx+1B5j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_76FD70
; 

loc_76FEA5:				; CODE XREF: NtCreateThreadEx+1A1j
		mov	ecx, eax
		jmp	short loc_76FE95
NtCreateThreadEx endp

; 
		align 2

;  S U B	R O U T	I N E 


PspDeleteCreateProcessContext proc near	; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+1067p
					; NtCreateThreadEx+176p ...

; FUNCTION CHUNK AT 008D91B7 SIZE 000000C8 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		mov	eax, [esi+68h]
		test	eax, eax
		jnz	loc_76FF8E

loc_76FEBD:				; CODE XREF: PspDeleteCreateProcessContext+EBj
		mov	ecx, [esi+6Ch]
		test	ecx, ecx
		jnz	loc_76FF9A

loc_76FEC8:				; CODE XREF: PspDeleteCreateProcessContext+F5j
		mov	ecx, [esi+60h]
		test	ecx, ecx
		jnz	loc_76FF84

loc_76FED3:				; CODE XREF: PspDeleteCreateProcessContext+DFj
		mov	ecx, [esi+54h]
		test	ecx, ecx
		jnz	loc_76FFD4

loc_76FEDE:				; CODE XREF: PspDeleteCreateProcessContext+134j
		mov	eax, [esi+70h]
		test	eax, eax
		jnz	loc_76FFA4

loc_76FEE9:				; CODE XREF: PspDeleteCreateProcessContext+101j
		mov	eax, [esi+74h]
		test	eax, eax
		jnz	loc_76FFC8

loc_76FEF4:				; CODE XREF: PspDeleteCreateProcessContext+125j
		mov	ecx, [esi+78h]
		test	ecx, ecx
		jnz	loc_76FFB0

loc_76FEFF:				; CODE XREF: PspDeleteCreateProcessContext+10Bj
		test	byte ptr [esi+8], 4
		jnz	loc_76FFBA

loc_76FF09:				; CODE XREF: PspDeleteCreateProcessContext+119j
		mov	ecx, [esi+0A8h]
		test	ecx, ecx
		jnz	loc_8D91B7

loc_76FF17:				; CODE XREF: PspDeleteCreateProcessContext+169315j
					; PspDeleteCreateProcessContext+169322j
		mov	eax, [esi+0B4h]
		test	eax, eax
		jnz	loc_76FFE3

loc_76FF25:				; CODE XREF: PspDeleteCreateProcessContext+140j
		mov	eax, [esi+0F0h]
		test	eax, eax
		jnz	loc_8D91D1

loc_76FF33:				; CODE XREF: PspDeleteCreateProcessContext+169364j
		mov	eax, [esi+0ECh]
		test	eax, eax
		jnz	loc_8D9213

loc_76FF41:				; CODE XREF: PspDeleteCreateProcessContext+169385j
		mov	eax, [esi+104h]
		test	eax, eax
		jnz	loc_8D9234

loc_76FF4F:				; CODE XREF: PspDeleteCreateProcessContext+1693A6j
		mov	eax, [esi+10Ch]
		test	eax, eax
		jnz	loc_8D9255

loc_76FF5D:				; CODE XREF: PspDeleteCreateProcessContext+1693D0j
		mov	eax, [esi+11Ch]
		test	eax, eax
		jnz	loc_76FFEF

loc_76FF6B:				; CODE XREF: PspDeleteCreateProcessContext+152j
		lea	eax, [esi+8Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [esi+140h]
		pop	esi
		pop	ebx
		jmp	_PspDestroyProcessParameterOverrides@4 ; PspDestroyProcessParameterOverrides(x)
; 

loc_76FF84:				; CODE XREF: PspDeleteCreateProcessContext+23j
		call	ObfDereferenceObject
		jmp	loc_76FED3
; 

loc_76FF8E:				; CODE XREF: PspDeleteCreateProcessContext+Dj
		push	ebx
		push	eax
		call	ObCloseHandle
		jmp	loc_76FEBD
; 

loc_76FF9A:				; CODE XREF: PspDeleteCreateProcessContext+18j
		call	ObfDereferenceObject
		jmp	loc_76FEC8
; 

loc_76FFA4:				; CODE XREF: PspDeleteCreateProcessContext+39j
		push	ebx
		push	eax
		call	ObCloseHandle
		jmp	loc_76FEE9
; 

loc_76FFB0:				; CODE XREF: PspDeleteCreateProcessContext+4Fj
		call	ObfDereferenceObject
		jmp	loc_76FEFF
; 

loc_76FFBA:				; CODE XREF: PspDeleteCreateProcessContext+59j
		push	ebx
		push	dword ptr [esi+7Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_76FF09
; 

loc_76FFC8:				; CODE XREF: PspDeleteCreateProcessContext+44j
		push	ebx
		push	eax
		call	ObCloseHandle
		jmp	loc_76FEF4
; 

loc_76FFD4:				; CODE XREF: PspDeleteCreateProcessContext+2Ej
		mov	edx, 72437350h
		call	ObfDereferenceObjectWithTag
		jmp	loc_76FEDE
; 

loc_76FFE3:				; CODE XREF: PspDeleteCreateProcessContext+75j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_76FF25
; 

loc_76FFEF:				; CODE XREF: PspDeleteCreateProcessContext+BBj
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+11Ch], ebx
		jmp	loc_76FF6B
; 
		align 2

; __stdcall PspDestroyProcessParameterOverrides(x)
_PspDestroyProcessParameterOverrides@4:	; CODE XREF: PspDeleteCreateProcessContext+D5j
		test	ecx, ecx
		jnz	short loc_770007
		retn
; 

loc_770007:				; CODE XREF: PspDeleteCreateProcessContext+15Aj
		push	ecx
		call	ds:__imp__PsDestroyProcessParameterOverrides@4 ; PsDestroyProcessParameterOverrides(x)
		retn
PspDeleteCreateProcessContext endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspCreateThread	proc near		; CODE XREF: NtCreateThreadEx+169p
					; PsCreateSystemThreadEx+1ACp ...

var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 008D927F SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1A0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax

loc_770025:				; DATA XREF: PAGE:??_C@_1BA@IHOFGBGC@?$AA?$CF?$AAw?$AAZ?$AA?2?$AA?$CF?$AAw?$AAZ@NNGAKEGL@o
					; PAGE:??_C@_1BK@IHJLDEBK@?$AA?$CF?$AAw?$AAZ?$AA?3?$AA?$CF?$AAw?$AAZ?$AA?3?$AA?$CF?$AA0?$AA8?$AAX@NNGAKEGL@o ...
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_194], edx
		mov	[ebp+var_190], ecx
		mov	eax, [ebp+arg_0]
		and	[ebp+var_164], 0
		mov	[ebp+var_188], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_184], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_16C], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_160], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_18C], eax
		mov	eax, [ebp+arg_18]

loc_77006B:				; DATA XREF: PAGE:008BD6D8o
		mov	[ebp+var_180], eax
		mov	eax, [ebp+arg_20]
		mov	esi, [ebp+arg_14]
		mov	[ebp+var_154], eax
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_178], eax
		mov	eax, [ebp+arg_28]
		push	144h		; size_t
		mov	[ebp+var_17C], eax
		lea	eax, [ebp+var_150]
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_158], esi
		call	_memset
		mov	ebx, large fs:124h
		xor	ecx, ecx
		add	esp, 0Ch
		mov	[ebp+var_19C], ecx
		mov	[ebp+var_198], ecx
		mov	eax, [ebx+80h]
		mov	[ebp+var_174], eax
		test	esi, esi
		jz	loc_7702E1
		mov	al, [ebx+15Ah]
		mov	byte ptr [ebp+var_15C],	al

loc_7700E0:				; CODE XREF: PspCreateThread+2D7j
		mov	eax, [ebp+var_184]
		mov	esi, ecx
		mov	[ebp+var_168], ecx
		mov	edi, 0C0000008h
		mov	[ebp+var_170], esi
		test	eax, eax
		jz	loc_7702EC
		push	ecx
		lea	ecx, [ebp+var_170]
		push	ecx
		push	72437350h
		push	[ebp+var_15C]
		push	ds:_PsProcessType
		push	2
		push	eax
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, [ebp+var_170]

loc_770128:				; CODE XREF: PspCreateThread+345j
		test	eax, eax
		js	loc_77029B

loc_770130:				; CODE XREF: PspCreateThread+2F6j
		mov	edx, [ebp+var_174]
		cmp	esi, edx
		jnz	loc_7702C7

loc_77013E:				; CODE XREF: PspCreateThread+2CCj
		mov	eax, [ebp+var_154]
		mov	ecx, [ebp+var_158]
		test	eax, eax
		jz	short loc_770162
		mov	eax, ecx
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, [ebp+var_154]
		mov	[ebp+var_154], eax

loc_770162:				; CODE XREF: PspCreateThread+13Cj
		cmp	[ebp+var_160], 0
		jz	loc_77030B

loc_77016F:				; CODE XREF: PspCreateThread+2FDj
					; PspCreateThread+16929Ej
		cmp	byte ptr [ebp+var_15C],	0
		jnz	loc_7702AC

loc_77017C:				; CODE XREF: PspCreateThread+2AFj
		test	byte ptr [esi+3A8h], 1
		jnz	loc_770318

loc_770189:				; CODE XREF: PspCreateThread+30Fj
					; PspCreateThread+317j
		mov	ecx, [ebp+arg_1C]
		lea	edx, [ebp+var_164]
		call	_PspMapThreadCreationFlags@8 ; PspMapThreadCreationFlags(x,x)
		dec	word ptr [ebx+13Ch]
		nop
		lea	eax, [esi+0F0h]
		mov	ecx, eax
		mov	[ebp+var_16C], eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_770334
		mov	edx, 72437350h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_180]
		mov	ecx, esi
		mov	[ebp+var_1A0], eax
		lea	eax, [ebp+var_150]
		push	eax
		push	[ebp+var_17C]
		mov	edx, [ebp+var_188]
		lea	eax, [ebp+var_168]
		push	eax
		lea	eax, [ebp+var_164]
		push	eax
		push	[ebp+var_178]
		lea	eax, [ebp+var_1A0]
		push	[ebp+var_154]
		push	eax
		push	[ebp+var_158]
		push	[ebp+var_160]
		push	[ebp+var_15C]
		call	PspAllocateThread
		mov	edi, eax
		test	edi, edi
		js	loc_8D92BE
		mov	edx, 72437350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		push	[ebp+var_18C]
		mov	ecx, [ebp+var_168]
		lea	eax, [ebp+var_150]
		push	[ebp+var_190]
		mov	edx, esi
		push	eax
		push	[ebp+var_178]
		lea	eax, [ebp+var_164]
		push	[ebp+var_160]
		push	[ebp+var_17C]
		push	[ebp+var_194]
		push	eax
		push	[ebp+var_180]
		call	_PspInsertThread@44 ; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_16C]
		mov	esi, eax
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, [ebp+var_168]
		call	ObfDereferenceObject
		mov	eax, esi

loc_77029B:				; CODE XREF: PspCreateThread+11Aj
					; PspCreateThread+33Ej	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	2Ch
; 

loc_7702AC:				; CODE XREF: PspCreateThread+166j
		mov	eax, [esi+3A8h]
		test	eax, 1000h
		jnz	loc_770340
		test	al, 1
		jz	loc_77017C
		jmp	short loc_770340
; 

loc_7702C7:				; CODE XREF: PspCreateThread+128j
		mov	ecx, esi
		call	PspIsProcessReadyForRemoteThread
		test	al, al
		jz	loc_8D927F
		mov	edx, [ebp+var_174]
		jmp	loc_77013E
; 

loc_7702E1:				; CODE XREF: PspCreateThread+BEj
		mov	byte ptr [ebp+var_15C],	cl
		jmp	loc_7700E0
; 

loc_7702EC:				; CODE XREF: PspCreateThread+EBj
		cmp	[ebp+var_158], ecx
		jnz	short loc_770353
		mov	esi, [ebp+var_16C]
		mov	edx, 72437350h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		jmp	loc_770130
; 

loc_77030B:				; CODE XREF: PspCreateThread+159j
		test	eax, eax
		jnz	loc_77016F
		jmp	loc_8D9289
; 

loc_770318:				; CODE XREF: PspCreateThread+173j
		cmp	dword ptr [esi+3D4h], 0
		jnz	loc_770189
		test	ecx, ecx
		jz	loc_770189
		mov	edi, 0C0000022h
		jmp	short loc_770340
; 

loc_770334:				; CODE XREF: PspCreateThread+1A4j
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	edi, 0C000010Ah

loc_770340:				; CODE XREF: PspCreateThread+2A7j
					; PspCreateThread+2B5j	...
		mov	edx, 72437350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_77029B
; 

loc_770353:				; CODE XREF: PspCreateThread+2E2j
		mov	eax, edi
		jmp	loc_770128
PspCreateThread	endp


;  S U B	R O U T	I N E 


; __stdcall PspMapThreadCreationFlags(x, x)
_PspMapThreadCreationFlags@8 proc near	; CODE XREF: PspCreateThread+182p
					; PAGE:007A33A3p
		xor	eax, eax
		mov	[edx], eax
		test	cl, 1
		jz	short loc_770366
		inc	eax
		mov	[edx], eax

loc_770366:				; CODE XREF: PspMapThreadCreationFlags(x,x)+7j
		test	cl, 2
		jnz	short loc_770389

loc_77036B:				; CODE XREF: PspMapThreadCreationFlags(x,x)+34j
		test	cl, 4
		jnz	short loc_770390

loc_770370:				; CODE XREF: PspMapThreadCreationFlags(x,x)+3Bj
		test	cl, 10h
		jnz	short loc_770380

loc_770375:				; CODE XREF: PspMapThreadCreationFlags(x,x)+2Dj
		test	cl, 20h
		jnz	short loc_770397

loc_77037A:				; CODE XREF: PspMapThreadCreationFlags(x,x)+44j
		test	cl, 40h
		jnz	short loc_7703A0
		retn
; 

loc_770380:				; CODE XREF: PspMapThreadCreationFlags(x,x)+19j
		or	eax, 80h
		mov	[edx], eax
		jmp	short loc_770375
; 

loc_770389:				; CODE XREF: PspMapThreadCreationFlags(x,x)+Fj
		or	eax, 2
		mov	[edx], eax
		jmp	short loc_77036B
; 

loc_770390:				; CODE XREF: PspMapThreadCreationFlags(x,x)+14j
		or	eax, 4
		mov	[edx], eax
		jmp	short loc_770370
; 

loc_770397:				; CODE XREF: PspMapThreadCreationFlags(x,x)+1Ej
		or	eax, 100h
		mov	[edx], eax
		jmp	short loc_77037A
; 

loc_7703A0:				; CODE XREF: PspMapThreadCreationFlags(x,x)+23j
		or	eax, 200h
		mov	[edx], eax
		retn
_PspMapThreadCreationFlags@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspInsertThread(x, x, x, x,	x, x, x, x, x, x, x)
_PspInsertThread@44 proc near		; CODE XREF: PspCreateThread+265p
					; PAGE:007A3568p ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0C70
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		push	ecx
		push	ecx
		push	ebx
		sub	esp, 38h
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, edx
		mov	[ebp+var_28], esi
		mov	edi, ecx
		mov	[ebp+var_38], edi
		and	[ebp+var_2C], 0
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+var_44], eax
		mov	eax, [edi+0A8h]
		mov	[ebp+var_40], eax
		and	[ebp+var_34], 0
		and	[ebp+var_30], 0
		mov	edx, [ebx+18h]
		test	edx, edx
		jz	short loc_770465
		mov	eax, [edx+10h]
		mov	[ebp+var_3C], eax
		mov	ecx, [edx+4]
		mov	eax, ecx
		and	eax, 4000h
		mov	[ebp+var_34], eax
		lea	eax, [edx+98h]
		mov	esi, [ebp+var_34]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	[ebp+var_34], esi
		and	ecx, 1000h
		lea	eax, [edx+0C4h]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	[ebp+var_30], ecx
		mov	esi, [ebp+var_28]
		jmp	short loc_770469
; 

loc_770465:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+7Cj
		and	[ebp+var_3C], 0

loc_770469:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+BBj
		mov	eax, [ebx+0Ch]
		test	byte ptr [eax],	20h
		jnz	short loc_77047E
		lea	ecx, [esi+0E0h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx

loc_77047E:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+C7j
		mov	ecx, [esi+158h]
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	short loc_7704E2
		test	dword ptr [edi+58h], 400h
		jnz	short loc_7704E2
		push	1
		lea	eax, [ecx+20h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	[ebp+var_2C], 1
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_24]
		test	edx, edx
		jz	short loc_7704E5
		test	byte ptr [ecx+18Ch], 10h
		jz	short loc_7704E5
		movzx	eax, word ptr [edx+4]
		mov	eax, [ecx+eax*4+164h]
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	short loc_7704D9
		mov	ecx, [edx]
		mov	eax, ecx
		and	eax, [ebp+var_30]
		cmp	eax, ecx
		mov	ecx, [ebp+var_24]
		jz	short loc_7704E5

loc_7704D9:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+121j
		mov	[ebp+var_2C], 5
		jmp	short loc_7704E5
; 

loc_7704E2:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+E1j
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+EAj
		mov	edx, [ebp+var_30]

loc_7704E5:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+106j
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+10Fj ...
		cmp	[ebp+var_2C], 4
		jnb	short loc_770520
		mov	eax, [esi+0FCh]
		mov	[ebp+var_30], eax
		and	eax, 4000008h
		cmp	eax, 4000000h
		jnz	short loc_770520
		test	[ebp+var_30], 40000000h
		jz	short loc_77051A
		test	dword ptr [edi+58h], 400h
		jnz	short loc_77051A
		mov	eax, [ebx+0Ch]
		test	byte ptr [eax],	2
		jz	short loc_770520

loc_77051A:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+15Fj
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+168j
		and	[ebp+var_30], 0
		jmp	short loc_770527
; 

loc_770520:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+141j
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+156j ...
		mov	[ebp+var_30], 0C0000001h

loc_770527:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+176j
		mov	eax, [ebp+var_2C]
		and	eax, 1
		mov	[ebp+var_48], eax
		cmp	[ebp+var_30], 0
		jge	loc_7705E1
		test	eax, eax
		jz	short loc_770546
		add	ecx, 20h
		call	ExReleaseResourceLite

loc_770546:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+194j
		lea	ecx, [esi+0E0h]
		mov	[ebp+var_44], ecx
		or	esi, 0FFFFFFFFh
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_770566
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_44]

loc_770566:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+1B4j
		call	KeAbPostRelease
		lea	esi, [edi+2F0h]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_770585
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_770585:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+1D4j
		mov	ecx, esi
		call	KeAbPostRelease
		push	2
		pop	edx
		mov	ecx, [edi+28h]
		call	_MmDeleteKernelStack@8 ; MmDeleteKernelStack(x,x)
		and	dword ptr [edi+20h], 0
		mov	edi, [ebx+14h]
		mov	esi, [ebp+var_28]
		test	edi, edi
		jz	short loc_7705C3
		mov	edx, [ebp+var_40]
		test	edx, edx
		jz	short loc_7705B3
		mov	ecx, esi
		call	_MmDeleteTeb@8	; MmDeleteTeb(x,x)

loc_7705B3:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+202j
		cmp	byte ptr [edi],	0
		jz	short loc_7705C3
		push	edi
		push	dword ptr [ebx+8]
		mov	ecx, esi
		call	_PspDeleteUserStack@16 ; PspDeleteUserStack(x,x,x,x)

loc_7705C3:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+1FBj
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+20Ej
		mov	eax, [esi+0FCh]
		and	eax, 40000008h
		neg	eax
		sbb	eax, eax
		and	eax, 109h
		add	eax, 0C0000001h
		jmp	loc_770B51
; 

loc_7705E1:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+18Cj
		push	[ebp+var_34]
		mov	ecx, edi
		call	KeStartThread
		cmp	[ebp+var_48], 0
		jz	short loc_770600
		mov	ecx, [ebp+var_24]
		add	ecx, 20h
		call	ExReleaseResourceLite
		and	[ebp+var_2C], 0FFFFFFFEh

loc_770600:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+247j
		mov	eax, [esi+0FCh]
		push	2
		pop	edx
		test	eax, 40000000h
		jz	short loc_77062C
		mov	[ebp+var_48], eax
		mov	eax, [ebx+0Ch]
		test	[eax], dl
		jz	short loc_770629
		or	dword ptr [edi+300h], 40h
		mov	eax, [esi+0FCh]
		jmp	short loc_77062C
; 

loc_770629:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+270j
		mov	eax, [ebp+var_48]

loc_77062C:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+266j
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+27Fj
		shr	eax, 1Bh
		and	eax, 7
		mov	ecx, [edi+2FCh]
		and	ecx, 0FFFFF1FFh
		shl	eax, 9
		or	ecx, eax
		mov	[edi+2FCh], ecx
		mov	eax, [esi+0F8h]
		xor	eax, ecx
		and	eax, 7000h
		xor	eax, ecx
		mov	[edi+2FCh], eax
		inc	dword ptr [esi+1D8h]
		mov	eax, [esi+1D8h]
		cmp	eax, [esi+390h]
		jbe	short loc_77067E
		mov	eax, [esi+1D8h]
		mov	[esi+390h], eax

loc_77067E:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+2C8j
		cmp	dword ptr [esi+1D8h], 1
		jnz	short loc_77068C
		or	[ebp+var_2C], edx
		jmp	short loc_7706A7
; 

loc_77068C:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+2DDj
		cmp	[esi+1D8h], edx
		jnz	short loc_7706A7
		lea	eax, [esi+0F8h]
		test	dword ptr [eax], 8000h
		jnz	short loc_7706A7
		lock bts dword ptr [eax], 0Fh

loc_7706A7:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+2E2j
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+2EAj ...
		lea	eax, [esi+398h]
		mov	[ebp+var_34], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [edi+2E4h]
		add	esi, 1D0h
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jz	short loc_7706D1
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_7706D1:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+322j
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esi+4], eax
		or	esi, 0FFFFFFFFh
		mov	eax, esi
		mov	ecx, [ebp+var_34]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7706F5
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_34]

loc_7706F5:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+343j
		call	KeAbPostRelease
		mov	ecx, [ebp+var_28]
		cmp	dword ptr [ecx+3DCh], 0
		jz	short loc_77070B
		lock bts dword ptr [edi], 17h

loc_77070B:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+35Cj
		add	ecx, 0E0h
		mov	[ebp+var_48], ecx
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_770728
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_48]

loc_770728:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+376j
		call	KeAbPostRelease
		mov	eax, [ebx+0Ch]
		mov	esi, [ebp+var_28]
		test	byte ptr [eax],	40h
		jz	short loc_77073F
		mov	ecx, esi
		call	PspChangeProcessExecutionState

loc_77073F:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+38Ej
		push	ecx
		push	2
		pop	edx
		mov	ecx, edi
		call	ObReferenceObjectExWithTag
		mov	dword ptr [edi+338h], 1
		mov	eax, [ebx+0Ch]
		test	byte ptr [eax],	1
		jz	short loc_7707A9
		and	[ebp+var_4], 0
		mov	ecx, edi
		call	KeSuspendThread
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_770799
; 

loc_770770:				; DATA XREF: .text:006A0C84o
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	ecx, [eax]
		xor	eax, eax
		cmp	ecx, 0C000004Ah
		setz	al
		retn
; 

loc_770786:				; DATA XREF: .text:006A0C88o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-38h]
		mov	esi, [ebp-28h]

loc_770799:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+3C6j
		test	byte ptr [edi+2FCh], 1
		jz	short loc_7707A9
		mov	ecx, edi
		call	_KeForceResumeThread@4 ; KeForceResumeThread(x)

loc_7707A9:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+3B2j
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+3F8j
		and	[ebp+var_34], 0
		mov	eax, [ebx+20h]
		cmp	byte ptr [eax+13Ch], 0
		jz	short loc_7707C6
		mov	eax, [ebx+0Ch]
		test	byte ptr [eax],	10h
		jnz	short loc_7707C6
		mov	esi, [ebp+var_44]
		jmp	short loc_7707CD
; 

loc_7707C6:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+40Fj
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+417j
		mov	[ebp+var_34], 1

loc_7707CD:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+41Cj
		mov	eax, ds:_PsThreadType
		add	eax, 34h
		push	eax		; int
		push	dword ptr [ebx+10h] ; int
		mov	ecx, [ebx+20h]
		lea	eax, [ecx+74h]
		push	eax		; void *
		push	ecx		; void *
		push	esi		; int
		push	0		; int
		call	_SeCreateAccessStateEx@24 ; SeCreateAccessStateEx(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		mov	ecx, edi
		test	esi, esi
		js	loc_7708D2
		xor	eax, eax
		push	eax
		push	eax
		push	[ebp+var_34]
		push	eax
		push	dword ptr [ebx+10h]
		mov	edx, [ebx+20h]
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_7708BC
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_770864
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_40]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_770864
; 

loc_77083B:				; DATA XREF: .text:006A0C90o
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_77084C:				; DATA XREF: .text:006A0C94o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	eax, [ebp-4Ch]
		mov	[ebp-24h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-38h]
		mov	esi, eax

loc_770864:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+47Cj
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+491j
		push	2
		pop	eax
		test	esi, esi
		js	short loc_7708BC
		mov	ecx, [ebx+28h]
		test	ecx, ecx
		jz	short loc_7708B8
		mov	[ebp+var_4], eax
		mov	eax, [edi+2ACh]
		mov	[ecx], eax
		mov	eax, [edi+2B0h]
		mov	[ecx+4], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_7708B8
; 

loc_77088F:				; DATA XREF: .text:006A0C9Co
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7708A0:				; DATA XREF: .text:006A0CA0o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	eax, [ebp-50h]
		mov	[ebp-24h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-38h]
		mov	esi, eax

loc_7708B8:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+4C8j
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+4E5j
		test	esi, esi
		jns	short loc_7708D7

loc_7708BC:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+46Aj
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+4C1j
		mov	ecx, [ebx+20h]
		call	SepDeleteAccessState
		mov	eax, [ebx+20h]
		add	eax, 1Ch
		push	eax
		call	SeReleaseSubjectContext
		jmp	short loc_7708D7
; 

loc_7708D2:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+44Aj
		call	ObfDereferenceObject

loc_7708D7:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+512j
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+528j
		lea	edx, [edi+2F0h]
		test	esi, esi
		js	loc_7709FF
		lea	eax, [edi+2FCh]
		push	2
		pop	ecx
		lock or	[eax], ecx
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		and	al, 6
		cmp	al, cl
		jnz	short loc_77090B
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	edx, [edi+2F0h]

loc_77090B:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+554j
		mov	ecx, edx
		call	KeAbPostRelease

loc_770912:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+68Cj
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+695j
		mov	esi, [ebp+var_28]

loc_770915:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+6A9j
		and	[ebp+var_40], 0
		test	byte ptr [ebp+var_2C], 2
		jz	short loc_770965
		mov	eax, ds:_PerfGlobalGroupMask
		test	al, 1
		jz	short loc_770934
		mov	edx, 301h
		mov	ecx, esi
		call	EtwTraceProcess

loc_770934:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+57Ej
		cmp	dword ptr [esi+3E0h], 0
		jz	short loc_770944
		mov	ecx, esi
		call	_PoEnergyContextStart@4	; PoEnergyContextStart(x)

loc_770944:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+593j
		test	byte ptr [esi+3A8h], 1
		jz	short loc_770956
		cmp	dword ptr [esi+3D4h], 0
		jz	short loc_770965

loc_770956:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+5A3j
		push	1
		mov	edx, [ebx+18h]
		mov	ecx, esi
		call	PspCallProcessNotifyRoutines
		mov	[ebp+var_40], eax

loc_770965:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+575j
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+5ACj
		test	byte ptr ds:_PerfGlobalGroupMask, 2
		jz	short loc_77097A
		push	1
		mov	edx, [ebx+8]
		mov	ecx, edi
		call	EtwTraceThread

loc_77097A:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+5C4j
		test	byte ptr [esi+3A8h], 1
		jz	short loc_77098C
		cmp	dword ptr [esi+3D4h], 0
		jz	short loc_770997

loc_77098C:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+5D9j
		push	0
		mov	dl, 1
		mov	ecx, edi
		call	PspCallThreadNotifyRoutines

loc_770997:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+5E2j
		mov	eax, [ebp+var_24]
		test	eax, eax
		js	loc_770B45
		mov	eax, [ebp+var_40]
		test	eax, eax
		js	short loc_7709B9
		push	ds:_PsThreadType
		mov	edx, [ebx+20h]
		mov	ecx, edi
		call	PspCreateObjectHandle

loc_7709B9:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+5FFj
		mov	[ebp+var_24], eax
		mov	ecx, [ebx+20h]
		call	SepDeleteAccessState
		mov	eax, [ebx+20h]
		add	eax, 1Ch
		push	eax
		call	SeReleaseSubjectContext
		mov	eax, [ebp+var_24]
		test	eax, eax
		js	loc_770AFE
		mov	edx, [ebx+18h]
		test	edx, edx
		jz	short loc_770A56
		mov	eax, [edx+0F0h]
		test	eax, eax
		jz	short loc_770A56
		push	dword ptr [edx+0F8h]
		mov	edx, eax
		mov	ecx, esi
		call	_PspAssignProcessToJobList@12 ;	PspAssignProcessToJobList(x,x,x)
		mov	esi, eax
		jmp	short loc_770A59
; 

loc_7709FF:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+537j
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_770A19
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	edx, [edi+2F0h]

loc_770A19:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+662j
		mov	ecx, edx
		call	KeAbPostRelease
		mov	eax, [ebx+0Ch]
		test	byte ptr [eax],	1
		jz	short loc_770A2F
		mov	ecx, edi
		call	_KeForceResumeThread@4 ; KeForceResumeThread(x)

loc_770A2F:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+67Ej
		mov	eax, [ebx+14h]
		test	eax, eax
		jz	loc_770912
		cmp	byte ptr [eax],	0
		jz	loc_770912
		push	eax
		push	dword ptr [ebx+8]
		mov	esi, [ebp+var_28]
		mov	ecx, esi
		call	_PspDeleteUserStack@16 ; PspDeleteUserStack(x,x,x,x)
		jmp	loc_770915
; 

loc_770A56:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+638j
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+642j
		mov	esi, [ebp+var_24]

loc_770A59:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+655j
		test	esi, esi
		js	short loc_770AB3
		mov	[ebp+var_4], 3
		mov	eax, [ebx+20h]
		mov	ecx, [eax+140h]
		mov	eax, [ebx+24h]
		mov	[eax], ecx
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_770AAB
; 

loc_770A7B:				; DATA XREF: .text:006A0CA8o
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		xor	eax, eax
		mov	ecx, [ebx+20h]
		cmp	byte ptr [ecx+13Ch], 1
		setz	al
		retn
; 

loc_770A98:				; DATA XREF: .text:006A0CACo
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	esi, [ebp-54h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-38h]

loc_770AAB:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+6D1j
		test	esi, esi
		jns	loc_770B48

loc_770AB3:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+6B3j
		mov	eax, [ebx+20h]
		test	dword ptr [eax+138h], 200h
		jnz	short loc_770AD5
		mov	eax, [ebp+var_44]
		test	dword ptr [eax+3A8h], 1000h
		mov	byte ptr [ebp+var_44], 1
		jz	short loc_770AD9

loc_770AD5:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+718j
		mov	byte ptr [ebp+var_44], 0

loc_770AD9:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+72Bj
		push	[ebp+var_44]
		mov	eax, [ebx+20h]
		push	dword ptr [eax+140h]
		call	ObCloseHandle
		mov	eax, [ebx+14h]
		test	eax, eax
		jz	short loc_770B01
		test	byte ptr [eax],	1
		jz	short loc_770B01
		push	esi
		call	_KeRaiseUserException@4	; KeRaiseUserException(x)
		jmp	short loc_770B01
; 

loc_770AFE:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+62Dj
		mov	esi, [ebp+var_24]

loc_770B01:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+747j
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+74Cj ...
		test	esi, esi
		jns	short loc_770B48
		lea	eax, [edi+2FCh]
		lock bts dword ptr [eax], 0
		jb	short loc_770B16
		or	[ebp+var_2C], 8

loc_770B16:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+768j
		test	dword ptr [edi+58h], 400h
		jnz	short loc_770B34
		cmp	[ebp+var_2C], 8
		jb	short loc_770B2B
		mov	[edi+324h], esi

loc_770B2B:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+77Bj
		mov	ecx, edi
		call	KeRequestTerminationThread
		jmp	short loc_770B48
; 

loc_770B34:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+775j
		mov	eax, [ebx+0Ch]
		test	byte ptr [eax],	1
		jz	short loc_770B48
		mov	ecx, edi
		call	_KeForceResumeThread@4 ; KeForceResumeThread(x)
		jmp	short loc_770B48
; 

loc_770B45:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+5F4j
		mov	esi, [ebp+var_24]

loc_770B48:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+705j
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+75Bj ...
		mov	ecx, edi
		call	_KeReadyThread@4 ; KeReadyThread(x)
		mov	eax, esi

loc_770B51:				; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+234j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	24h
_PspInsertThread@44 endp ; sp =	 4

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspCreateObjectHandle proc near		; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+60Cp
					; PAGE:007A35C6p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D92D5 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		movzx	eax, byte ptr [esi+13Ch]
		lea	ebx, [esi+140h]
		push	ebx
		push	eax
		push	[ebp+arg_0]
		push	0
		push	esi
		push	dword ptr [esi+138h]
		push	ecx
		call	ObOpenObjectByPointer
		mov	edi, eax
		test	edi, edi
		js	short loc_770BAB
		mov	ecx, [esi+30h]
		mov	ecx, [ecx]
		test	ecx, ecx
		jz	short loc_770BAB
		cmp	dword ptr [ecx], 0
		ja	loc_8D92D5

loc_770BAB:				; CODE XREF: PspCreateObjectHandle+2Fj
					; PspCreateObjectHandle+38j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
PspCreateObjectHandle endp

; 
		align 8

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspAllocateThread proc near		; CODE XREF: PspCreateThread+20Ap
					; PAGE:007A3427p ...

var_90		= dword	ptr -90h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 008D92F3 SIZE 00000051 BYTES
; FUNCTION CHUNK AT 008D9375 SIZE 000000A6 BYTES
; FUNCTION CHUNK AT 008D9434 SIZE 000000E3 BYTES
; FUNCTION CHUNK AT 008D9548 SIZE 00000075 BYTES

		push	80h
		push	offset dword_6A0CB0
		call	__SEH_prolog4_GS
		mov	[ebp+var_50], edx
		mov	esi, ecx
		mov	[ebp+var_40], esi
		mov	[ebp+var_6C], esi
		mov	[ebp+var_7C], edx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_5C], eax
		mov	[ebp+var_84], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_90], eax
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_70], eax
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_74], eax
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_38]
		rep stosd
		xor	ebx, ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_60], ebx
		mov	eax, large fs:124h
		mov	[ebp+var_88], eax
		mov	[ebp+var_54], ebx
		mov	eax, [ebp+var_5C]
		test	eax, eax
		jz	loc_8D92F3
		mov	eax, [eax]
		mov	[ebp+var_64], eax

loc_770C33:				; CODE XREF: PspAllocateThread+16873Ej
		mov	ecx, [ebp+var_4C]
		test	ecx, ecx
		jz	short loc_770C76
		mov	[ebp+var_3C], ebx
		mov	eax, [ecx+4]
		mov	[ebp+var_5C], eax
		mov	edi, eax
		and	edi, 1000h
		lea	eax, [ecx+0C4h]
		neg	edi
		sbb	edi, edi
		and	edi, eax
		test	[ebp+var_5C], 4000h
		jnz	loc_77106B
		mov	eax, ebx

loc_770C66:				; CODE XREF: PspAllocateThread+4C3j
		test	eax, eax
		jnz	loc_771080
		test	edi, edi
		jnz	loc_77100A

loc_770C76:				; CODE XREF: PspAllocateThread+80j
					; PspAllocateThread+454j ...
		mov	ecx, [ebp+var_74]
		mov	[ecx+138h], ebx
		mov	al, byte ptr [ebp+arg_0]
		mov	[ecx+13Ch], al
		cmp	[ebp+var_48], ebx
		jz	loc_770FCA
		cmp	esi, ds:_PsInitialSystemProcess
		jz	loc_8D9331
		test	edx, edx
		jz	short loc_770CDC
		mov	[ebp+ms_exc.disabled], ebx
		cmp	al, 1
		jz	loc_771052

loc_770CAC:				; CODE XREF: PspAllocateThread+4AEj
		xor	eax, eax
		cmp	byte ptr [ebp+arg_0], al
		setz	al
		dec	eax
		and	eax, 0FFFEFE00h
		add	eax, 11FF2h
		and	eax, [edx+0Ch]
		mov	[ecx+138h], eax
		mov	edi, ebx
		mov	[ebp+var_68], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_770CD4:				; CODE XREF: sub_8D9352+1Ej
		test	edi, edi
		js	loc_8D9336

loc_770CDC:				; CODE XREF: PspAllocateThread+E7j
					; PspAllocateThread+414j ...
		call	_PoEnergyEstimationEnabled@0 ; PoEnergyEstimationEnabled()
		mov	cl, al
		mov	[ebp+var_41], cl
		xor	eax, eax
		test	cl, cl
		setnz	al
		dec	eax
		and	eax, 0FFFFFF38h
		add	eax, 5A8h
		mov	[ebp+var_3C], eax
		call	_KeQueryMaximumGroupCount@0 ; KeQueryMaximumGroupCount()
		movzx	ecx, ax
		mov	[ebp+var_4C], ebx
		mov	eax, [ebp+var_3C]
		cmp	ecx, 1
		ja	loc_8D9375

loc_770D12:				; CODE XREF: PspAllocateThread+1687CCj
		mov	edx, ds:_PsThreadType
		push	ebx
		lea	ecx, [ebp+var_60]
		push	ecx
		push	eax
		push	ebx
		push	eax
		push	ecx
		push	[ebp+arg_0]
		push	[ebp+var_50]
		mov	cl, byte ptr [ebp+arg_0]
		call	ObCreateObjectEx
		mov	edi, eax
		test	edi, edi
		js	loc_8D9336
		mov	eax, [ebp+var_3C]
		push	eax		; size_t
		push	ebx		; int
		mov	esi, [ebp+var_60]
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+var_41], 0
		jz	short loc_770D61
		lea	eax, [esi+4E0h]
		mov	[esi+388h], eax
		lock bts dword ptr [esi], 15h

loc_770D61:				; CODE XREF: PspAllocateThread+196j
		cmp	ds:_KiSchedulerAssistThreadFlagEnabled,	0
		jnz	loc_7710D9

loc_770D6E:				; CODE XREF: PspAllocateThread+526j
		mov	eax, [ebp+var_4C]
		test	eax, eax
		jnz	loc_8D93A4

loc_770D79:				; CODE XREF: PspAllocateThread+1687FEj
		lea	ecx, [esi+2ECh]
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	eax, [ebp+var_40]
		mov	eax, [eax+0E4h]
		mov	[esi+2ACh], eax
		mov	ecx, [ebp+arg_18]
		mov	eax, [ecx]
		test	al, 4
		jnz	loc_8D93BB

loc_770DA0:				; CODE XREF: PspAllocateThread+16880Cj
		test	eax, 200h
		jnz	loc_8D93C9

loc_770DAB:				; CODE XREF: PspAllocateThread+168818j
		mov	[esi+2F0h], ebx
		mov	dword ptr [esi+2F4h], 7
		push	1
		push	ebx
		lea	eax, [esi+2B4h]
		push	eax
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		lea	eax, [esi+288h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+33Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+344h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[esi+34Ch], ebx
		lea	eax, [esi+370h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[eax+8], ebx
		lea	eax, [esi+2CCh]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[esi+350h], ebx
		mov	[esi+2A0h], ebx
		lea	eax, [esi+2A4h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	dword ptr [esi+390h], 0FFFFFFFDh
		call	_KeQuerySystemTimeUnsafe@0 ; KeQuerySystemTimeUnsafe()
		or	eax, edx
		lea	eax, [esi+280h]
		push	eax
		jz	loc_7710BC
		call	_KeQuerySystemTimePrecise@4 ; KeQuerySystemTimePrecise(x)

loc_770E44:				; CODE XREF: PspAllocateThread+509j
		lea	eax, [esi+3A4h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[esi+3ACh], ebx
		lea	eax, [esi+3B0h]
		mov	[eax+4], eax
		mov	[eax], eax
		xor	edx, edx
		lea	ecx, [esi+2F0h]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, ds:_PspCidTable
		push	ebx
		push	ebx
		push	ebx
		mov	edx, esi
		call	ExCreateHandleEx
		mov	[esi+2B0h], eax
		test	eax, eax
		jz	loc_8D93D5
		cmp	[ebp+var_48], 0
		jz	loc_770FE5
		mov	edx, [ebp+arg_18]
		mov	edx, [edx]
		mov	eax, edx
		and	eax, 40h
		shl	eax, 4
		movzx	ecx, ax
		mov	eax, ecx
		mov	[ebp+var_3C], eax
		test	dl, 2
		jnz	loc_8D9400

loc_770EB3:				; CODE XREF: PspAllocateThread+168851j
		test	dl, dl
		js	loc_770FBD

loc_770EBB:				; CODE XREF: PspAllocateThread+40Dj
		test	edx, 100h
		jnz	loc_8D940E

loc_770EC7:				; CODE XREF: PspAllocateThread+16885Ej
		mov	eax, [ebp+var_70]
		test	eax, eax
		jz	loc_8D9434
		push	[ebp+var_54]
		push	eax
		push	[ebp+var_64]
		mov	edx, [ebp+var_48]
		mov	ecx, [ebp+var_40]
		call	PspSetupUserStack
		mov	edi, eax
		test	edi, edi
		js	loc_8D9569
		lea	eax, [ebp+var_58]
		push	eax
		push	ecx
		lea	ecx, [esi+2ACh]
		push	ecx
		mov	edx, [ebp+var_64]
		mov	ecx, [ebp+var_40]
		call	MmCreateTeb
		mov	edi, eax
		test	edi, edi
		js	loc_8D9569
		mov	ecx, [ebp+var_48]
		mov	eax, [ecx+0B8h]
		mov	[esi+298h], eax
		mov	eax, [ecx+0B0h]
		mov	[esi+2DCh], eax
		mov	edi, [ebp+var_3C]
		test	di, di
		jnz	short loc_770F7B

loc_770F32:				; CODE XREF: PspAllocateThread+3FAj
					; PspAllocateThread+1688B9j
		push	[ebp+var_54]
		push	[ebp+var_40]
		push	[ebp+var_58]
		push	[ebp+var_48]
		push	dword ptr [esi+298h]
		push	[ebp+arg_10]
		push	offset PspUserThreadStartup

loc_770F4C:				; CODE XREF: PspAllocateThread+44Dj
		xor	edx, edx
		mov	ecx, esi
		call	KeInitThread
		mov	edi, eax
		test	edi, edi
		js	loc_8D9552
		mov	eax, [ebp+var_90]
		mov	[eax], esi
		xor	eax, eax

loc_770F69:				; CODE XREF: PspAllocateThread+1687E7j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	28h
; 

loc_770F7B:				; CODE XREF: PspAllocateThread+378j
		lea	eax, [ebp+var_38]
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+var_40]
		call	KiStackAttachProcess
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_58]
		mov	[eax+0FCAh], di
		mov	edi, ebx
		mov	[ebp+var_68], edi

loc_770F9F:				; CODE XREF: PspAllocateThread+16895Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_770FA6:				; CODE XREF: sub_8D9429+11Aj
					; PspAllocateThread+168995j
		xor	edx, edx
		lea	ecx, [ebp+var_38]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		test	edi, edi
		jns	loc_770F32
		jmp	loc_8D9569
; 

loc_770FBD:				; CODE XREF: PspAllocateThread+2FDj
		or	eax, 2000h
		mov	[ebp+var_3C], eax
		jmp	loc_770EBB
; 

loc_770FCA:				; CODE XREF: PspAllocateThread+D3j
		test	edx, edx
		jz	loc_770CDC
		mov	eax, [edx+0Ch]
		and	eax, 11FF2h
		mov	[ecx+138h], eax
		jmp	loc_770CDC
; 

loc_770FE5:				; CODE XREF: PspAllocateThread+2D7j
		mov	eax, [ebp+arg_10]
		mov	[esi+298h], eax
		mov	[esi+2DCh], eax
		push	[ebp+var_54]
		push	[ebp+var_40]
		push	ebx
		push	ebx
		push	[ebp+arg_14]
		push	eax
		push	offset PspSystemThreadStartup
		jmp	loc_770F4C
; 

loc_77100A:				; CODE XREF: PspAllocateThread+B8j
		cmp	[edi], ebx
		jz	loc_770C76
		mov	ecx, edi
		call	KeSelectNodeForAffinity
		movzx	ecx, word ptr [eax+8Ah]
		inc	ecx
		mov	[ebp+var_54], ecx
		mov	edx, [ebp+var_5C]
		or	edx, 4000h
		mov	ecx, [ebp+var_4C]
		mov	[ecx+4], edx
		push	ebx
		push	ebx
		mov	edx, edi
		mov	ecx, eax
		call	_KeSelectIdealProcessor@16 ; KeSelectIdealProcessor(x,x,x,x)
		movzx	eax, ax
		mov	ecx, [ebp+var_4C]
		mov	[ecx+98h], eax
		mov	edx, [ebp+var_50]
		jmp	loc_770C76
; 

loc_771052:				; CODE XREF: PspAllocateThread+EEj
		mov	eax, edx
		test	dl, 3
		jnz	short loc_7710D0
		mov	edi, ds:_MmUserProbeAddress
		cmp	edx, edi
		jnb	short loc_7710D5

loc_771063:				; CODE XREF: PspAllocateThread+51Fj
		nop
		mov	al, [eax]
		jmp	loc_770CAC
; 

loc_77106B:				; CODE XREF: PspAllocateThread+A6j
		mov	eax, [ecx+98h]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	[ebp+var_3C], eax
		jmp	loc_770C66
; 

loc_771080:				; CODE XREF: PspAllocateThread+B0j
		test	edi, edi
		jz	loc_8D92FB
		movzx	eax, byte ptr [eax+3C5h]
		cmp	ax, [edi+4]
		jnz	short loc_7710C6
		mov	eax, [edi]
		mov	edi, [ebp+var_3C]
		test	eax, eax
		jz	short loc_7710A6
		test	[edi+3C8h], eax
		jz	short loc_7710C6

loc_7710A6:				; CODE XREF: PspAllocateThread+4E4j
					; PspAllocateThread+168774j
		mov	eax, [edi+338h]
		movzx	eax, word ptr [eax+8Ah]
		inc	eax
		mov	[ebp+var_54], eax
		jmp	loc_770C76
; 

loc_7710BC:				; CODE XREF: PspAllocateThread+281j
		call	KeQuerySystemTime
		jmp	loc_770E44
; 

loc_7710C6:				; CODE XREF: PspAllocateThread+4DBj
					; PspAllocateThread+4ECj
		mov	edi, 0C0000030h
		jmp	loc_8D9336
; 

loc_7710D0:				; CODE XREF: PspAllocateThread+49Fj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7710D5:				; CODE XREF: PspAllocateThread+4A9j
		mov	eax, edi
		jmp	short loc_771063
; 

loc_7710D9:				; CODE XREF: PspAllocateThread+1B0j
		lock bts dword ptr [esi], 16h
		jmp	loc_770D6E
PspAllocateThread endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspExitThread	proc near		; CODE XREF: NtTerminateProcess+C1p
					; KiSchedulerApcTerminate+34p ...

var_78		= dword	ptr -78h
var_74		= word ptr -74h
var_72		= word ptr -72h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D95BD SIZE 000001B0 BYTES
; FUNCTION CHUNK AT 008D9788 SIZE 0000003D BYTES

		push	68h
		push	offset dword_6A0D08
		call	__SEH_prolog4
		mov	[ebp+var_20], ecx
		push	8
		pop	eax
		mov	ecx, eax
		xor	eax, eax
		lea	edi, [ebp+var_78]
		rep stosd
		xor	ebx, ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], ebx
		mov	edi, large fs:124h
		mov	[ebp+var_38], edi
		mov	esi, [edi+150h]
		mov	[ebp+var_30], esi
		mov	[ebp+var_44], esi
		push	edi
		mov	edx, [edi+2B0h]
		mov	ecx, edi
		call	_PspClearProcessThreadCidRefs@12 ; PspClearProcessThreadCidRefs(x,x,x)
		mov	ecx, [edi+80h]
		cmp	esi, ecx
		jnz	loc_8D95BD
		xor	cl, cl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	byte ptr [edi+300h], 1
		jnz	loc_8D95DA
		mov	eax, [edi+13Ch]
		test	eax, eax
		jnz	loc_8D95E5
		cmp	[edi+290h], ebx
		jnz	loc_8D95EE

loc_77116E:				; CODE XREF: PspExitThread+168529j
		lea	ecx, [edi+370h]
		call	_PspEmptyPropertySet@4 ; PspEmptyPropertySet(x)
		mov	ecx, edi
		call	PspRevertContainerImpersonation
		lea	ecx, [edi+2ECh]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	eax, [edi+2E0h]
		mov	[ebp+var_2C], eax
		test	eax, eax
		jnz	loc_771687

loc_77119C:				; CODE XREF: PspExitThread+5B8j
		mov	[ebp+var_19], bl
		mov	[ebp+var_2C], ebx
		mov	eax, [ebp+var_20]
		mov	[edi+324h], eax
		test	byte ptr ds:_PerfGlobalGroupMask, 2
		jnz	loc_7713D1

loc_7711B8:				; CODE XREF: PspExitThread+2F7j
		dec	word ptr [edi+13Ch]
		nop
		test	byte ptr [esi+3A8h], 1
		jnz	loc_7715DD

loc_7711CD:				; CODE XREF: PspExitThread+505j
		push	ebx
		xor	dl, dl
		mov	ecx, edi
		call	PspCallThreadNotifyRoutines

loc_7711D7:				; CODE XREF: PspExitThread+4FFj
		lea	eax, [esi+0E0h]
		mov	[ebp+var_24], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockExclusiveEx
		dec	dword ptr [esi+1D8h]
		cmp	[esi+1D8h], ebx
		jz	loc_771456
		mov	eax, [ebp+var_20]
		cmp	eax, 0C000004Bh
		jz	short loc_77120B
		mov	[esi+1E4h], eax

loc_77120B:				; CODE XREF: PspExitThread+11Fj
					; PspExitThread+3ABj ...
		or	eax, 0FFFFFFFFh
		lea	ecx, [esi+0E0h]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7715FF

loc_771222:				; CODE XREF: PspExitThread+526j
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	loc_7715EE

loc_771239:				; CODE XREF: PspExitThread+516j
		mov	cl, bl
		mov	eax, [edi+390h]
		cmp	eax, 0FFFFFFFDh
		jnz	loc_8D962D

loc_77124A:				; CODE XREF: PspExitThread+16854Bj
		test	cl, cl
		jnz	loc_8D9634

loc_771252:				; CODE XREF: PspExitThread+1685A5j
		cmp	[esi+190h], ebx
		jnz	loc_8D969D

loc_77125E:				; CODE XREF: PspExitThread+1685C0j
					; PspExitThread+1685D6j ...
		cmp	_KdDebuggerEnabled, bl
		jnz	loc_8D96CC

loc_77126A:				; CODE XREF: PspExitThread+1685EFj
					; PspExitThread+168606j ...
		cmp	[ebp+var_19], bl
		jnz	loc_7714C2

loc_771273:				; CODE XREF: PspExitThread+3E8j
					; PspExitThread+16864Bj
		mov	eax, [edi+29Ch]
		mov	[ebp+var_3C], eax
		test	eax, eax
		jnz	loc_77160F

loc_771284:				; CODE XREF: PspExitThread+59Ej
		test	byte ptr [edi+2FCh], 2
		jz	short loc_7712F5
		mov	ecx, esi
		call	_PsCaptureExceptionPort@4 ; PsCaptureExceptionPort(x)
		mov	[ebp+var_3C], eax
		test	eax, eax
		jz	short loc_7712F5
		push	8
		pop	eax
		mov	word ptr [ebp+var_78], ax
		push	20h
		pop	eax
		mov	word ptr [ebp+var_78+2], ax
		push	6
		pop	eax
		mov	[ebp+var_74], ax
		xor	eax, eax
		mov	[ebp+var_72], ax
		mov	eax, [edi+280h]
		mov	[ebp+var_60], eax
		mov	eax, [edi+284h]
		mov	[ebp+var_5C], eax
		mov	esi, [ebp+var_3C]

loc_7712CB:				; CODE XREF: PspExitThread+16866Dj
		lea	eax, [ebp+var_78]
		push	eax
		push	esi
		call	_LpcRequestPort@8 ; LpcRequestPort(x,x)
		cmp	eax, 0C0000017h
		jz	loc_8D9745
		cmp	eax, 0C000009Ah
		jz	loc_8D9745
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	esi, [ebp+var_30]

loc_7712F5:				; CODE XREF: PspExitThread+1A7j
					; PspExitThread+1B5j
		cmp	[edi+124h], ebx
		jnz	loc_77143C

loc_771301:				; CODE XREF: PspExitThread+36Dj
		cmp	[ebp+var_19], bl
		jnz	loc_7714D7

loc_77130A:				; CODE XREF: PspExitThread+3F9j
					; PspExitThread+411j
		test	byte ptr [edi+5Ch], 40h
		jz	loc_8D95CC
		call	IoCancelThreadIo
		call	ExTimerRundown
		mov	ecx, edi
		call	CmNotifyRunDown
		mov	ecx, large fs:124h
		call	KiRundownMutants
		mov	eax, [edi+0A8h]
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	short loc_771384
		mov	[edi+0A8h], ebx
		dec	word ptr [edi+13Ch]
		nop
		lea	ecx, [edi+2F0h]
		mov	[ebp+var_3C], ebx
		xor	edx, edx
		lea	eax, [ebp+var_3C]
		lock or	[eax], edx
		mov	eax, [ecx]
		test	al, 1
		jnz	loc_8D9756

loc_771367:				; CODE XREF: PspExitThread+168677j
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		test	dword ptr [edi+58h], 400h
		jnz	short loc_771384
		mov	eax, [esi+0FCh]
		test	eax, 40000008h
		jz	short loc_7713E0

loc_771384:				; CODE XREF: PspExitThread+258j
					; PspExitThread+291j ...
		call	_KeQuerySystemTimeUnsafe@0 ; KeQuerySystemTimeUnsafe()
		or	eax, edx
		lea	eax, [edi+288h]
		push	eax
		jz	loc_8D9788
		call	_KeQuerySystemTimePrecise@4 ; KeQuerySystemTimePrecise(x)

loc_77139D:				; CODE XREF: PspExitThread+1686A9j
		cmp	[ebp+var_19], 0
		jnz	loc_7714FA

loc_7713A7:				; CODE XREF: PspExitThread+486j
		mov	ecx, edi
		call	KeRundownApcQueues
		cmp	[edi+1B8h], ebx
		jnz	loc_8D97B0

loc_7713BA:				; CODE XREF: PspExitThread+1686D3j
					; PspExitThread+1686DCj
		mov	ecx, edi
		call	KeTerminateThread
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn			; struct _exception *
; 

loc_7713D1:				; CODE XREF: PspExitThread+CEj
		push	ebx
		xor	edx, edx
		mov	ecx, edi
		call	EtwTraceThread
		jmp	loc_7711B8
; 

loc_7713E0:				; CODE XREF: PspExitThread+29Ej
		mov	[ebp+ms_exc.disabled], ebx
		test	byte ptr [edi+2FCh], 2
		jz	short loc_771415
		mov	eax, [ebp+var_30]
		mov	eax, [eax+0E0Ch]
		mov	[ebp+var_28], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_34], ebx
		mov	[ebp+var_34], ebx
		push	8000h
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)

loc_771415:				; CODE XREF: PspExitThread+306j
		mov	eax, [ebp+var_30]
		mov	eax, [eax+0F24h]
		test	eax, eax
		jnz	loc_8D9760

loc_771426:				; CODE XREF: PspExitThread+168684j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_77142D:				; CODE XREF: sub_8D9771+12j
		mov	edx, [ebp+var_30]
		mov	ecx, esi
		call	_MmDeleteTeb@8	; MmDeleteTeb(x,x)
		jmp	loc_771384
; 

loc_77143C:				; CODE XREF: PspExitThread+217j
		mov	[ebp+var_4C], edi
		xor	eax, eax
		inc	eax
		mov	[ebp+var_48], eax
		push	ebx
		push	ebx
		lea	ecx, [ebp+var_4C]
		push	ecx
		push	eax
		call	PsInvokeWin32Callout
		jmp	loc_771301
; 

loc_771456:				; CODE XREF: PspExitThread+111j
		mov	ecx, 2000008h
		lea	eax, [esi+0FCh]
		lock or	[eax], ecx
		mov	ecx, esi
		call	_KeForceResumeProcess@4	; KeForceResumeProcess(x)
		mov	[ebp+var_19], 1
		cmp	dword ptr [esi+34Ch], 103h
		jz	loc_8D9612

loc_77147F:				; CODE XREF: PspExitThread+168544j
		lea	eax, [esi+1D0h]
		mov	[ebp+var_3C], eax
		mov	ecx, [eax]
		mov	[ebp+var_28], ecx
		cmp	ecx, eax
		jz	loc_77120B
		mov	esi, [ebp+var_24]

loc_771498:				; CODE XREF: PspExitThread+3D4j
		lea	eax, [ecx-2E4h]
		mov	[ebp+var_24], eax
		cmp	eax, edi
		jz	short loc_7714B0
		mov	eax, [eax+4]
		test	al, al
		jz	loc_77156F

loc_7714B0:				; CODE XREF: PspExitThread+3BFj
					; PspExitThread+4F4j
		mov	ecx, [ecx]
		mov	[ebp+var_28], ecx
		cmp	ecx, [ebp+var_3C]
		jnz	short loc_771498
		mov	esi, [ebp+var_30]
		jmp	loc_77120B
; 

loc_7714C2:				; CODE XREF: PspExitThread+189j
		test	dword ptr [esi+0FCh], 2000h
		jz	loc_771273
		jmp	loc_8D9712
; 

loc_7714D7:				; CODE XREF: PspExitThread+220j
		cmp	[esi+154h], ebx
		jz	loc_77130A
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_54]
		push	eax
		push	ebx
		call	PsInvokeWin32Callout
		jmp	loc_77130A
; 

loc_7714FA:				; CODE XREF: PspExitThread+2BDj
		lea	ecx, [edi+288h]
		mov	eax, [ecx]
		mov	[esi+388h], eax
		mov	eax, [ecx+4]
		mov	[esi+38Ch], eax
		mov	edx, esi
		mov	cl, 1
		call	PspExitProcess
		push	esi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	[ebp+var_44], eax
		mov	edx, eax
		mov	ecx, 87h
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jnz	loc_8D9792

loc_771537:				; CODE XREF: PspExitThread+1686BBj
		lea	ecx, [esi+12Ch]
		mov	edx, [ebp+var_44]
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		cmp	[esi+0F4h], ebx
		jnz	loc_8D97A4

loc_771551:				; CODE XREF: PspExitThread+1686C7j
		xor	edx, edx
		mov	ecx, esi
		call	_ExWnfExitProcess@8 ; ExWnfExitProcess(x,x)
		mov	dl, 1
		mov	ecx, esi
		call	_PspRundownSingleProcess@8 ; PspRundownSingleProcess(x,x)
		mov	ecx, esi
		call	_LpcExitProcess@4 ; LpcExitProcess(x)
		jmp	loc_7713A7
; 

loc_77156F:				; CODE XREF: PspExitThread+3C6j
		mov	edx, 65547350h
		mov	ecx, [ebp+var_24]
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	short loc_7715D5
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7716A1

loc_771591:				; CODE XREF: PspExitThread+5C4j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_24]
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jz	short loc_7715BE
		mov	edx, 65547350h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_7715BE:				; CODE XREF: PspExitThread+4CCj
		mov	eax, [ebp+var_24]
		mov	[ebp+var_2C], eax
		dec	word ptr [edi+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx

loc_7715D5:				; CODE XREF: PspExitThread+49Aj
		mov	ecx, [ebp+var_28]
		jmp	loc_7714B0
; 

loc_7715DD:				; CODE XREF: PspExitThread+E3j
		cmp	[esi+3D4h], ebx
		jz	loc_7711D7
		jmp	loc_7711CD
; 

loc_7715EE:				; CODE XREF: PspExitThread+14Fj
		mov	edx, 65547350h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		jmp	loc_771239
; 

loc_7715FF:				; CODE XREF: PspExitThread+138j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi+0E0h]
		jmp	loc_771222
; 

loc_77160F:				; CODE XREF: PspExitThread+19Aj
		push	8
		pop	eax
		mov	word ptr [ebp+var_78], ax
		push	20h
		pop	eax
		mov	word ptr [ebp+var_78+2], ax
		push	6
		pop	eax
		mov	[ebp+var_74], ax
		xor	eax, eax
		mov	[ebp+var_72], ax
		mov	eax, [edi+280h]
		mov	[ebp+var_60], eax
		mov	eax, [edi+284h]
		mov	[ebp+var_5C], eax
		mov	edi, [ebp+var_3C]

loc_77163F:				; CODE XREF: PspExitThread+596j
					; PspExitThread+16865Cj
		lea	eax, [ebp+var_78]
		push	eax
		push	dword ptr [edi+4]
		call	_LpcRequestPort@8 ; LpcRequestPort(x,x)
		cmp	eax, 0C0000017h
		jz	loc_8D9734
		cmp	eax, 0C000009Ah
		jz	loc_8D9734
		mov	ecx, [edi+4]
		call	ObfDereferenceObject
		mov	esi, [edi]
		push	70547350h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_77163F
		mov	edi, [ebp+var_38]
		mov	esi, [ebp+var_30]
		jmp	loc_771284
; 

loc_771687:				; CODE XREF: PspExitThread+B2j
		mov	ecx, eax
		call	_PopPowerRequestCleanUp@4 ; PopPowerRequestCleanUp(x)
		mov	ecx, [ebp+var_2C]
		call	ObfDereferenceObject
		mov	[edi+2E0h], ebx
		jmp	loc_77119C
; 

loc_7716A1:				; CODE XREF: PspExitThread+4A7j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_771591
PspExitThread	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsCaptureExceptionPort(x)
_PsCaptureExceptionPort@4 proc near	; CODE XREF: PspExitThread+1ABp
					; ExpRaiseHardError+115p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		cmp	[ebx+128h], esi
		jz	short loc_771711
		mov	eax, large fs:124h
		push	edi
		mov	[ebp+var_4], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	edi, [ebx+0E0h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	esi, [ebx+128h]
		and	esi, 0FFFFFFF8h
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_771717

loc_771701:				; CODE XREF: PsCaptureExceptionPort(x)+70j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi

loc_771711:				; CODE XREF: PsCaptureExceptionPort(x)+12j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_771717:				; CODE XREF: PsCaptureExceptionPort(x)+51j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_771701
_PsCaptureExceptionPort@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspEmptyPropertySet(x)
_PspEmptyPropertySet@4 proc near	; CODE XREF: .text:00511604p
					; PspExitThread+90p
		mov	edi, edi
		push	esi
		mov	esi, ecx

loc_771725:				; CODE XREF: PspEmptyPropertySet(x)+19j
		mov	eax, [esi]
		cmp	eax, esi
		jnz	short loc_77172D
		pop	esi
		retn
; 

loc_77172D:				; CODE XREF: PspEmptyPropertySet(x)+9j
		mov	edx, [eax+8]
		mov	ecx, esi
		push	0
		call	PspRemoveProperty
		jmp	short loc_771725
_PspEmptyPropertySet@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspClearProcessThreadCidRefs(x, x, x)
_PspClearProcessThreadCidRefs@12 proc near ; CODE XREF:	PspRundownSingleProcess(x,x)+238p
					; PspExitThread+48p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		dec	word ptr [edi+13Eh]
		nop
		mov	ecx, ds:_PspCidTable
		call	ExMapHandleToPointer
		mov	edx, eax
		xor	eax, eax
		inc	eax
		mov	esi, [edx+4]
		mov	ecx, esi
		and	ecx, 7FFFFFFh
		shr	esi, 1Bh
		mov	[edx+4], ecx
		mov	ecx, ds:_PspCidTable
		lock xadd [edx], eax
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		add	ecx, 20h
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], edx
		jnz	short loc_7717A7

loc_77178C:				; CODE XREF: PspClearProcessThreadCidRefs(x,x,x)+72j
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	esi, esi
		jz	short loc_7717A1
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	@ObDereferenceObjectEx@8 ; ObDereferenceObjectEx(x,x)

loc_7717A1:				; CODE XREF: PspClearProcessThreadCidRefs(x,x,x)+59j
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_7717A7:				; CODE XREF: PspClearProcessThreadCidRefs(x,x,x)+4Ej
		xor	edx, edx
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	short loc_77178C
_PspClearProcessThreadCidRefs@12 endp


;  S U B	R O U T	I N E 


KeRundownApcQueues proc	near		; CODE XREF: PspExitThread+2C5p

; FUNCTION CHUNK AT 008D97C5 SIZE 0000006A BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		dec	word ptr [esi+13Ch]
		nop
		and	dword ptr [esi+58h], 0FFFFBFFFh
		call	_KiAcquireReleaseThreadLock@4 ;	KiAcquireReleaseThreadLock(x)
		mov	ecx, esi
		call	_KeForceResumeThread@4 ; KeForceResumeThread(x)
		mov	ecx, esi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	dl, 1
		mov	ecx, esi
		call	KiFlushQueueApc
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_77180B

loc_7717E8:				; CODE XREF: KeRundownApcQueues+168032j
		xor	dl, dl
		mov	ecx, esi
		call	KiFlushQueueApc
		mov	edi, eax
		test	edi, edi
		jnz	loc_8D97E7
		cmp	[esi+13Ch], eax
		jnz	loc_8D97E7
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_77180B:				; CODE XREF: KeRundownApcQueues+36j
		mov	edi, ebx
		jmp	loc_8D97C5
KeRundownApcQueues endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmNotifyRunDown	proc near		; CODE XREF: PspExitThread+23Cp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D982F SIZE 0000002D BYTES
; FUNCTION CHUNK AT 008D9872 SIZE 0000001A BYTES

		push	18h
		push	offset dword_6A0D28
		call	__SEH_prolog4
		mov	[ebp+var_20], ecx
		lea	esi, [ecx+294h]
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_77183D

loc_77182D:				; CODE XREF: CmNotifyRunDown+2Dj
					; CmNotifyRunDown+151j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_77183D:				; CODE XREF: CmNotifyRunDown+19j
		cmp	eax, esi
		jz	short loc_77182D
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, offset _CmpPostLock
		call	ExAcquireFastMutexUnsafe
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_19], al
		cmp	dword ptr [esi], 0
		jz	loc_77194B

loc_771864:				; CODE XREF: CmNotifyRunDown+134j
					; CmNotifyRunDown+168075j
		mov	ecx, [ebp+var_20]
		add	ecx, 294h
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	loc_77194B
		mov	edx, [eax]
		cmp	[eax+4], ecx
		jnz	loc_771968
		cmp	[edx+4], eax
		jnz	loc_771968
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	esi, [eax-8]
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		mov	edx, [esi+1Ch]
		test	edx, 10000h
		jz	loc_8D9872
		cmp	dx, 2
		jnz	short loc_77191C
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [esi+20h]
		lea	eax, [ecx+38h]
		cmp	[eax], eax
		jz	loc_8D9802

loc_7718C0:				; CODE XREF: KeRundownApcQueues+168066j
					; KeRundownApcQueues+168073j ...
		mov	eax, [esi+20h]
		mov	eax, [eax+38h]
		mov	dword ptr [eax], 10Bh
		mov	eax, [esi+20h]
		mov	eax, [eax+38h]
		and	dword ptr [eax+4], 0
		mov	ecx, [esi+20h]
		lea	eax, [ecx+38h]
		cmp	[eax], eax
		jz	loc_8D982F

loc_7718E4:				; CODE XREF: CmNotifyRunDown+168031j
					; CmNotifyRunDown+16803Ej ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7718EB:				; CODE XREF: sub_8D9860+Dj
		mov	ecx, [esi+20h]
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_771910
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [esi+20h]
		mov	ecx, [ecx+4]
		call	ObfDereferenceObject
		mov	eax, [ebp+var_28]
		mov	ecx, [eax+20h]

loc_771910:				; CODE XREF: CmNotifyRunDown+E1j
		add	ecx, 8
		call	KeRemoveQueueApc
		test	al, al
		jnz	short loc_771938

loc_77191C:				; CODE XREF: CmNotifyRunDown+9Aj
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		mov	eax, [esi+4]
		jnz	short loc_771968
		cmp	[eax], esi
		jnz	short loc_771968
		mov	[eax], ecx
		mov	[ecx+4], eax
		xor	edx, edx
		mov	ecx, esi
		call	_CmpCancelSubordinatePost@8 ; CmpCancelSubordinatePost(x,x)

loc_771938:				; CODE XREF: CmNotifyRunDown+108j
		mov	ecx, esi
		call	_CmpFreeSubordinatePost@4 ; CmpFreeSubordinatePost(x)
		mov	ecx, esi
		call	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)
		jmp	loc_771864
; 

loc_77194B:				; CODE XREF: CmNotifyRunDown+4Cj
					; CmNotifyRunDown+5Fj
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, offset _CmpPostLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		jmp	loc_77182D
; 

loc_771968:				; CODE XREF: CmNotifyRunDown+6Aj
					; CmNotifyRunDown+73j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
CmNotifyRunDown	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoCancelThreadIo proc near		; CODE XREF: PspExitThread+230p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 008D988C SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, large fs:124h
		add	esi, 2CCh
		push	edi
		cmp	[esi], esi
		jnz	short loc_77198F

loc_77198A:				; CODE XREF: IoCancelThreadIo+79j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_77198F:				; CODE XREF: IoCancelThreadIo+1Aj
		mov	ebx, ds:__imp_@KfRaiseIrql@4 ; KfRaiseIrql(x)
		mov	cl, 1
		call	ebx
		mov	edi, [esi]
		mov	[ebp+var_1], al
		cmp	esi, edi
		jz	short loc_7719B4

loc_7719A2:				; CODE XREF: IoCancelThreadIo+41j
		lea	ecx, [edi-10h]
		push	ecx
		call	IoCancelIrp
		mov	edi, [edi]
		cmp	esi, edi
		jnz	short loc_7719A2
		mov	al, [ebp+var_1]

loc_7719B4:				; CODE XREF: IoCancelThreadIo+32j
		imul	ecx, _IopIrpCompletionTimeoutInSeconds,	64h
		and	[ebp+var_8], 0
		or	[ebp+var_14], 0FFFFFFFFh
		mov	edi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	[ebp+var_18], 0FFFE7960h
		mov	[ebp+var_C], ecx
		mov	cl, al
		call	edi

loc_7719D7:				; CODE XREF: IoCancelThreadIo+167F39j
					; IoCancelThreadIo+167F44j
		mov	cl, 1
		call	ebx
		mov	cl, al
		cmp	[esi], esi
		jnz	loc_8D988C
		call	edi
		jmp	short loc_77198A
IoCancelThreadIo endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateSemaphore proc near		; DATA XREF: .text:0058110Co

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008D98B7 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008D98EA SIZE 00000017 BYTES

		push	18h
		push	offset dword_6A0D48
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_28], bl
		test	bl, bl
		jz	short loc_771A31
		mov	[ebp+ms_exc.disabled], ecx
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8D98B7

loc_771A24:				; CODE XREF: NtCreateSemaphore+167ECFj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ecx, ecx

loc_771A31:				; CODE XREF: NtCreateSemaphore+25j
		cmp	[ebp+arg_10], 0
		jle	loc_8D98F7
		mov	edi, [ebp+arg_C]
		test	edi, edi
		js	loc_8D98F7
		cmp	edi, [ebp+arg_10]
		jg	loc_8D98F7
		mov	edx, ds:_ExSemaphoreObjectType
		push	ecx
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		push	ecx
		push	14h
		push	ecx
		push	[ebp+var_28]
		push	[ebp+arg_8]
		mov	cl, bl
		call	ObCreateObjectEx
		mov	[ebp+arg_C], eax
		test	eax, eax
		js	short loc_771ABA
		push	[ebp+arg_10]
		push	edi
		push	[ebp+var_1C]
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		lea	eax, [ebp+var_20]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_4]
		xor	edx, edx
		mov	ecx, [ebp+var_1C]
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		js	short loc_771ABA
		test	bl, bl
		jz	loc_8D98EA
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_771AB3:				; CODE XREF: sub_8D98E2+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_771ABA:				; CODE XREF: NtCreateSemaphore+87j
					; NtCreateSemaphore+B0j ...
		mov	eax, [ebp+arg_C]

loc_771ABD:				; CODE XREF: sub_8D98CC+Dj
					; NtCreateSemaphore+167F12j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
NtCreateSemaphore endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1352. LpcRequestPort

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LpcRequestPort(x, x)
		public _LpcRequestPort@8
_LpcRequestPort@8 proc near		; CODE XREF: PspExitThread+1ECp
					; PspExitThread+562p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, large fs:124h
		xor	ecx, ecx
		push	esi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		nop
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		push	ecx
		push	ecx
		lea	ecx, [ebp+var_24]
		mov	[ebp+var_24], eax
		mov	[ebp+var_C], 10002h
		call	@AlpcpSendMessage@16 ; AlpcpSendMessage(x,x,x,x)
		mov	esi, eax
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, esi
		pop	esi
		leave
		retn	8
_LpcRequestPort@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlGuardIsValidStackPointer proc near	; CODE XREF: KeVerifyContextRecord(x,x,x,x,x)+2Ap

ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008D9901 SIZE 0000002B BYTES

		push	8
		push	offset dword_6A0DD8
		call	__SEH_prolog4
		test	edx, edx
		jz	loc_8D9901

loc_771B3E:				; CODE XREF: RtlGuardIsValidStackPointer+167DF6j
					; RtlGuardIsValidStackPointer+167DFDj
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [edx+8]
		cmp	ecx, eax
		jb	short loc_771B6A
		mov	eax, [edx+4]
		cmp	ecx, eax
		ja	short loc_771B6A
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		inc	eax

loc_771B5A:				; CODE XREF: RtlGuardIsValidStackPointer+49j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_771B6A:				; CODE XREF: RtlGuardIsValidStackPointer+1Dj
					; RtlGuardIsValidStackPointer+24j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_771B5A
RtlGuardIsValidStackPointer endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmCreateTeb	proc near		; CODE XREF: PspAllocateThread+348p

var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D9938 SIZE 0000000F BYTES

		push	34h
		push	offset dword_6A0DF8
		call	__SEH_prolog4_GS
		mov	ebx, edx
		mov	esi, ecx
		mov	[ebp+var_3C], esi
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_44], eax
		and	[ebp+var_38], 0
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		lea	eax, [ebp+var_38]
		push	eax
		call	_MiCreatePebOrTeb@12 ; MiCreatePebOrTeb(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8D9938
		and	[ebp+ms_exc.disabled], 0
		mov	esi, [ebp+var_38]
		mov	dword ptr [esi+10h], 1E00h
		mov	[esi+18h], esi
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+4]
		mov	[esi+24h], eax
		mov	eax, [ecx]
		mov	[esi+20h], eax
		mov	dword ptr [esi+1D0h], 0FFFEh
		mov	eax, [ecx+4]
		mov	[esi+6B8h], eax
		mov	eax, [ecx]
		mov	[esi+6B4h], eax
		mov	eax, 20Ah
		mov	[esi+0BFAh], ax
		lea	eax, [esi+0C00h]
		mov	[esi+0BFCh], eax
		mov	eax, [ebp+var_3C]
		mov	eax, [eax+17Ch]
		mov	[esi+30h], eax
		mov	eax, [ebx+8]
		mov	[esi+4], eax
		mov	eax, [ebx+0Ch]
		mov	[esi+8], eax
		mov	eax, [ebx+10h]
		mov	[esi+0E0Ch], eax
		mov	eax, _BBTBuffer
		mov	[esi+0F7Ch], eax
		or	dword ptr [esi], 0FFFFFFFFh
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_771C45:				; CODE XREF: sub_8D9955+10j
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, [ebp+var_44]
		mov	[eax], esi

loc_771C54:				; CODE XREF: MmCreateTeb+167DCCj
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
MmCreateTeb	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreatePebOrTeb(x,	x, x)
_MiCreatePebOrTeb@12 proc near		; CODE XREF: MmCreateTeb+38p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	edx, 1000h
		push	ecx
		push	eax
		and	dword ptr [eax], 0
		call	MiAllocateFromSubAllocatedRegion
		pop	ecx
		pop	ebp
		retn	4
_MiCreatePebOrTeb@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateFromSubAllocatedRegion proc near ; CODE XREF:	PAGE:0075B3E9p
					; MiCreatePebOrTeb(x,x,x)+13p

var_34		= dword	ptr -34h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D996A SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, [ebp+arg_0]
		mov	ecx, edx
		push	ebx
		mov	ebx, large fs:124h
		xor	edx, edx
		push	esi
		mov	[eax], edx
		mov	esi, edx
		mov	[esp+2Ch+var_4], edx
		mov	[esp+2Ch+var_8], edx
		push	edi
		mov	edi, [ebx+80h]
		mov	[esp+30h+var_10], ecx
		mov	[esp+30h+var_20], edi
		mov	[esp+30h+var_1C], edx
		mov	eax, [edi+24Ch]
		mov	[esp+30h+var_14], eax
		lea	eax, [ecx+0FFFh]
		shr	eax, 0Ch
		dec	word ptr [ebx+13Eh]
		mov	[esp+30h+var_18], eax
		nop
		mov	edx, edi
		mov	ecx, ebx
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		test	byte ptr [edi+0FCh], 20h
		jnz	loc_8D996A
		mov	eax, [esp+30h+var_14]
		add	eax, 7Ch
		mov	[esp+30h+var_14], eax

loc_771D00:				; CODE XREF: MiAllocateFromSubAllocatedRegion+194j
		mov	edx, edi
		mov	ecx, ebx
		call	_LOCK_PAGE_TABLE_COMMITMENT@8 ;	LOCK_PAGE_TABLE_COMMITMENT(x,x)
		mov	eax, [esp+30h+var_14]
		mov	edi, [eax]
		cmp	edi, eax
		jz	loc_771DF8

loc_771D17:				; CODE XREF: MiAllocateFromSubAllocatedRegion+167D08j
		lea	ecx, [edi-8]
		mov	eax, [ecx+1Ch]
		shr	eax, 2
		push	eax
		push	[esp+34h+var_18]
		push	ecx
		call	RtlFindClearBitsAndSet
		mov	[esp+30h+var_C], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_8D9988
		mov	esi, [esp+30h+var_18]
		add	[edi+0Ch], esi
		lea	ecx, [esi+eax]
		mov	eax, [edi+14h]
		and	eax, 3
		shl	ecx, 2
		or	ecx, eax
		mov	eax, [edi+0Ch]
		mov	[edi+14h], ecx
		cmp	eax, [edi+10h]
		jnb	loc_8D9999

loc_771D5C:				; CODE XREF: MiAllocateFromSubAllocatedRegion+167D29j
		mov	esi, [edi+8]
		mov	edi, [esi+0Ch]
		add	edi, [esp+30h+var_C]
		shl	edi, 0Ch
		mov	[esp+30h+var_1C], edi

loc_771D6D:				; CODE XREF: MiAllocateFromSubAllocatedRegion+176j
		mov	edx, [esp+30h+var_20]
		mov	ecx, ebx
		call	UNLOCK_PAGE_TABLE_COMMITMENT
		test	esi, esi
		jz	loc_771E01
		mov	ecx, esi
		call	_MiReferenceVad@4 ; MiReferenceVad(x)
		mov	edx, [esp+30h+var_20]
		mov	ecx, ebx
		call	UNLOCK_ADDRESS_SPACE
		mov	edx, esi
		mov	ecx, ebx
		call	_MiLockVad@8	; MiLockVad(x,x)
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, esi
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		test	eax, eax
		jnz	loc_8D99B9
		lea	eax, [esp+30h+var_8]
		mov	edx, edi
		push	eax
		lea	eax, [esp+34h+var_4]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		mov	eax, [esi+1Ch]
		shr	eax, 7
		and	eax, 1Fh
		push	eax
		push	[esp+50h+var_10]
		call	_MiCommitExistingVad@44	; MiCommitExistingVad(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	ecx, esi
		test	ebx, ebx
		js	loc_8D99C8
		call	MiUnlockAndDereferenceVad
		mov	eax, [ebp+arg_0]
		mov	[eax], edi

loc_771DED:				; CODE XREF: MiAllocateFromSubAllocatedRegion+167D4Cj
		mov	eax, ebx

loc_771DEF:				; CODE XREF: MiAllocateFromSubAllocatedRegion+167CFDj
					; MiAllocateFromSubAllocatedRegion+167D3Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_771DF8:				; CODE XREF: MiAllocateFromSubAllocatedRegion+8Bj
					; MiAllocateFromSubAllocatedRegion+167D0Ej
		mov	edi, [esp+30h+var_1C]
		jmp	loc_771D6D
; 

loc_771E01:				; CODE XREF: MiAllocateFromSubAllocatedRegion+F4j
		mov	edx, [esp+30h+var_18]
		xor	ecx, ecx
		call	MiAllocateNewSubAllocatedRegion
		mov	edi, eax
		test	edi, edi
		js	loc_8D996F
		mov	edi, [esp+30h+var_20]
		jmp	loc_771D00
MiAllocateFromSubAllocatedRegion endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetupUserStack proc near		; CODE XREF: PspAllocateThread+327p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D99D7 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_24], eax
		lea	edi, [ebp+var_20]
		push	6
		xor	eax, eax
		mov	[ebp+var_28], edx
		pop	ecx
		rep stosd
		mov	al, [esi]
		test	al, 1
		jnz	loc_771EE8
		mov	eax, [ebp+arg_8]
		mov	edi, 1000h
		test	eax, eax
		jnz	loc_8D99D7

loc_771E67:				; CODE XREF: PspSetupUserStack+167BBCj
		lea	eax, [ebp+var_20]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	KiStackAttachProcess
		push	[ebp+var_24]
		mov	edx, [esi+0Ch]
		push	ecx
		mov	ecx, [esi+8]
		push	edi
		push	dword ptr [esi+4]
		call	RtlCreateUserStack
		mov	edi, eax
		test	edi, edi
		js	loc_8D99E1
		xor	ecx, ecx
		test	byte ptr [ebx+490h], 40h
		jnz	short loc_771EAD
		inc	ecx
		call	ExGenRandom
		mov	ecx, eax
		and	ecx, 1FFh
		shl	ecx, 2

loc_771EAD:				; CODE XREF: PspSetupUserStack+7Aj
		mov	eax, [ebp+var_24]
		xor	edx, edx
		mov	eax, [eax+8]
		sub	eax, ecx
		mov	ecx, [ebp+var_28]
		sub	eax, 10h
		mov	[ecx+0C4h], eax
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	al, [esi]
		mov	cl, 2

loc_771ECF:				; CODE XREF: PspSetupUserStack+CAj
		and	al, 0FDh
		or	al, cl
		mov	[esi], al
		xor	eax, eax

loc_771ED7:				; CODE XREF: PspSetupUserStack+167BCDj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_771EE8:				; CODE XREF: PspSetupUserStack+31j
		xor	cl, cl
		jmp	short loc_771ECF
PspSetupUserStack endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCreateUserStack proc	near		; CODE XREF: PspSetupUserStack+62p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D99F2 SIZE 00000039 BYTES
; FUNCTION CHUNK AT 008D9A4B SIZE 00000011 BYTES

		push	54h
		push	offset dword_6A0E18
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_4C], ebx
		mov	edi, [ebp+arg_4]
		mov	edx, edi
		shr	edx, 18h
		mov	[ebp+var_28], edx
		and	edi, 0FFFFFFh
		cmp	dl, 10h
		ja	loc_8D99F2
		lea	eax, [edi+edi]
		mov	[ebp+var_34], eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+17Ch]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	loc_772058
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	loc_772058

loc_771F51:				; CODE XREF: RtlCreateUserStack+1B7j
		test	eax, eax
		jz	loc_8D99FC

loc_771F59:				; CODE XREF: RtlCreateUserStack+167B15j
		cmp	eax, ecx
		jnb	loc_7720CA

loc_771F61:				; CODE XREF: RtlCreateUserStack+1EAj
		lea	ebx, [edi-1]
		add	ebx, eax
		mov	eax, edi
		neg	eax
		and	ebx, eax
		lea	esi, [ecx+0FFFFh]
		and	esi, 0FFFF0000h
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_2C]
		mov	eax, [eax+208h]
		mov	[ebp+var_48], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	eax, eax
		jnz	loc_7720A8

loc_771F9A:				; CODE XREF: RtlCreateUserStack+1BEj
					; RtlCreateUserStack+1D9j
		movzx	eax, dl
		mov	[ebp+var_64], eax
		xor	eax, eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_54], esi
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_50], eax
		push	1Ch
		lea	eax, [ebp+var_64]
		push	eax
		push	29h
		push	0FFFFFFFFh
		call	_ZwSetInformationProcess@16 ; ZwSetInformationProcess(x,x,x,x)
		test	eax, eax
		js	short loc_772046
		mov	edi, [ebp+arg_C]
		xor	edx, edx
		mov	[edi], edx
		mov	[edi+4], edx
		mov	ecx, [ebp+var_4C]
		mov	[edi+10h], ecx
		lea	eax, [ecx+esi]
		mov	[edi+8], eax
		sub	ecx, ebx
		add	ecx, esi
		mov	[ebp+arg_4], ecx
		sub	esi, ebx
		mov	[ebp+var_30], ebx
		push	4
		push	1000h
		lea	eax, [ebp+var_30]
		push	eax
		push	edx
		lea	eax, [ebp+arg_4]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8D9A06
		mov	eax, [ebp+arg_4]
		mov	[edi+0Ch], eax
		mov	ecx, [ebp+var_34]
		cmp	esi, ecx
		jb	short loc_772044
		sub	eax, ecx
		mov	[ebp+arg_4], eax
		mov	[ebp+var_24], ecx
		push	104h
		push	1000h
		lea	eax, [ebp+var_24]
		push	eax
		push	0
		lea	eax, [ebp+arg_4]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8D9A06

loc_772044:				; CODE XREF: RtlCreateUserStack+129j
		xor	eax, eax

loc_772046:				; CODE XREF: RtlCreateUserStack+D9j
					; RtlCreateUserStack+167B0Bj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_772058:				; CODE XREF: RtlCreateUserStack+54j
					; RtlCreateUserStack+5Fj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+160h]
		mov	[ebp+ms_exc.disabled], ebx
		push	eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	loc_8D9A4B
		mov	ecx, [eax+64h]
		mov	edx, [eax+60h]
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_77208D
		mov	eax, ecx
		mov	[ebp+var_1C], eax

loc_77208D:				; CODE XREF: RtlCreateUserStack+19Aj
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jnz	short loc_772099
		mov	ecx, edx
		mov	[ebp+var_20], ecx

loc_772099:				; CODE XREF: RtlCreateUserStack+1A6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+var_28]
		jmp	loc_771F51
; 

loc_7720A8:				; CODE XREF: RtlCreateUserStack+A8j
		cmp	ebx, eax
		jnb	loc_771F9A
		lea	ebx, [edi-1]
		add	ebx, eax
		neg	edi
		and	ebx, edi
		lea	esi, [ebx+0FFFFFh]
		and	esi, 0FFF00000h
		jmp	loc_771F9A
; 

loc_7720CA:				; CODE XREF: RtlCreateUserStack+6Fj
		lea	ecx, [eax+0FFFFFh]
		and	ecx, 0FFF00000h
		jmp	loc_771F61
RtlCreateUserStack endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtResumeThread	proc near		; DATA XREF: .text:00580D40o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	1Ch
		push	offset dword_6A0E40
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		mov	[ebp+ms_exc.disabled], edx
		test	al, al
		jnz	short loc_77216C

loc_772106:				; CODE XREF: NtResumeThread+95j
					; NtResumeThread+A4j
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		push	edx
		lea	eax, [ebp+var_1C]
		push	eax
		mov	edi, 75537350h
		push	edi
		push	[ebp+var_24]
		push	ds:_PsThreadType
		push	1000h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_77215A
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_1C]
		call	PsResumeThread
		mov	edx, edi
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObjectWithTag
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_772182

loc_772155:				; CODE XREF: NtResumeThread+ABj
		mov	[ebp+ms_exc.disabled], esi
		xor	eax, eax

loc_77215A:				; CODE XREF: NtResumeThread+53j
					; sub_8D9A8C+Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_77216C:				; CODE XREF: NtResumeThread+28j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_772106
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_772189

loc_77217C:				; CODE XREF: NtResumeThread+AFj
		mov	eax, [ecx]
		mov	[ecx], eax
		jmp	short loc_772106
; 

loc_772182:				; CODE XREF: NtResumeThread+77j
		mov	eax, [ebp+var_20]
		mov	[ecx], eax
		jmp	short loc_772155
; 

loc_772189:				; CODE XREF: NtResumeThread+9Ej
		mov	ecx, eax
		jmp	short loc_77217C
NtResumeThread	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsResumeThread	proc near		; CODE XREF: NtResumeThread+5Cp
					; DbgkpPostFakeThreadMessages(x,x,x,x,x)+2A4p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008D9ABE SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		call	_KeResumeThread@4 ; KeResumeThread(x)
		mov	edx, large fs:124h
		mov	edi, eax
		cmp	edi, 1
		jnz	short loc_7721D1
		mov	ecx, [esi+150h]
		add	ecx, 3A8h
		push	ebx
		mov	ebx, 8000h
		mov	eax, [ecx]
		test	eax, ebx
		jz	short loc_7721E2

loc_7721C5:				; CODE XREF: PsResumeThread+59j
		pop	ebx
		test	eax, 100000h
		jnz	loc_8D9ABE

loc_7721D1:				; CODE XREF: PsResumeThread+1Dj
					; PsResumeThread+16793Aj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_7721DA
		mov	[eax], edi

loc_7721DA:				; CODE XREF: PsResumeThread+48j
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	8
; 

loc_7721E2:				; CODE XREF: PsResumeThread+35j
		lock or	[ecx], ebx
		mov	eax, [ecx]
		jmp	short loc_7721C5
PsResumeThread	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfDeleteSubscription proc near	; CODE XREF: ExpWnfDeleteProcessContext+73p
					; NtUnsubscribeWnfStateChange+83p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D9ACD SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, edx
		push	ebx
		push	esi
		mov	[ebp+var_14], eax
		mov	eax, [eax+39Ch]
		mov	[ebp+var_10], eax
		push	edi
		mov	edi, ecx
		test	eax, eax
		jz	short loc_772232
		lea	ebx, [eax+28h]
		xor	edx, edx
		push	0
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [ebx], 0
		jnb	short loc_77222A
		push	ebx
		mov	edx, esi
		mov	ecx, ebx
		call	ExfAcquirePushLockExclusiveEx

loc_77222A:				; CODE XREF: ExpWnfDeleteSubscription+34j
		test	esi, esi
		jnz	loc_77243B

loc_772232:				; CODE XREF: ExpWnfDeleteSubscription+1Dj
					; ExpWnfDeleteSubscription+255j
		xor	ebx, ebx
		or	eax, 0FFFFFFFFh
		cmp	[edi+18h], ebx
		jz	loc_7723C6
		mov	eax, [edi+1Ch]
		and	[ebp+var_C], ebx
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_7724F6
		lea	ecx, [eax+40h]
		xor	edx, edx
		push	ebx
		mov	[ebp+var_4], ecx
		call	KeAbPreAcquire
		mov	esi, eax
		mov	eax, [ebp+var_4]
		lock bts dword ptr [eax], 0
		jnb	short loc_772275
		push	eax
		mov	edx, esi
		mov	ecx, eax
		call	ExfAcquirePushLockExclusiveEx

loc_772275:				; CODE XREF: ExpWnfDeleteSubscription+7Fj
		test	esi, esi
		jnz	loc_77244D

loc_77227D:				; CODE XREF: ExpWnfDeleteSubscription+267j
		lea	eax, [edi+28h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_772527
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_772527
		mov	[ecx], edx
		or	esi, 0FFFFFFFFh
		mov	[edx+4], ecx
		and	[edi+1Ch], ebx
		test	dword ptr [edi+3Ch], 1
		jz	short loc_7722BA
		mov	eax, [ebp+var_8]
		mov	ebx, esi
		lock xadd [eax+58h], ebx
		dec	ebx
		neg	ebx
		sbb	ebx, ebx
		inc	ebx

loc_7722BA:				; CODE XREF: ExpWnfDeleteSubscription+BEj
					; ExpWnfDeleteSubscription+30Fj
		lea	eax, [edi+10h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_772527
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_772527
		mov	[ecx], edx
		mov	[edx+4], ecx
		xor	edx, edx
		mov	ecx, [ebp+var_10]
		add	ecx, 34h
		push	0
		mov	[ebp+var_4], ecx
		call	KeAbPreAcquire
		mov	edx, [ebp+var_4]
		mov	[ebp+var_18], eax
		lock bts dword ptr [edx], 0
		jnb	short loc_772308
		mov	ecx, [ebp+var_4]
		push	edx
		mov	edx, eax
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+var_4]

loc_772308:				; CODE XREF: ExpWnfDeleteSubscription+10Bj
		test	eax, eax
		jnz	loc_772444

loc_772310:				; CODE XREF: ExpWnfDeleteSubscription+25Ej
		mov	ecx, [edi+48h]
		xor	eax, eax
		inc	eax
		cmp	ecx, eax
		jz	loc_772459
		mov	eax, [edi+18h]
		cmp	eax, ds:_PsInitialSystemProcess
		jz	short loc_772331
		test	ecx, ecx
		jnz	loc_772456

loc_772331:				; CODE XREF: ExpWnfDeleteSubscription+13Dj
					; ExpWnfDeleteSubscription+29Dj ...
		and	dword ptr [edi+18h], 0
		mov	eax, esi
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7724B4

loc_772345:				; CODE XREF: ExpWnfDeleteSubscription+2D4j
		mov	ecx, edx
		call	KeAbPostRelease
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_7723C0
		and	[ebp+var_4], 0
		test	ebx, ebx
		jnz	loc_7723F5
		cmp	[ebp+var_C], ebx
		jnz	loc_7723F5

loc_772368:				; CODE XREF: ExpWnfDeleteSubscription+225j
					; ExpWnfDeleteSubscription+1678F6j
		lea	ecx, [eax+40h]
		mov	eax, esi
		mov	[ebp+var_1C], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7724C3

loc_77237E:				; CODE XREF: ExpWnfDeleteSubscription+2E1j
		call	KeAbPostRelease
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_7723A9
		lea	ecx, [eax+28h]
		mov	eax, esi
		mov	[ebp+var_1C], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7724D0

loc_7723A0:				; CODE XREF: ExpWnfDeleteSubscription+2EEj
		call	KeAbPostRelease
		and	[ebp+var_10], 0

loc_7723A9:				; CODE XREF: ExpWnfDeleteSubscription+19Ej
		cmp	[ebp+var_C], 0
		mov	esi, [ebp+var_8]
		jnz	loc_7724FE

loc_7723B6:				; CODE XREF: ExpWnfDeleteSubscription+32Fj
		test	ebx, ebx
		jnz	short loc_772414

loc_7723BA:				; CODE XREF: ExpWnfDeleteSubscription+245j
		cmp	[ebp+var_4], 0
		jnz	short loc_772431

loc_7723C0:				; CODE XREF: ExpWnfDeleteSubscription+167j
					; ExpWnfDeleteSubscription+24Fj
		xor	ebx, ebx
		or	eax, 0FFFFFFFFh
		inc	ebx

loc_7723C6:				; CODE XREF: ExpWnfDeleteSubscription+50j
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jnz	loc_7724DD

loc_7723D1:				; CODE XREF: ExpWnfDeleteSubscription+307j
		lea	ecx, [edi+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		test	ebx, ebx
		jz	short loc_7723F0
		lea	ecx, [edi+4]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		push	20666E57h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7723F0:				; CODE XREF: ExpWnfDeleteSubscription+1F1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7723F5:				; CODE XREF: ExpWnfDeleteSubscription+16Fj
					; ExpWnfDeleteSubscription+178j
		lea	ecx, [eax+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		mov	eax, [ebp+var_8]
		jz	loc_8D9ADB
		mov	[ebp+var_4], 1
		jmp	loc_772368
; 

loc_772414:				; CODE XREF: ExpWnfDeleteSubscription+1CEj
		mov	ecx, [ebp+var_14]
		xor	eax, eax
		cmp	ecx, ds:_PsInitialSystemProcess
		mov	ecx, esi
		setnz	al
		push	eax
		push	1
		push	4
		pop	edx
		call	_ExpWnfNotifyNameSubscribers@16	; ExpWnfNotifyNameSubscribers(x,x,x,x)
		jmp	short loc_7723BA
; 

loc_772431:				; CODE XREF: ExpWnfDeleteSubscription+1D4j
		lea	ecx, [esi+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_7723C0
; 

loc_77243B:				; CODE XREF: ExpWnfDeleteSubscription+42j
		or	byte ptr [esi+0Eh], 1
		jmp	loc_772232
; 

loc_772444:				; CODE XREF: ExpWnfDeleteSubscription+120j
		or	byte ptr [eax+0Eh], 1
		jmp	loc_772310
; 

loc_77244D:				; CODE XREF: ExpWnfDeleteSubscription+8Dj
		or	byte ptr [esi+0Eh], 1
		jmp	loc_77227D
; 

loc_772456:				; CODE XREF: ExpWnfDeleteSubscription+141j
		xor	eax, eax
		inc	eax

loc_772459:				; CODE XREF: ExpWnfDeleteSubscription+12Ej
		lea	ecx, [edi+40h]
		mov	edx, [ecx]
		mov	[ebp+var_1C], edx
		cmp	[edx+4], ecx
		jnz	loc_772527
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_772527
		mov	ecx, edx
		mov	edx, [ebp+var_1C]
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_4]
		test	ecx, ecx
		jz	loc_772331
		test	[edi+3Ch], eax
		jz	loc_772331
		test	[edi+4Ch], eax
		jz	loc_8D9ACD

loc_77249F:				; CODE XREF: ExpWnfDeleteSubscription+1678ECj
		mov	eax, esi
		lock xadd [ecx+5Ch], eax
		dec	eax
		neg	eax
		sbb	eax, eax
		inc	eax
		mov	[ebp+var_C], eax
		jmp	loc_772331
; 

loc_7724B4:				; CODE XREF: ExpWnfDeleteSubscription+155j
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, [ebp+var_4]
		jmp	loc_772345
; 

loc_7724C3:				; CODE XREF: ExpWnfDeleteSubscription+18Ej
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_1C]
		jmp	loc_77237E
; 

loc_7724D0:				; CODE XREF: ExpWnfDeleteSubscription+1B0j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_1C]
		jmp	loc_7723A0
; 

loc_7724DD:				; CODE XREF: ExpWnfDeleteSubscription+1E1j
		lea	esi, [ecx+28h]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_77251E

loc_7724EA:				; CODE XREF: ExpWnfDeleteSubscription+33Bj
		mov	ecx, esi
		call	KeAbPostRelease
		jmp	loc_7723D1
; 

loc_7724F6:				; CODE XREF: ExpWnfDeleteSubscription+61j
		or	esi, 0FFFFFFFFh
		jmp	loc_7722BA
; 

loc_7724FE:				; CODE XREF: ExpWnfDeleteSubscription+1C6j
		mov	ecx, [ebp+var_14]
		xor	eax, eax
		cmp	ecx, ds:_PsInitialSystemProcess
		mov	ecx, esi
		setnz	al
		push	eax
		push	1
		push	8
		pop	edx
		call	_ExpWnfNotifyNameSubscribers@16	; ExpWnfNotifyNameSubscribers(x,x,x,x)
		jmp	loc_7723B6
; 

loc_77251E:				; CODE XREF: ExpWnfDeleteSubscription+2FEj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7724EA
; 

loc_772527:				; CODE XREF: ExpWnfDeleteSubscription+9Bj
					; ExpWnfDeleteSubscription+A6j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
ExpWnfDeleteSubscription endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTiLogReadWriteVm proc near		; CODE XREF: MiReadWriteVirtualMemory+1A5p

var_130		= dword	ptr -130h
var_128		= dword	ptr -128h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D9AE5 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 130h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_118], eax
		mov	eax, large fs:124h
		push	edi
		mov	edi, edx
		mov	[ebp+var_11C], ecx
		mov	[ebp+var_120], edi
		cmp	byte ptr [eax+15Ah], 1
		jnz	loc_7726B0
		xor	eax, eax
		cmp	[ebp+arg_4], 10h
		push	ebx
		mov	ebx, _EtwThreatIntProvRegHandle
		setz	al
		push	esi
		mov	esi, dword_6BC124
		dec	eax
		push	0
		and	eax, 90000h
		add	eax, 30000h
		push	eax
		push	0
		push	esi
		push	ebx
		call	EtwProviderEnabled
		test	al, al
		jz	loc_7726AE
		cmp	edi, [ebp+var_118]
		jz	loc_7726BF
		cmp	[ebp+arg_4], 10h
		jz	loc_8D9AE5
		mov	edi, offset _THREATINT_WRITEVM_REMOTE

loc_7725BD:				; CODE XREF: EtwTiLogReadWriteVm+19Cj
					; EtwTiLogReadWriteVm+1A7j ...
		push	edi
		push	esi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	loc_7726AE
		mov	edx, [ebp+var_120]
		lea	eax, [ebp+var_11C]
		and	[ebp+var_110], 0
		lea	ecx, [ebp+var_104]
		and	[ebp+var_108], 0
		push	4
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_130]
		pop	ebx
		push	eax
		mov	[ebp+var_10C], ebx
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, large fs:124h
		lea	esi, [eax+1]
		mov	ecx, esi
		lea	eax, [ebp+var_114]
		shl	ecx, 4
		add	ecx, eax
		call	_EtwpTiFillThreadIdentity@8 ; EtwpTiFillThreadIdentity(x,x)
		mov	edx, [ebp+var_118]
		lea	ecx, [ebp+var_114]
		add	esi, eax
		lea	eax, [ebp+var_128]
		push	eax
		mov	eax, esi
		shl	eax, 4
		add	ecx, eax
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		add	esi, eax
		lea	ecx, [ebp+arg_8]
		mov	eax, esi
		xor	edx, edx
		add	eax, eax
		mov	[ebp+eax*8+var_114], ecx
		lea	ecx, [ebp+arg_C]
		mov	[ebp+eax*8+var_110], edx
		mov	[ebp+eax*8+var_10C], ebx
		mov	[ebp+eax*8+var_108], edx
		lea	eax, [esi+1]
		add	eax, eax
		mov	[ebp+eax*8+var_114], ecx
		mov	[ebp+eax*8+var_110], edx
		mov	[ebp+eax*8+var_10C], ebx
		mov	[ebp+eax*8+var_108], edx
		lea	eax, [ebp+var_114]
		push	eax
		lea	eax, [esi+2]
		push	eax
		push	edx
		push	edi
		push	dword_6BC124
		push	_EtwThreatIntProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_7726AE:				; CODE XREF: EtwTiLogReadWriteVm+70j
					; EtwTiLogReadWriteVm+9Bj
		pop	esi
		pop	ebx

loc_7726B0:				; CODE XREF: EtwTiLogReadWriteVm+3Aj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_7726BF:				; CODE XREF: EtwTiLogReadWriteVm+7Cj
		cmp	[ebp+arg_4], 10h
		mov	edi, offset _THREATINT_READVM_LOCAL
		jz	loc_7725BD
		mov	edi, offset _THREATINT_WRITEVM_LOCAL
		jmp	loc_7725BD
EtwTiLogReadWriteVm endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTiLogAllocExecVm proc near		; CODE XREF: MiAllocateVirtualMemory+2EFp

var_1A8		= dword	ptr -1A8h
var_1A1		= byte ptr -1A1h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D9AEF SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0
		push	0Fh
		push	0
		push	dword_6BC124
		mov	[ebp+var_1A1], dl
		mov	ebx, ecx
		push	_EtwThreatIntProvRegHandle
		call	EtwProviderEnabled
		test	al, al
		jz	loc_772886
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		mov	eax, large fs:124h
		mov	ecx, [eax+150h]
		xor	eax, eax
		cmp	ecx, ebx
		mov	[ebp+var_1A8], ecx
		setz	al
		cmp	[ebp+var_1A1], 0
		jz	loc_8D9AEF
		xor	ecx, ecx

loc_77274B:				; CODE XREF: EtwTiLogAllocExecVm+16741Aj
		add	eax, ecx
		mov	edi, ds:off_4041D8[eax*4]
		push	edi
		push	dword_6BC124
		push	_EtwThreatIntProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_772886
		lea	eax, [ebp+var_20]
		mov	edx, esi
		push	eax
		lea	ecx, [ebp+var_1A0]
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, large fs:124h
		mov	esi, eax
		mov	ecx, esi
		lea	eax, [ebp+var_1A0]
		shl	ecx, 4
		add	ecx, eax
		call	_EtwpTiFillThreadIdentity@8 ; EtwpTiFillThreadIdentity(x,x)
		add	esi, eax
		lea	ecx, [ebp+var_1A0]
		lea	eax, [ebp+var_18]
		mov	edx, ebx
		push	eax
		mov	eax, esi
		shl	eax, 4
		add	ecx, eax
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, [ebp+var_1A8]
		lea	ecx, [ebp+var_1A0]
		add	esi, eax
		lea	eax, [ebp+var_10]
		push	eax
		mov	eax, esi
		shl	eax, 4
		add	ecx, eax
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		add	esi, eax
		lea	ecx, [ebp+arg_0]
		xor	ebx, ebx
		mov	eax, esi
		add	eax, eax
		push	4
		pop	edx
		mov	[ebp+eax*8+var_1A0], ecx
		lea	ecx, [ebp+arg_4]
		mov	[ebp+eax*8+var_19C], ebx
		mov	[ebp+eax*8+var_198], edx
		mov	[ebp+eax*8+var_194], ebx
		lea	eax, [esi+1]
		add	eax, eax
		mov	[ebp+eax*8+var_1A0], ecx
		lea	ecx, [ebp+arg_8]
		mov	[ebp+eax*8+var_19C], ebx
		mov	[ebp+eax*8+var_198], edx
		mov	[ebp+eax*8+var_194], ebx
		lea	eax, [esi+2]
		add	eax, eax
		mov	[ebp+eax*8+var_1A0], ecx
		lea	ecx, [ebp+arg_C]
		mov	[ebp+eax*8+var_19C], ebx
		mov	[ebp+eax*8+var_198], edx
		mov	[ebp+eax*8+var_194], ebx
		lea	eax, [esi+3]
		add	eax, eax
		mov	[ebp+eax*8+var_1A0], ecx
		mov	[ebp+eax*8+var_19C], ebx
		mov	[ebp+eax*8+var_198], edx
		mov	[ebp+eax*8+var_194], ebx
		lea	eax, [ebp+var_1A0]
		push	eax
		lea	eax, [esi+4]
		push	eax
		push	ebx
		push	edi
		push	dword_6BC124
		push	_EtwThreatIntProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_772886:				; CODE XREF: EtwTiLogAllocExecVm+39j
					; EtwTiLogAllocExecVm+90j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
EtwTiLogAllocExecVm endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTiLogProtectExecVm proc near		; CODE XREF: NtProtectVirtualMemory+217p

var_1A4		= dword	ptr -1A4h
var_19D		= byte ptr -19Dh
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008D9AF7 SIZE 0000011D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	0
		push	0F0h
		push	0
		push	dword_6BC124
		mov	[ebp+var_19D], dl
		mov	ebx, ecx
		push	_EtwThreatIntProvRegHandle
		call	EtwProviderEnabled
		test	al, al
		jz	short loc_77292B
		mov	eax, large fs:124h
		push	esi
		mov	esi, [eax+80h]
		mov	eax, large fs:124h
		mov	eax, [eax+150h]
		mov	[ebp+var_1A4], eax
		xor	eax, eax
		cmp	esi, ebx
		setz	al
		cmp	[ebp+var_19D], 0
		jz	short loc_77293A
		xor	ecx, ecx

loc_772905:				; CODE XREF: EtwTiLogProtectExecVm+A5j
		add	eax, ecx
		push	edi
		mov	edi, ds:off_4041B8[eax*4]
		push	edi
		push	dword_6BC124
		push	_EtwThreatIntProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8D9AF7

loc_772929:				; CODE XREF: EtwTiLogProtectExecVm+167377j
		pop	edi
		pop	esi

loc_77292B:				; CODE XREF: EtwTiLogProtectExecVm+3Aj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_77293A:				; CODE XREF: EtwTiLogProtectExecVm+69j
		push	2
		pop	ecx
		jmp	short loc_772905
EtwTiLogProtectExecVm endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiArbitraryCodeBlocked proc near	; CODE XREF: MiAllowProtectionChange(x,x,x,x,x,x)+F5p
					; MiReserveUserMemory+334p ...

; FUNCTION CHUNK AT 008D9C14 SIZE 00000042 BYTES

		mov	eax, large fs:124h
		mov	edx, 40000h
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+490h]
		test	ecx, 100h
		jnz	loc_8D9C14

loc_772960:				; CODE XREF: MiArbitraryCodeBlocked+1672DAj
		test	ecx, 800h
		jnz	loc_8D9C3B

loc_77296C:				; CODE XREF: MiArbitraryCodeBlocked+167301j
					; MiArbitraryCodeBlocked+167311j
		xor	ecx, ecx
		call	EtwTraceMemoryAcg
		xor	eax, eax
		pop	esi
		retn
MiArbitraryCodeBlocked endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpWriteUserEvent(x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x, x, x)
_EtwpWriteUserEvent@72 proc near	; CODE XREF: .text:004470A4p
					; .text:004470F9p ...

var_234		= dword	ptr -234h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= word ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CA		= byte ptr -1CAh
var_1C9		= byte ptr -1C9h
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_179		= byte ptr -179h
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_149		= byte ptr -149h
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_132		= byte ptr -132h
var_131		= byte ptr -131h
var_130		= dword	ptr -130h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0EB8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 214h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_1A8], edx
		mov	eax, ecx
		mov	[ebp+var_168], eax
		mov	[ebp+var_1F8], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_184], eax
		mov	esi, [ebp+arg_28]
		mov	[ebp+var_190], esi
		mov	eax, [ebp+arg_2C]
		mov	[ebp+var_1C4], eax
		mov	edi, [ebp+arg_30]
		mov	[ebp+var_144], edi
		mov	eax, [ebp+arg_38]
		mov	[ebp+var_1E8], eax
		mov	eax, [ebp+arg_3C]
		mov	[ebp+var_1FC], eax
		mov	[ebp+var_158], 0
		push	0C0h		; size_t
		push	0		; int
		lea	eax, [ebp+var_130]
		push	eax		; void *
		call	_memset
		mov	[ebp+var_1D0], 0
		push	50h		; size_t
		push	0		; int
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	[ebp+var_170], 0
		mov	[ebp+var_1B8], 0
		mov	[ebp+var_1B4], 0
		mov	[ebp+var_1DC], 0
		mov	[ebp+var_1B0], 0
		mov	[ebp+var_1AC], 0
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+1F0h]
		mov	[ebp+var_1D8], eax
		mov	ecx, [ebp+arg_34]
		mov	eax, ecx
		and	eax, 200h
		mov	[ebp+var_1BC], eax
		shr	ecx, 0Ah
		and	cl, 1
		mov	ebx, [ebp+arg_24]
		test	esi, esi
		jnz	short loc_772AAE
		test	ebx, ebx
		jnz	short loc_772ABA
		test	esi, esi
		jz	short loc_772AB2

loc_772AAE:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+124j
		test	ebx, ebx
		jz	short loc_772ABA

loc_772AB2:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+12Cj
		cmp	ebx, 80h
		jbe	short loc_772AC4

loc_772ABA:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+128j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+130j
		mov	eax, 0C000000Dh
		jmp	loc_773E90
; 

loc_772AC4:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+138j
		mov	esi, [ebp+var_168]
		test	edi, edi
		jnz	short loc_772AD4
		mov	[ebp+var_144], esi

loc_772AD4:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+14Cj
		mov	[ebp+var_131], 0
		mov	[ebp+var_70], 0
		mov	esi, [esi+164h]
		mov	[ebp+var_160], esi
		mov	[ebp+var_1F4], esi
		mov	eax, [ebp+var_1FC]
		test	eax, eax
		jz	short loc_772B1C
		mov	edx, [eax]
		mov	esi, [eax+4]
		mov	eax, edx
		or	eax, esi
		jz	short loc_772B1C
		mov	[ebp+var_1B0], edx
		mov	[ebp+var_1AC], esi
		mov	[ebp+var_131], 10h

loc_772B1C:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+17Cj
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+187j
		lea	eax, [ebp+var_1DC]
		push	eax
		lea	eax, [ebp+var_1B4]
		push	eax
		mov	dl, cl
		mov	ecx, [ebp+var_1E8]
		call	DecodeProviderTraits
		mov	edx, large fs:124h
		mov	[ebp+var_194], edx
		mov	[ebp+var_1F0], edx
		dec	word ptr [edx+13Ch]
		nop
		mov	al, [ebp+arg_4]
		not	al
		mov	cl, byte ptr [ebp+var_1A8]
		and	cl, al
		mov	[ebp+var_132], cl
		mov	byte ptr [ebp+var_1A8],	cl
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_21C], eax
		mov	eax, [ebp+arg_0]
		mov	dword ptr [ebp+var_1E0], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_174], eax
		jmp	short loc_772B90
; 
		align 10h

loc_772B90:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+206j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3E6j	...
		mov	esi, [ebp+var_144]

loc_772B96:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A9Cj
		mov	edx, [ebp+arg_20]

loc_772B99:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2D1j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2F3j	...
		movzx	eax, cl
		bsf	ecx, eax
		mov	[ebp+var_1D0], ecx
		jz	loc_773DE5
		mov	[ebp+var_164], 1
		xor	eax, eax
		mov	[ebp+var_218], eax
		mov	[ebp+var_214], eax
		mov	[ebp+var_210], eax
		mov	[ebp+var_19C], eax
		mov	[ebp+var_198], eax
		mov	[ebp+var_13C], 50h
		mov	[ebp+var_1D4], eax
		mov	[ebp+var_149], al
		mov	[ebp+var_1A4], eax
		mov	[ebp+var_180], eax
		mov	[ebp+var_1A0], eax
		mov	[ebp+var_1EC], eax
		mov	ah, [ebp+var_132]
		mov	al, ah
		dec	al
		and	ah, al
		mov	[ebp+var_132], ah
		mov	byte ptr [ebp+var_1A8],	ah
		lea	edi, [ecx+3]
		shl	edi, 5
		add	edi, esi
		cmp	[ebp+var_1C4], 0
		jz	short loc_772C57
		movzx	ecx, word ptr [edi+6]
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, 1
		shl	eax, cl
		mov	ecx, [ebp+var_1C4]
		test	[ecx+edx*4], eax
		mov	edx, [ebp+arg_20]
		mov	cl, [ebp+var_132]
		jnz	loc_772B99

loc_772C57:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2AAj
		push	edx
		push	[ebp+arg_1C]
		mov	dl, byte ptr [ebp+var_174]
		mov	ecx, edi
		call	_EtwpLevelKeywordEnabled@16 ; EtwpLevelKeywordEnabled(x,x,x,x)
		test	al, al
		mov	edx, [ebp+arg_20]
		mov	cl, [ebp+var_132]
		jz	loc_772B99
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	byte ptr [ebp+var_21C],	2
		jnz	short loc_772C97
		cmp	dword ptr [eax+0F8h], 0
		jge	short loc_772CAD

loc_772C97:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+30Cj
		test	dword ptr [edi+8], 200h
		mov	edx, [ebp+arg_20]
		mov	cl, [ebp+var_132]
		jnz	loc_772B99

loc_772CAD:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+315j
		mov	eax, [ebp+var_144]
		mov	ecx, [eax+160h]
		mov	esi, [ebp+var_1D0]
		test	ecx, ecx
		jz	short loc_772D0F
		imul	eax, esi, 34h
		mov	ecx, [eax+ecx]
		mov	eax, ecx
		and	eax, 80000200h
		cmp	eax, 80000200h
		jz	short loc_772CE5
		and	ecx, 80000100h
		cmp	ecx, 80000100h
		jnz	short loc_772D09

loc_772CE5:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+355j
		push	[ebp+var_190]	; void *
		push	ebx		; int
		push	[ebp+var_184]	; int
		push	dword ptr [ebp+var_1E0]	; __int16
		mov	edx, esi
		mov	ecx, [ebp+var_144]
		call	EtwpApplyEventIdPayloadFilterOnUserEvent
		test	al, al
		jz	short loc_772D60

loc_772D09:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+363j
		mov	eax, [ebp+var_144]

loc_772D0F:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+341j
		cmp	word ptr [ebp+var_1BC],	0
		jz	short loc_772D6B
		push	0
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+var_174]
		mov	edx, esi
		mov	ecx, eax
		call	EtwpIsEventNameFilterEnabled
		test	al, al
		jz	short loc_772D6B
		push	0
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+var_174]
		push	0
		push	1
		push	[ebp+var_190]
		push	ebx
		mov	edx, esi
		mov	ecx, [ebp+var_144]
		call	_EtwpApplyEventNameFilter@40 ; EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)
		test	al, al
		jnz	short loc_772D6B
		mov	edi, edi

loc_772D60:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+387j
		mov	cl, [ebp+var_132]
		jmp	loc_772B90
; 

loc_772D6B:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+397j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3B2j	...
		xor	eax, eax
		mov	[ebp+var_138], eax
		cmp	[ebp+arg_14], eax
		jz	short loc_772D90
		mov	ebx, 68h
		mov	[ebp+var_13C], ebx
		mov	eax, 8
		mov	[ebp+var_138], eax
		jmp	short loc_772D96
; 

loc_772D90:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3F6j
		mov	ebx, [ebp+var_13C]

loc_772D96:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+40Ej
		mov	[ebp+var_140], ebx
		mov	edx, [edi+8]
		test	edx, 0FFFFFF9Fh
		jz	loc_7730D5
		test	edx, 800h
		jz	short loc_772DEB
		mov	ecx, [ebp+var_1D8]
		test	ecx, ecx
		jz	short loc_772DEB
		cmp	ecx, ds:_EtwpHostSiloState
		jz	short loc_772DEB
		or	eax, 80h
		mov	[ebp+var_138], eax
		movzx	ecx, word ptr [ecx+90Ch]
		add	ecx, 0Fh
		and	ecx, 0FFFFFFF8h
		add	ebx, ecx
		mov	[ebp+var_140], ebx
		mov	[ebp+var_13C], ebx

loc_772DEB:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+431j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+43Bj	...
		test	dl, 1
		jz	short loc_772E2C
		test	[ebp+var_131], 2
		jnz	short loc_772E0B
		lea	ecx, [ebp+var_6C]
		call	EtwpGetSidExtendedHeaderItem
		or	[ebp+var_131], 2
		mov	edx, [edi+8]

loc_772E0B:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+477j
		mov	eax, [ebp+var_138]
		or	eax, 2
		mov	[ebp+var_138], eax
		movzx	ecx, word ptr [ebp+var_6C]
		add	ebx, ecx
		mov	[ebp+var_140], ebx
		mov	[ebp+var_13C], ebx

loc_772E2C:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+46Ej
		test	dl, 2
		jz	short loc_772E49
		or	eax, 1
		mov	[ebp+var_138], eax
		add	ebx, 10h
		mov	[ebp+var_140], ebx
		mov	[ebp+var_13C], ebx

loc_772E49:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4AFj
		test	dl, dl
		jns	short loc_772E65
		or	eax, 20h
		mov	[ebp+var_138], eax
		add	ebx, 10h
		mov	[ebp+var_140], ebx
		mov	[ebp+var_13C], ebx

loc_772E65:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4CBj
		test	edx, 100h
		jz	short loc_772E85
		or	eax, 40h
		mov	[ebp+var_138], eax
		add	ebx, 10h
		mov	[ebp+var_140], ebx
		mov	[ebp+var_13C], ebx

loc_772E85:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4EBj
		test	dl, 4
		jz	loc_77303B
		mov	eax, [ebp+var_144]
		mov	ecx, [eax+160h]
		test	ecx, ecx
		jz	loc_772F3F
		imul	eax, esi, 34h
		mov	ecx, [eax+ecx]
		mov	eax, ecx
		and	eax, 80001000h
		cmp	eax, 80001000h
		jz	short loc_772ED2
		mov	eax, ecx
		and	eax, 80002000h
		cmp	eax, 80002000h
		jz	short loc_772ED2
		and	ecx, 80004000h
		cmp	ecx, 80004000h
		jnz	short loc_772F3F

loc_772ED2:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+534j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+542j
		push	1
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+var_174]
		mov	edx, esi
		mov	ecx, [ebp+var_144]
		call	_EtwpApplyLevelKwFilter@24 ; EtwpApplyLevelKwFilter(x,x,x,x,x,x)
		test	al, al
		jz	loc_77303B
		push	esi
		mov	edx, [ebp+var_144]
		mov	ecx, [ebp+var_184]
		call	_EtwpApplyStackWalkFilterOnUserEvent@12	; EtwpApplyStackWalkFilterOnUserEvent(x,x,x)
		test	al, al
		jz	loc_77303B
		push	1
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+var_174]
		push	0
		push	1
		push	[ebp+var_190]
		push	[ebp+arg_24]
		mov	edx, esi
		mov	ecx, [ebp+var_144]
		call	_EtwpApplyEventNameFilter@40 ; EtwpApplyEventNameFilter(x,x,x,x,x,x,x,x,x,x)
		test	al, al
		jz	loc_77303B

loc_772F3F:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+51Cj
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+550j
		mov	al, [ebp+var_131]
		mov	[ebp+var_179], al
		test	al, 1
		jnz	loc_77300F
		call	_EtwpGetStackLookasideListEntry@0 ; EtwpGetStackLookasideListEntry()
		mov	[ebp+var_170], eax
		test	eax, eax
		jz	short loc_772F9E
		push	0
		push	0
		lea	eax, [ebp+var_170]
		push	eax
		push	100h
		xor	edx, edx
		mov	ecx, [ebp+var_194]
		call	_EtwpGetStackExtendedHeaderItem@24 ; EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)
		mov	ecx, [ebp+var_170]
		neg	ecx
		sbb	cl, cl
		and	cl, 8
		mov	al, [ebp+var_179]
		and	al, 0F7h
		or	al, cl
		mov	[ebp+var_131], al
		jmp	short loc_773008
; 

loc_772F9E:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5E0j
		mov	[ebp+var_1E4], 0
		mov	[ebp+var_200], 0
		lea	eax, [ebp+var_1E4]
		push	eax
		lea	eax, [ebp+var_200]
		push	eax
		call	IoGetStackLimits
		lea	eax, [ebp+var_1E4]
		sub	eax, [ebp+var_200]
		cmp	eax, 528h
		jbe	short loc_773008
		mov	eax, 310h
		call	__alloca_probe_16
		mov	[ebp+var_18], esp
		mov	[ebp+var_170], esp
		push	0
		push	0
		lea	eax, [ebp+var_170]
		push	eax
		push	0C0h
		xor	edx, edx
		mov	ecx, [ebp+var_194]
		call	_EtwpGetStackExtendedHeaderItem@24 ; EtwpGetStackExtendedHeaderItem(x,x,x,x,x,x)

loc_773008:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+61Cj
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+656j
		or	[ebp+var_131], 1

loc_77300F:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5CDj
		mov	eax, [ebp+var_170]
		mov	esi, [ebp+var_138]
		test	eax, eax
		jz	short loc_773041
		or	esi, 4
		mov	[ebp+var_138], esi
		movzx	eax, word ptr [eax]
		add	ebx, eax
		mov	[ebp+var_140], ebx
		mov	[ebp+var_13C], ebx
		jmp	short loc_773041
; 

loc_77303B:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+508j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+56Fj	...
		mov	esi, [ebp+var_138]

loc_773041:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+69Dj
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6B9j
		test	byte ptr [edi+8], 8
		jz	loc_7730D5
		test	[ebp+var_131], 4
		jnz	short loc_7730B1
		mov	[ebp+var_204], 0
		mov	[ebp+var_208], 0
		lea	eax, [ebp+var_204]
		push	eax
		lea	eax, [ebp+var_208]
		push	eax
		call	IoGetStackLimits
		lea	eax, [ebp+var_204]
		sub	eax, [ebp+var_208]
		cmp	eax, 1E0h
		jbe	short loc_7730AA
		mov	eax, 1E0h
		call	__alloca_probe_16
		mov	[ebp+var_18], esp
		mov	eax, esp
		mov	[ebp+var_1B8], eax
		mov	ecx, eax
		call	_EtwpGetPsmKeyExtendedHeaderItem@4 ; EtwpGetPsmKeyExtendedHeaderItem(x)

loc_7730AA:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+70Cj
		or	[ebp+var_131], 4

loc_7730B1:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6D2j
		mov	eax, [ebp+var_1B8]
		test	eax, eax
		jz	short loc_7730D5
		or	esi, 10h
		mov	[ebp+var_138], esi
		movzx	eax, word ptr [eax]
		add	ebx, eax
		mov	[ebp+var_140], ebx
		mov	[ebp+var_13C], ebx

loc_7730D5:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+425j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6C5j	...
		movzx	edi, word ptr [edi+6]
		mov	[ebp+var_1C8], edi
		mov	eax, [ebp+var_70]
		lea	eax, [eax+eax*2]
		lea	esi, [ebp+var_130]
		lea	esi, [esi+eax*8]
		mov	[ebp+var_178], esi
		mov	ecx, [ebp+arg_24]
		test	ecx, ecx
		jz	loc_773204
		mov	[ebp+var_4], 0
		mov	[ebp+var_20C], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_1C9], al
		test	al, al
		jz	short loc_773154
		mov	eax, ecx
		shl	eax, 4
		test	eax, eax
		jz	short loc_773154
		mov	edx, [ebp+var_190]
		test	dl, 3
		jnz	loc_773EB4
		add	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_77314E
		cmp	eax, edx
		jnb	short loc_773151

loc_77314E:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7C8j
		mov	byte ptr [ecx],	0

loc_773151:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7CCj
		mov	ecx, [ebp+arg_24]

loc_773154:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7A4j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7ADj
		xor	edx, edx
		mov	ebx, [ebp+var_13C]
		mov	[ebp+var_140], ebx

loc_773162:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+86Cj
		mov	[ebp+var_20C], edx
		cmp	edx, ecx
		jnb	loc_7731F1
		mov	edi, ebx
		mov	esi, edx
		shl	esi, 4
		add	esi, [ebp+var_190]
		mov	eax, [esi+8]
		mov	[ebp+var_1D4], eax
		mov	ecx, eax
		cmp	ecx, 0FFFFh
		ja	loc_773DD4
		cmp	word ptr [ebp+var_1BC],	0
		jnz	short loc_7731A2
		xor	al, al
		jmp	short loc_7731AB
; 

loc_7731A2:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+81Cj
		mov	al, [esi+0Ch]
		mov	ecx, [ebp+var_1D4]

loc_7731AB:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+820j
		movzx	eax, al
		sub	eax, 0
		jz	short loc_7731CC
		sub	eax, 1
		jnz	short loc_7731C4
		add	[ebp+var_1A4], ecx
		inc	[ebp+var_180]

loc_7731C4:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+836j
		mov	ebx, [ebp+var_13C]
		jmp	short loc_7731DA
; 

loc_7731CC:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+831j
		mov	ebx, [ebp+var_13C]
		add	ebx, ecx
		mov	[ebp+var_13C], ebx

loc_7731DA:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+84Aj
		mov	[ebp+var_140], ebx
		cmp	ebx, edi
		jb	loc_773DD4
		inc	edx
		mov	ecx, [ebp+arg_24]
		jmp	loc_773162
; 

loc_7731F1:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7EAj
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [ebp+var_178]
		mov	edi, [ebp+var_1C8]

loc_773204:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+779j
		cmp	[ebp+var_180], 0
		jz	short loc_773228
		movzx	eax, word ptr [ebp+var_1A4]
		add	eax, 0Fh
		and	eax, 0FFFFFFF8h
		add	ebx, eax
		mov	[ebp+var_140], ebx
		mov	[ebp+var_13C], ebx

loc_773228:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+88Bj
		mov	eax, [ebp+var_1B4]
		mov	[ebp+var_178], eax
		test	ax, ax
		jz	short loc_773250
		movzx	eax, ax
		add	eax, 0Fh
		and	eax, 0FFFFFFF8h
		add	ebx, eax
		mov	[ebp+var_140], ebx
		mov	[ebp+var_13C], ebx

loc_773250:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8B7j
		mov	[esi+14h], ebx
		mov	ecx, [ebp+var_160]
		mov	ecx, [ecx+188h]
		mov	edx, 1
		mov	ecx, [ecx+edi*4]
		call	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
		test	al, al
		jz	short loc_7732EE
		mov	eax, [ebp+var_160]
		cmp	edi, [eax+8]
		jnb	short loc_7732E0
		lfence	eax
		mov	eax, [eax+18Ch]
		mov	ecx, [eax+edi*4]
		mov	[ebp+var_164], ecx
		mov	al, 1
		jmp	short loc_7732F4
; 

loc_773291:				; DATA XREF: .text:006A0ECCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-224h], eax
		mov	eax, 1
		retn
; 

loc_7732A4:				; DATA XREF: .text:006A0ED0o
		mov	eax, [ebp-224h]

loc_7732AA:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+144Fj
		mov	esp, [ebp-18h]
		mov	[ebp-158h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1F0h]
		mov	[ebp-194h], eax
		mov	ebx, [ebp-1F4h]
		mov	esi, [ebp-1F8h]
		mov	eax, [ebp+20h]
		mov	[ebp-174h], eax
		jmp	loc_773DF1
; 

loc_7732E0:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8F9j
		mov	[ebp+var_164], 1
		mov	al, 1
		jmp	short loc_7732F4
; 

loc_7732EE:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8EEj
		mov	al, [ebp+var_149]

loc_7732F4:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+90Fj
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+96Cj
		mov	ecx, [ebp+var_164]
		test	cl, 1
		jz	short loc_77334D
		mov	esi, [ebp+var_160]
		test	al, al
		jz	short loc_77331C
		mov	ecx, [esi+188h]
		mov	edx, 1
		mov	ecx, [ecx+edi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)

loc_77331C:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+987j
		cmp	edi, 3
		mov	ebx, [ebp+arg_24]
		mov	cl, [ebp+var_132]
		jnz	loc_772B90
		mov	eax, [esi+8A4h]
		neg	eax
		sbb	eax, eax
		and	eax, 2F6h
		add	eax, 0C0000008h
		mov	[ebp+var_158], eax
		jmp	loc_773DE5
; 

loc_77334D:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+97Dj
		push	0
		lea	eax, [ebp+var_19C]
		push	eax
		lea	eax, [ebp+var_218]
		push	eax
		mov	edx, ebx
		call	EtwpReserveTraceBuffer
		mov	edx, eax
		mov	[ebp+var_15C], edx
		test	edx, edx
		jnz	loc_773431
		mov	edi, [ebp+var_164]
		cmp	ebx, 0FFF8h
		jbe	short loc_773389
		mov	esi, 0C0000095h
		jmp	short loc_77339A
; 

loc_773389:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A00j
		cmp	[edi+8], ebx
		sbb	esi, esi
		and	esi, 0BFFFFFEEh
		add	esi, 0C0000017h

loc_77339A:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A07j
		push	offset _ETW_EVENT_LOST_EVENT
		mov	eax, dword_6BC30C
		push	eax
		mov	eax, _EtwpEventTracingProvRegHandle
		push	eax
		call	EtwEventEnabled
		test	al, al
		jz	short loc_7733D0
		push	esi
		lea	eax, [edi+5Ch]
		push	eax
		mov	edx, [ebp+var_184]
		lea	edx, [edx+28h]
		mov	ecx, [ebp+var_168]
		lea	ecx, [ecx+14h]
		call	_EtwpTraceLostEvent@16 ; EtwpTraceLostEvent(x,x,x,x)

loc_7733D0:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A32j
		cmp	[ebp+var_158], 0
		jl	short loc_7733E8
		test	dword ptr [edi+0Ch], 8000000h
		jnz	short loc_7733E8
		mov	[ebp+var_158], esi

loc_7733E8:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A57j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A60j
		mov	eax, [ebp+var_160]
		mov	ecx, [eax+188h]
		mov	edx, 1
		mov	edi, [ebp+var_1C8]
		mov	ecx, [ecx+edi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		cmp	esi, 0C0000095h
		mov	ebx, [ebp+arg_24]
		mov	esi, [ebp+var_144]
		mov	cl, [ebp+var_132]
		jnz	loc_772B96
		mov	[ebp+var_158], 0C0000095h
		jmp	loc_773DE5
; 

loc_773431:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9EEj
		mov	eax, [ebp+var_164]
		mov	[esi], eax
		mov	[esi+4], edx
		mov	eax, [ebp+var_218]
		mov	[esi+8], eax
		mov	eax, [ebp+var_214]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_210]
		mov	[esi+10h], eax
		inc	[ebp+var_70]
		mov	[ebp+var_4], 1
		mov	[ebp+var_1C0], 0
		mov	eax, 50h
		mov	[ebp+var_150], eax
		mov	[ebp+var_154], eax
		xor	ebx, ebx
		mov	[ebp+var_16C], ebx
		mov	ecx, 14h
		mov	esi, [ebp+var_184]
		mov	edi, edx
		rep movsd
		mov	ecx, [ebp+var_1DC]
		test	ecx, ecx
		jnz	short loc_7734BD
		mov	ecx, [ebp+var_168]
		mov	eax, [ecx+14h]
		mov	[edx+18h], eax
		mov	eax, [ecx+18h]
		mov	[edx+1Ch], eax
		mov	eax, [ecx+1Ch]
		mov	[edx+20h], eax
		mov	eax, [ecx+20h]
		mov	[edx+24h], eax
		jmp	short loc_7734DD
; 

loc_7734BD:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B1Bj
		mov	eax, [ecx]
		mov	[edx+18h], eax
		mov	eax, [ecx+4]
		mov	[edx+1Ch], eax
		mov	eax, [ecx+8]
		mov	[edx+20h], eax
		mov	eax, [ecx+0Ch]
		mov	[edx+24h], eax
		mov	eax, 80h
		or	[edx+4], ax

loc_7734DD:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B3Bj
		mov	eax, dword ptr [ebp+var_1E0]
		movzx	eax, ax
		mov	ecx, [ebp+var_164]
		mov	eax, [ecx+eax*4+14h]
		mov	ecx, [ebp+var_140]
		or	eax, ecx
		mov	[edx], eax
		mov	[ebp+var_148], 50h
		mov	eax, [ebp+var_138]
		test	eax, eax
		jz	loc_773943
		test	al, al
		jns	loc_7735CF
		lea	ebx, [edx+50h]
		mov	edx, [ebp+var_1D8]
		movzx	ecx, word ptr [edx+90Ch]
		add	cx, 0Fh
		mov	eax, 0FFF8h
		and	cx, ax
		mov	[ebx], cx
		mov	eax, 10h
		mov	[ebx+2], ax
		movzx	eax, word ptr [edx+90Ch]
		mov	[ebx+6], ax
		mov	eax, 0FFFEh
		and	[ebx+4], ax
		movzx	eax, word ptr [ebx+4]
		and	eax, 1
		mov	[ebx+4], ax
		movzx	eax, word ptr [edx+90Ch]
		sub	ecx, eax
		sub	ecx, 8
		movzx	esi, cx
		lea	edi, [ebx+8]
		push	eax		; size_t
		mov	eax, [edx+908h]
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		push	esi		; size_t
		push	0		; int
		mov	eax, [ebp+var_1D8]
		movzx	eax, word ptr [eax+90Ch]
		add	eax, edi
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	edx, [ebp+var_15C]
		or	word ptr [edx+4], 1
		movzx	esi, word ptr [ebx]
		add	esi, 50h
		mov	[ebp+var_150], esi
		mov	[ebp+var_154], esi
		mov	[ebp+var_16C], ebx
		mov	edi, esi
		mov	[ebp+var_148], esi
		mov	eax, [ebp+var_138]
		jmp	short loc_7735E0
; 

loc_7735CF:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B94j
		mov	edi, 50h
		mov	[ebp+var_148], edi
		mov	esi, [ebp+var_150]

loc_7735E0:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C4Dj
		test	al, 8
		jz	short loc_773663
		add	esi, edx
		mov	[ebp+var_148], esi
		mov	dword ptr [esi], 10018h
		mov	ecx, 10h
		mov	[esi+6], cx
		mov	ecx, 0FFFEh
		and	[esi+4], cx
		movzx	ecx, word ptr [esi+4]
		and	ecx, 1
		mov	[esi+4], cx
		mov	ecx, [ebp+arg_14]
		mov	ecx, [ecx]
		mov	[esi+8], ecx
		mov	ecx, [ebp+arg_14]
		mov	ecx, [ecx+4]
		mov	[esi+0Ch], ecx
		mov	ecx, [ebp+arg_14]
		mov	ecx, [ecx+8]
		mov	[esi+10h], ecx
		mov	ecx, [ebp+arg_14]
		mov	ecx, [ecx+0Ch]
		mov	[esi+14h], ecx
		or	word ptr [edx+4], 1
		lea	esi, [edi+18h]
		mov	[ebp+var_150], esi
		mov	[ebp+var_154], esi
		test	ebx, ebx
		jz	short loc_77364F
		or	word ptr [ebx+4], 1

loc_77364F:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+CC8j
		mov	ebx, [ebp+var_148]
		mov	[ebp+var_16C], ebx
		mov	edi, esi
		mov	[ebp+var_148], edi

loc_773663:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C62j
		test	al, 2
		jz	short loc_7736B5
		lea	eax, [edi+edx]
		movzx	esi, word ptr [ebp+var_6C]
		push	esi		; size_t
		lea	ecx, [ebp+var_6C]
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, [ebp+var_15C]
		or	word ptr [edx+4], 1
		add	esi, edi
		mov	[ebp+var_150], esi
		mov	[ebp+var_154], esi
		test	ebx, ebx
		jz	short loc_77369E
		or	word ptr [ebx+4], 1

loc_77369E:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D17j
		lea	ebx, [edi+edx]
		mov	[ebp+var_16C], ebx
		mov	edi, esi
		mov	[ebp+var_148], edi
		mov	eax, [ebp+var_138]

loc_7736B5:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+CE5j
		test	al, 1
		jz	short loc_773729
		add	esi, edx
		mov	[ebp+var_148], esi
		mov	dword ptr [esi], 30010h
		mov	eax, 4
		mov	[esi+6], ax
		mov	eax, 0FFFEh
		and	[esi+4], ax
		movzx	eax, word ptr [esi+4]
		and	eax, 1
		mov	[esi+4], ax
		call	_PsGetCurrentProcessSessionId@0	; PsGetCurrentProcessSessionId()
		mov	[esi+8], eax
		mov	edx, [ebp+var_15C]
		or	word ptr [edx+4], 1
		lea	esi, [edi+10h]
		mov	[ebp+var_150], esi
		mov	[ebp+var_154], esi
		test	ebx, ebx
		jz	short loc_77370F
		or	word ptr [ebx+4], 1

loc_77370F:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D88j
		mov	ebx, [ebp+var_148]
		mov	[ebp+var_16C], ebx
		mov	edi, esi
		mov	[ebp+var_148], edi
		mov	eax, [ebp+var_138]

loc_773729:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D37j
		test	al, 20h
		jz	loc_7737C8
		add	esi, edx
		mov	[ebp+var_178], esi
		mov	dword ptr [esi], 0D0010h
		mov	eax, 8
		mov	[esi+6], ax
		mov	eax, 0FFFEh
		and	[esi+4], ax
		movzx	eax, word ptr [esi+4]
		and	eax, 1
		mov	[esi+4], ax
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		call	_EtwpGetProcessStartKey@4 ; EtwpGetProcessStartKey(x)
		mov	[esi+8], eax
		mov	[esi+0Ch], edx
		mov	edx, [ebp+var_15C]
		or	word ptr [edx+4], 1
		lea	esi, [edi+10h]
		mov	[ebp+var_150], esi
		mov	[ebp+var_154], esi
		test	ebx, ebx
		jz	short loc_773796
		or	word ptr [ebx+4], 1

loc_773796:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E0Fj
		mov	ebx, [ebp+var_178]
		mov	[ebp+var_16C], ebx
		mov	edi, esi
		mov	[ebp+var_148], edi
		mov	ecx, [ebp+var_13C]
		mov	[ebp+var_140], ecx
		mov	eax, [ebp+var_1B4]
		mov	[ebp+var_178], eax
		mov	eax, [ebp+var_138]

loc_7737C8:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+DABj
		test	al, 40h
		jz	loc_773889
		lea	edi, [esi+edx]
		mov	[ebp+var_188], edi
		mov	dword ptr [edi], 0A0010h
		mov	eax, 8
		mov	[edi+6], ax
		mov	eax, 0FFFEh
		and	[edi+4], ax
		movzx	eax, word ptr [edi+4]
		and	eax, 1
		mov	[edi+4], ax
		test	[ebp+var_131], 10h
		jnz	short loc_773840
		lea	ecx, [ebp+var_1B0]
		call	_EtwpCreateEventKey@4 ;	EtwpCreateEventKey(x)
		or	[ebp+var_131], 10h
		mov	edx, [ebp+var_1FC]
		test	edx, edx
		jz	short loc_77383A
		mov	eax, [ebp+var_1B0]
		mov	[edx], eax
		mov	ecx, [ebp+var_1AC]
		mov	[edx+4], ecx
		mov	edx, [ebp+var_15C]
		jmp	short loc_77384C
; 

loc_77383A:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E9Fj
		mov	edx, [ebp+var_15C]

loc_773840:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E83j
		mov	ecx, [ebp+var_1AC]
		mov	eax, [ebp+var_1B0]

loc_77384C:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+EB8j
		mov	[edi+8], eax
		mov	[edi+0Ch], ecx
		or	word ptr [edx+4], 1
		add	esi, 10h
		mov	[ebp+var_150], esi
		mov	edi, esi
		mov	[ebp+var_148], edi
		mov	[ebp+var_154], esi
		test	ebx, ebx
		jz	short loc_773877
		or	word ptr [ebx+4], 1

loc_773877:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+EF0j
		mov	ebx, [ebp+var_188]
		mov	[ebp+var_16C], ebx
		mov	eax, [ebp+var_138]

loc_773889:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E4Aj
		test	al, 4
		jz	short loc_7738E9
		lea	ecx, [edi+edx]
		mov	[ebp+var_188], ecx
		mov	esi, [ebp+var_170]
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	esi		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, [ebp+var_15C]
		or	word ptr [edx+4], 1
		movzx	esi, word ptr [esi]
		add	esi, edi
		mov	[ebp+var_150], esi
		mov	edi, esi
		mov	[ebp+var_148], edi
		mov	[ebp+var_154], esi
		test	ebx, ebx
		jz	short loc_7738D7
		or	word ptr [ebx+4], 1

loc_7738D7:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F50j
		mov	ebx, [ebp+var_188]
		mov	[ebp+var_16C], ebx
		mov	eax, [ebp+var_138]

loc_7738E9:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F0Bj
		test	al, 10h
		jz	short loc_773949
		lea	ecx, [edi+edx]
		mov	[ebp+var_188], ecx
		mov	esi, [ebp+var_1B8]
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	esi		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, [ebp+var_15C]
		or	word ptr [edx+4], 1
		movzx	esi, word ptr [esi]
		add	esi, edi
		mov	[ebp+var_150], esi
		mov	[ebp+var_148], esi
		mov	[ebp+var_154], esi
		test	ebx, ebx
		jz	short loc_773935
		or	word ptr [ebx+4], 1

loc_773935:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+FAEj
		mov	ebx, [ebp+var_188]
		mov	[ebp+var_16C], ebx
		jmp	short loc_773949
; 

loc_773943:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B8Cj
		mov	esi, [ebp+var_150]

loc_773949:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F6Bj
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+FC1j
		mov	eax, [ebp+var_178]
		test	ax, ax
		jz	loc_773A01
		lea	edi, [esi+edx]
		mov	[ebp+var_188], edi
		movzx	edx, ax
		lea	ecx, [edx+0Fh]
		and	ecx, 0FFF8h
		mov	[edi], cx
		mov	esi, 0Ch
		mov	[edi+2], si
		mov	[edi+6], ax
		mov	eax, 0FFFEh
		and	[edi+4], ax
		movzx	eax, word ptr [edi+4]
		and	eax, 1
		mov	[edi+4], ax
		sub	ecx, [ebp+var_178]
		sub	ecx, 8
		movzx	esi, cx
		add	edi, 8
		push	edx		; size_t
		push	[ebp+var_1E8]	; void *
		push	edi		; void *
		call	_memcpy
		push	esi		; size_t
		push	0		; int
		mov	ecx, [ebp+var_178]
		movzx	eax, cx
		add	eax, edi
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	edx, [ebp+var_15C]
		or	word ptr [edx+4], 1
		mov	edi, [ebp+var_188]
		movzx	esi, word ptr [edi]
		add	esi, [ebp+var_148]
		mov	[ebp+var_150], esi
		mov	[ebp+var_148], esi
		mov	[ebp+var_154], esi
		test	ebx, ebx
		jz	short loc_7739F9
		or	word ptr [ebx+4], 1

loc_7739F9:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1072j
		mov	ebx, edi
		mov	[ebp+var_16C], ebx

loc_773A01:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+FD2j
		cmp	[ebp+var_180], 0
		jz	loc_773A9D
		lea	edi, [esi+edx]
		mov	ecx, [ebp+var_1A4]
		movzx	esi, cx
		lea	edx, [esi+0Fh]
		and	edx, 0FFF8h
		mov	[edi], dx
		mov	eax, 0Bh
		mov	[edi+2], ax
		mov	[edi+6], cx
		mov	eax, 0FFFEh
		and	[edi+4], ax
		movzx	eax, word ptr [edi+4]
		and	eax, 1
		mov	[edi+4], ax
		sub	edx, ecx
		sub	edx, 8
		movzx	eax, dx
		lea	ecx, [edi+8]
		mov	[ebp+var_138], ecx
		mov	[ebp+var_1A0], ecx
		add	ecx, esi
		mov	[ebp+var_1EC], ecx
		push	eax		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, [ebp+var_15C]
		or	word ptr [edx+4], 1
		movzx	eax, word ptr [edi]
		add	eax, [ebp+var_148]
		mov	[ebp+var_150], eax
		mov	[ebp+var_154], eax
		test	ebx, ebx
		jz	short loc_773AA9
		or	word ptr [ebx+4], 1
		jmp	short loc_773AA9
; 

loc_773A9D:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1088j
		mov	ecx, [ebp+var_1A0]
		mov	[ebp+var_138], ecx

loc_773AA9:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1114j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+111Bj
		xor	eax, eax
		mov	ebx, [ebp+var_140]

loc_773AB1:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11FBj
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+126Aj ...
		mov	[ebp+var_1C0], eax
		cmp	eax, [ebp+arg_24]
		jnb	loc_773CC5
		shl	eax, 4
		mov	edi, [ebp+var_190]
		add	edi, eax
		mov	esi, [edi+8]
		mov	ecx, [edi]
		mov	eax, [edi+4]
		mov	[ebp+var_188], eax
		mov	[ebp+var_18C], ecx
		mov	[ebp+var_188], eax
		cmp	word ptr [ebp+var_1BC],	0
		jnz	short loc_773AF9
		xor	al, al
		mov	edi, [ebp+var_138]
		jmp	short loc_773B26
; 

loc_773AF9:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+116Dj
		mov	al, [edi+0Ch]
		mov	[ebp+var_149], al
		mov	ebx, [ebp+var_13C]
		mov	edi, [ebp+var_1A0]
		mov	[ebp+var_138], edi
		mov	eax, [ebp+var_154]
		mov	[ebp+var_150], eax
		mov	al, [ebp+var_149]

loc_773B26:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1177j
		movzx	eax, al
		sub	eax, 0
		jz	loc_773C1D
		sub	eax, 1
		jz	short loc_773B80
		sub	eax, 2
		jnz	loc_773CB3
		cmp	esi, 8
		jnz	loc_773CB3
		lea	eax, [ecx+8]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_773B5A
		cmp	eax, ecx
		jnb	short loc_773B5D

loc_773B5A:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11D4j
		mov	byte ptr [edx],	0

loc_773B5D:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11D8j
		mov	eax, [ecx]
		mov	[ebp+var_19C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_198], eax
		mov	eax, [ebp+var_1C0]
		inc	eax
		mov	edx, [ebp+var_15C]
		jmp	loc_773AB1
; 

loc_773B80:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11B5j
		test	edi, edi
		jz	short loc_773BEF
		lea	eax, [esi+edi]
		mov	[ebp+var_188], eax
		cmp	eax, edi
		jb	short loc_773BEF
		cmp	eax, [ebp+var_1EC]
		ja	short loc_773BEF
		cmp	[ebp+var_180], 0
		jz	short loc_773BEF
		test	esi, esi
		jz	short loc_773BBA
		lea	eax, [ecx+esi]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_773BB7
		cmp	eax, ecx
		jnb	short loc_773BBA

loc_773BB7:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1231j
		mov	byte ptr [edx],	0

loc_773BBA:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1224j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1235j
		push	esi		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+var_188]
		mov	[ebp+var_1A0], ecx
		dec	[ebp+var_180]
		mov	[ebp+var_138], ecx
		mov	eax, [ebp+var_1C0]
		inc	eax
		mov	edx, [ebp+var_15C]
		jmp	loc_773AB1
; 

loc_773BEF:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1202j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+120Fj ...
		mov	[ebp+var_158], 0C0000004h
		mov	eax, [ebp+var_164]
		mov	eax, [eax+18h]
		or	eax, ebx
		mov	[edx], eax
		mov	eax, [ebp+var_19C]
		mov	[edx+10h], eax
		mov	eax, [ebp+var_198]
		mov	[edx+14h], eax
		jmp	loc_773DDE
; 

loc_773C1D:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11ACj
		mov	edi, [ebp+var_150]
		lea	eax, [edi+edx]
		mov	[ebp+var_188], eax
		lea	eax, [esi+edi]
		cmp	eax, edi
		jb	short loc_773C3D
		mov	[ebp+var_154], eax
		xor	edi, edi
		jmp	short loc_773C4F
; 

loc_773C3D:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+12B1j
		mov	[ebp+var_154], 0FFFFFFFFh
		mov	edi, 0C0000095h
		or	eax, 0FFFFFFFFh

loc_773C4F:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+12BBj
		test	edi, edi
		jnz	short loc_773BEF
		cmp	eax, ebx
		ja	short loc_773BEF
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_1CA], al
		test	al, al
		jz	short loc_773C85
		test	esi, esi
		jz	short loc_773C85
		lea	eax, [ecx+esi]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_773C82
		cmp	eax, ecx
		jnb	short loc_773C85

loc_773C82:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+12FCj
		mov	byte ptr [edx],	0

loc_773C85:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+12EBj
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+12EFj ...
		push	esi		; size_t
		push	ecx		; void *
		push	[ebp+var_188]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ebx, [ebp+var_13C]
		mov	ecx, [ebp+var_1A0]
		mov	eax, [ebp+var_154]
		mov	[ebp+var_150], eax
		mov	[ebp+var_138], ecx

loc_773CB3:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11BAj
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11C3j
		mov	eax, [ebp+var_1C0]
		inc	eax
		mov	edx, [ebp+var_15C]
		jmp	loc_773AB1
; 

loc_773CC5:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+113Aj
		mov	ecx, [ebp+var_1C4]
		test	ecx, ecx
		jz	short loc_773CE7
		mov	edi, [ebp+var_1C8]
		mov	eax, edi
		shr	eax, 5
		lea	ecx, [ecx+eax*4]
		and	edi, 1Fh
		mov	eax, [ecx]
		bts	eax, edi
		mov	[ecx], eax

loc_773CE7:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+134Dj
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_19C]
		mov	[edx+10h], eax
		mov	eax, [ebp+var_198]
		mov	[edx+14h], eax
		mov	edi, [ebp+var_194]
		mov	eax, [edi+194h]
		mov	[edx+38h], eax
		mov	eax, [edi+1C0h]
		mov	[edx+3Ch], eax
		mov	eax, [edi+2B0h]
		mov	[edx+8], eax
		mov	eax, [edi+2ACh]
		mov	[edx+0Ch], eax
		mov	ebx, [ebp+var_164]
		test	dword ptr [ebx+0Ch], 80000h
		jz	short loc_773D61
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_773D4B
		cmp	_KdPitchDebugger, 0
		jz	short loc_773D54

loc_773D4B:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+13C0j
		cmp	_KdEventLoggingPresent,	0
		jz	short loc_773D61

loc_773D54:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+13C9j
		lea	edx, [ebp+var_218]
		mov	ecx, ebx
		call	_EtwpSendTraceEvent@8 ;	EtwpSendTraceEvent(x,x)

loc_773D61:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+13B7j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+13D2j
		cmp	dword ptr [ebx+360h], 0
		mov	ebx, [ebp+arg_24]
		mov	esi, [ebp+var_144]
		mov	edx, [ebp+arg_20]
		mov	cl, [ebp+var_132]
		jz	loc_772B99
		sub	esp, 8
		call	_RtlEndStrongEnumerationHashTable@8 ; RtlEndStrongEnumerationHashTable(x,x)
		jmp	loc_772B90
; 

loc_773D8D:				; DATA XREF: .text:006A0ED8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-220h], eax
		mov	eax, 1
		retn
; 

loc_773DA0:				; DATA XREF: .text:006A0EDCo
		mov	eax, [ebp-164h]
		mov	eax, [eax+18h]
		or	eax, [ebp-13Ch]
		mov	ecx, [ebp-15Ch]
		mov	[ecx], eax
		mov	eax, [ebp-19Ch]
		mov	[ecx+10h], eax
		mov	eax, [ebp-198h]
		mov	[ecx+14h], eax
		mov	eax, [ebp-220h]
		jmp	loc_7732AA
; 

loc_773DD4:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+80Ej
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+862j
		mov	[ebp+var_158], 80000005h

loc_773DDE:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1298j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_773DE5:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+225j
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9C8j	...
		mov	ebx, [ebp+var_160]
		mov	esi, [ebp+var_168]

loc_773DF1:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+95Bj
		mov	edi, [ebp+arg_20]
		test	[ebp+var_131], 8
		jz	short loc_773E10
		mov	edx, [ebp+var_170]
		lea	edx, [edx-4]
		mov	ecx, offset _EtwpStackLookAsideList
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_773E10:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+147Bj
		cmp	[ebp+var_158], 0
		jl	short loc_773E4F
		mov	edi, [ebp+var_70]
		test	edi, edi
		jz	short loc_773E7F
		lea	esi, [ebp+var_130]

loc_773E26:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+14CBj
		lea	ecx, [esi+8]
		call	_EtwpReleaseTraceBuffer@4 ; EtwpReleaseTraceBuffer(x)
		mov	eax, [esi]
		mov	eax, [eax]
		mov	ecx, [ebx+188h]
		mov	edx, 1
		mov	ecx, [ecx+eax*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		lea	esi, [esi+18h]
		sub	edi, 1
		jnz	short loc_773E26
		jmp	short loc_773E7F
; 

loc_773E4F:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1497j
		push	1
		mov	eax, [ebp+var_184]
		add	eax, 28h
		push	eax
		push	[ebp+var_158]
		push	[ebp+var_1A8]
		lea	eax, [ebp+var_130]
		push	eax
		push	edi
		push	[ebp+arg_1C]
		mov	edx, esi
		mov	cl, byte ptr [ebp+var_174]
		call	EtwpFailLogging

loc_773E7F:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+149Ej
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+14CDj
		mov	ecx, [ebp+var_194]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_158]

loc_773E90:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+13Fj
		lea	esp, [ebp-234h]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	40h
; 

loc_773EB4:				; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7B8j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
_EtwpWriteUserEvent@72 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PerfLogImageUnload proc	near		; CODE XREF: MiUnmapViewOfSection+20Ep
					; MiUnloadSystemImage+3B6p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008D9C56 SIZE 00000013 BYTES
; FUNCTION CHUNK AT 008D9C81 SIZE 00000065 BYTES

		push	24h
		push	offset dword_6A0F08
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ecx
		xor	esi, esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		mov	eax, ds:_EtwpHostSiloState
		add	eax, 0A68h
		jz	short loc_773EF4
		test	byte ptr [eax],	4
		jnz	loc_8D9C56

loc_773EF4:				; CODE XREF: PerfLogImageUnload+2Fj
					; PerfLogImageUnload+165DAAj
		cmp	[ebp+arg_0], esi
		jz	short loc_773F21
		mov	[ebp+ms_exc.disabled], esi
		push	[ebp+arg_4]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	short loc_773F1A
		mov	ecx, [eax+58h]
		mov	[ebp+arg_C], ecx
		mov	ecx, [eax+8]
		mov	[ebp+var_20], ecx
		mov	eax, [eax+34h]
		mov	[ebp+var_1C], eax

loc_773F1A:				; CODE XREF: PerfLogImageUnload+4Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_773F21:				; CODE XREF: PerfLogImageUnload+3Dj
					; sub_8D9C6D+Fj
		test	ebx, ebx
		jz	loc_773FCA
		cmp	[ebp+arg_18], 0
		jz	loc_8D9C81

loc_773F33:				; CODE XREF: PerfLogImageUnload+165DCEj
		push	41777445h
		push	54h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8D9CA3
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	[edi+30h], ebx
		mov	ecx, [ebp+arg_0]
		mov	[edi+34h], ecx
		mov	ecx, [ebp+arg_4]
		mov	[edi+38h], ecx
		mov	eax, [ebp+arg_8]
		mov	[edi+3Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[edi+40h], eax
		mov	eax, [ebp+var_20]
		mov	[edi+44h], eax
		mov	eax, [ebp+arg_10]
		mov	[edi+48h], eax
		mov	eax, [ebp+arg_14]
		mov	[edi+4Ch], eax
		mov	eax, [ebp+var_1C]
		mov	[edi+50h], eax
		push	edi
		push	esi
		push	offset EtwpTraceImageUnloadApc
		push	offset _EtwpCancelTraceImageUnloadApc@4	; EtwpCancelTraceImageUnloadApc(x)
		push	offset _KiSchedulerApcNop@20 ; KiSchedulerApcNop(x,x,x,x,x)
		push	esi
		mov	eax, large fs:124h
		push	eax
		push	edi
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	esi
		push	esi
		push	esi
		push	edi
		call	KeInsertQueueApc
		test	al, al
		jz	loc_8D9C95

loc_773FB8:				; CODE XREF: PerfLogImageUnload+137j
					; PerfLogImageUnload+165E27j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_773FCA:				; CODE XREF: PerfLogImageUnload+69j
					; PerfLogImageUnload+165DF6j ...
		push	[ebp+arg_18]
		push	[ebp+var_1C]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+var_20]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_28]
		call	_EtwpTraceImageUnload@40 ; EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)
		cmp	[ebp+var_24], 0
		jz	short loc_773FB8
		jmp	loc_8D9CD6
PerfLogImageUnload endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DbgkUnMapViewOfSection proc near	; CODE XREF: MiUnmapViewOfSection+22Bp

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D9CE6 SIZE 00000073 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0A8h		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_B0]
		push	esi		; int
		push	eax		; void *
		mov	ebx, edx
		mov	edi, ecx
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_774056
		mov	ecx, large fs:124h
		test	byte ptr [ecx+2FCh], 4
		jnz	short loc_774056
		cmp	[edi+190h], esi
		jnz	loc_8D9CE6

loc_774056:				; CODE XREF: DbgkUnMapViewOfSection+40j
					; DbgkUnMapViewOfSection+50j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
DbgkUnMapViewOfSection endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpAllocateBuffer(x, x, x)
_AlpcpAllocateBuffer@12	proc near	; DATA XREF: AlpcpInitSystem+15Fo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
_AlpcpAllocateBuffer@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpCreateSectionView(x, x, x, x, x)
_AlpcpCreateSectionView@20 proc	near	; CODE XREF: AlpcpMapLegacyPortView(x,x,x)+11Cp
					; NtAlpcCreateSectionView(x,x,x)+12Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_8]
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		mov	esi, ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebx], eax
		call	AlpcpLockForCachedReferenceBlob
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		mov	ecx, esi
		call	_AlpcpCreateRegion@16 ;	AlpcpCreateRegion(x,x,x,x)
		mov	ecx, esi
		mov	edi, eax
		call	AlpcpUnlockBlob
		test	edi, edi
		js	short loc_77411F
		mov	edi, [ebp+var_C]
		xor	edx, edx
		lea	esi, [edi+0D0h]
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+var_4]
		call	AlpcpLockForCachedReferenceBlob
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		mov	edx, edi
		call	_AlpcpCreateView@12 ; AlpcpCreateView(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	edi, eax
		call	AlpcpUnlockBlob
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_774116

loc_7740F2:				; CODE XREF: AlpcpCreateSectionView(x,x,x,x,x)+ABj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		inc	edx
		call	AlpcpDereferenceBlobEx
		test	edi, edi
		js	short loc_77411F
		mov	eax, [ebp+var_8]
		mov	[ebx], eax
		xor	eax, eax

loc_77410F:				; CODE XREF: AlpcpCreateSectionView(x,x,x,x,x)+AFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_774116:				; CODE XREF: AlpcpCreateSectionView(x,x,x,x,x)+7Ej
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7740F2
; 

loc_77411F:				; CODE XREF: AlpcpCreateSectionView(x,x,x,x,x)+3Ej
					; AlpcpCreateSectionView(x,x,x,x,x)+94j
		mov	eax, edi
		jmp	short loc_77410F
_AlpcpCreateSectionView@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpCreateRegion(x, x, x, x)
_AlpcpCreateRegion@16 proc near		; CODE XREF: AlpcpCreateSectionView(x,x,x,x,x)+2Ep

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, large fs:124h
		mov	ebx, ecx
		and	dword ptr [eax], 0
		push	edi
		mov	edi, edx
		mov	[ebp+var_18], ebx
		mov	eax, [ebx+10h]
		cmp	eax, [esi+80h]
		jz	short loc_774158
		mov	eax, 0C0000022h
		jmp	loc_774270
; 

loc_774158:				; CODE XREF: AlpcpCreateRegion(x,x,x,x)+28j
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_AlpcpViewGranularity
		mov	edx, ds:_AlpcpRegionGranularity
		mov	[ebp+arg_0], edx
		lea	esi, [ecx-1]
		add	esi, eax
		dec	eax
		not	eax
		and	esi, eax
		lea	eax, [edx-1]
		dec	edx
		mov	[ebp+var_14], esi
		add	edx, ecx
		not	eax
		and	edx, eax
		mov	[ebp+var_10], edx
		cmp	esi, ecx
		jb	loc_77426B
		cmp	edx, ecx
		jb	loc_77426B
		lea	esi, [ebx+20h]
		test	edi, edi
		jz	short loc_7741A4
		mov	ecx, [ebp+arg_0]
		dec	ecx
		add	edi, ecx
		and	edi, eax
		jmp	short loc_7741FE
; 

loc_7741A4:				; CODE XREF: AlpcpCreateRegion(x,x,x,x)+74j
		xor	eax, eax
		mov	[ebp+arg_0], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_7741F5

loc_7741B5:				; CODE XREF: AlpcpCreateRegion(x,x,x,x)+BDj
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_C], ecx
		sub	ecx, edi
		cmp	ecx, edx
		jz	short loc_7741F1
		jbe	short loc_7741D7
		cmp	[ebp+arg_0], 0
		jz	short loc_7741CE
		cmp	[ebp+var_4], ecx
		jbe	short loc_7741D7

loc_7741CE:				; CODE XREF: AlpcpCreateRegion(x,x,x,x)+A3j
		mov	[ebp+arg_0], eax
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], ecx

loc_7741D7:				; CODE XREF: AlpcpCreateRegion(x,x,x,x)+9Dj
					; AlpcpCreateRegion(x,x,x,x)+A8j
		mov	edi, [eax+10h]
		add	edi, [ebp+var_C]
		mov	eax, [eax]
		cmp	eax, esi
		jnz	short loc_7741B5
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_7741F5
		mov	edi, [ebp+var_8]
		mov	esi, eax
		jmp	short loc_7741FE
; 

loc_7741F1:				; CODE XREF: AlpcpCreateRegion(x,x,x,x)+9Bj
		mov	esi, eax
		jmp	short loc_7741FE
; 

loc_7741F5:				; CODE XREF: AlpcpCreateRegion(x,x,x,x)+8Fj
					; AlpcpCreateRegion(x,x,x,x)+C4j
		mov	eax, [ebx+4]
		sub	eax, edi
		cmp	eax, edx
		jb	short loc_774264

loc_7741FE:				; CODE XREF: AlpcpCreateRegion(x,x,x,x)+7Ej
					; AlpcpCreateRegion(x,x,x,x)+CBj ...
		push	0
		push	30h
		pop	edx
		mov	ecx, offset _AlpcRegionType
		call	@AlpcpAllocateBlob@12 ;	AlpcpAllocateBlob(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_774264
		push	30h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+var_10]
		lea	ecx, [ebx+20h]
		and	dword ptr [ebx+18h], 0FFFFFFFEh
		add	esp, 0Ch
		mov	[ebx+0Ch], edi
		mov	edi, [ebp+var_18]
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	ecx, edi
		mov	[ebx+10h], eax
		mov	eax, [ebp+var_14]
		mov	[ebx+14h], eax
		call	AlpcpReferenceBlob
		mov	[ebx+8], edi
		mov	eax, [esi+4]
		mov	[ebx+4], eax
		mov	[ebx], esi
		mov	eax, [esi+4]
		mov	[eax], ebx
		mov	eax, [ebp+arg_4]
		mov	[esi+4], ebx
		inc	dword ptr [edi+1Ch]
		mov	[eax], ebx
		xor	eax, eax
		jmp	short loc_774270
; 

loc_774264:				; CODE XREF: AlpcpCreateRegion(x,x,x,x)+D8j
					; AlpcpCreateRegion(x,x,x,x)+EDj
		mov	eax, 0C000009Ah
		jmp	short loc_774270
; 

loc_77426B:				; CODE XREF: AlpcpCreateRegion(x,x,x,x)+61j
					; AlpcpCreateRegion(x,x,x,x)+69j
		mov	eax, 0C000000Dh

loc_774270:				; CODE XREF: AlpcpCreateRegion(x,x,x,x)+2Fj
					; AlpcpCreateRegion(x,x,x,x)+13Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_AlpcpCreateRegion@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcRegionDestroyProcedure(x)
_AlpcRegionDestroyProcedure@4 proc near	; DATA XREF: .text:00403C70o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [esi+8]
		mov	ecx, edi
		call	AlpcpLockForCachedReferenceBlob
		mov	edx, [esi+4]
		mov	ecx, edi
		mov	eax, [esi]
		mov	[edx], eax
		mov	edx, [esi]
		mov	eax, [esi+4]
		mov	[edx+4], eax
		dec	dword ptr [edi+1Ch]
		call	AlpcpUnlockBlob
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	AlpcpDereferenceBlobEx
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
_AlpcRegionDestroyProcedure@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpClosePort(x, x, x, x)
_AlpcpClosePort@16 proc	near		; DATA XREF: AlpcpInitSystem+101o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		cmp	[ebp+arg_8], 1
		jnz	short loc_774313
		push	esi
		mov	esi, [ebp+arg_4]
		test	dword ptr [esi+98h], 100000h
		jnz	short loc_7742F8
		mov	ecx, [esi+0Ch]
		mov	eax, ecx
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx
		cmp	eax, [ebp+arg_0]
		jnz	short loc_774312

loc_7742F8:				; CODE XREF: AlpcpClosePort(x,x,x,x)+27j
		mov	ecx, esi
		call	AlpcpDoPortCleanup
		test	dword ptr [esi+98h], 1000h
		jnz	short loc_774312
		mov	ecx, esi
		call	_AlpcpSendCloseMessage@4 ; AlpcpSendCloseMessage(x)

loc_774312:				; CODE XREF: AlpcpClosePort(x,x,x,x)+3Ej
					; AlpcpClosePort(x,x,x,x)+51j
		pop	esi

loc_774313:				; CODE XREF: AlpcpClosePort(x,x,x,x)+17j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	ebp
		retn	10h
_AlpcpClosePort@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpDoPortCleanup proc	near		; CODE XREF: AlpcpClosePort(x,x,x,x)+42p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D9D59 SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		xor	edx, edx
		mov	edi, ecx
		call	AlpcpDisconnectPort
		lea	ebx, [edi+0D0h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		cmp	dword ptr [edi+0D4h], 0
		jnz	loc_774406

loc_774351:				; CODE XREF: AlpcpDoPortCleanup+E9j
		mov	ecx, [edi+0Ch]
		mov	eax, ecx
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		test	eax, ecx
		jz	short loc_774373
		mov	edx, 63706C41h
		call	ObfDereferenceObjectWithTag
		or	dword ptr [edi+0Ch], 1

loc_774373:				; CODE XREF: AlpcpDoPortCleanup+3Fj
		or	dword ptr [edi+0F4h], 40h
		push	esi
		or	esi, 0FFFFFFFFh
		mov	eax, esi
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7743F4

loc_77438A:				; CODE XREF: AlpcpDoPortCleanup+D7j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, edi
		call	_AlpcpFlushMessagesPort@4 ; AlpcpFlushMessagesPort(x)
		mov	ecx, edi
		call	_AlpcpFlushResourcesPort@4 ; AlpcpFlushResourcesPort(x)
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		test	dword ptr [edi+0F4h], 200h
		jnz	short loc_7743DE
		lea	eax, [edi+8Ch]
		mov	[ebp+var_4], eax
		cmp	[eax], eax
		jnz	loc_8D9D59

loc_7743C5:				; CODE XREF: AlpcpDoPortCleanup+CEj
					; AlpcpDoPortCleanup+165A98j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		pop	esi
		cmp	al, 2
		jz	short loc_7743FD

loc_7743D3:				; CODE XREF: AlpcpDoPortCleanup+E0j
		mov	ecx, ebx
		call	KeAbPostRelease
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_7743DE:				; CODE XREF: AlpcpDoPortCleanup+8Ej
		push	0
		push	1000000h
		push	1
		push	dword ptr [edi+94h]
		call	KeReleaseSemaphore
		jmp	short loc_7743C5
; 

loc_7743F4:				; CODE XREF: AlpcpDoPortCleanup+64j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_77438A
; 

loc_7743FD:				; CODE XREF: AlpcpDoPortCleanup+ADj
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7743D3
; 

loc_774406:				; CODE XREF: AlpcpDoPortCleanup+27j
		mov	ecx, edi
		call	_AlpcpFreeCompletionList@4 ; AlpcpFreeCompletionList(x)
		jmp	loc_774351
AlpcpDoPortCleanup endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpFlushResourcesPort(x)
_AlpcpFlushResourcesPort@4 proc	near	; CODE XREF: AlpcpDoPortCleanup+76p
					; PAGE:0079A700p
		mov	edi, edi
		push	esi
		push	edi
		lea	esi, [ecx+0C4h]
		xor	edx, edx
		lea	edi, [ecx+0C8h]
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		push	ebx

loc_77442C:				; CODE XREF: AlpcpFlushResourcesPort(x)+59j
					; AlpcpFlushResourcesPort(x)+97j
		mov	eax, [edi]
		cmp	eax, edi
		jnz	short loc_774449
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		pop	ebx
		cmp	al, 2
		jz	short loc_7744AB

loc_774440:				; CODE XREF: AlpcpFlushResourcesPort(x)+A0j
		pop	edi
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
; 

loc_774449:				; CODE XREF: AlpcpFlushResourcesPort(x)+1Ej
		cmp	[eax+4], edi
		jnz	short loc_7744BD
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_7744BD
		mov	[edi], ecx
		lea	ebx, [eax+18h]
		mov	[ecx+4], edi
		mov	ecx, ebx
		mov	[eax+4], eax
		mov	[eax], eax
		call	AlpcpReferenceBlob
		test	eax, eax
		jz	short loc_77442C
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7744B4

loc_77447A:				; CODE XREF: AlpcpFlushResourcesPort(x)+A9j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	AlpcpDeleteBlob
		test	al, al
		jz	short loc_774496
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	AlpcpDereferenceBlobEx

loc_774496:				; CODE XREF: AlpcpFlushResourcesPort(x)+78j
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	AlpcpDereferenceBlobEx
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		jmp	short loc_77442C
; 

loc_7744AB:				; CODE XREF: AlpcpFlushResourcesPort(x)+2Cj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_774440
; 

loc_7744B4:				; CODE XREF: AlpcpFlushResourcesPort(x)+66j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_77447A
; 

loc_7744BD:				; CODE XREF: AlpcpFlushResourcesPort(x)+3Aj
					; AlpcpFlushResourcesPort(x)+41j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_AlpcpFlushResourcesPort@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpFlushMessagesPort(x)
_AlpcpFlushMessagesPort@4 proc near	; CODE XREF: AlpcpDoPortCleanup+6Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	1
		lea	edx, [ebx+60h]
		call	AlpcpFlushQueue
		push	2
		lea	edx, [ebx+68h]
		mov	ecx, ebx
		call	AlpcpFlushQueue
		push	3
		lea	edx, [ebx+74h]
		mov	ecx, ebx
		call	AlpcpFlushQueue
		push	4
		lea	edx, [ebx+80h]
		mov	ecx, ebx
		call	AlpcpFlushQueue
		xor	edx, edx
		mov	ecx, ebx
		call	_AlpcpFlushCancelQueue@8 ; AlpcpFlushCancelQueue(x,x)
		mov	eax, [ebx+0F4h]
		and	eax, 6
		cmp	al, 6
		jz	short loc_774515

loc_774512:				; CODE XREF: AlpcpFlushMessagesPort(x)+BCj
		pop	ebx
		leave
		retn
; 

loc_774515:				; CODE XREF: AlpcpFlushMessagesPort(x)+4Ej
		push	esi
		mov	esi, [ebx+8]
		xor	edx, edx
		push	edi
		lea	eax, [esi-4]
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	ExAcquirePushLockSharedEx
		mov	edi, [esi]
		mov	esi, [esi+8]
		test	edi, edi
		jz	short loc_774542
		mov	ecx, edi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_774542:				; CODE XREF: AlpcpFlushMessagesPort(x)+6Ej
		test	esi, esi
		jnz	short loc_774580

loc_774546:				; CODE XREF: AlpcpFlushMessagesPort(x)+CEj
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	loc_7745FA

loc_77455B:				; CODE XREF: AlpcpFlushMessagesPort(x)+140j
		call	KeAbPostRelease
		test	edi, edi
		jz	short loc_774578
		test	byte ptr [edi+0F4h], 40h
		jnz	short loc_774571
		test	esi, esi
		jnz	short loc_77459B

loc_774571:				; CODE XREF: AlpcpFlushMessagesPort(x)+A9j
					; AlpcpFlushMessagesPort(x)+E0j ...
		mov	ecx, edi
		call	ObfDereferenceObject

loc_774578:				; CODE XREF: AlpcpFlushMessagesPort(x)+A0j
		test	esi, esi
		jnz	short loc_774592

loc_77457C:				; CODE XREF: AlpcpFlushMessagesPort(x)+D7j
		pop	edi
		pop	esi
		jmp	short loc_774512
; 

loc_774580:				; CODE XREF: AlpcpFlushMessagesPort(x)+82j
		mov	ecx, esi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	esi, eax
		jmp	short loc_774546
; 

loc_774592:				; CODE XREF: AlpcpFlushMessagesPort(x)+B8j
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_77457C
; 

loc_77459B:				; CODE XREF: AlpcpFlushMessagesPort(x)+ADj
		test	byte ptr [esi+0F4h], 8
		jnz	short loc_774571
		push	1
		lea	eax, [edi+60h]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	AlpcpFlushMessagesByRequestor
		push	2
		lea	eax, [edi+68h]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	AlpcpFlushMessagesByRequestor
		test	byte ptr [ebx+0F4h], 80h
		jnz	short loc_7745DA
		push	3
		lea	eax, [edi+74h]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	AlpcpFlushMessagesByRequestor

loc_7745DA:				; CODE XREF: AlpcpFlushMessagesPort(x)+107j
		push	4
		lea	eax, [edi+80h]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	AlpcpFlushMessagesByRequestor
		mov	edx, ebx
		mov	ecx, edi
		call	_AlpcpFlushCancelQueue@8 ; AlpcpFlushCancelQueue(x,x)
		jmp	loc_774571
; 

loc_7745FA:				; CODE XREF: AlpcpFlushMessagesPort(x)+93j
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+var_4]
		jmp	loc_77455B
_AlpcpFlushMessagesPort@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpFlushQueue	proc near		; CODE XREF: AlpcpFlushMessagesPort(x)+Ep
					; AlpcpFlushMessagesPort(x)+1Ap ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D9DC1 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ecx
		cmp	edi, 2
		jbe	short loc_774670
		xor	eax, eax
		cmp	edi, 3
		setz	al
		dec	eax
		and	eax, 0Ch
		add	eax, 70h

loc_774631:				; CODE XREF: AlpcpFlushQueue+6Bj
		add	ecx, eax
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	esi, 0FFFFFFFFh

loc_77463D:				; CODE XREF: AlpcpFlushQueue+E3j
		mov	ebx, [ebx]
		cmp	ebx, [ebp+var_8]
		jnz	short loc_774684
		mov	esi, [ebp+var_4]
		or	eax, 0FFFFFFFFh
		push	2
		pop	ecx
		cmp	edi, ecx
		ja	short loc_774675
		add	esi, 5Ch

loc_774654:				; CODE XREF: AlpcpFlushQueue+75j
					; AlpcpFlushQueue+7Aj
		lock xadd [esi], eax
		and	al, 6
		cmp	al, cl
		jz	loc_7746F0

loc_774662:				; CODE XREF: AlpcpFlushQueue+EFj
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_774670:				; CODE XREF: AlpcpFlushQueue+18j
		push	5Ch
		pop	eax
		jmp	short loc_774631
; 

loc_774675:				; CODE XREF: AlpcpFlushQueue+47j
		cmp	edi, 3
		jz	short loc_77467F
		add	esi, 7Ch
		jmp	short loc_774654
; 

loc_77467F:				; CODE XREF: AlpcpFlushQueue+70j
		add	esi, 70h
		jmp	short loc_774654
; 

loc_774684:				; CODE XREF: AlpcpFlushQueue+3Aj
		mov	ecx, ebx
		call	AlpcpReferenceBlob
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		push	2
		pop	edx
		cmp	edi, edx
		ja	short loc_7746FC
		add	ecx, 5Ch

loc_77469A:				; CODE XREF: AlpcpFlushQueue+FCj
					; AlpcpFlushQueue+119j
		mov	[ebp+arg_0], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, dl
		jz	short loc_774717

loc_7746A7:				; CODE XREF: AlpcpFlushQueue+114j
		mov	ecx, [ebp+arg_0]
		call	KeAbPostRelease
		mov	ecx, ebx
		call	AlpcpLockForCachedReferenceBlob
		dec	word ptr [ebx-0Eh]
		mov	eax, [ebp+var_4]
		cmp	[ebx+8], eax
		jnz	loc_8D9DC1
		push	10000h
		mov	edx, ebx
		mov	ecx, eax
		call	@AlpcpCancelMessage@12 ; AlpcpCancelMessage(x,x,x)

loc_7746D4:				; CODE XREF: AlpcpFlushQueue+1657D0j
		cmp	edi, 2
		ja	short loc_774706
		push	5Ch
		pop	eax

loc_7746DC:				; CODE XREF: AlpcpFlushQueue+10Dj
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		add	ecx, eax
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, [ebp+var_8]
		jmp	loc_77463D
; 

loc_7746F0:				; CODE XREF: AlpcpFlushQueue+54j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_774662
; 

loc_7746FC:				; CODE XREF: AlpcpFlushQueue+8Dj
		cmp	edi, 3
		jnz	short loc_77471E
		add	ecx, 70h
		jmp	short loc_77469A
; 

loc_774706:				; CODE XREF: AlpcpFlushQueue+CFj
		xor	eax, eax
		cmp	edi, 3
		setz	al
		dec	eax
		and	eax, 0Ch
		add	eax, 70h
		jmp	short loc_7746DC
; 

loc_774717:				; CODE XREF: AlpcpFlushQueue+9Dj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7746A7
; 

loc_77471E:				; CODE XREF: AlpcpFlushQueue+F7j
		add	ecx, 7Ch
		jmp	loc_77469A
AlpcpFlushQueue	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpFlushCancelQueue(x, x)
_AlpcpFlushCancelQueue@8 proc near	; CODE XREF: AlpcpFlushMessagesPort(x)+3Ep
					; AlpcpFlushMessagesPort(x)+12Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		mov	[ebp+var_8], edx
		push	ebx
		push	esi
		push	edi
		lea	edi, [eax+5Ch]
		mov	[ebp+var_4], eax
		xor	edx, edx
		mov	[ebp+var_C], edi
		mov	ecx, edi
		lea	ebx, [eax+0E0h]
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebx]
		cmp	esi, ebx
		jnz	short loc_77476D

loc_774754:				; CODE XREF: AlpcpFlushCancelQueue(x,x)+97j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7747BF

loc_774761:				; CODE XREF: AlpcpFlushCancelQueue(x,x)+A0j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_77476D:				; CODE XREF: AlpcpFlushCancelQueue(x,x)+2Cj
		mov	edi, [ebp+var_4]
		mov	eax, [ebp+var_8]

loc_774773:				; CODE XREF: AlpcpFlushCancelQueue(x,x)+92j
		lea	ecx, [esi-2Ch]
		mov	edx, esi
		mov	esi, [esi]
		mov	[ebp+var_4], edx
		test	eax, eax
		jnz	short loc_7747C8

loc_774781:				; CODE XREF: AlpcpFlushCancelQueue(x,x)+A7j
		and	dword ptr [ecx+14h], 0FFFEFFFFh
		mov	edx, [edx+4]
		mov	eax, [ebp+var_4]
		mov	eax, [eax]
		mov	[edx], eax
		mov	eax, [ebp+var_4]
		mov	edx, [eax]
		mov	eax, [eax+4]
		mov	[edx+4], eax
		xor	edx, edx
		dec	dword ptr [edi+114h]
		inc	edx
		and	dword ptr [ecx+20h], 0
		and	dword ptr [ecx+24h], 0
		call	AlpcpDereferenceBlobEx
		mov	eax, [ebp+var_8]

loc_7747B6:				; CODE XREF: AlpcpFlushCancelQueue(x,x)+A5j
		cmp	esi, ebx
		jnz	short loc_774773
		mov	edi, [ebp+var_C]
		jmp	short loc_774754
; 

loc_7747BF:				; CODE XREF: AlpcpFlushCancelQueue(x,x)+39j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_774761
; 

loc_7747C8:				; CODE XREF: AlpcpFlushCancelQueue(x,x)+59j
		cmp	[ecx+20h], eax
		jnz	short loc_7747B6
		jmp	short loc_774781
_AlpcpFlushCancelQueue@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpDisconnectPort proc near		; CODE XREF: AlpcpDoPortCleanup+Cp
					; NtAlpcDisconnectPort(x,x)+57p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D9DDD SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		xor	edi, edi
		mov	[esp+20h+var_C], esi
		xor	edx, edx
		mov	[esp+20h+var_8], edi
		mov	eax, [esi+8]
		mov	[esp+20h+var_4], edi
		mov	[esp+20h+var_14], eax
		lea	ecx, [eax-4]
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [esi+0D0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[esp+20h+var_10], eax
		call	ExAcquirePushLockExclusiveEx
		test	bl, 1
		jnz	loc_7749CD

loc_77481D:				; CODE XREF: AlpcpDisconnectPort+207j
		mov	eax, [esi+0F4h]
		test	al, 20h
		jnz	loc_77498B
		or	eax, 20h
		lea	ebx, [esi+0D0h]
		mov	[esi+0F4h], eax
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_774A6E

loc_77484B:				; CODE XREF: AlpcpDisconnectPort+2A5j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [esi+0F4h]
		mov	eax, ecx
		and	al, 6
		cmp	al, 2
		jz	loc_7749DC

loc_774864:				; CODE XREF: AlpcpDisconnectPort+219j
		shr	ecx, 1
		and	ecx, 3
		sub	ecx, 1
		jz	loc_7749EE
		sub	ecx, 1
		jnz	loc_77497D
		mov	edi, [esp+20h+var_14]
		mov	ebx, esi
		mov	edi, [edi]

loc_774883:				; CODE XREF: AlpcpDisconnectPort+220j
		mov	esi, [esp+20h+var_14]

loc_774887:				; CODE XREF: AlpcpDisconnectPort+1B6j
		mov	[esp+20h+var_10], ebx
		test	edi, edi
		jz	short loc_77489F
		mov	ecx, edi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_77489F:				; CODE XREF: AlpcpDisconnectPort+BDj
		test	ebx, ebx
		jz	short loc_7748B7
		mov	ecx, ebx
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	ebx, eax
		mov	[esp+20h+var_10], ebx

loc_7748B7:				; CODE XREF: AlpcpDisconnectPort+D1j
		add	esi, 0FFFFFFFCh
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_774A7A

loc_7748CB:				; CODE XREF: AlpcpDisconnectPort+2B1j
		mov	ecx, esi
		call	KeAbPostRelease
		test	edi, edi
		jz	loc_774969
		mov	ebx, [esp+20h+var_C]
		lea	eax, [esp+20h+var_8]
		mov	[esp+20h+var_4], eax
		mov	[esp+20h+var_8], eax
		lea	eax, [edi+60h]

loc_7748ED:				; CODE XREF: AlpcpDisconnectPort+178j
		lea	ecx, [esp+20h+var_8]
		mov	edx, edi
		push	ecx
		push	1
		push	eax
		mov	ecx, ebx
		call	AlpcpCancelMessagesByRequestor
		mov	esi, eax
		mov	edx, edi
		lea	eax, [esp+20h+var_8]
		mov	ecx, ebx
		push	eax
		push	2
		lea	eax, [edi+68h]
		push	eax
		call	AlpcpCancelMessagesByRequestor
		or	esi, eax
		mov	edx, edi
		lea	eax, [esp+20h+var_8]
		mov	ecx, ebx
		push	eax
		push	3
		lea	eax, [edi+74h]
		push	eax
		call	AlpcpCancelMessagesByRequestor
		or	esi, eax
		mov	edx, edi
		lea	eax, [esp+20h+var_8]
		mov	ecx, ebx
		push	eax
		push	4
		lea	eax, [edi+80h]
		push	eax
		call	AlpcpCancelMessagesByRequestor
		or	eax, esi
		lea	eax, [edi+60h]
		jnz	short loc_7748ED
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	ebx, [esp+20h+var_10]
		mov	esi, [esp+20h+var_C]

loc_774959:				; CODE XREF: AlpcpDisconnectPort+299j
		mov	edi, [esp+20h+var_8]
		lea	eax, [esp+20h+var_8]
		cmp	edi, eax
		jnz	loc_7749F5

loc_774969:				; CODE XREF: AlpcpDisconnectPort+104j
		test	ebx, ebx
		jz	short loc_774974
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_774974:				; CODE XREF: AlpcpDisconnectPort+19Bj
		xor	eax, eax

loc_774976:				; CODE XREF: AlpcpDisconnectPort+1FBj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_77497D:				; CODE XREF: AlpcpDisconnectPort+A5j
		mov	esi, [esp+20h+var_14]
		mov	edi, [esi+8]
		mov	ebx, [esi]
		jmp	loc_774887
; 

loc_77498B:				; CODE XREF: AlpcpDisconnectPort+55j
		mov	ebx, [esp+20h+var_10]
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_774A86

loc_7749A0:				; CODE XREF: AlpcpDisconnectPort+2BDj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	edi, [esp+20h+var_14]
		or	eax, 0FFFFFFFFh
		add	edi, 0FFFFFFFCh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_774A92

loc_7749BF:				; CODE XREF: AlpcpDisconnectPort+2C9j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, 0C0000037h
		jmp	short loc_774976
; 

loc_7749CD:				; CODE XREF: AlpcpDisconnectPort+47j
		or	dword ptr [esi+0F4h], 80h
		jmp	loc_77481D
; 

loc_7749DC:				; CODE XREF: AlpcpDisconnectPort+8Ej
		mov	ecx, esi
		call	_AlpcpWalkConnectionList@4 ; AlpcpWalkConnectionList(x)
		mov	ecx, [esi+0F4h]
		jmp	loc_774864
; 

loc_7749EE:				; CODE XREF: AlpcpDisconnectPort+9Cj
		mov	ebx, edi
		jmp	loc_774883
; 

loc_7749F5:				; CODE XREF: AlpcpDisconnectPort+193j
		mov	eax, [edi]
		lea	ecx, [esp+20h+var_8]
		mov	[esp+20h+var_8], eax
		add	edi, 0FFFFFFD4h
		mov	[eax+4], ecx
		mov	ecx, edi
		call	AlpcpLockForCachedReferenceBlob
		test	ebx, ebx
		jz	loc_8D9E0A
		lea	ecx, [ebx+0D0h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		test	byte ptr [ebx+0F4h], 40h
		jnz	loc_8D9DDD
		xor	eax, eax
		inc	eax
		lock xadd [esi+0E8h], eax
		inc	eax
		mov	[edi+28h], eax
		mov	edx, edi
		mov	eax, [esi+1Ch]
		mov	ecx, ebx
		mov	[edi+44h], eax
		mov	[edi+20h], esi
		mov	[edi+24h], ebx
		call	_AlpcpInsertMessageCanceledQueue@8 ; AlpcpInsertMessageCanceledQueue(x,x)
		mov	ecx, ebx
		call	AlpcpSignalPortAndUnlock

loc_774A59:				; CODE XREF: AlpcpDisconnectPort+165635j
					; AlpcpDisconnectPort+16563Ej
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	short loc_774A9E

loc_774A62:				; CODE XREF: AlpcpDisconnectPort+2D5j
		mov	ecx, edi
		call	AlpcpUnlockBlob
		jmp	loc_774959
; 

loc_774A6E:				; CODE XREF: AlpcpDisconnectPort+75j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_77484B
; 

loc_774A7A:				; CODE XREF: AlpcpDisconnectPort+F5j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7748CB
; 

loc_774A86:				; CODE XREF: AlpcpDisconnectPort+1CAj
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7749A0
; 

loc_774A92:				; CODE XREF: AlpcpDisconnectPort+1E9j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7749BF
; 

loc_774A9E:				; CODE XREF: AlpcpDisconnectPort+290j
		mov	ecx, edi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	short loc_774A62
AlpcpDisconnectPort endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCancelMessagesByRequestor proc near ; CODE	XREF: AlpcpDisconnectPort+129p
					; AlpcpDisconnectPort+13Fp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008D9E13 SIZE 0000013E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ecx
		mov	[ebp+var_4], edx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [edx+0F4h]
		mov	[ebp+var_8], eax
		and	esi, 6
		mov	eax, [eax+0F4h]
		and	al, 6
		push	edi
		cmp	al, 4
		jnz	loc_774B5D
		xor	eax, eax
		cmp	esi, 4
		setnz	al

loc_774ADF:				; CODE XREF: AlpcpCancelMessagesByRequestor+16536Dj
		test	eax, eax
		jz	short loc_774AE8

loc_774AE3:				; CODE XREF: AlpcpCancelMessagesByRequestor+B8j
		cmp	ebx, 3
		jz	short loc_774B44

loc_774AE8:				; CODE XREF: AlpcpCancelMessagesByRequestor+39j
		and	[ebp+var_10], 0
		cmp	ebx, 2
		ja	short loc_774B4F
		push	5Ch

loc_774AF3:				; CODE XREF: AlpcpCancelMessagesByRequestor+A5j
					; AlpcpCancelMessagesByRequestor+AEj
		pop	eax
		lea	ecx, [eax+edx]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebp+arg_0]
		or	eax, 0FFFFFFFFh
		and	[ebp+var_C], 0
		mov	edi, [esi]
		cmp	edi, esi
		jnz	short loc_774B67

loc_774B0E:				; CODE XREF: AlpcpCancelMessagesByRequestor+E7j
		mov	esi, [ebp+var_4]
		push	2
		pop	edx
		cmp	ebx, edx
		ja	short loc_774B3A
		add	esi, 5Ch

loc_774B1B:				; CODE XREF: AlpcpCancelMessagesByRequestor+9Aj
					; AlpcpCancelMessagesByRequestor+B3j
		lock xadd [esi], eax
		and	al, 6
		cmp	al, dl
		jz	loc_774C84

loc_774B29:				; CODE XREF: AlpcpCancelMessagesByRequestor+1E3j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, [ebp+var_C]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_774B3A:				; CODE XREF: AlpcpCancelMessagesByRequestor+6Ej
		cmp	ebx, 3
		jz	short loc_774B58
		add	esi, 7Ch
		jmp	short loc_774B1B
; 

loc_774B44:				; CODE XREF: AlpcpCancelMessagesByRequestor+3Ej
		mov	[ebp+var_10], 1

loc_774B4B:				; CODE XREF: AlpcpCancelMessagesByRequestor+AAj
		push	70h
		jmp	short loc_774AF3
; 

loc_774B4F:				; CODE XREF: AlpcpCancelMessagesByRequestor+47j
		cmp	ebx, 3
		jz	short loc_774B4B
		push	7Ch
		jmp	short loc_774AF3
; 

loc_774B58:				; CODE XREF: AlpcpCancelMessagesByRequestor+95j
		add	esi, 70h
		jmp	short loc_774B1B
; 

loc_774B5D:				; CODE XREF: AlpcpCancelMessagesByRequestor+29j
		cmp	esi, 2
		jnz	short loc_774AE3
		jmp	loc_8D9E13
; 

loc_774B67:				; CODE XREF: AlpcpCancelMessagesByRequestor+64j
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		mov	[ebp+var_C], eax
		or	esi, 0FFFFFFFFh
		mov	eax, [ebp+arg_0]

loc_774B75:				; CODE XREF: AlpcpCancelMessagesByRequestor+E2j
		mov	[ebp+var_18], edi
		cmp	[edi+0Ch], ecx
		jz	short loc_774B94
		test	dword ptr [edi+14h], 8000h
		jnz	short loc_774B94
		mov	edi, [edi]

loc_774B88:				; CODE XREF: AlpcpCancelMessagesByRequestor+1D7j
		cmp	edi, eax
		jnz	short loc_774B75
		or	eax, 0FFFFFFFFh
		jmp	loc_774B0E
; 

loc_774B94:				; CODE XREF: AlpcpCancelMessagesByRequestor+D3j
					; AlpcpCancelMessagesByRequestor+DCj
		mov	ecx, edi
		call	AlpcpReferenceBlob
		mov	ecx, edi
		call	AlpcpTryLockForCachedReferenceBlob
		test	al, al
		jz	loc_8D9E1A
		mov	eax, [ebp+var_8]
		cmp	[edi+0Ch], eax
		jnz	loc_8D9EE5
		and	[ebp+var_14], 0

loc_774BBA:				; CODE XREF: AlpcpCancelMessagesByRequestor+165423j
		cmp	dword ptr [edi+24h], 0
		jnz	short loc_774C1F
		mov	eax, [edi+14h]
		test	al, al
		js	short loc_774C1F
		mov	edx, [edi+10h]
		or	eax, 80h
		push	0Ch
		pop	ecx
		mov	byte ptr [edi+84h], 0
		or	[edi+84h], cx
		xor	ecx, ecx
		mov	[edi+80h], cx
		mov	[edi+14h], eax
		push	18h
		pop	ecx
		mov	[edi+82h], cx
		test	edx, edx
		jnz	loc_8D9EF4
		test	eax, 200h
		jnz	loc_8D9F26
		mov	edx, [ebp+arg_8]
		lea	ecx, [edi+2Ch]
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		mov	[ecx], edx
		mov	eax, [edx+4]
		mov	[eax], ecx
		mov	[edx+4], ecx

loc_774C1F:				; CODE XREF: AlpcpCancelMessagesByRequestor+116j
					; AlpcpCancelMessagesByRequestor+11Dj ...
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		call	AlpcpReleaseMessageAttributesOnCancel
		or	dword ptr [edi+14h], 200h
		mov	eax, 0FFFFDFFFh
		and	[edi+84h], ax
		mov	ecx, edi
		call	_AlpcpClearOwnerPortMessage@4 ;	AlpcpClearOwnerPortMessage(x)
		mov	ecx, edi
		call	_AlpcpTransferQuotaMessage@4 ; AlpcpTransferQuotaMessage(x)
		mov	eax, [edi+70h]
		test	eax, eax
		jnz	short loc_774C90

loc_774C51:				; CODE XREF: AlpcpCancelMessagesByRequestor+1F8j
		mov	eax, [edi+74h]
		test	eax, eax
		jnz	loc_8D9F2F

loc_774C5C:				; CODE XREF: AlpcpCancelMessagesByRequestor+165497j
		cmp	[ebp+var_14], 0
		jnz	short loc_774CA2
		mov	edi, [edi]

loc_774C64:				; CODE XREF: AlpcpCancelMessagesByRequestor+1FFj
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	loc_8D9F44

loc_774C71:				; CODE XREF: AlpcpCancelMessagesByRequestor+1654A4j
		mov	ecx, [ebp+var_18]
		call	AlpcpUnlockBlob

loc_774C79:				; CODE XREF: AlpcpCancelMessagesByRequestor+165438j
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_8]
		jmp	loc_774B88
; 

loc_774C84:				; CODE XREF: AlpcpCancelMessagesByRequestor+7Bj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_774B29
; 

loc_774C90:				; CODE XREF: AlpcpCancelMessagesByRequestor+1A7j
		push	dword ptr [edi+90h]
		push	eax
		call	_PsReleaseProcessWakeCounter@8 ; PsReleaseProcessWakeCounter(x,x)
		and	dword ptr [edi+70h], 0
		jmp	short loc_774C51
; 

loc_774CA2:				; CODE XREF: AlpcpCancelMessagesByRequestor+1B8j
		mov	eax, [ebp+arg_0]
		mov	edi, [eax]
		jmp	short loc_774C64
AlpcpCancelMessagesByRequestor endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpSendCloseMessage(x)
_AlpcpSendCloseMessage@4 proc near	; CODE XREF: AlpcpClosePort(x,x,x,x)+55p
					; AlpcpDeletePort(x)+11Ep

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	ecx, [edi+0F4h]
		mov	eax, ecx
		and	eax, 6
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		cmp	eax, 2
		jz	loc_774D94
		test	cl, 8
		jnz	loc_774D94
		test	dword ptr [edi+98h], 1000h
		jnz	loc_774D98

loc_774CF7:				; CODE XREF: AlpcpSendCloseMessage(x)+F1j
		mov	eax, [edi+8]
		push	esi
		add	eax, 24h
		xor	esi, esi
		xchg	esi, [eax]
		test	esi, esi
		jz	loc_774D93
		mov	ecx, esi
		call	AlpcpLockForCachedReferenceBlob
		dec	word ptr [esi-0Eh]
		and	dword ptr [esi+90h], 7FFFFFFFh
		push	20h
		pop	eax
		mov	[esi+82h], ax
		push	8
		pop	eax
		mov	[esi+80h], ax
		xor	eax, eax
		mov	[esi+84h], bl
		or	word ptr [esi+84h], 5
		mov	[esi+86h], ax
		mov	eax, large fs:124h
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], esi
		mov	[ebp+var_C], 10000h
		mov	ecx, [eax+80h]
		mov	eax, [ecx+100h]
		mov	[esi+98h], eax
		mov	eax, [ecx+104h]
		lea	ecx, [ebp+var_24]
		mov	[esi+9Ch], eax
		mov	[esi+88h], ebx
		mov	[esi+8Ch], ebx
		call	AlpcpDispatchCloseMessage
		test	eax, eax
		js	short loc_774DA3

loc_774D93:				; CODE XREF: AlpcpSendCloseMessage(x)+5Aj
					; AlpcpSendCloseMessage(x)+108j
		pop	esi

loc_774D94:				; CODE XREF: AlpcpSendCloseMessage(x)+2Ej
					; AlpcpSendCloseMessage(x)+37j	...
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_774D98:				; CODE XREF: AlpcpSendCloseMessage(x)+47j
		cmp	eax, 4
		jz	loc_774CF7
		jmp	short loc_774D94
; 

loc_774DA3:				; CODE XREF: AlpcpSendCloseMessage(x)+E7j
		cmp	_AlpcpMessageLogEnabled, ebx
		jnz	short loc_774DB4

loc_774DAB:				; CODE XREF: AlpcpSendCloseMessage(x)+111j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		jmp	short loc_774D93
; 

loc_774DB4:				; CODE XREF: AlpcpSendCloseMessage(x)+FFj
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	short loc_774DAB
_AlpcpSendCloseMessage@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1486. MmUnmapViewOfSection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmUnmapViewOfSection(x, x)
		public _MmUnmapViewOfSection@8
_MmUnmapViewOfSection@8	proc near	; CODE XREF: PsShutdownSystem()+192p
					; NtMapCMFModule(x,x,x,x,x,x)+7F8p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		call	MiUnmapViewOfSection
		pop	ebp
		retn	8
_MmUnmapViewOfSection@8	endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpDestroyPort(x)
_AlpcpDestroyPort@4 proc near		; CODE XREF: AlpcpDeletePort(x)+BAp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi], 0
		jz	short loc_774E1B
		push	edi
		mov	edi, offset _AlpcpPortListLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_774E47
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_774E47
		mov	[eax], ecx
		mov	[ecx+4], eax
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_774E3E

loc_774E13:				; CODE XREF: AlpcpDestroyPort(x)+6Bj
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi

loc_774E1B:				; CODE XREF: AlpcpDestroyPort(x)+8j
		test	dword ptr [esi+0F4h], 200h
		jnz	short loc_774E29

loc_774E27:				; CODE XREF: AlpcpDestroyPort(x)+57j
		pop	esi
		retn
; 

loc_774E29:				; CODE XREF: AlpcpDestroyPort(x)+4Bj
		mov	edx, [esi+94h]
		test	edx, edx
		jz	short loc_774E27
		mov	ecx, offset _AlpcpNPLookasides
		pop	esi
		jmp	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
; 

loc_774E3E:				; CODE XREF: AlpcpDestroyPort(x)+37j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_774E13
; 

loc_774E47:				; CODE XREF: AlpcpDestroyPort(x)+1Ej
					; AlpcpDestroyPort(x)+25j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_AlpcpDestroyPort@4 endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall AlpcpGetValidPointer(x)
_AlpcpGetValidPointer@4	proc near	; CODE XREF: AlpcpDeletePort(x)+8Fp
					; AlpcpPortQueryServerInfo(x,x,x,x,x)+199p
		mov	al, cl
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx
		retn
_AlpcpGetValidPointer@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpDeletePort(x)
_AlpcpDeletePort@4 proc	near		; DATA XREF: AlpcpInitSystem+108o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	esi, [ebp+arg_0]
		test	dword ptr [esi+98h], 1000h
		jnz	loc_774F78

loc_774E7A:				; CODE XREF: AlpcpDeletePort(x)+123j
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_774ECF
		push	edi
		call	_AlpcpLockCommunicationInfoExclusive@4 ; AlpcpLockCommunicationInfoExclusive(x)
		mov	eax, [esi+0F4h]
		xor	edi, edi
		and	eax, 6
		cmp	eax, 2
		jz	loc_774F84
		cmp	eax, 4
		jnz	loc_774F4C
		mov	eax, [esi+8]
		mov	[eax+8], edi
		mov	eax, [esi+8]
		mov	eax, [eax+4]

loc_774EB0:				; CODE XREF: AlpcpDeletePort(x)+105j
		test	eax, eax
		jnz	loc_774F3B

loc_774EB8:				; CODE XREF: AlpcpDeletePort(x)+EBj
					; AlpcpDeletePort(x)+F3j ...
		mov	ecx, [esi+8]
		call	_AlpcpUnlockCommunicationInfoExclusive@4 ; AlpcpUnlockCommunicationInfoExclusive(x)
		mov	ecx, [esi+8]
		xor	edx, edx
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	[esi+8], edi
		pop	edi

loc_774ECF:				; CODE XREF: AlpcpDeletePort(x)+23j
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jnz	loc_774F66

loc_774EDA:				; CODE XREF: AlpcpDeletePort(x)+117j
		mov	ecx, [esi+0F4h]
		mov	eax, ecx
		and	al, 6
		cmp	al, 4
		jz	short loc_774F25

loc_774EE8:				; CODE XREF: AlpcpDeletePort(x)+CFj
					; AlpcpDeletePort(x)+D6j ...
		mov	ecx, [esi+0Ch]
		call	_AlpcpGetValidPointer@4	; AlpcpGetValidPointer(x)
		test	eax, eax
		jnz	loc_774F9B

loc_774EF8:				; CODE XREF: AlpcpDeletePort(x)+14Bj
		mov	ecx, [esi+0D8h]
		test	ecx, ecx
		jnz	loc_774FAC

loc_774F06:				; CODE XREF: AlpcpDeletePort(x)+155j
		xor	ecx, ecx
		lea	eax, [esi+100h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_774F8E

loc_774F14:				; CODE XREF: AlpcpDeletePort(x)+13Aj
		mov	ecx, esi
		call	_AlpcpDestroyPort@4 ; AlpcpDestroyPort(x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	esi
		pop	ebp
		retn	4
; 

loc_774F25:				; CODE XREF: AlpcpDeletePort(x)+8Aj
		test	ecx, 400h
		jnz	short loc_774EE8
		mov	ecx, [esi+2Ch]
		test	ecx, ecx
		jz	short loc_774EE8
		call	ObfDereferenceObject
		jmp	short loc_774EE8
; 

loc_774F3B:				; CODE XREF: AlpcpDeletePort(x)+56j
		mov	[eax+0F8h], edi
		mov	[eax+0FCh], edi
		jmp	loc_774EB8
; 

loc_774F4C:				; CODE XREF: AlpcpDeletePort(x)+42j
		cmp	eax, 6
		jnz	loc_774EB8
		mov	eax, [esi+8]
		mov	[eax+4], edi
		mov	eax, [esi+8]
		mov	eax, [eax+8]
		jmp	loc_774EB0
; 

loc_774F66:				; CODE XREF: AlpcpDeletePort(x)+78j
		call	ObfDereferenceObject
		mov	ecx, [esi+18h]
		call	_AlpcpFreeCompletionPacketLookaside@4 ;	AlpcpFreeCompletionPacketLookaside(x)
		jmp	loc_774EDA
; 

loc_774F78:				; CODE XREF: AlpcpDeletePort(x)+18j
		mov	ecx, esi
		call	_AlpcpSendCloseMessage@4 ; AlpcpSendCloseMessage(x)
		jmp	loc_774E7A
; 

loc_774F84:				; CODE XREF: AlpcpDeletePort(x)+39j
		mov	eax, [esi+8]
		mov	[eax], edi
		jmp	loc_774EB8
; 

loc_774F8E:				; CODE XREF: AlpcpDeletePort(x)+B6j
		xor	edx, edx
		inc	edx
		call	AlpcpDereferenceBlobEx
		jmp	loc_774F14
; 

loc_774F9B:				; CODE XREF: AlpcpDeletePort(x)+96j
		mov	edx, 63706C41h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		jmp	loc_774EF8
; 

loc_774FAC:				; CODE XREF: AlpcpDeletePort(x)+A4j
		call	ObfDereferenceObject
		jmp	loc_774F06
_AlpcpDeletePort@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcpAllocateMessage(x, x,	x)
@AlpcpAllocateMessage@12 proc near	; CODE XREF: AlpcpCreateClientPort+23Fp
					; AlpcpFormatConnectionRequest+28p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	edi
		push	18h
		pop	eax
		test	edx, edx
		jnz	short loc_774FCD
		mov	edx, 198h
		jmp	short loc_774FD8
; 

loc_774FCD:				; CODE XREF: AlpcpAllocateMessage(x,x,x)+Ej
		cmp	edx, eax
		jb	loc_77505F
		sub	edx, 0FFFFFF80h

loc_774FD8:				; CODE XREF: AlpcpAllocateMessage(x,x,x)+15j
		push	[ebp+arg_0]
		mov	ecx, offset _AlpcMessageType
		call	@AlpcpAllocateBlob@12 ;	AlpcpAllocateBlob(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_774FF2
		mov	eax, 0C000009Ah
		jmp	short loc_775064
; 

loc_774FF2:				; CODE XREF: AlpcpAllocateMessage(x,x,x)+33j
		push	esi
		mov	ecx, edi
		call	AlpcpLockForCachedReferenceBlob
		mov	esi, [edi+90h]
		push	98h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		push	18h
		pop	eax
		mov	[edi+82h], ax
		dec	word ptr [edi-0Eh]
		and	esi, 7FFFFFFFh
		mov	[edi+90h], esi
		pop	esi

loc_77502B:				; CODE XREF: AlpcpAllocateMessage(x,x,x)+81j
		xor	eax, eax
		inc	eax
		lock xadd ds:_AlpcpNextCallbackId, eax
		inc	eax
		jz	short loc_77502B
		mov	[edi+94h], eax
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_77504F
		mov	ecx, edi
		call	_AlpcpEnterAllocationEventMessageLog@4 ; AlpcpEnterAllocationEventMessageLog(x)

loc_77504F:				; CODE XREF: AlpcpAllocateMessage(x,x,x)+90j
		push	18h
		pop	eax
		mov	[edi+82h], ax
		xor	eax, eax
		mov	[ebx], edi
		jmp	short loc_775064
; 

loc_77505F:				; CODE XREF: AlpcpAllocateMessage(x,x,x)+19j
		mov	eax, 0C000000Dh

loc_775064:				; CODE XREF: AlpcpAllocateMessage(x,x,x)+3Aj
					; AlpcpAllocateMessage(x,x,x)+A7j
		pop	edi
		pop	ebx
		pop	ebp
		retn	4
@AlpcpAllocateMessage@12 endp


;  S U B	R O U T	I N E 


AlpcpLockForCachedReferenceBlob	proc near ; CODE XREF: AlpcpCreateSectionView(x,x,x,x,x)+1Dp
					; AlpcpCreateSectionView(x,x,x,x,x)+55p ...

; FUNCTION CHUNK AT 008D9F51 SIZE 00000020 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	edx, edx
		lea	ecx, [esi-4]
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi-10h], 1
		lea	eax, [esi-0Ch]
		mov	ecx, 10000h
		mov	edx, ecx
		lock xadd [eax], edx
		add	edx, ecx
		test	edx, edx
		jle	loc_8D9F51
		pop	esi
		retn
AlpcpLockForCachedReferenceBlob	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RtlpUnlockAtomTable(x)
_RtlpUnlockAtomTable@4 proc near	; CODE XREF: RtlAddAtomToAtomTableEx+9Ep
					; RtlDestroyLowBoxAtoms(x,x)+5Fp
		mov	edi, edi
		push	esi
		lea	esi, [ecx+8]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7750B8

loc_7750AB:				; CODE XREF: RtlpUnlockAtomTable(x)+27j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
; 

loc_7750B8:				; CODE XREF: RtlpUnlockAtomTable(x)+11j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7750AB
_RtlpUnlockAtomTable@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpRestoreWriteAccess(x)
_AlpcpRestoreWriteAccess@4 proc	near	; CODE XREF: AlpcViewDestroyProcedure+7Ep
					; AlpcpExposeViewAttributeInSenderContext+1649CFp

var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_1C]
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		mov	edi, [esi+8]
		mov	ebx, [eax+80h]
		mov	eax, [esi+20h]
		test	eax, eax
		jz	short loc_775127
		mov	ecx, [esi+10h]
		cmp	ecx, ebx
		jz	short loc_77510E
		lea	eax, [ebp+var_1C]
		xor	edx, edx
		push	eax
		call	KiStackAttachProcess
		mov	eax, [esi+20h]

loc_77510E:				; CODE XREF: AlpcpRestoreWriteAccess(x)+3Cj
		push	eax
		call	_MmUnsecureVirtualMemory@4 ; MmUnsecureVirtualMemory(x)
		cmp	[esi+10h], ebx
		jz	short loc_775123
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_775123:				; CODE XREF: AlpcpRestoreWriteAccess(x)+55j
		and	dword ptr [esi+20h], 0

loc_775127:				; CODE XREF: AlpcpRestoreWriteAccess(x)+35j
		or	dword ptr [esi+24h], 1
		and	dword ptr [edi+28h], 0
		mov	ecx, [ebp+var_4]
		mov	[edi+2Ch], esi
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AlpcpRestoreWriteAccess@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmSecureVirtualMemoryAgainstWrites proc	near
					; CODE XREF: AlpcpExposeViewAttributeInSenderContext+87p
					; AlpcpPrepareViewForDelivery+164A3Dp ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D9F71 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_28], ecx
		mov	edx, [ebp+arg_0]
		mov	ebx, esi
		push	edi
		push	6
		xor	eax, eax
		mov	[ebp+var_38], esi
		and	ebx, 0FFFFF000h
		mov	[ebp+var_34], edx
		lea	edi, [ebp+var_20]
		pop	ecx
		rep stosd
		cmp	ebx, esi
		jnz	loc_7752B6
		mov	ecx, 0FFFh
		test	edx, ecx
		jnz	loc_7752B6
		lea	eax, [edx-1]
		xor	edi, edi
		add	eax, esi
		or	eax, ecx
		mov	[ebp+var_24], eax
		shr	eax, 0Ch
		mov	[ebp+var_30], eax
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	eax, [ebp+var_28]
		mov	[ebp+var_2C], ecx
		cmp	ecx, eax
		jnz	loc_8D9F5F
		mov	[ebp+var_2C], edi

loc_7751BB:				; CODE XREF: AlpcpLockForCachedReferenceBlob+164F02j
		lea	eax, [ebp+var_3C]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	MiObtainReferencedVadEx
		mov	esi, eax
		test	esi, esi
		jz	loc_77528B
		mov	eax, [ebp+var_30]
		cmp	eax, [esi+10h]
		ja	loc_775284
		mov	ecx, esi
		call	_MiVadSupportsPrivateCommit@4 ;	MiVadSupportsPrivateCommit(x)
		test	eax, eax
		jz	loc_775284
		test	byte ptr [esi+1Ch], 8
		jz	short loc_775205
		mov	edx, [ebp+var_38]
		push	edi
		push	1
		push	[ebp+var_34]
		call	MiCheckSecuredVad
		test	eax, eax
		js	short loc_775284

loc_775205:				; CODE XREF: MmSecureVirtualMemoryAgainstWrites+AFj
		test	dword ptr [esi+1Ch], 100000h
		jnz	short loc_775284
		mov	eax, [esi+28h]
		test	eax, 4000000h
		jnz	short loc_775284
		mov	ecx, [esi+1Ch]
		shr	ecx, 7
		push	2
		and	ecx, 1Fh
		pop	edx
		call	_MiIsPteProtectionCompatible@8 ; MiIsPteProtectionCompatible(x,x)
		test	eax, eax
		jz	short loc_775284
		mov	eax, [esi+2Ch]
		mov	eax, [eax]
		mov	eax, [eax+1Ch]
		test	al, al
		js	loc_8D9F71

loc_77523D:				; CODE XREF: MmSecureVirtualMemoryAgainstWrites+164E37j
		mov	ecx, esi
		call	_MiVadMapsLargeImage@4 ; MiVadMapsLargeImage(x)
		test	eax, eax
		jnz	short loc_775284
		push	[ebp+var_24]
		mov	edx, ebx
		call	MiIsRangeFullyCommitted
		test	eax, eax
		jz	short loc_775284

loc_775256:				; CODE XREF: MmSecureVirtualMemoryAgainstWrites+164E31j
		push	[ebp+var_24]
		mov	ecx, [ebp+var_28]
		mov	edx, esi
		push	ebx
		call	_MiSetReadOnlyOnSectionView@16 ; MiSetReadOnlyOnSectionView(x,x,x,x)
		test	eax, eax
		js	short loc_775284
		push	edi
		push	0C0000001h
		push	[ebp+var_24]
		mov	edx, ebx
		mov	ecx, esi
		call	MiAddSecureEntry
		mov	edi, eax
		test	edi, edi
		jz	loc_8D9F7E

loc_775284:				; CODE XREF: MmSecureVirtualMemoryAgainstWrites+96j
					; MmSecureVirtualMemoryAgainstWrites+A5j ...
		mov	ecx, esi
		call	MiUnlockAndDereferenceVad

loc_77528B:				; CODE XREF: MmSecureVirtualMemoryAgainstWrites+8Aj
		cmp	[ebp+var_2C], 0
		jnz	loc_8D9F8F

loc_775295:				; CODE XREF: MmSecureVirtualMemoryAgainstWrites+164E57j
		test	edi, edi
		jz	short loc_7752A3
		mov	eax, dword_6D061C
		xor	eax, [ebp+var_28]
		xor	edi, eax

loc_7752A3:				; CODE XREF: MmSecureVirtualMemoryAgainstWrites+155j
		mov	eax, edi

loc_7752A5:				; CODE XREF: MmSecureVirtualMemoryAgainstWrites+176j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7752B6:				; CODE XREF: MmSecureVirtualMemoryAgainstWrites+37j
					; MmSecureVirtualMemoryAgainstWrites+44j
		xor	eax, eax
		jmp	short loc_7752A5
MmSecureVirtualMemoryAgainstWrites endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiIsRangeFullyCommitted	proc near	; CODE XREF: MmSecureVirtualMemoryAgainstWrites+10Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008D9F9E SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	eax
		push	2
		shr	edx, 0Ch
		mov	edi, ecx
		call	MiGetProtoPteAddress
		mov	esi, eax
		test	esi, esi
		jz	loc_7753C1
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	eax
		push	2
		shr	edx, 0Ch
		mov	ecx, edi
		call	MiGetProtoPteAddress
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_7753C1
		mov	eax, large fs:124h
		xor	ebx, ebx
		mov	ecx, [edi+2Ch]
		inc	ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_18], eax
		mov	ecx, [ecx]
		mov	ecx, [ecx]
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [ecx+1Ch]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_14], eax
		call	ExAcquirePushLockSharedEx
		mov	edi, [ebp+var_8]

loc_775335:				; CODE XREF: MiIsRangeFullyCommitted+164CFBj
		cmp	edi, [ebp+var_4]
		jnz	loc_8D9F9E
		mov	edx, [ebp+var_10]

loc_775341:				; CODE XREF: MiIsRangeFullyCommitted+164CEEj
		mov	[ebp+arg_0], edx
		cmp	esi, edx
		ja	short loc_77537A

loc_775348:				; CODE XREF: MiIsRangeFullyCommitted+BBj
		mov	ebx, [esi]
		nop
		mov	eax, [esi+4]
		mov	ecx, esi
		mov	[ebp+var_8], eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_7753B5
		push	[ebp+var_8]
		push	ebx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	ebx, eax
		mov	eax, edx
		mov	edx, [ebp+arg_0]

loc_77536C:				; CODE XREF: MiIsRangeFullyCommitted+FEj
		or	ebx, eax
		jz	short loc_7753BA
		add	esi, 8
		cmp	esi, edx
		jbe	short loc_775348
		mov	ebx, [ebp+var_C]

loc_77537A:				; CODE XREF: MiIsRangeFullyCommitted+8Cj
					; MiIsRangeFullyCommitted+105j
		cmp	edi, [ebp+var_4]
		jnz	loc_8D9FAD

loc_775383:				; CODE XREF: MiIsRangeFullyCommitted+164D03j
		mov	esi, [ebp+var_14]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_7753AC

loc_775394:				; CODE XREF: MiIsRangeFullyCommitted+F9j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_18]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, ebx

loc_7753A5:				; CODE XREF: MiIsRangeFullyCommitted+109j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7753AC:				; CODE XREF: MiIsRangeFullyCommitted+D8j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_775394
; 

loc_7753B5:				; CODE XREF: MiIsRangeFullyCommitted+A0j
		mov	eax, [ebp+var_8]
		jmp	short loc_77536C
; 

loc_7753BA:				; CODE XREF: MiIsRangeFullyCommitted+B4j
		xor	ebx, ebx
		mov	[ebp+var_C], ebx
		jmp	short loc_77537A
; 

loc_7753C1:				; CODE XREF: MiIsRangeFullyCommitted+27j
					; MiIsRangeFullyCommitted+45j
		xor	eax, eax
		jmp	short loc_7753A5
MiIsRangeFullyCommitted	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiIsPteProtectionCompatible(x, x)
_MiIsPteProtectionCompatible@8 proc near ; CODE	XREF: MmSecureVirtualMemoryAgainstWrites+E2p
					; MiCommitPagefileBackedSection+24p
		and	ecx, 7
		mov	ecx, ds:_MmCompatibleProtectionMask[ecx*4]
		or	ecx, 700h
		mov	eax, ecx
		or	eax, edx
		sub	eax, ecx
		neg	eax
		sbb	eax, eax
		inc	eax
		retn
_MiIsPteProtectionCompatible@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckSecuredVad proc near		; CODE XREF: MiResetVirtualMemory+D2084p
					; MiFindPlaceholderVadToReplace(x,x,x,x)+C7p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008D9FC2 SIZE 0000008B BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, ecx
		mov	ecx, offset loc_500000
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], edi
		mov	eax, [esi+1Ch]
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_8D9FC2

loc_775417:				; CODE XREF: MiCheckSecuredVad+164BECj
		mov	eax, [ebx+8]
		xor	edx, edx
		dec	eax
		add	eax, edi
		cmp	dword ptr [ebx+0Ch], 55h
		mov	edi, [esi+24h]
		mov	[ebp+var_4], eax
		sbb	eax, eax
		and	eax, [ebx+0Ch]
		mov	[ebp+var_C], eax

loc_775431:				; CODE XREF: MiCheckSecuredVad+B2j
		test	edi, edi
		jz	short loc_775496
		cmp	dword ptr [edi+24h], 2
		jnz	short loc_775492
		mov	ecx, [edi+4]
		test	cl, 40h
		jnz	loc_8D9FDB

loc_775447:				; CODE XREF: MiCheckSecuredVad+164C03j
		mov	eax, [ebp+var_8]
		cmp	eax, [edi+8]
		ja	short loc_775492
		mov	eax, ecx
		and	eax, 0FFFFF000h
		cmp	[ebp+var_4], eax
		jb	short loc_775492
		cmp	dword ptr [ebx+0Ch], 55h
		jnb	short loc_7754DE

loc_775461:				; CODE XREF: MiCheckSecuredVad+FFj
		test	ecx, 100h
		jnz	loc_8D9FEA

loc_77546D:				; CODE XREF: MiCheckSecuredVad+164C15j
		test	cl, 4
		jnz	short loc_7754A3
		mov	eax, [ebp+var_C]
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jz	short loc_7754E7
		mov	eax, [ebp+var_C]
		and	eax, 7
		mov	al, ds:_MiReadWrite[eax]
		test	cl, 1
		jz	short loc_7754F7
		cmp	al, 0Ah

loc_775490:				; CODE XREF: MiCheckSecuredVad+11Cj
		jl	short loc_7754E7

loc_775492:				; CODE XREF: MiCheckSecuredVad+57j
					; MiCheckSecuredVad+6Bj ...
		mov	edi, [edi]
		jmp	short loc_775431
; 

loc_775496:				; CODE XREF: MiCheckSecuredVad+51j
					; MiCheckSecuredVad+FAj
		mov	eax, edx

loc_775498:				; CODE XREF: MiCheckSecuredVad+10Aj
					; MiCheckSecuredVad+164BF4j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
; 

loc_7754A3:				; CODE XREF: MiCheckSecuredVad+8Ej
		cmp	dword ptr [ebx+0Ch], 55h
		jnb	short loc_775492
		mov	eax, [esi+0Ch]
		shl	eax, 0Ch
		cmp	eax, 7FFE0000h
		jz	loc_8DA02F
		mov	ecx, dword_6D0618
		cmp	eax, ecx
		jz	short loc_7754EE

loc_7754C4:				; CODE XREF: MiCheckSecuredVad+10Ej
					; MiCheckSecuredVad+164C66j
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	1
		push	dword ptr [ebx+0Ch]
		push	[ebp+var_4]
		call	_MiComparePteProtections@20 ; MiComparePteProtections(x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jns	short loc_775492
		jmp	short loc_775496
; 

loc_7754DE:				; CODE XREF: MiCheckSecuredVad+7Dj
		test	cl, 8
		jz	loc_775461

loc_7754E7:				; CODE XREF: MiCheckSecuredVad+99j
					; MiCheckSecuredVad:loc_775490j ...
		mov	eax, 0C0000045h
		jmp	short loc_775498
; 

loc_7754EE:				; CODE XREF: MiCheckSecuredVad+E0j
		test	ecx, ecx
		jz	short loc_7754C4
		jmp	loc_8DA02F
; 

loc_7754F7:				; CODE XREF: MiCheckSecuredVad+AAj
		test	cl, 2
		jz	short loc_775492
		cmp	al, 0Bh
		jmp	short loc_775490
MiCheckSecuredVad endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCaptureViewAttribute proc near	; CODE XREF: AlpcpCompleteDispatchMessage+D04p

var_30		= dword	ptr -30h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	20h
		push	offset dword_6A0F48
		call	__SEH_prolog4
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_77553C
		and	[ebp+ms_exc.disabled], 0
		mov	esi, edx
		lea	edi, [ebp+var_30]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	edx, [ebp+var_30]

loc_77553C:				; CODE XREF: AlpcpCaptureViewAttribute+23j
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	AlpcpCaptureViewAttributeInternal

loc_775547:				; CODE XREF: sub_8DA05B+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
AlpcpCaptureViewAttribute endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCaptureViewAttributeInternal proc near ; CODE XREF: AlpcpCaptureViewAttribute+42p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DA06D SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	eax, ecx
		mov	[esp+18h+var_8], eax
		test	dword ptr [edi], 0FFF8FFFFh
		jnz	loc_8DA06D
		mov	ebx, [ebp+arg_0]
		mov	esi, [ebx+4Ch]
		mov	[esp+18h+var_4], esi
		test	esi, esi
		jz	short loc_7755BE
		and	dword ptr [ebx+4Ch], 0
		mov	ecx, [esi+8]
		call	AlpcpLockForCachedReferenceBlob
		dec	dword ptr [esi+28h]
		mov	ecx, [esi+8]
		call	AlpcpUnlockBlob
		test	dword ptr [edi], 10000h
		jz	short loc_7755B0
		mov	ecx, esi
		call	_AlpcpDeleteView@4 ; AlpcpDeleteView(x)

loc_7755B0:				; CODE XREF: AlpcpCaptureViewAttributeInternal+4Dj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	eax, [esp+18h+var_8]

loc_7755BE:				; CODE XREF: AlpcpCaptureViewAttributeInternal+2Ej
		and	dword ptr [ebx+14h], 0FFFFBFFFh
		mov	edx, [edi+4]
		test	edx, edx
		jz	loc_775662
		mov	esi, [edi+8]
		test	esi, esi
		jz	loc_8DA077
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	loc_77566A
		push	offset _AlpcSectionType
		add	ecx, 14h
		call	AlpcReferenceBlobByHandle
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_77566A
		mov	edx, [esp+18h+var_8]
		lea	eax, [esp+18h+var_4]
		push	eax
		push	esi
		mov	ecx, ebx
		call	_AlpcpLocateSectionView@16 ; AlpcpLocateSectionView(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_77564D
		mov	ecx, [edi]
		test	ecx, 40000h
		jz	short loc_775666
		mov	edx, [ebx+18h]
		shr	edx, 1
		and	dl, 1

loc_775622:				; CODE XREF: AlpcpCaptureViewAttributeInternal+10Ej
		mov	esi, [esp+18h+var_4]
		shr	ecx, 11h
		and	cl, 1
		movzx	eax, cl
		mov	ecx, esi
		push	eax
		call	AlpcpPrepareViewForDelivery
		mov	[esp+18h+var_4], eax
		test	eax, eax
		js	loc_8DA081
		mov	eax, [ebp+arg_4]
		mov	[eax+14h], esi

loc_775649:				; CODE XREF: AlpcpCaptureViewAttributeInternal+164B31j
		mov	esi, [esp+18h+var_4]

loc_77564D:				; CODE XREF: AlpcpCaptureViewAttributeInternal+B4j
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	eax, esi

loc_775659:				; CODE XREF: AlpcpCaptureViewAttributeInternal+10Aj
					; AlpcpCaptureViewAttributeInternal+115j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_775662:				; CODE XREF: AlpcpCaptureViewAttributeInternal+70j
		xor	eax, eax
		jmp	short loc_775659
; 

loc_775666:				; CODE XREF: AlpcpCaptureViewAttributeInternal+BEj
		xor	edx, edx
		jmp	short loc_775622
; 

loc_77566A:				; CODE XREF: AlpcpCaptureViewAttributeInternal+86j
					; AlpcpCaptureViewAttributeInternal+9Dj
		mov	eax, 0C0000008h
		jmp	short loc_775659
AlpcpCaptureViewAttributeInternal endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpPrepareViewForDelivery proc near	; CODE XREF: AlpcpCaptureViewAttributeInternal+D8p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008DA090 SIZE 000000AB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_21], dl
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_20]
		rep stosd
		mov	edi, [esi+8]
		xor	ebx, ebx
		mov	ecx, edi
		mov	[ebp+var_28], ebx
		call	AlpcpLockForCachedReferenceBlob
		mov	eax, [edi+18h]
		test	al, 1
		jz	short loc_7756F6
		cmp	esi, [edi+2Ch]
		jnz	short loc_77571B
		cmp	[ebp+var_21], bl
		jz	loc_8DA0E1
		cmp	[esi+28h], ebx
		ja	short loc_77571B

loc_7756BF:				; CODE XREF: AlpcpPrepareViewForDelivery+87j
					; AlpcpPrepareViewForDelivery+8Cj ...
		inc	dword ptr [esi+28h]

loc_7756C2:				; CODE XREF: AlpcpPrepareViewForDelivery+AEj
		movzx	eax, [ebp+arg_0]
		mov	ecx, edi
		add	eax, eax
		xor	eax, [esi+24h]
		and	eax, 2
		xor	[esi+24h], eax
		call	AlpcpUnlockBlob
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	loc_8DA12C

loc_7756E3:				; CODE XREF: AlpcpPrepareViewForDelivery+164AC4j
		mov	ecx, [ebp+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7756F6:				; CODE XREF: AlpcpPrepareViewForDelivery+38j
		cmp	[ebp+var_21], bl
		jz	short loc_7756BF
		cmp	[esi+28h], ebx
		ja	short loc_7756BF
		mov	ecx, [edi+1Ch]
		cmp	ecx, 2
		ja	short loc_7756BF
		cmp	ecx, 1
		jnz	loc_8DA090
		or	eax, ecx
		mov	[edi+2Ch], esi
		mov	[edi+18h], eax
		jmp	short loc_7756BF
; 

loc_77571B:				; CODE XREF: AlpcpPrepareViewForDelivery+3Dj
					; AlpcpPrepareViewForDelivery+4Bj
		mov	ebx, 0C0000022h
		jmp	short loc_7756C2
AlpcpPrepareViewForDelivery endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpLocateSectionView(x, x, x, x)
_AlpcpLocateSectionView@16 proc	near	; CODE XREF: AlpcpCaptureViewAttributeInternal+ABp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		mov	ebx, edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ecx
		mov	[edi], eax
		mov	eax, [ebp+arg_0]
		lea	esi, [ebx+0D0h]
		mov	[ebp+var_C], eax

loc_775748:				; CODE XREF: AlpcpLocateSectionView(x,x,x,x)+61j
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		lea	eax, [ebp+var_C]
		push	eax
		push	ecx
		mov	ecx, ebx
		call	_AlpcpEnumerateResourcesPort@16	; AlpcpEnumerateResourcesPort(x,x,x,x)
		push	11h
		mov	[ebp+arg_4], eax
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_775775
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_775775:				; CODE XREF: AlpcpLocateSectionView(x,x,x,x)+4Aj
		mov	ecx, esi
		call	KeAbPostRelease
		cmp	[ebp+arg_4], 0C000022Dh
		jz	short loc_775748
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jnz	short loc_775793

loc_77578C:				; CODE XREF: AlpcpLocateSectionView(x,x,x,x)+81j
		mov	eax, 0C0000141h
		jmp	short loc_7757A9
; 

loc_775793:				; CODE XREF: AlpcpLocateSectionView(x,x,x,x)+68j
		mov	eax, [ecx+8]
		mov	edx, [ebp+var_4]
		cmp	[eax+8], edx
		jz	short loc_7757A5
		call	_AlpcpDereferenceView@4	; AlpcpDereferenceView(x)
		jmp	short loc_77578C
; 

loc_7757A5:				; CODE XREF: AlpcpLocateSectionView(x,x,x,x)+7Aj
		mov	[edi], ecx
		xor	eax, eax

loc_7757A9:				; CODE XREF: AlpcpLocateSectionView(x,x,x,x)+6Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_AlpcpLocateSectionView@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpEnumerateResourcesPort(x, x, x, x)
_AlpcpEnumerateResourcesPort@16	proc near ; CODE XREF: AlpcpLocateSectionView(x,x,x,x)+36p
					; NtAlpcDeleteSectionView+82p

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		xor	ebx, ebx
		lea	edi, [esi+0C4h]
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		lea	eax, [esi+0C8h]
		mov	esi, [eax]
		mov	[ebp+var_4], eax
		jmp	short loc_7757E1
; 

loc_7757D9:				; CODE XREF: AlpcpEnumerateResourcesPort(x,x,x,x)+33j
		cmp	byte ptr [esi+9], 6
		jz	short loc_775803

loc_7757DF:				; CODE XREF: AlpcpEnumerateResourcesPort(x,x,x,x)+68j
		mov	esi, [esi]

loc_7757E1:				; CODE XREF: AlpcpEnumerateResourcesPort(x,x,x,x)+27j
		cmp	esi, eax
		jnz	short loc_7757D9

loc_7757E5:				; CODE XREF: AlpcpEnumerateResourcesPort(x,x,x,x)+63j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_77581A

loc_7757F3:				; CODE XREF: AlpcpEnumerateResourcesPort(x,x,x,x)+71j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_775803:				; CODE XREF: AlpcpEnumerateResourcesPort(x,x,x,x)+2Dj
		push	[ebp+arg_4]
		lea	eax, [esi+18h]
		push	eax
		call	_AlpcpViewSearchCallbackFunction@8 ; AlpcpViewSearchCallbackFunction(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7757E5
		mov	eax, [ebp+var_4]
		jmp	short loc_7757DF
; 

loc_77581A:				; CODE XREF: AlpcpEnumerateResourcesPort(x,x,x,x)+41j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7757F3
_AlpcpEnumerateResourcesPort@16	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpViewSearchCallbackFunction(x, x)
_AlpcpViewSearchCallbackFunction@8 proc	near
					; CODE XREF: AlpcpEnumerateResourcesPort(x,x,x,x)+5Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, [esi+14h]
		cmp	eax, [edi]
		jz	short loc_775840
		xor	eax, eax

loc_77583A:				; CODE XREF: AlpcpViewSearchCallbackFunction(x,x)+2Fj
					; AlpcpViewSearchCallbackFunction(x,x)+36j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_775840:				; CODE XREF: AlpcpViewSearchCallbackFunction(x,x)+12j
		mov	ecx, esi
		call	AlpcpReferenceBlob
		test	eax, eax
		jz	short loc_775855
		mov	[edi+4], esi
		mov	eax, 0C0000001h
		jmp	short loc_77583A
; 

loc_775855:				; CODE XREF: AlpcpViewSearchCallbackFunction(x,x)+25j
		mov	eax, 0C000022Dh
		jmp	short loc_77583A
_AlpcpViewSearchCallbackFunction@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpExposeViewAttributeInSenderContext	proc near ; CODE XREF: PAGE:008302C5p
					; AlpcpCompleteDispatchMessage+74Bp ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DA13B SIZE 00000104 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+40h+var_2C], ecx
		lea	edi, [esp+40h+var_1C]
		push	6
		xor	eax, eax
		mov	[esp+44h+var_24], edx
		and	[esp+44h+var_28], eax
		pop	ecx
		rep stosd
		mov	edi, [edx+4Ch]
		mov	[esp+40h+var_20], edi
		mov	ebx, [edi+8]
		mov	ecx, ebx
		call	AlpcpLockForCachedReferenceBlob
		mov	edi, [esp+40h+var_2C]

loc_7758A1:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+1648FCj
		mov	edx, edi
		mov	ecx, ebx
		call	_AlpcpLocateView@8 ; AlpcpLocateView(x,x)
		mov	esi, eax
		mov	[esp+40h+var_30], esi
		test	esi, esi
		jnz	loc_8DA13B

loc_7758B8:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+1648E8j
		test	byte ptr [ebx+18h], 1
		mov	edi, [esp+40h+var_20]
		jz	loc_775980
		cmp	esi, [ebx+2Ch]
		jz	short loc_775932
		test	esi, esi
		jnz	loc_8DA15D

loc_7758D3:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+164904j
		mov	eax, [edi+24h]
		test	al, 8
		jnz	short loc_7758F6
		push	dword ptr [edi+18h]
		mov	edx, [edi+14h]
		mov	ecx, [edi+10h]
		call	MmSecureVirtualMemoryAgainstWrites
		test	eax, eax
		jz	loc_7759A6
		mov	[edi+20h], eax
		mov	eax, [edi+24h]

loc_7758F6:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+7Cj
		and	eax, 0FFFFFFFEh
		mov	ecx, edi
		mov	[edi+24h], eax
		call	AlpcpReferenceBlob
		and	dword ptr [ebx+2Ch], 0
		mov	[ebx+28h], edi
		test	esi, esi
		jnz	loc_8DA221
		mov	edx, [esp+40h+var_2C]
		lea	eax, [esp+40h+var_30]
		push	eax
		mov	ecx, ebx
		call	_AlpcpCreateView@12 ; AlpcpCreateView(x,x,x)
		mov	[esp+40h+var_28], eax
		test	eax, eax
		js	loc_8DA229

loc_77592E:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+13Ej
		mov	esi, [esp+40h+var_30]

loc_775932:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+6Dj
					; AlpcpExposeViewAttributeInSenderContext+126j	...
		mov	eax, [esp+40h+var_24]
		or	dword ptr [eax+14h], 4000h
		mov	[eax+4Ch], esi
		inc	dword ptr [esi+28h]

loc_775943:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+148j
		dec	dword ptr [edi+28h]
		test	byte ptr [edi+24h], 2
		jnz	short loc_775973

loc_77594C:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+122j
		mov	ecx, ebx
		call	AlpcpUnlockBlob
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	ecx, [esp+40h+var_4]
		mov	eax, [esp+40h+var_28]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_775973:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+EEj
		mov	ecx, edi
		call	_AlpcpDeleteView@4 ; AlpcpDeleteView(x)
		and	dword ptr [edi+24h], 0FFFFFFFDh
		jmp	short loc_77594C
; 

loc_775980:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+64j
		test	esi, esi
		jnz	short loc_775932

loc_775984:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+156j
		mov	edx, [esp+40h+var_2C]
		lea	eax, [esp+40h+var_30]
		push	eax
		mov	ecx, ebx
		call	_AlpcpCreateView@12 ; AlpcpCreateView(x,x,x)
		mov	[esp+40h+var_28], eax
		test	eax, eax
		jns	short loc_77592E

loc_77599C:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+1649DEj
		mov	eax, [esp+40h+var_24]
		and	dword ptr [eax+4Ch], 0
		jmp	short loc_775943
; 

loc_7759A6:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+8Ej
		and	dword ptr [ebx+28h], 0
		and	dword ptr [ebx+2Ch], 0
		and	dword ptr [ebx+18h], 0FFFFFFFEh
		jmp	short loc_775984
AlpcpExposeViewAttributeInSenderContext	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAlpcCreateSecurityContext proc near	; DATA XREF: .text:0058122Co

var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008DA23F SIZE 00000019 BYTES
; FUNCTION CHUNK AT 008DA27A SIZE 00000023 BYTES
; FUNCTION CHUNK AT 008DA2C2 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0F68
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		xor	eax, eax
		lea	edi, [ebp+var_44]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_38]
		stosd
		stosd
		stosd
		mov	[ebp+var_1C], 0
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		cmp	[ebp+arg_4], 0
		jnz	loc_8DA23F
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4+3],	al
		mov	byte ptr [ebp+var_28], al
		test	al, al
		jz	loc_775B4E
		mov	[ebp+var_4], 0
		mov	ebx, [ebp+arg_8]
		test	bl, 3
		jnz	loc_775B88
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8DA249

loc_775A5E:				; CODE XREF: NtAlpcCreateSecurityContext+16488Cj
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+8]
		mov	[ebx+8], al
		mov	eax, [ebx]
		mov	[ebp+var_44], eax
		mov	edi, [ebx+4]
		mov	eax, [ebx+8]
		mov	[ebp+var_3C], eax
		test	edi, edi
		jz	short loc_775A9B
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8DA251

loc_775A89:				; CODE XREF: NtAlpcCreateSecurityContext+164893j
		mov	eax, [ecx]
		mov	[ebp+var_38], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_34], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_30], eax
		nop

loc_775A9B:				; CODE XREF: NtAlpcCreateSecurityContext+B8j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_775AA2:				; CODE XREF: NtAlpcCreateSecurityContext+1A1j
					; NtAlpcCreateSecurityContext+1B8j
		mov	eax, ds:_AlpcPortObjectType
		mov	[ebp+var_20], 0
		push	0
		lea	ecx, [ebp+var_20]
		push	ecx
		push	[ebp+var_28]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_775B2C
		test	edi, edi
		jz	loc_8DA27A

loc_775AD0:				; CODE XREF: NtAlpcCreateSecurityContext+1648D8j
		mov	edx, large fs:124h
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		push	1
		mov	ecx, [ebp+var_20]
		call	AlpcpCreateSecurityContext
		mov	esi, eax
		test	esi, esi
		js	short loc_775B24
		cmp	byte ptr [ebp+arg_4+3],	0
		jz	loc_775B7D
		mov	[ebp+var_4], 1
		mov	edi, [ebp+var_1C]
		mov	eax, [edi+4]
		mov	[ebx+8], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_775B10:				; CODE XREF: sub_8DA2AD+10j
		test	esi, esi
		js	loc_8DA2C2

loc_775B18:				; CODE XREF: NtAlpcCreateSecurityContext+1C6j
					; NtAlpcCreateSecurityContext+16490Bj ...
		mov	edx, 1
		mov	ecx, edi
		call	AlpcpDereferenceBlobEx

loc_775B24:				; CODE XREF: NtAlpcCreateSecurityContext+12Dj
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject

loc_775B2C:				; CODE XREF: NtAlpcCreateSecurityContext+106j
					; NtAlpcCreateSecurityContext+164884j ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_775B4E:				; CODE XREF: NtAlpcCreateSecurityContext+78j
		mov	ebx, [ebp+arg_8]
		mov	eax, [ebx]
		mov	[ebp+var_44], eax
		mov	edi, [ebx+4]
		mov	eax, [ebx+8]
		mov	[ebp+var_3C], eax
		test	edi, edi
		jz	loc_775AA2
		mov	eax, [edi]
		mov	[ebp+var_38], eax
		mov	eax, [edi+4]
		mov	[ebp+var_34], eax
		mov	eax, [edi+8]
		mov	[ebp+var_30], eax
		jmp	loc_775AA2
; 

loc_775B7D:				; CODE XREF: NtAlpcCreateSecurityContext+133j
		mov	edi, [ebp+var_1C]
		mov	eax, [edi+4]
		mov	[ebx+8], eax
		jmp	short loc_775B18
; 

loc_775B88:				; CODE XREF: NtAlpcCreateSecurityContext+8Bj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
NtAlpcCreateSecurityContext endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAlpcDeleteSecurityContext proc near	; DATA XREF: .text:0058121Co

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008DA2E2 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		cmp	[ebp+arg_4], 0
		jnz	loc_8DA2E2
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	0
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4], al
		push	[ebp+arg_4]
		mov	eax, ds:_AlpcPortObjectType
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_775C2A
		mov	edx, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+var_4]
		push	edi
		push	offset _AlpcSecurityType
		mov	ecx, [ebx+8]
		add	ecx, 14h
		call	AlpcReferenceBlobByHandle
		mov	edi, eax
		test	edi, edi
		jz	short loc_775C3D
		cmp	ebx, [edi+0Ch]
		jnz	short loc_775C44
		mov	ecx, edi
		call	AlpcpDeleteBlob
		test	al, al
		jz	short loc_775C4B
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	AlpcpDereferenceBlobEx

loc_775C17:				; CODE XREF: NtAlpcDeleteSecurityContext+BBj
					; NtAlpcDeleteSecurityContext+C2j
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	AlpcpDereferenceBlobEx

loc_775C21:				; CODE XREF: NtAlpcDeleteSecurityContext+B4j
		mov	ecx, ebx
		call	ObfDereferenceObject
		pop	edi
		pop	ebx

loc_775C2A:				; CODE XREF: NtAlpcDeleteSecurityContext+4Fj
					; NtAlpcDeleteSecurityContext+164759j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		pop	esi
		leave
		retn	0Ch
; 

loc_775C3D:				; CODE XREF: NtAlpcDeleteSecurityContext+6Dj
		mov	esi, 0C0000008h
		jmp	short loc_775C21
; 

loc_775C44:				; CODE XREF: NtAlpcDeleteSecurityContext+72j
		mov	esi, 0C0000022h
		jmp	short loc_775C17
; 

loc_775C4B:				; CODE XREF: NtAlpcDeleteSecurityContext+7Dj
		mov	esi, 0C0000056h
		jmp	short loc_775C17
NtAlpcDeleteSecurityContext endp

; 
		align 10h

;  S U B	R O U T	I N E 


AlpcpDereferenceBlobEx proc near	; CODE XREF: AlpcpCreateSectionView(x,x,x,x,x)+8Dp
					; AlpcRegionDestroyProcedure(x)+32p ...

; FUNCTION CHUNK AT 008DA2EC SIZE 0000001B BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		neg	edx
		mov	eax, edx
		lea	esi, [edi-0Ch]
		lock xadd [esi], eax
		add	eax, edx
		test	eax, eax
		jle	short loc_775C7A

loc_775C77:				; CODE XREF: AlpcpDereferenceBlobEx+56j
					; AlpcpDereferenceBlobEx+6Bj ...
		pop	edi
		pop	esi
		retn
; 

loc_775C7A:				; CODE XREF: AlpcpDereferenceBlobEx+15j
		jnz	loc_8DA2EC
		movzx	eax, byte ptr [edi-0Fh]
		push	ebx
		lea	ebx, [edi-18h]
		push	edi
		mov	esi, ds:_AlpcpRegisteredTypes[eax*4]
		mov	eax, [esi+14h]
		call	eax
		mov	eax, [esi+1Ch]
		push	edi
		call	eax
		test	eax, eax
		js	short loc_775CB5
		test	byte ptr [ebx+8], 2
		jnz	short loc_775CCD
		cmp	dword ptr [esi+20h], 0
		ja	short loc_775CB8
		mov	eax, [esi+4]
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_775CB5:				; CODE XREF: AlpcpDereferenceBlobEx+3Dj
		pop	ebx
		jmp	short loc_775C77
; 

loc_775CB8:				; CODE XREF: AlpcpDereferenceBlobEx+49j
		mov	eax, [esi+8]
		push	ebx
		lea	eax, [eax+eax*2]
		shl	eax, 6
		mov	eax, dword_6FB02C[eax]
		call	eax
		pop	ebx
		jmp	short loc_775C77
; 

loc_775CCD:				; CODE XREF: AlpcpDereferenceBlobEx+43j
		mov	eax, [esi+8]
		push	ebx
		lea	eax, [eax+eax*2]
		shl	eax, 6
		add	eax, offset _AlpcpLookasides
		push	eax
		call	_ExFreeToPagedLookasideList@8 ;	ExFreeToPagedLookasideList(x,x)
		pop	ebx
		jmp	short loc_775C77
AlpcpDereferenceBlobEx endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcSecurityDestroyProcedure(x)
_AlpcSecurityDestroyProcedure@4	proc near ; DATA XREF: .text:0040115Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_775CFE
		mov	edx, [esi+4]
		push	esi
		call	@AlpcDeleteBlobByHandle@12 ; AlpcDeleteBlobByHandle(x,x,x)

loc_775CFE:				; CODE XREF: AlpcSecurityDestroyProcedure(x)+Dj
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_775D14
		mov	edx, esi
		call	_AlpcpRemoveResourcePort@8 ; AlpcpRemoveResourcePort(x,x)
		mov	ecx, [esi+0Ch]
		call	ObfDereferenceObject

loc_775D14:				; CODE XREF: AlpcSecurityDestroyProcedure(x)+1Dj
		cmp	dword ptr [esi+8], 0
		jz	short loc_775D47
		mov	ecx, [esi+1Ch]
		cmp	dword ptr [ecx+0A8h], 1
		jz	short loc_775D2A
		test	ecx, ecx
		jz	short loc_775D2F

loc_775D2A:				; CODE XREF: AlpcSecurityDestroyProcedure(x)+3Ej
		call	ObfDereferenceObject

loc_775D2F:				; CODE XREF: AlpcSecurityDestroyProcedure(x)+42j
		mov	ecx, [esi+8]
		push	68h
		pop	edx
		call	_AlpcpReleasePagedPoolQuota@8 ;	AlpcpReleasePagedPoolQuota(x,x)
		mov	ecx, [esi+8]
		mov	edx, 63706C41h
		call	ObfDereferenceObjectWithTag

loc_775D47:				; CODE XREF: AlpcSecurityDestroyProcedure(x)+32j
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
_AlpcSecurityDestroyProcedure@4	endp ; sp =  8


;  S U B	R O U T	I N E 


; __stdcall AlpcpReleasePagedPoolQuota(x, x)
_AlpcpReleasePagedPoolQuota@8 proc near	; CODE XREF: AlpcSecurityDestroyProcedure(x)+4Fp
					; AlpcpCreateReserve(x,x,x)+95p ...
		test	ecx, ecx
		jz	short locret_775D69
		push	esi
		lea	esi, [ecx+370h]
		mov	eax, [esi]
		add	eax, edx
		cmp	eax, 1000h
		jnb	short loc_775D6A
		lock xadd [esi], edx
		pop	esi

locret_775D69:				; CODE XREF: AlpcpReleasePagedPoolQuota(x,x)+2j
		retn
; 

loc_775D6A:				; CODE XREF: AlpcpReleasePagedPoolQuota(x,x)+14j
		push	edx
		push	ecx
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)
		pop	esi
		retn
_AlpcpReleasePagedPoolQuota@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcViewDestroyProcedure proc near	; DATA XREF: .text:00403C94o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+30h+var_1C]
		xor	ebx, ebx
		rep stosd
		mov	eax, large fs:124h
		mov	edi, [esi+8]
		mov	eax, [eax+80h]
		mov	[esp+30h+var_20], eax
		test	edi, edi
		jz	loc_775EAF
		mov	ecx, edi
		call	AlpcpLockForCachedReferenceBlob
		mov	ecx, [esi+4]
		mov	eax, [esi]
		mov	[ecx], eax
		mov	ecx, [esi]
		mov	eax, [esi+4]
		mov	[ecx+4], eax
		mov	ecx, [edi+1Ch]
		dec	ecx
		mov	[edi+1Ch], ecx
		test	byte ptr [esi+24h], 4
		jnz	short loc_775DF7
		mov	eax, [edi+18h]
		test	al, 1
		jz	short loc_775DF7
		and	[edi+2Ch], ebx
		mov	ebx, [edi+28h]
		test	ebx, ebx
		jz	loc_775EC5
		mov	ecx, ebx
		call	_AlpcpRestoreWriteAccess@4 ; AlpcpRestoreWriteAccess(x)

loc_775DF7:				; CODE XREF: AlpcViewDestroyProcedure+65j
					; AlpcViewDestroyProcedure+6Cj	...
		mov	ecx, edi
		call	AlpcpUnlockBlob
		mov	ecx, [esi+0Ch]
		mov	edx, esi
		call	_AlpcpRemoveResourcePort@8 ; AlpcpRemoveResourcePort(x,x)
		mov	ecx, [esi+0Ch]
		call	ObfDereferenceObject
		test	byte ptr [esi+24h], 8
		jnz	loc_8DA2FA
		mov	ecx, [esi+10h]
		mov	edi, [esp+28h+var_18]
		cmp	edi, ecx
		jnz	loc_775ED8

loc_775E29:				; CODE XREF: AlpcViewDestroyProcedure+170j
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_775E36
		push	eax
		call	_MmUnsecureVirtualMemory@4 ; MmUnsecureVirtualMemory(x)

loc_775E36:				; CODE XREF: AlpcViewDestroyProcedure+BAj
		mov	edx, [esi+14h]
		mov	ecx, [esi+10h]
		push	0
		push	0
		call	MiUnmapViewOfSection
		cmp	edi, [esi+10h]
		jnz	loc_775EE9

loc_775E4E:				; CODE XREF: AlpcViewDestroyProcedure+180j
					; AlpcpDereferenceBlobEx+1646A2j
		test	ebx, ebx
		jz	short loc_775E5C
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	AlpcpDereferenceBlobEx

loc_775E5C:				; CODE XREF: AlpcViewDestroyProcedure+DCj
		mov	ecx, [esi+8]
		xor	edx, edx
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	ecx, [esi+10h]
		mov	ebx, 364h
		add	ecx, ebx
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi+30h]
		mov	eax, [esi+2Ch]
		mov	[ecx], eax
		mov	ecx, [esi+2Ch]
		mov	eax, [esi+30h]
		mov	[ecx+4], eax
		or	eax, 0FFFFFFFFh
		mov	edi, [esi+10h]
		add	edi, ebx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_775EF9

loc_775E9B:				; CODE XREF: AlpcViewDestroyProcedure+18Cj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [esi+10h]
		mov	edx, 63706C41h
		call	ObfDereferenceObjectWithTag

loc_775EAF:				; CODE XREF: AlpcViewDestroyProcedure+3Ej
		mov	ecx, [esp+2Ch]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_775EC5:				; CODE XREF: AlpcViewDestroyProcedure+76j
		test	ecx, ecx
		jnz	loc_775DF7
		and	eax, 0FFFFFFFEh
		mov	[edi+18h], eax
		jmp	loc_775DF7
; 

loc_775ED8:				; CODE XREF: AlpcViewDestroyProcedure+AFj
		lea	eax, [esp+28h+var_14]
		xor	edx, edx
		push	eax
		call	KiStackAttachProcess
		jmp	loc_775E29
; 

loc_775EE9:				; CODE XREF: AlpcViewDestroyProcedure+D4j
		xor	edx, edx
		lea	ecx, [esp+28h+var_14]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_775E4E
; 

loc_775EF9:				; CODE XREF: AlpcViewDestroyProcedure+125j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_775E9B
AlpcViewDestroyProcedure endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpRemoveResourcePort(x, x)
_AlpcpRemoveResourcePort@8 proc	near	; CODE XREF: AlpcSecurityDestroyProcedure(x)+21p
					; AlpcViewDestroyProcedure+8Fp	...
		mov	edi, edi
		push	esi
		push	edi
		lea	edi, [ecx+0C4h]
		lea	esi, [edx-18h]
		mov	ecx, edi
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_775F34
		cmp	[eax+4], esi
		jnz	short loc_775F53
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_775F53
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	[esi+4], esi
		mov	[esi], esi

loc_775F34:				; CODE XREF: AlpcpRemoveResourcePort(x,x)+1Aj
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_775F4A

loc_775F41:				; CODE XREF: AlpcpRemoveResourcePort(x,x)+4Fj
		mov	ecx, edi
		pop	edi
		pop	esi
		jmp	KeAbPostRelease
; 

loc_775F4A:				; CODE XREF: AlpcpRemoveResourcePort(x,x)+3Dj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_775F41
; 

loc_775F53:				; CODE XREF: AlpcpRemoveResourcePort(x,x)+1Fj
					; AlpcpRemoveResourcePort(x,x)+26j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall NtUnmapViewOfSection(x, x)
_NtUnmapViewOfSection@8:		; DATA XREF: .text:00580BD4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	dword ptr [ebp+0Ch]
		push	dword ptr [ebp+8]
		call	NtUnmapViewOfSectionEx
		pop	ebp
		retn	8
_AlpcpRemoveResourcePort@8 endp	; sp = -8

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtUnmapViewOfSectionEx proc near	; CODE XREF: AlpcpRemoveResourcePort(x,x)+63p
					; DATA XREF: .text:00580BD8o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008DA307 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+18h+var_8], 0
		test	ebx, 0FFFFFFFCh
		jnz	loc_8DA307
		test	bl, 2
		jnz	loc_8DA311

loc_775FA0:				; CODE XREF: NtUnmapViewOfSectionEx+1643A6j
		mov	eax, large fs:124h
		mov	esi, [ebp+arg_4]
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+18h+var_4], al
		cmp	al, 1
		jnz	short loc_775FBF
		cmp	esi, ds:_MmHighestUserAddress
		ja	short loc_776013

loc_775FBF:				; CODE XREF: NtUnmapViewOfSectionEx+45j
		mov	eax, ds:_PsProcessType
		lea	ecx, [esp+18h+var_8]
		push	0
		push	0
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	edx, 8
		push	77566D4Dh
		push	[esp+28h+var_4]
		push	eax
		call	ObpReferenceObjectByHandleWithTag
		test	eax, eax
		js	short loc_77600A
		mov	ecx, [esp+18h+var_8]
		and	ebx, 1
		push	edi
		push	ebx
		mov	edx, esi
		call	MiUnmapViewOfSection
		mov	ecx, [esp+18h+var_8]
		mov	edx, 77566D4Dh
		mov	esi, eax
		call	ObfDereferenceObjectWithTag
		mov	eax, esi

loc_77600A:				; CODE XREF: NtUnmapViewOfSectionEx+76j
					; NtUnmapViewOfSectionEx+A8j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_776013:				; CODE XREF: NtUnmapViewOfSectionEx+4Dj
		mov	eax, 0C0000019h
		jmp	short loc_77600A
NtUnmapViewOfSectionEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnmapViewOfSection proc near		; CODE XREF: MmUnmapViewOfSection(x,x)+Fp
					; AlpcViewDestroyProcedure+CCp	...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DA31B SIZE 0000009A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		xor	eax, eax
		mov	[esp+3Ch+var_38], 0
		and	[ebp+arg_4], 4000000h
		push	ebx
		mov	[esp+40h+var_1C], eax
		mov	ebx, ecx
		mov	[esp+40h+var_18], eax
		mov	[esp+40h+var_14], eax
		mov	[esp+40h+var_10], eax
		mov	[esp+40h+var_C], eax
		mov	[esp+40h+var_8], eax
		mov	[esp+40h+var_24], eax
		mov	[esp+40h+var_3C], eax
		mov	[esp+40h+var_30], eax
		mov	eax, large fs:124h
		push	esi
		mov	esi, edx
		mov	[esp+44h+var_2C], ebx
		push	edi
		mov	ecx, [eax+80h]
		mov	[esp+48h+var_28], esi
		jnz	loc_8DA31B

loc_77608C:				; CODE XREF: MiUnmapViewOfSection+164304j
		cmp	ecx, ebx
		jnz	loc_776255

loc_776094:				; CODE XREF: MiUnmapViewOfSection+24Bj
		lea	eax, [esp+48h+var_38]
		mov	edx, 1
		push	eax
		mov	ecx, esi
		call	MiObtainReferencedVadEx
		mov	esi, eax
		test	esi, esi
		jz	loc_8DA334
		mov	edx, [esi+1Ch]
		mov	ecx, edx
		shr	ecx, 4
		test	edx, 100000h
		jnz	loc_776294

loc_7760C3:				; CODE XREF: MiUnmapViewOfSection+27Aj
		mov	ebx, [esi+0Ch]
		and	cl, 7
		mov	edi, ebx
		shl	edi, 0Ch
		mov	[esp+48h+var_34], edi
		cmp	cl, 2
		jz	short loc_776155

loc_7760D7:				; CODE XREF: MiUnmapViewOfSection+141j
					; MiUnmapViewOfSection+14Bj
		mov	edi, [esi+10h]
		sub	edi, ebx
		mov	ebx, [esp+48h+var_2C]
		inc	edi
		shl	edi, 0Ch
		test	dl, 8
		jnz	loc_776170

loc_7760ED:				; CODE XREF: MiUnmapViewOfSection+157j
					; MiUnmapViewOfSection+18Dj
		cmp	[ebp+arg_4], 0
		jnz	loc_8DA357

loc_7760F7:				; CODE XREF: MiUnmapViewOfSection+16437Bj
		test	byte ptr ds:_PerfGlobalGroupMask, 4
		jz	short loc_77610B
		cmp	[esp+48h+var_3C], 0
		jnz	loc_7761B2

loc_77610B:				; CODE XREF: MiUnmapViewOfSection+DEj
					; MiUnmapViewOfSection+199j ...
		mov	edi, [esp+48h+var_3C]

loc_77610F:				; CODE XREF: MiUnmapViewOfSection+220j
		mov	eax, [esi+1Ch]
		mov	ecx, esi
		push	[ebp+arg_0]
		mov	edx, [esp+4Ch+var_30]
		and	al, 70h
		cmp	al, 10h
		jz	loc_7762A5
		call	MiUnmapVad

loc_77612A:				; CODE XREF: MiUnmapViewOfSection+28Aj
		xor	ebx, ebx

loc_77612C:				; CODE XREF: MiUnmapViewOfSection+164320j
					; MiUnmapViewOfSection+16432Bj	...
		cmp	[esp+48h+var_24], 1
		jz	loc_776270

loc_776137:				; CODE XREF: MiUnmapViewOfSection+25Bj
		test	edi, edi
		jnz	loc_776245

loc_77613F:				; CODE XREF: MiUnmapViewOfSection+230j
		mov	eax, ebx

loc_776141:				; CODE XREF: MiUnmapViewOfSection+16430Fj
		mov	ecx, [esp+48h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_776155:				; CODE XREF: MiUnmapViewOfSection+B5j
		mov	eax, edx
		and	eax, 0F80h
		cmp	eax, 380h
		jnz	loc_7760D7
		mov	[esp+48h+var_3C], edi
		jmp	loc_7760D7
; 

loc_776170:				; CODE XREF: MiUnmapViewOfSection+C7j
		test	byte ptr [ebx+0FCh], 20h
		jnz	loc_7760ED
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edx, [esp+48h+var_34]
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+48h+var_38], al
		push	[esp+48h+var_38]
		push	55h
		push	edi
		call	MiCheckSecuredVad
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8DA3A5
		mov	ebx, [esp+48h+var_2C]
		jmp	loc_7760ED
; 

loc_7761B2:				; CODE XREF: MiUnmapViewOfSection+E5j
		cmp	dword ptr [ebx+0E4h], 0
		jz	loc_77610B
		test	dword ptr [ebx+3A8h], 1000h
		jnz	loc_77610B
		mov	eax, [esi+2Ch]
		mov	eax, [eax]
		mov	[esp+48h+var_20], eax
		test	eax, eax
		jz	loc_77610B
		cmp	dword ptr [eax+20h], 0
		jz	loc_77610B
		mov	ecx, [eax]
		mov	[esp+48h+var_34], ecx
		mov	ecx, eax
		call	MiReferenceControlAreaFile
		mov	ecx, [esi+28h]
		mov	edx, eax
		mov	eax, [esp+48h+var_34]
		mov	[esp+48h+var_28], edx
		test	ecx, 8000000h
		jz	short loc_776280
		mov	[esp+48h+var_38], 0
		xor	ecx, ecx

loc_776216:				; CODE XREF: MiUnmapViewOfSection+272j
		mov	eax, [eax+24h]
		push	1
		push	ecx
		push	[esp+50h+var_38]
		mov	eax, [eax+2Ch]
		lea	ecx, [edx+30h]
		push	eax
		push	edi
		mov	edi, [esp+5Ch+var_3C]
		push	edi
		push	ebx
		call	PerfLogImageUnload
		mov	edx, [esp+48h+var_28]
		mov	ecx, [esp+48h+var_20]
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		jmp	loc_77610F
; 

loc_776245:				; CODE XREF: MiUnmapViewOfSection+119j
		mov	ecx, [esp+48h+var_2C]
		mov	edx, edi
		call	DbgkUnMapViewOfSection
		jmp	loc_77613F
; 

loc_776255:				; CODE XREF: MiUnmapViewOfSection+6Ej
		lea	eax, [esp+48h+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	KiStackAttachProcess
		mov	[esp+48h+var_24], 1
		jmp	loc_776094
; 

loc_776270:				; CODE XREF: MiUnmapViewOfSection+111j
		xor	edx, edx
		lea	ecx, [esp+48h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_776137
; 

loc_776280:				; CODE XREF: MiUnmapViewOfSection+1EAj
		movzx	ecx, byte ptr [eax+0Bh]
		mov	[esp+48h+var_38], ecx
		shr	[esp+48h+var_38], 4
		shr	ecx, 1
		and	ecx, 7
		jmp	short loc_776216
; 

loc_776294:				; CODE XREF: MiUnmapViewOfSection+9Dj
		mov	eax, ecx
		and	al, 7
		cmp	al, 1
		jz	loc_7760C3
		jmp	loc_8DA350
; 

loc_7762A5:				; CODE XREF: MiUnmapViewOfSection+FFj
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)
		jmp	loc_77612A
MiUnmapViewOfSection endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnmapVad	proc near		; CODE XREF: MiUnmapViewOfSection+105p
					; MmCleanProcessAddressSpace+F2p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DA3B5 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	eax, [esi+28h]
		test	eax, 2000000h
		jnz	short loc_7762EF

loc_7762C9:				; CODE XREF: MiUnmapVad+77j
					; MiUnmapVad+8Bj
		mov	edi, [ebp+arg_0]

loc_7762CC:				; CODE XREF: MiUnmapVad+96j
		test	ds:_PerfGlobalGroupMask, 8000h
		jnz	loc_8DA3B5

loc_7762DC:				; CODE XREF: MiUnmapVad+164109j
					; MiUnmapVad+16411Bj
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7762EF:				; CODE XREF: MiUnmapVad+17j
		mov	eax, [esi+2Ch]
		mov	edi, [eax]
		mov	ecx, edi
		call	MiReferenceControlAreaFile
		mov	edx, eax
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_4], ecx
		mov	ecx, edi
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	eax, [esi+10h]
		sub	eax, [esi+0Ch]
		inc	eax
		test	dword ptr [ecx+0FCh], 4000h
		jz	short loc_7762C9
		mov	edx, [ebp+var_4]
		mov	ecx, [ecx+1DCh]
		push	eax
		call	PfCheckDeprioritizeFile
		cmp	eax, 1
		jnz	short loc_7762C9
		mov	edi, [ebp+arg_0]
		or	edi, 80000000h
		jmp	short loc_7762CC
MiUnmapVad	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpCreateView(x, x, x)
_AlpcpCreateView@12 proc near		; CODE XREF: AlpcpCreateSectionView(x,x,x,x,x)+63p
					; AlpcpExposeViewAttributeInSenderContext+C1p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+30h+var_20], 0
		mov	ebx, edx
		mov	[esp+30h+var_8], 0
		mov	[esp+30h+var_10], ebx
		mov	[esp+30h+var_4], 0
		mov	esi, [edi+8]
		mov	ecx, esi
		mov	dword ptr [eax], 0
		mov	[esp+30h+var_C], esi
		call	AlpcpLockForCachedReferenceBlob
		test	byte ptr [ebx+0F4h], 20h
		jz	short loc_7763B7
		mov	ecx, [esp+30h+var_C]
		mov	esi, 0C0000037h
		call	AlpcpUnlockBlob
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7763B7:				; CODE XREF: AlpcpCreateView(x,x,x)+4Cj
		mov	eax, [ebx+0Ch]
		mov	[esp+30h+var_18], eax
		mov	eax, [ebx+0B8h]
		test	eax, eax
		jz	short loc_7763E6
		cmp	eax, [edi+14h]
		jnb	short loc_7763E6
		mov	ecx, [esp+30h+var_C]
		mov	esi, 0C0000044h
		call	AlpcpUnlockBlob
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7763E6:				; CODE XREF: AlpcpCreateView(x,x,x)+76j
					; AlpcpCreateView(x,x,x)+7Bj
		test	byte ptr [edi+18h], 1
		jz	short loc_776411
		cmp	dword ptr [edi+1Ch], 2
		jb	short loc_77640B

loc_7763F2:				; CODE XREF: AlpcpCreateView(x,x,x)+BFj
		mov	ecx, [esp+30h+var_C]
		mov	esi, 0C0000022h
		call	AlpcpUnlockBlob
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_77640B:				; CODE XREF: AlpcpCreateView(x,x,x)+A0j
		cmp	dword ptr [edi+2Ch], 0
		jnz	short loc_7763F2

loc_776411:				; CODE XREF: AlpcpCreateView(x,x,x)+9Aj
		push	0
		mov	edx, 34h
		mov	ecx, offset _AlpcViewType
		call	@AlpcpAllocateBlob@12 ;	AlpcpAllocateBlob(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_776441
		mov	ecx, [esp+30h+var_C]
		mov	esi, 0C000009Ah
		call	AlpcpUnlockBlob
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_776441:				; CODE XREF: AlpcpCreateView(x,x,x)+D6j
		push	34h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [edi+0Ch]
		add	esp, 0Ch
		mov	[esp+30h+var_8], eax
		mov	eax, [edi+14h]
		mov	[esp+30h+var_1C], eax
		mov	eax, [esp+30h+var_10]
		mov	[esp+30h+var_4], 0
		test	dword ptr [eax+98h], 100000h
		jz	short loc_77649D
		mov	ecx, [esi]
		lea	eax, [esp+30h+var_8]
		push	0
		push	0
		push	eax
		lea	eax, [esp+3Ch+var_1C]
		mov	edx, offset unk_6CF5A4
		push	eax
		lea	eax, [esp+40h+var_20]
		push	eax
		call	MiMapViewInSystemSpace
		mov	[esp+30h+var_14], 8
		jmp	short loc_7764F9
; 

loc_77649D:				; CODE XREF: AlpcpCreateView(x,x,x)+122j
		test	byte ptr [esi+18h], 2
		jz	short loc_7764C9
		mov	edx, [esp+30h+var_18]
		lea	eax, [ebx+1Ch]
		mov	ecx, [esi]
		push	eax
		sub	esp, 10h
		lea	eax, [esp+44h+var_1C]
		push	eax
		lea	eax, [esp+48h+var_8]
		push	eax
		sub	esp, 8
		lea	eax, [esp+54h+var_20]
		push	eax
		call	MmMapSecureViewOfSection
		jmp	short loc_7764F1
; 

loc_7764C9:				; CODE XREF: AlpcpCreateView(x,x,x)+151j
		push	4
		push	0
		push	2
		lea	eax, [esp+3Ch+var_1C]
		push	eax
		lea	eax, [esp+40h+var_8]
		push	eax
		push	0
		push	0
		lea	eax, [esp+4Ch+var_20]
		push	eax
		mov	eax, [edi+8]
		push	[esp+50h+var_18]
		mov	eax, [eax]
		push	eax
		call	MmMapViewOfSection

loc_7764F1:				; CODE XREF: AlpcpCreateView(x,x,x)+177j
		mov	[esp+30h+var_14], 0

loc_7764F9:				; CODE XREF: AlpcpCreateView(x,x,x)+14Bj
		mov	esi, eax
		mov	ecx, ebx
		test	esi, esi
		jns	short loc_77651F
		mov	edx, 1
		call	AlpcpDereferenceBlobEx
		mov	ecx, [esp+30h+var_C]
		call	AlpcpUnlockBlob
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_77651F:				; CODE XREF: AlpcpCreateView(x,x,x)+1AFj
		call	AlpcpReferenceBlob
		mov	eax, [esp+30h+var_20]
		mov	edx, 63706C41h
		mov	esi, [esp+30h+var_18]
		mov	ecx, esi
		mov	[ebx+14h], eax
		mov	eax, [esp+30h+var_1C]
		mov	[ebx+18h], eax
		mov	eax, [ebx+24h]
		and	eax, 0FFFFFFF7h
		or	eax, [esp+30h+var_14]
		or	eax, 1
		mov	[ebx+24h], eax
		call	ObfReferenceObjectWithTag
		mov	[ebx+10h], esi
		mov	esi, [esp+30h+var_10]
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, edi
		mov	[ebx+0Ch], esi
		call	AlpcpReferenceBlob
		mov	[ebx+8], edi
		lea	ecx, [edi+20h]
		mov	eax, [ecx+4]
		mov	edx, ebx
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	eax, [ecx+4]
		mov	[eax], ebx
		inc	dword ptr [edi+1Ch]
		mov	[ecx+4], ebx
		mov	ecx, esi
		call	_AlpcpInsertResourcePort@8 ; AlpcpInsertResourcePort(x,x)
		mov	esi, [esp+30h+var_18]
		xor	edx, edx
		lea	eax, [esi+364h]
		mov	ecx, eax
		mov	[esp+30h+var_10], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+36Ch]
		lea	ecx, [esi+368h]
		mov	esi, [esp+30h+var_10]
		lea	edx, [ebx+2Ch]
		mov	[edx+4], eax
		mov	[edx], ecx
		mov	eax, [ecx+4]
		mov	[eax], edx
		or	eax, 0FFFFFFFFh
		mov	[ecx+4], edx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7765D7
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_7765D7:				; CODE XREF: AlpcpCreateView(x,x,x)+27Ej
		mov	ecx, esi
		call	KeAbPostRelease
		test	byte ptr [edi+18h], 1
		jz	short loc_7765E7
		mov	[edi+2Ch], ebx

loc_7765E7:				; CODE XREF: AlpcpCreateView(x,x,x)+292j
		mov	eax, [ebp+arg_0]
		xor	esi, esi
		mov	[eax], ebx
		mov	ecx, [esp+30h+var_C]
		call	AlpcpUnlockBlob
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_AlpcpCreateView@12 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpInsertResourcePort(x, x)
_AlpcpInsertResourcePort@8 proc	near	; CODE XREF: AlpcpCreateView(x,x,x)+237p
					; AlpcpCreateSecurityContext+E7p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		xor	edx, edx
		lea	ebx, [edi+0C4h]
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+0CCh]
		add	edi, 0C8h
		add	esi, 0FFFFFFE8h
		cmp	[eax], edi
		jnz	short loc_776657
		mov	[esi+4], eax
		mov	[esi], edi
		mov	[eax], esi
		or	eax, 0FFFFFFFFh
		mov	[edi+4], esi
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_77664E

loc_776644:				; CODE XREF: AlpcpInsertResourcePort(x,x)+53j
		pop	edi
		pop	esi
		mov	ecx, ebx
		pop	ebx
		jmp	KeAbPostRelease
; 

loc_77664E:				; CODE XREF: AlpcpInsertResourcePort(x,x)+40j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_776644
; 

loc_776657:				; CODE XREF: AlpcpInsertResourcePort(x,x)+29j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_AlpcpInsertResourcePort@8 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCreateSecurityContext proc	near	; CODE XREF: NtAlpcCreateSecurityContext+124p
					; AlpcpCaptureSecurityAttributeInternal+A0p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008DA3D0 SIZE 00000094 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		mov	ebx, ecx
		push	edi
		push	eax
		mov	[ebp+var_8], eax
		call	_IoThreadToProcess@4 ; IoThreadToProcess(x)
		push	0
		push	50h
		pop	edx
		mov	ecx, offset _AlpcSecurityType
		mov	edi, eax
		call	@AlpcpAllocateBlob@12 ;	AlpcpAllocateBlob(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8DA3F2
		push	50h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		or	dword ptr [esi+4], 0FFFFFFFFh
		add	esp, 0Ch
		mov	ecx, edi
		push	68h
		pop	edx
		call	_AlpcpChargePagedPoolQuota@8 ; AlpcpChargePagedPoolQuota(x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		js	loc_8DA3FC
		lea	eax, [esi+10h]
		push	eax
		push	0
		push	[ebp+arg_4]
		push	[ebp+var_8]
		call	_SeCreateClientSecurity@16 ; SeCreateClientSecurity(x,x,x,x)
		mov	[ebp+arg_4], eax
		mov	ecx, edi
		test	eax, eax
		js	loc_8DA40E
		mov	edx, 63706C41h
		call	ObfReferenceObjectWithTag
		cmp	byte ptr [ebp+arg_0], 0
		mov	[esi+8], edi
		jz	short loc_776764
		lea	edi, [ebx+0D0h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		test	byte ptr [ebx+0F4h], 20h
		jnz	loc_8DA41B
		lea	ecx, [esi-4]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi-10h], 4
		mov	ecx, esi
		call	AlpcpReferenceBlob
		mov	ecx, [ebx+8]
		lea	edx, [ebp+arg_0]
		add	ecx, 14h
		mov	[ebp+arg_0], esi
		mov	[esi], ecx
		call	@AlpcAddHandleTableEntry@8 ; AlpcAddHandleTableEntry(x,x)
		mov	[esi+4], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_8DA44D
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, esi
		mov	[esi+0Ch], ebx
		mov	ecx, ebx
		call	_AlpcpInsertResourcePort@8 ; AlpcpInsertResourcePort(x,x)
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_776772

loc_776756:				; CODE XREF: AlpcpCreateSecurityContext+11Dj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, esi
		call	@AlpcpEndInitialization@4 ; AlpcpEndInitialization(x)

loc_776764:				; CODE XREF: AlpcpCreateSecurityContext+87j
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		xor	eax, eax

loc_77676B:				; CODE XREF: AlpcpCreateSecurityContext+163D9Bj
					; AlpcpCreateSecurityContext+163DADj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_776772:				; CODE XREF: AlpcpCreateSecurityContext+F8j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_776756
AlpcpCreateSecurityContext endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCaptureSecurityAttribute proc near	; CODE XREF: AlpcpCompleteDispatchMessage+CCAp

var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DA464 SIZE 00000007 BYTES

		push	2Ch
		push	offset dword_6A0F90
		call	__SEH_prolog4
		mov	ebx, edx
		mov	edi, ecx
		mov	[ebp+var_28], edi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_776818
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebx]
		mov	[ebp+var_24], eax
		mov	eax, [ebx+8]
		mov	[ebp+var_1C], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_20], eax
		mov	esi, eax
		test	esi, esi
		jz	short loc_77680A
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8DA464

loc_7767C7:				; CODE XREF: AlpcpCaptureSecurityAttribute+163CEAj
		lea	edi, [ebp+var_3C]
		movsd
		movsd
		movsd
		nop

loc_7767CE:				; CODE XREF: AlpcpCaptureSecurityAttribute+9Aj
		push	[ebp+arg_0]
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_28]
		call	AlpcpCaptureSecurityAttributeInternal
		mov	[ebp+var_30], eax
		test	eax, eax
		js	short loc_7767F1
		mov	ecx, [ebp+var_1C]
		mov	[ebx+8], ecx

loc_7767F1:				; CODE XREF: AlpcpCaptureSecurityAttribute+6Dj
					; sub_8DA479+9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7767F8:				; CODE XREF: AlpcpCaptureSecurityAttribute+B4j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_77680A:				; CODE XREF: AlpcpCaptureSecurityAttribute+3Cj
		lea	esi, [edi+9Ch]
		lea	edi, [ebp+var_3C]
		movsd
		movsd
		movsd
		jmp	short loc_7767CE
; 

loc_776818:				; CODE XREF: AlpcpCaptureSecurityAttribute+21j
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jz	short loc_776832

loc_77681F:				; CODE XREF: AlpcpCaptureSecurityAttribute+BCj
		push	[ebp+arg_0]
		lea	eax, [ebx+8]
		push	eax
		push	ecx
		mov	edx, [ebx]
		mov	ecx, edi
		call	AlpcpCaptureSecurityAttributeInternal
		jmp	short loc_7767F8
; 

loc_776832:				; CODE XREF: AlpcpCaptureSecurityAttribute+A1j
		lea	ecx, [edi+9Ch]
		jmp	short loc_77681F
AlpcpCaptureSecurityAttribute endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCaptureSecurityAttributeInternal proc near
					; CODE XREF: AlpcpCaptureSecurityAttribute+63p
					; AlpcpCaptureSecurityAttribute+AFp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008DA487 SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		test	edi, 0FFFCFFFFh
		jnz	loc_8DA4C1
		mov	edx, 30000h
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jz	loc_8DA4C1
		mov	esi, [ebp+arg_4]
		mov	edx, [esi]
		cmp	edx, 0FFFFFFFEh
		jz	short loc_7768B6
		mov	ecx, [ecx+8]
		test	ecx, ecx
		jz	short loc_7768F6
		push	offset _AlpcSecurityType
		add	ecx, 14h
		call	AlpcReferenceBlobByHandle
		mov	esi, eax
		test	esi, esi
		jz	short loc_7768F6
		mov	eax, [ebp+var_8]
		cmp	eax, [esi+0Ch]
		jnz	loc_8DA487
		test	edi, 10000h
		jnz	loc_8DA49B

loc_7768A7:				; CODE XREF: AlpcpCaptureSecurityAttributeInternal+163C82j
		mov	eax, [ebp+arg_8]
		mov	[eax+10h], esi
		xor	eax, eax

loc_7768AF:				; CODE XREF: AlpcpCaptureSecurityAttributeInternal+BAj
					; AlpcpCaptureSecurityAttributeInternal+C1j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7768B6:				; CODE XREF: AlpcpCaptureSecurityAttributeInternal+39j
		test	edi, 20000h
		jnz	short loc_7768FD
		test	edi, 10000h
		jnz	short loc_7768F6

loc_7768C6:				; CODE XREF: AlpcpCaptureSecurityAttributeInternal+C5j
		mov	edx, large fs:124h
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_0]
		mov	byte ptr [ebp+arg_4], bl
		push	[ebp+arg_4]
		call	AlpcpCreateSecurityContext
		mov	edx, eax
		test	edx, edx
		js	short loc_7768F2
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+var_4]
		mov	[ecx+10h], eax
		test	bl, bl
		jnz	short loc_776901

loc_7768F2:				; CODE XREF: AlpcpCaptureSecurityAttributeInternal+A9j
					; AlpcpCaptureSecurityAttributeInternal+CCj
		mov	eax, edx
		jmp	short loc_7768AF
; 

loc_7768F6:				; CODE XREF: AlpcpCaptureSecurityAttributeInternal+40j
					; AlpcpCaptureSecurityAttributeInternal+53j ...
		mov	eax, 0C0000008h
		jmp	short loc_7768AF
; 

loc_7768FD:				; CODE XREF: AlpcpCaptureSecurityAttributeInternal+82j
		mov	bl, 1
		jmp	short loc_7768C6
; 

loc_776901:				; CODE XREF: AlpcpCaptureSecurityAttributeInternal+B6j
		mov	eax, [eax+4]
		mov	[esi], eax
		jmp	short loc_7768F2
AlpcpCaptureSecurityAttributeInternal endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcReferenceBlobByHandle proc near	; CODE XREF: AlpcpCaptureViewAttributeInternal+94p
					; NtAlpcDeleteSecurityContext+64p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DA4CB SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_776994
		lea	ebx, [esi+4]
		xor	edx, edx
		mov	ecx, ebx
		sub	edi, 10h
		call	ExAcquirePushLockSharedEx
		cmp	edi, [esi+8]
		jnb	short loc_77697D
		mov	esi, [esi]
		mov	esi, [esi+edi*4]
		test	esi, esi
		jz	short loc_77697D
		mov	eax, [ebp+arg_0]
		movzx	ecx, byte ptr [esi-0Fh]
		cmp	ecx, [eax]
		jnz	short loc_77697D
		mov	ecx, esi
		call	AlpcpReferenceBlob
		test	eax, eax
		jz	short loc_77697D
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jnz	short loc_776998

loc_776963:				; CODE XREF: AlpcReferenceBlobByHandle+8Fj
		mov	ecx, ebx
		call	KeAbPostRelease
		test	byte ptr [esi-10h], 4
		jnz	loc_8DA4CB

loc_776974:				; CODE XREF: AlpcReferenceBlobByHandle+163BD2j
					; AlpcReferenceBlobByHandle+163BDDj
		mov	eax, esi

loc_776976:				; CODE XREF: AlpcReferenceBlobByHandle+86j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_77697D:				; CODE XREF: AlpcReferenceBlobByHandle+22j
					; AlpcReferenceBlobByHandle+2Bj ...
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	short loc_7769A1

loc_77698D:				; CODE XREF: AlpcReferenceBlobByHandle+98j
		mov	ecx, ebx
		call	KeAbPostRelease

loc_776994:				; CODE XREF: AlpcReferenceBlobByHandle+Ej
		xor	eax, eax
		jmp	short loc_776976
; 

loc_776998:				; CODE XREF: AlpcReferenceBlobByHandle+51j
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_776963
; 

loc_7769A1:				; CODE XREF: AlpcReferenceBlobByHandle+7Bj
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_77698D
AlpcReferenceBlobByHandle endp


;  S U B	R O U T	I N E 


AlpcpReferenceBlob proc	near		; CODE XREF: AlpcpCreateRegion(x,x,x,x)+11Cp
					; AlpcpFlushResourcesPort(x)+52p ...

; FUNCTION CHUNK AT 008DA4F2 SIZE 00000038 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi-0Ch]
		mov	eax, [edi]

loc_7769B5:				; CODE XREF: AlpcpReferenceBlob+1Ej
		test	eax, eax
		jle	loc_8DA4F2
		mov	edx, eax
		lea	ecx, [eax+1]
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_7769B5
		inc	eax

loc_7769CB:				; CODE XREF: AlpcpReferenceBlob+163B4Aj
		pop	edi
		pop	esi
		retn
AlpcpReferenceBlob endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpChargePagedPoolQuota(x, x)
_AlpcpChargePagedPoolQuota@8 proc near	; CODE XREF: AlpcpCreateSecurityContext+48p
					; AlpcpCreateReserve(x,x,x)+6Fp ...
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		lea	ecx, [ebx+370h]

loc_7769DD:				; CODE XREF: AlpcpChargePagedPoolQuota(x,x)+21j
		mov	esi, [ecx]
		cmp	esi, edi
		jb	short loc_7769F7
		mov	edx, esi
		mov	eax, esi
		sub	edx, edi
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_7769DD
		xor	eax, eax

loc_7769F3:				; CODE XREF: AlpcpChargePagedPoolQuota(x,x)+30j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7769F7:				; CODE XREF: AlpcpChargePagedPoolQuota(x,x)+13j
		push	edi
		push	ebx
		call	_PsChargeProcessPagedPoolQuota@8 ; PsChargeProcessPagedPoolQuota(x,x)
		jmp	short loc_7769F3
_AlpcpChargePagedPoolQuota@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcpAllocateBlob(x, x, x)
@AlpcpAllocateBlob@12 proc near		; CODE XREF: AlpcpCreateRegion(x,x,x,x)+E4p
					; AlpcpAllocateMessage(x,x,x)+2Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		add	edx, 18h
		cmp	[ebp+arg_0], 0
		push	esi
		mov	esi, ecx
		jnz	short loc_776A17
		cmp	[esi+20h], edx
		jnb	short loc_776A7E

loc_776A17:				; CODE XREF: AlpcpAllocateBlob(x,x,x)+10j
		cmp	dword ptr [esi+20h], 0
		ja	short loc_776A64
		mov	eax, [esi+4]
		push	eax
		push	edx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_776A29:				; CODE XREF: AlpcpAllocateBlob(x,x,x)+7Cj
		xor	bl, bl

loc_776A2B:				; CODE XREF: AlpcpAllocateBlob(x,x,x)+94j
		mov	edx, eax
		xor	eax, eax
		test	edx, edx
		jz	short loc_776A5E
		push	edi
		mov	ecx, 6
		mov	edi, edx
		rep stosd
		movzx	eax, byte ptr [esi]
		mov	[edx+9], al
		movzx	eax, byte ptr [edx+8]
		and	al, 0FDh
		mov	[edx+4], edx
		or	al, bl
		mov	[edx], edx
		mov	[edx+8], al
		lea	eax, [edx+18h]
		mov	dword ptr [edx+0Ch], 1
		pop	edi

loc_776A5E:				; CODE XREF: AlpcpAllocateBlob(x,x,x)+31j
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_776A64:				; CODE XREF: AlpcpAllocateBlob(x,x,x)+1Bj
		mov	eax, [esi+8]
		lea	ecx, [eax+eax*2]
		mov	eax, [esi+4]
		push	eax
		shl	ecx, 6
		push	edx
		push	1
		mov	eax, dword_6FB028[ecx]
		call	eax
		jmp	short loc_776A29
; 

loc_776A7E:				; CODE XREF: AlpcpAllocateBlob(x,x,x)+15j
		mov	eax, [esi+8]
		lea	eax, [eax+eax*2]
		shl	eax, 6
		add	eax, offset _AlpcpLookasides
		push	eax
		call	_ExAllocateFromPagedLookasideList@4 ; ExAllocateFromPagedLookasideList(x)
		mov	bl, 2
		jmp	short loc_776A2B
@AlpcpAllocateBlob@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcpEndInitialization(x)
@AlpcpEndInitialization@4 proc near	; CODE XREF: AlpcpCreateSecurityContext+103p
					; AlpcpCreateSection(x,x,x,x,x,x)+1B4p	...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		xor	edx, edx
		lock or	[eax], edx
		and	byte ptr [ecx-10h], 0FBh
		lea	esi, [ecx-4]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_776AC7

loc_776ABD:				; CODE XREF: AlpcpEndInitialization(x)+38j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	esi
		leave
		retn
; 

loc_776AC7:				; CODE XREF: AlpcpEndInitialization(x)+25j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_776ABD
@AlpcpEndInitialization@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcAddHandleTableEntry(x,	x)
@AlpcAddHandleTableEntry@8 proc	near	; CODE XREF: AlpcpCreateSecurityContext+C8p
					; AlpcpCreateSection(x,x,x,x,x,x)+186p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	edi
		xor	edx, edx
		lea	eax, [esi+4]
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, [esi+8]
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_776B07
		mov	ecx, [esi]

loc_776AFA:				; CODE XREF: AlpcAddHandleTableEntry(x,x)+35j
		cmp	dword ptr [ecx], 0
		jz	short loc_776B19
		inc	edi
		add	ecx, 4
		cmp	edi, ebx
		jb	short loc_776AFA

loc_776B07:				; CODE XREF: AlpcAddHandleTableEntry(x,x)+26j
		add	ebx, ebx
		cmp	ebx, 3FFFFFFFh
		jb	short loc_776B30
		or	edi, 0FFFFFFFFh
		jmp	loc_776BA7
; 

loc_776B19:				; CODE XREF: AlpcAddHandleTableEntry(x,x)+2Dj
		mov	eax, [ebp+var_8]
		mov	eax, [eax]
		mov	[ecx], eax
		mov	ecx, [ebp+var_C]
		call	_AlpcpReleasePushLockExclusive@4 ; AlpcpReleasePushLockExclusive(x)
		lea	eax, [edi+10h]
		jmp	loc_776BB1
; 

loc_776B30:				; CODE XREF: AlpcAddHandleTableEntry(x,x)+3Fj
		mov	eax, ebx
		push	61486C41h
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_776BA7
		mov	ecx, ebx
		shl	ecx, 2
		push	ecx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esi+8]
		shl	eax, 2
		push	eax		; size_t
		push	dword ptr [esi]	; void *
		push	[ebp+var_4]	; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 18h
		mov	edi, [esi+8]
		mov	ecx, [ebp+var_4]
		mov	eax, [eax]
		mov	[ecx+edi*4], eax
		cmp	dword ptr [esi+8], 10h
		mov	eax, [esi]
		jnz	short loc_776B91
		push	eax
		push	offset unk_6FB180
		call	_ExFreeToPagedLookasideList@8 ;	ExFreeToPagedLookasideList(x,x)
		jmp	short loc_776B9C
; 

loc_776B91:				; CODE XREF: AlpcAddHandleTableEntry(x,x)+B2j
		push	61486C41h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_776B9C:				; CODE XREF: AlpcAddHandleTableEntry(x,x)+BFj
		mov	eax, [ebp+var_4]
		add	edi, 10h
		mov	[esi], eax
		mov	[esi+8], ebx

loc_776BA7:				; CODE XREF: AlpcAddHandleTableEntry(x,x)+44j
					; AlpcAddHandleTableEntry(x,x)+7Aj
		mov	ecx, [ebp+var_C]
		call	_AlpcpReleasePushLockExclusive@4 ; AlpcpReleasePushLockExclusive(x)
		mov	eax, edi

loc_776BB1:				; CODE XREF: AlpcAddHandleTableEntry(x,x)+5Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@AlpcAddHandleTableEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcDeleteBlobByHandle(x, x, x)
@AlpcDeleteBlobByHandle@12 proc	near	; CODE XREF: AlpcSecurityDestroyProcedure(x)+13p
					; AlpcSectionDeleteProcedure(x)+15p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, ecx
		xor	ebx, ebx
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, edx
		test	eax, eax
		jz	short loc_776C1A
		push	edi
		lea	edi, [eax+4]
		xor	edx, edx
		mov	ecx, edi
		sub	esi, 10h
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_4]
		cmp	esi, [eax+8]
		jnb	short loc_776BF2
		mov	ecx, [eax]
		mov	eax, [ecx+esi*4]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_776BF2
		mov	[ecx+esi*4], ebx
		mov	bl, 1

loc_776BF2:				; CODE XREF: AlpcDeleteBlobByHandle(x,x,x)+2Bj
					; AlpcDeleteBlobByHandle(x,x,x)+35j
		or	edx, 0FFFFFFFFh
		lock xadd [edi], edx
		and	dl, 6
		cmp	dl, 2
		jz	short loc_776C11

loc_776C01:				; CODE XREF: AlpcDeleteBlobByHandle(x,x,x)+62j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	al, bl
		pop	edi

loc_776C0B:				; CODE XREF: AlpcDeleteBlobByHandle(x,x,x)+66j
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_776C11:				; CODE XREF: AlpcDeleteBlobByHandle(x,x,x)+49j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_776C01
; 

loc_776C1A:				; CODE XREF: AlpcDeleteBlobByHandle(x,x,x)+13j
		xor	al, al
		jmp	short loc_776C0B
@AlpcDeleteBlobByHandle@12 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpDeleteView(x)
_AlpcpDeleteView@4 proc	near		; CODE XREF: AlpcpCaptureViewAttributeInternal+51p
					; AlpcpExposeViewAttributeInSenderContext+119p	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	AlpcpDeleteBlob
		test	al, al
		jz	short loc_776C3A
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	al, 1
		pop	esi
		retn
; 

loc_776C3A:				; CODE XREF: AlpcpDeleteView(x)+Cj
		xor	al, al
		pop	esi
		retn
_AlpcpDeleteView@4 endp


;  S U B	R O U T	I N E 


AlpcpDeleteBlob	proc near		; CODE XREF: AlpcpFlushResourcesPort(x)+71p
					; NtAlpcDeleteSecurityContext+76p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	edx, edx
		lea	esi, [edi-4]
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	al, [edi-10h]
		test	al, 8
		jnz	loc_8DA508
		or	al, 8
		mov	[edi-10h], al
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_776C88

loc_776C6D:				; CODE XREF: AlpcpDeleteBlob+51j
		mov	ecx, esi
		call	KeAbPostRelease
		movzx	eax, byte ptr [edi-0Fh]
		push	edi
		mov	eax, ds:_AlpcpRegisteredTypes[eax*4]
		call	dword ptr [eax+18h]
		mov	al, 1

loc_776C85:				; CODE XREF: AlpcpReferenceBlob+163B7Bj
		pop	edi
		pop	esi
		retn
; 

loc_776C88:				; CODE XREF: AlpcpDeleteBlob+2Dj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_776C6D
AlpcpDeleteBlob	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmMapSecureViewOfSection proc near	; CODE XREF: AlpcpCreateView(x,x,x)+172p

var_60		= dword	ptr -60h
var_54		= dword	ptr -54h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 008DA52A SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		push	58h		; size_t
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		lea	eax, [ebp+var_60]
		mov	esi, edx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	edi, [ebp+arg_0]
		lea	ecx, [ebp+var_60]
		add	esp, 0Ch
		push	ebx
		push	4
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	dword ptr [ebx]
		push	dword ptr [edi]
		push	esi
		mov	esi, [ebp+var_4]
		mov	edx, esi
		call	MiMapParametersInitialize
		test	eax, eax
		js	loc_8DA52A
		mov	eax, [ebp+arg_24]
		lea	edx, [ebp+var_60]
		push	2
		pop	ecx
		push	1
		push	ecx
		push	[ebp+arg_C]
		mov	[ebp+var_2C], ecx
		mov	ecx, esi
		push	0
		push	edi
		mov	[ebp+var_28], eax
		call	MiMapViewOfSection
		mov	ecx, eax
		test	ecx, ecx
		js	loc_8DA52A
		mov	eax, [ebp+var_54]
		mov	[ebx], eax
		mov	eax, ecx

loc_776D07:				; CODE XREF: MmMapSecureViewOfSection+1638A3j
					; MmMapSecureViewOfSection+1638AEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	28h
MmMapSecureViewOfSection endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpLocateView(x, x)
_AlpcpLocateView@8 proc	near		; CODE XREF: AlpcpExposeViewAttributeInSenderContext+49p
					; AlpcpQueryRemoteView+6Dp
		add	ecx, 20h
		mov	eax, [ecx]

loc_776D13:				; CODE XREF: AlpcpLocateView(x,x)+10j
		cmp	eax, ecx
		jz	short loc_776D20
		cmp	[eax+0Ch], edx
		jz	short locret_776D22
		mov	eax, [eax]
		jmp	short loc_776D13
; 

loc_776D20:				; CODE XREF: AlpcpLocateView(x,x)+7j
		xor	eax, eax

locret_776D22:				; CODE XREF: AlpcpLocateView(x,x)+Cj
		retn
_AlpcpLocateView@8 endp

; 
		align 10h
; Exported entry 1833. PsGetThreadSessionId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetThreadSessionId(x)
		public _PsGetThreadSessionId@4
_PsGetThreadSessionId@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+150h]
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		pop	ebp
		retn	4
_PsGetThreadSessionId@4	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2285. RtlQueryAtomInAtomTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlQueryAtomInAtomTable
RtlQueryAtomInAtomTable	proc near	; CODE XREF: NtQueryInformationAtom+B0p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008DA545 SIZE 0000003D BYTES

		push	4Ch
		push	offset dword_6A0FB0
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_54], eax
		movzx	edi, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_48], ecx
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_4C], ecx
		mov	ebx, [ebp+arg_10]
		mov	[ebp+var_50], ebx
		mov	ecx, [ebp+arg_14]
		mov	[ebp+var_44], ecx
		mov	ecx, eax
		call	_RtlpLockAtomTable@4 ; RtlpLockAtomTable(x)
		test	al, al
		jz	loc_8DA545
		and	[ebp+ms_exc.disabled], 0
		mov	eax, 0C000h
		cmp	di, ax
		jb	loc_776E85
		mov	esi, 0C0000008h
		mov	[ebp+var_40], esi
		mov	edx, edi
		and	edx, 3FFFh
		mov	eax, [ebp+var_54]
		mov	[ebp+var_58], eax
		mov	ecx, eax
		call	_RtlpAtomMapAtomToHandleEntry@8	; RtlpAtomMapAtomToHandleEntry(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_776E31
		cmp	[ebx+6], di
		jnz	short loc_776E31
		push	0
		mov	edx, ebx
		mov	ecx, [ebp+var_58]
		call	_RtlpLookupLowBox@12 ; RtlpLookupLowBox(x,x,x)
		test	eax, eax
		jz	short loc_776E31
		xor	esi, esi
		mov	[ebp+var_40], esi
		mov	ecx, [ebp+var_48]
		test	ecx, ecx
		jnz	loc_776E6F

loc_776DE4:				; CODE XREF: RtlQueryAtomInAtomTable+129j
		mov	ecx, [ebp+var_4C]
		test	ecx, ecx
		jnz	loc_776E7A

loc_776DEF:				; CODE XREF: RtlQueryAtomInAtomTable+134j
		mov	ecx, [ebp+var_50]
		test	ecx, ecx
		jz	short loc_776E31
		movzx	edi, byte ptr [ebx+18h]
		add	edi, edi
		mov	edx, [ebp+var_44]
		mov	eax, [edx]
		cmp	edi, eax
		jnb	loc_776EF5

loc_776E09:				; CODE XREF: RtlQueryAtomInAtomTable+1B1j
					; RtlQueryAtomInAtomTable+1CEj
		test	edi, edi
		jz	loc_8DA575
		push	edi		; size_t
		lea	eax, [ebx+1Ah]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, edi
		shr	eax, 1
		xor	edx, edx
		mov	ecx, [ebp+var_50]
		mov	[ecx+eax*2], dx

loc_776E2C:				; CODE XREF: RtlQueryAtomInAtomTable+1A4j
		mov	eax, [ebp+var_44]
		mov	[eax], edi

loc_776E31:				; CODE XREF: RtlQueryAtomInAtomTable+70j
					; RtlQueryAtomInAtomTable+76j ...
		or	eax, 0FFFFFFFFh
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_776E3B:				; CODE XREF: sub_8DA590+13j
		mov	edi, [ebp+var_54]
		add	edi, 8
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_776F02

loc_776E4F:				; CODE XREF: RtlQueryAtomInAtomTable+1BDj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, esi

loc_776E5D:				; CODE XREF: RtlQueryAtomInAtomTable+1637FEj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_776E6F:				; CODE XREF: RtlQueryAtomInAtomTable+92j
		movzx	eax, word ptr [ebx+14h]
		mov	[ecx], eax
		jmp	loc_776DE4
; 

loc_776E7A:				; CODE XREF: RtlQueryAtomInAtomTable+9Dj
		movzx	eax, word ptr [ebx+16h]
		mov	[ecx], eax
		jmp	loc_776DEF
; 

loc_776E85:				; CODE XREF: RtlQueryAtomInAtomTable+49j
		test	di, di
		jz	loc_8DA54F
		xor	esi, esi
		mov	[ebp+var_40], esi
		mov	eax, [ebp+var_48]
		test	eax, eax
		jnz	loc_8DA556

loc_776E9E:				; CODE XREF: RtlQueryAtomInAtomTable+163810j
		mov	eax, [ebp+var_4C]
		test	eax, eax
		jnz	short loc_776F0E

loc_776EA5:				; CODE XREF: RtlQueryAtomInAtomTable+1C8j
		test	ebx, ebx
		jz	short loc_776E31
		push	edi
		push	offset ??_C@_17OGKEIBAI@?$AA?$CD?$AA?$CF?$AAu@NNGAKEGL@
		push	0FFFFFFFFh
		push	10h
		lea	eax, [ebp+var_3C]
		push	eax
		call	__snwprintf_s
		add	esp, 14h
		mov	edi, eax
		add	edi, edi
		mov	eax, [ebp+var_44]
		mov	eax, [eax]
		cmp	edi, eax
		jnb	loc_8DA561

loc_776ED0:				; CODE XREF: RtlQueryAtomInAtomTable+16381Dj
					; RtlQueryAtomInAtomTable+163824j
		test	edi, edi
		jz	loc_8DA575
		push	edi		; size_t
		lea	eax, [ebp+var_3C]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, edi
		shr	eax, 1
		xor	ecx, ecx
		mov	[ebx+eax*2], cx
		jmp	loc_776E2C
; 

loc_776EF5:				; CODE XREF: RtlQueryAtomInAtomTable+B7j
		cmp	eax, 2
		jb	short loc_776F16
		lea	edi, [eax-2]
		jmp	loc_776E09
; 

loc_776F02:				; CODE XREF: RtlQueryAtomInAtomTable+FDj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_776E4F
; 

loc_776F0E:				; CODE XREF: RtlQueryAtomInAtomTable+157j
		mov	dword ptr [eax], 1
		jmp	short loc_776EA5
; 

loc_776F16:				; CODE XREF: RtlQueryAtomInAtomTable+1ACj
		mov	[edx], edi
		xor	edi, edi
		jmp	loc_776E09
RtlQueryAtomInAtomTable	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall RtlpLockAtomTable(x)
_RtlpLockAtomTable@4 proc near		; CODE XREF: RtlAddAtomToAtomTableEx+20p
					; RtlDestroyLowBoxAtoms(x,x)+10p ...
		test	ecx, ecx
		jz	short loc_776F47
		cmp	dword ptr [ecx], 6D6F7441h
		jnz	short loc_776F47
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		add	ecx, 8
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	al, 1
		retn
; 

loc_776F47:				; CODE XREF: RtlpLockAtomTable(x)+2j
					; RtlpLockAtomTable(x)+Aj
		xor	al, al
		retn
_RtlpLockAtomTable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpPsProvTraceImage(x, x, x, x)
_EtwpPsProvTraceImage@16 proc near	; CODE XREF: EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)+138p
					; PerfLogImageLoad+1A8p

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		movzx	eax, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		sub	eax, 1401h
		jnz	loc_777036
		mov	ecx, offset _ImageLoad

loc_776F76:				; CODE XREF: EtwpPsProvTraceImage(x,x,x,x)+F6j
		lea	eax, [edx+4]
		mov	[ebp+var_84], edx
		mov	[ebp+var_74], eax
		lea	eax, [edx+8]
		mov	[ebp+var_64], eax
		lea	eax, [edx+0Ch]
		push	ebx
		mov	[ebp+var_54], eax
		xor	ebx, ebx
		push	edi
		push	4
		pop	edi
		lea	eax, [edx+10h]
		mov	[ebp+var_80], ebx
		mov	[ebp+var_44], eax
		lea	eax, [edx+18h]
		mov	[ebp+var_34], eax
		mov	eax, [esi+4]
		mov	[ebp+var_24], eax
		movzx	eax, word ptr [esi]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_84]
		push	eax
		push	8
		push	ebx
		xor	eax, eax
		mov	[ebp+var_7C], edi
		cmp	[ebp+arg_4], eax
		push	ebx
		setnz	al
		mov	[ebp+var_78], ebx
		push	eax
		push	ebx
		push	ebx
		push	ecx
		push	dword_6BC18C
		mov	[ebp+var_70], ebx
		push	_EtwpPsProvRegHandle
		mov	[ebp+var_6C], edi
		mov	[ebp+var_68], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], edi
		mov	[ebp+var_58], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], offset _EtwpNull
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], 2
		mov	[ebp+var_8], ebx
		call	EtwWriteEx
		pop	edi
		pop	ebx

loc_777027:				; CODE XREF: EtwpPsProvTraceImage(x,x,x,x)+EFj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_777036:				; CODE XREF: EtwpPsProvTraceImage(x,x,x,x)+21j
		sub	eax, 1
		jnz	short loc_777027
		mov	ecx, offset _ImageUnload
		jmp	loc_776F76
_EtwpPsProvTraceImage@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapViewOfImageSection	proc near	; CODE XREF: MiMapViewOfSection+3B0p
					; MiMapViewOfSection+160E61p ...

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch

; FUNCTION CHUNK AT 008DA5A8 SIZE 00000320 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 94h
		push	ebx
		mov	[esp+98h+var_80], ecx
		xor	eax, eax
		push	esi
		push	edi
		mov	ecx, 0Ah
		mov	[esp+0A0h+var_90], eax
		lea	edi, [esp+0A0h+var_28]
		mov	ebx, edx
		rep stosd
		mov	ecx, 7
		mov	[esp+0A0h+var_4C], ebx
		mov	esi, [ebx+3Ch]
		lea	edi, [esp+0A0h+var_44]
		rep stosd
		mov	edi, [esp+0A0h+var_80]
		mov	[esp+0A0h+var_84], esi
		mov	ecx, [edi]
		mov	[esp+0A0h+var_78], ecx
		mov	edx, [ecx+24h]
		mov	ecx, dword_6CF504
		mov	[esp+0A0h+var_50], edx
		test	ecx, ecx
		jnz	loc_8DA5A8

loc_7770AD:				; CODE XREF: MiMapViewOfImageSection+163561j
					; MiMapViewOfImageSection+163577j ...
		test	dword ptr [edi+1Ch], 10000000h
		mov	ecx, [esp+0A0h+var_78]
		mov	edx, [ecx+20h]
		mov	[esp+0A0h+var_58], edx
		mov	edx, [ecx+18h]
		mov	[esp+0A0h+var_64], edx
		jnz	loc_7778AA
		test	dword ptr [esi+3A8h], 2000h
		jnz	loc_7778AA

loc_7770DC:				; CODE XREF: MiMapViewOfImageSection+85Ej
					; MiMapViewOfImageSection+869j
		mov	edx, [ebx+8]
		mov	[esp+0A0h+var_7C], edx
		mov	edx, [ebp+arg_8]
		mov	[esp+0A0h+var_90], eax
		test	edx, edx
		jz	loc_777797
		test	dword ptr [edx+20h], 80000h
		jnz	loc_777797
		test	dword ptr [ebx+14h], 40000h
		jnz	loc_777797

loc_77710C:				; CODE XREF: MiMapViewOfImageSection+75Aj
		test	eax, 200h
		jnz	short loc_77713D
		push	[esp+0A0h+var_50]
		mov	ecx, esi
		push	edi
		call	_MiAllowImageMap@16 ; MiAllowImageMap(x,x,x,x)
		test	eax, eax
		js	loc_7776B8
		mov	eax, [esi+490h]
		test	al, 10h
		jnz	loc_7777F6

loc_777135:				; CODE XREF: MiMapViewOfImageSection+7AEj
					; MiMapViewOfImageSection+16358Fj
		mov	eax, [esp+0A0h+var_90]

loc_777139:				; CODE XREF: MiMapViewOfImageSection+7C5j
		mov	ecx, [esp+0A0h+var_78]

loc_77713D:				; CODE XREF: MiMapViewOfImageSection+C1j
		or	eax, 2
		test	byte ptr [ecx+0Bh], 1
		jnz	loc_777832

loc_77714A:				; CODE XREF: MiMapViewOfImageSection+7E9j
					; MiMapViewOfImageSection+7F7j	...
		mov	esi, eax
		mov	[esp+0A0h+var_90], eax
		and	esi, 200h
		jnz	short loc_777176
		lea	eax, [edi+50h]
		test	eax, eax
		jz	short loc_777176
		nop

loc_777160:				; CODE XREF: MiMapViewOfImageSection+124j
		mov	cl, [eax+10h]
		and	cl, 0Eh
		cmp	cl, 0Ch
		jnb	loc_8DA5EF
		mov	eax, [eax+8]
		test	eax, eax
		jnz	short loc_777160

loc_777176:				; CODE XREF: MiMapViewOfImageSection+106j
					; MiMapViewOfImageSection+10Dj	...
		lea	eax, [edi+50h]
		mov	ecx, edi
		mov	[esp+0A0h+var_68], eax
		call	MiCheckPurgeAndUpMapCount
		mov	eax, [ebx+0Ch]
		mov	[esp+0A0h+var_88], eax
		call	_MmGetCurrentProcessorColor@0 ;	MmGetCurrentProcessorColor()
		or	eax, 80000000h
		mov	edx, 20646156h
		push	eax
		push	0
		push	40h
		mov	ecx, 4Ch
		call	ExAllocatePoolMm
		mov	edi, eax
		test	edi, edi
		jz	loc_8DA604
		cmp	[ebp+arg_C], 1
		mov	dword ptr [edi], 0FFFFFFFEh
		mov	dword ptr [edi+4], 0FFFFFFFEh
		mov	dword ptr [edi+8], 0FFFFFFFEh
		jnz	loc_8DA617
		mov	ecx, 4000000h

loc_7771D6:				; CODE XREF: MiMapViewOfImageSection+1635C9j
		mov	eax, [edi+28h]
		and	eax, 0FBFFFFFFh
		or	eax, ecx
		mov	[edi+28h], eax
		mov	eax, [edi+1Ch]
		and	eax, 0FFFFFFAFh
		or	eax, 20h
		mov	[edi+1Ch], eax
		mov	ecx, [ebx+20h]
		shl	ecx, 0Ch
		xor	ecx, eax
		and	ecx, 3F000h
		xor	ecx, eax
		mov	eax, [ebp+arg_8]
		mov	[edi+1Ch], ecx
		test	eax, eax
		jz	short loc_777232
		mov	ecx, eax
		call	MiReferenceFileObjectForMap
		mov	ecx, [edi+28h]
		mov	[edi+48h], eax
		and	ecx, 0F7FFFFFFh
		mov	eax, [ebp+arg_8]
		mov	eax, [eax+24h]
		shr	eax, 4
		and	eax, 8000000h
		or	eax, ecx
		mov	ecx, [edi+1Ch]
		mov	[edi+28h], eax

loc_777232:				; CODE XREF: MiMapViewOfImageSection+1B7j
		mov	dword ptr [edi+18h], 0
		test	esi, esi
		jnz	loc_7777AF
		and	ecx, 0FFFFF3FFh
		or	ecx, 380h
		mov	[edi+1Ch], ecx
		mov	eax, [edi+20h]
		xor	eax, [esp+0A0h+var_58]
		and	eax, 7FFFFFFFh
		xor	[edi+20h], eax

loc_77725F:				; CODE XREF: MiMapViewOfImageSection+77Ej
					; MiMapViewOfImageSection+78Bj
		mov	eax, large fs:124h
		test	byte ptr [ebx+30h], 1
		mov	[esp+0A0h+var_54], 0
		mov	[esp+0A0h+var_6C], eax
		jnz	loc_8DA61E

loc_77727B:				; CODE XREF: MiMapViewOfImageSection+1635D6j
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		add	eax, [esp+0A0h+var_64]

loc_777284:				; CODE XREF: MiMapViewOfImageSection+1635E1j
		and	ecx, 0F80h
		mov	[esp+0A0h+var_8C], eax
		xor	esi, esi
		mov	[esp+0A0h+var_74], eax
		cmp	ecx, 380h
		mov	[esp+0A0h+var_70], esi
		mov	ecx, [esp+0A0h+var_84]
		jnz	short loc_7772C9
		cmp	[ecx+0E4h], esi
		jz	short loc_7772C9
		test	dword ptr [ecx+3A8h], 1000h
		jnz	short loc_7772C9
		call	PsIsImageNotifyEnabled
		test	al, al
		jz	short loc_7772C9
		or	[esp+0A0h+var_90], 800h

loc_7772C9:				; CODE XREF: MiMapViewOfImageSection+252j
					; MiMapViewOfImageSection+25Aj	...
		mov	edx, ecx
		mov	ecx, [esp+0A0h+var_6C]
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		mov	ecx, [esp+0A0h+var_84]
		test	byte ptr [ecx+0FCh], 20h
		jnz	loc_8DA636
		test	byte ptr [ebx+30h], 1
		jnz	loc_8DA640

loc_7772EF:				; CODE XREF: MiMapViewOfImageSection+1635F8j
		mov	eax, ds:_MmHighestUserAddress
		mov	edx, [esp+0A0h+var_88]
		inc	eax
		cmp	edx, eax
		ja	loc_8DA671
		test	byte ptr [esp+0A0h+var_90], 1
		jnz	loc_7776FB
		mov	eax, [ebx+4]
		push	eax
		mov	eax, [ebx]
		push	eax
		push	edx
		mov	edx, [esp+0ACh+var_8C]
		call	MiIsVaRangeAvailable
		test	eax, eax
		jz	loc_7776FB

loc_777325:				; CODE XREF: MiMapViewOfImageSection+6F6j
					; MiMapViewOfImageSection+163614j ...
		mov	ebx, [ebp+arg_4]
		mov	eax, [esp+0A0h+var_74]
		mov	ecx, eax
		sub	ecx, [ebx]
		mov	[esp+0A0h+var_7C], ecx
		sub	ecx, [esp+0A0h+var_64]
		neg	ecx
		sbb	edx, edx
		mov	ecx, eax
		and	edx, 40000003h
		shr	ecx, 0Ch
		mov	[esp+0A0h+var_8C], edx
		mov	edx, [esp+0A0h+var_88]
		dec	edx
		mov	[edi+0Ch], ecx
		add	eax, edx
		mov	[esp+0A0h+var_58], ecx
		mov	edx, [esp+0A0h+var_8C]
		shr	eax, 0Ch
		mov	[edi+10h], eax
		mov	ecx, [ebx]
		mov	[esp+0A0h+var_48], eax
		mov	eax, [ebx+4]
		mov	ebx, [esp+0A0h+var_68]
		shrd	ecx, eax, 0Ch
		shr	eax, 0Ch
		mov	ebx, [ebx+1Ch]
		mov	[esp+0A0h+var_60], ebx
		mov	ebx, [esp+0A0h+var_4C]
		test	eax, eax
		jb	short loc_777396
		ja	loc_8DA75E
		cmp	ecx, [esp+0A0h+var_60]
		jnb	loc_8DA75E

loc_777396:				; CODE XREF: MiMapViewOfImageSection+334j
					; MiMapViewOfImageSection+163737j
		mov	eax, [esp+0A0h+var_68]
		mov	[edi+2Ch], eax
		mov	[esp+0A0h+var_88], edx
		mov	eax, [eax+4]
		lea	eax, [eax+ecx*8]
		mov	[edi+30h], eax
		mov	eax, [esp+0A0h+var_78]
		mov	ecx, [eax+4]
		mov	eax, [eax+28h]
		lea	eax, [eax+ecx*8]
		add	eax, 0FFFFFFF8h
		test	[ebp+arg_14], 4
		mov	[edi+34h], eax
		jnz	short loc_7773D5
		mov	eax, [esp+0A0h+var_64]
		mov	[esp+0A0h+var_88], edx
		cmp	[esp+0A0h+var_7C], eax
		jnz	loc_777751

loc_7773D5:				; CODE XREF: MiMapViewOfImageSection+371j
					; MiMapViewOfImageSection+729j	...
		mov	ecx, [esp+0A0h+var_84]
		cmp	[ebx+20h], esi
		jnz	loc_8DA7A0

loc_7773E2:				; CODE XREF: MiMapViewOfImageSection+16375Dj
		mov	eax, [esp+0A0h+var_80]
		test	dword ptr [eax+1Ch], 4000000h
		jnz	loc_7778E2

loc_7773F3:				; CODE XREF: MiMapViewOfImageSection+8BEj
		mov	edx, ecx
		mov	ecx, eax
		push	0
		call	MiInsertSharedCommitNode
		mov	ecx, [esp+0A0h+var_90]
		mov	[esp+0A0h+var_8C], eax
		test	eax, eax
		js	loc_8DA8BF
		or	ecx, 40h
		mov	edx, 8
		mov	[esp+0A0h+var_90], ecx
		test	[ebp+arg_14], dl
		jnz	loc_8DA7B2

loc_777423:				; CODE XREF: MiMapViewOfImageSection+163767j
		call	_MmGetMinWsPagePriority@0 ; MmGetMinWsPagePriority()
		test	eax, eax
		jz	loc_8DA7BC
		cmp	eax, 2
		jz	loc_8DA7C6

loc_777439:				; CODE XREF: MiMapViewOfImageSection+163795j
		mov	edx, [esp+0A0h+var_84]
		push	ecx
		mov	ecx, edi
		call	MiInsertVadCharges
		mov	[esp+0A0h+var_8C], eax
		test	eax, eax
		js	loc_8DA6DE
		cmp	[esp+0A0h+var_88], 40000036h
		jz	loc_777895

loc_77745F:				; CODE XREF: MiMapViewOfImageSection+855j
		mov	ecx, edi
		call	MiGetWsAndInsertVad
		mov	eax, [esp+0A0h+var_54]
		mov	[esp+0A0h+var_7C], esi
		test	eax, eax
		jnz	loc_777784

loc_777476:				; CODE XREF: MiMapViewOfImageSection+742j
		mov	ecx, [ebp+arg_0]
		mov	eax, [esp+0A0h+var_74]
		mov	[ecx], eax
		mov	eax, [esp+0A0h+var_50]
		cmp	byte ptr [eax+22h], 0
		jz	short loc_7774A7
		movzx	eax, word ptr [eax+20h]
		cmp	ax, ds:0FFDF002Ch
		jb	loc_8DA7EA
		cmp	ax, ds:0FFDF002Eh
		ja	loc_8DA7EA

loc_7774A7:				; CODE XREF: MiMapViewOfImageSection+437j
		mov	eax, [esp+0A0h+var_88]

loc_7774AB:				; CODE XREF: MiMapViewOfImageSection+1637A3j
		test	ds:_PerfGlobalGroupMask, 8000h
		jnz	loc_8DA7F8

loc_7774BB:				; CODE XREF: MiMapViewOfImageSection+1637B8j
		mov	edx, [esp+0A0h+var_90]
		or	edx, 4
		mov	[esp+0A0h+var_90], edx
		test	edx, 200h
		jnz	loc_7775B1
		test	_NtGlobalFlag, 40000h
		jnz	loc_777913

loc_7774E2:				; CODE XREF: MiMapViewOfImageSection+8C8j
					; MiMapViewOfImageSection+8D3j	...
		cmp	edx, 800h
		jb	loc_77759D
		mov	edx, [esp+0A0h+var_78]
		mov	byte ptr [esp+0A0h+var_40], 3
		mov	eax, [edi+28h]
		test	eax, 8000000h
		jnz	loc_7776C1
		movzx	ecx, byte ptr [edx+0Bh]
		movzx	eax, byte ptr [edx+0Bh]
		and	ecx, 0Eh
		and	eax, 0FFFFF8F0h
		shl	ecx, 7
		or	ecx, eax
		mov	eax, [esp+0A0h+var_40]
		shl	ecx, 8
		and	eax, 0FFF80FFFh
		or	ecx, eax

loc_777528:				; CODE XREF: MiMapViewOfImageSection+67Bj
		cmp	[esp+0A0h+var_88], 4000000Eh
		jz	loc_8DA80D
		xor	eax, eax

loc_777538:				; CODE XREF: MiMapViewOfImageSection+1637C2j
		and	ecx, 0FFFFF7FFh
		lea	esi, [edx+10h]
		or	ecx, eax
		mov	eax, [esp+0A0h+var_74]
		mov	[esp+0A0h+var_3C], eax
		mov	eax, [ebx+0Ch]
		mov	[esp+0A0h+var_34], eax
		or	eax, 0FFFFFFFFh
		mov	[esp+0A0h+var_40], ecx
		or	edx, eax
		nop
		or	ebx, eax
		or	ecx, eax
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [esp+0A0h+var_4C]
		cmp	[ebx+0Ch], eax
		jnz	loc_8DA817

loc_777571:				; CODE XREF: MiMapViewOfImageSection+1637CFj
		mov	ecx, [esp+0A0h+var_80]
		mov	[esp+0A0h+var_38], 0
		mov	[esp+0A0h+var_30], 0
		call	MiReferenceControlAreaFile
		mov	edx, [esp+0A0h+var_90]
		mov	esi, [esp+0A0h+var_70]
		or	edx, 8
		mov	[esp+0A0h+var_7C], eax
		mov	[esp+0A0h+var_90], edx

loc_77759D:				; CODE XREF: MiMapViewOfImageSection+498j
		call	_MiIsProcessCfgEnabled@0 ; MiIsProcessCfgEnabled()
		test	eax, eax
		jz	loc_7776D0
		or	edx, 18h
		mov	[esp+0A0h+var_90], edx

loc_7775B1:				; CODE XREF: MiMapViewOfImageSection+47Cj
					; MiMapViewOfImageSection+6A6j
		test	dl, 8
		jz	loc_777699
		mov	ecx, [esp+0A0h+var_6C]
		mov	edx, edi
		call	_MiLockVad@8	; MiLockVad(x,x)
		mov	edx, [esp+0A0h+var_84]
		mov	ecx, [esp+0A0h+var_6C]
		call	UNLOCK_ADDRESS_SPACE_UNORDERED
		mov	eax, [esp+0A0h+var_90]
		and	eax, 0FFFFFFFBh
		mov	[esp+0A0h+var_90], eax
		test	al, 10h
		jz	short loc_7775FE
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	MiCommitVadCfgBits
		mov	edx, eax
		mov	[esp+0A0h+var_60], edx
		test	edx, edx
		js	loc_8DA886
		mov	eax, [esp+0A0h+var_90]

loc_7775FE:				; CODE XREF: MiMapViewOfImageSection+58Fj
		cmp	dword ptr [ebx+38h], 0
		jnz	loc_8DA824

loc_777608:				; CODE XREF: MiMapViewOfImageSection+16382Aj
		cmp	eax, 800h
		jb	short loc_77763B
		mov	eax, [esp+0A0h+var_48]
		mov	ecx, edi
		mov	edx, [esp+0A0h+var_58]
		push	0
		shl	eax, 0Ch
		push	80000001h
		or	eax, 0FFFh
		shl	edx, 0Ch
		push	eax
		call	MiAddSecureEntry
		mov	esi, eax
		test	esi, esi
		jz	loc_8DA87F

loc_77763B:				; CODE XREF: MiMapViewOfImageSection+5BDj
		test	byte ptr [ebx+28h], 2
		jnz	loc_777826

loc_777645:				; CODE XREF: MiMapViewOfImageSection+7DDj
		mov	ecx, [esp+0A0h+var_6C]
		mov	edx, edi
		call	MiUnlockVad
		mov	edx, [esp+0A0h+var_90]
		mov	edi, [esp+0A0h+var_84]
		cmp	edx, 800h
		jb	short loc_777681
		mov	eax, [esp+0A0h+var_7C]
		lea	ecx, [esp+0A0h+var_44]
		push	eax
		push	ecx
		mov	edx, edi
		lea	ecx, [eax+30h]
		call	PsCallImageNotifyRoutines
		mov	ecx, [esp+0A0h+var_7C]
		call	ObfDereferenceObject
		mov	edx, [esp+0A0h+var_90]

loc_777681:				; CODE XREF: MiMapViewOfImageSection+60Ej
		test	esi, esi
		jz	short loc_777699
		mov	eax, edi
		xor	eax, dword_6D061C
		xor	esi, eax
		push	esi
		call	_MmUnsecureVirtualMemory@4 ; MmUnsecureVirtualMemory(x)
		mov	edx, [esp+0A0h+var_90]

loc_777699:				; CODE XREF: MiMapViewOfImageSection+564j
					; MiMapViewOfImageSection+633j
		test	dl, 4
		jnz	loc_7777E0

loc_7776A2:				; CODE XREF: MiMapViewOfImageSection+7A1j
		test	edx, 200h
		jnz	short loc_7776B4
		cmp	[ebp+arg_8], 0
		jz	short loc_7776B4
		or	dword ptr [ebx+30h], 4

loc_7776B4:				; CODE XREF: MiMapViewOfImageSection+658j
					; MiMapViewOfImageSection+65Ej
		mov	eax, [esp+0A0h+var_88]

loc_7776B8:				; CODE XREF: MiMapViewOfImageSection+D1j
					; MiMapViewOfImageSection+163588j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7776C1:				; CODE XREF: MiMapViewOfImageSection+4AFj
		mov	ecx, [esp+0A0h+var_40]
		and	ecx, 0FFF80FFFh
		jmp	loc_777528
; 

loc_7776D0:				; CODE XREF: MiMapViewOfImageSection+554j
		mov	eax, [edi+28h]
		test	eax, 10000000h
		jnz	loc_77781A
		cmp	dword ptr [ebx+38h], 0
		jnz	loc_77781A
		test	byte ptr [ebx+28h], 2
		jnz	loc_77781A

loc_7776F2:				; CODE XREF: MiMapViewOfImageSection+7D1j
		mov	esi, [esp+0A0h+var_70]
		jmp	loc_7775B1
; 

loc_7776FB:				; CODE XREF: MiMapViewOfImageSection+2B6j
					; MiMapViewOfImageSection+2CFj
		mov	ecx, [ebx+4]
		mov	[esp+0A0h+var_60], ecx
		cmp	dword_6D07CC, esi
		jnz	loc_8DA678

loc_77770E:				; CODE XREF: MiMapViewOfImageSection+16362Ej
					; MiMapViewOfImageSection+16363Dj
		mov	edx, [ebx]
		cmp	edx, ecx
		jnb	loc_8DA692
		lea	eax, [esp+0A0h+var_74]
		push	eax
		lea	eax, [esp+0A4h+var_54]
		push	eax
		mov	eax, [edi+1Ch]
		push	0
		shr	eax, 7
		and	eax, 1Fh
		push	eax
		push	ecx
		push	[esp+0B4h+var_7C]
		push	[esp+0B8h+var_88]
		push	ecx
		mov	ecx, [ebx+14h]
		call	_MiSelectUserAddress@40	; MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)
		mov	[esp+0A0h+var_8C], eax
		test	eax, eax
		jns	loc_777325
		jmp	loc_8DA69D
; 

loc_777751:				; CODE XREF: MiMapViewOfImageSection+37Fj
		mov	ecx, [esp+0A0h+var_90]
		mov	eax, ecx
		and	eax, 400h
		mov	[esp+0A0h+var_60], eax
		jnz	loc_777855
		test	dword ptr [ebx+14h], (offset loc_7FFFFF+1)
		jnz	loc_777855

loc_777773:				; CODE XREF: MiMapViewOfImageSection+876j
		mov	[esp+0A0h+var_88], edx
		test	eax, eax
		jz	loc_7773D5
		jmp	loc_8DA796
; 

loc_777784:				; CODE XREF: MiMapViewOfImageSection+420j
		mov	edx, [esp+0A0h+var_48]
		mov	ecx, [esp+0A0h+var_58]
		push	eax
		call	MiAdvanceVadHint
		jmp	loc_777476
; 

loc_777797:				; CODE XREF: MiMapViewOfImageSection+9Cj
					; MiMapViewOfImageSection+A9j ...
		cmp	[ebp+arg_10], 1
		jnz	loc_8DA5D3
		or	eax, 200h
		mov	[esp+0A0h+var_90], eax
		jmp	loc_77710C
; 

loc_7777AF:				; CODE XREF: MiMapViewOfImageSection+1EBj
		mov	eax, [esp+0A0h+var_90]
		and	ecx, 0FFFFF0FFh
		or	eax, 1
		or	ecx, 80h
		mov	[edi+1Ch], ecx
		mov	[esp+0A0h+var_90], eax
		cmp	eax, 400h
		jnb	loc_77725F
		and	eax, 0FFFFFFFDh
		mov	[esp+0A0h+var_90], eax
		jmp	loc_77725F
; 

loc_7777E0:				; CODE XREF: MiMapViewOfImageSection+64Cj
		mov	edx, [esp+0A0h+var_84]
		mov	ecx, [esp+0A0h+var_6C]
		call	UNLOCK_ADDRESS_SPACE
		mov	edx, [esp+0A0h+var_90]
		jmp	loc_7776A2
; 

loc_7777F6:				; CODE XREF: MiMapViewOfImageSection+DFj
		mov	ecx, [esp+0A0h+var_50]
		test	byte ptr [ecx+23h], 4
		jnz	loc_777135
		test	byte ptr [ecx+1Ch], 1
		jnz	loc_8DA5DD
		mov	eax, [esp+0A0h+var_90]
		or	eax, 1
		jmp	loc_777139
; 

loc_77781A:				; CODE XREF: MiMapViewOfImageSection+688j
					; MiMapViewOfImageSection+692j	...
		or	edx, 8
		mov	[esp+0A0h+var_90], edx
		jmp	loc_7776F2
; 

loc_777826:				; CODE XREF: MiMapViewOfImageSection+5EFj
		mov	ecx, edi
		call	MiSoftFaultMappedView
		jmp	loc_777645
; 

loc_777832:				; CODE XREF: MiMapViewOfImageSection+F4j
		test	byte ptr [esi+490h], 40h
		jnz	loc_77714A
		or	eax, 1
		cmp	eax, 400h
		jnb	loc_77714A
		and	eax, 0FFFFFFFDh
		jmp	loc_77714A
; 

loc_777855:				; CODE XREF: MiMapViewOfImageSection+710j
					; MiMapViewOfImageSection+71Dj
		mov	eax, [esp+0A0h+var_80]
		test	dword ptr [eax+1Ch], 800h
		setz	dl
		test	cl, 2
		setnz	al
		test	dl, al
		jz	short loc_7778BE
		mov	ecx, edi
		call	_MiAllocateFixupVad@4 ;	MiAllocateFixupVad(x)
		mov	[esp+0A0h+var_64], eax
		test	eax, eax
		jz	short loc_7778CB
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [esp+0A0h+var_64]
		mov	[esp+0A0h+var_88], 40000036h
		jmp	loc_7773D5
; 

loc_777895:				; CODE XREF: MiMapViewOfImageSection+409j
		mov	eax, [esp+0A0h+var_84]
		mov	eax, [eax+24Ch]
		inc	dword ptr [eax+98h]
		jmp	loc_77745F
; 

loc_7778AA:				; CODE XREF: MiMapViewOfImageSection+76j
					; MiMapViewOfImageSection+86j
		test	byte ptr [ecx+0Bh], 1
		jnz	loc_7770DC
		mov	eax, 401h
		jmp	loc_7770DC
; 

loc_7778BE:				; CODE XREF: MiMapViewOfImageSection+81Bj
		mov	edx, [esp+0A0h+var_8C]
		mov	eax, [esp+0A0h+var_60]
		jmp	loc_777773
; 

loc_7778CB:				; CODE XREF: MiMapViewOfImageSection+82Aj
		mov	eax, [esp+0A0h+var_8C]
		mov	[esp+0A0h+var_88], eax
		cmp	[esp+0A0h+var_60], esi
		jz	loc_7773D5
		jmp	loc_8DA78C
; 

loc_7778E2:				; CODE XREF: MiMapViewOfImageSection+39Dj
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [esp+0A0h+var_80]
		mov	edx, eax
		call	MiCreatePerSessionProtos
		mov	[esp+0A0h+var_8C], eax
		test	eax, eax
		js	loc_8DA6DE
		or	[esp+0A0h+var_90], 80h
		mov	ecx, [esp+0A0h+var_84]
		mov	eax, [esp+0A0h+var_80]
		jmp	loc_7773F3
; 

loc_777913:				; CODE XREF: MiMapViewOfImageSection+48Cj
		cmp	eax, 40000003h
		jz	loc_7774E2
		cmp	eax, 40000036h
		jz	loc_7774E2
		cmp	eax, 4000000Eh
		jz	loc_7774E2
		mov	eax, [esp+0A0h+var_6C]
		test	byte ptr [eax+304h], 20h
		jnz	loc_7774E2
		mov	eax, [esp+0A0h+var_78]
		movzx	ecx, word ptr [eax+8]
		test	ecx, 2000h
		jnz	loc_7774E2
		test	byte ptr [eax+0Ah], 80h
		jz	loc_7774E2
		push	[esp+0A0h+var_84]
		mov	edx, [esp+0A4h+var_74]
		or	ecx, 2000h
		mov	[eax+8], cx
		mov	ecx, [esp+0A4h+var_80]
		call	MiLoadUserSymbols
		mov	edx, [esp+0A0h+var_90]
		jmp	loc_7774E2
MiMapViewOfImageSection	endp

; 
		align 4

;  S U B	R O U T	I N E 


MiReferenceFileObjectForMap proc near	; CODE XREF: MiInsertInSystemSpace+22Fp
					; MiMapViewOfImageSection+1BBp

; FUNCTION CHUNK AT 008DA8C8 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, [ecx+14h]
		test	bl, 3
		jnz	loc_8DA8C8
		xor	ebx, ebx

loc_777999:				; CODE XREF: MiReferenceFileObjectForMap+162F4Aj
		mov	eax, ebx
		pop	ebx
		retn
MiReferenceFileObjectForMap endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCommitVadCfgBits proc	near		; CODE XREF: MiCfgInitializeProcess(x)+DCp
					; MiMapViewOfImageSection+597p	...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DA8D7 SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+80h]
		mov	edi, edx
		mov	esi, ecx
		mov	byte ptr [ebp+var_1], 0
		mov	[ebp+var_18], eax
		call	_MiIsProcessCfgEnabled@0 ; MiIsProcessCfgEnabled()
		test	eax, eax
		jz	loc_777A93
		mov	eax, [esi+0Ch]
		mov	ebx, eax
		mov	ecx, [esi+10h]
		shl	ebx, 0Ch
		inc	ecx
		shl	ecx, 0Ch
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], ebx
		test	edi, edi
		jnz	loc_777A7A
		test	dword ptr [esi+1Ch], 100000h
		jnz	loc_777A8B
		mov	eax, [esi+2Ch]
		mov	edx, [eax]
		mov	eax, [edx+1Ch]
		mov	[ebp+var_14], eax
		test	al, 20h
		jz	loc_777A8B
		mov	edi, [edx]
		mov	ebx, 14Ch
		mov	eax, [esi+30h]
		sub	eax, [edx+54h]
		mov	[ebp+var_10], edi
		mov	edi, [edi+24h]
		sar	eax, 3
		cmp	[edi+20h], bx
		mov	ebx, [ebp+var_8]
		jnz	loc_8DA8D7
		test	byte ptr [edi+23h], 4
		jz	short loc_777A8B
		mov	edi, [ebp+var_C]
		sub	edi, eax
		mov	eax, [ebp+var_10]
		mov	eax, [eax+18h]
		shr	eax, 0Ch
		cmp	edi, eax
		jnz	short loc_777A8F
		test	[ebp+var_14], 10000000h
		jnz	short loc_777A8F
		cmp	dword ptr [edx+30h], 0FFFFFFFFh
		jz	short loc_777A8F
		xor	edx, edx
		inc	edx

loc_777A57:				; CODE XREF: MiCommitVadCfgBits+EBj
		mov	eax, [ebp+var_18]
		push	[ebp+arg_0]
		mov	eax, [eax+24Ch]
		add	eax, 0B8h
		push	eax
		push	ecx
		push	ebx
		push	esi
		mov	ecx, edx
		call	_MiMarkProcessCfgBits@28 ; MiMarkProcessCfgBits(x,x,x,x,x,x,x)

loc_777A73:				; CODE XREF: MiCommitVadCfgBits+F7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_777A7A:				; CODE XREF: MiCommitVadCfgBits+46j
		mov	ecx, [edi+4]
		mov	ebx, [edi]
		or	ecx, 0FFFh
		push	3
		inc	ecx

loc_777A88:				; CODE XREF: MiCommitVadCfgBits+EFj
					; MiCommitVadCfgBits+F3j
		pop	edx
		jmp	short loc_777A57
; 

loc_777A8B:				; CODE XREF: MiCommitVadCfgBits+53j
					; MiCommitVadCfgBits+66j ...
		push	3
		jmp	short loc_777A88
; 

loc_777A8F:				; CODE XREF: MiCommitVadCfgBits+A5j
					; MiCommitVadCfgBits+AEj ...
		push	2
		jmp	short loc_777A88
; 

loc_777A93:				; CODE XREF: MiCommitVadCfgBits+29j
		xor	eax, eax
		jmp	short loc_777A73
MiCommitVadCfgBits endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMarkProcessCfgBits(x, x, x, x, x,	x, x)
_MiMarkProcessCfgBits@28 proc near	; CODE XREF: MiCommitVadCfgBits+D0p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		sub	ecx, 1
		jnz	short loc_777AB3
		push	[ebp+arg_0]
		mov	ecx, [ebp+arg_C]
		call	MiMarkSharedImageCfgBits

loc_777AAE:				; CODE XREF: MiMarkProcessCfgBits(x,x,x,x,x,x,x)+3Ej
					; MiMarkProcessCfgBits(x,x,x,x,x,x,x)+50j ...
		pop	ecx
		pop	ebp
		retn	14h
; 

loc_777AB3:				; CODE XREF: MiMarkProcessCfgBits(x,x,x,x,x,x,x)+9j
		sub	ecx, 1
		jz	short loc_777ADD
		sub	ecx, 1
		jnz	short loc_777AEA
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_777AD8
		movzx	eax, byte ptr [eax]

loc_777AC7:				; CODE XREF: MiMarkProcessCfgBits(x,x,x,x,x,x,x)+43j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		call	_MiMarkPrivateOpenCfgBits@16 ; MiMarkPrivateOpenCfgBits(x,x,x,x)
		jmp	short loc_777AAE
; 

loc_777AD8:				; CODE XREF: MiMarkProcessCfgBits(x,x,x,x,x,x,x)+2Aj
		xor	eax, eax
		inc	eax
		jmp	short loc_777AC7
; 

loc_777ADD:				; CODE XREF: MiMarkProcessCfgBits(x,x,x,x,x,x,x)+1Ej
		push	[ebp+arg_0]
		mov	ecx, [ebp+arg_C]
		call	MiMarkPrivateImageCfgBits
		jmp	short loc_777AAE
; 

loc_777AEA:				; CODE XREF: MiMarkProcessCfgBits(x,x,x,x,x,x,x)+23j
		mov	eax, 0C0000001h
		jmp	short loc_777AAE
_MiMarkProcessCfgBits@28 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllowImageMap(x, x, x, x)
_MiAllowImageMap@16 proc near		; CODE XREF: MiMapViewOfImageSection+CAp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	[ebp+var_10], edx
		xor	ebx, ebx
		mov	edx, ecx
		mov	[ebp+var_4], ebx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	edi, [edx+490h]
		mov	eax, edi
		mov	esi, edi
		and	eax, 100000h
		and	esi, 80000h
		jnz	short loc_777B25
		test	eax, eax
		jz	short loc_777B4C

loc_777B25:				; CODE XREF: MiAllowImageMap(x,x,x,x)+2Dj
		mov	eax, [ebp+var_10]
		test	byte ptr [eax+14h], 3
		jz	short loc_777B4C
		xor	ecx, ecx
		test	esi, esi
		setnz	cl
		inc	ecx
		call	_EtwTimLogProhibitRemoteImageMap@8 ; EtwTimLogProhibitRemoteImageMap(x,x)
		test	esi, esi
		jz	short loc_777B49
		mov	eax, 0C0000022h
		jmp	loc_777C66
; 

loc_777B49:				; CODE XREF: MiAllowImageMap(x,x,x,x)+4Bj
		mov	edx, [ebp+var_8]

loc_777B4C:				; CODE XREF: MiAllowImageMap(x,x,x,x)+31j
					; MiAllowImageMap(x,x,x,x)+3Aj
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		cmp	[eax+22h], bl
		jz	short loc_777BD3
		call	_MiGetControlAreaLoadConfig@4 ;	MiGetControlAreaLoadConfig(x)
		test	byte ptr [edx+490h], 4
		jz	short loc_777B78
		test	eax, eax
		jz	short loc_777B6E
		test	byte ptr [eax],	1
		jnz	short loc_777B78

loc_777B6E:				; CODE XREF: MiAllowImageMap(x,x,x,x)+75j
		mov	eax, 0C0000606h
		jmp	loc_777C66
; 

loc_777B78:				; CODE XREF: MiAllowImageMap(x,x,x,x)+71j
					; MiAllowImageMap(x,x,x,x)+7Aj
		test	dword ptr [edx+494h], 200000h
		jz	short loc_777BD3
		mov	byte ptr [ebp+arg_4], bl
		test	eax, eax
		jz	short loc_777B94
		test	byte ptr [eax],	40h
		jz	short loc_777B94
		mov	byte ptr [ebp+arg_4], 1

loc_777B94:				; CODE XREF: MiAllowImageMap(x,x,x,x)+97j
					; MiAllowImageMap(x,x,x,x)+9Cj
		call	MiReferenceControlAreaFile
		mov	esi, eax
		lea	ecx, [esi+30h]
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_4]
		mov	ecx, [ecx]
		mov	ecx, [ecx+24h]
		mov	dl, [ecx+3Ch]
		mov	ecx, [ebp+var_8]
		and	dl, 1
		call	_PsBlockNonCetBinaries@16 ; PsBlockNonCetBinaries(x,x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		mov	[ebp+arg_4], eax
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		mov	eax, [ebp+arg_4]
		test	eax, eax
		js	loc_777C66
		mov	ecx, [ebp+arg_0]

loc_777BD3:				; CODE XREF: MiAllowImageMap(x,x,x,x)+63j
					; MiAllowImageMap(x,x,x,x)+90j
		mov	esi, edi
		and	edi, 400000h
		and	esi, 200000h
		jnz	short loc_777BE7
		test	edi, edi
		jz	short loc_777C64

loc_777BE7:				; CODE XREF: MiAllowImageMap(x,x,x,x)+EFj
		mov	byte ptr [ebp+var_C], bl
		call	MiReferenceControlAreaFile
		mov	edi, eax
		lea	edx, [ebp+var_4]
		push	ebx
		lea	eax, [ebp+var_C]
		mov	ecx, edi
		push	eax
		call	ObpGetObjectSecurity
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_777C33
		mov	ecx, [ebp+var_4]
		call	SeQueryMandatoryLabel
		cmp	eax, 1000h
		ja	short loc_777C26
		mov	ecx, [ebp+var_4]
		call	_SeGetTrustLabelAce@4 ;	SeGetTrustLabelAce(x)
		test	eax, eax
		jnz	short loc_777C26
		mov	ebx, 0C0000022h

loc_777C26:				; CODE XREF: MiAllowImageMap(x,x,x,x)+121j
					; MiAllowImageMap(x,x,x,x)+12Dj
		push	[ebp+var_C]
		push	[ebp+var_4]
		call	_ObReleaseObjectSecurity@8 ; ObReleaseObjectSecurity(x,x)
		jmp	short loc_777C38
; 

loc_777C33:				; CODE XREF: MiAllowImageMap(x,x,x,x)+112j
		mov	ebx, 0C0000022h

loc_777C38:				; CODE XREF: MiAllowImageMap(x,x,x,x)+13Fj
		cmp	ebx, 0C0000022h
		jnz	short loc_777C5A
		mov	edx, [ebp+var_8]
		lea	eax, [edi+30h]
		xor	ecx, ecx
		test	esi, esi
		push	eax
		setnz	cl
		inc	ecx
		call	_EtwTimLogProhibitLowILImageMap@12 ; EtwTimLogProhibitLowILImageMap(x,x,x)
		neg	esi
		sbb	esi, esi
		and	ebx, esi

loc_777C5A:				; CODE XREF: MiAllowImageMap(x,x,x,x)+14Cj
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)

loc_777C64:				; CODE XREF: MiAllowImageMap(x,x,x,x)+F3j
		mov	eax, ebx

loc_777C66:				; CODE XREF: MiAllowImageMap(x,x,x,x)+52j
					; MiAllowImageMap(x,x,x,x)+81j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiAllowImageMap@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiIsVaRangeAvailable proc near		; CODE XREF: MiMapViewOfImageSection+2C8p
					; MiMapViewOfDataSection+75Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008DA8E2 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		dec	eax
		add	eax, edx
		cmp	edx, 10000h
		jb	loc_8DA8E2

loc_777C85:				; CODE XREF: MiIsVaRangeAvailable+162C7Ej
					; MiIsVaRangeAvailable+162C91j
		cmp	edx, [ebp+arg_4]
		jb	short loc_777CA5
		cmp	eax, [ebp+arg_8]
		ja	short loc_777CA5
		cmp	eax, edx
		jbe	short loc_777CA5
		push	eax
		call	_MiCheckForConflictingVadExistence@12 ;	MiCheckForConflictingVadExistence(x,x,x)
		cmp	eax, 1
		jz	short loc_777CA5
		xor	eax, eax
		inc	eax

loc_777CA1:				; CODE XREF: MiIsVaRangeAvailable+39j
		pop	ebp
		retn	0Ch
; 

loc_777CA5:				; CODE XREF: MiIsVaRangeAvailable+1Aj
					; MiIsVaRangeAvailable+1Fj ...
		xor	eax, eax
		jmp	short loc_777CA1
MiIsVaRangeAvailable endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsInvokeWin32Callout proc near		; CODE XREF: SeCaptureAtomTableCallout()+76p
					; .text:00511671p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CA162 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, [ebp+arg_8]
		and	[esp+4+var_4], 0
		push	esi
		sub	eax, 0
		jnz	short loc_777CD9

loc_777CC0:				; CODE XREF: PsInvokeWin32Callout+5Aj
		push	[ebp+arg_4]
		call	_MmSessionGetWin32Callouts@0 ; MmSessionGetWin32Callouts()
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		call	_ExCallCallBack@12 ; ExCallCallBack(x,x,x)

loc_777CD2:				; CODE XREF: PsInvokeWin32Callout+70j
					; PsInvokeWin32Callout+76j ...
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_777CD9:				; CODE XREF: PsInvokeWin32Callout+14j
		sub	eax, 1
		jnz	loc_8CA162
		mov	eax, large fs:124h
		mov	esi, [ebp+arg_C]
		mov	ecx, [eax+80h]
		test	dword ptr [ecx+0FCh], 10000h
		jz	short loc_777D06
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		cmp	[esi], eax
		jz	short loc_777CC0

loc_777D06:				; CODE XREF: PsInvokeWin32Callout+51j
		mov	ecx, esi

loc_777D08:				; CODE XREF: PsInvokeWin32Callout+1524C9j
		mov	edx, [ebp+arg_0]
		lea	eax, [esp+8+var_4]
		push	eax
		push	[ebp+arg_4]
		call	ExCallSessionCallBack
		test	eax, eax
		js	short loc_777CD2
		mov	eax, [esp+8+var_4]
		jmp	short loc_777CD2
PsInvokeWin32Callout endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExCallCallBack(x, x, x)
_ExCallCallBack@12 proc	near		; CODE XREF: PsInvokeWin32Callout+23p
					; PsConvertToGuiThread+A9p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	ebx, ecx
		call	ExReferenceCallBackBlock
		mov	edi, eax
		test	edi, edi
		jz	short loc_777D57
		push	[ebp+arg_0]
		push	esi
		push	dword ptr [edi+8]
		call	dword ptr [edi+4]
		mov	edx, edi
		mov	ecx, ebx
		mov	esi, eax
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)

loc_777D4E:				; CODE XREF: ExCallCallBack(x,x,x)+3Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_777D57:				; CODE XREF: ExCallCallBack(x,x,x)+15j
		mov	esi, 0C000000Dh
		jmp	short loc_777D4E
_ExCallCallBack@12 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1524. NtFindAtom

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtFindAtom
NtFindAtom	proc near		; DATA XREF: .text:00581054o

var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_21D		= byte ptr -21Dh
var_21C		= dword	ptr -21Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008DA904 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0FD0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 224h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	ebx, [ebp+arg_0]
		mov	esi, [ebp+arg_4]
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_228], 0
		mov	[ebp+var_22C], 0
		push	0
		push	0
		lea	eax, [ebp+var_228]
		push	eax
		push	2
		call	PsInvokeWin32Callout
		cmp	[ebp+var_228], 0
		jz	loc_8DA904
		cmp	esi, 1FEh
		ja	loc_8DA90E
		mov	eax, large fs:124h
		mov	cl, [eax+15Ah]
		mov	[ebp+var_21D], cl
		mov	eax, ebx
		mov	[ebp+var_224], eax
		test	cl, cl
		jz	loc_777E98
		mov	[ebp+var_4], 0
		test	edi, edi
		jz	short loc_777E3E
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_8DA918

loc_777E2F:				; CODE XREF: NtFindAtom+162BAAj
		mov	ax, [ecx]
		movzx	eax, ax
		mov	[ecx], ax
		mov	eax, [ebp+var_224]

loc_777E3E:				; CODE XREF: NtFindAtom+AEj
		test	ebx, ebx
		jz	short loc_777E91
		test	esi, esi
		jz	short loc_777E68
		test	bl, 1
		jnz	loc_777EF6
		lea	eax, [ebx+esi]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_8DA91F
		cmp	eax, ebx
		jb	loc_8DA91F

loc_777E68:				; CODE XREF: NtFindAtom+D4j
					; NtFindAtom+162BB2j
		lea	eax, [ebp+var_21C]
		mov	[ebp+var_224], eax
		push	esi		; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		shr	esi, 1
		xor	eax, eax
		mov	word ptr [ebp+esi*2+var_21C], ax
		mov	eax, [ebp+var_224]

loc_777E91:				; CODE XREF: NtFindAtom+D0j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_777E98:				; CODE XREF: NtFindAtom+9Fj
		lea	ecx, [ebp+var_22C]
		push	ecx
		push	eax
		push	[ebp+var_228]
		call	RtlLookupAtomInAtomTable
		mov	ecx, eax
		test	edi, edi
		jz	short loc_777ED6
		test	ecx, ecx
		js	short loc_777ED6
		cmp	[ebp+var_21D], 0
		jz	short loc_777EFB
		mov	[ebp+var_4], 1
		mov	ax, word ptr [ebp+var_22C]
		mov	[edi], ax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_777ED6:				; CODE XREF: NtFindAtom+13Fj
					; NtFindAtom+143j ...
		mov	eax, ecx

loc_777ED8:				; CODE XREF: NtFindAtom+162B99j
					; NtFindAtom+162BA3j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_777EF6:				; CODE XREF: NtFindAtom+D9j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_777EFB:				; CODE XREF: NtFindAtom+14Cj
		mov	ax, word ptr [ebp+var_22C]
		mov	[edi], ax
		jmp	short loc_777ED6
NtFindAtom	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspCallProcessNotifyRoutines proc near	; CODE XREF: PspExitProcess+65p
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+5B5p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008DA977 SIZE 000000B9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_48]
		push	9
		pop	ecx
		xor	eax, eax
		mov	esi, edx
		rep stosd
		mov	ecx, ds:_PspDamExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		mov	ecx, ds:_PspBamExtensionHost
		mov	edi, eax
		mov	[ebp+var_18], edi
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		mov	ecx, ds:_PspNotifyEnableMask
		xor	edx, edx
		shr	ecx, 2
		and	ecx, 1
		mov	[ebp+var_8], edx
		cmp	[ebp+arg_0], 0
		mov	[ebp+var_1C], edx
		mov	[ebp+var_1], dl
		mov	edx, [ebx+3D4h]
		mov	[ebp+var_24], eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_20], edx
		jz	loc_7780F7
		test	cl, cl
		jz	loc_7780E7

loc_777F74:				; CODE XREF: PspCallProcessNotifyRoutines+1E1j
					; PspCallProcessNotifyRoutines+1E9j
		and	[ebp+var_44], 0
		mov	[ebp+var_48], 24h
		test	edx, edx
		jnz	loc_8DA977

loc_777F87:				; CODE XREF: PspCallProcessNotifyRoutines+162A76j
		mov	ecx, large fs:124h
		mov	eax, [ebx+170h]
		mov	[ebp+var_40], eax
		mov	eax, [ecx+2ACh]
		mov	[ebp+var_3C], eax
		mov	eax, [ecx+2B0h]
		xor	ecx, ecx
		mov	[ebp+var_38], eax
		mov	[ebp+var_28], ecx
		test	edx, edx
		jnz	loc_8DA983
		test	esi, esi
		jz	loc_8DA9B5
		mov	eax, [esi+6Ch]
		test	eax, eax
		jz	loc_8DA9B5
		mov	[ebp+var_8], eax

loc_777FCC:				; CODE XREF: PspCallProcessNotifyRoutines+162AC0j
		mov	[ebp+var_34], eax
		test	esi, esi
		jz	loc_8DA9CD
		test	byte ptr [esi+4], 20h
		jz	loc_8DA9CD
		or	[ebp+var_44], 1
		lea	eax, [esi+8Ch]

loc_777FEB:				; CODE XREF: PspCallProcessNotifyRoutines+162AC8j
		mov	[ebp+var_30], eax
		test	esi, esi
		jz	loc_8DA9D5
		mov	eax, [esi+7Ch]
		test	eax, eax
		jz	loc_8DA9D5
		add	eax, 40h

loc_778004:				; CODE XREF: PspCallProcessNotifyRoutines+162AA8j
		mov	[ebp+var_2C], eax

loc_778007:				; CODE XREF: PspCallProcessNotifyRoutines+162A86j
					; PspCallProcessNotifyRoutines+162A94j	...
		mov	ecx, [ebp+var_10]
		lea	esi, [ebp+var_48]

loc_77800D:				; CODE XREF: PspCallProcessNotifyRoutines+1F1j
		mov	eax, ds:_PspNotifyEnableMask
		test	al, 2
		jz	loc_7780FE

loc_77801A:				; CODE XREF: PspCallProcessNotifyRoutines+1FEj
		and	[ebp+var_14], 0
		mov	eax, offset _PspCreateProcessNotifyRoutine
		mov	[ebp+var_C], eax

loc_778026:				; CODE XREF: PspCallProcessNotifyRoutines+143j
		mov	ecx, eax
		call	ExReferenceCallBackBlock
		mov	edi, eax
		test	edi, edi
		jnz	short loc_778092

loc_778033:				; CODE XREF: PspCallProcessNotifyRoutines+1B8j
					; PspCallProcessNotifyRoutines+1C3j
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_C]
		add	ecx, 4
		add	eax, 4
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], eax
		cmp	ecx, 100h
		jb	short loc_778026

loc_77804D:				; CODE XREF: PspCallProcessNotifyRoutines+162AEEj
		mov	edi, [ebp+var_18]

loc_778050:				; CODE XREF: PspCallProcessNotifyRoutines+1F8j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_778076
		test	esi, esi
		jz	short loc_778061
		cmp	dword ptr [esi+20h], 0
		jl	short loc_778076

loc_778061:				; CODE XREF: PspCallProcessNotifyRoutines+151j
		push	esi
		push	dword ptr [ebx+0E4h]
		push	ebx
		call	dword ptr [eax]
		mov	ecx, ds:_PspBamExtensionHost
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_778076:				; CODE XREF: PspCallProcessNotifyRoutines+14Dj
					; PspCallProcessNotifyRoutines+157j
		test	edi, edi
		jnz	loc_8DA9FB

loc_77807E:				; CODE XREF: PspCallProcessNotifyRoutines+162AFBj
					; PspCallProcessNotifyRoutines+162B16j
		cmp	[ebp+var_1], 0
		jnz	loc_8DAA23

loc_778088:				; CODE XREF: PspCallProcessNotifyRoutines+162B23j
		mov	eax, [ebp+var_1C]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_778092:				; CODE XREF: PspCallProcessNotifyRoutines+129j
		cmp	[ebp+var_20], 0
		mov	eax, [edi+8]
		jnz	loc_8DA9DD

loc_77809F:				; CODE XREF: PspCallProcessNotifyRoutines+162ADDj
		test	al, 2
		jz	short loc_7780D6
		cmp	byte ptr [ebp+var_10], 0
		jz	short loc_7780B4
		push	esi
		push	dword ptr [ebx+0E4h]
		push	ebx

loc_7780B1:				; CODE XREF: PspCallProcessNotifyRoutines+1DDj
		call	dword ptr [edi+4]

loc_7780B4:				; CODE XREF: PspCallProcessNotifyRoutines+19Fj
					; PspCallProcessNotifyRoutines+162AD7j
		mov	ecx, [ebp+var_C]
		mov	edx, edi
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)
		test	esi, esi
		jz	loc_778033
		mov	eax, [esi+20h]
		test	eax, eax
		jns	loc_778033
		jmp	loc_8DA9EA
; 

loc_7780D6:				; CODE XREF: PspCallProcessNotifyRoutines+199j
		push	dword ptr [ebp+arg_0]
		push	dword ptr [ebx+0E4h]
		push	dword ptr [ebx+170h]
		jmp	short loc_7780B1
; 

loc_7780E7:				; CODE XREF: PspCallProcessNotifyRoutines+66j
		test	edi, edi
		jnz	loc_777F74
		test	eax, eax
		jnz	loc_777F74

loc_7780F7:				; CODE XREF: PspCallProcessNotifyRoutines+5Ej
		xor	esi, esi
		jmp	loc_77800D
; 

loc_7780FE:				; CODE XREF: PspCallProcessNotifyRoutines+10Cj
		test	cl, cl
		jz	loc_778050
		jmp	loc_77801A
PspCallProcessNotifyRoutines endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspCallThreadNotifyRoutines proc near	; CODE XREF: PspInitializeThunkContext+C2p
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+5EAp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008DAA30 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		cmp	dword ptr [ecx+37Ch], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], ecx
		jnz	loc_8DAA30
		mov	[ebp+var_1], 0

loc_778134:				; CODE XREF: PspCallThreadNotifyRoutines+162924j
		test	al, al
		mov	eax, ds:_PspNotifyEnableMask
		jz	short loc_77816C
		cmp	[ebp+arg_0], 0
		jnz	loc_77820F
		test	al, 8
		jz	short loc_778195
		mov	esi, offset _PspCreateThreadNotifyRoutine
		mov	edi, 40h

loc_778155:				; CODE XREF: PspCallThreadNotifyRoutines+58j
		mov	ecx, esi
		call	ExReferenceCallBackBlock
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_7781D1

loc_778162:				; CODE XREF: PspCallThreadNotifyRoutines+FAj
		add	esi, 4
		sub	edi, 1
		jnz	short loc_778155
		jmp	short loc_778195
; 

loc_77816C:				; CODE XREF: PspCallThreadNotifyRoutines+2Bj
		test	al, 10h
		jz	loc_778270

loc_778174:				; CODE XREF: PspCallThreadNotifyRoutines+16Dj
		mov	esi, offset _PspCreateThreadNotifyRoutine
		mov	edi, 40h
		mov	edi, edi

loc_778180:				; CODE XREF: PspCallThreadNotifyRoutines+83j
		mov	ecx, esi
		call	ExReferenceCallBackBlock
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_77819E

loc_77818D:				; CODE XREF: PspCallThreadNotifyRoutines+BFj
		add	esi, 4
		sub	edi, 1
		jnz	short loc_778180

loc_778195:				; CODE XREF: PspCallThreadNotifyRoutines+39j
					; PspCallThreadNotifyRoutines+5Aj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_77819E:				; CODE XREF: PspCallThreadNotifyRoutines+7Bj
		cmp	[ebp+var_1], 0
		jnz	loc_8DAA39

loc_7781A8:				; CODE XREF: PspCallThreadNotifyRoutines+162933j
		mov	ecx, [ebp+var_8]
		push	0
		mov	eax, [ecx+2B0h]
		push	eax
		mov	eax, [ecx+150h]
		mov	eax, [eax+0E4h]
		push	eax
		mov	eax, [ebx+4]
		call	eax

loc_7781C6:				; CODE XREF: PspCallThreadNotifyRoutines+16292Dj
		mov	edx, ebx
		mov	ecx, esi
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)
		jmp	short loc_77818D
; 

loc_7781D1:				; CODE XREF: PspCallThreadNotifyRoutines+50j
		mov	eax, [ebx+8]
		test	al, 1
		jnz	short loc_778201
		cmp	[ebp+var_1], 0
		jnz	loc_8DAA48

loc_7781E2:				; CODE XREF: PspCallThreadNotifyRoutines+162940j
		mov	ecx, [ebp+var_8]
		push	[ebp+var_C]
		mov	eax, [ecx+2B0h]
		push	eax
		mov	eax, [ecx+150h]
		mov	eax, [eax+0E4h]
		push	eax
		mov	eax, [ebx+4]
		call	eax

loc_778201:				; CODE XREF: PspCallThreadNotifyRoutines+C6j
					; PspCallThreadNotifyRoutines+16293Aj
		mov	edx, ebx
		mov	ecx, esi
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)
		jmp	loc_778162
; 

loc_77820F:				; CODE XREF: PspCallThreadNotifyRoutines+31j
		test	al, 10h
		jz	short loc_778195
		mov	esi, offset _PspCreateThreadNotifyRoutine
		mov	edi, 40h
		lea	ecx, [ecx+0]

loc_778220:				; CODE XREF: PspCallThreadNotifyRoutines+123j
		mov	ecx, esi
		call	ExReferenceCallBackBlock
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_77823E

loc_77822D:				; CODE XREF: PspCallThreadNotifyRoutines+13Dj
		add	esi, 4
		sub	edi, 1
		jnz	short loc_778220
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_77823E:				; CODE XREF: PspCallThreadNotifyRoutines+11Bj
		test	byte ptr [ebx+8], 1
		jnz	short loc_77824F

loc_778244:				; CODE XREF: PspCallThreadNotifyRoutines+15Ej
		mov	edx, ebx
		mov	ecx, esi
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)
		jmp	short loc_77822D
; 

loc_77824F:				; CODE XREF: PspCallThreadNotifyRoutines+132j
		mov	eax, [ebp+var_8]
		push	[ebp+var_C]
		mov	ecx, [eax+2B0h]
		mov	eax, [eax+150h]
		push	ecx
		mov	eax, [eax+0E4h]
		push	eax
		mov	eax, [ebx+4]
		call	eax
		jmp	short loc_778244
; 

loc_778270:				; CODE XREF: PspCallThreadNotifyRoutines+5Ej
		mov	eax, ds:_PspNotifyEnableMask
		test	al, 8
		jz	loc_778195
		jmp	loc_778174
PspCallThreadNotifyRoutines endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsCallImageNotifyRoutines proc near	; CODE XREF: DbgkCreateThread+10Ep
					; DbgkCreateThread+1DFp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DAA55 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_14], 0
		mov	edi, edx
		mov	[ebp+var_10], 0
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], eax
		nop
		mov	[ebp+var_8], 0
		call	_KeAreAllApcsDisabled@0	; KeAreAllApcsDisabled()
		test	al, al
		jnz	loc_8DAA55

loc_7782D3:				; CODE XREF: PsCallImageNotifyRoutines+1627C7j
		mov	eax, _FltMgrCallbacks
		mov	ebx, [ebp+arg_4]
		test	eax, eax
		jz	loc_8DAA5C
		mov	eax, [eax+0Ch]
		lea	ecx, [ebp+var_8]
		push	ecx
		lea	ecx, [ebp+var_14]
		push	ecx
		push	400h
		push	ebx
		call	eax
		test	eax, eax
		js	loc_8DAA5C
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_4], ecx

loc_778304:				; CODE XREF: PsCallImageNotifyRoutines+1627CFj
		test	edi, edi
		jz	loc_7783B3
		mov	eax, [edi+0E4h]
		mov	[ebp+arg_4], eax

loc_778315:				; CODE XREF: PsCallImageNotifyRoutines+12Aj
		test	byte ptr ds:_PerfGlobalGroupMask, 4
		mov	esi, [ebp+arg_0]
		jz	short loc_77832C
		lea	eax, [esi+4]
		mov	edx, edi
		push	eax
		call	PerfLogImageLoad

loc_77832C:				; CODE XREF: PsCallImageNotifyRoutines+8Fj
		mov	eax, ds:_PspNotifyEnableMask
		test	al, 1
		jz	short loc_77836A
		or	dword ptr [esi+4], 400h
		lea	eax, [esi+4]
		mov	dword ptr [esi], 1Ch
		mov	edi, 40h
		mov	[esi+18h], ebx
		mov	esi, offset _PspLoadImageNotifyRoutine
		mov	[ebp+arg_0], eax

loc_778355:				; CODE XREF: PsCallImageNotifyRoutines+D8j
		mov	ecx, esi
		call	ExReferenceCallBackBlock
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_77838D

loc_778362:				; CODE XREF: PsCallImageNotifyRoutines+121j
		add	esi, 4
		sub	edi, 1
		jnz	short loc_778355

loc_77836A:				; CODE XREF: PsCallImageNotifyRoutines+A3j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_77837C
		push	eax
		mov	eax, _FltMgrCallbacks
		mov	eax, [eax+10h]
		call	eax

loc_77837C:				; CODE XREF: PsCallImageNotifyRoutines+DFj
		mov	ecx, [ebp+var_C]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_77838D:				; CODE XREF: PsCallImageNotifyRoutines+D0j
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebx+4]
		test	dword ptr [ecx], 800h
		jnz	short loc_7783BF

loc_77839B:				; CODE XREF: PsCallImageNotifyRoutines+135j
		test	eax, eax
		jz	short loc_7783A8
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+var_4]
		call	eax

loc_7783A8:				; CODE XREF: PsCallImageNotifyRoutines+10Dj
					; PsCallImageNotifyRoutines+133j
		mov	edx, ebx
		mov	ecx, esi
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)
		jmp	short loc_778362
; 

loc_7783B3:				; CODE XREF: PsCallImageNotifyRoutines+76j
		mov	[ebp+arg_4], 0
		jmp	loc_778315
; 

loc_7783BF:				; CODE XREF: PsCallImageNotifyRoutines+109j
		test	byte ptr [ebx+8], 1
		jz	short loc_7783A8
		jmp	short loc_77839B
PsCallImageNotifyRoutines endp

; 
		align 10h
; Exported entry 2244. RtlLookupAtomInAtomTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlLookupAtomInAtomTable
RtlLookupAtomInAtomTable proc near	; CODE XREF: NtFindAtom+136p

var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008DAA64 SIZE 00000023 BYTES
; FUNCTION CHUNK AT 008DAAAF SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A0FF8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 0
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	loc_8DAAAF
		cmp	dword ptr [esi], 6D6F7441h
		jnz	loc_8DAAAF
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ebx, [esi+8]
		mov	[ebp+arg_0], ebx
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	[ebp+var_4], 0
		lea	eax, [ebp+var_20]
		push	eax
		mov	edi, [ebp+arg_4]
		push	edi
		call	RtlGetIntegerAtom
		test	al, al
		jnz	loc_778506
		cmp	word ptr [edi],	0
		jz	loc_8DAA73
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	0
		push	0
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	RtlpHashStringToAtom
		mov	edi, eax
		mov	[ebp+var_1C], edi
		test	edi, edi
		js	short loc_7784BD
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_7784F3
		movzx	edx, word ptr [eax+4]
		mov	ecx, esi
		call	_RtlpAtomMapAtomToHandleEntry@8	; RtlpAtomMapAtomToHandleEntry(x,x)
		test	eax, eax
		jz	loc_8DAA7D
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_7784BD
		mov	eax, [ebp+var_24]
		mov	ax, [eax+6]
		mov	[ecx], ax

loc_7784BD:				; CODE XREF: RtlLookupAtomInAtomTable+BBj
					; RtlLookupAtomInAtomTable+E1j	...
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7784C4:				; CODE XREF: sub_8DAA97+13j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7784FD

loc_7784D1:				; CODE XREF: RtlLookupAtomInAtomTable+134j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, edi

loc_7784DF:				; CODE XREF: RtlLookupAtomInAtomTable+1626E4j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7784F3:				; CODE XREF: RtlLookupAtomInAtomTable+C2j
		mov	edi, 0C0000034h

loc_7784F8:				; CODE XREF: RtlLookupAtomInAtomTable+1626A8j
					; RtlLookupAtomInAtomTable+1626B2j
		mov	[ebp+var_1C], edi
		jmp	short loc_7784BD
; 

loc_7784FD:				; CODE XREF: RtlLookupAtomInAtomTable+FFj
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7784D1
; 

loc_778506:				; CODE XREF: RtlLookupAtomInAtomTable+8Dj
		mov	ecx, 0C000h
		mov	eax, [ebp+var_20]
		cmp	ax, cx
		jnb	loc_8DAA64
		xor	edi, edi

loc_778519:				; CODE XREF: RtlLookupAtomInAtomTable+16269Ej
		mov	[ebp+var_1C], edi
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_7784BD
		mov	[ecx], ax
		jmp	short loc_7784BD
RtlLookupAtomInAtomTable endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2126. RtlGetIntegerAtom

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlGetIntegerAtom
RtlGetIntegerAtom proc near		; CODE XREF: RtlAddAtomToAtomTableEx+38p
					; RtlLookupAtomInAtomTable+86p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DAAB9 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		test	eax, 0FFFF0000h
		jz	loc_8DAAB9
		cmp	word ptr [eax],	23h
		jz	short loc_77855B

loc_778553:				; CODE XREF: RtlGetIntegerAtom+3Ej
					; RtlGetIntegerAtom+44j ...
		xor	al, al

loc_778555:				; CODE XREF: RtlGetIntegerAtom+92j
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_77855B:				; CODE XREF: RtlGetIntegerAtom+23j
		lea	edx, [eax+2]
		mov	ecx, edx
		cmp	[edx], di
		jz	short loc_778581
		movzx	esi, word ptr [ecx]

loc_778568:				; CODE XREF: RtlGetIntegerAtom+51j
		cmp	si, 30h
		jb	short loc_778553
		cmp	si, 39h
		ja	short loc_778553
		add	ecx, 2
		movzx	eax, word ptr [ecx]
		mov	esi, eax
		test	ax, ax
		jnz	short loc_778568

loc_778581:				; CODE XREF: RtlGetIntegerAtom+35j
		lea	eax, [ebp+arg_0]
		mov	[ebp+arg_0], edi
		push	eax
		sub	ecx, edx
		mov	[ebp+var_4], edx
		push	0Ah
		lea	eax, [ebp+var_8]
		mov	word ptr [ebp+var_8], cx
		push	eax
		mov	word ptr [ebp+var_8+2],	cx
		call	RtlUnicodeStringToInteger
		test	eax, eax
		js	short loc_778553
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_7785BE
		mov	edx, [ebp+arg_0]
		mov	eax, 0C000h
		test	edx, edx
		jz	short loc_7785C2
		cmp	edx, eax
		ja	short loc_7785C2
		mov	[ecx], dx

loc_7785BE:				; CODE XREF: RtlGetIntegerAtom+7Bj
					; RtlGetIntegerAtom+97j ...
		mov	al, 1
		jmp	short loc_778555
; 

loc_7785C2:				; CODE XREF: RtlGetIntegerAtom+87j
					; RtlGetIntegerAtom+8Bj
		mov	[ecx], ax
		jmp	short loc_7785BE
RtlGetIntegerAtom endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpHashStringToAtom proc near		; CODE XREF: RtlAddAtomToAtomTableEx+64p
					; RtlpFreeAllAtom(x,x)+28p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008DAAE6 SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], ebx
		test	ebx, 0FFFF0000h
		jz	loc_8DAAE6
		movzx	eax, word ptr [ebx]
		mov	esi, ebx
		test	ax, ax
		jz	short loc_778637
		jmp	short loc_778600
; 
		align 10h

loc_778600:				; CODE XREF: RtlpHashStringToAtom+2Bj
					; RtlpHashStringToAtom+62j
		add	esi, 2
		movzx	ecx, ax
		cmp	ax, 61h
		jb	short loc_77861C
		cmp	ax, 7Ah
		ja	loc_7786DA
		add	eax, 0FFFFFFE0h

loc_778619:				; CODE XREF: RtlpHashStringToAtom+111j
		movzx	ecx, ax

loc_77861C:				; CODE XREF: RtlpHashStringToAtom+3Aj
		movzx	edx, cx
		mov	ecx, edx
		shr	ecx, 1
		lea	edi, [edi+edx*2]
		add	edi, edx
		add	edi, ecx
		movzx	ecx, word ptr [esi]
		mov	eax, ecx
		test	cx, cx
		jnz	short loc_778600
		mov	ecx, [ebp+var_4]

loc_778637:				; CODE XREF: RtlpHashStringToAtom+29j
		sub	esi, ebx
		sar	esi, 1
		cmp	esi, 0FFh
		ja	loc_8DAB1D
		mov	eax, edi
		xor	edx, edx
		div	dword ptr [ecx+14h]
		lea	ebx, [edx+6]
		mov	edi, [ecx+ebx*4]
		lea	ebx, [ecx+ebx*4]
		test	edi, edi
		jz	short loc_778685
		jmp	short loc_778660
; 
		align 10h

loc_778660:				; CODE XREF: RtlpHashStringToAtom+8Bj
					; RtlpHashStringToAtom+9Ej
		movzx	eax, byte ptr [edi+18h]
		cmp	eax, esi
		jz	short loc_778672

loc_778668:				; CODE XREF: RtlpHashStringToAtom+B3j
		mov	ebx, edi
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_778660
		jmp	short loc_778685
; 

loc_778672:				; CODE XREF: RtlpHashStringToAtom+96j
		push	[ebp+var_8]	; wchar_t *
		lea	eax, [edi+1Ah]
		push	eax		; wchar_t *
		call	__wcsicmp
		add	esp, 8
		test	eax, eax
		jnz	short loc_778668

loc_778685:				; CODE XREF: RtlpHashStringToAtom+89j
					; RtlpHashStringToAtom+A0j ...
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_7786D6

loc_77868C:				; CODE XREF: RtlpHashStringToAtom+108j
		test	edi, edi
		jz	short loc_7786BA
		mov	ecx, [ebp+var_4]

loc_778693:				; CODE XREF: RtlpHashStringToAtom+162548j
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	short loc_7786AA
		push	[ebp+arg_0]
		mov	edx, edi
		call	RtlpLookupOrCreateLowBox
		test	eax, eax
		jz	short loc_7786E6
		mov	[esi], eax

loc_7786AA:				; CODE XREF: RtlpHashStringToAtom+C8j
					; RtlpHashStringToAtom+EFj ...
		mov	eax, [ebp+arg_10]
		mov	[eax], edi
		xor	eax, eax

loc_7786B1:				; CODE XREF: RtlpHashStringToAtom+11Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7786BA:				; CODE XREF: RtlpHashStringToAtom+BEj
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_7786AA
		lea	eax, [esi+esi]
		mov	[ecx], eax
		mov	eax, [ebp+arg_10]
		mov	[eax], edi
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7786D6:				; CODE XREF: RtlpHashStringToAtom+BAj
		mov	[eax], ebx
		jmp	short loc_77868C
; 

loc_7786DA:				; CODE XREF: RtlpHashStringToAtom+40j
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		jmp	loc_778619
; 

loc_7786E6:				; CODE XREF: RtlpHashStringToAtom+D6j
		mov	eax, 0C0000017h
		jmp	short loc_7786B1
RtlpHashStringToAtom endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpAtomMapAtomToHandleEntry(x, x)
_RtlpAtomMapAtomToHandleEntry@8	proc near ; CODE XREF: RtlQueryAtomInAtomTable+67p
					; RtlLookupAtomInAtomTable+CAp	...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [edi+0Ch]
		shl	edx, 2
		call	ExMapHandleToPointer
		test	eax, eax
		jz	short loc_778743
		mov	esi, [eax]
		xor	ecx, ecx
		mov	edx, [edi+0Ch]
		and	esi, 0FFFFFFF8h
		inc	ecx
		lock xadd [eax], ecx
		and	[ebp+var_4], 0
		lea	ecx, [edx+20h]
		xor	edx, edx
		lea	eax, [ebp+var_4]
		lock or	[eax], edx
		cmp	[ecx], edx
		jnz	short loc_778747

loc_778738:				; CODE XREF: RtlpAtomMapAtomToHandleEntry(x,x)+57j
					; RtlpAtomMapAtomToHandleEntry(x,x)+60j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_778743:				; CODE XREF: RtlpAtomMapAtomToHandleEntry(x,x)+26j
		xor	esi, esi
		jmp	short loc_778738
; 

loc_778747:				; CODE XREF: RtlpAtomMapAtomToHandleEntry(x,x)+48j
		xor	edx, edx
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	short loc_778738
_RtlpAtomMapAtomToHandleEntry@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PerfLogImageLoad proc near		; CODE XREF: PsCallImageNotifyRoutines+97p

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= byte ptr -70h
var_6F		= byte ptr -6Fh
var_6E		= word ptr -6Eh
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1018
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_20], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_88], esi
		mov	[ebp+var_8C], edi
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_84], 0
		mov	[ebp+var_58], 0
		test	esi, esi
		jz	loc_7788CB
		cmp	word ptr [esi],	0
		jz	loc_7788CB
		cmp	dword ptr [esi+4], 0
		jz	loc_7788CB
		test	edi, edi
		jz	loc_778902
		mov	ebx, [edi+0E4h]

loc_7787D6:				; CODE XREF: PerfLogImageLoad+1B4j
		mov	edx, [ecx+4]
		mov	[ebp+var_84], edx
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], ebx
		xor	eax, eax
		mov	[ebp+var_6E], ax
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_78], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_6C], eax
		mov	ecx, [ecx]
		mov	eax, ecx
		shr	eax, 0Ch
		and	al, 0Fh
		mov	[ebp+var_70], al
		shr	ecx, 10h
		and	cl, 7
		mov	[ebp+var_6F], cl
		mov	[ebp+var_4], 0
		push	edx
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	short loc_77883B
		mov	ecx, [eax+58h]
		mov	[ebp+var_78], ecx
		mov	ecx, [eax+8]
		mov	[ebp+var_74], ecx
		mov	eax, [eax+34h]
		mov	[ebp+var_6C], eax

loc_77883B:				; CODE XREF: PerfLogImageLoad+D7j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_778842:				; CODE XREF: sub_8DAB2C+16j
		mov	eax, ds:_EtwpHostSiloState
		add	eax, 0A48h
		jz	short loc_778857
		test	byte ptr [eax],	4
		jnz	loc_7788E9

loc_778857:				; CODE XREF: PerfLogImageLoad+FCj
					; PerfLogImageLoad+1ADj
		lea	eax, [ebp+var_84]
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], 0
		mov	[ebp+var_4C], 2Ch
		mov	[ebp+var_48], 0
		mov	eax, [esi+4]
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], 0
		movzx	eax, word ptr [esi]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], 0
		mov	[ebp+var_34], offset _EtwpNull
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], 2
		mov	[ebp+var_28], 0
		push	(offset	loc_501902+1)
		push	30Ah
		push	4
		test	edi, edi
		jz	short loc_778909
		push	3
		lea	edx, [ebp+var_54]
		mov	ecx, [edi+3A0h]
		call	EtwTraceSiloKernelEvent

loc_7788CB:				; CODE XREF: PerfLogImageLoad+5Ej
					; PerfLogImageLoad+68j	...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_20]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7788E9:				; CODE XREF: PerfLogImageLoad+101j
		push	0
		push	1401h
		lea	edx, [ebp+var_84]
		mov	ecx, esi
		call	_EtwpPsProvTraceImage@16 ; EtwpPsProvTraceImage(x,x,x,x)
		jmp	loc_778857
; 

loc_778902:				; CODE XREF: PerfLogImageLoad+7Aj
		xor	ebx, ebx
		jmp	loc_7787D6
; 

loc_778909:				; CODE XREF: PerfLogImageLoad+169j
		mov	edx, 3
		lea	ecx, [ebp+var_54]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	short loc_7788CB
PerfLogImageLoad endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpEnumerateAddressSpace proc near	; CODE XREF: EtwTraceProcess+78p
					; EtwpProcessEnumCallback+10Fp	...

var_D0		= dword	ptr -0D0h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DAB47 SIZE 00000099 BYTES
; FUNCTION CHUNK AT 008DAC37 SIZE 0000018E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1038
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_20], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_58], edx
		mov	esi, ecx
		mov	[ebp+var_5C], esi
		mov	[ebp+var_B0], esi
		mov	[ebp+var_B4], edx
		mov	[ebp+var_4C], 0
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_6C], 0
		xor	ebx, ebx
		mov	[ebp+var_50], ebx
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_7789B0
		test	byte ptr [eax],	4
		jz	short loc_77899F
		mov	ebx, 1
		mov	[ebp+var_50], ebx

loc_77899F:				; CODE XREF: EtwpEnumerateAddressSpace+75j
		test	eax, eax
		jz	short loc_7789B0
		test	dword ptr [eax+4], 8000h
		jnz	loc_8DAB47

loc_7789B0:				; CODE XREF: EtwpEnumerateAddressSpace+70j
					; EtwpEnumerateAddressSpace+81j ...
		test	edx, edx
		jnz	loc_778C0A

loc_7789B8:				; CODE XREF: EtwpEnumerateAddressSpace+2ECj
					; EtwpEnumerateAddressSpace+2F8j ...
		test	ebx, ebx
		jz	loc_8DAB5D
		test	edx, edx
		jnz	loc_778C23
		push	66726550h
		push	2000h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_7C], 426h
		mov	[ebp+var_98], 263h
		xor	edi, edi
		mov	[ebp+var_8C], edi

loc_7789FA:				; CODE XREF: EtwpEnumerateAddressSpace+34Bj
		mov	[ebp+var_A4], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_A0], edx
		test	edx, edx
		jz	loc_8DAB64

loc_778A11:				; CODE XREF: EtwpEnumerateAddressSpace+162250j
		xor	eax, eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_70], eax
		mov	[ebp+var_90], eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_64], eax
		mov	edx, ebx
		mov	ecx, esi
		call	MmEnumerateAddressSpaceAndReferenceImages
		mov	[ebp+var_B8], eax
		test	eax, eax
		jz	loc_778BD7
		mov	esi, eax
		mov	[ebp+var_9C], eax

loc_778A44:				; CODE XREF: EtwpEnumerateAddressSpace+285j
		mov	ecx, [esi]
		test	ecx, ecx
		jz	loc_778BCA
		mov	eax, ecx
		and	ecx, 0FFFFFFFCh
		mov	[esi], ecx
		xor	ebx, ebx
		mov	[ebp+var_94], ebx
		and	eax, 3
		jnz	loc_8DACF0
		test	byte ptr [ebp+var_50], 2
		jnz	loc_8DAB75
		mov	[ebp+var_78], ebx
		mov	eax, [esi+4]

loc_778A76:				; CODE XREF: EtwpEnumerateAddressSpace+162280j
		mov	edi, eax
		shr	edi, 6
		and	edi, 0Fh
		mov	[ebp+var_80], edi
		mov	ebx, eax
		shr	ebx, 0Ah
		and	ebx, 7
		mov	[ebp+var_84], ebx
		and	eax, 0FFFFE03Fh
		mov	[esi+4], eax
		mov	[ebp+var_6C], 0
		call	_KeAreAllApcsDisabled@0	; KeAreAllApcsDisabled()
		test	al, al
		jnz	loc_8DABA5

loc_778AAB:				; CODE XREF: EtwpEnumerateAddressSpace+162287j
		mov	ecx, [esi]
		mov	eax, _FltMgrCallbacks
		test	eax, eax
		jz	loc_8DABAC
		lea	edx, [ebp+var_6C]
		push	edx
		push	[ebp+var_48]
		push	400h
		push	ecx
		mov	eax, [eax+0Ch]
		call	eax
		mov	ecx, eax
		mov	[ebp+var_88], ecx
		test	ecx, ecx
		js	loc_8DABAC

loc_778ADC:				; CODE XREF: EtwpEnumerateAddressSpace+1622A7j
		mov	[ebp+var_68], 0
		mov	eax, [esi+14h]
		mov	[ebp+var_BC], eax
		mov	[ebp+var_A8], eax
		mov	eax, [esi+8]
		mov	[ebp+var_C0], eax
		mov	[ebp+var_AC], eax
		mov	[ebp+var_4], 0
		mov	eax, [esi+4]
		push	eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	loc_8DABCC
		mov	edx, [eax+58h]
		mov	[ebp+var_A8], edx
		mov	ecx, [eax+8]
		mov	[ebp+var_68], ecx
		mov	eax, [eax+34h]
		mov	[ebp+var_AC], eax

loc_778B31:				; CODE XREF: EtwpEnumerateAddressSpace+1622BBj
		mov	[ebp+var_4], 0FFFFFFFEh

loc_778B38:				; CODE XREF: sub_8DABE6+4Cj
		cmp	[ebp+var_88], 0
		jl	short loc_778B61
		cmp	[ebp+var_58], 0
		jnz	short loc_778BAA
		push	0
		push	eax
		push	ebx
		push	edi
		push	ecx
		push	edx
		mov	eax, [esi+0Ch]
		push	eax
		mov	eax, [esi+4]
		push	eax
		mov	edx, [ebp+var_5C]
		mov	ecx, [ebp+var_48]
		call	_EtwpTraceImageUnload@40 ; EtwpTraceImageUnload(x,x,x,x,x,x,x,x,x,x)

loc_778B61:				; CODE XREF: EtwpEnumerateAddressSpace+21Fj
					; EtwpEnumerateAddressSpace+2A8j
		mov	eax, [ebp+var_6C]
		test	eax, eax
		jz	short loc_778B73
		push	eax
		mov	eax, _FltMgrCallbacks
		mov	eax, [eax+10h]
		call	eax

loc_778B73:				; CODE XREF: EtwpEnumerateAddressSpace+246j
		mov	eax, [esi]
		mov	[ebp+var_80], eax
		cmp	[ebp+var_78], 0
		jnz	loc_8DAC37
		mov	ebx, [ebp+var_94]

loc_778B88:				; CODE XREF: EtwpEnumerateAddressSpace+1623C0j
		mov	ecx, eax
		call	ObfDereferenceObject
		cmp	[ebp+var_78], 0
		jnz	loc_8DACE5

loc_778B99:				; CODE XREF: EtwpEnumerateAddressSpace+162464j
					; EtwpEnumerateAddressSpace+1624A0j
		add	esi, 20h
		mov	[ebp+var_9C], esi
		mov	edi, [ebp+var_54]
		jmp	loc_778A44
; 

loc_778BAA:				; CODE XREF: EtwpEnumerateAddressSpace+225j
		push	ebx
		push	edi
		push	esi
		mov	eax, [ebp+var_5C]
		mov	eax, [eax+0E4h]
		push	eax
		push	[ebp+var_48]
		mov	edx, [ebp+var_8C]
		mov	ecx, [ebp+var_54]
		call	_EtwpTraceImageRundown@28 ; EtwpTraceImageRundown(x,x,x,x,x,x,x)
		jmp	short loc_778B61
; 

loc_778BCA:				; CODE XREF: EtwpEnumerateAddressSpace+128j
		push	0
		push	[ebp+var_B8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_778BD7:				; CODE XREF: EtwpEnumerateAddressSpace+116j
		mov	edx, [ebp+var_48]

loc_778BDA:				; CODE XREF: EtwpEnumerateAddressSpace+16223Fj
					; EtwpEnumerateAddressSpace+16224Aj
		cmp	[ebp+var_58], 0
		jnz	short loc_778BEC
		test	edx, edx
		jz	short loc_778BEC
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_778BEC:				; CODE XREF: EtwpEnumerateAddressSpace+2BEj
					; EtwpEnumerateAddressSpace+2C2j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_20]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_778C0A:				; CODE XREF: EtwpEnumerateAddressSpace+92j
		test	eax, eax
		jz	loc_7789B8
		test	dword ptr [eax], 8000h
		jz	loc_7789B8
		jmp	loc_8DAB52
; 

loc_778C23:				; CODE XREF: EtwpEnumerateAddressSpace+A2j
		mov	edi, [edx+10h]
		mov	cl, [edx+24h]
		mov	edx, [edx+8]
		mov	[ebp+var_48], edx
		xor	eax, eax
		test	cl, cl
		setz	al
		add	eax, 1403h
		movzx	eax, ax
		mov	[ebp+var_8C], eax
		xor	eax, eax
		test	cl, cl
		setz	al
		add	eax, 427h
		movzx	eax, ax
		mov	[ebp+var_7C], eax
		xor	eax, eax
		test	cl, cl
		setz	al
		add	eax, 280h
		movzx	eax, ax
		mov	[ebp+var_98], eax
		jmp	loc_7789FA
EtwpEnumerateAddressSpace endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmEnumerateAddressSpaceAndReferenceImages proc near
					; CODE XREF: EtwpEnumerateAddressSpace+109p
					; EtwpCovSampEnumerateProcess(x,x)+8Cp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DADC5 SIZE 00000138 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	eax, eax
		mov	[ebp+var_2C], ebx
		mov	ecx, 6
		mov	[ebp+var_20], eax
		push	edi
		lea	edi, [ebp+var_1C]
		rep stosd
		test	dl, 1
		jz	short loc_778CA6
		mov	eax, 1
		mov	[ebp+var_20], eax

loc_778CA6:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+2Cj
		test	dl, 2
		jnz	loc_8DADC5

loc_778CAF:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+16215Bj
		test	dl, 4
		jnz	loc_8DADD0

loc_778CB8:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+162166j
		mov	edi, large fs:124h
		xor	esi, esi
		mov	[ebp+var_28], edi
		cmp	[edi+80h], ebx
		jnz	loc_778ED3
		mov	[ebp+var_30], esi

loc_778CD3:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+277j
		mov	edx, ebx
		mov	ecx, edi
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	ecx, [ebx+358h]
		test	ecx, ecx
		jz	loc_778E78
		inc	ecx
		cmp	ecx, 7FFFFFFh
		ja	loc_778E78
		push	0
		shl	ecx, 5
		mov	edx, 3031704Dh
		push	100h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_34], esi
		test	esi, esi
		jz	loc_778E78
		mov	ecx, [ebx+350h]
		xor	esi, esi
		mov	[ebp+var_24], eax
		test	ecx, ecx
		jz	short loc_778D2F

loc_778D27:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+BDj
		mov	esi, ecx
		mov	ecx, [ecx]
		test	ecx, ecx
		jnz	short loc_778D27

loc_778D2F:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+B5j
		test	esi, esi
		jz	loc_778E6F

loc_778D37:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+1F3j
		mov	eax, [esi+4]
		mov	ebx, esi
		mov	ecx, esi
		test	eax, eax
		jz	loc_778E9A
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_778D5A
		mov	edi, edi

loc_778D50:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+E8j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_778D50

loc_778D5A:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+DCj
					; MmEnumerateAddressSpaceAndReferenceImages+230j ...
		mov	edx, ebx
		mov	ecx, edi
		call	_MiLockVadShared@8 ; MiLockVadShared(x,x)
		mov	edx, [ebx+1Ch]
		mov	ecx, ebx
		mov	edi, edx
		shr	edi, 4
		and	edi, 7
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		cmp	eax, 1
		jz	loc_778E55
		cmp	edi, 1
		jz	loc_778E55
		test	edx, 100000h
		jnz	loc_778E4B
		mov	eax, [ebp+var_20]
		cmp	edi, 2
		jnz	loc_778EBD
		and	edx, 0F80h
		cmp	edx, 380h
		jnz	loc_778EBD
		test	al, 1
		jz	loc_778EBD
		mov	eax, [ebx+2Ch]
		mov	edi, [eax]
		mov	ecx, edi
		call	MiReferenceControlAreaFile
		mov	edx, [ebp+var_24]
		mov	[edx], eax
		mov	eax, [ebx+0Ch]
		shl	eax, 0Ch
		mov	[edx+4], eax
		mov	eax, [edi]
		mov	eax, [eax+18h]
		mov	[edx+8], eax
		mov	eax, [ebx+10h]
		sub	eax, [ebx+0Ch]
		inc	eax
		shl	eax, 0Ch
		mov	[edx+0Ch], eax
		mov	eax, [edi]
		mov	eax, [eax+24h]
		mov	eax, [eax+2Ch]
		mov	[edx+14h], eax
		mov	eax, [ebx+28h]
		test	eax, 8000000h
		jnz	loc_778EC6
		mov	eax, [edi]
		movzx	ecx, byte ptr [eax+0Bh]
		mov	eax, [edx+4]
		and	ecx, 0FFFFFFF0h
		and	eax, 0FFFFFC3Fh
		shl	ecx, 2
		or	ecx, eax
		mov	[edx+4], ecx
		mov	eax, [edi]
		movzx	eax, byte ptr [eax+0Bh]
		shl	eax, 9
		xor	eax, ecx
		and	eax, 1C00h
		xor	eax, ecx

loc_778E2C:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+25Ej
		test	byte ptr [ebp+var_20], 2
		mov	[edx+4], eax
		jnz	loc_8DAEB0

loc_778E39:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+16223Bj
					; MmEnumerateAddressSpaceAndReferenceImages+16226Dj ...
		mov	edi, [ebp+var_28]
		mov	edx, ebx
		mov	ecx, edi
		call	_MiUnlockVadShared@8 ; MiUnlockVadShared(x,x)
		add	[ebp+var_24], 20h
		jmp	short loc_778E61
; 

loc_778E4B:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+11Dj
		cmp	[ebp+var_20], 4
		jnb	loc_8DADDB

loc_778E55:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+108j
					; MmEnumerateAddressSpaceAndReferenceImages+111j ...
		mov	edi, [ebp+var_28]
		mov	edx, ebx
		mov	ecx, edi
		call	_MiUnlockVadShared@8 ; MiUnlockVadShared(x,x)

loc_778E61:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+1D9j
		test	esi, esi
		jnz	loc_778D37
		mov	eax, [ebp+var_24]
		mov	ebx, [ebp+var_2C]

loc_778E6F:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+C1j
		mov	esi, [ebp+var_34]
		mov	dword ptr [eax], 0

loc_778E78:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+74j
					; MmEnumerateAddressSpaceAndReferenceImages+81j ...
		mov	edx, ebx
		mov	ecx, edi
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		cmp	[ebp+var_30], 1
		jz	short loc_778EEC

loc_778E87:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+286j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_778E9A:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+D0j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	loc_778D5A

loc_778EA6:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+246j
		cmp	[esi], ecx
		jz	loc_778D5A
		mov	ecx, esi
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_778EA6
		jmp	loc_778D5A
; 

loc_778EBD:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+129j
					; MmEnumerateAddressSpaceAndReferenceImages+13Bj ...
		test	al, 2
		jz	short loc_778E55
		jmp	loc_8DAEE2
; 

loc_778EC6:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+18Bj
		mov	eax, [edx+4]
		and	eax, 0FFFFE03Fh
		jmp	loc_778E2C
; 

loc_778ED3:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+5Aj
		lea	eax, [ebp+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	KiStackAttachProcess
		mov	[ebp+var_30], 1
		jmp	loc_778CD3
; 

loc_778EEC:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+215j
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	short loc_778E87
MmEnumerateAddressSpaceAndReferenceImages endp


;  S U B	R O U T	I N E 


PsIsImageNotifyEnabled proc near	; CODE XREF: DbgkCreateThread:loc_76F33Ep
					; MiMapViewOfImageSection+268p

; FUNCTION CHUNK AT 008DAEFD SIZE 00000010 BYTES

		mov	eax, ds:_PspNotifyEnableMask
		test	al, 1
		jz	loc_8DAEFD

loc_778F05:				; CODE XREF: PsIsImageNotifyEnabled+16200Cj
		mov	al, 1
		retn
PsIsImageNotifyEnabled endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMarkSharedImageCfgBits proc near	; CODE XREF: MiMarkProcessCfgBits(x,x,x,x,x,x,x)+11p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DAF0D SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		mov	edx, [ebp+arg_0]
		mov	eax, large fs:124h
		push	ebx
		mov	ebx, ecx
		mov	[esp+48h+var_24], 0
		mov	ecx, [edx+2Ch]
		push	esi
		mov	[esp+4Ch+var_20], 0
		mov	eax, [eax+80h]
		mov	ecx, [ecx]
		push	edi
		mov	[esp+50h+var_28], ebx
		mov	[esp+50h+var_1C], eax
		call	_MiGetControlAreaLoadConfig@4 ;	MiGetControlAreaLoadConfig(x)
		mov	esi, [edx+10h]
		mov	edi, [edx+0Ch]
		inc	esi
		shl	edi, 0Ch
		xor	edx, edx
		mov	eax, [eax+0Ch]
		shl	esi, 0Ch
		sub	esi, edi
		mov	[esp+50h+var_2C], eax
		shr	edi, 4
		add	edi, edi
		shr	esi, 4
		shr	edi, 3
		add	esi, esi
		add	edi, [ebx]
		mov	ebx, [ebx+8]
		shr	esi, 3
		mov	[esp+50h+var_3C], edi
		mov	[esp+50h+var_40], ebx
		lea	eax, [ebx+18h]
		mov	ecx, eax
		mov	[esp+50h+var_34], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, ebx
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		test	eax, eax
		jnz	loc_8DAF0D
		lea	eax, [esi+edi]
		lea	ecx, [eax-1]
		mov	[esp+50h+var_30], eax
		xor	eax, eax
		lea	edi, [esp+50h+var_18]
		stosd
		or	ecx, 0FFFh
		mov	[esp+50h+var_38], ecx
		stosd
		stosd
		stosd
		stosd
		mov	edi, [esp+50h+var_3C]
		mov	esi, edi
		and	esi, 0FFFFF000h
		cmp	esi, ecx
		ja	short loc_779031
		lea	ecx, [ecx+0]

loc_778FE0:				; CODE XREF: MiMarkSharedImageCfgBits+11Fj
		mov	edx, ebx
		mov	ecx, esi
		call	_MiIsCfgBitMapPageShared@8 ; MiIsCfgBitMapPageShared(x,x)
		cmp	eax, 2
		jnz	short loc_779061
		mov	edi, esi
		or	edi, 0FFFh

loc_778FF6:				; CODE XREF: MiMarkSharedImageCfgBits+169j
					; MiMarkSharedImageCfgBits+171j
		mov	ecx, [esp+50h+var_1C]
		lea	eax, [esp+50h+var_24]
		push	eax
		lea	eax, [esp+54h+var_20]
		mov	edx, ebx
		push	eax
		push	0
		push	2
		push	edi
		push	esi
		call	_MiSetProtectionOnSection@32 ; MiSetProtectionOnSection(x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_779033
		lea	esi, [edi-0FFFh]
		mov	edi, [esp+68h+var_54]

loc_779021:				; CODE XREF: MiMarkSharedImageCfgBits+1C9j
		mov	ebx, [esp+68h+var_58]

loc_779025:				; CODE XREF: MiMarkSharedImageCfgBits+154j
		add	esi, 1000h
		cmp	esi, [esp+68h+var_50]
		jbe	short loc_778FE0

loc_779031:				; CODE XREF: MiMarkSharedImageCfgBits+CBj
					; MiMarkSharedImageCfgBits+1DCj
		xor	ebx, ebx

loc_779033:				; CODE XREF: MiMarkSharedImageCfgBits+105j
					; MiMarkSharedImageCfgBits+1CFj
		mov	esi, [esp+68h+var_4C]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_779086

loc_779044:				; CODE XREF: MiMarkSharedImageCfgBits+17Dj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, ebx

loc_77904D:				; CODE XREF: MiMarkSharedImageCfgBits+162021j
		mov	ecx, [esp+68h+var_1C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_779061:				; CODE XREF: MiMarkSharedImageCfgBits+DCj
		cmp	eax, 1
		jz	short loc_779025
		cmp	eax, 3
		jnz	short loc_77908F
		mov	eax, [esp+50h+var_38]
		mov	edi, esi
		or	edi, 1FFFFFh
		cmp	edi, eax
		jbe	loc_778FF6
		mov	edi, eax
		jmp	loc_778FF6
; 

loc_779086:				; CODE XREF: MiMarkSharedImageCfgBits+132j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_779044
; 

loc_77908F:				; CODE XREF: MiMarkSharedImageCfgBits+159j
		mov	edx, [esp+50h+var_30]
		mov	eax, edi
		sub	eax, esi
		cmp	esi, edi
		sbb	ecx, ecx
		and	ecx, eax
		lea	eax, [esi+1000h]
		cmp	eax, edx
		ja	short loc_7790E4
		mov	eax, 1000h
		sub	eax, ecx

loc_7790AE:				; CODE XREF: MiMarkSharedImageCfgBits+1DAj
		push	eax		; size_t
		mov	edx, [esp+54h+var_2C]
		lea	eax, [esp+54h+var_18]
		push	eax		; int
		mov	eax, ecx
		sub	eax, edi
		add	eax, esi
		shr	eax, 1
		shl	eax, 7
		push	eax		; int
		push	ebx		; int
		lea	eax, [ecx+esi]
		push	eax		; int
		push	0		; int
		push	ecx		; int
		mov	ecx, [esp+6Ch+var_28]
		call	MiCopyToCfgBitMap
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_779021
		jmp	loc_779033
; 

loc_7790E4:				; CODE XREF: MiMarkSharedImageCfgBits+195j
		mov	eax, edx
		sub	eax, ecx
		sub	eax, esi
		jnz	short loc_7790AE
		jmp	loc_779031
MiMarkSharedImageCfgBits endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMarkPrivateOpenCfgBits(x,	x, x, x)
_MiMarkPrivateOpenCfgBits@16 proc near	; CODE XREF: MiMarkProcessCfgBits(x,x,x,x,x,x,x)+39p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFh
		and	eax, 0FFFFF000h
		push	eax
		push	edx
		xor	edx, edx
		cmp	[ebp+arg_4], 1
		push	0
		push	ecx
		setnz	dl
		call	MiPopulateCfgBitMap
		pop	ebp
		retn	8
_MiMarkPrivateOpenCfgBits@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPopulateCfgBitMap proc near		; CODE XREF: MiMarkPrivateOpenCfgBits(x,x,x,x)+20p
					; MiCfgMarkValidEntries+11Dp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DAF36 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_24], edx
		stosd
		mov	[ebp+var_28], ecx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, [ebp+arg_C]
		inc	eax
		sub	edi, ebx
		shr	ebx, 4
		add	ebx, ebx
		shr	edi, 4
		shr	ebx, 3
		add	edi, edi
		add	ebx, [ecx]
		cmp	eax, edx
		lea	edx, [ebp+var_18]
		sbb	eax, eax
		and	eax, edx
		xor	edx, edx
		mov	[ebp+var_20], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_1C], eax
		lea	esi, [eax+18h]
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_1C]
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		test	eax, eax
		jnz	loc_8DAF36
		mov	edx, [ebp+var_24]
		shr	edi, 3
		push	edi		; size_t
		push	[ebp+var_20]	; int
		push	eax		; int
		push	ecx		; int
		push	ebx		; int
		push	[ebp+arg_4]	; int
		push	ecx		; int
		mov	ecx, [ebp+var_28]
		call	MiCopyToCfgBitMap
		mov	edi, eax
		or	edx, 0FFFFFFFFh
		lock xadd [esi], edx
		and	dl, 6
		cmp	dl, 2
		jz	short loc_7791CD

loc_7791B3:				; CODE XREF: MiPopulateCfgBitMap+B8j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, edi

loc_7791BC:				; CODE XREF: MiPopulateCfgBitMap+161E3Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_7791CD:				; CODE XREF: MiPopulateCfgBitMap+95j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7791B3
MiPopulateCfgBitMap endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiCopyToCfgBitMap(int,int,int,int,int,int,size_t)
MiCopyToCfgBitMap proc near		; CODE XREF: MiMarkSharedImageCfgBits+1C0p
					; MiPopulateCfgBitMap+81p

var_84		= dword	ptr -84h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008DAF5B SIZE 00000033 BYTES
; FUNCTION CHUNK AT 008DAFAB SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1080
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_20], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_44], edx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_54], 0
		mov	[ebp+var_50], 0
		cmp	edx, 1
		ja	loc_7795BE

loc_779235:				; CODE XREF: MiCopyToCfgBitMap+3E4j
					; MiCopyToCfgBitMap+3F2j
		mov	edi, edx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_6C], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], 0
		mov	ebx, [ebp+arg_10]
		mov	[ebp+var_34], ebx
		mov	[ebp+var_4C], 0
		mov	[ebp+var_3C], 1000h
		cmp	edx, 1
		ja	loc_7795D7
		test	edx, edx
		jnz	loc_779732
		mov	edx, dword_6D34F8

loc_779272:				; CODE XREF: MiCopyToCfgBitMap+558j
					; MiCopyToCfgBitMap+161D91j
		mov	[ebp+var_24], edx

loc_779275:				; CODE XREF: MiCopyToCfgBitMap+41Ej
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_30], eax
		and	eax, 0FFFh
		mov	esi, [ebp+arg_18]
		and	esi, 0FFFh
		add	eax, 0FFFh
		add	esi, eax
		shr	esi, 0Ch
		mov	ecx, [ebp+arg_18]
		mov	eax, ecx
		shr	eax, 0Ch
		add	esi, eax
		mov	[ebp+var_48], esi
		xor	esi, esi

loc_7792A2:				; CODE XREF: MiCopyToCfgBitMap+14Cj
		test	ecx, ecx
		jz	loc_779331
		mov	esi, [ebp+var_3C]
		lea	ecx, [esi-1]
		mov	eax, ecx
		and	eax, [ebp+var_30]
		sub	esi, eax
		mov	[ebp+var_28], esi
		mov	eax, [ebp+arg_18]
		cmp	esi, eax
		jb	short loc_7792C6
		mov	esi, eax
		mov	[ebp+var_28], eax

loc_7792C6:				; CODE XREF: MiCopyToCfgBitMap+DFj
		cmp	[ebp+var_44], 1
		ja	loc_77936C

loc_7792D0:				; CODE XREF: MiCopyToCfgBitMap+19Aj
					; MiCopyToCfgBitMap+3D9j
		mov	edi, [ebp+var_28]

loc_7792D3:				; CODE XREF: MiCopyToCfgBitMap+516j
		push	ecx
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+var_30]
		call	_MiSplitPrivatePage@12 ; MiSplitPrivatePage(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8DAFAB
		push	edi		; size_t
		mov	edi, [ebp+var_24]
		push	edi		; void *
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+var_30]
		call	_MiCopyToUserVa@16 ; MiCopyToUserVa(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8DAFAB
		mov	ecx, [ebp+var_38]
		test	ecx, ecx
		jnz	loc_7796FB
		cmp	[ebp+var_44], 1
		ja	loc_77953B

loc_779318:				; CODE XREF: MiCopyToCfgBitMap+361j
					; MiCopyToCfgBitMap+523j
		mov	edx, [ebp+var_24]

loc_77931B:				; CODE XREF: MiCopyToCfgBitMap+393j
		mov	eax, [ebp+var_28]
		add	[ebp+var_30], eax
		mov	ecx, [ebp+arg_18]
		sub	ecx, eax
		mov	[ebp+arg_18], ecx
		mov	edi, [ebp+var_2C]
		jmp	loc_7792A2
; 

loc_779331:				; CODE XREF: MiCopyToCfgBitMap+C4j
					; MiCopyToCfgBitMap+161DD1j
		mov	ebx, [ebp+var_48]
		cmp	[ebp+var_4C], 0
		jnz	loc_779603

loc_77933E:				; CODE XREF: MiCopyToCfgBitMap+42Bj
		test	edi, edi
		jnz	loc_779578

loc_779346:				; CODE XREF: MiCopyToCfgBitMap+3C4j
					; MiCopyToCfgBitMap+161DFDj ...
		mov	eax, esi
		lea	esp, [ebp-84h]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_20]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_77936C:				; CODE XREF: MiCopyToCfgBitMap+EAj
		cmp	[ebp+arg_4], 1
		jz	loc_779610
		cmp	[ebp+arg_4], 0
		jnz	loc_7792D0
		mov	[ebp+var_50], edx
		lea	eax, ds:0[esi*8]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_54]
		push	eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		mov	eax, esi
		shr	eax, 1
		shl	eax, 7
		add	eax, ebx
		mov	[ebp+var_5C], eax
		mov	esi, [ebp+arg_14]
		mov	ecx, [esi]
		test	ecx, ecx
		jz	loc_779708
		nop

loc_7793B0:				; CODE XREF: MiCopyToCfgBitMap+314j
					; MiCopyToCfgBitMap+53Fj
		cmp	ecx, ebx
		jb	short loc_779412
		cmp	ecx, eax
		jnb	loc_7795A9
		mov	edx, [esi+4]
		test	dl, 1
		jz	short loc_779412
		mov	eax, ecx
		sub	eax, ebx
		shr	eax, 4
		add	eax, eax
		and	ecx, 0Fh
		mov	ebx, [ebp+var_68]
		cmp	ecx, [ebx+0Ch]
		jnz	loc_77973D
		lea	esi, [eax+1]
		mov	ebx, [ebp+var_24]
		test	dl, 4
		mov	edx, eax
		jnz	loc_779506
		shr	edx, 3
		movsx	ecx, byte ptr [edx+ebx]
		and	eax, 7
		bts	ecx, eax
		mov	[edx+ebx], cl
		mov	ecx, esi
		shr	ecx, 3
		movsx	eax, byte ptr [ecx+ebx]
		and	esi, 7
		btr	eax, esi

loc_77940C:				; CODE XREF: MiCopyToCfgBitMap+345j
		mov	esi, [ebp+arg_14]
		mov	[ecx+ebx], al

loc_779412:				; CODE XREF: MiCopyToCfgBitMap+1D2j
					; MiCopyToCfgBitMap+1E2j ...
		lea	ebx, [esi+8]
		mov	[ebp+var_74], ebx
		inc	dword ptr [ebx+4]
		mov	eax, [ebx+4]
		mov	[ebp+var_60], eax
		mov	esi, [edi+0Ch]
		mov	edi, [ebx]
		mov	eax, [ebx+8]
		mov	edx, [ebp+var_2C]
		mov	edx, [edx+8]
		add	edx, eax
		sub	esi, eax
		jz	loc_779727
		lea	esp, [esp+0]

loc_779440:				; CODE XREF: MiCopyToCfgBitMap+31Bj
		mov	al, [edx]
		inc	edx
		dec	esi
		movzx	ecx, al
		mov	eax, ecx
		shr	eax, 6
		and	ecx, 3Fh
		imul	ecx, ds:_RtlpRvaCompressionTableScales[eax*4]
		add	edi, ecx
		cmp	eax, 3
		jnz	loc_7794F9
		mov	[ebx], edi
		mov	edi, [ebp+var_2C]
		sub	edx, [edi+8]
		mov	[ebx+8], edx
		mov	esi, [ebp+arg_14]
		lea	eax, [esi+4]
		test	eax, eax
		jz	short loc_7794E4
		xor	eax, eax
		mov	[ebp+var_58], eax
		mov	ebx, [edi+4]
		mov	[ebp+var_70], ebx
		cmp	ebx, 1
		jbe	loc_77952A
		mov	edx, ebx
		imul	edx, [ebp+var_60]
		xor	edi, edi
		mov	eax, [ebp+var_6C]
		mov	eax, [eax+14h]
		mov	[ebp+var_60], eax
		lea	esi, [edi+1]
		nop

loc_7794A0:				; CODE XREF: MiCopyToCfgBitMap+2F3j
		mov	eax, edx
		shr	eax, 3
		mov	cl, dl
		and	cl, 7
		mov	ebx, [ebp+var_60]
		mov	al, [eax+ebx]
		sar	al, cl
		test	al, 1
		mov	ebx, [ebp+var_70]
		jz	short loc_7794CD
		mov	eax, [ebp+var_2C]
		mov	eax, [eax+18h]
		test	eax, eax
		jz	loc_8DAFB6
		mov	eax, [eax+edi*4]

loc_7794CA:				; CODE XREF: MiCopyToCfgBitMap+161DD8j
		or	[ebp+var_58], eax

loc_7794CD:				; CODE XREF: MiCopyToCfgBitMap+2D7j
		inc	edi
		inc	edx
		rol	esi, 1
		cmp	edi, ebx
		jb	short loc_7794A0
		mov	eax, [ebp+var_58]
		mov	edi, [ebp+var_2C]
		mov	esi, [ebp+arg_14]

loc_7794DE:				; CODE XREF: MiCopyToCfgBitMap:loc_77952Aj
					; MiCopyToCfgBitMap+359j ...
		mov	[esi+4], eax
		mov	ebx, [ebp+var_74]

loc_7794E4:				; CODE XREF: MiCopyToCfgBitMap+295j
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	loc_77972A
		mov	ebx, [ebp+arg_10]
		mov	eax, [ebp+var_5C]
		jmp	loc_7793B0
; 

loc_7794F9:				; CODE XREF: MiCopyToCfgBitMap+27Cj
		test	esi, esi
		jnz	loc_779440
		jmp	loc_8DAFC7
; 

loc_779506:				; CODE XREF: MiCopyToCfgBitMap+207j
		shr	edx, 3
		movsx	ecx, byte ptr [edx+ebx]
		and	eax, 7
		btr	ecx, eax
		mov	[edx+ebx], cl
		mov	ecx, esi
		shr	ecx, 3
		movsx	eax, byte ptr [ecx+ebx]
		and	esi, 7
		bts	eax, esi
		jmp	loc_77940C
; 

loc_77952A:				; CODE XREF: MiCopyToCfgBitMap+2A5j
		jnz	short loc_7794DE
		mov	eax, [edi+18h]
		test	eax, eax
		jz	loc_8DAFBD
		mov	eax, [eax]
		jmp	short loc_7794DE
; 

loc_77953B:				; CODE XREF: MiCopyToCfgBitMap+132j
		mov	eax, [ebp+arg_14]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_779318
		cmp	[ebp+var_4C], 0
		jz	short loc_77955C
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_4C], 0

loc_77955C:				; CODE XREF: MiCopyToCfgBitMap+36Bj
		mov	[ebp+var_44], 1
		mov	[ebp+var_3C], 1000h
		mov	edx, dword_6D34F4
		mov	[ebp+var_24], edx
		jmp	loc_77931B
; 

loc_779578:				; CODE XREF: MiCopyToCfgBitMap+160j
		mov	edx, [ebp+arg_8]
		test	esi, esi
		js	loc_8DAFD8

loc_779583:				; CODE XREF: MiCopyToCfgBitMap+161E1Dj
		shl	ebx, 0Ch
		push	ebx
		and	edx, 0FFFFF000h
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		add	ecx, 240h
		call	MiEliminateZeroPages
		jmp	loc_779346
; 

loc_7795A9:				; CODE XREF: MiCopyToCfgBitMap+1D6j
		test	ecx, ecx
		jz	loc_77972A

loc_7795B1:				; CODE XREF: MiCopyToCfgBitMap+54Dj
		mov	ebx, [ebp+var_5C]
		mov	[ebp+arg_10], ebx
		mov	[esi], ecx
		jmp	loc_7792D0
; 

loc_7795BE:				; CODE XREF: MiCopyToCfgBitMap+4Fj
		mov	eax, [ebp+arg_14]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	loc_779235
		mov	edx, 1
		mov	[ebp+var_44], edx
		jmp	loc_779235
; 

loc_7795D7:				; CODE XREF: MiCopyToCfgBitMap+7Ej
		push	0
		push	40h
		mov	edx, 6554694Dh
		mov	ecx, 1000h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_24], edx
		test	edx, edx
		jz	loc_8DAF5B
		mov	[ebp+var_4C], 1
		jmp	loc_779275
; 

loc_779603:				; CODE XREF: MiCopyToCfgBitMap+158j
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_77933E
; 

loc_779610:				; CODE XREF: MiCopyToCfgBitMap+190j
		mov	esi, [ebp+var_38]
		mov	edi, [ebp+var_40]
		cmp	esi, [edi]
		jnb	loc_8DAF86
		mov	eax, [edi+4]
		mov	eax, [eax+esi*8]
		mov	esi, [ebp+var_34]
		sub	eax, esi
		mov	edx, ecx
		not	edx
		and	edx, eax
		mov	eax, edx
		shr	eax, 4
		add	eax, eax
		shr	eax, 3
		mov	edi, [ebp+var_3C]
		cmp	eax, edi
		jnb	loc_8DAF76

loc_779644:				; CODE XREF: MiCopyToCfgBitMap+161DA1j
		mov	edx, [ebp+var_24]
		mov	eax, [ebp+arg_18]

loc_77964A:				; CODE XREF: MiCopyToCfgBitMap+161DA9j
		mov	esi, [ebp+var_30]
		and	ecx, esi
		sub	edi, ecx
		mov	[ebp+var_28], edi
		cmp	edi, eax
		jb	short loc_77965D
		mov	edi, eax
		mov	[ebp+var_28], eax

loc_77965D:				; CODE XREF: MiCopyToCfgBitMap+476j
		mov	[ebp+var_4], 0
		push	edi		; size_t
		push	esi		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_24]
		mov	[ebp+var_50], eax
		lea	eax, ds:0[edi*8]
		mov	[ebp+var_54], eax
		mov	ecx, [ebp+var_38]
		mov	eax, [ebp+var_40]
		cmp	ecx, [eax]
		jnb	short loc_7796EC
		shr	edi, 1
		shl	edi, 7

loc_779695:				; CODE XREF: MiCopyToCfgBitMap+507j
		mov	eax, [eax+4]
		mov	esi, [eax+ecx*8]
		sub	esi, [ebp+var_34]
		cmp	esi, edi
		jnb	short loc_7796E9
		shr	esi, 4
		add	esi, esi
		test	byte ptr [eax+ecx*8+4],	5
		jz	loc_77974E
		lea	edx, [esi+1]
		mov	ecx, edx
		shr	ecx, 3
		add	ecx, [ebp+var_24]
		movsx	eax, byte ptr [ecx]
		and	edx, 7
		btr	eax, edx
		mov	[ecx], al
		mov	ecx, esi
		shr	ecx, 3
		add	ecx, [ebp+var_24]
		movsx	eax, byte ptr [ecx]
		and	esi, 7
		bts	eax, esi
		mov	[ecx], al

loc_7796DB:				; CODE XREF: MiCopyToCfgBitMap+57Aj
		mov	ecx, [ebp+var_38]
		inc	ecx
		mov	[ebp+var_38], ecx
		mov	eax, [ebp+var_40]
		cmp	ecx, [eax]
		jb	short loc_779695

loc_7796E9:				; CODE XREF: MiCopyToCfgBitMap+4C0j
		mov	edi, [ebp+var_28]

loc_7796EC:				; CODE XREF: MiCopyToCfgBitMap+4AEj
		mov	eax, edi
		shr	eax, 1
		shl	eax, 7
		add	[ebp+var_34], eax
		jmp	loc_7792D3
; 

loc_7796FB:				; CODE XREF: MiCopyToCfgBitMap+128j
		mov	eax, [ebp+var_40]
		mov	eax, [eax+8]
		mov	[eax], ecx
		jmp	loc_779318
; 

loc_779708:				; CODE XREF: MiCopyToCfgBitMap+1C9j
		lea	eax, [esi+4]
		push	eax
		lea	edx, [esi+8]
		mov	ecx, edi
		call	_RtlEnumRvaListFirst@12	; RtlEnumRvaListFirst(x,x,x)
		mov	[esi], eax
		mov	ecx, eax
		mov	eax, [ebp+var_5C]
		test	ecx, ecx
		jnz	loc_7793B0
		jmp	short loc_77972A
; 

loc_779727:				; CODE XREF: MiCopyToCfgBitMap+253j
		mov	esi, [ebp+arg_14]

loc_77972A:				; CODE XREF: MiCopyToCfgBitMap+308j
					; MiCopyToCfgBitMap+3CBj ...
		or	ecx, 0FFFFFFFFh
		jmp	loc_7795B1
; 

loc_779732:				; CODE XREF: MiCopyToCfgBitMap+86j
		mov	edx, dword_6D34F4
		jmp	loc_779272
; 

loc_77973D:				; CODE XREF: MiCopyToCfgBitMap+1F6j
		push	2
		push	eax
		lea	eax, [ebp+var_54]
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		jmp	loc_779412
; 

loc_77974E:				; CODE XREF: MiCopyToCfgBitMap+4CCj
		push	2
		push	esi
		lea	eax, [ebp+var_54]
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		jmp	loc_7796DB
MiCopyToCfgBitMap endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CcMapAndCopyFromCache(int,void *,int,int,int,int,int)
CcMapAndCopyFromCache proc near		; CODE XREF: CcPerformReadAhead+32Ap
					; CcCopyReadEx+120p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008DB002 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ecx
		mov	[esp+24h+var_20], 0
		push	ebx
		mov	[esp+28h+var_8], eax
		push	esi
		mov	eax, [eax+14h]
		mov	esi, edx
		push	edi
		xor	edi, edi
		mov	ebx, [eax+4]
		mov	[esp+30h+var_1C], ebx
		test	esi, esi
		jz	loc_779881
		mov	eax, [ebp+arg_18]
		mov	ecx, [ebp+arg_14]
		mov	[esp+30h+var_14], eax
		mov	[esp+30h+var_18], ecx

loc_7797A0:				; CODE XREF: CcMapAndCopyFromCache+13Aj
		push	eax
		xor	eax, eax
		mov	[esp+34h+var_10], 0
		cmp	[ebp+arg_4], eax
		lea	edx, [esp+34h+var_20]
		push	ecx
		setz	al
		mov	ecx, ebx
		push	eax
		push	0
		lea	eax, [esp+40h+var_10]
		push	eax
		call	CcGetVirtualAddress
		test	byte ptr [ebx+60h], 8
		mov	[esp+30h+var_4], eax
		jnz	loc_8DB002
		push	[ebp+arg_10]
		mov	ecx, [esp+34h+var_8]
		lea	edx, [ebp+arg_14]
		push	[ebp+arg_C]
		push	[esp+38h+var_20]
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		push	esi
		call	_CcFetchDataForRead@32 ; CcFetchDataForRead(x,x,x,x,x,x,x,x)
		test	al, al
		jz	loc_77989F

loc_7797F8:				; CODE XREF: CcMapAndCopyFromCache+1618ACj
		mov	ebx, [esp+30h+var_10]
		xor	ecx, ecx
		mov	edx, ebx
		add	[esp+30h+var_18], edx
		adc	ecx, [esp+30h+var_14]
		mov	edx, ecx
		mov	[esp+30h+var_14], edx
		cmp	ebx, esi
		jbe	short loc_779814
		mov	ebx, esi

loc_779814:				; CODE XREF: CcMapAndCopyFromCache+B0j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_77984A
		mov	ecx, [esp+30h+var_1C]
		test	dword ptr [ecx+60h], 1000h
		jnz	loc_8DB011
		mov	[esp+30h+var_C], 0

loc_779831:				; CODE XREF: CcMapAndCopyFromCache+1618B6j
		push	dword ptr [esp+30h+var_C] ; char
		mov	edx, [esp+34h+var_4] ; int
		mov	ecx, eax	; void *
		push	ebx		; size_t
		call	CcCopyBytesToUserBuffer
		mov	edi, eax
		test	edi, edi
		js	short loc_7798A4
		add	[ebp+arg_4], ebx

loc_77984A:				; CODE XREF: CcMapAndCopyFromCache+B9j
		mov	ecx, [esp+30h+var_20]
		call	CcFreeVirtualAddress
		mov	ecx, [esp+30h+var_18]
		mov	eax, [esp+30h+var_14]
		mov	[esp+30h+var_20], 0
		mov	[ebp+arg_14], ecx
		mov	[ebp+arg_18], eax
		sub	esi, ebx
		jnz	short loc_779896

loc_77986D:				; CODE XREF: CcMapAndCopyFromCache+14Aj
					; CcMapAndCopyFromCache+153j
		cmp	edi, 0C00000D8h
		jz	short loc_7798B5
		test	edi, edi
		js	loc_8DB01B
		mov	ebx, [esp+30h+var_1C]

loc_779881:				; CODE XREF: CcMapAndCopyFromCache+2Cj
		test	byte ptr [ebx+60h], 8
		jnz	loc_8DB031

loc_77988B:				; CODE XREF: CcMapAndCopyFromCache+1618DFj
		mov	al, 1
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_779896:				; CODE XREF: CcMapAndCopyFromCache+10Bj
		mov	ebx, [esp+30h+var_1C]
		jmp	loc_7797A0
; 

loc_77989F:				; CODE XREF: CcMapAndCopyFromCache+92j
					; CcMapAndCopyFromCache+1618A6j
		mov	edi, 0C00000D8h

loc_7798A4:				; CODE XREF: CcMapAndCopyFromCache+E5j
		mov	eax, [esp+30h+var_20]
		test	eax, eax
		jz	short loc_77986D
		mov	ecx, eax
		call	CcFreeVirtualAddress
		jmp	short loc_77986D
; 

loc_7798B5:				; CODE XREF: CcMapAndCopyFromCache+113j
		pop	edi
		pop	esi
		xor	al, al
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
CcMapAndCopyFromCache endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmHardFaultBytesRequired proc near	; CODE XREF: CcFetchDataForRead(x,x,x,x,x,x,x,x)+73p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DB044 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx+14h]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	ebx, [edx+0FFFh]
		mov	ecx, [eax]
		lea	edx, [ebp+var_C]
		push	edi
		push	[ebp+arg_4]
		mov	eax, esi
		mov	[ebp+var_C], 0
		and	eax, 0FFFh
		mov	[ebp+var_8], 0
		add	ebx, eax
		push	esi
		shr	ebx, 0Ch
		call	MiOffsetToProtos
		mov	ecx, [ebp+var_C]
		mov	edi, eax
		mov	[ebp+var_4], edi
		mov	edx, [edi+4]
		lea	esi, [edx+ecx*8]
		mov	ecx, [edi+1Ch]
		lea	eax, [edx+ecx*8]
		mov	[ebp+arg_4], eax
		test	ebx, ebx
		jz	short loc_779958
		lea	ebx, [ebx+0]

loc_779920:				; CODE XREF: MmHardFaultBytesRequired+96j
		cmp	esi, eax
		jnb	short loc_77998E

loc_779924:				; CODE XREF: MmHardFaultBytesRequired+E0j
		mov	edi, [esi]
		nop
		mov	edx, [esi+4]
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_77993E
		push	edx
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	edi, eax

loc_77993E:				; CODE XREF: MmHardFaultBytesRequired+73j
		mov	ecx, edi
		and	ecx, 1
		or	ecx, 0
		jz	short loc_779963

loc_779948:				; CODE XREF: MmHardFaultBytesRequired+B9j
					; MmHardFaultBytesRequired+161793j
		add	esi, 8
		sub	ebx, 1
		jz	short loc_779958
		mov	eax, [ebp+arg_4]
		mov	edi, [ebp+var_4]
		jmp	short loc_779920
; 

loc_779958:				; CODE XREF: MmHardFaultBytesRequired+58j
					; MmHardFaultBytesRequired+8Ej
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_779963:				; CODE XREF: MmHardFaultBytesRequired+86j
		mov	eax, edi
		and	eax, 400h
		or	eax, 0
		jnz	short loc_779980
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jnz	short loc_779948
		jmp	loc_8DB044
; 

loc_779980:				; CODE XREF: MmHardFaultBytesRequired+ADj
					; MmHardFaultBytesRequired+16178Dj
		pop	edi
		pop	esi
		mov	eax, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_77998E:				; CODE XREF: MmHardFaultBytesRequired+62j
		mov	edi, [edi+8]
		mov	[ebp+var_4], edi
		mov	esi, [edi+4]
		mov	eax, [edi+1Ch]
		lea	eax, [esi+eax*8]
		mov	[ebp+arg_4], eax
		jmp	short loc_779924
MmHardFaultBytesRequired endp

; 
		align 10h
; Exported entry 213. CcMapData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcMapData
CcMapData	proc near

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00779AA0 SIZE 00000004 BYTES
; FUNCTION CHUNK AT 008DB058 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A10E8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_1C], 0
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		mov	edi, [ebp+arg_14]
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		mov	ebx, [ebp+arg_C]
		push	ebx
		mov	esi, [ebp+arg_8]
		push	esi
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	CcMapDataCommon
		test	al, al
		jz	loc_779AA0
		test	bl, 10h
		jnz	short loc_779A57
		test	ebx, 100h
		jnz	loc_8DB058

loc_779A25:				; CODE XREF: CcMapData+1616CBj
		mov	[ebp+var_4], 0
		mov	[ebp+arg_14], 1
		mov	eax, [edi]
		push	eax
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	_CcMapAndRead@16 ; CcMapAndRead(x,x,x,x)
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [ebp+var_20]
		mov	[ebp+arg_14], 0
		call	sub_779A89

loc_779A57:				; CODE XREF: CcMapData+67j
		mov	eax, large fs:124h
		mov	eax, [eax+328h]
		add	large fs:690h, eax
		mov	ecx, [ebp+var_1C]
		inc	ecx
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		mov	al, 1

loc_779A75:				; CODE XREF: CcMapData+F2j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
CcMapData	endp


;  S U B	R O U T	I N E 


sub_779A89	proc near		; CODE XREF: CcMapData+A2p
					; sub_8DB080+6j

; FUNCTION CHUNK AT 008DB08B SIZE 0000002D BYTES

		test	ebx, 100h
		jnz	loc_8DB08B

loc_779A95:				; CODE XREF: sub_779A89+161611j
		cmp	dword ptr [ebp+1Ch], 0
		jnz	loc_8DB09F

locret_779A9F:				; CODE XREF: sub_779A89+16161Bj
					; sub_779A89+16162Aj
		retn
sub_779A89	endp

; 
; START	OF FUNCTION CHUNK FOR CcMapData

loc_779AA0:				; CODE XREF: CcMapData+5Ej
		xor	al, al
		jmp	short loc_779A75
; END OF FUNCTION CHUNK	FOR CcMapData
; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReleaseVadEventBlocks	proc near	; CODE XREF: MiRemoveVadCharges+A0p
					; MiReserveUserMemory+48Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DB0B8 SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	[ebp+var_8], edx
		mov	esi, ecx
		push	edi
		mov	edi, [eax+80h]
		mov	edx, 0FFFFFFDEh
		mov	[ebp+var_4], 0
		call	MiGetVadWakeList
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_779B20

loc_779AE3:				; CODE XREF: MiReleaseVadEventBlocks+AAj
		mov	ecx, [esi+1Ch]
		test	ecx, 100000h
		jnz	short loc_779AFE

loc_779AEE:				; CODE XREF: MiReleaseVadEventBlocks+66j
					; MiReleaseVadEventBlocks+16163Cj ...
		mov	edx, esi
		mov	ecx, edi
		call	_MiFreePhysicalView@8 ;	MiFreePhysicalView(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_779AFE:				; CODE XREF: MiReleaseVadEventBlocks+3Cj
		mov	eax, ecx
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnb	loc_8DB0E9
		test	ecx, 400000h
		jz	short loc_779AEE
		jmp	loc_8DB0E9
; 
		align 10h

loc_779B20:				; CODE XREF: MiReleaseVadEventBlocks+31j
					; MiReleaseVadEventBlocks+ACj
		mov	eax, [ebx]
		mov	[ebp+var_C], eax
		mov	eax, [ebx+24h]
		test	al, 10h
		jnz	loc_8DB0B8

loc_779B30:				; CODE XREF: MiReleaseVadEventBlocks+161625j
		test	al, 8
		jnz	short loc_779B7A

loc_779B34:				; CODE XREF: MiReleaseVadEventBlocks+D4j
		test	al, 4
		jnz	short loc_779B6C

loc_779B38:				; CODE XREF: MiReleaseVadEventBlocks+C8j
		test	al, 40h
		jnz	short loc_779B5E

loc_779B3C:				; CODE XREF: MiReleaseVadEventBlocks+BAj
		test	eax, 100h
		jnz	loc_8DB0DA

loc_779B47:				; CODE XREF: MiReleaseVadEventBlocks+161634j
		test	al, al
		js	short loc_779B86

loc_779B4B:				; CODE XREF: MiReleaseVadEventBlocks+DDj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_C]
		mov	ebx, eax
		test	eax, eax
		jz	short loc_779AE3
		jmp	short loc_779B20
; 

loc_779B5E:				; CODE XREF: MiReleaseVadEventBlocks+8Aj
		mov	edx, ebx
		mov	ecx, edi
		call	_MiFreeVadEventBitmapCharges@8 ; MiFreeVadEventBitmapCharges(x,x)
		mov	eax, [ebx+24h]
		jmp	short loc_779B3C
; 

loc_779B6C:				; CODE XREF: MiReleaseVadEventBlocks+86j
		mov	edx, ebx
		mov	ecx, edi
		call	_MiFreeVadEventBitmapCharges@8 ; MiFreeVadEventBitmapCharges(x,x)
		mov	eax, [ebx+24h]
		jmp	short loc_779B38
; 

loc_779B7A:				; CODE XREF: MiReleaseVadEventBlocks+82j
		mov	ecx, ebx
		call	_MiFreeRotateVadEvent@4	; MiFreeRotateVadEvent(x)
		mov	eax, [ebx+24h]
		jmp	short loc_779B34
; 

loc_779B86:				; CODE XREF: MiReleaseVadEventBlocks+99j
		mov	ecx, ebx
		call	_MiFreePlaceholderVadEvent@4 ; MiFreePlaceholderVadEvent(x)
		jmp	short loc_779B4B
MiReleaseVadEventBlocks	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRemoveVadCharges proc	near		; CODE XREF: MiFinishVadDeletion+C5p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DB115 SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_28], eax
		mov	esi, ecx
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	edi, eax
		xor	edx, edx
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edx
		call	_MiIsVadLarge@4	; MiIsVadLarge(x)
		test	eax, eax
		jnz	loc_8DB115

loc_779BD5:				; CODE XREF: MiRemoveVadCharges+16158Ej
					; MiRemoveVadCharges+1615A4j
		mov	ecx, [esi+20h]
		and	ecx, 7FFFFFFFh
		cmp	ecx, 0FFFFDh
		jnb	short loc_779C19
		test	edx, edx
		jnz	short loc_779C19
		mov	eax, [esi+4]
		lea	edx, [ebp+var_28]
		mov	[ebp+var_24], eax
		mov	eax, [esi]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_MiFillCommitReturnInfo@12 ; MiFillCommitReturnInfo(x,x,x)
		mov	edi, [ebp+var_10]
		test	edi, edi
		jnz	short loc_779C3C

loc_779C08:				; CODE XREF: MiRemoveVadCharges+B9j
					; MiRemoveVadCharges+1615B5j
		mov	edx, [ebp+var_C]
		test	edx, edx
		jnz	short loc_779C50

loc_779C0F:				; CODE XREF: MiRemoveVadCharges+D8j
					; MiRemoveVadCharges+1615D1j
		mov	edi, [ebp+var_4]

loc_779C12:				; CODE XREF: MiRemoveVadCharges+E4j
		and	dword ptr [esi+20h], 80000000h

loc_779C19:				; CODE XREF: MiRemoveVadCharges+54j
					; MiRemoveVadCharges+58j
		mov	eax, [esi+1Ch]
		and	eax, 70h
		cmp	eax, 40h
		jz	short loc_779C76
		cmp	eax, 10h
		jz	short loc_779C76

loc_779C29:				; CODE XREF: MiRemoveVadCharges+101j
					; MiRemoveVadCharges+10Cj
		mov	edx, 1
		mov	ecx, esi
		call	MiReleaseVadEventBlocks
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_779C3C:				; CODE XREF: MiRemoveVadCharges+76j
		mov	edx, edi
		mov	ecx, ebx
		call	_MiReturnFullProcessCharges@8 ;	MiReturnFullProcessCharges(x,x)
		cmp	[ebp+var_8], 0
		jz	short loc_779C08
		jmp	loc_8DB139
; 

loc_779C50:				; CODE XREF: MiRemoveVadCharges+7Dj
		lea	ecx, [ebx+240h]
		call	_MiGetSharedVm@4 ; MiGetSharedVm(x)
		mov	ecx, [eax+8]
		test	ecx, ecx
		jnz	loc_8DB14A

loc_779C66:				; CODE XREF: MiRemoveVadCharges+1615C7j
		test	edx, edx
		jz	short loc_779C0F
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		call	MiReturnCommit
		jmp	short loc_779C12
; 

loc_779C76:				; CODE XREF: MiRemoveVadCharges+92j
					; MiRemoveVadCharges+97j
		mov	edx, [esi+10h]
		mov	ecx, [esi+0Ch]
		shl	edx, 0Ch
		push	0
		or	edx, 0FFFh
		shl	ecx, 0Ch
		call	_MiResidentPagesForSpan@12 ; MiResidentPagesForSpan(x,x,x)
		test	eax, eax
		jz	short loc_779C29
		mov	edx, eax
		mov	ecx, edi
		call	_MiReturnResident@8 ; MiReturnResident(x,x)
		jmp	short loc_779C29
MiRemoveVadCharges endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReturnVadQuota proc near		; CODE XREF: MiFinishVadDeletion+BCp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DB166 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	eax, [edi+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jnb	short loc_779CED
		push	4Ch
		push	esi
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		cmp	[ebp+arg_0], 1
		jnz	short loc_779CE7
		mov	ecx, edi
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		test	eax, eax
		jnz	short loc_779CE7
		mov	eax, [edi+10h]
		sub	eax, [edi+0Ch]
		lea	eax, ds:8[eax*8]
		push	eax
		push	esi
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)

loc_779CE7:				; CODE XREF: MiReturnVadQuota+26j
					; MiReturnVadQuota+31j	...
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_779CED:				; CODE XREF: MiReturnVadQuota+18j
		jnz	short loc_779CE7
		jmp	loc_8DB166
MiReturnVadQuota endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvCheckBin	proc near		; CODE XREF: HvCheckHive+A7p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008DB173 SIZE 0000009D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_10]
		xor	ecx, ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], 0
		mov	[ebp+var_4], ecx
		mov	ebx, edx
		mov	[ebp+var_8], esi
		push	edi
		test	eax, eax
		jz	short loc_779D2B
		mov	[eax+110h], ebx

loc_779D2B:				; CODE XREF: HvCheckBin+23j
		mov	edx, [ebx+8]
		lea	edi, [ebx+20h]
		lea	eax, [edx+ebx]
		cmp	edi, eax
		jnb	short loc_779DB5
		jmp	short loc_779D40
; 
		align 10h

loc_779D40:				; CODE XREF: HvCheckBin+38j
					; HvCheckBin+ADj
		mov	esi, [edi]
		test	esi, esi
		jns	loc_779E58
		neg	esi
		cmp	esi, edx
		ja	loc_8DB187
		lea	ecx, [edx+ebx]
		lea	eax, [esi+edi]
		cmp	eax, ecx
		ja	loc_8DB187
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		add	ecx, 0FFFFFFFCh
		add	eax, esi
		add	ecx, esi
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		cmp	eax, edx
		ja	loc_8DB173
		mov	edx, [ebp+arg_C]
		test	edx, edx
		jz	short loc_779D89
		cmp	esi, 54h
		jnb	short loc_779DE6

loc_779D89:				; CODE XREF: HvCheckBin+82j
					; HvCheckBin+EFj ...
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_779DA3
		mov	eax, [ebx+4]
		sub	eax, ebx
		add	eax, edi
		push	1
		shr	eax, 3
		push	eax
		push	ecx
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)

loc_779DA3:				; CODE XREF: HvCheckBin+8Ej
					; HvCheckBin+18Bj ...
		mov	edx, [ebx+8]
		add	edi, esi
		lea	eax, [edx+ebx]
		cmp	edi, eax
		jb	short loc_779D40
		mov	ecx, [ebp+var_4]
		mov	esi, [ebp+var_8]

loc_779DB5:				; CODE XREF: HvCheckBin+36j
		mov	eax, [ebp+var_C]
		add	eax, 20h
		add	eax, ecx
		cmp	eax, edx
		jnz	loc_8DB1F3
		lea	eax, [edx+ebx]
		cmp	edi, eax
		jnz	loc_8DB1F7
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_779DD9
		add	[eax], esi

loc_779DD9:				; CODE XREF: HvCheckBin+D5j
		xor	esi, esi

loc_779DDB:				; CODE XREF: HvCheckBin+16147Dj
					; HvCheckBin+161491j ...
		mov	eax, esi

loc_779DDD:				; CODE XREF: HvCheckBin+1614EEj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_779DE6:				; CODE XREF: HvCheckBin+87j
		mov	eax, 6B6Eh
		cmp	[edi+4], ax
		jnz	short loc_779D89
		mov	eax, [edi+18h]
		lea	ecx, ds:14h[eax*8]
		mov	al, [edi+10h]
		test	al, 2
		jz	short loc_779E29
		mov	ecx, edx
		lea	ecx, [ecx+20h]
		call	_HvMoveLayoutStats@4 ; HvMoveLayoutStats(x)
		lea	ecx, [edx+10h]
		call	_HvMoveLayoutStats@4 ; HvMoveLayoutStats(x)
		mov	eax, edx
		mov	dword ptr [eax+30h], 0
		mov	dword ptr [eax+34h], 0
		jmp	loc_779D89
; 

loc_779E29:				; CODE XREF: HvCheckBin+100j
		lea	edx, [ecx+esi]
		mov	ecx, [ebp+arg_C]
		test	al, 1
		jz	short loc_779EA6
		lea	ecx, [ecx+20h]
		call	_HvAddToLayoutStats@8 ;	HvAddToLayoutStats(x,x)
		mov	edx, [ebp+arg_C]
		lea	ecx, [edx+10h]
		call	_HvMoveLayoutStats@4 ; HvMoveLayoutStats(x)
		cmp	dword ptr [edx+30h], 0
		jz	short loc_779EC6

loc_779E4C:				; CODE XREF: HvCheckBin+1CCj
		mov	dword ptr [edx+34h], 0
		jmp	loc_779D89
; 

loc_779E58:				; CODE XREF: HvCheckBin+44j
		cmp	esi, edx
		ja	loc_8DB1CA
		lea	ecx, [esi+edi]
		lea	eax, [edx+ebx]
		cmp	ecx, eax
		ja	loc_8DB1CA
		test	esi, esi
		jz	loc_8DB1CA
		mov	eax, [ebp+var_C]
		add	eax, esi
		mov	[ebp+var_C], eax
		cmp	eax, edx
		ja	loc_8DB1B8
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	loc_779DA3
		mov	edx, esi
		mov	ecx, eax
		call	_HvAddToLayoutStats@8 ;	HvAddToLayoutStats(x,x)
		call	_HvMoveLayoutStats@4 ; HvMoveLayoutStats(x)
		mov	esi, [edi]
		jmp	loc_779DA3
; 

loc_779EA6:				; CODE XREF: HvCheckBin+131j
		lea	ecx, [ecx+10h]
		call	_HvAddToLayoutStats@8 ;	HvAddToLayoutStats(x,x)
		mov	edx, [ebp+arg_C]
		cmp	dword ptr [edx+34h], 0
		jnz	loc_779D89
		mov	eax, [ebx+4]
		mov	[edx+34h], eax
		jmp	loc_779D89
; 

loc_779EC6:				; CODE XREF: HvCheckBin+14Aj
		mov	eax, [ebx+4]
		mov	[edx+30h], eax
		jmp	loc_779E4C
HvCheckBin	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall HvMoveLayoutStats(x)
_HvMoveLayoutStats@4 proc near		; CODE XREF: HvCheckHive+10Dp
					; HvCheckBin+107p ...
		mov	eax, [ecx+8]
		add	[ecx], eax
		mov	eax, [ecx+0Ch]
		add	[ecx+4], eax
		and	dword ptr [ecx+8], 0
		and	dword ptr [ecx+0Ch], 0
		retn
_HvMoveLayoutStats@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInsertVadCharges proc	near		; CODE XREF: MiDeletePartialVad+DD3EBp
					; MiInsertProcessVads(x,x)+22p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DB210 SIZE 000000EE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		xor	ecx, ecx
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], ecx
		mov	ebx, [edi+10h]
		mov	eax, [edi+20h]
		mov	esi, [edi+0Ch]
		and	eax, 7FFFFFFFh
		shl	ebx, 0Ch
		shl	esi, 0Ch
		or	ebx, 0FFFh
		mov	[ebp+var_8], esi
		cmp	eax, 0FFFFDh
		jnb	loc_77A09D
		push	4Ch
		push	edx
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		test	eax, eax
		js	loc_77A094
		test	dword ptr [edi+1Ch], 100000h
		jnz	short loc_779F8C
		mov	ecx, edi
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		mov	edx, [ebp+var_4]
		test	eax, eax
		jnz	short loc_779F8F
		mov	eax, [edi+10h]
		sub	eax, [edi+0Ch]
		lea	eax, ds:8[eax*8]
		mov	[ebp+var_10], eax
		cmp	edx, ds:_PsInitialSystemProcess
		jz	short loc_779F8F
		mov	ecx, [edx+188h]
		push	eax
		push	1
		call	@PspChargeQuota@16 ; PspChargeQuota(x,x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		js	loc_8DB210

loc_779F8C:				; CODE XREF: MiInsertVadCharges+5Bj
		mov	edx, [ebp+var_4]

loc_779F8F:				; CODE XREF: MiInsertVadCharges+69j
					; MiInsertVadCharges+81j
		mov	ecx, [edi+1Ch]
		mov	eax, ecx
		and	eax, 70h
		cmp	eax, 30h
		jz	loc_8DB223
		cmp	eax, 40h
		jz	loc_77A0B8
		cmp	eax, 10h
		jz	loc_77A0B8
		mov	[ebp+var_C], 0

loc_779FB9:				; CODE XREF: MiInsertVadCharges:loc_77A09Dj
					; MiInsertVadCharges+1FAj
		mov	eax, [edi+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jnb	loc_77A0A8

loc_779FCC:				; CODE XREF: MiInsertVadCharges+1BDj
		mov	esi, large fs:124h
		mov	ecx, esi
		call	_LOCK_PAGE_TABLE_COMMITMENT@8 ;	LOCK_PAGE_TABLE_COMMITMENT(x,x)
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		push	ebx
		call	_MiCommitPageTablesForVad@12 ; MiCommitPageTablesForVad(x,x,x)
		mov	ebx, [ebp+var_4]
		mov	ecx, esi
		mov	edx, ebx
		mov	[ebp+var_8], eax
		call	UNLOCK_PAGE_TABLE_COMMITMENT
		mov	eax, [ebp+var_8]
		test	eax, eax
		js	loc_8DB27B

loc_779FFF:				; CODE XREF: MiInsertVadCharges+1C3j
		mov	eax, [edi+0Ch]
		xor	edx, edx
		shr	eax, 4
		movzx	ebx, ax
		mov	eax, [edi+10h]
		shr	eax, 4
		movzx	edi, ax
		mov	eax, large fs:124h
		mov	[ebp+var_8], edx
		mov	eax, [eax+80h]
		mov	esi, [eax+24Ch]
		add	esi, 18h
		lea	eax, [esi+48h]
		mov	[ebp+var_4], eax
		cmp	[eax], edx
		jbe	short loc_77A092
		jmp	short loc_77A040
; 
		align 10h

loc_77A040:				; CODE XREF: MiInsertVadCharges+145j
					; MiInsertVadCharges+161403j
		mov	eax, [esi+4]
		sub	eax, dword_6D2E88
		shl	eax, 3
		cmp	edi, eax
		jb	loc_8DB2E7
		mov	ecx, [esi]
		add	ecx, eax
		mov	[ebp+var_10], ecx
		cmp	ebx, ecx
		jnb	loc_8DB2E7
		mov	[ebp+var_C], 0
		mov	edx, ebx
		cmp	ebx, eax
		jb	loc_8DB2C9

loc_77A074:				; CODE XREF: MiInsertVadCharges+1613E2j
		mov	ecx, edi
		cmp	edi, [ebp+var_10]
		jnb	loc_8DB2D7

loc_77A07F:				; CODE XREF: MiInsertVadCharges+1613F2j
		sub	ecx, edx
		sub	edx, eax
		inc	ecx
		push	ecx
		push	edx
		push	esi
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		cmp	[ebp+var_C], 0
		jnz	short loc_77A0EF

loc_77A092:				; CODE XREF: MiInsertVadCharges+143j
					; MiInsertVadCharges+161409j
		xor	eax, eax

loc_77A094:				; CODE XREF: MiInsertVadCharges+4Ej
					; MiInsertVadCharges+16132Ej ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_77A09D:				; CODE XREF: MiInsertVadCharges+3Ej
		jnz	loc_779FB9
		jmp	loc_8DB266
; 

loc_77A0A8:				; CODE XREF: MiInsertVadCharges+D6j
		cmp	eax, 0FFFFEh
		jz	loc_779FCC
		jmp	loc_779FFF
; 

loc_77A0B8:				; CODE XREF: MiInsertVadCharges+B3j
					; MiInsertVadCharges+BCj
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	_MiResidentPagesForSpan@12 ; MiResidentPagesForSpan(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_C], eax

loc_77A0C8:				; CODE XREF: MiInsertVadCharges+161362j
		test	ecx, ecx
		jz	short loc_77A0E7
		push	80h
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	edx, ecx
		mov	ecx, eax
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jz	loc_8DB257

loc_77A0E7:				; CODE XREF: MiInsertVadCharges+1DAj
					; MiInsertVadCharges+161386j
		mov	edx, [ebp+var_4]
		jmp	loc_779FB9
; 

loc_77A0EF:				; CODE XREF: MiInsertVadCharges+1A0j
		mov	edx, [ebp+var_8]
		jmp	loc_8DB2E7
MiInsertVadCharges endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReturnPageTablePageCommitment(x, x, x, x,	x, x, x)
_MiReturnPageTablePageCommitment@28 proc near ;	CODE XREF: MiDeleteVad(x,x,x)+F9Dp
					; MiDeletePartialVad+294p ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	[ebp+var_4], edx
		mov	edi, ecx
		mov	eax, [esi+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jb	short loc_77A12C
		cmp	eax, 0FFFFEh
		jnz	loc_77A5D0

loc_77A12C:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+1Fj
		push	ebx		; struct _exception *
		mov	ebx, [ebp+arg_4]
		test	bl, 1
		jz	short loc_77A140
		and	ebx, 0FFFFFFFEh
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_28], ebx
		jmp	short loc_77A147
; 

loc_77A140:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+33j
		mov	[ebp+var_28], 0

loc_77A147:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+3Ej
		mov	eax, [ebp+arg_8]
		test	al, 1
		jz	short loc_77A159
		and	eax, 0FFFFFFFEh
		mov	[ebp+arg_8], eax
		mov	[ebp+var_2C], eax
		jmp	short loc_77A160
; 

loc_77A159:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+4Cj
		mov	[ebp+var_2C], 0

loc_77A160:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+57j
		mov	ecx, esi
		call	_MiVadPageTableChargeLevel@4 ; MiVadPageTableChargeLevel(x)
		mov	ecx, esi
		mov	[ebp+var_30], eax
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		mov	ecx, [ebp+arg_0]
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_10], eax
		shr	edi, 15h
		mov	[ebp+var_8], edx
		mov	eax, [ecx+24Ch]
		xor	ecx, ecx
		add	eax, 18h
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_34], eax
		xor	eax, eax
		mov	[ebp+var_18], ecx
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_10]
		shr	ecx, 15h
		xor	edx, edx
		mov	[ebp+var_20], edi
		mov	[ebp+var_4], ecx
		mov	al, [eax]
		mov	[ebp+var_24], 3FFh
		mov	[ebp+var_14], edx

loc_77A1B6:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+482j
		mov	[ebp+var_38], edi
		mov	[ebp+var_3C], ecx
		test	al, al
		jnz	short loc_77A1C9
		inc	edi
		mov	[ebp+var_20], edi
		jmp	loc_77A2AD
; 

loc_77A1C9:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+BEj
		test	ebx, ebx
		jz	loc_77A2AD
		lea	edx, [edx+edx*8]

loc_77A1D4:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+1A4j
		mov	eax, [ebx+10h]
		mov	ecx, edx
		shr	eax, 9
		and	eax, 7FFh
		sar	eax, cl
		cmp	eax, edi
		jnz	loc_77A2AA
		mov	eax, [ebx+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jb	short loc_77A201
		cmp	eax, 0FFFFEh
		jnz	short loc_77A21E

loc_77A201:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+F8j
		mov	ecx, ebx
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		cmp	eax, 1
		jz	loc_77A39A
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		test	eax, eax
		jz	loc_77A39A

loc_77A21E:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+FFj
		cmp	ebx, [ebp+var_28]
		jnz	short loc_77A261
		mov	ebx, [esi]
		mov	eax, esi
		mov	[ebp+arg_4], ebx
		test	ebx, ebx
		jz	short loc_77A243
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_77A2A2

loc_77A235:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+13Fj
		mov	ebx, eax
		mov	[ebp+arg_4], ebx
		mov	eax, [ebx+4]
		test	eax, eax
		jnz	short loc_77A235
		jmp	short loc_77A2A2
; 

loc_77A243:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+12Cj
		mov	ebx, [esi+8]
		and	ebx, 0FFFFFFFCh
		mov	[ebp+arg_4], ebx
		jz	short loc_77A2A2
		mov	edi, edi

loc_77A250:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+15Dj
		cmp	[ebx+4], eax
		jz	short loc_77A29F
		mov	eax, ebx
		mov	ebx, [ebx+8]
		and	ebx, 0FFFFFFFCh
		jnz	short loc_77A250
		jmp	short loc_77A29F
; 

loc_77A261:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+121j
		mov	ecx, [ebx]
		mov	eax, ebx
		test	ecx, ecx
		jz	short loc_77A283
		mov	ebx, ecx
		mov	[ebp+arg_4], ebx
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_77A2A2

loc_77A275:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+17Fj
		mov	ebx, eax
		mov	[ebp+arg_4], ebx
		mov	eax, [ebx+4]
		test	eax, eax
		jnz	short loc_77A275
		jmp	short loc_77A2A2
; 

loc_77A283:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+167j
		mov	ebx, [ebx+8]
		and	ebx, 0FFFFFFFCh
		mov	[ebp+arg_4], ebx
		jz	short loc_77A2A2
		mov	edi, edi

loc_77A290:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+19Dj
		cmp	[ebx+4], eax
		jz	short loc_77A29F
		mov	eax, ebx
		mov	ebx, [ebx+8]
		and	ebx, 0FFFFFFFCh
		jnz	short loc_77A290

loc_77A29F:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+153j
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+15Fj ...
		mov	[ebp+arg_4], ebx

loc_77A2A2:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+133j
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+141j ...
		test	ebx, ebx
		jnz	loc_77A1D4

loc_77A2AA:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+E5j
		mov	ecx, [ebp+var_4]

loc_77A2AD:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+C4j
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+CBj
		mov	eax, [ebp+arg_10]

loc_77A2B0:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+2A7j
		cmp	byte ptr [eax+1], 0
		jnz	loc_77A3AC
		dec	ecx
		mov	[ebp+var_4], ecx

loc_77A2BE:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+2B1j
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+2D2j ...
		mov	eax, [ebp+var_4]

loc_77A2C1:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+3ACj
		cmp	edi, eax
		jg	loc_77A588
		mov	esi, [ebp+var_14]
		cmp	esi, [ebp+var_30]
		jl	short loc_77A2E2
		cmp	[ebp+var_10], 0
		jnz	short loc_77A2E2
		mov	ecx, [ebp+var_1C]
		sub	eax, edi
		inc	ecx
		add	ecx, eax
		mov	[ebp+var_1C], ecx

loc_77A2E2:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+1CFj
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+1D5j
		mov	ecx, [ebp+var_34]
		mov	eax, 2Eh
		mov	ebx, [ebp+var_20]
		sub	eax, esi
		lea	edi, [ecx+eax*8]
		mov	eax, [ebp+var_10]

loc_77A2F5:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+41Dj
		test	eax, eax
		jz	short loc_77A31B
		mov	eax, [edi+4]
		mov	edx, ebx
		shr	edx, 3
		mov	cl, bl
		and	cl, 7
		mov	al, [edx+eax]
		sar	al, cl
		test	al, 1
		jz	loc_77A510
		cmp	esi, [ebp+var_30]
		jl	short loc_77A31B
		inc	[ebp+var_1C]

loc_77A31B:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+1F7j
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+216j
		mov	ecx, ebx
		mov	edx, ebx
		shr	ecx, 3
		and	edx, 7
		add	ecx, [edi+4]
		movsx	eax, byte ptr [ecx]
		btr	eax, edx
		mov	[ecx], al
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		test	eax, eax
		jnz	loc_77A510
		cmp	ebx, [ebp+var_4]
		jz	short loc_77A352
		cmp	edx, 7
		jz	short loc_77A352
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	loc_77A5DE

loc_77A352:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+240j
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+245j
		mov	esi, ebx
		push	8
		and	esi, 0FFFFFFF8h
		push	esi
		push	edi
		call	_RtlAreBitsClear@12 ; RtlAreBitsClear(x,x,x)
		cmp	al, 1
		jnz	loc_77A5D8
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+3A8h], 1
		jnz	short loc_77A382
		mov	eax, [ebp+var_24]
		and	eax, 0FFFFFFF8h
		cmp	esi, eax
		jz	loc_77A50D

loc_77A382:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+272j
		cmp	[ebp+var_14], 0
		mov	ecx, [ebp+var_8]
		jz	loc_77A4B1
		inc	[ebp+var_18]
		mov	esi, [ebp+var_14]
		jmp	loc_77A513
; 

loc_77A39A:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+10Bj
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+118j
		mov	eax, [ebp+arg_10]
		inc	edi
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_20], edi
		mov	byte ptr [eax],	0
		jmp	loc_77A2B0
; 

loc_77A3AC:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+1B4j
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jz	loc_77A2BE
		mov	eax, [ebp+var_14]
		lea	esi, [eax+eax*8]
		lea	ecx, [ecx+0]

loc_77A3C0:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+393j
		mov	eax, [edx+0Ch]
		mov	ecx, esi
		shr	eax, 9
		and	eax, 7FFh
		sar	eax, cl
		cmp	eax, [ebp+var_4]
		jnz	loc_77A2BE
		mov	eax, [edx+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jb	short loc_77A3EE
		cmp	eax, 0FFFFEh
		jnz	short loc_77A40B

loc_77A3EE:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+2E5j
		mov	ecx, edx
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		cmp	eax, 1
		jz	loc_77A49E
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		test	eax, eax
		jz	loc_77A49E

loc_77A40B:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+2ECj
		cmp	edx, [ebp+var_2C]
		jnz	short loc_77A450
		mov	ecx, [ebp+arg_C]
		mov	eax, ecx
		mov	edx, [ecx+4]
		mov	[ebp+arg_8], edx
		test	edx, edx
		jz	short loc_77A434
		mov	ecx, [edx]
		test	ecx, ecx
		jz	short loc_77A491

loc_77A425:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+330j
		mov	eax, [ecx]
		mov	edx, ecx
		mov	[ebp+arg_8], edx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_77A425
		jmp	short loc_77A491
; 

loc_77A434:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+31Dj
		mov	edx, [ecx+8]
		and	edx, 0FFFFFFFCh
		mov	[ebp+arg_8], edx
		jz	short loc_77A491
		nop

loc_77A440:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+34Cj
		cmp	[edx], eax
		jz	short loc_77A48E
		mov	eax, edx
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		jnz	short loc_77A440
		jmp	short loc_77A48E
; 

loc_77A450:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+30Ej
		mov	ecx, [edx+4]
		mov	eax, edx
		test	ecx, ecx
		jz	short loc_77A473
		mov	edx, ecx
		mov	[ebp+arg_8], edx
		mov	ecx, [edx]
		test	ecx, ecx
		jz	short loc_77A491

loc_77A464:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+36Fj
		mov	eax, [ecx]
		mov	edx, ecx
		mov	[ebp+arg_8], edx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_77A464
		jmp	short loc_77A491
; 

loc_77A473:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+357j
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		mov	[ebp+arg_8], edx
		jz	short loc_77A491
		mov	edi, edi

loc_77A480:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+38Cj
		cmp	[edx], eax
		jz	short loc_77A48E
		mov	eax, edx
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		jnz	short loc_77A480

loc_77A48E:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+342j
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+34Ej ...
		mov	[ebp+arg_8], edx

loc_77A491:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+323j
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+332j ...
		test	edx, edx
		jnz	loc_77A3C0
		jmp	loc_77A2BE
; 

loc_77A49E:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+2F8j
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+305j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_10]
		dec	eax
		mov	[ebp+var_4], eax
		mov	byte ptr [ecx+1], 0
		jmp	loc_77A2C1
; 

loc_77A4B1:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+289j
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_77A4C8
		mov	ecx, esi
		mov	edx, 1
		mov	esi, [ebp+var_14]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], edx
		jmp	short loc_77A516
; 

loc_77A4C8:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+3B4j
		mov	edx, [ebp+var_C]
		lea	eax, [ecx+edx*8]
		cmp	eax, esi
		jnz	short loc_77A4DB
		mov	esi, [ebp+var_14]
		inc	edx
		mov	[ebp+var_C], edx
		jmp	short loc_77A516
; 

loc_77A4DB:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+3D0j
		shl	ecx, 15h
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+arg_0]
		push	0
		push	edx
		mov	edx, [ebp+var_8]
		lea	ecx, [ecx+240h]
		call	_MiDeleteWsleRange@16 ;	MiDeleteWsleRange(x,x,x,x)
		mov	eax, [ebp+var_C]
		mov	ecx, esi
		add	[ebp+var_18], eax
		mov	edx, 1
		mov	esi, [ebp+var_14]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], edx
		jmp	short loc_77A516
; 

loc_77A50D:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+27Cj
		mov	esi, [ebp+var_14]

loc_77A510:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+20Dj
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+237j
		mov	ecx, [ebp+var_8]

loc_77A513:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+295j
		mov	edx, [ebp+var_C]

loc_77A516:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+3C6j
					; MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+3D9j ...
		mov	eax, [ebp+var_10]

loc_77A519:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+4E4j
		inc	ebx
		cmp	ebx, [ebp+var_4]
		jle	loc_77A2F5
		mov	ebx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_77A555
		shl	ecx, 15h
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+arg_0]
		push	0
		push	edx
		mov	edx, [ebp+var_8]
		lea	ecx, [ecx+240h]
		call	_MiDeleteWsleRange@16 ;	MiDeleteWsleRange(x,x,x,x)
		mov	eax, [ebp+var_C]
		or	edx, 0FFFFFFFFh
		add	[ebp+var_18], eax
		xor	eax, eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], eax

loc_77A555:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+428j
		mov	edx, [ebp+arg_10]
		inc	esi
		mov	edi, [ebp+var_38]
		mov	ecx, [ebp+var_3C]
		sar	[ebp+var_24], 9
		shr	byte ptr [edx],	1
		shr	byte ptr [edx+1], 1
		mov	al, [edx]
		sar	edi, 9
		sar	ecx, 9
		cmp	esi, 1
		mov	[ebp+var_14], esi
		mov	esi, [ebp+arg_C]
		mov	edx, [ebp+var_14]
		mov	[ebp+var_20], edi
		mov	[ebp+var_4], ecx
		jl	loc_77A1B6

loc_77A588:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+1C3j
		mov	eax, [ebp+var_18]
		mov	ebx, [ebp+arg_0]
		test	eax, eax
		jz	short loc_77A5A4
		mov	edx, eax
		lea	ecx, [ebx+240h]
		neg	edx
		call	_MiUpdateChargedWsles@8	; MiUpdateChargedWsles(x,x)
		mov	eax, [ebp+var_18]

loc_77A5A4:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+490j
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jz	short loc_77A5B1
		mov	edx, [ebp+var_34]
		sub	[edx+54h], ecx

loc_77A5B1:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+4A9j
		lea	esi, [eax+ecx]
		test	esi, esi
		jz	short loc_77A5CF
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	edx, esi
		mov	ecx, eax
		call	MiReturnCommit
		mov	edx, esi
		mov	ecx, ebx
		call	_MiReturnFullProcessCharges@8 ;	MiReturnFullProcessCharges(x,x)

loc_77A5CF:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+4B6j
		pop	ebx

loc_77A5D0:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+26j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_77A5D8:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+262j
		mov	esi, [ebp+var_14]
		mov	eax, [ebp+var_10]

loc_77A5DE:				; CODE XREF: MiReturnPageTablePageCommitment(x,x,x,x,x,x,x)+24Cj
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_C]
		jmp	loc_77A519
_MiReturnPageTablePageCommitment@28 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapViewOfSection proc	near		; CODE XREF: MmMapViewOfSection+56p
					; MiMapViewOfSectionExCommon+14Dp ...

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_39		= dword	ptr -39h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008DB2FE SIZE 000001B1 BYTES
; FUNCTION CHUNK AT 008DB4F0 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1128
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_20], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, edx
		mov	ebx, ecx
		mov	[ebp+var_40], ebx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_48], eax
		mov	[ebp+var_80], esi
		mov	[ebp+var_84], eax
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_44], edx
		xor	eax, eax
		mov	[ebp+var_39+1],	eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_50], eax
		mov	eax, [esi+3Ch]
		mov	[ebp+var_60], eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_70], 0
		mov	[ebp+var_78], ebx
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	edi, eax
		mov	[ebp+var_54], edi
		mov	eax, [edi]
		mov	[ebp+var_6C], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_5C], eax
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jnz	short loc_77A6D1
		mov	eax, [ebp+arg_C]
		cmp	eax, 2
		jg	loc_77AA16
		cmp	eax, 1
		jl	loc_77AA16
		test	ecx, ecx
		jnz	short loc_77A6D1
		test	dword ptr [edi+1Ch], 400h
		jnz	short loc_77A6D1
		cmp	dword ptr [esi+8], 10000h
		jb	short loc_77A6D1
		mov	eax, [ebp+var_48]
		movzx	eax, word ptr [eax]
		test	eax, eax
		jnz	loc_8DB35A
		movzx	eax, word ptr [edx]
		test	eax, eax
		jnz	loc_8DB35A

loc_77A6D1:				; CODE XREF: MiMapViewOfSection+9Bj
					; MiMapViewOfSection+B4j ...
		lea	eax, [esi+14h]
		mov	[ebp+var_58], eax
		test	ecx, ecx
		jnz	loc_77A9CD
		test	dword ptr [eax], 9F2BDFFFh
		jnz	loc_77AA16

loc_77A6EB:				; CODE XREF: MiMapViewOfSection+3E0j
		mov	byte ptr [ebp+var_39], 1
		mov	edx, [esi+18h]
		test	edx, 40000000h
		jnz	loc_77AAD6

loc_77A6FE:				; CODE XREF: MiMapViewOfSection+4FCj
		test	byte ptr [ebx+20h], 20h
		jnz	loc_77A94E
		mov	ecx, [ebx+24h]
		and	ecx, 0FFFh
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		and	eax, 7
		mov	eax, ds:_MmCompatibleProtectionMask[eax*4]
		or	eax, 700h
		or	edx, eax
		cmp	edx, eax
		jnz	loc_8DB386
		mov	ebx, [esi+14h]
		mov	[ebp+var_64], ebx
		test	ebx, (offset loc_83FFFB+5)
		jnz	loc_77AA16
		test	ebx, 20002000h
		setnz	cl
		test	dword ptr [edi+1Ch], 400h
		setnz	al
		test	cl, al
		jnz	loc_77AA16

loc_77A75C:				; CODE XREF: MiMapViewOfSection+37Fj
					; MiMapViewOfSection+160D2Bj
		mov	eax, [ebp+var_44]
		mov	edi, [eax]
		mov	edx, [eax+4]
		mov	[ebp+var_68], edx
		mov	eax, [ebp+var_5C]
		add	eax, edi
		mov	ecx, 0
		adc	ecx, edx
		cmp	ecx, edx
		ja	short loc_77A785
		jb	loc_77AABE
		cmp	eax, edi
		jb	loc_77AABE

loc_77A785:				; CODE XREF: MiMapViewOfSection+185j
		mov	ebx, [ebp+var_40]
		mov	edx, [ebx+18h]
		mov	ebx, [ebx+1Ch]
		cmp	ecx, ebx
		jb	short loc_77A7A0
		ja	loc_77AAB1
		cmp	eax, edx
		ja	loc_77AAB1

loc_77A7A0:				; CODE XREF: MiMapViewOfSection+1A0j
					; MiMapViewOfSection+4C8j
		cmp	[ebp+var_5C], 0
		jnz	short loc_77A7C1
		sub	edx, edi
		sbb	ebx, [ebp+var_68]
		cmp	ebx, 1
		jb	short loc_77A7BE
		ja	loc_77AABE
		test	edx, edx
		jnb	loc_77AABE

loc_77A7BE:				; CODE XREF: MiMapViewOfSection+1BEj
		mov	[esi+0Ch], edx

loc_77A7C1:				; CODE XREF: MiMapViewOfSection+1B4j
		mov	ebx, [ebp+var_54]
		test	dword ptr [ebx+1Ch], 400h
		jnz	loc_77AAF1
		mov	eax, [esi+8]
		cmp	eax, 10000h
		ja	loc_8DB332

loc_77A7DF:				; CODE XREF: MiMapViewOfSection+160D46j
					; MiMapViewOfSection+160D51j
		lea	edx, [eax-1]
		mov	edi, [ebp+var_44]
		mov	edi, [edi]
		mov	ecx, edx
		and	ecx, edi
		mov	eax, ecx
		or	eax, 0
		jnz	loc_77AA46

loc_77A7F6:				; CODE XREF: MiMapViewOfSection+46Dj
					; MiMapViewOfSection+491j ...
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jle	loc_77AABE
		mov	edx, [esi+8]
		mov	ebx, [ebp+var_48]
		mov	edi, [ebx]
		lea	eax, [edx-1]
		test	eax, edi
		jnz	loc_8DB346

loc_77A814:				; CODE XREF: MiMapViewOfSection+160D65j
		mov	[esi+10h], ecx
		mov	eax, ecx
		and	eax, 0FFFh
		mov	edi, ecx
		jnz	loc_77A9D5

loc_77A826:				; CODE XREF: MiMapViewOfSection+40Fj
		mov	ebx, [esi+30h]
		and	ebx, 1
		jnz	loc_77AA9A
		mov	edx, esi

loc_77A834:				; CODE XREF: MiMapViewOfSection+4ADj
		mov	edx, [edx]
		mov	eax, [esi+4]
		cmp	edx, eax
		ja	loc_77AA16
		sub	eax, edx
		inc	eax
		cmp	eax, edi
		jb	loc_8DB364
		mov	edx, [ebp+var_58]
		cmp	[ebp+arg_4], ecx
		ja	loc_8DB375

loc_77A858:				; CODE XREF: MiMapViewOfSection+160D91j
		xor	edi, edi
		mov	eax, [ebp+var_40]
		cmp	edi, [eax+1Ch]
		jb	short loc_77A871
		ja	loc_77AAC8
		cmp	ecx, [eax+18h]
		ja	loc_77AAC8

loc_77A871:				; CODE XREF: MiMapViewOfSection+270j
					; MiMapViewOfSection+4DEj
		mov	edx, [edx]
		test	edx, 2000h
		jnz	loc_77AAA2

loc_77A87F:				; CODE XREF: MiMapViewOfSection+4B6j
		test	edx, (offset loc_7FFFFF+1)
		jnz	loc_77AA04

loc_77A88B:				; CODE XREF: MiMapViewOfSection+420j
		test	dword ptr [esi+28h], 4000000h
		jnz	loc_8DB390

loc_77A898:				; CODE XREF: MiMapViewOfSection+160DE1j
		mov	ebx, [ebp+var_6C]
		movzx	eax, word ptr [ebx+8]
		mov	edi, eax
		mov	ecx, [esi+18h]
		test	ax, ax
		js	loc_8DB3D6

loc_77A8AD:				; CODE XREF: MiMapViewOfSection+160DF9j
		test	edi, 4000h
		jnz	loc_77AA86

loc_77A8B9:				; CODE XREF: MiMapViewOfSection+4A5j
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		mov	ebx, eax
		mov	[ebp+var_68], ebx
		cmp	ebx, 0FFFFFFFFh
		jz	loc_8DB3EE
		mov	ecx, large fs:124h
		mov	eax, [esi+40h]
		mov	edi, [ebp+var_40]
		test	dword ptr [eax+490h], 100h
		jnz	loc_8DB3F8

loc_77A8E9:				; CODE XREF: MiMapViewOfSection+160E12j
					; MiMapViewOfSection+160E29j ...
		mov	ecx, [ebp+var_60]
		cmp	eax, ecx
		jnz	loc_77AA20

loc_77A8F4:				; CODE XREF: MiMapViewOfSection+442j
		mov	ecx, [ebp+var_54]
		mov	eax, [ecx+1Ch]
		test	eax, 400h
		jnz	loc_77AB06
		test	al, 20h
		jnz	short loc_77A97A
		lea	eax, [ebp+var_39]
		push	eax
		push	[ebp+arg_4]
		push	ebx
		push	[ebp+arg_C]
		push	edi
		push	[ebp+var_44]
		push	[ebp+var_48]
		mov	edx, esi
		call	MiMapViewOfDataSection

loc_77A922:				; CODE XREF: MiMapViewOfSection+528j
		mov	edi, eax

loc_77A924:				; CODE XREF: MiMapViewOfSection+3CAj
					; MiMapViewOfSection+3D8j
		cmp	[ebp+var_70], 0
		jnz	loc_77AA37

loc_77A92E:				; CODE XREF: MiMapViewOfSection+451j
		mov	eax, edi

loc_77A930:				; CODE XREF: MiMapViewOfSection+42Bj
					; MiMapViewOfSection+4D3j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_20]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_77A94E:				; CODE XREF: MiMapViewOfSection+112j
		cmp	dword ptr [esi+38h], 0
		jnz	loc_8DB2FE

loc_77A958:				; CODE XREF: MiMapViewOfSection+160D1Bj
		mov	ebx, [eax]
		mov	[ebp+var_64], ebx
		test	ebx, 2000h
		jnz	loc_77AA16
		test	ebx, 20000000h
		jz	loc_77A75C
		jmp	loc_8DB310
; 

loc_77A97A:				; CODE XREF: MiMapViewOfSection+317j
		mov	eax, [ebp+var_48]
		mov	eax, [eax]
		mov	[ebp+var_4C], eax
		mov	[ebp+var_50], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_5C], eax
		mov	[ebp+var_58], eax
		mov	edi, edi

loc_77A990:				; CODE XREF: MiMapViewOfSection+160E93j
					; MiMapViewOfSection+160F32j
		push	0
		push	ebx
		push	[ebp+arg_C]
		push	edi
		push	[ebp+var_44]
		lea	eax, [ebp+var_4C]
		push	eax
		mov	edx, esi
		call	MiMapViewOfImageSection
		mov	edi, eax
		mov	[ebp+var_64], edi
		mov	eax, [esi+14h]
		test	eax, 20000000h
		jnz	loc_8DB433

loc_77A9B8:				; CODE XREF: MiMapViewOfSection+160E75j
					; MiMapViewOfSection+160F10j
		test	edi, edi
		js	loc_77A924
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_48]
		mov	[ecx], eax
		jmp	loc_77A924
; 

loc_77A9CD:				; CODE XREF: MiMapViewOfSection+E9j
		mov	[ebp+var_58], eax
		jmp	loc_77A6EB
; 

loc_77A9D5:				; CODE XREF: MiMapViewOfSection+230j
		mov	edx, 1000h
		sub	edx, eax
		mov	edi, ecx
		add	edi, edx
		mov	eax, 0
		adc	eax, eax
		test	eax, eax
		ja	short loc_77A9F9
		jb	loc_77AABE
		cmp	edi, ecx
		jb	loc_77AABE

loc_77A9F9:				; CODE XREF: MiMapViewOfSection+3F9j
		lea	edi, [edx+ecx]
		mov	[esi+0Ch], edi
		jmp	loc_77A826
; 

loc_77AA04:				; CODE XREF: MiMapViewOfSection+295j
		test	byte ptr [eax+20h], 20h
		jz	short loc_77AA16
		test	edx, 20000000h
		jz	loc_77A88B

loc_77AA16:				; CODE XREF: MiMapViewOfSection+A3j
					; MiMapViewOfSection+ACj ...
		mov	eax, 0C000000Dh
		jmp	loc_77A930
; 

loc_77AA20:				; CODE XREF: MiMapViewOfSection+2FEj
		lea	eax, [ebp+var_39+1]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		mov	[ebp+var_70], 1
		jmp	loc_77A8F4
; 

loc_77AA37:				; CODE XREF: MiMapViewOfSection+338j
		xor	edx, edx
		lea	ecx, [ebp+var_39+1]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_77A92E
; 

loc_77AA46:				; CODE XREF: MiMapViewOfSection+200j
		test	byte ptr [esi+30h], 2
		jnz	loc_8DB35A
		not	edx
		and	edx, edi
		mov	eax, [ebp+var_44]
		mov	[eax], edx
		test	byte ptr [ebx+1Ch], 20h
		jnz	loc_77A7F6
		mov	edx, [esi+0Ch]
		mov	edi, edx
		add	edi, ecx
		mov	eax, 0
		adc	eax, eax
		test	eax, eax
		ja	short loc_77AA7B
		jb	short loc_77AABE
		cmp	edi, edx
		jb	short loc_77AABE

loc_77AA7B:				; CODE XREF: MiMapViewOfSection+483j
		lea	eax, [edx+ecx]
		mov	[esi+0Ch], eax
		jmp	loc_77A7F6
; 

loc_77AA86:				; CODE XREF: MiMapViewOfSection+2C3j
		and	ecx, 0FFFFFDFFh
		or	ecx, 400h
		mov	[esi+18h], ecx
		jmp	loc_77A8B9
; 

loc_77AA9A:				; CODE XREF: MiMapViewOfSection+23Cj
		mov	edx, [ebp+var_48]
		jmp	loc_77A834
; 

loc_77AAA2:				; CODE XREF: MiMapViewOfSection+289j
		test	byte ptr [eax+24h], 44h
		jnz	loc_77A87F
		jmp	loc_8DB386
; 

loc_77AAB1:				; CODE XREF: MiMapViewOfSection+1A2j
					; MiMapViewOfSection+1AAj
		test	[ebp+var_64], 2000h
		jnz	loc_77A7A0

loc_77AABE:				; CODE XREF: MiMapViewOfSection+187j
					; MiMapViewOfSection+18Fj ...
		mov	eax, 0C000001Fh
		jmp	loc_77A930
; 

loc_77AAC8:				; CODE XREF: MiMapViewOfSection+272j
					; MiMapViewOfSection+27Bj
		test	dword ptr [edx], 2000h
		jnz	loc_77A871
		jmp	short loc_77AABE
; 

loc_77AAD6:				; CODE XREF: MiMapViewOfSection+108j
		test	dl, 0F0h
		jz	loc_77AA16
		mov	byte ptr [ebp+var_39], 0
		and	edx, 0BFFFFFFFh
		mov	[esi+18h], edx
		jmp	loc_77A6FE
; 

loc_77AAF1:				; CODE XREF: MiMapViewOfSection+1DBj
		mov	ecx, [ebp+var_44]
		mov	eax, [ecx]
		test	eax, 0FFFh
		jz	loc_77A7F6
		jmp	loc_8DB320
; 

loc_77AB06:				; CODE XREF: MiMapViewOfSection+30Fj
		lea	eax, [ebp+var_39]
		push	eax
		push	ebx
		push	[ebp+var_44]
		mov	edx, [ebp+var_48]
		mov	ecx, esi
		call	MiMapViewOfPhysicalSection
		jmp	loc_77A922
MiMapViewOfSection endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1499. NtAllocateVirtualMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtAllocateVirtualMemory
NtAllocateVirtualMemory	proc near	; DATA XREF: .text:00581250o

var_6C		= dword	ptr -6Ch
var_5C		= dword	ptr -5Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008DB527 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1148
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 5Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_20], 0
		mov	[ebp+var_24], 0
		push	38h		; size_t
		push	0		; int
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_28], al
		mov	[ebp+var_4], 0
		mov	esi, [ebp+arg_4]
		test	al, al
		jz	loc_77AC4D
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8DB527

loc_77ABB3:				; CODE XREF: NtAllocateVirtualMemory+1609F9j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	edi, [ebp+arg_C]
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_8DB52E

loc_77ABC9:				; CODE XREF: NtAllocateVirtualMemory+160A00j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_77ABCD:				; CODE XREF: NtAllocateVirtualMemory+120j
		mov	eax, [esi]
		mov	[ebp+var_20], eax
		mov	eax, [edi]
		mov	[ebp+var_24], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+arg_10]
		mov	ecx, eax
		and	ecx, 7Fh
		mov	[ebp+var_5C], ecx
		and	eax, 0FFFFFF80h
		test	eax, 44000h
		jnz	short loc_77AC55
		push	0
		push	0
		push	0
		push	[ebp+var_28]
		lea	ecx, [ebp+var_6C]
		push	ecx
		push	[ebp+arg_14]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+arg_8]
		lea	edx, [ebp+var_20]
		mov	ecx, [ebp+arg_0]
		call	MiAllocateVirtualMemoryCommon
		mov	ecx, eax
		mov	[ebp+arg_C], ecx
		test	ecx, ecx
		js	short loc_77AC39
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_20]
		mov	[esi], eax
		mov	eax, [ebp+var_24]
		mov	[edi], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_77AC37:				; CODE XREF: sub_8DB555+Dj
		mov	eax, ecx

loc_77AC39:				; CODE XREF: NtAllocateVirtualMemory+EDj
					; NtAllocateVirtualMemory+12Aj	...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_77AC4D:				; CODE XREF: NtAllocateVirtualMemory+6Ej
		mov	edi, [ebp+arg_C]
		jmp	loc_77ABCD
; 

loc_77AC55:				; CODE XREF: NtAllocateVirtualMemory+C1j
		mov	eax, 0C000000Dh
		jmp	short loc_77AC39
NtAllocateVirtualMemory	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCommitPageTablesForVad(x,	x, x)
_MiCommitPageTablesForVad@12 proc near	; CODE XREF: MiSplitPrivatePage(x,x,x)+20Ap
					; .text:00452D6Ep ...

var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	edi, [eax+80h]
		mov	[ebp+var_20], esi
		cmp	dword ptr [esi+8], 0FFFFFFFEh
		mov	[ebp+var_1C], edi
		jz	loc_77AD61

loc_77AC8B:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+108j
		mov	eax, [edi+24Ch]
		mov	ecx, esi
		mov	[ebp+var_C], eax
		call	_MiVadPageTableChargeLevel@4 ; MiVadPageTableChargeLevel(x)
		mov	ecx, esi
		mov	[ebp+var_24], eax
		call	_MiVadLeafPagesPrecharged@4 ; MiVadLeafPagesPrecharged(x)
		mov	edi, [ebp+arg_0]
		xor	edx, edx
		shr	ebx, 15h
		mov	[ebp+var_28], eax
		mov	[ebp+var_18], edx
		shr	edi, 15h
		mov	[ebp+var_14], ebx

loc_77ACB9:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+1AAj
		mov	[ebp+var_10], edx
		lea	esp, [esp+0]
		xor	eax, eax
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+arg_0], eax
		mov	[ebp+var_4], eax
		cmp	[ebp+var_14], edi
		ja	short loc_77AD06
		mov	esi, [ebp+var_14]

loc_77ACD5:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+98j
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		shr	ecx, 3
		mov	eax, [edx+18Ch]
		lea	edx, [ecx+eax]
		mov	cl, bl
		mov	ah, [edx]
		and	cl, 7
		mov	al, ah
		sar	al, cl
		test	al, 1
		jz	short loc_77AD49

loc_77ACF5:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+FFj
					; MiCommitPageTablesForVad(x,x,x)+147j	...
		inc	ebx
		cmp	ebx, edi
		jbe	short loc_77ACD5
		mov	esi, [ebp+var_20]
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_10]

loc_77AD06:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+70j
		cmp	[ebp+var_24], 0
		jg	short loc_77AD11
		mov	ecx, eax
		mov	[ebp+var_8], eax

loc_77AD11:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+AAj
		test	edx, edx
		jnz	short loc_77AD3E
		cmp	[ebp+var_28], 0
		mov	ebx, [ebp+var_4]
		lea	edx, [ebx+ecx]
		jnz	short loc_77AD2C
		mov	ecx, esi
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		test	eax, eax
		jz	short loc_77AD86

loc_77AD2C:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+BFj
					; MiCommitPageTablesForVad(x,x,x)+133j	...
		test	edx, edx
		jnz	loc_77ADE0

loc_77AD34:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+18Aj
		cmp	[ebp+var_18], 1
		jz	loc_77ADF5

loc_77AD3E:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+B3j
					; MiCommitPageTablesForVad(x,x,x)+117j	...
		xor	eax, eax

loc_77AD40:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+124j
					; MiCommitPageTablesForVad(x,x,x)+190j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4		; struct _exception *
; 

loc_77AD49:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+93j
		inc	[ebp+arg_0]
		cmp	[ebp+var_10], 1
		jnz	short loc_77AD99
		movsx	ecx, ah
		mov	eax, ebx
		and	eax, 7
		bts	ecx, eax
		mov	[edx], cl
		jmp	short loc_77ACF5
; 

loc_77AD61:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+25j
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		test	eax, eax
		jz	loc_77AC8B
		mov	edx, [esi+20h]
		and	edx, 7FFFFFFFh
		jz	short loc_77AD3E
		mov	ecx, edi
		call	MiChargeFullProcessCommitment
		test	eax, eax
		jns	short loc_77AD3E
		jmp	short loc_77AD40
; 

loc_77AD86:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+CAj
		mov	eax, [esi+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFEh
		jz	short loc_77AD2C
		add	edx, eax
		jmp	short loc_77AD2C
; 

loc_77AD99:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+F0j
		mov	[ebp+var_18], 1
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		test	eax, eax
		jnz	loc_77ACF5
		cmp	ebx, esi
		jz	short loc_77ADBA
		test	bl, 7
		jnz	loc_77ACF5

loc_77ADBA:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+14Fj
		push	8
		mov	eax, ebx
		and	eax, 0FFFFFFF8h
		push	eax
		mov	eax, [ebp+var_C]
		add	eax, 188h
		push	eax
		call	_RtlAreBitsClear@12 ; RtlAreBitsClear(x,x,x)
		cmp	al, 1
		jnz	loc_77ACF5
		inc	[ebp+var_4]
		jmp	loc_77ACF5
; 

loc_77ADE0:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+CEj
		mov	ecx, [ebp+var_1C]
		call	MiChargeFullProcessCommitment
		test	eax, eax
		jns	loc_77AD34
		jmp	loc_77AD40
; 

loc_77ADF5:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+D8j
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_8]
		add	[ecx+6Ch], eax
		test	ebx, ebx
		jnz	short loc_77AE0F

loc_77AE02:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+1BFj
		mov	ebx, [ebp+var_14]
		mov	edx, 1
		jmp	loc_77ACB9
; 

loc_77AE0F:				; CODE XREF: MiCommitPageTablesForVad(x,x,x)+1A0j
		mov	ecx, [ebp+var_1C]
		mov	edx, ebx
		lea	ecx, [ecx+240h]
		call	_MiUpdateChargedWsles@8	; MiUpdateChargedWsles(x,x)
		jmp	short loc_77AE02
_MiCommitPageTablesForVad@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmProtectVirtualMemory proc near	; CODE XREF: MiAllocateVirtualMemory+469p
					; NtProtectVirtualMemory+18Cp

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DB5A3 SIZE 0000028D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_34], edx
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	dword ptr [eax], 1
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		mov	[ebp+var_38], ecx
		mov	edx, [eax]
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_14], 0
		mov	[ebp+var_C], 0
		mov	[ebp+var_20], 0
		mov	esi, [eax]
		mov	eax, ebx
		and	eax, 7F800h
		mov	[ebp+var_24], 1
		mov	[ebp+var_1C], edx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_18], eax
		jnz	loc_8DB5A3

loc_77AE89:				; CODE XREF: MmProtectVirtualMemory+160780j
		mov	eax, ebx
		shr	eax, 1Fh
		mov	[ebp+var_10], eax
		mov	eax, ebx
		and	eax, 0B0000000h
		and	ebx, 4FF807FFh
		mov	[ebp+var_28], eax
		test	ebx, 40000000h
		jnz	loc_77B28A

loc_77AEAD:				; CODE XREF: MmProtectVirtualMemory+473j
		test	ebx, ebx
		jz	loc_8DB5C7
		mov	ecx, ebx
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		mov	[ebp+var_4], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_8DB5E1

loc_77AEC8:				; CODE XREF: MmProtectVirtualMemory+1607ACj
		dec	esi
		mov	eax, edx
		add	esi, edx
		and	eax, 0FFFFF000h
		or	esi, 0FFFh
		mov	[ebp+arg_8], eax
		mov	ecx, esi
		mov	[ebp+var_3C], esi
		shr	ecx, 0Ch
		xor	edx, edx
		mov	[ebp+var_30], ecx
		lea	ecx, [ebp+var_14]
		push	ecx
		mov	ecx, eax
		call	MiObtainReferencedVadEx
		mov	edi, eax
		test	edi, edi
		jz	loc_8DB5EB
		mov	eax, [ebp+var_30]
		cmp	eax, [edi+10h]
		ja	loc_8DB818
		mov	eax, [edi+1Ch]
		and	eax, 1100000h
		cmp	eax, 1100000h
		jz	loc_8DB604
		cmp	[ebp+var_18], 0
		jnz	loc_8DB60E

loc_77AF26:				; CODE XREF: MmProtectVirtualMemory+1607D8j
		mov	eax, [ebp+var_4]
		mov	[ebp+var_14], 0
		test	al, 2
		jnz	loc_77B21A

loc_77AF38:				; CODE XREF: MmProtectVirtualMemory+40Fj
					; MmProtectVirtualMemory+41Cj ...
		mov	edx, [edi+1Ch]
		mov	ecx, edx
		and	ecx, 100000h
		mov	[ebp+var_38], ecx
		jnz	loc_77B1F7

loc_77AF4C:				; CODE XREF: MmProtectVirtualMemory+3DFj
		mov	eax, edx
		and	eax, 70h
		cmp	al, 50h
		jz	loc_8DB651

loc_77AF59:				; CODE XREF: MmProtectVirtualMemory+16084Bj
		mov	eax, edx
		and	eax, 3100000h
		cmp	eax, 2100000h
		jz	loc_77B18D
		test	[ebp+var_28], 5FFFFFFFh
		jnz	loc_8DB60E
		test	ebx, ebx
		jz	loc_8DB60E
		mov	eax, edx
		and	eax, 70h
		cmp	eax, 30h
		jz	loc_8DB6B9
		cmp	eax, 10h
		jz	loc_8DB818
		mov	eax, [ebp+var_10]
		cmp	eax, 1
		jz	loc_77B2A8

loc_77AFA3:				; CODE XREF: MmProtectVirtualMemory+48Aj
		test	dl, 8
		jnz	loc_8DB6FE

loc_77AFAC:				; CODE XREF: MmProtectVirtualMemory+1608D2j
					; MmProtectVirtualMemory+160908j
		mov	ecx, [edi+1Ch]
		test	ecx, 100000h
		jnz	loc_77B1BB
		test	ebx, 600h
		jnz	loc_77B2FE
		mov	eax, ecx
		and	al, 70h
		cmp	al, 20h
		jnz	short loc_77AFE1
		test	bl, 4
		jnz	loc_77B182

loc_77AFD8:				; CODE XREF: MmProtectVirtualMemory+358j
		test	bl, 40h
		jnz	loc_77B2CB

loc_77AFE1:				; CODE XREF: MmProtectVirtualMemory+19Dj
					; MmProtectVirtualMemory+4A4j
		shr	ecx, 7
		and	ecx, 7
		mov	ecx, ds:_MmCompatibleProtectionMask[ecx*4]
		or	ecx, 700h
		mov	eax, ecx
		or	eax, ebx
		cmp	eax, ecx
		jnz	loc_8DB7B5
		mov	eax, [edi+2Ch]
		mov	eax, [eax]
		mov	eax, [eax+1Ch]
		and	al, 0A0h
		cmp	al, 80h
		jz	loc_77B12A
		mov	ecx, edi
		call	_MiVadMapsLargeImage@4 ; MiVadMapsLargeImage(x)
		test	eax, eax
		jnz	loc_8DB73D
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_24], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		shr	edx, 0Ch
		call	MiGetProtoPteAddress
		mov	esi, eax
		test	esi, esi
		jz	loc_8DB7AE
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_8]
		push	eax
		push	2
		mov	ecx, edi
		call	MiGetProtoPteAddress
		mov	[ebp+var_38], eax
		test	eax, eax
		jz	loc_8DB7AE
		mov	eax, large fs:124h
		mov	ecx, [edi+2Ch]
		mov	[ebp+var_1C], 1
		mov	[ebp+var_14], eax
		mov	ecx, [ecx]
		mov	ecx, [ecx]
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [ecx+1Ch]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_18], eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_28], eax

loc_77B094:				; CODE XREF: MmProtectVirtualMemory+160966j
		cmp	eax, ecx
		jnz	loc_77B2D9
		mov	eax, [ebp+var_38]

loc_77B09F:				; CODE XREF: MmProtectVirtualMemory+4B8j
		mov	[ebp+var_2C], eax
		cmp	esi, eax
		ja	short loc_77B0E2

loc_77B0A6:				; CODE XREF: MmProtectVirtualMemory+2ADj
		mov	edx, [esi]
		nop
		mov	eax, [esi+4]
		mov	ecx, esi
		mov	[ebp+var_30], eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	loc_8DB777
		push	[ebp+var_30]
		push	edx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	[ebp+var_30], eax
		mov	eax, edx
		mov	edx, [ebp+var_30]

loc_77B0CF:				; CODE XREF: MmProtectVirtualMemory+16094Aj
		or	edx, eax
		jz	loc_8DB77F
		add	esi, 8
		cmp	esi, [ebp+var_2C]
		jbe	short loc_77B0A6

loc_77B0DF:				; CODE XREF: MmProtectVirtualMemory+160956j
		mov	ecx, [ebp+var_8]

loc_77B0E2:				; CODE XREF: MmProtectVirtualMemory+274j
		mov	eax, [ebp+var_28]
		cmp	eax, ecx
		jnz	loc_8DB78B

loc_77B0ED:				; CODE XREF: MmProtectVirtualMemory+16096Fj
		mov	esi, [ebp+var_18]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	loc_77B2BF

loc_77B104:				; CODE XREF: MmProtectVirtualMemory+496j
		mov	ecx, esi
		call	KeAbPostRelease
		nop
		mov	eax, [ebp+var_14]
		add	word ptr [eax+13Eh], 1
		jz	loc_77B2ED

loc_77B11D:				; CODE XREF: MmProtectVirtualMemory+4C3j
					; MmProtectVirtualMemory+160979j
		cmp	[ebp+var_1C], 0
		jz	loc_8DB7AE
		mov	esi, [ebp+var_3C]

loc_77B12A:				; CODE XREF: MmProtectVirtualMemory+1DCj
		mov	ecx, [ebp+var_34]
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_C]
		mov	edx, edi
		push	eax
		push	[ebp+var_10]
		push	ebx
		push	esi
		push	[ebp+arg_8]
		call	_MiSetProtectionOnSection@32 ; MiSetProtectionOnSection(x,x,x,x,x,x,x,x)

loc_77B144:				; CODE XREF: MmProtectVirtualMemory+3C2j
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8DB822
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		mov	eax, [ebp+arg_8]
		sub	esi, eax
		mov	ecx, [ebp+arg_4]
		inc	esi
		cmp	[ebp+var_20], 1
		mov	[ecx], esi
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+var_C]
		mov	[ecx], eax
		jz	loc_8DB80E

loc_77B177:				; CODE XREF: MmProtectVirtualMemory+160884j
		xor	eax, eax

loc_77B179:				; CODE XREF: MmProtectVirtualMemory+160792j
					; MmProtectVirtualMemory+1607B6j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_77B182:				; CODE XREF: MmProtectVirtualMemory+1A2j
		and	ebx, 0FFFFFFFBh
		or	ebx, 8
		jmp	loc_77AFD8
; 

loc_77B18D:				; CODE XREF: MmProtectVirtualMemory+135j
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	[ebp+arg_C]
		push	[ebp+var_28]
		push	[ebp+var_4]
		push	ebx
		push	esi
		push	[ebp+arg_8]
		push	edi
		call	_MiProtectEnclavePages@44 ; MiProtectEnclavePages(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, edi
		mov	esi, eax
		call	MiUnlockAndDereferenceVad
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_77B1BB:				; CODE XREF: MmProtectVirtualMemory+185j
		test	bl, 88h
		jnz	loc_77B2FE
		cmp	eax, 1
		jz	loc_77B2FE
		mov	eax, ecx
		and	al, 70h
		cmp	al, 40h
		jz	loc_8DB7BC
		mov	eax, [ebp+var_4]

loc_77B1DC:				; CODE XREF: MmProtectVirtualMemory+1609D9j
		mov	edx, [ebp+arg_8]
		lea	ecx, [ebp+var_20]
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	ecx
		push	ebx
		push	eax
		push	esi
		mov	ecx, edi
		call	_MiProtectPrivateMemory@32 ; MiProtectPrivateMemory(x,x,x,x,x,x,x,x)
		jmp	loc_77B144
; 

loc_77B1F7:				; CODE XREF: MmProtectVirtualMemory+116j
		test	edx, 400000h
		jnz	loc_8DB651
		mov	eax, edx
		and	eax, 0C0000h
		cmp	eax, 80000h
		jb	loc_77AF4C
		jmp	loc_8DB651
; 

loc_77B21A:				; CODE XREF: MmProtectVirtualMemory+102j
		mov	edx, [ebp+var_38]
		mov	ecx, [ebp+var_34]
		push	esi
		push	[ebp+arg_8]
		push	eax
		push	edi
		call	_MiAllowProtectionChange@24 ; MiAllowProtectionChange(x,x,x,x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_8DB81F
		mov	edx, [edi+1Ch]
		test	edx, 100h
		jnz	loc_77AF38
		call	_MiIsProcessCfgEnabled@0 ; MiIsProcessCfgEnabled()
		test	eax, eax
		jz	loc_77AF38
		cmp	[ebp+var_24], 1
		jnz	loc_77AF38
		test	dl, 8
		jnz	loc_8DB618

loc_77B265:				; CODE XREF: MmProtectVirtualMemory+16081Cj
		mov	eax, [ebp+arg_8]
		lea	edx, [ebp+var_44]
		push	0
		mov	ecx, edi
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], esi
		call	MiCommitVadCfgBits
		mov	[ebp+var_8], eax
		test	eax, eax
		jns	loc_77AF38
		jmp	loc_8DB81F
; 

loc_77B28A:				; CODE XREF: MmProtectVirtualMemory+77j
		and	ebx, 0BFFFFFFFh
		test	ebx, 0FFFFFF0Fh
		jnz	loc_8DB5BD
		mov	[ebp+var_24], 0
		jmp	loc_77AEAD
; 

loc_77B2A8:				; CODE XREF: MmProtectVirtualMemory+16Dj
		test	ecx, ecx
		jnz	short loc_77B2FE
		mov	eax, [edi+2Ch]
		mov	eax, [eax]
		test	byte ptr [eax+1Ch], 20h
		jnz	short loc_77B2FE
		mov	eax, [ebp+var_10]
		jmp	loc_77AFA3
; 

loc_77B2BF:				; CODE XREF: MmProtectVirtualMemory+2CEj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_77B104
; 

loc_77B2CB:				; CODE XREF: MmProtectVirtualMemory+1ABj
		and	ebx, 0FFFFFFBFh
		or	ebx, 80h
		jmp	loc_77AFE1
; 

loc_77B2D9:				; CODE XREF: MmProtectVirtualMemory+266j
		mov	ecx, [eax+1Ch]
		mov	eax, [eax+4]
		lea	eax, [eax+ecx*8]
		mov	ecx, [ebp+var_8]
		add	eax, 0FFFFFFF8h
		jmp	loc_77B09F
; 

loc_77B2ED:				; CODE XREF: MmProtectVirtualMemory+2E7j
		nop
		add	eax, 70h
		cmp	[eax], eax
		jz	loc_77B11D
		jmp	loc_8DB7A4
; 

loc_77B2FE:				; CODE XREF: MmProtectVirtualMemory+191j
					; MmProtectVirtualMemory+38Ej ...
		mov	ebx, 0C00000F2h
		jmp	loc_8DB822
MmProtectVirtualMemory endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateVirtualMemoryCommon proc near	; CODE XREF: MmAllocateVirtualMemory+DCp
					; NtAllocateVirtualMemory+E1p ...

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 008DB830 SIZE 0000006C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		push	ebx
		push	esi
		push	edi
		push	58h		; size_t
		lea	eax, [esp+7Ch+var_58]
		mov	[esp+7Ch+var_60], edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		mov	ebx, [ebp+arg_10]
		lea	eax, [esp+78h+var_5C]
		mov	[esp+78h+var_64], 0
		xor	edi, edi
		mov	[esp+78h+var_5C], 0
		mov	ecx, esi
		mov	[esp+78h+var_68], edi
		push	eax
		lea	eax, [esp+7Ch+var_58]
		push	eax
		push	[ebp+arg_20]
		mov	eax, [ebp+arg_4]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		mov	eax, [eax]
		push	[ebp+arg_14]
		push	ebx
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	eax
		mov	eax, [esp+0A0h+var_60]
		push	[ebp+arg_0]
		mov	edx, [eax]
		call	MiAllocateVirtualMemoryPrepare
		mov	esi, eax
		test	esi, esi
		js	short loc_77B3FD
		mov	ecx, [ebx+0Ch]
		test	ecx, ecx
		jnz	loc_8DB830

loc_77B392:				; CODE XREF: MiAllocateVirtualMemoryCommon+16052Aj
					; MiAllocateVirtualMemoryCommon+160555j
		cmp	byte ptr [ebx+1Ch], 1
		jz	loc_8DB86A

loc_77B39C:				; CODE XREF: MiAllocateVirtualMemoryCommon+160567j
		cmp	[ebp+arg_18], 0
		lea	ecx, [esp+78h+var_58]
		jl	short loc_77B3E6
		lea	eax, [esp+78h+var_64]
		mov	edx, edi
		push	eax
		call	MiAllocateVirtualMemory

loc_77B3B2:				; CODE XREF: MiAllocateVirtualMemoryCommon+DFj
		mov	esi, eax
		test	esi, esi
		js	short loc_77B3FD
		mov	ecx, [esp+78h+var_60]
		mov	eax, [esp+78h+var_64]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_4]
		mov	eax, [esp+78h+var_4C]
		mov	[ecx], eax

loc_77B3CB:				; CODE XREF: MiAllocateVirtualMemoryCommon+FAj
					; MiAllocateVirtualMemoryCommon+102j
		test	edi, edi
		jnz	loc_8DB887

loc_77B3D3:				; CODE XREF: MiAllocateVirtualMemoryCommon+16057Aj
					; MiAllocateVirtualMemoryCommon+160587j
		mov	ecx, [esp+78h+var_5C]
		test	ecx, ecx
		jnz	short loc_77B3F1

loc_77B3DB:				; CODE XREF: MiAllocateVirtualMemoryCommon+EBj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_77B3E6:				; CODE XREF: MiAllocateVirtualMemoryCommon+94j
		lea	edx, [esp+78h+var_64]
		call	MiAllocateUserStack
		jmp	short loc_77B3B2
; 

loc_77B3F1:				; CODE XREF: MiAllocateVirtualMemoryCommon+C9j
		mov	edx, 6D566D4Dh
		call	ObfDereferenceObjectWithTag
		jmp	short loc_77B3DB
; 

loc_77B3FD:				; CODE XREF: MiAllocateVirtualMemoryCommon+75j
					; MiAllocateVirtualMemoryCommon+A6j ...
		cmp	[esp+78h+var_58], 0
		jnz	short loc_77B40C
		inc	dword_6D310C
		jmp	short loc_77B3CB
; 

loc_77B40C:				; CODE XREF: MiAllocateVirtualMemoryCommon+F2j
		inc	dword_6D3110
		jmp	short loc_77B3CB
MiAllocateVirtualMemoryCommon endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateVirtualMemoryPrepare proc near ; CODE	XREF: MiAllocateVirtualMemoryCommon+6Cp

var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 008DB89C SIZE 00000321 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, large fs:124h
		mov	[esp+34h+var_18], 0
		push	ebx
		mov	ebx, [ebp+arg_24]
		mov	eax, [eax+80h]
		mov	[esp+38h+var_14], eax
		push	esi
		mov	[ebx+40h], eax
		mov	esi, edx
		mov	[esp+3Ch+var_C], esi
		push	edi
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_77B7F7

loc_77B45B:				; CODE XREF: MiAllocateVirtualMemoryPrepare+40Cj
		mov	edx, [ebp+arg_C]
		mov	ecx, edx
		mov	[ebx+3Ch], eax
		and	ecx, 7F800h
		mov	eax, [ebp+arg_4]
		and	edx, 0FFF807FFh
		mov	[ebx+10h], eax
		mov	ebx, [ebp+arg_8]
		mov	[esp+40h+var_10], ecx
		mov	[ebp+arg_C], edx
		test	ebx, 9E038FFFh
		jnz	loc_77B921
		test	ebx, 1083000h
		jz	loc_77B921
		test	ebx, 61EC4000h
		jnz	loc_77B831

loc_77B4A3:				; CODE XREF: MiAllocateVirtualMemoryPrepare+490j
					; MiAllocateVirtualMemoryPrepare+160531j ...
		test	ecx, ecx
		jnz	loc_8DB979

loc_77B4AB:				; CODE XREF: MiAllocateVirtualMemoryPrepare+16056Aj
		test	ebx, 1000h
		jz	short loc_77B4BB
		test	esi, esi
		jz	loc_77B7EC

loc_77B4BB:				; CODE XREF: MiAllocateVirtualMemoryPrepare+91j
					; MiAllocateVirtualMemoryPrepare+3D2j
		mov	edi, [ebp+arg_10]
		cmp	dword ptr [edi+0Ch], 0
		jnz	loc_8DB98F

loc_77B4C8:				; CODE XREF: MiAllocateVirtualMemoryPrepare+16057Bj
					; MiAllocateVirtualMemoryPrepare+16059Bj
		mov	eax, [edi+2Ch]
		mov	edx, [edi+28h]
		mov	[esp+40h+var_8], eax
		mov	eax, edx
		and	eax, 20h
		mov	[esp+40h+var_4], edx
		or	eax, 0
		jnz	loc_77B921
		mov	ecx, ebx
		mov	[esp+40h+var_28], 10000h
		and	ecx, 20400000h
		mov	[esp+40h+var_1C], ecx
		cmp	ecx, 20000000h
		jz	loc_8DB9C0

loc_77B504:				; CODE XREF: MiAllocateVirtualMemoryPrepare+1605A8j
		mov	eax, edx
		and	eax, 1Ah
		mov	[esp+40h+var_20], eax
		jnz	loc_8DB9CD
		mov	eax, edx
		and	eax, 4
		or	eax, 0
		jnz	loc_77B921
		cmp	ecx, 400000h
		jz	loc_8DBA08

loc_77B52D:				; CODE XREF: MiAllocateVirtualMemoryPrepare:loc_8DB9F6j
					; MiAllocateVirtualMemoryPrepare+1605F7j
		mov	eax, ebx
		and	eax, 2000h
		mov	[esp+40h+var_24], eax
		jnz	loc_77B712

loc_77B53E:				; CODE XREF: MiAllocateVirtualMemoryPrepare+2FAj
		cmp	dword ptr [edi], 0
		jnz	loc_77B921
		cmp	dword ptr [edi+4], 0
		jnz	loc_77B921
		cmp	dword ptr [edi+8], 0
		jnz	loc_77B921

loc_77B55B:				; CODE XREF: MiAllocateVirtualMemoryPrepare+2F4j
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	loc_8DBA2A

loc_77B566:				; CODE XREF: MiAllocateVirtualMemoryPrepare+160624j
					; MiAllocateVirtualMemoryPrepare+16062Cj ...
		mov	ecx, ebx
		and	ecx, 4000h
		mov	[esp+40h+var_2C], ecx
		test	ebx, 40000h
		jnz	loc_8DBA67
		test	ecx, ecx
		jnz	loc_8DBA73

loc_77B586:				; CODE XREF: MiAllocateVirtualMemoryPrepare+160680j
		test	eax, eax
		jnz	loc_77B71F
		mov	edx, 1000h
		mov	[esp+40h+var_28], edx

loc_77B597:				; CODE XREF: MiAllocateVirtualMemoryPrepare+30Fj
					; MiAllocateVirtualMemoryPrepare+1606A8j ...
		mov	ecx, [edi+8]
		test	ecx, ecx
		jnz	loc_77B8BB
		mov	[edi+8], edx

loc_77B5A5:				; CODE XREF: MiAllocateVirtualMemoryPrepare+4C0j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_77B921
		test	eax, eax
		jnz	loc_77B734

loc_77B5B8:				; CODE XREF: MiAllocateVirtualMemoryPrepare+328j
					; MiAllocateVirtualMemoryPrepare+1606F3j
		mov	eax, ds:_MmHighestUserAddress
		cmp	esi, eax
		ja	loc_77B921
		sub	eax, esi
		inc	eax
		cmp	eax, ecx
		jb	loc_77B921
		cmp	[esp+40h+var_24], 0
		lea	edx, [esi+ecx]
		jnz	loc_77B753
		cmp	ebx, 80000h
		jz	loc_77B8E5
		cmp	ebx, 1000000h
		jz	loc_77B8E5
		mov	ecx, [esp+40h+var_28]
		dec	edx
		add	edx, ecx
		lea	eax, [ecx-1]
		not	eax
		and	esi, eax
		and	edx, eax

loc_77B606:				; CODE XREF: MiAllocateVirtualMemoryPrepare+379j
					; MiAllocateVirtualMemoryPrepare+4D7j ...
		sub	edx, esi
		cmp	[esp+40h+var_C], 0
		jz	loc_77B79E
		mov	[edi], esi

loc_77B615:				; CODE XREF: MiAllocateVirtualMemoryPrepare+380j
		mov	eax, [edi+8]
		mov	[esp+40h+var_28], eax
		dec	eax
		test	eax, esi
		jnz	loc_77B921
		mov	ecx, [edi+4]
		test	ecx, ecx
		jnz	loc_8DBB6D
		cmp	[esp+40h+var_24], ecx
		jnz	loc_77B7A5

loc_77B63A:				; CODE XREF: MiAllocateVirtualMemoryPrepare+38Aj
					; MiAllocateVirtualMemoryPrepare+395j
		lea	ecx, [esi+edx]
		cmp	ecx, esi
		jb	loc_77B921
		dec	ecx
		mov	[edi+4], ecx
		cmp	ecx, ds:_MmHighestUserAddress
		ja	loc_77B921

loc_77B655:				; CODE XREF: MiAllocateVirtualMemoryPrepare+3C1j
					; MiAllocateVirtualMemoryPrepare+160730j ...
		cmp	esi, ecx
		jnb	loc_77B921
		mov	eax, ecx
		sub	eax, esi
		inc	eax
		cmp	eax, edx
		jb	loc_77B921
		test	bl, 7Fh
		jnz	loc_77B921
		mov	eax, [edi+10h]
		mov	[esp+40h+var_C], eax
		movzx	eax, ds:_KeNumberNodes
		cmp	[esp+40h+var_C], eax
		ja	loc_77B921
		mov	al, [edi+1Dh]
		mov	[esp+40h+var_2D], al
		cmp	al, 1
		jz	loc_8DBB8C

loc_77B69A:				; CODE XREF: MiAllocateVirtualMemoryPrepare+160771j
					; MiAllocateVirtualMemoryPrepare+160785j
		mov	eax, [ebp+arg_24]
		and	ebx, 0FFFBBFFFh
		mov	[eax], esi
		mov	esi, eax
		mov	eax, [esp+40h+var_28]
		mov	[esi+8], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+18h], eax
		mov	eax, [esp+40h+var_10]
		mov	[esi+1Ch], eax
		mov	eax, [esp+40h+var_C]
		mov	[esi+20h], eax
		mov	al, [esp+40h+var_2D]
		mov	[esi+24h], al
		mov	eax, [ebp+arg_14]
		mov	[esi+44h], al
		mov	eax, [ebp+arg_18]
		or	[esi+28h], eax
		mov	eax, [ebp+arg_1C]
		mov	[esi+34h], eax
		mov	eax, [ebp+arg_20]
		mov	[esi+38h], eax
		mov	eax, [edi+18h]
		mov	[esi+48h], eax
		mov	eax, [esp+40h+var_4]
		mov	[esi+50h], eax
		mov	eax, [esp+40h+var_8]
		mov	[esi+54h], eax
		mov	eax, [ebp+arg_28]
		mov	[esi+4], ecx
		mov	ecx, [esp+40h+var_18]
		mov	[esi+0Ch], edx
		mov	[eax], ecx
		xor	eax, eax
		mov	[esi+14h], ebx

loc_77B709:				; CODE XREF: MiAllocateVirtualMemoryPrepare+510j
					; MiAllocateVirtualMemoryPrepare+160798j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_77B712:				; CODE XREF: MiAllocateVirtualMemoryPrepare+118j
		test	esi, esi
		jz	loc_77B55B
		jmp	loc_77B53E
; 

loc_77B71F:				; CODE XREF: MiAllocateVirtualMemoryPrepare+168j
		test	ebx, 40000000h
		jnz	loc_8DBACD

loc_77B72B:				; CODE XREF: MiAllocateVirtualMemoryPrepare+16068Bj
					; MiAllocateVirtualMemoryPrepare+160699j
		mov	edx, [esp+40h+var_28]
		jmp	loc_77B597
; 

loc_77B734:				; CODE XREF: MiAllocateVirtualMemoryPrepare+192j
		mov	eax, [esp+40h+var_1C]
		cmp	eax, 20400000h
		jz	loc_8DBB08
		cmp	eax, 20000000h
		jnz	loc_77B5B8
		jmp	loc_8DBB08
; 

loc_77B753:				; CODE XREF: MiAllocateVirtualMemoryPrepare+1B8j
		test	ebx, 40000000h
		jnz	loc_8DBB18
		mov	eax, [esp+40h+var_28]
		dec	eax
		cmp	[esp+40h+var_2C], 0
		jnz	loc_8DBB2C
		not	eax
		and	esi, eax
		mov	eax, [esp+40h+var_1C]
		cmp	eax, 20400000h
		jz	loc_8DBB3C
		cmp	eax, 20000000h
		jz	loc_8DBB3C
		add	edx, 0FFFh
		and	edx, 0FFFFF000h
		jmp	loc_77B606
; 

loc_77B79E:				; CODE XREF: MiAllocateVirtualMemoryPrepare+1EDj
		mov	esi, [edi]
		jmp	loc_77B615
; 

loc_77B7A5:				; CODE XREF: MiAllocateVirtualMemoryPrepare+214j
		cmp	[esp+40h+var_C], 0
		jnz	loc_77B63A
		cmp	[esp+40h+var_2C], 0
		jnz	loc_77B63A
		mov	eax, [esp+40h+var_14]
		mov	ecx, ds:_MmHighestUserAddress
		mov	eax, [eax+1CCh]
		mov	[esp+40h+var_C], eax
		dec	eax
		cmp	ecx, eax
		ja	loc_8DBB44

loc_77B7D8:				; CODE XREF: MiAllocateVirtualMemoryPrepare+160729j
		mov	eax, [esp+40h+var_20]
		mov	[edi+4], ecx
		test	eax, eax
		jz	loc_77B655
		jmp	loc_8DBB4E
; 

loc_77B7EC:				; CODE XREF: MiAllocateVirtualMemoryPrepare+95j
		or	ebx, 2000h
		jmp	loc_77B4BB
; 

loc_77B7F7:				; CODE XREF: MiAllocateVirtualMemoryPrepare+35j
		mov	eax, ds:_PsProcessType
		lea	edx, [esp+40h+var_18]
		push	0
		push	0
		push	edx
		push	6D566D4Dh
		push	[ebp+arg_14]
		mov	edx, 8
		push	eax
		call	ObpReferenceObjectByHandleWithTag
		mov	[esp+40h+var_2C], eax
		test	eax, eax
		js	loc_77B92A
		mov	eax, [esp+40h+var_18]
		mov	[esp+40h+var_14], eax
		jmp	loc_77B45B
; 

loc_77B831:				; CODE XREF: MiAllocateVirtualMemoryPrepare+7Dj
		test	ebx, 80000h
		jz	short loc_77B845
		cmp	ebx, 80000h
		jnz	loc_77B921

loc_77B845:				; CODE XREF: MiAllocateVirtualMemoryPrepare+417j
		test	ebx, 1000000h
		jnz	loc_8DB89C

loc_77B851:				; CODE XREF: MiAllocateVirtualMemoryPrepare+160488j
		test	ebx, 200000h
		jnz	loc_77B904

loc_77B85D:				; CODE XREF: MiAllocateVirtualMemoryPrepare+4FBj
		mov	eax, ebx
		and	eax, 20400000h
		cmp	eax, 20400000h
		jz	loc_8DB8AD
		cmp	eax, 20000000h
		jz	loc_8DB8BE

loc_77B87A:				; CODE XREF: MiAllocateVirtualMemoryPrepare+160493j
					; MiAllocateVirtualMemoryPrepare+1604AAj
		test	ebx, (offset loc_7FFFFF+1)
		jnz	loc_77B93B
		cmp	eax, 400000h
		jz	loc_8DB8CF
		test	ebx, 40000000h
		jnz	loc_8DB91C

loc_77B89D:				; CODE XREF: MiAllocateVirtualMemoryPrepare+529j
					; MiAllocateVirtualMemoryPrepare+160502j ...
		test	ebx, 40000h
		jnz	loc_8DB936
		mov	eax, ebx
		and	eax, 4000h
		jz	loc_77B4A3
		jmp	loc_8DB95C
; 

loc_77B8BB:				; CODE XREF: MiAllocateVirtualMemoryPrepare+17Cj
		cmp	ecx, edx
		jb	short loc_77B921
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	short loc_77B921
		mov	eax, ds:_MmHighestUserAddress
		inc	eax
		cmp	ecx, eax
		jnb	short loc_77B921
		test	ebx, 40000000h
		jnz	loc_8DBAF7

loc_77B8DC:				; CODE XREF: MiAllocateVirtualMemoryPrepare+1606E3j
		mov	eax, [esp+40h+var_24]
		jmp	loc_77B5A5
; 

loc_77B8E5:				; CODE XREF: MiAllocateVirtualMemoryPrepare+1C4j
					; MiAllocateVirtualMemoryPrepare+1D0j
		mov	ecx, [esp+40h+var_28]
		dec	esi
		add	esi, ecx
		lea	eax, [ecx-1]
		not	eax
		and	esi, eax
		and	edx, eax
		cmp	esi, edx
		jb	loc_77B606
		mov	eax, 0C0000018h
		jmp	short loc_77B926
; 

loc_77B904:				; CODE XREF: MiAllocateVirtualMemoryPrepare+437j
		test	[ebp+arg_18], 90000000h
		jnz	short loc_77B921
		test	ebx, 2000h
		jz	short loc_77B921
		test	ebx, (offset loc_83FFFB+5)
		jz	loc_77B85D

loc_77B921:				; CODE XREF: MiAllocateVirtualMemoryPrepare+65j
					; MiAllocateVirtualMemoryPrepare+71j ...
		mov	eax, 0C000000Dh

loc_77B926:				; CODE XREF: MiAllocateVirtualMemoryPrepare+4E2j
					; MiAllocateVirtualMemoryPrepare+534j ...
		mov	[esp+40h+var_2C], eax

loc_77B92A:				; CODE XREF: MiAllocateVirtualMemoryPrepare+3FEj
					; MiAllocateVirtualMemoryPrepare+160564j ...
		mov	ecx, [esp+40h+var_18]
		test	ecx, ecx
		jz	loc_77B709
		jmp	loc_8DBBAA
; 

loc_77B93B:				; CODE XREF: MiAllocateVirtualMemoryPrepare+460j
		test	ebx, 40400000h
		jnz	short loc_77B921
		test	edx, 0FFFFF9F9h
		jz	loc_77B89D

loc_77B94F:				; CODE XREF: MiAllocateVirtualMemoryPrepare+1604D1j
					; MiAllocateVirtualMemoryPrepare+1604DFj
		mov	eax, 0C0000045h
		jmp	short loc_77B926
MiAllocateVirtualMemoryPrepare endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateVirtualMemory	proc near	; CODE XREF: MiAllocateVirtualMemoryCommon+9Dp
					; MmStoreAllocateVirtualMemory+9Fp ...

var_AC		= dword	ptr -0ACh
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DBBBD SIZE 000003FA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		xor	eax, eax
		mov	[ebp+var_3C], edx
		mov	[ebp+var_54], 0
		mov	[ebp+var_4C], 0
		mov	[ebp+var_58], 0
		mov	[ebp+var_5C], 0
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_48], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_40], ebx
		push	esi
		mov	esi, ecx
		mov	[ebx], eax
		push	edi
		test	edx, edx
		jnz	loc_8DBBBD

loc_77B9C0:				; CODE XREF: MiAllocateVirtualMemory+160260j
					; MiAllocateVirtualMemory+160278j
		mov	eax, large fs:124h
		mov	edx, [esi+4]
		sub	edx, [esi]
		mov	ecx, [esi+18h]
		inc	edx
		sub	edx, [esi+0Ch]
		neg	edx
		mov	[ebp+var_50], eax
		mov	byte ptr [ebp+var_34], 1
		sbb	edx, edx
		mov	[ebp+var_25], 0
		and	edx, 0FFFFFFFEh
		add	edx, 2
		mov	[ebp+var_30], edx
		test	ecx, 40000000h
		jnz	loc_77BD68

loc_77B9F6:				; CODE XREF: MiAllocateVirtualMemory+41Ej
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		mov	[ebp+var_2C], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_8DBBDD
		mov	ecx, [esi+3Ch]
		cmp	[esi+40h], ecx
		jnz	loc_77BD40

loc_77BA13:				; CODE XREF: MiAllocateVirtualMemory+3F4j
		test	dword ptr [esi+28h], 4000000h
		mov	[ebp+var_24], 0
		jnz	loc_8DBBE7

loc_77BA27:				; CODE XREF: MiAllocateVirtualMemory+16028Aj
		mov	edi, [esi+14h]
		test	edi, 40000000h
		jnz	loc_8DBBFA

loc_77BA36:				; CODE XREF: MiAllocateVirtualMemory+1602A4j
		mov	eax, [esi+50h]
		and	eax, 1Ah
		jnz	loc_8DBC14
		and	edi, 20400000h
		cmp	edi, 20000000h
		jz	loc_8DBC59

loc_77BA54:				; CODE XREF: MiAllocateVirtualMemory+1602F3j
					; MiAllocateVirtualMemory+1602FFj
		cmp	edx, 10h
		jnb	loc_8DBC64

loc_77BA5D:				; CODE XREF: MiAllocateVirtualMemory+16031Cj
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	[ebp+var_74], eax
		movzx	ecx, word ptr [eax]
		mov	[ebp+var_48], ecx
		mov	ecx, [esi+14h]
		test	ecx, 2000h
		jnz	loc_77BC01
		test	ecx, 40000000h
		jnz	loc_8DBC8C
		cmp	dword ptr [esi+38h], 0
		jnz	loc_8DBC96
		mov	ecx, [esi]
		mov	eax, ecx
		mov	edx, [esi+4]
		mov	edi, edx
		shr	eax, 0Ch
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_38], edx
		xor	edx, edx
		shr	edi, 0Ch
		push	eax
		mov	[ebp+var_24], ecx
		mov	[ebp+var_64], edi
		call	MiObtainReferencedVadEx
		mov	ebx, eax
		mov	[ebp+var_44], ebx
		test	ebx, ebx
		jz	loc_8DBCA0
		cmp	edi, [ebx+10h]
		ja	loc_8DBCB9
		mov	eax, [ebx+1Ch]
		and	eax, 1100000h
		cmp	eax, 1100000h
		jz	short loc_77BAE5
		cmp	dword ptr [esi+1Ch], 0
		jnz	loc_8DBCC3

loc_77BAE5:				; CODE XREF: MiAllocateVirtualMemory+179j
		mov	eax, [ebp+var_40]
		mov	edx, [ebp+var_24]
		mov	[eax], edx
		mov	ecx, [ebx+1Ch]
		mov	eax, ecx
		and	eax, 3100000h
		cmp	eax, 2100000h
		jz	loc_8DBCCD

loc_77BB02:				; CODE XREF: MiAllocateVirtualMemory+160393j
		mov	ecx, ebx
		call	_MiVadSupportsPrivateCommit@4 ;	MiVadSupportsPrivateCommit(x)
		test	eax, eax
		jz	loc_8DBD03

loc_77BB11:				; CODE XREF: MiAllocateVirtualMemory+1603D0j
		mov	eax, [ebx+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jnb	loc_8DBD40
		mov	eax, [ebx+1Ch]
		and	al, 70h
		cmp	al, 40h
		jz	loc_77BDD3
		mov	eax, [ebp+var_2C]

loc_77BB34:				; CODE XREF: MiAllocateVirtualMemory+4B9j
		mov	ecx, [esi+14h]
		test	ecx, 1080000h
		jnz	loc_77BD83
		test	al, 2
		jnz	loc_77BC56

loc_77BB4B:				; CODE XREF: MiAllocateVirtualMemory+320j
					; MiAllocateVirtualMemory+32Dj	...
		mov	ecx, [ebx+1Ch]
		mov	edx, [esi+18h]
		test	ecx, 100000h
		jz	loc_77BCCA
		test	dl, 88h
		jnz	loc_77BE1F
		mov	eax, ecx
		and	al, 70h
		cmp	al, 40h
		jz	loc_77BE40

loc_77BB72:				; CODE XREF: MiAllocateVirtualMemory+4E6j
		test	cl, 8
		jnz	loc_77BE4E

loc_77BB7B:				; CODE XREF: MiAllocateVirtualMemory+516j
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_5C]
		mov	ecx, ebx
		push	eax
		push	[ebp+var_3C]
		movzx	eax, byte ptr [esi+24h]
		push	eax
		mov	eax, [esi+54h]
		push	eax
		mov	eax, [esi+50h]
		push	eax
		mov	eax, [esi+1Ch]
		push	eax
		mov	eax, [esi+18h]
		push	eax
		mov	eax, [esi+0Ch]
		push	eax
		call	_MiCommitExistingVad@44	; MiCommitExistingVad(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_77BE24
		mov	ecx, ebx
		call	MiUnlockAndDereferenceVad
		cmp	[ebp+var_5C], 1
		jz	loc_77BD9A

loc_77BBC4:				; CODE XREF: MiAllocateVirtualMemory+3DBj
					; MiAllocateVirtualMemory+46Ej
		mov	ebx, [ebp+var_40]

loc_77BBC7:				; CODE XREF: MiAllocateVirtualMemory+2BDj
		test	dword ptr ds:byte_70EFC4, 8000h
		jnz	loc_8DBF2D

loc_77BBD7:				; CODE XREF: MiAllocateVirtualMemory+1605FCj
					; MiAllocateVirtualMemory+160606j ...
		test	byte ptr [ebp+var_30], 1
		jnz	loc_77BD59

loc_77BBE1:				; CODE XREF: MiAllocateVirtualMemory+403j
		test	byte ptr [ebp+var_2C], 2
		jnz	short loc_77BC3A

loc_77BBE7:				; CODE XREF: MiAllocateVirtualMemory+2F4j
		mov	eax, [ebp+var_24]
		mov	[ebx], eax

loc_77BBEC:				; CODE XREF: MiAllocateVirtualMemory+2D3j
					; MiAllocateVirtualMemory+160652j
		mov	eax, edi

loc_77BBEE:				; CODE XREF: MiAllocateVirtualMemory+160282j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_77BC01:				; CODE XREF: MiAllocateVirtualMemory+114j
		mov	edx, [ebp+var_3C]
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_24]
		mov	ecx, esi
		push	eax
		push	[ebp+var_34]
		push	[ebp+var_2C]
		call	MiReserveUserMemory
		mov	edi, eax
		test	edi, edi
		jns	short loc_77BBC7

loc_77BC1F:				; CODE XREF: MiAllocateVirtualMemory+4CBj
					; MiAllocateVirtualMemory+160295j ...
		test	dword ptr ds:byte_70EFC4, 8000h
		jnz	loc_8DBF7D

loc_77BC2F:				; CODE XREF: MiAllocateVirtualMemory+160624j
					; MiAllocateVirtualMemory+160630j ...
		test	byte ptr [ebp+var_30], 1
		jz	short loc_77BBEC
		jmp	loc_8DBFA8
; 

loc_77BC3A:				; CODE XREF: MiAllocateVirtualMemory+285j
		mov	eax, [esi+18h]
		mov	dl, [esi+44h]
		mov	ecx, [esi+3Ch]
		push	eax
		mov	eax, [esi+14h]
		push	eax
		mov	eax, [esi+10h]
		push	eax
		push	[ebp+var_24]
		call	EtwTiLogAllocExecVm
		jmp	short loc_77BBE7
; 

loc_77BC56:				; CODE XREF: MiAllocateVirtualMemory+1E5j
		push	[ebp+var_38]
		mov	edx, [esi+40h]
		push	[ebp+var_24]
		mov	ecx, [esi+3Ch]
		push	eax
		push	ebx
		call	_MiAllowProtectionChange@24 ; MiAllowProtectionChange(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_77BE24
		cmp	byte ptr [ebp+var_34], 0
		jz	short loc_77BC86
		test	dword ptr [ebx+1Ch], 100h
		jnz	loc_77BB4B

loc_77BC86:				; CODE XREF: MiAllocateVirtualMemory+317j
		call	_MiIsProcessCfgEnabled@0 ; MiIsProcessCfgEnabled()
		test	eax, eax
		jz	loc_77BB4B
		test	byte ptr [ebx+1Ch], 8
		jnz	loc_8DBD61

loc_77BC9D:				; CODE XREF: MiAllocateVirtualMemory+160425j
		mov	eax, [ebp+var_24]
		lea	edx, [ebp+var_7C]
		mov	[ebp+var_7C], eax
		mov	ecx, ebx
		mov	eax, [ebp+var_38]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_34]
		push	eax
		call	MiCommitVadCfgBits
		mov	edi, eax
		test	edi, edi
		js	loc_77BE24
		mov	[ebp+var_25], 1
		jmp	loc_77BB4B
; 

loc_77BCCA:				; CODE XREF: MiAllocateVirtualMemory+1F7j
		test	edx, 600h
		jnz	loc_77BE1F
		test	cl, 8
		setnz	cl
		test	byte ptr [ebp+var_30], 4
		setz	al
		test	cl, al
		jnz	loc_77BE7E

loc_77BCEB:				; CODE XREF: MiAllocateVirtualMemory+538j
		mov	eax, [ebx+2Ch]
		mov	ecx, [eax]
		mov	[ebp+var_3C], ecx
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ax, [eax]
		movzx	eax, ax
		mov	[ebp+var_48], eax
		cmp	dword ptr [ecx+20h], 0
		jnz	loc_8DBD8A
		mov	ecx, [esi+3Ch]
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_58]
		mov	edx, ebx
		push	eax
		mov	eax, [esi+18h]
		sub	esp, 8
		push	eax
		push	[ebp+var_38]
		push	[ebp+var_24]
		call	MiCommitPagefileBackedSection

loc_77BD2A:				; CODE XREF: MiAllocateVirtualMemory+438j
					; MiAllocateVirtualMemory+160387j
		mov	edi, eax
		test	edi, edi
		js	loc_77BE24
		mov	ecx, ebx
		call	MiUnlockAndDereferenceVad
		jmp	loc_77BBC4
; 

loc_77BD40:				; CODE XREF: MiAllocateVirtualMemory+ADj
		lea	eax, [ebp+var_20]
		xor	edx, edx
		push	eax
		call	KiStackAttachProcess
		mov	edx, [ebp+var_30]
		or	edx, 1
		mov	[ebp+var_30], edx
		jmp	loc_77BA13
; 

loc_77BD59:				; CODE XREF: MiAllocateVirtualMemory+27Bj
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_77BBE1
; 

loc_77BD68:				; CODE XREF: MiAllocateVirtualMemory+90j
		test	cl, 0F0h
		jz	loc_8DBBDD
		and	ecx, 0BFFFFFFFh
		mov	byte ptr [ebp+var_34], 0
		mov	[esi+18h], ecx
		jmp	loc_77B9F6
; 

loc_77BD83:				; CODE XREF: MiAllocateVirtualMemory+1DDj
		movzx	eax, byte ptr [esi+44h]
		mov	edx, [ebp+var_24]
		push	eax
		push	ecx
		mov	ecx, [esi+40h]
		push	ebx
		push	[ebp+var_38]
		call	MiResetVirtualMemory
		jmp	short loc_77BD2A
; 

loc_77BD9A:				; CODE XREF: MiAllocateVirtualMemory+25Ej
		cmp	[ebp+var_25], 0
		mov	eax, [ebp+var_24]
		mov	[ebp+var_70], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_6C], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_68], 0
		jnz	short loc_77BE30

loc_77BDB6:				; CODE XREF: MiAllocateVirtualMemory+4D4j
					; MiAllocateVirtualMemory+4DBj
		mov	edx, [esi+3Ch]
		lea	ecx, [ebp+var_68]
		push	ecx
		mov	ecx, [esi+40h]
		push	eax
		lea	eax, [ebp+var_6C]
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		call	MmProtectVirtualMemory
		jmp	loc_77BBC4
; 

loc_77BDD3:				; CODE XREF: MiAllocateVirtualMemory+1CBj
		mov	edx, [esi+18h]
		and	edx, 0FFFFF9FFh
		mov	[esi+18h], edx
		mov	eax, [ebx+1Ch]
		mov	edi, eax
		and	edi, 0C00h
		test	eax, 380h
		setnz	cl
		cmp	edi, 0C00h
		setz	al
		test	cl, al
		jz	loc_8DBD4A
		or	edx, 400h

loc_77BE09:				; CODE XREF: MiAllocateVirtualMemory+1603FCj
		mov	[esi+18h], edx

loc_77BE0C:				; CODE XREF: MiAllocateVirtualMemory+1603F0j
		mov	ecx, edx
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		mov	[ebp+var_2C], eax
		cmp	eax, 0FFFFFFFFh
		jnz	loc_77BB34

loc_77BE1F:				; CODE XREF: MiAllocateVirtualMemory+200j
					; MiAllocateVirtualMemory+370j	...
		mov	edi, 0C0000045h

loc_77BE24:				; CODE XREF: MiAllocateVirtualMemory+24Dj
					; MiAllocateVirtualMemory+30Dj	...
		mov	ecx, ebx
		call	MiUnlockAndDereferenceVad
		jmp	loc_77BC1F
; 

loc_77BE30:				; CODE XREF: MiAllocateVirtualMemory+454j
		cmp	byte ptr [ebp+var_34], 0
		jnz	short loc_77BDB6
		or	eax, 40000000h
		jmp	loc_77BDB6
; 

loc_77BE40:				; CODE XREF: MiAllocateVirtualMemory+20Cj
		test	edx, 0FFFFF9F9h
		jz	loc_77BB72
		jmp	short loc_77BE1F
; 

loc_77BE4E:				; CODE XREF: MiAllocateVirtualMemory+215j
		mov	edx, 40h
		mov	ecx, ebx
		call	_MiLocateVadEvent@8 ; MiLocateVadEvent(x,x)
		test	eax, eax
		jnz	short loc_77BE1F
		movzx	eax, byte ptr [esi+44h]
		mov	edx, [ebp+var_24]
		push	eax
		push	[ebp+var_2C]
		mov	eax, [esi+0Ch]
		push	eax
		call	MiCheckSecuredVad
		mov	edi, eax
		test	edi, edi
		jns	loc_77BB7B
		jmp	short loc_77BE24
; 

loc_77BE7E:				; CODE XREF: MiAllocateVirtualMemory+385j
		movzx	eax, byte ptr [esi+44h]
		mov	ecx, ebx
		mov	edx, [ebp+var_24]
		push	eax
		push	[ebp+var_2C]
		mov	eax, [esi+0Ch]
		push	eax
		call	MiCheckSecuredVad
		mov	edi, eax
		test	edi, edi
		jns	loc_77BCEB
		jmp	short loc_77BE24
MiAllocateVirtualMemory	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtProtectVirtualMemory proc near	; DATA XREF: .text:00580EBCo

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008DBFB7 SIZE 0000002B BYTES
; FUNCTION CHUNK AT 008DC004 SIZE 00000032 BYTES
; FUNCTION CHUNK AT 008DC04E SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1170
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_64], eax
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_58], ecx
		mov	ebx, [ebp+arg_8]
		mov	[ebp+var_68], ebx
		mov	esi, [ebp+arg_10]
		mov	[ebp+var_6C], esi
		xor	eax, eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_48], eax
		mov	edi, [ebp+arg_C]
		cmp	edi, 80000000h
		jz	loc_8DBFC1
		cmp	edi, 10000000h
		jz	loc_8DBFC1
		mov	ecx, edi
		and	ecx, 0FF807FFh
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		mov	edx, eax
		mov	[ebp+var_50], edx
		cmp	edx, 0FFFFFFFFh
		jz	loc_8DBFB7
		mov	ecx, [ebp+var_58]

loc_77BF49:				; CODE XREF: NtProtectVirtualMemory+160128j
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		mov	[ebp+var_4C], edx
		mov	al, [eax+15Ah]
		mov	[ebp+var_35], al
		mov	byte ptr [ebp+var_60], al
		test	al, al
		jz	loc_77C0BE
		mov	[ebp+var_4], 0
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8DBFCD

loc_77BF82:				; CODE XREF: NtProtectVirtualMemory+16012Fj
		mov	eax, [edx]
		mov	[edx], eax
		mov	edx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8DBFD4

loc_77BF95:				; CODE XREF: NtProtectVirtualMemory+160136j
		mov	eax, [edx]
		mov	[edx], eax
		mov	edx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8DBFDB

loc_77BFA8:				; CODE XREF: NtProtectVirtualMemory+16013Dj
		mov	eax, [edx]
		mov	[edx], eax
		mov	ecx, [ecx]
		mov	[ebp+var_3C], ecx
		mov	edx, [ebx]
		mov	[ebp+var_54], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_4], 0FFFFFFFEh

loc_77BFC0:				; CODE XREF: NtProtectVirtualMemory+22Bj
		mov	eax, ds:_MmHighestUserAddress
		cmp	ecx, eax
		ja	loc_8DC004
		sub	eax, ecx
		inc	eax
		cmp	eax, edx
		jb	loc_8DC04E
		test	edx, edx
		jz	loc_8DC04E
		push	0
		lea	eax, [ebp+var_40]
		push	eax
		push	76506D4Dh
		push	[ebp+var_60]
		mov	eax, ds:_PsProcessType
		push	eax
		push	8
		push	[ebp+var_64]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_77C08C
		mov	esi, [ebp+var_40]
		mov	ebx, [ebp+var_4C]
		cmp	ebx, esi
		jnz	loc_8DC00E
		mov	[ebp+var_40], 0

loc_77C01B:				; CODE XREF: NtProtectVirtualMemory+160182j
		lea	eax, [ebp+var_48]
		push	eax
		push	edi
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	MmProtectVirtualMemory
		mov	ebx, eax
		mov	[ebp+var_4C], ebx
		cmp	[ebp+var_40], 0
		jnz	loc_8DC027

loc_77C040:				; CODE XREF: NtProtectVirtualMemory+160191j
		test	ebx, ebx
		js	short loc_77C058
		mov	edx, [ebp+var_48]
		mov	ecx, edx
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		mov	ecx, [ebp+var_50]
		or	ecx, eax
		test	cl, 2
		jnz	short loc_77C0AA

loc_77C058:				; CODE XREF: NtProtectVirtualMemory+1A2j
					; NtProtectVirtualMemory+21Cj
		mov	edx, 76506D4Dh
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_44]
		mov	ecx, [ebp+var_68]
		mov	[ecx], eax
		mov	eax, [ebp+var_3C]
		mov	ecx, [ebp+var_58]
		mov	[ecx], eax
		mov	eax, [ebp+var_48]
		mov	ecx, [ebp+var_6C]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_77C08A:				; CODE XREF: sub_8DC03C+Dj
		mov	eax, ebx

loc_77C08C:				; CODE XREF: NtProtectVirtualMemory+160j
					; NtProtectVirtualMemory+16011Cj ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_77C0AA:				; CODE XREF: NtProtectVirtualMemory+1B6j
		push	edx
		push	edi
		push	[ebp+var_54]
		push	[ebp+var_3C]
		mov	dl, [ebp+var_35]
		mov	ecx, esi
		call	EtwTiLogProtectExecVm
		jmp	short loc_77C058
; 

loc_77C0BE:				; CODE XREF: NtProtectVirtualMemory+C6j
		mov	edx, [ebx]
		mov	[ebp+var_54], edx
		mov	[ebp+var_44], edx
		mov	ecx, [ecx]
		mov	[ebp+var_3C], ecx
		jmp	loc_77BFC0
NtProtectVirtualMemory endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiChargeFullProcessCommitment proc near	; CODE XREF: MiMakeHyperRangeAccessible+1A7p
					; MiSplitPrivatePage(x,x,x)+6Ep ...

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 008DC058 SIZE 00000087 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1], 0
		push	edi
		mov	edi, edx
		cmp	esi, ds:_PsInitialSystemProcess
		jz	short loc_77C103
		mov	ecx, [esi+188h]
		mov	edx, esi
		push	edi
		push	2
		call	@PspChargeQuota@16 ; PspChargeQuota(x,x,x,x)
		test	eax, eax
		js	loc_8DC058

loc_77C103:				; CODE XREF: MiChargeFullProcessCommitment+19j
		mov	edx, edi
		mov	[ebp+var_1], 1
		mov	ecx, esi
		call	MiChargeProcessCommitment
		test	eax, eax
		jz	loc_8DC064
		test	byte ptr [esi+0F8h], 10h
		mov	[ebp+var_1], 3
		jz	short loc_77C140
		push	0
		push	esi
		mov	edx, edi
		mov	ecx, 2
		call	PspChangeJobMemoryUsageByProcess
		test	al, al
		jz	loc_8DC06B
		mov	[ebp+var_1], 7

loc_77C140:				; CODE XREF: MiChargeFullProcessCommitment+53j
		push	0
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	edx, edi
		mov	ecx, eax
		call	MiChargeCommit
		test	eax, eax
		jz	loc_8DC072
		xor	eax, eax

loc_77C15A:				; CODE XREF: MiChargeFullProcessCommitment+16000Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
MiChargeFullProcessCommitment endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFindEmptyAddressRange	proc near	; CODE XREF: MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)+7Ep
					; MiMapViewOfDataSection+39Dp

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008DC0DF SIZE 000000A7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_C]
		mov	eax, ecx
		sub	eax, ebx
		push	edi
		mov	edi, edx
		inc	eax
		mov	[ebp+var_C], edi
		cmp	eax, edi
		jb	loc_77C3B6
		test	byte ptr [ebp+arg_10], 2
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_18]
		mov	dword ptr [eax], 1
		jnz	loc_77C368
		mov	[ebp+arg_10], 0
		mov	[ebp+var_4], 0
		mov	[ebp+var_8], 0

loc_77C1CC:				; CODE XREF: MiFindEmptyAddressRange+20Ej
					; MiFindEmptyAddressRange+15FF76j
		cmp	[ebp+arg_4], 0
		mov	edx, [ebp+arg_0]
		jnz	loc_77C2BC
		cmp	edx, 10000h
		jnz	loc_77C389
		add	edi, 0FFFFh

loc_77C1EB:				; CODE XREF: MiFindEmptyAddressRange+22Fj
		shr	edi, 10h
		test	ebx, ebx
		jnz	loc_77C2B9
		mov	eax, [esi+14h]
		shl	eax, 10h
		add	eax, 0FFFFh
		cmp	ecx, eax
		jb	loc_77C2B9
		lea	esp, [esp+0]

loc_77C210:				; CODE XREF: MiFindEmptyAddressRange+15FF8Fj
		mov	eax, [esi+8]
		cmp	edi, 1
		jnz	short loc_77C267

loc_77C218:				; CODE XREF: MiFindEmptyAddressRange+FAj
					; MiFindEmptyAddressRange+FFj
		mov	ebx, [esi+4]
		sub	ebx, dword_6D2E88
		cmp	[ebp+arg_10], 1
		jz	short loc_77C271

loc_77C227:				; CODE XREF: MiFindEmptyAddressRange+110j
					; MiFindEmptyAddressRange+15FF87j
		push	eax
		push	edi
		cmp	edx, 10000h
		jnz	loc_77C3AA
		push	esi
		call	RtlFindClearBits

loc_77C23B:				; CODE XREF: MiFindEmptyAddressRange+241j
		mov	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_77C294
		cmp	[ebp+arg_10], 1
		jz	short loc_77C287

loc_77C248:				; CODE XREF: MiFindEmptyAddressRange+122j
		mov	eax, [esi+4]
		sub	eax, dword_6D2E88
		lea	ecx, [ecx+eax*8]
		mov	eax, [ebp+arg_14]
		shl	ecx, 10h
		mov	[eax], ecx
		xor	eax, eax

loc_77C25E:				; CODE XREF: MiFindEmptyAddressRange+1ADj
					; MiFindEmptyAddressRange+1CCj	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_77C267:				; CODE XREF: MiFindEmptyAddressRange+A6j
		cmp	edi, [esi+0Ch]
		jb	short loc_77C218
		mov	eax, [esi+10h]
		jmp	short loc_77C218
; 

loc_77C271:				; CODE XREF: MiFindEmptyAddressRange+B5j
		lea	ecx, [eax+ebx*8]
		cmp	ecx, [ebp+var_4]
		jb	loc_8DC0EB
		cmp	ecx, [ebp+var_8]
		jb	short loc_77C227
		jmp	loc_8DC0EB
; 

loc_77C287:				; CODE XREF: MiFindEmptyAddressRange+D6j
		lea	eax, [ecx+ebx*8]
		cmp	eax, [ebp+var_4]
		jb	short loc_77C294
		cmp	eax, [ebp+var_8]
		jb	short loc_77C248

loc_77C294:				; CODE XREF: MiFindEmptyAddressRange+D0j
					; MiFindEmptyAddressRange+11Dj
		mov	edx, edi
		mov	ecx, esi
		call	_MiExpandVadBitMap@8 ; MiExpandVadBitMap(x,x)
		cmp	eax, 1
		jz	loc_8DC0FC
		cmp	[ebp+arg_10], 1
		jz	loc_77C3B6
		mov	ebx, [ebp+arg_8]
		mov	ecx, [ebp+arg_C]
		mov	edx, [ebp+arg_0]

loc_77C2B9:				; CODE XREF: MiFindEmptyAddressRange+80j
					; MiFindEmptyAddressRange+93j
		mov	edi, [ebp+var_C]

loc_77C2BC:				; CODE XREF: MiFindEmptyAddressRange+63j
					; MiFindEmptyAddressRange+224j	...
		cmp	[ebp+arg_10], 1
		mov	eax, [ebp+arg_18]
		mov	dword ptr [eax], 0
		jz	loc_8DC104

loc_77C2CF:				; CODE XREF: MiFindEmptyAddressRange+15FF9Cj
					; MiFindEmptyAddressRange+15FFA7j
		mov	esi, [esi+1Ch]
		cmp	esi, ebx
		jbe	loc_8DC11C
		mov	eax, esi
		mov	[ebp+arg_18], eax

loc_77C2DF:				; CODE XREF: MiFindEmptyAddressRange+15FFB1j
		cmp	eax, ecx
		ja	loc_8DC126
		mov	esi, [ebp+arg_10]

loc_77C2EA:				; CODE XREF: MiFindEmptyAddressRange+160006j
					; MiFindEmptyAddressRange+160011j
		cmp	eax, ecx
		jnb	loc_77C3B6
		mov	eax, ecx
		sub	eax, [ebp+arg_18]
		inc	eax
		cmp	eax, edi
		jb	loc_77C3B6
		push	[ebp+arg_14]
		mov	eax, [ebp+var_10]
		push	ecx
		push	[ebp+arg_18]
		push	[ebp+arg_4]
		lea	ecx, [eax+350h]
		push	edx
		mov	edx, edi
		call	MiFindEmptyAddressRangeInTree
		test	eax, eax
		jns	loc_77C25E
		cmp	esi, 1
		jz	loc_77C3C0
		mov	ecx, 10000h

loc_77C331:				; CODE XREF: MiFindEmptyAddressRange+256j
		cmp	ecx, ebx
		jb	loc_77C3CB

loc_77C339:				; CODE XREF: MiFindEmptyAddressRange+25Dj
		cmp	ecx, [ebp+arg_18]
		jnb	loc_77C25E
		push	[ebp+arg_14]
		mov	edx, edi
		push	[ebp+arg_C]
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_10]
		push	[ebp+arg_0]
		lea	ecx, [ecx+350h]
		call	MiFindEmptyAddressRangeInTree
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_77C368:				; CODE XREF: MiFindEmptyAddressRange+41j
		mov	eax, [esi+20h]
		movzx	edx, word ptr [esi+1Ah]
		mov	[ebp+arg_10], 1
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx
		test	eax, eax
		jnz	loc_77C1CC
		jmp	loc_8DC0DF
; 

loc_77C389:				; CODE XREF: MiFindEmptyAddressRange+6Fj
		lea	eax, [edx-200000h]
		cmp	eax, 7FE00000h
		ja	loc_77C2BC
		lea	eax, [edx-1]
		test	eax, edi
		jz	loc_77C1EB
		jmp	loc_77C2BC
; 

loc_77C3AA:				; CODE XREF: MiFindEmptyAddressRange+BFj
		mov	ecx, esi
		call	_MiFindClearVadBitsAligned@16 ;	MiFindClearVadBitsAligned(x,x,x,x)
		jmp	loc_77C23B
; 

loc_77C3B6:				; CODE XREF: MiFindEmptyAddressRange+1Fj
					; MiFindEmptyAddressRange+13Aj	...
		mov	eax, 0C0000017h
		jmp	loc_77C25E
; 

loc_77C3C0:				; CODE XREF: MiFindEmptyAddressRange+1B6j
		mov	ecx, [ebp+var_4]
		shl	ecx, 10h
		jmp	loc_77C331
; 

loc_77C3CB:				; CODE XREF: MiFindEmptyAddressRange+1C3j
		mov	ecx, ebx
		jmp	loc_77C339
MiFindEmptyAddressRange	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRelocateImagePfn proc	near		; CODE XREF: .text:00478B3Ap
					; MiValidateInPage+20Dp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008DC186 SIZE 000000A0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ecx
		mov	[ebp+var_4], edx
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [eax+38h]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_10], eax
		mov	esi, [esi+10h]
		mov	[ebp+var_C], ebx
		mov	eax, [esi]
		cmp	edi, [esi+1Ch]
		jnb	loc_77C57C
		xor	ecx, ecx
		lea	eax, [eax+edi*4]

loc_77C412:				; CODE XREF: MiRelocateImagePfn+196j
		cmp	dword ptr [eax], 0
		jz	loc_77C56F
		mov	eax, [ebp+arg_4]
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	eax, [eax+ecx*4]
		mov	[ebp+arg_0], eax
		test	edx, edx
		jz	short loc_77C44E
		cmp	edx, 0C0000000h
		jb	loc_77C562
		cmp	edx, 0C07FFFFFh
		ja	loc_77C562

loc_77C44E:				; CODE XREF: MiRelocateImagePfn+54j
		mov	[ebp+var_8], edx
		mov	ecx, offset dword_6D35E0
		mov	edx, 1
		call	MiReservePtes
		mov	[ebp+arg_8], eax
		test	eax, eax
		jz	loc_8DC186

loc_77C46B:				; CODE XREF: MiRelocateImagePfn+15FDBAj
		mov	edx, [ebp+arg_0]
		mov	ecx, 4
		shl	eax, 9
		mov	[ebp+var_4], eax
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		mov	edx, [ebp+arg_4]
		or	eax, 0A0000000h
		mov	ecx, [ebp+arg_8]
		push	eax
		call	MiMakeValidPte
		mov	ecx, [ebp+arg_8]
		mov	[ebp+arg_4], eax
		mov	[ebp+arg_0], 0
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_8DC19F
		mov	eax, [ebp+arg_4]

loc_77C4AC:				; CODE XREF: MiRelocateImagePfn+15FDD9j
					; MiRelocateImagePfn+15FDE8j ...
		mov	[ecx+4], edx
		nop
		cmp	[ebp+arg_0], 0
		mov	[ecx], eax
		jnz	loc_8DC1FA

loc_77C4BC:				; CODE XREF: MiRelocateImagePfn+18Aj
					; MiRelocateImagePfn+15FE21j
		mov	eax, large fs:124h
		lea	ecx, [esi+0Ch]
		mov	[ebp+arg_4], eax
		mov	[ebp+arg_0], ecx
		cmp	[esi+4], eax
		jz	loc_77C559
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		call	ExAcquirePushLockSharedEx

loc_77C4E3:				; CODE XREF: MiRelocateImagePfn+180j
		mov	ecx, [esi+14h]
		test	ebx, ebx
		jnz	short loc_77C4EC
		mov	ebx, ecx

loc_77C4EC:				; CODE XREF: MiRelocateImagePfn+108j
		mov	eax, [ebp+var_C]
		push	[ebp+arg_10]
		mov	esi, [ebp+var_4]
		neg	eax
		mov	edx, [ebp+var_10]
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, esi
		push	eax
		push	ebx
		push	edi
		call	MiPerformFixups
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_77C530
		mov	ebx, [ebp+arg_0]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	short loc_77C583

loc_77C522:				; CODE XREF: MiRelocateImagePfn+1AAj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_77C530:				; CODE XREF: MiRelocateImagePfn+12Dj
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_77C54E
		cmp	ecx, [ebp+var_8]
		jz	loc_8DC206
		mov	edx, ecx
		mov	ecx, offset dword_6D35E0
		push	1
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_77C54E:				; CODE XREF: MiRelocateImagePfn+155j
					; MiRelocateImagePfn+15FE41j
		xor	eax, eax

loc_77C550:				; CODE XREF: MiRelocateImagePfn+1A1j
					; MiRelocateImagePfn+15FDB2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_77C559:				; CODE XREF: MiRelocateImagePfn+EEj
		mov	[ebp+arg_4], 0
		jmp	short loc_77C4E3
; 

loc_77C562:				; CODE XREF: MiRelocateImagePfn+5Cj
					; MiRelocateImagePfn+68j
		xor	ecx, ecx
		mov	[ebp+arg_8], ecx
		mov	[ebp+var_8], ecx
		jmp	loc_77C4BC
; 

loc_77C56F:				; CODE XREF: MiRelocateImagePfn+35j
		inc	ecx
		add	eax, 4
		cmp	ecx, 1
		jb	loc_77C412

loc_77C57C:				; CODE XREF: MiRelocateImagePfn+27j
		mov	eax, 1
		jmp	short loc_77C550
; 

loc_77C583:				; CODE XREF: MiRelocateImagePfn+140j
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_77C522
MiRelocateImagePfn endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPerformFixups	proc near		; CODE XREF: MiRelocateImagePfn+123p
					; MiRevertRelocations+70p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DC226 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, edx
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	eax, [eax+38h]
		mov	esi, ecx
		push	edi
		mov	edi, [eax+10h]
		mov	eax, [ebp+arg_0]
		cmp	eax, [edi+1Ch]
		jnb	short loc_77C611
		mov	edx, eax
		shl	edx, 0Ch
		shl	eax, 2

loc_77C5B8:				; CODE XREF: MiPerformFixups+15FC9Fj
					; MiPerformFixups+15FCBAj
		mov	[ebp+arg_0], edx
		mov	[ebp+var_4], eax
		mov	edi, edi
		mov	ebx, [edi]
		mov	ebx, [eax+ebx]
		test	ebx, ebx
		jz	short loc_77C630
		cmp	ebx, 1
		jbe	short loc_77C5E9
		cmp	byte ptr [edi+24h], 0
		mov	edx, esi
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_8]
		push	ebx
		jz	loc_8DC234
		call	MiApplyCompressedFixups

loc_77C5E6:				; CODE XREF: MiPerformFixups+15FCA9j
		mov	edx, [ebp+arg_0]

loc_77C5E9:				; CODE XREF: MiPerformFixups+3Cj
		test	bl, 1
		mov	ebx, [ebp+arg_4]
		jnz	short loc_77C61A

loc_77C5F1:				; CODE XREF: MiPerformFixups+9Ej
		mov	ecx, [edi+20h]
		mov	eax, ecx
		and	eax, 0FFFFF000h
		cmp	eax, edx
		jz	short loc_77C643

loc_77C5FF:				; CODE XREF: MiPerformFixups+BCj
		add	esi, 1000h
		test	esi, 0FFFh
		jnz	loc_8DC23E

loc_77C611:				; CODE XREF: MiPerformFixups+1Ej
					; MiPerformFixups+ACj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_77C61A:				; CODE XREF: MiPerformFixups+5Fj
		push	[ebp+arg_C]
		mov	ecx, edi
		push	[ebp+arg_8]
		push	ebx
		push	edx
		mov	edx, esi
		call	_MiApplyStraddleFixups@24 ; MiApplyStraddleFixups(x,x,x,x,x,x)
		mov	edx, [ebp+arg_0]
		jmp	short loc_77C5F1
; 

loc_77C630:				; CODE XREF: MiPerformFixups+37j
		add	esi, 1000h
		test	esi, 0FFFh
		jz	short loc_77C611
		jmp	loc_8DC226
; 

loc_77C643:				; CODE XREF: MiPerformFixups+6Dj
		and	ecx, 0FFFh
		add	[ecx+esi], ebx
		jmp	short loc_77C5FF
MiPerformFixups	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiApplyCompressedFixups	proc near	; CODE XREF: MiPerformFixups+51p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DC24F SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		mov	[ebp+var_4], 4
		mov	[ebp+var_C], eax
		push	ebx
		push	esi
		mov	eax, [eax+38h]
		mov	esi, [ebp+arg_0]
		push	edi
		mov	di, word ptr [ebp+var_4]
		mov	eax, [eax+10h]
		mov	[ebp+var_8], edx
		mov	word ptr [ebp+var_4+2],	di
		mov	bl, [eax+24h]
		mov	eax, edx
		and	bl, 0Fh
		and	esi, 0FFFFFFFEh

loc_77C686:				; CODE XREF: MiApplyCompressedFixups+A6j
		mov	dl, [esi]
		inc	esi
		mov	cl, dl
		mov	[ebp+arg_0], esi
		and	cl, 0F0h
		cmp	cl, 0F0h
		jz	short loc_77C701
		cmp	dl, 0EFh
		jz	loc_77C72C
		movzx	ecx, dl
		cmp	dl, 0EBh
		jnb	short loc_77C6F8
		mov	[ebp+var_4], ecx
		mov	di, cx

loc_77C6AD:				; CODE XREF: MiApplyCompressedFixups+DAj
		mov	word ptr [ebp+var_4+2],	di
		mov	edx, 1

loc_77C6B6:				; CODE XREF: MiApplyCompressedFixups+AFj
					; MiApplyCompressedFixups+ECj
		movzx	esi, di
		mov	edi, [ebp+var_8]
		add	edi, 1000h

loc_77C6C2:				; CODE XREF: MiApplyCompressedFixups+9Dj
		add	eax, esi
		cmp	eax, edi
		jnb	loc_8DC25F
		test	bl, bl
		jz	short loc_77C6EA
		cmp	bl, 3
		jnz	short loc_77C6EA
		mov	ecx, eax
		and	ecx, 0FFFh
		cmp	ecx, 0FFCh
		ja	short loc_77C6EA
		mov	ecx, [ebp+arg_4]
		add	[eax], ecx

loc_77C6EA:				; CODE XREF: MiApplyCompressedFixups+7Ej
					; MiApplyCompressedFixups+83j ...
		sub	edx, 1
		jnz	short loc_77C6C2
		mov	esi, [ebp+arg_0]
		mov	di, word ptr [ebp+var_4+2]
		jmp	short loc_77C686
; 

loc_77C6F8:				; CODE XREF: MiApplyCompressedFixups+55j
		mov	edx, 0EFh
		sub	edx, ecx
		jmp	short loc_77C6B6
; 

loc_77C701:				; CODE XREF: MiApplyCompressedFixups+44j
		movzx	ecx, dl
		mov	edx, 0FF0Fh
		and	cx, dx
		movzx	ecx, cx
		mov	[ebp+var_4], ecx
		mov	cl, [esi]
		test	cl, cl
		jz	short loc_77C741
		mov	di, word ptr [ebp+var_4]
		movzx	ecx, cl
		shl	cx, 4
		or	di, cx
		inc	esi
		mov	[ebp+arg_0], esi
		jmp	short loc_77C6AD
; 

loc_77C72C:				; CODE XREF: MiApplyCompressedFixups+49j
		movzx	edx, byte ptr [esi]
		cmp	edx, 4
		jbe	loc_8DC24F
		inc	esi
		mov	[ebp+arg_0], esi
		jmp	loc_77C6B6
; 

loc_77C741:				; CODE XREF: MiApplyCompressedFixups+C6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
MiApplyCompressedFixups	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSelectUserAddress(x, x, x, x, x, x, x, x,	x, x)
_MiSelectUserAddress@40	proc near	; CODE XREF: MiAllocateNewSubAllocatedRegion+C9p
					; MiMapViewOfImageSection+6EBp	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_4], edx
		push	ebx
		mov	ebx, [ebp+arg_18]
		mov	dword ptr [eax], 0
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_8], 0
		mov	edx, [eax+80h]
		mov	eax, [ebp+arg_14]
		shr	eax, 1Fh
		mov	dword ptr [ebx], 0
		jmp	short loc_77C790
; 
		align 10h

loc_77C790:				; CODE XREF: MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)+3Bj
		lea	edi, [eax+eax*8]
		mov	eax, [edx+24Ch]
		lea	edi, [edi+6]
		lea	edi, [eax+edi*4]
		test	esi, 100000h
		jnz	short loc_77C7EC
		test	dword ptr [edx+0FCh], 200000h
		jnz	short loc_77C7EC
		mov	esi, [ebp+arg_8]
		lea	eax, [ebp+var_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	eax
		push	[ebp+arg_1C]
		push	[ebp+arg_10]
		push	[ebp+arg_0]
		push	[ebp+var_4]
		push	0
		push	esi
		call	MiFindEmptyAddressRange

loc_77C7D3:				; CODE XREF: MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)+B8j
		cmp	[ebp+var_8], 1
		jnz	short loc_77C7E3
		cmp	esi, 10000h
		jnz	short loc_77C7E3
		mov	[ebx], edi

loc_77C7E3:				; CODE XREF: MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)+87j
					; MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)+8Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_77C7EC:				; CODE XREF: MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)+55j
					; MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)+61j
		push	[ebp+arg_1C]
		mov	esi, [ebp+arg_8]
		mov	ecx, edi
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_0]
		push	[ebp+var_4]
		push	0
		push	esi
		call	MiFindEmptyAddressRangeDown
		jmp	short loc_77C7D3
_MiSelectUserAddress@40	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReserveUserMemory proc near		; CODE XREF: MiAllocateVirtualMemory+2B4p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DC27C SIZE 000003F5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	eax, edx
		mov	[ebp+var_14], 0
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], 0
		mov	[ebp+var_10], 0
		push	esi
		mov	esi, ecx
		push	edi
		cmp	eax, 1
		jz	loc_8DC272
		mov	eax, [esi+3Ch]
		mov	eax, [eax+24Ch]
		add	eax, 18h
		mov	[ebp+var_2C], eax
		mov	eax, [esi+4]
		sub	eax, [esi]
		inc	eax
		cmp	eax, [esi+0Ch]
		jz	loc_8DC27C

loc_77C85E:				; CODE XREF: MiReserveUserMemory+15FA73j
		test	byte ptr [esi+18h], 88h
		jnz	loc_8DC667
		test	dword ptr [esi+28h], 20000000h
		jnz	loc_8DC288

loc_77C875:				; CODE XREF: MiReserveUserMemory+15FA88j
		test	byte ptr [ebp+arg_0], 2
		jnz	loc_77CB41

loc_77C87F:				; CODE XREF: MiReserveUserMemory+33Ej
					; MiReserveUserMemory+15FA82j
		mov	ebx, [esi+0Ch]
		test	ebx, 0FFFh
		jnz	loc_8DC29D
		xor	eax, eax

loc_77C890:				; CODE XREF: MiReserveUserMemory+15FA92j
		shr	ebx, 0Ch
		add	ebx, eax
		call	_MmGetCurrentProcessorColor@0 ;	MmGetCurrentProcessorColor()
		or	eax, 80000000h
		mov	edx, 53646156h
		push	eax
		push	0
		push	40h
		mov	ecx, 28h
		call	ExAllocatePoolMm
		mov	edi, eax
		test	edi, edi
		jz	loc_8DC2A7
		mov	ecx, [esi+20h]
		lea	eax, [edi+18h]
		mov	[ebp+var_30], eax
		mov	dword ptr [eax], 0
		mov	eax, ecx
		shl	eax, 0Ch
		xor	eax, [edi+1Ch]
		and	eax, 3F000h
		mov	dword ptr [edi], 0FFFFFFFEh
		xor	[edi+1Ch], eax
		mov	eax, [edi+1Ch]
		mov	dword ptr [edi+4], 0FFFFFFFEh
		mov	dword ptr [edi+8], 0FFFFFFFEh
		mov	[ebp+var_24], eax
		test	ecx, ecx
		jnz	loc_8DC2B1
		mov	ecx, eax

loc_77C900:				; CODE XREF: MiReserveUserMemory+15FAB4j
		mov	edx, [esi+14h]
		test	edx, 1000h
		jz	loc_77CB35
		or	dword ptr [edi+20h], 80000000h
		mov	[ebp+var_18], ebx

loc_77C919:				; CODE XREF: MiReserveUserMemory+32Cj
		mov	eax, [ebp+arg_0]
		shl	eax, 7
		xor	eax, ecx
		and	eax, 0F80h
		xor	eax, ecx
		mov	ecx, [esi+28h]
		or	eax, 100000h
		mov	[edi+1Ch], eax
		test	ecx, 40000000h
		jnz	loc_8DC2C9

loc_77C93F:				; CODE XREF: MiReserveUserMemory+15FAC1j
		test	cl, 1
		jnz	loc_77CBDE
		test	ecx, 8000000h
		jnz	loc_8DC2D6
		mov	ecx, [ebp+var_18]

loc_77C957:				; CODE XREF: MiReserveUserMemory+3D3j
					; MiReserveUserMemory+15FACBj
		mov	eax, [edi+20h]
		and	eax, 80000000h
		or	eax, ecx
		mov	ecx, large fs:124h
		mov	[edi+20h], eax
		xor	eax, eax
		mov	[ebp+var_18], eax
		mov	eax, edx
		and	eax, 20400000h
		mov	[ebp+var_8], ecx
		cmp	eax, 20000000h
		jz	loc_8DC2E0
		cmp	eax, 20400000h
		jz	loc_8DC305
		cmp	eax, 400000h
		jz	loc_8DC3D0
		test	edx, (offset loc_7FFFFF+1)
		jnz	loc_77CCB7

loc_77C9A7:				; CODE XREF: MiReserveUserMemory+4BEj
					; MiReserveUserMemory+15FB0Dj ...
		mov	ecx, [edi+1Ch]
		mov	eax, [ebp+var_18]
		and	ecx, 0FFF3FFFFh
		shl	eax, 12h
		or	ecx, eax
		test	dword ptr [esi+14h], 200000h
		mov	[edi+1Ch], ecx
		jnz	loc_77CC3E

loc_77C9C8:				; CODE XREF: MiReserveUserMemory+44Fj
		mov	eax, [esi+50h]
		and	eax, 1
		or	eax, 0
		jnz	loc_8DC464
		cmp	[esi+1Ch], eax
		jnz	loc_8DC4A3

loc_77C9E0:				; CODE XREF: MiReserveUserMemory+15FC81j
		xor	ebx, ebx
		test	dword ptr [esi+28h], 4000000h
		mov	[ebp+var_18], ebx
		jnz	loc_8DC4AF
		mov	eax, [ebp+var_C]

loc_77C9F5:				; CODE XREF: MiReserveUserMemory+15FCBCj
		mov	edx, [esi+3Ch]
		or	eax, 4
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_24], ebx
		mov	[ebp+var_C], eax
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		mov	ecx, [esi+3Ch]
		test	byte ptr [ecx+0FCh], 20h
		jnz	loc_8DC4D1
		cmp	[ebp+var_C], 10h
		mov	eax, [esi+28h]
		jnb	loc_8DC4DD
		mov	edx, [esi]
		lea	ecx, [ebp+var_18]
		push	ecx
		lea	ecx, [ebp+var_24]
		push	ecx
		push	eax
		push	[ebp+arg_0]
		mov	eax, [esi+8]
		push	ecx
		mov	ecx, [esi+14h]
		push	eax
		mov	eax, [esi+0Ch]
		push	eax
		mov	eax, [esi+4]
		push	eax
		call	_MiSelectUserAddress@40	; MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		js	loc_77CC64
		mov	eax, [esi+0Ch]
		mov	ebx, [ebp+var_18]
		dec	eax
		add	eax, ebx

loc_77CA5D:				; CODE XREF: MiReserveUserMemory+15FD2Fj
		shr	eax, 0Ch
		mov	ecx, ebx
		mov	[ebp+var_18], eax
		mov	[edi+10h], eax
		mov	eax, [esi+50h]
		shr	ecx, 0Ch
		and	eax, 1
		or	eax, 0
		mov	[ebp+arg_C], ecx
		mov	[edi+0Ch], ecx
		jnz	loc_8DC544
		mov	edx, [esi+3Ch]
		push	ecx
		mov	ecx, edi
		call	MiInsertVadCharges
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		js	loc_77CC79
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_8DC569
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_MiLockVad@8	; MiLockVad(x,x)

loc_77CAAD:				; CODE XREF: MiReserveUserMemory+15FD74j
		mov	edx, [esi+3Ch]
		mov	ecx, edi
		call	MiInsertPrivateVad
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_77CACA
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+arg_C]
		push	eax
		call	MiAdvanceVadHint

loc_77CACA:				; CODE XREF: MiReserveUserMemory+2ACj
		test	byte ptr [ebp+arg_0], 2
		jnz	loc_77CB56

loc_77CAD4:				; CODE XREF: MiReserveUserMemory+34Dj
		mov	eax, [ebp+var_C]

loc_77CAD7:				; CODE XREF: MiReserveUserMemory+358j
		and	eax, 2
		mov	[ebp+var_C], eax
		jnz	loc_77CB6D
		mov	eax, [edi+1Ch]
		test	eax, 100000h
		jz	short loc_77CB00
		test	eax, 400000h
		jnz	short loc_77CB6D
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnb	short loc_77CB6D

loc_77CB00:				; CODE XREF: MiReserveUserMemory+2DBj
		cmp	dword ptr [esi+38h], 0
		jnz	short loc_77CB6D
		cmp	[ebp+var_10], 0
		jnz	loc_8DC589
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	MiUnlockVad
		mov	edx, [esi+3Ch]
		mov	ecx, [ebp+var_8]
		call	UNLOCK_ADDRESS_SPACE

loc_77CB25:				; CODE XREF: MiReserveUserMemory+3C9j
					; MiReserveUserMemory+15FE52j
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		xor	eax, eax

loc_77CB2C:				; CODE XREF: MiReserveUserMemory+344j
					; MiApplyCompressedFixups+15FC27j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_77CB35:				; CODE XREF: MiReserveUserMemory+F9j
		mov	[ebp+var_18], 0
		jmp	loc_77C919
; 

loc_77CB41:				; CODE XREF: MiReserveUserMemory+69j
		mov	ecx, [esi+40h]
		call	MiArbitraryCodeBlocked
		mov	[ebp+var_14], eax
		test	eax, eax
		jns	loc_77C87F
		jmp	short loc_77CB2C
; 

loc_77CB56:				; CODE XREF: MiReserveUserMemory+2BEj
		call	_MiIsProcessCfgEnabled@0 ; MiIsProcessCfgEnabled()
		test	eax, eax
		jz	loc_77CAD4
		mov	eax, 2
		jmp	loc_77CAD7
; 

loc_77CB6D:				; CODE XREF: MiReserveUserMemory+2CDj
					; MiReserveUserMemory+2E2j ...
		mov	edx, [esi+3Ch]
		mov	ecx, [ebp+var_8]
		call	UNLOCK_ADDRESS_SPACE_UNORDERED
		mov	ecx, edi
		call	_MiReferenceVad@4 ; MiReferenceVad(x)
		cmp	[ebp+var_C], 0
		jz	short loc_77CB9D
		lea	eax, [ebp+arg_4]
		xor	edx, edx
		push	eax
		mov	ecx, edi
		call	MiCommitVadCfgBits
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	loc_8DC5D9

loc_77CB9D:				; CODE XREF: MiReserveUserMemory+373j
		mov	eax, [edi+1Ch]
		test	eax, 100000h
		jz	short loc_77CBC2
		test	eax, 400000h
		jnz	loc_8DC5B7
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnb	loc_8DC5B7

loc_77CBC2:				; CODE XREF: MiReserveUserMemory+395j
					; MiReserveUserMemory+15FDABj ...
		cmp	dword ptr [esi+38h], 0
		jnz	short loc_77CBE8

loc_77CBC8:				; CODE XREF: MiReserveUserMemory+42Cj
		cmp	[ebp+var_10], 0
		mov	ecx, edi
		jnz	loc_8DC650
		call	MiUnlockAndDereferenceVad
		jmp	loc_77CB25
; 

loc_77CBDE:				; CODE XREF: MiReserveUserMemory+132j
		mov	ecx, 0FFFFEh
		jmp	loc_77C957
; 

loc_77CBE8:				; CODE XREF: MiReserveUserMemory+3B6j
		test	dword ptr [esi+28h], 40000000h
		mov	eax, [esi+34h]
		mov	[ebp+var_8], 0
		jnz	loc_8DC5ED
		cmp	eax, 80000001h
		jnz	loc_8DC618

loc_77CC0A:				; CODE XREF: MiReserveUserMemory+15FE0Bj
					; MiReserveUserMemory+15FE14j ...
		lea	ecx, [ebp+var_8]
		mov	edx, ebx
		push	ecx
		push	0
		push	eax
		mov	eax, [esi+0Ch]
		mov	ecx, edi
		push	eax
		call	_MiSecureVad@24	; MiSecureVad(x,x,x,x,x,x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	loc_8DC63A
		mov	eax, [ebp+var_8]

loc_77CC2C:				; CODE XREF: MiReserveUserMemory+15FDFBj
		mov	ecx, [esi+3Ch]
		xor	ecx, dword_6D061C
		xor	ecx, eax
		mov	eax, [esi+38h]
		mov	[eax], ecx
		jmp	short loc_77CBC8
; 

loc_77CC3E:				; CODE XREF: MiReserveUserMemory+1B2j
		mov	ecx, [esi+3Ch]
		mov	edx, edi
		push	ebx
		call	_MiCreateWriteWatchView@12 ; MiCreateWriteWatchView(x,x,x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		mov	[ebp+var_14], edx
		test	edx, edx
		js	short loc_77CC89
		or	dword ptr [edi+1Ch], 200000h
		mov	ecx, [edi+1Ch]
		jmp	loc_77C9C8
; 

loc_77CC64:				; CODE XREF: MiReserveUserMemory+23Ej
		mov	eax, [esi+4]
		mov	edx, [esi+8]
		mov	ecx, [esi+0Ch]
		push	eax
		mov	eax, [esi]
		push	eax
		call	MiLogReserveVaFailed
		mov	ebx, [ebp+var_18]

loc_77CC79:				; CODE XREF: MiReserveUserMemory+282j
					; MiReserveUserMemory+15FCB0j ...
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_8DC55A

loc_77CC89:				; CODE XREF: MiReserveUserMemory+443j
					; MiReserveUserMemory+4CAj ...
		mov	ecx, [ebp+var_8]

loc_77CC8C:				; CODE XREF: MiReserveUserMemory+15FB68j
					; MiReserveUserMemory+15FC1Aj
		test	byte ptr [ebp+var_C], 4
		jz	short loc_77CC9A
		mov	edx, [esi+3Ch]
		call	UNLOCK_ADDRESS_SPACE

loc_77CC9A:				; CODE XREF: MiReserveUserMemory+480j
		xor	edx, edx
		mov	ecx, edi
		call	MiReleaseVadEventBlocks
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_77CCB7:				; CODE XREF: MiReserveUserMemory+191j
		mov	ecx, edi
		call	MiCreateRotateView
		test	eax, eax
		jz	short loc_77CCD3
		mov	eax, [edi+1Ch]
		and	eax, 0FFFFFFCFh
		or	eax, 40h

loc_77CCCB:				; CODE XREF: MiReserveUserMemory+15FC4Fj
		mov	[edi+1Ch], eax
		jmp	loc_77C9A7
; 

loc_77CCD3:				; CODE XREF: MiReserveUserMemory+4B0j
		mov	[ebp+var_4], 0C000009Ah
		jmp	short loc_77CC89
MiReserveUserMemory endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1487. MmUnsecureVirtualMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmUnsecureVirtualMemory(x)
		public _MmUnsecureVirtualMemory@4
_MmUnsecureVirtualMemory@4 proc	near	; CODE XREF: RtlFileMapFree+42p
					; AlpcpRestoreWriteAccess(x)+4Dp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	esi, [eax+80h]
		xor	esi, dword_6D061C
		xor	esi, [ebp+arg_0]
		mov	ecx, esi
		call	MiObtainReferencedSecureVad
		mov	edi, eax
		test	edi, edi
		jz	short loc_77CD23
		mov	edx, esi
		mov	ecx, edi
		call	MiRemoveSecureEntry
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad

loc_77CD23:				; CODE XREF: MmUnsecureVirtualMemory(x)+2Fj
		pop	edi
		pop	esi
		leave
		retn	4
_MmUnsecureVirtualMemory@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAddSecureEntry proc near		; CODE XREF: MiAllocateVad+91p
					; MiAllocateNewSubAllocatedRegion+17Ap	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008DC671 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	[esp+10h+var_4], eax
		test	byte ptr [eax+1Ch], 8
		jnz	loc_77CE02

loc_77CD51:				; CODE XREF: MiAddSecureEntry+DEj
		call	_MmGetCurrentProcessorColor@0 ;	MmGetCurrentProcessorColor()
		or	eax, 80000000h
		mov	edx, 65536D4Dh
		push	eax
		push	0
		push	40h
		mov	ecx, 28h
		call	ExAllocatePoolMm
		mov	esi, eax
		test	esi, esi
		jz	loc_77CE14
		mov	eax, [ebp+arg_0]
		mov	[esi+8], eax
		mov	eax, [ebp+arg_4]
		mov	dword ptr [esi+24h], 2
		mov	[esi+4], edi
		test	al, 1
		jz	short loc_77CDF5
		or	edi, 8

loc_77CD93:				; CODE XREF: MiAddSecureEntry+D0j
					; MiAddSecureEntry+F3j
		mov	[esi+4], edi

loc_77CD96:				; CODE XREF: MiAddSecureEntry+CBj
		test	bl, 1
		jnz	loc_8DC671

loc_77CD9F:				; CODE XREF: MiAddSecureEntry+15F947j
		test	bl, 4
		jnz	loc_8DC67C

loc_77CDA8:				; CODE XREF: MiAddSecureEntry+15F952j
		test	bl, 8
		jnz	loc_8DC687

loc_77CDB1:				; CODE XREF: MiAddSecureEntry+15F960j
		test	eax, eax
		jns	short loc_77CDBB
		or	edi, 4
		mov	[esi+4], edi

loc_77CDBB:				; CODE XREF: MiAddSecureEntry+83j
		test	eax, 40000000h
		jnz	short loc_77CE18

loc_77CDC2:				; CODE XREF: MiAddSecureEntry+EEj
		test	eax, 20000000h
		jnz	loc_8DC695

loc_77CDCD:				; CODE XREF: MiAddSecureEntry+15F96Ej
		mov	ecx, [esp+10h+var_4]
		mov	edx, esi
		push	1
		call	_MiInsertVadEvent@12 ; MiInsertVadEvent(x,x,x)
		mov	ecx, [esp+10h+var_4]
		mov	edx, 1
		push	1
		call	MiSetVadFlags
		mov	eax, esi

loc_77CDEC:				; CODE XREF: MiAddSecureEntry+E6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_77CDF5:				; CODE XREF: MiAddSecureEntry+5Ej
		test	al, 4
		jnz	short loc_77CE20
		test	al, 2
		jz	short loc_77CD96
		or	edi, 9
		jmp	short loc_77CD93
; 

loc_77CE02:				; CODE XREF: MiAddSecureEntry+1Bj
		test	bl, 1
		jnz	short loc_77CE14
		call	_MiLocateExclusiveSecure@4 ; MiLocateExclusiveSecure(x)
		test	eax, eax
		jz	loc_77CD51

loc_77CE14:				; CODE XREF: MiAddSecureEntry+43j
					; MiAddSecureEntry+D5j
		xor	eax, eax
		jmp	short loc_77CDEC
; 

loc_77CE18:				; CODE XREF: MiAddSecureEntry+90j
		or	edi, 10h
		mov	[esi+4], edi
		jmp	short loc_77CDC2
; 

loc_77CE20:				; CODE XREF: MiAddSecureEntry+C7j
		or	edi, 0Ah
		jmp	loc_77CD93
MiAddSecureEntry endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry  12.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetNumberOfPhysicalPages(x)
		public _MmGetNumberOfPhysicalPages@4
_MmGetNumberOfPhysicalPages@4 proc near	; CODE XREF: ExpGetSystemBasicInformation+C2p
					; PopWriteHiberPages+CEE9p ...

arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	ecx, [ebp+arg_0]
		mov	eax, dword_6D3018
		mov	eax, [eax+ecx*4]
		mov	eax, [eax+0F48h]
		pop	ebp
		retn	4
_MmGetNumberOfPhysicalPages@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpPfnPrioRequest proc near		; CODE XREF: PAGE:0077D2A3p
					; PfSetSuperfetchInformation+E7p

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DC6A3 SIZE 00000062 BYTES
; FUNCTION CHUNK AT 008DC71A SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1288
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	ebx, edx
		mov	[ebp+var_28], ebx
		mov	esi, ecx
		mov	[ebp+var_30], 0
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	eax, [esi+8]
		cmp	eax, 6
		jnz	loc_77CF65
		mov	edx, [esi+10h]
		cmp	edx, 78h
		jb	loc_8DC71A
		push	1
		push	ebx
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		mov	ecx, [esi+0Ch]
		call	PfpCopyUserPfnPrioRequest
		mov	ebx, eax
		test	ebx, ebx
		js	loc_77CFD5
		mov	edi, [ebp+var_1C]
		lea	edx, [edi+68h]
		mov	ecx, [edi+8]
		call	MmQueryPfnList
		mov	[ebp+var_24], eax
		test	eax, eax
		js	short loc_77CEF7
		test	byte ptr [edi+4], 1
		jz	short loc_77CEF7
		lea	eax, [ebp+var_30]
		push	eax
		push	ecx
		push	58h
		lea	edx, [edi+0Ch]
		or	ecx, 0FFFFFFFFh
		call	MmQueryMemoryListInformation

loc_77CEF7:				; CODE XREF: PfpPfnPrioRequest+8Dj
					; PfpPfnPrioRequest+93j
		mov	[ebp+var_4], 0
		cmp	byte ptr [ebp+var_28], 0
		jz	short loc_77CF13

loc_77CF04:				; CODE XREF: PfpPfnPrioRequest+15F8B0j
		push	8
		mov	eax, [esi+10h]
		push	eax
		mov	eax, [esi+0Ch]
		push	eax
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_77CF13:				; CODE XREF: PfpPfnPrioRequest+B2j
					; PfpPfnPrioRequest+15F8AAj
		mov	[ebp+var_20], 68h
		mov	ebx, [edi+8]
		shl	ebx, 4
		add	ebx, 68h
		push	ebx		; size_t
		mov	[ebp+var_20], ebx
		push	edi		; void *
		mov	eax, [esi+0Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh

loc_77CF3B:				; CODE XREF: PfpPfnPrioRequest+173j
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx
		mov	ebx, [ebp+var_24]

loc_77CF43:				; CODE XREF: PfpPfnPrioRequest+188j
					; PfpPfnPrioRequest+15F86Aj ...
		test	edi, edi
		jz	short loc_77CF4F
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_77CF4F:				; CODE XREF: PfpPfnPrioRequest+F5j
		mov	eax, ebx
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_77CF65:				; CODE XREF: PfpPfnPrioRequest+4Ej
		cmp	eax, 7
		jnz	loc_8DC6A3

loc_77CF6E:				; CODE XREF: PfpPfnPrioRequest+15F856j
					; PfpPfnPrioRequest+15F85Fj
		mov	edx, [esi+10h]
		cmp	edx, 78h
		jb	loc_8DC6BF
		push	0
		push	ebx
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		mov	ecx, [esi+0Ch]
		call	PfpCopyUserPfnPrioRequest
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_77CFD5
		mov	eax, [esi+8]
		cmp	eax, 7
		jnz	loc_8DC6C9
		cmp	eax, 1Dh
		jz	short loc_77CFCE
		xor	eax, eax

loc_77CFA3:				; CODE XREF: PfpPfnPrioRequest+183j
		mov	edi, [ebp+var_1C]
		push	eax
		lea	edx, [edi+68h]
		mov	ecx, [edi+8]
		call	_MmSetPfnListInfo@12 ; MmSetPfnListInfo(x,x,x)

loc_77CFB2:				; CODE XREF: PfpPfnPrioRequest+15F89Aj
		mov	[ebp+var_24], eax
		xor	ebx, ebx
		cmp	dword ptr [esi+8], 16h
		jz	loc_8DC6EF
		test	eax, eax
		jns	loc_77CF3B
		jmp	loc_8DC6EF
; 

loc_77CFCE:				; CODE XREF: PfpPfnPrioRequest+14Fj
					; PfpPfnPrioRequest+15F87Cj
		mov	eax, 1
		jmp	short loc_77CFA3
; 

loc_77CFD5:				; CODE XREF: PfpPfnPrioRequest+74j
					; PfpPfnPrioRequest+13Ej ...
		mov	edi, [ebp+var_1C]
		jmp	loc_77CF43
PfpPfnPrioRequest endp

; 
		align 10h
		dd 8 dup(0CCCCCCCCh)
; 

PfpCopyUserPfnPrioRequest:		; CODE XREF: PfpPfnPrioRequest+6Bp
					; PfpPfnPrioRequest+135p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A12B0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	edi, edx
		mov	eax, ecx
		mov	[ebp-28h], eax
		mov	dword ptr [ebp-24h], 0
		xor	ecx, ecx
		mov	[ebp-1Ch], ecx
		mov	[ebp-4], ecx
		cmp	[ebp+10h], cl
		jz	short loc_77D075
		test	edi, edi
		jz	short loc_77D075
		test	al, 7
		jnz	loc_77D1B1
		lea	ecx, [eax+edi]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	loc_8DC746
		cmp	ecx, eax
		jb	loc_8DC746

loc_77D075:				; CODE XREF: PAGE:0077D04Ej
					; PAGE:0077D052j ...
		mov	ebx, [eax+8]
		mov	[ebp-24h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, ebx
		mov	ecx, 10h
		mul	ecx
		mov	esi, eax
		add	esi, 68h
		adc	edx, 0
		mov	[ebp-1Ch], edx
		jnz	loc_8DC7A0
		cmp	esi, 0FFFFFFFFh
		ja	loc_8DC7A0
		test	ebx, ebx
		jz	loc_8DC7A0
		xor	ecx, ecx
		call	_MmGetHighestPhysicalPage@4 ; MmGetHighestPhysicalPage(x)
		inc	eax
		cmp	ebx, eax
		ja	loc_8DC7A0
		cmp	esi, edi
		ja	loc_8DC7A0
		push	42506650h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+10h], edx
		mov	[ebp-1Ch], edx
		test	edx, edx
		jz	loc_8DC74E
		mov	dword ptr [ebp-4], 1
		mov	ecx, 1Ah
		mov	eax, [ebp-28h]
		mov	esi, eax
		mov	edi, edx
		rep movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	dword ptr [edx], 1
		jnz	loc_8DC758
		mov	ecx, [ebp+8]
		cmp	ecx, 6
		jnz	loc_77D1A3

loc_77D116:				; CODE XREF: PAGE:0077D1A6j
		test	dword ptr [edx+4], 0FFFFFFFEh
		jnz	loc_8DC762

loc_77D123:				; CODE XREF: PAGE:0077D1ACj
		cmp	[edx+8], ebx
		jnz	loc_8DC76C
		lea	esi, [edx+68h]
		lea	edi, [eax+68h]
		mov	eax, ebx
		shl	eax, 4
		mov	dword ptr [ebp-4], 2
		push	eax
		cmp	dword ptr [ebp+14h], 0
		jz	short loc_77D168
		push	0
		push	esi
		call	_memset
		add	esp, 0Ch
		xor	edx, edx

loc_77D152:				; CODE XREF: PAGE:0077D166j
		mov	[ebp-2Ch], edx
		cmp	edx, ebx
		jnb	short loc_77D172
		mov	ecx, edx
		add	ecx, ecx
		mov	eax, [edi+ecx*8+8]
		mov	[esi+ecx*8+8], eax
		inc	edx
		jmp	short loc_77D152
; 

loc_77D168:				; CODE XREF: PAGE:0077D143j
		push	edi
		push	esi
		call	_memcpy
		add	esp, 0Ch

loc_77D172:				; CODE XREF: PAGE:0077D157j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp+0Ch]
		mov	ecx, [ebp+10h]
		mov	[eax], ecx
		xor	edx, edx
		xor	esi, esi

loc_77D185:				; CODE XREF: PAGE:008DC753j
					; PAGE:008DC75Dj ...
		test	edx, edx
		jnz	loc_8DC7D1

loc_77D18D:				; CODE XREF: PAGE:008DC7D9j
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_77D1A3:				; CODE XREF: PAGE:0077D110j
		cmp	ecx, 7
		jz	loc_77D116
		jmp	loc_77D123
; 

loc_77D1B1:				; CODE XREF: PAGE:0077D056j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dw 0CCCCh
		align 10h

PfQuerySuperfetchInformation:		; CODE XREF: PAGE:0078087Dp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A12E8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		mov	[ebp-20h], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	eax, [ebp+10h]
		mov	[ebp-48h], eax
		mov	ecx, 8
		xor	eax, eax
		lea	edi, [ebp-44h]
		rep stosd
		cmp	dword ptr [ebp+8], 14h
		jnz	loc_8DC7DE
		xor	edi, edi
		mov	[ebp-4], eax
		mov	ecx, [edx]
		mov	[ebp-64h], ecx
		mov	eax, [edx+4]
		mov	[ebp-60h], eax
		mov	esi, [edx+8]
		mov	[ebp-5Ch], esi
		mov	ebx, [edx+0Ch]
		mov	[ebp-4Ch], ebx
		mov	[ebp-58h], ebx
		mov	edx, [edx+10h]
		mov	[ebp-68h], edx
		mov	[ebp-54h], edx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	ecx, 2Dh
		jnz	loc_77D51C
		cmp	eax, 6B756843h
		jnz	loc_77D51C
		cmp	esi, 8
		jz	loc_77D37F
		cmp	esi, 1Ch
		jz	loc_77D37F
		cmp	esi, 10h
		jz	loc_77D37F
		mov	ebx, [ebp+0Ch]
		push	ebx
		mov	eax, ds:dword_A949EC
		push	eax
		mov	eax, ds:_SeProfileSingleProcessPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_77D3F0
		mov	edx, [ebp-68h]

loc_77D295:				; CODE XREF: PAGE:0077D382j
		cmp	esi, 6
		jnz	short loc_77D2CA
		mov	eax, [ebp-48h]
		push	eax
		mov	dl, bl
		lea	ecx, [ebp-64h]
		call	PfpPfnPrioRequest
		mov	edi, eax

loc_77D2AA:				; CODE XREF: PAGE:0077D2F1j
					; PAGE:0077D37Aj ...
		mov	eax, edi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-20h]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_77D2CA:				; CODE XREF: PAGE:0077D298j
		dec	esi
		cmp	esi, 1Bh
		ja	loc_8DC8EA
		movzx	eax, ds:byte_77D570[esi]
		jmp	ds:off_77D53C[eax*4]

loc_77D2E2:				; DATA XREF: PAGE:off_77D53Co
		mov	eax, [ebp-48h]
		push	eax
		push	ebx
		mov	ecx, [ebp-4Ch]
		call	PfGetCompletedTrace
		mov	edi, eax
		jmp	short loc_77D2AA
; 

loc_77D2F3:				; CODE XREF: PAGE:0077D2DBj
					; DATA XREF: PAGE:0077D558o
		cmp	edx, 8
		jnz	loc_8DC7E8
		xor	edi, edi
		mov	[ebp-50h], edi
		mov	[ebp-6Ch], edi
		mov	[ebp-68h], edi
		mov	dword ptr [ebp-4], 3
		test	bl, bl
		mov	ebx, [ebp-4Ch]
		jz	short loc_77D33E
		test	bl, 3
		jnz	loc_77D535
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8DC82A

loc_77D32B:				; CODE XREF: PAGE:008DC82Dj
		mov	al, [ebx]
		mov	ecx, [ebp-58h]
		mov	[ecx], al
		mov	al, [ecx+4]
		mov	[ecx+4], al
		mov	ebx, [ebp-58h]
		mov	edi, [ebp-50h]

loc_77D33E:				; CODE XREF: PAGE:0077D313j
		mov	ecx, [ebx]
		mov	eax, [ebx+4]
		mov	[ebp-6Ch], ecx
		mov	[ebp-68h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	ecx, 1
		jnz	loc_8DC832
		mov	eax, dword_6D4948
		mov	dword ptr [ebp-4], 4
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-48h]
		mov	dword ptr [eax], 8
		jmp	loc_77D2AA
; 

loc_77D37F:				; CODE XREF: PAGE:0077D25Dj
					; PAGE:0077D266j ...
		mov	ebx, [ebp+0Ch]
		jmp	loc_77D295
; 

loc_77D387:				; CODE XREF: PAGE:0077D2DBj
					; DATA XREF: PAGE:0077D544o
		mov	eax, [ebp-48h]
		push	eax
		mov	dl, bl
		lea	ecx, [ebp-64h]
		call	_PfpPrivSourceEnum@12 ;	PfpPrivSourceEnum(x,x,x)
		mov	edi, eax
		jmp	loc_77D2AA
; 

loc_77D39C:				; CODE XREF: PAGE:0077D2DBj
					; DATA XREF: PAGE:0077D568o
		mov	eax, [ebp-48h]
		push	eax
		mov	dl, bl
		lea	ecx, [ebp-64h]
		call	PfpQueryGpuUtilization
		mov	edi, eax
		jmp	loc_77D2AA
; 

loc_77D3B1:				; CODE XREF: PAGE:0077D2DBj
					; DATA XREF: PAGE:0077D550o
		mov	eax, [ebp-48h]
		push	eax
		mov	dl, bl
		lea	ecx, [ebp-64h]
		call	PfpMemoryListQuery
		mov	edi, eax
		jmp	loc_77D2AA
; 

loc_77D3C6:				; CODE XREF: PAGE:0077D2DBj
					; DATA XREF: PAGE:0077D55Co
		mov	eax, [ebp-48h]
		push	eax
		mov	dl, bl
		lea	ecx, [ebp-64h]
		call	PfpVirtualQuery
		mov	edi, eax
		jmp	loc_77D2AA
; 

loc_77D3DB:				; CODE XREF: PAGE:0077D2DBj
					; DATA XREF: PAGE:0077D554o
		mov	eax, [ebp-48h]
		push	eax
		mov	dl, bl
		lea	ecx, [ebp-64h]
		call	PfpMemoryRangesQuery
		mov	edi, eax
		jmp	loc_77D2AA
; 

loc_77D3F0:				; CODE XREF: PAGE:0077D28Cj
		mov	edi, 0C0000022h
		jmp	loc_77D2AA
; 

loc_77D3FA:				; CODE XREF: PAGE:0077D2DBj
					; DATA XREF: PAGE:0077D54Co
		mov	eax, [ebp-48h]
		push	eax
		mov	dl, bl
		lea	ecx, [ebp-64h]
		call	PfpQueryScenarioInformation
		mov	edi, eax
		jmp	loc_77D2AA
; 

loc_77D40F:				; CODE XREF: PAGE:0077D2DBj
					; DATA XREF: PAGE:0077D540o
		cmp	edx, 1Ch
		jnz	loc_8DC7E8
		mov	dword ptr [ebp-50h], 0
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D4858
		call	ExAcquirePushLockSharedEx
		mov	ecx, 7
		mov	esi, offset byte_6D46A4
		lea	edi, [ebp-0A0h]
		rep movsd
		xor	edx, edx
		mov	eax, 11h
		mov	esi, offset unk_6D4858
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_77D467
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_77D467:				; CODE XREF: PAGE:0077D45Ej
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	dword ptr [ebp-4], 1
		test	bl, bl
		jz	short loc_77D4A4
		mov	eax, [ebp-58h]
		test	al, 3
		jnz	loc_77D526
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_8DC7F2

loc_77D497:				; CODE XREF: PAGE:008DC7F5j
		mov	al, [eax]
		mov	edx, [ebp-58h]
		mov	[edx], al
		mov	al, [edx+18h]
		mov	[edx+18h], al

loc_77D4A4:				; CODE XREF: PAGE:0077D47Cj
		mov	ecx, 7
		lea	esi, [ebp-0A0h]
		mov	edi, [ebp-58h]
		rep movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-48h]
		mov	dword ptr [eax], 1Ch
		mov	edi, [ebp-50h]
		jmp	loc_77D2AA
; 

loc_77D4CC:				; CODE XREF: PAGE:0077D2DBj
					; DATA XREF: PAGE:0077D548o
		xor	edi, edi
		mov	[ebp-50h], edi
		cmp	edx, 4
		jnz	loc_8DC7E8
		mov	dword ptr [ebp-4], 2
		test	bl, bl
		mov	ebx, [ebp-4Ch]
		jz	short loc_77D500
		test	bl, 3
		jnz	short loc_77D52B
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	short loc_77D530

loc_77D4F6:				; CODE XREF: PAGE:0077D533j
		mov	al, [ebx]
		mov	ebx, [ebp-58h]
		mov	[ebx], al
		mov	edi, [ebp-50h]

loc_77D500:				; CODE XREF: PAGE:0077D4E6j
		mov	eax, dword_6FB628
		mov	[ebx], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-48h]
		mov	dword ptr [eax], 4
		jmp	loc_77D2AA
; 

loc_77D51C:				; CODE XREF: PAGE:0077D249j
					; PAGE:0077D254j
		mov	edi, 0C000000Dh
		jmp	loc_77D2AA
; 

loc_77D526:				; CODE XREF: PAGE:0077D483j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_77D52B:				; CODE XREF: PAGE:0077D4EBj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_77D530:				; CODE XREF: PAGE:0077D4F4j
		mov	byte ptr [eax],	0
		jmp	short loc_77D4F6
; 

loc_77D535:				; CODE XREF: PAGE:0077D318j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		mov	edi, edi
; 
off_77D53C	dd offset loc_77D2E2	; DATA XREF: PAGE:0077D2DBr
		dd offset loc_77D40F
		dd offset loc_77D387
		dd offset loc_77D4CC
		dd offset loc_77D3FA
		dd offset loc_77D3B1
		dd offset loc_77D3DB
		dd offset loc_77D2F3
		dd offset loc_77D3C6
		dd offset loc_8DC86C
		dd offset loc_8DC8D5
		dd offset loc_77D39C
		dd offset loc_8DC8EA
byte_77D570	db 0			; DATA XREF: PAGE:0077D2D4r
		db 1, 2	dup(0Ch)
		dd 20C0C0Ch, 40C0C03h, 50C0C0Ch, 70C0C06h, 9080C0Ch, 0B0A0C0Ch
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1571. NtQuerySystemInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtQuerySystemInformation
NtQuerySystemInformation proc near	; CODE XREF: AlpcpInitSystem+1A1p
					; DATA XREF: .text:00580DF8o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DC91C SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+var_4], edx
		cmp	ecx, 64h
		jg	short loc_77D5DB
		jz	short loc_77D607
		cmp	ecx, 8
		jz	short loc_77D607
		cmp	ecx, 2Ah
		jz	short loc_77D607
		cmp	ecx, 17h
		jz	short loc_77D607
		cmp	ecx, 3Dh
		jz	short loc_77D607
		cmp	ecx, 49h
		jz	short loc_77D617
		cmp	ecx, 53h
		jz	short loc_77D607

loc_77D5C6:				; CODE XREF: NtQuerySystemInformation+6Ej
					; NtQuerySystemInformation+15F396j
		mov	eax, edx

loc_77D5C8:				; CODE XREF: NtQuerySystemInformation+8Bj
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	eax
		call	_ExpQuerySystemInformation@24 ;	ExpQuerySystemInformation(x,x,x,x,x,x)

locret_77D5D7:				; CODE XREF: NtQuerySystemInformation+92j
		leave
		retn	10h
; 

loc_77D5DB:				; CODE XREF: NtQuerySystemInformation+12j
		cmp	ecx, 8Dh
		jz	short loc_77D607
		cmp	ecx, 6Bh
		jz	short loc_77D61F
		cmp	ecx, 6Ch
		jz	short loc_77D607
		cmp	ecx, 79h
		jz	short loc_77D61F
		cmp	ecx, 0B4h
		jz	short loc_77D61F
		cmp	ecx, 0D1h
		jle	short loc_77D5C6
		jmp	loc_8DC91C
; 

loc_77D607:				; CODE XREF: NtQuerySystemInformation+14j
					; NtQuerySystemInformation+19j	...
		mov	eax, large fs:20h
		movzx	eax, byte ptr [eax+3C5h]
		mov	[ebp+var_4], eax

loc_77D617:				; CODE XREF: NtQuerySystemInformation+2Dj
		push	2
		pop	eax
		lea	edx, [ebp+var_4]
		jmp	short loc_77D5C8
; 

loc_77D61F:				; CODE XREF: NtQuerySystemInformation+54j
					; NtQuerySystemInformation+5Ej	...
		mov	eax, 0C0000003h
		jmp	short locret_77D5D7
NtQuerySystemInformation endp

; 
		align 10h

; __stdcall ExpQuerySystemInformation(x, x, x, x, x, x)
_ExpQuerySystemInformation@24:		; CODE XREF: NtQuerySystemInformation+40p
					; NtQuerySystemInformationEx+A0p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1340
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 4A8h
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		mov	[ebp-1Ch], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	[ebp-1F0h], edx
		mov	esi, ecx
		mov	[ebp-204h], esi
		mov	eax, [ebp+0Ch]
		mov	[ebp-1DCh], eax
		mov	ebx, [ebp+14h]
		mov	[ebp-1D4h], ebx
		mov	[ebp-1ECh], ebx
		mov	dword ptr [ebp-208h], 0
		mov	dword ptr [ebp-260h], 0
		mov	dword ptr [ebp-25Ch], 0
		mov	dword ptr [ebp-240h], 0
		mov	dword ptr [ebp-224h], 0
		mov	dword ptr [ebp-20Ch], 0
		mov	dword ptr [ebp-210h], 0
		mov	dword ptr [ebp-22Ch], 0
		mov	dword ptr [ebp-1F4h], 0
		xor	eax, eax
		mov	[ebp-26Ch], eax
		mov	[ebp-268h], eax
		mov	[ebp-264h], eax
		mov	[ebp-214h], eax
		mov	[ebp-1E8h], eax
		mov	[ebp-234h], eax
		mov	[ebp-220h], eax
		mov	[ebp-230h], eax
		mov	[ebp-23Ch], eax
		push	1B0h
		push	eax
		lea	eax, [ebp-1D0h]
		push	eax
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebp-1E4h], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-1DDh], al
		mov	[ebp-1F8h], al
		test	al, al
		jz	loc_77D7E5
		add	esi, 0FFFFFFFBh
		cmp	esi, 0DEh
		ja	short loc_77D782
		movzx	eax, ds:byte_782420[esi]
		jmp	ds:off_782414[eax*4]

loc_77D77B:				; DATA XREF: PAGE:00782418o
		mov	eax, 1
		jmp	short loc_77D787
; 

loc_77D782:				; CODE XREF: PAGE:0077D76Bj
					; PAGE:0077D774j
					; DATA XREF: ...
		mov	eax, 4

loc_77D787:				; CODE XREF: PAGE:0077D780j
		mov	dword ptr [ebp-4], 0
		push	eax
		mov	esi, [ebp+10h]
		push	esi
		mov	edi, [ebp-1DCh]
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		test	ebx, ebx
		jz	short loc_77D7B4
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_77D7B0
		mov	ecx, eax

loc_77D7B0:				; CODE XREF: PAGE:0077D7ACj
		mov	eax, [ecx]
		mov	[ecx], eax

loc_77D7B4:				; CODE XREF: PAGE:0077D7A1j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_77D7EE
; 

loc_77D7BD:				; DATA XREF: .text:006A1354o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-408h], eax
		mov	eax, 1
		retn
; 

loc_77D7D0:				; DATA XREF: .text:006A1358o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-408h]
		jmp	loc_7823EE
; 

loc_77D7E5:				; CODE XREF: PAGE:0077D75Cj
		mov	edi, [ebp-1DCh]
		mov	esi, [ebp+10h]

loc_77D7EE:				; CODE XREF: PAGE:0077D7BBj
		mov	dword ptr [ebp-1D8h], 0
		mov	dword ptr [ebp-234h], 0FFFFh
		xor	ecx, ecx
		mov	[ebp-200h], ecx
		xor	edx, edx
		mov	[ebp-1F4h], edx
		mov	[ebp-22Ch], ecx
		mov	[ebp-228h], ecx
		mov	eax, 9
		mov	[ebp-218h], eax
		mov	[ebp-23Ch], eax
		mov	eax, [ebp-204h]
		add	eax, 0FFFFFFFEh
		cmp	eax, 0B3h
		ja	short loc_77D86F
		movzx	eax, ds:byte_782524[eax]
		jmp	ds:off_782500[eax*4]

loc_77D84D:				; DATA XREF: PAGE:off_782500o
		mov	dword ptr [ebp-1F4h], 0FFFFh
		push	0FFFFh

loc_77D85C:				; CODE XREF: PAGE:0077D8CAj
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	ecx, eax
		mov	[ebp-200h], ecx
		mov	edx, [ebp-1F4h]

loc_77D86F:				; CODE XREF: PAGE:0077D83Dj
					; PAGE:0077D846j ...
		mov	eax, [ebp-204h]
		cmp	eax, 0E3h
		ja	loc_7823E9
		movzx	eax, ds:byte_782814[eax]
		jmp	ds:off_7825D8[eax*4]
; 

loc_77D88E:				; CODE XREF: PAGE:0077D846j
					; DATA XREF: PAGE:00782504o
		cmp	dword ptr [ebp+8], 2
		jb	loc_78060A
		mov	dword ptr [ebp-4], 1
		mov	eax, [ebp-1F0h]
		movzx	eax, word ptr [eax]
		mov	[ebp-1F4h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		call	_KeQueryActiveGroupCount@0 ; KeQueryActiveGroupCount()
		mov	ecx, [ebp-1F4h]
		cmp	cx, ax
		jnb	loc_78060A
		push	ecx
		jmp	short loc_77D85C
; 

loc_77D8CC:				; DATA XREF: .text:006A1360o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-498h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77D8DF:				; DATA XREF: .text:006A1364o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-498h]
		jmp	loc_7823EE
; 

loc_77D8F4:				; CODE XREF: PAGE:0077D846j
					; DATA XREF: PAGE:00782510o
		cmp	dword ptr [ebp+8], 2
		jb	loc_78060A
		mov	dword ptr [ebp-4], 2
		mov	eax, [ebp-1F0h]
		movzx	eax, word ptr [eax]
		mov	[ebp-22Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	ax, ds:_KeNumberNodes
		jnb	loc_78060A
		jmp	loc_77D86F
; 

loc_77D92D:				; DATA XREF: .text:006A136Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-49Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77D940:				; DATA XREF: .text:006A1370o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-49Ch]
		jmp	loc_7823EE
; 

loc_77D955:				; CODE XREF: PAGE:0077D846j
					; DATA XREF: PAGE:0078250Co
		cmp	dword ptr [ebp+8], 4
		jb	loc_78060A
		mov	dword ptr [ebp-4], 3
		mov	eax, [ebp-1F0h]
		mov	eax, [eax]
		mov	[ebp-234h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77D86F
; 

loc_77D980:				; DATA XREF: .text:006A1378o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4A0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77D993:				; DATA XREF: .text:006A137Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4A0h]
		jmp	loc_7823EE
; 

loc_77D9A8:				; CODE XREF: PAGE:0077D846j
					; DATA XREF: PAGE:00782514o
		mov	eax, [ebp+8]
		test	eax, eax
		jz	loc_77D86F
		cmp	eax, 8
		jnz	loc_78060A
		mov	dword ptr [ebp-4], 4
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77D86F
; 

loc_77D9CF:				; DATA XREF: .text:006A1384o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-27Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77D9E2:				; DATA XREF: .text:006A1388o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-27Ch]
		jmp	loc_7823EE
; 

loc_77D9F7:				; CODE XREF: PAGE:0077D846j
					; DATA XREF: PAGE:00782518o
		cmp	dword ptr [ebp+8], 4
		jnz	loc_78060A
		mov	dword ptr [ebp-4], 5
		mov	eax, [ebp-1F0h]
		mov	eax, [eax]
		mov	[ebp-228h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77D86F
; 

loc_77DA22:				; DATA XREF: .text:006A1390o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-280h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77DA35:				; DATA XREF: .text:006A1394o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-280h]
		jmp	loc_7823EE
; 

loc_77DA4A:				; CODE XREF: PAGE:0077D846j
					; DATA XREF: PAGE:0078251Co
		cmp	dword ptr [ebp+8], 8
		jnz	loc_78060A
		mov	dword ptr [ebp-4], 6
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77D86F
; 

loc_77DA67:				; DATA XREF: .text:006A139Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-284h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77DA7A:				; DATA XREF: .text:006A13A0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-284h]
		jmp	loc_7823EE
; 

loc_77DA8F:				; CODE XREF: PAGE:0077D846j
					; DATA XREF: PAGE:00782508o
		cmp	dword ptr [ebp+8], 4
		jnz	loc_78060A
		mov	dword ptr [ebp-4], 7
		mov	eax, [ebp-1F0h]
		mov	eax, [eax]
		mov	[ebp-218h], eax
		mov	[ebp-23Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77D86F
; 

loc_77DAC0:				; DATA XREF: .text:006A13A8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-288h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77DAD3:				; DATA XREF: .text:006A13ACo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-288h]
		jmp	loc_7823EE
; 

loc_77DAE8:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:off_7825D8o
		cmp	esi, 2Ch
		jz	short loc_77DB3B
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 8
		mov	dword ptr [ebx], 2Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77DB13:				; DATA XREF: .text:006A13B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77DB26:				; DATA XREF: .text:006A13B8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-28Ch]
		jmp	loc_7823EE
; 

loc_77DB3B:				; CODE XREF: PAGE:0077DAEBj
					; PAGE:0077DB54j
		mov	ecx, edi
		call	ExpGetSystemBasicInformation
		mov	dword ptr [ebp-1D8h], 2Ch
		jmp	loc_77DC08
; 

loc_77DB51:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078267Co
		cmp	esi, 2Ch
		jz	short loc_77DB3B
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 9
		mov	dword ptr [ebx], 2Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77DB7C:				; DATA XREF: .text:006A13C0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-290h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77DB8F:				; DATA XREF: .text:006A13C4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-290h]
		jmp	loc_7823EE
; 

loc_77DBA4:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007825DCo
		cmp	esi, 0Ch
		jnb	short loc_77DBF7
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 0Ah
		mov	dword ptr [ebx], 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77DBCF:				; DATA XREF: .text:006A13CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-294h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77DBE2:				; DATA XREF: .text:006A13D0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-294h]
		jmp	loc_7823EE
; 

loc_77DBF7:				; CODE XREF: PAGE:0077DBA7j
					; PAGE:0077DC38j
		mov	ecx, edi
		call	ExpGetSystemProcessorInformation

loc_77DBFE:				; CODE XREF: PAGE:0077FCB8j
		mov	dword ptr [ebp-1D8h], 0Ch

loc_77DC08:				; CODE XREF: PAGE:0077DB4Cj
					; PAGE:0077E9B0j ...
		mov	ebx, eax

loc_77DC0A:				; CODE XREF: PAGE:0077DE1Cj
					; PAGE:0077DF3Bj ...
		mov	esi, [ebp-1D4h]

loc_77DC10:				; CODE XREF: PAGE:0077E45Bj
					; PAGE:0077E499j ...
		test	esi, esi
		jz	loc_7823E5
		mov	dword ptr [ebp-4], 8Ch
		mov	eax, [ebp-1D8h]
		mov	[esi], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, ebx
		jmp	loc_7823EE
; 

loc_77DC35:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782680o
		cmp	esi, 0Ch
		jnb	short loc_77DBF7
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 0Bh
		mov	dword ptr [ebx], 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77DC60:				; DATA XREF: .text:006A13D8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-298h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77DC73:				; DATA XREF: .text:006A13DCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-298h]
		jmp	loc_7823EE
; 

loc_77DC88:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827B8o
		cmp	esi, 38h
		jz	short loc_77DCDB
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 0Ch
		mov	dword ptr [ebx], 38h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77DCB3:				; DATA XREF: .text:006A13E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-29Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77DCC6:				; DATA XREF: .text:006A13E8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-29Ch]
		jmp	loc_7823EE
; 

loc_77DCDB:				; CODE XREF: PAGE:0077DC8Bj
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		movzx	esi, ax
		push	esi
		call	_MmGetNumberOfPhysicalPages@4 ;	MmGetNumberOfPhysicalPages(x)
		mov	ebx, 1000h
		mul	ebx
		mov	[ebp-1D0h], eax
		mov	[ebp-1CCh], edx
		mov	ecx, esi
		call	_MmGetAvailablePages@4 ; MmGetAvailablePages(x)
		mul	ebx
		mov	[ebp-1C8h], eax
		mov	[ebp-1C4h], edx
		mov	ecx, esi
		call	_MmGetResidentAvailablePages@4 ; MmGetResidentAvailablePages(x)
		xor	ecx, ecx
		shld	ecx, eax, 0Ch
		shl	eax, 0Ch
		mov	[ebp-1C0h], eax
		mov	[ebp-1BCh], ecx
		mov	ecx, esi
		call	_MmGetTotalCommittedPages@4 ; MmGetTotalCommittedPages(x)
		mul	ebx
		mov	[ebp-1B8h], eax
		mov	[ebp-1B4h], edx
		mov	ecx, esi
		call	_MmGetTotalCommitLimit@4 ; MmGetTotalCommitLimit(x)
		mul	ebx
		mov	[ebp-1A8h], eax
		mov	[ebp-1A4h], edx
		mov	ecx, esi
		call	_MmGetPeakCommitment@4 ; MmGetPeakCommitment(x)
		mul	ebx
		mov	[ebp-1A0h], eax
		mov	[ebp-19Ch], edx
		call	_MmGetSharedCommit@0 ; MmGetSharedCommit()
		mul	ebx
		mov	[ebp-1B0h], eax
		mov	[ebp-1ACh], edx
		mov	ecx, [ebp-1C4h]
		cmp	[ebp-1CCh], ecx
		ja	short loc_77DDA9
		mov	eax, [ebp-1C8h]
		jb	short loc_77DD9D
		cmp	[ebp-1D0h], eax
		jnb	short loc_77DDA9

loc_77DD9D:				; CODE XREF: PAGE:0077DD93j
		mov	[ebp-1D0h], eax
		mov	[ebp-1CCh], ecx

loc_77DDA9:				; CODE XREF: PAGE:0077DD8Bj
					; PAGE:0077DD9Bj
		mov	ecx, [ebp-1B4h]
		mov	eax, [ebp-1B8h]
		cmp	[ebp-1A4h], ecx
		ja	short loc_77DDD3
		jb	short loc_77DDC7
		cmp	[ebp-1A8h], eax
		jnb	short loc_77DDD3

loc_77DDC7:				; CODE XREF: PAGE:0077DDBDj
		mov	[ebp-1A8h], eax
		mov	[ebp-1A4h], ecx

loc_77DDD3:				; CODE XREF: PAGE:0077DDBBj
					; PAGE:0077DDC5j
		cmp	[ebp-19Ch], ecx
		ja	short loc_77DDF1
		jb	short loc_77DDE5
		cmp	[ebp-1A0h], eax
		jnb	short loc_77DDF1

loc_77DDE5:				; CODE XREF: PAGE:0077DDDBj
		mov	[ebp-1A0h], eax
		mov	[ebp-19Ch], ecx

loc_77DDF1:				; CODE XREF: PAGE:0077DDD9j
					; PAGE:0077DDE3j
		mov	dword ptr [ebp-4], 0Dh
		mov	ecx, 0Eh
		lea	esi, [ebp-1D0h]
		rep movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-1D8h], 38h

loc_77DE16:				; CODE XREF: PAGE:0077E4C2j
					; PAGE:0077E5F5j ...
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77DE21:				; DATA XREF: .text:006A13F0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2A0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77DE34:				; DATA XREF: .text:006A13F4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2A0h]
		jmp	loc_7823EE
; 

loc_77DE49:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827C0o
		cmp	esi, 18h
		jz	short loc_77DE9C
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 0Eh
		mov	dword ptr [ebx], 18h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77DE74:				; DATA XREF: .text:006A13FCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2A4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77DE87:				; DATA XREF: .text:006A1400o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2A4h]
		jmp	loc_7823EE
; 

loc_77DE9C:				; CODE XREF: PAGE:0077DE4Cj
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		movzx	esi, ax
		push	esi
		call	_MmGetNumberOfPhysicalPages@4 ;	MmGetNumberOfPhysicalPages(x)
		mov	ebx, 1000h
		mul	ebx
		mov	edi, eax
		mov	[ebp-1D0h], edi
		mov	[ebp-1CCh], edx
		mov	ecx, esi
		call	_MmGetLowestPhysicalPage@4 ; MmGetLowestPhysicalPage(x)
		mul	ebx
		mov	[ebp-1C8h], eax
		mov	[ebp-1C4h], edx
		mov	ecx, esi
		call	_MmGetHighestPhysicalPage@4 ; MmGetHighestPhysicalPage(x)
		mul	ebx
		mov	ecx, eax
		add	ecx, 0FFFh
		adc	edx, 0
		mov	[ebp-1C0h], ecx
		mov	[ebp-1BCh], edx
		mov	dword ptr [ebp-4], 0Fh
		mov	eax, [ebp-1DCh]
		mov	[eax], edi
		mov	esi, [ebp-1CCh]
		mov	[eax+4], esi
		mov	esi, [ebp-1C8h]
		mov	[eax+8], esi
		mov	esi, [ebp-1C4h]
		mov	[eax+0Ch], esi
		mov	[eax+10h], ecx
		mov	[eax+14h], edx

loc_77DF24:				; CODE XREF: PAGE:0077ED3Dj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-1D8h], 18h
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77DF40:				; DATA XREF: .text:006A1408o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2A8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77DF53:				; DATA XREF: .text:006A140Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2A8h]
		jmp	loc_7823EE
; 

loc_77DF68:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782724o
		cmp	esi, 10h
		jz	short loc_77DFBB
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 10h
		mov	dword ptr [ebx], 10h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77DF93:				; DATA XREF: .text:006A1414o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2ACh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77DFA6:				; DATA XREF: .text:006A1418o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2ACh]
		jmp	loc_7823EE
; 

loc_77DFBB:				; CODE XREF: PAGE:0077DF6Bj
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		movzx	edx, ax
		mov	ecx, edx
		call	_MmGetAvailablePages@4 ; MmGetAvailablePages(x)
		mov	[ebp-1D0h], eax
		mov	ecx, edx
		call	_MmGetTotalCommittedPages@4 ; MmGetTotalCommittedPages(x)
		mov	[ebp-1CCh], eax
		mov	ecx, edx
		call	_MmGetTotalCommitLimit@4 ; MmGetTotalCommitLimit(x)
		mov	[ebp-1C8h], eax
		mov	ecx, edx
		call	_MmGetPeakCommitment@4 ; MmGetPeakCommitment(x)
		mov	[ebp-1C4h], eax
		nop
		mov	edx, [ebp-1C4h]
		mov	esi, [ebp-1CCh]
		cmp	edx, esi
		jnb	short loc_77E010
		mov	edx, esi
		mov	[ebp-1C4h], edx

loc_77E010:				; CODE XREF: PAGE:0077E006j
		mov	dword ptr [ebp-4], 11h
		mov	ecx, [ebp-1D0h]
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		mov	[eax+4], esi
		mov	ecx, [ebp-1C8h]
		mov	[eax+8], ecx
		mov	[eax+0Ch], edx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-1D8h], 10h
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77E050:				; DATA XREF: .text:006A1420o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2B0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77E063:				; DATA XREF: .text:006A1424o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2B0h]
		jmp	loc_7823EE
; 

loc_77E078:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007825E0o
		cmp	esi, 138h
		jnb	short loc_77E0CE
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 12h
		mov	dword ptr [ebx], 158h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77E0A6:				; DATA XREF: .text:006A142Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2B4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77E0B9:				; DATA XREF: .text:006A1430o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2B4h]
		jmp	loc_7823EE
; 

loc_77E0CE:				; CODE XREF: PAGE:0077E07Ej
		cmp	esi, 158h
		jbe	short loc_77E0DB
		mov	esi, 158h

loc_77E0DB:				; CODE XREF: PAGE:0077E0D4j
		mov	dword ptr [ebp-4], 13h
		push	esi
		mov	edx, edi
		call	ExpQuerySystemPerformanceInformation
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	[ebp-1D8h], esi
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77E102:				; DATA XREF: .text:006A1438o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2B8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77E115:				; DATA XREF: .text:006A143Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2B8h]
		jmp	loc_7823EE
; 

loc_77E12A:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007825F8o
		mov	edi, [ebp-204h]
		add	edi, 0FFFFFFF8h
		neg	edi
		sbb	edi, edi
		and	edi, 18h
		add	edi, 30h
		mov	[ebp-1FCh], edi
		test	esi, esi
		jz	loc_77E2F7
		mov	eax, esi
		xor	edx, edx
		div	edi
		test	edx, edx
		jnz	loc_77E2F7
		mov	[ebp-214h], edx
		xor	eax, eax
		mov	edi, [ebp-1F4h]
		mov	ebx, [ebp-1FCh]

loc_77E16D:				; CODE XREF: PAGE:0077E2B3j
		mov	[ebp-220h], eax
		cmp	eax, ecx
		jnb	loc_77E2E0
		mov	[ebp-1E8h], di
		mov	[ebp-1E6h], al
		mov	byte ptr [ebp-1E5h], 0
		lea	eax, [ebp-1E8h]
		push	eax
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	[ebp-20Ch], eax
		mov	ecx, [ebp-214h]
		lea	eax, [ebx+ecx]
		cmp	esi, eax
		jb	loc_77E2E6
		mov	[ebp-214h], eax
		lea	eax, [ebp-1D0h]
		push	eax
		xor	edx, edx
		lea	ecx, [ebp-1E8h]
		call	_PoGetIdleTimes@12 ; PoGetIdleTimes(x,x,x)
		mov	dword ptr [ebp-4], 15h
		mov	eax, ds:_KeMaximumIncrement
		mov	ecx, [ebp-20Ch]
		mul	dword ptr [ecx+4A8h]
		mov	ecx, [ebp-1DCh]
		mov	[ecx+10h], eax
		mov	[ecx+14h], edx
		mov	eax, [ebp-1CCh]
		mul	ds:_KeMaximumIncrement
		mov	[ecx+8], eax
		mov	[ecx+0Ch], edx
		mov	eax, ds:_KeMaximumIncrement
		mov	edx, [ebp-20Ch]
		mul	dword ptr [edx+4ACh]
		mov	[ecx+18h], eax
		mov	[ecx+1Ch], edx
		mov	eax, ds:_KeMaximumIncrement
		mov	edx, [ebp-20Ch]
		mul	dword ptr [edx+4B4h]
		mov	[ecx+20h], eax
		mov	[ecx+24h], edx
		mov	eax, [ebp-1D0h]
		mul	ds:_KeMaximumIncrement
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	edx, [ebp-20Ch]
		mov	eax, [edx+4A0h]
		mov	[ecx+28h], eax
		cmp	dword ptr [ebp-204h], 8Dh
		jnz	short loc_77E297
		mov	eax, ds:_KeMaximumIncrement
		mul	dword ptr [edx+594h]
		mov	[ecx+30h], eax
		mov	[ecx+34h], edx
		mov	dword ptr [ecx+2Ch], 0
		mov	dword ptr [ecx+38h], 0
		mov	dword ptr [ecx+3Ch], 0
		mov	dword ptr [ecx+40h], 0
		mov	dword ptr [ecx+44h], 0

loc_77E297:				; CODE XREF: PAGE:0077E261j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		add	ecx, ebx
		mov	[ebp-1DCh], ecx
		mov	eax, [ebp-220h]
		inc	eax
		mov	ecx, [ebp-200h]
		jmp	loc_77E16D
; 

loc_77E2B8:				; DATA XREF: .text:006A1450o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2BCh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77E2CB:				; DATA XREF: .text:006A1454o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2BCh]
		jmp	loc_7823EE
; 

loc_77E2E0:				; CODE XREF: PAGE:0077E175j
		mov	ecx, [ebp-214h]

loc_77E2E6:				; CODE XREF: PAGE:0077E1B3j
		mov	[ebp-1D8h], ecx
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77E2F7:				; CODE XREF: PAGE:0077E145j
					; PAGE:0077E153j
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 14h
		imul	edi, ecx
		mov	[ebx], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77E31C:				; DATA XREF: .text:006A1444o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2C0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77E32F:				; DATA XREF: .text:006A1448o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2C0h]
		jmp	loc_7823EE
; 

loc_77E344:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826E0o
		mov	[ebp-268h], dx
		push	edx
		call	_KeQueryGroupAffinity@4	; KeQueryGroupAffinity(x)
		mov	ebx, eax
		mov	[ebp-26Ch], ebx
		not	ebx
		movzx	ecx, bl
		mov	dl, ds:_RtlpBitsClearTotal[ecx]
		shr	ebx, 8
		movzx	ecx, bl
		add	dl, ds:_RtlpBitsClearTotal[ecx]
		shr	ebx, 8
		movzx	eax, bl
		add	dl, ds:_RtlpBitsClearTotal[eax]
		shr	ebx, 8
		add	dl, ds:_RtlpBitsClearTotal[ebx]
		movzx	eax, dl
		mov	[ebp-1FCh], eax
		lea	ecx, [ebp-208h]
		push	ecx
		lea	ecx, [ebp-26Ch]
		push	ecx
		push	eax
		xor	edx, edx
		xor	ecx, ecx
		call	_PpmCapturePerformanceDistribution@20 ;	PpmCapturePerformanceDistribution(x,x,x,x,x)
		mov	ebx, eax
		cmp	ebx, 0C0000004h
		jnz	loc_77DC0A
		mov	eax, [ebp-208h]
		cmp	eax, esi
		jbe	short loc_77E3C9
		mov	[ebp-1D8h], eax
		jmp	loc_77DC0A
; 

loc_77E3C9:				; CODE XREF: PAGE:0077E3BCj
		push	744D5050h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp-1F0h], esi
		test	esi, esi
		jnz	short loc_77E3EF
		mov	ebx, 0C000009Ah
		jmp	loc_77DC0A
; 

loc_77E3EF:				; CODE XREF: PAGE:0077E3E3j
		push	dword ptr [ebp-208h]
		push	0
		push	esi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp-1D8h]
		push	eax
		lea	eax, [ebp-26Ch]
		push	eax
		push	dword ptr [ebp-1FCh]
		mov	edx, [ebp-208h]
		mov	ecx, esi
		call	_PpmCapturePerformanceDistribution@20 ;	PpmCapturePerformanceDistribution(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_77E445
		mov	dword ptr [ebp-4], 16h
		push	dword ptr [ebp-1D8h]
		push	esi
		push	edi
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_77E445:				; CODE XREF: PAGE:0077E425j
		mov	esi, [ebp-1D4h]
		push	744D5050h
		push	dword ptr [ebp-1F0h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_77DC10
; 

loc_77E460:				; DATA XREF: .text:006A145Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2C4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77E473:				; DATA XREF: .text:006A1460o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-2C4h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1ECh]
		push	744D5050h
		push	dword ptr [ebp-1F0h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_77DC10
; 

loc_77E49E:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782678o
		lea	eax, [ecx+ecx*4]
		shl	eax, 4
		mov	[ebp-1D8h], eax
		cmp	esi, eax
		jnb	short loc_77E4B8

loc_77E4AE:				; CODE XREF: PAGE:0077E5EBj
					; PAGE:00781041j ...
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_77E4B8:				; CODE XREF: PAGE:0077E4ACj
		xor	ebx, ebx
		lea	ebx, [ebx+0]

loc_77E4C0:				; CODE XREF: PAGE:0077E5B0j
		cmp	ebx, ecx
		jnb	loc_77DE16
		mov	[ebp-1E8h], dx
		mov	[ebp-1E6h], bl
		mov	byte ptr [ebp-1E5h], 0
		lea	eax, [ebp-1E8h]
		push	eax
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	esi, ds:_KiProcessorBlock[eax*4]
		lea	eax, [ebp-260h]
		push	eax
		push	0
		lea	edx, [ebp-1D0h]
		lea	ecx, [ebp-1E8h]
		call	PoGetPerfStateAndParkingInfo
		mov	dword ptr [ebp-4], 17h
		push	50h
		push	0
		push	edi
		call	_memset
		add	esp, 0Ch
		mov	eax, [esi+4A8h]
		add	eax, [esi+4A4h]
		mul	ds:_KeMaximumIncrement
		mov	ecx, [ebp-1DCh]
		mov	[ecx+28h], eax
		mov	[ecx+2Ch], edx
		mov	edx, [esi+0Ch]
		mov	eax, ds:_KeMaximumIncrement
		mul	dword ptr [edx+194h]
		mov	[ecx+30h], eax
		mov	[ecx+34h], edx
		cmp	byte ptr [ebp-1B4h], 0
		jz	short loc_77E579
		mov	al, [ebp-1C8h]
		mov	[ecx], al
		mov	al, [ebp-1C4h]
		mov	[ecx+7], al
		mov	al, [ebp-1C0h]
		mov	[ecx+8], al
		mov	dword ptr [ecx+0Ch], 1

loc_77E579:				; CODE XREF: PAGE:0077E556j
		mov	eax, [ebp-260h]
		mov	[ecx+48h], eax
		mov	eax, [ebp-25Ch]
		mov	[ecx+4Ch], eax
		add	ecx, 50h
		mov	[ebp-1DCh], ecx
		mov	[ebp-238h], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		inc	ebx
		mov	edi, ecx
		mov	ecx, [ebp-200h]
		mov	edx, [ebp-1F4h]
		jmp	loc_77E4C0
; 

loc_77E5B5:				; DATA XREF: .text:006A1468o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2C8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77E5C8:				; DATA XREF: .text:006A146Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2C8h]
		jmp	loc_7823EE
; 

loc_77E5DD:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782648o
		lea	eax, [ecx+ecx*2]
		shl	eax, 4
		mov	[ebp-1D8h], eax
		cmp	esi, eax
		jb	loc_77E4AE
		xor	ebx, ebx

loc_77E5F3:				; CODE XREF: PAGE:0077E65Bj
		cmp	ebx, ecx
		jnb	loc_77DE16
		mov	[ebp-1E8h], dx
		mov	[ebp-1E6h], bl
		mov	byte ptr [ebp-1E5h], 0
		push	0
		lea	edx, [ebp-1D0h]
		lea	ecx, [ebp-1E8h]
		call	_PoGetIdleTimes@12 ; PoGetIdleTimes(x,x,x)
		mov	dword ptr [ebp-4], 18h
		mov	ecx, 0Ch
		lea	esi, [ebp-1D0h]
		mov	eax, [ebp-1DCh]
		mov	edi, eax
		rep movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		add	eax, 30h
		mov	[ebp-1DCh], eax
		inc	ebx
		mov	ecx, [ebp-200h]
		mov	edx, [ebp-1F4h]
		jmp	short loc_77E5F3
; 

loc_77E65D:				; DATA XREF: .text:006A1474o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2CCh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77E670:				; DATA XREF: .text:006A1478o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2CCh]
		jmp	loc_7823EE
; 

loc_77E685:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827F4o
		cmp	esi, 8
		jz	short loc_77E6D4
		test	ebx, ebx
		jz	short loc_77E6A2
		mov	dword ptr [ebp-4], 19h

loc_77E695:				; CODE XREF: PAGE:00782018j
		mov	dword ptr [ebx], 8
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_77E6A2:				; CODE XREF: PAGE:0077DAEFj
					; PAGE:0077DB58j ...
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77E6AC:				; DATA XREF: .text:006A1480o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2D0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77E6BF:				; DATA XREF: .text:006A1484o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2D0h]
		jmp	loc_7823EE
; 

loc_77E6D4:				; CODE XREF: PAGE:0077E688j
		mov	dword ptr [ebp-4], 1Ah
		mov	eax, _ExLeapSecondData
		cmp	byte ptr [eax],	0
		setnz	cl
		mov	eax, [ebp-1DCh]
		mov	[eax], cl
		mov	dword ptr [eax+4], 0
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-1D8h], 8
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77E711:				; DATA XREF: .text:006A148Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2D4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77E724:				; DATA XREF: .text:006A1490o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2D4h]
		jmp	loc_7823EE
; 

loc_77E739:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007825E4o
		cmp	esi, 30h
		jbe	short loc_77E78C
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 1Bh
		mov	dword ptr [ebx], 30h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77E764:				; DATA XREF: .text:006A1498o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2D8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77E777:				; DATA XREF: .text:006A149Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2D8h]
		jmp	loc_7823EE
; 

loc_77E78C:				; CODE XREF: PAGE:0077E73Cj
		lea	eax, [ebp-1B0h]
		push	eax
		lea	edx, [ebp-1D0h]
		lea	ecx, [ebp-1C8h]
		call	KeQueryBootTimeValues
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+268h]
		mov	eax, [ecx+1B8h]
		mov	[ebp-1C0h], eax
		mov	eax, [ecx+1BCh]
		mov	[ebp-1BCh], eax
		mov	eax, [ecx+1B0h]
		mov	[ebp-1B8h], eax
		mov	edi, 0FFDF03B0h

loc_77E7D8:				; CODE XREF: PAGE:0077E7E4j
					; PAGE:0077E7E8j
		mov	edx, [edi]
		mov	ecx, [edi+4]
		mov	eax, [edi]
		mov	ebx, [edi+4]
		cmp	edx, eax
		jnz	short loc_77E7D8
		cmp	ecx, ebx
		jnz	short loc_77E7D8
		mov	[ebp-1A8h], edx
		mov	[ebp-1A4h], ecx
		mov	dword ptr [ebp-4], 1Ch
		mov	edi, [ebp-1DCh]
		push	esi
		lea	eax, [ebp-1D0h]
		push	eax
		push	edi
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	[ebp-1D8h], esi
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77E82C:				; DATA XREF: .text:006A14A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2DCh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77E83F:				; DATA XREF: .text:006A14A8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2DCh]
		jmp	loc_7823EE
; 

loc_77E854:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782630o
		cmp	esi, 0Ch
		jz	short loc_77E8AC
		cmp	esi, 18h
		jz	short loc_77E8AC
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 1Dh
		mov	dword ptr [ebx], 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77E884:				; DATA XREF: .text:006A14B0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2E0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77E897:				; DATA XREF: .text:006A14B4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2E0h]
		jmp	loc_7823EE
; 

loc_77E8AC:				; CODE XREF: PAGE:0077E857j
					; PAGE:0077E85Cj
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		mov	edi, ds:_KeTimeAdjustmentFrequency
		mov	ebx, ds:dword_70E724
		mov	al, ds:_KeTimeSynchronization
		mov	[ebp-1DDh], al
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()
		mov	dword ptr [ebp-4], 1Eh
		cmp	esi, 18h
		jnz	short loc_77E919
		mov	eax, [ebp-1DCh]
		mov	[eax], edi
		mov	[eax+4], ebx
		mov	ecx, ds:0FFDF0300h
		mov	[eax+8], ecx
		mov	ecx, ds:0FFDF0304h
		mov	[eax+0Ch], ecx
		mov	dl, [ebp-1DDh]
		mov	[eax+10h], dl
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	[ebp-1D8h], esi
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77E919:				; CODE XREF: PAGE:0077E8D9j
		mov	eax, ds:0FFDF0304h
		mul	ds:_KeMaximumIncrement
		mov	esi, eax
		mov	eax, ds:0FFDF0300h
		mul	ds:_KeMaximumIncrement
		add	esi, edx
		push	ebx
		push	edi
		push	esi
		push	eax
		call	__aulldiv
		mov	ecx, [ebp-1DCh]
		mov	[ecx], eax
		mov	eax, ds:_KeMaximumIncrement
		mov	[ecx+4], eax
		mov	dl, [ebp-1DDh]
		mov	[ecx+8], dl
		mov	esi, [ebp+10h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	[ebp-1D8h], esi
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77E970:				; DATA XREF: .text:006A14BCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2E4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77E983:				; DATA XREF: .text:006A14C0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2E4h]
		jmp	loc_7823EE
; 

loc_77E998:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007825ECo
		push	dword ptr [ebp-204h]
		push	0
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	ExpGetProcessInformation
		jmp	loc_77DC08
; 

loc_77E9B5:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826C4o
		mov	dword ptr [ebp-1D8h], 0Ch
		cmp	esi, 0Ch
		jz	short loc_77E9CE
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_77E9CE:				; CODE XREF: PAGE:0077E9C2j
		mov	dword ptr [ebp-4], 1Fh
		mov	eax, [ebp-1DCh]
		mov	ecx, [eax]
		mov	[ebp-278h], ecx
		mov	ecx, [eax+4]
		mov	[ebp-274h], ecx
		mov	edx, [eax+8]
		mov	[ebp-270h], edx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	cx, cx
		jnz	loc_78060A
		shr	ecx, 10h
		test	cl, 1
		jnz	loc_78060A
		cmp	byte ptr [ebp-1DDh], 0
		jz	short loc_77EA4F
		mov	dword ptr [ebp-4], 20h
		test	cx, cx
		jz	short loc_77EA48
		test	dl, 1
		jnz	loc_78240C
		movzx	ecx, word ptr [ebp-272h]
		add	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_77EA45
		cmp	ecx, edx
		jnb	short loc_77EA48

loc_77EA45:				; CODE XREF: PAGE:0077EA3Fj
		mov	byte ptr [eax],	0

loc_77EA48:				; CODE XREF: PAGE:0077EA24j
					; PAGE:0077EA43j
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_77EA4F:				; CODE XREF: PAGE:0077EA18j
		mov	ebx, large fs:124h
		mov	[ebp-1FCh], ebx
		movzx	eax, word ptr [ebp-272h]
		mov	[ebp-244h], eax
		dec	word ptr [ebx+13Ch]
		nop
		lea	eax, [ebp-214h]
		push	eax
		push	dword ptr [ebp-278h]
		call	PsLookupProcessByProcessId
		mov	esi, eax
		test	esi, esi
		jns	short loc_77EABF
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, esi
		jmp	loc_7823EE
; 

loc_77EA97:				; DATA XREF: .text:006A14D4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2E8h], eax
		mov	eax, 1
		retn
; 

loc_77EAAA:				; DATA XREF: .text:006A14D8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2E8h]
		jmp	loc_7823EE
; 

loc_77EABF:				; CODE XREF: PAGE:0077EA87j
		lea	eax, [ebp-244h]
		push	eax
		push	dword ptr [ebp-270h]
		mov	edi, [ebp-1DCh]
		lea	edx, [edi+4]
		mov	ecx, [ebp-214h]
		call	PsQueryFullProcessImageName
		mov	ebx, eax
		mov	edx, 746C6644h
		mov	ecx, [ebp-214h]
		call	ObfDereferenceObjectWithTag
		mov	ecx, [ebp-1FCh]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		cmp	ebx, 0C0000004h
		jnz	loc_77DC0A
		mov	dword ptr [ebp-4], 21h
		mov	ax, [ebp-244h]
		mov	[edi+6], ax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77DC0A
; 

loc_77EB27:				; DATA XREF: .text:006A14E0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2ECh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77EB3A:				; DATA XREF: .text:006A14E4o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-2ECh]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1ECh]
		jmp	loc_77DC10
; 

loc_77EB55:				; DATA XREF: .text:006A14C8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2F0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77EB68:				; DATA XREF: .text:006A14CCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2F0h]
		jmp	loc_7823EE
; 

loc_77EB7D:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782660o
		cmp	esi, 0Ch
		jnb	short loc_77EBD0
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 22h
		mov	dword ptr [ebx], 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77EBA8:				; DATA XREF: .text:006A14ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2F4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77EBBB:				; DATA XREF: .text:006A14F0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2F4h]
		jmp	loc_7823EE
; 

loc_77EBD0:				; CODE XREF: PAGE:0077EB80j
		mov	dword ptr [ebp-4], 23h
		mov	eax, [ebp-1DCh]
		mov	ecx, [eax]
		mov	[ebp-210h], ecx
		mov	esi, [eax+8]
		mov	[ebp-24Ch], esi
		mov	edi, [eax+4]
		mov	[ebp-254h], edi
		push	4
		push	edi
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	5
		lea	eax, [ebp-210h]
		push	eax
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	ExpGetProcessInformation
		jmp	loc_77DC08
; 

loc_77EC25:				; DATA XREF: .text:006A14F8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2F8h], eax
		mov	eax, 1
		retn
; 

loc_77EC38:				; DATA XREF: .text:006A14FCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2F8h]
		jmp	loc_7823EE
; 

loc_77EC4D:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782744o
		cmp	esi, 1Ch
		jz	short loc_77ECA0
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 24h
		mov	dword ptr [ebx], 1Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77EC78:				; DATA XREF: .text:006A1504o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2FCh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77EC8B:				; DATA XREF: .text:006A1508o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2FCh]
		jmp	loc_7823EE
; 

loc_77ECA0:				; CODE XREF: PAGE:0077EC50j
		push	1Ch
		mov	edx, edi
		mov	ecx, [ebp-204h]
		call	_ExpGetDeviceDataInformation@12	; ExpGetDeviceDataInformation(x,x,x)
		jmp	loc_7823EE
; 

loc_77ECB4:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007825F4o
		cmp	esi, 18h
		jz	short loc_77ED07
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 25h
		mov	dword ptr [ebx], 18h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77ECDF:				; DATA XREF: .text:006A1510o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-300h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77ECF2:				; DATA XREF: .text:006A1514o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-300h]
		jmp	loc_7823EE
; 

loc_77ED07:				; CODE XREF: PAGE:0077ECB7j
		call	_IoGetConfigurationInformation@0 ; IoGetConfigurationInformation()
		mov	edx, eax
		mov	dword ptr [ebp-4], 26h
		mov	ecx, [edx]
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		mov	ecx, [edx+4]
		mov	[eax+4], ecx
		mov	ecx, [edx+8]
		mov	[eax+8], ecx
		mov	ecx, [edx+0Ch]
		mov	[eax+0Ch], ecx
		mov	ecx, [edx+14h]
		mov	[eax+10h], ecx
		mov	ecx, [edx+18h]
		mov	[eax+14h], ecx
		jmp	loc_77DF24
; 

loc_77ED42:				; DATA XREF: .text:006A151Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-304h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77ED55:				; DATA XREF: .text:006A1520o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-304h]
		jmp	loc_7823EE
; 

loc_77ED6A:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007825FCo
		cmp	esi, 4
		jz	short loc_77EDBD
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 27h
		mov	dword ptr [ebx], 4
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77ED95:				; DATA XREF: .text:006A1528o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-308h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77EDA8:				; DATA XREF: .text:006A152Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-308h]
		jmp	loc_7823EE
; 

loc_77EDBD:				; CODE XREF: PAGE:0077ED6Dj
		mov	dword ptr [ebp-4], 28h
		mov	eax, _NtGlobalFlag

loc_77EDC9:				; CODE XREF: PAGE:0077EE6Ej
					; PAGE:007803D5j
		mov	[edi], eax

loc_77EDCB:				; CODE XREF: PAGE:007800C1j
					; PAGE:00780543j ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-1D8h], 4
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77EDE7:				; DATA XREF: .text:006A1534o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77EDFA:				; DATA XREF: .text:006A1538o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-30Ch]
		jmp	loc_7823EE
; 

loc_77EE0F:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827F8o
		cmp	esi, 4
		jz	short loc_77EE62
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 29h
		mov	dword ptr [ebx], 4
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77EE3A:				; DATA XREF: .text:006A1540o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-310h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77EE4D:				; DATA XREF: .text:006A1544o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-310h]
		jmp	loc_7823EE
; 

loc_77EE62:				; CODE XREF: PAGE:0077EE12j
		mov	dword ptr [ebp-4], 2Ah
		mov	eax, _NtGlobalFlag2
		jmp	loc_77EDC9
; 

loc_77EE73:				; DATA XREF: .text:006A154Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-314h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77EE86:				; DATA XREF: .text:006A1550o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-314h]
		jmp	loc_7823EE
; 

loc_77EE9B:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782600o
		mov	cl, [ebp-1DDh]
		call	_ExIsRestrictedCaller@4	; ExIsRestrictedCaller(x)
		test	eax, eax
		jnz	loc_78101A
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceExclusiveLite
		lea	eax, [ebp-1D8h]
		push	eax
		push	esi
		mov	edx, edi
		call	ExpQueryModuleInformation

loc_77EECE:				; CODE XREF: PAGE:0077EF3Dj
		mov	ebx, eax
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_77DC0A
; 

loc_77EEE4:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826ACo
		mov	cl, [ebp-1DDh]
		call	_ExIsRestrictedCaller@4	; ExIsRestrictedCaller(x)
		test	eax, eax
		jnz	loc_78101A
		push	dword ptr [ebp-1F8h]
		mov	eax, ds:dword_A94E04
		push	eax
		mov	eax, ds:_SeLoadDriverPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		not	esi
		and	esi, 1
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceExclusiveLite
		lea	eax, [ebp-1D8h]
		push	eax
		push	esi
		push	dword ptr [ebp+10h]
		mov	edx, edi
		call	ExpQueryModuleInformationEx
		jmp	short loc_77EECE
; 

loc_77EF3F:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782798o
		lea	eax, [ebp-1D8h]
		push	eax
		push	dword ptr [ebp-1F8h]
		mov	edx, esi
		mov	ecx, edi
		call	_ExpQuerySingleModuleInformation@16 ; ExpQuerySingleModuleInformation(x,x,x,x)
		jmp	loc_77DC08
; 

loc_77EF5A:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782604o
		cmp	esi, 28h
		jnb	short loc_77EFAD
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 2Bh
		mov	dword ptr [ebx], 28h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77EF85:				; DATA XREF: .text:006A1558o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-318h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77EF98:				; DATA XREF: .text:006A155Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-318h]
		jmp	loc_7823EE
; 

loc_77EFAD:				; CODE XREF: PAGE:0077EF5Dj
		mov	cl, [ebp-1DDh]
		call	_ExIsRestrictedCaller@4	; ExIsRestrictedCaller(x)
		test	eax, eax
		jnz	loc_78101A
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_ExpGetLockInformation@12 ; ExpGetLockInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_77EFD5:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782608o
		cmp	esi, 9Ch
		jnb	short loc_77F02B
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 2Ch
		mov	dword ptr [ebx], 9Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F003:				; DATA XREF: .text:006A1564o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-31Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F016:				; DATA XREF: .text:006A1568o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-31Ch]
		jmp	loc_7823EE
; 

loc_77F02B:				; CODE XREF: PAGE:0077EFDBj
		mov	cl, [ebp-1DDh]
		call	_ExIsRestrictedCaller@4	; ExIsRestrictedCaller(x)
		test	eax, eax
		jnz	loc_78101A
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_ExpGetStackTraceInformation@12	; ExpGetStackTraceInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_77F053:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078260Co
		mov	ebx, 0C0000002h
		jmp	loc_77DC0A
; 

loc_77F05D:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782610o
		cmp	esi, 14h
		jnb	short loc_77F0B0
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 2Dh
		mov	dword ptr [ebx], 14h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F088:				; DATA XREF: .text:006A1570o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-320h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F09B:				; DATA XREF: .text:006A1574o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-320h]
		jmp	loc_7823EE
; 

loc_77F0B0:				; CODE XREF: PAGE:0077F060j
		test	byte ptr [ebp-1DCh], 3
		jnz	loc_77F6F4
		mov	cl, [ebp-1DDh]
		call	_ExIsRestrictedCaller@4	; ExIsRestrictedCaller(x)
		test	eax, eax
		jnz	loc_78101A
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_ExpGetHandleInformation@12 ; ExpGetHandleInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_77F0E9:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782684o
		cmp	esi, 24h
		jnb	short loc_77F13C
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 2Eh
		mov	dword ptr [ebx], 24h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F114:				; DATA XREF: .text:006A157Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-324h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F127:				; DATA XREF: .text:006A1580o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-324h]
		jmp	loc_7823EE
; 

loc_77F13C:				; CODE XREF: PAGE:0077F0ECj
		test	byte ptr [ebp-1DCh], 3
		jnz	loc_77F6F4
		mov	cl, [ebp-1DDh]
		call	_ExIsRestrictedCaller@4	; ExIsRestrictedCaller(x)
		test	eax, eax
		jnz	loc_78101A
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_ExpGetHandleInformationEx@12 ;	ExpGetHandleInformationEx(x,x,x)
		jmp	loc_77DC08
; 

loc_77F175:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782614o
		cmp	esi, 38h
		jnb	short loc_77F1C8
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 2Fh
		mov	dword ptr [ebx], 38h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F1A0:				; DATA XREF: .text:006A1588o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-328h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F1B3:				; DATA XREF: .text:006A158Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-328h]
		jmp	loc_7823EE
; 

loc_77F1C8:				; CODE XREF: PAGE:0077F178j
		mov	cl, [ebp-1DDh]
		call	_ExIsRestrictedCaller@4	; ExIsRestrictedCaller(x)
		test	eax, eax
		jnz	loc_78101A
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_ExpGetObjectInformation@12 ; ExpGetObjectInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_77F1F4:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782618o
		xor	eax, eax
		mov	ecx, [ebp-204h]
		cmp	ecx, 12h
		setnz	al
		lea	eax, ds:18h[eax*8]
		mov	[ebp-1D8h], eax
		cmp	esi, eax
		jnb	short loc_77F25D
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 30h
		mov	[ebx], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F235:				; DATA XREF: .text:006A1594o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-32Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F248:				; DATA XREF: .text:006A1598o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-32Ch]
		jmp	loc_7823EE
; 

loc_77F25D:				; CODE XREF: PAGE:0077F211j
		mov	dword ptr [ebp-1D8h], 0
		lea	eax, [ebp-1D8h]
		push	eax
		xor	eax, eax
		cmp	ecx, 90h
		setz	al
		push	eax
		push	esi
		mov	edx, [ebp-1DCh]
		call	MmGetPageFileInformation
		jmp	loc_77DC08
; 

loc_77F28B:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782620o
		cmp	esi, 0Ch
		jnb	short loc_77F2DE
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 31h
		mov	dword ptr [ebx], 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F2B6:				; DATA XREF: .text:006A15A0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-330h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F2C9:				; DATA XREF: .text:006A15A4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-330h]
		jmp	loc_7823EE
; 

loc_77F2DE:				; CODE XREF: PAGE:0077F28Ej
		mov	ecx, 2
		mov	eax, [ebp-204h]
		cmp	eax, 77h
		jnz	short loc_77F2F3
		lea	ecx, [eax-74h]
		jmp	short loc_77F2FB
; 

loc_77F2F3:				; CODE XREF: PAGE:0077F2ECj
		cmp	eax, 78h
		jnz	short loc_77F2FB
		lea	ecx, [eax-74h]

loc_77F2FB:				; CODE XREF: PAGE:0077F2F1j
					; PAGE:0077F2F6j
		lea	edx, [ebp-1D0h]
		call	MmQuerySystemWorkingSetInformation
		mov	dword ptr [ebp-4], 32h
		mov	ecx, [ebp-1D0h]
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		mov	ecx, [ebp-1CCh]
		mov	[eax+4], ecx
		mov	ecx, [ebp-1C8h]
		mov	[eax+8], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 0Ch
		cmp	esi, 24h
		jb	short loc_77F387
		mov	edx, 24h
		mov	dword ptr [ebp-4], 33h
		mov	ecx, [ebp-1C4h]
		mov	[eax+0Ch], ecx
		mov	ecx, [ebp-1C0h]
		mov	[eax+10h], ecx
		mov	ecx, [ebp-1BCh]
		mov	[eax+14h], ecx
		mov	ecx, [ebp-1B8h]
		mov	[eax+18h], ecx
		mov	ecx, [ebp-1B4h]
		mov	[eax+1Ch], ecx
		mov	ecx, [ebp-1B0h]
		mov	[eax+20h], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_77F387:				; CODE XREF: PAGE:0077F33Cj
		mov	[ebp-1D8h], edx
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77F398:				; DATA XREF: .text:006A15B8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-334h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F3AB:				; DATA XREF: .text:006A15BCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-334h]
		jmp	loc_7823EE
; 

loc_77F3C0:				; DATA XREF: .text:006A15ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-338h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F3D3:				; DATA XREF: .text:006A15B0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-338h]
		jmp	loc_7823EE
; 

loc_77F3E8:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782690o
		cmp	esi, 0Ch
		jnb	short loc_77F43B
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 34h
		mov	dword ptr [ebx], 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F413:				; DATA XREF: .text:006A15C4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-33Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F426:				; DATA XREF: .text:006A15C8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-33Ch]
		jmp	loc_7823EE
; 

loc_77F43B:				; CODE XREF: PAGE:0077F3EBj
		mov	dword ptr [ebp-4], 35h
		mov	eax, [ebp-1DCh]
		mov	ecx, [eax]
		mov	[ebp-210h], ecx
		mov	ecx, [eax+8]
		mov	[ebp-24Ch], ecx
		mov	edx, [eax+4]
		mov	[ebp-254h], edx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	cl, 7
		jnz	loc_77F6F4
		lea	eax, [ebp-210h]
		push	eax
		lea	eax, [ebp-1D8h]
		push	eax
		call	ExGetSessionPoolTagInformation
		jmp	loc_77DC08
; 

loc_77F48A:				; DATA XREF: .text:006A15D0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-340h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F49D:				; DATA XREF: .text:006A15D4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-340h]
		jmp	loc_7823EE
; 

loc_77F4B2:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782624o
		cmp	esi, 20h
		jnb	short loc_77F505
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 36h
		mov	dword ptr [ebx], 20h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F4DD:				; DATA XREF: .text:006A15DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-344h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F4F0:				; DATA XREF: .text:006A15E0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-344h]
		jmp	loc_7823EE
; 

loc_77F505:				; CODE XREF: PAGE:0077F4B5j
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	ExGetPoolTagInfo
		jmp	loc_77DC08
; 

loc_77F51E:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078268Co
		cmp	esi, 10h
		jnb	short loc_77F571
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 37h
		mov	dword ptr [ebx], 10h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F549:				; DATA XREF: .text:006A15E8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-348h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F55C:				; DATA XREF: .text:006A15ECo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-348h]
		jmp	loc_7823EE
; 

loc_77F571:				; CODE XREF: PAGE:0077F521j
		mov	cl, [ebp-1DDh]
		call	_ExIsRestrictedCaller@4	; ExIsRestrictedCaller(x)
		test	eax, eax
		jnz	loc_78101A
		lea	eax, [ebp-1D8h]
		push	eax
		push	1
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_ExGetBigPoolInfo@16 ; ExGetBigPoolInfo(x,x,x,x)
		jmp	loc_77DC08
; 

loc_77F59F:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078272Co
		cmp	esi, 0Ch
		jnb	short loc_77F5F2
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 38h
		mov	dword ptr [ebx], 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F5CA:				; DATA XREF: .text:006A15F4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F5DD:				; DATA XREF: .text:006A15F8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-34Ch]
		jmp	loc_7823EE
; 

loc_77F5F2:				; CODE XREF: PAGE:0077F5A2j
		mov	dword ptr [ebp-4], 39h
		mov	eax, [ebp-1DCh]
		mov	ecx, [eax]
		mov	[ebp-210h], ecx
		mov	ebx, [eax+8]
		mov	[ebp-24Ch], ebx
		mov	esi, [eax+4]
		mov	[ebp-254h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	bl, 7
		jnz	loc_77F6F4
		mov	cl, [ebp-1DDh]
		call	_ExIsRestrictedCaller@4	; ExIsRestrictedCaller(x)
		test	eax, eax
		jnz	loc_78101A
		lea	eax, [ebp-210h]
		push	eax
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	_ExGetSessionBigPoolInformation@16 ; ExGetSessionBigPoolInformation(x,x,x,x)
		jmp	loc_77DC08
; 

loc_77F658:				; DATA XREF: .text:006A1600o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-350h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F66B:				; DATA XREF: .text:006A1604o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-350h]
		jmp	loc_7823EE
; 

loc_77F680:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782694o
		cmp	esi, 14h
		jnb	short loc_77F6D3
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 3Ah
		mov	dword ptr [ebx], 14h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F6AB:				; DATA XREF: .text:006A160Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-354h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F6BE:				; DATA XREF: .text:006A1610o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-354h]
		jmp	loc_7823EE
; 

loc_77F6D3:				; CODE XREF: PAGE:0077F683j
		mov	dword ptr [ebp-4], 3Bh
		mov	eax, [ebp-1DCh]
		mov	ecx, [eax+4]
		mov	[ebp-210h], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	al, 7
		jz	short loc_77F6FE

loc_77F6F4:				; CODE XREF: PAGE:0077F0B7j
					; PAGE:0077F143j ...
		mov	eax, 80000002h
		jmp	loc_7823EE
; 

loc_77F6FE:				; CODE XREF: PAGE:0077F6F2j
		lea	ecx, [ebp-210h]
		push	ecx
		lea	ecx, [ebp-1D8h]
		push	ecx
		mov	edx, esi
		mov	ecx, eax
		call	_MmGetSessionMappedViewInformation@16 ;	MmGetSessionMappedViewInformation(x,x,x,x)
		jmp	loc_77DC08
; 

loc_77F71A:				; DATA XREF: .text:006A1618o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-358h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F72D:				; DATA XREF: .text:006A161Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-358h]
		jmp	loc_7823EE
; 

loc_77F742:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078261Co
		cmp	esi, 88h
		jnb	short loc_77F798
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 3Ch
		mov	dword ptr [ebx], 88h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F770:				; DATA XREF: .text:006A1624o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-35Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F783:				; DATA XREF: .text:006A1628o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-35Ch]
		jmp	loc_7823EE
; 

loc_77F798:				; CODE XREF: PAGE:0077F748j
		mov	ecx, [ebp-1DCh]
		call	_ExpGetInstemulInformation@4 ; ExpGetInstemulInformation(x)
		mov	dword ptr [ebp-1D8h], 88h
		jmp	loc_77DC08
; 

loc_77F7B2:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782638o
		cmp	esi, 10h
		jnb	short loc_77F805
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 3Dh
		mov	dword ptr [ebx], 10h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F7DD:				; DATA XREF: .text:006A1630o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-360h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F7F0:				; DATA XREF: .text:006A1634o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-360h]
		jmp	loc_7823EE
; 

loc_77F805:				; CODE XREF: PAGE:0077F7B5j
		mov	dword ptr [ebp-1D8h], 10h
		xor	esi, esi
		xor	edi, edi
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_77F838
		lea	esp, [esp+0]

loc_77F820:				; CODE XREF: PAGE:0077F836j
		mov	eax, ds:_KiProcessorBlock[edx*4]
		add	esi, [eax+588h]
		add	edi, [eax+58Ch]
		inc	edx
		cmp	edx, ecx
		jb	short loc_77F820

loc_77F838:				; CODE XREF: PAGE:0077F817j
		mov	dword ptr [ebp-4], 3Eh
		mov	eax, [ebp-1DCh]
		mov	[eax], esi
		mov	[eax+4], edi
		mov	dword ptr [eax+8], 0
		mov	dword ptr [eax+0Ch], 0

loc_77F858:				; CODE XREF: PAGE:007807C9j
					; PAGE:007809F9j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77F86A:				; DATA XREF: .text:006A163Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-364h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F87D:				; DATA XREF: .text:006A1640o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-364h]
		jmp	loc_7823EE
; 

loc_77F892:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078263Co
		cmp	esi, 2
		jnb	short loc_77F8E5
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 3Fh
		mov	dword ptr [ebx], 2
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F8BD:				; DATA XREF: .text:006A1648o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-368h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F8D0:				; DATA XREF: .text:006A164Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-368h]
		jmp	loc_7823EE
; 

loc_77F8E5:				; CODE XREF: PAGE:0077F895j
		mov	dword ptr [ebp-4], 40h
		movzx	ecx, _KdDebuggerEnabled
		mov	eax, [ebp-1DCh]
		mov	[eax], cl
		movzx	ecx, _KdDebuggerNotPresent
		mov	[eax+1], cl
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-1D8h], 2
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77F921:				; DATA XREF: .text:006A1654o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-36Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F934:				; DATA XREF: .text:006A1658o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-36Ch]
		jmp	loc_7823EE
; 

loc_77F949:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782788o
		cmp	esi, 1
		jnb	short loc_77F99C
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 41h
		mov	dword ptr [ebx], 1
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77F974:				; DATA XREF: .text:006A1660o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-370h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F987:				; DATA XREF: .text:006A1664o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-370h]
		jmp	loc_7823EE
; 

loc_77F99C:				; CODE XREF: PAGE:0077F94Cj
		mov	dword ptr [ebp-4], 42h
		mov	cl, _KdIgnoreUmExceptions
		mov	eax, [ebp-1DCh]
		mov	[eax], cl
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-1D8h], 1
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77F9CD:				; DATA XREF: .text:006A166Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-374h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77F9E0:				; DATA XREF: .text:006A1670o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-374h]
		jmp	loc_7823EE
; 

loc_77F9F5:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078275Co
		cmp	esi, 3
		jnb	short loc_77FA48
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 43h
		mov	dword ptr [ebx], 3
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77FA20:				; DATA XREF: .text:006A1678o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-378h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77FA33:				; DATA XREF: .text:006A167Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-378h]
		jmp	loc_7823EE
; 

loc_77FA48:				; CODE XREF: PAGE:0077F9F8j
		mov	dword ptr [ebp-4], 44h
		cmp	ds:_KdpBootedNodebug, 0
		setz	cl
		mov	eax, [ebp-1DCh]
		mov	[eax], cl
		mov	cl, _KdDebuggerEnabled
		mov	[eax+1], cl
		cmp	_KdDebuggerNotPresent, 0
		setz	cl
		mov	[eax+2], cl
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-1D8h], 3
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77FA93:				; DATA XREF: .text:006A1684o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-37Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77FAA6:				; DATA XREF: .text:006A1688o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-37Ch]
		jmp	loc_7823EE
; 

loc_77FABB:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827C8o
		test	esi, esi
		jz	short loc_77FB0D
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 45h
		mov	dword ptr [ebx], 0
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77FAE5:				; DATA XREF: .text:006A1690o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-380h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77FAF8:				; DATA XREF: .text:006A1694o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-380h]
		jmp	loc_7823EE
; 

loc_77FB0D:				; CODE XREF: PAGE:0077FABDj
		mov	byte ptr [ebp-219h], 1
		push	1
		lea	eax, [ebp-219h]
		push	eax
		push	260000A0h
		push	10200003h
		push	1
		call	_ZwFilterBootOption@20 ; ZwFilterBootOption(x,x,x,x,x)
		jmp	loc_7823EE
; 

loc_77FB33:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782640o
		cmp	esi, 30h
		jnb	short loc_77FB86
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 46h
		mov	dword ptr [ebx], 30h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77FB5E:				; DATA XREF: .text:006A169Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-384h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77FB71:				; DATA XREF: .text:006A16A0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-384h]
		jmp	loc_7823EE
; 

loc_77FB86:				; CODE XREF: PAGE:0077FB36j
		xor	esi, esi
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_77FBA4
		mov	edi, edi

loc_77FB90:				; CODE XREF: PAGE:0077FBA2j
		mov	eax, ds:_KiProcessorBlock[edx*4]
		mov	eax, [eax-110h]
		add	esi, eax
		inc	edx
		cmp	edx, ecx
		jb	short loc_77FB90

loc_77FBA4:				; CODE XREF: PAGE:0077FB8Cj
		mov	dword ptr [ebp-4], 47h
		mov	eax, [ebp-1DCh]
		mov	[eax], esi
		mov	ecx, _KeThreadSwitchCounters
		mov	[eax+4], ecx
		mov	ecx, dword_6CB0E8
		mov	[eax+8], ecx
		mov	ecx, dword_6CB0E4
		mov	[eax+0Ch], ecx
		mov	ecx, dword_6CB0EC
		mov	[eax+10h], ecx
		mov	ecx, dword_6CB0F0
		mov	[eax+14h], ecx
		mov	ecx, dword_6CB0F8
		mov	[eax+18h], ecx
		mov	ecx, dword_6CB0F4
		mov	[eax+1Ch], ecx
		mov	ecx, dword_6CB0FC
		mov	[eax+20h], ecx
		mov	ecx, dword_6CB100
		mov	[eax+24h], ecx
		mov	ecx, dword_6CB104
		mov	[eax+28h], ecx
		mov	ecx, dword_6CB108
		mov	[eax+2Ch], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-1D8h], 30h
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77FC32:				; DATA XREF: .text:006A16A8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-388h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77FC45:				; DATA XREF: .text:006A16ACo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-388h]
		jmp	loc_7823EE
; 

loc_77FC5A:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782644o
		cmp	esi, 0Ch
		jnb	short loc_77FCAD
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 48h
		mov	dword ptr [ebx], 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77FC85:				; DATA XREF: .text:006A16B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77FC98:				; DATA XREF: .text:006A16B8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-38Ch]
		jmp	loc_7823EE
; 

loc_77FCAD:				; CODE XREF: PAGE:0077FC5Dj
		mov	ecx, [ebp-1DCh]
		call	_CmQueryRegistryQuotaInformation@4 ; CmQueryRegistryQuotaInformation(x)
		jmp	loc_77DBFE
; 

loc_77FCBD:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078262Co
		cmp	esi, 14h
		jz	short loc_77FD10
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 49h
		mov	dword ptr [ebx], 14h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77FCE8:				; DATA XREF: .text:006A16C0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-390h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77FCFB:				; DATA XREF: .text:006A16C4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-390h]
		jmp	loc_7823EE
; 

loc_77FD10:				; CODE XREF: PAGE:0077FCC0j
		mov	dword ptr [ebp-4], 4Ah
		mov	ecx, ds:_KiMaximumDpcQueueDepth
		mov	eax, [ebp-1DCh]
		mov	[eax+4], ecx
		mov	ecx, ds:_KiMinimumDpcRate
		mov	[eax+8], ecx
		mov	ecx, ds:_KiAdjustDpcThreshold
		mov	[eax+0Ch], ecx
		mov	ecx, ds:_KiIdealDpcRate
		mov	[eax+10h], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_77FD48:				; CODE XREF: PAGE:00780C23j
		mov	dword ptr [ebp-1D8h], 14h
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_77FD5D:				; DATA XREF: .text:006A16CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-394h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77FD70:				; DATA XREF: .text:006A16D0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-394h]
		jmp	loc_7823EE
; 

loc_77FD85:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782628o
		lea	eax, [ecx+ecx*2]
		shl	eax, 3
		mov	[ebp-1D8h], eax
		cmp	esi, eax
		jnb	short loc_77FDDF
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 4Bh
		mov	[ebx], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77FDB7:				; DATA XREF: .text:006A16D8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-398h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77FDCA:				; DATA XREF: .text:006A16DCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-398h]
		jmp	loc_7823EE
; 

loc_77FDDF:				; CODE XREF: PAGE:0077FD93j
		xor	ebx, ebx

loc_77FDE1:				; CODE XREF: PAGE:0077FE6Bj
		cmp	ebx, ecx
		jnb	loc_77FF3D
		mov	[ebp-1E8h], dx
		mov	[ebp-1E6h], bl
		mov	byte ptr [ebp-1E5h], 0
		lea	eax, [ebp-1E8h]
		push	eax
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	edx, ds:_KiProcessorBlock[eax*4]
		mov	dword ptr [ebp-4], 4Ch
		mov	ecx, [edx-110h]
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		mov	ecx, [edx+21F0h]
		mov	[eax+4], ecx
		mov	ecx, [edx+2218h]
		mov	[eax+8], ecx
		mov	ecx, ds:_KeTimeIncrement
		mov	[eax+0Ch], ecx
		mov	dword ptr [eax+10h], 0
		mov	dword ptr [eax+14h], 0
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		add	eax, 18h
		mov	[ebp-1DCh], eax
		inc	ebx
		mov	ecx, [ebp-200h]
		mov	edx, [ebp-1F4h]
		jmp	loc_77FDE1
; 

loc_77FE70:				; DATA XREF: .text:006A16E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-39Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77FE83:				; DATA XREF: .text:006A16E8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-39Ch]
		jmp	loc_7823EE
; 

loc_77FE98:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782650o
		cmp	esi, 0ACh
		jnb	short loc_77FEEE
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 4Dh
		mov	dword ptr [ebx], 0ACh
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77FEC6:				; DATA XREF: .text:006A16F0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3A0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77FED9:				; DATA XREF: .text:006A16F4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3A0h]
		jmp	loc_7823EE
; 

loc_77FEEE:				; CODE XREF: PAGE:0077FE9Ej
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, [eax+268h]
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		mov	ecx, 2Bh
		lea	edi, [ebp-1D0h]
		rep movsd
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()
		mov	dword ptr [ebp-4], 4Eh
		mov	ecx, 2Bh
		lea	esi, [ebp-1D0h]
		mov	edi, [ebp-1DCh]
		rep movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-1D8h], 0ACh

loc_77FF3D:				; CODE XREF: PAGE:0077FDE3j
		xor	ebx, ebx
		jmp	loc_77DC0A
; 

loc_77FF44:				; DATA XREF: .text:006A16FCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3A4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77FF57:				; DATA XREF: .text:006A1700o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3A4h]
		jmp	loc_7823EE
; 

loc_77FF6C:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826E8o
		cmp	esi, 1B0h
		jnb	short loc_77FFC2
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 4Fh
		mov	dword ptr [ebx], 1B0h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_77FF9A:				; DATA XREF: .text:006A1708o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3A8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_77FFAD:				; DATA XREF: .text:006A170Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3A8h]
		jmp	loc_7823EE
; 

loc_77FFC2:				; CODE XREF: PAGE:0077FF72j
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, [eax+268h]
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		mov	ecx, 6Ch
		lea	edi, [ebp-1D0h]
		rep movsd
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()
		mov	dword ptr [ebp-4], 50h
		mov	ecx, 6Ch
		lea	esi, [ebp-1D0h]
		mov	edi, [ebp-1DCh]
		rep movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-1D8h], 1B0h
		xor	ebx, ebx
		jmp	loc_77DC0A
; 

loc_780018:				; DATA XREF: .text:006A1714o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3ACh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_78002B:				; DATA XREF: .text:006A1718o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
					; DATA XREF: PAGE:??_C@_15OEMMNBIC@?$AA0?$AAx@NNGAKEGL@o
		mov	eax, [ebp-3ACh]
		jmp	loc_7823EE
; 

loc_780040:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782654o ...
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_ExpGetLookasideInformation@12 ; ExpGetLookasideInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_780059:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782658o
		cmp	esi, 4
		jz	short loc_7800AC
		test	ebx, ebx

loc_780060:				; DATA XREF: PAGE:008BC4C4o
					; PAGE:008C0B2Co ...
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 51h
		mov	dword ptr [ebx], 4
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_780084:				; DATA XREF: .text:006A1720o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3B0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780097:				; DATA XREF: .text:006A1724o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3B0h]
		jmp	loc_7823EE
; 

loc_7800AC:				; CODE XREF: PAGE:0078005Cj
		mov	dword ptr [ebp-4], 52h
		mov	ecx, ds:_MmSystemRangeStart
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		jmp	loc_77EDCB
; 

loc_7800C6:				; DATA XREF: .text:006A172Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3B4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7800D9:				; DATA XREF: .text:006A1730o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3B4h]
		jmp	loc_7823EE
; 

loc_7800EE:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078265Co
		cmp	esi, 78h
		jnb	short loc_780141
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 53h
		mov	dword ptr [ebx], 78h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_780119:				; DATA XREF: .text:006A1738o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3B8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_78012C:				; DATA XREF: .text:006A173Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3B8h]
		jmp	loc_7823EE
; 

loc_780141:				; CODE XREF: PAGE:007800F1j
		push	0
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_VfGetVerifierInformation@16 ; VfGetVerifierInformation(x,x,x,x)
		jmp	loc_77DC08
; 

loc_78015C:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782718o
		cmp	esi, 0D0h
		jnb	short loc_7801B2
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 54h
		mov	dword ptr [ebx], 0D0h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_78018A:				; DATA XREF: .text:006A1744o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3BCh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_78019D:				; DATA XREF: .text:006A1748o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3BCh]
		jmp	loc_7823EE
; 

loc_7801B2:				; CODE XREF: PAGE:00780162j
		push	1
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_VfGetVerifierInformation@16 ; VfGetVerifierInformation(x,x,x,x)
		jmp	loc_77DC08
; 

loc_7801CD:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826D0o
		cmp	esi, 24h
		jz	short loc_780220
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 55h
		mov	dword ptr [ebx], 24h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_7801F8:				; DATA XREF: .text:006A1750o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3C0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_78020B:				; DATA XREF: .text:006A1754o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3C0h]
		jmp	loc_7823EE
; 

loc_780220:				; CODE XREF: PAGE:007801D0j
		mov	ecx, [ebp-1DCh]
		call	_VfGetVerifierInformationEx@4 ;	VfGetVerifierInformationEx(x)
		mov	ebx, eax
		xor	eax, eax
		test	ebx, ebx
		sets	al
		dec	eax
		and	eax, 24h
		mov	[ebp-1D8h], eax
		jmp	loc_77DC0A
; 

loc_780243:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078264Co
		cmp	esi, 0Ch
		jnb	short loc_780296
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 56h
		mov	dword ptr [ebx], 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_78026E:				; DATA XREF: .text:006A175Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3C4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780281:				; DATA XREF: .text:006A1760o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3C4h]
		jmp	loc_7823EE
; 

loc_780296:				; CODE XREF: PAGE:00780246j
		mov	[ebp-1D8h], esi
		lea	edx, [ebp-1D8h]
		mov	ecx, [ebp-1DCh]
		call	_ExpQueryLegacyDriverInformation@8 ; ExpQueryLegacyDriverInformation(x,x)
		jmp	loc_77DC08
; 

loc_7802B2:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782634o
		lea	eax, [ebp-1D8h]
		push	eax
		push	dword ptr [ebp-1F8h]
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_EtwQueryPerformanceTraceInformation@16	; EtwQueryPerformanceTraceInformation(x,x,x,x)
		jmp	loc_77DC08
; 

loc_7802D1:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827DCo
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_KeQueryKvaShadowInformation@12	; KeQueryKvaShadowInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_7802EA:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827ECo
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_KeQuerySpeculationControlInformation@12 ; KeQuerySpeculationControlInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_780303:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007825E8o
		mov	eax, 0C0000002h
		jmp	loc_7823EE
; 

loc_78030D:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782668o
		lea	eax, [ebp-1D8h]
		push	eax
		push	dword ptr [ebp-1F8h]
		push	esi
		mov	edx, [ebp-1DCh]
		call	PfSnQueryPrefetcherInformation
		jmp	loc_77DC08
; 

loc_78032B:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826E4o
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_ExpQueryNumaProximityNode@12 ;	ExpQueryNumaProximityNode(x,x,x)
		jmp	loc_77DC08
; 

loc_780344:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782664o
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	ExpQueryNumaProcessorMap
		jmp	loc_77DC08
; 

loc_78035D:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782674o
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_ExpQueryNumaAvailableMemory@12	; ExpQueryNumaAvailableMemory(x,x,x)
		jmp	loc_77DC08
; 

loc_780376:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078266Co
		cmp	esi, 4
		jnb	short loc_7803C9
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 57h
		mov	dword ptr [ebx], 4
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_7803A1:				; DATA XREF: .text:006A1768o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3C8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7803B4:				; DATA XREF: .text:006A176Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3C8h]
		jmp	loc_7823EE
; 

loc_7803C9:				; CODE XREF: PAGE:00780379j
		mov	dword ptr [ebp-4], 58h
		call	_KeGetRecommendedSharedDataAlignment@0 ; KeGetRecommendedSharedDataAlignment()
		jmp	loc_77EDC9
; 

loc_7803DA:				; DATA XREF: .text:006A1774o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3CCh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7803ED:				; DATA XREF: .text:006A1778o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3CCh]
		jmp	loc_7823EE
; 

loc_780402:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782670o
		cmp	esi, 4
		jz	short loc_780455
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 59h
		mov	dword ptr [ebx], 4
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_78042D:				; DATA XREF: .text:006A1780o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3D0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780440:				; DATA XREF: .text:006A1784o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3D0h]
		jmp	loc_7823EE
; 

loc_780455:				; CODE XREF: PAGE:00780405j
		cmp	dword ptr ds:0FFDF02E0h, 0FFFFFFFFh
		jnz	short loc_78046E
		call	_ExpReadComPlusPackage@0 ; ExpReadComPlusPackage()
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_780474
		jmp	loc_7823EE
; 

loc_78046E:				; CODE XREF: PAGE:0078045Cj
		mov	ebx, [ebp-1E4h]

loc_780474:				; CODE XREF: PAGE:00780467j
		mov	dword ptr [ebp-4], 5Ah
		mov	ecx, ds:0FFDF02E0h
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-1D8h], 4
		jmp	loc_77DC0A
; 

loc_78049F:				; DATA XREF: .text:006A178Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3D4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7804B2:				; DATA XREF: .text:006A1790o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3D4h]
		jmp	loc_7823EE
; 

loc_7804C7:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782688o
		cmp	esi, 4
		jnb	short loc_78051A
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 5Bh
		mov	dword ptr [ebx], 4
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_7804F2:				; DATA XREF: .text:006A1798o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3D8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780505:				; DATA XREF: .text:006A179Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3D8h]
		jmp	loc_7823EE
; 

loc_78051A:				; CODE XREF: PAGE:007804CAj
		xor	esi, esi
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_780534

loc_780522:				; CODE XREF: PAGE:00780532j
		mov	eax, ds:_KiProcessorBlock[edx*4]
		add	esi, [eax+55Ch]
		inc	edx
		cmp	edx, ecx
		jb	short loc_780522

loc_780534:				; CODE XREF: PAGE:00780520j
		mov	dword ptr [ebp-4], 5Ch
		mov	eax, [ebp-1DCh]
		mov	[eax], esi
		jmp	loc_77EDCB
; 

loc_780548:				; DATA XREF: .text:006A17A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3DCh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_78055B:				; DATA XREF: .text:006A17A8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3DCh]
		jmp	loc_7823EE
; 

loc_780570:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078269Co
		cmp	esi, 4
		jz	short loc_7805C3
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 5Dh
		mov	dword ptr [ebx], 4
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_78059B:				; DATA XREF: .text:006A17B0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3E0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7805AE:				; DATA XREF: .text:006A17B4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3E0h]
		jmp	loc_7823EE
; 

loc_7805C3:				; CODE XREF: PAGE:00780573j
		mov	dword ptr [ebp-4], 5Eh
		mov	ecx, _ObpObjectSecurityMode
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		jmp	loc_77EDCB
; 

loc_7805DD:				; DATA XREF: .text:006A17BCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3E4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7805F0:				; DATA XREF: .text:006A17C0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3E4h]
		jmp	loc_7823EE
; 

loc_780605:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826A0o
		cmp	esi, 8
		jz	short loc_780614

loc_78060A:				; CODE XREF: PAGE:0077D892j
					; PAGE:0077D8C3j ...
		mov	eax, 0C000000Dh
		jmp	loc_7823EE
; 

loc_780614:				; CODE XREF: PAGE:00780608j
		mov	dword ptr [ebp-4], 5Fh
		mov	eax, [ebp-218h]
		sub	eax, 7
		jz	short loc_780659
		sub	eax, 1
		jz	short loc_78063C
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_780632:				; CODE XREF: PAGE:0077D887j
					; PAGE:0078207Aj
					; DATA XREF: ...
		mov	eax, 0C00000BBh
		jmp	loc_7823EE
; 

loc_78063C:				; CODE XREF: PAGE:00780629j
		mov	eax, [ebp-1DCh]
		mov	dword ptr [eax], 8
		call	off_6B13B0	; BiIsLogEnabled()
		movzx	ecx, al
		mov	eax, [ebp-1DCh]
		jmp	short loc_780674
; 

loc_780659:				; CODE XREF: PAGE:00780624j
		mov	eax, [ebp-1DCh]
		mov	dword ptr [eax], 7
		xor	ecx, ecx
		cmp	off_6B13B4, offset _xKdReleasePciDeviceForDebugging@4 ;	xKdReleasePciDeviceForDebugging(x)
		setnz	cl

loc_780674:				; CODE XREF: PAGE:00780657j
		mov	[eax+4], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-1D8h], 8
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_780693:				; DATA XREF: .text:006A17C8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3E8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7806A6:				; DATA XREF: .text:006A17CCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3E8h]
		jmp	loc_7823EE
; 

loc_7806BB:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826A4o
		mov	dword ptr [ebp-4], 60h
		lea	eax, [ebp-1D8h]
		push	eax
		push	esi
		mov	edx, [ebp-1DCh]
		mov	ecx, [ebp-1F4h]
		call	KeBuildLogicalProcessorSystemInformation
		mov	ebx, eax
		mov	[ebp-1E4h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77DC0A
; 

loc_7806EF:				; DATA XREF: .text:006A17D4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3ECh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780702:				; DATA XREF: .text:006A17D8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3ECh]
		jmp	loc_7823EE
; 

loc_780717:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826F8o
		mov	[ebp-1D8h], esi
		mov	dword ptr [ebp-4], 61h
		lea	eax, [ebp-1D8h]
		push	eax
		push	dword ptr [ebp-1DCh]
		push	dword ptr [ebp-234h]
		push	0
		call	KeQueryLogicalProcessorRelationship
		mov	ebx, eax
		mov	[ebp-1E4h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77DC0A
; 

loc_780752:				; DATA XREF: .text:006A17E0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3F0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780765:				; DATA XREF: .text:006A17E4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3F0h]
		jmp	loc_7823EE
; 

loc_78077A:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078271Co
		movzx	eax, ds:_KeNumberNodes
		shl	eax, 2
		mov	[ebp-1D8h], eax
		cmp	esi, eax
		jnb	short loc_780798
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_780798:				; CODE XREF: PAGE:0078078Cj
		mov	dword ptr [ebp-4], 62h
		xor	esi, esi
		mov	[ebp-20Ch], esi
		xor	edi, edi
		mov	eax, [ebp-1DCh]
		mov	ebx, [ebp-22Ch]
		jmp	short loc_7807C0
; 
		align 10h

loc_7807C0:				; CODE XREF: PAGE:007807B5j
					; PAGE:007807EEj
		movzx	ecx, ds:_KeNumberNodes
		cmp	edi, ecx
		jnb	loc_77F858
		movzx	edx, bx
		imul	edx, ecx
		add	edx, esi
		mov	ecx, ds:_KeNodeDistance
		mov	ecx, [ecx+edx*4]
		mov	[eax+esi*4], ecx
		lea	esi, [edi+1]
		mov	[ebp-20Ch], esi
		mov	edi, esi
		jmp	short loc_7807C0
; 

loc_7807F0:				; DATA XREF: .text:006A17ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3F4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780803:				; DATA XREF: .text:006A17F0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3F4h]
		jmp	loc_7823EE
; 

loc_780818:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826A8o
		lea	eax, [ebp-1D8h]
		push	eax
		push	esi
		mov	dl, [ebp-1DDh]
		mov	ecx, [ebp-1DCh]
		call	ExpGetSystemFirmwareTableInformation
		jmp	loc_77DC08
; 

loc_780836:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782738o
		mov	edi, [ebp-1F8h]
		push	edi
		mov	eax, ds:dword_A949B4
		push	eax
		mov	eax, ds:_SeTcbPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_781487
		push	edi
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	ExpGetSystemPlatformBinary
		jmp	loc_77DC08
; 

loc_780869:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826B0o
		lea	eax, [ebp-1D8h]
		push	eax
		push	dword ptr [ebp-1F8h]
		push	esi
		mov	edx, [ebp-1DCh]
		call	PfQuerySuperfetchInformation
		jmp	loc_77DC08
; 

loc_780887:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826B4o
		lea	eax, [ebp-1D8h]
		push	eax
		push	ecx
		push	esi
		mov	edx, [ebp-1DCh]
		or	ecx, 0FFFFFFFFh
		call	MmQueryMemoryListInformation
		jmp	loc_77DC08
; 

loc_7808A3:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782748o
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	ExpQueryMemoryTopologyInformation
		jmp	loc_77DC08
; 

loc_7808BC:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078274Co
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_ExpQueryChannelInformation@12 ; ExpQueryChannelInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_7808D5:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826B8o
		shl	ecx, 3
		mov	[ebp-1D8h], ecx
		cmp	esi, 8
		jb	loc_7809BC
		cmp	esi, ecx
		jnb	short loc_7808F2
		mov	edi, esi
		shr	edi, 3
		jmp	short loc_7808F8
; 

loc_7808F2:				; CODE XREF: PAGE:007808E9j
		mov	edi, [ebp-200h]

loc_7808F8:				; CODE XREF: PAGE:007808F0j
		cmp	esi, ecx
		sbb	ebx, ebx
		and	ebx, 0C0000004h
		mov	cl, 1
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)
		xor	ecx, ecx

loc_78090B:				; CODE XREF: PAGE:0078097Dj
		mov	[ebp-218h], ecx
		cmp	ecx, edi
		jnb	loc_77DC0A
		mov	eax, [ebp-1F4h]
		mov	[ebp-1E8h], ax
		mov	[ebp-1E6h], cl
		mov	byte ptr [ebp-1E5h], 0
		lea	eax, [ebp-1E8h]
		push	eax
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		mov	dword ptr [ebp-4], 63h
		mov	ecx, [ecx+0Ch]
		call	_KeQueryCycleTimeThread@4 ; KeQueryCycleTimeThread(x)
		mov	ecx, [ebp-1DCh]
		mov	[ecx], eax
		mov	[ecx+4], edx
		add	ecx, 8
		mov	[ebp-1DCh], ecx
		mov	[ebp-238h], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-218h]
		inc	ecx
		jmp	short loc_78090B
; 

loc_78097F:				; DATA XREF: .text:006A17F8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3F8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780992:				; DATA XREF: .text:006A17FCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3F8h]
		jmp	loc_7823EE
; 

loc_7809A7:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827D4o
		call	_KeQueryActiveGroupCount@0 ; KeQueryActiveGroupCount()
		movzx	eax, ax
		shl	eax, 2
		mov	[ebp-1D8h], eax
		cmp	esi, eax
		jnb	short loc_7809C6

loc_7809BC:				; CODE XREF: PAGE:007808E1j
					; PAGE:00780A6Fj ...
		mov	ebx, 0C0000023h
		jmp	loc_77DC0A
; 

loc_7809C6:				; CODE XREF: PAGE:007809BAj
		mov	dword ptr [ebp-4], 64h
		push	eax
		push	0
		push	dword ptr [ebp-1DCh]
		call	_memset
		add	esp, 0Ch
		xor	edx, edx
		mov	[ebp-20Ch], edx
		xor	esi, esi
		mov	eax, [ebp-1DCh]
		mov	edi, edi

loc_7809F0:				; CODE XREF: PAGE:00780A2Fj
		movzx	ecx, ds:_KeNumberNodes
		cmp	esi, ecx
		jnb	loc_77F858
		mov	edx, ds:_KeNodeBlock[edx*4]
		movzx	ecx, word ptr [edx+88h]
		mov	[ebp-1F4h], ecx
		mov	edx, [edx+0Ch]
		movzx	ecx, word ptr [ebp-1F4h]
		or	[eax+ecx*4], edx
		mov	edx, [ebp-20Ch]
		inc	edx
		mov	[ebp-20Ch], edx
		mov	esi, edx
		jmp	short loc_7809F0
; 

loc_780A31:				; DATA XREF: .text:006A1804o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3FCh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780A44:				; DATA XREF: .text:006A1808o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-3FCh]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1ECh]
		jmp	loc_77DC10
; 

loc_780A5F:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826FCo
		lea	eax, ds:0[ecx*8]
		mov	[ebp-1D8h], eax
		cmp	esi, 8
		jb	loc_7809BC
		cmp	esi, eax
		jnb	short loc_780A86
		mov	ecx, esi
		shr	ecx, 3
		mov	[ebp-200h], ecx
		cmp	esi, eax

loc_780A86:				; CODE XREF: PAGE:00780A77j
		sbb	ebx, ebx
		and	ebx, 0C0000004h
		xor	eax, eax

loc_780A90:				; CODE XREF: PAGE:00780B05j
		mov	[ebp-218h], eax
		cmp	eax, ecx
		jnb	loc_77DC0A
		mov	[ebp-1E8h], dx
		mov	[ebp-1E6h], al
		mov	byte ptr [ebp-1E5h], 0
		lea	eax, [ebp-1E8h]
		push	eax
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		mov	dword ptr [ebp-4], 65h
		call	_KeQueryTotalCycleTimeProcessor@4 ; KeQueryTotalCycleTimeProcessor(x)
		mov	ecx, [ebp-1DCh]
		mov	[ecx], eax
		mov	[ecx+4], edx
		add	ecx, 8
		mov	[ebp-1DCh], ecx
		mov	[ebp-238h], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-218h]
		inc	eax
		mov	ecx, [ebp-200h]
		mov	edx, [ebp-1F4h]
		jmp	short loc_780A90
; 

loc_780B07:				; DATA XREF: .text:006A1810o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-400h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780B1A:				; DATA XREF: .text:006A1814o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-400h]
		jmp	loc_7823EE
; 

loc_780B2F:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826CCo
		lea	eax, [ebp-1D8h]
		push	eax
		push	dword ptr [ebp-1F8h]
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	HvlQueryEnlightenmentInfo
		jmp	loc_77DC08
; 

loc_780B4E:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078277Co
		lea	eax, [ebp-1D8h]
		push	eax
		push	ecx
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_HvlQueryDetailInfo@16 ; HvlQueryDetailInfo(x,x,x,x)
		jmp	loc_77DC08
; 

loc_780B68:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826BCo
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_ObQueryRefTraceInformation@12 ; ObQueryRefTraceInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_780B81:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826C8o
		mov	dword ptr [ebp-1D8h], 20h
		cmp	esi, 14h
		jnb	short loc_780BDD
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 66h
		mov	dword ptr [ebx], 20h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_780BB6:				; DATA XREF: .text:006A181Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4ACh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780BC9:				; DATA XREF: .text:006A1820o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_780BDD:				; CODE XREF: PAGE:00780B8Ej
		mov	dword ptr [ebp-4], 67h
		mov	ecx, _ExpBootEnvironmentInformation
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		mov	ecx, dword_6BBFC4
		mov	[eax+4], ecx
		mov	ecx, dword_6BBFC8
		mov	[eax+8], ecx
		mov	ecx, dword_6BBFCC
		mov	[eax+0Ch], ecx
		mov	ecx, dword_6BBFD0
		mov	[eax+10h], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	esi, [ebp-1D8h]
		jb	loc_77FD48
		mov	dword ptr [ebp-4], 68h
		mov	ecx, dword_6BBFD8
		mov	[eax+18h], ecx
		mov	ecx, dword_6BBFDC
		mov	[eax+1Ch], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_780C54:				; DATA XREF: .text:006A1834o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-404h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780C67:				; DATA XREF: .text:006A1838o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-404h]
		jmp	loc_7823EE
; 

loc_780C7C:				; DATA XREF: .text:006A1828o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-460h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780C8F:				; DATA XREF: .text:006A182Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-460h]
		jmp	loc_7823EE
; 

loc_780CA4:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826C0o
		mov	dword ptr [ebp-1D8h], 8
		cmp	esi, 8
		jz	short loc_780CBD
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_780CBD:				; CODE XREF: PAGE:00780CB1j
		mov	dword ptr [ebp-4], 69h
		mov	ecx, ds:_MmSpecialPoolTag
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		xor	ecx, ecx
		cmp	ds:_MmSpecialPoolCatchOverruns,	ecx
		setnz	cl
		mov	[eax+4], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_780CF2:				; DATA XREF: .text:006A1840o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780D05:				; DATA XREF: .text:006A1844o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-40Ch]
		jmp	loc_7823EE
; 

loc_780D1A:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826D4o
		cmp	byte ptr [ebp-1DDh], 0
		jz	loc_78101A
		push	dword ptr [ebp-1F8h]
		mov	eax, ds:dword_A94A14
		push	eax
		mov	eax, ds:_SeDebugPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_78101A
		cmp	esi, 34h
		jnb	short loc_780D99
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 6Ah
		mov	dword ptr [ebx], 34h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_780D71:				; DATA XREF: .text:006A184Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-410h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_780D84:				; DATA XREF: .text:006A1850o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-410h]
		jmp	loc_7823EE
; 

loc_780D99:				; CODE XREF: PAGE:00780D49j
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_ExpCovQueryInformation@12 ; ExpCovQueryInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_780DB2:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827E8o
		lea	eax, [ebp-1D8h]
		push	eax
		push	esi
		mov	edx, [ebp-1DCh]
		mov	ecx, 0C8h
		call	IoQuerySystemDeviceName
		jmp	loc_77DC08
; 

loc_780DCF:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826D8o
		lea	eax, [ebp-1D8h]
		push	eax
		push	esi
		mov	edx, [ebp-1DCh]
		mov	ecx, 62h
		call	IoQuerySystemDeviceName
		jmp	loc_77DC08
; 

loc_780DEC:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826DCo
		lea	eax, [ebp-1D8h]
		push	eax
		push	esi
		mov	edx, [ebp-1DCh]
		mov	ecx, 63h
		call	IoQuerySystemDeviceName
		jmp	loc_77DC08
; 

loc_780E09:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782704o
		lea	eax, [ebp-1D8h]
		push	eax
		push	esi
		mov	edx, [ebp-1DCh]
		call	IoQueryVhdBootInformation
		jmp	loc_77DC08
; 

loc_780E21:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782710o
		lea	eax, [ebp-1D8h]
		push	eax
		push	esi
		mov	edx, [ebp-1DCh]
		call	IoQueryLowPriorityIoInformation
		jmp	loc_77DC08
; 

loc_780E39:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826ECo
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_SeCodeIntegrityQueryInformation@12 ; SeCodeIntegrityQueryInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_780E52:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078278Co
		lea	eax, [ebp-1D8h]
		push	eax
		push	esi
		push	dword ptr [ebp-1DCh]
		push	dword ptr [ebp+8]
		mov	edx, [ebp-1F0h]
		mov	ecx, [ebp-204h]
		call	_SeCodeIntegrityQueryPolicyInformation@24 ; SeCodeIntegrityQueryPolicyInformation(x,x,x,x,x,x)
		jmp	loc_77DC08
; 

loc_780E79:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826F0o
		lea	eax, [ebp-208h]
		push	eax
		push	0
		push	0
		push	17h
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		mov	ebx, eax
		cmp	ebx, 0C0000004h
		jz	short loc_780EA0

loc_780E96:				; CODE XREF: PAGE:0077D887j
					; PAGE:00782242j ...
		mov	ebx, 0C00000BBh
		jmp	loc_77DC0A
; 

loc_780EA0:				; CODE XREF: PAGE:00780E94j
		mov	ecx, [ebp-208h]
		cmp	esi, ecx
		jb	loc_780F94
		mov	eax, [ebp-1DCh]
		test	eax, eax
		jz	loc_780F94
		cmp	byte ptr [ebp-1DDh], 0
		jz	short loc_780EF0
		push	6F666E49h
		push	ecx
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	edi, eax
		mov	[ebp-1F0h], edi
		test	edi, edi
		jnz	short loc_780EE8
		mov	ebx, 0C000009Ah
		jmp	loc_77DC0A
; 

loc_780EE8:				; CODE XREF: PAGE:00780EDCj
		mov	ecx, [ebp-208h]
		jmp	short loc_780EF8
; 

loc_780EF0:				; CODE XREF: PAGE:00780EC3j
		mov	edi, eax
		mov	[ebp-1F0h], eax

loc_780EF8:				; CODE XREF: PAGE:00780EEEj
		lea	eax, [ebp-1D8h]
		push	eax
		push	edi
		push	ecx
		push	17h
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		mov	ebx, eax
		cmp	byte ptr [ebp-1DDh], 0
		jz	loc_77DC0A
		test	ebx, ebx
		js	short loc_780F3F
		mov	dword ptr [ebp-4], 6Bh

loc_780F23:				; CODE XREF: PAGE:00782107j
		push	dword ptr [ebp-1D8h]
		push	edi
		push	dword ptr [ebp-1DCh]
		call	_memcpy
		add	esp, 0Ch

loc_780F38:				; CODE XREF: PAGE:007810CDj
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_780F3F:				; CODE XREF: PAGE:00780F1Aj
					; PAGE:0078108Dj ...
		mov	esi, [ebp-1D4h]
		push	6F666E49h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_77DC10
; 

loc_780F55:				; DATA XREF: .text:006A1858o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-414h], eax
		mov	eax, 1
		retn
; 

loc_780F68:				; DATA XREF: .text:006A185Co
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-414h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-1F0h]
		mov	esi, [ebp-1ECh]
		push	6F666E49h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_77DC10
; 

loc_780F94:				; CODE XREF: PAGE:00780EA8j
					; PAGE:00780EB6j ...
		mov	[ebp-1D8h], ecx
		jmp	loc_77DC0A
; 

loc_780F9F:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007826F4o
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_MmQuerySystemVaInformation@12 ; MmQuerySystemVaInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_780FB8:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782700o
		lea	eax, [ebp-1D8h]
		push	eax
		push	dword ptr [ebp-1F8h]
		push	esi
		mov	edx, [ebp-1DCh]
		call	SmQueryStoreInformation
		jmp	loc_77DC08
; 

loc_780FD6:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782708o
		lea	eax, [ebp-1D8h]
		push	eax
		push	dword ptr [ebp-1F8h]
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	PsQueryCpuQuotaInformation
		jmp	loc_77DC08
; 

loc_780FF5:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782714o
		mov	dword ptr [ebp-1D8h], 448h
		cmp	esi, 448h
		jz	short loc_781011
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_781011:				; CODE XREF: PAGE:00781005j
		cmp	byte ptr [ebp-1DDh], 0
		jz	short loc_781024

loc_78101A:				; CODE XREF: PAGE:0077EEA8j
					; PAGE:0077EEF1j ...
		mov	eax, 0C0000022h
		jmp	loc_7823EE
; 

loc_781024:				; CODE XREF: PAGE:00781018j
		mov	ecx, [ebp-1DCh]
		call	_ExQueryBootEntropyInformation@4 ; ExQueryBootEntropyInformation(x)
		jmp	loc_77DC08
; 

loc_781034:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782720o
		mov	dword ptr [ebp-1D8h], 8
		cmp	esi, 8
		jnz	loc_77E4AE
		cmp	dword ptr [ebp-1DCh], 0
		jz	loc_77E4AE
		push	6F666E49h
		push	esi
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	edi, eax
		mov	[ebp-1FCh], edi
		test	edi, edi
		jnz	short loc_781077
		mov	ebx, 0C000009Ah
		jmp	loc_77DC0A
; 

loc_781077:				; CODE XREF: PAGE:0078106Bj
		lea	eax, [ebp-1D8h]
		push	eax
		push	edi
		push	8
		push	1Ah
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_780F3F
		mov	dword ptr [ebp-4], 6Ch
		mov	ecx, [edi]
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		mov	ecx, [eax+4]
		xor	ecx, [edi+4]
		and	ecx, 1
		xor	[eax+4], ecx
		mov	ecx, [eax+4]
		mov	edx, [edi+4]
		xor	edx, ecx
		and	edx, 2
		xor	edx, ecx
		mov	[eax+4], edx
		mov	ecx, [edi+4]
		xor	ecx, edx
		and	ecx, 4
		xor	ecx, edx
		mov	[eax+4], ecx
		jmp	loc_780F38
; 

loc_7810D2:				; DATA XREF: .text:006A1864o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-418h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7810E5:				; DATA XREF: .text:006A1868o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-418h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-1FCh]
		mov	esi, [ebp-1ECh]
		push	6F666E49h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_77DC10
; 

loc_781111:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782728o
		mov	dword ptr [ebp-1D8h], 0Ch
		cmp	esi, 4
		jnb	short loc_78112A
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_78112A:				; CODE XREF: PAGE:0078111Ej
		mov	dword ptr [ebp-4], 6Dh
		mov	eax, [ebp-1DCh]
		mov	ecx, [eax]
		mov	[ebp-4B0h], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		sub	ecx, 1
		jz	short loc_781155
		mov	ebx, 0C00000BBh
		jmp	loc_77DC0A
; 

loc_781155:				; CODE XREF: PAGE:00781149j
		cmp	esi, 0Ch
		jnb	short loc_781164
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_781164:				; CODE XREF: PAGE:00781158j
		mov	dword ptr [ebp-4], 6Eh
		mov	dword ptr [eax+8], 0
		mov	dword ptr [eax+4], 0
		or	dword ptr [eax+8], 1
		or	dword ptr [eax+4], 1
		cmp	byte ptr ds:0FFDF03C6h,	0
		jz	short loc_78118E
		and	dword ptr [eax+4], 0FFFFFFFEh

loc_78118E:				; CODE XREF: PAGE:00781188j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_7811A0:				; DATA XREF: .text:006A187Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-41Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7811B3:				; DATA XREF: .text:006A1880o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-41Ch]
		jmp	loc_7823EE
; 

loc_7811C8:				; DATA XREF: .text:006A1870o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-420h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7811DB:				; DATA XREF: .text:006A1874o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-420h]
		jmp	loc_7823EE
; 

loc_7811F0:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782730o
		mov	dword ptr [ebp-1D8h], 20h
		cmp	esi, 20h
		jz	short loc_781209
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_781209:				; CODE XREF: PAGE:007811FDj
		lea	edx, [ebp-1D0h]
		xor	ecx, ecx
		call	_BgkQueryBootGraphicsInformation@8 ; BgkQueryBootGraphicsInformation(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_77DC0A
		cmp	byte ptr [ebp-1DDh], 0
		jz	short loc_78123D
		mov	dword ptr [ebp-1D0h], 0
		mov	dword ptr [ebp-1CCh], 0

loc_78123D:				; CODE XREF: PAGE:00781227j
		mov	dword ptr [ebp-4], 6Fh

loc_781244:				; CODE XREF: PAGE:00781311j
		push	dword ptr [ebp-1D8h]
		lea	eax, [ebp-1D0h]
		push	eax
		push	dword ptr [ebp-1DCh]
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77DC0A
; 

loc_78126B:				; DATA XREF: .text:006A1888o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-424h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_78127E:				; DATA XREF: .text:006A188Co
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-424h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1ECh]
		jmp	loc_77DC10
; 

loc_781299:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078273Co
		mov	dword ptr [ebp-1D8h], 14h
		cmp	esi, 14h
		jz	short loc_7812B2
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_7812B2:				; CODE XREF: PAGE:007812A6j
		mov	edx, [ebp-1DCh]
		call	ExHandleSPCall2
		jmp	loc_77DC08
; 

loc_7812C2:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827C4o
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	sub_A1AAB4
		jmp	loc_77DC08
; 

loc_7812D4:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782770o
		mov	dword ptr [ebp-1D8h], 80h
		cmp	esi, 80h
		jz	short loc_7812F0
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_7812F0:				; CODE XREF: PAGE:007812E4j
		lea	edx, [ebp-1D0h]
		mov	ecx, 3
		call	_BgkQueryBootGraphicsInformation@8 ; BgkQueryBootGraphicsInformation(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_77DC0A
		mov	dword ptr [ebp-4], 70h
		jmp	loc_781244
; 

loc_781316:				; DATA XREF: .text:006A1894o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-428h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781329:				; DATA XREF: .text:006A1898o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-428h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1ECh]
		jmp	loc_77DC10
; 

loc_781344:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782750o
		test	ebx, ebx
		jnz	short loc_781357
		cmp	esi, 8
		jnb	short loc_781357
		mov	ebx, 0C000000Dh
		jmp	loc_77DC0A
; 

loc_781357:				; CODE XREF: PAGE:00781346j
					; PAGE:0078134Bj
		lea	edx, [ebp-1D8h]
		mov	ecx, 2
		call	_BgkQueryBootGraphicsInformation@8 ; BgkQueryBootGraphicsInformation(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_77DC0A
		cmp	dword ptr [ebp-1D8h], 0
		jnz	short loc_781384
		mov	ebx, 0C000009Ah
		jmp	loc_77DC0A
; 

loc_781384:				; CODE XREF: PAGE:00781378j
		cmp	esi, [ebp-1D8h]
		jnb	short loc_781396
		mov	ebx, 0C0000023h
		jmp	loc_77DC0A
; 

loc_781396:				; CODE XREF: PAGE:0078138Aj
		lea	edx, [ebp-230h]
		mov	ecx, 1
		call	_BgkQueryBootGraphicsInformation@8 ; BgkQueryBootGraphicsInformation(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_77DC0A
		mov	edi, [ebp-230h]
		test	edi, edi
		jnz	short loc_7813C4
		mov	ebx, 0C000009Ah
		jmp	loc_77DC0A
; 

loc_7813C4:				; CODE XREF: PAGE:007813B8j
		mov	dword ptr [ebp-4], 71h
		push	dword ptr [ebp-1D8h]
		push	edi
		push	dword ptr [ebp-1DCh]
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1D4h]
		push	4B494742h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_77DC10
; 

loc_7813FD:				; DATA XREF: .text:006A18A0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-42Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781410:				; DATA XREF: .text:006A18A4o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-42Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-230h]
		mov	esi, [ebp-1ECh]
		push	4B494742h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_77DC10
; 

loc_78143C:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782760o
		mov	eax, _ExBootLoaderMetadata
		test	eax, eax
		jz	loc_77DE16
		mov	eax, [eax]
		mov	[ebp-1D8h], eax
		cmp	dword ptr [ebp-1DCh], 0
		jz	loc_77DE16
		cmp	esi, eax
		jnb	short loc_78146C
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_78146C:				; CODE XREF: PAGE:00781460j
		push	dword ptr [ebp-1F8h]
		mov	eax, ds:dword_A949B4
		push	eax
		mov	eax, ds:_SeTcbPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_781491

loc_781487:				; CODE XREF: PAGE:00780850j
		mov	eax, 0C0000061h
		jmp	loc_7823EE
; 

loc_781491:				; CODE XREF: PAGE:00781485j
		mov	dword ptr [ebp-4], 72h
		push	dword ptr [ebp-1D8h]
		mov	eax, _ExBootLoaderMetadata
		add	eax, 4
		push	eax
		push	dword ptr [ebp-1DCh]
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_7814C7:				; DATA XREF: .text:006A18ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-430h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7814DA:				; DATA XREF: .text:006A18B0o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-430h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1ECh]
		jmp	loc_77DC10
; 

loc_7814F5:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782764o
		mov	dword ptr [ebp-1D8h], 4
		cmp	esi, 4
		jnb	short loc_781551
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 73h
		mov	dword ptr [ebx], 4
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_78152A:				; DATA XREF: .text:006A18B8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4B4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_78153D:				; DATA XREF: .text:006A18BCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_781551:				; CODE XREF: PAGE:00781502j
		mov	dword ptr [ebp-4], 74h
		mov	ecx, _ExSoftRebootFlags
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_781578:				; DATA XREF: .text:006A18C4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-434h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_78158B:				; DATA XREF: .text:006A18C8o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-434h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1ECh]
		jmp	loc_77DC10
; 

loc_7815A6:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782734o
		cmp	dword ptr [ebp+8], 0
		jz	short loc_7815B6
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_7815B6:				; CODE XREF: PAGE:007815AAj
		lea	ecx, [ebp-220h]
		call	_MmEnumerateBadPages@4 ; MmEnumerateBadPages(x)
		mov	ebx, eax
		mov	edi, [ebp-220h]
		test	edi, edi
		jz	short loc_7815D4
		mov	eax, [edi]
		shl	eax, 2
		jmp	short loc_7815D6
; 

loc_7815D4:				; CODE XREF: PAGE:007815CBj
		xor	eax, eax

loc_7815D6:				; CODE XREF: PAGE:007815D2j
		mov	[ebp-1D8h], eax
		cmp	esi, eax
		jnb	short loc_7815E5
		mov	ebx, 0C0000004h

loc_7815E5:				; CODE XREF: PAGE:007815DEj
		test	edi, edi
		jz	loc_77DC0A
		test	ebx, ebx
		js	short loc_781612
		mov	dword ptr [ebp-4], 75h
		push	eax
		lea	eax, [edi+4]
		push	eax
		push	dword ptr [ebp-1DCh]
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_781612:				; CODE XREF: PAGE:007815EFj
		mov	esi, [ebp-1D4h]
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_77DC10
; 

loc_781625:				; DATA XREF: .text:006A18D0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-438h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781638:				; DATA XREF: .text:006A18D4o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-438h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-220h]
		mov	esi, [ebp-1ECh]
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_77DC10
; 

loc_781661:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782740o
		mov	dword ptr [ebp-1D8h], 8
		cmp	esi, 8
		jnb	short loc_78167A
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_78167A:				; CODE XREF: PAGE:0078166Ej
		push	0
		lea	eax, [ebp-240h]
		push	eax
		call	_HvlQueryActiveProcessors@8 ; HvlQueryActiveProcessors(x,x)
		test	eax, eax
		jz	short loc_781696
		mov	ebx, 0C00000BBh
		jmp	loc_77DC0A
; 

loc_781696:				; CODE XREF: PAGE:0078168Aj
		lea	eax, [ebp-224h]
		push	eax
		push	0
		call	_HvlQueryProcessorTopologyCount@8 ; HvlQueryProcessorTopologyCount(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7816B4
		mov	ebx, 0C00000BBh
		jmp	loc_77DC0A
; 

loc_7816B4:				; CODE XREF: PAGE:007816A8j
		mov	dword ptr [ebp-4], 76h
		mov	ecx, [ebp-240h]
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		mov	ecx, [ebp-224h]
		mov	[eax+4], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77DC0A
; 

loc_7816DE:				; DATA XREF: .text:006A18DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-43Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7816F1:				; DATA XREF: .text:006A18E0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-43Ch]
		jmp	loc_7823EE
; 

loc_781706:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078270Co
		cmp	dword ptr [ebp+8], 0
		jz	short loc_781716
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_781716:				; CODE XREF: PAGE:0078170Aj
		mov	dword ptr [ebp-1D8h], 4
		cmp	esi, 4
		jnb	short loc_78172F
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_78172F:				; CODE XREF: PAGE:00781723j
		mov	dword ptr [ebp-4], 77h
		mov	ecx, ds:_DbgkErrorPortStartTimeout
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		mov	ecx, ds:_DbgkErrorPortCommTimeout
		mov	[eax+4], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_78175F:				; DATA XREF: .text:006A18E8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-440h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781772:				; DATA XREF: .text:006A18ECo
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-440h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1ECh]
		jmp	loc_77DC10
; 

loc_78178D:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782754o
		lea	eax, [ebp-1D8h]
		push	eax
		push	esi
		mov	edx, [ebp-1DCh]
		mov	ecx, [ebp-204h]
		call	SeSecureBootQueryInformation
		jmp	loc_77DC08
; 

loc_7817AB:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782758o
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_ExpQueryPortableWorkspaceEfiLauncherInformation@12 ; ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_7817C4:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782768o
		cmp	dword ptr [ebp+8], 0
		jz	short loc_7817D4
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_7817D4:				; CODE XREF: PAGE:007817C8j
		mov	dword ptr [ebp-1D8h], 20h
		mov	dword ptr [ebp-4], 78h
		cmp	esi, 20h
		jb	short loc_781837
		mov	ecx, _PoOffCrashConfigTable
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		mov	ecx, dword_6C3DA4
		mov	[eax+4], ecx
		mov	ecx, dword_6C3DA8
		mov	[eax+8], ecx
		mov	ecx, dword_6C3DB0
		mov	[eax+10h], ecx
		mov	ecx, dword_6C3DB4
		mov	[eax+14h], ecx
		mov	ecx, dword_6C3DB8
		mov	[eax+18h], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_781837:				; CODE XREF: PAGE:007817E8j
		cmp	esi, 0Ch
		jb	short loc_781878
		mov	dword ptr [ebp-1D8h], 0Ch
		mov	ecx, _PoOffCrashConfigTable
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		mov	ecx, dword_6C3DA4
		mov	[eax+4], ecx
		mov	ecx, dword_6C3DA8
		mov	[eax+8], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_781878:				; CODE XREF: PAGE:0078183Aj
		mov	ebx, 0C0000004h
		mov	[ebp-1E4h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77DC0A
; 

loc_78188F:				; DATA XREF: .text:006A18F4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-444h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7818A2:				; DATA XREF: .text:006A18F8o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-444h]
		mov	[ebp-1E4h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1ECh]
		jmp	loc_77DC10
; 

loc_7818C3:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078276Co
		cmp	esi, 20h
		jnb	short loc_781916
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 79h
		mov	dword ptr [ebx], 20h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_7818EE:				; DATA XREF: .text:006A1900o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-448h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781901:				; DATA XREF: .text:006A1904o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-448h]
		jmp	loc_7823EE
; 

loc_781916:				; CODE XREF: PAGE:007818C6j
		mov	ecx, [ebp-1DCh]
		call	_ExpGetSystemProcessorFeaturesInformation@4 ; ExpGetSystemProcessorFeaturesInformation(x)
		mov	dword ptr [ebp-1D8h], 20h
		jmp	loc_77DC08
; 

loc_781930:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827D0o
		cmp	esi, 20h
		jnb	short loc_781983
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 7Ah
		mov	dword ptr [ebx], 20h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_78195B:				; DATA XREF: .text:006A190Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_78196E:				; DATA XREF: .text:006A1910o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-44Ch]
		jmp	loc_7823EE
; 

loc_781983:				; CODE XREF: PAGE:00781933j
		mov	ecx, [ebp-1DCh]
		call	ExpGetSystemFlushInformation
		mov	dword ptr [ebp-1D8h], 20h
		jmp	loc_77DC08
; 

loc_78199D:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782774o
		movzx	eax, word_6BBFE6
		add	eax, 0Ch
		mov	[ebp-1D8h], eax
		cmp	esi, eax
		jnb	short loc_7819BB
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_7819BB:				; CODE XREF: PAGE:007819AFj
		mov	eax, [ebp-1DCh]
		lea	edx, [eax+0Ch]
		mov	dword ptr [ebp-4], 7Bh
		xor	ecx, ecx
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		mov	ecx, _ExpManufacturingInformation
		mov	[eax], ecx
		movzx	ecx, word_6BBFE4
		mov	[eax+4], cx
		movzx	ecx, word_6BBFE6
		mov	[eax+6], cx
		cmp	word_6BBFE4, 0
		jbe	short loc_781A17
		mov	[eax+8], edx
		movzx	eax, word_6BBFE6
		push	eax
		mov	eax, dword_6BBFE8
		push	eax
		push	edx
		call	_memcpy
		add	esp, 0Ch

loc_781A17:				; CODE XREF: PAGE:007819FBj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_781A29:				; DATA XREF: .text:006A1918o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-450h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781A3C:				; DATA XREF: .text:006A191Co
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-450h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1ECh]
		jmp	loc_77DC10
; 

loc_781A57:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782778o
		mov	dword ptr [ebp-1D8h], 1
		cmp	esi, 1
		jnb	short loc_781AB4
		test	ebx, ebx
		jz	loc_77E4AE
		mov	dword ptr [ebp-4], 7Ch
		mov	dword ptr [ebx], 1
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_781A8C:				; DATA XREF: .text:006A1924o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-454h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781A9F:				; DATA XREF: .text:006A1928o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-454h]
		jmp	loc_7823EE
; 

loc_781AB4:				; CODE XREF: PAGE:00781A64j
		mov	dword ptr [ebp-4], 7Dh
		call	_PoEnergyEstimationEnabled@0 ; PoEnergyEstimationEnabled()
		mov	[edi], al
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_781AD4:				; DATA XREF: .text:006A1930o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-458h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781AE7:				; DATA XREF: .text:006A1934o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-458h]
		jmp	loc_7823EE
; 

loc_781AFC:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782780o
		mov	eax, ecx
		shl	eax, 6
		mov	[ebp-1D8h], eax
		cmp	esi, 40h
		jb	loc_7809BC
		cmp	esi, eax
		jnb	short loc_781B21
		mov	ecx, esi
		shr	ecx, 6
		mov	[ebp-200h], ecx
		cmp	esi, eax

loc_781B21:				; CODE XREF: PAGE:00781B12j
		sbb	ebx, ebx
		and	ebx, 0C0000004h
		xor	eax, eax

loc_781B2B:				; CODE XREF: PAGE:00781BA1j
		mov	[ebp-224h], eax
		cmp	eax, ecx
		jnb	loc_77DC0A
		mov	[ebp-1E8h], dx
		mov	[ebp-1E6h], al
		mov	byte ptr [ebp-1E5h], 0
		lea	eax, [ebp-1E8h]
		push	eax
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		mov	dword ptr [ebp-4], 7Eh
		mov	edx, [ebp-1DCh]
		call	_KeQueryCycleTimeStatsProcessor@8 ; KeQueryCycleTimeStatsProcessor(x,x)
		mov	eax, [ebp-1DCh]
		add	eax, 40h
		mov	[ebp-1DCh], eax
		mov	[ebp-238h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-224h]
		inc	eax
		mov	ecx, [ebp-200h]
		mov	edx, [ebp-1F4h]
		jmp	short loc_781B2B
; 

loc_781BA3:				; DATA XREF: .text:006A193Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-45Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781BB6:				; DATA XREF: .text:006A1940o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-45Ch]
		jmp	loc_7823EE
; 

loc_781BCB:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782784o
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_SeQueryTrustedPlatformModuleInformation@12 ; SeQueryTrustedPlatformModuleInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_781BE4:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782790o
		mov	dword ptr [ebp-1D8h], 10h
		cmp	esi, 10h
		jz	short loc_781C41
		test	ebx, ebx
		jz	loc_77E4AE
		mov	dword ptr [ebp-4], 7Fh
		mov	dword ptr [ebx], 10h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_781C19:				; DATA XREF: .text:006A1948o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4A4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781C2C:				; DATA XREF: .text:006A194Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4A4h]
		jmp	loc_7823EE
; 

loc_781C41:				; CODE XREF: PAGE:00781BF1j
		mov	cl, _ExpFirmwarePageProtectionSupported
		shl	cl, 4
		mov	al, [ebp-1D0h]
		xor	cl, al
		and	cl, 10h
		xor	al, cl
		mov	[ebp-1D0h], al
		mov	dword ptr [ebp-4], 80h
		mov	ecx, [ebp-1D0h]
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		mov	ecx, [ebp-1CCh]
		mov	[eax+4], ecx
		mov	ecx, [ebp-1C8h]
		mov	[eax+8], ecx
		mov	ecx, [ebp-1C4h]
		mov	[eax+0Ch], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_781C9F:				; DATA XREF: .text:006A1954o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-464h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781CB2:				; DATA XREF: .text:006A1958o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-464h]
		jmp	loc_7823EE
; 

loc_781CC7:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782808o
		cmp	esi, 4
		jz	short loc_781D1A
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 81h
		mov	dword ptr [ebx], 4
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7823EE
; 

loc_781CF2:				; DATA XREF: .text:006A1960o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-468h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781D05:				; DATA XREF: .text:006A1964o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-468h]
		jmp	loc_7823EE
; 

loc_781D1A:				; CODE XREF: PAGE:00781CCAj
		mov	dword ptr [ebp-4], 82h
		mov	eax, [ebp-1DCh]
		mov	dword ptr [eax], 0
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_77EDCB
		call	_KeIsCetCapable@0 ; KeIsCetCapable()
		movzx	eax, al
		mov	ecx, [ebp-1DCh]
		xor	eax, [ecx]
		and	eax, 1
		xor	[ecx], eax
		mov	edx, [ecx]
		call	_KeIsCetCapable@0 ; KeIsCetCapable()
		movzx	esi, al
		add	esi, esi
		xor	esi, edx
		and	esi, 2
		xor	esi, edx
		mov	[ecx], esi
		call	_KeIsCetCapable@0 ; KeIsCetCapable()
		movzx	eax, al
		shl	eax, 8
		xor	eax, esi
		and	eax, 100h
		xor	eax, esi
		mov	[ecx], eax
		jmp	loc_77EDCB
; 

loc_781D7F:				; DATA XREF: .text:006A196Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-46Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781D92:				; DATA XREF: .text:006A1970o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-46Ch]
		jmp	loc_7823EE
; 

loc_781DA7:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782794o
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	SeQueryHSTIResults
		jmp	loc_77DC08
; 

loc_781DC0:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078279Co
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	HvlQueryVsmProtectionInfo
		jmp	loc_77DC08
; 

loc_781DD9:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827A0o
		mov	cl, [ebp-1DDh]
		call	_ExCpuSetResourceManagerAccessCheck@4 ;	ExCpuSetResourceManagerAccessCheck(x)
		test	eax, eax
		js	loc_7823EE
		mov	dword ptr [ebp-1D8h], 0Ch
		cmp	esi, 0Ch
		jz	short loc_781E05
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_781E05:				; CODE XREF: PAGE:00781DF9j
		mov	ecx, [ebp-1DCh]
		call	_KeGetAffinitizedInterruptsInfo@4 ; KeGetAffinitizedInterruptsInfo(x)
		jmp	loc_77DC08
; 

loc_781E15:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827A4o
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_PsRootSiloInformation@12 ; PsRootSiloInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_781E2E:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827A8o
		mov	ecx, [ebp-228h]
		test	ecx, ecx
		jz	short loc_781E71
		mov	eax, ds:_PsProcessType
		mov	dword ptr [ebp-248h], 0
		push	0
		lea	edx, [ebp-248h]
		push	edx
		push	dword ptr [ebp-1F8h]
		push	eax
		push	1000h
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp-248h]
		test	eax, eax
		jns	short loc_781E77
		jmp	loc_7823EE
; 

loc_781E71:				; CODE XREF: PAGE:00781E36j
		mov	edi, [ebp-214h]

loc_781E77:				; CODE XREF: PAGE:00781E6Aj
		push	edi
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	KeQueryCpuSetInformation

loc_781E8C:				; CODE XREF: PAGE:00781F38j
		mov	ebx, eax
		test	edi, edi
		jz	loc_77DC0A
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	loc_77DC0A
; 

loc_781EA2:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827ACo
		mov	ebx, esi
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 98h
		add	ebx, 0C0000023h
		jmp	loc_77DC0A
; 

loc_781EB9:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827B0o
		lea	eax, [ebp-1D8h]
		push	eax
		push	esi
		push	dword ptr [ebp-1DCh]
		mov	edx, [ebp+8]
		mov	ecx, [ebp-1F0h]
		call	ExpQueryInterruptSteeringInformation
		jmp	loc_77DC08
; 

loc_781EDA:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827B4o
		mov	ecx, [ebp-228h]
		test	ecx, ecx
		jz	short loc_781F1D
		mov	eax, ds:_PsProcessType
		mov	dword ptr [ebp-1FCh], 0
		push	0
		lea	edx, [ebp-1FCh]
		push	edx
		push	dword ptr [ebp-1F8h]
		push	eax
		push	1000h
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp-1FCh]
		test	eax, eax
		jns	short loc_781F23
		jmp	loc_7823EE
; 

loc_781F1D:				; CODE XREF: PAGE:00781EE2j
		mov	edi, [ebp-214h]

loc_781F23:				; CODE XREF: PAGE:00781F16j
		push	edi
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	PsWow64GetSupportedArchitectures
		jmp	loc_781E8C
; 

loc_781F3D:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827BCo
		cmp	esi, 8
		jnz	loc_77E6A2
		mov	dword ptr [ebp-4], 83h
		mov	eax, [ebp-1DCh]
		mov	ecx, [eax]
		mov	[ebp-4B8h], ecx
		mov	edx, [eax+4]
		mov	[ebp-4A8h], edx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		call	_ExpQueryCodeIntegrityCertificateInfo@8	; ExpQueryCodeIntegrityCertificateInfo(x,x)
		jmp	loc_77DC08
; 

loc_781F75:				; DATA XREF: .text:006A1978o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-470h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781F88:				; DATA XREF: .text:006A197Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-470h]
		jmp	loc_7823EE
; 

loc_781F9D:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827CCo
		cmp	esi, 4
		jnz	loc_77E6A2
		lea	ecx, [ebp-1D0h]
		call	_PsQueryActivityModerationUserSettings@4 ; PsQueryActivityModerationUserSettings(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_77DC0A
		mov	dword ptr [ebp-4], 84h
		mov	ecx, [ebp-1D0h]
		mov	eax, [ebp-1DCh]
		mov	[eax], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77DC0A
; 

loc_781FDC:				; DATA XREF: .text:006A1984o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-474h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_781FEF:				; DATA XREF: .text:006A1988o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-474h]
		jmp	loc_7823EE
; 

loc_782004:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827D8o
		cmp	esi, 8
		jnb	short loc_782045
		test	ebx, ebx
		jz	loc_77E6A2
		mov	dword ptr [ebp-4], 85h
		jmp	loc_77E695
; 

loc_78201D:				; DATA XREF: .text:006A1990o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-478h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_782030:				; DATA XREF: .text:006A1994o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-478h]
		jmp	loc_7823EE
; 

loc_782045:				; CODE XREF: PAGE:00782007j
		mov	ecx, [ebp-1DCh]
		call	ExpGetSystemWriteConstraintInformation
		mov	dword ptr [ebp-1D8h], 8
		jmp	loc_77DC08
; 

loc_78205F:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827E4o
		lea	eax, [ebp-208h]
		push	eax
		push	0
		push	0
		push	22h
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		mov	ebx, eax
		cmp	ebx, 0C0000004h
		jnz	loc_780632
		mov	ecx, [ebp-208h]
		cmp	esi, ecx
		jb	loc_780F94
		mov	eax, [ebp-1DCh]
		test	eax, eax
		jz	loc_780F94
		cmp	byte ptr [ebp-1DDh], 0
		jz	short loc_7820D0
		push	6F666E49h
		push	ecx
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	edi, eax
		mov	[ebp-1F0h], edi
		test	edi, edi
		jnz	short loc_7820C8
		mov	ebx, 0C000009Ah
		jmp	loc_77DC0A
; 

loc_7820C8:				; CODE XREF: PAGE:007820BCj
		mov	ecx, [ebp-208h]
		jmp	short loc_7820D8
; 

loc_7820D0:				; CODE XREF: PAGE:007820A3j
		mov	edi, eax
		mov	[ebp-1F0h], eax

loc_7820D8:				; CODE XREF: PAGE:007820CEj
		lea	eax, [ebp-1D8h]
		push	eax
		push	edi
		push	ecx
		push	22h
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		mov	ebx, eax
		cmp	byte ptr [ebp-1DDh], 0
		jz	loc_77DC0A
		test	ebx, ebx
		js	loc_780F3F
		mov	dword ptr [ebp-4], 86h
		jmp	loc_780F23
; 

loc_78210C:				; DATA XREF: .text:006A199Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-47Ch], eax
		mov	eax, 1
		retn
; 

loc_78211F:				; DATA XREF: .text:006A19A0o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-47Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-1F0h]
		mov	esi, [ebp-1ECh]
		push	6F666E49h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_77DC10
; 

loc_78214B:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827E0o
		mov	dword ptr [ebp-1D8h], 4
		cmp	esi, 4
		jnb	short loc_782164
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_782164:				; CODE XREF: PAGE:00782158j
		mov	ecx, dword_6D0618
		mov	dword ptr [ebp-4], 87h
		mov	eax, [ebp-1DCh]
		mov	dword ptr [eax], 0
		mov	[eax], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_782191:				; DATA XREF: .text:006A19A8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-480h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7821A4:				; DATA XREF: .text:006A19ACo
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-480h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1ECh]
		jmp	loc_77DC10
; 

loc_7821BF:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827F0o
		mov	dword ptr [ebp-1D8h], 1
		cmp	esi, 1
		jz	short loc_78221C
		test	ebx, ebx
		jz	loc_77E4AE
		mov	dword ptr [ebp-4], 88h
		mov	dword ptr [ebx], 1
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_7821F4:				; DATA XREF: .text:006A19B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-484h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_782207:				; DATA XREF: .text:006A19B8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-484h]
		jmp	loc_7823EE
; 

loc_78221C:				; CODE XREF: PAGE:007821CCj
		mov	dword ptr [ebp-250h], 0
		lea	eax, [ebp-250h]
		push	eax
		lea	eax, [ebp-1D0h]
		push	eax
		push	1
		push	2Fh
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_780E96
		cmp	dword ptr [ebp-250h], 1
		jnz	loc_780E96
		mov	dword ptr [ebp-4], 89h
		mov	cl, [ebp-1D0h]
		mov	eax, [ebp-1DCh]
		mov	[eax], cl
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77DC0A
; 

loc_782276:				; DATA XREF: .text:006A19C0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-488h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_782289:				; DATA XREF: .text:006A19C4o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-488h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1ECh]
		jmp	loc_77DC10
; 

loc_7822A4:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:007827FCo
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-1DCh]
		call	_SeSecurityModelQueryInformation@12 ; SeSecurityModelQueryInformation(x,x,x)
		jmp	loc_77DC08
; 

loc_7822BD:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782800o
		push	ecx
		lea	eax, [ebp-1D8h]
		push	eax
		push	esi
		push	dword ptr [ebp-1DCh]
		mov	edx, [ebp+8]
		mov	ecx, [ebp-1F0h]
		call	CmQuerySingleFeatureConfiguration
		jmp	loc_77DC08
; 

loc_7822DF:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:00782804o
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-1FCh], al
		push	dword ptr [ebp-1FCh]
		lea	eax, [ebp-1D8h]
		push	eax
		push	esi
		push	dword ptr [ebp-1DCh]
		mov	edx, [ebp+8]
		mov	ecx, [ebp-1F0h]
		call	CmQueryFeatureConfigurationSections
		jmp	loc_77DC08
; 

loc_782318:				; CODE XREF: PAGE:0077D887j
					; DATA XREF: PAGE:0078280Co
		mov	dword ptr [ebp-1D8h], 1
		cmp	esi, 1
		jz	short loc_782372
		test	ebx, ebx
		jz	loc_77E4AE
		mov	dword ptr [ebp-4], 8Ah
		mov	dword ptr [ebx], 1
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, 0C0000004h
		jmp	loc_77DC0A
; 

loc_78234D:				; DATA XREF: .text:006A19CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_782360:				; DATA XREF: .text:006A19D0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-48Ch]
		jmp	short loc_7823EE
; 

loc_782372:				; CODE XREF: PAGE:00782325j
		mov	dword ptr [ebp-4], 8Bh
		mov	eax, [ebp-1DCh]
		mov	byte ptr [eax],	1
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1E4h]
		jmp	loc_77DC0A
; 

loc_782394:				; DATA XREF: .text:006A19D8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-490h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7823A7:				; DATA XREF: .text:006A19DCo
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-490h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1ECh]
		jmp	loc_77DC10
; 

loc_7823C2:				; DATA XREF: .text:006A19E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-494h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7823D5:				; DATA XREF: .text:006A19E8o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-494h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7823E5:				; CODE XREF: PAGE:0077DC12j
		mov	eax, ebx
		jmp	short loc_7823EE
; 

loc_7823E9:				; CODE XREF: PAGE:0077D87Aj
					; PAGE:0077D887j
					; DATA XREF: ...
		mov	eax, 0C0000003h

loc_7823EE:				; CODE XREF: PAGE:0077D7E0j
					; PAGE:0077D8EFj ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-1Ch]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_78240C:				; CODE XREF: PAGE:0077EA29j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		lea	ecx, [ecx+0]
; 
off_782414	dd offset loc_77D782	; DATA XREF: PAGE:0077D774r
		dd offset loc_77D77B
		dd offset loc_77D782
byte_782420	db 0			; DATA XREF: PAGE:0077D76Dr
		db 3 dup(2)
		dd 20202h, 2020202h, 2020200h, 3 dup(2020202h),	2010202h
		dd 5 dup(2020202h), 2020200h, 2	dup(2020202h), 20202h
		dd 3 dup(2020202h), 20202h, 2020202h, 2000202h,	2 dup(2020202h)
		dd 20202h, 4 dup(2020202h), 2020002h, 2020202h,	2020200h
		dd 2, 2020202h,	10201h,	2020201h, 2020002h, 20100h, 2010202h
		dd 2020202h, 2020201h, 2020200h, 2 dup(2020202h), 2 dup(20202h)
		dd 2000202h, 2020200h, 2020102h, 2020202h, 2000002h, 3 dup(2020202h)
		dd 90010202h
off_782500	dd offset loc_77D84D	; DATA XREF: PAGE:0077D846r
		dd offset loc_77D88E
		dd offset loc_77DA8F
		dd offset loc_77D955
		dd offset loc_77D8F4
		dd offset loc_77D9A8
		dd offset loc_77D9F7
		dd offset loc_77DA4A
off_782520	dd offset loc_77D86F	; DATA XREF: INIT:??_C@_05JJCGIBE@?5?9?5?$CFx@PBOPGDP@w
byte_782524	db 0			; DATA XREF: PAGE:0077D83Fr
		db 3 dup(8)
		dd 8010808h, 3 dup(8080808h), 8080108h,	8080808h, 80808h
		dd 8000808h, 8080808h, 8080801h, 3 dup(8080808h), 1080808h
		db 3 dup(8)
byte_782563	db 0			; DATA XREF: PAGELK:00730F8Fo
		dd 8080808h, 1020808h, 2 dup(8080808h),	8080108h, 3 dup(8080808h)
		dd 8010808h, 8080808h, 8010308h, 2 dup(8080808h), 4080808h
		dd 4 dup(8080808h), 1080808h, 4	dup(8080808h), 8010808h
		dd 5080808h, 2 dup(8080808h), 8080608h,	6080807h
off_7825D8	dd offset loc_77DAE8	; DATA XREF: PAGE:0077D887r
		dd offset loc_77DBA4
		dd offset loc_77E078
		dd offset loc_77E739
		dd offset loc_780303
		dd offset loc_77E998
		dd offset loc_780632
		dd offset loc_77ECB4
		dd offset loc_77E12A
		dd offset loc_77ED6A
		dd offset loc_77EE9B
		dd offset loc_77EF5A
		dd offset loc_77EFD5
		dd offset loc_77F053
		dd offset loc_77F05D
		dd offset loc_77F175
		dd offset loc_77F1F4
		dd offset loc_77F742
		dd offset loc_77F28B
		dd offset loc_77F4B2
		dd offset loc_77FD85
		dd offset loc_77FCBD
		dd offset loc_77E854
		dd offset loc_7802B2
		dd offset loc_77F7B2
		dd offset loc_77F892
		dd offset loc_77FB33
		dd offset loc_77FC5A
		dd offset loc_77E5DD
		dd offset loc_780243
		dd offset loc_77FE98
		dd offset loc_780040
		dd offset loc_780059
		dd offset loc_7800EE
		dd offset loc_77EB7D
		dd offset loc_780344
		dd offset loc_78030D
		dd offset loc_780376
		dd offset loc_780402
		dd offset loc_78035D
		dd offset loc_77E49E
		dd offset loc_77DB51
		dd offset loc_77DC35
		dd offset loc_77F0E9
		dd offset loc_7804C7
		dd offset loc_77F51E
		dd offset loc_77F3E8
		dd offset loc_77F680
		dd offset loc_780E96
		dd offset loc_780570
		dd offset loc_780605
		dd offset loc_7806BB
		dd offset loc_780818
		dd offset loc_77EEE4
		dd offset loc_780869
		dd offset loc_780887
		dd offset loc_7808D5
		dd offset loc_780B68
		dd offset loc_780CA4
		dd offset loc_77E9B5
		dd offset loc_780B81
		dd offset loc_780B2F
		dd offset loc_7801CD
		dd offset loc_780D1A
		dd offset loc_780DCF
		dd offset loc_780DEC
		dd offset loc_77E344
		dd offset loc_78032B
		dd offset loc_77FF6C
		dd offset loc_780E39
		dd offset loc_780E79
		dd offset loc_780F9F
		dd offset loc_780717
		dd offset loc_780A5F
		dd offset loc_780FB8
		dd offset loc_780E09
		dd offset loc_780FD6
		dd offset loc_781706
		dd offset loc_780E21
		dd offset loc_780FF5
		dd offset loc_78015C
		dd offset loc_78077A
		dd offset loc_781034
		dd offset loc_77DF68
		dd offset loc_781111
		dd offset loc_77F59F
		dd offset loc_7811F0
		dd offset loc_7815A6
		dd offset loc_780836
		dd offset loc_781299
		dd offset loc_781661
		dd offset loc_77EC4D
		dd offset loc_7808A3
		dd offset loc_7808BC
		dd offset loc_781344
		dd offset loc_78178D
		dd offset loc_7817AB
		dd offset loc_77F9F5
		dd offset loc_78143C
		dd offset loc_7814F5
		dd offset loc_7817C4
		dd offset loc_7818C3
		dd offset loc_7812D4
		dd offset loc_78199D
		dd offset loc_781A57
		dd offset loc_780B4E
		dd offset loc_781AFC
		dd offset loc_781BCB
		dd offset loc_77F949
		dd offset loc_780E52
		dd offset loc_781BE4
		dd offset loc_781DA7
		dd offset loc_77EF3F
		dd offset loc_781DC0
		dd offset loc_781DD9
		dd offset loc_781E15
		dd offset loc_781E2E
		dd offset loc_781EA2
		dd offset loc_781EB9
		dd offset loc_781EDA
		dd offset loc_77DC88
		dd offset loc_781F3D
		dd offset loc_77DE49
		dd offset loc_7812C2
		dd offset loc_77FABB
		dd offset loc_781F9D
		dd offset loc_781930
		dd offset loc_7809A7
		dd offset loc_782004
		dd offset loc_7802D1
		dd offset loc_78214B
		dd offset loc_78205F
		dd offset loc_780DB2
		dd offset loc_7802EA
		dd offset loc_7821BF
		dd offset loc_77E685
		dd offset loc_77EE0F
		dd offset loc_7822A4
		dd offset loc_7822BD
		dd offset loc_7822DF
		dd offset loc_781CC7
		dd offset loc_782318
		dd offset loc_7823E9
byte_782814	db 0			; DATA XREF: PAGE:0077D880r
		db 1, 2, 3
		dd 7060504h, 0A040908h,	0D0D0C0Bh, 11100F0Eh, 1413128Eh
		dd 8E8E0415h, 178E0416h, 198E188Eh, 8E8E1B1Ah, 1D1C8E8Eh
		dd 8E8E1F1Eh, 21208E8Eh, 238E228Eh, 26250524h, 2A292827h
		dd 2E2D2C2Bh, 8E31302Fh, 8E8E3332h, 368E3534h, 388E1237h
		dd 3A398E8Eh, 3D3C8E3Bh, 3F8E8E3Eh, 41408E04h, 45444342h
		dd 4847468Eh, 8E8E4A49h, 4D004C4Bh, 12504F4Eh, 53525112h
		dd 8E565554h, 8E8E8E57h, 5A59588Eh, 5D5C5B5Bh, 5F8E085Eh
		dd 608E5F10h, 63626105h, 8E65648Eh, 69686766h, 6C6B8E6Ah
		dd 706F6E6Dh, 5F8E718Eh, 7473726Dh, 5F758E8Eh, 79787776h
		dd 8E7C7B7Ah, 8E6D6D7Dh, 808E7F7Eh, 6D838281h, 8E868584h
		dd 88878E8Eh, 8B8A6D89h, 8E8E048Eh, 8E8E8E8Eh, 8E8E8C8Eh
		dd 8D8E8E8Eh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SPCallServerHandleAuthenticateCaller proc near ; CODE XREF: sub_785212+1092p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00782AF6 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 008DC92D SIZE 0000013E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		and	[ebp+var_C], ebx
		and	[ebp+var_8], ebx
		push	esi
		push	edi
		mov	[ebp+var_14], ebx
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_782AED
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_8]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_782AED
		mov	ebx, [ebp+var_8]
		mov	[ebp+var_14], ebx
		push	8
		xor	edi, edi
		and	[ebp+var_8], edi
		pop	ecx
		mov	[ebp+var_10], ecx
		lea	eax, [ebp+var_10]
		mov	edx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		mov	edx, 0C0000095h
		test	esi, esi
		js	loc_782A61
		mov	eax, [ebp+var_10]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	loc_782A35
		mov	esi, edx

loc_782980:				; CODE XREF: SPCallServerHandleAuthenticateCaller+146j
		test	esi, esi
		js	loc_782A61
		mov	eax, [ebp+var_4]
		mov	edx, edi
		push	4
		mov	ecx, [eax+10h]
		mov	ebx, [eax+8]
		lea	eax, [ebp+var_4]
		mov	[ebp+var_18], ecx
		pop	ecx
		push	eax
		mov	[ebp+var_4], ecx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		jns	loc_782A43

loc_7829AF:				; CODE XREF: SPCallServerHandleAuthenticateCaller+15Cj
					; SPCallServerHandleAuthenticateCaller+15A044j	...
		mov	eax, [ebp+var_8]
		test	esi, esi
		js	loc_782A61

loc_7829BA:				; CODE XREF: SPCallServerHandleAuthenticateCaller+16Cj
		test	esi, esi
		js	loc_782AED

loc_7829C2:				; CODE XREF: SPCallServerHandleAuthenticateCaller+15A07Ej
		cmp	[ebp+arg_0], eax
		jb	loc_8DC981
		rdtsc
		mov	ecx, edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], ecx
		mov	ds:dword_A93F68, eax
		mov	ds:dword_A93F6C, ecx

loc_7829E0:				; CODE XREF: SPCallServerHandleAuthenticateCaller+15A091j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_8DC98E
		mov	eax, [ebp+var_14]
		lea	ebx, [edi+4]
		xor	esi, esi
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_782A19
		mov	esi, 0C000003Eh

loc_7829FE:				; CODE XREF: SPCallServerHandleAuthenticateCaller+13Bj
					; SPCallServerHandleAuthenticateCaller+15A0A5j
		test	esi, esi
		js	loc_782AED
		mov	eax, [edi+8]
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_8DC9A2
		jmp	loc_8DC9BE
; 

loc_782A19:				; CODE XREF: SPCallServerHandleAuthenticateCaller+FFj
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_8DC998
		mov	[edi+8], eax
		and	[edi], esi
		jmp	short loc_7829FE
; 

loc_782A35:				; CODE XREF: SPCallServerHandleAuthenticateCaller+80j
		lea	edi, [ecx+8]
		cmp	edi, ecx
		jb	short loc_782A5F
		xor	esi, esi
		jmp	loc_782980
; 

loc_782A43:				; CODE XREF: SPCallServerHandleAuthenticateCaller+B1j
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_782A69
		xor	esi, esi

loc_782A4F:				; CODE XREF: SPCallServerHandleAuthenticateCaller+179j
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	loc_7829AF
		jmp	loc_8DC92D
; 

loc_782A5F:				; CODE XREF: SPCallServerHandleAuthenticateCaller+142j
		mov	esi, edx

loc_782A61:				; CODE XREF: SPCallServerHandleAuthenticateCaller+6Fj
					; SPCallServerHandleAuthenticateCaller+8Aj ...
		mov	eax, [ebp+var_C]
		jmp	loc_7829BA
; 

loc_782A69:				; CODE XREF: SPCallServerHandleAuthenticateCaller+153j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	short loc_782A4F
; 

loc_782A73:				; CODE XREF: SPCallServerHandleAuthenticateCaller+1C2j
		mov	esi, 0C0000095h

loc_782A78:				; CODE XREF: SPCallServerHandleAuthenticateCaller+1A9j
					; SPCallServerHandleAuthenticateCaller+15A0FFj
		lea	ebx, [edi+4]
		test	esi, esi
		js	short loc_782AED

loc_782A7F:				; CODE XREF: SPCallServerHandleAuthenticateCaller+15A0C1j
		mov	eax, [edi+8]
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_8DCA06
		jmp	loc_8DCA24
; 

loc_782A92:				; CODE XREF: SPCallServerHandleAuthenticateCaller+1C4j
		lea	eax, [ebp+arg_0]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_782A78
		mov	ecx, [ebp+arg_4]
		mov	ebx, [ebp+arg_0]
		inc	ecx
		mov	[ebp+arg_4], ecx
		cmp	ecx, [ebp+var_18]
		jnb	short loc_782AF6

loc_782AB2:				; CODE XREF: SPCallServerHandleAuthenticateCaller+15A0D6j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_782A73
		jmp	short loc_782A92
; 

loc_782ABE:				; CODE XREF: SPCallServerHandleAuthenticateCaller+1EEj
		lea	eax, [ebp+arg_0]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_782AED
		mov	ecx, [ebp+arg_4]
		mov	ebx, [ebp+arg_0]
		inc	ecx
		mov	[ebp+arg_4], ecx
		cmp	ecx, [ebp+var_18]
		jnb	short loc_782AFE

loc_782ADE:				; CODE XREF: SPCallServerHandleAuthenticateCaller+15A13Cj
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jnb	short loc_782ABE

loc_782AE8:				; CODE XREF: SPCallServerHandleAuthenticateCaller+15A0E1j
					; SPCallServerHandleAuthenticateCaller+15A147j
		mov	esi, 0C0000095h

loc_782AED:				; CODE XREF: SPCallServerHandleAuthenticateCaller+2Bj
					; SPCallServerHandleAuthenticateCaller+44j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
SPCallServerHandleAuthenticateCaller endp ; sp = -2Ch

; 
; START	OF FUNCTION CHUNK FOR SPCallServerHandleAuthenticateCaller

loc_782AF6:				; CODE XREF: SPCallServerHandleAuthenticateCaller+1B8j
		mov	eax, [ebp+var_14]
		jmp	loc_8DC9D4
; 

loc_782AFE:				; CODE XREF: SPCallServerHandleAuthenticateCaller+1E4j
		mov	eax, [ebp+var_14]
		jmp	loc_8DCA3A
; END OF FUNCTION CHUNK	FOR SPCallServerHandleAuthenticateCaller

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SPCallServerHandleUpdatePolicies proc near ; CODE XREF:	sub_785212+1189p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00782C04 SIZE 000001D5 BYTES
; FUNCTION CHUNK AT 008DCA6B SIZE 00000426 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		mov	edi, ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_8], ebx
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_8DCE88
		mov	edi, [ebp+var_8]
		and	[ebp+var_8], ebx
		push	8
		pop	ecx
		mov	[ebp+var_24], ecx
		lea	eax, [ebp+var_24]
		mov	edx, edi
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		mov	edx, 0C0000095h
		test	esi, esi
		js	loc_8DCABF
		mov	eax, [ebp+var_24]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_782BD0
		mov	esi, edx

loc_782B74:				; CODE XREF: SPCallServerHandleUpdatePolicies+D3j
		test	esi, esi
		js	short loc_782BF5
		mov	eax, [ebp+var_4]
		mov	edx, ebx
		push	4
		mov	ecx, [eax+10h]
		mov	edi, [eax+8]
		lea	eax, [ebp+var_4]
		mov	[ebp+var_28], ecx
		pop	ecx
		push	eax
		mov	[ebp+var_4], ecx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		jns	short loc_782BDB

loc_782B9B:				; CODE XREF: SPCallServerHandleUpdatePolicies+E6j
					; SPCallServerHandleUpdatePolicies+159F74j ...
		mov	eax, [ebp+var_8]
		test	esi, esi
		js	short loc_782BF5

loc_782BA2:				; CODE XREF: SPCallServerHandleUpdatePolicies+F2j
					; SPCallServerHandleUpdatePolicies+159FBBj
		test	esi, esi
		js	loc_8DCE88

loc_782BAA:				; CODE XREF: SPCallServerHandleUpdatePolicies+159FAEj
		cmp	[ebp+arg_0], eax
		jb	loc_8DCAC6
		mov	ecx, [ebp+var_10]
		xor	edi, edi
		and	[ebp+var_C], edi
		mov	edx, 0C000000Dh
		mov	eax, [ecx+8]
		test	eax, eax
		jz	loc_8DCBD8
		jmp	loc_8DCBDE
; 

loc_782BD0:				; CODE XREF: SPCallServerHandleUpdatePolicies+6Aj
		lea	ebx, [ecx+8]
		cmp	ebx, ecx
		jb	short loc_782BF3
		xor	esi, esi
		jmp	short loc_782B74
; 

loc_782BDB:				; CODE XREF: SPCallServerHandleUpdatePolicies+93j
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_782BFA
		xor	esi, esi

loc_782BE7:				; CODE XREF: SPCallServerHandleUpdatePolicies+FCj
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	short loc_782B9B
		jmp	loc_8DCA6B
; 

loc_782BF3:				; CODE XREF: SPCallServerHandleUpdatePolicies+CFj
		mov	esi, edx

loc_782BF5:				; CODE XREF: SPCallServerHandleUpdatePolicies+70j
					; SPCallServerHandleUpdatePolicies+9Aj
		mov	eax, [ebp+var_C]
		jmp	short loc_782BA2
; 

loc_782BFA:				; CODE XREF: SPCallServerHandleUpdatePolicies+DDj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	short loc_782BE7
SPCallServerHandleUpdatePolicies endp

; 
; START	OF FUNCTION CHUNK FOR SPCallServerHandleUpdatePolicies

loc_782C04:				; CODE XREF: SPCallServerHandleUpdatePolicies+2CEj
					; SPCallServerHandleUpdatePolicies+15A10Bj
		test	esi, esi
		js	loc_8DCC16
		cmp	eax, 8
		jnz	loc_8DCE75
		mov	ebx, [edi]
		mov	edx, [edi+4]
		mov	ecx, [ebp+var_10]

loc_782C1D:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A118j
		test	esi, esi
		js	loc_8DCE88
		test	ebx, ebx
		jnz	short loc_782C31
		test	edx, edx
		jz	loc_8DCC23

loc_782C31:				; CODE XREF: SPCallServerHandleUpdatePolicies+121j
		mov	eax, ds:dword_A93F68
		test	eax, eax
		jnz	short loc_782C46
		cmp	ds:dword_A93F6C, eax
		jz	loc_8DCC23

loc_782C46:				; CODE XREF: SPCallServerHandleUpdatePolicies+132j
		cmp	ebx, eax
		jnz	loc_8DCDF9
		cmp	edx, ds:dword_A93F6C
		jnz	loc_8DCDF9
		mov	eax, [ecx+8]
		test	eax, eax
		jz	loc_8DCE53
		cmp	dword ptr [ecx], 4
		jbe	loc_8DCE53
		xor	edi, edi

loc_782C70:				; CODE XREF: SPCallServerHandleUpdatePolicies+19Ej
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DCD1C
		xor	esi, esi

loc_782C7F:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A21Ej
		mov	[ebp+arg_0], ecx
		test	esi, esi
		js	loc_8DCD36
		lea	eax, [ebp+arg_0]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_8DCD36
		mov	eax, [ebp+arg_0]
		inc	edi
		cmp	edi, 4
		jb	short loc_782C70
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DCD29
		xor	esi, esi

loc_782CB5:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A22Bj
		test	esi, esi
		js	loc_8DCD36
		mov	eax, edx
		mov	ebx, edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx

loc_782CC7:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A235j
		test	esi, esi
		js	loc_8DCE88
		push	eax
		push	ebx
		call	ds:dword_A93EE0
		cmp	eax, 107h
		jz	loc_8DCD59
		cmp	eax, 40000000h
		jz	loc_8DCD4D
		test	eax, eax
		js	loc_8DCD40
		and	[ebp+arg_0], 0

loc_782CF9:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A242j
					; SPCallServerHandleUpdatePolicies+15A24Ej ...
		mov	edi, [ebp+arg_4]
		and	dword ptr [edi], 0
		lea	eax, [edi+4]
		and	dword ptr [eax], 0
		mov	ebx, [edi+8]
		test	ebx, ebx
		jz	loc_8DCD65
		push	20534C53h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi+8], 0
		lea	eax, [edi+4]
		xor	ebx, ebx
		test	ebx, ebx
		jz	loc_8DCD65
		jmp	loc_8DCD84
; 

loc_782D31:				; CODE XREF: SPCallServerHandleUpdatePolicies+28Ej
		mov	esi, 0C0000095h

loc_782D36:				; CODE XREF: SPCallServerHandleUpdatePolicies+271j
		mov	ebx, [ebp+arg_0]

loc_782D39:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A2BDj
		test	esi, esi
		js	loc_8DCE88

loc_782D41:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A279j
		mov	eax, [edi+4]
		test	eax, eax
		jz	loc_8DCC95
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_8DCE7C
		jmp	loc_8DCDC8
; 

loc_782D68:				; CODE XREF: SPCallServerHandleUpdatePolicies+290j
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_782D36
		mov	ecx, [ebp+var_20]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_20], ecx
		cmp	ecx, [ebp+var_28]
		jnb	loc_8DCD98

loc_782D8C:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A28Cj
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_782D31
		jmp	short loc_782D68
; 

loc_782D98:				; CODE XREF: SPCallServerHandleUpdatePolicies+2BAj
					; SPCallServerHandleUpdatePolicies+15A0DFj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_782DC7
		xor	esi, esi

loc_782DA3:				; CODE XREF: SPCallServerHandleUpdatePolicies+2C9j
		mov	[ebp+arg_0], ecx
		test	esi, esi
		js	short loc_782DD1
		lea	eax, [ebp+arg_0]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_782DD1
		mov	eax, [ebp+arg_0]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_782D98
		jmp	loc_8DCBEA
; 

loc_782DC7:				; CODE XREF: SPCallServerHandleUpdatePolicies+299j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	short loc_782DA3
; 

loc_782DD1:				; CODE XREF: SPCallServerHandleUpdatePolicies+2A2j
					; SPCallServerHandleUpdatePolicies+2B1j ...
		mov	eax, [ebp+var_C]
		jmp	loc_782C04
; END OF FUNCTION CHUNK	FOR SPCallServerHandleUpdatePolicies
; 
		align 4
		db 2 dup(0CCh)
; Exported entry 454. ExUpdateLicenseData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExUpdateLicenseData
ExUpdateLicenseData proc near		; DATA XREF: ClipInitHandles()+Fo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DCE91 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		push	[ebp+arg_4]
		mov	ecx, [eax+204h]
		mov	eax, ds:dword_A93F18
		test	eax, eax
		jz	loc_8DCE91
		push	[ebp+arg_0]
		push	ecx
		call	eax

loc_782E04:				; CODE XREF: ExUpdateLicenseData+15A0BBj
		pop	ebp
		retn	8
ExUpdateLicenseData endp ; sp =	-0Ch

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry  20.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExpSetKernelDataProtection
ExpSetKernelDataProtection proc	near	; CODE XREF: ExpGetLicenseTamperState(x,x)+13Ap
					; ExpSetLicenseTamperState(x,x)+36p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DCE9E SIZE 0000001E BYTES
; FUNCTION CHUNK AT 008DCEDE SIZE 00000018 BYTES

		push	18h
		push	offset dword_6A19F0
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_1C], esi
		mov	edi, esi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], esi
		cmp	[ebp+arg_4], esi
		jz	loc_8DCE9E
		test	[ebp+arg_C], 1
		jnz	short loc_782E48
		mov	eax, [ebp+arg_0]
		cmp	[eax+5B7Ch], esi
		jz	loc_8DCEA8

loc_782E48:				; CODE XREF: ExpSetKernelDataProtection+29j
		mov	[ebp+ms_exc.disabled], esi
		mov	ebx, [ebp+arg_0]
		lea	ecx, [ebx+5C28h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebx+5C24h]
		test	eax, eax
		jz	loc_782F0C
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		lea	ecx, [ebp+arg_C]
		call	sub_782FD2
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		js	short loc_782EBD

loc_782E7F:				; CODE XREF: ExpSetKernelDataProtection+17Cj
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_C]
		test	[ebp+arg_8], 1
		jnz	short loc_782EF8

loc_782E8B:				; CODE XREF: ExpSetKernelDataProtection+F4j
		test	[ebp+arg_8], 2
		jnz	short loc_782EF0

loc_782E91:				; CODE XREF: ExpSetKernelDataProtection+E8j
		test	[ebp+arg_8], 4
		jz	short loc_782EA3
		mov	eax, [edx+10h]
		mov	[ecx+10h], eax
		mov	eax, [edx+14h]
		mov	[ecx+14h], eax

loc_782EA3:				; CODE XREF: ExpSetKernelDataProtection+87j
		test	[ebp+arg_8], 8
		jnz	loc_782F8F

loc_782EAD:				; CODE XREF: ExpSetKernelDataProtection+18Dj
		test	[ebp+arg_8], 10h
		jnz	loc_782FA0

loc_782EB7:				; CODE XREF: ExpSetKernelDataProtection+19Ej
		test	[ebp+arg_8], 20h
		jnz	short loc_782F04

loc_782EBD:				; CODE XREF: ExpSetKernelDataProtection+6Fj
					; ExpSetKernelDataProtection+FCj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_782FB1

loc_782EC9:				; CODE XREF: ExpSetKernelDataProtection+15A095j
					; ExpSetKernelDataProtection+15A09Cj
		test	edi, edi
		jnz	loc_8DCEDE

loc_782ED1:				; CODE XREF: ExpSetKernelDataProtection+15A0D7j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	loc_8DCEEA

loc_782EDC:				; CODE XREF: ExpSetKernelDataProtection+15A0E3j
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_782EF0:				; CODE XREF: ExpSetKernelDataProtection+81j
		mov	eax, [edx+8]
		mov	[ecx+8], eax
		jmp	short loc_782E91
; 

loc_782EF8:				; CODE XREF: ExpSetKernelDataProtection+7Bj
		mov	eax, [edx]
		mov	[ecx], eax
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		jmp	short loc_782E8B
; 

loc_782F04:				; CODE XREF: ExpSetKernelDataProtection+ADj
		mov	al, [edx+28h]
		mov	[ecx+28h], al
		jmp	short loc_782EBD
; 

loc_782F0C:				; CODE XREF: ExpSetKernelDataProtection+55j
		mov	ebx, 20534C53h
		push	ebx
		push	30h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		jz	loc_8DCEAF
		push	ebx
		push	4
		pop	ebx
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_8DCEAF
		mov	[ecx], edi
		mov	[ebp+arg_C], edi
		mov	[edi], esi
		mov	[edi+4], esi
		mov	[edi+10h], esi
		mov	[edi+14h], esi
		mov	[edi+8], ebx
		mov	[edi+18h], esi
		mov	[edi+1Ch], esi
		mov	[edi+20h], esi
		mov	[edi+24h], esi
		mov	byte ptr [edi+28h], 1
		call	sub_8AD454
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		js	loc_782EBD
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+arg_0]
		mov	[ecx+5C24h], eax
		mov	edi, esi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], esi
		jmp	loc_782E7F
; 

loc_782F8F:				; CODE XREF: ExpSetKernelDataProtection+99j
		mov	eax, [edx+18h]
		mov	[ecx+18h], eax
		mov	eax, [edx+1Ch]
		mov	[ecx+1Ch], eax
		jmp	loc_782EAD
; 

loc_782FA0:				; CODE XREF: ExpSetKernelDataProtection+A3j
		mov	eax, [edx+20h]
		mov	[ecx+20h], eax
		mov	eax, [edx+24h]
		mov	[ecx+24h], eax
		jmp	loc_782EB7
ExpSetKernelDataProtection endp


;  S U B	R O U T	I N E 


sub_782FB1	proc near		; CODE XREF: ExpSetKernelDataProtection+B6p
					; sub_8DCEBC+8j

; FUNCTION CHUNK AT 008DCEC9 SIZE 00000015 BYTES

		mov	ecx, [ebp+8]
		add	ecx, 5C28h
		mov	[ebp+10h], ecx
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		test	al, 2
		jnz	loc_8DCEC9

loc_782FCC:				; CODE XREF: sub_782FB1+159F1Aj
					; sub_782FB1+159F28j
		call	KeAbPostRelease
		retn
sub_782FB1	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_782FD2	proc near		; CODE XREF: ExpDeleteSiloState(x)+78p
					; ExpSetKernelDataProtection+63p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		test	edi, edi
		jz	short loc_782FFB
		mov	ecx, [edi]
		mov	[ebp+var_4], ecx
		lea	ecx, [ebp+var_4]
		call	WarbirdKmDecryptPointer
		mov	ecx, [ebp+var_4]
		mov	[edi], ecx

loc_782FF5:				; CODE XREF: sub_782FD2+2Ej
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_782FFB:				; CODE XREF: sub_782FD2+Fj
		mov	esi, 0C000000Dh
		jmp	short loc_782FF5
sub_782FD2	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SPCallServerHandleGetAppPolicyValue proc near ;	CODE XREF: sub_785212+20ADp

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0078309D SIZE 000008AF BYTES
; FUNCTION CHUNK AT 008DCEF6 SIZE 000002FB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	[ebp+var_58], edx
		mov	edx, ecx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		push	esi
		mov	eax, [edx+8]
		mov	ecx, 0C000000Dh
		mov	[ebp+var_8], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_50], ebx
		push	edi
		mov	edi, ebx
		test	eax, eax
		jz	loc_8DCEF6
		cmp	dword ptr [edx], 3
		jbe	loc_8DCEF6

loc_78305C:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+8Aj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_783093
		xor	esi, esi

loc_783067:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+99j
		mov	[ebp+var_14], ecx
		test	esi, esi
		js	loc_8DCF25
		lea	eax, [ebp+var_14]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_8DCF25
		mov	eax, [ebp+var_14]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_78305C
		jmp	loc_8DCEFD
; 

loc_783093:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+61j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	short loc_783067
SPCallServerHandleGetAppPolicyValue endp

; 
; START	OF FUNCTION CHUNK FOR SPCallServerHandleGetAppPolicyValue

loc_78309D:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A016j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DD01D
		xor	esi, esi

loc_7830AC:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A023j
		test	esi, esi
		js	loc_8DD02A
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx

loc_7830BE:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A02Bj
		test	esi, esi
		js	short loc_7830D0
		cmp	eax, 4
		jnz	loc_8DD032
		mov	eax, [edi]
		mov	[ebp+var_30], eax

loc_7830D0:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+BEj
		mov	ebx, [ebp+var_4]

loc_7830D3:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159FDDj
		test	esi, esi
		js	loc_7833E8
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_8DCFB6
		cmp	dword ptr [ebx], 7
		jbe	loc_8DCFB6
		xor	edi, edi

loc_7830F1:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+123j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DD03C
		xor	esi, esi

loc_783100:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A042j
		mov	[ebp+var_18], ecx
		test	esi, esi
		js	loc_7833E8
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7833E8
		mov	eax, [ebp+var_18]
		inc	edi
		cmp	edi, 7
		jb	short loc_7830F1
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DD049
		xor	esi, esi

loc_783136:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A04Fj
		test	esi, esi
		js	loc_7833E8
		mov	eax, edx
		mov	[ebp+var_28], edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_2C], eax
		test	esi, esi
		js	loc_7833E8
		mov	eax, [ebx+8]
		xor	edi, edi
		and	[ebp+var_14], edi
		test	eax, eax
		jz	loc_8DD056
		cmp	dword ptr [ebx], 8
		jbe	loc_8DD056
		xor	ebx, ebx
		jmp	loc_8DD062
; 

loc_783174:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+8E4j
					; SPCallServerHandleGetAppPolicyValue+90Bj ...
		mov	ecx, [ebp+var_54]

loc_783177:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+54Bj
		mov	ebx, [ebp+var_14]

loc_78317A:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159F9Dj
		test	esi, esi
		js	loc_78340C
		lea	edi, ds:2[ecx*2]
		test	edi, edi
		jz	loc_7838FC
		push	20534C53h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8DCFA4
		push	edi		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_1C], esi

loc_7831B6:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159FAFj
		mov	ebx, [ebp+var_4]
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_8DCFB6
		cmp	dword ptr [ebx], 5
		jbe	loc_8DCFB6
		xor	edi, edi

loc_7831CF:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+201j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DCFC0
		xor	esi, esi

loc_7831DE:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159FC6j
		mov	[ebp+var_18], ecx
		test	esi, esi
		js	loc_7833E8
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7833E8
		mov	eax, [ebp+var_18]
		inc	edi
		cmp	edi, 5
		jb	short loc_7831CF
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DCFCD
		xor	esi, esi

loc_783214:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159FD3j
		test	esi, esi
		js	loc_7833E8
		mov	eax, edx
		mov	[ebp+var_34], edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_38], eax
		test	esi, esi
		js	loc_7833E8
		mov	eax, [ebx+8]
		xor	edi, edi
		and	[ebp+var_14], edi
		test	eax, eax
		jz	loc_8DCFDA
		cmp	dword ptr [ebx], 6
		jbe	loc_8DCFDA
		xor	ebx, ebx
		jmp	loc_8DCFE4
; 

loc_783252:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+363j
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7833E8
		mov	ecx, [ebp+var_44]
		mov	edx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_44], ecx
		cmp	ecx, [ebp+var_58]
		jb	loc_78335D
		mov	eax, [ebp+var_54]

loc_78327E:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+355j
		lea	ecx, [edx+4]
		cmp	ecx, edx
		jb	loc_7833E3
		mov	ecx, [ebx]
		xor	esi, esi
		add	ecx, eax
		mov	eax, [ebp+var_C]
		add	eax, 4
		add	eax, edx
		cmp	eax, ecx
		ja	loc_8DD032
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_C]
		mov	[edx], eax
		test	ecx, ecx
		jz	short loc_7832B9
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [edx+4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_7832B9:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+2A7j
		inc	dword ptr [edi]

loc_7832BB:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+36Ej
					; SPCallServerHandleGetAppPolicyValue+15A141j
		test	esi, esi
		js	loc_7833E8

loc_7832C3:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A166j
		mov	eax, [ebp+var_48]
		mov	[ebp+var_40], eax
		mov	eax, [edi+8]
		mov	[ebp+var_54], eax
		test	eax, eax
		jz	loc_783375
		mov	ecx, [edi]
		mov	edx, eax
		and	[ebp+var_44], 0
		mov	[ebp+arg_4], edx
		mov	[ebp+var_58], ecx
		test	ecx, ecx
		jz	loc_7834DB

loc_7832ED:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+458j
		mov	edx, [edx]
		add	edx, 4
		cmp	edx, 4
		jnb	loc_78343B
		mov	esi, 0C0000095h

loc_783300:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A192j
		test	esi, esi
		jns	loc_783388
		jmp	loc_7833E8
; 

loc_78330D:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+824j
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7833E8
		inc	dword ptr [edi]

loc_783324:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+84Dj
		cmp	[ebp+var_10], 0
		mov	ecx, [ebp+var_C]
		jz	loc_8DD136
		test	ecx, ecx
		jz	loc_8DD13E

loc_783339:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A136j
		mov	eax, [edi+8]
		mov	[ebp+var_54], eax
		test	eax, eax
		jz	loc_8DD148
		mov	ecx, [edi]
		mov	edx, eax
		and	[ebp+var_44], 0
		mov	[ebp+arg_4], edx
		mov	[ebp+var_58], ecx
		test	ecx, ecx
		jz	loc_78327E

loc_78335D:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+273j
		mov	edx, [edx]
		add	edx, 4
		cmp	edx, 4
		jnb	loc_783252

loc_78336B:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A14Cj
		mov	esi, 0C0000095h
		jmp	loc_7832BB
; 

loc_783375:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+2CFj
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_7833E8
		inc	dword ptr [edi]

loc_783388:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+300j
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_40], eax
		mov	eax, [edi+8]
		mov	[ebp+var_54], eax
		test	eax, eax
		jnz	loc_783465
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_7833E8
		inc	dword ptr [edi]

loc_7833AF:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+486j
		mov	eax, [ebp+var_50]
		mov	[ebp+var_40], eax
		mov	eax, [edi+8]
		mov	[ebp+var_54], eax
		test	eax, eax
		jz	loc_7834BD
		mov	ecx, [edi]
		mov	edx, eax
		and	[ebp+var_44], 0
		mov	[ebp+arg_4], edx
		mov	[ebp+var_58], ecx
		test	ecx, ecx
		jz	loc_7834FB

loc_7833D9:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+432j
		mov	edx, [edx]
		add	edx, 4
		cmp	edx, 4
		jnb	short loc_783415

loc_7833E3:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+281j
					; SPCallServerHandleGetAppPolicyValue+4DEj ...
		mov	esi, 0C0000095h

loc_7833E8:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+D3j
					; SPCallServerHandleGetAppPolicyValue+103j ...
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_7833FA
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7833FA:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+3EBj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_78340C
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_78340C:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+17Aj
					; SPCallServerHandleGetAppPolicyValue+3FDj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_783415:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+3DFj
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_7833E8
		mov	ecx, [ebp+var_44]
		mov	edx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_44], ecx
		cmp	ecx, [ebp+var_58]
		jb	short loc_7833D9
		jmp	loc_8DD1C5
; 

loc_78343B:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+2F3j
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_7833E8
		mov	ecx, [ebp+var_44]
		mov	edx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_44], ecx
		cmp	ecx, [ebp+var_58]
		jb	loc_7832ED
		jmp	loc_8DD16D
; 

loc_783465:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+394j
		mov	ecx, [edi]
		mov	edx, eax
		and	[ebp+var_44], 0
		mov	[ebp+arg_4], edx
		mov	[ebp+var_58], ecx
		test	ecx, ecx
		jz	short loc_7834EB

loc_783477:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+4B4j
		mov	edx, [edx]
		add	edx, 4
		cmp	edx, 4
		jnb	short loc_783493
		mov	esi, 0C0000095h

loc_783486:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A1BEj
		test	esi, esi
		jns	loc_7833AF
		jmp	loc_7833E8
; 

loc_783493:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+47Dj
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7833E8
		mov	ecx, [ebp+var_44]
		mov	edx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_44], ecx
		cmp	ecx, [ebp+var_58]
		jb	short loc_783477
		jmp	loc_8DD199
; 

loc_7834BD:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+3BBj
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7833E8
		inc	dword ptr [edi]
		xor	esi, esi
		jmp	loc_7833E8
; 

loc_7834DB:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+2E5j
					; SPCallServerHandleGetAppPolicyValue+15A16Ej
		lea	ecx, [edx+4]
		cmp	ecx, edx
		jb	loc_7833E3
		jmp	loc_8DD175
; 

loc_7834EB:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+473j
					; SPCallServerHandleGetAppPolicyValue+15A19Aj
		lea	ecx, [edx+4]
		cmp	ecx, edx
		jb	loc_7833E3
		jmp	loc_8DD1A1
; 

loc_7834FB:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+3D1j
					; SPCallServerHandleGetAppPolicyValue+15A1C6j
		lea	ecx, [edx+4]
		cmp	ecx, edx
		jb	loc_7833E3
		jmp	loc_8DD1CD
; 

loc_78350B:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159F1Ej
					; SPCallServerHandleGetAppPolicyValue+159F25j
		test	esi, esi
		js	short loc_783523
		cmp	eax, 8
		jnz	loc_8DCF2C
		mov	eax, [edi]
		mov	[ebp+var_40], eax
		mov	eax, [edi+4]
		mov	[ebp+var_44], eax

loc_783523:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+50Bj
		mov	edx, [ebp+var_4]
		xor	ebx, ebx

loc_783528:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159EF6j
		test	esi, esi
		js	loc_78340C
		mov	eax, [edx+8]
		xor	edi, edi
		and	[ebp+var_24], edi
		mov	ecx, ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_54], ecx
		test	eax, eax
		jnz	loc_8DCF36

loc_783548:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159F37j
		mov	esi, 0C000000Dh
		jmp	loc_783177
; 

loc_783552:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A094j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DD09B
		xor	esi, esi

loc_783561:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A0A1j
		test	esi, esi
		js	loc_8DD0A8
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx

loc_783573:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A0A9j
		test	esi, esi
		js	loc_8DD0B0
		cmp	eax, 4
		jnz	loc_8DD032
		mov	ebx, [edi]
		mov	[ebp+var_C], ebx

loc_783589:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A05Bj
					; SPCallServerHandleGetAppPolicyValue+15A0B1j
		test	esi, esi
		js	loc_7833E8
		xor	esi, esi
		test	ebx, ebx
		jz	loc_8DD0C2
		push	20534C53h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_10], edi
		test	edi, edi
		jz	loc_8DD0B8
		push	ebx		; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_7835C0:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A0C4j
		mov	eax, ds:dword_A93E8C
		test	eax, eax
		jz	loc_8DD0CB
		lea	ecx, [ebp+var_50]
		neg	esi
		push	ecx
		lea	ecx, [ebp+var_4C]
		sbb	esi, esi
		push	ecx
		lea	ecx, [ebp+var_48]
		not	esi
		push	ecx
		push	ebx
		and	esi, edi
		push	esi
		push	[ebp+var_28]
		push	[ebp+var_2C]
		push	[ebp+var_30]
		push	[ebp+var_34]
		push	[ebp+var_38]
		push	[ebp+var_1C]
		call	eax

loc_7835F7:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A0CEj
		and	[ebp+var_4], 0
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7837F8
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7837F8
		lea	edx, [ebx+4]
		cmp	edx, 4
		jb	loc_7837F3
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7837F8
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7837F8
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7837F8
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7837F8
		mov	eax, [ebp+var_4]
		mov	[ebp+var_8], eax

loc_7836A2:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+7F9j
		test	esi, esi
		js	loc_7833E8
		xor	edi, edi
		mov	[ebp+var_3C], 8
		lea	ecx, [ebp+var_3C]
		mov	edx, eax
		push	ecx
		push	8
		pop	ecx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7833E8
		mov	eax, [ebp+var_3C]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_783756
		mov	esi, 0C0000095h

loc_7836DD:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+800j
		test	esi, esi
		js	loc_7833E8
		mov	ebx, [ebp+var_58]
		mov	edx, edi
		push	4
		pop	ecx
		mov	[ebp+var_4], ecx
		mov	eax, [ebx+10h]
		mov	ebx, [ebx+8]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7833E8
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_7838BD
		xor	esi, esi

loc_78371C:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+8C3j
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	loc_7833E8
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7833E8
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_783761
		mov	edx, [ebp+var_58]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		jmp	short loc_783766
; 

loc_783756:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+6D4j
		lea	edi, [ecx+8]
		cmp	edi, ecx
		jnb	loc_783800

loc_783761:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+742j
		mov	esi, 0C0000095h

loc_783766:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+752j
		test	esi, esi
		js	loc_7833E8
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_8DCFB6
		mov	eax, [ebp+var_8]
		lea	ebx, [edi+4]
		xor	esi, esi
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_7837D7
		mov	esi, 0C000003Eh

loc_78378C:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+7EFj
					; SPCallServerHandleGetAppPolicyValue+15A0D8j
		test	esi, esi
		js	loc_7833E8
		mov	eax, [edi+8]
		or	[ebp+var_14], 10000000h
		mov	[ebp+var_54], eax
		test	eax, eax
		jz	short loc_783807
		mov	ecx, [edi]
		mov	edx, eax
		and	[ebp+var_38], 0
		mov	[ebp+arg_4], edx
		mov	[ebp+var_58], ecx
		test	ecx, ecx
		jz	loc_7838CA

loc_7837BB:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+8B0j
		mov	edx, [edx]
		add	edx, 4
		cmp	edx, 4
		jnb	loc_78388F
		mov	esi, 0C0000095h

loc_7837CE:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A104j
		test	esi, esi
		jns	short loc_78381E
		jmp	loc_7833E8
; 

loc_7837D7:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+783j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_8DD0D5
		mov	[edi+8], eax
		and	[edi], esi
		jmp	short loc_78378C
; 

loc_7837F3:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+633j
		mov	esi, 0C0000095h

loc_7837F8:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+60Ej
					; SPCallServerHandleGetAppPolicyValue+627j ...
		mov	eax, [ebp+var_8]
		jmp	loc_7836A2
; 

loc_783800:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+759j
		xor	esi, esi
		jmp	loc_7836DD
; 

loc_783807:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+7A1j
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7833E8
		inc	dword ptr [edi]

loc_78381E:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+7CEj
		mov	eax, [edi+8]
		mov	[ebp+var_54], eax
		test	eax, eax
		jz	loc_78330D
		and	[ebp+var_38], 0
		mov	edx, eax
		mov	eax, [edi]
		mov	[ebp+arg_4], edx
		mov	[ebp+var_58], eax
		test	eax, eax
		jz	short loc_78387F

loc_78383E:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+87Bj
		mov	edx, [edx]
		add	edx, 4
		cmp	edx, 4
		jnb	short loc_78385A
		mov	esi, 0C0000095h

loc_78384D:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A12Fj
		test	esi, esi
		jns	loc_783324
		jmp	loc_7833E8
; 

loc_78385A:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+844j
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7833E8
		mov	ecx, [ebp+var_38]
		mov	edx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_38], ecx
		cmp	ecx, [ebp+var_58]
		jb	short loc_78383E

loc_78387F:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+83Aj
		lea	eax, [edx+4]
		cmp	eax, edx
		jb	loc_7833E3
		jmp	loc_8DD10B
; 

loc_78388F:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+7C1j
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7833E8
		mov	ecx, [ebp+var_38]
		mov	edx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_38], ecx
		cmp	ecx, [ebp+var_58]
		jb	loc_7837BB
		jmp	loc_8DD0DF
; 

loc_7838BD:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+712j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_78371C
; 

loc_7838CA:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+7B3j
					; SPCallServerHandleGetAppPolicyValue+15A0E0j
		lea	ecx, [edx+4]
		cmp	ecx, edx
		jb	loc_7833E3
		jmp	loc_8DD0E7
; 

loc_7838DA:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159F62j
		mov	ebx, edx
		mov	edi, edx
		neg	ebx
		sbb	ebx, ebx
		and	ebx, ecx
		test	esi, esi
		js	loc_783174
		test	edi, edi
		jz	short loc_7838FC
		test	edi, 1
		jz	loc_8DCF69

loc_7838FC:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+189j
					; SPCallServerHandleGetAppPolicyValue+8ECj ...
		mov	esi, 0C000003Eh
		jmp	loc_8DCFA9
; 

loc_783906:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+93Ej
		xor	esi, esi

loc_783908:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+948j
		mov	[ebp+var_18], ecx
		test	esi, esi
		js	loc_783174
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_783174
		mov	edx, [ebp+var_20]
		mov	eax, [ebp+var_18]
		inc	edx
		mov	[ebp+var_20], edx
		cmp	edx, 4
		jnb	loc_8DCF47

loc_783939:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159F40j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jnb	short loc_783906
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	short loc_783908
; END OF FUNCTION CHUNK	FOR SPCallServerHandleGetAppPolicyValue

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SPCallServerHandleIsAppLicensed	proc near ; CODE XREF: sub_785212+1B23p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00783A04 SIZE 000005E4 BYTES
; FUNCTION CHUNK AT 008DD1F1 SIZE 000002BF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		xor	esi, esi
		mov	ebx, edx
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], ebx
		mov	edx, ecx
		mov	ecx, [ebp+arg_4]
		stosd
		mov	[ebp+var_20], edx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_5C], esi
		stosd
		mov	[ebp+var_44], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_4C], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_50], esi
		stosd
		test	ebx, ebx
		jz	loc_8DD1F1
		test	ecx, ecx
		jz	loc_8DD1F1
		mov	eax, [edx+8]
		and	[ebp+var_18], esi
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_8DD1FB
		cmp	dword ptr [edx], 3
		jbe	loc_8DD1FB
		xor	edi, edi

loc_7839C3:				; CODE XREF: SPCallServerHandleIsAppLicensed+A7j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_7839FA
		xor	ebx, ebx

loc_7839CE:				; CODE XREF: SPCallServerHandleIsAppLicensed+B6j
		mov	[ebp+var_1C], ecx
		test	ebx, ebx
		js	loc_8DD22D
		lea	eax, [ebp+var_1C]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8DD22D
		mov	eax, [ebp+var_1C]
		inc	edi
		cmp	edi, 3
		jb	short loc_7839C3
		jmp	loc_8DD205
; 

loc_7839FA:				; CODE XREF: SPCallServerHandleIsAppLicensed+7Ej
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	short loc_7839CE
SPCallServerHandleIsAppLicensed	endp

; 
; START	OF FUNCTION CHUNK FOR SPCallServerHandleIsAppLicensed

loc_783A04:				; CODE XREF: SPCallServerHandleIsAppLicensed+5F1j
					; SPCallServerHandleIsAppLicensed+65Dj	...
		mov	ecx, [ebp+var_28]

loc_783A07:				; CODE XREF: SPCallServerHandleIsAppLicensed+36Ej
					; SPCallServerHandleIsAppLicensed+159A33j
		test	ebx, ebx
		js	loc_783B2D
		lea	edi, ds:2[ecx*2]
		test	edi, edi
		jz	loc_8DD34B
		push	20534C53h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8DD384
		push	edi		; size_t
		push	[ebp+var_24]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4C], esi

loc_783A45:				; CODE XREF: SPCallServerHandleIsAppLicensed+159A45j
		mov	eax, [ebp+var_20]
		mov	edi, [eax+8]
		test	edi, edi
		jz	loc_8DD396
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		cmp	eax, 7
		jbe	loc_8DD396
		mov	eax, edi
		xor	esi, esi

loc_783A65:				; CODE XREF: SPCallServerHandleIsAppLicensed+14Dj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DD3A0
		xor	ebx, ebx

loc_783A74:				; CODE XREF: SPCallServerHandleIsAppLicensed+159A5Cj
		mov	[ebp+var_18], ecx
		test	ebx, ebx
		js	loc_783B2D
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_783B2D
		mov	eax, [ebp+var_18]
		inc	esi
		cmp	esi, 7
		jb	short loc_783A65
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DD3AD
		xor	ebx, ebx

loc_783AAA:				; CODE XREF: SPCallServerHandleIsAppLicensed+159A69j
		test	ebx, ebx
		js	short loc_783B2D
		mov	eax, edx
		mov	[ebp+var_54], edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_40], eax
		test	ebx, ebx
		js	short loc_783B2D
		xor	esi, esi
		xor	eax, eax
		cmp	[ebp+var_28], 8
		jbe	loc_8DD3BA
		and	[ebp+var_2C], eax
		jmp	loc_8DD3C6
; 

loc_783AD6:				; CODE XREF: SPCallServerHandleIsAppLicensed+25Aj
		lea	eax, [ebp+var_18]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_783B2D
		mov	ecx, [ebp+var_44]
		mov	esi, [ebp+var_18]
		inc	ecx
		mov	[ebp+var_44], ecx
		cmp	ecx, [ebp+var_38]
		jb	loc_783B9E
		mov	eax, [ebp+var_28]

loc_783AFD:				; CODE XREF: SPCallServerHandleIsAppLicensed+24Cj
		lea	edx, [esi+4]
		cmp	edx, esi
		jb	loc_783BAC
		mov	ecx, [edi]
		xor	ebx, ebx
		add	ecx, eax
		lea	eax, [esi+14h]
		cmp	eax, ecx
		ja	loc_8DD41A
		mov	eax, [ebp+var_34]
		mov	edi, edx
		mov	dword ptr [esi], 10h
		lea	esi, [ebp+var_14]
		movsd
		movsd
		movsd
		movsd
		inc	dword ptr [eax]

loc_783B2D:				; CODE XREF: SPCallServerHandleIsAppLicensed+BDj
					; SPCallServerHandleIsAppLicensed+12Dj	...
		mov	eax, [ebp+var_48]
		test	eax, eax
		jz	short loc_783B3F
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_783B3F:				; CODE XREF: SPCallServerHandleIsAppLicensed+1E6j
		mov	eax, [ebp+var_4C]
		test	eax, eax
		jz	short loc_783B51
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_783B51:				; CODE XREF: SPCallServerHandleIsAppLicensed+1F8j
					; SPCallServerHandleIsAppLicensed+28Aj	...
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_783B64:				; CODE XREF: SPCallServerHandleIsAppLicensed+5B5j
		mov	ecx, [edi]
		push	edi
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_783B2D
		inc	dword ptr [esi]

loc_783B77:				; CODE XREF: SPCallServerHandleIsAppLicensed+53Fj
		mov	eax, [esi+8]
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	loc_8DD492
		mov	ecx, [ebp+var_34]
		mov	esi, eax
		and	[ebp+var_44], 0
		mov	[ebp+var_18], esi
		mov	ecx, [ecx]
		mov	[ebp+var_38], ecx
		test	ecx, ecx
		jz	loc_783AFD

loc_783B9E:				; CODE XREF: SPCallServerHandleIsAppLicensed+1A8j
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jnb	loc_783AD6

loc_783BAC:				; CODE XREF: SPCallServerHandleIsAppLicensed+1B6j
					; SPCallServerHandleIsAppLicensed+4E0j	...
		mov	ebx, 0C0000095h
		jmp	loc_783B2D
; 

loc_783BB6:				; CODE XREF: SPCallServerHandleIsAppLicensed+1598DCj
					; SPCallServerHandleIsAppLicensed+1598E4j
		test	ebx, ebx
		js	short loc_783BCE
		cmp	eax, 8
		jnz	loc_8DD235
		mov	eax, [esi]
		mov	[ebp+var_5C], eax
		mov	eax, [esi+4]
		mov	[ebp+var_44], eax

loc_783BCE:				; CODE XREF: SPCallServerHandleIsAppLicensed+26Cj
		mov	edx, [ebp+var_20]
		mov	eax, [ebp+var_24]

loc_783BD4:				; CODE XREF: SPCallServerHandleIsAppLicensed+1598B4j
		test	ebx, ebx
		js	loc_783B51
		xor	esi, esi
		and	[ebp+var_1C], esi
		test	eax, eax
		jz	loc_8DD23F
		cmp	dword ptr [edx], 4
		jbe	loc_8DD23F
		xor	edi, edi
		jmp	loc_8DD249
; 

loc_783BF9:				; CODE XREF: SPCallServerHandleIsAppLicensed+159931j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DD282
		xor	ebx, ebx

loc_783C08:				; CODE XREF: SPCallServerHandleIsAppLicensed+15993Ej
		test	ebx, ebx
		js	loc_8DD28F
		mov	esi, edx
		mov	eax, edx
		neg	esi
		sbb	esi, esi
		and	esi, ecx

loc_783C1A:				; CODE XREF: SPCallServerHandleIsAppLicensed+159946j
		test	ebx, ebx
		js	short loc_783C2C
		cmp	eax, 4
		jnz	loc_8DD235
		mov	eax, [esi]
		mov	[ebp+var_30], eax

loc_783C2C:				; CODE XREF: SPCallServerHandleIsAppLicensed+2D0j
		mov	eax, [ebp+var_24]

loc_783C2F:				; CODE XREF: SPCallServerHandleIsAppLicensed+1598F8j
		test	ebx, ebx
		js	loc_783B51
		and	[ebp+var_2C], 0
		xor	ecx, ecx
		and	[ebp+var_24], ecx
		xor	esi, esi
		xor	edi, edi
		mov	[ebp+var_28], ecx
		test	eax, eax
		jnz	loc_8DD297

loc_783C4F:				; CODE XREF: SPCallServerHandleIsAppLicensed+159951j
		mov	ebx, 0C000000Dh
		jmp	short loc_783C59
; 

loc_783C56:				; CODE XREF: SPCallServerHandleIsAppLicensed+5C6j
					; SPCallServerHandleIsAppLicensed+617j	...
		mov	ecx, [ebp+var_28]

loc_783C59:				; CODE XREF: SPCallServerHandleIsAppLicensed+308j
					; SPCallServerHandleIsAppLicensed+1599B5j
		test	ebx, ebx
		js	loc_783B51
		lea	edi, ds:2[ecx*2]
		test	edi, edi
		jz	loc_8DD2CD
		push	20534C53h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8DD306
		push	edi		; size_t
		push	[ebp+var_2C]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_48], esi

loc_783C97:				; CODE XREF: SPCallServerHandleIsAppLicensed+1599C7j
		mov	edx, [ebp+var_20]
		xor	ecx, ecx
		and	[ebp+var_24], 0
		xor	esi, esi
		and	[ebp+var_1C], ecx
		xor	edi, edi
		mov	[ebp+var_28], ecx
		mov	eax, [edx+8]
		test	eax, eax
		jnz	loc_8DD318

loc_783CB5:				; CODE XREF: SPCallServerHandleIsAppLicensed+1599CFj
		mov	ebx, 0C000000Dh
		jmp	loc_783A07
; 

loc_783CBF:				; CODE XREF: SPCallServerHandleIsAppLicensed+159AAFj
		mov	eax, [ebp+var_18]
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DD406
		xor	ebx, ebx

loc_783CD1:				; CODE XREF: SPCallServerHandleIsAppLicensed+159AC2j
		test	ebx, ebx
		js	loc_8DD413
		mov	esi, edx
		mov	eax, edx
		neg	esi
		sbb	esi, esi
		and	esi, ecx

loc_783CE3:				; CODE XREF: SPCallServerHandleIsAppLicensed+159AC9j
		test	ebx, ebx
		js	loc_8DD424
		cmp	eax, 4
		jnz	loc_8DD41A
		mov	ecx, [esi]

loc_783CF6:				; CODE XREF: SPCallServerHandleIsAppLicensed+159A75j
					; SPCallServerHandleIsAppLicensed+159ADBj
		test	ebx, ebx
		js	loc_783B2D
		mov	eax, ds:dword_A93E84
		test	eax, eax
		jz	loc_8DD42C
		lea	edx, [ebp+var_14]
		push	edx
		push	ecx
		push	[ebp+var_54]
		push	[ebp+var_40]
		push	[ebp+var_4C]
		push	[ebp+var_48]
		push	[ebp+var_30]
		call	eax

loc_783D21:				; CODE XREF: SPCallServerHandleIsAppLicensed+159AE5j
		mov	[ebp+var_40], eax
		push	8
		pop	edi
		mov	[ebp+var_30], edi
		lea	eax, [ebp+var_30]
		mov	ecx, edi
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8DD436
		mov	eax, [ebp+var_30]
		mov	[ebp+var_3C], eax

loc_783D48:				; CODE XREF: SPCallServerHandleIsAppLicensed+159AEDj
		test	ebx, ebx
		js	loc_783B2D
		lea	ecx, [ebp+var_3C]
		push	ecx
		push	14h
		pop	edx
		mov	ecx, eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_783B2D
		xor	esi, esi
		mov	[ebp+var_58], edi
		mov	edx, [ebp+var_3C]
		lea	eax, [ebp+var_58]
		push	eax
		mov	ecx, edi
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_783B2D
		mov	eax, [ebp+var_58]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_783DDA
		mov	ebx, 0C0000095h

loc_783D97:				; CODE XREF: SPCallServerHandleIsAppLicensed+4EDj
		test	ebx, ebx
		js	loc_783B2D
		mov	edi, [ebp+var_38]
		mov	edx, esi
		push	4
		pop	ecx
		mov	[ebp+var_20], ecx
		mov	eax, [edi+10h]
		mov	edi, [edi+8]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_20]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_783B2D
		mov	eax, [ebp+var_20]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jnb	short loc_783E3E
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	short loc_783E40
; 

loc_783DDA:				; CODE XREF: SPCallServerHandleIsAppLicensed+444j
		lea	esi, [ecx+8]
		cmp	esi, ecx
		jnb	short loc_783E37

loc_783DE1:				; CODE XREF: SPCallServerHandleIsAppLicensed+51Cj
		mov	ebx, 0C0000095h

loc_783DE6:				; CODE XREF: SPCallServerHandleIsAppLicensed+530j
		test	ebx, ebx
		js	loc_783B2D
		mov	ebx, [ebp+var_34]
		mov	eax, [ebp+var_3C]
		lea	edi, [ebx+4]
		mov	[edi], eax
		test	eax, eax
		jz	loc_8DD43E
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_8DD448
		mov	[ebx+8], edx
		and	dword ptr [ebx], 0
		mov	ebx, [ebp+var_40]
		or	ebx, 10000000h
		lea	esi, [edx+4]
		cmp	esi, edx
		jb	loc_783BAC
		jmp	loc_8DD452
; 

loc_783E37:				; CODE XREF: SPCallServerHandleIsAppLicensed+493j
		xor	ebx, ebx
		jmp	loc_783D97
; 

loc_783E3E:				; CODE XREF: SPCallServerHandleIsAppLicensed+482j
		xor	ebx, ebx

loc_783E40:				; CODE XREF: SPCallServerHandleIsAppLicensed+48Cj
		mov	[ebp+var_20], ecx
		test	ebx, ebx
		js	loc_783B2D
		lea	eax, [ebp+var_20]
		mov	edx, edi
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_783B2D
		mov	eax, [ebp+var_20]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_783DE1
		mov	edx, [ebp+var_38]
		lea	eax, [ebp+var_20]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		jmp	loc_783DE6
; 

loc_783E81:				; CODE XREF: SPCallServerHandleIsAppLicensed+585j
		mov	ebx, 0C0000095h

loc_783E86:				; CODE XREF: SPCallServerHandleIsAppLicensed+559j
		mov	esi, [ebp+var_34]

loc_783E89:				; CODE XREF: SPCallServerHandleIsAppLicensed+159B41j
		test	ebx, ebx
		jns	loc_783B77
		jmp	loc_783B2D
; 

loc_783E96:				; CODE XREF: SPCallServerHandleIsAppLicensed+587j
		lea	eax, [ebp+var_18]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_783E86
		mov	ecx, [ebp+var_30]
		mov	esi, [ebp+var_18]
		inc	ecx
		mov	[ebp+var_30], ecx
		cmp	ecx, [ebp+var_38]
		jnb	loc_8DD462
		jmp	short loc_783EC9
; 

loc_783EBC:				; CODE XREF: SPCallServerHandleIsAppLicensed+5B3j
		and	[ebp+var_30], 0
		mov	esi, eax
		mov	[ebp+var_18], esi
		test	ecx, ecx
		jz	short loc_783ED5

loc_783EC9:				; CODE XREF: SPCallServerHandleIsAppLicensed+56Ej
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_783E81
		jmp	short loc_783E96
; 

loc_783ED5:				; CODE XREF: SPCallServerHandleIsAppLicensed+57Bj
					; SPCallServerHandleIsAppLicensed+159B19j
		lea	edx, [esi+4]
		cmp	edx, esi
		jb	loc_783BAC
		jmp	loc_8DD46A
; 

loc_783EE5:				; CODE XREF: SPCallServerHandleIsAppLicensed+159B11j
		mov	dword ptr [edx], 4
		mov	[esi], ebx
		mov	esi, [ebp+var_34]
		inc	dword ptr [esi]
		mov	ecx, [esi]
		mov	[ebp+var_38], ecx
		mov	eax, [esi+8]
		mov	[ebp+var_28], eax
		test	eax, eax
		jnz	short loc_783EBC
		jmp	loc_783B64
; 

loc_783F06:				; CODE XREF: SPCallServerHandleIsAppLicensed+15997Cj
		mov	esi, edx
		mov	edi, edx
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		test	ebx, ebx
		js	loc_783C56
		test	edi, edi
		jz	loc_8DD2CD
		test	edi, 1
		jnz	loc_8DD2CD
		jmp	loc_8DD2D4
; 

loc_783F31:				; CODE XREF: SPCallServerHandleIsAppLicensed+1599FAj
		mov	esi, edx
		mov	edi, edx
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		test	ebx, ebx
		js	loc_783A04
		test	edi, edi
		jz	loc_8DD34B
		test	edi, 1
		jnz	loc_8DD34B
		jmp	loc_8DD352
; 

loc_783F5C:				; CODE XREF: SPCallServerHandleIsAppLicensed+64Aj
		xor	ebx, ebx

loc_783F5E:				; CODE XREF: SPCallServerHandleIsAppLicensed+654j
		mov	[ebp+var_18], ecx
		test	ebx, ebx
		js	loc_783C56
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_783C56
		mov	eax, [ebp+var_1C]
		inc	eax
		mov	[ebp+var_1C], eax
		cmp	eax, 5
		mov	eax, [ebp+var_18]
		jnb	loc_8DD2AB

loc_783F8F:				; CODE XREF: SPCallServerHandleIsAppLicensed+15995Aj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jnb	short loc_783F5C
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	short loc_783F5E
; 

loc_783FA2:				; CODE XREF: SPCallServerHandleIsAppLicensed+690j
		xor	ebx, ebx

loc_783FA4:				; CODE XREF: SPCallServerHandleIsAppLicensed+69Aj
		mov	[ebp+var_18], ecx
		test	ebx, ebx
		js	loc_783A04
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_783A04
		mov	edx, [ebp+var_2C]
		mov	eax, [ebp+var_18]
		inc	edx
		mov	[ebp+var_2C], edx
		cmp	edx, 6
		jnb	loc_8DD329

loc_783FD5:				; CODE XREF: SPCallServerHandleIsAppLicensed+1599D8j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jnb	short loc_783FA2
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	short loc_783FA4
; END OF FUNCTION CHUNK	FOR SPCallServerHandleIsAppLicensed

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_783FE8	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	1Fh
		pop	ecx
		div	ecx
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		mov	esi, [ebp+arg_14]
		and	edi, 3
		mov	ebx, [ebp+arg_18]
		shr	eax, 1
		dec	eax
		lea	ecx, [edx+1]
		and	eax, 1
		xor	edx, edx
		push	1Fh
		mov	eax, [esi+eax*4]
		sub	eax, ebx
		ror	eax, cl
		mov	[ebp+arg_8], eax
		movzx	eax, word ptr [esi+edi*2]
		mov	esi, [ebp+arg_8]
		imul	esi, eax
		mov	eax, [ebp+arg_C]
		pop	ecx
		div	ecx
		pop	edi
		lea	ecx, [edx+1]
		ror	ebx, cl
		xor	esi, ebx
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_783FE8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SPCallServerHandleClepKdf proc near	; CODE XREF: sub_785212+1ACBp

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DD4B0 SIZE 000000AE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	eax, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_38], edx
		mov	[ebp+var_44], eax
		mov	[ebp+var_60], edi
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_58], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_50], edi
		test	eax, eax
		jz	loc_8DD4B0
		test	edx, edx
		jz	loc_8DD4B0
		mov	edx, 0C000000Dh
		test	ebx, ebx
		jz	loc_784473
		mov	ecx, [eax+8]
		mov	esi, edi
		mov	[ebp+var_2C], ecx
		test	ecx, ecx
		jz	short loc_784120
		cmp	dword ptr [eax], 3
		jbe	short loc_784120
		mov	eax, ecx

loc_7840AA:				; CODE XREF: SPCallServerHandleClepKdf+98j
		mov	ecx, [eax]
		mov	[ebp+var_40], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_7840F4
		xor	edx, edx

loc_7840B8:				; CODE XREF: SPCallServerHandleClepKdf+BCj
		mov	[ebp+var_28], ecx
		test	edx, edx
		js	short loc_7840FE
		mov	edx, [ebp+var_40]
		lea	eax, [ebp+var_28]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_7840FE
		mov	eax, [ebp+var_28]
		inc	edi
		cmp	edi, 3
		jb	short loc_7840AA
		mov	edi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jnb	loc_784575
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_784577
; 

loc_7840F4:				; CODE XREF: SPCallServerHandleClepKdf+74j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	short loc_7840B8
; 

loc_7840FE:				; CODE XREF: SPCallServerHandleClepKdf+7Dj
					; SPCallServerHandleClepKdf+8Fj ...
		mov	eax, esi

loc_784100:				; CODE XREF: SPCallServerHandleClepKdf+549j
		test	edx, edx
		js	short loc_784118
		cmp	eax, 8
		jnz	loc_8DD4BA
		mov	eax, [esi]
		mov	[ebp+var_60], eax
		mov	eax, [esi+4]
		mov	[ebp+var_4C], eax

loc_784118:				; CODE XREF: SPCallServerHandleClepKdf+C2j
		mov	ecx, [ebp+var_2C]
		xor	edi, edi
		mov	eax, [ebp+var_44]

loc_784120:				; CODE XREF: SPCallServerHandleClepKdf+61j
					; SPCallServerHandleClepKdf+66j
		test	edx, edx
		js	loc_784473
		test	ecx, ecx
		jz	loc_8DD4B0
		mov	eax, [eax]
		mov	[ebp+var_44], eax
		cmp	eax, 4
		jbe	loc_8DD4B0
		mov	eax, ecx
		mov	esi, edi

loc_784142:				; CODE XREF: SPCallServerHandleClepKdf+138j
		mov	edi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DD4C4
		xor	edx, edx

loc_784151:				; CODE XREF: SPCallServerHandleClepKdf+15948Cj
		mov	[ebp+var_30], ecx
		test	edx, edx
		js	loc_784473
		lea	eax, [ebp+var_30]
		mov	edx, edi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_784473
		mov	eax, [ebp+var_30]
		inc	esi
		cmp	esi, 4
		jb	short loc_784142
		mov	esi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DD4D1
		xor	edx, edx

loc_784189:				; CODE XREF: SPCallServerHandleClepKdf+159499j
		test	edx, edx
		js	loc_784473
		mov	eax, esi
		mov	[ebp+var_58], esi
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_48], eax
		test	edx, edx
		js	loc_784473
		cmp	[ebp+var_44], 5
		jbe	loc_8DD4B0
		mov	eax, [ebp+var_2C]
		xor	esi, esi

loc_7841B6:				; CODE XREF: SPCallServerHandleClepKdf+1ACj
		mov	edi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DD4DE
		xor	edx, edx

loc_7841C5:				; CODE XREF: SPCallServerHandleClepKdf+1594A6j
		mov	[ebp+var_30], ecx
		test	edx, edx
		js	loc_8DD4F8
		lea	eax, [ebp+var_30]
		mov	edx, edi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_8DD4F8
		mov	eax, [ebp+var_30]
		inc	esi
		cmp	esi, 5
		jb	short loc_7841B6
		mov	esi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DD4EB
		xor	edx, edx

loc_7841FD:				; CODE XREF: SPCallServerHandleClepKdf+1594B3j
		test	edx, edx
		js	loc_8DD4F8
		mov	edi, esi
		mov	[ebp+var_54], esi
		neg	edi
		sbb	edi, edi
		and	edi, ecx

loc_784210:				; CODE XREF: SPCallServerHandleClepKdf+1594BBj
		test	edx, edx
		js	loc_784473
		cmp	[ebp+var_44], 6
		jbe	loc_8DD4B0
		mov	edx, [ebp+var_2C]
		xor	esi, esi

loc_784227:				; CODE XREF: SPCallServerHandleClepKdf+21Fj
		mov	eax, [edx]
		lea	ecx, [edx+4]
		cmp	ecx, edx
		jb	loc_8DD500
		xor	edx, edx

loc_784236:				; CODE XREF: SPCallServerHandleClepKdf+1594C8j
		mov	[ebp+var_3C], ecx
		test	edx, edx
		js	loc_8DD51A
		lea	edx, [ebp+var_3C]
		push	edx
		mov	edx, eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_8DD51A
		inc	esi
		cmp	esi, 6
		jnb	short loc_784261
		mov	edx, [ebp+var_3C]
		jmp	short loc_784227
; 

loc_784261:				; CODE XREF: SPCallServerHandleClepKdf+21Aj
		mov	eax, [ebp+var_3C]
		mov	esi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_8DD50D
		xor	edx, edx

loc_784273:				; CODE XREF: SPCallServerHandleClepKdf+1594D5j
		test	edx, edx
		js	loc_8DD51A
		mov	[ebp+var_50], esi
		neg	esi
		sbb	esi, esi
		and	esi, ecx

loc_784284:				; CODE XREF: SPCallServerHandleClepKdf+1594DDj
		test	edx, edx
		js	loc_784473
		mov	eax, ds:dword_A93EA0
		test	eax, eax
		jz	loc_8DD522
		push	20h
		lea	ecx, [ebp+var_24]
		push	ecx
		push	[ebp+var_50]
		push	esi
		push	[ebp+var_54]
		push	edi
		push	[ebp+var_58]
		push	[ebp+var_48]
		call	eax
		mov	esi, eax

loc_7842B1:				; CODE XREF: SPCallServerHandleClepKdf+1594E7j
		mov	edx, esi
		test	esi, esi
		js	loc_784473
		and	[ebp+var_28], 0
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_784473
		mov	ecx, [ebp+var_28]
		lea	eax, [ebp+var_28]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_784473
		mov	ecx, [ebp+var_28]
		lea	eax, [ebp+var_28]
		push	eax
		push	24h
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_784473
		push	8
		pop	ecx
		xor	edi, edi
		mov	[ebp+var_5C], ecx
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_5C]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_784473
		mov	eax, [ebp+var_5C]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_78437F
		mov	edx, 0C0000095h

loc_784339:				; CODE XREF: SPCallServerHandleClepKdf+39Dj
		test	edx, edx
		js	loc_784473
		mov	ecx, [ebp+var_38]
		mov	edx, edi
		push	4
		mov	eax, [ecx+10h]
		mov	[ebp+var_40], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_2C]
		pop	ecx
		push	eax
		mov	[ebp+var_2C], ecx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_784473
		mov	eax, [ebp+var_2C]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jnb	short loc_7843E2
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	short loc_7843E4
; 

loc_78437F:				; CODE XREF: SPCallServerHandleClepKdf+2F2j
		lea	edi, [ecx+8]
		cmp	edi, ecx
		jnb	short loc_7843DB

loc_784386:				; CODE XREF: SPCallServerHandleClepKdf+3C9j
		mov	edx, 0C0000095h

loc_78438B:				; CODE XREF: SPCallServerHandleClepKdf+3DDj
		test	edx, edx
		js	loc_784473
		mov	eax, [ebp+var_28]
		lea	edi, [ebx+4]
		mov	[edi], eax
		test	eax, eax
		jz	loc_8DD52C
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_8DD536
		mov	[ebx+8], edx
		and	dword ptr [ebx], 0
		or	esi, 10000000h
		lea	eax, [edx+4]
		cmp	eax, edx
		jnb	loc_7844CC

loc_7843D1:				; CODE XREF: SPCallServerHandleClepKdf+40Dj
					; SPCallServerHandleClepKdf+481j ...
		mov	edx, 0C0000095h
		jmp	loc_784473
; 

loc_7843DB:				; CODE XREF: SPCallServerHandleClepKdf+344j
		xor	edx, edx
		jmp	loc_784339
; 

loc_7843E2:				; CODE XREF: SPCallServerHandleClepKdf+333j
		xor	edx, edx

loc_7843E4:				; CODE XREF: SPCallServerHandleClepKdf+33Dj
		mov	[ebp+var_2C], ecx
		test	edx, edx
		js	loc_784473
		mov	edx, [ebp+var_38]
		lea	eax, [ebp+var_2C]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_784473
		mov	eax, [ebp+var_2C]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_784386
		mov	edx, [ebp+var_40]
		lea	eax, [ebp+var_2C]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		jmp	loc_78438B
; 

loc_784422:				; CODE XREF: SPCallServerHandleClepKdf+487j
		lea	eax, [ebp+var_34]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_784473
		mov	ecx, [ebp+var_4C]
		mov	esi, [ebp+var_34]
		inc	ecx
		mov	[ebp+var_4C], ecx
		cmp	ecx, [ebp+var_38]
		jb	short loc_7844B9
		mov	eax, [ebp+var_40]

loc_784445:				; CODE XREF: SPCallServerHandleClepKdf+477j
		lea	ecx, [esi+4]
		mov	[ebp+var_38], ecx
		cmp	ecx, esi
		jb	short loc_7843D1
		mov	ecx, [edi]
		xor	edx, edx
		add	ecx, eax
		lea	eax, [esi+24h]
		cmp	eax, ecx
		ja	loc_8DD4BA
		mov	edi, [ebp+var_38]
		mov	dword ptr [esi], 20h
		lea	esi, [ebp+var_24]
		push	8
		pop	ecx
		rep movsd
		inc	dword ptr [ebx]

loc_784473:				; CODE XREF: SPCallServerHandleClepKdf+51j
					; SPCallServerHandleClepKdf+E2j ...
		mov	ecx, [ebp+var_4]
		mov	eax, edx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_784486:				; CODE XREF: SPCallServerHandleClepKdf+4B3j
		mov	ecx, [edi]
		push	edi
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_784473
		inc	dword ptr [ebx]

loc_784499:				; CODE XREF: SPCallServerHandleClepKdf+52Aj
		mov	eax, [ebx+8]
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	loc_8DD540
		mov	ecx, [ebx]
		mov	esi, eax
		and	[ebp+var_4C], 0
		mov	[ebp+var_34], esi
		mov	[ebp+var_38], ecx
		test	ecx, ecx
		jz	short loc_784445

loc_7844B9:				; CODE XREF: SPCallServerHandleClepKdf+400j
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	loc_7843D1
		jmp	loc_784422
; 

loc_7844CC:				; CODE XREF: SPCallServerHandleClepKdf+38Bj
		mov	ecx, [edi]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		ja	loc_8DD4BA
		mov	dword ptr [edx], 4
		mov	[edx+4], esi
		inc	dword ptr [ebx]
		mov	ecx, [ebx]
		mov	[ebp+var_38], ecx
		mov	eax, [ebx+8]
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	short loc_784486
		and	[ebp+var_48], 0
		mov	esi, eax
		mov	[ebp+var_34], esi
		test	ecx, ecx
		jz	short loc_784530

loc_784502:				; CODE XREF: SPCallServerHandleClepKdf+4EEj
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_784563
		lea	eax, [ebp+var_34]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_784473
		mov	ecx, [ebp+var_48]
		mov	esi, [ebp+var_34]
		inc	ecx
		mov	[ebp+var_48], ecx
		cmp	ecx, [ebp+var_38]
		jb	short loc_784502

loc_784530:				; CODE XREF: SPCallServerHandleClepKdf+4C0j
		lea	eax, [esi+4]
		cmp	eax, esi
		jb	loc_7843D1
		mov	ecx, [edi]
		lea	eax, [esi+0Ch]
		add	ecx, [ebp+var_40]
		xor	edx, edx
		cmp	eax, ecx
		ja	loc_8DD4BA
		mov	eax, [ebp+var_60]
		mov	dword ptr [esi], 8
		mov	[esi+4], eax
		mov	eax, [ebp+var_4C]
		mov	[esi+8], eax
		inc	dword ptr [ebx]
		jmp	short loc_784568
; 

loc_784563:				; CODE XREF: SPCallServerHandleClepKdf+4CAj
		mov	edx, 0C0000095h

loc_784568:				; CODE XREF: SPCallServerHandleClepKdf+521j
		test	edx, edx
		jns	loc_784499
		jmp	loc_784473
; 

loc_784575:				; CODE XREF: SPCallServerHandleClepKdf+A1j
		xor	edx, edx

loc_784577:				; CODE XREF: SPCallServerHandleClepKdf+AFj
		test	edx, edx
		js	loc_7840FE
		mov	esi, edi
		mov	eax, edi
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		jmp	loc_784100
SPCallServerHandleClepKdf endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_78458E	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	1Fh
		pop	ecx
		div	ecx
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		mov	esi, [ebp+arg_14]
		and	edi, 3
		mov	ebx, [ebp+arg_18]
		shr	eax, 1
		dec	eax
		lea	ecx, [edx+1]
		and	eax, 1
		xor	edx, edx
		push	1Fh
		mov	eax, [esi+eax*4]
		xor	eax, ebx
		ror	eax, cl
		mov	[ebp+arg_8], eax
		movzx	eax, word ptr [esi+edi*2]
		mov	esi, [ebp+arg_8]
		imul	esi, eax
		mov	eax, [ebp+arg_C]
		pop	ecx
		div	ecx
		pop	edi
		lea	ecx, [edx+1]
		ror	ebx, cl
		sub	esi, ebx
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_78458E	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_7845E6	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	1Fh
		pop	ecx
		div	ecx
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		mov	esi, [ebp+arg_14]
		and	edi, 3
		mov	ebx, [ebp+arg_18]
		shr	eax, 1
		dec	eax
		lea	ecx, [edx+1]
		and	eax, 1
		xor	edx, edx
		push	1Fh
		mov	eax, [esi+eax*4]
		sub	eax, ebx
		ror	eax, cl
		mov	[ebp+arg_8], eax
		movzx	eax, word ptr [esi+edi*2]
		mov	esi, [ebp+arg_8]
		imul	esi, eax
		mov	eax, [ebp+arg_C]
		pop	ecx
		div	ecx
		pop	edi
		lea	ecx, [edx+1]
		ror	ebx, cl
		lea	eax, [ebx+esi]
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_7845E6	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_78463C	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	7
		pop	ecx
		div	ecx
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		mov	esi, [ebp+arg_14]
		and	edi, 3
		mov	ebx, [ebp+arg_18]
		shr	eax, 1
		dec	eax
		lea	ecx, [edx+1]
		and	eax, 1
		xor	edx, edx
		push	0Fh
		mov	eax, [esi+eax*4]
		xor	eax, ebx
		rol	eax, cl
		mov	[ebp+arg_8], eax
		movzx	eax, word ptr [esi+edi*2]
		mov	esi, [ebp+arg_8]
		imul	esi, eax
		mov	eax, [ebp+arg_C]
		pop	ecx
		div	ecx
		pop	edi
		lea	ecx, [edx+1]
		shr	ebx, cl
		sub	esi, ebx
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_78463C	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784694	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	1Fh
		pop	ecx
		div	ecx
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		mov	esi, [ebp+arg_14]
		and	edi, 3
		mov	ebx, [ebp+arg_18]
		shr	eax, 1
		dec	eax
		lea	ecx, [edx+1]
		and	eax, 1
		xor	edx, edx
		push	1Fh
		mov	eax, [esi+eax*4]
		sub	eax, ebx
		ror	eax, cl
		mov	[ebp+arg_8], eax
		movzx	eax, word ptr [esi+edi*2]
		mov	esi, [ebp+arg_8]
		imul	esi, eax
		mov	eax, [ebp+arg_C]
		pop	ecx
		div	ecx
		pop	edi
		lea	ecx, [edx+1]
		ror	ebx, cl
		sub	esi, ebx
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_784694	endp

; 
		align 10h
; Exported entry  21.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExpGetKernelDataProtection
ExpGetKernelDataProtection proc	near	; CODE XREF: ExpGetLicenseTamperState(x,x)+43p
					; PAGE:00A06444p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DD55E SIZE 00000017 BYTES

		push	10h
		push	offset dword_6A1A10
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_8DD55E
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [ebp+arg_0]
		lea	ecx, [esi+5C28h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+5C24h]
		test	eax, eax
		jz	loc_8DD568
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		mov	[ebp+arg_4], ebx
		mov	[ebp+arg_4], eax
		lea	ecx, [ebp+arg_4]
		call	WarbirdKmDecryptPointer
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], ebx
		push	0Ch
		pop	ecx
		rep movsd

loc_78474E:				; CODE XREF: ExpGetKernelDataProtection+158E80j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_78476E

loc_78475A:				; CODE XREF: ExpGetKernelDataProtection+158E73j
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
ExpGetKernelDataProtection endp


;  S U B	R O U T	I N E 


sub_78476E	proc near		; CODE XREF: ExpGetKernelDataProtection+65p
					; sub_8DD575+3j
		mov	esi, [ebp+8]
		add	esi, 5C28h
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_78478D

loc_784785:				; CODE XREF: sub_78476E+26j
		mov	ecx, esi
		call	KeAbPostRelease
		retn
; 

loc_78478D:				; CODE XREF: sub_78476E+15j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_784785
sub_78476E	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WarbirdKmDecryptPointer	proc near	; CODE XREF: sub_782FD2+19p
					; ExpGetKernelDataProtection+4Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DD57D SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ecx
		mov	[ebp+var_24], eax
		push	ebx
		push	esi
		mov	eax, [eax]
		mov	[ebp+var_14], eax
		mov	eax, ds:dword_A940A0
		mov	[ebp+var_10], eax
		mov	eax, ds:dword_A940A4
		push	edi
		mov	[ebp+var_C], eax
		xor	eax, eax
		or	ebx, 0FFFFFFFFh
		mov	[ebp+var_1C], eax
		push	38h
		mov	[ebp+var_20], ebx
		mov	edi, eax
		mov	[ebp+var_18], eax
		lea	ebx, [ebp+var_14]
		mov	esi, eax
		pop	edx

loc_7847DD:				; CODE XREF: WarbirdKmDecryptPointer+63j
		movzx	eax, byte ptr [ebx]
		inc	ebx
		cmp	esi, 4
		jge	loc_8DD57D
		lea	ecx, [edx-20h]
		shl	eax, cl
		or	[ebp+var_18], eax

loc_7847F2:				; CODE XREF: WarbirdKmDecryptPointer+158DEEj
		sub	edx, 8
		inc	esi
		cmp	edx, 18h
		jg	short loc_7847DD
		mov	ebx, [ebp+var_20]
		mov	esi, offset unk_A9407E
		push	1Eh
		pop	edx
		mov	[ebp+var_14], edx

loc_784809:				; CODE XREF: WarbirdKmDecryptPointer+96j
		mov	al, ds:byte_A94081[edx]
		cmp	al, 1Fh
		jb	short loc_784892

loc_784813:				; CODE XREF: WarbirdKmDecryptPointer+127j
		mov	al, ds:byte_A94080[edx]
		cmp	al, 1Fh
		jb	short loc_784867

loc_78481D:				; CODE XREF: WarbirdKmDecryptPointer+FAj
		sub	edx, 2
		sub	esi, 8
		mov	[ebp+var_14], edx
		cmp	esi, offset unk_A94006
		jge	short loc_784809
		xor	edi, [ebp+var_18]
		lea	esi, [ebp+var_20]
		xor	ebx, [ebp+var_1C]
		xor	eax, eax
		cmp	eax, 4
		jge	loc_8DD589

loc_784842:				; CODE XREF: WarbirdKmDecryptPointer+B8j
		rol	edi, 8
		mov	ecx, edi

loc_784847:				; CODE XREF: WarbirdKmDecryptPointer+158DF8j
		mov	[esi], cl
		inc	eax
		inc	esi
		cmp	eax, 4
		jl	short loc_784842
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_20]
		pop	edi
		pop	esi
		mov	[ecx], eax
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_784867:				; CODE XREF: WarbirdKmDecryptPointer+85j
		movzx	ecx, al
		lea	eax, [ebp+var_10]
		push	ebx
		push	eax
		movzx	eax, byte ptr [esi-3]
		push	eax
		movzx	eax, byte ptr [esi-4]
		push	eax
		movzx	eax, byte ptr [esi-5]
		push	eax
		movzx	eax, byte ptr [esi-6]
		push	eax
		push	edx
		call	ds:off_A93F70[ecx*4]
		mov	edx, [ebp+var_14]
		xor	edi, eax
		jmp	short loc_78481D
; 

loc_784892:				; CODE XREF: WarbirdKmDecryptPointer+7Bj
		movzx	ecx, al
		lea	eax, [ebp+var_10]
		push	edi
		push	eax
		movzx	eax, byte ptr [esi+1]
		push	eax
		movzx	eax, byte ptr [esi]
		push	eax
		movzx	eax, byte ptr [esi-1]
		push	eax
		movzx	eax, byte ptr [esi-2]
		push	eax
		lea	eax, [edx+1]
		push	eax
		call	ds:off_A93F70[ecx*4]
		mov	edx, [ebp+var_14]
		xor	ebx, eax
		jmp	loc_784813
WarbirdKmDecryptPointer	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_7848D0	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, 88888889h
		mul	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		shr	edx, 3
		and	ebx, 3
		mov	eax, edx
		shl	eax, 4
		sub	eax, edx
		sub	ecx, eax
		push	esi
		mov	esi, [ebp+arg_14]
		inc	ecx
		push	edi
		mov	edi, [ebp+arg_18]
		ror	edi, cl
		movzx	eax, word ptr [esi+ebx*2]
		mov	ecx, [ebp+arg_8]
		xor	edi, eax
		mov	eax, 0AAAAAAABh
		mul	ecx
		inc	ecx
		shr	edx, 1
		add	edx, ebx
		add	ecx, edx
		and	ecx, 3
		movzx	eax, word ptr [esi+ecx*2]
		imul	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_7848D0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784930	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, 88888889h
		mul	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		shr	edx, 3
		and	ebx, 3
		mov	eax, edx
		shl	eax, 4
		sub	eax, edx
		sub	ecx, eax
		push	esi
		mov	esi, [ebp+arg_14]
		inc	ecx
		push	edi
		mov	edi, [ebp+arg_18]
		ror	edi, cl
		movzx	eax, word ptr [esi+ebx*2]
		mov	ecx, [ebp+arg_8]
		sub	edi, eax
		mov	eax, 0AAAAAAABh
		mul	ecx
		inc	ecx
		shr	edx, 1
		add	edx, ebx
		add	ecx, edx
		and	ecx, 3
		movzx	eax, word ptr [esi+ecx*2]
		imul	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_784930	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784990	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ecx, [ebp+arg_8]
		mov	eax, 88888889h
		mul	ecx
		mov	ebx, [ebp+arg_18]
		shr	edx, 3
		mov	eax, edx
		shl	eax, 4
		sub	eax, edx
		sub	ecx, eax
		mov	eax, 0AAAAAAABh
		inc	ecx
		shr	ebx, cl
		mov	ecx, [ebp+arg_4]
		mul	ecx
		mov	esi, [ebp+arg_0]
		inc	ecx
		and	esi, 3
		shr	edx, 1
		add	edx, esi
		mov	[ebp+arg_0], esi
		mov	eax, [ebp+arg_0]
		add	ecx, edx
		mov	edx, [ebp+arg_14]
		and	ecx, 3
		pop	edi
		movzx	esi, word ptr [edx+ecx*2]
		xor	esi, [ebp+arg_18]
		movzx	eax, word ptr [edx+eax*2]
		imul	eax, esi
		pop	esi
		xor	eax, ebx
		pop	ebx
		pop	ebp
		retn	1Ch
sub_784990	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_7849F0	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ecx, [ebp+arg_8]
		mov	eax, 88888889h
		mul	ecx
		mov	ebx, [ebp+arg_18]
		shr	edx, 3
		mov	eax, edx
		shl	eax, 4
		sub	eax, edx
		sub	ecx, eax
		mov	eax, 0AAAAAAABh
		inc	ecx
		ror	ebx, cl
		mov	ecx, [ebp+arg_4]
		mul	ecx
		mov	esi, [ebp+arg_0]
		inc	ecx
		and	esi, 3
		shr	edx, 1
		add	edx, esi
		mov	[ebp+arg_0], esi
		mov	eax, [ebp+arg_0]
		add	ecx, edx
		mov	edx, [ebp+arg_14]
		and	ecx, 3
		pop	edi
		movzx	esi, word ptr [edx+ecx*2]
		xor	esi, [ebp+arg_18]
		movzx	eax, word ptr [edx+eax*2]
		imul	eax, esi
		pop	esi
		xor	eax, ebx
		pop	ebx
		pop	ebp
		retn	1Ch
sub_7849F0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784A50	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, 8421085h
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ecx, edi
		mul	edi
		mov	ebx, [ebp+arg_18]
		sub	ecx, edx
		shr	ecx, 1
		add	ecx, edx
		mov	edx, [ebp+arg_14]
		shr	ecx, 4
		mov	eax, ecx
		shl	eax, 5
		sub	eax, ecx
		sub	edi, eax
		mov	eax, esi
		shr	eax, 1
		and	esi, 3
		dec	eax
		and	eax, 1
		lea	ecx, [edi+1]
		pop	edi
		mov	eax, [edx+eax*4]
		xor	eax, ebx
		ror	eax, cl
		movzx	ecx, word ptr [edx+esi*2]
		imul	eax, ecx
		mov	ecx, [ebp+arg_C]
		mov	esi, ecx
		mov	[ebp+arg_8], eax
		mov	eax, 8421085h
		mul	ecx
		mov	eax, [ebp+arg_8]
		sub	esi, edx
		shr	esi, 1
		add	esi, edx
		shr	esi, 4
		mov	edx, esi
		shl	edx, 5
		sub	edx, esi
		sub	ecx, edx
		inc	ecx
		ror	ebx, cl
		pop	esi
		add	eax, ebx
		pop	ebx
		pop	ebp
		retn	1Ch
sub_784A50	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784AD0	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, 8421085h
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ecx, edi
		mul	edi
		mov	ebx, [ebp+arg_18]
		sub	ecx, edx
		shr	ecx, 1
		add	ecx, edx
		mov	edx, [ebp+arg_14]
		shr	ecx, 4
		mov	eax, ecx
		shl	eax, 5
		sub	eax, ecx
		sub	edi, eax
		mov	eax, esi
		shr	eax, 1
		and	esi, 3
		dec	eax
		and	eax, 1
		lea	ecx, [edi+1]
		pop	edi
		mov	eax, [edx+eax*4]
		add	eax, ebx
		ror	eax, cl
		movzx	ecx, word ptr [edx+esi*2]
		imul	eax, ecx
		mov	ecx, [ebp+arg_C]
		mov	esi, ecx
		mov	[ebp+arg_8], eax
		mov	eax, 8421085h
		mul	ecx
		mov	eax, [ebp+arg_8]
		sub	esi, edx
		shr	esi, 1
		add	esi, edx
		shr	esi, 4
		mov	edx, esi
		shl	edx, 5
		sub	edx, esi
		sub	ecx, edx
		inc	ecx
		ror	ebx, cl
		pop	esi
		sub	eax, ebx
		pop	ebx
		pop	ebp
		retn	1Ch
sub_784AD0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784B50	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_14]
		and	eax, 1
		mov	edx, [ecx+eax*4]
		dec	eax
		xor	edx, [ebp+arg_18]
		and	eax, 1
		mov	eax, [ecx+eax*4]
		sub	eax, edx
		pop	ebp
		retn	1Ch
sub_784B50	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784B80	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, 88888889h
		mul	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		shr	edx, 3
		and	ebx, 3
		mov	eax, edx
		shl	eax, 4
		sub	eax, edx
		sub	ecx, eax
		push	esi
		mov	esi, [ebp+arg_14]
		inc	ecx
		push	edi
		mov	edi, [ebp+arg_18]
		not	edi
		movzx	eax, word ptr [esi+ebx*2]
		ror	edi, cl
		mov	ecx, [ebp+arg_8]
		add	edi, eax
		mov	eax, 0AAAAAAABh
		mul	ecx
		inc	ecx
		shr	edx, 1
		add	edx, ebx
		add	ecx, edx
		and	ecx, 3
		movzx	eax, word ptr [esi+ecx*2]
		imul	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_784B80	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784BE0	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_14]
		mov	eax, [ebp+arg_18]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, esi
		shr	edx, 1
		and	esi, 3
		dec	edx
		and	edx, 1
		sub	eax, [ecx+edx*4]
		movzx	ecx, word ptr [ecx+esi*2]
		sub	eax, ecx
		pop	esi
		pop	ebp
		retn	1Ch
sub_784BE0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784C10	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, 24924925h
		mul	ebx
		mov	ecx, ebx
		sub	ecx, edx
		shr	ecx, 1
		add	ecx, edx
		shr	ecx, 2
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		and	edi, 3
		sub	ebx, eax
		mov	[ebp+arg_0], edi
		mov	eax, 0AAAAAAABh
		mul	esi
		lea	eax, [esi+1]
		shr	edx, 1
		lea	ecx, [ebx+1]
		add	edx, edi
		mov	edi, [ebp+arg_18]
		add	eax, edx
		mov	edx, [ebp+arg_14]
		and	eax, 3
		movzx	esi, word ptr [edx+eax*2]
		mov	eax, [ebp+arg_0]
		xor	esi, edi
		rol	esi, cl
		mov	ecx, [ebp+arg_C]
		movzx	eax, word ptr [edx+eax*2]
		imul	esi, eax
		mov	eax, 8421085h
		mul	ecx
		mov	[ebp+arg_0], esi
		mov	esi, ecx
		mov	eax, [ebp+arg_0]
		sub	esi, edx
		shr	esi, 1
		add	esi, edx
		shr	esi, 4
		mov	edx, esi
		shl	edx, 5
		sub	edx, esi
		sub	ecx, edx
		inc	ecx
		ror	edi, cl
		xor	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_784C10	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784CB0	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_14]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, esi
		and	eax, 3
		shr	esi, 1
		dec	esi
		and	esi, 1
		movzx	ecx, word ptr [edx+eax*2]
		mov	eax, [ebp+arg_18]
		sub	eax, ecx
		xor	eax, [edx+esi*4]
		pop	esi
		pop	ebp
		retn	1Ch
sub_784CB0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784CE0	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, 24924925h
		mul	ebx
		mov	ecx, ebx
		sub	ecx, edx
		shr	ecx, 1
		add	ecx, edx
		shr	ecx, 2
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		and	edi, 3
		sub	ebx, eax
		mov	[ebp+arg_0], edi
		mov	eax, 0AAAAAAABh
		mul	esi
		lea	eax, [esi+1]
		shr	edx, 1
		lea	ecx, [ebx+1]
		add	edx, edi
		mov	edi, [ebp+arg_18]
		add	eax, edx
		mov	edx, [ebp+arg_14]
		and	eax, 3
		movzx	esi, word ptr [edx+eax*2]
		mov	eax, [ebp+arg_0]
		xor	esi, edi
		rol	esi, cl
		mov	ecx, [ebp+arg_C]
		movzx	eax, word ptr [edx+eax*2]
		imul	esi, eax
		mov	eax, 8421085h
		mul	ecx
		mov	[ebp+arg_0], esi
		mov	esi, ecx
		mov	eax, [ebp+arg_0]
		sub	esi, edx
		shr	esi, 1
		add	esi, edx
		shr	esi, 4
		mov	edx, esi
		shl	edx, 5
		sub	edx, esi
		sub	ecx, edx
		inc	ecx
		ror	edi, cl
		add	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_784CE0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784D80	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		mov	eax, 88888889h
		mul	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		shr	edx, 3
		and	ebx, 3
		mov	eax, edx
		shl	eax, 4
		sub	eax, edx
		sub	ecx, eax
		mov	eax, 0AAAAAAABh
		push	esi
		push	edi
		mov	edi, [ebp+arg_18]
		inc	ecx
		mov	esi, edi
		shr	esi, cl
		mov	ecx, [ebp+arg_4]
		mul	ecx
		inc	ecx
		shr	edx, 1
		add	edx, ebx
		add	ecx, edx
		mov	edx, [ebp+arg_14]
		and	ecx, 3
		movzx	eax, word ptr [edx+ebx*2]
		movzx	ecx, word ptr [edx+ecx*2]
		sub	edi, ecx
		imul	eax, edi
		pop	edi
		sub	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_784D80	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784DE0	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ecx, [ebp+arg_8]
		mov	eax, 88888889h
		mul	ecx
		mov	ebx, [ebp+arg_18]
		shr	edx, 3
		mov	eax, edx
		shl	eax, 4
		sub	eax, edx
		sub	ecx, eax
		mov	eax, 0AAAAAAABh
		inc	ecx
		ror	ebx, cl
		mov	ecx, [ebp+arg_4]
		mul	ecx
		mov	esi, [ebp+arg_0]
		inc	ecx
		and	esi, 3
		shr	edx, 1
		add	edx, esi
		mov	[ebp+arg_0], esi
		mov	eax, [ebp+arg_0]
		add	ecx, edx
		mov	edx, [ebp+arg_14]
		and	ecx, 3
		pop	edi
		movzx	esi, word ptr [edx+ecx*2]
		xor	esi, [ebp+arg_18]
		movzx	eax, word ptr [edx+eax*2]
		imul	eax, esi
		pop	esi
		add	eax, ebx
		pop	ebx
		pop	ebp
		retn	1Ch
sub_784DE0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784E3E	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_14]
		and	edx, 1
		lea	eax, [edx-1]
		and	eax, 1
		mov	eax, [ecx+eax*4]
		xor	eax, [ecx+edx*4]
		xor	eax, [ebp+arg_18]
		pop	ebp
		retn	1Ch
sub_784E3E	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784E60	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, 24924925h
		mul	ebx
		mov	ecx, ebx
		sub	ecx, edx
		shr	ecx, 1
		add	ecx, edx
		shr	ecx, 2
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, ds:0[ecx*8]
		sub	eax, ecx
		and	edi, 3
		sub	ebx, eax
		mov	[ebp+arg_0], edi
		mov	eax, 0AAAAAAABh
		inc	ebx
		mul	esi
		lea	eax, [esi+1]
		mov	[ebp+arg_8], ebx
		mov	ecx, [ebp+arg_8]
		shr	edx, 1
		add	edx, edi
		mov	edi, [ebp+arg_18]
		add	eax, edx
		mov	edx, [ebp+arg_14]
		and	eax, 3
		movzx	ebx, word ptr [edx+eax*2]
		mov	eax, [ebp+arg_0]
		xor	ebx, edi
		rol	ebx, cl
		mov	ecx, [ebp+arg_C]
		movzx	eax, word ptr [edx+eax*2]
		imul	ebx, eax
		mov	eax, 88888889h
		mul	ecx
		shr	edx, 3
		mov	esi, edx
		shl	esi, 4
		sub	esi, edx
		sub	ecx, esi
		inc	ecx
		shr	edi, cl
		lea	eax, [edi+ebx]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_784E60	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784EF0	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, 8421085h
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ecx, edi
		mul	edi
		mov	ebx, [ebp+arg_18]
		sub	ecx, edx
		shr	ecx, 1
		add	ecx, edx
		mov	edx, [ebp+arg_14]
		shr	ecx, 4
		mov	eax, ecx
		shl	eax, 5
		sub	eax, ecx
		sub	edi, eax
		mov	eax, esi
		shr	eax, 1
		and	esi, 3
		dec	eax
		and	eax, 1
		lea	ecx, [edi+1]
		pop	edi
		mov	eax, [edx+eax*4]
		xor	eax, ebx
		ror	eax, cl
		movzx	ecx, word ptr [edx+esi*2]
		imul	eax, ecx
		mov	ecx, [ebp+arg_C]
		mov	esi, ecx
		mov	[ebp+arg_8], eax
		mov	eax, 8421085h
		mul	ecx
		mov	eax, [ebp+arg_8]
		sub	esi, edx
		shr	esi, 1
		add	esi, edx
		shr	esi, 4
		mov	edx, esi
		shl	edx, 5
		sub	edx, esi
		sub	ecx, edx
		inc	ecx
		ror	ebx, cl
		pop	esi
		xor	eax, ebx
		pop	ebx
		pop	ebp
		retn	1Ch
sub_784EF0	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784F6C	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		mov	eax, [ebp+arg_14]
		and	esi, 3
		mov	edi, [ebp+arg_18]
		mov	ebx, edi
		shr	ecx, 1
		dec	ecx
		and	ecx, 1
		push	1Fh
		sub	ebx, [eax+ecx*4]
		lea	ecx, [edx+1]
		movzx	eax, word ptr [eax+esi*2]
		xor	edx, edx
		ror	ebx, cl
		imul	ebx, eax
		mov	eax, [ebp+arg_C]
		pop	ecx
		div	ecx
		lea	ecx, [edx+1]
		ror	edi, cl
		lea	eax, [edi+ebx]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_784F6C	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_784FC0	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, 8421085h
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ecx, edi
		mul	edi
		mov	ebx, [ebp+arg_18]
		sub	ecx, edx
		shr	ecx, 1
		add	ecx, edx
		mov	edx, [ebp+arg_14]
		shr	ecx, 4
		mov	eax, ecx
		shl	eax, 5
		sub	eax, ecx
		sub	edi, eax
		mov	eax, esi
		shr	eax, 1
		and	esi, 3
		dec	eax
		and	eax, 1
		lea	ecx, [edi+1]
		pop	edi
		mov	eax, [edx+eax*4]
		add	eax, ebx
		ror	eax, cl
		movzx	ecx, word ptr [edx+esi*2]
		imul	eax, ecx
		mov	ecx, [ebp+arg_C]
		mov	esi, ecx
		mov	[ebp+arg_8], eax
		mov	eax, 8421085h
		mul	ecx
		mov	eax, [ebp+arg_8]
		sub	esi, edx
		shr	esi, 1
		add	esi, edx
		shr	esi, 4
		mov	edx, esi
		shl	edx, 5
		sub	edx, esi
		sub	ecx, edx
		inc	ecx
		ror	ebx, cl
		pop	esi
		add	eax, ebx
		pop	ebx
		pop	ebp
		retn	1Ch
sub_784FC0	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_78503C	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		mov	eax, [ebp+arg_14]
		and	esi, 3
		mov	edi, [ebp+arg_18]
		mov	ebx, edi
		shr	ecx, 1
		dec	ecx
		and	ecx, 1
		push	1Fh
		sub	ebx, [eax+ecx*4]
		lea	ecx, [edx+1]
		movzx	eax, word ptr [eax+esi*2]
		xor	edx, edx
		ror	ebx, cl
		imul	ebx, eax
		mov	eax, [ebp+arg_C]
		pop	ecx
		div	ecx
		lea	ecx, [edx+1]
		ror	edi, cl
		sub	ebx, edi
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	1Ch
sub_78503C	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_78508E	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	3
		pop	esi
		push	7
		pop	ecx
		div	ecx
		mov	eax, [ebp+arg_4]
		mov	ebx, [ebp+arg_0]
		mov	edi, [ebp+arg_18]
		and	ebx, esi
		mov	[ebp+arg_0], ebx
		lea	ecx, [edx+1]
		xor	edx, edx
		div	esi
		lea	eax, [ebx+1]
		mov	ebx, edi
		add	eax, edx
		xor	edx, edx
		and	eax, esi
		mov	esi, [ebp+arg_14]
		push	0Fh
		movzx	eax, word ptr [esi+eax*2]
		sub	ebx, eax
		mov	eax, [ebp+arg_0]
		rol	ebx, cl
		pop	ecx
		movzx	eax, word ptr [esi+eax*2]
		imul	ebx, eax
		mov	eax, [ebp+arg_C]
		div	ecx
		lea	ecx, [edx+1]
		shr	edi, cl
		xor	ebx, edi
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	1Ch
sub_78508E	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_7850F0	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	1Fh
		pop	ecx
		div	ecx
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		mov	eax, [ebp+arg_14]
		and	esi, 3
		mov	edi, [ebp+arg_18]
		mov	ebx, edi
		shr	ecx, 1
		dec	ecx
		and	ecx, 1
		push	1Fh
		sub	ebx, [eax+ecx*4]
		lea	ecx, [edx+1]
		movzx	eax, word ptr [eax+esi*2]
		xor	edx, edx
		ror	ebx, cl
		imul	ebx, eax
		mov	eax, [ebp+arg_C]
		pop	ecx
		div	ecx
		lea	ecx, [edx+1]
		ror	edi, cl
		xor	ebx, edi
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	1Ch
sub_7850F0	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_785142	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	3
		pop	esi
		push	7
		pop	ecx
		div	ecx
		mov	eax, [ebp+arg_4]
		mov	ebx, [ebp+arg_0]
		mov	edi, [ebp+arg_18]
		and	ebx, esi
		mov	[ebp+arg_0], ebx
		lea	ecx, [edx+1]
		xor	edx, edx
		div	esi
		lea	eax, [ebx+1]
		add	eax, edx
		xor	edx, edx
		and	eax, esi
		mov	esi, [ebp+arg_14]
		push	1Fh
		movzx	ebx, word ptr [esi+eax*2]
		mov	eax, [ebp+arg_0]
		xor	ebx, edi
		rol	ebx, cl
		pop	ecx
		movzx	eax, word ptr [esi+eax*2]
		imul	ebx, eax
		mov	eax, [ebp+arg_C]
		div	ecx
		lea	ecx, [edx+1]
		ror	edi, cl
		sub	ebx, edi
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	1Ch
sub_785142	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_7851A2	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	3
		pop	ecx
		div	ecx
		mov	edi, [ebp+arg_0]
		mov	esi, [ebp+arg_18]
		and	edi, ecx
		push	0Fh
		lea	eax, [edx+1]
		xor	edx, edx
		add	eax, edi
		and	eax, ecx
		mov	ecx, [ebp+arg_14]
		movzx	ebx, word ptr [ecx+eax*2]
		movzx	eax, word ptr [ecx+edi*2]
		xor	ebx, esi
		imul	ebx, eax
		mov	eax, [ebp+arg_8]
		pop	ecx
		div	ecx
		pop	edi
		lea	ecx, [edx+1]
		shr	esi, cl
		lea	eax, [esi+ebx]
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_7851A2	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_7851EC	proc near		; DATA XREF: sub_7C1970+24o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, [esi+4]
		lea	eax, [esi+10h]
		mov	ecx, [esi]
		push	eax
		lea	eax, [esi+0Ch]
		push	eax
		push	dword ptr [esi+8]
		call	sub_785212
		mov	[esi+14h], eax
		pop	esi
		pop	ebp
		retn	4
sub_7851EC	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_785212	proc near		; CODE XREF: sub_7851EC+19p

var_194		= dword	ptr -194h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_165		= byte ptr -165h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_12D		= byte ptr -12Dh
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_101		= byte ptr -101h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_42		= word ptr -42h
var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 15Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+15Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+15Ch+var_84], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	[esp+160h+var_80], eax
		xor	ebx, ebx
		xor	eax, eax
		mov	[esp+160h+var_B4], edx
		push	esi
		push	edi
		lea	edi, [esp+168h+var_110]
		mov	[esp+168h+var_AC], ebx
		stosd
		xor	edx, edx
		mov	esi, ebx
		mov	[esp+168h+var_158], edx
		mov	[esp+168h+var_E4], ebx
		mov	[esp+168h+var_B8], ebx
		stosd
		mov	[esp+168h+var_C8], ebx
		mov	[esp+168h+var_15C], esi
		mov	[esp+168h+var_B0], ebx
		stosd
		xor	eax, eax
		lea	edi, [esp+168h+var_100]
		mov	[esp+168h+var_9C], ebx
		stosd
		mov	[esp+168h+var_E0], ebx
		mov	[esp+168h+var_D4], ebx
		mov	[esp+168h+var_C0], ebx
		stosd
		mov	[esp+168h+var_13C], ebx
		mov	[esp+168h+var_DC], ebx
		mov	[esp+168h+var_148], ebx
		stosd
		mov	edi, [esp+168h+var_B4]
		mov	[esp+168h+var_150], ebx
		mov	[esp+168h+var_140], ecx
		cmp	edi, 4
		jnb	short loc_7852DC
		mov	ebx, 0C000003Eh
		mov	esi, edx
		mov	edi, edx
		jmp	loc_787CC5
; 

loc_7852DC:				; CODE XREF: sub_785212+BAj
		mov	eax, [ecx]
		mov	[esp+168h+var_134], eax
		lea	eax, [esp+168h+var_140]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_785666
		lea	eax, [esp+168h+var_150]
		xor	ecx, ecx
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_785666
		mov	ecx, [esp+168h+var_134]
		mov	eax, edi
		sub	eax, [esp+168h+var_150]
		cmp	eax, ecx
		jnb	short loc_78532C

loc_785320:				; CODE XREF: sub_785212+15Fj
					; sub_785212+1A9j ...
		mov	ebx, 0C000003Eh
		mov	edi, esi
		jmp	loc_787CC5
; 

loc_78532C:				; CODE XREF: sub_785212+10Cj
		mov	eax, [esp+168h+var_140]
		lea	edx, [esp+168h+var_140]
		push	edx
		mov	edx, ecx
		mov	[esp+16Ch+var_F0], eax
		mov	ecx, eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_785666
		mov	edx, [esp+168h+var_134]
		lea	eax, [esp+168h+var_150]
		mov	ecx, [esp+168h+var_150]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_785666
		mov	eax, edi
		sub	eax, [esp+168h+var_150]
		cmp	eax, 4
		jb	short loc_785320
		mov	ecx, [esp+168h+var_140]
		mov	eax, [ecx]
		mov	[esp+168h+var_138], eax
		lea	eax, [esp+168h+var_140]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_785666
		mov	ecx, [esp+168h+var_150]
		lea	eax, [esp+168h+var_150]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_785666
		mov	ecx, [esp+168h+var_138]
		mov	eax, edi
		sub	eax, [esp+168h+var_150]
		cmp	eax, ecx
		jb	loc_785320
		mov	eax, [esp+168h+var_140]
		lea	edx, [esp+168h+var_140]
		push	edx
		mov	edx, ecx
		mov	[esp+16Ch+var_C4], eax
		mov	ecx, eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_785666
		mov	edx, [esp+168h+var_138]
		lea	eax, [esp+168h+var_150]
		mov	ecx, [esp+168h+var_150]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_785666
		mov	eax, edi
		sub	eax, [esp+168h+var_150]
		cmp	eax, 4
		jb	loc_785320
		mov	ecx, [esp+168h+var_140]
		mov	eax, [ecx]
		mov	[esp+168h+var_120], eax
		lea	eax, [esp+168h+var_140]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_785666
		mov	ecx, [esp+168h+var_150]
		lea	eax, [esp+168h+var_150]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_785666
		mov	ecx, [esp+168h+var_120]
		mov	eax, edi
		sub	eax, [esp+168h+var_150]
		cmp	eax, ecx
		jb	loc_785320
		lea	eax, [esp+168h+var_150]
		mov	edx, ecx
		mov	ecx, [esp+168h+var_150]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_785666
		mov	eax, edi
		sub	eax, [esp+168h+var_150]
		jnz	loc_785320
		mov	eax, [esp+168h+var_120]
		mov	ecx, [esp+168h+var_134]
		mov	ebx, [esp+168h+var_138]
		add	ecx, 0Ch
		add	eax, ebx
		add	eax, ecx
		cmp	eax, edi
		jnz	loc_785320
		push	20534C53h
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+168h+var_E8], edi
		test	edi, edi
		jnz	short loc_7854C3
		mov	ebx, 0C0000017h
		jmp	loc_7855F0
; 

loc_7854C3:				; CODE XREF: sub_785212+2A5j
		push	6
		pop	ecx
		xor	eax, eax
		rep stosd
		mov	edi, [esp+168h+var_E8]
		cmp	[esp+168h+var_F0], eax
		jz	short loc_78551A
		mov	eax, [esp+168h+var_134]
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_7854EB

loc_7854E1:				; CODE XREF: sub_785212+316j
					; sub_785212+354j
		mov	ebx, 0C000003Eh
		jmp	loc_7855A2
; 

loc_7854EB:				; CODE XREF: sub_785212+2CDj
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_785506

loc_7854FC:				; CODE XREF: sub_785212+327j
					; sub_785212+369j
		mov	ebx, 0C0000017h
		jmp	loc_7855A2
; 

loc_785506:				; CODE XREF: sub_785212+2E8j
		mov	[edi+4], eax
		push	[esp+168h+var_134] ; size_t
		push	[esp+16Ch+var_F0] ; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_78551A:				; CODE XREF: sub_785212+2C3j
		cmp	[esp+168h+var_C4], esi
		jz	short loc_785551
		mov	[edi+8], ebx
		test	ebx, ebx
		jz	short loc_7854E1
		push	20534C53h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_7854FC
		mov	[edi+0Ch], eax
		push	ebx		; size_t
		push	[esp+16Ch+var_C4] ; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_785557
; 

loc_785551:				; CODE XREF: sub_785212+30Fj
		and	[edi+8], esi
		and	[edi+0Ch], esi

loc_785557:				; CODE XREF: sub_785212+33Dj
		cmp	[esp+168h+var_140], esi
		jz	short loc_785594
		mov	ebx, [esp+168h+var_120]
		mov	[edi+10h], ebx
		test	ebx, ebx
		jz	loc_7854E1
		push	20534C53h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_7854FC
		mov	[edi+14h], eax
		push	ebx		; size_t
		push	[esp+16Ch+var_140] ; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_78559A
; 

loc_785594:				; CODE XREF: sub_785212+349j
		and	[edi+10h], esi
		and	[edi+14h], esi

loc_78559A:				; CODE XREF: sub_785212+380j
		mov	[esp+168h+var_148], edi
		xor	edi, edi
		xor	ebx, ebx

loc_7855A2:				; CODE XREF: sub_785212+2D4j
					; sub_785212+2EFj
		test	edi, edi
		jz	short loc_7855F0
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_7855BB
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[edi+4], esi

loc_7855BB:				; CODE XREF: sub_785212+399j
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	short loc_7855D0
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[edi+0Ch], esi

loc_7855D0:				; CODE XREF: sub_785212+3AEj
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_7855E5
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[edi+14h], esi

loc_7855E5:				; CODE XREF: sub_785212+3C3j
		push	20534C53h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7855F0:				; CODE XREF: sub_785212+2ACj
					; sub_785212+392j
		test	ebx, ebx
		js	short loc_785604
		mov	edi, [esp+168h+var_148]
		xor	eax, eax
		mov	[esp+168h+var_158], edi
		mov	[esp+168h+var_148], eax
		jmp	short loc_78560A
; 

loc_785604:				; CODE XREF: sub_785212+3E0j
		mov	eax, [esp+168h+var_148]
		mov	edi, esi

loc_78560A:				; CODE XREF: sub_785212+3F0j
		test	eax, eax
		jz	short loc_785668
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_785627
		push	20534C53h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+168h+var_148]
		and	[eax+4], esi

loc_785627:				; CODE XREF: sub_785212+401j
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jz	short loc_785640
		push	20534C53h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+168h+var_148]
		and	[eax+0Ch], esi

loc_785640:				; CODE XREF: sub_785212+41Aj
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	short loc_785659
		push	20534C53h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+168h+var_148]
		and	[eax+14h], esi

loc_785659:				; CODE XREF: sub_785212+433j
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_785668
; 

loc_785666:				; CODE XREF: sub_785212+E1j
					; sub_785212+FAj ...
		mov	edi, esi

loc_785668:				; CODE XREF: sub_785212+3FAj
					; sub_785212+452j
		test	ebx, ebx
		js	loc_787CC5
		and	[esp+168h+var_F0], esi
		xor	ebx, ebx
		mov	edx, [esp+168h+var_158]
		mov	[esp+168h+var_134], ebx
		test	edx, edx
		jnz	short loc_78568C

loc_785682:				; CODE XREF: sub_785212+486j
					; sub_785212+490j ...
		mov	ebx, 0C000000Dh
		jmp	loc_787CC1
; 

loc_78568C:				; CODE XREF: sub_785212+46Ej
		mov	eax, [edx+4]
		mov	[esp+168h+var_D8], eax
		test	eax, eax
		jz	short loc_785682
		mov	eax, [edx]
		mov	[esp+168h+var_114], eax
		test	eax, eax
		jz	short loc_785682
		mov	eax, [edx+14h]
		test	eax, eax
		jz	short loc_785682
		mov	edi, [edx+10h]
		test	edi, edi
		jz	short loc_785682
		mov	ecx, [edx+0Ch]
		mov	[esp+168h+var_EC], ecx
		test	ecx, ecx
		jz	short loc_785682
		mov	ecx, [edx+8]
		test	ecx, ecx
		jz	short loc_785682
		and	[esp+168h+var_144], ebx
		or	[esp+168h+var_12C], 0FFFFFFFFh
		cmp	edi, 8
		jnz	loc_785CFA
		cmp	ecx, 0A0h
		jnz	loc_785CFA
		mov	ecx, [esp+168h+var_114]
		cmp	ecx, edi
		jbe	loc_785CFA
		mov	edi, [eax]
		mov	eax, [eax+4]
		mov	[esp+168h+var_150], eax
		lea	eax, [ecx-8]
		push	20534C53h
		push	eax
		push	1
		mov	[esp+174h+var_14C], edi
		mov	[esp+174h+var_C4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+168h+var_E8], eax
		test	eax, eax
		jz	loc_785CFA
		mov	ecx, [esp+168h+var_150]
		mov	edx, [esp+168h+var_D8]
		mov	[esp+168h+var_148], eax
		mov	eax, [esp+168h+var_C4]
		and	eax, 7
		mov	[esp+168h+var_18], edi
		mov	[esp+168h+var_14], ecx
		mov	[esp+168h+var_120], edx
		mov	[esp+168h+var_140], eax
		jz	loc_78594D
		or	ecx, 0FFFFFFFFh
		xor	edx, edx
		mov	edi, ecx
		mov	[esp+168h+var_150], edx
		xor	ecx, ecx
		mov	[esp+168h+var_154], edi
		mov	[esp+168h+var_128], ecx
		mov	[esp+168h+var_F4], ecx
		test	eax, eax
		jz	short loc_7857C4
		mov	edi, [esp+168h+var_120]
		mov	edx, ecx
		push	38h
		pop	esi
		mov	ebx, ecx

loc_78577E:				; CODE XREF: sub_785212+59Ej
		movzx	ecx, byte ptr [edi]
		inc	edi
		mov	[esp+168h+var_128], ecx
		cmp	edx, 4
		jge	short loc_7857A0
		lea	ecx, [esi-20h]
		shl	[esp+168h+var_128], cl
		mov	ecx, [esp+168h+var_F4]
		or	ecx, [esp+168h+var_128]
		mov	[esp+168h+var_F4], ecx
		jmp	short loc_7857AA
; 

loc_7857A0:				; CODE XREF: sub_785212+577j
		mov	ecx, esi
		shl	[esp+168h+var_128], cl
		or	ebx, [esp+168h+var_128]

loc_7857AA:				; CODE XREF: sub_785212+58Cj
		inc	edx
		sub	esi, 8
		cmp	edx, eax
		jl	short loc_78577E
		mov	eax, edi
		mov	[esp+168h+var_120], edi
		mov	edi, [esp+168h+var_154]
		mov	[esp+168h+var_128], ebx
		mov	[esp+168h+var_120], eax

loc_7857C4:				; CODE XREF: sub_785212+55Fj
		mov	eax, [esp+168h+var_EC]
		push	1Eh
		pop	ecx
		push	0FFFFFF81h
		pop	ebx
		lea	esi, [eax+7Eh]
		mov	[esp+168h+var_138], ecx
		sub	ebx, eax
		add	eax, 9Eh
		mov	[esp+168h+var_124], eax

loc_7857E0:				; CODE XREF: sub_785212+678j
		mov	dl, [eax+1]
		mov	[esp+168h+var_101], dl
		cmp	dl, 1Fh
		mov	edx, [esp+168h+var_150]
		jnb	short loc_785829
		movzx	ecx, [esp+168h+var_101]
		lea	eax, [esp+168h+var_18]
		push	edx
		push	eax
		movzx	eax, byte ptr [esi+1]
		push	eax
		movzx	eax, byte ptr [esi]
		push	eax
		movzx	eax, byte ptr [esi-1]
		push	eax
		movzx	eax, byte ptr [esi-2]
		push	eax
		mov	eax, [esp+180h+var_124]
		add	eax, ebx
		push	eax
		call	ds:off_A93F70[ecx*4]
		mov	edx, [esp+184h+var_16C]
		xor	edi, eax
		mov	eax, [esp+184h+var_140]

loc_785829:				; CODE XREF: sub_785212+5DCj
		mov	cl, [eax]
		mov	byte ptr [esp+184h+var_120+3], cl
		cmp	cl, 1Fh
		mov	ecx, [esp+184h+var_154]
		jnb	short loc_785877
		movzx	ecx, byte ptr [esp+184h+var_120+3]
		lea	eax, [esp+184h+var_34]
		push	edi
		push	eax
		movzx	eax, byte ptr [esi-3]
		push	eax
		movzx	eax, byte ptr [esi-4]
		push	eax
		movzx	eax, byte ptr [esi-5]
		push	eax
		movzx	eax, byte ptr [esi-6]
		push	eax
		push	[esp+19Ch+var_154]
		call	ds:off_A93F70[ecx*4]
		mov	edx, [esp+1A0h+var_188]
		mov	ecx, [esp+1A0h+var_170]
		xor	edx, eax
		mov	eax, [esp+1A0h+var_15C]
		mov	[esp+1A0h+var_188], edx

loc_785877:				; CODE XREF: sub_785212+624j
		sub	ecx, 2
		sub	eax, 2
		sub	esi, 8
		mov	[esp+1A0h+var_170], ecx
		mov	[esp+1A0h+var_15C], eax
		test	ecx, ecx
		jns	loc_7857E0
		xor	edx, [esp+1A0h+var_12C]
		xor	ecx, ecx
		xor	edi, [esp+1A0h+var_160]
		mov	ebx, ecx
		mov	eax, [esp+1A0h+var_178]
		mov	esi, ecx
		mov	[esp+1A0h+var_188], edx
		mov	[esp+1A0h+var_170], edx
		mov	[esp+1A0h+var_15C], edi
		test	eax, eax
		jz	short loc_7858ED
		mov	esi, [esp+1A0h+var_180]

loc_7858B6:				; CODE XREF: sub_785212+6CFj
		lea	edx, [esi+1]
		mov	[esp+1A0h+var_180], edx
		cmp	ecx, 4
		jge	short loc_7858CD
		rol	[esp+1A0h+var_170], 8
		mov	edx, [esp+1A0h+var_170]
		jmp	short loc_7858D6
; 

loc_7858CD:				; CODE XREF: sub_785212+6AEj
		rol	[esp+1A0h+var_15C], 8
		mov	edx, [esp+1A0h+var_15C]

loc_7858D6:				; CODE XREF: sub_785212+6B9j
		mov	[esi], dl
		inc	ecx
		mov	edx, [esp+1A0h+var_180]
		mov	esi, edx
		cmp	ecx, eax
		jl	short loc_7858B6
		mov	[esp+1A0h+var_180], edx
		mov	esi, ebx
		mov	edx, [esp+1A0h+var_188]

loc_7858ED:				; CODE XREF: sub_785212+69Ej
		cmp	eax, 4
		jbe	short loc_78591A
		push	8
		pop	ecx
		sub	ecx, eax
		shl	ecx, 3
		shr	edi, cl
		shl	edi, cl
		mov	ecx, [esp+1A0h+var_4C]
		mov	[esp+1A0h+var_18C], edi
		mov	edi, [esp+1A0h+var_50]
		mov	[esp+1A0h+var_188], ecx
		mov	[esp+1A0h+var_184], edi
		jmp	short loc_78595E
; 

loc_78591A:				; CODE XREF: sub_785212+6DEj
		mov	edi, [esp+1A0h+var_50]
		xor	eax, eax
		mov	[esp+1A0h+var_18C], eax
		mov	eax, [esp+1A0h+var_178]
		mov	[esp+1A0h+var_184], edi
		cmp	eax, 4
		jnb	short loc_785940
		push	4
		pop	ecx
		sub	ecx, eax
		shl	ecx, 3
		shr	edx, cl
		shl	edx, cl

loc_785940:				; CODE XREF: sub_785212+720j
		mov	ecx, [esp+1A0h+var_4C]
		mov	[esp+1A0h+var_188], ecx
		jmp	short loc_78595E
; 

loc_78594D:				; CODE XREF: sub_785212+53Ej
		and	[esp+168h+var_F4], ebx
		xor	eax, eax
		or	[esp+168h+var_128], 0FFFFFFFFh
		xor	edx, edx
		mov	[esp+168h+var_154], eax

loc_78595E:				; CODE XREF: sub_785212+706j
					; sub_785212+739j
		mov	eax, [esp+168h+var_C4]
		shr	eax, 3
		mov	[esp+168h+var_124], eax
		test	eax, eax
		jz	loc_785C78
		mov	eax, [esp+168h+var_EC]
		push	0FFFFFF81h
		lea	ebx, [eax+9Eh]
		mov	[esp+16Ch+var_D0], ebx
		lea	ebx, [eax+7Eh]
		mov	[esp+16Ch+var_BC], ebx
		pop	ebx
		sub	ebx, eax
		mov	eax, [esp+168h+var_148]
		add	eax, 7
		mov	[esp+168h+var_11C], ebx
		mov	ebx, [esp+168h+var_154]
		mov	[esp+168h+var_EC], eax
		mov	eax, [esp+168h+var_120]
		add	eax, 2
		mov	[esp+168h+var_148], eax

loc_7859B2:				; CODE XREF: sub_785212+A5Bj
		movzx	esi, byte ptr [eax-2]
		movzx	eax, byte ptr [eax-1]
		shl	esi, 8
		or	esi, eax
		mov	eax, [esp+168h+var_148]
		shl	esi, 8
		movzx	eax, byte ptr [eax]
		or	esi, eax
		mov	eax, [esp+168h+var_148]
		shl	esi, 8
		movzx	eax, byte ptr [eax+1]
		or	esi, eax
		mov	eax, [esp+168h+var_148]
		xor	edx, esi
		mov	[esp+168h+var_120], esi
		mov	esi, ecx
		xor	esi, edi
		movzx	edi, word ptr [esp+168h+var_18+2]
		movzx	eax, byte ptr [eax+2]
		shl	eax, 8
		mov	[esp+168h+var_140], eax
		mov	eax, [esp+168h+var_148]
		movzx	eax, byte ptr [eax+3]
		or	[esp+168h+var_140], eax
		mov	eax, [esp+168h+var_148]
		shl	[esp+168h+var_140], 8
		movzx	eax, byte ptr [eax+4]
		or	[esp+168h+var_140], eax
		mov	eax, [esp+168h+var_148]
		shl	[esp+168h+var_140], 8
		add	[esp+168h+var_148], 8
		movzx	eax, byte ptr [eax+5]
		or	[esp+168h+var_140], eax
		xor	ebx, [esp+168h+var_140]
		xor	esi, ebx
		movzx	ebx, cx
		xor	esi, edx
		mov	ecx, esi
		mov	eax, esi
		xor	ecx, edi
		shr	eax, 8
		imul	ecx, ebx
		xor	ecx, eax
		xor	edx, ecx
		mov	ecx, [esp+168h+var_150]
		sub	ecx, edx
		mov	eax, edx
		ror	ecx, 0Bh
		imul	ecx, edi
		ror	eax, 0Ch
		sub	ecx, eax
		mov	eax, [esp+168h+var_14C]
		xor	esi, ecx
		mov	[esp+168h+var_154], esi
		movzx	esi, ax
		mov	eax, [esp+168h+var_154]
		mov	ecx, eax
		xor	ecx, [esp+168h+var_150]
		rol	ecx, 8
		imul	ecx, esi
		rol	eax, 2
		sub	ecx, eax
		xor	edx, ecx
		mov	[esp+168h+var_150], edx
		mov	eax, [esp+168h+var_150]
		mov	ecx, eax
		sub	ecx, [esp+168h+var_14C]
		movzx	edx, word ptr [esp+168h+var_14+2]
		ror	ecx, 4
		imul	ecx, edx
		ror	eax, 9
		xor	ecx, eax
		mov	eax, [esp+168h+var_154]
		xor	eax, ecx
		mov	ecx, [esp+168h+var_14C]
		sub	ecx, eax
		mov	[esp+168h+var_154], eax
		ror	ecx, 0Ah
		imul	ecx, ebx
		ror	eax, 4
		add	ecx, eax
		mov	eax, [esp+168h+var_150]
		xor	eax, ecx
		mov	ecx, eax
		mov	[esp+168h+var_150], eax
		xor	ecx, edx
		ror	eax, 10h
		rol	ecx, 4
		imul	ecx, edi
		push	1Eh
		sub	ecx, eax
		mov	eax, [esp+16Ch+var_154]
		xor	eax, ecx
		mov	[esp+16Ch+var_154], eax
		mov	ecx, eax
		xor	eax, edi
		ror	ecx, 7
		imul	eax, esi
		sub	eax, ecx
		mov	ecx, [esp+16Ch+var_150]
		xor	ecx, eax
		mov	eax, ecx
		mov	[esp+16Ch+var_150], ecx
		mov	ecx, [esp+16Ch+var_154]
		sub	eax, edx
		mov	edx, [esp+16Ch+var_14C]
		sub	eax, edx
		xor	ecx, eax
		sub	edx, ecx
		mov	[esp+16Ch+var_154], ecx
		mov	eax, ecx
		ror	edx, 9
		imul	edx, ebx
		ror	eax, 0Bh
		xor	edx, eax
		mov	[esp+16Ch+var_14C], edx
		mov	edx, [esp+16Ch+var_150]
		xor	edx, [esp+16Ch+var_14C]
		mov	ecx, edx
		mov	eax, edx
		sub	ecx, ebx
		shr	eax, 0Dh
		imul	ecx, edi
		mov	edi, [esp+16Ch+var_D0]
		sub	ecx, eax
		mov	eax, [esp+16Ch+var_154]
		xor	eax, ecx
		mov	ecx, eax
		mov	[esp+16Ch+var_154], eax
		sub	ecx, ebx
		mov	ebx, eax
		rol	ecx, 3
		imul	ecx, esi
		mov	esi, [esp+16Ch+var_BC]
		shr	eax, 0Fh
		xor	ecx, eax
		xor	edx, ecx
		pop	eax
		mov	[esp+168h+var_150], edx
		mov	[esp+168h+var_138], eax

loc_785B66:				; CODE XREF: sub_785212+9E2j
		mov	cl, [edi+1]
		cmp	cl, 1Fh
		jnb	short loc_785BA5
		push	edx
		lea	eax, [esp+16Ch+var_18]
		movzx	ecx, cl
		push	eax
		movzx	eax, byte ptr [esi+1]
		push	eax
		movzx	eax, byte ptr [esi]
		push	eax
		movzx	eax, byte ptr [esi-1]
		push	eax
		movzx	eax, byte ptr [esi-2]
		push	eax
		mov	eax, [esp+180h+var_11C]
		add	eax, edi
		push	eax
		call	ds:off_A93F70[ecx*4]
		mov	edx, [esp+184h+var_16C]
		xor	ebx, eax
		mov	eax, [esp+184h+var_154]

loc_785BA5:				; CODE XREF: sub_785212+95Aj
		mov	cl, [edi]
		cmp	cl, 1Fh
		jnb	short loc_785BE5
		push	ebx
		lea	eax, [esp+188h+var_34]
		movzx	ecx, cl
		push	eax
		movzx	eax, byte ptr [esi-3]
		push	eax
		movzx	eax, byte ptr [esi-4]
		push	eax
		movzx	eax, byte ptr [esi-5]
		push	eax
		movzx	eax, byte ptr [esi-6]
		push	eax
		push	[esp+19Ch+var_154]
		call	ds:off_A93F70[ecx*4]
		mov	edx, [esp+1A0h+var_188]
		xor	edx, eax
		mov	eax, [esp+1A0h+var_170]
		mov	[esp+1A0h+var_188], edx

loc_785BE5:				; CODE XREF: sub_785212+998j
		sub	eax, 2
		sub	edi, 2
		sub	esi, 8
		mov	[esp+1A0h+var_170], eax
		test	eax, eax
		jns	loc_785B66
		mov	eax, [esp+1A0h+var_124]
		xor	edx, [esp+1A0h+var_12C]
		xor	ebx, [esp+1A0h+var_160]
		mov	ecx, [esp+1A0h+var_158]
		mov	[eax-4], dl
		mov	[eax], bl
		ror	edx, 8
		mov	[eax-5], dl
		ror	ebx, 8
		mov	[eax-1], bl
		ror	edx, 8
		mov	[eax-6], dl
		ror	ebx, 8
		mov	[eax-2], bl
		ror	edx, 8
		ror	ebx, 8
		mov	[eax-7], dl
		mov	[eax-3], bl
		add	eax, 8
		ror	edx, 8
		ror	ebx, 8
		sub	[esp+1A0h+var_15C], 1
		mov	[esp+1A0h+var_12C], ecx
		mov	ecx, [esp+1A0h+var_178]
		mov	[esp+1A0h+var_160], ecx
		mov	[esp+1A0h+var_124], eax
		jz	short loc_785C72
		mov	ecx, [esp+1A0h+var_4C]
		mov	edi, [esp+1A0h+var_50]
		mov	eax, [esp+1A0h+var_180]
		mov	[esp+1A0h+var_188], ecx
		mov	[esp+1A0h+var_184], edi
		jmp	loc_7859B2
; 

loc_785C72:				; CODE XREF: sub_785212+A3Fj
		mov	ebx, [esp+1A0h+var_16C]
		mov	esi, ebx

loc_785C78:				; CODE XREF: sub_785212+75Cj
		mov	edi, [esp+1A0h+var_FC]
		xor	ecx, ecx
		mov	al, cl
		test	edi, edi
		jz	short loc_785C96
		mov	edx, [esp+1A0h+var_120]

loc_785C8E:				; CODE XREF: sub_785212+A82j
		xor	al, [edx+ecx]
		inc	ecx
		cmp	ecx, edi
		jb	short loc_785C8E

loc_785C96:				; CODE XREF: sub_785212+A73j
		mov	ecx, [esp+1A0h+var_110]
		movzx	eax, al
		cdq
		cmp	eax, [edi+ecx]
		jnz	short loc_785CBB
		cmp	edx, [edi+ecx+4]
		jnz	short loc_785CBB
		mov	eax, [esp+1A0h+var_120]
		mov	[esp+1A0h+var_128], eax
		xor	eax, eax
		jmp	short loc_785CCE
; 

loc_785CBB:				; CODE XREF: sub_785212+A92j
					; sub_785212+A98j
		mov	eax, [esp+1A0h+var_120]
		mov	edi, [esp+1A0h+var_14C]
		mov	[esp+1A0h+var_17C], 0C004D501h

loc_785CCE:				; CODE XREF: sub_785212+AA7j
		test	eax, eax
		jz	short loc_785CDD
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_785CDD:				; CODE XREF: sub_785212+ABEj
		cmp	[esp+1A0h+var_17C], 0
		jl	short loc_785CFA
		mov	eax, [esp+1A0h+var_128]
		mov	[esp+1A0h+var_E4], eax
		xor	eax, eax
		mov	[esp+1A0h+var_11C], edi
		jmp	short loc_785D0A
; 

loc_785CFA:				; CODE XREF: sub_785212+4BEj
					; sub_785212+4CAj ...
		mov	edi, [esp+168h+var_E4]
		mov	ebx, 0C0000001h
		mov	eax, [esp+168h+var_F0]

loc_785D0A:				; CODE XREF: sub_785212+AE6j
		test	eax, eax
		jz	short loc_785D19
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_785D19:				; CODE XREF: sub_785212+AFAj
		test	ebx, ebx
		js	loc_787CBD
		and	[esp+168h+var_124], 0
		mov	ecx, [esp+168h+var_AC]
		mov	[esp+168h+var_120], ecx
		cmp	edi, 4
		jnb	short loc_785D40

loc_785D36:				; CODE XREF: sub_785212+B6Dj
					; sub_785212+BBAj ...
		mov	ebx, 0C000003Eh
		jmp	loc_787CBD
; 

loc_785D40:				; CODE XREF: sub_785212+B22j
		mov	eax, [ecx]
		mov	[esp+168h+var_11C], eax
		lea	eax, [esp+168h+var_120]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		lea	eax, [esp+168h+var_124]
		xor	ecx, ecx
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	eax, edi
		sub	eax, [esp+168h+var_124]
		cmp	eax, 4
		jb	short loc_785D36
		mov	ecx, [esp+168h+var_120]
		lea	eax, [esp+168h+var_120]
		push	eax
		push	4
		pop	edx
		mov	edi, [ecx]
		mov	[esp+16Ch+var_114], edi
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	ecx, [esp+168h+var_124]
		lea	eax, [esp+168h+var_124]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	eax, [esp+168h+var_E4]
		mov	ecx, [esp+168h+var_124]
		sub	eax, ecx
		cmp	eax, edi
		jb	loc_785D36
		lea	eax, [esp+168h+var_124]
		mov	edx, edi
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	edx, [esp+168h+var_E4]
		mov	ebx, [esp+168h+var_AC]
		mov	ecx, [esp+168h+var_120]
		add	ecx, edi
		lea	eax, [edx+ebx]
		cmp	eax, ecx
		jb	loc_785F14
		mov	eax, [esp+168h+var_120]
		sub	edx, edi
		sub	edx, eax
		add	edx, ebx
		cmp	edx, 8
		jnb	loc_785F14
		xor	ecx, ecx
		xor	ebx, ebx
		and	[esp+168h+var_144], ecx
		and	[esp+168h+var_E8], ecx
		mov	[esp+168h+var_F0], ecx
		test	eax, eax
		jz	short loc_785E97
		mov	edx, [esp+168h+var_114]
		lea	ecx, [esp+168h+var_144]
		push	ecx
		mov	ecx, eax
		mov	edi, eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	ecx, [esp+168h+var_144]
		cmp	edi, ecx
		jnb	short loc_785E8D
		mov	edx, [esp+168h+var_E8]

loc_785E5C:				; CODE XREF: sub_785212+C77j
		lea	eax, [edi+4]
		cmp	eax, edi
		jb	short loc_785EC7
		cmp	eax, ecx
		ja	short loc_785EC0
		mov	eax, [edi]
		add	eax, 4
		cmp	eax, 4
		jb	short loc_785EB9
		add	eax, edi
		cmp	eax, edi
		jb	short loc_785EC7
		mov	edi, eax
		xor	ebx, ebx
		cmp	edi, ecx
		ja	short loc_785EC0
		inc	edx
		mov	[esp+168h+var_E8], edx
		cmp	edi, ecx
		jb	short loc_785E5C
		cmp	edi, ecx

loc_785E8D:				; CODE XREF: sub_785212+C41j
		jnz	short loc_785EC0
		mov	edi, [esp+168h+var_114]
		mov	ecx, [esp+168h+var_F0]

loc_785E97:				; CODE XREF: sub_785212+C1Dj
		test	edi, edi
		jz	short loc_785ED0
		push	20534C53h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+168h+var_F0], ecx
		test	ecx, ecx
		jnz	short loc_785ECE
		mov	ebx, 0C0000017h
		jmp	short loc_785EFD
; 

loc_785EB9:				; CODE XREF: sub_785212+C5Dj
		mov	ebx, 0C0000095h
		jmp	short loc_785EFD
; 

loc_785EC0:				; CODE XREF: sub_785212+C53j
					; sub_785212+C6Bj ...
		mov	ebx, 0C000000Dh
		jmp	short loc_785F19
; 

loc_785EC7:				; CODE XREF: sub_785212+C4Fj
					; sub_785212+C63j
		mov	ebx, 0C0000095h
		jmp	short loc_785F19
; 

loc_785ECE:				; CODE XREF: sub_785212+C9Ej
		xor	ebx, ebx

loc_785ED0:				; CODE XREF: sub_785212+C87j
		mov	eax, [esp+168h+var_120]
		test	eax, eax
		jz	short loc_785EEA
		push	edi		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	ecx, [esp+174h+var_F0]
		add	esp, 0Ch

loc_785EEA:				; CODE XREF: sub_785212+CC4j
		mov	eax, [esp+168h+var_E8]
		mov	[esp+168h+var_108], ecx
		mov	[esp+168h+var_10C], edi
		mov	[esp+168h+var_110], eax

loc_785EFD:				; CODE XREF: sub_785212+CA5j
					; sub_785212+CACj
		test	ebx, ebx
		js	loc_787CBD
		mov	eax, [esp+168h+var_11C]
		cmp	eax, [esp+168h+var_110]
		jz	short loc_785F19
		jmp	loc_785D36
; 

loc_785F14:				; CODE XREF: sub_785212+BEFj
					; sub_785212+C02j
		mov	ebx, 0C000003Eh

loc_785F19:				; CODE XREF: sub_785212+CB3j
					; sub_785212+CBAj ...
		test	ebx, ebx
		js	loc_787CBD
		xor	edi, edi
		and	[esp+168h+var_11C], edi
		cmp	[esp+168h+var_108], edi
		jnz	short loc_785F34

loc_785F2D:				; CODE XREF: sub_785212+D26j
		mov	ebx, 0C000000Dh
		jmp	short loc_785F85
; 

loc_785F34:				; CODE XREF: sub_785212+D19j
		cmp	[esp+168h+var_110], edi
		jbe	short loc_785F2D
		mov	eax, [esp+168h+var_108]
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_785F4B
		xor	ebx, ebx
		jmp	short loc_785F53
; 

loc_785F4B:				; CODE XREF: sub_785212+D33j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_785F53:				; CODE XREF: sub_785212+D37j
		test	ebx, ebx
		js	short loc_785F63
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_785F67
; 

loc_785F63:				; CODE XREF: sub_785212+D43j
		mov	eax, [esp+168h+var_11C]

loc_785F67:				; CODE XREF: sub_785212+D4Fj
		test	ebx, ebx
		js	short loc_785F7E
		cmp	eax, 4
		jz	short loc_785F7A
		mov	ebx, 0C0000023h
		jmp	loc_787CBD
; 

loc_785F7A:				; CODE XREF: sub_785212+D5Cj
		mov	edi, [edi]
		jmp	short loc_785F85
; 

loc_785F7E:				; CODE XREF: sub_785212+D57j
		mov	edi, [esp+168h+var_E0]

loc_785F85:				; CODE XREF: sub_785212+D20j
					; sub_785212+D6Aj
		test	ebx, ebx
		js	loc_787CBD
		cmp	[esp+168h+var_108], 0
		jnz	short loc_785FA6
		mov	esi, [esp+168h+var_15C]
		mov	ebx, 0C000000Dh
		mov	edi, [esp+168h+var_158]
		jmp	loc_787CD8
; 

loc_785FA6:				; CODE XREF: sub_785212+D80j
		cmp	[esp+168h+var_110], 1
		ja	short loc_785FB7

loc_785FAD:				; CODE XREF: sub_785212+E3Ej
					; sub_785212+244Fj ...
		mov	ebx, 0C000000Dh
		jmp	loc_787CBD
; 

loc_785FB7:				; CODE XREF: sub_785212+D99j
		mov	eax, [esp+168h+var_108]
		and	[esp+168h+var_144], 0

loc_785FC0:				; CODE XREF: sub_785212+DFCj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_785FCD
		xor	ebx, ebx
		jmp	short loc_785FD5
; 

loc_785FCD:				; CODE XREF: sub_785212+DB5j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_785FD5:				; CODE XREF: sub_785212+DB9j
		mov	[esp+168h+var_E0], ecx
		test	ebx, ebx
		js	loc_787CBD
		lea	eax, [esp+168h+var_E0]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	edx, [esp+168h+var_144]
		mov	eax, [esp+168h+var_E0]
		inc	edx
		mov	[esp+168h+var_144], edx
		cmp	edx, 1
		jb	short loc_785FC0
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_78601D
		xor	ebx, ebx
		jmp	short loc_786025
; 

loc_78601D:				; CODE XREF: sub_785212+E05j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_786025:				; CODE XREF: sub_785212+E09j
		test	ebx, ebx
		js	loc_787CBD
		mov	eax, edx
		mov	[esp+168h+var_C0], edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[esp+168h+var_D4], eax
		test	ebx, ebx
		js	loc_787CBD
		cmp	[esp+168h+var_110], 2
		jbe	loc_785FAD
		mov	eax, [esp+168h+var_108]
		and	[esp+168h+var_144], 0

loc_78605F:				; CODE XREF: sub_785212+E92j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_78606C
		xor	ebx, ebx
		jmp	short loc_786074
; 

loc_78606C:				; CODE XREF: sub_785212+E54j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_786074:				; CODE XREF: sub_785212+E58j
		mov	[esp+168h+var_F0], ecx
		test	ebx, ebx
		js	loc_787CBD
		lea	eax, [esp+168h+var_F0]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	edx, [esp+168h+var_144]
		mov	eax, [esp+168h+var_F0]
		inc	edx
		mov	[esp+168h+var_144], edx
		cmp	edx, 2
		jb	short loc_78605F
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_7860B3
		xor	ebx, ebx
		jmp	short loc_7860BB
; 

loc_7860B3:				; CODE XREF: sub_785212+E9Bj
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_7860BB:				; CODE XREF: sub_785212+E9Fj
		test	ebx, ebx
		js	loc_787CBD
		mov	eax, edx
		mov	[esp+168h+var_DC], edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[esp+168h+var_13C], eax
		test	ebx, ebx
		js	loc_787CBD
		push	20534C53h
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+168h+var_134], ebx
		test	ebx, ebx
		jnz	short loc_786100
		mov	ebx, 0C0000017h
		jmp	loc_786223
; 

loc_786100:				; CODE XREF: sub_785212+EE2j
		xor	eax, eax
		mov	[ebx+0Ch], eax
		mov	[ebx+10h], eax
		mov	[ebx+14h], eax
		mov	[ebx], eax
		mov	[ebx+4], eax
		cmp	[esp+168h+var_D4], eax
		jz	short loc_786168
		mov	eax, [esp+168h+var_C0]
		mov	[ebx+8], eax
		test	eax, eax
		jnz	short loc_786131

loc_786127:				; CODE XREF: sub_785212+F6Fj
		mov	ebx, 0C000003Eh
		jmp	loc_7861C2
; 

loc_786131:				; CODE XREF: sub_785212+F13j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_786149

loc_786142:				; CODE XREF: sub_785212+F80j
		mov	ebx, 0C0000017h
		jmp	short loc_7861C2
; 

loc_786149:				; CODE XREF: sub_785212+F2Ej
		mov	[ebx+0Ch], eax
		mov	edx, [esp+168h+var_C0]
		push	edx		; size_t
		push	[esp+16Ch+var_D4] ; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		jmp	short loc_78616E
; 

loc_786168:				; CODE XREF: sub_785212+F05j
		mov	[ebx+8], eax
		mov	[ebx+0Ch], eax

loc_78616E:				; CODE XREF: sub_785212+F54j
		cmp	[esp+168h+var_13C], 0
		jz	short loc_7861B0
		mov	eax, [esp+168h+var_DC]
		mov	[ebx+10h], eax
		test	eax, eax
		jz	short loc_786127
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_786142
		mov	[ebx+14h], eax
		mov	edx, [esp+168h+var_DC]
		push	edx		; size_t
		push	[esp+16Ch+var_13C] ; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		jmp	short loc_7861B6
; 

loc_7861B0:				; CODE XREF: sub_785212+F61j
		mov	[ebx+10h], eax
		mov	[ebx+14h], eax

loc_7861B6:				; CODE XREF: sub_785212+F9Cj
		mov	esi, ebx
		mov	[esp+168h+var_15C], ebx
		mov	[esp+168h+var_134], eax
		mov	ebx, eax

loc_7861C2:				; CODE XREF: sub_785212+F1Aj
					; sub_785212+F35j
		mov	eax, [esp+168h+var_134]
		test	eax, eax
		jz	short loc_786223
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_7861E4
		push	20534C53h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+168h+var_134]
		and	dword ptr [eax+4], 0

loc_7861E4:				; CODE XREF: sub_785212+FBDj
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jz	short loc_7861FE
		push	20534C53h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+168h+var_134]
		and	dword ptr [eax+0Ch], 0

loc_7861FE:				; CODE XREF: sub_785212+FD7j
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	short loc_786218
		push	20534C53h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+168h+var_134]
		and	dword ptr [eax+14h], 0

loc_786218:				; CODE XREF: sub_785212+FF1j
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_786223:				; CODE XREF: sub_785212+EE9j
					; sub_785212+FB6j
		test	ebx, ebx
		js	loc_787CBD
		cmp	edi, 6Ah
		ja	loc_786C78
		jz	loc_786C62
		cmp	edi, 17h
		ja	loc_786BA4
		jz	loc_7866F1
		cmp	edi, 5
		ja	loc_786694
		jz	loc_78667E
		xor	ecx, ecx
		sub	edi, ecx
		jz	loc_786666
		sub	edi, 1
		jz	loc_78630C
		sub	edi, 1
		jz	short loc_78629A
		dec	edi
		sub	edi, 1
		jnz	loc_786DA9
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A14547

loc_78628B:				; CODE XREF: sub_785212+19FFj
					; sub_785212+1A0Bj
		mov	esi, [esp+168h+var_15C]
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_7862B7
		jmp	loc_787CC1
; 

loc_78629A:				; CODE XREF: sub_785212+105Cj
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	[ebp+arg_0]
		call	SPCallServerHandleAuthenticateCaller

loc_7862A9:				; CODE XREF: sub_785212+118Ej
					; sub_785212+1467j ...
		mov	ebx, eax

loc_7862AB:				; CODE XREF: sub_785212+1E63j
					; sub_785212+1F00j ...
		test	ebx, ebx
		js	loc_787CBD

loc_7862B3:				; CODE XREF: sub_785212+14D4j
		mov	esi, [esp+168h+var_15C]

loc_7862B7:				; CODE XREF: sub_785212+1081j
					; sub_785212+157Bj
		rdtsc
		mov	[esp+168h+var_11C], eax
		mov	[esp+168h+var_D0], edx
		push	8
		pop	ecx
		mov	[esp+168h+var_A0], ecx
		mov	edx, [esp+168h+var_FC]
		lea	eax, [esp+168h+var_A0]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CC1
		mov	eax, [esp+168h+var_A0]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		mov	[esp+168h+var_144], ecx
		cmp	ecx, eax
		jnb	loc_78756F
		mov	ebx, 0C0000095h
		jmp	loc_787633
; 

loc_78630C:				; CODE XREF: sub_785212+1053j
		xor	eax, eax
		mov	ebx, ds:dword_A93EEC
		lea	edi, [esp+168h+var_40]
		mov	[esp+168h+var_98], ecx
		stosd
		mov	[esp+168h+var_A8], ecx
		mov	[esp+168h+var_13C], ebx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+168h+var_60]
		stosd
		stosd
		stosd
		stosd
		push	dword ptr [ebx+12Ch]
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	dword ptr [ebx+128h]
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	dword ptr [ebx+0E4h]
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 20h
		push	20534C53h
		add	esi, eax
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_7863A5
		mov	ebx, 0C0000017h

loc_786381:				; CODE XREF: sub_785212+12C7j
		mov	esi, [esp+168h+var_15C]

loc_786385:				; CODE XREF: sub_785212+1445j
		test	ebx, ebx
		js	loc_787CBD
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	[ebp+arg_0]
		lea	ecx, [esp+170h+var_110]
		call	SPCallServerHandleUpdatePolicies
		jmp	loc_7862A9
; 

loc_7863A5:				; CODE XREF: sub_785212+1168j
		push	2		; int
		push	esi		; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7864CC
		mov	eax, [esp+168h+var_13C]
		mov	ecx, edi
		push	0
		mov	eax, [eax+128h]
		push	eax
		push	20h
		pop	esi
		push	esi
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7864CC
		mov	eax, [esp+168h+var_13C]
		mov	ecx, edi
		push	0
		mov	eax, [eax+12Ch]
		push	eax
		push	esi
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7864CC
		mov	eax, [esp+168h+var_13C]
		mov	ecx, edi
		push	0
		mov	eax, [eax+0E4h]
		push	eax
		push	esi
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7864CC
		push	1
		lea	eax, [esp+16Ch+var_40]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7864CC
		push	0
		push	edi
		push	1
		lea	eax, [esp+174h+var_40]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	ebx, eax
		mov	[esp+168h+var_134], ebx
		test	ebx, ebx
		js	short loc_7864CC
		lea	eax, [esp+168h+var_60]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		lea	eax, [esp+168h+var_A8]
		push	eax
		lea	eax, [esp+16Ch+var_98]
		push	eax
		push	1
		push	(offset	loc_A3F6BF+1)
		xor	eax, eax
		push	eax
		push	eax
		push	esi
		push	eax
		lea	eax, [esp+188h+var_60]
		push	eax
		lea	eax, [esp+18Ch+var_40]
		push	eax
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	bl, al
		lea	eax, [esp+168h+var_60]
		push	eax
		call	SeReleaseSubjectContext
		test	bl, bl
		mov	ebx, [esp+168h+var_A8]
		jz	short loc_7864CC
		mov	ebx, [esp+168h+var_134]

loc_7864CC:				; CODE XREF: sub_785212+11A0j
					; sub_785212+11C7j ...
		push	20534C53h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		js	loc_786381
		xor	eax, eax
		push	8
		pop	ecx
		mov	[esp+168h+var_94], eax
		mov	[esp+168h+var_78], eax
		lea	eax, [esp+168h+var_94]
		push	eax
		push	ecx
		lea	eax, [esp+170h+var_7C]
		mov	[esp+170h+var_7C], ecx
		push	eax
		push	67h
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	edx, [esp+168h+var_158]
		cmp	dword ptr [edx+8], 0A0h
		jnz	loc_78665C
		mov	ebx, [edx+0Ch]
		mov	edi, offset dword_A42648
		push	28h
		xor	esi, esi
		pop	ecx

loc_78652F:				; CODE XREF: sub_785212+1328j
		mov	eax, [edi+esi*4]
		cmp	eax, [ebx+esi*4]
		jnz	short loc_7865AA
		inc	esi
		cmp	esi, ecx
		jnz	short loc_78652F
		mov	esi, [esp+168h+var_15C]
		cmp	dword ptr [esi+8], 0A0h
		jnz	short loc_7865AE
		mov	eax, [esi+0Ch]
		xor	edi, edi
		mov	[esp+168h+var_11C], eax

loc_786552:				; CODE XREF: sub_785212+1358j
		mov	edx, [esp+168h+var_11C]
		mov	eax, offset dword_A41E88
		mov	eax, [eax+edi*4]
		cmp	eax, [edx+edi*4]
		mov	edx, [esp+168h+var_158]
		jnz	short loc_7865AE
		inc	edi
		cmp	edi, ecx
		jnz	short loc_786552
		cmp	dword ptr [edx+10h], 8
		jnz	short loc_7865AE
		mov	edi, [edx+14h]
		mov	eax, ds:dword_A41C68
		cmp	eax, [edi]
		jnz	short loc_7865AE
		mov	eax, ds:dword_A41C6C
		cmp	eax, [edi+4]
		jnz	short loc_7865AE
		cmp	dword ptr [esi+10h], 8
		jnz	short loc_7865AE
		mov	edi, [esi+14h]
		mov	eax, ds:dword_A428E0
		cmp	eax, [edi]
		jnz	short loc_7865AE
		mov	eax, ds:dword_A428E4
		cmp	eax, [edi+4]
		jz	loc_78662C
		jmp	short loc_7865AE
; 

loc_7865AA:				; CODE XREF: sub_785212+1323j
		mov	esi, [esp+168h+var_15C]

loc_7865AE:				; CODE XREF: sub_785212+1335j
					; sub_785212+1353j ...
		mov	eax, offset dword_A42278
		xor	edi, edi

loc_7865B5:				; CODE XREF: sub_785212+13B7j
		mov	eax, [eax+edi*4]
		cmp	eax, [ebx+edi*4]
		jnz	loc_78665C
		inc	edi
		mov	eax, offset dword_A42278
		cmp	edi, ecx
		jnz	short loc_7865B5
		cmp	dword ptr [esi+8], 0A0h
		jnz	loc_78665C
		mov	ebx, [esi+0Ch]
		mov	eax, offset dword_A42798
		xor	edi, edi

loc_7865E2:				; CODE XREF: sub_785212+13E0j
		mov	eax, [eax+edi*4]
		cmp	eax, [ebx+edi*4]
		jnz	short loc_78665C
		inc	edi
		mov	eax, offset dword_A42798
		cmp	edi, ecx
		jnz	short loc_7865E2
		cmp	dword ptr [edx+10h], 8
		jnz	short loc_78665C
		mov	ecx, [edx+14h]
		mov	edi, offset dword_A41C70
		mov	eax, [edi]
		cmp	eax, [ecx]
		jnz	short loc_78665C
		mov	eax, [edi+4]
		cmp	eax, [ecx+4]
		jnz	short loc_78665C
		cmp	dword ptr [esi+10h], 8
		jnz	short loc_78665C
		mov	ecx, [esi+14h]
		mov	edx, offset dword_A42118
		mov	eax, [edx]
		cmp	eax, [ecx]
		jnz	short loc_78665C
		mov	eax, [edx+4]
		cmp	eax, [ecx+4]
		jnz	short loc_78665C

loc_78662C:				; CODE XREF: sub_785212+1390j
		and	[esp+168h+var_64], 0
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsIsProtectedProcess@4	; PsIsProtectedProcess(x)
		mov	ebx, eax
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 7FF8FFFBh
		add	ebx, 80070005h
		jmp	loc_786385
; 

loc_78665C:				; CODE XREF: sub_785212+130Aj
					; sub_785212+13A9j ...
		mov	ebx, 80070005h
		jmp	loc_787CBD
; 

loc_786666:				; CODE XREF: sub_785212+104Aj
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	[ebp+arg_0]
		lea	ecx, [esp+170h+var_110]
		call	sub_787DE0
		jmp	loc_7862A9
; 

loc_78667E:				; CODE XREF: sub_785212+1040j
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	SPCallServerHandleWaitForDisplayWindow
		jmp	loc_7862A9
; 

loc_786694:				; CODE XREF: sub_785212+103Aj
		sub	edi, 6
		jz	short loc_7866D1
		sub	edi, 1
		jz	short loc_7866BB
		sub	edi, 0Fh
		jnz	loc_786DA9
		lea	eax, [esp+168h+var_100]
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A175DB
		jmp	loc_7862A9
; 

loc_7866BB:				; CODE XREF: sub_785212+148Aj
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A1894B
		jmp	loc_7862A9
; 

loc_7866D1:				; CODE XREF: sub_785212+1485j
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A1A71D

loc_7866E2:				; CODE XREF: sub_785212+2358j
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_7862B3
		jmp	loc_787CBD
; 

loc_7866F1:				; CODE XREF: sub_785212+1031j
		xor	eax, eax
		mov	ebx, ds:dword_A93EEC
		lea	edi, [esp+168h+var_2C]
		and	[esp+168h+var_90], 0
		stosd
		and	[esp+168h+var_A4], 0
		mov	[esp+168h+var_13C], ebx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+168h+var_50]
		stosd
		stosd
		stosd
		stosd
		push	dword ptr [ebx+12Ch]
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	dword ptr [ebx+128h]
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	dword ptr [ebx+0E4h]
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 20h
		push	20534C53h
		add	esi, eax
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_786792
		mov	ebx, 0C0000017h

loc_786768:				; CODE XREF: sub_785212+16B4j
		mov	esi, [esp+168h+var_15C]

loc_78676C:				; CODE XREF: sub_785212+1951j
					; sub_785212+195Fj ...
		test	ebx, ebx
		js	loc_787CC1
		lea	eax, [esp+168h+var_100]
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A16F7C

loc_786783:				; CODE XREF: sub_785212+19E9j
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CC1
		jmp	loc_7862B7
; 

loc_786792:				; CODE XREF: sub_785212+154Fj
		push	2		; int
		push	esi		; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7868B9
		mov	eax, [esp+168h+var_13C]
		mov	ecx, edi
		push	0
		mov	eax, [eax+128h]
		push	eax
		push	20h
		pop	esi
		push	esi
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7868B9
		mov	eax, [esp+168h+var_13C]
		mov	ecx, edi
		push	0
		mov	eax, [eax+12Ch]
		push	eax
		push	esi
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7868B9
		mov	eax, [esp+168h+var_13C]
		mov	ecx, edi
		push	0
		mov	eax, [eax+0E4h]
		push	eax
		push	esi
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7868B9
		push	1
		lea	eax, [esp+16Ch+var_2C]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7868B9
		push	0
		push	edi
		push	1
		lea	eax, [esp+174h+var_2C]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	ebx, eax
		mov	[esp+168h+var_134], ebx
		test	ebx, ebx
		js	short loc_7868B9
		lea	eax, [esp+168h+var_50]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		lea	eax, [esp+168h+var_A4]
		push	eax
		lea	eax, [esp+16Ch+var_90]
		push	eax
		push	1
		push	(offset	loc_A3F6BF+1)
		xor	eax, eax
		push	eax
		push	eax
		push	esi
		push	eax
		lea	eax, [esp+188h+var_50]
		push	eax
		lea	eax, [esp+18Ch+var_2C]
		push	eax
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	bl, al
		lea	eax, [esp+168h+var_50]
		push	eax
		call	SeReleaseSubjectContext
		test	bl, bl
		mov	ebx, [esp+168h+var_A4]
		jz	short loc_7868B9
		mov	ebx, [esp+168h+var_134]

loc_7868B9:				; CODE XREF: sub_785212+158Dj
					; sub_785212+15B4j ...
		push	20534C53h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		js	loc_786768
		xor	eax, eax
		mov	[esp+168h+var_74], 8
		mov	[esp+168h+var_8C], eax
		mov	[esp+168h+var_70], eax
		lea	eax, [esp+168h+var_8C]
		push	eax
		push	8
		lea	eax, [esp+170h+var_74]
		push	eax
		push	67h
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	edx, [esp+168h+var_158]
		push	28h
		pop	ecx
		mov	esi, [edx+8]
		mov	[esp+168h+var_D0], esi
		cmp	esi, 0A0h
		jnz	loc_786A22
		mov	ebx, [edx+0Ch]
		mov	edi, offset dword_A423C0
		xor	esi, esi

loc_786927:				; CODE XREF: sub_785212+1720j
		mov	eax, [edi+esi*4]
		cmp	eax, [ebx+esi*4]
		jnz	short loc_7869A2
		inc	esi
		cmp	esi, ecx
		jnz	short loc_786927
		mov	esi, [esp+168h+var_15C]
		cmp	dword ptr [esi+8], 0A0h
		jnz	short loc_7869A6
		mov	eax, [esi+0Ch]
		xor	edi, edi
		mov	[esp+168h+var_11C], eax

loc_78694A:				; CODE XREF: sub_785212+1750j
		mov	edx, [esp+168h+var_11C]
		mov	eax, offset dword_A42460
		mov	eax, [eax+edi*4]
		cmp	eax, [edx+edi*4]
		mov	edx, [esp+168h+var_158]
		jnz	short loc_7869A6
		inc	edi
		cmp	edi, ecx
		jnz	short loc_78694A
		cmp	dword ptr [edx+10h], 8
		jnz	short loc_7869A6
		mov	edi, [edx+14h]
		mov	eax, ds:dword_A42270
		cmp	eax, [edi]
		jnz	short loc_7869A6
		mov	eax, ds:dword_A42274
		cmp	eax, [edi+4]
		jnz	short loc_7869A6
		cmp	dword ptr [esi+10h], 8
		jnz	short loc_7869A6
		mov	edi, [esi+14h]
		mov	eax, ds:dword_A428E8
		cmp	eax, [edi]
		jnz	short loc_7869A6
		mov	eax, ds:dword_A428EC
		cmp	eax, [edi+4]
		jz	loc_786B41
		jmp	short loc_7869A6
; 

loc_7869A2:				; CODE XREF: sub_785212+171Bj
		mov	esi, [esp+168h+var_15C]

loc_7869A6:				; CODE XREF: sub_785212+172Dj
					; sub_785212+174Bj ...
		mov	eax, offset dword_A41FD8
		xor	edi, edi

loc_7869AD:				; CODE XREF: sub_785212+17ABj
		mov	eax, [eax+edi*4]
		cmp	eax, [ebx+edi*4]
		jnz	short loc_786A26
		inc	edi
		mov	eax, offset dword_A41FD8
		cmp	edi, ecx
		jnz	short loc_7869AD
		cmp	dword ptr [esi+8], 0A0h
		jnz	short loc_786A26
		mov	ebx, [esi+0Ch]
		mov	eax, offset dword_A41C78
		xor	edi, edi

loc_7869D2:				; CODE XREF: sub_785212+17D0j
		mov	eax, [eax+edi*4]
		cmp	eax, [ebx+edi*4]
		jnz	short loc_786A26
		inc	edi
		mov	eax, offset dword_A41C78
		cmp	edi, ecx
		jnz	short loc_7869D2
		cmp	dword ptr [edx+10h], 8
		jnz	short loc_786A26
		mov	edi, [edx+14h]
		mov	ebx, offset dword_A42990
		mov	eax, [ebx]
		cmp	eax, [edi]
		jnz	short loc_786A26
		mov	eax, [ebx+4]
		cmp	eax, [edi+4]
		jnz	short loc_786A26
		cmp	dword ptr [esi+10h], 8
		jnz	short loc_786A26
		mov	edi, [esi+14h]
		mov	ebx, offset dword_A41DC8
		mov	eax, [ebx]
		cmp	eax, [edi]
		jnz	short loc_786A26
		mov	eax, [ebx+4]
		cmp	eax, [edi+4]
		jz	loc_786B41
		jmp	short loc_786A26
; 

loc_786A22:				; CODE XREF: sub_785212+1705j
		mov	esi, [esp+168h+var_15C]

loc_786A26:				; CODE XREF: sub_785212+17A1j
					; sub_785212+17B4j ...
		cmp	[esp+168h+var_D0], 0A0h
		jnz	loc_786B9A
		mov	ebx, [edx+0Ch]
		mov	eax, offset dword_A41D28
		xor	edi, edi

loc_786A41:				; CODE XREF: sub_785212+183Fj
		mov	eax, [eax+edi*4]
		cmp	eax, [ebx+edi*4]
		jnz	short loc_786ABB
		inc	edi
		mov	eax, offset dword_A41D28
		cmp	edi, ecx
		jnz	short loc_786A41
		cmp	dword ptr [esi+8], 0A0h
		jnz	short loc_786ABB
		mov	eax, [esi+0Ch]
		xor	edi, edi
		mov	[esp+168h+var_11C], eax

loc_786A65:				; CODE XREF: sub_785212+186Bj
		mov	edx, [esp+168h+var_11C]
		mov	eax, offset dword_A426F8
		mov	eax, [eax+edi*4]
		cmp	eax, [edx+edi*4]
		mov	edx, [esp+168h+var_158]
		jnz	short loc_786ABB
		inc	edi
		cmp	edi, ecx
		jnz	short loc_786A65
		cmp	dword ptr [edx+10h], 8
		jnz	short loc_786ABB
		mov	edi, [edx+14h]
		mov	eax, ds:dword_A425A0
		cmp	eax, [edi]
		jnz	short loc_786ABB
		mov	eax, ds:dword_A425A4
		cmp	eax, [edi+4]
		jnz	short loc_786ABB
		cmp	dword ptr [esi+10h], 8
		jnz	short loc_786ABB
		mov	edi, [esi+14h]
		mov	eax, ds:dword_A423B8
		cmp	eax, [edi]
		jnz	short loc_786ABB
		mov	eax, ds:dword_A423BC
		cmp	eax, [edi+4]
		jz	loc_786B41

loc_786ABB:				; CODE XREF: sub_785212+1835j
					; sub_785212+1848j ...
		mov	eax, offset dword_A42130
		xor	edi, edi

loc_786AC2:				; CODE XREF: sub_785212+18C4j
		mov	eax, [eax+edi*4]
		cmp	eax, [ebx+edi*4]
		jnz	loc_786B9A
		inc	edi
		mov	eax, offset dword_A42130
		cmp	edi, ecx
		jnz	short loc_786AC2
		cmp	dword ptr [esi+8], 0A0h
		jnz	loc_786B9A
		mov	ebx, [esi+0Ch]
		mov	eax, offset dword_A42318
		xor	edi, edi

loc_786AEF:				; CODE XREF: sub_785212+18F1j
		mov	eax, [eax+edi*4]
		cmp	eax, [ebx+edi*4]
		jnz	loc_786B9A
		inc	edi
		mov	eax, offset dword_A42318
		cmp	edi, ecx
		jnz	short loc_786AEF
		cmp	dword ptr [edx+10h], 8
		jnz	loc_786B9A
		mov	ecx, [edx+14h]
		mov	edi, offset dword_A41D18
		mov	eax, [edi]
		cmp	eax, [ecx]
		jnz	short loc_786B9A
		mov	eax, [edi+4]
		cmp	eax, [ecx+4]
		jnz	short loc_786B9A
		cmp	dword ptr [esi+10h], 8
		jnz	short loc_786B9A
		mov	ecx, [esi+14h]
		mov	edx, offset dword_A426F0
		mov	eax, [edx]
		cmp	eax, [ecx]
		jnz	short loc_786B9A
		mov	eax, [edx+4]
		cmp	eax, [ecx+4]
		jnz	short loc_786B9A

loc_786B41:				; CODE XREF: sub_785212+1788j
					; sub_785212+1808j ...
		lea	eax, [esp+168h+var_B4]
		xor	ebx, ebx
		and	[esp+168h+var_B4], ebx
		push	eax
		call	ds:__imp__QueryUpdateFileEaAllowedExt@4	; QueryUpdateFileEaAllowedExt(x)
		cmp	eax, 0C00000BBh
		jz	short loc_786B77
		mov	ebx, eax
		test	eax, eax
		js	loc_78676C
		cmp	[esp+16Ch+var_B8], 1
		jz	loc_78676C

loc_786B77:				; CODE XREF: sub_785212+194Bj
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsIsProtectedProcess@4	; PsIsProtectedProcess(x)
		test	eax, eax
		jnz	loc_78676C
		mov	ebx, 80070005h
		jmp	loc_78676C
; 

loc_786B9A:				; CODE XREF: sub_785212+181Fj
					; sub_785212+18B6j ...
		mov	ebx, 80070005h
		jmp	loc_787CC1
; 

loc_786BA4:				; CODE XREF: sub_785212+102Bj
		sub	edi, 18h
		jz	loc_786C4E
		sub	edi, 4Ch
		jz	loc_786C38
		sub	edi, 1
		jz	short loc_786C22
		sub	edi, 1
		jz	short loc_786C16
		sub	edi, 1
		jz	short loc_786C00
		sub	edi, 1
		jz	short loc_786BE6
		sub	edi, 1
		jnz	loc_786DA9
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A18362
		jmp	short loc_786BF7
; 

loc_786BE6:				; CODE XREF: sub_785212+19B6j
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A18CA8

loc_786BF7:				; CODE XREF: sub_785212+19D2j
					; sub_785212+1BA0j
		mov	esi, [esp+168h+var_15C]
		jmp	loc_786783
; 

loc_786C00:				; CODE XREF: sub_785212+19B1j
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A155DC
		jmp	loc_78628B
; 

loc_786C16:				; CODE XREF: sub_785212+19ACj
		push	ecx
		push	ecx
		call	sub_A18941
		jmp	loc_78628B
; 

loc_786C22:				; CODE XREF: sub_785212+19A7j
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A19A09
		jmp	loc_7862A9
; 

loc_786C38:				; CODE XREF: sub_785212+199Ej
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A19E9C
		jmp	loc_7862A9
; 

loc_786C4E:				; CODE XREF: sub_785212+1995j
		lea	eax, [esp+168h+var_100]
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A16A58
		jmp	loc_7862A9
; 

loc_786C62:				; CODE XREF: sub_785212+1022j
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A17A38
		jmp	loc_7862A9
; 

loc_786C78:				; CODE XREF: sub_785212+101Cj
		mov	eax, 0CDh
		cmp	edi, eax
		ja	loc_786D6B
		jz	loc_786D55
		sub	edi, 6Bh
		jz	loc_786D3F
		dec	edi
		sub	edi, 1
		jz	loc_786D29
		sub	edi, 1
		jz	short loc_786D13
		sub	edi, 1
		jz	short loc_786CFD
		sub	edi, 1
		jz	short loc_786CE7
		sub	edi, 1
		jz	short loc_786CD1
		sub	edi, 5Bh
		jnz	loc_786DA9
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A1A21B
		jmp	loc_7862A9
; 

loc_786CD1:				; CODE XREF: sub_785212+1A9Ej
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	SPCallServerHandleClepKdf
		jmp	loc_7862A9
; 

loc_786CE7:				; CODE XREF: sub_785212+1A99j
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A1506F
		jmp	loc_7862A9
; 

loc_786CFD:				; CODE XREF: sub_785212+1A94j
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A14D17
		jmp	loc_7862A9
; 

loc_786D13:				; CODE XREF: sub_785212+1A8Fj
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A1650D
		jmp	loc_7862A9
; 

loc_786D29:				; CODE XREF: sub_785212+1A86j
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	SPCallServerHandleIsAppLicensed
		jmp	loc_7862A9
; 

loc_786D3F:				; CODE XREF: sub_785212+1A7Cj
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_69349C
		jmp	loc_7862A9
; 

loc_786D55:				; CODE XREF: sub_785212+1A73j
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A14998
		jmp	loc_7862A9
; 

loc_786D6B:				; CODE XREF: sub_785212+1A6Dj
		sub	edi, 0CEh
		jz	loc_7872DF
		sub	edi, 1
		jz	loc_7872C9
		sub	edi, 1
		jz	loc_7872B3
		sub	edi, 1
		jz	loc_78729D
		sub	edi, 1
		jz	loc_787287
		sub	edi, 1
		jz	loc_787271
		sub	edi, 1
		jz	short loc_786DB7

loc_786DA9:				; CODE XREF: sub_785212+1062j
					; sub_785212+148Fj ...
		lea	edx, [esp+168h+var_100]
		call	sub_A19D88
		jmp	loc_786BF7
; 

loc_786DB7:				; CODE XREF: sub_785212+1B95j
		xor	eax, eax
		cmp	[esp+168h+var_110], 3
		mov	[esp+168h+var_DC], eax
		mov	esi, eax
		mov	[esp+168h+var_D4], eax
		mov	[esp+168h+var_134], eax
		mov	[esp+168h+var_BC], eax
		mov	[esp+168h+var_114], eax
		mov	[esp+168h+var_D0], eax
		ja	short loc_786DF0
		mov	ebx, 0C000000Dh
		jmp	loc_786E7C
; 

loc_786DF0:				; CODE XREF: sub_785212+1BD2j
		mov	ecx, [esp+168h+var_108]
		mov	edi, eax
		mov	[esp+168h+var_148], ecx

loc_786DFA:				; CODE XREF: sub_785212+1C21j
		mov	eax, [ecx]
		mov	[esp+168h+var_11C], eax
		lea	eax, [esp+168h+var_148]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_786E58
		mov	edx, [esp+168h+var_11C]
		lea	eax, [esp+168h+var_148]
		mov	ecx, [esp+168h+var_148]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_786E58
		mov	ecx, [esp+168h+var_148]
		inc	edi
		cmp	edi, 3
		jb	short loc_786DFA
		mov	edi, [ecx]
		lea	eax, [esp+168h+var_148]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_786E58
		mov	esi, edi
		mov	eax, edi
		neg	esi
		sbb	esi, esi
		and	esi, [esp+168h+var_148]
		jmp	short loc_786E5A
; 

loc_786E58:				; CODE XREF: sub_785212+1BFFj
					; sub_785212+1C17j ...
		mov	eax, esi

loc_786E5A:				; CODE XREF: sub_785212+1C44j
		test	ebx, ebx
		js	short loc_786E7A
		cmp	eax, 8
		jnz	loc_78723E
		mov	eax, [esi]
		mov	[esp+168h+var_DC], eax
		mov	eax, [esi+4]
		mov	[esp+168h+var_D4], eax

loc_786E7A:				; CODE XREF: sub_785212+1C4Aj
		xor	eax, eax

loc_786E7C:				; CODE XREF: sub_785212+1BD9j
		test	ebx, ebx
		js	loc_787CBD
		cmp	[esp+168h+var_110], 4
		mov	esi, eax
		mov	edi, eax
		ja	short loc_786EB3
		mov	ebx, 0C000000Dh

loc_786E94:				; CODE XREF: sub_785212+1D34j
					; sub_785212+1D4Fj
		test	ebx, ebx
		js	loc_787CBD
		mov	eax, [esp+168h+var_134]

loc_786EA0:				; CODE XREF: sub_785212+1D69j
		cmp	eax, 4
		jz	loc_786F80

loc_786EA9:				; CODE XREF: sub_785212+1E1Cj
		mov	ebx, 0C0000206h
		jmp	loc_787CBD
; 

loc_786EB3:				; CODE XREF: sub_785212+1C7Bj
		mov	ecx, [esp+168h+var_108]
		mov	[esp+168h+var_F4], ecx
		mov	[esp+168h+var_144], eax

loc_786EBF:				; CODE XREF: sub_785212+1CF6j
		mov	eax, [ecx]
		mov	[esp+168h+var_11C], eax
		lea	eax, [esp+168h+var_F4]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	edx, [esp+168h+var_11C]
		lea	eax, [esp+168h+var_F4]
		mov	ecx, [esp+168h+var_F4]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	eax, [esp+168h+var_144]
		mov	ecx, [esp+168h+var_F4]
		inc	eax
		mov	[esp+168h+var_144], eax
		cmp	eax, 4
		jb	short loc_786EBF
		mov	eax, [ecx]
		mov	[esp+168h+var_11C], eax
		lea	eax, [esp+168h+var_F4]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	edi, [esp+168h+var_11C]
		mov	esi, edi
		neg	esi
		sbb	esi, esi
		and	esi, [esp+168h+var_F4]
		test	ebx, ebx
		js	loc_787CBD
		test	edi, edi
		jnz	short loc_786F4B
		mov	ebx, 0C000003Eh
		jmp	loc_786E94
; 

loc_786F4B:				; CODE XREF: sub_785212+1D2Dj
		push	20534C53h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_786F66
		mov	ebx, 0C0000017h
		jmp	loc_786E94
; 

loc_786F66:				; CODE XREF: sub_785212+1D48j
		push	edi		; size_t
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[esp+168h+var_114], esi
		mov	eax, edi
		mov	[esp+168h+var_134], edi
		jmp	loc_786EA0
; 

loc_786F80:				; CODE XREF: sub_785212+1C91j
		xor	esi, esi
		xor	edi, edi
		cmp	[esp+168h+var_110], 5
		ja	short loc_786F95
		mov	ebx, 0C000000Dh
		jmp	loc_78701C
; 

loc_786F95:				; CODE XREF: sub_785212+1D77j
		mov	ecx, [esp+168h+var_108]
		and	[esp+168h+var_144], esi
		mov	[esp+168h+var_128], ecx

loc_786FA1:				; CODE XREF: sub_785212+1DD0j
		mov	eax, [ecx]
		mov	[esp+168h+var_11C], eax
		lea	eax, [esp+168h+var_128]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_787018
		mov	edx, [esp+168h+var_11C]
		lea	eax, [esp+168h+var_128]
		mov	ecx, [esp+168h+var_128]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_787018
		mov	eax, [esp+168h+var_144]
		mov	ecx, [esp+168h+var_128]
		inc	eax
		mov	[esp+168h+var_144], eax
		cmp	eax, 5
		jb	short loc_786FA1
		mov	eax, [ecx]
		mov	[esp+168h+var_11C], eax
		lea	eax, [esp+168h+var_128]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_787018
		mov	edi, [esp+168h+var_11C]
		mov	esi, edi
		neg	esi
		sbb	esi, esi
		and	esi, [esp+168h+var_128]
		test	ebx, ebx
		js	short loc_787018
		test	edi, edi
		jnz	short loc_78707A
		mov	ebx, 0C000003Eh

loc_787018:				; CODE XREF: sub_785212+1DA6j
					; sub_785212+1DBEj ...
		mov	eax, [esp+168h+var_134]

loc_78701C:				; CODE XREF: sub_785212+1D7Ej
		test	ebx, ebx
		js	loc_787CBD
		mov	ecx, [esp+168h+var_D0]

loc_78702B:				; CODE XREF: sub_785212+1E8Fj
		cmp	eax, 8
		jnz	loc_786EA9
		push	dword ptr [ecx+4]
		mov	eax, [esp+16Ch+var_114]
		push	dword ptr [ecx]
		push	dword ptr [eax]
		call	ds:dword_A93ED4
		and	[esp+174h+var_144], 0
		mov	ecx, eax
		and	[esp+174h+var_120], 0
		lea	eax, [esp+174h+var_120]
		push	eax
		push	4
		pop	edx
		push	edx
		mov	[esp+17Ch+var_148], ecx
		pop	ecx
		call	RtlUIntAdd
		mov	esi, [esp+174h+var_120]
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_7870A3
		mov	esi, [esp+174h+var_C8]
		jmp	loc_7862AB
; 

loc_78707A:				; CODE XREF: sub_785212+1DFFj
		push	20534C53h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_787092
		mov	ebx, 0C0000017h
		jmp	short loc_787018
; 

loc_787092:				; CODE XREF: sub_785212+1E77j
		push	edi		; size_t
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, esi
		mov	eax, edi
		jmp	short loc_78702B
; 

loc_7870A3:				; CODE XREF: sub_785212+1E5Aj
		lea	eax, [esp+174h+var_144]
		mov	edx, esi
		push	eax
		xor	ecx, ecx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		and	[esp+174h+var_E4], 0
		lea	eax, [esp+174h+var_E4]
		push	eax
		push	8
		pop	edx
		push	4
		pop	ecx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	esi, [esp+174h+var_E4]
		mov	ecx, [esp+174h+var_144]
		lea	eax, [esp+174h+var_144]
		push	eax
		mov	edx, esi
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	esi, [esp+174h+var_144]
		mov	[esp+174h+var_108], esi
		test	esi, esi
		jnz	short loc_787117
		mov	ebx, 0C000003Eh
		jmp	loc_7862AB
; 

loc_787117:				; CODE XREF: sub_785212+1EF9j
		push	20534C53h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_787134
		mov	ebx, 0C0000017h
		jmp	loc_7862AB
; 

loc_787134:				; CODE XREF: sub_785212+1F16j
		mov	[esp+70h], edi
		xor	eax, eax
		mov	[esp+174h+var_10C], eax
		or	[esp+174h+var_148], 10000000h
		mov	[esp+174h+var_128], eax
		mov	[esp+174h+var_124], eax
		lea	eax, [esp+174h+var_124]
		mov	ecx, edi
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		xor	eax, eax
		test	ebx, ebx
		js	loc_787CBD
		lea	ecx, [edi+esi]
		lea	eax, [edi+8]
		cmp	eax, ecx
		ja	loc_78723E
		mov	eax, [esp+174h+var_124]
		mov	ecx, [esp+174h+var_148]
		mov	dword ptr [edi], 4
		mov	[eax], ecx
		xor	eax, eax
		inc	eax
		mov	[esp+174h+var_10C], eax
		test	ebx, ebx
		js	loc_787CBD
		and	[esp+174h+var_150], 0
		mov	esi, edi
		and	[esp+174h+var_DC], 0
		and	[esp+174h+var_D8], 0
		and	[esp+174h+var_120], 0
		mov	[esp+174h+var_148], esi
		test	eax, eax
		jz	short loc_787215

loc_7871BA:				; CODE XREF: sub_785212+2001j
		mov	edx, [esi]
		lea	eax, [esp+174h+var_F8]
		and	[esp+174h+var_F8], 0
		push	eax
		push	4
		pop	ecx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7871DE
		mov	eax, [esp+174h+var_F8]
		mov	[esp+174h+var_150], eax
		jmp	short loc_7871E2
; 

loc_7871DE:				; CODE XREF: sub_785212+1FC0j
		mov	eax, [esp+174h+var_150]

loc_7871E2:				; CODE XREF: sub_785212+1FCAj
		test	ebx, ebx
		js	loc_787CBD
		lea	ecx, [esp+174h+var_148]
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	eax, [esp+174h+var_120]
		mov	esi, [esp+174h+var_148]
		inc	eax
		mov	[esp+174h+var_120], eax
		cmp	eax, [esp+174h+var_10C]
		jb	short loc_7871BA

loc_787215:				; CODE XREF: sub_785212+1FA6j
		lea	eax, [esp+174h+var_D8]
		mov	ecx, esi
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	ecx, [esp+174h+var_144]
		lea	eax, [esi+0Ch]
		add	ecx, edi
		cmp	eax, ecx
		jbe	short loc_787248

loc_78723E:				; CODE XREF: sub_785212+1C4Fj
					; sub_785212+1F5Fj
		mov	ebx, 0C0000023h
		jmp	loc_7862AB
; 

loc_787248:				; CODE XREF: sub_785212+202Aj
		mov	eax, [esp+174h+var_D8]
		mov	ecx, [esp+174h+var_E8]
		inc	[esp+174h+var_10C]
		mov	dword ptr [esi], 8
		mov	[eax], ecx
		mov	ecx, [esp+174h+var_E0]
		mov	[eax+4], ecx
		jmp	loc_7862AB
; 

loc_787271:				; CODE XREF: sub_785212+1B8Cj
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A139D9
		jmp	loc_7862A9
; 

loc_787287:				; CODE XREF: sub_785212+1B83j
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A13F62
		jmp	loc_7862A9
; 

loc_78729D:				; CODE XREF: sub_785212+1B7Aj
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A19468
		jmp	loc_7862A9
; 

loc_7872B3:				; CODE XREF: sub_785212+1B71j
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	SPCallServerHandleGetAppPolicyValue
		jmp	loc_7862A9
; 

loc_7872C9:				; CODE XREF: sub_785212+1B68j
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_A15D28
		jmp	loc_7862A9
; 

loc_7872DF:				; CODE XREF: sub_785212+1B5Fj
		xor	eax, eax
		mov	[esp+168h+var_6C], 8
		mov	[esp+168h+var_88], eax
		mov	[esp+168h+var_68], eax
		lea	eax, [esp+168h+var_88]
		push	eax
		push	8
		lea	eax, [esp+170h+var_6C]
		push	eax
		push	67h
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	edx, [esp+168h+var_158]
		push	28h
		mov	ecx, [edx+8]
		mov	[esp+16Ch+var_14C], ecx
		mov	eax, ecx
		pop	ecx
		cmp	eax, 0A0h
		jnz	loc_78665C
		mov	ebx, [edx+0Ch]
		mov	eax, offset dword_A421D0
		xor	edi, edi

loc_787338:				; CODE XREF: sub_785212+2136j
		mov	eax, [eax+edi*4]
		cmp	eax, [ebx+edi*4]
		jnz	short loc_7873B2
		inc	edi
		mov	eax, offset dword_A421D0
		cmp	edi, ecx
		jnz	short loc_787338
		cmp	dword ptr [esi+8], 0A0h
		jnz	short loc_7873B2
		mov	eax, [esi+0Ch]
		xor	edi, edi
		mov	[esp+168h+var_11C], eax

loc_78735C:				; CODE XREF: sub_785212+2162j
		mov	edx, [esp+168h+var_11C]
		mov	eax, offset dword_A41DE8
		mov	eax, [eax+edi*4]
		cmp	eax, [edx+edi*4]
		mov	edx, [esp+168h+var_158]
		jnz	short loc_7873B2
		inc	edi
		cmp	edi, ecx
		jnz	short loc_78735C
		cmp	dword ptr [edx+10h], 8
		jnz	short loc_7873B2
		mov	edi, [edx+14h]
		mov	eax, ds:dword_A41DE0
		cmp	eax, [edi]
		jnz	short loc_7873B2
		mov	eax, ds:dword_A41DE4
		cmp	eax, [edi+4]
		jnz	short loc_7873B2
		cmp	dword ptr [esi+10h], 8
		jnz	short loc_7873B2
		mov	edi, [esi+14h]
		mov	eax, ds:dword_A41D20
		cmp	eax, [edi]
		jnz	short loc_7873B2
		mov	eax, ds:dword_A41D24
		cmp	eax, [edi+4]
		jz	loc_787559

loc_7873B2:				; CODE XREF: sub_785212+212Cj
					; sub_785212+213Fj ...
		mov	eax, offset dword_A42078
		xor	edi, edi

loc_7873B9:				; CODE XREF: sub_785212+21B7j
		mov	eax, [eax+edi*4]
		cmp	eax, [ebx+edi*4]
		jnz	short loc_78742C
		inc	edi
		mov	eax, offset dword_A42078
		cmp	edi, ecx
		jnz	short loc_7873B9
		cmp	dword ptr [esi+8], 0A0h
		jnz	short loc_78742C
		mov	ebx, [esi+0Ch]
		mov	eax, offset dword_A41F30
		xor	edi, edi

loc_7873DE:				; CODE XREF: sub_785212+21DCj
		mov	eax, [eax+edi*4]
		cmp	eax, [ebx+edi*4]
		jnz	short loc_78742C
		inc	edi
		mov	eax, offset dword_A41F30
		cmp	edi, ecx
		jnz	short loc_7873DE
		cmp	dword ptr [edx+10h], 8
		jnz	short loc_78742C
		mov	edi, [edx+14h]
		mov	ebx, offset dword_A428D8
		mov	eax, [ebx]
		cmp	eax, [edi]
		jnz	short loc_78742C
		mov	eax, [ebx+4]
		cmp	eax, [edi+4]
		jnz	short loc_78742C
		cmp	dword ptr [esi+10h], 8
		jnz	short loc_78742C
		mov	edi, [esi+14h]
		mov	ebx, offset dword_A41FD0
		mov	eax, [ebx]
		cmp	eax, [edi]
		jnz	short loc_78742C
		mov	eax, [ebx+4]
		cmp	eax, [edi+4]
		jz	loc_787559

loc_78742C:				; CODE XREF: sub_785212+21ADj
					; sub_785212+21C0j ...
		mov	eax, [esp+168h+var_14C]
		cmp	eax, 0A0h
		jnz	loc_78665C
		mov	ebx, [edx+0Ch]
		mov	eax, offset dword_A425A8
		xor	edi, edi

loc_787445:				; CODE XREF: sub_785212+2243j
		mov	eax, [eax+edi*4]
		cmp	eax, [ebx+edi*4]
		jnz	short loc_7874BF
		inc	edi
		mov	eax, offset dword_A425A8
		cmp	edi, ecx
		jnz	short loc_787445
		cmp	dword ptr [esi+8], 0A0h
		jnz	short loc_7874BF
		mov	eax, [esi+0Ch]
		xor	edi, edi
		mov	[esp+168h+var_11C], eax

loc_787469:				; CODE XREF: sub_785212+226Fj
		mov	edx, [esp+168h+var_11C]
		mov	eax, offset dword_A42500
		mov	eax, [eax+edi*4]
		cmp	eax, [edx+edi*4]
		mov	edx, [esp+168h+var_158]
		jnz	short loc_7874BF
		inc	edi
		cmp	edi, ecx
		jnz	short loc_787469
		cmp	dword ptr [edx+10h], 8
		jnz	short loc_7874BF
		mov	edi, [edx+14h]
		mov	eax, ds:dword_A42128
		cmp	eax, [edi]
		jnz	short loc_7874BF
		mov	eax, ds:dword_A4212C
		cmp	eax, [edi+4]
		jnz	short loc_7874BF
		cmp	dword ptr [esi+10h], 8
		jnz	short loc_7874BF
		mov	edi, [esi+14h]
		mov	eax, ds:dword_A41DD0
		cmp	eax, [edi]
		jnz	short loc_7874BF
		mov	eax, ds:dword_A41DD4
		cmp	eax, [edi+4]
		jz	loc_787559

loc_7874BF:				; CODE XREF: sub_785212+2239j
					; sub_785212+224Cj ...
		mov	eax, offset dword_A428F0
		xor	edi, edi

loc_7874C6:				; CODE XREF: sub_785212+22C8j
		mov	eax, [eax+edi*4]
		cmp	eax, [ebx+edi*4]
		jnz	loc_78665C
		inc	edi
		mov	eax, offset dword_A428F0
		cmp	edi, ecx
		jnz	short loc_7874C6
		cmp	dword ptr [esi+8], 0A0h
		jnz	loc_78665C
		mov	ebx, [esi+0Ch]
		mov	eax, offset dword_A42838
		xor	edi, edi

loc_7874F3:				; CODE XREF: sub_785212+22F5j
		mov	eax, [eax+edi*4]
		cmp	eax, [ebx+edi*4]
		jnz	loc_78665C
		inc	edi
		mov	eax, offset dword_A42838
		cmp	edi, ecx
		jnz	short loc_7874F3
		cmp	dword ptr [edx+10h], 8
		jnz	loc_78665C
		mov	ecx, [edx+14h]
		mov	edi, offset dword_A41DD8
		mov	eax, [edi]
		cmp	eax, [ecx]
		jnz	loc_78665C
		mov	eax, [edi+4]
		cmp	eax, [ecx+4]
		jnz	loc_78665C
		cmp	dword ptr [esi+10h], 8
		jnz	loc_78665C
		mov	ecx, [esi+14h]
		mov	edx, offset dword_A41F28
		mov	eax, [edx]
		cmp	eax, [ecx]
		jnz	loc_78665C
		mov	eax, [edx+4]
		cmp	eax, [ecx+4]
		jnz	loc_78665C

loc_787559:				; CODE XREF: sub_785212+219Aj
					; sub_785212+2214j ...
		lea	eax, [esp+168h+var_100]
		mov	edx, esi
		push	eax
		push	ecx
		lea	ecx, [esp+170h+var_110]
		call	sub_693B86
		jmp	loc_7866E2
; 

loc_78756F:				; CODE XREF: sub_785212+10EAj
		test	ecx, ecx
		jnz	short loc_78757D
		mov	ebx, 0C000003Eh
		jmp	loc_787633
; 

loc_78757D:				; CODE XREF: sub_785212+235Fj
		push	20534C53h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_78759A
		mov	ebx, 0C0000017h
		jmp	loc_787633
; 

loc_78759A:				; CODE XREF: sub_785212+237Cj
		mov	eax, [esp+168h+var_100]
		mov	ecx, edi
		mov	[edi], eax
		lea	eax, [esp+168h+var_E4]
		push	eax
		push	4
		pop	edx
		mov	[esp+16Ch+var_E4], edi
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_787624
		mov	ecx, [esp+168h+var_E4]
		mov	eax, [esp+168h+var_FC]
		mov	[ecx], eax
		lea	eax, [esp+168h+var_E4]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_787624
		mov	eax, [esp+168h+var_144]
		push	[esp+168h+var_FC] ; size_t
		mov	ecx, [esp+16Ch+var_11C]
		push	[esp+16Ch+var_F8] ; void *
		mov	[edi+eax-8], ecx
		mov	ecx, [esp+170h+var_D0]
		push	[esp+170h+var_E4] ; void *
		mov	[edi+eax-4], ecx
		call	_memcpy
		mov	eax, [esp+174h+var_144]
		add	esp, 0Ch
		mov	[esp+168h+var_B8], edi
		xor	edi, edi
		mov	[esp+168h+var_C8], eax

loc_787624:				; CODE XREF: sub_785212+23ABj
					; sub_785212+23CEj
		test	edi, edi
		jz	short loc_787633
		push	20534C53h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_787633:				; CODE XREF: sub_785212+10F5j
					; sub_785212+2366j ...
		test	ebx, ebx
		js	loc_787CC1
		cmp	[esp+168h+var_B8], 0
		jz	loc_785682
		mov	edi, [esp+168h+var_C8]
		test	edi, edi
		jz	loc_785682
		mov	esi, [esp+168h+var_15C]
		mov	eax, [esi+14h]
		test	eax, eax
		jz	loc_785FAD
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	loc_785FAD
		mov	ebx, [esi+0Ch]
		test	ebx, ebx
		jz	loc_785FAD
		mov	edx, [esi+8]
		test	edx, edx
		jz	loc_785FAD
		cmp	ecx, 8
		jnz	loc_787CB8
		cmp	edx, 0A0h
		jnz	loc_787CB8
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[esp+168h+var_11C], ecx
		xor	ecx, ecx
		mov	[esp+168h+var_D0], eax
		xor	al, al
		mov	[esp+168h+var_12D], al
		test	edi, edi
		jz	short loc_7876CC
		mov	edx, [esp+168h+var_B8]

loc_7876C0:				; CODE XREF: sub_785212+24B4j
		xor	al, [ecx+edx]
		inc	ecx
		cmp	ecx, edi
		jb	short loc_7876C0
		mov	[esp+168h+var_12D], al

loc_7876CC:				; CODE XREF: sub_785212+24A5j
		push	20534C53h
		lea	eax, [edi+8]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+168h+var_E0], edi
		test	edi, edi
		jz	loc_787CB8
		mov	eax, [esp+168h+var_11C]
		mov	ecx, [esp+168h+var_C8]
		mov	[esp+168h+var_10], eax
		mov	eax, [esp+168h+var_D0]
		mov	[esp+168h+var_C], eax
		mov	eax, ecx
		shr	eax, 3
		mov	[esp+168h+var_DC], eax
		test	eax, eax
		jz	loc_787A55
		mov	esi, [esp+168h+var_B8]
		lea	eax, [ebx+81h]
		and	[esp+168h+var_114], 0
		add	edi, 7
		and	[esp+168h+var_D8], 0
		add	esi, 2
		mov	[esp+168h+var_11C], eax
		lea	eax, [ebx+2]
		mov	[esp+168h+var_D0], eax
		lea	eax, [ebx+80h]
		not	eax
		mov	[esp+168h+var_EC], edi
		mov	[esp+168h+var_144], eax
		xor	ebx, ebx

loc_787761:				; CODE XREF: sub_785212+282Bj
		movzx	ecx, byte ptr [esi-2]
		movzx	eax, byte ptr [esi-1]
		movzx	edx, byte ptr [esi+2]
		shl	ecx, 8
		or	ecx, eax
		mov	edi, [esp+168h+var_11C]
		movzx	eax, byte ptr [esi]
		shl	ecx, 8
		or	ecx, eax
		shl	edx, 8
		movzx	eax, byte ptr [esi+1]
		shl	ecx, 8
		or	ecx, eax
		movzx	eax, byte ptr [esi+3]
		or	edx, eax
		mov	[esp+168h+var_BC], ecx
		movzx	eax, byte ptr [esi+4]
		xor	ebx, ecx
		mov	ecx, [esp+168h+var_12C]
		shl	edx, 8
		or	edx, eax
		mov	[esp+168h+var_154], ebx
		movzx	eax, byte ptr [esi+5]
		add	esi, 8
		shl	edx, 8
		or	edx, eax
		mov	[esp+168h+var_C0], esi
		mov	esi, [esp+168h+var_D0]
		xor	ecx, edx
		mov	[esp+168h+var_D4], edx
		xor	edx, edx
		inc	edx
		mov	[esp+168h+var_12C], ecx
		mov	[esp+168h+var_13C], edx

loc_7877D8:				; CODE XREF: sub_785212+2659j
		mov	al, [edi-1]
		cmp	al, 1Fh
		jnb	short loc_787819
		push	[esp+168h+var_12C]
		movzx	ecx, al
		lea	eax, [esp+16Ch+var_10]
		push	eax
		movzx	eax, byte ptr [esi+1]
		push	eax
		movzx	eax, byte ptr [esi]
		push	eax
		movzx	eax, byte ptr [esi-1]
		push	eax
		movzx	eax, byte ptr [esi-2]
		push	eax
		mov	eax, [esp+180h+var_144]
		add	eax, edi
		push	eax
		call	ds:off_A93F70[ecx*4]
		mov	edx, [esp+184h+var_158]
		xor	ebx, eax
		mov	ecx, [esp+184h+var_148]

loc_787819:				; CODE XREF: sub_785212+25CBj
		mov	al, [edi]
		cmp	al, 1Fh
		jnb	short loc_787855
		movzx	ecx, al
		lea	eax, [esp+184h+var_2C]
		push	ebx
		push	eax
		movzx	eax, byte ptr [esi+5]
		push	eax
		movzx	eax, byte ptr [esi+4]
		push	eax
		movzx	eax, byte ptr [esi+3]
		push	eax
		movzx	eax, byte ptr [esi+2]
		push	eax
		push	edx
		call	ds:off_A93F70[ecx*4]
		mov	ecx, [esp+1A0h+var_164]
		mov	edx, [esp+1A0h+var_174]
		xor	ecx, eax
		mov	[esp+1A0h+var_164], ecx

loc_787855:				; CODE XREF: sub_785212+260Bj
		mov	eax, [esp+1A0h+var_17C]
		add	edi, 2
		add	edx, 2
		add	eax, edi
		add	esi, 8
		mov	[esp+1A0h+var_174], edx
		cmp	eax, 1Eh
		jle	loc_7877D8
		mov	eax, [esp+1A0h+var_48]
		movzx	edx, [esp+1A0h+var_42]
		movzx	edi, word ptr [esp+1A0h+var_48+2]
		mov	[esp+1A0h+var_18C], ebx
		movzx	ebx, ax
		mov	eax, ecx
		not	eax
		mov	esi, [esp+1A0h+var_18C]
		ror	eax, 5
		add	eax, ebx
		imul	eax, edx
		xor	esi, eax
		mov	ecx, esi
		mov	[esp+1A0h+var_18C], esi
		xor	ecx, edx
		mov	eax, esi
		imul	ecx, edi
		shr	eax, 0Ah
		xor	ecx, eax
		mov	eax, [esp+15Ch]
		xor	[esp+1A0h+var_164], ecx
		movzx	esi, ax
		mov	eax, [esp+1A0h+var_164]
		mov	ecx, eax
		xor	ecx, [esp+1A0h+var_48]
		ror	ecx, 0Ch
		imul	ecx, esi
		ror	eax, 0Ah
		xor	ecx, eax
		mov	eax, [esp+1A0h+var_18C]
		xor	eax, ecx
		mov	ecx, eax
		mov	[esp+1A0h+var_18C], eax
		sub	ecx, [esp+1A0h+var_48]
		ror	ecx, 0Eh
		imul	ecx, edx
		rol	eax, 8
		sub	ecx, eax
		xor	[esp+1A0h+var_164], ecx
		mov	ecx, [esp+1A0h+var_164]
		add	ecx, [esp+15Ch]
		mov	eax, [esp+1A0h+var_164]
		ror	ecx, 0Fh
		imul	ecx, ebx
		rol	eax, 2
		add	ecx, eax
		mov	eax, [esp+1A0h+var_18C]
		xor	eax, ecx
		mov	[esp+1A0h+var_18C], eax
		mov	ecx, eax
		xor	eax, esi
		ror	ecx, 6
		imul	eax, edi
		xor	ecx, eax
		mov	eax, [esp+1A0h+var_164]
		xor	eax, ecx
		mov	ecx, [esp+1A0h+var_48]
		xor	ecx, eax
		mov	[esp+1A0h+var_164], eax
		mov	eax, [esp+15Ch]
		sub	eax, ecx
		mov	ecx, [esp+1A0h+var_18C]
		xor	ecx, eax
		mov	[esp+1A0h+var_18C], ecx
		xor	ecx, edi
		mov	eax, [esp+1A0h+var_18C]
		rol	ecx, 6
		imul	ecx, edx
		rol	eax, 2
		sub	ecx, eax
		mov	eax, [esp+1A0h+var_164]
		xor	eax, ecx
		mov	ecx, eax
		mov	[esp+1A0h+var_164], eax
		sub	ecx, esi
		shr	eax, 0Dh
		imul	ecx, ebx
		sub	ecx, eax
		mov	eax, [esp+1A0h+var_18C]
		xor	eax, ecx
		mov	[esp+1A0h+var_18C], eax
		mov	edx, [esp+15Ch]
		lea	ecx, [eax+edx]
		rol	eax, 2
		ror	ecx, 9
		imul	ecx, edi
		sub	ecx, eax
		mov	eax, [esp+1A0h+var_164]
		xor	eax, ecx
		mov	ecx, eax
		mov	[esp+1A0h+var_164], eax
		sub	ecx, [esp+1A0h+var_48]
		rol	ecx, 5
		imul	ecx, esi
		rol	eax, 0Ah
		mov	esi, [esp+1A0h+var_F8]
		add	ecx, eax
		mov	eax, [esp+1A0h+var_124]
		xor	[esp+1A0h+var_18C], ecx
		mov	ecx, [esp+1A0h+var_164]
		mov	ebx, [esp+1A0h+var_18C]
		xor	ecx, edx
		xor	ecx, [esp+1A0h+var_48]
		xor	ecx, ebx
		xor	ebx, [esp+1A0h+var_14C]
		xor	ecx, [esp+1A0h+var_110]
		mov	[eax-4], bl
		mov	[eax], cl
		ror	ecx, 8
		ror	ebx, 8
		mov	[eax-5], bl
		mov	[eax-1], cl
		ror	ecx, 8
		ror	ebx, 8
		mov	[eax-6], bl
		mov	[eax-2], cl
		ror	ecx, 8
		ror	ebx, 8
		mov	[eax-7], bl
		mov	[eax-3], cl
		add	eax, 8
		ror	ecx, 8
		mov	[esp+1A0h+var_164], ecx
		mov	ecx, [esp+1A0h+var_F4]
		ror	ebx, 8
		sub	[esp+1A0h+var_114], 1
		mov	[esp+1A0h+var_14C], ecx
		mov	ecx, [esp+1A0h+var_10C]
		mov	[esp+1A0h+var_110], ecx
		mov	[esp+1A0h+var_124], eax
		jnz	loc_787761
		mov	esi, [esp+1A0h+var_194]
		mov	edi, [esp+1A0h+var_118]
		mov	ecx, [esp+1A0h+var_100]

loc_787A55:				; CODE XREF: sub_785212+2509j
		movzx	eax, [esp+1A0h+var_165]
		cdq
		mov	[edi+ecx], eax
		mov	[edi+ecx+4], edx
		lea	eax, [ecx+8]
		xor	ebx, ebx
		test	eax, eax
		jnz	short loc_787A72
		mov	ebx, 0C000003Eh
		jmp	short loc_787AB8
; 

loc_787A72:				; CODE XREF: sub_785212+2857j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+1A0h+var_154], ecx
		test	ecx, ecx
		jnz	short loc_787A90
		mov	ebx, 0C0000017h
		jmp	short loc_787AB8
; 

loc_787A90:				; CODE XREF: sub_785212+2875j
		mov	eax, [esp+1A0h+var_100]
		add	eax, 8
		push	eax		; size_t
		push	edi		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [esp+1ACh+var_154]
		add	esp, 0Ch
		mov	[esi+4], eax
		mov	eax, [esp+1A0h+var_100]
		add	eax, 8
		mov	[esi], eax

loc_787AB8:				; CODE XREF: sub_785212+285Ej
					; sub_785212+287Cj
		push	20534C53h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		js	loc_787CBD
		mov	edx, [esi]
		lea	eax, [esp+1A0h+var_184]
		push	4
		pop	ecx
		xor	edi, edi
		mov	[esp+1A0h+var_184], ecx
		push	eax
		mov	[esp+1A4h+var_17C], edi
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	ecx, [esp+1A0h+var_184]
		lea	eax, [esp+1A0h+var_184]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	edx, [esi+8]
		lea	eax, [esp+1A0h+var_184]
		mov	ecx, [esp+1A0h+var_184]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	ecx, [esp+1A0h+var_184]
		lea	eax, [esp+1A0h+var_184]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	edx, [esi+10h]
		lea	eax, [esp+1A0h+var_184]
		mov	ecx, [esp+1A0h+var_184]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787CBD
		mov	edi, [esp+1A0h+var_184]
		mov	[esp+1A0h+var_17C], edi
		test	edi, edi
		jnz	short loc_787B70
		mov	ebx, 0C000003Eh
		jmp	loc_787C8A
; 

loc_787B70:				; CODE XREF: sub_785212+2952j
		push	20534C53h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_787B8D
		mov	ebx, 0C0000017h
		jmp	loc_787C8A
; 

loc_787B8D:				; CODE XREF: sub_785212+296Fj
		mov	eax, [esi]
		mov	ecx, edi
		mov	[edi], eax
		lea	eax, [esp+1A0h+var_18C]
		push	eax
		push	4
		pop	edx
		mov	[esp+1A4h+var_18C], edi
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787C7B
		push	dword ptr [esi]	; size_t
		push	dword ptr [esi+4] ; void *
		push	[esp+1A8h+var_18C] ; void *
		call	_memcpy
		mov	edx, [esi]
		lea	eax, [esp+1ACh+var_18C]
		mov	ecx, [esp+1ACh+var_18C]
		add	esp, 0Ch
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787C7B
		mov	ecx, [esp+1A0h+var_18C]
		mov	eax, [esi+8]
		mov	[ecx], eax
		lea	eax, [esp+1A0h+var_18C]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_787C7B
		push	dword ptr [esi+8] ; size_t
		push	dword ptr [esi+0Ch] ; void *
		push	[esp+1A8h+var_18C] ; void *
		call	_memcpy
		mov	edx, [esi+8]
		lea	eax, [esp+1ACh+var_18C]
		mov	ecx, [esp+1ACh+var_18C]
		add	esp, 0Ch
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_787C7B
		mov	ecx, [esp+1A0h+var_18C]
		mov	eax, [esi+10h]
		mov	[ecx], eax
		lea	eax, [esp+1A0h+var_18C]
		push	eax
		push	4
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_787C7B
		push	dword ptr [esi+10h] ; size_t
		push	dword ptr [esi+14h] ; void *
		push	[esp+1A8h+var_18C] ; void *
		call	_memcpy
		mov	edx, [esi+10h]
		lea	eax, [esp+1ACh+var_18C]
		mov	ecx, [esp+1ACh+var_18C]
		add	esp, 0Ch
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_787C7B
		mov	eax, [esp+1A0h+var_17C]
		mov	[esp+1A0h+var_E8], edi
		xor	edi, edi
		mov	[esp+1A0h+var_D4], eax

loc_787C7B:				; CODE XREF: sub_785212+2996j
					; sub_785212+29C1j ...
		test	edi, edi
		jz	short loc_787C8A
		push	20534C53h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_787C8A:				; CODE XREF: sub_785212+2959j
					; sub_785212+2976j ...
		test	ebx, ebx
		js	short loc_787CBD
		mov	ecx, [esp+1A0h+var_BC]
		mov	eax, [esp+1A0h+var_E8]
		and	[esp+1A0h+var_E8], 0
		mov	[ecx], eax
		mov	ecx, [esp+1A0h+var_B8]
		mov	eax, [esp+1A0h+var_D4]
		mov	[ecx], eax
		jmp	short loc_787CBD
; 

loc_787CB8:				; CODE XREF: sub_785212+2479j
					; sub_785212+2485j ...
		mov	ebx, 0C0000001h

loc_787CBD:				; CODE XREF: sub_785212+B09j
					; sub_785212+B29j ...
		mov	esi, [esp+168h+var_15C]

loc_787CC1:				; CODE XREF: sub_785212+475j
					; sub_785212+1083j ...
		mov	edi, [esp+168h+var_158]

loc_787CC5:				; CODE XREF: sub_785212+C5j
					; sub_785212+115j ...
		mov	eax, [esp+168h+var_108]
		test	eax, eax
		jz	short loc_787CD8
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_787CD8:				; CODE XREF: sub_785212+D8Fj
					; sub_785212+2AB9j
		cmp	[esp+168h+var_F8], 0
		jz	short loc_787CED
		push	20534C53h
		push	[esp+16Ch+var_F8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_787CED:				; CODE XREF: sub_785212+2ACBj
		mov	eax, [esp+168h+var_AC]
		test	eax, eax
		jz	short loc_787D03
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_787D03:				; CODE XREF: sub_785212+2AE4j
		test	edi, edi
		jz	short loc_787D54
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_787D1D
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi+4], 0

loc_787D1D:				; CODE XREF: sub_785212+2AFAj
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	short loc_787D33
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi+0Ch], 0

loc_787D33:				; CODE XREF: sub_785212+2B10j
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_787D49
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi+14h], 0

loc_787D49:				; CODE XREF: sub_785212+2B26j
		push	20534C53h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_787D54:				; CODE XREF: sub_785212+2AF3j
		mov	eax, [esp+168h+var_B0]
		mov	edi, 20534C53h
		test	eax, eax
		jz	short loc_787D6B
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_787D6B:				; CODE XREF: sub_785212+2B50j
		test	esi, esi
		jz	short loc_787DAC
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_787D81
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+4], 0

loc_787D81:				; CODE XREF: sub_785212+2B62j
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_787D93
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+0Ch], 0

loc_787D93:				; CODE XREF: sub_785212+2B74j
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_787DA5
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+14h], 0

loc_787DA5:				; CODE XREF: sub_785212+2B86j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_787DAC:				; CODE XREF: sub_785212+2B5Bj
		mov	eax, [esp+168h+var_B8]
		test	eax, eax
		jz	short loc_787DBE
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_787DBE:				; CODE XREF: sub_785212+2BA3j
		mov	ecx, [esp+168h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
sub_785212	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_787DE0	proc near		; CODE XREF: sub_785212+1462p

var_F0		= dword	ptr -0F0h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= qword	ptr -0B0h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= qword	ptr -58h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_40], edx
		xor	ecx, ecx
		mov	[ebp+var_18], ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_78], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_98], ecx
		mov	[ebp+var_94], ecx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_B8], ecx
		mov	[ebp+var_B4], ecx
		push	edi
		test	ebx, ebx
		jnz	short loc_787E59

loc_787E41:				; CODE XREF: sub_787DE0+7Bj
					; sub_787DE0+7Fj
		mov	eax, 0C000000Dh
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_787E59:				; CODE XREF: sub_787DE0+5Fj
		test	edx, edx
		jz	short loc_787E41
		test	eax, eax
		jz	short loc_787E41
		mov	edi, [ebx+8]
		test	edi, edi
		jnz	short loc_787E72
		mov	eax, 0C000000Dh
		jmp	loc_787EF6
; 

loc_787E72:				; CODE XREF: sub_787DE0+86j
		cmp	dword ptr [ebx], 3
		ja	short loc_787E7E
		mov	eax, 0C000000Dh
		jmp	short loc_787EF6
; 

loc_787E7E:				; CODE XREF: sub_787DE0+95j
		mov	eax, edi
		xor	ebx, ebx
		mov	[ebp+var_5C], eax

loc_787E85:				; CODE XREF: sub_787DE0+C5j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_787EEE
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_5C], ecx
		push	eax
		call	RtlUIntAdd
		test	eax, eax
		js	short loc_787EBC
		mov	eax, [ebp+var_5C]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_787E85
		mov	ecx, [eax]
		lea	edx, [eax+4]
		cmp	edx, eax
		jb	short loc_787EEE
		mov	ebx, ecx
		xor	eax, eax
		neg	ecx
		sbb	ecx, ecx
		and	ecx, edx
		jmp	short loc_787EC0
; 

loc_787EBC:				; CODE XREF: sub_787DE0+BCj
		xor	ecx, ecx
		xor	ebx, ebx

loc_787EC0:				; CODE XREF: sub_787DE0+DAj
		test	eax, eax
		js	short loc_787EF3
		cmp	ebx, 8
		jz	short loc_787EE1
		mov	eax, 0C0000023h
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_787EE1:				; CODE XREF: sub_787DE0+E7j
		mov	edx, [ecx]
		mov	ecx, [ecx+4]
		mov	[ebp+var_4C], edx
		mov	[ebp+var_30], ecx
		jmp	short loc_787EF3
; 

loc_787EEE:				; CODE XREF: sub_787DE0+ACj
					; sub_787DE0+CEj
		mov	eax, 0C0000095h

loc_787EF3:				; CODE XREF: sub_787DE0+E2j
					; sub_787DE0+10Cj
		mov	ebx, [ebp+var_18]

loc_787EF6:				; CODE XREF: sub_787DE0+8Dj
					; sub_787DE0+9Cj
		test	eax, eax
		js	loc_788B57
		xor	ecx, ecx
		mov	[ebp+var_38], esi
		xor	edx, edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_80], ecx
		test	edi, edi
		jnz	short loc_787F19
		mov	edi, 0C000000Dh
		jmp	loc_787FEC
; 

loc_787F19:				; CODE XREF: sub_787DE0+12Dj
		cmp	dword ptr [ebx], 4
		ja	short loc_787F28
		mov	edi, 0C000000Dh
		jmp	loc_787FEC
; 

loc_787F28:				; CODE XREF: sub_787DE0+13Cj
		mov	[ebp+var_60], edi
		xor	ebx, ebx
		lea	ecx, [ecx+0]

loc_787F30:				; CODE XREF: sub_787DE0+178j
		mov	edx, [edi]
		lea	ecx, [edi+4]
		cmp	ecx, edi
		jb	loc_787FE5
		lea	eax, [ebp+var_60]
		mov	[ebp+var_60], ecx
		push	eax
		call	RtlUIntAdd
		mov	edi, eax
		test	edi, edi
		js	short loc_787F75
		inc	ebx
		cmp	ebx, 4
		jnb	short loc_787F5A
		mov	edi, [ebp+var_60]
		jmp	short loc_787F30
; 

loc_787F5A:				; CODE XREF: sub_787DE0+173j
		mov	eax, [ebp+var_60]
		mov	ebx, [eax]
		lea	edx, [eax+4]
		cmp	edx, eax
		jb	short loc_787FE5
		mov	ecx, ebx
		xor	edi, edi
		neg	ebx
		mov	[ebp+var_3C], ecx
		sbb	ebx, ebx
		and	ebx, edx
		jmp	short loc_787F79
; 

loc_787F75:				; CODE XREF: sub_787DE0+16Dj
		xor	ebx, ebx
		xor	ecx, ecx

loc_787F79:				; CODE XREF: sub_787DE0+193j
		test	edi, edi
		js	short loc_787FEA
		test	ecx, ecx
		jnz	short loc_787F8B
		mov	edi, 0C000003Eh
		jmp	loc_788036
; 

loc_787F8B:				; CODE XREF: sub_787DE0+19Fj
		test	ecx, 1
		jz	short loc_787F9D
		mov	edi, 0C000003Eh
		jmp	loc_788036
; 

loc_787F9D:				; CODE XREF: sub_787DE0+1B1j
		mov	eax, ecx
		xor	edx, edx
		shr	eax, 1
		cmp	dx, [ebx+eax*2-2]
		jz	short loc_787FB4
		mov	edi, 0C000003Eh
		jmp	loc_788036
; 

loc_787FB4:				; CODE XREF: sub_787DE0+1C8j
		lea	eax, [ebp+var_80]
		mov	edx, ecx
		push	eax
		mov	ecx, ebx
		call	_StringCbLengthW@12 ; StringCbLengthW(x,x,x)
		test	eax, eax
		jns	short loc_787FCC
		mov	edi, 0C000003Eh
		jmp	short loc_788036
; 

loc_787FCC:				; CODE XREF: sub_787DE0+1E3j
		mov	edx, [ebp+var_80]
		lea	eax, [edx+2]
		cmp	eax, [ebp+var_3C]
		jz	short loc_787FDE
		mov	edi, 0C000003Eh
		jmp	short loc_788036
; 

loc_787FDE:				; CODE XREF: sub_787DE0+1F5j
		mov	[ebp+var_38], ebx
		shr	edx, 1
		jmp	short loc_787FEC
; 

loc_787FE5:				; CODE XREF: sub_787DE0+157j
					; sub_787DE0+184j
		mov	edi, 0C0000095h

loc_787FEA:				; CODE XREF: sub_787DE0+19Bj
		xor	edx, edx

loc_787FEC:				; CODE XREF: sub_787DE0+134j
					; sub_787DE0+143j ...
		test	edi, edi
		js	loc_788B31
		lea	ebx, ds:2[edx*2]
		test	ebx, ebx
		jnz	short loc_788006
		mov	edi, 0C000003Eh
		jmp	short loc_788036
; 

loc_788006:				; CODE XREF: sub_787DE0+21Dj
		push	20534C53h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_44], eax
		test	eax, eax
		jnz	short loc_788021
		mov	edi, 0C0000017h
		jmp	short loc_788036
; 

loc_788021:				; CODE XREF: sub_787DE0+238j
		push	ebx		; size_t
		push	[ebp+var_38]	; void *
		xor	edi, edi
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_44]
		add	esp, 0Ch
		mov	[ebp+var_78], eax

loc_788036:				; CODE XREF: sub_787DE0+1A6j
					; sub_787DE0+1B8j ...
		test	edi, edi
		js	loc_788B31
		mov	ecx, [ebp+var_18]
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	short loc_78804F
		mov	edi, 0C000000Dh
		jmp	short loc_7880A7
; 

loc_78804F:				; CODE XREF: sub_787DE0+266j
		cmp	dword ptr [ecx], 5
		ja	short loc_78805B
		mov	edi, 0C000000Dh
		jmp	short loc_7880A7
; 

loc_78805B:				; CODE XREF: sub_787DE0+272j
		mov	ecx, eax
		xor	edi, edi
		nop

loc_788060:				; CODE XREF: sub_787DE0+294j
		mov	ebx, [ecx]
		lea	edx, [ecx+4]
		cmp	edx, ecx
		jb	short loc_78809F
		lea	ecx, [ebx+edx]
		cmp	ecx, edx
		jb	short loc_78809F
		inc	edi
		cmp	edi, 5
		jb	short loc_788060
		mov	ebx, [ecx]
		lea	edx, [ecx+4]
		cmp	edx, ecx
		jb	short loc_78809F
		mov	ecx, ebx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, edx
		xor	edi, edi
		cmp	ebx, 4
		jz	short loc_788098
		mov	edi, 0C0000023h
		jmp	loc_788B31
; 

loc_788098:				; CODE XREF: sub_787DE0+2ACj
		mov	ecx, [ecx]
		mov	[ebp+var_48], ecx
		jmp	short loc_7880A4
; 

loc_78809F:				; CODE XREF: sub_787DE0+287j
					; sub_787DE0+28Ej ...
		mov	edi, 0C0000095h

loc_7880A4:				; CODE XREF: sub_787DE0+2BDj
		mov	ecx, [ebp+var_18]

loc_7880A7:				; CODE XREF: sub_787DE0+26Dj
					; sub_787DE0+279j
		test	edi, edi
		js	loc_788B31
		test	eax, eax
		jnz	short loc_7880BA
		mov	edi, 0C000000Dh
		jmp	short loc_78810C
; 

loc_7880BA:				; CODE XREF: sub_787DE0+2D1j
		cmp	dword ptr [ecx], 6
		ja	short loc_7880C6
		mov	edi, 0C000000Dh
		jmp	short loc_78810C
; 

loc_7880C6:				; CODE XREF: sub_787DE0+2DDj
		xor	edx, edx

loc_7880C8:				; CODE XREF: sub_787DE0+2FCj
		mov	edi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_788107
		lea	eax, [edi+ecx]
		cmp	eax, ecx
		jb	short loc_788107
		inc	edx
		cmp	edx, 6
		jb	short loc_7880C8
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_788107
		mov	eax, edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		xor	edi, edi
		cmp	edx, 4
		jz	short loc_788100
		mov	edi, 0C0000023h
		jmp	loc_788B31
; 

loc_788100:				; CODE XREF: sub_787DE0+314j
		mov	ebx, [eax]
		mov	[ebp+var_20], ebx
		jmp	short loc_78810E
; 

loc_788107:				; CODE XREF: sub_787DE0+2EFj
					; sub_787DE0+2F6j ...
		mov	edi, 0C0000095h

loc_78810C:				; CODE XREF: sub_787DE0+2D8j
					; sub_787DE0+2E4j
		xor	ebx, ebx

loc_78810E:				; CODE XREF: sub_787DE0+325j
		test	edi, edi
		js	loc_788B31
		push	[ebp+var_78]
		lea	eax, [ebp+var_98]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	ebx, ebx
		jz	short loc_78813B
		mov	edi, 1
		cmp	ebx, 100000h
		ja	short loc_78813D
		mov	[ebp+var_20], ebx
		jmp	short loc_788195
; 

loc_78813B:				; CODE XREF: sub_787DE0+347j
		xor	edi, edi

loc_78813D:				; CODE XREF: sub_787DE0+354j
		lea	eax, [ebp+var_34]
		push	eax
		push	0
		push	0
		lea	eax, [ebp+var_74]
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		call	ds:dword_A93EE4
		mov	ebx, eax
		cmp	ebx, 0C0000023h
		jz	short loc_788180
		test	ebx, ebx
		js	short loc_788179
		mov	eax, [ebp+var_34]
		test	eax, eax
		jz	short loc_788175
		mov	edi, 8000FFFFh
		jmp	loc_788B31
; 

loc_788175:				; CODE XREF: sub_787DE0+389j
		xor	edi, edi
		jmp	short loc_78818A
; 

loc_788179:				; CODE XREF: sub_787DE0+382j
		mov	edi, ebx
		jmp	loc_788B31
; 

loc_788180:				; CODE XREF: sub_787DE0+37Ej
		mov	eax, [ebp+var_34]
		mov	ecx, [ebp+var_20]
		cmp	ecx, eax
		jb	short loc_7881EB

loc_78818A:				; CODE XREF: sub_787DE0+397j
		xor	ebx, ebx
		mov	[ebp+var_20], eax
		test	edi, edi
		jz	short loc_7881F1
		mov	ebx, eax

loc_788195:				; CODE XREF: sub_787DE0+359j
		push	20534C53h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_70], eax
		test	eax, eax
		jnz	short loc_7881B3
		mov	edi, 0C0000017h
		jmp	loc_788B31
; 

loc_7881B3:				; CODE XREF: sub_787DE0+3C7j
		lea	ecx, [ebp+var_34]
		push	ecx
		push	ebx
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		call	ds:dword_A93EE4
		mov	ebx, eax
		cmp	ebx, 0C0000023h
		jz	short loc_7881DE
		mov	edi, ebx
		test	ebx, ebx
		js	loc_788B31

loc_7881DE:				; CODE XREF: sub_787DE0+3F2j
		mov	eax, [ebp+var_34]
		cmp	[ebp+var_20], eax
		jb	short loc_7881F1
		mov	[ebp+var_20], eax
		jmp	short loc_7881F1
; 

loc_7881EB:				; CODE XREF: sub_787DE0+3A8j
		test	ecx, ecx
		jnz	short loc_7881F1
		xor	ebx, ebx

loc_7881F1:				; CODE XREF: sub_787DE0+3B1j
					; sub_787DE0+404j ...
		mov	[ebp+var_18], 8
		mov	edx, 0Ch
		lea	eax, [ebp+var_18]
		push	eax
		lea	ecx, [edx-4]
		call	RtlUIntAdd
		mov	edi, eax
		test	edi, edi
		js	loc_788291
		mov	ecx, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		mov	edx, 8
		call	RtlUIntAdd
		mov	edi, eax
		test	edi, edi
		js	short loc_788291
		mov	eax, [ebp+var_20]
		add	eax, 4
		cmp	eax, 4
		jb	short loc_788239
		xor	edi, edi
		jmp	short loc_788243
; 

loc_788239:				; CODE XREF: sub_787DE0+453j
		mov	edi, 0C0000095h
		mov	eax, 8

loc_788243:				; CODE XREF: sub_787DE0+457j
		test	edi, edi
		js	short loc_788291
		lea	ecx, [ebp+var_18]
		mov	edx, eax
		push	ecx
		mov	ecx, [ebp+var_18]
		call	RtlUIntAdd
		mov	edi, eax
		test	edi, edi
		js	short loc_788291
		mov	ecx, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		mov	edx, 8
		call	RtlUIntAdd
		mov	edi, eax
		test	edi, edi
		js	short loc_788291
		mov	ecx, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		mov	edx, 8
		call	RtlUIntAdd
		mov	edi, eax
		test	edi, edi
		js	short loc_788291
		mov	eax, [ebp+var_18]
		mov	[ebp+var_2C], eax
		jmp	short loc_788293
; 

loc_788291:				; CODE XREF: sub_787DE0+42Dj
					; sub_787DE0+448j ...
		xor	eax, eax

loc_788293:				; CODE XREF: sub_787DE0+4AFj
		test	edi, edi
		js	loc_788B31
		mov	[ebp+var_84], 8
		lea	ecx, [ebp+var_84]
		mov	edx, eax
		push	ecx
		mov	ecx, 8
		call	RtlUIntAdd
		mov	edi, eax
		test	edi, edi
		js	loc_788368
		mov	eax, [ebp+var_84]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_7882DB
		mov	edi, 0C0000095h
		xor	eax, eax
		jmp	short loc_7882E8
; 

loc_7882DB:				; CODE XREF: sub_787DE0+4F0j
		lea	eax, [ecx+8]
		cmp	eax, ecx
		jb	loc_788363
		xor	edi, edi

loc_7882E8:				; CODE XREF: sub_787DE0+4F9j
		test	edi, edi
		js	short loc_788368
		mov	edx, [ebp+var_40]
		mov	[ebp+var_1C], 4
		mov	ecx, [edx+10h]
		mov	[ebp+var_40], ecx
		mov	ecx, [edx+8]
		mov	edx, eax
		mov	[ebp+var_44], ecx
		lea	ecx, [ebp+var_1C]
		push	ecx
		mov	ecx, 4
		call	RtlUIntAdd
		mov	edi, eax
		test	edi, edi
		js	short loc_78835B
		mov	eax, [ebp+var_1C]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_788363
		mov	edx, [ebp+var_44]
		lea	eax, [ebp+var_1C]
		push	eax
		mov	[ebp+var_1C], ecx
		call	RtlUIntAdd
		mov	edi, eax
		test	edi, edi
		js	short loc_78835B
		mov	eax, [ebp+var_1C]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_788363
		mov	edx, [ebp+var_40]
		lea	eax, [ebp+var_1C]
		push	eax
		mov	[ebp+var_1C], ecx
		call	RtlUIntAdd
		mov	edi, eax
		test	edi, edi
		js	short loc_78835B
		mov	eax, [ebp+var_1C]
		jmp	short loc_78835D
; 

loc_78835B:				; CODE XREF: sub_787DE0+536j
					; sub_787DE0+555j ...
		xor	eax, eax

loc_78835D:				; CODE XREF: sub_787DE0+579j
		test	edi, edi
		js	short loc_788368
		jmp	short loc_78836A
; 

loc_788363:				; CODE XREF: sub_787DE0+500j
					; sub_787DE0+540j ...
		mov	edi, 0C0000095h

loc_788368:				; CODE XREF: sub_787DE0+4DCj
					; sub_787DE0+50Aj ...
		xor	eax, eax

loc_78836A:				; CODE XREF: sub_787DE0+581j
		test	edi, edi
		js	loc_788B31
		cmp	[ebp+arg_0], eax
		jb	loc_7886D2
		test	ebx, ebx
		js	loc_7886D2
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_A0], esi
		push	eax
		mov	[ebp+var_9C], esi
		call	KeQueryTickCount
		call	_KeQueryTimeIncrement@0	; KeQueryTimeIncrement()
		push	[ebp+var_9C]
		push	[ebp+var_A0]
		push	0
		push	eax
		call	__allmul
		push	0
		push	2710h
		push	edx
		push	eax
		call	__alldiv
		mov	[ebp+var_64], eax
		mov	edi, 1
		push	offset ??_C@_1EA@KEBBLPOF@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?9?$AAS?$AAP?$AAP?$AA?9?$AAG?$AAe@NNGAKEGL@
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_68], edx
		push	eax
		mov	[ebp+var_A8], esi
		mov	[ebp+var_A4], esi
		mov	[ebp+var_88], esi
		mov	[ebp+var_90], esi
		mov	[ebp+var_24], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_24]
		push	eax
		push	4
		lea	eax, [ebp+var_90]
		push	eax
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_A8]
		push	eax
		call	ds:dword_A93EE4
		cmp	eax, 0C0000034h
		jz	short loc_788436
		test	eax, eax
		js	short loc_788438
		cmp	[ebp+var_88], 4
		jnz	short loc_788436
		cmp	[ebp+var_90], esi
		jnz	short loc_788438

loc_788436:				; CODE XREF: sub_787DE0+63Fj
					; sub_787DE0+64Cj
		xor	edi, edi

loc_788438:				; CODE XREF: sub_787DE0+643j
					; sub_787DE0+654j
		mov	eax, [ebp+var_64]
		mov	ecx, [ebp+var_68]
		cmp	ds:_g_ulOldGenuineStateForWnf, edi
		jz	short loc_788457
		mov	ds:_g_qwSystemInitTime,	eax
		mov	ds:dword_A93F44, ecx
		mov	ds:_g_ulOldGenuineStateForWnf, edi

loc_788457:				; CODE XREF: sub_787DE0+664j
		sub	eax, ds:_g_qwSystemInitTime
		mov	dword ptr [ebp+var_58],	eax
		sbb	ecx, ds:dword_A93F44
		mov	eax, ecx
		and	ecx, 7FFFFFFFh
		mov	dword ptr [ebp+var_58+4], ecx
		and	eax, 80000000h
		fild	[ebp+var_58]
		mov	dword ptr [ebp+var_58+4], eax
		mov	dword ptr [ebp+var_58],	esi
		fild	[ebp+var_58]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_B0]
		fld	[ebp+var_B0]
		fcomp	ds:__real@41612a8800000000
		fnstsw	ax
		test	ah, 1
		jnz	short loc_7884A6
		mov	eax, 1
		jmp	short loc_7884A8
; 

loc_7884A6:				; CODE XREF: sub_787DE0+6BDj
		xor	eax, eax

loc_7884A8:				; CODE XREF: sub_787DE0+6C4j
		test	edi, edi
		jnz	short loc_7884D2
		cmp	ds:_g_bWNFEventFired, esi
		jnz	short loc_7884D2
		test	eax, eax
		jz	short loc_7884D2
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	(offset	loc_409ADF+1)
		mov	ds:_g_bWNFEventFired, 1
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_7884D2:				; CODE XREF: sub_787DE0+6CAj
					; sub_787DE0+6D2j ...
		mov	ecx, [ebp+var_64]
		sub	ecx, ds:_g_qwSystemInitTime
		mov	eax, [ebp+var_68]
		sbb	eax, ds:dword_A93F44
		mov	dword ptr [ebp+var_B0+4], eax
		jnz	short loc_7884F8
		cmp	ecx, 0A4CBFBh
		jb	loc_7886D2

loc_7884F8:				; CODE XREF: sub_787DE0+70Aj
		lea	eax, [ebp+var_B8]
		push	eax
		push	0
		push	1
		push	6
		push	offset unk_6B72E0
		call	KeWaitForSingleObject
		test	eax, eax
		js	loc_7886D2
		cmp	eax, 0C0h
		jz	loc_7886D2
		cmp	eax, 102h
		jz	loc_7886D2
		cmp	ds:_g_ulOldGenuineState, edi
		jz	short loc_788580
		test	edi, edi
		jz	short loc_788545
		push	offset unk_6B72C0
		call	_KeResetEvent@4	; KeResetEvent(x)
		jmp	short loc_788580
; 

loc_788545:				; CODE XREF: sub_787DE0+757j
		lea	eax, [ebp+var_58]
		mov	dword ptr [ebp+var_58],	esi
		push	eax
		mov	dword ptr [ebp+var_58+4], esi
		call	KeQueryTickCount
		call	_KeQueryTimeIncrement@0	; KeQueryTimeIncrement()
		push	dword ptr [ebp+var_58+4]
		push	dword ptr [ebp+var_58]
		push	0
		push	eax
		call	__allmul
		push	0
		push	2710h
		push	edx
		push	eax
		call	__alldiv
		mov	ds:dword_A93F20, eax
		mov	ds:dword_A93F24, edx

loc_788580:				; CODE XREF: sub_787DE0+753j
					; sub_787DE0+763j
		mov	eax, [ebp+var_64]
		sub	eax, ds:dword_A93F20
		mov	ecx, [ebp+var_68]
		sbb	ecx, ds:dword_A93F24
		mov	ds:_g_ulOldGenuineState, edi
		mov	dword ptr [ebp+var_B0+4], ecx
		jnz	short loc_7885AB
		cmp	eax, 0ADF4FCh
		jnb	short loc_7885AB
		xor	eax, eax
		jmp	short loc_7885B0
; 

loc_7885AB:				; CODE XREF: sub_787DE0+7BEj
					; sub_787DE0+7C5j
		mov	eax, 1

loc_7885B0:				; CODE XREF: sub_787DE0+7C9j
		test	edi, edi
		jnz	loc_7886C6
		test	eax, eax
		jz	loc_7886C6
		cmp	ds:dword_A93E4C, esi
		jz	loc_7886C6
		push	edi
		push	1
		push	offset unk_6B72C0
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	offset unk_A93F28
		push	1
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_8C], 4
		push	eax
		mov	[ebp+var_6C], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_7C], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_78860A
		mov	edi, 3
		mov	[ebp+var_6C], edi
		jmp	short loc_788629
; 

loc_78860A:				; CODE XREF: sub_787DE0+81Ej
		lea	eax, [ebp+var_28]
		push	eax
		push	4
		lea	eax, [ebp+var_6C]
		push	eax
		lea	eax, [ebp+var_8C]
		push	eax
		push	offset unk_A93F54
		call	ds:dword_A93EE4
		mov	edi, [ebp+var_6C]

loc_788629:				; CODE XREF: sub_787DE0+828j
		test	eax, eax
		js	short loc_788645
		cmp	[ebp+var_8C], 4
		jnz	short loc_788645
		cmp	edi, 1
		jz	short loc_78864D
		cmp	edi, 2
		jz	short loc_78864D
		cmp	edi, 3
		jz	short loc_78864D

loc_788645:				; CODE XREF: sub_787DE0+84Bj
					; sub_787DE0+854j
		mov	edi, 1
		mov	[ebp+var_6C], edi

loc_78864D:				; CODE XREF: sub_787DE0+859j
					; sub_787DE0+85Ej ...
		mov	eax, [ebp+var_7C]
		test	eax, eax
		jz	short loc_78865A
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_78865A:				; CODE XREF: sub_787DE0+872j
		xor	eax, eax
		mov	[ebp+var_40], esi
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	0Ch
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		push	offset unk_A93F48
		call	ds:dword_A93EE4
		test	eax, eax
		js	short loc_7886A9
		cmp	[ebp+var_40], 3
		jnz	short loc_7886A9
		cmp	[ebp+var_44], 0Ch
		jnz	short loc_7886A9
		xor	edx, edx

loc_788696:				; CODE XREF: sub_787DE0+8C7j
		mov	eax, [ebp+edx*4+var_10]
		mov	ecx, eax
		and	ecx, 0Fh
		cmp	ecx, edi
		jz	short loc_7886B8
		inc	edx
		cmp	edx, 3
		jb	short loc_788696

loc_7886A9:				; CODE XREF: sub_787DE0+8A6j
					; sub_787DE0+8ACj ...
		mov	eax, ds:dword_A93F1C
		and	eax, 0FFFF3211h
		or	eax, 3211h

loc_7886B8:				; CODE XREF: sub_787DE0+8C1j
		mov	ds:dword_A93F1C, eax
		cmp	[ebp+var_48], esi
		jz	short loc_7886C6
		mov	esi, eax
		jmp	short loc_7886D2
; 

loc_7886C6:				; CODE XREF: sub_787DE0+7D2j
					; sub_787DE0+7DAj ...
		push	0
		push	offset unk_6B72E0
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_7886D2:				; CODE XREF: sub_787DE0+595j
					; sub_787DE0+59Dj ...
		mov	edi, [ebp+var_14]
		mov	ecx, [ebp+var_2C]
		lea	eax, [edi+4]
		mov	[ebp+var_1C], eax
		mov	[eax], ecx
		test	ecx, ecx
		jnz	short loc_7886EE
		mov	edi, 0C000003Eh
		jmp	loc_788B31
; 

loc_7886EE:				; CODE XREF: sub_787DE0+902j
		push	20534C53h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_78870B
		mov	edi, 0C0000017h
		jmp	loc_788B31
; 

loc_78870B:				; CODE XREF: sub_787DE0+91Fj
		mov	[edi+8], edx
		mov	dword ptr [edi], 0
		or	ebx, 10000000h
		lea	eax, [edx+4]
		cmp	eax, edx
		jb	loc_788B2C
		mov	ecx, [edi+4]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		jbe	short loc_78873B
		mov	edi, 0C0000023h
		jmp	loc_788B31
; 

loc_78873B:				; CODE XREF: sub_787DE0+94Fj
		mov	dword ptr [edx], 4
		mov	[edx+4], ebx
		mov	edx, edi
		inc	dword ptr [edx]
		mov	eax, [edx]
		mov	[ebp+var_28], eax
		mov	ebx, [edx+8]
		xor	ecx, ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_24], ebx
		test	ebx, ebx
		jnz	short loc_78877E
		lea	ebx, [edx+4]
		lea	edx, [ecx+0Ch]
		mov	ecx, [ebx]
		push	ebx
		call	RtlUIntAdd
		mov	edx, [ebp+var_14]
		mov	edi, eax
		test	edi, edi
		js	loc_788B31
		inc	dword ptr [edx]
		jmp	loc_78881A
; 

loc_78877E:				; CODE XREF: sub_787DE0+97Aj
		mov	[ebp+var_38], ebx
		mov	[ebp+var_2C], ecx
		test	eax, eax
		jz	short loc_7887CB

loc_788788:				; CODE XREF: sub_787DE0+9E9j
		mov	eax, [ebx]
		add	eax, 4
		cmp	eax, 4
		jb	short loc_78879B
		mov	ecx, eax
		xor	edi, edi
		mov	[ebp+var_48], ecx
		jmp	short loc_7887A0
; 

loc_78879B:				; CODE XREF: sub_787DE0+9B0j
		mov	edi, 0C0000095h

loc_7887A0:				; CODE XREF: sub_787DE0+9B9j
		test	edi, edi
		js	short loc_78880C
		lea	eax, [ebp+var_38]
		mov	edx, ecx
		push	eax
		mov	ecx, ebx
		call	RtlUIntAdd
		mov	edi, eax
		test	edi, edi
		js	short loc_78880C
		mov	ecx, [ebp+var_2C]
		mov	ebx, [ebp+var_38]
		inc	ecx
		mov	[ebp+var_2C], ecx
		cmp	ecx, [ebp+var_28]
		jnb	short loc_7887CB
		mov	ecx, [ebp+var_48]
		jmp	short loc_788788
; 

loc_7887CB:				; CODE XREF: sub_787DE0+9A6j
					; sub_787DE0+9E4j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_788B2C
		mov	eax, [ebp+var_1C]
		xor	edi, edi
		mov	ecx, [eax]
		lea	eax, [ebx+0Ch]
		add	ecx, [ebp+var_24]
		cmp	eax, ecx
		jbe	short loc_7887F1
		mov	edi, 0C0000023h
		jmp	loc_788B31
; 

loc_7887F1:				; CODE XREF: sub_787DE0+A05j
		mov	eax, [ebp+var_4C]
		mov	dword ptr [ebx], 8
		mov	[edx], eax
		mov	eax, [ebp+var_30]
		mov	[edx+4], eax
		mov	edx, [ebp+var_14]
		inc	dword ptr [edx]
		lea	ebx, [edx+4]
		jmp	short loc_788812
; 

loc_78880C:				; CODE XREF: sub_787DE0+9C2j
					; sub_787DE0+9D5j
		mov	ebx, [ebp+var_1C]
		mov	edx, [ebp+var_14]

loc_788812:				; CODE XREF: sub_787DE0+A2Aj
		test	edi, edi
		js	loc_788B31

loc_78881A:				; CODE XREF: sub_787DE0+999j
		mov	eax, [ebp+var_74]
		xor	ecx, ecx
		mov	[ebp+var_2C], eax
		mov	eax, [edx+8]
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_78884E
		lea	edx, [ecx+8]
		mov	ecx, [ebx]
		push	ebx
		call	RtlUIntAdd
		mov	edx, [ebp+var_14]
		mov	edi, eax
		test	edi, edi
		js	loc_788B31
		inc	dword ptr [edx]
		jmp	loc_7888E5
; 

loc_78884E:				; CODE XREF: sub_787DE0+A4Dj
		mov	ebx, eax
		mov	[ebp+var_30], ecx
		mov	eax, [edx]
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	short loc_7888A6
		nop

loc_788860:				; CODE XREF: sub_787DE0+AC1j
		mov	eax, [ebx]
		add	eax, 4
		cmp	eax, 4
		jb	short loc_788873
		mov	ecx, eax
		xor	edi, edi
		mov	[ebp+var_4C], ecx
		jmp	short loc_788878
; 

loc_788873:				; CODE XREF: sub_787DE0+A88j
		mov	edi, 0C0000095h

loc_788878:				; CODE XREF: sub_787DE0+A91j
		test	edi, edi
		js	short loc_7888DA
		lea	eax, [ebp+var_3C]
		mov	edx, ecx
		push	eax
		mov	ecx, ebx
		call	RtlUIntAdd
		mov	edi, eax
		test	edi, edi
		js	short loc_7888DA
		mov	ecx, [ebp+var_30]
		mov	ebx, [ebp+var_3C]
		inc	ecx
		mov	[ebp+var_30], ecx
		cmp	ecx, [ebp+var_28]
		jnb	short loc_7888A3
		mov	ecx, [ebp+var_4C]
		jmp	short loc_788860
; 

loc_7888A3:				; CODE XREF: sub_787DE0+ABCj
		mov	edx, [ebp+var_14]

loc_7888A6:				; CODE XREF: sub_787DE0+A7Dj
		lea	eax, [ebx+4]
		cmp	eax, ebx
		jb	loc_788B2C
		mov	ecx, [edx+4]
		lea	eax, [ebx+8]
		add	ecx, [ebp+var_24]
		xor	edi, edi
		cmp	eax, ecx
		jbe	short loc_7888CA
		mov	edi, 0C0000023h
		jmp	loc_788B31
; 

loc_7888CA:				; CODE XREF: sub_787DE0+ADEj
		mov	eax, [ebp+var_2C]
		mov	dword ptr [ebx], 4
		mov	[ebx+4], eax
		inc	dword ptr [edx]
		jmp	short loc_7888DD
; 

loc_7888DA:				; CODE XREF: sub_787DE0+A9Aj
					; sub_787DE0+AADj
		mov	edx, [ebp+var_14]

loc_7888DD:				; CODE XREF: sub_787DE0+AF8j
		test	edi, edi
		js	loc_788B31

loc_7888E5:				; CODE XREF: sub_787DE0+A69j
		mov	ecx, [ebp+var_20]
		xor	ebx, ebx
		cmp	[ebp+var_70], ebx
		jnz	short loc_7888FD
		test	ecx, ecx
		jz	short loc_788901

loc_7888F3:				; CODE XREF: sub_787DE0+B1Fj
		mov	edi, 0C000000Dh
		jmp	loc_7889CF
; 

loc_7888FD:				; CODE XREF: sub_787DE0+B0Dj
		test	ecx, ecx
		jz	short loc_7888F3

loc_788901:				; CODE XREF: sub_787DE0+B11j
		mov	eax, [edx+8]
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_788947
		lea	eax, [ecx+4]
		cmp	eax, 4
		jb	short loc_788919
		mov	ebx, eax
		xor	edi, edi
		jmp	short loc_78891E
; 

loc_788919:				; CODE XREF: sub_787DE0+B31j
		mov	edi, 0C0000095h

loc_78891E:				; CODE XREF: sub_787DE0+B37j
		test	edi, edi
		js	loc_788B31
		mov	eax, [ebp+var_1C]
		mov	edx, ebx
		push	eax
		mov	ecx, [eax]
		call	RtlUIntAdd
		mov	edx, [ebp+var_14]
		mov	edi, eax
		test	edi, edi
		js	loc_788B31
		inc	dword ptr [edx]
		jmp	loc_7889D7
; 

loc_788947:				; CODE XREF: sub_787DE0+B29j
		mov	edx, eax
		xor	ecx, ecx
		mov	eax, [ebp+var_14]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	short loc_788983

loc_788957:				; CODE XREF: sub_787DE0+BA1j
		mov	eax, [edx]
		add	eax, 4
		cmp	eax, 4
		jb	short loc_788967
		mov	ebx, eax
		xor	edi, edi
		jmp	short loc_78896C
; 

loc_788967:				; CODE XREF: sub_787DE0+B7Fj
		mov	edi, 0C0000095h

loc_78896C:				; CODE XREF: sub_787DE0+B85j
		test	edi, edi
		js	short loc_7889CC
		lea	eax, [ebx+edx]
		cmp	eax, edx
		jb	loc_788B2C
		inc	ecx
		mov	edx, eax
		cmp	ecx, [ebp+var_28]
		jb	short loc_788957

loc_788983:				; CODE XREF: sub_787DE0+B75j
		lea	ebx, [edx+4]
		cmp	ebx, edx
		jb	loc_788B2C
		mov	eax, [ebp+var_1C]
		xor	edi, edi
		mov	ecx, [ebp+var_20]
		add	ecx, 4
		add	ecx, edx
		mov	eax, [eax]
		add	eax, [ebp+var_24]
		cmp	ecx, eax
		jbe	short loc_7889AE
		mov	edi, 0C0000023h
		jmp	loc_788B31
; 

loc_7889AE:				; CODE XREF: sub_787DE0+BC2j
		mov	ecx, [ebp+var_70]
		mov	eax, [ebp+var_20]
		mov	[edx], eax
		test	ecx, ecx
		jz	short loc_7889C5
		push	eax		; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_7889C5:				; CODE XREF: sub_787DE0+BD8j
		mov	edx, [ebp+var_14]
		inc	dword ptr [edx]
		jmp	short loc_7889CF
; 

loc_7889CC:				; CODE XREF: sub_787DE0+B8Ej
		mov	edx, [ebp+var_14]

loc_7889CF:				; CODE XREF: sub_787DE0+B18j
					; sub_787DE0+BEAj
		test	edi, edi
		js	loc_788B31

loc_7889D7:				; CODE XREF: sub_787DE0+B62j
		mov	eax, [ebp+var_34]
		xor	ebx, ebx
		mov	[ebp+var_30], eax
		mov	eax, [edx+8]
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_788A0C
		mov	ecx, [edx+4]
		lea	eax, [edx+4]
		push	eax
		lea	edx, [ebx+8]
		call	RtlUIntAdd
		mov	edi, eax
		mov	eax, [ebp+var_14]
		test	edi, edi
		js	loc_788B31
		inc	dword ptr [eax]
		jmp	loc_788A8F
; 

loc_788A0C:				; CODE XREF: sub_787DE0+C07j
		mov	edx, eax
		xor	ecx, ecx
		mov	eax, [ebp+var_14]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	short loc_788A4C
		lea	esp, [esp+0]

loc_788A20:				; CODE XREF: sub_787DE0+C6Aj
		mov	eax, [edx]
		add	eax, 4
		cmp	eax, 4
		jb	short loc_788A30
		mov	ebx, eax
		xor	edi, edi
		jmp	short loc_788A35
; 

loc_788A30:				; CODE XREF: sub_787DE0+C48j
		mov	edi, 0C0000095h

loc_788A35:				; CODE XREF: sub_787DE0+C4Ej
		test	edi, edi
		js	short loc_788A84
		lea	eax, [ebx+edx]
		cmp	eax, edx
		jb	loc_788B2C
		inc	ecx
		mov	edx, eax
		cmp	ecx, [ebp+var_28]
		jb	short loc_788A20

loc_788A4C:				; CODE XREF: sub_787DE0+C3Aj
		lea	ebx, [edx+4]
		cmp	ebx, edx
		jb	loc_788B2C
		mov	eax, [ebp+var_1C]
		xor	edi, edi
		mov	ecx, [eax]
		lea	eax, [edx+8]
		add	ecx, [ebp+var_24]
		cmp	eax, ecx
		jbe	short loc_788A72
		mov	edi, 0C0000023h
		jmp	loc_788B31
; 

loc_788A72:				; CODE XREF: sub_787DE0+C86j
		mov	eax, [ebp+var_30]
		mov	dword ptr [edx], 4
		mov	[ebx], eax
		mov	eax, [ebp+var_14]
		inc	dword ptr [eax]
		jmp	short loc_788A87
; 

loc_788A84:				; CODE XREF: sub_787DE0+C57j
		mov	eax, [ebp+var_14]

loc_788A87:				; CODE XREF: sub_787DE0+CA2j
		test	edi, edi
		js	loc_788B31

loc_788A8F:				; CODE XREF: sub_787DE0+C27j
		mov	ecx, [eax+8]
		xor	ebx, ebx
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jnz	short loc_788ABC
		mov	eax, [ebp+var_1C]
		lea	edx, [ebx+8]
		push	eax
		mov	ecx, [eax]
		call	RtlUIntAdd
		mov	edi, eax
		test	edi, edi
		js	loc_788B31
		mov	eax, [ebp+var_14]
		inc	dword ptr [eax]
		xor	edi, edi
		jmp	short loc_788B31
; 

loc_788ABC:				; CODE XREF: sub_787DE0+CB9j
		mov	eax, [eax]
		mov	edx, ecx
		xor	ecx, ecx
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	short loc_788AF8
		lea	esp, [esp+0]

loc_788AD0:				; CODE XREF: sub_787DE0+D16j
		mov	eax, [edx]
		add	eax, 4
		cmp	eax, 4
		jb	short loc_788AE0
		mov	ebx, eax
		xor	edi, edi
		jmp	short loc_788AE5
; 

loc_788AE0:				; CODE XREF: sub_787DE0+CF8j
		mov	edi, 0C0000095h

loc_788AE5:				; CODE XREF: sub_787DE0+CFEj
		test	edi, edi
		js	short loc_788B31
		lea	eax, [ebx+edx]
		cmp	eax, edx
		jb	short loc_788B2C
		inc	ecx
		mov	edx, eax
		cmp	ecx, [ebp+var_28]
		jb	short loc_788AD0

loc_788AF8:				; CODE XREF: sub_787DE0+CE7j
		lea	ebx, [edx+4]
		cmp	ebx, edx
		jb	short loc_788B2C
		mov	eax, [ebp+var_1C]
		xor	edi, edi
		mov	ecx, [eax]
		lea	eax, [edx+8]
		add	ecx, [ebp+var_24]
		cmp	eax, ecx
		jbe	short loc_788B17
		mov	edi, 0C0000023h
		jmp	short loc_788B31
; 

loc_788B17:				; CODE XREF: sub_787DE0+D2Ej
		mov	eax, [ebp+var_14]
		mov	dword ptr [edx], 4
		mov	[ebx], esi
		inc	dword ptr [eax]
		test	edi, edi
		js	short loc_788B31
		xor	edi, edi
		jmp	short loc_788B31
; 

loc_788B2C:				; CODE XREF: sub_787DE0+93Fj
					; sub_787DE0+9F0j ...
		mov	edi, 0C0000095h

loc_788B31:				; CODE XREF: sub_787DE0+20Ej
					; sub_787DE0+258j ...
		mov	eax, [ebp+var_78]
		test	eax, eax
		jz	short loc_788B43
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_788B43:				; CODE XREF: sub_787DE0+D56j
		mov	eax, [ebp+var_70]
		test	eax, eax
		jz	short loc_788B55
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_788B55:				; CODE XREF: sub_787DE0+D68j
		mov	eax, edi

loc_788B57:				; CODE XREF: sub_787DE0+118j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
sub_787DE0	endp

; 
		align 10h
; Exported entry  27.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ntoskrnl_27
ntoskrnl_27	proc near		; CODE XREF: PAGE:00788E0Ep
					; DATA XREF: ClipInitHandles()+19o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		mov	ecx, [eax+204h]
		push	[ebp+arg_8]
		mov	eax, ds:dword_A93F08
		push	[ebp+arg_4]
		test	eax, eax
		jz	short loc_788BA1
		push	[ebp+arg_0]
		push	ecx
		call	eax

loc_788B9C:				; CODE XREF: ntoskrnl_27+39j
		pop	ecx
		pop	ebp
		retn	14h
; 

loc_788BA1:				; CODE XREF: ntoskrnl_27+24j
		mov	edx, [ebp+arg_0]
		call	SLQueryLicenseValueInternal
		jmp	short loc_788B9C
ntoskrnl_27	endp

; 
		align 10h

NtQueryLicenseValue:			; CODE XREF: ExpGetNtProductTypeFromLicenseValue+3Ap
					; MxMemoryLicense(x)+56p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1A30
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	dword ptr [ebp-40h], 0
		mov	dword ptr [ebp-3Ch], 0
		mov	dword ptr [ebp-30h], 0
		mov	dword ptr [ebp-28h], 0
		mov	dword ptr [ebp-24h], 0
		mov	dword ptr [ebp-2Ch], 0
		mov	eax, large fs:124h
		mov	dl, [eax+15Ah]
		mov	eax, [ebp+8]
		test	eax, eax
		jz	loc_788E00
		mov	ecx, [ebp+18h]
		test	ecx, ecx
		jz	loc_788E00
		mov	ebx, [ebp+10h]
		mov	edi, [ebp+14h]
		test	ebx, ebx
		jz	loc_788DF8

loc_788C3F:				; CODE XREF: PAGE:00788DFAj
		cmp	edi, (offset loc_7FFFFF+1)
		ja	loc_8DD593
		test	dl, dl
		jz	loc_788E07
		mov	dword ptr [ebp-4], 0
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_8DD59D

loc_788C68:				; CODE XREF: PAGE:008DD59Fj
		nop
		mov	ecx, [eax]
		mov	[ebp-40h], ecx
		mov	eax, [eax+4]
		mov	[ebp-3Ch], eax
		test	eax, eax
		jz	loc_8DD5CB
		movzx	ecx, cx
		xor	edx, edx
		cmp	dx, cx
		jz	loc_8DD5CB
		test	cl, 1
		jnz	loc_8DD5CB
		test	al, 1
		jnz	loc_788E17
		add	ecx, eax
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	loc_8DD5A4
		cmp	ecx, eax
		jb	loc_8DD5A4

loc_788CB3:				; CODE XREF: PAGE:008DD5A7j
		push	20534C53h
		movzx	eax, word ptr [ebp-40h]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp-30h], esi
		test	esi, esi
		jz	loc_8DD5AC
		movzx	eax, word ptr [ebp-40h]
		push	eax
		push	dword ptr [ebp-3Ch]
		push	esi
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp-3Ch], esi
		mov	esi, [ebp+0Ch]
		test	esi, esi
		jz	short loc_788D04
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8DD5B3

loc_788CFB:				; CODE XREF: PAGE:008DD5B5j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [esi]
		mov	[ebp-28h], eax

loc_788D04:				; CODE XREF: PAGE:00788CEAj
		test	ebx, ebx
		jz	short loc_788D2D
		test	edi, edi
		jz	short loc_788D2D
		push	1
		push	edi
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	20534C53h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp-24h], eax
		test	eax, eax
		jz	loc_8DD5BA

loc_788D2D:				; CODE XREF: PAGE:00788D06j
					; PAGE:00788D0Aj
		mov	ecx, [ebp+18h]
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8DD5C4

loc_788D3F:				; CODE XREF: PAGE:008DD5C6j
		mov	eax, [edx]
		mov	[edx], eax
		mov	eax, [ecx]
		mov	[ebp-2Ch], eax
		xor	ebx, ebx

loc_788D4A:				; CODE XREF: PAGE:008DD5BFj
					; PAGE:008DD5D3j
		mov	[ebp-20h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_788D54:				; CODE XREF: PAGE:008DD5FEj
		test	ebx, ebx
		js	short loc_788DC4
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+204h]
		mov	eax, ds:dword_A93F08
		test	eax, eax
		jz	loc_8DD603
		lea	edx, [ebp-2Ch]
		push	edx
		push	edi
		push	dword ptr [ebp-24h]
		lea	edx, [ebp-28h]
		push	edx
		lea	edx, [ebp-40h]
		push	edx
		push	ecx
		call	eax

loc_788D83:				; CODE XREF: PAGE:008DD617j
		mov	ebx, eax
		mov	dword ptr [ebp-4], 1
		test	esi, esi
		jz	short loc_788D95
		mov	eax, [ebp-28h]
		mov	[esi], eax

loc_788D95:				; CODE XREF: PAGE:00788D8Ej
		mov	ecx, [ebp-2Ch]
		mov	eax, [ebp+18h]
		mov	[eax], ecx
		test	ebx, ebx
		js	short loc_788DBD
		mov	eax, [ebp+10h]
		test	eax, eax
		jz	short loc_788DBD
		cmp	edi, ecx
		jb	loc_8DD61C
		push	ecx
		push	dword ptr [ebp-24h]
		push	eax
		call	_memcpy
		add	esp, 0Ch

loc_788DBD:				; CODE XREF: PAGE:00788D9Fj
					; PAGE:00788DA6j ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_788DC4:				; CODE XREF: PAGE:00788D56j
					; PAGE:00788E05j ...
		mov	esi, [ebp-30h]
		test	esi, esi
		jz	short loc_788DD3
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_788DD3:				; CODE XREF: PAGE:00788DC9j
		mov	eax, [ebp-24h]
		test	eax, eax
		jz	short loc_788DE2
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_788DE2:				; CODE XREF: PAGE:00788DD8j
		mov	eax, ebx
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_788DF8:				; CODE XREF: PAGE:00788C39j
		test	edi, edi
		jz	loc_788C3F

loc_788E00:				; CODE XREF: PAGE:00788C20j
					; PAGE:00788C2Bj
		mov	ebx, 0C000000Dh
		jmp	short loc_788DC4
; 

loc_788E07:				; CODE XREF: PAGE:00788C4Dj
		push	ecx
		push	edi
		push	ebx
		push	dword ptr [ebp+0Ch]
		push	eax
		call	ntoskrnl_27
		mov	ebx, eax
		jmp	short loc_788DC4
; 

loc_788E17:				; CODE XREF: PAGE:00788C95j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 486. FsRtlCancellableWaitForMultipleObjects

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlCancellableWaitForMultipleObjects
FsRtlCancellableWaitForMultipleObjects proc near
					; CODE XREF: FsRtlCancellableWaitForSingleObject(x,x,x)+15p
					; FsRtlQueryKernelEaFile+12B9A4p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008DD64E SIZE 0000009A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_8], 0
		and	[esp+0Ch+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		xor	ebx, ebx
		push	edi
		xor	edi, edi
		test	esi, esi
		jz	short loc_788E7C
		mov	ebx, [esi+4]
		mov	edi, [esi]
		test	ebx, ebx
		jl	short loc_788E54
		jg	short loc_788E7C
		test	edi, edi
		jnb	short loc_788E7C

loc_788E54:				; CODE XREF: FsRtlCancellableWaitForMultipleObjects+2Aj
		lea	eax, [esp+18h+var_8]
		push	eax
		call	KeQueryTickCount
		call	_KeQueryTimeIncrement@0	; KeQueryTimeIncrement()
		push	0
		push	eax
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		call	__alldiv
		mov	edi, [esp+18h+var_8]
		mov	ebx, [esp+18h+var_4]
		sub	edi, eax
		sbb	ebx, edx

loc_788E7C:				; CODE XREF: FsRtlCancellableWaitForMultipleObjects+21j
					; FsRtlCancellableWaitForMultipleObjects+2Cj ...
		cmp	[ebp+arg_0], 1
		jz	short loc_788EAA
		push	[ebp+arg_10]
		push	esi
		push	1
		push	0
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	KeWaitForMultipleObjects

loc_788E9A:				; CODE XREF: FsRtlCancellableWaitForMultipleObjects+99j
		cmp	eax, 101h
		jz	short loc_788EBD

loc_788EA1:				; CODE XREF: FsRtlCancellableWaitForMultipleObjects+B4j
					; FsRtlCancellableWaitForMultipleObjects+15483Ej ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_788EAA:				; CODE XREF: FsRtlCancellableWaitForMultipleObjects+5Ej
		mov	eax, [ebp+arg_4]
		push	esi
		push	1
		push	0
		push	0
		push	dword ptr [eax]
		call	KeWaitForSingleObject
		jmp	short loc_788E9A
; 

loc_788EBD:				; CODE XREF: FsRtlCancellableWaitForMultipleObjects+7Dj
		mov	eax, large fs:124h
		mov	eax, [eax+2FCh]
		test	al, 1
		jz	loc_8DD64E
		mov	eax, 0C000004Bh
		jmp	short loc_788EA1
FsRtlCancellableWaitForMultipleObjects endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtWaitForMultipleObjects proc near	; DATA XREF: .text:00580BB8o

var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008DD6E8 SIZE 00000008 BYTES
; FUNCTION CHUNK AT 008DD718 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1A58
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 120h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	edi, [ebp+arg_4]
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_120], eax
		push	100h		; size_t
		push	0		; int
		lea	eax, [ebp+var_11C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_128], 0
		mov	[ebp+var_124], 0
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	loc_8DD718
		cmp	esi, 40h
		ja	loc_8DD718
		mov	eax, [ebp+arg_8]
		cmp	eax, 1
		jnz	loc_789040

loc_788F71:				; CODE XREF: NtWaitForMultipleObjects+162j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_12C],	al
		mov	[ebp+var_4], 0
		mov	ebx, [ebp+var_120]
		test	al, al
		jz	short loc_788FBB
		test	ebx, ebx
		jnz	short loc_789014

loc_788F98:				; CODE XREF: NtWaitForMultipleObjects+15Bj
		lea	eax, ds:0[esi*4]
		test	eax, eax
		jz	short loc_788FBB
		add	eax, edi
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_8DD6E8
		cmp	eax, edi
		jb	loc_8DD6E8

loc_788FBB:				; CODE XREF: NtWaitForMultipleObjects+B2j
					; NtWaitForMultipleObjects+C1j	...
		lea	eax, ds:0[esi*4]
		push	eax		; size_t
		push	edi		; void *
		lea	eax, [ebp+var_11C]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		push	ebx
		push	[ebp+arg_C]
		mov	eax, [ebp+var_12C]
		push	eax
		push	[ebp+arg_8]
		push	eax
		lea	eax, [ebp+var_11C]
		push	eax
		push	esi
		call	ObWaitForMultipleObjects

loc_788FF6:				; CODE XREF: NtWaitForMultipleObjects+16Dj
					; sub_8DD703+10j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_789014:				; CODE XREF: NtWaitForMultipleObjects+B6j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	short loc_78904F

loc_78901D:				; CODE XREF: NtWaitForMultipleObjects+171j
		nop
		mov	eax, [ebx]
		mov	ecx, [ebx+4]
		mov	[ebp+var_128], eax
		mov	[ebp+var_124], ecx
		lea	ebx, [ebp+var_128]
		mov	[ebp+var_120], ebx
		jmp	loc_788F98
; 

loc_789040:				; CODE XREF: NtWaitForMultipleObjects+8Bj
		test	eax, eax
		jz	loc_788F71
		mov	eax, 0C00000F1h
		jmp	short loc_788FF6
; 

loc_78904F:				; CODE XREF: NtWaitForMultipleObjects+13Bj
		mov	ebx, eax
		jmp	short loc_78901D
NtWaitForMultipleObjects endp

; 
		align 10h
; Exported entry 1649. ObWaitForMultipleObjects

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObWaitForMultipleObjects
ObWaitForMultipleObjects proc near	; CODE XREF: NtWaitForMultipleObjects+111p
					; NtWaitForMultipleObjects32(x,x,x,x,x)+10Fp

var_288		= dword	ptr -288h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_225		= byte ptr -225h
var_224		= dword	ptr -224h
var_21F		= byte ptr -21Fh
var_21E		= byte ptr -21Eh
var_21D		= byte ptr -21Dh
var_21C		= dword	ptr -21Ch
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008DD722 SIZE 00000114 BYTES
; FUNCTION CHUNK AT 008DD88E SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1A78
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 268h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_230], edi
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_244], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_26C], eax
		mov	[ebp+var_24C], 0
		mov	[ebp+var_248], 0
		push	100h		; size_t
		push	0		; int
		lea	eax, [ebp+var_21C]
		push	eax		; void *
		call	_memset
		mov	[ebp+var_234], 0
		push	100h		; size_t
		push	0		; int
		lea	eax, [ebp+var_11C]
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	byte ptr [ebp+var_264],	0
		mov	[ebp+var_21F], 0
		xor	eax, eax
		mov	[ebp+var_23C], eax
		xor	ebx, ebx
		mov	[ebp+var_254], ebx
		cmp	edi, 3
		ja	loc_789432

loc_789124:				; CODE XREF: ObWaitForMultipleObjects+406j
					; ObWaitForMultipleObjects+1546DFj
		xor	esi, esi
		mov	[ebp+var_21E], bl
		mov	ebx, large fs:124h
		mov	[ebp+var_238], ebx
		mov	eax, [ebx+80h]
		mov	[ebp+var_250], eax
		mov	[ebp+var_278], eax
		mov	[ebp+var_21D], 1
		dec	word ptr [ebx+13Ch]
		nop
		cmp	eax, [ebx+150h]
		jnz	loc_8DD744
		mov	eax, [eax+18Ch]
		mov	[ebp+var_258], eax

loc_789172:				; CODE XREF: ObWaitForMultipleObjects+1546FCj
					; ObWaitForMultipleObjects+15470Bj
		mov	dl, [ebp+arg_8]

loc_789175:				; CODE XREF: ObWaitForMultipleObjects+154737j
		xor	eax, eax
		mov	[ebp+var_260], eax
		lea	edi, [ebp+var_21C]
		mov	ecx, [ebp+var_244]
		sub	ecx, edi
		mov	[ebp+var_244], ecx
		mov	edi, [ebp+var_234]
		jmp	short loc_7891A0
; 
		align 10h

loc_7891A0:				; CODE XREF: ObWaitForMultipleObjects+137j
					; ObWaitForMultipleObjects+291j
		shl	eax, 2
		mov	[ebp+var_25C], eax
		lea	ebx, [ebp+var_21C]
		add	eax, ebx
		mov	ebx, [eax+ecx]
		test	dl, dl
		jz	loc_789512

loc_7891BC:				; CODE XREF: ObWaitForMultipleObjects+4B4j
					; ObWaitForMultipleObjects+4BDj ...
		mov	eax, [ebp+var_258]

loc_7891C2:				; CODE XREF: ObWaitForMultipleObjects+4D7j
		mov	[ebp+var_22C], eax
		test	ebx, 7FCh
		jz	loc_78965D
		push	ebx
		mov	ecx, eax
		call	ExpLookupHandleTableEntry
		mov	[ebp+var_224], eax
		test	eax, eax
		jz	loc_78965D
		lea	ecx, [ebp+var_24C]
		push	ecx
		mov	edx, eax
		mov	ecx, [ebp+var_22C]
		call	_ExFastReferenceHandleTableEntry@12 ; ExFastReferenceHandleTableEntry(x,x,x)
		mov	[ebp+var_240], eax
		test	eax, eax
		jnz	loc_7893D8
		mov	edi, [ebp+var_24C]
		and	edi, 0FFFFFFF8h
		mov	[ebp+var_234], edi

loc_78921B:				; CODE XREF: ObWaitForMultipleObjects+3AFj
					; ObWaitForMultipleObjects+4A7j ...
		mov	eax, [ebp+var_224]

loc_789221:				; CODE XREF: ObWaitForMultipleObjects+607j
		mov	ebx, edi
		test	eax, eax
		jz	loc_789561
		mov	eax, [ebp+var_248]
		and	eax, 1FFFFFFh
		inc	esi
		mov	[ebp+var_22C], esi
		lea	ecx, [edi+18h]
		mov	[ebp+var_224], ecx
		mov	edx, [ebp+var_25C]
		mov	[ebp+edx+var_21C], ecx
		cmp	[ebp+arg_8], 1
		jnz	short loc_789271
		not	eax
		test	eax, 100000h
		jnz	loc_8DD7FF
		mov	al, [edi+0Eh]
		test	al, 40h
		jnz	loc_789609

loc_789271:				; CODE XREF: ObWaitForMultipleObjects+1F7j
					; ObWaitForMultipleObjects+5C0j ...
		shr	ebx, 8
		cmp	[ebp+arg_C], 1
		jnz	loc_78953C

loc_78927E:				; CODE XREF: ObWaitForMultipleObjects+4FBj
		push	7457624Fh
		mov	edx, 1
		mov	ecx, edi
		call	ObpTraceObjectReferenceIfActive
		movzx	ecx, byte ptr [edi+0Ch]
		movzx	eax, bl
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	[ebp+var_240], eax
		mov	edx, [eax+10h]
		test	dl, 1
		jnz	loc_78941A
		test	edx, edx
		js	short loc_7892C4
		add	edx, [ebp+var_224]

loc_7892C4:				; CODE XREF: ObWaitForMultipleObjects+25Cj
					; ObWaitForMultipleObjects+3CDj ...
		mov	eax, [ebp+var_25C]
		mov	[ebp+eax+var_11C], edx
		mov	eax, [ebp+var_260]
		inc	eax
		mov	[ebp+var_260], eax
		mov	ecx, [ebp+var_230]
		cmp	eax, ecx
		jnb	short loc_7892F6
		mov	dl, [ebp+arg_8]
		mov	ecx, [ebp+var_244]
		jmp	loc_7891A0
; 

loc_7892F6:				; CODE XREF: ObWaitForMultipleObjects+286j
		cmp	[ebp+var_21E], 0
		jnz	loc_8DD809

loc_789303:				; CODE XREF: ObWaitForMultipleObjects+1547C7j
		nop
		mov	ebx, [ebp+var_238]
		add	word ptr [ebx+13Ch], 1
		jnz	short loc_789320
		nop
		lea	eax, [ebx+70h]
		cmp	[eax], eax
		jnz	loc_78966C

loc_789320:				; CODE XREF: ObWaitForMultipleObjects+2B2j
					; ObWaitForMultipleObjects+614j ...
		xor	al, al
		mov	[ebp+var_21D], al
		mov	[ebp+var_225], al
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	loc_789571

loc_789339:				; CODE XREF: ObWaitForMultipleObjects+51Dj
		mov	[ebp+var_4], 0
		push	[ebp+var_23C]
		push	[ebp+var_26C]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	6
		push	eax
		lea	eax, [ebp+var_11C]
		push	eax
		push	ecx
		call	KeWaitForMultipleObjects
		mov	edi, eax
		mov	[ebp+var_274], edi
		mov	[ebp+var_4], 0FFFFFFFEh

loc_789371:				; CODE XREF: ObWaitForMultipleObjects+50Cj
					; ObWaitForMultipleObjects+154741j ...
		mov	al, [ebp+var_21D]

loc_789377:				; CODE XREF: sub_8DD84F+3Aj
		test	esi, esi
		jz	short loc_78939C
		jmp	short loc_789380
; 
		align 10h

loc_789380:				; CODE XREF: ObWaitForMultipleObjects+31Bj
					; ObWaitForMultipleObjects+334j
		dec	esi
		mov	edx, 7457624Fh
		mov	ecx, [ebp+esi*4+var_21C]
		call	ObfDereferenceObjectWithTag
		test	esi, esi
		jnz	short loc_789380
		mov	al, [ebp+var_21D]

loc_78939C:				; CODE XREF: ObWaitForMultipleObjects+319j
		test	al, al
		jnz	loc_78968A

loc_7893A4:				; CODE XREF: ObWaitForMultipleObjects+63Ej
		mov	eax, [ebp+var_23C]
		test	eax, eax
		jnz	loc_78946B

loc_7893B2:				; CODE XREF: ObWaitForMultipleObjects+42Dj
					; ObWaitForMultipleObjects+559j ...
		mov	eax, edi
		lea	esp, [ebp-288h]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_7893D8:				; CODE XREF: ObWaitForMultipleObjects+1A6j
		jle	loc_789492
		mov	edi, [ebp+var_24C]
		and	edi, 0FFFFFFF8h
		mov	[ebp+var_234], edi
		mov	edx, eax
		mov	ecx, edi
		call	ObpIncrPointerCountEx
		push	[ebp+var_240]
		lea	edx, [ebp+var_24C]
		mov	ecx, [ebp+var_224]
		call	ExFastReplenishHandleTableEntry
		test	eax, eax
		jz	loc_78921B
		jmp	loc_8DD7A6
; 

loc_78941A:				; CODE XREF: ObWaitForMultipleObjects+254j
		test	dl, 2
		jnz	loc_789639
		mov	eax, [ebp+var_224]
		mov	edx, [eax+edx-1]
		jmp	loc_7892C4
; 

loc_789432:				; CODE XREF: ObWaitForMultipleObjects+BEj
		lea	esi, [edi+edi*2]
		shl	esi, 3
		cmp	edi, 0Ah
		ja	loc_789582
		push	6D57624Fh
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_789451:				; CODE XREF: ObWaitForMultipleObjects+54Dj
		mov	[ebp+var_23C], eax
		test	eax, eax
		jz	loc_8DD722
		mov	[ebp+var_21F], 1
		jmp	loc_789124
; 

loc_78946B:				; CODE XREF: ObWaitForMultipleObjects+34Cj
		cmp	[ebp+var_21F], 0
		jz	loc_8DD8A4
		mov	ecx, [ebp+var_254]
		test	ecx, ecx
		jnz	loc_7895B2
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7893B2
; 

loc_789492:				; CODE XREF: ObWaitForMultipleObjects:loc_7893D8j
		mov	edx, [ebp+var_224]
		mov	ecx, [ebp+var_22C]
		call	_ExLockHandleTableEntry@8 ; ExLockHandleTableEntry(x,x)
		test	al, al
		jz	loc_78965D
		mov	ebx, [ebp+var_224]
		mov	edi, [ebx]
		and	edi, 0FFFFFFF8h
		mov	[ebp+var_234], edi
		mov	eax, [ebx]
		mov	[ebp+var_24C], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_248], eax
		mov	ecx, ebx
		call	_ExSlowReplenishHandleTableEntry@4 ; ExSlowReplenishHandleTableEntry(x)
		lea	edx, [eax+1]
		mov	ecx, edi
		call	ObpIncrPointerCountEx
		mov	eax, 1
		lock xadd [ebx], eax
		mov	ecx, [ebp+var_22C]
		add	ecx, 20h
		mov	[ebp+var_240], 0
		xor	edx, edx
		lea	eax, [ebp+var_240]
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	loc_78921B
		jmp	loc_8DD7B1
; 

loc_789512:				; CODE XREF: ObWaitForMultipleObjects+156j
		test	ebx, ebx
		jns	loc_7891BC
		cmp	ebx, 0FFFFFFFEh
		jz	loc_7891BC
		cmp	ebx, 0FFFFFFFFh
		jz	loc_7891BC
		xor	ebx, 80000000h
		mov	eax, _ObpKernelHandleTable
		jmp	loc_7891C2
; 

loc_78953C:				; CODE XREF: ObWaitForMultipleObjects+218j
		movzx	ecx, byte ptr [edi+0Ch]
		movzx	eax, bl
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		cmp	eax, ds:_IoCompletionObjectType
		jnz	loc_78927E

loc_789561:				; CODE XREF: ObWaitForMultipleObjects+1C5j
		mov	edi, 0C0000008h

loc_789566:				; CODE XREF: ObWaitForMultipleObjects+648j
					; ObWaitForMultipleObjects+1547A4j
		mov	ebx, [ebp+var_238]
		jmp	loc_789371
; 

loc_789571:				; CODE XREF: ObWaitForMultipleObjects+2D3j
		mov	eax, 1
		cmp	ecx, eax
		ja	short loc_7895C0

loc_78957A:				; CODE XREF: ObWaitForMultipleObjects+5A1j
		mov	eax, [ebp+arg_C]
		jmp	loc_789339
; 

loc_789582:				; CODE XREF: ObWaitForMultipleObjects+3DBj
		lea	ecx, [edi-0Bh]
		mov	eax, 24924925h
		mul	ecx
		sub	ecx, edx
		shr	ecx, 1
		add	ecx, edx
		shr	ecx, 3
		lea	eax, [ecx+ecx*2]
		shl	eax, 6
		add	eax, offset _ObpWaitBlockLookaside
		mov	[ebp+var_254], eax
		mov	ecx, eax
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		jmp	loc_789451
; 

loc_7895B2:				; CODE XREF: ObWaitForMultipleObjects+420j
		mov	edx, eax
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	loc_7893B2
; 
		align 10h

loc_7895C0:				; CODE XREF: ObWaitForMultipleObjects+518j
					; ObWaitForMultipleObjects+5A7j
		mov	edi, eax
		mov	edx, [ebp+eax*4+var_11C]
		mov	[ebp+var_230], edx
		nop

loc_7895D0:				; CODE XREF: ObWaitForMultipleObjects+58Fj
		mov	edx, [ebp+edi*4+var_120]
		cmp	[ebp+var_230], edx
		ja	short loc_7895F1
		jz	loc_8DD82C
		mov	[ebp+edi*4+var_11C], edx
		sub	edi, 1
		jnz	short loc_7895D0

loc_7895F1:				; CODE XREF: ObWaitForMultipleObjects+57Dj
		mov	edx, [ebp+var_230]
		mov	[ebp+edi*4+var_11C], edx
		inc	eax
		cmp	eax, ecx
		jnb	loc_78957A
		jmp	short loc_7895C0
; 

loc_789609:				; CODE XREF: ObWaitForMultipleObjects+20Bj
		movzx	eax, al
		and	eax, 7Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		mov	ecx, edi
		sub	ecx, eax
		mov	eax, [ecx]
		cmp	byte ptr [eax+0Ch], 0
		jz	loc_789271
		mov	eax, [eax+8]
		cmp	eax, 1
		jz	short loc_7896A3
		mov	edi, [ebp+var_234]
		jmp	loc_789271
; 

loc_789639:				; CODE XREF: ObWaitForMultipleObjects+3BDj
		mov	ecx, [eax+78h]
		movzx	eax, word ptr [eax+7Ch]
		mov	ebx, [ebp+var_224]
		mov	eax, [eax+ebx]
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_8DD7ED
		add	edx, 0FFFFFFFDh
		add	edx, ebx
		jmp	loc_7892C4
; 

loc_78965D:				; CODE XREF: ObWaitForMultipleObjects+16Ej
					; ObWaitForMultipleObjects+184j ...
		test	ebx, ebx
		jnz	loc_8DD7BD

loc_789665:				; CODE XREF: ObWaitForMultipleObjects+154788j
		xor	eax, eax
		jmp	loc_789221
; 

loc_78966C:				; CODE XREF: ObWaitForMultipleObjects+2BAj
		cmp	word ptr [ebx+13Eh], 0
		jnz	loc_789320
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		mov	ecx, [ebp+var_230]
		jmp	loc_789320
; 

loc_78968A:				; CODE XREF: ObWaitForMultipleObjects+33Ej
		cmp	[ebp+var_21E], 0
		jnz	loc_8DD88E

loc_789697:				; CODE XREF: ObWaitForMultipleObjects+15483Fj
		mov	ecx, ebx
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_7893A4
; 

loc_7896A3:				; CODE XREF: ObWaitForMultipleObjects+5CCj
		mov	edi, 0C000A006h
		jmp	loc_789566
ObWaitForMultipleObjects endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfCheckDeprioritizeFile	proc near	; CODE XREF: MiDeprioritizeVad+BBp
					; MiUnmapVad+83p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DD8B4 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_18], ecx
		xor	esi, esi
		mov	[ebp+var_4], edi
		test	edi, edi
		jz	loc_789849
		mov	ecx, offset unk_6D48DC
		call	PfLockSharedTryAcquire
		test	eax, eax
		jz	loc_789849
		mov	ecx, dword_6D48CC
		cmp	edi, [ecx+4]
		jz	short loc_789766
		mov	eax, dword_6D48C4
		or	edi, 0FFFFFFFFh
		mov	ecx, eax
		and	ecx, 1Fh
		shl	edi, cl
		mov	ebx, edi
		and	ebx, [ebp+var_4]
		mov	[ebp+var_8], ebx
		cmp	eax, 20h
		jb	loc_8DD8BB
		shr	eax, 5
		mov	[ebp+var_C], eax
		movzx	eax, bl
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		movzx	eax, bh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+3]
		imul	edx, ecx, 25h
		mov	ecx, [ebp+var_C]
		add	edx, eax
		mov	eax, dword_6D48C8
		dec	ecx
		and	ecx, edx
		lea	ecx, [eax+ecx*4]

loc_78973E:				; CODE XREF: PfCheckDeprioritizeFile+A5j
		mov	ecx, [ecx]
		test	ecx, 1
		jnz	loc_8DD8B4
		mov	eax, [ecx+4]
		and	eax, edi
		cmp	ebx, eax
		jnz	short loc_78973E

loc_789755:				; CODE XREF: PfCheckDeprioritizeFile+154208j
		test	ecx, ecx
		jz	loc_8DD8BB
		mov	edi, [ebp+var_4]
		mov	dword_6D48CC, ecx

loc_789766:				; CODE XREF: PfCheckDeprioritizeFile+38j
		mov	ebx, [ecx+8]
		mov	edx, offset unk_6D48DC
		push	11h
		mov	[ebp+var_8], ebx
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	loc_7898A4

loc_789783:				; CODE XREF: PfCheckDeprioritizeFile+202j
		mov	ecx, edx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	dword_6D48F0, ebx
		jz	loc_789835
		mov	ecx, offset unk_6D48F4
		call	PfLockSharedTryAcquire
		test	eax, eax
		jz	loc_789849
		mov	edx, dword_6D48E8
		mov	[ebp+var_10], edx
		test	edx, edx
		jz	short loc_789805
		movzx	eax, bl
		imul	ecx, eax, 25h
		movzx	eax, bh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+3]
		imul	ecx, 25h
		add	eax, 164B2F3Fh
		add	eax, ecx
		lea	ecx, [edx-1]
		and	ecx, eax
		mov	edx, esi
		mov	eax, dword_6D48E4
		mov	[ebp+var_8], eax
		mov	eax, ecx
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+var_8]
		shl	eax, cl
		mov	ecx, dword_6D48E0
		mov	[ebp+var_14], ecx
		mov	eax, [eax+ecx]
		test	eax, eax
		jnz	short loc_789852

loc_789805:				; CODE XREF: PfCheckDeprioritizeFile+10Aj
					; PfCheckDeprioritizeFile+1E2j
		xor	esi, esi
		push	offset dword_6D4918
		inc	esi
		call	KeQueryTickCount

loc_789812:				; CODE XREF: PfCheckDeprioritizeFile+1EEj
		push	11h
		xor	edx, edx
		mov	ebx, offset unk_6D48F4
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	loc_7898B5

loc_789829:				; CODE XREF: PfCheckDeprioritizeFile+20Ej
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_789835:				; CODE XREF: PfCheckDeprioritizeFile+E7j
		mov	edx, [ebp+var_18]
		mov	ecx, esi
		neg	ecx
		sbb	ecx, ecx
		and	ecx, [ebp+arg_0]
		push	ecx
		mov	ecx, edi
		call	_PfpRpLogDeprioEvent@12	; PfpRpLogDeprioEvent(x,x,x)

loc_789849:				; CODE XREF: PfCheckDeprioritizeFile+17j
					; PfCheckDeprioritizeFile+29j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_789852:				; CODE XREF: PfCheckDeprioritizeFile+155j
		mov	edi, [ebp+var_C]
		mov	ecx, eax
		mov	esi, [ebp+var_10]

loc_78985A:				; CODE XREF: PfCheckDeprioritizeFile+1D9j
		mov	eax, ecx
		cmp	ecx, ebx
		jz	short loc_789889
		test	edx, edx
		jnz	short loc_78986F
		imul	edx, ebx, 9E3779B1h
		test	dl, 1
		jz	short loc_7898A1

loc_78986F:				; CODE XREF: PfCheckDeprioritizeFile+1B4j
					; PfCheckDeprioritizeFile+1F4j
		mov	ecx, [ebp+var_8]
		lea	eax, [esi-1]
		add	edi, edx
		and	edi, eax
		mov	eax, edi
		shl	eax, cl
		mov	ecx, [ebp+var_14]
		mov	eax, [eax+ecx]
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_78985A

loc_789889:				; CODE XREF: PfCheckDeprioritizeFile+1B0j
		mov	edi, [ebp+var_4]
		xor	esi, esi
		test	eax, eax
		jz	loc_789805
		mov	dword_6D48F0, ebx
		jmp	loc_789812
; 

loc_7898A1:				; CODE XREF: PfCheckDeprioritizeFile+1BFj
		inc	edx
		jmp	short loc_78986F
; 

loc_7898A4:				; CODE XREF: PfCheckDeprioritizeFile+CFj
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, offset unk_6D48DC
		jmp	loc_789783
; 

loc_7898B5:				; CODE XREF: PfCheckDeprioritizeFile+175j
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_789829
PfCheckDeprioritizeFile	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExDupHandleTable proc near		; CODE XREF: ObInitProcess+35p

var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DD8E6 SIZE 00000106 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_1C], ecx
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [eax]
		mov	[ebp+var_14], edi
		mov	dword ptr [esi], 0
		test	ebx, ebx
		jnz	loc_789B8B
		test	edi, edi
		jz	loc_8DD8E6
		mov	ebx, eax

loc_789906:				; CODE XREF: ExDupHandleTable+306j
		lea	esi, [edi-800h]
		mov	ecx, ebx
		push	esi
		call	ExpLookupHandleTableEntry
		mov	ecx, 1FFh
		lea	esp, [esp+0]

loc_789920:				; CODE XREF: ExDupHandleTable+59j
		test	byte ptr [eax+ecx*8], 2
		jnz	short loc_78992B
		sub	ecx, 1
		jnz	short loc_789920

loc_78992B:				; CODE XREF: ExDupHandleTable+54j
		test	ecx, ecx
		jz	loc_789BD2

loc_789933:				; CODE XREF: ExDupHandleTable+30Cj
		mov	ebx, [ebp+arg_0]
		mov	esi, [ebp+arg_8]
		mov	ecx, [ebp+var_1C]

loc_78993C:				; CODE XREF: ExDupHandleTable+2F1j
		mov	[ebp+var_14], edi
		test	edi, edi
		jz	loc_8DD8E6
		xor	dl, dl
		call	ExpAllocateHandleTable
		mov	ecx, eax
		mov	[esi], ecx
		test	ecx, ecx
		jz	loc_8DD908
		cmp	[ecx], edi
		jb	loc_789B70

loc_789962:				; CODE XREF: ExDupHandleTable+2B3j
		mov	eax, large fs:124h
		or	byte ptr [ecx+1Ch], 8
		mov	[ebp+var_34], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [esi]
		xor	edi, edi
		xor	esi, esi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_20], 0
		mov	[ebp+var_4], edi
		lea	eax, [ecx+44h]
		cmp	[ebp+var_14], esi
		jbe	loc_789A5B
		mov	[ebp+var_24], eax
		lea	esp, [esp+0]

loc_7899A0:				; CODE XREF: ExDupHandleTable+17Dj
		mov	ecx, [ebp+var_8]
		push	esi
		call	ExpLookupHandleTableEntry
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	ecx, [eax]
		call	ExpLookupHandleTableEntry
		mov	edx, eax
		lea	ecx, [esi+4]
		sub	[ebp+var_18], edx
		mov	eax, 1
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], eax
		lea	edi, [edx+8]
		mov	[ebp+var_10], ecx
		mov	edx, [ebp+arg_8]
		mov	edx, [edx]
		mov	[ebp+var_C], edx
		jmp	short loc_7899E0
; 
		align 10h

loc_7899E0:				; CODE XREF: ExDupHandleTable+108j
					; ExDupHandleTable+172j
		cmp	[ebp+var_4], 0
		jl	loc_8DD952
		test	ebx, ebx
		jnz	loc_789AD4

loc_7899F2:				; CODE XREF: ExDupHandleTable+213j
		mov	ebx, [ebp+var_18]
		add	ebx, edi
		test	byte ptr [ebx],	2
		jnz	loc_789AE8

loc_789A00:				; CODE XREF: ExDupHandleTable+224j
					; ExDupHandleTable+15404Cj
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jnz	loc_8DD921

loc_789A0B:				; CODE XREF: ExDupHandleTable+20Dj
					; ExDupHandleTable+25Ej ...
		mov	eax, [ebp+var_24]
		mov	[eax], edi
		lea	eax, [edi+4]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_2C]
		mov	[eax+48h], edi
		mov	dword ptr [edi], 0

loc_789A22:				; CODE XREF: ExDupHandleTable+15407Dj
		mov	eax, [ebp+arg_8]
		mov	edx, [eax]
		mov	[ebp+var_C], edx

loc_789A2A:				; CODE XREF: ExDupHandleTable+283j
		mov	eax, [ebp+var_28]
		add	edi, 8
		mov	ecx, [ebp+var_10]
		inc	eax
		add	ecx, 4
		mov	[ebp+var_28], eax
		mov	[ebp+var_10], ecx
		cmp	eax, 200h
		jb	short loc_7899E0

loc_789A44:				; CODE XREF: ExDupHandleTable+1540A4j
		add	esi, 800h
		cmp	esi, [ebp+var_14]
		jb	loc_7899A0
		mov	eax, [ebp+var_24]
		mov	ecx, edx
		mov	edi, [ebp+var_4]

loc_789A5B:				; CODE XREF: ExDupHandleTable+C0j
		mov	dword ptr [eax], 0
		test	edi, edi
		js	loc_8DD979
		mov	eax, [ecx+4Ch]
		mov	esi, offset _HandleTableListLock
		mov	[ecx+50h], eax
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+arg_8]
		mov	ecx, ds:dword_A94E74
		mov	eax, [edx]
		add	eax, 10h
		cmp	dword ptr [ecx], offset	_HandleTableListHead
		jnz	loc_8DD98A
		mov	dword ptr [eax], offset	_HandleTableListHead
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:dword_A94E74, eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_789BC6

loc_789AB8:				; CODE XREF: ExDupHandleTable+2FDj
		mov	ecx, esi
		call	KeAbPostRelease
		xor	edi, edi

loc_789AC1:				; CODE XREF: ExDupHandleTable+1540B5j
		mov	ecx, [ebp+var_34]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, edi

loc_789ACB:				; CODE XREF: ExDupHandleTable+316j
					; ExDupHandleTable+154028j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_789AD4:				; CODE XREF: ExDupHandleTable+11Cj
		mov	eax, [ebp+var_20]
		mov	edx, [ebp+arg_4]
		cmp	[edx+eax*4], ecx
		jnz	loc_789A0B
		jmp	loc_7899F2
; 

loc_789AE8:				; CODE XREF: ExDupHandleTable+12Aj
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	_ExLockHandleTableEntry@8 ; ExLockHandleTableEntry(x,x)
		test	al, al
		jz	loc_789A00
		test	byte ptr [ebx],	2
		jz	loc_8DD912
		cmp	[ebp+arg_4], 0
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_1C]
		setnz	al
		movzx	eax, al
		push	eax
		mov	eax, [ebp+arg_8]
		push	edi
		mov	eax, [eax]
		push	eax
		push	ebx
		push	[ebp+var_8]
		call	ExpDuplicateSingleHandle
		mov	ebx, [ebp+arg_0]
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		js	loc_789A0B
		cmp	ecx, 107h
		jz	loc_8DD92D
		mov	eax, [ebp+arg_8]
		mov	edx, [eax]
		mov	[ebp+var_C], edx
		inc	dword ptr [edx+4Ch]
		test	ebx, ebx
		jnz	short loc_789B5E

loc_789B4F:				; CODE XREF: ExDupHandleTable+296j
					; ExDupHandleTable+29Cj
		cmp	dword ptr [edx+54h], 0
		jz	loc_789A2A
		jmp	loc_8DD939
; 

loc_789B5E:				; CODE XREF: ExDupHandleTable+27Dj
		mov	ecx, [ebp+var_20]
		lea	eax, [ebx-1]
		cmp	ecx, eax
		jnb	short loc_789B4F
		inc	ecx
		mov	[ebp+var_20], ecx
		jmp	short loc_789B4F
; 
		align 10h

loc_789B70:				; CODE XREF: ExDupHandleTable+8Cj
					; ExDupHandleTable+2B9j
		xor	edx, edx
		call	ExpAllocateHandleTableEntrySlow
		mov	ecx, [esi]
		test	al, al
		jz	loc_8DD8FD
		cmp	[ecx], edi
		jnb	loc_789962
		jmp	short loc_789B70
; 

loc_789B8B:				; CODE XREF: ExDupHandleTable+26j
		mov	edx, [ebp+arg_4]
		test	byte ptr [edx],	3
		jnz	short loc_789BE1
		mov	eax, 1
		cmp	ebx, eax
		jbe	short loc_789BB6
		lea	esp, [esp+0]

loc_789BA0:				; CODE XREF: ExDupHandleTable+2E1j
		mov	ecx, [edx+eax*4]
		test	cl, 3
		jnz	short loc_789BE1
		cmp	ecx, [edx+eax*4-4]
		jbe	short loc_789BE1
		inc	eax
		cmp	eax, ebx
		jb	short loc_789BA0
		mov	ecx, [ebp+var_1C]

loc_789BB6:				; CODE XREF: ExDupHandleTable+2CAj
		mov	eax, [edx+ebx*4-4]
		cmp	eax, edi
		jnb	short loc_789BE1
		lea	edi, [eax+4]
		jmp	loc_78993C
; 

loc_789BC6:				; CODE XREF: ExDupHandleTable+1E2j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_789AB8
; 

loc_789BD2:				; CODE XREF: ExDupHandleTable+5Dj
		mov	edi, esi
		test	esi, esi
		jnz	loc_789906
		jmp	loc_789933
; 

loc_789BE1:				; CODE XREF: ExDupHandleTable+2C1j
					; ExDupHandleTable+2D6j ...
		mov	eax, 0C000000Dh
		jmp	loc_789ACB
ExDupHandleTable endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpDuplicateSingleHandle proc near	; CODE XREF: ExDupHandleTable+24Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 008DD9EC SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		mov	esi, edx
		mov	eax, [ebx]
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], ecx
		mov	[edi], eax
		mov	eax, [ebx+4]
		mov	ebx, [ebp+arg_0]
		or	dword ptr [edi], 1
		mov	[edi+4], eax
		and	dword ptr [edi+4], 7FFFFFFh
		cmp	dword ptr [ebx+4], 0
		jnz	loc_8DD991

loc_789C25:				; CODE XREF: ExDupHandleTable+1540CAj
					; ExDupHandleTable+1540D9j ...
		mov	eax, [ebp+arg_4]
		mov	edx, esi
		mov	ecx, [ebp+var_8]
		push	eax
		push	ebx
		call	ObInheritObjectHandle
		mov	esi, eax
		test	esi, esi
		js	loc_8DD9EC

loc_789C3E:				; CODE XREF: ExpDuplicateSingleHandle+153E12j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
ExpDuplicateSingleHandle endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObInheritObjectHandle proc near		; CODE XREF: ExpDuplicateSingleHandle+43p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DDA03 SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_C], edx
		mov	eax, [esi]
		and	eax, 0FFFFFFF8h
		mov	ecx, eax
		mov	[ebp+var_8], eax
		lea	edi, [eax+18h]
		call	ObpIncrPointerCount
		mov	eax, [esi+4]
		and	eax, 1FFFFFFh
		mov	[ebp+var_4], eax
		xor	eax, eax
		inc	eax
		lock xadd [esi], eax
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+arg_4]
		xor	esi, esi
		add	ecx, 20h
		mov	[ebp+arg_4], esi
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], esi
		jnz	short loc_789CC2

loc_789C96:				; CODE XREF: ObInheritObjectHandle+81j
		push	esi
		push	esi
		push	esi
		push	edi
		push	ebx
		push	3
		lea	edx, [ebp+var_4]
		pop	ecx
		call	ObpIncrementHandleCountEx
		mov	esi, eax
		test	esi, esi
		js	short loc_789CCB
		test	byte ptr ds:dword_70EFD0, 40h
		jnz	loc_8DDA03

loc_789CB9:				; CODE XREF: ObInheritObjectHandle+8Aj
					; ObInheritObjectHandle+153DF3j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_789CC2:				; CODE XREF: ObInheritObjectHandle+4Cj
		xor	edx, edx
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	short loc_789C96
; 

loc_789CCB:				; CODE XREF: ObInheritObjectHandle+62j
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	short loc_789CB9
ObInheritObjectHandle endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcUnmapVacb	proc near		; CODE XREF: CcUnmapVacbArray+37Ap
					; CcGetVacbMiss+221p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DDA40 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	ecx, [ebp+arg_0]
		mov	esi, edx
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], ebx
		test	cl, 1
		jz	short loc_789CF9
		test	byte ptr [esi+60h], 40h
		jnz	short loc_789D67

loc_789CF9:				; CODE XREF: CcUnmapVacb+1Dj
		mov	eax, [esi+60h]
		and	eax, 200200h
		cmp	eax, 200000h
		jnz	short loc_789D40
		mov	eax, large fs:124h
		mov	ecx, [esi+168h]
		mov	eax, [eax+80h]
		cmp	[eax+1DCh], ecx
		jz	loc_789E18
		call	_PfCheckDeprioritizeImage@4 ; PfCheckDeprioritizeImage(x)
		test	eax, eax

loc_789D2D:				; CODE XREF: CcUnmapVacb+14Ej
		jnz	short loc_789D6C

loc_789D2F:				; CODE XREF: CcUnmapVacb+136j
		push	0
		mov	edx, 200000h
		mov	ecx, esi
		call	CcUpdateSharedCacheMapFlag

loc_789D3D:				; CODE XREF: CcUnmapVacb+13Fj
		mov	ecx, [ebp+arg_0]

loc_789D40:				; CODE XREF: CcUnmapVacb+32j
					; CcUnmapVacb+96j
		and	ecx, 2
		mov	[ebp+arg_0], ecx
		jnz	loc_8DDA52

loc_789D4C:				; CODE XREF: CcUnmapVacb+153D81j
		mov	edx, [esi+6Ch]
		mov	ecx, [edi]
		push	ebx
		call	MmUnmapViewInSystemCache
		cmp	[ebp+arg_0], 0
		jnz	short loc_789D60
		and	dword ptr [edi], 0

loc_789D60:				; CODE XREF: CcUnmapVacb+87j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_789D67:				; CODE XREF: CcUnmapVacb+23j
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_789D40
; 

loc_789D6C:				; CODE XREF: CcUnmapVacb:loc_789D2Dj
		lea	ecx, [esi+44h]
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_789E3C

loc_789D7E:				; CODE XREF: CcUnmapVacb+171j
		mov	ecx, [esi+44h]
		mov	edx, ecx
		mov	eax, [edi+0Ch]
		xor	edx, edi
		mov	[ebp+var_14], eax
		cmp	edx, 7
		jnb	loc_789E53

loc_789D94:				; CODE XREF: CcUnmapVacb+153D73j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lea	ebx, [esi+44h]
		lock cmpxchg [ebx], edx
		mov	ebx, [ebp+var_8]
		cmp	eax, ecx
		jnz	loc_8DDA40

loc_789DAB:				; CODE XREF: CcUnmapVacb+185j
		mov	edi, [ebp+var_C]
		mov	ecx, [edi+8]
		mov	eax, [edi+0Ch]
		mov	edi, [esi+0Ch]
		shrd	ecx, eax, 0Ch
		and	ecx, 0FFFFFFC0h
		mov	[ebp+var_10], ecx
		mov	ecx, [esi+8]
		mov	edx, ecx
		and	edx, 0FFFh
		mov	eax, edx
		or	eax, 0
		jz	short loc_789E36
		mov	[ebp+var_4], 1

loc_789DDA:				; CODE XREF: CcUnmapVacb+166j
		shrd	ecx, edi, 0Ch
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_8]
		add	ecx, 40h
		add	eax, [ebp+var_4]
		cmp	eax, ecx
		jb	short loc_789E27

loc_789DF1:				; CODE XREF: CcUnmapVacb+160j
		mov	edi, [ebp+var_C]
		cmp	ecx, 1
		jbe	short loc_789E4A

loc_789DF9:				; CODE XREF: CcUnmapVacb+179j
		mov	edx, [ebp+var_14]
		push	ecx
		mov	ecx, [esi+168h]
		call	PfCheckDeprioritizeFile
		test	eax, eax
		jz	loc_789D2F
		xor	ebx, ebx
		inc	ebx
		jmp	loc_789D3D
; 

loc_789E18:				; CODE XREF: CcUnmapVacb+4Cj
		test	dword ptr [eax+0FCh], 4000h
		jmp	loc_789D2D
; 

loc_789E27:				; CODE XREF: CcUnmapVacb+11Bj
		or	edx, 0
		jz	short loc_789E4F
		xor	eax, eax
		inc	eax

loc_789E2F:				; CODE XREF: CcUnmapVacb+17Dj
		mov	ecx, [ebp+var_8]
		add	ecx, eax
		jmp	short loc_789DF1
; 

loc_789E36:				; CODE XREF: CcUnmapVacb+FDj
		and	[ebp+var_4], 0
		jmp	short loc_789DDA
; 

loc_789E3C:				; CODE XREF: CcUnmapVacb+A4j
		mov	ecx, esi
		call	_CcSlowReferenceSharedCacheMapFileObject@4 ; CcSlowReferenceSharedCacheMapFileObject(x)
		mov	edi, eax
		jmp	loc_789D7E
; 

loc_789E4A:				; CODE XREF: CcUnmapVacb+123j
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_789DF9
; 

loc_789E4F:				; CODE XREF: CcUnmapVacb+156j
		xor	eax, eax
		jmp	short loc_789E2F
; 

loc_789E53:				; CODE XREF: CcUnmapVacb+BAj
					; CcUnmapVacb+153D79j
		push	edi
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)
		jmp	loc_789DAB
CcUnmapVacb	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfCheckDeprioritizeImage(x)
_PfCheckDeprioritizeImage@4 proc near	; CODE XREF: PfProcessCreateNotification+3Ep
					; CcUnmapVacb+52p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], ebx
		test	ebx, ebx
		jz	loc_789F53
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset unk_6D4908
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	edi, dword_6D4900
		test	edi, edi
		jz	loc_789F4F
		movzx	eax, bl
		lea	esi, [edi-1]
		imul	ecx, eax, 25h
		xor	edx, edx
		movzx	eax, bh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	ecx, 25h
		add	eax, 164B2F3Fh
		add	eax, ecx
		mov	ecx, dword_6D48FC
		and	esi, eax
		mov	[ebp+var_4], ecx
		mov	eax, esi
		shl	eax, cl
		mov	ecx, dword_6D48F8
		mov	[ebp+var_8], ecx
		mov	eax, [eax+ecx]
		test	eax, eax
		jz	short loc_789F16
		mov	ecx, eax

loc_789EE7:				; CODE XREF: PfCheckDeprioritizeImage(x)+B6j
		mov	eax, ecx
		cmp	ecx, ebx
		jz	short loc_789F16
		test	edx, edx
		jnz	short loc_789EFC
		imul	edx, ebx, 9E3779B1h
		test	dl, 1
		jz	short loc_789F43

loc_789EFC:				; CODE XREF: PfCheckDeprioritizeImage(x)+91j
					; PfCheckDeprioritizeImage(x)+E6j
		mov	ecx, [ebp+var_4]
		lea	eax, [edi-1]
		add	esi, edx
		and	esi, eax
		mov	eax, esi
		shl	eax, cl
		mov	ecx, [ebp+var_8]
		mov	eax, [eax+ecx]
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_789EE7

loc_789F16:				; CODE XREF: PfCheckDeprioritizeImage(x)+85j
					; PfCheckDeprioritizeImage(x)+8Dj
		mov	esi, offset unk_6D4908

loc_789F1B:				; CODE XREF: PfCheckDeprioritizeImage(x)+F3j
		xor	ebx, ebx
		test	eax, eax
		push	11h
		setnz	bl
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_789F46

loc_789F30:				; CODE XREF: PfCheckDeprioritizeImage(x)+EFj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, ebx
		pop	esi

loc_789F40:				; CODE XREF: PfCheckDeprioritizeImage(x)+F7j
		pop	ebx
		leave
		retn
; 

loc_789F43:				; CODE XREF: PfCheckDeprioritizeImage(x)+9Cj
		inc	edx
		jmp	short loc_789EFC
; 

loc_789F46:				; CODE XREF: PfCheckDeprioritizeImage(x)+D0j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_789F30
; 

loc_789F4F:				; CODE XREF: PfCheckDeprioritizeImage(x)+3Bj
		xor	eax, eax
		jmp	short loc_789F1B
; 

loc_789F53:				; CODE XREF: PfCheckDeprioritizeImage(x)+Fj
		xor	eax, eax
		jmp	short loc_789F40
_PfCheckDeprioritizeImage@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 219. CcPinRead

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcPinRead
CcPinRead	proc near

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008DDA5A SIZE 00000010 BYTES

		push	2Ch
		push	offset dword_6A1AD8
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], edx
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx]
		mov	[ebp+var_3C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_38], eax
		mov	[ebp+var_20], edx
		lea	eax, [ebp+var_20]
		mov	[ebp+var_24], eax
		mov	[ebp+var_19], dl
		mov	eax, [ebp+arg_C]
		and	eax, 1
		inc	dword ptr fs:658h[eax*4]
		mov	eax, large fs:124h
		mov	[eax+328h], edx
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+14h]
		mov	eax, [eax+4]
		mov	[ebp+var_28], eax
		mov	[ebp+ms_exc.disabled], edx
		mov	ebx, [ebp+arg_14]
		mov	edi, [ebp+arg_8]
		mov	ecx, [ebp+var_34]
		mov	esi, [ebp+var_24]

loc_789FC2:				; CODE XREF: CcPinRead+B1j
					; CcPinRead+B7j
		cmp	[ebp+var_20], 0
		jnz	loc_78A04D

loc_789FCC:				; CODE XREF: CcPinRead+132j
		lea	ecx, [ebp+var_34]
		push	ecx
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	esi
		push	[ebp+arg_C]
		push	0
		mov	eax, [eax+60h]
		shr	eax, 9
		not	al
		and	al, 1
		movzx	eax, al
		push	eax
		push	edi
		lea	edx, [ebp+var_3C]
		mov	ecx, [ebp+arg_0]
		call	CcPinFileData
		test	al, al
		jz	loc_8DDA5A
		mov	ecx, [ebp+var_34]
		mov	edx, ecx
		sub	edx, [ebp+var_3C]
		mov	eax, [ebp+var_30]
		sbb	eax, [ebp+var_38]
		mov	eax, [ebp+var_28]
		js	short loc_789FC2
		jg	short loc_78A015
		cmp	edx, edi
		jb	short loc_789FC2

loc_78A015:				; CODE XREF: CcPinRead+B3j
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+var_20]
		mov	[ecx], eax
		lea	eax, [ebp+var_20]
		cmp	esi, eax
		jnz	short loc_78A029
		mov	eax, [ebp+var_2C]
		mov	[ebx], eax

loc_78A029:				; CODE XREF: CcPinRead+C6j
		mov	[ebp+var_19], 1

loc_78A02D:				; CODE XREF: CcPinRead+153B09j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_78A093
		mov	al, bl
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_78A04D:				; CODE XREF: CcPinRead+6Aj
		lea	eax, [ebp+var_20]
		cmp	esi, eax
		jnz	short loc_78A072
		push	[ebp+var_20]
		mov	edx, edi
		mov	ecx, [ebp+arg_4]
		call	_CcAllocateObcb@12 ; CcAllocateObcb(x,x,x)
		mov	[ebp+var_20], eax
		lea	esi, [eax+10h]
		mov	[ebp+var_24], esi
		mov	eax, [ebp+var_2C]
		mov	[ebx], eax
		mov	ecx, [ebp+var_34]

loc_78A072:				; CODE XREF: CcPinRead+F6j
		mov	eax, [ebp+var_3C]
		sub	eax, ecx
		add	edi, eax
		mov	[ebp+arg_8], edi
		mov	[ebp+var_3C], ecx
		mov	eax, [ebp+var_30]
		mov	[ebp+var_38], eax
		add	esi, 4
		mov	[ebp+var_24], esi
		mov	eax, [ebp+var_28]
		jmp	loc_789FCC
CcPinRead	endp


;  S U B	R O U T	I N E 


sub_78A093	proc near		; CODE XREF: CcPinRead+D8p sub_8DDA6Aj

; FUNCTION CHUNK AT 008DDA6F SIZE 00000017 BYTES

		mov	eax, large fs:124h
		mov	eax, [eax+328h]
		add	large fs:698h, eax
		mov	bl, [ebp-19h]
		test	bl, bl
		jz	loc_8DDA6F

locret_78A0B1:				; CODE XREF: sub_78A093+1539E0j
					; sub_78A093+1539EEj
		retn
sub_78A093	endp

; 
		align 10h
; Exported entry 218. CcPinMappedData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcPinMappedData
CcPinMappedData	proc near

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0078A210 SIZE 00000004 BYTES
; FUNCTION CHUNK AT 008DDA86 SIZE 0000006C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1AF8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_28], 0
		mov	[ebp+var_38], 0
		mov	[ebp+var_34], 0
		mov	edi, [ebp+arg_4]
		mov	eax, [edi]
		mov	[ebp+var_30], eax
		mov	eax, [edi+4]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_20], 0
		lea	eax, [ebp+var_20]
		mov	[ebp+var_24], eax
		mov	[ebp+var_19], 0
		mov	esi, [ebp+arg_10]
		mov	eax, [esi]
		test	al, 1
		jz	loc_78A1F1
		dec	eax
		mov	[esi], eax
		mov	ebx, [ebp+arg_0]
		mov	eax, [ebx+14h]
		mov	eax, [eax+4]
		mov	[ebp+arg_0], eax
		inc	large dword ptr	fs:654h
		mov	[ebp+var_4], 0
		mov	ecx, [esi]
		mov	eax, 2FDh
		cmp	[ecx], ax
		jz	loc_8DDAD3
		mov	edx, [ebp+arg_8]

loc_78A163:				; CODE XREF: CcPinMappedData+F6j
					; CcPinMappedData+FCj
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	loc_8DDA86
		mov	ecx, [ebp+arg_8]
		mov	edx, [ebp+var_24]

loc_78A174:				; CODE XREF: CcPinMappedData+153A07j
		mov	eax, [ebp+arg_0]
		test	dword ptr [eax+60h], 200h
		jz	loc_8DDACC
		xor	al, al

loc_78A186:				; CODE XREF: CcPinMappedData+153A0Ej
		lea	esi, [ebp+var_38]
		push	esi
		lea	esi, [ebp+var_28]
		push	esi
		push	edx
		push	[ebp+arg_C]
		push	0
		push	eax
		push	ecx
		lea	edx, [ebp+var_30]
		mov	ecx, ebx
		call	CcPinFileData
		test	al, al
		mov	esi, [ebp+arg_10]
		jz	short loc_78A210
		mov	ecx, [ebp+var_38]
		sub	ecx, [ebp+var_30]
		mov	eax, [ebp+var_34]
		sbb	eax, [ebp+var_2C]
		mov	edx, [ebp+arg_8]
		js	short loc_78A163
		jg	short loc_78A1BE
		cmp	ecx, edx
		jb	short loc_78A163

loc_78A1BE:				; CODE XREF: CcPinMappedData+F8j
		mov	ecx, [esi]
		call	CcFreeVirtualAddress
		mov	eax, [ebp+var_20]
		mov	[esi], eax

loc_78A1CA:				; CODE XREF: CcPinMappedData+153A2Dj
		mov	bl, 1

loc_78A1CC:				; CODE XREF: CcPinMappedData+152j
		mov	[ebp+var_19], bl
		mov	[ebp+var_4], 0FFFFFFFEh
		call	sub_78A207
		mov	al, bl
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_78A1F1:				; CODE XREF: CcPinMappedData+6Dj
		mov	al, 1
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
CcPinMappedData	endp


;  S U B	R O U T	I N E 


sub_78A207	proc near		; CODE XREF: CcPinMappedData+116p
					; sub_8DDAF2+6j

; FUNCTION CHUNK AT 008DDAFD SIZE 00000018 BYTES

		test	bl, bl
		jz	loc_8DDAFD

locret_78A20F:				; CODE XREF: sub_78A207+1538FDj
					; sub_78A207+153909j
		retn
sub_78A207	endp

; 
; START	OF FUNCTION CHUNK FOR CcPinMappedData

loc_78A210:				; CODE XREF: CcPinMappedData+E5j
					; CcPinMappedData+153A27j
		xor	bl, bl
		jmp	short loc_78A1CC
; END OF FUNCTION CHUNK	FOR CcPinMappedData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSegmentDelete	proc near		; CODE XREF: MiCheckControlArea+191p
					; MiProcessDereferenceList+A2p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DDB15 SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	eax, [ebx]
		lea	edi, [ebx+50h]
		mov	[ebp+var_8], eax
		mov	esi, [eax+8]
		mov	eax, [ebx+1Ch]
		mov	[ebp+var_4], eax
		and	al, 0A0h
		add	al, 80h
		movzx	edx, al
		neg	edx
		sbb	edx, edx
		not	edx
		and	edx, edi
		call	_MiPrepareSegmentForDeletion@8 ; MiPrepareSegmentForDeletion(x,x)
		mov	edi, eax
		mov	eax, [ebp+var_4]
		and	eax, 80h
		mov	[ebp+var_C], eax
		jnz	loc_78A2E3
		test	dword ptr ds:byte_70EFC4, 400001h
		jnz	loc_8DDB38

loc_78A269:				; CODE XREF: MiSegmentDelete+15392Dj
		mov	esi, [ebp+var_8]

loc_78A26C:				; CODE XREF: MiSegmentDelete+E5j
		mov	ecx, ebx
		call	MiDeleteSegmentPages
		mov	[ebp+var_10], eax
		xor	edi, edi
		mov	eax, [ebp+var_4]
		mov	edx, eax
		and	dl, 82h
		cmp	dl, 80h
		jz	short loc_78A2D2

loc_78A285:				; CODE XREF: MiSegmentDelete+CDj
		cmp	[ebp+var_C], 0
		jnz	short loc_78A2FE
		mov	ecx, ebx
		call	_MiDeletePageFileSectionNodes@4	; MiDeletePageFileSectionNodes(x)

loc_78A292:				; CODE XREF: MiSegmentDelete+102j
		mov	eax, [ebp+var_4]

loc_78A295:				; CODE XREF: MiSegmentDelete+ECj
		test	byte ptr [ebx+1Ch], 20h
		setz	cl
		test	al, 80h
		setnz	al
		test	cl, al
		jz	short loc_78A2CE
		mov	esi, [ebx+48h]
		shl	esi, 3

loc_78A2AB:				; CODE XREF: MiSegmentDelete+BCj
		xor	edx, edx
		mov	ecx, ebx
		call	_MiDereferenceControlAreaProbe@8 ; MiDereferenceControlAreaProbe(x,x)
		test	edi, edi
		jnz	short loc_78A31B

loc_78A2B8:				; CODE XREF: MiSegmentDelete+10Ej
		test	esi, esi
		jnz	short loc_78A324

loc_78A2BC:				; CODE XREF: MiSegmentDelete+117j
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_10]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_78A2CE:				; CODE XREF: MiSegmentDelete+8Fj
		xor	esi, esi
		jmp	short loc_78A2AB
; 

loc_78A2D2:				; CODE XREF: MiSegmentDelete+6Fj
		xor	edx, edx
		lea	ecx, [ebx+20h]
		call	@ObFastReplaceObject@8 ; ObFastReplaceObject(x,x)
		mov	edi, eax
		mov	eax, [ebp+var_4]
		jmp	short loc_78A285
; 

loc_78A2E3:				; CODE XREF: MiSegmentDelete+3Fj
		test	esi, 2000h
		mov	esi, [ebp+var_8]
		jnz	loc_8DDB15

loc_78A2F2:				; CODE XREF: MiSegmentDelete+15391Fj
		mov	ecx, edi
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)
		jmp	loc_78A26C
; 

loc_78A2FE:				; CODE XREF: MiSegmentDelete+75j
		test	al, 20h
		jz	short loc_78A295
		mov	ecx, [ebx+38h]
		xor	edx, edx
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)
		push	0
		push	dword ptr [esi+28h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_78A292
; 

loc_78A31B:				; CODE XREF: MiSegmentDelete+A2j
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	short loc_78A2B8
; 

loc_78A324:				; CODE XREF: MiSegmentDelete+A6j
		mov	ecx, esi
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		jmp	short loc_78A2BC
MiSegmentDelete	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiDeletePageFileSectionNodes(x)
_MiDeletePageFileSectionNodes@4	proc near ; CODE XREF: MiSegmentDelete+79p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+50h]

loc_78A338:				; CODE XREF: MiDeletePageFileSectionNodes(x)+2Bj
		cmp	dword ptr [esi+4], 0
		jz	short loc_78A352
		lea	ecx, [esi+28h]
		xor	edx, edx
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)
		push	0
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_78A352:				; CODE XREF: MiDeletePageFileSectionNodes(x)+Ej
		mov	eax, [esi+8]
		mov	esi, eax
		test	eax, eax
		jnz	short loc_78A338
		mov	ecx, edi
		call	_MiAweControlArea@4 ; MiAweControlArea(x)
		test	eax, eax
		jnz	short loc_78A36A

loc_78A366:				; CODE XREF: MiDeletePageFileSectionNodes(x)+41j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_78A36A:				; CODE XREF: MiDeletePageFileSectionNodes(x)+36j
		call	_MiDeleteSectionAwe@4 ;	MiDeleteSectionAwe(x)
		jmp	short loc_78A366
_MiDeletePageFileSectionNodes@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateProcessShadow	proc near	; CODE XREF: MmCreateProcessAddressSpace+E7p
					; MmInitializeHandBuiltProcess+90p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DDB46 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ds:_MiFlags, 0C00000h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		jz	short loc_78A3E1
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	edi, eax
		xor	edx, edx
		push	0
		push	0
		inc	edx
		mov	ecx, edi
		call	MiAcquireNonPagedResources
		test	eax, eax
		js	loc_8DDB50
		xor	edx, edx
		mov	ecx, offset dword_6D35E0
		inc	edx
		call	MiReservePtes
		mov	esi, eax
		test	esi, esi
		jz	loc_8DDB46
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		call	MiAllocateTopLevelPage
		imul	ecx, eax, 1Ch
		xor	edx, edx
		add	ecx, ds:_MmPfnDatabase
		call	_MiMarkPfnTradable@8 ; MiMarkPfnTradable(x,x)
		shl	esi, 9
		mov	[ebx+304h], esi

loc_78A3E1:				; CODE XREF: MiAllocateProcessShadow+14j
		xor	eax, eax

loc_78A3E3:				; CODE XREF: MiAllocateProcessShadow+1537E3j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
MiAllocateProcessShadow	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapImageInSystemSpace	proc near	; CODE XREF: MiSetPagesModified(x,x)+A9p
					; MiRelocateImage+236p	...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DDB5A SIZE 000000AE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		xor	edx, edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_44], edx
		mov	[edi], edx
		mov	eax, [ebx]
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], edx
		mov	eax, [eax+24h]
		mov	ecx, [eax+30h]
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		jz	loc_8DDB5A
		call	_MmGetMinWsPagePriority@0 ; MmGetMinWsPagePriority()
		cmp	eax, 1
		jnz	loc_8DDB64
		mov	eax, edx

loc_78A43C:				; CODE XREF: MiMapImageInSystemSpace+153796j
		test	byte ptr [ebp+var_8], 1
		mov	[edi+4], eax
		jz	loc_78A50F
		mov	eax, [ebx]
		mov	esi, [eax+4]

loc_78A44E:				; CODE XREF: MiMapImageInSystemSpace+138j
		mov	ecx, 1000h
		mov	eax, esi
		mul	ecx
		mov	ecx, ebx
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], edx
		call	MiReferenceControlAreaFile
		mov	[ebp+var_10], eax
		mov	ecx, [eax+4]
		test	byte ptr [ecx+20h], 10h
		jnz	loc_8DDB85
		mov	[ebp+var_30], ebx

loc_78A477:				; CODE XREF: MiMapImageInSystemSpace+1537A3j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_20]
		and	eax, 7FFFFh
		shl	eax, 0Ch
		and	ecx, 80000002h
		or	eax, ecx
		or	[ebp+var_24], 20h
		and	[ebp+var_1C], 0
		lea	ecx, [ebp+var_44]
		and	[ebp+var_18], 0
		or	eax, 2
		mov	[ebp+var_20], eax
		mov	edx, offset unk_6CF5A4
		mov	eax, esi
		shl	eax, 0Ch
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_8]
		or	eax, 8
		push	eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_1C]
		push	1
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	MiMapViewInSystemSpace
		mov	edx, [ebp+var_10]
		mov	ecx, ebx
		mov	[ebp+arg_0], eax
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		mov	eax, [ebp+arg_0]
		test	eax, eax
		js	loc_8DDB92
		xor	ecx, ecx
		inc	ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)

loc_78A4FB:				; CODE XREF: MiMapImageInSystemSpace+153819j
		mov	[edi+0Ch], eax
		mov	eax, [ebp+var_C]
		mov	[edi], eax
		xor	eax, eax
		mov	[edi+8], esi

loc_78A508:				; CODE XREF: MiMapImageInSystemSpace+153775j
					; MiMapImageInSystemSpace+15378Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_78A50F:				; CODE XREF: MiMapImageInSystemSpace+59j
		mov	esi, ecx
		and	esi, 0FFFh
		neg	esi
		sbb	esi, esi
		shr	ecx, 0Ch
		neg	esi
		add	esi, ecx
		jmp	loc_78A44E
MiMapImageInSystemSpace	endp

; 
		align 4

;  S U B	R O U T	I N E 


MiUnmapImageInSystemSpace proc near	; CODE XREF: MiSetPagesModified(x,x)+308p
					; MiRelocateImage+439p	...

; FUNCTION CHUNK AT 008DDC08 SIZE 00000025 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi]
		cmp	edx, ds:_MmHighestUserAddress
		jbe	loc_8DDC08
		push	1
		mov	ecx, offset unk_6CF5A4
		call	MiRemoveFromSystemSpace

loc_78A547:				; CODE XREF: MiUnmapImageInSystemSpace+153700j
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_78A550
		pop	esi
		retn
; 

loc_78A550:				; CODE XREF: MiUnmapImageInSystemSpace+24j
		pop	esi
		jmp	_MiReturnCrossPartitionControlAreaCharges@4 ; MiReturnCrossPartitionControlAreaCharges(x)
MiUnmapImageInSystemSpace endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCommitPagefileBackedSection proc near	; CODE XREF: MiAllocateVirtualMemory+3C5p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008DDC2D SIZE 00000059 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_18], ecx
		mov	edx, [ebp+arg_8]
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		mov	ecx, [edi+1Ch]
		shr	ecx, 7
		and	ecx, 1Fh
		call	_MiIsPteProtectionCompatible@8 ; MiIsPteProtectionCompatible(x,x)
		test	eax, eax
		jz	loc_8DDC2D
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_4]
		mov	esi, [ebp+arg_4]
		shr	eax, 0Ch
		push	ecx
		push	ebx
		mov	edx, eax
		mov	[ebp+var_14], eax
		mov	ecx, edi
		shr	esi, 0Ch
		call	MiGetProtoPteAddress
		mov	[ebp+var_10], eax
		mov	edx, esi
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		push	ebx
		call	MiGetProtoPteAddress
		mov	ecx, edi
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		mov	ebx, [ebp+var_4]
		test	eax, eax
		jnz	loc_8DDC37
		mov	eax, [ebp+var_10]

loc_78A5CA:				; CODE XREF: MiCommitPagefileBackedSection+153712j
					; MiCommitPagefileBackedSection+15372Bj
		sub	esi, [ebp+var_14]
		mov	edx, eax
		inc	esi
		mov	ecx, ebx
		push	esi
		call	MiChargeSegmentCommit
		test	eax, eax
		jz	short loc_78A5FE
		push	[ebp+arg_18]
		mov	ecx, [ebp+var_18]
		mov	edx, edi
		push	[ebp+arg_14]
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_MiSetProtectionOnSection@32 ; MiSetProtectionOnSection(x,x,x,x,x,x,x,x)

loc_78A5F7:				; CODE XREF: MiCommitPagefileBackedSection+ADj
					; MiCommitPagefileBackedSection+1536DCj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_78A5FE:				; CODE XREF: MiCommitPagefileBackedSection+84j
		mov	eax, 0C000012Dh
		jmp	short loc_78A5F7
MiCommitPagefileBackedSection endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateTopLevelPage proc near	; CODE XREF: MmCreateProcessAddressSpace+11Ap
					; MiAllocateProcessShadow+51p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DDC86 SIZE 000000D5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+28h+var_10], edx
		lea	edi, [esp+28h+var_C]
		mov	[esp+28h+var_1C], ecx
		stosd
		stosd
		stosd
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		push	[ebp+arg_0]
		add	ecx, 240h
		lea	edx, [esp+2Ch+var_C]
		mov	esi, eax
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	ecx, edx
		call	_MiGetNextPageColor@4 ;	MiGetNextPageColor(x)
		mov	edi, eax
		mov	ebx, 302h

loc_78A64C:				; CODE XREF: MiAllocateTopLevelPage+153687j
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	MiGetPage
		mov	[esp+28h+var_14], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_8DDC86
		imul	edi, eax, 1Ch
		xor	edx, edx
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		call	_MiSetPfnLink@8	; MiSetPfnLink(x,x)
		push	90000006h
		mov	edx, eax
		xor	ecx, ecx
		call	MiMakeValidPte
		mov	esi, [edi+18h]
		and	eax, 0FFFFFEFFh
		xor	esi, [esp+28h+var_14]
		mov	ebx, edx
		mov	edx, [esp+28h+var_1C]
		and	esi, offset loc_7FFFFF
		xor	[edi+18h], esi
		mov	ecx, edi
		and	dword ptr [edi], 0
		push	0
		mov	[esp+2Ch+var_18], eax
		call	_MiSetPageTablePfnBuddy@12 ; MiSetPageTablePfnBuddy(x,x,x)
		mov	ecx, 0C0600000h
		call	_MiGetPdeAddress@4 ; MiGetPdeAddress(x)
		mov	edi, [esp+28h+var_14]
		mov	esi, eax
		push	200h
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	MiInitializePfnForOtherProcess
		push	0A0000004h
		mov	edx, edi
		xor	ecx, ecx
		call	MiMakeValidPte
		and	[esp+28h+var_1C], 0
		mov	edi, eax
		mov	ecx, [esp+28h+var_10]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_8DDC92

loc_78A6F3:				; CODE XREF: MiAllocateTopLevelPage+1536DEj
		mov	eax, [esp+28h+var_1C]

loc_78A6F7:				; CODE XREF: MiAllocateTopLevelPage+1536A3j
					; MiAllocateTopLevelPage+1536B5j ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], edi
		test	eax, eax
		jnz	loc_8DDCE9

loc_78A705:				; CODE XREF: MiAllocateTopLevelPage+1536EEj
		shr	esi, 3
		xor	edx, edx
		and	esi, 1FFh
		shl	ecx, 6
		add	esi, ecx
		shl	esi, 3
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_8DDCF9
		mov	ecx, [esp+28h+var_18]

loc_78A72B:				; CODE XREF: MiAllocateTopLevelPage+15370Aj
					; MiAllocateTopLevelPage+153718j ...
		mov	[esi+4], ebx
		nop
		mov	[esi], ecx
		test	edx, edx
		jnz	loc_8DDD4D

loc_78A739:				; CODE XREF: MiAllocateTopLevelPage+153750j
		mov	eax, [esp+28h+var_14]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
MiAllocateTopLevelPage endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializePageDirectoryPages proc near ; CODE	XREF: MmCreateProcessAddressSpace+1B1p

var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DDD5B SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		and	[ebp+var_18], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_3C]
		mov	[ebp+var_14], edx
		stosd
		mov	[ebp+var_20], ecx
		stosd
		stosd
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ecx, large fs:124h
		lea	edx, [ebp+var_3C]
		push	0
		mov	ebx, eax
		mov	ecx, [ecx+80h]
		add	ecx, 240h
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	ecx, edx
		call	_MiGetNextPageColor@4 ;	MiGetNextPageColor(x)
		push	3
		pop	esi

loc_78A791:				; CODE XREF: MiInitializePageDirectoryPages+88j
		lea	ecx, [ebp+var_3C]
		call	_MiGetNextPageColor@4 ;	MiGetNextPageColor(x)
		mov	edi, eax

loc_78A79B:				; CODE XREF: MiInitializePageDirectoryPages+15361Cj
		push	302h
		mov	edx, edi
		mov	ecx, ebx
		call	MiGetPage
		cmp	eax, 0FFFFFFFFh
		jz	loc_8DDD5B
		mov	edx, [ebp+var_18]
		imul	edi, eax, 1Ch
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		mov	[ebp+var_1C], edi
		call	_MiSetPfnLink@8	; MiSetPfnLink(x,x)
		mov	[ebp+var_18], edi
		sub	esi, 1
		jnz	short loc_78A791
		mov	eax, [ebp+var_20]
		mov	esi, [ebp+var_14]
		mov	eax, [eax+194h]
		mov	ebx, [esi]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ebx
		nop
		mov	edx, [esi+4]
		mov	ecx, esi
		mov	[ebp+var_8], edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_78A805
		push	edx
		push	ebx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_10], ebx

loc_78A805:				; CODE XREF: MiInitializePageDirectoryPages+AEj
		and	ebx, 0FFFFFE19h
		and	edx, 7FFFFFFFh
		mov	[ebp+var_18], ebx
		mov	[ebp+var_4], edx
		nop
		lea	ecx, [ebp+var_30]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_78A82D
		push	edx
		push	ebx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	ebx, eax

loc_78A82D:				; CODE XREF: MiInitializePageDirectoryPages+DCj
		mov	eax, [ebp+var_18]
		mov	ecx, 0C0600000h
		shrd	ebx, edx, 0Ch
		mov	edx, [ebp+var_C]
		add	edx, 18h
		and	ebx, 1FFFFFFh
		sub	esi, edx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_C], edx
		mov	[ebp+var_14], esi
		mov	[edx], eax
		mov	eax, [ebp+var_4]
		mov	[edx+4], eax
		call	_MiGetPdeAddress@4 ; MiGetPdeAddress(x)
		sub	eax, edx
		mov	[ebp+var_2C], eax

loc_78A862:				; CODE XREF: MiInitializePageDirectoryPages+1B8j
		mov	eax, edi
		sub	[ebp+var_C], 8
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		mov	ecx, [ebp+var_1C]
		mov	edi, eax
		call	_MiGetPfnLink@4	; MiGetPfnLink(x)
		and	dword ptr [ecx], 0
		mov	edx, edi
		mov	ebx, [ebp+var_10]
		and	edx, 1FFFFFFh
		mov	esi, [ebp+var_C]
		xor	ecx, ecx
		and	[ebp+var_4], 0FFFFFFE0h
		and	ebx, 0FFFh
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_8]
		shld	ecx, edx, 0Ch
		and	eax, 0FFFFFFE0h
		or	eax, ecx
		shl	edx, 0Ch
		mov	[ebp+var_8], eax
		or	ebx, edx
		mov	eax, [ebp+var_14]
		mov	[ebp+var_10], ebx
		push	200h
		mov	[eax+esi], ebx
		mov	ebx, [ebp+var_8]
		mov	[eax+esi+4], ebx
		mov	eax, [ebp+var_18]
		mov	ebx, [ebp+var_24]
		and	eax, 0FFFh
		or	eax, edx
		mov	edx, [ebp+var_4]
		or	edx, ecx
		mov	[ebp+var_18], eax
		mov	ecx, esi
		mov	[ebp+var_4], edx
		push	ebx
		mov	[ecx+4], edx
		mov	edx, [ebp+var_2C]
		mov	[ecx], eax
		lea	edx, [edx+ecx]
		mov	ecx, edi
		call	MiInitializePfnForOtherProcess
		mov	esi, [ebp+var_1C]
		mov	edi, esi
		mov	[ebp+var_1C], edi
		test	esi, esi
		jnz	loc_78A862
		mov	ebx, [ebp+var_20]
		mov	ecx, [ebx+304h]
		test	ecx, ecx
		jz	short loc_78A943
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	esi, [eax]
		nop
		mov	edx, [eax+4]
		mov	ecx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_78A930
		push	edx
		push	esi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	esi, eax

loc_78A930:				; CODE XREF: MiInitializePageDirectoryPages+1DFj
		shrd	esi, edx, 0Ch
		mov	ecx, ebx
		and	esi, 1FFFFFFh
		mov	edx, esi
		call	_MiPaeInitializeProcessShadow@8	; MiPaeInitializeProcessShadow(x,x)

loc_78A943:				; CODE XREF: MiInitializePageDirectoryPages+1C9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiInitializePageDirectoryPages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlEnumRvaListFirst(x, x, x)
_RtlEnumRvaListFirst@12	proc near	; CODE XREF: MiCopyToCfgBitMap+531p
					; MiUpdateCfgSystemWideBitmapWorker+124p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, edx
		xor	eax, eax
		mov	edi, esi
		stosd
		stosd
		stosd
		mov	eax, [ecx+8]
		mov	edi, [ebp+arg_0]
		mov	eax, [eax]
		mov	[esi], eax
		mov	dword ptr [esi+8], 4
		test	edi, edi
		jz	short loc_78A976
		call	_RtlGetRvaListIteratorState@8 ;	RtlGetRvaListIteratorState(x,x)
		mov	[edi], eax
		mov	eax, [esi]

loc_78A976:				; CODE XREF: RtlEnumRvaListFirst(x,x,x)+23j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_RtlEnumRvaListFirst@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetRvaListIteratorState(x, x)
_RtlGetRvaListIteratorState@8 proc near	; CODE XREF: RtlEnumRvaListFirst(x,x,x)+25p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, [ebx+4]
		mov	[ebp+var_8], edi
		cmp	edi, 1
		jbe	short loc_78A9DC
		mov	eax, [edx+4]
		mov	edx, esi
		mov	ecx, [ebx+14h]
		imul	eax, edi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], eax

loc_78A9A7:				; CODE XREF: RtlGetRvaListIteratorState(x,x)+57j
		mov	edi, [ebp+var_4]
		lea	ecx, [eax+edx]
		mov	eax, ecx
		and	cl, 7
		shr	eax, 3
		mov	al, [eax+edi]
		mov	edi, [ebp+var_8]
		sar	al, cl
		test	al, 1
		jz	short loc_78A9CD
		mov	eax, [ebx+18h]
		test	eax, eax
		jz	short loc_78A9E9
		mov	eax, [eax+edx*4]

loc_78A9CB:				; CODE XREF: RtlGetRvaListIteratorState(x,x)+74j
		or	esi, eax

loc_78A9CD:				; CODE XREF: RtlGetRvaListIteratorState(x,x)+43j
		mov	eax, [ebp+var_C]
		inc	edx
		cmp	edx, edi
		jb	short loc_78A9A7

loc_78A9D5:				; CODE XREF: RtlGetRvaListIteratorState(x,x):loc_78A9DCj
					; RtlGetRvaListIteratorState(x,x)+6Bj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_78A9DC:				; CODE XREF: RtlGetRvaListIteratorState(x,x)+18j
		jnz	short loc_78A9D5
		mov	esi, [ebx+18h]
		test	esi, esi
		jz	short loc_78A9F2
		mov	esi, [esi]
		jmp	short loc_78A9D5
; 

loc_78A9E9:				; CODE XREF: RtlGetRvaListIteratorState(x,x)+4Aj
		xor	eax, eax
		mov	ecx, edx
		inc	eax
		shl	eax, cl
		jmp	short loc_78A9CB
; 

loc_78A9F2:				; CODE XREF: RtlGetRvaListIteratorState(x,x)+67j
		xor	esi, esi
		inc	esi
		jmp	short loc_78A9D5
_RtlGetRvaListIteratorState@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiEliminateZeroPages proc near		; CODE XREF: MiCopyToCfgBitMap+3BFp
					; MiUpdateCfgSystemWideBitmapWorker+26Fp

var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= byte ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1B58
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_20], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_C0], esi
		mov	[ebp+var_DC], esi
		mov	[ebp+var_D0], edi
		push	98h		; size_t
		push	0		; int
		lea	eax, [ebp+var_BC]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	21h
		mov	ecx, esi
		call	_MiTbFlushType@4 ; MiTbFlushType(x)
		mov	edx, eax
		lea	ecx, [ebp+var_BC]
		call	_MiInitializeTbFlushList@12 ; MiInitializeTbFlushList(x,x,x)
		or	[ebp+var_B8], 4
		mov	ecx, edi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	[ebp+var_CC], eax
		mov	ebx, [ebp+arg_0]
		shr	ebx, 0Ch
		mov	[ebp+var_C8], 0

loc_78AAA1:				; CODE XREF: MiEliminateZeroPages+FBj
		mov	[ebp+var_D4], ebx
		test	ebx, ebx
		jz	short loc_78AAFD
		mov	edx, edi
		lea	ecx, [edi+0FFCh]
		mov	[ebp+var_C4], ecx
		mov	[ebp+var_4], 0

loc_78AAC0:				; CODE XREF: MiEliminateZeroPages+DAj
		mov	eax, [ecx]
		or	eax, [edx]
		jnz	short loc_78AADC
		add	edx, 4
		mov	[ebp+var_D8], edx
		sub	ecx, 4
		mov	[ebp+var_C4], ecx
		cmp	edx, ecx
		jbe	short loc_78AAC0

loc_78AADC:				; CODE XREF: MiEliminateZeroPages+C4j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_78AAE3:				; CODE XREF: sub_8DDD6D+30j
		cmp	edx, ecx
		ja	short loc_78AB24

loc_78AAE7:				; CODE XREF: MiEliminateZeroPages+158j
					; MiEliminateZeroPages+167j
		add	[ebp+var_CC], 8
		add	edi, 1000h
		mov	[ebp+var_D0], edi
		dec	ebx
		jmp	short loc_78AAA1
; 

loc_78AAFD:				; CODE XREF: MiEliminateZeroPages+A9j
		cmp	[ebp+var_B0], 0
		jnz	short loc_78AB7D

loc_78AB06:				; CODE XREF: MiEliminateZeroPages+18Aj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_20]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_78AB24:				; CODE XREF: MiEliminateZeroPages+E5j
		mov	ecx, edi
		call	_MiGetPdeAddress@4 ; MiGetPdeAddress(x)
		mov	esi, eax
		cmp	[ebp+var_C8], esi
		jnz	short loc_78AB6C

loc_78AB35:				; CODE XREF: MiEliminateZeroPages+17Bj
		push	0
		push	1
		mov	edx, edi
		lea	ecx, [ebp+var_BC]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	eax, [ebp+var_B0]
		mov	esi, [ebp+var_C0]
		cmp	eax, [ebp+var_B4]
		jnz	short loc_78AAE7
		lea	edx, [ebp+var_BC]
		mov	ecx, esi
		call	_MiConvertAndFlushWsleVas@8 ; MiConvertAndFlushWsleVas(x,x)
		jmp	loc_78AAE7
; 

loc_78AB6C:				; CODE XREF: MiEliminateZeroPages+133j
		cmp	[ebp+var_B0], 0
		jnz	short loc_78AB8F

loc_78AB75:				; CODE XREF: MiEliminateZeroPages+1A0j
		mov	[ebp+var_C8], esi
		jmp	short loc_78AB35
; 

loc_78AB7D:				; CODE XREF: MiEliminateZeroPages+104j
		lea	edx, [ebp+var_BC]
		mov	ecx, esi
		call	_MiConvertAndFlushWsleVas@8 ; MiConvertAndFlushWsleVas(x,x)
		jmp	loc_78AB06
; 

loc_78AB8F:				; CODE XREF: MiEliminateZeroPages+173j
		lea	edx, [ebp+var_BC]
		mov	ecx, [ebp+var_C0]
		call	_MiConvertAndFlushWsleVas@8 ; MiConvertAndFlushWsleVas(x,x)
		jmp	short loc_78AB75
MiEliminateZeroPages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateCfgSystemWideBitmap(x, x, x)
_MiUpdateCfgSystemWideBitmap@12	proc near ; CODE XREF: MiRelocateImageAgain+C7p
					; MiRelocateImage+2B7p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ecx]
		or	ebx, 0FFFFFFFFh
		push	edi
		mov	edi, edx
		cmp	[ecx+30h], ebx
		jz	short loc_78AC05
		test	dword ptr [ecx+1Ch], 10000000h
		jnz	short loc_78AC05
		shr	edi, 4
		add	esi, 10h
		add	edi, edi
		mov	eax, ebx
		mov	edx, ebx
		nop
		or	ecx, ebx
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, eax
		shr	ebx, 4
		add	ebx, ebx
		xor	esi, esi

loc_78ABDD:				; CODE XREF: MiUpdateCfgSystemWideBitmap(x,x,x)+5Aj
		mov	ecx, dword_6CF4F8
		mov	edx, [ebp+arg_0]
		push	ecx
		push	ebx
		push	edi
		call	MiUpdateCfgSystemWideBitmapWorker
		test	eax, eax
		js	short loc_78ABFE
		inc	esi
		cmp	[ebp+arg_0], 0
		jz	short loc_78ABFE
		cmp	esi, 1
		jl	short loc_78ABDD

loc_78ABFE:				; CODE XREF: MiUpdateCfgSystemWideBitmap(x,x,x)+4Ej
					; MiUpdateCfgSystemWideBitmap(x,x,x)+55j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_78AC05:				; CODE XREF: MiUpdateCfgSystemWideBitmap(x,x,x)+14j
					; MiUpdateCfgSystemWideBitmap(x,x,x)+1Dj
		xor	eax, eax
		jmp	short loc_78ABFE
_MiUpdateCfgSystemWideBitmap@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiChargeSegmentCommit proc near		; CODE XREF: MiCommitPagefileBackedSection+7Dp
					; MiUpdateCfgSystemWideBitmapWorker+E0p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DDDA2 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	eax, [ecx]
		mov	[ebp+var_28], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		mov	ebx, [eax]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_2C], eax
		mov	[ebp+var_8], ebx
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	[ebp+var_1C], eax
		mov	esi, edx
		mov	edx, [ecx+1Ch]
		lea	eax, [ecx+1Ch]
		add	ecx, 4
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], ecx
		mov	ecx, [ecx]
		dec	word ptr [edi+13Eh]
		lea	eax, [ecx+edx*8]
		mov	[ebp+var_14], eax
		nop
		lea	ecx, [ebx+1Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		xor	ebx, ebx
		mov	[ebp+var_4], ebx

loc_78AC70:				; CODE XREF: MiChargeSegmentCommit+8Cj
					; MiChargeSegmentCommit+A3j
		mov	edi, [esi]
		nop
		mov	edx, [esi+4]
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_78AC8A
		push	edx
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	edi, eax

loc_78AC8A:				; CODE XREF: MiChargeSegmentCommit+6Fj
		or	edi, edx
		jz	short loc_78ACF0

loc_78AC8E:				; CODE XREF: MiChargeSegmentCommit+E3j
		mov	edi, [ebp+arg_0]
		inc	ebx
		add	esi, 8
		cmp	ebx, edi
		jz	short loc_78ACB5
		cmp	esi, [ebp+var_14]
		jnz	short loc_78AC70
		mov	eax, [ebp+var_10]
		mov	eax, [eax+8]
		mov	[ebp+var_10], eax
		mov	esi, [eax+4]
		mov	eax, [eax+1Ch]
		lea	eax, [esi+eax*8]
		mov	[ebp+var_14], eax
		jmp	short loc_78AC70
; 

loc_78ACB5:				; CODE XREF: MiChargeSegmentCommit+87j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	short loc_78ACF5
		mov	esi, [ebp+var_8]
		or	eax, 0FFFFFFFFh
		add	esi, 1Ch
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_78ADA9

loc_78ACD3:				; CODE XREF: MiChargeSegmentCommit+193j
					; MiChargeSegmentCommit+1A0j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, 1

loc_78ACE7:				; CODE XREF: MiChargeSegmentCommit+1531BDj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_78ACF0:				; CODE XREF: MiChargeSegmentCommit+7Cj
		inc	[ebp+var_4]
		jmp	short loc_78AC8E
; 

loc_78ACF5:				; CODE XREF: MiChargeSegmentCommit+AAj
		mov	ecx, [ebp+var_1C]
		mov	edx, eax
		push	0
		call	MiChargeCommit
		test	eax, eax
		jz	loc_8DDDA2
		mov	eax, [ebp+var_8]
		movzx	ecx, byte ptr [eax+0Ah]
		shr	ecx, 1
		and	ecx, 1Fh
		call	_MiMakeDemandZeroPte@4 ; MiMakeDemandZeroPte(x)
		mov	ecx, [ebp+var_24]
		xor	ebx, ebx
		mov	[ebp+var_14], edx
		mov	edx, [ebp+var_20]
		mov	[ebp+var_1C], eax
		mov	ecx, [ecx]
		mov	edx, [edx]
		lea	eax, [ecx+edx*8]
		mov	ecx, [ebp+var_28]

loc_78AD32:				; CODE XREF: MiChargeSegmentCommit+160j
		mov	[ebp+arg_0], eax

loc_78AD35:				; CODE XREF: MiChargeSegmentCommit+14Cj
		mov	esi, [ecx]
		nop
		mov	edx, [ecx+4]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_78AD4D
		push	edx
		push	esi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	esi, eax

loc_78AD4D:				; CODE XREF: MiChargeSegmentCommit+132j
		or	esi, edx
		jz	short loc_78AD72

loc_78AD51:				; CODE XREF: MiChargeSegmentCommit+16Dj
		inc	ebx
		add	ecx, 8
		cmp	ebx, edi
		jz	short loc_78AD7F
		cmp	ecx, [ebp+arg_0]
		jnz	short loc_78AD35
		mov	eax, [ebp+var_18]
		mov	eax, [eax+8]
		mov	[ebp+var_18], eax
		mov	ecx, [eax+4]
		mov	eax, [eax+1Ch]
		lea	eax, [ecx+eax*8]
		jmp	short loc_78AD32
; 

loc_78AD72:				; CODE XREF: MiChargeSegmentCommit+13Fj
		mov	eax, [ebp+var_1C]
		mov	[ecx], eax
		mov	eax, [ebp+var_14]
		mov	[ecx+4], eax
		jmp	short loc_78AD51
; 

loc_78AD7F:				; CODE XREF: MiChargeSegmentCommit+147j
		mov	ecx, [ebp+var_2C]
		mov	edx, [ebp+var_4]
		call	_MiUpdateProcessSharedCommit@8 ; MiUpdateProcessSharedCommit(x,x)
		mov	ecx, [ebp+var_2C]
		call	_MiUpdateControlAreaCommitCount@8 ; MiUpdateControlAreaCommitCount(x,x)
		mov	esi, [ebp+var_8]
		or	eax, 0FFFFFFFFh
		add	esi, 1Ch
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	loc_78ACD3

loc_78ADA9:				; CODE XREF: MiChargeSegmentCommit+BDj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_78ACD3
MiChargeSegmentCommit endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUpdateCfgSystemWideBitmapWorker proc near
					; CODE XREF: MiUpdateCfgSystemWideBitmap(x,x,x)+47p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DDDD2 SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_34], edx
		lea	edi, [ebp+var_14]
		mov	[ebp+var_24], ecx
		stosd
		xor	ebx, ebx
		mov	[ebp+var_28], 0
		mov	[ebp+var_30], 0
		mov	[ebp+var_20], ebx
		stosd
		stosd
		test	edx, edx
		jz	short loc_78AE00
		mov	ebx, [edx+0Ch]
		mov	[ebp+var_20], ebx

loc_78AE00:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+38j
		mov	esi, [ebp+arg_0]
		mov	edi, [ebp+arg_4]
		mov	edx, edi
		shr	edx, 3
		shr	esi, 3
		mov	ecx, edx
		mov	eax, esi
		mov	[ebp+var_18], edx
		and	eax, 0FFFh
		shr	edx, 0Ch
		add	eax, 0FFFh
		mov	[ebp+var_54], esi
		and	ecx, 0FFFh
		mov	[ebp+var_50], 0
		add	eax, ecx
		mov	ecx, [ebp+var_24]
		shr	eax, 0Ch
		add	eax, edx
		mov	edx, offset unk_6CF5A4
		push	0
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_54]
		push	0
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	MiMapViewInSystemSpace
		test	eax, eax
		js	loc_78B040
		mov	eax, [ebp+var_18]
		movzx	ecx, si
		sub	eax, ecx
		or	ecx, [ebp+var_28]
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+var_24]
		mov	[ebp+var_2C], eax
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		shr	esi, 0Ch
		lea	edx, [ebp+var_44]
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], 0
		lea	ecx, [eax+50h]
		call	_MiLocatePagefileSubsection@8 ;	MiLocatePagefileSubsection(x,x)
		mov	ecx, [ebp+var_44]
		push	[ebp+var_38]
		mov	edx, [eax+4]
		lea	edx, [edx+ecx*8]
		mov	ecx, eax
		call	MiChargeSegmentCommit
		test	eax, eax
		jz	loc_8DDDD2
		mov	eax, [ebp+var_34]
		test	eax, eax
		jz	loc_78B053
		test	byte ptr [eax],	1
		jz	loc_78B053
		test	ebx, ebx
		jz	loc_78B053
		mov	esi, [ebp+var_1C]
		lea	eax, [ebp+var_4C]
		push	eax
		mov	[ebp+var_48], esi
		mov	[ebp+var_4C], edi
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		lea	eax, [ebp+var_30]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_14]
		call	_RtlEnumRvaListFirst@12	; RtlEnumRvaListFirst(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_78B014
		mov	eax, [ebp+var_30]

loc_78AEF6:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+211j
		test	al, 1
		jz	short loc_78AF2A
		mov	ecx, [ebp+var_34]
		mov	edx, edi
		and	edi, 0Fh
		shr	edx, 4
		cmp	edi, [ecx+4]
		jnz	loc_78AFFD
		add	edx, edx
		test	al, 4
		jnz	loc_78AFF7

loc_78AF18:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+238j
		mov	ecx, edx
		and	edx, 7
		shr	ecx, 3
		movsx	eax, byte ptr [ecx+esi]
		bts	eax, edx
		mov	[ecx+esi], al

loc_78AF2A:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+138j
					; MiUpdateCfgSystemWideBitmapWorker+24Cj
		inc	[ebp+var_10]
		mov	eax, [ebx+8]
		mov	esi, [ebx+0Ch]
		add	eax, [ebp+var_C]
		mov	edi, [ebp+var_14]
		sub	esi, [ebp+var_C]
		jz	loc_78B011

loc_78AF42:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+21Bj
		mov	cl, [eax]
		dec	esi
		movzx	edx, cl
		inc	eax
		mov	ecx, edx
		and	edx, 3Fh
		shr	ecx, 6
		imul	edx, ds:_RtlpRvaCompressionTableScales[ecx*4]
		add	edi, edx
		mov	[ebp+var_2C], edi
		cmp	ecx, 3
		jnz	short loc_78AFD9
		mov	[ebp+var_14], edi
		sub	eax, [ebx+8]
		mov	[ebp+var_C], eax
		xor	eax, eax
		mov	ecx, [ebx+4]
		mov	[ebp+var_18], eax
		mov	[ebp+var_40], ecx
		cmp	ecx, 1
		jbe	short loc_78AFE6
		mov	eax, [ebp+var_20]
		mov	edx, ecx
		imul	edx, [ebp+var_10]
		xor	ebx, ebx
		mov	eax, [eax+14h]
		mov	[ebp+var_24], eax
		lea	esi, [ebx+1]

loc_78AF90:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+201j
		mov	edi, [ebp+var_24]
		mov	eax, edx
		shr	eax, 3
		mov	cl, dl
		and	cl, 7
		mov	al, [eax+edi]
		sar	al, cl
		test	al, 1
		jz	short loc_78AFBA
		mov	eax, [ebp+var_20]
		mov	eax, [eax+18h]
		test	eax, eax
		jz	loc_8DDDDC
		mov	eax, [eax+ebx*4]

loc_78AFB7:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+15301Ej
		or	[ebp+var_18], eax

loc_78AFBA:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+1E4j
		inc	ebx
		rol	esi, 1
		inc	edx
		cmp	ebx, [ebp+var_40]
		jb	short loc_78AF90
		mov	edi, [ebp+var_2C]
		mov	eax, [ebp+var_18]
		mov	ebx, [ebp+var_20]

loc_78AFCC:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker:loc_78AFE6j
					; MiUpdateCfgSystemWideBitmapWorker+235j ...
		mov	esi, [ebp+var_1C]
		test	edi, edi
		jnz	loc_78AEF6
		jmp	short loc_78B014
; 

loc_78AFD9:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+1A1j
		test	esi, esi
		jnz	loc_78AF42
		jmp	loc_8DDDED
; 

loc_78AFE6:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+1BAj
		jnz	short loc_78AFCC
		mov	eax, [ebx+18h]
		test	eax, eax
		jz	loc_8DDDE3
		mov	eax, [eax]
		jmp	short loc_78AFCC
; 

loc_78AFF7:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+152j
		inc	edx
		jmp	loc_78AF18
; 

loc_78AFFD:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+148j
		push	2
		lea	eax, [edx+edx]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		jmp	loc_78AF2A
; 

loc_78B011:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+17Cj
		mov	esi, [ebp+var_1C]

loc_78B014:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+12Dj
					; MiUpdateCfgSystemWideBitmapWorker+217j
		mov	eax, [ebp+var_38]
		mov	ecx, 1
		shl	eax, 0Ch
		and	esi, 0FFFFF000h
		push	eax
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	edx, esi
		mov	ecx, eax
		call	MiEliminateZeroPages

loc_78B034:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+2A6j
		xor	esi, esi

loc_78B036:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+153017j
		push	[ebp+var_28]
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		mov	eax, esi

loc_78B040:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+9Bj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_78B053:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+F2j
					; MiUpdateCfgSystemWideBitmapWorker+FBj ...
		push	[ebp+var_2C]	; size_t
		push	0FFh		; int
		push	[ebp+var_1C]	; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_78B034
MiUpdateCfgSystemWideBitmapWorker endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1485. MmUnmapViewInSystemSpace

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmUnmapViewInSystemSpace(x)
		public _MmUnmapViewInSystemSpace@4
_MmUnmapViewInSystemSpace@4 proc near	; CODE XREF: LdrUnloadAlternateResourceModuleEx+8D0D5p
					; LdrLoadAlternateResourceModuleEx+B23EDp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, edx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jz	short loc_78B0A0
		mov	ecx, edx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	short loc_78B0A0
		mov	ecx, offset unk_6CF5A4

loc_78B093:				; CODE XREF: MmUnmapViewInSystemSpace(x)+53j
		push	1
		call	MiRemoveFromSystemSpace
		xor	eax, eax

loc_78B09C:				; CODE XREF: MmUnmapViewInSystemSpace(x)+5Aj
		pop	ebp
		retn	4
; 

loc_78B0A0:				; CODE XREF: MmUnmapViewInSystemSpace(x)+12j
					; MmUnmapViewInSystemSpace(x)+1Ej
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		test	dword ptr [ecx+0FCh], 10000h
		jz	short loc_78B0C3
		mov	ecx, [ecx+180h]
		add	ecx, 70h
		jmp	short loc_78B093
; 

loc_78B0C3:				; CODE XREF: MmUnmapViewInSystemSpace(x)+48j
		mov	eax, 0C0000019h
		jmp	short loc_78B09C
_MmUnmapViewInSystemSpace@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapViewInSystemSpace proc near	; CODE XREF: AlpcpCreateView(x,x,x)+13Ep
					; MiMapImageInSystemSpace+ECp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008DDE0A SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		test	[ebp+arg_C], 0FFFFFFFEh
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	esi, ecx
		jnz	loc_8DDE00
		xor	eax, eax
		mov	[ebp+var_4], eax
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	MiCheckPurgeAndUpMapCount
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		mov	ecx, [ebp+arg_8]
		mov	ebx, [edi]
		test	ebx, ebx
		jz	short loc_78B187
		mov	edx, [ecx]
		and	edx, 0FFFFh
		mov	[ebp+arg_8], ebx
		add	[ebp+arg_8], edx
		adc	eax, eax
		test	eax, eax
		ja	short loc_78B128
		jb	loc_78B1A6
		cmp	[ebp+arg_8], edx
		jb	short loc_78B1A6

loc_78B128:				; CODE XREF: MiMapViewInSystemSpace+51j
		lea	eax, [edx+ebx]
		mov	[edi], eax
		xor	eax, eax
		mov	[ecx], ax
		mov	eax, [esi+18h]
		sub	eax, [ecx]
		mov	ebx, [esi+1Ch]
		sbb	ebx, [ecx+4]
		cmp	ebx, 1
		jb	short loc_78B14A
		ja	short loc_78B1A6
		xor	edx, edx
		cmp	eax, edx
		jnb	short loc_78B1A6

loc_78B14A:				; CODE XREF: MiMapViewInSystemSpace+76j
		mov	edx, [edi]
		xor	edi, edi
		cmp	edi, ebx
		jb	short loc_78B158
		ja	short loc_78B1A6
		cmp	edx, eax
		ja	short loc_78B1A6

loc_78B158:				; CODE XREF: MiMapViewInSystemSpace+86j
					; MiMapViewInSystemSpace+DAj
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ecx
		mov	ecx, [ebp+var_8]
		push	esi
		call	MiInsertInSystemSpace
		mov	esi, eax
		test	esi, esi
		js	loc_8DDE0A
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		xor	eax, eax

loc_78B180:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+153045j
					; MiMapViewInSystemSpace+152D4Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_78B187:				; CODE XREF: MiMapViewInSystemSpace+3Dj
		mov	[ecx], ax
		mov	edx, [esi+18h]
		sub	edx, [ecx]
		mov	eax, [esi+1Ch]
		sbb	eax, [ecx+4]
		cmp	eax, 1
		jb	short loc_78B1A2
		ja	short loc_78B1A6
		xor	eax, eax
		cmp	edx, eax
		jnb	short loc_78B1A6

loc_78B1A2:				; CODE XREF: MiMapViewInSystemSpace+CEj
		mov	[edi], edx
		jmp	short loc_78B158
; 

loc_78B1A6:				; CODE XREF: MiMapViewInSystemSpace+53j
					; MiMapViewInSystemSpace+5Cj ...
		mov	esi, 0C000001Fh
		jmp	loc_8DDE0A
MiMapViewInSystemSpace endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPfAllocateMdls proc near		; CODE XREF: MiPfPrepareReadList+5C6p
					; MiPfPrepareSequentialReadList+376p

var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DDE19 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, [ecx+28h]
		push	ebx
		mov	ebx, [ecx+4]
		mov	[ebp+var_40], eax
		mov	eax, [ecx+2Ch]
		push	esi
		mov	esi, [ecx+38h]
		mov	[ebp+var_38], edx
		mov	edx, [ecx+8]
		mov	[ebp+var_44], eax
		mov	eax, [ecx+34h]
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_4], edx
		push	edi
		test	edx, edx
		jz	loc_78B41C

loc_78B1EA:				; CODE XREF: MiPfAllocateMdls+272j
		add	eax, 14h
		xor	ebx, ebx
		xor	edx, edx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_30], ebx
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], edx
		cmp	esi, eax
		jnb	loc_78B3E0
		lea	edi, [esi+4]
		mov	[ebp+var_C], edi

loc_78B214:				; CODE XREF: MiPfAllocateMdls+AEj
		mov	eax, [esi]
		test	al, 2
		jnz	short loc_78B260

loc_78B21A:				; CODE XREF: MiPfAllocateMdls+BBj
		test	al, 1
		jnz	short loc_78B277
		and	eax, 0FFFFFFFCh
		test	ebx, ebx
		jz	short loc_78B272
		mov	ecx, eax
		sub	ecx, edx
		sar	ecx, 3
		cmp	ecx, dword_6D3488
		jg	loc_78B476

loc_78B238:				; CODE XREF: MiPfAllocateMdls+C5j
		mov	[ebp+var_28], eax
		mov	ebx, esi
		mov	eax, [ebp+var_24]
		mov	[ebp+var_20], ebx
		cmp	edi, eax
		jz	short loc_78B2AA

loc_78B247:				; CODE XREF: MiPfAllocateMdls+22Bj
		add	esi, 4
		add	edi, 4
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], edi
		cmp	esi, eax
		jnb	loc_78B3E0
		mov	edx, [ebp+var_28]
		jmp	short loc_78B214
; 

loc_78B260:				; CODE XREF: MiPfAllocateMdls+68j
		test	ebx, ebx
		jnz	loc_78B48F
		cmp	eax, 4
		jnb	short loc_78B21A
		jmp	loc_78B3D8
; 

loc_78B272:				; CODE XREF: MiPfAllocateMdls+73j
		mov	[ebp+var_1C], esi
		jmp	short loc_78B238
; 

loc_78B277:				; CODE XREF: MiPfAllocateMdls+6Cj
		cmp	eax, 4
		jb	short loc_78B2A2
		and	eax, 0FFFFFFFCh
		test	ebx, ebx
		jz	loc_78B487
		mov	ecx, eax
		sub	ecx, edx
		sar	ecx, 3
		cmp	ecx, dword_6D3488
		jg	loc_78B4DA

loc_78B29A:				; CODE XREF: MiPfAllocateMdls+2DAj
		mov	ebx, esi
		mov	[ebp+var_28], eax
		mov	[ebp+var_20], ebx

loc_78B2A2:				; CODE XREF: MiPfAllocateMdls+CAj
		test	ebx, ebx
		jz	loc_78B3D8

loc_78B2AA:				; CODE XREF: MiPfAllocateMdls+95j
					; MiPfAllocateMdls+2D2j ...
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax]
		mov	eax, [ebx]
		and	ecx, 0FFFFFFFCh
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], eax
		sub	eax, ecx
		sar	eax, 3
		xor	ecx, ecx
		inc	eax
		mov	[ebp+var_18], eax
		call	_MiGetInPageSupportBlock@4 ; MiGetInPageSupportBlock(x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_8DDE34
		push	[ebp+var_40]
		mov	edx, [ebp+var_44]
		mov	ecx, eax
		mov	dword ptr [eax+94h], 0
		call	_MiSetInPagePriority@12	; MiSetInPagePriority(x,x,x)
		mov	edx, [ebp+var_18]
		shl	edx, 0Ch
		cmp	[ebp+var_18], 10h
		ja	loc_78B427
		mov	ecx, [ebp+var_10]
		mov	eax, edx
		add	ecx, 0A8h
		shr	eax, 0Ch
		mov	[ebp+var_18], ecx
		lea	eax, ds:1Ch[eax*4]
		mov	dword ptr [ecx], 0
		mov	[ecx+4], ax
		xor	eax, eax
		mov	[ecx+6], ax
		mov	[ecx+10h], eax
		mov	[ecx+18h], eax
		mov	[ecx+14h], edx

loc_78B330:				; CODE XREF: MiPfAllocateMdls+286j
		mov	edx, [ebp+var_2C]
		mov	esi, [ebp+var_3C]
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+var_34]
		lea	esp, [esp+0]

loc_78B340:				; CODE XREF: MiPfAllocateMdls+267j
					; MiPfAllocateMdls+310j ...
		mov	ecx, [edi+4]
		cmp	edx, ecx
		jb	loc_78B3EB
		mov	eax, [edi+1Ch]
		lea	eax, [ecx+eax*8]
		cmp	edx, eax
		jnb	loc_78B3EB

loc_78B359:				; CODE XREF: MiPfAllocateMdls+395j
					; MiPfAllocateMdls+3B3j
		push	[ebp+var_38]
		mov	ecx, edi
		mov	[ebp+var_4], edi
		call	MiStartingOffset
		mov	ebx, [ebp+var_20]
		mov	ecx, eax
		mov	eax, [ebp+var_10]
		mov	esi, [ebp+var_8]
		mov	edi, [ebp+var_C]
		mov	[ebp+var_2C], ecx
		mov	[eax+38h], ecx
		mov	[eax+3Ch], edx
		test	byte ptr [ebx],	1
		jnz	loc_78B441

loc_78B386:				; CODE XREF: MiPfAllocateMdls+298j
		mov	ecx, [ebp+var_18]

loc_78B389:				; CODE XREF: MiPfAllocateMdls+2C1j
		mov	edx, [ebp+var_1C]
		mov	[eax+90h], edx
		mov	edx, [ebp+var_34]
		mov	[eax+80h], edx
		mov	edx, [ebp+arg_0]
		mov	[eax+7Ch], ebx
		mov	[eax+88h], edx
		test	edx, edx
		jnz	loc_8DDE19

loc_78B3AF:				; CODE XREF: MiPfAllocateMdls+152C70j
		mov	ebx, [ebp+var_3C]
		mov	[eax+98h], ecx
		lea	ecx, [ebx+48h]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_8DDE25
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		inc	dword ptr [ebx+40h]
		xor	ebx, ebx
		mov	[ebp+var_20], ebx

loc_78B3D8:				; CODE XREF: MiPfAllocateMdls+BDj
					; MiPfAllocateMdls+F4j
		mov	eax, [ebp+var_24]
		jmp	loc_78B247
; 

loc_78B3E0:				; CODE XREF: MiPfAllocateMdls+58j
					; MiPfAllocateMdls+A5j
		xor	eax, eax

loc_78B3E2:				; CODE XREF: MiPfAllocateMdls+152C89j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_78B3EB:				; CODE XREF: MiPfAllocateMdls+195j
					; MiPfAllocateMdls+1A3j
		test	byte ptr [edi+12h], 2
		jnz	loc_78B4FF

loc_78B3F5:				; CODE XREF: MiPfAllocateMdls+356j
					; MiPfAllocateMdls+360j ...
		test	byte ptr [ebx+1Ch], 20h
		jz	short loc_78B40A
		mov	ecx, edi
		call	_MiGetSubsectionDriverProtos@4 ; MiGetSubsectionDriverProtos(x)
		test	eax, eax
		jnz	loc_78B54A

loc_78B40A:				; CODE XREF: MiPfAllocateMdls+249j
					; MiPfAllocateMdls+39Fj ...
		cmp	dword ptr [esi+8], 0
		jnz	loc_78B4A9
		mov	edi, [edi+8]
		jmp	loc_78B340
; 

loc_78B41C:				; CODE XREF: MiPfAllocateMdls+34j
		lea	edx, [ebx+50h]
		mov	[ebp+var_4], edx
		jmp	loc_78B1EA
; 

loc_78B427:				; CODE XREF: MiPfAllocateMdls+149j
		push	edx
		push	0
		push	0
		call	_MmCreateMdl@12	; MmCreateMdl(x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jnz	loc_78B330
		jmp	loc_8DDE2C
; 

loc_78B441:				; CODE XREF: MiPfAllocateMdls+1D0j
		mov	ecx, [ebp+var_34]
		test	byte ptr [ecx+1Ch], 20h
		jz	loc_78B386
		mov	ecx, [ebp+var_4]
		call	MiEndingOffsetWithLock
		mov	ecx, [ebp+var_18]
		sub	eax, [ebp+var_2C]
		cmp	eax, [ecx+14h]
		ja	short loc_78B46E
		add	eax, 1FFh
		and	eax, 0FFFFFE00h
		mov	[ecx+14h], eax

loc_78B46E:				; CODE XREF: MiPfAllocateMdls+2AFj
		mov	eax, [ebp+var_10]
		jmp	loc_78B389
; 

loc_78B476:				; CODE XREF: MiPfAllocateMdls+82j
		sub	esi, 4
		sub	edi, 4
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], edi
		jmp	loc_78B2AA
; 

loc_78B487:				; CODE XREF: MiPfAllocateMdls+D1j
		mov	[ebp+var_1C], esi
		jmp	loc_78B29A
; 

loc_78B48F:				; CODE XREF: MiPfAllocateMdls+B2j
		cmp	eax, 4
		jb	loc_78B2AA
		sub	esi, 4
		sub	edi, 4
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], edi
		jmp	loc_78B2AA
; 

loc_78B4A9:				; CODE XREF: MiPfAllocateMdls+25Ej
		mov	ecx, [ebp+var_30]
		test	ecx, ecx
		jz	short loc_78B4C5
		mov	eax, [ebp+var_14]
		cmp	eax, [ecx+8]
		jnb	short loc_78B4EB
		mov	edi, [ecx+eax*4+0Ch]
		inc	eax
		mov	[ebp+var_14], eax
		jmp	loc_78B340
; 

loc_78B4C5:				; CODE XREF: MiPfAllocateMdls+2FEj
		mov	edi, [esi+0Ch]
		mov	[ebp+var_30], edi
		mov	[ebp+var_14], 1
		mov	edi, [edi+0Ch]
		jmp	loc_78B340
; 

loc_78B4DA:				; CODE XREF: MiPfAllocateMdls+E4j
		sub	esi, 4
		sub	edi, 4
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], edi
		jmp	loc_78B2AA
; 

loc_78B4EB:				; CODE XREF: MiPfAllocateMdls+306j
		mov	ecx, [ecx]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_14], 1
		mov	edi, [ecx+0Ch]
		jmp	loc_78B340
; 

loc_78B4FF:				; CODE XREF: MiPfAllocateMdls+23Fj
		test	dword ptr [ebx+1Ch], 4000000h
		jz	loc_78B3F5
		cmp	dword ptr [edi+0Ch], 0
		jz	loc_78B3F5
		mov	edx, [ebp+var_38]
		mov	ecx, ebx
		push	edi
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		mov	edx, [ebp+var_2C]
		test	eax, eax
		jz	loc_78B3F5
		mov	ecx, [eax+24h]
		cmp	edx, ecx
		jb	loc_78B3F5
		mov	eax, [edi+1Ch]
		lea	eax, [ecx+eax*8]
		cmp	edx, eax
		jnb	loc_78B3F5
		jmp	loc_78B359
; 

loc_78B54A:				; CODE XREF: MiPfAllocateMdls+254j
		mov	ecx, [eax+24h]
		cmp	edx, ecx
		jb	loc_78B40A
		mov	eax, [edi+1Ch]
		lea	eax, [ecx+eax*8]
		cmp	edx, eax
		jnb	loc_78B40A
		jmp	loc_78B359
MiPfAllocateMdls endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAddMappedPtes	proc near		; CODE XREF: MiInsertInSystemSpace+4B8p
					; MiMapSystemImage+5Bp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DDE3E SIZE 000000F3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		test	byte ptr ds:_MiFlags+2,	1
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, ecx
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 0
		jnz	loc_8DDE3E

loc_78B59B:				; CODE XREF: MiAddMappedPtes+1528D8j
					; MiAddMappedPtes+1528E8j
		mov	[ebp+arg_C], 0

loc_78B5A2:				; CODE XREF: MiAddMappedPtes+1528E2j
		mov	ecx, [ebp+arg_4]
		lea	eax, [esi+edx*8]
		mov	[ebp+var_4], eax
		lea	edx, [ebp+var_20]
		mov	[ebp+var_C], 0
		mov	[ebp+var_10], 0
		mov	eax, [ecx+4]
		push	eax
		mov	eax, [ecx]
		mov	ecx, edi
		push	eax
		mov	[ebp+var_8], 0
		call	MiOffsetToProtos
		mov	ebx, eax
		mov	[ebp+arg_4], ebx
		test	ebx, ebx
		jz	loc_8DDE5D
		test	byte ptr [ebx+12h], 2
		jnz	loc_8DDE67

loc_78B5E8:				; CODE XREF: MiAddMappedPtes+152904j
		test	byte ptr [edi+1Ch], 20h
		jnz	loc_78B6A0

loc_78B5F2:				; CODE XREF: MiAddMappedPtes+139j
		mov	ecx, [ebx+4]
		mov	eax, [ebp+var_20]
		lea	edi, [ecx+eax*8]
		mov	eax, [ebx+1Ch]
		xor	ebx, ebx
		lea	eax, [ecx+eax*8]
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_14], eax

loc_78B609:				; CODE XREF: MiAddMappedPtes+C6j
		cmp	esi, ecx
		jnb	loc_78B695
		cmp	edi, eax
		jnb	short loc_78B638

loc_78B615:				; CODE XREF: MiAddMappedPtes+15296Cj
		test	ebx, ebx
		jnz	loc_8DDEE1

loc_78B61D:				; CODE XREF: MiAddMappedPtes+11Ej
					; MiAddMappedPtes+152915j ...
		mov	ecx, edi
		call	_MiMakePrototypePteDirect@4 ; MiMakePrototypePteDirect(x)
		mov	ecx, [ebp+var_4]

loc_78B627:				; CODE XREF: MiAddMappedPtes+152981j
		mov	[esi], eax
		nop
		mov	eax, [ebp+var_14]
		mov	[esi+4], edx
		add	esi, 8
		add	edi, 8
		jmp	short loc_78B609
; 

loc_78B638:				; CODE XREF: MiAddMappedPtes+A3j
		mov	ebx, [ebp+arg_4]
		mov	ebx, [ebx+8]
		mov	[ebp+arg_4], ebx
		test	ebx, ebx
		jz	loc_8DDEF6
		mov	eax, [ebp+arg_0]
		mov	edi, [ebx+4]
		mov	edx, [eax+1Ch]
		bt	edx, 1Ah
		mov	ax, [ebx+12h]
		mov	ebx, 1
		setb	cl
		bt	ax, bx
		mov	ebx, [ebp+arg_4]
		setb	al
		test	cl, al
		jnz	short loc_78B6B1
		test	dl, 20h
		jz	short loc_78B680
		mov	ecx, ebx
		call	_MiGetSubsectionDriverProtos@4 ; MiGetSubsectionDriverProtos(x)
		test	eax, eax
		jnz	short loc_78B6BF

loc_78B680:				; CODE XREF: MiAddMappedPtes+103j
					; MiAddMappedPtes+152j
		mov	eax, [ebx+1Ch]
		xor	ebx, ebx
		lea	edx, [edi+eax*8]
		mov	[ebp+var_14], edx
		cmp	[ebp+arg_C], ebx
		jz	short loc_78B61D
		jmp	loc_8DDE79
; 

loc_78B695:				; CODE XREF: MiAddMappedPtes+9Bj
					; MiAddMappedPtes+152996j ...
		xor	eax, eax

loc_78B697:				; CODE XREF: MiAddMappedPtes+1528F2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_78B6A0:				; CODE XREF: MiAddMappedPtes+7Cj
		mov	ecx, ebx
		call	_MiGetSubsectionDriverProtos@4 ; MiGetSubsectionDriverProtos(x)
		test	eax, eax
		jz	loc_78B5F2
		jmp	short loc_78B6BF
; 

loc_78B6B1:				; CODE XREF: MiAddMappedPtes+FEj
		mov	edi, [ebp+arg_0]

loc_78B6B4:				; CODE XREF: MiAddMappedPtes+1528FEj
		mov	edx, [ebp+arg_8]
		mov	ecx, edi
		push	ebx
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)

loc_78B6BF:				; CODE XREF: MiAddMappedPtes+10Ej
					; MiAddMappedPtes+13Fj
		mov	edi, [eax+24h]
		jmp	short loc_78B680
MiAddMappedPtes	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnlockVadRange(x,	x, x, x)
_MiUnlockVadRange@16 proc near		; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+4A7p
					; NtUnlockVirtualMemory(x,x,x,x)+67Bp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], ebx
		push	esi
		mov	esi, large fs:124h
		mov	[ebp+var_4], esi
		cmp	edx, 0FFFFFFFFh
		jz	loc_78B76D
		mov	ecx, edx
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	edx, eax

loc_78B6EE:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+BBj
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_78B757

loc_78B6F6:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+7Fj
		mov	esi, [edx+4]
		mov	ecx, edx
		test	esi, esi
		jnz	short loc_78B712
		mov	esi, [edx+8]

loc_78B702:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+4Cj
		and	esi, 0FFFFFFFCh
		jz	short loc_78B722
		cmp	[esi], ecx
		jz	short loc_78B722
		mov	ecx, esi
		mov	esi, [esi+8]
		jmp	short loc_78B702
; 

loc_78B712:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+39j
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_78B722

loc_78B718:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+5Cj
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_78B718

loc_78B722:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+41j
					; MiUnlockVadRange(x,x,x,x)+45j ...
		cmp	edi, 1
		jz	short loc_78B74A
		lea	ebx, [edx+18h]
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_78B784

loc_78B737:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+C7j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	edx, esi
		sub	edi, 1
		jnz	short loc_78B6F6
		mov	esi, [ebp+var_4]
		jmp	short loc_78B754
; 

loc_78B74A:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+61j
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	MiUnlockVad

loc_78B754:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+84j
		mov	ebx, [ebp+var_8]

loc_78B757:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+30j
		cmp	[ebp+arg_4], 0
		mov	edx, ebx
		pop	edi
		mov	ecx, esi
		jnz	short loc_78B78D
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)

loc_78B767:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+CEj
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_78B76D:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+1Bj
		mov	eax, [ebx+350h]
		xor	edx, edx
		jmp	short loc_78B77B
; 

loc_78B777:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+B9j
		mov	edx, eax
		mov	eax, [eax]

loc_78B77B:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+B1j
		test	eax, eax
		jnz	short loc_78B777
		jmp	loc_78B6EE
; 

loc_78B784:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+71j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_78B737
; 

loc_78B78D:				; CODE XREF: MiUnlockVadRange(x,x,x,x)+9Cj
		call	UNLOCK_ADDRESS_SPACE
		jmp	short loc_78B767
_MiUnlockVadRange@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockVadRange	proc near		; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+165p
					; NtLockVirtualMemory(x,x,x,x)+123p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DDF31 SIZE 000000F7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+30h+var_4], edx
		xor	esi, esi
		mov	[esp+30h+var_8], edi
		mov	ebx, ecx
		mov	[esp+30h+var_1C], eax
		inc	esi
		mov	[esp+30h+var_C], ebx
		mov	[esp+30h+var_20], esi

loc_78B7C3:				; CODE XREF: MiLockVadRange+15287Fj
		cmp	[ebp+arg_4], 0
		mov	edx, ebx
		mov	ecx, eax
		jnz	loc_8DDF31
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)

loc_78B7D6:				; CODE XREF: MiLockVadRange+1527A2j
		test	esi, esi
		jz	loc_78B911
		test	byte ptr [ebx+0FCh], 20h
		jnz	loc_78B911
		mov	eax, [esp+30h+var_4]
		cmp	eax, 0FFFFFFFFh
		jz	loc_78B8C5
		mov	ecx, eax
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	ecx, eax
		mov	[esp+30h+var_18], eax

loc_78B805:				; CODE XREF: MiLockVadRange+147j
		mov	eax, edi
		mov	esi, edi
		mov	[esp+30h+var_14], eax

loc_78B80D:				; CODE XREF: MiLockVadRange+F7j
		mov	[esp+30h+var_10], ecx
		test	ecx, ecx
		jz	loc_78B89A
		mov	ebx, [ecx+4]
		mov	edx, ecx
		test	ebx, ebx
		jnz	short loc_78B835
		mov	ebx, [ecx+8]

loc_78B825:				; CODE XREF: MiLockVadRange+9Fj
		and	ebx, 0FFFFFFFCh
		jz	short loc_78B845
		cmp	[ebx], edx
		jz	short loc_78B845
		mov	edx, ebx
		mov	ebx, [ebx+8]
		jmp	short loc_78B825
; 

loc_78B835:				; CODE XREF: MiLockVadRange+8Cj
		mov	edx, [ebx]
		test	edx, edx
		jz	short loc_78B845

loc_78B83B:				; CODE XREF: MiLockVadRange+AFj
		mov	eax, [edx]
		mov	ebx, edx
		mov	edx, eax
		test	eax, eax
		jnz	short loc_78B83B

loc_78B845:				; CODE XREF: MiLockVadRange+94j
					; MiLockVadRange+98j ...
		cmp	[ebp+arg_0], 0FFFFFFFFh
		jnz	short loc_78B8B0

loc_78B84B:				; CODE XREF: MiLockVadRange+12Fj
					; MiLockVadRange+1527AFj ...
		call	_MiVadIsCfgBitmap@4 ; MiVadIsCfgBitmap(x)
		cmp	eax, 1
		jz	loc_78B8E0
		test	esi, esi
		jz	short loc_78B88D
		add	ecx, 18h
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx

loc_78B867:				; CODE XREF: MiLockVadRange+104j
		mov	ecx, [esp+30h+var_10]
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		cmp	eax, 1
		jz	loc_8DDF5D
		cmp	[esp+30h+var_20], 0
		jz	loc_8DDF5D
		mov	eax, [esp+30h+var_14]
		inc	esi

loc_78B889:				; CODE XREF: MiLockVadRange+159j
		mov	ecx, ebx
		jmp	short loc_78B80D
; 

loc_78B88D:				; CODE XREF: MiLockVadRange+C7j
		mov	edx, ecx
		mov	ecx, [esp+30h+var_1C]
		call	_MiLockVad@8	; MiLockVad(x,x)
		jmp	short loc_78B867
; 

loc_78B89A:				; CODE XREF: MiLockVadRange+7Fj
		cmp	[esp+30h+var_20], 1
		jnz	short loc_78B8A5
		test	eax, eax
		jnz	short loc_78B8EF

loc_78B8A5:				; CODE XREF: MiLockVadRange+10Bj
					; MiLockVadRange+179j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_78B8B0:				; CODE XREF: MiLockVadRange+B5j
		mov	edx, [ecx+10h]
		mov	eax, edx
		shl	eax, 0Ch
		cmp	[ebp+arg_0], eax
		ja	loc_8DDF3B

loc_78B8C1:				; CODE XREF: MiLockVadRange+1527C4j
		mov	ebx, edi
		jmp	short loc_78B84B
; 

loc_78B8C5:				; CODE XREF: MiLockVadRange+5Ej
		mov	eax, [ebx+350h]
		mov	ecx, edi
		jmp	short loc_78B8D3
; 

loc_78B8CF:				; CODE XREF: MiLockVadRange+145j
		mov	ecx, eax
		mov	eax, [eax]

loc_78B8D3:				; CODE XREF: MiLockVadRange+139j
		mov	[esp+30h+var_18], ecx
		test	eax, eax
		jnz	short loc_78B8CF
		jmp	loc_78B805
; 

loc_78B8E0:				; CODE XREF: MiLockVadRange+BFj
		mov	eax, [esp+30h+var_14]
		mov	[esp+eax*4+30h+var_8], ecx
		inc	eax
		mov	[esp+30h+var_14], eax
		jmp	short loc_78B889
; 

loc_78B8EF:				; CODE XREF: MiLockVadRange+10Fj
		mov	ebx, [esp+30h+var_14]

loc_78B8F3:				; CODE XREF: MiLockVadRange+17Bj
		mov	ecx, [esp+edi*4+30h+var_8]
		test	esi, esi
		jz	loc_8DE018
		add	ecx, 18h
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx

loc_78B909:				; CODE XREF: MiLockVadRange+15288Fj
		inc	esi
		inc	edi
		cmp	edi, ebx
		jnb	short loc_78B8A5
		jmp	short loc_78B8F3
; 

loc_78B911:				; CODE XREF: MiLockVadRange+44j
					; MiLockVadRange+51j
		mov	esi, edi
		jmp	short loc_78B8A5
MiLockVadRange	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiVadIsCfgBitmap(x)
_MiVadIsCfgBitmap@4 proc near		; CODE XREF: MiLockVadRange:loc_78B84Bp
					; NtAreMappedFilesTheSame+59p ...
		mov	eax, large fs:124h
		xor	edx, edx
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		add	eax, 0C0h

loc_78B92F:				; CODE XREF: MiVadIsCfgBitmap(x)+24j
		cmp	[eax], ecx
		jz	short loc_78B93F
		inc	edx
		add	eax, 10h
		cmp	edx, 1
		jb	short loc_78B92F
		xor	eax, eax
		retn
; 

loc_78B93F:				; CODE XREF: MiVadIsCfgBitmap(x)+1Bj
		xor	eax, eax
		inc	eax
		retn
_MiVadIsCfgBitmap@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockUnlockCommon proc	near		; CODE XREF: NtUnlockVirtualMemory(x,x,x,x)+B4p
					; NtLockVirtualMemory(x,x,x,x)+60p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008DE028 SIZE 00000041 BYTES

		push	1Ch
		push	offset dword_6A1B98
		call	__SEH_prolog4
		mov	ebx, ecx
		and	[ebp+var_1C], 0
		test	[ebp+arg_4], 0FFFFFFFCh
		jnz	loc_78BA23
		test	byte ptr [ebp+arg_4], 3
		jz	loc_78BA23
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_20], al
		and	[ebp+ms_exc.disabled], 0
		test	al, al
		jz	short loc_78B9AB
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_8DE028

loc_78B993:				; CODE XREF: MiLockUnlockCommon+1526E6j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8DE02F

loc_78B9A7:				; CODE XREF: MiLockUnlockCommon+1526EDj
		mov	eax, [ecx]
		mov	[ecx], eax

loc_78B9AB:				; CODE XREF: MiLockUnlockCommon+3Ej
		mov	edi, [edx]
		mov	[ebp+var_28], edi
		mov	eax, [ebp+arg_0]
		mov	esi, [eax]
		mov	[ebp+var_2C], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ds:_MmHighestUserAddress
		cmp	edi, eax
		ja	short loc_78BA23
		sub	eax, edi
		inc	eax
		cmp	eax, esi
		jb	short loc_78BA23
		test	esi, esi
		jz	short loc_78BA23
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	6D566D4Dh
		push	[ebp+var_20]
		push	ds:_PsProcessType
		push	8
		push	ebx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_78BA11
		test	byte ptr [ebp+arg_4], 2
		jnz	loc_8DE036

loc_78B9FD:				; CODE XREF: MiLockUnlockCommon+152708j
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		mov	eax, [ebp+arg_C]
		mov	[eax], esi
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+var_1C]
		mov	[ecx], eax
		xor	eax, eax

loc_78BA11:				; CODE XREF: MiLockUnlockCommon+ADj
					; MiLockUnlockCommon+E4j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_78BA23:				; CODE XREF: MiLockUnlockCommon+19j
					; MiLockUnlockCommon+23j ...
		mov	eax, 0C000000Dh
		jmp	short loc_78BA11
MiLockUnlockCommon endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlReleaseFileForCcFlush proc	near	; CODE XREF: MmFlushSection+C8p
					; MiDestroySection+8D121p ...

var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_132		= byte ptr -132h
var_131		= byte ptr -131h
var_130		= dword	ptr -130h
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_10C		= byte ptr -10Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DE08B SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	ebx, ecx
		push	124h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_130]
		mov	[ebp+var_138], ebx
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_130]
		mov	[ebp+var_140], eax
		xor	eax, eax
		mov	esi, eax
		mov	[ebp+var_131], al
		mov	[ebp+var_132], al
		push	ebx
		mov	[ebp+var_13C], eax
		call	IoGetRelatedDeviceObject
		push	ebx
		mov	[ebp+var_144], eax
		call	_IoGetBaseFileSystemDeviceObject@4 ; IoGetBaseFileSystemDeviceObject(x)
		mov	ebx, eax
		mov	eax, [ebx+8]
		mov	ecx, [eax+28h]
		mov	eax, [eax+18h]
		mov	[ebp+var_148], ecx
		mov	edi, [eax+18h]
		test	edi, edi
		jz	short loc_78BACB
		mov	eax, [edi]
		cmp	eax, 24h
		jb	short loc_78BABD
		cmp	[edi+20h], esi
		jnz	loc_78BBF6

loc_78BABD:				; CODE XREF: FsRtlReleaseFileForCcFlush+88j
		cmp	eax, 28h
		jb	short loc_78BACB
		cmp	[edi+24h], esi
		jnz	loc_78BBF6

loc_78BACB:				; CODE XREF: FsRtlReleaseFileForCcFlush+81j
					; FsRtlReleaseFileForCcFlush+96j
		mov	al, [ebp+var_131]

loc_78BAD1:				; CODE XREF: FsRtlReleaseFileForCcFlush+1CEj
		mov	edx, [ebp+var_144]
		cmp	edx, ebx
		jz	loc_78BC40

loc_78BADF:				; CODE XREF: FsRtlReleaseFileForCcFlush+218j
		push	0
		push	[ebp+var_138]
		push	ecx
		push	edx
		mov	dl, 0FAh
		lea	ecx, [ebp+var_130]
		call	FsFilterCtrlInit
		lea	eax, [ebp+var_13C]
		xor	dl, dl
		push	eax
		push	1
		lea	ecx, [ebp+var_130]
		call	FsFilterPerformCallbacks
		mov	esi, eax
		test	esi, esi
		js	short loc_78BB85
		jnz	loc_8DE08B
		test	[ebp+var_10C], 4
		mov	edx, [ebp+var_124]
		mov	[ebp+var_138], edx
		jnz	loc_78BBCB
		mov	ecx, [ebp+var_148]

loc_78BB37:				; CODE XREF: FsRtlReleaseFileForCcFlush+1C7j
		test	edi, edi
		jz	short loc_78BB53
		mov	eax, [edi]
		cmp	eax, 24h
		jb	short loc_78BB48
		cmp	dword ptr [edi+20h], 0
		jnz	short loc_78BB7C

loc_78BB48:				; CODE XREF: FsRtlReleaseFileForCcFlush+116j
		cmp	eax, 28h
		jb	short loc_78BB53
		cmp	dword ptr [edi+24h], 0
		jnz	short loc_78BB7C

loc_78BB53:				; CODE XREF: FsRtlReleaseFileForCcFlush+10Fj
					; FsRtlReleaseFileForCcFlush+121j
		test	ecx, ecx
		jz	loc_8DE09C
		cmp	dword ptr [ecx], 70h
		jb	loc_8DE09C
		mov	eax, [ecx+6Ch]
		test	eax, eax
		jz	loc_8DE09C
		push	ebx
		push	edx
		call	eax
		mov	esi, eax

loc_78BB75:				; CODE XREF: FsRtlReleaseFileForCcFlush+152677j
		or	[ebp+var_13C], 1

loc_78BB7C:				; CODE XREF: FsRtlReleaseFileForCcFlush+11Cj
					; FsRtlReleaseFileForCcFlush+127j
		cmp	[ebp+var_132], 0
		jnz	short loc_78BBFD

loc_78BB85:				; CODE XREF: FsRtlReleaseFileForCcFlush+E6j
					; FsRtlReleaseFileForCcFlush+1DAj ...
		cmp	esi, 0C0000010h
		jz	short loc_78BC09

loc_78BB8D:				; CODE XREF: FsRtlReleaseFileForCcFlush+1E6j
		xor	ecx, ecx

loc_78BB8F:				; CODE XREF: FsRtlReleaseFileForCcFlush+211j
		mov	eax, [ebp+var_140]
		test	eax, eax
		jz	short loc_78BBB7
		cmp	[eax+2Eh], cx
		jbe	short loc_78BBAC
		mov	edx, esi
		lea	ecx, [ebp+var_130]
		call	_FsFilterPerformCompletionCallbacks@8 ;	FsFilterPerformCompletionCallbacks(x,x)

loc_78BBAC:				; CODE XREF: FsRtlReleaseFileForCcFlush+173j
		lea	ecx, [ebp+var_130]
		call	_FsFilterCtrlFree@4 ; FsFilterCtrlFree(x)

loc_78BBB7:				; CODE XREF: FsRtlReleaseFileForCcFlush+16Dj
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_78BBCB:				; CODE XREF: FsRtlReleaseFileForCcFlush+101j
		push	[ebp+var_128]
		call	_IoGetDeviceAttachmentBaseRef@4	; IoGetDeviceAttachmentBaseRef(x)
		mov	ebx, eax
		mov	[ebp+var_132], 1
		mov	eax, [ebx+8]
		mov	ecx, [eax+28h]
		mov	eax, [eax+18h]
		mov	edi, [eax+18h]

loc_78BBEB:				; CODE XREF: FsRtlReleaseFileForCcFlush+226j
		mov	edx, [ebp+var_138]
		jmp	loc_78BB37
; 

loc_78BBF6:				; CODE XREF: FsRtlReleaseFileForCcFlush+8Dj
					; FsRtlReleaseFileForCcFlush+9Bj
		mov	al, 1
		jmp	loc_78BAD1
; 

loc_78BBFD:				; CODE XREF: FsRtlReleaseFileForCcFlush+159j
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	loc_78BB85
; 

loc_78BC09:				; CODE XREF: FsRtlReleaseFileForCcFlush+161j
		test	byte ptr [ebp+var_13C],	1
		jz	loc_78BB8D
		mov	eax, [ebp+var_138]
		mov	esi, [eax+0Ch]
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_78BC2B
		call	ExReleaseResourceLite

loc_78BC2B:				; CODE XREF: FsRtlReleaseFileForCcFlush+1FAj
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_78BC37
		call	ExReleaseResourceLite

loc_78BC37:				; CODE XREF: FsRtlReleaseFileForCcFlush+206j
		xor	ecx, ecx
		mov	esi, ecx
		jmp	loc_78BB8F
; 

loc_78BC40:				; CODE XREF: FsRtlReleaseFileForCcFlush+AFj
		test	al, al
		jnz	loc_78BADF
		xor	eax, eax
		mov	[ebp+var_140], eax
		jmp	short loc_78BBEB
FsRtlReleaseFileForCcFlush endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlAcquireFileForCcFlushEx proc near	; CODE XREF: MmFlushSection+9Ep
					; MiDeleteCachedSubsection(x)+20Ap ...

var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_132		= byte ptr -132h
var_131		= byte ptr -131h
var_130		= dword	ptr -130h
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_10C		= byte ptr -10Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DE0A6 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	ebx, ecx
		push	124h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_130]
		mov	[ebp+var_138], ebx
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_130]
		mov	[ebp+var_140], eax
		xor	eax, eax
		mov	esi, eax
		mov	[ebp+var_131], al
		mov	[ebp+var_132], al
		push	ebx
		mov	[ebp+var_13C], eax
		call	IoGetRelatedDeviceObject
		push	ebx
		mov	[ebp+var_144], eax
		call	_IoGetBaseFileSystemDeviceObject@4 ; IoGetBaseFileSystemDeviceObject(x)
		mov	ebx, eax
		mov	eax, [ebx+8]
		mov	ecx, [eax+28h]
		mov	eax, [eax+18h]
		mov	[ebp+var_148], ecx
		mov	edi, [eax+18h]
		test	edi, edi
		jz	short loc_78BCF3
		mov	eax, [edi]
		cmp	eax, 1Ch
		jb	short loc_78BCE5
		cmp	[edi+18h], esi
		jnz	loc_78BE4F

loc_78BCE5:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+88j
		cmp	eax, 20h
		jb	short loc_78BCF3
		cmp	[edi+1Ch], esi
		jnz	loc_78BE4F

loc_78BCF3:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+81j
					; FsRtlAcquireFileForCcFlushEx+96j
		mov	al, [ebp+var_131]

loc_78BCF9:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+1FFj
		mov	edx, [ebp+var_144]
		cmp	edx, ebx
		jz	loc_78BEAC

loc_78BD07:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+25Cj
		push	1
		push	[ebp+var_138]
		push	ecx
		push	edx
		mov	dl, 0FBh
		lea	ecx, [ebp+var_130]
		call	FsFilterCtrlInit
		test	eax, eax
		js	loc_78BE15
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [ebp+var_13C]
		mov	dl, 1
		push	eax
		push	1
		lea	ecx, [ebp+var_130]
		call	FsFilterPerformCallbacks
		mov	ecx, [ebp+var_148]
		lea	edx, [ebp+var_130]
		mov	esi, eax

loc_78BD58:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+278j
		test	esi, esi
		js	short loc_78BDD5
		jnz	loc_8DE0A6
		test	edx, edx
		jz	loc_78BE44
		test	[ebp+var_10C], 4
		mov	edx, [ebp+var_124]
		mov	[ebp+var_138], edx
		jnz	loc_78BE24

loc_78BD83:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+1F8j
		test	edi, edi
		jz	short loc_78BD9F
		mov	eax, [edi]
		cmp	eax, 1Ch
		jb	short loc_78BD94
		cmp	dword ptr [edi+18h], 0
		jnz	short loc_78BDC8

loc_78BD94:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+13Aj
		cmp	eax, 20h
		jb	short loc_78BD9F
		cmp	dword ptr [edi+1Ch], 0
		jnz	short loc_78BDC8

loc_78BD9F:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+133j
					; FsRtlAcquireFileForCcFlushEx+145j
		test	ecx, ecx
		jz	loc_8DE0B7
		cmp	dword ptr [ecx], 6Ch
		jb	loc_8DE0B7
		mov	eax, [ecx+68h]
		test	eax, eax
		jz	loc_8DE0B7
		push	ebx
		push	edx
		call	eax
		mov	esi, eax

loc_78BDC1:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+15246Aj
		or	[ebp+var_13C], 1

loc_78BDC8:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+140j
					; FsRtlAcquireFileForCcFlushEx+14Bj
		cmp	[ebp+var_132], 0
		jnz	loc_78BE56

loc_78BDD5:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+108j
					; FsRtlAcquireFileForCcFlushEx+20Bj ...
		cmp	esi, 0C0000010h
		jz	loc_78BE62

loc_78BDE1:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+217j
		xor	ecx, ecx

loc_78BDE3:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+255j
		mov	eax, [ebp+var_140]
		test	eax, eax
		jz	short loc_78BE0B
		cmp	[eax+2Eh], cx
		jbe	short loc_78BE00
		mov	edx, esi
		lea	ecx, [ebp+var_130]
		call	_FsFilterPerformCompletionCallbacks@8 ;	FsFilterPerformCompletionCallbacks(x,x)

loc_78BE00:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+19Fj
		lea	ecx, [ebp+var_130]
		call	_FsFilterCtrlFree@4 ; FsFilterCtrlFree(x)

loc_78BE0B:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+199j
		test	esi, esi
		js	loc_8DE0C1

loc_78BE13:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+152474j
		mov	eax, esi

loc_78BE15:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+CEj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_78BE24:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+12Bj
		push	[ebp+var_128]
		call	_IoGetDeviceAttachmentBaseRef@4	; IoGetDeviceAttachmentBaseRef(x)
		mov	ebx, eax
		mov	[ebp+var_132], 1
		mov	eax, [ebx+8]
		mov	ecx, [eax+28h]
		mov	eax, [eax+18h]
		mov	edi, [eax+18h]

loc_78BE44:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+112j
		mov	edx, [ebp+var_138]
		jmp	loc_78BD83
; 

loc_78BE4F:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+8Dj
					; FsRtlAcquireFileForCcFlushEx+9Bj
		mov	al, 1
		jmp	loc_78BCF9
; 

loc_78BE56:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+17Dj
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	loc_78BDD5
; 

loc_78BE62:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+189j
		test	byte ptr [ebp+var_13C],	1
		jz	loc_78BDE1
		mov	eax, [ebp+var_138]
		mov	esi, [eax+0Ch]
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_78BE94
		push	eax
		call	ExIsResourceAcquiredSharedLite
		mov	ecx, [esi+8]
		push	1
		push	ecx
		test	eax, eax
		jz	short loc_78BECF
		call	ExAcquireResourceSharedLite

loc_78BE94:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+22Bj
					; FsRtlAcquireFileForCcFlushEx+282j
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_78BEA3
		push	1
		push	eax
		call	ExAcquireResourceSharedLite

loc_78BEA3:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+247j
		xor	ecx, ecx
		mov	esi, ecx
		jmp	loc_78BDE3
; 

loc_78BEAC:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+AFj
		test	al, al
		jnz	loc_78BD07
		mov	eax, large fs:124h
		xor	edx, edx
		mov	[ebp+var_140], edx
		dec	word ptr [eax+13Ch]
		nop
		jmp	loc_78BD58
; 

loc_78BECF:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+23Bj
		call	ExAcquireResourceExclusiveLite
		jmp	short loc_78BE94
FsRtlAcquireFileForCcFlushEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtDelayExecution proc near		; CODE XREF: LdrpInitMuiCrits+B20B3p
					; DATA XREF: .text:005810C4o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DE0ED SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1BE0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_20], al
		test	al, al
		jz	loc_8DE0ED
		mov	[ebp+var_4], 0
		mov	eax, [ebp+arg_4]
		mov	edx, eax
		test	al, 3
		jnz	short loc_78BF7E
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	short loc_78BF83

loc_78BF46:				; CODE XREF: NtDelayExecution+A5j
		nop
		mov	cl, [edx]
		mov	ecx, [eax]
		mov	[ebp+var_28], ecx
		mov	eax, [eax+4]
		mov	[ebp+var_24], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_78BF5B:				; CODE XREF: NtDelayExecution+15221Bj
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+arg_0]
		push	[ebp+var_20]
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)

loc_78BF6A:				; CODE XREF: sub_8DE0DB+Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_78BF7E:				; CODE XREF: NtDelayExecution+5Aj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_78BF83:				; CODE XREF: NtDelayExecution+64j
		mov	edx, ecx
		jmp	short loc_78BF46
NtDelayExecution endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiShareExistingControlArea proc	near	; CODE XREF: MiCreateImageOrDataSection+17Fp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DE100 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, [edi+28h]
		mov	esi, [edi+24h]
		test	dword ptr [ebx+1Ch], 200h
		jnz	loc_78C073

loc_78BFB0:				; CODE XREF: MiShareExistingControlArea+F2j
					; MiShareExistingControlArea+110j
		or	dword ptr [edi], 4
		test	byte ptr [ebx+1Ch], 20h
		mov	edx, [edi]
		mov	eax, [ebx]
		setz	cl
		test	dl, 1
		mov	[ebp+var_4], eax
		setz	al
		test	cl, al
		jz	short loc_78C002
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	FsRtlGetFileSize
		push	dword ptr [edi+78h]
		mov	ebx, eax
		call	_IoSetTopLevelIrp@4 ; IoSetTopLevelIrp(x)
		push	esi
		call	FsRtlReleaseFile
		and	dword ptr [edi], 0FFFFFFFDh
		test	ebx, ebx
		js	loc_78C0AA
		mov	ebx, [ebp+var_10]
		mov	eax, ebx
		mov	edx, [ebp+var_C]
		or	eax, edx
		jz	loc_8DE100
		jmp	short loc_78C042
; 

loc_78C002:				; CODE XREF: MiShareExistingControlArea+41j
		test	dl, 2
		jz	short loc_78C018
		push	dword ptr [edi+78h]
		call	_IoSetTopLevelIrp@4 ; IoSetTopLevelIrp(x)
		push	esi
		call	FsRtlReleaseFile
		and	dword ptr [edi], 0FFFFFFFDh

loc_78C018:				; CODE XREF: MiShareExistingControlArea+7Dj
		test	dword ptr [edi+8], 1000000h
		jz	short loc_78C02C
		mov	ecx, edi
		call	_MiValidateExistingImage@4 ; MiValidateExistingImage(x)
		test	eax, eax
		js	short loc_78C059

loc_78C02C:				; CODE XREF: MiShareExistingControlArea+97j
		mov	esi, [ebp+var_4]
		add	esi, 10h
		or	ecx, 0FFFFFFFFh
		mov	eax, ecx
		mov	edx, ecx
		nop
		mov	ebx, ecx
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, eax

loc_78C042:				; CODE XREF: MiShareExistingControlArea+78j
					; MiShareExistingControlArea+15217Ej
		mov	esi, [edi+60h]
		mov	ecx, esi
		mov	eax, [edi+64h]
		or	ecx, eax
		jnz	short loc_78C05E
		or	dword ptr [edi], 8
		mov	[edi+48h], ebx
		mov	[edi+4Ch], edx

loc_78C057:				; CODE XREF: MiShareExistingControlArea+E9j
		xor	eax, eax

loc_78C059:				; CODE XREF: MiShareExistingControlArea+A2j
					; MiShareExistingControlArea+120j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_78C05E:				; CODE XREF: MiShareExistingControlArea+C4j
		cmp	edx, eax
		jb	short loc_78C09D
		ja	short loc_78C068
		cmp	ebx, esi
		jb	short loc_78C09D

loc_78C068:				; CODE XREF: MiShareExistingControlArea+DAj
		or	dword ptr [edi], 8

loc_78C06B:				; CODE XREF: MiShareExistingControlArea+119j
		mov	[edi+4Ch], eax
		mov	[edi+48h], esi
		jmp	short loc_78C057
; 

loc_78C073:				; CODE XREF: MiShareExistingControlArea+22j
		call	_PsIsCurrentThreadPrefetching@0	; PsIsCurrentThreadPrefetching()
		test	al, al
		jnz	loc_78BFB0
		test	dword ptr [edi+8], 1000000h
		mov	edx, esi
		push	0
		pop	eax
		setnz	al
		xor	ecx, ecx
		inc	eax
		push	eax
		call	MmChangeSectionBackingFile
		jmp	loc_78BFB0
; 

loc_78C09D:				; CODE XREF: MiShareExistingControlArea+D8j
					; MiShareExistingControlArea+DEj
		test	byte ptr [edi+14h], 44h
		jnz	short loc_78C06B
		mov	eax, 0C0000040h
		jmp	short loc_78C059
; 

loc_78C0AA:				; CODE XREF: MiShareExistingControlArea+62j
		mov	eax, ebx
		jmp	short loc_78C059
MiShareExistingControlArea endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCallCreateSectionFilters proc	near	; CODE XREF: MiCreateImageOrDataSection+126p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DE116 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		test	byte ptr [esi],	1
		jnz	short loc_78C10A
		mov	edi, [esi+24h]
		lea	eax, [ebp+var_8]
		mov	edx, [esi+14h]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		mov	ecx, edi
		call	_FsRtlAcquireToCreateMappedSection@20 ;	FsRtlAcquireToCreateMappedSection(x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_78C106
		test	byte ptr [ebp+var_4], 6
		jnz	loc_8DE116
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jnz	short loc_78C11D

loc_78C0F3:				; CODE XREF: MiCallCreateSectionFilters+74j
					; MiCallCreateSectionFilters+82j ...
		mov	eax, [esi]
		cmp	edx, 12Ah
		jnz	short loc_78C10E

loc_78C0FD:				; CODE XREF: MiCallCreateSectionFilters+66j
		and	eax, 0FFFFFF7Fh

loc_78C102:				; CODE XREF: MiCallCreateSectionFilters+6Dj
		mov	[esi], eax
		mov	eax, edx

loc_78C106:				; CODE XREF: MiCallCreateSectionFilters+32j
					; MiCallCreateSectionFilters+5Ej ...
		pop	edi
		pop	esi
		leave
		retn
; 

loc_78C10A:				; CODE XREF: MiCallCreateSectionFilters+16j
		xor	eax, eax
		jmp	short loc_78C106
; 

loc_78C10E:				; CODE XREF: MiCallCreateSectionFilters+4Dj
		cmp	edx, 12Bh
		jnz	short loc_78C0FD
		or	eax, 80h
		jmp	short loc_78C102
; 

loc_78C11D:				; CODE XREF: MiCallCreateSectionFilters+43j
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	short loc_78C0F3
		or	dword ptr [esi], 2000h
		cmp	ecx, dword_6D34D4
		jnb	short loc_78C0F3
		mov	dword_6D34D4, ecx
		jmp	short loc_78C0F3
MiCallCreateSectionFilters endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAcquireToCreateMappedSection(x, x, x, x, x)
_FsRtlAcquireToCreateMappedSection@20 proc near
					; CODE XREF: FsRtlCreateSectionForDataScan+81p
					; MiCallCreateSectionFilters+29p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		mov	ebx, edx
		mov	edx, [ebp+arg_4]
		mov	esi, ecx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_1C], edx
		stosd
		and	dword ptr [edx], 0
		xor	edx, edx
		and	dword ptr [ecx], 0
		inc	edx
		mov	[ebp+var_20], ecx
		mov	ecx, esi
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+arg_0]
		mov	[ebp+var_18], 10h
		push	ebx
		call	FsRtlAcquireFileExclusiveCommon
		mov	edi, eax
		test	edi, edi
		js	short loc_78C1AE
		test	bl, 44h
		jnz	short loc_78C1C1

loc_78C192:				; CODE XREF: FsRtlAcquireToCreateMappedSection(x,x,x,x,x)+8Cj
					; FsRtlAcquireToCreateMappedSection(x,x,x,x,x)+A2j
		cmp	[ebp+var_14], 0Ch
		jb	short loc_78C1A0
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+var_10]
		mov	[ecx], eax

loc_78C1A0:				; CODE XREF: FsRtlAcquireToCreateMappedSection(x,x,x,x,x)+5Cj
		cmp	[ebp+var_14], 10h
		jb	short loc_78C1AE
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+var_C]
		mov	[ecx], eax

loc_78C1AE:				; CODE XREF: FsRtlAcquireToCreateMappedSection(x,x,x,x,x)+51j
					; FsRtlAcquireToCreateMappedSection(x,x,x,x,x)+6Aj
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_78C1C1:				; CODE XREF: FsRtlAcquireToCreateMappedSection(x,x,x,x,x)+56j
		mov	esi, [esi+0Ch]
		test	esi, esi
		jz	short loc_78C192
		mov	ecx, [esi+28h]
		call	ExAcquireFastMutex
		mov	ecx, [esi+28h]
		or	byte ptr [esi+6], 10h
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	short loc_78C192
_FsRtlAcquireToCreateMappedSection@20 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 464. FsRtlAcquireFileExclusive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAcquireFileExclusive(x)
		public _FsRtlAcquireFileExclusive@4
_FsRtlAcquireFileExclusive@4 proc near	; CODE XREF: CcWriteBehindInternal+322p
					; CcZeroEndOfLastPage(x)+35p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		xor	edx, edx
		call	FsRtlAcquireFileExclusiveCommon
		pop	ebp
		retn	4
_FsRtlAcquireFileExclusive@4 endp

; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 647. FsRtlReleaseFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlReleaseFile
FsRtlReleaseFile proc near		; CODE XREF: CcWriteBehindInternal+527p
					; CcDeleteSharedCacheMap+13Fp ...

var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_132		= byte ptr -132h
var_130		= dword	ptr -130h
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_10C		= byte ptr -10Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DE126 SIZE 0000008B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 150h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_130]
		push	edi
		push	124h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_138], esi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_132], 0
		lea	eax, [ebp+var_130]
		xor	ebx, ebx
		mov	[ebp+var_144], eax
		xor	edi, edi
		mov	[ebp+var_13C], ebx
		push	esi
		call	IoGetRelatedDeviceObject
		push	esi
		mov	[ebp+var_148], eax
		call	_IoGetBaseFileSystemDeviceObject@4 ; IoGetBaseFileSystemDeviceObject(x)
		mov	[ebp+var_140], eax
		mov	esi, [eax+8]
		mov	ecx, [esi+28h]
		mov	esi, [esi+18h]
		mov	[ebp+var_14C], ecx
		mov	esi, [esi+18h]
		test	esi, esi
		jz	short loc_78C2B0
		mov	eax, [esi]
		cmp	eax, 14h
		jb	short loc_78C2A2
		cmp	[esi+10h], ebx
		jnz	loc_78C3C4

loc_78C2A2:				; CODE XREF: FsRtlReleaseFile+87j
		cmp	eax, 18h
		jb	short loc_78C2B0
		cmp	[esi+14h], ebx
		jnz	loc_78C3C4

loc_78C2B0:				; CODE XREF: FsRtlReleaseFile+80j
					; FsRtlReleaseFile+95j
		mov	dl, bl

loc_78C2B2:				; CODE XREF: FsRtlReleaseFile+1B6j
		mov	eax, [ebp+var_148]
		cmp	eax, [ebp+var_140]
		jz	loc_8DE126

loc_78C2C4:				; CODE XREF: FsRtlReleaseFile+151F18j
		push	0
		push	[ebp+var_138]
		mov	dl, 0FEh
		push	ecx
		push	eax
		lea	ecx, [ebp+var_130]
		call	FsFilterCtrlInit
		lea	eax, [ebp+var_13C]
		xor	dl, dl
		push	eax
		push	0
		lea	ecx, [ebp+var_130]
		call	FsFilterPerformCallbacks
		mov	edi, eax
		test	edi, edi
		js	loc_78C3DD
		jnz	loc_78C3CB
		test	[ebp+var_10C], 4
		mov	edx, [ebp+var_124]
		mov	[ebp+var_138], edx
		jnz	loc_8DE13F
		mov	ecx, [ebp+var_14C]

loc_78C320:				; CODE XREF: FsRtlReleaseFile+151F59j
		mov	ebx, [ebp+var_13C]

loc_78C326:				; CODE XREF: FsRtlReleaseFile+151F2Aj
		test	esi, esi
		jz	short loc_78C342
		mov	eax, [esi]
		cmp	eax, 14h
		jb	short loc_78C337
		cmp	dword ptr [esi+10h], 0
		jnz	short loc_78C36A

loc_78C337:				; CODE XREF: FsRtlReleaseFile+11Fj
		cmp	eax, 18h
		jb	short loc_78C342
		cmp	dword ptr [esi+14h], 0
		jnz	short loc_78C36A

loc_78C342:				; CODE XREF: FsRtlReleaseFile+118j
					; FsRtlReleaseFile+12Aj
		test	ecx, ecx
		jz	loc_8DE16E
		cmp	dword ptr [ecx], 34h
		jb	loc_8DE16E
		mov	eax, [ecx+30h]
		test	eax, eax
		jz	loc_8DE16E
		push	edx
		call	eax
		mov	edx, [ebp+var_138]

loc_78C367:				; CODE XREF: FsRtlReleaseFile+151F63j
		or	ebx, 1

loc_78C36A:				; CODE XREF: FsRtlReleaseFile+125j
					; FsRtlReleaseFile+130j
		cmp	[ebp+var_132], 0
		jnz	loc_8DE178

loc_78C377:				; CODE XREF: FsRtlReleaseFile+151F79j
		cmp	edi, 0C0000010h
		jz	loc_8DE18E

loc_78C383:				; CODE XREF: FsRtlReleaseFile+151F81j
					; FsRtlReleaseFile+151F9Cj
		mov	eax, [ebp+var_144]
		test	eax, eax
		jz	short loc_78C3AC

loc_78C38D:				; CODE XREF: FsRtlReleaseFile+1CBj
		cmp	word ptr [eax+2Eh], 0
		jbe	short loc_78C3A1
		mov	edx, edi
		lea	ecx, [ebp+var_130]
		call	_FsFilterPerformCompletionCallbacks@8 ;	FsFilterPerformCompletionCallbacks(x,x)

loc_78C3A1:				; CODE XREF: FsRtlReleaseFile+182j
		lea	ecx, [ebp+var_130]
		call	_FsFilterCtrlFree@4 ; FsFilterCtrlFree(x)

loc_78C3AC:				; CODE XREF: FsRtlReleaseFile+17Bj
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_78C3C4:				; CODE XREF: FsRtlReleaseFile+8Cj
					; FsRtlReleaseFile+9Aj
		mov	dl, 1
		jmp	loc_78C2B2
; 

loc_78C3CB:				; CODE XREF: FsRtlReleaseFile+EBj
		cmp	edi, 126h
		jnz	short loc_78C3DD
		xor	edi, edi
		lea	eax, [ebp+var_130]
		jmp	short loc_78C38D
; 

loc_78C3DD:				; CODE XREF: FsRtlReleaseFile+E5j
					; FsRtlReleaseFile+1C1j
		mov	ebx, [ebp+var_13C]
		jmp	loc_8DE183
FsRtlReleaseFile endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlAcquireFileExclusiveCommon	proc near
					; CODE XREF: FsRtlAcquireToCreateMappedSection(x,x,x,x,x)+48p
					; FsRtlAcquireFileExclusive(x)+Fp

var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12A		= byte ptr -12Ah
var_129		= byte ptr -129h
var_128		= dword	ptr -128h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_104		= byte ptr -104h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008DE1B1 SIZE 00000121 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 148h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		push	124h		; size_t
		mov	[ebp+var_148], eax
		mov	ebx, ecx
		lea	eax, [ebp+var_128]
		mov	[ebp+var_144], edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_130], ebx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_129], 0
		xor	esi, esi
		mov	[ebp+var_12A], 0
		lea	edi, [ebp+var_128]
		mov	[ebp+var_13C], esi
		push	ebx
		call	IoGetRelatedDeviceObject
		push	ebx
		mov	[ebp+var_138], eax
		call	_IoGetBaseFileSystemDeviceObject@4 ; IoGetBaseFileSystemDeviceObject(x)
		mov	edx, eax
		mov	[ebp+var_140], edx
		mov	eax, [edx+8]
		mov	ecx, [eax+28h]
		mov	eax, [eax+18h]
		mov	[ebp+var_134], ecx
		mov	ebx, [eax+18h]
		test	ebx, ebx
		jz	loc_8DE1BF
		mov	eax, [ebx]
		cmp	eax, 0Ch
		jb	loc_8DE1B1
		cmp	[ebx+8], esi
		jz	loc_8DE1B1

loc_78C499:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151DC9j
		mov	al, 1

loc_78C49B:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151DD5j
		mov	ecx, [ebp+var_138]
		cmp	ecx, edx
		jz	loc_8DE1CA

loc_78C4A9:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151DDCj
		mov	eax, [ebp+var_144]
		mov	byte ptr [ebp+var_138],	0
		sub	eax, 1
		jz	loc_78C5A1

loc_78C4BF:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+1B8j
		mov	esi, [ebp+var_138]
		or	dl, 0FFh
		push	esi
		push	[ebp+var_130]
		push	ecx
		push	ecx
		lea	ecx, [ebp+var_128]
		call	FsFilterCtrlInit
		test	eax, eax
		js	loc_78C58E
		mov	eax, [ebp+var_144]
		mov	[ebp+var_118], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_114], eax
		mov	eax, [ebp+var_148]
		mov	[ebp+var_110], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_10C], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	dl, byte ptr [ebp+var_138]
		lea	eax, [ebp+var_13C]
		push	eax
		push	esi
		lea	ecx, [ebp+var_128]
		call	FsFilterPerformCallbacks
		mov	edx, [ebp+var_140]
		mov	esi, eax

loc_78C53D:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151DF2j
		test	esi, esi
		js	short loc_78C553
		jz	loc_8DE1E7
		lea	ecx, [esi-126h]
		neg	ecx
		sbb	ecx, ecx
		and	esi, ecx

loc_78C553:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+14Fj
					; FsRtlAcquireFileExclusiveCommon+151EB3j
		mov	eax, [ebp+var_130]

loc_78C559:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151EA6j
		cmp	esi, 0C0000010h
		jz	loc_8DE2A8

loc_78C565:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151EBFj
					; FsRtlAcquireFileExclusiveCommon+151EDDj
		test	edi, edi
		jz	short loc_78C588
		cmp	word ptr [edi+2Eh], 0
		jbe	short loc_78C57D
		mov	edx, esi
		lea	ecx, [ebp+var_128]
		call	_FsFilterPerformCompletionCallbacks@8 ;	FsFilterPerformCompletionCallbacks(x,x)

loc_78C57D:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+17Ej
		lea	ecx, [ebp+var_128]
		call	_FsFilterCtrlFree@4 ; FsFilterCtrlFree(x)

loc_78C588:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+177j
		test	esi, esi
		js	short loc_78C5AD

loc_78C58C:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+1C2j
		mov	eax, esi

loc_78C58E:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+EEj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_78C5A1:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+C9j
		mov	byte ptr [ebp+var_138],	1
		jmp	loc_78C4BF
; 

loc_78C5AD:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+19Aj
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	short loc_78C58C
FsRtlAcquireFileExclusiveCommon	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiValidateExistingImage(x)
_MiValidateExistingImage@4 proc	near	; CODE XREF: MiShareExistingControlArea+9Bp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_9		= dword	ptr -9
var_5		= dword	ptr -5
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	byte ptr [ebp+var_5], 0
		mov	byte ptr [ebp+var_9], 0
		mov	byte ptr [ebp+var_18], 0
		mov	[ebp+var_14], 0
		mov	ebx, [edi+28h]
		mov	eax, [edi+24h]
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], ebx
		test	dword ptr [ebx+1Ch], 800h
		jz	short loc_78C613
		test	dword ptr [edi], 80000h
		jz	short loc_78C613
		mov	dword_6CF4F4, 0Ch
		mov	eax, 0C0000433h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_78C613:				; CODE XREF: MiValidateExistingImage(x)+33j
					; MiValidateExistingImage(x)+3Bj
		mov	eax, [edi]
		xor	edx, edx
		test	al, 40h
		jz	short loc_78C622
		mov	edx, 2
		jmp	short loc_78C62B
; 

loc_78C622:				; CODE XREF: MiValidateExistingImage(x)+59j
		test	al, 20h
		jz	short loc_78C62B
		mov	edx, 1

loc_78C62B:				; CODE XREF: MiValidateExistingImage(x)+60j
					; MiValidateExistingImage(x)+64j
		mov	ecx, ebx
		call	MiRelocateImageAgain
		test	eax, eax
		jns	short loc_78C647
		mov	dword_6CF4F4, 0Dh
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_78C647:				; CODE XREF: MiValidateExistingImage(x)+74j
		mov	eax, [edi]
		test	eax, 100h
		jz	short loc_78C657
		mov	esi, 4
		jmp	short loc_78C67C
; 

loc_78C657:				; CODE XREF: MiValidateExistingImage(x)+8Ej
		test	al, 20h
		jz	short loc_78C662
		mov	esi, 1
		jmp	short loc_78C67C
; 

loc_78C662:				; CODE XREF: MiValidateExistingImage(x)+99j
		test	al, 10h
		jz	short loc_78C67A
		mov	esi, eax
		and	esi, 1000h
		neg	esi
		sbb	esi, esi
		and	esi, 6
		add	esi, 2
		jmp	short loc_78C67C
; 

loc_78C67A:				; CODE XREF: MiValidateExistingImage(x)+A4j
		xor	esi, esi

loc_78C67C:				; CODE XREF: MiValidateExistingImage(x)+95j
					; MiValidateExistingImage(x)+A0j ...
		test	eax, 800h
		jz	short loc_78C686
		or	esi, 10h

loc_78C686:				; CODE XREF: MiValidateExistingImage(x)+C1j
		mov	ebx, [ebx]
		mov	ecx, eax
		test	eax, 400h
		jz	loc_78C727
		test	al, 10h
		jnz	loc_78C727
		mov	eax, large fs:124h
		mov	edx, esi
		mov	ecx, [ebp+var_20]
		mov	eax, [eax+80h]
		mov	eax, [eax+490h]
		mov	[ebp+var_10], eax
		lea	eax, [ebp-1]
		push	eax
		mov	al, [ebx+0Bh]
		shr	al, 4
		movzx	eax, al
		push	eax
		movzx	eax, byte ptr [edi+10h]
		push	eax
		mov	[ebp+var_1], 0
		call	_SeGetImageRequiredSigningLevel@20 ; SeGetImageRequiredSigningLevel(x,x,x,x,x)
		test	eax, eax
		jns	short loc_78C6E8
		mov	dword_6CF4F4, 0Eh
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_78C6E8:				; CODE XREF: MiValidateExistingImage(x)+115j
		mov	ecx, [edi]
		test	ecx, 800h
		jnz	short loc_78C721
		cmp	byte ptr [edi+10h], 0
		mov	eax, [ebp+var_10]
		jz	short loc_78C709
		test	eax, 800000h
		jz	short loc_78C709
		mov	[ebp+var_14], 1

loc_78C709:				; CODE XREF: MiValidateExistingImage(x)+139j
					; MiValidateExistingImage(x)+140j
		test	eax, 1000000h
		jz	short loc_78C716
		mov	byte ptr [ebp+var_5], 8
		jmp	short loc_78C721
; 

loc_78C716:				; CODE XREF: MiValidateExistingImage(x)+14Ej
		test	eax, 2000000h
		jz	short loc_78C721
		mov	byte ptr [ebp+var_5], 6

loc_78C721:				; CODE XREF: MiValidateExistingImage(x)+130j
					; MiValidateExistingImage(x)+154j ...
		mov	al, [ebp+var_1]
		mov	[edi+10h], al

loc_78C727:				; CODE XREF: MiValidateExistingImage(x)+CFj
					; MiValidateExistingImage(x)+D7j
		test	ecx, 80000h
		jz	short loc_78C73F
		or	esi, 40000000h
		cmp	byte ptr [edi+10h], 0
		jnz	short loc_78C73F
		mov	byte ptr [edi+10h], 4

loc_78C73F:				; CODE XREF: MiValidateExistingImage(x)+16Dj
					; MiValidateExistingImage(x)+179j
		test	ecx, 400000h
		jz	short loc_78C74D
		or	esi, 20000000h

loc_78C74D:				; CODE XREF: MiValidateExistingImage(x)+185j
		test	ecx, 400h
		jz	loc_78C80E
		test	cl, 10h
		jnz	loc_78C7E7
		mov	eax, dword_6BEA70
		mov	cl, [ebx+0Bh]
		mov	dl, [edi+10h]
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_78C779
		mov	byte ptr [ebp+var_10], dl
		jmp	short loc_78C79C
; 

loc_78C779:				; CODE XREF: MiValidateExistingImage(x)+1B2j
		movzx	eax, cl
		shr	eax, 1
		and	eax, 7
		shr	cl, 4
		push	eax
		movzx	eax, cl
		push	eax
		push	edx
		push	esi
		call	[ebp+var_10]
		movzx	ecx, byte ptr [edi+10h]
		mov	byte ptr [ebp+var_10], cl
		mov	cl, [ebx+0Bh]
		test	eax, eax
		jnz	short loc_78C7E7

loc_78C79C:				; CODE XREF: MiValidateExistingImage(x)+1B7j
		mov	edx, dword_6BEA40
		test	edx, edx
		jz	short loc_78C7E7
		push	[ebp+var_10]
		shr	cl, 4
		movzx	eax, cl
		push	eax
		call	edx
		mov	cl, [ebx+0Bh]
		test	eax, eax
		jz	short loc_78C7E7
		test	esi, 40000000h
		jz	short loc_78C7D3
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+34h]
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnz	short loc_78C7E7

loc_78C7D3:				; CODE XREF: MiValidateExistingImage(x)+1FFj
		test	cl, 0F0h
		jnz	short loc_78C7E1
		mov	eax, [ebx+24h]
		test	byte ptr [eax+1Eh], 80h
		jnz	short loc_78C7E7

loc_78C7E1:				; CODE XREF: MiValidateExistingImage(x)+216j
		mov	byte ptr [ebp+var_9], 0
		jmp	short loc_78C7EE
; 

loc_78C7E7:				; CODE XREF: MiValidateExistingImage(x)+19Cj
					; MiValidateExistingImage(x)+1DAj ...
		mov	cl, [ebx+0Bh]
		mov	byte ptr [ebp+var_9], 1

loc_78C7EE:				; CODE XREF: MiValidateExistingImage(x)+225j
		mov	edx, dword_6BEA40
		test	edx, edx
		jnz	short loc_78C7FC
		xor	eax, eax
		jmp	short loc_78C808
; 

loc_78C7FC:				; CODE XREF: MiValidateExistingImage(x)+236j
		push	[ebp+var_5]
		shr	cl, 4
		movzx	eax, cl
		push	eax
		call	edx

loc_78C808:				; CODE XREF: MiValidateExistingImage(x)+23Aj
		test	eax, eax
		setz	byte ptr [ebp+var_18]

loc_78C80E:				; CODE XREF: MiValidateExistingImage(x)+193j
		push	[ebp+var_5]
		movzx	eax, byte ptr [edi+10h]
		mov	ecx, 1
		mov	edx, [ebp+var_20]
		push	eax
		push	[ebp+var_14]
		mov	eax, [edi+68h]
		push	[ebp+var_18]
		push	[ebp+var_9]
		push	esi
		push	eax
		mov	eax, [edi+6Ch]
		push	eax
		push	[ebp+var_1C]
		call	_MiValidateSectionSigningPolicy@44 ; MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_78C846
		mov	dword_6CF4F4, 0Fh

loc_78C846:				; CODE XREF: MiValidateExistingImage(x)+27Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiValidateExistingImage@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRelocateImageAgain proc near		; CODE XREF: MiValidateExistingImage(x)+6Dp

var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DE2D2 SIZE 00000052 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		push	edi
		mov	eax, [esi+38h]
		mov	[ebp+var_18], eax
		mov	ecx, [eax+10h]
		xor	eax, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	short loc_78C8C2
		mov	[ebp+var_8], eax
		lea	edi, [ebp+var_2C]
		mov	eax, [esi]
		mov	edx, ecx
		mov	[ebp+var_14], eax
		xor	ebx, ebx
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	ecx, eax
		or	[ebp+var_2C], 0FFFFFFFFh
		mov	[ebp+var_1C], eax
		call	_MI_LOCK_RELOCATIONS_EXCLUSIVE@8 ; MI_LOCK_RELOCATIONS_EXCLUSIVE(x,x)
		test	dword ptr [esi+34h], 400000h
		jz	short loc_78C8C7

loc_78C8A6:				; CODE XREF: MiRelocateImageAgain+B1j
					; MiRelocateImageAgain+DDj ...
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_1C]
		call	MI_UNLOCK_RELOCATIONS_EXCLUSIVE
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_78C930

loc_78C8B8:				; CODE XREF: MiRelocateImageAgain+F0j
		lea	ecx, [ebp+var_2C]
		call	_MiReturnImageBase@4 ; MiReturnImageBase(x)
		mov	eax, ebx

loc_78C8C2:				; CODE XREF: MiRelocateImageAgain+24j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_78C8C7:				; CODE XREF: MiRelocateImageAgain+56j
		mov	edi, [ebp+var_14]
		xor	edx, edx
		inc	edx
		mov	ecx, offset dword_6D35E0
		mov	eax, [edi+18h]
		mov	[ebp+var_14], eax
		call	MiReservePtes
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_8DE2D2
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	[ebp+var_C]
		mov	ecx, edi
		call	MiSelectImageBase
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_78C8A6
		or	dword ptr [esi+34h], 400000h
		mov	ecx, esi
		call	_MiGetControlAreaLoadConfig@4 ;	MiGetControlAreaLoadConfig(x)
		mov	edi, [ebp+var_4]
		mov	edx, edi
		push	eax
		call	_MiUpdateCfgSystemWideBitmap@12	; MiUpdateCfgSystemWideBitmap(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8DE2E3
		cmp	edi, [ebp+var_14]
		jnz	short loc_78C943

loc_78C929:				; CODE XREF: MiRelocateImageAgain+12Ej
		xor	ebx, ebx
		jmp	loc_78C8A6
; 

loc_78C930:				; CODE XREF: MiRelocateImageAgain+68j
		push	1
		mov	edx, eax
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		jmp	loc_78C8B8
; 

loc_78C943:				; CODE XREF: MiRelocateImageAgain+D9j
		test	ds:_MiFlags, 4000h
		jnz	loc_8DE2F5

loc_78C953:				; CODE XREF: MiRelocateImageAgain+151AAEj
					; MiRelocateImageAgain+151AD1j
		cmp	[ebp+var_C], 0
		jnz	short loc_78C97E
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edi, [ebp+var_4]

loc_78C96E:				; CODE XREF: MiRelocateImageAgain+133j
		push	eax
		mov	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	MiSwitchBaseAddress
		jmp	short loc_78C929
; 

loc_78C97E:				; CODE XREF: MiRelocateImageAgain+109j
		or	eax, 0FFFFFFFFh
		jmp	short loc_78C96E
MiRelocateImageAgain endp

; 
		align 8
; Exported entry 526. FsRtlGetFileSize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlGetFileSize
FsRtlGetFileSize proc near		; CODE XREF: FsRtlCreateSectionForDataScan+96p
					; MiShareExistingControlArea+48p ...

var_54		= dword	ptr -54h
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DE324 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		mov	eax, [ebp+arg_4]
		and	[esp+44h+var_40], 0
		and	[esp+44h+var_3C], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	6
		mov	[esp+54h+var_34], eax
		lea	edi, [esp+54h+var_20]
		pop	ecx
		xor	eax, eax
		rep stosd
		push	ebx
		call	IoGetRelatedDeviceObject
		mov	esi, eax
		mov	ecx, [esi+8]
		mov	eax, [ecx+28h]
		test	eax, eax
		jz	short loc_78CA25
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_78CA25
		push	esi
		lea	ecx, [esp+54h+var_40]
		push	ecx
		lea	ecx, [esp+58h+var_20]
		push	ecx
		push	1
		push	ebx
		call	eax
		test	al, al
		jz	short loc_78CA25

loc_78C9ED:				; CODE XREF: FsRtlGetFileSize+142j
		mov	eax, [esp+64h+var_54]
		test	eax, eax
		js	short loc_78CA11
		cmp	byte ptr [esp+64h+var_20+1], 0
		jnz	loc_8DE343
		mov	edx, [esp+64h+var_48]
		mov	ecx, [esp+64h+var_2C]
		mov	[edx], ecx
		mov	ecx, [esp+64h+var_28]
		mov	[edx+4], ecx

loc_78CA11:				; CODE XREF: FsRtlGetFileSize+6Bj
					; FsRtlGetFileSize+1519A1j ...
		mov	ecx, [esp+64h+var_18]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_78CA25:				; CODE XREF: FsRtlGetFileSize+48j
					; FsRtlGetFileSize+4Fj	...
		xor	eax, eax
		lea	edi, [esp+50h+var_30]
		stosd
		push	0
		push	0
		stosd
		stosd
		stosd
		lea	eax, [esp+58h+var_30]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		movzx	eax, byte ptr [esi+30h]
		push	0
		push	eax
		push	esi
		call	IoAllocateIrpEx
		mov	edi, eax
		test	edi, edi
		jz	loc_8DE324
		push	0
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	ecx, [edi+60h]
		mov	edx, edi
		mov	byte ptr [esp+50h+var_38], al
		lea	eax, [esp+50h+var_40]
		mov	[edi+28h], eax
		lea	eax, [esp+50h+var_30]
		mov	[edi+2Ch], eax
		mov	eax, large fs:124h
		mov	[edi+50h], eax
		lea	eax, [esp+50h+var_20]
		mov	dword ptr [edi+8], 42h
		mov	byte ptr [edi+20h], 0
		mov	[edi+64h], ebx
		mov	[edi+0Ch], eax
		mov	byte ptr [ecx-24h], 5
		mov	[ecx-0Ch], ebx
		mov	[ecx-10h], esi
		mov	dword ptr [ecx-20h], 18h
		mov	dword ptr [ecx-1Ch], 5
		mov	ecx, esi
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_8DE32E

loc_78CABD:				; CODE XREF: FsRtlGetFileSize+1519B6j
		test	esi, esi
		js	short loc_78CACF

loc_78CAC1:				; CODE XREF: FsRtlGetFileSize+14Bj
		push	[esp+50h+var_38]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		jmp	loc_78C9ED
; 

loc_78CACF:				; CODE XREF: FsRtlGetFileSize+137j
		mov	[esp+50h+var_40], esi
		jmp	short loc_78CAC1
FsRtlGetFileSize endp

; 
		align 2

; __stdcall MiReleaseReadListResources(x)
_MiReleaseReadListResources@4:		; CODE XREF: MmWaitForCacheManagerPrefetch(x)+2Dp
					; MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x):loc_762C82p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+4]
		call	MiFreeReadListPages
		test	byte ptr [esi+1Ch], 20h
		jnz	short loc_78CB01
		add	edi, 0Ch
		mov	[esp+14h], edi

loc_78CAFB:				; CODE XREF: PAGE:0078CB4Cj
		mov	esi, [edi]
		cmp	esi, edi
		jnz	short loc_78CB08

loc_78CB01:				; CODE XREF: PAGE:0078CAF2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_78CB08:				; CODE XREF: PAGE:0078CAFFj
		cmp	[esi+4], edi
		jnz	short loc_78CB4E
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_78CB4E
		and	dword ptr [esp+10h], 0
		mov	[edi], eax
		mov	[eax+4], edi
		cmp	dword ptr [esi+8], 0
		jbe	short loc_78CB44
		mov	edi, [esp+10h]
		lea	ebx, [esi+0Ch]

loc_78CB2B:				; CODE XREF: PAGE:0078CB3Ej
		mov	ecx, [ebx]
		push	0
		push	dword ptr [ecx+1Ch]
		call	_MiRemoveViewsFromSectionWithPfn@16 ; MiRemoveViewsFromSectionWithPfn(x,x,x,x)
		inc	edi
		lea	ebx, [ebx+4]
		cmp	edi, [esi+8]
		jb	short loc_78CB2B
		mov	edi, [esp+14h]

loc_78CB44:				; CODE XREF: PAGE:0078CB22j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_78CAFB
; 

loc_78CB4E:				; CODE XREF: PAGE:0078CB0Bj
					; PAGE:0078CB12j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFreeReadListPages proc near		; CODE XREF: MiPfPutPagesInTransition+3DEp
					; PAGE:0078CAE9p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DE34D SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], 0
		push	edi
		lea	edx, [ebp+var_8]
		lea	ecx, [esi+14h]
		call	_MiFreeReadListPageList@8 ; MiFreeReadListPageList(x,x)
		mov	ecx, [ebp+var_8]
		mov	ebx, 4
		mov	edi, eax
		mov	[ebp+var_C], eax
		add	esi, 18h
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ecx

loc_78CB95:				; CODE XREF: MiFreeReadListPages+4Fj
		mov	ecx, [esi]
		xor	eax, eax
		test	ecx, ecx
		jnz	loc_8DE34D

loc_78CBA1:				; CODE XREF: MiFreeReadListPages+15181Dj
		add	edi, eax
		add	esi, 4
		sub	ebx, 1
		mov	[ebp+var_C], edi
		mov	[ebp+var_10], ebx
		jnz	short loc_78CB95
		test	edi, edi
		jnz	short loc_78CBBC

loc_78CBB5:				; CODE XREF: MiFreeReadListPages+68j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_78CBBC:				; CODE XREF: MiFreeReadListPages+53j
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		push	1
		call	_MiReturnFaultCharges@12 ; MiReturnFaultCharges(x,x,x)
		jmp	short loc_78CBB5
MiFreeReadListPages endp


;  S U B	R O U T	I N E 


; __stdcall MiFreeReadListPageList(x, x)
_MiFreeReadListPageList@8 proc near	; CODE XREF: MiFreeReadListPages+1Ap
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		xor	esi, esi

loc_78CBD5:				; CODE XREF: MiFreeReadListPageList(x,x)+29j
		mov	ecx, [edi]
		test	ecx, ecx
		jnz	short loc_78CBE1
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_78CBE1:				; CODE XREF: MiFreeReadListPageList(x,x)+Fj
		call	_MiGetPfnLink@4	; MiGetPfnLink(x)
		cmp	dword ptr [ebx], 0
		mov	[edi], eax
		jz	short loc_78CBF5

loc_78CBED:				; CODE XREF: MiFreeReadListPageList(x,x)+31j
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		inc	esi
		jmp	short loc_78CBD5
; 

loc_78CBF5:				; CODE XREF: MiFreeReadListPageList(x,x)+21j
		mov	dword ptr [ebx], offset	_MiSystemPartition
		jmp	short loc_78CBED
_MiFreeReadListPageList@8 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1322. KeUserModeCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KeUserModeCallback(int,void *,size_t,int,int)
		public KeUserModeCallback
KeUserModeCallback proc	near

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008DE382 SIZE 00000046 BYTES
; FUNCTION CHUNK AT 008DE422 SIZE 00000085 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1C90
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_2C], 0
		mov	esi, large fs:124h
		mov	[ebp+var_28], esi
		test	dword ptr [esi+58h], 1000h
		jnz	loc_8DE382
		mov	edi, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		call	edi
		test	al, al
		jnz	loc_8DE393
		mov	cl, [esi+16Ah]
		test	cl, cl
		jnz	loc_8DE422
		cmp	dword ptr [esi+13Ch], 0
		jnz	loc_8DE422
		mov	cl, [esi+1BFh]
		mov	al, cl
		inc	al
		mov	[esi+1BFh], al
		cmp	al, 1Fh
		ja	loc_8DE3A8
		mov	eax, [esi+16Ch]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	eax, [eax+338h]
		push	esi
		movzx	edx, word ptr [eax+8Ah]
		xor	ecx, ecx
		call	MmCreateKernelStack
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_8DE3B8
		lea	ecx, [eax-20h]
		mov	[ecx], eax
		sub	eax, ds:_KeKernelStackSize
		mov	[ecx+4], eax
		mov	eax, [esi+28h]
		mov	[ecx+10h], eax
		mov	eax, [esi+24h]
		mov	[ecx+14h], eax
		mov	eax, [esi+20h]
		mov	[ecx+1Ch], eax
		mov	eax, [esi+6Ch]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_38], eax
		mov	ecx, [eax+74h]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_34], ecx
		mov	eax, [ebp+arg_8]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	eax, 1Ch
		mov	ebx, ecx
		sub	ebx, eax
		and	ebx, 0FFFFFFFCh
		mov	[ebp+var_4], 0
		push	4
		push	eax
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		lea	edi, [ebx+1Ch]
		push	[ebp+arg_8]	; size_t
		push	[ebp+arg_4]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebx+8], edi
		mov	eax, [ebp+arg_8]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_20]
		mov	[ebx+18h], eax
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+68h]
		mov	[ebx], eax
		mov	eax, [esi+0A8h]
		mov	eax, [eax]
		mov	[ebp+arg_8], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	[ecx+74h], ebx
		mov	ebx, [ebp+var_24]
		push	ebx
		lea	eax, [ebx-20h]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	_KiCallUserMode@16 ; KiCallUserMode(x,x,x,x)
		mov	edi, eax
		mov	[ebp+arg_4], edi
		mov	[ebp+var_4], 1
		cmp	edi, 0C0000423h
		jz	short loc_78CDA1
		mov	eax, [esi+0A8h]
		mov	ecx, [ebp+arg_8]
		mov	[eax], ecx

loc_78CDA1:				; CODE XREF: KeUserModeCallback+184j
		mov	eax, [esi+0A8h]
		mov	eax, [eax+0F70h]
		mov	[ebp+var_30], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [ebp+var_1C]

loc_78CDBA:				; CODE XREF: sub_8DE3CE+27j
		test	eax, eax
		jnz	short loc_78CDF4

loc_78CDBE:				; CODE XREF: KeUserModeCallback+1F8j
		cmp	edi, 0C0000423h
		jz	short loc_78CDCF
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_20]
		mov	[eax+74h], ecx

loc_78CDCF:				; CODE XREF: KeUserModeCallback+1B4j
					; PAGE:008DE41Dj
		dec	byte ptr [esi+1BFh]
		xor	edx, edx
		mov	ecx, ebx
		call	_MmDeleteKernelStack@8 ; MmDeleteKernelStack(x,x)
		mov	eax, edi

loc_78CDE0:				; CODE XREF: KeUserModeCallback+1517A3j
					; KeUserModeCallback+1517B3j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_78CDF4:				; CODE XREF: KeUserModeCallback+1ACj
		add	dword ptr [ecx+74h], 0FFFFFF00h
		push	0
		push	0
		push	0
		push	7
		call	PsInvokeWin32Callout
		jmp	short loc_78CDBE
KeUserModeCallback endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpReadExtendedContext	proc near	; CODE XREF: KiRaiseException(x,x,x,x,x)+D5p
					; KiContinuePreviousModeUser+75p ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3A		= byte ptr -3Ah
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DE4A7 SIZE 00000058 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1CB8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_39], dl
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_38], eax
		mov	esi, [ebp+arg_C]
		mov	[ebp+var_4C], 0
		mov	[ebp+var_44], 0
		mov	ecx, 6
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		mov	[ebp+var_48], eax
		test	esi, esi
		jnz	short loc_78CE7E
		lea	esi, [ebp+var_34]

loc_78CE7E:				; CODE XREF: RtlpReadExtendedContext+69j
		lea	edx, [ebp+var_4C]
		mov	edi, [ebp+arg_4]
		mov	ecx, edi
		call	RtlpValidateContextFlags
		test	eax, eax
		js	loc_78CF59
		push	esi
		mov	ebx, [ebp+var_4C]
		push	ebx
		push	[ebp+var_38]
		mov	edx, edi
		call	RtlpReadExtendedContextLayout
		mov	[ebp+var_54], eax
		test	eax, eax
		js	loc_78CF59
		mov	[ebp+var_4], 0
		mov	eax, edi
		and	eax, 10000h
		mov	[ebp+var_58], eax
		jz	loc_8DE43B
		mov	eax, 4
		mov	[ebp+var_44], eax
		mov	ecx, [ebp+var_38]
		add	ecx, 2CCh
		mov	[ebp+var_48], ecx

loc_78CED8:				; CODE XREF: KeUserModeCallback+151847j
					; KeUserModeCallback+151868j ...
		test	bl, 1
		jz	short loc_78CF1A
		mov	edx, [esi+0Ch]
		test	edx, edx
		jz	short loc_78CF1A
		mov	edi, [esi+8]
		mov	[ebp+var_38], edi
		add	edi, ecx
		dec	eax
		test	eax, edi
		mov	edi, [ebp+arg_4]
		jnz	loc_78D005
		add	edx, [ebp+var_38]
		add	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		mov	[ebp+var_40], eax
		cmp	edx, eax
		ja	loc_8DE4AA
		mov	eax, [ebp+var_38]
		add	eax, ecx
		cmp	edx, eax
		jb	loc_8DE4A7

loc_78CF1A:				; CODE XREF: RtlpReadExtendedContext+CBj
					; RtlpReadExtendedContext+D2j ...
		and	ebx, 2
		jnz	short loc_78CF77

loc_78CF1F:				; CODE XREF: RtlpReadExtendedContext+16Cj
					; RtlpReadExtendedContext+192j	...
		push	esi
		push	ecx
		push	edi
		push	0
		mov	edx, [ebp+var_50]
		mov	cl, [ebp+var_39]
		call	_RtlpCopyExtendedContext@24 ; RtlpCopyExtendedContext(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_54], esi
		test	esi, esi
		js	short loc_78CF50
		mov	ecx, [ebp+var_50]
		mov	eax, [ecx+8]
		add	eax, ecx
		cmp	[ebp+var_58], 0
		jz	loc_8DE4B2

loc_78CF4A:				; CODE XREF: RtlpReadExtendedContext+1516B8j
					; RtlpReadExtendedContext+1516CAj
		mov	[eax], edi

loc_78CF4C:				; CODE XREF: RtlpReadExtendedContext+1516ADj
					; RtlpReadExtendedContext+1516C4j
		test	ebx, ebx
		jnz	short loc_78CFB3

loc_78CF50:				; CODE XREF: RtlpReadExtendedContext+126j
					; RtlpReadExtendedContext+1F0j	...
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, esi

loc_78CF59:				; CODE XREF: RtlpReadExtendedContext+7Dj
					; RtlpReadExtendedContext+97j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_78CF77:				; CODE XREF: RtlpReadExtendedContext+10Dj
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_78CF1F
		mov	edx, [esi+10h]
		mov	[ebp+var_40], edx
		add	edx, ecx
		test	dl, 3Fh
		jnz	short loc_78D00A
		add	eax, [ebp+var_40]
		add	eax, ecx
		mov	edi, ds:_MmUserProbeAddress
		mov	[ebp+var_40], edi
		cmp	eax, edi
		mov	edi, [ebp+arg_4]
		ja	short loc_78CFA8
		cmp	eax, edx
		jnb	loc_78CF1F

loc_78CFA8:				; CODE XREF: RtlpReadExtendedContext+18Ej
		mov	eax, [ebp+var_40]
		mov	byte ptr [eax],	0
		jmp	loc_78CF1F
; 

loc_78CFB3:				; CODE XREF: RtlpReadExtendedContext+13Ej
		mov	edi, 0FFDF03D8h
		mov	edx, [ecx+10h]
		add	edx, ecx
		mov	ecx, ds:0FFDF0708h
		or	ecx, [edi]
		mov	eax, ds:0FFDF070Ch
		or	eax, [edi+4]
		and	ecx, 0FFFFFFFCh
		and	[edx], ecx
		and	[edx+4], eax
		test	byte ptr ds:0FFDF03ECh,	2
		jnz	loc_8DE4DF
		mov	dword ptr [edx+8], 0
		mov	dword ptr [edx+0Ch], 0

loc_78CFF0:				; CODE XREF: RtlpReadExtendedContext+1516EAj
		push	30h		; size_t
		push	0		; int
		lea	eax, [edx+10h]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_78CF50
; 

loc_78D005:				; CODE XREF: RtlpReadExtendedContext+E2j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_78D00A:				; CODE XREF: RtlpReadExtendedContext+179j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
RtlpReadExtendedContext	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCopyContext	proc near		; CODE XREF: PspInitializeThunkContext+193p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DE51D SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	edi
		mov	ebx, ecx
		xor	edi, edi
		xor	edx, edx
		mov	[ebp+var_10], ebx
		mov	ecx, 10017h
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	RtlpValidateContextFlags
		test	eax, eax
		js	loc_78D0CC
		push	esi
		mov	ecx, ebx
		call	_RtlpGetContextFlagsLocation@8 ; RtlpGetContextFlagsLocation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		mov	[ebp+var_18], edx
		call	_RtlpGetContextFlagsLocation@8 ; RtlpGetContextFlagsLocation(x,x)
		mov	esi, [edx]
		mov	ecx, esi
		xor	edx, edx
		mov	[ebp+var_14], esi
		mov	ebx, [eax]
		or	ecx, ebx
		or	ecx, 10017h
		call	RtlpValidateContextFlags
		test	eax, eax
		js	short loc_78D0CB
		and	ebx, 10017h
		lea	edx, [ebp+var_8]
		mov	ecx, ebx
		call	RtlpValidateContextFlags
		test	eax, eax
		js	short loc_78D0CB
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	RtlpValidateContextFlags
		mov	esi, eax
		test	esi, esi
		js	short loc_78D0CB
		mov	eax, [ebp+var_4]
		not	eax
		test	[ebp+var_8], eax
		jnz	short loc_78D0D2
		push	[ebp+arg_0]
		mov	edx, [ebp+var_10]
		mov	cl, 1
		push	ebx
		call	RtlpCopyLegacyContext
		mov	ecx, [ebp+var_18]
		mov	eax, [ebp+var_14]
		or	[ecx], eax
		test	[ebp+var_4], 0FFFFFFFEh
		jnz	loc_8DE51D

loc_78D0BD:				; CODE XREF: RtlCopyContext+151513j
		mov	eax, edi

loc_78D0BF:				; CODE XREF: RtlCopyContext+151527j
		test	byte ptr [ebp+var_8], 2
		jnz	loc_8DE53C

loc_78D0C9:				; CODE XREF: RtlCopyContext+15153Aj
		mov	eax, esi

loc_78D0CB:				; CODE XREF: RtlCopyContext+5Aj
					; RtlCopyContext+6Ej ...
		pop	esi

loc_78D0CC:				; CODE XREF: RtlCopyContext+25j
		pop	edi
		pop	ebx
		leave
		retn	4
; 

loc_78D0D2:				; CODE XREF: RtlCopyContext+88j
		mov	eax, 80000005h
		jmp	short loc_78D0CB
RtlCopyContext	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpReadExtendedContextLayout proc near	; CODE XREF: RtlpReadExtendedContext+8Dp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008DE54F SIZE 0000009C BYTES

		push	24h
		push	offset dword_6A1CF8
		call	__SEH_prolog4
		mov	esi, edx
		xor	ebx, ebx
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_8]
		test	esi, 10000h
		jz	loc_8DE54F
		lea	ebx, [ecx+2CCh]
		mov	eax, ecx
		sub	eax, ebx
		mov	[edx+8], eax
		mov	dword ptr [edx+0Ch], 0CCh
		mov	eax, 10020h
		and	esi, eax
		cmp	esi, eax
		jz	short loc_78D147

loc_78D11B:				; CODE XREF: RtlpReadExtendedContextLayout+74j
					; RtlpReadExtendedContextLayout+1514A9j ...
		mov	eax, [edx+8]
		mov	[edx], eax
		mov	eax, ebx
		sub	eax, ecx
		add	eax, 18h
		mov	[edx+4], eax
		test	[ebp+arg_4], 0FFFFFFFEh
		jnz	short loc_78D150

loc_78D133:				; CODE XREF: RtlpReadExtendedContextLayout+176j
		xor	eax, eax

loc_78D135:				; CODE XREF: RtlpReadExtendedContextLayout+181j
					; sub_8DE5F9+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_78D147:				; CODE XREF: RtlpReadExtendedContextLayout+3Fj
		mov	dword ptr [edx+0Ch], 2CCh
		jmp	short loc_78D11B
; 

loc_78D150:				; CODE XREF: RtlpReadExtendedContextLayout+57j
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, ebx
		test	bl, 3
		jnz	loc_78D260
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8DE5A2

loc_78D16C:				; CODE XREF: RtlpReadExtendedContextLayout+1514CAj
		nop
		mov	al, [ecx]
		push	6
		pop	ecx
		mov	esi, ebx
		lea	edi, [ebp+var_34]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_2C]
		lea	esi, [ecx+ebx]
		mov	edi, [ebp+var_28]
		lea	eax, [edi+ecx]
		add	eax, ebx
		mov	[ebp+arg_0], eax
		lea	eax, [edi+ecx]
		cmp	ecx, eax
		jg	loc_78D256
		test	ecx, ecx
		jns	loc_8DE5A9
		cmp	esi, ebx
		jnb	loc_78D256

loc_78D1AC:				; CODE XREF: RtlpReadExtendedContextLayout+1514D7j
		cmp	[ebp+arg_0], esi
		jb	loc_78D256
		cmp	[edx+8], ecx
		jnz	loc_78D256
		cmp	[edx+0Ch], edi
		ja	loc_78D256
		test	byte ptr [ebp+arg_4], 2
		jz	short loc_78D215
		mov	ecx, [ebp+var_24]
		lea	esi, [ecx+ebx]
		mov	edi, [ebp+var_20]
		lea	eax, [edi+ecx]
		lea	edx, [eax+ebx]
		mov	[ebp+arg_0], edx
		cmp	ecx, eax
		mov	edx, [ebp+arg_8]
		jg	short loc_78D256
		test	ecx, ecx
		js	loc_8DE5B6
		cmp	esi, ebx
		jb	short loc_78D256

loc_78D1F2:				; CODE XREF: RtlpReadExtendedContextLayout+1514DEj
		cmp	[ebp+arg_0], esi
		jb	short loc_78D256
		mov	[edx+10h], ecx
		mov	[edx+14h], edi
		mov	edi, [edx+4]
		mov	esi, [edx]
		lea	eax, [esi+edi]
		cmp	eax, ecx
		jg	loc_8DE5C3
		sub	ecx, esi
		add	ecx, [edx+14h]
		mov	[edx+4], ecx

loc_78D215:				; CODE XREF: RtlpReadExtendedContextLayout+F1j
					; RtlpReadExtendedContextLayout+1514FFj
		mov	esi, [edx]
		lea	ecx, [esi+ebx]
		mov	eax, [edx+4]
		add	eax, esi
		mov	[ebp+arg_8], eax
		lea	edi, [eax+ebx]
		cmp	esi, eax
		jg	short loc_78D256
		test	esi, esi
		jns	loc_8DE5DE
		cmp	ecx, ebx
		jnb	short loc_78D256

loc_78D235:				; CODE XREF: RtlpReadExtendedContextLayout+15150Cj
		cmp	edi, ecx
		jb	short loc_78D256
		mov	edx, [ebp+var_34]
		cmp	esi, edx
		jl	short loc_78D256
		mov	eax, [ebp+var_30]
		add	eax, edx
		cmp	eax, [ebp+arg_8]
		jl	short loc_78D256
		cmp	ecx, ebx
		ja	short loc_78D256
		cmp	edi, ebx
		jnb	loc_78D133

loc_78D256:				; CODE XREF: RtlpReadExtendedContextLayout+BCj
					; RtlpReadExtendedContextLayout+CCj ...
		mov	eax, 0C000000Dh
		jmp	loc_78D135
; 

loc_78D260:				; CODE XREF: RtlpReadExtendedContextLayout+7Fj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
RtlpReadExtendedContextLayout endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmPrefetchPagesEx proc near		; CODE XREF: PfSnPrefetchSections+14Fp
					; MmPrefetchPages(x,x)+Dp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DE60B SIZE 00000080 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+24h+var_14], edx
		mov	[esp+24h+var_4], esi
		push	edi
		cmp	esi, 3FFFFFFFh
		ja	loc_78D40E
		call	_MmGetCurrentProcessorColor@0 ;	MmGetCurrentProcessorColor()
		or	eax, 80000000h
		shl	ecx, 2
		push	eax
		push	0
		push	40h
		mov	edx, 6C526D4Dh
		call	ExAllocatePoolMm
		mov	edi, eax
		mov	[esp+28h+var_18], edi
		test	edi, edi
		jz	loc_8DE60B
		mov	ecx, large fs:124h
		xor	eax, eax
		and	[esp+28h+var_10], eax
		mov	[esp+28h+var_1C], eax
		mov	[esp+28h+var_C], ecx
		dec	word ptr [ecx+13Ch]
		nop
		test	esi, esi
		jz	short loc_78D311
		sub	[esp+28h+var_14], edi
		mov	ebx, edi
		mov	edi, [esp+28h+var_14]

loc_78D2DF:				; CODE XREF: MmPrefetchPagesEx+9Dj
		push	[ebp+arg_0]
		mov	ecx, [edi+ebx]
		mov	edx, ebx
		call	MiPfPrepareReadList
		test	eax, eax
		js	loc_8DE615
		cmp	dword ptr [ebx], 0
		mov	eax, [esp+28h+var_1C]
		jnz	short loc_78D32F

loc_78D2FD:				; CODE XREF: MmPrefetchPagesEx+D0j
					; MmPrefetchPagesEx+1513B7j
		add	ebx, 4
		sub	esi, 1
		jnz	short loc_78D2DF
		mov	esi, [esp+28h+var_4]
		mov	edi, [esp+28h+var_18]
		mov	ecx, [esp+28h+var_C]

loc_78D311:				; CODE XREF: MmPrefetchPagesEx+6Dj
		test	al, 1
		jnz	short loc_78D338
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+28h+var_10]

loc_78D326:				; CODE XREF: MmPrefetchPagesEx+19Aj
					; MmPrefetchPagesEx+1ADj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_78D32F:				; CODE XREF: MmPrefetchPagesEx+95j
		or	eax, 1
		mov	[esp+28h+var_1C], eax
		jmp	short loc_78D2FD
; 

loc_78D338:				; CODE XREF: MmPrefetchPagesEx+ADj
		inc	byte ptr [ecx+30Ah]
		and	eax, 0FFFFFFFEh
		and	[esp+28h+var_14], 0
		xor	ebx, ebx
		mov	[esp+28h+var_1C], eax
		test	esi, esi
		jz	short loc_78D393

loc_78D350:				; CODE XREF: MmPrefetchPagesEx+1A3j
		lea	edi, [edi+ebx*4]
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_78D38E
		and	dword ptr [eax+3Ch], 0
		mov	edx, [ebp+arg_0]
		mov	ecx, [edi]
		push	0
		call	MiPfPutPagesInTransition
		test	eax, eax
		js	loc_8DE638
		mov	ecx, [edi]
		lea	eax, [ecx+48h]
		cmp	[eax], eax
		jz	loc_8DE622
		or	[esp+28h+var_1C], 1
		xor	edx, edx
		push	0
		push	0FFFFFFFFh
		call	MiPfExecuteReadList

loc_78D38E:				; CODE XREF: MmPrefetchPagesEx+F1j
					; MmPrefetchPagesEx+1513CDj
		inc	ebx
		cmp	ebx, esi
		jb	short loc_78D405

loc_78D393:				; CODE XREF: MmPrefetchPagesEx+E8j
					; MmPrefetchPagesEx+15141Bj
		test	byte ptr [esp+28h+var_1C], 1
		mov	ebx, [esp+28h+var_18]
		jz	short loc_78D3C9
		and	[esp+28h+var_14], 0
		xor	edi, edi
		test	esi, esi
		jz	short loc_78D3C9

loc_78D3A9:				; CODE XREF: MmPrefetchPagesEx+161j
		mov	ecx, [ebx+edi*4]
		test	ecx, ecx
		jz	short loc_78D3C4
		push	0
		add	ecx, 48h
		xor	edx, edx
		call	_MiPfCompletePrefetchIos@12 ; MiPfCompletePrefetchIos(x,x,x)
		mov	ecx, [ebx+edi*4]
		call	_MiReleaseReadListResources@4 ;	MiReleaseReadListResources(x)

loc_78D3C4:				; CODE XREF: MmPrefetchPagesEx+148j
		inc	edi
		cmp	edi, esi
		jb	short loc_78D3A9

loc_78D3C9:				; CODE XREF: MmPrefetchPagesEx+136j
					; MmPrefetchPagesEx+141j
		mov	edi, [esp+28h+var_C]
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		dec	byte ptr [edi+30Ah]
		xor	edi, edi
		test	esi, esi
		jz	short loc_78D3F4

loc_78D3E0:				; CODE XREF: MmPrefetchPagesEx+18Cj
		mov	eax, [ebx+edi*4]
		test	eax, eax
		jz	short loc_78D3EF
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_78D3EF:				; CODE XREF: MmPrefetchPagesEx+17Fj
		inc	edi
		cmp	edi, esi
		jb	short loc_78D3E0

loc_78D3F4:				; CODE XREF: MmPrefetchPagesEx+178j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+28h+var_14]
		jmp	loc_78D326
; 

loc_78D405:				; CODE XREF: MmPrefetchPagesEx+12Bj
		mov	edi, [esp+28h+var_18]
		jmp	loc_78D350
; 

loc_78D40E:				; CODE XREF: MmPrefetchPagesEx+1Ej
		mov	eax, 0C00000EFh
		jmp	loc_78D326
MmPrefetchPagesEx endp


;  S U B	R O U T	I N E 


; __stdcall MiReturnFullProcessCommitment(x, x)
_MiReturnFullProcessCommitment@8 proc near ; CODE XREF:	MiSplitPrivatePage(x,x,x)+4B9p
					; MiSplitPrivatePage(x,x,x)+5DEp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ecx, eax
		call	MiReturnCommit
		mov	ecx, edi
		mov	edx, esi
		pop	edi
		pop	esi
		jmp	_MiReturnFullProcessCharges@8 ;	MiReturnFullProcessCharges(x,x)
_MiReturnFullProcessCommitment@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPfPrepareReadList proc near		; CODE XREF: MmPrefetchPagesEx+81p

var_74		= dword	ptr -74h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DE68B SIZE 00000141 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	dword ptr [edx], 0
		mov	esi, [ecx+10h]
		lea	edi, [ebp+var_74]
		stosd
		lea	ebx, [ecx+10h]
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], 0
		mov	[ebp+var_5C], 0
		stosd
		mov	[ebp+var_C], ebx
		stosd
		test	esi, 180h
		jnz	loc_8DE7C2
		cmp	dword ptr [ecx+8], 0
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		mov	[ebp+var_64], edx
		mov	eax, [eax+14h]
		jnz	loc_78D9BA

loc_78D494:				; CODE XREF: MiPfPrepareReadList+57Dj
		mov	edi, [eax]
		mov	[ebp+var_10], edi
		test	dword ptr [edi+1Ch], 400h
		jnz	loc_8DE7C2
		cmp	dword ptr [edi+20h], 0
		jz	loc_8DE7C2
		call	_MmGetCurrentProcessorColor@0 ;	MmGetCurrentProcessorColor()
		or	eax, 80000000h
		lea	ecx, ds:50h[edx*4]
		push	eax
		push	0
		push	40h
		mov	edx, 6C526D4Dh
		call	ExAllocatePoolMm
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	loc_8DE68B
		lea	eax, [edx+48h]
		mov	[edx+4], edi
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edx+0Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[ebp+var_44], eax
		lea	eax, [edi+50h]
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		mov	edi, [eax+80h]
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_10]
		test	byte ptr [eax+1Ch], 20h
		jnz	loc_78D9C2
		mov	edx, [ebx+4]
		mov	ecx, [ebx]
		cmp	edx, 3FFFFFh
		jb	short loc_78D539
		ja	loc_78DA74
		cmp	ecx, 0FFFFF000h
		ja	loc_78DA74

loc_78D539:				; CODE XREF: MiPfPrepareReadList+E5j
		push	edx
		push	ecx
		lea	edx, [ebp+var_60]
		mov	ecx, eax
		call	MiOffsetToProtos
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_78DA74
		mov	edx, [ebp+var_8]
		mov	[ebp+var_3C], 0FFFFFFFFh

loc_78D55A:				; CODE XREF: MiPfPrepareReadList+58Cj
		lea	eax, [edx+50h]
		mov	[ebp+var_14], 0
		mov	[ebp+var_24], eax
		lea	ecx, [edi+240h]
		mov	eax, esi
		mov	[ebp+var_1C], 0
		and	eax, 7
		mov	[ebp+var_28], 0
		mov	[edx+28h], eax
		mov	[ebp+var_4C], eax
		mov	eax, esi
		and	al, 40h
		mov	[ebp+var_2C], 0
		movzx	eax, al
		neg	eax
		mov	[ebp+var_34], 0
		mov	[ebp+var_48], 0
		sbb	eax, eax
		mov	[ebp+var_50], 0
		and	eax, 5
		shr	esi, 3
		mov	[edx+2Ch], eax
		and	esi, 7
		xor	eax, eax
		mov	[edx+30h], esi
		mov	[ebp+var_18], eax
		lea	edx, [ebp+var_74]
		mov	[ebp+var_38], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_40], eax
		mov	eax, [ebp+var_10]
		mov	eax, [eax+1Ch]
		shr	eax, 14h
		and	eax, 3Fh
		push	eax
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		cmp	[ebp+var_64], 0
		mov	[ebp+var_5C], 0
		jbe	loc_8DE7BB

loc_78D5F0:				; CODE XREF: MiPfPrepareReadList+257j
		mov	esi, [ebx]
		mov	edi, [ebx+4]
		and	esi, 0FFFFFF80h
		mov	eax, [ebp+var_1C]
		cmp	eax, edi
		jb	short loc_78D60E
		ja	loc_78D808
		cmp	[ebp+var_14], esi
		ja	loc_78D808

loc_78D60E:				; CODE XREF: MiPfPrepareReadList+1BDj
		cmp	edi, [ebp+var_2C]
		ja	loc_78D808
		jb	short loc_78D622
		cmp	esi, [ebp+var_28]
		jnb	loc_78D808

loc_78D622:				; CODE XREF: MiPfPrepareReadList+1D7j
		sub	esi, [ebp+var_14]
		mov	edx, [ebp+var_4]
		sbb	edi, eax
		shrd	esi, edi, 0Ch
		mov	ecx, [edx+4]
		mov	eax, [edx+1Ch]
		lea	edi, [ecx+esi*8]
		lea	eax, [ecx+eax*8]
		cmp	edi, eax
		jnb	short loc_78D69D
		test	byte ptr [edx+12h], 2
		jnz	loc_8DE695

loc_78D648:				; CODE XREF: MiPfPrepareReadList+490j
					; MiPfPrepareReadList+151265j
		cmp	edi, [ebp+var_48]
		jz	short loc_78D687
		mov	ebx, [edi]
		mov	[ebp+var_48], edi
		nop
		mov	edx, [edi+4]
		mov	ecx, edi
		mov	[ebp+var_54], edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_78D670
		push	edx
		push	ebx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_54], edx

loc_78D670:				; CODE XREF: MiPfPrepareReadList+222j
		mov	esi, ebx
		and	esi, 1
		or	esi, 0
		jz	short loc_78D6CA
		mov	edx, [ebp+var_4C]
		mov	ecx, edi
		call	_MiUpdatePfnPriorityByPte@8 ; MiUpdatePfnPriorityByPte(x,x)

loc_78D684:				; CODE XREF: MiPfPrepareReadList+2B0j
					; MiPfPrepareReadList+2C9j ...
		mov	ebx, [ebp+var_C]

loc_78D687:				; CODE XREF: MiPfPrepareReadList+20Bj
					; MiPfPrepareReadList+496j ...
		mov	eax, [ebp+var_5C]
		add	ebx, 8
		inc	eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_5C], eax
		cmp	eax, [ebp+var_64]
		jb	loc_78D5F0

loc_78D69D:				; CODE XREF: MiPfPrepareReadList+1FCj
					; MiPfPrepareReadList+44Bj ...
		mov	edi, [ebp+var_8]

loc_78D6A0:				; CODE XREF: MiPfPrepareReadList+32Dj
					; MiPfPrepareReadList+553j
		cmp	[ebp+var_18], 0
		jnz	loc_78D9EB
		mov	esi, [ebp+var_40]

loc_78D6AD:				; CODE XREF: MiPfPrepareReadList+1512A8j
					; MiPfPrepareReadList+151344j ...
		mov	ebx, [ebp+var_8]
		mov	ecx, ebx
		call	_MiReleaseReadListResources@4 ;	MiReleaseReadListResources(x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_78D6C1:				; CODE XREF: MiPfPrepareReadList+151250j
					; MiPfPrepareReadList+151387j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4		; struct _exception *
; 

loc_78D6CA:				; CODE XREF: MiPfPrepareReadList+238j
		mov	eax, ebx
		and	eax, 400h
		or	eax, 0
		jnz	short loc_78D6F2
		mov	eax, ebx
		and	eax, 800h
		or	eax, 0
		jz	loc_8DE6ED
		mov	edx, [ebp+var_4C]
		mov	ecx, edi
		call	_MiUpdatePfnPriorityByPte@8 ; MiUpdatePfnPriorityByPte(x,x)
		jmp	short loc_78D684
; 

loc_78D6F2:				; CODE XREF: MiPfPrepareReadList+294j
		mov	ecx, [ebp+var_10]
		call	_MiControlAreaUsingExtents@4 ; MiControlAreaUsingExtents(x)
		test	eax, eax
		jnz	loc_8DE6C4
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		test	eax, eax
		jnz	loc_78D684

loc_78D70F:				; CODE XREF: MiPfPrepareReadList+1512BCj
		cmp	[ebp+var_38], 0
		mov	ecx, [ebp+var_24]
		mov	[ecx], edi
		jz	loc_78D9E3

loc_78D71E:				; CODE XREF: MiPfPrepareReadList+5A6j
		mov	eax, [ebp+var_4]
		mov	esi, edi
		cmp	[ebp+var_30], eax
		jnz	loc_78D9D6
		mov	ecx, [ebp+var_50]
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, edi
		mov	edx, eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, [ebp+var_24]
		cmp	edx, eax
		jnz	loc_78D9D1

loc_78D748:				; CODE XREF: MiPfPrepareReadList+59Ej
		mov	[ebp+var_50], edi
		cmp	edi, [ebp+var_34]
		jz	loc_78DA2A

loc_78D754:				; CODE XREF: MiPfPrepareReadList+5EFj
		mov	edi, [ebp+var_8]
		add	ecx, 4
		mov	esi, [ebp+var_20]
		mov	[ebp+var_24], ecx
		mov	ecx, esi
		mov	edx, [edi+30h]
		inc	edx
		call	_MiPrefetchNormally@8 ;	MiPrefetchNormally(x,x)
		test	eax, eax
		jz	loc_78D6A0
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	loc_78D98F

loc_78D77E:				; CODE XREF: MiPfPrepareReadList+55Cj
		push	1
		mov	edx, 1
		mov	ecx, esi
		call	MiObtainFaultCharges
		test	eax, eax
		jz	loc_8DE789
		lea	ecx, [ebp+var_74]
		call	_MiGetNextPageColor@4 ;	MiGetNextPageColor(x)
		push	[ebp+var_54]
		mov	ecx, [ebp+var_20]
		mov	esi, eax
		push	ebx
		mov	ebx, [ebp+var_4]
		mov	edx, ebx
		push	0
		call	MiUseSlabAllocator
		test	eax, eax
		jnz	loc_8DE701
		mov	edx, esi
		mov	esi, [ebp+var_20]
		push	200h
		mov	ecx, esi
		call	MiGetPage

loc_78D7CA:				; CODE XREF: MiPfPrepareReadList+1512DAj
		cmp	eax, 0FFFFFFFFh
		jz	loc_8DE767
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+ecx*4]
		mov	ecx, esi
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	loc_8DE71F
		mov	edx, [edi+14h]
		mov	ecx, esi
		call	_MiSetPfnLink@8	; MiSetPfnLink(x,x)
		mov	[edi+14h], esi

loc_78D800:				; CODE XREF: MiPfPrepareReadList+151308j
		inc	[ebp+var_18]
		jmp	loc_78D684
; 

loc_78D808:				; CODE XREF: MiPfPrepareReadList+1BFj
					; MiPfPrepareReadList+1C8j ...
		mov	eax, [ebp+var_10]
		xor	ebx, ebx
		lea	ecx, [ecx+0]

loc_78D810:				; CODE XREF: MiPfPrepareReadList+4B3j
		test	byte ptr [eax+1Ch], 20h
		jz	short loc_78D822
		mov	edx, [ebp+var_4]
		cmp	[edx+14h], ebx
		jz	loc_78D9A1

loc_78D822:				; CODE XREF: MiPfPrepareReadList+3D4j
					; MiPfPrepareReadList+569j
		mov	edx, [ebp+var_3C]
		mov	ecx, [ebp+var_4]
		call	_MiStartingOffsetNeedLock@8 ; MiStartingOffsetNeedLock(x,x)
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_14], eax
		mov	[ebp+var_1C], edx
		call	MiEndingOffsetWithLock
		mov	ecx, eax
		mov	eax, edx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_2C], eax
		cmp	[ebp+var_1C], edi
		jb	short loc_78D859
		ja	loc_78D684
		cmp	[ebp+var_14], esi
		ja	loc_78D684

loc_78D859:				; CODE XREF: MiPfPrepareReadList+408j
		cmp	edi, eax
		jb	short loc_78D863
		ja	short loc_78D8DB
		cmp	esi, ecx
		jnb	short loc_78D8DB

loc_78D863:				; CODE XREF: MiPfPrepareReadList+41Bj
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_4]
		test	byte ptr [eax+1Ch], 20h
		jz	loc_78D907

loc_78D873:				; CODE XREF: MiPfPrepareReadList+541j
					; MiPfPrepareReadList+54Aj
		sub	esi, [ebp+var_14]
		mov	edx, [ecx+4]
		sbb	edi, [ebp+var_1C]
		mov	eax, [ecx+1Ch]
		shrd	esi, edi, 0Ch
		lea	eax, [edx+eax*8]
		lea	edi, [edx+esi*8]
		cmp	edi, eax
		jnb	loc_78D69D
		test	byte ptr [ecx+12h], 2
		jnz	loc_8DE6AA

loc_78D89B:				; CODE XREF: MiPfPrepareReadList+151274j
					; MiPfPrepareReadList+15127Fj
		mov	ecx, [ebp+var_28]
		mov	eax, ecx
		mov	esi, [ebp+var_14]
		sub	eax, esi
		test	eax, 0FFFh
		jz	short loc_78D8FE
		mov	eax, [ebp+var_2C]
		sub	ecx, esi
		sbb	eax, [ebp+var_1C]
		add	ecx, 0FFFh
		adc	eax, 0
		shrd	ecx, eax, 0Ch
		lea	eax, [ecx-1]
		lea	eax, [edx+eax*8]
		mov	[ebp+var_34], eax

loc_78D8CA:				; CODE XREF: MiPfPrepareReadList+4C5j
		cmp	ebx, 1
		mov	ebx, [ebp+var_C]
		jnz	loc_78D648
		jmp	loc_78D687
; 

loc_78D8DB:				; CODE XREF: MiPfPrepareReadList+41Dj
					; MiPfPrepareReadList+421j
		mov	eax, [ebp+var_10]
		test	byte ptr [eax+1Ch], 20h
		jz	loc_78DA34
		mov	edx, [ebp+var_4]
		mov	edx, [edx+8]

loc_78D8EE:				; CODE XREF: MiPfPrepareReadList+575j
					; MiPfPrepareReadList+61Ej
		mov	[ebp+var_4], edx
		test	edx, edx
		jnz	loc_78D810
		jmp	loc_78D69D
; 

loc_78D8FE:				; CODE XREF: MiPfPrepareReadList+46Aj
		mov	[ebp+var_34], 0
		jmp	short loc_78D8CA
; 

loc_78D907:				; CODE XREF: MiPfPrepareReadList+42Dj
		mov	eax, [ecx+1Ch]
		mov	edx, 4
		push	0
		push	eax
		call	MiAddViewsForSection
		mov	[ebp+var_40], eax
		test	eax, eax
		js	loc_78D69D
		mov	ecx, [ebp+var_44]
		mov	eax, [ebp+var_8]
		mov	eax, [eax+10h]
		cmp	[ecx], ecx
		jnz	loc_78DA63

loc_78D933:				; CODE XREF: MiPfPrepareReadList+62Fj
		push	0
		push	100h
		mov	edx, 6C536D4Dh
		mov	ecx, 20h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jz	loc_8DE754
		mov	edx, [ebp+var_44]
		mov	[eax+8], ebx
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	loc_8DE74D
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edx+4], eax
		mov	ecx, [eax+8]

loc_78D96F:				; CODE XREF: MiPfPrepareReadList+629j
		mov	edx, [ebp+var_4]
		mov	[eax+ecx*4+0Ch], edx
		mov	ecx, edx
		inc	dword ptr [eax+8]
		mov	eax, [ebp+var_8]
		cmp	[eax+8], ebx
		jnz	loc_78D873
		mov	[eax+8], ecx
		jmp	loc_78D873
; 

loc_78D98F:				; CODE XREF: MiPfPrepareReadList+338j
		mov	eax, [ecx]
		test	eax, eax
		jz	loc_78D6A0
		dec	eax
		mov	[ecx], eax
		jmp	loc_78D77E
; 

loc_78D9A1:				; CODE XREF: MiPfPrepareReadList+3DCj
		mov	ecx, [eax]
		mov	eax, [edx+4]
		cmp	eax, [ecx+28h]
		jz	loc_78D822
		mov	edx, [edx+8]
		mov	eax, [ebp+var_10]
		jmp	loc_78D8EE
; 

loc_78D9BA:				; CODE XREF: MiPfPrepareReadList+4Ej
		add	eax, 8
		jmp	loc_78D494
; 

loc_78D9C2:				; CODE XREF: MiPfPrepareReadList+D4j
		mov	ecx, edi
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_3C], eax
		jmp	loc_78D55A
; 

loc_78D9D1:				; CODE XREF: MiPfPrepareReadList+302j
		mov	eax, [ebp+var_4]
		mov	esi, edi

loc_78D9D6:				; CODE XREF: MiPfPrepareReadList+2E6j
		or	esi, 2
		mov	[ebp+var_30], eax
		mov	[ecx], esi
		jmp	loc_78D748
; 

loc_78D9E3:				; CODE XREF: MiPfPrepareReadList+2D8j
		mov	[ebp+var_38], ecx
		jmp	loc_78D71E
; 

loc_78D9EB:				; CODE XREF: MiPfPrepareReadList+264j
					; MiPfPrepareReadList+151339j ...
		mov	eax, [ebp+var_38]
		mov	ecx, edi
		mov	edx, [ebp+var_3C]
		mov	[edi+38h], eax
		mov	eax, [ebp+var_24]
		sub	eax, edi
		sub	eax, 50h
		sar	eax, 2
		push	0
		mov	[edi+34h], eax
		call	MiPfAllocateMdls
		mov	esi, eax
		lea	eax, [edi+48h]
		cmp	[eax], eax
		jz	loc_8DE7A5
		xor	esi, esi

loc_78DA1A:				; CODE XREF: MiPfPrepareReadList+151376j
		mov	eax, [ebp+var_68]
		mov	[eax], edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_78DA2A:				; CODE XREF: MiPfPrepareReadList+30Ej
		or	esi, 1
		mov	[ecx], esi
		jmp	loc_78D754
; 

loc_78DA34:				; CODE XREF: MiPfPrepareReadList+4A2j
		cmp	edi, 3FFFFFh
		jb	short loc_78DA4E
		ja	loc_78D69D
		cmp	esi, 0FFFFF000h
		ja	loc_78D69D

loc_78DA4E:				; CODE XREF: MiPfPrepareReadList+5FAj
		push	edi
		push	esi
		xor	edx, edx
		mov	ecx, eax
		call	_MiLocateSubsectionNode@16 ; MiLocateSubsectionNode(x,x,x,x)
		mov	edx, eax
		mov	eax, [ebp+var_10]
		jmp	loc_78D8EE
; 

loc_78DA63:				; CODE XREF: MiPfPrepareReadList+4EDj
		mov	ecx, [eax+8]
		cmp	ecx, 5
		jnz	loc_78D96F
		jmp	loc_78D933
; 

loc_78DA74:				; CODE XREF: MiPfPrepareReadList+E7j
					; MiPfPrepareReadList+F3j ...
		mov	eax, [ebp+var_8]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
MiPfPrepareReadList endp

; 
		align 10h
; Exported entry 1525. NtFreeVirtualMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtFreeVirtualMemory
NtFreeVirtualMemory proc near		; CODE XREF: RtlpInitializeStackTraceDatabase(x,x,x)+5Cp
					; DATA XREF: .text:0058102Co

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DE7CC SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1D18
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_28], al
		mov	[ebp+var_4], 0
		mov	esi, [ebp+arg_4]
		test	al, al
		jz	loc_78DB78
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8DE7CC

loc_78DB03:				; CODE XREF: NtFreeVirtualMemory+150D3Ej
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	edi, [ebp+arg_8]
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	short loc_78DB7D

loc_78DB15:				; CODE XREF: NtFreeVirtualMemory+EFj
		mov	eax, [ecx]
		mov	[ecx], eax

loc_78DB19:				; CODE XREF: NtFreeVirtualMemory+EBj
		mov	eax, [esi]
		mov	[ebp+var_24], eax
		mov	eax, [edi]
		mov	[ebp+var_20], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		push	0
		push	[ebp+var_28]
		push	[ebp+arg_C]
		lea	eax, [ebp+var_20]
		push	eax
		lea	edx, [ebp+var_24]
		mov	ecx, [ebp+arg_0]
		call	_MmFreeVirtualMemory@24	; MmFreeVirtualMemory(x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+arg_8], ecx
		test	ecx, ecx
		js	short loc_78DB64
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_20]
		mov	[edi], eax
		mov	eax, [ebp+var_24]
		mov	[esi], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_78DB62:				; CODE XREF: sub_8DE7D9+Dj
		mov	eax, ecx

loc_78DB64:				; CODE XREF: NtFreeVirtualMemory+B8j
					; PAGE:008DE822j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_78DB78:				; CODE XREF: NtFreeVirtualMemory+5Ej
		mov	edi, [ebp+arg_8]
		jmp	short loc_78DB19
; 

loc_78DB7D:				; CODE XREF: NtFreeVirtualMemory+83j
		mov	ecx, eax
		jmp	short loc_78DB15
NtFreeVirtualMemory endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmFreeVirtualMemory(x, x, x, x, x, x)
_MmFreeVirtualMemory@24	proc near	; CODE XREF: NtFreeVirtualMemory+ACp

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_59		= dword	ptr -59h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		xor	eax, eax
		mov	[esp+64h+var_24], edx
		push	ebx
		mov	[esp+68h+var_1C], eax
		xor	ebx, ebx
		mov	[esp+68h+var_18], eax
		mov	[esp+68h+var_14], eax
		mov	[esp+68h+var_10], eax
		mov	[esp+68h+var_C], eax
		mov	[esp+68h+var_8], eax
		mov	[esp+68h+var_48], eax
		mov	[esp+68h+var_44], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+68h+var_40], ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[esp+70h+var_28], edi
		and	eax, 0C000h
		jz	loc_78E255
		cmp	eax, 0C000h
		jz	loc_78E255
		mov	eax, large fs:124h
		mov	esi, [edx]
		mov	edx, [edi]
		mov	[esp+70h+var_20], eax
		mov	ecx, [eax+80h]
		mov	eax, ds:_MmHighestUserAddress
		mov	[esp+70h+var_2C], ebx
		mov	[esp+70h+var_3C], ecx
		mov	[esp+70h+var_30], esi
		mov	[esp+70h+var_50], edx
		cmp	esi, eax
		ja	loc_78E23C
		sub	eax, esi
		inc	eax
		cmp	eax, edx
		jb	loc_78E223
		mov	eax, [ebp+arg_4]
		test	al, 2
		jz	short loc_78DC47
		test	al, 1
		jnz	short loc_78DC4F
		and	eax, 0FFFFFFFDh
		mov	ebx, 4000000h
		mov	[ebp+arg_4], eax

loc_78DC47:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+A6j
		test	al, 1
		jz	short loc_78DC73
		test	al, 2
		jz	short loc_78DC68

loc_78DC4F:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+AAj
		mov	eax, 0C000000Dh
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+64h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_78DC68:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+BDj
		and	eax, 0FFFFFFFEh
		mov	ebx, 0C000000h
		mov	[ebp+arg_4], eax

loc_78DC73:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+B9j
		mov	edi, ebx
		and	edi, 4000000h
		mov	[esp+70h+var_34], edi
		jz	short loc_78DCB2
		cmp	eax, 8000h
		jnz	loc_78E255
		test	edx, edx
		jz	loc_78E223
		mov	eax, edx
		and	eax, 0FFFFF000h
		cmp	edx, eax
		jnz	loc_78E223
		mov	eax, esi
		and	eax, 0FFFFF000h
		cmp	esi, eax
		jnz	loc_78E23C

loc_78DCB2:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+EFj
		lea	edi, [edx-1]
		mov	eax, esi
		and	eax, 0FFFFF000h
		add	edi, esi
		or	edi, 0FFFh
		mov	[esp+70h+var_64], eax
		mov	edx, eax
		mov	[esp+70h+var_59+1], edi
		shr	edx, 0Ch
		mov	eax, edi
		shr	eax, 0Ch
		xor	esi, esi
		cmp	[esp+70h+var_40], 0FFFFFFFFh
		mov	[esp+70h+var_4C], edx
		mov	edx, [ebp+arg_8]
		mov	[esp+70h+var_54], eax
		jnz	short loc_78DCF2
		mov	eax, ecx
		mov	[esp+70h+var_60], eax
		jmp	short loc_78DD4F
; 

loc_78DCF2:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+158j
		mov	eax, ds:_PsProcessType
		lea	ecx, [esp+70h+var_48]
		push	0
		push	0
		push	ecx
		mov	ecx, [esp+7Ch+var_40]
		push	6D566D4Dh
		push	edx
		push	eax
		mov	edx, 8
		call	ObpReferenceObjectByHandleWithTag
		mov	edi, eax
		mov	[esp+70h+var_44], edi
		test	edi, edi
		js	loc_78E20D
		mov	eax, [esp+70h+var_48]
		mov	[esp+70h+var_60], eax
		cmp	[esp+70h+var_3C], eax
		jz	short loc_78DD48
		lea	ecx, [esp+70h+var_1C]
		xor	edx, edx
		push	ecx
		mov	ecx, eax
		mov	esi, 1
		call	KiStackAttachProcess
		mov	eax, [esp+70h+var_48]

loc_78DD48:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+19Fj
		mov	edx, [ebp+arg_8]
		mov	edi, [esp+70h+var_59+1]

loc_78DD4F:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+160j
		mov	ecx, [ebp+arg_4]
		mov	byte ptr [esp+70h+var_59], 0
		test	ecx, 0FFFF3FFFh
		jz	short loc_78DD82
		cmp	dword ptr [eax+3D4h], 0
		jz	short loc_78DD78
		test	ecx, 10000h
		jz	short loc_78DD78
		test	ecx, 4000h
		jz	short loc_78DD82

loc_78DD78:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+1D6j
					; MmFreeVirtualMemory(x,x,x,x,x,x)+1DEj
		mov	edi, 0C00000F2h
		jmp	loc_78E1E7
; 

loc_78DD82:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+1CDj
					; MmFreeVirtualMemory(x,x,x,x,x,x)+1E6j
		cmp	ebx, 0C000000h
		jnz	short loc_78DDD7
		push	edx
		mov	edx, [esp+74h+var_64]
		mov	ecx, eax
		push	edi
		call	_MiCoalescePlaceholderAllocations@16 ; MiCoalescePlaceholderAllocations(x,x,x,x)
		mov	edi, eax
		test	esi, esi
		jz	short loc_78DDA8
		xor	edx, edx
		lea	ecx, [esp+70h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_78DDA8:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+20Bj
		cmp	[esp+70h+var_40], 0FFFFFFFFh
		jz	loc_78E20D
		mov	ecx, [esp+70h+var_60]
		mov	edx, 6D566D4Dh
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+64h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_78DDD7:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+1F8j
		mov	eax, ecx
		mov	edx, 0
		mov	ecx, [esp+70h+var_64]
		and	eax, 8000h
		mov	[esp+70h+var_3C], eax
		lea	eax, [esp+70h+var_44]
		push	eax
		setnz	dl
		call	MiObtainReferencedVadEx
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_78E1E3

loc_78DE02:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+421j
		cmp	[esp+70h+var_50], 0
		mov	ecx, [ebx+0Ch]
		mov	edi, [ebx+10h]
		mov	edx, [esp+70h+var_4C]
		mov	[esp+70h+var_44], ecx
		mov	[esp+70h+var_38], edi
		jnz	short loc_78DE4C
		mov	eax, edi
		shl	edi, 0Ch
		or	edi, 0FFFh
		mov	[esp+70h+var_54], eax
		cmp	[esp+70h+var_3C], 0
		mov	[esp+70h+var_59+1], edi
		jz	short loc_78DE46
		cmp	edx, ecx
		jnz	loc_78E10C
		mov	edi, ecx
		shl	edi, 0Ch
		mov	[esp+70h+var_64], edi

loc_78DE46:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+2A3j
		mov	edi, [esp+70h+var_38]
		jmp	short loc_78DE50
; 

loc_78DE4C:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+289j
		mov	eax, [esp+70h+var_54]

loc_78DE50:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+2BAj
		cmp	edx, ecx
		jb	loc_78E1BF
		cmp	edx, edi
		ja	loc_78E1BF
		cmp	eax, ecx
		jb	loc_78E1BF
		cmp	eax, edi
		ja	loc_78E1BF
		mov	eax, [ebx+1Ch]
		mov	[esp+70h+var_48], eax
		and	eax, 100000h
		test	[ebp+arg_4], 10000h
		jz	short loc_78DEA2
		test	eax, eax
		jnz	loc_78E1B8
		test	byte ptr [esp+70h+var_48], 70h
		jnz	loc_78E1B8
		cmp	edx, ecx
		jnz	short loc_78DEB8
		cmp	[esp+70h+var_54], edi
		jmp	short loc_78DEB2
; 

loc_78DEA2:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+2F3j
		test	eax, eax
		jz	loc_78E1B8
		mov	eax, [esp+70h+var_48]
		and	al, 70h
		cmp	al, 10h

loc_78DEB2:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+310j
		jz	loc_78E1B8

loc_78DEB8:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+30Aj
		cmp	[esp+70h+var_34], 0
		jz	short loc_78DF0B
		mov	edx, 80h
		mov	ecx, ebx
		call	_MiLocateVadEvent@8 ; MiLocateVadEvent(x,x)
		test	eax, eax
		jnz	short loc_78DEDE
		mov	eax, [ebx+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jnz	short loc_78DF01

loc_78DEDE:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+33Dj
		mov	eax, [ebx+20h]
		mov	ecx, [esp+70h+var_44]
		and	eax, 7FFFFFFFh
		mov	edx, [esp+70h+var_4C]
		cmp	eax, 0FFFFDh
		mov	eax, [esp+70h+var_54]
		jnz	short loc_78DF0F
		cmp	edx, ecx
		jnz	short loc_78DF0F
		cmp	eax, edi
		jnz	short loc_78DF0F

loc_78DF01:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+34Cj
		mov	edi, 0C0000018h
		jmp	loc_78E1C4
; 

loc_78DF0B:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+32Dj
		mov	eax, [esp+70h+var_54]

loc_78DF0F:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+367j
					; MmFreeVirtualMemory(x,x,x,x,x,x)+36Bj ...
		test	byte ptr [esp+70h+var_48], 8
		jz	short loc_78DF5E
		cmp	[esp+70h+var_3C], 0
		jz	short loc_78DF39
		mov	eax, [esp+70h+var_60]
		test	byte ptr [eax+0FCh], 20h
		jz	short loc_78DF2E
		xor	edi, edi
		jmp	short loc_78DF52
; 

loc_78DF2E:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+398j
		mov	eax, edi
		mov	edx, ecx
		sub	eax, ecx
		shl	edx, 0Ch
		jmp	short loc_78DF3F
; 

loc_78DF39:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+38Bj
		sub	eax, edx
		mov	edx, [esp+70h+var_30]

loc_78DF3F:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+3A7j
		push	[ebp+arg_8]
		inc	eax
		mov	ecx, ebx
		push	55h
		shl	eax, 0Ch
		push	eax
		call	MiCheckSecuredVad
		mov	edi, eax

loc_78DF52:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+39Cj
		test	edi, edi
		js	loc_78E1C4
		mov	edi, [esp+70h+var_38]

loc_78DF5E:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+384j
		cmp	[esp+70h+var_3C], 0
		jz	loc_78E017
		mov	ecx, [esp+70h+var_60]
		mov	edx, [esp+70h+var_4C]
		test	dword ptr [ecx+3A8h], 100h
		jz	short loc_78DF89
		cmp	edx, [esp+70h+var_44]
		jnz	short loc_78DFBC
		cmp	[esp+70h+var_54], edi
		jnz	short loc_78DFBC

loc_78DF89:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+3EBj
		xor	eax, eax
		cmp	[esp+70h+var_34], eax
		push	ecx
		setnz	al
		push	eax
		push	ecx
		push	[esp+7Ch+var_54]
		mov	ecx, ebx
		push	edx
		lea	edx, [esp+84h+var_59]
		call	MiFreeVadRange
		mov	edi, eax
		test	edi, edi
		jns	short loc_78DFC6
		cmp	edi, 0C000022Dh
		jz	loc_78DE02
		jmp	loc_78E1C4
; 

loc_78DFBC:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+3F1j
					; MmFreeVirtualMemory(x,x,x,x,x,x)+3F7j
		mov	edi, 0C000010Ah
		jmp	loc_78E1C4
; 

loc_78DFC6:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+419j
		test	esi, esi
		jz	short loc_78DFD5
		xor	edx, edx
		lea	ecx, [esp+70h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_78DFD5:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+438j
		cmp	[esp+70h+var_40], 0FFFFFFFFh
		jz	short loc_78DFEA
		mov	ecx, [esp+70h+var_60]
		mov	edx, 6D566D4Dh
		call	ObfDereferenceObjectWithTag

loc_78DFEA:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+44Aj
		mov	eax, [esp+70h+var_59+1]
		mov	ecx, [esp+70h+var_64]
		sub	eax, ecx
		mov	edx, [esp+70h+var_28]
		inc	eax
		mov	[edx], eax
		mov	eax, [esp+70h+var_24]
		mov	[eax], ecx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+64h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_78E017:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+3D3j
		mov	edx, [esp+70h+var_50]
		mov	ecx, [esp+70h+var_64]
		test	edx, edx
		jz	short loc_78E02E
		mov	edx, [esp+70h+var_59+1]
		sub	edx, ecx
		inc	edx
		mov	[esp+70h+var_50], edx

loc_78E02E:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+491j
		mov	eax, [ebx+1Ch]
		test	eax, 100000h
		jz	short loc_78E06F
		test	eax, 1000000h
		jnz	short loc_78E06F
		test	eax, 2000000h
		jz	short loc_78E06F
		push	ecx
		push	edx
		push	ecx
		mov	ecx, [esp+7Ch+var_60]
		mov	edx, ebx
		call	_MiDecommitEnclavePages@20 ; MiDecommitEnclavePages(x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000016h
		jz	short loc_78E06F
		test	edi, edi
		js	loc_78E1C4
		mov	edi, [esp+70h+var_59+1]
		jmp	loc_78E12E
; 

loc_78E06F:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+4A6j
					; MmFreeVirtualMemory(x,x,x,x,x,x)+4ADj ...
		mov	ecx, [ebx+1Ch]
		mov	eax, ecx
		and	eax, 70h
		cmp	al, 30h
		jz	short loc_78E0CD
		test	ecx, 100000h
		jz	short loc_78E0E1
		test	ecx, 400000h
		jnz	short loc_78E099
		mov	eax, ecx
		and	eax, 0C0000h
		cmp	eax, 80000h
		jb	short loc_78E0E1

loc_78E099:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+4F9j
		and	ecx, offset loc_500000
		cmp	ecx, offset loc_500000
		jnz	short loc_78E0CD
		mov	ecx, [esp+70h+var_50]
		test	ecx, ecx
		jz	short loc_78E0D7
		mov	ecx, ebx
		call	_MiGetVadPageSize@4 ; MiGetVadPageSize(x)
		mov	edi, [esp+70h+var_59+1]
		mov	ecx, eax
		mov	edx, [esp+70h+var_64]
		shl	ecx, 0Ch
		dec	ecx
		lea	eax, [edi+1]
		or	eax, edx
		test	ecx, eax
		jz	short loc_78E0E9

loc_78E0CD:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+4E9j
					; MmFreeVirtualMemory(x,x,x,x,x,x)+515j ...
		mov	edi, 0C00000A0h
		jmp	loc_78E1C4
; 

loc_78E0D7:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+51Dj
		mov	edi, [esp+70h+var_59+1]
		mov	edx, [esp+70h+var_64]
		jmp	short loc_78E0ED
; 

loc_78E0E1:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+4F1j
					; MmFreeVirtualMemory(x,x,x,x,x,x)+507j
		mov	edx, [esp+70h+var_64]
		mov	edi, [esp+70h+var_59+1]

loc_78E0E9:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+53Bj
		mov	ecx, [esp+70h+var_50]

loc_78E0ED:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+54Fj
		mov	eax, [ebx+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jz	short loc_78E0CD
		test	ecx, ecx
		jnz	short loc_78E122
		mov	eax, [esp+70h+var_30]
		shr	eax, 0Ch
		cmp	eax, [ebx+0Ch]
		jz	short loc_78E116

loc_78E10C:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+2A7j
		mov	edi, 0C000009Fh
		jmp	loc_78E1C4
; 

loc_78E116:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+57Aj
		mov	edi, [ebx+10h]
		shl	edi, 0Ch
		or	edi, 0FFFh

loc_78E122:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+56Ej
		push	edi
		mov	ecx, ebx
		call	_MiDecommitRegion@12 ; MiDecommitRegion(x,x,x)
		mov	[esp+70h+var_2C], eax

loc_78E12E:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+4DAj
		mov	ecx, ebx
		call	MiUnlockAndDereferenceVad
		cmp	[esp+70h+var_2C], 0
		jz	short loc_78E14D
		mov	edx, edi
		mov	edi, [esp+70h+var_64]
		push	0
		mov	ecx, edi
		call	_MiDeleteEmptyPageTables@12 ; MiDeleteEmptyPageTables(x,x,x)
		jmp	short loc_78E151
; 

loc_78E14D:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+5AAj
		mov	edi, [esp+70h+var_64]

loc_78E151:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+5BBj
		test	dword ptr ds:byte_70EFC4, 8000h
		mov	ebx, [esp+70h+var_60]
		jz	short loc_78E170
		push	[ebp+arg_4]
		mov	edx, [esp+74h+var_50]
		mov	ecx, edi
		push	ebx
		call	_PerfInfoLogVirtualFree@16 ; PerfInfoLogVirtualFree(x,x,x,x)

loc_78E170:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+5CFj
		test	esi, esi
		jz	short loc_78E17F
		xor	edx, edx
		lea	ecx, [esp+70h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_78E17F:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+5E2j
		cmp	[esp+70h+var_40], 0FFFFFFFFh
		jz	short loc_78E192
		mov	edx, 6D566D4Dh
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_78E192:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+5F4j
		mov	edx, [esp+70h+var_28]
		mov	eax, [esp+70h+var_50]
		mov	[edx], eax
		mov	eax, [esp+70h+var_24]
		mov	[eax], edi
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+64h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_78E1B8:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+2F7j
					; MmFreeVirtualMemory(x,x,x,x,x,x)+302j ...
		mov	edi, 0C000001Bh
		jmp	short loc_78E1C4
; 

loc_78E1BF:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+2C2j
					; MmFreeVirtualMemory(x,x,x,x,x,x)+2CAj ...
		mov	edi, 0C000001Ah

loc_78E1C4:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+376j
					; MmFreeVirtualMemory(x,x,x,x,x,x)+3C4j ...
		mov	ecx, ebx
		call	MiUnlockAndDereferenceVad
		cmp	byte ptr [esp+70h+var_59], 1
		jnz	short loc_78E1E7
		mov	ebx, [esp+70h+var_60]
		mov	edx, ebx
		mov	ecx, [esp+70h+var_20]
		call	UNLOCK_ADDRESS_SPACE
		jmp	short loc_78E1EB
; 

loc_78E1E3:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+26Cj
		mov	edi, [esp+70h+var_44]

loc_78E1E7:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+1EDj
					; MmFreeVirtualMemory(x,x,x,x,x,x)+640j
		mov	ebx, [esp+70h+var_60]

loc_78E1EB:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+651j
		test	esi, esi
		jz	short loc_78E1FA
		xor	edx, edx
		lea	ecx, [esp+70h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_78E1FA:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+65Dj
		cmp	[esp+70h+var_40], 0FFFFFFFFh
		jz	short loc_78E20D
		mov	ecx, ebx
		mov	edx, 6D566D4Dh
		call	ObfDereferenceObjectWithTag

loc_78E20D:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+18Dj
					; MmFreeVirtualMemory(x,x,x,x,x,x)+21Dj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+64h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_78E223:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+9Bj
					; MmFreeVirtualMemory(x,x,x,x,x,x)+FEj	...
		mov	eax, 0C00000F1h
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+64h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_78E23C:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+90j
					; MmFreeVirtualMemory(x,x,x,x,x,x)+11Cj
		mov	eax, 0C00000F0h
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+64h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_78E255:				; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+54j
					; MmFreeVirtualMemory(x,x,x,x,x,x)+5Fj	...
		mov	ecx, [esp+70h+var_4]
		mov	eax, 0C00000F2h
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_MmFreeVirtualMemory@24	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPfPrepareSequentialReadList proc near	; CODE XREF: MmPrefetchForCacheManager(x,x,x,x,x,x,x,x,x)+53p
					; MiPrefetchControlArea(x,x,x,x,x,x,x)+34p

var_7C		= dword	ptr -7Ch
var_70		= dword	ptr -70h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008DE827 SIZE 000001AB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_4C], ecx
		push	esi
		push	edi		; struct _exception *
		lea	edi, [ebp+var_70]
		mov	[ebp+var_24], 0
		stosd
		mov	ebx, edx
		mov	[ebp+var_30], ebx
		stosd
		stosd
		xor	eax, eax
		test	dword ptr [ebx+1Ch], 400h
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_10]
		mov	dword ptr [eax], 0
		jnz	loc_8DE9C8
		cmp	dword ptr [ebx+20h], 0
		jz	loc_8DE9C8
		mov	ecx, ebx
		call	_MiGetControlAreaPtes@4	; MiGetControlAreaPtes(x)
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	loc_78E841
		mov	ecx, esi
		xor	edi, edi
		shr	ecx, 0Ch
		mov	[ebp+var_48], ecx
		cmp	edi, edx
		jb	short loc_78E2E5
		ja	loc_78E86D
		cmp	ecx, eax
		ja	loc_78E86D

loc_78E2E5:				; CODE XREF: MiPfPrepareSequentialReadList+65j
					; MiPfPrepareSequentialReadList+5E1j
		cmp	ecx, 3FFFFFEAh
		ja	loc_78E86D
		push	0
		lea	ecx, ds:50h[ecx*4]
		mov	edx, 6C526D4Dh
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_10], edx
		test	edx, edx
		jz	loc_8DE919
		lea	eax, [edx+48h]
		mov	[edx+4], ebx
		mov	[eax+4], eax
		add	ebx, 50h
		mov	[eax], eax
		lea	eax, [edx+0Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		xor	eax, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_58], eax
		movzx	eax, word ptr [ebx+10h]
		shr	eax, 1
		and	eax, 1Fh
		mov	[ebp+var_8], ebx
		mov	ebx, [ebp+var_30]
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_4], 0
		mov	[ebp+var_60], eax
		test	esi, esi
		jz	short loc_78E375
		push	[ebp+arg_18]
		lea	edx, [ebp+var_20]
		mov	ecx, ebx
		push	[ebp+arg_14]
		call	MiOffsetToProtos
		mov	edx, [ebp+var_10]
		mov	[ebp+var_8], eax

loc_78E375:				; CODE XREF: MiPfPrepareSequentialReadList+EDj
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ecx, eax
		mov	[ebp+arg_4], eax
		call	_MiGetAvailablePagesExcludeSlists@4 ; MiGetAvailablePagesExcludeSlists(x)
		mov	ecx, [ebp+var_4C]
		xor	esi, esi
		xor	edi, edi
		mov	[ebp+var_5C], eax
		mov	[ebp+arg_18], edi
		mov	[ebp+var_44], esi
		mov	[ebp+var_3C], esi
		test	ecx, ecx
		jnz	loc_78E78D
		mov	[ebp+var_28], esi

loc_78E3A2:				; CODE XREF: MiPfPrepareSequentialReadList+533j
		lea	eax, [edx+50h]
		mov	dword ptr [edx+2Ch], 5
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_8]
		mov	[edx+28h], eax
		mov	eax, large fs:124h
		mov	dword ptr [edx+30h], 7
		lea	edx, [ebp+var_70]
		mov	ecx, [eax+80h]
		mov	eax, [ebx+1Ch]
		add	ecx, 240h
		shr	eax, 14h
		and	eax, 3Fh
		mov	[ebp+var_64], ecx
		push	eax
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		xor	ebx, ebx
		mov	[ebp+var_18], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_14], ebx
		cmp	[ebp+var_48], ebx
		jbe	loc_8DE977
		mov	edx, [ebp+var_20]
		mov	[ebp+var_54], edx
		lea	ecx, [ecx+0]

loc_78E400:				; CODE XREF: MiPfPrepareSequentialReadList+2A0j
		cmp	esi, edi
		jnb	loc_78E663

loc_78E408:				; CODE XREF: MiPfPrepareSequentialReadList+4D1j
					; MiPfPrepareSequentialReadList+4FAj
		mov	edi, [esi]
		nop
		mov	ebx, [esi+4]
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_78E424
		push	ebx
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	edi, eax
		mov	ebx, edx

loc_78E424:				; CODE XREF: MiPfPrepareSequentialReadList+1A7j
		mov	ecx, edi
		and	ecx, 1
		or	ecx, 0
		jnz	loc_78E60A
		mov	eax, edi
		and	eax, 400h
		or	eax, ecx
		jz	loc_78E644
		mov	ecx, [ebp+var_30]
		call	_MiControlAreaUsingExtents@4 ; MiControlAreaUsingExtents(x)
		test	eax, eax
		jnz	loc_8DE860
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		test	eax, eax
		jnz	loc_78E500
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jnz	loc_78E619

loc_78E469:				; CODE XREF: MiPfPrepareSequentialReadList+3CFj
					; MiPfPrepareSequentialReadList+552j
		cmp	[ebp+var_50], 0
		mov	ecx, [ebp+var_2C]
		mov	[ecx], esi
		jz	loc_78E77E

loc_78E478:				; CODE XREF: MiPfPrepareSequentialReadList+511j
		mov	edx, [ebp+var_8]
		cmp	[ebp+var_40], edx
		jnz	loc_78E76F
		mov	ecx, [ebp+var_58]
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, esi
		mov	edx, eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, [ebp+var_2C]
		cmp	edx, eax
		mov	eax, esi
		jnz	loc_78E856

loc_78E4A2:				; CODE XREF: MiPfPrepareSequentialReadList+509j
		mov	[ebp+var_58], esi
		cmp	esi, [ebp+var_44]
		jz	loc_78E837

loc_78E4AE:				; CODE XREF: MiPfPrepareSequentialReadList+5CCj
		add	ecx, 4
		mov	edx, 1
		mov	[ebp+var_2C], ecx
		mov	ecx, [ebp+arg_4]
		push	1
		call	MiObtainFaultCharges
		test	eax, eax
		jz	loc_8DE875
		push	ebx
		mov	ebx, [ebp+var_8]
		mov	edx, ebx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ecx, edi
		push	0
		call	MiUseSlabAllocator
		test	eax, eax
		jnz	loc_8DE892
		mov	eax, [ebp+var_5C]
		mov	ebx, [ebp+var_C]
		add	eax, 0A0h
		cmp	ebx, eax
		ja	loc_8DE952
		inc	ebx
		mov	[ebp+var_C], ebx

loc_78E4FD:				; CODE XREF: MiPfPrepareSequentialReadList+150681j
		inc	[ebp+var_4]

loc_78E500:				; CODE XREF: MiPfPrepareSequentialReadList+1E8j
					; MiPfPrepareSequentialReadList+3A4j ...
		mov	edi, [ebp+arg_18]
		mov	ebx, [ebp+var_14]

loc_78E506:				; CODE XREF: MiPfPrepareSequentialReadList+1505CBj
					; MiPfPrepareSequentialReadList+1505E0j
		inc	ebx
		add	esi, 8
		mov	[ebp+var_14], ebx
		cmp	ebx, [ebp+var_48]
		jb	loc_78E400

loc_78E516:				; CODE XREF: MiPfPrepareSequentialReadList+5AEj
		mov	ebx, [ebp+var_C]
		mov	ecx, [ebp+var_4]

loc_78E51C:				; CODE XREF: MiPfPrepareSequentialReadList+15070Bj
		mov	edi, [ebp+arg_4]

loc_78E51F:				; CODE XREF: MiPfPrepareSequentialReadList+150610j
					; MiPfPrepareSequentialReadList+15061Dj ...
		mov	edx, [ebp+var_4C]
		test	edx, edx
		jnz	loc_78E7A8

loc_78E52A:				; CODE XREF: MiPfPrepareSequentialReadList+53Ej
		test	ecx, ecx
		jz	loc_78E7C7
		test	ebx, ebx
		jz	loc_8DE9AA
		mov	cl, byte_6D068C
		lea	eax, [ebp+var_54]
		mov	esi, [ebp+var_68]
		push	eax
		push	0FFFFFFFFh
		shr	esi, cl
		mov	ecx, [ebp+var_60]
		inc	esi
		push	0
		mov	[ebp+var_54], ebx
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		mov	edx, [ebp+var_64]
		mov	ecx, edi
		push	eax
		push	esi
		call	_MiGetPageChain@28 ; MiGetPageChain(x,x,x,x,x,x,x)
		mov	edi, [ebp+var_54]
		mov	esi, eax
		cmp	edi, ebx
		jnz	loc_8DE980
		mov	ecx, [ebp+var_4]

loc_78E575:				; CODE XREF: MiPfPrepareSequentialReadList+150728j
					; MiPfPrepareSequentialReadList+150735j
		mov	ebx, [ebp+var_10]
		test	esi, esi
		jz	short loc_78E5C3
		lea	esp, [esp+0]

loc_78E580:				; CODE XREF: MiPfPrepareSequentialReadList+34Ej
		mov	eax, [esi+10h]
		and	eax, offset loc_7FFFFF
		cmp	eax, offset loc_7FFFFF
		jz	loc_78E786
		lea	ecx, ds:0[eax*8]
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [eax+ecx*4]

loc_78E5A4:				; CODE XREF: MiPfPrepareSequentialReadList+518j
		mov	edx, [ebx+14h]
		mov	ecx, esi
		call	_MiSetPfnLink@8	; MiSetPfnLink(x,x)
		push	0
		xor	edx, edx
		mov	[ebx+14h], esi
		call	_MiSetPfnBlink@12 ; MiSetPfnBlink(x,x,x)
		mov	esi, edi
		test	edi, edi
		jnz	short loc_78E580
		mov	ecx, [ebp+var_4]

loc_78E5C3:				; CODE XREF: MiPfPrepareSequentialReadList+30Aj
					; MiPfPrepareSequentialReadList+15073Dj
		test	ecx, ecx
		jz	loc_78E7C7
		mov	eax, [ebp+var_50]
		mov	ecx, ebx
		mov	edx, [ebp+arg_C]
		mov	[ebx+38h], eax
		mov	eax, [ebp+var_2C]
		sub	eax, ebx
		sub	eax, 50h
		sar	eax, 2
		push	0
		mov	[ebx+34h], eax
		call	MiPfAllocateMdls
		mov	esi, eax
		lea	eax, [ebx+48h]
		cmp	[eax], eax
		jz	loc_8DE9B2
		xor	esi, esi

loc_78E5FA:				; CODE XREF: MiPfPrepareSequentialReadList+150753j
		mov	eax, [ebp+arg_10]
		mov	[eax], ebx
		mov	eax, esi

loc_78E601:				; CODE XREF: MiPfPrepareSequentialReadList+602j
					; MiPfPrepareSequentialReadList+1506AEj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_78E60A:				; CODE XREF: MiPfPrepareSequentialReadList+1BCj
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_MiUpdatePfnPriorityByPte@8 ; MiUpdatePfnPriorityByPte(x,x)
		jmp	loc_78E500
; 

loc_78E619:				; CODE XREF: MiPfPrepareSequentialReadList+1F3j
		mov	eax, esi
		sub	eax, [ebp+var_3C]
		sar	eax, 3
		shl	eax, 0Ch
		cdq
		add	[ebp+var_24], eax
		mov	eax, [ebp+var_24]
		adc	[ebp+var_34], edx
		mov	[ecx], eax
		mov	eax, [ebp+var_34]
		mov	[ecx+4], eax
		add	ecx, 8
		mov	[ebp+var_28], ecx
		mov	[ebp+var_3C], esi
		jmp	loc_78E469
; 

loc_78E644:				; CODE XREF: MiPfPrepareSequentialReadList+1CBj
		mov	eax, edi
		and	eax, 800h
		or	eax, 0
		jz	loc_78E7B3
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_MiUpdatePfnPriorityByPte@8 ; MiUpdatePfnPriorityByPte(x,x)
		jmp	loc_78E500
; 

loc_78E663:				; CODE XREF: MiPfPrepareSequentialReadList+192j
		test	esi, esi
		mov	esi, [ebp+var_8]
		jnz	loc_78E816

loc_78E66E:				; CODE XREF: MiPfPrepareSequentialReadList+5C2j
		mov	ecx, [ebp+var_30]
		mov	eax, [ecx+1Ch]
		test	al, 20h
		jnz	loc_78E7E5
		mov	eax, [esi+1Ch]
		mov	edx, 4
		push	0
		push	eax
		mov	ecx, esi
		call	MiAddViewsForSection
		mov	edi, eax
		mov	[ebp+var_18], edi
		test	edi, edi
		js	loc_8DE923
		mov	ebx, [ebp+var_10]
		mov	edx, [esi+4]
		mov	[ebp+var_1C], edx
		mov	ecx, [ebx+10h]
		lea	edi, [ebx+0Ch]
		cmp	[edi], edi
		jnz	loc_78E85E

loc_78E6B2:				; CODE XREF: MiPfPrepareSequentialReadList+5F8j
		push	0
		push	100h
		mov	edx, 6C536D4Dh
		mov	ecx, 20h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8DE8FD
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	loc_8DE8F6
		mov	edx, [ebp+var_1C]
		mov	[ecx], edi
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[edi+4], ecx

loc_78E6EA:				; CODE XREF: MiPfPrepareSequentialReadList+5F2j
		cmp	dword ptr [ebx+8], 0
		jnz	short loc_78E6F3
		mov	[ebx+8], esi

loc_78E6F3:				; CODE XREF: MiPfPrepareSequentialReadList+47Ej
		mov	eax, [ecx+8]
		mov	[ecx+eax*4+0Ch], esi
		inc	dword ptr [ecx+8]

loc_78E6FD:				; CODE XREF: MiPfPrepareSequentialReadList+57Fj
					; MiPfPrepareSequentialReadList+1505BCj ...
		mov	eax, [ebp+var_54]
		mov	ecx, [ebp+var_8]
		push	[ebp+arg_C]
		lea	esi, [edx+eax*8]
		mov	eax, [ecx+1Ch]
		lea	eax, [edx+eax*8]
		mov	[ebp+arg_18], eax
		call	MiStartingOffset
		mov	ecx, [ebp+var_8]
		mov	edi, eax
		mov	ebx, edx
		call	MiEndingOffsetWithLock
		mov	ecx, eax
		sub	ecx, edi
		test	ecx, 0FFFh
		mov	ecx, [ebp+var_1C]
		jnz	loc_78E7FA
		mov	[ebp+var_44], 0

loc_78E73D:				; CODE XREF: MiPfPrepareSequentialReadList+5A1j
		cmp	[ebp+var_28], 0
		jz	loc_78E408
		mov	eax, ebx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_34], eax
		and	edi, 0FFFFFE00h
		mov	eax, [ebp+var_4C]
		mov	eax, [eax+8]
		and	eax, 1FFh
		or	eax, edi
		or	eax, 200h
		mov	[ebp+var_24], eax
		jmp	loc_78E408
; 

loc_78E76F:				; CODE XREF: MiPfPrepareSequentialReadList+20Ej
		mov	eax, esi

loc_78E771:				; CODE XREF: MiPfPrepareSequentialReadList+5E9j
		or	eax, 2
		mov	[ebp+var_40], edx
		mov	[ecx], eax
		jmp	loc_78E4A2
; 

loc_78E77E:				; CODE XREF: MiPfPrepareSequentialReadList+202j
		mov	[ebp+var_50], ecx
		jmp	loc_78E478
; 

loc_78E786:				; CODE XREF: MiPfPrepareSequentialReadList+31Dj
		xor	edi, edi
		jmp	loc_78E5A4
; 

loc_78E78D:				; CODE XREF: MiPfPrepareSequentialReadList+129j
		mov	eax, [ecx+20h]
		mov	[ebp+var_28], eax
		mov	eax, [ecx+8]
		and	eax, 1FFh
		or	eax, 200h
		mov	[ebp+var_24], eax
		jmp	loc_78E3A2
; 

loc_78E7A8:				; CODE XREF: MiPfPrepareSequentialReadList+2B4j
		mov	eax, [ebp+var_28]
		mov	[edx+18h], eax
		jmp	loc_78E52A
; 

loc_78E7B3:				; CODE XREF: MiPfPrepareSequentialReadList+3DEj
		push	ebx
		push	edi
		call	_IS_PTE_NOT_DEMAND_ZERO@8 ; IS_PTE_NOT_DEMAND_ZERO(x,x)
		test	eax, eax
		jz	loc_78E500
		jmp	loc_78E469
; 

loc_78E7C7:				; CODE XREF: MiPfPrepareSequentialReadList+2BCj
					; MiPfPrepareSequentialReadList+355j
		mov	ebx, [ebp+var_10]
		mov	ecx, ebx
		call	_MiReleaseReadListResources@4 ;	MiReleaseReadListResources(x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_18]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_78E7E5:				; CODE XREF: MiPfPrepareSequentialReadList+406j
		test	byte ptr [esi+12h], 2
		mov	edx, [esi+4]
		mov	[ebp+var_1C], edx
		jz	loc_78E6FD
		jmp	loc_8DE827
; 

loc_78E7FA:				; CODE XREF: MiPfPrepareSequentialReadList+4C0j
		sub	eax, edi
		sbb	edx, ebx
		add	eax, 0FFFh
		adc	edx, 0
		shrd	eax, edx, 0Ch
		dec	eax
		lea	eax, [ecx+eax*8]
		mov	[ebp+var_44], eax
		jmp	loc_78E73D
; 

loc_78E816:				; CODE XREF: MiPfPrepareSequentialReadList+3F8j
		mov	esi, [esi+8]
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	loc_78E516
		mov	[ebp+var_54], 0
		mov	[ebp+var_1C], 0
		jmp	loc_78E66E
; 

loc_78E837:				; CODE XREF: MiPfPrepareSequentialReadList+238j
		or	eax, 1
		mov	[ecx], eax
		jmp	loc_78E4AE
; 

loc_78E841:				; CODE XREF: MiPfPrepareSequentialReadList+53j
		cmp	edx, 1
		jb	short loc_78E84C
		ja	short loc_78E86D
		test	eax, eax
		jnb	short loc_78E86D

loc_78E84C:				; CODE XREF: MiPfPrepareSequentialReadList+5D4j
		mov	ecx, eax
		mov	[ebp+var_48], ecx
		jmp	loc_78E2E5
; 

loc_78E856:				; CODE XREF: MiPfPrepareSequentialReadList+22Cj
		mov	edx, [ebp+var_8]
		jmp	loc_78E771
; 

loc_78E85E:				; CODE XREF: MiPfPrepareSequentialReadList+43Cj
		cmp	dword ptr [ecx+8], 5
		jnz	loc_78E6EA
		jmp	loc_78E6B2
; 

loc_78E86D:				; CODE XREF: MiPfPrepareSequentialReadList+67j
					; MiPfPrepareSequentialReadList+6Fj ...
		mov	eax, 0C00000F1h
		jmp	loc_78E601
MiPfPrepareSequentialReadList endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDecommitRegion(x,	x, x)
_MiDecommitRegion@12 proc near		; CODE XREF: MiFreeToSubAllocatedRegion+F6p
					; MmFreeVirtualMemory(x,x,x,x,x,x)+595p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		xor	eax, eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, edx
		mov	eax, [eax+80h]
		mov	ecx, [ebp+arg_0]
		push	edi
		mov	[ebp+var_8], eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, esi
		mov	edx, eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	edi, edx
		mov	ecx, esi
		sub	edi, eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	1
		push	ebx
		push	[ebp+var_8]
		sar	edi, 3
		inc	edi
		call	_MiDecommitPages@24 ; MiDecommitPages(x,x,x,x,x,x)
		mov	ecx, [ebp+var_18]
		mov	esi, eax
		mov	[ebp+var_C], 0
		test	ecx, ecx
		jz	short loc_78E8FD
		lea	edx, [ebp+var_C]
		call	_MiFreeLargePages@8 ; MiFreeLargePages(x,x)
		mov	[ebp+var_28], eax

loc_78E8FD:				; CODE XREF: MiDecommitRegion(x,x,x)+70j
		mov	eax, [ebx+20h]
		mov	ecx, eax
		sub	edi, [ebp+var_20]
		sub	ecx, edi
		xor	ecx, eax
		and	ecx, 7FFFFFFFh
		xor	ecx, eax
		mov	eax, [ebx+1Ch]
		and	eax, offset loc_500000
		mov	[ebx+20h], ecx
		cmp	eax, offset loc_500000
		jnz	short loc_78E933
		mov	eax, [ebp+var_8]
		mov	ecx, edi
		neg	ecx
		add	eax, 35Ch
		lock xadd [eax], ecx

loc_78E933:				; CODE XREF: MiDecommitRegion(x,x,x)+A1j
		mov	ecx, ebx
		call	MiVadCommitCrossPartition
		test	eax, eax
		jnz	short loc_78E973
		lea	eax, [ebp+var_14]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_2C]
		call	_MiFillCommitReturnInfo@12 ; MiFillCommitReturnInfo(x,x,x)
		mov	edx, [ebp+var_14]
		test	edx, edx
		jz	short loc_78E95B
		mov	ecx, [ebp+var_8]
		call	_MiReturnFullProcessCharges@8 ;	MiReturnFullProcessCharges(x,x)

loc_78E95B:				; CODE XREF: MiDecommitRegion(x,x,x)+D1j
		mov	edx, [ebp+var_10]
		test	edx, edx
		jz	short loc_78E973
		sub	edx, [ebp+var_C]
		jz	short loc_78E973
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ecx, eax
		call	MiReturnCommit

loc_78E973:				; CODE XREF: MiDecommitRegion(x,x,x)+BCj
					; MiDecommitRegion(x,x,x)+E0j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MiDecommitRegion@12 endp


;  S U B	R O U T	I N E 


; __stdcall PsReturnProcessPageFileQuota(x, x)
_PsReturnProcessPageFileQuota@8	proc near ; CODE XREF: MiReturnFullProcessCharges(x,x)+36j
		mov	eax, edx
		mov	edx, ecx
		cmp	edx, ds:_PsInitialSystemProcess
		jz	short locret_78E998
		mov	ecx, [edx+188h]
		push	eax
		push	2
		call	PspReturnQuota

locret_78E998:				; CODE XREF: PsReturnProcessPageFileQuota(x,x)+Aj
		retn
_PsReturnProcessPageFileQuota@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiPrepareVadDelete proc	near		; CODE XREF: MiFreeVadRange+4Bp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008DE9D2 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	eax, [ebx+0Ch]
		and	dword ptr [esi], 0
		mov	edx, [ebx+10h]
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_0], eax
		jnz	short loc_78E9DB
		xor	eax, eax
		cmp	[ebp+arg_4], edx
		jnz	short loc_78E9DB

loc_78E9C3:				; CODE XREF: MiPrepareVadDelete+8Cj
					; MiPrepareVadDelete+DBj
		mov	cl, [edi]
		test	eax, eax
		jnz	short loc_78EA28
		cmp	cl, 1
		jz	loc_8DE9E0

loc_78E9D2:				; CODE XREF: MiPrepareVadDelete+90j
					; MiPrepareVadDelete+15005Bj
		xor	eax, eax

loc_78E9D4:				; CODE XREF: MiPrepareVadDelete+C2j
					; MiPrepareVadDelete+CCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_78E9DB:				; CODE XREF: MiPrepareVadDelete+20j
					; MiPrepareVadDelete+27j
		mov	ecx, [ebx+1Ch]
		mov	eax, ecx
		and	eax, 300000h
		cmp	eax, 300000h
		jz	short loc_78EA61
		mov	eax, ecx
		and	eax, 70h
		jnz	loc_8DE9D2
		test	ecx, 100000h
		jz	short loc_78EA15
		test	ecx, 400000h
		jnz	short loc_78EA61
		and	ecx, 0C0000h
		cmp	ecx, 80000h
		jnb	short loc_78EA61

loc_78EA15:				; CODE XREF: MiPrepareVadDelete+63j
					; MiPrepareVadDelete+150041j
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+var_4]
		jnz	short loc_78EA6B
		xor	eax, eax
		mov	dword ptr [esi], 1
		inc	eax
		jmp	short loc_78E9C3
; 

loc_78EA28:				; CODE XREF: MiPrepareVadDelete+2Dj
		test	cl, cl
		jnz	short loc_78E9D2
		mov	ecx, large fs:124h
		mov	edx, ebx
		and	dword ptr [esi], 0
		mov	byte ptr [edi],	1
		mov	ecx, [ecx+80h]
		call	MiLockAddressSpaceToo
		mov	ecx, ebx
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		dec	eax
		neg	eax
		sbb	eax, eax
		and	eax, 18Dh
		add	eax, 0C00000A0h
		jmp	loc_78E9D4
; 

loc_78EA61:				; CODE XREF: MiPrepareVadDelete+50j
					; MiPrepareVadDelete+6Bj ...
		mov	eax, 0C000009Fh
		jmp	loc_78E9D4
; 

loc_78EA6B:				; CODE XREF: MiPrepareVadDelete+81j
		cmp	[ebp+arg_4], edx
		jnz	short loc_78EA7A
		push	2

loc_78EA72:				; CODE XREF: MiPrepareVadDelete+E2j
		pop	eax
		mov	[esi], eax
		jmp	loc_78E9C3
; 

loc_78EA7A:				; CODE XREF: MiPrepareVadDelete+D4j
		push	3
		jmp	short loc_78EA72
MiPrepareVadDelete endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLogRelocationRva proc	near		; CODE XREF: MiLogRelocationFaults(x,x,x)+1Ap
					; MiLogRelocationFaults(x,x,x)+4Fp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DE9FA SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], edx
		mov	edi, ecx
		mov	[ebp+var_10], eax
		mov	ecx, [ebp+arg_4]
		lea	edx, [ebp+var_10]
		push	eax
		push	edi
		mov	[ebp+var_C], eax
		call	MiOffsetToProtos
		test	eax, eax
		jz	short loc_78EAD6
		mov	esi, [eax+14h]
		xor	ebx, ebx
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		shld	ebx, esi, 9
		shld	ecx, eax, 0Ch
		shl	esi, 9
		shl	eax, 0Ch
		add	esi, eax
		adc	ebx, ecx
		cmp	_PfSnNumActiveTraces, 0
		jnz	short loc_78EADD
		cmp	dword_6FB630, 0
		jnz	short loc_78EADD

loc_78EAD6:				; CODE XREF: MiLogRelocationRva+27j
					; MiLogRelocationRva+6Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_78EADD:				; CODE XREF: MiLogRelocationRva+4Dj
					; MiLogRelocationRva+56j
		mov	ecx, large fs:124h
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 2
		jl	short loc_78EAD6
		mov	eax, [ebp+var_4]
		mov	ecx, 0FFFh
		and	edi, ecx
		add	eax, ecx
		add	edi, eax
		shr	edi, 0Ch
		test	esi, ecx
		jz	short loc_78EB04
		inc	edi

loc_78EB04:				; CODE XREF: MiLogRelocationRva+83j
		and	esi, 0FFFFF000h
		cmp	dword_6FB630, 0
		jnz	loc_8DE9FA

loc_78EB17:				; CODE XREF: MiLogRelocationRva+14FF93j
		cmp	_PfSnNumActiveTraces, 0
		jz	short loc_78EAD6
		test	edi, edi
		jz	short loc_78EAD6

loc_78EB24:				; CODE XREF: MiLogRelocationRva+BFj
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	2
		pop	edx
		call	_PfSnLogPageFault@16 ; PfSnLogPageFault(x,x,x,x)
		add	esi, 1000h
		adc	ebx, 0
		sub	edi, 1
		jnz	short loc_78EB24
		jmp	short loc_78EAD6
MiLogRelocationRva endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogRelocationFaults(x, x,	x)
_MiLogRelocationFaults@12 proc near	; CODE XREF: MiRelocateImage+472p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	MiReferenceControlAreaFile
		mov	edx, [esi+4]
		mov	ebx, eax
		mov	ecx, [esi]
		push	edi
		push	ebx
		call	MiLogRelocationRva
		mov	ecx, [ebp+arg_0]
		mov	esi, [ecx+8]

loc_78EB67:				; CODE XREF: MiLogRelocationFaults(x,x,x)+46j
		test	esi, esi
		jnz	short loc_78EB7B
		mov	edx, ebx
		mov	ecx, edi
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_78EB7B:				; CODE XREF: MiLogRelocationFaults(x,x,x)+27j
		mov	ecx, [esi+4]
		test	ecx, 0FFFh
		jnz	short loc_78EB8A

loc_78EB86:				; CODE XREF: MiLogRelocationFaults(x,x,x)+54j
		mov	esi, [esi]
		jmp	short loc_78EB67
; 

loc_78EB8A:				; CODE XREF: MiLogRelocationFaults(x,x,x)+42j
		push	edi
		push	ebx
		mov	edx, 2000h
		call	MiLogRelocationRva
		jmp	short loc_78EB86
_MiLogRelocationFaults@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateImageFileMap(x, x, x, x, x,	x, x, x)
_MiCreateImageFileMap@32 proc near	; CODE XREF: MiCreateNewSection(x,x)+F5p

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_90		= word ptr -90h
var_8E		= dword	ptr -8Eh
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= word ptr -80h
var_7E		= word ptr -7Eh
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_44], edi
		mov	ebx, ecx
		mov	[ebp+var_28], ebx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_14]
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_50], eax
		xor	eax, eax
		mov	[ebp+var_70], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	ebx
		mov	[ebp+var_5C], esi
		call	FsRtlGetFileSize
		test	eax, eax
		jns	short loc_78EC16
		mov	dword_6CF4F4, 21h
		cmp	eax, 0C00000BAh
		jnz	loc_78F39A

loc_78EC0C:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+8Ej
		mov	eax, 0C0000020h
		jmp	loc_78F39A
; 

loc_78EC16:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+5Dj
		cmp	[ebp+var_64], 0
		jz	short loc_78EC28
		mov	dword_6CF4F4, 22h
		jmp	short loc_78EC0C
; 

loc_78EC28:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+82j
		xor	eax, eax
		mov	edx, 1000h
		inc	eax
		mov	ecx, edi
		mov	[ebp+var_34], eax
		xor	eax, eax
		and	[ebp+var_40], eax
		and	[ebp+var_60], eax
		push	1
		push	esi
		mov	[ebp+var_20], eax
		mov	[ebp+var_6C], eax
		call	MiCreateMdl
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_78EC66
		mov	dword_6CF4F4, 23h
		mov	eax, 0C000009Ah
		jmp	loc_78F39A
; 

loc_78EC66:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+B8j
		and	dword ptr [eax+8], 0
		mov	ecx, ebx
		mov	eax, [eax+1Ch]
		mov	[ebp+var_74], eax
		call	_CcZeroEndOfLastPage@4 ; CcZeroEndOfLastPage(x)
		lea	edx, [ebp+var_70]
		mov	ecx, ebx
		call	_MiFlushDataSection@8 ;	MiFlushDataSection(x,x)
		mov	edi, eax
		cmp	edi, 0C0000054h
		jnz	short loc_78EC9A
		mov	dword_6CF4F4, 24h
		jmp	loc_78F35F
; 

loc_78EC9A:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+F1j
		cmp	[ebp+var_70], 1
		mov	eax, 100000h
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_19], 0
		jnz	short loc_78ECAE
		or	ebx, eax

loc_78ECAE:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+112j
		test	ebx, eax
		jnz	short loc_78ECB6
		test	bl, bl
		jns	short loc_78ECD7

loc_78ECB6:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+118j
		mov	[ebp+var_19], 1
		call	_PsIsCurrentThreadPrefetching@0	; PsIsCurrentThreadPrefetching()
		test	al, al
		jz	short loc_78ECD7
		mov	dword_6CF4F4, 25h
		mov	edi, 0C0000433h
		jmp	loc_78F35F
; 

loc_78ECD7:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+11Cj
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+129j
		test	ebx, 10000h
		jz	short loc_78ECF3
		mov	edi, 0C00000BBh
		mov	dword_6CF4F4, 26h
		jmp	loc_78F35F
; 

loc_78ECF3:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+145j
		mov	edx, [ebp+var_74]
		mov	ecx, [ebp+var_28]
		call	MiCopyHeaderIfResident
		mov	edi, [ebp+var_68]
		cmp	eax, 1
		jnz	short loc_78ED16
		mov	ecx, 1000h
		mov	[ebp+var_54], ecx

loc_78ED0E:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+1F7j
		mov	edx, [ebp+var_34]
		jmp	loc_78EDE1
; 

loc_78ED16:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+16Cj
		cmp	[ebp+var_19], 0
		jnz	short loc_78ED84
		test	bl, 20h
		jnz	short loc_78ED31
		test	ebx, 400h
		jz	short loc_78ED84
		cmp	edi, 20000h
		ja	short loc_78ED84

loc_78ED31:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+187j
		mov	edx, [ebp+var_28]
		mov	eax, [edx+14h]
		cmp	dword ptr [eax], 0
		jnz	short loc_78ED87
		lea	eax, [edi+0FFFh]
		shr	eax, 0Ch
		mov	[ebp+var_34], eax
		cmp	eax, 1
		jbe	short loc_78ED87
		mov	ecx, [ebp+var_44]
		mov	edx, eax
		push	0
		shl	edx, 0Ch
		push	esi
		call	MiCreateMdl
		mov	[ebp+var_60], eax
		test	eax, eax
		jz	short loc_78ED7E
		mov	ecx, [ebp+var_24]
		xor	edx, edx
		inc	edx
		call	_MiDeleteImageCreationMdls@8 ; MiDeleteImageCreationMdls(x,x)
		mov	eax, [ebp+var_60]
		mov	edx, [ebp+var_28]
		mov	[ebp+var_24], eax
		and	dword ptr [eax+8], 0
		jmp	short loc_78ED8A
; 

loc_78ED7E:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+1CAj
		xor	eax, eax
		inc	eax
		mov	[ebp+var_34], eax

loc_78ED84:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+182j
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+18Fj ...
		mov	edx, [ebp+var_28]

loc_78ED87:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+1A2j
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+1B3j
		mov	eax, [ebp+var_24]

loc_78ED8A:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+1E4j
		mov	ecx, [ebp+var_54]
		test	ecx, ecx
		jnz	loc_78ED0E
		lea	ecx, [ebp+var_58]
		push	ecx		; void *
		push	eax		; int
		mov	ecx, edx
		call	MiReadImageHeaders
		mov	edi, eax
		test	edi, edi
		jns	short loc_78EDB6
		mov	dword_6CF4F4, 28h
		jmp	loc_78F35B
; 

loc_78EDB6:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+20Dj
		mov	edx, [ebp+var_34]
		mov	eax, edx
		mov	ecx, [ebp+var_54]
		shl	eax, 0Ch
		cmp	ecx, eax
		jz	short loc_78EDDE
		cmp	ecx, 40h
		jnb	short loc_78EDDE
		mov	edi, 0C000012Fh
		mov	dword_6CF4F4, 29h
		jmp	loc_78F35F
; 

loc_78EDDE:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+22Bj
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+230j
		mov	edi, [ebp+var_68]

loc_78EDE1:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+179j
		mov	eax, [ebp+var_24]
		test	byte ptr [eax+6], 4
		jz	short loc_78EDEF
		mov	eax, [eax+10h]
		jmp	short loc_78EDF2
; 

loc_78EDEF:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+250j
		mov	eax, [eax+0Ch]

loc_78EDF2:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+255j
		mov	esi, 5A4Dh
		mov	[ebp+var_48], eax
		cmp	[eax], si
		jz	short loc_78EE09
		mov	edi, 0C000012Fh
		jmp	loc_78F35F
; 

loc_78EE09:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+265j
		mov	eax, [eax+3Ch]
		mov	[ebp+var_34], eax
		lea	esi, [eax+0F8h]
		mov	[ebp+var_3C], esi
		cmp	esi, eax
		mov	esi, [ebp+var_5C]
		ja	short loc_78EE33
		mov	edi, 0C0000130h
		mov	dword_6CF4F4, 2Ah
		jmp	loc_78F35F
; 

loc_78EE33:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+285j
		mov	[ebp+var_2C], eax
		xor	eax, eax
		add	[ebp+var_2C], 0F8h
		adc	eax, eax
		cmp	eax, [ebp+var_64]
		jb	short loc_78EE61
		ja	short loc_78EE4D
		cmp	[ebp+var_2C], edi
		jbe	short loc_78EE61

loc_78EE4D:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+2AEj
		mov	edi, 0C0000130h
		mov	dword_6CF4F4, 2Bh
		jmp	loc_78F35F
; 

loc_78EE61:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+2ACj
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+2B3j
		mov	eax, [ebp+var_3C]
		shl	edx, 0Ch
		cmp	eax, edx
		jbe	loc_78EF3E
		mov	eax, [ebp+var_34]
		mov	ecx, 0FFFFF000h
		and	eax, ecx
		sub	edi, eax
		mov	[ebp+var_3C], eax
		add	edi, 0FFFh
		mov	eax, 2000h
		and	edi, ecx
		mov	[ebp+var_2C], eax
		cmp	edi, eax
		jnb	short loc_78EE97
		mov	eax, edi
		mov	[ebp+var_2C], edi

loc_78EE97:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+2F8j
		mov	ecx, [ebp+var_44]
		mov	edx, eax
		push	1
		push	esi
		call	MiCreateMdl
		mov	ecx, eax
		mov	[ebp+var_4C], ecx
		test	ecx, ecx
		jnz	short loc_78EEC1
		mov	edi, 0C000009Ah
		mov	dword_6CF4F4, 2Ch
		jmp	loc_78F35F
; 

loc_78EEC1:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+313j
		mov	eax, [ebp+var_3C]
		and	[ebp+var_C], 0
		shr	eax, 0Ch
		mov	[ecx+8], eax
		mov	eax, [ebp+var_24]
		mov	[ecx], eax
		lea	eax, [ebp+var_58]
		push	eax		; void *
		mov	[ebp+var_24], ecx
		push	ecx		; int
		mov	ecx, [ebp+var_28]
		call	MiReadImageHeaders
		mov	edi, eax
		test	edi, edi
		jns	short loc_78EEF8
		mov	dword_6CF4F4, 2Dh
		jmp	loc_78F35B
; 

loc_78EEF8:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+34Fj
		mov	esi, [ebp+var_34]
		mov	edx, [ebp+var_54]
		and	esi, 0FFFh
		cmp	edx, [ebp+var_2C]
		jz	short loc_78EF27
		lea	eax, [esi+0F8h]
		cmp	edx, eax
		jnb	short loc_78EF27
		mov	edi, 0C0000130h
		mov	dword_6CF4F4, 2Eh
		jmp	loc_78F35F
; 

loc_78EF27:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+36Fj
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+379j
		mov	edi, [ebp+var_4C]
		mov	ecx, edx
		sub	ecx, esi
		mov	edi, [edi+0Ch]
		add	edi, esi
		add	edx, [ebp+var_3C]
		mov	[ebp+var_54], edx
		mov	edx, [ebp+var_48]
		jmp	short loc_78EF61
; 

loc_78EF3E:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+2D1j
		cmp	eax, ecx
		jbe	short loc_78EF56
		mov	edi, 0C0000130h
		mov	dword_6CF4F4, 2Fh
		jmp	loc_78F35F
; 

loc_78EF56:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+3A8j
		mov	eax, [ebp+var_34]
		sub	ecx, eax
		mov	edx, [ebp+var_48]
		lea	edi, [eax+edx]

loc_78EF61:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+3A4j
		mov	esi, [ebp+var_38]
		push	ecx
		push	edx
		mov	edx, edi
		mov	[ebp+var_2C], edi
		mov	ecx, esi
		call	MiVerifyImageHeader
		mov	edi, eax
		test	edi, edi
		jnz	loc_78F35D
		mov	edx, [ebp+var_34]
		mov	ecx, [ebp+var_50]
		lea	eax, [edx+34h]
		mov	[ecx], eax
		mov	eax, [esi+0Ch]
		mov	ecx, eax
		and	ecx, 0FFFh
		mov	[ebp+var_50], eax
		neg	ecx
		sbb	ecx, ecx
		shr	eax, 0Ch
		neg	ecx
		add	ecx, eax
		jnz	short loc_78EFB6
		mov	edi, 0C000007Bh
		mov	dword_6CF4F4, 31h
		jmp	loc_78F35F
; 

loc_78EFB6:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+408j
		mov	esi, [ebp+var_2C]
		lea	edi, [ebp+var_A0]
		add	esi, 4
		push	5
		pop	ecx
		rep movsd
		mov	eax, [ebp+var_A0]
		movzx	esi, [ebp+var_90]
		shr	eax, 10h
		add	esi, 18h
		imul	eax, 28h
		mov	[ebp+var_48], esi
		mov	[ebp+var_4C], eax
		lea	ecx, [esi+eax]
		add	ecx, edx
		cmp	ecx, edx
		ja	short loc_78F000
		mov	edi, 0C000007Bh
		mov	dword_6CF4F4, 32h
		jmp	loc_78F35F
; 

loc_78F000:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+452j
		mov	edx, [ebp+var_38]
		mov	eax, [edx+14h]
		mov	[ebp+var_3C], eax
		cmp	eax, ecx
		jnb	short loc_78F012
		mov	eax, ecx
		mov	[ebp+var_3C], ecx

loc_78F012:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+473j
		cmp	eax, [ebp+var_50]
		jbe	short loc_78F02B
		mov	edi, 0C000007Bh
		mov	dword_6CF4F4, 30h
		jmp	loc_78F35F
; 

loc_78F02B:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+47Dj
		mov	edi, [ebp+var_2C]
		add	edi, esi
		cmp	ecx, [ebp+var_54]
		ja	short loc_78F03D
		mov	esi, [ebp+var_5C]
		jmp	loc_78F0F7
; 

loc_78F03D:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+49Bj
		and	edi, 0FFFh
		add	edi, [ebp+var_4C]
		mov	eax, edi
		mov	[ebp+var_50], eax
		jz	loc_78F34C
		lea	edx, [eax+0FFFh]
		and	edx, 0FFFFF000h
		cmp	eax, edx
		ja	loc_78F34C
		mov	esi, [ebp+var_5C]
		mov	ecx, [ebp+var_44]
		push	1
		push	esi
		call	MiCreateMdl
		mov	ecx, eax
		mov	[ebp+var_2C], ecx
		test	ecx, ecx
		jnz	short loc_78F090
		mov	edi, 0C000009Ah
		mov	dword_6CF4F4, 34h
		jmp	loc_78F35F
; 

loc_78F090:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+4E2j
		mov	eax, [ebp+var_34]
		add	eax, [ebp+var_48]
		mov	[ebp+var_4C], eax
		shr	eax, 0Ch
		mov	[ecx+8], eax
		mov	eax, [ebp+var_24]
		mov	[ecx], eax
		lea	eax, [ebp+var_58]
		push	eax		; void *
		mov	[ebp+var_24], ecx
		push	ecx		; int
		mov	ecx, [ebp+var_28]
		call	MiReadImageHeaders
		mov	edi, eax
		test	edi, edi
		jns	short loc_78F0C9
		mov	dword_6CF4F4, 35h
		jmp	loc_78F35B
; 

loc_78F0C9:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+520j
		mov	eax, [ebp+var_50]
		cmp	[ebp+var_54], eax
		jnb	short loc_78F0E5
		mov	edi, 0C000007Bh
		mov	dword_6CF4F4, 36h
		jmp	loc_78F35F
; 

loc_78F0E5:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+537j
		mov	eax, [ebp+var_2C]
		mov	edi, [ebp+var_4C]
		mov	edx, [ebp+var_38]
		and	edi, 0FFFh
		add	edi, [eax+0Ch]

loc_78F0F7:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+4A0j
		cmp	dword ptr [edx+8], 1000h
		jnb	short loc_78F156
		test	ebx, 80000h
		jz	short loc_78F12D
		push	[ebp+var_9C]
		mov	edi, 0C000007Bh
		push	dword ptr [edx+34h]
		mov	edx, [ebp+var_28]
		call	_MiLogCreateImageFileMapFailure@16 ; MiLogCreateImageFileMapFailure(x,x,x,x)
		mov	dword_6CF4F4, 37h
		jmp	loc_78F35F
; 

loc_78F12D:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+56Ej
		mov	ecx, [ebp+var_A0]
		call	MiLegacyImageArchitecture
		test	eax, eax
		jnz	short loc_78F150
		mov	edi, 0C000007Bh
		mov	dword_6CF4F4, 38h
		jmp	loc_78F35F
; 

loc_78F150:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+5A2j
		or	ebx, 200000h

loc_78F156:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+566j
		lea	eax, [ebp+var_6C]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		push	ebx
		lea	eax, [ebp+var_A0]
		push	eax
		push	esi
		call	MiBuildImageControlArea
		mov	edi, eax
		test	edi, edi
		js	loc_78F347
		mov	edi, [ebp+var_6C]
		mov	ecx, [ebp+var_3C]
		mov	[ebp+var_20], edi
		mov	eax, [edi]
		mov	eax, [eax+24h]
		mov	[eax+30h], ecx
		test	ebx, 200h
		jz	short loc_78F19A
		mov	eax, [edi]
		mov	eax, [eax+24h]
		or	byte ptr [eax+23h], 10h

loc_78F19A:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+5F7j
		mov	eax, [ebp+var_24]
		mov	esi, [edi]
		mov	[ebp+var_40], esi
		mov	[ebp+var_2D], 0
		cmp	dword ptr [eax], 0
		jnz	short loc_78F1D7
		cmp	[ebp+var_60], 0
		jnz	short loc_78F1D7
		test	ebx, 210000h
		jnz	short loc_78F1D7
		mov	esi, [ebp+var_38]
		mov	eax, [esi+14h]
		mov	esi, [ebp+var_40]
		cmp	eax, 1000h
		jnb	short loc_78F1D7
		test	eax, 1FFh
		jz	short loc_78F1D3
		inc	dword ptr [esi+0Ch]

loc_78F1D3:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+636j
		mov	[ebp+var_2D], 1

loc_78F1D7:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+611j
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+617j ...
		cmp	[ebp+var_19], 0
		jnz	short loc_78F212
		mov	eax, [ebp+var_28]
		mov	edx, [eax+4]
		mov	ecx, edx
		call	_IoIsDeviceEjectable@4 ; IoIsDeviceEjectable(x)
		test	al, al
		jnz	short loc_78F20E
		mov	eax, [ebp+var_8E]
		test	eax, 400h
		jz	short loc_78F201
		test	byte ptr [edx+20h], 1
		jnz	short loc_78F20E

loc_78F201:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+661j
		test	eax, 800h
		jz	short loc_78F212
		test	byte ptr [edx+20h], 10h
		jz	short loc_78F212

loc_78F20E:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+654j
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+667j
		mov	[ebp+var_19], 1

loc_78F212:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+643j
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+66Ej ...
		mov	esi, [esi+0Ch]
		test	esi, esi
		jz	short loc_78F249
		mov	ecx, [ebp+var_44]
		mov	edx, esi
		push	0
		call	MiChargeCommit
		test	eax, eax
		jnz	short loc_78F23D
		mov	dword_6CF4F4, 39h
		mov	edi, 0C000012Dh
		jmp	loc_78F35F
; 

loc_78F23D:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+68Fj
		mov	eax, [ebp+var_44]
		add	eax, 1124h
		lock xadd [eax], esi

loc_78F249:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+67Fj
		mov	eax, [edi+1Ch]
		mov	esi, [ebp+var_38]
		test	eax, 20000h
		jz	short loc_78F26F
		test	ebx, 200000h
		jnz	short loc_78F26F
		test	dword ptr [esi+10h], 1000000h
		jnz	short loc_78F26F
		or	eax, 4000000h
		mov	[edi+1Ch], eax

loc_78F26F:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+6BCj
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+6C4j ...
		mov	eax, [ebp+var_60]
		test	eax, eax
		jz	short loc_78F27F
		mov	edx, eax
		mov	ecx, edi
		call	MiInitializeImageProtos

loc_78F27F:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+6DCj
		cmp	[ebp+var_2D], 1
		jnz	short loc_78F290
		mov	edx, [esi+14h]
		mov	ecx, [ebp+var_74]
		call	MiInitializeImageHeaderPage

loc_78F290:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+6EBj
		cmp	[ebp+var_19], 0
		jz	loc_78F333
		or	dword ptr [edi+1Ch], 800h
		mov	edx, ebx
		shr	edx, 14h
		shr	ebx, 7
		test	dl, 1
		jnz	short loc_78F2B3
		test	bl, 1
		jz	short loc_78F2BA

loc_78F2B3:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+714j
		or	dword ptr [edi+1Ch], 40000h

loc_78F2BA:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+719j
		test	byte ptr ds:_PerfGlobalGroupMask, 4
		jz	short loc_78F333
		mov	ecx, [ebp+var_28]
		mov	eax, [ecx+0Ch]
		mov	ecx, [ecx+4]
		mov	[ebp+var_88], eax
		mov	eax, [ebp+var_8E]
		mov	[ebp+var_80], ax
		mov	eax, [ecx+20h]
		mov	[ebp+var_84], eax
		call	_IoIsDeviceEjectable@4 ; IoIsDeviceEjectable(x)
		and	[ebp+var_14], 0
		xor	ecx, ecx
		and	[ebp+var_C], 0
		inc	ecx
		and	al, cl
		mov	[ebp+var_10], 0Ch
		movzx	eax, al
		and	ebx, ecx
		add	ebx, ebx
		and	edx, ecx
		or	ax, bx
		add	ax, ax
		or	ax, dx
		mov	edx, ecx
		push	offset byte_401802
		mov	[ebp+var_7E], ax
		lea	ecx, [ebp+var_18]
		push	269h
		lea	eax, [ebp+var_88]
		push	4
		mov	[ebp+var_18], eax
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_78F333:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+6FCj
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+729j
		mov	eax, [ebp+var_78]
		xor	edi, edi
		mov	ecx, [ebp+var_7C]
		mov	ebx, [ebp+var_40]
		mov	[eax], ebx
		mov	eax, [ebp+var_24]
		mov	[ecx], eax
		jmp	short loc_78F398
; 

loc_78F347:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+5DAj
		mov	esi, [ebp+var_6C]
		jmp	short loc_78F362
; 

loc_78F34C:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+4B3j
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+4C7j
		mov	edi, 0C000007Bh
		mov	dword_6CF4F4, 33h

loc_78F35B:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+219j
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+35Bj ...
		test	edi, edi

loc_78F35D:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+3DEj
		jns	short loc_78F398

loc_78F35F:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+FDj
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+13Aj ...
		mov	esi, [ebp+var_20]

loc_78F362:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+7B2j
		mov	ecx, [ebp+var_24]
		xor	edx, edx
		inc	edx
		call	_MiDeleteImageCreationMdls@8 ; MiDeleteImageCreationMdls(x,x)
		test	esi, esi
		jz	short loc_78F398
		mov	ecx, [esi+38h]
		xor	edx, edx
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)
		mov	ebx, [ebp+var_40]
		push	0
		push	dword ptr [ebx+28h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_78F398:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+7ADj
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x):loc_78F35Dj ...
		mov	eax, edi

loc_78F39A:				; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+6Ej
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+79j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_MiCreateImageFileMap@32 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateMdl	proc near		; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+AEp
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+1C0p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DEA16 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], ecx
		push	edi
		mov	eax, esi
		xor	edi, edi
		shr	eax, 0Ch
		mov	[ebp+var_4], eax
		push	edi
		cmp	[ebp+arg_4], edi
		jz	short loc_78F447
		push	edi
		push	edi
		push	esi
		push	edi
		call	IoAllocateMdl
		mov	esi, eax
		test	esi, esi
		jz	loc_78F483
		mov	ebx, edi
		lea	eax, [esi+1Ch]
		mov	[ebp+arg_4], eax
		cmp	[ebp+var_4], ebx
		jbe	short loc_78F420

loc_78F3EC:				; CODE XREF: MiCreateMdl+72j
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_8]
		call	MiGetPageForHeader
		mov	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	loc_8DEA16
		test	ebx, ebx
		jnz	short loc_78F40F
		mov	eax, 4002h
		or	[esi+6], ax

loc_78F40F:				; CODE XREF: MiCreateMdl+58j
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		add	eax, 4
		inc	ebx
		mov	[ebp+arg_4], eax
		cmp	ebx, [ebp+var_4]
		jb	short loc_78F3EC

loc_78F420:				; CODE XREF: MiCreateMdl+3Ej
		test	byte ptr [esi+6], 5
		jnz	short loc_78F487
		push	40000020h
		push	edi
		push	edi
		push	1
		push	edi
		push	esi
		call	MmMapLockedPagesSpecifyCache

loc_78F436:				; CODE XREF: MiCreateMdl+DEj
		test	eax, eax
		jz	loc_8DEA1C

loc_78F43E:				; CODE XREF: MiCreateMdl+CEj
		mov	eax, esi

loc_78F440:				; CODE XREF: MiCreateMdl+D9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_78F447:				; CODE XREF: MiCreateMdl+1Ej
		push	40h
		mov	edx, 78786D4Dh
		mov	ecx, esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_78F483
		push	edi
		push	edi
		push	edi
		push	esi
		push	ebx
		call	IoAllocateMdl
		mov	esi, eax
		test	esi, esi
		jz	short loc_78F47C
		push	esi
		call	MmBuildMdlForNonPagedPool
		mov	eax, 4000h
		or	[esi+6], ax
		jmp	short loc_78F43E
; 

loc_78F47C:				; CODE XREF: MiCreateMdl+BDj
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_78F483:				; CODE XREF: MiCreateMdl+2Dj
					; MiCreateMdl+ADj ...
		xor	eax, eax
		jmp	short loc_78F440
; 

loc_78F487:				; CODE XREF: MiCreateMdl+78j
		mov	eax, [esi+0Ch]
		jmp	short loc_78F436
MiCreateMdl	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateNewSection(x, x)
_MiCreateNewSection@8 proc near		; CODE XREF: MiCreateImageOrDataSection+253p

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_73		= byte ptr -73h
var_72		= byte ptr -72h
var_71		= byte ptr -71h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_80], edx
		push	64h		; size_t
		lea	eax, [ebp+var_70]
		mov	[ebp+var_8C], ebx
		push	ebx		; int
		push	eax		; void *
		mov	edi, ecx
		mov	[ebp+var_94], ebx
		call	_memset
		mov	eax, [edi+24h]
		add	esp, 0Ch
		mov	esi, [edi+74h]
		mov	[ebp+var_78], eax
		mov	eax, [edi+8]
		mov	[ebp+var_7C], eax
		mov	eax, [edi+60h]
		mov	[ebp+var_88], eax
		mov	eax, [edi+64h]
		mov	[ebp+var_90], eax
		mov	al, [edi+10h]
		mov	[ebp+var_73], bl
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_72], bl
		mov	[ebp+var_71], al
		mov	byte ptr [ebp+var_98], al
		mov	byte ptr [ebp+var_A4], bl
		mov	[ebp+var_A8], ebx
		test	esi, esi
		jz	short loc_78F513
		mov	esi, [esi]
		jmp	short loc_78F518
; 

loc_78F513:				; CODE XREF: MiCreateNewSection(x,x)+81j
		mov	esi, offset _MiSystemPartition

loc_78F518:				; CODE XREF: MiCreateNewSection(x,x)+85j
		mov	ecx, esi
		call	MiEnablePartitionMappedWrites
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_78F544
		test	byte ptr [edi],	2
		jz	short loc_78F53D
		push	dword ptr [edi+78h]
		call	_IoSetTopLevelIrp@4 ; IoSetTopLevelIrp(x)
		push	[ebp+var_78]

loc_78F535:				; CODE XREF: MiCreateNewSection(x,x)+146j
		call	FsRtlReleaseFile
		and	dword ptr [edi], 0FFFFFFFDh

loc_78F53D:				; CODE XREF: MiCreateNewSection(x,x)+9Cj
					; MiCreateNewSection(x,x)+137j	...
		mov	eax, ebx
		jmp	loc_78FAAE
; 

loc_78F544:				; CODE XREF: MiCreateNewSection(x,x)+97j
		mov	edx, [ebp+var_7C]
		mov	ecx, edx
		and	[ebp+var_9C], 0
		and	ecx, 1000000h
		mov	eax, [edi+70h]
		mov	[ebp+var_7C], ecx
		jz	short loc_78F590
		lea	ecx, [ebp+var_A8]
		mov	edx, esi
		mov	esi, [ebp+var_78]
		push	ecx
		lea	ecx, [ebp+var_70]
		push	ecx
		lea	ecx, [ebp+var_9C]
		push	ecx
		lea	ecx, [ebp+var_8C]
		push	ecx
		push	dword ptr [edi]
		mov	ecx, esi
		push	eax
		call	_MiCreateImageFileMap@32 ; MiCreateImageFileMap(x,x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_84], ebx
		jmp	short loc_78F5BC
; 

loc_78F590:				; CODE XREF: MiCreateNewSection(x,x)+D0j
		push	dword ptr [edi]
		mov	esi, [ebp+var_78]
		mov	ecx, esi
		push	eax
		push	edx
		push	dword ptr [edi+14h]
		lea	eax, [ebp+var_8C]
		push	[ebp+var_90]
		push	[ebp+var_88]
		push	eax
		call	MiCreateDataFileMap
		mov	ebx, eax
		mov	[ebp+var_84], eax

loc_78F5BC:				; CODE XREF: MiCreateNewSection(x,x)+102j
		test	ebx, ebx
		jns	short loc_78F5D7
		test	byte ptr [edi],	2
		jz	loc_78F53D
		push	dword ptr [edi+78h]
		call	_IoSetTopLevelIrp@4 ; IoSetTopLevelIrp(x)
		push	esi
		jmp	loc_78F535
; 

loc_78F5D7:				; CODE XREF: MiCreateNewSection(x,x)+132j
		mov	eax, [ebp+var_80]
		mov	esi, [ebp+var_8C]
		mov	ecx, [ebp+var_88]
		mov	edx, [ebp+var_90]
		mov	[eax], esi
		mov	eax, ecx
		or	eax, edx
		jnz	short loc_78F610
		or	eax, 0FFFFFFFFh
		add	esi, 10h
		or	edx, eax
		nop
		or	ebx, eax
		or	ecx, eax
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_8C]
		mov	[edi+48h], eax
		jmp	short loc_78F613
; 

loc_78F610:				; CODE XREF: MiCreateNewSection(x,x)+166j
		mov	[edi+48h], ecx

loc_78F613:				; CODE XREF: MiCreateNewSection(x,x)+182j
		mov	ebx, [ebp+var_78]
		mov	[edi+4Ch], edx
		mov	edx, [edi]
		mov	ecx, edx
		mov	esi, [esi]
		mov	[ebp+var_80], esi
		test	edx, 2000h
		jz	short loc_78F64B
		mov	eax, [ebx+4]
		test	byte ptr [eax+20h], 10h
		jnz	short loc_78F64B
		cmp	[ebp+var_7C], 0
		jz	short loc_78F642
		test	[ebp+var_6C], 0FFFh
		jnz	short loc_78F64B

loc_78F642:				; CODE XREF: MiCreateNewSection(x,x)+1ABj
		or	dword ptr [esi+1Ch], 20000000h
		mov	ecx, [edi]

loc_78F64B:				; CODE XREF: MiCreateNewSection(x,x)+19Cj
					; MiCreateNewSection(x,x)+1A5j	...
		test	ecx, 4000h
		jz	short loc_78F65A
		or	dword ptr [esi+1Ch], 20000h

loc_78F65A:				; CODE XREF: MiCreateNewSection(x,x)+1C5j
		push	[ebp+var_9C]
		mov	edx, esi
		mov	ecx, ebx
		call	MiSectionCreated
		test	byte ptr [edi],	2
		mov	ebx, eax
		jz	short loc_78F683
		push	dword ptr [edi+78h]
		call	_IoSetTopLevelIrp@4 ; IoSetTopLevelIrp(x)
		push	[ebp+var_78]
		call	FsRtlReleaseFile
		and	dword ptr [edi], 0FFFFFFFDh

loc_78F683:				; CODE XREF: MiCreateNewSection(x,x)+1E2j
		cmp	[ebp+var_7C], 0
		jz	loc_78FAA1
		cmp	[ebp+var_24], 0
		mov	eax, [ebp+var_8C]
		mov	ecx, [eax+24h]
		mov	[ebp+var_88], ecx
		jnz	short loc_78F6B2
		cmp	[ebp+var_20], 0
		jnz	short loc_78F6B2
		cmp	byte ptr [ecx+22h], 0
		jnz	short loc_78F6B2
		or	byte ptr [eax+0Bh], 1

loc_78F6B2:				; CODE XREF: MiCreateNewSection(x,x)+214j
					; MiCreateNewSection(x,x)+21Aj	...
		test	dword ptr [esi+1Ch], 800h
		jz	short loc_78F6F6
		test	dword ptr [edi], 80000h
		jz	short loc_78F6D7
		mov	dword_6CF4F4, 5
		mov	ebx, 0C0000433h
		jmp	loc_78FA23
; 

loc_78F6D7:				; CODE XREF: MiCreateNewSection(x,x)+235j
		mov	edx, [edi+6Ch]
		mov	ecx, esi
		call	_MiSetPagesModified@8 ;	MiSetPagesModified(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_78F6F6
		mov	dword_6CF4F4, 6
		jmp	loc_78FA23
; 

loc_78F6F6:				; CODE XREF: MiCreateNewSection(x,x)+22Dj
					; MiCreateNewSection(x,x)+259j
		lea	eax, [ebp+var_72]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_70]
		call	_MiParseComAndCetHeaders@12 ; MiParseComAndCetHeaders(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_78F719
		mov	dword_6CF4F4, 4
		jmp	loc_78FA23
; 

loc_78F719:				; CODE XREF: MiCreateNewSection(x,x)+27Cj
		mov	ecx, [edi]
		test	ecx, 100h
		jz	short loc_78F728
		push	4
		pop	esi
		jmp	short loc_78F74D
; 

loc_78F728:				; CODE XREF: MiCreateNewSection(x,x)+295j
		test	cl, 20h
		jz	short loc_78F732
		xor	esi, esi
		inc	esi
		jmp	short loc_78F74D
; 

loc_78F732:				; CODE XREF: MiCreateNewSection(x,x)+29Fj
		test	cl, 10h
		jz	short loc_78F74B
		mov	esi, ecx
		and	esi, 1000h
		neg	esi
		sbb	esi, esi
		and	esi, 6
		add	esi, 2
		jmp	short loc_78F74D
; 

loc_78F74B:				; CODE XREF: MiCreateNewSection(x,x)+2A9j
		xor	esi, esi

loc_78F74D:				; CODE XREF: MiCreateNewSection(x,x)+29Aj
					; MiCreateNewSection(x,x)+2A4j	...
		test	ecx, 800h
		jz	short loc_78F758
		or	esi, 10h

loc_78F758:				; CODE XREF: MiCreateNewSection(x,x)+2C7j
		mov	eax, ecx
		test	ecx, 8400h
		jz	loc_78F7FF
		test	cl, 10h
		jnz	loc_78F7FF
		mov	eax, large fs:124h
		mov	edx, esi
		mov	ecx, [ebp+var_78]
		mov	eax, [eax+80h]
		mov	eax, [eax+490h]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_73]
		push	eax
		push	0
		push	[ebp+var_98]
		call	_SeGetImageRequiredSigningLevel@20 ; SeGetImageRequiredSigningLevel(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_78F7AF
		mov	dword_6CF4F4, 7
		jmp	loc_78FA23
; 

loc_78F7AF:				; CODE XREF: MiCreateNewSection(x,x)+312j
		test	dword ptr [edi], 800h
		jnz	short loc_78F7EF
		cmp	[ebp+var_71], 0
		mov	eax, [ebp+var_7C]
		jz	short loc_78F7D1
		test	eax, (offset loc_7FFFFF+1)
		jz	short loc_78F7D1
		mov	[ebp+var_A0], 1

loc_78F7D1:				; CODE XREF: MiCreateNewSection(x,x)+332j
					; MiCreateNewSection(x,x)+339j
		test	eax, 1000000h
		jz	short loc_78F7E1
		mov	byte ptr [ebp+var_A4], 8
		jmp	short loc_78F7EF
; 

loc_78F7E1:				; CODE XREF: MiCreateNewSection(x,x)+34Aj
		test	eax, 2000000h
		jz	short loc_78F7EF
		mov	byte ptr [ebp+var_A4], 6

loc_78F7EF:				; CODE XREF: MiCreateNewSection(x,x)+329j
					; MiCreateNewSection(x,x)+353j	...
		mov	dl, [ebp+var_73]
		mov	[edi+10h], dl
		mov	eax, [edi]
		mov	byte ptr [ebp+var_98], dl
		jmp	short loc_78F802
; 

loc_78F7FF:				; CODE XREF: MiCreateNewSection(x,x)+2D4j
					; MiCreateNewSection(x,x)+2DDj
		mov	dl, [ebp+var_71]

loc_78F802:				; CODE XREF: MiCreateNewSection(x,x)+371j
		test	eax, 80000h
		jz	short loc_78F81C
		or	esi, 40000000h
		test	dl, dl
		jnz	short loc_78F81C
		add	dl, 4
		mov	byte ptr [ebp+var_98], dl

loc_78F81C:				; CODE XREF: MiCreateNewSection(x,x)+37Bj
					; MiCreateNewSection(x,x)+385j
		test	eax, 400000h
		jz	short loc_78F829
		or	esi, 20000000h

loc_78F829:				; CODE XREF: MiCreateNewSection(x,x)+395j
		test	ds:_MiFlags, 40000h
		mov	ecx, 8000h
		jz	short loc_78F84A
		or	eax, ecx
		mov	[edi], eax
		test	dl, dl
		jnz	short loc_78F84A
		inc	dl
		mov	byte ptr [ebp+var_98], dl

loc_78F84A:				; CODE XREF: MiCreateNewSection(x,x)+3ACj
					; MiCreateNewSection(x,x)+3B4j
		mov	ebx, 400h
		test	eax, ecx
		jnz	short loc_78F872
		mov	ecx, eax
		and	ecx, ebx
		jz	short loc_78F869
		test	dl, dl
		jnz	short loc_78F872
		mov	edx, [ebp+var_88]
		test	byte ptr [edx+1Eh], 80h
		jnz	short loc_78F872

loc_78F869:				; CODE XREF: MiCreateNewSection(x,x)+3CBj
		mov	byte ptr [ebp+var_88], 0
		jmp	short loc_78F87D
; 

loc_78F872:				; CODE XREF: MiCreateNewSection(x,x)+3C5j
					; MiCreateNewSection(x,x)+3CFj	...
		mov	ecx, eax
		mov	byte ptr [ebp+var_88], 1
		and	ecx, ebx

loc_78F87D:				; CODE XREF: MiCreateNewSection(x,x)+3E4j
		test	ecx, ecx
		jz	short loc_78F891
		cmp	byte ptr [ebp+var_A4], 0
		mov	byte ptr [ebp+var_84], 1
		jnz	short loc_78F898

loc_78F891:				; CODE XREF: MiCreateNewSection(x,x)+3F3j
		mov	byte ptr [ebp+var_84], 0

loc_78F898:				; CODE XREF: MiCreateNewSection(x,x)+403j
		and	[ebp+var_90], 0
		test	al, 40h
		jz	short loc_78F8AF
		mov	[ebp+var_90], 2
		jmp	short loc_78F8BD
; 

loc_78F8AF:				; CODE XREF: MiCreateNewSection(x,x)+415j
		test	al, 20h
		jz	short loc_78F8BD
		mov	[ebp+var_90], 1

loc_78F8BD:				; CODE XREF: MiCreateNewSection(x,x)+421j
					; MiCreateNewSection(x,x)+425j
		mov	eax, [ebp+var_80]
		and	[ebp+var_7C], 0
		test	dword ptr [eax+1Ch], 40000000h
		jz	short loc_78F91F
		mov	ecx, [ebp+var_78]
		lea	edx, [ebp+var_94]
		call	_FsRtlGetDirectImageOriginalBase@8 ; FsRtlGetDirectImageOriginalBase(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_78F917
		cmp	ebx, 0C00000BBh
		jz	short loc_78F8F9
		cmp	ebx, 0C0000010h
		jz	short loc_78F8F9
		mov	eax, [ebp+var_94]
		jmp	short loc_78F904
; 

loc_78F8F9:				; CODE XREF: MiCreateNewSection(x,x)+45Bj
					; MiCreateNewSection(x,x)+463j
		xor	ebx, ebx
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_94], eax

loc_78F904:				; CODE XREF: MiCreateNewSection(x,x)+46Bj
		test	ebx, ebx
		jns	short loc_78F928
		mov	dword_6CF4F4, 8
		jmp	loc_78FA23
; 

loc_78F917:				; CODE XREF: MiCreateNewSection(x,x)+453j
		mov	eax, [ebp+var_94]
		jmp	short loc_78F928
; 

loc_78F91F:				; CODE XREF: MiCreateNewSection(x,x)+43Fj
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_94], eax

loc_78F928:				; CODE XREF: MiCreateNewSection(x,x)+47Aj
					; MiCreateNewSection(x,x)+491j
		cmp	byte ptr [ebp+var_88], 1
		jz	short loc_78F93E
		cmp	byte ptr [ebp+var_84], 1
		jnz	loc_78F9DE

loc_78F93E:				; CODE XREF: MiCreateNewSection(x,x)+4A3j
		cmp	eax, 0FFFFFFFFh
		jz	short loc_78F988
		mov	ecx, [ebp+var_8C]
		lea	edx, [ebp+var_70]
		push	0
		push	eax
		push	[ebp+var_90]
		push	[ebp+var_A8]
		call	MiRelocateImage
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_78F975
		mov	dword_6CF4F4, 9
		jmp	loc_78FA23
; 

loc_78F975:				; CODE XREF: MiCreateNewSection(x,x)+4D8j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_7C], eax
		cmp	[ebp+var_72], al
		jnz	short loc_78F988
		mov	ecx, [ebp+var_80]
		call	MiMakeImageReadOnly

loc_78F988:				; CODE XREF: MiCreateNewSection(x,x)+4B5j
					; MiCreateNewSection(x,x)+4F2j
		push	[ebp+var_A4]
		mov	edx, [ebp+var_78]
		xor	ecx, ecx
		push	[ebp+var_98]
		push	[ebp+var_A0]
		push	[ebp+var_84]
		push	[ebp+var_88]
		push	esi
		push	dword ptr [edi+68h]
		push	dword ptr [edi+6Ch]
		push	[ebp+var_80]
		call	_MiValidateSectionSigningPolicy@44 ; MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_84], eax
		test	ebx, ebx
		jns	short loc_78F9D2
		mov	dword_6CF4F4, 0Ah
		jmp	short loc_78FA23
; 

loc_78F9D2:				; CODE XREF: MiCreateNewSection(x,x)+538j
		cmp	[ebp+var_7C], 0
		jnz	short loc_78FA36
		mov	eax, [ebp+var_94]

loc_78F9DE:				; CODE XREF: MiCreateNewSection(x,x)+4ACj
		mov	ecx, [ebp+var_8C]
		lea	edx, [ebp+var_70]
		push	0
		push	eax
		push	[ebp+var_90]
		push	[ebp+var_A8]
		call	MiRelocateImage
		mov	ebx, eax
		mov	[ebp+var_84], ebx
		test	ebx, ebx
		js	short loc_78FA19
		cmp	[ebp+var_72], 1
		mov	ebx, [ebp+var_80]
		jnz	short loc_78FA39
		mov	ecx, ebx
		call	MiMakeImageReadOnly
		jmp	short loc_78FA39
; 

loc_78FA19:				; CODE XREF: MiCreateNewSection(x,x)+579j
		mov	dword_6CF4F4, 0Bh

loc_78FA23:				; CODE XREF: MiCreateNewSection(x,x)+246j
					; MiCreateNewSection(x,x)+265j	...
		mov	ecx, [ebp+var_9C]
		xor	edx, edx
		inc	edx
		call	_MiDeleteImageCreationMdls@8 ; MiDeleteImageCreationMdls(x,x)
		jmp	loc_78F53D
; 

loc_78FA36:				; CODE XREF: MiCreateNewSection(x,x)+54Aj
		mov	ebx, [ebp+var_80]

loc_78FA39:				; CODE XREF: MiCreateNewSection(x,x)+582j
					; MiCreateNewSection(x,x)+58Bj
		mov	esi, [ebp+var_9C]
		test	esi, esi
		jz	short loc_78FA8B

loc_78FA43:				; CODE XREF: MiCreateNewSection(x,x)+5F7j
		test	byte ptr [esi+6], 4
		jnz	short loc_78FA7F
		mov	edi, [esi+14h]
		lea	eax, [esi+1Ch]
		shr	edi, 0Ch
		test	edi, edi
		jmp	short loc_78FA77
; 

loc_78FA56:				; CODE XREF: MiCreateNewSection(x,x)+5F1j
		mov	ecx, [eax]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_78FA71
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	MiFinalizeImageHeaderPage
		mov	eax, [ebp+var_A0]

loc_78FA71:				; CODE XREF: MiCreateNewSection(x,x)+5CFj
		add	eax, 4
		sub	edi, 1

loc_78FA77:				; CODE XREF: MiCreateNewSection(x,x)+5C8j
		mov	[ebp+var_A0], eax
		jnz	short loc_78FA56

loc_78FA7F:				; CODE XREF: MiCreateNewSection(x,x)+5BBj
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_78FA43
		mov	esi, [ebp+var_9C]

loc_78FA8B:				; CODE XREF: MiCreateNewSection(x,x)+5B5j
		xor	edx, edx
		mov	ecx, esi
		call	_MiDeleteImageCreationMdls@8 ; MiDeleteImageCreationMdls(x,x)
		push	ecx
		mov	ecx, [ebp+var_78]
		mov	edx, ebx
		call	_MiReleaseImageSection@12 ; MiReleaseImageSection(x,x,x)
		mov	ebx, eax

loc_78FAA1:				; CODE XREF: MiCreateNewSection(x,x)+1FBj
		mov	ecx, ebx
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)
		mov	eax, [ebp+var_84]

loc_78FAAE:				; CODE XREF: MiCreateNewSection(x,x)+B3j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiCreateNewSection@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiEnablePartitionMappedWrites proc near	; CODE XREF: MiCreateNewSection(x,x)+8Ep
					; MiCreatePagingFile+3E7p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DEA2B SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_18], 3
		push	edi
		mov	[ebp+var_14], 5
		xor	ecx, ecx
		mov	[ebp+var_20], offset MiDereferenceSegmentThread
		mov	[ebp+var_1C], offset MiMappedPageWriter

loc_78FAE9:				; CODE XREF: MiEnablePartitionMappedWrites+3Aj
		mov	eax, [ebp+ecx*4+var_18]
		cmp	dword ptr [esi+eax*4+4Ch], 0
		jz	short loc_78FAFA
		inc	ecx
		cmp	ecx, 2
		jb	short loc_78FAE9

loc_78FAFA:				; CODE XREF: MiEnablePartitionMappedWrites+34j
		cmp	ecx, 2
		jnz	short loc_78FB06
		xor	eax, eax

loc_78FB01:				; CODE XREF: MiEnablePartitionMappedWrites+DDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_78FB06:				; CODE XREF: MiEnablePartitionMappedWrites+3Fj
		mov	ecx, large fs:124h
		xor	edi, edi
		mov	eax, [esi+64h]
		mov	edx, ecx
		and	[ebp+var_4], 0
		mov	[ebp+var_10], ecx
		mov	ecx, esi
		mov	eax, [eax+38h]
		mov	[ebp+var_C], eax
		call	_MiLockPartitionSystemThreads@8	; MiLockPartitionSystemThreads(x,x)
		xor	ebx, ebx

loc_78FB2A:				; CODE XREF: MiEnablePartitionMappedWrites+CFj
		mov	eax, [ebp+ebx+var_18]
		mov	[ebp+var_8], eax
		cmp	dword ptr [esi+eax*4+4Ch], 0
		jnz	short loc_78FB87
		cmp	eax, 5
		jnz	short loc_78FB4A
		mov	ecx, esi
		call	MiAllocateMappedWriterMdls
		mov	edi, eax
		test	edi, edi
		js	short loc_78FB8F

loc_78FB4A:				; CODE XREF: MiEnablePartitionMappedWrites+7Dj
		mov	ecx, esi
		call	MiMakePartitionActive
		test	eax, eax
		jz	loc_8DEA2B
		push	esi
		push	[ebp+ebx+var_20]
		lea	eax, [ebp+var_4]
		push	0
		push	[ebp+var_C]
		push	0
		push	1FFFFFh
		push	eax
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8DEA30
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		mov	[esi+ecx*4+4Ch], eax

loc_78FB87:				; CODE XREF: MiEnablePartitionMappedWrites+78j
		add	ebx, 4
		cmp	ebx, 8
		jb	short loc_78FB2A

loc_78FB8F:				; CODE XREF: MiEnablePartitionMappedWrites+8Aj
					; MiEnablePartitionMappedWrites+14EF76j ...
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		call	MiUnlockPartitionSystemThreads
		mov	eax, edi
		jmp	loc_78FB01
MiEnablePartitionMappedWrites endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateDataFileMap proc near		; CODE XREF: MiCreateNewSection(x,x)+123p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008DEA46 SIZE 000000B0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_20], 0
		mov	eax, ecx
		and	[ebp+var_1C], 0
		xor	edx, edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_18]
		inc	edx
		mov	ecx, esi
		mov	[ebp+var_8], eax
		and	ecx, edx
		push	edi
		mov	[ebp+var_24], ecx
		jz	loc_78FE49
		mov	ebx, [ebp+arg_4]
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edi

loc_78FBD7:				; CODE XREF: MiCreateDataFileMap+2D7j
					; MiCreateDataFileMap+2E2j ...
		cmp	edi, 3FFFFFh
		jb	short loc_78FBF1
		ja	loc_8DEA5A
		cmp	ebx, 0FFFFF000h
		ja	loc_8DEA5A

loc_78FBF1:				; CODE XREF: MiCreateDataFileMap+3Dj
		mov	eax, ebx
		mov	edx, 6D536D4Dh
		add	eax, 0FFFh
		push	0
		adc	edi, 0
		shrd	eax, edi, 0Ch
		push	100h
		push	20h
		shr	edi, 0Ch
		pop	ecx
		mov	[ebp+arg_8], eax
		mov	[ebp+var_1C], edi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8DEAEC
		push	0
		push	40h
		mov	edx, 61436D4Dh
		mov	ecx, 0B0h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	loc_8DEA64
		xor	eax, eax
		mov	[ebp+arg_18], eax
		and	esi, 10000h
		jnz	loc_8DEA69

loc_78FC57:				; CODE XREF: MiCreateDataFileMap+14EEEAj
		mov	ecx, [ebp+arg_8]

loc_78FC5A:				; CODE XREF: MiCreateDataFileMap+14EED6j
		mov	edi, esi
		mov	edx, 4000h
		neg	edi
		sbb	edi, edi
		and	edi, 1FC000h
		add	edi, edx
		test	eax, eax
		jnz	short loc_78FC76
		mov	eax, edi
		mov	[ebp+arg_18], eax

loc_78FC76:				; CODE XREF: MiCreateDataFileMap+CFj
		mov	edx, [ebp+var_1C]
		and	[ebp+arg_C], 0
		shld	edx, ecx, 3
		shl	ecx, 3
		and	[ebp+var_14], 0
		mov	[ebp+var_8], edx
		mov	edx, [ebp+var_4]
		mov	[ebp+var_18], ecx

loc_78FC91:				; CODE XREF: MiCreateDataFileMap+140j
		cmp	[ebp+var_8], 0
		ja	short loc_78FCA2
		jb	short loc_78FC9D
		cmp	ecx, eax
		jnb	short loc_78FCA2

loc_78FC9D:				; CODE XREF: MiCreateDataFileMap+F7j
		mov	eax, ecx
		mov	[ebp+arg_18], eax

loc_78FCA2:				; CODE XREF: MiCreateDataFileMap+F5j
					; MiCreateDataFileMap+FBj
		cmp	[ebp+arg_C], 0
		jnz	loc_78FEC1
		lea	ecx, [edx+50h]
		mov	[ebp+arg_C], ecx

loc_78FCB2:				; CODE XREF: MiCreateDataFileMap+346j
		mov	edx, [ebp+arg_C]
		mov	ecx, eax
		shr	ecx, 3
		mov	[edx+1Ch], ecx
		mov	ecx, edx
		mov	edx, [ebp+var_4]
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+var_18]
		sub	ecx, eax
		mov	[ebp+var_18], ecx
		sbb	[ebp+var_8], 0
		cmp	eax, edi
		jnb	short loc_78FCD8
		mov	[ebp+arg_18], edi

loc_78FCD8:				; CODE XREF: MiCreateDataFileMap+133j
		mov	eax, ecx
		or	eax, [ebp+var_8]
		mov	eax, [ebp+arg_18]
		jnz	short loc_78FC91
		mov	eax, [ebp+arg_0]
		mov	edi, ebx
		push	8
		pop	ecx
		mov	[eax], ebx
		xor	eax, eax
		rep stosd
		and	dword ptr [edx+44h], 0
		lea	eax, [edx+4]
		mov	[eax+4], eax
		mov	edi, 8000h
		mov	[eax], eax
		xor	eax, eax
		and	dword ptr [edx+3Ch], 0
		inc	eax
		cmp	[ebp+var_24], 0
		mov	ecx, [edx+1Ch]
		mov	[edx], ebx
		mov	[edx+40h], eax
		mov	[edx+0Ch], eax
		jz	loc_78FEB9
		or	ecx, edi

loc_78FD1F:				; CODE XREF: MiCreateDataFileMap+31Cj
		mov	eax, [ebp+arg_14]
		shl	eax, 14h
		xor	eax, ecx
		mov	[ebp+arg_18], 6
		and	eax, 3F00000h
		xor	eax, ecx
		or	eax, 82h
		mov	[edx+1Ch], eax
		test	esi, esi
		jnz	loc_8DEA8F
		test	[ebp+arg_10], 10000000h
		jnz	loc_8DEA9C
		test	[ebp+arg_10], 40000000h
		jnz	loc_8DEAAC

loc_78FD5F:				; CODE XREF: MiCreateDataFileMap+14EEF7j
					; MiCreateDataFileMap+14EF07j ...
		mov	eax, [ebp+var_C]
		lea	esi, [edx+50h]
		mov	edi, [ebp+var_10]
		mov	ecx, 3FFh
		mov	[ebx+14h], eax
		mov	eax, [ebp+arg_8]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_1C]
		xor	ax, [ebx+8]
		and	ax, cx
		mov	[ebx], edx
		xor	[ebx+8], ax
		mov	cl, [ebx+0Ah]
		mov	al, byte ptr [ebp+arg_18]
		and	cl, 0C1h
		add	al, al
		mov	[ebx+10h], edi
		or	cl, al
		mov	eax, [ebp+arg_18]
		mov	[ebx+0Ah], cl
		xor	ecx, ecx
		xor	ebx, ebx
		mov	[ebp+arg_10], ecx
		add	eax, eax
		mov	[ebp+arg_18], eax

loc_78FDA8:				; CODE XREF: MiCreateDataFileMap+29Aj
		mov	ax, [esi+10h]
		mov	[esi], edx
		xor	edx, edx
		inc	edx
		shl	cx, 6
		and	ax, dx
		mov	[esi+14h], ebx
		mov	edx, [esi+1Ch]
		or	cx, ax
		mov	eax, 0FFC1h
		and	cx, ax
		lea	eax, [esi+8]
		or	cx, word ptr [ebp+arg_18]
		cmp	dword ptr [eax], 0
		mov	[esi+10h], cx
		mov	[ebp+arg_C], eax
		jnz	short loc_78FE0C
		sub	edx, [ebp+arg_8]
		mov	eax, edi
		mov	cx, [esi+12h]
		add	edx, ebx
		xor	edx, [esi+24h]
		and	cx, 0Fh
		shl	eax, 4
		and	edx, 3FFFFFFFh
		xor	[esi+24h], edx
		or	cx, ax
		mov	eax, [ebp+var_C]
		mov	edx, edi
		shrd	edx, eax, 0Ch
		mov	[esi+12h], cx
		sub	edx, ebx

loc_78FE0C:				; CODE XREF: MiCreateDataFileMap+23Aj
		mov	ecx, [ebp+var_4]
		lea	eax, [esi+34h]
		mov	[esi+18h], edx
		mov	edx, esi
		add	ebx, [esi+1Ch]
		push	0
		adc	[ebp+arg_10], 0
		mov	[eax+4], eax
		mov	[eax], eax
		call	_MiInsertSubsectionNode@12 ; MiInsertSubsectionNode(x,x,x)
		mov	esi, [ebp+arg_C]
		mov	edx, [ebp+var_4]
		mov	edi, [ebp+var_10]
		mov	ecx, [ebp+arg_10]
		mov	esi, [esi]
		test	esi, esi
		jnz	loc_78FDA8
		xor	eax, eax

loc_78FE42:				; CODE XREF: MiCreateDataFileMap+2C0j
					; MiCreateDataFileMap+317j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_78FE49:				; CODE XREF: MiCreateDataFileMap+25j
		lea	ecx, [ebp+var_20]
		push	ecx
		push	eax
		call	FsRtlGetFileSize
		cmp	eax, 0C00000BAh
		jz	loc_8DEA46
		test	eax, eax
		js	short loc_78FE42
		mov	ebx, [ebp+var_20]
		mov	eax, ebx
		mov	edi, [ebp+var_1C]
		or	eax, edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edi
		jz	short loc_78FEEB

loc_78FE74:				; CODE XREF: MiCreateDataFileMap+351j
		cmp	[ebp+arg_8], edi
		jb	loc_78FBD7
		ja	short loc_78FE88
		cmp	[ebp+arg_4], ebx
		jbe	loc_78FBD7

loc_78FE88:				; CODE XREF: MiCreateDataFileMap+2DDj
		test	byte ptr [ebp+arg_C], 44h
		jz	loc_8DEA5A
		mov	ebx, [ebp+arg_4]
		lea	edx, [ebp+var_20]
		mov	edi, [ebp+arg_8]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_C], edi
		mov	[ebp+var_1C], edi
		call	FsRtlSetFileSize
		test	eax, eax
		jns	loc_78FBD7
		jmp	short loc_78FE42
; 

loc_78FEB9:				; CODE XREF: MiCreateDataFileMap+177j
		mov	[edx+18h], eax
		jmp	loc_78FD1F
; 

loc_78FEC1:				; CODE XREF: MiCreateDataFileMap+106j
		push	0
		push	40h
		push	54h
		mov	edx, 63536D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		jz	loc_8DEAC1
		mov	ecx, [ebp+var_14]
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_18]
		jmp	loc_78FCB2
; 

loc_78FEEB:				; CODE XREF: MiCreateDataFileMap+2D2j
		mov	eax, [ebp+arg_4]
		or	eax, [ebp+arg_8]
		jnz	short loc_78FE74
		jmp	loc_8DEA50
MiCreateDataFileMap endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiVerifyImageHeader proc near		; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+3D5p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DEAF6 SIZE 00000157 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, ecx
		cmp	dword ptr [ebx], 4550h
		jnz	loc_8DEAF6
		xor	ecx, ecx
		cmp	[ebx+4], cx
		jz	loc_8DEB08

loc_78FF1B:				; CODE XREF: MiVerifyImageHeader+14EC14j
		test	byte ptr [ebx+16h], 2
		jz	loc_8DEB26
		test	bl, 3
		jnz	loc_8DEB32
		mov	ax, [ebx+18h]
		mov	[esi+24h], ax
		mov	eax, [ebx+3Ch]
		mov	[esi+4], eax
		mov	eax, [ebx+38h]
		mov	[esi+8], eax
		mov	eax, [ebx+50h]
		mov	[esi+0Ch], eax
		mov	edx, [ebx+70h]
		mov	[esi+10h], edx
		mov	eax, [ebx+34h]
		mov	[esi], eax
		mov	eax, [ebx+54h]
		mov	[esi+14h], eax
		mov	eax, [ebx+28h]
		mov	[esi+18h], eax
		mov	eax, [ebx+60h]
		mov	[esi+1Ch], eax
		mov	eax, [ebx+64h]
		mov	[esi+20h], eax
		mov	ax, [ebx+5Ch]
		mov	[esi+26h], ax
		mov	ax, [ebx+48h]
		mov	[esi+28h], ax
		mov	ax, [ebx+4Ah]
		mov	[esi+2Ah], ax
		mov	ax, [ebx+40h]
		mov	[esi+2Ch], ax
		mov	ax, [ebx+42h]
		mov	[esi+2Eh], ax
		mov	ax, [ebx+5Eh]
		mov	[esi+30h], ax
		mov	eax, [ebx+58h]
		mov	[esi+34h], eax
		mov	eax, [ebx+1Ch]
		mov	[esi+38h], eax
		mov	[esi+5Ch], ecx
		mov	[esi+60h], ecx
		mov	eax, [ebx+74h]
		push	edi
		cmp	eax, 6
		jbe	short loc_78FFCF
		mov	edi, [ebx+0A8h]
		test	edi, edi
		jz	short loc_78FFCF
		mov	[esi+5Ch], edi
		mov	eax, [ebx+0ACh]
		mov	[esi+60h], eax
		mov	eax, [ebx+74h]

loc_78FFCF:				; CODE XREF: MiVerifyImageHeader+BCj
					; MiVerifyImageHeader+C6j
		push	0Ch
		pop	edi
		cmp	eax, edi
		jbe	short loc_78FFEB
		mov	eax, [ebx+0D8h]
		mov	[esi+3Ch], eax
		mov	eax, [ebx+0DCh]
		mov	[esi+40h], eax
		mov	eax, [ebx+74h]

loc_78FFEB:				; CODE XREF: MiVerifyImageHeader+DCj
		cmp	eax, 0Eh
		jbe	loc_790128
		mov	eax, [ebx+0E8h]
		mov	[esi+44h], eax
		mov	eax, [ebx+0ECh]
		mov	[esi+48h], eax
		cmp	[ebx+0E8h], ecx
		jnz	loc_790111

loc_790012:				; CODE XREF: MiVerifyImageHeader+21Fj
					; MiVerifyImageHeader+22Bj ...
		cmp	dword ptr [ebx+74h], 5
		jbe	loc_790133
		mov	eax, [ebx+0A0h]
		mov	[esi+4Ch], eax
		mov	eax, [ebx+0A4h]

loc_79002B:				; CODE XREF: MiVerifyImageHeader+240j
		mov	[esi+50h], eax
		cmp	dword ptr [ebx+74h], 0Ah
		jbe	loc_79013D
		mov	eax, [ebx+0C8h]
		mov	[esi+54h], eax

loc_790041:				; DATA XREF: PAGE:_szDynamicDsto
					; PAGE:_szDynamicDaylightDisabledo
		mov	ecx, [ebx+0CCh]

loc_790047:				; CODE XREF: MiVerifyImageHeader+248j
					; DATA XREF: PAGE:??_C@_1DA@DMELBCDN@?$AAH?$AAy?$AAb?$AAr?$AAi?$AAd?$AAB?$AAo?$AAo?$AAt?$AAA?$AAn?$AAi?$AAm?$AAa@NNGAKEGL@o
		mov	[esi+58h], ecx
		mov	eax, dword_6CF504
		test	eax, eax

loc_790051:				; DATA XREF: PAGE:008B7090o
					; PAGE:008B72B4o ...
		jnz	loc_8DEB46

loc_790057:				; CODE XREF: MiVerifyImageHeader+14EC56j
					; MiVerifyImageHeader+14EC64j ...
		movzx	eax, word ptr [esi+24h]
		mov	ecx, 10Bh
		cmp	ax, cx

loc_790063:				; DATA XREF: PAGE:008B712Co
		jnz	loc_790145
		mov	ecx, [esi+4]
		test	ecx, 1FFh

loc_790072:				; DATA XREF: PAGE:008BF2B8o
					; PAGE:??_C@_1BG@MCEEPJDG@?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt@NNGAKEGL@o
		jnz	loc_8DEB77

loc_790078:				; CODE XREF: MiVerifyImageHeader+14EC82j
		test	ecx, ecx
		jz	loc_8DEB8F
		mov	edx, [esi+8]
		lea	eax, [edx-1]
		test	eax, edx
		jnz	loc_8DEB9E
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	loc_8DEBAD
		cmp	edx, ecx
		jb	loc_8DEBBC
		mov	ecx, [esi+0Ch]
		cmp	ecx, 77000000h
		ja	loc_8DEBCB
		movzx	eax, word ptr [ebx+4]
		mov	edi, 14Ch
		mov	edx, eax
		cmp	ax, di
		jnz	loc_8DEBDA

loc_7900C4:				; CODE XREF: MiVerifyImageHeader+14ECEAj
		mov	edi, edx
		cmp	[esi+14h], ecx
		jnb	loc_8DEBF7
		movzx	eax, word ptr [esi]
		test	eax, eax
		jnz	loc_8DEC06
		movzx	edx, word ptr [ebx+16h]
		mov	ecx, edi
		call	MiLegacyImageArchitecture
		test	eax, eax
		jz	loc_8DEC15
		xor	eax, eax
		bt	dx, ax
		mov	ax, [esi+30h]
		push	0Ch
		setb	cl
		pop	edx
		bt	ax, dx
		setb	al
		test	cl, al
		jnz	short loc_790164

loc_790108:				; CODE XREF: MiVerifyImageHeader+14ED40j
		xor	eax, eax

loc_79010A:				; CODE XREF: MiVerifyImageHeader+26Aj
					; MiVerifyImageHeader+27Bj
		pop	edi

loc_79010B:				; CODE XREF: MiVerifyImageHeader+14EC0Bj
					; MiVerifyImageHeader+14EC29j ...
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_790111:				; CODE XREF: MiVerifyImageHeader+114j
		cmp	[ebx+0ECh], ecx
		jz	loc_790012
		or	edx, 1
		mov	[esi+10h], edx
		jmp	loc_790012
; 

loc_790128:				; CODE XREF: MiVerifyImageHeader+F6j
		mov	[esi+44h], ecx
		mov	[esi+48h], ecx
		jmp	loc_790012
; 

loc_790133:				; CODE XREF: MiVerifyImageHeader+11Ej
		mov	[esi+4Ch], ecx
		mov	eax, ecx
		jmp	loc_79002B
; 

loc_79013D:				; CODE XREF: MiVerifyImageHeader+13Aj
		mov	[esi+54h], ecx
		jmp	loc_790047
; 

loc_790145:				; CODE XREF: MiVerifyImageHeader:loc_790063j
		mov	ecx, 20Bh
		cmp	ax, cx
		jnz	loc_8DEB68
		mov	dword_6CF4F4, 4Ah
		mov	eax, 0C000035Ah
		jmp	short loc_79010A
; 

loc_790164:				; CODE XREF: MiVerifyImageHeader+20Ej
		mov	dword_6CF4F4, 57h

loc_79016E:				; CODE XREF: MiVerifyImageHeader+14EC7Aj
					; MiVerifyImageHeader+14EC92j ...
		mov	eax, 0C000007Bh
		jmp	short loc_79010A
MiVerifyImageHeader endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiBuildImageControlArea	proc near	; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+5D1p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008DEC4D SIZE 00000188 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, [ebp+arg_4]
		push	edi
		mov	[ebp+var_24], ecx
		mov	[ebp+var_8], edx
		movzx	ecx, word ptr [eax+2]
		mov	eax, [edx+0Ch]
		mov	edi, eax
		and	edi, 0FFFh
		mov	[ebp+var_20], ecx
		neg	edi
		sbb	edi, edi
		shr	eax, 0Ch
		neg	edi
		add	edi, eax
		mov	[ebp+var_14], edi
		jz	loc_8DEC4D
		mov	eax, [ebp+arg_8]
		and	eax, 200000h
		push	esi
		lea	esi, [ecx+1]
		mov	[ebp+var_18], eax
		jnz	loc_8DEC57

loc_7901C3:				; CODE XREF: MiBuildImageControlArea+14EAE4j
		mov	ecx, ds:_MiFlags
		neg	eax
		sbb	edx, edx
		shr	ecx, 0Dh
		imul	eax, esi, 0Ah
		and	ecx, 1
		and	edx, 0F8000000h
		add	edx, 69436D4Dh
		add	ecx, eax
		xor	eax, eax
		push	eax
		push	40h
		mov	[ebp+var_1C], eax
		lea	ecx, ds:68h[ecx*4]
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_8DEC5F
		push	ebx
		lea	ebx, [eax+50h]
		imul	ecx, esi, 28h
		push	2
		pop	edx
		add	ecx, ebx
		mov	[eax+38h], ecx
		mov	[ebp+var_28], ecx
		mov	eax, [ecx+0Ch]
		and	eax, 0FFFFFFFAh
		or	eax, edx
		mov	edx, 74536D4Dh
		mov	[ecx+0Ch], eax
		xor	ecx, ecx
		mov	eax, edi
		push	ecx
		shl	eax, 3
		push	112h
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8DEC73
		mov	eax, edi
		shl	eax, 3
		push	eax		; size_t
		xor	eax, eax
		push	eax		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	edx, 6765534Dh
		push	eax
		push	100h
		push	70h
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_8DEC84
		mov	[eax+1Ch], ecx
		mov	ecx, [ebp+var_C]
		mov	[eax], ecx
		mov	ecx, 1000h
		mov	[eax+28h], esi
		mov	[eax+4], edi
		mov	eax, edi
		mul	ecx
		mov	ecx, [ebp+var_4]
		mov	[ecx+10h], eax
		mov	eax, ecx
		lea	ecx, [eax+30h]
		mov	[eax+14h], edx
		mov	edx, [ebp+var_8]
		mov	[eax+24h], ecx
		mov	[ebp+var_10], ecx
		mov	eax, [edx+14h]
		mov	[ecx+30h], eax
		mov	eax, [edx+0Ch]
		mov	[ecx+34h], eax
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+4]
		mov	[ecx+38h], eax
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ecx+28h], eax
		mov	eax, [edx]
		add	eax, [edx+18h]
		mov	[ecx], eax
		mov	eax, [edx+1Ch]
		mov	[ecx+8], eax
		mov	eax, [edx+20h]
		mov	[ecx+0Ch], eax
		movzx	eax, word ptr [edx+26h]
		mov	[ecx+10h], eax
		mov	ax, [edx+28h]
		mov	[ecx+16h], ax
		mov	ax, [edx+2Ah]
		mov	[ecx+14h], ax
		mov	ax, [edx+2Ch]
		mov	[ecx+18h], ax
		mov	ax, [edx+2Eh]
		mov	[ecx+1Ah], ax
		mov	ax, [edx+30h]
		mov	[ecx+1Eh], ax
		mov	eax, [edx+34h]
		mov	[ecx+2Ch], eax
		xor	eax, eax
		cmp	[edx+38h], eax
		jz	loc_7904D4

loc_790315:				; CODE XREF: MiBuildImageControlArea+369j
		mov	cl, 1

loc_790317:				; CODE XREF: MiBuildImageControlArea+363j
		mov	eax, [ebp+var_10]
		mov	[eax+22h], cl
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_10]
		mov	ax, [eax+12h]
		mov	[ecx+1Ch], ax
		mov	eax, [ebp+arg_4]
		mov	ax, [eax]
		mov	[ecx+20h], ax
		mov	eax, [edx+10h]
		mov	[ecx+24h], eax
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		lea	eax, [ecx+4]
		mov	[eax+4], eax
		mov	[eax], eax
		xor	eax, eax
		mov	[ecx+44h], eax
		inc	eax
		test	byte ptr [ebp+arg_8], 1
		mov	dword ptr [ecx+40h], 1
		mov	[ecx+0Ch], eax
		jnz	short loc_790364
		mov	[ecx+18h], eax

loc_790364:				; CODE XREF: MiBuildImageControlArea+1E9j
		mov	eax, [ebp+arg_0]
		or	dword ptr [ecx+30h], 0FFFFFFFFh
		shl	eax, 14h
		xor	eax, [ecx+1Ch]
		and	eax, 3F00000h
		xor	eax, [ecx+1Ch]
		or	eax, 0A2h
		mov	[ecx+1Ch], eax
		xor	eax, eax
		mov	[ecx+3Ch], eax
		cmp	[edx+5Ch], eax
		mov	eax, [ebp+var_4]
		setz	cl
		dec	cl
		and	cl, 80h
		mov	al, [eax+0Ah]
		and	al, 7Fh
		or	cl, al
		mov	eax, [ebp+var_4]
		mov	[eax+0Ah], cl
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_C]
		mov	[ebx], eax
		mov	eax, [edx]
		mov	[ecx+18h], eax
		xor	ecx, ecx
		mov	[ebx+4], esi
		cmp	[ebp+var_18], ecx
		jnz	loc_8DECC0
		mov	eax, [edx+14h]
		test	eax, eax
		jz	loc_8DEDA1
		mov	ecx, [edx+8]
		mov	[ebp+arg_C], ecx
		dec	ecx
		add	ecx, eax
		mov	[ebp+arg_4], ecx
		cmp	ecx, eax
		jbe	loc_8DEDB5
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+arg_4]
		dec	ecx
		shr	eax, 0Ch
		not	ecx
		mov	[ebp+arg_C], eax
		mov	eax, ecx
		and	ecx, [ebp+arg_4]
		shr	eax, 0Ch
		and	[ebp+arg_C], eax
		mov	eax, 0FFFh
		and	ecx, eax
		add	ecx, eax
		mov	eax, [ebp+arg_C]
		shr	ecx, 0Ch
		add	eax, ecx
		mov	[ebp+arg_C], eax
		mov	[ebx+1Ch], eax
		cmp	eax, edi
		ja	loc_8DEDC1
		sub	edi, eax
		mov	eax, [edx+14h]
		shr	eax, 9
		mov	[ebx+18h], eax
		mov	eax, 1FFh
		mov	cx, [edx+14h]
		and	cx, ax
		mov	[ebp+var_14], edi
		mov	ax, [ebx+12h]
		shl	cx, 4
		and	ax, 0Fh
		or	cx, ax
		mov	ax, [ebx+10h]
		mov	[ebx+12h], cx
		mov	ecx, 0FFC3h
		and	ax, cx
		push	2
		pop	ecx
		or	ax, cx
		mov	ecx, ebx
		mov	[ebx+10h], ax
		call	_MiMakeSubsectionPte@4 ; MiMakeSubsectionPte(x)
		xor	ecx, ecx
		mov	[ebp+var_18], edx
		mov	edx, [ebp+var_8]
		mov	[ebp+var_1C], eax
		mov	[ebp+arg_4], ecx
		cmp	[ebp+arg_C], ecx
		jbe	loc_790514
		mov	edi, ecx

loc_790477:				; CODE XREF: MiBuildImageControlArea+371j
		cmp	edi, [edx+14h]
		jnb	short loc_7904E9
		mov	[esi], eax
		mov	eax, [ebp+var_18]
		mov	[esi+4], eax

loc_790484:				; CODE XREF: MiBuildImageControlArea+399j
		mov	eax, [ebx+1Ch]
		add	edi, 1000h
		add	esi, 8
		inc	ecx
		mov	[ebp+arg_4], ecx
		cmp	ecx, eax
		jb	short loc_7904E4
		mov	edi, [ebp+var_14]

loc_79049B:				; CODE XREF: MiBuildImageControlArea+3A1j
		imul	eax, -8
		add	esi, eax

loc_7904A0:				; CODE XREF: MiBuildImageControlArea+14EC26j
		mov	ebx, [ebp+var_C]
		mov	ecx, ebx
		push	edi
		push	edx
		push	[ebp+var_20]
		mov	edx, [ebp+var_24]
		push	[ebp+arg_8]
		call	MiParseImageSectionHeaders
		mov	edi, eax
		test	edi, edi
		js	short loc_790519
		mov	ecx, [ebp+var_28]
		xor	edx, edx
		inc	edx
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)
		mov	eax, [ebp+arg_10]
		mov	[eax], ebx
		xor	eax, eax

loc_7904CD:				; CODE XREF: MiBuildImageControlArea+14EB45j
		pop	ebx

loc_7904CE:				; CODE XREF: MiBuildImageControlArea+14EAF8j
		pop	esi

loc_7904CF:				; CODE XREF: MiBuildImageControlArea+14EADCj
		pop	edi
		leave
		retn	14h
; 

loc_7904D4:				; CODE XREF: MiBuildImageControlArea+199j
		mov	cl, al
		cmp	[edx+18h], eax
		jz	loc_790317
		jmp	loc_790315
; 

loc_7904E4:				; CODE XREF: MiBuildImageControlArea+320j
		mov	eax, [ebp+var_1C]
		jmp	short loc_790477
; 

loc_7904E9:				; CODE XREF: MiBuildImageControlArea+304j
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+4], eax
		mov	eax, [ebx+24h]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 3FFFFFFFh
		xor	ecx, eax
		mov	[ebx+24h], ecx
		mov	ecx, [ebp+arg_4]
		jmp	loc_790484
; 

loc_790514:				; CODE XREF: MiBuildImageControlArea+2F9j
		mov	eax, [ebx+1Ch]
		jmp	short loc_79049B
; 

loc_790519:				; CODE XREF: MiBuildImageControlArea+343j
					; MiBuildImageControlArea+14EC5Aj
		xor	ecx, ecx
		jmp	loc_8DEC93
MiBuildImageControlArea	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiParseImageSectionHeaders proc	near	; CODE XREF: MiBuildImageControlArea+33Ap

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DEDD5 SIZE 00000139 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, [ecx+54h]
		push	ebx
		push	esi
		mov	esi, [ecx+6Ch]
		mov	ebx, edx
		lea	edx, [ecx+50h]
		mov	[ebp+var_4], ecx
		mov	ecx, [ecx]
		push	edi
		lea	edi, [eax+esi*8]
		mov	[ebp+var_14], edx
		mov	esi, [ebp+arg_0]
		mov	al, [ecx+0Ah]
		and	al, 0CFh
		mov	[ebp+var_18], ecx
		or	al, 0Eh
		mov	[ecx+0Ah], al
		test	esi, 200000h
		jnz	loc_8DEDD5
		mov	eax, [ebp+arg_8]
		mov	edx, [edx+1Ch]
		shl	edx, 0Ch
		add	edx, [ecx+18h]
		mov	eax, [eax+8]
		mov	[ebp+var_40], eax
		mov	eax, [ecx+24h]
		mov	[ebp+var_38], eax
		mov	[ebp+var_10], edx
		mov	eax, [eax+28h]
		lea	ecx, [eax+1]
		mov	[ebp+var_3C], ecx
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+arg_C]
		jz	loc_790775
		lea	eax, [ebx+14h]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_8], eax
		jmp	short loc_7905A0
; 
		align 10h

loc_7905A0:				; CODE XREF: MiParseImageSectionHeaders+7Bj
					; MiParseImageSectionHeaders+246j
		mov	ecx, [eax-0Ch]
		mov	ebx, [ebp+var_14]
		mov	eax, [eax-4]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jz	loc_8DEE3E

loc_7905B7:				; CODE XREF: MiParseImageSectionHeaders+14E921j
		mov	ecx, [ebp+var_8]
		test	eax, eax
		jz	loc_79081D

loc_7905C2:				; CODE XREF: MiParseImageSectionHeaders+300j
					; MiParseImageSectionHeaders+14E934j
		mov	ecx, [ecx]
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_8DEED2
		mov	ecx, [ebp+var_14]
		lea	eax, [ecx+28h]
		mov	[ebp+var_14], eax
		mov	[ecx+8], eax
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+arg_8]
		mov	eax, [eax-8]
		add	eax, [ecx]
		cmp	edx, eax
		jnz	loc_8DEEBE
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	loc_8DEEBE
		mov	edx, [ebp+var_40]
		lea	ecx, [eax-1]
		add	ecx, edx
		cmp	ecx, eax
		jbe	loc_8DEEAA
		mov	eax, edx
		shr	ecx, 0Ch
		mov	edx, [ebp+var_28]
		neg	eax
		shr	eax, 0Ch
		and	eax, ecx
		mov	[ebx+44h], eax
		cmp	eax, edx
		ja	loc_8DEE96
		cmp	[ebp+var_24], 1
		mov	ecx, eax
		jz	loc_7907E4

loc_790633:				; CODE XREF: MiParseImageSectionHeaders+2C8j
					; MiParseImageSectionHeaders+14E93Ej
		mov	eax, [ebp+var_8]
		sub	edx, ecx
		mov	ecx, [ebp+arg_8]
		mov	dword ptr [ebx+38h], 0
		mov	[ebp+var_28], edx
		mov	eax, [eax]
		shr	eax, 9
		mov	[ebx+3Ch], eax
		mov	ecx, [ecx+4]
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_8]
		mov	edx, [eax]
		mov	eax, [eax-4]
		add	eax, ecx
		neg	ecx
		lea	ebx, [edx-1]
		add	ebx, eax
		and	ebx, ecx
		cmp	ebx, edx
		jb	loc_8DEE82
		mov	edx, [ebp+var_C]
		mov	eax, ebx
		shr	eax, 9
		and	ebx, 1FFh
		sub	eax, [ebp+arg_4]
		shl	ebx, 4
		mov	[edx+40h], eax
		mov	eax, [ebp+var_8]
		mov	[edx+3Ah], bx
		mov	[edx+2Ch], edi
		mov	ecx, [eax+10h]
		call	_MiGetSubsectionImageProtection@4 ; MiGetSubsectionImageProtection(x)
		movsx	ebx, al
		test	bl, 2
		jnz	loc_7907D8

loc_7906A3:				; CODE XREF: MiParseImageSectionHeaders+2BFj
		mov	ecx, [ebp+var_14]
		lea	eax, [ebx+ebx]
		xor	ax, [edx+38h]
		and	ax, 3Eh
		xor	[edx+38h], ax
		call	_MiMakeSubsectionPte@4 ; MiMakeSubsectionPte(x)
		mov	ecx, ebx
		mov	[ebp+var_2C], eax
		mov	[ebp+var_30], edx
		call	_MiMakeDemandZeroPte@4 ; MiMakeDemandZeroPte(x)
		mov	[ebp+var_34], edx
		mov	edx, [ebp+var_8]
		mov	[ebp+var_44], eax
		mov	ecx, [edx]
		test	ecx, ecx
		jz	loc_79082B

loc_7906DA:				; CODE XREF: MiParseImageSectionHeaders+314j
		mov	eax, [edx-4]
		add	ecx, eax
		mov	[ebp+var_3C], ecx
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_20], eax
		mov	byte ptr [ebp+arg_C+3],	0
		mov	byte ptr [ebp+arg_4+3],	0
		test	bl, 4
		jnz	loc_7907C4

loc_7906F9:				; CODE XREF: MiParseImageSectionHeaders+2B3j
		mov	edx, [ebp+var_C]
		xor	eax, eax
		xor	ebx, ebx
		cmp	[edx+44h], eax
		mov	edx, [ebp+var_10]
		jbe	short loc_790759
		mov	esi, [ebp+var_C]
		jmp	short loc_790710
; 
		align 10h

loc_790710:				; CODE XREF: MiParseImageSectionHeaders+1EBj
					; MiParseImageSectionHeaders+234j
		cmp	eax, [ebp+var_1C]
		jnb	loc_7907F3
		cmp	byte ptr [ebp+arg_C+3],	1
		jz	loc_790854

loc_790723:				; CODE XREF: MiParseImageSectionHeaders+33Dj
		cmp	byte ptr [ebp+arg_4+3],	1
		jz	short loc_79079A

loc_790729:				; CODE XREF: MiParseImageSectionHeaders+283j
		cmp	eax, [ebp+var_20]
		jnb	short loc_7907A5
		inc	dword ptr [ecx+48h]
		mov	esi, [ebp+var_2C]
		mov	[edi], esi
		mov	esi, [ebp+var_30]
		mov	[edi+4], esi
		mov	esi, [ebp+var_C]

loc_79073F:				; CODE XREF: MiParseImageSectionHeaders+29Fj
		add	edx, 1000h
		inc	ebx
		add	eax, 1000h
		mov	[ebp+var_10], edx
		add	edi, 8
		cmp	ebx, [esi+44h]
		jb	short loc_790710
		mov	esi, [ebp+arg_0]

loc_790759:				; CODE XREF: MiParseImageSectionHeaders+1E6j
		mov	eax, [ebp+var_8]
		add	eax, 28h
		sub	[ebp+var_24], 1
		mov	[ebp+var_8], eax
		jnz	loc_7905A0
		mov	eax, [ebp+var_38]
		mov	ecx, [ebp+var_28]
		mov	eax, [eax+28h]

loc_790775:				; CODE XREF: MiParseImageSectionHeaders+6Cj
		cmp	[ebp+var_3C], eax
		ja	loc_8DEEE6
		mov	eax, [ebp+arg_8]
		mov	eax, [eax+8]
		shr	eax, 0Ch
		cmp	ecx, eax
		jnb	loc_8DEEFA

loc_79078F:				; CODE XREF: MiParseImageSectionHeaders+14E8F1j
		xor	eax, eax

loc_790791:				; CODE XREF: MiParseImageSectionHeaders+14E905j
					; MiParseImageSectionHeaders+14E919j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_79079A:				; CODE XREF: MiParseImageSectionHeaders+207j
		mov	ecx, [ebp+var_18]
		inc	dword ptr [ecx+20h]
		mov	ecx, [ebp+var_4]
		jmp	short loc_790729
; 

loc_7907A5:				; CODE XREF: MiParseImageSectionHeaders+20Cj
		mov	ecx, [ebp+var_44]
		mov	[edi], ecx
		mov	ecx, [ebp+var_34]
		mov	[edi+4], ecx
		mov	cl, byte ptr [ebp+arg_4+3]
		or	cl, byte ptr [ebp+arg_C+3]
		jz	loc_8DEE63

loc_7907BC:				; CODE XREF: MiParseImageSectionHeaders+2FBj
					; MiParseImageSectionHeaders+14E949j
		mov	ecx, [ebp+var_4]
		jmp	loc_79073F
; 

loc_7907C4:				; CODE XREF: MiParseImageSectionHeaders+1D3j
		and	ebx, 5
		cmp	bl, 5
		jnz	short loc_790839
		mov	byte ptr [ebp+arg_4+3],	1

loc_7907D0:				; CODE XREF: MiParseImageSectionHeaders+32Fj
		mov	[ebp+var_20], eax
		jmp	loc_7906F9
; 

loc_7907D8:				; CODE XREF: MiParseImageSectionHeaders+17Dj
		mov	eax, [ebp+var_38]
		mov	byte ptr [eax+22h], 1
		jmp	loc_7906A3
; 

loc_7907E4:				; CODE XREF: MiParseImageSectionHeaders+10Dj
		mov	ecx, eax
		cmp	eax, edx
		jz	loc_790633
		jmp	loc_8DEE59
; 

loc_7907F3:				; CODE XREF: MiParseImageSectionHeaders+1F3j
		mov	ecx, ds:_ZeroPte
		mov	[edi], ecx
		nop
		mov	ecx, ds:dword_40F9FC
		mov	[edi+4], ecx
		mov	ecx, [esi+4Ch]
		lea	edx, [ecx+1]
		xor	edx, ecx
		and	edx, 3FFFFFFFh
		xor	edx, ecx
		mov	[esi+4Ch], edx
		mov	edx, [ebp+var_10]
		jmp	short loc_7907BC
; 

loc_79081D:				; CODE XREF: MiParseImageSectionHeaders+9Cj
		cmp	dword ptr [ecx], 0
		jz	loc_7905C2
		jmp	loc_8DEE46
; 

loc_79082B:				; CODE XREF: MiParseImageSectionHeaders+1B4j
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_34]
		mov	[ebp+var_30], eax
		jmp	loc_7906DA
; 

loc_790839:				; CODE XREF: MiParseImageSectionHeaders+2AAj
		mov	eax, [ebp+var_C]
		mov	byte ptr [ebp+arg_C+3],	1
		or	word ptr [eax+3Ah], 2
		or	dword ptr [ecx+1Ch], 20000h
		mov	eax, [edx-4]
		jmp	loc_7907D0
; 

loc_790854:				; CODE XREF: MiParseImageSectionHeaders+1FDj
		mov	edx, [ebp+var_18]
		inc	dword ptr [edx+0Ch]
		mov	edx, [ebp+var_10]
		jmp	loc_790723
MiParseImageSectionHeaders endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreatePagingFileMap(x)
_MiCreatePagingFileMap@4 proc near	; CODE XREF: MiCreateSection+17Fp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		mov	[ebp+var_18], edi
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], eax
		mov	esi, [edi+8]
		mov	[ebp+var_60], eax
		mov	[ebp+var_14], esi
		test	esi, 1000000h
		jz	short loc_7908A5
		mov	eax, 0C0000020h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7908A5:				; CODE XREF: MiCreatePagingFileMap(x)+27j
		mov	al, [edi+7Ch]
		mov	[ebp+var_1], al
		test	al, al
		jz	short loc_7908E4
		mov	ecx, esi
		call	_MiValidateUserPhysicalExternalFlags@4 ; MiValidateUserPhysicalExternalFlags(x)
		test	eax, eax
		js	short loc_7908D8
		mov	eax, [edi+14h]
		and	al, 7
		cmp	al, 4
		jz	short loc_7908CF
		mov	eax, 0C0000045h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7908CF:				; CODE XREF: MiCreatePagingFileMap(x)+51j
		mov	eax, [edi+18h]
		and	al, 7
		cmp	al, 4
		jz	short loc_7908FC

loc_7908D8:				; CODE XREF: MiCreatePagingFileMap(x)+48j
		mov	eax, 0C000000Dh
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7908E4:				; CODE XREF: MiCreatePagingFileMap(x)+3Dj
		test	esi, esi
		jns	short loc_790925
		test	esi, 8000000h
		jnz	short loc_7908FC
		mov	eax, 0C00000F4h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7908FC:				; CODE XREF: MiCreatePagingFileMap(x)+66j
					; MiCreatePagingFileMap(x)+7Ej
		movzx	eax, byte ptr [edi+2Ch]
		push	eax
		mov	eax, ds:dword_A94A5C
		push	eax
		mov	eax, ds:_SeLockMemoryPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_790922
		mov	eax, 0C0000061h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_790922:				; CODE XREF: MiCreatePagingFileMap(x)+A4j
		mov	al, [ebp+var_1]

loc_790925:				; CODE XREF: MiCreatePagingFileMap(x)+76j
		mov	ebx, [edi+60h]
		mov	ecx, [edi+64h]
		test	al, al
		jz	short loc_79093E
		or	ebx, ecx
		jnz	loc_791031
		mov	ebx, 1
		jmp	short loc_790973
; 

loc_79093E:				; CODE XREF: MiCreatePagingFileMap(x)+BDj
		mov	eax, ebx
		or	eax, ecx
		jz	loc_791031
		cmp	ecx, 1FFh
		jb	short loc_790966
		ja	short loc_79095A
		cmp	ebx, 0FFFFF000h
		jbe	short loc_790966

loc_79095A:				; CODE XREF: MiCreatePagingFileMap(x)+E0j
		mov	eax, 0C0000040h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_790966:				; CODE XREF: MiCreatePagingFileMap(x)+DEj
					; MiCreatePagingFileMap(x)+E8j
		add	ebx, 0FFFh
		adc	ecx, 0
		shrd	ebx, ecx, 0Ch

loc_790973:				; CODE XREF: MiCreatePagingFileMap(x)+CCj
		mov	eax, large fs:124h
		mov	[ebp+var_30], eax
		mov	eax, [edi+74h]
		mov	[ebp+var_50], ebx
		mov	[ebp+var_54], 0
		mov	[ebp+var_2], 0
		test	eax, eax
		jz	short loc_790995
		mov	ecx, [eax]
		jmp	short loc_79099A
; 

loc_790995:				; CODE XREF: MiCreatePagingFileMap(x)+11Fj
		mov	ecx, offset _MiSystemPartition

loc_79099A:				; CODE XREF: MiCreatePagingFileMap(x)+123j
		mov	eax, esi
		mov	[ebp+var_10], ecx
		and	eax, 8000000h
		mov	[ebp+var_20], eax
		jz	loc_790AAF
		test	esi, 80000h
		jz	short loc_7909BE
		test	bl, 0Fh
		jnz	loc_791031

loc_7909BE:				; CODE XREF: MiCreatePagingFileMap(x)+143j
		test	esi, esi
		jns	short loc_7909CE
		test	ebx, 1FFh
		jnz	loc_791031

loc_7909CE:				; CODE XREF: MiCreatePagingFileMap(x)+150j
		push	0
		mov	edx, ebx
		call	MiChargeCommit
		test	eax, eax
		jnz	short loc_7909E7
		mov	eax, 0C000012Dh
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7909E7:				; CODE XREF: MiCreatePagingFileMap(x)+169j
		test	esi, esi
		jns	loc_790AAF
		mov	esi, [ebp+var_10]
		mov	edx, ebx
		push	0
		mov	ecx, esi
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jz	loc_790E3D
		mov	eax, [edi+70h]
		mov	[ebp+var_2], 1
		test	eax, eax
		jnz	short loc_790A29
		mov	ecx, [ebp+var_30]
		mov	eax, [ecx+16Ch]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		movzx	eax, byte ptr [eax+4C1h]
		jmp	short loc_790A2A
; 

loc_790A29:				; CODE XREF: MiCreatePagingFileMap(x)+19Ej
		dec	eax

loc_790A2A:				; CODE XREF: MiCreatePagingFileMap(x)+1B7j
		movzx	esi, ds:_KeNumberNodes
		mov	ecx, dword_6D0698
		mov	edx, esi
		imul	edx, eax
		push	0
		lea	ecx, [ecx+edx*4]
		mov	edx, ebx
		mov	[ebp+var_38], ecx
		lea	ecx, [ecx+esi*4]
		mov	[ebp+var_4C], ecx
		lea	ecx, [ebp+var_68]
		push	ecx
		mov	ecx, [edi+18h]
		push	ecx
		mov	ecx, [ebp+var_10]
		push	eax
		push	200h
		call	_MiAllocateLargeZeroPages@28 ; MiAllocateLargeZeroPages(x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, ebx
		jz	short loc_790AAC
		jmp	short loc_790A70
; 
		align 10h

loc_790A70:				; CODE XREF: MiCreatePagingFileMap(x)+1F8j
					; MiCreatePagingFileMap(x)+230j
		mov	eax, [ebp+var_38]
		add	eax, 4
		mov	[ebp+var_38], eax
		cmp	eax, [ebp+var_4C]
		jz	short loc_790AA4
		mov	eax, [eax]
		lea	ecx, [ebp+var_68]
		push	0
		push	ecx
		mov	ecx, [edi+18h]
		mov	edx, ebx
		push	ecx
		mov	ecx, [ebp+var_10]
		sub	edx, esi
		push	eax
		push	200h
		call	_MiAllocateLargeZeroPages@28 ; MiAllocateLargeZeroPages(x,x,x,x,x,x,x)
		add	esi, eax
		cmp	esi, ebx
		jnz	short loc_790A70
		jmp	short loc_790AAC
; 

loc_790AA4:				; CODE XREF: MiCreatePagingFileMap(x)+20Cj
		cmp	esi, ebx
		jnz	loc_790E3A

loc_790AAC:				; CODE XREF: MiCreatePagingFileMap(x)+1F6j
					; MiCreatePagingFileMap(x)+232j
		mov	esi, [ebp+var_14]

loc_790AAF:				; CODE XREF: MiCreatePagingFileMap(x)+137j
					; MiCreatePagingFileMap(x)+179j
		mov	eax, esi
		mov	[ebp+var_1C], 0
		and	eax, 88000000h
		mov	[ebp+var_5C], eax
		cmp	eax, 8000000h
		jnz	short loc_790AD1
		mov	[ebp+var_3C], ebx
		mov	eax, 1
		jmp	short loc_790AF6
; 

loc_790AD1:				; CODE XREF: MiCreatePagingFileMap(x)+255j
		mov	ecx, esi
		xor	edx, edx
		sar	ecx, 1Fh
		mov	eax, ebx
		and	ecx, 1FC000h
		add	ecx, 4000h
		shr	ecx, 3
		div	ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_C], eax
		test	edx, edx
		jz	short loc_790AF9
		inc	eax

loc_790AF6:				; CODE XREF: MiCreatePagingFileMap(x)+25Fj
		mov	[ebp+var_C], eax

loc_790AF9:				; CODE XREF: MiCreatePagingFileMap(x)+283j
		lea	ecx, ds:0[eax*8]
		mov	edx, 61436D4Dh
		sub	ecx, eax
		push	0
		push	40h
		lea	ecx, ds:50h[ecx*8]
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_790E3A
		push	0
		push	100h
		mov	edx, 6765534Dh
		mov	ecx, 34h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_38], edx
		test	edx, edx
		jz	loc_790DD2
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_C]
		mov	dword ptr [edx+30h], 0
		mov	[ecx+38h], eax
		mov	eax, ecx
		mov	[eax], edx
		lea	ecx, [eax+4]
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	ecx, [eax+1Ch]
		mov	dword ptr [eax+40h], 1
		mov	dword ptr [eax+44h], 0
		mov	dword ptr [eax+0Ch], 1
		mov	dword ptr [eax+18h], 1
		test	esi, 200000h
		jz	short loc_790B8E
		or	ecx, 40h
		mov	[eax+1Ch], ecx

loc_790B8E:				; CODE XREF: MiCreatePagingFileMap(x)+316j
		test	esi, 4000000h
		jz	short loc_790B9F
		or	ecx, 1000h
		mov	[eax+1Ch], ecx

loc_790B9F:				; CODE XREF: MiCreatePagingFileMap(x)+324j
		cmp	[ebp+var_20], 0
		jz	short loc_790BAE
		or	ecx, 2000h
		mov	[eax+1Ch], ecx

loc_790BAE:				; CODE XREF: MiCreatePagingFileMap(x)+333j
		test	esi, 80000h
		jz	short loc_790BBF
		or	ecx, 80000000h
		mov	[eax+1Ch], ecx

loc_790BBF:				; CODE XREF: MiCreatePagingFileMap(x)+344j
		mov	eax, [edi+70h]
		shl	eax, 14h
		xor	eax, ecx
		and	eax, 3F00000h
		xor	eax, ecx
		mov	ecx, [ebp+var_8]
		push	30h		; size_t
		push	0		; int
		push	edx		; void *
		mov	[ecx+1Ch], eax
		mov	dword ptr [ecx+3Ch], 0
		call	_memset
		mov	ecx, [ebp+var_38]
		add	esp, 0Ch
		test	esi, 10000000h
		jz	short loc_790BFA
		mov	eax, 8000h
		jmp	short loc_790C07
; 

loc_790BFA:				; CODE XREF: MiCreatePagingFileMap(x)+381j
		test	esi, 40000000h
		jz	short loc_790C0B
		mov	eax, 4000h

loc_790C07:				; CODE XREF: MiCreatePagingFileMap(x)+388j
		or	[ecx+8], ax

loc_790C0B:				; CODE XREF: MiCreatePagingFileMap(x)+390j
		mov	al, [edi+18h]
		mov	edx, 1000h
		add	al, al
		mov	esi, [ebp+var_8]
		xor	al, [ecx+0Ah]
		and	al, 3Eh
		xor	[ecx+0Ah], al
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+0E4h]
		mov	[ecx+20h], eax
		lea	eax, [ecx+10h]
		mov	[ebp+var_34], eax
		mov	eax, ebx
		mul	edx
		cmp	[ebp+var_1], 0
		mov	[ecx], esi
		mov	esi, [ebp+var_34]
		mov	[ecx+4], ebx
		mov	[esi], eax
		mov	eax, esi
		mov	esi, [ebp+var_8]
		mov	[eax+4], edx
		jz	short loc_790CB0
		mov	eax, [edi+8]
		xor	ecx, ecx
		test	eax, eax
		jns	short loc_790C67
		mov	ecx, 2
		jmp	short loc_790C73
; 

loc_790C67:				; CODE XREF: MiCreatePagingFileMap(x)+3EEj
		test	eax, 80000h
		jz	short loc_790C73
		mov	ecx, 1

loc_790C73:				; CODE XREF: MiCreatePagingFileMap(x)+3F5j
					; MiCreatePagingFileMap(x)+3FCj
		test	eax, 10000000h
		jz	short loc_790C7F
		or	ecx, 10h
		jmp	short loc_790C89
; 

loc_790C7F:				; CODE XREF: MiCreatePagingFileMap(x)+408j
		test	eax, 40000000h
		jz	short loc_790C89
		or	ecx, 8

loc_790C89:				; CODE XREF: MiCreatePagingFileMap(x)+40Dj
					; MiCreatePagingFileMap(x)+414j
		test	byte ptr [edi+80h], 1
		jz	short loc_790C95
		or	ecx, 4

loc_790C95:				; CODE XREF: MiCreatePagingFileMap(x)+420j
		lea	eax, [ebp+var_54]
		xor	edx, edx
		push	eax
		movzx	eax, byte ptr [edi+2Ch]
		push	eax
		push	ecx
		mov	ecx, esi
		call	_MiAllocateAweInfo@20 ;	MiAllocateAweInfo(x,x,x,x,x)
		test	eax, eax
		js	loc_790DD5

loc_790CB0:				; CODE XREF: MiCreatePagingFileMap(x)+3E5j
		cmp	[ebp+var_C], 0
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_28], 0
		mov	[ebp+var_2C], 0
		mov	[ebp+var_24], ebx
		lea	eax, [ecx+50h]
		mov	[ebp+var_40], 0
		mov	esi, eax
		mov	[ebp+var_4C], eax
		mov	edx, esi
		jbe	loc_790E73
		mov	[ebp+var_44], 0
		mov	[ebp+var_48], 0
		lea	ecx, [ecx+0]

loc_790CF0:				; CODE XREF: MiCreatePagingFileMap(x)+555j
		mov	eax, [esi+34h]
		and	eax, 0FFFFFFF9h
		mov	[esi], ecx
		mov	ecx, [ebp+var_24]
		or	eax, 1
		mov	[esi+34h], eax
		mov	ax, [edi+18h]
		add	ax, ax
		mov	[ebp+var_58], esi
		xor	ax, [esi+10h]
		and	ax, 3Eh
		xor	ax, [esi+10h]
		movzx	edx, ax
		mov	eax, [ebp+var_3C]
		cmp	ecx, eax
		jbe	short loc_790D28
		mov	ecx, eax
		mov	eax, [ebp+var_44]
		jmp	short loc_790D2B
; 

loc_790D28:				; CODE XREF: MiCreatePagingFileMap(x)+4AFj
		mov	eax, [ebp+var_48]

loc_790D2B:				; CODE XREF: MiCreatePagingFileMap(x)+4B6j
		sub	[ebp+var_24], ecx
		and	edx, 3Fh
		mov	edi, [ebp+var_28]
		movzx	eax, ax
		shl	eax, 6
		or	eax, edx
		mov	[esi+1Ch], ecx
		cmp	[ebp+var_20], 0
		mov	[esi+10h], ax
		lea	eax, ds:0[ecx*8]
		mov	[esi+14h], edi
		mov	[ebp+var_48], eax
		jz	short loc_790D8C
		push	0
		push	112h
		mov	edx, 74536D4Dh
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	short loc_790DD2
		cmp	[ebp+var_14], 0
		jge	short loc_790D86
		push	[ebp+var_48]
		push	eax
		call	_MmObtainChargesToLockPagedPool@8 ; MmObtainChargesToLockPagedPool(x,x)
		test	eax, eax
		mov	eax, [ebp+var_1C]
		jz	short loc_790DCA

loc_790D86:				; CODE XREF: MiCreatePagingFileMap(x)+504j
		mov	ecx, [esi+1Ch]
		mov	[esi+4], eax

loc_790D8C:				; CODE XREF: MiCreatePagingFileMap(x)+4E4j
		mov	edx, [ebp+var_58]
		xor	eax, eax
		add	[ebp+var_28], ecx
		mov	ecx, [ebp+var_40]
		adc	eax, [ebp+var_2C]
		inc	ecx
		mov	[ebp+var_2C], eax
		add	esi, 38h
		mov	edi, [ebp+var_2C]
		movzx	eax, ax
		mov	[ebp+var_44], eax
		movzx	eax, di
		mov	edi, [ebp+var_18]
		mov	[edx+8], esi
		mov	[ebp+var_40], ecx
		mov	[ebp+var_48], eax
		cmp	ecx, [ebp+var_C]
		jnb	loc_790E73
		mov	ecx, [ebp+var_8]
		jmp	loc_790CF0
; 

loc_790DCA:				; CODE XREF: MiCreatePagingFileMap(x)+514j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_790DD2:				; CODE XREF: MiCreatePagingFileMap(x)+2CFj
					; MiCreatePagingFileMap(x)+4FEj
		mov	esi, [ebp+var_8]

loc_790DD5:				; CODE XREF: MiCreatePagingFileMap(x)+43Aj
		xor	edi, edi
		cmp	[ebp+var_C], edi
		jbe	short loc_790E13
		mov	ebx, [ebp+var_5C]
		add	esi, 54h

loc_790DE2:				; CODE XREF: MiCreatePagingFileMap(x)+59Ej
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_790E10
		cmp	ebx, 88000000h
		jnz	short loc_790DFF
		mov	eax, [esi+18h]
		shl	eax, 3
		push	eax
		push	ecx
		call	_MmReturnChargesToLockPagedPool@8 ; MmReturnChargesToLockPagedPool(x,x)
		mov	ecx, [esi]

loc_790DFF:				; CODE XREF: MiCreatePagingFileMap(x)+57Ej
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		inc	edi
		add	esi, 38h
		cmp	edi, [ebp+var_C]
		jb	short loc_790DE2

loc_790E10:				; CODE XREF: MiCreatePagingFileMap(x)+576j
		mov	ebx, [ebp+var_50]

loc_790E13:				; CODE XREF: MiCreatePagingFileMap(x)+56Aj
		cmp	[ebp+var_54], 0
		jz	short loc_790E21
		mov	ecx, [ebp+var_8]
		call	_MiDeleteSectionAwe@4 ;	MiDeleteSectionAwe(x)

loc_790E21:				; CODE XREF: MiCreatePagingFileMap(x)+5A7j
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_38]
		test	esi, esi
		jz	short loc_790E3A
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_790E3A:				; CODE XREF: MiCreatePagingFileMap(x)+236j
					; MiCreatePagingFileMap(x)+2ACj ...
		mov	esi, [ebp+var_10]

loc_790E3D:				; CODE XREF: MiCreatePagingFileMap(x)+18Fj
		cmp	[ebp+var_20], 0
		jz	short loc_790E67
		push	0
		lea	edx, [ebp+var_68]
		mov	ecx, esi
		call	_MiFreeLargeZeroPages@12 ; MiFreeLargeZeroPages(x,x,x)
		cmp	[ebp+var_2], 0
		jz	short loc_790E5E
		mov	edx, ebx
		mov	ecx, esi
		call	_MiReturnResident@8 ; MiReturnResident(x,x)

loc_790E5E:				; CODE XREF: MiCreatePagingFileMap(x)+5E3j
		mov	edx, ebx
		mov	ecx, esi
		call	MiReturnCommit

loc_790E67:				; CODE XREF: MiCreatePagingFileMap(x)+5D1j
		mov	eax, 0C000009Ah
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_790E73:				; CODE XREF: MiCreatePagingFileMap(x)+469j
					; MiCreatePagingFileMap(x)+54Cj
		cmp	[ebp+var_20], 0
		mov	esi, [ebp+var_38]
		mov	eax, [ebp+var_1C]
		mov	dword ptr [edx+8], 0
		mov	[esi+28h], eax
		jz	loc_790FBC
		mov	eax, [ebp+var_30]
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		lea	ecx, [esi+1Ch]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	_MiUpdateControlAreaCommitCount@8 ; MiUpdateControlAreaCommitCount(x,x)
		or	eax, 0FFFFFFFFh
		lea	ecx, [esi+1Ch]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_790EC4
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi+1Ch]

loc_790EC4:				; CODE XREF: MiCreatePagingFileMap(x)+64Aj
		call	KeAbPostRelease
		mov	ecx, [ebp+var_30]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	[ebp+var_14], 0
		jge	loc_790F9F
		mov	eax, 1000h
		or	[esi+8], ax
		mov	eax, [ebp+var_8]
		or	dword ptr [eax+34h], 10000h
		cmp	[ebp+var_C], 0
		jbe	loc_790FBF
		mov	ebx, [ebp+var_4C]
		add	ebx, 1Ch
		mov	edi, edi

loc_790F00:				; CODE XREF: MiCreatePagingFileMap(x)+724j
		mov	eax, [ebx]
		mov	edi, [ebx-18h]
		shl	eax, 3
		push	eax
		push	edi
		call	_MmLockPreChargedPagedPool@8 ; MmLockPreChargedPagedPool(x,x)
		mov	eax, [ebx+4]
		and	eax, 3FFFFFFFh
		or	eax, 40000000h
		mov	[ebx+4], eax
		mov	eax, [ebx]
		push	0
		push	0
		shl	eax, 3
		push	eax
		push	edi
		call	_RtlFillMemoryUlonglong@16 ; RtlFillMemoryUlonglong(x,x,x,x)
		lea	ecx, [ebx+0Ch]
		mov	edx, 1
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)
		cmp	dword ptr [ebx], 0
		mov	[ebp+var_48], 0
		jz	short loc_790F8D

loc_790F48:				; CODE XREF: MiCreatePagingFileMap(x)+71Bj
		xor	edx, edx
		lea	ebx, [ebx+0]

loc_790F50:				; CODE XREF: MiCreatePagingFileMap(x)+6ECj
		mov	ecx, [ebp+edx*4+var_68]
		test	ecx, ecx
		jnz	short loc_790F60
		inc	edx
		cmp	edx, 3
		jb	short loc_790F50
		jmp	short loc_790F69
; 

loc_790F60:				; CODE XREF: MiCreatePagingFileMap(x)+6E6j
		call	_MiGetPfnLink@4	; MiGetPfnLink(x)
		mov	[ebp+edx*4+var_68], eax

loc_790F69:				; CODE XREF: MiCreatePagingFileMap(x)+6EEj
		mov	eax, [ebp+var_18]
		mov	esi, ds:_MiLargePageSizes[edx*4]
		mov	edx, edi
		mov	eax, [eax+18h]
		push	eax
		call	_MiUpdateLargePageSectionPfns@12 ; MiUpdateLargePageSectionPfns(x,x,x)
		mov	eax, [ebp+var_48]
		lea	edi, [edi+esi*8]
		add	eax, esi
		mov	[ebp+var_48], eax
		cmp	eax, [ebx]
		jnz	short loc_790F48

loc_790F8D:				; CODE XREF: MiCreatePagingFileMap(x)+6D6j
		add	ebx, 38h
		sub	[ebp+var_C], 1
		jnz	loc_790F00
		mov	edi, [ebp+var_18]
		jmp	short loc_790FBC
; 

loc_790F9F:				; CODE XREF: MiCreatePagingFileMap(x)+665j
		mov	esi, [ebp+var_4C]
		mov	edx, ebx
		push	1
		push	esi
		mov	ecx, [esi+4]
		call	MiInitializePrototypePtes
		lea	ecx, [esi+28h]
		mov	edx, 1
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)

loc_790FBC:				; CODE XREF: MiCreatePagingFileMap(x)+617j
					; MiCreatePagingFileMap(x)+72Dj
		mov	eax, [ebp+var_8]

loc_790FBF:				; CODE XREF: MiCreatePagingFileMap(x)+682j
		mov	[edi+28h], eax
		mov	edi, [ebp+var_10]
		add	edi, 350h
		jmp	short loc_790FD0
; 
		align 10h

loc_790FD0:				; CODE XREF: MiCreatePagingFileMap(x)+75Bj
					; MiCreatePagingFileMap(x)+77Bj ...
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_58], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_790FD0
		cmp	edx, [ebp+var_58]
		jnz	short loc_790FD0
		mov	edi, [ebp+var_18]
		or	eax, 0FFFFFFFFh
		or	edx, eax
		or	dword ptr [edi], 4
		nop
		mov	esi, [ebp+var_34]
		or	ebx, eax
		or	ecx, eax
		lock cmpxchg8b qword ptr [esi]
		mov	[edi+48h], eax
		mov	[edi+4Ch], edx
		test	dword ptr ds:byte_70EFC4, 400001h
		jz	short loc_791028
		mov	ecx, [ebp+var_8]
		mov	edx, 1
		call	_MiLogSectionCreate@8 ;	MiLogSectionCreate(x,x)

loc_791028:				; CODE XREF: MiCreatePagingFileMap(x)+7A9j
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_791031:				; CODE XREF: MiCreatePagingFileMap(x)+C1j
					; MiCreatePagingFileMap(x)+D2j	...
		pop	edi
		pop	esi
		mov	eax, 0C00000F2h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiCreatePagingFileMap@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializePrototypePtes proc near	; CODE XREF: MiCreatePrototypePtes+5Cp
					; MiCreatePagingFileMap(x)+73Ap ...

var_40		= dword	ptr -40h
var_2C		= dword	ptr -2Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DEF0E SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_40]
		push	ebx		; int
		push	eax		; void *
		mov	esi, edx
		mov	edi, ecx
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		shl	esi, 3
		mov	eax, [ecx]
		mov	[ebp+var_8], eax
		cmp	[eax+20h], ebx
		jnz	short loc_7910B7
		test	dword ptr [eax+1Ch], 1000h
		mov	[ebp+var_4], ebx
		jnz	loc_791107
		movzx	ecx, word ptr [ecx+10h]
		shr	ecx, 1
		and	ecx, 1Fh
		call	_MiMakeDemandZeroPte@4 ; MiMakeDemandZeroPte(x)

loc_791092:				; CODE XREF: MiInitializePrototypePtes+85j
		mov	ebx, eax
		mov	eax, edx

loc_791096:				; CODE XREF: MiInitializePrototypePtes+CBj
		mov	[ebp+arg_0], eax
		cmp	esi, 1000h
		jnb	short loc_7910C5

loc_7910A1:				; CODE XREF: MiInitializePrototypePtes+BFj
					; MiInitializePrototypePtes+14DF05j
		test	esi, esi
		jz	short loc_7910B0
		push	[ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		call	_RtlFillMemoryUlonglong@16 ; RtlFillMemoryUlonglong(x,x,x,x)

loc_7910B0:				; CODE XREF: MiInitializePrototypePtes+65j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7910B7:				; CODE XREF: MiInitializePrototypePtes+34j
		mov	[ebp+var_4], 1
		call	_MiMakeSubsectionPte@4 ; MiMakeSubsectionPte(x)
		jmp	short loc_791092
; 

loc_7910C5:				; CODE XREF: MiInitializePrototypePtes+61j
		cmp	[ebp+arg_4], 0
		jz	loc_8DEF0E
		mov	edx, eax
		mov	ecx, ebx
		mov	eax, ebx
		or	eax, [ebp+arg_0]
		jz	short loc_79110B

loc_7910DA:				; CODE XREF: MiInitializePrototypePtes+DDj
		or	ecx, 2
		cmp	[ebp+var_4], 0
		jz	short loc_7910FF

loc_7910E3:				; CODE XREF: MiInitializePrototypePtes+C7j
		push	edx
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	MiEncodeProtoFill
		mov	eax, esi
		and	eax, 0FFFFF000h
		add	edi, eax
		and	esi, 0FFFh
		jmp	short loc_7910A1
; 

loc_7910FF:				; CODE XREF: MiInitializePrototypePtes+A3j
		or	ecx, 400h
		jmp	short loc_7910E3
; 

loc_791107:				; CODE XREF: MiInitializePrototypePtes+40j
		xor	eax, eax
		jmp	short loc_791096
; 

loc_79110B:				; CODE XREF: MiInitializePrototypePtes+9Aj
		push	4
		pop	ecx
		call	_MiMakeDemandZeroPte@4 ; MiMakeDemandZeroPte(x)
		mov	ecx, eax
		and	ecx, 0FFFFFC1Fh
		jmp	short loc_7910DA
MiInitializePrototypePtes endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiGetSubsectionImageProtection(x)
_MiGetSubsectionImageProtection@4 proc near ; CODE XREF: MiParseImageSectionHeaders+172p
		mov	eax, ecx
		shr	eax, 1Dh
		and	eax, 1
		test	ecx, 40000000h
		jz	short loc_791131
		or	eax, 2

loc_791131:				; CODE XREF: MiGetSubsectionImageProtection(x)+Ej
		test	ecx, ecx
		js	short loc_791144

loc_791135:				; CODE XREF: MiGetSubsectionImageProtection(x)+29j
		test	ecx, 10000000h
		jnz	short loc_791149

loc_79113D:				; CODE XREF: MiGetSubsectionImageProtection(x)+2Ej
		mov	al, ds:_MiImageProtectionArray[eax]
		retn
; 

loc_791144:				; CODE XREF: MiGetSubsectionImageProtection(x)+15j
		or	eax, 4
		jmp	short loc_791135
; 

loc_791149:				; CODE XREF: MiGetSubsectionImageProtection(x)+1Dj
		or	eax, 8
		jmp	short loc_79113D
_MiGetSubsectionImageProtection@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRelocateImage	proc near		; CODE XREF: MiCreateNewSection(x,x)+4CFp
					; MiCreateNewSection(x,x)+56Ap	...

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DEF48 SIZE 0000012E BYTES
; FUNCTION CHUNK AT 008DF0B9 SIZE 0000027D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1D40
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0A0h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_60], edx
		mov	ebx, ecx
		mov	[ebp+var_70], ebx
		mov	ecx, 0Ah
		xor	eax, eax
		lea	edi, [ebp+var_44]
		rep stosd
		mov	[ebp+var_A0], eax
		mov	[ebp+var_9C], eax
		mov	esi, 2
		mov	[ebp+var_48], esi
		mov	edi, [ebx+24h]
		mov	[ebp+var_98], edi
		mov	cx, [edi+20h]
		call	MiLegacyImageArchitecture
		test	eax, eax
		jz	loc_8DEF48
		mov	esi, 22h
		mov	[ebp+var_48], esi
		test	byte ptr [edi+1Ch], 1
		jnz	loc_79171D
		mov	ax, [edi+1Eh]
		mov	ecx, 1000h
		mov	[ebp+var_7C], ecx
		and	ax, cx
		movzx	ebx, ax
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 0C000007Bh
		mov	[ebp+var_68], ebx

loc_7911FE:				; CODE XREF: MiRelocateImage+14DE06j
		mov	ebx, [edx+4Ch]
		mov	[ebp+var_A0], ebx
		mov	eax, [edx+50h]
		mov	[ebp+var_58], eax
		mov	[ebp+var_9C], eax
		test	ebx, ebx
		jz	loc_7916F2
		test	eax, eax
		jz	loc_8DEF5B

loc_791223:				; CODE XREF: MiRelocateImage+5B0j
		mov	ecx, [ebp+var_70]
		test	byte ptr [ecx+0Bh], 1
		jnz	loc_79171D
		mov	eax, [ecx]
		mov	[ebp+var_50], eax
		mov	[ebp+var_90], eax
		mov	eax, [eax+38h]
		mov	[ebp+var_A8], eax
		mov	edx, [ebp+arg_0]
		mov	eax, edx
		and	eax, 0FFFh
		cmp	eax, 0FFCh
		ja	loc_8DEF63
		test	dl, 3
		jnz	loc_8DEF63
		mov	ecx, [ecx+18h]
		mov	[ebp+var_5C], ecx
		cmp	[ebp+arg_4], 0
		jnz	short loc_79127F
		cmp	esi, 20h
		jb	short loc_79127F
		movzx	eax, word ptr [edi+1Eh]
		test	al, 40h
		jz	loc_791705

loc_79127F:				; CODE XREF: MiRelocateImage+11Cj
					; MiRelocateImage+121j	...
		mov	eax, [ebp+var_70]
		mov	eax, [eax+4]
		mov	[ebp+var_54], eax
		mov	edi, esi
		and	edi, 2
		mov	[ebp+var_74], edi
		jz	loc_791721

loc_791296:				; CODE XREF: MiRelocateImage+5D8j
		shl	eax, 0Ch
		mov	[ebp+var_94], eax
		mov	edx, [ebp+var_58]
		lea	eax, [ebx+edx]
		cmp	eax, [ebp+var_94]
		ja	loc_8DEF63
		test	edi, edi
		jz	short loc_7912DD
		cmp	eax, ebx
		jbe	loc_8DEF63
		test	edi, edi
		jz	short loc_7912DD
		lea	eax, [ecx+ebx]
		cmp	eax, ecx
		jbe	loc_8DEF63
		test	edi, edi
		jz	short loc_7912DD
		lea	eax, [ebx+edx]
		add	eax, ecx
		cmp	eax, ecx
		jbe	loc_8DEF63

loc_7912DD:				; CODE XREF: MiRelocateImage+163j
					; MiRelocateImage+16Fj	...
		mov	eax, [ebp+var_54]
		shl	eax, 2
		add	eax, edx
		mov	[ebp+var_78], 0
		mov	[ebp+var_80], 0
		xor	ecx, ecx
		mov	[ebp+var_84], ecx
		mov	ecx, large fs:124h
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_88], ecx
		push	0
		push	100h
		mov	edx, 65526D4Dh
		lea	ecx, [eax+40h]
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_4C], eax
		mov	[ebp+var_8C], eax
		test	eax, eax
		jz	loc_8DEF6B
		mov	ecx, eax
		mov	edi, [ebp+var_54]
		lea	edx, ds:0[edi*4]
		mov	eax, [ebp+var_58]
		add	eax, 40h
		add	eax, edx
		mov	edx, ecx
		add	edx, eax
		mov	edi, [ebp+var_74]
		jmp	short loc_791350
; 
		align 10h

loc_791350:				; CODE XREF: MiRelocateImage+1FBj
					; MiRelocateImage+20Aj
		mov	al, [ecx]
		add	ecx, 1000h
		cmp	ecx, edx
		jb	short loc_791350
		mov	eax, [ebp+var_4C]
		mov	byte ptr [eax+24h], 0
		mov	ecx, [ebp+var_54]
		mov	[eax+1Ch], ecx
		mov	dword ptr [eax+0Ch], 0
		test	edi, edi
		jz	loc_79172D
		lea	eax, [ebp+var_44]
		push	eax
		mov	edx, 3
		mov	edi, [ebp+var_50]
		mov	ecx, edi
		call	MiMapImageInSystemSpace
		test	eax, eax
		js	loc_8DEF75
		mov	eax, [ebp+var_44]
		mov	[ebp+var_80], eax
		mov	edx, 1
		mov	ecx, [ebp+var_6C]
		call	_PsSetSystemPagePriorityThread@8 ; PsSetSystemPagePriorityThread(x,x)
		mov	[ebp+var_84], eax
		or	[ebp+var_48], 1
		mov	edi, [ebp+var_4C]
		add	edi, 28h
		push	edi
		push	ecx
		push	[ebp+var_60]
		mov	eax, [ebp+var_3C]
		shl	eax, 0Ch
		push	eax
		mov	edx, [ebp+var_80]
		mov	ecx, [ebp+var_50]
		call	MiParseImageLoadConfig
		mov	esi, eax
		test	esi, esi
		js	loc_8DEF8D
		mov	eax, [ebp+var_4C]

loc_7913DA:				; CODE XREF: MiRelocateImage+5E0j
		lea	ecx, [ebp+var_78]
		push	ecx
		mov	ecx, [ebp+arg_C]
		push	ecx
		push	[ebp+arg_4]
		mov	edx, eax
		mov	ecx, [ebp+var_70]
		call	MiSelectImageBase
		mov	esi, eax
		test	esi, esi
		js	loc_8DEF9C
		push	edi
		mov	eax, [ebp+var_78]
		mov	[ebp+var_78], eax
		mov	edx, eax
		mov	edi, [ebp+var_50]
		mov	ecx, edi
		call	_MiUpdateCfgSystemWideBitmap@12	; MiUpdateCfgSystemWideBitmap(x,x,x)
		mov	esi, eax
		mov	edx, [ebp+var_4C]
		test	esi, esi
		js	loc_8DF30C
		mov	eax, [ebp+arg_0]
		mov	[edx+20h], eax
		mov	eax, [ebp+var_78]
		mov	ecx, [ebp+var_5C]
		sub	eax, ecx
		mov	[edx+14h], eax
		mov	eax, [ebp+arg_8]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_8DEFBF
		xor	eax, eax

loc_791438:				; CODE XREF: MiRelocateImage+14DE71j
		mov	[edx+18h], eax
		lea	edi, [edx+40h]
		mov	[ebp+var_60], edi
		mov	[edx], edi
		mov	eax, [ebp+var_54]
		lea	esi, ds:0[eax*4]
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		add	edi, esi
		mov	eax, [ebp+var_4C]
		mov	[eax+10h], edi
		mov	eax, [ebp+var_48]
		or	eax, 4
		mov	[ebp+var_48], eax
		mov	[ebp+var_64], eax
		test	al, 2
		jz	loc_791735
		mov	eax, [ebp+var_80]
		add	eax, ebx
		mov	[ebp+var_4], 0
		mov	ebx, [ebp+var_58]
		push	ebx		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	esi, esi
		mov	[ebp+var_5C], esi
		mov	edx, ebx
		mov	[ebp+var_74], edx
		mov	eax, [ebp+var_48]
		mov	[ebp+var_48], eax
		mov	[ebp+var_64], esi
		test	ebx, ebx
		jz	loc_791586

loc_7914B1:				; CODE XREF: MiRelocateImage+42Dj
		cmp	edx, 0Ah
		jb	loc_8DF05B
		mov	ebx, [edi+4]
		cmp	ebx, edx
		ja	loc_8DF068
		test	bl, 1
		jnz	loc_8DF068
		cmp	ebx, 8
		jb	loc_8DF068
		mov	esi, [edi]
		test	esi, 0FFFh
		jnz	loc_8DEFC6

loc_7914E5:				; CODE XREF: MiRelocateImage+14DE7Cj
		lea	ecx, [esi+1000h]
		cmp	ecx, esi
		jbe	loc_8DF068
		cmp	ecx, [ebp+var_94]
		ja	loc_8DF068
		cmp	esi, [ebp+var_64]
		jb	loc_8DF068
		cmp	ebx, 8
		jz	loc_8DEFD1
		test	ds:_MiFlags, 40000h
		jnz	loc_8DEFDF

loc_791521:				; CODE XREF: MiRelocateImage+14DE99j
					; MiRelocateImage+14DECAj
		mov	eax, esi
		shr	eax, 0Ch
		cmp	eax, [ebp+var_5C]
		jbe	short loc_79152E
		mov	[ebp+var_5C], eax

loc_79152E:				; CODE XREF: MiRelocateImage+3D9j
		mov	ecx, [ebp+var_60]
		or	[ecx+eax*4], edi
		mov	eax, esi
		and	eax, 0FFFFF000h
		add	eax, 1000h
		mov	[ebp+var_64], eax
		sub	edx, ebx
		mov	[ebp+var_74], edx
		push	[ebp+var_4C]
		mov	ecx, [ebp+var_50]
		push	ecx
		lea	eax, [edi+8]
		push	eax
		lea	eax, [ebx-8]
		shr	eax, 1
		push	eax
		mov	edx, esi
		mov	ecx, [ebp+var_80]
		call	MiScanRelocationPage
		mov	esi, eax
		test	esi, esi
		js	loc_8DF02F
		mov	eax, [ebp+var_48]
		or	eax, 10h
		mov	edx, [ebp+var_74]

loc_791576:				; CODE XREF: MiRelocateImage+14DE8Aj
		mov	[ebp+var_48], eax
		add	edi, ebx
		test	edx, edx
		jnz	loc_7914B1

loc_791583:				; CODE XREF: MiRelocateImage+14DF13j
		mov	esi, [ebp+var_5C]

loc_791586:				; CODE XREF: MiRelocateImage+35Bj
		lea	ecx, [ebp+var_44]
		call	MiUnmapImageInSystemSpace
		mov	edx, [ebp+var_84]
		mov	ecx, [ebp+var_6C]
		call	_PsRevertToUserPagePriorityThread@8 ; PsRevertToUserPagePriorityThread(x,x)
		mov	eax, [ebp+var_48]
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_48], eax
		mov	ecx, [ebp+var_4C]
		mov	ebx, [ecx+8]
		test	ebx, ebx
		jnz	loc_791743

loc_7915B3:				; CODE XREF: MiRelocateImage+649j
		mov	ebx, [ebp+var_4C]
		push	ebx
		lea	edx, [ebp+var_A0]
		mov	edi, [ebp+var_50]
		mov	ecx, edi
		call	_MiLogRelocationFaults@12 ; MiLogRelocationFaults(x,x,x)
		lea	eax, [esi+1]
		mov	[ebx+1Ch], eax
		mov	eax, [ebp+var_48]
		mov	ecx, eax
		and	ecx, 14h
		cmp	cl, 14h
		jnz	loc_8DF0B9
		mov	edx, [ebp+var_58]
		mov	ecx, ebx
		call	_MiCompressRelocations@8 ; MiCompressRelocations(x,x)
		mov	ebx, eax
		mov	[ebp+var_4C], ebx
		lea	edx, [ebx+40h]
		mov	[ebp+var_60], edx
		mov	eax, [ebp+var_48]

loc_7915F6:				; CODE XREF: MiRelocateImage+5EEj
					; MiRelocateImage+14DF6Cj
		mov	ecx, [ebx+20h]
		shr	ecx, 0Ch
		or	dword ptr [edx+ecx*4], 1
		test	dword ptr [edi+1Ch], 40000000h
		jnz	loc_8DF0C1

loc_79160D:				; CODE XREF: MiRelocateImage+14E135j
		or	eax, 8
		mov	[ebp+var_48], eax
		mov	edx, ebx
		mov	ecx, [ebp+var_6C]
		call	_MI_LOCK_RELOCATIONS_EXCLUSIVE@8 ; MI_LOCK_RELOCATIONS_EXCLUSIVE(x,x)
		mov	esi, [ebp+var_A8]
		mov	[esi+10h], ebx
		mov	eax, [ebp+var_70]
		mov	edx, [ebp+var_78]
		mov	[eax+18h], edx
		mov	eax, [ebx+14h]
		mov	ecx, [ebp+var_98]
		add	[ecx], eax
		or	dword ptr [edi+34h], 400000h
		test	dword ptr [edi+1Ch], 800h
		jnz	loc_8DF28A

loc_79164E:				; CODE XREF: MiRelocateImage+14E146j
		test	ds:_MiFlags, 4000h
		jnz	loc_8DF29B

loc_79165E:				; CODE XREF: MiRelocateImage+14E152j
					; MiRelocateImage+14E17Dj
		cmp	[ebp+arg_4], 0
		jnz	loc_79179E
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	esi, eax

loc_79167C:				; CODE XREF: MiRelocateImage+651j
		cmp	[ebp+arg_C], 1
		jz	loc_8DF2D2

loc_791686:				; CODE XREF: MiRelocateImage+14E186j
		test	dword ptr [edi+1Ch], 40000000h
		jnz	loc_8DF2E3

loc_791693:				; CODE XREF: MiRelocateImage+14E1A8j
					; MiRelocateImage+14E1B5j
		push	esi
		push	2
		xor	edx, edx
		mov	ecx, edi
		call	_MiWalkEntireImage@16 ;	MiWalkEntireImage(x,x,x,x)
		mov	esi, eax

loc_7916A1:				; CODE XREF: MiRelocateImage+14E177j
					; MiRelocateImage+14E18Ej
		mov	edx, ebx
		mov	ecx, [ebp+var_6C]
		call	MI_UNLOCK_RELOCATIONS_EXCLUSIVE
		test	esi, esi
		js	short loc_7916BF
		cmp	[ebp+arg_C], 0
		jnz	short loc_7916BF
		mov	eax, [ebp+var_98]
		or	byte ptr [eax+23h], 4

loc_7916BF:				; CODE XREF: MiRelocateImage+55Dj
					; MiRelocateImage+563j	...
		mov	eax, [ebp+var_48]

loc_7916C2:				; CODE XREF: MiRelocateImage+14DEFDj
					; MiRelocateImage+14DF06j ...
		test	al, 8
		jz	loc_8DF30A

loc_7916CA:				; CODE XREF: MiRelocateImage+14E1C6j
		test	al, 1
		jnz	loc_8DF31B

loc_7916D2:				; CODE XREF: MiRelocateImage+14E1E1j
		mov	eax, esi

loc_7916D4:				; CODE XREF: MiRelocateImage+5CFj
					; MiRelocateImage+14DE16j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7916F2:				; CODE XREF: MiRelocateImage+C5j
					; MiRelocateImage+14DE0Dj
		test	eax, eax
		jnz	loc_8DEF63
		and	esi, 0FFFFFFFDh
		mov	[ebp+var_48], esi
		jmp	loc_791223
; 

loc_791705:				; CODE XREF: MiRelocateImage+129j
		cmp	ds:_MmRegistryState, 0FFFFFFFFh
		jz	loc_79127F
		test	eax, 1000h
		jnz	loc_79127F

loc_79171D:				; CODE XREF: MiRelocateImage+89j
					; MiRelocateImage+DAj ...
		xor	eax, eax
		jmp	short loc_7916D4
; 

loc_791721:				; CODE XREF: MiRelocateImage+140j
		shr	edx, 0Ch
		inc	edx
		mov	[ebp+var_54], edx
		jmp	loc_791296
; 

loc_79172D:				; CODE XREF: MiRelocateImage+222j
		lea	edi, [eax+28h]
		jmp	loc_7913DA
; 

loc_791735:				; CODE XREF: MiRelocateImage+31Fj
		mov	ebx, [ebp+var_4C]
		mov	edi, [ebp+var_50]
		mov	edx, [ebp+var_60]
		jmp	loc_7915F6
; 

loc_791743:				; CODE XREF: MiRelocateImage+45Dj
					; MiRelocateImage+647j
		mov	edi, [ebx+8]
		mov	ecx, edi
		shr	ecx, 0Ch
		mov	edx, [ebp+var_60]
		mov	edx, [edx+ecx*4]
		cmp	ecx, esi
		ja	short loc_7917A6

loc_791755:				; CODE XREF: MiRelocateImage+65Bj
		cmp	edx, 1
		jbe	short loc_791793
		and	edx, 0FFFFFFFEh
		mov	esi, [edx+4]
		sub	esi, 8
		and	edi, 0FFFh
		add	edx, 8
		shr	esi, 1
		jz	short loc_791790

loc_791770:				; CODE XREF: MiRelocateImage+63Ej
		movzx	ecx, word ptr [edx]
		cmp	cx, word ptr [ebp+var_7C]
		jb	short loc_791788
		and	ecx, 0FFFh
		cmp	cx, di
		jb	loc_8DF068

loc_791788:				; CODE XREF: MiRelocateImage+627j
		add	edx, 2
		sub	esi, 1
		jnz	short loc_791770

loc_791790:				; CODE XREF: MiRelocateImage+61Ej
		mov	esi, [ebp+var_5C]

loc_791793:				; CODE XREF: MiRelocateImage+608j
		mov	ebx, [ebx]
		test	ebx, ebx
		jnz	short loc_791743
		jmp	loc_7915B3
; 

loc_79179E:				; CODE XREF: MiRelocateImage+512j
		or	esi, 0FFFFFFFFh
		jmp	loc_79167C
; 

loc_7917A6:				; CODE XREF: MiRelocateImage+603j
		mov	esi, ecx
		mov	[ebp+var_5C], esi
		jmp	short loc_791755
MiRelocateImage	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiScanRelocationPage proc near		; CODE XREF: MiRelocateImage+40Ep

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DF336 SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax]
		mov	[ebp+var_C], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_10], 0
		mov	eax, [eax+24h]
		mov	[ebp+var_4], 0
		mov	[ebp+var_8], 0
		mov	[ebp+var_14], 0
		mov	eax, [eax+30h]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_79185C
		mov	edi, [ebp+arg_4]

loc_7917F5:				; CODE XREF: MiScanRelocationPage+AAj
		movzx	esi, word ptr [edi]
		dec	eax
		mov	[ebp+arg_0], eax
		mov	ax, si
		and	esi, 0FFFh
		shr	ax, 0Ch
		movzx	edx, ax
		mov	ecx, esi
		mov	ebx, ecx
		test	ax, ax
		jz	short loc_791829
		cmp	ax, 3
		jnz	loc_8DF343
		mov	eax, 0FFCh
		cmp	cx, ax
		ja	short loc_79186C

loc_791829:				; CODE XREF: MiScanRelocationPage+63j
					; MiScanRelocationPage+D1j
		mov	ecx, ebx
		mov	ebx, [ebp+var_C]
		test	dx, dx
		jz	short loc_791867
		mov	eax, ebx
		and	eax, 0FFFh
		jnz	loc_8DF336

loc_791840:				; CODE XREF: MiScanRelocationPage+14DB8Dj
		lea	eax, [ecx+ebx]
		cmp	eax, [ebp+var_18]
		jb	loc_8DF343

loc_79184C:				; CODE XREF: MiScanRelocationPage+BAj
		cmp	[ebp+var_8], 1
		jz	short loc_791883

loc_791852:				; CODE XREF: MiScanRelocationPage+111j
		mov	eax, [ebp+arg_0]
		add	edi, 2
		test	eax, eax
		jnz	short loc_7917F5

loc_79185C:				; CODE XREF: MiScanRelocationPage+40j
		xor	eax, eax

loc_79185E:				; CODE XREF: MiScanRelocationPage+F1j
					; MiScanRelocationPage+118j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_791867:				; CODE XREF: MiScanRelocationPage+81j
		lea	eax, [ecx+ebx]
		jmp	short loc_79184C
; 

loc_79186C:				; CODE XREF: MiScanRelocationPage+77j
		mov	[ebp+var_10], 2
		mov	[ebp+var_4], 4
		mov	[ebp+var_8], 1
		jmp	short loc_791829
; 

loc_791883:				; CODE XREF: MiScanRelocationPage+A0j
		cmp	[ebp+var_14], 1
		jz	short loc_7918C3
		push	[ebp+arg_C]
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+arg_8]
		push	edi
		push	[ebp+var_4]
		push	[ebp+var_10]
		push	eax
		call	_MiCreateFixupRecord@28	; MiCreateFixupRecord(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_79185E
		test	ds:_MiFlags, 40000h
		jnz	loc_8DF34D

loc_7918B3:				; CODE XREF: MiScanRelocationPage+14DBA7j
					; MiScanRelocationPage+14DBDDj
		mov	[ebp+var_8], 0
		mov	[ebp+var_14], 1
		jmp	short loc_791852
; 

loc_7918C3:				; CODE XREF: MiScanRelocationPage+D7j
					; MiScanRelocationPage+14DBD7j
		mov	eax, 0C000007Bh
		jmp	short loc_79185E
MiScanRelocationPage endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteImageCreationMdls(x, x)
_MiDeleteImageCreationMdls@8 proc near	; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+1D2p
					; MiCreateImageFileMap(x,x,x,x,x,x,x,x)+7D0p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, edx
		mov	[ebp+var_C], edi
		test	esi, esi
		jz	short loc_791905

loc_7918E0:				; CODE XREF: MiDeleteImageCreationMdls(x,x)+39j
		movzx	eax, word ptr [esi+6]
		mov	ebx, [esi]
		mov	[ebp+var_8], ebx
		test	al, 4
		jnz	short loc_79194D
		test	al, 2
		jz	short loc_7918F9
		test	al, 1
		jnz	short loc_79193A

loc_7918F5:				; CODE XREF: MiDeleteImageCreationMdls(x,x)+79j
		test	edi, edi
		jnz	short loc_79190A

loc_7918F9:				; CODE XREF: MiDeleteImageCreationMdls(x,x)+25j
					; MiDeleteImageCreationMdls(x,x)+81j ...
		push	esi
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	esi, ebx
		test	ebx, ebx
		jnz	short loc_7918E0

loc_791905:				; CODE XREF: MiDeleteImageCreationMdls(x,x)+14j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_79190A:				; CODE XREF: MiDeleteImageCreationMdls(x,x)+2Dj
		mov	eax, [esi+14h]
		lea	ebx, [esi+1Ch]
		shr	eax, 0Ch
		xor	edi, edi
		mov	[ebp+var_4], eax

loc_791918:				; CODE XREF: MiDeleteImageCreationMdls(x,x)+6Ej
		cmp	edi, eax
		jnb	short loc_791945
		mov	ecx, [ebx]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_791934
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiReturnPfnReferenceCount@4 ; MiReturnPfnReferenceCount(x)
		mov	eax, [ebp+var_4]

loc_791934:				; CODE XREF: MiDeleteImageCreationMdls(x,x)+57j
		add	ebx, 4
		inc	edi
		jmp	short loc_791918
; 

loc_79193A:				; CODE XREF: MiDeleteImageCreationMdls(x,x)+29j
		push	esi
		push	dword ptr [esi+0Ch]
		call	MmUnmapLockedPages
		jmp	short loc_7918F5
; 

loc_791945:				; CODE XREF: MiDeleteImageCreationMdls(x,x)+50j
		mov	ebx, [ebp+var_8]
		mov	edi, [ebp+var_C]
		jmp	short loc_7918F9
; 

loc_79194D:				; CODE XREF: MiDeleteImageCreationMdls(x,x)+21j
		push	0
		push	dword ptr [esi+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7918F9
_MiDeleteImageCreationMdls@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiParseComAndCetHeaders(x, x, x)
_MiParseComAndCetHeaders@12 proc near	; CODE XREF: MiCreateNewSection(x,x)+273p

var_F4		= dword	ptr -0F4h
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_6C		= dword	ptr -6Ch
var_68		= word ptr -68h
var_66		= word ptr -66h
var_5C		= dword	ptr -5Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0E4h
		push	offset dword_6A1D60
		call	__SEH_prolog4_GS
		mov	ebx, edx
		mov	[ebp+var_CC], ebx
		mov	esi, ecx
		mov	[ebp+var_AC], esi
		mov	[ebp+var_A8], esi
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_B4], edx
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_94]
		rep stosd
		xor	ecx, ecx
		mov	[ebp+var_C4], ecx
		mov	[ebp+var_98], eax
		mov	[ebp+var_B0], ecx
		mov	[edx], cl
		mov	edx, [ebx+44h]
		test	edx, edx
		jz	short loc_7919D4
		test	dl, 3
		jnz	short loc_7919D4
		mov	ecx, [ebx+48h]
		cmp	ecx, 48h
		jb	short loc_7919D4
		add	ecx, edx
		cmp	ecx, edx
		jbe	short loc_7919D4
		lea	ecx, [edx+48h]
		cmp	ecx, [ebx+0Ch]
		ja	short loc_7919D4
		inc	eax
		mov	[ebp+var_98], eax

loc_7919D4:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+56j
					; MiParseComAndCetHeaders(x,x,x)+5Bj ...
		mov	ecx, [ebx+5Ch]
		test	ecx, ecx
		jz	short loc_791A06
		test	cl, 3
		jnz	short loc_791A06
		mov	edx, [ebx+60h]
		push	1Ch
		pop	edi
		mov	[ebp+var_C0], edi
		cmp	edx, edi
		jb	short loc_791A10
		add	edx, ecx
		cmp	edx, ecx
		jbe	short loc_791A10
		cmp	edx, [ebx+0Ch]
		ja	short loc_791A10
		or	eax, 2
		mov	[ebp+var_98], eax
		jmp	short loc_791A10
; 

loc_791A06:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+7Fj
					; MiParseComAndCetHeaders(x,x,x)+84j
		mov	[ebp+var_C0], 1Ch

loc_791A10:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+94j
					; MiParseComAndCetHeaders(x,x,x)+9Aj ...
		test	eax, eax
		jz	loc_791D41
		lea	eax, [ebp+var_94]
		push	eax
		push	3
		pop	edx
		mov	ecx, esi
		call	MiMapImageInSystemSpace
		mov	[ebp+var_BC], eax
		test	eax, eax
		js	loc_791D04
		mov	ecx, esi
		call	MiReferenceControlAreaFile
		mov	edx, eax
		mov	[ebp+var_B0], edx
		mov	[ebp+var_A0], edx
		mov	eax, [ebp+var_98]
		or	eax, 0Ch
		mov	[ebp+var_98], eax
		mov	[ebp+var_A4], eax
		mov	ecx, [esi]
		mov	[ebp+var_B8], ecx
		mov	ecx, [ebp+var_94]
		mov	[ebp+var_9C], ecx
		test	al, 1
		jz	loc_791B56
		mov	eax, [ebx+44h]
		lea	esi, [eax+ecx]
		and	[ebp+ms_exc.disabled], 0
		push	12h
		pop	ecx
		lea	edi, [ebp+var_6C]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_AC]
		push	esi
		push	edx
		push	48h
		pop	edx
		mov	ecx, eax
		call	MiLogRelocationRva
		test	byte ptr [ebp+var_5C], 1
		jz	loc_791B4A
		mov	eax, [ebp+var_B4]
		mov	byte ptr [eax],	1
		mov	eax, [ebp+var_B8]
		or	byte ptr [eax+0Bh], 1
		push	2
		pop	edi
		cmp	[ebp+var_68], di
		ja	short loc_791AD7
		jnz	short loc_791B4A
		cmp	[ebp+var_66], 5
		jb	short loc_791B4A

loc_791AD7:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+172j
		mov	edx, [eax+24h]
		mov	cl, [edx+23h]
		or	cl, 2
		mov	[edx+23h], cl
		mov	eax, [ebp+var_5C]
		and	eax, 20002h
		cmp	eax, edi
		jz	short loc_791B4A
		or	cl, 1
		mov	[edx+23h], cl
		mov	eax, [ebp+var_98]
		test	[ebp+var_5C], 20000h
		jz	short loc_791B50
		or	cl, 20h
		mov	[edx+23h], cl
		jmp	short loc_791B50
; 

loc_791B0C:				; DATA XREF: .text:006A1D74o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_C8], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_791B1D:				; DATA XREF: .text:006A1D78o
		mov	ebx, [ebp+var_C8]

loc_791B23:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+357j
		mov	esp, [ebp+ms_exc.old_esp]

loc_791B26:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+39Dj
					; MiParseComAndCetHeaders(x,x,x)+3A5j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_A0]
		mov	eax, [ebp+var_A4]
		mov	[ebp+var_98], eax
		mov	esi, [ebp+var_A8]
		jmp	loc_791D1C
; 

loc_791B4A:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+152j
					; MiParseComAndCetHeaders(x,x,x)+174j ...
		mov	eax, [ebp+var_98]

loc_791B50:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+1A8j
					; MiParseComAndCetHeaders(x,x,x)+1B0j
		mov	ecx, [ebp+var_9C]

loc_791B56:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+11Dj
		test	al, 2
		jz	loc_791D04
		mov	edi, [ebx+5Ch]
		add	edi, ecx
		xor	ecx, ecx

loc_791B65:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+378j
		mov	[ebp+var_B4], edi
		mov	eax, [ebx+60h]
		xor	edx, edx
		div	[ebp+var_C0]
		cmp	ecx, eax
		jnb	loc_791D04
		push	esi
		push	[ebp+var_B0]
		imul	ecx, 1Ch
		add	ecx, [ebx+5Ch]
		push	1Ch
		pop	edx
		call	MiLogRelocationRva
		mov	[ebp+ms_exc.disabled], 1
		push	7
		pop	ecx
		mov	esi, edi
		lea	edi, [ebp+var_F4]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_E8], 14h
		jnz	loc_791CB6
		mov	ebx, [ebp+var_E0]
		test	ebx, ebx
		jz	loc_791D04
		test	bl, 3
		jnz	loc_791D04
		mov	eax, [ebp+var_E4]
		test	eax, eax
		jz	loc_791D04
		test	al, 3
		jnz	loc_791D04
		mov	ecx, [ebp+var_CC]
		mov	ecx, [ecx+0Ch]
		cmp	eax, ecx
		jnb	loc_791D04
		cmp	ebx, ecx
		jnb	loc_791D04
		add	eax, ebx
		cmp	eax, ecx
		jnb	loc_791D04
		mov	esi, [ebp+var_AC]
		push	esi
		mov	edi, [ebp+var_B0]
		push	edi
		push	4
		pop	edx
		mov	ecx, ebx
		call	MiLogRelocationRva
		mov	[ebp+ms_exc.disabled], 2
		mov	ecx, [ebp+var_9C]
		mov	ecx, [ebx+ecx]
		mov	[ebp+var_D8], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+var_B8]
		test	cl, 1
		jz	short loc_791C52
		mov	eax, [edx+24h]
		or	dword ptr [eax+3Ch], 1

loc_791C52:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+2EFj
		test	cl, 2
		jz	short loc_791C5E
		mov	eax, [edx+24h]
		or	dword ptr [eax+3Ch], 2

loc_791C5E:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+2FBj
		test	cl, 4
		jz	short loc_791C6A
		mov	eax, [edx+24h]
		or	dword ptr [eax+3Ch], 4

loc_791C6A:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+307j
		test	cl, 8
		jz	short loc_791C76
		mov	eax, [edx+24h]
		or	dword ptr [eax+3Ch], 8

loc_791C76:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+313j
		test	cl, 10h
		jz	short loc_791C82
		mov	eax, [edx+24h]
		or	dword ptr [eax+3Ch], 10h

loc_791C82:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+31Fj
		mov	ebx, [ebp+var_BC]
		test	cl, 20h
		jz	loc_791D16
		mov	eax, [edx+24h]
		or	dword ptr [eax+3Ch], 20h
		jmp	short loc_791D16
; 

loc_791C9A:				; DATA XREF: .text:006A1D8Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_D0], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_791CAB:				; DATA XREF: .text:006A1D90o
		mov	ebx, [ebp+var_D0]
		jmp	loc_791B23
; 

loc_791CB6:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+25Bj
		mov	edi, [ebp+var_B4]
		add	edi, 1Ch
		mov	ecx, [ebp+var_C4]
		inc	ecx
		mov	[ebp+var_C4], ecx
		mov	esi, [ebp+var_AC]
		jmp	loc_791B65
; 

loc_791CD7:				; DATA XREF: .text:006A1D80o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_D4], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_791CE8:				; DATA XREF: .text:006A1D84o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_D4]
		cmp	ebx, 0C0000005h
		jnz	loc_791B26
		xor	ebx, ebx
		jmp	loc_791B26
; 

loc_791D04:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+D7j
					; MiParseComAndCetHeaders(x,x,x)+1FEj ...
		mov	esi, [ebp+var_AC]
		mov	ebx, [ebp+var_BC]
		mov	edi, [ebp+var_B0]

loc_791D16:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+331j
					; MiParseComAndCetHeaders(x,x,x)+33Ej
		mov	eax, [ebp+var_98]

loc_791D1C:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+1EBj
		test	al, 4
		jz	short loc_791D31
		lea	ecx, [ebp+var_94]
		call	MiUnmapImageInSystemSpace
		mov	eax, [ebp+var_98]

loc_791D31:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+3C4j
		cmp	eax, 8
		jb	short loc_791D3F
		mov	edx, edi
		mov	ecx, esi
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)

loc_791D3F:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+3DAj
		mov	eax, ebx

loc_791D41:				; CODE XREF: MiParseComAndCetHeaders(x,x,x)+B8j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiParseComAndCetHeaders@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSelectImageBase proc near		; CODE XREF: MiRelocateImageAgain+A8p
					; MiRelocateImage+29Ap

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008DF392 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	[ebp+var_18], edx
		mov	edx, ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, [edx]
		xor	edi, edi
		mov	esi, edi
		mov	[ebp+var_8], edx
		and	dword ptr [ebx+34h], 0FFCFFFFFh
		mov	eax, [edx+24h]
		mov	ecx, [edx+4]
		mov	[ebp+var_10], eax
		cmp	[ebp+arg_0], esi
		jnz	loc_791EA7

loc_791D86:				; CODE XREF: MiSelectImageBase+16Bj
		or	[ebp+var_14], 0FFFFFFFFh
		cmp	[ebp+arg_4], 1
		mov	eax, [edx+18h]
		mov	[ebp+var_C], eax
		jz	loc_8DF39C
		mov	edx, [ebp+var_18]
		lea	eax, [ecx+0Fh]
		shr	eax, 4
		movzx	eax, ax
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+var_C]
		sub	eax, [edx+14h]
		mov	[ebp+var_C], eax
		cmp	[ebp+arg_0], esi
		jnz	loc_791EC4
		mov	ecx, [ebp+var_10]
		mov	edx, 2000h
		test	[ecx+1Ch], dx
		mov	edx, [ebp+var_8]
		jz	short loc_791E1F
		mov	eax, dword_6CF4D4
		mov	edx, offset dword_6CF4CC
		mov	ecx, [ebp+arg_4]
		movzx	ecx, cx
		push	eax
		push	ecx
		push	edx
		mov	[ebp+var_18], edi
		mov	[ebp+var_1C], edx
		mov	[ebp+arg_0], ecx
		call	RtlFindClearBits
		mov	[ebp+var_14], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_791E61
		mov	edx, [ebp+arg_4]
		lea	ecx, [ebp+var_1C]
		push	eax
		call	MiObtainRelocationBits
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_14], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_791E1C
		mov	esi, 7800h
		sub	esi, [ebp+arg_0]
		sub	esi, eax
		shl	esi, 10h

loc_791E1C:				; CODE XREF: MiSelectImageBase+B9j
					; MiSelectImageBase+113j
		mov	eax, [ebp+var_C]

loc_791E1F:				; CODE XREF: MiSelectImageBase+76j
		cmp	[ebp+var_14], 0FFFFFFFFh
		jz	short loc_791E50

loc_791E25:				; CODE XREF: MiSelectImageBase+130j
		mov	eax, [ebp+var_14]
		mov	[ebx+30h], eax
		mov	eax, [ebp+arg_4]
		mov	[ebx+34h], ax

loc_791E32:				; CODE XREF: MiSelectImageBase+10Bj
					; MiSelectImageBase+1A1j
		mov	eax, [ebx+34h]
		and	eax, 0FF7FFFFFh
		shl	edi, 17h
		or	eax, edi
		mov	[ebx+34h], eax
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		xor	eax, eax

loc_791E49:				; CODE XREF: MiSelectImageBase+14D643j
					; MiSelectImageBase+14D655j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_791E50:				; CODE XREF: MiSelectImageBase+CFj
		test	dword ptr [ebx+34h], (offset loc_7FFFFF+1)
		jz	short loc_791E69
		mov	esi, [edx+18h]
		xor	edi, edi
		inc	edi
		jmp	short loc_791E32
; 

loc_791E61:				; CODE XREF: MiSelectImageBase+9Fj
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		jmp	short loc_791E1C
; 

loc_791E69:				; CODE XREF: MiSelectImageBase+103j
		mov	edx, 2000h
		test	[ecx+1Ch], dx
		jz	short loc_791E86
		push	ecx
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		call	MiSelectOverflowDllBase

loc_791E7F:				; CODE XREF: MiSelectImageBase+14D64Bj
		mov	esi, eax

loc_791E81:				; CODE XREF: MiSelectImageBase+151j
					; MiSelectImageBase+1A8j
		xor	edi, edi
		inc	edi
		jmp	short loc_791E25
; 

loc_791E86:				; CODE XREF: MiSelectImageBase+11Ej
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		mov	esi, [ebp+var_C]
		movzx	eax, al
		shl	eax, 10h
		cmp	esi, 1000000h
		jnb	short loc_791EFA
		lea	esi, [eax+10000h]
		jmp	short loc_791E81
; 

loc_791EA7:				; CODE XREF: MiSelectImageBase+2Cj
		shl	ecx, 0Ch
		call	_MiBytesToMapSystemImage@4 ; MiBytesToMapSystemImage(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8DF392
		mov	edx, [ebp+var_8]
		shr	ecx, 0Ch
		jmp	loc_791D86
; 

loc_791EC4:				; CODE XREF: MiSelectImageBase+61j
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		call	_MiSelectSystemImageAddress@8 ;	MiSelectSystemImageAddress(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8DF3A4
		sub	eax, dword_6D07D0
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		shr	eax, 10h
		mov	[ebx+34h], cx
		mov	ecx, ebx
		mov	[ebx+30h], eax
		call	_MiSetControlAreaSystemVa@8 ; MiSetControlAreaSystemVa(x,x)
		jmp	loc_791E32
; 

loc_791EFA:				; CODE XREF: MiSelectImageBase+149j
		sub	esi, eax
		jmp	short loc_791E81
MiSelectImageBase endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiObtainRelocationBits proc near	; CODE XREF: MiSelectImageBase+A8p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DF3AE SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Eh]
		mov	si, dx
		mov	edi, ecx
		mov	[ebp+var_8], eax
		nop
		xor	edx, edx
		mov	ecx, offset unk_6CF4C8
		call	ExAcquirePushLockExclusiveEx
		push	[ebp+arg_0]
		movzx	ebx, si
		push	ebx
		push	dword ptr [edi]
		call	RtlFindClearBitsAndSet
		mov	esi, eax
		or	eax, 0FFFFFFFFh
		cmp	esi, eax
		jz	short loc_791F4C
		mov	ecx, [edi+4]
		test	ecx, ecx
		jnz	loc_8DF3AE

loc_791F4C:				; CODE XREF: MiObtainRelocationBits+41j
					; MiObtainRelocationBits+14D4ECj ...
		mov	edi, offset unk_6CF4C8
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_791F73

loc_791F5B:				; CODE XREF: MiObtainRelocationBits+7Cj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_791F73:				; CODE XREF: MiObtainRelocationBits+5Bj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_791F5B
MiObtainRelocationBits endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPrefetchDriverPages(x, x)
_MiPrefetchDriverPages@8 proc near	; CODE XREF: MiLockCode(x,x,x,x)+E1p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		push	4
		mov	ebx, edx
		mov	esi, ecx
		pop	ecx
		mov	[ebp+var_C], ebx
		call	_MiMakeDemandZeroPte@4 ; MiMakeDemandZeroPte(x)
		and	[ebp+var_10], 0
		and	[ebp+var_14], 0
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx
		cmp	esi, ebx
		ja	short loc_791FE8
		lea	edi, [esi+8]
		shl	edi, 9

loc_791FAE:				; CODE XREF: MiPrefetchDriverPages(x,x)+66j
		mov	ebx, [esi]
		nop
		mov	edx, [esi+4]
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_791FC8
		push	edx
		push	ebx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	ebx, eax

loc_791FC8:				; CODE XREF: MiPrefetchDriverPages(x,x)+41j
		mov	ecx, ebx
		and	ecx, 1
		or	ecx, 0
		jz	short loc_791FED

loc_791FD2:				; CODE XREF: MiPrefetchDriverPages(x,x)+99j
					; MiPrefetchDriverPages(x,x)+A5j
		mov	eax, [ebp+var_10]

loc_791FD5:				; CODE XREF: MiPrefetchDriverPages(x,x)+8Dj
		mov	ecx, 1000h
		add	esi, 8
		add	edi, ecx
		cmp	esi, [ebp+var_C]
		jbe	short loc_791FAE
		cmp	eax, ecx
		ja	short loc_79202D

loc_791FE8:				; CODE XREF: MiPrefetchDriverPages(x,x)+2Aj
					; MiPrefetchDriverPages(x,x)+C0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_791FED:				; CODE XREF: MiPrefetchDriverPages(x,x)+54j
		mov	eax, ebx
		and	eax, 400h
		or	eax, 0
		jz	short loc_79200B

loc_791FF9:				; CODE XREF: MiPrefetchDriverPages(x,x)+9Ej
					; MiPrefetchDriverPages(x,x)+A3j
		cmp	[ebp+var_10], 0
		jz	short loc_792023
		mov	ecx, [ebp+var_14]

loc_792002:				; CODE XREF: MiPrefetchDriverPages(x,x)+AFj
		mov	eax, edi
		sub	eax, ecx
		mov	[ebp+var_10], eax
		jmp	short loc_791FD5
; 

loc_79200B:				; CODE XREF: MiPrefetchDriverPages(x,x)+7Bj
		mov	eax, ebx
		and	eax, 800h
		or	eax, 0
		jnz	short loc_791FD2
		cmp	ebx, [ebp+var_4]
		jnz	short loc_791FF9
		cmp	edx, [ebp+var_8]
		jnz	short loc_791FF9
		jmp	short loc_791FD2
; 

loc_792023:				; CODE XREF: MiPrefetchDriverPages(x,x)+81j
		mov	ecx, esi
		shl	ecx, 9
		mov	[ebp+var_14], ecx
		jmp	short loc_792002
; 

loc_79202D:				; CODE XREF: MiPrefetchDriverPages(x,x)+6Aj
		push	2Dh
		xor	ecx, ecx
		lea	edx, [ebp+var_14]
		push	1
		inc	ecx
		call	MiPrefetchVirtualMemory
		jmp	short loc_791FE8
_MiPrefetchDriverPages@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCompressRelocations(x, x)
_MiCompressRelocations@8 proc near	; CODE XREF: MiRelocateImage+493p

var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_14], ecx
		push	esi
		xor	ah, ah
		mov	[ebp+var_8], ebx
		xor	al, al
		mov	[ebp+var_20], ebx
		push	edi
		mov	edi, [ecx+10h]
		mov	esi, edx
		mov	[ebp+var_1], ah
		mov	[ebp+var_2], al
		mov	[ebp+var_30], 0EBh
		lea	esp, [esp+0]

loc_792070:				; CODE XREF: MiCompressRelocations(x,x)+F5j
		mov	ecx, [edi+4]
		lea	edx, [edi+8]
		add	[ebp+var_20], ecx
		add	edi, ecx
		sub	esi, ecx
		mov	[ebp+var_28], edi
		mov	[ebp+var_2C], esi
		mov	esi, 0
		lea	edi, [ecx-8]
		mov	[ebp+var_18], edx
		shr	edi, 1
		mov	[ebp+var_1C], 4
		mov	[ebp+var_10], esi
		jz	short loc_79211A
		lea	esp, [esp+0]

loc_7920A0:				; CODE XREF: MiCompressRelocations(x,x)+CAj
		movzx	ecx, word ptr [edx]
		mov	edx, ecx
		shr	cx, 0Ch
		test	cx, cx
		jz	short loc_7920FE
		cmp	al, cl
		jnz	loc_7923E7
		xor	ecx, ecx

loc_7920B8:				; CODE XREF: MiCompressRelocations(x,x)+3C8j
		and	edx, 0FFFh
		add	edx, ecx
		movzx	ecx, dx
		cmp	cx, si
		jbe	loc_79231D

loc_7920CC:				; CODE XREF: MiCompressRelocations(x,x)+2E0j
		mov	ebx, ecx
		sub	ecx, esi
		cmp	cx, word ptr [ebp+var_1C]
		jz	loc_7922CC
		mov	esi, [ebp+var_10]
		test	esi, esi
		jnz	loc_7922EE

loc_7920E5:				; CODE XREF: MiCompressRelocations(x,x)+2C4j
		movzx	edx, cx
		mov	[ebp+var_1C], edx
		mov	edx, 0EBh
		cmp	cx, dx
		jnb	loc_792309
		inc	[ebp+var_8]

loc_7920FC:				; CODE XREF: MiCompressRelocations(x,x)+2A9j
					; MiCompressRelocations(x,x)+2CDj
		mov	esi, ebx

loc_7920FE:				; CODE XREF: MiCompressRelocations(x,x)+6Cj
		mov	edx, [ebp+var_18]
		dec	edi
		add	edx, 2
		mov	[ebp+var_18], edx
		test	edi, edi
		jnz	short loc_7920A0
		mov	ecx, [ebp+var_10]
		mov	ebx, [ebp+var_8]
		test	ecx, ecx
		jnz	loc_792312

loc_79211A:				; CODE XREF: MiCompressRelocations(x,x)+5Aj
					; MiCompressRelocations(x,x)+2D8j ...
		mov	ecx, ebx
		add	ebx, 2
		mov	[ebp+var_8], ebx
		test	bl, 1
		jz	short loc_79212D
		lea	ebx, [ecx+3]
		mov	[ebp+var_8], ebx

loc_79212D:				; CODE XREF: MiCompressRelocations(x,x)+E5j
		mov	esi, [ebp+var_2C]
		mov	edi, [ebp+var_28]
		test	esi, esi
		jnz	loc_792070
		test	ah, ah
		jz	loc_792326
		mov	eax, [ebp+var_14]
		mov	edx, 65526D4Dh
		push	0
		push	100h
		mov	eax, [eax+1Ch]
		add	eax, 10h
		lea	ecx, [ebx+eax*4]
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_38], edx
		test	edx, edx
		jz	loc_792326
		mov	ebx, [ebp+var_14]
		mov	edi, edx
		mov	esi, ebx
		mov	ecx, 10h
		mov	eax, [ebx+10h]
		sub	eax, [ebx]
		shr	eax, 2
		mov	[ebp+var_18], eax
		mov	al, [ebp+var_2]
		rep movsd
		mov	[edx+24h], al
		lea	ecx, [edx+40h]
		lea	eax, [ebx+40h]
		mov	[edx], ecx
		mov	[ebp+var_10], eax
		mov	eax, [ebx+1Ch]
		mov	[ebp+var_1C], ecx
		lea	ebx, [ecx+eax*4]
		mov	eax, [ebp+var_14]
		mov	[edx+10h], ebx
		xor	edx, edx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_20], edx
		mov	esi, [eax+10h]
		cmp	[ebp+var_18], edx
		jz	loc_7922BA
		mov	eax, [ebp+var_10]
		sub	eax, ecx
		mov	[ebp+var_28], 1000h
		mov	[ebp+var_10], eax
		lea	esp, [esp+0]

loc_7921D0:				; CODE XREF: MiCompressRelocations(x,x)+271j
		mov	edi, [ebp+var_14]
		cmp	edx, [edi+1Ch]
		mov	edi, [ebp+var_18]
		jnb	loc_7922A5
		mov	eax, [eax+ecx]
		cmp	eax, 1
		jbe	loc_7923B5
		mov	eax, [ebp+var_10]
		mov	[ecx], ebx
		test	byte ptr [eax+ecx], 1
		jnz	loc_7923DB

loc_7921FA:				; CODE XREF: MiCompressRelocations(x,x)+3A2j
		mov	eax, [esi+4]
		lea	edx, [esi+8]
		add	esi, eax
		mov	[ebp+var_24], 4
		mov	[ebp+var_2C], esi
		xor	esi, esi
		mov	[ebp+var_C], esi
		lea	edi, [eax-8]
		shr	edi, 1
		jz	short loc_792285
		mov	eax, [ebp+var_28]
		jmp	short loc_792220
; 
		align 10h

loc_792220:				; CODE XREF: MiCompressRelocations(x,x)+1DBj
					; MiCompressRelocations(x,x)+232j
		movzx	ecx, word ptr [edx]
		cmp	cx, ax
		jb	short loc_79226C
		and	ecx, 0FFFh
		mov	eax, ecx
		sub	eax, esi
		movzx	ebx, ax
		mov	eax, [ebp+var_C]
		cmp	bx, word ptr [ebp+var_24]
		jz	loc_792339
		test	eax, eax
		jnz	loc_792362

loc_79224A:				; CODE XREF: MiCompressRelocations(x,x)+345j
		mov	eax, ebx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_8]
		lea	esi, [eax+1]
		mov	[ebp+var_34], esi
		cmp	bx, word ptr [ebp+var_30]
		jnb	loc_79239B
		mov	[eax], bl
		mov	[ebp+var_8], esi

loc_792267:				; CODE XREF: MiCompressRelocations(x,x)+302j
					; MiCompressRelocations(x,x)+31Dj ...
		mov	eax, [ebp+var_28]
		mov	esi, ecx

loc_79226C:				; CODE XREF: MiCompressRelocations(x,x)+1E6j
		add	edx, 2
		sub	edi, 1
		jnz	short loc_792220
		mov	edx, [ebp+var_C]
		mov	ebx, [ebp+var_8]
		mov	ecx, [ebp+var_1C]
		test	edx, edx
		jnz	loc_7923BC

loc_792285:				; CODE XREF: MiCompressRelocations(x,x)+1D6j
					; MiCompressRelocations(x,x)+388j ...
		mov	edx, [ebp+var_20]
		mov	esi, [ebp+var_2C]
		mov	edi, [ebp+var_18]
		mov	word ptr [ebx],	0F0h
		add	ebx, 2
		mov	[ebp+var_8], ebx
		test	bl, 1
		jz	short loc_7922A2
		inc	ebx
		mov	[ebp+var_8], ebx

loc_7922A2:				; CODE XREF: MiCompressRelocations(x,x)+25Cj
					; MiCompressRelocations(x,x)+377j
		mov	eax, [ebp+var_10]

loc_7922A5:				; CODE XREF: MiCompressRelocations(x,x)+199j
		inc	edx
		add	ecx, 4
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		cmp	edx, edi
		jb	loc_7921D0
		mov	eax, [ebp+var_14]

loc_7922BA:				; CODE XREF: MiCompressRelocations(x,x)+174j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_38]

loc_7922C5:				; CODE XREF: MiCompressRelocations(x,x)+2E9j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7922CC:				; CODE XREF: MiCompressRelocations(x,x)+94j
		mov	ecx, [ebp+var_10]
		lea	edx, [ecx+1]
		cmp	ecx, 0FEh
		jz	short loc_792333

loc_7922DA:				; CODE XREF: MiCompressRelocations(x,x)+2F7j
		sub	ecx, 0FEh
		neg	ecx
		sbb	ecx, ecx
		and	ecx, edx
		mov	[ebp+var_10], ecx
		jmp	loc_7920FC
; 

loc_7922EE:				; CODE XREF: MiCompressRelocations(x,x)+9Fj
		mov	edx, 4
		mov	[ebp+var_10], 0
		cmp	edx, esi
		sbb	edx, edx
		neg	edx
		inc	edx
		add	[ebp+var_8], edx
		jmp	loc_7920E5
; 

loc_792309:				; CODE XREF: MiCompressRelocations(x,x)+B3j
		add	[ebp+var_8], 2
		jmp	loc_7920FC
; 

loc_792312:				; CODE XREF: MiCompressRelocations(x,x)+D4j
		cmp	ecx, 4
		ja	short loc_79232B
		inc	ebx
		jmp	loc_79211A
; 

loc_79231D:				; CODE XREF: MiCompressRelocations(x,x)+86j
		test	si, si
		jz	loc_7920CC

loc_792326:				; CODE XREF: MiCompressRelocations(x,x)+FDj
					; MiCompressRelocations(x,x)+127j ...
		mov	eax, [ebp+var_14]
		jmp	short loc_7922C5
; 

loc_79232B:				; CODE XREF: MiCompressRelocations(x,x)+2D5j
		add	ebx, 2
		jmp	loc_79211A
; 

loc_792333:				; CODE XREF: MiCompressRelocations(x,x)+298j
		add	[ebp+var_8], 2
		jmp	short loc_7922DA
; 

loc_792339:				; CODE XREF: MiCompressRelocations(x,x)+1FCj
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, 0FFh
		jnz	loc_792267
		mov	eax, [ebp+var_8]
		mov	[ebp+var_C], 0
		mov	word ptr [eax],	0FFEFh
		add	eax, 2
		mov	[ebp+var_8], eax
		jmp	loc_792267
; 

loc_792362:				; CODE XREF: MiCompressRelocations(x,x)+204j
		mov	esi, [ebp+var_8]
		inc	esi
		mov	[ebp+var_24], esi
		cmp	eax, 4
		ja	short loc_79238A
		mov	esi, [ebp+var_8]
		mov	al, 0EFh
		sub	al, byte ptr [ebp+var_C]
		mov	[esi], al
		mov	esi, [ebp+var_24]
		mov	[ebp+var_8], esi

loc_79237E:				; CODE XREF: MiCompressRelocations(x,x)+359j
		mov	[ebp+var_C], 0
		jmp	loc_79224A
; 

loc_79238A:				; CODE XREF: MiCompressRelocations(x,x)+32Cj
		mov	eax, [ebp+var_8]
		add	[ebp+var_8], 2
		mov	byte ptr [eax],	0EFh
		mov	eax, [ebp+var_C]
		mov	[esi], al
		jmp	short loc_79237E
; 

loc_79239B:				; CODE XREF: MiCompressRelocations(x,x)+21Cj
		mov	esi, [ebp+var_8]
		mov	al, bl
		or	al, 0F0h
		shr	ebx, 4
		add	[ebp+var_8], 2
		mov	[esi], al
		mov	esi, [ebp+var_34]
		mov	[esi], bl
		jmp	loc_792267
; 

loc_7923B5:				; CODE XREF: MiCompressRelocations(x,x)+1A5j
		mov	[ecx], eax
		jmp	loc_7922A2
; 

loc_7923BC:				; CODE XREF: MiCompressRelocations(x,x)+23Fj
		cmp	edx, 4
		ja	short loc_7923CD
		mov	al, 0EFh
		sub	al, dl
		mov	[ebx], al
		inc	ebx
		jmp	loc_792285
; 

loc_7923CD:				; CODE XREF: MiCompressRelocations(x,x)+37Fj
		mov	byte ptr [ebx],	0EFh
		mov	[ebx+1], dl
		add	ebx, 2
		jmp	loc_792285
; 

loc_7923DB:				; CODE XREF: MiCompressRelocations(x,x)+1B4j
		mov	eax, ebx
		or	eax, 1
		mov	[ecx], eax
		jmp	loc_7921FA
; 

loc_7923E7:				; CODE XREF: MiCompressRelocations(x,x)+70j
		cmp	ah, 1
		jnb	loc_792326
		movzx	eax, ah
		mov	[ebp+eax+var_2], cl
		movzx	eax, [ebp+var_1]
		mov	ecx, eax
		mov	ah, [ebp+var_1]
		mov	al, [ebp+var_2]
		inc	ah
		mov	[ebp+var_1], ah
		jmp	loc_7920B8
_MiCompressRelocations@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiParseImageLoadConfig proc near	; CODE XREF: MiRelocateImage+278p

var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_80		= dword	ptr -80h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		push	1A8h
		push	offset dword_6A1D98
		call	__SEH_prolog4_GS
		mov	eax, edx
		mov	[ebp+var_18C], eax
		mov	edi, ecx
		mov	[ebp+var_198], edi
		mov	[ebp+var_1A4], edi
		mov	[ebp+var_1B4], eax
		mov	[ebp+var_1A8], eax
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_180], ebx
		mov	[ebp+var_1B0], ebx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_194], eax
		push	0ACh		; size_t
		push	0		; int
		lea	eax, [ebp+var_17C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		and	[ebp+var_188], 0
		and	[ebp+var_190], 0
		xor	esi, esi
		push	0A8h		; size_t
		push	esi		; int
		lea	eax, [ebp+var_CC]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [edi]
		mov	edx, [eax+24h]
		mov	[ebp+var_1B8], edx
		mov	eax, [ebx]
		mov	[ebp+var_1AC], eax
		mov	eax, [ebx+54h]
		test	eax, eax
		jz	loc_792665
		mov	edi, [ebx+58h]
		mov	[ebp+var_184], edi
		mov	ecx, 10Bh
		cmp	[ebx+24h], cx
		jnz	loc_792665
		lea	ecx, [eax+5Ch]
		cmp	ecx, eax
		jbe	loc_792665
		cmp	ecx, [ebx+0Ch]
		ja	loc_792665
		add	eax, [ebp+var_18C]
		mov	[ebp+var_18C], eax
		cmp	edi, 5Ch
		jb	loc_79269D

loc_7924F1:				; CODE XREF: MiParseImageLoadConfig+2B8j
		cmp	edi, 0ACh
		jb	short loc_792504
		mov	edi, 0ACh
		mov	[ebp+var_184], edi

loc_792504:				; CODE XREF: MiParseImageLoadConfig+E9j
		mov	eax, [ebx+54h]
		lea	ecx, [eax+edi]
		cmp	ecx, eax
		jbe	loc_792665
		cmp	ecx, [ebx+0Ch]
		ja	loc_792665
		mov	[ebp+ms_exc.disabled], 1
		push	edi		; size_t
		push	[ebp+var_18C]	; void *
		lea	eax, [ebp+var_17C]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_79253F:				; CODE XREF: sub_8DF44E+1Cj
		test	esi, esi
		js	loc_7926CE
		mov	eax, [ebp+var_198]
		mov	[ebp+var_180], eax
		mov	ecx, eax
		call	MiReferenceControlAreaFile
		mov	esi, eax
		mov	[ebp+var_188], esi
		push	[ebp+var_180]
		push	esi
		mov	edx, edi
		mov	ecx, [ebx+54h]
		call	MiLogRelocationRva
		mov	eax, [ebp+var_1A4]
		mov	[ebp+var_CC], eax
		mov	[ebp+var_C8], esi
		mov	eax, [ebp+var_1A8]
		mov	[ebp+var_C4], eax
		mov	esi, [ebp+var_1AC]
		mov	[ebp+var_C0], esi
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_BC], edx
		and	[ebp+var_B8], 0
		mov	eax, [ebp+var_1B0]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_17C]
		mov	[ebp+var_B0], eax
		mov	[ebp+var_AC], edi
		lea	eax, [ebp+var_A8]
		push	eax
		lea	eax, [ebp+var_190]
		push	eax
		push	edi
		lea	eax, [ebp+var_17C]
		push	eax
		push	ebx
		push	ecx
		push	edx
		push	esi
		push	[ebp+var_1B4]
		mov	edx, [ebp+var_188]
		mov	ecx, [ebp+var_180]
		call	_MiCaptureImageCfgContext@44 ; MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7926CE
		mov	ecx, [ebp+var_190]
		mov	edi, [ebp+var_194]
		or	[edi], ecx
		mov	ecx, [ebp+var_1B8]
		mov	edx, 1C4h
		xor	eax, eax
		cmp	[ecx+20h], dx
		setz	al
		mov	[edi+4], eax
		mov	ax, [ecx+20h]
		mov	[edi+8], ax
		lea	eax, [ebp+var_74]
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		lea	edx, [ebp+var_70]
		mov	ecx, edi
		call	_MiInitializeRvaStates@16 ; MiInitializeRvaStates(x,x,x,x)
		cmp	[ebp+var_74], 0
		jz	short loc_792665
		lea	eax, [edi+0Ch]
		push	eax		; int
		push	ecx		; int
		lea	eax, [ebp+var_80]
		push	eax		; void *
		push	[ebp+var_74]	; int
		push	ecx		; int
		lea	ecx, [ebp+var_CC]
		call	RtlCreateRvaList
		mov	esi, eax

loc_792665:				; CODE XREF: MiParseImageLoadConfig+9Cj
					; MiParseImageLoadConfig+B4j ...
		test	esi, esi
		js	short loc_7926CE

loc_792669:				; CODE XREF: MiParseImageLoadConfig+2CBj
		mov	edx, [ebp+var_188]
		test	edx, edx
		jz	short loc_79267E
		mov	ecx, [ebp+var_198]
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)

loc_79267E:				; CODE XREF: MiParseImageLoadConfig+263j
		lea	ecx, [ebp+var_A8]
		call	_MiFreeImageCfgContext@4 ; MiFreeImageCfgContext(x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_79269D:				; CODE XREF: MiParseImageLoadConfig+DDj
		mov	ecx, 14Ch
		cmp	[edx+20h], cx
		jnz	short loc_792665
		and	[ebp+ms_exc.disabled], esi
		cmp	edi, 4
		jbe	short loc_7926B8
		mov	edi, [eax]
		mov	[ebp+var_184], edi

loc_7926B8:				; CODE XREF: MiParseImageLoadConfig+2A0j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7926BF:				; CODE XREF: sub_8DF41C+1Cj
		test	esi, esi
		js	short loc_7926CE
		cmp	edi, 5Ch
		jnb	loc_7924F1
		jmp	short loc_792665
; 

loc_7926CE:				; CODE XREF: MiParseImageLoadConfig+133j
					; MiParseImageLoadConfig+1F2j ...
		mov	ecx, [ebp+var_194]
		call	_MiFreeImageLoadConfig@4 ; MiFreeImageLoadConfig(x)
		jmp	short loc_792669
MiParseImageLoadConfig endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeRvaStates(x, x,	x, x)
_MiInitializeRvaStates@16 proc near	; CODE XREF: MiParseImageLoadConfig+232p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		test	byte ptr [ecx],	1
		jz	short loc_792714
		mov	eax, [ebp+arg_0]
		inc	esi
		mov	[eax], esi
		mov	dword ptr [edx+8], offset _MiImageCfgRvaIteratorFirst@12 ; MiImageCfgRvaIteratorFirst(x,x,x)
		mov	dword ptr [edx+0Ch], offset MiImageCfgRvaIteratorNext
		test	byte ptr [ecx],	8
		jz	short loc_792714
		mov	dword ptr [eax+4], 4
		and	dword ptr [edx+20h], 0
		and	dword ptr [edx+24h], 0
		push	2
		pop	esi

loc_792714:				; CODE XREF: MiInitializeRvaStates(x,x,x,x)+Bj
					; MiInitializeRvaStates(x,x,x,x)+24j
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		pop	esi
		pop	ebp
		retn	8
_MiInitializeRvaStates@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCaptureImageCfgContext(x,	x, x, x, x, x, x, x, x,	x, x)
_MiCaptureImageCfgContext@44 proc near	; CODE XREF: MiParseImageLoadConfig+1E9p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A1DC0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_38], edx
		mov	[ebp+var_3C], ecx
		xor	esi, esi
		mov	eax, [ebp+arg_1C]
		mov	[eax], esi
		xor	ecx, ecx
		mov	eax, [ebp+arg_20]
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		mov	[eax+0Ch], ecx
		mov	[eax+10h], ecx
		xor	edi, edi
		mov	[ebp+var_24], edi
		xor	ebx, ebx
		xor	edx, edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_28], ecx
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_10]
		mov	edi, 10Bh
		cmp	[eax+24h], di
		mov	edi, ecx
		jnz	short loc_7927CE
		mov	eax, [ebp+arg_14]
		mov	ebx, [eax+50h]
		mov	edx, [eax+54h]
		mov	[ebp+var_1C], edx
		mov	edi, [eax+58h]
		mov	[ebp+var_24], edi
		test	edi, 4000h
		jz	short loc_7927C5
		cmp	[ebp+arg_18], 70h
		jb	short loc_7927C5
		mov	ecx, [eax+68h]
		mov	[ebp+var_28], ecx
		mov	ecx, [eax+6Ch]

loc_7927C5:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+94j
					; MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+9Aj
		mov	eax, [eax+4Ch]
		mov	[ebp+var_20], eax
		mov	[ebp+var_2C], eax

loc_7927CE:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+7Aj
		test	edi, 400h
		jz	loc_792A39
		test	ebx, ebx
		jz	loc_792A39
		mov	eax, edi
		shr	eax, 1Ch
		add	eax, 4
		mov	[ebp+arg_14], eax
		cmp	ebx, [ebp+arg_4]
		jb	loc_792A2A
		test	edx, edx
		jz	loc_792A2A
		or	eax, 0FFFFFFFFh
		xor	edx, edx
		div	[ebp+arg_14]
		mov	edx, eax
		cmp	[ebp+var_1C], edx
		jnb	loc_792A2A
		test	edi, 4000h
		jz	short loc_792869
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_792869
		mov	edi, [ebp+arg_4]
		cmp	eax, edi
		jb	short loc_79285A
		test	ecx, ecx
		jz	short loc_79285A
		cmp	ecx, edx
		jnb	short loc_79285A
		sub	eax, edi
		imul	ecx, [ebp+arg_14]
		lea	edx, [eax+ecx]
		cmp	edx, eax
		jbe	short loc_79284B
		mov	eax, [ebp+arg_10]
		cmp	edx, [eax+0Ch]
		ja	short loc_79284B
		lea	eax, [ecx+4]
		cmp	eax, ecx
		jnb	short loc_792869

loc_79284B:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+11Aj
					; MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+122j
		mov	dword_6CF500, 0Bh
		jmp	loc_792A34
; 

loc_79285A:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+105j
					; MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+109j	...
		mov	dword_6CF500, 0Ah
		jmp	loc_792A34
; 

loc_792869:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+F7j
					; MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+FEj ...
		sub	ebx, [ebp+arg_4]
		mov	[ebp+var_34], ebx
		mov	edi, [ebp+arg_14]
		imul	edi, [ebp+var_1C]
		mov	[ebp+var_28], edi
		lea	eax, [ebx+edi]
		cmp	eax, ebx
		jbe	loc_792A1E
		mov	ecx, [ebp+arg_10]
		cmp	eax, [ecx+0Ch]
		ja	loc_792A1E
		lea	eax, [edi+4]
		cmp	eax, edi
		jb	loc_792A1E
		push	0
		push	100h
		mov	edx, 5443694Dh
		mov	ecx, edi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		mov	[ebp+arg_18], ecx
		test	ecx, ecx
		jnz	short loc_7928CB
		mov	esi, 0C000009Ah
		mov	dword_6CF500, 6
		jmp	loc_792A39
; 

loc_7928CB:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+195j
		mov	eax, [ebp+arg_0]
		add	eax, ebx
		mov	[ebp+var_4], esi
		push	edi		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_792910
; 

loc_7928E7:				; DATA XREF: .text:006A1DD4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	eax, 1
		retn
; 

loc_7928F7:				; DATA XREF: .text:006A1DD8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-30h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-28h]
		mov	ebx, [ebp-34h]
		mov	eax, [ebp-2Ch]
		mov	[ebp-20h], eax

loc_792910:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+1C5j
		test	esi, esi
		jns	short loc_792923
		mov	dword_6CF500, 7
		jmp	loc_792A39
; 

loc_792923:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+1F2j
		mov	eax, [ebp+var_38]
		test	eax, eax
		jz	short loc_792937
		push	[ebp+var_3C]
		push	eax
		mov	edx, edi
		mov	ecx, ebx
		call	MiLogRelocationRva

loc_792937:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+208j
		xor	edx, edx
		xor	eax, eax
		mov	ebx, [ebp+arg_8]
		test	edi, edi
		jz	short loc_79297A

loc_792942:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+23Bj
		mov	ecx, [ebp+arg_18]
		mov	ecx, [eax+ecx]
		cmp	ecx, ebx
		jnb	short loc_79296B
		test	eax, eax
		jz	short loc_792954
		cmp	ecx, edx
		jb	short loc_79295F

loc_792954:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+22Ej
		mov	edx, ecx
		add	eax, [ebp+arg_14]
		cmp	eax, edi
		jb	short loc_792942
		jmp	short loc_79297A
; 

loc_79295F:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+232j
		mov	dword_6CF500, 9
		jmp	short loc_792975
; 

loc_79296B:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+22Aj
		mov	dword_6CF500, 8

loc_792975:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+249j
		mov	esi, 0C000007Bh

loc_79297A:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+220j
					; MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+23Dj
		test	esi, esi
		js	loc_792A39
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	short loc_7929B5
		mov	edx, [ebp+arg_4]
		cmp	ecx, edx
		jb	short loc_7929A1
		lea	eax, [edx+ebx]
		cmp	ecx, eax
		jnb	short loc_7929A1
		sub	ecx, edx
		mov	edx, [ebp+arg_20]
		mov	[edx+10h], ecx
		jmp	short loc_7929B8
; 

loc_7929A1:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+26Ej
					; MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+275j
		mov	esi, 0C000007Bh
		mov	dword_6CF500, 0Ah
		jmp	loc_792A39
; 

loc_7929B5:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+267j
		mov	edx, [ebp+arg_20]

loc_7929B8:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+27Fj
		mov	ebx, [ebp+arg_1C]
		mov	eax, [ebx]
		or	eax, 1
		mov	[ebx], eax
		mov	edi, 4000h
		mov	ecx, [ebp+arg_10]
		test	[ecx+30h], di
		jz	short loc_7929D5
		or	eax, 2
		mov	[ebx], eax

loc_7929D5:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+2AEj
		mov	ecx, [ebp+var_24]
		test	ecx, 8000h
		jz	short loc_7929E5
		or	eax, 10h
		mov	[ebx], eax

loc_7929E5:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+2BEj
		test	ecx, edi
		jz	short loc_7929EE
		or	eax, 8
		mov	[ebx], eax

loc_7929EE:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+2C7j
		test	ecx, 100000h
		jz	short loc_7929FB
		or	eax, 20h
		mov	[ebx], eax

loc_7929FB:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+2D4j
		test	ecx, 400000h
		jz	short loc_792A08
		or	eax, 40h
		mov	[ebx], eax

loc_792A08:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+2E1j
		mov	[edx], ecx
		mov	eax, [ebp+arg_18]
		mov	[edx+4], eax
		mov	eax, [ebp+var_1C]
		mov	[edx+8], eax
		mov	eax, [ebp+arg_14]
		mov	[edx+0Ch], eax
		jmp	short loc_792A3C
; 

loc_792A1E:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+15Ej
					; MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+16Aj	...
		mov	dword_6CF500, 5
		jmp	short loc_792A34
; 

loc_792A2A:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+D0j
					; MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+D8j ...
		mov	dword_6CF500, 4

loc_792A34:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+135j
					; MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+144j	...
		mov	esi, 0C0000005h

loc_792A39:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+B4j
					; MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+BCj ...
		mov	edx, [ebp+arg_20]

loc_792A3C:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+2FCj
		test	esi, esi
		jns	short loc_792A47
		mov	ecx, edx
		call	_MiFreeImageCfgContext@4 ; MiFreeImageCfgContext(x)

loc_792A47:				; CODE XREF: MiCaptureImageCfgContext(x,x,x,x,x,x,x,x,x,x,x)+31Ej
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
_MiCaptureImageCfgContext@44 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateFixupRecord(x, x, x, x, x, x, x)
_MiCreateFixupRecord@28	proc near	; CODE XREF: MiScanRelocationPage+EAp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	20h
		push	offset dword_6A1DE0
		call	__SEH_prolog4
		mov	edi, [ebp+arg_0]
		lea	esi, [edi+1000h]
		shr	esi, 0Ch
		mov	eax, [ecx]
		cmp	esi, [eax+4]
		jb	short loc_792A87
		mov	eax, 0C0000005h
		jmp	loc_792B80
; 

loc_792A87:				; CODE XREF: MiCreateFixupRecord(x,x,x,x,x,x,x)+1Dj
		xor	esi, esi
		and	[ebp+var_1C], esi
		mov	ebx, [ebp+arg_C]
		movzx	ecx, word ptr [ebx]
		mov	ax, cx
		shr	ax, 0Ch
		movzx	eax, ax
		mov	[ebp+arg_C], eax
		mov	eax, edi
		and	eax, 0FFFh
		mov	[ebp+var_20], eax
		mov	edi, 1000h
		sub	edi, [ebp+arg_4]
		mov	[ebp+arg_4], edi
		cmp	eax, edi
		mov	edi, [ebp+arg_0]
		jb	short loc_792AC9
		and	ecx, 0FFFh
		mov	[ebx], cx
		mov	ebx, [ebp+arg_8]
		jmp	short loc_792AEB
; 

loc_792AC9:				; CODE XREF: MiCreateFixupRecord(x,x,x,x,x,x,x)+5Bj
		and	[ebp+ms_exc.disabled], esi
		mov	ebx, [ebp+arg_8]
		mov	esi, [edx+edi]
		mov	[ebp+var_30], esi
		cmp	ebx, 4
		jz	short loc_792AE4
		mov	eax, [edx+edi+4]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_2C], eax

loc_792AE4:				; CODE XREF: MiCreateFixupRecord(x,x,x,x,x,x,x)+7Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_792AEB:				; CODE XREF: MiCreateFixupRecord(x,x,x,x,x,x,x)+69j
		push	0
		push	100h
		mov	edx, 72466D4Dh
		push	18h
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_792B0C
		mov	eax, 0C000009Ah
		jmp	short loc_792B80
; 

loc_792B0C:				; CODE XREF: MiCreateFixupRecord(x,x,x,x,x,x,x)+A5j
		mov	eax, [ebp+arg_C]
		mov	[ecx+0Ch], ax
		lea	edx, [edi+ebx]
		mov	[ecx+8], edx
		mov	eax, [ebp+arg_4]
		cmp	[ebp+var_20], eax
		jb	short loc_792B35
		and	edi, 0FFFFF000h
		add	edi, 1000h
		mov	[ecx+4], edi
		mov	esi, [ebp+arg_10]
		jmp	short loc_792B50
; 

loc_792B35:				; CODE XREF: MiCreateFixupRecord(x,x,x,x,x,x,x)+C1j
		mov	[ecx+4], edi
		mov	[ecx+10h], esi
		mov	eax, [ebp+var_1C]
		mov	[ecx+14h], eax
		shr	edi, 0Ch
		mov	esi, [ebp+arg_10]
		mov	eax, [esi]
		or	dword ptr [eax+edi*4], 1
		mov	edx, [ecx+8]

loc_792B50:				; CODE XREF: MiCreateFixupRecord(x,x,x,x,x,x,x)+D5j
		shr	edx, 0Ch
		mov	eax, [esi]
		or	dword ptr [eax+edx*4], 1
		mov	eax, [esi+8]
		mov	[ecx], eax
		mov	[esi+8], ecx
		xor	eax, eax
		jmp	short loc_792B80
; 

loc_792B65:				; DATA XREF: .text:006A1DF4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_792B73:				; DATA XREF: .text:006A1DF8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]

loc_792B80:				; CODE XREF: MiCreateFixupRecord(x,x,x,x,x,x,x)+24j
					; MiCreateFixupRecord(x,x,x,x,x,x,x)+ACj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_MiCreateFixupRecord@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlCreateRvaList(int,int,void *,int,int)
RtlCreateRvaList proc near		; CODE XREF: MiParseImageLoadConfig+250p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008DF46F SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		push	edi
		mov	eax, ecx
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], edx
		push	ecx
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], edx
		push	ecx
		push	edx
		push	ecx
		mov	edi, edx
		mov	[ebp+var_14], eax
		push	ecx
		mov	edx, eax
		xor	ecx, ecx
		call	RtlpCompressRvaList
		mov	esi, eax
		test	esi, esi
		js	loc_792C99
		push	ebx
		mov	ebx, [ebp+arg_4]
		cmp	ebx, 1
		jbe	loc_792CA6
		mov	esi, [ebp+var_4]
		imul	esi, ebx
		add	esi, 3Fh
		shr	esi, 3
		and	esi, 1FFFFFF8h

loc_792BE8:				; CODE XREF: RtlCreateRvaList+116j
		mov	eax, [ebp+var_8]
		mov	ecx, ebx
		add	eax, 3
		shl	ecx, 2
		mov	[ebp+var_C], ecx
		and	eax, 0FFFFFFFCh
		add	ecx, 20h
		add	eax, ecx
		add	eax, esi
		push	4C617652h
		push	eax
		push	1
		mov	[ebp+var_10], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8DF46F
		mov	eax, [ebp+var_4]
		mov	[edi], eax
		mov	eax, [ebp+var_8]
		mov	[edi+0Ch], eax
		mov	eax, [ebp+var_10]
		add	eax, 0FFFFFFE0h
		mov	[edi+4], ebx
		push	eax		; size_t
		lea	ebx, [edi+20h]
		push	0		; int
		push	ebx		; void *
		mov	[edi+8], ebx
		call	_memset
		mov	ecx, [ebp+var_8]
		add	esp, 0Ch
		lea	eax, [ecx+3]
		and	eax, 0FFFFFFFCh
		add	ebx, eax
		cmp	[ebp+arg_8], 0
		jz	short loc_792C66
		push	[ebp+var_C]	; size_t
		mov	[edi+18h], ebx
		push	[ebp+arg_8]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		add	ebx, [ebp+var_C]

loc_792C66:				; CODE XREF: RtlCreateRvaList+BDj
		test	esi, esi
		jz	short loc_792C77
		mov	eax, [ebp+var_4]
		imul	eax, [ebp+arg_4]
		mov	[edi+14h], ebx
		mov	[edi+10h], eax

loc_792C77:				; CODE XREF: RtlCreateRvaList+D6j
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	dword ptr [edi+8]
		push	ecx
		push	ecx
		mov	ecx, edi
		call	RtlpCompressRvaList
		mov	esi, eax
		test	esi, esi
		js	loc_8DF479

loc_792C98:				; CODE XREF: RtlCreateRvaList+14C8E2j
					; RtlCreateRvaList+14C8F4j
		pop	ebx

loc_792C99:				; CODE XREF: RtlCreateRvaList+31j
		mov	eax, [ebp+arg_10]
		mov	[eax], edi
		mov	eax, esi
		pop	edi
		pop	esi
		leave
		retn	14h
; 

loc_792CA6:				; CODE XREF: RtlCreateRvaList+3Ej
		xor	esi, esi
		jmp	loc_792BE8
RtlCreateRvaList endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCompressRvaList proc near		; CODE XREF: RtlCreateRvaList+28p
					; RtlCreateRvaList+F7p

var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008DF48B SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		xor	edi, edi
		xor	ebx, ebx
		mov	[ebp+var_14], ecx
		neg	eax
		mov	[ebp+var_24], edx
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_10], edi
		sbb	eax, eax
		and	eax, ecx
		push	eax
		push	edx
		mov	[ebp+var_20], eax
		call	_MiImageRvaRawEnumFirst@8 ; MiImageRvaRawEnumFirst(x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jz	loc_8DF48B
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_792D0A
		push	[ebp+var_10]
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		mov	[eax], esi
		add	eax, 4
		mov	[ebp+var_4], eax
		call	_RtlpSetRvaListRvaStateBits@12 ; RtlpSetRvaListRvaStateBits(x,x,x)

loc_792D0A:				; CODE XREF: RtlpCompressRvaList+43j
		mov	edi, esi
		mov	[ebp+var_8], 4
		mov	[ebp+var_C], 1
		mov	[ebp+var_18], edi
		lea	ecx, [ecx+0]

loc_792D20:				; CODE XREF: RtlpCompressRvaList+B6j
					; RtlpCompressRvaList+F4j ...
		cmp	esi, edi
		jnz	short loc_792D4F
		push	[ebp+var_20]
		mov	ebx, edi
		push	[ebp+var_24]
		call	MiImageRvaRawEnumNext
		mov	edi, eax
		mov	[ebp+var_18], edi
		test	edi, edi
		jz	loc_792E1F
		cmp	edi, ebx
		jbe	loc_8DF495
		cmp	[ebp+var_4], 0
		jnz	short loc_792DC7

loc_792D4C:				; CODE XREF: RtlpCompressRvaList+11Fj
					; RtlpCompressRvaList+12Ej ...
		inc	[ebp+var_C]

loc_792D4F:				; CODE XREF: RtlpCompressRvaList+72j
					; RtlpCompressRvaList+EFj
		mov	edx, edi
		sub	edx, esi
		xor	ebx, ebx

loc_792D55:				; CODE XREF: RtlpCompressRvaList+B4j
		mov	ecx, ds:_RtlpRvaCompressionTableScales[ebx*4]
		cmp	edx, ecx
		jnb	short loc_792D68
		inc	ebx
		cmp	ebx, 4
		jb	short loc_792D55
		jmp	short loc_792D20
; 

loc_792D68:				; CODE XREF: RtlpCompressRvaList+AEj
		cmp	ecx, 1
		jnz	short loc_792DBD

loc_792D6D:				; CODE XREF: RtlpCompressRvaList+115j
		cmp	edx, 3Fh
		jnb	loc_792E44

loc_792D76:				; CODE XREF: RtlpCompressRvaList+199j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_792D92
		mov	edi, [ebp+var_4]
		mov	al, bl
		shl	al, 6
		or	al, dl
		mov	[edi], al
		mov	eax, edi
		mov	edi, [ebp+var_18]
		inc	eax
		mov	[ebp+var_4], eax

loc_792D92:				; CODE XREF: RtlpCompressRvaList+CBj
		inc	[ebp+var_8]
		imul	ecx, edx
		add	esi, ecx
		mov	[ebp+var_1C], esi
		cmp	esi, edi
		jnz	short loc_792D4F
		cmp	ebx, 3
		jz	loc_792D20
		test	eax, eax
		jz	short loc_792DB5
		mov	byte ptr [eax],	0C0h
		inc	eax
		mov	[ebp+var_4], eax

loc_792DB5:				; CODE XREF: RtlpCompressRvaList+FCj
		inc	[ebp+var_8]
		jmp	loc_792D20
; 

loc_792DBD:				; CODE XREF: RtlpCompressRvaList+BBj
		mov	eax, edx
		xor	edx, edx
		div	ecx
		mov	edx, eax
		jmp	short loc_792D6D
; 

loc_792DC7:				; CODE XREF: RtlpCompressRvaList+9Aj
		mov	eax, [ebp+var_10]
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_792D4C
		mov	eax, [ebp+var_14]
		mov	eax, [eax+4]
		cmp	eax, 1
		jbe	loc_792D4C
		mov	esi, [ebp+var_14]
		mov	edi, eax
		imul	edi, [ebp+var_C]
		xor	ebx, ebx
		nop

loc_792DF0:				; CODE XREF: RtlpCompressRvaList+162j
		lea	eax, [ebp+var_2C]
		bt	[eax], ebx
		jnb	short loc_792E0E
		lea	edx, [ebx+edi]
		mov	ecx, edx
		and	edx, 7
		shr	ecx, 3
		add	ecx, [esi+14h]
		movsx	eax, byte ptr [ecx]
		bts	eax, edx
		mov	[ecx], al

loc_792E0E:				; CODE XREF: RtlpCompressRvaList+146j
		inc	ebx
		cmp	ebx, [esi+4]
		jb	short loc_792DF0
		mov	esi, [ebp+var_1C]
		mov	edi, [ebp+var_18]
		jmp	loc_792D4C
; 

loc_792E1F:				; CODE XREF: RtlpCompressRvaList+88j
		xor	eax, eax

loc_792E21:				; CODE XREF: RtlpCompressRvaList+14C7EAj
		mov	ebx, [ebp+var_8]
		mov	edi, [ebp+var_C]

loc_792E27:				; CODE XREF: RtlpCompressRvaList+14C7E0j
		cmp	[ebp+arg_8], 0
		jnz	short loc_792E32
		mov	ecx, [ebp+arg_C]
		mov	[ecx], ebx

loc_792E32:				; CODE XREF: RtlpCompressRvaList+17Bj
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_792E3B
		mov	[ecx], edi

loc_792E3B:				; CODE XREF: RtlpCompressRvaList+187j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_792E44:				; CODE XREF: RtlpCompressRvaList+C0j
		mov	edx, 3Fh
		jmp	loc_792D76
RtlpCompressRvaList endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiImageRvaRawEnumNext proc near		; CODE XREF: RtlpCompressRvaList+7Cp

var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DF49F SIZE 00000052 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	dword ptr [edi+0A4h], 0
		jz	loc_79302E
		mov	eax, [edi+58h]
		xor	edx, edx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_C], edx
		mov	ecx, eax
		push	esi
		lea	esi, [edi+5Ch]
		test	eax, eax
		jz	loc_792F97

loc_792E82:				; CODE XREF: MiImageRvaRawEnumNext+13Ej
		mov	edx, [esi+0Ch]
		test	edx, edx
		jz	loc_792F83
		mov	eax, [esi]
		cmp	eax, [edi+0A4h]
		jnz	loc_792F6F
		cmp	edx, offset MiImageCfgRvaIteratorNext
		jnz	loc_8DF4D1
		mov	ecx, [esi+14h]
		xor	eax, eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	loc_793011
		mov	edx, [edi+30h]
		mov	[ebp+var_1C], edx
		mov	edx, [esi+10h]
		test	ecx, ecx
		jz	loc_792F67
		jmp	short loc_792ED0
; 
		align 10h

loc_792ED0:				; CODE XREF: MiImageRvaRawEnumNext+7Bj
					; MiImageRvaRawEnumNext+1D3j
		mov	ecx, [edi+14h]
		mov	[ebp+var_14], ecx
		mov	ecx, [edi+10h]
		mov	[esi+4], eax
		mov	edi, [edx]
		cmp	edi, [ebp+var_10]
		mov	[ebp+var_18], edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1], al
		jbe	loc_8DF4C0
		mov	edi, ecx
		cmp	[ebp+var_18], edi
		mov	edi, [ebp+arg_0]
		jnb	loc_8DF4C0
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_10], 1
		cmp	[ebp+var_14], eax
		jnz	loc_8DF49F

loc_792F14:				; CODE XREF: MiImageRvaRawEnumNext+14C661j
					; MiImageRvaRawEnumNext+14C66Bj
		cmp	[ebp+var_1C], 4
		jbe	loc_792FF8
		mov	cl, [edx+4]
		mov	[ebp+var_1], cl
		mov	ecx, [ebp+var_10]
		test	[ebp+var_1], cl
		mov	ecx, [ebp+var_8]
		setnz	[ebp+var_2]

loc_792F31:				; CODE XREF: MiImageRvaRawEnumNext+1ABj
		mov	[ebp+var_14], eax
		cmp	[ebp+var_2], al
		jnz	short loc_792F4A
		mov	ecx, [ebp+var_8]
		mov	dword ptr [esi+4], 1
		mov	[ebp+var_14], 1

loc_792F4A:				; CODE XREF: MiImageRvaRawEnumNext+E7j
		test	[ebp+var_1], 2
		jnz	loc_793000

loc_792F54:				; CODE XREF: MiImageRvaRawEnumNext+1BCj
		add	edx, [ebp+var_1C]
		dec	ecx
		mov	[ebp+var_8], ecx
		cmp	[ebp+var_2], al
		jnz	loc_793018
		mov	eax, [ebp+var_18]

loc_792F67:				; CODE XREF: MiImageRvaRawEnumNext+75j
					; MiImageRvaRawEnumNext+1D9j
		mov	[esi+14h], ecx
		mov	[esi+10h], edx

loc_792F6D:				; CODE XREF: MiImageRvaRawEnumNext+1C3j
					; MiImageRvaRawEnumNext+14C67Cj ...
		mov	[esi], eax

loc_792F6F:				; CODE XREF: MiImageRvaRawEnumNext+45j
		mov	edx, eax
		test	eax, eax
		jz	short loc_792F83
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jnz	loc_8DF4E1
		mov	[ebp+var_C], eax

loc_792F83:				; CODE XREF: MiImageRvaRawEnumNext+37j
					; MiImageRvaRawEnumNext+123j ...
		mov	eax, [edi+58h]
		inc	ebx
		add	esi, 18h
		mov	ecx, eax
		cmp	ebx, eax
		jb	loc_792E82
		mov	edx, [ebp+var_C]

loc_792F97:				; CODE XREF: MiImageRvaRawEnumNext+2Cj
		cmp	[ebp+arg_4], 0
		jz	short loc_792FE7
		test	edx, edx
		jz	short loc_792FE7
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_792FC1
		mov	eax, ecx
		lea	esi, [edi+5Ch]
		lea	esp, [esp+0]

loc_792FB0:				; CODE XREF: MiImageRvaRawEnumNext+16Dj
		cmp	[esi], edx
		jnz	short loc_792FB7
		or	ebx, [esi+4]

loc_792FB7:				; CODE XREF: MiImageRvaRawEnumNext+162j
		add	esi, 18h
		sub	eax, 1
		jnz	short loc_792FB0
		mov	eax, ecx

loc_792FC1:				; CODE XREF: MiImageRvaRawEnumNext+155j
		xor	ecx, ecx
		xor	edx, edx
		test	eax, eax
		jz	short loc_792FDF
		mov	eax, [edi+58h]
		lea	esi, [edi+4Ch]
		nop

loc_792FD0:				; CODE XREF: MiImageRvaRawEnumNext+18Dj
		test	[esi], ebx
		jz	short loc_792FD7
		bts	ecx, edx

loc_792FD7:				; CODE XREF: MiImageRvaRawEnumNext+182j
		inc	edx
		add	esi, 4
		cmp	edx, eax
		jb	short loc_792FD0

loc_792FDF:				; CODE XREF: MiImageRvaRawEnumNext+177j
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_C]
		mov	[eax], ecx

loc_792FE7:				; CODE XREF: MiImageRvaRawEnumNext+14Bj
					; MiImageRvaRawEnumNext+14Fj
		pop	esi
		mov	[edi+0A4h], edx
		mov	eax, edx
		pop	ebx

loc_792FF1:				; CODE XREF: MiImageRvaRawEnumNext+1E0j
		pop	edi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_792FF8:				; CODE XREF: MiImageRvaRawEnumNext+C8j
		mov	[ebp+var_2], al
		jmp	loc_792F31
; 

loc_793000:				; CODE XREF: MiImageRvaRawEnumNext+FEj
		mov	edi, [ebp+var_14]
		or	edi, 4
		mov	[esi+4], edi
		mov	edi, [ebp+arg_0]
		jmp	loc_792F54
; 

loc_793011:				; CODE XREF: MiImageRvaRawEnumNext+64j
		xor	eax, eax
		jmp	loc_792F6D
; 

loc_793018:				; CODE XREF: MiImageRvaRawEnumNext+10Ej
		mov	edi, [ebp+var_18]
		mov	[ebp+var_10], edi
		mov	edi, [ebp+arg_0]
		test	ecx, ecx
		jnz	loc_792ED0
		jmp	loc_792F67
; 

loc_79302E:				; CODE XREF: MiImageRvaRawEnumNext+13j
		xor	eax, eax
		jmp	short loc_792FF1
MiImageRvaRawEnumNext endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiImageRvaRawEnumFirst(x, x)
_MiImageRvaRawEnumFirst@8 proc near	; CODE XREF: RtlpCompressRvaList+2Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		mov	[ebp+var_4], esi
		lea	ebx, [edi+5Ch]
		cmp	[edi+58h], esi
		jbe	short loc_79307A
		mov	eax, esi

loc_79304D:				; CODE XREF: MiImageRvaRawEnumFirst(x,x)+46j
		mov	ecx, [ebx+8]
		test	ecx, ecx
		jz	short loc_79306E
		lea	eax, [ebx+4]
		push	eax
		lea	eax, [ebx+10h]
		push	eax
		push	edi
		call	ecx
		mov	[ebx], eax
		test	eax, eax
		jz	short loc_79306B
		test	esi, esi
		jnz	short loc_79309F

loc_793069:				; CODE XREF: MiImageRvaRawEnumFirst(x,x)+71j
		mov	esi, eax

loc_79306B:				; CODE XREF: MiImageRvaRawEnumFirst(x,x)+31j
					; MiImageRvaRawEnumFirst(x,x)+6Fj
		mov	eax, [ebp+var_4]

loc_79306E:				; CODE XREF: MiImageRvaRawEnumFirst(x,x)+20j
		inc	eax
		add	ebx, 18h
		mov	[ebp+var_4], eax
		cmp	eax, [edi+58h]
		jb	short loc_79304D

loc_79307A:				; CODE XREF: MiImageRvaRawEnumFirst(x,x)+17j
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_793090
		test	esi, esi
		jz	short loc_793090
		mov	edx, esi
		mov	ecx, edi
		call	_MiImageGetRawRvaState@8 ; MiImageGetRawRvaState(x,x)
		mov	[ebx], eax

loc_793090:				; CODE XREF: MiImageRvaRawEnumFirst(x,x)+4Dj
					; MiImageRvaRawEnumFirst(x,x)+51j
		mov	[edi+0A4h], esi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_79309F:				; CODE XREF: MiImageRvaRawEnumFirst(x,x)+35j
		cmp	esi, eax
		jb	short loc_79306B
		jmp	short loc_793069
_MiImageRvaRawEnumFirst@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiImageCfgRvaIteratorFirst(x, x, x)
_MiImageCfgRvaIteratorFirst@12 proc near ; DATA	XREF: MiInitializeRvaStates(x,x,x,x)+13o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	[ebp+arg_8]
		mov	eax, [edx+28h]
		push	ecx
		mov	[ecx], eax
		mov	eax, [edx+2Ch]
		push	edx
		mov	[ecx+4], eax
		call	MiImageCfgRvaIteratorNext
		pop	ebp
		retn	0Ch
_MiImageCfgRvaIteratorFirst@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiImageCfgRvaIteratorNext proc near	; CODE XREF: MiImageCfgRvaIteratorFirst(x,x,x)+1Bp
					; DATA XREF: MiInitializeRvaStates(x,x,x,x)+1Ao ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008DF4F1 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		sub	esp, 10h
		mov	eax, [ecx+4]
		push	ebx
		push	esi
		xor	esi, esi
		xor	ebx, ebx
		test	eax, eax
		jz	loc_7931A9
		push	edi
		mov	edi, [ebp+arg_0]
		mov	edx, [edi+30h]
		mov	[ebp+var_10], edx
		mov	edx, [ecx]
		test	eax, eax
		jz	loc_793180

loc_793100:				; CODE XREF: MiImageCfgRvaIteratorNext+ECj
		mov	ecx, [edi+14h]
		mov	edi, [edi+10h]
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_8], edi
		mov	[ebp+var_1], 0
		mov	dword ptr [ecx], 0
		mov	edi, [edx]
		cmp	edi, ebx
		jbe	loc_8DF50E
		cmp	edi, [ebp+var_8]
		jnb	loc_8DF50E
		mov	ebx, 1
		mov	[ebp+var_8], ebx
		mov	ebx, [ebp+var_C]
		test	ebx, ebx
		jnz	loc_8DF4F1

loc_79313F:				; CODE XREF: MiImageCfgRvaIteratorNext+14C42Dj
					; MiImageCfgRvaIteratorNext+14C439j
		cmp	[ebp+var_10], 4
		jbe	short loc_793190
		mov	bh, [edx+4]
		mov	ecx, [ebp+var_8]
		test	bh, cl
		setnz	bl

loc_793150:				; CODE XREF: MiImageCfgRvaIteratorNext+C5j
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_C], 0
		test	bl, bl
		jnz	short loc_793171
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_C], 1
		mov	dword ptr [ecx], 1
		mov	ecx, [ebp+arg_4]

loc_793171:				; CODE XREF: MiImageCfgRvaIteratorNext+8Cj
		test	bh, 2
		jnz	short loc_793197

loc_793176:				; CODE XREF: MiImageCfgRvaIteratorNext+D7j
		add	edx, [ebp+var_10]
		dec	eax
		test	bl, bl
		jnz	short loc_7931B3
		mov	esi, edi

loc_793180:				; CODE XREF: MiImageCfgRvaIteratorNext+2Aj
					; MiImageCfgRvaIteratorNext+E7j
		mov	[ecx+4], eax
		mov	[ecx], edx

loc_793185:				; CODE XREF: MiImageCfgRvaIteratorNext+14C44Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_793190:				; CODE XREF: MiImageCfgRvaIteratorNext+73j
		mov	bh, [ebp+var_1]
		xor	bl, bl
		jmp	short loc_793150
; 

loc_793197:				; CODE XREF: MiImageCfgRvaIteratorNext+A4j
		mov	esi, [ebp+arg_8]
		mov	ecx, [ebp+var_C]
		or	ecx, 4
		mov	[esi], ecx
		xor	esi, esi
		mov	ecx, [ebp+arg_4]
		jmp	short loc_793176
; 

loc_7931A9:				; CODE XREF: MiImageCfgRvaIteratorNext+16j
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7931B3:				; CODE XREF: MiImageCfgRvaIteratorNext+ACj
		mov	ebx, edi
		test	eax, eax
		jz	short loc_793180
		mov	edi, [ebp+arg_0]
		jmp	loc_793100
MiImageCfgRvaIteratorNext endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiImageGetRawRvaState(x, x)
_MiImageGetRawRvaState@8 proc near	; CODE XREF: MiImageRvaRawEnumFirst(x,x)+57p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	[ebp+var_4], edx
		xor	eax, eax
		mov	edx, ecx
		mov	ebx, eax
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	edi, [edx+58h]
		lea	esi, [edx+5Ch]
		test	edi, edi
		jz	short loc_7931F9
		mov	edx, [ebp+var_4]
		mov	ecx, edi

loc_7931E7:				; CODE XREF: MiImageGetRawRvaState(x,x)+32j
		cmp	[esi], edx
		jnz	short loc_7931EE
		or	ebx, [esi+4]

loc_7931EE:				; CODE XREF: MiImageGetRawRvaState(x,x)+27j
		add	esi, 18h
		sub	ecx, 1
		jnz	short loc_7931E7
		mov	edx, [ebp+var_8]

loc_7931F9:				; CODE XREF: MiImageGetRawRvaState(x,x)+1Ej
		mov	ecx, eax
		test	edi, edi
		jz	short loc_793211
		add	edx, 4Ch

loc_793202:				; CODE XREF: MiImageGetRawRvaState(x,x)+4Dj
		test	[edx], ebx
		jz	short loc_793209
		bts	eax, ecx

loc_793209:				; CODE XREF: MiImageGetRawRvaState(x,x)+42j
		inc	ecx
		add	edx, 4
		cmp	ecx, edi
		jb	short loc_793202

loc_793211:				; CODE XREF: MiImageGetRawRvaState(x,x)+3Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiImageGetRawRvaState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpSetRvaListRvaStateBits(x, x, x)
_RtlpSetRvaListRvaStateBits@12 proc near ; CODE	XREF: RtlpCompressRvaList+55p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	ebx
		mov	ebx, ecx
		jbe	short loc_793259
		push	edi
		mov	edi, [ebx+4]
		cmp	edi, 1
		jbe	short loc_793258
		push	esi
		imul	edi, edx
		xor	esi, esi

loc_793233:				; CODE XREF: RtlpSetRvaListRvaStateBits(x,x,x)+3Fj
		lea	eax, [ebp+arg_0]
		bt	[eax], esi
		jnb	short loc_793251
		lea	edx, [esi+edi]
		mov	ecx, edx
		and	edx, 7
		shr	ecx, 3
		add	ecx, [ebx+14h]
		movsx	eax, byte ptr [ecx]
		bts	eax, edx
		mov	[ecx], al

loc_793251:				; CODE XREF: RtlpSetRvaListRvaStateBits(x,x,x)+23j
		inc	esi
		cmp	esi, [ebx+4]
		jb	short loc_793233
		pop	esi

loc_793258:				; CODE XREF: RtlpSetRvaListRvaStateBits(x,x,x)+15j
		pop	edi

loc_793259:				; CODE XREF: RtlpSetRvaListRvaStateBits(x,x,x)+Cj
		pop	ebx
		pop	ebp
		retn	4
_RtlpSetRvaListRvaStateBits@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockImageSection(x, x, x,	x)
_MiLockImageSection@16 proc near	; CODE XREF: MiLockPagableImageSection+11Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		mov	edi, edx
		mov	[esp+18h+var_8], ecx
		dec	word ptr [ebx+13Ch]
		nop

loc_793281:				; CODE XREF: MiLockImageSection(x,x,x,x)+8Fj
		mov	esi, [edi]

loc_793283:				; CODE XREF: MiLockImageSection(x,x,x,x)+A1j
		mov	[esp+18h+var_C], esi
		cmp	esi, 1
		jz	short loc_7932D8
		lea	ecx, [esi+1]
		mov	eax, esi
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		jnz	short loc_7932FD
		cmp	eax, 2
		jnb	short loc_7932C8
		mov	edx, [ebp+arg_0]
		mov	ecx, [esp+18h+var_8]
		push	1
		push	[ebp+arg_4]
		call	_MiLockCode@16	; MiLockCode(x,x,x,x)
		lock inc dword ptr [edi]
		and	[esp+18h+var_4], 0
		lea	eax, [esp+18h+var_4]
		xor	edx, edx
		lock or	[eax], edx
		cmp	dword_6CF59C, edx
		jnz	short loc_7932EF

loc_7932C8:				; CODE XREF: MiLockImageSection(x,x,x,x)+3Ej
					; MiLockImageSection(x,x,x,x)+9Dj
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7932D8:				; CODE XREF: MiLockImageSection(x,x,x,x)+2Cj
		push	0
		push	4
		lea	eax, [esp+20h+var_C]
		mov	edx, edi
		push	eax
		mov	ecx, offset dword_6CF59C
		call	ExBlockOnAddressPushLock
		jmp	short loc_793281
; 

loc_7932EF:				; CODE XREF: MiLockImageSection(x,x,x,x)+68j
		xor	edx, edx
		mov	ecx, offset dword_6CF59C
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	short loc_7932C8
; 

loc_7932FD:				; CODE XREF: MiLockImageSection(x,x,x,x)+39j
		mov	esi, eax
		jmp	short loc_793283
_MiLockImageSection@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1463. MmResetDriverPaging

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmResetDriverPaging(x)
		public _MmResetDriverPaging@4
_MmResetDriverPaging@4 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	edx, [ebp+arg_0]
		sub	esp, 0Ch
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		call	_MiImagePagable@8 ; MiImagePagable(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7933A1
		mov	eax, [ebx+18h]
		push	eax
		mov	[esp+1Ch+var_C], eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	ecx, ebx
		mov	esi, eax
		call	_MiCancelPhase0Locking@4 ; MiCancelPhase0Locking(x)
		movzx	ecx, word ptr [esi+14h]
		lea	edi, [esi+18h]
		movzx	esi, word ptr [esi+6]
		add	edi, ecx
		test	esi, esi
		jz	short loc_7933A1

loc_79334B:				; CODE XREF: MmResetDriverPaging(x)+99j
		test	dword ptr [edi+24h], 2000000h
		jnz	short loc_793399
		mov	ecx, edi
		call	MmImageSectionPagable
		test	eax, eax
		jnz	short loc_793399
		mov	eax, [edi+0Ch]
		add	eax, [esp+18h+var_C]
		mov	ecx, eax
		mov	[esp+18h+var_8], eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, [edi+10h]
		mov	edx, [edi+8]
		mov	[esp+18h+var_4], eax
		cmp	ecx, edx
		jb	short loc_7933AA

loc_79337F:				; CODE XREF: MmResetDriverPaging(x)+A6j
		mov	eax, [esp+18h+var_8]
		dec	eax
		push	2
		add	ecx, eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	edx, [esp+1Ch+var_4]
		mov	ecx, ebx
		push	eax
		call	_MiLockCode@16	; MiLockCode(x,x,x,x)

loc_793399:				; CODE XREF: MmResetDriverPaging(x)+4Cj
					; MmResetDriverPaging(x)+57j
		add	edi, 28h
		sub	esi, 1
		jnz	short loc_79334B

loc_7933A1:				; CODE XREF: MmResetDriverPaging(x)+1Cj
					; MmResetDriverPaging(x)+43j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7933AA:				; CODE XREF: MmResetDriverPaging(x)+77j
		mov	ecx, edx
		jmp	short loc_79337F
_MmResetDriverPaging@4 endp


;  S U B	R O U T	I N E 


MmImageSectionPagable proc near		; CODE XREF: MmResetDriverPaging(x)+50p
					; MiSnapDriverRange+19Ep ...

; FUNCTION CHUNK AT 008DF51F SIZE 0000000C BYTES

		mov	eax, [ecx]
		xor	edx, edx
		cmp	eax, 6164652Eh
		jz	short loc_7933F1
		cmp	eax, 45474150h
		jz	short loc_7933C3

loc_7933C0:				; CODE XREF: MmImageSectionPagable+21j
					; MmImageSectionPagable+27j ...
		mov	eax, edx
		retn
; 

loc_7933C3:				; CODE XREF: MmImageSectionPagable+10j
		mov	al, [ecx+4]
		xor	edx, edx
		inc	edx
		cmp	al, 4Bh
		jz	short loc_7933F6
		cmp	al, 56h
		jnz	short loc_7933C0
		cmp	byte ptr [ecx+5], 52h
		jnz	short loc_7933C0
		cmp	byte ptr [ecx+6], 46h
		jnz	short loc_7933C0
		mov	al, byte ptr ds:_MiFlags
		and	al, dl
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	edx, eax
		jmp	short loc_7933C0
; 

loc_7933F1:				; CODE XREF: MmImageSectionPagable+9j
		xor	edx, edx
		inc	edx
		jmp	short loc_7933C0
; 

loc_7933F6:				; CODE XREF: MmImageSectionPagable+1Dj
		cmp	byte ptr [ecx+5], 44h
		jnz	short loc_7933C0
		jmp	loc_8DF51F
MmImageSectionPagable endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSelectOverflowDllBase	proc near	; CODE XREF: MiSelectImageBase+126p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DF52B SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ecx+4]
		shl	esi, 0Ch
		add	esi, 0FFFFh
		and	esi, 0FFFF0000h
		push	edi
		mov	edi, edx
		cmp	esi, 4000000h
		ja	loc_8DF52B
		mov	eax, large fs:124h
		push	ebx
		mov	ebx, dword_6CF4D8
		mov	[ebp+var_4], eax
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6CF4C8
		call	ExAcquirePushLockExclusiveEx
		mov	edi, dword_6CF4DC
		lea	ecx, [ebx+4000000h]
		mov	eax, ecx
		sub	eax, edi
		cmp	esi, eax
		ja	short loc_79349A

loc_793462:				; CODE XREF: MiSelectOverflowDllBase+9Aj
		lea	eax, [esi+edi]
		mov	dword_6CF4DC, eax
		cmp	eax, ecx
		jz	short loc_79349E

loc_79346E:				; CODE XREF: MiSelectOverflowDllBase+A2j
		or	eax, 0FFFFFFFFh
		mov	esi, offset unk_6CF4C8
		lock xadd [esi], eax
		pop	ebx
		test	al, 2
		jnz	loc_8DF564

loc_793483:				; CODE XREF: MiSelectOverflowDllBase+14C164j
					; MiSelectOverflowDllBase+14C171j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_793492:				; CODE XREF: MiSelectOverflowDllBase+14C152j
		mov	eax, edi

loc_793494:				; CODE XREF: MiSelectOverflowDllBase+14C15Dj
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_79349A:				; CODE XREF: MiSelectOverflowDllBase+5Ej
		mov	edi, ebx
		jmp	short loc_793462
; 

loc_79349E:				; CODE XREF: MiSelectOverflowDllBase+6Aj
		mov	dword_6CF4DC, ebx
		jmp	short loc_79346E
MiSelectOverflowDllBase	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcMdlReadComplete2(x, x)
_CcMdlReadComplete2@8 proc near		; CODE XREF: FsRtlMdlReadCompleteDev(x,x,x)+8p
					; CcMdlReadComplete(x,x)+39p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		push	edi
		mov	edi, edx
		test	edi, edi
		jz	short loc_7934CA

loc_7934B6:				; CODE XREF: CcMdlReadComplete2(x,x)+22j
		mov	esi, [edi]
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	edi
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_7934B6

loc_7934CA:				; CODE XREF: CcMdlReadComplete2(x,x)+Ej
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_CcMdlReadComplete2@8 endp

; 

; __stdcall MiValidateSectionCreate(x, x, x, x,	x, x, x)
_MiValidateSectionCreate@28:		; CODE XREF: MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+68p
		push	0ACh
		push	offset dword_6A1E00
		call	__SEH_prolog4_GS
		mov	ebx, edx
		mov	[ebp-88h], ecx
		mov	[ebp-0B4h], ebx
		mov	eax, [ebp+0Ch]
		mov	[ebp-0B8h], eax
		xor	edx, edx
		mov	[ebp-4Ch], edx
		mov	[ebp-4Dh], dl
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp-48h]
		rep stosd
		mov	[ebp-78h], edx
		xor	ecx, ecx
		inc	ecx
		mov	[ebp-94h], ecx
		mov	dword ptr [ebp-68h], 6
		mov	[ebp-54h], edx
		mov	[ebp-0A4h], edx
		mov	[ebp-74h], edx
		mov	[ebp-90h], edx
		test	dword ptr [ebx+1Ch], 800h
		jz	short loc_79355C
		test	dword ptr [ebp+10h], 40000000h
		jz	short loc_793553
		mov	dword_6CF4F4, 73h
		mov	eax, 0C0000433h
		jmp	loc_793B03
; 

loc_793553:				; CODE XREF: PAGE:0079353Dj
		or	dword ptr [ebp+10h], 10000000h
		jmp	short loc_79356F
; 

loc_79355C:				; CODE XREF: PAGE:00793534j
		mov	eax, [ebp-88h]
		mov	eax, [eax+4]
		test	byte ptr [eax+20h], 10h
		jz	short loc_79356F
		or	dword ptr [ebp+10h], 40h

loc_79356F:				; CODE XREF: PAGE:0079355Aj
					; PAGE:00793569j
		test	dword ptr [ebp+10h], 40000000h
		jz	short loc_793591
		cmp	[ebx+58h], edx
		jnz	short loc_793591
		mov	dword_6CF4F4, 74h
		mov	eax, 0C000007Bh
		jmp	loc_793B03
; 

loc_793591:				; CODE XREF: PAGE:00793576j
					; PAGE:0079357Bj
		test	byte ptr [ebp+10h], 5
		jz	short loc_7935A5
		mov	dword ptr [ebp-68h], 7
		mov	dword ptr [ebp-54h], 2

loc_7935A5:				; CODE XREF: PAGE:00793595j
		mov	[ebp-70h], edx
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp-0BCh], eax

loc_7935BA:				; CODE XREF: PAGE:00793954j
					; PAGE:0079395Fj ...
		mov	edi, [ebp-68h]
		and	edi, ecx
		mov	[ebp-0A0h], edi
		jz	short loc_793637
		mov	esi, large fs:124h
		mov	[ebp-90h], esi
		mov	edx, ecx
		mov	ecx, esi
		call	_PsSetSystemPagePriorityThread@8 ; PsSetSystemPagePriorityThread(x,x)
		mov	[ebp-74h], eax
		test	dword ptr [ebx+1Ch], 4000000h
		jz	short loc_793613
		or	edx, 0FFFFFFFFh
		mov	ecx, ebx
		call	MiCreatePerSessionProtos
		mov	[ebp-70h], eax
		test	eax, eax
		jns	short loc_79360C
		mov	edx, [ebp-74h]
		mov	ecx, esi
		call	_PsRevertToUserPagePriorityThread@8 ; PsRevertToUserPagePriorityThread(x,x)
		mov	eax, [ebp-70h]
		jmp	loc_793B03
; 

loc_79360C:				; CODE XREF: PAGE:007935F8j
		mov	dword ptr [ebp-70h], 1

loc_793613:				; CODE XREF: PAGE:007935E7j
		cmp	dword ptr [ebp-94h], 0
		jz	short loc_793637
		push	ds:dword_40B6EC
		push	ds:_MiLargeZero
		push	0FFFFFFFFh
		push	0
		push	1
		xor	edx, edx
		mov	ecx, ebx
		call	_MiPrefetchControlArea@28 ; MiPrefetchControlArea(x,x,x,x,x,x,x)

loc_793637:				; CODE XREF: PAGE:007935C5j
					; PAGE:0079361Aj
		lea	eax, [ebp-48h]
		push	eax
		mov	edx, [ebp-68h]
		mov	ecx, ebx
		call	MiMapImageInSystemSpace
		mov	esi, eax
		mov	[ebp-64h], esi
		test	esi, esi
		jns	short loc_793677
		cmp	dword ptr [ebp-70h], 1
		jnz	short loc_79365E
		or	edx, 0FFFFFFFFh
		mov	ecx, ebx
		call	_MiDereferencePerSessionProtos@8 ; MiDereferencePerSessionProtos(x,x)

loc_79365E:				; CODE XREF: PAGE:00793652j
		test	edi, edi
		jz	short loc_793670
		mov	edx, [ebp-74h]
		mov	ecx, [ebp-90h]
		call	_PsRevertToUserPagePriorityThread@8 ; PsRevertToUserPagePriorityThread(x,x)

loc_793670:				; CODE XREF: PAGE:00793660j
					; PAGE:0079397Bj
		mov	eax, esi
		jmp	loc_793B03
; 

loc_793677:				; CODE XREF: PAGE:0079364Cj
		mov	ecx, [ebp-48h]
		mov	[ebp-5Ch], ecx
		mov	[ebp-8Ch], ecx
		mov	eax, [ebx+38h]
		mov	[ebp-60h], eax
		mov	[ebp-98h], eax
		mov	edi, [eax+14h]
		mov	[ebp-0B0h], edi
		mov	[ebp-4Ch], edi
		test	edi, edi
		jnz	short loc_7936A4
		and	[ebp-58h], edi
		jmp	short loc_7936E6
; 

loc_7936A4:				; CODE XREF: PAGE:0079369Dj
		mov	edx, edi
		and	edx, 3
		mov	[ebp-6Ch], edx
		mov	eax, edi
		and	eax, 0FFFFFFF8h
		cmp	eax, 8
		jnz	short loc_7936BF
		mov	dword ptr [ebp-58h], 1
		jmp	short loc_7936E3
; 

loc_7936BF:				; CODE XREF: PAGE:007936B4j
		test	edx, edx
		mov	edx, edi
		jz	short loc_7936D9
		and	edx, 0FFFFFFFCh
		xor	eax, eax
		cmp	dword ptr [ebp-6Ch], 1
		setnz	al
		add	eax, 2
		mov	[ebp-58h], eax
		jmp	short loc_7936E0
; 

loc_7936D9:				; CODE XREF: PAGE:007936C3j
		mov	dword ptr [ebp-58h], 4

loc_7936E0:				; CODE XREF: PAGE:007936D7j
		and	edx, 0FFFFFFFBh

loc_7936E3:				; CODE XREF: PAGE:007936BDj
		mov	[ebp-4Ch], edx

loc_7936E6:				; CODE XREF: PAGE:007936A2j
		mov	eax, [ebp-40h]
		shl	eax, 0Ch
		mov	[ebp-9Ch], eax
		mov	[ebp-6Ch], eax
		mov	byte ptr [ebp-4Dh], 1
		mov	edx, [ebp-60h]
		mov	edx, [edx+10h]
		test	edx, edx
		jz	loc_793826
		mov	eax, [edx+14h]
		sub	eax, [edx+18h]
		jz	loc_793826
		cmp	dword ptr [ebp-54h], 2
		jnz	short loc_793724
		mov	eax, [ebp-40h]
		mov	[ebp-84h], eax
		jmp	short loc_79374B
; 

loc_793724:				; CODE XREF: PAGE:00793717j
		mov	eax, [ebx]
		mov	eax, [eax+24h]
		mov	eax, [eax+30h]
		mov	ecx, eax
		and	ecx, 0FFFh
		neg	ecx
		sbb	ecx, ecx
		neg	ecx
		shr	eax, 0Ch
		add	ecx, eax
		mov	[ebp-84h], ecx
		shl	ecx, 0Ch
		mov	[ebp-6Ch], ecx

loc_79374B:				; CODE XREF: PAGE:00793722j
		push	0
		push	100h
		mov	edx, 68496D4Dh
		mov	ecx, [ebp-6Ch]
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		mov	[ebp-5Ch], ecx
		mov	[ebp-0A8h], ecx
		test	ecx, ecx
		jnz	short loc_79377B
		mov	esi, 0C000009Ah
		mov	[ebp-64h], esi
		jmp	loc_793836
; 

loc_79377B:				; CODE XREF: PAGE:0079376Cj
		xor	esi, esi
		mov	[ebp-64h], esi
		mov	[ebp-0ACh], esi
		mov	eax, ecx
		and	[ebp-7Ch], esi

loc_79378B:				; CODE XREF: PAGE:0079380Fj
		mov	[ebp-80h], eax
		mov	edx, [ebp-7Ch]
		cmp	edx, [ebp-84h]
		jnb	short loc_793814
		and	dword ptr [ebp-4], 0
		push	1000h
		shl	edx, 0Ch
		add	edx, [ebp-8Ch]
		push	edx
		push	eax
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-5Ch]
		jmp	short loc_793804
; 

loc_7937C1:				; DATA XREF: .text:006A1E14o
		xor	eax, eax
		inc	eax
		retn
; 

loc_7937C5:				; DATA XREF: .text:006A1E18o
		mov	esp, [ebp-18h]
		mov	edx, 1000h
		mov	ecx, [ebp-80h]
		call	_KeZeroPages	; KiZeroPages(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-0A8h]
		mov	[ebp-5Ch], ecx
		mov	esi, [ebp-0ACh]
		mov	[ebp-64h], esi
		mov	edi, [ebp-0B0h]
		mov	eax, [ebp-98h]
		mov	[ebp-60h], eax
		mov	ebx, [ebp-0B4h]

loc_793804:				; CODE XREF: PAGE:007937BFj
		inc	dword ptr [ebp-7Ch]
		mov	eax, [ebp-80h]
		add	eax, 1000h
		jmp	loc_79378B
; 

loc_793814:				; CODE XREF: PAGE:00793797j
		push	dword ptr [ebp-84h]
		mov	edx, ebx
		call	MiRevertRelocations
		mov	ecx, [ebp-5Ch]
		jmp	short loc_793836
; 

loc_793826:				; CODE XREF: PAGE:00793701j
					; PAGE:0079370Dj
		cmp	dword ptr [ebp-54h], 1
		jnz	short loc_793836
		mov	dword ptr [ebp-54h], 2
		mov	[ebp-5Ch], ecx

loc_793836:				; CODE XREF: PAGE:00793776j
					; PAGE:00793824j ...
		mov	eax, [ebp-54h]
		mov	[ebp-98h], eax
		test	esi, esi
		js	loc_7938D4
		lea	eax, [ebp-0A4h]
		push	eax
		lea	eax, [ebp-4Dh]
		push	eax
		push	dword ptr [ebp+18h]
		push	dword ptr [ebp+14h]
		lea	eax, [ebp-4Ch]
		push	eax
		push	dword ptr [ebp+10h]
		push	dword ptr [ebp-0B8h]
		push	dword ptr [ebp-0BCh]
		lea	eax, [ebp-54h]
		push	eax
		push	dword ptr [ebp-9Ch]
		push	dword ptr [ebp-8Ch]
		push	dword ptr [ebp-6Ch]
		mov	edx, ecx
		mov	ecx, [ebp-88h]
		call	SeValidateImageHeader
		mov	esi, eax
		mov	[ebp-64h], esi
		cmp	esi, 12Dh
		jnz	short loc_7938A8
		mov	ecx, ebx
		call	_MiImageCantMove@4 ; MiImageCantMove(x)
		mov	dword ptr [ebp-78h], 1
		jmp	short loc_7938BD
; 

loc_7938A8:				; CODE XREF: PAGE:00793896j
		cmp	esi, 12Eh
		jnz	short loc_7938B7
		mov	dword ptr [ebp-78h], 1

loc_7938B7:				; CODE XREF: PAGE:007938AEj
		cmp	dword ptr [ebp-78h], 0
		jz	short loc_7938D4

loc_7938BD:				; CODE XREF: PAGE:007938A6j
		test	dword ptr [ebx+1Ch], 40000000h
		jnz	loc_793B15
		xor	edx, edx
		inc	edx
		mov	ecx, ebx
		call	_MiStrongCodeImage@8 ; MiStrongCodeImage(x,x)

loc_7938D4:				; CODE XREF: PAGE:00793841j
					; PAGE:007938BBj
		mov	eax, [ebp-5Ch]
		cmp	eax, [ebp-8Ch]
		jz	short loc_7938EB
		test	eax, eax
		jz	short loc_7938EB
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7938EB:				; CODE XREF: PAGE:007938DDj
					; PAGE:007938E1j
		lea	ecx, [ebp-48h]
		call	MiUnmapImageInSystemSpace
		cmp	dword ptr [ebp-70h], 1
		jnz	short loc_793903
		or	edx, 0FFFFFFFFh
		mov	ecx, ebx
		call	_MiDereferencePerSessionProtos@8 ; MiDereferencePerSessionProtos(x,x)

loc_793903:				; CODE XREF: PAGE:007938F7j
		cmp	dword ptr [ebp-0A0h], 0
		jz	short loc_79392B
		test	ds:_MiFlags, 40000h
		jz	short loc_79391D
		call	_MiFlushEntireTbDueToAttributeChange@0 ; MiFlushEntireTbDueToAttributeChange()

loc_79391D:				; CODE XREF: PAGE:00793916j
		mov	edx, [ebp-74h]
		mov	ecx, [ebp-90h]
		call	_PsRevertToUserPagePriorityThread@8 ; PsRevertToUserPagePriorityThread(x,x)

loc_79392B:				; CODE XREF: PAGE:0079390Aj
		test	esi, esi
		jns	short loc_793980
		cmp	esi, 0C0000023h
		jnz	short loc_793971
		mov	eax, [ebp-98h]
		cmp	eax, [ebp-54h]
		jge	short loc_793971
		xor	ecx, ecx
		inc	ecx
		cmp	dword ptr [ebp-0A0h], 0
		jz	short loc_793959
		mov	[ebp-94h], ecx
		jmp	loc_7935BA
; 

loc_793959:				; CODE XREF: PAGE:0079394Cj
		or	[ebp-68h], ecx
		cmp	[ebp-54h], ecx
		jnz	loc_7935BA
		and	dword ptr [ebp-94h], 0
		jmp	loc_7935BA
; 

loc_793971:				; CODE XREF: PAGE:00793935j
					; PAGE:00793940j
		mov	dword_6CF4F4, 75h
		jmp	loc_793670
; 

loc_793980:				; CODE XREF: PAGE:0079392Dj
		cmp	dword ptr [ebp-58h], 0
		jz	short loc_7939B4
		cmp	dword ptr [ebp-58h], 1
		jnz	short loc_793995
		test	dword ptr [ebp-4Ch], 0FFFFFFF8h
		jnz	short loc_7939B4

loc_793995:				; CODE XREF: PAGE:0079398Aj
		mov	eax, [ebp-58h]
		add	eax, 0FFFFFFFEh
		cmp	eax, 1
		ja	loc_793A52
		mov	eax, edi
		xor	eax, [ebp-4Ch]
		and	eax, 3
		xor	[ebp-4Ch], eax
		jmp	loc_793A52
; 

loc_7939B4:				; CODE XREF: PAGE:00793984j
					; PAGE:00793993j
		mov	ecx, [ebp-4Ch]
		test	ecx, 0FFFFFFF8h
		jz	short loc_7939D8
		cmp	dword ptr [ebp-58h], 0
		jnz	short loc_7939CD
		and	ecx, 0FFFFFFFDh
		or	ecx, 1
		jmp	short loc_7939E1
; 

loc_7939CD:				; CODE XREF: PAGE:007939C3j
		mov	ecx, [ebp-4Ch]
		and	ecx, 0FFFFFFFEh
		or	ecx, 2
		jmp	short loc_7939E1
; 

loc_7939D8:				; CODE XREF: PAGE:007939BDj
		mov	ecx, [ebp-4Ch]
		and	ecx, 7
		or	ecx, 8

loc_7939E1:				; CODE XREF: PAGE:007939CBj
					; PAGE:007939D6j
		mov	[ebp-4Ch], ecx
		mov	eax, [ebx]
		mov	eax, [eax+24h]
		test	byte ptr [eax+1Eh], 80h
		jz	short loc_7939F5
		or	ecx, 4
		mov	[ebp-4Ch], ecx

loc_7939F5:				; CODE XREF: PAGE:007939EDj
		mov	edx, [ebp-60h]
		add	edx, 14h
		mov	[ebp-9Ch], edx
		mov	eax, edi
		lock cmpxchg [edx], ecx
		mov	esi, eax
		cmp	esi, edi
		jz	short loc_793A4F
		mov	edi, edx

loc_793A0F:				; CODE XREF: PAGE:00793A3Bj
		mov	edx, [ebp-4Ch]
		mov	eax, edx
		and	eax, 0FFFFFFF8h
		cmp	eax, 8
		jbe	short loc_793A4C
		mov	eax, esi
		and	eax, 0FFFFFFF8h
		cmp	eax, 8
		jnz	short loc_793A3F
		and	edx, 0FFFFFFFEh
		or	edx, 2
		mov	[ebp-4Ch], edx
		mov	ecx, esi
		mov	eax, esi
		lock cmpxchg [edi], edx
		mov	esi, eax
		cmp	esi, ecx
		jnz	short loc_793A0F
		jmp	short loc_793A4F
; 

loc_793A3F:				; CODE XREF: PAGE:00793A24j
		and	edx, 0FFFFFFF8h
		mov	[ebp-4Ch], edx
		mov	ecx, edx
		call	_SeReleaseImageValidationContext@4 ; SeReleaseImageValidationContext(x)

loc_793A4C:				; CODE XREF: PAGE:00793A1Aj
		mov	[ebp-4Ch], esi

loc_793A4F:				; CODE XREF: PAGE:00793A0Bj
					; PAGE:00793A3Dj
		mov	edi, [ebp-4Ch]

loc_793A52:				; CODE XREF: PAGE:0079399Ej
					; PAGE:007939AFj
		test	byte ptr [ebp-4Ch], 3
		jz	short loc_793AD1
		mov	esi, [ebp-60h]
		test	ds:_MiFlags, 4000h
		jz	short loc_793A8D
		test	dword ptr [ebx+34h], 0C0000h
		jz	short loc_793A8D
		cmp	dword ptr [esi+10h], 0
		jz	short loc_793A8D
		mov	ecx, ebx
		call	_MiCaptureSecureImageBaseAddress@4 ; MiCaptureSecureImageBaseAddress(x)
		test	eax, eax
		jns	short loc_793A8D
		mov	dword_6CF4F4, 76h
		jmp	short loc_793B03
; 

loc_793A8D:				; CODE XREF: PAGE:00793A65j
					; PAGE:00793A6Ej ...
		push	dword ptr [ebp+8]
		push	1
		xor	edx, edx
		mov	ecx, ebx
		call	_MiWalkEntireImage@16 ;	MiWalkEntireImage(x,x,x,x)
		mov	[ebp-64h], eax
		test	eax, eax
		jns	short loc_793AAE
		mov	dword_6CF4F4, 77h
		jmp	short loc_793B03
; 

loc_793AAE:				; CODE XREF: PAGE:00793AA0j
		mov	edx, [ebp-4Ch]
		and	edx, 0FFFFFFFCh
		mov	[ebp-4Ch], edx
		mov	eax, [ebx]
		mov	eax, [eax+24h]
		test	byte ptr [eax+1Eh], 80h
		jz	short loc_793AC8
		or	edx, 4
		mov	[ebp-4Ch], edx

loc_793AC8:				; CODE XREF: PAGE:00793AC0j
		lea	ecx, [esi+14h]
		mov	eax, edi
		lock cmpxchg [ecx], edx

loc_793AD1:				; CODE XREF: PAGE:00793A56j
		mov	esi, [ebx]
		mov	cl, [ebp-0A4h]
		and	cl, 7
		mov	al, [ebp-4Dh]
		shl	al, 3
		or	cl, al
		add	cl, cl
		mov	al, [esi+0Bh]
		and	al, 1
		or	cl, al
		mov	[esi+0Bh], cl
		cmp	dword ptr [ebp-78h], 0
		jz	short loc_793B00
		push	2
		pop	edx
		mov	ecx, ebx
		call	_MiStrongCodeImage@8 ; MiStrongCodeImage(x,x)

loc_793B00:				; CODE XREF: PAGE:00793AF4j
		mov	eax, [ebp-64h]

loc_793B03:				; CODE XREF: PAGE:0079354Ej
					; PAGE:0079358Cj ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_793B15:				; CODE XREF: PAGE:007938C4j
		push	0
		push	esi
		push	dword ptr [ebp-88h]
		push	5150Eh
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeValidateImageHeader proc near		; CODE XREF: PAGE:00793886p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

; FUNCTION CHUNK AT 008DF578 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		cmp	dword_6BEA30, esi
		jz	loc_8DF578
		test	byte ptr [ebp+arg_18], 1
		jnz	short loc_793B97

loc_793B51:				; CODE XREF: SeValidateImageHeader+7Cj
					; SeValidateImageHeader+81j
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		push	[ebp+arg_2C]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	edi
		call	dword_6BEA30
		mov	esi, eax
		test	esi, esi
		js	short loc_793B8F
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jnz	short loc_793BAF

loc_793B8F:				; CODE XREF: SeValidateImageHeader+5Aj
					; SeValidateImageHeader+8Dj ...
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	30h
; 

loc_793B97:				; CODE XREF: SeValidateImageHeader+23j
		push	ebx
		xor	ecx, ecx
		mov	ebx, offset dword_6FBAD0
		xor	eax, eax
		lock cmpxchg [ebx], ecx
		pop	ebx
		test	eax, eax
		jz	short loc_793B51
		lea	esi, [ebp+var_4]
		jmp	short loc_793B51
; 

loc_793BAF:				; CODE XREF: SeValidateImageHeader+61j
		mov	edx, [ebp+var_8]
		call	_SepScheduleImageVerificationCallbacks@8 ; SepScheduleImageVerificationCallbacks(x,x)
		test	eax, eax
		jns	short loc_793B8F
		jmp	loc_8DF582
SeValidateImageHeader endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRevertRelocations proc near		; CODE XREF: PAGE:0079381Cp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DF596 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_14], ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], ebx
		push	edi
		mov	eax, [ebx+38h]
		lea	edi, [ebx+50h]
		mov	eax, [eax+10h]
		mov	ecx, [eax+18h]
		sub	ecx, [eax+14h]
		mov	[ebp+var_10], ecx

loc_793BE7:				; CODE XREF: MiRevertRelocations+A2j
		test	edi, edi
		jz	short loc_793C64
		mov	eax, [edi+24h]
		mov	edx, [edi+1Ch]
		and	eax, 3FFFFFFFh
		sub	edx, eax
		mov	[ebp+var_8], ecx
		mov	ecx, edi
		mov	[ebp+var_4], edx
		call	_MiGetSubsectionDriverProtos@4 ; MiGetSubsectionDriverProtos(x)
		test	eax, eax
		jnz	loc_8DF596
		mov	ecx, [ebp+var_8]

loc_793C10:				; CODE XREF: MiRevertRelocations+14B9E3j
		mov	eax, [ebp+arg_0]
		sub	eax, esi
		cmp	edx, eax
		ja	short loc_793C6B

loc_793C19:				; CODE XREF: MiRevertRelocations+B0j
		test	edx, edx
		jz	short loc_793C4D
		mov	ebx, esi
		shl	ebx, 0Ch
		add	ebx, [ebp+var_14]

loc_793C25:				; CODE XREF: MiRevertRelocations+88j
		mov	edx, [ebp+var_C]
		push	3
		push	0
		push	ecx
		push	esi
		mov	ecx, ebx
		call	MiPerformFixups
		inc	esi
		add	ebx, 1000h
		cmp	esi, [ebp+arg_0]
		jnb	short loc_793C64
		sub	[ebp+var_4], 1
		mov	ecx, [ebp+var_8]
		jnz	short loc_793C25
		mov	ebx, [ebp+var_C]

loc_793C4D:				; CODE XREF: MiRevertRelocations+5Bj
		mov	eax, [edi+24h]
		and	eax, 3FFFFFFFh
		add	esi, eax
		cmp	esi, [ebp+arg_0]
		jnb	short loc_793C64
		mov	edi, [edi+8]
		mov	ecx, [ebp+var_10]
		jmp	short loc_793BE7
; 

loc_793C64:				; CODE XREF: MiRevertRelocations+29j
					; MiRevertRelocations+7Fj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_793C6B:				; CODE XREF: MiRevertRelocations+57j
		mov	edx, eax
		mov	[ebp+var_4], eax
		jmp	short loc_793C19
MiRevertRelocations endp

; 
		align 8
; Exported entry 1452. MmPageEntireDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmPageEntireDriver(x)
		public _MmPageEntireDriver@4
_MmPageEntireDriver@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	short loc_793CFC
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_793CFC
		test	ds:byte_7051AC,	1
		mov	edi, [ebx+18h]
		mov	[ebp+arg_0], edi
		jnz	short loc_793CF8
		mov	ecx, esi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jz	short loc_793CF8
		mov	ecx, esi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	short loc_793CF8
		call	KeFlushQueuedDpcs
		mov	ecx, edi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, [ebx+20h]
		mov	edi, eax
		shr	ecx, 0Ch
		dec	ecx
		lea	esi, [edi+ecx*8]
		mov	ecx, ebx
		call	_MiCancelPhase0Locking@4 ; MiCancelPhase0Locking(x)
		push	esi
		mov	edx, edi
		mov	ecx, ebx
		call	MiSetPagingOfDriver
		mov	eax, [ebp+arg_0]

loc_793CF1:				; CODE XREF: MmPageEntireDriver(x)+82j
					; MmPageEntireDriver(x)+86j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_793CF8:				; CODE XREF: MmPageEntireDriver(x)+33j
					; MmPageEntireDriver(x)+3Fj ...
		mov	eax, edi
		jmp	short loc_793CF1
; 

loc_793CFC:				; CODE XREF: MmPageEntireDriver(x)+14j
					; MmPageEntireDriver(x)+24j
		xor	eax, eax
		jmp	short loc_793CF1
_MmPageEntireDriver@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1385. MmChangeImageProtection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmChangeImageProtection(x, x, x, x)
		public _MmChangeImageProtection@16
_MmChangeImageProtection@16 proc near

var_28		= dword	ptr -28h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		cmp	[ebp+arg_C], 1
		push	ebx
		push	esi
		push	edi
		jz	short loc_793D24
		cmp	[ebp+arg_C], 2
		jnz	loc_793FB1

loc_793D24:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+12j
		mov	edi, [ebp+arg_0]
		mov	al, [edi+6]
		and	al, 7
		cmp	al, 2
		jnz	loc_793FB1
		xor	ebx, ebx
		cmp	[edi+18h], ebx
		jnz	loc_793FB1
		mov	eax, [edi+14h]
		test	eax, 0FFFh
		jnz	loc_793FB1
		shr	eax, 0Ch
		mov	[esp+20h+var_10], eax
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	[esp+20h+var_8], eax
		dec	word ptr [eax+13Ch]
		nop
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [edi+10h]
		xor	edx, edx
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		mov	edx, eax
		mov	[esp+20h+var_14], edx
		test	edx, edx
		jz	short loc_793E06
		mov	ecx, [edx+18h]
		mov	esi, [edx+20h]
		mov	eax, [edi+14h]
		add	esi, ecx
		add	eax, [edi+10h]
		mov	[esp+20h+var_4], ecx
		cmp	eax, esi
		ja	short loc_793DFF
		cmp	[ebp+arg_4], ecx
		jb	short loc_793DFF
		mov	eax, [ebp+arg_4]
		add	eax, [ebp+arg_8]
		cmp	eax, esi
		ja	short loc_793DFF
		dec	eax
		cmp	eax, [ebp+arg_4]
		jb	short loc_793DFF
		mov	eax, [edx+34h]
		mov	esi, 80000h
		test	eax, esi
		jz	short loc_793DCB
		mov	esi, 0C0000043h
		jmp	short loc_793E0B
; 

loc_793DCB:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+BCj
		or	eax, esi
		mov	esi, ebx
		mov	[edx+34h], eax
		mov	[esp+20h+var_C], esi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jz	short loc_793DF4
		mov	ecx, [esp+20h+var_4]
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	short loc_793DF4
		inc	word ptr [edx+38h]
		jmp	short loc_793E0F
; 

loc_793DF4:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+D8j
					; MmChangeImageProtection(x,x,x,x)+E6j
		mov	ecx, [esp+20h+var_4]
		call	_MiSessionReferenceImage@4 ; MiSessionReferenceImage(x)
		jmp	short loc_793E0F
; 

loc_793DFF:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+9Bj
					; MmChangeImageProtection(x,x,x,x)+A0j	...
		mov	esi, 0C0000018h
		jmp	short loc_793E0B
; 

loc_793E06:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+85j
		mov	esi, 0C0000225h

loc_793E0B:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+C3j
					; MmChangeImageProtection(x,x,x,x)+FEj
		mov	[esp+20h+var_C], esi

loc_793E0F:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+ECj
					; MmChangeImageProtection(x,x,x,x)+F7j
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, [esp+20h+var_8]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, [esp+20h+var_8]
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		test	esi, esi
		js	loc_793FA2
		mov	ecx, [esp+20h+var_14]
		mov	ecx, [ecx+18h]
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jz	short loc_793E4D

loc_793E43:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+165j
		mov	esi, 0C0000018h
		jmp	loc_793F56
; 

loc_793E4D:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+13Bj
		mov	eax, ebx
		mov	[esp+20h+var_4], ebx
		cmp	[esp+20h+var_10], eax
		jbe	short loc_793E88

loc_793E59:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+180j
		imul	ecx, [edi+eax*4+1Ch], 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MI_PFN_IS_PROTO@4 ; MI_PFN_IS_PROTO(x)
		test	eax, eax
		jnz	short loc_793E43
		push	ebx
		xor	edx, edx
		call	_MiGetPagePrivilege@12 ; MiGetPagePrivilege(x,x,x)
		test	al, 40h
		jnz	short loc_793EC8
		mov	eax, [esp+20h+var_4]
		inc	eax
		mov	[esp+20h+var_4], eax
		cmp	eax, [esp+20h+var_10]
		jb	short loc_793E59

loc_793E88:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+151j
		mov	edx, [edi+10h]
		mov	ecx, [esp+20h+var_14]
		push	1
		push	dword ptr [edi+14h]
		call	_MiSetImageProtection@16 ; MiSetImageProtection(x,x,x,x)
		cmp	[ebp+arg_C], 1
		jnz	loc_793F27
		mov	edx, [esp+20h+var_14]
		mov	ecx, [edx+3Ch]
		test	ecx, ecx
		jz	short loc_793ED2
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	eax, [eax+38h]
		mov	eax, [eax+14h]
		mov	ecx, eax
		and	ecx, 0FFFFFFF8h
		cmp	ecx, 8
		jbe	short loc_793ED2
		and	eax, 0FFFFFFF8h
		jmp	short loc_793ED4
; 

loc_793EC8:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+171j
		mov	esi, 0C0000045h
		jmp	loc_793F56
; 

loc_793ED2:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+1A6j
					; MmChangeImageProtection(x,x,x,x)+1BBj
		mov	eax, ebx

loc_793ED4:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+1C0j
		mov	esi, dword_6BEA68
		test	esi, esi
		jnz	short loc_793EE5
		mov	esi, 0C0000002h
		jmp	short loc_793F56
; 

loc_793EE5:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+1D6j
		mov	ecx, [ebp+arg_4]
		sub	ecx, [edx+18h]
		push	ecx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	edi
		push	eax
		call	esi
		mov	esi, eax
		test	esi, esi
		js	short loc_793F56
		test	byte ptr ds:_MiFlags+2,	1
		push	3
		pop	eax
		jz	short loc_793F13
		cmp	esi, 12Ch
		jnz	short loc_793F13
		push	13h
		pop	eax

loc_793F13:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+200j
					; MmChangeImageProtection(x,x,x,x)+208j
		mov	edx, [edi+10h]
		mov	ecx, [esp+34h+var_28]
		push	eax
		push	dword ptr [edi+14h]
		call	_MiSetImageProtection@16 ; MiSetImageProtection(x,x,x,x)
		mov	esi, ebx
		jmp	short loc_793F56
; 

loc_793F27:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+197j
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_793F56
		cmp	[esp+20h+var_10], ebx
		jbe	short loc_793F56
		mov	esi, [esp+20h+var_10]

loc_793F3A:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+24Aj
		imul	ecx, [edi+ebx*4+1Ch], 1Ch
		push	18h
		pop	edx
		add	ecx, ds:_MmPfnDatabase
		call	MiClearPfnImageVerified
		inc	ebx
		cmp	ebx, esi
		jb	short loc_793F3A
		mov	esi, [esp+20h+var_C]

loc_793F56:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+142j
					; MmChangeImageProtection(x,x,x,x)+1C7j ...
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	edi, [esp+20h+var_8]
		dec	word ptr [edi+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceExclusiveLite
		mov	ebx, [esp+20h+var_14]
		mov	ecx, offset _PsLoadedModuleResource
		and	dword ptr [ebx+34h], 0FFF7FFFFh
		call	ExReleaseResourceLite
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, ebx
		call	MiUnloadSystemImage
		mov	ecx, edi
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		jmp	short loc_793FA6
; 

loc_793FA2:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+127j
		mov	edi, [esp+20h+var_8]

loc_793FA6:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+29Aj
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		jmp	short loc_793FB6
; 

loc_793FB1:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+18j
					; MmChangeImageProtection(x,x,x,x)+28j	...
		mov	eax, 0C000000Dh

loc_793FB6:				; CODE XREF: MmChangeImageProtection(x,x,x,x)+2A9j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_MmChangeImageProtection@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MmReleaseLoadLock(x)
_MmReleaseLoadLock@4 proc near		; CODE XREF: MiShutdownSystem()+14Bp
					; MmChangeImageProtection(x,x,x,x)+120p ...
		sub	dword_6CF550, 1
		push	esi
		mov	esi, ecx
		jnz	short loc_793FFF
		or	dword_6CF54C, 1
		or	eax, 0FFFFFFFFh
		push	edi
		mov	edi, offset dword_6CF548
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_793FF6

loc_793FE6:				; CODE XREF: MmReleaseLoadLock(x)+3Dj
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		mov	ecx, esi
		pop	esi
		jmp	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
; 

loc_793FF6:				; CODE XREF: MmReleaseLoadLock(x)+24j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_793FE6
; 

loc_793FFF:				; CODE XREF: MmReleaseLoadLock(x)+Aj
		pop	esi
		retn
_MmReleaseLoadLock@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MmAcquireLoadLock()
_MmAcquireLoadLock@0 proc near		; CODE XREF: MiShutdownSystem()+C4p
					; MmChangeImageProtection(x,x,x,x)+4Ep	...
		mov	edi, edi
		push	esi
		mov	esi, large fs:124h
		cmp	esi, dword_6CF54C
		jz	short loc_79403C
		dec	word ptr [esi+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6CF548
		call	ExAcquirePushLockExclusiveEx
		mov	dword_6CF54C, esi
		mov	dword_6CF550, 1

loc_794038:				; CODE XREF: MmAcquireLoadLock()+40j
		mov	eax, esi
		pop	esi
		retn
; 

loc_79403C:				; CODE XREF: MmAcquireLoadLock()+10j
		inc	dword_6CF550
		jmp	short loc_794038
_MmAcquireLoadLock@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnloadSystemImage proc near		; CODE XREF: MmChangeImageProtection(x,x,x,x)+28Ep
					; MmLoadSystemImageEx(x,x,x,x,x,x)+59Cp ...

var_C6		= byte ptr -0C6h
var_C5		= byte ptr -0C5h
var_C4		= dword	ptr -0C4h
var_BE		= byte ptr -0BEh
var_BD		= byte ptr -0BDh
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_58		= dword	ptr -58h

; FUNCTION CHUNK AT 008DF5A8 SIZE 000003B3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0C4h
		and	[esp+0C4h+var_80], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+0D0h+var_7C]
		mov	[esp+0D0h+var_B8], edx
		stosd
		mov	ebx, ecx
		push	54h		; size_t
		push	0		; int
		stosd
		stosd
		lea	eax, [esp+0D8h+var_58]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [esp+0D0h+var_70]
		xor	eax, eax
		cmp	dword ptr [ebx+4Ch], 1
		push	6
		pop	ecx
		rep stosd
		jz	short loc_794106
		mov	eax, [esp+0D0h+var_B8]
		lea	ecx, [ebx+5Ch]
		mov	edi, [ebx+18h]
		and	al, 4
		movzx	eax, al
		neg	eax
		mov	[esp+0D0h+var_BC], edi
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, edi
		mov	[esp+0D0h+var_98], eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, [ebx+20h]
		xor	esi, esi
		mov	[esp+0D0h+var_9C], eax
		mov	eax, [ebx+3Ch]
		mov	[esp+0D0h+var_A4], eax
		mov	eax, ecx
		shr	eax, 0Ch
		mov	[esp+0D0h+var_A8], eax
		call	_MiBytesToMapSystemImage@4 ; MiBytesToMapSystemImage(x)
		shr	eax, 0Ch
		mov	ecx, edi
		mov	[esp+0D0h+var_84], eax
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	short loc_79410D
		cmp	eax, 1
		jz	short loc_79410D
		xor	eax, eax
		inc	eax
		mov	[esp+0D0h+var_A0], eax

loc_7940EF:				; CODE XREF: MiUnloadSystemImage+1F3j
		mov	ecx, 0FFFFh
		add	[ebx+38h], cx
		jz	loc_79423C
		test	eax, eax
		jz	loc_7944A2

loc_794106:				; CODE XREF: MiUnloadSystemImage+48j
					; MiUnloadSystemImage+DEj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_79410D:				; CODE XREF: MiUnloadSystemImage+9Dj
					; MiUnloadSystemImage+A2j
		and	[esp+0D0h+var_A0], esi
		lea	edx, [esp+0D0h+var_7C]
		mov	ecx, ebx
		call	MiSessionRemoveImage
		mov	[esp+0D0h+var_B0], eax
		test	eax, eax
		jz	short loc_794106
		mov	ecx, [esp+0D0h+var_A4]
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	ecx, eax
		xor	eax, eax
		mov	[esp+0D0h+var_B4], ecx
		cmp	[ebx], eax
		jz	short loc_794142
		cmp	[ebx+48h], eax
		jnz	loc_8DF5A8

loc_794142:				; CODE XREF: MiUnloadSystemImage+F3j
					; MiUnloadSystemImage+14B6D1j
		mov	eax, large fs:124h
		mov	esi, [esp+0D0h+var_B8]
		mov	eax, [eax+80h]
		mov	edi, [eax+180h]
		and	esi, 1
		jz	short loc_79417A
		call	_MiGetSessionVm@0 ; MiGetSessionVm()
		lea	edx, [esp+0CCh+var_6C]
		push	edx
		push	3
		push	[esp+0D4h+var_A4]
		mov	edx, ecx
		mov	ecx, eax
		push	[esp+0D8h+var_98]
		call	_MiDeleteSystemPagableVm@24 ; MiDeleteSystemPagableVm(x,x,x,x,x,x)

loc_79417A:				; CODE XREF: MiUnloadSystemImage+117j
		mov	ecx, [esp+0CCh+var_AC]
		call	MiReleaseSessionDriverCharges
		test	esi, esi
		jz	short loc_7941E7
		mov	esi, [esp+0CCh+var_B0]
		test	dword ptr [esi+1Ch], 4000000h
		jnz	loc_8DF71A

loc_794198:				; CODE XREF: MiUnloadSystemImage+14B6F1j
		mov	edx, [esp+0CCh+var_B8]
		mov	ecx, edx
		call	_MiGetPdeAddress@4 ; MiGetPdeAddress(x)
		mov	ecx, [esp+0CCh+var_78]
		mov	esi, eax
		test	ecx, ecx
		jz	loc_7944FF
		inc	ecx

loc_7941B2:				; CODE XREF: MiUnloadSystemImage+4BDj
		test	ecx, ecx
		jz	short loc_7941C3
		call	_MiGetPdeAddress@4 ; MiGetPdeAddress(x)
		cmp	eax, esi
		jz	loc_794506

loc_7941C3:				; CODE XREF: MiUnloadSystemImage+170j
					; MiUnloadSystemImage+4C5j
		lea	ecx, [edx-1]
		add	ecx, [ebx+20h]
		call	_MiGetPdeAddress@4 ; MiGetPdeAddress(x)
		mov	ecx, [esp+0CCh+var_74]
		mov	edx, eax
		test	ecx, ecx
		jnz	loc_8DF73A

loc_7941DC:				; CODE XREF: MiUnloadSystemImage+14B6FDj
					; MiUnloadSystemImage+14B706j
		cmp	edx, esi
		jb	short loc_7941E7
		mov	ecx, esi
		call	_MiDeleteSessionPdes@8 ; MiDeleteSessionPdes(x,x)

loc_7941E7:				; CODE XREF: MiUnloadSystemImage+141j
					; MiUnloadSystemImage+19Aj
		mov	esi, [esp+0CCh+var_70]
		test	esi, esi
		jz	short loc_794208
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		sub	edx, [esp+0CCh+var_68]
		call	MiReturnCommit
		neg	esi
		lea	eax, [edi+20h]
		lock xadd [eax], esi

loc_794208:				; CODE XREF: MiUnloadSystemImage+1A9j
		test	byte ptr [esp+0CCh+var_B4], 10h
		mov	esi, [esp+0CCh+var_AC]
		jz	short loc_794223
		mov	ecx, [esi+30h]
		call	MiDereferenceImports
		mov	ecx, [esi+30h]
		call	_MiFreeLoadedImportList@4 ; MiFreeLoadedImportList(x)

loc_794223:				; CODE XREF: MiUnloadSystemImage+1CDj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [esp+0CCh+var_B8]
		mov	esi, [esp+0CCh+var_B0]
		mov	eax, [esp+0CCh+var_9C]
		jmp	loc_7940EF
; 

loc_79423C:				; CODE XREF: MiUnloadSystemImage+B4j
		test	eax, eax
		jz	loc_79450E

loc_794244:				; CODE XREF: MiUnloadSystemImage+4D1j
		mov	eax, [esp+0D0h+var_B8]
		test	al, 2
		jz	short loc_79425E
		mov	ecx, ebx
		call	VfDriverUnloadImage
		mov	ecx, ebx
		call	KseDriverUnloadImage
		mov	eax, [esp+0D0h+var_B8]

loc_79425E:				; CODE XREF: MiUnloadSystemImage+206j
		mov	esi, [esp+0D0h+var_A0]
		neg	esi
		sbb	esi, esi
		and	esi, [esp+0D0h+var_A8]
		mov	[esp+0D0h+var_B0], esi
		test	al, 10h
		jz	short loc_79427A
		mov	ecx, [ebx+4Ch]
		call	MiDereferenceImports

loc_79427A:				; CODE XREF: MiUnloadSystemImage+22Cj
		mov	ecx, [ebx+4Ch]
		call	_MiFreeLoadedImportList@4 ; MiFreeLoadedImportList(x)
		mov	ecx, edi
		mov	dword ptr [ebx+4Ch], 1
		call	_LdrUnloadAlternateResourceModule@4 ; LdrUnloadAlternateResourceModule(x)
		test	dword ptr [ebx+34h], 100000h
		jz	short loc_7942A5
		push	0FFFFFFFFh
		lea	ecx, [ebx+2Ch]
		mov	edx, edi
		call	_DbgUnLoadImageSymbolsUnicode@12 ; DbgUnLoadImageSymbolsUnicode(x,x,x)

loc_7942A5:				; CODE XREF: MiUnloadSystemImage+253j
		cmp	dword ptr [ebx], 0
		jz	short loc_7942B8
		test	esi, esi
		jz	short loc_7942B8
		cmp	dword ptr [ebx+48h], 0
		jnz	loc_8DF74F

loc_7942B8:				; CODE XREF: MiUnloadSystemImage+264j
					; MiUnloadSystemImage+268j ...
		mov	eax, [esp+0D0h+var_B8]
		mov	[esp+0D0h+var_BD], 0
		mov	[esp+0D0h+var_BE], 0
		test	esi, esi
		jz	loc_79451A
		test	al, 1
		jz	loc_79451A
		mov	eax, [esp+0D0h+var_84]
		lea	ecx, [ebx+2Ch]
		shl	eax, 0Ch
		mov	edx, edi
		push	eax
		call	MiRememberUnloadedDriver
		mov	eax, [esp+0D0h+var_A4]
		xor	edi, edi
		mov	[esp+0D0h+var_A8], edi
		test	eax, eax
		jz	short loc_79431B
		mov	ecx, eax
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		cmp	dword ptr [ebx], 0
		mov	edi, eax
		mov	[esp+0D0h+var_A8], edi
		jz	short loc_79431B
		mov	edx, [esp+0D0h+var_98]
		lea	ecx, [esp+0D0h+var_58]
		push	4
		mov	[esp+0D4h+var_58], edi
		call	MiManageSubsectionView

loc_79431B:				; CODE XREF: MiUnloadSystemImage+2B0j
					; MiUnloadSystemImage+2C2j
		xor	ecx, ecx
		inc	ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	ecx, [esp+0D0h+var_BC]
		mov	[esp+0D0h+var_B0], eax
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	loc_8DF8FB
		cmp	[esp+0D0h+var_98], eax
		jz	short loc_794345
		mov	ecx, ebx
		call	_MiUnlockDriverCode@4 ;	MiUnlockDriverCode(x)

loc_794345:				; CODE XREF: MiUnloadSystemImage+2F8j
		mov	ecx, [esp+0D0h+var_B0]
		lea	eax, [esp+0D0h+var_70]
		push	eax
		push	5
		push	esi
		push	[esp+0DCh+var_9C]
		mov	edx, edi
		mov	dword_6CF578, ebx
		call	_MiDeleteSystemPagableVm@24 ; MiDeleteSystemPagableVm(x,x,x,x,x,x)
		mov	ecx, [esp+0D0h+var_A8]
		mov	eax, [esp+0D0h+var_64]
		mov	edi, [esp+0D0h+var_70]
		mov	[esp+0D0h+var_AC], eax
		test	ecx, ecx
		jz	short loc_794387
		push	0FFFFFFFFh
		push	4
		lea	edx, [esp+0D8h+var_80]
		call	_MiWalkEntireImage@16 ;	MiWalkEntireImage(x,x,x,x)
		mov	eax, [esp+0D8h+var_B4]

loc_794387:				; CODE XREF: MiUnloadSystemImage+330j
		and	dword_6CF578, 0
		sub	edi, eax
		mov	eax, offset unk_6CF598
		lock xadd [eax], edi
		cmp	[esp+0D8h+var_AC], 0
		jz	loc_7944B9

loc_7943A4:				; CODE XREF: MiUnloadSystemImage+4A2j
		mov	esi, [esp+0D8h+var_C4]

loc_7943A8:				; CODE XREF: MiUnloadSystemImage+14B8F5j
		mov	eax, [esp+18h]

loc_7943AC:				; CODE XREF: MiUnloadSystemImage+4DAj
		cmp	[esp+0D8h+var_A8], 1
		jnz	short loc_7943C2
		test	al, 1
		jz	short loc_7943C2
		lea	edx, [esp+0D8h+var_78]
		mov	ecx, ebx
		call	MiReturnSystemImageCommitment

loc_7943C2:				; CODE XREF: MiUnloadSystemImage+36Dj
					; MiUnloadSystemImage+371j
		cmp	dword ptr [ebx], 0
		jz	short loc_7943FF
		xor	edx, edx
		mov	ecx, ebx
		call	_MiProcessLoaderEntry@8	; MiProcessLoaderEntry(x,x)
		test	byte ptr ds:_PerfGlobalGroupMask, 4
		jz	short loc_7943FF
		movzx	ecx, word ptr [ebx+3Ah]
		xor	edx, edx
		mov	eax, ecx
		and	ecx, 0Fh
		push	0
		shr	eax, 4
		and	eax, 7
		push	eax
		push	ecx
		push	dword ptr [ebx+40h]
		lea	ecx, [ebx+24h]
		push	dword ptr [ebx+20h]
		push	esi
		push	0
		call	PerfLogImageUnload

loc_7943FF:				; CODE XREF: MiUnloadSystemImage+381j
					; MiUnloadSystemImage+393j
		cmp	[esp+0D8h+var_C6], 0
		jnz	loc_7944EB

loc_79440A:				; CODE XREF: MiUnloadSystemImage+4B6j
		mov	eax, [ebx+28h]
		test	eax, eax
		jz	short loc_794419
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_794419:				; CODE XREF: MiUnloadSystemImage+3CBj
		mov	esi, [esp+0D8h+var_AC]
		test	esi, esi
		jz	short loc_794495
		mov	eax, [esp+0D8h+var_A0]
		test	eax, eax
		jz	short loc_79443A
		mov	edx, [eax+20h]
		test	edx, edx
		jz	short loc_79443A
		mov	ecx, offset _MiSystemPartition
		call	_MiReturnResident@8 ; MiReturnResident(x,x)

loc_79443A:				; CODE XREF: MiUnloadSystemImage+3E3j
					; MiUnloadSystemImage+3EAj
		mov	ecx, esi
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		cmp	[esp+0D8h+var_C5], 0
		mov	edi, eax
		jnz	short loc_79446F
		mov	esi, [edi]
		mov	eax, [esp+0D8h+var_C4]
		cmp	eax, [esi+18h]
		jz	short loc_79446B
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	MiFreePrivateFixupEntryForSystemImage
		mov	edx, [ebx+20h]
		mov	ecx, [esp+0D8h+var_C4]
		call	_MiReturnSystemImageAddress@8 ;	MiReturnSystemImageAddress(x,x)

loc_79446B:				; CODE XREF: MiUnloadSystemImage+40Fj
		mov	esi, [esp+0D8h+var_AC]

loc_79446F:				; CODE XREF: MiUnloadSystemImage+404j
		mov	eax, [esp+0D8h+var_A0]
		test	eax, eax
		jz	short loc_794488
		cmp	[esp+0D8h+var_A8], 0
		jz	short loc_794488
		test	byte ptr [eax+14h], 80h
		jnz	loc_8DF94F

loc_794488:				; CODE XREF: MiUnloadSystemImage+431j
					; MiUnloadSystemImage+438j ...
		mov	ecx, edi
		call	_MiDereferenceControlArea@4 ; MiDereferenceControlArea(x)
		push	esi
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)

loc_794495:				; CODE XREF: MiUnloadSystemImage+3DBj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_794106
; 

loc_7944A2:				; CODE XREF: MiUnloadSystemImage+BCj
		test	byte ptr [esp+0D0h+var_B8], 2
		jz	loc_794106
		mov	ecx, ebx
		call	VfDriverUnloadImage
		jmp	loc_794106	; struct _exception *
; 

loc_7944B9:				; CODE XREF: MiUnloadSystemImage+35Aj
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		test	eax, eax
		jnz	short loc_7944E1
		mov	eax, [esp+0D8h+var_A4]
		mov	ecx, [esp+0D8h+var_B8]
		lea	edx, [eax+esi*8]
		shl	edx, 9
		call	_MiVaToSoftwareWsle@8 ;	MiVaToSoftwareWsle(x,x)
		mov	ecx, [esp+0D8h+var_8C]
		sub	ecx, esi
		jnz	loc_8DF93E

loc_7944E1:				; CODE XREF: MiUnloadSystemImage+47Cj
					; MiUnloadSystemImage+14B906j
		mov	[esp+0D8h+var_C6], 1
		jmp	loc_7943A4
; 

loc_7944EB:				; CODE XREF: MiUnloadSystemImage+3C0j
		push	[esp+0D8h+var_8C]
		mov	edx, [esp+0DCh+var_A4]
		xor	ecx, ecx
		call	MiReleaseDriverPtes
		jmp	loc_79440A
; 

loc_7944FF:				; CODE XREF: MiUnloadSystemImage+167j
		xor	ecx, ecx
		jmp	loc_7941B2
; 

loc_794506:				; CODE XREF: MiUnloadSystemImage+179j
		add	esi, 8
		jmp	loc_7941C3
; 

loc_79450E:				; CODE XREF: MiUnloadSystemImage+1FAj
		mov	ecx, esi
		call	MiDeleteSessionDriverProtos
		jmp	loc_794244
; 

loc_79451A:				; CODE XREF: MiUnloadSystemImage+284j
					; MiUnloadSystemImage+28Cj
		mov	esi, [esp+0D0h+var_BC]
		jmp	loc_7943AC
MiUnloadSystemImage endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiBytesToMapSystemImage(x)
_MiBytesToMapSystemImage@4 proc	near	; CODE XREF: MiSessionInsertImage+8Bp
					; MiSelectImageBase+156p ...
		lea	eax, [ecx+0FFFh]
		and	eax, 0FFFFF000h
		cmp	eax, ecx
		jb	short loc_794546
		mov	edx, dword_6CF51C
		add	edx, 3
		and	edx, 0FFFFFFFCh
		add	eax, edx
		cmp	eax, ecx
		jb	short loc_794546
		retn
; 

loc_794546:				; CODE XREF: MiBytesToMapSystemImage(x)+Dj
					; MiBytesToMapSystemImage(x)+1Fj
		xor	eax, eax
		retn
_MiBytesToMapSystemImage@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiCancelPhase0Locking(x)
_MiCancelPhase0Locking@4 proc near	; CODE XREF: MmResetDriverPaging(x)+2Fp
					; MmPageEntireDriver(x)+67p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, 400000h
		push	edi
		test	[esi+34h], ebx
		jnz	short loc_79455F
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_79455F:				; CODE XREF: MiCancelPhase0Locking(x)+Fj
		mov	edi, large fs:124h
		dec	word ptr [edi+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceExclusiveLite
		test	[esi+34h], ebx
		jz	short loc_79458F
		xor	edx, edx
		mov	ecx, esi
		call	_MiLockPagableSections@8 ; MiLockPagableSections(x,x)
		and	dword ptr [esi+34h], 0FFBFFFFFh

loc_79458F:				; CODE XREF: MiCancelPhase0Locking(x)+33j
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
_MiCancelPhase0Locking@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiImagePagable(x, x)
_MiImagePagable@8 proc near		; CODE XREF: MmResetDriverPaging(x)+13p
					; MiEnablePagingOfDriver(x)+16p ...
		mov	edi, edi
		push	ecx
		test	ds:byte_7051AC,	1
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jnz	short loc_7945EF
		mov	ecx, esi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	short loc_7945EF
		test	edi, edi
		jnz	short loc_7945D1
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		mov	edi, eax

loc_7945D1:				; CODE XREF: MiImagePagable(x,x)+1Fj
		mov	ecx, esi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jz	short loc_7945EF
		mov	ecx, esi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	short loc_7945EF
		mov	eax, edi

loc_7945EB:				; CODE XREF: MiImagePagable(x,x)+4Dj
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_7945EF:				; CODE XREF: MiImagePagable(x,x)+10j
					; MiImagePagable(x,x)+1Bj ...
		xor	eax, eax
		jmp	short loc_7945EB
_MiImagePagable@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SeReleaseImageValidationContext(x)
_SeReleaseImageValidationContext@4 proc	near ; CODE XREF: MiDeleteImageSecurity(x)+14j
					; PAGE:00793A47p
		mov	eax, dword_6BEA54
		test	eax, eax
		jnz	short loc_794605
		push	eax
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
; 

loc_794605:				; CODE XREF: SeReleaseImageValidationContext(x)+7j
		push	ecx
		call	eax
		retn
_SeReleaseImageValidationContext@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopGetSessionId()
_PopGetSessionId@0 proc	near		; CODE XREF: PopPowerSourceChangeCallback:loc_5F49C7p
					; NtPowerInformation+CF2p ...
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		retn
_PopGetSessionId@0 endp


;  S U B	R O U T	I N E 


; __stdcall PnpBusTypeGuidGet(x, x)
_PnpBusTypeGuidGet@8 proc near		; CODE XREF: IoGetDeviceProperty+2A5p
		mov	edi, edi
		push	ebx
		push	esi
		mov	si, cx
		mov	ebx, offset _PnpBusTypeGuidLock
		push	edi
		mov	ecx, ebx
		mov	edi, edx
		call	ExAcquireFastMutex
		movzx	esi, si
		cmp	esi, _PnpBusTypeGuidCount
		jnb	short loc_794659
		shl	esi, 4
		add	esi, _PnpBusTypeGuidArray
		movsd
		movsd
		movsd
		movsd
		xor	esi, esi

loc_79464C:				; CODE XREF: PnpBusTypeGuidGet(x,x)+42j
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_794659:				; CODE XREF: PnpBusTypeGuidGet(x,x)+1Fj
		mov	esi, 0C0000034h
		jmp	short loc_79464C
_PnpBusTypeGuidGet@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExLockUserBuffer proc near		; CODE XREF: ExpGetLookasideInformation(x,x,x)+43p
					; ExGetSessionPoolTagInformation+71p ...

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DF95B SIZE 00000011 BYTES

		push	10h
		push	offset dword_6A1E20
		call	__SEH_prolog4
		mov	ebx, edx
		mov	edi, ecx
		mov	eax, [ebp+arg_8]
		and	dword ptr [eax], 0
		mov	eax, [ebp+arg_C]
		and	dword ptr [eax], 0
		push	ebx
		push	edi
		call	_MmSizeOfMdl@8	; MmSizeOfMdl(x,x)
		push	6F666E49h
		push	eax
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jz	loc_8DF962
		and	dword ptr [esi], 0
		mov	ecx, edi
		and	ecx, 0FFFh
		lea	eax, [ebx+0FFFh]
		add	eax, ecx
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[esi+4], ax
		xor	eax, eax
		mov	[esi+6], ax
		and	edi, 0FFFFF000h
		mov	[esi+10h], edi
		mov	[esi+18h], ecx
		mov	[esi+14h], ebx
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	esi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 2000h
		or	[esi+6], ax
		mov	ax, [esi+6]
		test	al, 5
		jnz	short loc_794735
		push	40000020h
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	esi
		call	MmMapLockedPagesSpecifyCache

loc_79470F:				; CODE XREF: ExLockUserBuffer+D8j
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		test	eax, eax
		jz	loc_8DF95B
		mov	eax, [ebp+arg_C]
		mov	[eax], esi
		xor	eax, eax

loc_794723:				; CODE XREF: ExLockUserBuffer+14B307j
					; sub_8DF97A+17j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_794735:				; CODE XREF: ExLockUserBuffer+9Dj
		mov	eax, [esi+0Ch]
		jmp	short loc_79470F
ExLockUserBuffer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsThawProcess	proc near		; CODE XREF: PspChangeProcessExecutionState:loc_7552DBp
					; DbgkpSendErrorMessage+305p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008DF996 SIZE 00000028 BYTES

		push	18h
		push	offset dword_6A1E40
		call	__SEH_prolog4
		mov	[ebp+var_1C], dl
		mov	esi, ecx
		mov	[ebp+var_28], esi
		mov	eax, large fs:124h
		mov	[ebp+var_20], eax
		test	dl, dl
		jz	loc_794819
		cmp	dword ptr [esi+154h], 0
		jnz	loc_794867

loc_79476C:				; CODE XREF: PsThawProcess+134j
					; PsThawProcess+151j
		xor	ebx, ebx
		and	[ebp+var_24], ebx
		mov	eax, [ebp+var_20]
		dec	word ptr [eax+13Ch]
		nop
		lea	edi, [esi+0E0h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+3C8h]
		or	eax, [esi+3CCh]
		jz	short loc_7947CD
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	ebx, eax
		mov	eax, edx
		sub	ebx, [esi+3C8h]
		sbb	eax, [esi+3CCh]
		mov	[ebp+var_24], eax
		and	dword ptr [esi+3C8h], 0
		and	dword ptr [esi+3CCh], 0
		add	[esi+400h], ebx
		adc	[esi+404h], eax

loc_7947CD:				; CODE XREF: PsThawProcess+5Dj
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_794890

loc_7947DE:				; CODE XREF: PsThawProcess+15Dj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_20]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		and	[ebp+ms_exc.disabled], 0
		mov	eax, _PspFreezeTimeBiasAddress
		add	[eax], ebx
		mov	eax, _PspFreezeTimeBiasAddress
		mov	ecx, [ebp+var_24]
		adc	[eax+4], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_794819
; 

loc_79480C:				; DATA XREF: .text:006A1E58o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_28]

loc_794819:				; CODE XREF: PsThawProcess+1Fj
					; PsThawProcess+D0j
		mov	dl, [ebp+var_1C]
		mov	ecx, esi
		call	_KeThawProcess@8 ; KeThawProcess(x,x)
		mov	edi, eax
		cmp	edi, 1
		jnz	short loc_79483A
		test	dword ptr [esi+3A8h], 80000h
		jnz	loc_8DF996

loc_79483A:				; CODE XREF: PsThawProcess+EEj
					; PsThawProcess+14B269j
		cmp	[ebp+var_1C], 0
		jz	short loc_794857
		push	2
		pop	edx
		mov	ecx, esi
		call	PsSetProcessTelemetryAppState
		test	byte ptr ds:dword_70EFC8, 2
		jnz	loc_8DF9A8

loc_794857:				; CODE XREF: PsThawProcess+104j
					; PsThawProcess+14B270j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_794867:				; CODE XREF: PsThawProcess+2Cj
		test	byte ptr [esi+0FCh], 8
		jnz	loc_79476C
		push	esi
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	1
		push	esi
		push	17h
		call	PsInvokeWin32Callout
		jmp	loc_79476C
; 

loc_794890:				; CODE XREF: PsThawProcess+9Ej
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7947DE
PsThawProcess	endp


;  S U B	R O U T	I N E 


sub_79489C	proc near		; DATA XREF: .text:006A1E54o
		xor	eax, eax
		inc	eax
		retn
sub_79489C	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsFreezeProcess	proc near		; CODE XREF: PspChangeProcessExecutionState+120p
					; DbgkpSuspendProcess+14p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DF9BE SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		push	edi
		test	byte ptr [esi+0FCh], 8
		jnz	loc_79496E
		call	KeFreezeProcess
		test	byte ptr [esi+0FCh], 8
		jnz	loc_8DF9BE
		mov	edi, large fs:124h
		test	eax, eax
		jnz	short loc_7948E7
		test	dword ptr [esi+3A8h], 80000h
		jnz	loc_8DF9CA

loc_7948E7:				; CODE XREF: PsFreezeProcess+35j
					; PsFreezeProcess+14B136j
		test	bl, bl
		jz	short loc_794967
		dec	word ptr [edi+13Ch]
		nop
		lea	ebx, [esi+0E0h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	[esi+3C8h], eax
		or	eax, 0FFFFFFFFh
		mov	[esi+3CCh], edx
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_794972

loc_794922:				; CODE XREF: PsFreezeProcess+D9j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		cmp	dword ptr [esi+154h], 0
		jz	short loc_794950
		push	esi
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	esi
		push	16h
		call	PsInvokeWin32Callout

loc_794950:				; CODE XREF: PsFreezeProcess+97j
		test	byte ptr ds:dword_70EFC8, 2
		jnz	loc_8DF9DB

loc_79495D:				; CODE XREF: PsFreezeProcess+14B144j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	PsSetProcessTelemetryAppState

loc_794967:				; CODE XREF: PsFreezeProcess+49j
		mov	al, 1

loc_794969:				; CODE XREF: PsFreezeProcess+D0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_79496E:				; CODE XREF: PsFreezeProcess+14j
					; PsFreezeProcess+14B125j
		xor	al, al
		jmp	short loc_794969
; 

loc_794972:				; CODE XREF: PsFreezeProcess+80j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_794922
PsFreezeProcess	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopGetSettingValue proc	near		; CODE XREF: NtPowerInformation+991p

var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DF9E9 SIZE 00000011 BYTES

		push	10h
		push	offset dword_6A1E60
		call	__SEH_prolog4
		mov	ebx, edx
		mov	esi, ecx
		mov	edi, offset _PopSettingLock
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	edx, eax
		mov	ecx, esi
		call	_PopFindPowerSettingConfiguration@8 ; PopFindPowerSettingConfiguration(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8DF9E9
		mov	ecx, ebx
		mov	eax, [ebp+arg_0]
		sub	eax, 4
		and	[ebp+ms_exc.disabled], 0
		push	ecx
		push	eax
		lea	edx, [ebx+4]
		mov	ecx, esi
		call	PopMarshalSettingValues
		mov	esi, eax
		mov	[ebp+var_20], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7949E1:				; CODE XREF: sub_8DFA08+15j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, esi

loc_7949EA:				; CODE XREF: PopGetSettingValue+14B079j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PopGetSettingValue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopMarshalSettingValues	proc near	; CODE XREF: PopGetSettingValue+54p
					; PopDispatchNotificationsToList+A4p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DFA22 SIZE 0000000C BYTES

		push	30h
		push	offset dword_6A1E80
		call	__SEH_prolog4_GS
		mov	[ebp+var_3C], edx
		mov	ebx, ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_40], eax
		xor	esi, esi
		mov	[ebp+var_30], esi
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		mov	[ebp+ms_exc.disabled], esi
		mov	edi, esi
		mov	[ebp+var_38], edi
		mov	eax, dword_6C2D0C
		mov	[ebp+var_34], eax
		mov	ecx, esi
		mov	[ebp+var_2C], ecx

loc_794A35:				; CODE XREF: PopMarshalSettingValues+6Dj
		cmp	ecx, 3
		jnb	short loc_794A6B
		test	byte ptr [ebx+24h], 8
		jz	loc_794AE7
		mov	eax, [ebx+eax*4+30h]
		mov	[ebp+ecx*4+var_28], eax

loc_794A4C:				; CODE XREF: PopMarshalSettingValues+F6j
					; PopMarshalSettingValues+100j	...
		add	edi, 8
		mov	[ebp+var_38], edi
		mov	eax, [ebp+ecx*4+var_28]
		test	eax, eax
		jz	short loc_794A62
		inc	dword ptr [eax]
		add	edi, [eax+4]
		mov	[ebp+var_38], edi

loc_794A62:				; CODE XREF: PopMarshalSettingValues+5Cj
		inc	ecx
		mov	[ebp+var_2C], ecx
		mov	eax, [ebp+var_34]
		jmp	short loc_794A35
; 

loc_794A6B:				; CODE XREF: PopMarshalSettingValues+3Cj
		cmp	[ebp+arg_0], edi
		jb	loc_794B0D
		mov	ebx, esi

loc_794A76:				; CODE XREF: PopMarshalSettingValues+BFj
		mov	[ebp+var_2C], ebx
		cmp	ebx, 3
		jnb	short loc_794ABD
		mov	ecx, [ebp+ebx*4+var_28]
		test	ecx, ecx
		jz	loc_8DFA22
		mov	eax, [ecx+8]
		mov	[edx], eax
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_34], eax
		push	eax		; size_t
		lea	eax, [ecx+0Ch]
		push	eax		; void *
		lea	eax, [edx+8]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, [ebp+var_3C]
		mov	eax, [ebp+var_34]

loc_794AB2:				; CODE XREF: PopMarshalSettingValues+14B02Dj
		add	edx, 8
		add	edx, eax
		mov	[ebp+var_3C], edx
		inc	ebx
		jmp	short loc_794A76
; 

loc_794ABD:				; CODE XREF: PopMarshalSettingValues+80j
		mov	eax, [ebp+var_40]
		mov	[eax], edi
		mov	edi, esi

loc_794AC4:				; CODE XREF: PopMarshalSettingValues+116j
		mov	[ebp+var_30], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_794B14
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_794AE7:				; CODE XREF: PopMarshalSettingValues+42j
		mov	eax, [ebx+ecx*4+30h]
		mov	[ebp+ecx*4+var_28], eax
		cmp	ecx, 2
		jnz	loc_794A4C
		cmp	[ebp+var_20], 0
		jnz	loc_794A4C
		mov	eax, [ebp+var_24]
		mov	[ebp+var_20], eax
		jmp	loc_794A4C
; 

loc_794B0D:				; CODE XREF: PopMarshalSettingValues+72j
		mov	edi, 0C0000023h
		jmp	short loc_794AC4
PopMarshalSettingValues	endp


;  S U B	R O U T	I N E 


sub_794B14	proc near		; CODE XREF: PopMarshalSettingValues+D2p
					; sub_794B14+1Aj ...

; FUNCTION CHUNK AT 008DFA38 SIZE 00000010 BYTES

		mov	[ebp-2Ch], esi
		cmp	esi, 3
		jnb	short locret_794B30
		mov	eax, [ebp+esi*4-28h]
		test	eax, eax
		jz	short loc_794B2D
		sub	dword ptr [eax], 1
		jz	loc_8DFA38

loc_794B2D:				; CODE XREF: sub_794B14+Ej
					; sub_794B14+14AF2Fj
		inc	esi
		jmp	short sub_794B14
; 

locret_794B30:				; CODE XREF: sub_794B14+6j
		retn
sub_794B14	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDispatchNotifications(x)
_PopDispatchNotifications@4 proc near	; DATA XREF: .text:00403CD8o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		push	edi
		mov	ecx, offset _PopPowerSettings
		call	PopDispatchNotificationsToList
		push	2
		mov	esi, offset _PopSessionSpecificLists
		pop	edi

loc_794B4E:				; CODE XREF: PopDispatchNotifications(x)+29j
		mov	ecx, esi
		call	PopDispatchNotificationsToList
		add	esi, 8
		sub	edi, 1
		jnz	short loc_794B4E
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_PopDispatchNotifications@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDispatchNotificationsToList proc near ; CODE	XREF: PopDispatchNotifications(x)+Fp
					; PopDispatchNotifications(x)+1Ep

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DFA48 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	edi
		mov	ecx, offset _PopSettingLock
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		call	ExAcquireFastMutex
		mov	edi, [esi]
		cmp	edi, esi
		jz	short loc_794BB7

loc_794B9B:				; CODE XREF: PopDispatchNotificationsToList+4Fj
		mov	eax, [edi+24h]
		mov	ebx, edi

loc_794BA0:				; CODE XREF: PopDispatchNotificationsToList+F2j
		test	al, 1
		jnz	short loc_794BE3

loc_794BA4:				; CODE XREF: PopDispatchNotificationsToList+7Fj
					; PopDispatchNotificationsToList+14AEE8j
		mov	edi, [edi]
		test	al, 2
		jnz	short loc_794BB2
		test	al, 4
		jnz	loc_8DFA53

loc_794BB2:				; CODE XREF: PopDispatchNotificationsToList+42j
					; PopDispatchNotificationsToList+14AF05j
		cmp	edi, [ebp+var_38]
		jnz	short loc_794B9B

loc_794BB7:				; CODE XREF: PopDispatchNotificationsToList+33j
		mov	ecx, offset _PopSettingLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, large fs:124h
		cmp	dword ptr [eax+13Ch], 0
		jnz	loc_794C6A
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_794BE3:				; CODE XREF: PopDispatchNotificationsToList+3Cj
		test	al, 2
		jnz	short loc_794BA4
		mov	eax, [edi+28h]
		lea	edx, [ebp+var_28]
		mov	[ebp+var_30], eax
		mov	ecx, edi
		mov	eax, [edi+2Ch]
		mov	[ebp+var_2C], eax
		mov	eax, [edi+24h]
		and	eax, 0FFFFFFFEh
		or	eax, 2
		mov	[edi+24h], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	24h
		call	PopMarshalSettingValues
		mov	ecx, offset _PopSettingLock
		mov	esi, eax
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	esi, esi
		js	short loc_794C63
		mov	eax, [ebp+var_34]

loc_794C22:				; CODE XREF: PopDispatchNotificationsToList+102j
		push	0
		push	0
		push	0
		push	0
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	esi, eax
		call	_KeAreApcsDisabled@0 ; KeAreApcsDisabled()
		test	al, al
		jnz	short loc_794C6A
		mov	ecx, offset _PopSettingLock
		call	ExAcquireFastMutex
		mov	eax, [edi+24h]
		and	eax, 0FFFFFFFDh
		mov	[edi+24h], eax
		test	esi, esi
		jns	loc_794BA0
		jmp	loc_8DFA48
; 

loc_794C63:				; CODE XREF: PopDispatchNotificationsToList+B7j
		xor	eax, eax
		mov	[ebp+var_34], eax
		jmp	short loc_794C22
; 

loc_794C6A:				; CODE XREF: PopDispatchNotificationsToList+68j
					; PopDispatchNotificationsToList+DBj
		push	20h

loc_794C6C:				; CODE XREF: PopDispatchNotificationsToList+14AF0Cj
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall PipForAllChildDeviceNodes(x, x, x)
_PipForAllChildDeviceNodes@12:		; CODE XREF: PipForAllDeviceNodesCallback(x,x)+2Bp
					; PipForDeviceNodeSubtree(x,x,x)+21p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ecx+4]
		xor	eax, eax

loc_794C7B:				; CODE XREF: PopDispatchNotificationsToList+12Aj
		test	esi, esi
		jz	short loc_794C92
		test	eax, eax
		js	short loc_794C92
		push	[ebp+arg_0]
		mov	eax, esi
		mov	esi, [esi]
		push	eax
		call	_PipForAllDeviceNodesCallback@8	; PipForAllDeviceNodesCallback(x,x)
		jmp	short loc_794C7B
; 

loc_794C92:				; CODE XREF: PopDispatchNotificationsToList+117j
					; PopDispatchNotificationsToList+11Bj
		pop	esi
		pop	ebp
		retn	4
PopDispatchNotificationsToList endp ; sp = -4Ch

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipForAllDeviceNodesCallback(x, x)
_PipForAllDeviceNodesCallback@8	proc near ; CODE XREF: PopDispatchNotificationsToList+125p
					; DATA XREF: PipForAllDeviceNodesCallback(x,x)+24o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		push	dword ptr [edi+4]
		push	esi
		call	dword ptr [edi]
		test	eax, eax
		js	short loc_794CB5
		cmp	dword ptr [esi+4], 0
		jnz	short loc_794CBB

loc_794CB5:				; CODE XREF: PipForAllDeviceNodesCallback(x,x)+15j
					; PipForAllDeviceNodesCallback(x,x)+30j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_794CBB:				; CODE XREF: PipForAllDeviceNodesCallback(x,x)+1Bj
		push	edi
		mov	edx, offset _PipForAllDeviceNodesCallback@8 ; PipForAllDeviceNodesCallback(x,x)
		mov	ecx, esi
		call	_PipForAllChildDeviceNodes@12 ;	PipForAllChildDeviceNodes(x,x,x)
		jmp	short loc_794CB5
_PipForAllDeviceNodesCallback@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpPdoDeviceListEnumCallback(x, x)
_PiPnpPdoDeviceListEnumCallback@8 proc near ; DATA XREF: PnpGetSystemPdoList(x,x)+27o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [eax+10h]
		mov	edx, edi
		call	PiPnpAddDeviceToPdoDeviceListEnumContext
		mov	esi, eax
		test	esi, esi
		js	short loc_794CEE
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_794CEE:				; CODE XREF: PiPnpPdoDeviceListEnumCallback(x,x)+1Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_PiPnpPdoDeviceListEnumCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPnpAddDeviceToPdoDeviceListEnumContext proc near
					; CODE XREF: PiPnpPdoDeviceListEnumCallback(x,x)+12p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DFA77 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	esi, [edi+4]
		test	esi, esi
		jz	short loc_794D24
		mov	eax, [esi]
		cmp	eax, [edi]
		jz	short loc_794D24

loc_794D11:				; CODE XREF: PiPnpAddDeviceToPdoDeviceListEnumContext+7Bj
		mov	ecx, [ebp+var_4]
		mov	[esi+eax*4+4], ecx
		mov	eax, [edi+4]
		inc	dword ptr [eax]
		xor	eax, eax

loc_794D1F:				; CODE XREF: PiPnpAddDeviceToPdoDeviceListEnumContext+82j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_794D24:				; CODE XREF: PiPnpAddDeviceToPdoDeviceListEnumContext+13j
					; PiPnpAddDeviceToPdoDeviceListEnumContext+19j
		mov	ebx, [edi]
		add	ebx, 100h
		push	20207050h
		lea	eax, ds:4[ebx*4]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_794D73
		and	dword ptr [esi], 0
		mov	eax, [edi]
		inc	eax
		push	400h		; size_t
		push	0		; int
		lea	eax, [esi+eax*4]
		push	eax		; void *
		call	_memset
		mov	ecx, [edi+4]
		add	esp, 0Ch
		test	ecx, ecx
		jnz	loc_8DFA77

loc_794D6A:				; CODE XREF: PiPnpAddDeviceToPdoDeviceListEnumContext+14AD9Fj
		mov	[edi], ebx
		mov	[edi+4], esi
		mov	eax, [esi]
		jmp	short loc_794D11
; 

loc_794D73:				; CODE XREF: PiPnpAddDeviceToPdoDeviceListEnumContext+4Ej
		mov	eax, 0C000009Ah
		jmp	short loc_794D1F
PiPnpAddDeviceToPdoDeviceListEnumContext endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipForDeviceNodeSubtree(x, x, x)
_PipForDeviceNodeSubtree@12 proc near	; CODE XREF: PpProcessClearProblem(x)+53p
					; PnpGetSystemPdoList(x,x)+32p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		call	PpDevNodeLockTree
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		call	_PipForAllChildDeviceNodes@12 ;	PipForAllChildDeviceNodes(x,x,x)
		xor	ecx, ecx
		mov	esi, eax
		call	PpDevNodeUnlockTree
		mov	eax, esi
		pop	esi
		leave
		retn	4
_PipForDeviceNodeSubtree@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmEnumerateSystemImages	proc near	; CODE XREF: EtwpSysModuleRunDown+E0p
					; PopIdleWakeGenerateDescriptionString(x,x)+17Dp ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DFA9A SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+40h+var_24], ecx
		push	6
		pop	ecx
		lea	edi, [esp+40h+var_1C]
		mov	[esp+40h+var_2C], eax
		rep stosd
		mov	eax, large fs:124h
		mov	[esp+40h+var_28], edx
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_8DFA9A
		and	[esp+40h+var_30], 0

loc_794E01:				; CODE XREF: MmEnumerateSystemImages+14ACF4j
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	ebx, eax
		mov	[esp+40h+var_20], ebx
		dec	word ptr [ebx+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceSharedLite
		mov	edi, _PsLoadedModuleList
		mov	ebx, [esp+40h+var_30]

loc_794E2A:				; CODE XREF: MmEnumerateSystemImages+AEj
		mov	ecx, [edi+18h]
		xor	esi, esi
		mov	[esp+40h+var_30], ecx
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		cmp	eax, 1
		jz	short loc_794E92

loc_794E3D:				; CODE XREF: MmEnumerateSystemImages+111j
					; MmEnumerateSystemImages+14AD00j
		push	[esp+40h+var_28]
		push	edi
		call	[esp+48h+var_24]
		mov	[esp+48h+var_34], eax
		test	esi, esi
		jnz	loc_794ED6

loc_794E52:				; CODE XREF: MmEnumerateSystemImages+13Cj
		test	eax, eax
		js	short loc_794E60

loc_794E56:				; CODE XREF: MmEnumerateSystemImages+F5j
		mov	edi, [edi]
		cmp	edi, offset _PsLoadedModuleList
		jnz	short loc_794E2A

loc_794E60:				; CODE XREF: MmEnumerateSystemImages+A4j
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, [esp+48h+var_28]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, [esp+48h+var_28]
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		mov	ecx, [esp+48h+var_C]
		mov	eax, [esp+48h+var_34]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_794E92:				; CODE XREF: MmEnumerateSystemImages+8Bj
		test	ebx, ebx
		jnz	loc_8DFAA9

loc_794E9A:				; CODE XREF: MmEnumerateSystemImages+14AD06j
		xor	ecx, ecx

loc_794E9C:				; CODE XREF: MmEnumerateSystemImages+124j
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_794E56
		lea	edx, [esp+40h+var_1C]
		mov	ecx, esi
		call	MmAttachSession
		test	eax, eax
		js	short loc_794ED2
		mov	ecx, [esp+40h+var_30]
		call	_MiSessionLookupImage@4	; MiSessionLookupImage(x)
		test	eax, eax
		jnz	loc_794E3D
		lea	edx, [esp+40h+var_1C]
		mov	ecx, esi
		call	MmDetachSession

loc_794ED2:				; CODE XREF: MmEnumerateSystemImages+104j
		mov	ecx, esi
		jmp	short loc_794E9C
; 

loc_794ED6:				; CODE XREF: MmEnumerateSystemImages+9Cj
		lea	edx, [esp+48h+var_24]
		mov	ecx, esi
		call	MmDetachSession
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, [esp+48h+var_34]
		jmp	loc_794E52
MmEnumerateSystemImages	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSystemImageEnumCallback(x, x)
_EtwpSystemImageEnumCallback@8 proc near ; DATA	XREF: EtwpSysModuleRunDown+A2o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		push	(offset	off_401900+3)
		mov	eax, [esi+18h]
		mov	ecx, [edi]
		mov	ebx, [edi+4]
		mov	[ecx], eax
		mov	ecx, [edi]
		mov	eax, [esi+20h]
		mov	[ecx+4], eax
		mov	ecx, [edi]
		mov	eax, [esi+40h]
		mov	[ecx+0Ch], eax
		mov	ecx, [edi]
		mov	eax, [esi+58h]
		mov	[ecx+10h], eax
		mov	cl, [esi+3Ah]
		mov	eax, [edi]
		and	cl, 0Fh
		mov	[eax+14h], cl
		mov	cl, [esi+3Ah]
		mov	eax, [edi]
		shr	cl, 4
		and	cl, 7
		mov	[eax+15h], cl
		mov	ecx, ebx
		movzx	edx, word ptr [esi+24h]
		mov	eax, [esi+28h]
		and	dword ptr [ebx+14h], 0
		and	dword ptr [ebx+1Ch], 0
		mov	[ebx+10h], eax
		mov	[ebx+18h], edx
		mov	edx, [edi+8]
		movzx	eax, word ptr [edi+0Ch]
		push	eax
		push	3
		push	dword ptr [edx]
		mov	edx, [edx+2E4h]
		call	EtwpLogKernelEvent
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	8
_EtwpSystemImageEnumCallback@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExGetSessionPoolTagInformation proc near ; CODE	XREF: PAGE:0077F480p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008DFABB SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+48h+var_30], ecx
		lea	edi, [esp+48h+var_1C]
		push	6
		mov	ebx, edx
		xor	eax, eax
		mov	edx, [ebp+arg_0]
		pop	ecx
		rep stosd
		xor	edi, edi
		mov	[esp+48h+var_28], edx
		mov	[esp+48h+var_38], edi
		mov	esi, edi
		mov	[esp+48h+var_20], edi
		mov	[esp+48h+var_2C], edi
		mov	[esp+48h+var_24], edi
		mov	[edx], edi
		test	ebx, ebx
		jz	short loc_794FFC
		mov	eax, large fs:124h
		mov	edx, ebx
		mov	ecx, [esp+48h+var_30]
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+48h+var_34], al
		lea	eax, [esp+48h+var_20]
		push	eax
		lea	eax, [esp+4Ch+var_38]
		push	eax
		push	1
		push	[esp+54h+var_34]
		call	ExLockUserBuffer
		mov	esi, eax
		test	esi, esi
		js	loc_7950F3
		mov	edx, [esp+48h+var_28]

loc_794FFC:				; CODE XREF: ExGetSessionPoolTagInformation+49j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+arg_4]
		mov	ecx, [ecx]
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_795113

loc_79501C:				; CODE XREF: ExGetSessionPoolTagInformation+19Dj
		xor	ecx, ecx
		mov	[esp+48h+var_34], edi
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_7950CA
		mov	eax, [esp+48h+var_38]
		mov	[esp+48h+var_38], eax

loc_795039:				; CODE XREF: ExGetSessionPoolTagInformation+14Cj
		mov	ecx, edi
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+arg_4]
		mov	[esp+48h+var_30], eax
		mov	ecx, [ecx]
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_8DFABB

loc_795052:				; CODE XREF: ExGetSessionPoolTagInformation+14AB4Bj
		lea	edx, [esp+48h+var_1C]
		mov	ecx, edi
		call	MmAttachSession
		mov	esi, eax
		test	esi, esi
		js	short loc_7950CA
		push	[esp+48h+var_30]
		mov	ecx, [esp+4Ch+var_38]
		lea	eax, [esp+4Ch+var_2C]
		push	eax
		mov	edx, ebx
		call	_ExGetAttachedSessionPoolTagInfo@16 ; ExGetAttachedSessionPoolTagInfo(x,x,x,x)
		lea	edx, [esp+48h+var_1C]
		mov	ecx, edi
		mov	esi, eax
		call	MmDetachSession
		mov	ecx, [esp+48h+var_2C]
		test	esi, esi
		js	short loc_795107
		cmp	ecx, ebx
		ja	loc_8DFAC8
		cmp	ecx, 28h
		jb	loc_8DFAC8
		mov	eax, [esp+48h+var_38]
		mov	[esp+48h+var_24], eax
		add	eax, ecx
		mov	[esp+48h+var_38], eax
		sub	ebx, ecx

loc_7950AD:				; CODE XREF: ExGetSessionPoolTagInformation+199j
		mov	eax, [ebp+arg_4]
		add	[esp+48h+var_34], ecx
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_795132

loc_7950B9:				; CODE XREF: ExGetSessionPoolTagInformation+14AB45j
		mov	ecx, edi
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_795039

loc_7950CA:				; CODE XREF: ExGetSessionPoolTagInformation+B3j
					; ExGetSessionPoolTagInformation+E9j ...
		mov	ecx, [esp+48h+var_28]
		xor	edi, edi
		mov	eax, [esp+48h+var_34]
		mov	ebx, [esp+48h+var_24]
		mov	[ecx], eax

loc_7950DA:				; CODE XREF: ExGetSessionPoolTagInformation+1B8j
		test	esi, esi
		js	short loc_7950E4
		test	ebx, ebx
		jz	short loc_7950E4
		mov	[ebx], edi

loc_7950E4:				; CODE XREF: ExGetSessionPoolTagInformation+164j
					; ExGetSessionPoolTagInformation+168j ...
		mov	ecx, [esp+48h+var_20]
		test	ecx, ecx
		jz	short loc_7950F1
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)

loc_7950F1:				; CODE XREF: ExGetSessionPoolTagInformation+172j
		mov	eax, esi

loc_7950F3:				; CODE XREF: ExGetSessionPoolTagInformation+7Aj
		mov	ecx, [esp+48h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_795107:				; CODE XREF: ExGetSessionPoolTagInformation+112j
		cmp	esi, 0C0000004h
		jnz	short loc_795132
		xor	ebx, ebx
		jmp	short loc_7950AD
; 

loc_795113:				; CODE XREF: ExGetSessionPoolTagInformation+9Ej
		cmp	ecx, eax
		jnz	loc_79501C
		push	eax
		push	edx
		mov	edx, ebx
		mov	ebx, [esp+50h+var_38]
		mov	ecx, ebx
		call	_ExGetAttachedSessionPoolTagInfo@16 ; ExGetAttachedSessionPoolTagInfo(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7950E4
		jmp	short loc_7950DA
; 

loc_795132:				; CODE XREF: ExGetSessionPoolTagInformation+13Fj
					; ExGetSessionPoolTagInformation+195j ...
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	short loc_7950CA
ExGetSessionPoolTagInformation endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPolicySystemIdle()
_PopPolicySystemIdle@0 proc near

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_50		= dword	ptr -50h
var_3C		= byte ptr -3Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		lea	eax, [esp+7Ch+var_50]
		push	ebx
		push	esi
		push	edi
		push	4Ch		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [esp+94h+var_60]
		stosd
		xor	bl, bl
		add	esp, 0Ch
		stosd
		stosd
		stosd
		cmp	_PopPlatformAoAc, bl
		jnz	loc_79530D
		xor	bh, bh
		mov	byte ptr [esp+88h+var_78], bh
		call	_PopGetConsoleDisplayRequestCount@0 ; PopGetConsoleDisplayRequestCount()
		mov	edi, eax
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		call	_PopIdleCheckForUserInput@0 ; PopIdleCheckForUserInput()
		lea	edx, [esp+88h+var_50]
		mov	ecx, offset _PopCapabilities
		call	PopFilterCapabilities
		mov	dl, [esp+88h+var_3C]
		xor	cl, cl
		mov	byte ptr [esp+88h+var_74], cl
		test	dl, dl
		jnz	short loc_7951C5
		mov	esi, dword_6C22E0
		test	esi, esi
		jz	short loc_7951C5
		mov	eax, dword_6C22A8
		sub	eax, esi
		cmp	eax, dword_6C2D20
		jnb	short loc_7951C5
		inc	cl
		mov	byte ptr [esp+88h+var_74], cl

loc_7951C5:				; CODE XREF: PopPolicySystemIdle()+68j
					; PopPolicySystemIdle()+72j ...
		mov	eax, dword_6C22AC
		test	eax, eax
		jz	short loc_7951FE
		cmp	dword_6C22A8, eax
		jb	short loc_7951FE
		test	cl, cl
		jnz	short loc_7951FE
		cmp	_PopUserShutdownInProgress, cl
		jnz	short loc_7951FE
		test	dl, dl
		jz	short loc_7951F3
		cmp	_PopConsoleDisplayState, 0
		jz	short loc_7951FC
		test	edi, edi
		jmp	short loc_7951FA
; 

loc_7951F3:				; CODE XREF: PopPolicySystemIdle()+A8j
		cmp	dword_6C22C4, 0

loc_7951FA:				; CODE XREF: PopPolicySystemIdle()+B5j
		jnz	short loc_7951FE

loc_7951FC:				; CODE XREF: PopPolicySystemIdle()+B1j
		mov	bl, 1

loc_7951FE:				; CODE XREF: PopPolicySystemIdle()+90j
					; PopPolicySystemIdle()+98j ...
		mov	byte_6C22F0, bl
		test	dl, dl
		jz	short loc_795220
		cmp	Source1, 2
		jnz	short loc_795220
		cmp	dword_6C22C0, 1
		jnz	short loc_795220
		mov	bh, 1
		mov	byte ptr [esp+88h+var_78], bh

loc_795220:				; CODE XREF: PopPolicySystemIdle()+CAj
					; PopPolicySystemIdle()+D3j ...
		test	bl, bl
		jz	short loc_795237
		test	bh, bh
		jnz	short loc_795230
		push	5
		pop	ecx
		call	_PopResetIdleTime@4 ; PopResetIdleTime(x)

loc_795230:				; CODE XREF: PopPolicySystemIdle()+EAj
		mov	byte_6C22D5, 0

loc_795237:				; CODE XREF: PopPolicySystemIdle()+E6j
		lea	ecx, [esp+88h+var_50]
		call	_PopIsHibernateSupported@4 ; PopIsHibernateSupported(x)
		mov	byte ptr [esp+88h+var_68], al
		call	PopIsDozeSupported
		push	dword_6C22C0
		cmp	dword_6C22C4, 0
		mov	dl, bl
		push	Source1
		mov	byte ptr [esp+90h+var_6C], al
		setnz	byte ptr [esp+90h+var_64]
		mov	al, byte_6C22E4
		mov	byte ptr [esp+90h+var_70], al
		push	[esp+90h+var_70]
		mov	eax, _PopPolicy
		push	[esp+94h+var_78]
		push	dword ptr [eax+58h]
		push	[esp+9Ch+var_6C]
		push	[esp+0A0h+var_68]
		push	ecx
		push	[esp+0A8h+var_74]
		mov	ecx, dword_6C22A8
		push	[esp+0ACh+var_64]
		call	_PopTraceSystemIdleUpdate@48 ; PopTraceSystemIdleUpdate(x,x,x,x,x,x,x,x,x,x,x,x)
		test	bl, bl
		jz	short loc_7952CC
		test	bh, bh
		jnz	short loc_7952CC
		push	1
		push	dword_6C22C0
		xor	edx, edx
		mov	[esp+90h+var_60], 7
		push	offset Source1
		lea	ecx, [esp+94h+var_60]
		mov	[esp+94h+var_5C], 80h
		call	PopExecutePowerAction

loc_7952CC:				; CODE XREF: PopPolicySystemIdle()+162j
					; PopPolicySystemIdle()+166j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		test	bl, bl
		jnz	short loc_7952F0
		mov	eax, dword_6C22A8
		xor	edx, edx
		div	_PopIdleScanInterval
		mov	ecx, dword_6C22AC
		push	0
		push	eax
		call	_PopIdleDetection@12 ; PopIdleDetection(x,x,x)

loc_7952F0:				; CODE XREF: PopPolicySystemIdle()+197j
		mov	eax, large fs:124h
		cmp	dword ptr [eax+13Ch], 0
		jz	short loc_795304
		push	20h
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_795304:				; CODE XREF: PopPolicySystemIdle()+1C1j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_79530D:				; CODE XREF: PopPolicySystemIdle()+31j
		push	0
		push	0
		push	3
		push	0Ah
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_PopPolicySystemIdle@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceSystemIdleUpdate(x,	x, x, x, x, x, x, x, x,	x, x, x)
_PopTraceSystemIdleUpdate@48 proc near	; CODE XREF: PopPolicySystemIdle()+15Bp

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_C		= byte ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h
arg_1C		= byte ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	bl, dl
		mov	[ebp+var_78], ecx
		jz	loc_795456
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_SYSTEM_IDLE_UPDATE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_795454
		movzx	ecx, _PopUserShutdownInProgress
		neg	ecx
		mov	[ebp+var_6C], 4
		push	8
		sbb	ecx, ecx
		mov	[ebp+var_14], offset dword_6C22C8
		xor	eax, eax
		and	ecx, 4
		cmp	[ebp+arg_0], al
		pop	edx
		setnz	al
		mov	[ebp+var_C], edx
		or	ecx, eax
		movzx	eax, [ebp+arg_10]
		neg	eax
		push	4
		sbb	eax, eax
		and	eax, 40h
		or	ecx, eax
		movzx	eax, [ebp+arg_4]
		neg	eax
		sbb	eax, eax
		and	eax, 2
		or	ecx, eax
		movzx	eax, [ebp+arg_C]
		neg	eax
		sbb	eax, eax
		and	eax, edx
		or	ecx, eax
		movzx	eax, [ebp+arg_1C]
		neg	eax
		sbb	eax, eax
		and	eax, 20h
		or	ecx, eax
		movzx	eax, [ebp+arg_18]
		neg	eax
		sbb	eax, eax
		and	eax, 10h
		or	ecx, eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_74], eax
		movzx	eax, bl
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_20]
		pop	ebx
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_24]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_14]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		mov	[ebp+var_80], ecx
		xor	ecx, ecx
		push	ecx
		push	offset _POP_ETW_EVENT_SYSTEM_IDLE_UPDATE
		mov	[ebp+var_70], ecx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_795454:				; CODE XREF: PopTraceSystemIdleUpdate(x,x,x,x,x,x,x,x,x,x,x,x)+44j
		pop	edi
		pop	esi

loc_795456:				; CODE XREF: PopTraceSystemIdleUpdate(x,x,x,x,x,x,x,x,x,x,x,x)+22j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	28h
_PopTraceSystemIdleUpdate@48 endp

; 
		align 2

;  S U B	R O U T	I N E 


PopIsDozeSupported proc	near		; CODE XREF: PopIdleArmAoAcDozeS4Timer()+3Ep
					; PAGELK:0071F3B3p ...

; FUNCTION CHUNK AT 008DFAD2 SIZE 00000012 BYTES

		xor	dl, dl
		call	_PopIsHibernateSupported@4 ; PopIsHibernateSupported(x)
		test	al, al
		jz	loc_8DFAD2

loc_795475:				; CODE XREF: PopIsDozeSupported+14A679j
		cmp	[ecx+7], dl
		jz	short loc_79547C
		mov	dl, 1

loc_79547C:				; CODE XREF: PopIsDozeSupported+12j
					; PopIsDozeSupported+14A673j
		mov	al, dl
		retn
PopIsDozeSupported endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PopIsHibernateSupported(x)
_PopIsHibernateSupported@4 proc	near	; CODE XREF: PopCheckAndHandleThermalConditions+829D1p
					; PopCaptureSleepStudyStatistics(x,x,x,x)+3C6p	...
		xor	al, al
		cmp	[ecx+6], al
		jz	short locret_795494
		cmp	[ecx+8], al
		jz	short locret_795494
		cmp	byte ptr [ecx+16h], 2
		jnz	short locret_795494
		inc	al

locret_795494:				; CODE XREF: PopIsHibernateSupported(x)+5j
					; PopIsHibernateSupported(x)+Aj ...
		retn
_PopIsHibernateSupported@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiControlGetDeviceDepth	proc near	; DATA XREF: .text:00403B68o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DFAE4 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, [ebp+arg_4]
		movzx	eax, word ptr [esi]
		mov	word ptr [ebp+var_8+2],	ax
		mov	word ptr [ebp+var_8], ax
		test	ax, ax
		jz	short loc_7954FC
		mov	ecx, 190h
		cmp	ax, cx
		ja	short loc_7954FC
		test	al, 1
		jnz	short loc_7954FC
		mov	edx, [esi+4]
		lea	ecx, [ebp+var_4]
		push	1
		push	[ebp+arg_C]
		push	2
		push	eax
		call	PiControlMakeUserModeCallersCopy
		test	eax, eax
		js	short loc_7954F7
		lea	edx, [esi+8]
		lea	ecx, [ebp+var_8]
		call	_PiGetDeviceDepth@8 ; PiGetDeviceDepth(x,x)
		cmp	byte ptr [ebp+arg_C], 0
		mov	esi, eax
		jnz	loc_8DFAE4

loc_7954F5:				; CODE XREF: PiControlGetDeviceDepth+14A652j
					; PiControlGetDeviceDepth+14A662j
		mov	eax, esi

loc_7954F7:				; CODE XREF: PiControlGetDeviceDepth+46j
					; PiControlGetDeviceDepth+6Bj
		pop	esi
		leave
		retn	10h
; 

loc_7954FC:				; CODE XREF: PiControlGetDeviceDepth+21j
					; PiControlGetDeviceDepth+2Bj ...
		mov	eax, 0C000000Dh
		jmp	short loc_7954F7
PiControlGetDeviceDepth	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpHotSwapGetDevnodeRemovalPolicy proc near ; CODE XREF:	IoGetDeviceProperty+10Ap
					; PiControlGetPropertyData+14A70Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DFAFD SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		xor	ecx, ecx
		call	PpDevNodeLockTree
		test	bl, bl
		jz	short loc_795555
		mov	al, [esi+13Eh]

loc_795525:				; CODE XREF: PpHotSwapGetDevnodeRemovalPolicy+57j
		movzx	eax, al
		test	eax, eax
		jz	loc_8DFAFD
		push	3
		pop	esi
		cmp	eax, esi
		ja	short loc_79554B
		mov	esi, eax

loc_795539:				; CODE XREF: PpHotSwapGetDevnodeRemovalPolicy+4Fj
					; PpHotSwapGetDevnodeRemovalPolicy+5Ej	...
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_79554B:				; CODE XREF: PpHotSwapGetDevnodeRemovalPolicy+31j
		cmp	eax, 4
		jnz	short loc_79555D

loc_795550:				; CODE XREF: PpHotSwapGetDevnodeRemovalPolicy+5Cj
		push	2
		pop	esi
		jmp	short loc_795539
; 

loc_795555:				; CODE XREF: PpHotSwapGetDevnodeRemovalPolicy+19j
		mov	al, [esi+13Fh]
		jmp	short loc_795525
; 

loc_79555D:				; CODE XREF: PpHotSwapGetDevnodeRemovalPolicy+4Aj
		cmp	eax, 5
		jnz	short loc_795550
		jmp	short loc_795539
PpHotSwapGetDevnodeRemovalPolicy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopDeleteDevice	proc near		; DATA XREF: IoCreateObjectTypes+D8o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008DFB2F SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	PnpDeleteAllDependencyRelations
		mov	ecx, [esi+0B0h]
		mov	ecx, [ecx+14h]
		call	IopDestroyDeviceNode
		mov	eax, [esi+0B0h]
		test	dword ptr [eax+10h], 1000h
		jnz	loc_8DFB2F

loc_795595:				; CODE XREF: IopDeleteDevice+14A5D5j
		xor	ecx, ecx
		lea	eax, [esi+24h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	loc_8DFB3E

loc_7955A4:				; CODE XREF: IopDeleteDevice+14A5E2j
		mov	ecx, [esi+8]
		pop	esi
		test	ecx, ecx
		jz	short loc_7955B1
		call	ObfDereferenceObject

loc_7955B1:				; CODE XREF: IopDeleteDevice+46j
		pop	ebp
		retn	4
IopDeleteDevice	endp

; 
		align 2

;  S U B	R O U T	I N E 


IopDestroyDeviceNode proc near		; CODE XREF: IopDeleteDevice+19p
					; IopFindLegacyDeviceNode(x,x,x,x)+65p	...

; FUNCTION CHUNK AT 008DFB4B SIZE 00000099 BYTES
; FUNCTION CHUNK AT 008DFBE6 SIZE 00000159 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jnz	loc_8DFB4B

loc_7955C5:				; CODE XREF: IopDestroyDeviceNode+14A6C5j
					; IopDestroyDeviceNode+14A784j
		pop	edi
		pop	esi
		pop	ebx
		retn
IopDestroyDeviceNode endp

; 
		align 2

;  S U B	R O U T	I N E 


PnpDeleteAllDependencyRelations	proc near ; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+35Ep
					; IopDeleteDevice+Bp

; FUNCTION CHUNK AT 008DFD3F SIZE 00000013 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	short loc_7955FC
		mov	cl, 1
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	eax, [esi+0B0h]
		mov	edi, [eax+2Ch]
		test	edi, edi
		jnz	loc_8DFD3F

loc_7955ED:				; CODE XREF: PnpDeleteAllDependencyRelations+14A783j
		call	_PnpReleaseDependencyRelationsLock@0 ; PnpReleaseDependencyRelationsLock()
		test	edi, edi
		jnz	short loc_795603

loc_7955F6:				; CODE XREF: PnpDeleteAllDependencyRelations+3Ej
		xor	eax, eax

loc_7955F8:				; CODE XREF: PnpDeleteAllDependencyRelations+37j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_7955FC:				; CODE XREF: PnpDeleteAllDependencyRelations+9j
		mov	eax, 0C000000Dh
		jmp	short loc_7955F8
; 

loc_795603:				; CODE XREF: PnpDeleteAllDependencyRelations+2Aj
		call	_PipProcessRebuildPowerRelationsQueue@0	; PipProcessRebuildPowerRelationsQueue()
		jmp	short loc_7955F6
PnpDeleteAllDependencyRelations	endp


;  S U B	R O U T	I N E 


PopLogDisabledSleepReason proc near	; CODE XREF: PopFilterCapabilities:loc_7956DAp

; FUNCTION CHUNK AT 008DFD52 SIZE 00000074 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		xor	esi, esi
		mov	ecx, offset _PopDisableSleepMutex
		push	edi
		mov	ebx, esi
		mov	edi, esi
		call	ExAcquireFastMutex
		push	0Dh
		pop	ecx
		call	PopRemoveReasonRecordByReasonCode
		mov	eax, _PopDisableSleepList
		mov	ecx, offset _PopDisableSleepList
		cmp	eax, ecx
		jnz	loc_8DFD52

loc_795639:				; CODE XREF: PopLogDisabledSleepReason+14A754j
					; PopLogDisabledSleepReason+14A777j ...
		mov	ecx, offset _PopDisableSleepMutex
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
PopLogDisabledSleepReason endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFilterCapabilities proc near		; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+3B2p
					; PopIdleArmAoAcDozeS4Timer()+35p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 008DFDC6 SIZE 00000082 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		push	13h
		xor	eax, eax
		lea	edx, [ebp+var_C]
		pop	ecx
		mov	edi, ebx
		mov	[ebp+var_10], eax
		rep movsd
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_1], al
		call	IoGetLegacyVetoList
		test	eax, eax
		js	short loc_795697
		cmp	[ebp+var_C], 0
		jnz	loc_8DFDC6

loc_795687:				; CODE XREF: PopFilterCapabilities+14A7C1j
		cmp	[ebp+var_8], 0
		jnz	loc_8DFE10

loc_795691:				; CODE XREF: PopFilterCapabilities+14A7D1j
		cmp	[ebp+var_1], 0
		jnz	short loc_79569F

loc_795697:				; CODE XREF: PopFilterCapabilities+31j
		push	4
		pop	ecx
		call	PopRemoveReasonRecordByReasonCode

loc_79569F:				; CODE XREF: PopFilterCapabilities+4Bj
		lea	eax, [ebp+var_10]
		xor	edi, edi
		push	eax		; int
		inc	edi
		push	offset _EM_RULE_DISABLE_FASTS4_GUID ; void *
		mov	[ebp+var_10], edi
		call	EmClientQueryRuleState
		cmp	[ebp+var_10], 2
		jz	loc_8DFE20
		push	7
		pop	ecx
		call	PopRemoveReasonRecordByReasonCode

loc_7956C5:				; CODE XREF: PopFilterCapabilities+14A7E5j
		cmp	byte_6C2D1D, 0
		jnz	loc_8DFE34
		push	0Eh
		pop	ecx
		call	PopRemoveReasonRecordByReasonCode

loc_7956DA:				; CODE XREF: PopFilterCapabilities+14A7F9j
		call	PopLogDisabledSleepReason
		xor	ecx, ecx
		mov	esi, eax
		call	_PopCheckDisabledState@4 ; PopCheckDisabledState(x)
		test	al, al
		jz	short loc_7956F1
		xor	eax, eax
		mov	[ebx+3], al

loc_7956F1:				; CODE XREF: PopFilterCapabilities+A0j
		mov	ecx, edi
		call	_PopCheckDisabledState@4 ; PopCheckDisabledState(x)
		test	al, al
		jz	short loc_795701
		xor	eax, eax
		mov	[ebx+4], al

loc_795701:				; CODE XREF: PopFilterCapabilities+B0j
		push	2
		pop	ecx
		call	_PopCheckDisabledState@4 ; PopCheckDisabledState(x)
		test	al, al
		jnz	short loc_795754

loc_79570D:				; CODE XREF: PopFilterCapabilities+10Fj
		push	3
		pop	ecx
		call	_PopCheckDisabledState@4 ; PopCheckDisabledState(x)
		test	al, al
		jnz	short loc_79575B
		mov	al, [ebx+6]

loc_79571C:				; CODE XREF: PopFilterCapabilities+116j
		push	6
		pop	ecx
		mov	[ebp+var_1], al
		mov	[ebp+var_2], al
		call	_PopCheckDisabledState@4 ; PopCheckDisabledState(x)
		xor	edx, edx
		test	al, al
		jnz	short loc_795762

loc_795730:				; CODE XREF: PopFilterCapabilities+11Bj
		cmp	byte ptr [ebx+5], 0
		jz	short loc_795767
		mov	al, [ebp+var_1]
		mov	cl, al
		test	al, al
		jz	short loc_795746

loc_79573F:				; CODE XREF: PopFilterCapabilities+103j
					; PopFilterCapabilities+108j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_795746:				; CODE XREF: PopFilterCapabilities+F3j
					; PopFilterCapabilities+120j
		mov	al, cl
		mov	[ebx+11h], dl
		test	al, al
		jnz	short loc_79573F
		mov	[ebx+12h], dl
		jmp	short loc_79573F
; 

loc_795754:				; CODE XREF: PopFilterCapabilities+C1j
		xor	eax, eax
		mov	[ebx+5], al
		jmp	short loc_79570D
; 

loc_79575B:				; CODE XREF: PopFilterCapabilities+CDj
		xor	eax, eax
		mov	[ebx+6], al
		jmp	short loc_79571C
; 

loc_795762:				; CODE XREF: PopFilterCapabilities+E4j
		mov	[ebx+11h], dl
		jmp	short loc_795730
; 

loc_795767:				; CODE XREF: PopFilterCapabilities+EAj
		mov	cl, [ebp+var_2]
		jmp	short loc_795746
PopFilterCapabilities endp


;  S U B	R O U T	I N E 


; __stdcall PopCheckDisabledState(x)
_PopCheckDisabledState@4 proc near	; CODE XREF: PopFilterCapabilities+99p
					; PopFilterCapabilities+A9p ...
		mov	eax, _PowerStateDisableReasonListHead
		xor	dl, dl
		push	esi
		mov	esi, offset _PowerStateDisableReasonListHead

loc_795779:				; CODE XREF: PopCheckDisabledState(x)+19j
		cmp	eax, esi
		jz	short loc_795789
		cmp	[ecx+eax+8], dl
		jnz	short loc_795787
		mov	eax, [eax]
		jmp	short loc_795779
; 

loc_795787:				; CODE XREF: PopCheckDisabledState(x)+15j
		mov	dl, 1

loc_795789:				; CODE XREF: PopCheckDisabledState(x)+Fj
		mov	al, dl
		pop	esi
		retn
_PopCheckDisabledState@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


PopRemoveReasonRecordByReasonCode proc near ; CODE XREF: PopUpdateUpgradeInProgress(x)+115p
					; PopLogDisabledSleepReason+18p ...

arg_8		= dword	ptr  0Ch
arg_C		= word ptr  10h
arg_E		= word ptr  12h
arg_10		= dword	ptr  14h
arg_14		= dword	ptr  18h

; FUNCTION CHUNK AT 008DFE48 SIZE 00000059 BYTES

		call	_PopGetReasonListByReasonCode@4	; PopGetReasonListByReasonCode(x)
		test	eax, eax
		jnz	loc_8DFE48
		retn
PopRemoveReasonRecordByReasonCode endp


;  S U B	R O U T	I N E 


; __stdcall PopGetReasonListByReasonCode(x)
_PopGetReasonListByReasonCode@4	proc near ; CODE XREF: PopRemoveReasonRecordByReasonCodep
					; PopCheckDisabledReason(x,x)+5p ...
		mov	eax, _PowerStateDisableReasonListHead
		xor	edx, edx
		push	ebx
		push	esi
		mov	bl, dl
		mov	esi, offset _PowerStateDisableReasonListHead

loc_7957AC:				; CODE XREF: PopGetReasonListByReasonCode(x)+1Dj
		cmp	eax, esi
		jz	short loc_7957BD
		mov	edx, eax
		cmp	[eax+10h], ecx
		jz	short loc_7957BB
		mov	eax, [eax]
		jmp	short loc_7957AC
; 

loc_7957BB:				; CODE XREF: PopGetReasonListByReasonCode(x)+19j
		mov	bl, 1

loc_7957BD:				; CODE XREF: PopGetReasonListByReasonCode(x)+12j
		movzx	eax, bl
		neg	eax
		pop	esi
		sbb	eax, eax
		and	eax, edx
		pop	ebx
		retn
_PopGetReasonListByReasonCode@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoGetLegacyVetoList proc near		; CODE XREF: PopFilterCapabilities+2Ap
					; PnpProcessQueryRemoveAndEject(x)+20Bp ...

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008DFEA1 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_7957E4
		mov	[esi], ebx

loc_7957E4:				; CODE XREF: IoGetLegacyVetoList+16j
		mov	[edi], ebx
		mov	[esp+28h+var_1C], ebx
		cmp	_PnPInitialized, bl
		jz	short loc_79585F
		lea	eax, [esp+28h+var_1C]
		mov	[esp+28h+var_10], esi
		lea	ecx, [esp+28h+var_10]
		mov	[esp+28h+var_C], ebx
		mov	[esp+28h+var_8], edi
		mov	[esp+28h+var_4], eax
		call	IopGetLegacyVetoListDrivers
		mov	eax, [esp+28h+var_1C]
		test	eax, eax
		js	loc_8DFEA1
		cmp	[edi], ebx
		jnz	short loc_795840
		xor	ecx, ecx
		call	PpDevNodeLockTree
		mov	ecx, _IopRootDeviceNode
		lea	edx, [esp+28h+var_10]
		call	IopGetLegacyVetoListDeviceNode
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		mov	eax, [esp+28h+var_1C]

loc_795840:				; CODE XREF: IoGetLegacyVetoList+53j
		test	eax, eax
		js	loc_8DFEA1
		cmp	[edi], ebx
		jnz	loc_8DFE6C

loc_795850:				; CODE XREF: PopRemoveReasonRecordByReasonCode+14A6E0j
					; PopRemoveReasonRecordByReasonCode+14A70Ej
		test	eax, eax
		js	loc_8DFEA1

loc_795858:				; CODE XREF: IoGetLegacyVetoList+97j
					; IoGetLegacyVetoList+14A6D9j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_79585F:				; CODE XREF: IoGetLegacyVetoList+26j
		xor	eax, eax
		jmp	short loc_795858
IoGetLegacyVetoList endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PnpReleaseDependencyRelationsLock()
_PnpReleaseDependencyRelationsLock@0 proc near ; CODE XREF: IoResolveDependency+A2p
					; IoResolveDependency:loc_5660D8p ...
		mov	edi, edi
		push	ecx
		mov	ecx, offset _PiDependencyRelationsLock
		call	ExReleaseResourceLite
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		pop	ecx
		retn
_PnpReleaseDependencyRelationsLock@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiControlGetPropertyData proc near	; DATA XREF: .text:00403B18o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008DFEC5 SIZE 0000017B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	[esp+24h+var_8], eax
		push	edi
		mov	edi, eax
		mov	[esp+28h+var_4], eax
		mov	[esp+28h+var_10], eax
		mov	[esp+28h+var_18], eax
		movzx	eax, word ptr [ebx]
		mov	[esp+28h+var_1C], edi
		mov	word ptr [esp+28h+var_8+2], ax
		mov	word ptr [esp+28h+var_8], ax
		test	ax, ax
		jz	loc_8E0036
		mov	ecx, 190h
		cmp	ax, cx
		ja	loc_8E0036
		test	al, 1
		jnz	loc_8E0036
		mov	edx, [ebx+4]
		lea	ecx, [esp+28h+var_4]
		push	1
		push	[ebp+arg_C]
		push	2
		push	eax
		call	PiControlMakeUserModeCallersCopy
		test	eax, eax
		js	loc_7959EA
		xor	ecx, ecx
		call	PpDevNodeLockTree
		mov	edx, 43706E50h
		lea	ecx, [esp+28h+var_8]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		cmp	byte ptr [ebp+arg_C], 0
		mov	esi, eax
		mov	[esp+28h+var_C], esi
		jnz	loc_8DFEC5

loc_795910:				; CODE XREF: PiControlGetPropertyData+14A64Fj
					; PiControlGetPropertyData+14A660j
		test	esi, esi
		jz	loc_8DFEDF
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	[esp+28h+var_14], eax
		test	eax, eax
		jz	loc_8DFEDF
		mov	eax, [eax+0ACh]
		cmp	eax, 314h
		jz	loc_8E0014
		cmp	eax, 313h
		jz	loc_8E0014
		lea	edi, [ebx+10h]
		add	ebx, 0Ch
		mov	eax, [edi]
		lea	ecx, [esp+28h+var_1C]
		mov	edx, eax
		mov	[esp+28h+var_18], eax
		push	dword ptr [ebx]
		push	[ebp+arg_C]
		call	PiControlAllocateBufferForUserModeCaller
		mov	esi, eax
		test	esi, esi
		js	loc_795A35
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+8]
		dec	ecx
		cmp	ecx, 0Fh	; switch 16 cases
		ja	loc_8E000A	; default
		jmp	ds:off_795A42[ecx*4] ; switch jump

loc_795986:				; DATA XREF: PAGE:00795A56o
		push	13h		; case 0x5

loc_795988:				; CODE XREF: PiControlGetPropertyData+19Aj
					; PiControlGetPropertyData+1A1j ...
		pop	eax
		test	esi, esi
		js	loc_795A35
		push	edi
		mov	edi, [esp+2Ch+var_1C]
		push	edi
		push	[esp+30h+var_18]
		push	eax
		push	[esp+38h+var_C]
		call	IoGetDeviceProperty

loc_7959A5:				; CODE XREF: PiControlGetPropertyData+14A73Aj
		mov	esi, eax

loc_7959A7:				; CODE XREF: PiControlGetPropertyData+14A698j
					; PiControlGetPropertyData+14A6A3j ...
		test	esi, esi
		js	short loc_7959C3

loc_7959AB:				; CODE XREF: PiControlGetPropertyData+196j
		push	0
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, ebx
		push	1
		push	[esp+34h+var_18]
		call	PiControlMakeUserModeCallersCopy
		test	eax, eax
		js	short loc_795A3B

loc_7959C3:				; CODE XREF: PiControlGetPropertyData+12Fj
					; PiControlGetPropertyData+1B9j ...
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		mov	eax, [esp+28h+var_C]
		test	eax, eax
		jz	short loc_7959DE
		mov	edx, 43706E50h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_7959DE:				; CODE XREF: PiControlGetPropertyData+156j
		cmp	byte ptr [ebp+arg_C], 0
		jnz	loc_8E0021

loc_7959E8:				; CODE XREF: PiControlGetPropertyData+14A7A9j
					; PiControlGetPropertyData+14A7B7j
		mov	eax, esi

loc_7959EA:				; CODE XREF: PiControlGetPropertyData+6Bj
					; PiControlGetPropertyData+14A7C1j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7959F3:				; CODE XREF: PiControlGetPropertyData+105j
					; DATA XREF: PAGE:00795A72o
		push	4		; case 0xC
		pop	eax
		mov	[edi], eax
		mov	edi, [esp+28h+var_1C]
		cmp	[esp+28h+var_18], eax
		jb	short loc_795A2E
		mov	ecx, [esp+28h+var_14]
		xor	esi, esi
		mov	eax, [ecx+1BCh]
		mov	[edi], eax
		jmp	short loc_7959AB
; 

loc_795A12:				; CODE XREF: PiControlGetPropertyData+105j
					; DATA XREF: PAGE:00795A4Eo
		push	0Eh		; case 0x3
		jmp	loc_795988
; 

loc_795A19:				; CODE XREF: PiControlGetPropertyData+105j
					; DATA XREF: PAGE:00795A4Ao
		push	0Dh		; case 0x2
		jmp	loc_795988
; 

loc_795A20:				; CODE XREF: PiControlGetPropertyData+105j
					; PiControlGetPropertyData+14A795j
					; DATA XREF: ...
		push	12h		; case 0xA
		jmp	loc_795988
; 

loc_795A27:				; CODE XREF: PiControlGetPropertyData+105j
					; DATA XREF: PAGE:off_795A42o
		push	0Bh		; case 0x0
		jmp	loc_795988
; 

loc_795A2E:				; CODE XREF: PiControlGetPropertyData+186j
		mov	esi, 0C0000023h
		jmp	short loc_7959C3
; 

loc_795A35:				; CODE XREF: PiControlGetPropertyData+EFj
					; PiControlGetPropertyData+111j
		mov	edi, [esp+28h+var_1C]
		jmp	short loc_7959C3
; 

loc_795A3B:				; CODE XREF: PiControlGetPropertyData+147j
		mov	esi, eax
		jmp	short loc_7959C3
PiControlGetPropertyData endp

; 
		db 8Dh
		db 49h,	0
off_795A42	dd offset loc_795A27	; DATA XREF: PiControlGetPropertyData+105r
					; jump table for switch	statement
		dd offset loc_8DFEE9	; case 0x1
		dd offset loc_795A19	; case 0x2
		dd offset loc_795A12	; case 0x3
		dd offset loc_8DFEF7	; case 0x4
		dd offset loc_795986	; case 0x5
		dd offset loc_8DFF22	; case 0x6
		dd offset loc_8DFEF0	; case 0x7
		dd offset loc_8E000A	; default
		dd offset loc_8DFF72	; case 0x9
		dd offset loc_795A20	; case 0xA
		dd offset loc_8E000A	; default
		dd offset loc_7959F3	; case 0xC
		dd offset loc_8DFFA1	; case 0xD
		dd offset loc_8DFFB9	; case 0xE
		dd offset loc_8DFFBD	; case 0xF

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiGetRelatedDevice proc	near		; CODE XREF: PiControlGetRelatedDevice+98p
					; PiCMGetRelatedDeviceInstance+196p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E0040 SIZE 00000059 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		xor	ecx, ecx
		xor	edi, edi
		call	PpDevNodeLockTree
		mov	edx, 43706E50h
		mov	ecx, esi
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		jz	loc_795B37
		mov	eax, [ebx+0B0h]
		mov	esi, [eax+14h]
		test	esi, esi
		jz	short loc_795B37
		mov	eax, [esi+0ACh]
		cmp	eax, 314h
		jz	short loc_795B37
		cmp	eax, 313h
		jz	short loc_795B37
		mov	eax, [ebp+arg_4]
		sub	eax, 1
		jnz	short loc_795B3E
		mov	esi, [esi+8]

loc_795AE0:				; CODE XREF: PiGetRelatedDevice+14Bj
					; PiGetRelatedDevice+14A5EAj ...
		cmp	[ebp+arg_4], 1
		jnz	short loc_795B54

loc_795AE6:				; CODE XREF: PiGetRelatedDevice+106j
		test	esi, esi
		jz	short loc_795B37
		mov	eax, [ebp+arg_0]
		movzx	ebx, word ptr [esi+14h]
		cmp	[eax], ebx
		jbe	loc_8E008C
		push	ebx		; size_t
		push	dword ptr [esi+18h] ; void *
		mov	esi, [ebp+var_4]
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebx+esi], ax
		mov	eax, [ebp+arg_0]

loc_795B12:				; CODE XREF: PiGetRelatedDevice+14A612j
		mov	[eax], ebx
		mov	ebx, [ebp+var_8]

loc_795B17:				; CODE XREF: PiGetRelatedDevice+BAj
					; PiGetRelatedDevice+14A5C3j
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		test	ebx, ebx
		jz	short loc_795B2E
		mov	edx, 43706E50h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_795B2E:				; CODE XREF: PiGetRelatedDevice+9Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_795B37:				; CODE XREF: PiGetRelatedDevice+2Cj
					; PiGetRelatedDevice+3Dj ...
		mov	edi, 0C000000Eh
		jmp	short loc_795B17
; 

loc_795B3E:				; CODE XREF: PiGetRelatedDevice+59j
		mov	ecx, 2000h
		mov	edx, 1000h
		sub	eax, 1
		jnz	short loc_795BC0
		mov	esi, [esi+4]
		test	esi, esi
		jnz	short loc_795B8D

loc_795B54:				; CODE XREF: PiGetRelatedDevice+62j
					; PiGetRelatedDevice+113j ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceSharedLite

loc_795B6E:				; CODE XREF: PiGetRelatedDevice+158j
		test	esi, esi
		jnz	short loc_795B9C

loc_795B72:				; CODE XREF: PiGetRelatedDevice+13Cj
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_795AE6
; 

loc_795B8D:				; CODE XREF: PiGetRelatedDevice+D0j
		mov	eax, [esi+10Ch]
		test	eax, ecx
		jz	short loc_795B54
		jmp	loc_8E004A
; 

loc_795B9C:				; CODE XREF: PiGetRelatedDevice+EEj
		cmp	[esi+18h], edi
		jz	short loc_795BD8
		lea	ecx, [esi+14h]
		mov	edx, 43706E50h
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		test	eax, eax
		jz	short loc_795BD8
		mov	edx, 43706E50h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		jmp	short loc_795B72
; 

loc_795BC0:				; CODE XREF: PiGetRelatedDevice+C9j
		sub	eax, 1
		jnz	loc_8E0040

loc_795BC9:				; CODE XREF: PiGetRelatedDevice+14A5DDj
					; PiGetRelatedDevice+14A605j
		mov	esi, [esi]
		test	esi, esi
		jz	loc_795AE0
		jmp	loc_8E0064
; 

loc_795BD8:				; CODE XREF: PiGetRelatedDevice+11Dj
					; PiGetRelatedDevice+12Ej
		mov	esi, [esi]
		jmp	short loc_795B6E
PiGetRelatedDevice endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiControlGetRelatedDevice proc near	; DATA XREF: .text:00403B38o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E0099 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, [ebp+arg_4]
		xor	edx, edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		movzx	eax, word ptr [esi]
		mov	word ptr [ebp+var_C+2],	ax
		mov	word ptr [ebp+var_C], ax
		test	ax, ax
		jz	loc_8E00BE
		mov	ecx, 190h
		cmp	ax, cx
		ja	loc_8E00BE
		test	al, 1
		jnz	loc_8E00BE
		mov	ecx, [esi+0Ch]
		mov	[ebp+arg_4], edx
		mov	[ebp+var_8], edx
		test	ecx, ecx
		jz	short loc_795C31
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_795C31
		lea	edx, [eax+eax]

loc_795C31:				; CODE XREF: PiControlGetRelatedDevice+49j
					; PiControlGetRelatedDevice+50j
		push	ebx
		push	edi
		push	ecx
		push	[ebp+arg_C]
		lea	ecx, [ebp+arg_4]
		mov	[ebp+var_4], edx
		call	PiControlAllocateBufferForUserModeCaller
		mov	ebx, [ebp+arg_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_795CA2
		movzx	eax, word ptr [ebp+var_C]
		lea	ecx, [ebp+var_8]
		mov	edx, [esi+4]
		push	1
		push	[ebp+arg_C]
		push	2
		push	eax
		call	PiControlMakeUserModeCallersCopy
		mov	edi, eax
		test	edi, edi
		js	short loc_795CA2
		push	dword ptr [esi+8]
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		lea	ecx, [ebp+var_C]
		call	PiGetRelatedDevice
		mov	edi, eax
		test	ebx, ebx
		jz	short loc_795C9A
		mov	eax, [esi+10h]
		lea	ecx, [esi+0Ch]
		push	0
		push	[ebp+arg_C]
		add	eax, eax
		mov	edx, ebx
		push	2
		push	eax
		call	PiControlMakeUserModeCallersCopy
		test	eax, eax
		js	short loc_795CB5

loc_795C9A:				; CODE XREF: PiControlGetRelatedDevice+A1j
					; PiControlGetRelatedDevice+DBj
		mov	eax, [ebp+var_4]
		shr	eax, 1
		mov	[esi+10h], eax

loc_795CA2:				; CODE XREF: PiControlGetRelatedDevice+6Dj
					; PiControlGetRelatedDevice+8Aj
		cmp	byte ptr [ebp+arg_C], 0
		jnz	loc_8E0099

loc_795CAC:				; CODE XREF: PiControlGetRelatedDevice+14A4CFj
					; PiControlGetRelatedDevice+14A4DDj
		mov	eax, edi
		pop	edi
		pop	ebx

loc_795CB0:				; CODE XREF: PiControlGetRelatedDevice+14A4E7j
		pop	esi
		leave
		retn	10h
; 

loc_795CB5:				; CODE XREF: PiControlGetRelatedDevice+BCj
		mov	edi, eax
		jmp	short loc_795C9A
PiControlGetRelatedDevice endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnpAcquireDependencyRelationsLock(x)
_PnpAcquireDependencyRelationsLock@4 proc near ; CODE XREF: IoResolveDependency+10p
					; PnpDeleteAllDependencyRelations+Dp ...
		mov	edi, edi
		push	ebx
		mov	bl, cl
		xor	ecx, ecx
		call	PpDevNodeLockTree
		push	1
		push	offset _PiDependencyRelationsLock
		test	bl, bl
		jnz	short loc_795CD8
		call	ExAcquireResourceSharedLite
		pop	ebx
		retn
; 

loc_795CD8:				; CODE XREF: PnpAcquireDependencyRelationsLock(x)+15j
		call	ExAcquireResourceExclusiveLite
		pop	ebx
		retn
_PnpAcquireDependencyRelationsLock@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiControlGetSetDeviceStatus(int,int,size_t,int)
PiControlGetSetDeviceStatus proc near	; DATA XREF: .text:00403B58o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E00C8 SIZE 00000072 BYTES
; FUNCTION CHUNK AT 008E0174 SIZE 000000A2 BYTES
; FUNCTION CHUNK AT 008E023E SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		push	edi
		lea	edi, [esp+38h+var_10]
		xor	ecx, ecx
		stosd
		mov	ebx, ecx
		mov	[esp+38h+var_18], ecx
		mov	[esp+38h+var_14], ecx
		mov	[esp+38h+var_24], ecx
		stosd
		mov	[esp+38h+var_2C], ecx
		stosd
		stosd
		movzx	eax, word ptr [esi]
		mov	edi, ecx
		mov	[esp+38h+var_28], edi
		mov	word ptr [esp+38h+var_18+2], ax
		mov	word ptr [esp+38h+var_18], ax
		test	ax, ax
		jz	loc_8E024E
		mov	ecx, 190h
		cmp	ax, cx
		ja	loc_8E024E
		test	al, 1
		jnz	loc_8E024E
		mov	edx, [esi+4]
		lea	ecx, [esp+38h+var_14]
		push	1
		push	[ebp+arg_C]
		push	2
		push	eax
		call	PiControlMakeUserModeCallersCopy
		test	eax, eax
		js	loc_795DF5
		xor	ecx, ecx
		call	PpDevNodeLockTree
		mov	edx, 53706E50h
		lea	ecx, [esp+38h+var_18]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	[esp+38h+var_20], eax
		cmp	byte ptr [ebp+arg_C], bl
		jnz	loc_8E00C8

loc_795D7F:				; CODE XREF: PiControlGetSetDeviceStatus+14A3ECj
					; PiControlGetSetDeviceStatus+14A401j
		test	eax, eax
		jz	short loc_795D8C
		mov	eax, [eax+0B0h]
		mov	ebx, [eax+14h]

loc_795D8C:				; CODE XREF: PiControlGetSetDeviceStatus+A1j
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		test	ebx, ebx
		jz	short loc_795DFE
		cmp	ebx, _IopRootDeviceNode
		jz	short loc_795E0E

loc_795D9F:				; CODE XREF: PiControlGetSetDeviceStatus+131j
		mov	eax, [esi+14h]
		and	eax, 1
		mov	[esp+38h+var_1C], eax
		mov	eax, [esi+8]
		sub	eax, 0
		jnz	loc_8E00E6
		lea	edx, [esi+0Ch]
		mov	ecx, ebx
		call	PiControlGetUserFlagsFromDeviceNode
		mov	eax, [ebx+114h]
		mov	[esi+10h], eax
		mov	eax, [ebx+118h]
		mov	[esi+18h], eax
		xor	esi, esi

loc_795DD3:				; CODE XREF: PiControlGetSetDeviceStatus+14A453j
					; sub_8E013A+35j ...
		test	edi, edi
		jnz	short loc_795E1A

loc_795DD7:				; CODE XREF: PiControlGetSetDeviceStatus+141j
		mov	edi, [esp+38h+var_2C]

loc_795DDB:				; CODE XREF: PiControlGetSetDeviceStatus+123j
					; PiControlGetSetDeviceStatus+138j ...
		mov	eax, [esp+38h+var_20]
		test	eax, eax
		jz	short loc_795DEF
		mov	edx, 53706E50h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_795DEF:				; CODE XREF: PiControlGetSetDeviceStatus+101j
		test	esi, esi
		js	short loc_795E05

loc_795DF3:				; CODE XREF: PiControlGetSetDeviceStatus+127j
					; PiControlGetSetDeviceStatus+14A569j
		mov	eax, esi

loc_795DF5:				; CODE XREF: PiControlGetSetDeviceStatus+77j
					; PiControlGetSetDeviceStatus+14A573j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_795DFE:				; CODE XREF: PiControlGetSetDeviceStatus+B5j
		mov	esi, 0C000000Eh
		jmp	short loc_795DDB
; 

loc_795E05:				; CODE XREF: PiControlGetSetDeviceStatus+111j
		test	edi, edi
		jz	short loc_795DF3
		jmp	loc_8E023E
; 

loc_795E0E:				; CODE XREF: PiControlGetSetDeviceStatus+BDj
		cmp	[esi+8], edi
		jz	short loc_795D9F
		mov	esi, 0C0000022h
		jmp	short loc_795DDB
; 

loc_795E1A:				; CODE XREF: PiControlGetSetDeviceStatus+F5j
		mov	ecx, edi
		call	_PnpDeleteDeviceActionRequest@4	; PnpDeleteDeviceActionRequest(x)
		jmp	short loc_795DD7
PiControlGetSetDeviceStatus endp

; 
		align 4

;  S U B	R O U T	I N E 


PpDevNodeUnlockTree proc near		; CODE XREF: PnpUnlockDeviceActionQueue+5Bj
					; .text:0054F166p ...

; FUNCTION CHUNK AT 008E0258 SIZE 0000002A BYTES

		mov	edi, edi
		push	ecx
		sub	ecx, 0
		jnz	short loc_795E3D
		mov	ecx, offset _IopDeviceTreeLock

loc_795E31:				; CODE XREF: PpDevNodeUnlockTree+31j
		call	ExReleaseResourceLite

loc_795E36:				; CODE XREF: PpDevNodeUnlockTree+14A449j
					; PpDevNodeUnlockTree+14A459j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	ecx
		retn
; 

loc_795E3D:				; CODE XREF: PpDevNodeUnlockTree+6j
		sub	ecx, 1
		jnz	loc_8E0258

loc_795E46:				; CODE XREF: PpDevNodeUnlockTree+14A437j
					; PpDevNodeUnlockTree+14A440j
		mov	ecx, offset _IopDeviceTreeLock
		call	ExReleaseResourceLite
		mov	ecx, offset _PiEngineLock
		jmp	short loc_795E31
PpDevNodeUnlockTree endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDeviceObjectFromDeviceInstanceWithTag(x,	x)
_PnpDeviceObjectFromDeviceInstanceWithTag@8 proc near
					; CODE XREF: NtReplacePartitionUnit(x,x,x)+185p
					; NtReplacePartitionUnit(x,x,x)+1B4p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	[ebp+var_4], ecx
		mov	ebx, offset _PnpDeviceReferenceTableLock
		push	edi
		xor	esi, esi
		mov	ecx, ebx
		and	[ebp+var_8], esi
		mov	edi, edx
		call	ExAcquireFastMutex
		lea	eax, [ebp+var_8]
		push	eax
		push	offset _PnpDeviceReferenceTable
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		test	eax, eax
		jz	short loc_795EB6
		mov	esi, [eax]
		test	esi, esi
		jz	short loc_795EB6
		cmp	word ptr [esi],	3
		jnz	short loc_795EC4
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_795EC8
		cmp	[eax+10h], esi
		jnz	short loc_795EC8

loc_795EA9:				; CODE XREF: PnpDeviceObjectFromDeviceInstanceWithTag(x,x)+72j
		test	esi, esi
		jz	short loc_795EB6
		mov	edx, edi
		mov	ecx, esi
		call	ObfReferenceObjectWithTag

loc_795EB6:				; CODE XREF: PnpDeviceObjectFromDeviceInstanceWithTag(x,x)+31j
					; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)+37j ...
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_795EC4:				; CODE XREF: PnpDeviceObjectFromDeviceInstanceWithTag(x,x)+3Dj
		xor	esi, esi
		jmp	short loc_795EB6
; 

loc_795EC8:				; CODE XREF: PnpDeviceObjectFromDeviceInstanceWithTag(x,x)+4Aj
					; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)+4Fj
		xor	esi, esi
		jmp	short loc_795EA9
_PnpDeviceObjectFromDeviceInstanceWithTag@8 endp


;  S U B	R O U T	I N E 


PpDevNodeLockTree proc near		; CODE XREF: PnpLockDeviceActionQueue+Fp
					; .text:0054EEE2p ...

; FUNCTION CHUNK AT 008E0282 SIZE 00000090 BYTES

		mov	eax, large fs:124h
		push	ebx
		xor	ebx, ebx
		push	esi
		inc	ebx
		dec	word ptr [eax+13Ch]
		push	edi
		nop
		sub	ecx, 0
		jnz	short loc_795EF6

loc_795EE5:				; CODE XREF: PpDevNodeLockTree+3Ej
					; PpDevNodeLockTree+14A434j
		push	ebx
		push	offset _IopDeviceTreeLock
		call	ExAcquireResourceSharedLite

loc_795EF0:				; CODE XREF: PpDevNodeLockTree+14A3C3j
					; PpDevNodeLockTree+14A3D9j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_795EF6:				; CODE XREF: PpDevNodeLockTree+17j
		sub	ecx, 1
		jnz	loc_8E0282
		push	ebx
		push	offset _PiEngineLock
		call	ExAcquireResourceExclusiveLite
		jmp	short loc_795EE5
PpDevNodeLockTree endp


;  S U B	R O U T	I N E 


PiControlGetUserFlagsFromDeviceNode proc near ;	CODE XREF: PiControlGetSetDeviceStatus+DAp

; FUNCTION CHUNK AT 008E0312 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	_PipAreDriversLoaded@4 ; PipAreDriversLoaded(x)
		neg	eax
		mov	ecx, edi
		sbb	esi, esi
		and	esi, 2
		add	esi, 1800000h
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		test	eax, eax
		jz	short loc_795F35
		or	esi, 8

loc_795F35:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+24j
		mov	ecx, [edi+18h]
		call	__CmIsRootEnumeratedDevice@4 ; _CmIsRootEnumeratedDevice(x)
		test	al, al
		jnz	loc_795FD5

loc_795F45:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+CCj
		test	byte ptr [edi+170h], 10h
		mov	edx, 4000h
		jnz	loc_795FDD

loc_795F57:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+D3j
		mov	eax, [edi+110h]
		test	al, 1
		jnz	loc_8E0312

loc_795F65:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+14A40Cj
		test	al, 2
		jnz	short loc_795FCD

loc_795F69:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+C7j
		test	al, 40h
		jnz	loc_8E031D

loc_795F71:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+14A417j
		test	al, 4
		jnz	loc_8E0328

loc_795F79:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+14A422j
		mov	ecx, [edi+10Ch]
		test	ecx, edx
		jnz	loc_8E0333

loc_795F87:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+14A42Dj
		test	ecx, 2000h
		jnz	short loc_795FE4

loc_795F8F:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+DEj
		test	ecx, 100000h
		jnz	short loc_795FEC

loc_795F97:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+E3j
		mov	edx, 1000h
		test	ecx, edx
		jnz	short loc_795FF1

loc_795FA0:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+E7j
		mov	edx, 200h
		test	ecx, 200000h
		jnz	short loc_795FF5

loc_795FAD:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+EBj
		cmp	dword ptr [edi+184h], 0
		jnz	short loc_795FBC
		or	esi, 2000h

loc_795FBC:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+A8j
		test	eax, 100h
		jnz	short loc_795FF9

loc_795FC3:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+F3j
		test	eax, edx
		jnz	short loc_796001

loc_795FC7:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+FBj
		pop	edi
		mov	[ebx], esi
		pop	esi
		pop	ebx
		retn
; 

loc_795FCD:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+5Bj
		or	esi, 40000000h
		jmp	short loc_795F69
; 

loc_795FD5:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+33j
		or	esi, 1
		jmp	loc_795F45
; 

loc_795FDD:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+45j
		or	esi, edx
		jmp	loc_795F57
; 

loc_795FE4:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+81j
		or	esi, 400h
		jmp	short loc_795F8F
; 

loc_795FEC:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+89j
		or	esi, 40h
		jmp	short loc_795F97
; 

loc_795FF1:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+92j
		or	esi, edx
		jmp	short loc_795FA0
; 

loc_795FF5:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+9Fj
		or	esi, edx
		jmp	short loc_795FAD
; 

loc_795FF9:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+B5j
		or	esi, 10000h
		jmp	short loc_795FC3
; 

loc_796001:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+B9j
		or	esi, 20000h
		jmp	short loc_795FC7
PiControlGetUserFlagsFromDeviceNode endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmIsRootEnumeratedDevice(x)
__CmIsRootEnumeratedDevice@4 proc near	; CODE XREF: PiControlGetUserFlagsFromDeviceNode+2Cp
					; PiPnpRtlSetObjectProperty+A1596p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	ecx
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_796039
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	offset dword_401164
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		leave
		retn
; 

loc_796039:				; CODE XREF: _CmIsRootEnumeratedDevice(x)+1Bj
		xor	al, al
		leave
		retn
__CmIsRootEnumeratedDevice@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 858. IoGetDeviceProperty

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoGetDeviceProperty
IoGetDeviceProperty proc near		; CODE XREF: PoStoreRequester(x,x,x,x)+164p
					; PoStoreRequester(x,x,x,x)+206p ...

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008E033E SIZE 000000E0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		push	edi
		mov	[esp+80h+var_70], eax
		lea	edi, [esp+80h+var_58]
		xor	eax, eax
		mov	[esp+80h+var_68], ecx
		stosd
		push	40h		; size_t
		push	0		; int
		mov	[esp+88h+var_6C], ebx
		stosd
		stosd
		stosd
		lea	eax, [esp+88h+var_48]
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		mov	edi, [esp+8Ch+var_68]
		add	esp, 0Ch
		and	ecx, 0FFFh
		mov	[esp+80h+var_5C], edx
		mov	[esp+80h+var_64], edx
		mov	[esp+80h+var_60], edx
		mov	[ebx], edx
		test	edi, edi
		jz	loc_8E0414
		mov	eax, [edi+0B0h]
		mov	esi, [eax+14h]
		test	esi, esi
		jz	loc_8E03F9
		test	dword ptr [esi+10Ch], 20000h
		jnz	loc_8E03F9
		cmp	ecx, 16h	; switch 23 cases
		ja	loc_8E03EF	; default
		jmp	ds:off_796472[ecx*4] ; switch jump

loc_7960E1:				; DATA XREF: PAGE:00796476o
		push	2		; case 0x1

loc_7960E3:				; CODE XREF: IoGetDeviceProperty+3D7j
		pop	ecx
		push	7

loc_7960E6:				; CODE XREF: IoGetDeviceProperty+145j
		pop	edx

loc_7960E7:				; CODE XREF: IoGetDeviceProperty+EAj
					; IoGetDeviceProperty+F1j
		cmp	dword ptr [esi+18h], 0
		jz	loc_8E0414
		mov	edi, [esp+80h+var_70]
		mov	eax, [ebp+arg_8]
		push	ebx
		push	edi
		push	ecx
		mov	[ebx], eax
		mov	ecx, [esi+18h]
		push	edx
		call	PiGetDeviceRegProperty
		mov	ebx, eax
		cmp	ebx, 0C0000225h

loc_79610E:				; CODE XREF: IoGetDeviceProperty+14A372j
		jz	short loc_79617B

loc_796110:				; CODE XREF: IoGetDeviceProperty+111j
					; IoGetDeviceProperty+137j ...
		mov	ecx, [esp+80h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_796126:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:0079648Eo
		push	0Ah		; case 0x7

loc_796128:				; CODE XREF: IoGetDeviceProperty+322j
					; IoGetDeviceProperty+415j ...
		xor	edx, edx
		inc	edx
		pop	ecx
		jmp	short loc_7960E7
; 

loc_79612E:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:off_796472o
		xor	ecx, ecx	; case 0x0
		inc	ecx
		mov	edx, ecx
		jmp	short loc_7960E7
; 

loc_796135:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:007964BEo
		push	4		; case 0x13
		pop	edi
		mov	[ebx], edi
		cmp	[ebp+arg_8], edi
		jb	loc_796358
		mov	edi, [esp+80h+var_70]
		mov	dl, 1
		push	edi
		mov	ecx, esi
		call	PpHotSwapGetDevnodeRemovalPolicy

loc_796151:				; CODE XREF: IoGetDeviceProperty+295j
					; IoGetDeviceProperty+40Ej
		xor	ebx, ebx
		jmp	short loc_796110
; 

loc_796155:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:007964AAo
		cmp	[esi+138h], edx	; case 0xE
		jl	short loc_79617B
		push	4
		pop	edi
		mov	[ebx], edi
		cmp	[ebp+arg_8], edi
		jb	loc_796358
		mov	eax, [esi+138h]

loc_796171:				; CODE XREF: IoGetDeviceProperty+167j
		mov	edi, [esp+80h+var_70]
		mov	[edi], eax

loc_796177:				; CODE XREF: IoGetDeviceProperty+3E4j
		mov	ebx, edx
		jmp	short loc_796110
; 

loc_79617B:				; CODE XREF: IoGetDeviceProperty:loc_79610Ej
					; IoGetDeviceProperty+119j ...
		mov	ebx, 0C0000034h
		jmp	short loc_796110
; 

loc_796182:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:007964B6o
		push	11h		; case 0x11
		pop	ecx
		push	4
		jmp	loc_7960E6
; 

loc_79618C:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:007964A6o
		cmp	dword ptr [esi+134h], 0FFFFFFFFh ; case	0xD
		jz	short loc_79617B
		push	4
		pop	edi
		mov	[ebx], edi
		cmp	[ebp+arg_8], edi
		jb	loc_796358
		mov	eax, [esi+134h]
		jmp	short loc_796171
; 

loc_7961AB:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:0079649Eo
		mov	eax, [ebp+arg_8] ; case	0xB
		add	eax, 8
		push	6F697050h
		push	eax
		push	1
		mov	[esp+8Ch+var_64], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8E033E
		push	0
		push	ebx
		push	[esp+88h+var_64]
		mov	edx, esi
		mov	ecx, edi
		call	ObQueryNameStringMode
		mov	ebx, eax
		mov	edx, 0C0000023h
		cmp	ebx, 0C0000004h
		jz	loc_796315

loc_7961EF:				; CODE XREF: IoGetDeviceProperty+2D5j
		mov	ecx, [esp+80h+var_6C]
		test	ebx, ebx
		js	loc_79631C
		movzx	eax, word ptr [esi]
		test	ax, ax
		jz	loc_8E0348
		add	eax, 2
		mov	[ecx], eax
		cmp	eax, [ebp+arg_8]
		ja	loc_8E0350
		movzx	eax, word ptr [esi]
		mov	edi, [esp+80h+var_70]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		push	edi		; void *
		call	_memcpy
		movzx	eax, word ptr [esi]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[eax+edi], cx

loc_796232:				; CODE XREF: IoGetDeviceProperty+2DDj
					; IoGetDeviceProperty+14A309j ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_796110
; 

loc_79623F:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:007964C6o
		mov	ecx, offset _PiResourceListLock	; case 0x15
		call	ExAcquireFastMutex
		mov	ecx, [esi+11Ch]
		test	ecx, ecx
		jz	loc_8E03E7
		mov	eax, [esi+120h]
		mov	[esp+80h+var_68], eax
		test	eax, eax
		jz	loc_8E03E7
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		mov	ecx, [esp+80h+var_68]
		mov	edi, eax
		mov	[esp+80h+var_6C], edi
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		mov	[esp+80h+var_68], eax
		lea	ecx, [eax+edi]
		mov	[ebx], ecx
		cmp	ecx, [ebp+arg_8]
		jbe	loc_796324

loc_79628F:				; CODE XREF: IoGetDeviceProperty+14A392j
		mov	ebx, 0C0000023h

loc_796294:				; CODE XREF: IoGetDeviceProperty+311j
		mov	ecx, offset _PiResourceListLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_796110
; 

loc_7962A3:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:007964B2o
		lea	edx, [esp+80h+var_48] ;	case 0x10
		mov	ecx, edi
		call	_PpIrpQueryCapabilities@8 ; PpIrpQueryCapabilities(x,x)
		test	eax, eax
		js	loc_79617B
		mov	eax, [esp+80h+var_40]
		cmp	eax, 0FFFFFFFFh
		jz	loc_79617B
		push	4
		pop	edi
		mov	[ebx], edi
		cmp	[ebp+arg_8], edi
		jb	loc_796358
		mov	edi, [esp+80h+var_70]
		mov	[edi], eax
		jmp	loc_796151
; 

loc_7962DC:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:007964A2o
		mov	cx, [esi+13Ch]	; case 0xC
		lea	edx, [esp+80h+var_58]
		call	_PnpBusTypeGuidGet@8 ; PnpBusTypeGuidGet(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_796110
		mov	ecx, [esp+80h+var_6C]
		push	10h
		pop	eax
		mov	[ecx], eax
		cmp	[ebp+arg_8], eax
		jb	short loc_796358
		mov	edi, [esp+80h+var_70]
		lea	esi, [esp+80h+var_58]
		movsd
		movsd
		movsd
		movsd
		jmp	loc_796110
; 

loc_796315:				; CODE XREF: IoGetDeviceProperty+1A7j
		mov	ebx, edx
		jmp	loc_7961EF
; 

loc_79631C:				; CODE XREF: IoGetDeviceProperty+1B3j
		add	dword ptr [ecx], 0FFFFFFF8h
		jmp	loc_796232
; 

loc_796324:				; CODE XREF: IoGetDeviceProperty+247j
		push	edi		; size_t
		push	dword ptr [esi+11Ch] ; void *
		mov	edi, [esp+88h+var_70]
		push	edi		; void *
		call	_memcpy
		mov	eax, [esp+8Ch+var_6C]
		add	esp, 0Ch
		add	eax, edi
		push	[esp+80h+var_68] ; size_t
		push	dword ptr [esi+120h] ; void *
		push	eax		; void *

loc_796349:				; CODE XREF: IoGetDeviceProperty+14A3A0j
		call	_memcpy
		add	esp, 0Ch

loc_796351:				; CODE XREF: IoGetDeviceProperty+14A3A8j
		xor	ebx, ebx
		jmp	loc_796294
; 

loc_796358:				; CODE XREF: IoGetDeviceProperty+FBj
					; IoGetDeviceProperty+123j ...
		mov	ebx, 0C0000023h
		jmp	loc_796110
; 

loc_796362:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:007964AEo
		push	17h		; case 0xF
		jmp	loc_796128
; 

loc_796369:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:007964BAo
		push	4		; case 0x12
		pop	edi
		cmp	esi, _IopRootDeviceNode
		jz	loc_8E0389
		cmp	[esi+18h], edx
		jz	loc_8E0414

loc_796381:				; CODE XREF: IoGetDeviceProperty+3B1j
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+80h+var_64]
		push	edx
		push	eax
		lea	eax, [esp+88h+var_5C]
		mov	[esp+88h+var_64], edi
		push	eax
		lea	eax, [esp+8Ch+var_60]
		push	eax
		push	0Bh
		push	edx
		mov	edx, [esi+18h]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_79646A
		cmp	[esp+80h+var_60], edi
		jnz	loc_79646A
		cmp	[esp+80h+var_64], edi
		jnz	loc_79646A
		mov	eax, [esp+80h+var_5C]
		test	al, 20h
		jnz	loc_8E0392
		test	al, 40h
		jnz	loc_8E039A
		and	eax, 400h
		neg	eax
		sbb	eax, eax
		and	eax, 3

loc_7963E4:				; CODE XREF: IoGetDeviceProperty+14A353j
					; IoGetDeviceProperty+14A35Bj
		mov	esi, [esi+8]
		test	eax, eax
		jnz	short loc_7963F5
		push	eax
		pop	edx
		cmp	esi, _IopRootDeviceNode
		jnz	short loc_796381

loc_7963F5:				; CODE XREF: IoGetDeviceProperty+3A7j
					; IoGetDeviceProperty+42Bj
		test	ebx, ebx
		js	loc_8E03A2

loc_7963FD:				; CODE XREF: IoGetDeviceProperty+14A34Bj
		mov	ecx, [esp+80h+var_6C]
		mov	[ecx], edi
		cmp	[ebp+arg_8], edi
		jb	loc_796358
		mov	edi, [esp+80h+var_70]
		mov	[edi], eax
		jmp	loc_796110
; 

loc_796417:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:0079647Ao
		push	3		; case 0x2
		jmp	loc_7960E3
; 

loc_79641E:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:00796482o
		mov	ecx, [esi+16Ch]	; case 0x4
		test	ecx, ecx
		jz	loc_796177
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		mov	[ebx], eax
		cmp	eax, [ebp+arg_8]
		ja	loc_796358
		mov	edi, [esp+80h+var_70]
		push	eax		; size_t
		push	dword ptr [esi+16Ch] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_796151
; 

loc_796455:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:00796486o
		push	8		; case 0x5
		jmp	loc_796128
; 

loc_79645C:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:0079648Ao
		push	9		; case 0x6
		jmp	loc_796128
; 

loc_796463:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:00796496o
		push	0Dh		; case 0x9
		jmp	loc_796128
; 

loc_79646A:				; CODE XREF: IoGetDeviceProperty+368j
					; IoGetDeviceProperty+372j ...
		push	2
		pop	eax
		jmp	short loc_7963F5
IoGetDeviceProperty endp

; 
		db 8Dh
		db 49h,	0
off_796472	dd offset loc_79612E	; DATA XREF: IoGetDeviceProperty+98r
					; jump table for switch	statement
		dd offset loc_7960E1	; case 0x1
		dd offset loc_796417	; case 0x2
		dd offset loc_8E0365	; case 0x3
		dd offset loc_79641E	; case 0x4
		dd offset loc_796455	; case 0x5
		dd offset loc_79645C	; case 0x6
		dd offset loc_796126	; case 0x7
		dd offset loc_8E0382	; case 0x8
		dd offset loc_796463	; case 0x9
		dd offset loc_8E0357	; case 0xA
		dd offset loc_7961AB	; case 0xB
		dd offset loc_7962DC	; case 0xC
		dd offset loc_79618C	; case 0xD
		dd offset loc_796155	; case 0xE
		dd offset loc_796362	; case 0xF
		dd offset loc_7962A3	; case 0x10
		dd offset loc_796182	; case 0x11
		dd offset loc_796369	; case 0x12
		dd offset loc_796135	; case 0x13
		dd offset loc_8E03B9	; case 0x14
		dd offset loc_79623F	; case 0x15
		dd offset loc_8E035E	; case 0x16

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiGetDeviceRegProperty proc near	; CODE XREF: IoGetDeviceProperty+BFp
					; IopPnPDispatch+249p ...

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_59		= byte ptr -59h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E041E SIZE 000000E8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_C]
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_68], eax
		mov	edx, ecx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_6C], eax
		mov	[ebp+var_59], al
		mov	eax, [ebx]
		push	0
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	ecx
		lea	eax, [ebp+var_68]
		mov	[ebp+var_78], ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	[ebp+arg_4]
		mov	[ebp+var_74], edx
		push	0
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+arg_0]
		cmp	eax, 1
		jz	short loc_796559
		test	esi, esi
		jns	short loc_796534

loc_79652A:				; CODE XREF: PiGetDeviceRegProperty+71j
		cmp	esi, 0C0000023h
		jnz	short loc_796546
		jmp	short loc_796541
; 

loc_796534:				; CODE XREF: PiGetDeviceRegProperty+5Aj
		cmp	[ebp+var_68], eax
		jnz	loc_8E041E

loc_79653D:				; CODE XREF: PiGetDeviceRegProperty+149F55j
		test	esi, esi
		js	short loc_79652A

loc_796541:				; CODE XREF: PiGetDeviceRegProperty+64j
		mov	eax, [ebp+var_64]
		mov	[ebx], eax

loc_796546:				; CODE XREF: PiGetDeviceRegProperty+62j
					; PiGetDeviceRegProperty+124j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi

loc_79654B:				; DATA XREF: PAGEVRFY:00A56322o
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_796559:				; CODE XREF: PiGetDeviceRegProperty+56j
		test	esi, esi
		js	loc_79661D
		cmp	[ebp+var_68], 1
		jnz	loc_8E0428

loc_79656B:				; CODE XREF: PiGetDeviceRegProperty+155j
		push	6F697050h
		push	[ebp+var_64]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8E0432
		cmp	esi, 0C0000023h
		jz	loc_79662E
		push	[ebp+var_64]	; size_t
		push	[ebp+var_78]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_79659F:				; CODE XREF: PiGetDeviceRegProperty+18Cj
		mov	edx, [ebp+var_64]
		lea	eax, [ebp+var_70]
		push	eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_60], edi
		push	eax
		mov	ecx, edi
		mov	[ebp+var_70], edx
		mov	[ebp+var_74], edi
		call	PnpFindAlternateStringData
		test	eax, eax
		mov	eax, [ebp+var_60]
		jnz	short loc_7965F7

loc_7965C1:				; CODE XREF: PiGetDeviceRegProperty+148j
					; PiGetDeviceRegProperty+149F94j ...
		mov	edx, [ebx]
		mov	ecx, [ebp+var_70]
		cmp	edx, ecx
		jb	loc_796665
		cmp	[ebp+var_6C], 0
		jnz	loc_8E04D5
		push	ecx		; size_t
		push	eax		; void *
		push	[ebp+var_78]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_7965E5:				; CODE XREF: PiGetDeviceRegProperty+14A033j
		mov	ecx, [ebp+var_70]

loc_7965E8:				; CODE XREF: PiGetDeviceRegProperty+19Cj
					; PiGetDeviceRegProperty+14A012j
		mov	[ebx], ecx

loc_7965EA:				; CODE XREF: PiGetDeviceRegProperty+149F74j
					; PiGetDeviceRegProperty+149F7Fj ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_796546
; 

loc_7965F7:				; CODE XREF: PiGetDeviceRegProperty+F1j
		push	offset ??_C@_15EFAGCOOD@?$AA?$DL?$AA?$CI@NNGAKEGL@ ; wchar_t *
		push	eax		; wchar_t *
		mov	[ebp+var_74], eax
		call	_wcsstr
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_70]
		mov	edx, eax
		mov	eax, [ebp+var_60]
		shr	ecx, 1
		mov	[ebp+var_6C], edx
		test	edx, edx
		jz	short loc_7965C1
		jmp	loc_8E045C
; 

loc_79661D:				; CODE XREF: PiGetDeviceRegProperty+8Dj
		cmp	esi, 0C0000023h
		jz	loc_79656B
		jmp	loc_796546
; 

loc_79662E:				; CODE XREF: PiGetDeviceRegProperty+BCj
		mov	edx, [ebp+var_74]
		lea	eax, [ebp+var_64]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		push	edi
		lea	eax, [ebp+var_68]
		push	eax
		push	[ebp+arg_4]
		push	0
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E043C
		cmp	[ebp+var_68], 1
		jz	loc_79659F
		jmp	loc_8E0452
; 

loc_796665:				; CODE XREF: PiGetDeviceRegProperty+FAj
		mov	esi, 0C0000023h
		jmp	loc_7965E8
PiGetDeviceRegProperty endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpFindAlternateStringData proc	near	; CODE XREF: PiGetDeviceRegProperty+E7p
					; PiProcessNewDeviceNode+A6Dp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E0506 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		cmp	edi, 2
		jbe	short loc_796688
		cmp	word ptr [esi],	40h
		jz	short loc_796691

loc_796688:				; CODE XREF: PnpFindAlternateStringData+10j
					; PnpFindAlternateStringData+35j ...
		xor	eax, eax

loc_79668A:				; CODE XREF: PnpFindAlternateStringData+7Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_796691:				; CODE XREF: PnpFindAlternateStringData+16j
		mov	eax, edi
		lea	edx, [esi+2]
		shr	eax, 1
		xor	ebx, ebx
		lea	ecx, [esi+eax*2]
		lea	eax, [esi+4]
		mov	[ebp+var_4], ecx
		cmp	eax, ecx
		jnb	short loc_796688
		lea	ecx, [esi+4]

loc_7966AA:				; CODE XREF: PnpFindAlternateStringData+55j
		movzx	eax, word ptr [edx]
		test	ax, ax
		jz	short loc_796688
		cmp	eax, 2Ch
		jz	short loc_7966C9
		cmp	eax, 3Bh
		jz	short loc_7966D6

loc_7966BC:				; CODE XREF: PnpFindAlternateStringData+64j
		add	ecx, 2
		add	edx, 2
		cmp	ecx, [ebp+var_4]
		jb	short loc_7966AA
		jmp	short loc_796688
; 

loc_7966C9:				; CODE XREF: PnpFindAlternateStringData+45j
		movzx	eax, word ptr [ecx]
		cmp	eax, 25h
		jnz	short loc_7966F0

loc_7966D1:				; CODE XREF: PnpFindAlternateStringData+83j
					; PnpFindAlternateStringData+149E99j
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_7966BC
; 

loc_7966D6:				; CODE XREF: PnpFindAlternateStringData+4Aj
		test	ebx, ebx
		jz	short loc_796688
		mov	ecx, [ebp+arg_0]
		add	edx, 2
		sub	esi, edx
		xor	eax, eax
		add	esi, edi
		inc	eax
		mov	[ecx], edx
		mov	ecx, [ebp+arg_4]
		mov	[ecx], esi
		jmp	short loc_79668A
; 

loc_7966F0:				; CODE XREF: PnpFindAlternateStringData+5Fj
		cmp	eax, 23h
		jz	short loc_7966D1
		jmp	loc_8E0506
PnpFindAlternateStringData endp


;  S U B	R O U T	I N E 


IopGetLegacyVetoListDeviceNode proc near ; CODE	XREF: IoGetLegacyVetoList+66p
					; IopGetLegacyVetoListDeviceNode+28p

; FUNCTION CHUNK AT 008E0514 SIZE 00000029 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	dword ptr [esi+170h], 8000h
		jnz	loc_8E0514

loc_796712:				; CODE XREF: IopGetLegacyVetoListDeviceNode+149E3Ej
		mov	esi, [esi+4]

loc_796715:				; CODE XREF: IopGetLegacyVetoListDeviceNode+33j
		test	esi, esi
		jnz	short loc_79671E
		mov	al, 1

loc_79671B:				; CODE XREF: IopGetLegacyVetoListDeviceNode+37j
		pop	edi
		pop	esi
		retn
; 

loc_79671E:				; CODE XREF: IopGetLegacyVetoListDeviceNode+1Dj
		mov	edx, edi
		mov	ecx, esi
		call	IopGetLegacyVetoListDeviceNode
		test	al, al
		jz	short loc_79672F
		mov	esi, [esi]
		jmp	short loc_796715
; 

loc_79672F:				; CODE XREF: IopGetLegacyVetoListDeviceNode+2Fj
					; IopGetLegacyVetoListDeviceNode+149E26j ...
		xor	al, al
		jmp	short loc_79671B
IopGetLegacyVetoListDeviceNode endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PiGetDeviceDepth(x,	x)
_PiGetDeviceDepth@8 proc near		; CODE XREF: PiControlGetDeviceDepth+4Ep
					; PiCMGetDeviceDepth(x,x,x,x,x,x)+7Ap
		mov	edi, edi
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		and	dword ptr [ebx], 0
		mov	edi, 0C000000Eh
		call	PpDevNodeLockTree
		mov	edx, 43706E50h
		mov	ecx, esi
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_79677C
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_796772
		mov	eax, [eax+54h]
		xor	edi, edi
		mov	[ebx], eax

loc_796772:				; CODE XREF: PiGetDeviceDepth(x,x)+35j
		mov	edx, 43706E50h
		call	ObfDereferenceObjectWithTag

loc_79677C:				; CODE XREF: PiGetDeviceDepth(x,x)+28j
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_PiGetDeviceDepth@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopIdleCheckForUserInput()
_PopIdleCheckForUserInput@0 proc near	; CODE XREF: PopPolicySystemIdle()+49p
		mov	eax, 0FFDF02E4h
		mov	eax, [eax]
		cmp	eax, dword_6C22B0
		jnz	short loc_79679C
		xor	al, al
		retn
; 

loc_79679C:				; CODE XREF: PopIdleCheckForUserInput()+Dj
		xor	ecx, ecx
		mov	dword_6C22B0, eax
		inc	ecx
		call	_PopResetIdleTime@4 ; PopResetIdleTime(x)
		mov	al, 1
		retn
_PopIdleCheckForUserInput@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopInvokeWin32Callout proc near		; CODE XREF: PopGetConsoleDisplayRequestCount()+6Ep
					; ExSetResourceOwnerPointer+55p ...

var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E053D SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_18], edx
		push	edi		; struct _exception *
		push	38h		; size_t
		mov	esi, eax
		mov	[ebp+var_10], eax
		push	eax		; int
		mov	bl, al
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_54]
		push	eax		; void *
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_8], esi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_54], 15h
		lea	eax, [ebp+var_4]
		push	4
		push	eax
		push	38h
		lea	eax, [ebp+var_54]
		push	eax
		push	57h
		call	_ZwPowerInformation@20 ; ZwPowerInformation(x,x,x,x,x)
		test	eax, eax
		js	loc_796933
		xor	ecx, ecx
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	esi, [ebp+arg_0]
		mov	edi, eax

loc_79680C:				; CODE XREF: PopInvokeWin32Callout+149j
		test	edi, edi
		jz	short loc_796827
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	ecx, [edi+180h]
		cmp	[ecx+2450h], eax
		jnz	loc_8E053D

loc_796827:				; CODE XREF: PopInvokeWin32Callout+62j
		mov	eax, [ebp+arg_0]
		cmp	eax, 2
		jz	loc_79693C

loc_796833:				; CODE XREF: PopInvokeWin32Callout+192j
		mov	[ebp+var_14], eax
		mov	bl, 1
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_8E0563
		mov	eax, [eax]
		mov	[ebp+var_C], eax

loc_79684B:				; CODE XREF: PopInvokeWin32Callout+1BAj
					; PopInvokeWin32Callout+1C2j ...
		mov	esi, [ebp+var_4]
		test	esi, esi
		jz	short loc_7968AA
		push	38h		; size_t
		lea	eax, [ebp+var_54]
		push	0		; int
		push	eax		; void *
		call	_memset
		imul	eax, _PopWin32kCalloutWatchdogTimeoutSeconds, 3E8h
		add	esp, 0Ch
		mov	[ebp+var_54], 15h
		mov	[ebp+var_4C], esi
		mov	[ebp+var_40], 1A1h
		push	0
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_44], eax
		mov	eax, large fs:124h
		push	0
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_54]
		push	38h
		push	eax
		push	57h
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], offset _PopWin32CalloutWatchdogCallbackLiveDump@24 ; PopWin32CalloutWatchdogCallbackLiveDump(x,x,x,x,x,x)
		call	_ZwPowerInformation@20 ; ZwPowerInformation(x,x,x,x,x)

loc_7968AA:				; CODE XREF: PopInvokeWin32Callout+A4j
		push	[ebp+var_8]
		push	[ebp+var_14]
		push	[ebp+var_18]
		push	[ebp+var_1C]
		call	PsInvokeWin32Callout
		mov	esi, [ebp+var_4]
		mov	[ebp+var_8], eax
		test	esi, esi
		jz	short loc_7968F0
		push	38h		; size_t
		lea	eax, [ebp+var_54]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_54], 15h
		lea	eax, [ebp+var_54]
		mov	[ebp+var_4C], esi
		push	0
		push	0
		push	38h
		push	eax
		push	57h
		call	_ZwPowerInformation@20 ; ZwPowerInformation(x,x,x,x,x)

loc_7968F0:				; CODE XREF: PopInvokeWin32Callout+117j
		mov	esi, [ebp+arg_0]

loc_7968F3:				; CODE XREF: PopInvokeWin32Callout+149DA1j
					; PopInvokeWin32Callout+149DB2j
		test	bl, bl
		jz	loc_79680C
		mov	esi, [ebp+var_4]
		test	esi, esi
		jz	short loc_796930
		push	38h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_54]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_54], 15h
		lea	eax, [ebp+var_54]
		mov	[ebp+var_4C], esi
		mov	[ebp+var_20], 1
		push	ebx
		push	ebx
		push	38h
		push	eax
		push	57h
		call	_ZwPowerInformation@20 ; ZwPowerInformation(x,x,x,x,x)

loc_796930:				; CODE XREF: PopInvokeWin32Callout+154j
		mov	esi, [ebp+var_8]

loc_796933:				; CODE XREF: PopInvokeWin32Callout+4Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_79693C:				; CODE XREF: PopInvokeWin32Callout+81j
		test	edi, edi
		jz	loc_796833
		mov	ecx, edi
		mov	[ebp+var_14], 1
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		mov	[ebp+var_10], eax
		mov	ecx, edi
		lea	eax, [ebp+var_10]
		mov	[ebp+var_8], eax
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_79684B
		mov	bl, 1
		jmp	loc_79684B
PopInvokeWin32Callout endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall TtmIsEnabled()
_TtmIsEnabled@0	proc near		; CODE XREF: PopGetConsoleDisplayRequestCount()+2Ep
					; PopPowerSourceChangeCallback+DCp ...
		cmp	ds:_TtmpEnabled, 1
		setz	al
		retn
_TtmIsEnabled@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPolicyWorkerNotify()
_PopPolicyWorkerNotify@0 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, offset _PopNotifyEvents

loc_79698F:				; CODE XREF: PopPolicyWorkerNotify()+58j
		xor	esi, esi
		xchg	esi, [ebx]
		test	esi, esi
		jz	short loc_7969DA

loc_796997:				; CODE XREF: PopPolicyWorkerNotify()+40j
		and	[ebp+var_4], 0
		bsf	eax, esi
		btr	esi, eax
		mov	ecx, ds:_PopNotifyWork[eax*8]
		test	ecx, ecx
		jz	short loc_7969BE
		push	ds:dword_403CA4[eax*8]
		call	ecx ; PopDispatchFullWake(x) ; PopDispatchFullWake(x)
		call	_KeAreApcsDisabled@0 ; KeAreApcsDisabled()
		test	al, al
		jnz	short loc_7969E0

loc_7969BE:				; CODE XREF: PopPolicyWorkerNotify()+2Aj
		test	esi, esi
		jnz	short loc_796997
		or	[ebp+var_8], 0FFFFFFFFh
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		push	esi
		mov	[ebp+var_C], 0FFFE7960h
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	short loc_79698F
; 

loc_7969DA:				; CODE XREF: PopPolicyWorkerNotify()+15j
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
; 

loc_7969E0:				; CODE XREF: PopPolicyWorkerNotify()+3Cj
		push	20h
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PopPolicyWorkerNotify@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDispatchPowerSettingCallbacks proc near ; DATA XREF:	.text:00403CC8o

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E056C SIZE 000000C3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	edi
		xor	cl, cl
		call	PopIncrementPowerSettingPendingUpdates
		mov	cl, 1
		call	PopDecrementPowerSettingPendingUpdates
		mov	eax, dword_6C2D0C
		mov	ecx, offset _PopSettingLock
		mov	[ebp+var_4], eax
		call	ExAcquireFastMutex
		mov	edi, _PopPowerSettings
		cmp	edi, offset _PopPowerSettings
		jz	short loc_796A88
		push	ebx
		push	esi

loc_796A1E:				; CODE XREF: PopDispatchPowerSettingCallbacks+95j
		lea	ebx, [edi+8]
		mov	esi, [ebx]

loc_796A23:				; CODE XREF: PopDispatchPowerSettingCallbacks+75j
					; PopDispatchPowerSettingCallbacks+149B88j
		cmp	esi, ebx
		jz	short loc_796A5D
		cmp	byte ptr [esi+44h], 0
		jnz	loc_8E056C
		mov	eax, [ebp+var_4]
		mov	byte ptr [esi+44h], 1
		mov	edx, [edi+eax*4+30h]
		cmp	[esi+34h], edx
		jnz	short loc_796A7D

loc_796A41:				; CODE XREF: PopDispatchPowerSettingCallbacks+9Ej
		mov	eax, [esi]
		mov	byte ptr [esi+44h], 0
		mov	[ebp+var_8], eax
		mov	al, [esi+11h]
		test	al, al
		jnz	short loc_796A9E
		mov	al, [esi+10h]
		test	al, al
		jnz	short loc_796A9E

loc_796A58:				; CODE XREF: PopDispatchPowerSettingCallbacks+BFj
		mov	esi, [ebp+var_8]
		jmp	short loc_796A23
; 

loc_796A5D:				; CODE XREF: PopDispatchPowerSettingCallbacks+3Fj
		xor	al, al
		cmp	[ebx], ebx
		jz	loc_8E0573

loc_796A67:				; CODE XREF: PopDispatchPowerSettingCallbacks+149B91j
					; PopDispatchPowerSettingCallbacks+149B9Bj ...
		mov	esi, [edi]
		test	al, al
		jnz	loc_8E05A8

loc_796A71:				; CODE XREF: PopDispatchPowerSettingCallbacks+149BDEj
		cmp	esi, offset _PopPowerSettings
		jz	short loc_796A86
		mov	edi, esi
		jmp	short loc_796A1E
; 

loc_796A7D:				; CODE XREF: PopDispatchPowerSettingCallbacks+59j
		mov	ecx, esi
		call	PopCallPowerSettingCallback
		jmp	short loc_796A41
; 

loc_796A86:				; CODE XREF: PopDispatchPowerSettingCallbacks+91j
		pop	esi
		pop	ebx

loc_796A88:				; CODE XREF: PopDispatchPowerSettingCallbacks+34j
		mov	ecx, offset _PopSettingLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		xor	cl, cl
		call	PopDecrementPowerSettingPendingUpdates
		pop	edi
		leave
		retn	4
; 

loc_796A9E:				; CODE XREF: PopDispatchPowerSettingCallbacks+69j
					; PopDispatchPowerSettingCallbacks+70j
		mov	ecx, esi
		call	PopUnregisterPowerSettingCallback
		jmp	short loc_796A58
PopDispatchPowerSettingCallbacks endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopCallPowerSettingCallback proc near	; CODE XREF: PopDispatchPowerSettingCallbacks+99p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E062F SIZE 000000CB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	loc_796BC1
		test	esi, esi
		jz	loc_796BC1
		mov	[esi+34h], edx
		mov	eax, [esi+0Ch]
		test	eax, eax
		jnz	loc_796BC1
		mov	eax, large fs:124h
		push	ebx
		mov	[esi+0Ch], eax
		push	edi

loc_796AE6:				; CODE XREF: PopCallPowerSettingCallback+10Aj
		mov	edi, [esi+34h]
		mov	ecx, offset _PopSettingLock
		inc	dword ptr [edi]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	_PopDiagHandleRegistered, 0
		mov	eax, [edi+4]
		mov	[ebp+var_68], eax
		mov	[ebp+var_74], eax
		mov	eax, [esi+38h]
		mov	[ebp+var_70], eax
		jz	short loc_796B2F
		mov	ebx, dword_6C1D74
		mov	eax, _PopDiagHandle
		push	offset _POP_ETW_EVENT_POWER_SETTING_CALLBACK_START
		push	ebx
		push	eax
		mov	[ebp+var_6C], eax
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8E05CE

loc_796B2F:				; CODE XREF: PopCallPowerSettingCallback+63j
					; PopDispatchPowerSettingCallbacks+149C44j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		push	dword ptr [esi+3Ch]
		lea	ecx, [edi+0Ch]
		mov	bl, al
		push	dword ptr [edi+4]
		lea	eax, [esi+24h]
		push	ecx
		push	eax
		call	dword ptr [esi+38h]
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, bl
		jnz	loc_8E0681
		cmp	_PopDiagHandleRegistered, 0
		mov	eax, [esi+38h]
		mov	[ebp+var_6C], eax
		jz	short loc_796B87
		mov	ebx, dword_6C1D74
		mov	eax, _PopDiagHandle
		push	(offset	locret_4057EF+1)
		push	ebx
		push	eax
		mov	[ebp+var_68], eax
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8E062F

loc_796B87:				; CODE XREF: PopCallPowerSettingCallback+BBj
					; PopCallPowerSettingCallback+149BC4j
		call	_KeAreApcsDisabled@0 ; KeAreApcsDisabled()
		test	al, al
		jnz	short loc_796BD2
		mov	ecx, offset _PopSettingLock
		call	ExAcquireFastMutex
		mov	eax, [esi+34h]
		test	eax, eax
		jz	short loc_796BA5
		cmp	edi, eax
		jnz	short loc_796BCE

loc_796BA5:				; CODE XREF: PopCallPowerSettingCallback+F7j
		xor	bl, bl

loc_796BA7:				; CODE XREF: PopCallPowerSettingCallback+128j
		sub	dword ptr [edi], 1
		jz	loc_8E0671

loc_796BB0:				; CODE XREF: PopCallPowerSettingCallback+149BD4j
		test	bl, bl
		jnz	loc_796AE6
		pop	edi
		mov	dword ptr [esi+0Ch], 0
		pop	ebx

loc_796BC1:				; CODE XREF: PopCallPowerSettingCallback+17j
					; PopCallPowerSettingCallback+1Fj ...
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_796BCE:				; CODE XREF: PopCallPowerSettingCallback+FBj
		mov	bl, 1
		jmp	short loc_796BA7
; 

loc_796BD2:				; CODE XREF: PopCallPowerSettingCallback+E6j
		push	20h
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall PopTracePowerSettingChange(x, x, x,	x)
_PopTracePowerSettingChange@16:		; DATA XREF: PopSetPowerSettingValue+2FDo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		xor	cl, cl
		push	[ebp+arg_8]
		call	PopDiagTracePowerSetting
		xor	eax, eax
		pop	ebp
		retn	10h
PopCallPowerSettingCallback endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopRundownPowerSettings()
_PopRundownPowerSettings@0 proc	near	; CODE XREF: PopDiagTraceControlCallback+F0p
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, offset _PopSettingLock
		push	edi
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	edi, dword_6C2D0C
		mov	esi, _PopPowerSettings

loc_796C11:				; CODE XREF: PopRundownPowerSettings()+40j
		cmp	esi, offset _PopPowerSettings
		jz	short loc_796C36
		mov	ecx, [esi+edi*4+30h]
		test	ecx, ecx
		jz	short loc_796C32
		lea	eax, [ecx+0Ch]
		push	eax
		push	dword ptr [ecx+4]
		lea	edx, [esi+10h]
		mov	cl, 1
		call	PopDiagTracePowerSetting

loc_796C32:				; CODE XREF: PopRundownPowerSettings()+2Bj
		mov	esi, [esi]
		jmp	short loc_796C11
; 

loc_796C36:				; CODE XREF: PopRundownPowerSettings()+23j
		mov	ecx, ebx
		pop	edi
		pop	esi
		pop	ebx
		jmp	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
_PopRundownPowerSettings@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTracePowerSetting proc near	; CODE XREF: PopCallPowerSettingCallback+140p
					; PopRundownPowerSettings()+39p

var_48		= dword	ptr -48h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	[ebp+var_48], edx
		push	esi
		mov	esi, offset _POP_ETW_EVENT_POWER_SETTING_RUNDOWN
		test	cl, cl
		jz	short loc_796C97

loc_796C5F:				; CODE XREF: PopDiagTracePowerSetting+5Cj
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_796C88
		push	ebx
		mov	ebx, _PopDiagHandle
		push	edi
		mov	edi, dword_6C1D74
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8E069C

loc_796C86:				; CODE XREF: PopCallPowerSettingCallback+149C4Dj
		pop	edi
		pop	ebx

loc_796C88:				; CODE XREF: PopDiagTracePowerSetting+26j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_796C97:				; CODE XREF: PopDiagTracePowerSetting+1Dj
		mov	esi, offset _POP_ETW_EVENT_POWER_SETTING_CHANGE
		jmp	short loc_796C5F
PopDiagTracePowerSetting endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExGetAttachedSessionPoolTagInfo(x, x, x, x)
_ExGetAttachedSessionPoolTagInfo@16 proc near
					; CODE XREF: ExGetSessionPoolTagInformation+FAp
					; ExGetSessionPoolTagInformation+1ADp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		xor	ecx, ecx
		mov	esi, 0C0000004h
		mov	[eax], ecx
		cmp	edx, 28h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], ecx
		sbb	ebx, ebx
		mov	[ebp+var_C], ecx
		push	eax
		and	ebx, esi
		lea	eax, [ebp+var_8]
		cmp	edx, 28h
		push	eax
		lea	eax, [edx-0Ch]
		sbb	edx, edx
		not	edx
		and	edx, eax
		cmp	[ebp+var_4], 28h
		lea	eax, [edi+0Ch]
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax
		call	ExGetSessionPoolTagInfo
		test	eax, eax
		js	short loc_796D26
		cmp	[ebp+var_4], 28h
		mov	esi, ebx
		jb	short loc_796D0E
		mov	eax, [ebp+arg_4]
		mov	[edi+4], eax
		mov	eax, [ebp+var_8]
		mov	[edi+8], eax
		dec	eax
		imul	eax, 1Ch
		add	eax, 28h
		mov	[edi], eax

loc_796D0E:				; CODE XREF: ExGetAttachedSessionPoolTagInfo(x,x,x,x)+59j
					; ExGetAttachedSessionPoolTagInfo(x,x,x,x)+8Aj
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+arg_0]
		dec	ecx
		imul	ecx, 1Ch
		add	ecx, 28h
		mov	[eax], ecx
		mov	eax, esi

loc_796D1F:				; CODE XREF: ExGetAttachedSessionPoolTagInfo(x,x,x,x)+8Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_796D26:				; CODE XREF: ExGetAttachedSessionPoolTagInfo(x,x,x,x)+51j
		cmp	eax, esi
		jz	short loc_796D0E
		jmp	short loc_796D1F
_ExGetAttachedSessionPoolTagInfo@16 endp


;  S U B	R O U T	I N E 


MmAcquireSessionPoolRundown proc near	; CODE XREF: ExGetSessionPoolTagInfo+2Dp
					; ExGetSessionPoolTagInfo+189p	...

; FUNCTION CHUNK AT 008E06FA SIZE 0000002A BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ebx, [eax+180h]
		cmp	ecx, 1
		jnz	short loc_796D73
		dec	word ptr [edi+13Eh]
		nop
		mov	esi, offset dword_6D05C8
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebx+4]
		and	al, 21h
		cmp	al, 1
		jz	short loc_796D94
		jmp	loc_8E06FA
; 

loc_796D73:				; CODE XREF: MmAcquireSessionPoolRundown+21j
		push	11h
		xor	ecx, ecx
		mov	esi, offset dword_6D05C8
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jnz	short loc_796D9B

loc_796D86:				; CODE XREF: MmAcquireSessionPoolRundown+76j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_796D94:				; CODE XREF: MmAcquireSessionPoolRundown+40j
		xor	eax, eax
		inc	eax

loc_796D97:				; CODE XREF: MmAcquireSessionPoolRundown+1499F3j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_796D9B:				; CODE XREF: MmAcquireSessionPoolRundown+58j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_796D86
MmAcquireSessionPoolRundown endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspAttachSession(x,	x, x)
_PspAttachSession@12 proc near		; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F44p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_796DD4
		mov	eax, [ebp+arg_0]
		mov	edx, edi
		mov	ecx, esi
		mov	[eax], esi
		call	MmAttachSession
		mov	edi, eax
		test	edi, edi
		js	short loc_796DDB

loc_796DCC:				; CODE XREF: PspAttachSession(x,x,x)+3Ej
		mov	eax, edi

loc_796DCE:				; CODE XREF: PspAttachSession(x,x,x)+35j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_796DD4:				; CODE XREF: PspAttachSession(x,x,x)+12j
		mov	eax, 0C000010Ah
		jmp	short loc_796DCE
; 

loc_796DDB:				; CODE XREF: PspAttachSession(x,x,x)+26j
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_796DCC
_PspAttachSession@12 endp


;  S U B	R O U T	I N E 


; __stdcall PspDetachSession(x,	x)
_PspDetachSession@8 proc near		; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+FA4p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1026p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	MmDetachSession
		mov	ecx, esi
		pop	esi
		jmp	ObfDereferenceObject
_PspDetachSession@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExCallSessionCallBack proc near		; CODE XREF: PsInvokeWin32Callout+69p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E0724 SIZE 00000074 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_28], eax
		lea	edi, [ebp+var_1C]
		mov	eax, [ebp+arg_4]
		mov	esi, ecx
		push	6
		mov	[ebp+var_34], eax
		xor	eax, eax
		mov	[ebp+var_2C], edx
		pop	ecx
		rep stosd
		mov	edi, 0C000000Dh
		test	esi, esi
		jz	loc_8E0724
		mov	ecx, [esi]
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_796EB0
		lea	edx, [ebp+var_1C]
		mov	ecx, ebx
		call	MmAttachSession
		mov	esi, eax
		test	esi, esi
		js	short loc_796EB8
		call	_MmSessionGetWin32Callouts@0 ; MmSessionGetWin32Callouts()
		mov	ecx, eax
		mov	[ebp+var_24], eax
		call	ExReferenceCallBackBlock
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	short loc_796EB4
		push	[ebp+var_28]
		push	[ebp+var_2C]
		push	dword ptr [eax+8]
		call	dword ptr [eax+4]
		mov	edx, [ebp+var_20]
		mov	edi, eax
		mov	ecx, [ebp+var_24]
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)

loc_796E7F:				; CODE XREF: ExCallSessionCallBack+C0j
		lea	edx, [ebp+var_1C]
		mov	ecx, ebx
		call	MmDetachSession

loc_796E89:				; CODE XREF: ExCallSessionCallBack+C4j
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_796E90:				; CODE XREF: ExCallSessionCallBack+14999Dj
		test	esi, esi
		js	short loc_796E9D
		mov	eax, [ebp+var_34]
		test	eax, eax
		jz	short loc_796E9D
		mov	[eax], edi

loc_796E9D:				; CODE XREF: ExCallSessionCallBack+9Cj
					; ExCallSessionCallBack+A3j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_796EB0:				; CODE XREF: ExCallSessionCallBack+48j
		mov	esi, edi
		jmp	short loc_796E9D
; 

loc_796EB4:				; CODE XREF: ExCallSessionCallBack+6Ej
		mov	esi, edi
		jmp	short loc_796E7F
; 

loc_796EB8:				; CODE XREF: ExCallSessionCallBack+58j
		mov	esi, edi
		jmp	short loc_796E89
ExCallSessionCallBack endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMGetRelatedDeviceInstance proc near	; CODE XREF: PiCMHandleIoctl+B4p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E080A SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_34]
		push	7
		pop	ecx
		xor	eax, eax
		rep stosd
		mov	eax, [ebp+arg_C]
		xor	ecx, ecx
		mov	edi, ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	ebx, ecx
		mov	[ebp+var_8], ecx
		mov	[eax], ecx
		lea	eax, [ebp+var_34]
		push	eax
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_4], edi
		call	PiCMCaptureObjectInputData
		mov	esi, eax
		test	esi, esi
		js	loc_796FE3
		cmp	[ebp+var_28], ebx
		jz	loc_8E0825
		cmp	[ebp+var_30], ebx
		jnz	loc_8E0825
		cmp	[ebp+var_2C], 1
		jnz	loc_8E0825
		cmp	[ebp+arg_0], ebx
		jz	loc_7970D0
		mov	eax, [ebp+arg_4]
		cmp	eax, 14h
		jb	loc_7970D0
		push	2
		add	eax, 0FFFFFFECh
		pop	ecx
		cmp	eax, ecx
		mov	[ebp+var_C], ecx
		sbb	edi, edi
		not	edi
		and	edi, eax
		jbe	loc_8E0814
		push	34706E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8E080A

loc_796F5F:				; CODE XREF: PiCMGetRelatedDeviceInstance+149953j
					; PiCMGetRelatedDeviceInstance+14995Aj
		test	esi, esi
		js	loc_79705D
		mov	edx, [ebp+var_28]
		call	__CmValidateDeviceName@8 ; _CmValidateDeviceName(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_79705D
		mov	eax, [ebp+var_20]
		sub	eax, 1
		jnz	loc_79700B
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_C]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		shr	edi, 1
		push	ebx
		mov	[ebp+var_C], edi
		call	_CmGetDeviceParent
		mov	edi, [ebp+var_C]
		mov	esi, eax

loc_796FA2:				; CODE XREF: PiCMGetRelatedDeviceInstance+1F2j
		mov	[ebp+var_4], edi

loc_796FA5:				; CODE XREF: PiCMGetRelatedDeviceInstance+14996Ej
		test	esi, esi
		js	loc_79705D
		push	[ebp+arg_C]	; int
		lea	edx, [edi+edi]
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		push	[ebp+var_1C]	; int
		push	edx		; size_t
		push	ebx		; void *
		push	0		; int

loc_796FC0:				; CODE XREF: PiCMGetRelatedDeviceInstance+1B7j
		mov	ecx, esi
		call	PiCMReturnBufferResultData
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_796FD8
		push	34706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_796FD8:				; CODE XREF: PiCMGetRelatedDeviceInstance+10Fj
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	loc_797078

loc_796FE3:				; CODE XREF: PiCMGetRelatedDeviceInstance+3Ej
					; PiCMGetRelatedDeviceInstance+1C7j
		cmp	[ebp+var_28], 0
		jz	short loc_797002
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_797002
		push	0
		push	[ebp+var_28]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_797002:				; CODE XREF: PiCMGetRelatedDeviceInstance+12Bj
					; PiCMGetRelatedDeviceInstance+13Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_79700B:				; CODE XREF: PiCMGetRelatedDeviceInstance+C3j
		sub	eax, 1
		jnz	loc_7970B3

loc_797014:				; CODE XREF: PiCMGetRelatedDeviceInstance+20Fj
		push	[ebp+var_28]
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_79705D
		mov	eax, 190h
		push	34706E50h
		push	eax
		push	1
		mov	[ebp+var_10], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_8E081B
		push	[ebp+var_C]
		lea	ecx, [ebp+var_10]
		mov	edx, eax
		push	ecx
		lea	ecx, [ebp+var_18]
		call	PiGetRelatedDevice
		mov	esi, eax
		test	esi, esi
		jns	short loc_797088

loc_79705D:				; CODE XREF: PiCMGetRelatedDeviceInstance+A5j
					; PiCMGetRelatedDeviceInstance+B7j ...
		push	[ebp+arg_C]
		mov	edx, [ebp+var_4]
		xor	eax, eax
		push	[ebp+arg_4]
		add	edx, edx
		push	[ebp+arg_0]
		push	[ebp+var_1C]
		push	eax
		push	eax
		push	eax
		jmp	loc_796FC0
; 

loc_797078:				; CODE XREF: PiCMGetRelatedDeviceInstance+121j
		push	34706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_796FE3
; 

loc_797088:				; CODE XREF: PiCMGetRelatedDeviceInstance+19Fj
		mov	eax, [ebp+var_8]
		mov	edx, edi
		push	800h
		push	0
		push	0
		push	eax
		mov	ecx, ebx
		call	RtlStringCbCopyExW
		mov	esi, eax
		cmp	esi, 80000005h
		jz	short loc_7970E1

loc_7970A8:				; CODE XREF: PiCMGetRelatedDeviceInstance+22Aj
		mov	edi, [ebp+var_10]
		shr	edi, 1
		inc	edi
		jmp	loc_796FA2
; 

loc_7970B3:				; CODE XREF: PiCMGetRelatedDeviceInstance+152j
		sub	eax, 1
		jnz	short loc_7970D0
		mov	ecx, [ebp+var_28]
		call	__CmIsRootDevice@4 ; _CmIsRootDevice(x)
		test	al, al
		jnz	short loc_7970D7
		mov	[ebp+var_C], 3
		jmp	loc_797014
; 

loc_7970D0:				; CODE XREF: PiCMGetRelatedDeviceInstance+63j
					; PiCMGetRelatedDeviceInstance+6Fj ...
		mov	esi, 0C000000Dh
		jmp	short loc_79705D
; 

loc_7970D7:				; CODE XREF: PiCMGetRelatedDeviceInstance+206j
		mov	esi, 0C000000Eh
		jmp	loc_79705D
; 

loc_7970E1:				; CODE XREF: PiCMGetRelatedDeviceInstance+1EAj
		mov	esi, 0C0000023h
		jmp	short loc_7970A8
PiCMGetRelatedDeviceInstance endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetDeviceParent proc	near		; CODE XREF: PiCMGetRelatedDeviceInstance+DCp
					; _CmGetDeviceMappedPropertyFromComposite+87Bp	...

var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E082F SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, edx
		mov	[ebp+var_1A0], eax
		xor	eax, eax
		mov	[ebp+var_19C], ecx
		mov	ecx, ebx
		mov	[ebp+var_198], eax
		mov	esi, [edi]
		mov	[ebp+var_1AC], eax
		mov	[ebp+var_1A8], eax
		mov	[ebp+var_1A4], eax
		mov	[edi], eax
		call	__CmIsRootDevice@4 ; _CmIsRootDevice(x)
		test	al, al
		jnz	short loc_7971BA
		push	ebx
		lea	eax, [ebp+var_1AC]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_7971A9
		push	ecx
		lea	eax, [ebp+var_198]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_19C]
		lea	eax, [ebp+var_194]
		push	eax
		push	1
		lea	edx, [ebp+var_1AC]
		call	__NtPlugPlayGetDeviceRelatedDevice@28 ;	_NtPlugPlayGetDeviceRelatedDevice(x,x,x,x,x,x,x)
		cmp	eax, 0C000000Eh
		jz	short loc_7971C1
		mov	ecx, [ebp+var_198]

loc_79717E:				; CODE XREF: _CmGetDeviceParent+123j
		test	eax, eax
		js	short loc_7971A9
		mov	[edi], ecx
		cmp	esi, ecx
		jb	loc_797216
		push	900h
		push	0
		push	0
		lea	eax, [ebp+var_194]
		push	eax

loc_79719C:				; CODE XREF: _CmGetDeviceParent+149762j
		mov	ecx, [ebp+var_1A0]
		mov	edx, esi
		call	RtlStringCchCopyExW

loc_7971A9:				; CODE XREF: _CmGetDeviceParent+64j
					; _CmGetDeviceParent+98j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_7971BA:				; CODE XREF: _CmGetDeviceParent+53j
		mov	eax, 0C000000Eh
		jmp	short loc_7971A9
; 

loc_7971C1:				; CODE XREF: _CmGetDeviceParent+8Ej
		xor	ecx, ecx
		lea	eax, [ebp+var_198]
		push	ecx
		push	eax
		push	190h
		lea	eax, [ebp+var_194]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_1A4]
		push	eax
		push	offset _DEVPKEY_Device_LastKnownParent ; "&cڃ@S?W;)\n"
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_19C]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_198]
		test	eax, eax
		js	short loc_79721D
		shr	ecx, 1
		mov	[ebp+var_198], ecx

loc_797206:				; CODE XREF: _CmGetDeviceParent+13Aj
		cmp	eax, 0C000000Eh
		jnz	loc_79717E
		jmp	loc_8E082F
; 

loc_797216:				; CODE XREF: _CmGetDeviceParent+9Ej
					; _CmGetDeviceParent+14974Ej
		mov	eax, 0C0000023h
		jmp	short loc_7971A9
; 

loc_79721D:				; CODE XREF: _CmGetDeviceParent+114j
		mov	eax, 0C000000Eh
		jmp	short loc_797206
_CmGetDeviceParent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmIsRootDevice(x)
__CmIsRootDevice@4 proc	near		; CODE XREF: PiCMGetRelatedDeviceInstance+1FFp
					; _CmGetDeviceParent+4Cp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	ecx
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_797253
		push	1
		push	offset dword_40116C
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		leave
		retn
; 

loc_797253:				; CODE XREF: _CmIsRootDevice(x)+1Bj
		xor	al, al
		leave
		retn
__CmIsRootDevice@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _NtPlugPlayGetDeviceRelatedDevice(x, x, x, x, x, x,	x)
__NtPlugPlayGetDeviceRelatedDevice@28 proc near	; CODE XREF: _CmGetDeviceParent+84p
					; _CmGetDeviceChildren(x,x,x,x)+86p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		push	eax
		push	3
		mov	edi, edx
		mov	esi, ecx
		pop	edx
		call	__PnpCtxGetNtPlugPlayRoutine@12	; _PnpCtxGetNtPlugPlayRoutine(x,x,x)
		test	eax, eax
		js	short loc_79729A
		cmp	[ebp+var_4], 0
		jz	short loc_7972A0
		push	0
		push	[ebp+arg_C]
		push	0C8h
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	esi
		call	[ebp+var_4]
		cmp	eax, 80000005h
		jz	short loc_7972A7

loc_79729A:				; CODE XREF: _NtPlugPlayGetDeviceRelatedDevice(x,x,x,x,x,x,x)+1Ej
					; _NtPlugPlayGetDeviceRelatedDevice(x,x,x,x,x,x,x)+4Dj	...
		pop	edi
		pop	esi
		leave
		retn	14h
; 

loc_7972A0:				; CODE XREF: _NtPlugPlayGetDeviceRelatedDevice(x,x,x,x,x,x,x)+24j
		mov	eax, 0C0000002h
		jmp	short loc_79729A
; 

loc_7972A7:				; CODE XREF: _NtPlugPlayGetDeviceRelatedDevice(x,x,x,x,x,x,x)+40j
		mov	eax, 0C0000023h
		jmp	short loc_79729A
__NtPlugPlayGetDeviceRelatedDevice@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlGetDeviceRelatedDeviceRoutine(x, x,	x, x, x, x, x)
_PiPnpRtlGetDeviceRelatedDeviceRoutine@28 proc near ; DATA XREF: PiPnpRtlInit+C3o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_18]
		mov	edx, [ebp+arg_8]
		push	[ebp+arg_14]
		mov	ecx, [ebp+arg_4]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	_PlugPlayGetRelatedDevice@24 ; PlugPlayGetRelatedDevice(x,x,x,x,x,x)
		pop	ebp
		retn	1Ch
_PiPnpRtlGetDeviceRelatedDeviceRoutine@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PlugPlayGetRelatedDevice(x,	x, x, x, x, x)
_PlugPlayGetRelatedDevice@24 proc near	; CODE XREF: PiPnpRtlGetDeviceRelatedDeviceRoutine(x,x,x,x,x,x,x)+17p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		test	ecx, ecx
		jz	short loc_79731A
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_79731A
		cmp	[ebp+arg_C], 0
		jnz	short loc_79731A
		mov	eax, [ecx]
		mov	[ebp+var_14], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_14]
		push	14h
		push	eax
		push	0Ch
		mov	[ebp+var_C], edx
		call	_ZwPlugPlayControl@12 ;	ZwPlugPlayControl(x,x,x)
		mov	ecx, [ebp+var_4]
		inc	ecx
		mov	[esi], ecx

loc_797315:				; CODE XREF: PlugPlayGetRelatedDevice(x,x,x,x,x,x)+51j
		pop	esi
		leave
		retn	10h
; 

loc_79731A:				; CODE XREF: PlugPlayGetRelatedDevice(x,x,x,x,x,x)+Bj
					; PlugPlayGetRelatedDevice(x,x,x,x,x,x)+12j ...
		mov	eax, 0C000000Dh
		jmp	short loc_797315
_PlugPlayGetRelatedDevice@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmProcessWorkingSetControl proc	near	; CODE XREF: PAGE:007AA1A9p
					; VmpPauseResumeNotify(x,x)+CBp ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E609E SIZE 0000000A BYTES
; FUNCTION CHUNK AT 008E60CC SIZE 00000096 BYTES

		push	48h
		push	offset dword_6A1EC0
		call	__SEH_prolog4_GS
		mov	[ebp+var_3C], ecx
		xor	ebx, ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		cmp	[ebp+arg_0], 0Ch
		jb	loc_8E609E
		mov	ecx, ebx
		lea	edi, [ebp+var_4C]
		stosd
		stosd
		stosd
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, edx
		lea	edi, [ebp+var_4C]
		movsd
		movsd
		movsd
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi

loc_797366:				; CODE XREF: sub_8E60B6+11j
		test	ecx, ecx
		js	loc_7974C2
		cmp	[ebp+var_4C], 3
		jnz	loc_8E60CC
		cmp	[ebp+var_48], 2
		jnb	loc_8E60D6
		cmp	[ebp+var_48], 0
		jz	loc_8E60E0

loc_79738C:				; CODE XREF: MmProcessWorkingSetControl+14EDD4j
		push	ebx
		lea	eax, [ebp+var_38]
		push	eax
		push	73576D4Dh
		push	[ebp+arg_4]
		push	ds:_PsProcessType
		push	2000h
		push	[ebp+var_3C]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7974AE
		mov	eax, large fs:124h
		mov	ebx, [ebp+var_38]
		cmp	[eax+80h], ebx
		jz	short loc_7973DB
		mov	[ebp+var_40], 1
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	KiStackAttachProcess

loc_7973DB:				; CODE XREF: MmProcessWorkingSetControl+A3j
		cmp	[ebp+var_48], 0
		jz	loc_8E6106
		cmp	[ebp+var_48], 1
		jnz	loc_797492
		mov	ebx, [ebp+var_44]
		test	ebx, 0FFFFFFC0h
		jnz	loc_8E612B
		mov	esi, ebx
		and	esi, 20h
		jnz	loc_8E6135

loc_797409:				; CODE XREF: MmProcessWorkingSetControl+14EE17j
		mov	ecx, ebx
		mov	edx, ebx
		and	edx, 1
		mov	[ebp+var_54], edx
		xor	eax, eax
		and	ecx, 2
		setz	al
		cmp	edx, eax
		jz	loc_8E613F
		mov	edi, ebx
		and	edi, 8
		jz	short loc_797432
		test	ecx, ecx
		jz	loc_8E613F

loc_797432:				; CODE XREF: MmProcessWorkingSetControl+106j
		mov	eax, ebx
		and	eax, 10h
		mov	[ebp+var_58], eax
		jz	short loc_797444
		test	edi, edi
		jz	loc_8E613F

loc_797444:				; CODE XREF: MmProcessWorkingSetControl+118j
		mov	eax, [ebp+var_38]
		add	eax, 240h
		mov	[ebp+var_3C], eax
		mov	edx, ebx
		mov	ecx, eax
		call	MiLogWsEmptyControl
		neg	esi
		sbb	esi, esi
		and	esi, 4
		cmp	[ebp+var_54], 0
		jz	loc_8E6149

loc_797469:				; DATA XREF: PAGE:008BF1CCo
		test	edi, edi
		jz	short loc_797472
		call	SmStoreCompressionStart

loc_797472:				; CODE XREF: MmProcessWorkingSetControl+149j
		mov	edx, esi
		mov	ecx, [ebp+var_3C]
		call	MiEmptyWorkingSetPrivatePagesByVa
		mov	esi, eax
		test	edi, edi
		jz	short loc_79748F
		xor	ecx, ecx
		cmp	[ebp+var_58], ecx
		setnz	cl
		call	SmStoreCompressionStop

loc_79748F:				; CODE XREF: MmProcessWorkingSetControl+15Ej
					; MmProcessWorkingSetControl+14EE0Ej ...
		mov	ebx, [ebp+var_38]

loc_797492:				; CODE XREF: MmProcessWorkingSetControl+C7j
					; MmProcessWorkingSetControl+14EDF0j ...
		cmp	[ebp+var_40], 1
		jnz	short loc_7974A2
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_7974A2:				; CODE XREF: MmProcessWorkingSetControl+174j
		mov	edx, 73576D4Dh
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_7974AE:				; CODE XREF: MmProcessWorkingSetControl+8Ej
		mov	eax, esi

loc_7974B0:				; CODE XREF: MmProcessWorkingSetControl+1A2j
					; MmProcessWorkingSetControl+14ED81j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7974C2:				; CODE XREF: MmProcessWorkingSetControl+46j
		mov	eax, ecx
		jmp	short loc_7974B0
MmProcessWorkingSetControl endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmStoreCompressionStop proc near	; CODE XREF: MmProcessWorkingSetControl+168p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h

; FUNCTION CHUNK AT 008E6162 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, large fs:124h
		lea	edx, [esp+2Ch+var_28]
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	ecx, ecx
		push	edi
		push	ecx
		mov	[esp+3Ch+var_1C], ecx
		mov	eax, [eax+80h]
		push	ecx
		mov	ecx, offset unk_718478
		mov	[esp+40h+var_28], eax
		call	_SmpKeyedStoreEntryGet@16 ; SmpKeyedStoreEntryGet(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8E6162
		movzx	esi, word ptr [edi+8]

loc_79750A:				; CODE XREF: SmStoreCompressionStop+14ECA2j
		cmp	esi, 0FFFFFFFFh
		jz	loc_79759B
		push	0
		push	0
		lea	eax, [esp+40h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		and	[esp+38h+var_20], 0
		lea	eax, [esp+38h+var_10]
		mov	[esp+38h+var_14], eax
		lea	eax, [esp+38h+var_20]
		push	0
		push	eax
		mov	[esp+40h+var_18], offset ?SmpFlushStorePages@@YGXPAX@Z ; SmpFlushStorePages(void *)
		call	ExQueueWorkItem
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	1Ah
		lea	eax, [esp+48h+var_10]
		push	eax
		call	KeWaitForSingleObject
		test	edi, edi
		jz	short loc_79759B
		xor	ecx, ecx
		inc	ecx
		call	_SmSwapStore@4	; SmSwapStore(x)
		test	ebx, ebx
		jz	short loc_797586
		and	esi, 3FFh
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		mov	edx, esi
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		mov	ecx, [eax]
		test	dword ptr [ecx], 40000h
		jz	short loc_797586
		xor	edx, edx
		call	SMKM_STORE_SM_TRAITS___SmStTrimWsStore

loc_797586:				; CODE XREF: SmStoreCompressionStop+9Bj
					; SmStoreCompressionStop+B7j
		mov	ecx, [esp+38h+var_28]
		lea	edx, [esp+38h+var_24]
		call	_MmQueryProcessWorkingSetSwapPages@8 ; MmQueryProcessWorkingSetSwapPages(x,x)
		test	eax, eax
		js	loc_8E616D

loc_79759B:				; CODE XREF: SmStoreCompressionStop+47j
					; SmStoreCompressionStop+8Fj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
SmStoreCompressionStop endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmStoreCompressionStart	proc near	; CODE XREF: MmProcessWorkingSetControl+14Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E617A SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		lea	edx, [ebp+var_4]
		push	esi
		push	edi
		push	0
		mov	edi, [eax+80h]
		mov	ecx, offset unk_718478
		push	0
		mov	[ebp+var_4], edi
		call	_SmpKeyedStoreEntryGet@16 ; SmpKeyedStoreEntryGet(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8E617A

loc_7975D5:				; CODE XREF: SmStoreCompressionStart+14EBE7j
		call	_MmStoreFlushOutstandingEvictions@0 ; MmStoreFlushOutstandingEvictions()
		test	esi, esi
		jz	short loc_7975F3
		lea	edx, [ebp+var_8]
		mov	ecx, edi
		call	_MmQueryProcessWorkingSetSwapPages@8 ; MmQueryProcessWorkingSetSwapPages(x,x)
		test	eax, eax
		js	short loc_7975F3
		xor	ecx, ecx
		call	_SmSwapStore@4	; SmSwapStore(x)

loc_7975F3:				; CODE XREF: SmStoreCompressionStart+3Aj
					; SmStoreCompressionStart+48j ...
		pop	edi
		pop	esi
		leave
		retn
SmStoreCompressionStart	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInSwapStoreWorker(x)
_MiInSwapStoreWorker@4 proc near	; DATA XREF: MiInSwapStore+3Do

var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+20h+var_4], eax
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+28h+var_1C]
		xor	edx, edx
		rep stosd
		mov	ecx, [esi+10h]
		lea	eax, [esp+28h+var_1C]
		push	eax
		call	KiStackAttachProcess
		push	2
		pop	ecx
		call	_SmSwapStore@4	; SmSwapStore(x)
		push	0
		push	0
		lea	ecx, [esi+14h]
		mov	edi, eax
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		test	edi, edi
		jns	short loc_797652
		mov	ecx, [esi+10h]
		mov	edx, edi
		call	EtwTraceWorkingSetInSwapStoreFail

loc_797652:				; CODE XREF: MiInSwapStoreWorker(x)+4Ej
		xor	edx, edx
		lea	ecx, [esp+28h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [esi+10h]
		mov	edx, 73576D4Dh
		call	ObfDereferenceObjectWithTag
		or	eax, 0FFFFFFFFh
		lock xadd [esi+24h], eax
		dec	eax
		jz	short loc_797688

loc_797675:				; CODE XREF: MiInSwapStoreWorker(x)+98j
		mov	ecx, [esp+28h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_797688:				; CODE XREF: MiInSwapStoreWorker(x)+7Bj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_797675
_MiInSwapStoreWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmSwapStore(x)
_SmSwapStore@4	proc near		; CODE XREF: SmStoreCompressionStop+94p
					; SmStoreCompressionStart+4Cp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		lea	edx, [ebp+var_4]
		push	esi
		push	edi
		push	0
		mov	eax, [eax+80h]
		mov	esi, ecx
		push	0
		mov	ecx, offset unk_718478
		mov	[ebp+var_4], eax
		call	_SmpKeyedStoreEntryGet@16 ; SmpKeyedStoreEntryGet(x,x,x,x)
		test	eax, eax
		jz	short loc_7976F2
		movzx	edx, word ptr [eax+8]
		mov	edi, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		and	edx, 3FFh
		mov	ecx, edi
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		push	2
		mov	edx, [eax]
		pop	eax
		cmp	esi, eax
		jz	short loc_7976E6
		xor	eax, eax
		test	esi, esi
		setnz	al

loc_7976E6:				; CODE XREF: SmSwapStore(x)+4Bj
		push	eax
		mov	ecx, edi
		call	SMKM_STORE_MGR_SM_TRAITS___SmSwapStore

loc_7976EE:				; CODE XREF: SmSwapStore(x)+65j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_7976F2:				; CODE XREF: SmSwapStore(x)+2Cj
		mov	eax, 0C0000225h
		jmp	short loc_7976EE
_SmSwapStore@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTraceWorkingSetInSwapStoreFail proc near ; CODE XREF: MiInSwapStoreWorker(x)+55p

var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, dword_6BC304
		mov	ebx, ecx
		push	edi
		mov	edi, _EtwpMemoryProvRegHandle
		push	0
		push	80h
		push	0
		push	esi
		push	edi
		mov	[ebp+var_2C], edx
		call	EtwProviderEnabled
		test	al, al
		jnz	sub_8E618E

loc_797738:				; CODE XREF: sub_8E618E+3Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
EtwTraceWorkingSetInSwapStoreFail endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SmCrEncInitialize(x)
_SmCrEncInitialize@4 proc near		; CODE XREF: ST_STORE<SM_TRAITS>::StInitialize(ST_STORE<SM_TRAITS> *)+4Fp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	eax, eax
		push	6
		pop	ecx
		push	40h
		and	dword ptr [ebx], 0
		lea	edi, [ebx+8]
		rep stosd
		pop	edi
		push	edi		; size_t
		push	eax		; int
		lea	esi, [ebx+20h]
		mov	dword ptr [ebx+4], 1
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi], edi
		mov	dword ptr [ebx+24h], 1
		pop	edi
		pop	esi
		pop	ebx
		retn
_SmCrEncInitialize@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmKmStoreAdd	proc near		; CODE XREF: SmProcessCreateRequest+1E8p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 007979BF SIZE 0000001D BYTES
; FUNCTION CHUNK AT 008E61D2 SIZE 00000111 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ecx
		mov	[ebp+var_20], edx
		mov	ecx, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], eax
		push	esi
		mov	ecx, [ecx]
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_1C], ecx
		mov	ecx, ebx
		push	edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], ecx

loc_7977AD:				; CODE XREF: SmKmStoreAdd+14EABBj
		cmp	[eax+ecx*4], ebx
		jz	loc_797927

loc_7977B6:				; CODE XREF: SmKmStoreAdd+255j
		mov	edi, [eax+ecx*4]
		lea	edx, [edi+280h]
		mov	[ebp+var_18], edx
		cmp	edi, edx
		jnb	loc_8E6236
		mov	eax, [ebp+var_8]
		lea	ecx, [edi+8]
		mov	[ebp+var_14], ecx

loc_7977D3:				; CODE XREF: SmKmStoreAdd+64j
		cmp	[edi], ebx
		jz	short loc_7977EA

loc_7977D7:				; CODE XREF: SmKmStoreAdd+14EAA9j
		add	ecx, 14h
		add	edi, 14h
		inc	eax
		mov	[ebp+var_14], ecx
		mov	[ebp+var_8], eax
		cmp	edi, edx
		jb	short loc_7977D3
		jmp	short loc_79780A
; 

loc_7977EA:				; CODE XREF: SmKmStoreAdd+53j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		cmp	[edi], ebx
		jnz	loc_8E6201
		mov	edx, [ebp+var_18]

loc_79780A:				; CODE XREF: SmKmStoreAdd+66j
		cmp	edi, edx
		jnb	loc_8E6230

loc_797812:				; CODE XREF: SmKmStoreAdd+14EAC1j
		cmp	[ebp+var_8], 400h
		jnb	loc_8E6252
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		add	ecx, 0E0h
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_4]
		test	dword ptr [edx], 100h
		jnz	loc_8E625C

loc_79784F:				; CODE XREF: SmKmStoreAdd+14EAEBj
		and	byte ptr [edi+12h], 0FEh
		and	byte ptr [edi+12h], 0FDh
		mov	eax, [edx]
		mov	edx, 80h
		shr	eax, 12h
		shl	eax, 7
		xor	ax, [edi+10h]
		and	ax, dx
		xor	[edi+10h], ax
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+8]
		mov	[edi+0Ch], eax
		mov	eax, esi
		inc	dword ptr [ecx+0E4h]
		lea	esi, [ecx+0E0h]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_797897
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_797897:				; CODE XREF: SmKmStoreAdd+10Cj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_20]
		mov	edx, [ebp+arg_4]
		mov	ebx, [ebp+var_8]
		mov	[edi], eax

loc_7978AE:				; CODE XREF: SmKmStoreAdd+14Ej
		movzx	eax, word ptr [edi+10h]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 3Fh
		xor	ecx, eax
		mov	[edi+10h], cx
		and	ecx, 3Fh
		shl	ecx, 0Ah
		or	ecx, ebx
		mov	[edx], ecx
		cmp	ecx, 103FFh
		jz	short loc_7978AE
		xor	ecx, ecx
		call	_SmEtwEnabled@4	; SmEtwEnabled(x)
		push	0
		pop	ebx
		test	eax, eax
		jnz	loc_8E62C4

loc_7978E4:				; CODE XREF: SmKmStoreAdd+14EB50j
		lea	ecx, [edi+4]
		xor	eax, eax
		xchg	eax, [ecx]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		add	edi, 8
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_797907
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_797907:				; CODE XREF: SmKmStoreAdd+17Cj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_797913:				; CODE XREF: SmKmStoreAdd+14EAD5j
					; SmKmStoreAdd+14EB3Dj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_8E62D7

loc_79791E:				; CODE XREF: SmKmStoreAdd+14EACBj
					; SmKmStoreAdd+14EB5Cj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_797927:				; CODE XREF: SmKmStoreAdd+2Ej
		mov	edx, 61536D73h
		mov	ecx, 280h
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	edi, eax
		mov	[ebp+var_10], edi
		test	edi, edi
		jz	loc_8E6248
		lea	ecx, [edi+280h]
		cmp	edi, ecx
		jnb	short loc_797981
		lea	esi, [edi+4]
		mov	[ebp+var_14], 20h

loc_797957:				; CODE XREF: SmKmStoreAdd+1F7j
		xor	eax, eax
		lea	edi, [esi-4]
		stosd
		mov	ecx, esi
		stosd
		stosd
		stosd
		stosd
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	ecx, esi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	[esi+4], ebx
		add	esi, 14h
		sub	[ebp+var_14], 1
		jnz	short loc_797957
		mov	edi, [ebp+var_10]
		or	esi, 0FFFFFFFFh

loc_797981:				; CODE XREF: SmKmStoreAdd+1C9j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [ebp+var_4]
		xor	edx, edx
		add	eax, 0E0h
		mov	ecx, eax
		mov	[ebp+var_14], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		cmp	[eax+ecx*4], ebx
		jnz	loc_8E61D2
		mov	[eax+ecx*4], edi
		mov	edi, ebx
		mov	[ebp+var_10], ebx
		jmp	loc_8E61D2
SmKmStoreAdd	endp

; 
; START	OF FUNCTION CHUNK FOR SmKmStoreAdd

loc_7979BF:				; CODE XREF: SmKmStoreAdd+14EA5Dj
					; SmKmStoreAdd+14EA6Bj
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		jnz	loc_8E61F2

loc_7979D1:				; CODE XREF: SmKmStoreAdd+14EA7Aj
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_4]
		jmp	loc_7977B6
; END OF FUNCTION CHUNK	FOR SmKmStoreAdd

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmProcessCreateRequest proc near	; CODE XREF: SmpDirtyStoreCreate(x,x,x,x)+CFp
					; SmSetStoreInformation+135F26p

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E62E3 SIZE 00000064 BYTES
; FUNCTION CHUNK AT 008E6376 SIZE 0000000A BYTES
; FUNCTION CHUNK AT 008E63B7 SIZE 00000041 BYTES

		push	0A8h
		push	offset dword_6A1EE0
		call	__SEH_prolog4_GS
		mov	[ebp+var_6C], edx
		mov	eax, ecx
		mov	[ebp+var_5C], eax
		mov	[ebp+var_78], eax
		xor	ebx, ebx
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_8C], ebx
		mov	edi, ebx
		mov	[ebp+var_64], edi
		mov	[ebp+var_70], edi
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_60], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_7C], ebx
		push	38h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_58]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+arg_0], 38h
		jnz	loc_8E62E3
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+arg_4]
		test	al, al
		jnz	loc_8E62ED

loc_797A4B:				; CODE XREF: SmProcessCreateRequest+14E936j
		push	0Eh
		pop	ecx
		mov	esi, [ebp+var_6C]
		lea	edi, [ebp+var_58]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_A4], ebx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_8C], ebx
		lea	ecx, [ebp+var_A8]
		push	ecx
		lea	ecx, [ebp+var_7C]
		push	ecx
		mov	dl, al
		lea	ecx, [ebp+var_58]
		call	SmKmStoreCreatePrepare
		mov	esi, eax
		test	esi, esi
		js	loc_797C50
		mov	esi, [ebp+var_A8]
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, 400FFh
		mov	edi, 40000h
		cmp	eax, edi
		jnz	loc_8E6376
		test	ecx, 300h
		jnz	loc_8E6376
		test	cl, cl
		jnz	short loc_797AD4
		and	ecx, 160000h
		cmp	ecx, edi
		jnz	loc_8E6317

loc_797AD4:				; CODE XREF: SmProcessCreateRequest+E8j
					; SmProcessCreateRequest+14E951j
		mov	eax, [esi]
		test	al, al
		jnz	short loc_797AEB
		test	eax, edi
		jz	short loc_797AEB
		cmp	dword ptr [esi+8], 20000h
		ja	loc_8E6376

loc_797AEB:				; CODE XREF: SmProcessCreateRequest+FCj
					; SmProcessCreateRequest+100j
		mov	edx, 74536D73h
		mov	ecx, 12C0h
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8E633D
		mov	ecx, edi	; void *
		call	?SmStInitialize@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@@Z ;	SMKM_STORE<SM_TRAITS>::SmStInitialize(SMKM_STORE<SM_TRAITS> *)
		mov	edx, [esi]
		and	edx, 10000h
		neg	edx
		sbb	edx, edx
		add	edx, 4
		mov	ecx, [esi+8]
		call	SmFirstTimeInit
		mov	esi, eax
		test	esi, esi
		js	loc_797C16
		mov	[ebp+var_98], offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS	SmGlobals
		mov	eax, ds:dword_718460
		mov	[ebp+var_94], eax
		mov	eax, ds:dword_71845C
		mov	[ebp+var_90], eax
		mov	eax, [ebp+var_A8]
		or	dword ptr [eax], 8000h
		lea	edx, [ebp+var_A8]
		mov	ecx, edi
		call	SMKM_STORE_SM_TRAITS___SmStStart
		mov	esi, eax
		test	esi, esi
		js	loc_797C16
		mov	[ebp+var_B0], ebx
		lea	eax, [ebp+var_54]
		mov	[ebp+var_B8], eax
		mov	eax, [edi+1178h]
		mov	[ebp+var_B4], eax
		mov	eax, [ebp+var_44]
		mov	[ebp+var_AC], eax
		test	[ebp+var_58], 200h
		jz	short loc_797BAE
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+var_B0], eax

loc_797BAE:				; CODE XREF: SmProcessCreateRequest+1BEj
		lea	eax, [edi+10F0h]
		mov	[ebp+var_68], eax
		push	eax
		lea	eax, [ebp+var_B8]
		push	eax
		mov	edx, edi
		mov	ecx, [ebp+var_5C]
		call	SmKmStoreAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_797C16
		mov	eax, [ebp+var_68]
		mov	eax, [eax]
		mov	[ebp+var_60], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_80], ebx
		xor	edx, edx
		lea	ecx, [ebp+var_80]
		lock or	[ecx], edx
		mov	ds:byte_718468,	5
		mov	edi, ebx
		mov	[ebp+var_70], edi
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_68], ecx
		mov	esi, ebx
		mov	[ebp+ms_exc.disabled], ecx
		mov	ecx, [ebp+var_6C]
		mov	[ecx+34h], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	[ebp+var_58], 100h
		jz	short loc_797C16
		or	[ebp+var_60], 0FFFFFFFFh

loc_797C16:				; CODE XREF: SmProcessCreateRequest+14Aj
					; SmProcessCreateRequest+18Dj ...
		mov	ecx, [ebp+var_5C]

loc_797C19:				; CODE XREF: sub_8E6391+21j
		mov	eax, [ebp+var_60]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_8E63B7

loc_797C25:				; CODE XREF: SmProcessCreateRequest+14E9F0j
		test	edi, edi
		jnz	loc_8E63D1

loc_797C2D:				; CODE XREF: SmProcessCreateRequest+14EA03j
		test	ebx, ebx
		jnz	loc_8E63E4

loc_797C35:				; CODE XREF: SmProcessCreateRequest+14EA17j
		mov	ecx, [ebp+var_7C]
		test	ecx, ecx
		jnz	short loc_797C55

loc_797C3C:				; CODE XREF: SmProcessCreateRequest+27Ej
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_797C50:				; CODE XREF: SmProcessCreateRequest+B8j
					; SmProcessCreateRequest+14E95Cj ...
		mov	edi, [ebp+var_64]
		jmp	short loc_797C16
; 

loc_797C55:				; CODE XREF: SmProcessCreateRequest+25Ej
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_797C3C
SmProcessCreateRequest endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1754. PsCreateSystemThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsCreateSystemThread(x, x, x, x, x,	x, x)
		public _PsCreateSystemThread@28
_PsCreateSystemThread@28 proc near	; CODE XREF: SmKmStoreHelperStart(x,x)+23p
					; SMKM_STORE_SM_TRAITS___SmStWorkerThreadStartThread+46p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	0
		push	0
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PsCreateSystemThreadEx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_PsCreateSystemThread@28 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1755. PsCreateSystemThreadEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsCreateSystemThreadEx
PsCreateSystemThreadEx proc near	; CODE XREF: MiZeroNodePages+1B3p
					; MiZeroBootLargePages+18Bp ...

var_196		= byte ptr -196h
var_195		= byte ptr -195h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= word ptr -158h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_B8		= dword	ptr -0B8h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 008E63F8 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 19Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+19Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+19Ch+var_178], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+19Ch+var_188], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	[esp+1A0h+var_17C], eax
		mov	eax, [ebp+arg_14]
		push	esi
		mov	esi, [ebp+arg_1C]
		mov	[esp+1A4h+var_180], eax
		mov	eax, [ebp+arg_18]
		push	edi
		mov	[esp+1A8h+var_184], eax
		mov	eax, [ebp+arg_20]
		push	148h		; size_t
		mov	[esp+1ACh+var_18C], eax
		lea	eax, [esp+1ACh+var_150]
		push	0		; int
		push	eax		; void *
		mov	[esp+1B4h+var_190], esi
		call	_memset
		and	[esp+1B4h+var_194], 0
		lea	edi, [esp+1B4h+var_174]
		add	esp, 0Ch
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		lea	edi, [esp+1A8h+var_15C]
		stosd
		stosd
		stosd
		mov	edi, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		call	edi
		cmp	al, 1
		ja	loc_8E63F8
		xor	ecx, ecx
		xor	edx, edx
		inc	ecx
		mov	[esp+1A8h+var_195], dl
		test	ebx, ebx
		jz	loc_797E73
		mov	eax, ds:_PsProcessType
		lea	ecx, [esp+1A8h+var_194]
		push	edx
		push	edx
		push	ecx
		push	72437350h
		push	edx
		push	eax
		push	2
		pop	edx
		mov	ecx, ebx
		call	ObpReferenceObjectByHandleWithTag
		mov	esi, eax
		test	esi, esi
		js	loc_797E5A
		mov	ebx, [esp+1A8h+var_194]
		xor	ecx, ecx
		mov	esi, [esp+1A8h+var_190]
		inc	ecx
		mov	[esp+1A8h+var_195], cl

loc_797D69:				; CODE XREF: PsCreateSystemThreadEx+1EBj
		lea	eax, [ebx+3A8h]
		test	dword ptr [eax], 1000h
		mov	[esp+1A8h+var_190], eax
		jz	short loc_797DE2
		mov	eax, [esp+1A8h+var_18C]
		test	esi, esi
		jnz	short loc_797DC4
		test	eax, eax
		jnz	short loc_797DC0
		lock xadd ds:_PspSystemThreadAssignment, ecx
		inc	ecx
		movzx	esi, cx
		call	_KeQueryActiveGroupCount@0 ; KeQueryActiveGroupCount()
		movzx	ecx, ax
		xor	edx, edx
		mov	eax, esi
		lea	esi, [esp+1A8h+var_15C]
		div	ecx
		movzx	eax, dx
		mov	[esp+1A8h+var_158], ax
		mov	eax, ds:dword_70E328[eax*4]
		mov	ebx, [esp+1A8h+var_194]
		mov	[esp+1A8h+var_15C], eax
		mov	eax, [esp+1A8h+var_18C]

loc_797DC0:				; CODE XREF: PsCreateSystemThreadEx+F1j
		test	esi, esi
		jz	short loc_797DD6

loc_797DC4:				; CODE XREF: PsCreateSystemThreadEx+EDj
		mov	[esp+1A8h+var_14C], 1000h
		lea	edi, [esp+1A8h+var_8C]
		movsd
		movsd
		movsd

loc_797DD6:				; CODE XREF: PsCreateSystemThreadEx+12Ej
		test	eax, eax
		jnz	loc_797E9C

loc_797DDE:				; CODE XREF: PsCreateSystemThreadEx+219j
		mov	eax, [esp+1A8h+var_190]

loc_797DE2:				; CODE XREF: PsCreateSystemThreadEx+E5j
		mov	esi, [esp+1A8h+var_188]
		test	esi, esi
		jnz	loc_797E84
		xor	edx, edx
		mov	[esp+1A8h+var_174], 18h
		mov	[esp+1A8h+var_170], edx
		mov	[esp+1A8h+var_168], 200h
		mov	[esp+1A8h+var_16C], edx
		mov	[esp+1A8h+var_164], edx
		mov	[esp+1A8h+var_160], edx

loc_797E10:				; CODE XREF: PsCreateSystemThreadEx+203j
		mov	eax, [eax]
		lea	ecx, [esp+1A8h+var_150]
		push	edx
		push	[esp+1ACh+var_184]
		and	eax, 1000h
		push	[esp+1B0h+var_180]
		neg	eax
		push	edx
		push	edx
		push	edx
		push	[esp+1C0h+var_17C]
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, [esp+1C4h+var_178]
		push	eax
		push	ebx
		push	edx
		mov	edx, [ebp+arg_4]
		lea	eax, [esp+1D0h+var_174]
		push	eax
		call	PspCreateThread
		mov	esi, eax
		cmp	[esp+1A8h+var_195], 0
		jz	short loc_797E5A
		mov	edx, 72437350h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_797E5A:				; CODE XREF: PsCreateSystemThreadEx+C0j
					; PsCreateSystemThreadEx+1B8j
		mov	ecx, [esp+1A8h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_797E73:				; CODE XREF: PsCreateSystemThreadEx+99j
		mov	eax, ds:_PspSystemPartition
		mov	ebx, [eax+34h]
		mov	[esp+1A8h+var_194], ebx
		jmp	loc_797D69
; 

loc_797E84:				; CODE XREF: PsCreateSystemThreadEx+154j
		push	6
		pop	ecx
		lea	edi, [esp+1A8h+var_174]
		rep movsd
		or	[esp+1A8h+var_168], 200h
		xor	edx, edx
		jmp	loc_797E10
; 

loc_797E9C:				; CODE XREF: PsCreateSystemThreadEx+144j
		mov	eax, [eax]
		or	[esp+1A8h+var_14C], 4000h
		mov	[esp+1A8h+var_B8], eax
		jmp	loc_797DDE
PsCreateSystemThreadEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmKmStoreCreatePrepare proc near	; CODE XREF: SmProcessCreateRequest+AFp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E642D SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx]
		push	ebx
		push	esi
		xor	esi, esi
		mov	bl, dl
		mov	edx, esi
		mov	[ebp+var_4], edx
		push	edi
		lea	edi, [ecx+4]
		cmp	al, 6
		jnz	short loc_797F04
		cmp	eax, 400h
		jnb	short loc_797F04
		test	bl, bl
		jnz	loc_8E6414
		cmp	[edi], dl
		jnz	loc_8E642D

loc_797EE4:				; CODE XREF: PsCreateSystemThreadEx+14E789j
		mov	ebx, esi
		mov	ecx, esi

loc_797EE8:				; CODE XREF: SmKmStoreCreatePrepare+14E5B4j
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		mov	[eax+4], edx
		mov	[eax+8], ebx
		mov	[eax+0Ch], ecx
		mov	eax, [ebp+arg_0]
		mov	[eax], edx

loc_797EFB:				; CODE XREF: SmKmStoreCreatePrepare+57j
					; PsCreateSystemThreadEx+14E794j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_797F04:				; CODE XREF: SmKmStoreCreatePrepare+19j
					; SmKmStoreCreatePrepare+20j
		mov	esi, 0C000000Dh
		jmp	short loc_797EFB
SmKmStoreCreatePrepare endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmpDirtyStoreCreate(x, x, x, x)
_SmpDirtyStoreCreate@16	proc near	; CODE XREF: SmpKeyedStoreCreate+2Cp
					; SmProcessConfigRequest+136p ...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+50h+var_4], eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		lea	eax, [esp+58h+var_3C]
		push	38h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[esp+64h+var_48], edx
		mov	[esp+64h+var_4C], ecx
		call	_memset
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	esi, ds:dword_718474
		and	eax, 1
		shl	eax, 9
		mov	ecx, esi
		or	eax, 106h
		mov	[esp+64h+var_34], 80h
		and	ecx, 10h
		mov	[esp+64h+var_3C], eax
		mov	eax, [esp+64h+var_38]
		or	ecx, 40h
		and	eax, 0FFFEFF00h
		shl	ecx, 0Ch
		or	ecx, eax
		mov	[esp+64h+var_30], 20000h
		add	esp, 0Ch
		mov	eax, esi
		cmp	[ebp+arg_0], edx
		jz	short loc_797FFF
		and	al, 0Ch
		cmp	al, 8

loc_797F8B:				; CODE XREF: SmpDirtyStoreCreate(x,x,x,x)+F7j
		mov	eax, [esp+58h+var_48]
		setz	dl
		shl	edx, 4
		and	esi, 40h
		or	esi, edx
		and	ecx, 0FFF5FFFFh
		shl	esi, 0Dh
		or	esi, ecx
		mov	ecx, 400h
		mul	ecx
		mov	[esp+58h+var_38], esi
		mov	ecx, 40000h
		shld	edx, eax, 0Ah
		shl	eax, 0Ah
		shrd	eax, edx, 11h
		shr	edx, 11h
		test	edx, edx
		jnz	short loc_798005
		cmp	eax, ecx
		jnb	short loc_798005

loc_797FCB:				; CODE XREF: SmpDirtyStoreCreate(x,x,x,x)+FBj
		mov	ecx, [esp+58h+var_4C]
		lea	edx, [esp+58h+var_3C]
		push	0
		push	38h
		mov	[esp+60h+var_2C], eax
		call	SmProcessCreateRequest
		test	eax, eax
		js	short loc_797FEC
		mov	eax, [esp+58h+var_8]
		mov	[edi], eax
		xor	eax, eax

loc_797FEC:				; CODE XREF: SmpDirtyStoreCreate(x,x,x,x)+D6j
		mov	ecx, [esp+58h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_797FFF:				; CODE XREF: SmpDirtyStoreCreate(x,x,x,x)+79j
		and	al, 3
		cmp	al, 2
		jmp	short loc_797F8B
; 

loc_798005:				; CODE XREF: SmpDirtyStoreCreate(x,x,x,x)+B9j
					; SmpDirtyStoreCreate(x,x,x,x)+BDj
		mov	eax, ecx
		jmp	short loc_797FCB
_SmpDirtyStoreCreate@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmpKeyedStoreCreate proc near		; CODE XREF: SmProcessCreateNotification(x,x)+1Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E646B SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		or	[esp+0Ch+var_C], 0FFFFFFFFh
		mov	eax, edx
		push	ebx
		push	esi
		mov	[esp+14h+var_4], ecx
		mov	edx, 80h
		push	edi
		lea	ecx, [esp+18h+var_C]
		mov	[esp+18h+var_8], eax
		push	ecx
		push	1
		mov	ecx, eax
		xor	esi, esi
		call	_SmpDirtyStoreCreate@16	; SmpDirtyStoreCreate(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7980A8
		push	18h
		mov	edx, 53506D73h
		pop	ecx
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8E646B
		push	6
		pop	ecx
		xor	eax, eax
		lea	edx, [esi+4]
		mov	edi, esi
		rep stosd
		mov	eax, [ebp+arg_0]
		mov	edi, [esp+18h+var_C]
		mov	ecx, [esp+18h+var_4]
		push	0
		push	1
		mov	[edx], eax
		mov	[esi+8], di
		call	_SmpKeyedStoreEntryGet@16 ; SmpKeyedStoreEntryGet(x,x,x,x)
		test	eax, eax
		jz	short loc_7980A1
		or	edi, 0FFFFFFFFh
		xor	esi, esi
		xor	ebx, ebx

loc_798089:				; CODE XREF: SmpKeyedStoreCreate+9Cj
					; SmpKeyedStoreCreate+A2j
		cmp	edi, 0FFFFFFFFh
		jnz	loc_8E6475

loc_798092:				; CODE XREF: SmpKeyedStoreCreate+14E49Cj
		test	esi, esi
		jnz	short loc_7980AE

loc_798096:				; CODE XREF: SmpKeyedStoreCreate+ABj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7980A1:				; CODE XREF: SmpKeyedStoreCreate+76j
		mov	ebx, 0C000009Ah
		jmp	short loc_798089
; 

loc_7980A8:				; CODE XREF: SmpKeyedStoreCreate+35j
					; SmpKeyedStoreCreate+14E466j
		mov	edi, [esp+18h+var_C]
		jmp	short loc_798089
; 

loc_7980AE:				; CODE XREF: SmpKeyedStoreCreate+8Aj
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_798096
SmpKeyedStoreCreate endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SmCrEncCleanup(x)
_SmCrEncCleanup@4 proc near		; CODE XREF: ST_STORE<SM_TRAITS>::StCleanup(ST_STORE<SM_TRAITS>	*)+76p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+8]
		test	ecx, ecx
		jnz	short loc_7980E5

loc_7980C4:				; CODE XREF: SmCrEncCleanup(x)+32j
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jnz	short loc_7980EC

loc_7980CB:				; CODE XREF: SmCrEncCleanup(x)+39j
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jnz	short loc_7980F3

loc_7980D2:				; CODE XREF: SmCrEncCleanup(x)+40j
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jnz	short loc_7980FA

loc_7980D9:				; CODE XREF: SmCrEncCleanup(x)+47j
		mov	ecx, [esi]
		pop	esi
		test	ecx, ecx
		jnz	_BCryptCloseAlgorithmProvider@8	; BCryptCloseAlgorithmProvider(x,x)
		retn
; 

loc_7980E5:				; CODE XREF: SmCrEncCleanup(x)+Aj
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_7980C4
; 

loc_7980EC:				; CODE XREF: SmCrEncCleanup(x)+11j
		call	_BCryptDestroyKey@4 ; BCryptDestroyKey(x)
		jmp	short loc_7980CB
; 

loc_7980F3:				; CODE XREF: SmCrEncCleanup(x)+18j
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_7980D2
; 

loc_7980FA:				; CODE XREF: SmCrEncCleanup(x)+1Fj
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_7980D9
_SmCrEncCleanup@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmKmStoreDelete	proc near		; CODE XREF: SmKmStoreDeleteWhenEmptyWorker(x)+33p
					; SmProcessCreateRequest+14EA12p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008E64AB SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, edx
		push	ebx
		push	esi
		mov	[ebp+var_4], eax
		mov	esi, ecx
		and	eax, 3FFh
		push	edi
		mov	edx, eax
		mov	[ebp+var_10], eax
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		mov	edi, eax
		mov	[ebp+var_C], edi
		test	edi, edi
		jz	loc_8E64AB
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ebx, [edi+8]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		movzx	eax, word ptr [edi+10h]
		mov	edx, [ebp+var_4]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		and	ecx, 3Fh
		shr	edx, 0Ah
		or	eax, 0FFFFFFFFh
		cmp	edx, ecx
		jnz	loc_8E64F9
		mov	ecx, [edi]
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	loc_8E64F9
		cmp	ecx, eax
		jz	loc_8E64F9
		cmp	[ebp+arg_0], 0
		jnz	loc_8E64B5

loc_798186:				; CODE XREF: SmKmStoreDelete+14E3BDj
		push	7
		push	ecx
		push	esi
		call	dword ptr [esi+80h]
		lea	ecx, [edi+4]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		xor	ecx, ecx
		call	_SmEtwEnabled@4	; SmEtwEnabled(x)
		mov	dword ptr [ebp+arg_0], eax
		test	eax, eax
		jnz	loc_8E64CC

loc_7981AA:				; CODE XREF: SmKmStoreDelete+14E3E3j
		push	2
		push	[ebp+var_4]
		push	esi
		call	dword ptr [esi+80h]
		mov	eax, [ebp+var_C]
		xor	edi, edi
		mov	[eax], edi
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+0E0h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_10]
		cmp	[esi+0ECh], eax
		jz	short loc_79824D

loc_7981E3:				; CODE XREF: SmKmStoreDelete+152j
		sub	dword ptr [esi+0E4h], 1
		jz	loc_8E64EA

loc_7981F0:				; CODE XREF: SmKmStoreDelete+14E3F2j
		or	eax, 0FFFFFFFFh
		lea	ecx, [esi+0E0h]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_79820E
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi+0E0h]

loc_79820E:				; CODE XREF: SmKmStoreDelete+FFj
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_79822C
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_79822C:				; CODE XREF: SmKmStoreDelete+121j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	1
		push	[ebp+var_4]
		push	esi
		call	dword ptr [esi+80h]

loc_798244:				; CODE XREF: SmKmStoreDelete+14E3AEj
					; SmKmStoreDelete+14E419j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_79824D:				; CODE XREF: SmKmStoreDelete+DFj
		or	dword ptr [esi+0ECh], 0FFFFFFFFh
		jmp	short loc_7981E3
SmKmStoreDelete	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmStoreSetProcessVaRanges(x, x)
_SmStoreSetProcessVaRanges@8 proc near	; CODE XREF: MmInSwapWorkingSet+A3p
					; MmOutSwapWorkingSet+582p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		mov	eax, [eax+80h]
		mov	[ebp+var_4], eax
		push	edi
		test	edx, edx
		jz	short loc_79829B
		mov	edi, edx
		mov	edx, 52566D73h
		shl	edi, 3
		mov	ecx, edi
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7982C2
		push	edi		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch

loc_79829B:				; CODE XREF: SmStoreSetProcessVaRanges(x,x)+1Ej
		push	ecx
		push	ecx
		mov	edx, eax
		mov	ecx, offset unk_718478
		call	_SmpKeyedStoreSetVaRanges@16 ; SmpKeyedStoreSetVaRanges(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_7982C9

loc_7982AF:				; CODE XREF: SmStoreSetProcessVaRanges(x,x)+77j
		test	esi, esi
		jz	short loc_7982BB
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7982BB:				; CODE XREF: SmStoreSetProcessVaRanges(x,x)+5Bj
					; SmStoreSetProcessVaRanges(x,x)+71j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7982C2:				; CODE XREF: SmStoreSetProcessVaRanges(x,x)+35j
		mov	edi, 0C000009Ah
		jmp	short loc_7982BB
; 

loc_7982C9:				; CODE XREF: SmStoreSetProcessVaRanges(x,x)+57j
		xor	esi, esi
		xor	edi, edi
		jmp	short loc_7982AF
_SmStoreSetProcessVaRanges@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTraceWorkingSetSwap proc near	; CODE XREF: MmInSwapWorkingSet+35p
					; MmInSwapWorkingSet+14Cp ...

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E6520 SIZE 000000D6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, dword_6BC304
		mov	ebx, edx
		push	edi
		mov	edi, _EtwpMemoryProvRegHandle
		push	0
		push	80h
		push	0
		push	esi
		push	edi
		mov	[ebp+var_68], ecx
		call	EtwProviderEnabled
		test	al, al
		jnz	loc_8E6520

loc_79830E:				; CODE XREF: EtwTraceWorkingSetSwap+14E321j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
EtwTraceWorkingSetSwap endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiFreeReservationRuns(x, x,	x)
_MiFreeReservationRuns@12 proc near	; CODE XREF: MmOutSwapVirtualAddresses+289p
					; MmOutSwapWorkingSet+40Fp ...
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		lea	edi, [esi+50h]
		jmp	short loc_79833B
; 

loc_79832F:				; CODE XREF: MiFreeReservationRuns(x,x,x)+1Dj
		mov	edx, esi
		mov	ecx, ebx
		call	_MiFreeReservationRun@8	; MiFreeReservationRun(x,x)
		add	esi, 10h

loc_79833B:				; CODE XREF: MiFreeReservationRuns(x,x,x)+Dj
		cmp	esi, edi
		jb	short loc_79832F
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		retn	4
_MiFreeReservationRuns@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeReservationRun(x, x)
_MiFreeReservationRun@8	proc near	; CODE XREF: MiFreeReservationRuns(x,x,x)+13p
					; MiFreeWorkingSetSwapContext(x,x)+32p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ecx
		push	edi
		cmp	dword ptr [esi+8], 0
		jnz	short loc_79835F

loc_79835A:				; CODE XREF: MiFreeReservationRun(x,x)+53j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_79835F:				; CODE XREF: MiFreeReservationRun(x,x)+12j
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		call	_MiGetPageFileHigh@8 ; MiGetPageFileHigh(x,x)
		mov	edi, eax
		mov	ebx, edx

loc_79836D:				; CODE XREF: MiFreeReservationRun(x,x)+51j
		push	dword ptr [esi+4]
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		push	dword ptr [esi]
		call	MiReleasePageFileInfo
		push	dword ptr [esi+4]
		add	edi, 1
		push	dword ptr [esi]
		adc	ebx, 0
		push	ebx
		push	edi
		call	_MiUpdatePageFileHighInPte@16 ;	MiUpdatePageFileHighInPte(x,x,x,x)
		sub	dword ptr [esi+8], 1
		mov	[esi], eax
		mov	[esi+4], edx
		jnz	short loc_79836D
		jmp	short loc_79835A
_MiFreeReservationRun@8	endp

; 
		align 4

;  S U B	R O U T	I N E 


MiContractWsSwapPageFile proc near	; CODE XREF: MmInSwapWorkingSet+13Cp
					; MiTrimUnusedPageFileRegionsWorker(x)+502p ...

; FUNCTION CHUNK AT 008E65F6 SIZE 00000052 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_MiNumberWsSwapPagefiles@4 ; MiNumberWsSwapPagefiles(x)
		test	eax, eax
		jz	short loc_7983C6
		mov	ecx, esi
		call	_MiWsSwapPageFileNumber@4 ; MiWsSwapPageFileNumber(x)
		mov	edx, 10000h
		mov	ecx, [esi+eax*4+0F54h]
		cmp	[ecx+0Ch], edx
		jnb	loc_8E65F6

loc_7983C6:				; CODE XREF: MiContractWsSwapPageFile+Cj
					; MiContractWsSwapPageFile+14E25Dj ...
		pop	esi
		retn
MiContractWsSwapPageFile endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQuerySection	proc near		; DATA XREF: .text:00580E18o

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008E6648 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008E666F SIZE 00000026 BYTES

		push	18h
		push	offset dword_6A1F08
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jz	loc_798498
		and	[ebp+ms_exc.disabled], 0
		push	4
		pop	esi
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_798416
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8E6648

loc_798412:				; CODE XREF: NtQuerySection+14E282j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_798416:				; CODE XREF: NtQuerySection+3Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_79841D:				; CODE XREF: NtQuerySection+D3j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_79849D
		push	10h

loc_798426:				; CODE XREF: NtQuerySection+E0j
		pop	esi

loc_798427:				; CODE XREF: NtQuerySection+14E2AAj
					; NtQuerySection+14E2B3j
		cmp	[ebp+arg_C], esi
		jb	loc_8E668B
		mov	eax, ds:_MmSectionObjectType
		and	[ebp+var_1C], 0
		push	0
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_798484
		push	[ebp+arg_8]
		push	edi
		push	[ebp+var_1C]
		call	_MmGetSectionInformation@12 ; MmGetSectionInformation(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_79847C
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_79847C
		mov	[ebp+ms_exc.disabled], 1
		mov	[ecx], esi

loc_798475:				; CODE XREF: sub_8E66A3+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_79847C:				; CODE XREF: NtQuerySection+9Bj
					; NtQuerySection+A2j
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject

loc_798484:				; CODE XREF: NtQuerySection+89j
		mov	eax, ebx

loc_798486:				; CODE XREF: sub_8E665D+Dj
					; NtQuerySection+14E2BEj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_798498:				; CODE XREF: NtQuerySection+1Dj
		push	4
		pop	esi
		jmp	short loc_79841D
; 

loc_79849D:				; CODE XREF: NtQuerySection+5Aj
		cmp	edi, 1
		jnz	loc_8E666F
		push	30h
		jmp	loc_798426
NtQuerySection	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1413. MmGetSectionInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetSectionInformation(x, x, x)
		public _MmGetSectionInformation@12
_MmGetSectionInformation@12 proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5D0p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A73p ...

var_58		= dword	ptr -58h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	48h
		push	offset dword_6A1F30
		call	__SEH_prolog4
		push	34h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		lea	eax, [ebp+var_58]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, [ebp+arg_0]
		mov	edx, [ecx+20h]
		mov	esi, ebx
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		call	_MiAweControlArea@4 ; MiAweControlArea(x)
		test	eax, eax
		jz	short loc_7984F4
		mov	eax, 0C000000Dh
		jmp	loc_7986DC
; 

loc_7984F4:				; CODE XREF: MmGetSectionInformation(x,x,x)+36j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_798570
		mov	esi, edx
		and	esi, 1000h
		shl	esi, 0Eh
		test	edx, 2000h
		jz	short loc_798514
		or	esi, 8000000h

loc_798514:				; CODE XREF: MmGetSectionInformation(x,x,x)+5Aj
		test	dl, 20h
		jz	short loc_79851E
		mov	esi, 1000000h

loc_79851E:				; CODE XREF: MmGetSectionInformation(x,x,x)+65j
		test	dl, 40h
		jz	short loc_798529
		or	esi, 200000h

loc_798529:				; CODE XREF: MmGetSectionInformation(x,x,x)+6Fj
		test	dl, dl
		jns	short loc_798533
		or	esi, 800000h

loc_798533:				; CODE XREF: MmGetSectionInformation(x,x,x)+79j
		test	edx, edx
		jns	short loc_79853D
		or	esi, 80000h

loc_79853D:				; CODE XREF: MmGetSectionInformation(x,x,x)+83j
		mov	eax, [ecx]
		movzx	eax, word ptr [eax+8]
		test	ax, ax
		jns	short loc_79854E
		or	esi, 10000000h

loc_79854E:				; CODE XREF: MmGetSectionInformation(x,x,x)+94j
		test	eax, 4000h
		jz	short loc_79855B
		or	esi, 40000000h

loc_79855B:				; CODE XREF: MmGetSectionInformation(x,x,x)+A1j
		mov	eax, [ecx+1Ch]
		and	eax, 20020h
		cmp	eax, 20020h
		jnz	short loc_798570
		or	esi, 20000000h

loc_798570:				; CODE XREF: MmGetSectionInformation(x,x,x)+47j
					; MmGetSectionInformation(x,x,x)+B6j
		mov	[ebp+ms_exc.disabled], ebx
		test	edi, edi
		jnz	short loc_798599
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+0Ch]
		shl	eax, 0Ch
		mov	edx, [ebp+arg_8]
		mov	[edx], eax
		mov	eax, [ecx+18h]
		mov	ecx, [ecx+1Ch]
		mov	[edx+8], eax
		mov	[edx+0Ch], ecx
		mov	[edx+4], esi
		jmp	loc_7986D3
; 

loc_798599:				; CODE XREF: MmGetSectionInformation(x,x,x)+C3j
		cmp	edi, 1
		jz	short loc_7985EF
		cmp	edi, 4
		jz	short loc_7985EF
		test	dl, 20h
		jz	short loc_7985F4
		mov	eax, [ecx+38h]
		mov	edx, [eax+10h]
		test	edx, edx
		jnz	short loc_7985B6
		mov	edx, ebx
		jmp	short loc_7985B9
; 

loc_7985B6:				; CODE XREF: MmGetSectionInformation(x,x,x)+FEj
		mov	edx, [edx+14h]

loc_7985B9:				; CODE XREF: MmGetSectionInformation(x,x,x)+102j
		cmp	edi, 2
		jnz	short loc_7985DE
		test	dword ptr [ecx+1Ch], 10000000h
		jz	short loc_7985D4
		mov	eax, [ecx]
		mov	ecx, dword_6D05F0
		sub	ecx, [eax+18h]
		add	edx, ecx

loc_7985D4:				; CODE XREF: MmGetSectionInformation(x,x,x)+113j
		mov	eax, [ebp+arg_8]
		mov	[eax], edx
		jmp	loc_7986D3
; 

loc_7985DE:				; CODE XREF: MmGetSectionInformation(x,x,x)+10Aj
		mov	eax, [ecx]
		mov	ecx, [eax+18h]
		sub	ecx, edx
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		jmp	loc_7986D3
; 

loc_7985EF:				; CODE XREF: MmGetSectionInformation(x,x,x)+EAj
					; MmGetSectionInformation(x,x,x)+EFj
		test	dl, 20h
		jnz	short loc_7985FE

loc_7985F4:				; CODE XREF: MmGetSectionInformation(x,x,x)+F4j
		mov	ebx, 0C0000049h
		jmp	loc_7986D0
; 

loc_7985FE:				; CODE XREF: MmGetSectionInformation(x,x,x)+140j
		mov	eax, [ecx]
		mov	eax, [eax+24h]
		mov	[ebp+arg_0], eax
		push	0Ch
		pop	ecx
		mov	esi, eax
		lea	edi, [ebp+var_58]
		rep movsd
		mov	ecx, [ebp+var_20]
		test	dword ptr [ecx+1Ch], 10000000h
		jz	short loc_79862E
		mov	eax, [ebp+var_58]
		movzx	eax, ax
		mov	[ebp+var_58], eax
		or	eax, dword_6D05F0
		mov	[ebp+var_58], eax

loc_79862E:				; CODE XREF: MmGetSectionInformation(x,x,x)+168j
		cmp	[ebp+arg_4], 4
		jnz	short loc_7986AF
		call	_MiGetControlAreaLoadConfig@4 ;	MiGetControlAreaLoadConfig(x)
		mov	ecx, eax
		mov	eax, ebx
		mov	[ebp+var_28], eax
		mov	edx, ebx
		test	ecx, ecx
		jz	short loc_798654
		test	byte ptr [ecx],	10h
		jz	short loc_798654
		xor	eax, eax
		inc	eax
		mov	[ebp+var_28], eax
		xor	edx, edx
		inc	edx

loc_798654:				; CODE XREF: MmGetSectionInformation(x,x,x)+192j
					; MmGetSectionInformation(x,x,x)+197j
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+3Ch]
		test	cl, 1
		jz	short loc_798669
		mov	eax, edx
		or	eax, 2
		mov	[ebp+var_28], eax
		mov	edx, eax

loc_798669:				; CODE XREF: MmGetSectionInformation(x,x,x)+1ABj
		test	cl, 2
		jz	short loc_798678
		mov	eax, edx
		or	eax, 8
		mov	[ebp+var_28], eax
		mov	edx, eax

loc_798678:				; CODE XREF: MmGetSectionInformation(x,x,x)+1BAj
		test	cl, 4
		jz	short loc_798685
		mov	eax, edx
		or	eax, 10h
		mov	[ebp+var_28], eax

loc_798685:				; CODE XREF: MmGetSectionInformation(x,x,x)+1C9j
		test	cl, 8
		jz	short loc_798690
		or	eax, 20h
		mov	[ebp+var_28], eax

loc_798690:				; CODE XREF: MmGetSectionInformation(x,x,x)+1D6j
		test	cl, 10h
		jz	short loc_79869B
		or	eax, 40h
		mov	[ebp+var_28], eax

loc_79869B:				; CODE XREF: MmGetSectionInformation(x,x,x)+1E1j
		test	cl, 20h
		jz	short loc_7986A8
		or	eax, 80h
		mov	[ebp+var_28], eax

loc_7986A8:				; CODE XREF: MmGetSectionInformation(x,x,x)+1ECj
		push	0Dh
		lea	esi, [ebp+var_58]
		jmp	short loc_7986B4
; 

loc_7986AF:				; CODE XREF: MmGetSectionInformation(x,x,x)+180j
		push	0Ch
		lea	esi, [ebp+var_58]

loc_7986B4:				; CODE XREF: MmGetSectionInformation(x,x,x)+1FBj
		pop	ecx
		mov	edi, [ebp+arg_8]
		rep movsd
		jmp	short loc_7986D3
; 

loc_7986BC:				; DATA XREF: .text:006A1F44o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7986CA:				; DATA XREF: .text:006A1F48o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_24]

loc_7986D0:				; CODE XREF: MmGetSectionInformation(x,x,x)+147j
		mov	[ebp+var_1C], ebx

loc_7986D3:				; CODE XREF: MmGetSectionInformation(x,x,x)+E2j
					; MmGetSectionInformation(x,x,x)+127j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ebx

loc_7986DC:				; CODE XREF: MmGetSectionInformation(x,x,x)+3Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MmGetSectionInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpMapLegacyPortView(x, x, x)
_AlpcpMapLegacyPortView@12 proc	near	; CODE XREF: PAGE:0079A502p
					; AlpcpFormatConnectionRequest+127p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+38h+var_28], ecx
		lea	edi, [esp+38h+var_10]
		mov	esi, edx
		stosd
		xor	ebx, ebx
		mov	[esp+38h+var_14], esi
		mov	[esp+38h+var_24], ebx
		mov	ecx, [esi+4]
		stosd
		mov	[esp+38h+var_20], ebx
		mov	[esp+38h+var_18], ecx
		stosd
		stosd
		test	ecx, ecx
		jnz	short loc_79872F
		mov	eax, 0C0000008h
		jmp	loc_798879
; 

loc_79872F:				; CODE XREF: AlpcpMapLegacyPortView(x,x,x)+35j
		mov	eax, large fs:124h
		lea	edx, [esp+38h+var_2C]
		push	ebx
		push	edx
		mov	[esp+40h+var_2C], ebx
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+40h+var_1C], al
		push	[esp+40h+var_1C]
		mov	eax, ds:_MmSectionObjectType
		push	eax
		push	6
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_798877
		lea	eax, [esp+38h+var_10]
		push	eax
		push	ebx
		push	[esp+40h+var_2C]
		call	_MmGetSectionInformation@12 ; MmGetSectionInformation(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_79886E
		test	[esp+38h+var_C], 800000h
		jnz	loc_798869
		mov	edi, [esp+38h+var_8]
		cmp	ebx, [esp+38h+var_4]
		jnz	loc_798869
		mov	ecx, ds:_AlpcpViewGranularity
		lea	ebx, [ecx-1]
		add	ebx, [esi+8]
		lea	edx, [ecx-1]
		mov	esi, [esi+0Ch]
		not	edx
		dec	esi
		and	ebx, edx
		add	esi, ecx
		and	esi, edx
		lea	eax, [esi+ebx]
		cmp	eax, ebx
		jnb	short loc_7987C6
		mov	edi, 0C000000Dh
		jmp	loc_79886E
; 

loc_7987C6:				; CODE XREF: AlpcpMapLegacyPortView(x,x,x)+CCj
		cmp	eax, edi
		jbe	short loc_7987D4
		mov	edi, 0C000009Ah
		jmp	loc_79886E
; 

loc_7987D4:				; CODE XREF: AlpcpMapLegacyPortView(x,x,x)+DAj
		test	esi, esi
		jnz	short loc_7987DC
		mov	esi, edi
		sub	esi, ebx

loc_7987DC:				; CODE XREF: AlpcpMapLegacyPortView(x,x,x)+E8j
		mov	ecx, [esp+38h+var_28]
		lea	eax, [esp+38h+var_24]
		push	eax
		push	edi
		push	[esp+40h+var_18]
		xor	dl, dl
		push	0
		call	_AlpcpCreateSection@24 ; AlpcpCreateSection(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_79886E
		mov	edx, [esp+38h+var_28]
		lea	eax, [esp+38h+var_20]
		push	eax
		push	esi
		push	ebx
		mov	ebx, [esp+44h+var_24]
		mov	ecx, ebx
		call	_AlpcpCreateSectionView@20 ; AlpcpCreateSectionView(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_798830
		mov	ecx, ebx
		call	AlpcpDeleteBlob
		test	al, al
		jz	short loc_798827
		mov	ecx, ebx
		call	_AlpcpDereferenceView@4	; AlpcpDereferenceView(x)

loc_798827:				; CODE XREF: AlpcpMapLegacyPortView(x,x,x)+130j
					; AlpcpMapLegacyPortView(x,x,x)+179j
		mov	ecx, ebx
		call	_AlpcpDereferenceView@4	; AlpcpDereferenceView(x)
		jmp	short loc_79886E
; 

loc_798830:				; CODE XREF: AlpcpMapLegacyPortView(x,x,x)+125j
		mov	ecx, [esp+38h+var_14]
		mov	esi, [esp+38h+var_20]
		mov	dword ptr [ecx], 18h
		mov	eax, [esi+14h]
		mov	[ecx+10h], eax
		mov	eax, [esi+18h]
		and	dword ptr [ecx+14h], 0
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[eax+14h], esi
		mov	ecx, [esi+8]
		call	AlpcpLockForCachedReferenceBlob
		inc	dword ptr [esi+28h]
		mov	ecx, [esi+8]
		call	AlpcpUnlockBlob
		jmp	short loc_798827
; 

loc_798869:				; CODE XREF: AlpcpMapLegacyPortView(x,x,x)+98j
					; AlpcpMapLegacyPortView(x,x,x)+A6j
		mov	edi, 0C00000BBh

loc_79886E:				; CODE XREF: AlpcpMapLegacyPortView(x,x,x)+8Aj
					; AlpcpMapLegacyPortView(x,x,x)+D3j ...
		mov	ecx, [esp+38h+var_2C]
		call	ObfDereferenceObject

loc_798877:				; CODE XREF: AlpcpMapLegacyPortView(x,x,x)+71j
		mov	eax, edi

loc_798879:				; CODE XREF: AlpcpMapLegacyPortView(x,x,x)+3Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_AlpcpMapLegacyPortView@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtPulseEvent	proc near		; DATA XREF: .text:00580EB8o

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E66AE SIZE 00000028 BYTES
; FUNCTION CHUNK AT 008E66F6 SIZE 0000000F BYTES
; FUNCTION CHUNK AT 008E6708 SIZE 0000000C BYTES
; FUNCTION CHUNK AT 008E6718 SIZE 00000007 BYTES

		push	14h
		push	offset dword_6A1F50
		call	__SEH_prolog4
		xor	esi, esi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_24], bl
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	loc_8E66AE

loc_7988AA:				; CODE XREF: NtPulseEvent+14DE2Ej
					; NtPulseEvent+14DE4Fj
		mov	eax, ds:_ExEventObjectType
		mov	[ebp+var_1C], esi
		push	esi
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_7988D9
		push	esi
		push	1
		push	[ebp+var_1C]
		call	KePulseEvent
		mov	esi, eax

loc_7988D9:				; CODE XREF: NtPulseEvent+48j
		cmp	[ebp+arg_4], 0
		jl	short loc_7988E7
		test	edi, edi
		jnz	loc_8E66F6

loc_7988E7:				; CODE XREF: NtPulseEvent+5Bj
					; NtPulseEvent+14DE8Dj	...
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jz	short loc_7988F3
		call	ObfDereferenceObject

loc_7988F3:				; CODE XREF: NtPulseEvent+6Aj
		mov	eax, [ebp+arg_4]

loc_7988F6:				; CODE XREF: sub_8E66E4+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
NtPulseEvent	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAlpcCreatePortSection(x, x, x, x,	x, x)
_NtAlpcCreatePortSection@24 proc near	; DATA XREF: .text:00581238o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		push	18h
		push	offset dword_6A1F78
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_1C], edx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		test	[ebp+arg_4], 0FFFBFFFFh
		jz	short loc_798946

loc_79893C:				; CODE XREF: NtAlpcCreatePortSection(x,x,x,x,x,x)+50j
		mov	edi, 0C000000Dh
		jmp	loc_798A82
; 

loc_798946:				; CODE XREF: NtAlpcCreatePortSection(x,x,x,x,x,x)+32j
		mov	esi, [ebp+arg_8]
		test	[ebp+arg_4], 40000h
		jnz	short loc_798956
		mov	bh, dl
		jmp	short loc_79895C
; 

loc_798956:				; CODE XREF: NtAlpcCreatePortSection(x,x,x,x,x,x)+48j
		test	esi, esi
		jnz	short loc_79893C
		mov	bh, 1

loc_79895C:				; CODE XREF: NtAlpcCreatePortSection(x,x,x,x,x,x)+4Cj
		test	bl, bl
		jz	short loc_79898E
		mov	[ebp+ms_exc.disabled], edx
		mov	ecx, [ebp+arg_10]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_798971
		mov	ecx, eax

loc_798971:				; CODE XREF: NtAlpcCreatePortSection(x,x,x,x,x,x)+65j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_14]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_798983
		mov	ecx, eax

loc_798983:				; CODE XREF: NtAlpcCreatePortSection(x,x,x,x,x,x)+77j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_79898E:				; CODE XREF: NtAlpcCreatePortSection(x,x,x,x,x,x)+56j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4], al
		mov	eax, ds:_AlpcPortObjectType
		mov	[ebp+var_20], edx
		push	edx
		lea	ecx, [ebp+var_20]
		push	ecx
		push	[ebp+arg_4]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_798A82
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+arg_C]
		push	esi
		push	1
		mov	dl, bh
		mov	ecx, [ebp+var_20]
		call	_AlpcpCreateSection@24 ; AlpcpCreateSection(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_798A7A
		test	bl, bl
		jz	short loc_798A5D
		mov	[ebp+ms_exc.disabled], 1
		mov	ebx, [ebp+var_1C]
		mov	ecx, [ebx+0Ch]
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		mov	ecx, [ebx+4]
		mov	eax, [ebp+arg_14]
		mov	[eax], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_798A42
; 

loc_798A07:				; DATA XREF: .text:006A1F8Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_798A15:				; DATA XREF: .text:006A1F90o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_24]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_798A82
; 

loc_798A24:				; DATA XREF: .text:006A1F98o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_798A32:				; DATA XREF: .text:006A1F9Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_28]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_1C]

loc_798A42:				; CODE XREF: NtAlpcCreatePortSection(x,x,x,x,x,x)+FDj
		test	edi, edi
		jns	short loc_798A70
		mov	ecx, ebx
		call	AlpcpDeleteBlob
		test	al, al
		jz	short loc_798A70
		xor	edx, edx
		inc	edx
		mov	ecx, ebx
		call	AlpcpDereferenceBlobEx
		jmp	short loc_798A70
; 

loc_798A5D:				; CODE XREF: NtAlpcCreatePortSection(x,x,x,x,x,x)+DAj
		mov	ebx, [ebp+var_1C]
		mov	esi, [ebx+0Ch]
		mov	eax, [ebp+arg_10]
		mov	[eax], esi
		mov	esi, [ebx+4]
		mov	eax, [ebp+arg_14]
		mov	[eax], esi

loc_798A70:				; CODE XREF: NtAlpcCreatePortSection(x,x,x,x,x,x)+13Cj
					; NtAlpcCreatePortSection(x,x,x,x,x,x)+147j ...
		xor	edx, edx
		inc	edx
		mov	ecx, ebx
		call	AlpcpDereferenceBlobEx

loc_798A7A:				; CODE XREF: NtAlpcCreatePortSection(x,x,x,x,x,x)+D2j
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject

loc_798A82:				; CODE XREF: NtAlpcCreatePortSection(x,x,x,x,x,x)+39j
					; NtAlpcCreatePortSection(x,x,x,x,x,x)+B4j ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_NtAlpcCreatePortSection@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpCreateSection(x, x, x,	x, x, x)
_AlpcpCreateSection@24 proc near	; CODE XREF: AlpcpMapLegacyPortView(x,x,x)+100p
					; NtAlpcCreatePortSection(x,x,x,x,x,x)+C9p

var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		cmp	[ebp+arg_8], 0
		mov	al, dl
		push	ebx
		push	esi
		push	edi
		mov	[esp+28h+var_15], al
		mov	[esp+28h+var_14], ecx
		jz	loc_798CAD
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_798AD3
		test	al, al
		jnz	loc_798CAD

loc_798AD3:				; CODE XREF: AlpcpCreateSection(x,x,x,x,x,x)+27j
		push	1
		push	28h
		pop	edx
		mov	ecx, offset _AlpcSectionType
		call	@AlpcpAllocateBlob@12 ;	AlpcpAllocateBlob(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_798AF2

loc_798AE8:				; CODE XREF: AlpcpCreateSection(x,x,x,x,x,x)+1C3j
		mov	eax, 0C000009Ah
		jmp	loc_798CB2
; 

loc_798AF2:				; CODE XREF: AlpcpCreateSection(x,x,x,x,x,x)+44j
		xor	eax, eax
		mov	edi, esi
		push	0Ah
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_8]
		dec	ecx
		mov	eax, [eax+80h]
		mov	[esi+10h], eax
		mov	eax, ds:_AlpcpRegionGranularity
		add	ecx, eax
		dec	eax
		not	eax
		and	ecx, eax
		lea	eax, [esi+20h]
		mov	[esi+4], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		test	ebx, ebx
		jz	short loc_798B63
		mov	eax, large fs:124h
		lea	ecx, [esp+28h+var_10]
		xor	ebx, ebx
		push	ebx
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+30h+var_C], al
		push	[esp+30h+var_C]
		mov	eax, ds:_MmSectionObjectType
		push	eax
		push	6
		push	[ebp+arg_4]
		mov	[esp+40h+var_10], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	eax, [esp+28h+var_10]
		mov	[esi], eax
		jmp	short loc_798BA2
; 

loc_798B63:				; CODE XREF: AlpcpCreateSection(x,x,x,x,x,x)+85j
		mov	eax, [esi+4]
		xor	ebx, ebx
		mov	[esp+28h+var_8], eax
		movzx	eax, [esp+28h+var_15]
		add	eax, eax
		mov	[esp+28h+var_4], ebx
		xor	eax, [esi+18h]
		push	ebx
		and	eax, 2
		xor	eax, [esi+18h]
		push	ebx
		push	8000000h
		or	eax, 1
		push	4
		mov	[esi+18h], eax
		lea	eax, [esp+38h+var_8]
		push	eax
		push	ebx
		push	0F001Fh
		push	esi
		call	MmCreateSection
		mov	edi, eax

loc_798BA2:				; CODE XREF: AlpcpCreateSection(x,x,x,x,x,x)+BFj
		test	edi, edi
		js	short loc_798BE7
		mov	edi, [esp+28h+var_14]
		xor	edx, edx
		add	edi, 0D0h
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	eax, [esp+28h+var_14]
		test	byte ptr [eax+0F4h], 20h
		jz	short loc_798BF8
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_798BDB
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_798BDB:				; CODE XREF: AlpcpCreateSection(x,x,x,x,x,x)+130j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	edi, 0C0000037h

loc_798BE7:				; CODE XREF: AlpcpCreateSection(x,x,x,x,x,x)+102j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	eax, edi
		jmp	loc_798CB2
; 

loc_798BF8:				; CODE XREF: AlpcpCreateSection(x,x,x,x,x,x)+122j
		lea	ecx, [esi-4]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi-10h], 4
		mov	ecx, esi
		call	AlpcpReferenceBlob
		cmp	[ebp+arg_0], 0
		jz	short loc_798C6A
		mov	eax, [esp+28h+var_14]
		lea	edx, [esp+28h+var_C]
		mov	[esp+28h+var_C], esi
		mov	ecx, [eax+8]
		add	ecx, 14h
		mov	[esi+8], ecx
		call	@AlpcAddHandleTableEntry@8 ; AlpcAddHandleTableEntry(x,x)
		mov	[esi+0Ch], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_798C6A
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_798C4A
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_798C4A:				; CODE XREF: AlpcpCreateSection(x,x,x,x,x,x)+19Fj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, esi
		mov	[esi+8], ebx
		call	@AlpcpEndInitialization@4 ; AlpcpEndInitialization(x)
		push	2
		pop	edx
		mov	ecx, esi
		call	AlpcpDereferenceBlobEx
		jmp	loc_798AE8
; 

loc_798C6A:				; CODE XREF: AlpcpCreateSection(x,x,x,x,x,x)+16Fj
					; AlpcpCreateSection(x,x,x,x,x,x)+191j
		mov	ebx, [esp+28h+var_14]
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, esi
		mov	[esi+14h], ebx
		mov	ecx, ebx
		call	_AlpcpInsertResourcePort@8 ; AlpcpInsertResourcePort(x,x)
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_798C96
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_798C96:				; CODE XREF: AlpcpCreateSection(x,x,x,x,x,x)+1EBj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, esi
		call	@AlpcpEndInitialization@4 ; AlpcpEndInitialization(x)
		mov	eax, [ebp+arg_C]
		mov	[eax], esi
		xor	eax, eax
		jmp	short loc_798CB2
; 

loc_798CAD:				; CODE XREF: AlpcpCreateSection(x,x,x,x,x,x)+1Cj
					; AlpcpCreateSection(x,x,x,x,x,x)+2Bj
		mov	eax, 0C000000Dh

loc_798CB2:				; CODE XREF: AlpcpCreateSection(x,x,x,x,x,x)+4Bj
					; AlpcpCreateSection(x,x,x,x,x,x)+151j	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_AlpcpCreateSection@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAlpcConnectPortEx(x, x, x, x, x, x, x, x,	x, x, x)
_NtAlpcConnectPortEx@44	proc near	; DATA XREF: .text:00581244o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_28]
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	0
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	AlpcpConnectPort
		pop	ebp
		retn	2Ch
_NtAlpcConnectPortEx@44	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 799. IoCreateStreamFileObjectLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCreateStreamFileObjectLite(x, x)
		public _IoCreateStreamFileObjectLite@8
_IoCreateStreamFileObjectLite@8	proc near ; CODE XREF: RawMountVolume+DAp
					; IopInvalidateVolumesForDevice(x)+64p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	3
		pop	eax
		xor	ecx, ecx
		push	8
		mov	[ebp+var_C], ecx
		mov	word ptr [ebp+var_C+2],	ax
		pop	eax
		push	ecx
		mov	word ptr [ebp+var_C], ax
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ebp+var_C]
		mov	[ebp+var_4], ecx
		push	[ebp+arg_0]
		mov	[ebp+var_8], ecx
		push	eax
		call	IoCreateStreamFileObjectEx2
		mov	eax, [ebp+var_4]
		leave
		retn	8
_IoCreateStreamFileObjectLite@8	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 797. IoCreateStreamFileObjectEx2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoCreateStreamFileObjectEx2
IoCreateStreamFileObjectEx2 proc near	; CODE XREF: IoCreateStreamFileObjectLite(x,x)+30p
					; IoCreateStreamFileObjectEx(x,x,x)+30p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008E671F SIZE 000000B4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	ecx, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		mov	[esp+38h+var_28], esi
		mov	[esp+38h+var_20], esi
		mov	ax, [edi+2]
		and	ax, 2
		mov	[ecx], esi
		movzx	eax, ax
		mov	[esp+38h+var_1C], eax
		test	ebx, ebx
		jnz	loc_798ECA

loc_798D70:				; CODE XREF: IoCreateStreamFileObjectEx2+196j
		cmp	word ptr [edi],	8
		jnz	loc_8E671F
		test	ax, ax
		jz	short loc_798D87
		test	ebx, ebx
		jnz	loc_8E6748

loc_798D87:				; CODE XREF: IoCreateStreamFileObjectEx2+47j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	loc_8E673C
		mov	eax, [ebp+arg_8]
		mov	[esp+38h+var_24], eax
		test	eax, eax
		jz	loc_8E6748

loc_798DA1:				; CODE XREF: IoCreateStreamFileObjectEx2+14DA0Dj
		mov	dl, 1
		mov	ecx, eax
		call	IopIncrementDeviceObjectRefCount
		mov	edx, ds:_IoFileObjectType
		xor	eax, eax
		mov	word ptr [esp+38h+var_2C], ax
		lea	eax, [esp+38h+var_2C]
		push	eax
		lea	eax, [esp+3Ch+var_28]
		mov	[esp+3Ch+var_18], 18h
		push	eax
		push	esi
		mov	eax, 80h
		mov	[esp+44h+var_14], esi
		push	eax
		push	eax
		push	ecx
		push	esi
		lea	eax, [esp+54h+var_18]
		mov	[esp+54h+var_C], 200h
		push	eax
		xor	cl, cl
		mov	[esp+58h+var_10], esi
		mov	[esp+58h+var_8], esi
		mov	[esp+58h+var_4], esi
		mov	byte ptr [esp+58h+var_2C], 1
		call	ObCreateObjectEx
		mov	esi, eax
		test	esi, esi
		js	loc_8E675F
		mov	eax, 80h
		push	eax		; size_t
		push	0		; int
		push	[esp+40h+var_28] ; void	*
		call	_memset
		mov	eax, [esp+44h+var_28]
		add	esp, 0Ch
		push	5
		pop	ecx
		mov	[eax], cx
		add	ecx, 7Bh
		mov	eax, [esp+38h+var_28]
		push	0
		push	1
		mov	[eax+2], cx
		mov	eax, [esp+40h+var_28]
		mov	ecx, [esp+40h+var_24]
		mov	[eax+4], ecx
		mov	eax, [esp+40h+var_28]
		mov	dword ptr [eax+2Ch], 100h
		mov	eax, [esp+40h+var_28]
		add	eax, 5Ch
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [esp+38h+var_28]
		and	dword ptr [eax+70h], 0
		mov	eax, [esp+38h+var_28]
		add	eax, 74h
		cmp	word ptr [esp+38h+var_1C], 0
		mov	[eax+4], eax
		mov	[eax], eax
		mov	ecx, [esp+38h+var_28]
		jz	short loc_798ED1
		mov	ecx, [ecx-8]
		call	@ObFreeObjectCreateInfoBuffer@4	; ObFreeObjectCreateInfoBuffer(x)
		mov	eax, [esp+38h+var_28]
		and	dword ptr [eax-8], 0

loc_798E86:				; CODE XREF: IoCreateStreamFileObjectEx2+1B6j
		mov	eax, [esp+38h+var_28]
		or	dword ptr [eax+2Ch], 40000h
		mov	eax, [esp+38h+var_24]
		mov	ecx, [eax+24h]
		test	ecx, ecx
		jz	short loc_798EA3
		mov	dl, 1
		call	IopIncrementVpbRefCount

loc_798EA3:				; CODE XREF: IoCreateStreamFileObjectEx2+164j
		cmp	word ptr [esp+38h+var_1C], 0
		jz	short loc_798EF3

loc_798EAB:				; CODE XREF: IoCreateStreamFileObjectEx2+1D4j
					; IoCreateStreamFileObjectEx2+14DA58j
		xor	eax, eax
		cmp	[edi+4], eax
		jnz	loc_8E6793

loc_798EB6:				; CODE XREF: IoCreateStreamFileObjectEx2+14DA98j
		mov	ecx, [ebp+arg_C]
		mov	eax, [esp+38h+var_28]
		mov	[ecx], eax

loc_798EBF:				; CODE XREF: IoCreateStreamFileObjectEx2+14DA45j
		mov	eax, esi

loc_798EC1:				; CODE XREF: IoCreateStreamFileObjectEx2+14DA01j
					; IoCreateStreamFileObjectEx2+14DA24j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_798ECA:				; CODE XREF: IoCreateStreamFileObjectEx2+34j
		mov	[ebx], esi
		jmp	loc_798D70
; 

loc_798ED1:				; CODE XREF: IoCreateStreamFileObjectEx2+13Ej
		lea	eax, [esp+38h+var_20]
		xor	edx, edx
		push	eax
		lea	eax, [esp+3Ch+var_28]
		push	eax
		push	0
		push	1
		push	1
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_798E86
		jmp	loc_8E6777
; 

loc_798EF3:				; CODE XREF: IoCreateStreamFileObjectEx2+173j
		test	ebx, ebx
		jz	loc_8E6783
		mov	eax, [esp+38h+var_20]
		mov	ecx, [esp+38h+var_28]
		mov	[ebx], eax
		call	ObfDereferenceObject
		jmp	short loc_798EAB
IoCreateStreamFileObjectEx2 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpQuerySystemPerformanceInformation(size_t)
ExpQuerySystemPerformanceInformation proc near ; CODE XREF: PAGE:0077E0E5p

var_1B8		= dword	ptr -1B8h
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E67D3 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1ACh
		push	ebx
		push	esi
		push	edi		; struct _exception *
		xor	eax, eax
		mov	[esp+1B8h+var_138], 0
		mov	esi, ecx
		mov	[esp+1B8h+var_174], edx
		mov	ecx, 6
		mov	[esp+1B8h+var_17C], esi
		lea	edi, [esp+1B8h+var_100]
		rep stosd
		push	78h		; size_t
		push	eax		; int
		mov	[esp+1C0h+var_D8], eax
		mov	[esp+1C0h+var_D4], eax
		lea	eax, [esp+1C0h+var_C0]
		push	eax		; void *
		call	_memset
		mov	edx, _IoReadTransferCount
		lea	edi, [esp+1C4h+var_38]
		mov	ebx, _IoOtherTransferCount
		xor	eax, eax
		mov	ecx, 8
		mov	[esp+1C4h+var_1A0], edx
		mov	edx, dword_6CCBD4
		add	esp, 0Ch
		rep stosd
		mov	ecx, _IoReadOperationCount
		lea	edi, [esp+1B8h+var_14]
		stosd
		mov	[esp+1B8h+var_19C], edx
		mov	edx, _IoWriteOperationCount
		mov	[esp+1B8h+var_190], edx
		mov	edx, _IoWriteTransferCount
		stosd
		mov	[esp+1B8h+var_198], edx
		mov	edx, dword_6CCBCC
		mov	[esp+1B8h+var_194], edx
		xor	edx, edx
		stosd
		mov	[esp+1B8h+var_1A4], ecx
		stosd
		mov	eax, dword_6CCC14
		mov	edi, _IoOtherOperationCount
		mov	[esp+1B8h+var_1A8], eax
		test	esi, esi
		jz	short loc_799048
		lea	esp, [esp+0]

loc_798FE0:				; CODE XREF: ExpQuerySystemPerformanceInformation+12Ej
		mov	ecx, ds:_KiProcessorBlock[edx*4]
		mov	eax, [ecx+504h]
		add	edi, eax
		add	ebx, [ecx+518h]
		mov	eax, [ecx+51Ch]
		adc	[esp+1B8h+var_1A8], eax
		mov	eax, [ecx+4FCh]
		add	[esp+1B8h+var_1A4], eax
		mov	eax, [ecx+508h]
		add	[esp+1B8h+var_1A0], eax
		mov	eax, [ecx+50Ch]
		adc	[esp+1B8h+var_19C], eax
		mov	eax, [ecx+500h]
		add	[esp+1B8h+var_190], eax
		mov	eax, [ecx+510h]
		add	[esp+1B8h+var_198], eax
		mov	eax, [ecx+514h]
		adc	[esp+1B8h+var_194], eax
		inc	edx
		cmp	edx, esi
		jb	short loc_798FE0
		mov	eax, [esp+1B8h+var_1A8]
		mov	ecx, [esp+1B8h+var_1A4]

loc_799048:				; CODE XREF: ExpQuerySystemPerformanceInformation+C7j
		mov	edx, [esp+1B8h+var_1A0]
		mov	[esp+1B8h+var_168], edx
		mov	edx, [esp+1B8h+var_19C]
		mov	[esp+1B8h+var_164], edx
		mov	edx, [esp+1B8h+var_198]
		mov	[esp+1B8h+var_160], edx
		mov	edx, [esp+1B8h+var_194]
		mov	[esp+1B8h+var_154], eax
		mov	eax, [esp+1B8h+var_190]
		mov	[esp+1B8h+var_15C], edx
		xor	edx, edx
		mov	[esp+1B8h+var_14C], eax
		xor	eax, eax
		mov	[esp+1B8h+var_148], edi
		xor	edi, edi
		mov	[esp+1B8h+var_158], ebx
		mov	[esp+1B8h+var_150], ecx
		test	esi, esi
		jz	short loc_7990A8
		lea	ebx, [ebx+0]

loc_799090:				; CODE XREF: ExpQuerySystemPerformanceInformation+196j
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		inc	eax
		add	edi, [ecx-110h]
		add	edx, [ecx+590h]
		cmp	eax, esi
		jb	short loc_799090

loc_7990A8:				; CODE XREF: ExpQuerySystemPerformanceInformation+178j
		mov	[esp+1B8h+var_48], edi
		mov	[esp+1B8h+var_44], 0
		mov	[esp+1B8h+var_40], 0
		mov	[esp+1B8h+var_3C], edx
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		movzx	ebx, ax
		mov	ecx, ebx
		mov	[esp+1B8h+var_178], ebx
		call	_MmGetAvailablePages@4 ; MmGetAvailablePages(x)
		mov	ecx, ebx
		mov	[esp+1B8h+var_144], eax
		call	_MmGetTotalCommittedPages@4 ; MmGetTotalCommittedPages(x)
		mov	edx, eax
		mov	ecx, ebx
		mov	[esp+1B8h+var_140], edx
		call	_MmGetTotalCommitLimit@4 ; MmGetTotalCommitLimit(x)
		mov	ecx, ebx
		mov	[esp+1B8h+var_13C], eax
		call	_MmGetPeakCommitment@4 ; MmGetPeakCommitment(x)
		mov	[esp+1B8h+var_138], eax
		cmp	eax, edx
		jb	loc_8E67D3

loc_799111:				; CODE XREF: ExpQuerySystemPerformanceInformation+14D8CAj
		xor	eax, eax
		xor	ecx, ecx
		xor	edi, edi
		mov	[esp+1B8h+var_190], eax
		xor	ebx, ebx
		mov	[esp+1B8h+var_194], ecx
		xor	edx, edx
		mov	[esp+1B8h+var_198], eax
		mov	[esp+1B8h+var_19C], eax
		mov	[esp+1B8h+var_1A0], eax
		mov	[esp+1B8h+var_1A4], eax
		mov	[esp+1B8h+var_1A8], eax
		mov	[esp+1B8h+var_188], eax
		mov	[esp+1B8h+var_184], eax
		mov	[esp+1B8h+var_180], eax
		mov	[esp+1B8h+var_18C], eax
		test	esi, esi
		jz	loc_7991E6
		nop

loc_799150:				; CODE XREF: ExpQuerySystemPerformanceInformation+2C8j
		mov	ecx, ds:_KiProcessorBlock[edx*4]
		inc	edx
		mov	eax, [ecx+3CF8h]
		add	edi, eax
		mov	eax, [ecx+3CFCh]
		add	ebx, eax
		mov	eax, [ecx+3D00h]
		add	[esp+1B8h+var_190], eax
		mov	eax, [ecx+3D04h]
		add	[esp+1B8h+var_194], eax
		mov	eax, [ecx+3D08h]
		add	[esp+1B8h+var_198], eax
		mov	eax, [ecx+3D0Ch]
		add	[esp+1B8h+var_19C], eax
		mov	eax, [ecx+3D10h]
		add	[esp+1B8h+var_1A0], eax
		mov	eax, [ecx+3D14h]
		add	[esp+1B8h+var_1A4], eax
		mov	eax, [ecx+3D18h]
		add	[esp+1B8h+var_1A8], eax
		mov	eax, [ecx+3D1Ch]
		add	[esp+1B8h+var_188], eax
		mov	eax, [ecx+3D20h]
		add	[esp+1B8h+var_184], eax
		mov	eax, [ecx+3D24h]
		add	[esp+1B8h+var_180], eax
		mov	eax, [ecx+3D28h]
		add	[esp+1B8h+var_18C], eax
		cmp	edx, esi
		jb	loc_799150
		mov	eax, [esp+1B8h+var_190]
		mov	ecx, [esp+1B8h+var_194]

loc_7991E6:				; CODE XREF: ExpQuerySystemPerformanceInformation+239j
		mov	[esp+1B8h+var_12C], eax
		mov	eax, [esp+1B8h+var_198]
		mov	[esp+1B8h+var_124], eax
		mov	eax, [esp+1B8h+var_19C]
		mov	[esp+1B8h+var_120], eax
		mov	eax, [esp+1B8h+var_1A0]
		mov	[esp+1B8h+var_11C], eax
		mov	eax, [esp+1B8h+var_1A4]
		mov	[esp+1B8h+var_118], eax
		mov	eax, [esp+1B8h+var_1A8]
		mov	[esp+1B8h+var_114], eax
		mov	eax, [esp+1B8h+var_188]
		mov	[esp+1B8h+var_110], eax
		mov	eax, [esp+1B8h+var_184]
		mov	[esp+1B8h+var_10C], eax
		mov	eax, [esp+1B8h+var_180]
		mov	[esp+1B8h+var_108], eax
		mov	eax, [esp+1B8h+var_18C]
		mov	[esp+1B8h+var_134], edi
		mov	[esp+1B8h+var_130], ebx
		mov	[esp+1B8h+var_128], ecx
		mov	[esp+1B8h+var_104], eax
		call	_MmGetNumberOfFreeSystemPtes@0 ; MmGetNumberOfFreeSystemPtes()
		lea	ecx, [esp+1B8h+var_14]
		mov	[esp+1B8h+var_E8], eax
		call	_MmGetSystemPageCounts@4 ; MmGetSystemPageCounts(x)
		mov	eax, [esp+1B8h+var_14]
		mov	ecx, 2
		mov	[esp+1B8h+var_E4], eax
		call	_MmGetWorkingSetLeafSize@4 ; MmGetWorkingSetLeafSize(x)
		mov	ecx, 3
		mov	[esp+1B8h+var_CC], eax
		call	_MmGetWorkingSetLeafSize@4 ; MmGetWorkingSetLeafSize(x)
		mov	[esp+1B8h+var_C8], eax
		mov	ecx, 6
		mov	eax, [esp+1B8h+var_10]
		mov	[esp+1B8h+var_C4], eax
		mov	eax, [esp+1B8h+var_C]
		mov	[esp+1B8h+var_DC], eax
		mov	eax, [esp+1B8h+var_8]
		mov	[esp+1B8h+var_E0], eax
		call	MiFreePoolPagesLeft
		mov	edx, eax
		call	_MiMaximumCommitmentAvailable@4	; MiMaximumCommitmentAvailable(x)
		cmp	edx, eax
		ja	loc_8E67DF

loc_7992F0:				; CODE XREF: ExpQuerySystemPerformanceInformation+14D8D1j
		mov	ecx, ds:_PsIdleProcess
		mov	[esp+1B8h+var_D0], edx
		lea	edx, [esp+1B8h+var_4]
		call	_PsQueryRuntimeProcess@8 ; PsQueryRuntimeProcess(x,x)
		mul	ds:_KeMaximumIncrement
		lea	ecx, [esp+1B8h+var_100]
		mov	[esp+1B8h+var_170], eax
		lea	eax, [esp+1B8h+var_D8]
		push	eax
		lea	eax, [esp+1BCh+var_EC]
		mov	[esp+1BCh+var_16C], edx
		push	eax
		lea	eax, [esp+1C0h+var_F0]
		push	eax
		lea	eax, [esp+1C4h+var_D4]
		push	eax
		lea	eax, [esp+1C8h+var_F4]
		push	eax
		lea	eax, [esp+1CCh+var_F8]
		push	eax
		lea	edx, [esp+1D0h+var_FC]
		call	_ExQueryPoolUsage@32 ; ExQueryPoolUsage(x,x,x,x,x,x,x,x)
		mov	eax, _CcFastMdlReadWait
		xor	edx, edx
		xor	edi, edi
		mov	[esp+1B8h+var_C0], edx
		xor	ebx, ebx
		mov	[esp+1B8h+var_BC], edi
		xor	ecx, ecx
		mov	[esp+1B8h+var_B8], ebx
		mov	[esp+1B8h+var_B4], edx
		mov	[esp+1B8h+var_B0], edx
		mov	[esp+1B8h+var_18C], eax
		mov	[esp+1B8h+var_AC], eax
		mov	[esp+1B8h+var_A8], edx
		mov	[esp+1B8h+var_A4], edx
		mov	[esp+1B8h+var_A0], edx
		mov	[esp+1B8h+var_9C], edx
		mov	[esp+1B8h+var_98], edx
		mov	[esp+1B8h+var_94], edx
		mov	[esp+1B8h+var_90], edx
		mov	[esp+1B8h+var_8C], edx
		mov	[esp+1B8h+var_88], edx
		mov	[esp+1B8h+var_84], edx
		mov	[esp+1B8h+var_80], edx
		mov	[esp+1B8h+var_7C], edx
		mov	[esp+1B8h+var_78], edx
		mov	[esp+1B8h+var_74], edx
		mov	[esp+1B8h+var_70], edx
		mov	[esp+1B8h+var_6C], edx
		mov	[esp+1B8h+var_68], edx
		mov	[esp+1B8h+var_64], edx
		mov	[esp+1B8h+var_60], edx
		mov	[esp+1B8h+var_5C], edx
		mov	[esp+1B8h+var_58], edx
		mov	[esp+1B8h+var_54], edx
		mov	[esp+1B8h+var_50], edx
		mov	[esp+1B8h+var_4C], edx
		test	esi, esi
		jz	loc_7996A6
		jmp	short loc_799450
; 
		align 10h

loc_799450:				; CODE XREF: ExpQuerySystemPerformanceInformation+535j
					; ExpQuerySystemPerformanceInformation+77Bj
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		mov	esi, [esp+1B8h+var_B4]
		add	esi, [eax+4E8h]
		mov	[esp+1B8h+var_B4], esi
		mov	esi, [esp+1B8h+var_B0]
		add	esi, [eax+520h]
		mov	[esp+1B8h+var_B0], esi
		mov	esi, [esp+1B8h+var_18C]
		add	esi, [eax+524h]
		mov	[esp+1B8h+var_18C], esi
		mov	[esp+1B8h+var_AC], esi
		mov	esi, [esp+1B8h+var_A8]
		add	esi, [eax+568h]
		mov	[esp+1B8h+var_A8], esi
		mov	esi, [esp+1B8h+var_A4]
		add	esi, [eax+528h]
		mov	[esp+1B8h+var_A4], esi
		mov	esi, [esp+1B8h+var_A0]
		add	esi, [eax+52Ch]
		mov	[esp+1B8h+var_A0], esi
		mov	esi, [esp+1B8h+var_9C]
		add	esi, [eax+530h]
		mov	[esp+1B8h+var_9C], esi
		mov	esi, [esp+1B8h+var_98]
		add	esi, [eax+56Ch]
		mov	[esp+1B8h+var_98], esi
		mov	esi, [esp+1B8h+var_94]
		add	esi, [eax+570h]
		mov	[esp+1B8h+var_94], esi
		mov	esi, [esp+1B8h+var_90]
		add	esi, [eax+534h]
		mov	[esp+1B8h+var_90], esi
		mov	esi, [esp+1B8h+var_8C]
		add	esi, [eax+538h]
		mov	[esp+1B8h+var_8C], esi
		mov	esi, [esp+1B8h+var_88]
		add	esi, [eax+53Ch]
		mov	[esp+1B8h+var_88], esi
		mov	esi, [esp+1B8h+var_84]
		add	esi, [eax+574h]
		mov	[esp+1B8h+var_84], esi
		mov	esi, [esp+1B8h+var_80]
		add	esi, [eax+578h]
		mov	[esp+1B8h+var_80], esi
		mov	esi, [esp+1B8h+var_7C]
		add	esi, [eax+4ECh]
		mov	[esp+1B8h+var_7C], esi
		mov	esi, [esp+1B8h+var_78]
		add	esi, [eax+4F0h]
		mov	[esp+1B8h+var_78], esi
		mov	esi, [esp+1B8h+var_74]
		add	esi, [eax+4F4h]
		mov	[esp+1B8h+var_74], esi
		mov	esi, [esp+1B8h+var_70]
		add	esi, [eax+564h]
		mov	[esp+1B8h+var_70], esi
		mov	esi, [esp+1B8h+var_6C]
		add	esi, [eax+540h]
		mov	[esp+1B8h+var_6C], esi
		mov	esi, [esp+1B8h+var_68]
		add	esi, [eax+544h]
		add	edx, [eax+4E0h]
		add	edi, [eax+4E4h]
		add	ebx, [eax+560h]
		mov	[esp+1B8h+var_68], esi
		mov	esi, [esp+1B8h+var_64]
		add	esi, [eax+57Ch]
		mov	[esp+1B8h+var_64], esi
		mov	esi, [esp+1B8h+var_60]
		add	esi, [eax+580h]
		mov	[esp+1B8h+var_60], esi
		mov	esi, [esp+1B8h+var_5C]
		add	esi, [eax+584h]
		mov	[esp+1B8h+var_5C], esi
		mov	esi, [esp+1B8h+var_58]
		add	esi, [eax+54Ch]
		mov	[esp+1B8h+var_58], esi
		mov	esi, [esp+1B8h+var_54]
		add	esi, [eax+550h]
		mov	[esp+1B8h+var_54], esi
		mov	esi, [esp+1B8h+var_50]
		add	esi, [eax+554h]
		inc	ecx
		mov	[esp+1B8h+var_50], esi
		mov	esi, [esp+1B8h+var_4C]
		add	esi, [eax+558h]
		mov	[esp+1B8h+var_4C], esi
		cmp	ecx, [esp+1B8h+var_17C]
		jb	loc_799450
		mov	[esp+1B8h+var_C0], edx
		mov	[esp+1B8h+var_BC], edi
		mov	[esp+1B8h+var_B8], ebx

loc_7996A6:				; CODE XREF: ExpQuerySystemPerformanceInformation+52Fj
		mov	eax, _CcSystemPartitionDirtyPageStatistics
		mov	ecx, [esp+1B8h+var_178]
		mov	[esp+1B8h+var_34], 0
		mov	[esp+1B8h+var_2C], 0
		mov	eax, [eax]
		mov	[esp+1B8h+var_38], eax
		mov	eax, _CcSystemPartitionDirtyPageThresholds
		mov	eax, [eax]
		mov	[esp+1B8h+var_30], eax
		call	_MmGetResidentAvailablePages@4 ; MmGetResidentAvailablePages(x)
		mov	[esp+1B8h+var_28], eax
		mov	[esp+1B8h+var_24], 0
		call	_MmGetSharedCommit@0 ; MmGetSharedCommit()
		push	[ebp+arg_0]	; size_t
		mov	[esp+1BCh+var_20], eax
		lea	eax, [esp+1BCh+var_170]
		push	eax		; void *
		push	[esp+1C0h+var_174] ; void *
		mov	[esp+1C4h+var_1C], 0
		call	_memcpy
		add	esp, 0Ch
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
ExpQuerySystemPerformanceInformation endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpAllocateCompletionPacketLookaside proc near
					; CODE XREF: AlpcpAssociateIoCompletionPort+A4p
					; AlpcpInitializeCompletionList+2D0p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E67E6 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		push	6E496C41h
		lea	eax, [ebx+3]
		mov	[ebp+var_8], ebx
		imul	edi, eax, 0Ch
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8E67EE
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		and	dword ptr [esi], 0
		xor	edi, edi
		mov	[esi+1Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+4], ebx
		mov	[esi+20h], eax
		test	ebx, ebx
		jz	short loc_7997AB
		lea	ebx, [esi+24h]

loc_799781:				; CODE XREF: AlpcpAllocateCompletionPacketLookaside+81j
		push	ebx
		push	offset AlpcpLookasidePacketCallbackRoutine
		mov	[ebx+8], esi
		call	_IoAllocateMiniCompletionPacket@8 ; IoAllocateMiniCompletionPacket(x,x)
		mov	[ebx+4], eax
		test	eax, eax
		jz	loc_8E67F5
		mov	eax, [esi+18h]
		inc	edi
		mov	[ebx], eax
		mov	[esi+18h], ebx
		add	ebx, 0Ch
		cmp	edi, [ebp+var_8]
		jb	short loc_799781

loc_7997AB:				; CODE XREF: AlpcpAllocateCompletionPacketLookaside+54j
		mov	eax, esi

loc_7997AD:				; CODE XREF: AlpcpAllocateCompletionPacketLookaside+14D0C8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
AlpcpAllocateCompletionPacketLookaside endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 745. IoAllocateMiniCompletionPacket

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAllocateMiniCompletionPacket(x, x)
		public _IoAllocateMiniCompletionPacket@8
_IoAllocateMiniCompletionPacket@8 proc near ; CODE XREF: sub_759647-AEp
					; AlpcpAllocateCompletionPacketLookaside+62p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	dl, dl
		mov	cl, 4
		call	IopAllocateMiniCompletionPacket
		test	eax, eax
		jz	short loc_7997DC
		mov	ecx, [ebp+arg_0]
		mov	[eax+1Ch], ecx
		mov	ecx, [ebp+arg_4]
		mov	[eax+20h], ecx
		mov	byte ptr [eax+24h], 1

loc_7997DC:				; CODE XREF: IoAllocateMiniCompletionPacket(x,x)+10j
		pop	ebp
		retn	8
_IoAllocateMiniCompletionPacket@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAllocateMiniCompletionPacket	proc near ; CODE XREF: IoSetIoCompletionEx2+12Cp
					; IoSetIoCompletionEx+EBp ...

var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	10h
		push	offset dword_6A1FA0
		call	__SEH_prolog4
		mov	bl, dl
		mov	[ebp+var_1C], cl
		cmp	cl, 4
		jnz	short loc_799827
		push	0
		push	20706349h
		push	28h

loc_7997FF:				; CODE XREF: IopAllocateMiniCompletionPacket+BCj
		push	200h
		call	ExAllocatePoolWithTagPriority
		mov	ecx, eax

loc_79980B:				; CODE XREF: IopAllocateMiniCompletionPacket+AEj
					; sub_8E681A+Dj
		test	ecx, ecx
		jz	short loc_799815

loc_79980F:				; CODE XREF: IopAllocateMiniCompletionPacket+65j
					; IopAllocateMiniCompletionPacket+81j
		mov	al, [ebp+var_1C]
		mov	[ecx+8], al

loc_799815:				; CODE XREF: IopAllocateMiniCompletionPacket+2Dj
		mov	eax, ecx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_799827:				; CODE XREF: IopAllocateMiniCompletionPacket+14j
		mov	edi, large fs:20h
		mov	esi, [edi+5D8h]
		inc	dword ptr [esi+0Ch]
		mov	ecx, esi
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_79980F
		inc	dword ptr [esi+10h]
		mov	esi, [edi+5DCh]
		inc	dword ptr [esi+0Ch]
		mov	ecx, esi
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_79980F
		inc	dword ptr [esi+10h]
		test	bl, bl
		jz	short loc_799893
		mov	[ebp+var_1C], 3
		and	[ebp+ms_exc.disabled], eax
		push	20706349h
		push	1Ch
		push	200h
		call	ExAllocatePoolWithQuotaTag
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_79980B
; 

loc_799893:				; CODE XREF: IopAllocateMiniCompletionPacket+88j
		push	0
		push	20706349h
		push	1Ch
		jmp	loc_7997FF
IopAllocateMiniCompletionPacket	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateDirectoryObject(x, x, x)
_NtCreateDirectoryObject@12 proc near	; CODE XREF: ObInitSystem+429p
					; IopCreateRootDirectories()+4Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		push	[ebp+arg_8]
		call	ObpCreateDirectoryObject
		pop	ecx
		pop	ebp
		retn	0Ch
_NtCreateDirectoryObject@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpCreateDirectoryObject proc near	; CODE XREF: NtCreateDirectoryObject(x,x,x)+13p
					; NtCreateDirectoryObjectEx(x,x,x,x,x)+14p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E682C SIZE 00000011 BYTES
; FUNCTION CHUNK AT 008E686C SIZE 00000014 BYTES

		push	2Ch
		push	offset dword_6A1FC0
		call	__SEH_prolog4
		mov	[ebp+var_38], edx
		mov	edx, ecx
		mov	[ebp+var_3C], edx
		xor	edi, edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], edi
		test	[ebp+arg_8], 0FFFFFFFCh
		jnz	loc_8E682C
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_28], al
		test	al, al
		jz	short loc_799927
		test	byte ptr [ebp+arg_8], 2
		jnz	loc_8E682C
		mov	[ebp+ms_exc.disabled], edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_8E6836

loc_79991C:				; CODE XREF: ObpCreateDirectoryObject+14CF78j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_799927:				; CODE XREF: ObpCreateDirectoryObject+40j
		cmp	[ebp+arg_4], 0
		jnz	loc_799A03

loc_799931:				; CODE XREF: ObpCreateDirectoryObject+168j
		mov	edx, _ObpDirectoryObjectType
		push	edi
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		push	edi
		push	0B0h
		push	ecx
		push	[ebp+var_28]
		push	[ebp+arg_0]
		mov	cl, [ebp+var_19]
		call	ObCreateObjectEx
		mov	esi, eax
		test	esi, esi
		jns	short loc_799982

loc_799958:				; CODE XREF: ObpCreateDirectoryObject+13Ej
					; ObpCreateDirectoryObject+16Ej ...
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jnz	loc_8E686C

loc_799963:				; CODE XREF: ObpCreateDirectoryObject+14CFB1j
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jnz	loc_8E6876

loc_79996E:				; CODE XREF: ObpCreateDirectoryObject+14CFBBj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_799982:				; CODE XREF: ObpCreateDirectoryObject+96j
		push	0B0h		; size_t
		push	edi		; int
		mov	edi, [ebp+var_24]
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		and	dword ptr [edi+94h], 0
		or	dword ptr [edi+0ACh], 0FFFFFFFFh
		xor	esi, esi
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jnz	loc_799A33

loc_7999AF:				; CODE XREF: ObpCreateDirectoryObject+18Cj
					; ObpCreateDirectoryObject+195j
		test	byte ptr [ebp+arg_8], 1
		jnz	loc_799A5A

loc_7999B9:				; CODE XREF: ObpCreateDirectoryObject+19Dj
		test	byte ptr [ebp+arg_8], 2
		jnz	loc_799A62

loc_7999C3:				; CODE XREF: ObpCreateDirectoryObject+1A5j
		or	[edi+0A8h], esi
		lea	eax, [ebp+var_30]
		push	eax
		push	0
		push	0
		push	0
		push	[ebp+var_38]
		xor	edx, edx
		mov	ecx, edi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+arg_8], esi
		and	[ebp+var_24], 0
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_30]
		mov	ecx, [ebp+var_3C]
		mov	[ecx], eax

loc_7999F7:				; CODE XREF: sub_8E684B+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_799958
; 

loc_799A03:				; CODE XREF: ObpCreateDirectoryObject+6Bj
		mov	eax, _ObpDirectoryObjectType
		mov	[ebp+var_2C], edi
		push	edi
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	[ebp+var_28]
		push	eax
		push	3
		push	[ebp+arg_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_20], eax
		test	esi, esi
		jns	loc_799931
		jmp	loc_799958
; 

loc_799A33:				; CODE XREF: ObpCreateDirectoryObject+E9j
		push	4
		pop	esi
		mov	[edi+9Ch], ecx
		and	[ebp+var_20], 0
		push	[ebp+var_28]
		push	0
		call	RtlIsSandboxedToken
		test	al, al
		jz	loc_7999AF
		push	14h
		pop	esi
		jmp	loc_7999AF
; 

loc_799A5A:				; CODE XREF: ObpCreateDirectoryObject+F3j
		or	esi, 8
		jmp	loc_7999B9
; 

loc_799A62:				; CODE XREF: ObpCreateDirectoryObject+FDj
		or	esi, 20h
		jmp	loc_7999C3
ObpCreateDirectoryObject endp

; 
		align 10h
; Exported entry 1612. ObCreateObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObCreateObject(x, x, x, x, x, x, x,	x, x)
		public _ObCreateObject@36
_ObCreateObject@36 proc	near		; CODE XREF: SepCreateTokenEx+4DAp
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+321p ...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	0
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	ecx
		push	[ebp+arg_C]
		mov	cl, [ebp+arg_0]
		push	[ebp+arg_8]
		call	ObCreateObjectEx
		pop	ebp
		retn	24h
_ObCreateObject@36 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateTimer2	proc near		; CODE XREF: NtCreateIRTimer(x,x,x)+12p
					; DATA XREF: .text:0058115Co

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008E6880 SIZE 0000001B BYTES
; FUNCTION CHUNK AT 008E68BB SIZE 00000012 BYTES

		push	14h
		push	offset dword_6A1FE8
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	edi, [ebp+arg_C]
		mov	ecx, edi
		call	_ExpExTimerAttributesAreValid@4	; ExpExTimerAttributesAreValid(x)
		test	al, al
		jz	loc_8E6880
		cmp	[ebp+arg_8], ebx
		jnz	loc_8E688A
		mov	esi, edi
		and	esi, 2
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	loc_799BA7

loc_799AD9:				; CODE XREF: NtCreateTimer2+10Fj
		mov	[ebp+arg_C], ebx
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+arg_8], bl
		test	bl, bl
		jz	loc_8E68BB
		and	[ebp+ms_exc.disabled], 0
		mov	edx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_8E6894

loc_799B07:				; CODE XREF: NtCreateTimer2+14CDFCj
		mov	eax, [edx]
		mov	[edx], eax
		test	ecx, ecx
		jnz	loc_799BB6

loc_799B13:				; CODE XREF: NtCreateTimer2+12Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_799B1A:				; CODE XREF: NtCreateTimer2+14CE23j
					; NtCreateTimer2+14CE2Ej
		test	esi, esi
		jnz	loc_799BCA

loc_799B22:				; CODE XREF: NtCreateTimer2+13Cj
		mov	edx, ds:_ExpIRTimerObjectType
		xor	ecx, ecx
		push	ecx
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		push	ecx
		push	78h
		push	ecx
		push	[ebp+arg_8]
		push	ecx
		mov	cl, bl
		call	ObCreateObjectEx
		mov	[ebp+arg_8], eax
		test	eax, eax
		js	short loc_799B92
		push	edi
		xor	ebx, ebx
		test	esi, esi
		mov	esi, [ebp+var_1C]
		jnz	loc_799BDE
		push	ebx
		push	ebx
		push	esi
		call	_KeInitializeTimer2@16 ; KeInitializeTimer2(x,x,x,x)

loc_799B5C:				; CODE XREF: NtCreateTimer2+152j
		mov	[esi+58h], ebx
		mov	[esi+70h], edi
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+arg_10]
		xor	edx, edx
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	[ebp+arg_8], eax
		test	eax, eax
		js	short loc_799B92
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_799B8B:				; CODE XREF: sub_8E68D1+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_799B92:				; CODE XREF: NtCreateTimer2+AAj
					; NtCreateTimer2+E0j
		mov	eax, [ebp+arg_8]

loc_799B95:				; CODE XREF: NtCreateTimer2+11Aj
					; NtCreateTimer2+142j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_799BA7:				; CODE XREF: NtCreateTimer2+39j
		test	esi, esi
		jnz	loc_799AD9
		mov	eax, 0C00000F0h
		jmp	short loc_799B95
; 

loc_799BB6:				; CODE XREF: NtCreateTimer2+73j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_799BF1

loc_799BBF:				; CODE XREF: NtCreateTimer2+159j
		mov	eax, [ecx]
		mov	[ebp+arg_C], eax
		nop
		jmp	loc_799B13
; 

loc_799BCA:				; CODE XREF: NtCreateTimer2+82j
		push	[ebp+arg_C]
		mov	cl, bl
		call	ExpCheckIRTimerAccess
		test	eax, eax
		jns	loc_799B22
		jmp	short loc_799B95
; 

loc_799BDE:				; CODE XREF: NtCreateTimer2+B4j
		lea	eax, [ebp+arg_C]
		push	eax
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		call	_KeInitializeIRTimer@20	; KeInitializeIRTimer(x,x,x,x,x)
		jmp	loc_799B5C
; 

loc_799BF1:				; CODE XREF: NtCreateTimer2+123j
		mov	ecx, eax
		jmp	short loc_799BBF
NtCreateTimer2	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateWorkerFactory proc near		; DATA XREF: .text:005810D4o

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 008E68D9 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008E6900 SIZE 00000063 BYTES

		push	34h
		push	offset dword_6A2010
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_1C], ecx
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_20], bl
		test	bl, bl
		jz	short loc_799C41
		mov	[ebp+ms_exc.disabled], ecx
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8E68D9

loc_799C36:				; CODE XREF: NtCreateWorkerFactory+14CCE5j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_799C41:				; CODE XREF: NtCreateWorkerFactory+2Bj
		push	63577054h
		push	18h
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		test	esi, esi
		jz	loc_8E6900
		xor	ecx, ecx
		mov	[esi], ecx
		mov	[esi+0Ch], ecx
		mov	[esi+10h], ecx
		mov	[esi+14h], cx
		mov	[esi+16h], cl
		mov	eax, ds:_IoCompletionObjectType
		mov	[ebp+var_28], ecx
		push	ecx
		lea	ecx, [ebp+var_28]
		push	ecx
		push	[ebp+var_20]
		push	eax
		push	2
		push	[ebp+arg_C]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	ecx, [ebp+var_28]
		mov	[esi+4], ecx
		test	edi, edi
		js	loc_8E6921
		call	_KeDisableQueueingPriorityIncrement@8 ;	KeDisableQueueingPriorityIncrement(x,x)
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	66577845h
		push	[ebp+var_20]
		push	ds:_PsProcessType
		push	2Ah
		push	[ebp+arg_10]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8E6919
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	edx, [ebp+var_1C]
		cmp	eax, edx
		jnz	loc_8E6907
		lea	eax, [ebp+var_24]
		push	eax
		push	0
		push	ds:_PsProcessType
		push	2Ah
		push	0
		push	200h
		push	edx
		call	ObOpenObjectByPointer
		mov	edi, eax
		test	edi, edi
		js	loc_8E690C
		push	esi
		push	offset ExpWorkerFactoryCompletionPacketRoutine
		call	_IoAllocateMiniCompletionPacket@8 ; IoAllocateMiniCompletionPacket(x,x)
		mov	[esi+8], eax
		test	eax, eax
		jz	loc_8E6930
		mov	edx, ds:_ExpWorkerFactoryObjectType
		xor	ecx, ecx
		push	ecx
		lea	eax, [ebp+var_2C]
		push	eax
		push	ecx
		push	ecx
		push	108h
		push	ecx
		push	[ebp+var_20]
		push	[ebp+arg_8]
		mov	cl, bl
		call	ObCreateObjectEx
		mov	edi, eax
		test	edi, edi
		js	loc_8E6937
		mov	ebx, [ebp+var_2C]
		mov	[ebx+4], esi
		mov	eax, _ExpWorkerFactoryThreadIdleTimeoutInSeconds
		mov	ecx, 0FF676980h
		imul	ecx
		mov	[ebx+38h], eax
		mov	[ebx+3Ch], edx
		xor	edx, edx
		mov	[ebx+48h], edx
		mov	eax, [ebp+arg_1C]
		mov	[ebx+4Ch], eax
		mov	[ebx+5Ch], edx
		mov	[ebx+50h], edx
		mov	[ebx+54h], edx
		mov	eax, [ebp+arg_20]
		test	eax, eax
		jz	loc_8E694F

loc_799D7A:				; CODE XREF: NtCreateWorkerFactory+14CD5Ej
		mov	[ebx+18h], eax
		mov	eax, [ebp+arg_24]
		test	eax, eax
		jz	loc_8E6959

loc_799D88:				; CODE XREF: NtCreateWorkerFactory+14CD68j
		mov	[ebx+40h], edx
		mov	[ebx+44h], edx
		mov	[ebx+6Ch], edx
		mov	[ebx+1Ch], eax
		mov	eax, [ebp+arg_14]
		mov	[ebx+8], eax
		mov	eax, [ebp+arg_18]
		mov	[ebx+0Ch], eax
		mov	[ebx+60h], edx
		mov	[ebx+68h], edx
		mov	[ebx+64h], edx
		mov	[ebx+70h], edx
		mov	eax, [ebp+var_24]
		mov	[ebx+10h], eax
		mov	ecx, [ebp+var_1C]
		mov	[ebx+14h], ecx
		mov	[ebx+58h], edx
		mov	[ebx+104h], edx
		mov	dword ptr [ebx+0E8h], 1
		lea	edi, [ebx+78h]
		push	8
		push	edx
		push	edx
		push	edi
		call	_KeInitializeTimer2@16 ; KeInitializeTimer2(x,x,x,x)
		mov	ecx, ebx
		call	_ExpInitializeThreadHistory@4 ;	ExpInitializeThreadHistory(x)
		xor	esi, esi
		mov	[ebx+30h], esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		lea	eax, [ebx+0D0h]
		push	eax
		mov	edx, offset _ExpWorkerFactoryManagerQueue
		mov	ecx, edi
		call	KeRegisterObjectNotification
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], esi
		or	[ebp+var_3C], 0FFFFFFFFh
		or	[ebp+var_38], 0FFFFFFFFh
		mov	esi, [ebx+38h]
		mov	edx, [ebx+3Ch]
		lea	eax, [ebp+var_44]
		push	eax
		mov	ecx, esi
		neg	ecx
		mov	eax, edx
		adc	eax, 0
		neg	eax
		push	eax
		push	ecx
		push	edx
		push	esi
		push	edi
		call	KeSetTimer2
		lea	eax, [ebp+var_30]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_4]
		xor	edx, edx
		mov	ecx, ebx
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		js	short loc_799E5B
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_30]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_799E54:				; CODE XREF: sub_8E6969+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_799E5B:				; CODE XREF: NtCreateWorkerFactory+24Dj
		mov	eax, [ebp+arg_C]

loc_799E5E:				; CODE XREF: sub_8E68EE+Dj
					; NtCreateWorkerFactory+14CD35j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	28h
NtCreateWorkerFactory endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1392. MmCreateSection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmCreateSection
MmCreateSection	proc near		; CODE XREF: AlpcpCreateSection(x,x,x,x,x,x)+F9p
					; EtwpCoverageEnsureContext()+1FCp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 008E6971 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	ecx, [ebp+arg_14]
		sub	esp, 10h
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [esp+18h+var_10]
		stosd
		stosd
		stosd
		stosd
		mov	eax, ecx
		xor	edi, edi
		mov	edx, edi
		mov	esi, edi
		and	eax, 1Fh
		jnz	loc_8E6971

loc_799EA1:				; CODE XREF: MmCreateSection+14CB1Aj
		mov	eax, [ebp+arg_C]
		push	edx
		mov	edx, [ebp+arg_8]
		push	esi
		push	edi
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	ecx
		push	[ebp+arg_10]
		mov	ecx, [ebp+arg_0]
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		call	_MmCreateSectionEx@44 ;	MmCreateSectionEx(x,x,x,x,x,x,x,x,x,x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	20h
MmCreateSection	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAlpcAcceptConnectPort(x, x, x, x,	x, x, x, x, x)
_NtAlpcAcceptConnectPort@36 proc near	; DATA XREF: .text:0058124Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_4]
		call	_AlpcpAcceptConnectPort@48 ; AlpcpAcceptConnectPort(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, large fs:124h
		mov	esi, eax
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	24h
_NtAlpcAcceptConnectPort@36 endp ; sp =	-28h

; 
		align 2

; __stdcall AlpcpAcceptConnectPort(x, x, x, x, x, x, x,	x, x, x, x, x)
_AlpcpAcceptConnectPort@48:		; CODE XREF: NtAlpcAcceptConnectPort(x,x,x,x,x,x,x,x,x)+31p
					; NtAcceptConnectPort(x,x,x,x,x,x)+2Ep
		push	12Ch
		push	offset dword_6A2038
		call	__SEH_prolog4_GS
		mov	[ebp-8Ch], ecx
		mov	eax, [ebp+8]
		mov	[ebp-58h], eax
		mov	eax, [ebp+0Ch]
		mov	[ebp-9Ch], eax
		mov	edx, [ebp+10h]
		mov	[ebp-6Ch], edx
		mov	esi, [ebp+18h]
		mov	[ebp-80h], esi
		mov	eax, [ebp+1Ch]
		mov	[ebp-0A0h], eax
		mov	ebx, [ebp+24h]
		mov	[ebp-90h], ebx
		mov	eax, [ebp+28h]
		mov	[ebp-68h], eax
		push	9
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp-114h]
		rep stosd
		push	2Ch
		push	eax
		lea	eax, [ebp-48h]
		push	eax
		call	_memset
		add	esp, 0Ch
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp-13Ch]
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp-0F0h]
		rep stosd
		lea	edi, [ebp-0D8h]
		stosd
		stosd
		stosd
		xor	ecx, ecx
		mov	[ebp-54h], ecx
		mov	[ebp-94h], ecx
		mov	[ebp-78h], ecx
		mov	[ebp-74h], ecx
		mov	[ebp-84h], ecx
		mov	[ebp-4Ch], ecx
		mov	[ebp-64h], ecx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-59h], al
		mov	[ebp-88h], al
		test	al, al
		jz	loc_79A0ED
		mov	[ebp-4], ecx
		cmp	[ebp+2Ch], cl
		jnz	short loc_799FE2
		cmp	[ebp+20h], cl
		jz	short loc_799FF7

loc_799FE2:				; CODE XREF: PAGE:00799FDBj
		mov	ecx, [ebp-8Ch]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_799FF3
		mov	ecx, eax

loc_799FF3:				; CODE XREF: PAGE:00799FEFj
		mov	eax, [ecx]
		mov	[ecx], eax

loc_799FF7:				; CODE XREF: PAGE:00799FE0j
		mov	eax, ds:_MmUserProbeAddress
		cmp	[ebp-80h], eax
		jb	short loc_79A003
		mov	esi, eax

loc_79A003:				; CODE XREF: PAGE:00799FFFj
		push	6
		pop	ecx
		lea	edi, [ebp-0C0h]
		rep movsd
		nop
		mov	edx, [ebp-6Ch]
		test	edx, edx
		jz	short loc_79A02C
		mov	esi, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_79A023
		mov	esi, eax

loc_79A023:				; CODE XREF: PAGE:0079A01Fj
		push	0Bh
		pop	ecx
		lea	edi, [ebp-48h]
		rep movsd
		nop

loc_79A02C:				; CODE XREF: PAGE:0079A014j
		test	ebx, ebx
		jz	short loc_79A082
		mov	esi, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_79A03D
		mov	esi, eax

loc_79A03D:				; CODE XREF: PAGE:0079A039j
		push	6
		pop	ecx
		lea	edi, [ebp-0F0h]
		rep movsd
		nop
		cmp	dword ptr [ebp-0F0h], 18h
		jz	short loc_79A063

loc_79A052:				; CODE XREF: PAGE:0079A09Dj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		jmp	loc_79A723
; 

loc_79A063:				; CODE XREF: PAGE:0079A050j
		test	bl, 3
		jnz	loc_79A735
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_79A078
		mov	byte ptr [eax],	0

loc_79A078:				; CODE XREF: PAGE:0079A073j
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+14h]
		mov	[ebx+14h], al

loc_79A082:				; CODE XREF: PAGE:0079A02Ej
		mov	edx, [ebp-68h]
		test	edx, edx
		jz	short loc_79A0BE
		mov	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		jb	short loc_79A097
		mov	eax, ecx

loc_79A097:				; CODE XREF: PAGE:0079A093j
		nop
		mov	eax, [eax]
		cmp	eax, 0Ch
		jnz	short loc_79A052
		test	dl, 3
		jnz	loc_79A735
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_79A0B4
		mov	byte ptr [eax],	0

loc_79A0B4:				; CODE XREF: PAGE:0079A0AFj
		mov	al, [edx]
		mov	[edx], al
		mov	al, [edx+8]
		mov	[edx+8], al

loc_79A0BE:				; CODE XREF: PAGE:0079A087j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_79A10C
; 

loc_79A0C7:				; DATA XREF: .text:006A204Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-98h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_79A0D8:				; DATA XREF: .text:006A2050o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-98h]
		jmp	loc_79A723
; 

loc_79A0ED:				; CODE XREF: PAGE:00799FCFj
		mov	edx, [ebp-6Ch]
		test	edx, edx
		jz	short loc_79A101
		push	0Bh
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp-48h]
		rep movsd
		mov	esi, [ebp-80h]

loc_79A101:				; CODE XREF: PAGE:0079A0F2j
		push	6
		pop	ecx
		lea	edi, [ebp-0C0h]
		rep movsd

loc_79A10C:				; CODE XREF: PAGE:0079A0C5j
		cmp	dword ptr [ebp-0B0h], 0
		jnz	short loc_79A11F
		mov	eax, 0C000021Fh
		jmp	loc_79A723
; 

loc_79A11F:				; CODE XREF: PAGE:0079A113j
		xor	ebx, ebx
		mov	[ebp-60h], ebx
		mov	ecx, [ebp-58h]
		test	ecx, ecx
		jz	short loc_79A163
		mov	eax, ds:_AlpcPortObjectType
		and	[ebp-7Ch], ebx
		push	ebx
		lea	edx, [ebp-7Ch]
		push	edx
		push	dword ptr [ebp-88h]
		push	eax
		push	1
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, [ebp-7Ch]
		mov	[ebp-60h], ebx
		test	eax, eax
		js	loc_79A723
		mov	[ebp-94h], ebx
		mov	eax, [ebp-0ACh]
		jmp	short loc_79A174
; 

loc_79A163:				; CODE XREF: PAGE:0079A129j
		cmp	[ebp+2Ch], bl
		jz	loc_79A71E
		xor	eax, eax
		mov	[ebp-0ACh], eax

loc_79A174:				; CODE XREF: PAGE:0079A161j
		lea	ecx, [ebp-4Ch]
		push	ecx
		push	ecx
		push	eax
		mov	edx, [ebp-0B0h]
		mov	ecx, ebx
		call	AlpcpLookupMessage
		mov	esi, eax
		mov	edi, [ebp-4Ch]
		test	esi, esi
		js	loc_79A698
		test	ebx, ebx
		jnz	short loc_79A19E
		mov	ebx, [edi+8]
		mov	[ebp-60h], ebx

loc_79A19E:				; CODE XREF: PAGE:0079A196j
		mov	ecx, [edi+14h]
		mov	[ebp-58h], ecx
		test	cl, cl
		jns	short loc_79A1B9
		mov	dword ptr [ebp-78h], 1
		mov	esi, 0C0000703h
		jmp	loc_79A695
; 

loc_79A1B9:				; CODE XREF: PAGE:0079A1A6j
		movzx	eax, word ptr [edi+84h]
		and	eax, 0FFFF00FFh
		cmp	eax, 0Ah
		jz	short loc_79A1D4
		mov	esi, 0C000021Fh
		jmp	loc_79A695
; 

loc_79A1D4:				; CODE XREF: PAGE:0079A1C8j
		mov	edx, [edi+8]
		cmp	edx, [edi+68h]
		jnz	loc_79A690
		and	ecx, 7
		cmp	edx, ebx
		jz	loc_79A28A
		test	ecx, ecx
		jnz	short loc_79A266
		mov	eax, [edi+0Ch]
		mov	[ebp-58h], eax
		test	eax, eax
		jz	loc_79A690
		mov	esi, [eax+8]
		lea	eax, [esi-4]
		mov	[ebp-7Ch], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp-58h]
		mov	eax, [ecx+0F4h]
		shr	eax, 1
		and	eax, 3
		sub	eax, 1
		jz	short loc_79A23B
		sub	eax, 1
		jnz	short loc_79A23B
		cmp	[esi], ebx
		jz	short loc_79A235
		cmp	[esi+4], ebx
		jz	short loc_79A235
		mov	[ebp-4Dh], al
		jmp	short loc_79A242
; 

loc_79A235:				; CODE XREF: PAGE:0079A229j
					; PAGE:0079A22Ej
		mov	byte ptr [ebp-4Dh], 1
		jmp	short loc_79A242
; 

loc_79A23B:				; CODE XREF: PAGE:0079A220j
					; PAGE:0079A225j
		cmp	[esi+8], ebx
		setz	byte ptr [ebp-4Dh]

loc_79A242:				; CODE XREF: PAGE:0079A233j
					; PAGE:0079A239j
		xor	edx, edx
		push	11h
		pop	eax
		mov	esi, [ebp-7Ch]
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_79A25A
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_79A25A:				; CODE XREF: PAGE:0079A251j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	al, [ebp-4Dh]
		jmp	short loc_79A2A2
; 

loc_79A266:				; CODE XREF: PAGE:0079A1EDj
		mov	eax, [ebx+0F4h]
		and	eax, 6
		cmp	al, 6
		jnz	loc_79A690
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_79A690
		cmp	[eax], edx
		jnz	loc_79A690

loc_79A28A:				; CODE XREF: PAGE:0079A1E5j
		cmp	ecx, 3
		jnz	loc_79A690
		test	dword ptr [ebp-58h], 2000h
		jnz	loc_79A690
		mov	al, 1

loc_79A2A2:				; CODE XREF: PAGE:0079A264j
		test	al, al
		jz	loc_79A690
		push	dword ptr [ebp+2Ch]
		lea	edx, [ebp-0C0h]
		mov	ecx, ebx
		call	AlpcpValidateConnectionMessage
		mov	esi, eax
		test	esi, esi
		js	loc_79A695
		mov	esi, [edi+0Ch]
		mov	[ebp-58h], esi
		mov	eax, [esi+8]
		mov	[ebp-70h], eax
		test	byte ptr [esi+0F4h], 20h
		jz	short loc_79A2EA
		mov	dword ptr [ebp-78h], 1
		mov	esi, 0C0000037h
		jmp	loc_79A695
; 

loc_79A2EA:				; CODE XREF: PAGE:0079A2D7j
		test	dword ptr [ebx+98h], 100000h
		jnz	short loc_79A317
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [ebp-60h]
		mov	edi, [ebp-4Ch]
		cmp	eax, [ecx+0Ch]
		jz	short loc_79A317
		mov	esi, 0C000021Fh
		jmp	loc_79A698
; 

loc_79A317:				; CODE XREF: PAGE:0079A2F4j
					; PAGE:0079A30Bj
		cmp	byte ptr [ebp+20h], 0
		jnz	short loc_79A36E
		lea	edi, [esi+0D0h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		or	dword ptr [esi+0F4h], 10h
		test	dword ptr [esi+0F4h], 100h
		jz	short loc_79A345
		mov	eax, [ebp+14h]
		mov	[esi+1Ch], eax

loc_79A345:				; CODE XREF: PAGE:0079A33Dj
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_79A359
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_79A359:				; CODE XREF: PAGE:0079A350j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	dword ptr [ebp-78h], 1
		xor	esi, esi
		jmp	loc_79A695
; 

loc_79A36E:				; CODE XREF: PAGE:0079A31Bj
		lea	eax, [ebp-54h]
		push	eax
		mov	edx, [ebp-9Ch]
		mov	cl, [ebp-59h]
		call	_AlpcpCreatePort@12 ; AlpcpCreatePort(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_79A695
		push	0
		push	3
		pop	edx
		mov	ebx, [ebp-54h]
		mov	ecx, ebx
		call	_AlpcpInitializePort@12	; AlpcpInitializePort(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_79A68B
		push	dword ptr [ebp+2Ch]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	dword ptr [ebp-60h]
		mov	edx, [ebp-6Ch]
		neg	edx
		sbb	edx, edx
		lea	eax, [ebp-48h]
		and	edx, eax
		mov	ecx, ebx
		call	_AlpcpValidateAndSetPortAttributes@28 ;	AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_79A68B
		mov	eax, [ebp-6Ch]
		neg	eax
		sbb	eax, eax
		lea	edx, [ebp-48h]
		and	edx, eax
		mov	ecx, ebx
		call	_AlpcpSetOwnerProcessPort@8 ; AlpcpSetOwnerProcessPort(x,x)
		mov	esi, 1000h
		cmp	byte ptr [ebp+2Ch], 0
		jz	short loc_79A3EF
		or	[ebx+0F4h], esi

loc_79A3EF:				; CODE XREF: PAGE:0079A3E7j
		mov	ecx, [ebp-70h]
		call	AlpcpReferenceBlob
		mov	ecx, [ebp-70h]
		lea	ecx, [ecx-4]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp-70h]
		mov	[ebx+8], eax
		mov	[eax+4], ebx
		mov	eax, [ebp-60h]
		mov	ecx, [ebp-58h]
		mov	[ecx+0F8h], eax
		mov	[ecx+0FCh], ebx
		mov	[ebx+0F8h], ecx
		mov	[ebx+0FCh], ecx
		mov	eax, [ecx+0F4h]
		test	eax, esi
		jz	short loc_79A450
		test	[ebx+0F4h], esi
		jz	short loc_79A450
		mov	edx, 2000h
		or	eax, edx
		mov	[ecx+0F4h], eax
		or	[ebx+0F4h], edx

loc_79A450:				; CODE XREF: PAGE:0079A433j
					; PAGE:0079A43Bj
		or	eax, 0FFFFFFFFh
		mov	esi, [ebp-70h]
		add	esi, 0FFFFFFFCh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_79A46A
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_79A46A:				; CODE XREF: PAGE:0079A461j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp-0C0h]
		lea	eax, [ecx+18h]
		mov	[ebp-0F8h], ax
		push	0Bh
		pop	eax
		mov	[ebp-0F6h], ax
		xor	eax, eax
		mov	[ebp-0F4h], ax
		push	dword ptr [ebp-88h]
		push	eax
		push	ecx
		push	ecx
		mov	edx, [ebp-80h]
		mov	ecx, edi
		call	_AlpcpSetupMessageDataForDeferredCopy@24 ; AlpcpSetupMessageDataForDeferredCopy(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_79A68B
		cmp	byte ptr [ebp+2Ch], 0
		jz	short loc_79A4D8
		cmp	dword ptr [edi+4Ch], 0
		jz	short loc_79A4D8
		lea	eax, [ebp-0D8h]
		push	eax
		lea	edx, [edi+38h]
		mov	ecx, ebx
		call	_AlpcpMapLegacyPortRemoteView@12 ; AlpcpMapLegacyPortRemoteView(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_79A68B

loc_79A4D8:				; CODE XREF: PAGE:0079A4B5j
					; PAGE:0079A4BBj
		mov	dword ptr [ebp-74h], 1
		cmp	dword ptr [ebp-90h], 0
		jz	short loc_79A53D
		xor	eax, eax
		lea	edi, [ebp-0CCh]
		stosd
		stosd
		stosd
		lea	eax, [ebp-13Ch]
		push	eax
		lea	edx, [ebp-0F0h]
		mov	ecx, ebx
		call	_AlpcpMapLegacyPortView@12 ; AlpcpMapLegacyPortView(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_79A559
		lea	eax, [ebp-0CCh]
		push	eax
		lea	edx, [ebp-13Ch]
		mov	ecx, [ebp-58h]
		call	_AlpcpMapLegacyPortRemoteView@12 ; AlpcpMapLegacyPortRemoteView(x,x,x)
		mov	esi, eax
		mov	edi, [ebp-4Ch]
		test	esi, esi
		js	loc_79A68B
		mov	eax, [ebp-0C4h]
		mov	[ebp-0DCh], eax
		jmp	short loc_79A55C
; 

loc_79A53D:				; CODE XREF: PAGE:0079A4E6j
		lea	eax, [ebp-13Ch]
		push	eax
		push	edi
		push	dword ptr [ebp-0A0h]
		xor	edx, edx
		mov	ecx, [ebp-60h]
		call	AlpcpCaptureAttributes
		mov	esi, eax
		jmp	short loc_79A55C
; 

loc_79A559:				; CODE XREF: PAGE:0079A50Bj
		mov	edi, [ebp-4Ch]

loc_79A55C:				; CODE XREF: PAGE:0079A53Bj
					; PAGE:0079A557j
		test	esi, esi
		js	loc_79A68B
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		lea	eax, [ebp-64h]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	1F0001h
		xor	edx, edx
		mov	ecx, ebx
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_79A68B
		add	edi, 38h
		mov	ecx, edi
		call	AlpcpReleaseAttributes
		push	0Ah
		pop	ecx
		lea	esi, [ebp-13Ch]
		rep movsd
		and	dword ptr [ebp-74h], 0
		mov	esi, [ebp-4Ch]
		mov	eax, [esi+70h]
		test	eax, eax
		jz	short loc_79A5BF
		push	dword ptr [esi+90h]
		push	eax
		call	_PsReleaseProcessWakeCounter@8 ; PsReleaseProcessWakeCounter(x,x)
		and	dword ptr [esi+70h], 0

loc_79A5BF:				; CODE XREF: PAGE:0079A5ADj
		mov	eax, [esi+74h]
		test	eax, eax
		jz	short loc_79A5D6
		push	dword ptr [esi+90h]
		push	eax
		call	_PsReleaseProcessWakeCounter@8 ; PsReleaseProcessWakeCounter(x,x)
		and	dword ptr [esi+74h], 0

loc_79A5D6:				; CODE XREF: PAGE:0079A5C4j
		mov	dword ptr [ebp-4], 1
		mov	eax, [ebp-64h]
		mov	ecx, [ebp-8Ch]
		mov	[ecx], eax
		mov	ecx, [ebp+14h]
		test	ecx, ecx
		jnz	short loc_79A5F4
		mov	[ebx+1Ch], eax
		jmp	short loc_79A5F7
; 

loc_79A5F4:				; CODE XREF: PAGE:0079A5EDj
		mov	[ebx+1Ch], ecx

loc_79A5F7:				; CODE XREF: PAGE:0079A5F2j
		mov	eax, [ebp-90h]
		test	eax, eax
		jz	short loc_79A60E
		push	6
		pop	ecx
		lea	esi, [ebp-0F0h]
		mov	edi, eax
		rep movsd

loc_79A60E:				; CODE XREF: PAGE:0079A5FFj
		mov	eax, [ebp-68h]
		test	eax, eax
		jz	short loc_79A620
		lea	esi, [ebp-0D8h]
		mov	edi, eax
		movsd
		movsd
		movsd

loc_79A620:				; CODE XREF: PAGE:0079A613j
		mov	[ebp-114h], ebx
		mov	edi, [ebp-4Ch]
		mov	[ebp-110h], edi
		mov	dword ptr [ebp-0FCh], 10000h
		lea	ecx, [ebp-114h]
		call	_AlpcpDispatchMessage@4	; AlpcpDispatchMessage(x)
		mov	esi, eax
		mov	[ebp-0A8h], esi
		test	esi, esi
		js	short loc_79A654
		and	dword ptr [ebp-64h], 0

loc_79A654:				; CODE XREF: PAGE:0079A64Ej
		xor	edi, edi
		mov	[ebp-4Ch], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_79A69B
; 

loc_79A662:				; DATA XREF: .text:006A2058o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A4h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_79A673:				; DATA XREF: .text:006A205Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0A4h]
		mov	[ebp-0A8h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_79A695
; 

loc_79A68B:				; CODE XREF: PAGE:0079A39Dj
					; PAGE:0079A3C5j ...
		mov	edi, [ebp-4Ch]
		jmp	short loc_79A69B
; 

loc_79A690:				; CODE XREF: PAGE:0079A1DAj
					; PAGE:0079A1F7j ...
		mov	esi, 0C0000702h

loc_79A695:				; CODE XREF: PAGE:0079A1B4j
					; PAGE:0079A1CFj ...
		mov	edi, [ebp-4Ch]

loc_79A698:				; CODE XREF: PAGE:0079A18Ej
					; PAGE:0079A312j
		mov	ebx, [ebp-54h]

loc_79A69B:				; CODE XREF: PAGE:0079A660j
					; PAGE:0079A68Ej
		test	edi, edi
		jz	short loc_79A6E2
		cmp	dword ptr [ebp-74h], 0
		jz	short loc_79A6B0
		lea	ecx, [ebp-13Ch]
		call	AlpcpReleaseAttributes

loc_79A6B0:				; CODE XREF: PAGE:0079A6A3j
		xor	eax, eax
		cmp	[ebp-74h], eax
		setnz	al
		mov	[ebp-68h], eax
		cmp	dword ptr [ebp-78h], 0
		jz	short loc_79A6D2
		push	10000h
		mov	edx, edi
		mov	ecx, [ebp-60h]
		call	@AlpcpCancelMessage@12 ; AlpcpCancelMessage(x,x,x)
		jmp	short loc_79A6D9
; 

loc_79A6D2:				; CODE XREF: PAGE:0079A6BFj
		mov	ecx, edi
		call	_AlpcpUnlockMessage@4 ;	AlpcpUnlockMessage(x)

loc_79A6D9:				; CODE XREF: PAGE:0079A6D0j
		mov	eax, [ebp-68h]
		mov	[ebp-84h], eax

loc_79A6E2:				; CODE XREF: PAGE:0079A69Dj
		mov	ecx, [ebp-94h]
		test	ecx, ecx
		jz	short loc_79A6F1
		call	_AlpcpDereferencePort@4	; AlpcpDereferencePort(x)

loc_79A6F1:				; CODE XREF: PAGE:0079A6EAj
		test	ebx, ebx
		jz	short loc_79A70C
		cmp	dword ptr [ebp-84h], 0
		jz	short loc_79A705
		mov	ecx, ebx
		call	_AlpcpFlushResourcesPort@4 ; AlpcpFlushResourcesPort(x)

loc_79A705:				; CODE XREF: PAGE:0079A6FCj
		mov	ecx, ebx
		call	_AlpcpDereferencePort@4	; AlpcpDereferencePort(x)

loc_79A70C:				; CODE XREF: PAGE:0079A6F3j
		cmp	dword ptr [ebp-64h], 0
		jz	short loc_79A71A
		push	dword ptr [ebp-64h]
		call	NtClose

loc_79A71A:				; CODE XREF: PAGE:0079A710j
		mov	eax, esi
		jmp	short loc_79A723
; 

loc_79A71E:				; CODE XREF: PAGE:0079A166j
		mov	eax, 0C0000140h

loc_79A723:				; CODE XREF: PAGE:0079A05Ej
					; PAGE:0079A0E8j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	28h
; 

loc_79A735:				; CODE XREF: PAGE:0079A066j
					; PAGE:0079A0A2j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpValidateConnectionMessage proc near ; CODE	XREF: PAGE:0079A2B5p
					; AlpcpFormatConnectionRequest+EDp

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008E6995 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		mov	esi, edx
		mov	edx, ecx
		jnz	short loc_79A75A
		xor	dl, dl
		mov	ecx, esi
		call	_AlpcpValidateMessage@8	; AlpcpValidateMessage(x,x)

loc_79A755:				; CODE XREF: AlpcpValidateConnectionMessage+38j
		pop	esi
		pop	ebp
		retn	4
; 

loc_79A75A:				; CODE XREF: AlpcpValidateConnectionMessage+Ej
		mov	ecx, [edx+0A8h]
		movzx	eax, word ptr [esi]
		push	edi
		push	18h
		pop	edi
		sub	ecx, edi
		cmp	eax, ecx
		ja	loc_8E6995

loc_79A771:				; CODE XREF: AlpcpValidateConnectionMessage+14C266j
		xor	eax, eax
		pop	edi
		jmp	short loc_79A755
AlpcpValidateConnectionMessage endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpValidateMessage(x, x)
_AlpcpValidateMessage@8	proc near	; CODE XREF: AlpcpValidateConnectionMessage+14p
					; AlpcpReplyLegacySynchronousRequest(x,x,x)+42p ...
		movzx	eax, word ptr [ecx]
		push	ebx
		push	esi
		mov	bl, dl
		mov	edx, eax
		lea	esi, [eax+18h]
		cmp	ax, si
		jnb	short loc_79A7A3
		lea	eax, [edx+18h]
		movzx	edx, word ptr [ecx+2]
		test	bl, bl
		jz	short loc_79A79F
		cmp	eax, edx
		ja	short loc_79A7A3
		mov	[ecx+2], si

loc_79A79A:				; CODE XREF: AlpcpValidateMessage(x,x)+2Bj
		xor	eax, eax

loc_79A79C:				; CODE XREF: AlpcpValidateMessage(x,x)+32j
		pop	esi
		pop	ebx
		retn
; 

loc_79A79F:				; CODE XREF: AlpcpValidateMessage(x,x)+1Aj
		cmp	eax, edx
		jz	short loc_79A79A

loc_79A7A3:				; CODE XREF: AlpcpValidateMessage(x,x)+Fj
					; AlpcpValidateMessage(x,x)+1Ej
		mov	eax, 0C000000Dh
		jmp	short loc_79A79C
_AlpcpValidateMessage@8	endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpDispatchMessage(x)
_AlpcpDispatchMessage@4	proc near	; CODE XREF: PAGE:0079A63Fp
		mov	edi, edi
		push	ecx
		mov	eax, [ecx+4]
		cmp	dword ptr [eax+0Ch], 0
		jz	short loc_79A7CA
		cmp	dword ptr [eax+10h], 0
		jz	short loc_79A7C3
		call	@AlpcpDispatchReplyToWaitingThread@4 ; AlpcpDispatchReplyToWaitingThread(x)
		pop	ecx
		retn
; 

loc_79A7C3:				; CODE XREF: AlpcpDispatchMessage(x)+10j
		call	_AlpcpDispatchReplyToPort@4 ; AlpcpDispatchReplyToPort(x)
		pop	ecx
		retn
; 

loc_79A7CA:				; CODE XREF: AlpcpDispatchMessage(x)+Aj
		call	@AlpcpDispatchNewMessage@4 ; AlpcpDispatchNewMessage(x)
		pop	ecx
		retn
_AlpcpDispatchMessage@4	endp

; 
		align 2

;  S U B	R O U T	I N E 


AlpcpReleaseAttributes proc near	; CODE XREF: PAGE:0079A591p
					; PAGE:0079A6ABp ...

; FUNCTION CHUNK AT 008E69A7 SIZE 0000001A BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jnz	short loc_79A815

loc_79A7E1:				; CODE XREF: AlpcpReleaseAttributes+4Ej
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jnz	short loc_79A80B

loc_79A7E8:				; CODE XREF: AlpcpReleaseAttributes+41j
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jnz	short loc_79A7FE

loc_79A7EF:				; CODE XREF: AlpcpReleaseAttributes+37j
		mov	ecx, [esi+1Ch]
		test	cl, 1
		jnz	loc_8E69A7

loc_79A7FB:				; CODE XREF: AlpcpReleaseAttributes+14C1EAj
		pop	edi
		pop	esi
		retn
; 

loc_79A7FE:				; CODE XREF: AlpcpReleaseAttributes+1Bj
		xor	edx, edx
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	[esi+18h], edi
		jmp	short loc_79A7EF
; 

loc_79A80B:				; CODE XREF: AlpcpReleaseAttributes+14j
		call	_AlpcpReleaseViewAttribute@4 ; AlpcpReleaseViewAttribute(x)
		mov	[esi+14h], edi
		jmp	short loc_79A7E8
; 

loc_79A815:				; CODE XREF: AlpcpReleaseAttributes+Dj
		xor	edx, edx
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	[esi+10h], edi
		jmp	short loc_79A7E1
AlpcpReleaseAttributes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpSetupMessageDataForDeferredCopy(x, x, x, x, x,	x)
_AlpcpSetupMessageDataForDeferredCopy@24 proc near ; CODE XREF:	PAGE:0079A4A2p
					; AlpcpFormatConnectionRequest+107p

arg_4		= word ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, [ebp+arg_4]
		push	esi
		push	edi
		xor	edi, edi
		cmp	[ebp+arg_8], 0
		jnz	short loc_79A838
		add	edx, 18h

loc_79A838:				; CODE XREF: AlpcpSetupMessageDataForDeferredCopy(x,x,x,x,x,x)+11j
		cmp	[ebp+arg_C], 0
		mov	esi, eax
		jz	short loc_79A852
		lea	eax, [esi+edx]
		cmp	eax, ds:_MmUserProbeAddress
		jbe	short loc_79A852
		mov	eax, 0C0000005h
		jmp	short loc_79A86A
; 

loc_79A852:				; CODE XREF: AlpcpSetupMessageDataForDeferredCopy(x,x,x,x,x,x)+1Cj
					; AlpcpSetupMessageDataForDeferredCopy(x,x,x,x,x,x)+27j
		mov	[ecx+60h], edx
		call	_AlpcpAvailableBufferSize@4 ; AlpcpAvailableBufferSize(x)
		cmp	esi, eax
		jbe	short loc_79A868
		push	edi		; void *
		mov	edx, esi
		call	@AlpcpCaptureMessageData@12 ; AlpcpCaptureMessageData(x,x,x)
		mov	edi, eax

loc_79A868:				; CODE XREF: AlpcpSetupMessageDataForDeferredCopy(x,x,x,x,x,x)+3Aj
		mov	eax, edi

loc_79A86A:				; CODE XREF: AlpcpSetupMessageDataForDeferredCopy(x,x,x,x,x,x)+2Ej
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_AlpcpSetupMessageDataForDeferredCopy@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAlpcConnectPort(x, x, x, x, x, x,	x, x, x, x, x)
_NtAlpcConnectPort@44 proc near		; DATA XREF: .text:00581240o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_28]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_24]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	0
		call	AlpcpConnectPort
		pop	ebp
		retn	2Ch
_NtAlpcConnectPort@44 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpConnectPort proc near		; CODE XREF: NtAlpcConnectPortEx(x,x,x,x,x,x,x,x,x,x,x)+2Ap
					; NtAlpcConnectPort(x,x,x,x,x,x,x,x,x,x,x)+2Ap

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= byte ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 008E69C1 SIZE 0000000E BYTES
; FUNCTION CHUNK AT 008E69D8 SIZE 0000000C BYTES
; FUNCTION CHUNK AT 008E69F2 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 008E6A0A SIZE 0000000C BYTES

		push	90h
		push	offset dword_6A2060
		call	__SEH_prolog4_GS
		mov	[ebp+var_8C], edx
		mov	eax, ecx
		mov	[ebp+var_78], eax
		mov	[ebp+var_68], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_88], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_84], eax
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_64], esi
		mov	edi, [ebp+arg_10]
		mov	[ebp+var_80], edi
		mov	[ebp+var_70], edi
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_74], eax
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_9C], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_98], eax
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_94], eax
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_90], eax
		and	[ebp+var_58], 0
		and	[ebp+var_5C], 0
		push	2Ch		; size_t
		push	0		; int
		lea	eax, [ebp+var_48]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_50], al
		and	[ebp+arg_C], 0FFFF0000h
		mov	ecx, [ebp+var_74]
		mov	[ebp+var_54], ecx
		mov	[ebp+var_60], edi
		test	al, al
		jz	loc_79AB14
		and	[ebp+ms_exc.disabled], 0
		mov	eax, ds:_MmUserProbeAddress
		mov	ecx, [ebp+var_78]
		cmp	ecx, eax
		jnb	loc_8E69C1

loc_79A970:				; CODE XREF: AlpcpConnectPort+14C11Fj
		mov	eax, [ecx]
		mov	[ecx], eax
		test	esi, esi
		jz	short loc_79A992
		mov	edx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8E69C8

loc_79A987:				; CODE XREF: AlpcpConnectPort+14C126j
		push	0Bh
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp+var_48]
		rep movsd
		nop

loc_79A992:				; CODE XREF: AlpcpConnectPort+D2j
		mov	eax, [ebp+var_6C]
		test	eax, eax
		jz	short loc_79A9B7
		lea	ecx, [ebp+var_54]
		push	ecx
		push	1
		sub	esp, 0Ch
		mov	dl, [ebp+var_50]
		mov	ecx, eax
		call	SeCaptureSid
		mov	[ebp+var_4C], eax
		test	eax, eax
		js	loc_8E69D8

loc_79A9B7:				; CODE XREF: AlpcpConnectPort+F3j
		mov	eax, [ebp+var_70]
		test	eax, eax
		jnz	loc_79AADE

loc_79A9C2:				; CODE XREF: AlpcpConnectPort+250j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_60]
		mov	eax, [ebp+var_64]

loc_79A9CF:				; CODE XREF: AlpcpConnectPort+274j
					; AlpcpConnectPort+285j
		push	0
		push	0
		push	[ebp+var_54]
		push	edi
		neg	eax
		sbb	eax, eax
		lea	ecx, [ebp+var_48]
		and	eax, ecx
		push	eax
		push	[ebp+var_84]
		push	[ebp+var_88]
		push	[ebp+var_8C]
		mov	esi, [ebp+arg_C]
		push	esi
		lea	edx, [ebp+var_58]
		lea	ecx, [ebp+var_5C]
		call	AlpcpCreateClientPort
		mov	[ebp+var_4C], eax
		test	eax, eax
		jns	short loc_79AA56

loc_79AA09:				; CODE XREF: AlpcpConnectPort+20Ej
					; AlpcpConnectPort+21Cj ...
		mov	eax, [ebp+var_54]
		test	eax, eax
		jz	short loc_79AA2A
		cmp	eax, [ebp+var_6C]
		jz	short loc_79AA2A
		mov	al, [ebp+var_50]
		test	al, al
		jz	short loc_79AA20
		cmp	al, 1
		jnz	short loc_79AA2A

loc_79AA20:				; CODE XREF: AlpcpConnectPort+176j
		push	0
		push	[ebp+var_54]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_79AA2A:				; CODE XREF: AlpcpConnectPort+16Aj
					; AlpcpConnectPort+16Fj ...
		mov	eax, [ebp+var_60]
		test	eax, eax
		jnz	loc_79AAC5

loc_79AA35:				; CODE XREF: AlpcpConnectPort+224j
					; AlpcpConnectPort+235j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	2Ch
; 

loc_79AA56:				; CODE XREF: AlpcpConnectPort+163j
		push	dword ptr [ebp+var_50]
		push	[ebp+arg_28]
		push	[ebp+var_90]
		push	[ebp+var_94]
		push	[ebp+var_98]
		push	[ebp+var_9C]
		mov	edx, esi
		mov	esi, [ebp+var_58]
		mov	ecx, esi
		call	AlpcpProcessConnectionRequest
		mov	[ebp+var_4C], eax
		cmp	eax, 0C0000041h
		jz	short loc_79AAFF

loc_79AA8A:				; CODE XREF: AlpcpConnectPort+265j
					; AlpcpConnectPort+14C16Dj
		cmp	[ebp+var_4C], 0
		jnz	short loc_79AAA6
		mov	[ebp+ms_exc.disabled], 2
		mov	ecx, [ebp+var_5C]
		mov	eax, [ebp+var_68]
		mov	[eax], ecx

loc_79AA9F:				; CODE XREF: sub_8E6A27+Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_79AAA6:				; CODE XREF: AlpcpConnectPort+1EAj
		mov	ecx, [ebp+var_58]
		call	ObfDereferenceObject
		cmp	[ebp+var_4C], 0
		jz	loc_79AA09
		push	[ebp+var_5C]
		call	NtClose
		jmp	loc_79AA09
; 

loc_79AAC5:				; CODE XREF: AlpcpConnectPort+18Bj
		cmp	eax, [ebp+var_70]
		jz	loc_79AA35
		push	0
		push	dword ptr [ebp+var_50]
		push	eax
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		jmp	loc_79AA35
; 

loc_79AADE:				; CODE XREF: AlpcpConnectPort+118j
		lea	ecx, [ebp+var_60]
		push	ecx		; int
		push	0		; int
		push	1		; int
		push	dword ptr [ebp+var_50] ; char
		push	eax		; size_t
		call	SeCaptureSecurityDescriptor
		mov	[ebp+var_4C], eax
		test	eax, eax
		jns	loc_79A9C2
		jmp	loc_8E69D8
; 

loc_79AAFF:				; CODE XREF: AlpcpConnectPort+1E4j
		test	dword ptr [esi+0F4h], 100h
		jz	loc_79AA8A
		jmp	loc_8E69F2
; 

loc_79AB14:				; CODE XREF: AlpcpConnectPort+B2j
		mov	eax, esi
		test	eax, eax
		jz	loc_79A9CF
		push	0Bh
		pop	ecx
		lea	edi, [ebp+var_48]
		rep movsd
		mov	edi, [ebp+var_80]
		jmp	loc_79A9CF
AlpcpConnectPort endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCreateClientPort proc near		; CODE XREF: AlpcpConnectPort+159p
					; NtSecureConnectPort+20Bp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= byte ptr  28h

; FUNCTION CHUNK AT 008E6A38 SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, large fs:124h
		mov	[ebp+var_1C], edx
		xor	edx, edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_18], ecx
		mov	al, [eax+15Ah]
		mov	ecx, [ebp+arg_8]
		mov	byte ptr [ebp+var_14], al
		mov	[ebp+var_1], al
		lea	eax, [ebp+var_8]
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		push	eax
		push	edx
		push	[ebp+var_14]
		push	ds:_AlpcPortObjectType
		push	1
		test	ecx, ecx
		jnz	loc_79AE1D
		push	edx
		push	edx
		push	[ebp+arg_4]
		call	ObReferenceObjectByName

loc_79AB7E:				; CODE XREF: AlpcpCreateClientPort+2F6j
		test	eax, eax
		jns	short loc_79AB86

locret_79AB82:				; CODE XREF: AlpcpCreateClientPort+2EAj
		leave
		retn	24h
; 

loc_79AB86:				; CODE XREF: AlpcpCreateClientPort+52j
		push	ebx
		mov	ebx, [ebp+var_8]
		push	esi
		push	edi
		mov	ecx, [ebx+0F4h]
		mov	eax, ecx
		and	al, 6
		cmp	al, 2
		jnz	loc_8E6A38
		or	esi, 0FFFFFFFFh
		cmp	[ebp+arg_20], 0
		jnz	short loc_79ABB3
		test	ecx, 1000h
		jnz	loc_8E6A42

loc_79ABB3:				; CODE XREF: AlpcpCreateClientPort+77j
					; AlpcpCreateClientPort+14BF47j
		cmp	[ebp+arg_18], 0
		jnz	short loc_79ABBF
		cmp	[ebp+arg_14], 0
		jz	short loc_79AC3B

loc_79ABBF:				; CODE XREF: AlpcpCreateClientPort+89j
		lea	ecx, [ebx+0D0h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebx+0Ch]
		mov	eax, ecx
		and	al, 1
		movzx	edi, al
		neg	edi
		sbb	edi, edi
		not	edi
		and	edi, ecx
		jz	short loc_79ABEC
		mov	edx, 63706C41h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag

loc_79ABEC:				; CODE XREF: AlpcpCreateClientPort+B0j
		push	11h
		xor	edx, edx
		lea	ecx, [ebx+0D0h]
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	loc_79AE9F

loc_79AC04:				; CODE XREF: AlpcpCreateClientPort+37Cj
		call	KeAbPostRelease
		test	edi, edi
		jz	loc_79AE87
		push	[ebp+arg_14]
		mov	dl, [ebp+var_1]
		mov	ecx, edi
		push	[ebp+arg_18]
		call	AlpcpCheckConnectionSecurity
		mov	edx, 63706C41h
		mov	[ebp+arg_14], eax
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	edi, [ebp+arg_14]

loc_79AC33:				; CODE XREF: AlpcpCreateClientPort+35Ej
		test	edi, edi
		js	loc_79AE91

loc_79AC3B:				; CODE XREF: AlpcpCreateClientPort+8Fj
		mov	edx, [ebp+arg_C]
		lea	eax, [ebp+var_C]
		mov	cl, [ebp+var_1]
		push	eax
		call	_AlpcpCreatePort@12 ; AlpcpCreatePort(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_79AE91
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_79AC67
		test	dword ptr [eax], 40000h
		mov	byte ptr [ebp+arg_14], 1
		jnz	short loc_79AC6B

loc_79AC67:				; CODE XREF: AlpcpCreateClientPort+12Bj
		mov	byte ptr [ebp+arg_14], 0

loc_79AC6B:				; CODE XREF: AlpcpCreateClientPort+137j
		push	[ebp+arg_14]
		mov	edi, [ebp+var_C]
		mov	ecx, edi
		push	2
		pop	edx
		call	_AlpcpInitializePort@12	; AlpcpInitializePort(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8E6A7F
		or	dword ptr [edi+0F4h], 8
		mov	ecx, offset _AlpcConnectionType
		push	1
		push	28h
		pop	edx
		call	@AlpcpAllocateBlob@12 ;	AlpcpAllocateBlob(x,x,x)
		mov	[ebp+arg_18], eax
		test	eax, eax
		jz	loc_8E6A7A
		mov	ebx, [ebp+var_8]
		xor	edx, edx
		mov	[edi+8], eax
		and	dword ptr [eax+4], 0
		and	dword ptr [eax+24h], 0
		mov	[eax], ebx
		mov	[eax+8], edi
		mov	ecx, [ebx+8]
		sub	ecx, 4
		call	ExAcquirePushLockExclusiveEx
		lea	ecx, [ebx+0D0h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebx+8]
		mov	ecx, [ebp+arg_18]
		add	eax, 0Ch
		add	ecx, 0Ch
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_79AEAF
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		mov	eax, esi
		lea	esi, [ebx+0D0h]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_79AE6F

loc_79AD0A:				; CODE XREF: AlpcpCreateClientPort+348j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, [ebx+8]
		or	eax, 0FFFFFFFFh
		sub	esi, 4
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_79AE7B

loc_79AD28:				; CODE XREF: AlpcpCreateClientPort+354j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+arg_18]
		lea	ecx, [ecx+14h]
		call	_AlpcInitializeHandleTable@8 ; AlpcInitializeHandleTable(x,x)
		test	eax, eax
		js	loc_79AE4A
		push	dword ptr [ebp+arg_20]
		mov	esi, [ebp+arg_10]
		mov	ecx, edi
		push	[ebp+arg_14]
		mov	edx, esi
		push	0
		push	[ebp+arg_1C]
		push	ebx
		call	_AlpcpValidateAndSetPortAttributes@28 ;	AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_79AE4A
		mov	ebx, [ebp+arg_18]
		push	1
		push	20h
		pop	edx
		lea	ecx, [ebx+24h]
		call	@AlpcpAllocateMessage@12 ; AlpcpAllocateMessage(x,x,x)
		test	eax, eax
		js	loc_79AE4A
		mov	eax, [ebx+24h]
		inc	word ptr [eax-0Eh]
		mov	eax, [ebx+24h]
		or	dword ptr [eax+90h], 80000000h
		cmp	_AlpcpMessageLogEnabled, 0
		mov	ebx, [ebx+24h]
		jnz	loc_8E6A89

loc_79AD9E:				; CODE XREF: AlpcpCreateClientPort+14BF62j
		mov	ecx, ebx
		call	AlpcpUnlockBlob
		cmp	[ebp+arg_20], 0
		jnz	loc_79AE51

loc_79ADAF:				; CODE XREF: AlpcpCreateClientPort+32Dj
		test	[ebp+arg_0], 80000h
		jnz	loc_79AE60

loc_79ADBC:				; CODE XREF: AlpcpCreateClientPort+33Cj
		cmp	byte ptr [edi+0A4h], 1
		jnz	short loc_79AE29
		or	dword ptr [edi+0F4h], 400h

loc_79ADCF:				; CODE XREF: AlpcpCreateClientPort+31Aj
		mov	edx, esi
		mov	ecx, edi
		call	_AlpcpSetOwnerProcessPort@8 ; AlpcpSetOwnerProcessPort(x,x)
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		lea	eax, [ebp+var_10]
		xor	edx, edx
		push	eax
		xor	eax, eax
		mov	ecx, edi
		push	eax
		push	eax
		push	eax
		push	1F0001h
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_8E6A95
		mov	edx, [ebp+var_18]
		mov	eax, [ebp+var_10]
		mov	[edi+1Ch], eax
		mov	eax, [ebp+var_10]
		mov	[edx], eax
		mov	eax, [ebp+var_1C]
		mov	[eax], edi
		mov	eax, ecx

loc_79AE15:				; CODE XREF: AlpcpCreateClientPort+36Cj
					; AlpcpCreateClientPort+14BF72j
		pop	edi
		pop	esi
		pop	ebx
		jmp	locret_79AB82
; 

loc_79AE1D:				; CODE XREF: AlpcpCreateClientPort+40j
		xor	edx, edx
		call	ObReferenceObjectByNameEx
		jmp	loc_79AB7E
; 

loc_79AE29:				; CODE XREF: AlpcpCreateClientPort+295j
		mov	ecx, large fs:124h
		mov	edi, [ebp+var_C]
		lea	eax, [edi+20h]
		push	eax
		push	0
		lea	eax, [edi+9Ch]
		push	eax
		push	ecx
		call	_SeCreateClientSecurity@16 ; SeCreateClientSecurity(x,x,x,x)
		test	eax, eax
		jns	short loc_79ADCF

loc_79AE4A:				; CODE XREF: AlpcpCreateClientPort+20Ej
					; AlpcpCreateClientPort+22Ej ...
		mov	ebx, eax
		jmp	loc_8E6A97
; 

loc_79AE51:				; CODE XREF: AlpcpCreateClientPort+27Bj
		or	dword ptr [edi+0F4h], 1000h
		jmp	loc_79ADAF
; 

loc_79AE60:				; CODE XREF: AlpcpCreateClientPort+288j
		or	dword ptr [edi+0F4h], 100h
		jmp	loc_79ADBC
; 

loc_79AE6F:				; CODE XREF: AlpcpCreateClientPort+1D6j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_79AD0A
; 

loc_79AE7B:				; CODE XREF: AlpcpCreateClientPort+1F4j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_79AD28
; 

loc_79AE87:				; CODE XREF: AlpcpCreateClientPort+DDj
		mov	edi, 0C00002A0h
		jmp	loc_79AC33
; 

loc_79AE91:				; CODE XREF: AlpcpCreateClientPort+107j
					; AlpcpCreateClientPort+120j ...
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	loc_79AE15
; 

loc_79AE9F:				; CODE XREF: AlpcpCreateClientPort+D0j
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	ecx, [ebx+0D0h]
		jmp	loc_79AC04
; 

loc_79AEAF:				; CODE XREF: AlpcpCreateClientPort+1B6j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
AlpcpCreateClientPort endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall AlpcpSetOwnerProcessPort(x,	x)
_AlpcpSetOwnerProcessPort@8 proc near	; CODE XREF: PAGE:0079A3D9p
					; AlpcpCreateClientPort+2A5p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		test	edx, edx
		jz	short loc_79AEC6
		test	dword ptr [edx], 100000h
		jnz	short loc_79AEE4

loc_79AEC6:				; CODE XREF: AlpcpSetOwnerProcessPort(x,x)+8j
		mov	eax, large fs:124h
		mov	esi, [eax+80h]

loc_79AED2:				; CODE XREF: AlpcpSetOwnerProcessPort(x,x)+36j
		mov	edx, 63706C41h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	[edi+0Ch], esi
		pop	edi
		pop	esi
		retn
; 

loc_79AEE4:				; CODE XREF: AlpcpSetOwnerProcessPort(x,x)+10j
		mov	esi, ds:_PsInitialSystemProcess
		jmp	short loc_79AED2
_AlpcpSetOwnerProcessPort@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpValidateAndSetPortAttributes(x, x, x, x, x, x,	x)
_AlpcpValidateAndSetPortAttributes@28 proc near	; CODE XREF: PAGE:0079A3BCp
					; AlpcpCreateClientPort+227p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		lea	eax, [ebp+var_30]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		mov	ebx, edx
		mov	[ebp+var_34], esi
		call	_memset
		add	esp, 0Ch
		test	ebx, ebx
		jz	loc_79AFC9
		mov	eax, [ebx+10h]
		cmp	eax, 18h
		jb	loc_79B06D
		cmp	eax, 0FFEFh
		ja	loc_79B06D
		mov	ecx, [ebx]
		test	ecx, 100000h
		jnz	loc_79B059

loc_79AF45:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+17Bj
		and	ecx, 3FF0000h
		and	dword ptr [ebx+28h], 0FFDh
		mov	[ebx], ecx
		mov	cl, [ebp+arg_10]

loc_79AF57:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+ECj
					; AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+F9j
		mov	eax, [esi+0F4h]
		shr	eax, 1
		and	eax, 3
		sub	eax, 1
		jz	loc_79B016
		sub	eax, 1
		jnz	short loc_79AF8F
		lea	eax, [ebp+var_30]
		cmp	ebx, eax
		jz	short loc_79AFEA

loc_79AF77:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+104j
		test	cl, cl
		jnz	short loc_79AFF2
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0A8h]
		cmp	[ebx+10h], eax
		ja	loc_79B051
		jmp	short loc_79AF9D
; 

loc_79AF8F:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+82j
		and	dword ptr [ebx], 0FFFDFFFFh
		test	cl, cl
		jnz	loc_79B040

loc_79AF9D:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+A1j
					; AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+128j ...
		lea	ecx, [ebx+4]
		call	_SeValidateSecurityQos@4 ; SeValidateSecurityQos(x)
		test	eax, eax
		js	short loc_79AFB8
		lea	edi, [esi+98h]
		xor	eax, eax
		push	0Bh
		pop	ecx
		mov	esi, ebx
		rep movsd

loc_79AFB8:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+BBj
					; AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+186j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_79AFC9:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+2Ej
		lea	ecx, [ebp+var_30]
		call	_AlpcpInitializeDefaultPortAttributes@4	; AlpcpInitializeDefaultPortAttributes(x)
		mov	ebx, ecx
		mov	cl, [ebp+arg_10]
		test	cl, cl
		jz	loc_79AF57
		or	[ebp+var_30], 1000h
		jmp	loc_79AF57
; 

loc_79AFEA:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+89j
		or	dword ptr [ebx], 10000h
		jmp	short loc_79AF77
; 

loc_79AFF2:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+8Dj
		or	dword ptr [ebx], 20000h
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_79B005
		lea	edi, [ebx+4]
		movsd
		movsd
		movsd

loc_79B005:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+111j
		mov	eax, [ebp+arg_0]
		mov	esi, [ebp+var_34]
		mov	eax, [eax+0A8h]
		mov	[ebx+10h], eax
		jmp	short loc_79AF9D
; 

loc_79B016:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+79j
		mov	eax, [ebx]
		or	eax, 20000h
		mov	[ebx], eax
		test	cl, cl
		jz	loc_79AF9D
		mov	ecx, [ebp+arg_8]
		cmp	ecx, ds:_LpcLegacyMaxMessageLength
		ja	short loc_79B06D
		cmp	[ebp+arg_C], 0
		jnz	short loc_79B077

loc_79B038:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+192j
		mov	[ebx+10h], ecx
		jmp	loc_79AF9D
; 

loc_79B040:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+ABj
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0A8h]
		cmp	eax, ds:_LpcLegacyMaxMessageLength
		ja	short loc_79B06D

loc_79B051:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+9Bj
		mov	[ebx+10h], eax
		jmp	loc_79AF9D
; 

loc_79B059:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+53j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	loc_79AF45

loc_79B06D:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+3Aj
					; AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+45j	...
		mov	eax, 0C000000Dh
		jmp	loc_79AFB8
; 

loc_79B077:				; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+14Aj
		or	eax, 40000h
		mov	[ebx], eax
		jmp	short loc_79B038
_AlpcpValidateAndSetPortAttributes@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeCopyClientToken proc near		; CODE XREF: SepCreateClientSecurityEx+108p
					; PsImpersonateClient+1B2p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E6AA5 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+28h+var_18], 18h
		lea	eax, [esp+28h+var_1C]
		mov	[esp+28h+var_1C], edi
		push	eax		; int
		push	edi		; int
		push	edi		; int
		push	edx		; size_t
		push	2		; int
		push	edi		; char
		lea	edx, [esp+40h+var_18]
		mov	[esp+40h+var_14], edi
		mov	[esp+40h+var_C], edi
		mov	[esp+40h+var_10], edi
		mov	[esp+40h+var_8], edi
		mov	[esp+40h+var_4], edi
		call	_SepDuplicateToken@32 ;	SepDuplicateToken(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_79B14D
		cmp	[ebp+arg_4], 0
		jnz	short loc_79B13D

loc_79B0D3:				; CODE XREF: SeCopyClientToken+CBj
		test	esi, esi
		js	short loc_79B14D
		mov	ecx, [esp+28h+var_1C]
		xor	edx, edx
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_79B14D
		mov	ecx, [esp+28h+var_1C]
		test	dword ptr [ecx+0B0h], 4000h
		jnz	short loc_79B119

loc_79B0FD:				; CODE XREF: SeCopyClientToken+A1j
					; SeCopyClientToken+14BA2Ej
		test	esi, esi
		js	short loc_79B14D

loc_79B101:				; CODE XREF: SeCopyClientToken+B6j
		call	_SepFinalizeTokenAcls@4	; SepFinalizeTokenAcls(x)
		mov	ecx, [ebp+arg_C]
		mov	eax, [esp+28h+var_1C]
		mov	[ecx], eax

loc_79B10F:				; CODE XREF: SeCopyClientToken+D2j
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_79B119:				; CODE XREF: SeCopyClientToken+7Bj
		mov	eax, [ecx+1E0h]
		test	eax, eax
		jz	short loc_79B0FD
		push	eax
		mov	edx, 0F01FFh
		call	SepAppendAceToTokenObjectAcl
		mov	ecx, [esp+28h+var_1C]
		mov	esi, eax
		test	esi, esi
		jns	short loc_79B101
		jmp	loc_8E6AA5
; 

loc_79B13D:				; CODE XREF: SeCopyClientToken+51j
		mov	edx, [ebp+arg_8]
		mov	ecx, [esp+28h+var_1C]
		call	_SepSetTokenTrust@8 ; SepSetTokenTrust(x,x)
		mov	esi, eax
		jmp	short loc_79B0D3
; 

loc_79B14D:				; CODE XREF: SeCopyClientToken+47j
					; SeCopyClientToken+55j ...
		mov	eax, [ebp+arg_C]
		mov	[eax], edi
		jmp	short loc_79B10F
SeCopyClientToken endp

; 
		align 10h
; Exported entry 1522. NtDuplicateToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtDuplicateToken
NtDuplicateToken proc near		; DATA XREF: .text:00581084o

var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008E6AB3 SIZE 00000018 BYTES
; FUNCTION CHUNK AT 008E6AED SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A2098
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 58h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		xor	eax, eax
		lea	edi, [ebp+var_48]
		stosd
		stosd
		stosd
		mov	[ebp+var_1A], 0
		mov	[ebp+var_1B], 0
		mov	[ebp+var_2C], 0
		mov	[ebp+var_3C], 0
		mov	[ebp+var_38], 0
		xor	eax, eax
		lea	edi, [ebp+var_58]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_19], 0
		xor	eax, eax
		lea	edi, [ebp+var_68]
		stosd
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	dl, [eax+15Ah]
		mov	[ebp+var_1C], dl
		mov	byte ptr [ebp+var_28], dl
		test	dl, dl
		jz	loc_79B402
		mov	[ebp+var_4], 0
		mov	eax, [ebp+arg_10]
		dec	eax
		cmp	eax, 1
		ja	loc_8E6ABA
		mov	ebx, [ebp+arg_14]
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8E6AB3

loc_79B210:				; CODE XREF: NtDuplicateToken+14B955j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_79B21B:				; CODE XREF: NtDuplicateToken+2A5j
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_1A]
		push	eax
		mov	esi, [ebp+arg_8]
		mov	ecx, esi
		call	SeCaptureSecurityQos
		test	eax, eax
		js	loc_79B348
		lea	eax, [ebp+var_1B]
		push	eax
		mov	dl, [ebp+var_1C]
		mov	ecx, esi
		call	SeCaptureObjectAttributeSecurityDescriptorPresent
		test	eax, eax
		js	loc_79B348
		mov	eax, ds:_SeTokenObjectType
		mov	[ebp+var_20], 0
		lea	ecx, [ebp+var_3C]
		push	ecx
		lea	ecx, [ebp+var_20]
		push	ecx
		mov	edi, [ebp+var_28]
		push	edi
		push	eax
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_79B348
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	loc_79B40A
		lea	eax, [ebp+var_58]
		push	eax
		call	SeCaptureSubjectContext
		mov	eax, [ebp+var_50]
		mov	[ebp+var_60], eax
		push	edi
		lea	eax, [ebp+var_58]
		push	eax
		call	RtlIsSandboxedToken
		test	al, al
		jnz	loc_79B35C

loc_79B2A2:				; CODE XREF: NtDuplicateToken+208j
		mov	[ebp+arg_14], esi
		mov	edi, [ebp+var_20]

loc_79B2A8:				; CODE XREF: NtDuplicateToken+24Dj
		lea	eax, [ebp+var_58]
		push	eax
		call	SeReleaseSubjectContext

loc_79B2B1:				; CODE XREF: NtDuplicateToken+2B3j
		cmp	[ebp+var_1A], 0
		jz	loc_79B418
		mov	ecx, [ebp+var_44]

loc_79B2BE:				; CODE XREF: NtDuplicateToken+2BEj
		mov	eax, [edi+0A8h]
		cmp	eax, 2
		jz	loc_79B3B2

loc_79B2CD:				; CODE XREF: NtDuplicateToken+263j
		mov	eax, [ebp+arg_10]

loc_79B2D0:				; CODE XREF: NtDuplicateToken+26Fj
					; NtDuplicateToken+27Cj
		mov	[ebp+var_24], 0
		lea	edx, [ebp+var_24]
		push	edx		; int
		push	0		; int
		push	[ebp+var_28]	; int
		push	ecx		; size_t
		push	eax		; int
		push	dword ptr [ebp+arg_C] ;	char
		mov	edx, [ebp+arg_8]
		mov	ecx, edi
		call	_SepDuplicateToken@32 ;	SepDuplicateToken(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_79B328
		lea	eax, [ebp+var_2C]
		push	eax
		push	0
		push	0
		push	1
		push	[ebp+arg_14]
		xor	edx, edx
		mov	ecx, [ebp+var_24]
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_79B328
		cmp	[ebp+var_1B], 0
		jnz	short loc_79B320
		mov	ecx, [ebp+var_24]
		call	_SepFinalizeTokenAcls@4	; SepFinalizeTokenAcls(x)

loc_79B320:				; CODE XREF: NtDuplicateToken+1B6j
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObject

loc_79B328:				; CODE XREF: NtDuplicateToken+193j
					; NtDuplicateToken+1B0j
		mov	ecx, edi
		call	ObfDereferenceObject
		test	esi, esi
		js	short loc_79B346
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_2C]
		mov	[ebx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_79B346:				; CODE XREF: NtDuplicateToken+1D1j
		mov	eax, esi

loc_79B348:				; CODE XREF: NtDuplicateToken+CFj
					; NtDuplicateToken+E5j	...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_79B35C:				; CODE XREF: NtDuplicateToken+13Cj
		push	edi
		lea	eax, [ebp+var_68]
		push	eax
		call	RtlIsSandboxedToken
		test	al, al
		jz	loc_79B2A2
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	eax, [ebp+var_50]
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		lea	eax, [ebp-19h]
		push	eax
		mov	edx, [ebp+var_50]
		mov	edi, [ebp+var_20]
		mov	ecx, edi
		call	SepNewTokenAsRestrictedAsProcessToken
		mov	ecx, [ebp+var_50]
		cmp	edi, ecx
		jnz	loc_79B423

loc_79B39D:				; CODE XREF: NtDuplicateToken+2CFj
		mov	[ebp+arg_14], esi

loc_79B3A0:				; CODE XREF: NtDuplicateToken+14B99Aj
		mov	ecx, [ecx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_79B2A8
; 

loc_79B3B2:				; CODE XREF: NtDuplicateToken+167j
		cmp	[ebp+arg_10], 2
		jnz	short loc_79B3C0
		cmp	ecx, [edi+0ACh]
		jg	short loc_79B3E2

loc_79B3C0:				; CODE XREF: NtDuplicateToken+256j
		cmp	eax, 2
		jnz	loc_79B2CD
		mov	eax, [ebp+arg_10]
		cmp	eax, 1
		jnz	loc_79B2D0
		cmp	dword ptr [edi+0ACh], 2
		jge	loc_79B2D0

loc_79B3E2:				; CODE XREF: NtDuplicateToken+25Ej
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, 0C00000A5h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_79B402:				; CODE XREF: NtDuplicateToken+84j
		mov	ebx, [ebp+arg_14]
		jmp	loc_79B21B
; 

loc_79B40A:				; CODE XREF: NtDuplicateToken+11Bj
		mov	eax, [ebp+var_38]
		mov	[ebp+arg_14], eax
		mov	edi, [ebp+var_20]
		jmp	loc_79B2B1
; 

loc_79B418:				; CODE XREF: NtDuplicateToken+155j
		mov	ecx, [edi+0ACh]
		jmp	loc_79B2BE
; 

loc_79B423:				; CODE XREF: NtDuplicateToken+237j
		test	eax, eax
		js	loc_8E6AED
		cmp	[ebp+var_19], 0
		jnz	loc_79B39D
		jmp	loc_8E6AED
NtDuplicateToken endp

; 
		align 10h
; Exported entry 2222. RtlIsSandboxedToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIsSandboxedToken
RtlIsSandboxedToken proc near		; CODE XREF: IopCheckInitiatorHint(x,x)+60p
					; RtlIsSandboxedTokenHandle+55p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E6B21 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		xor	eax, eax
		push	ebx
		push	esi
		mov	[esp+28h+var_10], eax
		xor	esi, esi
		mov	[esp+28h+var_C], eax
		xor	bl, bl
		mov	[esp+28h+var_8], eax
		mov	[esp+28h+var_4], eax
		mov	[esp+28h+var_1C], eax
		mov	[esp+28h+var_14], eax
		mov	[esp+28h+var_18], eax
		mov	eax, [ebp+arg_4]
		test	al, al
		jz	short loc_79B4B7
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_79B4D4

loc_79B47D:				; CODE XREF: RtlIsSandboxedToken+B7j
		lea	ecx, [esp+28h+var_18]
		push	ecx
		lea	ecx, [esp+2Ch+var_14]
		push	ecx
		push	eax
		mov	eax, ds:_SeMediumDaclSd
		push	offset _RtlpRestrictedMapping
		push	0
		push	0
		push	20000h
		push	0
		push	esi
		push	8
		push	eax
		call	_SeAccessCheckWithHint@44 ; SeAccessCheckWithHint(x,x,x,x,x,x,x,x,x,x,x)
		cmp	al, 1
		jnz	short loc_79B4B9
		call	_KeIsCetCapable@0 ; KeIsCetCapable()
		test	al, al
		jnz	loc_8E6B21

loc_79B4B7:				; CODE XREF: RtlIsSandboxedToken+34j
					; RtlIsSandboxedToken+14B70Aj
		mov	bl, 1

loc_79B4B9:				; CODE XREF: RtlIsSandboxedToken+68j
					; RtlIsSandboxedToken+14B6F9j ...
		lea	eax, [esp+28h+var_10]
		cmp	esi, eax
		jz	short loc_79B4F9

loc_79B4C1:				; CODE XREF: RtlIsSandboxedToken+BFj
		cmp	bl, 1
		jnz	short loc_79B4D0
		xor	al, al

loc_79B4C8:				; CODE XREF: RtlIsSandboxedToken+92j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_79B4D0:				; CODE XREF: RtlIsSandboxedToken+84j
		mov	al, 1
		jmp	short loc_79B4C8
; 

loc_79B4D4:				; CODE XREF: RtlIsSandboxedToken+3Bj
		lea	esi, [esp+28h+var_10]
		mov	eax, esi
		push	eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	eax, [ebp+arg_4]
		jmp	short loc_79B47D
; 

loc_79B4F9:				; CODE XREF: RtlIsSandboxedToken+7Fj
		push	esi
		call	SeReleaseSubjectContext
		jmp	short loc_79B4C1
RtlIsSandboxedToken endp

; 
		align 2

SeCaptureSecurityQos:			; CODE XREF: NtDuplicateToken+C8p
					; NtCreateTokenEx+2A0p
		push	10h
		push	offset dword_6A20E0
		call	__SEH_prolog4
		xor	eax, eax
		mov	ebx, [ebp+8]
		mov	[ebx], al
		test	dl, dl
		jz	loc_79B5B1
		mov	[ebp-4], eax
		test	ecx, ecx
		jz	short loc_79B585
		mov	edx, ecx
		test	cl, 3
		jnz	loc_79B5D4
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8E6B4F

loc_79B53C:				; CODE XREF: PAGE:008E6B51j
		nop
		mov	al, [edx]
		mov	eax, [ecx+14h]
		mov	[ebp+8], eax
		test	eax, eax
		jz	short loc_79B585
		test	al, 3
		jnz	loc_79B5D4
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_8E6B56

loc_79B55F:				; CODE XREF: PAGE:008E6B58j
		nop
		mov	al, [eax]
		mov	eax, [ebp+8]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		push	0Ch
		pop	ecx
		cmp	eax, ecx
		jnz	loc_8E6B5D
		mov	byte ptr [ebx],	1
		mov	esi, [ebp+8]
		mov	eax, [ebp+0Ch]
		mov	edi, eax
		movsd
		movsd
		movsd
		mov	[eax], ecx

loc_79B585:				; CODE XREF: PAGE:0079B522j
					; PAGE:0079B547j
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_79B58C:				; CODE XREF: PAGE:0079B5B3j
					; PAGE:0079B5B8j ...
		cmp	byte ptr [ebx],	0
		jz	short loc_79B59D
		mov	ecx, [ebp+0Ch]
		call	_SeValidateSecurityQos@4 ; SeValidateSecurityQos(x)
		test	eax, eax
		js	short loc_79B59F

loc_79B59D:				; CODE XREF: PAGE:0079B58Fj
		xor	eax, eax

loc_79B59F:				; CODE XREF: PAGE:0079B59Bj
					; PAGE:0079B5D2j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_79B5B1:				; CODE XREF: PAGE:0079B517j
		test	ecx, ecx
		jz	short loc_79B58C
		cmp	[ecx+14h], eax
		jz	short loc_79B58C
		mov	byte ptr [ebx],	1
		mov	esi, [ecx+14h]
		cmp	dword ptr [esi], 0Ch
		jnz	short loc_79B5CD
		mov	edi, [ebp+0Ch]
		movsd
		movsd
		movsd
		jmp	short loc_79B58C
; 

loc_79B5CD:				; CODE XREF: PAGE:0079B5C3j
					; PAGE:008E6B64j
		mov	eax, 0C000000Dh
		jmp	short loc_79B59F
; 

loc_79B5D4:				; CODE XREF: PAGE:0079B529j
					; PAGE:0079B54Bj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 1625. ObInsertObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObInsertObject(x, x, x, x, x, x)
		public _ObInsertObject@24
_ObInsertObject@24 proc	near		; CODE XREF: FsRtlCreateSectionForDataScan+135p
					; SepCreateTokenEx+885p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_10]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		pop	ebp
		retn	18h
_ObInsertObject@24 endp


;  S U B	R O U T	I N E 


; __stdcall SeValidateSecurityQos(x)
_SeValidateSecurityQos@4 proc near	; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+B4p
					; PAGE:0079B594p
		mov	al, [ecx+8]
		cmp	al, 1
		jnz	short loc_79B615

loc_79B607:				; CODE XREF: SeValidateSecurityQos(x)+17j
		push	3
		pop	eax
		cmp	eax, [ecx+4]
		sbb	eax, eax
		and	eax, 0C00000A5h
		retn
; 

loc_79B615:				; CODE XREF: SeValidateSecurityQos(x)+5j
		test	al, al
		jz	short loc_79B607
		mov	eax, 0C000000Dh
		retn
_SeValidateSecurityQos@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSetTokenTrust(x,	x)
_SepSetTokenTrust@8 proc near		; CODE XREF: SepSetTrustLevelForProcessToken(x,x,x)+42p
					; SepCreateTokenEx+A11p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		xor	edi, edi
		xor	esi, esi
		mov	[ebp+var_4], edi
		mov	ebx, ecx
		test	eax, eax
		jnz	short loc_79B659

loc_79B638:				; CODE XREF: SepSetTokenTrust(x,x)+4Cj
		mov	eax, [ebx+280h]
		test	eax, eax
		jnz	short loc_79B64F

loc_79B642:				; CODE XREF: SepSetTokenTrust(x,x)+37j
		mov	[ebx+280h], edi
		mov	eax, esi

loc_79B64A:				; CODE XREF: SepSetTokenTrust(x,x)+47j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_79B64F:				; CODE XREF: SepSetTokenTrust(x,x)+20j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_79B642
; 

loc_79B659:				; CODE XREF: SepSetTokenTrust(x,x)+16j
		lea	edx, [ebp+var_4]
		mov	ecx, eax
		call	_SepDuplicateSid@8 ; SepDuplicateSid(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_79B64A
		mov	edi, [ebp+var_4]
		jmp	short loc_79B638
_SepSetTokenTrust@8 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcInitializeHandleTable(x, x)
_AlpcInitializeHandleTable@8 proc near	; CODE XREF: AlpcpCreateClientPort+207p
					; AlpcpCreateConnectionPort+13Ep
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	offset unk_6FB180
		and	dword ptr [esi+0Ch], 0
		and	dword ptr [esi+4], 0
		call	_ExAllocateFromPagedLookasideList@4 ; ExAllocateFromPagedLookasideList(x)
		mov	[esi], eax
		test	eax, eax
		jz	short loc_79B6A3
		push	40h		; size_t
		push	0		; int
		push	eax		; void *
		mov	dword ptr [esi+8], 10h
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		pop	esi
		retn
; 

loc_79B6A3:				; CODE XREF: AlpcInitializeHandleTable(x,x)+1Bj
		mov	eax, 0C000009Ah
		pop	esi
		retn
_AlpcInitializeHandleTable@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpInitializePort(x, x, x)
_AlpcpInitializePort@12	proc near	; CODE XREF: PAGE:0079A394p
					; AlpcpCreateClientPort+148p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bl, [ebp+arg_0]
		and	edx, 3
		push	esi
		mov	esi, ecx
		movzx	ecx, bl
		push	edi
		xor	edi, edi
		and	ecx, 1
		shl	ecx, 8
		mov	[esi+0D0h], edi
		lea	eax, [esi+0C8h]
		mov	[esi+0C4h], edi
		or	ecx, edx
		mov	[eax+4], eax
		add	ecx, ecx
		mov	[eax], eax
		lea	eax, [esi+60h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+74h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+68h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+0E0h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+80h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+8Ch]
		mov	[esi+5Ch], edi
		mov	[esi+70h], edi
		mov	[esi+7Ch], edi
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [esi+0F4h]
		and	eax, 0FFFFFDF9h
		mov	[esi+88h], edi
		or	ecx, eax
		mov	[esi+0F4h], ecx
		test	bl, bl
		jnz	short loc_79B799

loc_79B73F:				; CODE XREF: AlpcpInitializePort(x,x,x)+FBj
		mov	eax, ds:_AlpcpDummyEvent
		mov	[esi+94h], eax

loc_79B74A:				; CODE XREF: AlpcpInitializePort(x,x,x)+123j
		or	ecx, 1
		mov	edi, offset _AlpcpPortListLock
		mov	[esi+0F4h], ecx
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6C6F14
		mov	edx, offset _AlpcpPortList
		cmp	[eax], edx
		jnz	short loc_79B7E2
		mov	[esi+4], eax
		mov	[esi], edx
		mov	[eax], esi
		or	eax, 0FFFFFFFFh
		mov	dword_6C6F14, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_79B7D2

loc_79B789:				; CODE XREF: AlpcpInitializePort(x,x,x)+12Fj
		mov	ecx, edi
		call	KeAbPostRelease
		xor	eax, eax

loc_79B792:				; CODE XREF: AlpcpInitializePort(x,x,x)+136j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_79B799:				; CODE XREF: AlpcpInitializePort(x,x,x)+93j
		or	dword ptr [esi+98h], 40000h
		test	bl, bl
		jz	short loc_79B73F
		mov	ecx, offset _AlpcpNPLookasides
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	[esi+94h], eax
		test	eax, eax
		jz	short loc_79B7DB
		push	7FFFFFFFh
		push	edi
		push	eax
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		mov	ecx, [esi+0F4h]
		jmp	loc_79B74A
; 

loc_79B7D2:				; CODE XREF: AlpcpInitializePort(x,x,x)+DDj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_79B789
; 

loc_79B7DB:				; CODE XREF: AlpcpInitializePort(x,x,x)+10Fj
		mov	eax, 0C000009Ah
		jmp	short loc_79B792
; 

loc_79B7E2:				; CODE XREF: AlpcpInitializePort(x,x,x)+C3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_AlpcpInitializePort@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpCreatePort(x, x, x)
_AlpcpCreatePort@12 proc near		; CODE XREF: PAGE:0079A37Bp
					; AlpcpCreateClientPort+117p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		push	ebx
		push	edi
		push	ebx
		push	ebx
		push	11Ch
		push	ecx
		mov	eax, edx
		mov	edx, ds:_AlpcPortObjectType
		push	ecx
		push	eax
		call	ObCreateObjectEx
		mov	esi, eax
		test	esi, esi
		js	short loc_79B824
		push	11Ch		; size_t
		push	ebx		; int
		push	dword ptr [edi]	; void *
		call	_memset
		add	esp, 0Ch

loc_79B824:				; CODE XREF: AlpcpCreatePort(x,x,x)+2Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_AlpcpCreatePort@12 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1883. PsReleaseProcessWakeCounter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReleaseProcessWakeCounter(x, x)
		public _PsReleaseProcessWakeCounter@8
_PsReleaseProcessWakeCounter@8 proc near ; CODE	XREF: AlpcpCancelMessagesByRequestor+1EFp
					; PAGE:0079A5B6p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	esi
		mov	esi, ecx
		and	ecx, 0FFFFFFF8h
		and	esi, 7
		cmp	esi, 7
		jnz	short loc_79B84D
		push	2
		pop	edx

loc_79B84D:				; CODE XREF: PsReleaseProcessWakeCounter(x,x)+16j
		push	0
		push	1
		lea	eax, [esi-7]
		neg	eax
		push	0FFFFFFFFh
		push	[ebp+arg_4]
		sbb	eax, eax
		and	eax, esi
		push	eax
		call	_PspChargeProcessWakeCounter@28	; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)
		pop	esi
		pop	ebp
		retn	8
_PsReleaseProcessWakeCounter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpProcessConnectionRequest proc near	; CODE XREF: AlpcpConnectPort+1D7p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch

; FUNCTION CHUNK AT 008E6B89 SIZE 0000002D BYTES
; FUNCTION CHUNK AT 008E6BCC SIZE 00000091 BYTES
; FUNCTION CHUNK AT 008E6C7D SIZE 0000000E BYTES
; FUNCTION CHUNK AT 008E6CAB SIZE 0000000C BYTES

		push	6Ch
		push	offset dword_6A2100
		call	__SEH_prolog4
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ecx
		xor	ecx, ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ecx
		test	edx, 10000h
		jnz	loc_8E6B89
		mov	[ebp+var_20], ecx
		or	[ebp+var_2C], 0FFFFFFFFh
		cmp	[ebp+arg_14], cl
		jz	loc_79BB3B
		mov	[ebp+ms_exc.disabled], ecx
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jnz	loc_79BA30
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_58]
		rep stosd

loc_79B8D0:				; CODE XREF: AlpcpProcessConnectionRequest+1FEj
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	loc_79BA6D

loc_79B8DB:				; CODE XREF: AlpcpProcessConnectionRequest+22Bj
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	short loc_79B8F1
		push	1
		mov	edx, esi
		call	AlpcpProbeMessageAttributes
		mov	[ebp+var_20], eax
		mov	edx, [ebp+var_28]

loc_79B8F1:				; CODE XREF: AlpcpProcessConnectionRequest+76j
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jnz	loc_79BAF0

loc_79B8FC:				; CODE XREF: AlpcpProcessConnectionRequest+2A5j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_79B903:				; CODE XREF: AlpcpProcessConnectionRequest+2EEj
					; AlpcpProcessConnectionRequest+2F9j
		push	dword ptr [ebp+arg_14]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_8]
		lea	eax, [ebp+var_58]
		push	eax
		push	ebx
		mov	ecx, [ebp+var_24]
		push	ecx
		lea	ecx, [ebp+var_1C]
		call	AlpcpFormatConnectionRequest
		test	eax, eax
		js	loc_79BA1E
		mov	esi, [ebp+var_1C]
		mov	eax, [esi+90h]
		mov	[ebp+arg_0], eax
		cmp	_AlpcpLogEnabled, 0
		jnz	loc_8E6BCC

loc_79B940:				; CODE XREF: AlpcpProcessConnectionRequest+14B369j
		mov	eax, [ebp+var_24]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], esi
		mov	eax, [ebp+var_28]
		mov	[ebp+var_64], eax
		lea	ecx, [ebp+var_7C]
		call	AlpcpDispatchConnectionRequest
		mov	dword ptr [ebp+arg_14],	eax
		test	eax, eax
		js	loc_8E6BD8
		mov	ecx, [ebp+var_28]
		test	ecx, 20000h
		jz	loc_79BA1E
		test	ecx, 100000h
		jnz	loc_79BB75
		mov	eax, large fs:124h
		mov	dl, [eax+15Ah]

loc_79B989:				; CODE XREF: AlpcpProcessConnectionRequest+30Dj
		and	[ebp+var_1C], 0
		push	[ebp+arg_10]
		push	[ebp+var_20]
		lea	eax, [ebp+var_1C]
		push	eax
		lea	ecx, [ebp+var_7C]
		call	@AlpcpReceiveSynchronousReply@20 ; AlpcpReceiveSynchronousReply(x,x,x,x,x)
		mov	dword ptr [ebp+arg_14],	eax
		test	eax, eax
		jnz	loc_79BB14
		cmp	_AlpcpLogEnabled, al
		jnz	loc_8E6C1C

loc_79B9B6:				; CODE XREF: AlpcpProcessConnectionRequest+14B3BAj
		mov	esi, [ebp+var_1C]
		lea	edx, [esi+80h]
		movzx	eax, word ptr [edx]
		add	eax, 18h
		mov	[ebp+arg_0], eax
		test	edi, edi
		jnz	loc_79BA9A

loc_79B9D0:				; CODE XREF: AlpcpProcessConnectionRequest+233j
		mov	[ebp+ms_exc.disabled], 2
		test	ebx, ebx
		jnz	loc_79BAAF

loc_79B9DF:				; CODE XREF: AlpcpProcessConnectionRequest+27Aj
		test	edi, edi
		jnz	loc_79BAA8

loc_79B9E7:				; CODE XREF: AlpcpProcessConnectionRequest+240j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_79B9FB
		push	eax
		push	[ebp+var_20]
		push	esi
		mov	ecx, [ebp+var_24]
		call	AlpcpExposeAttributes

loc_79B9FB:				; CODE XREF: AlpcpProcessConnectionRequest+182j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, dword ptr [ebp+arg_14]

loc_79BA05:				; CODE XREF: sub_8E6C99+Dj
		mov	esi, [ebp+var_1C]
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	loc_8E6CAB

loc_79BA15:				; CODE XREF: AlpcpProcessConnectionRequest+14B448j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	eax, edi

loc_79BA1E:				; CODE XREF: AlpcpProcessConnectionRequest+B7j
					; AlpcpProcessConnectionRequest+101j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_79BA30:				; CODE XREF: AlpcpProcessConnectionRequest+56j
		test	bl, 3
		jnz	loc_79BB7C
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8E6B93

loc_79BA46:				; CODE XREF: AlpcpProcessConnectionRequest+14B32Bj
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+14h]
		mov	[ebx+14h], al
		mov	esi, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8E6B9A

loc_79BA5F:				; CODE XREF: AlpcpProcessConnectionRequest+14B332j
		push	6
		pop	ecx
		lea	edi, [ebp+var_58]
		rep movsd
		nop
		jmp	loc_79B8D0
; 

loc_79BA6D:				; CODE XREF: AlpcpProcessConnectionRequest+6Bj
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_8E6BA1

loc_79BA7C:				; CODE XREF: AlpcpProcessConnectionRequest+14B339j
		nop
		mov	eax, [ecx]
		mov	[ebp+var_2C], eax
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_8E6BA8

loc_79BA91:				; CODE XREF: AlpcpProcessConnectionRequest+14B340j
		mov	eax, [ecx]
		mov	[ecx], eax
		jmp	loc_79B8DB
; 

loc_79BA9A:				; CODE XREF: AlpcpProcessConnectionRequest+160j
		cmp	eax, [ebp+var_2C]
		jbe	loc_79B9D0
		jmp	loc_8E6C29
; 

loc_79BAA8:				; CODE XREF: AlpcpProcessConnectionRequest+177j
		mov	[edi], eax
		jmp	loc_79B9E7
; 

loc_79BAAF:				; CODE XREF: AlpcpProcessConnectionRequest+16Fj
		push	6
		pop	ecx
		mov	esi, edx
		mov	edi, ebx
		rep movsd
		mov	eax, [ebp+var_24]
		test	dword ptr [eax+98h], 1000h
		jnz	loc_8E6C7D

loc_79BACB:				; CODE XREF: AlpcpProcessConnectionRequest+14B41Cj
		lea	edx, [ebx+18h]
		mov	esi, [ebp+var_1C]
		mov	ecx, esi
		cmp	dword ptr [esi+60h], 0
		jz	short loc_79BAE9
		call	AlpcpGetDataFromUserVaSafe

loc_79BADE:				; CODE XREF: AlpcpProcessConnectionRequest+284j
		mov	eax, [ebp+arg_0]
		mov	edi, [ebp+arg_4]
		jmp	loc_79B9DF
; 

loc_79BAE9:				; CODE XREF: AlpcpProcessConnectionRequest+26Dj
		call	@AlpcpReadMessageData@8	; AlpcpReadMessageData(x,x)
		jmp	short loc_79BADE
; 

loc_79BAF0:				; CODE XREF: AlpcpProcessConnectionRequest+8Cj
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8E6BAF

loc_79BAFD:				; CODE XREF: AlpcpProcessConnectionRequest+14B347j
		nop
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], ecx
		lea	eax, [ebp+var_40]
		mov	[ebp+arg_10], eax
		jmp	loc_79B8FC
; 

loc_79BB14:				; CODE XREF: AlpcpProcessConnectionRequest+13Aj
		cmp	_AlpcpLogEnabled, 0
		jnz	loc_8E6C0A

loc_79BB21:				; CODE XREF: AlpcpProcessConnectionRequest+14B3ADj
		mov	ecx, [ebp+var_24]
		test	byte ptr [ecx+0F4h], 10h
		jz	loc_79BA1E
		mov	eax, 0C0000041h
		jmp	loc_79BA1E
; 

loc_79BB3B:				; CODE XREF: AlpcpProcessConnectionRequest+48j
		mov	ebx, [ebp+arg_0]
		push	6
		lea	edi, [ebp+var_58]
		pop	ecx
		test	ebx, ebx
		jnz	short loc_79BB68
		xor	eax, eax
		rep stosd

loc_79BB4C:				; CODE XREF: AlpcpProcessConnectionRequest+302j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_79BB6E

loc_79BB53:				; CODE XREF: AlpcpProcessConnectionRequest+309j
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	loc_79B903
		mov	eax, [esi]
		mov	[ebp+var_20], eax
		jmp	loc_79B903
; 

loc_79BB68:				; CODE XREF: AlpcpProcessConnectionRequest+2DCj
		mov	esi, ebx
		rep movsd
		jmp	short loc_79BB4C
; 

loc_79BB6E:				; CODE XREF: AlpcpProcessConnectionRequest+2E7j
		mov	eax, [edi]
		mov	[ebp+var_2C], eax
		jmp	short loc_79BB53
; 

loc_79BB75:				; CODE XREF: AlpcpProcessConnectionRequest+10Dj
		mov	dl, 1
		jmp	loc_79B989
; 

loc_79BB7C:				; CODE XREF: AlpcpProcessConnectionRequest+1C9j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
AlpcpProcessConnectionRequest endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpDispatchConnectionRequest proc near ; CODE	XREF: AlpcpProcessConnectionRequest+E8p
					; NtSecureConnectPort+2A7p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E6CB7 SIZE 00000177 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	edx, [eax]
		mov	ecx, [eax+18h]
		mov	esi, [eax+4]
		mov	[ebp+var_C], ecx
		xor	ecx, ecx
		mov	[eax+10h], ecx
		mov	[eax+0Ch], ecx
		mov	[eax+14h], ecx
		mov	ebx, [edx+8]
		mov	[ebp+var_14], edx
		xor	edx, edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], ebx
		lea	edi, [ebx-4]
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	ebx, [ebx]
		test	ebx, ebx
		jz	loc_8E6E07
		mov	ecx, ebx
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, ebx
		mov	[ebp+var_4], eax
		jz	loc_8E6E07
		lea	ebx, [eax+0D0h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	edx, [ebp+var_4]
		test	byte ptr [edx+0F4h], 20h
		jnz	loc_8E6CB7
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx]
		test	dword ptr [eax+98h], (offset loc_7FFFFF+1)
		jnz	loc_8E6CF8

loc_79BC14:				; CODE XREF: AlpcpDispatchConnectionRequest+14B180j
					; AlpcpDispatchConnectionRequest+14B198j ...
		movzx	eax, word ptr [esi+82h]
		cmp	eax, [edx+0A8h]
		ja	loc_8E6D7E
		test	[ebp+var_C], 20000h
		jz	short loc_79BC5D
		mov	eax, large fs:124h
		mov	[ebp+var_C], eax
		test	byte ptr [eax+300h], 20h
		jnz	loc_8E6DBC
		inc	word ptr [esi-0Eh]
		mov	ecx, esi
		add	eax, 314h
		xchg	ecx, [eax]
		mov	eax, [ebp+var_C]
		inc	word ptr [esi-0Eh]
		mov	[esi+10h], eax

loc_79BC5D:				; CODE XREF: AlpcpDispatchConnectionRequest+ACj
		and	dword ptr [esi+14h], 0FFFFFDFFh
		mov	eax, 2000h
		or	[esi+84h], ax
		xor	eax, eax
		inc	eax
		lock xadd [edx+0E8h], eax
		inc	eax
		mov	edi, [ebp+var_10]
		and	dword ptr [esi+40h], 0
		mov	[esi+68h], edx
		mov	edx, [ebp+var_14]
		push	ecx
		mov	ecx, esi
		mov	[esi+18h], eax
		mov	[esi+64h], edi
		call	_AlpcpSetOwnerPortMessage@12 ; AlpcpSetOwnerPortMessage(x,x,x)
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		mov	[ecx+10h], eax
		mov	[ecx+8], edi
		call	AlpcpCompleteDispatchMessage
		xor	eax, eax

loc_79BCAA:				; CODE XREF: AlpcpDispatchConnectionRequest+14B280j
					; AlpcpDispatchConnectionRequest+14B2A7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
AlpcpDispatchConnectionRequest endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpFormatConnectionRequest proc near	; CODE XREF: AlpcpProcessConnectionRequest+B0p
					; NtSecureConnectPort+25Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 008E6E2E SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		cmp	[ebp+arg_4], 0
		push	ebx
		mov	ebx, [ebp+arg_18]
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], ecx
		jnz	loc_79BD91

loc_79BCD0:				; CODE XREF: AlpcpFormatConnectionRequest+F4j
		push	esi
		push	0
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		call	@AlpcpAllocateMessage@12 ; AlpcpAllocateMessage(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_79BD89
		push	edi
		mov	edi, [ebp+var_4]
		test	bl, bl
		jnz	loc_79BDC7
		mov	edx, [ebp+var_8]
		lea	eax, [edi+38h]
		mov	ecx, [ebp+arg_0]
		push	eax
		push	edi
		push	[ebp+arg_C]
		call	AlpcpCaptureAttributes
		mov	esi, eax

loc_79BD08:				; CODE XREF: AlpcpFormatConnectionRequest+13Aj
					; AlpcpFormatConnectionRequest+159j
		test	esi, esi
		js	loc_8E6E2E
		mov	ecx, large fs:124h
		mov	edx, [ebp+var_4]
		mov	eax, [ecx+2ACh]
		mov	[edx+88h], eax
		mov	eax, [ecx+2B0h]
		mov	ecx, [ebp+arg_8]
		mov	[edx+8Ch], eax
		movzx	eax, word ptr [ecx]
		mov	[edx+80h], ax
		add	eax, 18h
		mov	[edx+82h], ax
		mov	eax, large fs:124h
		mov	byte ptr [edx+84h], 0
		or	word ptr [edx+84h], 0Ah
		mov	di, [edx+84h]
		cmp	byte ptr [eax+15Ah], 0
		jz	loc_79BE0E

loc_79BD72:				; CODE XREF: AlpcpFormatConnectionRequest+177j
		movzx	eax, word ptr [ecx]
		xor	ecx, ecx
		mov	edi, [ebp+var_4]
		cmp	cx, ax
		jnz	short loc_79BDAC

loc_79BD7F:				; CODE XREF: AlpcpFormatConnectionRequest+110j
		test	bl, bl
		jnz	short loc_79BDEF

loc_79BD83:				; CODE XREF: AlpcpFormatConnectionRequest+144j
					; AlpcpFormatConnectionRequest+150j
		mov	eax, [ebp+var_C]
		mov	[eax], edi

loc_79BD88:				; CODE XREF: AlpcpFormatConnectionRequest+14B195j
		pop	edi

loc_79BD89:				; CODE XREF: AlpcpFormatConnectionRequest+31j
		mov	eax, esi
		pop	esi

loc_79BD8C:				; CODE XREF: AlpcpFormatConnectionRequest+FAj
		pop	ebx
		leave
		retn	20h
; 

loc_79BD91:				; CODE XREF: AlpcpFormatConnectionRequest+1Aj
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_8]
		push	ebx
		mov	eax, [eax+8]
		mov	ecx, [eax]
		call	AlpcpValidateConnectionMessage
		test	eax, eax
		jns	loc_79BCD0
		jmp	short loc_79BD8C
; 

loc_79BDAC:				; CODE XREF: AlpcpFormatConnectionRequest+CDj
		push	[ebp+arg_1C]
		mov	edx, [ebp+arg_4]
		push	ebx
		push	eax
		push	ecx
		mov	ecx, edi
		call	_AlpcpSetupMessageDataForDeferredCopy@24 ; AlpcpSetupMessageDataForDeferredCopy(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_79BD7F
		jmp	loc_8E6E2E
; 

loc_79BDC7:				; CODE XREF: AlpcpFormatConnectionRequest+3Dj
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_79BE02
		lea	eax, [edi+38h]
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		push	eax
		call	_AlpcpMapLegacyPortView@12 ; AlpcpMapLegacyPortView(x,x,x)
		mov	esi, eax
		mov	eax, [ebp+arg_10]
		mov	eax, [eax+0Ch]
		mov	[edi+94h], eax
		jmp	loc_79BD08
; 

loc_79BDEF:				; CODE XREF: AlpcpFormatConnectionRequest+D1j
		mov	ecx, [edi+4Ch]
		test	ecx, ecx
		jz	short loc_79BD83
		mov	eax, [ebp+arg_14]
		mov	[eax], ecx
		call	AlpcpReferenceBlob
		jmp	short loc_79BD83
; 

loc_79BE02:				; CODE XREF: AlpcpFormatConnectionRequest+11Cj
		and	dword ptr [edi+94h], 0
		jmp	loc_79BD08
; 

loc_79BE0E:				; CODE XREF: AlpcpFormatConnectionRequest+BCj
		mov	ax, [ecx+4]
		mov	[ebp+arg_0], 0FFFF8000h
		and	ax, word ptr [ebp+arg_0]
		or	ax, di
		mov	[edx+84h], ax
		jmp	loc_79BD72
AlpcpFormatConnectionRequest endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCheckConnectionSecurity proc near	; CODE XREF: AlpcpCreateClientPort+EEp

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_50		= dword	ptr -50h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E6E4A SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ecx, ecx
		mov	[esp+80h+var_64], edx
		mov	[esp+80h+var_68], esi
		mov	[esp+80h+var_70], ecx
		test	edi, edi
		jz	loc_79BEEC
		push	44h		; size_t
		push	ecx		; int
		lea	eax, [esp+88h+var_50]
		mov	[esp+88h+var_6C], ecx
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	ebx
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		lea	eax, [esp+80h+var_6C]
		push	eax
		push	1Dh
		push	esi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	[esp+80h+var_70], eax
		test	eax, eax
		js	short loc_79BEB2
		cmp	[esp+80h+var_6C], 0
		jnz	loc_8E6E4A

loc_79BE9F:				; CODE XREF: AlpcpCheckConnectionSecurity+14B027j
		test	eax, eax
		js	short loc_79BEB2
		push	0
		push	44h
		lea	edx, [esp+88h+var_50]
		mov	ecx, esi
		call	_SeQueryUserSidToken@16	; SeQueryUserSidToken(x,x,x,x)

loc_79BEB2:				; CODE XREF: AlpcpCheckConnectionSecurity+66j
					; AlpcpCheckConnectionSecurity+75j
		lea	ecx, [ebx+12Ch]
		mov	edx, esi
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	esi, [esp+80h+var_70]
		test	esi, esi
		js	loc_79BF80
		lea	eax, [esp+80h+var_50]
		push	eax
		push	edi
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	loc_8E6E58

loc_79BEDE:				; CODE XREF: AlpcpCheckConnectionSecurity+14B035j
		test	esi, esi
		js	loc_79BF80
		mov	esi, [esp+80h+var_68]
		xor	ecx, ecx

loc_79BEEC:				; CODE XREF: AlpcpCheckConnectionSecurity+31j
		test	esi, esi
		jnz	short loc_79BF06

loc_79BEF0:				; CODE XREF: AlpcpCheckConnectionSecurity+14Ej
		xor	eax, eax

loc_79BEF2:				; CODE XREF: AlpcpCheckConnectionSecurity+156j
		mov	ecx, [esp+80h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_79BF06:				; CODE XREF: AlpcpCheckConnectionSecurity+C2j
		xor	eax, eax
		mov	[esp+80h+var_6C], ecx
		lea	edi, [esp+80h+var_60]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+80h+var_60]
		push	eax
		push	ebx
		push	ecx
		call	SeCaptureSubjectContextEx
		lea	eax, [esp+80h+var_70]
		push	eax
		lea	eax, [esp+84h+var_6C]
		push	eax
		push	[esp+88h+var_64]
		mov	eax, ds:_AlpcPortObjectType
		add	eax, 34h
		push	eax
		push	0
		push	0
		push	2000000h
		push	0
		lea	eax, [esp+0A0h+var_60]
		push	eax
		push	esi
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	eax, ds:_AlpcPortObjectType
		add	eax, 34h
		push	eax
		lea	eax, [esp+84h+var_6C]
		push	eax
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		test	[esp+80h+var_6C], 1
		jz	short loc_79BF87

loc_79BF6A:				; CODE XREF: AlpcpCheckConnectionSecurity+163j
		lea	eax, [esp+80h+var_60]
		push	eax
		call	SeReleaseSubjectContext
		mov	esi, [esp+80h+var_70]
		test	esi, esi
		jns	loc_79BEF0

loc_79BF80:				; CODE XREF: AlpcpCheckConnectionSecurity+99j
					; AlpcpCheckConnectionSecurity+B4j
		mov	eax, esi
		jmp	loc_79BEF2
; 

loc_79BF87:				; CODE XREF: AlpcpCheckConnectionSecurity+13Cj
		mov	[esp+80h+var_70], 0C00002A0h
		jmp	short loc_79BF6A
AlpcpCheckConnectionSecurity endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepNewTokenAsRestrictedAsProcessToken proc near	; CODE XREF: NtDuplicateToken+22Dp
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+84Ap

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E6E66 SIZE 000000BE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, edx
		mov	byte ptr [eax],	0
		mov	eax, 800h
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], esi
		mov	ebx, [esi+0B0h]
		mov	[ebp+var_18], edi
		test	ebx, eax
		jz	short loc_79BFC8
		test	[edi+0B0h], eax
		jz	loc_79C0D4

loc_79BFC8:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+28j
		push	esi
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		test	al, al
		jnz	loc_8E6E66

loc_79BFD6:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+14AEE2j
		push	esi
		call	_SeTokenIsWriteRestricted@4 ; SeTokenIsWriteRestricted(x)
		test	al, al
		jnz	loc_8E6E79

loc_79BFE4:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+14AEF5j
		push	esi
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		test	al, al
		jnz	loc_8E6E8C

loc_79BFF2:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+14AF0Cj
		mov	ecx, [esi+48h]
		mov	eax, [esi+4Ch]
		not	ecx
		and	ecx, [edi+48h]
		not	eax
		and	eax, [edi+4Ch]
		or	ecx, eax
		jnz	loc_79C0D4
		mov	ecx, [esi+40h]
		mov	eax, [esi+44h]
		not	ecx
		and	ecx, [edi+40h]
		not	eax
		and	eax, [edi+44h]
		or	ecx, eax
		jnz	loc_79C0D4
		mov	eax, [edi+0B0h]
		not	ebx
		and	eax, ebx
		test	eax, 1000h
		jnz	loc_79C0D4
		push	esi
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		test	al, al
		jnz	loc_8E6EA3

loc_79C045:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+14AF21j
					; SepNewTokenAsRestrictedAsProcessToken+14AF8Dj
		mov	ecx, [esi+7Ch]
		xor	ebx, ebx
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	short loc_79C06A
		mov	edx, [esi+94h]
		mov	[ebp+var_10], edx
		lea	esi, [edx+4]

loc_79C05D:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+D6j
		test	byte ptr [esi],	10h
		jnz	short loc_79C079

loc_79C062:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+F4j
					; SepNewTokenAsRestrictedAsProcessToken+140j
		inc	ebx
		add	esi, 8
		cmp	ebx, ecx
		jb	short loc_79C05D

loc_79C06A:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+BDj
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	1
		xor	eax, eax

loc_79C072:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+147j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_79C079:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+CEj
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	eax, [edi+7Ch]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	short loc_79C062
		mov	eax, [edi+94h]
		mov	ecx, eax
		mov	edx, [edx+ebx*8]
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], edx
		mov	[ebp+var_C], eax

loc_79C09C:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+12Cj
		push	dword ptr [ecx]
		push	edx
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		mov	eax, [ebp+var_4]
		jnz	short loc_79C0C2
		mov	ecx, [ebp+var_C]
		inc	eax
		mov	edx, [ebp+var_18]
		add	ecx, 8
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], ecx
		cmp	eax, [ebp+var_1C]
		jb	short loc_79C09C
		jmp	short loc_79C0CC
; 

loc_79C0C2:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+117j
		mov	ecx, [ebp+var_14]
		test	byte ptr [ecx+eax*8+4],	10h
		jz	short loc_79C0D4

loc_79C0CC:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+12Ej
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_8]
		jmp	short loc_79C062
; 

loc_79C0D4:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+30j
					; SepNewTokenAsRestrictedAsProcessToken+72j ...
		mov	eax, 0C0000061h
		jmp	short loc_79C072
SepNewTokenAsRestrictedAsProcessToken endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MmGetFileObjectForSection(x)
_MmGetFileObjectForSection@4 proc near	; CODE XREF: FsRtlCreateSectionForDataScan+E8p
					; DbgkCreateThread+1ABp
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	ecx, eax
		jmp	MiReferenceControlAreaFile
_MmGetFileObjectForSection@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmCreateSectionEx(x, x, x, x, x, x,	x, x, x, x, x)
_MmCreateSectionEx@44 proc near		; CODE XREF: FsRtlCreateSectionForDataScan+CDp
					; MmCreateSection+46p

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_C], edx
		mov	edx, [ebp+arg_20]
		lea	edi, [ebp+var_20]
		stosd
		xor	ebx, ebx
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+arg_1C]
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		call	MiCaptureSectionCreateExtendedParameters
		test	eax, eax
		js	loc_79C19C
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_20], al
		cmp	al, 1
		jnz	short loc_79C1A3
		mov	al, [esi+3A5h]
		push	esi
		mov	byte ptr [ebp+var_8], al
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	ebx, eax

loc_79C14C:				; CODE XREF: MmCreateSectionEx(x,x,x,x,x,x,x,x,x,x,x)+BEj
		mov	edx, [ebp+arg_14]
		neg	edx
		sbb	edx, edx
		and	edx, 2
		test	[ebp+arg_18], 2
		jnz	short loc_79C1A8

loc_79C15C:				; CODE XREF: MmCreateSectionEx(x,x,x,x,x,x,x,x,x,x,x)+C3j
		mov	ecx, esi
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		lea	ecx, [ebp+var_20]
		push	ecx
		push	eax
		push	[ebp+arg_20]
		mov	ecx, [ebp+var_10]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+var_8]
		push	ebx
		push	edx
		push	[ebp+arg_C]
		mov	edx, [ebp+var_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	MiCreateSection
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_79C19A
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_79C19A:				; CODE XREF: MmCreateSectionEx(x,x,x,x,x,x,x,x,x,x,x)+A9j
		mov	eax, esi

loc_79C19C:				; CODE XREF: MmCreateSectionEx(x,x,x,x,x,x,x,x,x,x,x)+2Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_79C1A3:				; CODE XREF: MmCreateSectionEx(x,x,x,x,x,x,x,x,x,x,x)+51j
		mov	byte ptr [ebp+var_8], bl
		jmp	short loc_79C14C
; 

loc_79C1A8:				; CODE XREF: MmCreateSectionEx(x,x,x,x,x,x,x,x,x,x,x)+72j
		or	edx, 4
		jmp	short loc_79C15C
_MmCreateSectionEx@44 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpProbeMessageAttributes proc near	; CODE XREF: AlpcpProcessConnectionRequest+7Cp

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008E6F24 SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_MmUserProbeAddress
		mov	ecx, edx
		cmp	edx, eax
		jnb	short loc_79C209

loc_79C1BE:				; CODE XREF: AlpcpProbeMessageAttributes+5Dj
		push	esi
		nop
		mov	esi, [ecx]
		mov	ecx, esi
		call	_AlpcpGetMessageAttributeSize@4	; AlpcpGetMessageAttributeSize(x)
		cmp	[ebp+arg_0], 0
		mov	ecx, eax
		jz	loc_8E6F24

loc_79C1D5:				; CODE XREF: AlpcpProbeMessageAttributes+14AD7Cj
		test	ecx, ecx
		jz	short loc_79C217
		cmp	ecx, 1000h
		jnb	short loc_79C217
		test	dl, 3
		jnz	short loc_79C212
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	short loc_79C20D

loc_79C1EF:				; CODE XREF: AlpcpProbeMessageAttributes+62j
		mov	al, [edx]
		mov	[edx], al
		cmp	ecx, 4
		jbe	short loc_79C202
		dec	ecx
		and	ecx, 0FFFFFFFCh
		mov	al, [ecx+edx]
		mov	[ecx+edx], al

loc_79C202:				; CODE XREF: AlpcpProbeMessageAttributes+48j
					; AlpcpProbeMessageAttributes+72j ...
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_79C209:				; CODE XREF: AlpcpProbeMessageAttributes+Ej
		mov	ecx, eax
		jmp	short loc_79C1BE
; 

loc_79C20D:				; CODE XREF: AlpcpProbeMessageAttributes+3Fj
		mov	byte ptr [eax],	0
		jmp	short loc_79C1EF
; 

loc_79C212:				; CODE XREF: AlpcpProbeMessageAttributes+36j
					; AlpcpProbeMessageAttributes+14AD99j ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_79C217:				; CODE XREF: AlpcpProbeMessageAttributes+29j
					; AlpcpProbeMessageAttributes+31j
		push	4
		push	ecx
		push	edx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		jmp	short loc_79C202
AlpcpProbeMessageAttributes endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpGetMessageAttributeSize(x)
_AlpcpGetMessageAttributeSize@4	proc near ; CODE XREF: AlpcpProbeMessageAttributes+16p
		mov	eax, ecx
		sar	eax, 1Fh
		and	eax, 0Ch
		add	eax, 8
		test	ecx, 40000000h
		jnz	short loc_79C25E

loc_79C235:				; CODE XREF: AlpcpGetMessageAttributeSize(x)+3Fj
		test	ecx, 20000000h
		jnz	short loc_79C263

loc_79C23D:				; CODE XREF: AlpcpGetMessageAttributeSize(x)+44j
		test	ecx, 10000000h
		jnz	short loc_79C268

loc_79C245:				; CODE XREF: AlpcpGetMessageAttributeSize(x)+49j
		test	ecx, 8000000h
		jnz	short loc_79C26D

loc_79C24D:				; CODE XREF: AlpcpGetMessageAttributeSize(x)+4Ej
		test	ecx, 4000000h
		jnz	short loc_79C272

loc_79C255:				; CODE XREF: AlpcpGetMessageAttributeSize(x)+53j
		test	ecx, 2000000h
		jnz	short loc_79C277
		retn
; 

loc_79C25E:				; CODE XREF: AlpcpGetMessageAttributeSize(x)+11j
		add	eax, 10h
		jmp	short loc_79C235
; 

loc_79C263:				; CODE XREF: AlpcpGetMessageAttributeSize(x)+19j
		add	eax, 14h
		jmp	short loc_79C23D
; 

loc_79C268:				; CODE XREF: AlpcpGetMessageAttributeSize(x)+21j
		add	eax, 10h
		jmp	short loc_79C245
; 

loc_79C26D:				; CODE XREF: AlpcpGetMessageAttributeSize(x)+29j
		add	eax, 18h
		jmp	short loc_79C24D
; 

loc_79C272:				; CODE XREF: AlpcpGetMessageAttributeSize(x)+31j
		add	eax, 4
		jmp	short loc_79C255
; 

loc_79C277:				; CODE XREF: AlpcpGetMessageAttributeSize(x)+39j
		add	eax, 8
		retn
_AlpcpGetMessageAttributeSize@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpInitializeDefaultPortAttributes(x)
_AlpcpInitializeDefaultPortAttributes@4	proc near
					; CODE XREF: AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)+E0p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		xor	edx, edx
		mov	[ebp+var_C], 0Ch
		mov	[ebp+var_8], edx
		lea	edi, [ecx+4]
		mov	[ebp+var_4], 101h
		lea	esi, [ebp+var_C]
		movsd
		mov	eax, 4000h
		mov	[ecx], edx
		mov	dword ptr [ecx+10h], 100h
		mov	[ecx+18h], eax
		movsd
		mov	[ecx+1Ch], eax
		mov	dword ptr [ecx+24h], 20000h
		mov	[ecx+20h], edx
		movsd
		pop	edi
		mov	[ecx+14h], edx
		mov	[ecx+28h], edx
		pop	esi
		leave
		retn
_AlpcpInitializeDefaultPortAttributes@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpDeleteTimer2(x)
_ExpDeleteTimer2@4 proc	near		; DATA XREF: ExpTimerInitialization()+B6o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		push	0
		push	1
		call	KeDisableTimer2
		pop	ebp
		retn	4
_ExpDeleteTimer2@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCloseWorkerFactory(x, x,	x, x)
_ExpCloseWorkerFactory@16 proc near	; DATA XREF: ExpWorkerFactoryInitialization+FBo

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 1
		jnz	short loc_79C2F5
		mov	ecx, [ebp+arg_4]
		call	_ExpShutdownWorkerFactory@4 ; ExpShutdownWorkerFactory(x)

loc_79C2F5:				; CODE XREF: ExpCloseWorkerFactory(x,x,x,x)+9j
		pop	ebp
		retn	10h
_ExpCloseWorkerFactory@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObReferenceObjectByNameEx proc near	; CODE XREF: CmObReferenceObjectByName(x,x,x,x,x,x,x)+1Ep
					; CmUnloadKey+204p ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008E6F83 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+40h+var_1C]
		mov	ebx, edx
		mov	[esp+40h+var_24], eax
		mov	edx, ecx
		mov	[esp+40h+var_20], eax
		mov	[esp+40h+var_28], edx
		mov	[esp+40h+var_30], eax
		push	7
		pop	ecx
		rep stosd
		test	edx, edx
		jz	loc_8E6FAF
		cmp	[ebp+arg_4], eax
		jz	loc_8E6FAF
		mov	eax, large fs:20h
		mov	[esp+40h+var_2C], eax
		mov	esi, [eax+5E0h]
		mov	ecx, esi
		inc	dword ptr [esi+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_79C500

loc_79C35C:				; CODE XREF: ObReferenceObjectByNameEx+221j
					; ObReferenceObjectByNameEx+23Aj
		mov	eax, [esp+40h+var_2C]
		lea	esi, [edi+74h]
		mov	dl, byte ptr [ebp+arg_8]
		push	1
		push	esi
		mov	eax, [eax+3CCh]
		mov	cl, dl
		mov	[edi], eax
		lea	eax, [esp+48h+var_24]
		push	eax
		push	[esp+4Ch+var_28]
		call	ObpCaptureObjectCreateInformation
		mov	[esp+50h+var_44], eax
		test	eax, eax
		js	loc_79C4D2
		test	ebx, ebx
		jnz	short loc_79C3CE
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_4]
		mov	esi, large fs:124h
		add	ecx, 34h
		push	ecx		; int
		push	[ebp+arg_0]	; int
		mov	edx, [eax+80h]
		lea	eax, [edi+0A0h]
		push	eax		; void *
		push	edi		; void *
		push	edx		; int
		push	esi		; int
		call	_SeCreateAccessStateEx@24 ; SeCreateAccessStateEx(x,x,x,x,x,x)
		mov	[esp+50h+var_44], eax
		test	eax, eax
		js	loc_79C4A0
		mov	ebx, edi
		lea	esi, [edi+74h]

loc_79C3CE:				; CODE XREF: ObReferenceObjectByNameEx+95j
		mov	ecx, ebx
		call	ObpAdjustAccessMask
		mov	[esp+50h+var_44], eax
		test	eax, eax
		js	loc_79C4A0
		lea	ecx, [esp+50h+var_40]
		push	ecx
		push	0
		lea	eax, [edi+164h]
		push	eax
		push	ebx
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		mov	ecx, [edi+78h]
		lea	edx, [esp+60h+var_34]
		push	eax
		push	0
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	dword ptr [esi]
		call	_ObpLookupObjectName@52	; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	[esp+50h+var_44], eax
		test	eax, eax
		js	loc_79C4A0
		lea	ecx, [edi+164h]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)
		mov	esi, [esp+50h+var_40]
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	ecx, ds:_ObTypeIndexTable[edx*4]
		mov	eax, [ecx+30h]
		test	[edi+74h], eax
		jnz	loc_8E6F83
		lea	eax, [ecx+8]
		mov	[esp+50h+var_24], eax
		lea	ecx, [esp+50h+var_2C]
		lea	eax, [esp+50h+var_34]
		mov	[esp+50h+var_20], eax
		mov	eax, [edi+78h]
		mov	[esp+50h+var_1C], eax
		call	SeSetLearningModeObjectInformation
		lea	eax, [esp+50h+var_44]
		mov	edx, ebx
		push	eax
		push	[ebp+arg_8]
		push	ecx
		mov	ecx, [esp+5Ch+var_40]
		call	ObpCheckObjectReference
		test	al, al
		jz	loc_79C560
		mov	ecx, [ebp+arg_10]
		mov	eax, [esp+50h+var_40]
		mov	[ecx], eax

loc_79C49B:				; CODE XREF: ObReferenceObjectByNameEx+26Fj
		call	SeClearLearningModeObjectInformation

loc_79C4A0:				; CODE XREF: ObReferenceObjectByNameEx+C9j
					; ObReferenceObjectByNameEx+E1j ...
		cmp	ebx, edi
		jnz	short loc_79C4B4
		mov	ecx, ebx
		call	SepDeleteAccessState
		lea	eax, [ebx+1Ch]
		push	eax
		call	SeReleaseSubjectContext

loc_79C4B4:				; CODE XREF: ObReferenceObjectByNameEx+1A8j
		mov	ecx, [edi+8Ch]
		test	ecx, ecx
		jnz	loc_8E6F96

loc_79C4C2:				; CODE XREF: ObReferenceObjectByNameEx+14ACB0j
		cmp	[esp+50h+var_30], 0
		jz	short loc_79C4D2
		lea	ecx, [esp+50h+var_34]
		call	ObpFreeObjectNameBuffer

loc_79C4D2:				; CODE XREF: ObReferenceObjectByNameEx+8Dj
					; ObReferenceObjectByNameEx+1CDj
		mov	edx, large fs:20h
		mov	ecx, [edx+5E0h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jnb	short loc_79C541

loc_79C4EC:				; CODE XREF: ObReferenceObjectByNameEx+25Bj
		mov	edx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_79C4F3:				; CODE XREF: ObReferenceObjectByNameEx+264j
		mov	eax, [esp+50h+var_44]

loc_79C4F7:				; CODE XREF: ObReferenceObjectByNameEx+245j
					; ObReferenceObjectByNameEx+14ACBAj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_79C500:				; CODE XREF: ObReferenceObjectByNameEx+5Cj
		inc	dword ptr [esi+10h]
		mov	esi, [esp+40h+var_2C]
		mov	esi, [esi+5E4h]
		mov	ecx, esi
		inc	dword ptr [esi+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_79C35C
		push	dword ptr [esi+20h]
		inc	dword ptr [esi+10h]
		push	dword ptr [esi+24h]
		push	dword ptr [esi+1Ch]
		call	dword ptr [esi+28h]
		mov	edi, eax
		test	edi, edi
		jnz	loc_79C35C
		mov	eax, 0C000009Ah
		jmp	short loc_79C4F7
; 

loc_79C541:				; CODE XREF: ObReferenceObjectByNameEx+1F0j
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5E4h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_79C4EC
		inc	dword ptr [ecx+18h]
		push	edi
		call	dword ptr [ecx+2Ch]
		jmp	short loc_79C4F3
; 

loc_79C560:				; CODE XREF: ObReferenceObjectByNameEx+192j
		push	[esp+50h+var_40]
		call	_ObDereferenceObject@4 ; ObDereferenceObject(x)
		jmp	loc_79C49B
ObReferenceObjectByNameEx endp


;  S U B	R O U T	I N E 


ObpAdjustAccessMask proc near		; CODE XREF: ObReferenceObjectByNameEx+D6p

; FUNCTION CHUNK AT 008E6FB9 SIZE 0000003A BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+2Ch]
		test	esi, esi
		jnz	loc_8E6FB9

loc_79C57F:				; CODE XREF: ObpAdjustAccessMask+14AA63j
					; ObpAdjustAccessMask+14AA70j ...
		xor	eax, eax

loc_79C581:				; CODE XREF: ObpAdjustAccessMask+14AA5Aj
		pop	edi
		pop	esi
		retn
ObpAdjustAccessMask endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2518. SeTokenIsAdmin

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeTokenIsAdmin
SeTokenIsAdmin	proc near		; CODE XREF: IoComputeRedirectionTrustLevel(x,x,x,x)+4Bp
					; SepMandatorySubProcessToken+EEA48p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E6FF3 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	dword ptr [esi+0B0h], 4000h
		jnz	short loc_79C5DD
		cmp	dword ptr [esi+0A8h], 2
		jz	short loc_79C5E1

loc_79C5A8:				; CODE XREF: SeTokenIsAdmin+5Ej
		push	ebx
		push	edi
		mov	edi, ds:_SeAliasAdminsSid
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	_SepSidInToken@28 ; SepSidInToken(x,x,x,x,x,x,x)
		mov	bl, al
		test	bl, bl
		jz	short loc_79C5D4
		push	esi
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		test	al, al
		jnz	loc_8E6FF3

loc_79C5D4:				; CODE XREF: SeTokenIsAdmin+3Aj
					; SeTokenIsAdmin+14AA7Cj
		pop	edi
		mov	al, bl
		pop	ebx

loc_79C5D8:				; CODE XREF: SeTokenIsAdmin+55j
		pop	esi
		pop	ebp
		retn	4
; 

loc_79C5DD:				; CODE XREF: SeTokenIsAdmin+13j
					; SeTokenIsAdmin+60j
		xor	al, al
		jmp	short loc_79C5D8
; 

loc_79C5E1:				; CODE XREF: SeTokenIsAdmin+1Cj
		cmp	dword ptr [esi+0ACh], 2
		jge	short loc_79C5A8
		jmp	short loc_79C5DD
SeTokenIsAdmin	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpCheckObjectReference	proc near	; CODE XREF: ObReferenceObjectByNameEx+18Bp
					; ObReferenceObjectByName+1A2p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E700B SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		mov	byte ptr [ebp+var_C], al
		mov	[ebp+var_10], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebx-18h]
		mov	[ebp+var_14], ebx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [ebx-0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		push	esi
		xor	ecx, eax
		lea	eax, [ebp+var_C]
		push	edi
		push	[ebp+arg_4]
		mov	edi, edx
		lea	edx, [ebp+var_4]
		mov	esi, ds:_ObTypeIndexTable[ecx*4]
		mov	ecx, ebx
		push	eax
		call	ObpGetObjectSecurity
		test	eax, eax
		js	loc_8E700B
		lea	ebx, [edi+1Ch]
		push	ebx
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)
		push	[ebp+arg_8]
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [esi+34h]
		mov	esi, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	dword ptr [edi+14h]
		push	dword ptr [edi+10h]
		push	1
		push	ebx
		push	esi
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	byte ptr [ebp+arg_8], al
		test	al, al
		jz	short loc_79C683
		mov	ecx, [ebp+var_8]
		or	[edi+14h], ecx
		not	ecx
		and	[edi+10h], ecx

loc_79C683:				; CODE XREF: ObpCheckObjectReference+8Aj
		test	esi, esi
		jz	short loc_79C69F
		push	[ebp+arg_4]
		mov	eax, [edi+14h]
		push	[ebp+arg_8]
		or	eax, [edi+10h]
		mov	edx, [ebp+var_14]
		push	ecx
		push	eax
		push	ebx
		push	esi
		call	SeObjectReferenceAuditAlarm

loc_79C69F:				; CODE XREF: ObpCheckObjectReference+99j
		push	ebx
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		push	[ebp+var_C]
		push	esi
		call	_ObReleaseObjectSecurity@8 ; ObReleaseObjectSecurity(x,x)
		mov	al, byte ptr [ebp+arg_8]

loc_79C6B1:				; CODE XREF: ObpCheckObjectReference+14AA26j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
ObpCheckObjectReference	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeObjectReferenceAuditAlarm proc near	; CODE XREF: ObpCheckObjectReference+AEp

var_8		= dword	ptr -8
var_2		= dword	ptr -2
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch

; FUNCTION CHUNK AT 008E7017 SIZE 000000E6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], edx
		push	esi
		push	edi
		mov	byte ptr [ebp+var_2+1],	bl
		mov	byte ptr [ebp+var_2], bl
		cmp	[ebp+arg_14], bl
		jnz	short loc_79C6DA

loc_79C6D3:				; CODE XREF: SeObjectReferenceAuditAlarm+27j
					; SeObjectReferenceAuditAlarm+3Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_79C6DA:				; CODE XREF: SeObjectReferenceAuditAlarm+19j
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_79C6D3
		mov	edi, [ebp+arg_4]
		mov	dl, byte ptr [ebp+arg_10]
		push	edi
		push	ebx
		push	79h
		pop	ecx
		call	SepAdtAuditThisEventWithContext
		test	al, al
		jz	short loc_79C6D3
		jmp	loc_8E7017
SeObjectReferenceAuditAlarm endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAccessCheckByTypeAndAuditAlarm(x,	x, x, x, x, x, x, x, x,	x, x, x, x, x, x, x)
_NtAccessCheckByTypeAndAuditAlarm@64 proc near ; DATA XREF: .text:005812A0o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_3C]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_38]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_34]
		push	[ebp+arg_2C]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	0
		call	_SepAccessCheckAndAuditAlarm@68	; SepAccessCheckAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	40h
_NtAccessCheckByTypeAndAuditAlarm@64 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAccessCheckAndAuditAlarm(x, x, x,	x, x, x, x, x, x, x, x)
_NtAccessCheckAndAuditAlarm@44 proc near ; DATA	XREF: .text:005812A8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		xor	eax, eax
		mov	edx, [ebp+arg_4]
		push	eax
		push	eax
		push	[ebp+arg_28]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_18]
		push	eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_14]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	eax
		call	SepAccessCheckAndAuditAlarmWithAdminlessChecks
		mov	esp, ebp
		pop	ebp
		retn	2Ch
_NtAccessCheckAndAuditAlarm@44 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtPrivilegeCheck proc near		; DATA XREF: .text:00580ED0o

var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E70FD SIZE 0000002D BYTES

		push	30h
		push	offset dword_6A2158
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_28], al
		mov	eax, ds:_SeTokenObjectType
		mov	[ebp+var_1C], ebx
		push	ebx
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_28]
		push	eax
		push	8
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+var_2C], eax
		test	eax, eax
		js	loc_79C8CD
		mov	ecx, [ebp+var_1C]
		cmp	dword ptr [ecx+0A8h], 2
		jnz	short loc_79C7DE
		cmp	dword ptr [ecx+0ACh], 1
		jl	loc_8E70FD

loc_79C7DE:				; CODE XREF: NtPrivilegeCheck+59j
		mov	[ebp+ms_exc.disabled], ebx
		mov	ebx, [ebp+arg_4]
		test	bl, 3
		jnz	loc_79C8DF
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8E710E

loc_79C7FA:				; CODE XREF: NtPrivilegeCheck+14A99Bj
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+10h]
		mov	[ebx+10h], al
		mov	ecx, [ebx]
		mov	[ebp+var_24], ecx
		mov	eax, ds:_MmSystemRangeStart
		neg	eax
		xor	edx, edx
		push	0Ch
		pop	esi
		div	esi
		cmp	ecx, eax
		jnb	loc_8E7116
		mov	eax, ecx
		dec	eax
		imul	eax, 0Ch
		add	eax, 14h
		mov	[ebp+var_40], eax
		push	4
		push	eax
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [ebp+arg_8]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8E7123

loc_79C844:				; CODE XREF: NtPrivilegeCheck+14A9AFj
		mov	al, [ecx]
		mov	[ecx], al
		mov	eax, [ebx+4]
		mov	[ebp+var_30], eax
		mov	esi, [ebp+var_2C]

loc_79C851:				; CODE XREF: NtPrivilegeCheck+14A9A8j
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi

loc_79C857:				; CODE XREF: sub_8E7138+12j
		test	esi, esi
		js	loc_79C8E4
		add	ebx, 8
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		sub	esp, 10h
		push	1
		mov	edx, [ebp+var_24]
		mov	ecx, ebx
		call	SeCaptureLuidAndAttributesArray
		mov	esi, eax
		test	esi, esi
		js	short loc_79C8E4
		push	[ebp+var_28]
		push	[ebp+var_30]
		push	[ebp+var_24]
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		call	_SepPrivilegeCheck@20 ;	SepPrivilegeCheck(x,x,x,x,x)
		mov	byte ptr [ebp+arg_4+3],	al
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject
		mov	[ebp+ms_exc.disabled], 1
		push	[ebp+var_34]	; size_t
		push	[ebp+var_20]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+arg_8]
		mov	cl, byte ptr [ebp+arg_4+3]
		mov	[eax], cl
		mov	[ebp+ms_exc.disabled], edi
		push	ecx
		mov	dl, byte ptr [ebp+var_28]
		mov	ecx, [ebp+var_20]
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)
		xor	eax, eax

loc_79C8CD:				; CODE XREF: NtPrivilegeCheck+49j
					; NtPrivilegeCheck+14A993j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_79C8DF:				; CODE XREF: NtPrivilegeCheck+71j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_79C8E4:				; CODE XREF: NtPrivilegeCheck+E3j
					; NtPrivilegeCheck+107j
		mov	ecx, [ebp+var_1C]
		jmp	loc_8E7102
NtPrivilegeCheck endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; 
; Exported entry 1496. NtAdjustPrivilegesToken

		public NtAdjustPrivilegesToken
NtAdjustPrivilegesToken:		; CODE XREF: RtlpSysVolTakeOwnership(x)+6Ep
					; DATA XREF: .text:00581274o
		push	58h
		push	offset dword_6A2180
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp-24h], edx
		mov	[ebp-20h], edx
		mov	[ebp-40h], edx
		mov	[ebp-28h], edx
		mov	[ebp-34h], edx
		mov	[ebp-19h], dl
		mov	ecx, [ebp+0Ch]
		mov	ebx, [ebp+10h]
		test	cl, cl
		jnz	short loc_79C924
		test	ebx, ebx
		jz	loc_8E717B

loc_79C924:				; CODE XREF: PAGE:0079C91Aj
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+13h], al
		mov	[ebp-30h], al
		test	al, al
		jz	loc_79CB16
		mov	[ebp-4], edx
		test	cl, cl
		jnz	short loc_79C989
		mov	edx, ebx
		test	bl, 3
		jnz	loc_79CB2E
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8E7185

loc_79C95D:				; CODE XREF: PAGE:008E7187j
		nop
		mov	al, [edx]
		mov	eax, [ebx]
		mov	[ebp-24h], eax
		dec	eax
		imul	eax, 0Ch
		add	eax, 10h
		mov	[ebp-64h], eax
		jz	short loc_79C989
		lea	edx, [eax+ebx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	loc_8E718C
		cmp	edx, ebx
		jb	loc_8E718C

loc_79C989:				; CODE XREF: PAGE:0079C943j
					; PAGE:0079C96Fj ...
		mov	edi, [ebp+18h]
		test	edi, edi
		jz	short loc_79C9B2
		push	4
		push	dword ptr [ebp+14h]
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [ebp+1Ch]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8E7194

loc_79C9AB:				; CODE XREF: PAGE:008E7196j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+0Ch]

loc_79C9B2:				; CODE XREF: PAGE:0079C98Ej
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp-4], esi

loc_79C9B8:				; CODE XREF: PAGE:0079CB29j
		test	cl, cl
		jnz	short loc_79C9EA
		mov	dword ptr [ebp-4], 1
		lea	eax, [ebp-40h]
		push	eax
		lea	eax, [ebp-20h]
		push	eax
		sub	esp, 10h
		push	dword ptr [ebp-30h]
		lea	ecx, [ebx+4]
		mov	edx, [ebp-24h]
		call	SeCaptureLuidAndAttributesArray
		mov	[ebp-38h], eax
		mov	[ebp-4], esi
		test	eax, eax
		js	loc_79CAFA

loc_79C9EA:				; CODE XREF: PAGE:0079C9BAj
					; PAGE:0079CB1Ej
		mov	eax, ds:_SeTokenObjectType
		and	dword ptr [ebp-2Ch], 0
		push	0
		lea	ecx, [ebp-2Ch]
		push	ecx
		push	dword ptr [ebp-30h]
		push	eax
		xor	eax, eax
		test	edi, edi
		setnz	al
		lea	eax, ds:20h[eax*8]
		push	eax
		push	dword ptr [ebp+8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8E71C4
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	ebx, [ebp-2Ch]
		push	1
		push	dword ptr [ebx+30h]
		call	ExAcquireResourceExclusiveLite
		and	dword ptr [ebp-48h], 0
		xor	ecx, ecx
		lea	eax, [ebp-48h]
		lock or	[eax], ecx
		lea	eax, [ebp-19h]
		push	eax
		lea	eax, [ebp-34h]
		push	eax
		lea	eax, [ebp-28h]
		push	eax
		push	edi
		push	dword ptr [ebp-20h]
		push	dword ptr [ebp-24h]
		push	dword ptr [ebp+0Ch]
		xor	dl, dl
		mov	ecx, ebx
		call	SepAdjustPrivileges
		test	edi, edi
		jz	short loc_79CA7E
		mov	dword ptr [ebp-4], 2
		mov	ecx, [ebp+1Ch]
		mov	eax, [ebp-28h]
		mov	[ecx], eax
		mov	[ebp-4], esi
		test	edi, edi
		jz	short loc_79CA7E
		cmp	eax, [ebp+14h]
		ja	loc_8E722E

loc_79CA7E:				; CODE XREF: PAGE:0079CA5Dj
					; PAGE:0079CA73j
		mov	dword ptr [ebp-4], 3
		lea	eax, [ebp-19h]
		push	eax
		lea	eax, [ebp-34h]
		push	eax
		lea	eax, [ebp-28h]
		push	eax
		push	edi
		push	dword ptr [ebp-20h]
		push	dword ptr [ebp-24h]
		push	dword ptr [ebp+0Ch]
		mov	dl, 1
		mov	ecx, ebx
		call	SepAdjustPrivileges
		mov	[ebp-38h], eax
		test	edi, edi
		jz	short loc_79CABC
		mov	ecx, [ebp-34h]
		mov	[edi], ecx
		test	ecx, ecx
		jnz	short loc_79CABC
		xor	eax, eax
		add	edi, 4
		stosd
		stosd
		stosd

loc_79CABC:				; CODE XREF: PAGE:0079CAA9j
					; PAGE:0079CAB2j
		mov	[ebp-4], esi
		cmp	byte ptr [ebp-19h], 0
		jnz	short loc_79CB0C

loc_79CAC5:				; CODE XREF: PAGE:0079CB14j
		and	dword ptr [ebp-58h], 0
		xor	ecx, ecx
		lea	eax, [ebp-58h]
		lock or	[eax], ecx
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, ebx
		call	ObfDereferenceObject
		cmp	dword ptr [ebp-20h], 0
		jz	short loc_79CAF7
		push	ecx
		mov	dl, [ebp+13h]
		mov	ecx, [ebp-20h]
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_79CAF7:				; CODE XREF: PAGE:0079CAE9j
		mov	eax, [ebp-38h]

loc_79CAFA:				; CODE XREF: PAGE:0079C9E4j
					; PAGE:008E7180j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_79CB0C:				; CODE XREF: PAGE:0079CAC3j
		lea	ecx, [ebx+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		jmp	short loc_79CAC5
; 

loc_79CB16:				; CODE XREF: PAGE:0079C938j
		push	0FFFFFFFEh
		mov	edi, [ebp+18h]
		pop	esi
		test	cl, cl
		jnz	loc_79C9EA
		mov	eax, [ebx]
		mov	[ebp-24h], eax
		jmp	loc_79C9B8
; 

loc_79CB2E:				; CODE XREF: PAGE:0079C94Aj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAdjustPrivileges proc near		; CODE XREF: PAGE:0079CA56p
					; PAGE:0079CA9Fp

var_3D4		= dword	ptr -3D4h
var_3D0		= dword	ptr -3D0h
var_3CC		= dword	ptr -3CCh
var_3C8		= dword	ptr -3C8h
var_3C4		= dword	ptr -3C4h
var_3C0		= dword	ptr -3C0h
var_3BC		= dword	ptr -3BCh
var_3B8		= dword	ptr -3B8h
var_3B4		= dword	ptr -3B4h
var_3B0		= dword	ptr -3B0h
var_3AC		= dword	ptr -3ACh
var_3A8		= dword	ptr -3A8h
var_3A4		= dword	ptr -3A4h
var_3A0		= dword	ptr -3A0h
var_39C		= dword	ptr -39Ch
var_398		= dword	ptr -398h
var_394		= dword	ptr -394h
var_390		= dword	ptr -390h
var_38C		= dword	ptr -38Ch
var_388		= dword	ptr -388h
var_384		= dword	ptr -384h
var_380		= dword	ptr -380h
var_37C		= dword	ptr -37Ch
var_375		= byte ptr -375h
var_374		= dword	ptr -374h
var_36F		= byte ptr -36Fh
var_36D		= byte ptr -36Dh
var_36C		= dword	ptr -36Ch
var_1BC		= dword	ptr -1BCh
var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008E72C5 SIZE 00000156 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3D8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_380], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	[ebp+var_3D4], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_18]
		push	esi
		mov	esi, [ebp+arg_14]
		push	edi
		mov	[ebp+var_39C], eax
		lea	edi, [ebp+var_3D0]
		xor	eax, eax
		mov	[ebp+var_36D], dl
		mov	[ebp+var_390], eax
		mov	[ebp+var_374], eax
		stosd
		push	1B0h		; size_t
		push	0		; int
		mov	[ebp+var_388], esi
		stosd
		mov	byte ptr [ebp-36Eh], 0
		mov	[ebp+var_36F], 0
		mov	[ebp+var_375], 0
		stosd
		lea	eax, [ebp+var_1BC]
		push	eax		; void *
		mov	[ebp+var_3CC], 0
		mov	[ebp+var_3C8], 0
		mov	[ebp+var_398], 0
		mov	[ebp+var_3BC], 0
		call	_memset
		push	1B0h		; size_t
		lea	eax, [ebp+var_36C]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_39C]
		lea	edx, [ebp+var_3CC]
		add	esp, 18h
		mov	dword ptr [esi], 0
		mov	ecx, ebx
		mov	byte ptr [eax],	0
		call	_SepCopyTokenIntegrity@8 ; SepCopyTokenIntegrity(x,x)
		mov	esi, [ebp+var_3CC]
		lea	eax, [ebp-36Eh]
		mov	edx, _SeHighMandatorySid
		mov	ecx, esi
		push	eax
		call	RtlSidDominates
		mov	[ebp+var_3A4], eax
		test	eax, eax
		js	loc_79CDD2
		cmp	byte ptr [ebp-36Eh], 0
		jz	loc_79CE8A

loc_79CC52:				; CODE XREF: SepAdjustPrivileges+373j
					; SepAdjustPrivileges+380j
		cmp	[ebp+arg_0], 0
		jnz	loc_8E72C5
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_79CE79
		mov	esi, [ebp+arg_8]
		lea	eax, [ebp+var_1BC]
		mov	[ebp+var_38C], eax
		lea	eax, [ebp+var_36C]
		mov	[ebp+var_3C4], eax
		mov	[ebp+var_3B4], ecx
		jmp	short loc_79CC90
; 
		align 10h

loc_79CC90:				; CODE XREF: SepAdjustPrivileges+148j
					; SepAdjustPrivileges+240j
		mov	ecx, [esi]
		mov	eax, 1
		xor	edx, edx
		call	__allshl
		mov	ecx, [ebx+40h]
		mov	edi, [ebx+44h]
		mov	[ebp+var_3C0], edi
		mov	edi, ecx
		mov	[ebp+var_3C8], ecx
		and	edi, eax
		mov	ecx, [ebp+var_3C0]
		and	ecx, edx
		mov	[ebp+var_3A8], eax
		or	edi, ecx
		mov	[ebp+var_3AC], edx
		jz	loc_79CD76
		mov	eax, [esi+4]
		xor	edx, edx
		mov	ecx, [esi]
		inc	[ebp+var_390]
		mov	[ebp+var_3A0], eax
		mov	eax, 1
		mov	[ebp+var_394], ecx
		call	__allshl
		mov	ecx, eax
		mov	[ebp+var_37C], edx
		mov	edx, [ebx+48h]
		mov	edi, edx
		mov	eax, [ebx+4Ch]
		and	edi, ecx
		mov	[ebp+var_384], ecx
		mov	ecx, eax
		and	ecx, [ebp+var_37C]
		or	edi, ecx
		mov	[ebp+var_3B8], eax
		jz	loc_79CDEC
		mov	edi, 2

loc_79CD26:				; CODE XREF: SepAdjustPrivileges+2AEj
		mov	ecx, [ebx+50h]
		mov	eax, [ebx+54h]
		and	ecx, [ebp+var_384]
		and	eax, [ebp+var_37C]
		or	ecx, eax
		jz	loc_79CDE5
		mov	ecx, 1

loc_79CD45:				; CODE XREF: SepAdjustPrivileges+2A7j
		mov	eax, [esi+8]
		or	ecx, edi
		mov	[ebp+var_3B0], ecx
		test	al, 4
		jnz	loc_79CF3E
		test	al, 2
		jz	loc_79CFE4
		mov	eax, [ebp+var_3B8]
		and	edx, [ebp+var_3A8]
		and	eax, [ebp+var_3AC]
		or	edx, eax
		jz	short loc_79CDF3

loc_79CD76:				; CODE XREF: SepAdjustPrivileges+18Aj
					; SepAdjustPrivileges+2C4j ...
		add	esi, 0Ch
		sub	[ebp+var_3B4], 1
		jnz	loc_79CC90
		mov	eax, [ebp+var_390]
		cmp	eax, [ebp+arg_4]
		jnb	loc_79CE6C

loc_79CD95:				; CODE XREF: SepAdjustPrivileges+333j
		mov	cl, [ebp+var_36D]
		mov	edi, 106h

loc_79CDA0:				; CODE XREF: SepAdjustPrivileges+345j
		mov	esi, [ebp+var_388]
		cmp	dword ptr [esi], 0
		ja	loc_79CEC5

loc_79CDAF:				; CODE XREF: SepAdjustPrivileges+387j
					; SepAdjustPrivileges+3CBj
		cmp	[ebp+var_380], 0
		jz	short loc_79CDD0
		mov	eax, [esi]
		cmp	eax, 1
		ja	loc_79D0A2
		mov	eax, 10h

loc_79CDC8:				; CODE XREF: SepAdjustPrivileges+56Cj
		mov	ecx, [ebp+var_3D4]
		mov	[ecx], eax

loc_79CDD0:				; CODE XREF: SepAdjustPrivileges+276j
		mov	eax, edi

loc_79CDD2:				; CODE XREF: SepAdjustPrivileges+FFj
					; SepAdjustPrivileges+366j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_79CDE5:				; CODE XREF: SepAdjustPrivileges+1FAj
		xor	ecx, ecx
		jmp	loc_79CD45
; 

loc_79CDEC:				; CODE XREF: SepAdjustPrivileges+1DBj
		xor	edi, edi
		jmp	loc_79CD26
; 

loc_79CDF3:				; CODE XREF: SepAdjustPrivileges+234j
		cmp	[ebp+var_36D], 0
		jnz	short loc_79CE09

loc_79CDFC:				; CODE XREF: SepAdjustPrivileges+4C9j
					; SepAdjustPrivileges+55Dj ...
		mov	eax, [ebp+var_388]
		inc	dword ptr [eax]
		jmp	loc_79CD76
; 

loc_79CE09:				; CODE XREF: SepAdjustPrivileges+2BAj
		mov	edi, [ebp+var_380]
		mov	edx, [ebp+var_394]
		test	edi, edi
		jnz	loc_79CF10
		mov	edi, [ebp+var_3A0]

loc_79CE23:				; CODE XREF: SepAdjustPrivileges+3F9j
		mov	eax, [ebp+var_3C4]
		inc	[ebp+var_3BC]
		mov	[eax], edx
		mov	[eax+4], edi
		mov	[eax+8], ecx
		add	eax, 0Ch
		cmp	byte ptr [ebp-36Eh], 0
		mov	[ebp+var_3C4], eax
		jz	loc_79CF9A
		mov	eax, [ebp+var_384]
		or	[ebx+48h], eax
		mov	eax, [ebp+var_37C]
		or	[ebx+4Ch], eax
		mov	eax, [ebp+var_388]
		inc	dword ptr [eax]
		jmp	loc_79CD76
; 

loc_79CE6C:				; CODE XREF: SepAdjustPrivileges+24Fj
		cmp	[ebp+var_374], 0
		ja	loc_79CD95

loc_79CE79:				; CODE XREF: SepAdjustPrivileges+121j
		mov	cl, [ebp+var_36D]

loc_79CE7F:				; CODE XREF: SepAdjustPrivileges+14A8B8j
		mov	edi, [ebp+var_3A4]
		jmp	loc_79CDA0
; 

loc_79CE8A:				; CODE XREF: SepAdjustPrivileges+10Cj
		mov	edx, _SeMediumMandatorySid
		lea	eax, [ebp+var_36F]
		push	eax
		mov	ecx, esi
		call	RtlSidDominates
		mov	[ebp+var_3A4], eax
		test	eax, eax
		js	loc_79CDD2
		cmp	[ebp+var_36F], 0
		jnz	loc_79CC52
		mov	[ebp+var_375], 1
		jmp	loc_79CC52
; 

loc_79CEC5:				; CODE XREF: SepAdjustPrivileges+269j
		test	cl, cl
		jz	loc_79CDAF
		mov	eax, [ebp+var_39C]
		mov	byte ptr [eax],	1
		test	edi, edi
		js	loc_8E740F
		mov	byte ptr [ebp+var_39C],	1

loc_79CEE5:				; CODE XREF: SepAdjustPrivileges+14A8D6j
		push	[ebp+var_39C]
		lea	eax, [ebp+var_36C]
		mov	ecx, ebx
		push	[ebp+var_3BC]
		lea	edx, [ebp+var_1BC]
		push	eax
		push	[ebp+var_398]
		call	SepAdtTokenRightAdjusted
		jmp	loc_79CDAF
; 

loc_79CF10:				; CODE XREF: SepAdjustPrivileges+2D7j
		mov	eax, [ebp+var_388]
		mov	eax, [eax]
		lea	eax, [eax+eax*2]
		mov	[edi+eax*4+4], edx
		mov	edx, [ebp+var_380]
		mov	edi, [ebp+var_3A0]
		mov	[edx+eax*4+8], edi
		mov	[edx+eax*4+0Ch], ecx
		mov	edx, [ebp+var_394]
		jmp	loc_79CE23
; 

loc_79CF3E:				; CODE XREF: SepAdjustPrivileges+212j
		cmp	[ebp+var_36D], 0
		jz	loc_79CD76
		mov	eax, [ebp+var_37C]
		mov	edi, [ebp+var_3B8]
		not	eax
		mov	ecx, [ebp+var_384]
		and	edi, eax
		not	ecx
		mov	[ebp+var_37C], eax
		mov	eax, [ebp+var_3C8]
		and	edx, ecx
		and	eax, ecx
		mov	[ebx+48h], edx
		mov	ecx, [ebp+var_3C0]
		and	ecx, [ebp+var_37C]
		or	dword ptr [ebx+0B0h], 800h
		mov	[ebx+4Ch], edi
		mov	[ebx+40h], eax
		mov	[ebx+44h], ecx
		jmp	loc_79CD76
; 

loc_79CF9A:				; CODE XREF: SepAdjustPrivileges+307j
		cmp	[ebp+var_36F], 0
		jz	loc_79D0B1
		mov	ecx, [esi]
		mov	eax, 1
		xor	edx, edx
		call	__allshl
		and	eax, 20160684h
		and	edx, 11h
		or	eax, edx
		jnz	loc_79D0EC

loc_79CFC5:				; CODE XREF: SepAdjustPrivileges+5A6j
					; SepAdjustPrivileges+14A8CAj
		mov	eax, [ebp+var_384]
		or	[ebx+48h], eax
		mov	eax, [ebp+var_37C]
		or	[ebx+4Ch], eax
		mov	eax, [ebp+var_388]
		inc	dword ptr [eax]
		jmp	loc_79CD76
; 

loc_79CFE4:				; CODE XREF: SepAdjustPrivileges+21Aj
		mov	edi, [ebp+var_3B8]
		mov	ecx, edx
		and	ecx, [ebp+var_3A8]
		mov	eax, edi
		and	eax, [ebp+var_3AC]
		or	ecx, eax
		jz	loc_79CD76
		cmp	[ebp+var_36D], 0
		jz	loc_79CDFC
		mov	ecx, [ebp+var_380]
		test	ecx, ecx
		jz	short loc_79D04E
		mov	eax, [ebp+var_388]
		mov	edx, [ebp+var_394]
		mov	edi, [ebp+var_3A0]
		mov	eax, [eax]
		lea	eax, [eax+eax*2]
		mov	[ecx+eax*4+4], edx
		mov	edx, [ebp+var_380]
		mov	[ecx+eax*4+8], edi
		mov	ecx, [ebp+var_3B0]
		mov	[edx+eax*4+0Ch], ecx
		mov	edx, [ebx+48h]
		mov	edi, [ebx+4Ch]

loc_79D04E:				; CODE XREF: SepAdjustPrivileges+4D7j
		mov	ecx, [ebp+var_38C]
		mov	eax, [ebp+var_394]
		inc	[ebp+var_398]
		mov	[ecx], eax
		mov	eax, [ebp+var_3A0]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_38C]
		mov	ecx, [ebp+var_3B0]
		mov	[eax+8], ecx
		add	eax, 0Ch
		mov	ecx, [ebp+var_37C]
		mov	[ebp+var_38C], eax
		not	ecx
		mov	eax, [ebp+var_384]
		not	eax
		and	eax, edx
		and	ecx, edi
		mov	[ebx+48h], eax
		mov	[ebx+4Ch], ecx
		jmp	loc_79CDFC
; 

loc_79D0A2:				; CODE XREF: SepAdjustPrivileges+27Dj
		lea	eax, [eax+eax*2]
		lea	eax, ds:4[eax*4]
		jmp	loc_79CDC8
; 

loc_79D0B1:				; CODE XREF: SepAdjustPrivileges+461j
		cmp	[ebp+var_375], 0
		jz	loc_79CDFC
		mov	ecx, [esi]
		mov	eax, 1
		xor	edx, edx
		call	__allshl
		and	edx, 2
		test	dword ptr [ebx+0B0h], 4000h
		jnz	loc_8E73FD
		and	eax, 2800000h
		or	eax, edx
		jnz	loc_79CFC5

loc_79D0EC:				; CODE XREF: SepAdjustPrivileges+47Fj
					; SepAdjustPrivileges+14A8C4j
		inc	[ebp+var_374]
		jmp	loc_79CDFC
SepAdjustPrivileges endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeCaptureLuidAndAttributesArray	proc near ; CODE XREF: NtPrivilegeCheck+FEp
					; PAGE:0079C9D7p ...

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008E741B SIZE 0000000A BYTES

		push	10h
		push	offset dword_6A21C0
		call	__SEH_prolog4
		mov	ebx, ecx
		test	edx, edx
		jz	loc_79D192
		cmp	edx, 42h
		ja	loc_8E741B
		imul	esi, edx, 0Ch
		lea	ecx, [esi+3]
		and	ecx, 0FFFFFFFCh
		mov	eax, [ebp+arg_18]
		mov	[eax], ecx
		cmp	[ebp+arg_0], 0
		jz	short loc_79D14F
		and	[ebp+ms_exc.disabled], 0
		test	esi, esi
		jz	short loc_79D148
		test	bl, 3
		jnz	short loc_79D1A0
		lea	ecx, [esi+ebx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_79D1A5
		cmp	ecx, ebx
		jb	short loc_79D1A5

loc_79D148:				; CODE XREF: SeCaptureLuidAndAttributesArray+39j
					; SeCaptureLuidAndAttributesArray+B0j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_79D14F:				; CODE XREF: SeCaptureLuidAndAttributesArray+31j
		push	754C6553h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+arg_14]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_79D1AA
		mov	[ebp+ms_exc.disabled], 1
		push	esi		; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_79D17E:				; CODE XREF: SeCaptureLuidAndAttributesArray+A6j
		xor	eax, eax

loc_79D180:				; CODE XREF: SeCaptureLuidAndAttributesArray+B7j
					; SeCaptureLuidAndAttributesArray+14A328j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_79D192:				; CODE XREF: SeCaptureLuidAndAttributesArray+10j
		mov	eax, [ebp+arg_14]
		and	dword ptr [eax], 0
		mov	eax, [ebp+arg_18]
		and	dword ptr [eax], 0
		jmp	short loc_79D17E
; 

loc_79D1A0:				; CODE XREF: SeCaptureLuidAndAttributesArray+3Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_79D1A5:				; CODE XREF: SeCaptureLuidAndAttributesArray+4Aj
					; SeCaptureLuidAndAttributesArray+4Ej
		mov	byte ptr [eax],	0
		jmp	short loc_79D148
; 

loc_79D1AA:				; CODE XREF: SeCaptureLuidAndAttributesArray+6Bj
		mov	eax, 0C000009Ah
		jmp	short loc_79D180
SeCaptureLuidAndAttributesArray	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall SeReleaseLuidAndAttributesArray(x, x, x)
_SeReleaseLuidAndAttributesArray@12 proc near ;	CODE XREF: NtPrivilegeCheck+150p
					; PAGE:0079CAF2p ...
		test	dl, dl
		jz	short loc_79D1BB
		cmp	dl, 1
		jnz	short locret_79D1C7

loc_79D1BB:				; CODE XREF: SeReleaseLuidAndAttributesArray(x,x,x)+2j
		test	ecx, ecx
		jz	short locret_79D1C7
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_79D1C7:				; CODE XREF: SeReleaseLuidAndAttributesArray(x,x,x)+7j
					; SeReleaseLuidAndAttributesArray(x,x,x)+Bj
		retn	4
_SeReleaseLuidAndAttributesArray@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAccessCheckAndAuditAlarm(x, x, x, x, x, x, x, x,	x, x, x, x, x, x, x, x,	x)
_SepAccessCheckAndAuditAlarm@68	proc near
					; CODE XREF: NtAccessCheckByTypeAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+36p
					; NtAccessCheckByTypeResultListAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+36p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	0
		push	[ebp+arg_38]
		push	[ebp+arg_34]
		push	[ebp+arg_30]
		push	[ebp+arg_2C]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	SepAccessCheckAndAuditAlarmWithAdminlessChecks
		mov	esp, ebp
		pop	ebp
		retn	3Ch
_SepAccessCheckAndAuditAlarm@68	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAccessCheckAndAuditAlarmWithAdminlessChecks proc near
					; CODE XREF: NtAccessCheckAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x)+30p
					; SepAccessCheckAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+37p

var_18C		= dword	ptr -18Ch
var_178		= dword	ptr -178h
var_16C		= dword	ptr -16Ch
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_98		= byte ptr -98h
var_97		= byte ptr -97h
var_96		= byte ptr -96h
var_94		= byte ptr -94h
var_90		= dword	ptr -90h
var_8B		= dword	ptr -8Bh
var_87		= dword	ptr -87h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= byte ptr -6Ch
var_6B		= byte ptr -6Bh
var_6A		= dword	ptr -6Ah
var_64		= dword	ptr -64h
var_5E		= byte ptr -5Eh
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
var_56		= byte ptr -56h
var_55		= byte ptr -55h
var_54		= dword	ptr -54h
var_4F		= byte ptr -4Fh
var_4E		= byte ptr -4Eh
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_23		= byte ptr -23h
var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= byte ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h

; FUNCTION CHUNK AT 008E7474 SIZE 00000092 BYTES
; FUNCTION CHUNK AT 008E7591 SIZE 000000D3 BYTES
; FUNCTION CHUNK AT 008E76E3 SIZE 00000B8C BYTES
; FUNCTION CHUNK AT 008E82A9 SIZE 0000008D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A21E8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 180h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_154], ecx
		mov	[ebp+var_134], ecx
		mov	[ebp+var_124], edx
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_87+3],	esi
		mov	[ebp+var_158], esi
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_138], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_14C], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_70], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_80], eax
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_104], eax
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_64], eax
		mov	[ebp+var_130], eax
		mov	[ebp+var_12C], eax
		mov	ebx, [ebp+arg_28]
		mov	eax, [ebp+arg_2C]
		mov	[ebp+var_E4], eax
		mov	eax, [ebp+arg_30]
		mov	[ebp+var_E0], eax
		mov	eax, [ebp+arg_34]
		mov	[ebp+var_114], eax
		xor	eax, eax
		lea	edi, [ebp+var_C8]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_5C], 0
		mov	[ebp+var_90], 0
		mov	[ebp+var_4C], 0
		mov	[ebp+var_6B], 0
		mov	[ebp+var_74], 0C0000001h
		mov	[ebp+var_160], 0
		mov	[ebp+var_54], 0
		mov	[ebp+var_164], 0
		xor	eax, eax
		mov	[ebp+var_D8], eax
		mov	[ebp+var_13C], eax
		mov	[ebp+var_EC], eax
		xor	al, al
		mov	[ebp+var_5D], al
		mov	[ebp+var_F4], 0
		mov	[ebp+var_CC], 0
		mov	[ebp+var_F8], 0
		mov	[ebp+var_6A+2],	0
		mov	[ebp+var_DC], 0
		mov	[ebp+var_B8], 0
		mov	[ebp+var_B4], 0
		xor	eax, eax
		lea	edi, [ebp+var_48]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_E8], 0
		mov	byte ptr [ebp+var_8B], 0
		mov	byte ptr [ebp+var_9C], 0
		mov	byte ptr [ebp+var_87], 0
		mov	byte ptr [ebp+var_6A], 0
		mov	byte ptr [ebp-95h], 0
		xor	al, al
		mov	[ebp+var_4E], al
		mov	[ebp+var_4F], al
		mov	[ebp+var_97], 1
		mov	[ebp+var_96], al
		mov	[ebp+var_128], 0
		mov	[ebp+var_148], 0
		mov	[ebp+var_94], al
		xor	eax, eax
		lea	edi, [ebp+var_178]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_144], 0
		mov	[ebp+var_140], 0
		xor	eax, eax
		mov	[ebp+var_D4], eax
		mov	[ebp+var_108], eax
		lea	edi, [ebp+var_18C]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_FC], 0
		mov	[ebp+var_6C], 0
		xor	al, al
		mov	[ebp+var_55], al
		mov	byte ptr [ebp+var_AC], al
		mov	[ebp+var_98], al
		mov	[ebp+var_F0], 3E7h
		mov	ecx, 7
		xor	eax, eax
		lea	edi, [ebp+var_38]
		rep stosd
		xor	al, al
		mov	[ebp+var_4D], al
		xor	eax, eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_A4], eax
		mov	[ebp+var_D0], eax
		mov	[ebp+var_10C], eax
		xor	al, al
		mov	byte ptr [ebp+var_6A+1], al
		mov	byte ptr [ebp+var_87+2], al
		mov	byte ptr [ebp+var_87+1], al
		mov	[ebp+var_118], 0
		mov	[ebp+var_11C], 0FFFFFFFFh
		mov	[ebp+var_144], 0FFFFFFFFh
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_56], al
		mov	byte ptr [ebp+var_B0], al
		lea	eax, [ebp+var_C8]
		push	eax
		call	SeCaptureSubjectContext
		mov	eax, [ebp+arg_18]
		test	eax, eax
		jnz	loc_8E7474
		mov	[ebp+var_120], 2

loc_79D4BA:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A277j
		test	esi, esi
		mov	esi, [ebp+var_C8]
		mov	[ebp+var_A8], esi
		jnz	short loc_79D4DF
		test	esi, esi
		jz	loc_8E748C
		cmp	[ebp+var_C4], 1
		jl	loc_8E7496

loc_79D4DF:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+2B8j
		mov	[ebp+var_4], 0
		cmp	byte ptr [ebp+arg_38], 0
		jnz	loc_8E74A0
		mov	ecx, [ebp+var_E0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8E74F1

loc_79D503:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A2E3j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+var_E4]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8E74F8

loc_79D51A:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A2EAj
		mov	eax, [ecx]
		mov	[ecx], eax

loc_79D51E:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A2DCj
		mov	ecx, ebx
		test	bl, 3
		jnz	loc_79DDCD
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8E74FF

loc_79D536:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A2F1j
		nop
		mov	al, [ecx]
		mov	eax, [ebx]
		mov	[ebp+var_48], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_44], eax
		mov	eax, [ebx+8]
		mov	[ebp+var_40], eax
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_3C], eax
		mov	esi, [ebp+var_C8]
		mov	[ebp+var_A8], esi
		mov	edi, [ebp+var_5C]

loc_79D55F:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A29Fj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A2B3j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [ebp+var_87+3]
		mov	al, [ebp+var_56]

loc_79D56F:				; CODE XREF: sub_8E7519+73j
		test	edi, edi
		js	loc_8E82AE
		mov	ebx, [ebp+var_B0]
		test	ecx, ecx
		jnz	loc_8E7591

loc_79D585:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A3F3j
		test	esi, esi
		jz	loc_8E7608

loc_79D58D:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A404j
		mov	[ebp+var_87+3],	esi
		mov	dl, al
		lea	ecx, [ebp+var_C8]
		call	_SeCheckAuditPrivilege@8 ; SeCheckAuditPrivilege(x,x)
		test	al, al
		jz	loc_8E7619

loc_79D5A8:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A416j
		test	[ebp+arg_14], 0F0000000h
		jnz	loc_8E7635
		lea	eax, [ebp+var_6A+2]
		push	eax		; int
		push	0		; int
		push	1		; int
		push	ebx		; char
		push	[ebp+var_70]	; size_t
		call	SeCaptureSecurityDescriptor
		mov	edi, eax
		mov	[ebp+var_5C], edi
		test	edi, edi
		js	loc_8E763F
		mov	eax, [ebp+var_6A+2]
		test	eax, eax
		jz	loc_8E764B
		movzx	edx, word ptr [eax+2]
		mov	ecx, [eax+4]
		test	dx, dx
		jns	short loc_79D5F4
		test	ecx, ecx
		jz	loc_8E764B
		add	ecx, eax

loc_79D5F4:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+3D8j
		test	ecx, ecx
		jz	loc_8E764B
		test	dx, dx
		jns	loc_8E7655
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	loc_8E764B
		add	eax, ecx

loc_79D612:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A448j
		test	eax, eax
		jz	loc_8E764B
		mov	[ebp+var_4], 1
		mov	edx, [ebp+var_114]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_8E765D

loc_79D634:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A44Fj
		mov	al, [edx]
		mov	[edx], al
		lea	edx, [ebp+var_F4]
		mov	ecx, [ebp+var_134]
		call	SepProbeAndCaptureString_U
		mov	edi, eax
		mov	[ebp+var_5C], edi
		test	edi, edi
		js	short loc_79D682
		lea	edx, [ebp+var_CC]
		mov	ecx, [ebp+var_138]
		call	SepProbeAndCaptureString_U
		mov	edi, eax
		mov	[ebp+var_5C], edi
		test	edi, edi
		js	short loc_79D682
		lea	edx, [ebp+var_F8]
		mov	ecx, [ebp+var_14C]
		call	SepProbeAndCaptureString_U
		mov	edi, eax
		mov	[ebp+var_5C], edi

loc_79D682:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+440j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+45Aj
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	cl, [ebp+var_56]

loc_79D68C:				; CODE XREF: sub_8E7677+67j
		mov	eax, [ebp+var_80]
		test	edi, edi
		js	loc_8E82AE
		test	eax, eax
		jnz	loc_8E76E3

loc_79D69F:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A4ECj
		lea	eax, [ebp+var_B8]
		push	eax
		push	ebx
		mov	edx, [ebp+var_64]
		mov	ecx, [ebp+var_104]
		call	SeCaptureObjectTypeList
		mov	edi, eax
		test	edi, edi
		js	loc_8E82AE
		lea	eax, [ebp+var_11C]
		push	eax
		push	1
		push	0
		push	0
		lea	eax, [ebp+var_C8]
		push	eax
		mov	edx, [ebp+var_6A+2]
		call	SepTrustLevelCheck
		mov	edi, eax
		test	edi, edi
		js	loc_8E82AE
		mov	ebx, [ebp+arg_14]
		mov	edx, ebx
		lea	ecx, [ebp+var_11C]
		call	_SepFilterToDiscretionary@8 ; SepFilterToDiscretionary(x,x)
		mov	edi, eax
		mov	[ebp+var_80], edi
		mov	[ebp+var_5C], edi
		test	edi, edi
		js	loc_8E7711
		lea	eax, [ebp+var_144]
		push	eax
		push	1
		push	esi
		lea	edx, [ebp+var_D0]
		mov	ecx, [ebp+var_6A+2]
		call	SepFilterCheck
		mov	edi, eax
		test	edi, edi
		js	loc_8E82AE
		mov	edx, ebx
		lea	ecx, [ebp+var_144]
		call	_SepFilterToDiscretionary@8 ; SepFilterToDiscretionary(x,x)
		mov	edi, eax
		mov	[ebp+var_80], edi
		mov	[ebp+var_5C], edi
		test	edi, edi
		js	loc_8E771A

loc_79D744:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A519j
		lea	eax, [ebp+var_178]
		push	eax
		push	[ebp+arg_3C]
		push	1
		push	esi
		push	0
		mov	edx, [ebp+var_6A+2]
		lea	ecx, [ebp+var_48]
		call	SepMandatoryIntegrityCheck
		mov	edi, eax
		test	edi, edi
		js	loc_8E82AE
		mov	edx, ebx
		lea	ecx, [ebp+var_178]
		call	_SepMandatoryToDiscretionary@8 ; SepMandatoryToDiscretionary(x,x)
		mov	edi, eax
		mov	[ebp+var_80], edi
		mov	[ebp+var_5C], edi
		test	edi, edi
		js	loc_79DBB0
		test	ebx, 2000000h
		jnz	loc_79DBB0

loc_79D791:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+9AAj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+9BAj
		mov	al, [ebp+var_4D]

loc_79D794:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+9C5j
		test	edi, edi
		js	loc_8E772E

loc_79D79C:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A526j
		push	[ebp+var_B0]
		lea	eax, [ebp+var_E8]
		push	eax
		push	0
		lea	eax, [ebp+var_C8]
		push	eax
		lea	edx, [ebp+var_B4]
		lea	ecx, [ebp+arg_14]
		call	SePrivilegePolicyCheck
		mov	edi, eax
		mov	[ebp+var_80], edi
		mov	[ebp+var_5C], edi
		mov	ebx, [ebp+arg_14]
		test	ebx, ebx
		jz	loc_8E773B

loc_79D7D3:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A513j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A520j
		mov	eax, [ebp+var_B4]
		mov	[ebp+var_78], eax

loc_79D7DC:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A536j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A540j
		lea	eax, [ebp+var_C8]
		push	eax
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)
		test	edi, edi
		js	loc_8E7755

loc_79D7F0:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A549j
		push	[ebp+arg_3C]
		push	ecx
		mov	edx, [ebp+var_6A+2]
		mov	ecx, esi
		call	SepTokenIsOwner
		mov	cl, al
		mov	byte ptr [ebp+var_AC], cl
		cmp	_SepRmEnforceCap, 0
		jnz	loc_8E7808

loc_79D813:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A6A5j
		mov	eax, [ebp+var_6A+2]

loc_79D816:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A5FFj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A62Dj ...
		mov	edi, [ebp+var_5C]

loc_79D819:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A69Aj
		mov	[ebp+var_80], edi
		mov	ebx, [ebp+arg_14]
		test	ebx, 2060000h
		jnz	loc_79DB44

loc_79D82B:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+936j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+967j
		mov	eax, [ebp+var_B4]

loc_79D831:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+99Bj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+A96j
		mov	[ebp+var_78], eax
		test	ebx, ebx
		jz	loc_79DD63

loc_79D83C:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A6C4j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A6D3j
		mov	eax, [ebp+var_12C]
		shl	eax, 3
		mov	[ebp+var_12C], eax
		mov	ecx, [ebp+arg_38]
		test	cl, cl
		jnz	loc_8E797D
		lea	edx, [ebp+var_90]
		mov	[ebp+var_4C], edx
		lea	eax, [ebp+var_74]
		mov	edi, [ebp+var_130]
		shl	edi, 2

loc_79D86B:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A7B3j
		mov	[ebp+var_70], eax
		mov	esi, [ebp+var_7C]
		mov	[ebp+var_38], esi
		push	[ebp+arg_3C]
		lea	esi, [ebp+var_9C]
		push	esi
		lea	esi, [ebp+var_8B]
		push	esi
		lea	esi, [ebp+var_D0]
		push	esi
		lea	esi, [ebp+var_38]
		push	esi
		push	[ebp+var_AC]
		push	ecx
		push	eax
		push	0
		push	edx
		push	[ebp+var_B0]
		push	[ebp+var_78]
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_64]
		push	[ebp+var_B8]
		push	ebx
		mov	esi, [ebp+var_A8]
		push	esi
		push	[ebp+var_C0]
		mov	edx, [ebp+var_DC]
		mov	ecx, [ebp+var_6A+2]
		call	SepAccessCheck
		cmp	_SepRmEnforceCap, 0
		mov	eax, [ebp+var_70]
		jnz	loc_8E79C8

loc_79D8DD:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A7BBj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A7C5j
		mov	ebx, [ebp+arg_14]
		mov	edi, [ebp+var_5C]
		mov	edx, [ebp+var_B4]
		mov	[ebp+var_78], edx

loc_79D8EC:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AB7Dj
		mov	ecx, ebx
		and	ecx, 2000000h
		mov	[ebp+var_A4], ecx
		jnz	loc_79DBDA
		cmp	[ebp+var_4D], 0
		jnz	loc_8E7DB9

loc_79D90A:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+9FAj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+BB2j ...
		mov	eax, [ebp+arg_38]

loc_79D90D:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AC14j
		test	ecx, ecx
		jnz	loc_79DC0F

loc_79D915:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+A4Fj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+BA9j ...
		cmp	[ebp+var_6A+2],	0
		jz	short loc_79D95D
		test	esi, esi
		jz	short loc_79D95D
		cmp	byte ptr [ebp+var_87+2], 0
		jnz	loc_8E7E80
		cmp	byte ptr [ebp+var_87+1], 0
		jnz	loc_8E7E80
		cmp	[ebp+var_2C], 0
		jnz	short loc_79D94F
		test	dword ptr [esi+0B0h], 4000h
		jnz	loc_79DC64

loc_79D94F:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+72Dj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+A6Aj ...
		test	edi, edi
		js	short loc_79D95D
		cmp	[ebp+var_74], 0
		jl	loc_79DD1A

loc_79D95D:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+709j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+70Dj ...
		cmp	byte ptr [ebp-95h], 0
		jnz	loc_79D9F5
		mov	edi, [ebp+var_120]
		cmp	edi, 2
		jnz	loc_8E7F01
		cmp	byte ptr [ebp+var_8B], 0
		jz	loc_79DD29
		lea	eax, [ebp+var_F0]
		push	eax
		push	0
		lea	eax, [ebp+var_C8]
		push	eax
		push	0
		push	[ebp+var_8B]
		mov	edx, [ebp+var_CC]
		xor	ecx, ecx
		call	SepAdtAuditObjectAccessWithContext
		mov	[ebp+var_4E], al

loc_79D9AE:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+B1Cj
		cmp	byte ptr [ebp+var_9C], 0
		jnz	loc_79DD31

loc_79D9BB:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AD27j
		mov	cl, [ebp+var_4F]

loc_79D9BE:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+B4Ej
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AD58j
		test	al, al
		jnz	loc_8E7F6D
		test	cl, cl
		jnz	loc_8E7F6D
		mov	ebx, [ebp+arg_38]

loc_79D9D1:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AE4Dj
		mov	al, byte ptr [ebp+var_87]
		test	al, al
		jnz	loc_8E8062
		cmp	byte ptr [ebp+var_6A], al
		jnz	loc_8E8062
		cmp	[ebp+var_E8], 0
		jnz	loc_79DCAB

loc_79D9F5:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+754j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+AA2j ...
		mov	ebx, [ebp+var_4C]

loc_79D9F8:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AF77j
		lea	eax, [ebp+var_C8]
		push	eax
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		mov	[ebp+var_4], 2
		cmp	byte ptr [ebp+arg_38], 0
		jnz	loc_8E818C
		mov	eax, [ebp+var_74]
		mov	ecx, [ebp+var_E0]
		mov	[ecx], eax
		mov	eax, [ebp+var_90]
		mov	edx, [ebp+var_E4]
		mov	[edx], eax
		cmp	_SepRmEnforceCap, 0
		jnz	loc_8E8245

loc_79DA3B:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AFA7j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AFECj
		mov	esi, [ebp+var_54]

loc_79DA3E:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B03Cj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B046j ...
		mov	eax, [ebp+var_114]
		mov	cl, [ebp+var_5D]
		mov	[eax], cl
		xor	edi, edi
		mov	[ebp+var_5C], edi
		mov	[ebp+var_4], 0FFFFFFFEh

loc_79DA55:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A3C3j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A3D0j ...
		cmp	[ebp+var_94], 0
		jnz	loc_8E82B8

loc_79DA62:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B0BFj
		mov	eax, [ebp+var_E8]
		test	eax, eax
		jnz	loc_79DD0D

loc_79DA70:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+B05j
		lea	eax, [ebp+var_C8]
		push	eax
		call	SeReleaseSubjectContext
		push	0
		push	[ebp+var_B0]
		push	[ebp+var_6A+2]
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	eax, [ebp+var_F4]
		test	eax, eax
		jz	short loc_79DA9E
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_79DA9E:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+884j
		mov	eax, [ebp+var_CC]
		test	eax, eax
		jz	short loc_79DAB0
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_79DAB0:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+896j
		mov	eax, [ebp+var_F8]
		test	eax, eax
		jz	short loc_79DAC2
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_79DAC2:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+8A8j
		mov	ecx, [ebp+var_DC]
		test	ecx, ecx
		jnz	loc_8E82D4

loc_79DAD0:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B0CEj
		mov	ecx, [ebp+var_B8]
		test	ecx, ecx
		jnz	loc_8E82E3

loc_79DADE:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B0D8j
		cmp	[ebp+var_6B], 0
		jnz	loc_8E82ED

loc_79DAE8:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B0EBj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B0F9j
		cmp	[ebp+var_6C], 0
		jnz	loc_8E830E

loc_79DAF2:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B109j
		mov	eax, [ebp+var_118]
		test	eax, eax
		jnz	loc_8E831E

loc_79DB00:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B116j
		mov	ecx, [ebp+var_D0]
		call	_SepFreeResourceInfo@4 ; SepFreeResourceInfo(x)
		cmp	edi, 0C000009Ah
		jz	loc_8E832B
		cmp	[ebp+var_98], 0
		jnz	loc_8E832B

loc_79DB24:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B121j
		mov	eax, edi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	40h
; 

loc_79DB44:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+615j
		test	cl, cl
		jz	loc_79D82B
		movzx	ecx, word ptr [eax+2]
		test	cl, 4
		jz	loc_8E78BA
		test	cx, cx
		jns	loc_8E78C8
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	loc_8E78C1
		add	eax, ecx

loc_79DB6F:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A6ACj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A6B3j ...
		push	eax
		call	_RtlOwnerAcesPresent@4 ; RtlOwnerAcesPresent(x)
		test	al, al
		jnz	loc_79D82B
		test	ebx, 2000000h
		jnz	loc_79DC85
		mov	ecx, ebx
		and	ecx, 60000h
		mov	[ebp+var_7C], ecx
		mov	eax, ecx
		or	eax, [ebp+var_B4]
		mov	[ebp+var_B4], eax
		and	ebx, 0FFF9FFFFh
		mov	[ebp+arg_14], ebx
		jmp	loc_79D831
; 

loc_79DBB0:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+56Fj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+57Bj
		test	dword ptr [esi+0B0h], 4000h
		jz	loc_79D791
		cmp	[ebp+var_16C], 2000h
		ja	loc_79D791
		mov	al, 1
		mov	[ebp+var_4D], al
		jmp	loc_79D794
; 

loc_79DBDA:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+6EAj
		cmp	[ebp+var_4D], 0
		jnz	loc_79DDBE

loc_79DBE4:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AB9Cj
		cmp	byte ptr [ebp+arg_38], 0
		jnz	loc_8E7DB1
		xor	ecx, ecx

loc_79DBF0:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14ABA4j
		push	ecx
		push	0
		push	eax
		push	[ebp+var_4C]
		mov	edx, ebx
		lea	ecx, [ebp+var_178]
		call	SepConstrainByMandatory

loc_79DC04:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AC5Bj
		mov	ecx, [ebp+var_A4]
		jmp	loc_79D90A
; 

loc_79DC0F:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+6FFj
		test	al, al
		jnz	loc_8E7E70
		xor	eax, eax

loc_79DC19:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AC63j
		lea	ecx, [ebp+var_87+2]
		push	ecx
		push	eax
		push	0
		push	[ebp+var_70]
		push	[ebp+var_4C]
		mov	edx, ebx
		mov	ecx, [ebp+var_11C]
		call	SepConstrainByConstraintMask
		cmp	byte ptr [ebp+arg_38], 0
		jnz	loc_8E7E78
		xor	eax, eax

loc_79DC42:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AC6Bj
		lea	ecx, [ebp+var_87+1]
		push	ecx
		push	eax
		push	0
		push	[ebp+var_70]
		push	[ebp+var_4C]
		mov	edx, ebx
		mov	ecx, [ebp+var_144]
		call	SepConstrainByConstraintMask
		jmp	loc_79D915
; 

loc_79DC64:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+739j
		test	edi, edi
		js	loc_79D95D
		cmp	[ebp+var_74], 0
		jl	loc_8E7E80
		cmp	[ebp+var_21], 0
		jz	loc_79D94F
		jmp	loc_8E7E80
; 

loc_79DC85:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+973j
		mov	[ebp+var_7C], 60000h
		mov	eax, [ebp+var_B4]
		or	eax, 60000h
		mov	[ebp+var_B4], eax
		and	ebx, 0FFF9FFFFh
		mov	[ebp+arg_14], ebx
		jmp	loc_79D831
; 

loc_79DCAB:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+7DFj
		cmp	byte ptr [ebp+var_8B], 0
		jz	loc_79D9F5
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	[ebp+var_8B]
		push	[ebp+var_E8]
		push	[ebp+arg_14]
		mov	eax, [eax+0E4h]
		push	eax
		push	[ebp+var_C0]
		push	[ebp+var_C8]
		lea	eax, [ebp+var_124]
		push	eax
		push	[ebp+var_F8]
		mov	edx, [ebp+var_CC]
		mov	ecx, [ebp+var_F4]
		call	SepAdtPrivilegeObjectAuditAlarm
		mov	[ebp+var_5D], 0
		jmp	loc_79D9F5
; 

loc_79DD0D:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+85Aj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_79DA70
; 

loc_79DD1A:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+747j
		cmp	[ebp+var_2C], 0
		jnz	loc_79D95D
		jmp	loc_8E7ED5
; 

loc_79DD29:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+770j
		mov	al, [ebp+var_4E]
		jmp	loc_79D9AE
; 

loc_79DD31:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+7A5j
		lea	eax, [ebp+var_F0]
		push	eax
		push	0
		lea	eax, [ebp+var_C8]
		push	eax
		push	[ebp+var_9C]
		push	0
		mov	edx, [ebp+var_CC]
		xor	ecx, ecx
		call	SepAdtAuditObjectAccessWithContext
		mov	cl, al
		mov	[ebp+var_4F], cl
		mov	al, [ebp+var_4E]
		jmp	loc_79D9BE
; 

loc_79DD63:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+626j
		cmp	[ebp+var_6C], 0
		jnz	loc_8E78D0

loc_79DD6D:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A6CAj
		test	dword ptr [esi+0B0h], 2000h
		jz	loc_8E78DF

loc_79DD7D:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A6D9j
		mov	[ebp+var_90], eax
		test	eax, eax
		jz	loc_8E78EE
		xor	eax, eax
		xor	cl, cl
		mov	dl, 1

loc_79DD91:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A6E7j
		mov	byte ptr [ebp+var_8B], dl
		mov	byte ptr [ebp+var_9C], cl
		mov	[ebp+var_74], eax
		cmp	byte ptr [ebp+arg_38], 0
		jnz	loc_8E78FC
		lea	ecx, [ebp+var_90]
		mov	[ebp+var_4C], ecx
		lea	eax, [ebp+var_74]
		mov	[ebp+var_70], eax
		jmp	loc_79D915
; 

loc_79DDBE:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+9CEj
		cmp	[ebp+var_23], 0
		jnz	loc_79D90A
		jmp	loc_8E7D92
; 

loc_79DDCD:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+313j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
SepAccessCheckAndAuditAlarmWithAdminlessChecks endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepProbeAndCaptureString_U proc	near	; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+434p
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+44Ep ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008E8336 SIZE 00000007 BYTES

		push	20h
		push	offset dword_6A2220
		call	__SEH_prolog4
		mov	esi, edx
		mov	[ebp+var_28], esi
		xor	ebx, ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[esi], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8E8336

loc_79DE00:				; CODE XREF: SepProbeAndCaptureString_U+14A566j
		nop
		mov	eax, [ecx]
		mov	[ebp+var_30], eax
		mov	ecx, [ecx+4]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_2C], ecx
		movzx	eax, ax
		mov	edi, eax
		test	ax, ax
		jz	short loc_79DE2E
		test	cl, 1
		jnz	short loc_79DE94
		lea	edx, [ecx+eax]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_79DE99
		cmp	edx, ecx
		jb	short loc_79DE99

loc_79DE2E:				; CODE XREF: SepProbeAndCaptureString_U+45j
					; SepProbeAndCaptureString_U+C9j
		mov	ebx, edi
		test	bl, 1
		jnz	short loc_79DEA6
		cmp	ebx, 0FFFEh
		jz	short loc_79DEA6
		push	73556553h
		lea	eax, [ebx+8]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	short loc_79DE9D
		mov	[eax], di
		mov	eax, [esi]
		mov	[eax+2], di
		mov	ecx, [esi]
		lea	eax, [ecx+8]
		mov	[ecx+4], eax
		test	di, di
		jz	short loc_79DE7A
		push	ebx		; size_t
		push	[ebp+var_20]	; void *
		mov	eax, [esi]
		push	dword ptr [eax+4] ; void *
		call	_memcpy
		add	esp, 0Ch

loc_79DE7A:				; CODE XREF: SepProbeAndCaptureString_U+95j
					; SepProbeAndCaptureString_U+D2j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_79DE94:				; CODE XREF: SepProbeAndCaptureString_U+4Aj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_79DE99:				; CODE XREF: SepProbeAndCaptureString_U+56j
					; SepProbeAndCaptureString_U+5Aj
		mov	[eax], bl
		jmp	short loc_79DE2E
; 

loc_79DE9D:				; CODE XREF: SepProbeAndCaptureString_U+7Fj
		mov	[ebp+var_1C], 0C000009Ah
		jmp	short loc_79DE7A
; 

loc_79DEA6:				; CODE XREF: SepProbeAndCaptureString_U+61j
					; SepProbeAndCaptureString_U+69j
		mov	[ebp+var_1C], 0C000000Dh
		jmp	short loc_79DE7A
SepProbeAndCaptureString_U endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAdtAuditObjectAccessWithContext proc	near
					; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+796p
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+B41p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008E8373 SIZE 00000054 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_10]
		mov	esi, edx
		push	77h
		pop	eax
		mov	ebx, ecx
		mov	[edi], ax
		mov	eax, [ebp+arg_0]
		movzx	edx, al
		neg	edx
		sbb	edx, edx
		and	edx, 3
		cmp	byte ptr [ebp+arg_4], 0
		jnz	short loc_79DEF8

loc_79DEDC:				; CODE XREF: SepAdtAuditObjectAccessWithContext+4Bj
		push	[ebp+arg_8]
		push	2
		pop	ecx
		call	SepAdtAuditThisEventByCategoryWithContext
		test	al, al
		jnz	loc_8E8373

loc_79DEEF:				; CODE XREF: SepAdtAuditObjectAccessWithContext+14A512j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_79DEF8:				; CODE XREF: SepAdtAuditObjectAccessWithContext+2Aj
		or	edx, 30h
		jmp	short loc_79DEDC
SepAdtAuditObjectAccessWithContext endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAdtPrivilegedServiceAuditAlarm proc near
					; CODE XREF: SePrivilegedServiceAuditAlarm(x,x,x,x)+75p
					; NtPrivilegedServiceAuditAlarm+174p ...

var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1EC		= dword	ptr -1ECh
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 008E83C7 SIZE 000001D9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2BCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2BCh+var_4], eax
		and	[esp+2BCh+var_2BC], 0
		lea	eax, [esp+2BCh+var_2B4]
		and	[esp+2BCh+var_2B4], 0
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		push	eax
		push	ecx
		mov	cl, [ebp+arg_10]
		test	cl, cl
		mov	[esp+2D0h+var_2B8], edx
		mov	dl, cl
		mov	ecx, ebx
		setz	al
		movzx	eax, al
		push	eax
		call	SepAdtAuditPrivilegeUseWithContext
		test	al, al
		jnz	loc_8E83C7

loc_79DF50:				; CODE XREF: SepAdtPrivilegedServiceAuditAlarm+14A691j
					; SepAdtPrivilegedServiceAuditAlarm+14A69Dj
		mov	ecx, [esp+2C8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
SepAdtPrivilegedServiceAuditAlarm endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAdtPrivilegeObjectAuditAlarm	proc near
					; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+AEFp
					; PAGE:008175C5p ...

var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B0		= dword	ptr -1B0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= byte ptr  24h

; FUNCTION CHUNK AT 008E85A0 SIZE 0000024F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2BCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2BCh+var_4], eax
		push	ebx
		push	esi
		push	edi
		lea	eax, [esp+2C8h+var_2B4]
		mov	[esp+2C8h+var_2A8], edx
		xor	edx, edx
		mov	ebx, ecx
		mov	ecx, [ebp+arg_18]
		push	eax
		push	edx
		mov	[esp+2D0h+var_2B4], edx
		mov	[esp+2D0h+var_2B8], edx
		mov	dl, [ebp+arg_1C]
		test	dl, dl
		mov	[esp+2D0h+var_2A4], ecx
		setz	al
		movzx	eax, al
		push	eax
		call	SepAdtAuditPrivilegeUseWithContext
		test	al, al
		jnz	loc_8E85A0

loc_79DFBD:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A664j
					; SepAdtPrivilegeObjectAuditAlarm+14A684j
		xor	al, al

loc_79DFBF:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A882j
		mov	ecx, [esp+2C8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
SepAdtPrivilegeObjectAuditAlarm	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAdtAuditPrivilegeUseWithContext proc	near
					; CODE XREF: SepAdtPrivilegedServiceAuditAlarm+45p
					; SepAdtPrivilegeObjectAuditAlarm+48p ...

var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= byte ptr -28h
var_27		= byte ptr -27h
var_26		= dword	ptr -26h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E87EF SIZE 0000017B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		xor	dh, dh
		mov	[esp+38h+var_29], dl
		mov	edi, ecx
		mov	[esp+38h+var_2A], dh
		push	esi
		mov	ecx, 83h
		mov	byte ptr [esp+3Ch+var_26], dh
		mov	byte ptr [esp+3Ch+var_26+1], dh
		mov	[esp+3Ch+var_10], eax
		mov	[esp+3Ch+var_C], eax
		mov	[esp+3Ch+var_8], eax
		mov	[esp+3Ch+var_4], eax
		call	_SepAuditingEnabledForSubcategory@12 ; SepAuditingEnabledForSubcategory(x,x,x)
		cmp	dword_6BE63C, 0
		mov	bh, al
		mov	[esp+38h+var_28], bh
		jnz	loc_8E87EF

loc_79E035:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A88Cj
		xor	eax, eax
		mov	ecx, 84h
		push	esi
		mov	[esp+3Ch+var_20], eax
		mov	[esp+3Ch+var_1C], eax
		mov	[esp+3Ch+var_18], eax
		mov	[esp+3Ch+var_14], eax
		call	_SepAuditingEnabledForSubcategory@12 ; SepAuditingEnabledForSubcategory(x,x,x)
		cmp	dword_6BE640, 0
		mov	bl, al
		mov	[esp+38h+var_27], bl
		jnz	loc_8E8871

loc_79E065:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A914j
		test	bh, bh
		jnz	loc_8E88F9
		test	bl, bl
		jnz	loc_8E88F9
		mov	al, dh

loc_79E077:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A95Fj
					; SepAdtAuditPrivilegeUseWithContext+14A97Cj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
SepAdtAuditPrivilegeUseWithContext endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAdtAuditThisEventWithContext	proc near
					; CODE XREF: SeAuditingAnyFileEventsWithContextEx(x,x,x)+1Ep
					; SeAuditingAnyFileEventsWithContextEx(x,x,x)+2Fp ...

var_16		= byte ptr -16h
var_15		= dword	ptr -15h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E896A SIZE 00000094 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		push	ebx
		xor	eax, eax
		mov	bl, dl
		push	esi
		mov	esi, ecx
		mov	[esp+20h+var_10], eax
		mov	[esp+20h+var_C], eax
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_4], eax
		cmp	esi, 8
		jbe	loc_8E896A
		push	[ebp+arg_0]
		call	_SepAuditingEnabledForSubcategory@12 ; SepAuditingEnabledForSubcategory(x,x,x)
		cmp	_ViVerifierEnabled[esi*4], 0
		mov	byte ptr [esp+20h+var_15], al
		jnz	loc_8E8986

loc_79E0C6:				; CODE XREF: SepAdtAuditThisEventWithContext+14A969j
					; SepAdtAuditThisEventWithContext+14A979j
		mov	al, byte ptr [esp+20h+var_15]

loc_79E0CA:				; CODE XREF: SepAdtAuditThisEventWithContext+14A901j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
SepAdtAuditThisEventWithContext	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAdtAuditThisEventByCategoryWithContext proc near
					; CODE XREF: SeAuditingAnyFileEventsWithContextEx(x,x,x)+41p
					; SeAuditingFileEventsWithContextEx(x,x,x,x)+5Fp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E89FE SIZE 00000109 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_18], edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	eax, _SeAuditingStateByCategory[esi*4]
		push	edi
		test	eax, eax
		jz	short loc_79E128
		test	eax, edx
		jnz	short loc_79E133
		xor	bl, bl
		cmp	_SepTokenPolicyCounterByCategory[esi*4], 0
		jnz	loc_8E89FE

loc_79E11D:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+55j
					; SepAdtAuditThisEventByCategoryWithContext+14A9CEj ...
		mov	al, bl
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_79E128:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+27j
		pop	edi
		pop	esi
		xor	al, al
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_79E133:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+2Bj
		mov	bl, 1
		jmp	short loc_79E11D
SepAdtAuditThisEventByCategoryWithContext endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeCheckAuditPrivilege(x, x)
_SeCheckAuditPrivilege@8 proc near	; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+38Bp
					; NtPrivilegedServiceAuditAlarm+3Dp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ds:_SeAuditPrivilege
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], eax
		mov	eax, ds:dword_A94CAC
		mov	ebx, edx
		xor	ecx, ecx
		mov	[ebp+var_C], eax
		inc	ecx
		lea	edx, [ebp+var_10]
		push	ebx
		push	ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		push	ecx
		mov	ecx, [esi+8]
		call	_SepPrivilegeCheck@20 ;	SepPrivilegeCheck(x,x,x,x,x)
		mov	byte ptr [ebp+var_1C], al
		test	bl, bl
		jz	short loc_79E195
		push	[ebp+var_1C]
		lea	eax, [ebp+var_18]
		mov	edx, esi
		push	eax
		xor	ecx, ecx
		call	_SePrivilegedServiceAuditAlarm@16 ; SePrivilegedServiceAuditAlarm(x,x,x,x)
		mov	al, byte ptr [ebp+var_1C]

loc_79E195:				; CODE XREF: SeCheckAuditPrivilege(x,x)+48j
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SeCheckAuditPrivilege@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SePrivilegedServiceAuditAlarm(x, x,	x, x)
_SePrivilegedServiceAuditAlarm@16 proc near
					; CODE XREF: SeSinglePrivilegeCheckEx(x,x,x,x)+4Ep
					; SeCheckAuditPrivilege(x,x)+55p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], ecx
		push	edi
		mov	edi, [esi]
		mov	eax, edi
		test	edi, edi
		jz	short loc_79E231

loc_79E1BB:				; CODE XREF: SePrivilegedServiceAuditAlarm(x,x,x,x)+90j
		mov	eax, [eax+94h]
		mov	ebx, [eax]
		push	ebx
		push	_SeLocalSystemSid
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_79E1DA

loc_79E1D3:				; CODE XREF: SePrivilegedServiceAuditAlarm(x,x,x,x)+7Aj
					; SePrivilegedServiceAuditAlarm(x,x,x,x)+89j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_79E1DA:				; CODE XREF: SePrivilegedServiceAuditAlarm(x,x,x,x)+2Dj
		mov	eax, ds:_SeExports
		push	ebx
		mov	[ebp+var_4], eax
		push	dword ptr [eax+12Ch]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_79E220
		mov	eax, [ebp+var_4]
		push	ebx
		push	dword ptr [eax+128h]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_79E220

loc_79E205:				; CODE XREF: SePrivilegedServiceAuditAlarm(x,x,x,x)+8Bj
		push	[ebp+arg_4]
		mov	edx, offset _SeSubsystemName
		mov	ecx, esi
		push	[ebp+arg_0]
		push	dword ptr [esi+8]
		push	edi
		push	[ebp+var_8]
		call	SepAdtPrivilegedServiceAuditAlarm
		jmp	short loc_79E1D3
; 

loc_79E220:				; CODE XREF: SePrivilegedServiceAuditAlarm(x,x,x,x)+4Cj
					; SePrivilegedServiceAuditAlarm(x,x,x,x)+5Fj
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		inc	ecx
		call	SepFilterPrivilegeAudits
		test	al, al
		jz	short loc_79E1D3
		jmp	short loc_79E205
; 

loc_79E231:				; CODE XREF: SePrivilegedServiceAuditAlarm(x,x,x,x)+15j
		mov	eax, [esi+8]
		jmp	short loc_79E1BB
_SePrivilegedServiceAuditAlarm@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAdtTokenRightAdjusted proc near	; CODE XREF: SepAdjustPrivileges+3C6p

var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2A8		= dword	ptr -2A8h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1EC		= dword	ptr -1ECh
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 008E8B07 SIZE 000002BE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2DCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2DCh+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[esp+2E0h+var_2CC], eax
		xor	ebx, ebx
		and	[esp+2E0h+var_2D4], 0
		xor	eax, eax
		push	esi
		push	edi
		and	[esp+2E8h+var_2D8], 0
		lea	edi, [esp+2E8h+var_2B0]
		stosd
		mov	[esp+2E8h+var_2C8], edx
		mov	[esp+2E8h+var_2D0], ecx
		stosd
		stosd
		stosd
		lea	eax, [esp+2E8h+var_2B0]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	esi, [esp+2E8h+var_2B0]
		mov	edx, esi
		test	esi, esi
		jz	short loc_79E2F3

loc_79E2A1:				; CODE XREF: SepAdtTokenRightAdjusted+C1j
		mov	ecx, 8Bh
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jnz	loc_8E8B07

loc_79E2B3:				; CODE XREF: SepAdtTokenRightAdjusted+14A8F1j
					; SepAdtTokenRightAdjusted+14A940j ...
		mov	esi, [esp+2E8h+var_2D8]

loc_79E2B7:				; CODE XREF: SepAdtTokenRightAdjusted+14A9C0j
					; SepAdtTokenRightAdjusted+14AB60j
		cmp	[esp+2E8h+var_2D4], 0
		jnz	loc_8E8D9B

loc_79E2C2:				; CODE XREF: SepAdtTokenRightAdjusted+14AB70j
		test	esi, esi
		jnz	loc_8E8DAB

loc_79E2CA:				; CODE XREF: SepAdtTokenRightAdjusted+14AB7Dj
		test	ebx, ebx
		jnz	loc_8E8DB8

loc_79E2D2:				; CODE XREF: SepAdtTokenRightAdjusted+14AB8Aj
		lea	eax, [esp+2E8h+var_2B0]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [esp+2E8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_79E2F3:				; CODE XREF: SepAdtTokenRightAdjusted+69j
		mov	edx, [esp+2E8h+var_2A8]
		jmp	short loc_79E2A1
SepAdtTokenRightAdjusted endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 171. SeAuditingWithTokenForSubcategory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeAuditingWithTokenForSubcategory
SeAuditingWithTokenForSubcategory proc near ; CODE XREF: PspExitThread+446p
					; SepAdtTokenRightAdjusted+70p	...

var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 008E8DC5 SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	esi, edx
		mov	dl, 1
		mov	ebx, ecx
		stosd
		stosd
		stosd
		call	_SepAuditingForSubCategory@8 ; SepAuditingForSubCategory(x,x)
		cmp	_ViVerifierEnabled[ebx*4], 0
		mov	byte ptr [ebp+var_1], al
		jnz	loc_8E8DC5

loc_79E32E:				; CODE XREF: SeAuditingWithTokenForSubcategory+14AB08j
					; SeAuditingWithTokenForSubcategory+14AB17j
		mov	al, byte ptr [ebp+var_1]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
SeAuditingWithTokenForSubcategory endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiIsUserQueryVmCallerTrusted(x)
_MiIsUserQueryVmCallerTrusted@4	proc near ; CODE XREF: MmQueryVirtualMemory+7D4p

var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [esp+18h+var_8]
		push	ebx
		push	eax
		lea	eax, [esp+17h]
		mov	[esp+20h+var_9], bl
		push	eax
		lea	edx, [esp+24h+var_4]
		call	PsReferenceEffectiveToken
		mov	esi, eax
		push	esi
		call	SeTokenIsAdmin
		test	al, al
		jz	short loc_79E37B

loc_79E369:				; CODE XREF: MiIsUserQueryVmCallerTrusted(x)+5Cj
		xor	ebx, ebx
		inc	ebx

loc_79E36C:				; CODE XREF: MiIsUserQueryVmCallerTrusted(x)+5Aj
		mov	ecx, esi
		call	ObfDereferenceObject
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_79E37B:				; CODE XREF: MiIsUserQueryVmCallerTrusted(x)+31j
		push	1
		push	ds:dword_A949EC
		push	ds:_SeProfileSingleProcessPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	short loc_79E36C
		jmp	short loc_79E369
_MiIsUserQueryVmCallerTrusted@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspInsertProcess proc near		; CODE XREF: PAGE:007A3523p
					; PspCreateProcess+257p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008E8E1A SIZE 00000087 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], eax
		mov	eax, [eax+80h]
		mov	ebx, edx
		mov	[ebp+var_8], eax
		xor	edx, edx
		mov	ecx, 86h
		mov	byte ptr [ebp+var_1], 0
		mov	esi, [edi+18Ch]
		mov	eax, [edi+0E4h]
		mov	[esi+18h], eax
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jnz	loc_79E57D

loc_79E3DC:				; CODE XREF: PspInsertProcess+1F3j
		test	ebx, ebx
		jz	short loc_79E403
		cmp	dword ptr [ebx+158h], 0
		jz	short loc_79E403
		push	[ebp+arg_4]
		mov	ecx, [ebx+158h]
		mov	edx, edi
		call	_PspImplicitAssignProcessToJob@12 ; PspImplicitAssignProcessToJob(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E8E8A

loc_79E403:				; CODE XREF: PspInsertProcess+4Aj
					; PspInsertProcess+53j
		mov	esi, [ebp+var_C]
		mov	ecx, esi
		call	_PspLockProcessListExclusive@4 ; PspLockProcessListExclusive(x)
		mov	ecx, dword_6BEEDC
		lea	eax, [edi+0E8h]
		mov	edx, offset _PsActiveProcessHead
		cmp	[ecx], edx
		jnz	loc_79E58C
		mov	[eax+4], ecx
		mov	[eax], edx
		mov	[ecx], eax
		mov	ecx, _PspProcessSequenceNumber
		mov	dword_6BEEDC, eax
		add	ecx, 1
		mov	eax, dword_6BEEE4
		adc	eax, 0
		mov	_PspProcessSequenceNumber, ecx
		mov	[edi+3E8h], ecx
		mov	ecx, esi
		mov	dword_6BEEE4, eax
		mov	[edi+3ECh], eax
		call	PspUnlockProcessListExclusive
		mov	eax, [ebp+var_8]
		test	byte ptr [eax+0FCh], 8
		jnz	loc_8E8E1A
		cmp	[ebp+arg_8], 0
		push	2
		pop	edx
		jnz	loc_8E8E21
		xor	eax, eax
		mov	[ebp+arg_8], eax

loc_79E483:				; CODE XREF: PspInsertProcess+14AAC4j
		mov	edx, [ebp+var_8]
		lea	ecx, [ebp+var_1]
		push	ecx
		push	eax
		mov	ecx, edi
		call	DbgkCopyProcessDebugPort
		mov	ecx, [ebp+arg_8]
		mov	esi, eax
		test	ecx, ecx
		jnz	loc_8E8E5D

loc_79E49F:				; CODE XREF: PspInsertProcess+14AACEj
		test	esi, esi
		js	loc_8E8E8A
		cmp	byte ptr [ebp+var_1], 0
		jnz	loc_8E8E67

loc_79E4B1:				; CODE XREF: PspInsertProcess+14AAD7j
					; PspInsertProcess+14AAE9j
		and	[ebp+arg_8], 0
		test	ebx, ebx
		jz	short loc_79E4C3
		mov	ecx, ds:_PsInitialSystemProcess
		cmp	ebx, ecx
		jz	short loc_79E4D0

loc_79E4C3:				; CODE XREF: PspInsertProcess+123j
		test	[ebp+arg_C], 2
		jnz	loc_79E567
		mov	ecx, [ebp+var_8] ; int

loc_79E4D0:				; CODE XREF: PspInsertProcess+12Dj
		mov	ebx, [ebp+arg_8]

loc_79E4D3:				; CODE XREF: PspInsertProcess+1D8j
		mov	eax, ds:_PsProcessType
		push	[ebp+arg_14]	; void *
		mov	edx, [ebp+arg_0] ; int
		add	eax, 34h
		push	eax		; int
		call	_PspGenerateObjectAccessState@16 ; PspGenerateObjectAccessState(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E8E8A
		mov	edx, 72437350h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		mov	edx, [ebp+arg_14]
		xor	eax, eax
		push	eax
		push	eax
		push	ebx
		push	eax
		push	[ebp+arg_0]
		mov	ecx, edi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E8E82
		mov	edx, 72437350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	ecx, [edi+158h]
		test	ecx, ecx
		jz	short loc_79E557
		mov	edx, edi
		call	PspValidateJobAffinityState
		mov	esi, eax
		test	esi, esi
		js	loc_8E8E82

loc_79E541:				; CODE XREF: PspInsertProcess+1D1j
		mov	ecx, edi
		call	ObCheckRefTraceProcess
		test	[ebp+arg_C], 1
		jnz	short loc_79E571

loc_79E54E:				; CODE XREF: PspInsertProcess+1E7j
		xor	eax, eax

loc_79E550:				; CODE XREF: PspInsertProcess+14AB08j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_79E557:				; CODE XREF: PspInsertProcess+19Aj
		mov	ecx, 4000000h
		lea	eax, [edi+0FCh]
		lock or	[eax], ecx
		jmp	short loc_79E541
; 

loc_79E567:				; CODE XREF: PspInsertProcess+133j
		xor	ebx, ebx
		mov	ecx, edi
		inc	ebx
		jmp	loc_79E4D3
; 

loc_79E571:				; CODE XREF: PspInsertProcess+1B8j
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	PspUnlockProcessExclusive
		jmp	short loc_79E54E
; 

loc_79E57D:				; CODE XREF: PspInsertProcess+42j
		mov	edx, [ebp+arg_10]
		mov	ecx, edi
		call	SeAuditProcessCreation
		jmp	loc_79E3DC
; 

loc_79E58C:				; CODE XREF: PspInsertProcess+8Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PspInsertProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObCheckRefTraceProcess proc near	; CODE XREF: PspInsertProcess+1AFp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E8EA1 SIZE 000000B5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		xor	eax, eax
		test	byte ptr ds:_ObpTraceFlags, 20h
		push	esi
		push	edi
		mov	esi, ecx
		mov	[esp+18h+var_10], eax
		mov	[esp+18h+var_C], eax
		mov	[esp+18h+var_8], eax
		mov	[esp+18h+var_4], eax
		jnz	loc_8E8EA1

loc_79E5C0:				; CODE XREF: ObCheckRefTraceProcess+14A926j
					; ObCheckRefTraceProcess+14A9BFj
		xor	eax, eax

loc_79E5C2:				; CODE XREF: ObCheckRefTraceProcess+14A93Fj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
ObCheckRefTraceProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DbgkCopyProcessDebugPort proc near	; CODE XREF: PspInsertProcess+F9p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E8F56 SIZE 000000B6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		and	dword ptr [ebx+190h], 0
		mov	edi, edx
		test	esi, esi
		jnz	loc_8E8F8A
		mov	esi, [edi+190h]
		test	esi, esi
		jnz	loc_8E8F56

loc_79E5F5:				; CODE XREF: DbgkCopyProcessDebugPort+14A9CBj
					; DbgkCopyProcessDebugPort+14AA30j ...
		mov	eax, [ebp+arg_4]
		setnz	cl
		mov	[eax], cl
		xor	eax, eax

loc_79E5FF:				; CODE XREF: DbgkCopyProcessDebugPort+14A9F4j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
DbgkCopyProcessDebugPort endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSetProcessUniqueAttribute(x)
_SepSetProcessUniqueAttribute@4	proc near ; CODE XREF: SeSubProcessToken+25Fp

var_38		= dword	ptr -38h
var_30		= word ptr -30h
var_2E		= word ptr -2Eh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_38]
		push	6
		xor	eax, eax
		and	[ebp+var_4], eax
		pop	ecx
		rep stosd
		lea	ecx, [ebp+var_18]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		lea	eax, [ebp+var_4]
		push	eax
		lea	edx, [ebp+var_20]
		lea	ecx, [ebp+var_18]
		call	SepAddLuidToIndexEntry
		test	eax, eax
		js	short loc_79E6AE
		mov	ecx, [esi+290h]
		test	ecx, ecx
		jz	short loc_79E64B
		call	_SepDereferenceLuidToIndexEntry@4 ; SepDereferenceLuidToIndexEntry(x)

loc_79E64B:				; CODE XREF: SepSetProcessUniqueAttribute(x)+3Cj
		mov	eax, [ebp+var_4]
		mov	[esi+290h], eax
		lea	eax, [ebp+var_38]
		push	offset ??_C@_1CC@DJOPDNMF@?$AAT?$AAS?$AAA?$AA?3?$AA?1?$AA?1?$AAP?$AAr?$AAo?$AAc?$AAU?$AAn?$AAi?$AAq?$AAu@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		mov	[ebp+var_2C], 41h
		mov	[ebp+var_2E], ax
		lea	edx, [ebp+var_4]
		push	2
		pop	eax
		mov	[ebp+var_30], ax
		xor	ecx, ecx
		mov	[ebp+var_28], eax
		inc	ecx
		lea	eax, [ebp+var_20]
		mov	word ptr [ebp+var_10], cx
		mov	[ebp+var_24], eax
		xor	eax, eax
		mov	word ptr [ebp+var_10+2], ax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_C], ecx
		mov	ecx, [esi+1DCh]
		push	eax
		mov	[ebp+var_4], 4
		call	AuthzBasepSetSecurityAttributesToken

loc_79E6AE:				; CODE XREF: SepSetProcessUniqueAttribute(x)+32j
		pop	edi
		pop	esi
		leave
		retn
_SepSetProcessUniqueAttribute@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAddLuidToIndexEntry proc near	; CODE XREF: SepSetProcessUniqueAttribute(x)+2Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E900C SIZE 00000061 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		and	dword ptr [eax], 0
		push	74446553h
		push	28h
		push	1
		mov	[ebp+var_18], edx
		mov	[ebp+var_C], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8E900C
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, ds:_SeLuidToIndexMapping
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, ds:_SeLuidToIndexMapping
		push	0
		push	1
		mov	ecx, [eax+4]
		add	eax, 8
		push	eax
		mov	[ebp+var_14], ecx
		mov	[ebp+var_4], eax
		call	RtlFindClearBitsAndSet
		mov	ebx, eax
		or	esi, 0FFFFFFFFh
		cmp	ebx, esi
		jz	loc_79E7B8

loc_79E724:				; CODE XREF: SepAddLuidToIndexEntry+11Bj
					; SepAddLuidToIndexEntry+18Fj
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		mov	[edi+18h], ebx
		mov	[edi+1Ch], edx
		mov	dword ptr [edi+0Ch], 1
		mov	eax, [ecx]
		mov	[edi+10h], eax
		mov	eax, [ecx+4]
		mov	[edi+14h], eax
		mov	[edi+20h], dl
		mov	eax, [ecx]
		test	eax, eax
		jz	loc_8E901D

loc_79E74E:				; CODE XREF: SepAddLuidToIndexEntry+14A96Ej
		push	edx
		push	eax
		push	edi
		push	[ebp+var_14]
		call	RtlInsertEntryHashTable
		test	al, al
		jz	loc_8E9025
		mov	ecx, [ebp+var_C]
		xor	esi, esi
		push	dword ptr [ecx+4]
		push	dword ptr [ecx]
		mov	ecx, ebx
		call	_SepInitSingletonEntry@12 ; SepInitSingletonEntry(x,x,x)
		mov	ecx, [ebp+var_18]
		mov	eax, [edi+18h]
		mov	[ecx], eax
		mov	eax, [edi+1Ch]
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_0]
		mov	[eax], edi

loc_79E785:				; CODE XREF: SepAddLuidToIndexEntry+14A995j
					; SepAddLuidToIndexEntry+14A9A8j ...
		mov	edi, ds:_SeLuidToIndexMapping
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_79E846

loc_79E79C:				; CODE XREF: SepAddLuidToIndexEntry+19Bj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_79E7AF:				; CODE XREF: SepAddLuidToIndexEntry+14A95Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_79E7B8:				; CODE XREF: SepAddLuidToIndexEntry+6Cj
		call	_SepCleanupMarkedForDeletionEntries@0 ;	SepCleanupMarkedForDeletionEntries()
		push	0
		push	1
		push	[ebp+var_4]
		call	RtlFindClearBitsAndSet
		mov	ebx, eax
		cmp	ebx, esi
		jnz	loc_79E724
		mov	ebx, [ebp+var_4]
		push	ebx
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		add	eax, 40h
		mov	ecx, eax
		mov	[ebp+var_10], eax
		push	74446553h
		shr	ecx, 3
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_8E9016
		call	SepExpandSingletonArrays
		mov	esi, eax
		test	esi, esi
		js	loc_8E904D
		push	0
		push	dword ptr [ebx+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_8]
		mov	esi, [ebp+var_10]
		push	ebx
		mov	[ebx], esi
		mov	[ebx+4], eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		lea	eax, [esi-40h]
		push	eax
		push	0
		push	ebx
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		push	0
		push	1
		push	ebx
		call	RtlFindClearBitsAndSet
		mov	ebx, eax
		jmp	loc_79E724
; 

loc_79E846:				; CODE XREF: SepAddLuidToIndexEntry+E4j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_79E79C
SepAddLuidToIndexEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObInitProcess	proc near		; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+121Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E906D SIZE 00000077 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_10], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		test	esi, esi
		jz	short loc_79E8DA
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_79E8E8
		lea	eax, [esp+20h+var_10]
		mov	edx, edi
		push	eax
		push	[ebp+arg_4]
		mov	ecx, ebx
		push	[ebp+arg_0]
		call	ExDupHandleTable
		mov	[esp+20h+var_C], eax
		test	eax, eax
		js	loc_8E906D
		mov	eax, [esp+20h+var_10]

loc_79E89C:				; CODE XREF: ObInitProcess+94j
		mov	[esp+20h+var_10], eax
		test	eax, eax
		jz	loc_8E90C4
		push	7Ch
		xor	edx, edx
		mov	[ebx+18Ch], eax
		pop	ecx
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jnz	loc_8E90A2

loc_79E8C0:				; CODE XREF: ObInitProcess+14A86Dj
		test	edi, edi
		jz	short loc_79E8CF
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_79E8CF:				; CODE XREF: ObInitProcess+70j
		xor	eax, eax

loc_79E8D1:				; CODE XREF: ObInitProcess+9Bj
					; ObInitProcess+14A84Bj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_79E8DA:				; CODE XREF: ObInitProcess+19j
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		xor	edi, edi
		call	ExCreateHandleTable
		jmp	short loc_79E89C
; 

loc_79E8E8:				; CODE XREF: ObInitProcess+24j
		mov	eax, 0C000010Ah
		jmp	short loc_79E8D1
ObInitProcess	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeSubProcessToken proc near		; CODE XREF: PspInitializeProcessSecurity+98p

var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= byte ptr -158h
var_156		= byte ptr -156h
var_155		= byte ptr -155h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_84		= dword	ptr -84h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 008E90E4 SIZE 00000209 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1B0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_150], 0
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_20]
		push	edi
		mov	[ebp+var_178], eax
		lea	edi, [ebp+var_19C]
		mov	eax, [ebp+arg_14]
		push	6
		mov	[ebp+var_17C], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_170], ecx
		pop	ecx
		mov	[ebp+var_180], eax
		xor	eax, eax
		push	74h		; size_t
		push	eax		; int
		rep stosd
		lea	eax, [ebp+var_84]
		mov	[ebp+var_164], edx
		push	eax		; void *
		mov	[ebp+var_15C], ebx
		mov	[ebp+var_184], esi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_14C]
		push	0C4h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_178]
		lea	edx, [ebp-152h]
		xor	ecx, ecx
		add	esp, 0Ch
		mov	[ebp+var_158], cl
		mov	[ebp+var_168], ecx
		mov	[eax], ecx
		lea	eax, [ebp-153h]
		push	eax
		lea	eax, [ebp+var_154]
		mov	[ebp+var_160], ecx
		mov	byte ptr [ebp+var_154+2], cl
		mov	byte ptr [ebp+var_154],	cl
		mov	byte ptr [ebp+var_154+1], cl
		mov	[esi], cx
		mov	[esi+2], cl
		mov	byte ptr [ebp+var_154+3], cl
		mov	[ebp+var_155], cl
		mov	[ebp+var_156], cl
		mov	[ebp-157h], cl
		mov	[ebp+var_174], ecx
		mov	ecx, [ebp+var_164]
		push	eax
		call	_SeTokenGetNoChildProcessRestricted@16 ; SeTokenGetNoChildProcessRestricted(x,x,x,x)
		cmp	byte ptr [ebp+var_154+2], 1
		jz	loc_8E90E4
		cmp	byte ptr [ebp+var_154+1], 1
		jz	loc_8E90E4

loc_79EA08:				; CODE XREF: SeSubProcessToken+14A8AAj
					; SeSubProcessToken+14A8C6j ...
		mov	ecx, [ebp+var_164]
		lea	eax, [ebp+var_150]
		xor	esi, esi
		mov	[ebp+var_19C], 18h
		push	eax		; int
		push	1		; int
		push	esi		; int
		push	esi		; size_t
		push	1		; int
		push	esi		; char
		lea	edx, [ebp+var_19C]
		mov	[ebp+var_198], esi
		mov	[ebp+var_190], esi
		mov	[ebp+var_194], esi
		mov	[ebp+var_18C], esi
		mov	[ebp+var_188], esi
		call	_SepDuplicateToken@32 ;	SepDuplicateToken(x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8E9204
		mov	ecx, [ebp+var_150]
		mov	esi, [ebp+arg_8]
		test	dword ptr [ecx+0B0h], 4000h
		jnz	loc_79ECE6

loc_79EA74:				; CODE XREF: SeSubProcessToken+3FBj
					; SeSubProcessToken+14A970j
		xor	edi, edi
		mov	edx, esi
		push	edi
		push	edi
		push	edi
		call	_SepSetTokenSessionById@20 ; SepSetTokenSessionById(x,x,x,x,x)
		mov	eax, [ebp+var_150]
		mov	[eax+78h], esi
		mov	eax, [ebp+var_150]
		and	dword ptr [eax+0B0h], 0FFDFFFFFh
		test	byte ptr [ebx],	1
		jnz	loc_79ECF6

loc_79EAA2:				; CODE XREF: SeSubProcessToken+419j
					; SeSubProcessToken+14A985j
		mov	ecx, [ebp+var_150]
		xor	dl, dl
		push	edi
		push	edi
		push	edi
		call	SepSetTokenBnoIsolation
		mov	edi, eax
		test	edi, edi
		js	loc_8E92D5
		mov	esi, [ebp+arg_4]
		lea	eax, [ebp+var_156]
		mov	ecx, [ebp+var_150]
		and	esi, 2
		push	eax
		lea	eax, [ebp-155h]
		mov	[ebp+var_15C], esi
		push	eax
		push	dword ptr [ebx+4]
		mov	ebx, [ebp+var_170]
		mov	edx, ebx
		call	_SepDesktopAppxSubProcessToken@20 ; SepDesktopAppxSubProcessToken(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8E92D5
		mov	edx, [ebp+var_150]
		lea	eax, [ebp+var_174]
		mov	ecx, esi
		neg	ecx
		push	eax
		sbb	ecx, ecx
		and	ecx, [ebp+var_164]
		push	ebx
		call	SepMandatorySubProcessToken
		mov	edi, eax
		test	edi, edi
		js	loc_8E92D5
		mov	ecx, [ebp+var_150]
		lea	eax, [ebp+var_154+3]
		push	eax
		mov	edx, ebx
		call	_SepSetTrustLevelForProcessToken@12 ; SepSetTrustLevelForProcessToken(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8E92D5
		mov	eax, _SepTokenSingletonAttributesConfig
		and	eax, 3
		cmp	al, 3
		jnz	short loc_79EB5E
		mov	ecx, [ebp+var_150]
		call	_SepSetProcessUniqueAttribute@4	; SepSetProcessUniqueAttribute(x)
		mov	edi, eax
		test	edi, edi
		js	loc_8E92D5

loc_79EB5E:				; CODE XREF: SeSubProcessToken+257j
		mov	esi, [ebp+var_150]
		mov	edx, [ebp+arg_10]
		test	dword ptr [esi+0B0h], 4000h
		setnz	cl
		test	dl, 1
		setnz	al
		test	cl, al
		jnz	loc_8E927A

loc_79EB82:				; CODE XREF: SeSubProcessToken+14A99Dj
		mov	eax, [ebp+var_17C]
		test	eax, eax
		jnz	loc_8E9292

loc_79EB90:				; CODE XREF: SeSubProcessToken+14A9B3j
		mov	eax, [ebp+var_180]
		test	eax, eax
		jnz	loc_8E92A8

loc_79EB9E:				; CODE XREF: SeSubProcessToken+14A9D5j
		cmp	[ebp+var_15C], 0
		jz	loc_79ECDA
		cmp	[ebp+var_174], 0
		jnz	loc_79ECDA

loc_79EBB8:				; CODE XREF: SeSubProcessToken+3F1j
		xor	ebx, ebx
		push	ebx		; int
		push	ebx		; int
		cmp	byte ptr [ebp+var_154+3], bl
		jnz	loc_79EC86
		lea	eax, [ebp+var_14C]
		push	eax		; void *
		lea	eax, [ebp+var_84]
		push	eax		; void *
		call	SeCreateAccessState

loc_79EBDB:				; CODE XREF: SeSubProcessToken+3D8j
		mov	ecx, [ebp+var_150]
		lea	edx, [ebp+var_84]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		mov	byte ptr [ebp-157h], 1
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8E92CA
		mov	ecx, [ebp+var_150]
		call	_SepFinalizeTokenAcls@4	; SepFinalizeTokenAcls(x)
		mov	eax, [ebp+var_150]
		mov	ecx, [ebp+arg_4]
		and	cl, 1
		mov	[eax+0B4h], cl
		mov	ecx, [ebp+var_178]
		mov	eax, [ebp+var_150]
		mov	[ecx], eax
		mov	ecx, [ebp+var_184]
		mov	al, byte ptr [ebp+var_154+3]
		mov	[ecx], al
		mov	al, [ebp+var_155]
		mov	[ecx+1], al
		mov	al, [ebp+var_156]
		mov	[ecx+2], al

loc_79EC4D:				; CODE XREF: SeSubProcessToken+14A903j
					; SeSubProcessToken+14A91Aj ...
		test	edi, edi
		js	loc_8E92D5

loc_79EC55:				; CODE XREF: SeSubProcessToken+14A9EDj
					; SeSubProcessToken+14A9F8j
		cmp	byte ptr [ebp-157h], 0
		jz	short loc_79EC73
		cmp	byte ptr [ebp+var_154+3], 0
		jnz	short loc_79ECCD
		lea	eax, [ebp+var_84]
		push	eax
		call	SeDeleteAccessState

loc_79EC73:				; CODE XREF: SeSubProcessToken+36Cj
					; SeSubProcessToken+3E8j
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	24h		; int
; 

loc_79EC86:				; CODE XREF: SeSubProcessToken+2D2j
		mov	eax, large fs:124h
		lea	edx, [ebp+var_84] ; void *
		lea	ecx, [ebp+var_1AC] ; int
		mov	[ebp+var_1A4], esi
		mov	[ebp+var_1AC], ebx
		mov	[ebp+var_1A8], ebx
		mov	eax, [eax+80h]
		mov	eax, [eax+0E4h]
		mov	[ebp+var_1A0], eax
		lea	eax, [ebp+var_14C]
		push	eax		; void *
		call	_SepCreateAccessStateFromSubjectContext@20 ; SepCreateAccessStateFromSubjectContext(x,x,x,x,x)
		jmp	loc_79EBDB
; 

loc_79ECCD:				; CODE XREF: SeSubProcessToken+375j
		lea	ecx, [ebp+var_84]
		call	SepDeleteAccessState
		jmp	short loc_79EC73
; 

loc_79ECDA:				; CODE XREF: SeSubProcessToken+2B5j
					; SeSubProcessToken+2C2j
		mov	byte ptr [ebp+var_154+3], 1
		jmp	loc_79EBB8
; 

loc_79ECE6:				; CODE XREF: SeSubProcessToken+17Ej
		mov	eax, [ecx+78h]
		cmp	eax, esi
		jz	loc_79EA74
		jmp	loc_8E920F
; 

loc_79ECF6:				; CODE XREF: SeSubProcessToken+1ACj
		mov	eax, [ebp+var_150]
		or	dword ptr [eax+0B0h], 80000h
		test	byte ptr [ebx],	4
		jz	loc_79EAA2
		jmp	loc_8E9265
SeSubProcessToken endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 439. ExSubscribeWnfStateChange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExSubscribeWnfStateChange(x, x, x, x, x, x)
		public _ExSubscribeWnfStateChange@24
_ExSubscribeWnfStateChange@24 proc near	; CODE XREF: PopEnsureErratumSubscribed(x)+75p
					; PopEsWorker+1BDp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_4]
		call	ExpWnfSubscribeWnfStateChange
		mov	esi, eax
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, esi
		pop	esi
		pop	ecx
		pop	ebp
		retn	18h
_ExSubscribeWnfStateChange@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfDeleteNameInstance proc near	; CODE XREF: NtDeleteWnfStateName+134p
					; ExpWnfDeleteNameInstanceCallback(x,x)+19p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008E92ED SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	eax, ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_8], eax
		lea	ebx, [eax+1Ch]
		mov	[ebp+var_C], esi
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	edi, eax
		lock bts dword ptr [ebx], 0
		jnb	short loc_79ED90
		push	ebx
		mov	edx, edi
		mov	ecx, ebx
		call	ExfAcquirePushLockExclusiveEx

loc_79ED90:				; CODE XREF: ExpWnfDeleteNameInstance+2Aj
		test	edi, edi
		jnz	loc_79EF10

loc_79ED98:				; CODE XREF: ExpWnfDeleteNameInstance+1BAj
		cmp	dword ptr [esi+20h], 0
		jz	loc_8E92ED
		lea	edi, [esi+40h]
		xor	edx, edx
		push	0
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	[ebp+var_4], eax
		lock bts dword ptr [edi], 0
		jnb	short loc_79EDC7
		push	edi
		mov	edx, eax
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_4]

loc_79EDC7:				; CODE XREF: ExpWnfDeleteNameInstance+5Ej
		test	eax, eax
		jnz	loc_79EF19

loc_79EDCF:				; CODE XREF: ExpWnfDeleteNameInstance+1C3j
		cmp	[ebp+arg_0], 0
		jz	short loc_79EDE5
		lea	eax, [esi+8]
		push	eax
		mov	eax, [ebp+var_8]
		add	eax, 20h
		push	eax
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)

loc_79EDE5:				; CODE XREF: ExpWnfDeleteNameInstance+79j
		and	dword ptr [esi+20h], 0
		or	esi, 0FFFFFFFFh
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_79EF34

loc_79EDFC:				; CODE XREF: ExpWnfDeleteNameInstance+1E1j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, esi
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_79EF40

loc_79EE13:				; CODE XREF: ExpWnfDeleteNameInstance+1EDj
		mov	ecx, ebx
		call	KeAbPostRelease
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	ebx, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_79EE38
		push	edi
		mov	edx, ebx
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_79EE38:				; CODE XREF: ExpWnfDeleteNameInstance+D2j
		test	ebx, ebx
		jnz	loc_79EF22

loc_79EE40:				; CODE XREF: ExpWnfDeleteNameInstance+1CCj
		mov	ebx, [ebp+var_C]

loc_79EE43:				; CODE XREF: ExpWnfDeleteNameInstance+2D7j
		lea	ecx, [ebx+44h]
		mov	eax, [ecx]
		mov	[ebp+var_4], eax
		cmp	eax, ecx
		jnz	loc_79EF64
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_79EF4C

loc_79EE63:				; CODE XREF: ExpWnfDeleteNameInstance+1F9j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, [ebx+54h]
		test	eax, eax
		jz	short loc_79EEDA
		mov	esi, [eax+39Ch]
		xor	edx, edx
		add	esi, 1Ch
		push	0
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edi, eax
		lock bts dword ptr [esi], 0
		jnb	short loc_79EE98
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx

loc_79EE98:				; CODE XREF: ExpWnfDeleteNameInstance+132j
		test	edi, edi
		jnz	loc_79EF2B

loc_79EEA0:				; CODE XREF: ExpWnfDeleteNameInstance+1D5j
		lea	eax, [ebx+4Ch]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_79F052
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_79F052
		mov	[ecx], edx
		or	eax, 0FFFFFFFFh
		mov	[edx+4], ecx
		and	dword ptr [ebx+54h], 0
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_79EF58

loc_79EED3:				; CODE XREF: ExpWnfDeleteNameInstance+205j
		mov	ecx, esi
		call	KeAbPostRelease

loc_79EEDA:				; CODE XREF: ExpWnfDeleteNameInstance+115j
		lea	ecx, [ebx+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		lea	ecx, [ebx+4]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, ebx
		call	_ExpWnfDeleteStateData@4 ; ExpWnfDeleteStateData(x)
		push	1
		push	dword ptr [ebx+2Ch]
		call	ObDereferenceSecurityDescriptor
		push	20666E57h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		inc	eax

loc_79EF09:				; CODE XREF: ExpWnfDeleteNameInstance+14A5B0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_79EF10:				; CODE XREF: ExpWnfDeleteNameInstance+38j
		or	byte ptr [edi+0Eh], 1
		jmp	loc_79ED98
; 

loc_79EF19:				; CODE XREF: ExpWnfDeleteNameInstance+6Fj
		or	byte ptr [eax+0Eh], 1
		jmp	loc_79EDCF
; 

loc_79EF22:				; CODE XREF: ExpWnfDeleteNameInstance+E0j
		or	byte ptr [ebx+0Eh], 1
		jmp	loc_79EE40
; 

loc_79EF2B:				; CODE XREF: ExpWnfDeleteNameInstance+140j
		or	byte ptr [edi+0Eh], 1
		jmp	loc_79EEA0
; 

loc_79EF34:				; CODE XREF: ExpWnfDeleteNameInstance+9Cj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_79EDFC
; 

loc_79EF40:				; CODE XREF: ExpWnfDeleteNameInstance+B3j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_79EE13
; 

loc_79EF4C:				; CODE XREF: ExpWnfDeleteNameInstance+103j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_79EE63
; 

loc_79EF58:				; CODE XREF: ExpWnfDeleteNameInstance+173j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_79EED3
; 

loc_79EF64:				; CODE XREF: ExpWnfDeleteNameInstance+F3j
		add	eax, 0FFFFFFDCh
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	eax, [ebp+var_4]
		mov	eax, [eax-10h]
		mov	dword ptr [ebp+arg_0], eax
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_79F03C

loc_79EF8A:				; CODE XREF: ExpWnfDeleteNameInstance+2E9j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, dword ptr [ebp+arg_0]
		xor	edx, edx
		push	0
		mov	eax, [ecx+39Ch]
		add	eax, 28h
		mov	ecx, eax
		mov	dword ptr [ebp+arg_0], eax
		call	KeAbPreAcquire
		mov	ecx, eax
		mov	eax, dword ptr [ebp+arg_0]
		mov	[ebp+var_C], ecx
		lock bts dword ptr [eax], 0
		jnb	short loc_79EFC7
		mov	edx, ecx
		mov	ecx, eax
		push	eax
		call	ExfAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_C]

loc_79EFC7:				; CODE XREF: ExpWnfDeleteNameInstance+25Ej
		test	ecx, ecx
		jz	short loc_79EFCF
		or	byte ptr [ecx+0Eh], 1

loc_79EFCF:				; CODE XREF: ExpWnfDeleteNameInstance+26Fj
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	[ebp+var_C], eax
		lock bts dword ptr [edi], 0
		jnb	short loc_79EFF1
		push	edi
		mov	edx, eax
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_C]

loc_79EFF1:				; CODE XREF: ExpWnfDeleteNameInstance+288j
		test	eax, eax
		jnz	short loc_79F036

loc_79EFF5:				; CODE XREF: ExpWnfDeleteNameInstance+2E0j
		mov	eax, [ebp+var_4]
		cmp	dword ptr [eax-0Ch], 0
		jz	short loc_79F015
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_79F052
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_79F052
		mov	[edx], ecx
		mov	[ecx+4], edx
		and	dword ptr [eax-0Ch], 0

loc_79F015:				; CODE XREF: ExpWnfDeleteNameInstance+2A2j
		mov	ecx, dword ptr [ebp+arg_0]
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_79F048

loc_79F024:				; CODE XREF: ExpWnfDeleteNameInstance+2F6j
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_79EE43
; 

loc_79F036:				; CODE XREF: ExpWnfDeleteNameInstance+299j
		or	byte ptr [eax+0Eh], 1
		jmp	short loc_79EFF5
; 

loc_79F03C:				; CODE XREF: ExpWnfDeleteNameInstance+22Aj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_79EF8A
; 

loc_79F048:				; CODE XREF: ExpWnfDeleteNameInstance+2C8j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, dword ptr [ebp+arg_0]
		jmp	short loc_79F024
; 

loc_79F052:				; CODE XREF: ExpWnfDeleteNameInstance+14Ej
					; ExpWnfDeleteNameInstance+159j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
ExpWnfDeleteNameInstance endp


;  S U B	R O U T	I N E 


; __stdcall ExpWnfDeleteStateData(x)
_ExpWnfDeleteStateData@4 proc near	; CODE XREF: ExpWnfDeleteNameInstance+192p
					; ExpNtDeleteWnfStateData+170p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		xor	edx, edx
		push	esi
		push	edi
		push	0
		lea	esi, [ebx+30h]
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edi, eax
		lock bts dword ptr [esi], 0
		jnb	short loc_79F080
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx

loc_79F080:				; CODE XREF: ExpWnfDeleteStateData(x)+1Cj
		test	edi, edi
		jnz	short loc_79F0A7

loc_79F084:				; CODE XREF: ExpWnfDeleteStateData(x)+53j
		mov	edi, [ebx+34h]
		or	eax, 0FFFFFFFFh
		and	dword ptr [ebx+34h], 0
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_79F0BF

loc_79F098:				; CODE XREF: ExpWnfDeleteStateData(x)+6Ej
		mov	ecx, esi
		call	KeAbPostRelease
		test	edi, edi
		jnz	short loc_79F0AD

loc_79F0A3:				; CODE XREF: ExpWnfDeleteStateData(x)+58j
					; ExpWnfDeleteStateData(x)+65j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_79F0A7:				; CODE XREF: ExpWnfDeleteStateData(x)+2Aj
		or	byte ptr [edi+0Eh], 1
		jmp	short loc_79F084
; 

loc_79F0AD:				; CODE XREF: ExpWnfDeleteStateData(x)+49j
		cmp	edi, 1
		jz	short loc_79F0A3
		push	20666E57h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_79F0A3
; 

loc_79F0BF:				; CODE XREF: ExpWnfDeleteStateData(x)+3Ej
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_79F098
_ExpWnfDeleteStateData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtDeleteWnfStateName proc near		; DATA XREF: .text:0058109Co

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E930F SIZE 0000003F BYTES

		push	34h
		push	offset dword_6A2240
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ecx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_38], al
		mov	edi, ecx
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], ecx
		mov	ebx, ecx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+ms_exc.disabled], ecx
		push	[ebp+var_38]
		lea	edx, [ebp+var_44]
		mov	ecx, [ebp+arg_0]
		call	ExpCaptureWnfStateName
		mov	esi, eax
		mov	[ebp+var_34], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		js	loc_79F22C
		mov	ecx, [ebp+var_44]
		mov	esi, ecx
		mov	edx, [ebp+var_40]
		mov	eax, edx
		shrd	esi, eax, 4
		and	esi, 3
		mov	[ebp+var_30], esi
		mov	[ebp+arg_0], ecx
		shrd	[ebp+arg_0], eax, 6
		and	[ebp+arg_0], 0Fh
		test	esi, esi
		jz	loc_8E930F
		xor	eax, eax
		cmp	[ebp+var_19], al
		setz	al
		mov	[ebp+var_24], eax
		cmp	esi, 3
		jnz	loc_79F2B1

loc_79F16D:				; CODE XREF: NtDeleteWnfStateName+243j
		cmp	[ebp+var_19], 0
		jnz	loc_79F275
		mov	eax, ds:_PsInitialSystemProcess

loc_79F17C:				; CODE XREF: NtDeleteWnfStateName+1B9j
		mov	[ebp+var_38], eax
		cmp	esi, 3
		jnz	loc_79F322
		push	0		; void *
		push	[ebp+arg_0]	; int
		push	0		; int
		mov	edx, eax
		lea	ecx, [ebp+var_28]
		call	ExpWnfResolveScopeInstance
		mov	esi, eax
		mov	ebx, [ebp+var_28]
		test	esi, esi
		js	loc_79F22C

loc_79F1A6:				; CODE XREF: NtDeleteWnfStateName+268j
		test	ebx, ebx
		jz	short loc_79F217
		push	[ebp+var_40]
		push	[ebp+var_44]
		lea	edx, [ebp+var_20]
		mov	ecx, ebx
		call	_ExpWnfLookupNameInstance@16 ; ExpWnfLookupNameInstance(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_79F20D
		cmp	[ebp+var_24], 0
		jz	loc_79F286

loc_79F1CA:				; CODE XREF: NtDeleteWnfStateName+1DAj
		cmp	[ebp+var_30], 3
		jnz	short loc_79F1DF
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_38]
		cmp	[eax+54h], ecx
		jnz	loc_8E9334

loc_79F1DF:				; CODE XREF: NtDeleteWnfStateName+106j
		xor	eax, eax
		cmp	[ebp+var_19], al
		setnz	al
		push	eax
		push	1
		push	10h
		pop	edx
		mov	ecx, [ebp+var_20]
		call	_ExpWnfNotifyNameSubscribers@16	; ExpWnfNotifyNameSubscribers(x,x,x,x)
		push	1
		mov	edx, [ebp+var_20]
		mov	ecx, ebx
		call	ExpWnfDeleteNameInstance
		test	eax, eax
		jz	loc_8E9319
		and	[ebp+var_20], 0

loc_79F20D:				; CODE XREF: NtDeleteWnfStateName+F6j
					; NtDeleteWnfStateName+14A256j
		cmp	[ebp+var_30], 3
		jnz	loc_79F335

loc_79F217:				; CODE XREF: NtDeleteWnfStateName+E0j
		mov	edx, [ebp+var_44]
		mov	ecx, edx
		mov	eax, [ebp+var_40]
		shrd	ecx, eax, 0Ah
		test	cl, 1
		jnz	loc_8E933E

loc_79F22C:				; CODE XREF: NtDeleteWnfStateName+63j
					; NtDeleteWnfStateName+D8j ...
		neg	edi
		sbb	edi, edi
		not	edi
		and	edi, esi
		mov	[ebp+var_34], edi
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_79F2A7

loc_79F23E:				; CODE XREF: NtDeleteWnfStateName+1E7j
		test	ebx, ebx
		jz	short loc_79F24A
		lea	ecx, [ebx+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_79F24A:				; CODE XREF: NtDeleteWnfStateName+178j
		cmp	[ebp+var_2C], 0
		jnz	loc_79F310

loc_79F254:				; CODE XREF: NtDeleteWnfStateName+255j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_34]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_79F275:				; CODE XREF: NtDeleteWnfStateName+A9j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		jmp	loc_79F17C
; 

loc_79F286:				; CODE XREF: NtDeleteWnfStateName+FCj
		mov	edx, 10000h
		mov	ecx, [ebp+var_20]
		mov	ecx, [ecx+2Ch]
		call	_ExpWnfCheckCallerAccess@8 ; ExpWnfCheckCallerAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_79F22C
		xor	eax, eax
		inc	eax
		mov	[ebp+var_24], eax
		jmp	loc_79F1CA
; 

loc_79F2A7:				; CODE XREF: NtDeleteWnfStateName+174j
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_79F23E
; 

loc_79F2B1:				; CODE XREF: NtDeleteWnfStateName+9Fj
		mov	[ebp+var_24], eax
		cmp	[ebp+var_19], 0
		jz	short loc_79F2F4
		push	edx
		push	ecx
		lea	ecx, [ebp+var_2C]
		call	ExpWnfLookupPermanentName
		mov	esi, eax
		test	esi, esi
		js	loc_79F22C
		mov	edx, 10000h
		mov	ecx, [ebp+var_2C]
		mov	ecx, [ecx+8]
		call	_ExpWnfCheckCallerAccess@8 ; ExpWnfCheckCallerAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_79F22C
		xor	eax, eax
		inc	eax
		mov	[ebp+var_24], eax
		mov	ecx, [ebp+var_44]
		mov	edx, [ebp+var_40]

loc_79F2F4:				; CODE XREF: NtDeleteWnfStateName+1F0j
		push	edx
		push	ecx
		call	_ExpWnfDeletePermanentName@8 ; ExpWnfDeletePermanentName(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_79F22C
		xor	edi, edi
		inc	edi
		mov	esi, [ebp+var_30]
		jmp	loc_79F16D
; 

loc_79F310:				; CODE XREF: NtDeleteWnfStateName+186j
		push	20666E57h
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_79F254
; 

loc_79F322:				; CODE XREF: NtDeleteWnfStateName+BAj
		xor	esi, esi
		xor	edx, edx

loc_79F326:				; CODE XREF: NtDeleteWnfStateName+27Aj
		mov	ecx, [ebp+arg_0]
		call	ExpWnfEnumerateScopeInstances
		mov	ebx, eax
		jmp	loc_79F1A6
; 

loc_79F335:				; CODE XREF: NtDeleteWnfStateName+149j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	loc_8E9323

loc_79F340:				; CODE XREF: NtDeleteWnfStateName+14A267j
		mov	edx, ebx
		jmp	short loc_79F326
NtDeleteWnfStateName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepIsNgenImage	proc near		; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+E8p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E9379 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	edx, [eax+1B8h]
		test	edx, edx
		jz	short loc_79F375
		mov	esi, [edx]
		test	esi, esi
		jz	short loc_79F375
		movzx	ecx, word ptr [edi]
		cmp	cx, [edx+4]
		jnb	short loc_79F37C

loc_79F375:				; CODE XREF: SepIsNgenImage+20j
					; SepIsNgenImage+26j ...
		xor	al, al

loc_79F377:				; CODE XREF: SepIsNgenImage+14A07Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_79F37C:				; CODE XREF: SepIsNgenImage+2Fj
		cmp	cx, [edx+6]
		ja	short loc_79F375
		jmp	loc_8E9379
SepIsNgenImage	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeQuerySigningPolicyWorker(x, x, x,	x, x, x, x, x)
_SeQuerySigningPolicyWorker@32 proc near ; CODE	XREF: SeQuerySigningPolicy+5Cp

var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ecx
		xor	ecx, ecx
		push	ebx
		push	esi
		mov	[esp+3Ch+var_2D], cl
		mov	[esp+3Ch+var_20], ecx
		mov	[esp+3Ch+var_1C], ecx
		mov	[esp+3Ch+var_2C], ecx
		mov	[esp+3Ch+var_18], ecx
		mov	[esp+3Ch+var_14], ecx
		mov	[esp+3Ch+var_10], ecx
		mov	[esp+3Ch+var_C], ecx
		lea	ecx, [esp+3Ch+var_18]
		push	edi
		push	ecx
		lea	ecx, [esp+44h+var_20]
		mov	[esp+44h+var_24], eax
		push	ecx
		lea	ecx, [esp+48h+var_2C]
		mov	edi, edx
		push	ecx
		mov	ecx, eax
		call	_AppModelPolicy_GetPolicy_Internal@20 ;	AppModelPolicy_GetPolicy_Internal(x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_79F5E6
		mov	esi, [esp+40h+var_2C]
		mov	bl, [ebp+arg_4]
		cmp	esi, 2E0001h
		jz	short loc_79F3F7
		cmp	esi, 2E0002h
		jnz	short loc_79F463

loc_79F3F7:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+65j
		call	_CmIsStateSeparationEnabled@0 ;	CmIsStateSeparationEnabled()
		test	al, al
		jz	short loc_79F41E
		mov	eax, _Feature_WCOSDeveloperMode__private_featureState
		xor	edx, edx
		test	al, 10h
		jnz	short loc_79F418
		push	edx
		push	eax
		call	_Feature_WCOSDeveloperMode__private_ReportUsageFallback@12 ; Feature_WCOSDeveloperMode__private_ReportUsageFallback(x,x,x)
		mov	esi, [esp+40h+var_2C]
		jmp	short loc_79F423
; 

loc_79F418:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+81j
		mov	esi, [esp+40h+var_2C]
		jmp	short loc_79F425
; 

loc_79F41E:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+76j
		call	_Feature_WldpDeveloperMode__private_ReportDeviceUsage@0	; Feature_WldpDeveloperMode__private_ReportDeviceUsage()

loc_79F423:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+8Ej
		xor	edx, edx

loc_79F425:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+94j
		mov	eax, [esp+40h+var_1C]
		cmp	esi, 2E0002h
		jnz	short loc_79F43E
		movzx	ecx, al
		cmp	ecx, 5
		jz	short loc_79F43E
		cmp	ecx, 4
		jnz	short loc_79F463

loc_79F43E:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+A7j
					; SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+AFj
		test	[ebp+arg_0], 1
		jz	loc_79F57A
		test	bl, bl
		jnz	short loc_79F463
		mov	eax, [ebp+arg_C]
		mov	byte ptr [eax],	4
		mov	eax, [ebp+arg_10]
		mov	byte ptr [eax],	4
		mov	eax, [ebp+arg_14]
		mov	byte ptr [eax],	12h
		jmp	loc_79F5E4
; 

loc_79F463:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+6Dj
					; SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+B4j ...
		mov	esi, [ebp+arg_C]
		test	edi, edi
		jz	loc_79F526
		mov	ecx, edi
		call	SepIsNgenImage
		test	al, al
		jz	loc_79F526
		and	[esp+40h+var_28], 0
		lea	eax, [esp+40h+var_28]
		push	eax
		push	1Dh
		push	[esp+48h+var_24]
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_79F5E6
		test	[ebp+arg_0], 1
		mov	byte ptr [esi],	0Bh
		jz	short loc_79F4CA
		test	bl, bl
		jnz	short loc_79F526
		cmp	[esp+40h+var_28], 0
		mov	eax, [ebp+arg_10]
		setz	cl
		lea	ecx, ds:6[ecx*2]
		mov	[eax], cl
		mov	eax, [ebp+arg_14]
		mov	byte ptr [eax],	21h

loc_79F4C3:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+182j
					; SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+19Cj ...
		xor	ecx, ecx
		jmp	loc_79F5E6
; 

loc_79F4CA:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+11Bj
		cmp	[esp+40h+var_28], 0
		jz	short loc_79F50C
		mov	bl, [ebp+arg_8]
		lea	edx, [esp+13h]
		mov	cl, bl
		call	_SepIsLockedDown@8 ; SepIsLockedDown(x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_79F5E6
		cmp	[esp+40h+var_2D], 0
		jz	short loc_79F4F4
		mov	cl, 6
		jmp	short loc_79F4FF
; 

loc_79F4F4:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+166j
		cmp	bl, 2
		setnz	cl
		dec	cl
		and	cl, 2

loc_79F4FF:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+16Aj
					; SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+1F0j
		mov	eax, [ebp+arg_10]
		mov	[eax], cl
		mov	eax, [ebp+arg_14]
		mov	byte ptr [eax],	0
		jmp	short loc_79F4C3
; 

loc_79F50C:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+147j
		mov	cl, [ebp+arg_8]
		mov	eax, [ebp+arg_10]
		cmp	cl, 2
		mov	[eax], cl
		setb	cl
		mov	eax, [ebp+arg_14]
		dec	cl
		and	cl, 21h
		mov	[eax], cl
		jmp	short loc_79F4C3
; 

loc_79F526:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+E0j
					; SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+EFj ...
		test	[ebp+arg_0], 1
		jz	short loc_79F573
		test	bl, bl
		jnz	short loc_79F533
		add	bl, 12h

loc_79F533:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+1A6j
		mov	ecx, [ebp+arg_14]
		movzx	eax, bl
		shr	eax, 4
		mov	[ecx], bl
		mov	al, ds:_SeProtectedMapping[eax*2]
		mov	[esi], al
		movzx	eax, byte ptr [ecx]
		mov	ecx, [ebp+arg_10]
		shr	eax, 4
		mov	dl, ds:byte_A40CE1[eax*2]
		mov	al, [ebp+arg_8]
		mov	[ecx], dl
		cmp	al, [esi]
		jbe	short loc_79F564
		mov	[esi], al
		mov	dl, [ecx]

loc_79F564:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+1D6j
		cmp	al, dl
		jbe	loc_79F4C3
		mov	[ecx], al
		jmp	loc_79F4C3
; 

loc_79F573:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+1A2j
		mov	cl, [ebp+arg_8]
		mov	[esi], cl
		jmp	short loc_79F4FF
; 

loc_79F57A:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+BAj
		movzx	eax, al
		cmp	eax, 1
		jbe	short loc_79F5D2
		cmp	eax, 2
		jz	short loc_79F5C2
		cmp	eax, 3
		jz	short loc_79F5B4
		jbe	short loc_79F5E4
		cmp	eax, 5
		jbe	short loc_79F5A6
		cmp	eax, 6
		jnz	short loc_79F5E4
		cmp	[ebp+arg_8], 2
		setnz	cl
		dec	cl
		and	cl, 2
		jmp	short loc_79F5D5
; 

loc_79F5A6:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+209j
		cmp	[ebp+arg_8], 0
		setz	cl
		dec	cl
		and	cl, 3
		jmp	short loc_79F5D5
; 

loc_79F5B4:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+202j
		mov	eax, [ebp+arg_C]
		mov	byte ptr [eax],	6
		mov	eax, [ebp+arg_10]
		mov	byte ptr [eax],	6
		jmp	short loc_79F5DF
; 

loc_79F5C2:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+1FDj
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_10]
		mov	byte ptr [eax],	8
		mov	al, [ebp+arg_8]
		mov	[ecx], al
		jmp	short loc_79F5DF
; 

loc_79F5D2:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+1F8j
		mov	cl, [ebp+arg_8]

loc_79F5D5:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+21Cj
					; SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+22Aj
		mov	eax, [ebp+arg_C]
		mov	[eax], cl
		mov	eax, [ebp+arg_10]
		mov	[eax], cl

loc_79F5DF:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+238j
					; SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+248j
		mov	eax, [ebp+arg_14]
		mov	[eax], dl

loc_79F5E4:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+D6j
					; SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+204j ...
		mov	ecx, edx

loc_79F5E6:				; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+52j
					; SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+10Ej ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_SeQuerySigningPolicyWorker@32 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2490. SeQuerySecurityAttributesToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SeQuerySecurityAttributesToken(int,int,int,int,size_t,int)
		public _SeQuerySecurityAttributesToken@24
_SeQuerySecurityAttributesToken@24 proc	near
					; CODE XREF: SepVerifyDesktopAppxPackageName+A2p
					; RtlpQueryPackageIdentityAttributes+42p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_10], 0
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		jz	short loc_79F652
		test	esi, esi
		jz	short loc_79F656

loc_79F60A:				; CODE XREF: SeQuerySecurityAttributesToken(x,x,x,x,x,x)+5Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+arg_0]
		push	1
		push	dword ptr [edi+30h]
		call	ExAcquireResourceSharedLite
		push	[ebp+arg_14]	; int
		mov	ecx, edi
		push	[ebp+arg_10]	; size_t
		push	esi		; size_t
		push	0		; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		call	SepInternalQuerySecurityAttributesTokenEx
		mov	ecx, [edi+30h]
		mov	esi, eax
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, esi

loc_79F64C:				; CODE XREF: SeQuerySecurityAttributesToken(x,x,x,x,x,x)+65j
		pop	edi
		pop	esi
		pop	ebp
		retn	18h
; 

loc_79F652:				; CODE XREF: SeQuerySecurityAttributesToken(x,x,x,x,x,x)+Ej
		test	esi, esi
		jz	short loc_79F60A

loc_79F656:				; CODE XREF: SeQuerySecurityAttributesToken(x,x,x,x,x,x)+12j
		mov	eax, 0C000000Dh
		jmp	short loc_79F64C
_SeQuerySecurityAttributesToken@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspCaptureCreateInfo proc near		; CODE XREF: PAGE:007A2BC4p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E93C7 SIZE 00000007 BYTES

		push	10h
		push	offset dword_6A2260
		call	__SEH_prolog4
		mov	ebx, edx
		xor	edx, edx
		mov	[ebp+ms_exc.disabled], edx
		test	cl, cl
		jz	short loc_79F695
		test	bl, 3
		jnz	loc_79F714
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8E93C7

loc_79F68B:				; CODE XREF: PspCaptureCreateInfo+149D6Bj
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+44h]
		mov	[ebx+44h], al

loc_79F695:				; CODE XREF: PspCaptureCreateInfo+15j
		cmp	[ebx+4], edx
		jnz	short loc_79F719
		cmp	dword ptr [ebx], 48h
		jnz	short loc_79F719
		mov	esi, [ebp+arg_0]
		mov	dl, [ebx+8]
		shl	dl, 5
		xor	dl, [esi+8]
		and	dl, 7Fh
		mov	al, [ebx+8]
		shl	al, 5
		xor	dl, al
		mov	[esi+8], dl
		mov	al, [ebx+8]
		shr	al, 3
		xor	al, [esi+9]
		and	al, 1
		xor	[esi+9], al
		mov	eax, [ebx+0Ch]
		mov	[esi+64h], eax
		mov	cl, [ebx+8]
		add	cl, cl
		xor	cl, dl
		and	cl, 2
		xor	cl, dl
		mov	[esi+8], cl
		mov	al, [ebx+8]
		shl	al, 3
		xor	al, cl
		and	al, 10h
		xor	al, cl
		mov	[esi+8], al
		mov	ax, [ebx+0Ah]
		mov	[esi+0Ah], ax
		mov	[esi+18h], ebx
		xor	eax, eax

loc_79F6F8:				; CODE XREF: PspCaptureCreateInfo+C0j
					; sub_8E93DC+6j
		mov	[ebp+var_1C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_79F714:				; CODE XREF: PspCaptureCreateInfo+1Aj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_79F719:				; CODE XREF: PspCaptureCreateInfo+3Aj
					; PspCaptureCreateInfo+3Fj
		mov	eax, 0C000000Dh
		jmp	short loc_79F6F8
PspCaptureCreateInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspEstimateNewProcessServerSilo	proc near ; CODE XREF: PAGE:007A2C31p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E93E7 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, edx
		push	esi
		test	ecx, ecx
		jz	short loc_79F73F
		push	ecx
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		mov	esi, eax
		push	esi
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	short loc_79F757

loc_79F73F:				; CODE XREF: PspEstimateNewProcessServerSilo+Bj
		xor	esi, esi
		push	edi		; struct _exception *
		cmp	[ebp+arg_0], esi
		ja	loc_8E93E7

loc_79F74B:				; CODE XREF: PspEstimateNewProcessServerSilo+149CE1j
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)

loc_79F750:				; CODE XREF: PspEstimateNewProcessServerSilo+149CE8j
		pop	edi

loc_79F751:				; CODE XREF: PspEstimateNewProcessServerSilo+39j
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_79F757:				; CODE XREF: PspEstimateNewProcessServerSilo+1Dj
		mov	eax, esi
		jmp	short loc_79F751
PspEstimateNewProcessServerSilo	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateWnfStateName proc near		; DATA XREF: .text:005810D8o

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= byte ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008E940D SIZE 00000038 BYTES
; FUNCTION CHUNK AT 008E9472 SIZE 00000034 BYTES

		push	5Ch
		push	offset dword_6A2280
		call	__SEH_prolog4_GS
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_5C], ecx
		mov	esi, [ebp+arg_10]
		mov	ebx, [ebp+arg_18]
		mov	[ebp+var_54], ebx
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		xor	edx, edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_50], edx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_31], al
		mov	[ebp+var_48], al
		mov	[ebp+var_44], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_4C], esi
		test	al, al
		jnz	loc_79F91F
		lea	eax, [ebp+var_38]
		push	eax		; int
		push	1		; int
		push	1		; int
		push	edx		; char
		push	ebx		; size_t
		call	SeCaptureSecurityDescriptor
		mov	[ebp+var_30], eax
		test	eax, eax
		js	loc_79F8D9

loc_79F7D6:				; CODE XREF: NtCreateWnfStateName+210j
		mov	ecx, [ebp+var_38]
		call	_ExpWnfSpecializeSecurityDescriptor@4 ;	ExpWnfSpecializeSecurityDescriptor(x)
		mov	esi, [ebp+arg_4]
		push	3
		pop	eax
		cmp	esi, eax
		ja	loc_8E948E
		test	esi, esi
		jz	loc_8E948E
		mov	edi, [ebp+arg_8]
		cmp	edi, 5
		ja	loc_8E948E
		cmp	byte ptr [ebp+arg_C], 0
		jnz	loc_8E9472

loc_79F80A:				; CODE XREF: NtCreateWnfStateName+149D23j
					; NtCreateWnfStateName+149D2Cj
		cmp	[ebp+arg_14], 1000h
		ja	loc_8E948E
		cmp	edi, eax
		jz	loc_79F982

loc_79F81F:				; CODE XREF: NtCreateWnfStateName+228j
		cmp	edi, 5
		jz	loc_8E948E
		cmp	esi, eax
		jnz	loc_79F98F

loc_79F830:				; CODE XREF: NtCreateWnfStateName+249j
		push	[ebp+arg_C]
		push	edi
		mov	edx, esi
		lea	ecx, [ebp+var_40]
		call	ExpWnfGenerateStateName
		mov	[ebp+var_30], eax
		test	eax, eax
		js	loc_79F8D9
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_40]
		xor	ecx, 0A3BC0074h
		mov	eax, [ebp+var_3C]
		xor	eax, 41C64E6Dh
		mov	edx, [ebp+var_5C]
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+var_38]
		mov	[ebp+var_64], eax
		cmp	esi, 3
		jnz	loc_79F9B0
		cmp	[ebp+var_31], 0
		jnz	loc_79F971
		mov	esi, ds:_PsInitialSystemProcess

loc_79F89B:				; CODE XREF: NtCreateWnfStateName+221j
		push	0		; void *
		push	edi		; int
		push	0		; int
		mov	edx, esi
		lea	ecx, [ebp+var_44]
		call	ExpWnfResolveScopeInstance
		mov	[ebp+var_30], eax
		test	eax, eax
		js	short loc_79F8D9
		push	[ebp+var_3C]
		push	[ebp+var_40]
		lea	eax, [ebp+var_50]
		push	eax
		push	esi
		lea	edx, [ebp+var_6C]
		mov	ecx, [ebp+var_44]
		call	ExpWnfCreateNameInstance
		mov	[ebp+var_30], eax
		test	eax, eax
		js	short loc_79F8D9
		mov	ecx, [ebp+var_50]
		lea	ecx, [ecx+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_79F8D9:				; CODE XREF: NtCreateWnfStateName+74j
					; NtCreateWnfStateName+E7j ...
		mov	ecx, [ebp+var_44]
		test	ecx, ecx
		jz	short loc_79F8E8
		add	ecx, 4
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_79F8E8:				; CODE XREF: NtCreateWnfStateName+182j
		mov	eax, [ebp+var_38]
		test	eax, eax
		jz	short loc_79F8FE
		cmp	eax, ebx
		jz	short loc_79F8FE
		push	1
		push	dword ptr [ebp+var_48]
		push	eax
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)

loc_79F8FE:				; CODE XREF: NtCreateWnfStateName+191j
					; NtCreateWnfStateName+195j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_30]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_79F91F:				; CODE XREF: NtCreateWnfStateName+5Aj
		mov	[ebp+ms_exc.disabled], edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8E940D

loc_79F92F:				; CODE XREF: NtCreateWnfStateName+149CB3j
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+7]
		mov	[ecx+7], al
		test	esi, esi
		jnz	loc_8E9414

loc_79F941:				; CODE XREF: NtCreateWnfStateName+149CD1j
		test	ebx, ebx
		jz	loc_8E9432
		lea	eax, [ebp+var_38]
		push	eax		; int
		push	1		; int
		push	1		; int
		push	dword ptr [ebp+var_48] ; char
		push	ebx		; size_t
		call	SeCaptureSecurityDescriptor
		mov	[ebp+var_30], eax
		test	eax, eax
		js	loc_8E9439
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_79F7D6
; 

loc_79F971:				; CODE XREF: NtCreateWnfStateName+133j
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		jmp	loc_79F89B
; 

loc_79F982:				; CODE XREF: NtCreateWnfStateName+BDj
		cmp	esi, eax
		jnz	loc_79F81F
		jmp	loc_8E948E
; 

loc_79F98F:				; CODE XREF: NtCreateWnfStateName+CEj
		push	dword ptr [ebp+var_48]
		push	ds:dword_A94A34
		push	ds:_SeCreatePermanentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	loc_79F830
		jmp	loc_8E949A
; 

loc_79F9B0:				; CODE XREF: NtCreateWnfStateName+129j
		push	[ebp+var_3C]
		push	[ebp+var_40]
		lea	ecx, [ebp+var_6C]
		call	ExpWnfRegisterPermanentName
		mov	[ebp+var_30], eax
		jmp	loc_79F8D9
NtCreateWnfStateName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfGenerateStateName	proc near	; CODE XREF: NtCreateWnfStateName+DDp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 008E94B6 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		mov	[ebp+var_14], ecx
		push	ebx
		mov	[ebp+var_C], eax
		mov	ebx, edx
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_10], ebx
		push	esi
		push	edi		; struct _exception *
		cmp	eax, 4
		jnz	loc_79FAB5

loc_79F9ED:				; CODE XREF: ExpWnfGenerateStateName+F2j
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	esi, eax
		mov	ecx, esi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)

loc_79F9FB:				; CODE XREF: ExpWnfGenerateStateName+104j
		add	eax, 208h
		cmp	ebx, 3
		jnz	loc_79FACF

loc_79FA09:				; CODE XREF: ExpWnfGenerateStateName+10Cj
		add	eax, 28h
		mov	[ebp+var_4], eax

loc_79FA0F:				; CODE XREF: ExpWnfGenerateStateName+6Fj
					; ExpWnfGenerateStateName+73j ...
		mov	edi, [eax]
		mov	ebx, edi
		mov	esi, [eax+4]
		add	ebx, 1
		mov	ecx, esi
		mov	[ebp+var_8], esi
		adc	ecx, 0
		mov	eax, edi
		mov	edx, esi
		nop
		mov	esi, [ebp+var_4]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, [ebp+var_8]
		cmp	eax, edi
		mov	eax, [ebp+var_4]
		jnz	short loc_79FA0F
		cmp	edx, esi
		jnz	short loc_79FA0F
		add	edi, 1
		push	0
		pop	ecx
		adc	esi, ecx
		cmp	edi, ecx
		jnz	short loc_79FA4B
		cmp	esi, ecx
		jz	short loc_79FA0F

loc_79FA4B:				; CODE XREF: ExpWnfGenerateStateName+7Fj
					; ExpWnfGenerateStateName+149B0Aj
		mov	eax, esi
		and	eax, 0FFE00000h
		cmp	eax, ecx
		jnz	loc_8E94D5
		xor	ebx, ebx
		cmp	[ebp+arg_4], bl
		setnz	bl
		xor	eax, eax
		shld	eax, ebx, 4
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		and	al, 0Fh
		shl	ebx, 4
		movzx	eax, al
		cdq
		or	ebx, eax
		mov	eax, [ebp+var_10]
		and	ebx, 1Fh
		and	al, 3
		shld	esi, edi, 5
		movzx	eax, al
		shl	edi, 5
		or	ecx, esi
		or	ebx, edi
		cdq
		shld	ecx, ebx, 2
		shl	ebx, 2
		or	ecx, edx
		or	ebx, eax
		mov	eax, [ebp+var_14]
		shld	ecx, ebx, 4
		shl	ebx, 4
		or	ebx, 1
		mov	[eax+4], ecx
		mov	[eax], ebx
		xor	eax, eax

loc_79FAAE:				; CODE XREF: ExpWnfGenerateStateName+149AFCj
					; ExpWnfGenerateStateName+149B14j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_79FAB5:				; CODE XREF: ExpWnfGenerateStateName+21j
		cmp	eax, 5
		jz	loc_79F9ED
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		mov	esi, eax
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		jmp	loc_79F9FB
; 

loc_79FACF:				; CODE XREF: ExpWnfGenerateStateName+3Dj
		cmp	ebx, 2
		jz	loc_79FA09
		jmp	loc_8E94B6
ExpWnfGenerateStateName	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtGetCompleteWnfStateSubscription proc near ; DATA XREF: .text:00581018o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008E94DF SIZE 0000001F BYTES

		push	20h
		push	offset dword_6A22A8
		call	__SEH_prolog4_GS
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	ebx, [ebp+arg_10]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, 0C000000Dh
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+39Ch]
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	loc_79FBC1
		test	ecx, ecx
		jz	short loc_79FB8E
		test	edx, edx
		jz	short loc_79FB8E
		cmp	[ebp+arg_8], 0
		jz	loc_79FBC1
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jnz	loc_8E94DF

loc_79FB40:				; CODE XREF: NtGetCompleteWnfStateSubscription+149A0Dj
		and	[ebp+ms_exc.disabled], 0
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8E94F0

loc_79FB51:				; CODE XREF: NtGetCompleteWnfStateSubscription+149A14j
		mov	eax, [ecx]
		mov	[ebp+var_24], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_20], eax
		nop
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_8E94F7

loc_79FB6A:				; CODE XREF: NtGetCompleteWnfStateSubscription+149A1Bj
		mov	eax, [edx]
		mov	ecx, [edx+4]
		nop
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	edi
		push	[ebp+arg_8]
		push	ecx
		push	eax
		lea	edx, [ebp+var_24]
		mov	ecx, [ebp+var_28]
		call	ExpWnfCompleteThreadSubscriptions
		mov	esi, eax
		test	esi, esi
		js	short loc_79FBC1

loc_79FB8E:				; CODE XREF: NtGetCompleteWnfStateSubscription+47j
					; NtGetCompleteWnfStateSubscription+4Bj
		mov	edi, [ebp+arg_14]
		test	edi, edi
		jz	short loc_79FBC1
		cmp	edi, 1030h
		jb	short loc_79FBE1
		mov	[ebp+ms_exc.disabled], 1
		push	8
		push	edi
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	edi
		mov	edx, ebx
		mov	ecx, [ebp+var_28]
		call	ExpWnfDeliverThreadNotifications
		mov	esi, eax

loc_79FBC1:				; CODE XREF: NtGetCompleteWnfStateSubscription+3Fj
					; NtGetCompleteWnfStateSubscription+51j ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_79FBE1:				; CODE XREF: NtGetCompleteWnfStateSubscription+BDj
		mov	esi, 0C0000023h
		jmp	short loc_79FBC1
NtGetCompleteWnfStateSubscription endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfDeliverThreadNotifications proc near
					; CODE XREF: NtGetCompleteWnfStateSubscription+DCp

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E9535 SIZE 00000029 BYTES
; FUNCTION CHUNK AT 008E9583 SIZE 000000CE BYTES

		push	50h
		push	offset dword_6A22D0
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		and	[ebp+var_34], 0
		mov	[ebp+var_30], 8000001Ah
		and	[ebp+var_38], 0
		and	[ebp+var_24], 0
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFD0h
		mov	[ebp+var_48], eax
		or	esi, 0FFFFFFFFh

loc_79FC19:				; CODE XREF: ExpWnfDeliverThreadNotifications+149A43j
		lea	ebx, [ecx+28h]
		mov	[ebp+var_5C], ebx
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	edi, eax
		push	11h
		pop	ecx
		xor	eax, eax
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jz	short loc_79FC43
		push	ebx
		mov	edx, edi
		mov	ecx, ebx
		call	ExfAcquirePushLockSharedEx

loc_79FC43:				; CODE XREF: ExpWnfDeliverThreadNotifications+4Fj
		test	edi, edi
		jz	short loc_79FC4B
		or	byte ptr [edi+0Eh], 1

loc_79FC4B:				; CODE XREF: ExpWnfDeliverThreadNotifications+5Dj
		mov	ebx, [ebp+var_1C]
		add	ebx, 34h
		mov	[ebp+var_58], ebx
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	edi, eax
		lock bts dword ptr [ebx], 0
		jnb	short loc_79FC72
		push	ebx
		mov	edx, edi
		mov	ecx, ebx
		call	ExfAcquirePushLockExclusiveEx

loc_79FC72:				; CODE XREF: ExpWnfDeliverThreadNotifications+7Ej
		test	edi, edi
		jnz	loc_79FE08

loc_79FC7A:				; CODE XREF: ExpWnfDeliverThreadNotifications+224j
		mov	eax, [ebp+var_1C]
		add	eax, 38h
		mov	[ebp+var_54], eax
		mov	edi, [eax]
		xor	ebx, ebx

loc_79FC87:				; CODE XREF: ExpWnfDeliverThreadNotifications+22Ej
		mov	[ebp+var_44], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_50], edi
		cmp	edi, eax
		jz	loc_79FE03
		lea	eax, [edi+8]
		mov	[ebp+var_40], eax
		cmp	dword ptr [eax], 1
		jnz	loc_79FE11
		mov	ebx, [edi-24h]
		mov	[ebp+var_3C], ebx
		test	ebx, ebx
		jz	short loc_79FCC5
		lea	ecx, [ebx+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	ebx, eax
		mov	[ebp+var_3C], ebx

loc_79FCC5:				; CODE XREF: ExpWnfDeliverThreadNotifications+C7j
		lea	edx, [edi+0Ch]
		mov	[ebp+var_2C], edx
		mov	eax, [edi-4]
		and	eax, [edx]
		mov	[ebp+arg_0], eax
		test	ebx, ebx
		jz	loc_79FE2C

loc_79FCDB:				; CODE XREF: ExpWnfDeliverThreadNotifications+24Aj
		test	eax, eax
		jz	loc_8E9583
		and	[ebp+ms_exc.disabled], 0
		push	30h		; size_t
		push	0		; int
		push	[ebp+var_20]	; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [edi-20h]
		xor	eax, 0A3BC0074h
		mov	ecx, [edi-1Ch]
		xor	ecx, 41C64E6Dh
		mov	edx, [ebp+var_20]
		mov	[edx+8], eax
		mov	[edx+0Ch], ecx
		mov	eax, [edi-38h]
		mov	[edx], eax
		mov	eax, [edi-34h]
		mov	[edx+4], eax
		mov	eax, [ebp+arg_0]
		test	al, 1
		jz	short loc_79FD5E
		mov	eax, [ebx+28h]
		test	eax, eax
		jnz	loc_8E9535

loc_79FD2D:				; CODE XREF: ExpWnfDeliverThreadNotifications+14995Cj
		lea	eax, [ebp+var_34]
		push	eax		; int
		push	[ebp+var_48]	; int
		lea	eax, [edx+30h]
		push	eax		; void *
		lea	edx, [ebp+var_24]
		mov	ecx, ebx
		call	ExpWnfReadStateData
		mov	[ebp+var_38], eax
		mov	[ebp+var_60], eax
		test	eax, eax
		js	short loc_79FD68
		mov	eax, [ebp+var_24]
		mov	edx, [ebp+var_20]
		mov	[edx+10h], eax
		mov	eax, [ebp+var_34]
		mov	[edx+14h], eax
		mov	eax, [ebp+arg_0]

loc_79FD5E:				; CODE XREF: ExpWnfDeliverThreadNotifications+138j
		mov	dword ptr [edx+2Ch], 30h
		mov	[edx+18h], eax

loc_79FD68:				; CODE XREF: ExpWnfDeliverThreadNotifications+162j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	ebx, ebx
		jz	short loc_79FD7D
		lea	ecx, [ebx+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		xor	ebx, ebx

loc_79FD7D:				; CODE XREF: ExpWnfDeliverThreadNotifications+189j
		mov	eax, [ebp+var_38]
		test	eax, eax
		js	loc_8E9549
		mov	eax, [ebp+arg_0]
		cmp	[ebp+var_24], 0
		jz	loc_79FE24

loc_79FD95:				; CODE XREF: ExpWnfDeliverThreadNotifications+23Fj
		test	eax, eax
		jz	loc_8E9583
		mov	[edi+10h], eax
		mov	eax, [ebp+var_2C]
		and	dword ptr [eax], 0
		mov	eax, [ebp+var_40]
		mov	dword ptr [eax], 2
		xor	edi, edi

loc_79FDB1:				; CODE XREF: ExpWnfDeliverThreadNotifications+21Ej
					; sub_8E956E+10j
		or	eax, 0FFFFFFFFh
		mov	esi, [ebp+var_58]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_79FE1B

loc_79FDC1:				; CODE XREF: ExpWnfDeliverThreadNotifications+23Aj
		mov	ecx, esi
		call	KeAbPostRelease
		xor	edx, edx
		push	11h
		pop	eax
		mov	esi, [ebp+var_5C]
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_79FDE0
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_79FDE0:				; CODE XREF: ExpWnfDeliverThreadNotifications+1EFj
		mov	ecx, esi
		call	KeAbPostRelease
		test	ebx, ebx
		jnz	loc_8E9644

loc_79FDEF:				; CODE XREF: ExpWnfDeliverThreadNotifications+149A64j
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_79FE03:				; CODE XREF: ExpWnfDeliverThreadNotifications+AAj
		mov	edi, [ebp+var_30]
		jmp	short loc_79FDB1
; 

loc_79FE08:				; CODE XREF: ExpWnfDeliverThreadNotifications+8Cj
		or	byte ptr [edi+0Eh], 1
		jmp	loc_79FC7A
; 

loc_79FE11:				; CODE XREF: ExpWnfDeliverThreadNotifications+B9j
					; ExpWnfDeliverThreadNotifications+149968j ...
		mov	edi, [edi]
		mov	eax, [ebp+var_54]
		jmp	loc_79FC87
; 

loc_79FE1B:				; CODE XREF: ExpWnfDeliverThreadNotifications+1D7j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_79FDC1
; 

loc_79FE24:				; CODE XREF: ExpWnfDeliverThreadNotifications+1A7j
		and	eax, 0FFFFFFFEh
		jmp	loc_79FD95
; 

loc_79FE2C:				; CODE XREF: ExpWnfDeliverThreadNotifications+EDj
		and	eax, 0FFFFFFFEh
		mov	[ebp+arg_0], eax
		jmp	loc_79FCDB
ExpWnfDeliverThreadNotifications endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfCompleteThreadSubscriptions proc near
					; CODE XREF: NtGetCompleteWnfStateSubscription+A5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008E9651 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	esi, esi
		mov	eax, edx
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_10], esi
		push	esi
		lea	edx, [ebp+var_10]
		mov	[ebp+var_4], ebx
		mov	ecx, eax
		mov	[ebp+var_C], esi
		mov	edi, esi
		mov	[ebp+var_8], esi
		call	ExpCaptureWnfStateName
		test	eax, eax
		js	loc_8E9651
		add	ebx, 28h
		xor	edx, edx
		push	esi
		mov	ecx, ebx
		call	KeAbPreAcquire
		push	11h
		mov	esi, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jz	short loc_79FE90
		push	ebx
		mov	edx, esi
		mov	ecx, ebx
		call	ExfAcquirePushLockSharedEx

loc_79FE90:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+4Cj
		test	esi, esi
		jz	short loc_79FE98
		or	byte ptr [esi+0Eh], 1

loc_79FE98:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+5Aj
		mov	ebx, [ebp+var_4]
		xor	edx, edx
		add	ebx, 34h
		push	0
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [ebx], 0
		jnb	short loc_79FEBC
		push	ebx
		mov	edx, esi
		mov	ecx, ebx
		call	ExfAcquirePushLockExclusiveEx

loc_79FEBC:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+78j
		test	esi, esi
		jnz	loc_79FFF6

loc_79FEC4:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+1C2j
		mov	ecx, [ebp+var_4]
		add	ecx, 38h
		or	edx, 0FFFFFFFFh
		mov	esi, [ecx]

loc_79FECF:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+1C9j
		cmp	esi, ecx
		jz	loc_79FF94
		mov	eax, [esi-38h]
		cmp	eax, [ebp+arg_0]
		jnz	loc_79FFFF
		mov	eax, [esi-34h]
		cmp	eax, [ebp+arg_4]
		jnz	loc_79FFFF
		mov	eax, [ebp+var_10]
		cmp	eax, [esi-20h]
		jnz	loc_79FFFF
		mov	eax, [ebp+var_C]
		cmp	eax, [esi-1Ch]
		jnz	loc_79FFFF
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_8], ecx
		cmp	eax, [esi+10h]
		jnz	short loc_79FF94
		cmp	[esi+8], ecx
		jle	short loc_79FF94
		mov	eax, [esi+0Ch]
		test	eax, eax
		jnz	loc_7A0063
		push	3
		pop	eax
		cmp	[ebp+arg_C], edi
		jnz	loc_8E966D
		and	[esi+8], edi
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_7A008E
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_7A008E
		mov	[eax], ecx
		mov	[ecx+4], eax
		xor	ecx, ecx
		mov	eax, [esi+8]
		inc	ecx

loc_79FF55:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+149838j
		cmp	eax, 3
		jz	short loc_79FF94

loc_79FF5A:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+235j
					; ExpWnfCompleteThreadSubscriptions+149825j ...
		test	[esi+0Ch], cl
		setz	cl
		test	byte ptr [esi+10h], 1
		setnz	al
		test	cl, al
		jz	short loc_79FF90
		mov	ecx, [esi-24h]
		test	ecx, ecx
		jz	short loc_79FF90
		mov	eax, edx
		lock xadd [ecx+5Ch], eax
		jnz	short loc_79FF90
		mov	ecx, [esi-24h]
		lea	ecx, [ecx+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		or	edx, 0FFFFFFFFh
		test	al, al
		jz	short loc_79FF90
		mov	edi, [esi-24h]

loc_79FF90:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+131j
					; ExpWnfCompleteThreadSubscriptions+138j ...
		and	dword ptr [esi+10h], 0

loc_79FF94:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+99j
					; ExpWnfCompleteThreadSubscriptions+DBj ...
		mov	eax, edx
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7A0078

loc_79FFA4:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+247j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ebx, [ebp+var_4]
		xor	edx, edx
		push	11h
		pop	eax
		lea	esi, [ebx+28h]
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_79FFC6
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_79FFC6:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+185j
		mov	ecx, esi
		call	KeAbPostRelease
		cmp	[ebp+var_8], 0
		jz	short loc_7A0006

loc_79FFD3:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+1D2j
					; ExpWnfCompleteThreadSubscriptions+226j
		test	edi, edi
		jz	short loc_79FFED
		push	1
		push	1
		push	8
		pop	edx
		mov	ecx, edi
		call	_ExpWnfNotifyNameSubscribers@16	; ExpWnfNotifyNameSubscribers(x,x,x,x)
		lea	ecx, [edi+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_79FFED:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+19Dj
		xor	eax, eax

loc_79FFEF:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+14981Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_79FFF6:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+86j
		or	byte ptr [esi+0Eh], 1
		jmp	loc_79FEC4
; 

loc_79FFFF:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+A5j
					; ExpWnfCompleteThreadSubscriptions+B1j ...
		mov	esi, [esi]
		jmp	loc_79FECF
; 

loc_7A0006:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+199j
		test	byte ptr [ebp+arg_8], 1
		jz	short loc_79FFD3
		mov	esi, [ebp+var_C]
		xor	edx, edx
		mov	ecx, [ebp+var_10]
		mov	eax, esi
		shrd	ecx, eax, 6
		push	edx		; void *
		and	ecx, 0Fh
		mov	[ebp+arg_8], edx
		push	ecx		; int
		mov	[ebp+arg_C], edx
		lea	ecx, [ebp+arg_C]
		push	edx		; int
		mov	edx, [ebx+4]
		call	ExpWnfResolveScopeInstance
		push	esi
		push	[ebp+var_10]
		mov	esi, [ebp+arg_C]
		lea	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_ExpWnfLookupNameInstance@16 ; ExpWnfLookupNameInstance(x,x,x,x)
		test	eax, eax
		js	short loc_7A0056
		mov	ecx, [ebp+arg_8]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+5Ch], eax
		dec	eax
		jnz	short loc_7A0084
		mov	edi, ecx

loc_7A0056:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+20Cj
					; ExpWnfCompleteThreadSubscriptions+254j
		lea	ecx, [esi+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_79FFD3
; 

loc_7A0063:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+E7j
		cmp	[ebp+arg_C], 0C000022Dh
		mov	[esi+8], ecx
		jnz	loc_79FF5A
		jmp	loc_8E965B
; 

loc_7A0078:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+166j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_79FFA4
; 

loc_7A0084:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+21Aj
		add	ecx, 4
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_7A0056
; 

loc_7A008E:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+101j
					; ExpWnfCompleteThreadSubscriptions+10Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall NtUpdateWnfStateData(x, x, x, x, x,	x, x)
_NtUpdateWnfStateData@28:		; CODE XREF: SepSecureBootCheckForUpdates()+93p
					; DATA XREF: .text:00580BD0o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		push	ecx
		push	[ebp+arg_18]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	ExpNtUpdateWnfStateData
		pop	ecx
		pop	ebp
		retn	1Ch
ExpWnfCompleteThreadSubscriptions endp ; sp = -20h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpNtUpdateWnfStateData	proc near	; CODE XREF: ExpWnfCompleteThreadSubscriptions+278p
					; PfSnPowerBoostUpdate(x)+53p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008E9675 SIZE 00000086 BYTES
; FUNCTION CHUNK AT 008E9722 SIZE 00000099 BYTES

		push	78h
		push	offset dword_6A22F0
		call	__SEH_prolog4_GS
		mov	[ebp+var_74], edx
		mov	[ebp+var_4C], ecx
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_60], esi
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_50], eax
		xor	ebx, ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ebx
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_6C], ebx
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_44], al
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_70], esi
		mov	[ebp+ms_exc.disabled], ebx
		push	[ebp+var_44]
		lea	edx, [ebp+var_58]
		mov	ecx, [ebp+var_4C]
		call	ExpCaptureWnfStateName
		mov	esi, eax
		mov	[ebp+var_64], esi
		test	esi, esi
		js	loc_7A03BD
		mov	edi, [ebp+var_58]
		mov	ecx, edi
		mov	edx, [ebp+var_54]
		mov	eax, edx
		shrd	ecx, eax, 4
		and	ecx, 3
		mov	[ebp+var_78], ecx
		shrd	edi, edx, 6
		and	edi, 0Fh
		mov	[ebp+var_48], edi
		mov	edi, [ebp+arg_0]
		cmp	byte ptr [ebp+var_44], bl
		jz	short loc_7A018A
		test	edi, edi
		jz	short loc_7A017F
		mov	edx, [ebp+var_74]
		lea	eax, [edx+edi]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_8E9675
		cmp	eax, edx
		jb	loc_8E9675

loc_7A017F:				; CODE XREF: ExpNtUpdateWnfStateData+A7j
					; ExpNtUpdateWnfStateData+1495BDj
		mov	eax, [ebp+var_60]
		test	eax, eax
		jnz	loc_8E967C

loc_7A018A:				; CODE XREF: ExpNtUpdateWnfStateData+A3j
					; ExpNtUpdateWnfStateData+1495E1j
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	[ebp+var_44]
		mov	edx, [ebp+var_50]
		mov	ecx, [ebp+var_48]
		call	_ExpWnfCaptureScopeInstanceId@20 ; ExpWnfCaptureScopeInstanceId(x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_64], esi
		test	esi, esi
		js	loc_7A03BD
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	byte ptr [ebp+var_44], 0
		jz	loc_7A0300
		mov	[ebp+var_60], ebx
		cmp	[ebp+var_50], 0
		jnz	loc_7A0393

loc_7A01CE:				; CODE XREF: ExpNtUpdateWnfStateData+24Dj
					; ExpNtUpdateWnfStateData+2E8j
		cmp	byte ptr [ebp+var_44], 0
		jz	loc_7A030C
		mov	eax, large fs:124h
		mov	[ebp+var_4C], eax
		mov	ecx, [eax+80h]
		mov	[ebp+var_50], ecx
		cmp	[ebp+var_48], 3
		jz	loc_8E96A0

loc_7A01F4:				; CODE XREF: ExpNtUpdateWnfStateData+25Ej
					; ExpNtUpdateWnfStateData+1495EFj
		cmp	[ebp+var_48], 5
		jz	loc_8E96B9

loc_7A01FE:				; CODE XREF: ExpNtUpdateWnfStateData+14963Cj
		push	[ebp+var_6C]	; void *
		push	[ebp+var_48]	; int
		push	[ebp+var_4C]	; int
		mov	edx, [ebp+var_50]
		lea	ecx, [ebp+var_68]
		call	ExpWnfResolveScopeInstance
		mov	esi, eax
		test	esi, esi
		js	loc_7A02AD
		mov	eax, [ebp+var_54]
		mov	[ebp+var_4C], eax
		push	eax
		mov	edi, [ebp+var_58]
		push	edi
		lea	edx, [ebp+var_40]
		mov	ecx, [ebp+var_68]
		call	_ExpWnfLookupNameInstance@16 ; ExpWnfLookupNameInstance(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_7A031D

loc_7A0240:				; CODE XREF: ExpNtUpdateWnfStateData+267j
		test	esi, esi
		js	short loc_7A02AD
		push	[ebp+var_60]	; int
		push	[ebp+var_70]	; void *
		mov	edi, [ebp+arg_0]
		push	edi		; int
		mov	edx, [ebp+var_40]
		lea	edx, [edx+24h]
		push	2
		pop	ecx
		call	_ExpWnfValidatePubSubPreconditions@20 ;	ExpWnfValidatePubSubPreconditions(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7A02AD

loc_7A0262:				; CODE XREF: ExpNtUpdateWnfStateData+2D4j
		mov	[ebp+ms_exc.disabled], 1
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	edi
		mov	edx, [ebp+var_74]
		mov	ecx, [ebp+var_40]
		call	ExpWnfWriteStateData
		mov	esi, eax
		mov	[ebp+var_64], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7A0287:				; CODE XREF: sub_8E970B+12j
		test	esi, esi
		js	short loc_7A02AD
		cmp	[ebp+var_48], 5
		jz	loc_8E9722

loc_7A0295:				; CODE XREF: ExpNtUpdateWnfStateData+1496FCj
		xor	eax, eax
		cmp	byte ptr [ebp+var_44], al
		setnz	al
		push	eax
		push	1
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+var_40]
		call	_ExpWnfNotifyNameSubscribers@16	; ExpWnfNotifyNameSubscribers(x,x,x,x)
		mov	esi, ebx

loc_7A02AD:				; CODE XREF: ExpNtUpdateWnfStateData+15Cj
					; ExpNtUpdateWnfStateData+188j	...
		mov	ecx, [ebp+var_40]
		test	ecx, ecx
		jz	short loc_7A02BC
		add	ecx, 4
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7A02BC:				; CODE XREF: ExpNtUpdateWnfStateData+1F8j
		mov	eax, [ebp+var_68]
		test	eax, eax
		jz	short loc_7A02CB
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7A02CB:				; CODE XREF: ExpNtUpdateWnfStateData+207j
		mov	eax, [ebp+var_5C]
		test	eax, eax
		jnz	loc_7A03AD

loc_7A02D6:				; CODE XREF: ExpNtUpdateWnfStateData+2FEj
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	[ebp+var_44]
		lea	edx, [ebp+var_88]
		mov	ecx, [ebp+var_48]
		call	_ExpWnfReleaseCapturedScopeInstanceId@12 ; ExpWnfReleaseCapturedScopeInstanceId(x,x,x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7A0300:				; CODE XREF: ExpNtUpdateWnfStateData+101j
		mov	[ebp+var_60], 1
		jmp	loc_7A01CE
; 

loc_7A030C:				; CODE XREF: ExpNtUpdateWnfStateData+118j
		mov	[ebp+var_4C], ebx
		mov	ecx, ds:_PsInitialSystemProcess
		mov	[ebp+var_50], ecx
		jmp	loc_7A01F4
; 

loc_7A031D:				; CODE XREF: ExpNtUpdateWnfStateData+180j
		cmp	[ebp+var_78], 3
		jz	loc_7A0240
		push	[ebp+var_4C]
		push	edi
		lea	ecx, [ebp+var_5C]
		call	ExpWnfLookupPermanentName
		mov	esi, eax
		test	esi, esi
		js	loc_7A02AD
		push	[ebp+var_60]	; int
		push	[ebp+var_70]	; void *
		push	[ebp+arg_0]	; int
		mov	edx, [ebp+var_5C]
		push	2
		pop	ecx
		call	_ExpWnfValidatePubSubPreconditions@20 ;	ExpWnfValidatePubSubPreconditions(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7A02AD
		push	[ebp+var_4C]
		push	edi
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+var_50]
		mov	edi, [ebp+var_5C]
		mov	edx, edi
		mov	ecx, [ebp+var_68]
		call	ExpWnfCreateNameInstance
		mov	esi, eax
		push	20666E57h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_5C], ebx
		test	esi, esi
		js	loc_7A02AD
		mov	edi, [ebp+arg_0]
		jmp	loc_7A0262
; 

loc_7A0393:				; CODE XREF: ExpNtUpdateWnfStateData+10Ej
		push	[ebp+var_54]
		push	[ebp+var_58]
		call	_ExpWnfCheckCrossScopeAccess@8 ; ExpWnfCheckCrossScopeAccess(x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_7A01CE
		jmp	loc_7A02AD
; 

loc_7A03AD:				; CODE XREF: ExpNtUpdateWnfStateData+216j
		push	20666E57h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7A02D6
; 

loc_7A03BD:				; CODE XREF: ExpNtUpdateWnfStateData+79j
					; ExpNtUpdateWnfStateData+F0j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7A02AD
ExpNtUpdateWnfStateData	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSubscribeWnfStateChange proc near	; DATA XREF: .text:00580C2Co

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	18h
		push	offset dword_6A2318
		call	__SEH_prolog4
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edi, edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], edi
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	short loc_7A040C
		mov	[ebp+ms_exc.disabled], edi
		push	1
		push	8
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[esi], edi
		mov	[esi+4], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7A040C:				; CODE XREF: NtSubscribeWnfStateChange+27j
		push	1
		push	[ebp+arg_8]
		push	edi
		push	edi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		mov	ecx, esi
		neg	ecx
		sbb	ecx, ecx
		lea	eax, [ebp+var_28]
		and	ecx, eax
		xor	edx, edx
		call	ExpWnfSubscribeWnfStateChange
		mov	edi, eax
		test	edi, edi
		js	short loc_7A044E
		test	esi, esi
		jz	short loc_7A044E
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_28]
		mov	[esi], eax
		mov	eax, [ebp+var_24]
		mov	[esi+4], eax

loc_7A0447:				; CODE XREF: sub_8E97E9+1Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7A044E:				; CODE XREF: NtSubscribeWnfStateChange+65j
					; NtSubscribeWnfStateChange+69j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
NtSubscribeWnfStateChange endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfSubscribeWnfStateChange proc near	; CODE XREF: ExSubscribeWnfStateChange(x,x,x,x,x,x)+2Bp
					; NtSubscribeWnfStateChange+5Cp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008E9809 SIZE 0000000A BYTES
; FUNCTION CHUNK AT 008E9838 SIZE 00000010 BYTES

		push	40h
		push	offset dword_6A2340
		call	__SEH_prolog4
		mov	[ebp+var_38], edx
		mov	[ebp+var_3C], ecx
		xor	eax, eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_2C], eax
		mov	ebx, eax
		mov	[ebp+ms_exc.disabled], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_28], eax
		push	eax
		lea	edx, [ebp+var_50]
		mov	ecx, [ebp+arg_0]
		call	ExpCaptureWnfStateName
		mov	esi, eax
		mov	[ebp+var_44], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		js	loc_7A05DE
		test	[ebp+arg_10], 0FFFFFFE0h
		jnz	loc_8E9809
		mov	edi, [ebp+var_50]
		mov	edx, edi
		mov	eax, [ebp+var_4C]
		shrd	edx, eax, 4
		and	edx, 3
		mov	[ebp+var_34], edx
		mov	edx, edi
		shrd	edx, eax, 6
		and	edx, 0Fh
		mov	eax, [ebp+var_28]
		test	al, al
		jz	loc_7A062A
		and	[ebp+arg_0], ebx
		test	[ebp+arg_10], 11h
		setnz	bl
		test	[ebp+arg_10], 0FFFFFFEEh
		jnz	loc_7A06D6

loc_7A050F:				; CODE XREF: ExpWnfSubscribeWnfStateChange+1C3j
					; ExpWnfSubscribeWnfStateChange+26Bj
		test	al, al
		jz	loc_7A0636
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	edi, [ebp+var_50]

loc_7A0526:				; CODE XREF: ExpWnfSubscribeWnfStateChange+1CDj
		mov	[ebp+var_28], eax
		push	0		; void *
		push	edx		; int
		push	0		; int
		mov	edx, eax
		lea	ecx, [ebp+var_24]
		call	ExpWnfResolveScopeInstance
		mov	esi, eax
		test	esi, esi
		js	loc_7A05DE
		push	[ebp+var_4C]
		push	edi
		lea	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_24]
		call	_ExpWnfLookupNameInstance@16 ; ExpWnfLookupNameInstance(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_7A066B

loc_7A055F:				; CODE XREF: ExpWnfSubscribeWnfStateChange+201j
		test	esi, esi
		js	short loc_7A05DE
		cmp	[ebp+arg_0], 0
		jnz	short loc_7A057C
		mov	edx, ebx
		mov	ecx, [ebp+var_1C]
		mov	ecx, [ecx+2Ch]
		call	_ExpWnfCheckCallerAccess@8 ; ExpWnfCheckCallerAccess(x,x)
		mov	esi, eax

loc_7A0578:				; CODE XREF: ExpWnfSubscribeWnfStateChange+263j
		test	esi, esi
		js	short loc_7A05DE

loc_7A057C:				; CODE XREF: ExpWnfSubscribeWnfStateChange+F9j
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+var_38]
		push	[ebp+var_3C]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		mov	ebx, [ebp+arg_4]
		push	ebx
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		mov	edx, [ebp+var_28]
		mov	edi, [ebp+var_1C]
		mov	ecx, edi
		call	ExpWnfSubscribeNameInstance
		mov	esi, eax
		test	esi, esi
		js	short loc_7A05DE
		xor	edx, edx
		mov	ecx, edx
		cmp	ebx, [edi+38h]
		jnz	loc_7A0640

loc_7A05BA:				; CODE XREF: ExpWnfSubscribeWnfStateChange+1D5j
					; ExpWnfSubscribeWnfStateChange+1DEj
		mov	eax, [ebp+var_1C]
		cmp	[eax+5Ch], edx
		jnz	short loc_7A05C5
		or	ecx, 8

loc_7A05C5:				; CODE XREF: ExpWnfSubscribeWnfStateChange+152j
		cmp	[ebp+var_30], edx
		jnz	short loc_7A05D9
		mov	eax, [ebp+var_1C]
		cmp	[eax+58h], edx
		jz	loc_7A06DE
		or	ecx, 2

loc_7A05D9:				; CODE XREF: ExpWnfSubscribeWnfStateChange+15Aj
					; ExpWnfSubscribeWnfStateChange+273j
		and	ecx, [ebp+arg_10]
		jnz	short loc_7A0651

loc_7A05DE:				; CODE XREF: ExpWnfSubscribeWnfStateChange+4Ej
					; ExpWnfSubscribeWnfStateChange+CEj ...
		mov	ecx, [ebp+var_2C]
		test	ecx, ecx
		jz	short loc_7A05ED
		add	ecx, 4
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7A05ED:				; CODE XREF: ExpWnfSubscribeWnfStateChange+175j
		mov	edi, [ebp+var_1C]
		test	edi, edi
		jz	short loc_7A05FC
		lea	ecx, [edi+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7A05FC:				; CODE XREF: ExpWnfSubscribeWnfStateChange+184j
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jz	short loc_7A060B
		add	ecx, 4
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7A060B:				; CODE XREF: ExpWnfSubscribeWnfStateChange+193j
		mov	edi, [ebp+var_20]
		test	edi, edi
		jnz	loc_8E9838

loc_7A0616:				; CODE XREF: ExpWnfSubscribeWnfStateChange+1493D5j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7A062A:				; CODE XREF: ExpWnfSubscribeWnfStateChange+81j
		mov	[ebp+arg_0], 1
		jmp	loc_7A050F
; 

loc_7A0636:				; CODE XREF: ExpWnfSubscribeWnfStateChange+A3j
		mov	eax, ds:_PsInitialSystemProcess
		jmp	loc_7A0526
; 

loc_7A0640:				; CODE XREF: ExpWnfSubscribeWnfStateChange+146j
		cmp	[edi+34h], edx
		jz	loc_7A05BA
		xor	ecx, ecx
		inc	ecx
		jmp	loc_7A05BA
; 

loc_7A0651:				; CODE XREF: ExpWnfSubscribeWnfStateChange+16Ej
		xor	eax, eax
		cmp	byte ptr [ebp+arg_14], al
		setnz	al
		push	eax
		push	ecx
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_1C]
		call	_ExpWnfNotifySubscription@16 ; ExpWnfNotifySubscription(x,x,x,x)
		jmp	loc_7A05DE
; 

loc_7A066B:				; CODE XREF: ExpWnfSubscribeWnfStateChange+EBj
		cmp	[ebp+var_34], 3
		jz	loc_7A055F
		push	[ebp+var_4C]
		push	edi
		lea	ecx, [ebp+var_20]
		call	ExpWnfLookupPermanentName
		mov	esi, eax
		test	esi, esi
		js	loc_7A05DE
		cmp	[ebp+arg_0], 0
		jnz	short loc_7A06A8
		mov	edx, ebx
		mov	ecx, [ebp+var_20]
		mov	ecx, [ecx+8]
		call	_ExpWnfCheckCallerAccess@8 ; ExpWnfCheckCallerAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7A05DE

loc_7A06A8:				; CODE XREF: ExpWnfSubscribeWnfStateChange+221j
		push	[ebp+var_4C]
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_28]
		mov	edi, [ebp+var_20]
		mov	edx, edi
		mov	ecx, [ebp+var_24]
		call	ExpWnfCreateNameInstance
		mov	esi, eax
		push	20666E57h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_20], 0
		jmp	loc_7A0578
; 

loc_7A06D6:				; CODE XREF: ExpWnfSubscribeWnfStateChange+9Bj
		or	ebx, 2
		jmp	loc_7A050F
; 

loc_7A06DE:				; CODE XREF: ExpWnfSubscribeWnfStateChange+162j
		or	ecx, 4
		jmp	loc_7A05D9
ExpWnfSubscribeWnfStateChange endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQueryWnfStateData proc near		; DATA XREF: .text:00580DD4o

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008E9848 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A2360
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_54], ecx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_64], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_70], eax
		mov	esi, [ebp+arg_14]
		mov	[ebp+var_4C], 0
		mov	[ebp+var_48], 0
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_60], 0
		mov	[ebp+var_6C], 0
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_34], bl
		mov	[ebp+var_40], 0
		mov	[ebp+var_50], 0
		mov	[ebp+var_3C], 0
		mov	[ebp+var_68], 0
		mov	[ebp+var_8C], 0
		mov	[ebp+var_88], 0
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_4], 0
		mov	edi, [ebp+var_34]
		push	edi
		lea	edx, [ebp+var_4C]
		mov	ecx, [ebp+arg_0]
		call	ExpCaptureWnfStateName
		mov	[ebp+var_30], eax
		test	eax, eax
		js	loc_8E9848
		test	bl, bl
		jz	loc_7A0AA7
		mov	ecx, [ebp+var_54]
		test	ecx, ecx
		jnz	loc_7A09A6

loc_7A07EC:				; CODE XREF: NtQueryWnfStateData+2E1j
		mov	ecx, [ebp+var_64]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8E985B

loc_7A07FC:				; CODE XREF: NtQueryWnfStateData+14916Dj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8E9862

loc_7A080F:				; CODE XREF: NtQueryWnfStateData+149174j
		nop
		mov	ecx, [ecx]
		mov	[ebp+var_60], ecx
		mov	edx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8E9869

loc_7A0824:				; CODE XREF: NtQueryWnfStateData+14917Bj
		mov	eax, [edx]
		mov	[edx], eax
		test	ecx, ecx
		jz	short loc_7A0837
		push	1
		push	ecx
		push	[ebp+var_70]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_7A0837:				; CODE XREF: NtQueryWnfStateData+13Aj
					; NtQueryWnfStateData+3BCj
		mov	edi, [ebp+var_4C]
		mov	eax, [ebp+var_48]
		shrd	edi, eax, 4
		and	edi, 3
		mov	[ebp+var_54], edi
		mov	[ebp+var_74], edi
		mov	edi, [ebp+var_4C]
		shrd	edi, eax, 6
		and	edi, 0Fh
		mov	[ebp+var_68], edi
		lea	eax, [ebp+var_8C]
		push	eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	[ebp+var_34]
		mov	edx, [ebp+var_44]
		mov	ecx, edi
		call	_ExpWnfCaptureScopeInstanceId@20 ; ExpWnfCaptureScopeInstanceId(x,x,x,x,x)
		mov	[ebp+var_30], eax
		test	eax, eax
		js	loc_7A0937
		mov	[ebp+var_4], 0FFFFFFFEh
		test	bl, bl
		jz	loc_7A0AB1
		mov	[ebp+var_58], 0
		cmp	[ebp+var_44], 0
		jnz	loc_7A0A8C

loc_7A089A:				; CODE XREF: NtQueryWnfStateData+3ACj
					; NtQueryWnfStateData+3C8j
		test	bl, bl
		jz	loc_7A0ABD
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		mov	ecx, [ebp+var_74]
		mov	[ebp+var_54], ecx
		mov	edi, [ebp+var_68]

loc_7A08B7:				; CODE XREF: NtQueryWnfStateData+3D5j
		mov	[ebp+var_44], edx
		push	[ebp+var_6C]	; void *
		push	edi		; int
		push	eax		; int
		lea	ecx, [ebp+var_50]
		call	ExpWnfResolveScopeInstance
		mov	[ebp+var_30], eax
		test	eax, eax
		js	short loc_7A093E
		push	[ebp+var_48]
		mov	ebx, [ebp+var_4C]
		push	ebx
		lea	edx, [ebp+var_3C]
		mov	ecx, [ebp+var_50]
		call	_ExpWnfLookupNameInstance@16 ; ExpWnfLookupNameInstance(x,x,x,x)
		mov	[ebp+var_30], eax
		cmp	eax, 0C0000034h
		jz	loc_7A09D6

loc_7A08EE:				; CODE XREF: NtQueryWnfStateData+2EAj
		test	eax, eax
		js	short loc_7A093E
		push	[ebp+var_58]	; int
		push	[ebp+var_5C]	; void *
		push	0		; int
		mov	edx, [ebp+var_3C]
		lea	edx, [edx+24h]
		mov	ecx, 1
		call	_ExpWnfValidatePubSubPreconditions@20 ;	ExpWnfValidatePubSubPreconditions(x,x,x,x,x)
		mov	[ebp+var_30], eax
		test	eax, eax

loc_7A090F:				; CODE XREF: NtQueryWnfStateData+36Fj
		js	short loc_7A093E

loc_7A0911:				; CODE XREF: NtQueryWnfStateData+338j
		mov	[ebp+var_4], 1
		mov	edx, [ebp+var_64]
		cmp	[ebp+var_3C], 0
		jz	loc_7A0A74
		push	esi		; int
		push	[ebp+var_60]	; int
		push	[ebp+var_70]	; void *
		mov	ecx, [ebp+var_3C]
		call	ExpWnfReadStateData

loc_7A0934:				; CODE XREF: sub_7A0ACA+37j
		mov	[ebp+var_30], eax

loc_7A0937:				; CODE XREF: NtQueryWnfStateData+184j
					; NtQueryWnfStateData+397j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7A093E:				; CODE XREF: NtQueryWnfStateData+1DCj
					; NtQueryWnfStateData+200j ...
		mov	edi, [ebp+var_34]

loc_7A0941:				; CODE XREF: NtQueryWnfStateData+14915Fj
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_7A0950
		add	ecx, 4
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7A0950:				; CODE XREF: NtQueryWnfStateData+256j
		mov	ecx, [ebp+var_50]
		test	ecx, ecx
		jz	short loc_7A095F
		add	ecx, 4
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7A095F:				; CODE XREF: NtQueryWnfStateData+265j
		mov	ebx, [ebp+var_40]
		test	ebx, ebx
		jnz	loc_7A0A64

loc_7A096A:				; CODE XREF: NtQueryWnfStateData+37Fj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	edi
		lea	edx, [ebp+var_8C]
		mov	ecx, [ebp+var_68]
		call	_ExpWnfReleaseCapturedScopeInstanceId@12 ; ExpWnfReleaseCapturedScopeInstanceId(x,x,x)
		mov	eax, [ebp+var_30]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7A09A6:				; CODE XREF: NtQueryWnfStateData+F6j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8E9854

loc_7A09B3:				; CODE XREF: NtQueryWnfStateData+149166j
		mov	eax, [ecx]
		mov	[ebp+var_2C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_28], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_24], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_20], eax
		nop
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_5C], eax
		jmp	loc_7A07EC
; 

loc_7A09D6:				; CODE XREF: NtQueryWnfStateData+1F8j
		cmp	[ebp+var_54], 3
		jz	loc_7A08EE
		push	[ebp+var_48]
		push	ebx
		lea	ecx, [ebp+var_40]
		call	ExpWnfLookupPermanentName
		mov	[ebp+var_30], eax
		test	eax, eax
		js	loc_7A093E
		push	[ebp+var_58]	; int
		push	[ebp+var_5C]	; void *
		push	0		; int
		mov	edx, [ebp+var_40]
		mov	ecx, 1
		call	_ExpWnfValidatePubSubPreconditions@20 ;	ExpWnfValidatePubSubPreconditions(x,x,x,x,x)
		mov	[ebp+var_30], eax
		test	eax, eax
		js	loc_7A093E
		cmp	edi, 5
		jz	short loc_7A0A2E
		mov	ecx, ebx
		mov	eax, [ebp+var_48]
		shrd	ecx, eax, 0Ah
		test	cl, 1
		jz	loc_7A0911

loc_7A0A2E:				; CODE XREF: NtQueryWnfStateData+32Aj
		push	[ebp+var_48]
		push	ebx
		lea	eax, [ebp+var_3C]
		push	eax
		push	[ebp+var_44]
		mov	ebx, [ebp+var_40]
		mov	edx, ebx
		mov	ecx, [ebp+var_50]
		call	ExpWnfCreateNameInstance
		mov	edi, eax
		mov	[ebp+var_30], edi
		push	20666E57h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_40], 0
		test	edi, edi
		jmp	loc_7A090F
; 

loc_7A0A64:				; CODE XREF: NtQueryWnfStateData+274j
		push	20666E57h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7A096A
; 

loc_7A0A74:				; CODE XREF: NtQueryWnfStateData+22Fj
		mov	dword ptr [edx], 0
		mov	dword ptr [esi], 0
		mov	[ebp+var_30], 0
		jmp	loc_7A0937
; 

loc_7A0A8C:				; CODE XREF: NtQueryWnfStateData+1A4j
		push	[ebp+var_48]
		push	[ebp+var_4C]
		call	_ExpWnfCheckCrossScopeAccess@8 ; ExpWnfCheckCrossScopeAccess(x,x)
		mov	[ebp+var_30], eax
		test	eax, eax
		jns	loc_7A089A
		jmp	loc_7A093E
; 

loc_7A0AA7:				; CODE XREF: NtQueryWnfStateData+EBj
		mov	eax, [esi]
		mov	[ebp+var_60], eax
		jmp	loc_7A0837
; 

loc_7A0AB1:				; CODE XREF: NtQueryWnfStateData+193j
		mov	[ebp+var_58], 1
		jmp	loc_7A089A
; 

loc_7A0ABD:				; CODE XREF: NtQueryWnfStateData+1ACj
		xor	eax, eax
		mov	edx, ds:_PsInitialSystemProcess
		jmp	loc_7A08B7
NtQueryWnfStateData endp


;  S U B	R O U T	I N E 


sub_7A0ACA	proc near		; DATA XREF: .text:006A2374o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-84h], eax
		mov	eax, large fs:124h
		mov	[ebp-80h], eax
		mov	eax, [ebp-80h]
		mov	al, [eax+15Ah]
		mov	[ebp-36h], al
		cmp	byte ptr [ebp-36h], 0
		jz	short loc_7A0B06
		mov	eax, 1
		retn
; 

loc_7A0AF8:				; DATA XREF: .text:006A2378o
		mov	eax, [ebp-84h]

loc_7A0AFE:				; CODE XREF: sub_8E989A+3j
		mov	esp, [ebp-18h]
		jmp	loc_7A0934
; 

loc_7A0B06:				; CODE XREF: sub_7A0ACA+26j
		xor	eax, eax
		retn
sub_7A0ACA	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfReleaseCapturedScopeInstanceId(x, x, x)
_ExpWnfReleaseCapturedScopeInstanceId@12 proc near ; CODE XREF:	ExpNtUpdateWnfStateData+22Dp
					; NtQueryWnfStateData+290p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	ecx, 1
		jz	short loc_7A0B38
		sub	ecx, 1
		jz	short loc_7A0B22
		sub	ecx, 1
		jz	short loc_7A0B45

loc_7A0B1E:				; CODE XREF: ExpWnfReleaseCapturedScopeInstanceId(x,x,x)+1Cj
					; ExpWnfReleaseCapturedScopeInstanceId(x,x,x)+22j ...
		pop	ebp
		retn	4
; 

loc_7A0B22:				; CODE XREF: ExpWnfReleaseCapturedScopeInstanceId(x,x,x)+Dj
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_7A0B1E
		cmp	[ebp+arg_0], 1
		jnz	short loc_7A0B1E
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7A0B1E
; 

loc_7A0B38:				; CODE XREF: ExpWnfReleaseCapturedScopeInstanceId(x,x,x)+8j
		mov	ecx, [edx]
		test	ecx, ecx
		jz	short loc_7A0B1E
		call	ObfDereferenceObject
		jmp	short loc_7A0B1E
; 

loc_7A0B45:				; CODE XREF: ExpWnfReleaseCapturedScopeInstanceId(x,x,x)+12j
		mov	ecx, [edx]
		test	ecx, ecx
		jz	short loc_7A0B1E
		mov	edx, 20666E57h
		call	ObfDereferenceObjectWithTag
		jmp	short loc_7A0B1E
_ExpWnfReleaseCapturedScopeInstanceId@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpCaptureWnfStateName proc near	; CODE XREF: NtDeleteWnfStateName+50p
					; ExpWnfCompleteThreadSubscriptions+25p ...

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008E98A2 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		push	edi
		mov	edi, edx
		jz	short loc_7A0BBD
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_7A0BC4

loc_7A0B70:				; CODE XREF: ExpCaptureWnfStateName+6Ej
		mov	edx, [ecx]
		mov	esi, [ecx+4]
		nop

loc_7A0B76:				; CODE XREF: ExpCaptureWnfStateName+6Aj
		xor	edx, 0A3BC0074h
		xor	esi, 41C64E6Dh
		mov	eax, edx
		mov	[edi], edx
		and	eax, 0Fh
		mov	[edi+4], esi
		cmp	eax, 1
		jnz	short loc_7A0BC8
		mov	ecx, edx
		mov	eax, esi
		shrd	ecx, eax, 6
		shrd	edx, esi, 0Ah
		and	ecx, 0Fh
		and	edx, 1
		cmp	ecx, 5
		ja	short loc_7A0BC8
		test	edx, edx
		jnz	short loc_7A0BB4

loc_7A0BAC:				; CODE XREF: ExpCaptureWnfStateName+5Ej
					; ExpCaptureWnfStateName+148D4Dj ...
		xor	eax, eax

loc_7A0BAE:				; CODE XREF: ExpCaptureWnfStateName+75j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_7A0BB4:				; CODE XREF: ExpCaptureWnfStateName+52j
		test	ecx, ecx
		jz	short loc_7A0BAC
		jmp	loc_8E98A2
; 

loc_7A0BBD:				; CODE XREF: ExpCaptureWnfStateName+Dj
		mov	edx, [ecx]
		mov	esi, [ecx+4]
		jmp	short loc_7A0B76
; 

loc_7A0BC4:				; CODE XREF: ExpCaptureWnfStateName+16j
		mov	ecx, eax
		jmp	short loc_7A0B70
; 

loc_7A0BC8:				; CODE XREF: ExpCaptureWnfStateName+37j
					; ExpCaptureWnfStateName+4Ej ...
		mov	eax, 0C000000Dh
		jmp	short loc_7A0BAE
ExpCaptureWnfStateName endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfCreateNameInstance proc near	; CODE XREF: NtCreateWnfStateName+166p
					; ExpNtUpdateWnfStateData+2B4p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E98B9 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [edx+4]
		push	edi
		mov	edi, [ebp+arg_8]
		neg	esi
		push	60h
		sbb	esi, esi
		mov	[esp+24h+var_8], edx
		and	esi, 10h
		mov	[esp+24h+var_10], ecx
		pop	eax
		add	esi, eax
		mov	eax, [ebp+arg_C]
		shrd	edi, eax, 4
		and	edi, 3
		mov	[esp+20h+var_C], edi
		cmp	edi, 3
		jnz	short loc_7A0C1A
		mov	eax, [ebp+arg_0]
		cmp	ds:_PsInitialSystemProcess, eax
		jnz	loc_7A0E08

loc_7A0C1A:				; CODE XREF: ExpWnfCreateNameInstance+39j
		push	20666E57h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_7A0C27:				; CODE XREF: ExpWnfCreateNameInstance+245j
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8E98C4
		push	60h
		pop	esi
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	ecx, [esp+2Ch+var_8]
		mov	eax, 903h
		mov	[ebx], ax
		add	esp, 0Ch
		mov	eax, [ebp+arg_8]
		mov	[ebx+2], si
		mov	esi, [esp+20h+var_10]
		mov	[ebx+18h], eax
		mov	eax, [ebp+arg_C]
		mov	[ebx+20h], esi
		mov	[ebx+1Ch], eax
		mov	eax, [ecx]
		mov	[ebx+24h], eax
		cmp	dword ptr [ecx+4], 0
		jnz	loc_7A0EC4

loc_7A0C72:				; CODE XREF: ExpWnfCreateNameInstance+309j
		push	1
		lea	eax, [ebx+2Ch]
		push	eax
		push	dword ptr [ecx+8]
		call	ObLogSecurityDescriptor
		test	eax, eax
		js	loc_8E98B9
		mov	ecx, [ebp+arg_8]
		lea	eax, [ebx+44h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+arg_C]
		and	dword ptr [ebx+40h], 0
		and	dword ptr [ebx+30h], 0
		shrd	ecx, eax, 0Ah
		test	cl, 1
		jnz	loc_7A0E29

loc_7A0CAB:				; CODE XREF: ExpWnfCreateNameInstance+26Aj
		mov	ecx, ebx
		call	ExpWnfPopulateStateData
		mov	esi, eax
		test	esi, esi
		jnz	loc_7A0E45
		mov	edi, [esp+20h+var_10]
		xor	edx, edx
		add	edi, 1Ch
		push	eax
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_7A0CE0
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_7A0CE0:				; CODE XREF: ExpWnfCreateNameInstance+104j
		test	esi, esi
		jnz	loc_7A0E1A

loc_7A0CE8:				; CODE XREF: ExpWnfCreateNameInstance+24Ej
		push	[ebp+arg_C]
		mov	ecx, [esp+24h+var_10]
		push	[ebp+arg_8]
		call	_ExpWnfFindStateName@12	; ExpWnfFindStateName(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_7A0E73
		lea	ecx, [ebx+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	edx, [esp+20h+var_10]
		add	edx, 20h
		mov	byte ptr [esp+20h+var_10], 0
		mov	ecx, [edx]
		test	ecx, ecx
		jz	short loc_7A0D59
		mov	eax, [ebx+18h]
		mov	[esp+20h+var_4], eax
		mov	eax, [ebx+1Ch]
		mov	[esp+20h+var_8], eax

loc_7A0D29:				; CODE XREF: ExpWnfCreateNameInstance+176j
		mov	eax, [ecx+14h]
		mov	esi, [ecx+10h]
		cmp	[esp+20h+var_8], eax
		jb	short loc_7A0D48
		ja	short loc_7A0D3D
		cmp	[esp+20h+var_4], esi
		jb	short loc_7A0D48

loc_7A0D3D:				; CODE XREF: ExpWnfCreateNameInstance+165j
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_7A0D54

loc_7A0D44:				; CODE XREF: ExpWnfCreateNameInstance+17Cj
		mov	ecx, eax
		jmp	short loc_7A0D29
; 

loc_7A0D48:				; CODE XREF: ExpWnfCreateNameInstance+163j
					; ExpWnfCreateNameInstance+16Bj
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_7A0D44
		mov	byte ptr [esp+20h+var_10], al
		jmp	short loc_7A0D59
; 

loc_7A0D54:				; CODE XREF: ExpWnfCreateNameInstance+172j
		mov	byte ptr [esp+20h+var_10], 1

loc_7A0D59:				; CODE XREF: ExpWnfCreateNameInstance+149j
					; ExpWnfCreateNameInstance+182j
		lea	eax, [ebx+8]
		push	eax
		push	[esp+24h+var_10]
		push	ecx
		push	edx
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		or	eax, 0FFFFFFFFh
		cmp	[esp+20h+var_C], 3
		jnz	short loc_7A0DE7
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	[ebx+54h], eax
		push	0
		mov	eax, [eax+39Ch]
		mov	[esp+24h+var_8], eax
		lea	esi, [eax+1Ch]
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	[esp+20h+var_4], eax
		lock bts dword ptr [esi], 0
		jnb	short loc_7A0DA9
		push	esi
		mov	edx, eax
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [esp+20h+var_4]

loc_7A0DA9:				; CODE XREF: ExpWnfCreateNameInstance+1C9j
		test	eax, eax
		jnz	short loc_7A0E23

loc_7A0DAD:				; CODE XREF: ExpWnfCreateNameInstance+257j
		mov	eax, [esp+20h+var_8]
		lea	edx, [ebx+4Ch]
		add	eax, 20h
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_7A0EDE
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[eax+4], edx
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7A0E67

loc_7A0DDD:				; CODE XREF: ExpWnfCreateNameInstance+29Ej
		mov	ecx, esi
		call	KeAbPostRelease
		or	eax, 0FFFFFFFFh

loc_7A0DE7:				; CODE XREF: ExpWnfCreateNameInstance+1A0j
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7A0E5E

loc_7A0DF1:				; CODE XREF: ExpWnfCreateNameInstance+295j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx

loc_7A0DFD:				; CODE XREF: ExpWnfCreateNameInstance+2E6j
		xor	eax, eax

loc_7A0DFF:				; CODE XREF: ExpWnfCreateNameInstance+28Cj
					; ExpWnfCreateNameInstance+148CF9j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7A0E08:				; CODE XREF: ExpWnfCreateNameInstance+44j
		push	20666E57h
		push	esi
		push	9
		call	ExAllocatePoolWithQuotaTag
		jmp	loc_7A0C27
; 

loc_7A0E1A:				; CODE XREF: ExpWnfCreateNameInstance+112j
		or	byte ptr [esi+0Eh], 1
		jmp	loc_7A0CE8
; 

loc_7A0E23:				; CODE XREF: ExpWnfCreateNameInstance+1DBj
		or	byte ptr [eax+0Eh], 1
		jmp	short loc_7A0DAD
; 

loc_7A0E29:				; CODE XREF: ExpWnfCreateNameInstance+D5j
		lea	eax, [ebx+3Ch]
		mov	edx, edi
		push	eax
		push	1
		mov	ecx, esi
		call	ExpWnfGetPermanentDataStoreHandle
		test	eax, eax
		jns	loc_7A0CAB
		mov	esi, 0C000009Ah

loc_7A0E45:				; CODE XREF: ExpWnfCreateNameInstance+E6j
		push	1
		push	dword ptr [ebx+2Ch]
		call	ObDereferenceSecurityDescriptor
		push	20666E57h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	short loc_7A0DFF
; 

loc_7A0E5E:				; CODE XREF: ExpWnfCreateNameInstance+21Fj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7A0DF1
; 

loc_7A0E67:				; CODE XREF: ExpWnfCreateNameInstance+207j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7A0DDD
; 

loc_7A0E73:				; CODE XREF: ExpWnfCreateNameInstance+12Bj
		lea	ecx, [esi+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		or	ecx, 0FFFFFFFFh
		lock xadd [edi], ecx
		and	cl, 6
		cmp	cl, 2
		jz	short loc_7A0EBB

loc_7A0E8A:				; CODE XREF: ExpWnfCreateNameInstance+2F2j
		mov	ecx, edi
		call	KeAbPostRelease
		push	1
		push	dword ptr [ebx+2Ch]
		call	ObDereferenceSecurityDescriptor
		mov	eax, [ebx+34h]
		test	eax, eax
		jnz	loc_8E98CE

loc_7A0EA6:				; CODE XREF: ExpWnfCreateNameInstance+148D09j
		push	20666E57h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		jmp	loc_7A0DFD
; 

loc_7A0EBB:				; CODE XREF: ExpWnfCreateNameInstance+2B8j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7A0E8A
; 

loc_7A0EC4:				; CODE XREF: ExpWnfCreateNameInstance+9Cj
		lea	edi, [ebx+60h]
		mov	[ebx+28h], edi
		mov	esi, [ecx+4]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [esp+20h+var_C]
		mov	esi, [esp+20h+var_10]
		jmp	loc_7A0C72
; 

loc_7A0EDE:				; CODE XREF: ExpWnfCreateNameInstance+1ECj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
ExpWnfCreateNameInstance endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfLookupNameInstance(x,	x, x, x)
_ExpWnfLookupNameInstance@16 proc near	; CODE XREF: NtDeleteWnfStateName+EDp
					; ExpWnfCompleteThreadSubscriptions+205p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[esp+8+var_4], edx
		push	esi
		push	edi
		push	0
		lea	edi, [ebx+1Ch]
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		push	11h
		mov	esi, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [edi], ecx
		test	eax, eax
		jz	short loc_7A0F1D
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockSharedEx

loc_7A0F1D:				; CODE XREF: ExpWnfLookupNameInstance(x,x,x,x)+2Dj
		test	esi, esi
		jnz	short loc_7A0F76

loc_7A0F21:				; CODE XREF: ExpWnfLookupNameInstance(x,x,x,x)+96j
		push	[ebp+arg_4]
		mov	ecx, ebx
		push	[ebp+arg_0]
		call	_ExpWnfFindStateName@12	; ExpWnfFindStateName(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7A0F45
		lea	ecx, [esi+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		movzx	ecx, al
		neg	ecx
		sbb	ecx, ecx
		and	esi, ecx

loc_7A0F45:				; CODE XREF: ExpWnfLookupNameInstance(x,x,x,x)+4Ej
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_7A0F5A
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7A0F5A:				; CODE XREF: ExpWnfLookupNameInstance(x,x,x,x)+6Dj
		mov	ecx, edi
		call	KeAbPostRelease
		test	esi, esi
		jz	short loc_7A0F7C
		mov	eax, [esp+10h+var_4]
		mov	[eax], esi
		xor	eax, eax

loc_7A0F6D:				; CODE XREF: ExpWnfLookupNameInstance(x,x,x,x)+9Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7A0F76:				; CODE XREF: ExpWnfLookupNameInstance(x,x,x,x)+3Bj
		or	byte ptr [esi+0Eh], 1
		jmp	short loc_7A0F21
; 

loc_7A0F7C:				; CODE XREF: ExpWnfLookupNameInstance(x,x,x,x)+7Fj
		mov	eax, 0C0000034h
		jmp	short loc_7A0F6D
_ExpWnfLookupNameInstance@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfFindStateName(x, x, x)
_ExpWnfFindStateName@12	proc near	; CODE XREF: ExpWnfCreateNameInstance+122p
					; ExpWnfLookupNameInstance(x,x,x,x)+45p

var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+20h]
		push	esi
		push	edi
		test	eax, eax
		jnz	short loc_7A0FA6

loc_7A0F9E:				; CODE XREF: ExpWnfFindStateName(x,x,x)+4Dj
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	8
; 

loc_7A0FA6:				; CODE XREF: ExpWnfFindStateName(x,x,x)+Cj
		mov	edi, [ebp+arg_4]
		mov	esi, [ebp+arg_0]
		lea	esp, [esp+0]

loc_7A0FB0:				; CODE XREF: ExpWnfFindStateName(x,x,x)+34j
		mov	edx, [eax+14h]
		mov	ecx, [eax+10h]
		cmp	edi, edx
		jb	short loc_7A0FC0
		ja	short loc_7A0FD6
		cmp	esi, ecx
		jnb	short loc_7A0FCC

loc_7A0FC0:				; CODE XREF: ExpWnfFindStateName(x,x,x)+28j
		mov	eax, [eax]

loc_7A0FC2:				; CODE XREF: ExpWnfFindStateName(x,x,x)+49j
		test	eax, eax
		jnz	short loc_7A0FB0
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_7A0FCC:				; CODE XREF: ExpWnfFindStateName(x,x,x)+2Ej
		cmp	edi, edx
		jb	short loc_7A0FDB
		ja	short loc_7A0FD6
		cmp	esi, ecx
		jbe	short loc_7A0FDB

loc_7A0FD6:				; CODE XREF: ExpWnfFindStateName(x,x,x)+2Aj
					; ExpWnfFindStateName(x,x,x)+40j
		mov	eax, [eax+4]
		jmp	short loc_7A0FC2
; 

loc_7A0FDB:				; CODE XREF: ExpWnfFindStateName(x,x,x)+3Ej
					; ExpWnfFindStateName(x,x,x)+44j
		test	eax, eax
		jz	short loc_7A0F9E
		pop	edi
		add	eax, 0FFFFFFF8h
		pop	esi
		pop	ebp
		retn	8
_ExpWnfFindStateName@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpWnfResolveScopeInstance(int,int,void	*)
ExpWnfResolveScopeInstance proc	near	; CODE XREF: NtDeleteWnfStateName+CCp
					; NtCreateWnfStateName+149p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E98DE SIZE 00000082 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		cmp	byte ptr [eax+15Ah], 0
		push	edi
		mov	edi, edx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], 0
		mov	[ebp+var_24], 0
		jz	loc_7A1232
		cmp	esi, 4
		jz	loc_7A1232
		cmp	esi, 5
		jz	loc_7A1232
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()

loc_7A1045:				; CODE XREF: ExpWnfResolveScopeInstance+24Ej
		cmp	dword ptr [eax+208h], 0
		lea	ebx, [eax+208h]
		jz	loc_7A1386

loc_7A1058:				; CODE XREF: ExpWnfResolveScopeInstance+3B3j
					; ExpWnfResolveScopeInstance+1488F9j
		mov	eax, [edi+39Ch]
		mov	ecx, eax
		mov	[ebp+var_10], eax
		test	ecx, ecx
		jz	loc_7A125D

loc_7A106B:				; CODE XREF: ExpWnfResolveScopeInstance+282j
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_7A1079
		test	edx, edx
		jz	short loc_7A10CE

loc_7A1079:				; CODE XREF: ExpWnfResolveScopeInstance+83j
		xor	edi, edi

loc_7A107B:				; CODE XREF: ExpWnfResolveScopeInstance+E3j
		mov	[ebp+var_4], edi
		test	esi, esi
		jnz	short loc_7A10D5
		mov	edi, [ebx]
		add	edi, 4
		mov	[ebp+var_4], 1

loc_7A108E:				; CODE XREF: ExpWnfResolveScopeInstance+FDj
					; ExpWnfResolveScopeInstance+25Fj ...
		mov	[ebp+var_C], edi
		mov	edi, [edi]
		cmp	[ebp+var_4], 0
		mov	[ebp+var_14], edi
		jz	short loc_7A10EF
		test	edi, edi
		jz	short loc_7A10EF

loc_7A10A0:				; CODE XREF: ExpWnfResolveScopeInstance+18Cj
		lea	ecx, [edi+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_8E98F8

loc_7A10B0:				; CODE XREF: ExpWnfResolveScopeInstance+224j
					; ExpWnfResolveScopeInstance+354j ...
		mov	eax, [ebp+var_28]
		mov	[eax], edi
		xor	eax, eax

loc_7A10B7:				; CODE XREF: ExpWnfResolveScopeInstance+14890Dj
					; ExpWnfResolveScopeInstance+148917j ...
		mov	[ebp+arg_4], eax

loc_7A10BA:				; CODE XREF: ExpWnfResolveScopeInstance+16Aj
					; ExpWnfResolveScopeInstance+2D3j
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jnz	loc_7A121F

loc_7A10C5:				; CODE XREF: ExpWnfResolveScopeInstance+23Dj
					; ExpWnfResolveScopeInstance+279j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch		; struct _exception *
; 

loc_7A10CE:				; CODE XREF: ExpWnfResolveScopeInstance+87j
		mov	edi, 1
		jmp	short loc_7A107B
; 

loc_7A10D5:				; CODE XREF: ExpWnfResolveScopeInstance+90j
		cmp	esi, 4
		jz	loc_7A1243
		cmp	esi, 5
		jz	loc_7A136C
		lea	edi, [esi+3]
		lea	edi, [ecx+edi*4]
		jmp	short loc_7A108E
; 

loc_7A10EF:				; CODE XREF: ExpWnfResolveScopeInstance+AAj
					; ExpWnfResolveScopeInstance+AEj
		test	eax, eax
		jnz	loc_7A1277
		mov	ecx, [ebp+var_20]
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], 4
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	ExpWnfGetCurrentScopeInstance
		mov	[ebp+arg_4], eax
		cmp	eax, 0C0000023h
		jnz	short loc_7A1158
		push	20666E57h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_8E98EE
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_4]
		push	ecx
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_18], eax
		push	ecx
		mov	ecx, [ebp+var_20]
		push	eax
		push	esi
		call	ExpWnfGetCurrentScopeInstance
		mov	[ebp+arg_4], eax

loc_7A1158:				; CODE XREF: ExpWnfResolveScopeInstance+131j
		test	eax, eax
		js	loc_7A10BA
		mov	eax, [ebp+var_8]
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	short loc_7A1170
		mov	eax, [ebp+var_18]
		mov	[ebp+arg_8], eax

loc_7A1170:				; CODE XREF: ExpWnfResolveScopeInstance+178j
		mov	eax, [ebp+var_4]
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	short loc_7A1182
		test	edi, edi
		jnz	loc_7A10A0

loc_7A1182:				; CODE XREF: ExpWnfResolveScopeInstance+188j
		mov	edi, [ebp+var_8]

loc_7A1185:				; CODE XREF: ExpWnfResolveScopeInstance+29Cj
		mov	ecx, [ebx]
		lea	edx, [esi+esi*2]
		lea	eax, [edx+5]
		lea	edx, [edx+4]
		push	0
		lea	ebx, [ecx+edx*4]
		xor	edx, edx
		lea	eax, [ecx+eax*4]
		mov	[ebp+arg_0], ebx
		mov	ecx, ebx
		mov	[ebp+var_20], eax
		call	KeAbPreAcquire
		mov	edx, eax
		mov	ecx, 11h
		mov	[ebp+var_10], edx
		xor	eax, eax
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jz	short loc_7A11C6
		push	ebx
		mov	ecx, ebx
		call	ExfAcquirePushLockSharedEx
		mov	edx, [ebp+var_10]

loc_7A11C6:				; CODE XREF: ExpWnfResolveScopeInstance+1C9j
		test	edx, edx
		jnz	loc_7A1254

loc_7A11CE:				; CODE XREF: ExpWnfResolveScopeInstance+268j
		mov	ebx, [ebp+arg_8]
		mov	edx, ebx	; void *
		mov	ecx, [ebp+var_20] ; int
		push	edi		; size_t
		call	_ExpWnfFindScopeInstance@12 ; ExpWnfFindScopeInstance(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_7A1291
		lea	ecx, [edi+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	ebx, [ebp+arg_0]
		xor	edx, edx
		movzx	esi, al
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_7A120B
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7A120B:				; CODE XREF: ExpWnfResolveScopeInstance+212j
		mov	ecx, ebx
		call	KeAbPostRelease
		test	esi, esi
		jnz	loc_7A10B0
		jmp	loc_8E9902
; 

loc_7A121F:				; CODE XREF: ExpWnfResolveScopeInstance+CFj
		push	20666E57h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_4]
		jmp	loc_7A10C5
; 

loc_7A1232:				; CODE XREF: ExpWnfResolveScopeInstance+38j
					; ExpWnfResolveScopeInstance+41j ...
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		jmp	loc_7A1045
; 

loc_7A1243:				; CODE XREF: ExpWnfResolveScopeInstance+E8j
		mov	edi, [ebx]
		add	edi, 8
		mov	[ebp+var_4], 1
		jmp	loc_7A108E
; 

loc_7A1254:				; CODE XREF: ExpWnfResolveScopeInstance+1D8j
		or	byte ptr [edx+0Eh], 1
		jmp	loc_7A11CE
; 

loc_7A125D:				; CODE XREF: ExpWnfResolveScopeInstance+75j
		lea	edx, [ebp+var_10]
		mov	ecx, edi
		call	ExpWnfCreateProcessContext
		test	eax, eax
		js	loc_7A10C5
		mov	ecx, [ebp+var_10]
		jmp	loc_7A106B
; 

loc_7A1277:				; CODE XREF: ExpWnfResolveScopeInstance+101j
		mov	edx, eax
		mov	ecx, esi
		call	_ExpWnfGetScopeInstanceIdSize@8	; ExpWnfGetScopeInstanceIdSize(x,x)
		mov	edi, eax
		mov	[ebp+var_18], 0
		mov	[ebp+arg_4], edi
		jmp	loc_7A1185
; 

loc_7A1291:				; CODE XREF: ExpWnfResolveScopeInstance+1F0j
		mov	edi, [ebp+arg_0]
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jnz	loc_7A135A

loc_7A12A8:				; CODE XREF: ExpWnfResolveScopeInstance+371j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	edi, [ebp+arg_4]
		lea	ecx, [ebp+var_14]
		push	edi		; int
		push	ebx		; void *
		mov	edx, esi
		call	_ExpWnfAllocateScopeInstance@16	; ExpWnfAllocateScopeInstance(x,x,x,x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	loc_7A10BA
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		push	0
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	[ebp+arg_8], eax
		lock bts dword ptr [esi], 0
		jnb	short loc_7A12EE
		push	esi
		mov	edx, eax
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+arg_8]

loc_7A12EE:				; CODE XREF: ExpWnfResolveScopeInstance+2EFj
		test	eax, eax
		jnz	short loc_7A1366

loc_7A12F2:				; CODE XREF: ExpWnfResolveScopeInstance+37Aj
		mov	edx, ebx	; void *
		mov	ebx, [ebp+var_20]
		push	edi		; size_t
		mov	ecx, ebx	; int
		call	_ExpWnfFindScopeInstance@12 ; ExpWnfFindScopeInstance(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_8E990C
		mov	edi, [ebp+var_14]
		lea	ecx, [edi+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	ecx, [ebx]
		lea	eax, [edi+14h]
		cmp	[ecx+4], ebx
		jnz	loc_8E994E
		mov	[eax], ecx
		mov	[eax+4], ebx
		mov	[ecx+4], eax
		mov	[ebx], eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7A137D

loc_7A1339:				; CODE XREF: ExpWnfResolveScopeInstance+394j
		mov	ecx, esi
		call	KeAbPostRelease
		cmp	[ebp+var_18], 0
		jz	loc_7A10B0
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		xor	eax, eax
		lock cmpxchg [edx], ecx
		jmp	loc_7A10B0
; 

loc_7A135A:				; CODE XREF: ExpWnfResolveScopeInstance+2B2j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_7A12A8
; 

loc_7A1366:				; CODE XREF: ExpWnfResolveScopeInstance+300j
		or	byte ptr [eax+0Eh], 1
		jmp	short loc_7A12F2
; 

loc_7A136C:				; CODE XREF: ExpWnfResolveScopeInstance+F1j
		mov	edi, [ebx]
		add	edi, 0Ch
		mov	[ebp+var_4], 1
		jmp	loc_7A108E
; 

loc_7A137D:				; CODE XREF: ExpWnfResolveScopeInstance+347j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7A1339
; 

loc_7A1386:				; CODE XREF: ExpWnfResolveScopeInstance+62j
		lea	ecx, [ebp+var_18]
		call	_ExpWnfAllocateScopeMap@4 ; ExpWnfAllocateScopeMap(x)
		test	eax, eax
		js	loc_7A10C5
		mov	edx, [ebp+var_18]
		xor	eax, eax
		mov	ecx, edx
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jz	loc_7A1058
		jmp	loc_8E98DE
ExpWnfResolveScopeInstance endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfCaptureScopeInstanceId(x, x, x, x, x)
_ExpWnfCaptureScopeInstanceId@20 proc near ; CODE XREF:	ExpNtUpdateWnfStateData+E4p
					; NtQueryWnfStateData+17Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, edx
		push	edi
		mov	edi, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_7A13C9
		mov	eax, [ebp+arg_4]
		and	[eax], edx
		xor	eax, eax

loc_7A13C4:				; CODE XREF: ExpWnfCaptureScopeInstanceId(x,x,x,x,x)+4Cj
		pop	edi
		pop	ebp
		retn	0Ch
; 

loc_7A13C9:				; CODE XREF: ExpWnfCaptureScopeInstanceId(x,x,x,x,x)+Dj
		push	ebx
		push	esi
		xor	esi, esi
		sub	ecx, esi
		jz	loc_7A1458
		sub	ecx, 1
		jnz	short loc_7A13FC
		cmp	byte ptr [ebp+arg_0], cl
		jnz	short loc_7A142A

loc_7A13DF:				; CODE XREF: ExpWnfCaptureScopeInstanceId(x,x,x,x,x)+87j
		mov	ecx, [eax]
		lea	ebx, [edi+4]
		mov	[ebx], ecx
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	[edi], eax
		test	eax, eax
		jz	short loc_7A1458
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx

loc_7A13F6:				; CODE XREF: ExpWnfCaptureScopeInstanceId(x,x,x,x,x)+73j
					; ExpWnfCaptureScopeInstanceId(x,x,x,x,x)+7Aj ...
		mov	eax, esi
		pop	esi
		pop	ebx
		jmp	short loc_7A13C4
; 

loc_7A13FC:				; CODE XREF: ExpWnfCaptureScopeInstanceId(x,x,x,x,x)+2Aj
		sub	ecx, 1
		jz	short loc_7A1437
		sub	ecx, 1
		jnz	short loc_7A1455
		push	esi
		push	edi
		push	20666E57h
		push	[ebp+arg_0]
		push	ds:_PsProcessType
		push	esi
		push	eax
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7A13F6
		mov	ecx, [ebp+arg_4]
		mov	[ecx], edi
		jmp	short loc_7A13F6
; 

loc_7A142A:				; CODE XREF: ExpWnfCaptureScopeInstanceId(x,x,x,x,x)+2Fj
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	short loc_7A145F

loc_7A1434:				; CODE XREF: ExpWnfCaptureScopeInstanceId(x,x,x,x,x)+B3j
		nop
		jmp	short loc_7A13DF
; 

loc_7A1437:				; CODE XREF: ExpWnfCaptureScopeInstanceId(x,x,x,x,x)+51j
		mov	dl, byte ptr [ebp+arg_0]
		mov	ecx, eax
		push	edi
		push	esi
		sub	esp, 0Ch
		call	SeCaptureSid
		mov	esi, eax
		test	esi, esi
		js	short loc_7A13F6
		mov	eax, [ebp+arg_4]
		mov	ecx, [edi]
		mov	[eax], ecx
		jmp	short loc_7A13F6
; 

loc_7A1455:				; CODE XREF: ExpWnfCaptureScopeInstanceId(x,x,x,x,x)+56j
		sub	ecx, 1

loc_7A1458:				; CODE XREF: ExpWnfCaptureScopeInstanceId(x,x,x,x,x)+21j
					; ExpWnfCaptureScopeInstanceId(x,x,x,x,x)+41j
		mov	esi, 0C000000Dh
		jmp	short loc_7A13F6
; 

loc_7A145F:				; CODE XREF: ExpWnfCaptureScopeInstanceId(x,x,x,x,x)+84j
		mov	eax, ecx
		jmp	short loc_7A1434
_ExpWnfCaptureScopeInstanceId@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpWnfValidatePubSubPreconditions(int,void *,int)
_ExpWnfValidatePubSubPreconditions@20 proc near	; CODE XREF: ExpNtUpdateWnfStateData+19Dp
					; ExpNtUpdateWnfStateData+292p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 0
		push	esi
		mov	esi, edx
		jnz	short loc_7A1480
		mov	edx, ecx
		mov	ecx, [esi+8]
		call	_ExpWnfCheckCallerAccess@8 ; ExpWnfCheckCallerAccess(x,x)
		test	eax, eax
		js	short loc_7A1493

loc_7A1480:				; CODE XREF: ExpWnfValidatePubSubPreconditions(x,x,x,x,x)+Cj
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_7A1498

loc_7A1487:				; CODE XREF: ExpWnfValidatePubSubPreconditions(x,x,x,x,x)+4Aj
		mov	eax, [esi]
		cmp	eax, [ebp+arg_0]
		sbb	eax, eax
		and	eax, 0C000000Dh

loc_7A1493:				; CODE XREF: ExpWnfValidatePubSubPreconditions(x,x,x,x,x)+1Aj
					; ExpWnfValidatePubSubPreconditions(x,x,x,x,x)+51j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_7A1498:				; CODE XREF: ExpWnfValidatePubSubPreconditions(x,x,x,x,x)+21j
		cmp	[ebp+arg_4], 0
		jz	short loc_7A14B0
		push	10h		; size_t
		push	[ebp+arg_4]	; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7A1487

loc_7A14B0:				; CODE XREF: ExpWnfValidatePubSubPreconditions(x,x,x,x,x)+38j
		mov	eax, 0C000000Dh
		jmp	short loc_7A1493
_ExpWnfValidatePubSubPreconditions@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpWnfReadStateData(void *,int,int)
ExpWnfReadStateData proc near		; CODE XREF: ExpWnfDeliverThreadNotifications+155p
					; NtQueryWnfStateData+23Fp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	14h
		push	offset dword_6A2388
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		mov	edi, ecx
		mov	[ebp+var_24], edi
		xor	esi, esi
		mov	[ebp+var_20], esi
		lea	ecx, [edi+30h]
		push	esi
		xor	edx, edx
		call	KeAbPreAcquire
		mov	ebx, eax
		push	11h
		pop	edx
		xor	eax, eax
		lea	ecx, [edi+30h]
		lock cmpxchg [ecx], edx
		test	eax, eax
		jz	short loc_7A14F6
		push	ecx
		mov	edx, ebx
		call	ExfAcquirePushLockSharedEx

loc_7A14F6:				; CODE XREF: ExpWnfReadStateData+34j
		test	ebx, ebx
		jnz	short loc_7A1554

loc_7A14FA:				; CODE XREF: ExpWnfReadStateData+A0j
		mov	[ebp+ms_exc.disabled], esi
		mov	edx, [edi+34h]
		mov	ecx, [ebp+var_1C]
		test	edx, edx
		jz	short loc_7A155A
		cmp	edx, 1
		jz	short loc_7A1563
		mov	eax, [edx+0Ch]
		mov	[ecx], eax
		mov	ecx, [edx+8]
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		mov	eax, [edx+8]
		cmp	[ebp+arg_4], eax
		jb	short loc_7A156A
		push	eax		; size_t
		lea	eax, [edx+10h]
		push	eax		; void *
		push	[ebp+arg_0]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_7A1531:				; CODE XREF: ExpWnfReadStateData+B7j
		mov	[ebp+var_20], esi

loc_7A1534:				; CODE XREF: ExpWnfReadStateData+A9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7A1571
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7A1554:				; CODE XREF: ExpWnfReadStateData+40j
		or	byte ptr [ebx+0Eh], 1
		jmp	short loc_7A14FA
; 

loc_7A155A:				; CODE XREF: ExpWnfReadStateData+4Dj
		mov	[ecx], esi

loc_7A155C:				; CODE XREF: ExpWnfReadStateData+B0j
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		jmp	short loc_7A1534
; 

loc_7A1563:				; CODE XREF: ExpWnfReadStateData+52j
		mov	eax, [edi+38h]
		mov	[ecx], eax
		jmp	short loc_7A155C
; 

loc_7A156A:				; CODE XREF: ExpWnfReadStateData+67j
		mov	esi, 0C0000023h
		jmp	short loc_7A1531
ExpWnfReadStateData endp


;  S U B	R O U T	I N E 


sub_7A1571	proc near		; CODE XREF: ExpWnfReadStateData+83p
					; ExpWnfResolveScopeInstance+14896Bj
		add	edi, 30h
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_7A1589
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7A1589:				; CODE XREF: sub_7A1571+Fj
		mov	ecx, edi
		call	KeAbPostRelease
		retn
sub_7A1571	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfGetCurrentScopeInstance proc near	; CODE XREF: ExpWnfResolveScopeInstance+124p
					; ExpWnfResolveScopeInstance+160p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E9960 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		sub	eax, esi
		jz	short loc_7A161F
		sub	eax, 1
		jz	short loc_7A15C6
		sub	eax, 1
		jnz	short loc_7A15F5
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	ExpWnfQueryCurrentUserSID
		mov	esi, eax

loc_7A15BE:				; CODE XREF: ExpWnfGetCurrentScopeInstance+61j
					; ExpWnfGetCurrentScopeInstance+9Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_7A15C6:				; CODE XREF: ExpWnfGetCurrentScopeInstance+15j
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		mov	ecx, [ebp+arg_C]
		xor	edx, edx
		test	al, al
		setz	dl
		mov	[ecx], edx
		test	al, al
		jnz	loc_8E9971

loc_7A15DF:				; CODE XREF: ExpWnfGetCurrentScopeInstance+1483EBj
		push	edi
		call	_PsGetProcessSessionId@4 ; PsGetProcessSessionId(x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax

loc_7A15EA:				; CODE XREF: ExpWnfGetCurrentScopeInstance+88j
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 4
		jmp	short loc_7A15BE
; 

loc_7A15F5:				; CODE XREF: ExpWnfGetCurrentScopeInstance+1Aj
		sub	eax, 1
		jnz	short loc_7A161C
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		mov	dl, al
		xor	ecx, ecx
		mov	eax, [ebp+arg_C]
		test	dl, dl
		setz	cl
		mov	[eax], ecx
		test	dl, dl
		jnz	loc_8E9960

loc_7A1615:				; CODE XREF: ExpWnfGetCurrentScopeInstance+1483DAj
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		jmp	short loc_7A15EA
; 

loc_7A161C:				; CODE XREF: ExpWnfGetCurrentScopeInstance+66j
		sub	eax, 1

loc_7A161F:				; CODE XREF: ExpWnfGetCurrentScopeInstance+10j
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		mov	eax, [ebp+arg_C]
		mov	dword ptr [eax], 1
		jmp	short loc_7A15BE
ExpWnfGetCurrentScopeInstance endp

; 
		align 10h

ExpWnfSubscribeNameInstance:		; CODE XREF: ExpWnfSubscribeWnfStateChange+134p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		mov	eax, edx
		mov	[ebp-4], ecx
		mov	ecx, [ebp+28h]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp-28h], eax
		mov	eax, [eax+39Ch]
		or	esi, 0FFFFFFFFh
		cmp	byte ptr [ebp+18h], 1
		mov	[ebp-10h], edi
		mov	[ebp-18h], eax
		mov	[ebp-0Ch], edi
		mov	[ebp-24h], edi
		mov	[ecx], edi
		jnz	short loc_7A16DF
		lea	ebx, [eax+28h]
		xor	edx, edx
		push	edi
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	edx, eax
		xor	eax, eax
		push	11h
		mov	[ebp-20h], edx
		pop	ecx
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jz	short loc_7A168F
		push	ebx
		mov	ecx, ebx
		call	ExfAcquirePushLockSharedEx
		mov	edx, [ebp-20h]

loc_7A168F:				; CODE XREF: PAGE:007A1682j
		test	edx, edx
		jz	short loc_7A1697
		or	byte ptr [edx+0Eh], 1

loc_7A1697:				; CODE XREF: PAGE:007A1691j
		push	dword ptr [ebp+1Ch]
		mov	edx, [ebp-18h]
		lea	eax, [ebp-24h]
		mov	ecx, [ebp-4]
		push	eax
		lea	eax, [ebp-0Ch]
		push	eax
		lea	eax, [ebp-10h]
		push	eax
		push	dword ptr [ebp+14h]
		push	dword ptr [ebp+0Ch]
		push	dword ptr [ebp+8]
		call	ExpWnfUpdateSubscription
		push	11h
		mov	[ebp-20h], eax
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	loc_7A1971

loc_7A16CF:				; CODE XREF: PAGE:007A1978j
		mov	ecx, ebx
		call	KeAbPostRelease
		cmp	[ebp-20h], edi
		jge	loc_7A193F

loc_7A16DF:				; CODE XREF: PAGE:007A1663j
		mov	eax, [ebp-28h]
		push	20666E57h
		push	58h
		cmp	ds:_PsInitialSystemProcess, eax
		jz	loc_7A1986
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	ebx, eax
		mov	[ebp-1Ch], ebx

loc_7A1701:				; CODE XREF: PAGE:007A1992j
		test	ebx, ebx
		jz	loc_8E9982
		push	58h
		push	edi
		push	ebx
		call	_memset
		mov	ecx, [ebp-4]
		add	esp, 0Ch
		cmp	byte ptr [ebp+18h], 0
		mov	eax, 905h
		mov	[ebx], ax
		push	58h
		pop	eax
		mov	[ebx+2], ax
		mov	eax, [ebp+8]
		mov	[ebx+30h], eax
		mov	eax, [ebp+0Ch]
		mov	[ebx+34h], eax
		mov	eax, [ebp+10h]
		mov	[ebx+38h], eax
		mov	eax, [ebp+14h]
		mov	[ebx+3Ch], eax
		mov	[ebx+4], edi
		mov	eax, [ecx+18h]
		mov	[ebx+20h], eax
		mov	eax, [ecx+1Ch]
		mov	[ebx+24h], eax
		jz	loc_7A1997

loc_7A1758:				; CODE XREF: PAGE:007A1783j
					; PAGE:007A1787j ...
		mov	eax, ds:_ExpWnfSubcriptionIdCounter
		mov	ebx, eax
		mov	esi, ds:dword_A9AAC4
		add	ebx, 1
		mov	ecx, esi
		mov	[ebp-14h], eax
		adc	ecx, edi
		mov	edx, esi
		mov	edi, offset _ExpWnfSubcriptionIdCounter
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp-14h]
		push	0
		pop	edi
		cmp	eax, ecx
		jnz	short loc_7A1758
		cmp	edx, esi
		jnz	short loc_7A1758
		add	ecx, 1
		mov	[ebp-14h], ecx
		adc	esi, edi
		mov	[ebp-20h], esi
		cmp	ecx, edi
		jnz	short loc_7A179C
		cmp	esi, edi
		jz	short loc_7A1758

loc_7A179C:				; CODE XREF: PAGE:007A1796j
		mov	edx, [ebp+1Ch]
		mov	ebx, [ebp-1Ch]
		push	0FFFFFFFFh
		pop	esi
		test	edx, edx
		jz	short loc_7A17B1
		mov	eax, [ebp-20h]
		mov	[edx], ecx
		mov	[edx+4], eax

loc_7A17B1:				; CODE XREF: PAGE:007A17A7j
					; PAGE:007A19A2j ...
		mov	eax, [ebp-18h]
		xor	edx, edx
		add	eax, 28h
		push	edi
		mov	ecx, eax
		mov	[ebp-8], eax
		call	KeAbPreAcquire
		mov	ecx, eax
		mov	eax, [ebp-8]
		mov	[ebp+10h], ecx
		lock bts dword ptr [eax], 0
		jnb	short loc_7A17E0
		mov	edx, ecx
		mov	ecx, eax
		push	eax
		call	ExfAcquirePushLockExclusiveEx
		mov	ecx, [ebp+10h]

loc_7A17E0:				; CODE XREF: PAGE:007A17D1j
		test	ecx, ecx
		jz	short loc_7A17E8
		or	byte ptr [ecx+0Eh], 1

loc_7A17E8:				; CODE XREF: PAGE:007A17E2j
		mov	eax, [ebp-4]
		xor	edx, edx
		add	eax, 40h
		push	edi
		mov	ecx, eax
		mov	[ebp+10h], eax
		call	KeAbPreAcquire
		mov	ecx, [ebp+10h]
		mov	[ebp-2Ch], eax
		lock bts dword ptr [ecx], 0
		jnb	short loc_7A1816
		push	ecx
		mov	edx, eax
		call	ExfAcquirePushLockExclusiveEx
		mov	ecx, [ebp+10h]
		mov	eax, [ebp-2Ch]

loc_7A1816:				; CODE XREF: PAGE:007A1806j
		test	eax, eax
		jnz	loc_7A197D

loc_7A181E:				; CODE XREF: PAGE:007A1981j
		mov	eax, [ebp-4]
		cmp	[eax+20h], edi
		jz	loc_8E998C
		cmp	byte ptr [ebp+18h], 1
		jnz	short loc_7A185D
		push	dword ptr [ebp+1Ch]
		mov	edx, [ebp-18h]
		lea	ecx, [ebp-24h]
		push	ecx
		lea	ecx, [ebp-0Ch]
		push	ecx
		lea	ecx, [ebp-10h]
		push	ecx
		push	dword ptr [ebp+14h]
		mov	ecx, eax
		push	dword ptr [ebp+0Ch]
		push	dword ptr [ebp+8]
		call	ExpWnfUpdateSubscription
		test	eax, eax
		jns	loc_8E99DB
		mov	eax, [ebp-4]

loc_7A185D:				; CODE XREF: PAGE:007A182Ej
		mov	[ebx+1Ch], eax
		lea	ecx, [ebx+4]
		mov	eax, [ebp-28h]
		mov	[ebx+18h], eax
		mov	eax, [ebp-14h]
		mov	[ebx+8], eax
		mov	eax, [ebp-20h]
		mov	[ebx+0Ch], eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		cmp	dword ptr [ebp+20h], 0
		jnz	loc_7A19AF

loc_7A1884:				; CODE XREF: PAGE:007A19B7j
		mov	eax, [ebp-18h]
		lea	ecx, [ebx+10h]
		add	eax, 2Ch
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_7A19F2
		mov	[ecx+4], edx
		mov	[ecx], eax
		mov	[edx], ecx
		mov	edx, [ebp-4]
		add	edx, 44h
		mov	[eax+4], ecx
		lea	eax, [ebx+28h]
		mov	ecx, [edx+4]
		mov	[ebp+1Ch], ecx
		cmp	[ecx], edx
		mov	ecx, [ebp-4]
		jnz	loc_7A19F2
		mov	ebx, [ebp+1Ch]
		mov	[eax], edx
		mov	[eax+4], ebx
		mov	[ebx], eax
		mov	ebx, [ebp-1Ch]
		mov	[edx+4], eax
		xor	edx, edx
		inc	edx
		test	[ebx+3Ch], edx
		jz	short loc_7A18E4
		mov	eax, edx
		lock xadd [ecx+58h], eax
		inc	eax
		cmp	eax, edx
		jz	loc_7A1964

loc_7A18E4:				; CODE XREF: PAGE:007A18D2j
					; PAGE:007A1967j
		mov	ecx, [ebp+10h]
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7A19C4

loc_7A18F7:				; CODE XREF: PAGE:007A19CCj
		call	KeAbPostRelease
		mov	ecx, [ebp-8]
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7A19D1

loc_7A190F:				; CODE XREF: PAGE:007A19D9j
		call	KeAbPostRelease
		mov	eax, [ebp+24h]
		mov	[eax], ebx

loc_7A1919:				; CODE XREF: PAGE:007A1947j
		cmp	dword ptr [ebp-24h], 0
		mov	ecx, [ebp-4]
		jl	loc_7A19DE

loc_7A1926:				; CODE XREF: PAGE:007A19E4j
					; PAGE:007A19EDj
		cmp	dword ptr [ebp-0Ch], 0
		jg	short loc_7A196C
		jl	loc_7A19BC

loc_7A1932:				; CODE XREF: PAGE:007A196Fj
					; PAGE:007A19BFj
		test	edi, edi
		jnz	short loc_7A1949

loc_7A1936:				; CODE XREF: PAGE:007A1962j
		xor	eax, eax

loc_7A1938:				; CODE XREF: PAGE:008E9987j
					; PAGE:008E99D6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_7A193F:				; CODE XREF: PAGE:007A16D9j
					; PAGE:008E9A1Ej
		mov	ecx, [ebp+24h]
		mov	eax, [ebp-10h]
		mov	[ecx], eax
		jmp	short loc_7A1919
; 

loc_7A1949:				; CODE XREF: PAGE:007A1934j
		xor	eax, eax
		mov	edx, edi
		cmp	[ebp+18h], al
		setnz	al
		xor	ebx, ebx
		push	eax
		inc	ebx
		push	ebx
		call	_ExpWnfNotifyNameSubscribers@16	; ExpWnfNotifyNameSubscribers(x,x,x,x)
		mov	eax, [ebp+28h]
		mov	[eax], ebx
		jmp	short loc_7A1936
; 

loc_7A1964:				; CODE XREF: PAGE:007A18DEj
		mov	[ebp-0Ch], edx
		jmp	loc_7A18E4
; 

loc_7A196C:				; CODE XREF: PAGE:007A192Aj
		or	edi, 2
		jmp	short loc_7A1932
; 

loc_7A1971:				; CODE XREF: PAGE:007A16C9j
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_7A16CF
; 

loc_7A197D:				; CODE XREF: PAGE:007A1818j
		or	byte ptr [eax+0Eh], 1
		jmp	loc_7A181E
; 

loc_7A1986:				; CODE XREF: PAGE:007A16EFj
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp-1Ch], eax
		jmp	loc_7A1701
; 

loc_7A1997:				; CODE XREF: PAGE:007A1752j
		mov	eax, [ebp+20h]
		mov	[ebp-14h], ebx
		mov	[ebp-20h], edi
		test	eax, eax
		jz	loc_7A17B1
		mov	[eax], ebx
		jmp	loc_7A17B1
; 

loc_7A19AF:				; CODE XREF: PAGE:007A187Ej
		lea	ecx, [ebx+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		jmp	loc_7A1884
; 

loc_7A19BC:				; CODE XREF: PAGE:007A192Cj
		or	edi, 4
		jmp	loc_7A1932
; 

loc_7A19C4:				; CODE XREF: PAGE:007A18F1j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+10h]
		jmp	loc_7A18F7
; 

loc_7A19D1:				; CODE XREF: PAGE:007A1909j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-8]
		jmp	loc_7A190F
; 

loc_7A19DE:				; CODE XREF: PAGE:007A1920j
		lock xadd [ecx+5Ch], esi
		dec	esi
		jnz	loc_7A1926
		push	8
		pop	edi
		jmp	loc_7A1926
; 

loc_7A19F2:				; CODE XREF: PAGE:007A1892j
					; PAGE:007A18B6j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfUpdateSubscription proc near	; CODE XREF: PAGE:007A16B5p
					; PAGE:007A184Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008E9A23 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, [edx+2Ch]
		push	ebx
		push	esi
		push	edi
		lea	edi, [edx+2Ch]
		mov	[ebp+var_8], edx
		mov	ebx, ecx
		cmp	eax, edi
		jz	short loc_7A1A2E
		lea	ebx, [ebx+0]

loc_7A1A20:				; CODE XREF: ExpWnfUpdateSubscription+2Cj
		cmp	[eax+0Ch], ebx
		lea	esi, [eax-10h]
		jz	short loc_7A1A3C
		mov	eax, [eax]
		cmp	eax, edi
		jnz	short loc_7A1A20

loc_7A1A2E:				; CODE XREF: ExpWnfUpdateSubscription+18j
		mov	eax, 0C0000034h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_7A1A3C:				; CODE XREF: ExpWnfUpdateSubscription+26j
		mov	eax, [ebp+arg_10]
		lea	edi, [edx+34h]
		push	0
		xor	edx, edx
		mov	ecx, edi
		mov	dword ptr [eax], 0
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 0
		call	KeAbPreAcquire
		mov	[ebp+var_4], eax
		lock bts dword ptr [edi], 0
		jnb	short loc_7A1A73
		push	edi
		mov	edx, eax
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_4]

loc_7A1A73:				; CODE XREF: ExpWnfUpdateSubscription+64j
		test	eax, eax
		jnz	loc_7A1B1A

loc_7A1A7B:				; CODE XREF: ExpWnfUpdateSubscription+11Ej
		mov	ecx, [esi+3Ch]
		or	eax, 0FFFFFFFFh
		and	ecx, 1
		test	[ebp+arg_8], 1
		jz	loc_7A1B23
		test	ecx, ecx
		jz	loc_8E9A23

loc_7A1A99:				; CODE XREF: ExpWnfUpdateSubscription+125j
					; ExpWnfUpdateSubscription+132j ...
		mov	edi, [esi+48h]
		cmp	edi, 2
		jz	short loc_7A1AB7
		test	byte ptr [esi+4Ch], 1
		setnz	dl
		test	byte ptr [ebp+arg_8], 1
		setz	cl
		test	dl, cl
		jnz	loc_7A1B72

loc_7A1AB7:				; CODE XREF: ExpWnfUpdateSubscription+9Fj
					; ExpWnfUpdateSubscription+17Bj
		mov	ecx, [ebp+arg_0]
		mov	edx, [esi+4Ch]
		mov	[esi+30h], ecx
		mov	ecx, [ebp+arg_4]
		mov	[esi+34h], ecx
		mov	ecx, [ebp+arg_8]
		and	edx, ecx
		mov	[esi+3Ch], ecx
		mov	[esi+4Ch], edx
		test	edi, edi
		jnz	short loc_7A1B46

loc_7A1AD5:				; CODE XREF: ExpWnfUpdateSubscription+148j
					; ExpWnfUpdateSubscription+14Dj ...
		mov	edi, [ebp+var_8]
		add	edi, 34h
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7A1B80

loc_7A1AE9:				; CODE XREF: ExpWnfUpdateSubscription+187j
		mov	ecx, edi
		call	KeAbPostRelease
		lea	ecx, [esi+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_18]
		mov	[eax], esi
		test	ecx, ecx
		jz	short loc_7A1B0F
		mov	eax, [esi+8]
		mov	[ecx], eax
		mov	eax, [esi+0Ch]
		mov	[ecx+4], eax

loc_7A1B0F:				; CODE XREF: ExpWnfUpdateSubscription+102j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_7A1B1A:				; CODE XREF: ExpWnfUpdateSubscription+75j
		or	byte ptr [eax+0Eh], 1
		jmp	loc_7A1A7B
; 

loc_7A1B23:				; CODE XREF: ExpWnfUpdateSubscription+8Bj
		test	ecx, ecx
		jz	loc_7A1A99
		mov	ecx, eax
		lock xadd [ebx+58h], ecx
		jnz	loc_7A1A99
		mov	ecx, [ebp+arg_10]
		mov	dword ptr [ecx], 0FFFFFFFFh
		jmp	loc_7A1A99
; 

loc_7A1B46:				; CODE XREF: ExpWnfUpdateSubscription+D3j
		test	edx, edx
		jnz	short loc_7A1AD5
		cmp	[esi+50h], edx
		jnz	short loc_7A1AD5
		mov	edi, [esi+40h]
		lea	ecx, [esi+40h]
		cmp	[edi+4], ecx
		jnz	short loc_7A1B8C
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_7A1B8C
		mov	[edx], edi
		mov	[edi+4], edx
		mov	dword ptr [esi+48h], 0
		jmp	loc_7A1AD5
; 

loc_7A1B72:				; CODE XREF: ExpWnfUpdateSubscription+B1j
		mov	ecx, [ebp+arg_14]
		mov	dword ptr [ecx], 0FFFFFFFFh
		jmp	loc_7A1AB7
; 

loc_7A1B80:				; CODE XREF: ExpWnfUpdateSubscription+E3j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7A1AE9
; 

loc_7A1B8C:				; CODE XREF: ExpWnfUpdateSubscription+158j
					; ExpWnfUpdateSubscription+15Fj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
ExpWnfUpdateSubscription endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfQueryCurrentUserSID proc near	; CODE XREF: ExpWnfGetCurrentScopeInstance+25p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E9A45 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	esi, edx
		xor	ecx, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], ecx
		mov	byte ptr [ebp+var_1], cl
		mov	[ebp+var_C], ecx
		push	edi
		test	esi, esi
		jnz	short loc_7A1C01
		push	eax
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		xor	edi, edi
		mov	esi, eax
		inc	edi

loc_7A1BC0:				; CODE XREF: ExpWnfQueryCurrentUserSID+88j
					; ExpWnfQueryCurrentUserSID+8Dj
		mov	eax, [ebp+arg_4]
		mov	ecx, esi
		mov	edx, [ebp+arg_0]
		push	eax
		push	dword ptr [eax]
		call	_SeQueryUserSidToken@16	; SeQueryUserSidToken(x,x,x,x)
		mov	ebx, eax
		cmp	edi, 1
		jnz	short loc_7A1C28
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		add	ecx, 12Ch
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)

loc_7A1BE7:				; CODE XREF: ExpWnfQueryCurrentUserSID+96j
					; ExpWnfQueryCurrentUserSID+9Fj
		test	ebx, ebx
		js	short loc_7A1BF8
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		cmp	edi, 1
		setz	cl
		mov	[eax], ecx

loc_7A1BF8:				; CODE XREF: ExpWnfQueryCurrentUserSID+55j
		mov	eax, ebx

loc_7A1BFA:				; CODE XREF: ExpWnfQueryCurrentUserSID+147EC1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7A1C01:				; CODE XREF: ExpWnfQueryCurrentUserSID+1Fj
		push	ecx
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		lea	edx, [ebp+var_8]
		call	PsReferenceEffectiveToken
		mov	edi, [ebp+var_8]
		mov	esi, eax
		cmp	edi, 2
		jnz	short loc_7A1BC0
		cmp	[ebp+var_C], edi
		jge	short loc_7A1BC0
		jmp	loc_8E9A45
; 

loc_7A1C28:				; CODE XREF: ExpWnfQueryCurrentUserSID+41j
		test	esi, esi
		jz	short loc_7A1BE7
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_7A1BE7
ExpWnfQueryCurrentUserSID endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ExpWnfFindScopeInstance(int,void *,size_t)
_ExpWnfFindScopeInstance@12 proc near	; CODE XREF: ExpWnfDeleteScopeById(x,x,x)+56p
					; ExpWnfResolveScopeInstance+1E7p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	short loc_7A1C6F
		mov	eax, [ebp+arg_0]

loc_7A1C4D:				; CODE XREF: ExpWnfFindScopeInstance(x,x,x)+37j
		cmp	eax, [esi-8]
		jnz	short loc_7A1C69
		push	eax		; size_t
		push	dword ptr [esi-4] ; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7A1C73
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+var_4]

loc_7A1C69:				; CODE XREF: ExpWnfFindScopeInstance(x,x,x)+1Aj
		mov	esi, [esi]
		cmp	esi, ebx
		jnz	short loc_7A1C4D

loc_7A1C6F:				; CODE XREF: ExpWnfFindScopeInstance(x,x,x)+12j
		xor	eax, eax
		jmp	short loc_7A1C76
; 

loc_7A1C73:				; CODE XREF: ExpWnfFindScopeInstance(x,x,x)+2Bj
		lea	eax, [esi-14h]

loc_7A1C76:				; CODE XREF: ExpWnfFindScopeInstance(x,x,x)+3Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpWnfFindScopeInstance@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfWriteStateData proc near		; CODE XREF: ExpNtUpdateWnfStateData+1BCp

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_44		= dword	ptr -44h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E9A5A SIZE 00000051 BYTES

		push	74h
		push	offset dword_6A23A8
		call	__SEH_prolog4_GS
		mov	[ebp+var_70], edx
		mov	esi, ecx
		mov	[ebp+var_84], esi
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_64], eax
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_5C]
		rep stosd
		xor	ecx, ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_78], ecx
		push	22h
		pop	eax
		mov	word ptr [ebp+var_7C+2], ax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_78], eax
		cmp	[esi+3Ch], ecx
		jnz	loc_7A1F26

loc_7A1CC6:				; CODE XREF: ExpWnfWriteStateData+2B8j
		mov	ebx, ecx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_6C], ecx
		lea	edi, [esi+30h]
		push	ecx
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	[ebp+var_60], eax
		lock bts dword ptr [edi], 0
		jnb	short loc_7A1CF2
		push	edi
		mov	edx, eax
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_60]

loc_7A1CF2:				; CODE XREF: ExpWnfWriteStateData+65j
		test	eax, eax
		jnz	loc_7A1DA8

loc_7A1CFA:				; CODE XREF: ExpWnfWriteStateData+12Ej
		cmp	[ebp+arg_8], 0
		jnz	loc_7A1EC8

loc_7A1D04:				; CODE XREF: ExpWnfWriteStateData+25Aj
		mov	eax, [esi+34h]
		lea	ecx, [eax-1]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		jz	loc_7A1DB1
		mov	eax, [ebp+var_64]

loc_7A1D19:				; CODE XREF: ExpWnfWriteStateData+13Ej
		mov	edi, ecx
		test	ecx, ecx
		jz	short loc_7A1D28
		cmp	[ecx+4], eax
		jb	loc_7A1F63

loc_7A1D28:				; CODE XREF: ExpWnfWriteStateData+9Fj
					; ExpWnfWriteStateData+223j ...
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [esi+38h]
		inc	eax

loc_7A1D30:				; CODE XREF: ExpWnfWriteStateData+147E19j
		mov	[ebp+var_80], eax
		mov	[ebp+var_60], eax
		test	eax, eax
		jz	loc_8E9A94
		test	edi, edi
		jz	loc_7A1EBC
		push	[ebp+var_64]	; size_t
		push	[ebp+var_70]	; void *
		lea	eax, [edi+10h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+var_64]
		mov	[edi+8], ecx
		lea	edx, [edi+0Ch]
		mov	eax, [ebp+var_60]
		mov	[edx], eax
		mov	ecx, [esi+3Ch]
		mov	[ebp+var_70], ecx
		test	ecx, ecx
		mov	ecx, [ebp+var_64]
		jnz	loc_7A1F3B

loc_7A1D77:				; CODE XREF: ExpWnfWriteStateData+2E0j
		cmp	edi, ebx
		jz	loc_7A1EA6

loc_7A1D7F:				; CODE XREF: ExpWnfWriteStateData+239j
					; ExpWnfWriteStateData+245j
		lea	ecx, [esi+38h]
		xchg	eax, [ecx]

loc_7A1D84:				; CODE XREF: ExpWnfWriteStateData+147E28j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		or	eax, 0FFFFFFFFh
		call	sub_7A1F8F
		mov	eax, [ebp+var_74]

loc_7A1D96:				; CODE XREF: ExpWnfWriteStateData+280j
					; ExpWnfWriteStateData+147DE1j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7A1DA8:				; CODE XREF: ExpWnfWriteStateData+76j
		or	byte ptr [eax+0Eh], 1
		jmp	loc_7A1CFA
; 

loc_7A1DB1:				; CODE XREF: ExpWnfWriteStateData+92j
		cmp	dword ptr [esi+3Ch], 0
		jnz	short loc_7A1DC2
		mov	eax, [ebp+var_64]
		test	eax, eax
		jz	loc_7A1D19

loc_7A1DC2:				; CODE XREF: ExpWnfWriteStateData+137j
					; ExpWnfWriteStateData+2E8j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7A1F83

loc_7A1DD3:				; CODE XREF: ExpWnfWriteStateData+30Cj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [esi+18h]
		mov	eax, [esi+1Ch]
		shrd	ecx, eax, 4
		and	ecx, 3
		cmp	cl, 3
		jnz	loc_7A1F09
		mov	eax, ds:_PsInitialSystemProcess
		cmp	eax, [esi+54h]
		jz	loc_7A1F09
		mov	ecx, [esi+54h]
		test	ecx, ecx
		jz	loc_8E9A5A
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	ecx, eax
		jnz	loc_8E9A64
		and	[ebp+var_60], 0

loc_7A1E21:				; CODE XREF: ExpWnfWriteStateData+147DF8j
		push	20666E57h
		mov	eax, [ebp+var_64]
		add	eax, 10h
		push	eax
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	ebx, eax
		mov	[ebp+var_68], ebx
		cmp	[ebp+var_60], 0
		jnz	loc_8E9A7B

loc_7A1E43:				; CODE XREF: ExpWnfWriteStateData+2A3j
					; ExpWnfWriteStateData+147E07j
		test	ebx, ebx
		jz	loc_8E9A8A
		xor	ecx, ecx
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], ecx
		mov	eax, 904h
		mov	[ebx], ax
		push	10h
		pop	eax
		mov	[ebx+2], ax
		mov	eax, [ebp+var_64]
		mov	[ebx+4], eax
		push	ecx
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	[ebp+var_60], eax
		lock bts dword ptr [edi], 0
		jnb	short loc_7A1E89
		push	edi
		mov	edx, eax
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_60]

loc_7A1E89:				; CODE XREF: ExpWnfWriteStateData+1FCj
		test	eax, eax
		jnz	short loc_7A1F03

loc_7A1E8D:				; CODE XREF: ExpWnfWriteStateData+289j
		mov	eax, [esi+34h]
		lea	edi, [eax-1]
		neg	edi
		sbb	edi, edi
		and	edi, eax
		jnz	loc_7A1F6B

loc_7A1E9F:				; CODE XREF: ExpWnfWriteStateData+2F3j
		mov	edi, ebx
		jmp	loc_7A1D28
; 

loc_7A1EA6:				; CODE XREF: ExpWnfWriteStateData+FBj
		mov	eax, [esi+34h]
		mov	[ebp+var_6C], eax
		mov	[esi+34h], edi
		xor	ebx, ebx
		mov	[ebp+var_68], ebx
		mov	eax, [ebp+var_60]
		jmp	loc_7A1D7F
; 

loc_7A1EBC:				; CODE XREF: ExpWnfWriteStateData+C2j
		mov	dword ptr [esi+34h], 1
		jmp	loc_7A1D7F
; 

loc_7A1EC8:				; CODE XREF: ExpWnfWriteStateData+80j
		cmp	dword ptr [esi+34h], 0
		jz	loc_7A1F7C
		mov	eax, [esi+38h]

loc_7A1ED5:				; CODE XREF: ExpWnfWriteStateData+300j
		cmp	eax, [ebp+arg_4]
		jz	loc_7A1D04
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7A1EF2
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_7A1EF2:				; CODE XREF: ExpWnfWriteStateData+26Bj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, 0C0000001h
		jmp	loc_7A1D96
; 

loc_7A1F03:				; CODE XREF: ExpWnfWriteStateData+20Dj
		or	byte ptr [eax+0Eh], 1
		jmp	short loc_7A1E8D
; 

loc_7A1F09:				; CODE XREF: ExpWnfWriteStateData+16Cj
					; ExpWnfWriteStateData+17Aj
		push	20666E57h
		mov	eax, [ebp+var_64]
		add	eax, 10h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_68], ebx
		jmp	loc_7A1E43
; 

loc_7A1F26:				; CODE XREF: ExpWnfWriteStateData+42j
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		lea	ecx, [ebp+var_7C]
		call	_ExpWnfComposeValueName@12 ; ExpWnfComposeValueName(x,x,x)
		xor	ecx, ecx
		jmp	loc_7A1CC6
; 

loc_7A1F3B:				; CODE XREF: ExpWnfWriteStateData+F3j
		lea	eax, [ecx+4]
		push	eax
		push	edx
		push	3
		push	0
		lea	eax, [ebp+var_7C]
		push	eax
		push	[ebp+var_70]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	[ebp+var_74], eax
		test	eax, eax
		js	loc_8E9A9C
		mov	eax, [ebp+var_60]
		jmp	loc_7A1D77
; 

loc_7A1F63:				; CODE XREF: ExpWnfWriteStateData+A4j
		lea	edi, [esi+30h]
		jmp	loc_7A1DC2
; 

loc_7A1F6B:				; CODE XREF: ExpWnfWriteStateData+21Bj
		mov	eax, [ebp+var_64]
		cmp	[edi+4], eax
		jb	loc_7A1E9F
		jmp	loc_7A1D28
; 

loc_7A1F7C:				; CODE XREF: ExpWnfWriteStateData+24Ej
		xor	eax, eax
		jmp	loc_7A1ED5
; 

loc_7A1F83:				; CODE XREF: ExpWnfWriteStateData+14Fj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7A1DD3
ExpWnfWriteStateData endp


;  S U B	R O U T	I N E 


sub_7A1F8F	proc near		; CODE XREF: ExpWnfWriteStateData+110p
					; sub_8E9AAB+Cj

; FUNCTION CHUNK AT 008E9ABC SIZE 00000010 BYTES

		add	esi, 30h
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7A1FC5

loc_7A1F9C:				; CODE XREF: sub_7A1F8F+3Dj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, [ebp-6Ch]
		test	eax, eax
		jnz	short loc_7A1FB3

loc_7A1FAA:				; CODE XREF: sub_7A1F8F+27j
					; sub_7A1F8F+34j
		test	ebx, ebx
		jnz	loc_8E9ABC

locret_7A1FB2:				; CODE XREF: sub_7A1F8F+147B38j
		retn
; 

loc_7A1FB3:				; CODE XREF: sub_7A1F8F+19j
		cmp	eax, 1
		jz	short loc_7A1FAA
		push	20666E57h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7A1FAA
; 

loc_7A1FC5:				; CODE XREF: sub_7A1F8F+Bj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7A1F9C
sub_7A1F8F	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfNotifyNameSubscribers(x, x, x, x)
_ExpWnfNotifyNameSubscribers@16	proc near ; CODE XREF: ExpWnfDeleteSubscription+240p
					; ExpWnfDeleteSubscription+32Ap ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_14], 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		lea	ebx, [eax+40h]
		mov	[esp+20h+var_8], edx
		xor	esi, esi
		mov	[esp+20h+var_10], eax
		inc	esi
		mov	[esp+20h+var_4], ebx
		push	0
		xor	edx, edx
		mov	[esp+24h+var_C], esi
		mov	ecx, ebx
		call	KeAbPreAcquire
		push	11h
		mov	edi, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jz	short loc_7A201C
		push	ebx
		mov	edx, edi
		mov	ecx, ebx
		call	ExfAcquirePushLockSharedEx

loc_7A201C:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+42j
		test	edi, edi
		jnz	short loc_7A209E

loc_7A2020:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+D4j
		mov	eax, [esp+20h+var_10]
		add	eax, 44h
		mov	edi, [eax]
		cmp	edi, eax
		jz	short loc_7A2068
		mov	ebx, esi

loc_7A202F:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+90j
		test	ebx, ebx
		jz	short loc_7A203A
		test	[edi+14h], esi
		jz	short loc_7A203A
		xor	ebx, ebx

loc_7A203A:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+63j
					; ExpWnfNotifyNameSubscribers(x,x,x,x)+68j
		mov	edx, [esp+20h+var_8]
		lea	ecx, [edi-28h]
		call	_ExpWnfInsertSubscriptionInPendingQueue@8 ; ExpWnfInsertSubscriptionInPendingQueue(x,x)
		mov	ecx, [edi-10h]
		mov	edx, [ecx+39Ch]
		test	eax, eax
		jnz	short loc_7A20CA

loc_7A2053:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+109j
					; ExpWnfNotifyNameSubscribers(x,x,x,x)+118j ...
		mov	eax, [esp+20h+var_10]
		mov	edi, [edi]
		add	eax, 44h
		cmp	edi, eax
		jnz	short loc_7A202F
		mov	[esp+20h+var_C], ebx
		mov	ebx, [esp+20h+var_4]

loc_7A2068:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+5Dj
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	short loc_7A20A7

loc_7A2076:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+E0j
		mov	ecx, ebx
		call	KeAbPostRelease
		cmp	[esp+20h+var_C], 0
		mov	edi, [ebp+arg_0]
		mov	ebx, [esp+20h+var_14]
		jz	short loc_7A2091
		test	[esp+20h+var_8], esi
		jnz	short loc_7A20B0

loc_7A2091:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+BBj
					; ExpWnfNotifyNameSubscribers(x,x,x,x)+FAj
		test	ebx, ebx
		jnz	short loc_7A20F4

loc_7A2095:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+128j
					; ExpWnfNotifyNameSubscribers(x,x,x,x)+132j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7A209E:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+50j
		or	byte ptr [edi+0Eh], 1
		jmp	loc_7A2020
; 

loc_7A20A7:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+A6j
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7A2076
; 

loc_7A20B0:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+C1j
		test	ebx, ebx
		jnz	short loc_7A2102
		test	edi, edi
		jz	short loc_7A2102

loc_7A20B8:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+136j
		push	[ebp+arg_4]
		mov	ecx, [esp+24h+var_10]
		push	esi
		push	8
		pop	edx
		call	_ExpWnfNotifyNameSubscribers@16	; ExpWnfNotifyNameSubscribers(x,x,x,x)
		jmp	short loc_7A2091
; 

loc_7A20CA:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+83j
		cmp	ecx, ds:_PsInitialSystemProcess
		jz	short loc_7A20EB
		mov	eax, [edx+40h]
		test	eax, eax
		jz	loc_7A2053
		push	0
		push	esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_7A2053
; 

loc_7A20EB:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+102j
		mov	[esp+20h+var_14], esi
		jmp	loc_7A2053
; 

loc_7A20F4:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+C5j
		test	edi, edi
		jz	short loc_7A2095
		mov	ecx, [ebp+arg_4]
		call	_ExpWnfStartKernelDispatcher@4 ; ExpWnfStartKernelDispatcher(x)
		jmp	short loc_7A2095
; 

loc_7A2102:				; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+E4j
					; ExpWnfNotifyNameSubscribers(x,x,x,x)+E8j
		xor	esi, esi
		jmp	short loc_7A20B8
_ExpWnfNotifyNameSubscribers@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfInsertSubscriptionInPendingQueue(x, x)
_ExpWnfInsertSubscriptionInPendingQueue@8 proc near
					; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+73p
					; ExpWnfNotifySubscription(x,x,x,x)+45p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_7A2177
		mov	eax, [eax+39Ch]
		xor	ebx, ebx
		push	ebx
		xor	edx, edx
		mov	[ebp+var_C], eax
		lea	edi, [eax+34h]
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	[ebp+var_8], eax
		lock bts dword ptr [edi], 0
		jnb	short loc_7A214C
		push	edi
		mov	edx, eax
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_8]

loc_7A214C:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+37j
		test	eax, eax
		jnz	loc_7A21EC

loc_7A2154:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+EAj
		mov	eax, [ebp+var_4]
		and	eax, [esi+3Ch]
		mov	[ebp+var_4], eax
		jnz	short loc_7A217E
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7A21FC

loc_7A2170:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+FDj
		mov	ecx, edi
		call	KeAbPostRelease

loc_7A2177:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+15j
		xor	eax, eax

loc_7A2179:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+E4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7A217E:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+57j
		mov	eax, [esi+48h]
		test	eax, eax
		jnz	short loc_7A21F5
		mov	ecx, [ebp+var_C]
		lea	eax, [esi+40h]
		add	ecx, 38h
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_7A2211
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax

loc_7A219F:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+F4j
		xor	ebx, ebx
		inc	ebx
		mov	[esi+48h], ebx

loc_7A21A5:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+F2j
		mov	eax, [esi+50h]
		mov	edx, [esi+4Ch]
		or	eax, edx
		test	al, 1
		setz	cl
		test	byte ptr [ebp+var_4], 1
		setnz	al
		test	cl, al
		jz	short loc_7A21C9
		mov	eax, [esi+1Ch]
		add	eax, 5Ch
		lock inc dword ptr [eax]
		mov	edx, [esi+4Ch]

loc_7A21C9:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+B5j
		or	edx, [ebp+var_4]
		and	edx, [esi+3Ch]
		mov	[esi+4Ch], edx
		or	edx, 0FFFFFFFFh
		lock xadd [edi], edx
		and	dl, 6
		cmp	dl, 2
		jz	short loc_7A2208

loc_7A21E1:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+109j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, ebx
		jmp	short loc_7A2179
; 

loc_7A21EC:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+48j
		or	byte ptr [eax+0Eh], 1
		jmp	loc_7A2154
; 

loc_7A21F5:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+7Dj
		cmp	eax, 3
		jnz	short loc_7A21A5
		jmp	short loc_7A219F
; 

loc_7A21FC:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+64j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7A2170
; 

loc_7A2208:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+D9j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7A21E1
; 

loc_7A2211:				; CODE XREF: ExpWnfInsertSubscriptionInPendingQueue(x,x)+8Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExpWnfInsertSubscriptionInPendingQueue@8 endp ; AL = character	to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfPopulateStateData	proc near	; CODE XREF: ExpWnfCreateNameInstance+DDp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E9ACC SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, [edi+18h]
		mov	edx, ecx
		mov	esi, [edi+1Ch]
		mov	eax, esi
		shrd	edx, eax, 6
		and	edx, 0Fh
		cmp	dl, 5
		jz	loc_7A232D

loc_7A224B:				; CODE XREF: ExpWnfPopulateStateData+13Aj
					; ExpWnfPopulateStateData+1478D3j
		cmp	dword ptr [edi+34h], 0
		jnz	short loc_7A2257
		cmp	dword ptr [edi+3Ch], 0
		jnz	short loc_7A226B

loc_7A2257:				; CODE XREF: ExpWnfPopulateStateData+39j
					; ExpWnfPopulateStateData+108j	...
		xor	eax, eax

loc_7A2259:				; CODE XREF: ExpWnfPopulateStateData+1478E3j
					; ExpWnfPopulateStateData+14790Cj ...
		mov	ecx, [esp+48h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7A226B:				; CODE XREF: ExpWnfPopulateStateData+3Fj
		mov	ebx, [edi+24h]
		lea	eax, [ebx+10h]

loc_7A2271:				; CODE XREF: ExpWnfPopulateStateData+1478FAj
		push	20666E57h
		push	eax
		push	1
		mov	[esp+54h+var_30], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8E9B27
		and	[esp+48h+var_38], 0
		lea	ecx, [esp+48h+var_38]
		push	22h
		pop	eax
		push	dword ptr [edi+1Ch]
		mov	word ptr [esp+4Ch+var_38+2], ax
		lea	eax, [esp+4Ch+var_28]
		push	dword ptr [edi+18h]
		mov	[esp+50h+var_34], eax
		call	_ExpWnfComposeValueName@12 ; ExpWnfComposeValueName(x,x,x)
		lea	ecx, [esp+48h+var_3C]
		push	ecx
		lea	eax, [ebx+10h]
		push	eax
		push	esi
		mov	[esp+54h+var_3C], eax
		lea	eax, [esp+54h+var_38]
		push	2
		push	eax
		push	dword ptr [edi+3Ch]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	ebx, eax
		cmp	ebx, 0C0000034h
		jz	short loc_7A2323
		cmp	ebx, 0C0000023h
		jz	loc_8E9AFE
		test	ebx, ebx
		js	loc_8E9B15
		cmp	dword ptr [esi+4], 3
		jnz	short loc_7A235B
		mov	eax, [esi+8]
		cmp	eax, 4
		jb	short loc_7A235B
		add	eax, 0FFFFFFFCh
		mov	[esi+8], eax

loc_7A22FF:				; CODE XREF: ExpWnfPopulateStateData+115j
		mov	eax, 904h
		mov	[esi], ax
		push	10h
		pop	eax
		mov	[esi+2], ax
		mov	eax, [esp+48h+var_30]
		mov	[esi+4], eax
		mov	eax, [esi+0Ch]
		mov	[edi+38h], eax
		mov	[edi+34h], esi
		jmp	loc_7A2257
; 

loc_7A2323:				; CODE XREF: ExpWnfPopulateStateData+BFj
		and	dword ptr [esi+8], 0
		and	dword ptr [esi+0Ch], 0
		jmp	short loc_7A22FF
; 

loc_7A232D:				; CODE XREF: ExpWnfPopulateStateData+2Fj
		mov	ebx, _ExpCrossVmIntExtensionHostGuest
		xor	ecx, 0A3BC0074h
		mov	[esp+48h+var_30], ecx
		xor	esi, 41C64E6Dh
		mov	ecx, ebx
		mov	[esp+48h+var_2C], esi
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	loc_7A224B
		jmp	loc_8E9ACC
; 

loc_7A235B:				; CODE XREF: ExpWnfPopulateStateData+D9j
					; ExpWnfPopulateStateData+E1j
		mov	ebx, 0C0000001h
		jmp	loc_8E9B15
ExpWnfPopulateStateData	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfSpecializeSecurityDescriptor(x)
_ExpWnfSpecializeSecurityDescriptor@4 proc near	; CODE XREF: ExpWnfLookupPermanentName+E9p
					; NtCreateWnfStateName+7Dp

var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp-2]
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	byte ptr [ebp+var_1], 0
		push	eax
		lea	eax, [ebp+var_1]
		mov	esi, ecx
		push	eax
		push	esi
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)
		mov	edi, offset _ExpWnfNotificationMapping
		test	eax, eax
		js	short loc_7A23A8
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_7A23A8
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_7A23A8
		mov	edx, edi
		call	_RtlpApplyAclToObject@8	; RtlpApplyAclToObject(x,x)

loc_7A23A8:				; CODE XREF: ExpWnfSpecializeSecurityDescriptor(x)+2Cj
					; ExpWnfSpecializeSecurityDescriptor(x)+32j ...
		lea	eax, [ebp-2]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		push	esi
		call	_RtlGetSaclSecurityDescriptor@16 ; RtlGetSaclSecurityDescriptor(x,x,x,x)
		test	eax, eax
		js	short loc_7A23C4
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_7A23C8

loc_7A23C4:				; CODE XREF: ExpWnfSpecializeSecurityDescriptor(x)+56j
					; ExpWnfSpecializeSecurityDescriptor(x)+67j ...
		pop	edi
		pop	esi
		leave
		retn
; 

loc_7A23C8:				; CODE XREF: ExpWnfSpecializeSecurityDescriptor(x)+5Cj
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_7A23C4
		mov	edx, edi
		call	_RtlpApplyAclToObject@8	; RtlpApplyAclToObject(x,x)
		jmp	short loc_7A23C4
_ExpWnfSpecializeSecurityDescriptor@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2137. RtlGetSaclSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetSaclSecurityDescriptor(x, x, x, x)
		public _RtlGetSaclSecurityDescriptor@16
_RtlGetSaclSecurityDescriptor@16 proc near ; CODE XREF:	AdtpGetCapID(x,x)+25p
					; ExpWnfSpecializeSecurityDescriptor(x)+4Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	byte ptr [esi],	1
		jnz	short loc_7A243E
		mov	ax, [esi+2]
		and	ax, 10h
		movzx	edx, ax
		mov	eax, [ebp+arg_4]
		test	dx, dx
		setnz	cl
		mov	[eax], cl
		test	dx, dx
		jnz	short loc_7A240E

loc_7A2407:				; CODE XREF: RtlGetSaclSecurityDescriptor(x,x,x,x)+5Ej
		xor	eax, eax

loc_7A2409:				; CODE XREF: RtlGetSaclSecurityDescriptor(x,x,x,x)+65j
		pop	esi
		pop	ebp
		retn	10h
; 

loc_7A240E:				; CODE XREF: RtlGetSaclSecurityDescriptor(x,x,x,x)+27j
		movzx	eax, word ptr [esi+2]
		mov	ecx, eax
		test	al, 10h
		jz	short loc_7A2445
		test	cx, cx
		mov	ecx, [esi+0Ch]
		jns	short loc_7A2429
		lea	eax, [ecx+esi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_7A2429:				; CODE XREF: RtlGetSaclSecurityDescriptor(x,x,x,x)+40j
					; RtlGetSaclSecurityDescriptor(x,x,x,x)+69j
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		mov	cl, [esi+2]
		mov	eax, [ebp+arg_C]
		shr	cl, 5
		and	cl, 1
		mov	[eax], cl
		jmp	short loc_7A2407
; 

loc_7A243E:				; CODE XREF: RtlGetSaclSecurityDescriptor(x,x,x,x)+Cj
		mov	eax, 0C0000058h
		jmp	short loc_7A2409
; 

loc_7A2445:				; CODE XREF: RtlGetSaclSecurityDescriptor(x,x,x,x)+38j
		xor	ecx, ecx
		jmp	short loc_7A2429
_RtlGetSaclSecurityDescriptor@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspReferenceTokenForNewProcess(x, x, x, x)
_PspReferenceTokenForNewProcess@16 proc	near ; CODE XREF: PAGE:007A2C70p
					; PspCreateProcess+165p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		test	edx, edx
		jnz	short loc_7A246D
		test	ecx, ecx
		jz	short loc_7A2491
		push	ecx
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax

loc_7A2461:				; CODE XREF: PspReferenceTokenForNewProcess(x,x,x,x)+43j
					; PspReferenceTokenForNewProcess(x,x,x,x)+54j
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		xor	eax, eax

loc_7A2468:				; CODE XREF: PspReferenceTokenForNewProcess(x,x,x,x)+45j
		pop	esi
		leave
		retn	8
; 

loc_7A246D:				; CODE XREF: PspReferenceTokenForNewProcess(x,x,x,x)+9j
		mov	eax, ds:_SeTokenObjectType
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	0
		push	ecx
		push	[ebp+arg_0]
		push	eax
		push	1
		push	edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp+var_4]
		test	eax, eax
		jns	short loc_7A2461
		jmp	short loc_7A2468
; 

loc_7A2491:				; CODE XREF: PspReferenceTokenForNewProcess(x,x,x,x)+Dj
		mov	esi, ds:_PspBootAccessToken
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		jmp	short loc_7A2461
_PspReferenceTokenForNewProcess@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeQuerySigningPolicy proc near		; CODE XREF: PAGE:007A2D4Ep
					; PAGE:007A2FD9p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008E9B31 SIZE 0000009B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	bl, ds:_SeILSigningPolicy
		mov	eax, edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ecx
		push	esi
		push	edi
		test	bl, bl
		jnz	short loc_7A24C3
		mov	bl, _SeILSigningPolicyRuntime

loc_7A24C3:				; CODE XREF: SeQuerySigningPolicy+1Bj
		push	[ebp+arg_10]
		mov	edi, [ebp+arg_C]
		mov	ecx, eax
		mov	esi, [ebp+arg_8]
		mov	edx, [ebp+arg_0]
		push	edi
		push	esi
		mov	byte ptr [ebp+var_4], bl
		push	[ebp+var_4]
		push	[ebp+arg_4]
		call	SepIsMinTCB
		mov	[ebp+arg_C], eax
		test	eax, eax
		jns	short loc_7A2562
		push	[ebp+arg_10]
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		push	edi
		push	esi
		push	[ebp+var_4]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_SeQuerySigningPolicyWorker@32 ; SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+arg_C], ecx
		test	ecx, ecx
		js	short loc_7A253D

loc_7A250A:				; CODE XREF: SeQuerySigningPolicy+C4j
		mov	eax, [ebp+arg_10]
		movzx	eax, byte ptr [eax]
		and	eax, 7
		sub	eax, 1
		jz	short loc_7A255D
		sub	eax, 1
		jz	short loc_7A2566

loc_7A251D:				; CODE XREF: SeQuerySigningPolicy+C0j
					; SeQuerySigningPolicy+CCj
		test	ecx, ecx
		js	short loc_7A253D
		mov	cl, [esi]
		mov	al, cl
		and	al, 0Fh
		cmp	al, 8
		jz	short loc_7A253D
		mov	eax, dword_6BEA40
		test	eax, eax
		jz	short loc_7A253D
		push	8
		push	ecx
		call	eax
		test	eax, eax
		jnz	short loc_7A2547

loc_7A253D:				; CODE XREF: SeQuerySigningPolicy+68j
					; SeQuerySigningPolicy+7Fj ...
		mov	eax, [ebp+arg_C]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7A2547:				; CODE XREF: SeQuerySigningPolicy+9Bj
		mov	eax, _SeCiDebugOptions
		test	al, 4
		jnz	loc_8E9B4B
		test	al, 2
		jz	short loc_7A253D
		jmp	loc_8E9B31
; 

loc_7A255D:				; CODE XREF: SeQuerySigningPolicy+76j
		or	byte ptr [esi],	30h
		jmp	short loc_7A251D
; 

loc_7A2562:				; CODE XREF: SeQuerySigningPolicy+46j
		mov	ecx, eax
		jmp	short loc_7A250A
; 

loc_7A2566:				; CODE XREF: SeQuerySigningPolicy+7Bj
		or	byte ptr [esi],	10h
		or	byte ptr [edi],	10h
		jmp	short loc_7A251D
SeQuerySigningPolicy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepIsMinTCB	proc near		; CODE XREF: SeQuerySigningPolicy+3Cp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008E9BCC SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		mov	esi, ecx
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		xor	edx, edx
		lea	ecx, [eax+1A4h]
		xor	eax, eax
		lea	edi, [ecx+10h]
		lock cmpxchg [edi], edx
		test	eax, eax
		jz	loc_7A266A

loc_7A25AB:				; CODE XREF: SepIsMinTCB+103j
		test	esi, esi
		jz	short loc_7A25E6
		mov	edx, [edi]
		push	2Ah
		pop	eax
		movzx	edi, word ptr [edx]
		cmp	di, ax
		jb	loc_8E9BCC

loc_7A25C0:				; CODE XREF: SepIsMinTCB+147660j
		movzx	ebx, word ptr [esi]
		mov	ecx, ebx
		mov	[ebp+var_8], ecx
		cmp	ecx, eax
		jbe	short loc_7A25E6
		mov	eax, [esi+4]
		push	1
		mov	[ebp+var_C], eax
		push	esi
		cmp	word ptr [eax+2], 3Fh
		jnz	short loc_7A2653
		push	edx
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_7A25F2

loc_7A25E6:				; CODE XREF: SepIsMinTCB+3Fj
					; SepIsMinTCB+5Cj ...
		mov	eax, 0C0000225h

loc_7A25EB:				; CODE XREF: SepIsMinTCB+CCj
					; SepIsMinTCB+D5j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7A25F2:				; CODE XREF: SepIsMinTCB+76j
		mov	word ptr [ebp+var_18], di

loc_7A25F6:				; CODE XREF: SepIsMinTCB+FAj
		push	[ebp+arg_10]
		sub	ebx, [ebp+var_18]
		push	[ebp+arg_C]
		mov	ecx, [ebp+var_8]
		push	[ebp+arg_8]
		mov	esi, [ebp+var_10]
		push	[ebp+arg_4]
		movzx	eax, bx
		push	[ebp+arg_0]
		sub	ecx, eax
		mov	word ptr [ebp+var_18], bx
		mov	eax, [ebp+var_C]
		shr	ecx, 1
		push	esi
		mov	word ptr [ebp+var_18+2], bx
		lea	eax, [eax+ecx*2]
		mov	ecx, offset _SeMsMinTCBList
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	10h
		pop	edx
		call	SepIsImageInMinTcbList
		test	eax, eax
		jns	short loc_7A25EB
		test	byte ptr _SeCiDebugOptions, 1
		jnz	short loc_7A25EB
		cmp	_KdDebuggerEnabled, 0
		jz	short loc_7A25EB
		jmp	loc_8E9BD3
; 

loc_7A2653:				; CODE XREF: SepIsMinTCB+6Cj
		push	offset dword_4010F0
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_7A25E6
		push	2Ah
		pop	eax
		mov	word ptr [ebp+var_18], ax
		jmp	short loc_7A25F6
; 

loc_7A266A:				; CODE XREF: SepIsMinTCB+37j
		call	SepSetSystemPaths
		test	eax, eax
		jns	loc_7A25AB
		jmp	loc_7A25EB
SepIsMinTCB	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCreateUserProcessEcp(x, x)
_PspCreateUserProcessEcp@8 proc	near	; CODE XREF: PAGE:007A2DCDp

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	esi, offset _GUID_ECP_CREATE_USER_PROCESS
		mov	[ebp+var_C], edx
		lea	edi, [ebp+var_20]
		mov	[ebp+var_10], ecx
		xor	eax, eax
		xor	ebx, ebx
		and	[ebp+var_4], ebx
		movsd
		push	14h
		mov	[ebp+var_8], ebx
		movsd
		movsd
		movsd
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		stosd
		pop	eax
		mov	[ecx], ax
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		mov	dword ptr [ecx+10h], 1
		call	FsRtlAllocateExtraCreateParameterList
		mov	edi, eax
		test	edi, edi
		js	short loc_7A2720
		lea	eax, [ebp+var_8]
		push	eax
		push	70437350h
		push	ebx
		push	ebx
		push	8
		pop	esi
		push	esi
		lea	eax, [ebp+var_20]
		push	eax
		call	FsRtlAllocateExtraCreateParameter
		mov	ebx, [ebp+var_8]
		mov	edi, eax
		test	edi, edi
		js	short loc_7A2720
		mov	[ebx], si
		xor	eax, eax
		mov	esi, [ebp+var_4]
		mov	[ebx+2], ax
		mov	eax, [ebp+var_C]
		push	ebx
		push	esi
		mov	[ebx+4], eax
		call	FsRtlInsertExtraCreateParameter
		mov	edi, eax
		test	edi, edi
		js	short loc_7A2711
		mov	eax, [ebp+var_10]
		xor	ebx, ebx
		mov	[eax+4], esi
		xor	esi, esi

loc_7A2711:				; CODE XREF: PspCreateUserProcessEcp(x,x)+89j
					; PspCreateUserProcessEcp(x,x)+A7j
		test	esi, esi
		jnz	short loc_7A2725

loc_7A2715:				; CODE XREF: PspCreateUserProcessEcp(x,x)+AFj
		test	ebx, ebx
		jnz	short loc_7A272D

loc_7A2719:				; CODE XREF: PspCreateUserProcessEcp(x,x)+B7j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7A2720:				; CODE XREF: PspCreateUserProcessEcp(x,x)+49j
					; PspCreateUserProcessEcp(x,x)+6Aj
		mov	esi, [ebp+var_4]
		jmp	short loc_7A2711
; 

loc_7A2725:				; CODE XREF: PspCreateUserProcessEcp(x,x)+97j
		push	esi
		call	FsRtlFreeExtraCreateParameterList
		jmp	short loc_7A2715
; 

loc_7A272D:				; CODE XREF: PspCreateUserProcessEcp(x,x)+9Bj
		push	ebx
		call	_FsRtlFreeExtraCreateParameter@4 ; FsRtlFreeExtraCreateParameter(x)
		jmp	short loc_7A2719
_PspCreateUserProcessEcp@8 endp

; 
		align 10h
; Exported entry 556. FsRtlInsertExtraCreateParameter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlInsertExtraCreateParameter
FsRtlInsertExtraCreateParameter	proc near ; CODE XREF: PspCreateUserProcessEcp(x,x)+80p
					; IopSymlinkAllocateAndAddECP+5Ap ...

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E9C06 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		add	edi, 8
		mov	ebx, [edi]
		cmp	ebx, edi
		jnz	short loc_7A2778

loc_7A2754:				; CODE XREF: FsRtlInsertExtraCreateParameter+6Ej
		mov	ecx, [edi+4]
		mov	eax, [ebp+arg_4]
		add	eax, 0FFFFFFD4h
		cmp	[ecx], edi
		jnz	loc_8E9C06
		mov	[eax], edi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edi+4], eax
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7A2778:				; CODE XREF: FsRtlInsertExtraCreateParameter+12j
		mov	eax, [ebp+arg_4]
		add	eax, 0FFFFFFDCh
		mov	[ebp+arg_0], eax

loc_7A2781:				; CODE XREF: FsRtlInsertExtraCreateParameter+70j
		lea	edx, [ebx+8]
		mov	esi, 0Ch
		lea	esp, [esp+0]

loc_7A2790:				; CODE XREF: FsRtlInsertExtraCreateParameter+5Fj
		mov	ecx, [edx]
		cmp	ecx, [eax]
		jnz	short loc_7A27B2
		add	edx, 4
		add	eax, 4
		sub	esi, 4
		jnb	short loc_7A2790

loc_7A27A1:				; CODE XREF: FsRtlInsertExtraCreateParameter+8Cj
		xor	eax, eax

loc_7A27A3:				; CODE XREF: FsRtlInsertExtraCreateParameter+93j
		test	eax, eax
		jz	short loc_7A27D5
		mov	ebx, [ebx]
		mov	eax, [ebp+arg_0]
		cmp	ebx, edi
		jz	short loc_7A2754
		jmp	short loc_7A2781
; 

loc_7A27B2:				; CODE XREF: FsRtlInsertExtraCreateParameter+54j
		cmp	cl, [eax]
		jnz	short loc_7A27CE
		mov	cl, [edx+1]
		cmp	cl, [eax+1]
		jnz	short loc_7A27CE
		mov	cl, [edx+2]
		cmp	cl, [eax+2]
		jnz	short loc_7A27CE
		mov	cl, [edx+3]
		cmp	cl, [eax+3]
		jz	short loc_7A27A1

loc_7A27CE:				; CODE XREF: FsRtlInsertExtraCreateParameter+74j
					; FsRtlInsertExtraCreateParameter+7Cj ...
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_7A27A3
; 

loc_7A27D5:				; CODE XREF: FsRtlInsertExtraCreateParameter+65j
		or	dword ptr [ebx+1Ch], 4
		mov	eax, 0C000000Dh
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
FsRtlInsertExtraCreateParameter	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 472. FsRtlAllocateExtraCreateParameter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlAllocateExtraCreateParameter
FsRtlAllocateExtraCreateParameter proc near ; CODE XREF: PspCreateUserProcessEcp(x,x)+5Ep
					; FsRtlAllocateExtraCreateParameterFromLookasideList+13CAA4p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008E9C17 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_14]
		mov	edx, [ebp+arg_4]
		push	esi
		xor	esi, esi
		mov	[eax], esi
		lea	eax, [ebp+var_4]
		push	eax
		push	34h
		pop	ecx
		mov	[ebp+var_4], esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jnz	loc_8E9C0D
		mov	eax, [ebp+arg_8]
		and	eax, 2
		push	ebx
		push	[ebp+arg_10]
		mov	ebx, eax
		push	[ebp+var_4]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 40h
		add	ebx, 2
		neg	eax
		sbb	eax, eax
		and	eax, 1FFh
		inc	eax
		test	byte ptr [ebp+arg_8], 1
		jnz	loc_8E9C17
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_7A2845:				; CODE XREF: FsRtlAllocateExtraCreateParameter+147436j
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_7A288D
		mov	eax, [ebp+arg_C]
		mov	[ecx+4], esi
		mov	[ecx+0Ch], esi
		mov	[ecx+8], esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	dword ptr [ecx], 48706345h
		lea	edi, [ecx+10h]
		movsd
		movsd
		movsd
		movsd
		and	dword ptr [ecx+2Ch], 0
		and	dword ptr [ecx+30h], 0
		mov	[ecx+20h], eax
		mov	eax, [ebp+var_4]
		mov	[ecx+28h], eax
		lea	eax, [ecx+34h]
		mov	[ecx+24h], ebx
		mov	ecx, [ebp+arg_14]
		pop	edi
		mov	[ecx], eax
		xor	eax, eax

loc_7A2887:				; CODE XREF: FsRtlAllocateExtraCreateParameter+A8j
		pop	ebx

loc_7A2888:				; CODE XREF: FsRtlInsertExtraCreateParameter+1474D2j
		pop	esi
		leave
		retn	18h
; 

loc_7A288D:				; CODE XREF: FsRtlAllocateExtraCreateParameter+5Fj
		mov	eax, 0C000009Ah
		jmp	short loc_7A2887
FsRtlAllocateExtraCreateParameter endp

; 
		align 10h
; Exported entry 474. FsRtlAllocateExtraCreateParameterList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlAllocateExtraCreateParameterList
FsRtlAllocateExtraCreateParameterList proc near
					; CODE XREF: PspCreateUserProcessEcp(x,x)+40p
					; IopSymlinkAllocateAndAddECP+12514Fp

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E9C25 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_0], 1
		push	esi
		mov	esi, [ebp+arg_4]
		mov	dword ptr [esi], 0
		jnz	loc_8E9C25
		inc	dword_6F9E0C
		mov	ecx, offset _FsRtlEcpListLookaside
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	short loc_7A28F0

loc_7A28CD:				; CODE XREF: FsRtlAllocateExtraCreateParameterList+6Ej
		mov	edx, 6

loc_7A28D2:				; CODE XREF: FsRtlAllocateExtraCreateParameterList+147398j
		test	eax, eax
		jz	short loc_7A2910
		lea	ecx, [eax+8]
		mov	[eax+4], edx
		mov	dword ptr [eax], 4C706345h
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	[esi], eax
		xor	eax, eax

loc_7A28EB:				; CODE XREF: FsRtlAllocateExtraCreateParameterList+75j
		pop	esi
		pop	ebp
		retn	8
; 

loc_7A28F0:				; CODE XREF: FsRtlAllocateExtraCreateParameterList+2Bj
		mov	eax, dword_6F9E20
		inc	dword_6F9E10
		push	eax
		mov	eax, dword_6F9E24
		push	eax
		mov	eax, dword_6F9E1C
		push	eax
		call	dword_6F9E28
		jmp	short loc_7A28CD
; 

loc_7A2910:				; CODE XREF: FsRtlAllocateExtraCreateParameterList+34j
		mov	eax, 0C000009Ah
		jmp	short loc_7A28EB
FsRtlAllocateExtraCreateParameterList endp

; 
		align 4

; __stdcall NtCreateUserProcess(x, x, x, x, x, x, x, x,	x, x, x)
_NtCreateUserProcess@44:		; DATA XREF: .text:005810E4o
		push	4C8h
		push	offset dword_6A23C8
		call	__SEH_prolog4_GS
		mov	eax, [ebp+8]
		mov	[ebp-410h], eax
		mov	eax, [ebp+0Ch]
		mov	[ebp-45Ch], eax
		mov	eax, [ebp+18h]
		mov	[ebp-43Ch], eax
		mov	eax, [ebp+1Ch]
		mov	[ebp-474h], eax
		mov	eax, [ebp+28h]
		mov	[ebp-430h], eax
		mov	eax, [ebp+2Ch]
		mov	[ebp-444h], eax
		mov	eax, [ebp+30h]
		mov	[ebp-4A4h], eax
		xor	ebx, ebx
		mov	[ebp-464h], ebx
		mov	[ebp-460h], ebx
		mov	[ebp-418h], ebx
		mov	[ebp-488h], ebx
		mov	[ebp-484h], ebx
		mov	[ebp-404h], ebx
		mov	[ebp-44Ch], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp-4A0h]
		rep stosd
		mov	[ebp-41Ch], ebx
		mov	esi, 144h
		push	esi
		push	ebx
		lea	eax, [ebp-2B8h]
		push	eax
		call	_memset
		mov	[ebp-46Ch], ebx
		mov	[ebp-468h], ebx
		mov	[ebp-420h], bl
		mov	[ebp-414h], bl
		mov	[ebp-438h], bl
		mov	[ebp-428h], bl
		xor	eax, eax
		lea	edi, [ebp-2Ch]
		stosd
		stosd
		stosd
		stosd
		push	esi
		push	ebx
		lea	eax, [ebp-3FCh]
		push	eax
		call	_memset
		add	esp, 18h
		mov	[ebp-470h], ebx
		mov	[ebp-448h], ebx
		mov	[ebp-454h], ebx
		xor	eax, eax
		lea	edi, [ebp-4C4h]
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	[ebp-440h], eax
		mov	esi, [eax+80h]
		mov	[ebp-450h], esi
		mov	[ebp-47Ch], esi
		mov	cl, [eax+15Ah]
		mov	[ebp-3FDh], cl
		mov	[ebp-424h], cl
		mov	[ebp-42Ch], ebx
		mov	[ebp-405h], bl
		xor	eax, eax
		lea	edi, [ebp-4B8h]
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp-4D8h]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebp+20h]
		test	edi, 0FFFB6838h
		jnz	loc_7A3779
		test	dword ptr [ebp+24h], 0FFFFFFFEh
		jnz	loc_7A3779
		mov	eax, edi
		mov	edx, 8400h
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_7A2A9C
		mov	eax, 0C0000030h
		jmp	loc_7A377E
; 

loc_7A2A9C:				; CODE XREF: PAGE:007A2A90j
		mov	[ebp-17Ch], cl
		mov	[ebp-4], ebx
		test	cl, cl
		jz	short loc_7A2AD3
		mov	edx, [ebp-410h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_7A2ABA
		mov	edx, eax

loc_7A2ABA:				; CODE XREF: PAGE:007A2AB6j
		mov	eax, [edx]
		mov	[edx], eax
		mov	edx, [ebp-45Ch]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_7A2ACF
		mov	edx, eax

loc_7A2ACF:				; CODE XREF: PAGE:007A2ACBj
		mov	eax, [edx]
		mov	[edx], eax

loc_7A2AD3:				; CODE XREF: PAGE:007A2AA7j
		mov	eax, [ebp-43Ch]
		test	eax, eax
		jz	short loc_7A2B18
		test	cl, cl
		jz	short loc_7A2AFF
		mov	edx, eax
		test	al, 3
		jnz	loc_7A3796
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_7A2AF6
		mov	edx, eax

loc_7A2AF6:				; CODE XREF: PAGE:007A2AF2j
		nop
		mov	al, [edx]
		mov	eax, [ebp-43Ch]

loc_7A2AFF:				; CODE XREF: PAGE:007A2ADFj
		mov	eax, [eax+0Ch]
		test	cl, cl
		jnz	short loc_7A2B0D
		and	eax, 11FF2h
		jmp	short loc_7A2B12
; 

loc_7A2B0D:				; CODE XREF: PAGE:007A2B04j
		and	eax, 1DF2h

loc_7A2B12:				; CODE XREF: PAGE:007A2B0Bj
		mov	[ebp-180h], eax

loc_7A2B18:				; CODE XREF: PAGE:007A2ADBj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	148h
		push	ebx
		lea	eax, [ebp-174h]
		push	eax
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp-4A4h]
		test	eax, eax
		jz	short loc_7A2B5E
		lea	ecx, [ebp-174h]
		push	ecx
		push	ebx
		mov	bl, [ebp-3FDh]
		mov	dl, bl
		mov	ecx, eax
		call	_PspBuildCreateProcessContext@16 ; PspBuildCreateProcessContext(x,x,x,x)
		test	eax, eax
		jns	short loc_7A2B64
		jmp	loc_7A377E
; 

loc_7A2B5E:				; CODE XREF: PAGE:007A2B3Cj
		mov	bl, [ebp-3FDh]

loc_7A2B64:				; CODE XREF: PAGE:007A2B57j
		mov	eax, [ebp+20h]
		mov	edi, 20000h
		test	al, 40h
		jz	short loc_7A2B91
		test	[ebp-170h], edi
		jz	short loc_7A2B91
		cmp	byte ptr [ebp-8Ch], 0
		jnz	short loc_7A2B91
		and	eax, 0FFFFFFBFh
		mov	[ebp+20h], eax
		and	dword ptr [ebp-170h], 0FFFDFFFFh

loc_7A2B91:				; CODE XREF: PAGE:007A2B6Ej
					; PAGE:007A2B76j ...
		test	al, 4
		jnz	short loc_7A2BA5
		test	dword ptr [ebp-170h], 800h
		jnz	loc_7A370B

loc_7A2BA5:				; CODE XREF: PAGE:007A2B93j
		test	[ebp-170h], edi
		jz	short loc_7A2BB5
		test	al, 40h
		jz	loc_7A370B

loc_7A2BB5:				; CODE XREF: PAGE:007A2BABj
		lea	eax, [ebp-174h]
		push	eax
		mov	edx, [ebp-444h]
		mov	cl, bl
		call	PspCaptureCreateInfo
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7A3710
		test	byte ptr [ebp-170h], 1
		jz	short loc_7A2C1E
		push	0
		lea	eax, [ebp-41Ch]
		push	eax
		push	72437350h
		push	dword ptr [ebp-424h]
		push	ds:_PsProcessType
		push	80h
		push	dword ptr [ebp-124h]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7A3710
		mov	ebx, [ebp-41Ch]
		mov	[ebp-120h], ebx
		jmp	short loc_7A2C20
; 

loc_7A2C1E:				; CODE XREF: PAGE:007A2BDAj
		mov	ebx, esi

loc_7A2C20:				; CODE XREF: PAGE:007A2C1Cj
		mov	[ebp-41Ch], ebx
		push	dword ptr [ebp-7Ch]
		mov	edx, [ebp-84h]
		mov	ecx, ebx
		call	PspEstimateNewProcessServerSilo
		mov	[ebp-5Ch], eax
		mov	al, [ebp-16Bh]
		and	al, 0Ch
		cmp	al, 4
		jnz	short loc_7A2C5B
		cmp	ebx, esi
		jnz	loc_7A370B
		push	esi
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		test	al, al
		jnz	loc_7A370B

loc_7A2C5B:				; CODE XREF: PAGE:007A2C43j
		lea	eax, [ebp-114h]
		push	eax
		push	dword ptr [ebp-424h]
		mov	edx, [ebp-118h]
		mov	ecx, ebx
		call	_PspReferenceTokenForNewProcess@16 ; PspReferenceTokenForNewProcess(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_7A2C87
		and	dword ptr [ebp-114h], 0
		jmp	loc_7A3710
; 

loc_7A2C87:				; CODE XREF: PAGE:007A2C79j
		cmp	dword ptr [ebp-118h], 0
		jz	short loc_7A2CBC
		lea	eax, [ebp-454h]
		push	eax
		push	dword ptr [ebp-114h]
		call	_SeQueryServerSiloToken@8 ; SeQueryServerSiloToken(x,x)
		test	eax, eax
		js	short loc_7A2CBC
		mov	edx, [ebp-5Ch]
		mov	ecx, [ebp-454h]
		call	PspIsSiloInSilo
		test	al, al
		jz	loc_7A370B

loc_7A2CBC:				; CODE XREF: PAGE:007A2C8Ej
					; PAGE:007A2CA4j
		mov	al, [ebp-170h]
		test	al, 20h
		jz	loc_7A314D
		mov	eax, [ebp-170h]
		and	eax, edi
		neg	eax
		sbb	al, al
		and	al, [ebp-8Ch]
		mov	[ebp-409h], al
		test	_NtGlobalFlag, 40000h
		jz	short loc_7A2D1B
		mov	eax, [ebp-0E8h]
		mov	[ebp-46Ch], eax
		mov	eax, [ebp-0E4h]
		mov	[ebp-468h], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	8
		lea	eax, [ebp-46Ch]
		push	eax
		push	26h
		call	_ZwSystemDebugControl@24 ; ZwSystemDebugControl(x,x,x,x,x,x)

loc_7A2D1B:				; CODE XREF: PAGE:007A2CECj
		lea	eax, [ebp-409h]
		push	eax
		lea	eax, [ebp-438h]
		push	eax
		lea	eax, [ebp-414h]
		push	eax
		push	dword ptr [ebp-409h]
		mov	edi, [ebp+20h]
		mov	eax, edi
		shr	eax, 6
		and	eax, 1
		push	eax
		lea	edx, [ebp-0E8h]
		mov	ecx, [ebp-114h]
		call	SeQuerySigningPolicy
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7A3710
		mov	dword ptr [ebp-4A0h], 18h
		xor	ecx, ecx
		mov	[ebp-49Ch], ecx
		xor	eax, eax
		cmp	byte ptr [ebp-3FDh], 1
		setz	al
		dec	eax
		and	eax, 0FFFFFC00h
		add	eax, 640h
		mov	[ebp-494h], eax
		lea	eax, [ebp-0E8h]
		mov	[ebp-498h], eax
		mov	[ebp-490h], ecx
		mov	[ebp-48Ch], ecx
		mov	ebx, ecx
		mov	eax, ds:dword_A93EA8
		test	eax, eax
		jz	short loc_7A2DB9
		push	dword ptr [ebp-114h]
		call	eax
		mov	ebx, eax

loc_7A2DB9:				; CODE XREF: PAGE:007A2DADj
		test	ebx, ebx
		js	loc_7A3710
		mov	edx, [ebp-114h]
		lea	ecx, [ebp-4B8h]
		call	_PspCreateUserProcessEcp@8 ; PspCreateUserProcessEcp(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7A3710
		lea	eax, [ebp-4B8h]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	60h
		push	1
		push	5
		push	80h
		push	eax
		lea	eax, [ebp-488h]
		push	eax
		lea	eax, [ebp-4A0h]
		push	eax
		mov	eax, [ebp-110h]
		or	eax, 100020h
		push	eax
		lea	eax, [ebp-10Ch]
		push	eax
		call	_IoCreateFileEx@60 ; IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_7A2E86
		cmp	dword ptr [ebp-110h], 0
		jz	short loc_7A2E66
		lea	eax, [ebp-4B8h]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	60h
		push	1
		push	5
		push	80h
		push	eax
		lea	eax, [ebp-488h]
		push	eax
		lea	eax, [ebp-4A0h]
		push	eax
		push	100020h
		lea	eax, [ebp-10Ch]
		push	eax
		call	_IoCreateFileEx@60 ; IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax

loc_7A2E66:				; CODE XREF: PAGE:007A2E29j
		test	ebx, ebx
		jns	short loc_7A2E86
		and	dword ptr [ebp-10Ch], 0
		push	0
		xor	ecx, ecx
		inc	ecx

loc_7A2E76:				; CODE XREF: PAGE:007A3096j
		lea	edx, [ebp-174h]
		call	PspUpdateCreateInfo
		jmp	loc_7A3710
; 

loc_7A2E86:				; CODE XREF: PAGE:007A2E20j
					; PAGE:007A2E68j
		mov	eax, ds:_IoFileObjectType
		xor	ecx, ecx
		mov	[ebp-458h], ecx
		push	ecx
		lea	edx, [ebp-458h]
		push	edx
		push	ecx
		push	eax
		push	100020h
		push	dword ptr [ebp-10Ch]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		mov	eax, [ebp-458h]
		mov	[ebp-108h], eax
		test	ebx, ebx
		jns	short loc_7A2ECB
		and	dword ptr [ebp-108h], 0
		jmp	loc_7A371F
; 

loc_7A2ECB:				; CODE XREF: PAGE:007A2EBDj
		and	dword ptr [ebp-498h], 0
		mov	edx, [ebp-70h]
		test	edx, edx
		jz	short loc_7A2EF9
		lea	eax, [ebp-42Ch]
		push	eax
		push	dword ptr [ebp-6Ch]
		mov	ecx, [ebp-114h]
		call	_SeDuplicateTokenAndAddOriginClaim@16 ;	SeDuplicateTokenAndAddOriginClaim(x,x,x,x)
		test	eax, eax
		js	short loc_7A2EF9
		mov	byte ptr [ebp-405h], 1

loc_7A2EF9:				; CODE XREF: PAGE:007A2ED7j
					; PAGE:007A2EF0j
		cmp	byte ptr [ebp-405h], 0
		jnz	short loc_7A2F0E
		mov	eax, [ebp-114h]
		mov	[ebp-42Ch], eax

loc_7A2F0E:				; CODE XREF: PAGE:007A2F00j
		push	1
		push	dword ptr [ebp-10Ch]
		push	dword ptr [ebp-414h]
		push	dword ptr [ebp-42Ch]
		lea	edx, [ebp-4A0h]
		lea	ecx, [ebp-104h]
		call	MmCreateSpecialImageSection
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7A308A
		mov	al, [ebp-414h]
		mov	[ebp-40Ah], al

loc_7A2F49:				; CODE XREF: PAGE:007A3084j
		mov	eax, ds:_MmSectionObjectType
		xor	ecx, ecx
		mov	[ebp-434h], ecx
		push	ecx
		lea	edx, [ebp-434h]
		push	edx
		push	ecx
		push	eax
		push	8
		push	dword ptr [ebp-104h]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		mov	ecx, [ebp-434h]
		mov	[ebp-0FCh], ecx
		test	ebx, ebx
		js	loc_7A3141
		push	dword ptr [ebp-409h]
		lea	edx, [ebp-420h]
		call	PspGetProcessProtectionRequirementsFromImage
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7A3710
		mov	al, [ebp-420h]
		cmp	al, [ebp-409h]
		jz	loc_7A309B
		lea	eax, [ebp-409h]
		push	eax
		lea	eax, [ebp-438h]
		push	eax
		lea	eax, [ebp-428h]
		push	eax
		push	dword ptr [ebp-420h]
		push	1
		lea	edx, [ebp-0E8h]
		mov	ecx, [ebp-114h]
		call	SeQuerySigningPolicy
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7A3710
		mov	cl, [ebp-40Ah]
		mov	al, [ebp-428h]
		cmp	al, cl
		jz	loc_7A309B
		and	cl, 30h
		jz	short loc_7A300B
		and	al, 30h
		cmp	al, cl
		jnz	loc_7A370B

loc_7A300B:				; CODE XREF: PAGE:007A2FFFj
		push	dword ptr [ebp-414h]
		push	dword ptr [ebp-428h]
		call	_SeCompareSigningLevels@8 ; SeCompareSigningLevels(x,x)
		test	eax, eax
		jz	loc_7A370B
		xor	ebx, ebx
		push	ebx
		push	dword ptr [ebp-104h]
		call	ObCloseHandle
		mov	ecx, [ebp-0FCh]
		call	ObfDereferenceObject
		mov	[ebp-104h], ebx
		mov	[ebp-0FCh], ebx
		mov	al, [ebp-428h]
		mov	[ebp-40Ah], al
		mov	[ebp-414h], al
		push	1
		push	dword ptr [ebp-10Ch]
		push	dword ptr [ebp-428h]
		push	dword ptr [ebp-42Ch]
		lea	edx, [ebp-4A0h]
		lea	ecx, [ebp-104h]
		call	MmCreateSpecialImageSection
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_7A2F49

loc_7A308A:				; CODE XREF: PAGE:007A2F37j
		and	dword ptr [ebp-104h], 0
		push	0
		push	2
		pop	ecx
		jmp	loc_7A2E76
; 

loc_7A309B:				; CODE XREF: PAGE:007A2FAAj
					; PAGE:007A2FF6j
		push	dword ptr [ebp-409h]
		push	edi
		push	dword ptr [ebp-424h]
		lea	edx, [ebp-174h]
		mov	ecx, esi
		call	_PspValidateCreateProcessProtection@20 ; PspValidateCreateProcessProtection(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7A3710
		mov	eax, 40000h
		test	edi, eax
		jnz	short loc_7A30FB
		push	esi
		call	_PsGetProcessProtection@4 ; PsGetProcessProtection(x)
		mov	[ebp-444h], al
		mov	al, [ebp-409h]
		and	al, 7
		cmp	al, 1
		jz	short loc_7A3102
		push	dword ptr [ebp-409h]
		push	dword ptr [ebp-444h]
		mov	cl, [ebp-3FDh]
		call	_PspCheckForInvalidAccessByProtection@12 ; PspCheckForInvalidAccessByProtection(x,x,x)
		test	al, al
		jz	short loc_7A3102

loc_7A30FB:				; CODE XREF: PAGE:007A30C6j
		or	byte ptr [ebp-16Ch], 8

loc_7A3102:				; CODE XREF: PAGE:007A30DEj
					; PAGE:007A30F9j
		xor	edx, edx
		lea	ecx, [ebp-174h]
		call	PspGetProcessParameterOverrides
		lea	eax, [ebp-174h]
		push	eax
		mov	edx, [ebp-430h]
		mov	cl, [ebp-3FDh]
		call	_PspCaptureProcessParameters@12	; PspCaptureProcessParameters(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_7A3139
		and	byte ptr [ebp-16Ch], 0FBh
		jmp	loc_7A3710
; 

loc_7A3139:				; CODE XREF: PAGE:007A312Bj
		lea	eax, [ebp-2Ch]
		jmp	loc_7A320E
; 

loc_7A3141:				; CODE XREF: PAGE:007A2F7Dj
		and	dword ptr [ebp-0FCh], 0
		jmp	loc_7A3710
; 

loc_7A314D:				; CODE XREF: PAGE:007A2CC4j
		mov	ebx, [ebp-41Ch]
		cmp	ebx, esi
		jnz	loc_7A370B
		cmp	byte ptr [ebp-3FDh], 0
		jz	loc_7A370B
		cmp	dword ptr [ebp-430h], 0
		jnz	loc_7A370B
		test	byte ptr [ebp-16Bh], 0Ch
		jnz	loc_7A370B
		test	al, al
		js	loc_7A370B
		test	[ebp-170h], edi
		jnz	loc_7A370B
		mov	al, [ebp-16Ch]
		test	al, 10h
		jnz	loc_7A370B
		and	al, 0FBh
		mov	[ebp-16Ch], al
		push	ebx
		call	_PsGetProcessProtection@4 ; PsGetProcessProtection(x)
		mov	[ebp-409h], al
		lea	eax, [ebp-438h]
		push	eax
		push	ebx
		call	_PsGetProcessSignatureLevel@8 ;	PsGetProcessSignatureLevel(x,x)
		mov	[ebp-414h], al
		mov	eax, [ebp+20h]
		test	al, 40h
		jz	short loc_7A31E5
		test	byte ptr [ebp-409h], 7
		jnz	short loc_7A31E5
		mov	ebx, 0C0000022h
		jmp	loc_7A3710
; 

loc_7A31E5:				; CODE XREF: PAGE:007A31D0j
					; PAGE:007A31D9j
		push	dword ptr [ebp-409h]
		push	eax
		push	dword ptr [ebp-424h]
		lea	edx, [ebp-174h]
		mov	ecx, esi
		call	_PspValidateCreateProcessProtection@20 ; PspValidateCreateProcessProtection(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7A3710
		xor	eax, eax
		mov	edi, [ebp+20h]

loc_7A320E:				; CODE XREF: PAGE:007A313Cj
		mov	[ebp-420h], eax
		xor	eax, eax
		cmp	[ebp-118h], eax
		setnz	al
		lea	ecx, [ebp-404h]
		push	ecx
		lea	ecx, [ebp-464h]
		push	ecx
		push	0
		push	eax
		lea	eax, [ebp-174h]
		push	eax
		push	0
		push	edi
		push	dword ptr [ebp-114h]
		push	dword ptr [ebp-0FCh]
		push	dword ptr [ebp-438h]
		push	dword ptr [ebp-414h]
		push	dword ptr [ebp-409h]
		push	dword ptr [ebp-43Ch]
		mov	dl, [ebp-3FDh]
		mov	ecx, [ebp-41Ch]
		call	_PspAllocateProcess@60 ; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7A3710
		mov	esi, [ebp-0FCh]
		neg	esi
		sbb	esi, esi
		and	esi, 0FFFFFFF0h
		xor	ebx, ebx
		push	ebx
		push	ebx
		lea	edx, [ebp-448h]
		lea	ecx, [esi+10017h]
		call	RtlGetExtendedContextLength2
		mov	eax, [ebp-448h]
		call	__alloca_probe_16
		mov	[ebp-18h], esp
		mov	eax, esp
		mov	[ebp-430h], eax
		push	dword ptr [ebp-448h]
		push	ebx
		push	eax
		call	_memset
		add	esp, 0Ch
		push	ebx
		push	ebx
		lea	eax, [ebp-470h]
		push	eax
		lea	edx, [esi+10017h]
		mov	esi, [ebp-430h]
		mov	ecx, esi
		call	RtlInitializeExtendedContext2
		cmp	[ebp-0FCh], ebx
		jz	short loc_7A3309
		mov	eax, [ebp-404h]
		push	dword ptr [eax+17Ch]
		push	dword ptr [ebp-158h]
		push	ds:_PspUserThreadStart
		xor	edx, edx
		inc	edx
		mov	ecx, esi
		call	_PspCreateUserContext@20 ; PspCreateUserContext(x,x,x,x,x)
		jmp	short loc_7A3350
; 

loc_7A3309:				; CODE XREF: PAGE:007A32E3j
		push	1
		push	1
		push	ebx
		mov	edx, esi
		mov	ecx, [ebp-440h]
		call	PspGetContextThreadInternal
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_7A3344
		mov	edx, [ebp-440h]
		mov	ecx, [ebp-404h]
		call	PspUnlockProcessExclusive
		xor	dl, dl
		mov	ecx, [ebp-404h]
		call	_PspRundownSingleProcess@8 ; PspRundownSingleProcess(x,x)
		jmp	loc_7A3710
; 

loc_7A3344:				; CODE XREF: PAGE:007A331Fj
		mov	dword ptr [esi+0B0h], 129h
		xor	ebx, ebx

loc_7A3350:				; CODE XREF: PAGE:007A3307j
		mov	edx, 72437350h
		mov	ecx, [ebp-404h]
		call	ObfReferenceObjectWithTag
		mov	esi, [ebp-420h]
		test	esi, esi
		jz	short loc_7A3394
		mov	[esi], bl
		mov	eax, 40000h
		cmp	[ebp-150h], eax
		jb	short loc_7A337F
		mov	eax, [ebp-150h]

loc_7A337F:				; CODE XREF: PAGE:007A3377j
		mov	[esi+0Ch], eax
		mov	eax, [ebp-14Ch]
		mov	[esi+8], eax
		mov	eax, [ebp-154h]
		mov	[esi+4], eax

loc_7A3394:				; CODE XREF: PAGE:007A3368j
		mov	[ebp-434h], ebx
		lea	edx, [ebp-418h]
		mov	ecx, [ebp+24h]
		call	_PspMapThreadCreationFlags@8 ; PspMapThreadCreationFlags(x,x)
		cmp	dword ptr [ebp-464h], 0
		jz	short loc_7A33C2
		mov	dword ptr [ebp-434h], 2
		or	dword ptr [ebp-418h], 10h

loc_7A33C2:				; CODE XREF: PAGE:007A33AFj
		cmp	dword ptr [ebp-460h], 0
		jz	short loc_7A33D5
		or	dword ptr [ebp+20h], 400h
		mov	edi, [ebp+20h]

loc_7A33D5:				; CODE XREF: PAGE:007A33C9j
		lea	eax, [ebp-4D8h]
		mov	[ebp-4C4h], eax
		or	dword ptr [ebp-418h], 60h
		lea	eax, [ebp-3FCh]
		push	eax
		push	esi
		lea	eax, [ebp-44Ch]
		push	eax
		lea	eax, [ebp-418h]
		push	eax
		push	ebx
		push	ebx
		lea	eax, [ebp-4C4h]
		push	eax
		mov	eax, [ebp-430h]
		push	eax
		lea	eax, [ebp-174h]
		push	eax
		push	dword ptr [ebp-424h]
		mov	edx, [ebp-474h]
		mov	ecx, [ebp-404h]
		call	PspAllocateThread
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_7A3455
		mov	edx, [ebp-440h]
		mov	ecx, [ebp-404h]
		call	PspUnlockProcessExclusive
		xor	dl, dl
		mov	ecx, [ebp-404h]
		call	_PspRundownSingleProcess@8 ; PspRundownSingleProcess(x,x)
		jmp	loc_7A36F9
; 

loc_7A3455:				; CODE XREF: PAGE:007A3430j
		push	dword ptr [ebp-404h]
		mov	ebx, [ebp-450h]
		mov	edx, ebx
		mov	cl, [ebp-3FDh]
		call	_PsTestProtectedProcessIncompatibility@12 ; PsTestProtectedProcessIncompatibility(x,x,x)
		mov	ecx, [ebp+10h]
		test	al, al
		jz	short loc_7A34ED
		mov	edx, 2000000h
		test	ecx, edx
		jz	short loc_7A34B1
		movzx	eax, byte ptr [ebp-409h]
		shr	eax, 4
		imul	eax, 0Ch
		mov	eax, ds:dword_A407E4[eax]
		not	eax
		and	eax, 1FFFFFh
		or	ecx, eax
		and	ecx, 0FDFFFFFFh
		mov	eax, [ebp-120h]
		test	eax, eax
		jz	short loc_7A34AE
		cmp	ebx, eax
		jnz	short loc_7A34B1

loc_7A34AE:				; CODE XREF: PAGE:007A34A8j
		or	ecx, 1

loc_7A34B1:				; CODE XREF: PAGE:007A347Cj
					; PAGE:007A34ACj
		mov	esi, [ebp+14h]
		test	esi, edx
		jz	short loc_7A34F0
		movzx	eax, byte ptr [ebp-409h]
		shr	eax, 4
		imul	eax, 0Ch
		mov	eax, ds:dword_A407E8[eax]
		not	eax
		and	eax, 1FFFFFh
		or	esi, eax
		and	esi, 0FDFFFFFFh
		mov	eax, [ebp-120h]
		test	eax, eax
		jz	short loc_7A34E8
		cmp	ebx, eax
		jnz	short loc_7A34F0

loc_7A34E8:				; CODE XREF: PAGE:007A34E2j
		or	esi, 1
		jmp	short loc_7A34F0
; 

loc_7A34ED:				; CODE XREF: PAGE:007A3473j
		mov	esi, [ebp+14h]

loc_7A34F0:				; CODE XREF: PAGE:007A34B6j
					; PAGE:007A34E6j ...
		mov	eax, [ebp-0F8h]
		test	eax, eax
		jz	short loc_7A34FF
		add	eax, 40h
		jmp	short loc_7A3501
; 

loc_7A34FF:				; CODE XREF: PAGE:007A34F8j
		xor	eax, eax

loc_7A3501:				; CODE XREF: PAGE:007A34FDj
		lea	edx, [ebp-2B8h]
		push	edx
		push	eax
		push	dword ptr [ebp-434h]
		push	dword ptr [ebp-11Ch]
		push	edi
		push	ecx
		mov	edx, [ebp-41Ch]
		mov	ecx, [ebp-404h]
		call	PspInsertProcess
		mov	edi, eax
		push	dword ptr [ebp-168h]
		push	dword ptr [ebp-45Ch]
		lea	eax, [ebp-3FCh]
		push	eax
		push	0
		lea	eax, [ebp-174h]
		push	eax
		mov	eax, [ebp-420h]
		push	eax
		push	esi
		lea	eax, [ebp-418h]
		push	eax
		lea	eax, [ebp-4D8h]
		push	eax
		mov	edx, [ebp-404h]
		mov	ecx, [ebp-44Ch]
		call	_PspInsertThread@44 ; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	ecx, [ebp-440h]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		test	edi, edi
		jns	short loc_7A3592
		xor	dl, dl
		mov	ecx, [ebp-404h]
		call	_PspRundownSingleProcess@8 ; PspRundownSingleProcess(x,x)
		mov	ebx, edi
		jmp	loc_7A36EE
; 

loc_7A3592:				; CODE XREF: PAGE:007A357Cj
		test	ebx, ebx
		js	loc_7A36E1
		push	dword ptr [ebp-404h]
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		cmp	eax, [ebp-5Ch]
		jz	short loc_7A35B4
		mov	ebx, 0C000022Dh
		jmp	loc_7A36E1
; 

loc_7A35B4:				; CODE XREF: PAGE:007A35A8j
		push	ds:_PsProcessType
		lea	edx, [ebp-2B8h]
		mov	ecx, [ebp-404h]
		call	PspCreateObjectHandle
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7A3693
		mov	dword ptr [ebp-4], 1
		mov	edi, [ebp-160h]
		test	edi, edi
		jz	short loc_7A35F1
		push	0Ch
		pop	ecx
		lea	esi, [ebp-158h]
		rep movsd

loc_7A35F1:				; CODE XREF: PAGE:007A35E4j
		mov	eax, [ebp-178h]
		mov	ecx, [ebp-410h]
		mov	[ecx], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-450h]
		jmp	short loc_7A363E
; 

loc_7A360E:				; DATA XREF: .text:006A23E8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-478h], eax
		xor	eax, eax
		cmp	byte ptr [ebp-424h], 1
		setz	al
		retn
; 

loc_7A3628:				; DATA XREF: .text:006A23ECo
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-478h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-47Ch]

loc_7A363E:				; CODE XREF: PAGE:007A360Cj
		test	ebx, ebx
		js	short loc_7A365C
		push	dword ptr [ebp-404h]
		lea	edx, [ebp-174h]
		push	6
		pop	ecx
		call	PspUpdateCreateInfo
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_7A36D2

loc_7A365C:				; CODE XREF: PAGE:007A3640j
		test	dword ptr [ebp-180h], 200h
		jnz	short loc_7A3679
		push	esi
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		test	al, al
		mov	byte ptr [ebp-410h], 1
		jz	short loc_7A3680

loc_7A3679:				; CODE XREF: PAGE:007A3666j
		mov	byte ptr [ebp-410h], 0

loc_7A3680:				; CODE XREF: PAGE:007A3677j
		push	dword ptr [ebp-410h]
		push	dword ptr [ebp-178h]
		call	ObCloseHandle
		jmp	short loc_7A3699
; 

loc_7A3693:				; CODE XREF: PAGE:007A35CFj
		mov	esi, [ebp-450h]

loc_7A3699:				; CODE XREF: PAGE:007A3691j
		test	ebx, ebx
		jns	short loc_7A36D2
		test	dword ptr [ebp-2C4h], 200h
		jnz	short loc_7A36BA
		push	esi
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		test	al, al
		mov	byte ptr [ebp-410h], 1
		jz	short loc_7A36C1

loc_7A36BA:				; CODE XREF: PAGE:007A36A7j
		mov	byte ptr [ebp-410h], 0

loc_7A36C1:				; CODE XREF: PAGE:007A36B8j
		push	dword ptr [ebp-410h]
		push	dword ptr [ebp-2BCh]
		call	ObCloseHandle

loc_7A36D2:				; CODE XREF: PAGE:007A365Aj
					; PAGE:007A369Bj
		lea	ecx, [ebp-2B8h]
		call	_PspDeleteObjectAccessState@4 ;	PspDeleteObjectAccessState(x)
		test	ebx, ebx
		jns	short loc_7A36EE

loc_7A36E1:				; CODE XREF: PAGE:007A3594j
					; PAGE:007A35AFj
		mov	edx, ebx
		mov	ecx, [ebp-404h]
		call	_PsTerminateProcess@8 ;	PsTerminateProcess(x,x)

loc_7A36EE:				; CODE XREF: PAGE:007A358Dj
					; PAGE:007A36DFj
		mov	ecx, [ebp-44Ch]
		call	ObfDereferenceObject

loc_7A36F9:				; CODE XREF: PAGE:007A3450j
		mov	edx, 72437350h
		mov	ecx, [ebp-404h]
		call	ObfDereferenceObjectWithTag
		jmp	short loc_7A3710
; 

loc_7A370B:				; CODE XREF: PAGE:007A2B9Fj
					; PAGE:007A2BAFj ...
		mov	ebx, 0C000000Dh

loc_7A3710:				; CODE XREF: PAGE:007A2BCDj
					; PAGE:007A2C0Aj ...
		mov	ecx, [ebp-108h]
		test	ecx, ecx
		jz	short loc_7A371F
		call	_SeDeleteCodeIntegrityOriginClaimForFileObject@4 ; SeDeleteCodeIntegrityOriginClaimForFileObject(x)

loc_7A371F:				; CODE XREF: PAGE:007A2EC6j
					; PAGE:007A3718j
		lea	ecx, [ebp-174h]
		call	PspDeleteCreateProcessContext
		cmp	dword ptr [ebp-4B4h], 0
		jz	short loc_7A373E
		push	dword ptr [ebp-4B4h]
		call	FsRtlFreeExtraCreateParameterList

loc_7A373E:				; CODE XREF: PAGE:007A3731j
		cmp	byte ptr [ebp-405h], 0
		jz	short loc_7A3752
		mov	ecx, [ebp-42Ch]
		call	ObfDereferenceObject

loc_7A3752:				; CODE XREF: PAGE:007A3745j
		mov	eax, ebx
		jmp	short loc_7A377E
; 

loc_7A3756:				; DATA XREF: .text:006A23DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-480h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7A3767:				; DATA XREF: .text:006A23E0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-480h]
		jmp	short loc_7A377E
; 

loc_7A3779:				; CODE XREF: PAGE:007A2A72j
					; PAGE:007A2A7Fj
		mov	eax, 0C000000Dh

loc_7A377E:				; CODE XREF: PAGE:007A2A97j
					; PAGE:007A2B59j ...
		lea	esp, [ebp-4E8h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	2Ch
; 

loc_7A3796:				; CODE XREF: PAGE:007A2AE5j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger

; __stdcall AlpcConnectionDestroyProcedure(x)
_AlpcConnectionDestroyProcedure@4:	; DATA XREF: .text:004011F4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+8]
		push	edi
		mov	edi, [esi]
		test	edi, edi
		jz	short loc_7A381D
		mov	ecx, [edi+8]
		xor	edx, edx
		push	ebx
		sub	ecx, 4
		call	ExAcquirePushLockExclusiveEx
		lea	ebx, [edi+0D0h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [esi+0Ch]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_7A3871
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_7A3871
		mov	[ecx], edx
		or	eax, 0FFFFFFFFh
		mov	[edx+4], ecx
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7A3848

loc_7A37F4:				; CODE XREF: PAGE:007A384Fj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	edi, [edi+8]
		or	eax, 0FFFFFFFFh
		sub	edi, 4
		lock xadd [edi], eax
		and	al, 6
		pop	ebx
		cmp	al, 2
		jz	short loc_7A3851

loc_7A380F:				; CODE XREF: PAGE:007A3858j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [esi]
		call	ObfDereferenceObject

loc_7A381D:				; CODE XREF: PAGE:007A37AAj
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_7A3835
		cmp	dword ptr [esi+1Ch], 10h
		jnz	short loc_7A3864
		push	eax
		push	offset unk_6FB180
		call	_ExFreeToPagedLookasideList@8 ;	ExFreeToPagedLookasideList(x,x)

loc_7A3835:				; CODE XREF: PAGE:007A3822j
					; PAGE:007A386Fj
		xor	ecx, ecx
		lea	eax, [esi+24h]
		xchg	ecx, [eax]
		pop	edi
		pop	esi
		test	ecx, ecx
		jnz	short loc_7A385A

loc_7A3842:				; CODE XREF: PAGE:007A3862j
		xor	eax, eax
		pop	ebp
		retn	4
; 

loc_7A3848:				; CODE XREF: PAGE:007A37F2j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7A37F4
; 

loc_7A3851:				; CODE XREF: PAGE:007A380Dj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7A380F
; 

loc_7A385A:				; CODE XREF: PAGE:007A3840j
		xor	edx, edx
		inc	edx
		call	AlpcpDereferenceBlobEx
		jmp	short loc_7A3842
; 

loc_7A3864:				; CODE XREF: PAGE:007A3828j
		push	61486C41h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7A3835
; 

loc_7A3871:				; CODE XREF: PAGE:007A37D1j
					; PAGE:007A37DCj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		dd 0CCCCCCCCh
; Exported entry 793. IoCreateFileEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCreateFileEx(x, x, x, x, x, x, x,	x, x, x, x, x, x, x, x)
		public _IoCreateFileEx@60
_IoCreateFileEx@60 proc	near		; CODE XREF: PAGE:007A2E17p
					; PAGE:007A2E5Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_34]
		mov	eax, ebx
		push	esi
		shr	eax, 0Ah
		push	edi
		mov	edi, [ebp+arg_38]
		and	eax, 2
		mov	esi, eax
		test	edi, edi
		jz	short loc_7A38C0
		cmp	dword ptr [edi+8], 0
		jnz	short loc_7A38FC

loc_7A389E:				; CODE XREF: IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+83j
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	short loc_7A38AE
		call	FsRtlpPrepareExtraCreateParametersForCreate
		test	eax, eax
		js	short loc_7A38F5

loc_7A38AE:				; CODE XREF: IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+27j
		cmp	dword ptr [edi+0Ch], 0
		jnz	short loc_7A3906

loc_7A38B4:				; CODE XREF: IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8Dj
		cmp	word ptr [edi],	14h
		jb	short loc_7A38C0
		cmp	dword ptr [edi+10h], 1
		jnz	short loc_7A3901

loc_7A38C0:				; CODE XREF: IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1Aj
					; IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3Cj ...
		push	edi		; void *
		push	esi		; int
		or	ebx, 100h
		mov	edx, [ebp+arg_4]
		push	ebx		; int
		push	[ebp+arg_30]	; int
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_2C]	; int
		push	[ebp+arg_28]	; int
		push	[ebp+arg_24]	; void *
		push	[ebp+arg_20]	; int
		push	[ebp+arg_1C]	; int
		push	[ebp+arg_18]	; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		call	_IopCreateFile@64 ; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)

loc_7A38F5:				; CODE XREF: IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+30j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	3Ch
; 

loc_7A38FC:				; CODE XREF: IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+20j
		or	esi, 1
		jmp	short loc_7A389E
; 

loc_7A3901:				; CODE XREF: IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+42j
		or	esi, 40h
		jmp	short loc_7A38C0
; 

loc_7A3906:				; CODE XREF: IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+36j
		or	esi, 4
		jmp	short loc_7A38B4
_IoCreateFileEx@60 endp

; 
		align 10h
; Exported entry 1513. NtCreateFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateFile(x, x, x, x, x,	x, x, x, x, x, x)
		public _NtCreateFile@44
_NtCreateFile@44 proc near		; DATA XREF: .text:00581164o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	eax, eax
		mov	edx, [ebp+arg_4]
		push	eax		; void *
		push	20h		; int
		push	eax		; int
		push	eax		; int
		push	eax		; int
		push	[ebp+arg_28]	; int
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_24]	; void *
		push	[ebp+arg_20]	; int
		push	[ebp+arg_1C]	; int
		push	[ebp+arg_18]	; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		call	_IopCreateFile@64 ; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		pop	ecx
		pop	ebp
		retn	2Ch
_NtCreateFile@44 endp

; 
		align 10h
; Exported entry 1538. NtOpenFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtOpenFile(x, x, x,	x, x, x)
		public _NtOpenFile@24
_NtOpenFile@24	proc near		; CODE XREF: PfSnGetPrefetchInstructions+120p
					; RtlpSysVolTakeOwnership(x)+ACp
					; DATA XREF: ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0		; void *
		push	20h		; int
		push	0		; int
		push	0		; int
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0		; int
		push	0		; int
		push	0		; void *
		push	[ebp+arg_14]	; int
		push	1		; int
		push	[ebp+arg_10]	; int
		push	0		; int
		push	0		; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		call	_IopCreateFile@64 ; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	18h
_NtOpenFile@24	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopCreateFile(int,int,int,int,int,int,int,void *,int,int,int,int,int,void *)
_IopCreateFile@64 proc near		; CODE XREF: IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+74p
					; NtCreateFile(x,x,x,x,x,x,x,x,x,x,x)+2Fp ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A23F0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 48h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_24], edx
		mov	[ebp+var_38], ecx
		mov	ebx, [ebp+arg_18]
		mov	[ebp+var_20], 0
		mov	[ebp+var_28], 0
		mov	[ebp+var_2C], 0
		mov	[ebp+var_58], 0
		mov	[ebp+var_54], 0
		mov	ecx, [ebp+arg_2C]
		and	ecx, 100h
		mov	eax, large fs:124h
		neg	ecx
		sbb	cl, cl
		not	cl
		and	cl, [eax+15Ah]
		mov	byte ptr [ebp+var_30], cl
		mov	eax, large fs:20h
		mov	[ebp+var_34], eax
		mov	edi, [eax+5E0h]
		inc	dword ptr [edi+0Ch]
		mov	ecx, edi
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		mov	[ebp+arg_18], esi
		test	esi, esi
		jnz	short loc_7A3A71
		inc	dword ptr [edi+10h]
		mov	edi, [ebp+var_34]
		mov	edi, [edi+5E4h]
		inc	dword ptr [edi+0Ch]
		mov	ecx, edi
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		mov	[ebp+arg_18], esi
		test	esi, esi
		jnz	short loc_7A3A71
		inc	dword ptr [edi+10h]
		mov	eax, [edi+20h]
		push	eax
		mov	eax, [edi+24h]
		push	eax
		mov	eax, [edi+1Ch]
		push	eax
		mov	eax, [edi+28h]
		call	eax
		mov	esi, eax
		mov	[ebp+arg_18], eax
		test	esi, esi
		jz	loc_7A4185

loc_7A3A71:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9Fj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BEj
		mov	eax, [ebp+var_34]
		mov	eax, [eax+3CCh]
		mov	[esi], eax
		test	esi, esi
		jz	loc_7A4185
		cmp	byte ptr [ebp+var_30], 0
		jnz	short loc_7A3A98
		mov	eax, [ebp+arg_2C]
		test	eax, 200h
		jz	loc_7A3CAA

loc_7A3A98:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F8j
		test	[ebp+arg_C], 0FFA50048h
		jnz	loc_7A3C2F
		mov	edx, [ebp+arg_10]
		test	edx, 0FFFFFFF8h
		jnz	loc_7A3C2F
		mov	ecx, [ebp+arg_14]
		cmp	ecx, 5
		ja	loc_7A3C2F
		test	ebx, 0EF000000h
		jnz	loc_7A3C2F
		mov	eax, ebx
		and	eax, 30h
		mov	edi, [ebp+var_24]
		jz	short loc_7A3AE2
		test	edi, 100000h
		jz	loc_7A3C2F

loc_7A3AE2:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+144j
		test	ebx, 1000h
		jz	short loc_7A3AF6
		test	edi, 10000h
		jz	loc_7A3C2F

loc_7A3AF6:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+158j
		cmp	eax, 30h
		jz	loc_7A3C2F
		mov	eax, ebx
		and	al, 41h
		cmp	al, 1
		jnz	short loc_7A3B26
		test	ebx, 0EF5E0ACCh
		jnz	loc_7A3C2F
		cmp	ecx, 2
		jz	short loc_7A3B26
		cmp	ecx, 1
		jz	short loc_7A3B26
		cmp	ecx, 3
		jnz	loc_7A3C2F

loc_7A3B26:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+175j
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+186j ...
		mov	eax, ebx
		and	eax, 100100h
		cmp	eax, 100100h
		jz	loc_7A3C2F
		mov	eax, ebx
		and	eax, 10100h
		cmp	eax, 10100h
		jz	loc_7A3C2F
		mov	eax, ebx
		and	eax, 110000h
		cmp	eax, 110000h
		jz	loc_7A3C2F
		mov	eax, [ebp+var_24]
		test	bl, 8
		jz	short loc_7A3B6C
		test	al, 4
		jnz	loc_7A3C2F

loc_7A3B6C:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1D2j
		cmp	_IopFailZeroAccessCreate, 0
		jz	short loc_7A3BEB
		test	eax, eax
		jnz	short loc_7A3BEB
		mov	edx, large fs:20h
		mov	ecx, [edx+5E0h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A3BCB
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5E4h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A3BCB
		inc	dword ptr [ecx+18h]
		push	esi
		mov	eax, [ecx+2Ch]
		call	eax
		mov	eax, 0C0000022h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A3BCB:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+201j
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+217j
		mov	edx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	eax, 0C0000022h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A3BEB:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1E3j
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1E7j
		mov	eax, [ebp+arg_24]
		test	eax, eax
		jz	loc_7A3CA7
		cmp	eax, 1
		jnz	loc_7A3C89
		mov	eax, [ebp+arg_28]
		test	eax, eax
		jz	short loc_7A3C2F
		test	dword ptr [eax], 0FFFFFFFCh
		jnz	short loc_7A3C2F
		cmp	dword ptr [eax+4], 1
		ja	short loc_7A3C2F
		cmp	dword ptr [eax+8], 1
		ja	short loc_7A3C2F
		test	dl, 4
		jnz	short loc_7A3C2F
		lea	eax, [ecx-1]
		cmp	eax, 2
		ja	short loc_7A3C2F

loc_7A3C27:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+315j
		test	ebx, 0FFFFFFCDh
		jz	short loc_7A3CA7

loc_7A3C2F:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+10Fj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11Ej ...
		mov	edx, large fs:20h
		mov	ecx, [edx+5E0h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	loc_7A46EF
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5E4h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	loc_7A46EF
		inc	dword ptr [ecx+18h]
		push	esi
		mov	eax, [ecx+2Ch]
		call	eax
		mov	eax, 0C000000Dh
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A3C89:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+269j
		cmp	eax, 2
		jnz	short loc_7A3CA7
		cmp	[ebp+arg_28], 0
		jz	short loc_7A3C2F
		test	dl, 4
		jnz	short loc_7A3C2F
		test	edx, 0FFFFFFFDh
		jz	short loc_7A3C2F
		cmp	ecx, eax
		jnz	short loc_7A3C2F
		jmp	short loc_7A3C27
; 

loc_7A3CA7:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+260j
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+29Dj ...
		mov	eax, [ebp+arg_2C]

loc_7A3CAA:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+102j
		cmp	byte ptr [ebp+var_30], 0
		jz	loc_7A409B
		mov	[ebp+var_4], 0
		mov	ecx, [ebp+var_38]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_7A3CC9
		mov	ecx, eax

loc_7A3CC9:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+335j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_7A3CDB
		mov	ecx, eax

loc_7A3CDB:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+347j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_7A3D1E
		mov	edx, ecx
		test	cl, 3
		jnz	loc_7A470F
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_7A3CFC
		mov	edx, eax

loc_7A3CFC:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+368j
		nop
		mov	al, [edx]
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], eax
		test	eax, eax
		jg	short loc_7A3D2C
		jl	loc_7A4714
		test	edx, edx
		jb	loc_7A4714
		jmp	short loc_7A3D2C
; 

loc_7A3D1E:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+354j
		mov	[ebp+var_58], 0
		mov	[ebp+var_54], 0

loc_7A3D2C:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+37Cj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+38Cj
		mov	[ebp+var_4], 0FFFFFFFEh
		test	ebx, 10000000h
		jz	loc_7A3EB4
		mov	[ebp+var_4], 1
		mov	eax, [ebp+arg_20]
		mov	edx, [ebp+arg_1C]
		test	eax, eax
		jz	short loc_7A3D6D
		test	dl, 3
		jnz	loc_7A471E
		lea	ecx, [edx+eax]
		mov	edi, ds:_MmUserProbeAddress
		cmp	ecx, edi
		ja	short loc_7A3D6A
		cmp	ecx, edx
		jnb	short loc_7A3D6D

loc_7A3D6A:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3D4j
		mov	byte ptr [edi],	0

loc_7A3D6D:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3BEj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3D8j
		cmp	eax, 10h
		jnb	loc_7A3DF6
		mov	edx, large fs:20h
		mov	ecx, [edx+5E0h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A3DCF
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5E4h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A3DCF
		inc	dword ptr [ecx+18h]
		push	esi
		mov	eax, [ecx+2Ch]
		call	eax
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A3DCF:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3FEj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+414j
		mov	edx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A3DF6:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3E0j
		mov	eax, [edx]
		mov	ecx, [edx+4]
		mov	[esi+88h], eax
		mov	[esi+8Ch], ecx
		mov	eax, [edx+8]
		mov	[ebp+arg_1C], eax
		mov	[ebp+var_28], eax
		mov	edi, [edx+0Ch]
		mov	[ebp+var_2C], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_7A3ED7
; 

loc_7A3E22:				; DATA XREF: .text:006A2410o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		mov	eax, 1
		retn
; 

loc_7A3E32:				; DATA XREF: .text:006A2414o
		mov	esp, [ebp-18h]
		mov	edx, large fs:20h
		mov	ecx, [edx+5E0h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A3E8E
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5E4h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A3E8E
		inc	dword ptr [ecx+18h]
		push	dword ptr [ebp+20h]
		mov	eax, [ecx+2Ch]
		call	eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A3E8E:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4BDj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4D3j
		mov	edx, [ebp+20h]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A3EB4:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3A9j
		mov	dword ptr [esi+88h], 0
		mov	dword ptr [esi+8Ch], 0
		mov	eax, [ebp+arg_1C]
		mov	[ebp+arg_1C], eax
		mov	[ebp+var_28], eax
		mov	edi, [ebp+arg_20]
		mov	[ebp+var_2C], edi

loc_7A3ED7:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+48Dj
		mov	dword ptr [esi+30h], 0
		test	eax, eax
		jz	loc_7A425A
		test	edi, edi
		jz	loc_7A425A
		mov	[ebp+var_19], 0
		mov	[ebp+var_4], 2
		test	al, 3
		jnz	loc_7A4723
		lea	ecx, [edi+eax]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	short loc_7A3F12
		cmp	ecx, eax
		jnb	short loc_7A3F15

loc_7A3F12:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+57Cj
		mov	byte ptr [edx],	0

loc_7A3F15:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+580j
		push	61456F49h
		push	edi
		push	200h
		call	ExAllocatePoolWithQuotaTag
		mov	[esi+30h], eax
		mov	[esi+34h], edi
		push	edi		; size_t
		push	[ebp+arg_1C]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+arg_4]
		add	eax, 4
		push	eax
		push	edi
		mov	eax, [esi+30h]
		push	eax
		call	IoCheckEaBufferValidity
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_7A4728
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_7A4261
; 

loc_7A3F60:				; DATA XREF: .text:006A241Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		mov	eax, 1
		retn
; 

loc_7A3F70:				; DATA XREF: .text:006A2420o
		mov	esp, [ebp-18h]
		mov	esi, [ebp+20h]
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_7A3F85
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7A3F85:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5EBj
		mov	edx, large fs:20h
		mov	ecx, [edx+5E0h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A3FC0
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5E4h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A3FC0
		inc	dword ptr [ecx+18h]
		push	esi
		mov	eax, [ecx+2Ch]
		call	eax
		jmp	short loc_7A3FC7
; 

loc_7A3FC0:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+60Dj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+623j
		mov	edx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_7A3FC7:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+62Ej
		cmp	[ebp+var_19], 0
		jz	short loc_7A3FEB
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A3FEB:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+63Bj
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_40]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A4009:				; DATA XREF: .text:006A2404o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		mov	eax, 1
		retn
; 

loc_7A4019:				; DATA XREF: .text:006A2408o
		mov	esp, [ebp-18h]
		mov	edx, large fs:20h
		mov	ecx, [edx+5E0h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A4075
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5E4h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A4075
		inc	dword ptr [ecx+18h]
		push	dword ptr [ebp+20h]
		mov	eax, [ecx+2Ch]
		call	eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-44h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A4075:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6A4j
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6BAj
		mov	edx, [ebp+20h]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-44h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A409B:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+31Ej
		test	ebx, ebx
		jns	short loc_7A40AD
		or	eax, 400h
		mov	[ebp+arg_2C], eax
		and	ebx, 7FFFFFFFh

loc_7A40AD:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+70Dj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_7A40D1
		mov	ecx, [eax]
		mov	eax, [eax+4]
		test	eax, eax
		jg	short loc_7A40CB
		jl	loc_7A3C2F
		test	ecx, ecx
		jb	loc_7A3C2F

loc_7A40CB:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+72Bj
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], eax

loc_7A40D1:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+722j
		test	ebx, 10000000h
		jz	short loc_7A4102
		cmp	[ebp+arg_20], 10h
		jb	loc_7A3C2F
		mov	ecx, [ebp+arg_1C]
		mov	eax, [ecx]
		mov	[esi+88h], eax
		mov	eax, [ecx+4]
		mov	[esi+8Ch], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_28], eax
		mov	edi, [ecx+0Ch]
		jmp	short loc_7A411F
; 

loc_7A4102:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+747j
		mov	dword ptr [esi+88h], 0
		mov	dword ptr [esi+8Ch], 0
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_28], eax
		mov	edi, [ebp+arg_20]

loc_7A411F:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+770j
		mov	[ebp+var_2C], edi
		mov	[ebp+arg_1C], eax
		test	eax, eax
		jz	loc_7A4253
		test	edi, edi
		jz	loc_7A4253
		push	61456F49h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+30h], eax
		test	eax, eax
		jnz	short loc_7A41A7
		mov	edx, large fs:20h
		mov	ecx, [edx+5E0h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A419E
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5E4h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A419E
		inc	dword ptr [ecx+18h]
		push	esi
		mov	eax, [ecx+2Ch]
		call	eax

loc_7A4185:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+DBj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+EEj ...
		mov	eax, 0C000009Ah
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A419E:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7D4j
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7EAj
		mov	edx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		jmp	short loc_7A4185
; 

loc_7A41A7:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7BAj
		mov	[esi+34h], edi
		push	edi		; size_t
		push	[ebp+arg_1C]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+arg_4]
		add	eax, 4
		push	eax
		push	edi
		mov	eax, [esi+30h]
		push	eax
		call	IoCheckEaBufferValidity
		mov	edi, eax
		mov	[ebp+var_20], edi
		test	edi, edi
		jns	loc_7A4261
		push	0
		mov	ecx, [esi+30h]
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		mov	edx, large fs:20h
		mov	ecx, [edx+5E0h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A4235
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5E4h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A4235
		inc	dword ptr [ecx+18h]
		push	esi
		mov	eax, [ecx+2Ch]
		call	eax
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A4235:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+86Dj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+883j ...
		mov	edx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_7A423C:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D5Aj
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A4253:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+797j
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+79Fj
		mov	dword ptr [esi+30h], 0

loc_7A425A:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+550j
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+558j
		mov	dword ptr [esi+34h], 0

loc_7A4261:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5CBj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+83Fj
		mov	dword ptr [esi], offset	loc_900008
		mov	dword ptr [esi+10h], 0
		mov	dword ptr [esi+0Ch], 0
		mov	eax, [ebp+var_58]
		mov	[esi+20h], eax
		mov	eax, [ebp+var_54]
		mov	[esi+24h], eax
		and	ebx, 0FFFFFFh
		mov	[esi+28h], ebx
		mov	eax, [ebp+arg_C]
		mov	[esi+2Ch], ax
		mov	eax, [ebp+arg_10]
		mov	[esi+2Eh], ax
		mov	eax, [ebp+arg_14]
		mov	[esi+3Ch], eax
		mov	word ptr [esi+54h], 0
		mov	byte ptr [esi+56h], 0
		mov	eax, [ebp+arg_2C]
		mov	[esi+38h], eax
		mov	dword ptr [esi+14h], 0
		mov	edi, [ebp+arg_0]
		mov	[esi+18h], edi
		mov	eax, [ebp+arg_24]
		mov	[esi+4Ch], eax
		mov	eax, [ebp+arg_28]
		mov	[esi+50h], eax
		mov	eax, [ebp+arg_30]
		mov	[esi+5Ch], eax
		mov	ebx, [ebp+var_30]
		mov	[esi+60h], bl
		lea	ecx, [esi+64h]
		xor	eax, eax
		mov	[ecx], eax
		mov	[ecx+4], eax
		mov	[ecx+8], eax
		mov	[ecx+0Ch], eax
		mov	eax, 14h
		mov	[ecx], ax
		mov	dword ptr [ecx+10h], 1
		mov	edx, [ebp+arg_34]
		test	edx, edx
		jz	short loc_7A4311
		movsx	eax, word ptr [edx]
		cmp	eax, 14h
		jbe	short loc_7A4306
		mov	eax, 14h

loc_7A4306:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+96Fj
		push	eax		; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_7A4311:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+967j
		cmp	dword ptr [esi+74h], 1
		jnz	short loc_7A431F
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		mov	[esi+74h], eax

loc_7A431F:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+985j
		mov	dword ptr [esi+8], 0
		mov	dword ptr [esi+4], 0
		cmp	_IoCountOperations, 1
		jnz	short loc_7A435D
		mov	eax, large fs:124h
		mov	ecx, 1
		mov	eax, [eax+150h]
		add	eax, 200h
		lock add [eax],	ecx
		jnb	short loc_7A4356
		lock adc dword ptr [eax+4], 0

loc_7A4356:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9BFj
		inc	large dword ptr	fs:624h

loc_7A435D:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9A4j
		lea	eax, [ebp+var_58]
		push	eax
		mov	eax, [esi+74h]
		push	eax
		push	esi
		push	[ebp+var_24]
		push	0
		push	ebx
		mov	eax, ds:_IoFileObjectType
		push	eax
		push	edi
		call	ObOpenObjectByNameEx
		mov	[ebp+var_20], eax
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_7A438A
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7A438A:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9F0j
		mov	ecx, [esi+68h]
		mov	[ebp+arg_20], ecx
		test	ecx, ecx
		jz	loc_7A44D0
		mov	eax, [ecx+4]
		test	eax, 3F0h
		jz	short loc_7A43AD
		add	eax, 0FFFFFFF0h
		mov	[ecx+4], eax
		jmp	loc_7A44C9
; 

loc_7A43AD:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A10j
		lea	ebx, [ecx+8]
		test	al, 1
		jnz	loc_7A4530
		jmp	short loc_7A43C0
; 
		align 10h

loc_7A43C0:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A28j
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+AE0j ...
		mov	eax, [ebx]
		cmp	eax, ebx
		jz	loc_7A4486
		mov	ecx, [eax]
		cmp	[eax+4], ebx
		jnz	loc_7A4572
		cmp	[ecx+4], eax
		jnz	loc_7A4572
		mov	[ebx], ecx
		mov	[ecx+4], ebx
		mov	dword ptr [eax+4], 0
		mov	dword ptr [eax], 0
		lea	edx, [eax+2Ch]
		mov	[ebp+arg_1C], edx
		lea	edi, [edx-34h]
		mov	[ebp+arg_2C], 0
		mov	ecx, [edi+20h]
		test	ecx, ecx
		jz	short loc_7A4411
		lea	eax, [edi+10h]
		push	eax
		push	edx
		call	ecx
		mov	edx, [ebp+arg_1C]

loc_7A4411:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A75j
		test	byte ptr [edi+24h], 20h
		jz	short loc_7A442C
		mov	eax, _FltMgrCallbacks
		test	eax, eax
		jz	short loc_7A442C
		mov	ecx, [edi+30h]
		mov	[ebp+arg_2C], ecx
		push	edx
		push	ecx
		mov	eax, [eax]
		call	eax

loc_7A442C:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A85j
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A8Ej
		mov	ecx, [edi+2Ch]
		test	ecx, ecx
		jz	short loc_7A4463
		test	byte ptr [edi+24h], 40h
		jz	short loc_7A4442
		mov	edx, edi
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_7A446B
; 

loc_7A4442:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+AA7j
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	short loc_7A445A
		inc	dword ptr [ecx+18h]
		push	edi
		mov	eax, [ecx+2Ch]
		call	eax
		jmp	short loc_7A446B
; 

loc_7A445A:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+ABDj
		mov	edx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		jmp	short loc_7A446B
; 

loc_7A4463:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+AA1j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7A446B:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+AB0j
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+AC8j ...
		mov	eax, [ebp+arg_2C]
		test	eax, eax
		jz	loc_7A43C0
		push	eax
		mov	eax, _FltMgrCallbacks
		mov	eax, [eax+4]
		call	eax
		jmp	loc_7A43C0
; 

loc_7A4486:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A34j
		mov	ecx, [ebp+arg_20]
		test	byte ptr [ecx+4], 4
		jz	short loc_7A44C1
		inc	dword_6F9E14
		mov	ax, word_6F9E04
		cmp	ax, word_6F9E08
		jb	short loc_7A44B3
		inc	dword_6F9E18
		push	ecx
		call	dword_6F9E2C
		jmp	short loc_7A44C9
; 

loc_7A44B3:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B12j
		mov	edx, ecx
		mov	ecx, offset _FsRtlEcpListLookaside
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		jmp	short loc_7A44C9
; 

loc_7A44C1:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+AFDj
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7A44C9:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A18j
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B21j ...
		mov	dword ptr [esi+68h], 0

loc_7A44D0:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A02j
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BA4j ...
		mov	edi, [esi+10h]
		mov	[ebp+arg_2C], edi
		mov	ebx, [ebp+var_20]
		test	ebx, ebx
		js	loc_7A45BB
		cmp	edi, 0BEAA0251h
		jnz	loc_7A45A4
		mov	eax, [esi+4]
		or	dword ptr [eax+2Ch], 40000h
		mov	eax, [esi+4]
		and	dword ptr [eax+2Ch], 0FDFFFFFFh
		mov	[ebp+var_4], 4
		mov	eax, [ebp+var_58]
		mov	ecx, [ebp+var_38]
		mov	[ecx], eax
		mov	eax, [esi+0Ch]
		mov	ecx, [ebp+arg_4]
		mov	[ecx+4], eax
		mov	eax, [esi+8]
		mov	[ecx], eax
		mov	eax, [esi+8]
		mov	[ebp+var_20], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_7A4695
; 

loc_7A4530:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A22j
		mov	edi, [ebx]
		cmp	edi, ebx
		jz	short loc_7A44D0

loc_7A4536:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BDBj
		mov	eax, edi
		mov	edi, [edi]
		test	byte ptr [eax+1Ch], 1
		jnz	short loc_7A4569
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_7A4572
		cmp	[ecx], eax
		jnz	short loc_7A4572
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	dword ptr [eax+4], 0
		mov	dword ptr [eax], 0
		add	eax, 2Ch
		push	eax
		call	_FsRtlFreeExtraCreateParameter@4 ; FsRtlFreeExtraCreateParameter(x)

loc_7A4569:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BAEj
		cmp	edi, ebx
		jnz	short loc_7A4536
		jmp	loc_7A44D0
; 

loc_7A4572:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A3Fj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A48j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_7A4579:				; DATA XREF: .text:006A2434o
		mov	eax, [ebp+var_14]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_48], eax
		mov	eax, 1
		retn
; 

loc_7A4589:				; DATA XREF: .text:006A2438o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-48h]
		mov	[ebp-20h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp+20h]
		mov	edi, [ebp+34h]
		jmp	loc_7A4695
; 

loc_7A45A4:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B57j
		test	ebx, ebx
		js	short loc_7A45BB
		push	[ebp+var_30]
		push	[ebp+var_58]
		call	ObCloseHandle
		mov	ebx, 0C0000024h
		mov	[ebp+var_20], ebx

loc_7A45BB:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B4Bj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C16j
		mov	ecx, [esi+8]
		test	ecx, ecx
		jns	short loc_7A4624
		mov	eax, ecx
		mov	[ebp+var_20], eax
		and	eax, 0C0000000h
		mov	ebx, ecx
		cmp	eax, 80000000h
		jz	short loc_7A45E1
		cmp	ebx, 0C0000279h
		jnz	loc_7A466E

loc_7A45E1:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C43j
		mov	[ebp+var_4], 3
		mov	edx, [ebp+arg_4]
		mov	[edx], ecx
		mov	eax, [esi+0Ch]
		mov	[edx+4], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_7A466E
; 

loc_7A45FC:				; DATA XREF: .text:006A2428o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		mov	eax, 1
		retn
; 

loc_7A460C:				; DATA XREF: .text:006A242Co
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-4Ch]
		mov	[ebp-20h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp+20h]
		mov	edi, [ebp+34h]
		jmp	short loc_7A466E
; 

loc_7A4624:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C30j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_7A466E
		cmp	edi, 0BEAA0251h
		jz	short loc_7A4659
		cmp	word ptr [eax+30h], 0
		jz	short loc_7A4648
		push	0
		mov	eax, [eax+34h]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+4]

loc_7A4648:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+CA8j
		mov	dword ptr [eax+4], 0
		mov	ecx, [esi+4]
		call	ObfDereferenceObject
		jmp	short loc_7A466E
; 

loc_7A4659:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+CA1j
		test	dword ptr [eax+2Ch], 40000h
		jnz	short loc_7A466E
		push	1
		push	1
		push	eax
		push	0
		call	_IopCloseFile@16 ; IopCloseFile(x,x,x,x)

loc_7A466E:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C4Bj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C6Aj ...
		cmp	ebx, 0C0000034h
		jnz	short loc_7A4695
		mov	eax, [esi+0Ch]
		cmp	eax, 0A0000003h
		jz	short loc_7A468E
		cmp	eax, 0A000000Ch
		jz	short loc_7A468E
		cmp	eax, 0A0000019h
		jnz	short loc_7A4695

loc_7A468E:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+CEEj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+CF5j
		mov	[ebp+var_20], 0C0000280h

loc_7A4695:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B9Bj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C0Fj ...
		cmp	edi, 0BEAA0251h
		jnz	short loc_7A46A9
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_7A46A9
		call	ObfDereferenceObject

loc_7A46A9:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D0Bj
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D12j
		mov	edx, large fs:20h
		mov	ecx, [edx+5E0h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	loc_7A4235
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5E4h]
		inc	dword ptr [ecx+14h]
		mov	ax, [ecx+4]
		cmp	ax, [ecx+8]
		jb	loc_7A4235
		inc	dword ptr [ecx+18h]
		push	esi
		mov	eax, [ecx+2Ch]
		call	eax
		jmp	loc_7A423C
; 

loc_7A46EF:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2B7j
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2D1j
		mov	edx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	eax, 0C000000Dh
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7A470F:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+35Bj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7A4714:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+37Ej
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+386j
		push	0C000000Dh
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_7A471E:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3C3j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7A4723:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+56Bj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7A4728:				; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5BEj
		mov	[ebp+var_19], 1
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		push	eax
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger
_IopCreateFile@64 endp


;  S U B	R O U T	I N E 


FsRtlpPrepareExtraCreateParametersForCreate proc near
					; CODE XREF: IoQueryInformationByName+16Ep
					; IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+29p

; FUNCTION CHUNK AT 008E9C3D SIZE 0000001F BYTES

		mov	edx, [ecx+4]
		push	ebx
		test	dl, 9
		jnz	short loc_7A4768
		mov	bl, 1
		or	edx, 1

loc_7A4746:				; CODE XREF: FsRtlpPrepareExtraCreateParametersForCreate+44j
		mov	[ecx+4], edx
		lea	edx, [ecx+8]
		mov	eax, [edx]
		cmp	eax, edx
		jz	loc_8E9C3D

loc_7A4756:				; CODE XREF: FsRtlpPrepareExtraCreateParametersForCreate+2Aj
		test	bl, bl
		jz	short loc_7A475E
		or	dword ptr [eax+1Ch], 1

loc_7A475E:				; CODE XREF: FsRtlpPrepareExtraCreateParametersForCreate+20j
		mov	eax, [eax]
		cmp	eax, edx
		jnz	short loc_7A4756
		xor	eax, eax
		pop	ebx
		retn
; 

loc_7A4768:				; CODE XREF: FsRtlpPrepareExtraCreateParametersForCreate+7j
		push	esi
		mov	esi, 3F0h
		mov	eax, edx
		and	eax, esi
		xor	bl, bl
		cmp	eax, esi
		pop	esi
		jz	short loc_7A477E
		add	edx, 10h
		jmp	short loc_7A4746
; 

loc_7A477E:				; CODE XREF: FsRtlpPrepareExtraCreateParametersForCreate+3Fj
		mov	eax, 0C000042Bh
		pop	ebx
		retn
FsRtlpPrepareExtraCreateParametersForCreate endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 521. FsRtlFreeExtraCreateParameterList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlFreeExtraCreateParameterList
FsRtlFreeExtraCreateParameterList proc near ; CODE XREF: PspCreateUserProcessEcp(x,x)+AAp
					; PAGE:007A3739p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [esi+8]

loc_7A4797:				; CODE XREF: FsRtlFreeExtraCreateParameterList+34j
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_7A47C0
		cmp	[eax+4], edi
		jnz	short loc_7A47DB
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_7A47DB
		mov	[edi], ecx
		mov	[ecx+4], edi
		and	dword ptr [eax+4], 0
		and	dword ptr [eax], 0
		add	eax, 2Ch
		push	eax
		call	_FsRtlFreeExtraCreateParameter@4 ; FsRtlFreeExtraCreateParameter(x)
		jmp	short loc_7A4797
; 

loc_7A47C0:				; CODE XREF: FsRtlFreeExtraCreateParameterList+11j
		test	byte ptr [esi+4], 4
		jz	loc_8E9C4F
		push	esi
		push	offset _FsRtlEcpListLookaside
		call	_ExFreeToPagedLookasideList@8 ;	ExFreeToPagedLookasideList(x,x)

loc_7A47D5:				; CODE XREF: FsRtlpPrepareExtraCreateParametersForCreate+14551Fj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_7A47DB:				; CODE XREF: FsRtlFreeExtraCreateParameterList+16j
					; FsRtlFreeExtraCreateParameterList+1Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
FsRtlFreeExtraCreateParameterList endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcpDestroyBlob(x, x)
@AlpcpDestroyBlob@8 proc near		; CODE XREF: PAGE:0082FD77p
					; AlpcpCompleteDispatchMessage+9EAp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		lea	ebx, [ecx-18h]
		mov	[ebp+var_4], ecx
		movzx	eax, byte ptr [ebx+9]
		push	esi
		push	edi
		push	ecx
		mov	edi, ds:_AlpcpRegisteredTypes[eax*4]
		mov	esi, edx
		call	dword ptr [edi+14h]
		test	esi, esi
		mov	esi, [ebp+var_4]
		jz	short loc_7A481C
		lea	ecx, [esi-4]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7A4858

loc_7A4817:				; CODE XREF: AlpcpDestroyBlob(x,x)+80j
		call	KeAbPostRelease

loc_7A481C:				; CODE XREF: AlpcpDestroyBlob(x,x)+25j
		push	esi
		call	dword ptr [edi+1Ch]
		test	eax, eax
		js	short loc_7A483D
		test	byte ptr [ebx+8], 2
		jz	short loc_7A4842
		imul	eax, [edi+8], 0C0h
		push	ebx
		add	eax, offset _AlpcpLookasides
		push	eax
		call	_ExFreeToPagedLookasideList@8 ;	ExFreeToPagedLookasideList(x,x)

loc_7A483D:				; CODE XREF: AlpcpDestroyBlob(x,x)+42j
					; AlpcpDestroyBlob(x,x)+76j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7A4842:				; CODE XREF: AlpcpDestroyBlob(x,x)+48j
		cmp	dword ptr [edi+20h], 0
		jbe	short loc_7A4862
		imul	eax, [edi+8], 0C0h
		push	ebx
		call	dword_6FB02C[eax]
		jmp	short loc_7A483D
; 

loc_7A4858:				; CODE XREF: AlpcpDestroyBlob(x,x)+35j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi-4]
		jmp	short loc_7A4817
; 

loc_7A4862:				; CODE XREF: AlpcpDestroyBlob(x,x)+66j
		push	dword ptr [edi+4]
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7A483D
@AlpcpDestroyBlob@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 520. FsRtlFreeExtraCreateParameter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlFreeExtraCreateParameter(x)
		public _FsRtlFreeExtraCreateParameter@4
_FsRtlFreeExtraCreateParameter@4 proc near ; CODE XREF:	IopDeleteFileObjectExtension+107p
					; FsRtlCheckOplockEx2+C63A5p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		xor	edi, edi
		lea	esi, [ebx-34h]
		mov	ecx, [esi+20h]
		test	ecx, ecx
		jnz	short loc_7A48D6

loc_7A4889:				; CODE XREF: FsRtlFreeExtraCreateParameter(x)+6Bj
		test	byte ptr [esi+24h], 20h
		jnz	short loc_7A48AE

loc_7A488F:				; CODE XREF: FsRtlFreeExtraCreateParameter(x)+43j
					; FsRtlFreeExtraCreateParameter(x)+4Cj
		mov	eax, [esi+2Ch]
		test	eax, eax
		jz	short loc_7A48DF
		test	byte ptr [esi+24h], 40h
		jnz	short loc_7A48CB
		push	esi
		push	eax
		call	_ExFreeToPagedLookasideList@8 ;	ExFreeToPagedLookasideList(x,x)

loc_7A48A3:				; CODE XREF: FsRtlFreeExtraCreateParameter(x)+62j
					; FsRtlFreeExtraCreateParameter(x)+75j
		test	edi, edi
		jnz	short loc_7A48C0

loc_7A48A7:				; CODE XREF: FsRtlFreeExtraCreateParameter(x)+57j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7A48AE:				; CODE XREF: FsRtlFreeExtraCreateParameter(x)+1Bj
		mov	eax, _FltMgrCallbacks
		test	eax, eax
		jz	short loc_7A488F
		mov	edi, [esi+30h]
		push	ebx
		push	edi
		call	dword ptr [eax]
		jmp	short loc_7A488F
; 

loc_7A48C0:				; CODE XREF: FsRtlFreeExtraCreateParameter(x)+33j
		mov	eax, _FltMgrCallbacks
		push	edi
		call	dword ptr [eax+4]
		jmp	short loc_7A48A7
; 

loc_7A48CB:				; CODE XREF: FsRtlFreeExtraCreateParameter(x)+28j
		mov	edx, esi
		mov	ecx, eax
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_7A48A3
; 

loc_7A48D6:				; CODE XREF: FsRtlFreeExtraCreateParameter(x)+15j
		lea	eax, [esi+10h]
		push	eax
		push	ebx
		call	ecx
		jmp	short loc_7A4889
; 

loc_7A48DF:				; CODE XREF: FsRtlFreeExtraCreateParameter(x)+22j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7A48A3
_FsRtlFreeExtraCreateParameter@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpFreeMessageFunction proc near	; DATA XREF: AlpcpInitSystem+137o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E9C5C SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebx+0A8h]
		and	esi, 7FFFFFFFh
		jz	short loc_7A495B
		mov	eax, large fs:124h
		push	edi
		mov	[ebp+var_4], eax
		dec	word ptr [eax+13Ch]
		nop
		test	esi, 0FC000000h
		jnz	loc_8E9C5C
		mov	edi, ds:_AlpcMessageTable

loc_7A4927:				; CODE XREF: AlpcpFreeMessageFunction+14537Aj
					; AlpcpFreeMessageFunction+145388j
		mov	eax, large fs:124h
		and	esi, 3FFFFFFh
		mov	edx, esi
		mov	ecx, edi
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_0], al
		push	[ebp+arg_0]
		call	ExMapHandleToPointerEx
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	ExDestroyHandle
		mov	ecx, [ebp+var_4]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi

loc_7A495B:				; CODE XREF: AlpcpFreeMessageFunction+17j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebx
		leave
		retn	4
AlpcpFreeMessageFunction endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspThreadDelete	proc near		; DATA XREF: PspInitPhase0+3D3o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E9C77 SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		call	_KeCleanupThreadState@4	; KeCleanupThreadState(x)
		mov	eax, [esi+338h]
		test	eax, eax
		jnz	loc_8E9C77
		mov	eax, [esi+32Ch]
		test	eax, eax
		jnz	loc_8E9C94
		mov	eax, [esi+330h]
		test	eax, eax
		jnz	loc_8E9CA7
		mov	eax, [esi+334h]
		test	eax, eax
		jnz	loc_8E9C9A
		lea	eax, [esi+3A4h]
		mov	ecx, [eax]
		cmp	ecx, eax
		jnz	loc_8E9C84
		lea	eax, [esi+3B0h]
		mov	ecx, [eax]
		cmp	ecx, eax
		jnz	loc_8E9CAD
		xor	edi, edi
		cmp	[esi+20h], edi
		jnz	loc_8E9CB5

loc_7A49E0:				; CODE XREF: PspThreadDelete+145358j
		mov	ebx, large fs:124h
		cmp	[esi+2B0h], edi
		jz	short loc_7A4A29
		dec	word ptr [ebx+13Ch]
		nop
		mov	edx, [esi+2B0h]
		mov	ecx, ds:_PspCidTable
		call	ExMapHandleToPointer
		test	eax, eax
		jz	loc_8E9CC7
		mov	edx, [esi+2B0h]
		mov	ecx, ds:_PspCidTable
		push	eax
		call	ExDestroyHandle
		mov	ecx, ebx
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_7A4A29:				; CODE XREF: PspThreadDelete+83j
		mov	ecx, esi
		call	PspDeleteThreadSecurity
		mov	eax, [esi+394h]
		test	eax, eax
		jnz	loc_7A4AFF

loc_7A4A3E:				; CODE XREF: PspThreadDelete+1A0j
		mov	eax, [esi+150h]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_7A4AF8
		cmp	[esi+2E4h], edi
		jz	loc_7A4B0F
		dec	word ptr [ebx+13Ch]
		nop
		add	eax, 0E0h
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	ExAcquirePushLockExclusiveEx
		mov	edi, [ebp+arg_0]
		xor	edx, edx
		lea	ecx, [edi+398h]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, esi
		call	_KeFoldProcessStatisticsThread@4 ; KeFoldProcessStatisticsThread(x)
		lea	eax, [esi+2E4h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_7A4B2D
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_7A4B2D
		mov	[ecx], edx
		or	eax, 0FFFFFFFFh
		mov	[edx+4], ecx
		lea	ecx, [edi+398h]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7A4B13

loc_7A4ABF:				; CODE XREF: PspThreadDelete+1B4j
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7A4B20

loc_7A4AD4:				; CODE XREF: PspThreadDelete+1C1j
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)

loc_7A4AE0:				; CODE XREF: PspThreadDelete+1A7j
		test	dword ptr [esi+2FCh], 100000h
		jnz	short loc_7A4B32

loc_7A4AEC:				; CODE XREF: PspThreadDelete+1CFj
		mov	edx, 72437350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_7A4AF8:				; CODE XREF: PspThreadDelete+DFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7A4AFF:				; CODE XREF: PspThreadDelete+CEj
		push	6D4E6854h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7A4A3E
; 

loc_7A4B0F:				; CODE XREF: PspThreadDelete+EBj
		mov	edi, eax
		jmp	short loc_7A4AE0
; 

loc_7A4B13:				; CODE XREF: PspThreadDelete+153j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [edi+398h]
		jmp	short loc_7A4ABF
; 

loc_7A4B20:				; CODE XREF: PspThreadDelete+168j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [edi+0E0h]
		jmp	short loc_7A4AD4
; 

loc_7A4B2D:				; CODE XREF: PspThreadDelete+12Cj
					; PspThreadDelete+137j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_7A4B32:				; CODE XREF: PspThreadDelete+180j
		push	esi
		call	dword_6BEDE8
		jmp	short loc_7A4AEC
PspThreadDelete	endp

; 
		align 4

;  S U B	R O U T	I N E 


PspDeleteThreadSecurity	proc near	; CODE XREF: PspThreadDelete+C1p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+2FCh]
		mov	eax, [edi]
		test	al, 8
		jnz	short loc_7A4B58

loc_7A4B4E:				; CODE XREF: PspDeleteThreadSecurity+3Ej
		and	dword ptr [esi+2C8h], 0
		pop	edi
		pop	esi
		retn
; 

loc_7A4B58:				; CODE XREF: PspDeleteThreadSecurity+10j
		mov	ecx, [esi+2C8h]
		and	ecx, 0FFFFFFF8h
		call	ObfDereferenceObject
		mov	ecx, [esi+368h]
		test	ecx, ecx
		jnz	loc_8E9CCF

loc_7A4B74:				; CODE XREF: PspThreadDelete+145371j
		push	0FFFFFFF7h
		pop	eax
		lock and [edi],	eax
		jmp	short loc_7A4B4E
PspDeleteThreadSecurity	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExDestroyHandle	proc near		; CODE XREF: .text:00511783p
					; PspProcessDelete+19Ap ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E9CE0 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	dword ptr [esi+54h], 0
		jnz	loc_8E9CE0

loc_7A4B93:				; CODE XREF: ExDestroyHandle+145173j
		mov	ebx, [ebp+arg_0]
		lea	ecx, [esi+20h]
		and	[ebp+var_4], 0
		xor	edx, edx
		mov	eax, [ebx+4]
		shr	eax, 1Bh
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+var_4]
		mov	dword ptr [ebx], 0
		lock or	[eax], edx
		cmp	[ecx], edx
		jnz	short loc_7A4BCC

loc_7A4BB8:				; CODE XREF: ExDestroyHandle+57j
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	ExpFreeHandleTableEntry
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7A4BCC:				; CODE XREF: ExDestroyHandle+3Aj
		xor	edx, edx
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	short loc_7A4BB8
ExDestroyHandle	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpFreeHandleTableEntry	proc near	; CODE XREF: ExDestroyHandle+41p
					; PAGE:00817495p ...

arg_3		= byte ptr  0Bh

; FUNCTION CHUNK AT 008E9CF4 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, edx
		cmp	[ebx+4], esi
		jnz	loc_8E9CF4

loc_7A4BED:				; CODE XREF: ExpFreeHandleTableEntry+14512Bj
					; ExpFreeHandleTableEntry+145136j
		mov	[edi+4], esi
		mov	al, [ebx+1Ch]
		and	al, 1
		mov	[ebp+arg_3], al
		jz	short loc_7A4C3A

loc_7A4BFA:				; CODE XREF: ExpFreeHandleTableEntry+6Cj
		inc	esi
		xor	edx, edx
		shl	esi, 6
		add	esi, ebx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		cmp	[ebp+arg_3], 0
		jz	short loc_7A4C44
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_7A4C61
		mov	[eax+4], edi

loc_7A4C19:				; CODE XREF: ExpFreeHandleTableEntry+8Ej
		mov	[esi+8], edi

loc_7A4C1C:				; CODE XREF: ExpFreeHandleTableEntry+7Bj
		dec	dword ptr [esi+0Ch]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7A4C58

loc_7A4C2C:				; CODE XREF: ExpFreeHandleTableEntry+89j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7A4C3A:				; CODE XREF: ExpFreeHandleTableEntry+22j
		movzx	esi, large byte	ptr fs:51h
		jmp	short loc_7A4BFA
; 

loc_7A4C44:				; CODE XREF: ExpFreeHandleTableEntry+37j
		mov	eax, [esi+4]
		mov	[edi+4], eax
		test	eax, eax
		jz	short loc_7A4C53

loc_7A4C4E:				; CODE XREF: ExpFreeHandleTableEntry+80j
		mov	[esi+4], edi
		jmp	short loc_7A4C1C
; 

loc_7A4C53:				; CODE XREF: ExpFreeHandleTableEntry+76j
		mov	[esi+8], edi
		jmp	short loc_7A4C4E
; 

loc_7A4C58:				; CODE XREF: ExpFreeHandleTableEntry+54j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7A4C2C
; 

loc_7A4C61:				; CODE XREF: ExpFreeHandleTableEntry+3Ej
		mov	[esi+4], edi
		jmp	short loc_7A4C19
ExpFreeHandleTableEntry	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExMapHandleToPointerEx proc near	; CODE XREF: AlpcpFreeMessageFunction+59p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E9D11 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		call	ExMapHandleToPointer
		mov	esi, eax
		test	esi, esi
		jz	loc_8E9D11

loc_7A4C81:				; CODE XREF: ExMapHandleToPointerEx+1450B7j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
ExMapHandleToPointerEx endp

; 
		align 10h
; Exported entry 763. IoCheckEaBufferValidity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoCheckEaBufferValidity
IoCheckEaBufferValidity	proc near	; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5B4p
					; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+833p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E9D22 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		cmp	edx, 7FFFFFFFh
		ja	loc_8E9D22
		push	esi

loc_7A4CA8:				; CODE XREF: IoCheckEaBufferValidity+58j
		cmp	edx, 8
		jb	short loc_7A4CEA
		movzx	eax, word ptr [ecx+6]
		movzx	esi, byte ptr [ecx+5]
		add	eax, 9
		add	eax, esi
		cmp	edx, eax
		jb	short loc_7A4CEA
		cmp	byte ptr [esi+ecx+8], 0
		jnz	short loc_7A4CEA
		mov	esi, [ecx]
		test	esi, esi
		jnz	short loc_7A4CD2
		xor	eax, eax

loc_7A4CCD:				; CODE XREF: IoCheckEaBufferValidity+67j
		pop	esi

loc_7A4CCE:				; CODE XREF: IoCheckEaBufferValidity+14509Dj
		pop	ebp
		retn	0Ch
; 

loc_7A4CD2:				; CODE XREF: IoCheckEaBufferValidity+39j
		add	eax, 3
		and	eax, 0FFFFFFFCh
		cmp	eax, esi
		jnz	short loc_7A4CEA
		test	esi, esi
		js	short loc_7A4CEA
		cmp	edx, esi
		jb	short loc_7A4CEA
		sub	edx, esi
		add	ecx, esi
		jmp	short loc_7A4CA8
; 

loc_7A4CEA:				; CODE XREF: IoCheckEaBufferValidity+1Bj
					; IoCheckEaBufferValidity+2Cj ...
		mov	eax, [ebp+arg_8]
		sub	ecx, [ebp+arg_0]
		mov	[eax], ecx
		mov	eax, 80000014h
		jmp	short loc_7A4CCD
IoCheckEaBufferValidity	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpGrantAccess	proc near		; CODE XREF: ObDuplicateObject+465p
					; ObpInsertOrLocateNamedObject+2D8p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E9D32 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, edx
		mov	dl, 1
		push	esi
		push	edi
		lea	eax, [ebx-18h]
		shr	eax, 8
		movzx	edi, al
		movzx	eax, byte ptr [ebx-0Ch]
		xor	edi, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edi, eax
		test	[ebp+arg_8], 400h
		mov	eax, ds:_ObTypeIndexTable[edi*4]
		jnz	short loc_7A4D36
		mov	dl, byte ptr [ebp+arg_4]

loc_7A4D36:				; CODE XREF: ObpGrantAccess+37j
		mov	byte ptr [ebp+arg_4], dl
		cmp	ecx, 1
		jnz	short loc_7A4D66

loc_7A4D3E:				; CODE XREF: ObpGrantAccess+6Fj
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	1
		push	esi
		push	ebx
		call	ObCheckObjectAccess
		test	al, al
		jz	short loc_7A4D70

loc_7A4D55:				; CODE XREF: ObpGrantAccess+145046j
		mov	eax, [ebp+arg_C]
		mov	ecx, [esi+14h]
		mov	[eax], ecx
		xor	eax, eax

loc_7A4D5F:				; CODE XREF: ObpGrantAccess+79j
					; ObpGrantAccess+14504Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7A4D66:				; CODE XREF: ObpGrantAccess+42j
		cmp	ecx, 2
		jz	short loc_7A4D3E
		jmp	loc_8E9D32
; 

loc_7A4D70:				; CODE XREF: ObpGrantAccess+59j
		mov	eax, [ebp+var_4]
		jmp	short loc_7A4D5F
ObpGrantAccess	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1610. ObCheckObjectAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObCheckObjectAccess
ObCheckObjectAccess proc near		; CODE XREF: ObpGrantAccess+52p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008E9D4B SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		push	[ebp+arg_C]
		mov	ecx, esi
		mov	[ebp+var_C], ebx
		lea	eax, [esi-18h]
		mov	byte ptr [ebp+var_14], bl
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		mov	[ebp+var_4], ebx
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	[ebp+var_8], ebx
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		lea	edx, [ebp+var_8]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_14]
		push	eax
		call	ObpGetObjectSecurity
		mov	edx, eax
		test	edx, edx
		js	loc_8E9D56
		mov	edi, [ebp+var_8]
		mov	esi, [ebp+arg_4]
		test	edi, edi
		jz	loc_8E9D4B
		lea	eax, [esi+1Ch]
		push	eax
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)
		push	[ebp+arg_10]
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+arg_C]
		mov	eax, [ebp+var_10]
		add	eax, 34h
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	dword ptr [esi+14h]
		lea	eax, [esi+1Ch]
		push	dword ptr [esi+10h]
		push	1
		push	eax
		push	edi
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	byte ptr [ebp+arg_10], al
		cmp	[ebp+var_4], ebx
		jnz	short loc_7A4E6C

loc_7A4E19:				; CODE XREF: ObCheckObjectAccess+106j
		test	al, al
		jz	short loc_7A4E2D
		mov	eax, [ebp+var_C]
		or	[esi+14h], eax
		or	eax, 2000000h
		not	eax
		and	[esi+10h], eax

loc_7A4E2D:				; CODE XREF: ObCheckObjectAccess+A1j
		cmp	byte ptr [ebp+arg_C], bl
		jz	short loc_7A4E50
		lea	eax, [esi+0Ah]
		push	eax
		mov	eax, [ebp+var_10]
		push	ebx
		push	[ebp+arg_C]
		add	eax, 8
		push	[ebp+arg_10]
		push	ebx
		push	esi
		push	edi
		push	ebx
		push	[ebp+arg_0]
		push	eax
		call	SeOpenObjectAuditAlarmWithTransaction

loc_7A4E50:				; CODE XREF: ObCheckObjectAccess+B6j
		lea	eax, [esi+1Ch]
		push	eax
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		push	[ebp+var_14]
		push	edi
		call	_ObReleaseObjectSecurity@8 ; ObReleaseObjectSecurity(x,x)
		mov	al, byte ptr [ebp+arg_10]

loc_7A4E65:				; CODE XREF: ObCheckObjectAccess+144FE3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7A4E6C:				; CODE XREF: ObCheckObjectAccess+9Dj
		push	[ebp+var_4]
		push	esi
		call	SeAppendPrivileges
		push	[ebp+var_4]
		call	_SeFreePrivileges@4 ; SeFreePrivileges(x)
		mov	al, byte ptr [ebp+arg_10]
		jmp	short loc_7A4E19
ObCheckObjectAccess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExEnableRaiseUMExceptionOnInvalidHandleClose proc near ; CODE XREF: PAGE:007AA76Bp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E9D62 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	esi, ecx
		dec	word ptr [ebx+13Ch]
		nop
		lea	edi, [esi+24h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	loc_8E9D62
		and	byte ptr [esi+1Ch], 0EFh

loc_7A4EBA:				; CODE XREF: ExEnableRaiseUMExceptionOnInvalidHandleClose+144EE3j
					; ExEnableRaiseUMExceptionOnInvalidHandleClose+144EEDj
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7A4EDA

loc_7A4EC7:				; CODE XREF: ExEnableRaiseUMExceptionOnInvalidHandleClose+5Fj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7A4EDA:				; CODE XREF: ExEnableRaiseUMExceptionOnInvalidHandleClose+43j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7A4EC7
ExEnableRaiseUMExceptionOnInvalidHandleClose endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspUpdateCreateInfo proc near		; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+728p
					; PAGE:007A2E7Cp ...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E9D74 SIZE 0000002E BYTES
; FUNCTION CHUNK AT 008E9DC9 SIZE 00000024 BYTES
; FUNCTION CHUNK AT 008E9E00 SIZE 00000013 BYTES

		push	3Ch
		push	offset dword_6A2440
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_3C], ecx
		xor	esi, esi
		mov	edi, esi
		mov	eax, [ebx+18h]
		mov	[ebp+var_24], eax
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], esi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_1D], al
		mov	byte ptr [ebp+var_44], al
		test	byte ptr [ebx+8], 2
		jz	loc_7A504F
		dec	ecx
		sub	ecx, 1
		jz	loc_7A508A
		sub	ecx, 1
		jz	loc_8E9E00
		dec	ecx
		sub	ecx, 1
		jz	loc_8E9DC9
		sub	ecx, 1
		jnz	loc_7A504F
		test	byte ptr [ebx+4], 20h
		jz	short loc_7A4F81
		lea	ecx, [ebp+var_4C]
		push	ecx
		lea	edx, [ebx+68h]
		mov	cl, al
		call	PspPropagateHandle
		mov	edi, eax
		test	edi, edi
		js	loc_8E9D79
		lea	eax, [ebp+var_48]
		push	eax
		lea	edx, [ebx+70h]
		mov	cl, [ebp+var_1D]
		call	PspPropagateHandle
		mov	edi, eax
		test	edi, edi
		js	loc_8E9D74

loc_7A4F81:				; CODE XREF: PspUpdateCreateInfo+6Aj
					; PspUpdateCreateInfo+144E9Aj
		mov	[ebp+ms_exc.disabled], 3
		mov	eax, [ebp+var_24]
		mov	[eax+8], esi
		mov	ecx, [ebp+arg_0]
		push	ecx
		call	_PsIsProtectedProcess@4	; PsIsProtectedProcess(x)
		test	eax, eax
		setnz	bl
		mov	eax, [ebp+var_24]
		mov	[eax+8], bl
		push	[ebp+arg_0]
		call	_PsIsProtectedProcessLight@4 ; PsIsProtectedProcessLight(x)
		neg	eax
		sbb	al, al
		and	al, 10h
		or	al, bl
		mov	ebx, [ebp+var_24]
		mov	[ebx+8], al
		mov	ecx, [ebp+arg_0]
		mov	cl, [ecx+0FEh]
		and	cl, 2
		or	cl, al
		mov	[ebx+8], cl
		mov	dl, byte ptr ds:_PspGlobalFlags
		and	dl, 1
		shl	dl, 2
		or	dl, cl
		mov	[ebx+8], dl
		mov	ecx, [ebp+var_28]
		mov	al, [ecx+8]
		shr	al, 2
		and	al, 8
		or	al, dl
		mov	[ebx+8], al
		test	al, 8
		jz	short loc_7A5004
		mov	eax, [ecx+0B8h]
		cdq
		mov	[ebx+38h], eax
		mov	[ebx+3Ch], edx
		mov	eax, [ecx+0BCh]
		mov	[ebx+40h], eax

loc_7A5004:				; CODE XREF: PspUpdateCreateInfo+108j
		mov	eax, [ebp+var_4C]
		mov	edx, ebx
		mov	[edx+0Ch], eax
		mov	eax, [ebp+var_48]
		mov	[edx+10h], eax
		mov	eax, [ecx+80h]
		mov	[edx+18h], eax
		mov	[edx+1Ch], esi
		mov	eax, [ecx+84h]
		mov	[edx+20h], eax
		mov	eax, [ecx+7Ch]
		mov	eax, [eax+8]
		mov	[edx+24h], eax
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+17Ch]
		mov	[edx+28h], eax
		mov	[edx+2Ch], esi
		mov	eax, [ecx+88h]
		mov	[edx+30h], eax

loc_7A5048:				; CODE XREF: PspUpdateCreateInfo+1CAj
					; PspUpdateCreateInfo+144F2Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7A504F:				; CODE XREF: PspUpdateCreateInfo+3Aj
					; PspUpdateCreateInfo+60j ...
		test	edi, edi
		js	loc_8E9D84
		mov	[ebp+ms_exc.disabled], 4
		mov	ecx, [ebp+var_3C]
		mov	eax, [ebp+var_24]
		mov	[eax+4], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7A506E:				; CODE XREF: sub_8E9E42+Fj
		test	edi, edi
		js	loc_8E9D84
		xor	eax, eax

loc_7A5078:				; CODE XREF: PspUpdateCreateInfo+144EB9j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7A508A:				; CODE XREF: PspUpdateCreateInfo+44j
		lea	ecx, [ebp+var_4C]
		push	ecx
		lea	edx, [ebx+68h]
		mov	cl, al
		call	PspPropagateHandle
		mov	edi, eax
		test	edi, edi
		js	short loc_7A50B0
		mov	[ebp+ms_exc.disabled], 1

loc_7A50A5:				; CODE XREF: PspUpdateCreateInfo+144F04j
		mov	ecx, [ebp+var_4C]
		mov	eax, [ebp+var_24]
		mov	[eax+8], ecx
		jmp	short loc_7A5048
; 

loc_7A50B0:				; CODE XREF: PspUpdateCreateInfo+1B8j
					; PspUpdateCreateInfo+144EF7j
		mov	[ebp+var_4C], esi
		jmp	short loc_7A504F
PspUpdateCreateInfo endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspPropagateHandle proc	near		; CODE XREF: PspUpdateCreateInfo+75p
					; PspUpdateCreateInfo+8Ep ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E9E56 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, [edx]
		mov	esi, [eax+80h]
		test	cl, cl
		jz	loc_8E9E56
		xor	eax, eax
		push	eax
		push	2
		push	eax
		push	eax
		push	[ebp+arg_0]
		push	esi
		push	edi
		push	esi
		call	ObDuplicateObject

loc_7A50E5:				; CODE XREF: PspPropagateHandle+144DA9j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
PspPropagateHandle endp

; 
		align 10h
; Exported entry 1621. ObFindHandleForObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObFindHandleForObject(x, x,	x, x, x)
		public _ObFindHandleForObject@20
_ObFindHandleForObject@20 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		mov	ecx, esi
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_7A5148
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_7A5150
		add	eax, 0FFFFFFE8h
		mov	[ebp+var_C], eax

loc_7A5119:				; CODE XREF: ObFindHandleForObject(x,x,x,x,x)+63j
		mov	eax, [ebp+arg_8]
		push	[ebp+arg_10]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	offset ObpEnumFindHandleProcedure
		push	ecx
		call	ExEnumHandleTable
		test	al, al
		jz	short loc_7A513D
		mov	bl, 1

loc_7A513D:				; CODE XREF: ObFindHandleForObject(x,x,x,x,x)+49j
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7A5148:				; CODE XREF: ObFindHandleForObject(x,x,x,x,x)+1Aj
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	14h
; 

loc_7A5150:				; CODE XREF: ObFindHandleForObject(x,x,x,x,x)+21j
		mov	[ebp+var_C], ebx
		jmp	short loc_7A5119
_ObFindHandleForObject@20 endp

; 
		align 10h
; Exported entry 352. ExEnumHandleTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExEnumHandleTable
ExEnumHandleTable proc near		; CODE XREF: IoRevokeHandlesForProcess(x,x)+106p
					; ObFindHandleForObject(x,x,x,x,x)+42p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E9E64 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_8], 0
		mov	[ebp+var_C], eax
		mov	[ebp+var_1], 0
		nop
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		xor	edx, edx
		mov	ecx, edi
		call	_ExpGetNextHandleTableEntry@12 ; ExpGetNextHandleTableEntry(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7A51F6
		lea	ecx, [ecx+0]

loc_7A51A0:				; CODE XREF: ExEnumHandleTable+6Ej
					; ExEnumHandleTable+7Bj ...
		mov	edx, [ebx]
		mov	esi, [ebp+var_8]
		test	dl, 1
		jnz	short loc_7A51D0
		test	edx, edx
		jnz	loc_8E9E64

loc_7A51B2:				; CODE XREF: ExEnumHandleTable+8Bj
		lea	edi, [esi+4]
		mov	ecx, edi
		xor	ecx, esi
		cmp	ecx, 800h
		jnb	short loc_7A520A
		add	ebx, 8

loc_7A51C4:				; CODE XREF: ExEnumHandleTable+B8j
		mov	[ebp+var_8], edi
		test	ebx, ebx
		jz	short loc_7A51F6
		mov	edi, [ebp+arg_0]
		jmp	short loc_7A51A0
; 

loc_7A51D0:				; CODE XREF: ExEnumHandleTable+48j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_7A51A0
		push	[ebp+arg_8]
		push	esi
		push	ebx
		push	edi
		call	[ebp+arg_4]
		mov	[ebp+var_1], al
		test	al, al
		jz	short loc_7A51B2
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_7A51F6
		mov	[eax], esi

loc_7A51F6:				; CODE XREF: ExEnumHandleTable+3Bj
					; ExEnumHandleTable+69j ...
		mov	ecx, [ebp+var_C]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	al, [ebp+var_1]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7A520A:				; CODE XREF: ExEnumHandleTable+5Fj
		mov	ecx, [ebp+arg_0]
		add	edi, 4
		push	edi
		call	ExpLookupHandleTableEntry
		mov	ebx, eax
		jmp	short loc_7A51C4
ExEnumHandleTable endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpEnumFindHandleProcedure proc	near	; DATA XREF: ObFindHandleForObject(x,x,x,x,x)+3Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E9E73 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ecx, [edx]
		mov	eax, [esi]
		and	eax, 0FFFFFFF8h
		test	ecx, ecx
		jz	short loc_7A5268
		cmp	ecx, eax
		jz	short loc_7A5268
		xor	bl, bl

loc_7A523E:				; CODE XREF: ObpEnumFindHandleProcedure+73j
		mov	eax, 1
		lock xadd [esi], eax
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+arg_4]
		add	ecx, 20h
		mov	[ebp+arg_4], 0
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], edx
		jnz	short loc_7A52A4

loc_7A5260:				; CODE XREF: ObpEnumFindHandleProcedure+8Bj
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_7A5268:				; CODE XREF: ObpEnumFindHandleProcedure+16j
					; ObpEnumFindHandleProcedure+1Aj
		push	edi
		mov	edi, [edx+4]
		test	edi, edi
		jz	short loc_7A5295
		mov	ecx, eax
		movzx	eax, byte ptr [eax+0Ch]
		shr	ecx, 8
		movzx	ecx, cl
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		cmp	edi, ds:_ObTypeIndexTable[ecx*4]
		jz	short loc_7A5295
		xor	bl, bl

loc_7A5292:				; CODE XREF: ObpEnumFindHandleProcedure+82j
					; ObpEnumFindHandleProcedure+144C76j
		pop	edi
		jmp	short loc_7A523E
; 

loc_7A5295:				; CODE XREF: ObpEnumFindHandleProcedure+4Ej
					; ObpEnumFindHandleProcedure+6Ej
		mov	edi, [edx+8]
		test	edi, edi
		jnz	loc_8E9E73

loc_7A52A0:				; CODE XREF: ObpEnumFindHandleProcedure+144C6Ej
		mov	bl, 1
		jmp	short loc_7A5292
; 

loc_7A52A4:				; CODE XREF: ObpEnumFindHandleProcedure+3Ej
		xor	edx, edx
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	short loc_7A5260
ObpEnumFindHandleProcedure endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetNextHandleTableEntry(x, x, x)
_ExpGetNextHandleTableEntry@12 proc near ; CODE	XREF: ExEnumHandleTable+32p
					; ExQueryProcessHandleInformation+45p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [edi]
		mov	esi, eax
		test	edx, edx
		jz	short loc_7A52D9
		add	esi, 4
		xor	eax, esi
		cmp	eax, 800h
		jnb	short loc_7A52E6
		add	edx, 8

loc_7A52CF:				; CODE XREF: ExpGetNextHandleTableEntry(x,x,x)+36j
		mov	[edi], esi
		mov	eax, edx
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_7A52D9:				; CODE XREF: ExpGetNextHandleTableEntry(x,x,x)+10j
		push	4
		pop	esi

loc_7A52DC:				; CODE XREF: ExpGetNextHandleTableEntry(x,x,x)+3Bj
		push	esi
		call	ExpLookupHandleTableEntry
		mov	edx, eax
		jmp	short loc_7A52CF
; 

loc_7A52E6:				; CODE XREF: ExpGetNextHandleTableEntry(x,x,x)+1Cj
		add	esi, 4
		jmp	short loc_7A52DC
_ExpGetNextHandleTableEntry@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAlpcQueryInformationMessage proc near	; DATA XREF: .text:00581200o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008E9E9B SIZE 00000036 BYTES

		push	20h
		push	offset dword_6A2490
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_2C], bl
		mov	[ebp+ms_exc.disabled], esi
		lea	eax, [ebp+var_24]
		push	eax
		lea	edx, [ebp+var_20]
		mov	ecx, [ebp+arg_4]
		call	_AlpcpCaptureIdMessage@12 ; AlpcpCaptureIdMessage(x,x,x)
		test	bl, bl
		jz	loc_7A546F
		push	4
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	edi, [ebp+arg_14]
		test	edi, edi
		jnz	loc_7A5445

loc_7A5352:				; CODE XREF: NtAlpcQueryInformationMessage+168j
					; NtAlpcQueryInformationMessage+186j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_20], 0
		jz	loc_8E9E9B
		mov	eax, ds:_AlpcPortObjectType
		mov	[ebp+var_1C], esi
		push	esi
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_2C]
		push	eax
		push	20000h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7A53FF
		lea	eax, [ebp+var_28]
		push	eax
		push	ecx
		push	[ebp+var_24]
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		call	AlpcpLookupMessage
		mov	esi, eax
		test	esi, esi
		js	short loc_7A53F7
		mov	ebx, [ebp+var_28]
		cmp	dword ptr [ebx+0Ch], 0
		jz	loc_8E9EA5
		mov	eax, [ebp+arg_8]
		sub	eax, 0
		jz	loc_7A5459
		sub	eax, 1
		jz	loc_8E9EAF
		sub	eax, 1
		jz	short loc_7A541F
		sub	eax, 1
		jnz	loc_7A547B
		push	edi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		mov	edx, ebx
		mov	ecx, [ebp+var_1C]
		call	AlpcpQueryHandleInformationMessage

loc_7A53E1:				; CODE XREF: NtAlpcQueryInformationMessage+17Ej
					; NtAlpcQueryInformationMessage+144BD4j
		mov	esi, eax

loc_7A53E3:				; CODE XREF: NtAlpcQueryInformationMessage+157j
					; NtAlpcQueryInformationMessage+194j ...
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	loc_8E9EC5

loc_7A53F0:				; CODE XREF: NtAlpcQueryInformationMessage+144BE0j
		mov	ecx, ebx
		call	AlpcpUnlockBlob

loc_7A53F7:				; CODE XREF: NtAlpcQueryInformationMessage+B2j
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject

loc_7A53FF:				; CODE XREF: NtAlpcQueryInformationMessage+99j
					; NtAlpcQueryInformationMessage+144BB4j ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7A541F:				; CODE XREF: NtAlpcQueryInformationMessage+D9j
		cmp	[ebp+arg_C], 0
		jnz	short loc_7A547B
		cmp	[ebp+arg_10], 0
		jnz	short loc_7A547B
		test	edi, edi
		jnz	short loc_7A547B
		mov	eax, [ebx+14h]
		and	al, 7
		sub	al, 4
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 103h
		jmp	short loc_7A53E3
; 

loc_7A5445:				; CODE XREF: NtAlpcQueryInformationMessage+60j
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	short loc_7A5477

loc_7A5450:				; CODE XREF: NtAlpcQueryInformationMessage+18Dj
		mov	eax, [ecx]
		mov	[ecx], eax
		jmp	loc_7A5352
; 

loc_7A5459:				; CODE XREF: NtAlpcQueryInformationMessage+C7j
		push	edi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		mov	edx, ebx
		mov	ecx, [ebp+var_1C]
		call	_AlpcpQuerySidMessage@20 ; AlpcpQuerySidMessage(x,x,x,x,x)
		jmp	loc_7A53E1
; 

loc_7A546F:				; CODE XREF: NtAlpcQueryInformationMessage+48j
		mov	edi, [ebp+arg_14]
		jmp	loc_7A5352
; 

loc_7A5477:				; CODE XREF: NtAlpcQueryInformationMessage+162j
		mov	ecx, eax
		jmp	short loc_7A5450
; 

loc_7A547B:				; CODE XREF: NtAlpcQueryInformationMessage+DEj
					; NtAlpcQueryInformationMessage+137j ...
		mov	esi, 0C000000Dh
		jmp	loc_7A53E3
NtAlpcQueryInformationMessage endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpCaptureIdMessage(x, x,	x)
_AlpcpCaptureIdMessage@12 proc near	; CODE XREF: NtAlpcQueryInformationMessage+41p
					; NtAlpcImpersonateClientContainerOfPort(x,x,x)+4Dp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		mov	esi, edx
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_7A54B2
		mov	eax, ecx
		test	cl, 3
		jnz	short loc_7A54C4
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		jnb	short loc_7A54C9

loc_7A54AF:				; CODE XREF: AlpcpCaptureIdMessage(x,x,x)+45j
		nop
		mov	al, [eax]

loc_7A54B2:				; CODE XREF: AlpcpCaptureIdMessage(x,x,x)+16j
		mov	eax, [ecx+10h]
		mov	[esi], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [ecx+14h]
		pop	esi
		mov	[eax], ecx
		pop	ebp
		retn	4
; 

loc_7A54C4:				; CODE XREF: AlpcpCaptureIdMessage(x,x,x)+1Dj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7A54C9:				; CODE XREF: AlpcpCaptureIdMessage(x,x,x)+27j
		mov	eax, edx
		jmp	short loc_7A54AF
_AlpcpCaptureIdMessage@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpQueryHandleInformationMessage proc	near ; CODE XREF: NtAlpcQueryInformationMessage+F0p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E9EF1 SIZE 00000014 BYTES
; FUNCTION CHUNK AT 008E9F13 SIZE 0000000A BYTES

		push	24h
		push	offset dword_6A24B0
		call	__SEH_prolog4
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_24], eax
		cmp	[ebp+arg_4], 14h
		jnz	loc_8E9EF1
		mov	[ebp+ms_exc.disabled], eax
		mov	ebx, [ebp+arg_0]
		mov	edi, [ebx]
		mov	[ebp+var_34], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [edx+50h]
		test	esi, esi
		jz	loc_8E9F13
		cmp	edi, [esi+4]
		jnb	loc_8E9F13
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_0], al
		imul	eax, [ebp+var_34], 24h
		mov	eax, [eax+esi]
		mov	[ebp+arg_4], eax
		test	[ecx+0C0h], eax
		jz	loc_8E9EFB
		mov	ecx, [ecx+0Ch]
		mov	eax, ecx
		and	al, 1
		movzx	edx, al
		neg	edx
		sbb	edx, edx
		not	edx
		and	edx, ecx
		jz	short loc_7A55B0
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+arg_0]
		imul	eax, edi, 24h
		lea	ecx, [esi+8]
		add	ecx, eax
		call	ObCompleteObjectDuplication
		mov	[ebp+arg_4], eax
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_2C], ecx
		test	eax, eax
		js	short loc_7A559B
		mov	[ebp+ms_exc.disabled], 1
		push	5
		pop	ecx
		lea	esi, [ebp+var_34]
		mov	edi, ebx
		rep movsd
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_7A55B7

loc_7A5594:				; CODE XREF: AlpcpQueryHandleInformationMessage+EFj
					; sub_8E9F0B+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7A559B:				; CODE XREF: AlpcpQueryHandleInformationMessage+ACj
		mov	eax, [ebp+arg_4]

loc_7A559E:				; CODE XREF: AlpcpQueryHandleInformationMessage+E7j
					; AlpcpQueryHandleInformationMessage+144A28j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7A55B0:				; CODE XREF: AlpcpQueryHandleInformationMessage+81j
		mov	eax, 0C0000022h
		jmp	short loc_7A559E
; 

loc_7A55B7:				; CODE XREF: AlpcpQueryHandleInformationMessage+C4j
		mov	dword ptr [eax], 14h
		jmp	short loc_7A5594
AlpcpQueryHandleInformationMessage endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCaptureHandleAttribute proc near	; CODE XREF: AlpcpCompleteDispatchMessage+D7Bp

var_30		= dword	ptr -30h
ms_exc		= CPPEH_RECORD ptr -18h

		push	20h
		push	offset dword_6A24D8
		call	__SEH_prolog4
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_7A55FC
		and	[ebp+ms_exc.disabled], 0
		mov	esi, ecx
		lea	edi, [ebp+var_30]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	ecx, [ebp+var_30]

loc_7A55FC:				; CODE XREF: AlpcpCaptureHandleAttribute+23j
		call	AlpcpCaptureHandleAttributeInternal

loc_7A5601:				; CODE XREF: sub_8E9F4F+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
AlpcpCaptureHandleAttribute endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCaptureHandleAttributeInternal proc near
					; CODE XREF: AlpcpCaptureHandleAttribute:loc_7A55FCp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008E9F61 SIZE 00000028 BYTES
; FUNCTION CHUNK AT 008E9FB4 SIZE 0000002D BYTES

		push	40h
		push	offset dword_6A24F8
		call	__SEH_prolog4
		mov	[ebp+var_48], edx
		mov	[ebp+var_24], ecx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_44], al
		mov	eax, [ecx]
		test	eax, 0FFF0FFFFh
		jnz	loc_8E9FD7
		xor	esi, esi
		inc	esi
		mov	[ebp+var_2C], esi
		xor	edi, edi
		mov	[ebp+var_40], edi
		xor	ebx, ebx
		test	eax, 40000h
		jnz	loc_7A5768

loc_7A565B:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+222j
		imul	eax, esi, 24h
		mov	[ebp+var_40], eax
		push	0
		mov	edx, eax
		mov	ecx, offset _AlpcHandleDataType
		call	@AlpcpAllocateBlob@12 ;	AlpcpAllocateBlob(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8E9FB4
		push	[ebp+var_40]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[edi+4], esi
		cmp	[ebp+var_19], 0
		jz	loc_7A575E
		mov	eax, large fs:124h
		mov	eax, [eax+80h]

loc_7A56A0:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+151j
		mov	[ebp+var_30], eax
		xor	esi, esi
		and	[ebp+var_28], esi
		lea	edx, [edi+10h]
		mov	ecx, [ebp+var_24]
		add	ecx, 4
		mov	eax, [ebp+var_28]

loc_7A56B4:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+120j
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		cmp	eax, [ebp+var_2C]
		jnb	short loc_7A5734
		lea	eax, [edx-8]
		push	eax
		push	[ebp+var_44]
		mov	eax, [ecx-4]
		and	eax, 10000h
		or	eax, 40000h
		shr	eax, 0Fh
		push	eax
		push	dword ptr [ecx+8]
		mov	edx, [ecx]
		mov	ecx, [ebp+var_30]
		call	ObCaptureObjectStateForDuplication
		mov	esi, eax
		mov	edx, [ebp+var_20]
		test	esi, esi
		js	short loc_7A5722
		mov	edx, [edx]
		lea	ecx, [edx-18h]
		shr	ecx, 8
		movzx	ecx, cl
		movzx	eax, byte ptr [edx-0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	eax, [eax+2Ch]
		mov	edx, [ebp+var_20]
		mov	[edx-10h], eax
		test	eax, 0FFDh
		jz	loc_8E9FBE

loc_7A5722:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+D9j
		mov	eax, [ebp+var_28]
		inc	eax
		mov	[ebp+var_28], eax
		mov	ecx, [ebp+var_24]
		add	ecx, 10h
		add	edx, 24h
		jmp	short loc_7A56B4
; 

loc_7A5734:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+ABj
		mov	eax, [ebp+var_48]
		mov	[eax+18h], edi
		xor	edi, edi

loc_7A573C:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+144972j
					; sub_8E9F99+16j ...
		test	edi, edi
		jnz	loc_8E9FC8

loc_7A5744:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+1449C0j
		test	ebx, ebx
		jnz	loc_7A5839

loc_7A574C:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+232j
		mov	eax, esi

loc_7A574E:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+144954j
					; AlpcpCaptureHandleAttributeInternal+14495Ej ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7A575E:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+7Cj
		mov	eax, ds:_PsInitialSystemProcess
		jmp	loc_7A56A0
; 

loc_7A5768:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+43j
		mov	esi, [ecx+8]
		mov	[ebp+var_2C], esi
		mov	ecx, 200h
		cmp	esi, ecx
		ja	loc_8E9F61
		cmp	esi, 1
		jbe	loc_8E9FD7
		mov	eax, esi
		shl	eax, 4
		mov	[ebp+var_30], eax
		push	4863704Ch
		push	eax
		push	ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_28], ebx
		test	ebx, ebx
		jz	loc_8E9F6B
		mov	eax, [ebp+var_24]
		mov	ecx, [eax+4]
		mov	[ebp+var_20], ecx
		and	[ebp+ms_exc.disabled], edi
		mov	eax, large fs:124h
		mov	[ebp+var_4C], eax
		mov	al, [eax+15Ah]
		mov	[ebp+var_1A], al
		test	al, al
		jz	short loc_7A57E3
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_7A57E3
		test	cl, 3
		jnz	short loc_7A5849
		add	eax, ecx
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_7A584E
		cmp	eax, ecx
		jb	short loc_7A584E

loc_7A57E3:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+1B3j
					; AlpcpCaptureHandleAttributeInternal+1BAj ...
		xor	edx, edx

loc_7A57E5:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+216j
		mov	[ebp+var_34], edx
		cmp	edx, esi
		jnb	short loc_7A582A
		mov	ecx, edx
		add	ecx, ecx
		mov	eax, [ebp+var_20]
		mov	eax, [eax+ecx*8]
		mov	[ebx+ecx*8], eax
		mov	eax, [ebp+var_20]
		mov	eax, [eax+ecx*8+4]
		mov	[ebx+ecx*8+4], eax
		mov	eax, [ebp+var_20]
		mov	eax, [eax+ecx*8+8]
		mov	[ebx+ecx*8+8], eax
		mov	eax, [ebp+var_20]
		mov	eax, [eax+ecx*8+0Ch]
		mov	[ebx+ecx*8+0Ch], eax
		test	dword ptr [ebx+ecx*8], 0FFF4FFFFh
		jnz	loc_8E9F75
		inc	edx
		jmp	short loc_7A57E5
; 

loc_7A582A:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+1D8j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_24], ebx
		jmp	loc_7A565B
; 

loc_7A5839:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+134j
		push	4863704Ch
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7A574C
; 

loc_7A5849:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+1BFj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7A584E:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+1CBj
					; AlpcpCaptureHandleAttributeInternal+1CFj
		mov	byte ptr [edx],	0
		jmp	short loc_7A57E3
AlpcpCaptureHandleAttributeInternal endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObCaptureObjectStateForDuplication proc	near
					; CODE XREF: AlpcpCaptureHandleAttributeInternal+CDp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E9FE1 SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, edx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_4], eax
		and	edi, 2
		jnz	short loc_7A588C
		test	[ebp+arg_0], 0CE00000h
		jnz	loc_8E9FF9

loc_7A588C:				; CODE XREF: ObCaptureObjectStateForDuplication+29j
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jz	loc_8EA003
		lea	ecx, [ebp+var_1C]
		mov	edx, esi
		push	ecx
		lea	ecx, [ebp+var_14]
		push	ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	7544624Fh
		push	[ebp+arg_8]
		mov	ecx, ebx
		push	eax
		call	ObpReferenceProcessObjectByHandle
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8EA036
		mov	ebx, [ebp+var_14]
		test	bl, 4
		jnz	loc_8EA00D
		mov	ecx, [ebp+var_1C]

loc_7A58D0:				; CODE XREF: ObCaptureObjectStateForDuplication+1447BBj
		mov	eax, [ebp+var_10]
		test	edi, edi
		jnz	loc_7A599A

loc_7A58DB:				; CODE XREF: ObCaptureObjectStateForDuplication+149j
		and	ebx, 0Ch
		test	byte ptr [ebp+arg_4], 8
		jz	short loc_7A58E7
		or	ebx, 8

loc_7A58E7:				; CODE XREF: ObCaptureObjectStateForDuplication+8Ej
		mov	edi, [ebp+arg_C]
		mov	eax, [ebp+var_18]
		mov	[edi+10h], ecx
		mov	ecx, [ebp+var_4]
		mov	[edi+14h], eax
		lea	eax, [ecx-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [ecx-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		test	[ebp+arg_0], 0F0000000h
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		mov	[ebp+arg_4], eax
		jnz	loc_8EA014

loc_7A5925:				; CODE XREF: ObCaptureObjectStateForDuplication+1447D0j
		mov	eax, [eax+44h]
		mov	ecx, [ebp+var_10]
		or	eax, 1000000h
		and	eax, [ebp+arg_0]
		not	ecx
		mov	[ebp+var_8], eax
		test	ecx, eax
		jnz	loc_8E9FE1
		push	0
		push	ebx
		push	[ebp+arg_8]
		lea	edx, [ebp+var_8]
		push	[ebp+var_4]
		push	esi
		push	2
		pop	ecx
		call	ObpIncrementHandleCountEx
		lea	ecx, [esi+0F0h]
		mov	[ebp+arg_0], eax
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		cmp	[ebp+arg_0], 0
		mov	edx, 7544624Fh
		jl	loc_8EA029
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_C]
		mov	[edi+0Ch], ecx
		mov	ecx, esi
		mov	[edi+4], eax
		mov	[edi+18h], ebx
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_4]
		mov	[edi], esi
		mov	[edi+8], eax

loc_7A5990:				; CODE XREF: ObCaptureObjectStateForDuplication+1447DDj
		mov	eax, [ebp+arg_0]

loc_7A5993:				; CODE XREF: ObCaptureObjectStateForDuplication+1447AAj
					; ObCaptureObjectStateForDuplication+1447B4j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7A599A:				; CODE XREF: ObCaptureObjectStateForDuplication+81j
		mov	[ebp+arg_0], eax
		jmp	loc_7A58DB
ObCaptureObjectStateForDuplication endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObCompleteObjectDuplication proc near	; CODE XREF: AlpcpQueryHandleInformationMessage+9Cp
					; AlpcpExposeHandleAttribute+162p

var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EA048 SIZE 000000C3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		and	dword ptr [eax], 0
		mov	edi, edx
		mov	esi, ecx
		mov	ecx, edi
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		mov	[esp+30h+var_10], eax
		test	eax, eax
		jz	loc_8EA048
		cmp	eax, _ObpKernelHandleTable
		lea	edx, [esp+30h+var_18]
		mov	eax, [esi+0Ch]
		mov	ecx, [esi+8]
		setz	[esp+30h+var_1D]
		push	0
		mov	[esp+34h+var_18], eax
		mov	eax, [esi+18h]
		push	eax
		push	[ebp+arg_0]
		push	ecx
		push	edi
		push	2
		pop	ecx
		call	ObpIncrementHandleCountEx
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8EA060
		mov	eax, [esi+8]
		mov	[esp+30h+var_14], eax
		lea	edx, [eax-18h]
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edx+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		lea	ecx, [esp+30h+var_8]
		mov	[esp+30h+var_4], ecx
		mov	[esp+30h+var_8], ecx
		mov	ecx, eax
		mov	[esp+30h+var_C], eax
		call	_ObpFilterOperation@4 ;	ObpFilterOperation(x)
		test	al, al
		jnz	loc_7A5ADA

loc_7A5A4A:				; CODE XREF: ObCompleteObjectDuplication+169j
					; ObCompleteObjectDuplication+177j
		mov	ecx, [esi+8]
		mov	edx, 6E48624Fh
		call	ObfReferenceObjectWithTag
		mov	edx, [esp+30h+var_14]
		lea	eax, [esi+10h]
		mov	ecx, [esp+30h+var_10]
		push	eax
		push	dword ptr [esi+18h]
		lea	edx, [edx-18h]
		push	[esp+38h+var_18]
		call	ExCreateHandleEx
		mov	[esp+30h+var_1C], eax
		test	eax, eax
		jz	loc_8EA08F
		test	byte ptr [esi+18h], 4
		jnz	loc_8EA070

loc_7A5A88:				; CODE XREF: ObCompleteObjectDuplication+144711j
		cmp	[esp+30h+var_1D], 1
		jz	loc_8EA0B8

loc_7A5A93:				; CODE XREF: ObCompleteObjectDuplication+14471Fj
		lea	ecx, [edi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		lea	eax, [esp+30h+var_8]
		cmp	[esp+30h+var_8], eax
		jnz	loc_8EA0C6

loc_7A5AAC:				; CODE XREF: ObCompleteObjectDuplication+14473Aj
		mov	edx, [esp+30h+var_1C]
		test	ebx, ebx
		js	short loc_7A5AC2
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		mov	[eax], edx
		mov	eax, [esp+30h+var_18]
		mov	[ecx], eax

loc_7A5AC2:				; CODE XREF: ObCompleteObjectDuplication+110j
		test	byte ptr ds:dword_70EFD0, 40h
		jnz	loc_8EA0E1

loc_7A5ACF:				; CODE XREF: ObCompleteObjectDuplication+1446C9j
					; ObCompleteObjectDuplication+144741j ...
		mov	eax, ebx

loc_7A5AD1:				; CODE XREF: ObCompleteObjectDuplication+1446ABj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7A5ADA:				; CODE XREF: ObCompleteObjectDuplication+A2j
		mov	eax, [esp+30h+var_18]
		mov	dl, [esp+30h+var_1D]
		mov	ecx, [esp+30h+var_14]
		mov	[esp+30h+var_1C], eax
		lea	eax, [esp+30h+var_8]
		push	eax
		push	edi
		push	dword ptr [esi]
		lea	eax, [esp+3Ch+var_1C]
		push	eax
		call	_ObpPreInterceptHandleDuplicate@24 ; ObpPreInterceptHandleDuplicate(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8EA052
		cmp	[esp+30h+var_1D], 0
		jnz	loc_7A5A4A
		mov	eax, [esp+30h+var_1C]
		mov	[esp+30h+var_18], eax
		jmp	loc_7A5A4A
ObCompleteObjectDuplication endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1521. NtDuplicateObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtDuplicateObject
NtDuplicateObject proc near		; DATA XREF: .text:00581088o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008EA10B SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008EA134 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A2518
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_2C], 0
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_28], al
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	short loc_7A5BBB
		test	al, al
		jz	short loc_7A5BBB
		mov	[ebp+var_4], 0
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8EA10B

loc_7A5BAA:				; CODE XREF: NtDuplicateObject+1445DDj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	dword ptr [esi], 0
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7A5BBB:				; CODE XREF: NtDuplicateObject+5Ej
					; NtDuplicateObject+62j
		push	0
		lea	eax, [ebp+var_24]
		push	eax
		push	7544624Fh
		mov	ebx, [ebp+var_28]
		push	ebx
		mov	eax, ds:_PsProcessType
		push	eax
		push	40h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7A5C73
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	loc_7A5C87
		push	0
		lea	eax, [ebp+var_20]
		push	eax
		push	7544624Fh
		push	ebx
		mov	eax, ds:_PsProcessType
		push	eax
		push	40h
		push	ecx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+arg_0], edi
		test	edi, edi
		js	loc_8EA134

loc_7A5C14:				; CODE XREF: NtDuplicateObject+15Cj
		mov	ebx, [ebp+var_20]

loc_7A5C17:				; CODE XREF: NtDuplicateObject+144609j
		push	[ebp+var_28]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+var_24]
		call	ObDuplicateObject
		mov	[ebp+arg_C], eax
		test	esi, esi
		jz	short loc_7A5C4D
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_2C]
		mov	[esi], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7A5C4D:				; CODE XREF: NtDuplicateObject+108j
					; sub_8EA15E+10j
		mov	esi, [ebp+arg_C]
		mov	edx, 7544624Fh
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObjectWithTag
		test	ebx, ebx
		jz	short loc_7A5C6D
		mov	edx, 7544624Fh
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_7A5C6D:				; CODE XREF: NtDuplicateObject+12Fj
		test	edi, edi
		js	short loc_7A5C8E

loc_7A5C71:				; CODE XREF: NtDuplicateObject+160j
		mov	eax, esi

loc_7A5C73:				; CODE XREF: NtDuplicateObject+ACj
					; sub_8EA122+Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_7A5C87:				; CODE XREF: NtDuplicateObject+B7j
		xor	edi, edi
		mov	[ebp+arg_0], edi
		jmp	short loc_7A5C14
; 

loc_7A5C8E:				; CODE XREF: NtDuplicateObject+13Fj
		mov	esi, edi
		jmp	short loc_7A5C71
NtDuplicateObject endp

; 
		align 10h
; Exported entry 1620. ObDuplicateObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObDuplicateObject
ObDuplicateObject proc near		; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+212p
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+261p ...

var_1A2		= byte ptr -1A2h
var_1A1		= byte ptr -1A1h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_195		= byte ptr -195h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_D0		= dword	ptr -0D0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 008EA173 SIZE 00000155 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1A4h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_14]
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[esp+1ACh+var_1A0], eax
		mov	eax, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[esp+1B0h+var_17C], eax
		xor	eax, eax
		push	0C4h		; size_t
		push	eax		; int
		mov	[esp+1B8h+var_160], eax
		mov	[esp+1B8h+var_15C], eax
		mov	[esp+1B8h+var_158], eax
		mov	[esp+1B8h+var_154], eax
		mov	[esp+1B8h+var_150], eax
		mov	[esp+1B8h+var_14C], eax
		lea	eax, [esp+1B8h+var_D0]
		push	eax		; void *
		mov	[esp+1BCh+var_194], esi
		call	_memset
		add	esp, 0Ch
		mov	[esp+1B0h+var_18C], 0
		lea	eax, [esp+1B0h+var_148]
		mov	[esp+1B0h+var_188], 0
		push	74h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+1B0h+var_16C], 0
		mov	[esp+1B0h+var_168], 0
		mov	[esp+1B0h+var_19C], 0
		test	ebx, 200h
		jnz	loc_7A606F

loc_7A5D4F:				; CODE XREF: ObDuplicateObject+3D3j
					; ObDuplicateObject+3E2j
		and	ebx, 0FFFFFDFFh
		test	edi, edi
		jz	short loc_7A5D5F
		mov	dword ptr [edi], 0

loc_7A5D5F:				; CODE XREF: ObDuplicateObject+B7j
		mov	esi, [ebp+arg_18]
		and	esi, 2
		jz	loc_7A5FE4

loc_7A5D6B:				; CODE XREF: ObDuplicateObject+34Bj
		mov	ecx, [esp+1B0h+var_1A0]
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jz	loc_8EA1C2
		mov	edx, [esp+1B0h+var_1A0]
		lea	ecx, [esp+1B0h+var_16C]
		push	ecx
		lea	ecx, [esp+1B4h+var_18C]
		push	ecx
		lea	ecx, [esp+1B8h+var_19C]
		push	ecx
		mov	ecx, [esp+1BCh+var_17C]
		push	6E48624Fh
		push	[ebp+arg_1C]
		push	eax
		call	ObpReferenceProcessObjectByHandle
		mov	[esp+1B0h+var_180], eax
		test	eax, eax
		js	loc_7A61F2
		test	byte ptr [esp+1B0h+var_18C], 4
		jnz	short loc_7A5DBC
		mov	[esp+1B0h+var_16C], 0

loc_7A5DBC:				; CODE XREF: ObDuplicateObject+112j
		mov	eax, [esp+1B0h+var_194]
		test	eax, eax
		jz	loc_7A618C
		mov	ecx, eax
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		mov	[esp+1B0h+var_164], eax
		test	eax, eax
		jz	loc_8EA17D
		cmp	eax, _ObpKernelHandleTable
		jz	loc_7A6087
		mov	[esp+1B0h+var_1A1], 0

loc_7A5DEC:				; CODE XREF: ObDuplicateObject+3ECj
		test	esi, esi
		mov	esi, [esp+1B0h+var_188]
		jz	loc_7A5FF6
		mov	edx, esi
		mov	[ebp+arg_10], edx

loc_7A5DFD:				; CODE XREF: ObDuplicateObject+359j
		mov	ecx, [ebp+arg_18]
		test	cl, 4
		jnz	loc_7A615F
		mov	eax, [esp+1B0h+var_18C]
		and	eax, 0Ch
		or	ebx, eax

loc_7A5E12:				; CODE XREF: ObDuplicateObject+4C3j
		test	cl, 8
		jnz	loc_7A6157

loc_7A5E1B:				; CODE XREF: ObDuplicateObject+4BAj
		mov	eax, [esp+1B0h+var_19C]
		add	eax, 0FFFFFFE8h
		mov	[esp+1B0h+var_178], eax
		shr	eax, 8
		movzx	ecx, al
		mov	eax, [esp+1B0h+var_178]
		movzx	eax, byte ptr [eax+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	ecx, ds:_ObTypeIndexTable[ecx*4]
		mov	[esp+1B0h+var_180], ecx
		test	edx, 0F0000000h
		jnz	loc_7A6173

loc_7A5E56:				; CODE XREF: ObDuplicateObject+4E7j
		mov	eax, [ecx+44h]
		not	esi
		or	eax, 1000000h
		mov	[esp+1B0h+var_195], 0
		and	eax, edx
		mov	[esp+1B0h+var_184], eax
		test	esi, eax
		jnz	loc_7A60A0
		xor	esi, esi

loc_7A5E75:				; CODE XREF: ObDuplicateObject+470j
		push	0
		push	ebx
		push	[ebp+arg_1C]
		lea	edx, [esp+1BCh+var_184]
		mov	ecx, 2
		push	[esp+1BCh+var_19C]
		push	[esp+1C0h+var_194]
		call	ObpIncrementHandleCountEx
		mov	[esp+1B0h+var_18C], eax

loc_7A5E95:				; CODE XREF: ObDuplicateObject+476j
		cmp	[esp+1B0h+var_195], 0
		jnz	loc_7A621F

loc_7A5EA0:				; CODE XREF: ObDuplicateObject+589j
					; ObDuplicateObject+144536j
		mov	eax, [ebp+arg_18]
		test	al, 1
		jnz	loc_7A5FFE

loc_7A5EAB:				; CODE XREF: ObDuplicateObject+37Fj
		cmp	[esp+1B0h+var_18C], 0
		jl	loc_7A5F95
		test	esi, esi
		jnz	loc_7A611B

loc_7A5EBE:				; CODE XREF: ObDuplicateObject+47Fj
					; ObDuplicateObject+144548j
		mov	ecx, [esp+1B0h+var_180]
		lea	eax, [esp+1B0h+var_174]
		mov	[esp+1B0h+var_170], eax
		mov	[esp+1B0h+var_174], eax
		call	_ObpFilterOperation@4 ;	ObpFilterOperation(x)
		test	al, al
		jnz	loc_7A6024

loc_7A5EDB:				; CODE XREF: ObDuplicateObject+3BCj
					; ObDuplicateObject+3CAj
		mov	edx, [esp+1B0h+var_178]
		lea	eax, [esp+1B0h+var_16C]
		mov	ecx, [esp+1B0h+var_164]
		push	eax
		push	ebx
		push	[esp+1B8h+var_184]
		call	ExCreateHandleEx
		mov	edx, eax
		mov	[esp+1B0h+var_190], edx
		test	edx, edx
		jz	loc_8EA26A
		test	esi, esi
		jnz	loc_7A612A

loc_7A5F08:				; CODE XREF: ObDuplicateObject+4A7j
		test	bl, 4
		jnz	loc_8EA227
		mov	ebx, [esp+1B0h+var_194]

loc_7A5F15:				; CODE XREF: ObDuplicateObject+1445ADj
					; ObDuplicateObject+1445C5j ...
		cmp	[esp+1B0h+var_1A1], 0
		jnz	loc_7A6091

loc_7A5F20:				; CODE XREF: ObDuplicateObject+3FBj
		test	edi, edi
		jz	short loc_7A5F26
		mov	[edi], edx

loc_7A5F26:				; CODE XREF: ObDuplicateObject+282j
		test	esi, esi
		jnz	loc_7A614C

loc_7A5F2E:				; CODE XREF: ObDuplicateObject+4B2j
		mov	edi, [esp+1B0h+var_1A0]
		lea	ecx, [edi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		lea	ecx, [ebx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	esi, [esp+1B0h+var_18C]
		lea	eax, [esp+1B0h+var_174]
		cmp	[esp+1B0h+var_174], eax
		jnz	short loc_7A5F7C

loc_7A5F56:				; CODE XREF: ObDuplicateObject+2F3j
		test	byte ptr ds:dword_70EFD0, 40h
		jnz	loc_8EA298

loc_7A5F63:				; CODE XREF: ObDuplicateObject+1445FAj
					; ObDuplicateObject+144623j
		mov	eax, esi

loc_7A5F65:				; CODE XREF: ObDuplicateObject+565j
					; ObDuplicateObject+1444D8j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+1A4h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_7A5F7C:				; CODE XREF: ObDuplicateObject+2B4j
		mov	dl, [esp+1B0h+var_1A1]
		lea	eax, [esp+1B0h+var_174]
		mov	ecx, [esp+1B0h+var_19C]
		push	eax
		push	[esp+1B4h+var_184]
		push	esi
		call	_ObpPostInterceptHandleDuplicate@20 ; ObpPostInterceptHandleDuplicate(x,x,x,x,x)
		jmp	short loc_7A5F56
; 

loc_7A5F95:				; CODE XREF: ObDuplicateObject+210j
		test	esi, esi
		jnz	loc_7A6168

loc_7A5F9D:				; CODE XREF: ObDuplicateObject+4CEj
		mov	ecx, [esp+1B0h+var_1A0]
		lea	ecx, [ecx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, [esp+1B0h+var_194]
		lea	ecx, [ecx+0F0h]

loc_7A5FB6:				; CODE XREF: ObDuplicateObject+14457Bj
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, [esp+1B0h+var_19C]
		mov	edx, 6E48624Fh
		call	ObfDereferenceObjectWithTag
		mov	eax, [esp+1B0h+var_18C]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+1A4h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_7A5FE4:				; CODE XREF: ObDuplicateObject+C5j
		test	[ebp+arg_10], 0CE00000h
		jz	loc_7A5D6B
		jmp	loc_8EA173
; 

loc_7A5FF6:				; CODE XREF: ObDuplicateObject+152j
		mov	edx, [ebp+arg_10]
		jmp	loc_7A5DFD
; 

loc_7A5FFE:				; CODE XREF: ObDuplicateObject+205j
		lea	eax, [esp+1B0h+var_160]
		push	eax
		push	[esp+1B4h+var_1A0]
		call	KeStackAttachProcess
		push	[esp+1B0h+var_17C]
		call	NtClose
		lea	eax, [esp+1B0h+var_160]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		jmp	loc_7A5EAB
; 

loc_7A6024:				; CODE XREF: ObDuplicateObject+235j
		mov	eax, [esp+1B0h+var_184]
		mov	dl, [esp+1B0h+var_1A1]
		mov	ecx, [esp+1B0h+var_19C]
		mov	[esp+1B0h+var_190], eax
		lea	eax, [esp+1B0h+var_174]
		push	eax
		push	[esp+1B4h+var_194]
		lea	eax, [esp+1B8h+var_190]
		push	[esp+1B8h+var_1A0]
		push	eax
		call	_ObpPreInterceptHandleDuplicate@24 ; ObpPreInterceptHandleDuplicate(x,x,x,x,x,x)
		mov	[esp+1B0h+var_18C], eax
		test	eax, eax
		js	loc_8EA1ED
		cmp	[esp+1B0h+var_1A1], 0
		jnz	loc_7A5EDB
		mov	eax, [esp+1B0h+var_190]
		mov	[esp+1B0h+var_184], eax
		jmp	loc_7A5EDB
; 

loc_7A606F:				; CODE XREF: ObDuplicateObject+A9j
		cmp	byte ptr [ebp+arg_1C], 0
		jnz	loc_7A5D4F
		mov	eax, ds:_PsInitialSystemProcess
		mov	[esp+1B0h+var_194], eax
		jmp	loc_7A5D4F
; 

loc_7A6087:				; CODE XREF: ObDuplicateObject+141j
		mov	[esp+1B0h+var_1A1], 1
		jmp	loc_7A5DEC
; 

loc_7A6091:				; CODE XREF: ObDuplicateObject+27Aj
		or	edx, 80000000h
		mov	[esp+1B0h+var_190], edx
		jmp	loc_7A5F20
; 

loc_7A60A0:				; CODE XREF: ObDuplicateObject+1CDj
		test	byte ptr [esp+1B0h+var_18C], 8
		jnz	loc_8EA1CC
		cmp	dword ptr [ecx+6Ch], offset SeDefaultObjectMethod
		jnz	loc_8EA1CC
		mov	eax, large fs:124h
		mov	ecx, [esp+1B0h+var_194]
		cmp	[eax+80h], ecx
		jnz	loc_7A620A

loc_7A60CE:				; CODE XREF: ObDuplicateObject+57Aj
		mov	eax, [esp+1B0h+var_180]
		add	eax, 34h
		push	eax		; int
		push	[esp+1B4h+var_184] ; int
		lea	eax, [esp+1B8h+var_D0]
		push	eax		; void *
		lea	eax, [esp+1BCh+var_148]
		push	eax		; void *
		call	SeCreateAccessState
		mov	edx, [esp+1B0h+var_19C]
		lea	eax, [esp+1B0h+var_184]
		push	eax
		push	ebx
		push	[ebp+arg_1C]
		lea	esi, [esp+1BCh+var_148]
		mov	ecx, 2
		mov	eax, esi
		push	eax
		call	ObpGrantAccess
		mov	[esp+1B0h+var_18C], eax
		test	eax, eax
		jns	loc_7A5E75
		jmp	loc_7A5E95
; 

loc_7A611B:				; CODE XREF: ObDuplicateObject+218j
		cmp	byte ptr [esi+0Ah], 0
		jz	loc_7A5EBE
		jmp	loc_8EA1DB
; 

loc_7A612A:				; CODE XREF: ObDuplicateObject+262j
		mov	ecx, [esp+1B0h+var_178]
		call	OBJECT_HEADER_TO_AUDIT_INFO
		test	eax, eax
		jnz	loc_8EA220

loc_7A613B:				; CODE XREF: ObDuplicateObject+144582j
		push	eax
		mov	ecx, esi
		call	SeAuditHandleCreation
		mov	edx, [esp+1B0h+var_190]
		jmp	loc_7A5F08
; 

loc_7A614C:				; CODE XREF: ObDuplicateObject+288j
		push	esi
		call	SeDeleteAccessState
		jmp	loc_7A5F2E
; 

loc_7A6157:				; CODE XREF: ObDuplicateObject+175j
		or	ebx, 8
		jmp	loc_7A5E1B
; 

loc_7A615F:				; CODE XREF: ObDuplicateObject+163j
		mov	ebx, [esp+1B0h+var_18C]
		jmp	loc_7A5E12
; 

loc_7A6168:				; CODE XREF: ObDuplicateObject+2F7j
		push	esi
		call	SeDeleteAccessState
		jmp	loc_7A5F9D
; 

loc_7A6173:				; CODE XREF: ObDuplicateObject+1B0j
		lea	eax, [ecx+34h]
		push	eax
		lea	eax, [ebp+arg_10]
		push	eax
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	edx, [ebp+arg_10]
		mov	ecx, [esp+1B0h+var_180]
		jmp	loc_7A5E56
; 

loc_7A618C:				; CODE XREF: ObDuplicateObject+122j
		mov	eax, [ebp+arg_18]
		test	al, 1
		jz	loc_7A622E
		lea	eax, [esp+1B0h+var_160]
		push	eax
		push	[esp+1B4h+var_1A0]
		call	KeStackAttachProcess
		push	[esp+1B0h+var_17C]
		call	NtClose
		lea	eax, [esp+1B0h+var_160]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		mov	esi, [esp+1B0h+var_180]

loc_7A61BC:				; CODE XREF: ObDuplicateObject+593j
		mov	ecx, [esp+1B0h+var_1A0]
		lea	ecx, [ecx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, [esp+1B0h+var_19C]
		mov	edx, 6E48624Fh
		call	ObfDereferenceObjectWithTag
		mov	ecx, [esp+1B0h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_7A61F2:				; CODE XREF: ObDuplicateObject+107j
		mov	ecx, [esp+1B0h+var_1A0]
		lea	ecx, [ecx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	eax, [esp+1B0h+var_180]
		jmp	loc_7A5F65
; 

loc_7A620A:				; CODE XREF: ObDuplicateObject+428j
		lea	eax, [esp+1B0h+var_160]
		push	eax
		push	ecx
		call	KeStackAttachProcess
		mov	[esp+1B0h+var_195], 1
		jmp	loc_7A60CE
; 

loc_7A621F:				; CODE XREF: ObDuplicateObject+1FAj
		lea	eax, [esp+1B0h+var_160]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		jmp	loc_7A5EA0
; 

loc_7A622E:				; CODE XREF: ObDuplicateObject+4F1j
		mov	esi, 0C000000Dh
		jmp	short loc_7A61BC
ObDuplicateObject endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ObReferenceProcessHandleTable(x)
_ObReferenceProcessHandleTable@4 proc near ; CODE XREF:	IoRevokeHandlesForProcess(x,x)+29p
					; ObGetProcessHandleCount(x,x)+12p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+0F0h]
		mov	ecx, edi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_7A6266
		mov	esi, [esi+18Ch]
		test	esi, esi
		jz	short loc_7A626A

loc_7A6261:				; CODE XREF: ObReferenceProcessHandleTable(x)+31j
		mov	eax, esi

loc_7A6263:				; CODE XREF: ObReferenceProcessHandleTable(x)+28j
		pop	edi
		pop	esi
		retn
; 

loc_7A6266:				; CODE XREF: ObReferenceProcessHandleTable(x)+15j
		xor	eax, eax
		jmp	short loc_7A6263
; 

loc_7A626A:				; CODE XREF: ObReferenceProcessHandleTable(x)+1Fj
		mov	ecx, edi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_7A6261
_ObReferenceProcessHandleTable@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpReferenceProcessObjectByHandle proc near
					; CODE XREF: ObCaptureObjectStateForDuplication+5Ep
					; ObDuplicateObject+FCp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008EA2C8 SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	dword ptr [eax], 0
		mov	[ebp+var_C], ebx
		test	edi, edi
		js	loc_7A63B5
		mov	eax, [ebp+arg_0]

loc_7A62AE:				; CODE XREF: ObpReferenceProcessObjectByHandle+154j
		dec	word ptr [ebx+13Ch]
		mov	[ebp+arg_4], eax
		nop
		test	edi, 7FCh
		jz	loc_7A642D
		push	edi
		mov	ecx, eax
		call	ExpLookupHandleTableEntry
		mov	esi, eax
		test	esi, esi
		jz	loc_7A642D
		jmp	short loc_7A62E0
; 
		align 10h

loc_7A62E0:				; CODE XREF: ObpReferenceProcessObjectByHandle+57j
					; ObpReferenceProcessObjectByHandle+76j ...
		mov	edx, [esi]
		test	dl, 1
		jz	loc_7A6429
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_7A62E0
		mov	edx, [esi+4]
		mov	eax, edx
		mov	ecx, [esi]
		and	eax, 1FFFFFFh
		mov	[ebp+var_8], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_4]
		and	ebx, 0FFFFFFF8h
		cmp	dword ptr [eax+4], 0
		jnz	loc_8EA2C8

loc_7A6319:				; CODE XREF: ObpReferenceProcessObjectByHandle+14405Fj
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 0
		mov	dword ptr [eax+4], 0

loc_7A6329:				; CODE XREF: ObpReferenceProcessObjectByHandle+144078j
		mov	edi, [ebp+arg_10]
		and	ecx, 6
		mov	eax, [ebp+var_8]
		mov	[edi+4], eax
		mov	edi, [ebp+arg_4]
		test	edx, 4000000h
		jnz	loc_7A63E1

loc_7A6344:				; CODE XREF: ObpReferenceProcessObjectByHandle+164j
		test	edx, 2000000h
		jnz	loc_7A63D9

loc_7A6350:				; CODE XREF: ObpReferenceProcessObjectByHandle+15Cj
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		mov	eax, 1
		lock xadd [ebx], eax
		inc	eax
		cmp	eax, 1
		jle	loc_8EA2FD
		mov	eax, 1
		lock xadd [esi], eax
		lea	ecx, [edi+20h]
		mov	[ebp+var_8], 0
		xor	edx, edx
		lea	eax, [ebp+var_8]
		lock or	[eax], edx
		cmp	[ecx], edx
		jnz	loc_7A6492

loc_7A638B:				; CODE XREF: ObpReferenceProcessObjectByHandle+219j
		mov	ecx, [ebp+var_C]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		push	[ebp+arg_8]
		mov	edx, 1
		mov	ecx, ebx
		call	ObpTraceObjectReferenceIfActive
		mov	ecx, [ebp+arg_C]
		lea	eax, [ebx+18h]
		mov	[ecx], eax
		xor	eax, eax

loc_7A63AC:				; CODE XREF: ObpReferenceProcessObjectByHandle+1B9j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7A63B5:				; CODE XREF: ObpReferenceProcessObjectByHandle+25j
		cmp	edi, 0FFFFFFFFh
		jz	loc_7A643E
		cmp	edi, 0FFFFFFFEh
		jz	short loc_7A63E9
		cmp	byte ptr [ebp+arg_4], 0
		jnz	short loc_7A6434
		mov	eax, _ObpKernelHandleTable
		xor	edi, 80000000h
		jmp	loc_7A62AE
; 

loc_7A63D9:				; CODE XREF: ObpReferenceProcessObjectByHandle+CAj
		or	ecx, 1
		jmp	loc_7A6350
; 

loc_7A63E1:				; CODE XREF: ObpReferenceProcessObjectByHandle+BEj
		or	ecx, 8
		jmp	loc_7A6344
; 

loc_7A63E9:				; CODE XREF: ObpReferenceProcessObjectByHandle+141j
		mov	eax, [ebp+arg_10]
		xor	ecx, ecx
		push	[ebp+arg_8]
		mov	dword ptr [eax+4], 1FFFFFh
		lea	edx, [ecx+1]
		mov	dword ptr [eax], 0
		mov	eax, [ebp+arg_14]
		mov	[eax], ecx
		mov	[eax+4], ecx
		lea	ecx, [ebx-18h]
		call	ObpTraceObjectReferenceIfActive
		lea	ecx, [ebx-18h]
		call	ObpIncrPointerCount
		mov	eax, [ebp+arg_C]
		mov	[eax], ebx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7A6429:				; CODE XREF: ObpReferenceProcessObjectByHandle+65j
		test	edx, edx
		jnz	short loc_7A6482

loc_7A642D:				; CODE XREF: ObpReferenceProcessObjectByHandle+3Fj
					; ObpReferenceProcessObjectByHandle+51j
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)

loc_7A6434:				; CODE XREF: ObpReferenceProcessObjectByHandle+147j
		mov	eax, 0C0000008h
		jmp	loc_7A63AC
; 

loc_7A643E:				; CODE XREF: ObpReferenceProcessObjectByHandle+138j
		mov	eax, [ebp+arg_10]
		lea	esi, [edx-18h]
		push	[ebp+arg_8]
		xor	ecx, ecx
		mov	dword ptr [eax+4], 1FFFFFh
		mov	dword ptr [eax], 0
		mov	eax, [ebp+arg_14]
		lea	edx, [ecx+1]
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	ecx, esi
		call	ObpTraceObjectReferenceIfActive
		mov	ecx, esi
		call	ObpIncrPointerCount
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		mov	[eax], ecx
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7A6482:				; CODE XREF: ObpReferenceProcessObjectByHandle+1ABj
		mov	ecx, [ebp+arg_4]
		push	edx
		mov	edx, esi
		call	_ExpBlockOnLockedHandleEntry@12	; ExpBlockOnLockedHandleEntry(x,x,x)
		jmp	loc_7A62E0
; 

loc_7A6492:				; CODE XREF: ObpReferenceProcessObjectByHandle+105j
		xor	edx, edx
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_7A638B
ObpReferenceProcessObjectByHandle endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExCreateHandleEx proc near		; CODE XREF: PspAllocateThread+2C0p
					; ObCompleteObjectDuplication+CBp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EA319 SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		xor	ebx, eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		and	ebx, 6
		and	edi, 1FFFFFFh
		xor	ebx, edx
		test	al, 8
		jnz	short loc_7A653B

loc_7A64C7:				; CODE XREF: ExCreateHandleEx+A1j
		test	al, 1
		jnz	loc_8EA30E

loc_7A64CF:				; CODE XREF: ObpReferenceProcessObjectByHandle+144094j
		mov	eax, large fs:124h
		or	ebx, 1
		mov	[ebp+var_8], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	edx, [ebp+arg_4]
		mov	[ebp+arg_4], 0
		call	_ExpAllocateHandleTableEntry@8 ; ExpAllocateHandleTableEntry(x,x)
		mov	esi, [ebp+arg_4]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_7A6528
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_7A6516
		cmp	dword ptr [ecx], 0
		jnz	loc_8EA319
		cmp	dword ptr [ecx+4], 0
		jnz	loc_8EA319

loc_7A6516:				; CODE XREF: ExCreateHandleEx+61j
					; ExCreateHandleEx+143E9Ej
		mov	ecx, [ebp+var_4]
		cmp	dword ptr [ecx+54h], 0
		jnz	loc_8EA343

loc_7A6523:				; CODE XREF: ExCreateHandleEx+143EB1j
		mov	[eax+4], edi
		mov	[eax], ebx

loc_7A6528:				; CODE XREF: ExCreateHandleEx+5Aj
					; ExCreateHandleEx+143E96j
		mov	ecx, [ebp+var_8]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7A653B:				; CODE XREF: ExCreateHandleEx+25j
		or	edi, 4000000h
		jmp	short loc_7A64C7
ExCreateHandleEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpAllocateHandleTableEntry(x, x)
_ExpAllocateHandleTableEntry@8 proc near ; CODE	XREF: ExCreateHandleEx+4Dp

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1C], edx
		push	esi
		push	edi
		mov	[ebp+var_14], ebx
		mov	al, [ebx+1Ch]
		test	al, 4
		jnz	loc_7A66BB
		test	al, 1
		jnz	loc_7A6697
		movzx	eax, large byte	ptr fs:51h

loc_7A657E:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+149j
		mov	edx, ds:_ExpFreeListCount
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], edx
		lea	ebx, [ebx+0]

loc_7A6590:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+136j
		mov	ecx, [ebx]
		mov	edi, eax
		mov	[ebp+var_18], ecx
		xor	ecx, ecx
		mov	[ebp+var_C], ecx
		lea	esp, [esp+0]

loc_7A65A0:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+E6j
		lea	esi, [edi+1]
		shl	esi, 6
		add	esi, ebx
		cmp	dword ptr [esi+4], 0
		jz	short loc_7A6623
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, [esi+4]
		test	ebx, ebx
		jz	short loc_7A65DB
		mov	eax, [ebx+4]
		mov	[esi+4], eax
		test	eax, eax
		jz	loc_7A668B

loc_7A65CC:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+142j
		inc	dword ptr [esi+0Ch]
		mov	eax, [esi+0Ch]
		cmp	eax, [esi+10h]
		jg	loc_7A669E

loc_7A65DB:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+6Cj
					; ExpAllocateHandleTableEntry(x,x)+151j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7A66A6

loc_7A65EC:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+15Dj
		mov	ecx, esi
		call	KeAbPostRelease
		test	ebx, ebx
		jz	short loc_7A661A
		mov	ecx, ebx
		mov	edx, ebx
		and	ecx, 0FFFFF000h
		mov	eax, ebx
		sub	edx, ecx
		sar	edx, 3
		mov	ecx, [ecx+4]
		lea	ecx, [ecx+edx*4]
		mov	edx, [ebp+var_1C]
		mov	[edx], ecx

loc_7A6613:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+16Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7A661A:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+A5j
		mov	ebx, [ebp+var_14]
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_10]

loc_7A6623:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+5Cj
		lea	eax, [edi+1]
		inc	ecx
		mov	edi, eax
		mov	[ebp+var_C], ecx
		sub	edi, edx
		neg	edi
		sbb	edi, edi
		and	edi, eax
		cmp	ecx, edx
		jb	loc_7A65A0
		lea	esi, [ebx+24h]
		mov	[ebp+var_1], 1
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_18]
		cmp	eax, [ebx]
		jnz	short loc_7A6666
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		inc	edx
		shl	edx, 6
		add	edx, ebx
		call	ExpAllocateHandleTableEntrySlow
		mov	[ebp+var_1], al

loc_7A6666:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+101j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7A66B2

loc_7A6673:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+169j
		mov	ecx, esi
		call	KeAbPostRelease
		cmp	[ebp+var_1], 0
		jz	short loc_7A66BB
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_10]
		jmp	loc_7A6590
; 

loc_7A668B:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+76j
		mov	dword ptr [esi+8], 0
		jmp	loc_7A65CC
; 

loc_7A6697:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+20j
		xor	eax, eax
		jmp	loc_7A657E
; 

loc_7A669E:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+85j
		mov	[esi+10h], eax
		jmp	loc_7A65DB
; 

loc_7A66A6:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+96j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7A65EC
; 

loc_7A66B2:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+121j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7A6673
; 

loc_7A66BB:				; CODE XREF: ExpAllocateHandleTableEntry(x,x)+18j
					; ExpAllocateHandleTableEntry(x,x)+12Ej
		xor	eax, eax
		jmp	loc_7A6613
_ExpAllocateHandleTableEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpPreInterceptHandleDuplicate(x, x, x, x, x, x)
_ObpPreInterceptHandleDuplicate@24 proc	near ; CODE XREF: ObCompleteObjectDuplication+155p
					; ObDuplicateObject+3A6p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		and	[ebp+var_28], 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		push	esi
		push	edi
		push	[ebp+arg_C]
		lea	eax, [ebx-18h]
		xor	ecx, ecx
		shr	eax, 8
		movzx	edi, al
		movzx	eax, byte ptr [ebx-0Ch]
		xor	edi, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edi, eax
		mov	esi, ds:_ObTypeIndexTable[edi*4]
		mov	edi, [ebp+arg_0]
		mov	eax, [esi+48h]
		mov	edx, [edi]
		and	eax, edx
		and	[ebp+var_1C], 0
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_18], eax
		movzx	eax, [ebp+var_1]
		xor	eax, ecx
		mov	[ebp+var_10], edx
		and	eax, 1
		mov	[ebp+var_14], edx
		xor	ecx, eax
		mov	[ebp+var_2C], 2
		mov	eax, [ebp+arg_4]
		lea	edx, [ebp+var_2C]
		mov	[ebp+var_28], ecx
		mov	ecx, esi
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], esi
		mov	[ebp+var_8], eax
		call	ObpCallPreOperationCallbacks
		test	eax, eax
		js	short loc_7A675A
		cmp	[ebp+var_1], 0
		jnz	short loc_7A675A
		mov	ecx, [ebp+var_14]
		or	ecx, [ebp+arg_0]
		and	[edi], ecx

loc_7A675A:				; CODE XREF: ObpPreInterceptHandleDuplicate(x,x,x,x,x,x)+88j
					; ObpPreInterceptHandleDuplicate(x,x,x,x,x,x)+8Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_ObpPreInterceptHandleDuplicate@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpThreadEnumCallback(x, x, x)
_EtwpThreadEnumCallback@12 proc	near	; CODE XREF: EtwpProcessEnumCallback+25Dp
					; EtwpProcessEnumCallback+2BFp
					; DATA XREF: ...

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx+2FCh]
		test	al, 1
		jnz	short loc_7A6794

loc_7A6777:				; CODE XREF: EtwpThreadEnumCallback(x,x,x)+38j
		mov	edx, [ebp+arg_8]
		cmp	byte ptr [edx+26h], 0
		mov	dword ptr [edx+14h], 601903h
		jnz	short loc_7A679C
		call	EtwpTraceThreadRundown

loc_7A678C:				; CODE XREF: EtwpThreadEnumCallback(x,x,x)+36j
					; EtwpThreadEnumCallback(x,x,x)+3Fj
		xor	eax, eax
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7A6794:				; CODE XREF: EtwpThreadEnumCallback(x,x,x)+13j
		cmp	byte ptr [ecx+4], 0
		jnz	short loc_7A678C
		jmp	short loc_7A6777
; 

loc_7A679C:				; CODE XREF: EtwpThreadEnumCallback(x,x,x)+23j
		call	_EtwpTraceThreadRundownWithStack@8 ; EtwpTraceThreadRundownWithStack(x,x)
		jmp	short loc_7A678C
_EtwpThreadEnumCallback@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsEnumProcessThreads proc near		; CODE XREF: EtwpProcessEnumCallback+137p
					; EtwpProcessEnumCallback+1BFp	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008EA356 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edx
		mov	ebx, ecx
		push	edi

loc_7A67B5:				; CODE XREF: PsEnumProcessThreads+30j
		push	ebx
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7A67D6
		push	[ebp+arg_0]
		push	esi
		push	ebx
		call	[ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	loc_8EA356
		push	esi
		jmp	short loc_7A67B5
; 

loc_7A67D6:				; CODE XREF: PsEnumProcessThreads+1Bj
					; PsEnumProcessThreads+143BBEj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PsEnumProcessThreads endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtTerminateThread proc near		; DATA XREF: .text:00580C10o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EA367 SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		mov	ecx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, large fs:124h
		test	ecx, ecx
		jnz	short loc_7A6821
		mov	eax, [edi+80h]
		cmp	dword ptr [eax+1D8h], 1
		jz	loc_8EA367

loc_7A680F:				; CODE XREF: NtTerminateThread+44j
					; NtTerminateThread+143BCFj
		push	1
		push	[ebp+arg_4]
		push	edi
		call	PspTerminateThreadByPointer

loc_7A681A:				; CODE XREF: NtTerminateThread+143BF0j
		mov	eax, esi
		jmp	loc_8EA36C
; 

loc_7A6821:				; CODE XREF: NtTerminateThread+1Aj
		cmp	ecx, 0FFFFFFFEh
		jz	short loc_7A680F
		jmp	loc_8EA372
NtTerminateThread endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspTerminateThreadByPointer proc near	; CODE XREF: PspSystemThreadStartup+56p
					; NtTerminateThread+35p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008EA3D5 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [esi+150h]
		lea	ebx, [esi+2FCh]
		test	byte ptr [ebx],	20h
		jnz	loc_8EA3D5

loc_7A6850:				; CODE XREF: PspTerminateThreadByPointer+143BB4j
					; PspTerminateThreadByPointer+143BD7j
		cmp	[ebp+arg_8], 0
		jnz	short loc_7A688A

loc_7A6856:				; CODE XREF: PspTerminateThreadByPointer+65j
		test	dword ptr [esi+58h], 400h
		jnz	short loc_7A68A1
		test	byte ptr [edi+3A8h], 1
		jnz	short loc_7A68A8
		lock bts dword ptr [ebx], 0
		jb	short loc_7A6878
		mov	eax, [ebp+arg_4]
		mov	[esi+324h], eax

loc_7A6878:				; CODE XREF: PspTerminateThreadByPointer+41j
		mov	ecx, esi
		call	KeRequestTerminationThread
		xor	eax, eax

loc_7A6881:				; CODE XREF: PspTerminateThreadByPointer+7Aj
					; PspTerminateThreadByPointer+81j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7A688A:				; CODE XREF: PspTerminateThreadByPointer+28j
		cmp	esi, large fs:124h
		jnz	short loc_7A6856
		xor	eax, eax
		inc	eax
		lock or	[ebx], eax
		mov	ecx, [ebp+arg_4]
		call	PspExitThread

loc_7A68A1:				; CODE XREF: PspTerminateThreadByPointer+31j
		mov	eax, 0C0000022h
		jmp	short loc_7A6881
; 

loc_7A68A8:				; CODE XREF: PspTerminateThreadByPointer+3Aj
		mov	eax, 0C00000BBh
		jmp	short loc_7A6881
PspTerminateThreadByPointer endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAllocateUserStack(x, x, x, x, x)
_MmAllocateUserStack@20	proc near	; CODE XREF: PAGE:007A8FA0p

var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		push	38h		; size_t
		xor	ebx, ebx
		lea	eax, [esp+4Ch+var_38]
		push	ebx		; int
		push	eax		; void *
		mov	esi, edx
		mov	edi, ecx
		call	_memset
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	[esp+48h+var_28], eax
		mov	edx, edi
		lea	eax, [esp+48h+var_38]
		or	ecx, 0FFFFFFFFh
		push	ebx
		push	ebx
		push	80000000h
		push	ebx
		push	eax
		push	4
		push	2000h
		push	[ebp+arg_0]
		push	esi
		call	MiAllocateVirtualMemoryCommon
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MmAllocateUserStack@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspTerminateAllThreads proc near	; CODE XREF: NtTerminateProcess+12Fp
					; PspTerminateProcess+B0p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EA408 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	[ebp+var_8], ebx
		test	dword ptr [esi+0FCh], 2000h
		jnz	loc_8EA408

loc_7A6928:				; CODE XREF: PspTerminateAllThreads+143B1Fj
		mov	eax, [ebx+80h]
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_C], eax
		call	_PspGetPreviousProcessThread@8 ; PspGetPreviousProcessThread(x,x)
		mov	edx, [ebp+arg_4]
		mov	edi, eax
		mov	eax, edx
		mov	ecx, edx
		shr	eax, 1
		and	ecx, 1
		and	eax, 1
		add	ecx, ecx
		or	eax, ecx
		and	edx, 4
		or	eax, edx
		mov	ebx, 122h
		mov	[ebp+arg_4], eax
		test	edi, edi
		jz	loc_7A6A57
		test	al, 1
		jnz	loc_7A6AAC
		xor	ebx, ebx
		mov	[ebp+var_14], edi
		mov	edx, 65547350h
		mov	[ebp+var_10], ebx
		mov	ecx, edi
		mov	[ebp+var_18], edi
		call	ObfReferenceObjectWithTag
		mov	ebx, [ebp+var_8]
		xor	edx, edx
		mov	[ebp+var_4], edx

loc_7A698B:				; CODE XREF: PspTerminateAllThreads+D6j
		cmp	edi, ebx
		jz	short loc_7A69CC
		mov	eax, [ebp+arg_4]
		test	al, 4
		jnz	loc_7A6A21
		lea	ecx, [edi+2ECh]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_7A6AD2
		mov	eax, [ebp+arg_4]
		or	eax, 8

loc_7A69B3:				; CODE XREF: PspTerminateAllThreads+1EDj
		mov	edx, [ebp+var_4]

loc_7A69B6:				; CODE XREF: PspTerminateAllThreads+12Bj
		mov	[ebp+arg_4], eax
		test	al, 8
		jz	short loc_7A69CC
		push	0
		push	[ebp+arg_0]
		inc	edx
		push	edi
		mov	[ebp+var_4], edx
		call	PspTerminateThreadByPointer

loc_7A69CC:				; CODE XREF: PspTerminateAllThreads+87j
					; PspTerminateAllThreads+B5j
		mov	edx, edi
		mov	ecx, esi
		call	_PspGetPreviousProcessThread@8 ; PspGetPreviousProcessThread(x,x)
		mov	edx, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		jnz	short loc_7A698B
		test	edx, edx
		jbe	short loc_7A69EE
		cmp	esi, [ebp+var_C]
		jnz	short loc_7A69EE
		xor	cl, cl
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)

loc_7A69EE:				; CODE XREF: PspTerminateAllThreads+DAj
					; PspTerminateAllThreads+DFj
		push	0

loc_7A69F0:				; CODE XREF: PspTerminateAllThreads+119j
		push	esi
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	edi, eax
		cmp	edi, ebx
		jz	short loc_7A6A19
		test	byte ptr [ebp+arg_4], 4
		jnz	short loc_7A6A19
		test	dword ptr [edi+2FCh], 8000h
		jnz	short loc_7A6A19
		lea	ecx, [edi+2ECh]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7A6A19:				; CODE XREF: PspTerminateAllThreads+F4j
					; PspTerminateAllThreads+FAj ...
		cmp	edi, [ebp+var_14]
		jz	short loc_7A6A33
		push	edi
		jmp	short loc_7A69F0
; 

loc_7A6A21:				; CODE XREF: PspTerminateAllThreads+8Ej
		mov	ecx, [edi+300h]
		shr	ecx, 3
		xor	ecx, eax
		and	ecx, 8
		xor	eax, ecx
		jmp	short loc_7A69B6
; 

loc_7A6A33:				; CODE XREF: PspTerminateAllThreads+116j
		mov	edx, 6E457350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	ebx, [ebp+var_10]
		mov	edx, 65547350h
		mov	eax, [ebp+var_18]

loc_7A6A4A:				; CODE XREF: PspTerminateAllThreads+1B2j
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		test	byte ptr [ebp+arg_4], 2
		jnz	short loc_7A6A94

loc_7A6A57:				; CODE XREF: PspTerminateAllThreads+58j
					; PspTerminateAllThreads+197j ...
		mov	eax, [ebp+var_C]
		cmp	esi, eax
		jnz	short loc_7A6A7D

loc_7A6A5E:				; CODE XREF: PspTerminateAllThreads+17Ej
					; PspTerminateAllThreads+18Cj
		mov	edi, 122h
		cmp	ebx, edi
		jz	short loc_7A6ABA
		cmp	dword ptr [esi+190h], 0
		jnz	loc_8EA42A

loc_7A6A74:				; CODE XREF: PspTerminateAllThreads+1BFj
					; PspTerminateAllThreads+1C3j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_7A6A7D:				; CODE XREF: PspTerminateAllThreads+156j
		cmp	[ebp+arg_0], 40010004h
		jnz	short loc_7A6A5E
		xor	edx, edx
		mov	ecx, esi
		call	DbgkClearProcessDebugObject
		mov	eax, [ebp+var_C]
		jmp	short loc_7A6A5E
; 

loc_7A6A94:				; CODE XREF: PspTerminateAllThreads+14Fj
		mov	eax, [ebp+var_8]
		cmp	[eax+150h], esi
		jnz	short loc_7A6A57
		push	0
		push	[ebp+arg_0]
		push	eax
		call	PspTerminateThreadByPointer
		jmp	short loc_7A6A57
; 

loc_7A6AAC:				; CODE XREF: PspTerminateAllThreads+60j
		mov	ebx, 0C000010Ah
		mov	eax, edi
		mov	edx, 6E457350h
		jmp	short loc_7A6A4A
; 

loc_7A6ABA:				; CODE XREF: PspTerminateAllThreads+15Fj
					; PspTerminateAllThreads+143B2Cj
		xor	dl, dl
		mov	ecx, esi
		call	_PspRundownSingleProcess@8 ; PspRundownSingleProcess(x,x)
		test	al, al
		jnz	short loc_7A6A74
		cmp	ebx, edi
		jnz	short loc_7A6A74
		mov	ebx, 0C000010Ah
		jmp	short loc_7A6A74
; 

loc_7A6AD2:				; CODE XREF: PspTerminateAllThreads+A1j
		lea	eax, [edi+2FCh]
		lock bts dword ptr [eax], 0Fh
		setb	al
		movzx	ecx, al
		mov	eax, [ebp+arg_4]
		shl	ecx, 4
		xor	ecx, eax
		and	ecx, 10h
		xor	eax, ecx
		and	eax, 0FFFFFFF7h
		jmp	loc_7A69B3
PspTerminateAllThreads endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspGetPreviousProcessThread(x, x)
_PspGetPreviousProcessThread@8 proc near ; CODE	XREF: PspTerminateAllThreads+2Fp
					; PspTerminateAllThreads+CAp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	ebx, edx
		xor	eax, eax
		mov	edx, large fs:124h
		mov	esi, eax
		push	edi
		lea	edi, [ecx+1D0h]
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], edx
		dec	word ptr [edx+13Ch]
		mov	[ebp+var_4], edi
		nop
		lea	eax, [ecx+0E0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	ExAcquirePushLockSharedEx
		test	ebx, ebx
		jz	short loc_7A6BA2
		mov	edi, [ebx+2E8h]

loc_7A6B43:				; CODE XREF: PspGetPreviousProcessThread(x,x)+ADj
		cmp	edi, [ebp+var_4]
		jz	short loc_7A6B64
		lea	eax, [edi-2E4h]
		mov	edx, 6E457350h
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	short loc_7A6BA2
		xor	esi, esi
		inc	esi

loc_7A6B64:				; CODE XREF: PspGetPreviousProcessThread(x,x)+4Ej
		mov	edi, [ebp+var_C]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_7A6BA7

loc_7A6B75:				; CODE XREF: PspGetPreviousProcessThread(x,x)+B6j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_10]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		test	ebx, ebx
		jz	short loc_7A6B94
		mov	edx, 6E457350h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_7A6B94:				; CODE XREF: PspGetPreviousProcessThread(x,x)+8Ej
		neg	esi
		pop	edi
		sbb	esi, esi
		and	esi, [ebp+var_8]
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7A6BA2:				; CODE XREF: PspGetPreviousProcessThread(x,x)+43j
					; PspGetPreviousProcessThread(x,x)+67j
		mov	edi, [edi+4]
		jmp	short loc_7A6B43
; 

loc_7A6BA7:				; CODE XREF: PspGetPreviousProcessThread(x,x)+7Bj
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7A6B75
_PspGetPreviousProcessThread@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCancelIrpsInThreadListForCurrentProcess(x, x)
_IopCancelIrpsInThreadListForCurrentProcess@8 proc near
					; CODE XREF: IopRevokeFileObjectForProcess(x,x)+4Cp
					; PfSnOpenVolumesForPrefetch+50Fp

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= byte ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+80h]
		xor	ebx, ebx
		push	50h		; size_t
		lea	eax, [esp+6Ch+var_50]
		mov	[esp+6Ch+var_58], ecx
		mov	esi, edx
		push	ebx		; int
		push	eax		; void *
		mov	[esp+74h+var_54], esi
		call	_memset
		mov	eax, [esp+74h+var_58]
		add	esp, 0Ch
		mov	[esp+68h+var_20], eax
		lea	eax, [esp+68h+var_18]
		mov	[esp+68h+var_1C], esi
		mov	[esp+68h+var_8], bl
		push	ebx
		push	ebx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx

loc_7A6C03:				; CODE XREF: IopCancelIrpsInThreadListForCurrentProcess(x,x)+73j
		push	edi
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7A6C25
		push	[esp+68h+var_54]
		mov	edx, [esp+6Ch+var_58]
		mov	ecx, esi
		call	IopCancelApcRequired
		test	eax, eax
		jnz	short loc_7A6C2E

loc_7A6C22:				; CODE XREF: IopCancelIrpsInThreadListForCurrentProcess(x,x)+8Bj
		push	esi
		jmp	short loc_7A6C03
; 

loc_7A6C25:				; CODE XREF: IopCancelIrpsInThreadListForCurrentProcess(x,x)+5Dj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7A6C2E:				; CODE XREF: IopCancelIrpsInThreadListForCurrentProcess(x,x)+70j
		lea	edx, [esp+68h+var_50]
		mov	ecx, esi
		call	_IopCancelIrpsInThreadList@8 ; IopCancelIrpsInThreadList(x,x)
		or	ebx, eax
		jmp	short loc_7A6C22
_IopCancelIrpsInThreadListForCurrentProcess@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KeSetAutoAlignmentProcess(x, x)
_KeSetAutoAlignmentProcess@8 proc near	; CODE XREF: PspSetProcessDefaultHardErrorMode(x,x,x)+5Ep
					; PAGE:007A7AECp
		add	ecx, 64h
		test	edx, edx
		jnz	short loc_7A6C51
		lock btr dword ptr [ecx], 0

loc_7A6C4A:				; CODE XREF: KeSetAutoAlignmentProcess(x,x)+18j
		setb	al
		movzx	eax, al
		retn
; 

loc_7A6C51:				; CODE XREF: KeSetAutoAlignmentProcess(x,x)+5j
		lock bts dword ptr [ecx], 0
		jmp	short loc_7A6C4A
_KeSetAutoAlignmentProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetProcessDefaultHardErrorMode(x, x, x)
_PspSetProcessDefaultHardErrorMode@12 proc near	; CODE XREF: PAGE:007A7553p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, ecx
		dec	word ptr [ebx+13Ch]
		nop
		lea	esi, [edi+0E0h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+arg_0]
		cmp	[edi+1E0h], edx
		jnz	short loc_7A6CA8

loc_7A6C86:				; CODE XREF: PspSetProcessDefaultHardErrorMode(x,x,x)+63j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7A6CBD

loc_7A6C93:				; CODE XREF: PspSetProcessDefaultHardErrorMode(x,x,x)+6Cj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7A6CA8:				; CODE XREF: PspSetProcessDefaultHardErrorMode(x,x,x)+2Cj
		mov	[edi+1E0h], edx
		mov	ecx, edi
		shr	edx, 2
		and	edx, 1
		call	_KeSetAutoAlignmentProcess@8 ; KeSetAutoAlignmentProcess(x,x)
		jmp	short loc_7A6C86
; 

loc_7A6CBD:				; CODE XREF: PspSetProcessDefaultHardErrorMode(x,x,x)+39j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7A6C93
_PspSetProcessDefaultHardErrorMode@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetNextProcessThread(x, x)
_PsGetNextProcessThread@8 proc near	; CODE XREF: PsEnumProcessThreads+12p
					; PspTerminateAllThreads+EBp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		mov	ecx, large fs:124h
		push	ebx
		push	esi
		lea	ebx, [eax+1D0h]
		mov	[ebp+var_4], 0
		dec	word ptr [ecx+13Ch]
		xor	esi, esi
		push	edi
		mov	[ebp+var_C], ecx
		mov	[ebp+arg_0], ebx
		nop
		add	eax, 0E0h
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockSharedEx
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_7A6D92
		mov	ebx, [edi+2E4h]

loc_7A6D20:				; CODE XREF: PsGetNextProcessThread(x,x)+C4j
		cmp	ebx, [ebp+arg_0]
		jz	short loc_7A6D4E
		jmp	short loc_7A6D30
; 
		align 10h

loc_7A6D30:				; CODE XREF: PsGetNextProcessThread(x,x)+55j
					; PsGetNextProcessThread(x,x)+D4j
		lea	eax, [ebx-2E4h]
		mov	edx, 6E457350h
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	short loc_7A6D9F
		mov	esi, 1

loc_7A6D4E:				; CODE XREF: PsGetNextProcessThread(x,x)+53j
					; PsGetNextProcessThread(x,x)+D6j
		mov	ebx, [ebp+var_8]
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jnz	short loc_7A6D96

loc_7A6D61:				; CODE XREF: PsGetNextProcessThread(x,x)+CDj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_C]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		test	edi, edi
		jz	short loc_7A6D80
		mov	edx, 6E457350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_7A6D80:				; CODE XREF: PsGetNextProcessThread(x,x)+A2j
		neg	esi
		pop	edi
		sbb	esi, esi
		and	esi, [ebp+var_4]
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7A6D92:				; CODE XREF: PsGetNextProcessThread(x,x)+48j
		mov	ebx, [ebx]
		jmp	short loc_7A6D20
; 

loc_7A6D96:				; CODE XREF: PsGetNextProcessThread(x,x)+8Fj
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7A6D61
; 

loc_7A6D9F:				; CODE XREF: PsGetNextProcessThread(x,x)+77j
		mov	ebx, [ebx]
		cmp	ebx, [ebp+arg_0]
		jnz	short loc_7A6D30
		jmp	short loc_7A6D4E
_PsGetNextProcessThread@8 endp

; 
		align 10h
; Exported entry 1590. NtSetInformationProcess

; __stdcall NtSetInformationProcess(x, x, x, x)
		public _NtSetInformationProcess@16
_NtSetInformationProcess@16:		; DATA XREF: .text:00580CC0o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A2580
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 3B0h
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		mov	[ebp-1Ch], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	ebx, [ebp+10h]
		mov	edi, [ebp+8]
		mov	[ebp-164h], edi
		mov	[ebp-170h], ebx
		mov	ecx, [ebp+14h]
		mov	[ebp-150h], ecx
		mov	[ebp-15Ch], ecx
		mov	dword ptr [ebp-140h], 0
		xor	eax, eax
		mov	[ebp-1A0h], eax
		mov	[ebp-19Ch], eax
		mov	[ebp-198h], eax
		mov	[ebp-174h], eax
		mov	[ebp-190h], ax
		mov	[ebp-2D4h], eax
		mov	[ebp-2D0h], eax
		mov	[ebp-180h], eax
		mov	[ebp-1C8h], eax
		mov	[ebp-1C4h], eax
		mov	[ebp-16Ch], eax
		mov	[ebp-0ACh], eax
		mov	[ebp-0A8h], eax
		mov	[ebp-0A4h], eax
		mov	eax, large fs:124h
		mov	[ebp-14Ch], eax
		mov	dl, [eax+15Ah]
		mov	[ebp-145h], dl
		mov	[ebp-144h], dl
		mov	esi, [ebp+0Ch]
		test	dl, dl
		jz	loc_7A6FA9
		cmp	esi, 5
		jz	loc_7A6F63
		cmp	esi, 11h
		jnz	short loc_7A6EAC
		lea	eax, [esi-10h]
		jmp	loc_7A6F68
; 

loc_7A6EAC:				; CODE XREF: PAGE:007A6EA2j
		cmp	esi, 19h
		jnz	short loc_7A6EB9
		lea	eax, [esi-18h]
		jmp	loc_7A6F68
; 

loc_7A6EB9:				; CODE XREF: PAGE:007A6EAFj
		cmp	esi, 12h
		jnz	short loc_7A6EC6
		lea	eax, [esi-11h]
		jmp	loc_7A6F68
; 

loc_7A6EC6:				; CODE XREF: PAGE:007A6EBCj
		cmp	esi, 15h
		jz	loc_7A6F63
		cmp	esi, 21h
		jz	loc_7A6F63
		cmp	esi, 27h
		jz	loc_7A6F63
		cmp	esi, 23h
		jz	short loc_7A6F63
		cmp	esi, 8
		jz	short loc_7A6F63
		cmp	esi, 28h
		jz	short loc_7A6F63
		cmp	esi, 29h
		jz	short loc_7A6F63
		cmp	esi, 62h
		jz	short loc_7A6F63
		cmp	esi, 63h
		jz	short loc_7A6F63
		cmp	esi, 2Dh
		jz	short loc_7A6F63
		cmp	esi, 2Eh
		jz	short loc_7A6F63
		cmp	esi, 31h
		jz	short loc_7A6F63
		cmp	esi, 35h
		jz	short loc_7A6F63
		cmp	esi, 38h
		jz	short loc_7A6F63
		cmp	esi, 3Eh
		jz	short loc_7A6F63
		cmp	esi, 41h
		jz	short loc_7A6F63
		cmp	esi, 46h
		jnz	short loc_7A6F2C
		lea	eax, [esi-45h]
		jmp	short loc_7A6F68
; 

loc_7A6F2C:				; CODE XREF: PAGE:007A6F25j
		cmp	esi, 4Ah
		jnz	short loc_7A6F36
		lea	eax, [esi-49h]
		jmp	short loc_7A6F68
; 

loc_7A6F36:				; CODE XREF: PAGE:007A6F2Fj
		cmp	esi, 53h
		jz	short loc_7A6F63
		cmp	esi, 5Ah
		jnz	short loc_7A6F45
		lea	eax, [esi-59h]
		jmp	short loc_7A6F68
; 

loc_7A6F45:				; CODE XREF: PAGE:007A6F3Ej
		cmp	esi, 5Bh
		jz	short loc_7A6F63
		cmp	esi, 5Dh
		jz	short loc_7A6F63
		cmp	esi, 5Fh
		jz	short loc_7A6F63
		mov	eax, 1
		cmp	esi, 57h
		jz	short loc_7A6F68
		cmp	esi, 64h
		jz	short loc_7A6F68

loc_7A6F63:				; CODE XREF: PAGE:007A6E99j
					; PAGE:007A6EC9j ...
		mov	eax, 4

loc_7A6F68:				; CODE XREF: PAGE:007A6EA7j
					; PAGE:007A6EB4j ...
		mov	dword ptr [ebp-4], 0
		test	ecx, ecx
		jz	short loc_7A6FA2
		dec	eax
		test	eax, ebx
		jnz	loc_7AB08B
		lea	eax, [ecx+ebx]
		mov	edi, ds:_MmUserProbeAddress
		mov	[ebp-168h], edi
		cmp	eax, edi
		mov	edi, [ebp-164h]
		ja	short loc_7A6F99
		cmp	eax, ebx
		jnb	short loc_7A6FA2

loc_7A6F99:				; CODE XREF: PAGE:007A6F93j
		mov	eax, [ebp-168h]
		mov	byte ptr [eax],	0

loc_7A6FA2:				; CODE XREF: PAGE:007A6F71j
					; PAGE:007A6F97j
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7A6FA9:				; CODE XREF: PAGE:007A6E90j
		lea	eax, [esi-1]
		cmp	eax, 65h
		ja	loc_7AB068
		movzx	eax, ds:byte_7AB180[eax]
		jmp	ds:off_7AB09C[eax*4]
; 

loc_7A6FC3:				; DATA XREF: .text:006A2594o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1D4h], eax
		mov	eax, 1
		retn
; 

loc_7A6FD6:				; DATA XREF: .text:006A2598o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1D4h]
		jmp	loc_7AB06D
; 

loc_7A6FEB:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0C0o
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		push	3018h
		mov	edi, [ebp-140h]
		push	edi
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7A70AB
		push	73577350h
		push	3018h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_7A7050
		mov	esi, 0C0000017h
		jmp	short loc_7A70A0
; 

loc_7A7050:				; CODE XREF: PAGE:007A7047j
		mov	_PsWatchEnabled, 1
		mov	dword ptr [esi], 0
		mov	dword ptr [esi+4], 0
		lea	ecx, [esi+8]
		call	@KeInitializeGate@8 ; KeInitializeGate(x,x)
		lea	edx, [edi+168h]
		mov	ecx, esi
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_7A7093
		xor	esi, esi
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A7093:				; CODE XREF: PAGE:007A707Cj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, 0C0000048h

loc_7A70A0:				; CODE XREF: PAGE:007A704Ej
		push	3018h
		push	edi
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)

loc_7A70AB:				; CODE XREF: PAGE:007A702Dj
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_7A70B7:				; CODE XREF: PAGE:007A7B98j
					; PAGE:007A7F6Ej ...
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A70BE:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB134o
		cmp	ecx, 0Ch
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 1
		mov	ecx, [ebx]
		mov	eax, [ebx+4]
		mov	esi, [ebx+8]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	cx, 1
		jnz	loc_7AA068
		cmp	eax, 1
		jge	loc_7AA068
		test	eax, eax
		jnz	loc_7AA068
		push	eax
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	ecx, [ebp-140h]
		lea	eax, [ecx+0FCh]
		test	esi, esi
		jz	short loc_7A714D
		mov	edx, 100h
		lock or	[eax], edx
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7A714D:				; CODE XREF: PAGE:007A7132j
		mov	edx, 0FFFFFEFFh
		lock and [eax],	edx
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag

loc_7A715F:				; CODE XREF: PAGE:007AAA39j
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7A7166:				; DATA XREF: .text:006A25A0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1D8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7A7179:				; DATA XREF: .text:006A25A4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1D8h]
		jmp	loc_7AB06D
; 

loc_7A718E:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0A0o
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 2
		mov	esi, [ebx]
		mov	[ebp-380h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, esi
		and	ebx, 80000000h
		jz	short loc_7A71BD
		and	esi, 7FFFFFFFh

loc_7A71BD:				; CODE XREF: PAGE:007A71B5j
		neg	ebx
		sbb	bl, bl
		and	bl, 2
		lea	eax, [esi-1]
		cmp	eax, 1Eh
		ja	loc_7AA068
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	eax, [ebp-140h]
		movsx	eax, byte ptr [eax+68h]
		cmp	esi, eax
		jle	short loc_7A7247
		mov	eax, ds:dword_A949F4
		push	eax
		mov	eax, ds:_SeIncreaseBasePriorityPrivilege
		push	eax
		push	dword ptr [ebp-144h]
		mov	edx, 200h
		mov	ecx, edi
		call	_SeCheckPrivilegedObject@20 ; SeCheckPrivilegedObject(x,x,x,x,x)
		test	al, al
		jnz	short loc_7A7247
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag

loc_7A723D:				; CODE XREF: PAGE:007A7649j
					; PAGE:007A7A1Ej ...
		mov	eax, 0C0000061h
		jmp	loc_7AB06D
; 

loc_7A7247:				; CODE XREF: PAGE:007A7209j
					; PAGE:007A722Bj
		push	0
		push	0
		push	0
		mov	edx, esi
		mov	esi, [ebp-140h]
		mov	ecx, esi
		call	KeSetPriorityAndQuantumProcess
		mov	dl, bl
		mov	ecx, esi
		call	MmSetMemoryPriorityProcess
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7A7278:				; DATA XREF: .text:006A25ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1DCh], eax
		mov	eax, 1
		retn
; 

loc_7A728B:				; DATA XREF: .text:006A25B0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1DCh]
		jmp	loc_7AB06D
; 

loc_7A72A0:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0CCo
		cmp	ecx, 2
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 3
		mov	ax, [ebx]
		mov	[ebp-14Ah], ax
		mov	[ebp-190h], ax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		mov	esi, [ebp-144h]
		push	esi
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		push	esi
		push	edi
		mov	dl, [ebp-149h]
		mov	esi, [ebp-140h]
		mov	ecx, esi
		call	PspSetProcessPriorityClass
		mov	edi, eax
		test	edi, edi
		js	short loc_7A7323
		xor	edx, edx
		cmp	[ebp-14Ah], dl
		setnz	dl
		push	edx
		push	esi
		call	_PsSetProcessPriorityByClass@8 ; PsSetProcessPriorityByClass(x,x)

loc_7A7323:				; CODE XREF: PAGE:007A730Fj
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_7A732F:				; CODE XREF: PAGE:007A8425j
					; PAGE:007AA11Fj
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7A7336:				; DATA XREF: .text:006A25B8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1E0h], eax
		mov	eax, 1
		retn
; 

loc_7A7349:				; DATA XREF: .text:006A25BCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1E0h]
		jmp	loc_7AB06D
; 

loc_7A735E:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0E4o
		cmp	ecx, 1
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 4
		mov	al, [ebx]
		mov	[ebp-145h], al
		mov	[ebp-189h], al
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	2000h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		xor	eax, eax
		cmp	[ebp-145h], al
		setnz	al
		push	eax
		mov	esi, [ebp-140h]
		push	esi
		call	_PsSetProcessPriorityByClass@8 ; PsSetProcessPriorityByClass(x,x)
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7A73DB:				; DATA XREF: .text:006A25C4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1E4h], eax
		mov	eax, 1
		retn
; 

loc_7A73EE:				; DATA XREF: .text:006A25C8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1E4h]
		jmp	loc_7AB06D
; 

loc_7A7403:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0A4o
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 5
		mov	ebx, [ebx]
		mov	[ebp-35Ch], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp-180h], eax
		test	eax, eax
		js	loc_7AB06D
		mov	edi, [ebp-140h]
		lea	ecx, [edi+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_7A74BA
		push	0
		push	edi
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7A7496
		jmp	short loc_7A7480
; 
		align 10h

loc_7A7480:				; CODE XREF: PAGE:007A7478j
					; PAGE:007A7494j
		mov	edx, ebx
		mov	ecx, esi
		call	KeBoostPriorityThread
		push	esi
		push	edi
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_7A7480

loc_7A7496:				; CODE XREF: PAGE:007A7476j
		lea	ecx, [edi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	esi, [ebp-180h]
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A74BA:				; CODE XREF: PAGE:007A7468j
		mov	esi, 0C000010Ah
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A74D2:				; DATA XREF: .text:006A25D0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1E8h], eax
		mov	eax, 1
		retn
; 

loc_7A74E5:				; DATA XREF: .text:006A25D4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1E8h]
		jmp	loc_7AB06D
; 

loc_7A74FA:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0B8o
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 6
		mov	esi, [ebx]
		mov	[ebp-370h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		push	esi
		mov	edx, [ebp-14Ch]
		mov	ecx, [ebp-140h]
		call	_PspSetProcessDefaultHardErrorMode@12 ;	PspSetProcessDefaultHardErrorMode(x,x,x)
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7A756F:				; DATA XREF: .text:006A25DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1ECh], eax
		mov	eax, 1
		retn
; 

loc_7A7582:				; DATA XREF: .text:006A25E0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1ECh]
		jmp	loc_7AB06D
; 

loc_7A7597:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:off_7AB09Co
		push	dword ptr [ebp-144h]
		push	ecx
		mov	edx, ebx
		mov	ecx, edi
		call	PspSetQuotaLimits
		jmp	loc_7AB06D
; 

loc_7A75AC:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0A8o
		cmp	ecx, 4
		jnz	short loc_7A75FB
		mov	dword ptr [ebp-168h], 0
		mov	dword ptr [ebp-4], 7
		mov	esi, [ebx]
		mov	[ebp-1F4h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7A7630
; 

loc_7A75D3:				; DATA XREF: .text:006A25E8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1F0h], eax
		mov	eax, 1
		retn
; 

loc_7A75E6:				; DATA XREF: .text:006A25ECo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1F0h]
		jmp	loc_7AB06D
; 

loc_7A75FB:				; CODE XREF: PAGE:007A75AFj
		cmp	ecx, 8
		jnz	loc_7AAF78
		mov	[ebp-4], ecx
		mov	esi, [ebx]
		mov	[ebp-1F4h], esi
		mov	eax, [ebx+4]
		mov	[ebp-168h], eax
		mov	[ebp-374h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	eax, 0FFFFFFF8h
		jnz	loc_7AA068

loc_7A7630:				; CODE XREF: PAGE:007A75D1j
		push	dword ptr [ebp-144h]
		mov	eax, ds:dword_A949B4
		push	eax
		mov	eax, ds:_SeTcbPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7A723D
		mov	eax, ds:_LpcPortObjectType
		mov	dword ptr [ebp-1B8h], 0
		push	0
		lea	ecx, [ebp-1B8h]
		push	ecx
		push	dword ptr [ebp-144h]
		push	eax
		push	0
		push	esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp-1B8h]
		mov	[ebp-1B4h], esi
		test	eax, eax
		js	loc_7AB06D
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	800h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp-164h], edi
		test	edi, edi
		jns	short loc_7A76C9
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7A76C9:				; CODE XREF: PAGE:007A76B9j
		mov	edx, esi
		or	edx, [ebp-168h]
		mov	[ebp-154h], edx
		mov	[ebp-168h], edx
		mov	eax, [ebp-140h]
		mov	eax, [eax+128h]
		mov	[ebp-144h], eax
		mov	esi, [ebp-150h]

loc_7A76F5:				; CODE XREF: PAGE:007A789Bj
		mov	ecx, eax
		and	ecx, 7
		cmp	esi, 8
		jnz	loc_7A7783
		mov	dword ptr [ebp-4], 9
		mov	[ebx+4], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7A775D
; 

loc_7A7716:				; DATA XREF: .text:006A2600o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1F8h], eax
		mov	eax, 1
		retn
; 

loc_7A7729:				; DATA XREF: .text:006A2604o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-1F8h]
		mov	[ebp-164h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-168h]
		mov	[ebp-154h], eax
		mov	ebx, [ebp-170h]
		mov	esi, [ebp-15Ch]
		mov	eax, [ebp-144h]

loc_7A775D:				; CODE XREF: PAGE:007A7714j
		test	edi, edi
		jns	short loc_7A77AE
		mov	ecx, [ebp-1B4h]
		call	ObfDereferenceObject
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7A7783:				; CODE XREF: PAGE:007A76FDj
		test	ecx, ecx
		jz	short loc_7A77AE
		mov	ecx, [ebp-1B4h]
		call	ObfDereferenceObject
		mov	edi, 0C000000Dh
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7A77AE:				; CODE XREF: PAGE:007A775Fj
					; PAGE:007A7785j
		mov	edx, [ebp-140h]
		add	edx, 128h
		mov	ecx, [ebp-154h]
		lock cmpxchg [edx], ecx
		mov	edi, eax
		cmp	edi, [ebp-144h]
		jnz	loc_7A788D
		test	edi, edi
		jz	loc_7A7874
		mov	dword ptr [ebp-348h], 0
		mov	dword ptr [ebp-344h], 0
		mov	dword ptr [ebp-340h], 0
		mov	dword ptr [ebp-33Ch], 0
		mov	dword ptr [ebp-334h], 0
		and	edi, 0FFFFFFF8h
		mov	dword ptr [ebp-350h], 200008h
		mov	dword ptr [ebp-34Ch], 0Dh
		mov	ebx, [ebp-140h]
		mov	eax, [ebx+0E4h]
		mov	[ebp-338h], eax

loc_7A7835:				; CODE XREF: PAGE:007A785Ej
		lea	eax, [ebp-350h]
		push	eax
		push	edi
		call	_LpcRequestPort@8 ; LpcRequestPort(x,x)
		cmp	eax, 0C0000017h
		jz	short loc_7A7850
		cmp	eax, 0C000009Ah
		jnz	short loc_7A7860

loc_7A7850:				; CODE XREF: PAGE:007A7847j
		push	offset _PspShortTime
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	short loc_7A7835
; 

loc_7A7860:				; CODE XREF: PAGE:007A784Ej
		mov	edx, [ebp-14Ch]
		mov	ecx, ebx
		call	_PspLockUnlockProcessExclusive@8 ; PspLockUnlockProcessExclusive(x,x)
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7A7874:				; CODE XREF: PAGE:007A77D4j
		xor	edi, edi
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7A788D:				; CODE XREF: PAGE:007A77CCj
		mov	eax, edi
		mov	[ebp-144h], edi
		mov	edi, [ebp-164h]
		jmp	loc_7A76F5
; 

loc_7A78A0:				; DATA XREF: .text:006A25F4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1FCh], eax
		mov	eax, 1
		retn
; 

loc_7A78B3:				; DATA XREF: .text:006A25F8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1FCh]
		jmp	loc_7AB06D
; 

loc_7A78C8:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0ACo
		cmp	ecx, 8
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 0Ah
		mov	eax, [ebx]
		mov	[ebp-378h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	eax
		push	edi
		mov	ecx, [ebp-14Ch]
		call	PspAssignPrimaryToken
		jmp	loc_7AB06D
; 

loc_7A78F9:				; DATA XREF: .text:006A260Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-200h], eax
		mov	eax, 1
		retn
; 

loc_7A790C:				; DATA XREF: .text:006A2610o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-200h]
		jmp	loc_7AB06D
; 

loc_7A7921:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0B0o
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	220h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	esi, [ebp-150h]
		push	esi
		mov	edx, ebx
		mov	ecx, [ebp-140h]
		call	_PspSetLdtInformation@12 ; PspSetLdtInformation(x,x,x)

loc_7A7962:				; CODE XREF: PAGE:007A79BCj
					; PAGE:007A79FFj ...
		mov	esi, eax

loc_7A7964:				; CODE XREF: PAGE:007A7FB2j
		mov	edx, 79517350h

loc_7A7969:				; CODE XREF: PAGE:007AAF35j
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A797B:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0B4o
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	220h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	esi, [ebp-150h]
		push	esi
		mov	edx, ebx
		mov	ecx, [ebp-140h]
		call	_PspSetLdtSize@12 ; PspSetLdtSize(x,x,x)
		jmp	short loc_7A7962
; 

loc_7A79BE:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0BCo
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	esi, [ebp-150h]
		push	esi
		mov	edx, ebx
		mov	ecx, [ebp-140h]
		call	_PspSetProcessIoHandlers@12 ; PspSetProcessIoHandlers(x,x,x)
		jmp	loc_7A7962
; 

loc_7A7A04:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0C4o
		mov	esi, [ebp-144h]
		push	esi
		mov	eax, ds:dword_A949B4
		push	eax
		mov	eax, ds:_SeTcbPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7A723D
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	esi
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D

loc_7A7A4C:				; CODE XREF: PAGE:007AAF46j
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag

loc_7A7A5C:				; CODE XREF: PAGE:007AA8FDj
		mov	eax, 0C0000002h
		jmp	loc_7AB06D
; 

loc_7A7A66:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0C8o
		cmp	ecx, 1
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 0Bh
		mov	al, [ebx]
		mov	[ebp-145h], al
		mov	[ebp-18Ah], al
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	ebx, [ebp-14Ch]
		mov	edx, ebx
		mov	esi, [ebp-140h]
		mov	ecx, esi
		call	_PspLockProcessExclusive@8 ; PspLockProcessExclusive(x,x)
		mov	al, [ebp-145h]
		test	al, al
		jz	short loc_7A7AE0
		or	dword ptr [esi+1E0h], 4
		jmp	short loc_7A7AE7
; 

loc_7A7AE0:				; CODE XREF: PAGE:007A7AD5j
		and	dword ptr [esi+1E0h], 0FFFFFFFBh

loc_7A7AE7:				; CODE XREF: PAGE:007A7ADEj
		movzx	edx, al
		mov	ecx, esi
		call	_KeSetAutoAlignmentProcess@8 ; KeSetAutoAlignmentProcess(x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	PspUnlockProcessExclusive
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7A7B0D:				; DATA XREF: .text:006A2618o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-204h], eax
		mov	eax, 1
		retn
; 

loc_7A7B20:				; DATA XREF: .text:006A261Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-204h]
		jmp	loc_7AB06D
; 

loc_7A7B35:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0D0o
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 0Ch
		mov	ebx, [ebx]
		mov	[ebp-37Ch], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-144h]
		push	esi
		mov	eax, ds:dword_A949B4
		push	eax
		mov	eax, ds:_SeTcbPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7A723D
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	esi
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7A70B7
		mov	ecx, [ebp-140h]
		cmp	dword ptr [ecx+3D4h], 0
		jz	short loc_7A7BC3
		mov	esi, 0C0000022h
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A7BC3:				; CODE XREF: PAGE:007A7BABj
		lea	eax, [ecx+0FCh]
		test	ebx, ebx
		jz	short loc_7A7BE6
		mov	edx, 1000000h
		lock or	[eax], edx
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A7BE6:				; CODE XREF: PAGE:007A7BCBj
		mov	edx, 0FEFFFFFFh
		lock and [eax],	edx
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A7BFF:				; DATA XREF: .text:006A2624o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-208h], eax
		mov	eax, 1
		retn
; 

loc_7A7C12:				; DATA XREF: .text:006A2628o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-208h]
		jmp	loc_7AB06D
; 

loc_7A7C27:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0D4o
		cmp	ecx, 4
		jnz	short loc_7A7C78
		mov	dword ptr [ebp-4], 0Dh
		mov	eax, [ebx]
		mov	[ebp-1A0h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	eax, eax
		jnz	short loc_7A7CBE
		mov	eax, 0C000000Dh
		jmp	loc_7AB06D
; 

loc_7A7C50:				; DATA XREF: .text:006A2630o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20Ch], eax
		mov	eax, 1
		retn
; 

loc_7A7C63:				; DATA XREF: .text:006A2634o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20Ch]
		jmp	loc_7AB06D
; 

loc_7A7C78:				; CODE XREF: PAGE:007A7C2Aj
		cmp	ecx, 0Ch
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 0Eh
		mov	eax, [ebx]
		mov	[ebp-1A0h], eax
		mov	eax, [ebx+4]
		mov	[ebp-19Ch], eax
		mov	eax, [ebx+8]
		mov	[ebp-198h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	dl, dl
		lea	ecx, [ebp-1A0h]
		call	_KeVerifyGroupAffinity@8 ; KeVerifyGroupAffinity(x,x)
		test	al, al
		jz	loc_7AA068

loc_7A7CBE:				; CODE XREF: PAGE:007A7C44j
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		call	_MmGetMinWsPagePriority@0 ; MmGetMinWsPagePriority()
		lea	ecx, [eax-1]
		test	ecx, eax
		jz	short loc_7A7D15

loc_7A7CF7:				; CODE XREF: PAGE:007A7D3Aj
		mov	edi, 0C000000Dh
		mov	esi, [ebp-140h]
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7A7D15:				; CODE XREF: PAGE:007A7CF5j
		cmp	dword ptr [ebp-150h], 4
		jnz	short loc_7A7D50
		bsf	eax, eax
		mov	[ebp-174h], eax
		mov	ecx, ds:dword_70E328[eax*4]
		and	ecx, [ebp-1A0h]
		cmp	ecx, [ebp-1A0h]
		jnz	short loc_7A7CF7
		mov	ax, [ebp-174h]
		mov	[ebp-19Ch], ax
		mov	[ebp-1A0h], ecx

loc_7A7D50:				; CODE XREF: PAGE:007A7D1Cj
		mov	ebx, [ebp-14Ch]
		dec	word ptr [ebx+13Ch]
		nop
		mov	esi, [ebp-140h]
		lea	ecx, [esi+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_7A7DCD
		mov	ecx, esi
		call	_PspLockProcessSharedUnsafe@4 ;	PspLockProcessSharedUnsafe(x)
		lea	eax, [ebp-16Ch]
		push	eax
		lea	eax, [ebp-1A0h]
		push	eax
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	_PspSetProcessAffinitySafe@20 ;	PspSetProcessAffinitySafe(x,x,x,x,x)
		mov	edi, eax
		mov	ecx, esi
		call	_PspUnlockProcessSharedUnsafe@4	; PspUnlockProcessSharedUnsafe(x)
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		test	edi, edi
		js	short loc_7A7DD2
		cmp	dword ptr [ebp-16Ch], 0
		jz	short loc_7A7DBD
		mov	edx, esi
		mov	ecx, ebx
		call	PspWritePebAffinityInfo

loc_7A7DBD:				; CODE XREF: PAGE:007A7DB2j
		mov	ecx, 200000h
		lea	eax, [esi+0F8h]
		lock or	[eax], ecx
		jmp	short loc_7A7DD2
; 

loc_7A7DCD:				; CODE XREF: PAGE:007A7D71j
		mov	edi, 0C000010Ah

loc_7A7DD2:				; CODE XREF: PAGE:007A7DA9j
					; PAGE:007A7DCBj
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7A7DEC:				; DATA XREF: .text:006A263Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-210h], eax
		mov	eax, 1
		retn
; 

loc_7A7DFF:				; DATA XREF: .text:006A2640o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-210h]
		jmp	loc_7AB06D
; 

loc_7A7E14:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0D8o
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 0Fh
		mov	ecx, [ebx]
		mov	[ebp-3ACh], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	eax, eax
		test	ecx, ecx
		setnz	al
		mov	[ebp-15Ch], eax
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp-170h], eax
		test	eax, eax
		js	loc_7AB06D
		mov	edi, [ebp-140h]
		lea	ecx, [edi+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_7A7EA0
		mov	esi, 0C000010Ah
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A7EA0:				; CODE XREF: PAGE:007A7E86j
		mov	ebx, [ebp-14Ch]
		mov	edx, ebx
		mov	ecx, edi
		call	_PspLockProcessExclusive@8 ; PspLockProcessExclusive(x,x)
		mov	edx, [ebp-15Ch]
		mov	ecx, edi
		call	_KeSetDisableBoostProcess@8 ; KeSetDisableBoostProcess(x,x)
		lea	eax, [edi+1D0h]
		mov	esi, [eax]
		cmp	esi, eax
		jz	short loc_7A7EE7
		jmp	short loc_7A7ED0
; 
		align 10h

loc_7A7ED0:				; CODE XREF: PAGE:007A7EC8j
					; PAGE:007A7EE5j
		lea	ecx, [esi-2E4h]
		call	_KeSetDisableBoostThread@8 ; KeSetDisableBoostThread(x,x)
		mov	esi, [esi]
		lea	eax, [edi+1D0h]
		cmp	esi, eax
		jnz	short loc_7A7ED0

loc_7A7EE7:				; CODE XREF: PAGE:007A7EC6j
		mov	edx, ebx
		mov	ecx, edi
		call	PspUnlockProcessExclusive
		lea	ecx, [edi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	esi, [ebp-170h]
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A7F14:				; DATA XREF: .text:006A2648o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-214h], eax
		mov	eax, 1
		retn
; 

loc_7A7F27:				; DATA XREF: .text:006A264Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-214h]
		jmp	loc_7AB06D
; 

loc_7A7F3C:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0ECo
		cmp	ecx, 4
		jnz	loc_7AAF78
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7A70B7
		mov	dword ptr [ebp-4], 10h
		mov	eax, [ebx]
		mov	[ebp-218h], eax
		jmp	short loc_7A7FA9
; 

loc_7A7F85:				; DATA XREF: .text:006A2654o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-21Ch], eax
		mov	eax, 1
		retn
; 

loc_7A7F98:				; DATA XREF: .text:006A2658o
		mov	esp, [ebp-18h]
		xor	eax, eax
		mov	[ebp-218h], eax
		mov	esi, [ebp-21Ch]

loc_7A7FA9:				; CODE XREF: PAGE:007A7F83j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	esi, esi
		js	loc_7A7964
		test	eax, 0FFFFFFFEh
		jz	short loc_7A7FDB
		mov	esi, 0C000000Dh
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A7FDB:				; CODE XREF: PAGE:007A7FBDj
		test	al, 1
		mov	eax, [ebp-140h]
		jz	short loc_7A8009
		mov	ecx, 0FFFFFFFDh
		add	eax, 0FCh
		lock and [eax],	ecx
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A8009:				; CODE XREF: PAGE:007A7FE3j
		mov	ecx, 2
		add	eax, 0FCh
		lock or	[eax], ecx
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A802D:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0DCo
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 11h
		mov	ebx, [ebx]
		mov	[ebp-384h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-144h]
		push	esi
		push	0
		call	RtlIsSandboxedToken
		test	al, al
		jnz	loc_7AAFCB
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	esi
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		push	esi
		mov	edx, ebx
		mov	ecx, [ebp-140h]
		call	_ObSetProcessDeviceMap@12 ; ObSetProcessDeviceMap(x,x,x)
		jmp	loc_7A7962
; 

loc_7A809D:				; DATA XREF: .text:006A2660o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-220h], eax
		mov	eax, 1
		retn
; 

loc_7A80B0:				; DATA XREF: .text:006A2664o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-220h]
		jmp	loc_7AB06D
; 

loc_7A80C5:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0E0o
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 12h
		mov	ebx, [ebx]
		mov	[ebp-394h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-144h]
		push	esi
		mov	eax, ds:dword_A949B4
		push	eax
		mov	eax, ds:_SeTcbPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7A723D
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	esi
		mov	eax, ds:_PsProcessType
		push	eax
		push	204h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	ecx, [ebp-140h]
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		sub	ebx, eax
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 0C0000022h
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		mov	eax, ebx
		jmp	loc_7AB06D
; 

loc_7A815A:				; DATA XREF: .text:006A266Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-224h], eax
		mov	eax, 1
		retn
; 

loc_7A816D:				; DATA XREF: .text:006A2670o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-224h]
		jmp	loc_7AB06D
; 

loc_7A8182:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0E8o
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 13h
		mov	esi, [ebx]
		mov	[ebp-398h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-144h]
		push	ebx
		mov	eax, ds:dword_A94A14
		push	eax
		mov	eax, ds:_SeDebugPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7A723D
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	ebx
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	ecx, [ebp-140h]
		lea	eax, [ecx+0FCh]
		test	esi, esi
		jz	short loc_7A8212
		mov	edx, 2000h
		lock or	[eax], edx
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7A8212:				; CODE XREF: PAGE:007A81F7j
		mov	edx, 0FFFFDFFFh
		lock and [eax],	edx
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7A822B:				; DATA XREF: .text:006A2678o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-228h], eax
		mov	eax, 1
		retn
; 

loc_7A823E:				; DATA XREF: .text:006A267Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-228h]
		jmp	loc_7AB06D
; 

loc_7A8253:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0F0o
		mov	dword ptr [ebp-1C0h], 0
		mov	dword ptr [ebp-1BCh], 0
		test	ecx, ecx
		jz	short loc_7A82B1
		cmp	ecx, 4
		jz	short loc_7A8279
		cmp	ecx, 8
		jnz	loc_7AAF78

loc_7A8279:				; CODE XREF: PAGE:007A826Ej
		mov	dword ptr [ebp-4], 14h
		mov	edx, [ebx]
		mov	[ebp-1C0h], edx
		cmp	ecx, 8
		jnz	short loc_7A8298
		mov	eax, [ebx+4]
		mov	[ebp-1BCh], eax
		jmp	short loc_7A82A2
; 

loc_7A8298:				; CODE XREF: PAGE:007A828Bj
		mov	dword ptr [ebp-1BCh], 0

loc_7A82A2:				; CODE XREF: PAGE:007A8296j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	edx, edx
		jnz	loc_7AA068

loc_7A82B1:				; CODE XREF: PAGE:007A8269j
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	esi, [ebp-140h]
		mov	ecx, esi
		cmp	dword ptr [ebp-150h], 0
		jz	short loc_7A831F
		lea	edx, [ebp-1C0h]
		jmp	short loc_7A8321
; 

loc_7A82F7:				; DATA XREF: .text:006A2684o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-22Ch], eax
		mov	eax, 1
		retn
; 

loc_7A830A:				; DATA XREF: .text:006A2688o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-22Ch]
		jmp	loc_7AB06D
; 

loc_7A831F:				; CODE XREF: PAGE:007A82EDj
		xor	edx, edx

loc_7A8321:				; CODE XREF: PAGE:007A82F5j
		call	_PsSetProcessHandleTracingInformation@8	; PsSetProcessHandleTracingInformation(x,x)

loc_7A8326:				; CODE XREF: PAGE:007AA454j
					; PAGE:007AA46Cj
		mov	edi, eax
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7A833B:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0F4o
		cmp	ecx, 4
		jz	short loc_7A834E
		cmp	ecx, 8
		jnz	loc_7AAF78
		cmp	ecx, 4
		jnz	short loc_7A8395

loc_7A834E:				; CODE XREF: PAGE:007A833Ej
		mov	dword ptr [ebp-4], 15h
		mov	eax, [ebx]
		mov	[ebp-1ACh], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	byte ptr [ebp-164h], 0
		jmp	short loc_7A83C6
; 

loc_7A836D:				; DATA XREF: .text:006A2690o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-230h], eax
		mov	eax, 1
		retn
; 

loc_7A8380:				; DATA XREF: .text:006A2694o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-230h]
		jmp	loc_7AB06D
; 

loc_7A8395:				; CODE XREF: PAGE:007A834Cj
		mov	dword ptr [ebp-4], 16h
		mov	eax, [ebx]
		mov	[ebp-1C8h], eax
		mov	ecx, [ebx+4]
		mov	[ebp-164h], ecx
		mov	[ebp-1C4h], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1C8h]
		mov	[ebp-1ACh], eax

loc_7A83C6:				; CODE XREF: PAGE:007A836Bj
		cmp	eax, 4
		jnb	loc_7AA068
		mov	esi, [ebp-144h]
		cmp	eax, 3
		jb	short loc_7A83FB
		mov	eax, ds:dword_A949F4
		push	eax
		mov	eax, ds:_SeIncreaseBasePriorityPrivilege
		push	eax
		push	esi
		mov	edx, 200h
		mov	ecx, edi
		call	_SeCheckPrivilegedObject@20 ; SeCheckPrivilegedObject(x,x,x,x,x)
		test	al, al
		jz	loc_7A723D

loc_7A83FB:				; CODE XREF: PAGE:007A83D8j
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	esi
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp-168h], edi
		test	edi, edi
		js	loc_7A732F
		mov	ebx, [ebp-140h]
		lea	eax, [ebx+0F0h]
		mov	[ebp-170h], eax
		mov	ecx, eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_7A8460
		mov	edi, 0C000010Ah
		mov	edx, 79517350h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7A8460:				; CODE XREF: PAGE:007A8446j
		mov	edx, [ebp-14Ch]
		mov	ecx, ebx
		call	_PspLockProcessExclusive@8 ; PspLockProcessExclusive(x,x)
		lea	eax, [ebx+0FCh]
		mov	[ebp-15Ch], eax
		mov	eax, [eax]
		mov	ebx, [ebp-1ACh]
		mov	esi, ebx
		shl	esi, 1Bh

loc_7A8486:				; CODE XREF: PAGE:007A84A4j
		mov	edx, eax
		mov	ecx, eax
		and	ecx, 0C7FFFFFFh
		or	ecx, esi
		mov	edi, [ebp-15Ch]
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		mov	edi, [ebp-168h]
		jnz	short loc_7A8486
		mov	eax, [ebp-140h]
		add	eax, 1D0h
		mov	[ebp-15Ch], eax
		mov	esi, [eax]
		cmp	esi, eax
		jz	short loc_7A8502
		lea	ecx, [ecx+0]

loc_7A84C0:				; CODE XREF: PAGE:007A84FAj
		cmp	byte ptr [ebp-164h], 1
		jnz	short loc_7A84E5
		mov	eax, [esi+18h]
		shr	eax, 9
		and	eax, 7
		cmp	eax, ebx
		jge	short loc_7A84E5
		push	0
		mov	edx, ebx
		lea	ecx, [esi-2E4h]
		call	IoBoostThreadIoPriority

loc_7A84E5:				; CODE XREF: PAGE:007A84C7j
					; PAGE:007A84D4j
		mov	edx, ebx
		lea	ecx, [esi-2E4h]
		call	PsSetIoPriorityThread
		mov	esi, [esi]
		cmp	esi, [ebp-15Ch]
		jnz	short loc_7A84C0
		mov	edi, [ebp-168h]

loc_7A8502:				; CODE XREF: PAGE:007A84BBj
		mov	edx, [ebp-14Ch]
		mov	ebx, [ebp-140h]
		mov	ecx, ebx
		call	PspUnlockProcessExclusive
		mov	ecx, [ebp-170h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	edx, 79517350h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7A8533:				; DATA XREF: .text:006A269Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2C0h], eax
		mov	eax, 1
		retn
; 

loc_7A8546:				; DATA XREF: .text:006A26A0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2C0h]
		jmp	loc_7AB06D
; 

loc_7A855B:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0F8o
		cmp	ecx, 4
		jnz	loc_7AAF78
		cmp	edi, 0FFFFFFFFh
		jnz	loc_7AA068
		mov	dword ptr [ebp-4], 17h
		mov	ebx, [ebx]
		mov	[ebp-39Ch], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	edx, ebx
		mov	ecx, eax
		call	KeSetExecuteOptions
		mov	esi, eax
		test	esi, esi
		js	loc_7A70B7
		and	bl, 3
		cmp	bl, 1
		jnz	loc_7A70B7
		call	_MmRemoveExecuteGrants@0 ; MmRemoveExecuteGrants()
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A85B3:				; DATA XREF: .text:006A26A8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-234h], eax
		mov	eax, 1
		retn
; 

loc_7A85C6:				; DATA XREF: .text:006A26ACo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-234h]
		jmp	loc_7AB06D
; 

loc_7A85DB:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB100o
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 18h
		mov	esi, [ebx]
		mov	[ebp-238h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		call	_MmGetDefaultPagePriority@0 ; MmGetDefaultPagePriority()
		cmp	esi, eax
		ja	loc_7AA068
		call	_MmGetMinWsPagePriority@0 ; MmGetMinWsPagePriority()
		cmp	esi, eax
		jb	loc_7AA068
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp-164h], eax
		test	eax, eax
		js	loc_7AB06D
		mov	edi, [ebp-140h]
		lea	eax, [edi+0F0h]
		mov	[ebp-170h], eax
		mov	ecx, eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_7A867C
		mov	esi, 0C000010Ah
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A867C:				; CODE XREF: PAGE:007A8662j
		mov	ebx, [ebp-14Ch]
		mov	edx, ebx
		mov	ecx, edi
		call	_PspLockProcessExclusive@8 ; PspLockProcessExclusive(x,x)
		shl	esi, 0Ch
		add	edi, 0F8h
		mov	eax, [edi]

loc_7A8696:				; CODE XREF: PAGE:007A86A8j
		mov	edx, eax
		mov	ecx, eax
		and	ecx, 0FFFF8FFFh
		or	ecx, esi
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_7A8696
		mov	eax, [ebp-140h]
		add	eax, 1D0h
		mov	[ebp-15Ch], eax
		mov	edi, [eax]
		cmp	edi, eax
		jz	short loc_7A86E7
		mov	esi, [ebp-238h]
		jmp	short loc_7A86D0
; 
		align 10h

loc_7A86D0:				; CODE XREF: PAGE:007A86C7j
					; PAGE:007A86E5j
		lea	ecx, [edi-2E4h]
		mov	edx, esi
		call	PsSetPagePriorityThread
		mov	edi, [edi]
		cmp	edi, [ebp-15Ch]
		jnz	short loc_7A86D0

loc_7A86E7:				; CODE XREF: PAGE:007A86BFj
		mov	edx, ebx
		mov	edi, [ebp-140h]
		mov	ecx, edi
		call	PspUnlockProcessExclusive
		mov	ecx, [ebp-170h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	esi, [ebp-164h]
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A871A:				; DATA XREF: .text:006A26B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-23Ch], eax
		mov	eax, 1
		retn
; 

loc_7A872D:				; DATA XREF: .text:006A26B8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-23Ch]
		jmp	loc_7AB06D
; 

loc_7A8742:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB0FCo
		xor	eax, eax
		mov	[ebp-0A0h], eax
		mov	[ebp-9Ch], eax
		mov	[ebp-98h], eax
		mov	[ebp-94h], eax
		mov	[ebp-90h], eax
		mov	[ebp-8Ch], eax
		mov	[ebp-88h], eax
		mov	[ebp-160h], eax
		mov	[ebp-17Ch], eax
		mov	[ebp-1A8h], eax
		cmp	edi, 0FFFFFFFFh
		jnz	loc_7AA068
		cmp	dl, 1
		jz	short loc_7A8798
		mov	eax, 0C0000001h
		jmp	loc_7AB06D
; 

loc_7A8798:				; CODE XREF: PAGE:007A878Cj
		cmp	ecx, 1Ch
		jb	loc_7AAF78
		lea	eax, [ecx-10h]
		xor	edx, edx
		mov	esi, 0Ch
		div	esi
		mov	edi, eax
		test	edx, edx
		jnz	loc_7AAF78
		cmp	ecx, 1Ch
		jnz	short loc_7A87CA
		lea	esi, [ebp-0A0h]
		mov	[ebp-154h], esi
		jmp	short loc_7A87ED
; 

loc_7A87CA:				; CODE XREF: PAGE:007A87BAj
		push	736C5450h
		push	ecx
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		mov	[ebp-154h], esi
		test	esi, esi
		jz	loc_7AA0B8
		mov	ecx, [ebp-150h]

loc_7A87ED:				; CODE XREF: PAGE:007A87C8j
		mov	dword ptr [ebp-4], 19h
		mov	[ebp-170h], esi
		push	ecx
		push	ebx
		push	esi
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	dword ptr [esi+4], 2
		jnb	loc_7A8CBE
		mov	eax, [esi]
		mov	[ebp-15Ch], eax
		test	eax, 0FFFFFFFEh
		jnz	loc_7A8CBE
		mov	edx, [esi+8]
		cmp	edx, 1
		jb	loc_7A8CBE
		cmp	edi, edx
		jnz	loc_7A8CBE
		xor	ecx, ecx
		mov	[ebp-160h], ecx

loc_7A8845:				; CODE XREF: PAGE:007A8858j
		lea	eax, [ecx+ecx*2]
		cmp	dword ptr [esi+eax*4+10h], 0
		jnz	short loc_7A886E
		inc	ecx
		mov	[ebp-160h], ecx
		cmp	ecx, edx
		jb	short loc_7A8845
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	[ebp-140h], eax
		test	byte ptr [ebp-15Ch], 1
		jz	short loc_7A8878

loc_7A886E:				; CODE XREF: PAGE:007A884Dj
		mov	ebx, 0C000000Dh
		jmp	loc_7A8CE8
; 

loc_7A8878:				; CODE XREF: PAGE:007A886Cj
		mov	[ebp-14Ch], ebx
		xor	edi, edi
		mov	[ebp-160h], edi
		xor	ebx, ebx
		mov	[ebp-144h], ebx
		push	ebx

loc_7A888F:				; CODE XREF: PAGE:007A8CA7j
		push	dword ptr [ebp-140h]
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	[ebp-150h], eax
		test	eax, eax
		jz	loc_7A8CAC
		cmp	edi, [esi+8]
		jnb	loc_7A8CAC
		test	dword ptr [eax+58h], 400h
		jnz	loc_7A8CA1
		lea	ecx, [eax+2ECh]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_7A8CA1
		mov	eax, [ebp-150h]
		mov	edx, [eax+0A8h]
		mov	dword ptr [ebp-4], 1Ah
		add	edx, 2Ch
		mov	[ebp-164h], edx
		mov	[ebp-1A8h], edx
		mov	ecx, [edx]
		mov	[ebp-168h], ecx
		mov	[ebp-17Ch], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	ecx, ecx
		jz	loc_7A8C86
		cmp	dword ptr [esi+4], 1
		jnz	loc_7A8B0F
		cmp	ecx, edx
		jz	loc_7A89EE
		mov	dword ptr [ebp-4], 1Bh
		mov	edx, [esi+0Ch]
		lea	eax, ds:0[edx*4]
		test	eax, eax
		jz	short loc_7A896E
		test	cl, 3
		jnz	loc_7AB090
		add	eax, ecx
		mov	esi, ds:_MmUserProbeAddress
		mov	[ebp-15Ch], esi
		cmp	eax, esi
		mov	esi, [ebp-154h]
		ja	short loc_7A895C
		cmp	eax, ecx
		jnb	short loc_7A896E

loc_7A895C:				; CODE XREF: PAGE:007A8956j
		mov	eax, [ebp-15Ch]
		mov	byte ptr [eax],	0
		mov	eax, [ebp-170h]
		mov	edx, [eax+0Ch]

loc_7A896E:				; CODE XREF: PAGE:007A8935j
					; PAGE:007A895Aj
		lea	eax, [edi+edi*2]
		lea	esi, [esi+eax*4]
		push	4
		lea	eax, ds:0[edx*4]
		push	eax
		mov	eax, [esi+14h]
		push	eax
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [ebp-154h]
		mov	eax, [ecx+0Ch]
		shl	eax, 2
		push	eax
		push	dword ptr [ebp-168h]
		mov	eax, [esi+14h]
		push	eax
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-240h], 0
		xor	ecx, ecx
		lea	eax, [ebp-240h]
		lock or	[eax], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-154h]
		mov	edx, [ebp-164h]
		jmp	short loc_7A89FC
; 

loc_7A89D0:				; DATA XREF: .text:006A26D8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-244h], eax
		mov	eax, 1
		retn
; 

loc_7A89E3:				; DATA XREF: .text:006A26DCo
		mov	ebx, [ebp-244h]
		jmp	loc_7A8C70
; 

loc_7A89EE:				; CODE XREF: PAGE:007A891Cj
		xor	ecx, ecx
		mov	[ebp-168h], ecx
		mov	[ebp-17Ch], ecx

loc_7A89FC:				; CODE XREF: PAGE:007A89CEj
		mov	dword ptr [ebp-4], 1Ch
		lea	ecx, [edi+edi*2]
		mov	eax, [ebp-14Ch]
		or	dword ptr [eax+ecx*4+10h], 1
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-4], 1Dh
		mov	eax, [esi+ecx*4+14h]
		mov	[edx], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-168h]
		jmp	short loc_7A8A69
; 

loc_7A8A34:				; DATA XREF: .text:006A26F0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-248h], eax
		mov	eax, 1
		retn
; 

loc_7A8A47:				; DATA XREF: .text:006A26F4o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-248h]
		mov	[ebp-144h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-160h]
		mov	esi, [ebp-17Ch]

loc_7A8A69:				; CODE XREF: PAGE:007A8A32j
		test	ebx, ebx
		js	short loc_7A8ACA
		mov	dword ptr [ebp-4], 1Eh
		mov	eax, [ebp-150h]
		mov	edx, [eax+2B0h]
		lea	eax, [edi+edi*2]
		mov	ecx, [ebp-14Ch]
		mov	[ecx+eax*4+18h], edx
		lea	eax, [edi+edi*2]
		mov	[ecx+eax*4+14h], esi
		xor	dword ptr [ecx+eax*4+10h], 3
		inc	edi
		mov	[ebp-160h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7A8C86
; 

loc_7A8AAC:				; DATA XREF: .text:006A26FCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2F8h], eax
		mov	eax, 1
		retn
; 

loc_7A8ABF:				; DATA XREF: .text:006A2700o
		mov	ebx, [ebp-2F8h]
		jmp	loc_7A8C70
; 

loc_7A8ACA:				; CODE XREF: PAGE:007A8A6Bj
		mov	dword ptr [ebp-4], 1Fh
		jmp	loc_7A8C0D
; 

loc_7A8AD6:				; DATA XREF: .text:006A2708o
		mov	eax, 1
		retn
; 

loc_7A8ADC:				; DATA XREF: .text:006A270Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-144h]
		jmp	loc_7A8C80
; 

loc_7A8AF1:				; DATA XREF: .text:006A26E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2F4h], eax
		mov	eax, 1
		retn
; 

loc_7A8B04:				; DATA XREF: .text:006A26E8o
		mov	ebx, [ebp-2F4h]
		jmp	loc_7A8C70
; 

loc_7A8B0F:				; CODE XREF: PAGE:007A8914j
		mov	dword ptr [ebp-4], 20h
		lea	edx, [edi+edi*2]
		mov	eax, [ebp-14Ch]
		or	dword ptr [eax+edx*4+10h], 1
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	dword ptr [ebp-4], 21h
		mov	eax, [esi+0Ch]
		lea	eax, [ecx+eax*4]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_7A8B44
		mov	eax, ecx

loc_7A8B44:				; CODE XREF: PAGE:007A8B40j
		nop
		mov	edi, [eax]
		mov	[ebp-15Ch], edi
		mov	[ebp-1A8h], edi
		mov	ecx, [esi+0Ch]
		mov	eax, [ebp-17Ch]
		lea	ecx, [eax+ecx*4]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_7A8B6A
		mov	ecx, eax

loc_7A8B6A:				; CODE XREF: PAGE:007A8B66j
		nop
		mov	eax, [esi+edx*4+14h]
		mov	[ecx], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, [ebp-15Ch]
		jmp	short loc_7A8BAF
; 

loc_7A8B80:				; DATA XREF: .text:006A2720o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2F0h], eax
		mov	eax, 1
		retn
; 

loc_7A8B93:				; DATA XREF: .text:006A2724o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-2F0h]
		mov	[ebp-144h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, [ebp-1A8h]

loc_7A8BAF:				; CODE XREF: PAGE:007A8B7Ej
		test	ebx, ebx
		js	short loc_7A8C00
		mov	dword ptr [ebp-4], 22h
		mov	edi, [ebp-160h]
		lea	ecx, [edi+edi*2]
		mov	eax, [ebp-14Ch]
		mov	[eax+ecx*4+14h], edx
		xor	dword ptr [eax+ecx*4+10h], 3
		inc	edi
		mov	[ebp-160h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7A8C86
; 

loc_7A8BE5:				; DATA XREF: .text:006A272Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2DCh], eax
		mov	eax, 1
		retn
; 

loc_7A8BF8:				; DATA XREF: .text:006A2730o
		mov	ebx, [ebp-2DCh]
		jmp	short loc_7A8C70
; 

loc_7A8C00:				; CODE XREF: PAGE:007A8BB1j
		mov	dword ptr [ebp-4], 23h
		mov	edi, [ebp-160h]

loc_7A8C0D:				; CODE XREF: PAGE:007A8AD1j
		lea	ecx, [edi+edi*2]
		mov	eax, [ebp-14Ch]
		and	dword ptr [eax+ecx*4+10h], 0FFFFFFFEh
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7A8C86
; 

loc_7A8C24:				; DATA XREF: .text:006A2738o
		mov	eax, 1
		retn
; 

loc_7A8C2A:				; DATA XREF: .text:006A273Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-144h]
		jmp	short loc_7A8C80
; 

loc_7A8C3C:				; DATA XREF: .text:006A2714o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2D8h], eax
		mov	eax, 1
		retn
; 

loc_7A8C4F:				; DATA XREF: .text:006A2718o
		mov	ebx, [ebp-2D8h]
		jmp	short loc_7A8C70
; 

loc_7A8C57:				; DATA XREF: .text:006A26CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2B4h], eax
		mov	eax, 1
		retn
; 

loc_7A8C6A:				; DATA XREF: .text:006A26D0o
		mov	ebx, [ebp-2B4h]

loc_7A8C70:				; CODE XREF: PAGE:007A89E9j
					; PAGE:007A8AC5j ...
		mov	[ebp-144h], ebx
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7A8C80:				; CODE XREF: PAGE:007A8AECj
					; PAGE:007A8C3Aj
		mov	edi, [ebp-160h]

loc_7A8C86:				; CODE XREF: PAGE:007A890Aj
					; PAGE:007A8AA7j ...
		mov	ecx, [ebp-150h]
		lea	ecx, [ecx+2ECh]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		test	ebx, ebx
		js	short loc_7A8CAC
		mov	esi, [ebp-154h]

loc_7A8CA1:				; CODE XREF: PAGE:007A88B8j
					; PAGE:007A88CBj
		push	dword ptr [ebp-150h]
		jmp	loc_7A888F
; 

loc_7A8CAC:				; CODE XREF: PAGE:007A88A2j
					; PAGE:007A88ABj ...
		mov	eax, [ebp-150h]
		test	eax, eax
		jz	short loc_7A8CE8
		push	eax
		call	_PsQuitNextProcessThread@4 ; PsQuitNextProcessThread(x)
		jmp	short loc_7A8CE8
; 

loc_7A8CBE:				; CODE XREF: PAGE:007A8810j
					; PAGE:007A8823j ...
		mov	ebx, 0C0000004h
		jmp	short loc_7A8CE8
; 

loc_7A8CC5:				; DATA XREF: .text:006A26C0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2BCh], eax
		mov	eax, 1
		retn
; 

loc_7A8CD8:				; DATA XREF: .text:006A26C4o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-2BCh]
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7A8CE8:				; CODE XREF: PAGE:007A8873j
					; PAGE:007A8CB4j ...
		lea	eax, [ebp-0A0h]
		mov	ecx, [ebp-154h]
		cmp	ecx, eax
		jz	short loc_7A8D00
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7A8D00:				; CODE XREF: PAGE:007A8CF6j
		mov	eax, ebx
		jmp	loc_7AB06D
; 

loc_7A8D07:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB104o
		xor	eax, eax
		mov	[ebp-84h], eax
		mov	[ebp-80h], eax
		mov	[ebp-7Ch], eax
		mov	[ebp-78h], eax
		mov	[ebp-74h], eax
		mov	[ebp-70h], eax
		cmp	ecx, 4
		jz	short loc_7A8D2C
		cmp	ecx, 0Ch
		jnz	loc_7AAF78

loc_7A8D2C:				; CODE XREF: PAGE:007A8D21j
		mov	dword ptr [ebp-4], 24h
		cmp	ecx, 4
		jnz	short loc_7A8D62
		mov	dword ptr [ebp-330h], 0
		mov	dword ptr [ebp-32Ch], 0
		mov	eax, [ebx]
		mov	[ebp-328h], eax
		mov	edx, [ebp-32Ch]
		mov	ecx, [ebp-330h]
		jmp	short loc_7A8D6A
; 

loc_7A8D62:				; CODE XREF: PAGE:007A8D36j
		mov	ecx, [ebx]
		mov	edx, [ebx+4]
		mov	eax, [ebx+8]

loc_7A8D6A:				; CODE XREF: PAGE:007A8D60j
		mov	[ebp-16Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	edx, edx
		jnz	loc_7AA068
		cmp	ecx, 1
		jz	short loc_7A8D8E
		mov	eax, 0C0000058h
		jmp	loc_7AB06D
; 

loc_7A8D8E:				; CODE XREF: PAGE:007A8D82j
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		mov	esi, [ebp-144h]
		push	esi
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	edi, eax
		push	esi
		mov	ecx, ds:dword_A94A14
		push	ecx
		mov	ecx, ds:_SeDebugPrivilege
		push	ecx
		call	SeSinglePrivilegeCheck
		mov	esi, [ebp-140h]
		test	al, al
		jnz	short loc_7A8DFB
		cmp	esi, edi
		jz	short loc_7A8DFB
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C0000061h
		jmp	loc_7AB06D
; 

loc_7A8DFB:				; CODE XREF: PAGE:007A8DDFj
					; PAGE:007A8DE3j
		lea	ecx, [esi+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_7A8E20
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C000010Ah
		jmp	loc_7AB06D
; 

loc_7A8E20:				; CODE XREF: PAGE:007A8E08j
		xor	ebx, ebx
		mov	[ebp-174h], ebx
		lea	eax, [ebp-84h]
		push	eax
		push	esi
		call	KeStackAttachProcess
		mov	edi, [ebp-16Ch]
		mov	ecx, edi
		call	_MmValidateUserCallTarget@8 ; MmValidateUserCallTarget(x,x)
		test	eax, eax
		jnz	short loc_7A8E51
		mov	ebx, 0C000000Dh
		mov	[ebp-174h], ebx

loc_7A8E51:				; CODE XREF: PAGE:007A8E44j
		lea	eax, [ebp-84h]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		test	ebx, ebx
		js	short loc_7A8EAD
		mov	ebx, [ebp-14Ch]
		mov	edx, ebx
		mov	ecx, esi
		call	_PspLockProcessExclusive@8 ; PspLockProcessExclusive(x,x)
		mov	[esi+3DCh], edi
		lea	edx, [esi+1D0h]
		mov	ecx, [edx]
		cmp	ecx, edx
		jz	short loc_7A8E9E

loc_7A8E82:				; CODE XREF: PAGE:007A8E9Cj
		lea	eax, [ecx-2E4h]
		test	edi, edi
		jz	short loc_7A8E93
		lock bts dword ptr [eax], 17h
		jmp	short loc_7A8E98
; 

loc_7A8E93:				; CODE XREF: PAGE:007A8E8Aj
		lock btr dword ptr [eax], 17h

loc_7A8E98:				; CODE XREF: PAGE:007A8E91j
		mov	ecx, [ecx]
		cmp	ecx, edx
		jnz	short loc_7A8E82

loc_7A8E9E:				; CODE XREF: PAGE:007A8E80j
		mov	edx, ebx
		mov	ecx, esi
		call	PspUnlockProcessExclusive
		mov	ebx, [ebp-174h]

loc_7A8EAD:				; CODE XREF: PAGE:007A8E5Fj
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, ebx
		jmp	loc_7AB06D
; 

loc_7A8ECB:				; DATA XREF: .text:006A2744o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2B8h], eax
		mov	eax, 1
		retn
; 

loc_7A8EDE:				; DATA XREF: .text:006A2748o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2B8h]
		jmp	loc_7AB06D
; 

loc_7A8EF3:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB108o
		xor	eax, eax
		mov	[ebp-324h], eax
		mov	[ebp-320h], eax
		mov	[ebp-31Ch], eax
		mov	[ebp-318h], eax
		mov	[ebp-314h], eax
		mov	[ebp-310h], eax
		mov	[ebp-30Ch], eax
		cmp	edi, 0FFFFFFFFh
		jnz	loc_7AA068
		xor	esi, esi
		cmp	ecx, 1Ch
		jnz	loc_7A8FFE
		test	dl, dl
		jz	short loc_7A8F5D
		mov	dword ptr [ebp-4], 26h
		mov	ecx, 7
		mov	esi, ebx
		lea	edi, [ebp-324h]
		rep movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		lea	esi, [ebx+18h]
		lea	ebx, [ebp-324h]

loc_7A8F5D:				; CODE XREF: PAGE:007A8F35j
		mov	ecx, [ebx]
		cmp	ecx, 10h
		ja	loc_7AA068
		mov	eax, [ebx+0Ch]
		or	eax, [ebx+8]
		or	eax, [ebx+4]
		jnz	loc_7AA068
		add	ebx, 10h

loc_7A8F7A:				; CODE XREF: PAGE:007A900Bj
					; PAGE:007A9039j
		mov	eax, [ebx]
		test	eax, eax
		jz	loc_7AA068
		mov	[ebp-194h], eax
		mov	dword ptr [ebx+8], 0
		push	ecx
		push	ecx
		lea	eax, [ebp-194h]
		push	eax
		mov	edx, [ebx+4]
		lea	ecx, [ebx+8]
		call	_MmAllocateUserStack@20	; MmAllocateUserStack(x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_7A9089
		cmp	byte ptr [ebp-145h], 0
		jz	loc_7A9089
		mov	dword ptr [ebp-4], 28h
		mov	eax, [ebx+8]
		mov	[esi], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, ecx
		jmp	loc_7AB06D
; 

loc_7A8FD6:				; DATA XREF: .text:006A275Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2B0h], eax
		mov	eax, 1
		retn
; 

loc_7A8FE9:				; DATA XREF: .text:006A2760o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2B0h]
		jmp	loc_7AB06D
; 

loc_7A8FFE:				; CODE XREF: PAGE:007A8F2Dj
		cmp	ecx, 0Ch
		jnz	loc_7AAF78
		xor	ecx, ecx
		test	dl, dl
		jz	loc_7A8F7A
		mov	dword ptr [ebp-4], 27h
		mov	eax, [ebx]
		mov	[ebp-314h], eax
		mov	eax, [ebx+4]
		mov	[ebp-310h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		lea	esi, [ebx+8]
		lea	ebx, [ebp-314h]
		jmp	loc_7A8F7A
; 

loc_7A903E:				; DATA XREF: .text:006A2768o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24Ch], eax
		mov	eax, 1
		retn
; 

loc_7A9051:				; DATA XREF: .text:006A276Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24Ch]
		jmp	loc_7AB06D
; 

loc_7A9066:				; DATA XREF: .text:006A2774o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2C4h], eax
		mov	eax, 1
		retn
; 

loc_7A9079:				; DATA XREF: .text:006A2778o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-2C4h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7A9089:				; CODE XREF: PAGE:007A8FA9j
					; PAGE:007A8FB6j
		mov	eax, ecx
		jmp	loc_7AB06D
; 

loc_7A9090:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB10Co
		cmp	edi, 0FFFFFFFFh
		jnz	loc_7AA068
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 29h
		mov	eax, [ebx]
		mov	[ebp-158h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	eax, ecx
		jnb	loc_7AA068
		lea	edx, [ebp-158h]
		mov	ecx, [ebp-14Ch]
		call	@PspSetProcessAffinityUpdateMode@8 ; PspSetProcessAffinityUpdateMode(x,x)
		jmp	loc_7AB06D
; 

loc_7A90D6:				; DATA XREF: .text:006A2780o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-250h], eax
		mov	eax, 1
		retn
; 

loc_7A90E9:				; DATA XREF: .text:006A2784o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-250h]
		jmp	loc_7AB06D
; 

loc_7A90FE:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB110o
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 2Ah
		mov	eax, [ebx]
		mov	[ebp-158h], eax
		mov	[ebp-3A0h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	eax, 0FFFFFFFEh
		jnz	loc_7AA068
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	ecx, [ebp-140h]
		lea	eax, [ecx+0FCh]
		test	byte ptr [ebp-158h], 1
		jz	short loc_7A9189
		mov	edx, 200000h
		lock or	[eax], edx
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7A9189:				; CODE XREF: PAGE:007A916Ej
		mov	edx, 0FFDFFFFFh
		lock and [eax],	edx
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7A91A2:				; DATA XREF: .text:006A278Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-254h], eax
		mov	eax, 1
		retn
; 

loc_7A91B5:				; DATA XREF: .text:006A2790o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-254h]
		jmp	loc_7AB06D
; 

loc_7A91CA:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB114o
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 2Bh
		mov	ebx, [ebx]
		mov	[ebp-3A4h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	edi, [ebp-140h]
		push	edi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		mov	edx, ebx
		mov	ecx, esi
		call	_SeSetVirtualizationToken@8 ; SeSetVirtualizationToken(x,x)
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7A9247:				; DATA XREF: .text:006A2798o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-258h], eax
		mov	eax, 1
		retn
; 

loc_7A925A:				; DATA XREF: .text:006A279Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-258h]
		jmp	loc_7AB06D
; 

loc_7A926F:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB118o
		cmp	ecx, 4
		jnz	loc_7AAF78
		cmp	edi, 0FFFFFFFFh
		jnz	loc_7AA068
		mov	dword ptr [ebp-4], 2Ch
		mov	esi, [ebx]
		mov	[ebp-3A8h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, esi
		and	al, 3
		cmp	al, 1
		jnz	loc_7AA068
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	[eax+178h], esi
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7A92B5:				; DATA XREF: .text:006A27A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-25Ch], eax
		mov	eax, 1
		retn
; 

loc_7A92C8:				; DATA XREF: .text:006A27A8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-25Ch]
		jmp	loc_7AB06D
; 

loc_7A92DD:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB11Co
		mov	byte ptr [ebp-145h], 0
		cmp	ecx, 8
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 2Dh
		mov	eax, [ebx]
		mov	[ebp-2CCh], eax
		mov	ebx, [ebx+4]
		mov	[ebp-2C8h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-2CCh]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_7A9320
		cmp	esi, 2
		jnz	loc_7AA068

loc_7A9320:				; CODE XREF: PAGE:007A9315j
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	edi, eax
		mov	[ebp-140h], edi
		dec	esi
		cmp	esi, 0Fh	; switch 16 cases
		ja	loc_7A9EF2	; default
		jmp	ds:off_7AB1E8[esi*4] ; switch jump

loc_7A933E:				; DATA XREF: PAGE:off_7AB1E8o
		test	ebx, 0FFFFFFF0h	; case 0x0
		jz	short loc_7A9350
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A9350:				; CODE XREF: PAGE:007A9344j
		mov	eax, ebx
		shr	eax, 1
		and	eax, 1
		jnz	short loc_7A9362
		test	byte ptr [edi+490h], 10h
		jnz	short loc_7A9383

loc_7A9362:				; CODE XREF: PAGE:007A9357j
		mov	ecx, ebx
		and	ecx, 1
		jnz	short loc_7A9372
		test	byte ptr [edi+490h], 40h
		jz	short loc_7A9383

loc_7A9372:				; CODE XREF: PAGE:007A9367j
		shr	ebx, 3
		and	ebx, 1
		jnz	short loc_7A938D
		test	byte ptr [edi+490h], 8
		jz	short loc_7A938D

loc_7A9383:				; CODE XREF: PAGE:007A9360j
					; PAGE:007A9370j ...
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A938D:				; CODE XREF: PAGE:007A9378j
					; PAGE:007A9381j
		test	ebx, ebx
		jz	short loc_7A939F
		test	eax, eax
		jnz	short loc_7A93A3
		mov	esi, 0C0000030h
		jmp	loc_7A9EF7
; 

loc_7A939F:				; CODE XREF: PAGE:007A938Fj
		test	eax, eax
		jz	short loc_7A93B1

loc_7A93A3:				; CODE XREF: PAGE:007A9393j
		mov	edx, 10h
		lea	eax, [edi+490h]
		lock or	[eax], edx

loc_7A93B1:				; CODE XREF: PAGE:007A93A1j
		test	ecx, ecx
		jz	short loc_7A93C3
		mov	ecx, 0FFFFFFBFh
		lea	eax, [edi+490h]
		lock and [eax],	ecx

loc_7A93C3:				; CODE XREF: PAGE:007A93B3j
		test	ebx, ebx
		jz	short loc_7A93D5
		mov	ecx, 8
		lea	eax, [edi+490h]
		lock or	[eax], ecx

loc_7A93D5:				; CODE XREF: PAGE:007A93C5j
					; PAGE:007A9D03j ...
		xor	esi, esi
		jmp	loc_7A9EF7
; 

loc_7A93DC:				; CODE XREF: PAGE:007A9337j
					; DATA XREF: PAGE:007AB1F0o
		test	ebx, 0FFFFFFFCh	; case 0x2
		jz	short loc_7A93EE
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A93EE:				; CODE XREF: PAGE:007A93E2j
		mov	eax, ebx
		shr	eax, 1
		and	eax, 1
		jnz	short loc_7A9406
		test	bl, 1
		jz	short loc_7A9406
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A9406:				; CODE XREF: PAGE:007A93F5j
					; PAGE:007A93FAj
		test	eax, eax
		jz	short loc_7A9419
		test	bl, 1
		jnz	short loc_7A9419
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A9419:				; CODE XREF: PAGE:007A9408j
					; PAGE:007A940Dj
		mov	ecx, edi
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jnz	short loc_7A942E
		mov	esi, 0C000010Ah
		jmp	loc_7A9EF7
; 

loc_7A942E:				; CODE XREF: PAGE:007A9422j
		and	bl, 1
		mov	dl, bl
		mov	ecx, eax
		call	ExEnableHandleExceptions
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFFDEh
		add	esi, 0C0000022h
		mov	ecx, edi
		call	_ObDereferenceProcessHandleTable@4 ; ObDereferenceProcessHandleTable(x)
		jmp	loc_7A9EF7
; 

loc_7A9459:				; CODE XREF: PAGE:007A9337j
					; DATA XREF: PAGE:007AB1F4o
		test	ebx, 0FFFFFFF0h	; case 0x3
		jz	short loc_7A946B
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A946B:				; CODE XREF: PAGE:007A945Fj
		test	bl, 1
		jz	short loc_7A9478
		test	bl, 2
		jz	short loc_7A9478
		and	ebx, 0FFFFFFFDh

loc_7A9478:				; CODE XREF: PAGE:007A946Ej
					; PAGE:007A9473j
		test	bl, 4
		jz	short loc_7A9485
		test	bl, 8
		jz	short loc_7A9485
		and	ebx, 0FFFFFFF7h

loc_7A9485:				; CODE XREF: PAGE:007A947Bj
					; PAGE:007A9480j
		mov	ecx, ebx
		and	ecx, 1
		mov	[ebp-194h], ecx
		jnz	short loc_7A94A8
		test	dword ptr [edi+490h], 1000h
		jz	short loc_7A94A8
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A94A8:				; CODE XREF: PAGE:007A9490j
					; PAGE:007A949Cj
		mov	edx, ebx
		shr	edx, 2
		and	edx, 1
		jnz	short loc_7A94C5
		test	byte ptr [edi+4D0h], 2
		jz	short loc_7A94C5
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A94C5:				; CODE XREF: PAGE:007A94B0j
					; PAGE:007A94B9j
		mov	eax, ebx
		shr	eax, 1
		and	eax, 1
		mov	[ebp-158h], eax
		jnz	short loc_7A94EE
		test	ecx, ecx
		jnz	short loc_7A94EE
		test	dword ptr [edi+490h], 2000h
		jz	short loc_7A94EE
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A94EE:				; CODE XREF: PAGE:007A94D2j
					; PAGE:007A94D6j ...
		shr	ebx, 3
		and	ebx, 1
		jnz	short loc_7A950D
		test	edx, edx
		jnz	short loc_7A950D
		test	byte ptr [edi+4D0h], 4
		jz	short loc_7A950D
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A950D:				; CODE XREF: PAGE:007A94F4j
					; PAGE:007A94F8j ...
		test	ecx, ecx
		jnz	short loc_7A9515
		test	eax, eax
		jz	short loc_7A953A

loc_7A9515:				; CODE XREF: PAGE:007A950Fj
		mov	ecx, [ebp-14Ch]
		call	_PsIsGuiThread@4 ; PsIsGuiThread(x)
		test	al, al
		jz	short loc_7A952E
		mov	esi, 0C0000189h
		jmp	loc_7A9EF7
; 

loc_7A952E:				; CODE XREF: PAGE:007A9522j
		mov	eax, [ebp-158h]
		mov	ecx, [ebp-194h]

loc_7A953A:				; CODE XREF: PAGE:007A9513j
		xor	esi, esi
		test	ecx, ecx
		jz	short loc_7A9547
		mov	ecx, 3000h
		jmp	short loc_7A9550
; 

loc_7A9547:				; CODE XREF: PAGE:007A953Ej
		test	eax, eax
		jz	short loc_7A9559
		mov	ecx, 2000h

loc_7A9550:				; CODE XREF: PAGE:007A9545j
		lea	eax, [edi+490h]
		lock or	[eax], ecx

loc_7A9559:				; CODE XREF: PAGE:007A9549j
		test	edx, edx
		jz	short loc_7A9570
		mov	ecx, 6
		lea	eax, [edi+4D0h]
		lock or	[eax], ecx
		jmp	loc_7A9EF7
; 

loc_7A9570:				; CODE XREF: PAGE:007A955Bj
		test	ebx, ebx
		jz	loc_7A9EF7
		mov	ecx, 4
		lea	eax, [edi+4D0h]
		lock or	[eax], ecx
		jmp	loc_7A9EF7
; 

loc_7A958B:				; CODE XREF: PAGE:007A9337j
					; DATA XREF: PAGE:007AB1ECo
		test	ebx, 0FFFFFFF0h	; case 0x1
		jz	short loc_7A959D
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A959D:				; CODE XREF: PAGE:007A9591j
		test	bl, 1
		jz	short loc_7A95AA
		test	bl, 8
		jz	short loc_7A95AA
		and	ebx, 0FFFFFFF7h

loc_7A95AA:				; CODE XREF: PAGE:007A95A0j
					; PAGE:007A95A5j
		mov	esi, ebx
		and	esi, 1
		mov	[ebp-154h], esi
		jnz	short loc_7A95C6
		test	bl, 6
		jz	short loc_7A95C6
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A95C6:				; CODE XREF: PAGE:007A95B5j
					; PAGE:007A95BAj
		call	_PsIsSystemWideMitigationOptionSet@8 ; PsIsSystemWideMitigationOptionSet(x,x)
		test	eax, eax
		jnz	loc_7A9EF2	; default
		mov	ecx, [ebp-164h]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_7A976A
		push	eax
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	ecx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7A9759
		mov	byte ptr [ebp-145h], 1
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	edi, [ebp-140h]
		cmp	edi, eax
		jz	loc_7A9764
		lea	esi, [edi+490h]
		mov	eax, [esi]
		test	eax, 100h
		jz	loc_7A96CC
		xor	eax, eax
		mov	[ebp-308h], eax
		mov	[ebp-304h], eax
		mov	[ebp-300h], eax
		mov	[ebp-2FCh], eax
		lea	eax, [ebp-308h]
		push	eax
		push	edi
		push	0
		call	SeCaptureSubjectContextEx
		push	1
		lea	eax, [ebp-308h]
		push	eax
		call	RtlIsSandboxedToken
		mov	[ebp-149h], al
		lea	eax, [ebp-308h]
		push	eax
		call	SeReleaseSubjectContext
		push	dword ptr [ebp-144h]
		push	0
		call	RtlIsSandboxedToken
		test	al, al
		jnz	short loc_7A96A7
		cmp	[ebp-149h], al
		jz	short loc_7A96A7
		test	dword ptr [esi], 400h
		jnz	short loc_7A96EC

loc_7A96A7:				; CODE XREF: PAGE:007A9695j
					; PAGE:007A969Dj
		push	dword ptr [ebp-144h]
		mov	eax, ds:dword_A94A14
		push	eax
		mov	eax, ds:_SeDebugPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_7A96EC
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A96CC:				; CODE XREF: PAGE:007A9637j
		mov	ecx, [ebp-154h]
		test	bl, 8
		jnz	short loc_7A96F2
		test	ecx, ecx
		jnz	short loc_7A96F2
		test	eax, 800h
		jz	short loc_7A96F2
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A96EC:				; CODE XREF: PAGE:007A96A5j
					; PAGE:007A96C0j
		mov	ecx, [ebp-154h]

loc_7A96F2:				; CODE XREF: PAGE:007A96D5j
					; PAGE:007A96D9j ...
		mov	eax, ecx
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFF700h
		add	eax, 900h
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 900h
		mov	edx, ecx
		test	bl, 8
		jz	short loc_7A9719
		or	edx, 800h

loc_7A9719:				; CODE XREF: PAGE:007A9711j
		test	bl, 2
		jz	short loc_7A9726
		or	edx, 200h
		jmp	short loc_7A972B
; 

loc_7A9726:				; CODE XREF: PAGE:007A971Cj
		or	eax, 200h

loc_7A972B:				; CODE XREF: PAGE:007A9724j
		test	bl, 4
		jz	short loc_7A9745
		or	edx, 400h
		push	eax
		mov	ecx, esi
		call	@RtlInterlockedSetClearBits@12 ; RtlInterlockedSetClearBits(x,x,x)
		xor	esi, esi
		jmp	loc_7A9EF7
; 

loc_7A9745:				; CODE XREF: PAGE:007A972Ej
		or	eax, 400h
		push	eax
		mov	ecx, esi
		call	@RtlInterlockedSetClearBits@12 ; RtlInterlockedSetClearBits(x,x,x)
		xor	esi, esi
		jmp	loc_7A9EF7
; 

loc_7A9759:				; CODE XREF: PAGE:007A960Aj
		mov	edi, [ebp-140h]
		jmp	loc_7A9EF7
; 

loc_7A9764:				; CODE XREF: PAGE:007A9624j
		mov	esi, [ebp-154h]

loc_7A976A:				; CODE XREF: PAGE:007A95DCj
		test	esi, esi
		jnz	short loc_7A9784
		test	dword ptr [edi+490h], 100h
		jz	short loc_7A9784
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A9784:				; CODE XREF: PAGE:007A976Cj
					; PAGE:007A9778j
		mov	ecx, ebx
		shr	ecx, 3
		and	ecx, 1
		jnz	short loc_7A97A8
		test	esi, esi
		jnz	short loc_7A97A8
		test	dword ptr [edi+490h], 800h
		jz	short loc_7A97A8
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A97A8:				; CODE XREF: PAGE:007A978Cj
					; PAGE:007A9790j ...
		mov	eax, ebx
		shr	eax, 1
		and	eax, 1
		jz	short loc_7A97D1
		mov	edx, [edi+490h]
		test	edx, 100h
		jz	short loc_7A97D1
		test	edx, 200h
		jnz	short loc_7A97D1
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A97D1:				; CODE XREF: PAGE:007A97AFj
					; PAGE:007A97BDj ...
		shr	ebx, 2
		and	ebx, 1
		jz	short loc_7A97F9
		mov	edx, [edi+490h]
		test	edx, 100h
		jz	short loc_7A97F9
		test	edx, 400h
		jnz	short loc_7A97F9
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A97F9:				; CODE XREF: PAGE:007A97D7j
					; PAGE:007A97E5j ...
		xor	edx, edx
		test	esi, esi
		jz	short loc_7A9806
		mov	edx, 900h
		jmp	short loc_7A980F
; 

loc_7A9806:				; CODE XREF: PAGE:007A97FDj
		test	ecx, ecx
		jz	short loc_7A980F
		mov	edx, 800h

loc_7A980F:				; CODE XREF: PAGE:007A9804j
					; PAGE:007A9808j
		test	eax, eax
		jz	short loc_7A9819
		or	edx, 200h

loc_7A9819:				; CODE XREF: PAGE:007A9811j
		xor	eax, 1
		shl	eax, 9
		test	ebx, ebx
		jz	short loc_7A982B
		or	edx, 400h
		jmp	short loc_7A9830
; 

loc_7A982B:				; CODE XREF: PAGE:007A9821j
		or	eax, 400h

loc_7A9830:				; CODE XREF: PAGE:007A9829j
		lea	esi, [edi+490h]
		push	eax
		mov	ecx, esi
		call	@RtlInterlockedSetClearBits@12 ; RtlInterlockedSetClearBits(x,x,x)
		xor	esi, esi
		jmp	loc_7A9EF7
; 

loc_7A9845:				; CODE XREF: PAGE:007A9337j
					; DATA XREF: PAGE:007AB1FCo
		test	ebx, 0FFFFFFFEh	; case 0x5
		jz	short loc_7A9857
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A9857:				; CODE XREF: PAGE:007A984Bj
		and	ebx, 1
		jnz	short loc_7A986F
		test	byte ptr [edi+490h], 80h
		jz	short loc_7A986F
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A986F:				; CODE XREF: PAGE:007A985Aj
					; PAGE:007A9863j
		xor	esi, esi
		test	ebx, ebx
		jz	loc_7A9EF7
		mov	ecx, 80h
		lea	eax, [edi+490h]
		lock or	[eax], ecx
		jmp	loc_7A9EF7
; 

loc_7A988C:				; CODE XREF: PAGE:007A9337j
					; DATA XREF: PAGE:007AB200o
		test	ebx, 0FFFFFFF8h	; case 0x6
		jz	short loc_7A989E
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A989E:				; CODE XREF: PAGE:007A9892j
		test	byte ptr [edi+490h], 1
		jnz	short loc_7A98B1
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A98B1:				; CODE XREF: PAGE:007A98A5j
		test	bl, 4
		jnz	short loc_7A98C0
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A98C0:				; CODE XREF: PAGE:007A98B4j
		mov	ecx, 4
		lea	eax, [edi+490h]
		lock or	[eax], ecx
		xor	esi, esi
		jmp	loc_7A9EF7
; 

loc_7A98D5:				; CODE XREF: PAGE:007A9337j
					; DATA XREF: PAGE:007AB204o
		test	ebx, 0FFFFFFE0h	; case 0x7
		jz	short loc_7A98E7
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A98E7:				; CODE XREF: PAGE:007A98DBj
		test	bl, 1
		jz	short loc_7A98F4
		test	bl, 18h
		jz	short loc_7A98F4
		and	ebx, 0FFFFFFE7h

loc_7A98F4:				; CODE XREF: PAGE:007A98EAj
					; PAGE:007A98EFj
		test	bl, 2
		jz	short loc_7A9901
		test	bl, 10h
		jz	short loc_7A9901
		and	ebx, 0FFFFFFEFh

loc_7A9901:				; CODE XREF: PAGE:007A98F7j
					; PAGE:007A98FCj
		mov	esi, ebx
		shr	esi, 3
		and	esi, 1
		mov	[ebp-158h], esi
		jz	short loc_7A9920
		test	bl, 10h
		jz	short loc_7A9920
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A9920:				; CODE XREF: PAGE:007A990Fj
					; PAGE:007A9914j
		mov	ecx, ebx
		shr	ecx, 1
		and	ecx, 1
		mov	[ebp-16Ch], ecx
		mov	edx, ebx
		and	edx, 1
		mov	[ebp-174h], edx
		lea	eax, [edx+ecx]
		cmp	eax, 1
		jbe	short loc_7A994A
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A994A:				; CODE XREF: PAGE:007A993Ej
		test	edx, edx
		jnz	short loc_7A99AE
		cmp	byte ptr [edi+3A4h], 8
		jb	short loc_7A996A
		cmp	byte ptr [edi+3A5h], 8
		jb	short loc_7A996A
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A996A:				; CODE XREF: PAGE:007A9955j
					; PAGE:007A995Ej
		test	edx, edx
		jnz	short loc_7A99AE
		test	ecx, ecx
		jnz	short loc_7A99AE
		push	6
		movzx	eax, byte ptr [edi+3A4h]
		push	eax
		call	_SeCompareSigningLevels@8 ; SeCompareSigningLevels(x,x)
		test	eax, eax
		jz	short loc_7A99A2
		push	6
		movzx	eax, byte ptr [edi+3A5h]
		push	eax
		call	_SeCompareSigningLevels@8 ; SeCompareSigningLevels(x,x)
		test	eax, eax
		jz	short loc_7A99A2
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A99A2:				; CODE XREF: PAGE:007A9983j
					; PAGE:007A9996j
		mov	edx, [ebp-174h]
		mov	ecx, [ebp-16Ch]

loc_7A99AE:				; CODE XREF: PAGE:007A994Cj
					; PAGE:007A996Cj ...
		test	dword ptr [edi+490h], 3000000h
		jz	short loc_7A99D5
		test	bl, 10h
		jnz	short loc_7A99D5
		test	ecx, ecx
		jnz	short loc_7A99D5
		test	esi, esi
		jnz	short loc_7A99D5
		test	edx, edx
		jnz	short loc_7A99D5
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A99D5:				; CODE XREF: PAGE:007A99B8j
					; PAGE:007A99BDj ...
		xor	esi, esi
		test	edx, edx
		jz	short loc_7A99FD
		cmp	byte ptr [edi+3A4h], 8
		jnb	short loc_7A99EB
		mov	byte ptr [edi+3A4h], 8

loc_7A99EB:				; CODE XREF: PAGE:007A99E2j
		cmp	byte ptr [edi+3A5h], 8
		jnb	short loc_7A9A38
		mov	byte ptr [edi+3A5h], 8
		jmp	short loc_7A9A38
; 

loc_7A99FD:				; CODE XREF: PAGE:007A99D9j
		test	ecx, ecx
		jz	short loc_7A9A38
		push	6
		movzx	eax, byte ptr [edi+3A4h]
		push	eax
		call	_SeCompareSigningLevels@8 ; SeCompareSigningLevels(x,x)
		test	eax, eax
		jnz	short loc_7A9A1E
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A9A1E:				; CODE XREF: PAGE:007A9A12j
		movzx	eax, byte ptr [edi+3A5h]
		push	eax
		push	6
		call	_SeCompareSigningLevels@8 ; SeCompareSigningLevels(x,x)
		test	eax, eax
		jz	short loc_7A9A38
		mov	byte ptr [edi+3A5h], 6

loc_7A9A38:				; CODE XREF: PAGE:007A99F2j
					; PAGE:007A99FBj ...
		xor	edx, edx
		test	ebx, ebx
		jz	short loc_7A9A43
		mov	edx, (offset loc_7FFFFF+1)

loc_7A9A43:				; CODE XREF: PAGE:007A9A3Cj
		mov	eax, [ebp-158h]
		test	eax, eax
		jz	short loc_7A9A53
		or	edx, 1000000h

loc_7A9A53:				; CODE XREF: PAGE:007A9A4Bj
		xor	eax, 1
		shl	eax, 18h
		test	bl, 10h
		jz	short loc_7A9A75
		or	edx, 2000000h
		push	eax
		lea	ecx, [edi+490h]
		call	@RtlInterlockedSetClearBits@12 ; RtlInterlockedSetClearBits(x,x,x)
		jmp	loc_7A9EF7
; 

loc_7A9A75:				; CODE XREF: PAGE:007A9A5Cj
		or	eax, 2000000h
		push	eax
		lea	ecx, [edi+490h]
		call	@RtlInterlockedSetClearBits@12 ; RtlInterlockedSetClearBits(x,x,x)
		jmp	loc_7A9EF7
; 

loc_7A9A8B:				; CODE XREF: PAGE:007A9337j
					; DATA XREF: PAGE:007AB208o
		test	ebx, 0FFFFFFFCh	; case 0x8
		jz	short loc_7A9A9D
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A9A9D:				; CODE XREF: PAGE:007A9A91j
		mov	eax, ebx
		and	eax, 1
		jnz	short loc_7A9ABA
		test	dword ptr [edi+490h], 10000h
		jz	short loc_7A9ABA
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A9ABA:				; CODE XREF: PAGE:007A9AA2j
					; PAGE:007A9AAEj
		test	eax, eax
		jnz	short loc_7A9AD9
		test	bl, 2
		jnz	short loc_7A9AD9
		test	dword ptr [edi+490h], 20000h
		jz	short loc_7A9AD9
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A9AD9:				; CODE XREF: PAGE:007A9ABCj
					; PAGE:007A9AC1j ...
		xor	esi, esi
		test	eax, eax
		jz	short loc_7A9AF9
		push	20000h
		lea	ecx, [edi+490h]
		mov	edx, 10000h
		call	@RtlInterlockedSetClearBits@12 ; RtlInterlockedSetClearBits(x,x,x)
		jmp	loc_7A9EF7
; 

loc_7A9AF9:				; CODE XREF: PAGE:007A9ADDj
		test	bl, 2
		jz	loc_7A9EF7
		push	10000h
		lea	ecx, [edi+490h]
		mov	edx, 20000h
		call	@RtlInterlockedSetClearBits@12 ; RtlInterlockedSetClearBits(x,x,x)
		jmp	loc_7A9EF7
; 

loc_7A9B1C:				; CODE XREF: PAGE:007A9337j
					; DATA XREF: PAGE:007AB20Co
		test	ebx, 0FFFFFFE0h	; case 0x9
		jz	short loc_7A9B2E
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A9B2E:				; CODE XREF: PAGE:007A9B22j
		test	bl, 1
		jz	short loc_7A9B3B
		test	bl, 8
		jz	short loc_7A9B3B
		and	ebx, 0FFFFFFF7h

loc_7A9B3B:				; CODE XREF: PAGE:007A9B31j
					; PAGE:007A9B36j
		test	bl, 2
		jz	short loc_7A9B48
		test	bl, 10h
		jz	short loc_7A9B48
		and	ebx, 0FFFFFFEFh

loc_7A9B48:				; CODE XREF: PAGE:007A9B3Ej
					; PAGE:007A9B43j
		mov	edx, ebx
		and	edx, 1
		mov	[ebp-158h], edx
		jnz	short loc_7A9B65
		test	dword ptr [edi+490h], 80000h
		jnz	loc_7A9383

loc_7A9B65:				; CODE XREF: PAGE:007A9B53j
		mov	eax, ebx
		shr	eax, 1
		and	eax, 1
		jnz	short loc_7A9B7E
		test	dword ptr [edi+490h], 200000h
		jnz	loc_7A9383

loc_7A9B7E:				; CODE XREF: PAGE:007A9B6Cj
		mov	ecx, ebx
		shr	ecx, 2
		and	ecx, 1
		jnz	short loc_7A9B9E
		test	dword ptr [edi+490h], 40000h
		jz	short loc_7A9B9E
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A9B9E:				; CODE XREF: PAGE:007A9B86j
					; PAGE:007A9B92j
		mov	esi, ebx
		shr	esi, 3
		and	esi, 1
		jnz	short loc_7A9BBC
		test	edx, edx
		jnz	short loc_7A9BBC
		test	dword ptr [edi+490h], 100000h
		jnz	loc_7A9383

loc_7A9BBC:				; CODE XREF: PAGE:007A9BA6j
					; PAGE:007A9BAAj
		shr	ebx, 4
		and	ebx, 1
		jnz	short loc_7A9BDE
		test	eax, eax
		jnz	short loc_7A9BDE
		test	dword ptr [edi+490h], 400000h
		jz	short loc_7A9BDE
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A9BDE:				; CODE XREF: PAGE:007A9BC2j
					; PAGE:007A9BC6j ...
		xor	edx, edx
		mov	[ebp-16Ch], edx
		cmp	[ebp-158h], edx
		jz	short loc_7A9BFA
		mov	edx, 80000h
		mov	esi, 100000h
		jmp	short loc_7A9C0D
; 

loc_7A9BFA:				; CODE XREF: PAGE:007A9BECj
		test	esi, esi
		jz	short loc_7A9C0B
		mov	edx, 100000h
		mov	esi, [ebp-16Ch]
		jmp	short loc_7A9C0D
; 

loc_7A9C0B:				; CODE XREF: PAGE:007A9BFCj
		mov	esi, edx

loc_7A9C0D:				; CODE XREF: PAGE:007A9BF8j
					; PAGE:007A9C09j
		test	eax, eax
		jz	short loc_7A9C1F
		or	edx, 200000h
		or	esi, 400000h
		jmp	short loc_7A9C29
; 

loc_7A9C1F:				; CODE XREF: PAGE:007A9C0Fj
		test	ebx, ebx
		jz	short loc_7A9C29
		or	edx, 400000h

loc_7A9C29:				; CODE XREF: PAGE:007A9C1Dj
					; PAGE:007A9C21j
		test	ecx, ecx
		jz	short loc_7A9C33
		or	edx, 40000h

loc_7A9C33:				; CODE XREF: PAGE:007A9C2Bj
		push	esi
		lea	ecx, [edi+490h]
		call	@RtlInterlockedSetClearBits@12 ; RtlInterlockedSetClearBits(x,x,x)
		xor	esi, esi
		jmp	loc_7A9EF7
; 

loc_7A9C46:				; CODE XREF: PAGE:007A9337j
					; DATA XREF: PAGE:007AB218o
		test	ebx, 0FFFFFFF8h	; case 0xC
		jz	short loc_7A9C58
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A9C58:				; CODE XREF: PAGE:007A9C4Cj
		mov	eax, ebx
		and	eax, 1
		jnz	short loc_7A9C6E
		test	bl, 4
		jz	short loc_7A9C6E
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A9C6E:				; CODE XREF: PAGE:007A9C5Dj
					; PAGE:007A9C62j
		test	eax, eax
		jz	short loc_7A9C7A
		test	bl, 2
		jz	short loc_7A9C7A
		and	ebx, 0FFFFFFFDh

loc_7A9C7A:				; CODE XREF: PAGE:007A9C70j
					; PAGE:007A9C75j
		mov	ecx, edi
		call	PspGetNoChildProcessRestrictedPolicy
		mov	ecx, eax
		mov	edx, ebx
		and	edx, 1
		jnz	short loc_7A9CA2
		cmp	ecx, 1
		jz	loc_7A9383
		cmp	ecx, 2
		jnz	short loc_7A9CA2
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A9CA2:				; CODE XREF: PAGE:007A9C88j
					; PAGE:007A9C96j
		mov	eax, ebx
		shr	eax, 2
		and	eax, 1
		jz	short loc_7A9CBB
		cmp	ecx, 1
		jnz	short loc_7A9CBB
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A9CBB:				; CODE XREF: PAGE:007A9CAAj
					; PAGE:007A9CAFj
		shr	ebx, 1
		and	ebx, 1
		jnz	short loc_7A9CD5
		test	edx, edx
		jnz	short loc_7A9CD9
		cmp	ecx, 3
		jnz	short loc_7A9CD5
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A9CD5:				; CODE XREF: PAGE:007A9CC0j
					; PAGE:007A9CC9j
		test	edx, edx
		jz	short loc_7A9D01

loc_7A9CD9:				; CODE XREF: PAGE:007A9CC4j
		mov	ecx, edi
		test	eax, eax
		jz	short loc_7A9CF0
		mov	edx, 2
		call	_PspSetNoChildProcessRestrictedPolicy@8	; PspSetNoChildProcessRestrictedPolicy(x,x)
		xor	esi, esi
		jmp	loc_7A9EF7
; 

loc_7A9CF0:				; CODE XREF: PAGE:007A9CDDj
		mov	edx, 1
		call	_PspSetNoChildProcessRestrictedPolicy@8	; PspSetNoChildProcessRestrictedPolicy(x,x)
		xor	esi, esi
		jmp	loc_7A9EF7
; 

loc_7A9D01:				; CODE XREF: PAGE:007A9CD7j
		test	ebx, ebx
		jz	loc_7A93D5
		mov	edx, 3
		mov	ecx, edi
		call	_PspSetNoChildProcessRestrictedPolicy@8	; PspSetNoChildProcessRestrictedPolicy(x,x)
		xor	esi, esi
		jmp	loc_7A9EF7
; 

loc_7A9D1C:				; CODE XREF: PAGE:007A9337j
					; DATA XREF: PAGE:007AB224o
		test	ebx, 0FFFFFFFCh	; case 0xF
		jz	short loc_7A9D2E
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A9D2E:				; CODE XREF: PAGE:007A9D22j
		test	bl, 1
		jz	short loc_7A9D3B
		test	bl, 2
		jz	short loc_7A9D3B
		and	ebx, 0FFFFFFFDh

loc_7A9D3B:				; CODE XREF: PAGE:007A9D31j
					; PAGE:007A9D36j
		mov	ecx, edi
		call	_PspGetRedirectionTrustPolicy@4	; PspGetRedirectionTrustPolicy(x)
		mov	ecx, ebx
		and	ecx, 1
		jnz	short loc_7A9D58
		cmp	eax, 1
		jnz	short loc_7A9D58
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A9D58:				; CODE XREF: PAGE:007A9D47j
					; PAGE:007A9D4Cj
		shr	ebx, 1
		and	ebx, 1
		jnz	short loc_7A9D72
		test	ecx, ecx
		jnz	short loc_7A9D76
		cmp	eax, 2
		jnz	short loc_7A9D72
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A9D72:				; CODE XREF: PAGE:007A9D5Dj
					; PAGE:007A9D66j
		test	ecx, ecx
		jz	short loc_7A9D89

loc_7A9D76:				; CODE XREF: PAGE:007A9D61j
		mov	edx, 1
		mov	ecx, edi
		call	_PspSetRedirectionTrustPolicy@8	; PspSetRedirectionTrustPolicy(x,x)
		xor	esi, esi
		jmp	loc_7A9EF7
; 

loc_7A9D89:				; CODE XREF: PAGE:007A9D74j
		test	ebx, ebx
		jz	loc_7A93D5
		mov	edx, 2
		mov	ecx, edi
		call	_PspSetRedirectionTrustPolicy@8	; PspSetRedirectionTrustPolicy(x,x)
		xor	esi, esi
		jmp	loc_7A9EF7
; 

loc_7A9DA4:				; CODE XREF: PAGE:007A9337j
					; DATA XREF: PAGE:007AB21Co
		test	ebx, 0FFFFFFF0h	; case 0xD
		jz	short loc_7A9DB6
		mov	esi, 0C000000Dh
		jmp	loc_7A9EF7
; 

loc_7A9DB6:				; CODE XREF: PAGE:007A9DAAj
		mov	eax, ebx
		and	eax, 1
		jnz	short loc_7A9DCD
		test	dword ptr [edi+490h], 40000000h
		jnz	loc_7A9383

loc_7A9DCD:				; CODE XREF: PAGE:007A9DBBj
		mov	ecx, ebx
		shr	ecx, 1
		and	ecx, 1
		jnz	short loc_7A9DE2
		cmp	[edi+490h], ecx
		jl	loc_7A9383

loc_7A9DE2:				; CODE XREF: PAGE:007A9DD4j
		mov	edx, ebx
		shr	edx, 3
		and	edx, 1
		mov	[ebp-164h], edx
		jnz	short loc_7A9E02
		test	dword ptr [edi+494h], 2000h
		jnz	loc_7A9383

loc_7A9E02:				; CODE XREF: PAGE:007A9DF0j
		shr	ebx, 2
		and	ebx, 1
		mov	[ebp-170h], ebx
		jnz	short loc_7A9E26
		test	dword ptr [edi+494h], 1000h
		jz	short loc_7A9E26
		mov	esi, 0C0000022h
		jmp	loc_7A9EF7
; 

loc_7A9E26:				; CODE XREF: PAGE:007A9E0Ej
					; PAGE:007A9E1Aj
		test	eax, eax
		jz	short loc_7A9E38
		mov	esi, 40000000h
		lea	eax, [edi+490h]
		lock or	[eax], esi

loc_7A9E38:				; CODE XREF: PAGE:007A9E28j
		test	ecx, ecx
		jz	loc_7A9ECA
		mov	ecx, 80000000h
		lea	eax, [edi+490h]
		lock or	[eax], ecx
		mov	ecx, 200000h
		lea	eax, [edi+3A8h]
		lock or	[eax], ecx
		mov	dword ptr [ebp-15Ch], offset _PsNextSecurityDomain
		jmp	short loc_7A9E70
; 
		align 10h

loc_7A9E70:				; CODE XREF: PAGE:007A9E66j
					; PAGE:007A9EA3j ...
		mov	edi, _PsNextSecurityDomain
		mov	esi, dword_6B5BC4
		mov	[ebp-158h], esi
		mov	ebx, edi
		add	ebx, 1
		mov	ecx, esi
		adc	ecx, 0
		mov	eax, edi
		mov	edx, esi
		nop
		mov	esi, [ebp-15Ch]
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		mov	esi, [ebp-158h]
		jnz	short loc_7A9E70
		cmp	edx, esi
		jnz	short loc_7A9E70
		add	edi, 1
		adc	esi, 0
		push	esi
		push	edi
		mov	edi, [ebp-140h]
		mov	ecx, edi
		call	PspWriteProcessSecurityDomain
		mov	ebx, [ebp-170h]
		mov	edx, [ebp-164h]

loc_7A9ECA:				; CODE XREF: PAGE:007A9E3Aj
		test	ebx, ebx
		jz	short loc_7A9EDC
		mov	ecx, 1000h
		lea	eax, [edi+494h]
		lock or	[eax], ecx

loc_7A9EDC:				; CODE XREF: PAGE:007A9ECCj
		test	edx, edx
		jz	short loc_7A9EEE
		mov	ecx, 2000h
		lea	eax, [edi+494h]
		lock or	[eax], ecx

loc_7A9EEE:				; CODE XREF: PAGE:007A9EDEj
		xor	esi, esi
		jmp	short loc_7A9EF7
; 

loc_7A9EF2:				; CODE XREF: PAGE:007A9331j
					; PAGE:007A9337j ...
		mov	esi, 0C00000BBh	; default

loc_7A9EF7:				; CODE XREF: PAGE:007A934Bj
					; PAGE:007A9388j ...
		cmp	byte ptr [ebp-145h], 1
		jnz	loc_7A70B7
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7A9F17:				; DATA XREF: .text:006A27B0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-260h], eax
		mov	eax, 1
		retn
; 

loc_7A9F2A:				; DATA XREF: .text:006A27B4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-260h]
		jmp	loc_7AB06D
; 

loc_7A9F3F:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB124o
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 2Eh
		mov	ebx, [ebx]
		mov	[ebp-354h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	ebx, 0FFFFFFFEh
		jnz	loc_7AA068
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	esi, [ebp-140h]
		mov	ecx, esi
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jz	short loc_7A9FD0
		and	bl, 1
		mov	dl, bl
		mov	ecx, eax
		call	ExEnableHandleExceptions
		mov	ecx, esi
		call	_ObDereferenceProcessHandleTable@4 ; ObDereferenceProcessHandleTable(x)
		xor	edi, edi
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7A9FD0:				; CODE XREF: PAGE:007A9FA6j
		mov	edi, 0C000010Ah
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7A9FE8:				; DATA XREF: .text:006A27BCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-264h], eax
		mov	eax, 1
		retn
; 

loc_7A9FFB:				; DATA XREF: .text:006A27C0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-264h]
		jmp	loc_7AB06D
; 

loc_7AA010:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB128o
		mov	dword ptr [ebp-188h], 0
		mov	dword ptr [ebp-184h], 0
		xor	esi, esi
		mov	[ebp-1B0h], esi
		cmp	dl, 1
		jnz	loc_7AA0F2
		mov	dword ptr [ebp-4], 2Fh
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_7AA047
		mov	ebx, eax

loc_7AA047:				; CODE XREF: PAGE:007AA043j
		nop
		mov	eax, [ebx]
		mov	[ebp-188h], eax
		mov	ecx, [ebx+4]
		mov	[ebp-184h], ecx
		movzx	eax, ax
		test	ax, ax
		jnz	short loc_7AA072
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7AA068:				; CODE XREF: PAGE:007A70E1j
					; PAGE:007A70EAj ...
		mov	eax, 0C000000Dh
		jmp	loc_7AB06D
; 

loc_7AA072:				; CODE XREF: PAGE:007AA05Fj
		test	cl, 1
		jnz	loc_7AB095
		lea	edx, [ecx+eax]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_7AA08B
		cmp	edx, ecx
		jnb	short loc_7AA08E

loc_7AA08B:				; CODE XREF: PAGE:007AA085j
		mov	byte ptr [eax],	0

loc_7AA08E:				; CODE XREF: PAGE:007AA089j
		push	6E497350h
		movzx	eax, word ptr [ebp-188h]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp-1B0h], esi
		test	esi, esi
		jnz	short loc_7AA0C2
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7AA0B8:				; CODE XREF: PAGE:007A87E1j
		mov	eax, 0C000009Ah
		jmp	loc_7AB06D
; 

loc_7AA0C2:				; CODE XREF: PAGE:007AA0AFj
		movzx	eax, word ptr [ebp-188h]
		push	eax
		push	dword ptr [ebp-184h]
		push	esi
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp-184h], esi
		lea	ebx, [ebp-188h]
		mov	[ebp-358h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7AA0F2:				; CODE XREF: PAGE:007AA02Fj
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	2000h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_7AA16E
		test	esi, esi
		jz	loc_7A732F
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7AA134:				; DATA XREF: .text:006A27C8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-268h], eax
		mov	eax, 1
		retn
; 

loc_7AA147:				; DATA XREF: .text:006A27CCo
		mov	esp, [ebp-18h]
		mov	eax, [ebp-1B0h]
		test	eax, eax
		jz	short loc_7AA15C
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7AA15C:				; CODE XREF: PAGE:007AA152j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-268h]
		jmp	loc_7AB06D
; 

loc_7AA16E:				; CODE XREF: PAGE:007AA11Bj
		mov	edi, [ebp-140h]
		mov	edx, edi
		mov	ecx, ebx
		call	_IoRevokeHandlesForProcess@8 ; IoRevokeHandlesForProcess(x,x)
		mov	ebx, eax
		test	esi, esi
		jz	short loc_7AA18B
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7AA18B:				; CODE XREF: PAGE:007AA181j
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, ebx
		jmp	loc_7AB06D
; 

loc_7AA19E:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB12Co
		push	dword ptr [ebp-144h]
		push	ecx
		mov	edx, ebx
		mov	ecx, edi
		call	MmProcessWorkingSetControl
		jmp	loc_7AB06D
; 

loc_7AA1B3:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB130o
		cmp	ecx, 4
		jnz	loc_7AAF78
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	dword ptr [ebp-4], 30h
		xor	eax, eax
		cmp	[ebx], eax
		setnz	al
		mov	[ebp-158h], eax
		mov	[ebp-390h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	esi, [ebp-140h]
		cmp	eax, esi
		jnz	short loc_7AA231
		mov	edi, 0C0000022h
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7AA231:				; CODE XREF: PAGE:007AA217j
		push	dword ptr [ebp-144h]
		mov	eax, ds:dword_A94A14
		push	eax
		mov	eax, ds:_SeDebugPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_7AA264
		mov	edi, 0C0000061h
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7AA264:				; CODE XREF: PAGE:007AA24Aj
		xor	edi, edi
		mov	edx, [ebp-158h]
		mov	ecx, esi
		call	_KeSetCheckStackExtentsProcess@8 ; KeSetCheckStackExtentsProcess(x,x)
		test	edx, edx
		jnz	short loc_7AA28D
		lea	eax, [esi+0F8h]
		test	dword ptr [eax], 20000h
		jz	short loc_7AA28D
		mov	ecx, 0FFFDFFFFh
		lock and [eax],	ecx

loc_7AA28D:				; CODE XREF: PAGE:007AA275j
					; PAGE:007AA283j
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7AA2A0:				; DATA XREF: .text:006A27D4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-26Ch], eax
		mov	eax, 1
		retn
; 

loc_7AA2B3:				; DATA XREF: .text:006A27D8o
		mov	esp, [ebp-18h]
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-26Ch]
		jmp	loc_7AB06D
; 

loc_7AA2D8:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB138o
		mov	dword ptr [ebp-1D0h], 0
		mov	dword ptr [ebp-1CCh], 0
		cmp	ecx, 8
		jnz	loc_7AAF78
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	dword ptr [ebp-4], 31h
		mov	eax, [ebx]
		mov	[ebp-1D0h], eax
		mov	eax, [ebx+4]
		mov	[ebp-1CCh], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		lea	eax, [ebp-1D0h]
		push	eax
		mov	edi, [ebp-140h]
		push	edi
		call	PsSetProcessFaultInformation
		mov	esi, eax
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7AA369:				; DATA XREF: .text:006A27E0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-270h], eax
		mov	eax, 1
		retn
; 

loc_7AA37C:				; DATA XREF: .text:006A27E4o
		mov	esp, [ebp-18h]
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-270h]
		jmp	loc_7AB06D
; 

loc_7AA3A1:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB13Co
		cmp	ecx, 14h
		jnz	loc_7AAF78
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	2001h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	dword ptr [ebp-4], 32h
		mov	edi, [ebx]
		mov	edx, [ebx+4]
		mov	esi, [ebx+8]
		mov	ecx, [ebx+0Ch]
		mov	eax, [ebx+10h]
		mov	[ebp-3B0h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	edi, 3
		jz	short loc_7AA418
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C0000059h
		jmp	loc_7AB06D
; 

loc_7AA418:				; CODE XREF: PAGE:007AA3FCj
		test	edx, 0FFFFFFF8h
		jnz	short loc_7AA471
		test	esi, esi
		jnz	short loc_7AA471
		test	ecx, ecx
		jnz	short loc_7AA471
		mov	eax, edx
		shr	eax, 1
		and	eax, 1
		jnz	short loc_7AA436
		test	dl, 4
		jz	short loc_7AA43B

loc_7AA436:				; CODE XREF: PAGE:007AA42Fj
		test	dl, 1
		jz	short loc_7AA471

loc_7AA43B:				; CODE XREF: PAGE:007AA434j
		test	eax, eax
		jnz	short loc_7AA459
		test	dl, 4
		jnz	short loc_7AA459
		and	edx, 1
		mov	esi, [ebp-140h]
		mov	ecx, esi
		call	_MmSetCommitReleaseEligibility@8 ; MmSetCommitReleaseEligibility(x,x)
		jmp	loc_7A8326
; 

loc_7AA459:				; CODE XREF: PAGE:007AA43Dj
					; PAGE:007AA442j
		shr	edx, 2
		and	edx, 1
		mov	esi, [ebp-140h]
		mov	ecx, esi
		call	_MmReleaseCommitForMemResetPages@8 ; MmReleaseCommitForMemResetPages(x,x)
		jmp	loc_7A8326
; 

loc_7AA471:				; CODE XREF: PAGE:007AA41Ej
					; PAGE:007AA422j ...
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C000000Dh
		jmp	loc_7AB06D
; 

loc_7AA48B:				; DATA XREF: .text:006A27ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-274h], eax
		mov	eax, 1
		retn
; 

loc_7AA49E:				; DATA XREF: .text:006A27F0o
		mov	esp, [ebp-18h]
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-274h]
		jmp	loc_7AB06D
; 

loc_7AA4C3:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB140o
		test	cl, 7
		jnz	loc_7AAF78
		cmp	ecx, 8
		ja	loc_7AAF78
		mov	dword ptr [ebp-4], 33h
		push	ecx
		push	ebx
		lea	eax, [ebp-38Ch]
		push	eax
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-150h]
		shr	esi, 3
		mov	ebx, [ebp+0Ch]
		cmp	ebx, 43h
		jnz	short loc_7AA518
		mov	cl, [ebp-145h]
		call	_ExCpuSetResourceManagerAccessCheck@4 ;	ExCpuSetResourceManagerAccessCheck(x)
		test	eax, eax
		js	loc_7AB06D

loc_7AA518:				; CODE XREF: PAGE:007AA503j
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	2000h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		xor	eax, eax
		cmp	ebx, 43h
		setz	al
		push	eax
		lea	eax, [ebp-38Ch]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp-140h]
		call	_KeSetCpuSetsProcess@16	; KeSetCpuSetsProcess(x,x,x,x)
		jmp	loc_7A7962
; 

loc_7AA567:				; DATA XREF: .text:006A27F8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-278h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7AA57A:				; DATA XREF: .text:006A27FCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-278h]
		jmp	loc_7AB06D
; 

loc_7AA58F:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB158o
		mov	cl, dl
		call	_ExCpuSetResourceManagerAccessCheck@4 ;	ExCpuSetResourceManagerAccessCheck(x)
		test	eax, eax
		js	loc_7AB06D
		cmp	dword ptr [ebp-150h], 1
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 34h
		mov	bl, [ebx]
		mov	[ebp-18Bh], bl
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	2000h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	esi, [ebp-140h]
		lea	eax, [esi+0F8h]
		test	bl, bl
		jz	short loc_7AA608
		mov	ecx, 8000000h
		lock or	[eax], ecx
		jmp	short loc_7AA610
; 

loc_7AA608:				; CODE XREF: PAGE:007AA5FCj
		mov	ecx, 0F7FFFFFFh
		lock and [eax],	ecx

loc_7AA610:				; CODE XREF: PAGE:007AA606j
		mov	ecx, esi
		call	_KeRecomputeCpuSetAffinityProcess@4 ; KeRecomputeCpuSetAffinityProcess(x)
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7AA62A:				; DATA XREF: .text:006A2804o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-27Ch], eax
		mov	eax, 1
		retn
; 

loc_7AA63D:				; DATA XREF: .text:006A2808o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-27Ch]
		jmp	loc_7AB06D
; 

loc_7AA652:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB144o
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		test	byte ptr [eax+2A1h], 1
		jz	loc_7A723D
		mov	eax, ds:_PsProcessType
		mov	dword ptr [ebp-178h], 0
		push	0
		lea	ecx, [ebp-178h]
		push	ecx
		push	dword ptr [ebp-144h]
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7A70B7
		mov	edx, 40h
		mov	ecx, [ebp-178h]
		lea	eax, [ecx+3A8h]
		lock or	[eax], edx
		call	ObfDereferenceObject
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7AA6B8:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB148o
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	edx, 80000000h
		mov	ecx, [ebp-140h]
		lea	eax, [ecx+0F8h]
		lock or	[eax], edx
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7AA70A:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB14Co
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 35h
		mov	ebx, [ebx]
		mov	[ebp-360h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	esi, [ebp-140h]
		mov	ecx, esi
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jz	short loc_7AA78C
		mov	edx, ebx
		mov	ecx, eax
		call	ExEnableRaiseUMExceptionOnInvalidHandleClose
		mov	ecx, esi
		call	_ObDereferenceProcessHandleTable@4 ; ObDereferenceProcessHandleTable(x)
		xor	edi, edi
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7AA78C:				; CODE XREF: PAGE:007AA765j
		mov	edi, 0C000010Ah
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7AA7A4:				; DATA XREF: .text:006A2810o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-280h], eax
		mov	eax, 1
		retn
; 

loc_7AA7B7:				; DATA XREF: .text:006A2814o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-280h]
		jmp	loc_7AB06D
; 

loc_7AA7CC:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB150o
		cmp	ecx, 1
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 36h
		mov	bl, [ebx]
		mov	[ebp-18Ch], bl
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-144h]
		push	esi
		mov	eax, ds:dword_A949B4
		push	eax
		mov	eax, ds:_SeTcbPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7A723D
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	esi
		mov	eax, ds:_PsProcessType
		push	eax
		push	2000h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	ecx, [ebp-140h]
		lea	eax, [ecx+3A8h]
		test	bl, bl
		jz	short loc_7AA85C
		mov	edx, 200h
		lock or	[eax], edx
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7AA85C:				; CODE XREF: PAGE:007AA841j
		mov	edx, 0FFFFFDFFh
		lock and [eax],	edx
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7AA875:				; DATA XREF: .text:006A281Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-284h], eax
		mov	eax, 1
		retn
; 

loc_7AA888:				; DATA XREF: .text:006A2820o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-284h]
		jmp	loc_7AB06D
; 

loc_7AA89D:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB154o
		xor	eax, eax
		mov	[ebp-6Ch], eax
		mov	[ebp-68h], eax
		mov	[ebp-64h], eax
		cmp	ecx, 0Ch
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 37h
		mov	ecx, [ebx]
		mov	[ebp-6Ch], ecx
		mov	eax, [ebx+4]
		mov	[ebp-68h], eax
		mov	edx, [ebx+8]
		mov	[ebp-64h], edx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	ecx, 1
		jnz	loc_7AA068
		test	eax, 0FFFFFFFCh
		jnz	loc_7AA068
		not	eax
		test	eax, edx
		jnz	loc_7AA068
		mov	ecx, ds:_PspBamExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_7A7A5C
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	2000h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7AA940
		mov	ecx, ds:_PspBamExtensionHost
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7AA940:				; CODE XREF: PAGE:007AA92Cj
		lea	eax, [ebp-6Ch]
		push	eax
		mov	esi, [ebp-140h]
		push	esi
		mov	eax, [ebx+4]
		call	eax
		mov	edi, eax
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	ecx, ds:_PspBamExtensionHost
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7AA970:				; DATA XREF: .text:006A2828o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-288h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7AA983:				; DATA XREF: .text:006A282Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-288h]
		jmp	loc_7AB06D
; 

loc_7AA998:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB15Co
		cmp	ecx, 8
		jb	loc_7AAF78
		push	90h
		push	0
		lea	eax, [ebp-13Ch]
		push	eax
		call	_memset
		add	esp, 0Ch
		mov	esi, [ebp-150h]
		cmp	esi, 90h
		jb	short loc_7AA9CA
		mov	esi, 90h

loc_7AA9CA:				; CODE XREF: PAGE:007AA9C3j
		mov	dword ptr [ebp-4], 38h
		push	esi
		push	ebx
		lea	eax, [ebp-13Ch]
		push	eax
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	200h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		lea	edx, [ebp-13Ch]
		mov	esi, [ebp-140h]
		mov	ecx, esi
		call	PoSetProcessEnergyTrackingState
		mov	edi, eax
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		test	edi, edi
		jns	loc_7A715F
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7AAA46:				; DATA XREF: .text:006A2834o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28Ch], eax
		mov	eax, 1
		retn
; 

loc_7AAA59:				; DATA XREF: .text:006A2838o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-28Ch]
		jmp	loc_7AB06D
; 

loc_7AAA6E:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB160o
		cmp	ecx, 10h
		jnz	loc_7AAF78
		push	41h
		push	0
		lea	eax, [ebp-60h]
		push	eax
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 39h
		mov	ecx, [ebx]
		mov	[ebp-2ECh], ecx
		mov	eax, [ebx+4]
		mov	[ebp-2E8h], eax
		mov	eax, [ebx+8]
		mov	[ebp-2E4h], eax
		mov	eax, [ebx+0Ch]
		mov	[ebp-2E0h], eax
		lea	edx, [ecx+41h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_7AAAC1
		cmp	edx, ecx
		jnb	short loc_7AAAC4

loc_7AAAC1:				; CODE XREF: PAGE:007AAABBj
		mov	byte ptr [eax],	0

loc_7AAAC4:				; CODE XREF: PAGE:007AAABFj
		push	ecx
		mov	edx, 41h
		lea	ecx, [ebp-60h]
		call	_RtlStringCbCopyA@12 ; RtlStringCbCopyA(x,x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	220h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		lea	eax, [ebp-60h]
		mov	[ebp-2ECh], eax
		mov	byte ptr [ebp-20h], 0
		lea	edx, [ebp-2ECh]
		mov	ecx, [ebp-140h]
		call	EtwSetProcessTelemetryCoverage
		mov	edi, eax
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 3Ah
		mov	eax, [ebp-2E4h]
		mov	[ebx+8], eax
		mov	eax, [ebp-2E0h]
		mov	[ebx+0Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, edi
		jmp	loc_7AB06D
; 

loc_7AAB5D:				; DATA XREF: .text:006A284Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-290h], eax
		mov	eax, 1
		retn
; 

loc_7AAB70:				; DATA XREF: .text:006A2850o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-290h]
		jmp	loc_7AB06D
; 

loc_7AAB85:				; DATA XREF: .text:006A2840o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-294h], eax
		mov	eax, 1
		retn
; 

loc_7AAB98:				; DATA XREF: .text:006A2844o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-294h]
		jmp	loc_7AB06D
; 

loc_7AABAD:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB164o
		cmp	esi, 57h
		jnz	short loc_7AABBB
		cmp	ecx, 1
		jb	loc_7AAF78

loc_7AABBB:				; CODE XREF: PAGE:007AABB0j
		cmp	esi, 60h
		jnz	short loc_7AABC9
		cmp	ecx, 4
		jb	loc_7AAF78

loc_7AABC9:				; CODE XREF: PAGE:007AABBEj
		push	dword ptr [ebp-144h]
		mov	eax, ds:dword_A94A14
		push	eax
		mov	eax, ds:_SeDebugPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_7AAC03
		push	dword ptr [ebp-144h]
		mov	eax, ds:dword_A949B4
		push	eax
		mov	eax, ds:_SeTcbPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7A723D

loc_7AAC03:				; CODE XREF: PAGE:007AABE2j
		mov	dword ptr [ebp-4], 3Bh
		mov	dword ptr [ebp-1A4h], 0
		cmp	esi, 57h
		jnz	short loc_7AAC30
		movzx	ecx, byte ptr [ebx]
		mov	eax, ecx
		and	eax, 1
		mov	[ebp-1A4h], eax
		xor	ecx, eax
		and	ecx, 2
		xor	eax, ecx
		jmp	short loc_7AAC32
; 

loc_7AAC30:				; CODE XREF: PAGE:007AAC17j
		mov	eax, [ebx]

loc_7AAC32:				; CODE XREF: PAGE:007AAC2Ej
		mov	[ebp-1A4h], eax
		mov	[ebp-178h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	eax, 0FFFFFFF0h
		jnz	loc_7AA068
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	2000h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		mov	esi, [ebp-140h]
		lea	edx, [esi+3A8h]
		mov	eax, 0FFE7FFFFh
		lock and [edx],	eax
		mov	eax, [ebp-178h]
		mov	ecx, eax
		shr	ecx, 2
		and	ecx, 1
		shl	ecx, 13h
		test	al, 8
		jz	short loc_7AACAC
		or	ecx, 100000h

loc_7AACAC:				; CODE XREF: PAGE:007AACA4j
		lock or	[edx], ecx
		lea	ecx, [esi+0F8h]
		mov	edx, 0FCFFFFFFh
		lock and [ecx],	edx
		mov	edx, eax
		and	edx, 1
		shl	edx, 18h
		test	al, 2
		jz	short loc_7AACCF
		or	edx, 2000000h

loc_7AACCF:				; CODE XREF: PAGE:007AACC7j
		lock or	[ecx], edx
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7AACE5:				; DATA XREF: .text:006A2858o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-298h], eax
		mov	eax, 1
		retn
; 

loc_7AACF8:				; DATA XREF: .text:006A285Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-298h]
		jmp	loc_7AB06D
; 

loc_7AAD0D:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB168o
		push	ecx
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_SeCodeIntegritySetInformationProcess@16 ; SeCodeIntegritySetInformationProcess(x,x,x,x)
		jmp	loc_7AB06D
; 

loc_7AAD1D:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB16Co
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 3Ch
		mov	eax, [ebx]
		mov	[ebp-158h], eax
		mov	[ebp-364h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	eax, 0FFFFFFFEh
		jnz	loc_7AA068
		mov	esi, [ebp-144h]
		push	esi
		mov	eax, ds:dword_A949B4
		push	eax
		mov	eax, ds:_SeTcbPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7A723D
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	esi
		mov	eax, ds:_PsProcessType
		push	eax
		push	2000h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		push	1
		mov	edx, [ebp-158h]
		and	dl, 1
		mov	ecx, [ebp-140h]
		call	_PspSetProcessForegroundBackgroundRequest@12 ; PspSetProcessForegroundBackgroundRequest(x,x,x)
		mov	edx, 79517350h
		mov	ecx, [ebp-140h]
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_7AB06D
; 

loc_7AADC2:				; DATA XREF: .text:006A2864o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-29Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7AADD5:				; DATA XREF: .text:006A2868o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-29Ch]
		jmp	loc_7AB06D
; 

loc_7AADEA:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB170o
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 3Dh
		mov	ebx, [ebx]
		mov	[ebp-368h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-144h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	2000h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7A70B7
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	edi, [ebp-140h]
		cmp	edi, eax
		jnz	short loc_7AAE7F
		test	ebx, ebx
		jz	short loc_7AAE7F
		mov	ecx, ds:_PspBamExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_7AAE84
		push	ebx
		push	edi
		mov	eax, [eax+14h]
		call	eax
		mov	ecx, ds:_PspBamExtensionHost
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7AAE7F:				; CODE XREF: PAGE:007AAE45j
					; PAGE:007AAE49j
		mov	esi, 0C000000Dh

loc_7AAE84:				; CODE XREF: PAGE:007AAE58j
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_7AB06D
; 

loc_7AAE97:				; DATA XREF: .text:006A2870o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2A0h], eax
		mov	eax, 1
		retn
; 

loc_7AAEAA:				; DATA XREF: .text:006A2874o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2A0h]
		jmp	loc_7AB06D
; 

loc_7AAEBF:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB174o
		cmp	ecx, 4
		jnz	loc_7AAF78
		mov	dword ptr [ebp-4], 3Eh
		mov	esi, [ebx]
		mov	[ebp-36Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp-140h]
		push	eax
		push	79517350h
		mov	ebx, [ebp-144h]
		push	ebx
		mov	eax, ds:_PsProcessType
		push	eax
		push	2000h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7AB06D
		push	0
		lea	eax, [ebp-180h]
		push	eax
		push	79517350h
		push	ebx
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	edx, 79517350h
		test	esi, esi
		js	loc_7A7969
		mov	ecx, [ebp-180h]
		call	ObfDereferenceObjectWithTag
		jmp	loc_7A7A4C
; 

loc_7AAF4B:				; DATA XREF: .text:006A287Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2A4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7AAF5E:				; DATA XREF: .text:006A2880o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2A4h]
		jmp	loc_7AB06D
; 

loc_7AAF73:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB178o
		cmp	ecx, 8
		jz	short loc_7AAF82

loc_7AAF78:				; CODE XREF: PAGE:007A70C1j
					; PAGE:007A7191j ...
		mov	eax, 0C0000004h
		jmp	loc_7AB06D
; 

loc_7AAF82:				; CODE XREF: PAGE:007AAF76j
		mov	dword ptr [ebp-4], 3Fh
		mov	ecx, [ebx]
		mov	[ebp-158h], ecx
		mov	eax, [ebx+4]
		mov	[ebp-2D4h], ecx
		mov	[ebp-2D0h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	ecx, 0FFFFFFFEh
		jnz	loc_7AA068
		cmp	edi, 0FFFFFFFFh
		jnz	loc_7AA068
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	ecx, [eax+17Ch]
		test	ecx, ecx
		jnz	short loc_7AAFD5

loc_7AAFCB:				; CODE XREF: PAGE:007A805Cj
		mov	eax, 0C0000022h
		jmp	loc_7AB06D
; 

loc_7AAFD5:				; CODE XREF: PAGE:007AAFC9j
		xor	edx, edx
		mov	dword ptr [ebp-4], 40h
		mov	eax, [ecx+474h]
		test	byte ptr [ebp-158h], 1
		jz	short loc_7AB001
		or	eax, 1
		mov	[ecx+474h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, edx
		jmp	short loc_7AB06D
; 

loc_7AB001:				; CODE XREF: PAGE:007AAFEBj
		and	eax, 0FFFFFFFEh
		mov	[ecx+474h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, edx
		jmp	short loc_7AB06D
; 

loc_7AB015:				; DATA XREF: .text:006A2894o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2A8h], eax
		mov	eax, 1
		retn
; 

loc_7AB028:				; DATA XREF: .text:006A2898o
		mov	esp, [ebp-18h]
		mov	edx, [ebp-2A8h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, edx
		jmp	short loc_7AB06D
; 

loc_7AB03C:				; DATA XREF: .text:006A2888o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2ACh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7AB04F:				; DATA XREF: .text:006A288Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2ACh]
		jmp	short loc_7AB06D
; 

loc_7AB061:				; CODE XREF: PAGE:007A6FBCj
					; DATA XREF: PAGE:007AB120o
		mov	eax, 0C00000BBh
		jmp	short loc_7AB06D
; 

loc_7AB068:				; CODE XREF: PAGE:007A6FAFj
					; PAGE:007A6FBCj
					; DATA XREF: ...
		mov	eax, 0C0000003h

loc_7AB06D:				; CODE XREF: PAGE:007A6FE6j
					; PAGE:007A7012j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-1Ch]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7AB08B:				; CODE XREF: PAGE:007A6F76j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7AB090:				; CODE XREF: PAGE:007A893Aj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7AB095:				; CODE XREF: PAGE:007AA075j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		mov	edi, edi
; 
off_7AB09C	dd offset loc_7A7597	; DATA XREF: PAGE:007A6FBCr
		dd offset loc_7A718E
		dd offset loc_7A7403
		dd offset loc_7A75AC
		dd offset loc_7A78C8
		dd offset loc_7A7921
		dd offset loc_7A797B
		dd offset loc_7A74FA
		dd offset loc_7A79BE
		dd offset loc_7A6FEB
		dd offset loc_7A7A04
		dd offset loc_7A7A66
		dd offset loc_7A72A0
		dd offset loc_7A7B35
		dd offset loc_7A7C27
		dd offset loc_7A7E14
		dd offset loc_7A802D
		dd offset loc_7A80C5
		dd offset loc_7A735E
		dd offset loc_7A8182
		dd offset loc_7A7F3C
		dd offset loc_7A8253
		dd offset loc_7A833B
		dd offset loc_7A855B
		dd offset loc_7A8742
		dd offset loc_7A85DB
		dd offset loc_7A8D07
		dd offset loc_7A8EF3
		dd offset loc_7A9090
		dd offset loc_7A90FE
		dd offset loc_7A91CA
		dd offset loc_7A926F
		dd offset loc_7A92DD
		dd offset loc_7AB061
		dd offset loc_7A9F3F
		dd offset loc_7AA010
		dd offset loc_7AA19E
		dd offset loc_7AA1B3
		dd offset loc_7A70BE
		dd offset loc_7AA2D8
		dd offset loc_7AA3A1
		dd offset loc_7AA4C3
		dd offset loc_7AA652
		dd offset loc_7AA6B8
		dd offset loc_7AA70A
		dd offset loc_7AA7CC
		dd offset loc_7AA89D
		dd offset loc_7AA58F
		dd offset loc_7AA998
		dd offset loc_7AAA6E
		dd offset loc_7AABAD
		dd offset loc_7AAD0D
		dd offset loc_7AAD1D
		dd offset loc_7AADEA
		dd offset loc_7AAEBF
		dd offset loc_7AAF73
		dd offset loc_7AB068
byte_7AB180	db 0			; DATA XREF: PAGE:007A6FB5r
		db 3 dup(38h)
		dd 3380201h, 7060504h, 0A093808h, 380D0C0Bh, 11100F0Eh
		dd 38383812h, 15143813h, 38181716h, 1A193838h, 3838091Bh
		dd 1E381D1Ch, 2038381Fh, 23382221h, 38253824h, 38272638h
		dd 2A292928h, 382C2B38h, 38382D38h, 2F38382Eh, 38213038h
		dd 38323831h, 38343338h, 32363835h, 21212137h, 0FF8B2121h
off_7AB1E8	dd offset loc_7A933E	; DATA XREF: PAGE:007A9337r
					; jump table for switch	statement
		dd offset loc_7A958B	; case 0x1
		dd offset loc_7A93DC	; case 0x2
		dd offset loc_7A9459	; case 0x3
		dd offset loc_7A9EF2	; default
		dd offset loc_7A9845	; case 0x5
		dd offset loc_7A988C	; case 0x6
		dd offset loc_7A98D5	; case 0x7
		dd offset loc_7A9A8B	; case 0x8
		dd offset loc_7A9B1C	; case 0x9
		dd offset loc_7A9EF2	; default
		dd offset loc_7A9EF2	; default
		dd offset loc_7A9C46	; case 0xC
		dd offset loc_7A9DA4	; case 0xD
		dd offset loc_7A9EF2	; default
		dd offset loc_7A9D1C	; case 0xF
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpInheritAcl2(int,int,int,char,int,int,int,int,int,int,int,int,int,void *,int,int)
RtlpInheritAcl2	proc near		; CODE XREF: RtlpNewSecurityObject+959p
					; RtlpNewSecurityObject+E87p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h

; FUNCTION CHUNK AT 008EA437 SIZE 000000B1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, [ebp+arg_30]
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax]
		mov	edi, [ebp+arg_34]
		mov	[ebp+var_10], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_8], 0
		mov	[ebp+var_C], 0
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], 0
		mov	[ebp+var_28], 0
		mov	[ebp+var_1], 0
		mov	[ebp+var_2], 0
		mov	[ebp+var_3], 1
		mov	[ebp+var_18], 2
		cmp	esi, 8
		jb	short loc_7AB2AC
		cmp	esi, 0FFFCh
		ja	short loc_7AB2AC
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		and	esi, 0FFFCh
		mov	word ptr [edi],	2
		add	esp, 0Ch
		mov	[edi+2], si
		xor	eax, eax
		mov	[edi+4], eax

loc_7AB2AC:				; CODE XREF: RtlpInheritAcl2+52j
					; RtlpInheritAcl2+5Aj
		mov	eax, [ebp+arg_38]
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_3C]
		mov	ebx, [ebp+arg_0]
		mov	esi, ebx
		mov	byte ptr [eax],	0
		movzx	eax, dl
		neg	eax
		sbb	eax, eax
		and	eax, 400h
		mov	[ecx], eax
		and	esi, 8
		jnz	loc_7AB390
		mov	ecx, ebx
		and	ecx, 1000h
		jnz	loc_7AB5F8

loc_7AB2E2:				; CODE XREF: RtlpInheritAcl2+3D9j
		mov	eax, ebx
		and	eax, 1004h
		jz	loc_7AB390
		cmp	[ebp+var_10], 0
		jz	loc_7AB60E
		mov	eax, [ebp+var_10]
		movzx	eax, byte ptr [eax]
		cmp	eax, 2
		jb	short loc_7AB307
		mov	[ebp+var_18], eax

loc_7AB307:				; CODE XREF: RtlpInheritAcl2+D2j
		mov	[ebp+var_3], 0
		test	dl, dl
		jz	loc_7AB577
		test	ecx, ecx
		jnz	loc_7AB645
		mov	eax, 1
		mov	byte ptr [ebp+arg_3C], al

loc_7AB323:				; CODE XREF: RtlpInheritAcl2+350j
		mov	byte ptr [ebp+arg_0], 0

loc_7AB327:				; CODE XREF: RtlpInheritAcl2+422j
		push	edi
		mov	edx, [ebp+arg_20]
		lea	ecx, [ebp+var_8]
		push	ecx
		push	[ebp+arg_24]
		mov	ecx, [ebp+var_10]
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_3C]
		push	[ebp+arg_0]
		push	eax
		call	RtlpCopyAces
		mov	ecx, eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_C], eax
		cmp	ecx, 0C0000023h
		jz	loc_7AB5EF
		test	ecx, ecx
		js	loc_8EA437

loc_7AB36E:				; CODE XREF: RtlpInheritAcl2+3C3j
		cmp	[ebp+arg_C], 0
		jnz	loc_8EA43E

loc_7AB378:				; CODE XREF: RtlpInheritAcl2+13F210j
					; RtlpInheritAcl2+13F229j
		mov	edx, [ebp+arg_8]

loc_7AB37B:				; CODE XREF: RtlpInheritAcl2+3E0j
		mov	ecx, [ebp+arg_24]
		cmp	ecx, 1
		jz	loc_7AB5B8

loc_7AB387:				; CODE XREF: RtlpInheritAcl2+3ECj
		cmp	ecx, 2
		jz	loc_7AB58E

loc_7AB390:				; CODE XREF: RtlpInheritAcl2+9Ej
					; RtlpInheritAcl2+B9j ...
		test	dl, dl
		jz	loc_7AB569

loc_7AB398:				; CODE XREF: RtlpInheritAcl2+33Cj
		test	esi, esi
		jnz	short loc_7AB3AE
		test	dl, dl
		jz	loc_7AB4D8
		cmp	[ebp+var_2], 0
		jnz	loc_7AB4D8

loc_7AB3AE:				; CODE XREF: RtlpInheritAcl2+16Aj
					; RtlpInheritAcl2+342j
		mov	esi, [ebp+var_1C]
		test	esi, esi
		jz	loc_7AB4D8
		mov	cl, [esi]
		mov	al, cl
		sub	al, 2
		cmp	al, 2
		ja	loc_8EA4DE
		movzx	eax, cl
		cmp	[ebp+var_18], eax
		ja	short loc_7AB3D2
		mov	[ebp+var_18], eax

loc_7AB3D2:				; CODE XREF: RtlpInheritAcl2+19Dj
		mov	eax, [ebp+var_1C]
		xor	ecx, ecx
		xor	edi, edi
		mov	[ebp+var_20], 0
		xor	ebx, ebx
		mov	[ebp+var_24], 0
		add	esi, 8
		mov	byte ptr [ebp+arg_0+3],	0
		cmp	di, [eax+4]
		mov	edi, [ebp+arg_34]
		mov	byte ptr [ebp+arg_3C+3], 0
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_2], cl
		jnb	loc_7AB4AB
		lea	ebx, [ebx+0]

loc_7AB410:				; CODE XREF: RtlpInheritAcl2+268j
		cmp	byte ptr [esi],	11h
		jz	loc_7AB545
		cmp	[ebp+arg_24], 3
		jz	short loc_7AB488

loc_7AB41F:				; CODE XREF: RtlpInheritAcl2+334j
		lea	eax, [ebp+arg_3C+3]
		mov	ecx, esi
		push	eax		; int
		lea	eax, [ebp+var_24]
		push	eax		; int
		push	edi		; void *
		lea	eax, [ebp+var_20]
		push	eax		; int
		push	[ebp+arg_2C]	; int
		push	[ebp+arg_28]	; int
		push	[ebp+arg_20]	; int
		push	[ebp+arg_1C]	; int
		push	[ebp+arg_18]	; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	edx		; int
		mov	dl, byte ptr [ebp+arg_4]
		call	RtlpGenerateInheritedAce
		cmp	eax, 0C0000023h
		jz	loc_7AB585
		test	eax, eax
		js	loc_7AB657

loc_7AB45F:				; CODE XREF: RtlpInheritAcl2+359j
		cmp	byte ptr [ebp+arg_3C+3], 0
		jnz	loc_8EA47C

loc_7AB469:				; CODE XREF: RtlpInheritAcl2+13F250j
		mov	eax, [ebp+var_20]
		add	[ebp+var_14], eax
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_24]
		cmp	eax, edx
		ja	short loc_7AB482
		sub	edx, eax
		mov	[ebp+var_10], edx
		cmp	edx, ecx
		ja	short loc_7AB485

loc_7AB482:				; CODE XREF: RtlpInheritAcl2+247j
		mov	[ebp+var_10], ecx

loc_7AB485:				; CODE XREF: RtlpInheritAcl2+250j
		mov	edx, [ebp+arg_8]

loc_7AB488:				; CODE XREF: RtlpInheritAcl2+1EDj
					; RtlpInheritAcl2+319j
		movzx	eax, word ptr [esi+2]
		inc	ebx
		add	esi, eax
		mov	eax, [ebp+var_1C]
		movzx	eax, word ptr [eax+4]
		cmp	ebx, eax
		jb	loc_7AB410

loc_7AB49E:				; CODE XREF: RtlpInheritAcl2+32Bj
		cmp	byte ptr [ebp+arg_0+3],	0
		jnz	loc_7AB5D1
		mov	ecx, [ebp+var_14]

loc_7AB4AB:				; CODE XREF: RtlpInheritAcl2+1D4j
		mov	bl, [ebp+var_1]
		test	bl, bl
		jnz	loc_7AB5D1
		mov	esi, ecx
		xor	eax, eax
		xor	ecx, ecx

loc_7AB4BC:				; CODE XREF: RtlpInheritAcl2+3BAj
					; RtlpInheritAcl2+42Ej
		sub	eax, 0C0000023h
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		jl	short loc_7AB519
		cmp	[ebp+arg_C], 0
		mov	edx, [ebp+var_8]
		jnz	loc_8EA485
		jmp	short loc_7AB4DD
; 

loc_7AB4D8:				; CODE XREF: RtlpInheritAcl2+16Ej
					; RtlpInheritAcl2+178j	...
		mov	edx, [ebp+var_8]
		xor	esi, esi

loc_7AB4DD:				; CODE XREF: RtlpInheritAcl2+2A6j
					; RtlpInheritAcl2+13F257j ...
		mov	ecx, [ebp+var_C]

loc_7AB4E0:				; CODE XREF: RtlpInheritAcl2+13F2A9j
		lea	eax, [esi+ecx]
		test	eax, eax
		jz	short loc_7AB522

loc_7AB4E7:				; CODE XREF: RtlpInheritAcl2+3FBj
		add	eax, 8
		cmp	eax, 0FFFFh
		ja	loc_8EA45F
		lea	eax, [edx+8]
		mov	edx, [ebp+arg_30]
		add	eax, esi
		cmp	[ebp+var_1], 0
		mov	[edx], eax
		jnz	loc_7AB5C3
		lea	eax, [esi+8]
		add	eax, ecx
		mov	[edi+2], ax
		mov	eax, [ebp+var_18]
		mov	[edi], al
		xor	eax, eax

loc_7AB519:				; CODE XREF: RtlpInheritAcl2+297j
					; RtlpInheritAcl2+13F209j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	40h
; 

loc_7AB522:				; CODE XREF: RtlpInheritAcl2+2B5j
		mov	ebx, [ebp+arg_38]
		cmp	byte ptr [ebx],	0
		jnz	loc_7AB627
		mov	eax, [ebp+arg_30]
		pop	edi
		pop	esi
		pop	ebx
		mov	dword ptr [eax], 0
		mov	eax, 8000000Bh
		mov	esp, ebp
		pop	ebp
		retn	40h
; 

loc_7AB545:				; CODE XREF: RtlpInheritAcl2+1E3j
		cmp	[ebp+arg_24], 3
		jnz	loc_7AB488
		push	0
		push	11h
		push	edi
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		test	eax, eax
		jnz	loc_7AB49E
		mov	edx, [ebp+arg_8]
		jmp	loc_7AB41F
; 

loc_7AB569:				; CODE XREF: RtlpInheritAcl2+162j
		test	bl, 4
		jnz	loc_7AB398
		jmp	loc_7AB3AE
; 

loc_7AB577:				; CODE XREF: RtlpInheritAcl2+DDj
		mov	eax, 2
		mov	byte ptr [ebp+arg_3C], 0
		jmp	loc_7AB323
; 

loc_7AB585:				; CODE XREF: RtlpInheritAcl2+221j
		mov	byte ptr [ebp+arg_0+3],	1
		jmp	loc_7AB45F
; 

loc_7AB58E:				; CODE XREF: RtlpInheritAcl2+15Aj
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_7AB5B8
		cmp	[ebp+var_2], al
		jnz	short loc_7AB5B8
		test	eax, eax
		jnz	loc_7AB390
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	loc_7AB390
		cmp	word ptr [eax+4], 0
		jnz	loc_7AB390

loc_7AB5B8:				; CODE XREF: RtlpInheritAcl2+151j
					; RtlpInheritAcl2+363j	...
		mov	eax, [ebp+arg_38]
		mov	byte ptr [eax],	1
		jmp	loc_7AB390
; 

loc_7AB5C3:				; CODE XREF: RtlpInheritAcl2+2D3j
		pop	edi
		pop	esi
		mov	eax, 0C0000023h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	40h
; 

loc_7AB5D1:				; CODE XREF: RtlpInheritAcl2+272j
					; RtlpInheritAcl2+280j
		mov	esi, [ebp+var_10]
		mov	eax, 0C0000023h
		add	esi, [ebp+var_14]

loc_7AB5DC:				; CODE XREF: RtlpInheritAcl2+429j
		mov	ecx, eax
		cmp	eax, 0C0000023h
		jnz	short loc_7AB65B
		mov	bl, 1
		mov	[ebp+var_1], bl
		jmp	loc_7AB4BC
; 

loc_7AB5EF:				; CODE XREF: RtlpInheritAcl2+130j
		mov	[ebp+var_1], 1
		jmp	loc_7AB36E
; 

loc_7AB5F8:				; CODE XREF: RtlpInheritAcl2+ACj
		mov	edi, [ebp+arg_3C]
		or	eax, 1000h
		mov	[ebp+var_2], 1
		mov	[edi], eax
		mov	edi, [ebp+arg_34]
		jmp	loc_7AB2E2
; 

loc_7AB60E:				; CODE XREF: RtlpInheritAcl2+C3j
		test	dl, dl
		jz	loc_7AB37B
		mov	ecx, [ebp+arg_24]
		cmp	ecx, 1
		jnz	loc_7AB387
		jmp	loc_8EA469
; 

loc_7AB627:				; CODE XREF: RtlpInheritAcl2+2F8j
		cmp	[ebp+var_3], 0
		jz	loc_7AB4E7
		mov	eax, [ebp+arg_30]
		pop	edi
		pop	esi
		pop	ebx
		mov	dword ptr [eax], 0
		xor	eax, eax
		mov	esp, ebp
		pop	ebp
		retn	40h
; 

loc_7AB645:				; CODE XREF: RtlpInheritAcl2+E5j
		mov	eax, 2
		mov	byte ptr [ebp+arg_0], 10h
		mov	byte ptr [ebp+arg_3C], 1
		jmp	loc_7AB327
; 

loc_7AB657:				; CODE XREF: RtlpInheritAcl2+229j
		xor	esi, esi
		jmp	short loc_7AB5DC
; 

loc_7AB65B:				; CODE XREF: RtlpInheritAcl2+3B3j
		mov	bl, [ebp+var_1]
		jmp	loc_7AB4BC
RtlpInheritAcl2	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpGenerateInheritedAce(int,int,int,int,int,int,int,int,int,void *,int,int)
RtlpGenerateInheritedAce proc near	; CODE XREF: RtlpInheritAcl2+217p

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

; FUNCTION CHUNK AT 008EA4E8 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	bh, dl
		mov	[ebp+var_8], 0
		mov	edx, [ebp+arg_2C]
		mov	eax, ecx
		xor	ecx, ecx
		mov	byte ptr [ebp+var_4], bh
		xor	bl, bl
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_14], ecx
		mov	byte ptr [ebp+var_4+2],	cl
		mov	byte ptr [ebp+var_4+1],	bl
		mov	byte ptr [ebp+var_4+3],	bl
		mov	[edx], cl
		push	esi
		push	edi
		test	bh, bh
		jnz	loc_7AB7CA

loc_7AB6B7:				; CODE XREF: RtlpGenerateInheritedAce+15Fj
					; RtlpGenerateInheritedAce+171j
		mov	[ebp+var_18], cl

loc_7AB6BA:				; CODE XREF: RtlpGenerateInheritedAce+16Bj
		mov	edi, [ebp+arg_24]
		xor	eax, eax
		movzx	edx, word ptr [edi+4]
		lea	esi, [edi+8]
		test	edx, edx
		jnz	short loc_7AB723

loc_7AB6CA:				; CODE XREF: RtlpGenerateInheritedAce+DBj
		movzx	eax, word ptr [edi+2]
		add	eax, edi
		cmp	esi, eax
		ja	loc_8EA4E8
		mov	[ebp+arg_24], esi
		test	esi, esi
		jz	loc_8EA4E8
		mov	edx, [ebp+var_10]
		test	bh, bh
		mov	bh, byte ptr [ebp+arg_0]
		mov	al, [edx+1]
		jnz	short loc_7AB750
		test	al, 1
		jnz	short loc_7AB754

loc_7AB6F4:				; CODE XREF: RtlpGenerateInheritedAce+E2j
		xor	eax, eax

loc_7AB6F6:				; CODE XREF: RtlpGenerateInheritedAce+155j
					; RtlpGenerateInheritedAce+23Cj
		cmp	[ebp+var_18], 0
		jnz	loc_7AB7E6

loc_7AB700:				; CODE XREF: RtlpGenerateInheritedAce+18Dj
					; RtlpGenerateInheritedAce+1B5j ...
		mov	edx, [ebp+var_C]

loc_7AB703:				; CODE XREF: RtlpGenerateInheritedAce+25Cj
					; RtlpGenerateInheritedAce+267j
		mov	ecx, [ebp+var_8]

loc_7AB706:				; CODE XREF: RtlpGenerateInheritedAce+209j
		mov	eax, [ebp+arg_20]
		mov	[eax], ecx
		mov	eax, [ebp+arg_28]
		mov	[eax], edx
		test	bl, bl
		jnz	loc_7AB87E
		xor	eax, eax

loc_7AB71A:				; CODE XREF: RtlpGenerateInheritedAce+13EE7Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	30h
; 

loc_7AB723:				; CODE XREF: RtlpGenerateInheritedAce+58j
		movzx	ebx, word ptr [edi+2]
		add	ebx, edi
		lea	esp, [esp+0]

loc_7AB730:				; CODE XREF: RtlpGenerateInheritedAce+D1j
		cmp	esi, ebx
		jnb	loc_8EA4E8
		movzx	ecx, word ptr [esi+2]
		inc	eax
		add	esi, ecx
		cmp	eax, edx
		jb	short loc_7AB730
		mov	bl, byte ptr [ebp+var_4+1]
		xor	ecx, ecx
		mov	bh, byte ptr [ebp+var_4]
		jmp	loc_7AB6CA
; 

loc_7AB750:				; CODE XREF: RtlpGenerateInheritedAce+7Ej
		test	al, 2
		jz	short loc_7AB6F4

loc_7AB754:				; CODE XREF: RtlpGenerateInheritedAce+82j
		lea	eax, [ebp+var_4+3]
		mov	ecx, [ebp+var_10] ; void *
		push	eax		; int
		lea	eax, [ebp+var_4+2]
		mov	[ebp+var_1C], esi
		push	eax		; int
		push	[ebp+arg_2C]	; int
		lea	eax, [ebp+var_14]
		mov	dl, bh		; int
		push	edi		; int
		push	eax		; int
		lea	eax, [ebp+arg_24]
		push	eax		; int
		push	[ebp+arg_1C]	; int
		push	[ebp+arg_18]	; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		push	dword ptr [ebp+var_18] ; char
		call	RtlpCopyEffectiveAce
		test	al, al
		jz	loc_8EA4E8
		mov	bl, byte ptr [ebp+var_4+3]
		mov	ecx, [ebp+var_14]
		test	bl, bl
		jnz	short loc_7AB7BA
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		jz	short loc_7AB7BA
		mov	edx, esi
		mov	ecx, edi
		call	RtlpIsDuplicateAce
		test	al, al
		jnz	loc_7AB893
		mov	ecx, [ebp+arg_0]

loc_7AB7BA:				; CODE XREF: RtlpGenerateInheritedAce+12Dj
					; RtlpGenerateInheritedAce+134j
		mov	esi, [ebp+arg_24]
		mov	eax, ecx
		mov	edx, [ebp+var_10]
		mov	[ebp+var_8], eax
		jmp	loc_7AB6F6
; 

loc_7AB7CA:				; CODE XREF: RtlpGenerateInheritedAce+41j
		mov	al, [eax+1]
		test	al, 4
		jnz	loc_7AB6B7
		mov	[ebp+var_18], 1
		test	al, 3
		jnz	loc_7AB6BA
		jmp	loc_7AB6B7
; 

loc_7AB7E6:				; CODE XREF: RtlpGenerateInheritedAce+8Aj
		test	ecx, ecx
		jz	short loc_7AB7F4
		cmp	byte ptr [ebp+var_4+2],	0
		jz	loc_7AB8B1

loc_7AB7F4:				; CODE XREF: RtlpGenerateInheritedAce+178j
		cmp	byte ptr [edx],	8
		ja	short loc_7AB803
		cmp	dword ptr [edx+4], 0
		jz	loc_7AB700

loc_7AB803:				; CODE XREF: RtlpGenerateInheritedAce+187j
		movzx	ecx, word ptr [edx+2]
		add	eax, ecx
		mov	[ebp+var_8], eax
		cmp	eax, 0FFFFh
		ja	loc_8EA4E8
		movzx	eax, word ptr [edi+2]
		sub	eax, esi
		add	eax, edi
		cmp	ecx, eax
		jg	short loc_7AB88C
		test	bl, bl
		jnz	loc_7AB700
		push	ecx		; size_t
		push	edx		; void *
		push	esi		; void *
		call	_memcpy
		or	byte ptr [esi+1], 8
		add	esp, 0Ch
		inc	word ptr [edi+4]
		test	bh, bh
		jz	loc_7AB700
		or	byte ptr [esi+1], 10h
		mov	edx, esi
		mov	ecx, edi
		call	RtlpIsDuplicateAce
		test	al, al
		jz	loc_7AB700
		mov	edx, [ebp+var_C]
		mov	eax, 0FFFFh
		add	[edi+4], ax
		mov	eax, [ebp+var_10]
		movzx	eax, word ptr [eax+2]
		cmp	edx, eax
		ja	short loc_7AB874
		mov	edx, eax

loc_7AB874:				; CODE XREF: RtlpGenerateInheritedAce+200j
		mov	ecx, [ebp+var_8]
		sub	ecx, eax
		jmp	loc_7AB706
; 

loc_7AB87E:				; CODE XREF: RtlpGenerateInheritedAce+A2j
		pop	edi
		pop	esi
		mov	eax, 0C0000023h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	30h
; 

loc_7AB88C:				; CODE XREF: RtlpGenerateInheritedAce+1B1j
		mov	bl, 1
		jmp	loc_7AB700
; 

loc_7AB893:				; CODE XREF: RtlpGenerateInheritedAce+141j
		mov	edx, [ebp+var_10]
		mov	eax, 0FFFFh
		add	[edi+4], ax
		xor	ecx, ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		mov	eax, ecx
		mov	[ebp+var_8], eax
		jmp	loc_7AB6F6
; 

loc_7AB8B1:				; CODE XREF: RtlpGenerateInheritedAce+17Ej
		test	bl, bl
		jnz	loc_7AB700
		mov	al, [edx+1]
		mov	ecx, [ebp+var_1C]
		and	al, 3
		mov	edx, [ebp+var_C]
		or	al, [ecx+1]
		mov	[ecx+1], al
		test	bh, bh
		jz	loc_7AB703
		or	al, 10h
		mov	[ecx+1], al
		jmp	loc_7AB703
RtlpGenerateInheritedAce endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCopyAces	proc near		; CODE XREF: RtlpInheritAcl2+11Dp
					; RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+82p ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_F		= dword	ptr -0Fh
var_8		= word ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= byte ptr  24h
arg_20		= byte ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

; FUNCTION CHUNK AT 008EA4F2 SIZE 00000085 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_18]
		push	ebx
		mov	ebx, [ebp+arg_2C]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_28]
		mov	[ebp+var_44], eax
		mov	al, [ebx]
		sub	al, 2
		mov	[ebp+var_2C], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_14], ebx
		mov	byte ptr [ebp+var_F+2],	0
		cmp	al, 2
		ja	loc_7ABCCF
		movzx	edx, word ptr [ebx+4]
		lea	ecx, [ebx+8]
		push	esi
		push	edi
		xor	esi, esi
		xor	edi, edi
		test	edx, edx
		jnz	loc_8EA4F2

loc_7AB942:				; CODE XREF: RtlpCopyAces+13EC2Dj
		movzx	eax, word ptr [ebx+2]
		add	eax, ebx
		cmp	ecx, eax
		ja	short loc_7AB94E
		mov	esi, ecx

loc_7AB94E:				; CODE XREF: RtlpCopyAces+6Aj
		mov	eax, [ebp+var_30]
		xor	ebx, ebx
		xor	ecx, ecx
		xor	edx, edx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_1C], edx
		cmp	bx, [eax+4]
		lea	edi, [eax+8]
		mov	ebx, [ebp+var_14]
		jnb	loc_7ABA82
		mov	eax, [ebp+arg_24]

loc_7AB970:				; CODE XREF: RtlpCopyAces+190j
		cmp	byte ptr [edi],	11h
		jz	loc_7ABB65
		cmp	eax, 3
		jz	loc_7ABA57

loc_7AB982:				; CODE XREF: RtlpCopyAces+2A6j
		mov	eax, [ebp+arg_0]
		sub	eax, 0
		jz	loc_8EA512
		sub	eax, 1
		jz	loc_7ABB56
		sub	eax, 1
		jnz	loc_7ABA57

loc_7AB9A0:				; CODE XREF: RtlpCopyAces+27Aj
					; RtlpCopyAces+13EC3Cj
		cmp	[ebp+arg_8], 0
		jnz	loc_7ABAA7
		movzx	ebx, word ptr [edi+2]
		mov	ecx, [ebp+var_14]
		test	esi, esi
		jz	loc_7ABBCE
		movzx	eax, word ptr [ecx+2]
		sub	eax, esi
		add	eax, ecx
		cmp	ebx, eax
		ja	loc_7ABBCE
		cmp	byte ptr [ebp+var_F+2],	0
		jnz	loc_7ABBD2
		push	ebx		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcpy
		mov	al, [esi]
		add	esp, 0Ch
		cmp	al, 8
		ja	loc_7ABCA3

loc_7AB9E8:				; CODE XREF: RtlpCopyAces+3C5j
					; RtlpCopyAces+3D5j
		test	byte ptr [esi+1], 8
		jnz	short loc_7ABA3B
		mov	ecx, [esi+4]
		mov	edx, [ebp+var_2C]
		test	ecx, ecx
		js	loc_7ABB93

loc_7AB9FC:				; CODE XREF: RtlpCopyAces+2BCj
		test	ecx, 40000000h
		jnz	loc_7ABBB0

loc_7ABA08:				; CODE XREF: RtlpCopyAces+2DAj
		test	ecx, 20000000h
		jnz	loc_7ABBA1

loc_7ABA14:				; CODE XREF: RtlpCopyAces+2CBj
		test	ecx, 10000000h
		jnz	loc_7ABB8B

loc_7ABA20:				; CODE XREF: RtlpCopyAces+2AEj
		and	ecx, 0FFFFFFFh
		mov	[esi+4], ecx
		mov	al, [esi]
		test	al, al
		jnz	loc_7ABCBA

loc_7ABA33:				; CODE XREF: RtlpCopyAces+3DCj
					; RtlpCopyAces+3E4j ...
		mov	eax, [edx+0Ch]

loc_7ABA36:				; CODE XREF: RtlpCopyAces+13EC88j
		and	eax, ecx
		mov	[esi+4], eax

loc_7ABA3B:				; CODE XREF: RtlpCopyAces+10Cj
					; RtlpCopyAces+3CFj
		mov	al, [ebp+arg_4]
		not	al
		and	[esi+1], al

loc_7ABA43:				; CODE XREF: RtlpCopyAces+384j
		mov	eax, [ebp+var_14]
		inc	word ptr [eax+4]

loc_7ABA4A:				; CODE XREF: RtlpCopyAces+26Bj
					; RtlpCopyAces+3BEj
		add	esi, ebx

loc_7ABA4C:				; CODE XREF: RtlpCopyAces+2F8j
		mov	ecx, [ebp+var_24]
		mov	edx, [ebp+var_1C]
		add	ecx, ebx
		mov	[ebp+var_24], ecx

loc_7ABA57:				; CODE XREF: RtlpCopyAces+9Cj
					; RtlpCopyAces+BAj ...
		movzx	eax, word ptr [edi+2]
		inc	edx
		mov	ebx, [ebp+var_14]
		add	edi, eax
		mov	eax, [ebp+var_30]
		mov	[ebp+var_1C], edx
		movzx	eax, word ptr [eax+4]
		cmp	edx, eax
		mov	eax, [ebp+arg_24]
		jb	loc_7AB970

loc_7ABA76:				; CODE XREF: RtlpCopyAces+29Dj
		cmp	ecx, 0FFFFh
		ja	loc_8EA56D

loc_7ABA82:				; CODE XREF: RtlpCopyAces+87j
		mov	eax, [ebp+var_44]
		mov	[eax], ecx
		movzx	eax, byte ptr [ebp+var_F+2]
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000023h

loc_7ABA94:				; CODE XREF: RtlpCopyAces+13EC92j
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	30h
; 

loc_7ABAA7:				; CODE XREF: RtlpCopyAces+C4j
		mov	al, [edi+1]
		xor	ecx, ecx
		xor	ebx, ebx
		mov	[ebp+var_18], ecx
		mov	byte ptr [ebp+var_F], cl
		mov	[ebp+var_28], esi
		cmp	[ebp+arg_1C], cl
		jnz	loc_7ABBBF

loc_7ABAC0:				; CODE XREF: RtlpCopyAces+2E1j
		xor	cl, cl

loc_7ABAC2:				; CODE XREF: RtlpCopyAces+2E9j
		mov	[ebp+var_20], cl
		test	al, 8
		jnz	short loc_7ABB3E
		xor	dl, dl		; int
		mov	byte ptr [ebp+var_F+1],	bl
		cmp	[ebp+arg_20], bl
		jnz	loc_8EA521

loc_7ABAD7:				; CODE XREF: RtlpCopyAces+13EC43j
					; RtlpCopyAces+13EC4Bj
		lea	eax, [ebp+var_F+1]
		mov	ecx, edi	; void *
		push	eax		; int
		lea	eax, [ebp+var_F]
		push	eax		; int
		mov	eax, [ebp+var_14]
		push	0		; int
		push	eax		; int
		lea	eax, [ebp+var_18]
		push	eax		; int
		lea	eax, [ebp+var_28]
		push	eax		; int
		push	0		; int
		push	0		; int
		push	[ebp+var_2C]	; int
		push	[ebp+var_34]	; int
		push	[ebp+var_38]	; int
		push	[ebp+var_3C]	; int
		push	[ebp+var_40]	; int
		push	dword ptr [ebp+var_20] ; char
		call	RtlpCopyEffectiveAce
		test	al, al
		jz	loc_8EA56D
		cmp	byte ptr [ebp+var_F+1],	bl
		jnz	loc_7ABC71
		mov	al, byte ptr [ebp+var_F+2]

loc_7ABB1E:				; CODE XREF: RtlpCopyAces+396j
		mov	ecx, [ebp+var_18]
		mov	ebx, ecx
		test	al, al
		jnz	loc_7ABC69
		test	ecx, ecx
		jz	loc_7ABC69
		mov	al, [ebp+arg_4]
		mov	cl, [ebp+var_20]
		not	al
		and	[esi+1], al

loc_7ABB3E:				; CODE XREF: RtlpCopyAces+1E7j
		mov	al, byte ptr [ebp+var_F+2]

loc_7ABB41:				; CODE XREF: RtlpCopyAces+38Cj
		test	cl, cl
		jnz	loc_7ABBDD

loc_7ABB49:				; CODE XREF: RtlpCopyAces+13EC5Bj
		test	al, al
		jz	loc_7ABA4A

loc_7ABB51:				; CODE XREF: RtlpCopyAces+3A5j
		mov	ecx, [ebp+var_14]
		jmp	short loc_7ABBD2
; 

loc_7ABB56:				; CODE XREF: RtlpCopyAces+B1j
		test	byte ptr [edi+1], 10h
		jz	loc_7AB9A0
		jmp	loc_7ABA57
; 

loc_7ABB65:				; CODE XREF: RtlpCopyAces+93j
		cmp	eax, 3
		jnz	loc_7ABA57
		push	0
		push	11h
		push	ebx
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		mov	ecx, [ebp+var_24]
		test	eax, eax
		jnz	loc_7ABA76
		mov	edx, [ebp+var_1C]
		jmp	loc_7AB982
; 

loc_7ABB8B:				; CODE XREF: RtlpCopyAces+13Aj
		or	ecx, [edx+0Ch]
		jmp	loc_7ABA20
; 

loc_7ABB93:				; CODE XREF: RtlpCopyAces+116j
		mov	eax, [edx]
		or	eax, ecx
		mov	[esi+4], eax
		mov	ecx, eax
		jmp	loc_7AB9FC
; 

loc_7ABBA1:				; CODE XREF: RtlpCopyAces+12Ej
		mov	eax, [edx+8]
		or	eax, ecx
		mov	[esi+4], eax
		mov	ecx, eax
		jmp	loc_7ABA14
; 

loc_7ABBB0:				; CODE XREF: RtlpCopyAces+122j
		mov	eax, [edx+4]
		or	eax, ecx
		mov	[esi+4], eax
		mov	ecx, eax
		jmp	loc_7ABA08
; 

loc_7ABBBF:				; CODE XREF: RtlpCopyAces+1DAj
		test	al, 3
		jz	loc_7ABAC0
		mov	cl, 1
		jmp	loc_7ABAC2
; 

loc_7ABBCE:				; CODE XREF: RtlpCopyAces+D3j
					; RtlpCopyAces+E3j ...
		mov	byte ptr [ebp+var_F+2],	1

loc_7ABBD2:				; CODE XREF: RtlpCopyAces+EDj
					; RtlpCopyAces+274j ...
		movzx	esi, word ptr [ecx+2]
		add	esi, ecx
		jmp	loc_7ABA4C
; 

loc_7ABBDD:				; CODE XREF: RtlpCopyAces+263j
		push	6		; size_t
		lea	eax, [ebp+var_F+3]
		mov	[ebp+var_F+3], 0
		push	eax		; void *
		lea	eax, [edi+0Ah]
		mov	[ebp+var_8], 300h
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		setz	al
		cmp	[ebp+var_18], 0
		jnz	short loc_7ABC7B

loc_7ABC07:				; CODE XREF: RtlpCopyAces+39Fj
		cmp	byte ptr [edi],	8
		ja	short loc_7ABC16
		cmp	dword ptr [edi+4], 0
		jz	loc_8EA530

loc_7ABC16:				; CODE XREF: RtlpCopyAces+32Aj
					; RtlpCopyAces+13EC52j
		movzx	eax, word ptr [edi+2]
		add	ebx, eax
		mov	[ebp+var_18], eax
		cmp	ebx, 0FFFFh
		ja	loc_8EA56D
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_28]
		movzx	eax, word ptr [ecx+2]
		sub	eax, edx
		add	eax, ecx
		cmp	[ebp+var_18], eax
		jg	short loc_7ABBCE
		cmp	byte ptr [ebp+var_F+2],	0
		jnz	short loc_7ABBD2
		push	[ebp+var_18]	; size_t
		push	edi		; void *
		push	edx		; void *
		call	_memcpy
		mov	edx, [ebp+var_28]
		add	esp, 0Ch
		mov	al, [ebp+arg_4]
		not	al
		mov	cl, [edx+1]
		or	cl, 8
		and	cl, al
		mov	[edx+1], cl
		jmp	loc_7ABA43
; 

loc_7ABC69:				; CODE XREF: RtlpCopyAces+245j
					; RtlpCopyAces+24Dj
		mov	cl, [ebp+var_20]
		jmp	loc_7ABB41
; 

loc_7ABC71:				; CODE XREF: RtlpCopyAces+235j
		mov	al, 1
		mov	byte ptr [ebp+var_F+2],	al
		jmp	loc_7ABB1E
; 

loc_7ABC7B:				; CODE XREF: RtlpCopyAces+325j
		cmp	byte ptr [ebp+var_F], 0
		jnz	short loc_7ABC07
		cmp	byte ptr [ebp+var_F+2],	0
		jnz	loc_7ABB51
		mov	cl, [edi+1]
		mov	al, [ebp+arg_4]
		and	cl, 1Fh
		or	cl, [esi+1]
		not	al
		and	cl, al
		mov	[esi+1], cl
		jmp	loc_7ABA4A
; 

loc_7ABCA3:				; CODE XREF: RtlpCopyAces+102j
		cmp	al, 0Ah
		jbe	loc_7AB9E8
		sub	al, 0Dh
		cmp	al, 1
		ja	loc_7ABA3B
		jmp	loc_7AB9E8
; 

loc_7ABCBA:				; CODE XREF: RtlpCopyAces+14Dj
		cmp	al, 9
		jz	loc_7ABA33
		cmp	al, 1
		jz	loc_7ABA33
		jmp	loc_8EA540
; 

loc_7ABCCF:				; CODE XREF: RtlpCopyAces+47j
		mov	ecx, [ebp+var_4]
		mov	eax, 0C0000058h
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	30h
RtlpCopyAces	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlpCopyEffectiveAce(void *,int,char,int,int,int,int,int,int,int,int,int,int,int,int,int)
RtlpCopyEffectiveAce proc near		; CODE XREF: RtlpGenerateInheritedAce+118p
					; RtlpCopyAces+225p

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= word ptr -84h
var_80		= dword	ptr -80h
var_79		= byte ptr -79h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6D		= byte ptr -6Dh
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4E		= word ptr -4Eh
var_4C		= dword	ptr -4Ch
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch

; FUNCTION CHUNK AT 008EA577 SIZE 0000028A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_79], dl
		mov	edx, ecx
		mov	[ebp+var_58], edx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_9C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_98], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_94], eax
		cmp	[ebp+var_94], 0
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_90], eax
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_A0], eax
		mov	eax, [ebp+arg_30]
		mov	ebx, [ebp+arg_28]
		mov	[ebp+var_60], eax
		mov	[ebp+var_88], 0
		mov	eax, [ebp+var_88]
		mov	esi, [ebp+arg_2C]
		mov	ecx, [ebp+arg_34]
		mov	[ebp+var_84], 300h
		mov	[ebp+var_54+2],	eax
		mov	ax, [ebp+var_84]
		mov	edi, [ebp+arg_20]
		mov	[ebp+var_78], esi
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_6D], 0
		mov	word ptr [ebp+var_54], 101h
		mov	[ebp+var_4E], ax
		mov	[ebp+var_4C], 0
		jz	loc_8EA577

loc_7ABD9A:				; CODE XREF: RtlpCopyEffectiveAce+13E893j
		cmp	[ebp+var_90], 0
		jz	loc_8EA588

loc_7ABDA7:				; CODE XREF: RtlpCopyEffectiveAce+13E8A4j
		mov	eax, [ebp+var_60]
		mov	byte ptr [eax],	0
		test	esi, esi
		jnz	loc_7ABF8F

loc_7ABDB5:				; CODE XREF: RtlpCopyEffectiveAce+2A2j
		mov	byte ptr [ecx],	0
		mov	ah, [edx]
		movzx	esi, word ptr [edx+2]
		cmp	ah, 8
		jbe	loc_7ABE54
		cmp	ah, 0Ah
		jbe	loc_7ABE54
		mov	al, ah
		sub	al, 0Dh
		cmp	al, 1
		jbe	short loc_7ABE54
		mov	eax, [edi]
		mov	[ebp+var_8C], eax
		movzx	eax, word ptr [ebx+2]
		sub	eax, [ebp+var_8C]
		add	eax, ebx
		cmp	esi, eax
		ja	loc_8EA599
		push	esi		; size_t
		push	edx		; void *
		push	[ebp+var_8C]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_7ABE04:				; CODE XREF: RtlpCopyEffectiveAce+29Aj
					; RtlpCopyEffectiveAce+2FEj
		mov	ecx, [ebp+var_5C]

loc_7ABE07:				; CODE XREF: RtlpCopyEffectiveAce+19Aj
		cmp	byte ptr [ecx],	0
		jnz	short loc_7ABE24
		test	esi, esi
		jz	short loc_7ABE24
		mov	eax, [edi]
		and	byte ptr [eax+1], 0E0h
		cmp	[ebp+var_79], 0
		jnz	loc_7ABF97

loc_7ABE20:				; CODE XREF: RtlpCopyEffectiveAce+2ADj
		inc	word ptr [ebx+4]

loc_7ABE24:				; CODE XREF: RtlpCopyEffectiveAce+11Aj
					; RtlpCopyEffectiveAce+11Ej ...
		cmp	esi, 0FFFFh
		ja	loc_8EA7FA
		cmp	byte ptr [ecx],	0
		jnz	short loc_7ABE37

loc_7ABE35:				; CODE XREF: RtlpCopyEffectiveAce+13EA5Ej
		add	[edi], esi

loc_7ABE37:				; CODE XREF: RtlpCopyEffectiveAce+143j
		mov	eax, [ebp+var_A0]
		mov	[eax], esi
		mov	al, 1

loc_7ABE41:				; CODE XREF: RtlpCopyEffectiveAce+13EB0Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7ABE54:				; CODE XREF: RtlpCopyEffectiveAce+D1j
					; RtlpCopyEffectiveAce+DAj ...
		mov	[ebp+var_80], edx
		mov	[ebp+var_6C], 0
		mov	[ebp+var_88], 0
		mov	[ebp+var_8C], 0
		cmp	ah, 3
		ja	loc_7AC034
		lea	eax, [edx+8]
		mov	[ebp+var_64], 8
		mov	[ebp+var_68], eax

loc_7ABE88:				; CODE XREF: RtlpCopyEffectiveAce+38Fj
		test	esi, esi
		jz	loc_7ABE07
		mov	eax, [edx+4]
		push	[ebp+arg_14]
		mov	[ebp+var_78], eax
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	ecx, [ebp+var_58]
		mov	al, [ecx]
		test	al, al
		jnz	loc_7ABFF3

loc_7ABEB2:				; CODE XREF: RtlpCopyEffectiveAce+305j
					; RtlpCopyEffectiveAce+30Dj ...
		mov	eax, [ebp+arg_14]
		mov	ecx, [eax+0Ch]

loc_7ABEB8:				; CODE XREF: RtlpCopyEffectiveAce+33Fj
		and	ecx, [ebp+var_74]
		cmp	ecx, [ebp+var_78]
		jz	short loc_7ABEC6
		mov	eax, [ebp+var_60]
		mov	byte ptr [eax],	1

loc_7ABEC6:				; CODE XREF: RtlpCopyEffectiveAce+1CEj
		and	ecx, 11FFFFFh
		mov	[ebp+var_74], ecx
		jz	loc_7ABFD9

loc_7ABED5:				; CODE XREF: RtlpCopyEffectiveAce+2F6j
		mov	ecx, [ebp+var_68]
		lea	edx, [ebp+var_54]
		call	RtlEqualPrefixSid
		test	al, al
		jnz	loc_7ABFA2

loc_7ABEE8:				; CODE XREF: RtlpCopyEffectiveAce+3A5j
					; RtlpCopyEffectiveAce+13EA6Bj
		mov	eax, [ebp+var_60]

loc_7ABEEB:				; CODE XREF: RtlpCopyEffectiveAce+2D9j
		cmp	[ebp+var_6D], 0
		jnz	loc_8EA766

loc_7ABEF5:				; CODE XREF: RtlpCopyEffectiveAce+13EA79j
		mov	edx, [ebp+var_80]

loc_7ABEF8:				; CODE XREF: RtlpCopyEffectiveAce+13EAA9j
					; RtlpCopyEffectiveAce+13EAD7j
		mov	ecx, [edi]
		mov	[ebp+var_78], ecx
		test	ecx, ecx
		jz	loc_7ABFCE
		movzx	eax, word ptr [ebx+2]
		sub	eax, ecx
		add	eax, ebx
		cmp	esi, eax
		ja	loc_7ABFCE
		push	[ebp+var_64]	; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcpy
		mov	edx, [ebp+var_78]
		add	esp, 0Ch
		add	edx, [ebp+var_64]
		mov	ecx, [ebp+var_6C]
		mov	[ebp+var_80], edx
		test	ecx, ecx
		jnz	loc_8EA7CC

loc_7ABF36:				; CODE XREF: RtlpCopyEffectiveAce+13EB05j
		mov	ecx, [ebp+var_68]
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		mov	eax, [ebp+var_68]
		add	esp, 0Ch
		mov	ecx, [ebp+var_80]
		add	ecx, 8
		movzx	eax, byte ptr [eax+1]
		lea	eax, [ecx+eax*4]
		mov	ecx, [ebp+var_88]
		mov	[ebp+var_78], eax
		test	ecx, ecx
		jnz	loc_7AC0A6

loc_7ABF70:				; CODE XREF: RtlpCopyEffectiveAce+3BEj
					; RtlpCopyEffectiveAce+3D8j
		mov	ecx, [edi]
		sub	eax, ecx
		cmp	esi, eax
		jb	loc_8EA7FA
		mov	esi, eax
		mov	[ecx+2], si
		mov	eax, [edi]
		mov	ecx, [ebp+var_74]
		mov	[eax+4], ecx
		jmp	loc_7ABE04
; 

loc_7ABF8F:				; CODE XREF: RtlpCopyEffectiveAce+BFj
		mov	byte ptr [esi],	0
		jmp	loc_7ABDB5
; 

loc_7ABF97:				; CODE XREF: RtlpCopyEffectiveAce+12Aj
		mov	eax, [edi]
		or	byte ptr [eax+1], 10h
		jmp	loc_7ABE20
; 

loc_7ABFA2:				; CODE XREF: RtlpCopyEffectiveAce+1F2j
		mov	eax, [ebp+var_68]
		mov	eax, [eax+8]
		test	eax, eax
		jnz	loc_7AC084
		mov	eax, [ebp+var_9C]

loc_7ABFB6:				; CODE XREF: RtlpCopyEffectiveAce+3B1j
					; RtlpCopyEffectiveAce+3E3j ...
		mov	[ebp+var_68], eax
		movzx	eax, byte ptr [eax+1]
		lea	esi, [esi+eax*4]
		mov	eax, [ebp+var_60]
		add	esi, 0FFFFFFFCh
		mov	byte ptr [eax],	1
		jmp	loc_7ABEEB
; 

loc_7ABFCE:				; CODE XREF: RtlpCopyEffectiveAce+20Fj
					; RtlpCopyEffectiveAce+21Fj
		mov	ecx, [ebp+var_5C]
		mov	byte ptr [ecx],	1
		jmp	loc_7ABE24
; 

loc_7ABFD9:				; CODE XREF: RtlpCopyEffectiveAce+1DFj
		mov	ecx, [ebp+var_68]
		lea	edx, [ebp+var_54]
		call	RtlEqualPrefixSid
		test	al, al
		jnz	loc_7ABED5
		xor	esi, esi
		jmp	loc_7ABE04
; 

loc_7ABFF3:				; CODE XREF: RtlpCopyEffectiveAce+1BCj
		cmp	al, 1
		jz	loc_7ABEB2
		cmp	al, 9
		jz	loc_7ABEB2
		cmp	al, 4
		jz	loc_7ABEB2
		cmp	al, 5
		jz	loc_7ABEB2
		cmp	al, 6
		jz	loc_7ABEB2
		cmp	al, 0Ah
		jz	loc_7ABEB2
		mov	eax, [ebp+arg_14]
		mov	ecx, [eax+0Ch]
		or	ecx, 1000000h
		jmp	loc_7ABEB8
; 

loc_7AC034:				; CODE XREF: RtlpCopyEffectiveAce+185j
		cmp	ah, 9
		jb	loc_8EA5A1
		cmp	ah, 0Ah
		ja	loc_8EA5A1

loc_7AC046:				; CODE XREF: RtlpCopyEffectiveAce+13E8B7j
		lea	eax, [edx+8]
		mov	[ebp+var_64], 8
		push	eax
		mov	[ebp+var_68], eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	ecx, eax
		mov	eax, [ebp+var_68]
		add	ecx, eax
		push	eax
		mov	[ebp+var_88], ecx
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	ecx, esi
		sub	ecx, eax
		sub	ecx, 8
		mov	[ebp+var_8C], ecx

loc_7AC079:				; CODE XREF: RtlpCopyEffectiveAce+13E926j
					; RtlpCopyEffectiveAce+13E97Ej	...
		mov	edx, [ebp+var_58]

loc_7AC07C:				; CODE XREF: RtlpCopyEffectiveAce+13E93Ej
					; RtlpCopyEffectiveAce+13E959j	...
		mov	ecx, [ebp+var_5C]
		jmp	loc_7ABE88
; 

loc_7AC084:				; CODE XREF: RtlpCopyEffectiveAce+2BAj
		sub	eax, 1
		jz	loc_8EA753
		sub	eax, 1
		jz	short loc_7AC0CD
		sub	eax, 1
		jnz	loc_7ABEE8
		mov	eax, [ebp+var_90]
		jmp	loc_7ABFB6
; 

loc_7AC0A6:				; CODE XREF: RtlpCopyEffectiveAce+27Aj
		mov	edx, [ebp+var_8C]
		test	edx, edx
		jle	loc_7ABF70
		push	edx		; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_78]
		add	esp, 0Ch
		add	eax, [ebp+var_8C]
		jmp	loc_7ABF70
; 

loc_7AC0CD:				; CODE XREF: RtlpCopyEffectiveAce+3A0j
		mov	eax, [ebp+var_94]
		jmp	loc_7ABFB6
RtlpCopyEffectiveAce endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlEqualPrefixSid proc near		; CODE XREF: RtlpCopyEffectiveAce+1EBp
					; RtlpCopyEffectiveAce+2EFp ...

var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EA813 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	al, [edi]
		cmp	al, [esi]
		jnz	short loc_7AC129
		lea	ecx, [edi+2]
		mov	al, [ecx]
		cmp	al, [esi+2]
		jnz	short loc_7AC129
		mov	al, [edi+3]
		cmp	al, [esi+3]
		jnz	short loc_7AC129
		mov	al, [edi+4]
		cmp	al, [esi+4]
		jnz	short loc_7AC129
		mov	al, [edi+5]
		cmp	al, [esi+5]
		jnz	short loc_7AC129
		mov	al, [edi+6]
		cmp	al, [esi+6]
		jnz	short loc_7AC129
		mov	al, [edi+7]
		cmp	al, [esi+7]
		jz	short loc_7AC13A

loc_7AC129:				; CODE XREF: RtlEqualPrefixSid+1Dj
					; RtlEqualPrefixSid+27j ...
		xor	al, al

loc_7AC12B:				; CODE XREF: RtlEqualPrefixSid+97j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7AC13A:				; CODE XREF: RtlEqualPrefixSid+4Fj
		mov	al, [edi+1]
		mov	[ebp+var_D], al
		cmp	al, [esi+1]
		jnz	short loc_7AC129
		xor	ebx, ebx
		mov	[ebp+var_8], 0B00h
		mov	[ebp+var_C], ebx
		test	al, al
		jz	short loc_7AC16D
		cmp	al, 0Bh
		jz	loc_8EA813

loc_7AC15C:				; CODE XREF: RtlEqualPrefixSid+13E74Cj
		xor	ecx, ecx
		inc	ecx

loc_7AC15F:				; CODE XREF: RtlEqualPrefixSid+13E755j
		movzx	eax, [ebp+var_D]
		sub	eax, ecx
		test	eax, eax
		jg	loc_8EA832

loc_7AC16D:				; CODE XREF: RtlEqualPrefixSid+7Aj
					; RtlEqualPrefixSid+13E772j
		mov	al, 1
		jmp	short loc_7AC12B
RtlEqualPrefixSid endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeCodeIntegrityQueryPolicyInformation(x, x,	x, x, x, x)
_SeCodeIntegrityQueryPolicyInformation@24 proc near ; CODE XREF: SepIsSModeEnabled()+29p
					; PAGE:00780E6Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6BEA64
		test	eax, eax
		jz	short loc_7AC1A2
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	eax
		pop	ebp
		retn	10h
; 

loc_7AC1A2:				; CODE XREF: SeCodeIntegrityQueryPolicyInformation(x,x,x,x,x,x)+Cj
		mov	eax, 0C0000001h
		pop	ebp
		retn	10h
_SeCodeIntegrityQueryPolicyInformation@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspChangeJobMemoryUsageByProcess proc near ; CODE XREF:	MiReturnFullProcessCharges(x,x)+20p
					; MmAssignProcessToJob+8Ap ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EA84F SIZE 00000166 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_2C], eax
		push	esi
		test	al, 2
		jz	loc_8EA9AE
		mov	esi, [ebp+arg_0]
		cmp	dword ptr [esi+158h], 0
		jz	loc_8EA9AE
		push	edi
		mov	edi, large fs:124h
		mov	eax, [esi+144h]
		mov	[ebp+var_20], edi
		mov	[ebp+var_1], 1
		mov	[ebp+var_1C], 0
		mov	eax, [eax+248h]
		mov	[ebp+var_24], eax
		mov	ecx, [ebp+var_24]
		mov	[ebp+var_28], 0
		test	edi, edi
		jz	short loc_7AC214
		dec	word ptr [edi+13Eh]
		nop

loc_7AC214:				; CODE XREF: PspChangeJobMemoryUsageByProcess+5Aj
		test	ecx, ecx
		jz	short loc_7AC228
		add	ecx, 230h
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+var_8]

loc_7AC228:				; CODE XREF: PspChangeJobMemoryUsageByProcess+66j
		test	byte ptr [ebp+var_2C], 4
		push	ebx
		mov	ebx, [ebp+var_24]
		mov	[ebp+var_18], ebx
		jnz	loc_8EA84F
		mov	ecx, [esi+144h]
		mov	eax, [ebp+arg_4]

loc_7AC242:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E6A4j
		mov	esi, ecx
		mov	[ebp+var_24], ecx
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_38], eax
		cmp	esi, eax
		jz	loc_7AC38C
		mov	eax, edx
		cdq
		mov	[ebp+var_3C], eax
		mov	[ebp+var_40], edx
		mov	edi, edi

loc_7AC260:				; CODE XREF: PspChangeJobMemoryUsageByProcess+1BFj
		mov	[ebp+var_14], 0
		cmp	esi, ebx
		jnz	loc_7AC3EF

loc_7AC26F:				; CODE XREF: PspChangeJobMemoryUsageByProcess+24Fj
		mov	edx, [esi+208h]
		mov	edi, edx
		add	edi, [ebp+var_3C]
		mov	eax, [esi+20Ch]
		mov	ebx, eax
		adc	ebx, [ebp+var_40]
		cmp	[ebp+var_8], 0
		jle	loc_7AC3CC
		cmp	ebx, eax
		ja	short loc_7AC2A1
		jb	loc_8EA859
		cmp	edi, edx
		jb	loc_8EA859

loc_7AC2A1:				; CODE XREF: PspChangeJobMemoryUsageByProcess+E1j
					; PspChangeJobMemoryUsageByProcess+21Ej ...
		mov	edx, [esi+31Ch]
		xor	eax, eax
		add	edx, edi
		mov	[ebp+var_10], edx
		adc	eax, ebx
		xor	edx, edx
		mov	[ebp+var_C], eax
		mov	eax, [esi+0B0h]
		test	eax, 200000h
		jnz	loc_8EA882

loc_7AC2C6:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E6E3j
					; PspChangeJobMemoryUsageByProcess+13E6F6j ...
		test	eax, 200h
		jnz	loc_7AC4E6

loc_7AC2D1:				; CODE XREF: PspChangeJobMemoryUsageByProcess+33Ej
					; PspChangeJobMemoryUsageByProcess+34Cj ...
		test	edx, edx
		jnz	loc_8EA8C9
		mov	al, [ebp+var_1]
		test	al, al
		jz	short loc_7AC2FE
		mov	[esi+208h], edi
		mov	[esi+20Ch], ebx

loc_7AC2EC:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E743j
					; PspChangeJobMemoryUsageByProcess+13E753j ...
		test	al, al
		jz	short loc_7AC2FE
		mov	edx, [esi+210h]
		test	edx, edx
		jnz	loc_7AC429

loc_7AC2FE:				; CODE XREF: PspChangeJobMemoryUsageByProcess+12Ej
					; PspChangeJobMemoryUsageByProcess+13Ej ...
		cmp	[ebp+var_8], 0
		jle	loc_7AC3E7
		test	ebx, ebx
		jnz	loc_8EA945
		cmp	edi, 0FFFFFFFFh
		ja	loc_8EA945

loc_7AC319:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E79Aj
		mov	eax, [esi+158h]
		test	ebx, ebx
		jb	short loc_7AC331
		ja	loc_7AC48E
		cmp	edi, eax
		ja	loc_7AC48E

loc_7AC331:				; CODE XREF: PspChangeJobMemoryUsageByProcess+171j
					; PspChangeJobMemoryUsageByProcess+2E4j
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+224h]
		mov	[ebp+var_14], eax

loc_7AC33D:				; CODE XREF: PspChangeJobMemoryUsageByProcess+23Aj
		mov	ebx, [ebp+var_18]
		cmp	esi, ebx
		jnz	loc_7AC404

loc_7AC348:				; CODE XREF: PspChangeJobMemoryUsageByProcess+274j
		test	eax, eax
		jz	short loc_7AC35E
		cmp	eax, [esi+154h]
		lea	edi, [esi+154h]
		ja	loc_7AC499

loc_7AC35E:				; CODE XREF: PspChangeJobMemoryUsageByProcess+19Aj
					; PspChangeJobMemoryUsageByProcess+303j
		mov	al, [ebp+var_1]

loc_7AC361:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E6C5j
		mov	esi, [esi+244h]
		mov	ecx, 0FFFFFFFFh
		cmp	esi, [ebp+var_38]
		jnz	loc_7AC260
		test	al, al
		jz	loc_8EA95C
		cmp	[ebp+var_28], 0
		jnz	loc_7AC4D7

loc_7AC387:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E7B4j
		or	ecx, ecx

loc_7AC389:				; CODE XREF: PspChangeJobMemoryUsageByProcess+331j
					; PspChangeJobMemoryUsageByProcess+13E7EFj
		mov	edi, [ebp+var_20]

loc_7AC38C:				; CODE XREF: PspChangeJobMemoryUsageByProcess+9Fj
		test	ebx, ebx
		jz	short loc_7AC3AD
		lea	esi, [ebx+230h]
		lock xadd [esi], ecx
		and	cl, 6
		cmp	cl, 2
		jz	loc_7AC518

loc_7AC3A6:				; CODE XREF: PspChangeJobMemoryUsageByProcess+36Fj
		mov	ecx, esi
		call	KeAbPostRelease

loc_7AC3AD:				; CODE XREF: PspChangeJobMemoryUsageByProcess+1DEj
		pop	ebx
		test	edi, edi
		jz	short loc_7AC3C1
		nop
		add	word ptr [edi+13Eh], 1
		jz	loc_7AC507

loc_7AC3C1:				; CODE XREF: PspChangeJobMemoryUsageByProcess+200j
					; PspChangeJobMemoryUsageByProcess+35Dj ...
		mov	al, [ebp+var_1]
		pop	edi

loc_7AC3C5:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E800j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7AC3CC:				; CODE XREF: PspChangeJobMemoryUsageByProcess+D9j
		cmp	ebx, eax
		jb	loc_7AC2A1
		ja	loc_8EA87A
		cmp	edi, edx
		jbe	loc_7AC2A1
		jmp	loc_8EA87A
; 

loc_7AC3E7:				; CODE XREF: PspChangeJobMemoryUsageByProcess+152j
		mov	eax, [ebp+var_14]
		jmp	loc_7AC33D
; 

loc_7AC3EF:				; CODE XREF: PspChangeJobMemoryUsageByProcess+B9j
		lea	ecx, [esi+230h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	ecx, 0FFFFFFFFh
		jmp	loc_7AC26F
; 

loc_7AC404:				; CODE XREF: PspChangeJobMemoryUsageByProcess+192j
		lea	edi, [esi+230h]
		mov	eax, ecx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7AC524

loc_7AC41A:				; CODE XREF: PspChangeJobMemoryUsageByProcess+37Bj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, [ebp+var_14]
		jmp	loc_7AC348
; 

loc_7AC429:				; CODE XREF: PspChangeJobMemoryUsageByProcess+148j
		test	dword ptr [edx], 200000h
		jz	loc_7AC53C

loc_7AC435:				; CODE XREF: PspChangeJobMemoryUsageByProcess+392j
		mov	eax, [edx+28h]
		mov	[ebp+var_34], eax
		mov	eax, [edx+2Ch]
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_34]
		or	eax, [ebp+var_30]
		mov	[ebp+arg_4], 0
		jz	short loc_7AC470
		cmp	[ebp+var_8], 0
		jle	short loc_7AC470
		mov	eax, [ebp+var_C]
		cmp	eax, [ebp+var_30]
		jb	short loc_7AC470
		ja	loc_7AC530
		mov	eax, [ebp+var_10]
		cmp	eax, [ebp+var_34]
		ja	loc_7AC530

loc_7AC470:				; CODE XREF: PspChangeJobMemoryUsageByProcess+29Ej
					; PspChangeJobMemoryUsageByProcess+2A4j ...
		mov	eax, [edx+20h]
		mov	edx, [edx+24h]
		mov	[ebp+var_34], eax
		or	eax, edx
		jz	short loc_7AC483
		cmp	[ebp+var_8], 0
		jle	short loc_7AC4B8

loc_7AC483:				; CODE XREF: PspChangeJobMemoryUsageByProcess+2CBj
					; PspChangeJobMemoryUsageByProcess+30Bj ...
		mov	eax, [ebp+arg_4]
		or	[ebp+var_28], eax
		jmp	loc_7AC2FE
; 

loc_7AC48E:				; CODE XREF: PspChangeJobMemoryUsageByProcess+173j
					; PspChangeJobMemoryUsageByProcess+17Bj
		mov	[esi+158h], edi
		jmp	loc_7AC331
; 

loc_7AC499:				; CODE XREF: PspChangeJobMemoryUsageByProcess+1A8j
		mov	eax, [edi]
		mov	ebx, [ebp+var_14]
		mov	edi, edi

loc_7AC4A0:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E7A1j
		mov	edx, eax
		mov	ecx, ebx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	loc_8EA94F

loc_7AC4B0:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E7A7j
		mov	ebx, [ebp+var_18]
		jmp	loc_7AC35E
; 

loc_7AC4B8:				; CODE XREF: PspChangeJobMemoryUsageByProcess+2D1j
		cmp	[ebp+var_C], edx
		ja	short loc_7AC483
		jb	short loc_7AC4C7
		mov	eax, [ebp+var_10]
		cmp	eax, [ebp+var_34]
		jnb	short loc_7AC483

loc_7AC4C7:				; CODE XREF: PspChangeJobMemoryUsageByProcess+30Dj
		mov	eax, [ebp+arg_4]
		or	eax, 8000h
		or	[ebp+var_28], eax
		jmp	loc_7AC2FE
; 

loc_7AC4D7:				; CODE XREF: PspChangeJobMemoryUsageByProcess+1D1j
		mov	ecx, ebx
		call	_PspScheduleEnforcementWorker@4	; PspScheduleEnforcementWorker(x)
		or	ecx, 0FFFFFFFFh
		jmp	loc_7AC389
; 

loc_7AC4E6:				; CODE XREF: PspChangeJobMemoryUsageByProcess+11Bj
		mov	eax, [esi+14Ch]
		test	ebx, ebx
		jb	loc_7AC2D1
		ja	loc_8EA8BF
		cmp	edi, eax
		jbe	loc_7AC2D1
		jmp	loc_8EA8BF
; 

loc_7AC507:				; CODE XREF: PspChangeJobMemoryUsageByProcess+20Bj
		nop
		lea	ecx, [edi+70h]
		cmp	[ecx], ecx
		jz	loc_7AC3C1
		jmp	loc_8EA9A4
; 

loc_7AC518:				; CODE XREF: PspChangeJobMemoryUsageByProcess+1F0j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7AC3A6
; 

loc_7AC524:				; CODE XREF: PspChangeJobMemoryUsageByProcess+264j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7AC41A
; 

loc_7AC530:				; CODE XREF: PspChangeJobMemoryUsageByProcess+2AEj
					; PspChangeJobMemoryUsageByProcess+2BAj
		mov	[ebp+arg_4], 200h
		jmp	loc_7AC470
; 

loc_7AC53C:				; CODE XREF: PspChangeJobMemoryUsageByProcess+27Fj
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ebx
		jmp	loc_7AC435
PspChangeJobMemoryUsageByProcess endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PspScheduleEnforcementWorker(x)
_PspScheduleEnforcementWorker@4	proc near ; CODE XREF: sub_759647-207p
					; PspChangeJobMemoryUsageByProcess+329p
		mov	edi, edi
		push	esi
		mov	eax, 100000h
		add	ecx, 310h
		lock or	[ecx], eax
		push	6
		pop	esi
		mov	edx, offset _PspJobTimeLimitsWorkItemFlags
		mov	eax, [edx]

loc_7AC563:				; CODE XREF: PspScheduleEnforcementWorker(x)+23j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_7AC563
		pop	esi
		test	al, 4
		jz	short loc_7AC573
		retn
; 

loc_7AC573:				; CODE XREF: PspScheduleEnforcementWorker(x)+28j
		push	1
		push	offset _PspJobTimeLimitsWorkItem
		call	ExQueueWorkItem
		retn
_PspScheduleEnforcementWorker@4	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2009. RtlCreateAtomTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCreateAtomTable(x, x)
		public _RtlCreateAtomTable@8
_RtlCreateAtomTable@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	0
		push	[ebp+arg_0]
		call	RtlCreateAtomTableEx
		pop	ebp
		retn	8
_RtlCreateAtomTable@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpInitializeLockAtomTable(x)
_RtlpInitializeLockAtomTable@4 proc near ; CODE	XREF: RtlCreateAtomTableEx+89p
		and	dword ptr [ecx+8], 0
		retn
_RtlpInitializeLockAtomTable@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RtlpInitializeHandleTableForAtomTable(x)
_RtlpInitializeHandleTableForAtomTable@4 proc near ; CODE XREF:	RtlCreateAtomTableEx+7Ap
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	edx, edx
		xor	ecx, ecx
		call	ExCreateHandleTable
		test	eax, eax
		mov	[esi+0Ch], eax
		pop	esi
		setnz	al
		retn
_RtlpInitializeHandleTableForAtomTable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpAllocateMidLevelTable proc near	; CODE XREF: ExpAllocateHandleTableEntrySlow+2Ap
					; ExpAllocateHandleTableEntrySlow+13E3DAp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008EA9B5 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	edx, 1000h
		mov	ecx, [edi+0Ch]
		call	_ExpAllocateTablePagedPool@8 ; ExpAllocateTablePagedPool(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7AC5F8
		push	[ebp+arg_0]
		mov	ecx, edi
		call	_ExpAllocateLowLevelTable@8 ; ExpAllocateLowLevelTable(x,x)
		mov	[ebx], eax
		test	eax, eax
		jz	loc_8EA9B5
		mov	[esi], eax
		mov	eax, esi

loc_7AC5F1:				; CODE XREF: ExpAllocateMidLevelTable+40j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7AC5F8:				; CODE XREF: ExpAllocateMidLevelTable+1Dj
					; ExpAllocateMidLevelTable+13E40Bj ...
		xor	eax, eax
		jmp	short loc_7AC5F1
ExpAllocateMidLevelTable endp


;  S U B	R O U T	I N E 


; __stdcall ExpAllocateTablePagedPool(x, x)
_ExpAllocateTablePagedPool@8 proc near	; CODE XREF: ExpAllocateMidLevelTable+14p
					; ExpAllocateHandleTableEntrySlow+13E3C5p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		call	ExpAllocateTablePagedPoolNoZero
		mov	esi, eax
		test	esi, esi
		jz	short loc_7AC619
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_7AC619:				; CODE XREF: ExpAllocateTablePagedPool(x,x)+Fj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_ExpAllocateTablePagedPool@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpAllocateHandleTableEntrySlow	proc near ; CODE XREF: ExDupHandleTable+2A2p
					; ExpAllocateHandleTableEntry(x,x)+10Ep ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EA9DB SIZE 000000BE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edx
		mov	ebx, [edi+8]
		mov	eax, ebx
		mov	esi, [edi]
		and	ebx, 0FFFFFFFCh
		mov	[ebp+var_C], ebx
		and	eax, 3
		jnz	short loc_7AC680
		push	esi
		lea	edx, [ebp+var_4]
		call	ExpAllocateMidLevelTable
		test	eax, eax
		jz	short loc_7AC6B1
		mov	ecx, [eax]
		mov	[eax+4], ecx
		lea	ecx, [edi+8]
		mov	[eax], ebx
		or	eax, 1
		xchg	eax, [ecx]

loc_7AC660:				; CODE XREF: ExpAllocateHandleTableEntrySlow+13E41Bj
					; ExpAllocateHandleTableEntrySlow+13E452j
		mov	eax, [ebp+var_4]

loc_7AC663:				; CODE XREF: ExpAllocateHandleTableEntrySlow+91j
					; ExpAllocateHandleTableEntrySlow+13E476j
		mov	edx, [ebp+var_10]
		test	edx, edx
		setnz	cl
		movzx	ecx, cl
		push	ecx
		push	edx
		mov	edx, eax
		mov	ecx, edi
		call	_ExpInsertLowLevelTableIntoFreeList@16 ; ExpInsertLowLevelTableIntoFreeList(x,x,x,x)
		mov	al, 1

loc_7AC67B:				; CODE XREF: ExpAllocateHandleTableEntrySlow+95j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7AC680:				; CODE XREF: ExpAllocateHandleTableEntrySlow+24j
		cmp	eax, 1
		mov	eax, esi
		jnz	loc_8EAA3E
		shr	eax, 0Bh
		mov	[ebp+var_8], eax
		cmp	eax, 400h
		jnb	loc_8EA9DB
		push	esi
		call	_ExpAllocateLowLevelTable@8 ; ExpAllocateLowLevelTable(x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_7AC6B1
		mov	ecx, [ebp+var_8]
		mov	[ebx+ecx*4], eax
		jmp	short loc_7AC663
; 

loc_7AC6B1:				; CODE XREF: ExpAllocateHandleTableEntrySlow+31j
					; ExpAllocateHandleTableEntrySlow+89j ...
		xor	al, al
		jmp	short loc_7AC67B
ExpAllocateHandleTableEntrySlow	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExCreateHandleTable proc near		; CODE XREF: ObInitProcess+8Fp
					; RtlpInitializeHandleTableForAtomTable(x)+9p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EAA99 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, large fs:124h
		mov	[ebp+var_4], edx
		mov	dl, 1
		push	edi
		call	ExpAllocateHandleTable
		mov	edi, eax
		test	edi, edi
		jz	short loc_7AC73E
		cmp	[ebp+var_4], 0
		push	esi
		lea	esi, [edi+10h]
		jz	short loc_7AC737
		dec	word ptr [ebx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _HandleTableListLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, ds:dword_A94E74
		mov	ecx, offset _HandleTableListHead
		cmp	[eax], ecx
		jnz	short loc_7AC742
		mov	[esi+4], eax
		mov	[esi], ecx
		mov	[eax], esi
		or	eax, 0FFFFFFFFh
		mov	ds:dword_A94E74, esi
		mov	esi, offset _HandleTableListLock
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_8EAA99

loc_7AC722:				; CODE XREF: ExCreateHandleTable+13E3E5j
					; ExCreateHandleTable+13E3F2j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi

loc_7AC732:				; CODE XREF: ExCreateHandleTable+86j
		pop	esi

loc_7AC733:				; CODE XREF: ExCreateHandleTable+8Aj
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_7AC737:				; CODE XREF: ExCreateHandleTable+27j
		mov	[esi+4], esi
		mov	[esi], esi
		jmp	short loc_7AC732
; 

loc_7AC73E:				; CODE XREF: ExCreateHandleTable+1Dj
		xor	eax, eax
		jmp	short loc_7AC733
; 

loc_7AC742:				; CODE XREF: ExCreateHandleTable+49j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
ExCreateHandleTable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpAllocateHandleTable proc near	; CODE XREF: ExDupHandleTable+79p
					; ExCreateHandleTable+14p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EAAAD SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ds:_ExpFreeListCount
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_8], edx
		inc	eax
		mov	ebx, ecx
		shl	eax, 6
		push	6274624Fh
		push	eax
		push	5
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_7AC80F
		test	ebx, ebx
		jz	short loc_7AC793
		push	80h
		push	ebx
		call	_PsChargeProcessPagedPoolQuota@8 ; PsChargeProcessPagedPoolQuota(x,x)
		test	eax, eax
		js	loc_8EAAAD

loc_7AC793:				; CODE XREF: ExpAllocateHandleTable+36j
		push	[ebp+var_4]	; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		mov	ecx, ds:_ExpFreeListCount
		mov	[edi+0Ch], ebx
		mov	eax, [eax+80h]
		mov	eax, [eax+0E4h]
		mov	[edi+18h], eax
		test	ecx, ecx
		jz	short loc_7AC7CF
		lea	eax, [edi+40h]

loc_7AC7C5:				; CODE XREF: ExpAllocateHandleTable+85j
		mov	[eax], esi
		lea	eax, [eax+40h]
		sub	ecx, 1
		jnz	short loc_7AC7C5

loc_7AC7CF:				; CODE XREF: ExpAllocateHandleTable+78j
		push	esi
		mov	ecx, edi
		call	_ExpAllocateLowLevelTable@8 ; ExpAllocateLowLevelTable(x,x)
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	loc_8EAABD
		push	[ebp+var_8]
		lea	eax, [edi+40h]
		mov	edx, ecx
		push	eax
		mov	ecx, edi
		call	_ExpInsertLowLevelTableIntoFreeList@16 ; ExpInsertLowLevelTableIntoFreeList(x,x,x,x)
		mov	eax, [ebp+var_4]
		mov	[edi+8], eax
		test	ebx, ebx
		jz	short loc_7AC802
		or	byte ptr [edi+1Ch], 10h

loc_7AC802:				; CODE XREF: ExpAllocateHandleTable+B4j
		mov	[edi+24h], esi
		mov	eax, edi
		mov	[edi+20h], esi

loc_7AC80A:				; CODE XREF: ExpAllocateHandleTable+C9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7AC80F:				; CODE XREF: ExpAllocateHandleTable+2Ej
					; ExpAllocateHandleTable+13E370j ...
		xor	eax, eax
		jmp	short loc_7AC80A
ExpAllocateHandleTable endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpInsertLowLevelTableIntoFreeList(x, x, x,	x)
_ExpInsertLowLevelTableIntoFreeList@16 proc near
					; CODE XREF: ExpAllocateHandleTableEntrySlow+56p
					; ExpAllocateHandleTable+A7p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	[ebp+var_4], ecx
		mov	cl, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, edx
		test	cl, cl
		jnz	short loc_7AC846
		lea	ebx, [edi+0FF8h]

loc_7AC82F:				; CODE XREF: ExpInsertLowLevelTableIntoFreeList(x,x,x,x)+59j
		mov	edx, [ebp+var_4]
		mov	eax, 800h
		lock xadd [edx], eax
		test	cl, cl
		jnz	short loc_7AC86F

loc_7AC83F:				; CODE XREF: ExpInsertLowLevelTableIntoFreeList(x,x,x,x)+8Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7AC846:				; CODE XREF: ExpInsertLowLevelTableIntoFreeList(x,x,x,x)+13j
		lea	edx, [edi+0Ch]
		mov	esi, 1FEh

loc_7AC84E:				; CODE XREF: ExpInsertLowLevelTableIntoFreeList(x,x,x,x)+49j
		and	dword ptr [edx-4], 0
		lea	eax, [edx+4]
		mov	[edx], eax
		lea	edx, [edx+8]
		sub	esi, 1
		jnz	short loc_7AC84E
		lea	ebx, [edi+0FF8h]
		and	[ebx], esi
		and	[edi+0FFCh], esi
		jmp	short loc_7AC82F
; 

loc_7AC86F:				; CODE XREF: ExpInsertLowLevelTableIntoFreeList(x,x,x,x)+29j
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		add	edi, 8
		cmp	dword ptr [esi+4], 0
		jnz	short loc_7AC8A9
		mov	[esi+4], edi

loc_7AC887:				; CODE XREF: ExpInsertLowLevelTableIntoFreeList(x,x,x,x)+9Bj
		mov	[esi+8], ebx
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7AC8A0

loc_7AC897:				; CODE XREF: ExpInsertLowLevelTableIntoFreeList(x,x,x,x)+93j
		mov	ecx, esi
		call	KeAbPostRelease
		jmp	short loc_7AC83F
; 

loc_7AC8A0:				; CODE XREF: ExpInsertLowLevelTableIntoFreeList(x,x,x,x)+81j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7AC897
; 

loc_7AC8A9:				; CODE XREF: ExpInsertLowLevelTableIntoFreeList(x,x,x,x)+6Ej
		mov	eax, [esi+8]
		mov	[eax+4], edi
		jmp	short loc_7AC887
_ExpInsertLowLevelTableIntoFreeList@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpAllocateLowLevelTable(x,	x)
_ExpAllocateLowLevelTable@8 proc near	; CODE XREF: ExpAllocateMidLevelTable+24p
					; ExpAllocateHandleTableEntrySlow+7Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ecx+0Ch]
		mov	edx, 1000h
		call	ExpAllocateTablePagedPoolNoZero
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_7AC8D9
		mov	eax, [ebp+arg_0]
		and	dword ptr [ecx], 0
		mov	[ecx+4], eax
		mov	eax, ecx

loc_7AC8D5:				; CODE XREF: ExpAllocateLowLevelTable(x,x)+29j
		pop	ebp
		retn	4
; 

loc_7AC8D9:				; CODE XREF: ExpAllocateLowLevelTable(x,x)+16j
		xor	eax, eax
		jmp	short loc_7AC8D5
_ExpAllocateLowLevelTable@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


ExpAllocateTablePagedPoolNoZero	proc near ; CODE XREF: ExpAllocateTablePagedPool(x,x)+6p
					; ExpAllocateLowLevelTable(x,x)+Dp

; FUNCTION CHUNK AT 008EAAE0 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	6274624Fh
		mov	ebx, edx
		mov	edi, ecx
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7AC90D
		test	edi, edi
		jz	short loc_7AC90D
		push	ebx
		push	edi
		call	_PsChargeProcessPagedPoolQuota@8 ; PsChargeProcessPagedPoolQuota(x,x)
		test	eax, eax
		js	loc_8EAAE0

loc_7AC90D:				; CODE XREF: ExpAllocateTablePagedPoolNoZero+1Aj
					; ExpAllocateTablePagedPoolNoZero+1Ej ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
ExpAllocateTablePagedPoolNoZero	endp

; 
		align 8
; Exported entry 1750. PsChargeProcessPagedPoolQuota

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsChargeProcessPagedPoolQuota(x, x)
		public _PsChargeProcessPagedPoolQuota@8
_PsChargeProcessPagedPoolQuota@8 proc near ; CODE XREF:	AlpcpChargePagedPoolQuota(x,x)+2Bp
					; ExpAllocateHandleTable+3Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		cmp	edx, ds:_PsInitialSystemProcess
		jz	short loc_7AC93C
		push	[ebp+arg_4]
		mov	ecx, [edx+188h]
		push	1
		call	@PspChargeQuota@16 ; PspChargeQuota(x,x,x,x)

loc_7AC938:				; CODE XREF: PsChargeProcessPagedPoolQuota(x,x)+26j
		pop	ebp
		retn	8
; 

loc_7AC93C:				; CODE XREF: PsChargeProcessPagedPoolQuota(x,x)+Ej
		xor	eax, eax
		jmp	short loc_7AC938
_PsChargeProcessPagedPoolQuota@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry   1.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsCaptureUserProcessParameters(x, x)
		public _PsCaptureUserProcessParameters@8
_PsCaptureUserProcessParameters@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	eax
		push	3
		push	0
		call	PspCaptureUserProcessParameters
		pop	ebp
		retn	8
_PsCaptureUserProcessParameters@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpValidateMultiSz(x, x)
_PnpValidateMultiSz@8 proc near		; CODE XREF: PiDqQueryValidateQueryData+D6p
					; PiSwValidateCreateData+E0p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, ecx
		mov	[ebp+var_4], esi
		mov	ebx, edx
		mov	[ebp+var_8], esi
		mov	eax, 0C000000Dh
		test	edi, edi
		jz	short loc_7AC9C7

loc_7AC983:				; CODE XREF: PnpValidateMultiSz(x,x)+61j
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		sub	edx, esi
		lea	ecx, [edi+esi*2]
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		test	eax, eax
		js	short loc_7AC9C7
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_7AC9C7
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_7AC9C7
		cmp	[ebp+var_8], 0
		jz	short loc_7AC9C7
		mov	esi, [ebp+var_4]
		jmp	short loc_7AC983
; 

loc_7AC9C7:				; CODE XREF: PnpValidateMultiSz(x,x)+1Dj
					; PnpValidateMultiSz(x,x)+31j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnpValidateMultiSz@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCaptureProcessParameters(x, x, x)
_PspCaptureProcessParameters@12	proc near ; CODE XREF: PAGE:007A3122p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	al, [esi+8]
		test	cl, cl
		jz	short loc_7ACA13
		push	dword ptr [esi+118h]
		movzx	eax, al
		lea	ecx, [esi+7Ch]
		shr	eax, 3
		and	eax, 1
		push	eax
		push	dword ptr [esi+140h]
		call	PspCaptureUserProcessParameters
		test	eax, eax
		js	short loc_7ACA0D
		mov	al, [esi+8]
		test	al, 8
		jnz	short loc_7ACA1A

loc_7ACA06:				; CODE XREF: PspCaptureProcessParameters(x,x,x)+52j
		or	al, 4

loc_7ACA08:				; CODE XREF: PspCaptureProcessParameters(x,x,x)+4Cj
		mov	[esi+8], al
		xor	eax, eax

loc_7ACA0D:				; CODE XREF: PspCaptureProcessParameters(x,x,x)+31j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_7ACA13:				; CODE XREF: PspCaptureProcessParameters(x,x,x)+Fj
		and	al, 0FBh
		mov	[esi+7Ch], edx
		jmp	short loc_7ACA08
; 

loc_7ACA1A:				; CODE XREF: PspCaptureProcessParameters(x,x,x)+38j
		and	byte ptr [esi+9], 0F3h
		jmp	short loc_7ACA06
_PspCaptureProcessParameters@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspCaptureUserProcessParameters	proc near
					; CODE XREF: PsCaptureUserProcessParameters(x,x)+15p
					; PspCaptureProcessParameters(x,x,x)+2Ap

var_98		= dword	ptr -98h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EAAF2 SIZE 00000054 BYTES
; FUNCTION CHUNK AT 008EAB6C SIZE 00000087 BYTES
; FUNCTION CHUNK AT 008EAC1E SIZE 00000064 BYTES
; FUNCTION CHUNK AT 008EACA8 SIZE 00000095 BYTES

		push	90h
		push	offset dword_6A2900
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	[ebp+var_98], ecx
		xor	ebx, ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_78], ebx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, edx
		test	dl, 3
		jnz	loc_7ACEE4
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_8EAAF2

loc_7ACA91:				; CODE XREF: PspCaptureUserProcessParameters+13E0D4j
		nop
		mov	al, [ecx]
		mov	ecx, [edx+8]
		and	ecx, 0FFFFBFFFh
		mov	[ebp+var_4C], ecx
		xor	ecx, 1
		test	ecx, 0F7010E11h
		jnz	loc_8EAAF9
		mov	eax, [ebp+var_4C]
		and	eax, 0FFFFFFE0h
		dec	eax
		and	eax, [ebp+var_4C]
		test	al, 60h
		jnz	loc_8EAAF9
		mov	ecx, [edx+48h]
		mov	[ebp+var_3C], ecx
		mov	eax, [edx+290h]
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	loc_8EAAF9
		test	al, 1
		jnz	loc_8EAAF9
		lea	esi, [eax+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		ja	loc_8EAB0A
		cmp	esi, ecx
		jb	loc_8EAB0A

loc_7ACAF8:				; CODE XREF: PspCaptureUserProcessParameters+13E0ECj
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		test	byte ptr [ebp+arg_4], 1
		jnz	loc_7ACE83
		lea	ecx, [edx+24h]
		lea	edx, [ebp+var_38]
		call	PspCaptureAndValidateUnicodeString
		mov	edi, eax
		test	edi, edi
		js	loc_7ACE5B
		mov	eax, 208h
		cmp	word ptr [ebp+var_38], ax
		jnb	loc_8EAB00
		mov	word ptr [ebp+var_38+2], ax
		mov	[ebp+ms_exc.disabled], 1
		mov	edx, [ebp+var_20]
		mov	eax, [edx+88h]
		mov	[ebp+var_28], eax
		mov	ecx, [edx+8Ch]
		mov	[ebp+var_24], ecx
		mov	[ebp+ms_exc.disabled], esi
		test	ecx, ecx
		jnz	loc_8EAB11
		test	ax, ax
		jnz	loc_8EAB00
		xor	eax, eax
		mov	word ptr [ebp+var_28+2], ax

loc_7ACB66:				; CODE XREF: PspCaptureUserProcessParameters+495j
					; PspCaptureUserProcessParameters+4AEj	...
		lea	ecx, [edx+30h]
		lea	edx, [ebp+var_54]
		call	PspCaptureAndValidateUnicodeString
		test	eax, eax
		js	loc_7ACE5B
		mov	edi, [ebp+var_20]
		lea	ecx, [edi+38h]
		lea	edx, [ebp+var_5C]
		call	PspCaptureAndValidateUnicodeString
		test	eax, eax
		js	loc_7ACE5B
		lea	ecx, [edi+40h]
		lea	edx, [ebp+var_64]
		call	PspCaptureAndValidateUnicodeString
		test	eax, eax
		js	loc_7ACE5B
		lea	ecx, [edi+70h]
		lea	edx, [ebp+var_6C]
		call	PspCaptureAndValidateUnicodeString
		test	eax, eax
		js	loc_7ACE5B
		lea	ecx, [edi+78h]
		lea	edx, [ebp+var_74]
		call	PspCaptureAndValidateUnicodeString
		test	eax, eax
		js	loc_7ACE5B
		lea	ecx, [edi+80h]
		lea	edx, [ebp+var_7C]
		call	PspCaptureAndValidateUnicodeString
		test	eax, eax
		js	loc_7ACE5B
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	loc_8EAB87

loc_7ACBE9:				; CODE XREF: PspCaptureUserProcessParameters+13E16Bj
		lea	ecx, [edi+2A4h]
		lea	edx, [ebp+var_44]
		call	PspCaptureAndValidateUnicodeString
		test	eax, eax
		js	loc_7ACE5B

loc_7ACBFF:				; CODE XREF: PspCaptureUserProcessParameters+13E17Dj
		test	esi, esi
		jnz	loc_8EABA2

loc_7ACC07:				; CODE XREF: PspCaptureUserProcessParameters+13E186j
		mov	ecx, ebx
		mov	[ebp+var_80], ebx

loc_7ACC0C:				; CODE XREF: PspCaptureUserProcessParameters+13E195j
		mov	[ebp+var_84], ecx
		shr	ecx, 10h
		movzx	eax, word ptr [ebp+var_44+2]
		add	ecx, eax
		movzx	eax, word ptr [ebp+var_7C+2]
		add	ecx, eax
		movzx	eax, word ptr [ebp+var_74+2]
		add	ecx, eax
		movzx	eax, word ptr [ebp+var_6C+2]
		add	ecx, eax
		movzx	eax, word ptr [ebp+var_64+2]
		add	ecx, eax
		movzx	eax, word ptr [ebp+var_5C+2]
		add	ecx, eax
		movzx	eax, word ptr [ebp+var_54+2]
		add	ecx, eax
		movzx	eax, word ptr [ebp+var_28+2]
		add	ecx, eax
		movzx	eax, word ptr [ebp+var_38+2]
		add	eax, 2C1h
		add	ecx, eax
		and	ecx, 0FFFFFFFEh
		mov	[ebp+var_2C], ecx
		test	esi, esi
		jnz	loc_8EABBA

loc_7ACC5E:				; CODE XREF: PspCaptureUserProcessParameters+13E19Ej
					; PspCaptureUserProcessParameters+13E1C4j
		lea	eax, [ebp+var_48]
		push	eax
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_2C]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_8EAB00
		push	62507350h
		push	[ebp+var_48]
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	[ebp+arg_8], eax
		test	eax, eax
		jz	loc_8EABE9
		mov	[ebp+ms_exc.disabled], 3
		mov	ecx, 0B0h
		mov	esi, edi
		mov	edi, eax
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_20]

loc_7ACCB1:				; CODE XREF: sub_8EAC04+15j
		test	edi, edi
		js	loc_8EAB79
		mov	eax, [ebp+var_4C]
		mov	esi, [ebp+arg_8]
		mov	[esi+8], eax
		mov	eax, [ebp+var_2C]
		mov	[esi+4], eax
		mov	[esi], eax
		lea	eax, [esi+2C0h]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_8EAC1E

loc_7ACCDE:				; CODE XREF: PspCaptureUserProcessParameters+13E202j
					; PspCaptureUserProcessParameters+13E211j
		lea	eax, [ebp+var_1C]
		push	eax
		lea	edx, [esi+24h]
		lea	ecx, [ebp+var_38]
		call	PspCopyUnicodeString
		mov	edi, eax
		test	edi, edi
		js	loc_8EAB76
		lea	eax, [ebp+var_1C]
		push	eax
		lea	edx, [esi+30h]
		lea	ecx, [ebp+var_54]
		call	PspCopyUnicodeString
		mov	edi, eax
		test	edi, edi
		js	loc_8EAB76
		lea	eax, [ebp+var_1C]
		push	eax
		lea	edx, [esi+38h]
		lea	ecx, [ebp+var_5C]
		call	PspCopyUnicodeString
		mov	edi, eax
		test	edi, edi
		js	loc_8EAB76
		lea	eax, [ebp+var_1C]
		push	eax
		lea	edx, [esi+40h]
		lea	ecx, [ebp+var_64]
		call	PspCopyUnicodeString
		mov	edi, eax
		test	edi, edi
		js	loc_8EAB76
		lea	eax, [ebp+var_1C]
		push	eax
		lea	edx, [esi+70h]
		lea	ecx, [ebp+var_6C]
		call	PspCopyUnicodeString
		mov	edi, eax
		test	edi, edi
		js	loc_8EAB76
		lea	eax, [ebp+var_1C]
		push	eax
		lea	edx, [esi+78h]
		lea	ecx, [ebp+var_74]
		call	PspCopyUnicodeString
		mov	edi, eax
		test	edi, edi
		js	loc_8EAB76
		lea	eax, [ebp+var_1C]
		push	eax
		lea	edx, [esi+80h]
		lea	ecx, [ebp+var_7C]
		call	PspCopyUnicodeString
		mov	edi, eax
		test	edi, edi
		js	loc_8EAB76
		lea	eax, [ebp+var_1C]
		push	eax
		lea	edx, [esi+2A4h]
		lea	ecx, [ebp+var_44]
		call	PspCopyUnicodeString
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_8EAC36

loc_7ACDAD:				; CODE XREF: PspCaptureUserProcessParameters+13E21Aj
		mov	[esi+2ACh], ebx
		mov	[esi+2B0h], ebx

loc_7ACDB9:				; CODE XREF: PspCaptureUserProcessParameters+13E235j
		mov	eax, [ebp+var_28]
		mov	[esi+88h], eax
		mov	edx, [ebp+var_24]
		mov	[esi+8Ch], edx
		test	edx, edx
		jnz	loc_8EAC5A

loc_7ACDD3:				; CODE XREF: PspCaptureUserProcessParameters+13E294j
					; PspCaptureUserProcessParameters+13E2A1j
		mov	[esi+2B4h], ebx
		mov	[esi+2B8h], ebx
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	loc_8EACC6

loc_7ACDEA:				; CODE XREF: PspCaptureUserProcessParameters+13E2AAj
					; PspCaptureUserProcessParameters+13E2E6j ...
		mov	ecx, esi
		mov	edx, [ebp+var_1C]
		mov	[ebp+var_20], edx
		sub	ecx, edx
		mov	eax, [ebp+var_2C]
		add	eax, ecx
		mov	[ebp+arg_0], eax
		jnz	loc_8EAD1D

loc_7ACE02:				; CODE XREF: PspCaptureUserProcessParameters+13E30Cj
					; PspCaptureUserProcessParameters+13E318j
		mov	[ebp+ms_exc.disabled], 5
		push	[ebp+var_30]	; size_t
		push	[ebp+var_3C]	; void *
		push	[ebp+var_1C]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7ACE21:				; CODE XREF: sub_8EAD4E+15j
		test	edi, edi
		js	loc_8EAB76
		mov	eax, [ebp+arg_4]
		and	al, 3
		cmp	al, 1
		jnz	short loc_7ACE6D

loc_7ACE32:				; CODE XREF: PspCaptureUserProcessParameters+45Cj
		test	byte ptr [ebp+arg_4], 1
		jnz	loc_7ACED3

loc_7ACE3C:				; CODE XREF: PspCaptureUserProcessParameters+4BFj
		mov	eax, [ebp+var_1C]
		mov	[esi+48h], eax
		mov	eax, [ebp+var_30]
		mov	[esi+290h], eax
		mov	[esi+294h], ebx
		mov	eax, [ebp+var_98]
		mov	[eax], esi
		xor	eax, eax

loc_7ACE5B:				; CODE XREF: PspCaptureUserProcessParameters+F7j
					; PspCaptureUserProcessParameters+153j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7ACE6D:				; CODE XREF: PspCaptureUserProcessParameters+410j
		lea	edx, [ebp+var_30]
		mov	ecx, [ebp+var_1C]
		call	PspValidateEnvironmentBlock
		mov	edi, eax
		test	edi, edi
		jns	short loc_7ACE32
		jmp	loc_8EAB76
; 

loc_7ACE83:				; CODE XREF: PspCaptureUserProcessParameters+E2j
		mov	ecx, [ebp+arg_8]
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	esi, eax
		mov	ecx, [esi+248h]
		mov	[ebp+var_38], ecx
		mov	ecx, [esi+24Ch]
		mov	[ebp+var_34], ecx
		mov	ecx, ds:_PspProtectedRuntimeData
		mov	[ebp+var_28], ecx
		mov	ecx, ds:dword_A40528
		mov	[ebp+var_24], ecx
		test	byte ptr [ebp+arg_4], 2
		jnz	loc_7ACB66
		mov	eax, [esi+254h]
		mov	[ebp+var_3C], eax
		movzx	eax, word ptr [esi+252h]
		mov	[ebp+var_30], eax
		jmp	loc_7ACB66
; 

loc_7ACED3:				; CODE XREF: PspCaptureUserProcessParameters+416j
		mov	[esi+10h], ebx
		mov	[esi+18h], ebx
		mov	[esi+1Ch], ebx
		mov	[esi+20h], ebx
		jmp	loc_7ACE3C
; 

loc_7ACEE4:				; CODE XREF: PspCaptureUserProcessParameters+5Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
PspCaptureUserProcessParameters	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspCopyUnicodeString proc near		; CODE XREF: PspCaptureUserProcessParameters+2C8p
					; PspCaptureUserProcessParameters+2E1p	...

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0Ch
		push	offset dword_6A2958
		call	__SEH_prolog4
		mov	esi, ecx
		mov	eax, [esi]
		mov	[edx], eax
		mov	eax, [esi+4]
		mov	[edx+4], eax
		cmp	dword ptr [esi+4], 0
		jz	short loc_7ACF52
		mov	edi, [ebp+arg_0]
		mov	ecx, [edi]
		mov	[edx+4], ecx
		and	[ebp+ms_exc.disabled], 0
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		movzx	ecx, word ptr [esi]
		movzx	eax, word ptr [esi+2]
		sub	eax, ecx
		push	eax		; size_t
		push	0		; int
		mov	eax, [edi]
		add	eax, ecx
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_7ACF52
		movzx	eax, word ptr [esi+2]
		add	eax, ecx
		mov	[edi], eax

loc_7ACF52:				; CODE XREF: PspCopyUnicodeString+1Cj
					; PspCopyUnicodeString+5Ej
		xor	eax, eax

loc_7ACF54:				; CODE XREF: PAGE:008EADCFj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PspCopyUnicodeString endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspCaptureAndValidateUnicodeString proc	near
					; CODE XREF: PspCaptureUserProcessParameters+EEp
					; PspCaptureUserProcessParameters+14Cp	...

ms_exc		= CPPEH_RECORD ptr -18h

		push	10h
		push	offset dword_6A2978
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ecx]
		mov	[edx], eax
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		movzx	ecx, word ptr [edx]
		test	cl, 1
		jnz	short loc_7ACFE2
		mov	esi, eax
		test	esi, esi
		jz	short loc_7ACFD0
		lea	eax, [ecx+2]
		mov	[edx+2], ax
		cmp	ax, cx
		jb	short loc_7ACFE2

loc_7ACFA0:				; CODE XREF: PspCaptureAndValidateUnicodeString+75j
		mov	[ebp+ms_exc.disabled], 1
		test	cx, cx
		jz	short loc_7ACFBB
		add	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_7ACFDD
		cmp	ecx, esi
		jb	short loc_7ACFDD

loc_7ACFBB:				; CODE XREF: PspCaptureAndValidateUnicodeString+44j
					; PspCaptureAndValidateUnicodeString+7Aj
		mov	[ebp+ms_exc.disabled], edi
		xor	eax, eax

loc_7ACFC0:				; CODE XREF: PspCaptureAndValidateUnicodeString+81j
					; PAGE:008EADEFj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7ACFD0:				; CODE XREF: PspCaptureAndValidateUnicodeString+2Cj
		test	cx, cx
		jnz	short loc_7ACFE2
		xor	eax, eax
		mov	[edx+2], ax
		jmp	short loc_7ACFA0
; 

loc_7ACFDD:				; CODE XREF: PspCaptureAndValidateUnicodeString+4Fj
					; PspCaptureAndValidateUnicodeString+53j
		mov	byte ptr [eax],	0
		jmp	short loc_7ACFBB
; 

loc_7ACFE2:				; CODE XREF: PspCaptureAndValidateUnicodeString+26j
					; PspCaptureAndValidateUnicodeString+38j ...
		mov	eax, 0C000000Dh
		jmp	short loc_7ACFC0
PspCaptureAndValidateUnicodeString endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpAllocateAtom proc near		; CODE XREF: RtlpLookupOrCreateLowBox+6Fp
					; RtlCreateAtomTableEx+5Cp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EAE14 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	edi
		push	eax
		push	8
		mov	edi, edx
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_7AD04A
		push	esi
		push	edi
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7AD044
		mov	ecx, large fs:124h
		push	ebx
		mov	ebx, [ebp+var_4]
		mov	edx, ebx
		push	0
		mov	ecx, [ecx+80h]
		call	PsChargeSharedPoolQuota
		mov	[esi], eax
		test	eax, eax
		jz	loc_8EAE14
		mov	[esi+4], ebx
		add	esi, 8

loc_7AD043:				; CODE XREF: RtlpAllocateAtom+13DE33j
		pop	ebx

loc_7AD044:				; CODE XREF: RtlpAllocateAtom+2Dj
		mov	eax, esi
		pop	esi

loc_7AD047:				; CODE XREF: RtlpAllocateAtom+62j
		pop	edi
		leave
		retn
; 

loc_7AD04A:				; CODE XREF: RtlpAllocateAtom+1Bj
		xor	eax, eax
		jmp	short loc_7AD047
RtlpAllocateAtom endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspValidateEnvironmentBlock proc near	; CODE XREF: PspCaptureUserProcessParameters+453p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EAE22 SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, edx
		xor	bh, bh
		cmp	word ptr [ecx],	0
		push	esi
		push	edi
		mov	esi, [eax]
		mov	[ebp+var_4], eax
		jz	loc_8EAE22

loc_7AD06C:				; CODE XREF: PspValidateEnvironmentBlock+13DDD8j
		test	esi, esi
		jz	short loc_7AD0C3

loc_7AD070:				; CODE XREF: PspValidateEnvironmentBlock+56j
		movzx	eax, word ptr [ecx]
		xor	edi, edi
		add	ecx, 2
		xor	edx, edx
		xor	bl, bl
		sub	esi, 2
		jz	short loc_7AD0CA

loc_7AD081:				; CODE XREF: PspValidateEnvironmentBlock+46j
		test	ax, ax
		jz	short loc_7AD098
		cmp	ax, 3Dh
		jz	short loc_7AD0B5

loc_7AD08C:				; CODE XREF: PspValidateEnvironmentBlock+68j
					; PspValidateEnvironmentBlock+6Cj
		movzx	eax, word ptr [ecx]
		inc	edx
		add	ecx, 2
		sub	esi, 2
		jnz	short loc_7AD081

loc_7AD098:				; CODE XREF: PspValidateEnvironmentBlock+34j
		test	edx, edx
		jz	short loc_7AD0CA

loc_7AD09C:				; CODE XREF: PspValidateEnvironmentBlock+7Dj
		test	edi, edi
		jz	short loc_7AD0C3
		test	bl, bl
		jnz	short loc_7AD0BE

loc_7AD0A4:				; CODE XREF: PspValidateEnvironmentBlock+71j
					; PspValidateEnvironmentBlock+8Cj
		test	esi, esi
		jnz	short loc_7AD070
		test	bh, bh
		jz	short loc_7AD0C3
		xor	eax, eax

loc_7AD0AE:				; CODE XREF: PspValidateEnvironmentBlock+78j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7AD0B5:				; CODE XREF: PspValidateEnvironmentBlock+3Aj
		inc	edi
		test	edx, edx
		jnz	short loc_7AD08C
		mov	bl, 1
		jmp	short loc_7AD08C
; 

loc_7AD0BE:				; CODE XREF: PspValidateEnvironmentBlock+52j
		cmp	edi, 2
		jnb	short loc_7AD0A4

loc_7AD0C3:				; CODE XREF: PspValidateEnvironmentBlock+1Ej
					; PspValidateEnvironmentBlock+4Ej ...
		mov	eax, 0C000000Dh
		jmp	short loc_7AD0AE
; 

loc_7AD0CA:				; CODE XREF: PspValidateEnvironmentBlock+2Fj
					; PspValidateEnvironmentBlock+4Aj
		test	ax, ax
		jnz	short loc_7AD09C
		test	esi, esi
		jz	short loc_7AD0DA
		mov	eax, [ebp+var_4]
		sub	[eax], esi
		xor	esi, esi

loc_7AD0DA:				; CODE XREF: PspValidateEnvironmentBlock+81j
		mov	bh, 1
		jmp	short loc_7AD0A4
PspValidateEnvironmentBlock endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpValidateComponents(x, x)
_CmpValidateComponents@8 proc near	; CODE XREF: CmpGetSymbolicLinkTarget+84Fp
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+47Fp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		test	edi, edi
		jz	short loc_7AD10A
		lea	esi, [eax+20h]
		mov	ebx, 200h

loc_7AD0F5:				; CODE XREF: CmpValidateComponents(x,x)+28j
		cmp	eax, 8
		jnb	short loc_7AD110
		mov	ecx, edx

loc_7AD0FC:				; CODE XREF: CmpValidateComponents(x,x)+33j
		cmp	[esi+ecx], bx
		ja	short loc_7AD115
		inc	eax
		add	esi, 8
		cmp	eax, edi
		jb	short loc_7AD0F5

loc_7AD10A:				; CODE XREF: CmpValidateComponents(x,x)+Bj
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7AD110:				; CODE XREF: CmpValidateComponents(x,x)+18j
		mov	ecx, [edx+60h]
		jmp	short loc_7AD0FC
; 

loc_7AD115:				; CODE XREF: CmpValidateComponents(x,x)+20j
		pop	edi
		pop	esi
		mov	eax, 0C000000Dh
		pop	ebx
		retn
_CmpValidateComponents@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRemoveDisabledGroupsAndPrivileges(x, x, x, x, x,	x)
_SepRemoveDisabledGroupsAndPrivileges@24 proc near
					; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+7C0p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, edx
		xor	edx, edx
		mov	[ebp+var_8], eax
		push	edi
		mov	[ebp+var_10], edx
		mov	ebx, edx
		mov	[ebp+var_2], dl
		mov	[ebp+var_1], dl
		cmp	[esi+7Ch], edx
		jbe	short loc_7AD178

loc_7AD142:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+58j
		mov	ecx, [esi+94h]
		mov	edi, ebx
		shl	edi, 3
		test	byte ptr [edi+ecx+4], 30h
		jnz	short loc_7AD16A
		push	dword ptr [edi+ecx]
		mov	edx, [ebp+arg_0]
		push	ecx
		mov	ecx, [ebp+arg_4]
		call	_SepSidInSidAndAttributes@16 ; SepSidInSidAndAttributes(x,x,x,x)
		test	al, al
		jnz	short loc_7AD1CE
		mov	eax, [ebp+var_8]

loc_7AD16A:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+34j
		test	al, 4
		jnz	loc_7AD20D

loc_7AD172:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+DDj
					; SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+EAj ...
		inc	ebx
		cmp	ebx, [esi+7Ch]
		jb	short loc_7AD142

loc_7AD178:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+22j
		mov	edi, [esi+0B0h]
		mov	eax, edi
		and	eax, 800h
		mov	[ebp+var_C], edi
		mov	[ebp+var_14], eax
		jz	loc_7AD289

loc_7AD191:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+175j
		mov	eax, [ebp+var_8]
		test	al, 1
		jz	loc_7AD227
		mov	eax, 800000h
		xor	ecx, ecx
		and	[esi+48h], eax
		mov	bl, 1
		and	[esi+50h], eax
		and	[esi+40h], eax
		mov	[esi+4Ch], ecx
		mov	[esi+54h], ecx
		mov	[esi+44h], ecx

loc_7AD1B7:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+118j
					; SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+166j
		cmp	[ebp+var_14], 0
		jz	loc_7AD298

loc_7AD1C1:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+184j
					; SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+196j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	10h
; 

loc_7AD1CA:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+FFj
		mov	[ebp+var_2], 1

loc_7AD1CE:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+47j
		mov	eax, [esi+94h]
		mov	[ebp+var_1], 1
		and	dword ptr [edi+eax+4], 0FFFFFFF0h
		mov	eax, [esi+94h]
		or	dword ptr [edi+eax+4], 10h
		or	dword ptr [esi+0B0h], 800h
		mov	eax, [ebp+var_8]
		cmp	ebx, [esi+90h]
		jnz	loc_7AD172
		and	dword ptr [esi+90h], 0
		jmp	loc_7AD172
; 

loc_7AD20D:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+4Ej
		mov	eax, [esi+94h]
		add	eax, edi
		push	eax
		call	_RtlIsElevatedRid@4 ; RtlIsElevatedRid(x)
		test	al, al
		jnz	short loc_7AD1CA
		mov	eax, [ebp+var_8]
		jmp	loc_7AD172
; 

loc_7AD227:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+78j
		test	al, 4
		jnz	loc_7AD2B9
		mov	bl, [ebp+var_1]

loc_7AD232:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+1F0j
		cmp	[ebp+arg_8], 0
		jbe	loc_7AD1B7
		mov	ebx, [ebp+arg_C]
		mov	edi, [ebp+arg_8]

loc_7AD242:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+15Ej
		mov	ecx, [ebx]
		lea	eax, [ecx-2]
		cmp	eax, 22h
		ja	short loc_7AD276
		xor	eax, eax
		xor	edx, edx
		inc	eax
		call	__allshl
		not	eax
		not	edx
		and	[esi+48h], eax
		xor	eax, eax
		and	[esi+4Ch], edx
		inc	eax
		mov	ecx, [ebx]
		xor	edx, edx
		call	__allshl
		not	eax
		not	edx
		and	[esi+40h], eax
		and	[esi+44h], edx

loc_7AD276:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+12Cj
		add	ebx, 0Ch
		sub	edi, 1
		jnz	short loc_7AD242
		mov	edi, [ebp+var_C]
		mov	bl, [ebp+var_1]
		jmp	loc_7AD1B7
; 

loc_7AD289:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+6Dj
		mov	ecx, esi
		call	_SepTokenPrivilegeCount@4 ; SepTokenPrivilegeCount(x)
		mov	[ebp+var_10], eax
		jmp	loc_7AD191
; 

loc_7AD298:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+9Dj
		mov	ecx, esi
		call	_SepTokenPrivilegeCount@4 ; SepTokenPrivilegeCount(x)
		cmp	eax, [ebp+var_10]
		jnb	loc_7AD1C1
		or	edi, 800h
		mov	[esi+0B0h], edi
		jmp	loc_7AD1C1
; 

loc_7AD2B9:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+10Bj
		cmp	[ebp+var_2], 0
		mov	edi, [esi+40h]
		mov	eax, [esi+48h]
		mov	ecx, [esi+4Ch]
		mov	edx, [esi+50h]
		mov	ebx, [esi+54h]
		mov	[ebp+arg_0], edi
		mov	edi, [esi+44h]
		mov	[ebp+arg_4], edi
		mov	edi, [ebp+var_C]
		jnz	short loc_7AD313
		and	eax, 0DFE9F97Bh
		and	ecx, 0FFFFFFEEh
		mov	[esi+4Ch], ecx
		and	ebx, 0FFFFFFEEh
		mov	[esi+48h], eax
		mov	ecx, 0DFE9F97Bh
		mov	eax, [ebp+arg_0]
		and	edx, ecx
		and	eax, ecx
		mov	ecx, [ebp+arg_4]
		and	ecx, 0FFFFFFEEh

loc_7AD2FD:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+218j
		mov	[esi+54h], ebx
		mov	bl, 1
		mov	[esi+50h], edx
		mov	[esi+40h], eax
		mov	[esi+44h], ecx
		mov	[ebp+var_1], bl
		jmp	loc_7AD232
; 

loc_7AD313:				; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+1BAj
		and	eax, 2880000h
		and	ecx, 6
		mov	[esi+4Ch], ecx
		and	ebx, 6
		mov	[esi+48h], eax
		mov	ecx, 2880000h
		mov	eax, [ebp+arg_0]
		and	edx, ecx
		and	eax, ecx
		mov	ecx, [ebp+arg_4]
		and	ecx, 6
		jmp	short loc_7AD2FD
_SepRemoveDisabledGroupsAndPrivileges@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSidInSidAndAttributes(x,	x, x, x)
_SepSidInSidAndAttributes@16 proc near	; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+40p
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+5A5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	edi
		test	esi, esi
		jz	short loc_7AD388
		mov	ebx, [ebp+arg_4]
		xor	edi, edi
		movzx	eax, byte ptr [ebx+1]
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_4], eax
		test	edx, edx
		jz	short loc_7AD388
		mov	al, [ebx]
		mov	byte ptr [ebp+arg_4+3],	al

loc_7AD367:				; CODE XREF: SepSidInSidAndAttributes(x,x,x,x)+4Ej
		mov	ecx, [esi]
		cmp	al, [ecx]
		jnz	short loc_7AD380
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		cmp	[ebp+var_4], eax
		jz	short loc_7AD391

loc_7AD37D:				; CODE XREF: SepSidInSidAndAttributes(x,x,x,x)+6Dj
		mov	al, byte ptr [ebp+arg_4+3]

loc_7AD380:				; CODE XREF: SepSidInSidAndAttributes(x,x,x,x)+33j
		add	esi, 8
		inc	edi
		cmp	edi, edx
		jb	short loc_7AD367

loc_7AD388:				; CODE XREF: SepSidInSidAndAttributes(x,x,x,x)+11j
					; SepSidInSidAndAttributes(x,x,x,x)+28j
		xor	al, al

loc_7AD38A:				; CODE XREF: SepSidInSidAndAttributes(x,x,x,x)+71j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7AD391:				; CODE XREF: SepSidInSidAndAttributes(x,x,x,x)+43j
		push	[ebp+var_4]	; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7AD3A7
		mov	edx, [ebp+var_8]
		jmp	short loc_7AD37D
; 

loc_7AD3A7:				; CODE XREF: SepSidInSidAndAttributes(x,x,x,x)+68j
		mov	al, 1
		jmp	short loc_7AD38A
_SepSidInSidAndAttributes@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCopyTokenAccessInformation(x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x)
_SepCopyTokenAccessInformation@60 proc near ; CODE XREF: SeQueryInformationToken(x,x,x)+565p
					; NtQueryInformationToken(x,x,x,x,x)+14FDp

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_88		= dword	ptr -88h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= byte ptr  34h
arg_30		= dword	ptr  38h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0CCh+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+0CCh+var_BC], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+0CCh+var_C4], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+0CCh+var_B4], eax
		mov	eax, [ebp+arg_14]
		mov	[esp+0CCh+var_B8], eax
		mov	eax, [ebp+arg_18]
		mov	[esp+0CCh+var_A8], eax
		mov	eax, [ebp+arg_1C]
		mov	[esp+0CCh+var_AC], eax
		mov	eax, [ebp+arg_20]
		push	ebx
		mov	[esp+0D0h+var_B0], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_24]
		push	esi
		mov	[esp+0D4h+var_A0], eax
		xor	esi, esi
		mov	eax, [ebp+arg_28]
		push	edi
		mov	[esp+0D8h+var_94], eax
		mov	edi, edx
		mov	eax, [ebp+arg_30]
		push	88h		; size_t
		mov	[esp+0DCh+var_9C], eax
		lea	eax, [esp+0DCh+var_90]
		push	esi		; int
		push	eax		; void *
		mov	[esp+0E4h+var_C0], edi
		mov	[esp+0E4h+var_A4], esi
		call	_memset
		add	esp, 0Ch
		call	_Feature_693672248__private_IsEnabledDeviceUsage@0 ; Feature_693672248__private_IsEnabledDeviceUsage()
		mov	eax, [ebp+arg_0]
		lea	edx, [edi+1Ch]
		add	eax, edi
		mov	ecx, ebx
		mov	[esp+0D8h+var_98], eax
		mov	eax, [ebx+18h]
		mov	[edi+0Ch], eax
		mov	eax, [ebx+1Ch]
		mov	[edi+10h], eax
		mov	eax, [ebx+0A8h]
		mov	[edi+14h], eax
		mov	eax, [ebx+0ACh]
		mov	[edi+18h], eax
		mov	eax, [ebx+0B0h]
		mov	[edi+20h], eax
		call	_SeQueryMandatoryPolicyToken@8 ; SeQueryMandatoryPolicyToken(x,x)
		mov	eax, [ebx+274h]
		test	eax, eax
		jnz	short loc_7AD47F
		mov	eax, esi
		jmp	short loc_7AD482
; 

loc_7AD47F:				; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+CDj
		mov	eax, [eax+14h]

loc_7AD482:				; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+D1j
		mov	[edi+24h], eax
		lea	ecx, [edi+38h]
		mov	eax, [ebx+7Ch]
		lea	edx, [ecx+88h]
		mov	[ecx], eax
		lea	eax, [esp+0D8h+var_CC]
		push	eax		; int
		mov	[ecx+4], edx
		mov	[edi], ecx
		push	eax		; int
		mov	[esp+0E0h+var_C8], ecx
		mov	ecx, [esp+0E0h+var_C4]
		lea	eax, [ecx+edx]
		push	eax		; void *
		mov	eax, [esp+0E4h+var_BC]
		push	edx		; int
		sub	eax, ecx
		push	eax		; int
		push	dword ptr [ebx+94h] ; int
		push	dword ptr [ebx+7Ch] ; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)
		call	_Feature_693672248__private_IsEnabledDeviceUsage@0 ; Feature_693672248__private_IsEnabledDeviceUsage()
		mov	ecx, [ebx+94h]
		neg	eax
		sbb	eax, eax
		neg	eax
		mov	eax, [ebx+7Ch]
		jz	short loc_7AD511
		lea	edx, [esp+0D8h+var_90]
		push	edx		; void *
		push	eax		; int
		push	ecx		; int
		call	RtlSidHashInitialize
		push	84h		; size_t
		lea	eax, [edi+3Ch]
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esp+0E4h+var_90]
		lea	esi, [esp+0E4h+var_88]
		add	esp, 0Ch
		mov	[edi+38h], eax
		add	edi, 40h
		push	20h
		pop	ecx
		rep movsd
		mov	edi, [esp+0D8h+var_C0]
		mov	esi, [esp+0D8h+var_C8]
		jmp	short loc_7AD51C
; 

loc_7AD511:				; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+128j
		lea	esi, [edi+38h]
		push	esi		; void *
		push	eax		; int
		push	ecx		; int
		call	RtlSidHashInitialize

loc_7AD51C:				; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+163j
		lea	eax, [esi+88h]
		mov	[esi+4], eax
		mov	esi, [esp+0D8h+var_BC]
		add	esi, eax
		mov	eax, [ebx+80h]
		mov	[esp+0D8h+var_C8], esi
		lea	ecx, [esi+88h]
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[edi+4], esi
		mov	edx, [ebx+80h]
		test	edx, edx
		jz	short loc_7AD5C2
		lea	eax, [esp+0D8h+var_CC]
		push	eax		; int
		push	eax		; int
		mov	eax, [esp+0E0h+var_B8]
		add	eax, ecx
		push	eax		; void *
		mov	eax, [esp+0E4h+var_B4]
		sub	eax, [esp+0E4h+var_B8]
		push	ecx		; int
		push	eax		; int
		push	dword ptr [ebx+98h] ; int
		push	edx		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)
		call	_Feature_693672248__private_IsEnabledDeviceUsage@0 ; Feature_693672248__private_IsEnabledDeviceUsage()
		mov	ecx, [ebx+98h]
		neg	eax
		sbb	eax, eax
		neg	eax
		mov	eax, [ebx+80h]
		jz	short loc_7AD5B1
		lea	edx, [esp+0D8h+var_90]
		push	edx		; void *
		push	eax		; int
		push	ecx		; int
		call	RtlSidHashInitialize
		mov	eax, [esp+0D8h+var_90]
		lea	edi, [esi+8]
		mov	[esi], eax
		lea	esi, [esp+0D8h+var_88]
		push	20h
		pop	ecx
		rep movsd
		mov	edi, [esp+0D8h+var_C0]
		mov	esi, [esp+0D8h+var_C8]
		jmp	short loc_7AD5B9
; 

loc_7AD5B1:				; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1DBj
		push	esi		; void *
		push	eax		; int
		push	ecx		; int
		call	RtlSidHashInitialize

loc_7AD5B9:				; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+203j
		lea	ecx, [esi+88h]
		mov	[esi+4], ecx

loc_7AD5C2:				; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+19Fj
		mov	esi, [esp+0D8h+var_B4]
		mov	eax, [ebx+1E8h]
		add	esi, ecx
		mov	[esp+0D8h+var_C8], esi
		lea	ecx, [esi+88h]
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[edi+2Ch], esi
		mov	edx, [ebx+1E8h]
		test	edx, edx
		jz	short loc_7AD65F
		lea	eax, [esp+0D8h+var_CC]
		push	eax		; int
		push	eax		; int
		mov	eax, [esp+0E0h+var_B0]
		add	eax, ecx
		push	eax		; void *
		mov	eax, [esp+0E4h+var_AC]
		sub	eax, [esp+0E4h+var_B0]
		push	ecx		; int
		push	eax		; int
		push	dword ptr [ebx+1E4h] ; int
		push	edx		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)
		call	_Feature_693672248__private_IsEnabledDeviceUsage@0 ; Feature_693672248__private_IsEnabledDeviceUsage()
		mov	ecx, [ebx+1E4h]
		neg	eax
		sbb	eax, eax
		neg	eax
		mov	eax, [ebx+1E8h]
		jz	short loc_7AD64E
		lea	edx, [esp+0D8h+var_90]
		push	edx		; void *
		push	eax		; int
		push	ecx		; int
		call	RtlSidHashInitialize
		mov	eax, [esp+0D8h+var_90]
		lea	edi, [esi+8]
		mov	[esi], eax
		lea	esi, [esp+0D8h+var_88]
		push	20h
		pop	ecx
		rep movsd
		mov	esi, [esp+0D8h+var_C8]
		mov	edi, [esp+0D8h+var_C0]
		jmp	short loc_7AD656
; 

loc_7AD64E:				; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+278j
		push	esi		; void *
		push	eax		; int
		push	ecx		; int
		call	RtlSidHashInitialize

loc_7AD656:				; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2A0j
		lea	ecx, [esi+88h]
		mov	[esi+4], ecx

loc_7AD65F:				; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+23Cj
		mov	esi, [esp+0D8h+var_AC]
		xor	eax, eax
		mov	edx, [esp+0D8h+var_A8]
		add	esi, ecx
		test	edx, edx
		jz	short loc_7AD691
		mov	ecx, [ebx+1E0h]
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		mov	edx, [esp+0E4h+var_A8]
		add	esp, 0Ch
		mov	eax, esi

loc_7AD691:				; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2C1j
		cmp	[ebp+arg_2C], 0
		mov	ecx, [esp+0D8h+var_9C]
		mov	[edi+28h], eax
		jnz	short loc_7AD6A4
		mov	ecx, [ebx+280h]

loc_7AD6A4:				; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2F0j
		add	esi, edx
		cmp	[esp+0D8h+var_A0], 0
		jbe	short loc_7AD6C7
		movzx	eax, byte ptr [ecx+1]
		mov	[esp+0D8h+var_A4], esi
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_7AD6C7:				; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2FFj
		mov	eax, [esp+0D8h+var_A4]
		add	esi, [esp+0D8h+var_A0]
		mov	[edi+30h], eax
		mov	edx, esi
		mov	ecx, [ebx+1DCh]
		lea	eax, [esp+0D8h+var_CC]
		push	eax
		mov	eax, [esp+0DCh+var_98]
		sub	eax, esi
		push	eax
		call	_AuthzBasepQueryInternalSecurityAttributesToken@16 ; AuthzBasepQueryInternalSecurityAttributesToken(x,x,x,x)
		mov	edx, [esp+0D8h+var_94]
		mov	ecx, ebx
		mov	eax, [ebp+arg_4]
		add	edx, esi
		mov	[edi+34h], esi
		mov	[edx], eax
		mov	[edi+8], edx
		add	edx, 4
		call	_SepConvertTokenPrivilegesToLuidAndAttributes@8	; SepConvertTokenPrivilegesToLuidAndAttributes(x,x)
		mov	ecx, [esp+0D8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	34h
_SepCopyTokenAccessInformation@60 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepGetTokenAccessInformationBufferSize(x, x, x, x, x, x, x,	x, x, x, x, x, x)
_SepGetTokenAccessInformationBufferSize@52 proc	near
					; CODE XREF: SeQueryInformationToken(x,x,x)+516p
					; NtQueryInformationToken(x,x,x,x,x)+149Ap

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_20], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1], dl
		mov	esi, ecx
		call	_SepTokenPrivilegeCount@4 ; SepTokenPrivilegeCount(x)
		imul	ecx, eax, 0Ch
		mov	[ebp+var_28], eax
		lea	edi, [ecx+10h]
		mov	[ebp+var_24], edi
		test	eax, eax
		jz	short loc_7AD74D
		lea	eax, [ecx+4]
		mov	[ebp+var_24], eax

loc_7AD74D:				; CODE XREF: SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+27j
		mov	ecx, [esi+7Ch]
		mov	eax, ecx
		mov	ebx, [esi+1E8h]
		mov	edi, ebx
		mov	edx, [esi+80h]
		shl	eax, 3
		mov	[ebp+var_C], eax
		mov	eax, edx
		shl	edi, 3
		shl	eax, 3
		mov	[ebp+var_1C], edi
		mov	edi, [ebp+var_C]
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], edi
		test	ecx, ecx
		jz	short loc_7AD7A2
		mov	edi, [esi+94h]

loc_7AD784:				; CODE XREF: SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+7Fj
		mov	eax, [edi]
		lea	edi, [edi+8]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	[ebp+var_8], eax
		sub	ecx, 1
		jnz	short loc_7AD784
		mov	eax, [ebp+var_14]

loc_7AD7A2:				; CODE XREF: SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+5Ej
		mov	[ebp+var_10], eax
		mov	edi, eax
		test	edx, edx
		jnz	loc_7AD8AF

loc_7AD7AF:				; CODE XREF: SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+1B4j
		mov	edx, [ebp+var_1C]
		mov	[ebp+var_18], edx
		test	ebx, ebx
		jnz	loc_7AD861

loc_7AD7BD:				; CODE XREF: SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+166j
		mov	eax, [esi+1E0h]
		xor	ebx, ebx
		test	eax, eax
		jnz	loc_7AD889

loc_7AD7CD:				; CODE XREF: SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+179j
		cmp	[ebp+var_1], 0
		mov	eax, [ebp+arg_0]
		jnz	short loc_7AD7DC
		mov	eax, [esi+280h]

loc_7AD7DC:				; CODE XREF: SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+B6j
		xor	edi, edi
		test	eax, eax
		jnz	loc_7AD89C

loc_7AD7E6:				; CODE XREF: SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+18Cj
		mov	ecx, [esi+1DCh]
		lea	eax, [ebp+var_20]
		push	eax
		push	0
		xor	edx, edx
		call	_AuthzBasepQueryInternalSecurityAttributesToken@16 ; AuthzBasepQueryInternalSecurityAttributesToken(x,x,x,x)
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_28]
		mov	esi, [ebp+var_10]
		mov	edx, [ebp+var_18]
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_8]
		mov	[eax], ecx
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_C]
		mov	[eax], ecx
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+var_14]
		mov	[eax], esi
		mov	eax, [ebp+arg_14]
		mov	[eax], ecx
		mov	eax, [ebp+arg_18]
		mov	ecx, [ebp+var_1C]
		mov	[eax], ebx
		mov	eax, [ebp+arg_1C]
		mov	[eax], edx
		mov	eax, [ebp+arg_20]
		mov	[eax], ecx
		mov	eax, [ebp+arg_24]
		mov	ecx, [ebp+var_20]
		mov	[eax], edi
		mov	eax, [ebp+arg_28]
		mov	[eax], ecx
		lea	eax, [ecx+edi]
		mov	ecx, [ebp+var_24]
		add	eax, edx
		add	eax, ebx
		add	ecx, 1D0h
		add	eax, esi
		add	eax, [ebp+var_8]
		pop	edi
		pop	esi
		add	eax, ecx
		pop	ebx
		leave
		retn	2Ch
; 

loc_7AD861:				; CODE XREF: SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+99j
		mov	ecx, [esi+1E4h]

loc_7AD867:				; CODE XREF: SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+161j
		mov	eax, [ecx]
		lea	ecx, [ecx+8]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	edx, eax
		sub	ebx, 1
		jnz	short loc_7AD867
		mov	[ebp+var_18], edx
		jmp	loc_7AD7BD
; 

loc_7AD889:				; CODE XREF: SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+A9j
		movzx	eax, byte ptr [eax+1]
		lea	ebx, ds:0Bh[eax*4]
		and	ebx, 0FFFFFFFCh
		jmp	loc_7AD7CD
; 

loc_7AD89C:				; CODE XREF: SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+C2j
		movzx	eax, byte ptr [eax+1]
		lea	edi, ds:0Bh[eax*4]
		and	edi, 0FFFFFFFCh
		jmp	loc_7AD7E6
; 

loc_7AD8AF:				; CODE XREF: SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+8Bj
		mov	ecx, [esi+98h]

loc_7AD8B5:				; CODE XREF: SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+1AFj
		mov	eax, [ecx]
		lea	ecx, [ecx+8]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	edi, eax
		sub	edx, 1
		jnz	short loc_7AD8B5
		mov	[ebp+var_10], edi
		jmp	loc_7AD7AF
_SepGetTokenAccessInformationBufferSize@52 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepQueryInternalSecurityAttributesToken(x, x, x, x)
_AuthzBasepQueryInternalSecurityAttributesToken@16 proc	near
					; CODE XREF: SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+33Ap
					; SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)+D6p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		mov	eax, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], eax
		push	esi
		push	edi
		test	eax, eax
		jz	short loc_7AD927
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_7AD927
		cmp	[ebp+arg_0], 0
		jnz	short loc_7AD923

loc_7AD8FF:				; CODE XREF: AuthzBasepQueryInternalSecurityAttributesToken(x,x,x,x)+4Dj
		and	dword ptr [esi], 0
		lea	edx, [ebp+var_4]
		call	AuthzBasepGetInternalSecurityAttributesCopyoutBufferSize
		test	eax, eax
		js	short loc_7AD91D
		mov	edi, [ebp+var_4]
		cmp	[ebp+arg_0], edi
		jnb	short loc_7AD92E
		mov	eax, 0C0000023h

loc_7AD91B:				; CODE XREF: AuthzBasepQueryInternalSecurityAttributesToken(x,x,x,x)+64j
		mov	[esi], edi

loc_7AD91D:				; CODE XREF: AuthzBasepQueryInternalSecurityAttributesToken(x,x,x,x)+34j
					; AuthzBasepQueryInternalSecurityAttributesToken(x,x,x,x)+54j
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_7AD923:				; CODE XREF: AuthzBasepQueryInternalSecurityAttributesToken(x,x,x,x)+25j
		test	edx, edx
		jnz	short loc_7AD8FF

loc_7AD927:				; CODE XREF: AuthzBasepQueryInternalSecurityAttributesToken(x,x,x,x)+18j
					; AuthzBasepQueryInternalSecurityAttributesToken(x,x,x,x)+1Fj
		mov	eax, 0C000000Dh
		jmp	short loc_7AD91D
; 

loc_7AD92E:				; CODE XREF: AuthzBasepQueryInternalSecurityAttributesToken(x,x,x,x)+3Cj
		push	[ebp+arg_0]	; int
		mov	edx, [ebp+var_8] ; void	*
		mov	ecx, [ebp+var_C] ; int
		call	_AuthzBasepCopyoutInternalSecurityAttributes@12	; AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)
		jmp	short loc_7AD91B
_AuthzBasepQueryInternalSecurityAttributesToken@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepGetInternalSecurityAttributesCopyoutBufferSize proc near
					; CODE XREF: AuthzBasepQueryInternalSecurityAttributesToken(x,x,x,x)+2Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EAE2D SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		test	edi, edi
		jz	loc_8EAE2D
		test	ebx, ebx
		jz	loc_8EAE2D
		mov	eax, [edi]
		push	18h
		pop	esi
		push	40h
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_4], esi
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_7AD9D6
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_7AD9D6
		add	edi, 4
		mov	esi, [edi]

loc_7AD996:				; CODE XREF: AuthzBasepGetInternalSecurityAttributesCopyoutBufferSize+91j
		cmp	esi, edi
		jz	short loc_7AD9D1
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+1]
		and	ecx, 0FFFFFFFEh
		cmp	ecx, eax
		jb	short loc_7AD9DD
		movzx	edx, word ptr [esi+10h]
		lea	eax, [ebp+var_4]
		push	eax
		mov	[ebp+var_4], ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_7AD9D6
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	AuthzBasepGetInternalSecurityAttributeValueCopyoutBufferSize
		mov	edx, eax
		test	edx, edx
		js	short loc_7AD9D6
		mov	esi, [esi]
		jmp	short loc_7AD996
; 

loc_7AD9D1:				; CODE XREF: AuthzBasepGetInternalSecurityAttributesCopyoutBufferSize+5Aj
		mov	eax, [ebp+var_4]
		mov	[ebx], eax

loc_7AD9D6:				; CODE XREF: AuthzBasepGetInternalSecurityAttributesCopyoutBufferSize+3Dj
					; AuthzBasepGetInternalSecurityAttributesCopyoutBufferSize+51j	...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn
; 

loc_7AD9DD:				; CODE XREF: AuthzBasepGetInternalSecurityAttributesCopyoutBufferSize+67j
		mov	edx, 0C0000095h
		jmp	short loc_7AD9D6
AuthzBasepGetInternalSecurityAttributesCopyoutBufferSize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall AuthzBasepCopyoutInternalSecurityAttributes(int,void *,int)
_AuthzBasepCopyoutInternalSecurityAttributes@12	proc near
					; CODE XREF: AuthzBasepQueryInternalSecurityAttributesToken(x,x,x,x)+5Fp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[esp+28h+var_14], ecx
		mov	[esp+28h+var_C], edi
		test	edi, edi
		jz	loc_7ADB75
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	loc_7ADB75
		lea	esi, [edi+edx]
		mov	[esp+28h+var_10], esi
		cmp	esi, edi
		jnb	short loc_7ADA24
		mov	edx, 0C000000Dh
		jmp	loc_7ADB7E
; 

loc_7ADA24:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+34j
		push	edx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		lea	ebx, [edi+18h]
		mov	[esp+34h+var_1C], 18h
		add	esp, 0Ch
		cmp	ebx, esi
		jbe	short loc_7ADA49

loc_7ADA3F:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+A2j
					; AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+118j
		mov	edx, 80000005h
		jmp	loc_7ADB7E
; 

loc_7ADA49:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+59j
		and	dword ptr [edi], 0
		lea	eax, [edi+4]
		and	dword ptr [edi+0Ch], 0
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+10h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [esp+28h+var_14]
		push	40h
		pop	ecx
		mov	eax, [eax]
		mul	ecx
		lea	ecx, [esp+28h+var_1C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_7ADB7E
		add	ebx, [esp+28h+var_1C]
		cmp	ebx, esi
		ja	short loc_7ADA3F
		mov	ecx, [esp+28h+var_14]
		add	ecx, 4
		mov	eax, [ecx]
		mov	[esp+28h+var_18], eax
		cmp	eax, ecx
		jz	loc_7ADB7A
		lea	esi, [edi+54h]

loc_7ADAA0:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+189j
		lea	edx, [esi-3Ch]
		lea	ecx, [edi+4]
		call	_AuthzBasepProbeAndInsertTailList@8 ; AuthzBasepProbeAndInsertTailList(x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_7ADB7E
		inc	dword ptr [edi]
		xor	edx, edx
		mov	ecx, [esp+28h+var_18]
		inc	ebx
		mov	ax, [ecx+18h]
		mov	[esi-24h], ax
		mov	eax, [ecx+1Ch]
		mov	[esi-20h], eax
		lea	eax, [esi-10h]
		mov	[esi-0Ch], eax
		mov	[eax], eax
		lea	eax, [esi-4]
		mov	[esi], eax
		mov	[eax], eax
		mov	eax, ebx
		mov	[esi-1Ch], edx
		and	eax, 0FFFFFFFEh
		mov	[esi-18h], edx
		mov	[esi-14h], edx
		mov	[esi-8], edx
		lea	edx, [ecx+10h]
		movzx	ecx, word ptr [edx]
		add	eax, ecx
		mov	[esp+28h+var_1C], ecx
		cmp	eax, [esp+28h+var_10]
		ja	loc_7ADA3F
		and	[esp+28h+var_8], 0
		lea	eax, [esp+28h+var_8]
		push	edx
		and	ebx, 0FFFFFFFEh
		mov	word ptr [esp+2Ch+var_8+2], cx
		push	eax
		mov	[esp+30h+var_4], ebx
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	eax, [esp+28h+var_8]
		lea	edx, [esi-3Ch]
		add	ebx, [esp+28h+var_1C]
		mov	ecx, [esp+28h+var_18]
		mov	[esi-2Ch], eax
		mov	eax, [esp+28h+var_4]
		mov	[esi-28h], eax
		lea	eax, [esp+28h+var_1C]
		push	eax
		mov	eax, [esp+2Ch+var_10]
		sub	eax, ebx
		push	eax
		push	ebx
		call	_AuthzBasepCopyoutInternalSecurityAttributeValues@20 ; AuthzBasepCopyoutInternalSecurityAttributeValues(x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_7ADB7E
		mov	eax, [esp+28h+var_18]
		add	esi, 40h
		mov	ecx, [esp+28h+var_14]
		add	ebx, [esp+28h+var_1C]
		add	ecx, 4
		mov	edi, [esp+28h+var_C]
		mov	eax, [eax]
		mov	[esp+28h+var_18], eax
		cmp	eax, ecx
		jnz	loc_7ADAA0
		jmp	short loc_7ADB7A
; 

loc_7ADB75:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+1Aj
					; AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+25j
		mov	edx, 0C000000Dh

loc_7ADB7A:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+B3j
					; AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+18Fj
		test	edx, edx
		jns	short loc_7ADB8B

loc_7ADB7E:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+3Bj
					; AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+60j ...
		cmp	[ebp+arg_0], 18h
		jb	short loc_7ADB8B
		push	6
		pop	ecx
		xor	eax, eax
		rep stosd

loc_7ADB8B:				; CODE XREF: AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+198j
					; AuthzBasepCopyoutInternalSecurityAttributes(x,x,x)+19Ej
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_AuthzBasepCopyoutInternalSecurityAttributes@12	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2314. RtlRemoveUnicodePrefix

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlRemoveUnicodePrefix
RtlRemoveUnicodePrefix proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EAE37 SIZE 00000092 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, 801h
		mov	ecx, [ebp+arg_4]
		and	dword ptr [eax+8], 0
		movzx	eax, word ptr [ecx]
		cmp	ax, dx
		jl	short loc_7ADC24
		push	ebx
		lea	ebx, [edx+1]
		push	esi
		cmp	ax, bx
		jg	loc_8EAE37
		mov	eax, [ecx+8]
		push	edi
		cmp	eax, ecx
		jnz	loc_8EAE5D
		lea	edx, [ecx+0Ch]
		mov	esi, edx
		mov	ecx, [esi]
		cmp	ecx, esi
		jz	short loc_7ADBE7

loc_7ADBDD:				; CODE XREF: RtlRemoveUnicodePrefix+49j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		cmp	eax, esi
		jnz	short loc_7ADBDD

loc_7ADBE7:				; CODE XREF: RtlRemoveUnicodePrefix+3Fj
		push	edx
		lea	edi, [esi-0Ch]
		call	_RtlDelete@4	; RtlDelete(x)
		test	eax, eax
		jz	short loc_7ADC28
		cmp	esi, eax
		jz	short loc_7ADC21
		lea	edx, [eax-0Ch]
		mov	eax, [esi-8]
		jmp	short loc_7ADC02
; 

loc_7ADC00:				; CODE XREF: RtlRemoveUnicodePrefix+6Bj
		mov	eax, ecx

loc_7ADC02:				; CODE XREF: RtlRemoveUnicodePrefix+62j
		mov	ecx, [eax+4]
		cmp	ecx, edi
		jnz	short loc_7ADC00
		mov	ecx, 801h
		mov	[edx], cx
		mov	[eax+4], edx
		mov	eax, [esi-8]
		mov	[edx+4], eax
		and	dword ptr [esi-8], 0
		mov	[edi], bx

loc_7ADC21:				; CODE XREF: RtlRemoveUnicodePrefix+5Aj
					; RtlRemoveUnicodePrefix+9Fj ...
		pop	edi

loc_7ADC22:				; CODE XREF: RtlRemoveUnicodePrefix+13D2A3j
					; RtlRemoveUnicodePrefix+13D2BCj
		pop	esi
		pop	ebx

loc_7ADC24:				; CODE XREF: RtlRemoveUnicodePrefix+1Aj
		pop	ebp
		retn	8
; 

loc_7ADC28:				; CODE XREF: RtlRemoveUnicodePrefix+56j
		mov	edx, [esi-8]
		mov	eax, edx
		jmp	short loc_7ADC31
; 

loc_7ADC2F:				; CODE XREF: RtlRemoveUnicodePrefix+9Aj
		mov	eax, ecx

loc_7ADC31:				; CODE XREF: RtlRemoveUnicodePrefix+91j
		mov	ecx, [eax+4]
		cmp	ecx, edi
		jnz	short loc_7ADC2F
		mov	[eax+4], edx
		jmp	short loc_7ADC21
RtlRemoveUnicodePrefix endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 504. FsRtlDeleteKeyFromTunnelCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlDeleteKeyFromTunnelCache(x, x,	x)
		public _FsRtlDeleteKeyFromTunnelCache@12
_FsRtlDeleteKeyFromTunnelCache@12 proc near

var_A		= byte ptr -0Ah
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	byte ptr [esp+0Bh], 1
		push	edi
		cmp	ds:_TunnelMaxEntries, esi
		jz	loc_7ADCF3
		mov	edi, [ebp+arg_0]
		lea	eax, [esp+18h+var_8]
		mov	ecx, edi
		mov	[esp+18h+var_4], eax
		mov	[esp+18h+var_8], eax
		call	ExAcquireFastMutex
		mov	eax, [edi+20h]
		jmp	short loc_7ADC83
; 

loc_7ADC7E:				; CODE XREF: FsRtlDeleteKeyFromTunnelCache(x,x,x)+5Aj
					; FsRtlDeleteKeyFromTunnelCache(x,x,x)+61j
		mov	esi, eax

loc_7ADC80:				; CODE XREF: FsRtlDeleteKeyFromTunnelCache(x,x,x)+50j
					; FsRtlDeleteKeyFromTunnelCache(x,x,x)+55j
		mov	eax, [eax+4]

loc_7ADC83:				; CODE XREF: FsRtlDeleteKeyFromTunnelCache(x,x,x)+3Aj
					; FsRtlDeleteKeyFromTunnelCache(x,x,x)+6Aj
		test	eax, eax
		jz	short loc_7ADCAE
		mov	edx, [eax+24h]
		mov	ecx, [eax+20h]
		cmp	edx, [ebp+arg_8]
		jb	short loc_7ADCA5
		ja	short loc_7ADC80
		cmp	ecx, [ebp+arg_4]
		ja	short loc_7ADC80
		cmp	edx, [ebp+arg_8]
		ja	short loc_7ADC7E
		jb	short loc_7ADCA5
		cmp	ecx, [ebp+arg_4]
		jnb	short loc_7ADC7E

loc_7ADCA5:				; CODE XREF: FsRtlDeleteKeyFromTunnelCache(x,x,x)+4Ej
					; FsRtlDeleteKeyFromTunnelCache(x,x,x)+5Cj
		test	esi, esi
		jnz	short loc_7ADCB2
		mov	eax, [eax+8]
		jmp	short loc_7ADC83
; 

loc_7ADCAE:				; CODE XREF: FsRtlDeleteKeyFromTunnelCache(x,x,x)+43j
		test	esi, esi
		jz	short loc_7ADCE3

loc_7ADCB2:				; CODE XREF: FsRtlDeleteKeyFromTunnelCache(x,x,x)+65j
					; FsRtlDeleteKeyFromTunnelCache(x,x,x)+9Fj
		push	esi
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		mov	ecx, [esi+20h]
		mov	ebx, eax
		cmp	ecx, [ebp+arg_4]
		jnz	short loc_7ADCE3
		mov	ecx, [esi+24h]
		cmp	ecx, [ebp+arg_8]
		jnz	short loc_7ADCE3
		lea	eax, [esp+0Fh]
		mov	edx, esi
		push	eax
		lea	eax, [esp+1Ch+var_8]
		mov	ecx, edi
		push	eax
		call	_FsRtlRemoveNodeFromTunnel@16 ;	FsRtlRemoveNodeFromTunnel(x,x,x,x)
		mov	esi, ebx
		test	ebx, ebx
		jnz	short loc_7ADCB2

loc_7ADCE3:				; CODE XREF: FsRtlDeleteKeyFromTunnelCache(x,x,x)+6Ej
					; FsRtlDeleteKeyFromTunnelCache(x,x,x)+7Ej ...
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		lea	ecx, [esp+18h+var_8]
		call	_FsRtlEmptyFreePoolList@4 ; FsRtlEmptyFreePoolList(x)

loc_7ADCF3:				; CODE XREF: FsRtlDeleteKeyFromTunnelCache(x,x,x)+1Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_FsRtlDeleteKeyFromTunnelCache@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2179. RtlInsertUnicodePrefix

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlInsertUnicodePrefix
RtlInsertUnicodePrefix proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EAEC9 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		call	_ComputeUnicodeNameLength@4 ; ComputeUnicodeNameLength(x)
		mov	esi, [ebp+arg_8]
		mov	ecx, eax
		mov	edx, [ebp+arg_4]
		lea	eax, [esi+0Ch]
		mov	[esi+2], cx
		and	dword ptr [eax+4], 0
		and	dword ptr [eax+8], 0
		mov	[eax], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+18h], edx
		mov	ebx, [eax+4]
		jmp	short loc_7ADD3D
; 

loc_7ADD35:				; CODE XREF: RtlInsertUnicodePrefix+3Fj
		mov	eax, ebx
		mov	ebx, [ebx+4]
		mov	[ebp+arg_0], eax

loc_7ADD3D:				; CODE XREF: RtlInsertUnicodePrefix+31j
		cmp	[ebx+2], cx
		jg	short loc_7ADD35
		jnz	loc_7ADDF8
		push	edi
		mov	edi, ebx

loc_7ADD4C:				; CODE XREF: RtlInsertUnicodePrefix+70j
		mov	ecx, [edi+18h]
		push	0
		call	CompareUnicodeStrings
		mov	ecx, 802h
		cmp	eax, 2
		jz	short loc_7ADDD9
		cmp	eax, 3
		jz	short loc_7ADD74
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_7ADDC4

loc_7ADD6C:				; CODE XREF: RtlInsertUnicodePrefix+77j
		mov	edx, [ebp+arg_4]
		lea	edi, [eax-0Ch]
		jmp	short loc_7ADD4C
; 

loc_7ADD74:				; CODE XREF: RtlInsertUnicodePrefix+61j
		mov	eax, [edi+10h]
		test	eax, eax
		jnz	short loc_7ADD6C
		and	[esi+4], eax
		lea	eax, [edi+0Ch]
		mov	[esi], cx
		lea	ecx, [esi+0Ch]
		mov	[esi+8], esi
		mov	[eax+4], ecx

loc_7ADD8D:				; CODE XREF: RtlInsertUnicodePrefix+D5j
		mov	[ecx], eax

loc_7ADD8F:				; CODE XREF: RtlInsertUnicodePrefix+13D1EDj
		mov	esi, [ebx+4]
		mov	eax, 802h
		and	dword ptr [ebx+4], 0
		mov	[ebx], ax
		lea	eax, [edi+0Ch]
		push	eax
		call	_RtlSplay@4	; RtlSplay(x)
		sub	eax, 0Ch
		mov	ecx, 801h
		mov	[eax], cx
		mov	ecx, [ebp+arg_0]
		mov	[ecx+4], eax
		mov	[eax+4], esi
		mov	al, 1

loc_7ADDBD:				; CODE XREF: RtlInsertUnicodePrefix+F4j
		pop	edi

loc_7ADDBE:				; CODE XREF: RtlInsertUnicodePrefix+109j
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_7ADDC4:				; CODE XREF: RtlInsertUnicodePrefix+68j
		and	dword ptr [esi+4], 0
		lea	eax, [edi+0Ch]
		mov	[esi], cx
		lea	ecx, [esi+0Ch]
		mov	[esi+8], esi
		mov	[eax+8], ecx
		jmp	short loc_7ADD8D
; 

loc_7ADDD9:				; CODE XREF: RtlInsertUnicodePrefix+5Cj
		mov	eax, edi
		mov	[ebp+arg_8], edi

loc_7ADDDE:				; CODE XREF: RtlInsertUnicodePrefix+13D1D2j
		mov	edx, [ebp+arg_4]
		mov	ecx, [eax+18h]
		push	0FFFFFFFFh
		call	CompareUnicodeStrings
		cmp	eax, 2
		jnz	loc_8EAEC9
		xor	al, al
		jmp	short loc_7ADDBD
; 

loc_7ADDF8:				; CODE XREF: RtlInsertUnicodePrefix+41j
		mov	[eax+4], esi
		mov	eax, 801h
		mov	[esi], ax
		mov	al, 1
		mov	[esi+4], ebx
		mov	[esi+8], esi
		jmp	short loc_7ADDBE
RtlInsertUnicodePrefix endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2094. RtlFindUnicodePrefix

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlFindUnicodePrefix
RtlFindUnicodePrefix proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EAEF4 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+4]
		mov	ecx, [ebp+arg_4]
		call	_ComputeUnicodeNameLength@4 ; ComputeUnicodeNameLength(x)
		jmp	short loc_7ADE30
; 

loc_7ADE2A:				; CODE XREF: RtlFindUnicodePrefix+22j
		mov	[ebp+arg_0], edi
		mov	edi, [edi+4]

loc_7ADE30:				; CODE XREF: RtlFindUnicodePrefix+16j
		cmp	[edi+2], ax
		jg	short loc_7ADE2A
		xor	eax, eax

loc_7ADE38:				; CODE XREF: RtlFindUnicodePrefix+62j
		cmp	[edi+2], ax
		jle	short loc_7ADEB4
		lea	ebx, [edi+0Ch]
		test	ebx, ebx
		jz	short loc_7ADE6E

loc_7ADE45:				; CODE XREF: RtlFindUnicodePrefix+58j
		mov	edx, [ebp+arg_4]
		lea	esi, [ebx-0Ch]
		mov	ecx, [esi+18h]
		push	eax
		call	CompareUnicodeStrings
		cmp	eax, 3
		jz	short loc_7ADE62
		test	eax, eax
		jnz	short loc_7ADE76
		mov	ebx, [ebx+8]
		jmp	short loc_7ADE65
; 

loc_7ADE62:				; CODE XREF: RtlFindUnicodePrefix+45j
		mov	ebx, [ebx+4]

loc_7ADE65:				; CODE XREF: RtlFindUnicodePrefix+4Ej
		push	0
		pop	eax
		test	ebx, ebx
		jnz	short loc_7ADE45

loc_7ADE6C:				; CODE XREF: RtlFindUnicodePrefix+13D0EDj
		xor	eax, eax

loc_7ADE6E:				; CODE XREF: RtlFindUnicodePrefix+31j
		mov	[ebp+arg_0], edi
		mov	edi, [edi+4]
		jmp	short loc_7ADE38
; 

loc_7ADE76:				; CODE XREF: RtlFindUnicodePrefix+49j
		cmp	[ebp+arg_8], 0
		jnz	short loc_7ADEB8
		mov	ecx, 802h
		lea	eax, [ebx-0Ch]
		cmp	[eax], cx
		jnz	short loc_7ADEAD
		mov	esi, [edi+4]
		and	dword ptr [edi+4], 0
		push	ebx
		mov	[edi], cx
		call	_RtlSplay@4	; RtlSplay(x)
		sub	eax, 0Ch
		mov	ecx, 801h
		mov	[eax], cx
		mov	ecx, [ebp+arg_0]
		mov	[ecx+4], eax
		mov	[eax+4], esi

loc_7ADEAD:				; CODE XREF: RtlFindUnicodePrefix+75j
					; RtlFindUnicodePrefix+A4j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_7ADEB4:				; CODE XREF: RtlFindUnicodePrefix+2Aj
		xor	eax, eax
		jmp	short loc_7ADEAD
; 

loc_7ADEB8:				; CODE XREF: RtlFindUnicodePrefix+68j
		mov	ebx, esi

loc_7ADEBA:				; CODE XREF: RtlFindUnicodePrefix+13D0E7j
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebx+18h]
		call	CompareUnicodeStrings
		cmp	eax, 2
		jnz	short loc_7ADED1

loc_7ADECD:				; CODE XREF: RtlFindUnicodePrefix+C2j
		mov	eax, ebx
		jmp	short loc_7ADEAD
; 

loc_7ADED1:				; CODE XREF: RtlFindUnicodePrefix+B9j
		cmp	eax, 1
		jz	short loc_7ADECD
		jmp	loc_8EAEF4
RtlFindUnicodePrefix endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CompareUnicodeStrings proc near		; CODE XREF: RtlInsertUnicodePrefix+4Fp
					; RtlInsertUnicodePrefix+E4p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008EAF04 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		movzx	ebx, word ptr [edx]
		mov	eax, ecx
		push	esi
		push	edi
		shr	ebx, 1
		movzx	edi, word ptr [eax]
		shr	edi, 1
		mov	[ebp+var_C], edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], edi
		mov	[ebp+var_18], ebx
		push	5Ch
		pop	ecx
		cmp	edi, 1
		jz	loc_8EAF04

loc_7ADF0B:				; CODE XREF: CompareUnicodeStrings+13D02Ej
					; CompareUnicodeStrings+13D049j
		cmp	edi, ebx
		jnb	loc_7ADFC9
		mov	edx, edi
		mov	[ebp+var_8], edx

loc_7ADF18:				; CODE XREF: CompareUnicodeStrings+F2j
		cmp	[ebp+arg_0], edx
		ja	loc_7AE02E

loc_7ADF21:				; CODE XREF: CompareUnicodeStrings+155j
		xor	esi, esi
		mov	eax, esi
		mov	ecx, esi
		mov	[ebp+var_4], ecx
		cmp	[ebp+arg_0], eax
		ja	loc_7ADFEC

loc_7ADF33:				; CODE XREF: CompareUnicodeStrings+13Cj
		cmp	ecx, [ebp+arg_0]
		jnz	short loc_7ADFA7
		mov	esi, [ebp+var_10]
		lea	eax, [ecx+ecx]
		mov	esi, [esi+4]
		add	esi, eax
		mov	[ebp+var_10], esi
		mov	esi, [ebp+var_C]
		mov	esi, [esi+4]
		add	esi, eax
		mov	[ebp+arg_0], esi
		cmp	ecx, edx
		jnb	loc_7ADFDF
		mov	ebx, [ebp+var_10]

loc_7ADF5C:				; CODE XREF: CompareUnicodeStrings+A2j
		mov	eax, [ebp+arg_0]
		movzx	esi, word ptr [ebx]
		lea	ebx, [ebx+2]
		movzx	edi, word ptr [eax]
		add	eax, 2
		mov	[ebp+var_10], edi
		mov	[ebp+arg_0], eax
		cmp	si, di
		jnz	short loc_7ADF82
		mov	eax, edi

loc_7ADF78:				; CODE XREF: CompareUnicodeStrings+FDj
		inc	ecx
		mov	[ebp+var_4], ecx
		cmp	ecx, edx
		jb	short loc_7ADF5C
		jmp	short loc_7ADFA1
; 

loc_7ADF82:				; CODE XREF: CompareUnicodeStrings+98j
		mov	ecx, esi
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, edi
		movzx	esi, ax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		movzx	eax, ax
		cmp	si, ax
		jz	short loc_7ADFD3
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]

loc_7ADFA1:				; CODE XREF: CompareUnicodeStrings+A4j
		mov	edi, [ebp+var_14]
		mov	ebx, [ebp+var_18]

loc_7ADFA7:				; CODE XREF: CompareUnicodeStrings+5Aj
		push	5Ch
		cmp	ecx, edx
		pop	edx
		jnb	short loc_7ADFE2
		cmp	si, dx
		jz	short loc_7ADFDB
		cmp	ax, dx
		jz	short loc_7ADFBF
		cmp	si, ax
		jb	short loc_7ADFDB
		jbe	short loc_7ADFE2

loc_7ADFBF:				; CODE XREF: CompareUnicodeStrings+DAj
					; CompareUnicodeStrings+10Aj
		push	3

loc_7ADFC1:				; CODE XREF: CompareUnicodeStrings+10Ej
		pop	eax

loc_7ADFC2:				; CODE XREF: CompareUnicodeStrings+101j
					; CompareUnicodeStrings+150j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7ADFC9:				; CODE XREF: CompareUnicodeStrings+31j
					; CompareUnicodeStrings+13D037j
		mov	edx, ebx
		mov	[ebp+var_8], ebx
		jmp	loc_7ADF18
; 

loc_7ADFD3:				; CODE XREF: CompareUnicodeStrings+BDj
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]
		jmp	short loc_7ADF78
; 

loc_7ADFDB:				; CODE XREF: CompareUnicodeStrings+D5j
					; CompareUnicodeStrings+DFj ...
		xor	eax, eax
		jmp	short loc_7ADFC2
; 

loc_7ADFDF:				; CODE XREF: CompareUnicodeStrings+77j
		push	5Ch
		pop	edx

loc_7ADFE2:				; CODE XREF: CompareUnicodeStrings+D0j
					; CompareUnicodeStrings+E1j
		cmp	edi, ebx
		jb	short loc_7AE01D
		ja	short loc_7ADFBF
		push	2
		jmp	short loc_7ADFC1
; 

loc_7ADFEC:				; CODE XREF: CompareUnicodeStrings+51j
		mov	eax, [ebp+var_C]
		mov	edi, [eax+4]
		mov	eax, [ebp+var_10]
		mov	ebx, [eax+4]
		sub	ebx, edi

loc_7ADFFA:				; CODE XREF: CompareUnicodeStrings+131j
		movzx	esi, word ptr [ebx+edi]
		movzx	eax, word ptr [edi]
		cmp	si, ax
		jnz	short loc_7AE00F
		inc	ecx
		add	edi, 2
		cmp	ecx, [ebp+arg_0]
		jb	short loc_7ADFFA

loc_7AE00F:				; CODE XREF: CompareUnicodeStrings+128j
		mov	edi, [ebp+var_14]
		mov	ebx, [ebp+var_18]
		mov	[ebp+var_4], ecx
		jmp	loc_7ADF33
; 

loc_7AE01D:				; CODE XREF: CompareUnicodeStrings+108j
		mov	eax, [ebp+var_C]
		mov	ecx, [eax+4]
		cmp	[ecx+edi*2], dx
		jnz	short loc_7ADFDB

loc_7AE029:				; CODE XREF: CompareUnicodeStrings+13D043j
		xor	eax, eax
		inc	eax
		jmp	short loc_7ADFC2
; 

loc_7AE02E:				; CODE XREF: CompareUnicodeStrings+3Fj
		mov	[ebp+arg_0], edx
		jmp	loc_7ADF21
CompareUnicodeStrings endp


;  S U B	R O U T	I N E 


; __stdcall ComputeUnicodeNameLength(x)
_ComputeUnicodeNameLength@4 proc near	; CODE XREF: RtlInsertUnicodePrefix+Ap
					; RtlFindUnicodePrefix+11p
		movzx	edx, word ptr [ecx]
		shr	edx, 1
		jz	short loc_7AE059
		xor	eax, eax
		inc	eax
		sub	edx, eax
		jz	short locret_7AE055
		mov	ecx, [ecx+4]

loc_7AE047:				; CODE XREF: ComputeUnicodeNameLength(x)+1Dj
		cmp	word ptr [ecx],	5Ch
		jz	short loc_7AE056

loc_7AE04D:				; CODE XREF: ComputeUnicodeNameLength(x)+21j
		add	ecx, 2
		sub	edx, 1
		jnz	short loc_7AE047

locret_7AE055:				; CODE XREF: ComputeUnicodeNameLength(x)+Cj
		retn
; 

loc_7AE056:				; CODE XREF: ComputeUnicodeNameLength(x)+15j
		inc	eax
		jmp	short loc_7AE04D
; 

loc_7AE059:				; CODE XREF: ComputeUnicodeNameLength(x)+5j
		xor	eax, eax
		inc	eax
		retn
_ComputeUnicodeNameLength@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; 
; Exported entry 471. FsRtlAddToTunnelCacheEx

		public FsRtlAddToTunnelCacheEx
FsRtlAddToTunnelCacheEx:		; CODE XREF: FsRtlAddToTunnelCache(x,x,x,x,x,x,x,x)+26p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, [ebp+1Ch]
		mov	[esp+1Ch], eax
		mov	[esp+13h], al
		mov	eax, edi
		and	eax, 1
		and	edi, 2
		cmp	ds:_TunnelMaxEntries, 0
		mov	[esp+24h], eax
		mov	[esp+2Ch], edi
		jz	loc_7AE25A
		lea	eax, [esp+30h]
		mov	[esp+34h], eax
		mov	[esp+30h], eax
		mov	eax, [ebp+14h]
		movzx	ebx, word ptr [eax]
		mov	eax, [ebp+18h]
		add	ebx, [ebp+20h]
		movzx	eax, word ptr [eax]
		add	eax, 48h
		add	ebx, eax
		cmp	ebx, 88h
		jbe	loc_8EAF2A

loc_7AE0C6:				; CODE XREF: PAGE:008EAF42j
		push	506E7554h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+18h], eax
		test	esi, esi
		jz	loc_7AE25A
		mov	byte ptr [esp+13h], 1

loc_7AE0E6:				; CODE XREF: PAGE:008EAF3Cj
		mov	eax, [ebp+14h]
		test	edi, edi
		jnz	short loc_7AE0F0
		mov	eax, [ebp+18h]

loc_7AE0F0:				; CODE XREF: PAGE:007AE0EBj
		mov	ebx, [ebp+8]
		mov	ecx, ebx
		mov	[esp+14h], eax
		call	ExAcquireFastMutex
		lea	ecx, [ebx+20h]
		mov	edi, ecx
		mov	[esp+28h], ecx
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_7AE14A
		mov	esi, [esp+24h]
		mov	ebx, eax

loc_7AE113:				; CODE XREF: PAGE:007AE13Dj
		mov	edx, [esp+14h]
		mov	ecx, ebx
		push	esi
		push	dword ptr [ebp+10h]
		mov	[esp+24h], ebx
		push	dword ptr [ebp+0Ch]
		call	FsRtlCompareNodeAndKey
		test	eax, eax
		jg	loc_7AE263
		jns	short loc_7AE13F
		push	8

loc_7AE135:				; CODE XREF: PAGE:007AE265j
		pop	eax
		lea	edi, [eax+ebx]
		mov	ebx, [edi]
		test	ebx, ebx
		jnz	short loc_7AE113

loc_7AE13F:				; CODE XREF: PAGE:007AE131j
		mov	esi, [esp+18h]
		mov	ebx, [ebp+8]
		mov	ecx, [esp+28h]

loc_7AE14A:				; CODE XREF: PAGE:007AE10Bj
		and	dword ptr [esi+4], 0
		and	dword ptr [esi+8], 0
		mov	edx, [esp+1Ch]
		mov	[esi], esi
		test	edx, edx
		jz	loc_7AE2D9
		mov	eax, [edi]
		test	eax, eax
		jnz	loc_7AE26A
		mov	[esi], edx
		mov	[edi], esi

loc_7AE16E:				; CODE XREF: PAGE:007AE2D4j
					; PAGE:007AE2DBj
		lea	eax, [esi+18h]
		push	eax
		call	KeQuerySystemTime
		lea	eax, [ebx+24h]
		mov	ecx, [eax+4]
		lea	edx, [esi+0Ch]
		cmp	[ecx], eax
		jnz	loc_7AE2F6
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	ecx, [ebp+14h]
		mov	[eax+4], edx
		lea	edx, [esi+48h]
		inc	word ptr [ebx+2Ch]
		mov	eax, [ebp+0Ch]
		mov	edi, [ebp+18h]
		mov	[esi+20h], eax
		mov	eax, [ebp+10h]
		mov	[esi+24h], eax
		mov	eax, [esp+2Ch]
		neg	eax
		sbb	eax, eax
		and	eax, 2
		mov	[esi+28h], eax
		mov	[esi+38h], edx
		movzx	eax, word ptr [ecx]
		add	eax, 48h
		add	eax, esi
		mov	[esi+30h], eax
		movzx	eax, word ptr [ecx]
		mov	[esi+36h], ax
		mov	[esi+34h], ax
		movzx	eax, word ptr [edi]
		mov	[esi+2Eh], ax
		mov	[esi+2Ch], ax
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_7AE1F2
		push	eax
		push	dword ptr [ecx+4]
		push	edx
		call	_memcpy
		add	esp, 0Ch

loc_7AE1F2:				; CODE XREF: PAGE:007AE1E3j
		movzx	eax, word ptr [edi]
		mov	edx, eax
		test	ax, ax
		jz	short loc_7AE20E
		push	eax
		push	dword ptr [edi+4]
		push	dword ptr [esi+30h]
		call	_memcpy
		movzx	edx, word ptr [edi]
		add	esp, 0Ch

loc_7AE20E:				; CODE XREF: PAGE:007AE1FAj
		mov	eax, [ebp+14h]
		movzx	ecx, word ptr [eax]
		add	ecx, 48h
		movzx	eax, dx
		add	ecx, esi
		add	eax, ecx
		mov	ecx, [ebp+20h]
		push	ecx
		push	dword ptr [ebp+24h]
		mov	[esi+3Ch], eax
		push	eax
		mov	[esi+40h], ecx
		call	_memcpy
		add	esp, 0Ch
		cmp	byte ptr [esp+13h], 0
		jz	short loc_7AE23F
		or	dword ptr [esi+28h], 1

loc_7AE23F:				; CODE XREF: PAGE:007AE239j
		lea	edx, [esp+30h]
		mov	ecx, ebx
		call	_FsRtlPruneTunnelCache@8 ; FsRtlPruneTunnelCache(x,x)
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		lea	ecx, [esp+30h]
		call	_FsRtlEmptyFreePoolList@4 ; FsRtlEmptyFreePoolList(x)

loc_7AE25A:				; CODE XREF: PAGE:007AE094j
					; PAGE:007AE0DBj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_7AE263:				; CODE XREF: PAGE:007AE12Bj
		push	4
		jmp	loc_7AE135
; 

loc_7AE26A:				; CODE XREF: PAGE:007AE164j
		mov	eax, [eax+8]
		mov	[esi+8], eax
		mov	eax, [edi]
		mov	eax, [eax+4]
		mov	[esi+4], eax
		mov	eax, [edi]
		mov	ecx, [eax+8]
		test	ecx, ecx
		jnz	short loc_7AE2EA

loc_7AE281:				; CODE XREF: PAGE:007AE2EEj
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_7AE2F0

loc_7AE288:				; CODE XREF: PAGE:007AE2F4j
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_7AE2E0
		mov	[esi], ecx
		mov	eax, [edi]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_7AE2E5
		mov	[ecx+4], esi

loc_7AE29C:				; CODE XREF: PAGE:007AE2E3j
					; PAGE:007AE2E8j
		lea	eax, [edx+0Ch]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_7AE2F6
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_7AE2F6
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	edx, [esp+30h]
		mov	ecx, [esp+30h]
		cmp	[ecx+4], edx
		jnz	short loc_7AE2F6
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[ecx+4], eax
		mov	[esp+30h], eax
		mov	eax, 0FFFFh
		add	[ebx+2Ch], ax
		jmp	loc_7AE16E
; 

loc_7AE2D9:				; CODE XREF: PAGE:007AE15Aj
		mov	[ecx], esi
		jmp	loc_7AE16E
; 

loc_7AE2E0:				; CODE XREF: PAGE:007AE28Cj
		mov	[ebx+20h], esi
		jmp	short loc_7AE29C
; 

loc_7AE2E5:				; CODE XREF: PAGE:007AE297j
		mov	[ecx+8], esi
		jmp	short loc_7AE29C
; 

loc_7AE2EA:				; CODE XREF: PAGE:007AE27Fj
		mov	[ecx], esi
		mov	eax, [edi]
		jmp	short loc_7AE281
; 

loc_7AE2F0:				; CODE XREF: PAGE:007AE286j
		mov	[ecx], esi
		mov	eax, [edi]
		jmp	short loc_7AE288
; 

loc_7AE2F6:				; CODE XREF: PAGE:007AE182j
					; PAGE:007AE2A4j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 10h
; Exported entry 519. FsRtlFindInTunnelCacheEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	FsRtlFindInTunnelCacheEx(int,int,int,int,int,int,int,int,void *)
		public FsRtlFindInTunnelCacheEx
FsRtlFindInTunnelCacheEx proc near	; CODE XREF: FsRtlFindInTunnelCache(x,x,x,x,x,x,x,x)+1Fp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 008EAF47 SIZE 00000007 BYTES

		push	14h
		push	offset dword_6A29A0
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	edi, ebx
		and	[ebp+arg_18], 1
		mov	[ebp+var_19], bl
		cmp	ds:_TunnelMaxEntries, ebx
		jz	loc_8EAF47
		lea	eax, [ebp+var_24]
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	ExAcquireFastMutex
		lea	edx, [ebp+var_24]
		mov	ecx, esi
		call	_FsRtlPruneTunnelCache@8 ; FsRtlPruneTunnelCache(x,x)
		mov	esi, [esi+20h]
		test	esi, esi
		jz	short loc_7AE36C
		mov	ebx, [ebp+arg_18]

loc_7AE34A:				; CODE XREF: FsRtlFindInTunnelCacheEx+68j
		mov	edi, esi
		push	ebx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_C]
		mov	ecx, esi
		call	FsRtlCompareNodeAndKey
		test	eax, eax
		jg	short loc_7AE393
		jns	short loc_7AE36A
		mov	esi, [esi+8]

loc_7AE366:				; CODE XREF: FsRtlFindInTunnelCacheEx+96j
		test	esi, esi
		jnz	short loc_7AE34A

loc_7AE36A:				; CODE XREF: FsRtlFindInTunnelCacheEx+61j
		xor	ebx, ebx

loc_7AE36C:				; CODE XREF: FsRtlFindInTunnelCacheEx+45j
		mov	[ebp+ms_exc.disabled], ebx
		test	esi, esi
		jnz	short loc_7AE398

loc_7AE373:				; CODE XREF: FsRtlFindInTunnelCacheEx+D8j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7AE408
		mov	al, bl

loc_7AE381:				; CODE XREF: FsRtlFindInTunnelCacheEx+13CC49j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_7AE393:				; CODE XREF: FsRtlFindInTunnelCacheEx+5Fj
		mov	esi, [esi+4]
		jmp	short loc_7AE366
; 

loc_7AE398:				; CODE XREF: FsRtlFindInTunnelCacheEx+71j
		lea	eax, [edi+34h]
		push	eax
		push	[ebp+arg_10]
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		lea	ebx, [edi+2Ch]
		mov	esi, [ebp+arg_14]
		movzx	eax, word ptr [ebx]
		cmp	[esi+2], ax
		jb	short loc_7AE3DA
		push	ebx
		push	esi
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)

loc_7AE3BA:				; CODE XREF: FsRtlFindInTunnelCacheEx+106j
		push	dword ptr [edi+40h] ; size_t
		push	dword ptr [edi+3Ch] ; void *
		push	[ebp+arg_20]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [edi+40h]
		mov	eax, [ebp+arg_1C]
		mov	[eax], ecx
		mov	bl, 1
		mov	[ebp+var_19], bl
		jmp	short loc_7AE373
; 

loc_7AE3DA:				; CODE XREF: FsRtlFindInTunnelCacheEx+B1j
		push	346E7554h
		push	eax
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esi+4], ecx
		movzx	eax, word ptr [ebx]
		mov	[esi+2], ax
		mov	[esi], ax
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [edi+30h] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_7AE3BA
FsRtlFindInTunnelCacheEx endp


;  S U B	R O U T	I N E 


sub_7AE408	proc near		; CODE XREF: FsRtlFindInTunnelCacheEx+7Ap
					; sub_8EAF4E+3j
		mov	ecx, [ebp+8]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		lea	ecx, [ebp-24h]
		call	_FsRtlEmptyFreePoolList@4 ; FsRtlEmptyFreePoolList(x)
		retn
sub_7AE408	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlPruneTunnelCache(x, x)
_FsRtlPruneTunnelCache@8 proc near	; CODE XREF: PAGE:007AE245p
					; FsRtlFindInTunnelCacheEx+3Bp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_14]
		mov	[ebp+var_8], edx
		xor	edi, edi
		mov	byte ptr [ebp+var_1], 1
		push	eax
		mov	esi, ecx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		call	KeQuerySystemTime
		mov	ebx, [ebp+var_14]
		sub	ebx, ds:_TunnelMaxAge
		mov	eax, [ebp+var_10]
		sbb	eax, edi
		lea	edi, [esi+24h]
		mov	[ebp+var_C], eax

loc_7AE453:				; CODE XREF: FsRtlPruneTunnelCache(x,x)+7Ej
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_7AE479
		lea	edx, [eax-0Ch]
		mov	ecx, [edx+1Ch]
		mov	eax, [edx+18h]
		cmp	ecx, [ebp+var_C]
		jl	short loc_7AE48A
		jg	short loc_7AE46D
		cmp	eax, ebx
		jb	short loc_7AE48A

loc_7AE46D:				; CODE XREF: FsRtlPruneTunnelCache(x,x)+4Dj
		cmp	ecx, [ebp+var_10]
		jl	short loc_7AE479
		jg	short loc_7AE48A
		cmp	eax, [ebp+var_14]
		ja	short loc_7AE48A

loc_7AE479:				; CODE XREF: FsRtlPruneTunnelCache(x,x)+3Dj
					; FsRtlPruneTunnelCache(x,x)+56j ...
		movzx	eax, word ptr [esi+2Ch]
		cmp	eax, ds:_TunnelMaxEntries
		ja	short loc_7AE49A
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7AE48A:				; CODE XREF: FsRtlPruneTunnelCache(x,x)+4Bj
					; FsRtlPruneTunnelCache(x,x)+51j ...
		lea	eax, [ebp+var_1]
		mov	ecx, esi
		push	eax
		push	[ebp+var_8]
		call	_FsRtlRemoveNodeFromTunnel@16 ;	FsRtlRemoveNodeFromTunnel(x,x,x,x)
		jmp	short loc_7AE453
; 

loc_7AE49A:				; CODE XREF: FsRtlPruneTunnelCache(x,x)+69j
		mov	edx, [edi]
		lea	eax, [ebp+var_1]
		push	eax
		push	[ebp+var_8]
		sub	edx, 0Ch
		mov	ecx, esi
		call	_FsRtlRemoveNodeFromTunnel@16 ;	FsRtlRemoveNodeFromTunnel(x,x,x,x)
		jmp	short loc_7AE479
_FsRtlPruneTunnelCache@8 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 473. FsRtlAllocateExtraCreateParameterFromLookasideList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlAllocateExtraCreateParameterFromLookasideList
FsRtlAllocateExtraCreateParameterFromLookasideList proc	near
					; CODE XREF: IopSymlinkAllocateAndAddECP+40p
					; IopSymlinkPropagateToExtensionIfNeeded+FE934p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008EAF56 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_8]
		mov	eax, edx
		mov	ecx, [ebp+arg_4]
		and	eax, 2
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_10]
		lea	ebx, [ecx+34h]
		mov	esi, [edi+20h]
		mov	[ebp+arg_4], esi
		mov	esi, eax
		neg	esi
		sbb	esi, esi
		and	esi, 40h
		add	esi, 2
		cmp	ebx, [edi+24h]
		ja	loc_8EAF56
		mov	ecx, edi
		test	eax, eax
		jnz	short loc_7AE562
		inc	dword ptr [edi+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jz	short loc_7AE570

loc_7AE506:				; CODE XREF: FsRtlAllocateExtraCreateParameterFromLookasideList+A9j
		mov	edx, [ebp+arg_0]
		mov	dword ptr [eax], 48706345h
		mov	dword ptr [eax+4], 0
		mov	dword ptr [eax+0Ch], 0
		mov	dword ptr [eax+8], 0
		mov	ecx, [edx]
		mov	[eax+10h], ecx
		mov	ecx, [edx+4]
		mov	[eax+14h], ecx
		mov	ecx, [edx+8]
		mov	[eax+18h], ecx
		mov	ecx, [edx+0Ch]
		mov	[eax+1Ch], ecx
		mov	ecx, [ebp+arg_C]
		mov	[eax+20h], ecx
		lea	ecx, [eax+34h]
		mov	[eax+24h], esi
		mov	[eax+28h], ebx
		mov	[eax+2Ch], edi
		mov	dword ptr [eax+30h], 0
		mov	eax, [ebp+arg_14]
		mov	[eax], ecx
		xor	eax, eax

loc_7AE55B:				; CODE XREF: FsRtlAllocateExtraCreateParameterFromLookasideList+13CAA9j
					; FsRtlAllocateExtraCreateParameterFromLookasideList+13CABCj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
; 

loc_7AE562:				; CODE XREF: FsRtlAllocateExtraCreateParameterFromLookasideList+38j
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)

loc_7AE567:				; CODE XREF: FsRtlAllocateExtraCreateParameterFromLookasideList+C4j
		test	eax, eax
		jnz	short loc_7AE506
		jmp	loc_8EAF6E
; 

loc_7AE570:				; CODE XREF: FsRtlAllocateExtraCreateParameterFromLookasideList+44j
		mov	eax, [edi+20h]
		inc	dword ptr [edi+10h]
		push	eax
		mov	eax, [edi+24h]
		push	eax
		mov	eax, [edi+1Ch]
		push	eax
		mov	eax, [edi+28h]
		call	eax
		jmp	short loc_7AE567
FsRtlAllocateExtraCreateParameterFromLookasideList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopWaitAndAcquireFileObjectLock	proc near ; CODE XREF: .text:00522013p
					; .text:00591621p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008CA178 SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		push	esi
		push	edi
		mov	[ebp+var_C], ebx
		lea	edi, [ebx+40h]
		lock inc dword ptr [edi]
		mov	esi, [ebp+arg_4]
		lea	ecx, [ebx+44h]
		mov	[ebp+var_8], ecx

loc_7AE5A8:				; CODE XREF: IopWaitAndAcquireFileObjectLock+63j
		cmp	dword ptr [ecx], 0
		jz	short loc_7AE5EB

loc_7AE5AD:				; CODE XREF: IopWaitAndAcquireFileObjectLock+6Cj
		test	esi, esi
		jz	short loc_7AE5B8
		mov	ecx, esi
		call	_KeAbPreWait@4	; KeAbPreWait(x)

loc_7AE5B8:				; CODE XREF: IopWaitAndAcquireFileObjectLock+29j
		push	[ebp+arg_0]
		mov	dl, [ebp+var_1]
		add	ebx, 4Ch
		mov	ecx, ebx
		call	IopWaitForLockAlertable
		mov	[ebp+arg_4], eax
		test	esi, esi
		jz	short loc_7AE5DF
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	esi, eax
		mov	eax, [ebp+arg_4]

loc_7AE5DF:				; CODE XREF: IopWaitAndAcquireFileObjectLock+47j
		test	eax, eax
		js	short loc_7AE60F
		mov	ebx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		jmp	short loc_7AE5A8
; 

loc_7AE5EB:				; CODE XREF: IopWaitAndAcquireFileObjectLock+25j
		xor	eax, eax
		inc	eax
		xchg	eax, [ecx]
		test	eax, eax
		jnz	short loc_7AE5AD
		test	esi, esi
		jz	short loc_7AE5FC
		or	byte ptr [esi+0Eh], 1

loc_7AE5FC:				; CODE XREF: IopWaitAndAcquireFileObjectLock+70j
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		lock dec dword ptr [edi]
		xor	eax, eax

loc_7AE608:				; CODE XREF: IopWaitAndAcquireFileObjectLock+B8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7AE60F:				; CODE XREF: IopWaitAndAcquireFileObjectLock+5Bj
		lock dec dword ptr [edi]
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		cmp	[eax], ecx
		jnz	short loc_7AE623
		cmp	[edi], ecx
		jnz	loc_8CA178

loc_7AE623:				; CODE XREF: IopWaitAndAcquireFileObjectLock+93j
					; IopWaitAndAcquireFileObjectLock+11BC14j
		test	esi, esi
		jz	short loc_7AE630
		mov	edx, esi
		mov	ecx, ebx
		call	KeAbPostReleaseEx

loc_7AE630:				; CODE XREF: IopWaitAndAcquireFileObjectLock+9Fj
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	1
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+arg_4]
		jmp	short loc_7AE608
IopWaitAndAcquireFileObjectLock	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopMountVolume	proc near		; CODE XREF: IopCheckVpbMounted+15Bp
					; IoVerifyVolume(x,x)+151p

var_70		= dword	ptr -70h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008EAF81 SIZE 00000418 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_58], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_70]
		mov	[ebp+var_19], dl
		stosd
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ecx
		stosd
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_30], ecx
		stosd
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_1C], cl
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_18]
		mov	[ebp+var_1A], cl
		stosd
		stosd
		stosd
		stosd
		call	_MmIsThisAnNtAsSystem@0	; MmIsThisAnNtAsSystem()
		mov	edi, large fs:124h
		mov	ecx, offset _IopFilesystemDatabaseShutdownRundown
		mov	[ebp+var_1B], al
		mov	[ebp+var_28], edi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_8EAF81
		cmp	[ebp+var_1B], 0
		jnz	loc_8EAF8B

loc_7AE6BD:				; CODE XREF: IopMountVolume+13C967j
		cmp	[ebp+arg_0], 0
		jnz	short loc_7AE6EA
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	[ebp+arg_4]
		mov	dl, [edi+15Ah]
		lea	ecx, [ebx+9Ch]
		call	IopWaitForLockAlertable
		mov	esi, eax
		test	esi, esi
		js	loc_8EAFAC
		mov	[ebp+var_1A], 1

loc_7AE6EA:				; CODE XREF: IopMountVolume+81j
		dec	word ptr [edi+13Ch]
		nop
		push	1
		push	offset _IopDatabaseResource
		call	ExAcquireResourceSharedLite
		mov	ecx, ebx
		call	IopQueryVpbFlagsSafe
		movzx	eax, ax
		test	al, 9
		jnz	loc_7AE930
		cmp	[ebp+var_1B], 0
		jnz	loc_8EAFCA

loc_7AE71A:				; CODE XREF: IopMountVolume+13C99Dj
		push	0
		push	0
		lea	eax, [ebp+var_70]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		and	dword ptr [ebx+1Ch], 0FFFFFFFDh
		mov	esi, 0C0000001h
		mov	eax, [ebx+10h]
		mov	[ebp+var_20], ebx
		test	eax, eax
		jz	short loc_7AE74B

loc_7AE73A:				; CODE XREF: IopMountVolume+104j
		mov	esi, eax
		mov	[ebp+var_20], esi
		mov	eax, [esi+10h]
		test	eax, eax
		jnz	short loc_7AE73A
		mov	esi, 0C0000001h

loc_7AE74B:				; CODE XREF: IopMountVolume+F8j
		mov	ecx, [ebp+var_20]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebx+2Ch]
		cmp	eax, 7
		jnz	loc_8EAFE2

loc_7AE75F:				; CODE XREF: IopMountVolume+13C9A5j
		mov	edi, offset _IopDiskFileSystemQueueHead

loc_7AE764:				; CODE XREF: IopMountVolume+13C9B5j
					; IopMountVolume+13C9BFj
		mov	eax, [ebx+24h]
		mov	ecx, [edi]
		mov	[ebp+var_24], ecx
		movzx	eax, word ptr [eax+4]
		and	eax, 10h
		mov	[ebp+var_48], eax
		cmp	ecx, edi
		jz	loc_8EB145
		mov	ah, [ebp+var_19]

loc_7AE781:				; CODE XREF: IopMountVolume+16Bj
		test	esi, esi
		jns	short loc_7AE7B5
		mov	edx, [ecx]
		cmp	edx, edi
		mov	[ebp+var_60], edx
		setz	al
		mov	byte ptr [ebp+var_54], al
		test	ah, ah
		jz	loc_7AE944

loc_7AE79A:				; CODE XREF: IopMountVolume+306j
					; IopMountVolume+13C9CCj
		cmp	edx, edi
		jz	short loc_7AE811
		cmp	[ebp+var_48], 0
		jz	short loc_7AE811

loc_7AE7A4:				; CODE XREF: IopMountVolume+2EBj
		mov	ecx, [ecx]
		mov	[ebp+var_24], ecx
		cmp	ecx, edi
		jnz	short loc_7AE781

loc_7AE7AD:				; CODE XREF: IopMountVolume+37Cj
					; IopMountVolume+13C9C6j ...
		test	esi, esi
		js	loc_8EB145

loc_7AE7B5:				; CODE XREF: IopMountVolume+143j
					; IopMountVolume+2FFj ...
		mov	ecx, offset _IopDatabaseResource
		call	ExReleaseResourceLite

loc_7AE7BF:				; CODE XREF: IopMountVolume+13CAE5j
		cmp	[ebp+var_1A], 0
		lea	eax, [ebx+9Ch]
		jz	short loc_7AE7DA
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_7AE7DA:				; CODE XREF: IopMountVolume+189j
		mov	ecx, [ebp+var_28]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		cmp	[ebp+var_1B], 0
		jnz	loc_8EB152

loc_7AE7EC:				; CODE XREF: IopMountVolume+13CB38j
					; IopMountVolume+13CB48j
		test	esi, esi
		js	loc_8EB18D

loc_7AE7F4:				; CODE XREF: IopMountVolume+13C975j
					; IopMountVolume+13C985j ...
		mov	ecx, offset _IopFilesystemDatabaseShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	eax, esi

loc_7AE800:				; CODE XREF: IopMountVolume+13C946j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_7AE811:				; CODE XREF: IopMountVolume+15Cj
					; IopMountVolume+162j
		lea	esi, [ecx-34h]
		xor	ecx, ecx
		mov	eax, [esi+10h]
		inc	ecx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_34], ecx
		test	eax, eax
		jz	short loc_7AE831

loc_7AE824:				; CODE XREF: IopMountVolume+1ECj
		mov	esi, eax
		inc	ecx
		mov	eax, [esi+10h]
		test	eax, eax
		jnz	short loc_7AE824
		mov	[ebp+var_34], ecx

loc_7AE831:				; CODE XREF: IopMountVolume+1E2j
		lea	eax, [ebp+var_70]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	eax, [ebp+var_20]
		push	dword ptr [ebp+4]
		push	0
		mov	dl, [eax+30h]
		add	dl, byte ptr [ebp+var_34]
		call	_IopAllocateIrpWithExtension@16	; IopAllocateIrpWithExtension(x,x,x,x)
		mov	[ebp+var_34], eax
		test	eax, eax
		jz	loc_8EB140
		lea	ecx, [ebp+var_70]
		mov	dword ptr [eax+8], 42h
		mov	[eax+2Ch], ecx
		lea	ecx, [ebp+var_44]
		mov	[eax+28h], ecx
		mov	ecx, [ebp+var_28]
		mov	[eax+50h], ecx
		mov	ecx, [eax+60h]
		mov	byte ptr [eax+20h], 0
		mov	al, [ebp+var_19]
		mov	[ecx-22h], al
		mov	word ptr [ecx-24h], 10Dh
		mov	eax, [ebx+24h]
		mov	[ecx-20h], eax
		mov	eax, [ebp+var_20]
		mov	[ecx-1Ch], eax
		mov	ecx, esi
		mov	eax, _IopFsRegistrationOps
		mov	[ebp+var_5C], eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [ebp+var_2C]
		mov	dl, 1
		call	IopIncrementDeviceObjectRefCount
		lock inc _IopMountsInProgress
		mov	ecx, offset _IopDatabaseResource
		call	ExReleaseResourceLite
		mov	edx, [ebp+var_34]
		mov	ecx, esi
		call	IofCallDriver
		cmp	eax, 103h
		jz	loc_8EB011
		and	[ebp+var_40], 0
		mov	[ebp+var_44], eax

loc_7AE8D6:				; CODE XREF: IopMountVolume+13C9E0j
		push	1
		push	offset _IopDatabaseResource
		call	ExAcquireResourceSharedLite
		lock dec _IopMountsInProgress
		cmp	_IopMountCompletionWaiters, 0
		jnz	loc_8EB025

loc_7AE8F6:				; CODE XREF: IopMountVolume+13C9F3j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_2C]
		xor	dl, dl
		push	0
		call	IopDecrementDeviceObjectRef
		mov	esi, [ebp+var_44]
		test	esi, esi
		js	short loc_7AE951
		push	[ebp+var_54]
		mov	edx, [ebp+var_20]
		mov	ecx, ebx
		push	[ebp+var_48]
		call	IopMountInitializeVpb
		mov	ecx, [ebp+var_58]
		mov	[ecx], eax

loc_7AE925:				; CODE XREF: IopMountVolume+13CAB4j
		mov	ecx, [ebp+var_24]

loc_7AE928:				; CODE XREF: IopMountVolume+36Dj
					; IopMountVolume+13CAD3j
		mov	ah, [ebp+var_19]
		jmp	loc_7AE7A4
; 

loc_7AE930:				; CODE XREF: IopMountVolume+CAj
		and	al, 8
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 0C00000C0h
		jmp	loc_7AE7B5
; 

loc_7AE944:				; CODE XREF: IopMountVolume+154j
		cmp	edx, edi
		jnz	loc_7AE79A
		jmp	loc_8EB004
; 

loc_7AE951:				; CODE XREF: IopMountVolume+2CEj
		cmp	esi, 0C00000A3h
		jz	short loc_7AE9B8
		cmp	esi, 0C00000B5h
		jz	short loc_7AE9B8
		cmp	esi, 0C00000A2h
		jz	short loc_7AE9B8
		cmp	esi, 0C0000013h
		jz	short loc_7AE9B8
		cmp	esi, 80000016h
		jz	short loc_7AE9B8
		cmp	esi, 0C0000014h
		jz	short loc_7AE9B8
		cmp	esi, 0C0000012h
		jz	short loc_7AE9B8

loc_7AE989:				; CODE XREF: IopMountVolume+382j
		mov	eax, [ebp+var_5C]
		cmp	eax, _IopFsRegistrationOps
		jnz	loc_8EB038
		mov	ecx, [ebp+var_24]

loc_7AE99B:				; CODE XREF: IopMountVolume+13CA08j
		cmp	esi, 0C000019Ch
		jz	loc_8EB04D

loc_7AE9A7:				; CODE XREF: IopMountVolume+13CAA7j
		cmp	esi, 0C000014Fh
		jz	loc_7AE928
		jmp	loc_8EB0EC
; 

loc_7AE9B8:				; CODE XREF: IopMountVolume+317j
					; IopMountVolume+31Fj ...
		cmp	[ebp+var_40], 1
		jz	loc_7AE7AD
		jmp	short loc_7AE989
IopMountVolume	endp

; 
		align 10h
; Exported entry 524. FsRtlGetEcpListFromIrp
; Exported entry 874. IoGetIrpExtraCreateParameter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlGetEcpListFromIrp(x, x)
		public _FsRtlGetEcpListFromIrp@8
_FsRtlGetEcpListFromIrp@8 proc near	; CODE XREF: FsRtlCheckOplockEx2+E1p
					; FsRtlpAttachOplockKey+39p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi	; FsRtlGetEcpListFromIrp
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+8], 80h
		jz	short loc_7AE9EC
		mov	ecx, [eax+3Ch]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		xor	eax, eax

loc_7AE9E8:				; CODE XREF: FsRtlGetEcpListFromIrp(x,x)+21j
		pop	ebp
		retn	8
; 

loc_7AE9EC:				; CODE XREF: FsRtlGetEcpListFromIrp(x,x)+Cj
		mov	eax, 0C000000Dh
		jmp	short loc_7AE9E8
_FsRtlGetEcpListFromIrp@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpVEExecuteOpenLogic proc near		; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1CB1p
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1F19p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EB399 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	0
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], 0
		mov	ebx, edx
		mov	[ebp+var_14], 0
		push	eax
		mov	[ebp+var_8], ebx
		mov	esi, ecx
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 0
		mov	[ebp+var_4], 0
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_20], 0FFFFFFFFh
		mov	word ptr [ebp+var_1C], ax
		cmp	_CmpVEEnabled, al
		jz	short loc_7AEAA5
		test	byte ptr [ebx+14h], 10h
		jnz	short loc_7AEA9E
		cmp	[esi+22h], ax
		jnz	short loc_7AEA97
		test	dword ptr [esi+68h], 2000000h
		jnz	loc_8EB1B8
		mov	edi, 0C0000271h

loc_7AEA81:				; CODE XREF: CmpVEExecuteOpenLogic+9Cj
					; CmpVEExecuteOpenLogic+A3j ...
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_8EB399

loc_7AEA8C:				; CODE XREF: CmpVEExecuteOpenLogic+13C9A1j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7AEA97:				; CODE XREF: CmpVEExecuteOpenLogic+6Dj
		mov	edi, 0C0000271h
		jmp	short loc_7AEA81
; 

loc_7AEA9E:				; CODE XREF: CmpVEExecuteOpenLogic+67j
		mov	edi, 0C0000271h
		jmp	short loc_7AEA81
; 

loc_7AEAA5:				; CODE XREF: CmpVEExecuteOpenLogic+61j
		mov	edi, 0C0000271h
		jmp	short loc_7AEA81
CmpVEExecuteOpenLogic endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspNotificationPacketCallback proc near	; DATA XREF: sub_759647-B3o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EB3A6 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		mov	edx, eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ecx, edi
		mov	[ebp+var_8], eax
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		lea	ebx, [edi+310h]
		mov	edx, [ebx]
		nop

loc_7AEAD5:				; CODE XREF: PspNotificationPacketCallback+13C934j
		xor	esi, esi
		mov	ecx, edx
		test	edx, 4000h
		jnz	loc_7AEB8F

loc_7AEAE5:				; CODE XREF: PspNotificationPacketCallback+F5j
		test	ecx, 10000h
		jnz	loc_8EB3A6

loc_7AEAF1:				; CODE XREF: PspNotificationPacketCallback+13C90Aj
		test	ecx, 8000h
		jnz	loc_8EB3C3

loc_7AEAFD:				; CODE XREF: PspNotificationPacketCallback+13C924j
					; PspNotificationPacketCallback+13C92Dj
		test	esi, esi
		jnz	short loc_7AEB04
		and	ecx, 0FFFFFFF7h

loc_7AEB04:				; CODE XREF: PspNotificationPacketCallback+53j
					; PspNotificationPacketCallback+FEj
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	loc_8EB3DE
		mov	ecx, [edi+0D4h]
		mov	eax, ecx
		neg	eax
		sbb	eax, eax
		and	eax, esi
		mov	[ebp+var_C], eax
		jnz	short loc_7AEB48

loc_7AEB25:				; CODE XREF: PspNotificationPacketCallback+E1j
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		cmp	[ebp+var_C], 0
		jnz	short loc_7AEB41
		mov	edx, 624A7350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_7AEB41:				; CODE XREF: PspNotificationPacketCallback+87j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7AEB48:				; CODE XREF: PspNotificationPacketCallback+77j
		push	dword ptr [edi+218h]
		xor	edx, edx
		push	edx
		push	eax
		push	edx
		push	edx
		push	dword ptr [edi+0D8h]
		push	ecx
		call	IoSetIoCompletionEx
		lea	eax, [edi+0E0h]
		mov	edi, eax

loc_7AEB68:				; CODE XREF: PspNotificationPacketCallback+D7j
					; PspNotificationPacketCallback+DCj
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_4], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_7AEB68
		cmp	edx, [ebp+var_4]
		jnz	short loc_7AEB68
		mov	edi, [ebp+arg_4]
		jmp	short loc_7AEB25
; 

loc_7AEB8F:				; CODE XREF: PspNotificationPacketCallback+33j
		mov	ecx, edx
		and	ecx, 0FFFFBFFFh
		test	dword ptr [edi+1A8h], 800h
		jz	loc_7AEAE5
		push	0Bh

loc_7AEBA9:				; CODE XREF: PspNotificationPacketCallback+13C912j
		pop	esi
		jmp	loc_7AEB04
PspNotificationPacketCallback endp

; 
		align 10h

;  S U B	R O U T	I N E 


PspJobNotificationWorker proc near	; DATA XREF: PspInitializeJobStructures+31o

; FUNCTION CHUNK AT 008EB3E5 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	eax, offset _PspJobNotificationList
		push	edi

loc_7AEBBA:				; CODE XREF: PspJobNotificationWorker+7Bj
		or	esi, 0FFFFFFFFh
		xchg	esi, [eax]

loc_7AEBBF:				; CODE XREF: PspJobNotificationWorker+13C838j
		mov	edi, [esi+204h]
		lea	edx, [esi+310h]
		mov	ebx, 0FFFDDFFFh
		mov	eax, [edx]

loc_7AEBD2:				; CODE XREF: PspJobNotificationWorker+2Aj
		mov	ecx, eax
		and	ecx, ebx
		lock cmpxchg [edx], ecx
		jnz	short loc_7AEBD2
		mov	ebx, eax
		test	ebx, 2000h
		jz	short loc_7AEBFA
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esi+1B0h]
		push	eax
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_7AEBFA:				; CODE XREF: PspJobNotificationWorker+34j
		test	ebx, 20000h
		jnz	short loc_7AEC33

loc_7AEC02:				; CODE XREF: PspJobNotificationWorker+BBj
		mov	edx, 6F4E7350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	esi, edi
		test	edi, edi
		jnz	loc_8EB3E5

loc_7AEC18:				; CODE XREF: PspJobNotificationWorker+13C83Ej
		xor	ecx, ecx
		or	eax, 0FFFFFFFFh
		mov	edx, offset _PspJobNotificationList
		lock cmpxchg [edx], ecx
		cmp	eax, 0FFFFFFFFh
		mov	eax, edx
		jnz	short loc_7AEBBA
		pop	edi
		pop	esi
		pop	ebx
		retn	4
; 

loc_7AEC33:				; CODE XREF: PspJobNotificationWorker+50j
		mov	ebx, large fs:124h
		mov	ecx, esi
		mov	edx, ebx
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		cmp	dword ptr [esi+0D4h], 0
		jz	short loc_7AEC62
		test	dword ptr [esi+1A8h], 1000h
		jz	short loc_7AEC62
		push	0Ch
		pop	edx
		mov	ecx, esi
		call	PspSendReliableJobNotification

loc_7AEC62:				; CODE XREF: PspJobNotificationWorker+9Aj
					; PspJobNotificationWorker+A6j
		mov	edx, ebx
		mov	ecx, esi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		jmp	short loc_7AEC02
PspJobNotificationWorker endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSendReliableJobNotification proc near ; CODE	XREF: PspEnforceLimitsJobPostCallback+427p
					; PspEvaluateAndNotifyEmptyJob(x,x,x)+7Fp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EB3F3 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], esi
		cmp	edi, 0Bh
		jnz	loc_7AED44
		push	0Ch
		mov	eax, 400Ch

loc_7AEC93:				; CODE XREF: PspSendReliableJobNotification+E0j
					; PspSendReliableJobNotification+EBj
		mov	[ebp+var_4], eax
		lea	eax, [esi+310h]
		mov	edx, [eax]
		pop	ebx
		nop
		mov	edi, [ebp+var_4]
		mov	esi, eax

loc_7AECA5:				; CODE XREF: PspSendReliableJobNotification+13C787j
		mov	ecx, ebx
		mov	eax, edx
		or	ecx, edx
		and	eax, 8
		mov	[ebp+var_8], eax
		jnz	loc_7AED5E

loc_7AECB7:				; CODE XREF: PspSendReliableJobNotification+F4j
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	loc_8EB3F3
		cmp	[ebp+var_8], 0
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_10]
		jnz	short loc_7AED3F
		mov	edx, 624A7350h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		test	ds:_PerfGlobalGroupMask, 80000h
		jnz	loc_8EB3FA

loc_7AECED:				; CODE XREF: PspSendReliableJobNotification+13C795j
		push	dword ptr [esi+218h]
		xor	eax, eax
		push	eax
		push	edi
		push	eax
		push	eax
		push	dword ptr [esi+0D8h]
		push	dword ptr [esi+0D4h]
		call	IoSetIoCompletionEx
		lea	eax, [esi+0E0h]
		mov	[ebp+var_4], eax

loc_7AED13:				; CODE XREF: PspSendReliableJobNotification+CBj
					; PspSendReliableJobNotification+CFj
		mov	esi, [eax]
		mov	ebx, esi
		mov	edi, [eax+4]
		add	ebx, 1
		mov	ecx, edi
		mov	[ebp+var_10], edi
		adc	ecx, 0
		mov	eax, esi
		mov	edx, edi
		nop
		mov	edi, [ebp+var_4]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_10]
		cmp	eax, esi
		mov	eax, [ebp+var_4]
		jnz	short loc_7AED13
		cmp	edx, edi
		jnz	short loc_7AED13

loc_7AED3F:				; CODE XREF: PspSendReliableJobNotification+61j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7AED44:				; CODE XREF: PspSendReliableJobNotification+18j
		mov	eax, 10008h
		push	8
		cmp	edi, 0Ch
		jz	loc_7AEC93
		mov	eax, 8008h
		jmp	loc_7AEC93
; 

loc_7AED5E:				; CODE XREF: PspSendReliableJobNotification+43j
		mov	ecx, edi
		or	ecx, edx
		jmp	loc_7AECB7
PspSendReliableJobNotification endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSetIoCompletionEx proc near		; DATA XREF: .text:00580C9Co

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008EB408 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		mov	al, [eax+15Ah]
		push	0
		push	ecx
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, ds:_IoCompletionObjectType
		push	eax
		push	2
		push	[ebp+arg_0]
		mov	[ebp+var_4], 0
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7AEE2B
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_8]
		push	0
		push	ecx
		mov	[ebp+var_8], 0
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_0], al
		push	[ebp+arg_0]
		mov	eax, ds:dword_70EF24
		push	eax
		push	2
		push	[ebp+arg_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_7AEE1E
		mov	ebx, [ebp+var_8]
		mov	ecx, 1
		xor	eax, eax
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jnz	loc_8EB408
		lea	eax, [ebx+4]
		push	eax
		push	0
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	edi
		call	IoSetIoCompletionEx
		mov	esi, eax
		test	esi, esi
		js	loc_8EB40F

loc_7AEE1E:				; CODE XREF: NtSetIoCompletionEx+74j
					; NtSetIoCompletionEx+13C6A7j ...
		test	edi, edi
		jz	short loc_7AEE29
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7AEE29:				; CODE XREF: NtSetIoCompletionEx+B0j
		mov	eax, esi

loc_7AEE2B:				; CODE XREF: NtSetIoCompletionEx+3Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
NtSetIoCompletionEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpCombineAcls(int,int,void *,int,int,void *)
RtlpCombineAcls	proc near		; CODE XREF: RtlpNewSecurityObject+9ABp
					; RtlpSetSecurityObject+6ABp

var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008EB429 SIZE 00000138 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	[ebp+var_10], esi
		mov	ebx, 2
		mov	[ebp+var_C], ebx
		test	edi, edi
		jnz	short loc_7AEE66
		test	esi, esi
		jz	loc_7AF01C

loc_7AEE66:				; CODE XREF: RtlpCombineAcls+1Cj
					; RtlpCombineAcls+1E0j	...
		mov	[ebp+var_4], 8
		test	edi, edi
		jnz	loc_7AF257

loc_7AEE75:				; CODE XREF: RtlpCombineAcls+428j
					; RtlpCombineAcls+44Fj
		test	esi, esi
		jz	short loc_7AEED2
		xor	ecx, ecx
		lea	edx, [esi+8]
		xor	eax, eax
		mov	[ebp+var_18], ecx
		cmp	ax, [esi+4]
		jnb	short loc_7AEED2
		lea	esp, [esp+0]

loc_7AEE90:				; CODE XREF: RtlpCombineAcls+90j
		cmp	byte ptr [edx],	11h
		jnz	short loc_7AEEC0
		movzx	eax, word ptr [edx+2]
		add	eax, [ebp+var_4]
		cmp	eax, [ebp+var_4]
		jb	loc_8EB433
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	short loc_7AEEB2
		or	dword ptr [eax], 10h

loc_7AEEB2:				; CODE XREF: RtlpCombineAcls+6Dj
		movzx	eax, byte ptr [esi]
		mov	ecx, [ebp+var_18]
		cmp	eax, ebx
		ja	loc_7AF3B7

loc_7AEEC0:				; CODE XREF: RtlpCombineAcls+53j
					; RtlpCombineAcls+57Cj
		movzx	eax, word ptr [edx+2]
		inc	ecx
		add	edx, eax
		mov	[ebp+var_18], ecx
		movzx	eax, word ptr [esi+4]
		cmp	ecx, eax
		jb	short loc_7AEE90

loc_7AEED2:				; CODE XREF: RtlpCombineAcls+37j
					; RtlpCombineAcls+47j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	loc_7AF0D7

loc_7AEEDD:				; CODE XREF: RtlpCombineAcls+2ABj
					; RtlpCombineAcls+2D0j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	loc_7AF118

loc_7AEEE8:				; CODE XREF: RtlpCombineAcls+2ECj
					; RtlpCombineAcls+311j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_7AF058

loc_7AEEF3:				; CODE XREF: RtlpCombineAcls+22Cj
					; RtlpCombineAcls+251j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	loc_7AF159

loc_7AEEFE:				; CODE XREF: RtlpCombineAcls+32Dj
					; RtlpCombineAcls+352j
		mov	ecx, [ebp+var_4]
		lea	ebx, [ecx+3]
		cmp	ebx, ecx
		jb	loc_8EB433
		push	64536553h
		and	ebx, 0FFFFFFFCh
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_8EB4DC
		cmp	ebx, 8
		jb	loc_8EB4E9
		mov	ecx, [ebp+var_C]
		cmp	ecx, 2
		jb	loc_8EB546
		cmp	ecx, 4
		ja	loc_8EB546
		cmp	ebx, 0FFFCh
		ja	loc_8EB546
		push	ebx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		mov	[ebp+var_8], edx
		mov	[ebp+arg_14], edx
		mov	[ecx], al
		movzx	eax, bx
		mov	[ecx+2], ax
		add	eax, ecx
		mov	[ecx+4], edx
		lea	edx, [ecx+8]
		mov	byte ptr [ecx+1], 0
		cmp	edx, eax
		ja	short loc_7AEF87
		mov	[ebp+arg_14], edx

loc_7AEF87:				; CODE XREF: RtlpCombineAcls+142j
		mov	ebx, [ebp+var_4]
		test	edi, edi
		jnz	loc_7AF297

loc_7AEF92:				; CODE XREF: RtlpCombineAcls+468j
					; RtlpCombineAcls+49Bj
		test	esi, esi
		jz	short loc_7AEFDD
		xor	ecx, ecx
		lea	edi, [esi+8]
		xor	eax, eax
		mov	[ebp+var_18], ecx
		cmp	ax, [esi+4]
		jnb	short loc_7AEFDD

loc_7AEFA6:				; CODE XREF: RtlpCombineAcls+19Bj
		cmp	byte ptr [edi],	11h
		movzx	eax, word ptr [edi+2]
		jnz	short loc_7AEFCC
		push	eax		; size_t
		push	edi		; void *
		push	[ebp+arg_14]	; void *
		call	_memcpy
		inc	word ptr [ebx+4]
		add	esp, 0Ch
		movzx	ecx, word ptr [edi+2]
		add	[ebp+arg_14], ecx
		mov	eax, ecx
		mov	ecx, [ebp+var_18]

loc_7AEFCC:				; CODE XREF: RtlpCombineAcls+16Dj
		movzx	eax, ax
		inc	ecx
		add	edi, eax
		mov	[ebp+var_18], ecx
		movzx	eax, word ptr [esi+4]
		cmp	ecx, eax
		jb	short loc_7AEFA6

loc_7AEFDD:				; CODE XREF: RtlpCombineAcls+154j
					; RtlpCombineAcls+164j
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jnz	loc_7AF19A

loc_7AEFE8:				; CODE XREF: RtlpCombineAcls+36Bj
					; RtlpCombineAcls+390j
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jnz	loc_7AF1D8

loc_7AEFF3:				; CODE XREF: RtlpCombineAcls+3A9j
					; RtlpCombineAcls+3CFj
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	loc_7AF099

loc_7AEFFE:				; CODE XREF: RtlpCombineAcls+26Aj
					; RtlpCombineAcls+28Fj
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jnz	loc_7AF217

loc_7AF009:				; CODE XREF: RtlpCombineAcls+40Fj
					; RtlpCombineAcls+617j
		mov	esi, [ebp+var_8]

loc_7AF00C:				; CODE XREF: RtlpCombineAcls+13C5FAj
					; RtlpCombineAcls+13C6A4j ...
		mov	eax, [ebp+arg_10]
		pop	edi
		mov	[eax], ebx
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7AF01C:				; CODE XREF: RtlpCombineAcls+20j
		cmp	[ebp+arg_0], 0
		jnz	loc_7AEE66
		cmp	[ebp+arg_4], 0
		jnz	loc_7AEE66
		cmp	[ebp+arg_8], 0
		jnz	loc_7AEE66
		cmp	[ebp+arg_C], 0
		jnz	loc_7AEE66
		mov	eax, [ebp+arg_10]
		pop	edi
		pop	esi
		pop	ebx
		mov	dword ptr [eax], 0
		xor	eax, eax
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7AF058:				; CODE XREF: RtlpCombineAcls+ADj
		xor	esi, esi
		lea	ecx, [eax+8]
		xor	edx, edx
		mov	[ebp+var_14], ecx
		cmp	si, [eax+4]
		mov	esi, [ebp+var_10]
		mov	[ebp+var_18], edx
		jnb	loc_7AEEF3

loc_7AF072:				; CODE XREF: RtlpCombineAcls+257j
		cmp	byte ptr [ecx],	12h
		jz	loc_7AF34E

loc_7AF07B:				; CODE XREF: RtlpCombineAcls+541j
					; RtlpCombineAcls+13C654j
		movzx	eax, word ptr [ecx+2]
		inc	edx
		add	ecx, eax
		mov	[ebp+var_18], edx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_14], ecx
		movzx	eax, word ptr [eax+4]
		cmp	edx, eax
		jnb	loc_7AEEF3
		jmp	short loc_7AF072
; 

loc_7AF099:				; CODE XREF: RtlpCombineAcls+1B8j
		xor	edx, edx
		lea	ecx, [esi+8]
		xor	eax, eax
		mov	[ebp+arg_C], edx
		mov	[ebp+arg_8], ecx
		cmp	ax, [esi+4]
		jnb	loc_7AEFFE

loc_7AF0B0:				; CODE XREF: RtlpCombineAcls+295j
		cmp	byte ptr [ecx],	12h
		movzx	eax, word ptr [ecx+2]
		jz	loc_7AF38C

loc_7AF0BD:				; CODE XREF: RtlpCombineAcls+572j
		movzx	eax, ax
		inc	edx
		add	ecx, eax
		mov	[ebp+arg_C], edx
		movzx	eax, word ptr [esi+4]
		mov	[ebp+arg_8], ecx
		cmp	edx, eax
		jnb	loc_7AEFFE
		jmp	short loc_7AF0B0
; 

loc_7AF0D7:				; CODE XREF: RtlpCombineAcls+97j
		xor	esi, esi
		lea	ecx, [eax+8]
		xor	edx, edx
		mov	[ebp+var_14], ecx
		cmp	si, [eax+4]
		mov	esi, [ebp+var_10]
		mov	[ebp+var_18], edx
		jnb	loc_7AEEDD

loc_7AF0F1:				; CODE XREF: RtlpCombineAcls+2D6j
		cmp	byte ptr [ecx],	14h
		jz	loc_7AF2E0

loc_7AF0FA:				; CODE XREF: RtlpCombineAcls+4D0j
					; RtlpCombineAcls+13C604j
		movzx	eax, word ptr [ecx+2]
		inc	edx
		add	ecx, eax
		mov	[ebp+var_18], edx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_14], ecx
		movzx	eax, word ptr [eax+4]
		cmp	edx, eax
		jnb	loc_7AEEDD
		jmp	short loc_7AF0F1
; 

loc_7AF118:				; CODE XREF: RtlpCombineAcls+A2j
		xor	esi, esi
		lea	ecx, [eax+8]
		xor	edx, edx
		mov	[ebp+var_14], ecx
		cmp	si, [eax+4]
		mov	esi, [ebp+var_10]
		mov	[ebp+var_18], edx
		jnb	loc_7AEEE8

loc_7AF132:				; CODE XREF: RtlpCombineAcls+317j
		cmp	byte ptr [ecx],	15h
		jz	loc_8EB449

loc_7AF13B:				; CODE XREF: RtlpCombineAcls+13C63Fj
					; RtlpCombineAcls+13C64Aj
		movzx	eax, word ptr [ecx+2]
		inc	edx
		add	ecx, eax
		mov	[ebp+var_18], edx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_14], ecx
		movzx	eax, word ptr [eax+4]
		cmp	edx, eax
		jnb	loc_7AEEE8
		jmp	short loc_7AF132
; 

loc_7AF159:				; CODE XREF: RtlpCombineAcls+B8j
		xor	esi, esi
		lea	ecx, [eax+8]
		xor	edx, edx
		mov	[ebp+var_14], ecx
		cmp	si, [eax+4]
		mov	esi, [ebp+var_10]
		mov	[ebp+var_18], edx
		jnb	loc_7AEEFE

loc_7AF173:				; CODE XREF: RtlpCombineAcls+358j
		cmp	byte ptr [ecx],	13h
		jz	loc_8EB499

loc_7AF17C:				; CODE XREF: RtlpCombineAcls+13C68Cj
					; RtlpCombineAcls+13C697j
		movzx	eax, word ptr [ecx+2]
		inc	edx
		add	ecx, eax
		mov	[ebp+var_18], edx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_14], ecx
		movzx	eax, word ptr [eax+4]
		cmp	edx, eax
		jnb	loc_7AEEFE
		jmp	short loc_7AF173
; 

loc_7AF19A:				; CODE XREF: RtlpCombineAcls+1A2j
		xor	edx, edx
		lea	ecx, [esi+8]
		xor	eax, eax
		mov	[ebp+var_18], edx
		mov	[ebp+arg_8], ecx
		cmp	ax, [esi+4]
		jnb	loc_7AEFE8

loc_7AF1B1:				; CODE XREF: RtlpCombineAcls+396j
		cmp	byte ptr [ecx],	14h
		movzx	eax, word ptr [ecx+2]
		jz	loc_7AF31B

loc_7AF1BE:				; CODE XREF: RtlpCombineAcls+501j
		movzx	eax, ax
		inc	edx
		add	ecx, eax
		mov	[ebp+var_18], edx
		movzx	eax, word ptr [esi+4]
		mov	[ebp+arg_8], ecx
		cmp	edx, eax
		jnb	loc_7AEFE8
		jmp	short loc_7AF1B1
; 

loc_7AF1D8:				; CODE XREF: RtlpCombineAcls+1ADj
		xor	edx, edx
		lea	ecx, [esi+8]
		xor	eax, eax
		mov	[ebp+arg_C], edx
		mov	[ebp+arg_8], ecx
		cmp	ax, [esi+4]
		jnb	loc_7AEFF3
		nop

loc_7AF1F0:				; CODE XREF: RtlpCombineAcls+3D5j
		cmp	byte ptr [ecx],	15h
		movzx	eax, word ptr [ecx+2]
		jz	loc_8EB4F0

loc_7AF1FD:				; CODE XREF: RtlpCombineAcls+13C6D6j
		movzx	eax, ax
		inc	edx
		add	ecx, eax
		mov	[ebp+arg_C], edx
		movzx	eax, word ptr [esi+4]
		mov	[ebp+arg_8], ecx
		cmp	edx, eax
		jnb	loc_7AEFF3
		jmp	short loc_7AF1F0
; 

loc_7AF217:				; CODE XREF: RtlpCombineAcls+1C3j
		xor	edx, edx
		lea	ecx, [esi+8]
		xor	eax, eax
		mov	[ebp+arg_C], edx
		mov	[ebp+arg_8], ecx
		cmp	ax, [esi+4]
		jnb	loc_8EB55A
		mov	edi, edi

loc_7AF230:				; CODE XREF: RtlpCombineAcls+415j
		cmp	byte ptr [ecx],	13h
		movzx	eax, word ptr [ecx+2]
		jz	loc_8EB51B

loc_7AF23D:				; CODE XREF: RtlpCombineAcls+13C701j
		movzx	eax, ax
		inc	edx
		add	ecx, eax
		mov	[ebp+arg_C], edx
		movzx	eax, word ptr [esi+4]
		mov	[ebp+arg_8], ecx
		cmp	edx, eax
		jnb	loc_7AF009
		jmp	short loc_7AF230
; 

loc_7AF257:				; CODE XREF: RtlpCombineAcls+2Fj
		xor	edx, edx
		lea	ecx, [edi+8]
		xor	eax, eax
		mov	[ebp+var_14], edx
		mov	[ebp+var_18], ecx
		cmp	ax, [edi+4]
		jnb	loc_7AEE75
		mov	edi, edi

loc_7AF270:				; CODE XREF: RtlpCombineAcls+455j
		movzx	eax, byte ptr [ecx]
		cmp	eax, 10h
		jbe	loc_7AF3C1

loc_7AF27C:				; CODE XREF: RtlpCombineAcls+587j
					; RtlpCombineAcls+594j	...
		movzx	eax, word ptr [ecx+2]
		inc	edx
		add	ecx, eax
		mov	[ebp+var_14], edx
		movzx	eax, word ptr [edi+4]
		mov	[ebp+var_18], ecx
		cmp	edx, eax
		jnb	loc_7AEE75
		jmp	short loc_7AF270
; 

loc_7AF297:				; CODE XREF: RtlpCombineAcls+14Cj
		xor	edx, edx
		lea	ecx, [edi+8]
		xor	eax, eax
		mov	[ebp+var_14], edx
		mov	[ebp+var_18], ecx
		cmp	ax, [edi+4]
		jnb	loc_7AEF92
		mov	esi, [ebp+arg_14]

loc_7AF2B1:				; CODE XREF: RtlpCombineAcls+493j
		movzx	eax, byte ptr [ecx]
		cmp	eax, 10h
		jbe	loc_7AF412

loc_7AF2BD:				; CODE XREF: RtlpCombineAcls+5D8j
					; RtlpCombineAcls+5E5j
					; DATA XREF: ...
		movzx	eax, word ptr [ecx+2]

loc_7AF2C1:				; CODE XREF: RtlpCombineAcls+610j
		movzx	eax, ax
		inc	edx
		add	ecx, eax
		mov	[ebp+var_14], edx
		movzx	eax, word ptr [edi+4]
		mov	[ebp+var_18], ecx
		cmp	edx, eax
		jb	short loc_7AF2B1
		mov	[ebp+arg_14], esi
		mov	esi, [ebp+var_10]
		jmp	loc_7AEF92
; 

loc_7AF2E0:				; CODE XREF: RtlpCombineAcls+2B4j
		movzx	edx, word ptr [ecx+2]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_7AF455
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jnz	short loc_7AF346

loc_7AF302:				; CODE XREF: RtlpCombineAcls+50Cj
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_18]
		movzx	eax, byte ptr [eax]
		cmp	eax, ebx
		jbe	loc_7AF0FA
		jmp	loc_8EB43F
; 

loc_7AF31B:				; CODE XREF: RtlpCombineAcls+378j
		mov	edi, [ebp+arg_14]
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_8]
		add	esp, 0Ch
		inc	word ptr [ebx+4]
		mov	edx, [ebp+var_18]
		movzx	ecx, word ptr [eax+2]
		add	edi, ecx
		mov	eax, ecx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+arg_14], edi
		jmp	loc_7AF1BE
; 

loc_7AF346:				; CODE XREF: RtlpCombineAcls+4C0j
		or	dword ptr [eax], 80h
		jmp	short loc_7AF302
; 

loc_7AF34E:				; CODE XREF: RtlpCombineAcls+235j
		movzx	edx, word ptr [ecx+2]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_7AF455
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	short loc_7AF373
		or	dword ptr [eax], 20h

loc_7AF373:				; CODE XREF: RtlpCombineAcls+52Ej
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_18]
		movzx	eax, byte ptr [eax]
		cmp	eax, ebx
		jbe	loc_7AF07B
		jmp	loc_8EB48F
; 

loc_7AF38C:				; CODE XREF: RtlpCombineAcls+277j
		mov	edi, [ebp+arg_14]
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_8]
		add	esp, 0Ch
		inc	word ptr [ebx+4]
		mov	edx, [ebp+arg_C]
		movzx	ecx, word ptr [eax+2]
		add	edi, ecx
		mov	eax, ecx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+arg_14], edi
		jmp	loc_7AF0BD
; 

loc_7AF3B7:				; CODE XREF: RtlpCombineAcls+7Aj
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		jmp	loc_7AEEC0
; 

loc_7AF3C1:				; CODE XREF: RtlpCombineAcls+436j
		add	eax, 0FFFFFFFEh
		cmp	eax, 0Eh
		ja	loc_7AF27C
		movzx	eax, ds:byte_7AF464[eax]
		jmp	ds:off_7AF45C[eax*4]

loc_7AF3DB:				; DATA XREF: PAGE:off_7AF45Co
		movzx	edx, word ptr [ecx+2]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		js	short loc_7AF455
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	short loc_7AF3FC
		or	dword ptr [eax], 8

loc_7AF3FC:				; CODE XREF: RtlpCombineAcls+5B7j
		movzx	eax, byte ptr [edi]
		mov	ecx, [ebp+var_18]
		mov	edx, [ebp+var_14]
		cmp	eax, ebx
		jbe	loc_7AF27C
		jmp	loc_8EB429
; 

loc_7AF412:				; CODE XREF: RtlpCombineAcls+477j
		add	eax, 0FFFFFFFEh
		cmp	eax, 0Eh
		ja	loc_7AF2BD
		movzx	eax, ds:byte_7AF47C[eax]
		jmp	ds:off_7AF474[eax*4]

loc_7AF42C:				; DATA XREF: PAGE:off_7AF474o
		movzx	eax, word ptr [ecx+2]
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_18]
		add	esp, 0Ch
		inc	word ptr [ebx+4]
		mov	edx, [ebp+var_14]
		movzx	ecx, word ptr [eax+2]
		add	esi, ecx
		mov	eax, ecx
		mov	ecx, [ebp+var_18]
		jmp	loc_7AF2C1
; 

loc_7AF455:				; CODE XREF: RtlpCombineAcls+4B5j
					; RtlpCombineAcls+523j	...
		xor	ebx, ebx
		jmp	loc_7AF009
RtlpCombineAcls	endp

; 
off_7AF45C	dd offset loc_7AF3DB	; DATA XREF: RtlpCombineAcls+594r
		dd offset loc_7AF27C
byte_7AF464	db 0			; DATA XREF: RtlpCombineAcls+58Dr
		align 2
		dw 101h
		dd 1000001h, 10101h, 90000000h
off_7AF474	dd offset loc_7AF42C	; DATA XREF: RtlpCombineAcls+5E5r
		dd offset loc_7AF2BD
byte_7AF47C	db 0			; DATA XREF: RtlpCombineAcls+5DEr
		align 2
		dw 101h
		dd 1000001h, 10101h, 0CC000000h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReserveWorkingSetSwapSpace(x, x, x, x, x,	x)
_MiReserveWorkingSetSwapSpace@24 proc near ; CODE XREF:	MmOutSwapVirtualAddresses+FBp
					; MmOutSwapWorkingSet+F70EEp

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, ecx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_4], edx
		mov	eax, [ebx+edi*4+0F54h]

loc_7AF4A7:				; CODE XREF: MiReserveWorkingSetSwapSpace(x,x,x,x,x,x)+80j
		cmp	edi, esi
		jz	short loc_7AF4D8
		cmp	esi, 10h
		jz	short loc_7AF4D8
		test	byte ptr [eax+74h], 20h
		mov	ecx, [eax]
		jnz	short loc_7AF50E
		mov	eax, ecx
		shr	eax, 6
		sub	ecx, eax

loc_7AF4BF:				; CODE XREF: MiReserveWorkingSetSwapSpace(x,x,x,x,x,x)+4Fj
					; MiReserveWorkingSetSwapSpace(x,x,x,x,x,x)+84j
		push	ecx
		push	edx
		mov	edx, [ebp+arg_C]
		push	ecx
		push	edi
		mov	ecx, ebx
		call	_MiReserveWorkingSetSwapSpaceRuns@24 ; MiReserveWorkingSetSwapSpaceRuns(x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_7AF4DD

loc_7AF4D1:				; CODE XREF: MiReserveWorkingSetSwapSpace(x,x,x,x,x,x)+8Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7AF4D8:				; CODE XREF: MiReserveWorkingSetSwapSpace(x,x,x,x,x,x)+1Dj
					; MiReserveWorkingSetSwapSpace(x,x,x,x,x,x)+22j
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_7AF4BF
; 

loc_7AF4DD:				; CODE XREF: MiReserveWorkingSetSwapSpace(x,x,x,x,x,x)+43j
		mov	edx, [ebp+var_4]
		push	ecx
		mov	ecx, ebx
		call	_MiFreeReservationRuns@12 ; MiFreeReservationRuns(x,x,x)
		push	50h		; size_t
		push	0		; int
		push	[ebp+var_4]	; void *
		call	_memset
		add	esp, 0Ch
		cmp	edi, esi
		jz	short loc_7AF512
		cmp	esi, 10h
		jnb	short loc_7AF512
		mov	eax, [ebx+esi*4+0F54h]
		mov	edi, esi
		mov	edx, [ebp+var_4]
		jmp	short loc_7AF4A7
; 

loc_7AF50E:				; CODE XREF: MiReserveWorkingSetSwapSpace(x,x,x,x,x,x)+2Aj
		shr	ecx, 1
		jmp	short loc_7AF4BF
; 

loc_7AF512:				; CODE XREF: MiReserveWorkingSetSwapSpace(x,x,x,x,x,x)+6Dj
					; MiReserveWorkingSetSwapSpace(x,x,x,x,x,x)+72j
		mov	eax, 0C0000225h
		jmp	short loc_7AF4D1
_MiReserveWorkingSetSwapSpace@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReserveWorkingSetSwapSpaceRuns(x,	x, x, x, x, x)
_MiReserveWorkingSetSwapSpaceRuns@24 proc near
					; CODE XREF: MiReserveWorkingSetSwapSpace(x,x,x,x,x,x)+3Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_4], eax
		push	esi
		mov	eax, [eax+ecx*4+0F54h]
		push	edi
		mov	edi, edx
		cmp	[eax+18h], edi
		jb	short loc_7AF5AE
		mov	ebx, [ebp+arg_8]
		lea	eax, [ebx+50h]
		mov	[ebp+var_8], eax
		cmp	ebx, eax
		jnb	short loc_7AF5AE
		mov	[ebp+arg_8], 50h

loc_7AF54F:				; CODE XREF: MiReserveWorkingSetSwapSpaceRuns(x,x,x,x,x,x)+92j
		test	edi, edi
		jz	short loc_7AF5AE
		push	0
		push	[ebp+arg_4]
		call	_MiMakePageFilePte@8 ; MiMakePageFilePte(x,x)
		mov	ecx, [ebp+arg_0]
		mov	esi, eax
		and	ecx, 0Fh
		xor	eax, eax
		shld	eax, ecx, 0Ch
		and	esi, 0FFFF0FFFh
		shl	ecx, 0Ch
		or	edx, eax
		or	esi, ecx
		mov	[ebx+4], edx
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		push	29h
		push	edi
		mov	[ebx], esi
		call	MiFindFreePageFileSpace
		mov	ecx, [ebp+arg_8]
		mov	edx, eax
		mov	eax, ecx
		mov	[ebx+8], edx
		sar	eax, 4
		imul	eax, edx
		cmp	eax, edi
		jb	short loc_7AF5AE
		add	ebx, 10h
		sub	ecx, 10h
		sub	edi, edx
		mov	[ebp+arg_8], ecx
		cmp	ebx, [ebp+var_8]
		jb	short loc_7AF54F

loc_7AF5AE:				; CODE XREF: MiReserveWorkingSetSwapSpaceRuns(x,x,x,x,x,x)+1Fj
					; MiReserveWorkingSetSwapSpaceRuns(x,x,x,x,x,x)+2Cj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_MiReserveWorkingSetSwapSpaceRuns@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoWritethroughReparse(x,	x, x, x, x, x, x)
_CmpDoWritethroughReparse@28 proc near	; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1715p
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1C73p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		push	0
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], 0
		push	eax
		mov	ebx, edx
		mov	[ebp+var_C], 0
		mov	edi, ecx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		mov	[ebp+var_8], 0
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		or	eax, 0FFFFFFFFh
		mov	word ptr [ebp+var_20+2], ax
		cmp	[edi+14h], eax
		jz	short loc_7AF613
		mov	esi, 0C0000271h
		jmp	loc_7AF7A7
; 

loc_7AF613:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+47j
		mov	eax, [edi+10h]
		test	dword ptr [eax+980h], 2000h
		jnz	short loc_7AF62C
		mov	esi, 0C0000271h
		jmp	loc_7AF7A7
; 

loc_7AF62C:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+60j
		cmp	[ebp+arg_4], 0
		jz	short loc_7AF695
		mov	eax, [edi+24h]
		cmp	byte ptr [eax+21h], 0
		jz	short loc_7AF645
		mov	esi, 0C0000271h
		jmp	loc_7AF7A7
; 

loc_7AF645:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+79j
		movzx	ecx, word ptr [edi+22h]
		mov	eax, [ebp+arg_0]
		movsx	edx, cx
		cmp	cx, 2
		jle	short loc_7AF65E
		mov	eax, [eax+0Ch]
		mov	edx, [eax+edx*4-0Ch]
		jmp	short loc_7AF661
; 

loc_7AF65E:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+93j
		mov	edx, [eax+edx*4]

loc_7AF661:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+9Cj
		lea	ecx, [ebp+var_20]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7AF67D
		mov	ecx, [ebp+arg_C]
		mov	edx, 10100h
		push	esi
		jmp	loc_7AF7A2
; 

loc_7AF67D:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+ADj
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	CmpIsKeyStackDeleted
		test	al, al
		jz	short loc_7AF695
		mov	esi, 0C0000271h
		jmp	loc_7AF7A7
; 

loc_7AF695:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+70j
					; CmpDoWritethroughReparse(x,x,x,x,x,x,x)+C9j
		movzx	eax, word ptr [edi+22h]
		movsx	ecx, ax
		lfence	eax
		cmp	ax, 2
		jle	short loc_7AF6AE
		mov	eax, [ebx+0Ch]
		mov	esi, [eax+ecx*4-0Ch]
		jmp	short loc_7AF6B1
; 

loc_7AF6AE:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+E3j
		mov	esi, [ebx+ecx*4]

loc_7AF6B1:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+ECj
		mov	ecx, esi
		call	_CmpKeyFullNameLength@4	; CmpKeyFullNameLength(x)
		mov	ebx, eax
		cmp	ebx, 0FFFFh
		jbe	short loc_7AF6D5
		mov	ecx, [ebp+arg_C]
		mov	esi, 0C000000Dh
		push	esi
		mov	edx, 10150h
		jmp	loc_7AF7A2
; 

loc_7AF6D5:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+100j
		mov	edi, [ebp+arg_C]
		test	byte ptr [edi+60h], 1
		jnz	short loc_7AF6EA
		lea	ecx, [edi+64h]
		call	CmpAttachToRegistryProcess
		or	dword ptr [edi+60h], 1

loc_7AF6EA:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+11Cj
		cmp	[ebp+arg_4], 0
		lea	edx, [ebp+var_8]
		jz	short loc_7AF70C
		mov	ecx, [esi+24h]
		call	CmpConstructNameWithStatus
		mov	esi, eax
		test	esi, esi
		jns	short loc_7AF721
		push	esi
		mov	edx, 10200h
		jmp	loc_7AF7A0
; 

loc_7AF70C:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+131j
		mov	ecx, esi
		call	CmpConstructNameWithStatus
		mov	esi, eax
		test	esi, esi
		jns	short loc_7AF721
		push	esi
		mov	edx, 10300h
		jmp	short loc_7AF7A0
; 

loc_7AF721:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+13Fj
					; CmpDoWritethroughReparse(x,x,x,x,x,x,x)+157j
		push	36364D43h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_7AF742
		mov	esi, 0C000009Ah
		mov	edx, 10400h
		push	esi
		jmp	short loc_7AF7A0
; 

loc_7AF742:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+173j
		mov	edx, [ebp+var_8]
		lea	ecx, [ebp+var_10]
		xor	eax, eax
		mov	word ptr [ebp+var_10+2], bx
		mov	word ptr [ebp+var_10], ax
		call	_RtlUnicodeStringCopy@8	; RtlUnicodeStringCopy(x,x)
		cmp	[ebp+arg_4], 0
		jz	short loc_7AF76D
		lea	ecx, [ebp+var_10]
		call	_CmpUnicodeStringAppendCharacter@8 ; CmpUnicodeStringAppendCharacter(x,x)
		mov	edx, [ebp+arg_8]
		call	_RtlUnicodeStringCat@8 ; RtlUnicodeStringCat(x,x)

loc_7AF76D:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+19Bj
		mov	esi, [ebp+arg_10]
		push	0
		mov	eax, [esi+4]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_10]
		mov	[esi], eax
		mov	eax, [ebp+var_C]
		mov	[esi+4], eax
		lea	eax, [ebp+var_10]
		push	0
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		or	dword ptr [edi+14h], 10h
		mov	esi, 368h
		push	esi
		mov	edx, 10500h

loc_7AF7A0:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+147j
					; CmpDoWritethroughReparse(x,x,x,x,x,x,x)+15Fj	...
		mov	ecx, edi

loc_7AF7A2:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+B8j
					; CmpDoWritethroughReparse(x,x,x,x,x,x,x)+110j
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)

loc_7AF7A7:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+4Ej
					; CmpDoWritethroughReparse(x,x,x,x,x,x,x)+67j ...
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_7AF7B6
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7AF7B6:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+1ECj
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_7AF7C2
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_7AF7C2:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+1FBj
		mov	ecx, [ebp+var_14]
		test	ecx, ecx
		jz	short loc_7AF7CE
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_7AF7CE:				; CODE XREF: CmpDoWritethroughReparse(x,x,x,x,x,x,x)+207j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_CmpDoWritethroughReparse@28 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRecordParseFailure(x, x,	x)
_CmpRecordParseFailure@12 proc near	; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+F6p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+470p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_7AF817
		mov	al, [esi+92h]
		cmp	al, 4
		jnb	short loc_7AF817
		movzx	ecx, al
		mov	eax, [ebp+arg_0]
		mov	[esi+ecx*8+94h], eax
		movzx	eax, byte ptr [esi+92h]
		mov	[esi+eax*8+98h], edx
		inc	byte ptr [esi+92h]

loc_7AF817:				; CODE XREF: CmpRecordParseFailure(x,x,x)+Aj
					; CmpRecordParseFailure(x,x,x)+14j
		pop	esi
		pop	ebp
		retn	4
_CmpRecordParseFailure@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtWaitForAlertByThreadId proc near	; DATA XREF: .text:00580BC4o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A2A20
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 0
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jnz	short loc_7AF894

loc_7AF876:				; CODE XREF: NtWaitForAlertByThreadId+76j
					; NtWaitForAlertByThreadId+A1j
		push	[ebp+arg_0]
		mov	cl, bl
		call	KeWaitForAlertByThreadId

loc_7AF880:				; CODE XREF: sub_8EB571+Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7AF894:				; CODE XREF: NtWaitForAlertByThreadId+54j
		test	bl, bl
		jz	short loc_7AF876
		mov	[ebp+var_4], 0
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	short loc_7AF8C3

loc_7AF8A8:				; CODE XREF: NtWaitForAlertByThreadId+A5j
		nop
		mov	eax, [edx]
		mov	ecx, [edx+4]
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], ecx
		lea	edx, [ebp+var_24]
		mov	[ebp+arg_4], edx
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_7AF876
; 

loc_7AF8C3:				; CODE XREF: NtWaitForAlertByThreadId+86j
		mov	edx, eax
		jmp	short loc_7AF8A8
NtWaitForAlertByThreadId endp

; 
		align 10h
; Exported entry 2422. SeAdjustAccessStateForAccessConstraints

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeAdjustAccessStateForAccessConstraints
SeAdjustAccessStateForAccessConstraints	proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EB583 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		or	ebx, 0FFFFFFFFh
		push	edi
		or	edi, 0FFFFFFFFh
		mov	byte ptr [ebp+var_5], 0
		mov	[ebp+var_10], 0
		test	byte ptr [esi+0Ch], 6
		mov	[ebp+var_C], 0
		jnz	short loc_7AF905

loc_7AF8FC:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+9Fj
					; SeAdjustAccessStateForAccessConstraints+B8j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7AF905:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+2Aj
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+2Ch]
		cmp	eax, 1
		jnz	loc_8EB583
		mov	eax, 1120089h
		mov	[ebp+arg_8], eax
		mov	eax, 11F0116h

loc_7AF921:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+13BCC7j
					; SeAdjustAccessStateForAccessConstraints+13BCD1j
		mov	[ebp+arg_0], eax
		mov	eax, [esi+1Ch]
		test	eax, eax
		jnz	short loc_7AF92E
		mov	eax, [esi+24h]

loc_7AF92E:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+59j
		lea	ecx, [ebp+var_10]
		xor	edx, edx
		push	ecx
		mov	ecx, [ebp+arg_4]
		push	1
		push	eax
		call	SepFilterCheck
		cmp	byte ptr [ebp+var_C], 0
		jnz	loc_8EB5A6

loc_7AF949:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+13BCD9j
		mov	ecx, [ebp+arg_4]
		call	_SeGetTrustLabelAce@4 ;	SeGetTrustLabelAce(x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_7AF98D

loc_7AF958:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+E1j
					; SeAdjustAccessStateForAccessConstraints+E9j
		mov	ecx, [ebp+arg_8]
		mov	eax, ebx
		mov	edx, [ebp+arg_0]
		and	eax, edi
		not	eax
		and	ecx, eax
		and	edx, eax
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_7AF971
		cmp	edi, ebx
		jz	short loc_7AF8FC

loc_7AF971:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+9Bj
		mov	ebx, [esi+0Ch]
		mov	eax, [esi+14h]
		test	bl, 2
		jz	short loc_7AF980
		not	ecx
		and	eax, ecx

loc_7AF980:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+AAj
		test	bl, 4
		jnz	short loc_7AF9BB

loc_7AF985:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+EFj
		mov	[esi+14h], eax
		jmp	loc_7AF8FC
; 

loc_7AF98D:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+86j
		lea	ecx, [eax+8]
		mov	[ebp+arg_4], ecx
		test	ecx, ecx
		jz	short loc_7AF9B6
		lea	ecx, [esi+1Ch]
		call	_SepLocateTokenTrustLevel@4 ; SepLocateTokenTrustLevel(x)
		mov	edx, [ebp+arg_4]
		lea	ecx, [ebp+var_5]
		push	ecx
		mov	ecx, eax
		call	_RtlSidDominatesForTrust@12 ; RtlSidDominatesForTrust(x,x,x)
		cmp	byte ptr [ebp+var_5], 0
		jnz	short loc_7AF958
		mov	eax, [ebp+var_C]

loc_7AF9B6:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+C5j
		mov	ebx, [eax+4]
		jmp	short loc_7AF958
; 

loc_7AF9BB:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+B3j
		not	edx
		and	eax, edx
		jmp	short loc_7AF985
SeAdjustAccessStateForAccessConstraints	endp

; 
		align 10h
; Exported entry 2511. SeShouldCheckForAccessRightsFromParent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeShouldCheckForAccessRightsFromParent(x, x, x)
		public _SeShouldCheckForAccessRightsFromParent@12
_SeShouldCheckForAccessRightsFromParent@12 proc	near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	bh, 1
		mov	[ebp+var_8], 0
		xor	bl, bl
		mov	[ebp+var_4], 0
		call	_SeGetTrustLabelAce@4 ;	SeGetTrustLabelAce(x)
		mov	edi, [ebp+arg_8]
		mov	esi, eax
		lea	eax, [esi+8]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jnz	short loc_7AFA41

loc_7AFA05:				; CODE XREF: SeShouldCheckForAccessRightsFromParent(x,x,x)+8Dj
		mov	eax, [edi+1Ch]
		test	eax, eax
		jnz	short loc_7AFA0F
		mov	eax, [edi+24h]

loc_7AFA0F:				; CODE XREF: SeShouldCheckForAccessRightsFromParent(x,x,x)+3Aj
		lea	ecx, [ebp+var_8]
		xor	edx, edx
		push	ecx
		mov	ecx, [ebp+arg_4]
		push	1
		push	eax
		call	SepFilterCheck
		mov	ecx, [edi+10h]
		mov	eax, [ebp+var_8]
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_7AFA2E
		mov	bl, 1

loc_7AFA2E:				; CODE XREF: SeShouldCheckForAccessRightsFromParent(x,x,x)+5Aj
		test	bh, bh
		jz	short loc_7AFA5F
		test	bl, bl
		jz	short loc_7AFA5F
		mov	al, 1

loc_7AFA38:				; CODE XREF: SeShouldCheckForAccessRightsFromParent(x,x,x)+91j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7AFA41:				; CODE XREF: SeShouldCheckForAccessRightsFromParent(x,x,x)+33j
		lea	ecx, [edi+1Ch]
		mov	byte ptr [ebp+arg_8+3],	0
		call	_SepLocateTokenTrustLevel@4 ; SepLocateTokenTrustLevel(x)
		lea	ecx, [ebp+arg_8+3]
		mov	edx, esi
		push	ecx
		mov	ecx, eax
		call	_RtlSidDominatesForTrust@12 ; RtlSidDominatesForTrust(x,x,x)
		mov	bh, byte ptr [ebp+arg_8+3]
		jmp	short loc_7AFA05
; 

loc_7AFA5F:				; CODE XREF: SeShouldCheckForAccessRightsFromParent(x,x,x)+60j
					; SeShouldCheckForAccessRightsFromParent(x,x,x)+64j
		xor	al, al
		jmp	short loc_7AFA38
_SeShouldCheckForAccessRightsFromParent@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAlpcQueryInformation proc near	; DATA XREF: .text:00581204o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008EB5AE SIZE 0000000D BYTES
; FUNCTION CHUNK AT 008EB5E0 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A2A40
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jz	loc_8EB5AE
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_8], al
		test	al, al
		jz	loc_7AFBDB
		mov	[ebp+var_4], 0
		mov	esi, [ebp+arg_4]
		cmp	esi, 3
		jz	short loc_7AFB36
		cmp	esi, 0Bh
		jz	short loc_7AFB36
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	loc_7AFC79
		mov	eax, ebx
		test	bl, 3
		jnz	loc_7AFC84
		lea	edx, [ecx-1]
		add	edx, ebx
		cmp	ebx, edx
		ja	loc_7AFC7F
		cmp	edx, ds:_MmUserProbeAddress
		jnb	loc_7AFC7F
		and	edx, 0FFFFF000h
		add	edx, 1000h

loc_7AFB24:				; CODE XREF: NtAlpcQueryInformation+C4j
		mov	cl, [eax]
		mov	[eax], cl
		and	eax, 0FFFFF000h
		add	eax, 1000h
		cmp	eax, edx
		jnz	short loc_7AFB24

loc_7AFB36:				; CODE XREF: NtAlpcQueryInformation+72j
					; NtAlpcQueryInformation+77j ...
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jnz	loc_7AFC13

loc_7AFB41:				; CODE XREF: NtAlpcQueryInformation+1B3j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7AFB48:				; CODE XREF: NtAlpcQueryInformation+16Ej
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	loc_8EB5E0
		mov	eax, ds:_AlpcPortObjectType
		mov	[ebp+var_1C], 0
		push	0
		lea	edx, [ebp+var_1C]
		push	edx
		push	[ebp+arg_8]
		push	eax
		push	20000h
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edx, eax
		mov	[ebp+arg_4], edx
		mov	edi, [ebp+var_1C]
		test	edx, edx
		js	short loc_7AFBA7

loc_7AFB80:				; CODE XREF: NtAlpcQueryInformation+13BB72j
		test	esi, esi
		jnz	short loc_7AFBE3
		push	ecx
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		mov	edx, ebx
		mov	ecx, edi
		call	AlpcpPortQueryBasicInfo
		mov	edx, eax
		mov	[ebp+arg_4], eax

loc_7AFB99:				; CODE XREF: NtAlpcQueryInformation+1A1j
					; NtAlpcQueryInformation+1CDj ...
		test	edi, edi
		jz	short loc_7AFBA7
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	edx, [ebp+arg_4]

loc_7AFBA7:				; CODE XREF: NtAlpcQueryInformation+10Ej
					; NtAlpcQueryInformation+12Bj ...
		mov	ecx, large fs:124h
		nop
		add	word ptr [ecx+13Ch], 1
		jnz	short loc_7AFBC5
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	loc_7AFC5E

loc_7AFBC5:				; CODE XREF: NtAlpcQueryInformation+147j
					; NtAlpcQueryInformation+1F6j ...
		mov	eax, edx
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7AFBDB:				; CODE XREF: NtAlpcQueryInformation+5Fj
		mov	esi, [ebp+arg_4]
		jmp	loc_7AFB48
; 

loc_7AFBE3:				; CODE XREF: NtAlpcQueryInformation+112j
		add	esi, 0FFFFFFFDh
		cmp	esi, 9
		ja	loc_8EB603
		movzx	eax, ds:byte_7AFCA4[esi]
		jmp	ds:off_7AFC90[eax*4]

loc_7AFBFD:				; DATA XREF: PAGE:007AFC9Co
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		mov	edx, ebx
		mov	ecx, edi
		call	AlpcpPortQueryServerSessionInfo
		mov	edx, eax
		mov	[ebp+arg_4], edx
		jmp	short loc_7AFB99
; 

loc_7AFC13:				; CODE XREF: NtAlpcQueryInformation+CBj
		mov	ecx, eax
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		jnb	short loc_7AFC89

loc_7AFC1F:				; CODE XREF: NtAlpcQueryInformation+21Bj
		mov	eax, [ecx]
		mov	[ecx], eax
		jmp	loc_7AFB41
; 

loc_7AFC28:				; CODE XREF: NtAlpcQueryInformation+186j
					; DATA XREF: PAGE:off_7AFC90o
		push	[ebp+arg_8]
		push	[ebp+arg_10]
		push	ecx
		mov	edx, ebx
		mov	ecx, edi
		call	AlpcpPortQueryConnectedSidInfo
		mov	edx, eax
		mov	[ebp+arg_4], edx
		jmp	loc_7AFB99
; 

loc_7AFC42:				; CODE XREF: NtAlpcQueryInformation+186j
					; DATA XREF: PAGE:007AFC98o
		push	[ebp+arg_8]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		mov	edx, ebx
		mov	ecx, edi
		call	AlpcpWaitForPortReferences
		mov	edx, eax
		mov	[ebp+arg_4], edx
		jmp	loc_7AFB99
; 

loc_7AFC5E:				; CODE XREF: NtAlpcQueryInformation+14Fj
		cmp	word ptr [ecx+13Eh], 0
		jnz	loc_7AFBC5
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		mov	edx, [ebp+arg_4]
		jmp	loc_7AFBC5
; 

loc_7AFC79:				; CODE XREF: NtAlpcQueryInformation+7Ej
		nop
		jmp	loc_7AFB36
; 

loc_7AFC7F:				; CODE XREF: NtAlpcQueryInformation+96j
					; NtAlpcQueryInformation+A2j
		call	_ExRaiseAccessViolation@0 ; ExRaiseAccessViolation()

loc_7AFC84:				; CODE XREF: NtAlpcQueryInformation+89j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7AFC89:				; CODE XREF: NtAlpcQueryInformation+1ADj
		mov	ecx, edx
		jmp	short loc_7AFC1F
NtAlpcQueryInformation endp

; 
		align 10h
off_7AFC90	dd offset loc_7AFC28	; DATA XREF: NtAlpcQueryInformation+186r
		dd offset loc_8EB5E7
		dd offset loc_7AFC42
		dd offset loc_7AFBFD
		dd offset loc_8EB603
byte_7AFCA4	db 0			; DATA XREF: NtAlpcQueryInformation+17Fr
		db 1, 2	dup(4)
		dd 4040404h, 0CCCC0302h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpPortQueryBasicInfo	proc near	; CODE XREF: NtAlpcQueryInformation+11Fp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A2A60
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		test	ecx, ecx
		jz	short loc_7AFD43
		mov	[ebp+var_4], 0
		cmp	[ebp+arg_0], 0Ch
		jb	short loc_7AFD4A
		mov	eax, [ecx+98h]
		and	eax, 3FF0000h
		mov	[edx], eax
		mov	eax, [ecx+0E8h]
		mov	[edx+4], eax
		mov	eax, [ecx+1Ch]
		mov	[edx+8], eax
		xor	ecx, ecx

loc_7AFD14:				; CODE XREF: AlpcpPortQueryBasicInfo+9Fj
		mov	[ebp+var_1C], ecx
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_7AFD3B

loc_7AFD1E:				; CODE XREF: AlpcpPortQueryBasicInfo+91j
					; sub_8EB620+9j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, ecx

loc_7AFD27:				; CODE XREF: AlpcpPortQueryBasicInfo+98j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7AFD3B:				; CODE XREF: AlpcpPortQueryBasicInfo+6Cj
		mov	dword ptr [eax], 0Ch
		jmp	short loc_7AFD1E
; 

loc_7AFD43:				; CODE XREF: AlpcpPortQueryBasicInfo+37j
		mov	eax, 0C000000Dh
		jmp	short loc_7AFD27
; 

loc_7AFD4A:				; CODE XREF: AlpcpPortQueryBasicInfo+44j
		mov	ecx, 0C0000004h
		jmp	short loc_7AFD14
AlpcpPortQueryBasicInfo	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpPortQueryServerSessionInfo	proc near ; CODE XREF: NtAlpcQueryInformation+197p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	10h
		push	offset dword_6A2A80
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		test	ecx, ecx
		jz	loc_7AFE2A
		call	AlpcpReferenceConnectedPort
		mov	edi, eax
		test	edi, edi
		jz	loc_7AFE2A
		lea	ebx, [edi+0D0h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	edx, [edi+0Ch]
		mov	ecx, edx
		and	cl, 1
		movzx	esi, cl
		neg	esi
		sbb	esi, esi
		not	esi
		and	esi, edx
		jz	short loc_7AFDA8
		mov	edx, 63706C41h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag

loc_7AFDA8:				; CODE XREF: AlpcpPortQueryServerSessionInfo+48j
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	short loc_7AFE21

loc_7AFDB6:				; CODE XREF: AlpcpPortQueryServerSessionInfo+D6j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, edi
		call	ObfDereferenceObject
		test	esi, esi
		jz	short loc_7AFE2A
		mov	edi, [esi+0E4h]
		mov	ecx, esi
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ebx, eax
		mov	edx, 63706C41h
		call	ObfDereferenceObjectWithTag
		and	[ebp+ms_exc.disabled], 0
		push	8
		pop	edx
		cmp	[ebp+arg_0], edx
		sbb	eax, eax
		and	eax, 0C0000004h
		cmp	[ebp+arg_0], edx
		jb	short loc_7AFDFF
		mov	ecx, [ebp+var_1C]
		mov	[ecx], ebx
		mov	[ecx+4], edi

loc_7AFDFF:				; CODE XREF: AlpcpPortQueryServerSessionInfo+A3j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_7AFE08
		mov	[ecx], edx

loc_7AFE08:				; CODE XREF: AlpcpPortQueryServerSessionInfo+B2j
					; sub_8EB63C+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7AFE0F:				; CODE XREF: AlpcpPortQueryServerSessionInfo+DDj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7AFE21:				; CODE XREF: AlpcpPortQueryServerSessionInfo+62j
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7AFDB6
; 

loc_7AFE2A:				; CODE XREF: AlpcpPortQueryServerSessionInfo+11j
					; AlpcpPortQueryServerSessionInfo+20j ...
		mov	eax, 0C000000Dh
		jmp	short loc_7AFE0F
AlpcpPortQueryServerSessionInfo	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpPortQueryConnectedSidInfo proc near ; CODE	XREF: NtAlpcQueryInformation+1C3p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008EB647 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 008EB67D SIZE 0000001B BYTES

		push	64h
		push	offset dword_6A2AA0
		call	__SEH_prolog4_GS
		mov	esi, ecx
		mov	[ebp+var_74], esi
		mov	[ebp+var_68], edx
		mov	edi, [ebp+arg_4]
		xor	ebx, ebx
		mov	[ebp+var_64], ebx
		push	44h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_60]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	loc_8EB647
		cmp	[ebp+arg_8], bl
		jz	loc_8EB67D
		mov	[ebp+ms_exc.disabled], ebx
		test	edi, edi
		jnz	loc_8EB651

loc_7AFE79:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+13B821j
		lea	eax, [ebp+var_64]
		push	eax
		push	1
		sub	esp, 0Ch
		mov	dl, [ebp+arg_8]
		mov	ecx, [ebp+var_68]
		call	SeCaptureSid
		mov	[ebp+var_70], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7AFE97:				; CODE XREF: sub_8EB666+12j
		test	eax, eax
		js	loc_7AFF67

loc_7AFE9F:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+13B857j
		mov	edi, ebx
		mov	ecx, [ebp+var_74]
		call	AlpcpReferenceConnectedPort
		mov	esi, eax
		test	esi, esi
		jz	short loc_7AFF01
		lea	ecx, [esi+0D0h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	edx, [esi+0Ch]
		mov	ecx, edx
		and	cl, 1
		movzx	edi, cl
		neg	edi
		sbb	edi, edi
		not	edi
		and	edi, edx
		jz	short loc_7AFEDD
		mov	edx, 63706C41h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag

loc_7AFEDD:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+9Dj
		xor	edx, edx
		push	11h
		pop	eax
		lea	ecx, [esi+0D0h]
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	loc_7AFF79

loc_7AFEF5:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+152j
		call	KeAbPostRelease
		mov	ecx, esi
		call	ObfDereferenceObject

loc_7AFF01:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+7Bj
		test	edi, edi
		jz	loc_8EB68E
		push	edi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		push	ebx
		push	44h
		lea	edx, [ebp+var_60]
		mov	ecx, esi
		call	_SeQueryUserSidToken@16	; SeQueryUserSidToken(x,x,x,x)
		lea	ecx, [edi+12Ch]
		mov	edx, esi
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	esi, ebx
		lea	eax, [ebp+var_60]
		push	eax
		push	[ebp+var_64]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_7AFF89

loc_7AFF3D:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+15Cj
		mov	edx, 63706C41h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_7AFF49:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+13B861j
		mov	eax, [ebp+var_64]
		cmp	eax, [ebp+var_68]
		jz	short loc_7AFF65
		mov	al, [ebp+arg_8]
		test	al, al
		jz	short loc_7AFF5C
		cmp	al, 1
		jnz	short loc_7AFF65

loc_7AFF5C:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+124j
		push	ebx
		push	[ebp+var_64]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7AFF65:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+11Dj
					; AlpcpPortQueryConnectedSidInfo+128j
		mov	eax, esi

loc_7AFF67:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+67j
					; AlpcpPortQueryConnectedSidInfo+13B81Aj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7AFF79:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+BDj
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	ecx, [esi+0D0h]
		jmp	loc_7AFEF5
; 

loc_7AFF89:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+109j
		mov	esi, 0C00002A0h
		jmp	short loc_7AFF3D
AlpcpPortQueryConnectedSidInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpWaitForPortReferences proc	near	; CODE XREF: NtAlpcQueryInformation+1DFp

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008EB6B8 SIZE 000000D4 BYTES

		push	24h
		push	offset dword_6A2AC0
		call	__SEH_prolog4
		mov	ebx, ecx
		mov	[ebp+var_20], ebx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		stosd
		stosd
		test	ebx, ebx
		jz	short loc_7B000C
		cmp	[ebp+arg_0], 4
		jnz	short loc_7B000C
		xor	esi, esi
		cmp	[ebp+arg_8], 0
		jz	loc_8EB6B8
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	short loc_7B0004

loc_7AFFCD:				; CODE XREF: AlpcpWaitForPortReferences+76j
		nop
		mov	eax, [edx]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_7B0008

loc_7AFFDA:				; CODE XREF: AlpcpWaitForPortReferences+7Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7AFFE1:				; CODE XREF: AlpcpWaitForPortReferences+13B732j
					; AlpcpWaitForPortReferences+13B73Aj
		mov	eax, [ebx+0ECh]
		cmp	eax, [ebp+var_24]
		jnz	loc_8EB6CF
		xor	eax, eax

loc_7AFFF2:				; CODE XREF: AlpcpWaitForPortReferences+81j
					; sub_8EB6A6+Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7B0004:				; CODE XREF: AlpcpWaitForPortReferences+3Bj
		mov	edx, eax
		jmp	short loc_7AFFCD
; 

loc_7B0008:				; CODE XREF: AlpcpWaitForPortReferences+48j
		mov	[eax], esi
		jmp	short loc_7AFFDA
; 

loc_7B000C:				; CODE XREF: AlpcpWaitForPortReferences+1Dj
					; AlpcpWaitForPortReferences+23j
		mov	eax, 0C000000Dh
		jmp	short loc_7AFFF2
AlpcpWaitForPortReferences endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocateFixupVad(x)
_MiAllocateFixupVad@4 proc near		; CODE XREF: MiMapViewOfImageSection+81Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], esi
		mov	eax, [esi+2Ch]
		mov	ecx, [eax]

loc_7B0027:				; DATA XREF: PAGE:??_C@_1GK@MCFCFGIP@?$AA?$CI?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4@NNGAKEGL@o
		mov	[ebp+var_8], ecx
		mov	eax, [ecx+38h]
		cmp	dword ptr [eax+10h], 0
		jz	short loc_7B0099
		call	_MiBytesForFixupVad@4 ;	MiBytesForFixupVad(x)
		push	0
		push	40h
		mov	edx, 49646156h
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7B0099
		mov	edx, [ebp+var_8]
		push	edi
		push	13h
		pop	ecx
		mov	edi, ebx
		rep movsd

loc_7B0059:				; DATA XREF: PAGE:??_C@_15JEEKIBPF@?$AA?$FL?$AA?$HL@NNGAKEGL@o
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+30h]
		sub	eax, [edx+54h]
		mov	ecx, [ecx+0Ch]
		sar	eax, 3
		sub	ecx, eax
		mov	eax, [edx]
		shl	ecx, 0Ch
		sub	ecx, [eax+18h]
		mov	[ebx+4Ch], ecx
		lea	ecx, [ebx+50h]
		call	_MiInitializePrivateFixupBitmap@8 ; MiInitializePrivateFixupBitmap(x,x)
		mov	ecx, [ebx+20h]
		xor	ecx, eax
		mov	eax, ebx
		and	ecx, 7FFFFFFFh
		xor	[ebx+20h], ecx
		or	dword ptr [ebx+1Ch], 200000h
		pop	edi

loc_7B0095:				; CODE XREF: MiAllocateFixupVad(x)+87j
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7B0099:				; CODE XREF: MiAllocateFixupVad(x)+1Dj
					; MiAllocateFixupVad(x)+38j
		xor	eax, eax
		jmp	short loc_7B0095
_MiAllocateFixupVad@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializePrivateFixupBitmap(x, x)
_MiInitializePrivateFixupBitmap@8 proc near ; CODE XREF: .text:005634F2p
					; MiAllocateFixupVad(x)+64p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_C], ecx
		push	edi
		push	ecx
		mov	eax, [esi]
		mov	ebx, [esi+38h]
		mov	eax, [eax+4]
		mov	[ecx], eax
		lea	eax, [ecx+8]
		mov	[ecx+4], eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		xor	ecx, ecx
		xor	eax, eax
		add	esi, 50h
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], esi

loc_7B00D3:				; CODE XREF: MiInitializePrivateFixupBitmap(x,x)+88j
		mov	edi, [esi+1Ch]
		mov	edx, [esi+4]
		shl	edi, 3
		lea	ecx, [edi+edx]
		cmp	edx, ecx
		jnb	short loc_7B0120
		dec	edi
		shr	edi, 3
		inc	edi

loc_7B00E8:				; CODE XREF: MiInitializePrivateFixupBitmap(x,x)+7Ej
		mov	ecx, [ebx+10h]
		mov	edx, [ecx]
		cmp	eax, [ecx+1Ch]
		jnb	short loc_7B0140
		xor	esi, esi
		lea	ecx, [edx+eax*4]

loc_7B00F7:				; CODE XREF: MiInitializePrivateFixupBitmap(x,x)+9Bj
		cmp	dword ptr [ecx], 0
		jz	short loc_7B0134
		mov	ecx, [ebp+var_C]
		mov	esi, eax
		shr	esi, 3
		add	esi, [ecx+4]
		mov	ecx, eax
		and	ecx, 7
		movsx	edx, byte ptr [esi]
		bts	edx, ecx
		mov	[esi], dl
		mov	esi, [ebp+var_8]

loc_7B0117:				; CODE XREF: MiInitializePrivateFixupBitmap(x,x)+ABj
		inc	[ebp+var_4]

loc_7B011A:				; CODE XREF: MiInitializePrivateFixupBitmap(x,x)+A9j
		inc	eax
		sub	edi, 1
		jnz	short loc_7B00E8

loc_7B0120:				; CODE XREF: MiInitializePrivateFixupBitmap(x,x)+41j
		mov	esi, [esi+8]
		mov	[ebp+var_8], esi
		test	esi, esi
		jnz	short loc_7B00D3
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7B0134:				; CODE XREF: MiInitializePrivateFixupBitmap(x,x)+5Aj
		inc	esi
		add	ecx, 4
		cmp	esi, 1
		jb	short loc_7B00F7
		mov	esi, [ebp+var_8]

loc_7B0140:				; CODE XREF: MiInitializePrivateFixupBitmap(x,x)+50j
		mov	cl, [esi+10h]
		and	cl, 0Ah
		cmp	cl, 0Ah
		jnz	short loc_7B011A
		jmp	short loc_7B0117
_MiInitializePrivateFixupBitmap@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiBytesForFixupVad(x)
_MiBytesForFixupVad@4 proc near		; CODE XREF: MiAllocateFixupVad(x)+1Fp
					; MiAllocateChildVads+270p ...
		mov	eax, [ecx]
		push	0
		mov	ecx, [eax+4]
		test	cl, 1Fh
		pop	eax
		setnz	al
		shr	ecx, 5
		add	eax, 16h
		add	eax, ecx
		shl	eax, 2
		retn
_MiBytesForFixupVad@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtReleaseSemaphore proc	near		; DATA XREF: .text:00580D8Co

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EB7AE SIZE 0000001A BYTES
; FUNCTION CHUNK AT 008EB7DA SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A2AE0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_20], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_28], al
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jnz	short loc_7B0244

loc_7B01C5:				; CODE XREF: NtReleaseSemaphore+D6j
					; NtReleaseSemaphore+F9j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jle	loc_8EB7AE
		mov	eax, ds:_ExSemaphoreObjectType
		mov	[ebp+var_24], 0
		push	0
		lea	ecx, [ebp+var_24]
		push	ecx
		push	[ebp+var_28]
		push	eax
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+arg_4], eax
		test	esi, esi
		js	short loc_7B022E
		mov	[ebp+var_20], 0
		mov	[ebp+var_4], 1
		push	0
		push	edi
		push	1
		mov	edi, [ebp+var_24]
		push	edi
		call	KeReleaseSemaphore
		mov	[ebp+var_20], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7B021F:				; CODE XREF: NtReleaseSemaphore+154j
		mov	ecx, edi
		call	ObfDereferenceObject
		test	esi, esi
		js	short loc_7B022E
		test	ebx, ebx
		jnz	short loc_7B026E

loc_7B022E:				; CODE XREF: NtReleaseSemaphore+87j
					; NtReleaseSemaphore+B8j ...
		mov	eax, esi

loc_7B0230:				; CODE XREF: sub_8EB79C+Dj
					; NtReleaseSemaphore+13B643j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7B0244:				; CODE XREF: NtReleaseSemaphore+53j
		test	al, al
		jz	loc_7B01C5
		mov	[ebp+var_4], 0
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	short loc_7B02C9

loc_7B025E:				; CODE XREF: NtReleaseSemaphore+15Bj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_7B01C5
; 

loc_7B026E:				; CODE XREF: NtReleaseSemaphore+BCj
		cmp	[ebp+var_19], 0
		jz	loc_8EB7DA
		mov	[ebp+var_4], 2
		mov	eax, [ebp+var_20]
		mov	[ebx], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_7B022E
; 

loc_7B028D:				; DATA XREF: .text:006A2B00o
		mov	edx, [ebp-14h]
		mov	eax, [edx]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		cmp	eax, 0C0000047h
		jnz	loc_8EB7B8
		mov	eax, 1
		retn
; 

loc_7B02A8:				; DATA XREF: .text:006A2B04o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-30h]
		mov	[ebp+0Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp+10h]
		mov	edi, [ebp-24h]
		mov	al, [ebp-28h]
		mov	[ebp-19h], al
		jmp	loc_7B021F
; 

loc_7B02C9:				; CODE XREF: NtReleaseSemaphore+ECj
		mov	ecx, eax
		jmp	short loc_7B025E
NtReleaseSemaphore endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1587. NtSetEvent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtSetEvent
NtSetEvent	proc near		; CODE XREF: VdmpLeaveIcaLock(x)+45p
					; SepAdtInitializeAuditingOptions()+25p
					; DATA XREF: ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A2B18
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_24], al
		mov	[ebp+var_4], 0
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jnz	short loc_7B039B

loc_7B0335:				; CODE XREF: NtSetEvent+BDj
					; NtSetEvent+CEj
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, ds:_ExEventObjectType
		mov	[ebp+var_20], 0
		push	0
		lea	ecx, [ebp+var_20]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+arg_4], esi
		mov	edi, [ebp+var_20]
		test	esi, esi
		js	short loc_7B03BA
		push	0
		push	1
		push	edi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_7B0372:				; CODE XREF: NtSetEvent+DCj
		test	esi, esi
		js	short loc_7B037A
		test	ebx, ebx
		jnz	short loc_7B03B0

loc_7B037A:				; CODE XREF: NtSetEvent+94j
					; NtSetEvent+D8j ...
		test	edi, edi
		jz	short loc_7B0385
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7B0385:				; CODE XREF: NtSetEvent+9Cj
		mov	eax, esi

loc_7B0387:				; CODE XREF: PAGE:008EB81Cj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7B039B:				; CODE XREF: NtSetEvent+53j
		test	al, al
		jz	short loc_7B0335
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	short loc_7B03D0

loc_7B03AA:				; CODE XREF: NtSetEvent+F2j
		mov	eax, [ecx]
		mov	[ecx], eax
		jmp	short loc_7B0335
; 

loc_7B03B0:				; CODE XREF: NtSetEvent+98j
		cmp	[ebp+var_19], 0
		jnz	short loc_7B03BE
		mov	[ebx], eax
		jmp	short loc_7B037A
; 

loc_7B03BA:				; CODE XREF: NtSetEvent+86j
		xor	eax, eax
		jmp	short loc_7B0372
; 

loc_7B03BE:				; CODE XREF: NtSetEvent+D4j
		mov	[ebp+var_4], 1
		mov	[ebx], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_7B037A
; 

loc_7B03D0:				; CODE XREF: NtSetEvent+C8j
		mov	ecx, eax
		jmp	short loc_7B03AA
NtSetEvent	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetOrCreateContextForSiloNoRef proc near ; CODE XREF: CmInitSiloNamespace(x)+Ep
					; CmpInitSiloSupport(x)+2Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EB821 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	[ebp+var_8], esi
		call	_CmpGetContextForSiloNoRef@4 ; CmpGetContextForSiloNoRef(x)
		test	eax, eax
		jnz	short loc_7B044A
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_CmpAllocateSiloContext@8 ; CmpAllocateSiloContext(x,x)
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_7B0433
		mov	edx, _CmpSiloContextSlot
		mov	ecx, [ebp+var_8]
		push	0
		push	edi
		call	PsInsertPermanentSiloContextEx
		mov	esi, eax
		test	esi, esi
		js	short loc_7B041F
		xor	esi, esi

loc_7B041F:				; CODE XREF: CmpGetOrCreateContextForSiloNoRef+47j
		cmp	esi, 0C00000BBh
		jz	loc_8EB821
		test	esi, esi
		js	short loc_7B0433
		xor	esi, esi
		mov	[ebx], edi

loc_7B0433:				; CODE XREF: CmpGetOrCreateContextForSiloNoRef+30j
					; CmpGetOrCreateContextForSiloNoRef+59j ...
		test	edi, edi
		jz	short loc_7B0443
		mov	edx, 20314D43h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_7B0443:				; CODE XREF: CmpGetOrCreateContextForSiloNoRef+61j
					; CmpGetOrCreateContextForSiloNoRef+7Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7B044A:				; CODE XREF: CmpGetOrCreateContextForSiloNoRef+1Dj
		xor	esi, esi
		mov	[ebx], eax
		jmp	short loc_7B0443
CmpGetOrCreateContextForSiloNoRef endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsInsertPermanentSiloContextEx proc near ; CODE	XREF: CmpGetOrCreateContextForSiloNoRef+3Ep
					; PsInsertPermanentSiloContext(x,x,x)+11p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EB832 SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		test	[ebp+arg_4], 0FFFFFFFEh
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	esi, ecx
		jnz	short loc_7B04DE
		mov	eax, ds:dword_717F7C
		test	esi, esi
		jnz	short loc_7B04D2

loc_7B0472:				; CODE XREF: PsInsertPermanentSiloContextEx+88j
		mov	ebx, [ebp+arg_0]
		mov	ecx, ebx
		mov	[ebp+var_4], eax
		call	_PspIsSiloContext@4 ; PspIsSiloContext(x)
		xor	edi, edi
		test	al, al
		jz	short loc_7B04A7
		lea	ecx, [ebx-18h]
		mov	al, [ecx+0Eh]
		test	al, 40h
		jz	short loc_7B04DA
		movzx	eax, al
		and	eax, 7Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		mov	eax, [ecx]
		add	eax, 10h

loc_7B04A3:				; CODE XREF: PsInsertPermanentSiloContextEx+8Cj
		cmp	[eax], esi
		jnz	short loc_7B04DE

loc_7B04A7:				; CODE XREF: PsInsertPermanentSiloContextEx+33j
		test	byte ptr [ebp+arg_4], 1
		jnz	loc_8EB832

loc_7B04B1:				; CODE XREF: PsInsertPermanentSiloContextEx+13B409j
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	ebx
		push	1
		call	PspStorageInsertObject
		mov	ebx, eax

loc_7B04C1:				; CODE XREF: PsInsertPermanentSiloContextEx+13B414j
		test	edi, edi
		jnz	loc_8EB869

loc_7B04C9:				; CODE XREF: PsInsertPermanentSiloContextEx+13B422j
		mov	eax, ebx

loc_7B04CB:				; CODE XREF: PsInsertPermanentSiloContextEx+93j
					; PsInsertPermanentSiloContextEx+13B3EBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7B04D2:				; CODE XREF: PsInsertPermanentSiloContextEx+20j
		mov	eax, [esi+308h]
		jmp	short loc_7B0472
; 

loc_7B04DA:				; CODE XREF: PsInsertPermanentSiloContextEx+3Dj
		mov	eax, edi
		jmp	short loc_7B04A3
; 

loc_7B04DE:				; CODE XREF: PsInsertPermanentSiloContextEx+17j
					; PsInsertPermanentSiloContextEx+55j
		mov	eax, 0C000000Dh
		jmp	short loc_7B04CB
PsInsertPermanentSiloContextEx endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspStorageInsertObject proc near	; CODE XREF: PsInsertSiloContext(x,x,x)+39p
					; PsInsertPermanentSiloContextEx+6Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EB877 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	PspGetStorageArray
		test	eax, eax
		js	short locret_7B055A
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		mov	eax, [ebp+var_8]
		lea	edi, [eax+ecx*8]
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		cmp	[ebp+arg_0], 0
		mov	edx, [ebp+arg_4]
		jz	short loc_7B052E
		or	edx, 1

loc_7B052E:				; CODE XREF: PspStorageInsertObject+43j
		lea	ecx, [edi+4]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		push	11h
		mov	ebx, eax
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_7B055E

loc_7B0547:				; CODE XREF: PspStorageInsertObject+7Fj
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		test	ebx, ebx
		pop	ebx
		jnz	loc_8EB877
		xor	eax, eax

locret_7B055A:				; CODE XREF: PspStorageInsertObject+1Ej
					; PspStorageInsertObject+13B39Ej
		leave
		retn	8
; 

loc_7B055E:				; CODE XREF: PspStorageInsertObject+5Fj
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7B0547
PspStorageInsertObject endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspGetStorageArray proc	near		; CODE XREF: PspStorageMakeSlotReadOnly+18p
					; PspStorageInsertObject+17p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EB889 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	[ebp+arg_4]
		mov	edi, edx
		mov	esi, ecx
		push	ebx
		call	PspGetStorageArrayIfPossible
		cmp	eax, 0C0000225h
		jz	loc_8EB889

loc_7B058B:				; CODE XREF: PspGetStorageArray+13B34Aj
		test	eax, eax
		js	short loc_7B05AF
		mov	edx, dword_6BED3C
		cmp	edi, 20h
		jnb	short loc_7B05B6

loc_7B059A:				; CODE XREF: PspGetStorageArray+54j
		mov	ecx, [ebx]
		mov	eax, ecx
		shr	eax, 5
		and	ecx, 1Fh
		mov	eax, [edx+eax*4]
		sar	eax, cl
		test	al, 1
		jz	short loc_7B05BE
		xor	eax, eax

loc_7B05AF:				; CODE XREF: PspGetStorageArray+25j
					; PspGetStorageArray+13B328j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7B05B6:				; CODE XREF: PspGetStorageArray+30j
		mov	edx, dword_6BED34
		jmp	short loc_7B059A
; 

loc_7B05BE:				; CODE XREF: PspGetStorageArray+43j
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PspGetStorageArray endp


;  S U B	R O U T	I N E 


; __stdcall PspIsSiloContext(x)
_PspIsSiloContext@4 proc near		; CODE XREF: PsInsertSiloContext(x,x,x)+1Dp
					; PsInsertPermanentSiloContextEx+2Ap ...
		lea	eax, [ecx-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [ecx-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, _PsSiloContextNonPagedType
		jnz	short loc_7B05EE

loc_7B05EB:				; CODE XREF: PspIsSiloContext(x)+30j
		mov	al, 1
		retn
; 

loc_7B05EE:				; CODE XREF: PspIsSiloContext(x)+25j
		cmp	eax, _PsSiloContextPagedType
		jz	short loc_7B05EB
		xor	al, al
		retn
_PspIsSiloContext@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAllocateSiloContext(x, x)
_CmpAllocateSiloContext@8 proc near	; CODE XREF: CmpGetOrCreateContextForSiloNoRef+24p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		push	eax
		push	offset _CmpFreeSiloContextCallback@4 ; CmpFreeSiloContextCallback(x)
		push	1
		push	14h
		push	ecx
		mov	esi, edx
		call	PsCreateSiloContext
		test	eax, eax
		js	short loc_7B063B
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		mov	edi, ecx
		mov	[esi], ecx
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ecx+8]
		and	dword ptr [ecx], 0
		mov	[eax+4], eax
		mov	[eax], eax
		xor	eax, eax

loc_7B063B:				; CODE XREF: CmpAllocateSiloContext(x,x)+24j
		pop	edi
		pop	esi
		leave
		retn
_CmpAllocateSiloContext@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1753. PsCreateSiloContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsCreateSiloContext
PsCreateSiloContext proc near		; CODE XREF: CmpAllocateSiloContext(x,x)+1Dp
					; PspAssignSiloSystemRootPath(x,x)+65p	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008EB8B7 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		cmp	[ebp+arg_8], 1
		push	edi
		mov	[ebp+var_4], esi
		jz	short loc_7B06CD
		cmp	[ebp+arg_8], 200h
		jnz	loc_8EB8B7
		mov	edx, _PsSiloContextNonPagedType

loc_7B066B:				; CODE XREF: PsCreateSiloContext+8Fj
		xor	eax, eax
		mov	word ptr [ebp+arg_8], ax
		lea	eax, [ebp+arg_8]
		push	eax
		lea	eax, [ebp+var_4]
		mov	byte ptr [ebp+arg_8+1],	1
		push	eax
		push	esi
		push	esi
		push	[ebp+arg_4]
		push	ecx
		push	esi
		push	esi
		xor	cl, cl
		call	ObCreateObjectEx
		mov	edi, eax
		test	edi, edi
		js	short loc_7B06C4
		mov	edx, [ebp+var_4]
		lea	ecx, [edx-18h]
		mov	bl, [ecx+0Eh]
		test	bl, 40h
		jz	short loc_7B06B4
		movzx	eax, bl
		and	eax, 7Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		mov	esi, [ecx]
		add	esi, 10h

loc_7B06B4:				; CODE XREF: PsCreateSiloContext+5Aj
		mov	eax, [ebp+arg_0]
		mov	[esi], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+4], eax
		mov	eax, [ebp+arg_10]
		mov	[eax], edx

loc_7B06C4:				; CODE XREF: PsCreateSiloContext+4Cj
		mov	eax, edi

loc_7B06C6:				; CODE XREF: PsCreateSiloContext+13B278j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7B06CD:				; CODE XREF: PsCreateSiloContext+12j
		mov	edx, _PsSiloContextPagedType
		jmp	short loc_7B066B
PsCreateSiloContext endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetContextForSiloNoRef(x)
_CmpGetContextForSiloNoRef@4 proc near	; CODE XREF: CmpGetOrCreateContextForSiloNoRef+16p
					; CmpGetOrCreateContextForSiloNoRef+13B452p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		push	_CmpSiloContextSlot
		push	ecx
		call	PsGetPermanentSiloContext
		mov	eax, [ebp+var_4]
		leave
		retn
_CmpGetContextForSiloNoRef@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetRegistryNamespaceRootForSilo proc	near ; CODE XREF: CmpParseKey+30Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EB8C1 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		lea	esp, [esp+0]

loc_7B0710:				; CODE XREF: CmpGetRegistryNamespaceRootForSilo+42j
					; CmpGetRegistryNamespaceRootForSilo+13B1CEj
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], 0
		push	eax
		mov	eax, _CmpSiloContextSlot
		push	eax
		push	esi
		call	PsGetPermanentSiloContext
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_7B073A
		mov	eax, [eax+10h]
		test	eax, eax
		jz	short loc_7B073A
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7B073A:				; CODE XREF: CmpGetRegistryNamespaceRootForSilo+2Cj
					; CmpGetRegistryNamespaceRootForSilo+33j
		test	esi, esi
		jnz	loc_8EB8C1
		jmp	short loc_7B0710
CmpGetRegistryNamespaceRootForSilo endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFindEmptyAddressRangeInTree proc near	; CODE XREF: MiFindEmptyAddressRange+1A6p
					; MiFindEmptyAddressRange+1EAp

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008EB8D3 SIZE 00000084 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	ebx, [edx+0FFFh]
		shr	edi, 0Ch
		mov	esi, ecx
		mov	ecx, [ebp+arg_4]
		mov	eax, edi
		neg	eax
		shr	ecx, 0Ch
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		lea	edx, [edi-1]
		shr	eax, 0Ch
		add	edx, eax
		shr	ebx, 0Ch
		and	edx, [ebp+var_8]
		mov	[ebp+arg_4], ecx
		mov	[ebp+var_4], ebx
		mov	[ebp+arg_0], edx
		test	ecx, ecx
		jnz	loc_8EB8D3

loc_7B0798:				; CODE XREF: MiFindEmptyAddressRangeInTree+13B195j
		mov	ebx, [ebp+arg_C]
		shr	ebx, 0Ch
		cmp	edx, ebx
		ja	loc_7B0881
		mov	eax, ebx
		sub	eax, edx
		inc	eax
		cmp	[ebp+var_4], eax
		ja	loc_7B0881
		mov	eax, [esi]
		test	eax, eax
		jz	loc_8EB8EA
		mov	edi, edi

loc_7B07C0:				; CODE XREF: MiFindEmptyAddressRangeInTree+76j
		mov	esi, eax
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_7B07C0
		mov	eax, [esi+0Ch]
		mov	edx, esi
		mov	ecx, [ebp+arg_0]
		cmp	eax, ecx
		ja	loc_7B0888

loc_7B07D8:				; CODE XREF: MiFindEmptyAddressRangeInTree+E0j
					; MiFindEmptyAddressRangeInTree+13Dj
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jz	short loc_7B0832
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_7B07FA
		lea	esp, [esp+0]

loc_7B07F0:				; CODE XREF: MiFindEmptyAddressRangeInTree+A8j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_7B07F0

loc_7B07FA:				; CODE XREF: MiFindEmptyAddressRangeInTree+97j
					; MiFindEmptyAddressRangeInTree+E8j ...
		test	esi, esi
		jz	loc_8EB91A
		mov	edx, [edx+10h]
		lea	ecx, [edi-1]
		add	edx, edi
		not	ecx
		lea	eax, [edx-1]
		and	eax, ecx
		cmp	eax, [ebp+arg_0]
		jb	short loc_7B0875
		and	ecx, edx

loc_7B0818:				; CODE XREF: MiFindEmptyAddressRangeInTree+12Fj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	loc_8EB908

loc_7B0823:				; CODE XREF: MiFindEmptyAddressRangeInTree+13B1C5j
		cmp	ecx, ebx
		ja	short loc_7B0881
		mov	eax, [esi+0Ch]
		cmp	eax, ecx
		ja	short loc_7B0850

loc_7B082E:				; CODE XREF: MiFindEmptyAddressRangeInTree+107j
					; MiFindEmptyAddressRangeInTree+110j ...
		mov	edx, esi
		jmp	short loc_7B07D8
; 

loc_7B0832:				; CODE XREF: MiFindEmptyAddressRangeInTree+8Fj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	short loc_7B07FA
		lea	ebx, [ebx+0]

loc_7B0840:				; CODE XREF: MiFindEmptyAddressRangeInTree+FCj
		cmp	[esi], ecx
		jz	short loc_7B07FA
		mov	ecx, esi
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_7B0840
		jmp	short loc_7B07FA
; 

loc_7B0850:				; CODE XREF: MiFindEmptyAddressRangeInTree+DCj
		mov	edx, [ebp+var_4]
		sub	eax, ecx
		cmp	edx, eax
		ja	short loc_7B082E
		mov	eax, ebx
		sub	eax, ecx
		inc	eax
		cmp	edx, eax
		ja	short loc_7B082E

loc_7B0862:				; CODE XREF: MiFindEmptyAddressRangeInTree+13B202j
		mov	eax, [ebp+arg_10]
		shl	ecx, 0Ch
		mov	[eax], ecx
		xor	eax, eax

loc_7B086C:				; CODE XREF: MiFindEmptyAddressRangeInTree+136j
					; MiFindEmptyAddressRangeInTree+13B1A4j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7B0875:				; CODE XREF: MiFindEmptyAddressRangeInTree+C4j
		mov	eax, [ebp+arg_0]
		cmp	[esi+0Ch], eax
		jbe	short loc_7B082E
		mov	ecx, eax
		jmp	short loc_7B0818
; 

loc_7B0881:				; CODE XREF: MiFindEmptyAddressRangeInTree+50j
					; MiFindEmptyAddressRangeInTree+5Ej ...
		mov	eax, 0C0000017h
		jmp	short loc_7B086C
; 

loc_7B0888:				; CODE XREF: MiFindEmptyAddressRangeInTree+82j
		sub	eax, ecx
		cmp	[ebp+var_4], eax
		ja	loc_7B07D8
		jmp	loc_8EB8F9
MiFindEmptyAddressRangeInTree endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpReturnMessageOnInsufficientBuffer(x, x, x)
_AlpcpReturnMessageOnInsufficientBuffer@12 proc	near ; CODE XREF: PAGE:0082FB34p
					; PAGE:00832B14p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		mov	ebx, ecx
		mov	esi, edx
		xor	edx, edx
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	edi, [ebx+0D0h]
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebx+0F4h]
		xor	ecx, ecx
		and	eax, 40h
		cmp	[esi+24h], ebx
		jnz	short loc_7B08E8
		test	eax, eax
		jnz	short loc_7B08E0
		inc	word ptr [esi-0Eh]
		mov	edx, esi
		mov	ecx, ebx
		call	_AlpcpInsertMessageCanceledQueue@8 ; AlpcpInsertMessageCanceledQueue(x,x)
		jmp	short loc_7B0928
; 

loc_7B08E0:				; CODE XREF: AlpcpReturnMessageOnInsufficientBuffer(x,x,x)+37j
		mov	[esi+24h], ecx
		mov	[esi+20h], ecx
		jmp	short loc_7B0928
; 

loc_7B08E8:				; CODE XREF: AlpcpReturnMessageOnInsufficientBuffer(x,x,x)+33j
		test	eax, eax
		jz	short loc_7B090F
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_7B0901
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7B0901:				; CODE XREF: AlpcpReturnMessageOnInsufficientBuffer(x,x,x)+60j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, 0C0000700h
		jmp	short loc_7B0957
; 

loc_7B090F:				; CODE XREF: AlpcpReturnMessageOnInsufficientBuffer(x,x,x)+52j
		cmp	[esi+8], ecx
		jz	short loc_7B091B
		mov	ecx, esi
		call	_AlpcpRemoveMessageFromPendingQueue@4 ;	AlpcpRemoveMessageFromPendingQueue(x)

loc_7B091B:				; CODE XREF: AlpcpReturnMessageOnInsufficientBuffer(x,x,x)+7Aj
		inc	word ptr [esi-0Eh]
		mov	edx, esi
		mov	ecx, ebx
		call	_AlpcpInsertMessageLargeMessageQueue@8 ; AlpcpInsertMessageLargeMessageQueue(x,x)

loc_7B0928:				; CODE XREF: AlpcpReturnMessageOnInsufficientBuffer(x,x,x)+46j
					; AlpcpReturnMessageOnInsufficientBuffer(x,x,x)+4Ej
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_7B093D
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7B093D:				; CODE XREF: AlpcpReturnMessageOnInsufficientBuffer(x,x,x)+9Cj
		mov	ecx, edi
		call	KeAbPostRelease
		push	0
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		call	@AlpcpExposeContextAttribute@16	; AlpcpExposeContextAttribute(x,x,x,x)
		mov	eax, 0C0000023h

loc_7B0957:				; CODE XREF: AlpcpReturnMessageOnInsufficientBuffer(x,x,x)+75j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_AlpcpReturnMessageOnInsufficientBuffer@12 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpInsertMessageLargeMessageQueue(x, x)
_AlpcpInsertMessageLargeMessageQueue@8 proc near
					; CODE XREF: AlpcpReturnMessageOnInsufficientBuffer(x,x,x)+8Bp
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		xor	edx, edx
		lea	ecx, [ebx+5Ch]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+14h]
		lea	ecx, [ebx+68h]
		mov	[edi+8], ebx
		and	eax, 0FFFFFF82h
		mov	esi, [ebx+0F4h]
		and	esi, 6
		shl	esi, 2
		or	esi, eax
		or	esi, 2
		mov	[edi+14h], esi
		lea	esi, [ebx+5Ch]
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		mov	[edi], ecx
		mov	eax, [ecx+4]
		mov	[eax], edi
		or	eax, 0FFFFFFFFh
		inc	dword ptr [ebx+108h]
		mov	[ecx+4], edi
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7B09C1

loc_7B09B7:				; CODE XREF: AlpcpInsertMessageLargeMessageQueue(x,x)+6Aj
		pop	edi
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	KeAbPostRelease
; 

loc_7B09C1:				; CODE XREF: AlpcpInsertMessageLargeMessageQueue(x,x)+57j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7B09B7
_AlpcpInsertMessageLargeMessageQueue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpFlushMessagesByRequestor proc near	; CODE XREF: AlpcpFlushMessagesPort(x)+ECp
					; AlpcpFlushMessagesPort(x)+FBp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EB957 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_8], ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], esi
		cmp	ebx, 2
		jbe	short loc_7B0A2F
		xor	eax, eax
		cmp	ebx, 3
		setz	al
		dec	eax
		and	eax, 0Ch
		add	eax, 70h

loc_7B09F2:				; CODE XREF: AlpcpFlushMessagesByRequestor+68j
		push	edi
		lea	ecx, [eax+esi]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+arg_0]
		or	eax, 0FFFFFFFFh
		mov	edi, [ecx]
		cmp	edi, ecx
		jnz	short loc_7B0A43

loc_7B0A09:				; CODE XREF: AlpcpFlushMessagesByRequestor+99j
		push	2
		pop	ecx
		pop	edi
		cmp	ebx, ecx
		ja	short loc_7B0A34
		add	esi, 5Ch

loc_7B0A14:				; CODE XREF: AlpcpFlushMessagesByRequestor+72j
					; AlpcpFlushMessagesByRequestor+77j
		lock xadd [esi], eax
		and	al, 6
		cmp	al, cl
		jz	loc_7B0AD4

loc_7B0A22:				; CODE XREF: AlpcpFlushMessagesByRequestor+111j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7B0A2F:				; CODE XREF: AlpcpFlushMessagesByRequestor+17j
		push	5Ch
		pop	eax
		jmp	short loc_7B09F2
; 

loc_7B0A34:				; CODE XREF: AlpcpFlushMessagesByRequestor+45j
		cmp	ebx, 3
		jz	short loc_7B0A3E
		add	esi, 7Ch
		jmp	short loc_7B0A14
; 

loc_7B0A3E:				; CODE XREF: AlpcpFlushMessagesByRequestor+6Dj
		add	esi, 70h
		jmp	short loc_7B0A14
; 

loc_7B0A43:				; CODE XREF: AlpcpFlushMessagesByRequestor+3Dj
		mov	eax, [ebp+var_8]
		or	esi, 0FFFFFFFFh

loc_7B0A49:				; CODE XREF: AlpcpFlushMessagesByRequestor+91j
		cmp	[edi+0Ch], eax
		jz	short loc_7B0A65
		test	dword ptr [edi+14h], 8000h
		jnz	short loc_7B0A65
		mov	edi, [edi]

loc_7B0A59:				; CODE XREF: AlpcpFlushMessagesByRequestor+108j
		cmp	edi, ecx
		jnz	short loc_7B0A49
		mov	esi, [ebp+var_4]
		or	eax, 0FFFFFFFFh
		jmp	short loc_7B0A09
; 

loc_7B0A65:				; CODE XREF: AlpcpFlushMessagesByRequestor+82j
					; AlpcpFlushMessagesByRequestor+8Bj
		mov	ecx, edi
		call	AlpcpReferenceBlob
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		push	2
		pop	edx
		cmp	ebx, edx
		ja	short loc_7B0AE7
		add	ecx, 5Ch

loc_7B0A7B:				; CODE XREF: AlpcpFlushMessagesByRequestor+125j
					; AlpcpFlushMessagesByRequestor+13Bj
		mov	[ebp+arg_4], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, dl
		jz	short loc_7B0AE0

loc_7B0A88:				; CODE XREF: AlpcpFlushMessagesByRequestor+11Bj
		mov	ecx, [ebp+arg_4]
		call	KeAbPostRelease
		mov	ecx, edi
		call	AlpcpLockForCachedReferenceBlob
		dec	word ptr [edi-0Eh]
		mov	eax, [ebp+var_8]
		cmp	[edi+0Ch], eax
		jnz	loc_8EB957
		mov	edx, edi
		mov	edi, [ebp+var_4]
		push	10000h
		mov	ecx, edi
		call	@AlpcpCancelMessage@12 ; AlpcpCancelMessage(x,x,x)

loc_7B0AB8:				; CODE XREF: AlpcpFlushMessagesByRequestor+13AFA7j
		cmp	ebx, 2
		ja	short loc_7B0AF1
		push	5Ch
		pop	eax

loc_7B0AC0:				; CODE XREF: AlpcpFlushMessagesByRequestor+136j
		lea	ecx, [eax+edi]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_8]
		mov	edi, [ecx]
		jmp	short loc_7B0A59
; 

loc_7B0AD4:				; CODE XREF: AlpcpFlushMessagesByRequestor+52j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7B0A22
; 

loc_7B0AE0:				; CODE XREF: AlpcpFlushMessagesByRequestor+BCj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7B0A88
; 

loc_7B0AE7:				; CODE XREF: AlpcpFlushMessagesByRequestor+ACj
		cmp	ebx, 3
		jnz	short loc_7B0B02
		add	ecx, 70h
		jmp	short loc_7B0A7B
; 

loc_7B0AF1:				; CODE XREF: AlpcpFlushMessagesByRequestor+F1j
		xor	eax, eax
		cmp	ebx, 3
		setz	al
		dec	eax
		and	eax, 0Ch
		add	eax, 70h
		jmp	short loc_7B0AC0
; 

loc_7B0B02:				; CODE XREF: AlpcpFlushMessagesByRequestor+120j
		add	ecx, 7Ch
		jmp	loc_7B0A7B
AlpcpFlushMessagesByRequestor endp

; 
		align 10h
; Exported entry 1508. NtConnectPort

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtConnectPort(x, x,	x, x, x, x, x, x)
		public _NtConnectPort@32
_NtConnectPort@32 proc near		; DATA XREF: .text:00581194o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	NtSecureConnectPort
		pop	ebp
		retn	20h
_NtConnectPort@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSecureConnectPort proc near		; CODE XREF: NtConnectPort(x,x,x,x,x,x,x,x)+1Fp
					; IopConnectLinkTrackingPort(x)+7Cp
					; DATA XREF: ...

var_D8		= dword	ptr -0D8h
var_C0		= dword	ptr -0C0h
var_A8		= dword	ptr -0A8h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 008EB976 SIZE 0000001E BYTES
; FUNCTION CHUNK AT 008EB99D SIZE 00000050 BYTES
; FUNCTION CHUNK AT 008EB9FB SIZE 00000082 BYTES
; FUNCTION CHUNK AT 008EBA99 SIZE 0000000D BYTES

		push	0C8h
		push	offset dword_6A2B40
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_60], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_6C], eax
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_44], esi
		mov	ebx, [ebp+arg_C]
		mov	[ebp+var_74], ebx
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_34], eax
		mov	edx, [ebp+arg_14]
		mov	[ebp+var_4C], edx
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_64], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_48], eax
		mov	ecx, [ebp+arg_20]
		mov	[ebp+var_50], ecx
		xor	eax, eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_94], eax
		mov	[ebp+var_90], eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_88], eax
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_5C], eax
		push	6
		pop	ecx
		lea	edi, [ebp+var_D8]
		rep stosd
		and	[ebp+var_3C], eax
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		and	[ebp+var_54], 0
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	eax, eax
		lea	edi, [ebp+var_A8]
		stosd
		stosd
		stosd
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_C0]
		rep stosd
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_29], al
		mov	byte ptr [ebp+var_70], al
		test	al, al
		jz	loc_7B0EC8
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+var_60]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8EB976

loc_7B0C15:				; CODE XREF: NtSecureConnectPort+13AE40j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [ebp+var_50]
		test	eax, eax
		jz	short loc_7B0C44
		mov	edx, eax
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_8EB97D

loc_7B0C30:				; CODE XREF: NtSecureConnectPort+13AE47j
		nop
		mov	eax, [edx]
		mov	[ebp+var_3C], eax
		push	1
		push	eax
		push	[ebp+var_48]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	edx, [ebp+var_4C]

loc_7B0C44:				; CODE XREF: NtSecureConnectPort+E6j
		test	ebx, ebx
		jz	short loc_7B0C93
		mov	esi, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8EB984

loc_7B0C57:				; CODE XREF: NtSecureConnectPort+13AE4Ej
		push	6
		pop	ecx
		lea	edi, [ebp+var_C0]
		rep movsd
		nop
		cmp	[ebp+var_C0], 18h
		jnz	loc_8EB98B
		test	bl, 3
		jnz	loc_7B0EFB
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8EB9A9

loc_7B0C86:				; CODE XREF: NtSecureConnectPort+13AE74j
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+14h]
		mov	[ebx+14h], al
		mov	esi, [ebp+var_44]

loc_7B0C93:				; CODE XREF: NtSecureConnectPort+10Ej
		test	edx, edx
		jz	short loc_7B0CD3
		mov	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		jnb	loc_8EB9B1

loc_7B0CA7:				; CODE XREF: NtSecureConnectPort+13AE7Bj
		nop
		mov	eax, [eax]
		cmp	eax, 0Ch
		jnz	loc_8EB98B
		test	dl, 3
		jnz	loc_7B0EFB
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_8EB9B8

loc_7B0CC9:				; CODE XREF: NtSecureConnectPort+13AE83j
		mov	al, [edx]
		mov	[edx], al
		mov	al, [edx+8]
		mov	[edx+8], al

loc_7B0CD3:				; CODE XREF: NtSecureConnectPort+15Dj
		mov	edx, [ebp+var_64]
		test	edx, edx
		jz	short loc_7B0CED
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_8EB9C0

loc_7B0CE9:				; CODE XREF: NtSecureConnectPort+13AE8Aj
		mov	eax, [ecx]
		mov	[ecx], eax

loc_7B0CED:				; CODE XREF: NtSecureConnectPort+1A0j
		test	esi, esi
		jz	short loc_7B0D0C
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8EB9C7

loc_7B0D00:				; CODE XREF: NtSecureConnectPort+13AE91j
		mov	esi, ecx
		lea	edi, [ebp+var_28]
		movsd
		movsd
		movsd
		nop
		mov	esi, [ebp+var_44]

loc_7B0D0C:				; CODE XREF: NtSecureConnectPort+1B7j
		mov	eax, [ebp+var_34]
		mov	[ebp+var_38], eax
		test	eax, eax
		jnz	loc_8EB9CE

loc_7B0D1A:				; CODE XREF: NtSecureConnectPort+13AEB0j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_34]

loc_7B0D24:				; CODE XREF: NtSecureConnectPort+3BEj
		push	1
		neg	esi
		sbb	esi, esi
		lea	eax, [ebp+var_28]
		and	esi, eax
		push	esi
		push	[ebp+var_38]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	[ebp+var_6C]
		push	eax
		lea	edx, [ebp+var_40]
		lea	ecx, [ebp+var_58]
		call	AlpcpCreateClientPort
		mov	esi, eax
		mov	[ebp+var_30], esi
		cmp	[ebp+var_38], edi
		jnz	loc_8EB9FB

loc_7B0D56:				; CODE XREF: NtSecureConnectPort+13AECCj
					; NtSecureConnectPort+13AEDCj
		test	esi, esi
		js	loc_7B0EA7
		mov	ax, word ptr [ebp+var_3C]
		mov	word ptr [ebp+var_D8], ax
		mov	edi, ebx
		neg	edi
		sbb	edi, edi
		lea	eax, [ebp+var_C0]
		and	edi, eax
		push	[ebp+var_70]
		push	1
		lea	eax, [ebp+var_54]
		push	eax
		push	edi
		push	0
		lea	eax, [ebp+var_D8]
		push	eax
		push	[ebp+var_48]
		push	[ebp+var_40]
		xor	edx, edx
		lea	ecx, [ebp+var_5C]
		call	AlpcpFormatConnectionRequest
		mov	ebx, eax
		mov	[ebp+var_30], ebx
		test	ebx, ebx
		js	loc_7B0E88
		mov	esi, [ebp+var_5C]
		mov	eax, [esi+90h]
		mov	[ebp+var_34], eax
		cmp	_AlpcpLogEnabled, 0
		jnz	loc_8EBA19

loc_7B0DC0:				; CODE XREF: NtSecureConnectPort+13AEE8j
		mov	eax, [ebp+var_40]
		mov	[ebp+var_9C], eax
		mov	[ebp+var_98], esi
		mov	[ebp+var_84], 20000h
		lea	ecx, [ebp+var_9C]
		call	AlpcpDispatchConnectionRequest
		mov	ebx, eax
		mov	[ebp+var_30], ebx
		test	ebx, ebx
		js	loc_8EBA25
		mov	eax, [ebp+var_4C]
		neg	eax
		sbb	eax, eax
		lea	ecx, [ebp+var_A8]
		and	eax, ecx
		push	eax
		push	edi
		push	[ebp+var_54]
		lea	eax, [ebp+var_3C]
		push	eax
		mov	edx, [ebp+var_48]
		lea	ecx, [ebp+var_9C]
		call	AlpcpReceiveLegacyConnectionReply
		mov	ebx, eax
		mov	[ebp+var_30], ebx
		test	ebx, ebx
		jnz	loc_8EBA54
		cmp	_AlpcpLogEnabled, al
		jnz	loc_8EBA70

loc_7B0E30:				; CODE XREF: NtSecureConnectPort+13AF40j
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_58]
		mov	edx, [ebp+var_60]
		mov	[edx], eax
		mov	edi, [ebp+var_74]
		test	edi, edi
		jz	short loc_7B0E51
		push	6
		pop	ecx
		lea	esi, [ebp+var_C0]
		rep movsd

loc_7B0E51:				; CODE XREF: NtSecureConnectPort+30Cj
		mov	eax, [ebp+var_4C]
		test	eax, eax
		jz	short loc_7B0E63
		lea	esi, [ebp+var_A8]
		mov	edi, eax
		movsd
		movsd
		movsd

loc_7B0E63:				; CODE XREF: NtSecureConnectPort+31Ej
		mov	ecx, [ebp+var_50]
		test	ecx, ecx
		jz	short loc_7B0E6F
		mov	eax, [ebp+var_3C]
		mov	[ecx], eax

loc_7B0E6F:				; CODE XREF: NtSecureConnectPort+330j
		mov	ecx, [ebp+var_64]
		test	ecx, ecx
		jz	short loc_7B0E81
		mov	eax, [ebp+var_40]
		mov	eax, [eax+0A8h]
		mov	[ecx], eax

loc_7B0E81:				; CODE XREF: NtSecureConnectPort+33Cj
					; sub_8EBA8B+9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7B0E88:				; CODE XREF: NtSecureConnectPort+269j
					; NtSecureConnectPort+13AF17j ...
		mov	ecx, [ebp+var_40]
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_54]
		test	ecx, ecx
		jz	short loc_7B0E9F
		xor	edx, edx
		inc	edx
		call	AlpcpDereferenceBlobEx

loc_7B0E9F:				; CODE XREF: NtSecureConnectPort+35Dj
		test	ebx, ebx
		jnz	loc_8EBA99

loc_7B0EA7:				; CODE XREF: NtSecureConnectPort+220j
					; NtSecureConnectPort+13AE6Cj ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_30]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_7B0EC8:				; CODE XREF: NtSecureConnectPort+C3j
		mov	eax, [ebp+var_50]
		test	eax, eax
		jnz	short loc_7B0F00

loc_7B0ECF:				; CODE XREF: NtSecureConnectPort+3CDj
		test	ebx, ebx
		jz	short loc_7B0EE3
		push	6
		pop	ecx
		mov	esi, ebx
		lea	edi, [ebp+var_C0]
		rep movsd
		mov	esi, [ebp+var_44]

loc_7B0EE3:				; CODE XREF: NtSecureConnectPort+399j
		test	esi, esi
		jz	short loc_7B0EF0
		lea	edi, [ebp+var_28]
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_44]

loc_7B0EF0:				; CODE XREF: NtSecureConnectPort+3ADj
		mov	edi, [ebp+var_34]
		mov	[ebp+var_38], edi
		jmp	loc_7B0D24
; 

loc_7B0EFB:				; CODE XREF: NtSecureConnectPort+13Bj
					; NtSecureConnectPort+17Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7B0F00:				; CODE XREF: NtSecureConnectPort+395j
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		jmp	short loc_7B0ECF
NtSecureConnectPort endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpReceiveLegacyConnectionReply proc near ; CODE XREF: NtSecureConnectPort+2DAp

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008EBAA6 SIZE 0000004B BYTES
; FUNCTION CHUNK AT 008EBB0A SIZE 0000001C BYTES

		push	20h
		push	offset dword_6A2B68
		call	__SEH_prolog4
		mov	ebx, edx
		mov	eax, large fs:124h
		mov	dl, [eax+15Ah]
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	edi, [ecx]
		mov	[ebp+var_20], edi
		push	eax
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	@AlpcpReceiveSynchronousReply@20 ; AlpcpReceiveSynchronousReply(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_8EBAA6
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_7B0F69
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_30]
		push	eax
		mov	ecx, [ebp+var_20]
		call	AlpcpQueryRemoteView
		mov	esi, eax
		test	esi, esi
		js	short loc_7B0FC6
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+var_28]
		mov	[ecx+14h], eax

loc_7B0F69:				; CODE XREF: AlpcpReceiveLegacyConnectionReply+3Ej
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_7B0F7E
		mov	eax, [ebp+var_1C]
		mov	edx, [eax+4Ch]
		test	edx, edx
		jnz	loc_8EBAC5

loc_7B0F7E:				; CODE XREF: AlpcpReceiveLegacyConnectionReply+66j
					; AlpcpReceiveLegacyConnectionReply+13ABD2j
		test	ebx, ebx
		jz	short loc_7B0FC6
		and	[ebp+arg_4], 0
		mov	edx, [ebp+var_1C]
		movzx	edi, word ptr [edx+80h]
		mov	eax, edi
		mov	ecx, [ebp+arg_0]
		cmp	[ecx], eax
		jb	loc_8EBADF
		mov	[ecx], eax

loc_7B0F9F:				; CODE XREF: AlpcpReceiveLegacyConnectionReply+13ABE4j
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+var_1C]
		mov	edx, ebx
		cmp	dword ptr [ecx+60h], 0
		jnz	short loc_7B0FEF
		call	@AlpcpReadMessageData@8	; AlpcpReadMessageData(x,x)

loc_7B0FB3:				; CODE XREF: AlpcpReceiveLegacyConnectionReply+ECj
					; sub_8EBAFF+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+arg_4]
		test	cx, cx
		jnz	loc_8EBB0A

loc_7B0FC6:				; CODE XREF: AlpcpReceiveLegacyConnectionReply+56j
					; AlpcpReceiveLegacyConnectionReply+78j ...
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	loc_8EBB19

loc_7B0FD3:				; CODE XREF: AlpcpReceiveLegacyConnectionReply+13AC19j
		mov	ecx, [ebp+var_1C]
		call	AlpcpUnlockBlob

loc_7B0FDB:				; CODE XREF: AlpcpReceiveLegacyConnectionReply+13ABADj
					; AlpcpReceiveLegacyConnectionReply+13ABB8j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7B0FEF:				; CODE XREF: AlpcpReceiveLegacyConnectionReply+A4j
		call	AlpcpGetDataFromUserVaSafe
		jmp	short loc_7B0FB3
AlpcpReceiveLegacyConnectionReply endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtReplyWaitReceivePort(x, x, x, x)
_NtReplyWaitReceivePort@16 proc	near	; DATA XREF: .text:00580D64o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	NtReplyWaitReceivePortEx
		pop	ebp
		retn	10h
_NtReplyWaitReceivePort@16 endp	; sp = -14h

; 
		align 10h

NtReplyWaitReceivePortEx:		; CODE XREF: NtReplyWaitReceivePort(x,x,x,x)+13p
					; NtListenPort+1Bp
					; DATA XREF: ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A2B88
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 38h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	dword ptr [ebp-44h], 0
		mov	dword ptr [ebp-40h], 0
		mov	dword ptr [ebp-3Ch], 0
		mov	dword ptr [ebp-38h], 0
		mov	dword ptr [ebp-34h], 0
		mov	dword ptr [ebp-2Ch], 0
		mov	dword ptr [ebp-28h], 0
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-1Ch], al
		test	al, al
		jz	loc_7B119B
		mov	dword ptr [ebp-4], 0
		mov	ebx, [ebp+14h]
		test	bl, 3
		jnz	loc_7B11A3
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8EBB26

loc_7B10CB:				; CODE XREF: PAGE:008EBB29j
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+14h]
		mov	[ebx+14h], al
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7B10DC:				; CODE XREF: PAGE:007B119Ej
		mov	eax, ds:_AlpcPortObjectType
		mov	dword ptr [ebp-20h], 0
		push	0
		lea	ecx, [ebp-20h]
		push	ecx
		push	dword ptr [ebp-1Ch]
		push	eax
		push	1
		push	dword ptr [ebp+8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7B1137
		mov	edi, [ebp-20h]
		mov	[ebp-48h], edi
		mov	dword ptr [ebp-30h], 0
		mov	edx, [ebp+10h]
		test	edx, edx
		jnz	short loc_7B1159

loc_7B1116:				; CODE XREF: PAGE:007B1194j
		push	dword ptr [ebp+0Ch]
		push	dword ptr [ebp+18h]
		mov	edx, ebx
		lea	ecx, [ebp-48h]
		call	AlpcpReceiveLegacyMessage
		mov	esi, eax
		lea	ecx, [ebp-48h]
		call	AlpcpCompleteDeferSignalRequest
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7B1137:				; CODE XREF: PAGE:007B1100j
					; PAGE:008EBB4Bj ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7B1159:				; CODE XREF: PAGE:007B1114j
		mov	dword ptr [ebp-38h], 0
		mov	dword ptr [ebp-3Ch], 0
		mov	dword ptr [ebp-34h], 0
		push	dword ptr [ebp-1Ch]
		lea	ecx, [ebp-48h]
		test	dword ptr [edi+0F4h], 2000h
		jz	loc_8EBB50
		mov	dword ptr [ebp-30h], 4
		call	_AlpcpReplyLegacySynchronousRequest@12 ; AlpcpReplyLegacySynchronousRequest(x,x,x)

loc_7B1190:				; CODE XREF: PAGE:008EBB5Ej
		mov	esi, eax
		test	esi, esi
		jns	short loc_7B1116
		jmp	loc_8EBB63
; 

loc_7B119B:				; CODE XREF: PAGE:007B10A5j
		mov	ebx, [ebp+14h]
		jmp	loc_7B10DC
; 

loc_7B11A3:				; CODE XREF: PAGE:007B10B8j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dd 2 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpReceiveLegacyMessage proc near	; CODE XREF: PAGE:007B1121p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EBB80 SIZE 00000034 BYTES
; FUNCTION CHUNK AT 008EBBD6 SIZE 00000061 BYTES
; FUNCTION CHUNK AT 008EBC65 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A2BA8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	ebx, edx
		mov	[ebp+var_44], ebx
		mov	esi, ecx
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], 0
		mov	ecx, large fs:124h
		mov	[ebp+var_3C], ecx
		mov	eax, large fs:124h
		mov	dl, [eax+15Ah]
		mov	[ebp+var_19], dl
		mov	[ebp+var_4C], 0
		mov	[ebp+var_48], 0
		mov	eax, [esi]
		mov	[ebp+var_24], eax
		mov	[ebp+var_34], eax
		test	dl, dl
		jz	loc_7B13AE
		mov	[ebp+var_4], 0
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	loc_8EBB80

loc_7B1242:				; CODE XREF: AlpcpReceiveLegacyMessage+13A9F0j
		test	ebx, ebx
		jz	short loc_7B126C
		test	bl, 3
		jnz	loc_7B1448
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8EBBA5

loc_7B125C:				; CODE XREF: AlpcpReceiveLegacyMessage+13A9F8j
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+14h]
		mov	[ebx+14h], al
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_20], ecx

loc_7B126C:				; CODE XREF: AlpcpReceiveLegacyMessage+94j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_7B128C
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_8EBBAD

loc_7B1282:				; CODE XREF: AlpcpReceiveLegacyMessage+13A9FFj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_20], ecx

loc_7B128C:				; CODE XREF: AlpcpReceiveLegacyMessage+C1j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_24]

loc_7B1296:				; CODE XREF: AlpcpReceiveLegacyMessage+20Ej
					; AlpcpReceiveLegacyMessage+218j
		mov	[ebp+var_2C], 0
		mov	eax, [eax+0F4h]
		and	eax, 6
		cmp	al, 6
		jz	loc_7B13CD
		mov	edi, edi

loc_7B12B0:				; CODE XREF: AlpcpReceiveLegacyMessage+27Bj
					; AlpcpReceiveLegacyMessage+13AA82j
		push	0
		lea	eax, [ebp+var_28]
		push	eax
		push	ecx
		mov	dl, [ebp+var_19]
		mov	ecx, esi
		call	@AlpcpReceiveMessagePort@20 ; AlpcpReceiveMessagePort(x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+arg_4], ecx
		test	ecx, ecx
		jnz	loc_7B1386
		mov	esi, [ebp+var_28]
		test	byte ptr [esi+14h], 80h
		jnz	loc_8EBC01
		mov	eax, [ebp+var_3C]
		mov	[esi+6Ch], eax
		mov	[ebp+var_4], 1
		test	ebx, ebx
		jz	short loc_7B134C
		mov	eax, [esi+80h]
		mov	[ebx], eax
		mov	eax, [esi+84h]
		mov	[ebx+4], eax
		mov	eax, [esi+88h]
		mov	[ebx+8], eax
		mov	eax, [esi+8Ch]
		mov	[ebx+0Ch], eax
		mov	eax, [esi+90h]
		mov	[ebx+10h], eax
		mov	eax, [esi+94h]
		mov	[ebx+14h], eax
		mov	eax, [ebp+var_24]
		test	dword ptr [eax+98h], 1000h
		jz	short loc_7B1339
		mov	eax, 0FFFFC00Fh
		and	[ebx+4], ax

loc_7B1339:				; CODE XREF: AlpcpReceiveLegacyMessage+17Ej
		lea	edx, [ebx+18h]
		mov	ecx, esi
		cmp	dword ptr [esi+60h], 0
		jz	short loc_7B13A7
		call	AlpcpGetDataFromUserVaSafe

loc_7B1349:				; CODE XREF: AlpcpReceiveLegacyMessage+1FCj
		mov	ecx, [ebp+arg_4]

loc_7B134C:				; CODE XREF: AlpcpReceiveLegacyMessage+13Aj
		test	edi, edi
		jz	short loc_7B1355
		mov	eax, [esi+40h]
		mov	[edi], eax

loc_7B1355:				; CODE XREF: AlpcpReceiveLegacyMessage+19Ej
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_24]

loc_7B135F:				; CODE XREF: sub_8EBC47+19j
		test	ebx, ebx
		jz	loc_8EBC71
		test	ecx, ecx
		js	loc_8EBC71
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	loc_8EBC65

loc_7B137C:				; CODE XREF: AlpcpReceiveLegacyMessage+13AABCj
		mov	ecx, esi
		call	AlpcpUnlockBlob

loc_7B1383:				; CODE XREF: AlpcpReceiveLegacyMessage+13AAD6j
		mov	ecx, [ebp+arg_4]

loc_7B1386:				; CODE XREF: AlpcpReceiveLegacyMessage+118j
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	loc_7B1430

loc_7B1391:				; CODE XREF: AlpcpReceiveLegacyMessage+28Aj
		mov	eax, ecx

loc_7B1393:				; CODE XREF: sub_8EBBC4+Dj
					; AlpcpReceiveLegacyMessage+13AA4Cj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7B13A7:				; CODE XREF: AlpcpReceiveLegacyMessage+192j
		call	@AlpcpReadMessageData@8	; AlpcpReadMessageData(x,x)
		jmp	short loc_7B1349
; 

loc_7B13AE:				; CODE XREF: AlpcpReceiveLegacyMessage+77j
		mov	edi, [ebp+arg_4]
		test	dword ptr [ecx+58h], 400h
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_20], ecx
		jz	loc_7B1296
		mov	[ebp+var_19], 1
		jmp	loc_7B1296
; 

loc_7B13CD:				; CODE XREF: AlpcpReceiveLegacyMessage+F8j
		mov	eax, [ebp+var_24]
		mov	esi, [eax+8]
		lea	eax, [esi-4]
		mov	[ebp+arg_4], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi]
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_8EBBD6
		mov	ecx, eax
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		test	al, al
		jz	loc_8EBBD6
		xor	ecx, ecx
		mov	eax, 11h
		mov	esi, [ebp+arg_4]
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jnz	short loc_7B143F

loc_7B1411:				; CODE XREF: AlpcpReceiveLegacyMessage+296j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, [ebp+var_2C]
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		mov	[ebp+var_34], ecx
		mov	esi, [ebp+var_30]
		mov	[esi], eax
		mov	ecx, [ebp+var_20]
		jmp	loc_7B12B0
; 

loc_7B1430:				; CODE XREF: AlpcpReceiveLegacyMessage+1DBj
		mov	ecx, eax
		call	ObfDereferenceObject
		mov	ecx, [ebp+arg_4]
		jmp	loc_7B1391
; 

loc_7B143F:				; CODE XREF: AlpcpReceiveLegacyMessage+25Fj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7B1411
; 

loc_7B1448:				; CODE XREF: AlpcpReceiveLegacyMessage+99j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
AlpcpReceiveLegacyMessage endp


;  S U B	R O U T	I N E 


AlpcpCompleteDeferSignalRequest	proc near ; CODE XREF: PAGE:007B112Bp

; FUNCTION CHUNK AT 008EBC8B SIZE 0000001A BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		btr	dword ptr [esi+18h], 2
		setb	al
		test	al, al
		jnz	loc_8EBC8B

loc_7B1463:				; CODE XREF: AlpcpCompleteDeferSignalRequest+13A84Bj
		pop	esi
		retn
AlpcpCompleteDeferSignalRequest	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcpReadMessageData(x, x)
@AlpcpReadMessageData@8	proc near	; CODE XREF: AlpcpProcessConnectionRequest:loc_79BAE9p
					; AlpcpReceiveLegacyConnectionReply+A6p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		call	_AlpcpAvailableBufferSize@4 ; AlpcpAvailableBufferSize(x)
		movzx	esi, word ptr [ecx+80h]
		mov	ebx, eax
		add	ecx, 98h
		cmp	esi, ebx
		ja	short loc_7B1499
		push	esi		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_7B14B6
; 

loc_7B1499:				; CODE XREF: AlpcpReadMessageData(x,x)+24j
		push	ebx		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		sub	esi, ebx
		push	esi		; size_t
		push	dword ptr [eax+78h] ; void *
		lea	eax, [ebx+edi]
		push	eax		; void *
		call	_memcpy
		add	esp, 18h

loc_7B14B6:				; CODE XREF: AlpcpReadMessageData(x,x)+31j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@AlpcpReadMessageData@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpQueryRemoteView proc near		; CODE XREF: AlpcpReceiveLegacyConnectionReply+4Dp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008EBCA5 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ecx+8]
		push	esi
		mov	[ebp+var_4], edx
		xor	edx, edx
		push	edi
		lea	esi, [ebx-4]
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	edi, [ebx]
		test	edi, edi
		jz	loc_8EBCA5
		mov	eax, [ebx+4]
		test	eax, eax
		jz	loc_8EBCA5
		test	dword ptr [edi+0F4h], 1000h
		jnz	short loc_7B1562

loc_7B14F8:				; CODE XREF: AlpcpQueryRemoteView+A8j
		mov	ecx, edi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		xor	ecx, ecx
		test	al, al
		push	11h
		pop	eax
		jz	short loc_7B156F
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jnz	short loc_7B1566

loc_7B1511:				; CODE XREF: AlpcpQueryRemoteView+B1j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ebx, [ebp+var_4]
		mov	ebx, [ebx+8]
		mov	ecx, ebx
		call	AlpcpLockForCachedReferenceBlob
		mov	edx, edi
		mov	ecx, ebx
		call	_AlpcpLocateView@8 ; AlpcpLocateView(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_7B1578
		mov	edx, [ebp+arg_0]
		xor	esi, esi
		mov	dword ptr [edx], 0Ch
		mov	eax, [ecx+14h]
		mov	[edx+8], eax
		mov	eax, [ecx+18h]
		mov	[edx+4], eax

loc_7B154B:				; CODE XREF: AlpcpQueryRemoteView+C1j
		mov	ecx, ebx
		call	AlpcpUnlockBlob
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, esi

loc_7B155B:				; CODE XREF: AlpcpQueryRemoteView+13A80Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7B1562:				; CODE XREF: AlpcpQueryRemoteView+3Aj
		mov	edi, eax
		jmp	short loc_7B14F8
; 

loc_7B1566:				; CODE XREF: AlpcpQueryRemoteView+53j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7B1511
; 

loc_7B156F:				; CODE XREF: AlpcpQueryRemoteView+4Aj
		lock cmpxchg [esi], ecx
		jmp	loc_8EBCAE
; 

loc_7B1578:				; CODE XREF: AlpcpQueryRemoteView+76j
		mov	esi, 0C000009Ah
		jmp	short loc_7B154B
AlpcpQueryRemoteView endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtReplyPort	proc near		; DATA XREF: .text:00580D68o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EBCCB SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 30h
		mov	eax, large fs:124h
		push	esi
		push	edi
		xor	edi, edi
		dec	word ptr [eax+13Ch]
		mov	[esp+38h+var_20], edi
		mov	[esp+38h+var_1C], edi
		mov	[esp+38h+var_18], edi
		mov	[esp+38h+var_14], edi
		mov	[esp+38h+var_10], edi
		mov	[esp+38h+var_8], edi
		mov	[esp+38h+var_4], edi
		nop
		mov	eax, large fs:124h
		lea	ecx, [esp+38h+var_2C]
		push	edi
		push	ecx
		mov	[esp+40h+var_2C], edi
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+40h+var_28], al
		push	[esp+40h+var_28]
		mov	eax, ds:_AlpcPortObjectType
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7B1634
		mov	eax, [esp+38h+var_2C]
		lea	ecx, [esp+38h+var_24]
		mov	edx, [ebp+arg_4]
		mov	[esp+38h+var_24], eax
		mov	[esp+38h+var_C], edi
		test	dword ptr [eax+0F4h], 2000h
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+38h+var_28], al
		push	[esp+38h+var_28]
		jz	loc_8EBCCB
		call	_AlpcpReplyLegacySynchronousRequest@12 ; AlpcpReplyLegacySynchronousRequest(x,x,x)
		mov	esi, eax

loc_7B162B:				; CODE XREF: NtReplyPort+13A761j
					; NtReplyPort+13A76Cj
		mov	ecx, [esp+38h+var_2C]
		call	ObfDereferenceObject

loc_7B1634:				; CODE XREF: NtReplyPort+6Bj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
NtReplyPort	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpReplyLegacySynchronousRequest(x, x, x)
_AlpcpReplyLegacySynchronousRequest@12 proc near ; CODE	XREF: PAGE:007B118Bp
					; NtReplyPort+A4p

var_5C		= dword	ptr -5Ch
var_56		= word ptr -56h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

		push	4Ch
		push	offset dword_6A2BD0
		call	__SEH_prolog4
		mov	[ebp+var_28], edx
		mov	[ebp+var_40], ecx
		xor	eax, eax
		mov	[ebp+var_24], eax
		mov	ebx, [ecx]
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_3C], ebx
		cmp	[ebp+arg_0], al
		jz	short loc_7B16E3
		mov	[ebp+ms_exc.disabled], eax
		mov	esi, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_7B167E
		mov	esi, eax

loc_7B167E:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+30j
		push	6
		pop	ecx
		lea	edi, [ebp+var_5C]
		rep movsd
		nop
		mov	dl, 1
		lea	ecx, [ebp+var_5C]
		call	_AlpcpValidateMessage@8	; AlpcpValidateMessage(x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jns	short loc_7B16A6

loc_7B169A:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+75j
					; AlpcpReplyLegacySynchronousRequest(x,x,x)+97j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7B19FC
; 

loc_7B16A6:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+4Ej
		cmp	[ebp+var_56], 0
		jz	short loc_7B16C1
		lea	edx, [ebp+var_5C]
		mov	ecx, [ebp+var_28]
		call	_AlpcpValidateDataInformation@8	; AlpcpValidateDataInformation(x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		js	short loc_7B169A

loc_7B16C1:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+61j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_7B1704
; 

loc_7B16CA:				; DATA XREF: .text:006A2BE4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7B16D8:				; DATA XREF: .text:006A2BE8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_30]
		mov	[ebp+var_20], esi
		jmp	short loc_7B169A
; 

loc_7B16E3:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+22j
		push	6
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp+var_5C]
		rep movsd
		mov	[ebp+var_48], eax
		mov	dl, 1
		lea	ecx, [ebp+var_5C]
		call	_AlpcpValidateMessage@8	; AlpcpValidateMessage(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7B19FC

loc_7B1704:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+7Ej
		lea	eax, [ebp+var_24]
		push	eax
		push	ecx
		push	[ebp+var_48]
		mov	edx, [ebp+var_4C]
		mov	ecx, ebx
		call	AlpcpLookupMessage
		mov	esi, eax
		test	esi, esi
		js	loc_7B19FC
		mov	edi, [ebp+var_24]
		mov	edx, [edi+14h]
		test	dl, dl
		jns	short loc_7B1742
		push	10000h
		mov	edx, edi
		mov	ecx, ebx
		call	@AlpcpCancelMessage@12 ; AlpcpCancelMessage(x,x,x)
		mov	esi, 0C0000037h
		jmp	loc_7B19FC
; 

loc_7B1742:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+DEj
		test	edx, 200h
		jnz	loc_7B19E0
		cmp	dword ptr [edi+10h], 0
		jz	loc_7B19E0
		mov	esi, [edi+8]
		mov	ecx, edx
		and	ecx, 7
		cmp	esi, ebx
		jz	loc_7B1800
		test	ecx, ecx
		jnz	short loc_7B17DC
		mov	eax, [edi+0Ch]
		mov	dword ptr [ebp+arg_0], eax
		test	eax, eax
		jz	loc_7B19E0
		mov	esi, [eax+8]
		lea	eax, [esi-4]
		mov	[ebp+var_34], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		mov	ecx, dword ptr [ebp+arg_0]
		mov	eax, [ecx+0F4h]
		shr	eax, 1
		and	eax, 3
		sub	eax, 1
		jz	short loc_7B17B5
		sub	eax, 1
		jnz	short loc_7B17B5
		cmp	[esi], ebx
		jz	short loc_7B17B1
		cmp	[esi+4], ebx
		jz	short loc_7B17B1
		xor	bl, bl
		jmp	short loc_7B17BB
; 

loc_7B17B1:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+15Cj
					; AlpcpReplyLegacySynchronousRequest(x,x,x)+161j
		mov	bl, 1
		jmp	short loc_7B17BB
; 

loc_7B17B5:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+153j
					; AlpcpReplyLegacySynchronousRequest(x,x,x)+158j
		cmp	[esi+8], ebx
		setz	bl

loc_7B17BB:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+165j
					; AlpcpReplyLegacySynchronousRequest(x,x,x)+169j
		xor	edx, edx
		push	11h
		pop	eax
		mov	esi, [ebp+var_34]
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_7B17D3
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7B17D3:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+180j
		mov	ecx, esi
		call	KeAbPostRelease
		jmp	short loc_7B1817
; 

loc_7B17DC:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+120j
		mov	eax, [ebx+0F4h]
		and	eax, 6
		cmp	al, 6
		jnz	loc_7B19E0
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_7B19E0
		cmp	[eax], esi
		jnz	loc_7B19E0

loc_7B1800:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+118j
		cmp	ecx, 3
		jnz	loc_7B19E0
		test	edx, 2000h
		jnz	loc_7B19E0
		mov	bl, 1

loc_7B1817:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+190j
		test	bl, bl
		jz	loc_7B19E0
		mov	[ebp+ms_exc.disabled], 1
		mov	esi, [ebp+var_28]
		add	esi, 18h
		movsx	edx, word ptr [ebp+var_5C]
		mov	ecx, edi
		call	_AlpcpAvailableBufferSize@4 ; AlpcpAvailableBufferSize(x)
		cmp	edx, eax
		ja	short loc_7B1850
		push	edx		; size_t
		push	esi		; void *
		lea	eax, [edi+98h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	esi, esi
		jmp	short loc_7B185A
; 

loc_7B1850:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+1EFj
		push	esi		; void *
		mov	ecx, edi
		call	@AlpcpCaptureMessageData@12 ; AlpcpCaptureMessageData(x,x,x)
		mov	esi, eax

loc_7B185A:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+204j
		mov	[ebp+var_20], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_7B188D
; 

loc_7B1866:				; DATA XREF: .text:006A2BF0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_38], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7B1874:				; DATA XREF: .text:006A2BF4o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_38]
		mov	[ebp+var_20], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_24]
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_2C], eax

loc_7B188D:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+21Aj
		test	esi, esi
		jns	short loc_7B18AD
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_7B18A1
		mov	ecx, edi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_7B18A1:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+24Ej
		mov	ecx, edi
		call	AlpcpUnlockBlob
		jmp	loc_7B19FC
; 

loc_7B18AD:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+245j
		or	dword ptr [edi+14h], 8000h
		and	dword ptr [ebp+arg_0], 0
		xor	ecx, ecx
		lea	eax, [ebp+arg_0]
		lock or	[eax], ecx
		mov	esi, [edi+0Ch]
		mov	ecx, edi
		call	_AlpcpRemoveMessageFromPendingQueue@4 ;	AlpcpRemoveMessageFromPendingQueue(x)
		mov	eax, [ebp+var_5C]
		mov	[edi+80h], eax
		push	2
		pop	eax
		mov	[edi+84h], ax
		mov	ecx, large fs:124h
		mov	eax, [ecx+2ACh]
		mov	ebx, [ebp+var_24]
		mov	[ebx+88h], eax
		mov	eax, [ecx+2B0h]
		mov	[ebx+8Ch], eax
		or	dword ptr [edi+14h], 200h
		mov	eax, [edi+14h]
		mov	ecx, [esi+0F4h]
		and	ecx, 6
		shl	ecx, 2
		and	eax, 0FFFFFF87h
		or	ecx, eax
		mov	[edi+14h], ecx
		shr	ecx, 3
		and	ecx, 0Fh
		sub	ecx, 1
		jz	short loc_7B1933
		sub	ecx, 1
		mov	eax, [esi+1Ch]
		mov	[ebx+40h], eax
		jmp	short loc_7B1976
; 

loc_7B1933:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+2DCj
		mov	esi, [esi+8]
		lea	eax, [esi-4]
		mov	dword ptr [ebp+arg_0], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_7B1951
		and	[ebx+40h], eax
		jmp	short loc_7B1957
; 

loc_7B1951:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+300j
		mov	eax, [eax+1Ch]
		mov	[ebx+40h], eax

loc_7B1957:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+305j
		xor	edx, edx
		push	11h
		pop	eax
		mov	esi, dword ptr [ebp+arg_0]
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_7B196F
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7B196F:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+31Cj
		mov	ecx, esi
		call	KeAbPostRelease

loc_7B1976:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+2E7j
		mov	esi, [ebx+10h]
		and	dword ptr [ebx+10h], 0
		dec	word ptr [ebx-0Eh]
		mov	eax, [edi+14h]
		and	eax, 0FFFF7FFDh
		or	eax, 105h
		mov	[edi+14h], eax
		mov	ecx, ebx
		call	_AlpcpClearOwnerPortMessage@4 ;	AlpcpClearOwnerPortMessage(x)
		push	ecx
		mov	edx, [ebp+var_2C]
		mov	ecx, ebx
		call	_AlpcpSetOwnerPortMessage@12 ; AlpcpSetOwnerPortMessage(x,x,x)
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_7B19B3
		mov	ecx, ebx
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_7B19B3:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+360j
		mov	ecx, ebx
		call	AlpcpUnlockBlob
		mov	ecx, [ebp+var_40]
		test	byte ptr [ecx+18h], 4
		jz	short loc_7B19CB
		mov	[ecx+0Ch], esi

loc_7B19C6:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+394j
		mov	esi, [ebp+var_20]
		jmp	short loc_7B19FC
; 

loc_7B19CB:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+377j
		push	2
		push	ecx
		push	1
		lea	ecx, [esi+2B4h]
		xor	edx, edx
		inc	edx
		call	KeReleaseSemaphoreEx
		jmp	short loc_7B19C6
; 

loc_7B19E0:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+FEj
					; AlpcpReplyLegacySynchronousRequest(x,x,x)+108j ...
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_7B19F0
		mov	ecx, edi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_7B19F0:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+39Dj
		mov	ecx, edi
		call	AlpcpUnlockBlob
		mov	esi, 0C0000022h

loc_7B19FC:				; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+57j
					; AlpcpReplyLegacySynchronousRequest(x,x,x)+B4j ...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_AlpcpReplyLegacySynchronousRequest@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcpCancelMessage(x, x, x)
@AlpcpCancelMessage@12 proc near	; CODE XREF: AlpcpFlushQueue+C7p
					; PAGE:0079A6CBp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		mov	edx, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_1C], edx
		mov	eax, [esi+14h]
		mov	ecx, eax
		and	ecx, 80h
		mov	[ebp+var_10], ecx
		mov	ecx, [esi+8]
		mov	[ebp+var_8], ecx
		mov	ecx, eax
		and	ecx, 7
		mov	[ebp+var_18], ecx
		mov	ecx, [edx+0F4h]
		shr	ecx, 1
		and	ecx, 3
		sub	ecx, 1
		jz	loc_7B1B4A
		sub	ecx, 1
		jz	loc_7B1AFA
		and	eax, 78h
		xor	ecx, ecx
		cmp	eax, 8
		mov	[ebp+var_C], eax
		setz	cl
		mov	[ebp+var_4], ecx
		cmp	[ebp+var_10], ebx
		jnz	loc_7B1BFD
		mov	eax, [edx+8]
		xor	edx, edx
		mov	[ebp+var_10], eax
		add	eax, 0FFFFFFFCh
		mov	ecx, eax
		mov	[ebp+var_14], eax
		call	ExAcquirePushLockSharedEx
		test	dword ptr [esi+14h], 200h
		jnz	short loc_7B1AD4
		cmp	[ebp+var_C], 8
		mov	ebx, [ebp+var_10]
		jnz	short loc_7B1AA7
		mov	edi, [ebx+8]
		mov	ebx, edi
		jmp	short loc_7B1AAC
; 

loc_7B1AA7:				; CODE XREF: AlpcpCancelMessage(x,x,x)+8Ej
					; AlpcpCancelMessage(x,x,x)+12Bj
		mov	edi, [ebx]
		mov	ebx, [ebx+4]

loc_7B1AAC:				; CODE XREF: AlpcpCancelMessage(x,x,x)+95j
					; AlpcpCancelMessage(x,x,x)+135j
		test	edi, edi
		jz	short loc_7B1AC0
		mov	ecx, edi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_7B1AC0:				; CODE XREF: AlpcpCancelMessage(x,x,x)+9Ej
		test	ebx, ebx
		jz	short loc_7B1AD4
		mov	ecx, ebx
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	ebx, eax

loc_7B1AD4:				; CODE XREF: AlpcpCancelMessage(x,x,x)+85j
					; AlpcpCancelMessage(x,x,x)+B2j ...
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_7B1AED
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+var_14]

loc_7B1AED:				; CODE XREF: AlpcpCancelMessage(x,x,x)+D3j
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		jmp	loc_7B1BFA
; 

loc_7B1AFA:				; CODE XREF: AlpcpCancelMessage(x,x,x)+49j
		and	eax, 78h
		xor	ecx, ecx
		cmp	eax, 10h
		mov	[ebp+var_C], eax
		setz	cl
		mov	[ebp+var_4], ecx
		cmp	[ebp+var_10], ebx
		jnz	loc_7B1BFD
		mov	eax, [edx+8]
		xor	edx, edx
		mov	[ebp+var_10], eax
		add	eax, 0FFFFFFFCh
		mov	ecx, eax
		mov	[ebp+var_14], eax
		call	ExAcquirePushLockSharedEx
		test	dword ptr [esi+14h], 200h
		jnz	short loc_7B1AD4
		cmp	[ebp+var_C], 10h
		jnz	short loc_7B1B40
		mov	ebx, [ebp+var_10]
		jmp	loc_7B1AA7
; 

loc_7B1B40:				; CODE XREF: AlpcpCancelMessage(x,x,x)+126j
		mov	ebx, [ebp+var_1C]
		mov	edi, ebx
		jmp	loc_7B1AAC
; 

loc_7B1B4A:				; CODE XREF: AlpcpCancelMessage(x,x,x)+40j
		and	eax, 78h
		xor	edx, edx
		cmp	eax, 8
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]
		setz	dl
		mov	ecx, edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_4], ecx
		cmp	[ebp+var_10], ebx
		jnz	loc_7B1C00
		mov	[ebp+var_4], ecx
		test	eax, eax
		jz	loc_7B1C00
		mov	eax, [esi+64h]
		mov	[ebp+var_14], eax
		mov	[ebp+var_4], ecx
		test	eax, eax
		jz	short loc_7B1BFD
		add	eax, 0FFFFFFFCh
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_10], eax
		call	ExAcquirePushLockSharedEx
		test	dword ptr [esi+14h], 200h
		jnz	short loc_7B1BD9
		cmp	[ebp+var_C], 8
		mov	ebx, [ebp+var_14]
		jnz	short loc_7B1BAC
		mov	edi, [ebx+8]
		mov	ebx, edi
		jmp	short loc_7B1BB1
; 

loc_7B1BAC:				; CODE XREF: AlpcpCancelMessage(x,x,x)+193j
		mov	edi, [ebx]
		mov	ebx, [ebx+4]

loc_7B1BB1:				; CODE XREF: AlpcpCancelMessage(x,x,x)+19Aj
		test	edi, edi
		jz	short loc_7B1BC5
		mov	ecx, edi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_7B1BC5:				; CODE XREF: AlpcpCancelMessage(x,x,x)+1A3j
		test	ebx, ebx
		jz	short loc_7B1BD9
		mov	ecx, ebx
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	ebx, eax

loc_7B1BD9:				; CODE XREF: AlpcpCancelMessage(x,x,x)+18Aj
					; AlpcpCancelMessage(x,x,x)+1B7j
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_7B1BF2
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+var_10]

loc_7B1BF2:				; CODE XREF: AlpcpCancelMessage(x,x,x)+1D8j
		call	KeAbPostRelease
		mov	ecx, [ebp+var_1C]

loc_7B1BFA:				; CODE XREF: AlpcpCancelMessage(x,x,x)+E5j
		mov	[ebp+var_4], ecx

loc_7B1BFD:				; CODE XREF: AlpcpCancelMessage(x,x,x)+63j
					; AlpcpCancelMessage(x,x,x)+FEj ...
		mov	eax, [ebp+var_8]

loc_7B1C00:				; CODE XREF: AlpcpCancelMessage(x,x,x)+156j
					; AlpcpCancelMessage(x,x,x)+161j
		test	ecx, ecx
		jnz	short loc_7B1C38
		test	eax, eax
		jz	short loc_7B1C1E
		cmp	[ebp+var_18], 3
		jnz	short loc_7B1C17
		test	dword ptr [esi+14h], 2000h
		jz	short loc_7B1C1E

loc_7B1C17:				; CODE XREF: AlpcpCancelMessage(x,x,x)+1FCj
		xor	edx, edx
		and	[ebp+var_10], edx
		jmp	short loc_7B1C28
; 

loc_7B1C1E:				; CODE XREF: AlpcpCancelMessage(x,x,x)+1F6j
					; AlpcpCancelMessage(x,x,x)+205j
		xor	edx, edx
		mov	[ebp+var_10], 4000002Eh
		inc	edx

loc_7B1C28:				; CODE XREF: AlpcpCancelMessage(x,x,x)+20Cj
		test	[ebp+arg_0], 1
		jz	short loc_7B1C67
		test	edx, edx
		jnz	loc_7B1E6F
		jmp	short loc_7B1C67
; 

loc_7B1C38:				; CODE XREF: AlpcpCancelMessage(x,x,x)+1F2j
		test	eax, eax
		jz	short loc_7B1C50
		cmp	[ebp+var_18], 3
		jnz	short loc_7B1C50
		test	dword ptr [esi+14h], 2000h
		jnz	short loc_7B1C50
		xor	edx, edx
		inc	edx
		jmp	short loc_7B1C52
; 

loc_7B1C50:				; CODE XREF: AlpcpCancelMessage(x,x,x)+22Aj
					; AlpcpCancelMessage(x,x,x)+230j ...
		xor	edx, edx

loc_7B1C52:				; CODE XREF: AlpcpCancelMessage(x,x,x)+23Ej
		test	[ebp+arg_0], 1
		mov	[ebp+var_10], 103h
		jz	short loc_7B1C67
		test	edx, edx
		jz	loc_7B1E6F

loc_7B1C67:				; CODE XREF: AlpcpCancelMessage(x,x,x)+21Cj
					; AlpcpCancelMessage(x,x,x)+226j ...
		or	dword ptr [esi+14h], 80h
		xor	eax, eax
		push	18h
		mov	[esi+80h], ax
		mov	ecx, esi
		pop	eax
		mov	byte ptr [esi+84h], 0
		or	word ptr [esi+84h], 0Ch
		mov	[esi+82h], ax
		call	AlpcpReleaseMessageAttributesOnCancel
		or	dword ptr [esi+14h], 8200h
		mov	eax, 0FFFFDFFFh
		and	[esi+84h], ax
		xor	ecx, ecx
		and	[ebp+var_1C], 0
		lea	eax, [ebp+var_1C]
		lock or	[eax], ecx
		mov	ecx, esi
		call	_AlpcpClearOwnerPortMessage@4 ;	AlpcpClearOwnerPortMessage(x)
		mov	ecx, esi
		call	_AlpcpTransferQuotaMessage@4 ; AlpcpTransferQuotaMessage(x)
		mov	eax, [esi+70h]
		test	eax, eax
		jz	short loc_7B1CDB
		push	dword ptr [esi+90h]
		push	eax
		call	_PsReleaseProcessWakeCounter@8 ; PsReleaseProcessWakeCounter(x,x)
		and	dword ptr [esi+70h], 0

loc_7B1CDB:				; CODE XREF: AlpcpCancelMessage(x,x,x)+2B9j
		mov	eax, [esi+74h]
		test	eax, eax
		jz	short loc_7B1CF2
		push	dword ptr [esi+90h]
		push	eax
		call	_PsReleaseProcessWakeCounter@8 ; PsReleaseProcessWakeCounter(x,x)
		and	dword ptr [esi+74h], 0

loc_7B1CF2:				; CODE XREF: AlpcpCancelMessage(x,x,x)+2D0j
		mov	eax, [esi+10h]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	short loc_7B1D30
		xor	ecx, ecx
		add	eax, 314h
		xchg	ecx, [eax]
		cmp	ecx, esi
		jnz	loc_7B1DB3
		and	dword ptr [esi+10h], 0
		xor	edx, edx
		add	word ptr [esi-0Eh], 0FFFEh
		inc	edx
		push	2
		push	ecx
		mov	ecx, [ebp+var_1C]
		push	edx
		add	ecx, 2B4h
		call	KeReleaseSemaphoreEx
		jmp	loc_7B1DB3
; 

loc_7B1D30:				; CODE XREF: AlpcpCancelMessage(x,x,x)+2EAj
		test	edi, edi
		jz	short loc_7B1DB3
		test	ebx, ebx
		jz	short loc_7B1DB3
		cmp	[ebp+var_4], 0
		jnz	short loc_7B1D48
		test	[ebp+arg_0], 2
		jz	loc_7B1E57

loc_7B1D48:				; CODE XREF: AlpcpCancelMessage(x,x,x)+32Cj
		lea	ecx, [edi+0D0h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		test	byte ptr [edi+0F4h], 40h
		jz	short loc_7B1D84
		push	11h
		xor	edx, edx
		lea	ecx, [edi+0D0h]
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_7B1D7D
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	ecx, [edi+0D0h]

loc_7B1D7D:				; CODE XREF: AlpcpCancelMessage(x,x,x)+360j
		call	KeAbPostRelease
		jmp	short loc_7B1DB3
; 

loc_7B1D84:				; CODE XREF: AlpcpCancelMessage(x,x,x)+34Cj
		inc	word ptr [esi-0Eh]
		xor	eax, eax
		mov	[esi+24h], edi
		inc	eax
		mov	[esi+20h], ebx
		lock xadd [ebx+0E8h], eax
		inc	eax
		mov	[esi+28h], eax
		mov	edx, esi
		mov	eax, [ebx+1Ch]
		mov	ecx, edi
		mov	[esi+44h], eax
		call	_AlpcpInsertMessageCanceledQueue@8 ; AlpcpInsertMessageCanceledQueue(x,x)
		mov	ecx, edi
		call	AlpcpSignalPortAndUnlock

loc_7B1DB3:				; CODE XREF: AlpcpCancelMessage(x,x,x)+2F7j
					; AlpcpCancelMessage(x,x,x)+31Bj ...
		cmp	[ebp+var_4], 0
		jz	loc_7B1E57
		test	dword ptr [ebp+arg_0], 10000h
		jz	loc_7B1E57
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	loc_7B1E57
		mov	eax, [esi+14h]
		and	eax, 7
		cmp	eax, 3
		jnz	short loc_7B1DE9
		mov	ecx, esi
		call	_AlpcpRemoveMessageFromPendingQueue@4 ;	AlpcpRemoveMessageFromPendingQueue(x)
		jmp	short loc_7B1E57
; 

loc_7B1DE9:				; CODE XREF: AlpcpCancelMessage(x,x,x)+3CEj
		xor	edx, edx
		cmp	eax, 4
		jnz	short loc_7B1E1F
		lea	eax, [ecx+7Ch]
		mov	ecx, eax
		mov	dword ptr [ebp+arg_0], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_8]
		dec	dword ptr [ecx+110h]
		and	dword ptr [esi+14h], 0FFFFFFF8h
		and	dword ptr [esi+8], 0
		mov	ecx, [esi+4]
		mov	eax, [esi]
		mov	[ecx], eax
		mov	ecx, [esi]
		mov	eax, [esi+4]
		mov	[ecx+4], eax
		jmp	short loc_7B1E36
; 

loc_7B1E1F:				; CODE XREF: AlpcpCancelMessage(x,x,x)+3DEj
		lea	eax, [ecx+5Ch]
		mov	ecx, eax
		mov	dword ptr [ebp+arg_0], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_AlpcpRemoveMessagePort@8 ; AlpcpRemoveMessagePort(x,x)

loc_7B1E36:				; CODE XREF: AlpcpCancelMessage(x,x,x)+40Dj
		mov	ecx, dword ptr [ebp+arg_0]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7B1E4E
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, dword ptr [ebp+arg_0]

loc_7B1E4E:				; CODE XREF: AlpcpCancelMessage(x,x,x)+434j
		call	KeAbPostRelease
		dec	word ptr [esi-0Eh]

loc_7B1E57:				; CODE XREF: AlpcpCancelMessage(x,x,x)+332j
					; AlpcpCancelMessage(x,x,x)+3A7j ...
		mov	eax, [esi+14h]
		test	eax, 2000h
		jz	short loc_7B1E6F
		and	eax, 7
		cmp	al, 3
		jnz	short loc_7B1E6F
		mov	ecx, esi
		call	_AlpcpRemoveMessageFromPendingQueue@4 ;	AlpcpRemoveMessageFromPendingQueue(x)

loc_7B1E6F:				; CODE XREF: AlpcpCancelMessage(x,x,x)+220j
					; AlpcpCancelMessage(x,x,x)+251j ...
		and	dword ptr [esi+14h], 0FFFF7FFFh
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_7B1E86
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_7B1E86:				; CODE XREF: AlpcpCancelMessage(x,x,x)+46Dj
		mov	ecx, esi
		call	AlpcpUnlockBlob
		test	edi, edi
		jz	short loc_7B1E98
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7B1E98:				; CODE XREF: AlpcpCancelMessage(x,x,x)+47Fj
		test	ebx, ebx
		jz	short loc_7B1EA3
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_7B1EA3:				; CODE XREF: AlpcpCancelMessage(x,x,x)+48Aj
		mov	eax, [ebp+var_10]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
@AlpcpCancelMessage@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall AlpcpTransferQuotaMessage(x)
_AlpcpTransferQuotaMessage@4 proc near	; CODE XREF: AlpcpCancelMessagesByRequestor+19Dp
					; AlpcpCancelMessage(x,x,x)+2AFp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+1Ch]
		test	edi, edi
		jnz	short loc_7B1EBE

loc_7B1EBB:				; CODE XREF: AlpcpTransferQuotaMessage(x)+4Aj
		pop	edi
		pop	esi
		retn
; 

loc_7B1EBE:				; CODE XREF: AlpcpTransferQuotaMessage(x)+Bj
		push	ebx
		mov	ebx, 400h
		test	[esi+14h], ebx
		jnz	short loc_7B1EF7
		cmp	dword ptr [esi+34h], 0
		jnz	short loc_7B1EF7
		cmp	dword ptr [esi+78h], 0
		mov	edx, 198h
		jz	short loc_7B1EDD
		add	edx, [esi+7Ch]

loc_7B1EDD:				; CODE XREF: AlpcpTransferQuotaMessage(x)+2Aj
		push	ecx
		mov	ecx, edi
		call	_PsTransferProcessQuotaToSharedQuota@12	; PsTransferProcessQuotaToSharedQuota(x,x,x)
		mov	edx, 63706C41h
		mov	[esi+1Ch], eax
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		or	[esi+14h], ebx

loc_7B1EF7:				; CODE XREF: AlpcpTransferQuotaMessage(x)+19j
					; AlpcpTransferQuotaMessage(x)+1Fj
		pop	ebx
		jmp	short loc_7B1EBB
_AlpcpTransferQuotaMessage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpDispatchReplyToPort(x)
_AlpcpDispatchReplyToPort@4 proc near	; CODE XREF: AlpcpDispatchMessage(x):loc_79A7C3p
					; PAGE:loc_830E08p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	edx, edx
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], edx
		mov	ecx, [edi+18h]
		mov	esi, [edi+4]
		mov	eax, [edi]
		mov	[ebp+var_10], ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		mov	[edi+10h], edx
		lea	ecx, [ebp+var_4]
		mov	[edi+0Ch], edx
		mov	[edi+14h], edx
		mov	edx, eax
		mov	ebx, [esi+0Ch]
		push	ecx
		mov	ecx, ebx
		mov	[ebp+var_8], eax
		call	AlpcpLockCommunicationInfoForReply
		mov	ecx, eax
		mov	edx, 1000h
		mov	eax, [ebp+var_8]
		mov	[ebp+var_14], ecx
		test	byte ptr [eax+0F4h], 20h
		jz	short loc_7B1F58
		test	[eax+98h], edx
		jz	short loc_7B1F69

loc_7B1F58:				; CODE XREF: AlpcpDispatchReplyToPort(x)+54j
		test	byte ptr [ebx+0F4h], 20h
		jz	short loc_7B1F92
		test	[ebx+98h], edx
		jnz	short loc_7B1F92

loc_7B1F69:				; CODE XREF: AlpcpDispatchReplyToPort(x)+5Cj
		push	11h
		lea	edi, [ecx-4]
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_7B1F81
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7B1F81:				; CODE XREF: AlpcpDispatchReplyToPort(x)+7Ej
		mov	ecx, edi
		call	KeAbPostRelease
		mov	edi, 0C0000037h
		jmp	loc_7B2018
; 

loc_7B1F92:				; CODE XREF: AlpcpDispatchReplyToPort(x)+65j
					; AlpcpDispatchReplyToPort(x)+6Dj
		mov	edx, [ebp+var_4]
		movzx	eax, word ptr [edi+1Ch]
		cmp	eax, [edx+0A8h]
		jbe	short loc_7B1FE1
		push	11h
		lea	edi, [ecx-4]
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_7B1FB9
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7B1FB9:				; CODE XREF: AlpcpDispatchReplyToPort(x)+B6j
		mov	ecx, edi
		call	KeAbPostRelease
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_7B1FD0
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_7B1FD0:				; CODE XREF: AlpcpDispatchReplyToPort(x)+CDj
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	eax, 0C0000023h
		jmp	loc_7B2192
; 

loc_7B1FE1:				; CODE XREF: AlpcpDispatchReplyToPort(x)+A5j
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_4]
		call	AlpcpReferenceReplyTargetPorts
		mov	[ebp+var_18], eax
		test	eax, eax
		jns	short loc_7B202E
		mov	edi, [ebp+var_14]
		xor	edx, edx
		push	11h
		add	edi, 0FFFFFFFCh
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_7B200E
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7B200E:				; CODE XREF: AlpcpDispatchReplyToPort(x)+10Bj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	edi, [ebp+var_18]

loc_7B2018:				; CODE XREF: AlpcpDispatchReplyToPort(x)+93j
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	10000h
		call	@AlpcpCancelMessage@12 ; AlpcpCancelMessage(x,x,x)
		mov	eax, edi
		jmp	loc_7B2192
; 

loc_7B202E:				; CODE XREF: AlpcpDispatchReplyToPort(x)+F7j
		and	dword ptr [esi+6Ch], 0
		cmp	word ptr [edi+1Eh], 0Bh
		jnz	short loc_7B2070
		lea	eax, [ebx+0D0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_18], eax
		call	ExAcquirePushLockExclusiveEx
		and	dword ptr [ebx+0F4h], 0FFFFFFF7h
		or	eax, 0FFFFFFFFh
		mov	ebx, [ebp+var_18]
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7B2069
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_7B2069:				; CODE XREF: AlpcpDispatchReplyToPort(x)+166j
		mov	ecx, ebx
		call	KeAbPostRelease

loc_7B2070:				; CODE XREF: AlpcpDispatchReplyToPort(x)+13Dj
		mov	edx, large fs:124h
		mov	ax, [edi+1Ch]
		mov	[esi+82h], ax
		mov	ax, [edi+1Ch]
		sub	ax, 18h
		mov	[ebp+var_1C], edx
		test	[ebp+var_10], 10000h
		mov	[esi+80h], ax
		movzx	eax, word ptr [edi+1Eh]
		mov	ecx, eax
		mov	[esi+84h], ax
		mov	ax, [edi+20h]
		mov	[esi+86h], ax
		mov	eax, [edx+2ACh]
		mov	[esi+88h], eax
		mov	eax, [edx+2B0h]
		mov	[esi+8Ch], eax
		mov	eax, [esi+14h]
		jz	short loc_7B20DD
		and	ecx, 0FFFFDFFFh
		or	eax, 200h
		jmp	short loc_7B20E8
; 

loc_7B20DD:				; CODE XREF: AlpcpDispatchReplyToPort(x)+1D4j
		or	ecx, 2000h
		and	eax, 0FFFFFDFFh

loc_7B20E8:				; CODE XREF: AlpcpDispatchReplyToPort(x)+1E1j
		and	[ebp+var_18], 0
		or	eax, 8000h
		movzx	ecx, cx
		mov	[esi+84h], cx
		xor	ecx, ecx
		mov	[esi+14h], eax
		lea	eax, [ebp+var_18]
		lock or	[eax], ecx
		mov	ecx, esi
		call	_AlpcpClearOwnerPortMessage@4 ;	AlpcpClearOwnerPortMessage(x)
		mov	edx, [ebp+var_8]
		push	ecx
		mov	ecx, esi
		call	_AlpcpSetOwnerPortMessage@12 ; AlpcpSetOwnerPortMessage(x,x,x)
		mov	ecx, [ebp+var_C]
		xor	eax, eax
		inc	eax
		lock xadd [ecx+0E8h], eax
		inc	eax
		mov	[esi+18h], eax
		mov	eax, [ecx+1Ch]
		mov	[esi+40h], eax
		call	ObfDereferenceObject
		cmp	dword ptr [esi+8], 0
		jz	short loc_7B2142
		mov	ecx, esi
		call	_AlpcpRemoveMessageFromPendingQueue@4 ;	AlpcpRemoveMessageFromPendingQueue(x)

loc_7B2142:				; CODE XREF: AlpcpDispatchReplyToPort(x)+23Fj
		mov	ebx, [ebp+var_4]
		xor	edx, edx
		lea	ecx, [ebx+0D0h]
		call	ExAcquirePushLockSharedEx
		test	[ebp+var_10], 20000h
		jz	short loc_7B2176
		mov	eax, [ebp+var_1C]
		mov	ecx, esi
		and	dword ptr [esi+14h], 0FFFFFEFFh
		add	word ptr [esi-0Eh], 2
		mov	[esi+10h], eax
		add	eax, 314h
		xchg	ecx, [eax]

loc_7B2176:				; CODE XREF: AlpcpDispatchReplyToPort(x)+25Fj
		mov	eax, [ebp+var_14]
		mov	[edi+10h], ebx
		mov	[edi+8], eax
		test	byte ptr [esi+54h], 1
		jz	short loc_7B2189
		or	dword ptr [edi+18h], 8

loc_7B2189:				; CODE XREF: AlpcpDispatchReplyToPort(x)+289j
		mov	ecx, edi
		call	AlpcpCompleteDispatchMessage
		xor	eax, eax

loc_7B2192:				; CODE XREF: AlpcpDispatchReplyToPort(x)+E2j
					; AlpcpDispatchReplyToPort(x)+12Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AlpcpDispatchReplyToPort@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall AlpcpRemoveMessageFromPendingQueue(x)
_AlpcpRemoveMessageFromPendingQueue@4 proc near
					; CODE XREF: AlpcpReturnMessageOnInsufficientBuffer(x,x,x)+7Ep
					; AlpcpReplyLegacySynchronousRequest(x,x,x)+27Bp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	edx, edx
		mov	esi, [edi+8]
		lea	ebx, [esi+70h]
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		dec	dword ptr [esi+10Ch]
		and	dword ptr [edi+14h], 0FFFFFFF8h
		and	dword ptr [edi+8], 0
		mov	ecx, [edi+4]
		mov	eax, [edi]
		mov	[ecx], eax
		mov	ecx, [edi]
		mov	eax, [edi+4]
		mov	[ecx+4], eax
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7B21E7

loc_7B21D8:				; CODE XREF: AlpcpRemoveMessageFromPendingQueue(x)+56j
		mov	ecx, ebx
		call	KeAbPostRelease
		dec	word ptr [edi-0Eh]
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7B21E7:				; CODE XREF: AlpcpRemoveMessageFromPendingQueue(x)+3Ej
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7B21D8
_AlpcpRemoveMessageFromPendingQueue@4 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpClearOwnerPortMessage(x)
_AlpcpClearOwnerPortMessage@4 proc near	; CODE XREF: AlpcpCancelMessagesByRequestor+196p
					; AlpcpReplyLegacySynchronousRequest(x,x,x)+349p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_7B220E
		test	dword ptr [esi+14h], 1000h
		jz	short loc_7B220A
		call	ObfDereferenceObject

loc_7B220A:				; CODE XREF: AlpcpClearOwnerPortMessage(x)+13j
		and	dword ptr [esi+0Ch], 0

loc_7B220E:				; CODE XREF: AlpcpClearOwnerPortMessage(x)+Aj
		pop	esi
		retn
_AlpcpClearOwnerPortMessage@4 endp


;  S U B	R O U T	I N E 


AlpcpReferenceReplyTargetPorts proc near ; CODE	XREF: AlpcpDispatchReplyToPort(x)+EDp

; FUNCTION CHUNK AT 008EBCF1 SIZE 0000001C BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		test	edi, edi
		jz	short loc_7B222A
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_7B222A:				; CODE XREF: AlpcpReferenceReplyTargetPorts+Aj
		test	esi, esi
		jz	short loc_7B223E
		mov	ecx, esi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	esi, eax

loc_7B223E:				; CODE XREF: AlpcpReferenceReplyTargetPorts+1Cj
		test	edi, edi
		jz	loc_8EBCF8
		test	esi, esi
		jz	loc_8EBCF1
		test	byte ptr [edi+0F4h], 20h
		jnz	short loc_7B2265
		test	byte ptr [esi+0F4h], 20h
		jnz	short loc_7B2265
		xor	eax, eax

loc_7B2262:				; CODE XREF: AlpcpReferenceReplyTargetPorts+139AF8j
		pop	edi
		pop	esi
		retn
; 

loc_7B2265:				; CODE XREF: AlpcpReferenceReplyTargetPorts+45j
					; AlpcpReferenceReplyTargetPorts+4Ej
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	loc_8EBCFC
AlpcpReferenceReplyTargetPorts endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpLockCommunicationInfoForReply proc	near ; CODE XREF: AlpcpDispatchReplyToPort(x)+3Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EBD0D SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	eax, [edi+0F4h]
		shr	eax, 1
		and	eax, 3
		sub	eax, 1
		jz	loc_8EBD0D
		mov	esi, [edi+8]
		lea	ecx, [esi-4]
		sub	eax, 1
		jnz	short loc_7B22BC
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+8]
		mov	edx, eax

loc_7B22A9:				; CODE XREF: AlpcpLockCommunicationInfoForReply+56j
					; AlpcpLockCommunicationInfoForReply+139AAEj
		mov	ecx, [ebp+arg_0]
		pop	edi
		mov	[ecx], eax
		mov	eax, esi
		mov	ecx, [ebp+arg_4]
		pop	esi
		pop	ebx
		mov	[ecx], edx
		pop	ebp
		retn	8
; 

loc_7B22BC:				; CODE XREF: AlpcpLockCommunicationInfoForReply+29j
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi]

loc_7B22C5:				; CODE XREF: AlpcpLockCommunicationInfoForReply+139AB4j
		mov	edx, [esi+4]
		jmp	short loc_7B22A9
AlpcpLockCommunicationInfoForReply endp


;  S U B	R O U T	I N E 


AlpcpReleaseMessageAttributesOnCancel proc near
					; CODE XREF: AlpcpCancelMessagesByRequestor+17Cp
					; AlpcpCancelMessage(x,x,x)+282p

; FUNCTION CHUNK AT 008EBD2B SIZE 00000010 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		mov	ecx, [esi+48h]
		test	ecx, ecx
		jnz	short loc_7B22FA

loc_7B22DC:				; CODE XREF: AlpcpReleaseMessageAttributesOnCancel+3Bj
		mov	ecx, [esi+4Ch]
		test	ecx, ecx
		jnz	short loc_7B231E

loc_7B22E3:				; CODE XREF: AlpcpReleaseMessageAttributesOnCancel+60j
					; AlpcpReleaseMessageAttributesOnCancel+69j
		mov	ecx, [esi+50h]
		test	ecx, ecx
		jnz	loc_8EBD2B

loc_7B22EE:				; CODE XREF: AlpcpReleaseMessageAttributesOnCancel+139A6Cj
		mov	ecx, [esi+54h]
		test	cl, 1
		jnz	short loc_7B2307

loc_7B22F6:				; CODE XREF: AlpcpReleaseMessageAttributesOnCancel+52j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7B22FA:				; CODE XREF: AlpcpReleaseMessageAttributesOnCancel+10j
		xor	edx, edx
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	[esi+48h], ebx
		jmp	short loc_7B22DC
; 

loc_7B2307:				; CODE XREF: AlpcpReleaseMessageAttributesOnCancel+2Aj
		cmp	ecx, 4
		jb	short loc_7B2319
		test	cl, 2
		jz	short loc_7B2319
		and	ecx, 0FFFFFFFCh
		call	ObfDereferenceObject

loc_7B2319:				; CODE XREF: AlpcpReleaseMessageAttributesOnCancel+40j
					; AlpcpReleaseMessageAttributesOnCancel+45j
		mov	[esi+54h], ebx
		jmp	short loc_7B22F6
; 

loc_7B231E:				; CODE XREF: AlpcpReleaseMessageAttributesOnCancel+17j
		test	edi, edi
		jnz	short loc_7B232C

loc_7B2322:				; CODE XREF: AlpcpReleaseMessageAttributesOnCancel+6Bj
		call	_AlpcpReleaseViewAttribute@4 ; AlpcpReleaseViewAttribute(x)
		mov	[esi+4Ch], ebx
		jmp	short loc_7B22E3
; 

loc_7B232C:				; CODE XREF: AlpcpReleaseMessageAttributesOnCancel+56j
		test	dword ptr [esi+14h], 4000h
		jnz	short loc_7B22E3
		jmp	short loc_7B2322
AlpcpReleaseMessageAttributesOnCancel endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall AlpcpRemoveMessagePort(x, x)
_AlpcpRemoveMessagePort@8 proc near	; CODE XREF: AlpcpCancelMessage(x,x,x)+421p
		mov	eax, [edx+14h]
		and	eax, 7
		sub	eax, 1
		jnz	short loc_7B2361
		dec	dword ptr [ecx+104h]

loc_7B2349:				; CODE XREF: AlpcpRemoveMessagePort(x,x)+2Fj
		and	dword ptr [edx+14h], 0FFFFFFF8h
		and	dword ptr [edx+8], 0
		mov	ecx, [edx+4]
		mov	eax, [edx]
		mov	[ecx], eax
		mov	ecx, [edx]
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		retn
; 

loc_7B2361:				; CODE XREF: AlpcpRemoveMessagePort(x,x)+9j
		dec	dword ptr [ecx+108h]
		jmp	short loc_7B2349
_AlpcpRemoveMessagePort@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall AlpcpReleaseViewAttribute(x)
_AlpcpReleaseViewAttribute@4 proc near	; CODE XREF: AlpcpReleaseAttributes:loc_79A80Bp
					; AlpcpReleaseMessageAttributesOnCancel:loc_7B2322p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+8]
		call	AlpcpLockForCachedReferenceBlob
		mov	ecx, [esi+8]
		dec	dword ptr [esi+28h]
		call	AlpcpUnlockBlob
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		pop	esi
		jmp	AlpcpDereferenceBlobEx
_AlpcpReleaseViewAttribute@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpInsertMessageCanceledQueue(x, x)
_AlpcpInsertMessageCanceledQueue@8 proc	near ; CODE XREF: AlpcpDisconnectPort+27Dp
					; AlpcpReturnMessageOnInsufficientBuffer(x,x,x)+41p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		xor	edx, edx
		mov	[ebp+var_4], esi
		lea	eax, [esi+5Ch]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+0E4h]
		lea	edi, [ebx+2Ch]
		add	esi, 0E0h
		mov	[edi+4], eax
		mov	[edi], esi
		mov	eax, [esi+4]
		mov	[eax], edi
		mov	eax, [ebp+var_4]
		mov	[esi+4], edi
		or	dword ptr [ebx+14h], 10000h
		mov	esi, [ebp+var_8]
		inc	dword ptr [eax+114h]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7B23F6

loc_7B23EA:				; CODE XREF: AlpcpInsertMessageCanceledQueue(x,x)+6Fj
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7B23F6:				; CODE XREF: AlpcpInsertMessageCanceledQueue(x,x)+5Aj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7B23EA
_AlpcpInsertMessageCanceledQueue@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpReleaseHandleInfo proc near		; CODE XREF: ObpDecrementHandleCount(x,x)+BFp
					; PAGE:008102F5p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008CA19F SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		call	_OBJECT_HEADER_TO_HANDLE_INFO@4	; OBJECT_HEADER_TO_HANDLE_INFO(x)
		test	byte ptr [esi+0Fh], 40h
		mov	edi, eax
		jnz	loc_8CA19F
		mov	eax, [edi]
		mov	edx, [eax]
		lea	edi, [eax+4]
		test	edx, edx
		jz	short loc_7B244D

loc_7B2428:				; CODE XREF: ObpReleaseHandleInfo+6Ej
		mov	ecx, [edi+4]
		mov	esi, ecx
		and	esi, 0FFFFFFh
		jz	short loc_7B2468
		cmp	[edi], ebx
		jnz	short loc_7B2468
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		lea	eax, [ecx-1]
		xor	eax, ecx
		and	eax, 0FFFFFFh
		xor	eax, ecx

loc_7B244A:				; CODE XREF: ObpReleaseHandleInfo+117DBBj
		mov	[edi+4], eax

loc_7B244D:				; CODE XREF: ObpReleaseHandleInfo+26j
					; ObpReleaseHandleInfo+70j
		cmp	byte ptr [edi+7], 0
		jnz	short loc_7B245C
		test	dword ptr [edi+4], 0FFFFFFh
		jz	short loc_7B2463

loc_7B245C:				; CODE XREF: ObpReleaseHandleInfo+51j
					; ObpReleaseHandleInfo+66j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7B2463:				; CODE XREF: ObpReleaseHandleInfo+5Aj
		and	dword ptr [edi], 0
		jmp	short loc_7B245C
; 

loc_7B2468:				; CODE XREF: ObpReleaseHandleInfo+33j
					; ObpReleaseHandleInfo+37j
		add	edi, 8
		sub	edx, 1
		jnz	short loc_7B2428
		jmp	short loc_7B244D
ObpReleaseHandleInfo endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpLockHandleDataBaseEntry proc	near	; CODE XREF: ObpIncrementHandleCountEx+24Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008EBD3B SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		movzx	eax, byte ptr [edi+0Eh]
		and	eax, 7
		movzx	esi, _ObpInfoMaskToOffset[eax]
		mov	eax, edi
		sub	eax, esi
		test	byte ptr [edi+0Fh], 40h
		mov	ecx, [eax]
		jz	short loc_7B24CE
		test	ecx, ecx
		jnz	short loc_7B2523
		mov	byte ptr [eax+7], 1
		and	dword ptr [eax+4], 0FF000000h
		mov	[eax], ebx
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 1

loc_7B24C3:				; CODE XREF: ObpLockHandleDataBaseEntry+9Cj
					; ObpLockHandleDataBaseEntry+D5j ...
		xor	eax, eax

loc_7B24C5:				; CODE XREF: ObpLockHandleDataBaseEntry+147j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7B24CE:				; CODE XREF: ObpLockHandleDataBaseEntry+27j
		mov	edx, [ecx]
		lea	esi, [ecx+4]
		xor	ecx, ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		test	edx, edx
		jz	loc_7B25B3

loc_7B24E6:				; CODE XREF: ObpLockHandleDataBaseEntry+79j
		mov	ecx, [esi]
		cmp	ecx, ebx
		jz	short loc_7B255A
		test	ecx, ecx
		jz	short loc_7B251E

loc_7B24F0:				; CODE XREF: ObpLockHandleDataBaseEntry+A1j
					; ObpLockHandleDataBaseEntry+1398F9j
		add	esi, 8
		sub	edx, 1
		mov	[ebp+var_C], edx
		jnz	short loc_7B24E6
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	loc_7B25AA

loc_7B2506:				; CODE XREF: ObpLockHandleDataBaseEntry+13Cj
		and	dword ptr [eax+4], 0FF000000h
		mov	ecx, [ebp+var_4]
		mov	byte ptr [eax+7], 1
		inc	ecx
		mov	[eax], ebx
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	short loc_7B24C3
; 

loc_7B251E:				; CODE XREF: ObpLockHandleDataBaseEntry+6Ej
		mov	[ebp+var_8], esi
		jmp	short loc_7B24F0
; 

loc_7B2523:				; CODE XREF: ObpLockHandleDataBaseEntry+2Bj
		cmp	ecx, ebx
		jz	short loc_7B2584

loc_7B2527:				; CODE XREF: ObpLockHandleDataBaseEntry+10Aj
		xor	esi, esi
		cmp	ecx, ebx
		jz	loc_8EBD3B

loc_7B2531:				; CODE XREF: ObpLockHandleDataBaseEntry+1398D6j
		mov	ecx, edi
		call	_ObpInsertHandleCount@4	; ObpInsertHandleCount(x)
		test	eax, eax
		jz	loc_7B25C2
		and	dword ptr [eax+4], 0FF000000h
		lea	ecx, [esi+1]
		mov	byte ptr [eax+7], 1
		mov	[eax], ebx
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	loc_7B24C3
; 

loc_7B255A:				; CODE XREF: ObpLockHandleDataBaseEntry+6Aj
		cmp	byte ptr [eax+7], 0FFh
		jnb	loc_8EBD5B
		inc	byte ptr [esi+7]
		mov	ecx, [eax+4]
		mov	eax, ecx
		shr	eax, 18h
		and	ecx, 0FFFFFFh
		add	eax, [ebp+var_4]
		add	ecx, eax
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	loc_7B24C3
; 

loc_7B2584:				; CODE XREF: ObpLockHandleDataBaseEntry+A5j
		mov	dl, [eax+7]
		cmp	dl, 0FFh
		jnb	short loc_7B2527
		inc	dl
		mov	[eax+7], dl
		mov	eax, [eax+4]
		mov	ecx, eax
		and	eax, 0FFFFFFh
		shr	ecx, 18h
		add	ecx, eax
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	loc_7B24C3
; 

loc_7B25AA:				; CODE XREF: ObpLockHandleDataBaseEntry+80j
		cmp	[ebp+var_4], 0FFFF01h
		jnb	short loc_7B25C2

loc_7B25B3:				; CODE XREF: ObpLockHandleDataBaseEntry+60j
		mov	ecx, edi
		call	_ObpInsertHandleCount@4	; ObpInsertHandleCount(x)
		test	eax, eax
		jnz	loc_7B2506

loc_7B25C2:				; CODE XREF: ObpLockHandleDataBaseEntry+BAj
					; ObpLockHandleDataBaseEntry+131j ...
		mov	eax, 0C000009Ah
		jmp	loc_7B24C5
ObpLockHandleDataBaseEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpInsertHandleCount(x)
_ObpInsertHandleCount@4	proc near	; CODE XREF: ObpLockHandleDataBaseEntry+B3p
					; ObpLockHandleDataBaseEntry+135p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	edx, ecx
		mov	[ebp+var_1C], edx
		stosd
		stosd
		call	_OBJECT_HEADER_TO_HANDLE_INFO@4	; OBJECT_HEADER_TO_HANDLE_INFO(x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_7B26AB
		xor	ebx, ebx
		inc	ebx
		test	byte ptr [edx+0Fh], 40h
		jz	short loc_7B2687
		push	2
		mov	[ebp+var_10], ebx
		lea	esi, [ebp+var_10]
		mov	eax, [ecx]
		pop	edi
		mov	[ebp+var_C], eax
		mov	eax, [ecx+4]
		push	14h
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], 0Ch
		pop	eax

loc_7B2627:				; CODE XREF: ObpInsertHandleCount(x)+D3j
		push	6448624Fh
		push	eax
		push	ebx
		mov	[ebp+var_18], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7B26AB
		push	[ebp+var_14]	; size_t
		push	esi		; void *
		push	ebx		; void *
		call	_memcpy
		mov	ecx, [ebp+var_1C]
		add	esp, 0Ch
		mov	al, [ecx+0Fh]
		test	al, 40h
		jz	short loc_7B26A1
		and	al, 0BFh
		mov	[ecx+0Fh], al

loc_7B2658:				; CODE XREF: ObpInsertHandleCount(x)+DDj
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_18]
		sub	eax, ecx
		push	eax		; size_t
		lea	esi, [ecx+ebx]
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_20]
		add	esp, 0Ch
		mov	[ebx], edi
		mov	[eax], ebx
		mov	eax, esi

loc_7B2678:				; CODE XREF: ObpInsertHandleCount(x)+E1j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7B2687:				; CODE XREF: ObpInsertHandleCount(x)+3Bj
		mov	esi, [ecx]
		mov	edi, [esi]
		lea	eax, ds:4[edi*8]
		add	edi, 4
		mov	[ebp+var_14], eax
		lea	eax, ds:4[edi*8]
		jmp	short loc_7B2627
; 

loc_7B26A1:				; CODE XREF: ObpInsertHandleCount(x)+85j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7B2658
; 

loc_7B26AB:				; CODE XREF: ObpInsertHandleCount(x)+2Ej
					; ObpInsertHandleCount(x)+6Ej
		xor	eax, eax
		jmp	short loc_7B2678
_ObpInsertHandleCount@4	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 619. FsRtlOplockBreakH

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlOplockBreakH
FsRtlOplockBreakH proc near

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008EBD7E SIZE 0000000A BYTES

		push	14h
		push	offset dword_6A2BF8
		call	__SEH_prolog4
		mov	eax, [ebp+arg_0]
		mov	edi, [eax]
		mov	[ebp+var_24], edi
		mov	eax, [ebp+arg_4]
		mov	ebx, [eax+60h]
		xor	ecx, ecx
		mov	byte ptr [ebp+arg_0+3],	cl
		mov	esi, ecx
		mov	[ebp+var_20], esi
		mov	[ebp+var_19], cl
		test	edi, edi
		jnz	short loc_7B26F3

loc_7B26DF:				; CODE XREF: FsRtlOplockBreakH+CFj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7B26F3:				; CODE XREF: FsRtlOplockBreakH+29j
		mov	[ebp+ms_exc.disabled], ecx
		mov	ecx, eax
		call	FsRtlpAttachOplockKey
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jnz	short loc_7B2777
		cmp	[ebx], al
		jnz	short loc_7B272A
		mov	eax, [ebx+4]
		test	dword ptr [eax+8], 0FFEFFE7Fh
		jz	loc_8EBD7E
		test	dword ptr [ebx+8], 10000h
		jz	short loc_7B272A
		or	[ebp+arg_8], 10000000h

loc_7B272A:				; CODE XREF: FsRtlOplockBreakH+54j
					; FsRtlOplockBreakH+6Dj ...
		mov	[ebp+var_19], 0
		cmp	byte ptr [ebp+arg_0+3],	0
		jnz	short loc_7B2740
		mov	ecx, [edi+4Ch]
		call	ExAcquireFastMutexUnsafe
		mov	byte ptr [ebp+arg_0+3],	1

loc_7B2740:				; CODE XREF: FsRtlOplockBreakH+7Ej
		lea	eax, [ebp+var_19]
		push	eax
		lea	eax, [ebp+arg_0+3]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	2000h
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		mov	edx, ebx
		mov	ecx, edi
		call	_FsRtlpOplockBreakByCacheFlags@60 ; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		cmp	[ebp+var_19], 0
		jnz	short loc_7B272A

loc_7B2777:				; CODE XREF: FsRtlOplockBreakH+50j
					; FsRtlOplockBreakH+1396CFj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7B2788
		jmp	loc_7B26DF
FsRtlOplockBreakH endp


;  S U B	R O U T	I N E 


sub_7B2788	proc near		; CODE XREF: FsRtlOplockBreakH+CAp
					; sub_8EBD88+6j
		cmp	byte ptr [ebp+0Bh], 0
		jz	short locret_7B2796
		mov	ecx, [edi+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

locret_7B2796:				; CODE XREF: sub_7B2788+4j
		retn
sub_7B2788	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspValidateCreateProcessProtection(x, x, x,	x, x)
_PspValidateCreateProcessProtection@20 proc near ; CODE	XREF: PAGE:007A30B0p
					; PAGE:007A31FAp

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		test	[ebp+arg_4], 4
		jz	short loc_7B27D0
		cmp	byte ptr [ebp+arg_0], 0
		jz	short loc_7B27D0
		test	dword ptr [edx+4], 800h
		jnz	short loc_7B27D0
		mov	al, [ecx+3A6h]
		mov	byte ptr [ebp+arg_0], al
		movzx	eax, al
		shr	eax, 4
		imul	eax, 0Ch
		test	byte ptr ds:dword_A407E4[eax], 40h
		jnz	short loc_7B27D7

loc_7B27D0:				; CODE XREF: PspValidateCreateProcessProtection(x,x,x,x,x)+Cj
					; PspValidateCreateProcessProtection(x,x,x,x,x)+12j ...
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_7B27D7:				; CODE XREF: PspValidateCreateProcessProtection(x,x,x,x,x)+36j
		push	[ebp+arg_0]
		push	[ebp+arg_8]
		call	_RtlTestProtectedAccess@8 ; RtlTestProtectedAccess(x,x)
		test	al, al
		jnz	short loc_7B27D0
		mov	esi, 0C000000Dh
		jmp	short loc_7B27D0
_PspValidateCreateProcessProtection@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspThreadOpen	proc near		; DATA XREF: PspInitPhase0+3DDo

arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008EBD93 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		push	ebx
		push	esi
		mov	edx, [edx+150h]
		push	edi
		movzx	eax, byte ptr [edx+3A6h]
		shr	eax, 4
		imul	eax, 0Ch
		mov	edi, ds:dword_A407E8[eax]
		call	_PspIsParentProcess@8 ;	PspIsParentProcess(x,x)
		test	al, al
		jnz	short loc_7B2877

loc_7B281E:				; CODE XREF: PspThreadOpen+8Cj
		mov	esi, [ebp+arg_10]
		mov	bl, [ebp+arg_4]
		test	[esi], edi
		jnz	short loc_7B2864

loc_7B2828:				; CODE XREF: PspThreadOpen+87j
		mov	eax, [ebp+arg_C]
		cmp	dword ptr [eax+37Ch], 0
		jnz	loc_8EBD93

loc_7B2838:				; CODE XREF: PspThreadOpen+1395ACj
					; PspThreadOpen+1395B4j ...
		mov	eax, [esi]
		test	al, 40h
		jz	short loc_7B2845
		or	eax, 800h
		mov	[esi], eax

loc_7B2845:				; CODE XREF: PspThreadOpen+4Ej
		test	al, 20h
		jz	short loc_7B2850
		or	eax, 400h
		mov	[esi], eax

loc_7B2850:				; CODE XREF: PspThreadOpen+59j
		test	al, 2
		jz	short loc_7B285B
		or	eax, 1000h
		mov	[esi], eax

loc_7B285B:				; CODE XREF: PspThreadOpen+64j
		xor	eax, eax

loc_7B285D:				; CODE XREF: PspThreadOpen+93j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
; 

loc_7B2864:				; CODE XREF: PspThreadOpen+38j
		push	edx
		mov	edx, ecx
		mov	cl, bl
		call	_PsTestProtectedProcessIncompatibility@12 ; PsTestProtectedProcessIncompatibility(x,x,x)
		test	al, al
		jnz	short loc_7B287C
		mov	ecx, [ebp+arg_8]
		jmp	short loc_7B2828
; 

loc_7B2877:				; CODE XREF: PspThreadOpen+2Ej
		and	edi, 0FFFFFFFEh
		jmp	short loc_7B281E
; 

loc_7B287C:				; CODE XREF: PspThreadOpen+82j
					; PspThreadOpen+1395C9j
		mov	eax, 0C0000022h
		jmp	short loc_7B285D
PspThreadOpen	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspProcessOpen(x, x, x, x, x, x)
_PspProcessOpen@24 proc	near		; DATA XREF: PspInitPhase0+339o

arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		mov	edx, edi
		movzx	eax, byte ptr [edi+3A6h]
		shr	eax, 4
		lea	eax, [eax+eax*2]
		mov	ebx, ds:dword_A407E4[eax*4]
		call	_PspIsParentProcess@8 ;	PspIsParentProcess(x,x)
		test	al, al
		jz	short loc_7B28C0
		and	ebx, 0FFFFFFFEh

loc_7B28C0:				; CODE XREF: PspProcessOpen(x,x,x,x,x,x)+2Bj
		mov	esi, [ebp+arg_10]
		test	[esi], ebx
		mov	bl, [ebp+arg_4]
		jz	short loc_7B28DB
		mov	edx, ecx
		mov	cl, bl
		push	edi
		call	_PsTestProtectedProcessIncompatibility@12 ; PsTestProtectedProcessIncompatibility(x,x,x)
		test	al, al
		jnz	short loc_7B2914
		mov	ecx, [ebp+arg_8]

loc_7B28DB:				; CODE XREF: PspProcessOpen(x,x,x,x,x,x)+38j
		cmp	dword ptr [edi+3D4h], 0
		jz	short loc_7B28FC
		cmp	dword ptr [ecx+3D4h], 0
		jnz	short loc_7B28FC
		test	bl, bl
		jz	short loc_7B28FC
		mov	eax, dword_6BEE04
		not	eax
		test	[esi], eax
		jnz	short loc_7B2914

loc_7B28FC:				; CODE XREF: PspProcessOpen(x,x,x,x,x,x)+52j
					; PspProcessOpen(x,x,x,x,x,x)+5Bj ...
		mov	edx, [esi]
		test	dl, 1
		jz	short loc_7B2920
		cmp	bl, 1
		jnz	short loc_7B2920
		test	dword ptr [edi+3A8h], 8000000h
		jz	short loc_7B2920

loc_7B2914:				; CODE XREF: PspProcessOpen(x,x,x,x,x,x)+46j
					; PspProcessOpen(x,x,x,x,x,x)+6Aj
		pop	edi
		pop	esi
		mov	eax, 0C0000022h
		pop	ebx
		pop	ebp
		retn	18h
; 

loc_7B2920:				; CODE XREF: PspProcessOpen(x,x,x,x,x,x)+71j
					; PspProcessOpen(x,x,x,x,x,x)+76j ...
		mov	eax, edx
		and	eax, 28h
		cmp	al, 28h
		setnz	cl
		bt	edx, 0Ah
		setnb	al
		test	cl, al
		jnz	short loc_7B293D
		or	edx, 1000h
		mov	[esi], edx

loc_7B293D:				; CODE XREF: PspProcessOpen(x,x,x,x,x,x)+A3j
		test	edx, 200h
		jz	short loc_7B294D
		or	edx, 2000h
		mov	[esi], edx

loc_7B294D:				; CODE XREF: PspProcessOpen(x,x,x,x,x,x)+B3j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	18h
_PspProcessOpen@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsTestProtectedProcessIncompatibility(x, x,	x)
_PsTestProtectedProcessIncompatibility@12 proc near ; CODE XREF: PAGE:007A3469p
					; PspThreadOpen+7Bp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		cmp	esi, edi
		jnz	short loc_7B296F

loc_7B2967:				; CODE XREF: PsTestProtectedProcessIncompatibility(x,x,x)+38j
					; PsTestProtectedProcessIncompatibility(x,x,x)+49j
		xor	al, al

loc_7B2969:				; CODE XREF: PsTestProtectedProcessIncompatibility(x,x,x)+4Dj
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_7B296F:				; CODE XREF: PsTestProtectedProcessIncompatibility(x,x,x)+Fj
		mov	al, [esi+3A6h]
		mov	byte ptr [ebp+var_4], al
		mov	al, [edi+3A6h]
		mov	byte ptr [ebp+arg_0], al
		push	[ebp+arg_0]
		push	[ebp+var_4]
		call	_PspCheckForInvalidAccessByProtection@12 ; PspCheckForInvalidAccessByProtection(x,x,x)
		test	al, al
		jz	short loc_7B2967
		mov	eax, dword_6BEA80
		test	eax, eax
		jz	short loc_7B29A1
		push	edi
		push	esi
		call	eax
		test	al, al
		jnz	short loc_7B2967

loc_7B29A1:				; CODE XREF: PsTestProtectedProcessIncompatibility(x,x,x)+41j
		mov	al, 1
		jmp	short loc_7B2969
_PsTestProtectedProcessIncompatibility@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCheckForInvalidAccessByProtection(x, x, x)
_PspCheckForInvalidAccessByProtection@12 proc near ; CODE XREF:	PAGE:007A30F2p
					; PsTestProtectedProcessIncompatibility(x,x,x)+31p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	cl, cl
		jnz	short loc_7B29B5

loc_7B29AF:				; CODE XREF: PspCheckForInvalidAccessByProtection(x,x,x)+1Cj
		xor	al, al

loc_7B29B1:				; CODE XREF: PspCheckForInvalidAccessByProtection(x,x,x)+20j
		pop	ebp
		retn	8
; 

loc_7B29B5:				; CODE XREF: PspCheckForInvalidAccessByProtection(x,x,x)+7j
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_RtlTestProtectedAccess@8 ; RtlTestProtectedAccess(x,x)
		test	al, al
		jnz	short loc_7B29AF
		inc	al
		jmp	short loc_7B29B1
_PspCheckForInvalidAccessByProtection@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTestProtectedAccess(x, x)
_RtlTestProtectedAccess@8 proc near	; CODE XREF: PspValidateCreateProcessProtection(x,x,x,x,x)+45p
					; PspCheckForInvalidAccessByProtection(x,x,x)+15p ...

arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [ebp+arg_4]
		push	ebx
		mov	bl, al
		and	bl, 7
		jnz	short loc_7B29DF

loc_7B29D8:				; CODE XREF: RtlTestProtectedAccess(x,x)+45j
		mov	al, 1

loc_7B29DA:				; CODE XREF: RtlTestProtectedAccess(x,x)+25j
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7B29DF:				; CODE XREF: RtlTestProtectedAccess(x,x)+Ej
		mov	dl, [ebp+arg_0]
		mov	cl, dl
		and	cl, 7
		cmp	cl, bl
		jnb	short loc_7B29EF

loc_7B29EB:				; CODE XREF: RtlTestProtectedAccess(x,x)+43j
		xor	al, al
		jmp	short loc_7B29DA
; 

loc_7B29EF:				; CODE XREF: RtlTestProtectedAccess(x,x)+21j
		movzx	ecx, al
		movzx	eax, dl
		shr	eax, 4
		push	esi
		xor	esi, esi
		imul	eax, 0Ch
		inc	esi
		shr	ecx, 4
		shl	esi, cl
		test	ds:_RtlProtectedAccess[eax], esi
		pop	esi
		jz	short loc_7B29EB
		jmp	short loc_7B29D8
_RtlTestProtectedAccess@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFindSubKeyByNameWithStatus proc near	; CODE XREF: CmpFindPathByNameEx(x,x,x,x,x,x)+1D0p
					; CmpMarkCurrentValueDirty(x,x)+32p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EBDBC SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], 0FFFFFFFFh
		mov	dword ptr [eax], 0FFFFFFFFh
		mov	ebx, 0C0000034h
		xor	eax, eax
		mov	[ebp+var_10], 0
		push	edi
		mov	[ebp+var_4], 0
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], eax
		cmp	[esi+98h], eax
		jbe	short loc_7B2ABF
		lea	edi, [edx+1Ch]

loc_7B2A57:				; CODE XREF: CmpFindSubKeyByNameWithStatus+D4j
		cmp	dword ptr [edi-8], 0
		jz	short loc_7B2AD7
		mov	eax, [edi]
		lea	ecx, [ebp+var_14]
		push	ecx
		push	eax
		mov	eax, [esi+4]
		push	esi
		call	eax
		test	eax, eax
		jz	loc_8EBDBC
		mov	ecx, 6972h
		cmp	[eax], cx
		jz	loc_7B2B0F

loc_7B2A80:				; CODE XREF: CmpFindSubKeyByNameWithStatus+138j
		mov	ecx, 686Ch
		mov	edx, eax
		cmp	[eax], cx
		jz	short loc_7B2AFF
		lea	ecx, [ebp+var_C]
		push	ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	0
		push	[ebp+arg_0]
		mov	ecx, esi
		call	_CmpFindSubKeyInLeafWithStatus@24 ; CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)

loc_7B2AA0:				; CODE XREF: CmpFindSubKeyByNameWithStatus+FDj
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7B2AF5

loc_7B2AA6:				; CODE XREF: CmpFindSubKeyByNameWithStatus+EBj
		mov	eax, [ebp+var_4]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_7B2ACA
		mov	ecx, [ebp+arg_4]
		xor	ebx, ebx
		mov	[ecx], eax

loc_7B2AB5:				; CODE XREF: CmpFindSubKeyByNameWithStatus+EDj
					; CmpFindSubKeyByNameWithStatus+1393BBj
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, [esi+8]
		push	esi
		call	eax

loc_7B2ABF:				; CODE XREF: CmpFindSubKeyByNameWithStatus+42j
		mov	eax, ebx

loc_7B2AC1:				; CODE XREF: CmpFindSubKeyByNameWithStatus+1393B1j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7B2ACA:				; CODE XREF: CmpFindSubKeyByNameWithStatus+9Cj
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, [esi+8]
		push	esi
		call	eax

loc_7B2AD4:				; CODE XREF: CmpFindSubKeyByNameWithStatus+129j
		mov	eax, [ebp+var_8]

loc_7B2AD7:				; CODE XREF: CmpFindSubKeyByNameWithStatus+4Bj
		inc	eax
		add	edi, 4
		mov	[ebp+var_8], eax
		cmp	eax, [esi+98h]
		jb	loc_7B2A57
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7B2AF5:				; CODE XREF: CmpFindSubKeyByNameWithStatus+94j
		cmp	ebx, 0C0000034h
		jz	short loc_7B2AA6
		jmp	short loc_7B2AB5
; 

loc_7B2AFF:				; CODE XREF: CmpFindSubKeyByNameWithStatus+7Aj
		lea	ecx, [ebp+var_4]
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, esi
		call	_CmpFindSubKeyByHashWithStatus@16 ; CmpFindSubKeyByHashWithStatus(x,x,x,x)
		jmp	short loc_7B2AA0
; 

loc_7B2B0F:				; CODE XREF: CmpFindSubKeyByNameWithStatus+6Aj
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx
		push	0
		push	[ebp+arg_0]
		mov	ecx, esi
		call	_CmpFindSubKeyInRoot@20	; CmpFindSubKeyInRoot(x,x,x,x,x)
		test	eax, eax
		js	loc_8EBDC6
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, [esi+8]
		push	esi
		call	eax
		mov	eax, [ebp+var_4]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_7B2AD4
		lea	ecx, [ebp+var_14]
		push	ecx
		push	eax
		mov	eax, [esi+4]
		push	esi
		call	eax
		test	eax, eax
		jnz	loc_7B2A80
		jmp	loc_8EBDBC
CmpFindSubKeyByNameWithStatus endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindSubKeyByHashWithStatus(x, x,	x, x)
_CmpFindSubKeyByHashWithStatus@16 proc near ; CODE XREF: CmpFindSubKeyByNameWithStatus+F8p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	[ebp+var_4], ecx
		mov	ebx, edx
		mov	ecx, [ebp+arg_0]
		push	edi
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)
		mov	esi, eax
		xor	edi, edi
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 0FFFFFFFFh
		xor	eax, eax
		cmp	ax, [ebx+2]
		jnb	short loc_7B2BA3
		lea	ecx, [ecx+0]

loc_7B2B90:				; CODE XREF: CmpFindSubKeyByHashWithStatus(x,x,x,x)+41j
		movzx	eax, di
		mov	[ebp+var_8], eax
		cmp	esi, [ebx+eax*8+8]
		jz	short loc_7B2BB1

loc_7B2B9C:				; CODE XREF: CmpFindSubKeyByHashWithStatus(x,x,x,x)+6Aj
		inc	edi
		cmp	di, [ebx+2]
		jb	short loc_7B2B90

loc_7B2BA3:				; CODE XREF: CmpFindSubKeyByHashWithStatus(x,x,x,x)+2Bj
		mov	eax, 0C0000034h

loc_7B2BA8:				; CODE XREF: CmpFindSubKeyByHashWithStatus(x,x,x,x)+88j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7B2BB1:				; CODE XREF: CmpFindSubKeyByHashWithStatus(x,x,x,x)+3Aj
		mov	eax, [ebx+eax*8+4]
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		push	eax
		push	0
		call	_CmpDoCompareKeyName@16	; CmpDoCompareKeyName(x,x,x,x)
		cmp	eax, 2
		jz	short loc_7B2BE3
		test	eax, eax
		jnz	short loc_7B2B9C
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+arg_4]
		pop	edi
		pop	esi
		mov	eax, [ebx+eax*8+4]
		mov	[ecx], eax
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7B2BE3:				; CODE XREF: CmpFindSubKeyByHashWithStatus(x,x,x,x)+66j
		mov	eax, 0C000009Ah
		jmp	short loc_7B2BA8
_CmpFindSubKeyByHashWithStatus@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpReleaseCellFlat(x, x)
_HvpReleaseCellFlat@8 proc near		; DATA XREF: HvHiveStartMemoryBacked+39Bo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		and	dword ptr [eax+4], 0
		or	dword ptr [eax], 0FFFFFFFFh
		pop	ebp
		retn	8
_HvpReleaseCellFlat@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAlpcOpenSenderThread proc near	; DATA XREF: .text:00581208o

var_60		= dword	ptr -60h
var_48		= dword	ptr -48h
Source2		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008EBDD0 SIZE 00000015 BYTES
; FUNCTION CHUNK AT 008EBE06 SIZE 0000007A BYTES

		push	50h
		push	offset dword_6A2C38
		call	__SEH_prolog4
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_48]
		rep stosd
		xor	edi, edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_24], bl
		mov	eax, ds:_AlpcPortObjectType
		mov	[ebp+var_1C], edi
		push	edi
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	20000h
		push	[ebp+arg_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7B2D69
		test	bl, bl
		jz	loc_8EBE06
		mov	[ebp+ms_exc.disabled], edi
		mov	ebx, [ebp+arg_0]
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8EBDD0

loc_7B2C80:				; CODE XREF: NtAlpcOpenSenderThread+1391D2j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	esi, [ebp+arg_8]
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8EBDD7

loc_7B2C94:				; CODE XREF: NtAlpcOpenSenderThread+1391D9j
		push	6
		pop	ecx
		lea	edi, [ebp+var_48]
		rep movsd
		nop
		mov	esi, [ebp+arg_14]
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8EBDDE

loc_7B2CAD:				; CODE XREF: NtAlpcOpenSenderThread+1391E0j
		push	6
		pop	ecx
		lea	edi, [ebp+var_60]
		rep movsd
		nop
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7B2CBD:				; CODE XREF: NtAlpcOpenSenderThread+13921Fj
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		push	[ebp+var_34]
		mov	edx, [ebp+var_38]
		mov	edi, [ebp+var_1C]
		mov	ecx, edi
		call	AlpcpLookupMessage
		mov	esi, eax
		test	esi, esi
		js	loc_8EBE24
		mov	esi, [ebp+var_20]
		test	byte ptr [esi+14h], 80h
		jnz	loc_8EBE30
		mov	eax, [esi+10h]
		mov	[ebp+arg_8], eax
		test	eax, eax
		jz	loc_8EBE58
		push	8		; Length
		lea	ecx, [ebp+Source2]
		push	ecx		; Source2
		add	eax, 2ACh
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 8
		jnz	loc_8EBE58
		mov	ecx, [ebp+arg_8]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	short loc_7B2D89

loc_7B2D22:				; CODE XREF: NtAlpcOpenSenderThread+190j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		push	[ebp+var_24]
		push	0
		lea	eax, [ebp+Source2]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		mov	edx, [ebp+arg_10]
		lea	ecx, [ebp+var_28]
		call	PsOpenThread
		mov	esi, eax
		mov	ecx, [ebp+arg_8]
		call	ObfDereferenceObject
		mov	ecx, edi
		call	ObfDereferenceObject
		test	esi, esi
		js	short loc_7B2D69
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_28]
		mov	[ebx], eax

loc_7B2D62:				; CODE XREF: sub_8EBDF3+Ej
					; sub_8EBE8E+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7B2D69:				; CODE XREF: NtAlpcOpenSenderThread+5Dj
					; NtAlpcOpenSenderThread+154j ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7B2D89:				; CODE XREF: NtAlpcOpenSenderThread+120j
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	short loc_7B2D22
NtAlpcOpenSenderThread endp

; 
		align 8
; Exported entry 1543. NtOpenThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtOpenThread(x, x, x, x)
		public _NtOpenThread@16
_NtOpenThread@16 proc near		; DATA XREF: .text:00580F04o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_4], al
		push	[ebp+var_4]
		push	[ebp+var_4]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	PsOpenThread
		leave
		retn	10h
_NtOpenThread@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsOpenThread	proc near		; CODE XREF: NtAlpcOpenSenderThread+13Cp
					; NtOpenThread(x,x,x,x)+27p

var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= byte ptr -1F4h
var_1F1		= byte ptr -1F1h
var_1F0		= dword	ptr -1F0h
var_128		= dword	ptr -128h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_10C		= dword	ptr -10Ch
var_B0		= dword	ptr -0B0h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008EBE99 SIZE 00000022 BYTES
; FUNCTION CHUNK AT 008EBEEF SIZE 00000165 BYTES
; FUNCTION CHUNK AT 008EC065 SIZE 0000003A BYTES

		push	228h
		push	offset dword_6A2C60
		call	__SEH_prolog4_GS
		mov	edi, edx
		mov	[ebp+var_214], edi
		mov	ebx, ecx
		mov	[ebp+var_21C], ebx
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_20C], esi
		xor	eax, eax
		mov	[ebp+var_210], eax
		mov	[ebp+var_1F8], eax
		mov	[ebp+var_200], eax
		mov	[ebp+var_1FC], eax
		push	74h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_128]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	0C4h		; size_t
		push	0		; int
		lea	eax, [ebp+var_1F0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[ebp+var_208], ecx
		cmp	[ebp+arg_8], cl
		jz	loc_7B3083
		mov	[ebp+ms_exc.disabled], ecx
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8EBE99

loc_7B2E55:				; CODE XREF: PsOpenThread+1390D3j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ebx, [ebp+arg_0]
		mov	ecx, ebx
		test	bl, 3
		jnz	loc_7B30D5
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8EBEA0

loc_7B2E74:				; CODE XREF: PsOpenThread+1390DAj
		nop
		mov	al, [ecx]
		cmp	dword ptr [ebx+8], 0
		setnz	dl
		mov	[ebp+var_1F1], dl
		mov	ebx, [ebx+0Ch]
		and	ebx, 1DF2h
		mov	[ebp+var_204], ebx
		mov	ecx, [ebp+var_20C]
		test	ecx, ecx
		jz	loc_8EBEAE
		mov	edx, ecx
		test	cl, 3
		jnz	loc_7B30D5
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8EBEA7

loc_7B2EB9:				; CODE XREF: PsOpenThread+1390E1j
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	[ebp+var_200], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_1FC], eax
		mov	al, 1
		mov	[ebp-1F2h], al
		mov	dl, [ebp+var_1F1]
		mov	ebx, [ebp+var_204]

loc_7B2EE1:				; CODE XREF: PsOpenThread+1390EEj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7B2EE8:				; CODE XREF: PsOpenThread+2F9j
					; PsOpenThread+314j
		test	dl, dl
		jnz	loc_8EC095
		test	al, al
		jz	loc_8EC095
		and	ebx, 400h

loc_7B2EFE:				; CODE XREF: PsOpenThread+1392C8j
		mov	ecx, ds:_PsThreadType
		add	ecx, 34h
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	edx, large fs:124h
		push	ecx		; int
		push	edi		; int
		lea	ecx, [ebp+var_1F0]
		push	ecx		; void *
		lea	ecx, [ebp+var_128]
		push	ecx		; void *
		push	eax		; int
		push	edx		; int
		call	_SeCreateAccessStateEx@24 ; SeCreateAccessStateEx(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7B303F
		test	ebx, ebx
		jnz	loc_8EBEEF

loc_7B2F43:				; CODE XREF: PsOpenThread+13912Ej
		mov	eax, [ebp+arg_C]
		mov	byte ptr [ebp+var_20C],	al

loc_7B2F4C:				; CODE XREF: PsOpenThread+13913Bj
		push	[ebp+var_20C]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	short loc_7B2F85
		mov	eax, [ebp+var_118]
		test	eax, 2000000h
		jnz	loc_7B30C6
		or	[ebp+var_114], eax

loc_7B2F7E:				; CODE XREF: PsOpenThread+308j
		and	[ebp+var_118], 0

loc_7B2F85:				; CODE XREF: PsOpenThread+19Dj
		lea	eax, [ebp+var_1F8]
		push	eax
		cmp	[ebp+var_200], 0
		jnz	loc_7B3066
		push	[ebp+var_1FC]
		call	_PsLookupThreadByThreadId@8 ; PsLookupThreadByThreadId(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8EBF08
		mov	eax, [ebp+var_1F8]
		mov	eax, [eax+2ACh]
		mov	[ebp+var_200], eax

loc_7B2FC0:				; CODE XREF: PsOpenThread+2B0j
		lea	eax, [ebp+var_210]
		push	eax
		push	[ebp+arg_C]
		push	ds:_PsThreadType
		push	0
		lea	eax, [ebp+var_128]
		push	eax
		push	[ebp+var_204]
		push	[ebp+var_1F8]
		call	ObOpenObjectByPointer
		mov	esi, eax
		lea	ecx, [ebp+var_128]
		call	SepDeleteAccessState
		lea	eax, [ebp+var_10C]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [ebp+var_1F8]
		call	ObfDereferenceObject
		test	esi, esi
		js	loc_8EC065
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_210]
		mov	ecx, [ebp+var_21C]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_208], 0
		jnz	loc_8EBF24

loc_7B303F:				; CODE XREF: PsOpenThread+16Dj
					; sub_8EBECC+1Ej ...
		push	esi
		push	edi
		mov	edx, [ebp+var_1FC]
		mov	ecx, [ebp+var_200]
		call	_PspLogAuditOpenThreadEvent@16 ; PspLogAuditOpenThreadEvent(x,x,x,x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7B3066:				; CODE XREF: PsOpenThread+1CBj
		push	0
		lea	eax, [ebp+var_200]
		push	eax
		call	PsLookupProcessThreadByCid
		mov	esi, eax
		test	esi, esi
		jns	loc_7B2FC0
		jmp	loc_8EBF08
; 

loc_7B3083:				; CODE XREF: PsOpenThread+75j
		mov	eax, [ebp+arg_0]
		cmp	[eax+8], ecx
		setnz	dl
		xor	ebx, ebx
		cmp	byte ptr [ebp+arg_C], cl
		setz	bl
		dec	ebx
		and	ebx, 0FFFEFE00h
		add	ebx, 11FF2h
		and	ebx, [eax+0Ch]
		mov	[ebp+var_204], ebx
		test	esi, esi
		jz	short loc_7B30DA
		mov	eax, [esi]
		mov	[ebp+var_200], eax
		mov	eax, [esi+4]
		mov	[ebp+var_1FC], eax
		mov	al, 1
		jmp	loc_7B2EE8
; 

loc_7B30C6:				; CODE XREF: PsOpenThread+1AAj
		or	[ebp+var_114], 1FFFFFh
		jmp	loc_7B2F7E
; 

loc_7B30D5:				; CODE XREF: PsOpenThread+99j
					; PsOpenThread+DEj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7B30DA:				; CODE XREF: PsOpenThread+2E4j
		mov	al, cl
		jmp	loc_7B2EE8
PsOpenThread	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspLogAuditOpenThreadEvent(x, x, x,	x)
_PspLogAuditOpenThreadEvent@16 proc near ; CODE	XREF: PsOpenThread+285p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		mov	[ebp+var_4C], edx
		xor	edx, edx
		push	edx
		push	offset _KERNEL_AUDIT_API_OPENTHREAD
		push	dword_6BC5D4
		mov	[ebp+var_40], edx
		push	_EtwApiCallsProvRegHandle
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PspLogAuditOpenThreadEvent@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1865. PsLookupProcessThreadByCid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsLookupProcessThreadByCid
PsLookupProcessThreadByCid proc	near	; CODE XREF: PsOpenThread+2A7p
					; PAGE:007B3F70p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EC09F SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	eax
		push	dword ptr [esi+4]
		call	_PsLookupThreadByThreadId@8 ; PsLookupThreadByThreadId(x,x)
		test	eax, eax
		js	short loc_7B31BE
		mov	edi, [ebp+var_4]
		mov	eax, [edi+2ACh]
		cmp	eax, [esi]
		jnz	loc_8EC09F
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_7B31B7
		mov	esi, [edi+150h]
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	[ebx], esi

loc_7B31B7:				; CODE XREF: PsLookupProcessThreadByCid+37j
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		xor	eax, eax

loc_7B31BE:				; CODE XREF: PsLookupProcessThreadByCid+1Fj
					; PsLookupProcessThreadByCid+138F41j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
PsLookupProcessThreadByCid endp

; 
		align 2

; __stdcall NtSetSystemInformation(x, x, x)
_NtSetSystemInformation@12:		; CODE XREF: WmipRegisterFirmwareProviders()+34p
					; WmipRegisterFirmwareProviders()+64p
					; DATA XREF: ...
		push	19Ch
		push	offset dword_6A2C88
		call	__SEH_prolog4_GS
		mov	edx, [ebp+0Ch]
		mov	[ebp-50h], edx
		xor	ebx, ebx
		mov	[ebp-88h], ebx
		mov	[ebp-55h], bl
		mov	[ebp-68h], ebx
		mov	[ebp-64h], ebx
		mov	[ebp-70h], ebx
		mov	[ebp-98h], ebx
		mov	[ebp-60h], ebx
		mov	[ebp-78h], ebx
		mov	[ebp-94h], ebx
		mov	[ebp-80h], ebx
		mov	[ebp-7Ch], ebx
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp-48h]
		rep stosd
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-49h], al
		mov	[ebp-54h], al
		mov	edi, [ebp+8]
		test	al, al
		jz	short loc_7B3283
		cmp	edi, 59h
		jnz	short loc_7B3234
		xor	eax, eax
		inc	eax
		jmp	short loc_7B3237
; 

loc_7B3234:				; CODE XREF: PAGE:007B322Dj
		push	3
		pop	eax

loc_7B3237:				; CODE XREF: PAGE:007B3232j
		mov	[ebp-4], ebx
		mov	ecx, [ebp+10h]
		mov	[ebp-5Ch], ecx
		test	ecx, ecx
		jz	short loc_7B325F
		test	edx, eax
		jnz	loc_7B4BB9
		lea	eax, [edx+ecx]
		mov	esi, ds:_MmUserProbeAddress
		cmp	eax, esi
		ja	short loc_7B325D
		cmp	eax, edx
		jnb	short loc_7B325F

loc_7B325D:				; CODE XREF: PAGE:007B3257j
		mov	[esi], bl

loc_7B325F:				; CODE XREF: PAGE:007B3242j
					; PAGE:007B325Bj
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp-4], esi
		jmp	short loc_7B328C
; 

loc_7B3267:				; DATA XREF: .text:006A2C9Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A4h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7B3278:				; DATA XREF: .text:006A2CA0o
		mov	eax, [ebp-0A4h]
		jmp	loc_7B3728
; 

loc_7B3283:				; CODE XREF: PAGE:007B3228j
		push	0FFFFFFFEh
		pop	esi
		mov	ecx, [ebp+10h]
		mov	[ebp-5Ch], ecx

loc_7B328C:				; CODE XREF: PAGE:007B3265j
		lea	eax, [edi-9]
		cmp	eax, 0D8h
		ja	loc_7B4BA0
		movzx	eax, ds:byte_7B4CD6[eax]
		jmp	ds:off_7B4BBE[eax*4]

loc_7B32A8:				; DATA XREF: PAGE:off_7B4BBEo
		cmp	ecx, 4
		jnz	loc_7B4619
		push	dword ptr [ebp-54h]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_7B32D3

loc_7B32C9:				; CODE XREF: PAGE:007B40AFj
					; PAGE:007B416Fj
		mov	ebx, 0C0000022h
		jmp	loc_7B4BA5
; 

loc_7B32D3:				; CODE XREF: PAGE:007B32C7j
		mov	dword ptr [ebp-4], 1
		mov	edi, [ebp-50h]
		mov	eax, [edi]
		xor	eax, _NtGlobalFlag
		and	eax, 6DCE640Fh
		xor	eax, [edi]
		mov	_NtGlobalFlag, eax

loc_7B32F1:				; CODE XREF: PAGE:007B3371j
		mov	[edi], eax

loc_7B32F3:				; CODE XREF: PAGE:007B3A76j
					; PAGE:007B43DDj
		mov	[ebp-4], esi
		jmp	loc_7B4BA5
; 

loc_7B32FB:				; DATA XREF: .text:006A2CA8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B330E:				; DATA XREF: .text:006A2CACo
		mov	ebx, [ebp-0A8h]

loc_7B3314:				; CODE XREF: PAGE:007B3A92j
		mov	esp, [ebp-18h]

loc_7B3317:				; CODE XREF: PAGE:007B44A9j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7B4BA5
; 

loc_7B3323:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4CC6o
		cmp	ecx, 4
		jnz	loc_7B4B75
		push	dword ptr [ebp-54h]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B4769
		xor	ecx, ecx
		mov	[ebp-0ACh], ecx
		mov	dword ptr [ebp-4], 2
		mov	edi, [ebp-50h]
		mov	eax, [edi]
		mov	[ebp-0ACh], eax
		mov	[ebp-4], esi
		mov	_NtGlobalFlag2,	eax
		mov	dword ptr [ebp-4], 3
		jmp	loc_7B32F1
; 

loc_7B3376:				; DATA XREF: .text:006A2CC0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B3389:				; DATA XREF: .text:006A2CC4o
		mov	eax, [ebp-0B0h]
		jmp	loc_7B3728
; 

loc_7B3394:				; DATA XREF: .text:006A2CB4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B33A7:				; DATA XREF: .text:006A2CB8o
		mov	eax, [ebp-0B4h]
		jmp	loc_7B3728
; 

loc_7B33B2:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4CC2o
		cmp	ecx, 8
		jnz	loc_7B4B75
		cmp	byte ptr [ebp-49h], 0
		jz	short loc_7B33DD
		push	dword ptr [ebp-54h]
		push	ds:dword_A94C94
		push	ds:_SeSystemtimePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A

loc_7B33DD:				; CODE XREF: PAGE:007B33BFj
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_7B4769
		mov	dword ptr [ebp-4], 4
		mov	edi, [ebp-50h]
		mov	eax, [edi]
		mov	[ebp-48h], eax
		mov	eax, [edi+4]
		mov	[ebp-44h], eax
		mov	[ebp-4], esi
		cmp	byte ptr [ebp-48h], 0
		setnz	cl
		mov	[ebp-55h], cl
		call	_ExSetLeapSecondEnabled@4 ; ExSetLeapSecondEnabled(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7B4BA5
		mov	cl, [ebp-55h]
		mov	eax, _ExLeapSecondData
		mov	[eax], cl
		jmp	loc_7B4BA5
; 

loc_7B342A:				; DATA XREF: .text:006A2CCCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B343D:				; DATA XREF: .text:006A2CD0o
		mov	eax, [ebp-0B8h]
		jmp	loc_7B3728
; 

loc_7B3448:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BD2o
		cmp	ecx, 8
		jz	short loc_7B3456
		cmp	ecx, 10h
		jnz	loc_7B4B75

loc_7B3456:				; CODE XREF: PAGE:007B344Bj
		cmp	byte ptr [ebp-49h], 0
		jz	short loc_7B3478
		push	dword ptr [ebp-54h]
		push	ds:dword_A94C94
		push	ds:_SeSystemtimePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A

loc_7B3478:				; CODE XREF: PAGE:007B345Aj
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_7B4769
		mov	dword ptr [ebp-4], 5
		mov	edi, [ebp-50h]
		cmp	dword ptr [ebp-5Ch], 10h
		jnz	short loc_7B34A8
		mov	cl, [edi+8]
		mov	[ebp-55h], cl
		mov	eax, [edi]
		mov	[ebp-80h], eax
		mov	eax, [edi+4]
		mov	[ebp-7Ch], eax
		jmp	short loc_7B34ED
; 

loc_7B34A8:				; CODE XREF: PAGE:007B3493j
		mov	cl, [edi+4]
		mov	[ebp-49h], cl
		mov	[ebp-55h], cl
		mov	edi, [edi]
		mov	[ebp-80h], edi
		xor	ebx, ebx
		mov	[ebp-7Ch], ebx
		mov	eax, edi
		or	eax, ebx
		jz	short loc_7B34ED
		mov	eax, ds:0FFDF0304h
		mul	ds:_KeMaximumIncrement
		mov	esi, eax
		mov	eax, ds:0FFDF0300h
		mul	ds:_KeMaximumIncrement
		add	esi, edx
		push	ebx
		push	edi
		push	esi
		push	eax
		call	__aulldiv
		mov	[ebp-80h], eax
		mov	[ebp-7Ch], edx
		mov	cl, [ebp-49h]

loc_7B34ED:				; CODE XREF: PAGE:007B34A6j
					; PAGE:007B34BFj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	cl, cl
		jz	short loc_7B3508
		mov	eax, ds:0FFDF0300h
		mov	[ebp-80h], eax
		mov	eax, ds:0FFDF0304h
		mov	[ebp-7Ch], eax

loc_7B3508:				; CODE XREF: PAGE:007B34F6j
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		lea	eax, [ebp-55h]
		push	eax
		lea	edx, [ebp-80h]
		xor	ecx, ecx
		call	_ExpUpdateTimerConfiguration@12	; ExpUpdateTimerConfiguration(x,x,x)
		mov	ebx, eax
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()
		jmp	loc_7B4BA5
; 

loc_7B3529:				; DATA XREF: .text:006A2CD8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0BCh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B353C:				; DATA XREF: .text:006A2CDCo
		mov	eax, [ebp-0BCh]
		jmp	loc_7B3728
; 

loc_7B3547:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BF2o
		cmp	ecx, 4
		jnz	loc_7B4B75
		cmp	byte ptr [ebp-49h], 0
		jz	short loc_7B3572
		push	dword ptr [ebp-54h]
		push	ds:dword_A94C94
		push	ds:_SeSystemtimePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A

loc_7B3572:				; CODE XREF: PAGE:007B3554j
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_7B4769
		mov	dword ptr [ebp-4], 6
		mov	edi, [ebp-50h]
		mov	edx, [edi]
		mov	[ebp-0F4h], edx
		mov	[ebp-4], esi
		xor	ecx, ecx
		test	edx, edx
		jnz	short loc_7B359E
		mov	ebx, ecx
		jmp	short loc_7B35CD
; 

loc_7B359E:				; CODE XREF: PAGE:007B3598j
		mov	eax, ds:_ExEventObjectType
		mov	[ebp-90h], ecx
		push	ecx
		lea	ecx, [ebp-90h]
		push	ecx
		push	dword ptr [ebp-54h]
		push	eax
		push	2
		push	edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		mov	ecx, [ebp-90h]
		test	ebx, ebx
		js	loc_7B4BA5

loc_7B35CD:				; CODE XREF: PAGE:007B359Cj
		call	_KdUpdateTimeSlipEvent@4 ; KdUpdateTimeSlipEvent(x)
		jmp	loc_7B4BA5
; 

loc_7B35D7:				; DATA XREF: .text:006A2CE4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B35EA:				; DATA XREF: .text:006A2CE8o
		mov	eax, [ebp-0C0h]
		jmp	loc_7B3728
; 

loc_7B35F5:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C3Eo
		mov	esi, 0ACh
		cmp	ecx, esi
		jnz	loc_7B4B75
		cmp	byte ptr [ebp-49h], 0
		jz	short loc_7B3632
		mov	ecx, offset _TimeZoneCapability
		call	_ExpCapabilityCheck@4 ;	ExpCapabilityCheck(x)
		test	al, al
		jnz	short loc_7B3632
		push	dword ptr [ebp-54h]
		push	ds:dword_A94ABC
		push	ds:_SeTimeZonePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A

loc_7B3632:				; CODE XREF: PAGE:007B3606j
					; PAGE:007B3614j
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		cmp	byte ptr [eax+261h], 0

loc_7B363E:				; CODE XREF: PAGE:007B368Cj
		jz	loc_7B379A

loc_7B3644:				; CODE XREF: PAGE:007B3666j
					; PAGE:007B3674j
		mov	edx, esi
		mov	ecx, [ebp-50h]
		call	_ExpSetTimeZoneInformation@8 ; ExpSetTimeZoneInformation(x,x)

loc_7B364E:				; CODE XREF: PAGE:007B36C3j
					; PAGE:007B39D9j ...
		mov	ebx, eax
		jmp	loc_7B4BA5
; 

loc_7B3655:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C4Eo
		mov	esi, 1B0h
		cmp	ecx, esi
		jnz	loc_7B4B75
		cmp	byte ptr [ebp-49h], 0
		jz	short loc_7B3644
		mov	ecx, offset _TimeZoneCapability
		call	_ExpCapabilityCheck@4 ;	ExpCapabilityCheck(x)
		test	al, al
		jnz	short loc_7B3644
		push	dword ptr [ebp-54h]
		push	ds:dword_A94ABC
		push	ds:_SeTimeZonePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jmp	short loc_7B363E
; 

loc_7B368E:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BE2o
		cmp	ecx, 0Ch
		jnz	loc_7B4B75
		cmp	byte ptr [ebp-49h], 0
		jz	short loc_7B36BC
		push	dword ptr [ebp-54h]
		push	ds:dword_A94A1C
		push	ds:_SeIncreaseQuotaPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		mov	edx, [ebp-50h]

loc_7B36BC:				; CODE XREF: PAGE:007B369Bj
		mov	ecx, edx
		call	_CmSetRegistryQuotaInformation@4 ; CmSetRegistryQuotaInformation(x)
		jmp	short loc_7B364E
; 

loc_7B36C5:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BEAo
		cmp	ecx, 4
		jnz	loc_7B4B75
		push	dword ptr [ebp-54h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		mov	dword ptr [ebp-4], 7
		mov	edi, [ebp-50h]
		mov	edx, [edi]
		mov	[ebp-140h], edx
		mov	[ebp-4], esi
		mov	cl, 1
		call	PsChangeQuantumTable

loc_7B3706:				; CODE XREF: PAGE:007B38D4j
					; PAGE:007B434Dj
		xor	ecx, ecx
		mov	ebx, ecx
		jmp	loc_7B4BA5
; 

loc_7B370F:				; DATA XREF: .text:006A2CF0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B3722:				; DATA XREF: .text:006A2CF4o
		mov	eax, [ebp-0C4h]

loc_7B3728:				; CODE XREF: PAGE:007B327Ej
					; PAGE:007B338Fj ...
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7B4BA7
; 

loc_7B3737:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BE6o
		push	8
		pop	ebx
		cmp	ecx, ebx
		jnz	loc_7B4B75
		cmp	byte ptr [ebp-49h], 0
		jz	loc_7B380E
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		xor	ecx, ecx
		inc	ecx
		test	[eax+2A1h], cl
		jz	short loc_7B379A
		push	ecx
		push	ds:dword_A94E04
		push	ds:_SeLoadDriverPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	short loc_7B379A
		mov	[ebp-4], ebx
		mov	eax, ds:_MmUserProbeAddress
		mov	edi, [ebp-50h]
		cmp	edi, eax
		jb	short loc_7B3783
		mov	edi, eax

loc_7B3783:				; CODE XREF: PAGE:007B377Fj
		nop
		mov	eax, [edi]
		mov	[ebp-68h], eax
		mov	ecx, [edi+4]
		mov	[ebp-64h], ecx
		push	3Eh
		pop	edi
		cmp	ax, di
		jz	short loc_7B37A4

loc_7B3797:				; CODE XREF: PAGE:007B37C5j
		mov	[ebp-4], esi

loc_7B379A:				; CODE XREF: PAGE:007B33D7j
					; PAGE:007B3472j ...
		mov	eax, 0C0000061h
		jmp	loc_7B4BA7
; 

loc_7B37A4:				; CODE XREF: PAGE:007B3795j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_7B37AF
		mov	ecx, eax

loc_7B37AF:				; CODE XREF: PAGE:007B37ABj
		nop
		mov	al, [ecx]
		push	edi
		push	offset off_40A808
		push	dword ptr [ebp-64h]
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7B3797
		mov	dword ptr [ebp-64h], offset off_40A808
		mov	[ebp-66h], di
		mov	[ebp-4], esi
		push	ebx
		lea	eax, [ebp-68h]
		push	eax
		push	26h
		call	_ZwSetSystemInformation@12 ; ZwSetSystemInformation(x,x,x)
		jmp	loc_7B4BA7
; 

loc_7B37E6:				; DATA XREF: .text:006A2CFCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B37F9:				; DATA XREF: .text:006A2D00o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0C8h]
		jmp	loc_7B4BA7
; 

loc_7B380E:				; CODE XREF: PAGE:007B3746j
		mov	eax, [edx]
		mov	[ebp-68h], eax
		mov	eax, [edx+4]
		mov	[ebp-64h], eax
		push	3Eh
		push	offset off_40A808
		push	eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7B3834
		mov	eax, 80000005h
		jmp	short loc_7B3837
; 

loc_7B3834:				; CODE XREF: PAGE:007B382Bj
		xor	eax, eax
		inc	eax

loc_7B3837:				; CODE XREF: PAGE:007B3832j
		lea	ecx, [ebp-70h]
		push	ecx
		lea	ecx, [ebp-78h]
		push	ecx
		push	eax
		xor	ecx, ecx
		push	ecx
		xor	edx, edx
		lea	ecx, [ebp-68h]
		call	_MmLoadSystemImageEx@24	; MmLoadSystemImageEx(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_7B3866
		cmp	eax, 0C000019Dh
		jnz	loc_7B4BA7
		mov	eax, 0C000010Eh
		jmp	loc_7B4BA7
; 

loc_7B3866:				; CODE XREF: PAGE:007B384Fj
		push	dword ptr [ebp-70h]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jnz	short loc_7B3884
		push	dword ptr [ebp-78h]
		call	MmUnloadSystemImage
		mov	eax, 0C000007Bh
		jmp	loc_7B4BA7
; 

loc_7B3884:				; CODE XREF: PAGE:007B3870j
		mov	ecx, [eax+28h]
		mov	edx, [ebp-70h]
		lea	ecx, [edx+ecx]
		call	_ExpInitializeSessionDriver@8 ;	ExpInitializeSessionDriver(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_7B4BA5
		push	dword ptr [ebp-78h]
		call	MmUnloadSystemImage
		jmp	loc_7B4BA5
; 

loc_7B38A9:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BCEo
		cmp	ecx, 4
		jnz	loc_7B4B75
		cmp	byte ptr [ebp-49h], 0
		jnz	loc_7B379A
		mov	dword ptr [ebp-4], 9
		mov	eax, [edx]
		mov	[ebp-15Ch], eax
		mov	[ebp-4], esi
		push	eax
		call	MmUnloadSystemImage
		jmp	loc_7B3706
; 

loc_7B38D9:				; DATA XREF: .text:006A2D08o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0CCh], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7B38EA:				; DATA XREF: .text:006A2D0Co
		mov	eax, [ebp-0CCh]
		jmp	loc_7B3728
; 

loc_7B38F5:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4CAEo
		cmp	ecx, 4
		jnz	loc_7B39A9
		push	dword ptr [ebp-54h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		mov	dword ptr [ebp-4], 0Ah
		mov	edi, [ebp-50h]
		mov	edx, [edi]
		mov	[ebp-160h], edx
		mov	[ebp-4], esi
		mov	eax, ds:_PsProcessType
		xor	ecx, ecx
		mov	[ebp-84h], ecx
		push	ecx
		lea	ecx, [ebp-84h]
		push	ecx
		push	dword ptr [ebp-54h]
		push	eax
		push	1000h
		push	edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7B4BA5
		mov	ecx, [ebp-84h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp-74h], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_7B3980
		lea	eax, [ebp-74h]
		push	eax
		push	1
		push	ecx
		push	20h
		call	PsInvokeWin32Callout
		mov	ebx, eax

loc_7B3980:				; CODE XREF: PAGE:007B396Ej
		mov	ecx, [ebp-84h]
		jmp	loc_7B3FA2
; 

loc_7B398B:				; DATA XREF: .text:006A2D14o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B399E:				; DATA XREF: .text:006A2D18o
		mov	eax, [ebp-0D0h]
		jmp	loc_7B3728
; 

loc_7B39A9:				; CODE XREF: PAGE:007B38F8j
		test	ecx, ecx
		jnz	loc_7B4B75
		mov	ebx, ecx
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	ecx, eax
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp-74h], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_7B4BA5
		lea	eax, [ebp-74h]
		push	eax
		push	1
		push	ecx
		push	20h
		call	PsInvokeWin32Callout
		jmp	loc_7B364E
; 

loc_7B39DE:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C02o
		xor	ebx, ebx
		mov	edi, ebx
		jmp	short loc_7B39E9
; 

loc_7B39E4:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BCAo
		xor	ebx, ebx
		xor	edi, edi
		inc	edi

loc_7B39E9:				; CODE XREF: PAGE:007B39E2j
		cmp	ecx, 1Ch
		jnz	loc_7B4B75
		cmp	byte ptr [ebp-49h], 0
		jnz	loc_7B379A
		mov	dword ptr [ebp-4], 0Bh
		mov	eax, [edx]
		mov	[ebp-68h], eax
		mov	eax, [edx+4]
		mov	[ebp-64h], eax
		mov	[ebp-4], esi
		lea	eax, [ebp-70h]
		push	eax
		lea	eax, [ebp-78h]
		push	eax
		push	edi
		push	ebx
		push	ebx
		lea	eax, [ebp-68h]
		push	eax
		call	_MmLoadSystemImage@24 ;	MmLoadSystemImage(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7B3A97
		lea	eax, [ebp-164h]
		push	eax
		xor	ecx, ecx
		push	ecx
		push	1
		push	dword ptr [ebp-70h]
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	[ebp-60h], eax
		push	dword ptr [ebp-70h]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	edi, eax
		mov	dword ptr [ebp-4], 0Ch
		mov	edx, [ebp-50h]
		mov	eax, [ebp-60h]
		mov	[edx+14h], eax
		mov	ecx, [edi+28h]
		mov	eax, [ebp-70h]
		add	ecx, eax
		mov	[edx+8], eax
		mov	eax, [ebp-78h]
		mov	[edx+0Ch], eax
		mov	[edx+10h], ecx
		mov	eax, [edi+50h]
		mov	[edx+18h], eax
		jmp	loc_7B32F3
; 

loc_7B3A7B:				; DATA XREF: .text:006A2D2Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D4h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7B3A8C:				; DATA XREF: .text:006A2D30o
		mov	ebx, [ebp-0D4h]
		jmp	loc_7B3314
; 

loc_7B3A97:				; CODE XREF: PAGE:007B3A29j
		cmp	ebx, 0C000019Dh
		jnz	loc_7B4BA5
		mov	ebx, 0C000010Eh
		jmp	loc_7B4BA5
; 

loc_7B3AAD:				; DATA XREF: .text:006A2D20o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D8h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7B3ABE:				; DATA XREF: .text:006A2D24o
		mov	eax, [ebp-0D8h]
		jmp	loc_7B3728
; 

loc_7B3AC9:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BC2o
		xor	ebx, ebx
		mov	[ebp-69h], bl
		cmp	ecx, 24h
		jb	loc_7B4B75
		cmp	edi, 15h
		jz	short loc_7B3B15
		mov	dword ptr [ebp-4], 0Dh
		mov	ebx, [edx+20h]
		mov	[ebp-1ACh], ebx
		mov	[ebp-4], esi
		test	ebx, 0FFFFFFF0h
		jnz	loc_7B3B9D
		mov	eax, ebx
		and	eax, 0Ch
		cmp	al, 0Ch
		jz	loc_7B3B9D
		mov	eax, ebx
		and	eax, 3
		cmp	al, 3
		jz	loc_7B3B9D

loc_7B3B15:				; CODE XREF: PAGE:007B3ADAj
		push	dword ptr [ebp-54h]
		push	ds:dword_A94A1C
		push	ds:_SeIncreaseQuotaPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B4769
		mov	dword ptr [ebp-4], 0Eh
		mov	edi, [ebp-50h]
		mov	eax, [edi+0Ch]
		mov	[ebp-60h], eax
		mov	[ebp-144h], eax
		mov	edx, [edi+10h]
		mov	[ebp-148h], edx
		mov	[ebp-4], esi
		push	2
		pop	ecx
		mov	eax, [ebp+8]
		cmp	eax, 77h
		jnz	short loc_7B3B62
		push	3
		jmp	short loc_7B3B69
; 

loc_7B3B62:				; CODE XREF: PAGE:007B3B5Cj
		cmp	eax, 78h
		jnz	short loc_7B3B6A
		push	4

loc_7B3B69:				; CODE XREF: PAGE:007B3B60j
		pop	ecx

loc_7B3B6A:				; CODE XREF: PAGE:007B3B65j
		lea	eax, [ebp-69h]
		push	eax
		push	ebx
		push	1
		push	ecx
		mov	ecx, [ebp-60h]
		call	MmAdjustWorkingSetSizeEx
		jmp	loc_7B4BA7
; 

loc_7B3B7F:				; DATA XREF: .text:006A2D44o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0DCh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B3B92:				; DATA XREF: .text:006A2D48o
		mov	eax, [ebp-0DCh]
		jmp	loc_7B3728
; 

loc_7B3B9D:				; CODE XREF: PAGE:007B3AF5j
					; PAGE:007B3B02j ...
		mov	eax, 0C00000F0h
		jmp	loc_7B4BA7
; 

loc_7B3BA7:				; DATA XREF: .text:006A2D38o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B3BBA:				; DATA XREF: .text:006A2D3Co
		mov	eax, [ebp-0E0h]
		jmp	loc_7B3728
; 

loc_7B3BC5:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BC6o
		cmp	ecx, 14h
		jnz	loc_7B4B75
		cmp	byte ptr [ebp-49h], 0
		jz	short loc_7B3BF3
		push	dword ptr [ebp-54h]
		push	ds:dword_A94E04
		push	ds:_SeLoadDriverPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		mov	edx, [ebp-50h]

loc_7B3BF3:				; CODE XREF: PAGE:007B3BD2j
		mov	dword ptr [ebp-4], 0Fh
		push	5
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp-48h]
		rep movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-44h]
		mov	ds:_KiMaximumDpcQueueDepth, eax
		mov	eax, [ebp-40h]
		mov	ds:_KiMinimumDpcRate, eax
		mov	eax, [ebp-3Ch]
		mov	ds:_KiAdjustDpcThreshold, eax
		mov	eax, [ebp-38h]
		mov	ds:_KiIdealDpcRate, eax
		call	KeSynchronizeWithDynamicProcessors
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_7B4BA5
		xor	eax, eax

loc_7B3C46:				; CODE XREF: PAGE:007B3C73j
		mov	edx, ds:_KiProcessorBlock[eax*4]
		mov	ecx, ds:_KiMaximumDpcQueueDepth
		mov	[edx+2214h], ecx
		mov	eax, ds:_KiMinimumDpcRate
		mov	[edx+221Ch], eax
		mov	eax, [ebp-88h]
		inc	eax
		mov	[ebp-88h], eax
		cmp	eax, esi
		jb	short loc_7B3C46
		jmp	loc_7B4BA5
; 

loc_7B3C7A:				; DATA XREF: .text:006A2D50o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B3C8D:				; DATA XREF: .text:006A2D54o
		mov	eax, [ebp-0E4h]
		jmp	loc_7B3728
; 

loc_7B3C98:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BDEo
		mov	bl, [ebp-49h]
		test	bl, bl
		jz	short loc_7B3CBB
		push	dword ptr [ebp-54h]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A

loc_7B3CBB:				; CODE XREF: PAGE:007B3C9Dj
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_7B379A
		cmp	dword ptr [ebp-5Ch], 4
		jnz	short loc_7B3D4D
		test	bl, bl
		jz	short loc_7B3D2A
		mov	dword ptr [ebp-4], 10h
		mov	eax, [ebp-50h]
		test	al, 3
		jnz	loc_7B4BB9
		lea	ecx, [eax+4]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	short loc_7B3CF5
		cmp	ecx, eax
		jnb	short loc_7B3CFB

loc_7B3CF5:				; CODE XREF: PAGE:007B3CEFj
		xor	ecx, ecx
		mov	[edx], cl
		jmp	short loc_7B3CFD
; 

loc_7B3CFB:				; CODE XREF: PAGE:007B3CF3j
		xor	ecx, ecx

loc_7B3CFD:				; CODE XREF: PAGE:007B3CF9j
		mov	eax, [eax]
		mov	[ebp-14Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7B3D31
; 

loc_7B3D0E:				; DATA XREF: .text:006A2D5Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E8h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7B3D1F:				; DATA XREF: .text:006A2D60o
		mov	eax, [ebp-0E8h]
		jmp	loc_7B3728
; 

loc_7B3D2A:				; CODE XREF: PAGE:007B3CD0j
		mov	edi, [ebp-50h]
		mov	eax, [edi]
		xor	ecx, ecx

loc_7B3D31:				; CODE XREF: PAGE:007B3D0Cj
		sub	eax, ecx
		jz	short loc_7B3D54
		sub	eax, 1
		jz	short loc_7B3D4D
		sub	eax, 1
		jnz	loc_7B4B50
		call	_WheaCrashDumpInitializationComplete@0 ; WheaCrashDumpInitializationComplete()
		jmp	loc_7B364E
; 

loc_7B3D4D:				; CODE XREF: PAGE:007B3CCCj
					; PAGE:007B3D38j
		xor	dl, dl
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_7B3D58
; 

loc_7B3D54:				; CODE XREF: PAGE:007B3D33j
		xor	dl, dl
		xor	ecx, ecx

loc_7B3D58:				; CODE XREF: PAGE:007B3D52j
		call	IoConfigureCrashDump
		jmp	loc_7B364E
; 

loc_7B3D62:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BFEo
		cmp	byte ptr [ebp-49h], 0
		jnz	loc_7B379A
		push	ecx
		push	edx
		call	_MmAddVerifierThunks@8 ; MmAddVerifierThunks(x,x)
		jmp	loc_7B364E
; 

loc_7B3D78:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BFAo
		push	dword ptr [ebp-54h]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B4769
		xor	ecx, ecx
		push	ecx
		mov	edx, [ebp-5Ch]
		mov	ecx, [ebp-50h]
		call	_VfSetVerifierInformation@12 ; VfSetVerifierInformation(x,x,x)
		jmp	loc_7B364E
; 

loc_7B3DA7:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C3Ao
		push	dword ptr [ebp-54h]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B4769
		cmp	dword ptr [ebp-5Ch], 24h
		jnz	loc_7B4B75
		mov	ecx, [ebp-50h]
		call	_VfSetVerifierInformationEx@4 ;	VfSetVerifierInformationEx(x)
		jmp	loc_7B364E
; 

loc_7B3DDA:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BEEo
		cmp	ecx, 8
		jnz	loc_7B4B75
		cmp	byte ptr [ebp-49h], 0
		jz	short loc_7B3E34
		push	dword ptr [ebp-54h]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		push	1
		mov	edx, [ebp-50h]
		lea	ecx, [ebp-68h]
		call	_VfProbeAndCaptureUnicodeString@12 ; VfProbeAndCaptureUnicodeString(x,x,x)
		test	eax, eax
		js	loc_7B4BA7
		lea	edx, [ebp-68h]
		mov	[ebp-50h], edx
		cmp	word ptr [ebp-68h], 0
		jnz	short loc_7B3E31
		mov	eax, 0C00000EFh
		jmp	loc_7B4BA7
; 

loc_7B3E31:				; CODE XREF: PAGE:007B3E25j
		mov	edi, [ebp+8]

loc_7B3E34:				; CODE XREF: PAGE:007B3DE7j
		sub	edi, 28h
		jz	short loc_7B3E4E
		sub	edi, 1
		jz	short loc_7B3E45
		mov	ebx, 0C0000003h
		jmp	short loc_7B3E57
; 

loc_7B3E45:				; CODE XREF: PAGE:007B3E3Cj
		mov	ecx, edx
		call	_VfRemoveVerifierEntry@4 ; VfRemoveVerifierEntry(x)
		jmp	short loc_7B3E55
; 

loc_7B3E4E:				; CODE XREF: PAGE:007B3E37j
		mov	ecx, edx
		call	_VfAddVerifierEntry@4 ;	VfAddVerifierEntry(x)

loc_7B3E55:				; CODE XREF: PAGE:007B3E4Cj
		mov	ebx, eax

loc_7B3E57:				; CODE XREF: PAGE:007B3E43j
		cmp	byte ptr [ebp-49h], 0
		jz	loc_7B4BA5
		mov	ecx, [ebp-50h]

loc_7B3E64:				; CODE XREF: PAGE:007B42AFj
					; PAGE:007B4A58j
		call	_VfFreeCapturedUnicodeString@4 ; VfFreeCapturedUnicodeString(x)
		jmp	loc_7B4BA5
; 

loc_7B3E6E:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BD6o
		call	_MmCreateMirror@0 ; MmCreateMirror()
		jmp	loc_7B364E
; 

loc_7B3E78:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C06o
		push	dword ptr [ebp-54h]
		push	ecx
		call	PfSnSetPrefetcherInformation
		jmp	loc_7B364E
; 

loc_7B3E86:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C0Ao
		cmp	ecx, 4
		jnz	loc_7B4B75
		mov	dword ptr [ebp-4], 11h
		mov	edi, [edx]
		mov	[ebp-150h], edi
		mov	[ebp-4], esi
		mov	ecx, edi
		call	_ExpUpdateComPlusPackage@4 ; ExpUpdateComPlusPackage(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7B4BA5
		mov	ds:0FFDF02E0h, edi
		jmp	loc_7B4BA5
; 

loc_7B3EBD:				; DATA XREF: .text:006A2D68o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-130h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B3ED0:				; DATA XREF: .text:006A2D6Co
		mov	eax, [ebp-130h]
		jmp	loc_7B3728
; 

loc_7B3EDB:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C26o
		cmp	ecx, 0Ch
		jb	loc_7B4B75
		push	dword ptr [ebp-54h]
		push	ds:dword_A949F4
		push	ds:_SeIncreaseBasePriorityPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		cmp	byte ptr [ebp-49h], 0
		jz	short loc_7B3F3E
		mov	dword ptr [ebp-4], 12h
		mov	esi, [ebp-50h]
		lea	edi, [ebp-48h]
		movsd
		movsd
		movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		lea	edi, [ebp-48h]
		jmp	short loc_7B3F41
; 

loc_7B3F22:				; DATA XREF: .text:006A2D74o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-12Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7B3F33:				; DATA XREF: .text:006A2D78o
		mov	eax, [ebp-12Ch]
		jmp	loc_7B3728
; 

loc_7B3F3E:				; CODE XREF: PAGE:007B3F04j
		mov	edi, [ebp-50h]

loc_7B3F41:				; CODE XREF: PAGE:007B3F20j
		mov	eax, [edi+8]
		dec	eax
		cmp	eax, 1Eh
		ja	loc_7B4B50
		mov	eax, [edi]
		mov	[ebp-13Ch], eax
		mov	eax, [edi+4]
		mov	[ebp-138h], eax
		lea	eax, [ebp-94h]
		push	eax
		xor	ecx, ecx
		push	ecx
		lea	eax, [ebp-13Ch]
		push	eax
		call	PsLookupProcessThreadByCid
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7B4BA5
		mov	esi, [ebp-94h]
		cmp	byte ptr [esi+4], 0
		jz	short loc_7B3F92
		mov	ebx, 0C000004Bh
		jmp	short loc_7B3FA0
; 

loc_7B3F92:				; CODE XREF: PAGE:007B3F89j
		push	dword ptr [edi+8]
		push	esi
		call	KeSetActualBasePriorityThread
		mov	ebx, 103h

loc_7B3FA0:				; CODE XREF: PAGE:007B3F90j
		mov	ecx, esi

loc_7B3FA2:				; CODE XREF: PAGE:007B3986j
		call	ObfDereferenceObject
		jmp	loc_7B4BA5
; 

loc_7B3FAC:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BF6o
		mov	eax, 0C0000002h
		jmp	loc_7B4BA7
; 

loc_7B3FB6:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C12o
		mov	eax, 0C00000BBh
		jmp	loc_7B4BA7
; 

loc_7B3FC0:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C16o
		cmp	byte ptr [ebp-49h], 0
		jnz	loc_7B4B50
		test	edx, edx
		jz	loc_7B4B50
		cmp	ecx, 8
		jnz	loc_7B4B50
		mov	eax, [edx]
		xor	ebx, ebx
		sub	eax, ebx
		jz	loc_7B4AAB
		sub	eax, 1
		jz	short loc_7B404B
		sub	eax, 1
		jz	short loc_7B4040
		sub	eax, 1
		jz	short loc_7B4035
		sub	eax, 1
		jz	loc_7B4AAB
		dec	eax
		sub	eax, 1
		jz	short loc_7B4028
		sub	eax, 1
		jnz	loc_7B4A7F
		cmp	off_6B13B4, offset _xKdReleasePciDeviceForDebugging@4 ;	xKdReleasePciDeviceForDebugging(x)
		jnz	loc_7B4BA5

loc_7B401E:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C5Eo
		mov	ebx, 0C0000002h
		jmp	loc_7B4BA5
; 

loc_7B4028:				; CODE XREF: PAGE:007B4003j
		push	1
		call	off_6B13B4	; xKdReleasePciDeviceForDebugging(x)
		jmp	loc_7B364E
; 

loc_7B4035:				; CODE XREF: PAGE:007B3FF4j
		call	off_6B13A4	; SymCryptFatalIntercept(x)
		jmp	loc_7B4BA5
; 

loc_7B4040:				; CODE XREF: PAGE:007B3FEFj
		call	off_6B13AC	; SymCryptFatalIntercept(x)
		jmp	loc_7B4BA5
; 

loc_7B404B:				; CODE XREF: PAGE:007B3FEAj
		call	off_6B13A8	; SymCryptFatalIntercept(x)
		jmp	loc_7B4BA5
; 

loc_7B4056:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C1Ao
		push	dword ptr [ebp-54h]
		mov	edx, ecx
		mov	ecx, [ebp-50h]
		call	ExpRegisterFirmwareTableInformationHandler
		jmp	loc_7B364E
; 

loc_7B4068:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C1Eo
		push	dword ptr [ebp-54h]
		push	ecx
		mov	ecx, edi
		call	PfSetSuperfetchInformation
		jmp	loc_7B364E
; 

loc_7B4078:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C22o
		push	dword ptr [ebp-54h]
		mov	edx, ecx
		mov	ecx, [ebp-50h]
		call	MmIssueMemoryListCommand
		jmp	loc_7B364E
; 

loc_7B408A:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C2Ao
		mov	edx, ecx
		mov	ecx, [ebp-50h]
		call	_ObSetRefTraceInformation@8 ; ObSetRefTraceInformation(x,x)
		jmp	loc_7B364E
; 

loc_7B4099:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C2Eo
		push	dword ptr [ebp-54h]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B32C9
		cmp	dword ptr [ebp-5Ch], 8
		jnz	loc_7B4619
		mov	dword ptr [ebp-4], 13h
		mov	edi, [ebp-50h]
		mov	ecx, [edi]
		mov	[ebp-48h], ecx
		mov	eax, [edi+4]
		mov	[ebp-44h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ds:_MmSpecialPoolTag, ecx
		movzx	eax, al
		and	eax, 1
		mov	ds:_MmSpecialPoolCatchOverruns,	eax
		jmp	loc_7B4BA5
; 

loc_7B40F1:				; DATA XREF: .text:006A2D80o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-128h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B4104:				; DATA XREF: .text:006A2D84o
		mov	eax, [ebp-128h]
		jmp	loc_7B3728
; 

loc_7B410F:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C32o
		xor	eax, eax
		inc	eax
		cmp	[ebp-49h], al
		jnz	loc_7B4AAB
		push	eax
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_7B413B
		mov	ebx, 0C0000061h
		jmp	loc_7B4BA5
; 

loc_7B413B:				; CODE XREF: PAGE:007B412Fj
		mov	edx, [ebp-5Ch]
		mov	ecx, [ebp-50h]
		call	DbgkRegisterErrorPort
		jmp	loc_7B364E
; 

loc_7B414B:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C36o
		push	dword ptr [ebp-54h]
		push	ecx
		call	_HvlSetEnlightenmentInfo@16 ; HvlSetEnlightenmentInfo(x,x,x,x)
		jmp	loc_7B364E
; 

loc_7B4159:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C42o
		push	dword ptr [ebp-54h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B32C9
		cmp	dword ptr [ebp-5Ch], 8
		jnz	loc_7B4619
		mov	dword ptr [ebp-4], 14h
		mov	edi, [ebp-50h]
		mov	ecx, [edi]
		mov	[ebp-48h], ecx
		mov	eax, [edi+4]
		mov	[ebp-44h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 0FFDF03A0h
		lock or	[edx], ecx
		mov	eax, [ebp-44h]
		not	eax
		lock and [edx],	eax
		jmp	loc_7B4BA5
; 

loc_7B41B0:				; DATA XREF: .text:006A2D8Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-134h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B41C3:				; DATA XREF: .text:006A2D90o
		mov	eax, [ebp-134h]
		jmp	loc_7B3728
; 

loc_7B41CE:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C46o
		cmp	byte ptr [ebp-49h], 0
		jz	loc_7B4769
		push	dword ptr [ebp-54h]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B4769
		mov	esi, [ebp-5Ch]
		cmp	esi, 14h
		jb	loc_7B4B75
		mov	edx, esi
		mov	ecx, [ebp-50h]
		call	_ExpCovResetInformation@8 ; ExpCovResetInformation(x,x)
		jmp	loc_7B364E
; 

loc_7B420F:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C4Ao
		cmp	ecx, 18h
		jnz	loc_7B4B75
		cmp	byte ptr [ebp-49h], 0
		jz	short loc_7B428E
		push	dword ptr [ebp-54h]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		mov	dword ptr [ebp-4], 15h
		push	6
		pop	ecx
		mov	esi, [ebp-50h]
		lea	edi, [ebp-48h]
		rep movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		lea	edx, [ebx+1]
		lea	ecx, [ebp-40h]
		call	_VfProbeAndCaptureUnicodeStringBuffer@8	; VfProbeAndCaptureUnicodeStringBuffer(x,x)
		test	eax, eax
		js	loc_7B4BA7
		lea	edx, [ebx+1]
		lea	ecx, [ebp-38h]
		call	_VfProbeAndCaptureUnicodeStringBuffer@8	; VfProbeAndCaptureUnicodeStringBuffer(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7B4288
		lea	ecx, [ebp-40h]
		call	_VfFreeCapturedUnicodeString@4 ; VfFreeCapturedUnicodeString(x)
		mov	eax, esi
		jmp	loc_7B4BA7
; 

loc_7B4288:				; CODE XREF: PAGE:007B4277j
		lea	edx, [ebp-48h]
		mov	[ebp-50h], edx

loc_7B428E:				; CODE XREF: PAGE:007B421Cj
		mov	ecx, edx
		call	_VfFaultsSetParameters@4 ; VfFaultsSetParameters(x)
		mov	ebx, eax
		cmp	byte ptr [ebp-49h], 0
		jz	loc_7B4BA5
		mov	edi, [ebp-50h]
		lea	ecx, [edi+8]
		call	_VfFreeCapturedUnicodeString@4 ; VfFreeCapturedUnicodeString(x)
		lea	ecx, [edi+10h]
		jmp	loc_7B3E64
; 

loc_7B42B4:				; DATA XREF: .text:006A2D98o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0ECh], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7B42C5:				; DATA XREF: .text:006A2D9Co
		mov	eax, [ebp-0ECh]
		jmp	loc_7B3728
; 

loc_7B42D0:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4BDAo
		push	dword ptr [ebp-54h]
		mov	edx, ecx
		mov	ecx, [ebp-50h]
		call	_EtwSetPerformanceTraceInformation@12 ;	EtwSetPerformanceTraceInformation(x,x,x)
		jmp	loc_7B364E
; 

loc_7B42E2:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C52o
		push	dword ptr [ebp-54h]
		mov	edx, ecx
		mov	ecx, [ebp-50h]
		call	_ExpSetProcessorMicrocodeUpdateInformation@12 ;	ExpSetProcessorMicrocodeUpdateInformation(x,x,x)
		jmp	loc_7B364E
; 

loc_7B42F4:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C56o
		push	dword ptr [ebp-54h]
		mov	edx, ecx
		mov	ecx, [ebp-50h]
		call	_MmSetSystemVaInformation@12 ; MmSetSystemVaInformation(x,x,x)
		jmp	loc_7B364E
; 

loc_7B4306:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C5Ao
		push	dword ptr [ebp-54h]
		push	ecx
		call	SmSetStoreInformation
		jmp	loc_7B364E
; 

loc_7B4314:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C62o
		cmp	ecx, 4
		jnz	loc_7B4B75
		push	dword ptr [ebp-54h]
		push	ds:dword_A949EC
		push	ds:_SeProfileSingleProcessPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B4769
		mov	dword ptr [ebp-4], 16h
		mov	edi, [ebp-50h]
		mov	eax, [edi]
		mov	ds:0FFDF0248h, eax
		mov	[ebp-4], esi
		jmp	loc_7B3706
; 

loc_7B4352:				; DATA XREF: .text:006A2DA4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0F0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B4365:				; DATA XREF: .text:006A2DA8o
		mov	eax, [ebp-0F0h]
		jmp	loc_7B3728
; 

loc_7B4370:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C66o
		push	dword ptr [ebp-54h]
		mov	edx, ecx
		mov	ecx, [ebp-50h]
		call	_PsSetCpuQuotaInformation@12 ; PsSetCpuQuotaInformation(x,x,x)
		jmp	loc_7B364E
; 

loc_7B4382:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C6Eo
		cmp	ecx, 8
		jnz	loc_7B4B75
		push	dword ptr [ebp-54h]
		push	ds:dword_A949EC
		push	ds:_SeProfileSingleProcessPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		mov	dword ptr [ebp-4], 17h
		mov	edi, [ebp-50h]
		mov	edx, [edi]
		mov	[ebp-0F4h], edx
		mov	[ebp-4], esi
		lea	eax, [ebp-98h]
		push	eax
		call	_MmScrubMemory@12 ; MmScrubMemory(x,x,x)
		mov	ebx, eax
		mov	[ebp-74h], ebx
		mov	dword ptr [ebp-4], 18h
		mov	eax, [ebp-98h]
		mov	[edi+4], eax
		jmp	loc_7B32F3
; 

loc_7B43E2:				; DATA XREF: .text:006A2DBCo
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B43E8:				; CODE XREF: PAGE:loc_7B44B4j
					; DATA XREF: .text:006A2DC0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-74h]
		jmp	loc_7B4BA5
; 

loc_7B43FA:				; DATA XREF: .text:006A2DB0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0F8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B440D:				; DATA XREF: .text:006A2DB4o
		mov	eax, [ebp-0F8h]
		jmp	loc_7B3728
; 

loc_7B4418:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C72o
		push	dword ptr [ebp-54h]
		mov	edx, ecx
		mov	ecx, [ebp-50h]
		call	_KeProcessorProfileControlArea@12 ; KeProcessorProfileControlArea(x,x,x)
		jmp	loc_7B364E
; 

loc_7B442A:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C76o
		cmp	ecx, 8
		jz	short loc_7B443D
		cmp	ecx, 0Ch
		jz	short loc_7B443D
		cmp	ecx, 10h
		jnz	loc_7B4B75

loc_7B443D:				; CODE XREF: PAGE:007B442Dj
					; PAGE:007B4432j
		push	dword ptr [ebp-54h]
		push	ds:dword_A949EC
		push	ds:_SeProfileSingleProcessPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		mov	dword ptr [ebp-4], 19h
		mov	esi, [ebp-5Ch]
		push	esi
		mov	edi, [ebp-50h]
		push	edi
		lea	eax, [ebp-48h]
		push	eax
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	esi, 10h
		jnz	short loc_7B4485
		mov	ecx, [ebp-3Ch]
		jmp	short loc_7B4487
; 

loc_7B4485:				; CODE XREF: PAGE:007B447Ej
		xor	ecx, ecx

loc_7B4487:				; CODE XREF: PAGE:007B4483j
		lea	eax, [ebp-60h]
		push	eax
		push	ecx
		mov	edx, [ebp-40h]
		mov	ecx, [ebp-48h]
		call	_MmCombineIdenticalPages@16 ; MmCombineIdenticalPages(x,x,x,x)
		mov	ebx, eax
		mov	[ebp-74h], ebx
		mov	dword ptr [ebp-4], 1Ah
		mov	eax, [ebp-60h]
		mov	[edi+4], eax
		jmp	loc_7B3317
; 

loc_7B44AE:				; DATA XREF: .text:006A2DD4o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B44B4:				; DATA XREF: .text:006A2DD8o
		jmp	loc_7B43E8
; 

loc_7B44B9:				; DATA XREF: .text:006A2DC8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0FCh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B44CC:				; DATA XREF: .text:006A2DCCo
		mov	eax, [ebp-0FCh]
		jmp	loc_7B3728
; 

loc_7B44D7:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C7Ao
		cmp	byte ptr [ebp-49h], 0
		jnz	loc_7B4769
		cmp	ecx, 0Ch
		jnz	loc_7B4B75
		push	dword ptr [edx+8]
		mov	edx, [edx+4]
		mov	edi, [ebp-50h]
		mov	ecx, [edi]
		call	_KeInitializeEntropySystem@12 ;	KeInitializeEntropySystem(x,x,x)
		jmp	loc_7B364E
; 

loc_7B44FF:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C7Eo
		cmp	ecx, 4
		jnz	loc_7B4B75
		push	74h
		pop	eax
		mov	[ebp-0A0h], ax
		push	76h
		pop	eax
		mov	[ebp-9Eh], ax
		mov	dword ptr [ebp-9Ch], offset ??_C@_1HG@OLNFIFKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		mov	dword ptr [ebp-4], 1Bh
		mov	al, [edx]
		and	al, 1
		mov	[ebp-89h], al
		mov	[ebp-4], esi
		jz	short loc_7B4582
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		mov	esi, offset _ExpConDrvLoadLock
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [ebp-0A0h]
		push	eax
		call	_ZwLoadDriver@4	; ZwLoadDriver(x)
		mov	ebx, eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7B4571
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_7B4571:				; CODE XREF: PAGE:007B4568j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_7B4BA5
; 

loc_7B4582:				; CODE XREF: PAGE:007B453Aj
		push	dword ptr [ebp-54h]
		push	ds:dword_A94E04
		push	ds:_SeLoadDriverPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		lea	eax, [ebp-0A0h]
		push	eax
		call	_ZwUnloadDriver@4 ; ZwUnloadDriver(x)
		jmp	loc_7B364E
; 

loc_7B45AF:				; DATA XREF: .text:006A2DE0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-100h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B45C2:				; DATA XREF: .text:006A2DE4o
		mov	eax, [ebp-100h]
		jmp	loc_7B3728
; 

loc_7B45CD:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C8Ao
		push	dword ptr [ebp-54h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		cmp	dword ptr [ebp-5Ch], 0
		jnz	loc_7B4B75
		mov	ecx, _ExBootLoaderMetadata
		test	ecx, ecx
		jz	loc_7B4BA5
		xor	eax, eax
		xchg	eax, [ecx]
		jmp	loc_7B4BA5
; 

loc_7B460A:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C6Ao
		cmp	byte ptr [ebp-49h], 0
		jnz	loc_7B379A
		cmp	ecx, 20h
		jz	short loc_7B4623

loc_7B4619:				; CODE XREF: PAGE:007B32ABj
					; PAGE:007B40B9j ...
		mov	ebx, 0C0000004h
		jmp	loc_7B4BA5
; 

loc_7B4623:				; CODE XREF: PAGE:007B4617j
		call	_BgkSetBootGraphicsInformation@8 ; BgkSetBootGraphicsInformation(x,x)
		jmp	loc_7B364E
; 

loc_7B462D:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C8Eo
		push	dword ptr [ebp-54h]
		xor	ecx, ecx
		push	ecx
		push	13h
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		mov	esi, [ebp-5Ch]
		sub	esi, 1
		jz	short loc_7B468C
		sub	esi, 3
		jnz	loc_7B4B75
		mov	dword ptr [ebp-4], 1Dh
		mov	edi, [ebp-50h]
		mov	eax, [edi]
		mov	[ebp-154h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7B46D1
; 

loc_7B466E:				; DATA XREF: .text:006A2DF8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-104h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B4681:				; DATA XREF: .text:006A2DFCo
		mov	eax, [ebp-104h]
		jmp	loc_7B3728
; 

loc_7B468C:				; CODE XREF: PAGE:007B4648j
		mov	dword ptr [ebp-4], 1Ch
		mov	edi, [ebp-50h]
		mov	bl, [edi]
		mov	[ebp-8Ah], bl
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	bl, bl
		jz	short loc_7B46C9
		push	dword ptr [ebp-54h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		test	bl, bl
		jnz	short loc_7B46CE

loc_7B46C9:				; CODE XREF: PAGE:007B46A7j
		push	5
		pop	eax
		jmp	short loc_7B46D1
; 

loc_7B46CE:				; CODE XREF: PAGE:007B46C7j
		xor	eax, eax
		inc	eax

loc_7B46D1:				; CODE XREF: PAGE:007B466Cj
					; PAGE:007B46CCj
		mov	ecx, eax
		call	_ExpSetSoftRebootFlags@4 ; ExpSetSoftRebootFlags(x)
		jmp	loc_7B364E
; 

loc_7B46DD:				; DATA XREF: .text:006A2DECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-108h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B46F0:				; DATA XREF: .text:006A2DF0o
		mov	eax, [ebp-108h]
		jmp	loc_7B3728
; 

loc_7B46FB:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C82o
		cmp	ecx, 14h
		jnz	loc_7B4B75
		call	ExHandleSPCall2
		jmp	loc_7B364E
; 

loc_7B470E:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C92o
		cmp	ecx, 4
		jnz	loc_7B4B75
		cmp	byte ptr [ebp-49h], 0
		jz	loc_7B4B50
		mov	dword ptr [ebp-4], 1Eh
		mov	ecx, [edx]
		mov	[ebp-158h], ecx
		mov	[ebp-4], esi
		call	_ExpQueryElamCertInfo@4	; ExpQueryElamCertInfo(x)
		jmp	loc_7B364E
; 

loc_7B473D:				; DATA XREF: .text:006A2E04o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-10Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7B474E:				; DATA XREF: .text:006A2E08o
		mov	eax, [ebp-10Ch]
		jmp	loc_7B3728
; 

loc_7B4759:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C96o
		call	_CmReconcileAndValidateAllHives@0 ; CmReconcileAndValidateAllHives()
		jmp	loc_7B364E
; 

loc_7B4763:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C9Ao
		cmp	byte ptr [ebp-49h], 0
		jz	short loc_7B4773

loc_7B4769:				; CODE XREF: PAGE:007B3342j
					; PAGE:007B33E4j ...
		mov	eax, 0C0000022h
		jmp	loc_7B4BA7
; 

loc_7B4773:				; CODE XREF: PAGE:007B4767j
		cmp	ecx, 8
		jnz	loc_7B4B75
		push	offset _KdpContext
		push	edx
		push	3
		call	ds:__imp__KdInitialize@12 ; KdInitialize(x,x,x)
		jmp	loc_7B364E
; 

loc_7B478F:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C86o
		cmp	ecx, 28h
		jnz	loc_7B4B75
		push	dword ptr [ebp-54h]
		push	ds:dword_A949BC
		push	ds:_SeShutdownPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		cmp	_CriticalProcessExceptionData, 0
		jz	short loc_7B47C4
		xor	eax, eax
		jmp	loc_7B4BA7
; 

loc_7B47C4:				; CODE XREF: PAGE:007B47BBj
		mov	dword ptr [ebp-4], 1Fh
		push	0Ah
		pop	ecx
		mov	esi, [ebp-50h]
		lea	edi, [ebp-48h]
		rep movsd
		mov	ebx, [ebp-38h]
		mov	[ebp-16Ch], ebx
		mov	edx, [ebp-34h]
		mov	[ebp-88h], edx
		mov	[ebp-168h], edx
		xor	eax, eax
		mov	[ebp-38h], eax
		mov	[ebp-34h], eax
		test	bx, bx
		jz	short loc_7B4850
		xor	ecx, ecx
		inc	ecx
		test	bl, cl
		jnz	short loc_7B4850
		test	dl, cl
		jnz	loc_7B4BB9
		movzx	edi, bx
		lea	ecx, [edx+edi]
		mov	esi, ds:_MmUserProbeAddress
		cmp	ecx, esi
		ja	short loc_7B481E
		cmp	ecx, edx
		jnb	short loc_7B4820

loc_7B481E:				; CODE XREF: PAGE:007B4818j
		mov	[esi], al

loc_7B4820:				; CODE XREF: PAGE:007B481Cj
		push	50535845h
		push	edi
		push	9
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7B484E
		push	edi
		push	dword ptr [ebp-88h]
		push	esi
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp-34h], esi
		mov	[ebp-38h], bx
		mov	[ebp-36h], bx

loc_7B484E:				; CODE XREF: PAGE:007B4831j
		xor	eax, eax

loc_7B4850:				; CODE XREF: PAGE:007B47F9j
					; PAGE:007B4800j
		push	0Ah
		pop	ecx
		lea	esi, [ebp-48h]
		mov	edi, offset _CriticalProcessExceptionData
		rep movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7B364E
; 

loc_7B4869:				; DATA XREF: .text:006A2E10o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-110h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B487C:				; DATA XREF: .text:006A2E14o
		mov	eax, [ebp-110h]
		jmp	loc_7B3728
; 

loc_7B4887:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4CA2o
		test	cl, 7
		jnz	loc_7B4B75
		cmp	ecx, 8
		ja	loc_7B4B75
		mov	dword ptr [ebp-4], 20h
		push	ecx
		push	edx
		lea	eax, [ebp-178h]
		push	eax
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp-4], esi
		mov	cl, [ebp-49h]
		call	_ExCpuSetResourceManagerAccessCheck@4 ;	ExCpuSetResourceManagerAccessCheck(x)
		test	eax, eax
		js	loc_7B4BA7
		xor	ecx, ecx
		push	ecx
		lea	edx, [ebp-178h]

loc_7B48CD:				; CODE XREF: PAGE:007B4B4Bj
		mov	ecx, [ebp-5Ch]
		shr	ecx, 3
		call	KeSetSystemAllowedCpuSets
		jmp	loc_7B364E
; 

loc_7B48DD:				; DATA XREF: .text:006A2E1Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-114h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B48F0:				; DATA XREF: .text:006A2E20o
		mov	eax, [ebp-114h]
		jmp	loc_7B3728
; 

loc_7B48FB:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4CA6o
		cmp	ecx, 10h
		jnz	loc_7B4B75
		push	dword ptr [ebp-54h]
		push	ds:dword_A949F4
		push	ds:_SeIncreaseBasePriorityPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A
		mov	dword ptr [ebp-4], 21h
		mov	esi, [ebp-50h]
		lea	edi, [ebp-1A8h]
		movsd
		movsd
		movsd
		movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	dword ptr [ebp-1A0h]
		mov	edx, [ebp-1A4h]
		mov	ecx, [ebp-1A8h]
		call	_KeIntSteerAssignCpuSetForGsiv@12 ; KeIntSteerAssignCpuSetForGsiv(x,x,x)
		jmp	loc_7B364E
; 

loc_7B4957:				; DATA XREF: .text:006A2E28o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-118h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B496A:				; DATA XREF: .text:006A2E2Co
		mov	eax, [ebp-118h]
		jmp	loc_7B3728
; 

loc_7B4975:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4CAAo
		push	8
		pop	ebx
		cmp	ecx, ebx
		jb	loc_7B4B75
		sub	ecx, ebx
		mov	[ebp-5Ch], ecx
		test	cl, 7
		jnz	loc_7B4B75
		cmp	ecx, ebx
		ja	loc_7B4B75
		mov	dword ptr [ebp-4], 22h
		mov	edi, [edx]
		mov	[ebp-180h], edi
		mov	eax, [edx+4]
		mov	[ebp-60h], eax
		mov	[ebp-17Ch], eax
		push	ecx
		lea	eax, [edx+8]
		push	eax
		lea	eax, [ebp-188h]
		push	eax
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp-4], esi
		mov	cl, [ebp-49h]
		call	_ExCpuSetResourceManagerAccessCheck@4 ;	ExCpuSetResourceManagerAccessCheck(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7B4BA5
		push	dword ptr [ebp-60h]
		push	edi
		mov	ecx, [ebp-5Ch]
		shr	ecx, 3
		lea	edx, [ebp-188h]
		call	_KeSetTagCpuSets@16 ; KeSetTagCpuSets(x,x,x,x)
		jmp	loc_7B364E
; 

loc_7B49F4:				; DATA XREF: .text:006A2E34o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-11Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B4A07:				; DATA XREF: .text:006A2E38o
		mov	eax, [ebp-11Ch]
		jmp	loc_7B3728
; 

loc_7B4A12:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4CB2o
		cmp	ecx, 10h
		jnz	loc_7B4B75
		mov	dword ptr [ebp-4], 23h
		mov	esi, edx
		lea	edi, [ebp-48h]
		movsd
		movsd
		movsd
		movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edx, edx
		inc	edx
		lea	ecx, [ebp-48h]
		call	_VfProbeAndCaptureUnicodeStringBuffer@8	; VfProbeAndCaptureUnicodeStringBuffer(x,x)
		test	eax, eax
		js	loc_7B4BA7
		push	dword ptr [ebp-3Ch]
		mov	edx, [ebp-40h]
		lea	ecx, [ebp-48h]
		call	_PsSetExeModerationState@12 ; PsSetExeModerationState(x,x,x)
		mov	ebx, eax
		lea	ecx, [ebp-48h]
		jmp	loc_7B3E64
; 

loc_7B4A5D:				; DATA XREF: .text:006A2E40o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-120h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B4A70:				; DATA XREF: .text:006A2E44o
		mov	eax, [ebp-120h]
		jmp	loc_7B3728
; 

loc_7B4A7B:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4CB6o
		test	ecx, ecx
		jz	short loc_7B4A89

loc_7B4A7F:				; CODE XREF: PAGE:007B4008j
					; PAGE:007B4AC4j
		mov	ebx, 0C000000Dh
		jmp	loc_7B4BA5
; 

loc_7B4A89:				; CODE XREF: PAGE:007B4A7Dj
		cmp	byte ptr [ebp-49h], 0
		jz	short loc_7B4AAB
		push	dword ptr [ebp-54h]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7B379A

loc_7B4AAB:				; CODE XREF: PAGE:007B32A1j
					; PAGE:007B3FE1j ...
		mov	ebx, 0C00000BBh
		jmp	loc_7B4BA5
; 

loc_7B4AB5:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4C9Eo
		push	ecx
		mov	ecx, edi
		call	_SeCodeIntegritySetInformation@12 ; SeCodeIntegritySetInformation(x,x,x)
		jmp	loc_7B364E
; 

loc_7B4AC2:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4CBAo
		test	ecx, ecx
		jnz	short loc_7B4A7F
		push	dword ptr [ebp-54h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_7B4AAB
		jmp	loc_7B379A
; 

loc_7B4AE3:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4CBEo
		push	8
		pop	ebx
		cmp	ecx, ebx
		jb	loc_7B4B75
		sub	ecx, ebx
		mov	[ebp-5Ch], ecx
		test	cl, 7
		jnz	short loc_7B4B75
		cmp	ecx, ebx
		ja	short loc_7B4B75
		mov	dword ptr [ebp-4], 24h
		mov	edi, [edx]
		mov	ebx, [edx+4]
		mov	[ebp-190h], edi
		mov	[ebp-18Ch], ebx
		push	ecx
		lea	eax, [edx+8]
		push	eax
		lea	eax, [ebp-198h]
		push	eax
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp-4], esi
		xor	ecx, ecx
		cmp	ebx, ecx
		ja	short loc_7B4B50
		cmp	edi, 2
		jnb	short loc_7B4B50
		mov	cl, [ebp-49h]
		call	_ExCpuSetResourceManagerAccessCheck@4 ;	ExCpuSetResourceManagerAccessCheck(x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7B4BA5
		push	edi
		lea	edx, [ebp-198h]
		jmp	loc_7B48CD
; 

loc_7B4B50:				; CODE XREF: PAGE:007B3D3Dj
					; PAGE:007B3F48j ...
		mov	eax, 0C000000Dh
		jmp	short loc_7B4BA7
; 

loc_7B4B57:				; DATA XREF: .text:006A2E4Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-124h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_7B4B6A:				; DATA XREF: .text:006A2E50o
		mov	eax, [ebp-124h]
		jmp	loc_7B3728
; 

loc_7B4B75:				; CODE XREF: PAGE:007B3326j
					; PAGE:007B33B5j ...
		mov	eax, 0C0000004h
		jmp	short loc_7B4BA7
; 

loc_7B4B7C:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4CCAo
		push	dword ptr [ebp-54h]
		mov	edx, ecx
		mov	ecx, [ebp-50h]
		call	_CmUpdateFeatureConfiguration@12 ; CmUpdateFeatureConfiguration(x,x,x)
		jmp	loc_7B364E
; 

loc_7B4B8E:				; CODE XREF: PAGE:007B32A1j
					; DATA XREF: PAGE:007B4CCEo
		push	dword ptr [ebp-54h]
		mov	edx, ecx
		mov	ecx, [ebp-50h]
		call	_CmUpdateFeatureUsageSubscription@12 ; CmUpdateFeatureUsageSubscription(x,x,x)
		jmp	loc_7B364E
; 

loc_7B4BA0:				; CODE XREF: PAGE:007B3294j
					; PAGE:007B32A1j
					; DATA XREF: ...
		mov	ebx, 0C0000003h

loc_7B4BA5:				; CODE XREF: PAGE:007B32CEj
					; PAGE:007B32F6j ...
		mov	eax, ebx

loc_7B4BA7:				; CODE XREF: PAGE:007B3732j
					; PAGE:007B379Fj ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7B4BB9:				; CODE XREF: PAGE:007B3246j
					; PAGE:007B3CDEj ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
off_7B4BBE	dd offset loc_7B32A8	; DATA XREF: PAGE:007B32A1r
		dd offset loc_7B3AC9
		dd offset loc_7B3BC5
		dd offset loc_7B39E4
		dd offset loc_7B38A9
		dd offset loc_7B3448
		dd offset loc_7B3E6E
		dd offset loc_7B42D0
		dd offset loc_7B3C98
		dd offset loc_7B368E
		dd offset loc_7B3737
		dd offset loc_7B36C5
		dd offset loc_7B3DDA
		dd offset loc_7B3547
		dd offset loc_7B3FAC
		dd offset loc_7B3D78
		dd offset loc_7B3D62
		dd offset loc_7B39DE
		dd offset loc_7B3E78
		dd offset loc_7B3E86
		dd offset loc_7B4AAB
		dd offset loc_7B3FB6
		dd offset loc_7B3FC0
		dd offset loc_7B4056
		dd offset loc_7B4068
		dd offset loc_7B4078
		dd offset loc_7B3EDB
		dd offset loc_7B408A
		dd offset loc_7B4099
		dd offset loc_7B410F
		dd offset loc_7B414B
		dd offset loc_7B3DA7
		dd offset loc_7B35F5
		dd offset loc_7B4159
		dd offset loc_7B41CE
		dd offset loc_7B420F
		dd offset loc_7B3655
		dd offset loc_7B42E2
		dd offset loc_7B42F4
		dd offset loc_7B4306
		dd offset loc_7B401E
		dd offset loc_7B4314
		dd offset loc_7B4370
		dd offset loc_7B460A
		dd offset loc_7B4382
		dd offset loc_7B4418
		dd offset loc_7B442A
		dd offset loc_7B44D7
		dd offset loc_7B44FF
		dd offset loc_7B46FB
		dd offset loc_7B478F
		dd offset loc_7B45CD
		dd offset loc_7B462D
		dd offset loc_7B470E
		dd offset loc_7B4759
		dd offset loc_7B4763
		dd offset loc_7B4AB5
		dd offset loc_7B4887
		dd offset loc_7B48FB
		dd offset loc_7B4975
		dd offset loc_7B38F5
		dd offset loc_7B4A12
		dd offset loc_7B4A7B
		dd offset loc_7B4AC2
		dd offset loc_7B4AE3
		dd offset loc_7B33B2
		dd offset loc_7B3323
		dd offset loc_7B4B7C
		dd offset loc_7B4B8E
		dd offset loc_7B4BA0
byte_7B4CD6	db 0			; DATA XREF: PAGE:007B329Ar
		db 45h
		dd 2 dup(45454545h), 45014545h,	3450245h, 6450504h, 8454507h
		dd 0A094545h, 450C0C0Bh, 0D454545h, 45450E0Eh, 1145100Fh
		dd 45451245h, 45454513h, 45454545h, 45144545h, 0E451615h
		dd 45454517h, 1A011918h, 1B454545h, 451D451Ch, 21201F1Eh
		dd 45234522h, 24454545h, 26452545h, 28274545h, 452A4529h
		dd 2 dup(45454545h), 2B454545h,	2E2D452Ch, 3145302Fh, 45454545h
		dd 32454545h, 45454545h, 33454545h, 45453534h, 45454536h
		dd 45374514h, 45453845h, 3A453945h, 45454545h, 453C3B45h
		dd 2 dup(45454545h), 3845453Dh,	3F45453Eh, 45454545h, 45454538h
		dd 41454045h, 43454542h
		db 45h
		db 44h
; 
		inc	ebp
		inc	ebp
		inc	ebp
		inc	ebp
		inc	ebp
		inc	ebp
		inc	ebp
		inc	ebp
		inc	ebp
		inc	ebp
		inc	ebp
		cmp	[eax], bh
		int	3		; Trap to Debugger

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSetSuperfetchInformation proc	near	; CODE XREF: PAGE:007B406Ep

var_B8		= dword	ptr -0B8h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EC0B0 SIZE 00000014 BYTES
; FUNCTION CHUNK AT 008EC0DD SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008EC0FA SIZE 00000057 BYTES
; FUNCTION CHUNK AT 008EC167 SIZE 00000022 BYTES
; FUNCTION CHUNK AT 008EC19C SIZE 00000031 BYTES
; FUNCTION CHUNK AT 008EC1E0 SIZE 0000000A BYTES
; FUNCTION CHUNK AT 008EC20F SIZE 00000019 BYTES
; FUNCTION CHUNK AT 008EC23B SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008EC255 SIZE 00000020 BYTES
; FUNCTION CHUNK AT 008EC28B SIZE 00000078 BYTES

		push	0A8h
		push	offset dword_6A2E58
		call	__SEH_prolog4_GS
		mov	esi, edx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_B8]
		rep stosd
		and	[ebp+var_7C], eax
		and	[ebp+var_78], eax
		and	[ebp+var_38], eax
		lea	edi, [ebp+var_48]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_98]
		stosd
		stosd
		stosd
		and	[ebp+var_68], 0
		and	[ebp+var_8C], 0
		and	[ebp+var_88], 0
		and	[ebp+var_3C], 0
		push	[ebp+arg_4]
		push	ds:dword_A949EC
		push	ds:_SeProfileSingleProcessPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_8EC0B0
		cmp	[ebp+arg_0], 14h
		jnz	loc_8EC0BA
		xor	ebx, ebx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		stosd
		stosd
		and	[ebp+ms_exc.disabled], ebx
		push	5
		pop	ecx
		lea	edi, [ebp+var_34]
		rep movsd

loc_7B4E3B:				; CODE XREF: sub_8EC0D2+6j
		push	0FFFFFFFEh
		pop	edx
		mov	[ebp+ms_exc.disabled], edx
		test	ebx, ebx
		js	short loc_7B4E9E
		cmp	[ebp+var_34], 2Dh
		jnz	loc_7B52B3
		cmp	[ebp+var_30], 6B756843h
		jnz	loc_7B52B3
		mov	eax, [ebp+var_2C]
		cmp	eax, 0Eh
		jz	short loc_7B4EBD
		jg	short loc_7B4ECA
		push	3
		pop	ecx
		sub	eax, ecx
		jz	loc_7B505D
		sub	eax, 1
		jz	loc_7B5200
		sub	eax, 1
		jz	loc_7B4F05
		dec	eax
		sub	eax, 1
		jnz	loc_7B501A

loc_7B4E8D:				; CODE XREF: PfSetSuperfetchInformation+139j
					; PfSetSuperfetchInformation+137461j
		lea	eax, [ebp+var_68]
		push	eax
		mov	dl, byte ptr [ebp+arg_4]
		lea	ecx, [ebp+var_34]
		call	PfpPfnPrioRequest

loc_7B4E9C:				; CODE XREF: PfSetSuperfetchInformation+118j
					; PfSetSuperfetchInformation+153j ...
		mov	ebx, eax

loc_7B4E9E:				; CODE XREF: PfSetSuperfetchInformation+93j
					; PfSetSuperfetchInformation+1BDj ...
		mov	esi, [ebp+var_3C]
		test	esi, esi
		jnz	loc_7B516B

loc_7B4EA9:				; CODE XREF: PfSetSuperfetchInformation+3C3j
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7B4EBD:				; CODE XREF: PfSetSuperfetchInformation+B2j
		mov	dl, byte ptr [ebp+arg_4]
		lea	ecx, [ebp+var_34]
		call	PfpRpControlRequest
		jmp	short loc_7B4E9C
; 

loc_7B4ECA:				; CODE XREF: PfSetSuperfetchInformation+B4j
		sub	eax, 0Fh
		jz	loc_8EC28B
		push	3
		pop	ecx
		sub	eax, ecx
		jz	loc_7B5213
		sub	eax, 1
		jz	loc_7B4F72
		sub	eax, ecx
		jz	short loc_7B4E8D
		sub	eax, ecx
		jz	short loc_7B4F12
		sub	eax, 1
		jnz	loc_8EC20F
		mov	dl, byte ptr [ebp+arg_4]
		lea	ecx, [ebp+var_34]
		call	PfpDeprioritizeOldPagesInWs
		jmp	short loc_7B4E9C
; 

loc_7B4F05:				; CODE XREF: PfSetSuperfetchInformation+CDj
		mov	dl, byte ptr [ebp+arg_4]
		lea	ecx, [ebp+var_34]
		call	PfpPrefetchRequest
		jmp	short loc_7B4E9C
; 

loc_7B4F12:				; CODE XREF: PfSetSuperfetchInformation+13Dj
		cmp	[ebp+var_24], 8
		jnz	loc_8EC19C
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], 9
		cmp	byte ptr [ebp+arg_4], bl
		jz	short loc_7B4F46
		mov	eax, [ebp+var_28]
		test	al, cl
		jnz	loc_7B52AA
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_8EC221

loc_7B4F43:				; CODE XREF: PfSetSuperfetchInformation+137473j
		nop
		mov	al, [eax]

loc_7B4F46:				; CODE XREF: PfSetSuperfetchInformation+178j
		mov	eax, [ebp+var_28]
		mov	ecx, [eax]
		mov	[ebp+var_8C], ecx
		mov	eax, [eax+4]
		mov	[ebp+var_88], eax
		mov	[ebp+ms_exc.disabled], edx
		cmp	ecx, 1
		jnz	loc_7B52B3
		mov	ecx, eax
		call	_MmSetMinimumAgeRate@4 ; MmSetMinimumAgeRate(x)
		jmp	loc_7B4E9E
; 

loc_7B4F72:				; CODE XREF: PfSetSuperfetchInformation+131j
		cmp	[ebp+var_24], 0Ch
		jnz	loc_8EC19C
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], 8
		cmp	byte ptr [ebp+arg_4], bl
		jz	short loc_7B4FA6
		mov	eax, [ebp+var_28]
		test	al, cl
		jnz	loc_7B52AA
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_8EC23B

loc_7B4FA3:				; CODE XREF: PfSetSuperfetchInformation+13748Dj
		nop
		mov	al, [eax]

loc_7B4FA6:				; CODE XREF: PfSetSuperfetchInformation+1D8j
		mov	esi, [ebp+var_28]
		lea	edi, [ebp+var_98]
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], edx
		cmp	[ebp+var_98], 2
		jnz	loc_7B52B3
		cmp	[ebp+var_94], 5
		jge	loc_7B52B3
		mov	ecx, [ebp+var_90]
		cmp	cl, 7
		ja	loc_7B52B3
		mov	edx, ecx
		shr	edx, 8
		cmp	dl, 7
		ja	loc_7B52B3
		mov	eax, ecx
		shr	eax, 10h
		test	ax, ax
		jnz	loc_7B52B3
		and	[ebp+var_20], 0
		mov	eax, [ebp+var_94]
		mov	byte ptr [ebp+var_20], al
		mov	byte ptr [ebp+var_20+1], cl
		mov	byte ptr [ebp+var_20+2], dl
		push	[ebp+var_20]
		call	_MmSetTrimWhileAgingState@4 ; MmSetTrimWhileAgingState(x)
		jmp	loc_7B4E9E
; 

loc_7B501A:				; CODE XREF: PfSetSuperfetchInformation+D7j
		sub	eax, ecx
		jnz	loc_7B5178
		cmp	[ebp+var_24], 18h
		jnz	loc_8EC19C
		mov	[ebp+ms_exc.disabled], ecx
		mov	eax, [ebp+arg_4]
		test	al, al
		jnz	loc_8EC167

loc_7B503A:				; CODE XREF: PfSetSuperfetchInformation+1373D4j
		push	6
		pop	ecx
		mov	esi, [ebp+var_28]
		lea	edi, [ebp+var_B8]
		rep movsd
		mov	[ebp+ms_exc.disabled], edx
		mov	dl, al
		lea	ecx, [ebp+var_B8]
		call	PfpProcessScenarioPhase
		jmp	loc_7B4E9C
; 

loc_7B505D:				; CODE XREF: PfSetSuperfetchInformation+BBj
		cmp	[ebp+var_24], 8
		jnz	loc_8EC19C
		mov	[ebp+ms_exc.disabled], 1
		mov	ebx, [ebp+arg_4]
		test	bl, bl
		jz	short loc_7B5091
		mov	eax, [ebp+var_28]
		test	al, cl
		jnz	loc_7B52AA
		mov	esi, ds:_MmUserProbeAddress
		cmp	eax, esi
		jnb	loc_8EC1A6

loc_7B508E:				; CODE XREF: PfSetSuperfetchInformation+1373F8j
		nop
		mov	al, [eax]

loc_7B5091:				; CODE XREF: PfSetSuperfetchInformation+2C3j
		mov	eax, [ebp+var_28]
		mov	esi, [eax]
		mov	[ebp+var_84], esi
		mov	eax, [eax+4]
		mov	[ebp+var_20], eax
		mov	[ebp+var_80], eax
		mov	[ebp+ms_exc.disabled], edx
		test	eax, eax
		jz	loc_7B52B3
		mov	edi, esi
		shr	edi, 7
		test	edi, edi
		jz	loc_7B52B3
		and	esi, 1Fh
		cmp	esi, 2
		jb	loc_8EC1E0
		cmp	esi, ecx
		jbe	loc_8EC1B4
		cmp	esi, 5
		jz	loc_8EC1AD
		cmp	esi, 1Bh
		jnz	loc_8EC1E0
		push	8

loc_7B50E5:				; CODE XREF: PfSetSuperfetchInformation+1373FFj
					; PfSetSuperfetchInformation+137406j
		pop	eax
		cmp	edi, eax
		jb	loc_7B52B3
		cmp	edi, 0FF8h
		jnb	loc_7B52B3
		push	44456650h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_3C], esi
		test	esi, esi
		jz	loc_8EC1BB
		mov	[ebp+ms_exc.disabled], 2
		mov	eax, [ebp+var_20]
		test	bl, bl
		jz	short loc_7B5143
		test	al, 1
		jnz	loc_7B52AA
		lea	edx, [edi+eax]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	loc_8EC1C5
		cmp	edx, eax
		jb	loc_8EC1C5

loc_7B5143:				; CODE XREF: PfSetSuperfetchInformation+370j
					; PfSetSuperfetchInformation+137418j
		push	edi		; size_t
		push	eax		; void *
		mov	esi, [ebp+var_3C]
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_80], esi
		lea	ecx, [ebp+var_84]
		call	PfpLogEventRequest
		jmp	loc_7B4E9C
; 

loc_7B516B:				; CODE XREF: PfSetSuperfetchInformation+F3j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7B4EA9
; 

loc_7B5178:				; CODE XREF: PfSetSuperfetchInformation+26Cj
		sub	eax, 1
		jz	loc_8EC0FA
		dec	eax
		sub	eax, 1
		jnz	loc_8EC217
		cmp	[ebp+var_24], 8
		jnz	loc_8EC19C
		mov	[ebp+ms_exc.disabled], 4
		cmp	byte ptr [ebp+arg_4], al
		jz	short loc_7B51BD
		mov	eax, [ebp+var_28]
		test	al, cl
		jnz	loc_7B52AA
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_8EC0DD

loc_7B51BA:				; CODE XREF: PfSetSuperfetchInformation+13732Fj
		nop
		mov	al, [eax]

loc_7B51BD:				; CODE XREF: PfSetSuperfetchInformation+3EFj
		mov	eax, [ebp+var_28]
		mov	ecx, [eax]
		mov	[ebp+var_7C], ecx
		mov	esi, [eax+4]
		mov	[ebp+var_78], esi
		mov	[ebp+ms_exc.disabled], edx
		xor	edx, edx
		inc	edx
		cmp	cx, dx
		jnz	loc_7B52B3
		lea	eax, [esi-1]
		cmp	eax, 4
		ja	loc_7B52B3
		push	0
		shr	ecx, 10h
		and	ecx, edx
		inc	ecx
		push	ecx
		mov	edx, esi
		mov	ecx, offset unk_6D4870
		call	PfpScenCtxPrefetchStateSet
		jmp	loc_7B4E9C
; 

loc_7B5200:				; CODE XREF: PfSetSuperfetchInformation+C4j
		xor	edx, edx
		mov	ecx, offset dword_6D42C0
		call	PfGenerateTrace

loc_7B520C:				; CODE XREF: PfSetSuperfetchInformation+137391j
		xor	ebx, ebx
		jmp	loc_7B4E9E
; 

loc_7B5213:				; CODE XREF: PfSetSuperfetchInformation+128j
		cmp	[ebp+var_24], 0Ch
		jnz	loc_8EC19C
		mov	[ebp+ms_exc.disabled], 7
		cmp	byte ptr [ebp+arg_4], 0
		jz	short loc_7B523E
		mov	eax, [ebp+var_28]
		test	al, cl
		jnz	short loc_7B52AA
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	short loc_7B52AF

loc_7B523B:				; CODE XREF: PfSetSuperfetchInformation+501j
		nop
		mov	al, [eax]

loc_7B523E:				; CODE XREF: PfSetSuperfetchInformation+478j
		mov	esi, [ebp+var_28]
		lea	edi, [ebp+var_48]
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], edx
		cmp	[ebp+var_48], 2
		jnz	short loc_7B52B3
		mov	edi, [ebp+var_44]
		cmp	edi, 2
		jnb	short loc_7B52B3
		test	[ebp+var_40], 0FFFFFFFCh
		jnz	short loc_7B52B3
		mov	ebx, offset _PfTGlobals
		mov	ecx, ebx
		call	_PfLockExclusiveAcquire@4 ; PfLockExclusiveAcquire(x)
		test	edi, edi
		jnz	loc_8EC255
		mov	esi, dword_6D4284
		not	esi
		and	esi, [ebp+var_40]

loc_7B5280:				; CODE XREF: PfSetSuperfetchInformation+1374C0j
		push	esi
		mov	ecx, ebx
		call	PfTStart
		mov	ebx, eax
		mov	ecx, offset _PfTGlobals
		call	PfLockExclusiveRelease
		xor	edx, edx
		test	edi, edi
		setz	dl
		mov	ecx, offset unk_6D4870
		call	PfpScenCtxServiceThreadSet
		jmp	loc_7B4E9E
; 

loc_7B52AA:				; CODE XREF: PfSetSuperfetchInformation+17Fj
					; PfSetSuperfetchInformation+1DFj ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7B52AF:				; CODE XREF: PfSetSuperfetchInformation+489j
		mov	eax, ecx
		jmp	short loc_7B523B
; 

loc_7B52B3:				; CODE XREF: PfSetSuperfetchInformation+99j
					; PfSetSuperfetchInformation+A6j ...
		mov	ebx, 0C000000Dh
		jmp	loc_7B4E9E
PfSetSuperfetchInformation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnSetPrefetcherInformation proc near	; CODE XREF: PAGE:007B3E7Cp

var_C8		= dword	ptr -0C8h
var_BC		= dword	ptr -0BCh
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EC311 SIZE 00000070 BYTES
; FUNCTION CHUNK AT 008EC39D SIZE 00000011 BYTES
; FUNCTION CHUNK AT 008EC3E0 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008EC400 SIZE 0000000A BYTES

		push	0B8h
		push	offset dword_6A2EE0
		call	__SEH_prolog4_GS
		cmp	[ebp+arg_0], 14h
		jnz	loc_8EC311
		and	[ebp+ms_exc.disabled], 0
		push	5
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp+var_80]
		rep movsd
		push	0FFFFFFFEh
		pop	edx
		mov	[ebp+ms_exc.disabled], edx
		cmp	[ebp+var_80], 1
		jnz	loc_8EC400
		cmp	[ebp+var_7C], 6B756843h
		jnz	loc_8EC400
		mov	esi, [ebp+var_78]
		push	3
		pop	edi
		cmp	esi, edi
		jz	loc_7B53BC
		cmp	esi, 5
		jz	loc_7B53BC
		cmp	esi, 8
		jz	loc_7B53BC
		mov	ebx, [ebp+arg_4]
		push	ebx
		push	ds:dword_A949EC
		push	ds:_SeProfileSingleProcessPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_8EC31B
		push	0FFFFFFFEh
		pop	edx

loc_7B5342:				; CODE XREF: PfSnSetPrefetcherInformation+101j
		sub	esi, edi
		jz	short loc_7B53C1
		dec	esi
		sub	esi, 1
		jz	loc_7B545E
		sub	esi, 1
		jnz	loc_8EC325
		cmp	[ebp+var_70], 48h
		jnz	loc_8EC39D
		mov	[ebp+ms_exc.disabled], edi
		test	bl, bl
		jz	short loc_7B5386
		mov	eax, [ebp+var_74]
		test	al, 3
		jnz	loc_7B54B2
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_8EC3A7

loc_7B5383:				; CODE XREF: PfSnSetPrefetcherInformation+1370EBj
		nop
		mov	al, [eax]

loc_7B5386:				; CODE XREF: PfSnSetPrefetcherInformation+AAj
		push	12h
		pop	ecx
		mov	esi, [ebp+var_74]
		lea	edi, [ebp+var_6C]
		rep movsd
		mov	[ebp+ms_exc.disabled], edx
		cmp	[ebp+var_6C], 2
		jnz	loc_8EC400
		lea	ecx, [ebp+var_6C]
		call	_PfSnPrefetchCacheEntryUpdate@4	; PfSnPrefetchCacheEntryUpdate(x)

loc_7B53A6:				; CODE XREF: PfSnSetPrefetcherInformation+195j
		xor	esi, esi

loc_7B53A8:				; CODE XREF: PfSnSetPrefetcherInformation+19Bj
					; PfSnSetPrefetcherInformation+137058j	...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7B53BC:				; CODE XREF: PfSnSetPrefetcherInformation+4Cj
					; PfSnSetPrefetcherInformation+55j ...
		mov	ebx, [ebp+arg_4]
		jmp	short loc_7B5342
; 

loc_7B53C1:				; CODE XREF: PfSnSetPrefetcherInformation+86j
		cmp	[ebp+var_70], 4
		jnz	loc_8EC400
		mov	[ebp+ms_exc.disabled], 1
		test	bl, bl
		jz	short loc_7B53F2
		mov	eax, [ebp+var_74]
		test	al, 3
		jnz	loc_7B54B2
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_8EC3E0

loc_7B53EF:				; CODE XREF: PfSnSetPrefetcherInformation+137124j
		nop
		mov	al, [eax]

loc_7B53F2:				; CODE XREF: PfSnSetPrefetcherInformation+116j
		mov	eax, [ebp+var_74]
		mov	edi, [eax]
		mov	[ebp+var_B0], edi
		mov	[ebp+ms_exc.disabled], edx
		cmp	edi, 2
		jnz	loc_7B54A5

loc_7B5409:				; CODE XREF: PfSnSetPrefetcherInformation+1E9j
		mov	ecx, edi
		call	PfSnBeginBootPhase
		mov	esi, eax
		cmp	edi, 2
		jnz	short loc_7B5451
		xor	eax, eax
		mov	[ebp+var_A0], eax
		mov	[ebp+var_9C], eax
		mov	[ebp+var_98], eax
		push	4
		pop	eax
		mov	[ebp+var_AC], eax
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A4], 1
		mov	dl, bl
		lea	ecx, [ebp+var_AC]
		call	PfpProcessScenarioPhase

loc_7B5451:				; CODE XREF: PfSnSetPrefetcherInformation+157j
					; PfSnSetPrefetcherInformation+1E5j
		test	esi, esi
		jns	loc_7B53A6
		jmp	loc_7B53A8
; 

loc_7B545E:				; CODE XREF: PfSnSetPrefetcherInformation+8Cj
		cmp	[ebp+var_70], 0Ch
		jnz	loc_8EC400
		mov	[ebp+ms_exc.disabled], 2
		test	bl, bl
		jz	short loc_7B5487
		mov	eax, [ebp+var_74]
		test	al, 3
		jnz	short loc_7B54B2
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	short loc_7B54B7

loc_7B5484:				; CODE XREF: PfSnSetPrefetcherInformation+1FBj
		nop
		mov	al, [eax]

loc_7B5487:				; CODE XREF: PfSnSetPrefetcherInformation+1B3j
		mov	esi, [ebp+var_74]
		lea	edi, [ebp+var_C8]
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], edx
		lea	ecx, [ebp+var_C8]
		call	PfSnOperationProcess

loc_7B54A1:				; CODE XREF: PfSnSetPrefetcherInformation+1370BEj
		mov	esi, eax
		jmp	short loc_7B5451
; 

loc_7B54A5:				; CODE XREF: PfSnSetPrefetcherInformation+145j
		test	bl, bl
		jz	loc_7B5409
		jmp	loc_8EC31B
; 

loc_7B54B2:				; CODE XREF: PfSnSetPrefetcherInformation+B1j
					; PfSnSetPrefetcherInformation+11Dj ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7B54B7:				; CODE XREF: PfSnSetPrefetcherInformation+1C4j
		mov	eax, ecx
		jmp	short loc_7B5484
PfSnSetPrefetcherInformation endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnPrefetchCacheEntryUpdate(x)
_PfSnPrefetchCacheEntryUpdate@4	proc near ; CODE XREF: PfSnSetPrefetcherInformation+E3p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	esi, 4CB2Fh
		push	8
		pop	edi
		lea	edx, [ebx+4]

loc_7B54D2:				; CODE XREF: PfSnPrefetchCacheEntryUpdate(x)+69j
		movzx	eax, byte ptr [edx+1]
		imul	ecx, eax, 25h
		movzx	eax, byte ptr [edx+2]
		add	ecx, eax
		movzx	eax, byte ptr [edx+3]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+4]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+5]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+6]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx]
		imul	ecx, 25h
		lea	edx, [edx+8]
		imul	eax, 1A617D0Dh
		add	ecx, eax
		imul	eax, esi, 2FE8ED1Fh
		movzx	esi, byte ptr [edx-1]
		sub	ecx, eax
		add	esi, ecx
		sub	edi, 1
		jnz	short loc_7B54D2
		mov	eax, large fs:124h
		mov	[ebp+var_4], esi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset unk_6D49AC
		call	ExAcquireResourceExclusiveLite
		mov	esi, dword_6D49A4
		lea	edi, [ebx+4]
		add	esi, 0FFFFFFF8h
		push	40h		; size_t
		push	edi		; void *
		lea	eax, [esi+10h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7B557A
		push	0
		push	[ebp+var_4]
		mov	edx, edi
		mov	ecx, offset unk_6D4994
		call	_PfSnPrefetchCacheEntryGet@16 ;	PfSnPrefetchCacheEntryGet(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7B5580

loc_7B557A:				; CODE XREF: PfSnPrefetchCacheEntryUpdate(x)+A5j
		mov	edx, [ebx+44h]
		mov	[esi+60h], edx

loc_7B5580:				; CODE XREF: PfSnPrefetchCacheEntryUpdate(x)+BCj
		mov	ecx, offset unk_6D49AC
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PfSnPrefetchCacheEntryUpdate@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpRpControlRequest proc near		; CODE XREF: PfSetSuperfetchInformation+113p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EC430 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+38h+var_24]
		and	[esp+38h+var_28], eax
		mov	esi, ecx
		test	byte ptr dword_6D4920, 1
		mov	ebx, edx
		push	8
		pop	ecx
		rep stosd
		jz	loc_8EC430
		mov	edx, [esi+10h]
		cmp	edx, 14h
		jb	short loc_7B563D
		mov	ecx, [esi+0Ch]
		lea	eax, [esp+38h+var_24]
		push	ebx
		push	eax
		lea	eax, [esp+40h+var_28]
		push	eax
		call	PfpRpControlRequestCopy
		mov	edi, [esp+38h+var_28]
		mov	esi, eax
		test	esi, esi
		js	short loc_7B5613
		mov	ecx, edi
		call	_PfpRpControlRequestVerify@4 ; PfpRpControlRequestVerify(x)
		test	eax, eax
		jnz	short loc_7B5644
		mov	edx, edi
		mov	ecx, offset unk_6D48C0
		call	_PfpRpControlRequestPerform@8 ;	PfpRpControlRequestPerform(x,x)
		mov	esi, eax

loc_7B5613:				; CODE XREF: PfpRpControlRequest+5Cj
					; PfpRpControlRequest+ADj
		test	edi, edi
		jz	short loc_7B561F
		lea	eax, [esp+38h+var_24]
		cmp	edi, eax
		jnz	short loc_7B5633

loc_7B561F:				; CODE XREF: PfpRpControlRequest+79j
					; PfpRpControlRequest+9Fj ...
		mov	ecx, [esp+38h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7B5633:				; CODE XREF: PfpRpControlRequest+81j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7B561F
; 

loc_7B563D:				; CODE XREF: PfpRpControlRequest+3Fj
		mov	esi, 0C0000206h
		jmp	short loc_7B561F
; 

loc_7B5644:				; CODE XREF: PfpRpControlRequest+67j
		mov	esi, 0C000007Bh
		jmp	short loc_7B5613
PfpRpControlRequest endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PfpRpControlRequestPerform(x, x)
_PfpRpControlRequestPerform@8 proc near	; CODE XREF: PfpRpControlRequest+70p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		lea	ebx, [esi+50h]
		mov	ecx, ebx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_7B5692
		movzx	eax, word ptr [edi+2]
		sub	eax, 0
		jnz	short loc_7B5684
		mov	edx, edi
		mov	ecx, esi
		call	_PfpRpControlRequestUpdate@8 ; PfpRpControlRequestUpdate(x,x)

loc_7B5675:				; CODE XREF: PfpRpControlRequestPerform(x,x)+44j
		mov	esi, eax

loc_7B5677:				; CODE XREF: PfpRpControlRequestPerform(x,x)+52j
		mov	ecx, ebx
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7B567E:				; CODE XREF: PfpRpControlRequestPerform(x,x)+4Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_7B5684:				; CODE XREF: PfpRpControlRequestPerform(x,x)+1Ej
		sub	eax, 1
		jnz	short loc_7B5699
		mov	ecx, esi
		call	_PfpRpControlRequestReset@8 ; PfpRpControlRequestReset(x,x)
		jmp	short loc_7B5675
; 

loc_7B5692:				; CODE XREF: PfpRpControlRequestPerform(x,x)+15j
		mov	esi, 0C0000080h
		jmp	short loc_7B567E
; 

loc_7B5699:				; CODE XREF: PfpRpControlRequestPerform(x,x)+3Bj
		mov	esi, 0C000000Dh
		jmp	short loc_7B5677
_PfpRpControlRequestPerform@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpRpControlRequestCopy	proc near	; CODE XREF: PfpRpControlRequest+4Fp

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008EC43A SIZE 00000012 BYTES
; FUNCTION CHUNK AT 008EC45F SIZE 0000000A BYTES
; FUNCTION CHUNK AT 008EC48F SIZE 00000015 BYTES

		push	54h
		push	offset dword_6A2F30
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	[ebp+var_54], esi
		mov	edx, ecx
		mov	[ebp+var_58], edx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		mov	[ebp+var_4C], eax
		and	[ebp+var_2C], 0
		and	[ebp+var_28], 0
		and	[ebp+var_24], 0
		and	[ebp+var_50], 0
		xor	ebx, ebx
		mov	[ebp+var_48], ebx
		and	[ebp+ms_exc.disabled], ebx
		cmp	[ebp+arg_8], bl
		jz	short loc_7B5708
		test	esi, esi
		jz	short loc_7B5708
		test	dl, 3
		jnz	loc_7B5836
		lea	ecx, [edx+esi]
		mov	esi, ds:_MmUserProbeAddress
		cmp	ecx, esi
		ja	loc_8EC43A
		cmp	ecx, edx
		jb	loc_8EC43A

loc_7B5708:				; CODE XREF: PfpRpControlRequestCopy+40j
					; PfpRpControlRequestCopy+44j ...
		mov	[ebp+var_50], 14h
		push	5
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp+var_40]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	3
		pop	ecx
		cmp	word ptr [ebp+var_40], cx
		jnz	loc_7B582F
		cmp	word ptr [ebp+var_40+2], 4
		jnb	loc_7B582F
		xor	ecx, ecx
		inc	ecx
		cmp	word ptr [ebp+var_40+2], cx
		jz	loc_7B5813

loc_7B5745:				; CODE XREF: PfpRpControlRequestCopy+189j
		mov	eax, [ebp+var_38]
		push	8
		pop	ecx
		mul	ecx
		mov	edi, eax
		mov	esi, edx
		mov	eax, [ebp+var_3C]
		mul	ecx
		add	edi, eax
		adc	esi, edx
		add	edi, 14h
		adc	esi, 0
		mov	ecx, [ebp+var_30]
		xor	edx, edx
		add	ecx, [ebp+var_34]
		adc	edx, edx
		lea	eax, [edi-1]
		and	eax, 3
		shld	edx, ecx, 2
		shl	ecx, 2
		sub	ecx, eax
		sbb	edx, 0
		add	ecx, 3
		adc	edx, 0
		add	edi, ecx
		adc	esi, edx
		jnz	loc_8EC45F
		cmp	edi, 0FFFFFFFFh
		ja	loc_8EC45F
		cmp	edi, [ebp+var_54]
		jnz	loc_8EC442
		cmp	edi, 20h
		ja	short loc_7B57F6
		mov	ebx, [ebp+var_44]
		mov	[ebp+var_48], ebx

loc_7B57A9:				; CODE XREF: PfpRpControlRequestCopy+16Aj
		mov	[ebp+ms_exc.disabled], 1
		push	edi		; size_t
		push	[ebp+var_58]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	5
		pop	ecx
		lea	esi, [ebp+var_40]
		mov	edi, ebx
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_5C]
		mov	[eax], ebx
		xor	ebx, ebx
		xor	esi, esi

loc_7B57D7:				; CODE XREF: PfpRpControlRequestCopy+171j
					; PfpRpControlRequestCopy+136DA7j ...
		mov	eax, [ebp+var_44]

loc_7B57DA:				; CODE XREF: PfpRpControlRequestCopy+194j
					; sub_8EC477+13j
		test	ebx, ebx
		jnz	loc_8EC48F

loc_7B57E2:				; CODE XREF: PfpRpControlRequestCopy+136DF1j
					; PfpRpControlRequestCopy+136DFFj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7B57F6:				; CODE XREF: PfpRpControlRequestCopy+101j
		push	43526650h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_48], ebx
		test	ebx, ebx
		jnz	short loc_7B57A9
		mov	esi, 0C000009Ah
		jmp	short loc_7B57D7
; 

loc_7B5813:				; CODE XREF: PfpRpControlRequestCopy+9Fj
		cmp	[ebp+var_3C], 0
		jnz	short loc_7B582F
		cmp	[ebp+var_38], 0
		jnz	short loc_7B582F
		cmp	[ebp+var_34], 0
		jnz	short loc_7B582F
		cmp	[ebp+var_30], 0
		jz	loc_7B5745

loc_7B582F:				; CODE XREF: PfpRpControlRequestCopy+87j
					; PfpRpControlRequestCopy+92j ...
		mov	esi, 0C000000Dh
		jmp	short loc_7B57DA
; 

loc_7B5836:				; CODE XREF: PfpRpControlRequestCopy+49j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger

; __stdcall PfpRpControlRequestUpdate(x, x)
_PfpRpControlRequestUpdate@8:		; CODE XREF: PfpRpControlRequestPerform(x,x)+24p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+ms_exc.msEH_ptr], 0
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+ms_exc.old_esp], edi
		mov	edx, [esi+8]
		lea	eax, [esi+17h]
		mov	ecx, [esi+4]
		lea	ebx, [esi+14h]
		add	edx, ecx
		mov	[ebp+ms_exc.exc_ptr], edx
		lea	eax, [eax+edx*8]
		and	eax, 0FFFFFFFCh
		mov	[ebp+ms_exc.handler], eax
		mov	eax, ebx
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], eax
		test	edx, edx
		jnz	short loc_7B58C6

loc_7B5877:				; CODE XREF: PfpRpControlRequestCopy+25Cj
		push	ecx
		lea	ecx, [esi+14h]
		push	ecx
		lea	eax, [edi+48h]
		mov	ecx, edi
		push	eax
		lea	edx, [edi+38h]
		call	PfpRpCHashAddEntries
		test	eax, eax
		js	short loc_7B58C1
		mov	ecx, [esi+8]
		test	ecx, ecx
		jnz	loc_7B5938

loc_7B5899:				; CODE XREF: PfpRpControlRequestCopy+29Cj
					; PfpRpControlRequestCopy+2BDj
		mov	eax, [esi+0Ch]
		lea	ecx, [edi+34h]
		mov	edx, [ebp+ms_exc.handler]
		push	dword ptr [esi+10h]
		lea	eax, [edx+eax*4]
		push	eax
		push	ecx
		lea	edx, [edi+20h]
		mov	ecx, edi
		call	PfpRpCHashAddEntries
		mov	eax, [esi+0Ch]
		test	eax, eax
		jnz	loc_7B5968

loc_7B58BF:				; CODE XREF: PfpRpControlRequestCopy+2CCj
					; PfpRpControlRequestCopy+2F0j
		xor	eax, eax

loc_7B58C1:				; CODE XREF: PfpRpControlRequestCopy+1ECj
					; PfpRpControlRequestCopy+2C3j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7B58C6:				; CODE XREF: PfpRpControlRequestCopy+1D5j
		mov	edi, eax

loc_7B58C8:				; CODE XREF: PfpRpControlRequestCopy+254j
		mov	edx, [eax+4]
		mov	ecx, [eax]
		mov	[edi], ecx
		lea	edi, [edi+4]
		mov	[ebp+ms_exc.prev_er], ecx
		test	edx, edx
		jz	short loc_7B58EA
		lea	eax, [ebp+ms_exc.msEH_ptr]
		push	eax
		push	edx
		call	PsLookupProcessByProcessId
		test	eax, eax
		jns	short loc_7B5901

loc_7B58E7:				; CODE XREF: PfpRpControlRequestCopy+28Cj
		mov	eax, [ebp+ms_exc.disabled]

loc_7B58EA:				; CODE XREF: PfpRpControlRequestCopy+237j
		inc	ebx
		add	eax, 8
		mov	[ebp+ms_exc.disabled], eax
		cmp	ebx, [ebp+ms_exc.exc_ptr]
		jb	short loc_7B58C8
		mov	ecx, [esi+4]
		mov	edi, [ebp+ms_exc.old_esp]
		jmp	loc_7B5877
; 

loc_7B5901:				; CODE XREF: PfpRpControlRequestCopy+245j
		mov	ecx, [ebp+ms_exc.msEH_ptr]
		mov	eax, [ebp+ms_exc.prev_er]
		cmp	[ecx+1DCh], eax
		jnz	short loc_7B5922
		lea	eax, [ecx+0FCh]
		cmp	ebx, [esi+4]
		jb	short loc_7B592E
		mov	edx, 0FFFFBFFFh
		lock and [eax],	edx

loc_7B5922:				; CODE XREF: PfpRpControlRequestCopy+26Dj
					; PfpRpControlRequestCopy+296j
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		jmp	short loc_7B58E7
; 

loc_7B592E:				; CODE XREF: PfpRpControlRequestCopy+278j
		mov	edx, 4000h
		lock or	[eax], edx
		jmp	short loc_7B5922
; 

loc_7B5938:				; CODE XREF: PfpRpControlRequestCopy+1F3j
		cmp	dword ptr [edi+44h], 0
		jz	loc_7B5899
		mov	eax, [esi+4]
		lea	edx, [edi+38h]
		add	eax, 5
		lea	eax, [esi+eax*4]
		push	eax
		push	ecx
		lea	eax, [edi+48h]
		mov	ecx, edi
		push	eax
		call	PfpRpCHashDeleteEntries
		test	eax, eax
		jns	loc_7B5899
		jmp	loc_7B58C1
; 

loc_7B5968:				; CODE XREF: PfpRpControlRequestCopy+219j
		cmp	dword ptr [edi+2Ch], 0
		jz	loc_7B58BF
		push	[ebp+ms_exc.handler]
		lea	edx, [edi+20h]
		mov	ecx, edi
		push	eax
		lea	eax, [edi+34h]
		push	eax
		call	PfpRpCHashDeleteEntries
		test	eax, eax
		js	loc_7B58C1
		and	dword ptr [edi+30h], 0
		jmp	loc_7B58BF
PfpRpControlRequestCopy	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpRpCHashAddEntries proc near		; CODE XREF: PfpRpControlRequestCopy+1E5p
					; PfpRpControlRequestCopy+20Fp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EC4A4 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_18], ecx
		mov	ebx, edx
		inc	eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_28], ebx
		push	edi
		mov	ecx, [ebx+4]
		mov	edi, [ebp+arg_0]
		shl	eax, cl
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_8]
		shl	eax, cl
		add	eax, [ebp+arg_4]
		mov	[ebp+var_4], esi
		mov	[ebp+var_14], eax
		cmp	[ebp+arg_8], esi
		jnz	loc_7B5AF7

loc_7B59D0:				; CODE XREF: PfpRpCHashAddEntries+17Bj
		mov	ecx, [ebp+var_14]
		or	eax, 0FFFFFFFFh
		cmp	[ebp+arg_4], ecx
		jb	short loc_7B59FA

loc_7B59DB:				; CODE XREF: PfpRpCHashAddEntries+12Cj
		cmp	[ebp+arg_8], 0
		jnz	loc_7B5ADC

loc_7B59E5:				; CODE XREF: PfpRpCHashAddEntries+15Cj
		xor	edi, edi

loc_7B59E7:				; CODE XREF: PfpRpCHashAddEntries+1BFj
					; PfpRpCHashAddEntries+136B1Bj
		mov	eax, esi
		test	eax, eax
		jnz	loc_7B5B4B
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7B59FA:				; CODE XREF: PfpRpCHashAddEntries+43j
		mov	esi, [ebp+arg_4]

loc_7B59FD:				; CODE XREF: PfpRpCHashAddEntries+123j
		mov	ecx, [ebx+0Ch]
		add	ecx, ecx
		cmp	ecx, [ebx+8]
		jnb	loc_7B5B16

loc_7B5A0B:				; CODE XREF: PfpRpCHashAddEntries+1AAj
		mov	eax, [ebx+8]
		mov	edx, [esi]
		mov	[ebp+var_1C], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_8EC4A4
		movzx	eax, dl
		imul	ecx, eax, 25h
		movzx	eax, dh
		xor	edx, edx
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_8+3]
		imul	ecx, 25h
		add	eax, 164B2F3Fh
		add	eax, ecx
		mov	ecx, [ebp+var_C]
		dec	ecx
		mov	[ebp+var_24], ecx
		and	ecx, eax
		mov	eax, [ebx+4]
		mov	[ebp+var_8], eax
		mov	eax, [ebx]
		mov	[ebp+var_C], eax
		mov	eax, ecx
		mov	[ebp+var_20], ecx
		mov	ecx, [ebp+var_8]
		shl	eax, cl
		add	eax, [ebp+var_C]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_7B5ACA
		mov	edi, [ebp+var_1C]
		mov	ebx, ecx
		mov	esi, [ebp+var_20]

loc_7B5A74:				; CODE XREF: PfpRpCHashAddEntries+108j
		mov	ecx, ebx
		cmp	ebx, edi
		jz	short loc_7B5AA0
		test	edx, edx
		jnz	short loc_7B5A89
		imul	edx, edi, 9E3779B1h
		test	dl, 1
		jz	short loc_7B5AC7

loc_7B5A89:				; CODE XREF: PfpRpCHashAddEntries+E6j
					; PfpRpCHashAddEntries+132j
		mov	ecx, [ebp+var_8]
		add	esi, edx
		and	esi, [ebp+var_24]
		mov	eax, esi
		shl	eax, cl
		add	eax, [ebp+var_C]
		mov	ecx, [eax]
		mov	ebx, ecx
		test	ecx, ecx
		jnz	short loc_7B5A74

loc_7B5AA0:				; CODE XREF: PfpRpCHashAddEntries+E2j
		mov	edi, [ebp+arg_0]
		mov	ebx, [ebp+var_28]
		mov	esi, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_7B5ACA

loc_7B5AAD:				; CODE XREF: PfpRpCHashAddEntries+144j
		add	esi, [ebp+var_10]
		or	eax, 0FFFFFFFFh
		mov	[ebp+arg_4], esi
		cmp	esi, [ebp+var_14]
		jb	loc_7B59FD
		mov	esi, [ebp+var_4]
		jmp	loc_7B59DB
; 

loc_7B5AC7:				; CODE XREF: PfpRpCHashAddEntries+F1j
		inc	edx
		jmp	short loc_7B5A89
; 

loc_7B5ACA:				; CODE XREF: PfpRpCHashAddEntries+D4j
					; PfpRpCHashAddEntries+115j ...
		push	[ebp+var_10]	; size_t
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		inc	dword ptr [ebx+0Ch]
		jmp	short loc_7B5AAD
; 

loc_7B5ADC:				; CODE XREF: PfpRpCHashAddEntries+49j
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7B5B63

loc_7B5AE6:				; CODE XREF: PfpRpCHashAddEntries+1D4j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_7B59E5
; 

loc_7B5AF7:				; CODE XREF: PfpRpCHashAddEntries+34j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebp+var_4]
		jmp	loc_7B59D0
; 

loc_7B5B16:				; CODE XREF: PfpRpCHashAddEntries+6Fj
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7B5B5A

loc_7B5B20:				; CODE XREF: PfpRpCHashAddEntries+1CBj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_18]
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		mov	edx, ebx
		call	PfpRpCHashGrow
		mov	[ebp+var_24], eax
		test	eax, eax
		jns	loc_7B5A0B
		jmp	loc_8EC4AB
; 

loc_7B5B4B:				; CODE XREF: PfpRpCHashAddEntries+55j
		mov	esi, [esi]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7B59E7
; 

loc_7B5B5A:				; CODE XREF: PfpRpCHashAddEntries+188j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7B5B20
; 

loc_7B5B63:				; CODE XREF: PfpRpCHashAddEntries+14Ej
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7B5AE6
PfpRpCHashAddEntries endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpPrefetchRequest proc	near		; CODE XREF: PfSetSuperfetchInformation+15Bp

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008EC4B6 SIZE 00000030 BYTES

		push	38h
		push	offset dword_6A2F58
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		mov	esi, ecx
		xor	ebx, ebx
		and	[ebp+var_30], ebx
		cmp	dword ptr [esi+8], 5
		jnz	loc_8EC4B6
		mov	eax, [esi+10h]
		cmp	eax, 68h
		jb	loc_8EC4C0
		push	51526650h
		push	eax
		xor	edi, edi
		inc	edi
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_2C], ebx
		test	ebx, ebx
		jz	loc_8EC4CA
		and	[ebp+ms_exc.disabled], 0
		cmp	byte ptr [ebp+var_1C], 0
		jz	short loc_7B5BED
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	short loc_7B5BED
		mov	eax, [esi+0Ch]
		test	al, 3
		jnz	loc_7B5CF5
		lea	edx, [eax+ecx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	loc_8EC4D4
		cmp	edx, eax
		jb	loc_8EC4D4

loc_7B5BED:				; CODE XREF: PfpPrefetchRequest+50j
					; PfpPrefetchRequest+57j ...
		push	dword ptr [esi+10h] ; size_t
		push	dword ptr [esi+0Ch] ; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [esi+10h]
		mov	ecx, ebx
		call	PfPrefetchRequestVerify
		test	eax, eax
		jnz	loc_8EC4DC
		mov	ecx, [ebx+34h]
		test	ecx, ecx
		jz	short loc_7B5C49
		mov	eax, ds:_ExEventObjectType
		and	[ebp+var_24], 0
		push	0
		lea	edx, [ebp+var_24]
		push	edx
		push	[ebp+var_1C]
		push	eax
		push	edi
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edx, eax
		mov	eax, [ebp+var_24]
		mov	[ebx+34h], eax
		test	edx, edx
		js	loc_7B5CFA
		mov	[ebp+var_30], edi

loc_7B5C49:				; CODE XREF: PfpPrefetchRequest+AAj
		mov	ecx, ebx
		call	PfpPrefetchRequestPerform
		mov	[ebp+var_20], eax
		mov	ecx, [ebx+24h]
		lea	edx, [ecx+ebx]
		mov	[ebp+var_24], edx
		mov	eax, [ebx+0Ch]
		shl	eax, 5
		add	eax, edx
		mov	[ebp+var_28], eax
		mov	edi, [esi+0Ch]
		mov	[ebp+var_34], edi
		add	edi, ecx
		mov	ecx, [ebp+var_34]
		lea	edx, [ecx+3Ch]
		mov	[ebp+var_34], edx
		mov	[ebp+ms_exc.disabled], 1
		mov	edx, [ebp+var_24]
		cmp	byte ptr [ebp+var_1C], 0
		jz	short loc_7B5C99
		push	4
		push	dword ptr [esi+10h]
		push	ecx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	edx, [ebp+var_24]

loc_7B5C96:				; CODE XREF: PfpPrefetchRequest+142j
		mov	eax, [ebp+var_28]

loc_7B5C99:				; CODE XREF: PfpPrefetchRequest+116j
		cmp	edx, eax
		jnb	short loc_7B5CB4
		mov	eax, [edx]
		xor	eax, [edi]
		and	eax, 8
		xor	[edi], eax
		add	edx, 20h
		mov	[ebp+var_40], edx
		add	edi, 20h
		mov	[ebp+var_44], edi
		jmp	short loc_7B5C96
; 

loc_7B5CB4:				; CODE XREF: PfpPrefetchRequest+12Bj
		lea	esi, [ebx+3Ch]
		push	0Bh
		pop	ecx
		mov	edi, [ebp+var_34]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_20]

loc_7B5CC9:				; CODE XREF: PfpPrefetchRequest+18Cj
					; PfpPrefetchRequest+13694Bj ...
		cmp	[ebp+var_30], 0
		jz	short loc_7B5CD7
		mov	ecx, [ebx+34h]
		call	ObfDereferenceObject

loc_7B5CD7:				; CODE XREF: PfpPrefetchRequest+15Dj
		test	ebx, ebx
		jz	short loc_7B5CE3
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7B5CE3:				; CODE XREF: PfpPrefetchRequest+169j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7B5CF5:				; CODE XREF: PfpPrefetchRequest+5Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7B5CFA:				; CODE XREF: PfpPrefetchRequest+D0j
		mov	esi, edx
		jmp	short loc_7B5CC9
PfpPrefetchRequest endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpPrefetchRequestPerform proc near	; CODE XREF: PfpPrefetchRequest+DBp

var_96		= byte ptr -96h
var_95		= byte ptr -95h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EC51C SIZE 00000184 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+9Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+0A8h+var_88]
		stosd
		mov	ebx, ecx
		push	6Ch		; size_t
		push	0		; int
		stosd
		stosd
		stosd
		lea	eax, [esp+0B0h+var_74]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+0A8h+var_78], ebx
		lea	eax, [esp+0A8h+var_88]
		push	0
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, large fs:124h
		push	43536650h
		push	5Ch
		push	200h
		mov	al, [eax+15Ah]
		mov	[esp+0B4h+var_95], al
		mov	eax, large fs:124h
		mov	byte ptr [eax+15Ah], 0
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0A8h+var_64], eax
		test	eax, eax
		jz	loc_8EC51C
		mov	ecx, eax	; void *
		call	_PfpPrefetchSharedInitialize@4 ; PfpPrefetchSharedInitialize(x)
		mov	eax, [esp+0A8h+var_64]
		lea	ecx, [esp+0A8h+var_78]
		mov	[eax+0Ch], ecx
		mov	eax, [esp+0A8h+var_78]
		test	byte ptr [eax+38h], 4
		mov	eax, [esp+0A8h+var_64]
		jz	loc_8EC526
		mov	dword ptr [eax+20h], 0EA60h
		mov	eax, [esp+0A8h+var_64]
		mov	dword ptr [eax+1Ch], 96h

loc_7B5DBC:				; CODE XREF: PfpPrefetchRequestPerform+13683Aj
		mov	ecx, [esp+0A8h+var_64]
		call	_PfpPrefetchSharedStart@4 ; PfpPrefetchSharedStart(x)
		mov	esi, eax
		test	esi, esi
		js	loc_7B5F77
		mov	eax, [esp+0A8h+var_78]
		movzx	ecx, byte ptr [eax+39h]
		mov	[esp+0A8h+var_8C], ecx
		test	ecx, ecx
		jnz	loc_8EC53D

loc_7B5DE3:				; CODE XREF: PfpPrefetchRequestPerform+136878j
					; PfpPrefetchRequestPerform+136885j
		imul	esi, [ebx+8], 28h
		test	esi, esi
		jz	short loc_7B5E4A
		push	48566650h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0A8h+var_70], eax
		test	eax, eax
		jz	loc_8EC588
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	esi, esi
		add	esp, 0Ch
		cmp	[ebx+8], esi
		jbe	short loc_7B5E4A
		xor	edx, edx

loc_7B5E19:				; CODE XREF: PfpPrefetchRequestPerform+14Aj
		mov	ecx, [esp+0A8h+var_70]
		xor	eax, eax
		add	ecx, edx
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		or	dword ptr [ecx+10h], 2
		mov	ecx, [esp+0A8h+var_70]
		lea	edi, [ecx+14h]
		add	edi, edx
		stosd
		stosd
		stosd
		stosd
		stosd
		or	dword ptr [ecx+edx+24h], 2
		inc	esi
		add	edx, 28h
		cmp	esi, [ebx+8]
		jb	short loc_7B5E19

loc_7B5E4A:				; CODE XREF: PfpPrefetchRequestPerform+EBj
					; PfpPrefetchRequestPerform+117j
		mov	eax, [esp+0A8h+var_78]
		push	504D6650h
		mov	ecx, [eax+38h]
		and	ecx, 4
		mov	eax, ecx
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFD10h
		add	eax, 300h
		neg	ecx
		mov	[esp+0ACh+var_68], eax
		sbb	ecx, ecx
		and	ecx, 0FFFFE880h
		add	ecx, 1810h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0A8h+var_6C], eax
		test	eax, eax
		jz	loc_8EC588
		mov	eax, [esp+0A8h+var_78]
		test	byte ptr [eax+38h], 4
		jz	loc_8EC592

loc_7B5E9F:				; CODE XREF: PfpPrefetchRequestPerform+136899j
					; PfpPrefetchRequestPerform+1368C0j ...
		mov	ecx, ebx
		call	_PfpPrefetchRequestPatchOffsets@4 ; PfpPrefetchRequestPatchOffsets(x)
		xor	edx, edx
		cmp	[ebx+1Eh], dx
		jnz	short loc_7B5EC0
		movzx	eax, word ptr [ebx+1Ch]
		test	eax, eax
		jz	short loc_7B5EC0
		mov	ax, [ebx+1Ch]
		dec	ax
		mov	[ebx+1Eh], ax

loc_7B5EC0:				; CODE XREF: PfpPrefetchRequestPerform+1AEj
					; PfpPrefetchRequestPerform+1B6j
		cmp	[ebx+14h], edx
		jnz	loc_7B5FEB

loc_7B5EC9:				; CODE XREF: PfpPrefetchRequestPerform+312j
		mov	edi, edx
		cmp	[ebx+8], edx
		jbe	short loc_7B5F29
		mov	ecx, edx
		mov	[esp+0A8h+var_94], edx
		mov	[esp+0A8h+var_90], ecx

loc_7B5EDA:				; CODE XREF: PfpPrefetchRequestPerform+229j
		mov	eax, [ebx+20h]
		add	eax, edx
		mov	edx, [esp+0A8h+var_70]
		push	eax
		lea	edx, [ecx+edx]
		mov	ecx, [esp+0ACh+var_64]
		call	PfpVolumeOpenAndVerify
		test	eax, eax
		js	short loc_7B5F0D
		mov	edx, edi
		lea	ecx, [esp+0A8h+var_78]
		call	PfpVolumePrefetchMetadata
		mov	esi, eax
		cmp	esi, 0C0000240h
		jz	loc_7B6015

loc_7B5F0D:				; CODE XREF: PfpPrefetchRequestPerform+1F4j
		mov	edx, [esp+0A8h+var_94]
		inc	edi
		mov	ecx, [esp+0A8h+var_90]
		add	edx, 20h
		add	ecx, 28h
		mov	[esp+0A8h+var_94], edx
		mov	[esp+0A8h+var_90], ecx
		cmp	edi, [ebx+8]
		jb	short loc_7B5EDA

loc_7B5F29:				; CODE XREF: PfpPrefetchRequestPerform+1D0j
		mov	eax, [esp+0A8h+var_78]
		lea	ecx, [esp+0A8h+var_78]
		test	byte ptr [eax+38h], 4
		jz	loc_8EC5EB
		call	PfpPrefetchFilesTrickle
		mov	esi, eax
		cmp	esi, 0C0000240h
		jz	loc_7B6015
		mov	edi, 0C000009Ah

loc_7B5F53:				; CODE XREF: PfpPrefetchRequestPerform+136945j
		cmp	esi, edi
		jz	loc_7B6015
		cmp	esi, 0C0000017h
		jz	loc_7B6015
		xor	eax, eax
		mov	esi, eax

loc_7B5F6B:				; CODE XREF: PfpPrefetchRequestPerform+319j
		mov	edx, [esp+0A8h+var_8C]
		test	edx, edx
		jnz	loc_8EC648

loc_7B5F77:				; CODE XREF: PfpPrefetchRequestPerform+CBj
					; PfpPrefetchRequestPerform+136823j ...
		xor	ebx, ebx
		cmp	[esp+0A8h+var_74], ebx
		jnz	loc_8EC662

loc_7B5F83:				; CODE XREF: PfpPrefetchRequestPerform+13699Dj
		lea	ecx, [esp+0A8h+var_78]
		call	_PfpPrefetchVolumesCleanup@4 ; PfpPrefetchVolumesCleanup(x)
		cmp	[esp+0A8h+var_6C], 0
		jz	short loc_7B5F9D
		push	ebx
		push	[esp+0ACh+var_6C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7B5F9D:				; CODE XREF: PfpPrefetchRequestPerform+293j
		mov	ecx, [esp+0A8h+var_64]
		test	ecx, ecx
		jz	short loc_7B5FC4
		call	_PfpPrefetchSharedCleanup@4 ; PfpPrefetchSharedCleanup(x)
		mov	ecx, [esp+0A8h+var_64]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+50h], eax
		dec	eax
		test	eax, eax
		jg	short loc_7B5FC4
		jnz	short loc_7B601C
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7B5FC4:				; CODE XREF: PfpPrefetchRequestPerform+2A5j
					; PfpPrefetchRequestPerform+2BBj ...
		mov	eax, large fs:124h
		mov	cl, [esp+0A8h+var_95]
		pop	edi
		mov	[eax+15Ah], cl
		mov	eax, esi
		mov	ecx, [esp+0A4h+var_4]
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7B5FEB:				; CODE XREF: PfpPrefetchRequestPerform+1C5j
		lea	ecx, [esp+0A8h+var_78]
		call	PfpPrefetchPrivatePages
		mov	esi, eax
		cmp	esi, 0C0000240h
		jz	short loc_7B6015
		cmp	esi, 0C000009Ah
		jz	short loc_7B6015
		cmp	esi, 0C0000017h
		jz	short loc_7B6015
		xor	edx, edx
		jmp	loc_7B5EC9
; 

loc_7B6015:				; CODE XREF: PfpPrefetchRequestPerform+209j
					; PfpPrefetchRequestPerform+24Aj ...
		xor	eax, eax
		jmp	loc_7B5F6B
; 

loc_7B601C:				; CODE XREF: PfpPrefetchRequestPerform+2BDj
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_7B5FC4
PfpPrefetchRequestPerform endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpVolumeOpenAndVerify proc near	; CODE XREF: PfpPrefetchRequestPerform+1EDp

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008EC6A0 SIZE 000000AF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, [ebp+arg_0]
		lea	edi, [ebp+var_24]
		push	6
		xor	eax, eax
		mov	[ebp+var_28], ecx
		pop	ecx
		push	2
		rep stosd
		xor	edi, edi
		and	[ebp+var_7C], 0
		pop	eax
		push	edi		; void *
		push	20h		; int
		push	edi		; int
		and	[ebp+var_78], 0
		lea	ecx, [ebp+var_2C]
		push	edi		; int
		push	edi		; int
		mov	[ebp+var_44], eax
		mov	[ebp+var_58], eax
		mov	eax, [ebx+18h]
		push	edi		; int
		mov	[ebp+var_38], eax
		mov	ax, [ebx+14h]
		push	edi		; void *
		add	ax, ax
		mov	[ebp+var_74], edx
		push	20h		; int
		mov	word ptr [ebp+var_3C], ax
		mov	edx, 100080h
		push	1		; int
		add	eax, 2
		mov	[ebp+var_70], edi
		push	7		; int
		mov	word ptr [ebp+var_3C+2], ax
		lea	eax, [ebp+var_3C]
		push	edi		; int
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_70]
		push	edi		; int
		push	eax		; int
		lea	eax, [ebp+var_94]
		mov	[ebp+var_6C], edi
		push	eax		; int
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_68], edi
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_94], 18h
		mov	[ebp+var_90], edi
		mov	[ebp+var_88], 240h
		mov	[ebp+var_84], edi
		mov	[ebp+var_80], edi
		call	_IopCreateFile@64 ; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8EC6CD
		cmp	esi, 103h
		jz	loc_8EC6A0
		push	4
		push	8
		lea	eax, [ebp+var_7C]
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		push	[ebp+var_2C]
		call	_NtQueryVolumeInformationFile@20 ; NtQueryVolumeInformationFile(x,x,x,x,x)
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_8EC6CD
		cmp	esi, 103h
		jz	loc_8EC6BE
		lea	ecx, [ebp+var_7C]
		call	PfVolumeSupportedForPrefetch
		test	eax, eax
		jnz	loc_8EC6C8
		test	byte ptr [ebx+0Ch], 1
		jnz	loc_8EC6D5

loc_7B6159:				; CODE XREF: PfpVolumeOpenAndVerify+1366C6j
					; PfpVolumeOpenAndVerify+1366D0j
		push	[ebp+var_2C]
		call	NtClose
		push	edi
		push	edi
		push	20h
		push	100180h
		push	edi
		mov	[ebp+var_2C], edi
		lea	eax, [ebp+var_3C]
		mov	edi, [ebp+var_28]
		lea	ecx, [ebp+var_54]
		push	eax
		mov	edx, edi
		call	PfpOpenHandleCreate
		mov	esi, eax
		test	esi, esi
		js	loc_7B62EF
		mov	eax, [ebx]
		or	eax, [ebx+4]
		jz	loc_8EC701

loc_7B6194:				; CODE XREF: PfpVolumeOpenAndVerify+1366E7j
		push	1
		push	18h
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		push	[ebp+var_54]
		call	_NtQueryVolumeInformationFile@20 ; NtQueryVolumeInformationFile(x,x,x,x,x)
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_7B62EF
		cmp	esi, 103h
		jz	loc_8EC6AA
		mov	eax, [ebp+var_24]
		cmp	eax, [ebx]
		jnz	loc_8EC71A
		mov	eax, [ebp+var_20]
		cmp	eax, [ebx+4]
		jnz	loc_8EC71A
		mov	eax, [ebp+var_1C]
		cmp	eax, [ebx+8]
		jnz	loc_8EC71A

loc_7B61E8:				; CODE XREF: PfpVolumeOpenAndVerify+1366E1j
		mov	eax, [ebp+var_3C]
		add	eax, 2
		mov	word ptr [ebp+var_34], ax
		add	eax, 2
		mov	word ptr [ebp+var_34+2], ax
		push	44526650h
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	loc_8EC710
		movzx	eax, word ptr [ebp+var_3C]
		push	eax		; size_t
		push	[ebp+var_38]	; void *
		push	[ebp+var_30]	; void *
		call	_memcpy
		movzx	ecx, word ptr [ebp+var_3C]
		add	esp, 0Ch
		mov	eax, [ebp+var_30]
		shr	ecx, 1
		push	5Ch
		pop	edx
		mov	[eax+ecx*2], dx
		xor	edx, edx
		movzx	ecx, word ptr [ebp+var_34]
		mov	eax, [ebp+var_30]
		shr	ecx, 1
		mov	[eax+ecx*2], dx
		lea	eax, [ebp+var_54]
		push	eax
		push	80h
		push	21h
		push	120089h
		push	edx
		lea	eax, [ebp+var_34]
		mov	edx, edi
		push	eax
		lea	ecx, [ebp+var_68]
		call	PfpOpenHandleCreate
		mov	esi, eax
		test	esi, esi
		js	short loc_7B62EA
		mov	eax, [ebp+var_74]
		lea	esi, [ebp+var_54]
		push	5
		pop	ecx
		push	2
		pop	ebx
		xor	edx, edx
		mov	edi, eax
		rep movsd
		push	5
		lea	edi, [eax+14h]
		mov	[ebp+var_54], edx
		pop	ecx
		lea	esi, [ebp+var_68]
		mov	[ebp+var_50], edx
		rep movsd
		mov	edi, [ebp+var_28]
		mov	esi, edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_68], edx
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], ebx

loc_7B62AB:				; CODE XREF: PfpVolumeOpenAndVerify+2C9j
					; PfpVolumeOpenAndVerify+2CEj
		cmp	[ebp+var_2C], 0
		jnz	loc_8EC724

loc_7B62B5:				; CODE XREF: PfpVolumeOpenAndVerify+136708j
		test	bl, 4
		jnz	loc_8EC731

loc_7B62BE:				; CODE XREF: PfpVolumeOpenAndVerify+136717j
		test	byte ptr [ebp+var_44], 4
		jnz	loc_8EC740

loc_7B62C8:				; CODE XREF: PfpVolumeOpenAndVerify+136726j
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_7B62D7
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7B62D7:				; CODE XREF: PfpVolumeOpenAndVerify+2A9j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7B62EA:				; CODE XREF: PfpVolumeOpenAndVerify+245j
		mov	ebx, [ebp+var_58]
		jmp	short loc_7B62AB
; 

loc_7B62EF:				; CODE XREF: PfpVolumeOpenAndVerify+15Fj
					; PfpVolumeOpenAndVerify+18Fj ...
		push	2
		pop	ebx
		jmp	short loc_7B62AB
PfpVolumeOpenAndVerify endp


;  S U B	R O U T	I N E 


; __stdcall PfpPrefetchSharedCleanup(x)
_PfpPrefetchSharedCleanup@4 proc near	; CODE XREF: PfpPrefetchRequestPerform+2A7p
					; PfSnCleanupPrefetchHeader(x)+A7p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		cmp	[esi+54h], edi
		jz	short loc_7B6307
		call	KeAbPostRelease

loc_7B6307:				; CODE XREF: PfpPrefetchSharedCleanup(x)+Cj
		cmp	[esi+58h], edi
		jz	short loc_7B6316
		mov	ecx, offset _PfGlobals
		call	KeAbPostRelease

loc_7B6316:				; CODE XREF: PfpPrefetchSharedCleanup(x)+16j
		cmp	[esi], edi
		jz	short loc_7B6362
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset dword_6D4934
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_7B63AB
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_7B63AB
		mov	[eax], ecx
		mov	[ecx+4], eax
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7B63A2

loc_7B6356:				; CODE XREF: PfpPrefetchSharedCleanup(x)+B5j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_7B6362:				; CODE XREF: PfpPrefetchSharedCleanup(x)+24j
		mov	eax, [esi+28h]
		test	al, 1
		jz	short loc_7B637A
		mov	ecx, offset unk_6D492C
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		and	dword ptr [esi+28h], 0FFFFFFFEh
		mov	eax, [esi+28h]

loc_7B637A:				; CODE XREF: PfpPrefetchSharedCleanup(x)+73j
		cmp	[esi+8], edi
		jz	short loc_7B638F
		shr	eax, 1
		and	al, 1
		movzx	eax, al
		push	eax
		call	_PsSetCurrentThreadPrefetching@4 ; PsSetCurrentThreadPrefetching(x)
		mov	eax, [esi+28h]

loc_7B638F:				; CODE XREF: PfpPrefetchSharedCleanup(x)+89j
		test	al, 8
		jz	short loc_7B63B0
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
; 

loc_7B63A2:				; CODE XREF: PfpPrefetchSharedCleanup(x)+60j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7B6356
; 

loc_7B63AB:				; CODE XREF: PfpPrefetchSharedCleanup(x)+47j
					; PfpPrefetchSharedCleanup(x)+4Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_7B63B0:				; CODE XREF: PfpPrefetchSharedCleanup(x)+9Dj
		pop	edi
		pop	esi
		pop	ebx
		retn
_PfpPrefetchSharedCleanup@4 endp


;  S U B	R O U T	I N E 


; __stdcall PfpPrefetchVolumesCleanup(x)
_PfpPrefetchVolumesCleanup@4 proc near	; CODE XREF: PfpPrefetchRequestPerform+289p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edx, [esi+8]
		test	edx, edx
		jz	short loc_7B6419
		mov	eax, [esi]
		xor	ebx, ebx
		cmp	[eax+8], ebx
		jbe	short loc_7B640D
		xor	edi, edi

loc_7B63CD:				; CODE XREF: PfpPrefetchVolumesCleanup(x)+55j
		test	byte ptr [edi+edx+24h],	4
		mov	ecx, edx
		jz	short loc_7B63E8
		lea	ecx, [edx+14h]
		mov	edx, [esi+14h]
		add	ecx, edi
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)
		mov	edx, [esi+8]
		mov	ecx, edx

loc_7B63E8:				; CODE XREF: PfpPrefetchVolumesCleanup(x)+20j
		lea	eax, [edi+ecx]
		test	byte ptr [eax+10h], 4
		jz	short loc_7B6400
		mov	edx, [esi+14h]
		mov	ecx, eax
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)
		mov	edx, [esi+8]
		mov	ecx, edx

loc_7B6400:				; CODE XREF: PfpPrefetchVolumesCleanup(x)+3Bj
		mov	eax, [esi]
		inc	ebx
		add	edi, 28h
		cmp	ebx, [eax+8]
		jb	short loc_7B63CD
		mov	edx, ecx

loc_7B640D:				; CODE XREF: PfpPrefetchVolumesCleanup(x)+15j
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+8], 0

loc_7B6419:				; CODE XREF: PfpPrefetchVolumesCleanup(x)+Cj
		pop	edi
		pop	esi
		pop	ebx
		retn
_PfpPrefetchVolumesCleanup@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpPrefetchRequestPatchOffsets(x)
_PfpPrefetchRequestPatchOffsets@4 proc near ; CODE XREF: PfpPrefetchRequestPerform+1A3p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		add	[ecx+20h], ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		cmp	[ecx+8], edi
		jbe	short loc_7B6495
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], ebx

loc_7B643B:				; CODE XREF: PfpPrefetchRequestPatchOffsets(x)+74j
		mov	edx, [ecx+20h]
		and	[ebp+var_C], 0
		add	edx, ebx
		add	[edx+18h], ecx
		add	[edx+10h], ecx
		test	dword ptr [edx+0Ch], 0FFFFFFFEh
		jbe	short loc_7B6485
		mov	ebx, [ebp+var_C]
		xor	edi, edi

loc_7B6458:				; CODE XREF: PfpPrefetchRequestPatchOffsets(x)+5Fj
		mov	esi, [edx+10h]
		add	esi, edi
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_7B6469
		add	eax, ecx
		mov	[esi+18h], eax

loc_7B6469:				; CODE XREF: PfpPrefetchRequestPatchOffsets(x)+44j
		cmp	dword ptr [esi+10h], 0
		jz	short loc_7B6472
		add	[esi+14h], ecx

loc_7B6472:				; CODE XREF: PfpPrefetchRequestPatchOffsets(x)+4Fj
		mov	eax, [edx+0Ch]
		inc	ebx
		shr	eax, 1
		add	edi, 20h
		cmp	ebx, eax
		jb	short loc_7B6458
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+var_8]

loc_7B6485:				; CODE XREF: PfpPrefetchRequestPatchOffsets(x)+33j
		inc	edi
		add	ebx, 20h
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], ebx
		cmp	edi, [ecx+8]
		jb	short loc_7B643B
		pop	ebx

loc_7B6495:				; CODE XREF: PfpPrefetchRequestPatchOffsets(x)+15j
		add	[ecx+2Ch], ecx
		xor	edx, edx
		cmp	[ecx+14h], edx
		ja	short loc_7B64A3

loc_7B649F:				; CODE XREF: PfpPrefetchRequestPatchOffsets(x)+9Cj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_7B64A3:				; CODE XREF: PfpPrefetchRequestPatchOffsets(x)+7Fj
		xor	esi, esi

loc_7B64A5:				; CODE XREF: PfpPrefetchRequestPatchOffsets(x)+9Ej
		mov	eax, [ecx+2Ch]
		cmp	dword ptr [eax+esi+10h], 0
		jz	short loc_7B64B3
		add	[eax+esi+14h], ecx

loc_7B64B3:				; CODE XREF: PfpPrefetchRequestPatchOffsets(x)+8Fj
		inc	edx
		add	esi, 18h
		cmp	edx, [ecx+14h]
		jnb	short loc_7B649F
		jmp	short loc_7B64A5
_PfpPrefetchRequestPatchOffsets@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfPrefetchRequestVerifyRanges proc near	; CODE XREF: PfPrefetchRequestVerify+163p
					; PfPrefetchRequestVerify+1D3p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EC74F SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		mov	eax, [edi]
		mov	edx, [edi+4]
		test	eax, eax
		jz	loc_8EC74F
		test	edx, edx
		jz	loc_8EC761
		cmp	eax, [ebx+20h]
		ja	loc_8EC76B
		xor	esi, esi
		shl	eax, 4
		push	esi
		push	8
		push	eax
		lea	ecx, [ebx+18h]
		call	_PfRequestRangeCheck@20	; PfRequestRangeCheck(x,x,x,x,x)
		test	al, al
		jz	loc_8EC775
		mov	edx, [edi+4]
		mov	ecx, esi
		add	edx, [ebp+var_4]
		mov	eax, esi
		mov	ebx, [edi]
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		jz	short loc_7B6579

loc_7B651D:				; CODE XREF: PfPrefetchRequestVerifyRanges+B9j
		mov	ebx, [edx+4]
		mov	edi, [edx]
		cmp	ebx, eax
		ja	short loc_7B652C
		jb	short loc_7B659E
		cmp	edi, ecx
		jb	short loc_7B659E

loc_7B652C:				; CODE XREF: PfPrefetchRequestVerifyRanges+66j
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		dec	ecx
		and	eax, ebx
		and	ecx, edi
		or	ecx, eax
		jnz	short loc_7B6597
		mov	eax, [edx+8]
		mov	ecx, eax
		and	[ebp+arg_0], 0
		add	ecx, edi
		adc	[ebp+arg_0], ebx
		cmp	[ebp+arg_0], ebx
		ja	short loc_7B6553
		jb	short loc_7B6590
		cmp	ecx, edi
		jb	short loc_7B6590

loc_7B6553:				; CODE XREF: PfPrefetchRequestVerifyRanges+8Dj
		test	eax, eax
		jz	short loc_7B6589
		shr	eax, 0Ch
		add	eax, 2
		add	eax, esi
		cmp	eax, esi
		jb	short loc_7B6582
		mov	esi, eax
		add	edx, 10h
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, [ebp+var_8]
		jnb	short loc_7B6579
		mov	eax, [ebp+arg_0]
		jmp	short loc_7B651D
; 

loc_7B6579:				; CODE XREF: PfPrefetchRequestVerifyRanges+5Dj
					; PfPrefetchRequestVerifyRanges+B4j ...
		xor	eax, eax

loc_7B657B:				; CODE XREF: PfPrefetchRequestVerifyRanges+C9j
					; PfPrefetchRequestVerifyRanges+D0j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7B6582:				; CODE XREF: PfPrefetchRequestVerifyRanges+A3j
		mov	eax, 6590h
		jmp	short loc_7B657B
; 

loc_7B6589:				; CODE XREF: PfPrefetchRequestVerifyRanges+97j
		mov	eax, 61A8h
		jmp	short loc_7B657B
; 

loc_7B6590:				; CODE XREF: PfPrefetchRequestVerifyRanges+8Fj
					; PfPrefetchRequestVerifyRanges+93j
		mov	eax, 60AEh
		jmp	short loc_7B657B
; 

loc_7B6597:				; CODE XREF: PfPrefetchRequestVerifyRanges+7Aj
		mov	eax, 5FB4h
		jmp	short loc_7B657B
; 

loc_7B659E:				; CODE XREF: PfPrefetchRequestVerifyRanges+68j
					; PfPrefetchRequestVerifyRanges+6Cj
		mov	eax, 5DC0h
		jmp	short loc_7B657B
PfPrefetchRequestVerifyRanges endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfPrefetchRequestVerify	proc near	; CODE XREF: PfpPrefetchRequest+98p

var_54		= dword	ptr -54h
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_30		= dword	ptr -30h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EC77F SIZE 00000086 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		lea	eax, [ebp+var_54]
		push	ebx
		push	esi
		push	edi
		push	3Ch		; size_t
		xor	edi, edi
		mov	ebx, edx
		push	edi		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		cmp	ebx, 68h
		jb	loc_8EC77F
		cmp	dword ptr [esi], 0Dh
		jnz	loc_8EC789
		mov	eax, [esi+4]
		cmp	ebx, eax
		jnz	loc_8EC793
		add	eax, esi
		cmp	eax, esi
		jb	loc_8EC79D
		movzx	eax, word ptr [esi+1Ch]
		push	8
		pop	ecx
		cmp	eax, ecx
		jnb	loc_8EC7A7
		cmp	[esi+1Eh], cx
		jnb	loc_8EC7B1
		test	byte ptr [esi+38h], 0C0h
		jnz	loc_8EC7BB
		cmp	byte ptr [esi+39h], 6
		jnb	loc_8EC7C5
		lea	eax, [ebp+var_54]
		mov	edx, ebx
		push	eax		; void *
		mov	ecx, esi
		call	PfPrefetchRequestPrepareForVerify
		test	eax, eax
		jnz	loc_7B6764
		mov	eax, [esi+8]
		lea	ecx, [ebp+var_54]
		mov	edx, [esi+20h]
		push	1
		push	8
		shl	eax, 5
		push	eax
		call	_PfRequestRangeCheck@20	; PfRequestRangeCheck(x,x,x,x,x)
		test	al, al
		jz	loc_8EC7CF
		lfence	eax
		mov	ebx, [esi+20h]
		add	ebx, 14h
		mov	[ebp+var_C], edi
		cmp	[esi+8], edi
		jbe	loc_7B673E
		add	ebx, esi

loc_7B6664:				; CODE XREF: PfPrefetchRequestVerify+192j
		mov	eax, [ebx+4]
		lea	edx, [ebp+var_54]
		mov	[ebp+var_18], eax
		mov	ecx, esi
		mov	eax, [ebx]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_PfPrefetchRequestVerifyPath@12	; PfPrefetchRequestVerifyPath(x,x,x)
		test	eax, eax
		jnz	loc_7B6764
		mov	eax, [ebx-8]
		shr	eax, 1
		mov	[ebp+var_4], eax
		jz	loc_8EC7FB
		cmp	eax, [ebp+var_40]
		ja	loc_8EC7F1
		mov	ecx, [ebx-4]
		mov	edx, ecx
		push	1
		push	8
		shl	eax, 5
		mov	[ebp+var_10], ecx
		lea	ecx, [ebp+var_48]
		push	eax
		call	_PfRequestRangeCheck@20	; PfRequestRangeCheck(x,x,x,x,x)
		test	al, al
		jz	loc_8EC7E7
		mov	[ebp+var_8], edi
		cmp	[ebp+var_4], edi
		jbe	short loc_7B672B
		mov	ecx, [ebp+var_10]
		add	ecx, 18h
		add	ecx, esi
		mov	[ebp+var_4], ecx

loc_7B66CF:				; CODE XREF: PfPrefetchRequestVerify+183j
		cmp	[ecx], edi
		jz	loc_8EC7D9

loc_7B66D7:				; CODE XREF: PfPrefetchRequestVerify+13623Cj
		push	ecx
		lea	edx, [ebp+var_54]
		mov	ecx, esi
		call	_PfPrefetchRequestVerifyPath@12	; PfPrefetchRequestVerifyPath(x,x,x)
		test	eax, eax
		jnz	short loc_7B6764
		mov	ecx, [ebp+var_4]

loc_7B66E9:				; CODE XREF: PfPrefetchRequestVerify+136236j
		mov	eax, [ecx-18h]
		lea	edx, [ebp+var_54]
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFF200h
		add	eax, 1000h
		push	eax
		lea	eax, [ecx-8]
		mov	ecx, esi
		push	eax
		call	PfPrefetchRequestVerifyRanges
		test	eax, eax
		jnz	short loc_7B6764
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		inc	edx
		mov	eax, [ebx-8]
		add	ecx, 20h
		shr	eax, 1
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ecx
		cmp	edx, eax
		jb	short loc_7B66CF

loc_7B672B:				; CODE XREF: PfPrefetchRequestVerify+11Cj
		mov	eax, [ebp+var_C]
		add	ebx, 20h
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, [esi+8]
		jb	loc_7B6664

loc_7B673E:				; CODE XREF: PfPrefetchRequestVerify+B6j
		mov	eax, [esi+14h]
		lea	ecx, [ebp+var_30]
		mov	ebx, [esi+2Ch]
		mov	edx, ebx
		mov	[ebp+var_10], eax
		imul	eax, 18h
		push	1
		push	4
		push	eax
		call	_PfRequestRangeCheck@20	; PfRequestRangeCheck(x,x,x,x,x)
		test	al, al
		jz	short loc_7B678D
		cmp	[ebp+var_10], edi
		ja	short loc_7B6769

loc_7B6762:				; CODE XREF: PfPrefetchRequestVerify+1E3j
		xor	eax, eax

loc_7B6764:				; CODE XREF: PfPrefetchRequestVerify+83j
					; PfPrefetchRequestVerify+D9j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7B6769:				; CODE XREF: PfPrefetchRequestVerify+1BAj
		add	ebx, 10h
		add	ebx, esi

loc_7B676E:				; CODE XREF: PfPrefetchRequestVerify+1E5j
		push	1000h
		push	ebx
		lea	edx, [ebp+var_54]
		mov	ecx, esi
		call	PfPrefetchRequestVerifyRanges
		test	eax, eax
		jnz	short loc_7B6764
		inc	edi
		add	ebx, 18h
		cmp	edi, [esi+14h]
		jnb	short loc_7B6762
		jmp	short loc_7B676E
; 

loc_7B678D:				; CODE XREF: PfPrefetchRequestVerify+1B5j
		mov	eax, 9C40h
		jmp	short loc_7B6764
PfPrefetchRequestVerify	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfPrefetchRequestVerifyPath(x, x, x)
_PfPrefetchRequestVerifyPath@12	proc near ; CODE XREF: PfPrefetchRequestVerify+D2p
					; PfPrefetchRequestVerify+137p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		mov	eax, [esi+4]
		cmp	eax, 7FFFh
		jnb	short loc_7B67EB
		test	eax, eax
		jz	short loc_7B67F2
		mov	edx, [esi]
		test	edx, edx
		jz	short loc_7B67F9
		push	1
		push	2
		lea	eax, ds:2[eax*2]
		push	eax
		lea	ecx, [ebx+30h]
		call	_PfRequestRangeCheck@20	; PfRequestRangeCheck(x,x,x,x,x)
		test	al, al
		jz	short loc_7B6800
		mov	ecx, [esi]
		mov	eax, [esi+4]
		lea	eax, [ecx+eax*2]
		movzx	eax, word ptr [eax+edi]
		neg	eax
		sbb	eax, eax
		and	eax, 2EE0h

loc_7B67E4:				; CODE XREF: PfPrefetchRequestVerifyPath(x,x,x)+5Cj
					; PfPrefetchRequestVerifyPath(x,x,x)+63j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7B67EB:				; CODE XREF: PfPrefetchRequestVerifyPath(x,x,x)+17j
		mov	eax, 2710h
		jmp	short loc_7B67E4
; 

loc_7B67F2:				; CODE XREF: PfPrefetchRequestVerifyPath(x,x,x)+1Bj
		mov	eax, 2904h
		jmp	short loc_7B67E4
; 

loc_7B67F9:				; CODE XREF: PfPrefetchRequestVerifyPath(x,x,x)+21j
		mov	eax, 29FEh
		jmp	short loc_7B67E4
; 

loc_7B6800:				; CODE XREF: PfPrefetchRequestVerifyPath(x,x,x)+39j
		mov	eax, 2AF8h
		jmp	short loc_7B67E4
_PfPrefetchRequestVerifyPath@12	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfRequestRangeCheck(x, x, x, x, x)
_PfRequestRangeCheck@20	proc near	; CODE XREF: PfPrefetchRequestVerifyRanges+3Cp
					; PfPrefetchRequestVerify+9Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ecx]
		cmp	edx, esi
		jb	short loc_7B6843
		mov	eax, [ecx+4]
		cmp	edx, eax
		jnb	short loc_7B683D

loc_7B681B:				; CODE XREF: PfRequestRangeCheck(x,x,x,x,x)+39j
		add	edx, [ebp+arg_0]
		cmp	edx, esi
		jb	short loc_7B6843
		cmp	edx, eax
		ja	short loc_7B6843
		mov	eax, [ebp+arg_4]
		dec	eax
		test	eax, edx
		jnz	short loc_7B6843
		cmp	[ebp+arg_8], 0
		jz	short loc_7B6836
		mov	[ecx], edx

loc_7B6836:				; CODE XREF: PfRequestRangeCheck(x,x,x,x,x)+2Aj
		mov	al, 1

loc_7B6838:				; CODE XREF: PfRequestRangeCheck(x,x,x,x,x)+3Dj
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_7B683D:				; CODE XREF: PfRequestRangeCheck(x,x,x,x,x)+11j
		cmp	[ebp+arg_0], 0
		jbe	short loc_7B681B

loc_7B6843:				; CODE XREF: PfRequestRangeCheck(x,x,x,x,x)+Aj
					; PfRequestRangeCheck(x,x,x,x,x)+18j ...
		xor	al, al
		jmp	short loc_7B6838
_PfRequestRangeCheck@20	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PfPrefetchRequestPrepareForVerify(void *)
PfPrefetchRequestPrepareForVerify proc near ; CODE XREF: PfPrefetchRequestVerify+7Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008EC805 SIZE 000000F2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	68h
		pop	esi
		push	3Ch		; size_t
		push	0		; int
		push	[ebp+arg_0]	; void *
		mov	edi, edx
		mov	ebx, ecx
		call	_memset
		mov	edx, [ebx+8]
		add	esp, 0Ch
		mov	ecx, [ebx+20h]
		test	edx, edx
		jz	loc_7B6A3A
		test	ecx, ecx
		jz	loc_8EC805
		cmp	ecx, esi
		jb	loc_8EC819
		mov	eax, edi
		shr	eax, 5
		cmp	edx, eax
		ja	loc_8EC823
		shl	edx, 5
		cmp	ecx, edi
		jnb	loc_8EC82D
		cmp	edx, edi
		jnb	loc_8EC82D
		mov	eax, edi
		sub	eax, edx
		cmp	ecx, eax
		ja	loc_8EC82D
		lea	esi, [ecx+edx]
		mov	edx, [ebp+arg_0]
		mov	[edx], ecx
		mov	[edx+4], esi
		mov	eax, [ebx+8]
		mov	[edx+8], eax

loc_7B68C2:				; CODE XREF: PfPrefetchRequestPrepareForVerify+1F4j
		mov	edx, [ebx+0Ch]
		mov	ecx, [ebx+24h]
		test	edx, edx
		jz	loc_7B6A47
		test	ecx, ecx
		jz	loc_8EC837
		cmp	ecx, esi
		jb	loc_8EC84B
		mov	eax, edi
		shr	eax, 5
		cmp	edx, eax
		ja	loc_8EC855
		shl	edx, 5
		cmp	ecx, edi
		jnb	loc_8EC85F
		cmp	edx, edi
		jnb	loc_8EC85F
		mov	eax, edi
		sub	eax, edx
		cmp	ecx, eax
		ja	loc_8EC85F
		lea	esi, [ecx+edx]
		mov	edx, [ebp+arg_0]
		mov	[edx+0Ch], ecx
		mov	[edx+10h], esi
		mov	eax, [ebx+0Ch]
		mov	[edx+14h], eax

loc_7B691E:				; CODE XREF: PfPrefetchRequestPrepareForVerify+201j
		mov	edx, [ebx+10h]
		mov	ecx, [ebx+28h]
		test	edx, edx
		jz	loc_8EC873
		test	ecx, ecx
		jz	loc_8EC869
		cmp	ecx, esi
		jb	loc_8EC881
		mov	eax, edi
		shr	eax, 4
		cmp	edx, eax
		ja	loc_8EC88B
		shl	edx, 4
		cmp	ecx, edi
		jnb	loc_8EC895
		cmp	edx, edi
		jnb	loc_8EC895
		mov	eax, edi
		sub	eax, edx
		cmp	ecx, eax
		ja	loc_8EC895
		lea	esi, [ecx+edx]
		mov	edx, [ebp+arg_0]
		mov	[edx+18h], ecx
		mov	[edx+1Ch], esi
		mov	eax, [ebx+10h]
		mov	[edx+20h], eax

loc_7B697A:				; CODE XREF: PfPrefetchRequestPrepareForVerify+13605Aj
		mov	eax, [ebx+14h]
		mov	ecx, [ebx+2Ch]
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_7B69EC
		test	ecx, ecx
		jnz	loc_8EC8B1

loc_7B698F:				; CODE XREF: PfPrefetchRequestPrepareForVerify+1EDj
		mov	eax, [ebx+18h]
		mov	ecx, [ebx+30h]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_7B6A54
		test	ecx, ecx
		jz	loc_8EC8CF
		cmp	ecx, esi
		jb	loc_8EC8E3
		cmp	ecx, edi
		jnb	loc_8EC8ED
		cmp	eax, edi
		jnb	loc_8EC8ED
		mov	esi, [ebp+arg_0]
		mov	eax, edi
		sub	eax, esi
		cmp	ecx, eax
		ja	loc_8EC8ED
		add	esi, ecx
		mov	[edx+30h], ecx
		mov	[edx+34h], esi

loc_7B69D7:				; CODE XREF: PfPrefetchRequestPrepareForVerify+20Ej
		sub	esi, edi
		neg	esi
		sbb	esi, esi
		and	esi, 2328h
		mov	eax, esi

loc_7B69E5:				; CODE XREF: PfPrefetchRequestPrepareForVerify+21Ej
					; PfPrefetchRequestPrepareForVerify+135FC2j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7B69EC:				; CODE XREF: PfPrefetchRequestPrepareForVerify+13Dj
		test	ecx, ecx
		jz	loc_8EC8A7
		cmp	ecx, esi
		jb	loc_8EC8BB
		xor	edx, edx
		mov	eax, edi
		push	18h
		pop	esi
		div	esi
		mov	edx, [ebp+var_4]
		cmp	edx, eax
		ja	loc_8EC8C5
		imul	edx, 18h
		cmp	ecx, edi
		jnb	short loc_7B6A61
		cmp	edx, edi
		jnb	short loc_7B6A61
		mov	eax, edi
		sub	eax, edx
		cmp	ecx, eax
		ja	short loc_7B6A61
		lea	esi, [ecx+edx]
		mov	edx, [ebp+arg_0]
		mov	[edx+24h], ecx
		mov	[edx+28h], esi
		mov	eax, [ebx+14h]
		mov	[edx+2Ch], eax
		jmp	loc_7B698F
; 

loc_7B6A3A:				; CODE XREF: PfPrefetchRequestPrepareForVerify+27j
		test	ecx, ecx
		jz	loc_7B68C2
		jmp	loc_8EC80F
; 

loc_7B6A47:				; CODE XREF: PfPrefetchRequestPrepareForVerify+82j
		test	ecx, ecx
		jz	loc_7B691E
		jmp	loc_8EC841
; 

loc_7B6A54:				; CODE XREF: PfPrefetchRequestPrepareForVerify+152j
		test	ecx, ecx
		jz	loc_7B69D7
		jmp	loc_8EC8D9
; 

loc_7B6A61:				; CODE XREF: PfPrefetchRequestPrepareForVerify+1CDj
					; PfPrefetchRequestPrepareForVerify+1D1j ...
		mov	eax, 1CE8h
		jmp	loc_7B69E5
PfPrefetchRequestPrepareForVerify endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmSetStoreInformation proc near		; CODE XREF: PAGE:007B430Ap

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EC8F7 SIZE 00000107 BYTES

		push	20h
		push	offset dword_6A2F80
		call	__SEH_prolog4
		cmp	[ebp+arg_0], 10h
		jnz	loc_8EC8F7
		and	[ebp+ms_exc.disabled], 0
		mov	esi, edx
		lea	edi, [ebp+var_30]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_30], 1
		jnz	loc_8EC901
		mov	esi, [ebp+arg_4]
		push	esi
		push	ds:dword_A949EC
		push	ds:_SeProfileSingleProcessPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	short loc_7B6B11
		mov	eax, [ebp+var_2C]
		cmp	eax, 0Ch
		jle	loc_8EC90B
		sub	eax, 11h
		jz	loc_8EC9E8
		sub	eax, 1
		jz	loc_8EC9D2
		sub	eax, 1
		jz	short loc_7B6B03
		sub	eax, 1
		jnz	loc_8EC9B2
		push	esi
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_28]
		call	SmProcessStoreMemoryPriorityRequest

loc_7B6AF1:				; CODE XREF: SmSetStoreInformation+A3j
					; SmSetStoreInformation+AAj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7B6B03:				; CODE XREF: SmSetStoreInformation+6Ej
		push	esi
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_28]
		call	SmProcessConfigRequest
		jmp	short loc_7B6AF1
; 

loc_7B6B11:				; CODE XREF: SmSetStoreInformation+4Bj
		mov	eax, 0C0000022h
		jmp	short loc_7B6AF1
SmSetStoreInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmProcessStoreMemoryPriorityRequest proc near ;	CODE XREF: SmSetStoreInformation+80p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008ECA1E SIZE 00000076 BYTES
; FUNCTION CHUNK AT 008ECAB7 SIZE 0000000E BYTES

		push	44h
		push	offset dword_6A2FA0
		call	__SEH_prolog4_GS
		mov	ebx, ecx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_38]
		rep stosd
		xor	ecx, ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ecx
		mov	edi, ecx
		mov	[ebp+var_4C], edi
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], ecx
		cmp	edx, 8
		jnz	loc_8ECA1E
		mov	[ebp+ms_exc.disabled], ecx
		cmp	[ebp+arg_0], cl
		jz	short loc_7B6B74
		test	bl, 3
		jnz	loc_7B6BF5
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8ECA28

loc_7B6B6A:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+135F12j
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+4]
		mov	[ebx+4], al

loc_7B6B74:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+3Aj
		mov	eax, [ebx]
		mov	[ebp+var_44], eax
		mov	[ebp+var_54], eax
		mov	ecx, [ebx+4]
		mov	[ebp+var_50], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	al, 1
		jnz	short loc_7B6BFA
		test	eax, 0FFFFFC00h
		jnz	short loc_7B6C01
		test	eax, 100h
		jz	short loc_7B6C08
		lea	eax, [ebp+var_3C]
		push	eax
		push	dword ptr [ebp+arg_0]
		call	_SmRereferenceProcessObject@16 ; SmRereferenceProcessObject(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7B6BCD
		mov	eax, 40000h
		mov	ecx, [ebp+var_3C]
		add	ecx, 3A8h
		lock or	[ecx], eax
		test	[ebp+var_44], 200h
		jnz	loc_8ECA2F
		xor	esi, esi

loc_7B6BCD:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+93j
					; SmProcessStoreMemoryPriorityRequest+E7j ...
		test	edi, edi
		jnz	loc_8ECAB7

loc_7B6BD5:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+135FA8j
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_7B6BE1
		call	ObfDereferenceObject

loc_7B6BE1:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+C2j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7B6BF5:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+3Fj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7B6BFA:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+73j
		mov	esi, 0C0000059h
		jmp	short loc_7B6BCD
; 

loc_7B6C01:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+7Aj
		mov	esi, 0C000000Dh
		jmp	short loc_7B6BCD
; 

loc_7B6C08:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+81j
		mov	esi, 0C00000BBh
		jmp	short loc_7B6BCD
SmProcessStoreMemoryPriorityRequest endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpRpCHashDeleteEntries	proc near	; CODE XREF: PfpRpControlRequestCopy+2B6p
					; PfpRpControlRequestCopy+2DFp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008ECAC5 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, edx
		dec	word ptr [eax+13Ch]
		push	edi
		mov	[ebp+var_34], esi
		nop
		lea	edi, [ecx+4Ch]
		xor	edx, edx
		mov	ecx, edi
		mov	[ebp+var_38], edi
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, [esi+8]
		or	eax, 0FFFFFFFFh
		mov	ecx, [esi+4]
		shl	ebx, cl
		test	ebx, ebx
		jz	loc_8ECAC5
		push	48436650h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_8ECACC
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lea	edi, [ebp+var_48]
		or	eax, 0FFFFFFFFh
		movsd
		mov	edx, eax
		mov	[ebp+var_8], eax
		movsd
		movsd
		movsd
		mov	ecx, [ebp+var_44]
		xor	esi, esi
		inc	esi
		shl	esi, cl
		mov	[ebp+var_10], esi
		mov	ecx, esi
		test	esi, esi
		jz	short loc_7B6CA8

loc_7B6CA0:				; CODE XREF: PfpRpCHashDeleteEntries+93j
		inc	edx
		shr	ecx, 1
		jnz	short loc_7B6CA0
		mov	[ebp+var_8], edx

loc_7B6CA8:				; CODE XREF: PfpRpCHashDeleteEntries+8Ej
		lea	ecx, [esi-1]
		test	ecx, esi
		jz	short loc_7B6CB3
		inc	edx
		mov	[ebp+var_8], edx

loc_7B6CB3:				; CODE XREF: PfpRpCHashDeleteEntries+9Dj
		mov	ecx, edx
		shr	ebx, cl
		mov	[ebp+var_24], ebx
		lea	ecx, [ebx-1]
		test	ecx, ebx
		jnz	loc_7B6E6C

loc_7B6CC5:				; CODE XREF: PfpRpCHashDeleteEntries+26Fj
		mov	ecx, edx
		mov	eax, ebx
		shl	eax, cl
		xor	esi, esi
		push	eax		; size_t
		push	esi		; int
		push	[ebp+var_C]	; void *
		mov	[ebp+var_1C], esi
		call	_memset
		mov	edx, [ebp+var_40]
		add	esp, 0Ch
		mov	edi, [ebp+var_48]
		mov	ecx, [ebp+var_44]
		shl	edx, cl
		add	edx, edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edx
		cmp	edi, edx
		jnb	short loc_7B6D0C
		mov	ecx, [ebp+var_10]
		mov	eax, edx

loc_7B6CF9:				; CODE XREF: PfpRpCHashDeleteEntries+FAj
		mov	edx, [edi]
		test	edx, edx
		jnz	loc_7B6D9C

loc_7B6D03:				; CODE XREF: PfpRpCHashDeleteEntries+1ECj
		add	edi, ecx
		mov	[ebp+var_18], edi
		cmp	edi, eax
		jb	short loc_7B6CF9

loc_7B6D0C:				; CODE XREF: PfpRpCHashDeleteEntries+E2j
		mov	eax, [ebp+var_34]
		mov	ecx, [ebp+var_C]
		mov	ebx, [ebp+arg_0]
		push	11h
		mov	[eax], ecx
		mov	ecx, [ebp+var_1C]
		mov	[eax+0Ch], ecx
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jnz	loc_7B6E90

loc_7B6D2F:				; CODE XREF: PfpRpCHashDeleteEntries+287j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	[ebp+var_30], esi
		lea	eax, [ebp+var_30]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, [ebx]
		test	al, 1
		jnz	loc_8ECAD6

loc_7B6D5E:				; CODE XREF: PfpRpCHashDeleteEntries+135ECDj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	esi
		push	[ebp+var_48]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [ebp+var_38]

loc_7B6D76:				; CODE XREF: PfpRpCHashDeleteEntries+135EC1j
		or	eax, 0FFFFFFFFh

loc_7B6D79:				; CODE XREF: PfpRpCHashDeleteEntries+135EB7j
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7B6E84

loc_7B6D87:				; CODE XREF: PfpRpCHashDeleteEntries+27Bj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7B6D9C:				; CODE XREF: PfpRpCHashDeleteEntries+EDj
		cmp	[ebp+arg_8], 0
		jz	short loc_7B6DC0
		cmp	[ebp+arg_4], 0
		mov	eax, esi
		jbe	short loc_7B6DC0
		mov	edi, [ebp+arg_8]

loc_7B6DAD:				; CODE XREF: PfpRpCHashDeleteEntries+1A6j
		cmp	[edi+eax*4], edx
		jz	short loc_7B6DB8
		inc	eax
		cmp	eax, [ebp+arg_4]
		jb	short loc_7B6DAD

loc_7B6DB8:				; CODE XREF: PfpRpCHashDeleteEntries+1A0j
		mov	edi, [ebp+var_18]
		cmp	eax, [ebp+arg_4]
		jb	short loc_7B6DF9

loc_7B6DC0:				; CODE XREF: PfpRpCHashDeleteEntries+190j
					; PfpRpCHashDeleteEntries+198j
		mov	[ebp+var_20], edx
		test	ebx, ebx
		jnz	short loc_7B6E20
		mov	eax, esi
		jmp	short loc_7B6DE8
; 

loc_7B6DCB:				; CODE XREF: PfpRpCHashDeleteEntries+200j
					; PfpRpCHashDeleteEntries+20Bj	...
		add	esi, ebx
		and	esi, [ebp+var_30]
		mov	eax, esi
		shl	eax, cl
		add	eax, [ebp+var_C]
		mov	edi, [eax]
		test	edi, edi
		jnz	short loc_7B6E0A

loc_7B6DDD:				; CODE XREF: PfpRpCHashDeleteEntries+1FCj
		mov	ebx, [ebp+var_24]
		xor	esi, esi
		mov	edi, [ebp+var_18]

loc_7B6DE5:				; CODE XREF: PfpRpCHashDeleteEntries+254j
		mov	ecx, [ebp+var_10]

loc_7B6DE8:				; CODE XREF: PfpRpCHashDeleteEntries+1B9j
		push	ecx		; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_10]
		add	esp, 0Ch
		inc	[ebp+var_1C]

loc_7B6DF9:				; CODE XREF: PfpRpCHashDeleteEntries+1AEj
		mov	eax, [ebp+var_14]
		jmp	loc_7B6D03
; 

loc_7B6E01:				; CODE XREF: PfpRpCHashDeleteEntries+25Aj
		mov	ebx, [ebp+var_20]
		mov	esi, [ebp+var_28]
		mov	edi, [ebp+var_2C]

loc_7B6E0A:				; CODE XREF: PfpRpCHashDeleteEntries+1CBj
		cmp	edi, edx
		jz	short loc_7B6DDD
		test	ebx, ebx
		jnz	short loc_7B6DCB
		imul	ebx, edx, 9E3779B1h
		test	bl, 1
		jnz	short loc_7B6DCB
		inc	ebx
		jmp	short loc_7B6DCB
; 

loc_7B6E20:				; CODE XREF: PfpRpCHashDeleteEntries+1B5j
		movzx	eax, dl
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_20+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_20+3]
		imul	ecx, 25h
		add	eax, 164B2F3Fh
		mov	[ebp+var_20], esi
		add	eax, ecx
		lea	ecx, [ebx-1]
		mov	[ebp+var_30], ecx
		and	ecx, eax
		mov	eax, ecx
		mov	[ebp+var_28], ecx
		mov	ecx, [ebp+var_8]
		shl	eax, cl
		add	eax, [ebp+var_C]
		mov	ecx, [eax]
		test	ecx, ecx
		mov	[ebp+var_2C], ecx
		mov	ecx, [ebp+var_8]
		jz	loc_7B6DE5
		jmp	short loc_7B6E01
; 

loc_7B6E6C:				; CODE XREF: PfpRpCHashDeleteEntries+AFj
		test	ebx, ebx
		jz	short loc_7B6E75

loc_7B6E70:				; CODE XREF: PfpRpCHashDeleteEntries+263j
		inc	eax
		shr	ebx, 1
		jnz	short loc_7B6E70

loc_7B6E75:				; CODE XREF: PfpRpCHashDeleteEntries+25Ej
		xor	ebx, ebx
		mov	ecx, eax
		inc	ebx
		shl	ebx, cl
		mov	[ebp+var_24], ebx
		jmp	loc_7B6CC5
; 

loc_7B6E84:				; CODE XREF: PfpRpCHashDeleteEntries+171j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7B6D87
; 

loc_7B6E90:				; CODE XREF: PfpRpCHashDeleteEntries+119j
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_7B6D2F
PfpRpCHashDeleteEntries	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpPrefetchPrivatePages	proc near	; CODE XREF: PfpPrefetchRequestPerform+2F1p

var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008ECAE2 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		and	[ebp+var_20], 0
		xor	eax, eax
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_3C]
		mov	esi, ecx
		stosd
		mov	[ebp+var_4], esi
		mov	ebx, [esi]
		stosd
		stosd
		call	_PFP_GET_CURRENT_TICK_COUNT_MS@0 ; PFP_GET_CURRENT_TICK_COUNT_MS()
		mov	esi, [esi]
		mov	[ebp+var_28], eax
		movzx	eax, word ptr [esi+1Eh]
		mov	esi, [esi+1Ch]
		mov	ecx, eax
		and	ecx, 7
		mov	[ebp+var_24], eax
		mov	eax, [ebx+38h]
		and	esi, 7
		shl	ecx, 3
		or	esi, ecx
		test	al, 10h
		jnz	short loc_7B6EEC
		or	esi, 100h

loc_7B6EEC:				; CODE XREF: PfpPrefetchPrivatePages+48j
		test	al, 8
		jnz	loc_8ECAE2

loc_7B6EF4:				; CODE XREF: PfpPrefetchPrivatePages+135C4Cj
		test	al, 20h
		jz	short loc_7B6EFE
		or	esi, 800h

loc_7B6EFE:				; CODE XREF: PfpPrefetchPrivatePages+5Aj
		and	[ebp+var_1C], 0
		cmp	dword ptr [ebx+14h], 0
		mov	edi, [ebp+var_34]
		jbe	loc_7B701A
		and	[ebp+var_18], 0

loc_7B6F13:				; CODE XREF: PfpPrefetchPrivatePages+178j
		and	[ebp+var_30], 0
		and	[ebp+var_2C], 0
		mov	ecx, [ebp+var_4]
		call	_PfpCheckPrefetchAbort@4 ; PfpCheckPrefetchAbort(x)
		test	eax, eax
		jnz	loc_7B703F
		mov	eax, [ebx+2Ch]
		lea	edx, [ebp+var_3C]
		add	eax, [ebp+var_18]
		mov	ecx, eax
		mov	[ebp+var_10], eax
		call	PfpSourceBuildVaArray
		mov	edi, [ebp+var_34]
		test	eax, eax
		js	loc_7B7006
		mov	ecx, [ebp+var_10]
		lea	edx, [ebp+var_30]
		call	PfpSourceGetPrefetchSupport
		test	eax, eax
		js	loc_7B6FF2
		test	byte ptr [ebx+38h], 4
		jz	loc_8ECAED
		mov	edx, [ebp+var_4]
		lea	ecx, [ebp+var_20]
		mov	eax, [ebp+var_3C]
		push	ecx
		push	ecx
		lea	edx, [edx+18h]
		mov	[ebp+var_C], edi
		push	58h
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_10], eax
		call	MmQueryMemoryListInformation
		cmp	[ebp+var_3C], 0
		jz	short loc_7B6FEF

loc_7B6F8A:				; CODE XREF: PfpPrefetchPrivatePages+151j
		mov	ecx, [ebp+var_4]
		call	_PfpCheckPrefetchAbort@4 ; PfpCheckPrefetchAbort(x)
		test	eax, eax
		jnz	loc_8ECB02
		mov	edx, [ebp+var_24]
		lea	ecx, [ecx+18h]
		call	_PfpAvailablePagesForPrefetch@8	; PfpAvailablePagesForPrefetch(x,x)
		test	eax, eax
		jz	loc_8ECB02
		mov	eax, [ebp+var_10]
		cmp	eax, 10h
		jbe	short loc_7B6FB8
		push	10h
		pop	eax

loc_7B6FB8:				; CODE XREF: PfpPrefetchPrivatePages+117j
		mov	ecx, [ebp+var_2C]
		mov	edx, eax
		push	esi
		push	[ebp+var_C]
		mov	[ebp+var_8], eax
		call	MmPrefetchVirtualMemory
		mov	edx, [ebp+var_8]
		test	eax, eax
		js	short loc_7B6FD3
		add	[ebx+50h], edx

loc_7B6FD3:				; CODE XREF: PfpPrefetchPrivatePages+132j
		mov	ecx, [ebp+var_4]
		lea	ecx, [ecx+18h]
		call	_PfpUpdateRepurposedByPrefetch@8 ; PfpUpdateRepurposedByPrefetch(x,x)
		mov	eax, [ebp+var_8]
		sub	[ebp+var_10], eax
		mov	ecx, [ebp+var_C]
		lea	ecx, [ecx+eax*8]
		mov	[ebp+var_C], ecx
		jnz	short loc_7B6F8A

loc_7B6FEF:				; CODE XREF: PfpPrefetchPrivatePages+ECj
					; PfpPrefetchPrivatePages+135C61j
		inc	dword ptr [ebx+44h]

loc_7B6FF2:				; CODE XREF: PfpPrefetchPrivatePages+BAj
					; PfpPrefetchPrivatePages+135C6Dj
		cmp	[ebp+var_2C], 0
		jz	short loc_7B7000
		push	[ebp+var_2C]
		call	NtClose

loc_7B7000:				; CODE XREF: PfpPrefetchPrivatePages+15Aj
		cmp	[ebp+var_14], 0
		jnz	short loc_7B703F

loc_7B7006:				; CODE XREF: PfpPrefetchPrivatePages+A7j
		mov	eax, [ebp+var_1C]
		add	[ebp+var_18], 18h
		inc	eax
		mov	[ebp+var_1C], eax
		cmp	eax, [ebx+14h]
		jb	loc_7B6F13

loc_7B701A:				; CODE XREF: PfpPrefetchPrivatePages+6Dj
		xor	esi, esi

loc_7B701C:				; CODE XREF: PfpPrefetchPrivatePages+1A8j
		test	edi, edi
		jz	short loc_7B7028
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7B7028:				; CODE XREF: PfpPrefetchPrivatePages+182j
		call	_PFP_GET_CURRENT_TICK_COUNT_MS@0 ; PFP_GET_CURRENT_TICK_COUNT_MS()
		mov	ecx, [ebp+var_4]
		sub	eax, [ebp+var_28]
		pop	edi
		mov	ecx, [ecx]
		add	[ecx+60h], eax
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7B703F:				; CODE XREF: PfpPrefetchPrivatePages+89j
					; PfpPrefetchPrivatePages+168j
		mov	esi, 0C0000240h
		jmp	short loc_7B701C
PfpPrefetchPrivatePages	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1454. MmPrefetchVirtualAddresses

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmPrefetchVirtualAddresses
MmPrefetchVirtualAddresses proc	near	; CODE XREF: VmpPrefetchForVirtualFault(x,x,x)+7Ep

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008ECB0E SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	dword ptr [edi], 1
		jnz	short loc_7B70BE
		mov	edx, [edi+4]
		cmp	edx, 8
		jnb	short loc_7B70BE
		mov	eax, edx
		and	al, 6
		cmp	al, 4
		ja	short loc_7B70BE
		test	dl, 6
		jnz	loc_8ECB0E
		push	5
		pop	esi

loc_7B7078:				; CODE XREF: MmPrefetchVirtualAddresses+135AE3j
					; MmPrefetchVirtualAddresses+135AECj
		mov	eax, esi
		and	eax, 7
		shl	eax, 3
		or	esi, eax
		mov	eax, esi
		and	eax, 7
		cmp	al, 5
		jb	loc_8ECB3D

loc_7B708F:				; CODE XREF: MmPrefetchVirtualAddresses+135AF4j
					; MmPrefetchVirtualAddresses+135B00j
		mov	ecx, large fs:124h
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 1
		jle	short loc_7B70B6

loc_7B70A0:				; CODE XREF: MmPrefetchVirtualAddresses+70j
		mov	edx, [edi+0Ch]
		mov	ecx, [edi+8]
		push	esi
		push	dword ptr [edi+10h]
		call	MmPrefetchVirtualMemory

loc_7B70AF:				; CODE XREF: MmPrefetchVirtualAddresses+77j
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
; 

loc_7B70B6:				; CODE XREF: MmPrefetchVirtualAddresses+52j
		or	esi, 400h
		jmp	short loc_7B70A0
; 

loc_7B70BE:				; CODE XREF: MmPrefetchVirtualAddresses+Ej
					; MmPrefetchVirtualAddresses+16j ...
		mov	eax, 0C00000EFh
		jmp	short loc_7B70AF
MmPrefetchVirtualAddresses endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmPrefetchVirtualMemory	proc near	; CODE XREF: MiProcessWsInSwapRanges(x,x,x)+33p
					; PfpPrefetchPrivatePages+128p	...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008ECB51 SIZE 000000B5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[esp+40h+var_20], eax
		push	6
		xor	eax, eax
		mov	[esp+44h+var_28], edx
		xor	esi, esi
		lea	edi, [esp+44h+var_1C]
		mov	[esp+44h+var_24], esi
		mov	[esp+44h+var_34], esi
		mov	[esp+44h+var_2C], esi
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		mov	[esp+40h+var_30], eax
		test	ebx, ebx
		jz	loc_8ECB51
		cmp	ebx, 0FFFFFFFFh
		jz	loc_7B71A9
		cmp	ebx, 0FFFFFFFDh
		jnz	loc_7B71B7
		mov	edi, [eax+80h]
		test	dword ptr [edi+0FCh], 10000h
		jz	loc_8ECB56
		call	_MiGetSessionVm@0 ; MiGetSessionVm()

loc_7B7144:				; CODE XREF: MmPrefetchVirtualMemory+EFj
					; MmPrefetchVirtualMemory+135B0Cj
		push	[ebp+arg_4]
		mov	edx, [esp+40h+var_1C]
		mov	ecx, [esp+40h+var_24]
		push	eax
		call	MiPrefetchVirtualMemory
		mov	[esp+3Ch+var_24], eax
		test	esi, esi
		jnz	loc_7B720D

loc_7B7161:				; CODE XREF: MmPrefetchVirtualMemory+152j
		mov	esi, [esp+3Ch+var_28]
		test	esi, esi
		jnz	loc_8ECBD7

loc_7B716D:				; CODE XREF: MmPrefetchVirtualMemory+135B23j
		cmp	ebx, 0FFFFFFFDh
		jnz	short loc_7B718A

loc_7B7172:				; CODE XREF: MmPrefetchVirtualMemory+C7j
					; MmPrefetchVirtualMemory+CBj ...
		mov	eax, [esp+3Ch+var_24]

loc_7B7176:				; CODE XREF: MmPrefetchVirtualMemory+135A95j
					; MmPrefetchVirtualMemory+135A9Fj ...
		mov	ecx, [esp+3Ch]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7B718A:				; CODE XREF: MmPrefetchVirtualMemory+AAj
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_7B7172
		test	ebx, ebx
		jz	short loc_7B7172
		test	edi, edi
		jz	loc_8ECBEE
		mov	edx, 66506D4Dh
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		jmp	short loc_7B7172
; 

loc_7B71A9:				; CODE XREF: MmPrefetchVirtualMemory+54j
		mov	edi, [eax+80h]

loc_7B71AF:				; CODE XREF: MmPrefetchVirtualMemory+132j
					; MmPrefetchVirtualMemory+145j
		lea	eax, [edi+240h]
		jmp	short loc_7B7144
; 

loc_7B71B7:				; CODE XREF: MmPrefetchVirtualMemory+5Dj
		push	ebx
		call	_ObIsKernelHandle@4 ; ObIsKernelHandle(x)
		test	al, al
		jz	loc_8ECB60
		mov	eax, ds:_PsProcessType
		lea	ecx, [esp+40h+var_34]
		push	esi
		push	esi
		push	ecx
		push	66506D4Dh
		push	esi
		push	eax
		push	8
		pop	edx
		mov	ecx, ebx
		call	ObpReferenceObjectByHandleWithTag
		test	eax, eax
		js	loc_8ECB6A
		mov	eax, [esp+40h+var_30]
		mov	edi, [esp+40h+var_34]
		cmp	[eax+80h], edi
		jz	short loc_7B71AF
		lea	eax, [esp+40h+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, edi
		call	KiStackAttachProcess
		xor	esi, esi
		inc	esi
		jmp	short loc_7B71AF
; 

loc_7B720D:				; CODE XREF: MmPrefetchVirtualMemory+95j
		xor	edx, edx
		lea	ecx, [esp+3Ch+var_18]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_7B7161
MmPrefetchVirtualMemory	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpSourceGetPrefetchSupport proc near	; CODE XREF: PfpPrefetchPrivatePages+B3p

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= word ptr -58h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008ECC06 SIZE 000000A1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+94h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[esp+0A0h+var_84], edx
		xor	eax, eax
		mov	[esp+0A0h+var_64], esi
		and	[esp+0A0h+var_60], eax
		lea	edi, [esp+0A0h+var_7C]
		and	[esp+0A0h+var_5C], eax
		xor	ebx, ebx
		push	6
		pop	ecx
		rep stosd
		mov	eax, [esi]
		xor	ecx, ecx
		mov	[edx], eax
		xor	edi, edi
		mov	eax, [esi]
		mov	[esp+0A0h+var_94], ebx
		mov	[esp+0A0h+var_90], edi
		mov	[esp+0A0h+var_80], ecx
		mov	[esp+0A0h+var_8C], ecx
		sub	eax, ecx
		jz	loc_7B7383
		sub	eax, 1
		jz	loc_8ECC10
		sub	eax, 1
		jnz	loc_8ECC06
		mov	eax, [esi+4]
		mov	edi, 1FFFFFh
		mov	[esp+0A0h+var_8C], eax
		lea	eax, [esp+0A0h+var_8C]
		push	eax
		lea	eax, [esp+0A4h+var_7C]
		mov	[esp+0A4h+var_7C], 18h
		push	eax
		push	edi
		lea	eax, [esp+0ACh+var_90]
		mov	[esp+0ACh+var_78], ebx
		push	eax
		mov	[esp+0B0h+var_70], 200h
		mov	[esp+0B0h+var_74], ebx
		mov	[esp+0B0h+var_6C], ebx
		mov	[esp+0B0h+var_68], ebx
		mov	[esp+0B0h+var_88], ebx
		call	_NtOpenProcess@16 ; NtOpenProcess(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7B737D
		mov	eax, ds:_PsProcessType
		lea	ecx, [esp+0A0h+var_94]
		push	ebx
		push	ebx
		push	ecx
		push	73576650h
		push	ebx
		mov	edx, edi
		mov	edi, [esp+0B4h+var_90]
		push	eax
		mov	ecx, edi
		call	ObpReferenceObjectByHandleWithTag
		mov	ebx, [esp+0A0h+var_94]
		mov	esi, eax
		test	esi, esi
		js	short loc_7B7347
		mov	eax, [esp+0A0h+var_64]
		mov	edx, [eax+0Ch]
		test	edx, edx
		jz	short loc_7B733C
		mov	eax, [ebx+104h]
		xor	eax, [ebx+0E4h]
		mov	ecx, [ebx+100h]
		xor	eax, ecx
		shr	ecx, 3
		and	eax, 1FFFFFFFh
		and	ecx, 1C000000h
		xor	eax, ecx
		cmp	edx, eax
		jnz	short loc_7B7376

loc_7B733C:				; CODE XREF: PfpSourceGetPrefetchSupport+F4j
		mov	ecx, [esp+0A0h+var_84]
		mov	[ecx+4], edi
		xor	edi, edi

loc_7B7345:				; CODE XREF: PfpSourceGetPrefetchSupport+168j
					; PfpSourceGetPrefetchSupport+135A67j
		xor	esi, esi

loc_7B7347:				; CODE XREF: PfpSourceGetPrefetchSupport+E9j
					; PfpSourceGetPrefetchSupport+15Dj
		test	ebx, ebx
		jz	short loc_7B7357
		mov	edx, 73576650h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_7B7357:				; CODE XREF: PfpSourceGetPrefetchSupport+12Bj
					; PfpSourceGetPrefetchSupport+163j
		test	edi, edi
		jnz	loc_8ECC8A

loc_7B735F:				; CODE XREF: PfpSourceGetPrefetchSupport+1359EDj
					; PfpSourceGetPrefetchSupport+135A78j ...
		mov	ecx, [esp+0A0h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7B7376:				; CODE XREF: PfpSourceGetPrefetchSupport+11Cj
		mov	esi, 0C0000225h
		jmp	short loc_7B7347
; 

loc_7B737D:				; CODE XREF: PfpSourceGetPrefetchSupport+BBj
		mov	edi, [esp+0A0h+var_90]
		jmp	short loc_7B7357
; 

loc_7B7383:				; CODE XREF: PfpSourceGetPrefetchSupport+5Aj
		and	[edx+4], ecx
		jmp	short loc_7B7345
PfpSourceGetPrefetchSupport endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpSourceBuildVaArray proc near		; CODE XREF: PfpPrefetchPrivatePages+9Dp

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008ECCA7 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	eax, ecx
		mov	ebx, edx
		push	esi
		push	edi
		mov	[ebp+var_10], ebx
		mov	edi, [eax+10h]
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	loc_8ECCA7
		xor	esi, esi
		cmp	[ebx+4], edi
		jnb	short loc_7B73EA
		mov	eax, [ebx+8]
		test	eax, eax
		jnz	loc_8ECCB1

loc_7B73BA:				; CODE XREF: PfpSourceBuildVaArray+135936j
		push	8
		mov	eax, edi
		pop	ecx
		mul	ecx
		cmp	edx, esi
		ja	short loc_7B7431
		cmp	eax, 0FFFFFFFFh
		ja	short loc_7B7431
		push	41566650h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+8], eax
		test	eax, eax
		jz	short loc_7B742A
		mov	eax, [ebp+var_4]
		mov	[ebx+4], edi
		mov	edi, [eax+10h]

loc_7B73EA:				; CODE XREF: PfpSourceBuildVaArray+25j
		mov	edx, [ebx+8]
		mov	[ebp+var_8], esi
		test	edi, edi
		jz	short loc_7B7421
		mov	ebx, [ebp+var_4]

loc_7B73F7:				; CODE XREF: PfpSourceBuildVaArray+92j
		mov	ecx, [ebx+14h]
		push	8
		mov	eax, [ecx+esi]
		lea	esi, [esi+10h]
		mov	[edx], eax
		mov	eax, [ecx+esi-8]
		mov	[edx+4], eax
		mov	eax, [ebp+var_8]
		mov	edi, [ebx+10h]
		inc	eax
		pop	ecx
		add	edx, ecx
		mov	[ebp+var_8], eax
		cmp	eax, edi
		jb	short loc_7B73F7
		mov	ebx, [ebp+var_10]
		xor	esi, esi

loc_7B7421:				; CODE XREF: PfpSourceBuildVaArray+6Aj
		mov	[ebx], edi

loc_7B7423:				; CODE XREF: PfpSourceBuildVaArray+A7j
					; PfpSourceBuildVaArray+AEj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7B742A:				; CODE XREF: PfpSourceBuildVaArray+57j
		mov	esi, 0C000009Ah
		jmp	short loc_7B7423
; 

loc_7B7431:				; CODE XREF: PfpSourceBuildVaArray+3Bj
					; PfpSourceBuildVaArray+40j
		mov	esi, 0C0000095h
		jmp	short loc_7B7423
PfpSourceBuildVaArray endp


;  S U B	R O U T	I N E 


; __stdcall MmSetMinimumAgeRate(x)
_MmSetMinimumAgeRate@4 proc near	; CODE XREF: PfSetSuperfetchInformation+1B8p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7B748E
		push	ebx

loc_7B744C:				; CODE XREF: MmSetMinimumAgeRate(x)+53j
		mov	ecx, [esi]
		mov	ebx, [ecx+0F00h]
		test	edi, edi
		jz	short loc_7B7491
		cmp	edi, 0Ch
		jb	short loc_7B7495
		push	6
		pop	ecx
		mov	eax, edi
		xor	edx, edx
		div	ecx
		mov	ecx, eax

loc_7B7468:				; CODE XREF: MmSetMinimumAgeRate(x)+60j
		xor	edx, edx
		mov	eax, 3E8h
		div	ecx
		cmp	eax, 1
		jbe	short loc_7B749A

loc_7B7476:				; CODE XREF: MmSetMinimumAgeRate(x)+65j
		movzx	eax, ax

loc_7B7479:				; CODE XREF: MmSetMinimumAgeRate(x)+5Bj
		mov	ecx, esi
		mov	[ebx+4C0h], ax
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_7B744C
		pop	ebx

loc_7B748E:				; CODE XREF: MmSetMinimumAgeRate(x)+11j
		pop	edi
		pop	esi
		retn
; 

loc_7B7491:				; CODE XREF: MmSetMinimumAgeRate(x)+1Ej
		xor	eax, eax
		jmp	short loc_7B7479
; 

loc_7B7495:				; CODE XREF: MmSetMinimumAgeRate(x)+23j
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_7B7468
; 

loc_7B749A:				; CODE XREF: MmSetMinimumAgeRate(x)+3Cj
		xor	eax, eax
		inc	eax
		jmp	short loc_7B7476
_MmSetMinimumAgeRate@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtManagePartition proc near		; DATA XREF: .text:00580F7Co

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A3		= byte ptr -0A3h
var_A2		= byte ptr -0A2h
var_A1		= byte ptr -0A1h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 007B7683 SIZE 00000016 BYTES
; FUNCTION CHUNK AT 007B76C6 SIZE 00000006 BYTES
; FUNCTION CHUNK AT 008ECCC3 SIZE 00000026 BYTES
; FUNCTION CHUNK AT 008ECD10 SIZE 0000005B BYTES

		push	0ACh
		push	offset dword_6A2FC0
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_AC], eax
		mov	edi, [ebp+arg_C]
		push	80h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		lea	eax, [ebp+var_9C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_A2], bl
		mov	[ebp+var_A1], bl
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	[ebp+var_A3], bl
		mov	byte ptr [ebp+var_B4], bl
		and	[ebp+var_A8], 0
		and	[ebp+var_A0], 0
		mov	esi, [ebp+arg_8]
		cmp	esi, 9
		jnb	loc_8ECCC3
		mov	dl, ds:byte_A4079F[esi*8]
		test	dl, 8
		jz	loc_8ECCCD
		movzx	eax, ds:word_A4079C[esi*8]
		mov	ecx, [ebp+arg_10]
		cmp	ecx, eax
		jnz	loc_8ECCD7
		test	dl, 1
		jz	short loc_7B7593
		test	bl, bl
		jz	loc_7B7683
		and	[ebp+ms_exc.disabled], 0
		test	ecx, ecx
		jz	short loc_7B757B
		movzx	eax, ds:byte_A4079E[esi*8]
		dec	eax
		test	eax, edi
		jnz	loc_7B76C6
		lea	eax, [edi+ecx]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	loc_8ECCE1
		cmp	eax, edi
		jb	loc_8ECCE1

loc_7B757B:				; CODE XREF: NtManagePartition+AFj
					; NtManagePartition+135844j
		push	ecx		; size_t
		push	edi		; void *
		lea	eax, [ebp+var_9C]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7B7593:				; CODE XREF: NtManagePartition+9Fj
					; NtManagePartition+1F4j
		push	ecx
		lea	eax, [ebp+var_A0]
		push	eax
		push	704D7350h
		mov	ebx, [ebp+var_B4]
		push	ebx
		mov	edx, ds:_PspPartitionInfoDetails[esi*8]
		mov	ecx, [ebp+var_B8]
		call	_PsReferencePartitionByHandle@24 ; PsReferencePartitionByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7B764E
		mov	[ebp+var_A1], 1
		mov	eax, [ebp+arg_8]
		test	ds:byte_A4079F[eax*8], 4
		jnz	loc_8ECD10
		cmp	[ebp+var_AC], 0
		jnz	loc_8ECD59

loc_7B75E8:				; CODE XREF: NtManagePartition+1358C6j
		jmp	ds:off_7B76CC[eax*4]

loc_7B75EF:				; DATA XREF: PAGE:off_7B76CCo
		lea	edx, [ebp+var_9C]
		mov	ecx, [ebp+var_A0]
		call	MmManagePartitionMemoryInformation
NtManagePartition endp

; START	OF FUNCTION CHUNK FOR sub_7B76AF

loc_7B7600:				; CODE XREF: sub_7B76AF+12j
					; sub_8ECD6B+19j ...
		mov	esi, eax
		test	esi, esi
		js	short loc_7B764E
		mov	eax, [ebp+10h]
		test	ds:byte_A4079F[eax*8], 2
		jz	short loc_7B764E
		cmp	byte ptr [ebp-0A3h], 0
		jz	short loc_7B7699
		mov	dword ptr [ebp-4], 1
		movzx	eax, ds:byte_A4079E[eax*8]
		push	eax
		mov	ebx, [ebp+18h]
		push	ebx
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	ebx		; size_t
		lea	eax, [ebp-9Ch]
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_7B7647:				; CODE XREF: PAGE:008ECD0Bj
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7B764E:				; CODE XREF: NtManagePartition+11Dj
					; sub_7B76AF-ABj ...
		cmp	byte ptr [ebp-0A1h], 0
		jz	short loc_7B7662
		mov	ecx, [ebp-0A0h]
		call	PsDereferencePartition

loc_7B7662:				; CODE XREF: sub_7B76AF-5Aj
		cmp	byte ptr [ebp-0A2h], 0
		jnz	loc_8ECE34

loc_7B766F:				; CODE XREF: sub_7B76AF+135790j
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; END OF FUNCTION CHUNK	FOR sub_7B76AF
; 
; START	OF FUNCTION CHUNK FOR NtManagePartition

loc_7B7683:				; CODE XREF: NtManagePartition+A3j
		push	ecx		; size_t
		push	edi		; void *
		lea	eax, [ebp+var_9C]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_7B7593
; END OF FUNCTION CHUNK	FOR NtManagePartition
; 
; START	OF FUNCTION CHUNK FOR sub_7B76AF

loc_7B7699:				; CODE XREF: sub_7B76AF-95j
		mov	ebx, [ebp+18h]
		push	ebx		; size_t
		lea	eax, [ebp-9Ch]
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_7B764E
; END OF FUNCTION CHUNK	FOR sub_7B76AF

;  S U B	R O U T	I N E 


sub_7B76AF	proc near		; CODE XREF: NtManagePartition:loc_7B75E8j
					; DATA XREF: PAGE:007B76E0o

; FUNCTION CHUNK AT 007B7600 SIZE 00000083 BYTES
; FUNCTION CHUNK AT 007B7699 SIZE 00000016 BYTES
; FUNCTION CHUNK AT 008ECE34 SIZE 00000010 BYTES

		push	ebx
		lea	edx, [ebp-9Ch]
		mov	ecx, [ebp-0A0h]
		call	MmManagePartitionGetMemoryEvents
		jmp	loc_7B7600
sub_7B76AF	endp

; 
; START	OF FUNCTION CHUNK FOR NtManagePartition

loc_7B76C6:				; CODE XREF: NtManagePartition+BCj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		nop
; END OF FUNCTION CHUNK	FOR NtManagePartition
; 
off_7B76CC	dd offset loc_7B75EF	; DATA XREF: NtManagePartition:loc_7B75E8r
		dd offset sub_8ECD6B
		dd offset sub_8ECD89
		dd offset sub_8ECDAC
		dd offset sub_8ECDC4
		dd offset sub_7B76AF
		dd offset sub_8ECDDC
		dd offset sub_8ECDF3
		dd offset sub_8ECE0A

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReferencePartitionByHandle(x, x, x, x, x,	x)
_PsReferencePartitionByHandle@24 proc near ; CODE XREF:	EtwpSetPartitionContext(x,x)+4Ap
					; NtManagePartition+114p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		mov	[ebp+var_4], edi
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_7B772B

loc_7B7704:				; CODE XREF: PsReferencePartitionByHandle(x,x,x,x,x,x)+3Ej
		mov	ecx, ds:_PspSystemPartition
		mov	[ebp+var_4], ecx

loc_7B770D:				; CODE XREF: PsReferencePartitionByHandle(x,x,x,x,x,x)+5Fj
		call	PsReferencePartitionSafe
		mov	ecx, [ebp+var_4]
		test	al, al
		jz	short loc_7B7760
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx

loc_7B771E:				; CODE XREF: PsReferencePartitionByHandle(x,x,x,x,x,x)+75j
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_7B7751

loc_7B7723:				; CODE XREF: PsReferencePartitionByHandle(x,x,x,x,x,x)+64j
					; PsReferencePartitionByHandle(x,x,x,x,x,x)+6Ej
		mov	eax, edi

loc_7B7725:				; CODE XREF: PsReferencePartitionByHandle(x,x,x,x,x,x)+5Aj
		pop	edi
		pop	esi
		leave
		retn	10h
; 

loc_7B772B:				; CODE XREF: PsReferencePartitionByHandle(x,x,x,x,x,x)+12j
		cmp	esi, 0FFFFFFFEh
		jz	short loc_7B7704
		push	edi
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ds:_PsPartitionType
		push	edx
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7B7725
		mov	ecx, [ebp+var_4]
		jmp	short loc_7B770D
; 

loc_7B7751:				; CODE XREF: PsReferencePartitionByHandle(x,x,x,x,x,x)+31j
		cmp	esi, 0FFFFFFFEh
		jz	short loc_7B7723
		mov	edx, [ebp+arg_4]
		call	ObfDereferenceObjectWithTag
		jmp	short loc_7B7723
; 

loc_7B7760:				; CODE XREF: PsReferencePartitionByHandle(x,x,x,x,x,x)+27j
		mov	edi, 0C00004A0h
		jmp	short loc_7B771E
_PsReferencePartitionByHandle@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmManagePartitionMemoryInformation proc	near ; CODE XREF: NtManagePartition+15Bp
					; VfUtilGetAvailableSystemPages(x)+64p	...

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_74		= dword	ptr -74h
var_54		= dword	ptr -54h
var_30		= dword	ptr -30h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008ECE44 SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0A4h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ecx]
		lea	eax, [esp+0ACh+var_88]
		push	edi
		xor	edi, edi
		mov	ebx, edx
		push	58h		; size_t
		push	edi		; int
		push	eax		; void *
		mov	[esp+0BCh+var_8C], ebx
		mov	[esp+0BCh+var_94], edi
		call	_memset
		add	esp, 0Ch
		mov	[esp+0B0h+var_A0], esi
		cmp	[ebx], edi
		jnz	loc_8ECE4C
		mov	ecx, [ebx+4]
		movzx	eax, ds:_KeNumberNodes
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_8ECE44

loc_7B77C4:				; CODE XREF: MmManagePartitionMemoryInformation+1356DEj
		cmp	dword ptr [ebx+8], 0FFFFFFFFh
		jnz	loc_8ECE4C
		lea	edx, [ebx+54h]
		lea	edi, [ebx+34h]

loc_7B77D4:				; CODE XREF: MmManagePartitionMemoryInformation+23Ej
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_8ECE6E
		movzx	eax, ds:_KeNumberNodes
		lea	edx, [esp+0B0h+var_88]
		mov	[ebx+0Ch], eax
		mov	ecx, esi
		mov	eax, [esi+1000h]
		mov	[ebx+10h], eax
		mov	eax, [esi+10BCh]
		mov	[ebx+14h], eax
		mov	eax, [esi+1114h]
		mov	[ebx+18h], eax
		mov	eax, [esi+0D80h]
		mov	[ebx+1Ch], eax
		mov	eax, esi
		sub	eax, offset _MiSystemPartition
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, dword_6D301C
		mov	[ebx+78h], eax
		call	MiQueryMemoryListInformation
		mov	edx, [esp+0B0h+var_A0]
		lea	esi, [esp+0B0h+var_74]
		push	8
		pop	ecx
		rep movsd
		push	8
		pop	ecx
		lea	esi, [esp+0B0h+var_54]
		lea	edi, [ebx+54h]
		rep movsd
		mov	eax, [edx+0D84h]
		mov	[ebx+74h], eax
		nop
		mov	ecx, [ebx+18h]
		cmp	ecx, [ebx+74h]
		ja	loc_8ECE56

loc_7B785B:				; CODE XREF: MmManagePartitionMemoryInformation+1356F1j
		mov	eax, [ebx+14h]
		cmp	[ebx+1Ch], eax
		jb	loc_8ECE5E

loc_7B7867:				; CODE XREF: MmManagePartitionMemoryInformation+1356F9j
		cmp	eax, ecx
		ja	loc_8ECE66

loc_7B786F:				; CODE XREF: MmManagePartitionMemoryInformation+135701j
		movzx	edi, ds:_KeNumberNodes
		xor	esi, esi

loc_7B7878:				; CODE XREF: MmManagePartitionMemoryInformation+135733j
		and	dword ptr [ebx+28h], 0
		xor	eax, eax
		and	dword ptr [ebx+2Ch], 0
		and	dword ptr [ebx+30h], 0
		and	dword ptr [ebx+20h], 0
		and	[esp+0B0h+var_A4], eax
		and	[esp+0B0h+var_9C], eax
		imul	ecx, esi, 280h
		add	ecx, [edx+10h]
		xor	edx, edx
		cmp	esi, edi
		jnb	loc_7B7946
		lea	eax, [ecx+1DCh]
		mov	[esp+0B0h+var_98], eax

loc_7B78AF:				; CODE XREF: MmManagePartitionMemoryInformation+1D4j
		mov	ecx, [esp+0B0h+var_A0]
		lea	eax, [esp+0B0h+var_94]
		push	eax
		push	esi
		lea	edx, [esp+0B8h+var_30]
		call	MiGetChannelInformation
		mov	eax, [esp+0B0h+var_94]
		xor	edx, edx
		push	28h
		pop	ecx
		div	ecx
		mov	edx, [ebx+30h]
		mov	ecx, eax
		mov	eax, [ebx+28h]
		mov	[esp+0B0h+var_A4], eax
		mov	eax, [ebx+2Ch]
		mov	[esp+0B0h+var_9C], ecx
		mov	[esp+0B0h+var_90], eax
		test	ecx, ecx
		jz	short loc_7B7914
		mov	ebx, [esp+0B0h+var_A4]
		lea	ecx, [esp+0B0h+var_18]

loc_7B78F6:				; CODE XREF: MmManagePartitionMemoryInformation+19Ej
		add	ebx, [ecx-8]
		add	eax, [ecx]
		lea	ecx, [ecx+28h]
		add	edx, [ecx-20h]
		sub	[esp+0B0h+var_9C], 1
		jnz	short loc_7B78F6
		mov	[esp+0B0h+var_A4], ebx
		mov	ebx, [esp+0B0h+var_8C]
		mov	[esp+0B0h+var_90], eax

loc_7B7914:				; CODE XREF: MmManagePartitionMemoryInformation+181j
		mov	ecx, [esp+0B0h+var_A4]
		mov	[ebx+2Ch], eax
		mov	eax, [esp+0B0h+var_98]
		add	[esp+0B0h+var_98], 280h
		mov	[ebx+28h], ecx
		mov	[ebx+30h], edx
		mov	eax, [eax]
		add	eax, [ebx+20h]
		inc	esi
		mov	[esp+0B0h+var_9C], eax
		mov	[ebx+20h], eax
		cmp	esi, edi
		jb	loc_7B78AF
		mov	eax, [esp+0B0h+var_90]

loc_7B7946:				; CODE XREF: MmManagePartitionMemoryInformation+137j
		mov	ecx, [ebx+4]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_7B79AB
		and	dword ptr [ebx+30h], 0
		lea	esi, [ebx+34h]
		push	8
		xor	edx, edx
		pop	edi

loc_7B795A:				; CODE XREF: MmManagePartitionMemoryInformation+1FDj
		add	edx, [esi]
		lea	esi, [esi+4]
		mov	[ebx+30h], edx
		sub	edi, 1
		jnz	short loc_7B795A
		mov	eax, [ebx+2Ch]
		mov	esi, [ebx+28h]
		mov	edi, [ebx+20h]

loc_7B7970:				; CODE XREF: MmManagePartitionMemoryInformation+24Bj
		add	eax, esi
		add	eax, edx
		lea	edx, [ebx+54h]
		cmp	eax, edi
		mov	[ebx+24h], eax
		lea	edi, [ebx+34h]
		ja	short loc_7B79A2
		mov	eax, [esp+0B0h+var_A0]
		movzx	eax, word ptr [eax]
		mov	[ebx+7Ch], eax
		xor	eax, eax

loc_7B798D:				; CODE XREF: MmManagePartitionMemoryInformation+1356E9j
		mov	ecx, [esp+0B0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7B79A2:				; CODE XREF: MmManagePartitionMemoryInformation+217j
		mov	esi, [esp+0B0h+var_A0]
		jmp	loc_7B77D4
; 

loc_7B79AB:				; CODE XREF: MmManagePartitionMemoryInformation+1E4j
		mov	esi, [esp+0B0h+var_A4]
		mov	edi, [esp+0B0h+var_9C]
		jmp	short loc_7B7970
MmManagePartitionMemoryInformation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetChannelInformation	proc near	; CODE XREF: MmManagePartitionMemoryInformation+158p
					; MmGetChannelInformation(x,x,x,x)+40p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008ECEA0 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		mov	[ebp+var_10], ecx
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		imul	eax, esi, 280h
		push	edi
		mov	edi, edx
		mov	edx, ebx
		add	eax, [ecx+10h]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 28h
		call	_MiLockDynamicMemoryExclusive@8	; MiLockDynamicMemoryExclusive(x,x)
		dec	word ptr [ebx+13Eh]
		nop
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		add	eax, 1FCh
		mov	ecx, eax
		mov	[ebp+arg_4], eax
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+arg_0]
		and	dword ptr [edi], 0
		test	byte ptr [ecx+1F0h], 1
		jnz	loc_8ECEA0
		or	dword ptr [edi+4], 0FFFFFFFFh

loc_7B7A2A:				; CODE XREF: MiGetChannelInformation+1354FCj
					; MiGetChannelInformation+135504j
		mov	eax, [ecx+1D8h]
		xor	edx, edx
		mov	ecx, [ebp+var_10]
		and	dword ptr [edi+0Ch], 0
		mov	[edi+8], eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		call	_MiGetNodeChannelPageCounts@24 ; MiGetNodeChannelPageCounts(x,x,x,x,x,x)
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		mov	esi, [ebp+arg_4]
		xor	edx, edx
		mov	[edi+10h], eax
		mov	eax, [ebp+var_8]
		mov	[edi+18h], eax
		mov	eax, [ebp+var_C]
		push	11h
		mov	[edi+20h], eax
		mov	[edi+14h], ecx
		mov	[edi+1Ch], ecx
		mov	[edi+24h], ecx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_7B7A9B

loc_7B7A7C:				; CODE XREF: MiGetChannelInformation+ECj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp+var_10]
		mov	edx, ebx
		call	MiUnlockDynamicMemoryExclusive
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7B7A9B:				; CODE XREF: MiGetChannelInformation+C4j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7B7A7C
MiGetChannelInformation	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpRpCHashGrow	proc near		; CODE XREF: PfpRpCHashAddEntries+1A0p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008ECEBF SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, edx
		mov	[ebp+var_24], edi
		nop
		lea	esi, [ecx+4Ch]
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_28], esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+0Ch]
		mov	ebx, [edi+8]
		add	eax, eax
		cmp	eax, ebx
		jb	loc_8ECEC9
		add	ebx, ebx
		cmp	ebx, 8
		jb	loc_7B7CA0

loc_7B7AEC:				; CODE XREF: PfpRpCHashGrow+1FFj
		mov	ecx, [edi+4]
		push	48436650h
		shl	ebx, cl
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_8ECEBF
		mov	esi, edi
		xor	edx, edx
		lea	edi, [ebp+var_48]
		inc	edx
		or	eax, 0FFFFFFFFh
		movsd
		movsd
		movsd
		movsd
		mov	ecx, [ebp+var_44]
		mov	esi, eax
		shl	edx, cl
		mov	[ebp+var_8], edx
		mov	ecx, edx
		test	edx, edx
		jz	short loc_7B7B2D

loc_7B7B28:				; CODE XREF: PfpRpCHashGrow+87j
		inc	esi
		shr	ecx, 1
		jnz	short loc_7B7B28

loc_7B7B2D:				; CODE XREF: PfpRpCHashGrow+82j
		lea	ecx, [edx-1]
		test	ecx, edx
		jz	short loc_7B7B35
		inc	esi

loc_7B7B35:				; CODE XREF: PfpRpCHashGrow+8Ej
		mov	ecx, esi
		shr	ebx, cl
		mov	[ebp+var_10], ebx
		lea	ecx, [ebx-1]
		test	ecx, ebx
		jz	short loc_7B7B56
		test	ebx, ebx
		jz	short loc_7B7B4C

loc_7B7B47:				; CODE XREF: PfpRpCHashGrow+A6j
		inc	eax
		shr	ebx, 1
		jnz	short loc_7B7B47

loc_7B7B4C:				; CODE XREF: PfpRpCHashGrow+A1j
		xor	ebx, ebx
		mov	ecx, eax
		inc	ebx
		shl	ebx, cl
		mov	[ebp+var_10], ebx

loc_7B7B56:				; CODE XREF: PfpRpCHashGrow+9Dj
		mov	edi, [ebp+var_4]
		mov	ecx, esi
		mov	eax, ebx
		mov	[ebp+var_34], esi
		shl	eax, cl
		xor	edx, edx
		push	eax		; size_t
		push	edx		; int
		push	edi		; void *
		mov	[ebp+var_2C], edx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_38], edi
		call	_memset
		mov	eax, [ebp+var_40]
		add	esp, 0Ch
		mov	edi, [ebp+var_48]
		mov	ecx, [ebp+var_44]
		shl	eax, cl
		add	eax, edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], eax
		cmp	edi, eax
		jnb	short loc_7B7BC6
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_14]

loc_7B7B95:				; CODE XREF: PfpRpCHashGrow+120j
		mov	edx, [edi]
		mov	[ebp+var_1C], edx
		test	edx, edx
		jz	short loc_7B7BBD
		mov	[ebp+var_C], edx
		test	ebx, ebx
		jnz	short loc_7B7C23
		xor	eax, eax

loc_7B7BA7:				; CODE XREF: PfpRpCHashGrow+1BBj
					; PfpRpCHashGrow+1E9j
		push	[ebp+var_8]	; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		inc	[ebp+var_2C]
		mov	ecx, [ebp+var_14]

loc_7B7BBD:				; CODE XREF: PfpRpCHashGrow+F8j
		add	edi, eax
		mov	[ebp+var_18], edi
		cmp	edi, ecx
		jb	short loc_7B7B95

loc_7B7BC6:				; CODE XREF: PfpRpCHashGrow+E9j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	edi, [ebp+var_24]
		lea	esi, [ebp+var_38]
		mov	edx, [ebp+var_48]
		movsd
		movsd
		movsd
		movsd
		test	edx, edx
		jz	short loc_7B7BF8
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx]
		mov	[edx], eax
		mov	[ecx], edx

loc_7B7BF8:				; CODE XREF: PfpRpCHashGrow+149j
		mov	esi, [ebp+var_28]
		xor	ebx, ebx

loc_7B7BFD:				; CODE XREF: PfpRpCHashGrow+135420j
					; PfpRpCHashGrow+13543Fj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7B7CA8

loc_7B7C0E:				; CODE XREF: PfpRpCHashGrow+20Bj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_7B7C23:				; CODE XREF: PfpRpCHashGrow+FFj
		movzx	eax, dl
		imul	ecx, eax, 25h
		movzx	eax, dh
		xor	edx, edx
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_C+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_C+3]
		imul	ecx, 25h
		add	eax, 164B2F3Fh
		add	eax, ecx
		lea	ecx, [ebx-1]
		mov	[ebp+var_20], ecx
		and	ecx, eax
		mov	eax, ecx
		mov	[ebp+var_C], ecx
		mov	ecx, esi
		shl	eax, cl
		add	eax, [ebp+var_4]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	loc_7B7BA7
		mov	edi, [ebp+var_1C]
		mov	ebx, [ebp+var_C]

loc_7B7C6B:				; CODE XREF: PfpRpCHashGrow+1E1j
		cmp	ecx, edi
		jz	short loc_7B7C87
		test	edx, edx
		jz	short loc_7B7C92

loc_7B7C73:				; CODE XREF: PfpRpCHashGrow+1F7j
					; PfpRpCHashGrow+1FAj
		add	ebx, edx
		mov	ecx, esi
		and	ebx, [ebp+var_20]
		mov	eax, ebx
		shl	eax, cl
		add	eax, [ebp+var_4]
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_7B7C6B

loc_7B7C87:				; CODE XREF: PfpRpCHashGrow+1C9j
		mov	ebx, [ebp+var_10]
		mov	edi, [ebp+var_18]
		jmp	loc_7B7BA7
; 

loc_7B7C92:				; CODE XREF: PfpRpCHashGrow+1CDj
		imul	edx, edi, 9E3779B1h
		test	dl, 1
		jnz	short loc_7B7C73
		inc	edx
		jmp	short loc_7B7C73
; 

loc_7B7CA0:				; CODE XREF: PfpRpCHashGrow+42j
		push	8
		pop	ebx
		jmp	loc_7B7AEC
; 

loc_7B7CA8:				; CODE XREF: PfpRpCHashGrow+164j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7B7C0E
PfpRpCHashGrow	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnOperationProcess proc near		; CODE XREF: PfSnSetPrefetcherInformation+1DEp

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= word ptr -48h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008ECEE8 SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		xor	esi, esi
		lea	eax, [esp+6Ch+var_48]
		push	esi		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		mov	[esp+68h+var_54], esi
		cmp	byte ptr [ebx],	1
		mov	edi, esi
		mov	[esp+68h+var_58], edi
		jnz	loc_8ECF05
		mov	cl, [ebx+1]
		cmp	cl, 2
		jnb	loc_8ECF05
		cmp	[ebx+2], si
		jnz	loc_8ECF05
		mov	eax, [ebx+4]
		test	cl, 1
		jz	loc_7B7DD0
		cmp	eax, 2

loc_7B7D19:				; CODE XREF: PfSnOperationProcess+127j
		jnb	loc_8ECEE8
		xor	ecx, ecx
		lea	edx, [esp+68h+var_54]
		inc	ecx
		call	_PfSnCheckScenario@8 ; PfSnCheckScenario(x,x)
		test	eax, eax
		js	loc_7B7DBC
		mov	eax, large fs:124h
		lea	ecx, [esp+68h+var_58]
		push	ecx
		mov	eax, [eax+80h]
		push	eax
		mov	[esp+70h+var_50], eax
		call	PfCalculateProcessHash
		mov	edi, [esp+68h+var_58]
		mov	esi, eax
		test	esi, esi
		js	short loc_7B7DB0
		lea	edx, [esp+68h+var_4C]
		mov	ecx, edi
		call	_PfSnFindImageFileName@8 ; PfSnFindImageFileName(x,x)
		test	eax, eax
		jz	loc_8ECEFB
		mov	esi, [esp+68h+var_50]
		push	dword ptr [esi+1DCh]
		push	eax		; char
		push	offset ??_C@_1BM@LEAOIFGH@?$AAO?$AAp?$AA?9?$AA?$CF?$AA?4?$AA1?$AA7?$AAs?$AA?9?$AA?$CF?$AA0?$AA8?$AAX@NNGAKEGL@ ; "Op-%.17s-%08X"
		lea	eax, [esp+74h+var_48]
		push	3Ch		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	eax, [ebx+8]
		add	esp, 14h
		mov	[esp+68h+var_C], eax
		mov	eax, [ebx+4]
		mov	edx, eax
		and	edx, 1
		test	byte ptr [ebx+1], 1
		jz	short loc_7B7DE0
		lea	eax, [esp+68h+var_48]
		add	edx, 8
		push	eax		; void *
		mov	ecx, esi
		call	_PfSnEndProcessTrace@12	; PfSnEndProcessTrace(x,x,x)

loc_7B7DAE:				; CODE XREF: PfSnOperationProcess+14Bj
		xor	esi, esi

loc_7B7DB0:				; CODE XREF: PfSnOperationProcess+A2j
					; PfSnOperationProcess+13524Cj	...
		test	edi, edi
		jz	short loc_7B7DBC
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7B7DBC:				; CODE XREF: PfSnOperationProcess+79j
					; PfSnOperationProcess+FEj ...
		mov	ecx, [esp+68h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7B7DD0:				; CODE XREF: PfSnOperationProcess+5Cj
		test	al, 4
		jnz	loc_8ECEF2

loc_7B7DD8:				; CODE XREF: PfSnOperationProcess+135242j
		cmp	eax, 8
		jmp	loc_7B7D19
; 

loc_7B7DE0:				; CODE XREF: PfSnOperationProcess+E9j
		test	al, 2
		jnz	short loc_7B7E06
		cmp	[esp+68h+var_54], 2
		jz	short loc_7B7E06
		test	al, 4
		jnz	short loc_7B7E01

loc_7B7DEF:				; CODE XREF: PfSnOperationProcess+150j
					; PfSnOperationProcess+155j
		push	0
		push	edx
		push	1
		lea	edx, [esp+74h+var_48]
		mov	ecx, esi
		call	PfSnBeginScenario
		jmp	short loc_7B7DAE
; 

loc_7B7E01:				; CODE XREF: PfSnOperationProcess+139j
		or	edx, 4
		jmp	short loc_7B7DEF
; 

loc_7B7E06:				; CODE XREF: PfSnOperationProcess+12Ej
					; PfSnOperationProcess+135j
		or	edx, 2
		jmp	short loc_7B7DEF
PfSnOperationProcess endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopQueryInformation(x, x, x, x, x)
_IopQueryInformation@20	proc near	; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+C03p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A2FE8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_20], edx
		mov	edi, ecx
		mov	[ebp+var_1C], 0
		cmp	byte ptr [edi+80h], 0
		jz	loc_7B7EEF
		lea	eax, [ebp+var_1C]
		push	eax
		push	edx
		call	_FsRtlGetSupportedFeatures@8 ; FsRtlGetSupportedFeatures(x,x)
		test	eax, eax
		js	loc_7B800A
		test	byte ptr [ebp+var_1C], 4
		jnz	short loc_7B7E92
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	0
		xor	eax, eax
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7B7E92:				; CODE XREF: IopQueryInformation(x,x,x,x,x)+64j
		mov	esi, [ebp+arg_0]
		dec	byte ptr [esi+23h]
		add	dword ptr [esi+60h], 0FFFFFFDCh
		mov	eax, [edi+78h]
		push	eax
		lea	eax, [edi+7Ch]
		push	eax
		mov	eax, [edi+48h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp+var_20]
		call	_FsRtlQueryOpen@20 ; FsRtlQueryOpen(x,x,x,x,x)
		mov	ebx, eax
		inc	byte ptr [esi+23h]
		add	dword ptr [esi+60h], 24h
		mov	ecx, [esi+3Ch]
		mov	[edi+68h], ecx
		test	ebx, ebx
		js	short loc_7B7ED7
		mov	dword ptr [edi+10h], 0BEAA0251h
		mov	ecx, [ebp+arg_8]
		mov	byte ptr [ecx],	1
		jmp	loc_7B8008
; 

loc_7B7ED7:				; CODE XREF: IopQueryInformation(x,x,x,x,x)+B3j
		cmp	ebx, 0C01C0004h
		jnz	loc_7B8008
		xor	ebx, ebx
		mov	eax, [ebp+arg_8]
		mov	[eax], bl
		jmp	loc_7B8008
; 

loc_7B7EEF:				; CODE XREF: IopQueryInformation(x,x,x,x,x)+48j
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	0
		xor	ebx, ebx
		mov	eax, [edx+8]
		mov	eax, [eax+28h]
		test	eax, eax
		jz	loc_7B8008
		cmp	dword ptr [eax], 60h
		jbe	loc_7B8008
		mov	eax, [eax+60h]
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_7B8008
		mov	esi, [ebp+arg_0]
		dec	byte ptr [esi+23h]
		add	dword ptr [esi+60h], 0FFFFFFDCh
		mov	eax, [ebp+arg_4]
		mov	[eax+14h], edx
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_7B7F3F
		call	_VfFastIoSnapState@0 ; VfFastIoSnapState()
		mov	edx, [ebp+var_20]
		jmp	short loc_7B7F41
; 

loc_7B7F3F:				; CODE XREF: IopQueryInformation(x,x,x,x,x)+123j
		xor	eax, eax

loc_7B7F41:				; CODE XREF: IopQueryInformation(x,x,x,x,x)+12Dj
		mov	[ebp+arg_0], eax
		push	edx
		mov	eax, [edi+44h]
		push	eax
		push	esi
		call	[ebp+var_24]
		mov	ecx, [ebp+arg_8]
		mov	[ecx], al
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_7B7F63
		mov	edx, [ebp+var_24]
		mov	ecx, eax
		call	_VfFastIoCheckState@8 ;	VfFastIoCheckState(x,x)

loc_7B7F63:				; CODE XREF: IopQueryInformation(x,x,x,x,x)+147j
		mov	eax, [esi+3Ch]
		mov	[edi+68h], eax
		mov	eax, [ebp+arg_8]
		cmp	[eax], bl
		jz	loc_7B8001
		mov	dword ptr [edi+10h], 0BEAA0251h
		cmp	[edi+57h], bl
		jnz	loc_7B8008
		mov	[ebp+var_4], ebx
		mov	eax, [edi+44h]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	eax, [edi+40h]
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	eax, [edi+44h]
		mov	ecx, [eax+8]
		mov	edx, [eax+0Ch]
		mov	eax, [edi+40h]
		mov	[eax+8], ecx
		mov	[eax+0Ch], edx
		mov	eax, [edi+44h]
		mov	ecx, [eax+10h]
		mov	edx, [eax+14h]
		mov	eax, [edi+40h]
		mov	[eax+10h], ecx
		mov	[eax+14h], edx
		mov	eax, [edi+44h]
		mov	ecx, [eax+18h]
		mov	edx, [eax+1Ch]
		mov	eax, [edi+40h]
		mov	[eax+18h], ecx
		mov	[eax+1Ch], edx
		mov	eax, [edi+44h]
		mov	ecx, [edi+40h]
		mov	eax, [eax+30h]
		mov	[ecx+20h], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_7B8008
; 

loc_7B7FE2:				; DATA XREF: .text:006A2FFCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		mov	eax, 1
		retn
; 

loc_7B7FF2:				; DATA XREF: .text:006A3000o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-28h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7B8008
; 

loc_7B8001:				; CODE XREF: IopQueryInformation(x,x,x,x,x)+15Ej
		add	dword ptr [esi+60h], 24h
		inc	byte ptr [esi+23h]

loc_7B8008:				; CODE XREF: IopQueryInformation(x,x,x,x,x)+C2j
					; IopQueryInformation(x,x,x,x,x)+CDj ...
		mov	eax, ebx

loc_7B800A:				; CODE XREF: IopQueryInformation(x,x,x,x,x)+5Aj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_IopQueryInformation@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCopyOffloadCapable proc near		; CODE XREF: PAGE:0081D1DBp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008ECF0F SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		test	dword ptr [ecx+2Ch], 800h
		push	esi
		mov	esi, edx
		jnz	loc_8ECF0F
		push	ecx
		call	IoGetRelatedDeviceObject

loc_7B803E:				; CODE XREF: IopCopyOffloadCapable+134EF9j
		lea	ecx, [ebp+var_4]
		push	ecx
		push	eax
		call	_FsRtlGetSupportedFeatures@8 ; FsRtlGetSupportedFeatures(x,x)
		test	eax, eax
		js	short loc_7B805E
		cmp	esi, 94264h
		jnz	loc_8ECF1C
		test	byte ptr [ebp+var_4], 1
		jz	short loc_7B8061

loc_7B805E:				; CODE XREF: IopCopyOffloadCapable+2Cj
					; IopCopyOffloadCapable+48j ...
		pop	esi
		leave
		retn
; 

loc_7B8061:				; CODE XREF: IopCopyOffloadCapable+3Ej
		mov	eax, 0C000A2A1h
		jmp	short loc_7B805E
IopCopyOffloadCapable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpProcessRemoveObjectQueue proc near	; DATA XREF: ObInitSystem+176o

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008ECF30 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	eax, offset _ObpRemoveObjectList
		push	edi
		inc	ebx

loc_7B8079:				; CODE XREF: ObpProcessRemoveObjectQueue+46j
					; ObpProcessRemoveObjectQueue+59j
		mov	esi, ebx
		xchg	esi, [eax]

loc_7B807D:				; CODE XREF: ObpProcessRemoveObjectQueue+7Cj
		mov	ecx, esi
		call	_OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO@4 ; OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO(x)
		test	eax, eax
		jnz	short loc_7B80E8

loc_7B8088:				; CODE XREF: ObpProcessRemoveObjectQueue+87j
		cmp	ds:_ObpTraceFlags, 0
		jnz	short loc_7B80F1

loc_7B8091:				; CODE XREF: ObpProcessRemoveObjectQueue+90j
		mov	edi, [esi+4]
		mov	dl, bl
		mov	ecx, esi
		call	ObpRemoveObjectRoutine
		mov	esi, edi
		test	edi, edi
		jnz	short loc_7B80E2

loc_7B80A3:				; CODE XREF: ObpProcessRemoveObjectQueue+7Ej
		mov	eax, offset _ObpRemoveObjectList
		cmp	_ObpRemoveObjectList, ebx
		jnz	short loc_7B8079
		xor	ecx, ecx
		mov	eax, ebx
		mov	edx, offset _ObpRemoveObjectList
		lock cmpxchg [edx], ecx
		cmp	eax, ebx
		mov	eax, edx
		jnz	short loc_7B8079
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		pop	edi
		pop	esi
		pop	ebx
		cmp	_ObpRemoveObjectWait, ecx
		jnz	loc_8ECF30

locret_7B80DE:				; CODE XREF: ObpProcessRemoveObjectQueue+134ED4j
		leave
		retn	4
; 

loc_7B80E2:				; CODE XREF: ObpProcessRemoveObjectQueue+39j
		cmp	edi, ebx
		jnz	short loc_7B807D
		jmp	short loc_7B80A3
; 

loc_7B80E8:				; CODE XREF: ObpProcessRemoveObjectQueue+1Ej
		mov	ecx, eax
		call	ObpHandleRevocationBlockRemoveObject
		jmp	short loc_7B8088
; 

loc_7B80F1:				; CODE XREF: ObpProcessRemoveObjectQueue+27j
		mov	ecx, esi
		call	_ObpDeregisterObject@4 ; ObpDeregisterObject(x)
		jmp	short loc_7B8091
ObpProcessRemoveObjectQueue endp

; 
		align 10h

;  S U B	R O U T	I N E 


ObpHandleRevocationBlockRemoveObject proc near ; CODE XREF: ObfDereferenceObject+76p
					; ObfDereferenceObjectWithTag+89p ...

; FUNCTION CHUNK AT 008ECF41 SIZE 0000000A BYTES

		mov	edx, [ecx+8]
		cmp	edx, 2
		ja	loc_8ECF41
		retn
ObpHandleRevocationBlockRemoveObject endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRecordParseKcbCacheResult(x, x, x)
_CmpRecordParseKcbCacheResult@12 proc near
					; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+769p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ecx, ecx
		jz	short loc_7B812E
		mov	al, [ebp+arg_0]
		mov	[ecx+84h], edx
		mov	[ecx+90h], al
		mov	[ecx+8Ch], edx

loc_7B812E:				; CODE XREF: CmpRecordParseKcbCacheResult(x,x,x)+7j
		pop	ebp
		retn	4
_CmpRecordParseKcbCacheResult@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall AlpciDestroyDeferredMessageContext(x)
_AlpciDestroyDeferredMessageContext@4 proc near	; CODE XREF: .text:0052AA6Dp
		mov	eax, large fs:124h
		push	esi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [esi]
		test	ecx, ecx
		jnz	short loc_7B8185

loc_7B8157:				; CODE XREF: AlpciDestroyDeferredMessageContext(x)+50j
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_7B816A
		call	ObfDereferenceObject
		mov	dword ptr [esi+4], 0

loc_7B816A:				; CODE XREF: AlpciDestroyDeferredMessageContext(x)+1Cj
		mov	eax, large fs:124h
		nop
		add	word ptr [eax+13Ch], 1
		pop	esi
		jnz	short locret_7B8184
		nop
		lea	ecx, [eax+70h]
		cmp	[ecx], ecx
		jnz	short loc_7B8192

locret_7B8184:				; CODE XREF: AlpciDestroyDeferredMessageContext(x)+3Aj
		retn
; 

loc_7B8185:				; CODE XREF: AlpciDestroyDeferredMessageContext(x)+15j
		call	ObfDereferenceObject
		mov	dword ptr [esi], 0
		jmp	short loc_7B8157
; 

loc_7B8192:				; CODE XREF: AlpciDestroyDeferredMessageContext(x)+42j
		cmp	word ptr [eax+13Eh], 0
		jz	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		retn
_AlpciDestroyDeferredMessageContext@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RtlpRegTziFormatToTzi(x, x)
_RtlpRegTziFormatToTzi@8 proc near	; CODE XREF: RtlpCheckDynamicTimeZoneInformation+86p
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	eax, [esi]
		lea	edx, [esi+0Ch]
		mov	[edi], eax
		lea	ecx, [edi+44h]
		mov	eax, [esi+4]
		mov	[edi+54h], eax
		mov	eax, [esi+8]
		mov	[edi+0A8h], eax
		call	_RtlpSystemTimeToTimeFields@8 ;	RtlpSystemTimeToTimeFields(x,x)
		lea	ecx, [edi+98h]
		pop	edi
		lea	edx, [esi+1Ch]
		pop	esi
		jmp	$+5
_RtlpRegTziFormatToTzi@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpSystemTimeToTimeFields(x, x)
_RtlpSystemTimeToTimeFields@8 proc near	; CODE XREF: RtlpRegTziFormatToTzi(x,x)+21p
		mov	ax, [edx]
		mov	[ecx], ax
		mov	ax, [edx+2]
		mov	[ecx+2], ax
		mov	ax, [edx+4]
		mov	[ecx+0Eh], ax
		mov	ax, [edx+6]
		mov	[ecx+4], ax
		mov	ax, [edx+8]
		mov	[ecx+6], ax
		mov	ax, [edx+0Ah]
		mov	[ecx+8], ax
		mov	ax, [edx+0Ch]
		mov	[ecx+0Ah], ax
		mov	ax, [edx+0Eh]
		mov	[ecx+0Ch], ax
		retn
_RtlpSystemTimeToTimeFields@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCheckDynamicTimeZoneInformation proc near
					; CODE XREF: ExpRefreshTimeZoneInformation(x)+22Fp

var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008ECF4B SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ECh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_30]
		mov	esi, ecx
		mov	edi, edx
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_E8], esi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_E4], ebx
		lea	ecx, [esi+0ACh]
		lea	edx, [ebp+var_E4]
		call	RtlpGetDynamicTimeZoneInfoHandle
		test	eax, eax
		jns	short loc_7B8277

loc_7B8266:				; CODE XREF: RtlpCheckDynamicTimeZoneInformation+B9j
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7B8277:				; CODE XREF: RtlpCheckDynamicTimeZoneInformation+4Cj
		mov	edx, [ebp+var_E4] ; int
		lea	ecx, [ebp+var_30] ; void *
		push	edi		; __int16
		call	RtlpFindRegTziForCurrentYear
		test	eax, eax
		js	short loc_7B82C6
		push	2Bh
		pop	ecx
		lea	edi, [ebp+var_E0]
		rep movsd
		lea	edx, [ebp+var_30]
		lea	ecx, [ebp+var_E0]
		call	_RtlpRegTziFormatToTzi@8 ; RtlpRegTziFormatToTzi(x,x)
		mov	edi, [ebp+var_E8]
		lea	eax, [ebp+var_E0]
		push	0ACh		; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8ECF4B

loc_7B82C6:				; CODE XREF: RtlpCheckDynamicTimeZoneInformation+70j
					; RtlpCheckDynamicTimeZoneInformation+134D40j
		push	[ebp+var_E4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_7B8266
RtlpCheckDynamicTimeZoneInformation endp

; 
		align 8
; Exported entry 2286. RtlQueryDynamicTimeZoneInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlQueryDynamicTimeZoneInformation(x)
		public _RtlQueryDynamicTimeZoneInformation@4
_RtlQueryDynamicTimeZoneInformation@4 proc near
					; CODE XREF: ExpRefreshTimeZoneInformation(x)+14Cp
					; ExpRefreshTimeZoneInformation(x)+18Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 1B0h
		call	_RtlpQueryTimeZoneInformationWorker@8 ;	RtlpQueryTimeZoneInformationWorker(x,x)
		pop	ebp
		retn	4
_RtlQueryDynamicTimeZoneInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlSetActiveTimeBias proc near		; CODE XREF: ExpRefreshTimeZoneInformation(x)+6DEp

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 007B831B SIZE 00000018 BYTES
; FUNCTION CHUNK AT 008ECF5D SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		mov	[ebp+var_C], ecx
		lea	edx, [ebp+var_4]
		xor	esi, esi
		mov	cl, 1
		push	edi
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		call	RtlpGetTimeZoneInfoHandle
		test	eax, eax
		jns	loc_8ECF5D

loc_7B8316:				; CODE XREF: RtlSetActiveTimeBias+43j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
RtlSetActiveTimeBias endp

; 
; START	OF FUNCTION CHUNK FOR RtlSetActiveTimeBias

loc_7B831B:				; CODE XREF: RtlSetActiveTimeBias+134CB5j
		mov	ecx, [ebp+var_8]
		cmp	ecx, [ebp+var_C]
		jnz	loc_8ECFA9

loc_7B8327:				; CODE XREF: RtlSetActiveTimeBias+134CCFj
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi
		jmp	short loc_7B8316
; END OF FUNCTION CHUNK	FOR RtlSetActiveTimeBias
; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpGetDynamicTimeZoneInfoHandle proc near
					; CODE XREF: RtlpCheckDynamicTimeZoneInformation+45p

var_208		= dword	ptr -208h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008ECFC2 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		mov	ebx, edx
		cmp	ax, [edi]
		jz	loc_8ECFC2
		lea	edx, [ebp+var_208]
		mov	ecx, offset _szTimeZonesSlash ;	"Time Zones\\"
		mov	eax, edx
		mov	esi, 100h
		sub	ecx, eax

loc_7B836F:				; CODE XREF: RtlpGetDynamicTimeZoneInfoHandle+57j
		lea	eax, [esi+7FFFFEFEh]
		test	eax, eax
		jz	short loc_7B838D
		movzx	eax, word ptr [ecx+edx]
		test	ax, ax
		jz	short loc_7B838D
		mov	[edx], ax
		add	edx, 2
		sub	esi, 1
		jnz	short loc_7B836F

loc_7B838D:				; CODE XREF: RtlpGetDynamicTimeZoneInfoHandle+43j
					; RtlpGetDynamicTimeZoneInfoHandle+4Cj
		test	esi, esi
		jz	short loc_7B83F7

loc_7B8391:				; CODE XREF: RtlpGetDynamicTimeZoneInfoHandle+C6j
		xor	eax, eax
		mov	[edx], ax
		mov	eax, esi
		neg	eax
		sbb	eax, eax
		and	eax, 7FFFFFFBh
		add	eax, 80000005h
		test	esi, esi
		jz	short loc_7B83E8
		mov	esi, 200h
		lea	ecx, [ebp+var_208]
		push	edi
		mov	edx, esi
		call	_RtlStringCbCatW@12 ; RtlStringCbCatW(x,x,x)
		test	eax, eax
		js	short loc_7B83E8
		push	offset _szSlashDynamicDst ; "\\Dynamic DST"
		mov	edx, esi
		lea	ecx, [ebp+var_208]
		call	_RtlStringCbCatW@12 ; RtlStringCbCatW(x,x,x)
		test	eax, eax
		js	short loc_7B83E8
		push	ebx
		push	0
		push	3
		lea	edx, [ebp+var_208]
		pop	ecx
		call	RtlpGetRegistryHandle

loc_7B83E8:				; CODE XREF: RtlpGetDynamicTimeZoneInfoHandle+74j
					; RtlpGetDynamicTimeZoneInfoHandle+8Bj	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7B83F7:				; CODE XREF: RtlpGetDynamicTimeZoneInfoHandle+5Bj
		sub	edx, 2
		jmp	short loc_7B8391
RtlpGetDynamicTimeZoneInfoHandle endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpFinalizeHeader proc	near		; CODE XREF: EtwpCreateLogFile+1CEp
					; EtwpLogger(x)+12Bp ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008ECFCC SIZE 00000098 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_22], dl
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_20]
		pop	ecx
		rep stosd
		xor	ecx, ecx
		lea	eax, [esi+48h]
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ecx
		cmp	[eax], eax
		jz	loc_7B8622

loc_7B8433:				; CODE XREF: EtwpFinalizeHeader+22Ej
					; EtwpFinalizeHeader+237j ...
		mov	bl, 1
		mov	[ebp+var_21], bl

loc_7B8438:				; CODE XREF: EtwpFinalizeHeader+24Ej
		push	3
		push	18h
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		push	dword ptr [esi+248h]
		call	_ZwQueryVolumeInformationFile@20 ; ZwQueryVolumeInformationFile(x,x,x,x,x)
		test	eax, eax
		js	loc_7B8613
		mov	eax, [ebp+var_C]
		mov	[ebp+var_3C], eax
		lea	ecx, [eax-1]
		add	eax, 177h
		not	ecx
		and	eax, ecx
		mov	[ebp+var_30], ecx
		test	bl, bl
		mov	[ebp+var_2C], eax
		mov	ebx, eax
		jz	short loc_7B8478
		mov	ebx, [esi+4]

loc_7B8478:				; CODE XREF: EtwpFinalizeHeader+77j
		push	50777445h
		lea	eax, [ebx+0FFFh]
		and	eax, 0FFFFF000h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8ECFCC
		xor	ecx, ecx
		lea	eax, [ebp+var_38]
		push	ecx
		push	eax
		push	[ebp+var_2C]
		lea	eax, [ebp+var_44]
		mov	[ebp+var_38], ecx
		push	edi
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	dword ptr [esi+248h]
		mov	[ebp+var_34], ecx
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_28], eax
		test	eax, eax
		js	loc_7B8606
		and	[ebp+var_34], 0
		cmp	[ebp+var_22], 0
		mov	ecx, [ebp+var_2C]
		mov	[ebp+var_38], ecx
		jnz	short loc_7B851C
		mov	eax, [esi+0B0h]
		mov	ecx, esi
		mov	[edi+8Ch], eax
		call	EtwpQueryUsedProcessorCount
		mov	[edi+74h], eax
		mov	eax, [esi+0A8h]
		add	[edi+98h], eax
		lea	eax, [edi+78h]
		push	eax
		call	_KeQuerySystemTimePrecise@4 ; KeQuerySystemTimePrecise(x)
		mov	eax, [esi+0B4h]
		add	[edi+174h], eax
		movzx	eax, word ptr _NtBuildNumber
		mov	[edi+70h], eax
		mov	ecx, [ebp+var_38]

loc_7B851C:				; CODE XREF: EtwpFinalizeHeader+DAj
		mov	eax, [edi+4]
		mov	[ebp+var_2C], eax
		cmp	eax, ecx
		jbe	short loc_7B8570
		cmp	[ebp+var_21], 0
		jz	loc_7B85BA
		cmp	eax, ebx
		jnb	loc_8ECFD6

loc_7B8538:				; CODE XREF: EtwpFinalizeHeader+134BDCj
		mov	edx, [ebp+var_3C]
		sub	eax, ecx
		push	0
		dec	edx
		add	eax, edx
		lea	edx, [ebp+var_38]
		and	eax, [ebp+var_30]
		push	edx
		push	eax
		lea	eax, [ecx+edi]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	dword ptr [esi+248h]
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_28], eax
		test	eax, eax
		js	loc_7B8606
		mov	eax, [ebp+var_2C]

loc_7B8570:				; CODE XREF: EtwpFinalizeHeader+128j
		cmp	[ebp+var_21], 0
		jz	short loc_7B85BA
		cmp	eax, ebx
		jnb	short loc_7B85BA
		cmp	eax, 178h
		jb	short loc_7B85BA
		mov	[edi+30h], eax
		cmp	dword ptr [esi+368h], 0
		jnz	loc_8ECFDD

loc_7B8591:				; CODE XREF: EtwpFinalizeHeader+134BEBj
		lea	eax, [esi+48h]
		cmp	[eax], eax
		jz	loc_8ECFEC

loc_7B859C:				; CODE XREF: EtwpFinalizeHeader+134BFAj
		push	3
		lea	eax, [edi+58h]
		mov	edx, edi
		push	eax
		push	ebx
		mov	ecx, esi
		call	EtwpAddDebugInfoEvents

loc_7B85AC:				; CODE XREF: EtwpFinalizeHeader+134BF4j
		lea	eax, [esi+2C8h]
		cmp	[eax], eax
		jnz	loc_8ECFFB

loc_7B85BA:				; CODE XREF: EtwpFinalizeHeader+12Ej
					; EtwpFinalizeHeader+178j ...
		xor	edx, edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], edx
		mov	eax, [edi+30h]
		cmp	eax, ebx
		jnb	loc_7B864F

loc_7B85CD:				; CODE XREF: EtwpFinalizeHeader+255j
		push	edx
		lea	ecx, [ebp+var_38]
		push	ecx
		mov	ecx, [ebp+var_3C]
		dec	ecx
		add	eax, ecx
		and	eax, [ebp+var_30]
		push	eax
		push	edi
		lea	eax, [ebp+var_44]
		push	eax
		push	edx
		push	edx
		push	edx
		push	dword ptr [esi+248h]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		cmp	[ebp+var_22], 0
		mov	[ebp+var_28], eax
		jnz	short loc_7B8606
		test	eax, eax
		js	short loc_7B8606
		test	byte ptr [esi+0Ch], 20h
		jnz	loc_8ED00C

loc_7B8606:				; CODE XREF: EtwpFinalizeHeader+C6j
					; EtwpFinalizeHeader+16Bj ...
		mov	esi, [ebp+var_28]

loc_7B8609:				; CODE XREF: EtwpFinalizeHeader+134C63j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_7B8613:				; CODE XREF: EtwpFinalizeHeader+55j
					; EtwpFinalizeHeader+134BD5j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7B8622:				; CODE XREF: EtwpFinalizeHeader+31j
		lea	eax, [esi+2C8h]
		cmp	[eax], eax
		jnz	loc_7B8433
		cmp	[esi+54h], ecx
		jnz	loc_7B8433
		cmp	[esi+368h], ecx
		jnz	loc_7B8433
		mov	bl, cl
		mov	[ebp+var_21], cl
		jmp	loc_7B8438
; 

loc_7B864F:				; CODE XREF: EtwpFinalizeHeader+1CBj
		mov	eax, ebx
		jmp	loc_7B85CD
EtwpFinalizeHeader endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpAddDebugInfoEvents proc near	; CODE XREF: EtwpFinalizeHeader+1ABp
					; EtwpAddLogHeader+50Bp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008ED064 SIZE 00000080 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], eax
		xor	ecx, ecx
		mov	[ebp+var_10], esi
		sub	ebx, [eax+30h]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+arg_0], ebx
		test	edi, edi
		jz	loc_8ED064

loc_7B868A:				; CODE XREF: EtwpAddDebugInfoEvents+134A14j
		mov	edx, [ebp+arg_8]
		mov	eax, edx
		and	eax, 2
		mov	[ebp+var_18], eax
		jz	short loc_7B86A7
		lea	ecx, [esi+1F0h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+arg_8]

loc_7B86A7:				; CODE XREF: EtwpAddDebugInfoEvents+3Fj
		test	dl, 1
		jz	short loc_7B86EB
		lea	eax, [esi+48h]
		cmp	[eax], eax
		jz	short loc_7B86EB
		mov	ecx, offset _NtBuildLabEx
		lea	edx, [ecx+1]

loc_7B86BB:				; CODE XREF: EtwpAddDebugInfoEvents+6Aj
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_7B86BB
		sub	ecx, edx
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	ebx		; int
		lea	eax, [ecx+1]
		mov	ecx, [ebp+var_C]
		push	eax		; size_t
		push	offset _NtBuildLabEx ; void *
		push	edi		; int
		push	42h
		pop	edx
		call	_EtwpAddEventToBuffer@28 ; EtwpAddEventToBuffer(x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_7B8741
		sub	ebx, [ebp+var_4]
		mov	edx, [ebp+arg_8]
		mov	[ebp+arg_0], ebx

loc_7B86EB:				; CODE XREF: EtwpAddDebugInfoEvents+54j
					; EtwpAddDebugInfoEvents+5Bj
		and	edx, 4
		mov	[ebp+arg_8], edx
		jnz	loc_8ED06F
		mov	eax, [esi+54h]
		mov	[ebp+var_8], eax

loc_7B86FD:				; CODE XREF: EtwpAddDebugInfoEvents+134A2Dj
					; EtwpAddDebugInfoEvents+134A3Dj
		test	eax, eax
		jnz	loc_8ED098

loc_7B8705:				; CODE XREF: EtwpAddDebugInfoEvents+134A23j
					; EtwpAddDebugInfoEvents+134A89j
		lea	edi, [esi+48h]
		mov	esi, [edi]

loc_7B870A:				; CODE XREF: EtwpAddDebugInfoEvents+E6j
		cmp	esi, edi
		jz	short loc_7B873E
		test	edx, edx
		jnz	short loc_7B8771

loc_7B8712:				; CODE XREF: EtwpAddDebugInfoEvents+121j
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		push	eax		; int
		mov	eax, [esi+0Ch]
		push	ebx		; int
		sub	eax, 4
		push	eax		; size_t
		lea	eax, [esi+14h]
		push	eax		; void *
		push	[ebp+arg_4]	; int
		push	40h
		pop	edx
		call	_EtwpAddEventToBuffer@28 ; EtwpAddEventToBuffer(x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_7B873E
		sub	ebx, [ebp+var_4]
		mov	edx, [ebp+arg_8]

loc_7B873A:				; CODE XREF: EtwpAddDebugInfoEvents+11Fj
		mov	esi, [esi]
		jmp	short loc_7B870A
; 

loc_7B873E:				; CODE XREF: EtwpAddDebugInfoEvents+B6j
					; EtwpAddDebugInfoEvents+DCj
		mov	esi, [ebp+var_10]

loc_7B8741:				; CODE XREF: EtwpAddDebugInfoEvents+8Aj
		cmp	[ebp+var_18], 0
		jz	short loc_7B8761
		add	esi, 1F0h
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7B8768

loc_7B875A:				; CODE XREF: EtwpAddDebugInfoEvents+119j
		mov	ecx, esi
		call	KeAbPostRelease

loc_7B8761:				; CODE XREF: EtwpAddDebugInfoEvents+EFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7B8768:				; CODE XREF: EtwpAddDebugInfoEvents+102j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7B875A
; 

loc_7B8771:				; CODE XREF: EtwpAddDebugInfoEvents+BAj
		cmp	byte ptr [esi+8], 0
		jnz	short loc_7B873A
		jmp	short loc_7B8712
EtwpAddDebugInfoEvents endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpAddEventToBuffer(int,void *,size_t,int,int)
_EtwpAddEventToBuffer@28 proc near	; CODE XREF: EtwpAddLastDroppedEvent(x,x,x)+43p
					; EtwpAddDebugInfoEvents+83p ...

var_2		= word ptr -2
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_2], dx
		lea	ecx, [ebx+10h]
		lea	esi, [ecx+7]
		and	esi, 0FFFFFFF8h
		mov	[eax], esi
		cmp	esi, [ebp+arg_C]
		ja	short loc_7B87EE
		mov	edx, [edi+30h]
		lea	eax, [edx+esi]
		mov	[edi+30h], eax
		lea	esi, [edi+10h]
		mov	ax, [ebp+var_2]
		add	esi, edx
		cmp	[ebp+arg_4], 0
		mov	[edx+edi+4], cx
		mov	ecx, [ebp+arg_0]
		mov	dword ptr [edx+edi], 0C0100002h
		mov	[edx+edi+6], ax
		mov	eax, [ecx]
		mov	[edx+edi+8], eax
		mov	eax, [ecx+4]
		mov	[edx+edi+0Ch], eax
		jz	short loc_7B87E5
		push	ebx		; size_t
		push	[ebp+arg_4]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_7B87E5:				; CODE XREF: EtwpAddEventToBuffer(x,x,x,x,x,x,x)+5Cj
		mov	eax, esi

loc_7B87E7:				; CODE XREF: EtwpAddEventToBuffer(x,x,x,x,x,x,x)+76j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7B87EE:				; CODE XREF: EtwpAddEventToBuffer(x,x,x,x,x,x,x)+23j
		xor	eax, eax
		jmp	short loc_7B87E7
_EtwpAddEventToBuffer@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpCreateLogFile proc near		; CODE XREF: EtwpStartLogger+622p
					; EtwpLogger(x)+1F2p ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_33		= byte ptr -33h
var_32		= byte ptr -32h
var_31		= dword	ptr -31h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008ED0E4 SIZE 000000BC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	ebx, ecx
		mov	[ebp+var_39], dl
		xor	edx, edx
		lea	edi, [ebp+var_31+1]
		pop	ecx
		xor	eax, eax
		mov	byte ptr [ebp+var_31], dl
		rep stosd
		push	edx
		lea	eax, [ebp+var_48]
		mov	[ebp+var_40], edx
		push	eax
		mov	[ebp+var_33], dl
		mov	[ebp+var_32], dl
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], edx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	byte ptr [ebx+258h], 4
		jz	loc_7B8A86
		push	0FFFFFFFCh
		pop	ecx
		lea	eax, [ebx+25Ch]
		lock and [eax],	ecx
		xor	edx, edx
		cmp	[ebx+68h], edx
		jz	loc_8ED0E4

loc_7B885E:				; CODE XREF: EtwpCreateLogFile+1348FBj
		or	esi, 0FFFFFFFFh
		cmp	[ebx+78h], edx
		jnz	loc_7B89B1
		test	byte ptr [ebx+258h], 2
		jnz	loc_7B8A47

loc_7B8877:				; CODE XREF: EtwpCreateLogFile+28Fj
		mov	eax, [ebx+64h]
		mov	ecx, [ebx+68h]

loc_7B887D:				; CODE XREF: EtwpCreateLogFile+1C5j
		test	byte ptr [ebx+0Ch], 4
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], ecx
		jnz	loc_8ED106

loc_7B888D:				; CODE XREF: EtwpCreateLogFile+134918j
		mov	eax, [ebx+258h]
		shr	eax, 1
		and	al, 1
		cmp	[ebp+var_39], 1
		mov	[ebp+var_38], eax
		jz	loc_7B896D

loc_7B88A4:				; CODE XREF: EtwpCreateLogFile+181j
					; EtwpCreateLogFile+1A1j
		push	eax
		mov	eax, [ebx+0Ch]
		lea	edx, [ebp+var_50]
		shr	eax, 1Ah
		lea	ecx, [ebp+var_40]
		not	al
		xor	edi, edi
		and	al, 1
		push	edi
		movzx	eax, al
		push	eax
		lea	eax, [ebp+var_31]
		push	eax
		call	EtwpDelayCreate
		cmp	[ebp+var_32], 1
		mov	[ebp+var_38], eax
		jz	loc_7B8998

loc_7B88D2:				; CODE XREF: EtwpCreateLogFile+1BAj
		mov	edi, [ebp+var_40]
		test	eax, eax
		js	loc_7B8A3A
		push	4
		push	28h
		lea	eax, [ebp+var_31+1]
		mov	[ebp+var_10], 2000h
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		push	edi
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		cmp	dword ptr [ebx+248h], 0
		jnz	loc_7B89BC
		and	[ebp+var_40], 0
		mov	[ebp+var_33], 1

loc_7B890B:				; CODE XREF: EtwpCreateLogFile+1DCj
		cmp	dword ptr [ebx+78h], 0
		mov	[ebx+248h], edi
		jnz	loc_7B89D3

loc_7B891B:				; CODE XREF: EtwpCreateLogFile+22Cj
		mov	dl, byte ptr [ebp+var_31]
		mov	ecx, ebx
		call	EtwpUpdateFileHeader
		mov	[ebp+var_38], eax
		test	eax, eax
		js	loc_8ED123
		cmp	[ebp+var_33], 0
		jz	loc_7B8A23

loc_7B893A:				; CODE XREF: EtwpCreateLogFile+23Dj
		xor	edi, edi
		mov	eax, [ebp+var_40]
		test	eax, eax
		jnz	loc_7B8A34

loc_7B8947:				; CODE XREF: EtwpCreateLogFile+24Aj
					; EtwpCreateLogFile+13494Cj ...
		mov	edi, [ebp+var_38]

loc_7B894A:				; CODE XREF: EtwpCreateLogFile+19Cj
		lea	eax, [ebx+74h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, edi

loc_7B895E:				; CODE XREF: EtwpCreateLogFile+296j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7B896D:				; CODE XREF: EtwpCreateLogFile+ACj
		cmp	[ebx+204h], edx
		jz	loc_7B88A4
		push	edx
		lea	eax, [ebx+1F8h]
		push	eax
		call	_SeImpersonateClientEx@8 ; SeImpersonateClientEx(x,x)
		mov	edi, eax
		mov	[ebp+var_32], 1
		test	edi, edi
		js	short loc_7B894A
		mov	eax, [ebp+var_38]
		jmp	loc_7B88A4
; 

loc_7B8998:				; CODE XREF: EtwpCreateLogFile+DAj
		mov	eax, large fs:124h
		push	2
		push	edi
		push	edi
		push	edi
		push	eax
		call	PsImpersonateClient
		mov	eax, [ebp+var_38]
		jmp	loc_7B88D2
; 

loc_7B89B1:				; CODE XREF: EtwpCreateLogFile+72j
		mov	eax, [ebx+74h]
		mov	ecx, [ebx+78h]
		jmp	loc_7B887D
; 

loc_7B89BC:				; CODE XREF: EtwpCreateLogFile+10Bj
		xor	dl, dl
		mov	ecx, ebx
		call	EtwpFinalizeHeader
		mov	eax, [ebx+248h]
		mov	[ebp+var_40], eax
		jmp	loc_7B890B
; 

loc_7B89D3:				; CODE XREF: EtwpCreateLogFile+123j
		lea	ecx, [ebx+1F0h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebx+64h]
		mov	[ebp+var_48], eax
		mov	eax, [ebx+68h]
		mov	[ebp+var_44], eax
		mov	eax, [ebx+74h]
		mov	[ebx+64h], eax
		mov	eax, [ebx+78h]
		mov	[ebx+68h], eax
		mov	eax, esi
		lea	esi, [ebx+1F0h]
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_8ED10F

loc_7B8A0C:				; CODE XREF: EtwpCreateLogFile+13491Fj
					; EtwpCreateLogFile+13492Cj
		mov	ecx, esi
		call	KeAbPostRelease
		push	0
		lea	eax, [ebx+74h]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_7B891B
; 

loc_7B8A23:				; CODE XREF: EtwpCreateLogFile+142j
		xor	edx, edx
		mov	ecx, ebx
		push	0
		inc	edx
		call	_EtwpSendSessionNotification@12	; EtwpSendSessionNotification(x,x,x)
		jmp	loc_7B893A
; 

loc_7B8A34:				; CODE XREF: EtwpCreateLogFile+14Fj
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_7B8A3A:				; CODE XREF: EtwpCreateLogFile+E5j
					; EtwpCreateLogFile+13493Aj
		test	edi, edi
		jz	loc_7B8947
		jmp	loc_8ED131
; 

loc_7B8A47:				; CODE XREF: EtwpCreateLogFile+7Fj
		lea	edi, [ebx+1F0h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [ebx+5Ch]
		xor	cl, cl
		push	eax
		push	dword ptr [ebx+0DCh]
		lea	edx, [ebx+64h]
		call	EtwpExpandFileName
		mov	eax, esi
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_8ED0F2

loc_7B8A78:				; CODE XREF: EtwpCreateLogFile+134902j
					; EtwpCreateLogFile+13490Fj
		mov	ecx, edi
		call	KeAbPostRelease
		xor	edx, edx
		jmp	loc_7B8877
; 

loc_7B8A86:				; CODE XREF: EtwpCreateLogFile+4Fj
					; EtwpCreateLogFile+1348F5j
		xor	eax, eax
		jmp	loc_7B895E
EtwpCreateLogFile endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpUpdateFileHeader proc near		; CODE XREF: EtwpCreateLogFile+12Ep

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008ED1A0 SIZE 00000221 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [ebp+var_20]
		pop	ecx
		xor	eax, eax
		mov	bl, dl
		and	[ebp+var_48], eax
		and	[ebp+var_44], eax
		push	6
		rep stosd
		pop	ecx
		push	3
		lea	edi, [ebp+var_38]
		mov	[ebp+var_39], bl
		rep stosd
		push	18h
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		push	dword ptr [esi+248h]
		call	_ZwQueryVolumeInformationFile@20 ; ZwQueryVolumeInformationFile(x,x,x,x,x)
		test	eax, eax
		js	loc_7B8B99
		mov	ecx, [ebp+var_24]
		mov	[ebp+var_64], ecx
		lea	eax, [ecx-1]
		test	bl, bl
		jnz	loc_8ED1A0
		mov	edi, [esi+4]
		mov	[ebp+var_40], edi
		test	eax, edi
		jnz	loc_8ED1B2

loc_7B8B00:				; CODE XREF: EtwpUpdateFileHeader+13471Fj
		push	50777445h
		lea	eax, [edi+0FFFh]
		and	eax, 0FFFFF000h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8ED1BC
		cmp	[ebp+var_39], 0
		jnz	loc_8ED1C6
		mov	edx, ebx
		mov	ecx, esi
		call	EtwpInitializeBufferHeader
		push	4
		pop	edx
		mov	ecx, ebx
		call	@EtwpResetBufferHeader@8 ; EtwpResetBufferHeader(x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	EtwpAddLogHeader
		xor	ecx, ecx
		lea	eax, [ebp+var_48]
		push	ecx
		push	ecx
		push	edi
		push	ebx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	dword ptr [esi+248h]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7B8B8F
		test	byte ptr [esi+0Ch], 20h
		jnz	short loc_7B8BA8

loc_7B8B6C:				; CODE XREF: EtwpUpdateFileHeader+148j
		test	edi, edi
		js	short loc_7B8B8F
		xor	eax, eax
		inc	eax
		mov	[esi+0B0h], eax
		mov	[esi+80h], eax
		mov	eax, [ebp+var_40]

loc_7B8B82:				; CODE XREF: EtwpUpdateFileHeader+13490Cj
		and	dword ptr [esi+94h], 0
		mov	[esi+90h], eax

loc_7B8B8F:				; CODE XREF: EtwpUpdateFileHeader+D6j
					; EtwpUpdateFileHeader+E0j ...
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi

loc_7B8B99:				; CODE XREF: EtwpUpdateFileHeader+4Dj
					; EtwpUpdateFileHeader+134729j	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7B8BA8:				; CODE XREF: EtwpUpdateFileHeader+DCj
		and	[ebp+var_60], 0
		mov	ecx, esi
		and	[ebp+var_5C], 0
		call	_EtwpQueryMaximumFileSize@4 ; EtwpQueryMaximumFileSize(x)
		push	14h
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_50]
		push	8
		push	eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_4C], edx
		push	eax
		push	dword ptr [esi+248h]
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		mov	edi, eax
		jmp	short loc_7B8B6C
EtwpUpdateFileHeader endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpAddLogHeader proc near		; CODE XREF: EtwpUpdateFileHeader+B5p
					; EtwpPreserveLogger(x)+E2p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008ED3C1 SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		xor	eax, eax
		mov	[esp+54h+var_50], edx
		push	ebx
		mov	[esp+58h+var_24], eax
		mov	ebx, ecx
		mov	[esp+58h+var_48], eax
		mov	ecx, 114h
		mov	[esp+58h+var_44], eax
		push	esi
		push	edi
		lea	edi, [esp+60h+var_10]
		mov	[esp+60h+var_54], ebx
		stosd
		stosd
		stosd
		mov	ax, [ebx+5Ch]
		add	ax, [ebx+64h]
		add	ax, cx
		movzx	esi, ax
		mov	eax, esi
		mov	[esp+60h+var_3C], eax
		add	eax, 68h
		cmp	[ebx+4], eax
		jb	loc_7B9030
		lea	eax, [esp+60h+var_24]
		push	eax
		lea	eax, [esp+64h+var_10]
		push	eax
		push	0Ch
		push	19h
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	loc_8ED3C1

loc_7B8C51:				; CODE XREF: EtwpAddLogHeader+1347F2j
		mov	ecx, large fs:124h
		xor	eax, eax
		mov	edi, [esp+70h+var_60]
		push	[esp+70h+var_4C] ; size_t
		mov	[esp+74h+var_48], ecx
		push	0		; int
		mov	[edi+4Eh], ax
		lea	eax, [esi+20h]
		mov	[edi+4Ch], ax
		lea	esi, [edi+68h]
		mov	dword ptr [edi+48h], 0C0010002h
		mov	eax, [ecx+2B0h]
		mov	[edi+50h], eax
		mov	eax, [ecx+2ACh]
		mov	[edi+54h], eax
		mov	eax, [ecx+194h]
		mov	[edi+60h], eax
		mov	eax, [ecx+1C0h]
		lea	ecx, [ebx+0F0h]
		mov	[edi+64h], eax
		mov	eax, [ecx]
		mov	[edi+58h], eax
		mov	eax, [ecx+4]
		push	esi		; void *
		mov	[esp+7Ch+var_24], ecx
		mov	[edi+5Ch], eax
		call	_memset
		mov	eax, [ebx+4]
		add	esp, 0Ch
		mov	[esi], eax
		mov	ecx, ebx
		mov	word ptr [edi+6Ch], 0Ah
		movzx	eax, word ptr _NtBuildNumber
		mov	[edi+70h], eax
		call	EtwpQueryUsedProcessorCount
		mov	[edi+74h], eax
		test	dword ptr [ebx+0Ch], 4000000h
		push	5
		pop	ecx
		jnz	loc_8ED3CF
		cmp	dword ptr [ebx+4], 100000h
		ja	loc_8ED3CF
		cmp	eax, 100h
		ja	loc_8ED3CF
		mov	al, cl
		mov	cl, 1

loc_7B8D0A:				; CODE XREF: EtwpAddLogHeader+1347FBj
		mov	[edi+6Eh], cl
		mov	[edi+6Fh], al
		mov	dword ptr [edi+90h], 1
		mov	eax, [ebx+0Ch]
		and	eax, 0FF3FFEFFh
		mov	[edi+88h], eax
		mov	eax, [ebx+0D8h]
		mov	[edi+84h], eax
		mov	eax, ds:_KeMaximumIncrement
		mov	[edi+80h], eax
		mov	eax, _EtwCPUSpeedInMHz
		mov	[edi+9Ch], eax
		lea	eax, [esp+70h+var_58]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	edi, [esp+74h+var_5C]
		mov	eax, [esp+74h+var_58]
		mov	[esp+74h+var_2C], edi
		mov	[esp+74h+var_34], eax

loc_7B8D65:				; CODE XREF: EtwpAddLogHeader+1BEj
					; EtwpAddLogHeader+1C4j
		mov	esi, _EtwPerfFreq
		mov	eax, esi
		mov	ecx, dword_6BC154
		mov	edx, ecx
		mov	[esp+74h+var_60], ecx
		mov	[esp+74h+var_30], offset _EtwPerfFreq
		nop
		mov	ecx, [esp+74h+var_34]
		mov	ebx, edi
		mov	edi, [esp+74h+var_30]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [esp+74h+var_2C]
		cmp	eax, esi
		jnz	short loc_7B8D65
		cmp	edx, [esp+74h+var_60]
		jnz	short loc_7B8D65
		mov	edi, [esp+74h+var_64]
		mov	esi, [esp+74h+var_68]
		mov	eax, [esp+74h+var_5C]
		push	4
		mov	[edi+160h], eax
		mov	eax, [esp+78h+var_58]
		mov	[edi+164h], eax
		mov	eax, [esi+0E8h]
		mov	[edi+168h], eax
		mov	eax, [esi+0ECh]
		mov	[edi+16Ch], eax
		mov	eax, _EtwpBootTime
		mov	[edi+158h], eax
		mov	eax, dword_6BC194
		pop	ecx
		mov	[edi+15Ch], eax
		mov	[edi+94h], ecx
		mov	eax, [esi+7Ch]
		cmp	eax, ecx
		jz	loc_8ED3D8

loc_7B8DFC:				; CODE XREF: EtwpAddLogHeader+134803j
		mov	[edi+170h], eax
		lea	ecx, [edi+17Ah]
		mov	eax, [esp+74h+var_20]
		lea	ebx, [edi+0A8h]
		mov	[edi+0A0h], eax
		mov	edx, 0ACh
		mov	eax, [esp+74h+var_1C]
		mov	[edi+0A4h], eax
		movzx	eax, word ptr [esi+5Ch]
		add	eax, ecx
		mov	ecx, ebx
		mov	[esp+74h+var_60], eax
		call	_RtlpQueryTimeZoneInformationWorker@8 ;	RtlpQueryTimeZoneInformationWorker(x,x)
		lea	esi, [ebx+44h]
		lea	edi, [esp+74h+var_48]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [esp+74h+var_48]
		lea	edi, [esp+74h+var_48]
		mov	edx, [esp+74h+var_3C]
		mov	[ebx+44h], ax
		mov	ecx, [esp+74h+var_44]
		shr	eax, 10h
		mov	[ebx+46h], ax
		mov	eax, edx
		mov	[ebx+4Ah], cx
		shr	eax, 10h
		mov	[ebx+48h], ax
		mov	eax, [esp+74h+var_40]
		mov	[ebx+4Eh], ax
		mov	[ebx+52h], dx
		shr	eax, 10h
		mov	[ebx+50h], ax
		shr	ecx, 10h
		mov	[ebx+4Ch], cx
		mov	ebx, [esp+74h+var_64]
		add	ebx, 140h
		mov	esi, ebx
		movsd
		movsd
		movsd
		movsd
		mov	eax, [esp+74h+var_48]
		mov	edx, [esp+74h+var_3C]
		mov	ecx, [esp+74h+var_44]
		mov	esi, [esp+74h+var_68]
		mov	[ebx], ax
		shr	eax, 10h
		mov	[ebx+2], ax
		mov	eax, edx
		shr	eax, 10h
		mov	[ebx+4], ax
		mov	eax, [esp+74h+var_40]
		mov	[ebx+0Ah], ax
		mov	[ebx+6], cx
		shr	eax, 10h
		mov	[ebx+0Ch], ax
		shr	ecx, 10h
		mov	[ebx+8], cx
		mov	[ebx+0Eh], dx
		movzx	eax, word ptr [esi+5Ch]
		mov	ebx, [esp+74h+var_64]
		add	eax, 2
		push	eax		; size_t
		push	dword ptr [esi+60h] ; void *
		lea	eax, [ebx+178h]
		push	eax		; void *
		call	_memcpy
		movzx	eax, word ptr [esi+64h]
		add	esp, 0Ch
		add	eax, 2
		push	eax		; size_t
		push	dword ptr [esi+68h] ; void *
		push	[esp+7Ch+var_60] ; void	*
		call	_memcpy
		mov	eax, [esp+80h+var_50]
		add	esp, 0Ch
		add	eax, 27h
		and	eax, 0FFFFFFF8h
		add	eax, [ebx+8]
		mov	[ebx+8], eax
		test	dword ptr [esi+0Ch], 2000000h
		push	50h
		pop	edx
		jnz	loc_7B9042

loc_7B8F2B:				; CODE XREF: EtwpAddLogHeader+472j
					; EtwpAddLogHeader+4FAj
		mov	eax, [ebx+8]
		add	eax, 50h
		cmp	eax, [ebx]
		ja	loc_8ED3E0
		mov	ecx, [ebx+8]
		add	ecx, ebx
		push	50h
		mov	[ecx+6], dx
		lea	edi, [ecx+30h]
		mov	[ecx+4], dx
		mov	edx, [esp+78h+var_4C]
		mov	dword ptr [ecx], 0C0010002h
		mov	eax, [edx+2B0h]
		mov	[ecx+8], eax
		mov	eax, [edx+2ACh]
		mov	[ecx+0Ch], eax
		mov	eax, [edx+194h]
		mov	[ecx+18h], eax
		mov	eax, [edx+1C0h]
		lea	edx, [esi+0F0h]
		mov	[ecx+1Ch], eax
		mov	eax, [edx]
		mov	[ecx+10h], eax
		mov	eax, [edx+4]
		mov	[ecx+14h], eax
		xor	eax, eax
		mov	[ecx+20h], eax
		mov	eax, [esi+2E4h]
		mov	edx, [esp+78h+var_68]
		mov	eax, [eax+910h]
		mov	[ecx+24h], eax
		mov	esi, [esi+2E4h]
		add	esi, 8E0h
		movsd
		movsd
		movsd
		movsd
		mov	eax, [edx+358h]
		lea	edi, [ecx+40h]
		mov	[ecx+28h], eax
		mov	eax, [edx+35Ch]
		mov	[ecx+2Ch], eax
		mov	esi, [edx+2E4h]
		add	esi, 8F0h
		pop	eax
		movsd
		movsd
		movsd
		movsd
		add	[ebx+8], eax

loc_7B8FDB:				; CODE XREF: EtwpAddLogHeader+13480Cj
		mov	eax, [ebx+8]
		mov	ecx, [ebx]
		push	3
		mov	[ebx+30h], eax
		pop	edi
		cmp	[ebx+8], ecx
		jnb	loc_8ED3FB
		lea	eax, [edx+48h]
		cmp	[eax], eax
		jnz	loc_7B90D7
		cmp	dword ptr [edx+54h], 0
		jnz	loc_7B90D7

loc_7B9004:				; CODE XREF: EtwpAddLogHeader+514j
		mov	esi, [esp+74h+var_68]
		lea	eax, [edx+2C8h]
		cmp	[eax], eax
		jnz	loc_8ED3E9

loc_7B9016:				; CODE XREF: EtwpAddLogHeader+13481Ej
					; EtwpAddLogHeader+134827j
		mov	eax, [ebx+30h]
		mov	edx, ebx
		push	1
		mov	ecx, esi
		mov	[ebx+4], eax
		mov	[ebx+2Ch], edi
		call	_EtwpPrepareHeader@12 ;	EtwpPrepareHeader(x,x,x)
		mov	eax, [ebx+8]
		mov	[ebx+4], eax

loc_7B9030:				; CODE XREF: EtwpAddLogHeader+57j
		mov	ecx, [esp+74h+var_18]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7B9042:				; CODE XREF: EtwpAddLogHeader+34Dj
		mov	eax, [ebx+8]
		add	eax, 44h
		cmp	eax, [ebx]
		ja	loc_7B8F2B
		mov	edx, [ebx+8]
		mov	ecx, [esp+74h+var_4C]
		add	edx, ebx
		push	5
		pop	eax
		push	44h
		mov	[edx+6], ax
		lea	edi, [edx+20h]
		mov	dword ptr [edx], 0C0010002h
		pop	eax
		mov	[edx+4], ax
		mov	eax, [ecx+2B0h]
		mov	[edx+8], eax
		mov	eax, [ecx+2ACh]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+194h]
		mov	[edx+18h], eax
		mov	eax, [ecx+1C0h]
		lea	ecx, [esi+0F0h]
		mov	[edx+1Ch], eax
		mov	eax, [ecx]
		mov	[edx+10h], eax
		mov	eax, [ecx+4]
		mov	[edx+14h], eax
		movzx	ecx, byte ptr [esi+25Ah]
		mov	esi, [esi+2E4h]
		shl	ecx, 5
		add	esi, 948h
		push	8
		add	esi, ecx
		pop	ecx
		push	50h
		pop	eax
		rep movsd
		mov	esi, [esp+74h+var_68]
		mov	[edx+40h], eax
		add	dword ptr [ebx+8], 48h
		push	eax
		pop	edx
		jmp	loc_7B8F2B
; 

loc_7B90D7:				; CODE XREF: EtwpAddLogHeader+41Cj
					; EtwpAddLogHeader+426j
		push	edi
		push	[esp+78h+var_28]
		mov	edx, ebx
		push	ecx
		mov	ecx, [esp+80h+var_68]
		call	EtwpAddDebugInfoEvents
		mov	edx, [esp+74h+var_68]
		jmp	loc_7B9004
EtwpAddLogHeader endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpQueryTimeZoneInformationWorker(x, x)
_RtlpQueryTimeZoneInformationWorker@8 proc near
					; CODE XREF: RtlQueryDynamicTimeZoneInformation(x)+Dp
					; EtwpAddLogHeader+25Bp ...

var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 144h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+144h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, edx
		mov	esi, ecx
		mov	[esp+150h+var_140], edi
		lea	edx, [esp+150h+var_140]
		mov	[esp+150h+var_138], edi
		xor	cl, cl
		mov	[esp+150h+var_134], edi
		mov	[esp+150h+var_13C], edi
		call	RtlpGetTimeZoneInfoHandle
		test	eax, eax
		js	loc_7B92BF
		push	ebx		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+150h+var_120]
		push	118h		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+150h+var_118], offset _szBias ; "Bias"
		lea	eax, [esi+4]
		mov	[esp+150h+var_114], esi
		mov	[esp+150h+var_12C], eax
		mov	edx, 4000000h
		xor	eax, eax
		mov	[esp+150h+var_110], edx
		mov	word ptr [esp+150h+var_130], ax
		mov	ecx, 120h
		push	40h
		pop	eax
		mov	word ptr [esp+150h+var_130+2], ax
		mov	edi, 1000000h
		lea	eax, [esp+150h+var_130]
		mov	[esp+150h+var_D8], edx
		mov	[esp+150h+var_F8], eax
		lea	eax, [esi+54h]
		mov	[esp+150h+var_DC], eax
		lea	eax, [esi+44h]
		push	0FFFFFFF0h
		mov	[esp+154h+var_C0], eax
		pop	edx
		mov	[eax], edx
		lea	eax, [esi+58h]
		mov	[esp+150h+var_124], eax
		xor	eax, eax
		mov	word ptr [esp+150h+var_128], ax
		mov	[esp+150h+var_11C], ecx
		mov	[esp+150h+var_100], ecx
		mov	[esp+150h+var_F4], edi
		mov	[esp+150h+var_E4], ecx
		mov	[esp+150h+var_C8], ecx
		mov	ecx, 3000000h
		mov	[esp+150h+var_A0], edi
		mov	edi, 120h
		mov	[esp+150h+var_FC], offset _szStandardName
		mov	[esp+150h+var_E0], offset _szStandardBias
		mov	[esp+150h+var_C4], offset _szStandardStart
		mov	[esp+150h+var_BC], ecx
		mov	[esp+150h+var_AC], 120h
		mov	[esp+150h+var_A8], offset _szDaylightName
		mov	[esp+150h+var_90], edi
		mov	[esp+150h+var_8C], offset _szDaylightBias
		mov	[esp+150h+var_84], 4000000h
		mov	[esp+150h+var_74], edi
		mov	[esp+150h+var_70], offset _szDaylightStart ; "DaylightStart"
		mov	[esp+150h+var_68], ecx
		push	40h
		pop	eax
		mov	word ptr [esp+150h+var_128+2], ax
		lea	eax, [esp+150h+var_128]
		mov	[esp+150h+var_A4], eax
		lea	eax, [esi+0A8h]
		mov	[esp+150h+var_88], eax
		lea	eax, [esi+98h]
		mov	[esp+150h+var_6C], eax
		mov	[eax], edx
		cmp	ebx, 1B0h
		jnb	short loc_7B92D4

loc_7B928A:				; CODE XREF: RtlpQueryTimeZoneInformationWorker(x,x)+245j
		mov	edx, [esp+150h+var_140]
		lea	eax, [esp+150h+var_120]
		push	1
		push	ecx
		push	0
		push	eax
		mov	ecx, 40000000h
		call	RtlpQueryRegistryValues
		mov	edi, eax
		test	edi, edi
		js	short loc_7B92B4
		cmp	ebx, 1B0h
		jnb	loc_7B933C

loc_7B92B4:				; CODE XREF: RtlpQueryTimeZoneInformationWorker(x,x)+1B4j
					; RtlpQueryTimeZoneInformationWorker(x,x)+258j
		push	[esp+150h+var_140]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, edi

loc_7B92BF:				; CODE XREF: RtlpQueryTimeZoneInformationWorker(x,x)+42j
		mov	ecx, [esp+150h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7B92D4:				; CODE XREF: RtlpQueryTimeZoneInformationWorker(x,x)+196j
		and	[esp+150h+var_4C], 0
		lea	eax, [esi+0ACh]
		mov	[esp+150h+var_134], eax
		lea	eax, [esp+150h+var_138]
		mov	[esp+150h+var_50], eax
		lea	eax, [esp+150h+var_13C]
		mov	[esp+150h+var_138], 1000000h
		mov	[esp+150h+var_5C], offset _RtlpQueryTimeZoneKeyNameRoutine@24 ;	RtlpQueryTimeZoneKeyNameRoutine(x,x,x,x,x,x)
		mov	[esp+150h+var_54], offset _szTimeZoneKeyName ; "TimeZoneKeyName"
		mov	[esp+150h+var_3C], edi
		mov	[esp+150h+var_38], offset _szDynamicDaylightDisabled
		mov	[esp+150h+var_34], eax
		mov	[esp+150h+var_30], 4000000h
		jmp	loc_7B928A
; 

loc_7B933C:				; CODE XREF: RtlpQueryTimeZoneInformationWorker(x,x)+1BCj
		cmp	[esp+150h+var_13C], 0
		setnz	cl
		mov	[esi+1ACh], cl
		jmp	loc_7B92B4
_RtlpQueryTimeZoneInformationWorker@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpGetTimeZoneInfoHandle proc near	; CODE XREF: RtlSetActiveTimeBias+1Bp
					; RtlpQueryTimeZoneInformationWorker(x,x)+3Bp ...

var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008ED404 SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 214h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+214h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2
		pop	ebx
		mov	edi, edx
		mov	esi, ecx
		cmp	dword_6CEA5C, ebx
		jnz	short loc_7B93A1

loc_7B937E:				; CODE XREF: RtlpGetTimeZoneInfoHandle+88j
					; RtlpGetTimeZoneInfoHandle+1340D0j
		push	edi
		push	esi
		mov	edx, offset ??_C@_1CI@GMLPCOJB@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@NNGAKEGL@ ; "TimeZoneInformation"
		mov	ecx, ebx
		call	RtlpGetRegistryHandle

loc_7B938C:				; CODE XREF: RtlpGetTimeZoneInfoHandle+80j
					; RtlpGetTimeZoneInfoHandle+1340D6j
		mov	ecx, [esp+220h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7B93A1:				; CODE XREF: RtlpGetTimeZoneInfoHandle+2Cj
		lea	eax, [esp+220h+var_214]
		push	eax		; int
		push	208h		; int
		lea	eax, [esp+228h+var_210]
		push	eax		; void *
		push	0		; int
		push	0		; void *
		push	offset ??_C@_1BK@CIGKBGGO@?$AAT?$AAa?$AAr?$AAg?$AAe?$AAt?$AAN?$AAt?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@ ; "TargetNtPath"
		push	offset ??_C@_1DI@PGKLJCOI@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@NNGAKEGL@	; "TimeZoneInformationSettings"
		call	RtlGetPersistedStateLocation
		test	eax, eax
		jns	loc_8ED404
		cmp	eax, 0C0000034h
		jnz	short loc_7B938C
		mov	dword_6CEA5C, ebx
		jmp	short loc_7B937E
RtlpGetTimeZoneInfoHandle endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipDeleteMethod(x)
_WmipDeleteMethod@4 proc near		; DATA XREF: WmipInitializeSecurity+1D5o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, offset _WmipSMMutex
		push	edi
		xor	edi, edi
		mov	ecx, [esi+28h]
		test	ecx, ecx
		jz	short loc_7B942D
		cmp	byte ptr [esi+64h], 0
		jnz	short loc_7B9460

loc_7B93F9:				; CODE XREF: WmipDeleteMethod(x)+8Ej
		push	edi
		push	edi
		push	edi
		push	edi
		push	ebx
		call	KeWaitForSingleObject
		lea	eax, [esi+20h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_7B946A
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_7B946A
		push	edi
		mov	[ecx], edx
		push	ebx
		mov	[edx+4], ecx
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	edx, [esi+28h]
		mov	ecx, offset _WmipGEChunkInfo
		call	WmipUnreferenceEntry

loc_7B942D:				; CODE XREF: WmipDeleteMethod(x)+17j
		test	byte ptr [esi+68h], 2
		jnz	short loc_7B9459
		mov	eax, [esi+3Ch]
		test	eax, eax
		jnz	short loc_7B946F

loc_7B943A:				; CODE XREF: WmipDeleteMethod(x)+9Cj
		mov	eax, [esi+50h]
		test	eax, eax
		jnz	short loc_7B9478

loc_7B9441:				; CODE XREF: WmipDeleteMethod(x)+A5j
		push	edi
		push	edi
		push	edi
		push	edi
		push	ebx
		call	KeWaitForSingleObject
		mov	ecx, esi
		call	WmipCompleteGuidIrpWithError
		push	edi
		push	ebx
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_7B9459:				; CODE XREF: WmipDeleteMethod(x)+57j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7B9460:				; CODE XREF: WmipDeleteMethod(x)+1Dj
		mov	edx, [esi+2Ch]
		call	_WmipDisableCollectOrEvent@8 ; WmipDisableCollectOrEvent(x,x)
		jmp	short loc_7B93F9
; 

loc_7B946A:				; CODE XREF: WmipDeleteMethod(x)+31j
					; WmipDeleteMethod(x)+38j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_7B946F:				; CODE XREF: WmipDeleteMethod(x)+5Ej
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7B943A
; 

loc_7B9478:				; CODE XREF: WmipDeleteMethod(x)+65j
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7B9441
_WmipDeleteMethod@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipInsertStaticNames proc near		; CODE XREF: WmipQueryAllData+254p
					; WmipIncludeStaticNames(x,x)+107p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008ED42B SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ebp+var_1C], edx
		mov	edi, ecx
		mov	[ebp+var_28], esi
		test	byte ptr [esi+8], 3
		jz	loc_7B95C1
		mov	eax, [esi+24h]
		lea	edx, [ebp+var_18]
		push	4
		mov	[ebp+var_24], eax
		mov	eax, [edi]
		pop	ecx
		mov	[ebp+var_18], eax
		call	_WmipAlign@8	; WmipAlign(x,x)
		test	al, al
		jz	loc_7B95C1
		push	ebx
		mov	ecx, esi
		call	_WmipStaticInstanceNameSize@4 ;	WmipStaticInstanceNameSize(x)
		mov	ebx, eax
		mov	eax, [ebp+var_18]
		mov	ecx, eax
		not	ecx
		cmp	ebx, ecx
		ja	loc_7B95C0
		lea	ecx, [ebx+eax]
		mov	[ebp+var_30], ecx
		cmp	ecx, [ebp+var_1C]
		ja	loc_8ED42B
		mov	ecx, [ebp+var_24]
		mov	[edi+38h], eax
		add	eax, edi
		mov	[ebp+var_20], eax
		lea	edx, [eax+ecx*4]
		mov	eax, [esi+8]
		mov	[ebp+var_1C], edx
		test	al, 1
		jz	loc_7B95D1
		test	eax, 20000h
		jz	short loc_7B951B
		or	dword ptr [edi+2Ch], 10000h

loc_7B951B:				; CODE XREF: WmipInsertStaticNames+90j
		and	[ebp+var_18], 0
		test	ecx, ecx
		jz	loc_7B95BB

loc_7B9527:				; CODE XREF: WmipInsertStaticNames+133j
		mov	ecx, [ebp+var_20]
		lea	esi, [edx+2]
		mov	eax, edx
		sub	ebx, 2
		sub	eax, edi
		mov	edx, ebx
		mov	[ecx], eax
		add	ecx, 4
		mov	eax, [ebp+var_28]
		mov	[ebp+var_20], ecx
		mov	ecx, esi
		mov	eax, [eax+30h]
		add	eax, 4
		push	eax
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		mov	ecx, [ebp+var_28]
		mov	eax, [ecx+30h]
		mov	eax, [eax]
		add	eax, [ebp+var_18]
		push	eax		; char
		push	offset ??_C@_15KNBIKKIN@?$AA?$CF?$AAd@NNGAKEGL@	; wchar_t *
		lea	eax, [ebp+var_14]
		push	0Eh		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		lea	eax, [ebp+var_14]
		mov	edx, ebx
		mov	ecx, esi
		push	eax
		call	_RtlStringCbCatW@12 ; RtlStringCbCatW(x,x,x)
		lea	edx, [esi+2]
		xor	ecx, ecx

loc_7B9580:				; CODE XREF: WmipInsertStaticNames+107j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, cx
		jnz	short loc_7B9580
		sub	esi, edx
		mov	edx, [ebp+var_1C]
		sar	esi, 1
		lea	ecx, ds:2[esi*2]
		mov	eax, ecx
		mov	[edx], cx
		shr	eax, 1
		sub	ebx, ecx
		lea	edx, [edx+eax*2]
		mov	eax, [ebp+var_18]
		add	edx, 2
		inc	eax
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], eax
		cmp	eax, [ebp+var_24]
		jb	loc_7B9527

loc_7B95BB:				; CODE XREF: WmipInsertStaticNames+9Fj
					; WmipInsertStaticNames+151j ...
		mov	eax, [ebp+var_30]
		mov	[edi], eax

loc_7B95C0:				; CODE XREF: WmipInsertStaticNames+5Aj
					; WmipInsertStaticNames+133FB9j
		pop	ebx

loc_7B95C1:				; CODE XREF: WmipInsertStaticNames+23j
					; WmipInsertStaticNames+41j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7B95D1:				; CODE XREF: WmipInsertStaticNames+85j
		test	al, 2
		jz	short loc_7B95BB
		xor	ecx, ecx
		mov	[ebp+var_18], ecx
		cmp	[ebp+var_24], ecx
		jbe	short loc_7B95BB

loc_7B95DF:				; CODE XREF: WmipInsertStaticNames+1CEj
		mov	esi, [ebp+var_20]
		mov	eax, edx
		sub	eax, edi
		add	[ebp+var_20], 4
		mov	[esi], eax
		mov	esi, [ebp+var_28]
		mov	eax, [esi+30h]
		mov	esi, [ebp+var_18]
		mov	eax, [eax+esi*4]
		mov	esi, eax
		mov	[ebp+var_2C], eax
		lea	eax, [esi+2]
		mov	[ebp+var_1C], eax

loc_7B9603:				; CODE XREF: WmipInsertStaticNames+18Aj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, cx
		jnz	short loc_7B9603
		sub	esi, [ebp+var_1C]
		sub	ebx, 2
		push	[ebp+var_2C]
		sar	esi, 1
		lea	esi, ds:2[esi*2]
		mov	[edx], si
		add	edx, 2
		mov	[ebp+var_1C], edx
		mov	edx, ebx
		mov	ecx, [ebp+var_1C]
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		mov	eax, [ebp+var_18]
		sub	ebx, esi
		mov	edx, [ebp+var_1C]
		shr	esi, 1
		inc	eax
		push	0
		mov	[ebp+var_18], eax
		pop	ecx
		lea	edx, [edx+esi*2]
		cmp	eax, [ebp+var_24]
		jnb	loc_7B95BB
		jmp	short loc_7B95DF
WmipInsertStaticNames endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipStaticInstanceNameSize(x)
_WmipStaticInstanceNameSize@4 proc near	; CODE XREF: WmipInsertStaticNames+4Ap
					; WmipQueryAllData+364p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		mov	edx, [esi+28h]
		test	edx, edx
		jz	short loc_7B9668

loc_7B9663:				; CODE XREF: WmipStaticInstanceNameSize(x)+53j
		mov	eax, edx
		pop	esi
		leave
		retn
; 

loc_7B9668:				; CODE XREF: WmipStaticInstanceNameSize(x)+Fj
		mov	eax, [esi+8]
		push	ebx
		push	edi
		mov	edi, [esi+24h]
		mov	edx, edi
		shl	edx, 2
		test	al, 1
		jz	short loc_7B96A7
		mov	ecx, [esi+30h]
		add	ecx, 4
		xor	ebx, ebx
		lea	eax, [ecx+2]
		mov	[ebp+var_4], eax

loc_7B9687:				; CODE XREF: WmipStaticInstanceNameSize(x)+3Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_7B9687
		sub	ecx, [ebp+var_4]
		sar	ecx, 1
		lea	eax, [ecx+8]
		imul	eax, edi
		lea	edx, [edx+eax*2]

loc_7B96A0:				; CODE XREF: WmipStaticInstanceNameSize(x)+57j
					; WmipStaticInstanceNameSize(x)+5Bj ...
		pop	edi
		mov	[esi+28h], edx
		pop	ebx
		jmp	short loc_7B9663
; 

loc_7B96A7:				; CODE XREF: WmipStaticInstanceNameSize(x)+25j
		test	al, 2
		jz	short loc_7B96A0
		test	edi, edi
		jz	short loc_7B96A0
		mov	eax, [esi+30h]
		xor	ebx, ebx
		mov	[ebp+var_4], eax

loc_7B96B7:				; CODE XREF: WmipStaticInstanceNameSize(x)+91j
		mov	ecx, [eax]
		lea	eax, [ecx+2]
		mov	[ebp+var_8], eax

loc_7B96BF:				; CODE XREF: WmipStaticInstanceNameSize(x)+76j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_7B96BF
		sub	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		sar	ecx, 1
		add	eax, 4
		mov	[ebp+var_4], eax
		lea	edx, [edx+ecx*2]
		add	edx, 4
		sub	edi, 1
		jz	short loc_7B96A0
		jmp	short loc_7B96B7
_WmipStaticInstanceNameSize@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipQueryAllData proc near		; CODE XREF: WmipIoControl+206p
					; IoWMIQueryAllData(x,x,x)+63p	...

var_E8		= dword	ptr -0E8h
var_E0		= dword	ptr -0E0h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_92		= dword	ptr -92h
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008ED440 SIZE 0000009D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ECh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		push	edi
		push	40h		; size_t
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_48]
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_D0], edx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_C8], esi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_92+2]
		push	48h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_E0]
		stosd
		xor	edx, edx
		add	esp, 0Ch
		mov	byte ptr [ebp+var_92], dl
		stosd
		stosd
		stosd
		test	ebx, ebx
		jnz	loc_7B9AA8
		mov	eax, ds:_WmipGuidObjectType
		mov	ecx, [esi+10h]
		push	edx
		mov	[ebp+var_A0], edx
		lea	edx, [ebp+var_A0]
		push	edx
		push	[ebp+arg_0]
		push	eax
		push	1
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		mov	eax, [ebp+var_A0]
		mov	[ebp+var_A0], eax

loc_7B978D:				; CODE XREF: WmipQueryAllData+3DBj
		test	ebx, ebx
		js	loc_7B99FA
		lea	ecx, [ebp+var_48]
		mov	[ebp+var_B8], 10h
		mov	[ebp+var_AC], ecx
		lea	edx, [ebp+var_E0]
		lea	ecx, [ebp+var_92]
		push	ecx
		lea	ecx, [ebp+var_AC]
		push	ecx
		lea	ecx, [ebp+var_B8]
		push	ecx
		mov	ecx, eax
		call	_WmipPrepareForWnodeAD@20 ; WmipPrepareForWnodeAD(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7B99EF
		cmp	byte ptr [ebp+var_92], 0
		mov	ecx, [esi+2Ch]
		mov	[ebp+var_C4], ecx
		jnz	loc_8ED440
		and	[ebp+var_98], 0
		xor	edx, edx
		mov	edi, [ebp+var_AC]
		xor	al, al
		xor	bl, bl
		mov	[ebp+var_B0], esi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_A4], esi
		mov	byte ptr [ebp+var_92+1], al
		mov	byte ptr [ebp+var_92], bl
		mov	[ebp+var_C0], edx
		mov	[ebp+var_B4], edx
		mov	[ebp+var_CC], 0C0000295h
		cmp	[ebp+var_B8], edx
		jbe	loc_8ED4BD
		jmp	short loc_7B9848
; 

loc_7B983C:				; CODE XREF: WmipQueryAllData+2D9j
		mov	al, byte ptr [ebp+var_92+1]
		mov	bl, byte ptr [ebp+var_92]

loc_7B9848:				; CODE XREF: WmipQueryAllData+154j
		mov	edi, [edi+edx*4]
		mov	[ebp+var_A8], edi
		test	al, al
		jnz	loc_7B9AC6
		test	bl, bl
		jnz	loc_7B9AC6
		cmp	esi, 48h
		jb	loc_7B9AC6
		mov	ebx, [ebp+var_B0]

loc_7B9870:				; CODE XREF: WmipQueryAllData+410j
		mov	dword ptr [ebx], 30h
		lea	esi, [ebp+var_E0]
		mov	eax, [edi+8]
		and	eax, 3
		mov	[ebp+var_9C], eax
		neg	eax
		sbb	eax, eax
		and	eax, 80h
		or	eax, ecx
		lea	ecx, [ebx+18h]
		mov	edi, ecx
		mov	[ebx+2Ch], eax
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_AC]
		mov	esi, [ebp+var_A4]
		mov	eax, [edi+edx*4]
		mov	edx, [eax+2Ch]
		and	dword ptr [ebx+0Ch], 0
		mov	eax, [ebp+var_D0]
		mov	[ebx+4], edx
		test	eax, eax
		jz	loc_7B9AFB
		push	ebx
		push	esi
		push	ecx
		push	edx
		xor	dl, dl
		mov	ecx, eax
		call	WmipForwardWmiIrp

loc_7B98D3:				; CODE XREF: WmipQueryAllData+426j
		and	dword ptr [ebx+4], 0
		test	eax, eax
		js	loc_8ED4B2
		mov	ecx, [ebx+2Ch]
		and	ecx, 20h
		jnz	loc_7B9A0D
		cmp	[ebx+34h], ecx
		jz	loc_8ED47D

loc_7B98F4:				; CODE XREF: WmipQueryAllData+32Aj
					; WmipQueryAllData+133D92j ...
		test	eax, eax
		js	loc_8ED4B2
		test	ecx, ecx
		jnz	loc_7B9A1B
		cmp	byte ptr [ebp+var_92], cl
		jnz	loc_8ED488
		mov	ecx, [ebp+var_C0]
		test	ecx, ecx
		jz	short loc_7B9921
		mov	eax, ebx
		sub	eax, ecx
		mov	[ecx+0Ch], eax

loc_7B9921:				; CODE XREF: WmipQueryAllData+232j
		cmp	[ebp+var_9C], 0
		mov	[ebp+var_C0], ebx
		jz	short loc_7B9949
		push	[ebp+var_A8]
		mov	edx, esi
		mov	ecx, ebx
		call	WmipInsertStaticNames
		test	byte ptr [ebx+2Ch], 20h
		jnz	loc_8ED497

loc_7B9949:				; CODE XREF: WmipQueryAllData+248j
					; WmipQueryAllData+133DBBj
		mov	eax, [ebx]
		lea	edx, [ebp+var_9C]
		push	8
		pop	ecx
		mov	[ebp+var_9C], eax
		call	_WmipAlign@8	; WmipAlign(x,x)
		mov	ebx, [ebp+var_98]
		mov	eax, [ebp+var_9C]
		add	ebx, eax
		cmp	byte ptr [ebp+var_92+1], 0
		mov	[ebp+var_98], ebx
		jnz	loc_8ED4A6
		cmp	esi, eax
		jb	loc_8ED4A6
		sub	esi, eax
		add	[ebp+var_B0], eax
		mov	[ebp+var_A4], esi

loc_7B9996:				; CODE XREF: WmipQueryAllData+390j
					; WmipQueryAllData+133DC7j ...
		mov	edx, [ebp+var_A8]
		mov	ecx, offset _WmipISChunkInfo
		call	WmipUnreferenceEntry
		mov	edx, [ebp+var_B4]
		mov	ecx, [ebp+var_C4]
		inc	edx
		mov	[ebp+var_B4], edx
		cmp	edx, [ebp+var_B8]
		jb	loc_7B983C
		test	ebx, ebx
		jz	loc_8ED4BD
		cmp	byte ptr [ebp+var_92+1], 0
		jnz	loc_7B9A7B
		mov	eax, [ebp+var_BC]
		mov	[eax], ebx

loc_7B99E2:				; CODE XREF: WmipQueryAllData+3BDj
		xor	ebx, ebx

loc_7B99E4:				; CODE XREF: WmipQueryAllData+133DDDj
		lea	eax, [ebp+var_48]
		cmp	edi, eax
		jnz	loc_8ED4C8

loc_7B99EF:				; CODE XREF: WmipQueryAllData+E8j
					; WmipQueryAllData+133D88j ...
		mov	ecx, [ebp+var_A0]
		call	ObfDereferenceObject

loc_7B99FA:				; CODE XREF: WmipQueryAllData+A9j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_7B9A0D:				; CODE XREF: WmipQueryAllData+1FFj
		cmp	[ebx+30h], esi
		ja	loc_7B98F4
		jmp	loc_8ED473
; 

loc_7B9A1B:				; CODE XREF: WmipQueryAllData+218j
		mov	ecx, [ebx+30h]

loc_7B9A1E:				; CODE XREF: WmipQueryAllData+133DA4j
		cmp	ecx, 48h
		jb	loc_8ED48F

loc_7B9A27:				; CODE XREF: WmipQueryAllData+133DACj
		add	[ebp+var_98], ecx
		cmp	[ebp+var_9C], 0
		jz	short loc_7B9A55
		push	4
		lea	edx, [ebp+var_98]
		pop	ecx
		call	_WmipAlign@8	; WmipAlign(x,x)
		mov	ecx, [ebp+var_A8]
		call	_WmipStaticInstanceNameSize@4 ;	WmipStaticInstanceNameSize(x)
		add	[ebp+var_98], eax

loc_7B9A55:				; CODE XREF: WmipQueryAllData+34Ej
		push	8
		lea	edx, [ebp+var_98]
		pop	ecx
		call	_WmipAlign@8	; WmipAlign(x,x)
		mov	ebx, [ebp+var_98]
		mov	byte ptr [ebp+var_92+1], 1
		mov	[ebp+var_98], ebx
		jmp	loc_7B9996
; 

loc_7B9A7B:				; CODE XREF: WmipQueryAllData+2EEj
		mov	eax, [ebp+arg_8]
		cmp	ebx, eax
		jbe	loc_7B9B11

loc_7B9A86:				; CODE XREF: WmipQueryAllData+42Ej
		mov	eax, [ebp+var_C8]
		push	38h
		pop	ecx
		mov	[eax], ecx
		mov	dword ptr [eax+2Ch], 20h
		mov	[eax+30h], ebx
		mov	eax, [ebp+var_BC]
		mov	[eax], ecx
		jmp	loc_7B99E2
; 

loc_7B9AA8:				; CODE XREF: WmipQueryAllData+71j
		push	[ebp+arg_0]
		push	ds:_WmipGuidObjectType
		push	1
		push	ebx
		call	ObReferenceObjectByPointer
		mov	ebx, eax
		mov	eax, [ebp+var_A0]
		jmp	loc_7B978D
; 

loc_7B9AC6:				; CODE XREF: WmipQueryAllData+16Dj
					; WmipQueryAllData+175j ...
		push	48h
		pop	esi
		push	esi		; size_t
		lea	ebx, [ebp+var_92+2]
		mov	eax, ebx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_C4]
		add	esp, 0Ch
		mov	edx, [ebp+var_B4]
		mov	[ebp+var_A4], esi
		mov	byte ptr [ebp+var_92], 1
		jmp	loc_7B9870
; 

loc_7B9AFB:				; CODE XREF: WmipQueryAllData+1DAj
		lea	eax, [ebp+var_E8]
		push	eax
		push	ebx
		push	esi
		push	ecx
		xor	cl, cl
		call	_WmipSendWmiIrp@24 ; WmipSendWmiIrp(x,x,x,x,x,x)
		jmp	loc_7B98D3
; 

loc_7B9B11:				; CODE XREF: WmipQueryAllData+39Aj
		lea	ebx, [eax+40h]
		jmp	loc_7B9A86
WmipQueryAllData endp

; 
		align 2

;  S U B	R O U T	I N E 


WmipUnreferenceEntry proc near		; CODE XREF: WmipDeleteMethod(x)+4Ep
					; WmipQueryAllData+2BBp ...

; FUNCTION CHUNK AT 008ED4DD SIZE 00000067 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, edx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		mov	ebx, ecx
		call	KeWaitForSingleObject
		or	edi, 0FFFFFFFFh
		lock xadd [esi+0Ch], edi
		dec	edi
		jz	short loc_7B9B58
		push	0
		test	edi, edi
		js	loc_8ED503
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_7B9B52:				; CODE XREF: WmipUnreferenceEntry+71j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7B9B58:				; CODE XREF: WmipUnreferenceEntry+22j
		mov	eax, [esi+8]
		mov	ecx, [esi]
		or	eax, 20000000h
		mov	[esi+8], eax
		test	ecx, ecx
		jnz	loc_8ED4DD

loc_7B9B6D:				; CODE XREF: WmipUnreferenceEntry+1339C8j
					; WmipUnreferenceEntry+1339DFj
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, [ebx+8]
		test	eax, eax
		jz	short loc_7B9B83
		push	esi
		call	eax

loc_7B9B83:				; CODE XREF: WmipUnreferenceEntry+64j
		push	esi
		push	dword ptr [ebx]
		call	_ExFreeToPagedLookasideList@8 ;	ExFreeToPagedLookasideList(x,x)
		jmp	short loc_7B9B52
WmipUnreferenceEntry endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqOpenObjectRegKey(x, x, x, x, x,	x, x, x, x)
_PiDqOpenObjectRegKey@36 proc near	; CODE XREF: PiDqActionDataGetRequestedProperties+10Fp
					; PiDqIrpPropertySet+C3p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, [ebp+arg_10]
		push	esi
		mov	esi, edx
		xor	edx, edx
		mov	[eax], edx
		sub	ecx, edx
		jz	short loc_7B9BC7
		sub	ecx, 1
		jnz	short loc_7B9BE2
		push	edx
		push	edx
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	PiDqOpenUserObjectRegKey

loc_7B9BC0:				; CODE XREF: PiDqOpenObjectRegKey(x,x,x,x,x,x,x,x,x)+52j
					; PiDqOpenObjectRegKey(x,x,x,x,x,x,x,x,x)+59j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_7B9BC7:				; CODE XREF: PiDqOpenObjectRegKey(x,x,x,x,x,x,x,x,x)+15j
		mov	ecx, _PiPnpRtlCtx
		push	edx
		push	edx
		push	eax
		push	[ebp+arg_8]
		mov	edx, esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PnpOpenObjectRegKey
		jmp	short loc_7B9BC0
; 

loc_7B9BE2:				; CODE XREF: PiDqOpenObjectRegKey(x,x,x,x,x,x,x,x,x)+1Aj
		mov	eax, 0C000000Dh
		jmp	short loc_7B9BC0
_PiDqOpenObjectRegKey@36 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqOpenUserObjectRegKey proc near	; CODE XREF: PiDqOpenObjectRegKey(x,x,x,x,x,x,x,x,x)+2Dp

var_90		= dword	ptr -90h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008ED544 SIZE 000000A7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	esi, [ebp+arg_C]
		lea	edi, [ebp+var_90]
		mov	[ebp+var_80], eax
		xor	eax, eax
		stosd
		push	44h		; size_t
		mov	[ebp+var_6C], edx
		mov	[ebp+var_70], ecx
		stosd
		mov	[ebp+var_74], esi
		stosd
		stosd
		xor	eax, eax
		mov	edi, eax
		mov	[ebp+var_64], eax
		push	eax		; int
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_50]
		push	eax		; void *
		mov	[ebp+var_5C], edi
		call	_memset
		mov	edx, [ebp+var_70]
		add	esp, 0Ch
		and	[esi], edi
		mov	[ebp+var_51], 0
		push	[ebp+arg_14]
		push	[ebp+var_6C]
		call	_PnpValidateObjectName
		mov	esi, eax
		test	esi, esi
		js	loc_7B9DF1
		test	ebx, ebx
		jz	loc_8ED513
		mov	eax, ebx

loc_7B9C73:				; CODE XREF: WmipUnreferenceEntry+133A25j
		cmp	dword ptr [eax], 0
		jnz	loc_8ED544
		test	ebx, ebx
		jz	loc_8ED555

loc_7B9C84:				; CODE XREF: PiDqOpenUserObjectRegKey+133971j
		mov	ebx, [ebx+8]

loc_7B9C87:				; CODE XREF: PiDqOpenUserObjectRegKey+133966j
		lea	eax, [ebp+var_64]
		push	eax
		push	9
		push	ebx
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_8ED560
		cmp	esi, 0C0000003h
		jnz	loc_7B9DF1

loc_7B9CA9:				; CODE XREF: PiDqOpenUserObjectRegKey+13397Cj
		push	0
		push	44h
		lea	edx, [ebp+var_50]
		mov	ecx, ebx
		call	_SeQueryUserSidToken@16	; SeQueryUserSidToken(x,x,x,x)
		push	1
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_7C]
		push	eax
		call	RtlConvertSidToUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_7B9DF1
		push	[ebp+var_78]
		lea	eax, [ebp+var_58]
		push	offset ??_C@_1CA@BAGEJGFP@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAU?$AAS?$AAE?$AAR?$AA?2@NNGAKEGL@ ; "\\REGISTRY\\USER\\"
		push	2
		push	eax
		push	58706E50h
		push	7FFFFFFFh
		call	PnpConcatPWSTR
		mov	esi, eax
		add	esp, 18h
		test	esi, esi
		js	loc_7B9DF1
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	loc_7B9DE3
		mov	ecx, [eax+74h]

loc_7B9D0A:				; CODE XREF: PiDqOpenUserObjectRegKey+1FBj
		mov	ebx, [ebp+var_58]
		lea	eax, [ebp+var_60]
		push	eax
		push	4
		push	0
		push	ebx
		xor	edx, edx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7B9D7B
		mov	edx, [ebp+var_6C]
		lea	eax, [ebp+var_5C]
		mov	ecx, [ebp+var_70]
		push	eax
		call	PiDqGetRelativeObjectRegPath
		mov	esi, eax
		test	esi, esi
		js	loc_8ED5B9
		cmp	[ebp+arg_4], 0
		mov	eax, _PiPnpRtlCtx
		jnz	loc_8ED579
		mov	[ebp+var_68], 2
		test	eax, eax
		jz	loc_7B9DEA
		mov	ecx, [eax+74h]

loc_7B9D5D:				; CODE XREF: PiDqOpenUserObjectRegKey+202j
		push	[ebp+var_74]
		mov	edi, [ebp+var_5C]
		push	[ebp+arg_0]
		mov	edx, [ebp+var_60]
		push	0
		push	edi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)

loc_7B9D71:				; CODE XREF: PiDqOpenUserObjectRegKey+1339B5j
		mov	esi, eax
		test	esi, esi
		jns	loc_8ED5A4

loc_7B9D7B:				; CODE XREF: PiDqOpenUserObjectRegKey+137j
					; PiDqOpenUserObjectRegKey+20Aj ...
		cmp	esi, 0C000017Ch
		jz	loc_8ED5C1

loc_7B9D87:				; CODE XREF: PiDqOpenUserObjectRegKey+1339DCj
		test	edi, edi
		jz	short loc_7B9D96
		push	58706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7B9D96:				; CODE XREF: PiDqOpenUserObjectRegKey+19Fj
					; PiDqOpenUserObjectRegKey+13398Aj
		cmp	[ebp+var_60], 0
		jz	short loc_7B9DA4
		push	[ebp+var_60]
		call	_ZwClose@4	; ZwClose(x)

loc_7B9DA4:				; CODE XREF: PiDqOpenUserObjectRegKey+1B0j
		test	ebx, ebx
		jz	short loc_7B9DB3
		push	58706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7B9DB3:				; CODE XREF: PiDqOpenUserObjectRegKey+1BCj
		lea	eax, [ebp+var_7C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_51], 0
		jnz	loc_8ED5CB

loc_7B9DC6:				; CODE XREF: PiDqOpenUserObjectRegKey+1339EDj
		cmp	[ebp+var_64], 0
		jnz	loc_8ED5DC

loc_7B9DD0:				; CODE XREF: PiDqOpenUserObjectRegKey+1339FCj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_7B9DE3:				; CODE XREF: PiDqOpenUserObjectRegKey+117j
		xor	ecx, ecx
		jmp	loc_7B9D0A
; 

loc_7B9DEA:				; CODE XREF: PiDqOpenUserObjectRegKey+16Aj
		xor	ecx, ecx
		jmp	loc_7B9D5D
; 

loc_7B9DF1:				; CODE XREF: PiDqOpenUserObjectRegKey+79j
					; PiDqOpenUserObjectRegKey+B9j	...
		mov	ebx, [ebp+var_58]
		jmp	short loc_7B9D7B
PiDqOpenUserObjectRegKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqGetRelativeObjectRegPath proc near	; CODE XREF: PiDqOpenUserObjectRegKey+143p
					; PiDqDeleteUserObject(x,x,x)+1Ep

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008ED5EB SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	58706E50h
		push	800h
		push	1
		mov	esi, edx
		mov	edi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, [ebp+arg_0]
		xor	ecx, ecx
		mov	[ebx], eax
		test	eax, eax
		jz	loc_8ED5EB
		sub	esi, 1
		jnz	short loc_7B9E52
		push	ecx		; int
		push	400h		; int
		push	eax		; void *
		push	ecx		; int
		push	ecx		; int
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	10h		; int
		call	_CmGetDeviceRegKeyPath

loc_7B9E3F:				; CODE XREF: PiDqGetRelativeObjectRegPath+8Ej
					; PiDqGetRelativeObjectRegPath+A2j ...
		mov	esi, eax
		test	esi, esi
		js	loc_8ED5F0

loc_7B9E49:				; CODE XREF: PiDqGetRelativeObjectRegPath+1337FEj
					; PiDqGetRelativeObjectRegPath+133812j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7B9E52:				; CODE XREF: PiDqGetRelativeObjectRegPath+2Fj
		sub	esi, 1
		jz	loc_8ED63D
		sub	esi, 1
		jz	short loc_7B9E86
		sub	esi, 1
		jz	loc_8ED630
		sub	esi, 1
		jnz	loc_8ED60D
		push	ecx		; int
		push	400h		; int
		push	eax		; void *
		push	ecx		; int
		push	ecx		; int
		push	50h		; int
		mov	edx, edi
		call	__CmGetDeviceContainerRegKeyPath@32 ; _CmGetDeviceContainerRegKeyPath(x,x,x,x,x,x,x,x)
		jmp	short loc_7B9E3F
; 

loc_7B9E86:				; CODE XREF: PiDqGetRelativeObjectRegPath+68j
		push	ecx
		push	400h
		push	eax
		push	ecx
		push	ecx
		push	30h
		mov	edx, edi
		call	_CmGetDeviceInterfaceRegKeyPath
		jmp	short loc_7B9E3F
PiDqGetRelativeObjectRegPath endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpConcatPWSTR	proc near		; CODE XREF: PiSwStopDestroy(x,x,x,x)+62p
					; PiDqOpenUserObjectRegKey+FEp	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008ED654 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	eax, eax
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_8]
		inc	ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	[ebp+arg_8], eax
		mov	[edi], eax
		cmp	[ebp+arg_C], eax
		jbe	short loc_7B9EF6
		lea	ecx, [ebp+arg_C]

loc_7B9EC0:				; CODE XREF: PnpConcatPWSTR+5Aj
		add	ecx, 4
		mov	[ebp+var_C], ecx
		mov	esi, [ecx]
		test	esi, esi
		jz	short loc_7B9EED
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		mov	ecx, esi
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7B9F6E
		add	ebx, [ebp+var_8]
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_C]

loc_7B9EED:				; CODE XREF: PnpConcatPWSTR+30j
		inc	eax
		mov	[ebp+arg_8], eax
		cmp	eax, [ebp+arg_C]
		jb	short loc_7B9EC0

loc_7B9EF6:				; CODE XREF: PnpConcatPWSTR+21j
		cmp	ebx, [ebp+arg_0]
		ja	loc_8ED654
		push	2
		pop	ecx
		mov	eax, ebx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7B9F6E
		push	[ebp+arg_4]
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jz	loc_8ED65E
		xor	ecx, ecx
		xor	ebx, ebx
		mov	[eax], cx
		cmp	[ebp+arg_C], ecx
		jbe	short loc_7B9F66
		lea	eax, [ebp+arg_C]

loc_7B9F3C:				; CODE XREF: PnpConcatPWSTR+CAj
		add	eax, 4
		mov	[ebp+arg_8], eax
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_7B9F60
		mov	edx, [ebp+var_4]
		push	ecx
		mov	ecx, [edi]
		call	_RtlStringCbCatW@12 ; RtlStringCbCatW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8ED663
		mov	eax, [ebp+arg_8]

loc_7B9F60:				; CODE XREF: PnpConcatPWSTR+ACj
		inc	ebx
		cmp	ebx, [ebp+arg_C]
		jb	short loc_7B9F3C

loc_7B9F66:				; CODE XREF: PnpConcatPWSTR+9Dj
		test	esi, esi
		js	loc_8ED663

loc_7B9F6E:				; CODE XREF: PnpConcatPWSTR+44j
					; PnpConcatPWSTR+7Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
PnpConcatPWSTR	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpValidateObjectName proc near	; CODE XREF: PiDqOpenUserObjectRegKey+70p
					; PiDmObjectCreate+19Fp

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008ED67E SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	ebx, _PiPnpRtlCtx
		xor	eax, eax
		push	esi
		push	edi
		push	0Ah
		pop	ecx
		lea	edi, [ebp+var_30]
		mov	esi, edx
		rep stosd
		mov	edi, [ebx+0F8h]
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4], esi
		mov	[ebp+var_28], eax
		test	edi, edi
		jz	short loc_7B9FC2
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	1
		push	[ebp+arg_0]
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	loc_8ED67E
		xor	edi, edi

loc_7B9FC2:				; CODE XREF: _PnpValidateObjectName+2Ej
					; _PnpValidateObjectName+133713j
		push	[ebp+var_28]
		mov	edx, esi
		mov	ecx, ebx
		push	[ebp+arg_0]
		call	__PnpValidateObjectNameDispatch@16 ; _PnpValidateObjectNameDispatch(x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jnz	loc_8ED696

loc_7B9FDB:				; CODE XREF: _PnpValidateObjectName+13371Bj
					; _PnpValidateObjectName+133739j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_PnpValidateObjectName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpValidateObjectNameDispatch(x, x, x, x)
__PnpValidateObjectNameDispatch@16 proc	near ; CODE XREF: _PnpValidateObjectName+56p

var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_4], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		push	8
		pop	ecx
		rep stosd
		mov	edi, [ebp+arg_4]
		mov	ebx, edx
		test	di, di
		jnz	short loc_7BA037
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, esi
		call	__PnpCtxGetObjectDispatchCallback@12 ; _PnpCtxGetObjectDispatchCallback(x,x,x)
		test	eax, eax
		js	short loc_7BA030
		cmp	[ebp+var_4], 0
		jz	short loc_7BA03E
		lea	eax, [ebp+var_24]
		mov	[ebp+var_24], edi
		push	eax
		push	1
		push	edx
		push	ebx
		push	esi
		call	[ebp+var_4]

loc_7BA030:				; CODE XREF: _PnpValidateObjectNameDispatch(x,x,x,x)+35j
					; _PnpValidateObjectNameDispatch(x,x,x,x)+58j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7BA037:				; CODE XREF: _PnpValidateObjectNameDispatch(x,x,x,x)+23j
		mov	eax, 0C000000Dh
		jmp	short loc_7BA030
; 

loc_7BA03E:				; CODE XREF: _PnpValidateObjectNameDispatch(x,x,x,x)+3Bj
		mov	eax, 0C0000002h
		jmp	short loc_7BA030
__PnpValidateObjectNameDispatch@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpDispatchDeviceContainer proc near	; DATA XREF: _PnpCtxOpenMachine+16Co

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008ED6CE SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_C]
		xor	edx, edx
		dec	eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		push	esi
		mov	esi, edx
		cmp	eax, 8		; switch 9 cases
		ja	loc_8ED720	; default
		jmp	ds:off_7BA0FE[eax*4] ; switch jump

loc_7BA06C:				; DATA XREF: PAGE:007BA11Ao
		mov	eax, [ebp+arg_10] ; case 0x7
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	dword ptr [eax+18h] ; int
		push	dword ptr [eax+14h] ; int
		push	dword ptr [eax+10h] ; int
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; void *
		push	dword ptr [eax+4] ; int
		push	dword ptr [eax]	; int
		call	_CmGetDeviceContainerMappedProperty

loc_7BA08E:				; CODE XREF: _PnpDispatchDeviceContainer+6Bj
					; _PnpDispatchDeviceContainer+75j ...
		pop	esi
		leave
		retn	14h
; 

loc_7BA093:				; CODE XREF: _PnpDispatchDeviceContainer+1Fj
					; DATA XREF: PAGE:007BA102o
		mov	ecx, [ebp+arg_10] ; case 0x1
		mov	edx, [ebp+arg_4]
		lea	eax, [ecx+0Ch]
		push	eax
		push	dword ptr [ecx+8]
		movzx	eax, byte ptr [ecx+4]
		push	eax
		push	dword ptr [ecx]
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	_CmOpenDeviceContainerRegKey
		jmp	short loc_7BA08E
; 

loc_7BA0B3:				; CODE XREF: _PnpDispatchDeviceContainer+1Fj
					; DATA XREF: PAGE:off_7BA0FEo
		mov	edx, [ebp+arg_4] ; case	0x0
		call	__CmValidateDeviceContainerName@8 ; _CmValidateDeviceContainerName(x,x)
		jmp	short loc_7BA08E
; 

loc_7BA0BD:				; CODE XREF: _PnpDispatchDeviceContainer+1Fj
					; DATA XREF: PAGE:007BA11Eo
		mov	eax, [ebp+arg_10] ; case 0x8
		sub	esp, 0Ch
		push	dword ptr [eax+8]
		push	dword ptr [eax+4]
		push	ecx
		call	_CmSetDeviceContainerMappedProperty
		jmp	short loc_7BA08E
; 

loc_7BA0D1:				; CODE XREF: _PnpDispatchDeviceContainer+1Fj
					; DATA XREF: PAGE:007BA10Eo
		mov	ecx, [ebp+arg_10] ; case 0x4
		mov	eax, [ecx]
		test	eax, eax
		jnz	loc_8ED6D8

loc_7BA0DE:				; CODE XREF: _PnpDispatchDeviceContainer+1336A3j
		mov	eax, [ecx+14h]
		and	eax, 0FFFF0000h
		push	eax
		push	dword ptr [ecx+10h]
		push	dword ptr [ecx+0Ch]
		push	dword ptr [ecx+8]
		mov	ecx, [ebp+arg_0]
		push	esi
		call	_CmGetMatchingDeviceContainerList
		jmp	short loc_7BA08E
_PnpDispatchDeviceContainer endp

; 
		db 8Dh
		db 49h,	0
off_7BA0FE	dd offset loc_7BA0B3	; DATA XREF: _PnpDispatchDeviceContainer+1Fr
					; jump table for switch	statement
		dd offset loc_7BA093	; case 0x1
		dd offset loc_8ED6CE	; case 0x2
		dd offset loc_8ED6CE	; case 0x2
		dd offset loc_7BA0D1	; case 0x4
		dd offset loc_8ED6EE	; case 0x5
		dd offset loc_8ED706	; case 0x6
		dd offset loc_7BA06C	; case 0x7
		dd offset loc_7BA0BD	; case 0x8

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetDeviceContainerMappedProperty(int,int,void	*,int,int,int,int)
_CmGetDeviceContainerMappedProperty proc near ;	CODE XREF: _PnpDispatchDeviceContainer+43p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008ED72A SIZE 0000007F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_18]
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		mov	esi, 0C0000016h
		and	dword ptr [edi], 0
		cmp	[ebp+arg_4], 0
		jz	short loc_7BA14B

loc_7BA142:				; CODE XREF: _CmGetDeviceContainerMappedProperty+49j
					; _CmGetDeviceContainerMappedProperty+5Dj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_7BA14B:				; CODE XREF: _CmGetDeviceContainerMappedProperty+1Ej
		mov	eax, [ebp+arg_8]
		mov	ecx, [eax+10h]
		cmp	ecx, 46h
		jz	short loc_7BA186
		cmp	ecx, 53h
		jz	loc_8ED734
		cmp	ecx, 37h
		jz	loc_8ED75D
		cmp	ecx, 6Ch
		jnz	short loc_7BA142
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceContainer_IsRebootRequired ; void	*
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7BA142
		jmp	loc_8ED786
; 

loc_7BA186:				; CODE XREF: _CmGetDeviceContainerMappedProperty+32j
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceContainer_IsLocalMachine ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7BA142
		mov	eax, [ebp+arg_C]
		mov	dword ptr [eax], 11h
		xor	eax, eax
		inc	eax
		mov	[edi], eax
		cmp	[ebp+arg_14], eax
		jb	loc_8ED72A
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	__CmIsLocalMachineContainer@8 ;	_CmIsLocalMachineContainer(x,x)
		mov	ecx, [ebp+arg_10]
		neg	al
		sbb	al, al
		xor	esi, esi
		mov	[ecx], al
		jmp	loc_7BA142
_CmGetDeviceContainerMappedProperty endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmOpenDeviceContainerRegKey proc near	; CODE XREF: _PnpDispatchDeviceContainer+66p
					; _CmCreateDeviceContainerWorker+27p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008ED7A9 SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_14]
		lea	eax, [ebp+var_30]
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		push	2Ch		; size_t
		mov	edi, ecx
		mov	[ebp+var_34], edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_38], edi
		call	_memset
		mov	eax, [ebp+arg_8]
		add	esp, 0Ch
		mov	edi, [edi+100h]
		and	[ebp+var_24], 0
		mov	[ebp+var_20], eax
		mov	al, [ebp+arg_C]
		mov	[ebp+var_18], esi
		mov	esi, [ebp+var_38]
		mov	[ebp+var_28], 50h
		mov	byte ptr [ebp+var_1C], al
		test	edi, edi
		jz	short loc_7BA243
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	0Bh
		push	5
		push	[ebp+var_34]
		push	esi
		call	edi
		cmp	eax, 0C0000002h
		jnz	loc_8ED7A9
		xor	edi, edi

loc_7BA243:				; CODE XREF: _CmOpenDeviceContainerRegKey+58j
					; _CmOpenDeviceContainerRegKey+1335E6j
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_18]
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	ecx
		push	[ebp+var_28]
		mov	ecx, esi
		call	_CmOpenDeviceContainerRegKeyWorker
		mov	esi, eax
		test	edi, edi
		jnz	loc_8ED7CA

loc_7BA268:				; CODE XREF: _CmOpenDeviceContainerRegKey+1335F9j
					; _CmOpenDeviceContainerRegKey+133618j	...
		test	esi, esi
		js	short loc_7BA275
		test	ebx, ebx
		jz	short loc_7BA275
		mov	eax, [ebp+var_14]
		mov	[ebx], eax

loc_7BA275:				; CODE XREF: _CmOpenDeviceContainerRegKey+9Ej
					; _CmOpenDeviceContainerRegKey+A2j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_CmOpenDeviceContainerRegKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmOpenDeviceContainerRegKeyWorker proc	near ; CODE XREF: _CmOpenDeviceContainerRegKey+8Dp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008ED803 SIZE 0000008D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		xor	eax, eax
		mov	[esp+1Ch+var_C], edx
		push	ebx
		mov	ebx, ecx
		mov	[esp+20h+var_14], eax
		push	esi
		push	edi
		mov	edi, eax
		mov	[esp+28h+var_10], eax
		mov	[esp+28h+var_18], eax
		mov	[esp+28h+var_8], eax
		mov	[esp+28h+var_4], eax
		cmp	[ebp+arg_0], eax
		jz	loc_8ED878
		test	[ebp+arg_0], 0FFFFFEAFh
		jnz	loc_8ED878
		mov	esi, 104h
		mov	[esp+28h+var_1C], esi

loc_7BA2D3:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+1335A7j
		push	52504E50h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8ED834
		mov	edx, [esp+28h+var_C]
		lea	eax, [esp+28h+var_14]
		push	eax		; int
		mov	ecx, esi
		shr	ecx, 1
		push	ecx		; int
		push	edi		; void *
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_0]	; int
		call	__CmGetDeviceContainerRegKeyPath@32 ; _CmGetDeviceContainerRegKeyPath(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_8ED803

loc_7BA311:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+1335B1j
		test	esi, esi
		js	loc_7BA409
		test	[ebp+arg_0], 100h
		jnz	loc_8ED83E
		push	edi
		lea	eax, [esp+2Ch+var_8]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7BA409
		mov	cx, word ptr [esp+28h+var_8]
		movzx	eax, cx
		cmp	eax, [esp+28h+var_1C]
		jnb	loc_8ED878
		push	32h
		pop	eax
		cmp	cx, ax
		jbe	loc_8ED878
		push	1
		lea	eax, [esp+2Ch+var_8]
		push	eax
		push	offset ?ObjectPathRootPrefix@?1??_CmOpenDeviceInterfaceRegKeyWorker@@9@9 ; `_CmOpenDeviceInterfaceRegKeyWorker'::`2'::ObjectPathRootPrefix
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_8ED878
		mov	eax, 0FFCEh
		lea	esi, [edi+32h]
		add	word ptr [esp+28h+var_8], ax
		add	word ptr [esp+28h+var_8+2], ax
		lea	eax, [esp+28h+var_8]
		push	1
		push	eax
		push	offset ?DeviceContainersKeyPrefix@?1??_CmOpenDeviceContainerRegKeyWorker@@9@9 ;	`_CmOpenDeviceContainerRegKeyWorker'::`2'::DeviceContainersKeyPrefix
		mov	[esp+34h+var_1C], esi
		mov	[esp+34h+var_4], esi
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_7BA3A8
		add	esi, 32h
		mov	[esp+28h+var_1C], esi

loc_7BA3A8:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+117j
		xor	edx, edx
		lea	ecx, [esp+28h+var_10]
		test	al, al
		push	ecx
		setnz	dl
		mov	ecx, ebx
		dec	edx
		and	edx, 0FFFFFFFAh
		add	edx, 0Ah
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7BA409
		mov	edx, [esp+28h+var_10]

loc_7BA3CC:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+1335E4j
		cmp	[ebp+arg_C], 0
		jnz	short loc_7BA42B
		test	ebx, ebx
		jz	loc_8ED871
		mov	ecx, [ebx+74h]

loc_7BA3DD:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+1335EBj
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		push	0
		push	[esp+34h+var_1C]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_7BA3FD
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 2

loc_7BA3FD:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+16Aj
					; _CmOpenDeviceContainerRegKeyWorker+1C3j
		cmp	ecx, 0C000017Ch
		jz	short loc_7BA451
		test	ecx, ecx
		js	short loc_7BA458

loc_7BA409:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+8Bj
					; _CmOpenDeviceContainerRegKeyWorker+ADj ...
		cmp	[esp+28h+var_18], 0
		jnz	loc_8ED882

loc_7BA414:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+133603j
		test	edi, edi
		jz	short loc_7BA420
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7BA420:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+18Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7BA42B:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+148j
		test	ebx, ebx
		jz	short loc_7BA44D
		mov	ecx, [ebx+74h]

loc_7BA432:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+1C7j
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	ecx
		push	0
		push	[ebp+arg_8]
		push	0
		push	[esp+40h+var_1C]
		call	__SysCtxRegCreateTree@36 ; _SysCtxRegCreateTree(x,x,x,x,x,x,x,x,x)
		mov	ecx, eax
		jmp	short loc_7BA3FD
; 

loc_7BA44D:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+1A5j
		xor	ecx, ecx
		jmp	short loc_7BA432
; 

loc_7BA451:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+17Bj
		mov	esi, 0C00000E5h
		jmp	short loc_7BA409
; 

loc_7BA458:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+17Fj
		mov	esi, ecx
		jmp	short loc_7BA409
_CmOpenDeviceContainerRegKeyWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipIoControl	proc near		; DATA XREF: WmipDriverEntry+100o

var_B0		= dword	ptr -0B0h
var_A8		= dword	ptr -0A8h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_68		= dword	ptr -68h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008ED890 SIZE 00000183 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0A4h+var_4], eax
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	eax, [ecx+60h]
		xor	esi, esi
		mov	edi, [ecx+0Ch]
		mov	[esp+0B0h+var_9C], ecx
		mov	[esp+0B0h+var_90], edi
		mov	edx, [eax+8]
		mov	ebx, [eax+4]
		mov	eax, [eax+0Ch]
		mov	[esp+0B0h+var_98], edx
		mov	[esp+0B0h+var_A0], ebx
		mov	[esp+0B0h+var_8C], eax
		cmp	eax, 224158h
		jbe	loc_7BA55F
		cmp	eax, 22811Ch
		ja	loc_7BA66C
		jz	loc_8ED954
		mov	ecx, eax
		sub	ecx, 224160h
		jz	loc_8ED933
		sub	ecx, 3EA8h
		jz	loc_8ED91E
		sub	ecx, 4
		jz	loc_8ED8D7
		sub	ecx, 18h
		jnz	loc_8ED973
		push	ebx
		mov	ecx, edi
		call	_WmipProbeWnodeMethodItem@12 ; WmipProbeWnodeMethodItem(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7BA51D
		mov	eax, [esp+0B0h+var_98]
		mov	[esp+0B0h+var_A0], eax
		lea	eax, [esp+0B0h+var_A0]
		push	eax
		push	ebx
		push	edi
		push	9

loc_7BA50A:				; CODE XREF: WmipIoControl+2BFj
		mov	edx, [esp+0C0h+var_9C]
		xor	ecx, ecx
		push	1
		call	WmipQuerySetExecuteSI

loc_7BA517:				; CODE XREF: WmipIoControl+20Bj
					; WmipIoControl+259j ...
		mov	ebx, [esp+0B0h+var_A0]
		mov	esi, eax

loc_7BA51D:				; CODE XREF: WmipIoControl+9Bj
					; WmipIoControl+169j ...
		mov	ecx, [esp+0B0h+var_9C]

loc_7BA521:				; CODE XREF: WmipIoControl+13352Aj
					; WmipIoControl+133574j
		cmp	esi, 103h
		jz	short loc_7BA546
		cmp	esi, 0C0000120h
		jz	short loc_7BA546

loc_7BA531:				; CODE XREF: WmipIoControl+133456j
					; WmipIoControl+133460j ...
		mov	[ecx+18h], esi
		test	esi, esi
		js	loc_7BA720

loc_7BA53C:				; CODE XREF: WmipIoControl+2C6j
		xor	dl, dl
		mov	[ecx+1Ch], ebx
		call	IofCompleteRequest

loc_7BA546:				; CODE XREF: WmipIoControl+CBj
					; WmipIoControl+D3j
		mov	ecx, [esp+0B0h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7BA55F:				; CODE XREF: WmipIoControl+4Cj
		jz	loc_7BA6C8
		cmp	eax, 224134h
		jbe	loc_7BA627
		sub	eax, 224138h
		jz	loc_8ED8C1
		sub	eax, 4
		jnz	loc_7BA6BA

loc_7BA584:				; CODE XREF: WmipIoControl+261j
					; WmipIoControl+133439j
		push	6
		pop	ecx
		xor	eax, eax
		mov	[esp+0B0h+var_88], esi
		push	ebx		; int
		push	edx		; int
		lea	edi, [esp+0B8h+var_80]
		mov	[esp+0B8h+var_84], esi
		rep stosd
		mov	edi, [esp+0B8h+var_90]
		lea	eax, [esp+0B8h+var_98]
		push	edi		; int
		push	eax		; int
		lea	eax, [esp+0C0h+var_68]
		mov	[esp+0C0h+var_94], esi
		push	eax		; void *
		lea	edx, [esp+0C4h+var_88]
		mov	[esp+0C4h+var_98], esi
		lea	ecx, [esp+0C4h+var_80]
		mov	[esp+0C4h+var_A0], esi
		call	_WmipProbeWmiOpenGuidBlock@28 ;	WmipProbeWmiOpenGuidBlock(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7BA51D
		mov	ecx, [esp+0B0h+var_8C]
		lea	eax, [esp+0B0h+var_A0]
		push	eax
		push	[esp+0B4h+var_98]
		lea	eax, [esp+0B8h+var_80]
		mov	dl, 1
		push	eax
		call	WmipOpenBlock
		mov	esi, eax
		test	esi, esi
		js	loc_7BA51D
		lea	eax, [esp+0B0h+var_94]
		push	eax
		push	1
		push	ds:_WmipGuidObjectType
		push	[esp+0BCh+var_98]
		push	0
		push	0
		push	[esp+0C8h+var_A0]
		call	ObOpenObjectByPointer
		mov	esi, eax
		test	esi, esi
		js	short loc_7BA619
		mov	eax, [esp+0B0h+var_94]
		mov	[edi+8], eax

loc_7BA619:				; CODE XREF: WmipIoControl+1B4j
		mov	ecx, [esp+0B0h+var_A0]
		call	ObfDereferenceObject
		jmp	loc_7BA51D
; 

loc_7BA627:				; CODE XREF: WmipIoControl+10Ej
		jz	loc_8ED937
		sub	eax, 224000h
		jnz	loc_7BA6E4
		cmp	ebx, 48h
		jb	loc_8ED8B7
		push	ebx
		mov	ecx, edi
		call	_WmipProbeWnodeAllData@12 ; WmipProbeWnodeAllData(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7BA51D
		mov	edx, [esp+0B0h+var_9C]
		lea	eax, [esp+0B0h+var_A0]
		push	eax
		push	ebx
		push	edi
		push	1
		xor	ecx, ecx
		call	WmipQueryAllData
		jmp	loc_7BA517
; 

loc_7BA66C:				; CODE XREF: WmipIoControl+57j
		sub	eax, 22812Ch
		jz	loc_8ED9D5
		sub	eax, 4
		jz	loc_8ED98B
		sub	eax, 14h
		jnz	loc_8ED977
		cmp	edx, 10h
		jb	loc_8ED981
		cmp	ebx, 38h
		jb	loc_8ED981
		lea	eax, [edx-8]
		shr	eax, 3
		cmp	[edi], eax
		ja	loc_8ED981
		push	ecx
		lea	edx, [esp+0B4h+var_A0]
		mov	ecx, edi
		call	WmipReceiveNotifications
		jmp	loc_7BA517
; 

loc_7BA6BA:				; CODE XREF: WmipIoControl+122j
		sub	eax, 4
		jz	loc_7BA584
		jmp	loc_8ED977
; 

loc_7BA6C8:				; CODE XREF: WmipIoControl:loc_7BA55Fj
		cmp	ebx, 10h
		jb	loc_8ED9CB
		lea	eax, [esp+0B0h+var_A0]
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	WmipEnumerateMofResources
		jmp	loc_7BA517
; 

loc_7BA6E4:				; CODE XREF: WmipIoControl+1D6j
		sub	eax, 4
		jnz	loc_8ED890
		cmp	ebx, 38h
		jb	loc_8ED8B7
		push	1
		push	ebx
		mov	ecx, edi
		call	_WmipProbeWnodeSingleInstance@16 ; WmipProbeWnodeSingleInstance(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7BA51D
		mov	eax, [esp+0B0h+var_98]
		mov	[esp+0B0h+var_A0], eax
		lea	eax, [esp+0B0h+var_A0]
		push	eax
		push	ebx
		push	edi
		push	1
		jmp	loc_7BA50A
; 

loc_7BA720:				; CODE XREF: WmipIoControl+DAj
		xor	ebx, ebx
		jmp	loc_7BA53C
WmipIoControl	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipOpenBlock	proc near		; CODE XREF: WmipIoControl+183p
					; IoWMIOpenBlock(x,x,x)+EAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EDA13 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		mov	[ebp+var_C], edi
		cmp	edi, 22413Ch
		jnz	loc_7BA810

loc_7BA74B:				; CODE XREF: WmipOpenBlock+EEj
					; WmipOpenBlock+FAj
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_4]
		call	_WmipOpenGuidObject@16 ; WmipOpenGuidObject(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7BA807
		mov	ebx, [ebp+var_8]
		mov	[ebx+2Ch], edi
		cmp	edi, 224108h
		jz	loc_7BA8BC
		lea	ecx, [ebx+10h]
		xor	dl, dl
		call	_WmipFindGEByGuid@8 ; WmipFindGEByGuid(x,x)
		mov	esi, eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		test	esi, esi
		jz	short loc_7BA7B1
		lea	ecx, [esi+18h]
		mov	edx, [ecx+4]
		lea	eax, [ebx+20h]
		cmp	[edx], ecx
		jnz	loc_7BA8C5
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax

loc_7BA7B1:				; CODE XREF: WmipOpenBlock+6Cj
		push	0
		push	offset _WmipSMMutex
		mov	[ebx+28h], esi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, edi
		sub	eax, 22413Ch
		jnz	short loc_7BA82D
		test	esi, esi
		jz	short loc_7BA83A
		cmp	[esi+14h], eax
		jz	short loc_7BA83A
		mov	ecx, esi
		call	_WmipIsQuerySetGuid@4 ;	WmipIsQuerySetGuid(x)
		test	al, al
		jz	short loc_7BA83A

loc_7BA7DD:				; CODE XREF: WmipOpenBlock+108j
		cmp	[ebp+var_1], 0
		jz	short loc_7BA834

loc_7BA7E3:				; CODE XREF: WmipOpenBlock+110j
		test	esi, esi
		jz	short loc_7BA84A

loc_7BA7E7:				; CODE XREF: WmipOpenBlock+18Fj
		lea	eax, [ebx+64h]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	WmipEnableCollectOrEvent
		mov	esi, eax
		test	esi, esi
		js	short loc_7BA803

loc_7BA7FA:				; CODE XREF: WmipOpenBlock+10Aj
					; WmipOpenBlock+198j
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		xor	ebx, ebx
		xor	esi, esi

loc_7BA803:				; CODE XREF: WmipOpenBlock+D0j
					; WmipOpenBlock+117j ...
		test	ebx, ebx
		jnz	short loc_7BA841

loc_7BA807:				; CODE XREF: WmipOpenBlock+36j
					; WmipOpenBlock+120j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7BA810:				; CODE XREF: WmipOpenBlock+1Dj
		cmp	edi, 224140h
		jz	loc_7BA74B
		cmp	edi, 224108h
		jz	loc_7BA74B
		jmp	loc_8EDA13
; 

loc_7BA82D:				; CODE XREF: WmipOpenBlock+9Fj
		sub	eax, 4
		jz	short loc_7BA7DD
		jmp	short loc_7BA7FA
; 

loc_7BA834:				; CODE XREF: WmipOpenBlock+B9j
		or	dword ptr [ebx+68h], 2
		jmp	short loc_7BA7E3
; 

loc_7BA83A:				; CODE XREF: WmipOpenBlock+A3j
					; WmipOpenBlock+A8j ...
		mov	esi, 0C0000295h
		jmp	short loc_7BA803
; 

loc_7BA841:				; CODE XREF: WmipOpenBlock+DDj
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	short loc_7BA807
; 

loc_7BA84A:				; CODE XREF: WmipOpenBlock+BDj
		xor	esi, esi
		mov	edi, offset _WmipSMMutex
		push	esi
		push	esi
		push	esi
		push	esi
		push	edi
		call	KeWaitForSingleObject
		call	_WmipAllocGuidEntry@0 ;	WmipAllocGuidEntry()
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	loc_8EDA1D
		lea	edi, [eax+28h]
		mov	eax, _WmipGEHeadPtr
		lea	esi, [ebx+10h]
		movsd
		movsd
		movsd
		movsd
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_7BA8C5
		mov	esi, [ebp+arg_4]
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[ecx+4], esi
		lea	ecx, [esi+18h]
		mov	[eax], esi
		lea	eax, [ebx+20h]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_7BA8C5
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		push	0
		mov	[ecx+4], eax
		push	offset _WmipSMMutex
		mov	[ebx+28h], esi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	edi, [ebp+var_C]
		jmp	loc_7BA7E7
; 

loc_7BA8BC:				; CODE XREF: WmipOpenBlock+48j
		or	dword ptr [ebx+68h], 1
		jmp	loc_7BA7FA
; 

loc_7BA8C5:				; CODE XREF: WmipOpenBlock+79j
					; WmipOpenBlock+157j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
WmipOpenBlock	endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipOpenGuidObject(x, x, x,	x)
_WmipOpenGuidObject@16 proc near	; CODE XREF: WmipOpenBlock+2Dp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		and	[ebp+var_18], 0
		lea	edi, [ebp+var_14]
		mov	[ebp+var_1C], eax
		mov	ebx, ecx
		xor	eax, eax
		stosd
		push	10h		; size_t
		push	offset ??_C@_1BE@BICDJNGE@?$AA?2?$AAW?$AAm?$AAi?$AAG?$AAu?$AAi?$AAd?$AA?2@NNGAKEGL@ ; "\\WmiGuid\\"
		stosd
		stosd
		stosd
		mov	eax, [ebx+8]
		mov	esi, [eax+4]
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7BA94E
		lea	ecx, [esi+12h]
		lea	edx, [ebp+var_14]
		call	_WmipUuidFromString@8 ;	WmipUuidFromString(x,x)
		test	eax, eax
		js	short loc_7BA93D
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_14]
		mov	ecx, ebx
		push	eax
		call	_WmipCreateGuidObject@16 ; WmipCreateGuidObject(x,x,x,x)
		test	eax, eax
		js	short loc_7BA93D
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+var_18]
		mov	[ecx], eax
		xor	eax, eax

loc_7BA93D:				; CODE XREF: WmipOpenGuidObject(x,x,x,x)+51j
					; WmipOpenGuidObject(x,x,x,x)+67j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_7BA94E:				; CODE XREF: WmipOpenGuidObject(x,x,x,x)+42j
		mov	eax, 0C000000Dh
		jmp	short loc_7BA93D
_WmipOpenGuidObject@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipCreateGuidObject(x, x, x, x)
_WmipCreateGuidObject@16 proc near	; CODE XREF: WmipOpenGuidObject(x,x,x,x)+60p

var_188		= dword	ptr -188h
var_178		= dword	ptr -178h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_80		= dword	ptr -80h
var_64		= dword	ptr -64h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_158], eax
		push	74h		; size_t
		lea	eax, [ebp+var_80]
		mov	[ebp+var_154], edx
		push	ebx		; int
		push	eax		; void *
		mov	esi, ecx
		mov	[ebp+var_150], ebx
		mov	[ebp+var_160], ebx
		mov	[ebp+var_15C], ebx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_148]
		push	0C4h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esi+8]
		add	esp, 0Ch
		mov	[ebp+var_14C], ebx
		mov	eax, [eax+4]
		add	eax, 12h
		push	eax
		lea	eax, [ebp+var_160]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ecx
		lea	edx, [ebp+var_150]
		lea	ecx, [ebp+var_160]
		call	WmipGetGuidSecurityDescriptor
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7BAB27
		mov	eax, [ebp+var_150]
		lea	edi, [ebp+var_178]
		push	6
		pop	ecx
		push	offset _WmipGenericMapping ; int
		push	[ebp+var_154]	; int
		rep movsd
		and	[ebp+var_170], 0
		lea	edx, [ebp+var_148]
		mov	[ebp+var_168], eax
		mov	eax, large fs:124h
		mov	ecx, large fs:124h
		push	edx		; void *
		lea	edx, [ebp+var_80]
		mov	[ebp+var_16C], 280h
		mov	eax, [eax+80h]
		push	edx		; void *
		push	eax		; int
		push	ecx		; int
		call	_SeCreateAccessStateEx@24 ; SeCreateAccessStateEx(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7BAB0D
		lea	esi, [ebp+var_64]
		mov	edx, ds:_WmipGuidObjectType
		lea	edi, [ebp+var_188]
		movsd
		lea	eax, [ebp+var_14C]
		movsd
		movsd
		movsd
		mov	esi, offset _WmipSystemSubjectContext
		lea	edi, [ebp+var_64]
		movsd
		movsd
		movsd
		movsd
		xor	esi, esi
		push	esi
		push	eax
		push	esi
		push	esi
		push	6Ch
		push	ecx
		push	esi
		lea	eax, [ebp+var_178]
		xor	cl, cl
		push	eax
		call	ObCreateObjectEx
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7BAAEF
		mov	ebx, [ebp+var_14C]
		push	6Ch		; size_t
		push	esi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		push	esi
		push	esi
		push	ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	esi, [ebp+arg_0]
		lea	edi, [ebx+10h]
		mov	eax, 1000h
		lea	edx, [ebp+var_80]
		mov	[ebx+44h], eax
		mov	ecx, ebx
		mov	[ebx+58h], eax
		movsd
		movsd
		movsd
		movsd
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	[ebp+var_154]
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7BAAEF
		mov	ecx, [ebp+var_158]
		mov	ebx, esi
		mov	eax, [ebp+var_14C]
		mov	[ecx], eax

loc_7BAAEF:				; CODE XREF: WmipCreateGuidObject(x,x,x,x)+13Cj
					; WmipCreateGuidObject(x,x,x,x)+187j
		lea	esi, [ebp+var_188]
		lea	edi, [ebp+var_64]
		movsd
		lea	ecx, [ebp+var_80]
		movsd
		movsd
		movsd
		call	SepDeleteAccessState
		lea	eax, [ebp+var_64]
		push	eax
		call	SeReleaseSubjectContext

loc_7BAB0D:				; CODE XREF: WmipCreateGuidObject(x,x,x,x)+F5j
		mov	eax, [ebp+var_150]
		test	eax, eax
		jz	short loc_7BAB27
		cmp	eax, ds:_WmipDefaultAccessSd
		jz	short loc_7BAB27
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7BAB27:				; CODE XREF: WmipCreateGuidObject(x,x,x,x)+93j
					; WmipCreateGuidObject(x,x,x,x)+1BFj ...
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_WmipCreateGuidObject@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipGetGuidSecurityDescriptor proc near	; CODE XREF: WmipCreateGuidObject(x,x,x,x)+8Ap

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EDA2E SIZE 00000086 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_70], edx
		push	edi
		push	54h		; size_t
		mov	ebx, eax
		mov	[ebp+var_68], eax
		push	eax		; int
		mov	[ebp+var_64], eax
		mov	edi, eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_6C], ebx
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		and	[ebp+var_40], ebx
		lea	eax, [ebp+var_68]
		add	esp, 0Ch
		mov	[ebp+var_54], eax
		mov	eax, [esi+4]
		mov	edx, offset _WmipSDRegistryQueryRoutine@24 ; WmipSDRegistryQueryRoutine(x,x,x,x,x,x)
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_60]
		push	3
		pop	ecx
		push	1
		push	ecx
		push	ebx
		push	eax
		push	2
		mov	[ebp+var_60], edx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_44], edx
		mov	edx, offset ??_C@_1BK@FCPONPHF@?$AAW?$AAM?$AAI?$AA?2?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy@NNGAKEGL@
		mov	[ebp+var_34], ecx
		pop	ecx
		mov	[ebp+var_3C], offset ??_C@_1EK@ELAFIBPG@?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0@NNGAKEGL@	; "00000000-0000-0000-0000-000000000000"
		call	RtlpQueryRegistryValues
		mov	esi, [ebp+var_70]
		and	[esi], ebx
		test	eax, eax
		js	short loc_7BAC28

loc_7BABC0:				; CODE XREF: WmipGetGuidSecurityDescriptor+132F25j
		test	ebx, ebx
		jnz	loc_8EDA2E

loc_7BABC8:				; CODE XREF: WmipGetGuidSecurityDescriptor+132F05j
		lea	eax, [ebp+var_6C]
		push	eax		; int
		push	ebx		; int
		push	edi		; void *
		xor	ebx, ebx
		push	ebx		; int
		push	ebx		; void *
		push	ebx		; int
		push	offset ??_C@_1CA@GCICNJFG@?$AAE?$AAT?$AAW?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@	; "ETWSecurityPath"
		call	RtlGetPersistedStateLocation
		cmp	eax, 80000005h
		jz	loc_8EDA4F
		test	eax, eax
		jz	loc_8EDA64

loc_7BABF0:				; CODE XREF: WmipGetGuidSecurityDescriptor+132F67j
		mov	eax, [ebp+var_68]
		test	eax, eax
		jz	short loc_7BAC1D
		mov	[esi], eax
		cmp	[ebp+var_64], ebx
		jnz	loc_8EDAA6

loc_7BAC02:				; CODE XREF: WmipGetGuidSecurityDescriptor+E8j
					; WmipGetGuidSecurityDescriptor+ECj ...
		cmp	[esi], ebx
		jz	short loc_7BAC2A

loc_7BAC06:				; CODE XREF: WmipGetGuidSecurityDescriptor+F7j
		test	edi, edi
		jnz	short loc_7BAC33

loc_7BAC0A:				; CODE XREF: WmipGetGuidSecurityDescriptor+100j
		xor	eax, eax

loc_7BAC0C:				; CODE XREF: WmipGetGuidSecurityDescriptor+132F10j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7BAC1D:				; CODE XREF: WmipGetGuidSecurityDescriptor+BBj
		mov	eax, [ebp+var_64]
		test	eax, eax
		jz	short loc_7BAC02
		mov	[esi], eax
		jmp	short loc_7BAC02
; 

loc_7BAC28:				; CODE XREF: WmipGetGuidSecurityDescriptor+84j
		xor	ebx, ebx

loc_7BAC2A:				; CODE XREF: WmipGetGuidSecurityDescriptor+CAj
		mov	eax, ds:_WmipDefaultAccessSd
		mov	[esi], eax
		jmp	short loc_7BAC06
; 

loc_7BAC33:				; CODE XREF: WmipGetGuidSecurityDescriptor+CEj
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7BAC0A
WmipGetGuidSecurityDescriptor endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1973. RtlCheckRegistryKey

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCheckRegistryKey(x, x)
		public _RtlCheckRegistryKey@8
_RtlCheckRegistryKey@8 proc near	; CODE XREF: RtlCheckPortableOperatingSystem+15p
					; WheapCommitPolicy()+10p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_4], 0
		push	eax
		push	0
		call	RtlpGetRegistryHandle
		test	eax, eax
		jns	short loc_7BAC65

locret_7BAC61:				; CODE XREF: RtlCheckRegistryKey(x,x)+36j
		leave
		retn	8
; 

loc_7BAC65:				; CODE XREF: RtlCheckRegistryKey(x,x)+1Dj
		test	[ebp+arg_0], 40000000h
		jnz	short loc_7BAC76
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_7BAC76:				; CODE XREF: RtlCheckRegistryKey(x,x)+2Aj
		xor	eax, eax
		jmp	short locret_7BAC61
_RtlCheckRegistryKey@8 endp

; 
		align 10h
; Exported entry 2410. RtlWriteRegistryValue

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlWriteRegistryValue(x, x,	x, x, x, x)
		public _RtlWriteRegistryValue@24
_RtlWriteRegistryValue@24 proc near	; CODE XREF: RtlSetPortableOperatingSystem(x)+21p
					; ExpWriteSiloTimeZoneMarker(x)+21p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		push	eax
		push	1
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	RtlpGetRegistryHandle
		test	eax, eax
		js	short loc_7BACDE
		push	[ebp+arg_8]
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+arg_14]
		mov	eax, [ebp+arg_C]
		push	[ebp+arg_10]
		and	eax, 0FFFFFFh
		push	eax
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		test	[ebp+arg_0], 40000000h
		mov	esi, eax
		jz	short loc_7BACE3

loc_7BACDC:				; CODE XREF: RtlWriteRegistryValue(x,x,x,x,x,x)+6Bj
		mov	eax, esi

loc_7BACDE:				; CODE XREF: RtlWriteRegistryValue(x,x,x,x,x,x)+27j
		pop	esi
		leave
		retn	18h
; 

loc_7BACE3:				; CODE XREF: RtlWriteRegistryValue(x,x,x,x,x,x)+5Aj
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_7BACDC
_RtlWriteRegistryValue@24 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2298. RtlQueryRegistryValuesEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlQueryRegistryValuesEx(x,	x, x, x, x)
		public _RtlQueryRegistryValuesEx@20
_RtlQueryRegistryValuesEx@20 proc near	; CODE XREF: RtlCheckPortableOperatingSystem+55p
					; RtlpFindRegTziForCurrentYear+DCp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	1
		push	ecx
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_8]
		call	RtlpQueryRegistryValues
		pop	ebp
		retn	14h
_RtlQueryRegistryValuesEx@20 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2297. RtlQueryRegistryValues

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlQueryRegistryValues(x, x, x, x, x)
		public _RtlQueryRegistryValues@20
_RtlQueryRegistryValues@20 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	0
		push	ecx
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_8]
		call	RtlpQueryRegistryValues
		pop	ebp
		retn	14h
_RtlQueryRegistryValues@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpQueryRegistryValues	proc near	; CODE XREF: ExpReadTimeZoneInformation+53p
					; RtlpQueryTimeZoneInformationWorker(x,x)+1ABp	...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008EDAB4 SIZE 000000E2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [esp+58h+var_18]
		push	6
		pop	ecx
		xor	eax, eax
		mov	esi, edx
		rep stosd
		xor	ecx, ecx
		lea	eax, [esp+58h+var_40]
		push	eax
		mov	[esp+5Ch+var_20], ecx
		mov	[esp+5Ch+var_1C], ecx
		mov	[esp+5Ch+var_28], ecx
		mov	[esp+5Ch+var_24], ecx
		mov	[esp+5Ch+var_40], ecx
		mov	[esp+5Ch+var_48], ecx
		push	ecx
		mov	ecx, ebx
		call	RtlpGetRegistryHandle
		mov	[esp+58h+var_4C], eax
		test	eax, eax
		js	loc_7BAF69
		and	ebx, 40000000h
		mov	eax, ebx
		mov	[esp+58h+var_2C], ebx
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, esi
		push	eax
		lea	eax, [esp+5Ch+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+58h+var_4C]
		mov	[esp+58h+var_38], 84h
		push	eax
		push	ecx
		xor	edx, edx
		lea	ecx, [esp+60h+var_38]
		call	_RtlpAllocDeallocQueryBuffer@16	; RtlpAllocDeallocQueryBuffer(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8EDAB4
		and	dword ptr [edi+8], 0
		mov	eax, [esp+58h+var_40]
		mov	ebx, [ebp+arg_0]
		mov	esi, [esp+58h+var_4C]
		mov	[esp+58h+var_3C], 82h
		mov	[esp+58h+var_44], eax

loc_7BADDF:				; CODE XREF: RtlpQueryRegistryValues+1A0j
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_7BADEF
		test	byte ptr [ebx+4], 21h
		jz	loc_7BAF32

loc_7BADEF:				; CODE XREF: RtlpQueryRegistryValues+B1j
		mov	ecx, [ebx+4]
		test	cl, 20h
		jz	short loc_7BAE12
		cmp	dword ptr [ebx+8], 0
		jz	loc_8EDB6D
		test	cl, 1
		jnz	loc_8EDB6D
		test	eax, eax
		jnz	loc_8EDB6D

loc_7BAE12:				; CODE XREF: RtlpQueryRegistryValues+C3j
		test	cl, 3
		jnz	loc_7BB000

loc_7BAE1B:				; CODE XREF: RtlpQueryRegistryValues+2D6j
					; RtlpQueryRegistryValues+132DA9j
		mov	eax, [ebx+8]
		test	cl, 1
		jnz	loc_7BAED7
		test	eax, eax
		jz	loc_7BB013
		push	eax
		lea	eax, [esp+5Ch+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [esp+58h+var_3C]
		xor	ecx, ecx

loc_7BAE40:				; CODE XREF: RtlpQueryRegistryValues+2BBj
		mov	eax, ecx
		inc	ecx
		mov	[esp+58h+var_30], ecx
		cmp	eax, 4
		jg	loc_8EDB80
		lea	eax, [esp+58h+var_48]
		push	eax
		push	edx
		push	edi
		push	1
		lea	eax, [esp+68h+var_28]
		push	eax
		push	[esp+6Ch+var_44]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		mov	[esp+58h+var_4C], esi
		cmp	esi, 80000005h
		jz	loc_7BAFF2

loc_7BAE79:				; CODE XREF: RtlpQueryRegistryValues+2C9j
		test	esi, esi
		js	loc_7BAF72
		cmp	dword ptr [edi+4], 7
		jz	loc_7BB109

loc_7BAE8B:				; CODE XREF: RtlpQueryRegistryValues+3E5j
		push	[ebp+arg_C]
		mov	eax, [esp+5Ch+var_3C]
		mov	edx, ebx
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, [esp+64h+var_44]
		mov	[esp+64h+var_48], eax
		lea	eax, [esp+64h+var_48]
		push	eax
		push	edi
		call	RtlpCallQueryRegistryRoutine
		mov	esi, eax
		mov	[esp+58h+var_4C], esi
		cmp	esi, 0C0000023h
		jz	loc_7BAFB4
		test	esi, esi
		js	short loc_7BAF32
		test	byte ptr [ebx+4], 40h
		jnz	loc_8EDAE0

loc_7BAECB:				; CODE XREF: RtlpQueryRegistryValues+27Cj
					; RtlpQueryRegistryValues+3D2j	...
		test	esi, esi
		js	short loc_7BAF32
		add	ebx, 1Ch
		jmp	loc_7BADDF
; 

loc_7BAED7:				; CODE XREF: RtlpQueryRegistryValues+EFj
		test	eax, eax
		jz	loc_8EDB6D
		push	eax
		lea	eax, [esp+5Ch+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [esp+58h+var_40]
		and	[esp+58h+var_8], 0
		and	[esp+58h+var_4], 0
		mov	[esp+58h+var_14], eax
		lea	eax, [esp+58h+var_20]
		mov	[esp+58h+var_10], eax
		lea	eax, [esp+58h+var_18]
		push	eax
		push	2000000h
		lea	eax, [esp+60h+var_44]
		mov	[esp+60h+var_18], 18h
		push	eax
		mov	[esp+64h+var_C], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_7BB12A

loc_7BAF32:				; CODE XREF: RtlpQueryRegistryValues+B7j
					; RtlpQueryRegistryValues+18Dj	...
		cmp	[esp+58h+var_2C], 0
		jnz	short loc_7BAF49
		cmp	[esp+58h+var_40], 0
		jz	short loc_7BAF49
		push	[esp+58h+var_40]
		call	_ZwClose@4	; ZwClose(x)

loc_7BAF49:				; CODE XREF: RtlpQueryRegistryValues+205j
					; RtlpQueryRegistryValues+20Cj
		mov	eax, [esp+58h+var_44]
		test	eax, eax
		jz	short loc_7BAF5B
		cmp	eax, [esp+58h+var_40]
		jnz	loc_7BB138

loc_7BAF5B:				; CODE XREF: RtlpQueryRegistryValues+21Dj
					; RtlpQueryRegistryValues+40Cj
		push	0
		push	ecx
		mov	edx, edi
		xor	ecx, ecx
		call	_RtlpAllocDeallocQueryBuffer@16	; RtlpAllocDeallocQueryBuffer(x,x,x,x)
		mov	eax, esi

loc_7BAF69:				; CODE XREF: RtlpQueryRegistryValues+4Aj
					; RtlpQueryRegistryValues+132D93j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7BAF72:				; CODE XREF: RtlpQueryRegistryValues+149j
		cmp	esi, 0C0000034h
		jnz	short loc_7BAFA8
		push	[ebp+arg_C]
		and	dword ptr [edi+4], 0
		mov	edx, ebx
		and	dword ptr [edi+0Ch], 0
		mov	eax, [esp+5Ch+var_3C]
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, [esp+64h+var_44]
		mov	[esp+64h+var_48], eax
		lea	eax, [esp+64h+var_48]
		push	eax
		push	edi
		call	RtlpCallQueryRegistryRoutine
		mov	esi, eax
		mov	[esp+58h+var_4C], esi

loc_7BAFA8:				; CODE XREF: RtlpQueryRegistryValues+246j
		cmp	esi, 0C0000023h
		jnz	loc_7BAECB

loc_7BAFB4:				; CODE XREF: RtlpQueryRegistryValues+185j
		mov	esi, [esp+58h+var_48]
		lea	eax, [esp+58h+var_4C]
		push	eax
		push	ecx
		add	esi, 6
		lea	ecx, [esp+60h+var_38]
		mov	edx, edi
		mov	[esp+60h+var_38], esi
		call	_RtlpAllocDeallocQueryBuffer@16	; RtlpAllocDeallocQueryBuffer(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8EDB77
		and	dword ptr [edi+8], 0
		lea	edx, [esi-2]
		mov	esi, [esp+58h+var_4C]
		mov	ecx, [esp+58h+var_30]
		mov	[esp+58h+var_3C], edx
		jmp	loc_7BAE40
; 

loc_7BAFF2:				; CODE XREF: RtlpQueryRegistryValues+141j
		mov	esi, 0C0000023h
		mov	[esp+58h+var_4C], esi
		jmp	loc_7BAE79
; 

loc_7BB000:				; CODE XREF: RtlpQueryRegistryValues+E3j
		mov	eax, [esp+58h+var_44]
		cmp	eax, [esp+58h+var_40]
		jz	loc_7BAE1B
		jmp	loc_8EDACA
; 

loc_7BB013:				; CODE XREF: RtlpQueryRegistryValues+F7j
		test	cl, 8
		jnz	loc_8EDAF3

loc_7BB01C:				; CODE XREF: RtlpQueryRegistryValues+3FBj
		xor	eax, eax
		xor	ecx, ecx
		mov	[esp+58h+var_30], eax

loc_7BB024:				; CODE XREF: RtlpQueryRegistryValues+379j
		lea	eax, [esp+58h+var_48]
		mov	[esp+58h+var_34], ecx
		push	eax
		push	[esp+5Ch+var_3C]
		push	edi
		push	1
		push	ecx
		push	[esp+6Ch+var_44]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	esi, eax
		mov	[esp+58h+var_4C], esi
		cmp	esi, 80000005h
		jz	loc_7BB11C

loc_7BB050:				; CODE XREF: RtlpQueryRegistryValues+3F3j
		cmp	esi, 8000001Ah
		jz	loc_7BB0F7
		test	esi, esi
		js	short loc_7BB086
		push	[ebp+arg_C]
		mov	eax, [esp+5Ch+var_3C]
		mov	edx, ebx
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, [esp+64h+var_44]
		mov	[esp+64h+var_48], eax
		lea	eax, [esp+64h+var_48]
		push	eax
		push	edi
		call	RtlpCallQueryRegistryRoutine
		mov	esi, eax
		mov	[esp+58h+var_4C], esi

loc_7BB086:				; CODE XREF: RtlpQueryRegistryValues+32Cj
		cmp	esi, 0C0000023h
		jz	short loc_7BB0B0
		test	esi, esi
		js	loc_7BAF32
		xor	eax, eax
		test	byte ptr [ebx+4], 40h
		mov	[esp+58h+var_30], eax
		jnz	loc_8EDB0A
		mov	ecx, [esp+58h+var_34]

loc_7BB0AA:				; CODE XREF: RtlpQueryRegistryValues+3BEj
					; RtlpQueryRegistryValues+132E05j ...
		inc	ecx
		jmp	loc_7BB024
; 

loc_7BB0B0:				; CODE XREF: RtlpQueryRegistryValues+35Aj
		mov	esi, [esp+58h+var_48]
		lea	eax, [esp+58h+var_4C]
		push	eax
		push	ecx
		add	esi, 6
		lea	ecx, [esp+60h+var_38]
		mov	edx, edi
		mov	[esp+60h+var_38], esi
		call	_RtlpAllocDeallocQueryBuffer@16	; RtlpAllocDeallocQueryBuffer(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7BB143
		and	dword ptr [edi+8], 0
		lea	eax, [esi-2]
		mov	edx, [esp+58h+var_30]
		mov	ecx, [esp+58h+var_34]
		mov	[esp+58h+var_3C], eax
		dec	ecx
		mov	eax, edx
		inc	edx
		mov	[esp+58h+var_30], edx
		cmp	eax, 4
		jle	short loc_7BB0AA
		jmp	loc_8EDB43
; 

loc_7BB0F7:				; CODE XREF: RtlpQueryRegistryValues+324j
		cmp	[esp+58h+var_34], 0
		jz	loc_8EDB59

loc_7BB102:				; CODE XREF: RtlpQueryRegistryValues+132E2Bj
		xor	esi, esi
		jmp	loc_7BAECB
; 

loc_7BB109:				; CODE XREF: RtlpQueryRegistryValues+153j
		mov	eax, [esp+58h+var_48]
		xor	ecx, ecx
		mov	[eax+edi], cx
		add	dword ptr [edi+0Ch], 2
		jmp	loc_7BAE8B
; 

loc_7BB11C:				; CODE XREF: RtlpQueryRegistryValues+318j
		mov	esi, 0C0000023h
		mov	[esp+58h+var_4C], esi
		jmp	loc_7BB050
; 

loc_7BB12A:				; CODE XREF: RtlpQueryRegistryValues+1FAj
		cmp	dword ptr [ebx], 0
		jnz	loc_7BB01C
		jmp	loc_7BAECB
; 

loc_7BB138:				; CODE XREF: RtlpQueryRegistryValues+223j
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7BAF5B
; 

loc_7BB143:				; CODE XREF: RtlpQueryRegistryValues+39Ej
					; RtlpQueryRegistryValues+132E22j
		mov	esi, [esp+58h+var_4C]
		jmp	loc_7BAECB
RtlpQueryRegistryValues	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCallQueryRegistryRoutine proc near	; CODE XREF: RtlpQueryRegistryValues+174p
					; RtlpQueryRegistryValues+26Bp	...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 008EDB96 SIZE 000000C4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_18], ecx
		mov	edx, [ebp+arg_4]
		xor	ecx, ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [edx]
		mov	[ebp+var_14], eax
		add	eax, edi
		mov	[edx], ecx
		movzx	edx, byte ptr [ebx+10h]
		mov	[ebp+var_C], eax
		mov	eax, [edi+4]
		mov	[ebp+var_8], edi
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_7BB2BF
		mov	esi, [edi+8]
		mov	[ebp+var_10], esi
		cmp	esi, 0FFFFFFFFh
		jz	loc_7BB2BF
		mov	esi, [edi+0Ch]
		test	esi, esi
		jz	loc_8EDB96

loc_7BB19F:				; CODE XREF: RtlpCallQueryRegistryRoutine+132A52j
		test	byte ptr [ebx+4], 20h
		jz	loc_7BB236
		mov	eax, [ebx+8]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+var_10]

loc_7BB1B2:				; CODE XREF: RtlpCallQueryRegistryRoutine+157j
		add	edi, eax

loc_7BB1B4:				; CODE XREF: RtlpCallQueryRegistryRoutine+253j
					; RtlpCallQueryRegistryRoutine+132A85j
		mov	edx, [ebp+arg_0]

loc_7BB1B7:				; CODE XREF: RtlpCallQueryRegistryRoutine+18Cj
					; RtlpCallQueryRegistryRoutine+1B1j
		mov	ecx, [ebx+4]
		mov	eax, ecx
		and	eax, 20h
		mov	[ebp+var_10], eax
		jz	short loc_7BB1DC
		test	ecx, 100h
		jz	loc_7BB3A4
		movzx	eax, byte ptr [ebx+13h]
		cmp	eax, edx
		jnz	loc_8EDBD6

loc_7BB1DC:				; CODE XREF: RtlpCallQueryRegistryRoutine+76j
					; RtlpCallQueryRegistryRoutine+25Aj ...
		test	cl, 10h
		jnz	short loc_7BB1F3
		cmp	edx, 7
		jz	loc_7BB32C
		cmp	edx, 2
		jz	loc_7BB3B1

loc_7BB1F3:				; CODE XREF: RtlpCallQueryRegistryRoutine+93j
					; RtlpCallQueryRegistryRoutine+26Dj ...
		cmp	[ebp+var_10], 0
		jz	short loc_7BB226
		cmp	[ebp+arg_10], 0
		jnz	loc_7BB2A8

loc_7BB203:				; CODE XREF: RtlpCallQueryRegistryRoutine+168j
		push	dword ptr [ebx+0Ch] ; void *
		mov	ecx, [ebp+arg_0] ; int
		mov	edx, edi	; void *
		push	esi		; size_t
		call	RtlpQueryRegistryDirect

loc_7BB211:				; CODE XREF: RtlpCallQueryRegistryRoutine+E8j
		mov	ecx, eax
		lea	eax, [ecx+3FFFFFDDh]
		neg	eax
		sbb	eax, eax
		and	eax, ecx

loc_7BB21F:				; CODE XREF: RtlpCallQueryRegistryRoutine+16Ej
					; RtlpCallQueryRegistryRoutine+1C1j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7BB226:				; CODE XREF: RtlpCallQueryRegistryRoutine+ABj
		push	dword ptr [ebx+0Ch]
		push	[ebp+arg_8]
		push	esi
		push	edi
		push	edx
		push	[ebp+var_4]
		call	dword ptr [ebx]
		jmp	short loc_7BB211
; 

loc_7BB236:				; CODE XREF: RtlpCallQueryRegistryRoutine+57j
		mov	edx, [edi+10h]
		test	esi, esi
		jz	loc_8EDBA3
		mov	ecx, [ebp+var_10]
		add	ecx, esi
		add	ecx, edi

loc_7BB248:				; CODE XREF: RtlpCallQueryRegistryRoutine+132A5Cj
		add	ecx, 7
		lea	esi, [edx+2]
		and	ecx, 0FFFFFFF8h
		mov	[ebp+var_4], ecx
		cmp	esi, 2
		jb	loc_7BB3EC
		mov	eax, [ebp+var_C]
		sub	eax, ecx
		cmp	eax, esi
		jl	loc_7BB312
		push	edx		; size_t
		lea	eax, [edi+14h]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [edi+10h]
		xor	edx, edx
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	[ecx+eax], dx
		add	ecx, 7
		mov	eax, [ebp+var_C]
		add	ecx, esi
		mov	esi, [edi+0Ch]
		and	ecx, 0FFFFFFF8h
		sub	eax, ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_14], eax
		mov	eax, [edi+4]
		mov	[ebp+arg_0], eax
		mov	eax, [edi+8]
		jmp	loc_7BB1B2
; 

loc_7BB2A8:				; CODE XREF: RtlpCallQueryRegistryRoutine+B1j
		mov	edx, ecx
		mov	ecx, [ebp+var_18]
		call	RtlpValidateKeyTrust
		test	eax, eax
		jns	loc_7BB203
		jmp	loc_7BB21F
; 

loc_7BB2BF:				; CODE XREF: RtlpCallQueryRegistryRoutine+33j
					; RtlpCallQueryRegistryRoutine+42j ...
		mov	eax, edx
		test	eax, eax
		jz	short loc_7BB302
		mov	edx, [ebx+8]
		mov	esi, [ebx+18h]
		mov	edi, [ebx+14h]
		mov	[ebp+var_4], edx
		mov	edx, eax
		mov	[ebp+arg_0], edx
		test	esi, esi
		jnz	loc_7BB1B7
		mov	edx, edi
		cmp	eax, 1
		jz	loc_7BB38C
		cmp	eax, 2
		jz	loc_7BB38C
		cmp	eax, 7
		jz	loc_8EDBAD
		mov	edx, eax
		jmp	loc_7BB1B7
; 

loc_7BB302:				; CODE XREF: RtlpCallQueryRegistryRoutine+177j
		test	byte ptr [ebx+4], 4

loc_7BB306:				; CODE XREF: RtlpCallQueryRegistryRoutine+132AAAj
		jz	short loc_7BB325
		mov	eax, 0C0000034h
		jmp	loc_7BB21F
; 

loc_7BB312:				; CODE XREF: RtlpCallQueryRegistryRoutine+118j
		mov	eax, [ebp+arg_4]
		sub	esi, edi
		add	esi, ecx
		mov	[eax], esi
		mov	eax, 0C0000023h
		jmp	loc_7BB21F
; 

loc_7BB325:				; CODE XREF: RtlpCallQueryRegistryRoutine:loc_7BB306j
					; RtlpCallQueryRegistryRoutine+1ECj
		xor	eax, eax
		jmp	loc_7BB21F
; 

loc_7BB32C:				; CODE XREF: RtlpCallQueryRegistryRoutine+98j
		lea	eax, [esi-4]
		mov	esi, edi
		add	eax, edi
		mov	[ebp+arg_0], eax
		cmp	edi, eax
		jnb	short loc_7BB325

loc_7BB33A:				; CODE XREF: RtlpCallQueryRegistryRoutine+1F7j
					; RtlpCallQueryRegistryRoutine+236j
		movzx	eax, word ptr [esi]
		add	esi, 2
		test	ax, ax
		jnz	short loc_7BB33A
		mov	edx, [ebx+4]
		mov	eax, esi
		sub	eax, edi
		mov	[ebp+arg_4], eax
		test	dl, 20h
		jnz	loc_8EDBFB
		push	dword ptr [ebx+0Ch]
		push	[ebp+arg_8]
		push	eax
		push	edi
		push	1
		push	[ebp+var_4]
		call	dword ptr [ebx]

loc_7BB367:				; CODE XREF: RtlpCallQueryRegistryRoutine+132ADAj
		mov	ecx, eax
		lea	eax, [ecx+3FFFFFDDh]
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+arg_4], eax
		jl	short loc_7BB384
		mov	edi, esi
		mov	[ebp+arg_4], eax
		cmp	esi, [ebp+arg_0]
		jb	short loc_7BB33A

loc_7BB384:				; CODE XREF: RtlpCallQueryRegistryRoutine+22Cj
		mov	eax, [ebp+arg_4]
		jmp	loc_7BB21F
; 

loc_7BB38C:				; CODE XREF: RtlpCallQueryRegistryRoutine+197j
					; RtlpCallQueryRegistryRoutine+1A0j
		test	edi, edi
		jz	short loc_7BB3EC

loc_7BB390:				; CODE XREF: RtlpCallQueryRegistryRoutine+24Dj
		movzx	eax, word ptr [edx]
		add	edx, 2
		test	ax, ax
		jnz	short loc_7BB390
		mov	esi, edx
		sub	esi, edi
		jmp	loc_7BB1B4
; 

loc_7BB3A4:				; CODE XREF: RtlpCallQueryRegistryRoutine+7Ej
		test	cl, cl
		jns	loc_7BB1DC
		jmp	loc_8EDBE0
; 

loc_7BB3B1:				; CODE XREF: RtlpCallQueryRegistryRoutine+A1j
		lea	eax, [esi-2]
		cmp	eax, 0FFFAh
		ja	loc_7BB1F3
		mov	edx, [ebp+arg_0]
		mov	[ebp+arg_4], edi
		test	eax, eax
		jz	loc_7BB1F3

loc_7BB3CD:				; CODE XREF: RtlpCallQueryRegistryRoutine+299j
		mov	edx, [ebp+arg_4]
		cmp	word ptr [edx],	25h
		mov	edx, [ebp+arg_0]
		jz	loc_8EDC2B
		add	[ebp+arg_4], 2
		dec	eax
		sub	eax, 1
		jnz	short loc_7BB3CD
		jmp	loc_7BB1F3
; 

loc_7BB3EC:				; CODE XREF: RtlpCallQueryRegistryRoutine+10Bj
					; RtlpCallQueryRegistryRoutine+242j ...
		mov	eax, 0C000003Ch
		jmp	loc_7BB21F
RtlpCallQueryRegistryRoutine endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlpQueryRegistryDirect(int,void *,size_t,void	*)
RtlpQueryRegistryDirect	proc near	; CODE XREF: RtlpCallQueryRegistryRoutine+C0p
					; RtlpCallQueryRegistryRoutine+132AD1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EDC5A SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		cmp	esi, 1
		jz	short loc_7BB44C
		cmp	esi, 2
		jz	short loc_7BB44C
		cmp	esi, 7
		jz	short loc_7BB44C
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 4
		ja	short loc_7BB438
		cmp	[ebp+arg_4], ebx
		jz	short loc_7BB42F
		test	ecx, ecx
		jz	short loc_7BB42F
		push	ecx		; size_t
		push	ebx		; void *
		push	[ebp+arg_4]	; void *

loc_7BB427:				; CODE XREF: RtlpQueryRegistryDirect+54j
					; RtlpQueryRegistryDirect+BAj
		call	_memcpy

loc_7BB42C:				; CODE XREF: RtlpQueryRegistryDirect+86j
		add	esp, 0Ch

loc_7BB42F:				; CODE XREF: RtlpQueryRegistryDirect+26j
					; RtlpQueryRegistryDirect+2Aj
		xor	eax, eax

loc_7BB431:				; CODE XREF: RtlpQueryRegistryDirect+C4j
					; RtlpQueryRegistryDirect+132869j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7BB438:				; CODE XREF: RtlpQueryRegistryDirect+21j
		mov	edi, [ebp+arg_4]
		mov	edx, [edi]
		test	edx, edx
		jns	short loc_7BB49E
		neg	edx
		cmp	edx, ecx
		jb	short loc_7BB4B5
		push	ecx
		push	ebx
		push	edi
		jmp	short loc_7BB427
; 

loc_7BB44C:				; CODE XREF: RtlpQueryRegistryDirect+Fj
					; RtlpQueryRegistryDirect+14j ...
		mov	eax, [ebp+arg_0]
		mov	esi, 0FFFEh
		cmp	eax, esi
		ja	short loc_7BB45B
		movzx	esi, ax

loc_7BB45B:				; CODE XREF: RtlpQueryRegistryDirect+60j
		mov	edi, [ebp+arg_4]
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_7BB47E
		cmp	si, [edi+2]
		ja	short loc_7BB4B5
		movzx	ecx, si

loc_7BB46E:				; CODE XREF: RtlpQueryRegistryDirect+A6j
		push	ecx		; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		lea	eax, [esi-2]
		mov	[edi], ax
		jmp	short loc_7BB42C
; 

loc_7BB47E:				; CODE XREF: RtlpQueryRegistryDirect+6Dj
		movzx	eax, si
		push	eax
		mov	[ebp+arg_4], eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[edi+4], eax
		test	eax, eax
		jz	loc_8EDC5A
		mov	ecx, [ebp+arg_4]
		mov	[edi+2], si
		jmp	short loc_7BB46E
; 

loc_7BB49E:				; CODE XREF: RtlpQueryRegistryDirect+49j
		lea	eax, [ecx+8]
		cmp	edx, eax
		jb	short loc_7BB4B5
		push	ecx
		push	ebx
		lea	eax, [edi+8]
		mov	[edi], ecx
		mov	[edi+4], esi
		push	eax
		jmp	loc_7BB427
; 

loc_7BB4B5:				; CODE XREF: RtlpQueryRegistryDirect+4Fj
					; RtlpQueryRegistryDirect+73j ...
		mov	eax, 0C0000023h
		jmp	loc_7BB431
RtlpQueryRegistryDirect	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpAllocDeallocQueryBuffer(x, x, x, x)
_RtlpAllocDeallocQueryBuffer@16	proc near ; CODE XREF: RtlpQueryRegistryValues+83p
					; RtlpQueryRegistryValues+230p	...

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		push	edi
		mov	edi, esi
		test	edx, edx
		jz	short loc_7BB4D9
		push	esi
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7BB4D9:				; CODE XREF: RtlpAllocDeallocQueryBuffer(x,x,x,x)+10j
		test	ebx, ebx
		jz	short loc_7BB4F1
		push	76727152h
		push	dword ptr [ebx]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7BB503

loc_7BB4F1:				; CODE XREF: RtlpAllocDeallocQueryBuffer(x,x,x,x)+1Bj
					; RtlpAllocDeallocQueryBuffer(x,x,x,x)+48j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_7BB4FA
		mov	[eax], edi

loc_7BB4FA:				; CODE XREF: RtlpAllocDeallocQueryBuffer(x,x,x,x)+36j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7BB503:				; CODE XREF: RtlpAllocDeallocQueryBuffer(x,x,x,x)+2Fj
		mov	edi, 0C0000017h
		jmp	short loc_7BB4F1
_RtlpAllocDeallocQueryBuffer@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpGetRegistryHandle proc near		; CODE XREF: ExpRefreshTimeZoneInformation(x)+284p
					; RtlpGetDynamicTimeZoneInfoHandle+AFp	...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EDC64 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], edx
		and	[ebp+var_14], eax
		lea	edi, [ebp+var_2C]
		and	[ebp+var_10], eax
		mov	esi, ecx
		push	6
		pop	ecx
		rep stosd
		test	esi, 40000000h
		jnz	loc_7BB62D
		test	esi, esi
		js	loc_7BB64A

loc_7BB53E:				; CODE XREF: RtlpGetRegistryHandle+146j
		cmp	esi, 6
		jnb	loc_8EDC64
		mov	ebx, large fs:20h
		mov	edi, [ebx+5E0h]
		mov	ecx, edi
		inc	dword ptr [edi+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_7BB655

loc_7BB568:				; CODE XREF: RtlpGetRegistryHandle+162j
					; RtlpGetRegistryHandle+17Bj
		mov	eax, [ebx+3CCh]
		mov	[ecx], eax

loc_7BB570:				; CODE XREF: RtlpGetRegistryHandle+181j
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	loc_8EDC6E
		mov	[ebp+var_C], 20C0000h
		test	esi, esi
		jz	short loc_7BB5B9
		cmp	esi, 5
		jz	loc_7BB6B6

loc_7BB58F:				; CODE XREF: RtlpGetRegistryHandle+1B7j
		push	ds:_RtlpRegistryPaths[esi*4] ; void *
		lea	eax, [ebp+var_C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax

loc_7BB5A1:				; CODE XREF: RtlpGetRegistryHandle+1D5j
		test	esi, esi
		js	short loc_7BB602
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		lea	eax, [ebp+var_C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7BB602

loc_7BB5B9:				; CODE XREF: RtlpGetRegistryHandle+7Aj
		push	[ebp+var_4]	; void *
		lea	eax, [ebp+var_C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7BB602
		xor	ecx, ecx
		mov	[ebp+var_2C], 18h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		cmp	[ebp+arg_0], cl
		jnz	short loc_7BB636
		push	eax
		push	82000000h
		push	[ebp+arg_4]
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)

loc_7BB600:				; CODE XREF: RtlpGetRegistryHandle+13Ej
		mov	esi, eax

loc_7BB602:				; CODE XREF: RtlpGetRegistryHandle+99j
					; RtlpGetRegistryHandle+ADj ...
		mov	edi, large fs:20h
		mov	edx, [ebp+var_8]
		mov	ecx, [edi+5E0h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	short loc_7BB690

loc_7BB61F:				; CODE XREF: RtlpGetRegistryHandle+19Aj
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_7BB624:				; CODE XREF: RtlpGetRegistryHandle+1A7j
		mov	eax, esi

loc_7BB626:				; CODE XREF: RtlpGetRegistryHandle+12Aj
					; RtlpGetRegistryHandle+13275Fj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7BB62D:				; CODE XREF: RtlpGetRegistryHandle+26j
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		xor	eax, eax
		jmp	short loc_7BB626
; 

loc_7BB636:				; CODE XREF: RtlpGetRegistryHandle+E6j
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	eax
		push	40000000h
		push	[ebp+arg_4]
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		jmp	short loc_7BB600
; 

loc_7BB64A:				; CODE XREF: RtlpGetRegistryHandle+2Ej
		and	esi, 7FFFFFFFh
		jmp	loc_7BB53E
; 

loc_7BB655:				; CODE XREF: RtlpGetRegistryHandle+58j
		inc	dword ptr [edi+10h]
		mov	edi, [ebx+5E4h]
		mov	ecx, edi
		inc	dword ptr [edi+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	loc_7BB568
		push	dword ptr [edi+20h]
		inc	dword ptr [edi+10h]
		push	dword ptr [edi+24h]
		push	dword ptr [edi+1Ch]
		call	dword ptr [edi+28h]
		mov	ecx, eax
		test	ecx, ecx
		jnz	loc_7BB568
		jmp	loc_7BB570
; 

loc_7BB690:				; CODE XREF: RtlpGetRegistryHandle+113j
		inc	dword ptr [ecx+18h]
		mov	ecx, [edi+5E4h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	loc_7BB61F
		inc	dword ptr [ecx+18h]
		push	edx
		call	dword ptr [ecx+2Ch]
		jmp	loc_7BB624
; 

loc_7BB6B6:				; CODE XREF: RtlpGetRegistryHandle+7Fj
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFormatCurrentUserKeyPath@4 ; RtlFormatCurrentUserKeyPath(x)
		test	eax, eax
		js	loc_7BB58F
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	loc_7BB5A1
RtlpGetRegistryHandle endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpValidateKeyTrust proc near		; CODE XREF: RtlpCallQueryRegistryRoutine+161p
					; RtlpCallQueryRegistryRoutine+132AB8p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EDC78 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		test	edx, 100h
		jz	short loc_7BB6FF

loc_7BB6FB:				; CODE XREF: RtlpValidateKeyTrust+39j
		xor	eax, eax

locret_7BB6FD:				; CODE XREF: RtlpValidateKeyTrust+13259Ej
		leave
		retn
; 

loc_7BB6FF:				; CODE XREF: RtlpValidateKeyTrust+15j
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		push	ecx
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		test	eax, eax
		js	loc_8EDC7D
		test	byte ptr [ebp+var_4], 1
		jnz	short loc_7BB6FB
		jmp	loc_8EDC78
RtlpValidateKeyTrust endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	WmipSDRegistryQueryRoutine(int,int,void	*,size_t,int,int)
_WmipSDRegistryQueryRoutine@24 proc near ; DATA	XREF: WmipGetGuidSecurityDescriptor+44o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		xor	edi, edi
		cmp	[ebp+arg_8], edi
		jnz	short loc_7BB738

loc_7BB731:				; CODE XREF: WmipSDRegistryQueryRoutine(x,x,x,x,x,x)+18j
					; WmipSDRegistryQueryRoutine(x,x,x,x,x,x)+27j ...
		mov	eax, edi
		pop	edi
		pop	ebp
		retn	18h
; 

loc_7BB738:				; CODE XREF: WmipSDRegistryQueryRoutine(x,x,x,x,x,x)+Bj
		cmp	[ebp+arg_4], 3
		jnz	short loc_7BB731
		push	[ebp+arg_8]
		push	[ebp+arg_C]
		call	_SeValidSecurityDescriptor@8 ; SeValidSecurityDescriptor(x,x)
		test	al, al
		jz	short loc_7BB731
		push	70696D57h
		push	[ebp+arg_C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+arg_14]
		mov	[eax], ecx
		test	ecx, ecx
		jz	short loc_7BB778
		push	[ebp+arg_C]	; size_t
		push	[ebp+arg_8]	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_7BB731
; 

loc_7BB778:				; CODE XREF: WmipSDRegistryQueryRoutine(x,x,x,x,x,x)+41j
		mov	edi, 0C000009Ah
		jmp	short loc_7BB731
_WmipSDRegistryQueryRoutine@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KGetAppModelStateSeparatedRegKeyPath proc near ; CODE XREF: KIsUnlockSettingEnabled+5Dp
					; KIsUnlockSettingEnabled+A2p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008EDC8F SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	eax, ecx
		xor	edx, edx
		mov	[ebp+var_8], eax
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		cmp	[ebp+arg_0], edx
		jz	loc_8EDC8F
		lea	ecx, [ebp+var_4]
		push	ecx		; int
		push	edx		; int
		push	edx		; void *
		push	edx		; int
		push	ebx		; void *
		push	offset ??_C@_1BK@CIGKBGGO@?$AAT?$AAa?$AAr?$AAg?$AAe?$AAt?$AAN?$AAt?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@ ; "TargetNtPath"
		push	eax		; int
		call	RtlGetPersistedStateLocation
		mov	esi, eax
		test	esi, esi
		jns	short loc_7BB815
		cmp	esi, 80000005h
		jnz	short loc_7BB80C
		push	4D707041h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7BB81C
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	[ebp+var_4]	; int
		push	edi		; void *
		push	0		; int
		push	ebx		; void *
		push	offset ??_C@_1BK@CIGKBGGO@?$AAT?$AAa?$AAr?$AAg?$AAe?$AAt?$AAN?$AAt?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@ ; "TargetNtPath"
		push	[ebp+var_8]	; int
		call	RtlGetPersistedStateLocation
		mov	esi, eax
		test	esi, esi
		js	short loc_7BB804
		push	edi
		push	[ebp+arg_0]
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7BB804
		xor	edi, edi

loc_7BB804:				; CODE XREF: KGetAppModelStateSeparatedRegKeyPath+71j
					; KGetAppModelStateSeparatedRegKeyPath+80j
		test	edi, edi
		jnz	loc_8EDC99

loc_7BB80C:				; CODE XREF: KGetAppModelStateSeparatedRegKeyPath+3Ej
					; KGetAppModelStateSeparatedRegKeyPath+9Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7BB815:				; CODE XREF: KGetAppModelStateSeparatedRegKeyPath+36j
		mov	esi, 0C0000001h
		jmp	short loc_7BB80C
; 

loc_7BB81C:				; CODE XREF: KGetAppModelStateSeparatedRegKeyPath+53j
		mov	esi, 0C000009Ah
		jmp	short loc_7BB80C
KGetAppModelStateSeparatedRegKeyPath endp

; 
		align 8
; Exported entry 2135. RtlGetPersistedStateLocation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlGetPersistedStateLocation(int,int,void *,int,void *,int,int)
		public RtlGetPersistedStateLocation
RtlGetPersistedStateLocation proc near	; CODE XREF: PipUpdateDeviceProducts+CEp
					; PipUpdateDeviceProducts+11Ap	...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008EDCA9 SIZE 00000151 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	edi, [ebp+var_30]
		push	6
		xor	eax, eax
		mov	[ebp+var_C], ebx
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_C]
		mov	edi, ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_8], ebx
		test	eax, eax
		jnz	loc_7BB8DF

loc_7BB85B:				; CODE XREF: RtlGetPersistedStateLocation+BAj
		cmp	byte_6CEA59, bl
		jz	loc_7BB8EF
		mov	esi, 0C0000034h

loc_7BB86C:				; CODE XREF: RtlGetPersistedStateLocation+10Fj
					; RtlGetPersistedStateLocation+1324CFj
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jz	short loc_7BB8BE
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_7BB878:				; CODE XREF: RtlGetPersistedStateLocation+59j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_7BB878
		sub	ecx, esi
		sar	ecx, 1
		lea	eax, [ecx+1]
		lea	ecx, [eax+eax]
		mov	[ebp+var_8], ecx
		cmp	ecx, eax
		jb	loc_8EDD2F
		cmp	[ebp+arg_14], ecx
		mov	eax, [ebp+arg_18]
		sbb	esi, esi
		and	esi, 80000005h
		test	eax, eax
		jz	short loc_7BB8AC
		mov	[eax], ecx

loc_7BB8AC:				; CODE XREF: RtlGetPersistedStateLocation+80j
		cmp	ecx, [ebp+arg_14]
		ja	short loc_7BB8BE
		push	ecx		; size_t
		push	edx		; void *
		push	[ebp+arg_10]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_7BB8BE:				; CODE XREF: RtlGetPersistedStateLocation+49j
					; RtlGetPersistedStateLocation+87j ...
		cmp	[ebp+var_C], 0
		jnz	loc_8EDDE0

loc_7BB8C8:				; CODE XREF: RtlGetPersistedStateLocation+1325C0j
		cmp	[ebp+var_10], 0
		jnz	loc_8EDDED

loc_7BB8D2:				; CODE XREF: RtlGetPersistedStateLocation+1325CDj
		test	edi, edi
		jnz	short loc_7BB93C

loc_7BB8D6:				; CODE XREF: RtlGetPersistedStateLocation+11Bj
		mov	eax, esi

loc_7BB8D8:				; CODE XREF: RtlGetPersistedStateLocation+C5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_7BB8DF:				; CODE XREF: RtlGetPersistedStateLocation+2Dj
		cmp	eax, 1
		jz	loc_7BB85B
		mov	eax, 0C00000F1h
		jmp	short loc_7BB8D8
; 

loc_7BB8EF:				; CODE XREF: RtlGetPersistedStateLocation+39j
		lea	eax, dword_A4090C[eax*8]
		mov	[ebp+var_30], 18h
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	20019h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_2C], ebx
		push	eax
		mov	[ebp+var_24], 240h
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	loc_8EDCA9
		mov	byte_6CEA59, 1
		jmp	loc_7BB86C
; 

loc_7BB93C:				; CODE XREF: RtlGetPersistedStateLocation+ACj
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7BB8D6
RtlGetPersistedStateLocation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipUuidFromString(x, x)
_WmipUuidFromString@8 proc near		; CODE XREF: WmipOpenGuidObject(x,x,x,x)+4Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	2Dh
		push	8
		mov	edi, edx
		mov	esi, ecx
		call	_WmipHexStringToDword@16 ; WmipHexStringToDword(x,x,x,x)
		test	al, al
		jz	loc_7BBA7C
		push	2Dh
		push	4
		lea	edx, [ebp+var_4]
		lea	ecx, [esi+12h]
		call	_WmipHexStringToDword@16 ; WmipHexStringToDword(x,x,x,x)
		test	al, al
		jz	loc_7BBA7C
		mov	ax, word ptr [ebp+var_4]
		lea	edx, [ebp+var_4]
		push	2Dh
		push	4
		lea	ecx, [esi+1Ch]
		mov	[edi+4], ax
		call	_WmipHexStringToDword@16 ; WmipHexStringToDword(x,x,x,x)
		test	al, al
		jz	loc_7BBA7C
		mov	ax, word ptr [ebp+var_4]
		lea	edx, [ebp+var_4]
		push	0
		push	2
		pop	ebx
		push	ebx
		lea	ecx, [esi+26h]
		mov	[edi+6], ax
		call	_WmipHexStringToDword@16 ; WmipHexStringToDword(x,x,x,x)
		test	al, al
		jz	loc_7BBA7C
		mov	al, byte ptr [ebp+var_4]
		lea	edx, [ebp+var_4]
		push	2Dh
		push	ebx
		lea	ecx, [esi+2Ah]
		mov	[edi+8], al
		call	_WmipHexStringToDword@16 ; WmipHexStringToDword(x,x,x,x)
		test	al, al
		jz	loc_7BBA7C
		mov	al, byte ptr [ebp+var_4]
		lea	edx, [ebp+var_4]
		push	0
		push	ebx
		lea	ecx, [esi+30h]
		mov	[edi+9], al
		call	_WmipHexStringToDword@16 ; WmipHexStringToDword(x,x,x,x)
		test	al, al
		jz	loc_7BBA7C
		mov	al, byte ptr [ebp+var_4]
		lea	edx, [ebp+var_4]
		push	0
		push	ebx
		lea	ecx, [esi+34h]
		mov	[edi+0Ah], al
		call	_WmipHexStringToDword@16 ; WmipHexStringToDword(x,x,x,x)
		test	al, al
		jz	short loc_7BBA7C
		mov	al, byte ptr [ebp+var_4]
		lea	edx, [ebp+var_4]
		push	0
		push	ebx
		lea	ecx, [esi+38h]
		mov	[edi+0Bh], al
		call	_WmipHexStringToDword@16 ; WmipHexStringToDword(x,x,x,x)
		test	al, al
		jz	short loc_7BBA7C
		mov	al, byte ptr [ebp+var_4]
		lea	edx, [ebp+var_4]
		push	0
		push	ebx
		lea	ecx, [esi+3Ch]
		mov	[edi+0Ch], al
		call	_WmipHexStringToDword@16 ; WmipHexStringToDword(x,x,x,x)
		test	al, al
		jz	short loc_7BBA7C
		mov	al, byte ptr [ebp+var_4]
		lea	edx, [ebp+var_4]
		push	0
		push	ebx
		lea	ecx, [esi+40h]
		mov	[edi+0Dh], al
		call	_WmipHexStringToDword@16 ; WmipHexStringToDword(x,x,x,x)
		test	al, al
		jz	short loc_7BBA7C
		mov	al, byte ptr [ebp+var_4]
		lea	ecx, [esi+44h]
		push	0
		push	ebx
		lea	edx, [ebp+var_4]
		mov	[edi+0Eh], al
		call	_WmipHexStringToDword@16 ; WmipHexStringToDword(x,x,x,x)
		test	al, al
		jz	short loc_7BBA7C
		mov	al, byte ptr [ebp+var_4]
		mov	[edi+0Fh], al
		xor	eax, eax

loc_7BBA77:				; CODE XREF: WmipUuidFromString(x,x)+13Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7BBA7C:				; CODE XREF: WmipUuidFromString(x,x)+1Cj
					; WmipUuidFromString(x,x)+33j ...
		mov	eax, 0C000000Dh
		jmp	short loc_7BBA77
_WmipUuidFromString@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipHexStringToDword(x, x, x, x)
_WmipHexStringToDword@16 proc near	; CODE XREF: WmipUuidFromString(x,x)+15p
					; WmipUuidFromString(x,x)+2Cp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, edx
		mov	edx, esi
		push	edi
		mov	edi, ecx
		cmp	[ebp+arg_0], edx
		jbe	short loc_7BBAC0
		mov	[ebp+var_4], 5

loc_7BBAA1:				; CODE XREF: WmipHexStringToDword(x,x,x,x)+3Aj
		movzx	ecx, word ptr [edi]
		lea	eax, [ecx-30h]
		cmp	ax, 9
		ja	short loc_7BBAD4
		shl	esi, 4
		add	esi, 0FFFFFFD0h

loc_7BBAB3:				; CODE XREF: WmipHexStringToDword(x,x,x,x)+5Fj
					; WmipHexStringToDword(x,x,x,x)+78j
		mov	eax, ecx
		add	edi, 2
		add	esi, eax
		inc	edx
		cmp	edx, [ebp+arg_0]
		jb	short loc_7BBAA1

loc_7BBAC0:				; CODE XREF: WmipHexStringToDword(x,x,x,x)+14j
		mov	ax, [ebp+arg_4]
		mov	[ebx], esi
		test	ax, ax
		jnz	short loc_7BBAE5
		mov	al, 1

loc_7BBACD:				; CODE XREF: WmipHexStringToDword(x,x,x,x)+67j
					; WmipHexStringToDword(x,x,x,x)+7Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7BBAD4:				; CODE XREF: WmipHexStringToDword(x,x,x,x)+27j
		lea	eax, [ecx-41h]
		cmp	ax, word ptr [ebp+var_4]
		ja	short loc_7BBAED
		shl	esi, 4
		add	esi, 0FFFFFFC9h
		jmp	short loc_7BBAB3
; 

loc_7BBAE5:				; CODE XREF: WmipHexStringToDword(x,x,x,x)+45j
		cmp	[edi], ax
		setz	al
		jmp	short loc_7BBACD
; 

loc_7BBAED:				; CODE XREF: WmipHexStringToDword(x,x,x,x)+57j
		lea	eax, [ecx-61h]
		cmp	ax, word ptr [ebp+var_4]
		ja	short loc_7BBAFE
		shl	esi, 4
		add	esi, 0FFFFFFA9h
		jmp	short loc_7BBAB3
; 

loc_7BBAFE:				; CODE XREF: WmipHexStringToDword(x,x,x,x)+70j
		xor	al, al
		jmp	short loc_7BBACD
_WmipHexStringToDword@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipPrepareForWnodeAD(x, x,	x, x, x)
_WmipPrepareForWnodeAD@20 proc near	; CODE XREF: WmipQueryAllData+DFp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ecx+28h]
		push	esi
		push	edi
		test	ebx, ebx
		jz	loc_7BBBCE
		xor	ecx, ecx
		cmp	[ebx+14h], ecx
		jbe	loc_7BBBCE
		test	byte ptr [ebx+8], 1
		lea	esi, [ebx+28h]
		mov	eax, [ebp+arg_8]
		mov	edi, edx
		movsd
		movsd
		movsd
		movsd
		mov	esi, ecx
		jnz	loc_7BBBC9
		mov	[eax], cl
		mov	eax, [ebp+arg_4]
		push	ecx
		push	ecx
		push	ecx
		mov	eax, [eax]
		mov	[ebp+var_4], eax
		mov	[ebp+arg_8], eax
		mov	eax, [ebp+arg_0]
		push	ecx
		push	offset _WmipSMMutex
		mov	[ebp+var_8], ecx
		mov	eax, [eax]
		mov	[ebp+var_C], eax
		call	KeWaitForSingleObject
		lea	eax, [ebx+20h]
		mov	ebx, [ebp+var_4]
		mov	edi, [eax]
		mov	[ebp+var_10], eax
		cmp	edi, eax
		jz	short loc_7BBBA3

loc_7BBB70:				; CODE XREF: WmipPrepareForWnodeAD(x,x,x,x,x)+9Cj
		test	esi, esi
		js	short loc_7BBBA0
		test	dword ptr [edi+8], 89000h
		jnz	short loc_7BBB9A
		mov	ecx, edi
		call	WmipReferenceEntry
		push	edi
		push	ebx
		lea	eax, [ebp+var_C]
		push	eax
		lea	edx, [ebp+var_8]
		lea	ecx, [ebp+arg_8]
		call	WmipAddProviderIdToPIList
		mov	esi, eax
		mov	eax, [ebp+var_10]

loc_7BBB9A:				; CODE XREF: WmipPrepareForWnodeAD(x,x,x,x,x)+79j
		mov	edi, [edi]
		cmp	edi, eax
		jnz	short loc_7BBB70

loc_7BBBA0:				; CODE XREF: WmipPrepareForWnodeAD(x,x,x,x,x)+70j
		mov	ebx, [ebp+arg_8]

loc_7BBBA3:				; CODE XREF: WmipPrepareForWnodeAD(x,x,x,x,x)+6Cj
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_7BBBCE
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx

loc_7BBBC0:				; CODE XREF: WmipPrepareForWnodeAD(x,x,x,x,x)+CAj
					; WmipPrepareForWnodeAD(x,x,x,x,x)+D1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7BBBC9:				; CODE XREF: WmipPrepareForWnodeAD(x,x,x,x,x)+33j
		mov	byte ptr [eax],	1
		jmp	short loc_7BBBC0
; 

loc_7BBBCE:				; CODE XREF: WmipPrepareForWnodeAD(x,x,x,x,x)+10j
					; WmipPrepareForWnodeAD(x,x,x,x,x)+1Bj	...
		mov	esi, 0C0000301h
		jmp	short loc_7BBBC0
_WmipPrepareForWnodeAD@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipAddProviderIdToPIList proc near	; CODE XREF: WmipPrepareForWnodeAD(x,x,x,x,x)+8Ep
					; WmipPrepareWnodeSI+10Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EDDFA SIZE 000000B0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		mov	eax, edx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	edx, ecx
		push	esi
		mov	ecx, [eax]
		push	edi
		mov	ebx, [ebx]
		xor	edi, edi
		mov	[ebp+var_18], eax
		mov	eax, [edx]
		mov	[ebp+var_C], edx
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_4], eax
		cmp	ecx, ebx
		jz	loc_8EDDFA

loc_7BBC0B:				; CODE XREF: WmipAddProviderIdToPIList+1322CFj
		mov	[eax+ecx*4], edx
		lea	eax, [ecx+1]
		mov	ecx, [ebp+var_18]
		mov	[ecx], eax

loc_7BBC16:				; CODE XREF: WmipAddProviderIdToPIList+1322C0j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
WmipAddProviderIdToPIList endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipFindGEByGuid(x,	x)
_WmipFindGEByGuid@8 proc near		; CODE XREF: WmipOpenBlock+53p
					; WmipProcessEvent+36p	...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], ecx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		mov	bl, dl
		call	KeWaitForSingleObject
		mov	edi, _WmipGEHeadPtr
		mov	esi, [edi]

loc_7BBC46:				; CODE XREF: WmipFindGEByGuid(x,x)+41j
		cmp	esi, edi
		jz	short loc_7BBC81
		push	10h		; size_t
		lea	eax, [esi+28h]
		push	eax		; void *
		push	[ebp+var_4]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7BBC63
		mov	esi, [esi]
		jmp	short loc_7BBC46
; 

loc_7BBC63:				; CODE XREF: WmipFindGEByGuid(x,x)+3Dj
		mov	ecx, esi
		call	WmipReferenceEntry
		test	bl, bl
		jnz	short loc_7BBC91

loc_7BBC6E:				; CODE XREF: WmipFindGEByGuid(x,x)+9Aj
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, esi

loc_7BBC7C:				; CODE XREF: WmipFindGEByGuid(x,x)+6Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7BBC81:				; CODE XREF: WmipFindGEByGuid(x,x)+28j
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		xor	eax, eax
		jmp	short loc_7BBC7C
; 

loc_7BBC91:				; CODE XREF: WmipFindGEByGuid(x,x)+4Cj
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_7BBCBC
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_7BBCBC
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	eax, _WmipGEHeadPtr
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_7BBCBC
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[ecx+4], esi
		mov	[eax], esi
		jmp	short loc_7BBC6E
; 

loc_7BBCBC:				; CODE XREF: WmipFindGEByGuid(x,x)+76j
					; WmipFindGEByGuid(x,x)+7Dj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_WmipFindGEByGuid@8 endp


;  S U B	R O U T	I N E 


WmipReferenceEntry proc	near		; CODE XREF: WmipPrepareForWnodeAD(x,x,x,x,x)+7Dp
					; WmipFindGEByGuid(x,x)+45p ...

; FUNCTION CHUNK AT 008EDEAA SIZE 00000029 BYTES

		xor	eax, eax
		inc	eax
		lock xadd [ecx+0Ch], eax
		inc	eax
		cmp	eax, 1
		jle	loc_8EDEAA
		retn
WmipReferenceEntry endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipEnableCollectOrEvent proc near	; CODE XREF: WmipOpenBlock+C7p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_4], ecx
		mov	[edi], al
		sub	edx, 22413Ch
		jnz	short loc_7BBD4D
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		mov	esi, eax
		mov	bl, al
		call	KeWaitForSingleObject
		mov	edx, [ebp+var_4]
		add	edx, 20h
		mov	eax, [edx]

loc_7BBD0C:				; CODE XREF: WmipEnableCollectOrEvent+5Cj
		cmp	eax, edx
		jz	short loc_7BBD34
		mov	ecx, [eax+8]
		test	ecx, 1000h
		jnz	short loc_7BBD30
		test	ecx, 8000h
		jnz	loc_8EDEC6

loc_7BBD27:				; CODE XREF: WmipReferenceEntry+13220Cj
		test	esi, esi
		jnz	short loc_7BBD83
		test	cl, 4
		jnz	short loc_7BBD83

loc_7BBD30:				; CODE XREF: WmipEnableCollectOrEvent+43j
					; WmipEnableCollectOrEvent+B0j	...
		mov	eax, [eax]
		jmp	short loc_7BBD0C
; 

loc_7BBD34:				; CODE XREF: WmipEnableCollectOrEvent+38j
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		test	esi, esi
		jnz	short loc_7BBD88

loc_7BBD44:				; CODE XREF: WmipEnableCollectOrEvent+A6j
					; WmipEnableCollectOrEvent+ABj
		mov	eax, esi

loc_7BBD46:				; CODE XREF: WmipEnableCollectOrEvent+BBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7BBD4D:				; CODE XREF: WmipEnableCollectOrEvent+1Aj
		sub	edx, 4
		jnz	short loc_7BBD8C
		mov	bl, 1

loc_7BBD54:				; CODE XREF: WmipEnableCollectOrEvent+B4j
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		mov	ecx, [ebp+var_4]
		mov	dl, bl
		call	WmipSendEnableRequest
		push	0
		push	offset _WmipSMMutex
		mov	esi, eax
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		test	esi, esi
		js	short loc_7BBD44
		mov	byte ptr [edi],	1
		jmp	short loc_7BBD44
; 

loc_7BBD83:				; CODE XREF: WmipEnableCollectOrEvent+53j
					; WmipEnableCollectOrEvent+58j
		xor	esi, esi
		inc	esi
		jmp	short loc_7BBD30
; 

loc_7BBD88:				; CODE XREF: WmipEnableCollectOrEvent+6Cj
		xor	eax, eax
		jmp	short loc_7BBD54
; 

loc_7BBD8C:				; CODE XREF: WmipEnableCollectOrEvent+7Aj
		mov	eax, 0C00000AFh
		jmp	short loc_7BBD46
WmipEnableCollectOrEvent endp

; 
		align 8
; Exported entry 2527. SeValidSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeValidSecurityDescriptor(x, x)
		public _SeValidSecurityDescriptor@8
_SeValidSecurityDescriptor@8 proc near	; CODE XREF: RtlNormalizeSecurityDescriptor(x,x,x,x,x)+27p
					; WmipSDRegistryQueryRoutine(x,x,x,x,x,x)+20p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		cmp	esi, 14h
		jb	loc_7BBECC
		mov	edi, [ebp+arg_4]
		cmp	byte ptr [edi],	1
		jnz	loc_7BBECC
		cmp	word ptr [edi+2], 0
		jge	loc_7BBECC
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	loc_7BBECC
		lea	eax, [ecx+3]
		and	eax, 0FFFFFFFCh
		cmp	eax, ecx
		jnz	loc_7BBECC
		cmp	ecx, esi
		ja	loc_7BBECC
		mov	edx, esi
		sub	edx, ecx
		cmp	edx, 0Ch
		jb	loc_7BBECC
		cmp	byte ptr [ecx+edi], 1
		jnz	loc_7BBECC
		mov	al, [ecx+edi+1]
		cmp	al, 0Fh
		ja	loc_7BBECC
		movzx	eax, al
		lea	eax, ds:8[eax*4]
		cmp	edx, eax
		jb	loc_7BBECC
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	short loc_7BBE62
		lea	eax, [ecx+3]
		and	eax, 0FFFFFFFCh
		cmp	eax, ecx
		jnz	loc_7BBECC
		cmp	ecx, esi
		ja	loc_7BBECC
		mov	edx, esi
		sub	edx, ecx
		cmp	edx, 0Ch
		jb	loc_7BBECC
		cmp	byte ptr [ecx+edi], 1
		jnz	loc_7BBECC
		mov	al, [ecx+edi+1]
		cmp	al, 0Fh
		ja	short loc_7BBECC
		movzx	eax, al
		lea	eax, ds:8[eax*4]
		cmp	edx, eax
		jb	short loc_7BBECC

loc_7BBE62:				; CODE XREF: SeValidSecurityDescriptor(x,x)+85j
		mov	ecx, [edi+10h]
		test	ecx, ecx
		jz	short loc_7BBE94
		lea	eax, [ecx+3]
		and	eax, 0FFFFFFFCh
		cmp	eax, ecx
		jnz	short loc_7BBECC
		cmp	ecx, esi
		ja	short loc_7BBECC
		mov	edx, esi
		sub	edx, ecx
		cmp	edx, 8
		jb	short loc_7BBECC
		add	ecx, edi
		movzx	eax, word ptr [ecx+2]
		cmp	edx, eax
		jb	short loc_7BBECC
		push	ecx
		call	RtlValidAcl
		test	al, al
		jz	short loc_7BBECC

loc_7BBE94:				; CODE XREF: SeValidSecurityDescriptor(x,x)+CFj
		mov	ecx, [edi+0Ch]
		test	ecx, ecx
		jnz	short loc_7BBEA3

loc_7BBE9B:				; CODE XREF: SeValidSecurityDescriptor(x,x)+132j
		mov	al, 1

loc_7BBE9D:				; CODE XREF: SeValidSecurityDescriptor(x,x)+136j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_7BBEA3:				; CODE XREF: SeValidSecurityDescriptor(x,x)+101j
		lea	eax, [ecx+3]
		and	eax, 0FFFFFFFCh
		cmp	eax, ecx
		jnz	short loc_7BBECC
		cmp	ecx, esi
		ja	short loc_7BBECC
		sub	esi, ecx
		cmp	esi, 8
		jb	short loc_7BBECC
		add	ecx, edi
		movzx	eax, word ptr [ecx+2]
		cmp	esi, eax
		jb	short loc_7BBECC
		push	ecx
		call	RtlValidAcl
		test	al, al
		jnz	short loc_7BBE9B

loc_7BBECC:				; CODE XREF: SeValidSecurityDescriptor(x,x)+Dj
					; SeValidSecurityDescriptor(x,x)+19j ...
		xor	al, al
		jmp	short loc_7BBE9D
_SeValidSecurityDescriptor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	WmipProbeWmiOpenGuidBlock(void *,int,int,int,int)
_WmipProbeWmiOpenGuidBlock@28 proc near	; CODE XREF: WmipIoControl+160p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 10h
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jnz	short loc_7BBF28
		cmp	[ebp+arg_10], 10h
		jnz	short loc_7BBF28
		mov	eax, [ebp+arg_8]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		mov	eax, [ebp+arg_4]
		push	edx		; int
		push	[ebp+arg_0]	; void *
		mov	edx, edi
		mov	[eax], ecx
		mov	ecx, esi
		call	WmipProbeAndCaptureGuidObjectAttributes
		test	eax, eax
		js	short loc_7BBF1B
		xor	ecx, ecx
		cmp	[esi+4], ecx
		jnz	short loc_7BBF21
		cmp	[esi+0Ch], ecx
		jnz	short loc_7BBF21
		cmp	[esi+10h], ecx
		jnz	short loc_7BBF21
		cmp	[esi+14h], ecx
		jnz	short loc_7BBF21

loc_7BBF1B:				; CODE XREF: WmipProbeWmiOpenGuidBlock(x,x,x,x,x,x,x)+33j
					; WmipProbeWmiOpenGuidBlock(x,x,x,x,x,x,x)+56j	...
		pop	edi
		pop	esi
		pop	ebp
		retn	14h
; 

loc_7BBF21:				; CODE XREF: WmipProbeWmiOpenGuidBlock(x,x,x,x,x,x,x)+3Aj
					; WmipProbeWmiOpenGuidBlock(x,x,x,x,x,x,x)+3Fj	...
		mov	eax, 0C000000Dh
		jmp	short loc_7BBF1B
; 

loc_7BBF28:				; CODE XREF: WmipProbeWmiOpenGuidBlock(x,x,x,x,x,x,x)+Fj
					; WmipProbeWmiOpenGuidBlock(x,x,x,x,x,x,x)+15j
		mov	eax, 0C0000001h
		jmp	short loc_7BBF1B
_WmipProbeWmiOpenGuidBlock@28 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	WmipProbeAndCaptureGuidObjectAttributes(void *,int)
WmipProbeAndCaptureGuidObjectAttributes	proc near
					; CODE XREF: WmipProbeWmiOpenGuidBlock(x,x,x,x,x,x,x)+2Cp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EDED3 SIZE 0000000E BYTES
; FUNCTION CHUNK AT 008EDEF5 SIZE 0000000F BYTES

		push	20h
		push	offset dword_6A3008
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	eax, ecx
		mov	[ebp+var_20], eax
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [ebp+arg_4]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	esi, ecx
		jnb	loc_8EDED3

loc_7BBF5A:				; CODE XREF: WmipProbeAndCaptureGuidObjectAttributes+131FA5j
		push	6
		pop	ecx
		mov	edi, eax
		rep movsd
		nop
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	loc_7BBFFA
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8EDEDA

loc_7BBF80:				; CODE XREF: WmipProbeAndCaptureGuidObjectAttributes+131FACj
		nop
		mov	eax, [ecx]
		mov	[ebp+var_30], eax
		mov	ecx, [ecx+4]
		mov	[ebp+var_2C], ecx
		mov	eax, [ebp+var_30]
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	esi, [ebp+var_20]
		cmp	[esi+10h], ebx
		jnz	short loc_7BBFFA
		cmp	[esi+14h], ebx
		jnz	short loc_7BBFFA
		push	5Ah
		pop	eax
		cmp	[edx], ax
		jnz	short loc_7BBFFA
		lea	edi, [ecx+5Ah]
		mov	[ebp+arg_4], edi
		mov	edi, ds:_MmUserProbeAddress
		cmp	[ebp+arg_4], edi
		ja	short loc_7BC004
		cmp	[ebp+arg_4], ecx
		jb	short loc_7BC004

loc_7BBFBF:				; CODE XREF: WmipProbeAndCaptureGuidObjectAttributes+DCj
		movzx	eax, ax
		push	eax		; size_t
		push	ecx		; void *
		mov	edi, [ebp+arg_0]
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		mov	[edi+5Ah], ax
		mov	eax, [ebp+var_24]
		mov	[eax+4], edi
		mov	[esi+8], eax

loc_7BBFE6:				; CODE XREF: WmipProbeAndCaptureGuidObjectAttributes+131FCFj
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7BBFFA:				; CODE XREF: WmipProbeAndCaptureGuidObjectAttributes+37j
					; WmipProbeAndCaptureGuidObjectAttributes+6Aj ...
		mov	ebx, 0C000000Dh
		jmp	loc_8EDEF5
; 

loc_7BC004:				; CODE XREF: WmipProbeAndCaptureGuidObjectAttributes+88j
					; WmipProbeAndCaptureGuidObjectAttributes+8Dj
		mov	[edi], bl
		movzx	eax, word ptr [edx]
		mov	ecx, [edx+4]
		jmp	short loc_7BBFBF
WmipProbeAndCaptureGuidObjectAttributes	endp


;  S U B	R O U T	I N E 


; __stdcall WmipIsQuerySetGuid(x)
_WmipIsQuerySetGuid@4 proc near		; CODE XREF: WmipOpenBlock+ACp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, offset _WmipSMMutex
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	edi
		mov	esi, ecx
		call	KeWaitForSingleObject
		add	esi, 20h
		mov	eax, [esi]

loc_7BC02B:				; CODE XREF: WmipIsQuerySetGuid(x)+3Cj
		cmp	eax, esi
		jz	short loc_7BC03A
		test	dword ptr [eax+8], 89000h
		jnz	short loc_7BC048
		mov	bl, 1

loc_7BC03A:				; CODE XREF: WmipIsQuerySetGuid(x)+1Fj
		push	0
		push	edi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_7BC048:				; CODE XREF: WmipIsQuerySetGuid(x)+28j
		mov	eax, [eax]
		jmp	short loc_7BC02B
_WmipIsQuerySetGuid@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipProbeWnodeAllData(x, x,	x)
_WmipProbeWnodeAllData@12 proc near	; CODE XREF: WmipIoControl+1E8p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 48h
		jb	short loc_7BC074
		cmp	edx, 30h
		jb	short loc_7BC074
		mov	eax, [ecx+2Ch]
		test	al, 1
		jz	short loc_7BC074
		cmp	edx, [ecx]
		jnz	short loc_7BC074
		test	eax, 0FFFFFF7Eh
		jnz	short loc_7BC074
		xor	eax, eax

loc_7BC070:				; CODE XREF: WmipProbeWnodeAllData(x,x,x)+2Dj
		pop	ebp
		retn	4
; 

loc_7BC074:				; CODE XREF: WmipProbeWnodeAllData(x,x,x)+9j
					; WmipProbeWnodeAllData(x,x,x)+Ej ...
		mov	eax, 0C0000001h
		jmp	short loc_7BC070
_WmipProbeWnodeAllData@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpDelayCreate	proc near		; CODE XREF: EtwpCreateLogFile+CEp
					; EtwpRealtimeCreateLogfile+13Fp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 008EDF04 SIZE 0000009F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	[ebp+var_C], ecx
		mov	eax, edx
		xor	ecx, ecx
		lea	edx, [ebp+var_4]
		push	esi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		lea	ecx, [ebp+var_8]
		push	edi
		push	ecx
		mov	ecx, [eax+4]
		call	EtwpCreateNtFileName
		mov	ebx, [ebp+var_4]
		mov	esi, eax
		mov	edi, [ebp+arg_0]
		test	esi, esi
		js	short loc_7BC0D7
		movzx	eax, byte ptr [edi]
		xor	dl, dl
		push	eax
		lea	eax, [ebp+var_14]
		mov	ecx, ebx
		push	eax
		push	[ebp+var_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	EtwpCreateDirectoryFile
		cmp	[ebp+arg_C], 1
		mov	esi, eax
		jz	short loc_7BC0F5

loc_7BC0D7:				; CODE XREF: EtwpDelayCreate+37j
					; EtwpDelayCreate+7Fj ...
		test	ebx, ebx
		jz	short loc_7BC0E3
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7BC0E3:				; CODE XREF: EtwpDelayCreate+5Dj
		test	esi, esi
		js	short loc_7BC0EC
		cmp	byte ptr [edi],	1
		jz	short loc_7BC102

loc_7BC0EC:				; CODE XREF: EtwpDelayCreate+69j
					; EtwpDelayCreate+8Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7BC0F5:				; CODE XREF: EtwpDelayCreate+59j
		cmp	esi, 0C000003Ah
		jnz	short loc_7BC0D7
		jmp	loc_8EDF04
; 

loc_7BC102:				; CODE XREF: EtwpDelayCreate+6Ej
		cmp	[ebp+var_10], 2
		jnz	short loc_7BC0EC
		mov	byte ptr [edi],	0
		jmp	short loc_7BC0EC
EtwpDelayCreate	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpCreateDirectoryFile	proc near	; CODE XREF: EtwpDelayCreate+4Ep
					; EtwpDelayCreate+131EE3p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008EDFA3 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	bl, dl
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		test	bl, bl
		jnz	short loc_7BC135
		test	esi, esi
		jz	loc_8EDFA3

loc_7BC135:				; CODE XREF: EtwpCreateDirectoryFile+1Dj
		push	ecx
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	cl, [ebp+arg_4]
		xor	eax, eax
		test	cl, cl
		mov	[ebp+var_28], 18h
		mov	[ebp+var_24], edi
		setz	al
		mov	[ebp+var_18], edi
		dec	eax
		mov	[ebp+var_14], edi
		and	eax, 0FFFFFC00h
		add	eax, 640h
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], eax
		test	bl, bl
		jnz	loc_8EDFAD
		xor	eax, eax
		test	cl, cl
		setnz	al
		xor	edx, edx
		dec	eax
		and	eax, 0FFFF0000h
		add	eax, 13008Bh
		cmp	[ebp+arg_0], dl
		setnz	dl
		xor	ecx, ecx
		cmp	[ebp+arg_10], ecx
		setz	cl
		lea	edx, ds:20h[edx*8]
		lea	ecx, ds:3[ecx*2]

loc_7BC1A5:				; CODE XREF: EtwpCreateDirectoryFile+131EAAj
		push	edi
		push	edi
		push	edx
		push	ecx
		push	5
		push	80h
		push	edi
		push	[ebp+arg_C]
		lea	ecx, [ebp+var_28]
		push	ecx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_8]
		test	edi, edi
		js	short loc_7BC1D3
		test	bl, bl
		jnz	loc_8EDFBD

loc_7BC1D3:				; CODE XREF: EtwpCreateDirectoryFile+BBj
					; EtwpCreateDirectoryFile+131EB1j
		test	esi, esi
		jz	short loc_7BC1D9
		mov	[esi], eax

loc_7BC1D9:				; CODE XREF: EtwpCreateDirectoryFile+C7j
					; EtwpCreateDirectoryFile+131EBFj ...
		cmp	bl, 1
		jz	loc_8EDFDB

loc_7BC1E2:				; CODE XREF: EtwpCreateDirectoryFile+131ED9j
		mov	eax, edi

loc_7BC1E4:				; CODE XREF: EtwpCreateDirectoryFile+131E9Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
EtwpCreateDirectoryFile	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpCreateNtFileName proc near		; CODE XREF: EtwpDelayCreate+28p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008EDFEC SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	[ebp+var_4], edx
		mov	esi, ecx
		lea	edx, [ecx+2]
		xor	ebx, ebx

loc_7BC1FE:				; CODE XREF: EtwpCreateNtFileName+1Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_7BC1FE
		sub	ecx, edx
		sar	ecx, 1
		add	ecx, ecx
		jz	short loc_7BC284
		add	ecx, 2
		push	5Ch
		pop	eax
		cmp	ecx, 0Ah
		jbe	loc_8EE005
		cmp	[esi], ax
		jz	loc_8EDFEC

loc_7BC229:				; CODE XREF: EtwpCreateNtFileName+131E1Cj
					; EtwpCreateNtFileName+131E26j
		push	18h

loc_7BC22B:				; CODE XREF: EtwpCreateNtFileName+131E2Ej
		mov	eax, [ebp+arg_0]
		pop	edx
		push	edi
		push	50777445h
		mov	[eax], edx
		lea	ebx, [edx+ecx]
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8EE01F
		push	5Ch
		pop	ecx
		cmp	[esi], cx
		jz	loc_8EE026

loc_7BC258:				; CODE XREF: EtwpCreateNtFileName+131E40j
		mov	ecx, offset ??_C@_1BK@LABJKOM@?$AA?2?$AAD?$AAo?$AAs?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs?$AA?2@NNGAKEGL@
		mov	eax, esi

loc_7BC25F:				; CODE XREF: EtwpCreateNtFileName+131E4Bj
		push	eax
		push	ecx		; char
		push	offset ??_C@_1O@PEBEJIFE@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs@NNGAKEGL@	; wchar_t *
		push	ebx		; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		test	eax, eax
		jnz	loc_8EE03C
		mov	ecx, [ebp+var_4]
		mov	[ecx], edi

loc_7BC27D:				; CODE XREF: EtwpCreateNtFileName+131E63j
		pop	edi

loc_7BC27E:				; CODE XREF: EtwpCreateNtFileName+9Dj
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7BC284:				; CODE XREF: EtwpCreateNtFileName+23j
		mov	eax, 0C0000033h
		jmp	short loc_7BC27E
EtwpCreateNtFileName endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipSendEnableRequest proc near		; CODE XREF: WmipEnableCollectOrEvent+91p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EE054 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		test	bl, bl
		jz	short loc_7BC30E
		mov	ecx, [esi+38h]
		push	2
		lea	eax, [ecx+1]
		mov	[esi+38h], eax

loc_7BC2AA:				; CODE XREF: WmipSendEnableRequest+8Dj
		pop	edi
		test	ecx, ecx
		jz	short loc_7BC2BA

loc_7BC2AF:				; CODE XREF: WmipSendEnableRequest+31j
		test	bl, bl
		jz	short loc_7BC31B

loc_7BC2B3:				; CODE XREF: WmipSendEnableRequest+92j
					; WmipSendEnableRequest+131E02j
		xor	eax, eax

loc_7BC2B5:				; CODE XREF: WmipSendEnableRequest+80j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7BC2BA:				; CODE XREF: WmipSendEnableRequest+21j
		test	[esi+8], edi
		jnz	short loc_7BC2AF
		mov	ecx, esi
		call	WmipReferenceEntry
		or	[esi+8], edi
		test	bl, bl
		setz	al
		lea	eax, ds:4[eax*2]
		mov	[ebp+var_8], eax

loc_7BC2D8:				; CODE XREF: WmipSendEnableRequest+131DF0j
		push	ebx
		mov	edx, esi
		mov	cl, al
		call	WmipSendEnableDisableRequest
		mov	[ebp+var_4], eax
		test	bl, bl
		jz	short loc_7BC325
		mov	eax, [esi+38h]

loc_7BC2EC:				; CODE XREF: WmipSendEnableRequest+9Cj
		test	eax, eax
		jz	loc_8EE054

loc_7BC2F4:				; CODE XREF: WmipSendEnableRequest+131DF6j
		not	edi
		and	[esi+8], edi
		test	bl, bl
		jz	short loc_7BC32A

loc_7BC2FD:				; CODE XREF: WmipSendEnableRequest+A5j
		mov	edx, esi
		mov	ecx, offset _WmipGEChunkInfo
		call	WmipUnreferenceEntry
		mov	eax, [ebp+var_4]
		jmp	short loc_7BC2B5
; 

loc_7BC30E:				; CODE XREF: WmipSendEnableRequest+11j
		mov	ecx, [esi+3Ch]
		push	4
		lea	eax, [ecx+1]
		mov	[esi+3Ch], eax
		jmp	short loc_7BC2AA
; 

loc_7BC31B:				; CODE XREF: WmipSendEnableRequest+25j
		test	[esi+8], edi
		jz	short loc_7BC2B3
		jmp	loc_8EE087
; 

loc_7BC325:				; CODE XREF: WmipSendEnableRequest+5Bj
		mov	eax, [esi+3Ch]
		jmp	short loc_7BC2EC
; 

loc_7BC32A:				; CODE XREF: WmipSendEnableRequest+6Fj
		mov	ecx, esi
		call	WmipReleaseCollectionEnabled
		jmp	short loc_7BC2FD
WmipSendEnableRequest endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipEnumerateMofResources proc near	; CODE XREF: WmipIoControl+27Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008EE093 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_8], edx
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset _WmipSMMutex
		mov	[ebp+var_4], ecx
		mov	[ebp+var_14], eax
		mov	[ebp+arg_0], esi
		call	KeWaitForSingleObject
		mov	eax, _WmipMRHeadPtr
		mov	ebx, esi
		mov	edi, [eax]
		cmp	edi, eax
		jz	loc_8EE099

loc_7BC36F:				; CODE XREF: WmipEnumerateMofResources+7Ej
		mov	ecx, [edi+14h]
		inc	ebx
		lea	edx, [ecx+2]

loc_7BC376:				; CODE XREF: WmipEnumerateMofResources+4Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+arg_0]
		jnz	short loc_7BC376
		sub	ecx, edx
		mov	edx, [edi+18h]
		sar	ecx, 1
		lea	eax, [edx+2]
		mov	[ebp+var_C], eax

loc_7BC38F:				; CODE XREF: WmipEnumerateMofResources+65j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+arg_0]
		jnz	short loc_7BC38F
		sub	edx, [ebp+var_C]
		mov	edi, [edi]
		sar	edx, 1
		lea	eax, [edx+ecx]
		lea	esi, [esi+eax*2]
		mov	eax, _WmipMRHeadPtr
		add	esi, 4
		cmp	edi, eax
		jnz	short loc_7BC36F
		test	ebx, ebx
		jz	loc_8EE099
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		imul	edi, ebx, 0Ch
		add	edi, 4
		add	esi, edi
		mov	[ebp+var_10], esi
		cmp	edx, esi
		jb	loc_8EE093
		mov	[ecx], ebx
		mov	ebx, [eax]
		cmp	ebx, eax
		jz	loc_7BC46E
		mov	esi, ecx
		lea	eax, [esi+4]

loc_7BC3E6:				; CODE XREF: WmipEnumerateMofResources+131j
		mov	ecx, eax
		sub	edx, edi
		add	eax, 0Ch
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], eax
		mov	eax, [ebx+8]
		and	eax, 1
		mov	[ecx], edi
		mov	[ecx+8], eax
		lea	ecx, [edi+esi]
		push	dword ptr [ebx+14h]
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		mov	ecx, [ebx+14h]
		lea	edx, [ecx+2]

loc_7BC40F:				; CODE XREF: WmipEnumerateMofResources+E5j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+arg_0]
		jnz	short loc_7BC40F
		mov	eax, [ebp+var_C]
		sub	ecx, edx
		mov	edx, [ebp+var_8]
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		mov	[eax+4], edi
		sub	edx, edi
		push	dword ptr [ebx+18h]
		lea	ecx, [edi+esi]
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		mov	ecx, [ebx+18h]
		lea	edx, [ecx+2]

loc_7BC441:				; CODE XREF: WmipEnumerateMofResources+117j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+arg_0]
		jnz	short loc_7BC441
		mov	ebx, [ebx]
		sub	ecx, edx
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_8]
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	ebx, _WmipMRHeadPtr
		jnz	loc_7BC3E6
		mov	esi, [ebp+var_10]

loc_7BC46E:				; CODE XREF: WmipEnumerateMofResources+A7j
					; WmipEnumerateMofResources+131D6Fj
		mov	eax, [ebp+var_14]
		mov	[eax], esi
		xor	eax, eax
		push	eax
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	4
WmipEnumerateMofResources endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall WmipDisableCollectOrEvent(x, x)
_WmipDisableCollectOrEvent@8 proc near	; CODE XREF: WmipDeleteMethod(x)+89p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	0
		pop	eax
		sub	edx, 22413Ch
		jz	short loc_7BC4CB
		sub	edx, 4
		jnz	short loc_7BC4CF
		mov	bl, 1

loc_7BC4A2:				; CODE XREF: WmipDisableCollectOrEvent(x,x)+43j
		push	edi
		push	eax
		push	eax
		push	eax
		push	eax
		mov	edi, offset _WmipSMMutex
		push	edi
		call	KeWaitForSingleObject
		mov	dl, bl
		mov	ecx, esi
		call	_WmipSendDisableRequest@8 ; WmipSendDisableRequest(x,x)
		push	0
		push	edi
		mov	esi, eax
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, esi
		pop	edi

loc_7BC4C8:				; CODE XREF: WmipDisableCollectOrEvent(x,x)+4Aj
		pop	esi
		pop	ebx
		retn
; 

loc_7BC4CB:				; CODE XREF: WmipDisableCollectOrEvent(x,x)+Fj
		mov	bl, al
		jmp	short loc_7BC4A2
; 

loc_7BC4CF:				; CODE XREF: WmipDisableCollectOrEvent(x,x)+14j
		mov	eax, 0C00000AFh
		jmp	short loc_7BC4C8
_WmipDisableCollectOrEvent@8 endp


;  S U B	R O U T	I N E 


; __stdcall WmipSendDisableRequest(x, x)
_WmipSendDisableRequest@8 proc near	; CODE XREF: WmipDisableCollectOrEvent(x,x)+2Cp
		mov	edi, edi
		push	ebx
		mov	bl, dl
		test	bl, bl
		jz	short loc_7BC4F5
		mov	edx, [ecx+38h]
		push	2
		pop	eax
		test	edx, edx
		jz	short loc_7BC4F1
		dec	edx
		mov	[ecx+38h], edx

loc_7BC4ED:				; CODE XREF: WmipSendDisableRequest(x,x)+28j
		test	edx, edx
		jz	short loc_7BC500

loc_7BC4F1:				; CODE XREF: WmipSendDisableRequest(x,x)+11j
					; WmipSendDisableRequest(x,x)+2Fj
		xor	eax, eax
		pop	ebx
		retn
; 

loc_7BC4F5:				; CODE XREF: WmipSendDisableRequest(x,x)+7j
		dec	dword ptr [ecx+3Ch]
		mov	edx, [ecx+3Ch]
		push	4
		pop	eax
		jmp	short loc_7BC4ED
; 

loc_7BC500:				; CODE XREF: WmipSendDisableRequest(x,x)+19j
		mov	edx, [ecx+8]
		test	edx, eax
		jnz	short loc_7BC4F1
		or	edx, eax
		mov	[ecx+8], edx
		mov	dl, bl
		push	eax
		call	WmipDoDisableRequest
		pop	ebx
		retn
_WmipSendDisableRequest@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2097. RtlFormatCurrentUserKeyPath

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFormatCurrentUserKeyPath(x)
		public _RtlFormatCurrentUserKeyPath@4
_RtlFormatCurrentUserKeyPath@4 proc near ; CODE	XREF: RtlpGetRegistryHandle+1B0p
					; RtlOpenCurrentUser+21p ...

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_64], 0
		lea	eax, [ebp+var_64]
		and	[ebp+var_58], 0
		push	esi
		mov	esi, [ebp+arg_0]
		push	eax
		push	50h
		lea	eax, [ebp+var_54]
		push	eax
		push	1
		push	0FFFFFFFAh
		call	_ZwQueryInformationToken@20 ; ZwQueryInformationToken(x,x,x,x,x)
		test	eax, eax
		js	short loc_7BC5C1
		mov	ecx, [ebp+var_54]
		lea	edx, [ebp+var_58]
		call	_RtlLengthSidAsUnicodeString@8 ; RtlLengthSidAsUnicodeString(x,x)
		test	eax, eax
		js	short loc_7BC5C1
		push	edi
		mov	edi, [ebp+var_58]
		xor	eax, eax
		mov	[esi], ax
		lea	eax, [edi+22h]
		mov	[esi+2], ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[esi+4], eax
		test	eax, eax
		jz	short loc_7BC5D0
		push	offset ??_C@_1CA@BAGEJGFP@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAU?$AAS?$AAE?$AAR?$AA?2@NNGAKEGL@ ; "\\REGISTRY\\USER\\"
		push	esi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		movzx	ecx, word ptr [esi]
		xor	eax, eax
		mov	word ptr [ebp+var_60], ax
		mov	eax, [esi+4]
		shr	ecx, 1
		push	0
		push	[ebp+var_54]
		mov	word ptr [ebp+var_60+2], di
		lea	eax, [eax+ecx*2]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_60]
		push	eax
		call	RtlConvertSidToUnicodeString
		mov	edi, eax
		test	edi, edi
		js	short loc_7BC5D7
		mov	ax, word ptr [ebp+var_60]
		add	[esi], ax

loc_7BC5BE:				; CODE XREF: RtlFormatCurrentUserKeyPath(x)+C1j
		mov	eax, edi

loc_7BC5C0:				; CODE XREF: RtlFormatCurrentUserKeyPath(x)+B9j
		pop	edi

loc_7BC5C1:				; CODE XREF: RtlFormatCurrentUserKeyPath(x)+33j
					; RtlFormatCurrentUserKeyPath(x)+42j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7BC5D0:				; CODE XREF: RtlFormatCurrentUserKeyPath(x)+62j
		mov	eax, 0C0000017h
		jmp	short loc_7BC5C0
; 

loc_7BC5D7:				; CODE XREF: RtlFormatCurrentUserKeyPath(x)+99j
		push	esi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	short loc_7BC5BE
_RtlFormatCurrentUserKeyPath@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall RtlLengthSidAsUnicodeString(x, x)
_RtlLengthSidAsUnicodeString@8 proc near ; CODE	XREF: RtlFormatCurrentUserKeyPath(x)+3Bp
					; ExpWnfGetPermanentPerUserDataStoreHandle(x,x)+25p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, edx
		push	esi
		call	_RtlValidSid@4	; RtlValidSid(x)
		cmp	al, 1
		jnz	short loc_7BC611
		cmp	byte ptr [esi+2], 0
		jnz	short loc_7BC618
		cmp	byte ptr [esi+3], 0
		jnz	short loc_7BC618
		push	1Ch

loc_7BC600:				; CODE XREF: RtlLengthSidAsUnicodeString(x,x)+3Aj
		movzx	eax, byte ptr [esi+1]
		imul	eax, 16h
		pop	ecx
		add	eax, ecx
		mov	[edi], eax
		xor	eax, eax

loc_7BC60E:				; CODE XREF: RtlLengthSidAsUnicodeString(x,x)+36j
		pop	edi
		pop	esi
		retn
; 

loc_7BC611:				; CODE XREF: RtlLengthSidAsUnicodeString(x,x)+10j
		mov	eax, 0C0000078h
		jmp	short loc_7BC60E
; 

loc_7BC618:				; CODE XREF: RtlLengthSidAsUnicodeString(x,x)+16j
					; RtlLengthSidAsUnicodeString(x,x)+1Cj
		push	24h
		jmp	short loc_7BC600
_RtlLengthSidAsUnicodeString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCancelIoFile	proc near		; DATA XREF: .text:005811D8o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EE0A8 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008EE0CF SIZE 0000001A BYTES

		push	1Ch
		push	offset dword_6A3028
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_1C], edx
		mov	bl, dl
		mov	esi, large fs:124h
		mov	al, [esi+15Ah]
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jz	short loc_7BC661
		mov	[ebp+ms_exc.disabled], edx
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8EE0A8

loc_7BC656:				; CODE XREF: NtCancelIoFile+131A8Ej
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7BC661:				; CODE XREF: NtCancelIoFile+25j
		push	edx
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_24]
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		call	IopReferenceFileObject
		test	eax, eax
		js	loc_7BC724
		call	_IopUpdateOtherOperationCount@0	; IopUpdateOtherOperationCount()
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bh, al
		lea	edi, [esi+2CCh]
		mov	esi, [edi]

loc_7BC692:				; CODE XREF: NtCancelIoFile+8Fj
		cmp	edi, esi
		jz	short loc_7BC6AD
		lea	ecx, [esi-10h]
		mov	eax, [ecx+64h]
		cmp	eax, [ebp+var_1C]
		jnz	short loc_7BC6A9
		mov	bl, 1
		push	ecx
		call	IoCancelIrp

loc_7BC6A9:				; CODE XREF: NtCancelIoFile+83j
		mov	esi, [esi]
		jmp	short loc_7BC692
; 

loc_7BC6AD:				; CODE XREF: NtCancelIoFile+78j
		mov	cl, bh
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		call	esi
		test	bl, bl
		jz	short loc_7BC6E2
		mov	[ebp+var_2C], 0FFFE7960h
		or	[ebp+var_28], 0FFFFFFFFh

loc_7BC6C6:				; CODE XREF: NtCancelIoFile+131AC2j
		xor	bl, bl
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edx, [edi]

loc_7BC6D2:				; CODE XREF: NtCancelIoFile+124j
		cmp	edi, edx
		jnz	short loc_7BC736

loc_7BC6D6:				; CODE XREF: NtCancelIoFile+128j
		mov	cl, al
		call	esi
		test	bl, bl
		jnz	loc_8EE0CF

loc_7BC6E2:				; CODE XREF: NtCancelIoFile+9Dj
					; NtCancelIoFile+131AC8j
		mov	ecx, large fs:124h
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		xor	ebx, ebx
		push	ebx
		push	1
		push	ecx
		push	ebx
		mov	ecx, [ebp+var_1C]
		call	IopCancelIrpsInFileObjectList
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+arg_4]
		mov	[ecx], ebx
		mov	[ecx+4], ebx

loc_7BC713:				; CODE XREF: sub_8EE0ED+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject
		xor	eax, eax

loc_7BC724:				; CODE XREF: NtCancelIoFile+59j
					; sub_8EE0BD+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7BC736:				; CODE XREF: NtCancelIoFile+B8j
		mov	ecx, [edx+54h]
		cmp	ecx, [ebp+var_1C]
		jz	short loc_7BC742
		mov	edx, [edx]
		jmp	short loc_7BC6D2
; 

loc_7BC742:				; CODE XREF: NtCancelIoFile+120j
		mov	bl, 1
		jmp	short loc_7BC6D6
NtCancelIoFile	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCancelIrpsInCurrentThreadListApcRoutine(x, x, x)
_IopCancelIrpsInCurrentThreadListApcRoutine@12 proc near
					; DATA XREF: IopCancelIrpsInThreadList(x,x)+7Eo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, large fs:124h
		push	esi
		mov	esi, [ebp+arg_0]
		movzx	eax, byte ptr [esi+48h]
		mov	ecx, [esi+30h]
		push	eax
		push	dword ptr [esi+34h]
		call	IopCancelIrpsInCurrentThreadList
		or	[esi+4Ch], eax
		lea	eax, [esi+38h]
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	esi
		pop	ebp
		retn	0Ch
_IopCancelIrpsInCurrentThreadListApcRoutine@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCancelIrpsInThreadList(x, x)
_IopCancelIrpsInThreadList@8 proc near	; CODE XREF: IopCancelIrpsInThreadListForCurrentProcess(x,x)+84p
					; IopCancelSynchronousIrpsForThread(x,x)+4Bp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		mov	edx, large fs:124h
		xor	eax, eax
		mov	[ebp+var_1], al
		push	edi
		cmp	ebx, edx
		jnz	short loc_7BC7AE
		movzx	eax, byte ptr [esi+48h]
		mov	ecx, [esi+30h]
		push	eax
		push	dword ptr [esi+34h]
		call	IopCancelIrpsInCurrentThreadList

loc_7BC7A9:				; CODE XREF: IopCancelIrpsInThreadList(x,x)+B3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7BC7AE:				; CODE XREF: IopCancelIrpsInThreadList(x,x)+1Bj
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset IopCancelIrpsInCurrentThreadListSpecialApc
		push	eax
		push	ebx
		push	esi
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	0
		push	0
		lea	eax, [ebp-1]
		push	eax
		push	esi
		call	KeInsertQueueApc
		test	al, al
		jz	short loc_7BC82C
		xor	eax, eax
		lea	edi, [esi+38h]
		push	eax
		push	eax
		push	eax
		push	eax
		push	edi
		call	KeWaitForSingleObject
		push	edi
		call	_KeResetEvent@4	; KeResetEvent(x)
		cmp	[ebp+var_1], 0
		jz	short loc_7BC82C
		push	0
		push	0
		push	edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	esi
		xor	eax, eax
		push	eax
		push	offset _IopCancelIrpsInCurrentThreadListApcRoutine@12 ;	IopCancelIrpsInCurrentThreadListApcRoutine(x,x,x)
		push	eax
		push	offset _IopCancelIrpsInCurrentThreadListDummyApc@20 ; IopCancelIrpsInCurrentThreadListDummyApc(x,x,x,x,x)
		push	eax
		push	ebx
		push	esi
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	ebx
		push	esi
		call	KeInsertQueueApc
		test	al, al
		jz	short loc_7BC82C
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	edi
		call	KeWaitForSingleObject
		push	edi
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_7BC82C:				; CODE XREF: IopCancelIrpsInThreadList(x,x)+53j
					; IopCancelIrpsInThreadList(x,x)+6Ej ...
		mov	eax, [esi+4Ch]
		jmp	loc_7BC7A9
_IopCancelIrpsInThreadList@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpGetComponentNameAtIndex(x, x)
_CmpGetComponentNameAtIndex@8 proc near	; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+7A9p
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+A34p ...
		lea	eax, ds:20h[edx*8]
		cmp	edx, 8
		jnb	short loc_7BC84F

loc_7BC84C:				; CODE XREF: CmpGetComponentNameAtIndex(x,x)+12j
		add	eax, ecx
		retn
; 

loc_7BC84F:				; CODE XREF: CmpGetComponentNameAtIndex(x,x)+Aj
		mov	ecx, [ecx+60h]
		jmp	short loc_7BC84C
_CmpGetComponentNameAtIndex@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateKey(x, x, x, x, x, x, x)
_NtCreateKey@28	proc near		; DATA XREF: .text:0058114Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	0
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	CmCreateKey
		pop	ebp
		retn	1Ch
_NtCreateKey@28	endp ; sp = -18h

; 
		align 10h

CmCreateKey:				; CODE XREF: NtCreateKey(x,x,x,x,x,x,x)+1Ap
					; NtCreateKeyTransacted+B0p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A3098
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 150h
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		mov	[ebp-1Ch], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	[ebp-0F8h], edx
		mov	eax, ecx
		mov	[ebp-118h], eax
		mov	[ebp-150h], eax
		mov	ebx, [ebp+8]
		mov	[ebp-154h], ebx
		mov	eax, [ebp+10h]
		mov	[ebp-104h], eax
		mov	esi, [ebp+18h]
		mov	[ebp-124h], esi
		mov	[ebp-120h], esi
		mov	dword ptr [ebp-100h], 0
		mov	dword ptr [ebp-0FCh], 0
		mov	dword ptr [ebp-10Ch], 0
		mov	dword ptr [ebp-108h], 0
		mov	dword ptr [ebp-114h], 0
		mov	dword ptr [ebp-110h], 0
		mov	byte ptr [ebp-0F1h], 0
		mov	dword ptr [ebp-11Ch], 0
		mov	dword ptr [ebp-15Ch], 0
		mov	ecx, 8
		xor	eax, eax
		lea	edi, [ebp-3Ch]
		rep stosd
		mov	[ebp-130h], eax
		cmp	ds:_CmpTraceRoutine, eax
		jnz	loc_8EE0F5

loc_7BC965:				; CODE XREF: PAGE:008EE102j
		push	0B4h
		push	0
		lea	eax, [ebp-0F0h]
		push	eax
		call	_memset
		mov	dword ptr [ebp-0B4h], 0FFFFFFFFh
		xor	eax, eax
		mov	[ebp-98h], eax
		mov	[ebp-94h], eax
		lea	eax, [ebp-98h]
		mov	[ebp-94h], eax
		mov	[ebp-98h], eax
		push	38h
		push	0
		lea	eax, [ebp-74h]
		push	eax
		call	_memset
		add	esp, 18h
		mov	ecx, [ebp-0F8h]
		mov	eax, ecx
		and	eax, 300h
		mov	[ebp-0D8h], eax
		and	ecx, 0FFFFFCFFh
		mov	[ebp-0F8h], ecx
		mov	[ebp-14Ch], ecx
		call	CmpAcquireShutdownRundown
		mov	[ebp-0F2h], al
		test	al, al
		jz	loc_8EE107
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-12Ch], al
		cmp	al, 1
		jnz	loc_7BCC7F
		mov	dword ptr [ebp-4], 0
		mov	eax, [ebp-104h]
		test	eax, eax
		jz	short loc_7BCA81
		mov	dword ptr [ebp-138h], 0
		mov	dword ptr [ebp-134h], 0
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_8EE131

loc_7BCA37:				; CODE XREF: PAGE:008EE133j
		nop
		mov	ecx, [eax]
		mov	[ebp-138h], ecx
		mov	edx, [eax+4]
		mov	[ebp-144h], edx
		mov	[ebp-134h], edx
		mov	eax, [ebp-138h]
		mov	[ebp-114h], eax
		mov	[ebp-110h], edx
		movzx	eax, cx
		mov	ecx, eax
		test	ax, ax
		jnz	loc_7BCCAF

loc_7BCA6F:				; CODE XREF: PAGE:007BCCC6j
					; PAGE:007BCCCFj
		test	cl, 1
		jnz	loc_8EE138
		test	cx, cx
		jnz	loc_7BCCD4

loc_7BCA81:				; CODE XREF: PAGE:007BCA13j
					; PAGE:007BCD13j
		mov	eax, [ebp-118h]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_8EE158

loc_7BCA95:				; CODE XREF: PAGE:008EE15Aj
		mov	dword ptr [eax], 0
		test	esi, esi
		jz	short loc_7BCAB2
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8EE15F

loc_7BCAAE:				; CODE XREF: PAGE:008EE161j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_7BCAB2:				; CODE XREF: PAGE:007BCA9Dj
		mov	ecx, ebx
		test	bl, 3
		jnz	loc_7BCD3F
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8EE166

loc_7BCACA:				; CODE XREF: PAGE:008EE168j
		nop
		mov	al, [ecx]
		mov	edx, [ebx+8]
		mov	[ebp-160h], edx
		mov	dword ptr [ebp-140h], 0
		mov	dword ptr [ebp-13Ch], 0
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_8EE16D

loc_7BCAF7:				; CODE XREF: PAGE:008EE16Fj
		nop
		mov	ecx, [edx]
		mov	[ebp-140h], ecx
		mov	edx, [edx+4]
		mov	[ebp-13Ch], edx
		mov	eax, [ebp-140h]
		mov	[ebp-10Ch], eax
		mov	[ebp-108h], edx
		movzx	eax, cx
		test	ax, ax
		jz	short loc_7BCB44
		test	dl, 1
		jnz	loc_7BCD44
		add	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_8EE174
		cmp	eax, edx
		jb	loc_8EE174

loc_7BCB44:				; CODE XREF: PAGE:007BCB21j
					; PAGE:008EE177j
		test	byte ptr [ebp-10Ch], 1
		jnz	loc_8EE17C
		mov	eax, [ebx+4]
		mov	[ebp-0FCh], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7BCB61:				; CODE XREF: PAGE:007BCCAAj
		mov	edx, [ebp-0F8h]
		mov	edi, [ebp-124h]
		mov	esi, [ebp-100h]

loc_7BCB73:				; CODE XREF: PAGE:008EE1F2j
		test	esi, esi
		js	loc_7BCC29
		cmp	ds:_CmpTraceRoutine, 0
		jnz	loc_8EE1F7

loc_7BCB88:				; CODE XREF: PAGE:008EE1F9j
					; PAGE:008EE25Bj
		mov	ecx, [ebp+14h]
		mov	eax, ecx
		and	eax, 100001Fh
		cmp	eax, ecx
		jnz	loc_8EE260
		mov	[ebp-0DCh], ecx
		mov	dword ptr [ebp-0F0h], 1
		mov	eax, [ebp-110h]
		mov	[ebp-0E8h], eax
		mov	ax, [ebp-114h]
		mov	[ebp-0ECh], ax
		mov	eax, [ebp+1Ch]
		mov	[ebp-0C0h], eax
		lea	eax, [ebp-0FCh]
		push	eax
		lea	eax, [ebp-0F0h]
		push	eax
		push	edx
		push	0
		push	dword ptr [ebp-12Ch]
		mov	eax, ds:_CmKeyObjectType
		push	eax
		push	ebx
		call	_ObOpenObjectByName@28 ; ObOpenObjectByName(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7BCBFD
		mov	byte ptr [ebp-0F1h], 1

loc_7BCBFD:				; CODE XREF: PAGE:007BCBF4j
		mov	dword ptr [ebp-4], 1
		test	esi, esi
		js	short loc_7BCC22
		mov	eax, [ebp-0FCh]
		mov	ecx, [ebp-118h]
		mov	[ecx], eax
		test	edi, edi
		jz	short loc_7BCC22
		mov	eax, [ebp-0D4h]
		mov	[edi], eax

loc_7BCC22:				; CODE XREF: PAGE:007BCC06j
					; PAGE:007BCC18j ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7BCC29:				; CODE XREF: PAGE:007BCB75j
					; PAGE:008EE12Cj ...
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jnz	loc_8EE2A9

loc_7BCC36:				; CODE XREF: PAGE:008EE2C1j
		mov	edi, [ebp-11Ch]
		test	edi, edi
		jnz	loc_7BCD18

loc_7BCC44:				; CODE XREF: PAGE:007BCD1Fj
		xor	dl, dl
		lea	ecx, [ebp-0F0h]
		call	CmpCleanupParseContext
		cmp	byte ptr [ebp-0F2h], 0
		jz	short loc_7BCC5F
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_7BCC5F:				; CODE XREF: PAGE:007BCC58j
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-1Ch]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7BCC7F:				; CODE XREF: PAGE:007BC9FEj
		mov	ecx, [ebp-104h]
		test	ecx, ecx
		jnz	loc_7BCD24

loc_7BCC8D:				; CODE XREF: PAGE:007BCD35j
		mov	ecx, [ebx+8]
		mov	eax, [ecx]
		mov	[ebp-10Ch], eax
		mov	eax, [ecx+4]
		mov	[ebp-108h], eax
		mov	eax, [ebx+4]
		mov	[ebp-0FCh], eax
		jmp	loc_7BCB61
; 

loc_7BCCAF:				; CODE XREF: PAGE:007BCA69j
		test	dl, 1
		jnz	loc_7BCD3A
		add	eax, edx
		mov	edi, ds:_MmUserProbeAddress
		cmp	eax, edi
		ja	short loc_7BCCCC
		cmp	eax, edx
		jnb	loc_7BCA6F

loc_7BCCCC:				; CODE XREF: PAGE:007BCCC2j
		mov	byte ptr [edi],	0
		jmp	loc_7BCA6F
; 

loc_7BCCD4:				; CODE XREF: PAGE:007BCA7Bj
		mov	eax, ecx
		mov	[ebp-104h], eax
		push	78634D43h
		mov	edx, eax
		call	_CmpAllocateTransientPoolWithQuotaTag@12 ; CmpAllocateTransientPoolWithQuotaTag(x,x,x)
		mov	edi, eax
		mov	[ebp-11Ch], edi
		test	edi, edi
		jz	loc_8EE148
		push	dword ptr [ebp-104h]
		push	dword ptr [ebp-144h]
		push	edi
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp-110h], edi
		jmp	loc_7BCA81
; 

loc_7BCD18:				; CODE XREF: PAGE:007BCC3Ej
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	loc_7BCC44
; 

loc_7BCD24:				; CODE XREF: PAGE:007BCC87j
		mov	eax, [ecx]
		mov	[ebp-114h], eax
		mov	eax, [ecx+4]
		mov	[ebp-110h], eax
		jmp	loc_7BCC8D
; 

loc_7BCD3A:				; CODE XREF: PAGE:007BCCB2j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7BCD3F:				; CODE XREF: PAGE:007BCAB7j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7BCD44:				; CODE XREF: PAGE:007BCB26j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 3 dup(0CCh)
		align 10h
; Exported entry 1797. PsGetProcessDxgProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessDxgProcess(x)
		public _PsGetProcessDxgProcess@4
_PsGetProcessDxgProcess@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+434h]
		pop	ebp
		retn	4
_PsGetProcessDxgProcess@4 endp

; 
		align 10h
; Exported entry 1520. NtDeviceIoControlFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtDeviceIoControlFile(x, x,	x, x, x, x, x, x, x, x)
		public _NtDeviceIoControlFile@40
_NtDeviceIoControlFile@40 proc near	; CODE XREF: PopFlushVolumeWorker+723Fp
					; DATA XREF: .text:00581098o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1
		push	[ebp+arg_24]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_20]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_IopXxxControlFile@44 ;	IopXxxControlFile(x,x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	28h
_NtDeviceIoControlFile@40 endp ; sp = -24h

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1497. NtAllocateLocallyUniqueId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtAllocateLocallyUniqueId
NtAllocateLocallyUniqueId proc near	; DATA XREF: .text:00581264o

var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A30C0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_4], 0
		mov	eax, large fs:124h
		mov	[ebp+var_3C], eax
		mov	al, [eax+15Ah]
		mov	[ebp+var_1A], al
		test	al, al
		jnz	short loc_7BCE80

loc_7BCE02:				; CODE XREF: NtAllocateLocallyUniqueId+EBj
		mov	[ebp+var_2C], 0
		mov	[ebp+var_28], 0
		mov	esi, _ExpLuid
		mov	[ebp+var_20], esi
		mov	edi, dword_6B5B94
		mov	eax, esi
		mov	[ebp+var_24], esi
		mov	edx, edi
		mov	[ebp+var_30], offset _ExpLuid

loc_7BCE2D:				; CODE XREF: NtAllocateLocallyUniqueId+FAj
		mov	[ebp+var_28], edi
		mov	[ebp+var_28], edx
		mov	[ebp+var_2C], esi
		mov	ebx, eax
		add	ebx, ds:_ExpLuidIncrement
		mov	ecx, edx
		adc	ecx, ds:dword_40AA94
		nop
		mov	esi, [ebp+var_30]
		lock cmpxchg8b qword ptr [esi]
		cmp	[ebp+var_24], eax
		mov	esi, [ebp+var_20]
		jnz	short loc_7BCEA0
		cmp	[ebp+var_28], edx
		jnz	short loc_7BCEA0
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		mov	[eax+4], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	eax, eax

loc_7BCE6C:				; CODE XREF: PAGE:008EE2FDj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7BCE80:				; CODE XREF: NtAllocateLocallyUniqueId+50j
		mov	eax, [ebp+arg_0]
		test	al, 3
		jnz	short loc_7BCEAC
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	short loc_7BCEB1

loc_7BCE91:				; CODE XREF: NtAllocateLocallyUniqueId+104j
		mov	cl, [eax]
		mov	[eax], cl
		mov	cl, [eax+4]
		mov	[eax+4], cl
		jmp	loc_7BCE02
; 

loc_7BCEA0:				; CODE XREF: NtAllocateLocallyUniqueId+A4j
					; NtAllocateLocallyUniqueId+A9j
		mov	esi, eax
		mov	[ebp+var_20], eax
		mov	edi, edx
		mov	[ebp+var_24], eax
		jmp	short loc_7BCE2D
; 

loc_7BCEAC:				; CODE XREF: NtAllocateLocallyUniqueId+D5j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7BCEB1:				; CODE XREF: NtAllocateLocallyUniqueId+DFj
		mov	byte ptr [ecx],	0
		jmp	short loc_7BCE91
NtAllocateLocallyUniqueId endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpRecordParseStartingKcb(x, x)
_CmpRecordParseStartingKcb@8 proc near	; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+608p
		test	ecx, ecx
		jz	short locret_7BCED0
		mov	[ecx+80h], edx
		mov	[ecx+8Ch], edx

locret_7BCED0:				; CODE XREF: CmpRecordParseStartingKcb(x,x)+2j
		retn
_CmpRecordParseStartingKcb@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlPTeardownPerFileObjectContexts(x)
_FsRtlPTeardownPerFileObjectContexts@4 proc near ; CODE	XREF: PAGE:0081CB2Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		xor	ebx, ebx
		lea	edx, [ebp+var_4]
		push	ebx
		mov	edi, ecx
		mov	[ebp+var_4], ebx
		call	_IoGetFileObjectFilterContext@12 ; IoGetFileObjectFilterContext(x,x,x)
		cmp	[ebp+var_4], ebx
		jnz	short loc_7BCEF3

loc_7BCEEF:				; CODE XREF: FsRtlPTeardownPerFileObjectContexts(x)+35j
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_7BCEF3:				; CODE XREF: FsRtlPTeardownPerFileObjectContexts(x)+1Bj
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		push	ebx
		call	_IoChangeFileObjectFilterContext@12 ; IoChangeFileObjectFilterContext(x,x,x)
		push	ebx
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7BCEEF
_FsRtlPTeardownPerFileObjectContexts@4 endp

; 
		align 10h
; Exported entry 662. FsRtlSetEcpListIntoIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlSetEcpListIntoIrp(x, x)
		public _FsRtlSetEcpListIntoIrp@8
_FsRtlSetEcpListIntoIrp@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+8], 80h
		jz	short loc_7BCF34
		cmp	dword ptr [eax+3Ch], 0
		jnz	short loc_7BCF3B
		mov	ecx, [ebp+arg_4]
		mov	[eax+3Ch], ecx
		or	dword ptr [ecx+4], 8
		xor	eax, eax

loc_7BCF30:				; CODE XREF: FsRtlSetEcpListIntoIrp(x,x)+29j
					; FsRtlSetEcpListIntoIrp(x,x)+30j
		pop	ebp
		retn	8
; 

loc_7BCF34:				; CODE XREF: FsRtlSetEcpListIntoIrp(x,x)+Cj
		mov	eax, 0C00000EFh
		jmp	short loc_7BCF30
; 

loc_7BCF3B:				; CODE XREF: FsRtlSetEcpListIntoIrp(x,x)+12j
		mov	eax, 0C00000F0h
		jmp	short loc_7BCF30
_FsRtlSetEcpListIntoIrp@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpParseIndirectResourceString	proc near
					; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+2E5p
					; _PnpRegQueryValueIndirect+B8p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EE302 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	eax, eax
		mov	edx, 7FFFh
		push	esi
		mov	[ebp+var_4], eax
		mov	esi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_4]
		push	edi
		push	eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		test	eax, eax
		js	short loc_7BCF78
		cmp	[ebp+var_4], 5
		jb	short loc_7BCF78
		cmp	word ptr [esi],	40h
		jz	short loc_7BCF81

loc_7BCF78:				; CODE XREF: _PnpParseIndirectResourceString+28j
					; _PnpParseIndirectResourceString+2Ej ...
		xor	al, al

loc_7BCF7A:				; CODE XREF: _PnpParseIndirectResourceString+10Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7BCF81:				; CODE XREF: _PnpParseIndirectResourceString+34j
		movzx	eax, word ptr [esi+2]
		xor	ecx, ecx
		push	2Ch
		inc	ecx
		pop	edi
		jmp	short loc_7BCF97
; 

loc_7BCF8D:				; CODE XREF: _PnpParseIndirectResourceString+5Aj
		cmp	dx, di
		jz	short loc_7BCF9E
		inc	ecx
		movzx	eax, word ptr [esi+ecx*2]

loc_7BCF97:				; CODE XREF: _PnpParseIndirectResourceString+49j
		mov	edx, eax
		test	ax, ax
		jnz	short loc_7BCF8D

loc_7BCF9E:				; CODE XREF: _PnpParseIndirectResourceString+4Ej
		cmp	[esi+ecx*2], di
		jnz	short loc_7BCF78
		lea	ebx, [ecx+1]
		movzx	eax, word ptr [esi+ebx*2]
		cmp	eax, 23h
		jnz	loc_8EE302

loc_7BCFB4:				; CODE XREF: _PnpParseIndirectResourceString+1313C3j
		push	3Bh
		lea	edi, [ebx+1]
		pop	ecx
		jmp	short loc_7BCFC2
; 

loc_7BCFBC:				; CODE XREF: _PnpParseIndirectResourceString+87j
		cmp	ax, cx
		jz	short loc_7BCFCB
		inc	edi

loc_7BCFC2:				; CODE XREF: _PnpParseIndirectResourceString+78j
		movzx	eax, word ptr [esi+edi*2]
		test	ax, ax
		jnz	short loc_7BCFBC

loc_7BCFCB:				; CODE XREF: _PnpParseIndirectResourceString+7Dj
		cmp	[esi+edi*2], cx
		jnz	loc_8EE310

loc_7BCFD5:				; CODE XREF: _PnpParseIndirectResourceString+1313D0j
		lea	eax, [esi+2]
		lea	eax, [eax+ebx*2]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_7BCF78
		test	edi, edi
		jz	short loc_7BD000
		mov	eax, edi
		sub	eax, ebx
		lea	eax, ds:0FFFFFFFEh[eax*2]
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax

loc_7BD000:				; CODE XREF: _PnpParseIndirectResourceString+A9j
		lea	eax, [ebp+var_8]
		push	eax
		push	0Ah
		lea	eax, [ebp+var_10]
		push	eax
		call	RtlUnicodeStringToInteger
		test	eax, eax
		js	loc_7BCF78
		test	edi, edi
		jz	short loc_7BD04C
		inc	edi
		movzx	eax, word ptr [esi+edi*2]
		test	ax, ax
		jz	short loc_7BD04C
		push	3Bh
		pop	ecx

loc_7BD028:				; CODE XREF: _PnpParseIndirectResourceString+F3j
		cmp	ax, cx
		jz	short loc_7BD039

loc_7BD02D:				; CODE XREF: _PnpParseIndirectResourceString+FDj
					; _PnpParseIndirectResourceString+108j
		inc	edi
		movzx	eax, word ptr [esi+edi*2]
		test	ax, ax
		jnz	short loc_7BD028
		jmp	short loc_7BD04C
; 

loc_7BD039:				; CODE XREF: _PnpParseIndirectResourceString+E9j
		cmp	word ptr [esi+edi*2+2],	28h
		jnz	short loc_7BD02D
		mov	eax, [ebp+var_4]
		cmp	word ptr [esi+eax*2-2],	29h
		jnz	short loc_7BD02D

loc_7BD04C:				; CODE XREF: _PnpParseIndirectResourceString+D7j
					; _PnpParseIndirectResourceString+E1j ...
		mov	al, 1
		jmp	loc_7BCF7A
_PnpParseIndirectResourceString	endp

; 
		align 10h
; Exported entry 2377. RtlUnicodeStringToInteger

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUnicodeStringToInteger
RtlUnicodeStringToInteger proc near	; CODE XREF: RtlpMuiRegAddAlternateCodePage+87F73p
					; RtlGetIntegerAtom+6Dp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EE317 SIZE 0000007D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A3100
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		xor	edx, edx
		mov	edi, [ebp+arg_0]
		movzx	eax, word ptr [edi]
		test	ax, ax
		jz	loc_7BD215
		test	al, 1
		jnz	loc_7BD215
		mov	edi, [edi+4]
		mov	esi, eax
		shr	esi, 1
		mov	ecx, edx
		mov	[ebp+arg_0], ecx
		jz	loc_8EE329

loc_7BD0C0:				; CODE XREF: RtlUnicodeStringToInteger+1312B9j
		dec	esi
		movzx	ecx, word ptr [edi]
		mov	[ebp+arg_0], ecx
		add	edi, 2
		cmp	ecx, 20h
		jbe	loc_8EE317

loc_7BD0D3:				; CODE XREF: RtlUnicodeStringToInteger+1312C4j
					; RtlUnicodeStringToInteger+1312CCj
		movzx	eax, cx
		cmp	cx, 2Dh
		jz	loc_7BD1AE
		cmp	cx, 2Bh
		jz	loc_7BD1AE

loc_7BD0EA:				; CODE XREF: RtlUnicodeStringToInteger+15Dj
					; RtlUnicodeStringToInteger+1312D3j
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], esi
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_7BD1C6
		cmp	ecx, 10h
		jnz	loc_7BD190
		lea	ebx, [ecx-0Ch]

loc_7BD107:				; CODE XREF: RtlUnicodeStringToInteger+149j
					; RtlUnicodeStringToInteger+173j ...
		xor	edx, edx
		test	ax, ax
		jz	short loc_7BD159
		mov	edi, edi

loc_7BD110:				; CODE XREF: RtlUnicodeStringToInteger+DEj
		lea	ecx, [eax-30h]
		cmp	cx, 9
		ja	short loc_7BD142
		movzx	eax, ax
		sub	eax, 30h

loc_7BD11F:				; CODE XREF: RtlUnicodeStringToInteger+1C5j
					; RtlUnicodeStringToInteger+13132Fj
		mov	ecx, [ebp+arg_4]
		cmp	eax, ecx
		jnb	short loc_7BD159
		test	ebx, ebx
		jz	short loc_7BD189
		mov	ecx, ebx
		shl	edx, cl
		or	edx, eax

loc_7BD130:				; CODE XREF: RtlUnicodeStringToInteger+12Ej
		test	esi, esi
		jz	short loc_7BD159
		dec	esi
		movzx	eax, word ptr [edi]
		add	edi, 2
		test	ax, ax
		jnz	short loc_7BD110
		jmp	short loc_7BD159
; 

loc_7BD142:				; CODE XREF: RtlUnicodeStringToInteger+B7j
		lea	ecx, [eax-41h]
		cmp	cx, 5
		jbe	loc_7BD21F
		cmp	ax, 61h
		jnb	loc_8EE37F

loc_7BD159:				; CODE XREF: RtlUnicodeStringToInteger+ACj
					; RtlUnicodeStringToInteger+C4j ...
		cmp	word ptr [ebp+arg_0], 2Dh
		jz	short loc_7BD1C2

loc_7BD160:				; CODE XREF: RtlUnicodeStringToInteger+164j
		xor	eax, eax

loc_7BD162:				; CODE XREF: RtlUnicodeStringToInteger+1BAj
		mov	[ebp+var_4], 0
		mov	ecx, [ebp+arg_8]
		mov	[ecx], edx
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7BD175:				; CODE XREF: sub_8EE3A4+Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7BD189:				; CODE XREF: RtlUnicodeStringToInteger+C8j
		imul	edx, ecx
		add	edx, eax
		jmp	short loc_7BD130
; 

loc_7BD190:				; CODE XREF: RtlUnicodeStringToInteger+9Ej
		sub	ecx, 2
		jz	loc_8EE375
		sub	ecx, 6
		jz	loc_8EE36B
		sub	ecx, 2
		jnz	short loc_7BD215
		xor	ebx, ebx
		jmp	loc_7BD107
; 

loc_7BD1AE:				; CODE XREF: RtlUnicodeStringToInteger+7Aj
					; RtlUnicodeStringToInteger+84j
		test	esi, esi
		jz	loc_8EE331
		dec	esi
		movzx	eax, word ptr [edi]
		add	edi, 2
		jmp	loc_7BD0EA
; 

loc_7BD1C2:				; CODE XREF: RtlUnicodeStringToInteger+FEj
		neg	edx
		jmp	short loc_7BD160
; 

loc_7BD1C6:				; CODE XREF: RtlUnicodeStringToInteger+95j
		mov	[ebp+arg_4], 0Ah
		xor	ebx, ebx
		cmp	ax, 30h
		jnz	loc_7BD107
		test	esi, esi
		jz	short loc_7BD22A
		dec	esi
		movzx	eax, word ptr [edi]
		add	edi, 2
		cmp	eax, 78h
		jz	loc_8EE338
		cmp	eax, 6Fh
		jz	loc_8EE349
		cmp	eax, 62h
		jz	loc_8EE35A
		mov	esi, [ebp+var_1C]
		mov	edi, [ebp+var_20]

loc_7BD205:				; CODE XREF: RtlUnicodeStringToInteger+1312E4j
					; RtlUnicodeStringToInteger+1312F5j ...
		test	esi, esi
		jz	short loc_7BD22A
		dec	esi
		movzx	eax, word ptr [edi]
		add	edi, 2
		jmp	loc_7BD107
; 

loc_7BD215:				; CODE XREF: RtlUnicodeStringToInteger+40j
					; RtlUnicodeStringToInteger+48j ...
		mov	eax, 0C000000Dh
		jmp	loc_7BD162
; 

loc_7BD21F:				; CODE XREF: RtlUnicodeStringToInteger+E9j
		movzx	eax, ax
		sub	eax, 37h
		jmp	loc_7BD11F
; 

loc_7BD22A:				; CODE XREF: RtlUnicodeStringToInteger+17Bj
					; RtlUnicodeStringToInteger+1A7j
		xor	eax, eax
		jmp	loc_7BD107
RtlUnicodeStringToInteger endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpCleanupPathInfo(x)
_CmpCleanupPathInfo@4 proc near		; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+546p
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+2158p
		mov	edx, [ecx+60h]
		test	edx, edx
		jnz	short loc_7BD248
		retn
; 

loc_7BD248:				; CODE XREF: CmpCleanupPathInfo(x)+5j
		push	esi
		mov	esi, large fs:20h
		mov	ecx, [esi+5E0h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	short loc_7BD269

loc_7BD263:				; CODE XREF: CmpCleanupPathInfo(x)+3Dj
		pop	esi
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
; 

loc_7BD269:				; CODE XREF: CmpCleanupPathInfo(x)+21j
		inc	dword ptr [ecx+18h]
		mov	ecx, [esi+5E4h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_7BD263
		mov	eax, [ecx+2Ch]
		inc	dword ptr [ecx+18h]
		push	edx
		call	eax
		pop	esi
		retn
_CmpCleanupPathInfo@4 endp

; 
		align 10h
; Exported entry 2425. SeAppendPrivileges

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeAppendPrivileges
SeAppendPrivileges proc	near		; CODE XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+9Ep
					; ObCheckObjectAccess+F6p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EE3B6 SIZE 000000A9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, [ebx+30h]
		mov	edx, [edi]
		mov	esi, [ebx]
		mov	ecx, [esi]
		lea	eax, [ecx+edx]
		cmp	eax, 3
		ja	loc_8EE3B6
		test	esi, esi
		jz	short loc_7BD2F0
		test	ecx, ecx
		jnz	short loc_7BD2E4
		mov	ecx, 8

loc_7BD2C0:				; CODE XREF: SeAppendPrivileges+5Ej
					; SeAppendPrivileges+62j
		lea	eax, [edx+edx*2]
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [edi+8]
		push	eax		; void *
		lea	eax, [ecx+esi]
		push	eax		; void *
		call	_memmove
		mov	eax, [edi]
		add	esp, 0Ch
		add	[esi], eax

loc_7BD2DB:				; CODE XREF: SeAppendPrivileges+1311CAj
		xor	eax, eax

loc_7BD2DD:				; CODE XREF: SeAppendPrivileges+131175j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7BD2E4:				; CODE XREF: SeAppendPrivileges+29j
		lea	eax, [ecx+ecx*2]
		lea	ecx, ds:8[eax*4]
		jmp	short loc_7BD2C0
; 

loc_7BD2F0:				; CODE XREF: SeAppendPrivileges+25j
		xor	ecx, ecx
		jmp	short loc_7BD2C0
SeAppendPrivileges endp

; 
		align 10h

NtQuerySymbolicLinkObject:		; CODE XREF: AdtpInitializeDriveLetters+D0p
					; AdtpInitializeDriveLetters+8CC76p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A3160
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	dword ptr [ebp-2Ch], 0
		mov	dword ptr [ebp-28h], 0
		mov	dword ptr [ebp-34h], 0
		mov	dword ptr [ebp-30h], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-24h], al
		test	al, al
		jz	loc_7BD4C8
		mov	dword ptr [ebp-4], 0
		mov	ebx, [ebp+0Ch]
		mov	ecx, ebx
		test	bl, 1
		jnz	loc_7BD502
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8EE45F

loc_7BD38A:				; CODE XREF: PAGE:008EE461j
		nop
		mov	al, [ecx]
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8EE466

loc_7BD39C:				; CODE XREF: PAGE:008EE468j
		mov	ax, [ecx]
		movzx	eax, ax
		mov	[ecx], ax
		lea	ecx, [ebx+2]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8EE46D

loc_7BD3B5:				; CODE XREF: PAGE:008EE46Fj
		mov	ax, [ecx]
		movzx	eax, ax
		mov	[ecx], ax
		mov	ecx, [ebx]
		mov	edi, [ebx+4]
		mov	[ebp+0Ch], edi
		mov	[ebp-2Ch], ecx
		mov	[ebp-28h], edi
		push	1
		mov	eax, edi
		shrd	ecx, eax, 10h
		movzx	eax, cx
		push	eax
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	esi, [ebp+10h]
		test	esi, esi
		jz	short loc_7BD3FE
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8EE474

loc_7BD3F4:				; CODE XREF: PAGE:008EE476j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	edi, [ebp-28h]
		mov	[ebp+0Ch], edi

loc_7BD3FE:				; CODE XREF: PAGE:007BD3E3j
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7BD405:				; CODE XREF: PAGE:007BD4D9j
		mov	eax, _ObpSymbolicLinkObjectType
		mov	dword ptr [ebp-1Ch], 0
		push	0
		lea	ecx, [ebp-1Ch]
		push	ecx
		push	dword ptr [ebp-24h]
		push	eax
		push	1
		push	dword ptr [ebp+8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+10h], eax
		test	eax, eax
		js	short loc_7BD4A6
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	edi, [ebp-1Ch]
		lea	ecx, [edi-10h]
		mov	[ebp+8], ecx
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		test	byte ptr [edi+14h], 10h
		jnz	loc_8EE49D
		mov	ecx, [edi+8]
		mov	[ebp-34h], ecx
		mov	edx, [edi+0Ch]
		mov	[ebp-30h], edx

loc_7BD457:				; CODE XREF: PAGE:008EE4B1j
		test	esi, esi
		jz	short loc_7BD4BD
		mov	eax, ecx
		shr	eax, 10h
		cmp	ax, [ebp-2Ah]
		ja	short loc_7BD4DE

loc_7BD466:				; CODE XREF: PAGE:007BD4C6j
		mov	dword ptr [ebp-4], 1
		push	eax
		push	edx
		push	dword ptr [ebp+0Ch]
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp-34h]
		mov	[ebx], ax
		test	esi, esi
		jz	short loc_7BD489
		shr	eax, 10h
		mov	[esi], eax

loc_7BD489:				; CODE XREF: PAGE:007BD482j
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7BD490:				; CODE XREF: PAGE:007BD4EBj
					; PAGE:007BD500j ...
		xor	edx, edx
		mov	ecx, [ebp+8]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7BD4A6:				; CODE XREF: PAGE:007BD42Aj
		mov	eax, [ebp+10h]

loc_7BD4A9:				; CODE XREF: PAGE:008EE498j
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7BD4BD:				; CODE XREF: PAGE:007BD459j
					; PAGE:007BD4E0j
		cmp	cx, [ebp-2Ah]
		ja	short loc_7BD4E2
		movzx	eax, cx
		jmp	short loc_7BD466
; 

loc_7BD4C8:				; CODE XREF: PAGE:007BD362j
		mov	ebx, [ebp+0Ch]
		mov	eax, [ebx]
		mov	[ebp-2Ch], eax
		mov	eax, [ebx+4]
		mov	[ebp+0Ch], eax
		mov	esi, [ebp+10h]
		jmp	loc_7BD405
; 

loc_7BD4DE:				; CODE XREF: PAGE:007BD464j
		test	esi, esi
		jz	short loc_7BD4BD

loc_7BD4E2:				; CODE XREF: PAGE:007BD4C1j
		mov	dword ptr [ebp+10h], 0C0000023h
		test	esi, esi
		jz	short loc_7BD490
		mov	dword ptr [ebp-4], 2
		shr	ecx, 10h
		mov	[esi], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7BD490
; 

loc_7BD502:				; CODE XREF: PAGE:007BD377j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpRecordParseCachedSymlinkKcb(x, x)
_CmpRecordParseCachedSymlinkKcb@8 proc near
					; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1C7p
		test	ecx, ecx
		jz	short locret_7BD517
		mov	[ecx+7Ch], edx

locret_7BD517:				; CODE XREF: CmpRecordParseCachedSymlinkKcb(x,x)+2j
		retn
_CmpRecordParseCachedSymlinkKcb@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtExtendSection	proc near		; DATA XREF: .text:00581064o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EE4D6 SIZE 0000003C BYTES

		push	1Ch
		push	offset dword_6A31B8
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ecx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jnz	loc_8EE4D6
		mov	ebx, [ebp+arg_4]
		mov	eax, [ebx]
		mov	[ebp+var_2C], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_28], eax

loc_7BD551:				; CODE XREF: NtExtendSection+130FF5j
		mov	eax, ds:_MmSectionObjectType
		mov	[ebp+var_1C], ecx
		push	ecx
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	10h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7BD5A4
		push	0
		lea	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_1C]
		call	MmExtendSection
		mov	[ebp+arg_4], eax
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_2C]
		mov	[ebx], eax
		mov	eax, [ebp+var_28]
		mov	[ebx+4], eax

loc_7BD59A:				; CODE XREF: sub_8EE536+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+arg_4]

loc_7BD5A4:				; CODE XREF: NtExtendSection+56j
					; sub_8EE520+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
NtExtendSection	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmExtendSection	proc near		; CODE XREF: CcSetFileSizesEx+3DAp
					; NtExtendSection+60p ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008EE53E SIZE 0000008E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		push	7
		mov	[esp+54h+var_38], edx
		lea	edi, [esp+54h+var_1C]
		mov	edx, ecx
		xor	eax, eax
		pop	ecx
		rep stosd
		xor	ebx, ebx
		mov	[esp+50h+var_3C], edx
		mov	ecx, edx
		mov	[esp+50h+var_28], ebx
		mov	[esp+50h+var_24], ebx
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	esi, eax
		mov	[esp+50h+var_34], esi
		test	dword ptr [esi+1Ch], 420h
		jnz	loc_8EE5C2
		cmp	[esi+20h], ebx
		jz	loc_8EE5C2
		mov	edi, [esp+50h+var_38]
		mov	eax, [edi+4]
		mov	ebx, [edi]
		cmp	eax, 3FFFFFh
		jb	short loc_7BD628
		ja	loc_8EE53E
		cmp	ebx, 0FFFFF000h
		ja	loc_8EE53E

loc_7BD628:				; CODE XREF: MmExtendSection+5Ej
		mov	ecx, [esi]
		lea	edx, [esp+50h+var_1C]
		add	ebx, 0FFFh
		mov	[esp+50h+var_40], ecx
		mov	ecx, esi
		mov	[esp+50h+var_18], 10h
		adc	eax, 0
		shrd	ebx, eax, 0Ch
		shr	eax, 0Ch
		mov	[esp+50h+var_20], eax
		call	MiLockControlAreaSectionExtend
		test	dword ptr [esi+1Ch], 8000h
		jz	loc_7BD8CB

loc_7BD662:				; CODE XREF: MmExtendSection+322j
					; MmExtendSection+330j
		cmp	[ebp+arg_0], 0
		jz	loc_7BD791

loc_7BD66C:				; CODE XREF: MmExtendSection+2C0j
		and	[esp+50h+var_30], 0
		xor	edx, edx
		and	[esp+50h+var_2C], 0
		mov	ecx, esi
		call	_MiFindLastSubsection@8	; MiFindLastSubsection(x,x)
		mov	[esp+50h+var_44], eax
		mov	eax, [esp+50h+var_40]
		mov	cx, [eax+8]
		mov	eax, 3FFh
		and	cx, ax
		movzx	eax, cx
		mov	ecx, [esp+50h+var_20]
		cdq
		mov	[esp+50h+var_28], eax
		xor	edx, edx
		mov	eax, [esp+50h+var_40]
		or	edx, [eax+4]
		mov	eax, [esp+50h+var_28]
		cmp	ecx, eax
		ja	short loc_7BD6BE
		jb	loc_7BD87B
		cmp	ebx, edx
		jbe	loc_7BD87B

loc_7BD6BE:				; CODE XREF: MmExtendSection+F8j
		sub	ebx, edx
		mov	edx, [esp+50h+var_44]
		sbb	ecx, eax
		mov	eax, [edx+24h]
		and	eax, 3FFFFFFFh
		test	ecx, ecx
		ja	short loc_7BD6E0
		jb	loc_7BD771
		cmp	ebx, eax
		jbe	loc_7BD771

loc_7BD6E0:				; CODE XREF: MmExtendSection+11Aj
		sub	ebx, eax
		lea	edx, [esp+50h+var_2C]
		push	edx
		sbb	ecx, 0
		mov	edx, edi
		push	ecx
		mov	ecx, [esp+58h+var_44]
		push	ebx
		push	eax
		call	MiExtendSection

loc_7BD6F8:				; CODE XREF: MmExtendSection+1D6j
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7BD74F
		mov	ebx, [edi]
		mov	eax, [edi+4]
		mov	edi, [esp+50h+var_40]
		mov	[esp+50h+var_30], ebx
		add	edi, 10h
		mov	[esp+50h+var_20], eax

loc_7BD712:				; CODE XREF: MmExtendSection+178j
					; MmExtendSection+17Ej
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[esp+50h+var_28], ecx
		nop
		mov	ecx, [esp+50h+var_20]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [esp+50h+var_30]
		cmp	eax, esi
		jnz	short loc_7BD712
		cmp	edx, [esp+50h+var_28]
		jnz	short loc_7BD712
		mov	edi, [esp+50h+var_38]
		xor	ebx, ebx
		mov	ecx, [esp+50h+var_3C]
		mov	esi, [esp+50h+var_34]
		mov	eax, [edi]
		mov	[ecx+18h], eax
		mov	eax, [edi+4]
		mov	[ecx+1Ch], eax

loc_7BD74F:				; CODE XREF: MmExtendSection+146j
					; MmExtendSection+310j
		lea	edx, [esp+50h+var_1C]
		mov	ecx, esi
		call	MiUnlockControlAreaSectionExtend
		mov	ecx, [esp+50h+var_2C]
		test	ecx, ecx
		jnz	loc_8EE5B6

loc_7BD766:				; CODE XREF: MmExtendSection+131007j
		mov	eax, ebx

loc_7BD768:				; CODE XREF: MmExtendSection+130F8Dj
					; MmExtendSection+130FA4j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7BD771:				; CODE XREF: MmExtendSection+11Cj
					; MmExtendSection+124j
		mov	ecx, esi
		call	_MiControlAreaUsingExtents@4 ; MiControlAreaUsingExtents(x)
		test	eax, eax
		jnz	loc_8EE598

loc_7BD780:				; CODE XREF: MmExtendSection+130FE6j
		mov	ecx, [esp+50h+var_44]

loc_7BD784:				; CODE XREF: MmExtendSection+130FFBj
		push	ebx
		mov	edx, edi
		call	_MiUpdateLastSubsectionSize@12 ; MiUpdateLastSubsectionSize(x,x,x)
		jmp	loc_7BD6F8
; 

loc_7BD791:				; CODE XREF: MmExtendSection+B0j
		lea	edx, [esp+50h+var_1C]
		mov	ecx, esi
		call	MiUnlockControlAreaSectionExtend
		mov	ecx, esi
		call	MiReferenceControlAreaFile
		lea	edx, [esp+50h+var_1C]
		mov	[esp+50h+var_44], eax
		mov	ecx, esi
		mov	[esp+50h+var_18], 20h
		call	MiLockControlAreaSectionExtend
		lea	eax, [esp+50h+var_28]
		push	eax
		push	[esp+54h+var_44]
		call	FsRtlGetFileSize
		test	eax, eax
		js	loc_7BD91C
		mov	edx, [edi+4]
		mov	ecx, [edi]
		cmp	edx, [esp+50h+var_24]
		jb	short loc_7BD7EB
		ja	loc_7BD8F1
		cmp	ecx, [esp+50h+var_28]
		ja	loc_7BD8F1

loc_7BD7EB:				; CODE XREF: MmExtendSection+223j
					; MmExtendSection+360j
		mov	eax, [esp+50h+var_40]
		cmp	dword ptr [eax+18h], 0
		jz	short loc_7BD84D
		mov	eax, large fs:124h
		mov	[esp+50h+var_2C], eax
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6CF3C8
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esp+50h+var_40]
		mov	ecx, [eax+18h]
		test	ecx, ecx
		jz	short loc_7BD82B
		mov	eax, [esp+50h+var_28]
		mov	[ecx], eax
		mov	eax, [esp+50h+var_24]
		mov	[ecx+4], eax

loc_7BD82B:				; CODE XREF: MmExtendSection+266j
		or	eax, 0FFFFFFFFh
		mov	ecx, offset dword_6CF3C8
		lock xadd [ecx], eax
		test	al, 2
		jnz	loc_8EE581

loc_7BD83F:				; CODE XREF: MmExtendSection+130FCDj
					; MmExtendSection+130FDDj
		call	KeAbPostRelease
		mov	ecx, [esp+50h+var_2C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_7BD84D:				; CODE XREF: MmExtendSection+23Dj
		lea	edx, [esp+50h+var_1C]
		mov	ecx, esi
		call	MiUnlockControlAreaSectionExtend
		mov	edx, [esp+50h+var_44]
		mov	ecx, esi
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		lea	edx, [esp+50h+var_1C]
		mov	[esp+50h+var_18], 10h
		mov	ecx, esi
		call	MiLockControlAreaSectionExtend
		jmp	loc_7BD66C
; 

loc_7BD87B:				; CODE XREF: MmExtendSection+FAj
					; MmExtendSection+102j
		mov	ecx, [esp+50h+var_3C]
		mov	eax, [edi]
		mov	[ecx+18h], eax
		mov	eax, [edi+4]
		mov	[ecx+1Ch], eax
		or	ecx, 0FFFFFFFFh
		mov	eax, [esp+50h+var_40]
		mov	edx, ecx
		add	eax, 10h
		mov	[esp+50h+var_3C], eax
		mov	eax, ecx
		nop
		mov	esi, [esp+50h+var_3C]
		mov	ebx, ecx
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [edi+4]
		mov	ecx, [edi]
		mov	esi, [esp+50h+var_34]
		mov	[esp+50h+var_40], ecx
		mov	[esp+50h+var_20], ebx
		cmp	edx, ebx
		ja	short loc_7BD8C2
		jb	short loc_7BD923
		cmp	eax, ecx
		jb	short loc_7BD923

loc_7BD8C2:				; CODE XREF: MmExtendSection+304j
					; MmExtendSection+3B0j
		mov	ebx, [esp+50h+var_30]
		jmp	loc_7BD74F
; 

loc_7BD8CB:				; CODE XREF: MmExtendSection+A6j
		mov	eax, [esp+50h+var_3C]
		mov	edx, [eax+1Ch]
		mov	ecx, [eax+18h]
		cmp	[edi+4], edx
		ja	loc_7BD662
		jb	loc_8EE548
		cmp	[edi], ecx
		ja	loc_7BD662
		jmp	loc_8EE548
; 

loc_7BD8F1:				; CODE XREF: MmExtendSection+225j
					; MmExtendSection+22Fj
		mov	eax, [esp+50h+var_3C]
		test	byte ptr [eax+24h], 44h
		jz	loc_8EE55F
		mov	[esp+50h+var_28], ecx
		mov	ecx, [esp+50h+var_44]
		mov	[esp+50h+var_24], edx
		lea	edx, [esp+50h+var_28]
		call	FsRtlSetFileSize
		test	eax, eax
		jns	loc_7BD7EB

loc_7BD91C:				; CODE XREF: MmExtendSection+214j
		mov	edi, eax
		jmp	loc_8EE564
; 

loc_7BD923:				; CODE XREF: MmExtendSection+306j
					; MmExtendSection+30Aj
		mov	edi, ecx

loc_7BD925:				; CODE XREF: MmExtendSection+395j
					; MmExtendSection+39Bj
		mov	eax, [esp+50h+var_3C]
		mov	esi, [eax]
		mov	ecx, [eax+4]
		mov	eax, esi
		mov	[esp+50h+var_28], ecx
		mov	edx, ecx
		nop
		mov	ecx, [esp+50h+var_20]
		mov	ebx, edi
		mov	edi, [esp+50h+var_3C]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [esp+50h+var_40]
		cmp	eax, esi
		jnz	short loc_7BD925
		cmp	edx, [esp+50h+var_28]
		jnz	short loc_7BD925
		mov	edx, [esp+50h+var_38]
		mov	ecx, [esp+50h+var_44]
		push	0
		call	_MiUpdateLastSubsectionSize@12 ; MiUpdateLastSubsectionSize(x,x,x)
		mov	esi, [esp+50h+var_34]
		jmp	loc_7BD8C2
MmExtendSection	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiExtendSection	proc near		; CODE XREF: MmExtendSection+13Dp

var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_7C		= dword	ptr -7Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008EE5CC SIZE 000000EC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_20], edx
		mov	ecx, [ebp+arg_8]
		push	edi
		xor	edi, edi
		mov	[ebp+var_18], esi
		mov	edx, [esi]
		mov	[eax], edi
		mov	[ebp+var_28], edx
		mov	[ebp+var_30], edi
		mov	eax, [edx]
		mov	ebx, [edx+1Ch]
		mov	edx, edi
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_4]
		shld	ecx, eax, 3
		mov	[ebp+var_2C], edi
		shl	eax, 3
		mov	[ebp+var_44], eax
		add	eax, 0FFFh
		mov	[ebp+var_40], ecx
		adc	ecx, edi
		and	eax, 0FFFFF000h
		and	ebx, 40000000h
		mov	[ebp+var_1C], ecx
		neg	ebx
		mov	[ebp+var_8], eax
		push	15h
		sbb	ebx, ebx
		lea	edi, [ebp+var_A0]
		and	[ebp+var_C], edx
		and	ebx, 1FC000h
		pop	ecx
		rep movsd
		add	ebx, 4000h
		lea	esi, [ebp+var_A0]
		mov	[ebp+var_34], ebx
		mov	[ebp+var_10], esi
		cmp	[ebp+arg_0], edx
		jnz	loc_7BDBF2

loc_7BD9FC:				; CODE XREF: MiExtendSection+29Dj
		and	[ebp+var_4], edx
		mov	edi, edx
		and	[ebp+var_24], edx

loc_7BDA04:				; CODE XREF: MiExtendSection+203j
					; MiExtendSection+3AEj
		mov	ecx, eax
		mov	eax, [ebp+var_1C]
		sub	ecx, edx
		sbb	eax, edi
		test	eax, eax
		jb	short loc_7BDA1F
		ja	loc_7BDBD2
		cmp	ecx, ebx
		ja	loc_7BDBD2

loc_7BDA1F:				; CODE XREF: MiExtendSection+A3j
		mov	edi, [ebp+var_8]
		sub	edi, edx

loc_7BDA24:				; CODE XREF: MiExtendSection+268j
		push	0
		push	40h
		push	54h
		mov	edx, 64536D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8EE63A
		mov	edx, [ebp+var_30]
		lea	eax, [esi+34h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+var_10]
		mov	[eax+8], esi
		mov	eax, [ebp+var_28]
		mov	[esi], eax
		mov	eax, edi
		shr	eax, 3
		add	edx, edi
		mov	edi, [ebp+var_2C]
		adc	edi, 0
		mov	[ebp+var_38], eax
		mov	[esi+1Ch], eax
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], edi
		cmp	edi, [ebp+var_40]
		jb	short loc_7BDA91
		ja	short loc_7BDA7A
		cmp	edx, [ebp+var_44]
		jbe	short loc_7BDA91

loc_7BDA7A:				; CODE XREF: MiExtendSection+107j
		mov	ecx, edx
		mov	eax, edi
		shrd	ecx, eax, 3
		sub	ecx, [ebp+arg_4]
		xor	ecx, [esi+24h]
		and	ecx, 3FFFFFFFh
		xor	[esi+24h], ecx

loc_7BDA91:				; CODE XREF: MiExtendSection+105j
					; MiExtendSection+10Cj
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_14], 0FFC1h
		mov	al, [eax+0Ah]
		shr	al, 1
		and	al, 1Fh
		movzx	ecx, al
		mov	ax, [esi+10h]
		add	cx, cx
		and	ax, word ptr [ebp+var_14]
		or	cx, ax
		movzx	eax, cx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_A0]
		mov	[esi+10h], cx
		mov	ecx, [ebp+var_10]
		cmp	ecx, eax
		jnz	loc_7BDBD9
		mov	eax, [ecx+1Ch]
		mov	[ecx+18h], eax
		mov	[ebp+var_14], eax
		push	0Fh
		pop	eax
		and	[ecx+12h], ax
		mov	ax, [ecx+10h]
		shr	ax, 6
		movzx	eax, ax
		cdq
		xor	edx, edx
		mov	[ebp+var_24], eax
		or	edx, [ecx+14h]
		movzx	ecx, word ptr [esi+10h]
		mov	eax, [ebp+var_14]
		mov	[ebp+var_4], edx
		mov	edx, [ebp+var_30]

loc_7BDAFF:				; CODE XREF: MiExtendSection+276j
		add	[ebp+var_4], eax
		mov	eax, [ebp+var_4]
		adc	[ebp+var_24], 0
		and	ecx, 3Fh
		mov	[esi+14h], eax
		mov	eax, [ebp+var_24]
		shl	eax, 6
		or	ecx, eax
		mov	[esi+10h], cx
		cmp	edi, [ebp+var_1C]
		ja	short loc_7BDB2F
		jb	loc_7BDBE7
		cmp	edx, [ebp+var_8]
		jb	loc_7BDBE7

loc_7BDB2F:				; CODE XREF: MiExtendSection+1B2j
		mov	eax, [ebp+var_20]
		push	0Fh
		mov	ecx, [eax]
		mov	eax, [eax+4]
		shrd	ecx, eax, 0Ch
		pop	eax
		sub	ecx, [ebp+var_4]
		mov	[esi+18h], ecx
		mov	cx, [esi+12h]
		and	cx, ax
		mov	eax, [ebp+var_20]
		mov	ax, [eax]
		shl	ax, 4
		or	cx, ax
		mov	[esi+12h], cx

loc_7BDB5C:				; CODE XREF: MiExtendSection+281j
		mov	[ebp+var_10], esi
		cmp	edi, [ebp+var_1C]
		jb	loc_7BDD17
		ja	short loc_7BDB75
		mov	eax, [ebp+var_8]
		cmp	edx, eax
		jb	loc_7BDA04

loc_7BDB75:				; CODE XREF: MiExtendSection+1FCj
		cmp	[ebp+arg_0], 0
		jnz	loc_7BDC0E

loc_7BDB7F:				; CODE XREF: MiExtendSection+2ACj
		mov	ecx, [ebp+var_18]

loc_7BDB82:				; CODE XREF: MiExtendSection+130C69j
					; MiExtendSection+130C7Cj
		push	0
		lea	edx, [ebp+var_A0]
		call	MiAppendSubsectionChain
		test	eax, eax
		jnz	loc_7BDC23

loc_7BDB97:				; CODE XREF: MiExtendSection+39Dj
		mov	ebx, [ebp+var_3C]
		xor	ecx, ecx
		mov	edi, 3FFh
		movzx	esi, word ptr [ebx+8]
		or	ecx, [ebx+4]
		mov	eax, esi
		and	eax, edi
		add	ecx, [ebp+arg_0]
		cdq
		adc	eax, 0
		add	ecx, [ebp+arg_4]
		mov	[ebx+4], ecx
		adc	eax, [ebp+arg_8]
		xor	ax, si
		and	ax, di
		xor	ax, si
		mov	[ebx+8], ax
		xor	eax, eax

loc_7BDBCB:				; CODE XREF: MiExtendSection+130D47j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7BDBD2:				; CODE XREF: MiExtendSection+A5j
					; MiExtendSection+ADj
		mov	edi, ebx
		jmp	loc_7BDA24
; 

loc_7BDBD9:				; CODE XREF: MiExtendSection+15Cj
		mov	eax, [ecx+18h]
		mov	ecx, [ebp+var_14]
		movzx	ecx, cx
		jmp	loc_7BDAFF
; 

loc_7BDBE7:				; CODE XREF: MiExtendSection+1B4j
					; MiExtendSection+1BDj
		mov	eax, [ebp+var_38]
		mov	[esi+18h], eax
		jmp	loc_7BDB5C
; 

loc_7BDBF2:				; CODE XREF: MiExtendSection+8Aj
		mov	ecx, [ebp+var_7C]
		mov	eax, ecx
		sub	eax, [ebp+arg_0]
		xor	eax, ecx
		and	eax, 3FFFFFFFh
		xor	ecx, eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_7C], ecx
		jmp	loc_7BD9FC
; 

loc_7BDC0E:				; CODE XREF: MiExtendSection+20Dj
		mov	ecx, [ebp+var_28]
		call	_MiControlAreaUsingExtents@4 ; MiControlAreaUsingExtents(x)
		test	eax, eax
		jz	loc_7BDB7F
		jmp	loc_8EE5CC
; 

loc_7BDC23:				; CODE XREF: MiExtendSection+225j
		mov	edi, [ebp+var_98]

loc_7BDC29:				; CODE XREF: MiExtendSection+3A6j
		test	al, 1
		jz	loc_8EE60D
		or	[ebp+var_C], 1
		xor	ecx, ecx
		mov	eax, [ebp+var_8]
		xor	esi, esi
		mov	[ebp+var_4], edi

loc_7BDC3F:				; CODE XREF: MiExtendSection+37Cj
					; MiExtendSection+384j
		mov	edx, eax
		mov	eax, [ebp+var_1C]
		sub	edx, ecx
		sbb	eax, esi
		test	eax, eax
		jb	short loc_7BDC52
		ja	short loc_7BDC57
		cmp	edx, ebx
		ja	short loc_7BDC57

loc_7BDC52:				; CODE XREF: MiExtendSection+2DEj
		mov	ebx, [ebp+var_8]
		sub	ebx, ecx

loc_7BDC57:				; CODE XREF: MiExtendSection+2E0j
					; MiExtendSection+2E4j
		add	ecx, ebx
		mov	edx, 74536D4Dh
		push	0
		mov	[ebp+var_20], ecx
		adc	esi, 0
		push	112h
		mov	ecx, ebx
		mov	[ebp+var_14], esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		jz	loc_8EE640
		mov	ecx, [ebp+var_28]
		push	0
		mov	esi, [ecx+1Ch]
		pop	ecx
		and	esi, 40000000h
		setz	cl
		shr	ebx, 3
		push	ecx
		push	[ebp+var_4]
		mov	edx, ebx
		mov	ecx, eax
		call	MiInitializePrototypePtes
		mov	ecx, [ebp+var_4]
		test	esi, esi
		jnz	loc_8EE5ED
		test	byte ptr [ebp+var_C], 2
		jnz	loc_8EE600

loc_7BDCB7:				; CODE XREF: MiExtendSection+130C87j
					; MiExtendSection+130C8Fj ...
		mov	edx, [ebp+var_38]
		push	ecx
		call	_MiSetSubsectionBase@12	; MiSetSubsectionBase(x,x,x)
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		inc	edx
		lea	ecx, [ecx+44h]
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)
		mov	ecx, [ebp+var_4]
		mov	esi, [ebp+var_14]
		mov	ebx, [ebp+var_34]
		mov	eax, [ebp+var_8]
		mov	ecx, [ecx+8]
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+var_20]
		cmp	esi, [ebp+var_1C]
		ja	short loc_7BDCF6
		jb	loc_7BDC3F
		cmp	ecx, eax
		jb	loc_7BDC3F

loc_7BDCF6:				; CODE XREF: MiExtendSection+37Aj
					; MiExtendSection+130CC9j
		push	[ebp+var_C]
		mov	ecx, [ebp+var_18]
		lea	edx, [ebp+var_A0]
		call	MiAppendSubsectionChain
		test	eax, eax
		jz	loc_7BDB97
		mov	ebx, [ebp+var_34]
		jmp	loc_7BDC29
; 

loc_7BDD17:				; CODE XREF: MiExtendSection+1F6j
		mov	eax, [ebp+var_8]
		jmp	loc_7BDA04
MiExtendSection	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlSetFileSize proc near		; CODE XREF: MiCreateDataFileMap+30Ap
					; MmExtendSection+359p

var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EE6B8 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		mov	ebx, ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		stosd
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		stosd
		stosd
		mov	eax, [edx]
		mov	[ebp+var_18], eax
		mov	eax, [edx+4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_28]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		call	IoGetRelatedDeviceObject
		mov	edi, eax
		push	0
		movzx	ecx, byte ptr [edi+30h]
		push	ecx
		push	edi
		call	IoAllocateIrpEx
		mov	esi, eax
		test	esi, esi
		jz	loc_8EE6B8
		push	0
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	ecx, [esi+60h]
		mov	edx, esi
		mov	byte ptr [ebp+var_4], al
		lea	eax, [ebp+var_C]
		mov	[esi+28h], eax
		lea	eax, [ebp+var_28]
		mov	[esi+2Ch], eax
		mov	eax, large fs:124h
		mov	[esi+50h], eax
		lea	eax, [ebp+var_18]
		mov	dword ptr [esi+8], 42h
		mov	byte ptr [esi+20h], 0
		mov	[esi+64h], ebx
		mov	[esi+0Ch], eax
		mov	byte ptr [ecx-24h], 6
		mov	[ecx-0Ch], ebx
		mov	[ecx-10h], edi
		mov	dword ptr [ecx-20h], 8
		mov	dword ptr [ecx-1Ch], 14h
		mov	ecx, edi
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_8EE6C2

loc_7BDDD8:				; CODE XREF: FsRtlSetFileSize+1309B1j
		test	esi, esi
		js	short loc_7BDDEC

loc_7BDDDC:				; CODE XREF: FsRtlSetFileSize+CFj
		push	[ebp+var_4]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	eax, [ebp+var_C]

loc_7BDDE7:				; CODE XREF: FsRtlSetFileSize+13099Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7BDDEC:				; CODE XREF: FsRtlSetFileSize+BAj
		mov	[ebp+var_C], esi
		jmp	short loc_7BDDDC
FsRtlSetFileSize endp

; 
		align 10h

;  S U B	R O U T	I N E 


CmRmIsKCBVisible proc near		; CODE XREF: CmpGetSecurityCacheEntryForKcbStack(x,x,x)+41p
					; CmRmIsKcbStackVisible(x,x)+2Cj ...

; FUNCTION CHUNK AT 008EE6D6 SIZE 00000010 BYTES

		mov	eax, edx
		mov	edx, [ecx+80h]
		test	edx, edx
		jnz	loc_8EE6D6

loc_7BDE10:				; CODE XREF: CmRmIsKCBVisible+1308DFj
		mov	al, 1
		retn
CmRmIsKCBVisible endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtClearEvent(x)
_NtClearEvent@4	proc near		; DATA XREF: .text:005811C4o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		push	esi
		push	edi
		push	0
		mov	al, [eax+15Ah]
		push	ecx
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, ds:_ExEventObjectType
		push	eax
		push	2
		push	[ebp+arg_0]
		mov	[ebp+var_4], 0
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_7BDE68
		push	edi
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_7BDE68:				; CODE XREF: NtClearEvent(x)+40j
		test	edi, edi
		jz	short loc_7BDE73
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7BDE73:				; CODE XREF: NtClearEvent(x)+4Aj
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_NtClearEvent@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDeleteIoCompletion(x)
_IopDeleteIoCompletion@4 proc near	; DATA XREF: IoCreateObjectTypes+193o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	dl, dl
		call	IopDeleteIoCompletionInternal
		pop	ebp
		retn	4
_IopDeleteIoCompletion@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCloseIoCompletion(x, x, x, x)
_IopCloseIoCompletion@16 proc near	; DATA XREF: IoCreateObjectTypes+182o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 1
		jnz	short loc_7BDEA7
		mov	ecx, [ebp+arg_4]
		mov	dl, 1
		call	IopDeleteIoCompletionInternal

loc_7BDEA7:				; CODE XREF: IopCloseIoCompletion(x,x,x,x)+9j
		pop	ebp
		retn	10h
_IopCloseIoCompletion@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall IopFreeCompletionListPackets(x, x)
_IopFreeCompletionListPackets@8	proc near ; CODE XREF: IopDeleteIoCompletionInternal+13Ep
		mov	edi, edi
		push	esi
		mov	esi, ecx
		jmp	short loc_7BDEC9
; 

loc_7BDEB3:				; CODE XREF: IopFreeCompletionListPackets(x,x)+29j
		lea	eax, [ecx-58h]
		test	dword ptr [eax+8], 2000h
		jz	short loc_7BDEE0
		mov	edx, [eax+64h]
		mov	ecx, eax
		call	IopDropIrp

loc_7BDEC9:				; CODE XREF: IopFreeCompletionListPackets(x,x)+5j
					; IopFreeCompletionListPackets(x,x)+30j ...
		test	esi, esi
		jz	short loc_7BDEDE
		mov	ecx, esi
		mov	esi, [esi]
		cmp	byte ptr [ecx+8], 0
		jz	short loc_7BDEB3
		call	_IopFreeMiniCompletionPacket@4 ; IopFreeMiniCompletionPacket(x)
		jmp	short loc_7BDEC9
; 

loc_7BDEDE:				; CODE XREF: IopFreeCompletionListPackets(x,x)+1Fj
		pop	esi
		retn
; 

loc_7BDEE0:				; CODE XREF: IopFreeCompletionListPackets(x,x)+11j
		push	eax
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		jmp	short loc_7BDEC9
_IopFreeCompletionListPackets@8	endp

; 
		dd 6 dup(0CCCCCCCCh)
; 
; Exported entry 1603. NtUnlockFile

; __stdcall NtUnlockFile(x, x, x, x, x)
		public _NtUnlockFile@20
_NtUnlockFile@20:			; DATA XREF: .text:00580BE0o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A31E0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 50h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	dword ptr [ebp-50h], 0
		mov	dword ptr [ebp-4Ch], 0
		mov	dword ptr [ebp-48h], 0
		mov	dword ptr [ebp-44h], 0
		mov	dword ptr [ebp-58h], 0
		mov	dword ptr [ebp-54h], 0
		mov	dword ptr [ebp-60h], 0
		mov	dword ptr [ebp-5Ch], 0
		mov	eax, large fs:124h
		mov	[ebp-28h], eax
		mov	bl, [eax+15Ah]
		mov	[ebp-19h], bl
		mov	[ebp-24h], bl
		mov	eax, ds:_IoFileObjectType
		mov	dword ptr [ebp-20h], 0
		lea	ecx, [ebp-58h]
		push	ecx
		lea	ecx, [ebp-20h]
		push	ecx
		mov	ecx, [ebp-24h]
		mov	[ebp-34h], ecx
		push	ecx
		push	eax
		push	0
		push	dword ptr [ebp+8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp-20h]
		mov	[ebp-24h], esi
		test	eax, eax
		js	loc_7BE403
		test	bl, bl
		jz	loc_7BE092
		test	byte ptr [ebp-54h], 3
		jnz	short loc_7BDFE4
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, 0C0000022h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7BDFE4:				; CODE XREF: PAGE:007BDFC2j
		mov	dword ptr [ebp-4], 0
		mov	edi, [ebp+0Ch]
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jb	short loc_7BDFFB
		mov	ecx, eax

loc_7BDFFB:				; CODE XREF: PAGE:007BDFF7j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ebx, [ebp+10h]
		mov	ecx, ebx
		test	bl, 3
		jnz	loc_7BE417
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_7BE018
		mov	ecx, eax

loc_7BE018:				; CODE XREF: PAGE:007BE014j
		nop
		mov	al, [ecx]
		mov	eax, [ebx]
		mov	[ebp-50h], eax
		mov	eax, [ebx+4]
		mov	[ebp-4Ch], eax
		mov	ebx, [ebp+14h]
		mov	ecx, ebx
		test	bl, 3
		jnz	loc_7BE41C
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_7BE03F
		mov	ecx, eax

loc_7BE03F:				; CODE XREF: PAGE:007BE03Bj
		nop
		mov	al, [ecx]
		mov	eax, [ebx]
		mov	[ebp-48h], eax
		mov	eax, [ebx+4]
		mov	[ebp-44h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-20h]
		jmp	short loc_7BE0B1
; 

loc_7BE059:				; DATA XREF: .text:006A31F4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		mov	eax, 1
		retn
; 

loc_7BE069:				; DATA XREF: .text:006A31F8o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7BE092:				; CODE XREF: PAGE:007BDFB8j
		mov	ecx, [ebp+10h]
		mov	eax, [ecx]
		mov	[ebp-50h], eax
		mov	eax, [ecx+4]
		mov	[ebp-4Ch], eax
		mov	ecx, [ebp+14h]
		mov	eax, [ecx]
		mov	[ebp-48h], eax
		mov	eax, [ecx+4]
		mov	[ebp-44h], eax
		mov	edi, [ebp+0Ch]

loc_7BE0B1:				; CODE XREF: PAGE:007BE057j
		test	dword ptr [esi+2Ch], 800h
		jnz	short loc_7BE0C7
		push	esi
		call	IoGetRelatedDeviceObject
		mov	ebx, eax
		mov	[ebp+14h], ebx
		jmp	short loc_7BE0D5
; 

loc_7BE0C7:				; CODE XREF: PAGE:007BE0B8j
		mov	eax, [esi+4]
		push	eax
		call	_IoGetAttachedDevice@4 ; IoGetAttachedDevice(x)
		mov	ebx, eax
		mov	[ebp+14h], eax

loc_7BE0D5:				; CODE XREF: PAGE:007BE0C5j
		mov	eax, [ebx+8]
		mov	eax, [eax+28h]
		test	eax, eax
		jz	loc_7BE1CD
		mov	eax, [eax+1Ch]
		mov	[ebp+10h], eax
		test	eax, eax
		jz	loc_7BE1CD
		mov	dword ptr [ebp-3Ch], 0
		mov	dword ptr [ebp-38h], 0
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_7BE10F
		call	_VfFastIoSnapState@0 ; VfFastIoSnapState()
		jmp	short loc_7BE111
; 

loc_7BE10F:				; CODE XREF: PAGE:007BE106j
		xor	eax, eax

loc_7BE111:				; CODE XREF: PAGE:007BE10Dj
		mov	[ebp+8], eax
		mov	eax, [ebp-28h]
		mov	eax, [eax+80h]
		push	ebx
		lea	ecx, [ebp-3Ch]
		push	ecx
		mov	ecx, [ebp+18h]
		push	ecx
		push	eax
		lea	eax, [ebp-48h]
		push	eax
		lea	eax, [ebp-50h]
		push	eax
		push	esi
		mov	ebx, [ebp+10h]
		call	ebx
		mov	[ebp+13h], al
		mov	eax, [ebp+8]
		test	eax, eax
		jz	short loc_7BE148
		mov	edx, ebx
		mov	ecx, eax
		call	_VfFastIoCheckState@8 ;	VfFastIoCheckState(x,x)

loc_7BE148:				; CODE XREF: PAGE:007BE13Dj
		cmp	byte ptr [ebp+13h], 0
		jz	short loc_7BE1CD
		mov	dword ptr [ebp-4], 1
		mov	eax, [ebp-3Ch]
		mov	[edi], eax
		mov	eax, [ebp-38h]
		mov	[edi+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, [ebp-3Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7BE185:				; DATA XREF: .text:006A3200o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	eax, 1
		retn
; 

loc_7BE195:				; DATA XREF: .text:006A3204o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-30h]
		mov	[ebp-3Ch], eax
		mov	dword ptr [ebp-38h], 0
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-20h]
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, [ebp-3Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7BE1CD:				; CODE XREF: PAGE:007BE0DDj
					; PAGE:007BE0EBj ...
		mov	eax, [esi+2Ch]
		test	al, 2
		jz	loc_7BE269
		shr	eax, 2
		and	al, 1
		mov	[ebp+10h], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		mov	esi, [ebp-20h]
		lea	ecx, [esi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		xor	bl, bl
		mov	[ebp-1Ah], bl
		mov	edx, 1
		lea	ecx, [esi+44h]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	short loc_7BE226
		test	eax, eax
		jz	short loc_7BE218
		or	byte ptr [eax+0Eh], 1

loc_7BE218:				; CODE XREF: PAGE:007BE212j
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	edi, edi
		mov	bh, [ebp-19h]
		jmp	short loc_7BE23F
; 

loc_7BE226:				; CODE XREF: PAGE:007BE20Ej
		lea	ecx, [ebp-1Ah]
		push	ecx
		push	eax
		push	dword ptr [ebp+10h]
		mov	bh, [ebp-19h]
		mov	dl, bh
		mov	ecx, esi
		call	IopWaitAndAcquireFileObjectLock
		mov	edi, eax
		mov	bl, [ebp-1Ah]

loc_7BE23F:				; CODE XREF: PAGE:007BE224j
		test	bl, bl
		jz	short loc_7BE260
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7BE260:				; CODE XREF: PAGE:007BE241j
		mov	bl, 1
		xor	edi, edi
		mov	[ebp+8], edi
		jmp	short loc_7BE2AB
; 

loc_7BE269:				; CODE XREF: PAGE:007BE1D2j
		mov	edx, 10h
		call	sub_4FC146
		mov	edi, eax
		mov	[ebp+8], edi
		test	edi, edi
		jnz	short loc_7BE29C
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, 0C000009Ah
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7BE29C:				; CODE XREF: PAGE:007BE27Aj
		push	0
		push	1
		push	edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	bl, bl
		mov	bh, [ebp-19h]

loc_7BE2AB:				; CODE XREF: PAGE:007BE267j
		mov	[ebp+10h], bl
		mov	ecx, esi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		mov	eax, [ebp+4]
		push	eax
		push	0
		mov	eax, [ebp+14h]
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp-38h], esi
		test	esi, esi
		jnz	short loc_7BE2FF
		test	edi, edi
		jz	short loc_7BE2DC
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7BE2DC:				; CODE XREF: PAGE:007BE2D3j
		xor	edx, edx
		mov	ecx, [ebp-20h]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		mov	eax, 0C000009Ah
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7BE2FF:				; CODE XREF: PAGE:007BE2CFj
		mov	eax, [ebp-20h]
		mov	[esi+64h], eax
		mov	eax, [ebp-28h]
		mov	[esi+50h], eax
		mov	[esi+20h], bh
		test	bl, bl
		jz	short loc_7BE319
		mov	eax, [ebp+0Ch]
		xor	ecx, ecx
		jmp	short loc_7BE325
; 

loc_7BE319:				; CODE XREF: PAGE:007BE310j
		mov	dword ptr [esi+8], 4
		lea	eax, [ebp-60h]
		mov	ecx, edi

loc_7BE325:				; CODE XREF: PAGE:007BE317j
		mov	[esi+2Ch], ecx
		mov	[esi+28h], eax
		mov	dword ptr [esi+30h], 0
		mov	ebx, [esi+60h]
		mov	word ptr [ebx-24h], 211h
		mov	eax, [ebp-24h]
		mov	[ebx-0Ch], eax
		mov	dword ptr [ebp-4], 2
		call	sub_565698
		mov	ecx, [ebp-48h]
		mov	[eax], ecx
		mov	ecx, [ebp-44h]
		mov	[eax+4], ecx
		mov	[esi+54h], eax
		mov	[ebx-20h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp+18h]
		mov	[ebx-1Ch], eax
		mov	eax, [ebp-50h]
		mov	[ebx-18h], eax
		mov	eax, [ebp-4Ch]
		mov	[ebx-14h], eax
		push	2
		push	dword ptr [ebp+10h]
		mov	ebx, [ebp-34h]
		push	ebx
		push	0
		push	dword ptr [ebp-24h]
		mov	edx, esi
		mov	ecx, [ebp+14h]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)
		cmp	byte ptr [ebp+10h], 0
		jnz	short loc_7BE403
		push	dword ptr [ebp+0Ch]
		lea	ecx, [ebp-60h]
		push	ecx
		push	ebx
		push	esi
		mov	edx, edi
		mov	ecx, eax
		call	IopSynchronousApiServiceTail
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7BE3BB:				; DATA XREF: .text:006A320Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		mov	eax, 1
		retn
; 

loc_7BE3CB:				; DATA XREF: .text:006A3210o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-24h]
		test	byte ptr [esi+2Ch], 2
		jnz	short loc_7BE3E1
		push	0
		push	dword ptr [ebp+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7BE3E1:				; CODE XREF: PAGE:007BE3D5j
		movzx	eax, byte ptr [esi+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	0
		push	0
		mov	edx, [ebp-38h]
		mov	ecx, esi
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-40h]

loc_7BE403:				; CODE XREF: PAGE:007BDFB0j
					; PAGE:007BE393j
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7BE417:				; CODE XREF: PAGE:007BE007j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7BE41C:				; CODE XREF: PAGE:007BE02Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtOpenSymbolicLinkObject proc near	; CODE XREF: AdtpInitializeDriveLetters+7Bp
					; AdtpInitializeDriveLetters+127p ...

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A3218
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_1C], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jz	short loc_7BE4EC
		mov	[ebp+var_4], 0
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	short loc_7BE4F1

loc_7BE494:				; CODE XREF: NtOpenSymbolicLinkObject+C3j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7BE49F:				; CODE XREF: NtOpenSymbolicLinkObject+BFj
		mov	edi, _ObpSymbolicLinkObjectType
		lea	eax, [ebp+var_1C]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	0
		push	[ebp+arg_4]
		push	0
		push	[ebp+var_24]
		push	edi
		push	[ebp+arg_8]
		call	ObOpenObjectByNameEx
		mov	[ebp+arg_0], eax
		mov	[ebp+var_4], 1
		mov	ecx, [ebp+var_1C]
		mov	[esi], ecx
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7BE4D8:				; CODE XREF: sub_8EE6F6+Dj
					; sub_8EE70E+Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7BE4EC:				; CODE XREF: NtOpenSymbolicLinkObject+4Dj
		mov	esi, [ebp+arg_0]
		jmp	short loc_7BE49F
; 

loc_7BE4F1:				; CODE XREF: NtOpenSymbolicLinkObject+62j
		mov	ecx, eax
		jmp	short loc_7BE494
NtOpenSymbolicLinkObject endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopTrackLink	proc near		; CODE XREF: .text:00522198p
					; IopTrackLink+1305F1p	...

var_280		= dword	ptr -280h
var_270		= byte ptr -270h
var_240		= dword	ptr -240h
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_221		= byte ptr -221h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_104		= dword	ptr -104h
var_F4		= dword	ptr -0F4h
var_C4		= dword	ptr -0C4h
var_B4		= dword	ptr -0B4h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_60		= byte ptr -60h
var_50		= dword	ptr -50h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 007BE72D SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008EE75C SIZE 00000621 BYTES

		push	270h
		push	offset dword_6A3240
		call	__SEH_prolog4_GS
		mov	[ebp+var_238], edx
		mov	[ebp+var_21C], ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_22C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_234], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_214], eax
		mov	[ebp+var_240], eax
		xor	ebx, ebx
		mov	[ebp+var_228], ebx
		mov	esi, ebx
		mov	[ebp+var_220], esi
		xor	eax, eax
		lea	edi, [ebp+var_84]
		stosd
		stosd
		stosd
		stosd
		stosd
		push	40h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_70]
		push	eax		; void *
		call	_memset
		push	40h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_C4]
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		stosd
		stosd
		push	40h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_104]
		push	eax		; void *
		call	_memset
		push	10Ch		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_210]
		push	eax		; void *
		call	_memset
		add	esp, 30h
		mov	[ebp+var_218], ebx
		mov	[ebp+var_230], ebx
		mov	eax, [ebp+arg_C]
		test	al, al
		jz	loc_8EE75C
		mov	[ebp+ms_exc.disabled], ebx
		mov	edx, [ebp+var_234]
		xor	ecx, ecx
		inc	ecx
		call	sub_4F0630
		mov	edi, eax
		mov	[ebp+var_228], edi
		push	[ebp+var_234]	; size_t
		push	[ebp+var_22C]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+arg_C]

loc_7BE5E7:				; CODE XREF: IopTrackLink+130272j
		mov	ecx, [edi]
		mov	[ebp+var_22C], ecx
		test	ecx, ecx
		jz	loc_8EE76D

loc_7BE5F7:				; CODE XREF: IopTrackLink+130279j
		lea	eax, [ebp+var_230]
		push	eax
		push	8
		pop	edx
		mov	ecx, [ebp+var_234]
		call	_RtlULongPtrSub@12 ; RtlULongPtrSub(x,x,x)
		test	eax, eax
		js	loc_8EE786
		mov	eax, [edi+4]
		cmp	[ebp+var_230], eax
		jb	loc_8EE79D
		add	eax, 24h
		cmp	eax, 100h
		ja	loc_8EE7A5
		mov	ecx, [ebp+var_22C]
		test	ecx, ecx
		jz	short loc_7BE67A
		mov	eax, ds:_IoFileObjectType
		mov	[ebp+var_230], ebx
		push	ebx
		lea	edx, [ebp+var_230]
		push	edx
		push	[ebp+arg_C]
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+var_22C], eax
		mov	esi, [ebp+var_230]
		mov	[ebp+var_220], esi
		mov	[ebp+var_218], eax
		test	eax, eax
		js	loc_8EE7BC

loc_7BE67A:				; CODE XREF: IopTrackLink+143j
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_21C]
		mov	eax, [ecx+4]
		test	byte ptr [eax+20h], 10h
		jnz	loc_8EEC26
		cmp	[edi], ebx
		jz	loc_8EEB61
		mov	eax, [esi+4]
		push	9009Ch
		lea	edx, [ebp+var_70]
		push	40h
		test	byte ptr [eax+20h], 10h
		jnz	loc_8EEA0B
		mov	[ebp+var_221], bl
		call	IopGetSetObjectId
		mov	esi, eax
		mov	[ebp+var_218], esi
		cmp	esi, 0C0000034h
		jz	short loc_7BE72D
		test	esi, esi
		jns	loc_8EE7D8

loc_7BE6D6:				; CODE XREF: IopTrackLink+130337j
					; IopTrackLink+13035Bj	...
		mov	edi, [ebp+var_214]

loc_7BE6DC:				; CODE XREF: IopTrackLink+130847j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7BE6FC
		mov	eax, esi

loc_7BE6EA:				; CODE XREF: sub_8EE731+26j
					; IopTrackLink+13028Bj	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
IopTrackLink	endp


;  S U B	R O U T	I N E 


sub_7BE6FC	proc near		; CODE XREF: IopTrackLink+1EDp
					; sub_8EED7D+Ej
		cmp	byte ptr [ebp+14h], 0
		jz	short loc_7BE713
		mov	eax, [ebp-228h]
		test	eax, eax
		jz	short loc_7BE713
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7BE713:				; CODE XREF: sub_7BE6FC+4j
					; sub_7BE6FC+Ej
		mov	eax, [ebp-220h]
		test	eax, eax
		jz	short loc_7BE724
		mov	ecx, eax
		call	ObfDereferenceObject

loc_7BE724:				; CODE XREF: sub_7BE6FC+1Fj
		push	ebx
		push	ebx
		push	edi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		retn
sub_7BE6FC	endp

; 
; START	OF FUNCTION CHUNK FOR IopTrackLink

loc_7BE72D:				; CODE XREF: IopTrackLink+1D6j
					; IopTrackLink+1302F1j	...
		mov	esi, ebx
		jmp	loc_8EED72
; END OF FUNCTION CHUNK	FOR IopTrackLink

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetSetObjectId proc near		; CODE XREF: IopTrackLink+1C3p
					; IopTrackLink+13036Bp	...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EED90 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+30h+var_20], edx
		lea	edi, [esp+30h+var_10]
		xor	esi, esi
		stosd
		mov	ebx, ecx
		push	esi
		push	esi
		mov	[esp+38h+var_18], esi
		stosd
		mov	[esp+38h+var_14], esi
		stosd
		stosd
		lea	eax, [esp+38h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		call	IoGetRelatedDeviceObject
		mov	edi, [ebp+arg_4]
		lea	ecx, [esp+30h+var_18]
		push	ecx
		lea	ecx, [esp+34h+var_10]
		mov	[esp+34h+var_1C], eax
		push	ecx
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	eax
		push	edi
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7BE7E6
		mov	ecx, [esi+60h]
		or	dword ptr [esi+8], 4
		mov	eax, [esp+30h+var_20]
		mov	[esi+3Ch], eax
		mov	[esi+0Ch], eax
		mov	[esi+64h], ebx
		mov	[ecx-0Ch], ebx
		mov	word ptr [ecx-24h], 40Dh
		cmp	edi, 9009Ch
		jnz	loc_8EED90

loc_7BE7BA:				; CODE XREF: IopGetSetObjectId+130662j
					; IopGetSetObjectId+13066Ej
		mov	eax, [ebp+arg_0]
		mov	[ecx-20h], eax

loc_7BE7C0:				; CODE XREF: IopGetSetObjectId+13067Aj
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [esp+30h+var_1C]
		mov	edx, esi
		call	IofCallDriver
		cmp	eax, 103h
		jz	loc_8EEDB3

loc_7BE7DD:				; CODE XREF: IopGetSetObjectId+B7j
					; IopGetSetObjectId+130693j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7BE7E6:				; CODE XREF: IopGetSetObjectId+5Bj
		mov	eax, 0C000009Ah
		jmp	short loc_7BE7DD
IopGetSetObjectId endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1467. MmSecureVirtualMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmSecureVirtualMemory(x, x,	x)
		public _MmSecureVirtualMemory@12
_MmSecureVirtualMemory@12 proc near	; CODE XREF: RtlFileMapMapView(x,x)+E0p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1974p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_8]
		cmp	eax, 2
		jz	short loc_7BE803
		push	4
		pop	eax

loc_7BE803:				; CODE XREF: MmSecureVirtualMemory(x,x,x)+Cj
		push	0
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	MmSecureVirtualMemoryEx
		pop	ecx
		pop	ebp
		retn	0Ch
_MmSecureVirtualMemory@12 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1468. MmSecureVirtualMemoryEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmSecureVirtualMemoryEx
MmSecureVirtualMemoryEx	proc near	; CODE XREF: MmSecureVirtualMemory(x,x,x)+1Ap
					; VmSecureBackingMemory(x,x)+22p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008EEDCC SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		test	[ebp+arg_C], 0FFFFFFF0h
		push	ebx
		push	esi
		push	edi
		jnz	loc_7BE926
		mov	ecx, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		add	ebx, ecx
		cmp	ebx, ecx
		jbe	loc_7BE926
		mov	eax, ds:_MmHighestUserAddress
		inc	eax
		cmp	ebx, eax
		ja	loc_7BE926
		mov	esi, [ebp+arg_8]
		cmp	esi, 4
		jnz	loc_7BE905

loc_7BE860:				; CODE XREF: MmSecureVirtualMemoryEx+ECj
					; MmSecureVirtualMemoryEx+1305B3j ...
		test	esi, esi
		js	loc_7BE926
		lea	eax, [ebp+arg_8]
		and	ecx, 0FFFFF000h
		push	eax
		xor	edx, edx
		call	MiObtainReferencedVadEx
		mov	edi, eax
		test	edi, edi
		jz	loc_7BE926
		lea	ecx, [ebx-1]
		shr	ecx, 0Ch
		cmp	ecx, [edi+10h]
		ja	loc_8EEDE6
		mov	ecx, [edi+1Ch]
		mov	eax, ecx
		and	eax, 70h
		cmp	al, 30h
		jz	loc_8EEDE6
		test	ecx, 100000h
		jz	short loc_7BE8BF
		mov	eax, ecx
		shr	eax, 12h
		and	eax, 3
		test	ecx, 400000h
		jnz	short loc_7BE913
		cmp	eax, 2
		jnb	short loc_7BE913

loc_7BE8BF:				; CODE XREF: MmSecureVirtualMemoryEx+8Cj
					; MmSecureVirtualMemoryEx+100j
		test	byte ptr [ebp+arg_C], 2
		jnz	short loc_7BE91E

loc_7BE8C5:				; CODE XREF: MmSecureVirtualMemoryEx+108j
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_C]
		mov	ecx, edi
		push	esi
		push	[ebp+arg_4]
		call	_MiSecureVad@24	; MiSecureVad(x,x,x,x,x,x)
		mov	ecx, edi
		mov	esi, eax
		call	MiUnlockAndDereferenceVad
		test	esi, esi
		js	short loc_7BE926
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		xor	ecx, dword_6D061C
		mov	eax, [ebp+var_4]
		xor	eax, ecx

loc_7BE8FE:				; CODE XREF: MmSecureVirtualMemoryEx+10Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7BE905:				; CODE XREF: MmSecureVirtualMemoryEx+3Ej
		cmp	esi, 2
		jz	loc_7BE860
		jmp	loc_8EEDCC
; 

loc_7BE913:				; CODE XREF: MmSecureVirtualMemoryEx+9Cj
					; MmSecureVirtualMemoryEx+A1j
		cmp	eax, 2
		jnb	loc_8EEDE6
		jmp	short loc_7BE8BF
; 

loc_7BE91E:				; CODE XREF: MmSecureVirtualMemoryEx+A7j
		or	esi, 80000000h
		jmp	short loc_7BE8C5
; 

loc_7BE926:				; CODE XREF: MmSecureVirtualMemoryEx+14j
					; MmSecureVirtualMemoryEx+24j ...
		xor	eax, eax
		jmp	short loc_7BE8FE
MmSecureVirtualMemoryEx	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSecureVad(x, x, x, x, x, x)
_MiSecureVad@24	proc near		; CODE XREF: MiReserveUserMemory+409p
					; MmSecureVirtualMemoryEx+B9p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		dec	edi
		and	esi, 0FFFFF000h
		add	edi, edx
		mov	ebx, ecx
		or	edi, 0FFFh
		test	byte ptr [ebp+arg_4], 1
		jnz	short loc_7BE96C
		xor	eax, eax
		mov	edx, esi
		cmp	[ebp+arg_4], 2
		push	0
		setz	al
		dec	eax
		and	eax, 3
		inc	eax
		push	eax
		push	edi
		call	_MiComparePteProtections@20 ; MiComparePteProtections(x,x,x,x,x)
		test	eax, eax
		js	short loc_7BE98F

loc_7BE96C:				; CODE XREF: MiSecureVad(x,x,x,x,x,x)+23j
		push	[ebp+arg_8]
		mov	edx, esi
		mov	ecx, ebx
		push	[ebp+arg_4]
		push	edi
		call	MiAddSecureEntry
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFF66h
		add	eax, 0C000009Ah

loc_7BE98F:				; CODE XREF: MiSecureVad(x,x,x,x,x,x)+40j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	10h
_MiSecureVad@24	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtOpenDirectoryObject proc near		; DATA XREF: .text:00580F64o

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A3268
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_1C], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jz	short loc_7BEA5C
		mov	[ebp+var_4], 0
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	short loc_7BEA61

loc_7BEA04:				; CODE XREF: NtOpenDirectoryObject+C3j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7BEA0F:				; CODE XREF: NtOpenDirectoryObject+BFj
		mov	edi, _ObpDirectoryObjectType
		lea	eax, [ebp+var_1C]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	0
		push	[ebp+arg_4]
		push	0
		push	[ebp+var_24]
		push	edi
		push	[ebp+arg_8]
		call	ObOpenObjectByNameEx
		mov	[ebp+arg_0], eax
		mov	[ebp+var_4], 1
		mov	ecx, [ebp+var_1C]
		mov	[esi], ecx
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7BEA48:				; CODE XREF: sub_8EEE02+Dj
					; sub_8EEE1A+Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7BEA5C:				; CODE XREF: NtOpenDirectoryObject+4Dj
		mov	esi, [ebp+arg_0]
		jmp	short loc_7BEA0F
; 

loc_7BEA61:				; CODE XREF: NtOpenDirectoryObject+62j
		mov	ecx, eax
		jmp	short loc_7BEA04
NtOpenDirectoryObject endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtUnsubscribeWnfStateChange proc near	; DATA XREF: .text:00580BCCo

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	20h
		push	offset dword_6A3290
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		mov	[ebp+ms_exc.disabled], edi
		push	[ebp+var_24]
		lea	edx, [ebp+var_30]
		mov	ecx, [ebp+arg_0]
		call	ExpCaptureWnfStateName
		mov	[ebp+var_1C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	eax, eax
		js	short loc_7BEAF1
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		mov	ecx, [esi+39Ch]
		test	ecx, ecx
		jz	short loc_7BEB12
		push	[ebp+var_2C]
		push	[ebp+var_30]
		lea	edx, [ebp+var_20]
		call	_ExpWnfAcquireSubscriptionByName@16 ; ExpWnfAcquireSubscriptionByName(x,x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	short loc_7BEAF1
		mov	edx, esi
		mov	ecx, [ebp+var_20]
		call	ExpWnfDeleteSubscription
		mov	[ebp+var_1C], edi

loc_7BEAF1:				; CODE XREF: NtUnsubscribeWnfStateChange+51j
					; NtUnsubscribeWnfStateChange+7Cj ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7BEB12:				; CODE XREF: NtUnsubscribeWnfStateChange+67j
		mov	[ebp+var_1C], 0C0000034h
		jmp	short loc_7BEAF1
NtUnsubscribeWnfStateChange endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfAcquireSubscriptionByName(x, x, x, x)
_ExpWnfAcquireSubscriptionByName@16 proc near ;	CODE XREF: NtUnsubscribeWnfStateChange+72p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	edi
		push	0
		xor	edx, edx
		lea	ebx, [esi+28h]
		mov	ecx, ebx
		mov	[ebp+var_4], ebx
		call	KeAbPreAcquire
		mov	edi, eax
		mov	ecx, 11h
		xor	eax, eax
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jz	short loc_7BEB5C
		push	ebx
		mov	edx, edi
		mov	ecx, ebx
		call	ExfAcquirePushLockSharedEx

loc_7BEB5C:				; CODE XREF: ExpWnfAcquireSubscriptionByName(x,x,x,x)+30j
		test	edi, edi
		jnz	loc_7BEBE8

loc_7BEB64:				; CODE XREF: ExpWnfAcquireSubscriptionByName(x,x,x,x)+CCj
		mov	eax, [esi+2Ch]
		lea	edx, [esi+2Ch]
		cmp	eax, edx
		jz	short loc_7BEB8A
		mov	edi, [ebp+arg_4]
		mov	ebx, [ebp+arg_0]

loc_7BEB74:				; CODE XREF: ExpWnfAcquireSubscriptionByName(x,x,x,x)+65j
		cmp	[eax+10h], ebx
		lea	esi, [eax-10h]
		jnz	short loc_7BEB81
		cmp	[esi+24h], edi
		jz	short loc_7BEBAF

loc_7BEB81:				; CODE XREF: ExpWnfAcquireSubscriptionByName(x,x,x,x)+5Aj
		mov	eax, [eax]
		cmp	eax, edx
		jnz	short loc_7BEB74
		mov	ebx, [ebp+var_4]

loc_7BEB8A:				; CODE XREF: ExpWnfAcquireSubscriptionByName(x,x,x,x)+4Cj
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_7BEBA1
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7BEBA1:				; CODE XREF: ExpWnfAcquireSubscriptionByName(x,x,x,x)+78j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	eax, 0C0000034h
		jmp	short loc_7BEBDF
; 

loc_7BEBAF:				; CODE XREF: ExpWnfAcquireSubscriptionByName(x,x,x,x)+5Fj
		lea	ecx, [esi+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	edi, [ebp+var_4]
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_7BEBD1
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7BEBD1:				; CODE XREF: ExpWnfAcquireSubscriptionByName(x,x,x,x)+A8j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, [ebp+var_8]
		mov	[eax], esi
		xor	eax, eax

loc_7BEBDF:				; CODE XREF: ExpWnfAcquireSubscriptionByName(x,x,x,x)+8Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7BEBE8:				; CODE XREF: ExpWnfAcquireSubscriptionByName(x,x,x,x)+3Ej
		or	byte ptr [edi+0Eh], 1
		jmp	loc_7BEB64
_ExpWnfAcquireSubscriptionByName@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsSwapImpersonationToken proc near	; CODE XREF: NtOpenThreadTokenEx+2B6p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008EEE51 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], 0
		mov	eax, [esi+2FCh]
		mov	ebx, edx
		push	edi
		lea	edi, [esi+2FCh]
		test	al, 8
		jz	loc_8EEE51
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_4], eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		call	_PspLockThreadSecurityExclusive@8 ; PspLockThreadSecurityExclusive(x,x)
		mov	eax, [edi]
		test	al, 8
		jz	loc_8EEE5B
		mov	ecx, [esi+2C8h]
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	eax, ebx
		jnz	short loc_7BECBD
		test	dword ptr [edi], 100h
		jz	short loc_7BECBD
		mov	eax, [esi+368h]
		and	ecx, 7
		or	ecx, [ebp+arg_0]
		mov	[ebp+var_8], eax
		mov	eax, 0FFFFFEFFh
		mov	[esi+2C8h], ecx
		mov	dword ptr [esi+368h], 0
		lock and [edi],	eax
		xor	edi, edi

loc_7BEC8F:				; CODE XREF: PsSwapImpersonationToken+C2j
					; PsSwapImpersonationToken+130260j
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		call	PspUnlockThreadSecurityExclusive
		test	edi, edi
		js	short loc_7BECC4
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jnz	short loc_7BECB6

loc_7BECAB:				; CODE XREF: PsSwapImpersonationToken+BBj
		mov	eax, edi

loc_7BECAD:				; CODE XREF: PsSwapImpersonationToken+130256j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7BECB6:				; CODE XREF: PsSwapImpersonationToken+A9j
					; PsSwapImpersonationToken+C7j
		call	ObfDereferenceObject
		jmp	short loc_7BECAB
; 

loc_7BECBD:				; CODE XREF: PsSwapImpersonationToken+5Cj
					; PsSwapImpersonationToken+64j
		mov	edi, 0C0000001h
		jmp	short loc_7BEC8F
; 

loc_7BECC4:				; CODE XREF: PsSwapImpersonationToken+9Bj
		mov	ecx, [ebp+arg_0]
		jmp	short loc_7BECB6
PsSwapImpersonationToken endp

; 
		align 10h
; Exported entry 625. FsRtlOplockIsFastIoPossible

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlOplockIsFastIoPossible(x)
		public _FsRtlOplockIsFastIoPossible@4
_FsRtlOplockIsFastIoPossible@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	cl, 1
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_7BECE6

loc_7BECE0:				; CODE XREF: FsRtlOplockIsFastIoPossible(x)+1Cj
					; FsRtlOplockIsFastIoPossible(x)+26j
		mov	al, cl
		pop	ebp
		retn	4
; 

loc_7BECE6:				; CODE XREF: FsRtlOplockIsFastIoPossible(x)+Ej
		mov	eax, [eax+48h]
		cmp	eax, 1
		jz	short loc_7BECE0
		and	eax, 1F00F40h
		cmp	eax, 40h
		jz	short loc_7BECE0
		xor	al, al
		pop	ebp
		retn	4
_FsRtlOplockIsFastIoPossible@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpGetComponentHashAtIndex(x, x)
_CmpGetComponentHashAtIndex@8 proc near	; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+A42p
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+EEEp
		cmp	edx, 8
		jnb	short loc_7BED09
		mov	eax, [ecx+edx*4]
		retn
; 

loc_7BED09:				; CODE XREF: CmpGetComponentHashAtIndex(x,x)+3j
		mov	eax, [ecx+60h]
		mov	eax, [eax+edx*4-20h]
		retn
_CmpGetComponentHashAtIndex@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSetLogonSessionToken(x)
_SepSetLogonSessionToken@4 proc	near	; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+69Bp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	eax, [esi+0C0h]
		cmp	[eax+20h], ecx
		jz	short loc_7BED2D

loc_7BED2A:				; CODE XREF: SepSetLogonSessionToken(x)+23j
					; SepSetLogonSessionToken(x)+54j ...
		pop	esi
		leave
		retn
; 

loc_7BED2D:				; CODE XREF: SepSetLogonSessionToken(x)+16j
		mov	eax, [esi+0B0h]
		test	al, 18h
		jnz	short loc_7BED2A
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ecx
		push	eax		; int
		push	ecx		; int
		push	ecx		; int
		push	ecx		; size_t
		push	1		; int
		mov	[ebp+var_18], ecx
		lea	edx, [ebp+var_1C]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		push	ecx		; char
		mov	ecx, esi
		mov	[ebp+var_1C], 18h
		call	_SepDuplicateToken@32 ;	SepDuplicateToken(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7BED2A
		mov	ecx, [ebp+var_4]
		call	_SepStopReferencingLogonSession@4 ; SepStopReferencingLogonSession(x)
		mov	ecx, [ebp+var_4]
		test	eax, eax
		js	short loc_7BED8D
		mov	edx, [esi+0C0h]
		xor	eax, eax
		add	edx, 20h
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_7BED2A
		mov	ecx, [ebp+var_4]

loc_7BED8D:				; CODE XREF: SepSetLogonSessionToken(x)+63j
		call	ObfDereferenceObject
		jmp	short loc_7BED2A
_SepSetLogonSessionToken@4 endp


;  S U B	R O U T	I N E 


; __stdcall SepStopReferencingLogonSession(x)
_SepStopReferencingLogonSession@4 proc near ; CODE XREF: SepLinkLogonSessions+1C6p
					; SepLinkLogonSessions+1D5p ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		call	SepConvertToOwnTokenClaims
		mov	edi, eax
		test	edi, edi
		js	short loc_7BEDBA
		mov	ecx, [esi+0C0h]
		call	_SepDeReferenceLogonSessionDirect@4 ; SepDeReferenceLogonSessionDirect(x)
		or	dword ptr [esi+0B0h], 20h
		mov	eax, edi

loc_7BEDBA:				; CODE XREF: SepStopReferencingLogonSession(x)+10j
		pop	edi
		pop	esi
		pop	ecx
		retn
_SepStopReferencingLogonSession@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQuerySystemEnvironmentValueEx	proc near ; DATA XREF: .text:00580DFCo

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008EEE65 SIZE 000001AA BYTES

		push	4Ch
		push	offset dword_6A32B0
		call	__SEH_prolog4_GS
		mov	ebx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_40], eax
		mov	esi, [ebp+arg_10]
		mov	[ebp+var_4C], esi
		xor	ecx, ecx
		mov	[ebp+var_44], ecx
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_34], ecx
		mov	[ebp+var_48], ecx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jnz	short loc_7BEE2F
		cmp	dword_6BBFD0, 2
		jz	loc_8EEE65
		mov	esi, 0C0000002h

loc_7BEE1B:				; CODE XREF: NtQuerySystemEnvironmentValueEx+1300B9j
					; NtQuerySystemEnvironmentValueEx+1300DCj
		mov	eax, esi

loc_7BEE1D:				; CODE XREF: NtQuerySystemEnvironmentValueEx+9Dj
					; NtQuerySystemEnvironmentValueEx+CEj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7BEE2F:				; CODE XREF: NtQuerySystemEnvironmentValueEx+49j
		push	1
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		mov	[ebp+var_2D], al
		test	al, al
		jz	short loc_7BEE5D

loc_7BEE49:				; CODE XREF: NtQuerySystemEnvironmentValueEx+BEj
					; NtQuerySystemEnvironmentValueEx+C7j
		cmp	dword_6BBFD0, 2
		jz	loc_8EEEAC
		mov	eax, 0C0000002h
		jmp	short loc_7BEE1D
; 

loc_7BEE5D:				; CODE XREF: NtQuerySystemEnvironmentValueEx+89j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_PsIsProcessAppContainer@4 ; PsIsProcessAppContainer(x)
		test	al, al
		jnz	loc_8EEE9F
		mov	al, [ebp+var_2D]

loc_7BEE7A:				; CODE XREF: NtQuerySystemEnvironmentValueEx+1300E9j
		test	al, al
		jnz	short loc_7BEE49
		call	_ExpUmdfSidCheck@0 ; ExpUmdfSidCheck()
		test	al, al
		jnz	short loc_7BEE49
		mov	eax, 0C0000061h
		jmp	short loc_7BEE1D
NtQuerySystemEnvironmentValueEx	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 367. ExGetFirmwareEnvironmentVariable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExGetFirmwareEnvironmentVariable
ExGetFirmwareEnvironmentVariable proc near ; CODE XREF:	PopCheckShutdownMarker+27340p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008EF063 SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	dword_6BBFD0, 2
		push	esi
		push	edi
		jz	loc_8EF063
		mov	eax, 0C0000002h

loc_7BEEAE:				; CODE XREF: ExGetFirmwareEnvironmentVariable+1301E2j
					; ExGetFirmwareEnvironmentVariable+130208j
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	14h
ExGetFirmwareEnvironmentVariable endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipSystemControl(x, x)
_WmipSystemControl@8 proc near		; DATA XREF: WmipDriverEntry+10Do

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, offset _WmipWmiLibInfo
		call	IoWMISystemControl
		pop	ebp
		retn	8
_WmipSystemControl@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoWMISystemControl proc	near		; CODE XREF: WmipSystemControl(x,x)+10p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008EF0A1 SIZE 0000013D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	ecx, ecx
		and	[ebp+var_2C], ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_1C], ecx
		mov	edx, [ebx+60h]
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], esi
		mov	[ebp+var_24], edi
		mov	al, [edx+1]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_1], al
		cmp	al, 0Bh
		ja	loc_8EF0A9
		cmp	[edx+4], esi
		jnz	loc_8EF0A9
		cmp	ds:off_A40FD0, ecx
		jz	loc_7BF1C8

loc_7BEF19:				; CODE XREF: IoWMISystemControl+2FAj
					; IoWMISystemControl+1301D3j
		mov	esi, [edx+10h]
		mov	ecx, [edx+0Ch]
		mov	[ebp+var_30], esi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], 7
		cmp	al, 0Bh
		jz	short loc_7BEF84
		cmp	al, 8
		jz	short loc_7BEF84
		mov	ecx, ds:off_A40FD0 ; void *
		lea	eax, [ebp+var_10]
		push	eax		; int
		lea	eax, [ebp+var_24]
		push	eax		; int
		push	dword ptr [edx+8] ; void *
		mov	edx, [ebp+var_18] ; int
		call	_WmipFindGuid@20 ; WmipFindGuid(x,x,x,x,x)
		test	al, al
		jz	loc_8EF0BF
		mov	al, [ebp+var_1]
		cmp	al, 1
		jz	loc_8EF0C6
		cmp	al, 2
		jz	loc_8EF0C6
		cmp	al, 3
		jz	loc_8EF0C6
		cmp	al, 9
		jz	loc_8EF0C6

loc_7BEF78:				; CODE XREF: IoWMISystemControl+130200j
		mov	ecx, [ebp+var_10]
		mov	edi, [ebp+var_24]
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+var_20]

loc_7BEF84:				; CODE XREF: IoWMISystemControl+5Ej
					; IoWMISystemControl+62j
		movzx	eax, al
		cmp	eax, 0Bh	; switch 12 cases
		ja	loc_8EF1D4	; default
		jmp	ds:off_7BF1D8[eax*4] ; switch jump

loc_7BEF97:				; DATA XREF: PAGE:off_7BF1D8o
		cmp	ecx, 3Ch	; case 0x0
		jb	loc_8EF107
		test	edi, edi
		jz	loc_8EF124
		cmp	edi, 1
		jz	loc_8EF124

loc_7BEFB1:				; CODE XREF: IoWMISystemControl+13028Bj
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	loc_8EF111
		and	dword ptr [esi+2Ch], 0FFFFFFEFh
		lea	edx, ds:43h[eax*8]
		and	edx, 0FFFFFFF8h
		mov	[esi+34h], eax
		mov	[esi+30h], edx
		cmp	edx, ecx
		ja	loc_8EF160
		lea	ebx, [esi+3Ch]
		add	esi, edx
		mov	[ebp+var_30], ebx
		sub	ecx, edx
		mov	ebx, [ebp+arg_0]

loc_7BEFE5:				; CODE XREF: IoWMISystemControl+130298j
		push	esi
		push	ecx
		push	[ebp+var_30]
		push	eax
		push	0

loc_7BEFED:				; CODE XREF: IoWMISystemControl+1302D5j
		push	edi
		push	ebx
		push	[ebp+var_14]
		call	WmipQueryWmiDataBlock

loc_7BEFF7:				; CODE XREF: IoWMISystemControl+13024Fj
		mov	esi, eax

loc_7BEFF9:				; CODE XREF: IoWMISystemControl+1301EAj
					; IoWMISystemControl+130309j
		mov	eax, esi

loc_7BEFFB:				; CODE XREF: IoWMISystemControl+2F3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7BF002:				; CODE XREF: IoWMISystemControl+C0j
					; DATA XREF: PAGE:off_7BF1D8o
		xor	eax, eax	; case 0x8
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_14]
		call	_WmipQueryWmiRegInfo@16	; WmipQueryWmiRegInfo(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7BF1A0
		mov	eax, [ebp+var_C]
		and	eax, 20h
		mov	[ebp+var_14], eax
		jnz	short loc_7BF058
		cmp	[ebp+var_3C], 0
		jz	loc_8EF0DD

loc_7BF058:				; CODE XREF: IoWMISystemControl+17Cj
		mov	eax, ds:off_A40FD0
		lea	ecx, [ebp+var_28]
		push	0
		push	0C4h
		mov	[ebp+var_34], eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7BF1A0
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_1C]
		push	eax
		push	14h
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7BF1A0
		cmp	[ebp+var_14], 0
		mov	eax, [ebp+var_40]
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_14], eax
		jnz	loc_8EF0E7
		or	[ebp+var_C], 4
		movzx	edx, ax
		add	edx, 2
		mov	[ebp+var_28], ecx

loc_7BF0B2:				; CODE XREF: IoWMISystemControl+13021Cj
		cmp	[ebp+var_8], 0
		jz	loc_8EF0F1

loc_7BF0BC:				; CODE XREF: IoWMISystemControl+130227j
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7BF1A0
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_2C]
		push	eax
		mov	eax, [ebp+var_8]
		movzx	edx, word ptr [eax]
		add	edx, 2
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7BF1A0
		mov	ecx, [ebp+var_2C]
		xor	edi, edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_24], ecx
		mov	[esi], ecx
		cmp	ecx, [ebp+var_20]
		ja	loc_8EF0FC
		mov	edx, [ebp+var_10]
		lea	ebx, [esi+2Ch]
		and	[esi+4], edi
		and	[esi+0Ch], edi
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_C]
		mov	[esi+8], edx
		mov	edx, [ebp+var_34]
		mov	[esi+10h], eax
		add	edx, 10h

loc_7BF122:				; CODE XREF: IoWMISystemControl+278j
		lea	esi, [edx-10h]
		lea	edi, [ebx-18h]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [edx+4]
		or	eax, ecx
		sub	[ebp+var_18], 1
		mov	[ebx-8], eax
		mov	eax, [ebp+var_28]
		mov	[ebx], eax
		lea	ebx, [ebx+1Ch]
		mov	eax, [edx]
		lea	edx, [edx+18h]
		mov	[ebx-20h], eax
		jnz	short loc_7BF122
		mov	ebx, [ebp+arg_0]
		mov	edx, [ebp+var_10]
		mov	esi, [ebp+var_30]
		test	cl, 4
		jz	short loc_7BF17B
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+var_14]
		mov	[ecx+esi], ax
		movzx	eax, word ptr [ebp+var_40]
		push	eax		; size_t
		push	[ebp+var_3C]	; void *
		lea	eax, [ecx+2]
		add	eax, esi
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_10]
		add	esp, 0Ch

loc_7BF17B:				; CODE XREF: IoWMISystemControl+286j
		mov	eax, [ebp+var_8]
		mov	ax, [eax]
		mov	[edx+esi], ax
		mov	ecx, [ebp+var_8]
		movzx	eax, word ptr [ecx]
		push	eax		; size_t
		push	dword ptr [ecx+4] ; void *
		lea	eax, [edx+2]
		add	eax, esi
		push	eax		; void *
		call	_memcpy
		mov	edi, [ebp+var_38]
		add	esp, 0Ch

loc_7BF1A0:				; CODE XREF: IoWMISystemControl+16Dj
					; IoWMISystemControl+1A3j ...
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jz	short loc_7BF1AF
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7BF1AF:				; CODE XREF: IoWMISystemControl+2D5j
					; IoWMISystemControl+130212j
		mov	eax, [ebp+var_24]
		xor	dl, dl
		mov	ecx, ebx
		mov	[ebx+18h], edi
		mov	[ebx+1Ch], eax
		call	IofCompleteRequest
		mov	eax, edi
		jmp	loc_7BEFFB
; 

loc_7BF1C8:				; CODE XREF: IoWMISystemControl+43j
		cmp	al, 0Bh
		jz	loc_7BEF19
		jmp	loc_8EF0A1
IoWMISystemControl endp

; 
		align 4
off_7BF1D8	dd offset loc_7BEF97	; DATA XREF: IoWMISystemControl+C0r
		dd offset loc_8EF16D	; jump table for switch	statement
		dd offset loc_8EF1AA
		dd offset loc_8EF1AA
		dd offset loc_8EF1C7
		dd offset loc_8EF1C7
		dd offset loc_8EF1C7
		dd offset loc_8EF1C7
		dd offset loc_7BF002
		dd offset loc_8EF1B6
		dd offset loc_8EF1D4
		dd offset loc_7BF002

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipQueryWmiDataBlock proc near		; CODE XREF: IoWMISystemControl+122p
					; DATA XREF: PAGE:00A40FD8o

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 008EF1DE SIZE 00000328 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+9Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	[esp+0A0h+var_7C], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_14]
		push	esi
		mov	[esp+0A4h+var_88], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+0A4h+var_9C], ebx
		push	edi
		mov	edi, [ebp+arg_1C]
		test	eax, eax
		jz	loc_8EF42A
		cmp	eax, 1
		jz	loc_8EF376
		cmp	eax, 2
		jz	loc_8EF2C4
		cmp	eax, 3
		jnz	loc_8EF1DE
		mov	ecx, [ebp+arg_18]
		cmp	ecx, 8
		jb	short loc_7BF2C0
		lea	ebx, [edi+4]
		add	ecx, 0FFFFFFF8h
		lea	eax, [edi+8]

loc_7BF278:				; CODE XREF: WmipQueryWmiDataBlock+BEj
		mov	[esp+0A8h+var_98], ecx
		lea	edx, [esp+0A8h+var_98]
		push	edi
		mov	ecx, eax
		call	WmipGetSMBiosTableData
		mov	ecx, [esp+0A8h+var_98]
		mov	esi, eax
		lea	eax, [ecx+8]
		test	esi, esi
		js	short loc_7BF29D
		mov	[ebx], ecx

loc_7BF297:				; CODE XREF: WmipQueryWmiDataBlock+130010j
		mov	ecx, [esp+0A8h+var_88]
		mov	[ecx], eax

loc_7BF29D:				; CODE XREF: WmipQueryWmiDataBlock+8Bj
					; WmipQueryWmiDataBlock+13000Aj ...
		push	ecx
		push	eax
		push	esi
		push	[esp+0B4h+var_7C]
		call	IoWMICompleteRequest
		mov	ecx, [esp+0A8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_7BF2C0:				; CODE XREF: WmipQueryWmiDataBlock+65j
		mov	eax, ebx
		mov	edi, ebx
		mov	ecx, ebx
		jmp	short loc_7BF278
WmipQueryWmiDataBlock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoWMICompleteRequest proc near		; CODE XREF: WmipQueryWmiDataBlock+9Cp
					; IoWMISystemControl+13024Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EF506 SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		mov	edx, [edx+60h]
		movzx	eax, byte ptr [edx+1]
		mov	edi, [edx+10h]
		sub	eax, ecx
		jnz	loc_8EF506
		mov	ebx, [edi+30h]
		mov	esi, [ebp+arg_8]
		mov	eax, [edi+34h]
		add	esi, ebx
		mov	[ebp+var_8], ebx
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_4], eax
		mov	eax, 0C0000023h
		mov	[ebp+arg_8], esi
		test	ebx, ebx
		js	loc_7BF38D
		cmp	esi, [edx+0Ch]
		ja	loc_8EF55C

loc_7BF316:				; CODE XREF: IoWMICompleteRequest+130296j
		test	ebx, ebx
		js	short loc_7BF38D
		lea	eax, [edi+10h]
		push	eax
		call	KeQuerySystemTime
		mov	edx, [ebp+var_4]
		mov	[edi], esi
		mov	[ebp+arg_4], edx
		test	edx, edx
		jz	short loc_7BF372
		lea	ecx, [edx+7]
		add	edx, 0Eh
		lea	ecx, [edi+ecx*8]
		lea	esi, [edi+edx*4]
		mov	edx, [ebp+arg_4]

loc_7BF33E:				; CODE XREF: IoWMICompleteRequest+83j
		mov	eax, [esi]
		lea	esi, [esi-4]
		mov	[ecx], eax
		lea	ecx, [ecx-8]
		sub	edx, 1
		jnz	short loc_7BF33E
		mov	edx, [ebp+var_4]
		mov	esi, [ebp+arg_8]
		test	edx, edx
		jz	short loc_7BF372
		mov	esi, [ebp+var_8]
		xor	ecx, ecx

loc_7BF35C:				; CODE XREF: IoWMICompleteRequest+A5j
		mov	[edi+ecx*8+3Ch], esi
		add	esi, 7
		add	esi, [edi+ecx*8+40h]
		and	esi, 0FFFFFFF8h
		inc	ecx
		cmp	ecx, edx
		jb	short loc_7BF35C
		mov	esi, [ebp+arg_8]

loc_7BF372:				; CODE XREF: IoWMICompleteRequest+65j
					; IoWMICompleteRequest+8Dj ...
		mov	eax, [ebp+arg_0]
		xor	dl, dl
		mov	ecx, eax
		mov	[eax+18h], ebx
		mov	[eax+1Ch], esi
		call	IofCompleteRequest
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
; 

loc_7BF38D:				; CODE XREF: IoWMICompleteRequest+3Fj
					; IoWMICompleteRequest+50j
		cmp	ebx, eax

loc_7BF38F:				; CODE XREF: IoWMICompleteRequest+130275j
		jnz	short loc_7BF3A6
		push	38h
		pop	eax
		mov	[edi+30h], esi
		mov	ebx, ecx
		mov	[edi], eax
		mov	esi, eax
		mov	dword ptr [edi+2Ch], 20h
		jmp	short loc_7BF372
; 

loc_7BF3A6:				; CODE XREF: IoWMICompleteRequest:loc_7BF38Fj
					; IoWMICompleteRequest+130249j
		mov	esi, ecx
		jmp	short loc_7BF372
IoWMICompleteRequest endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpGetSystemFirmwareTableInformation proc near ; CODE XREF: PAGE:0078082Cp
					; ExpGetSystemPlatformBinary+F3p ...

var_70		= dword	ptr -70h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EF563 SIZE 00000093 BYTES

		push	64h
		push	offset dword_6A32D8
		call	__SEH_prolog4_GS
		mov	[ebp+var_51], dl
		mov	[ebp+var_5C], ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_64], eax
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_68], edx
		xor	ebx, ebx
		mov	edi, ebx
		mov	esi, ebx
		mov	[ebp+var_60], esi
		cmp	eax, 10h
		jb	loc_8EF563
		mov	[ebp+var_58], ecx
		lea	edx, [eax-10h]
		mov	[ebp+var_70], edx
		cmp	[ebp+var_51], bl
		jnz	loc_7BF498

loc_7BF3EC:				; CODE XREF: ExpGetSystemFirmwareTableInformation+140j
					; ExpGetSystemFirmwareTableInformation+1301E9j
		mov	eax, [ebp+var_70]
		mov	[ecx+0Ch], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _ExpFirmwareTableResource
		call	ExAcquireResourceSharedLite
		mov	ecx, _ExpFirmwareTableProviderListHead
		add	ecx, 0FFFFFFF0h
		lea	eax, [ecx+10h]
		cmp	eax, offset _ExpFirmwareTableProviderListHead
		jz	short loc_7BF42B
		mov	eax, [ebp+var_58]
		mov	edx, [eax]

loc_7BF424:				; CODE XREF: ExpGetSystemFirmwareTableInformation+EAj
		cmp	[ecx], edx
		jnz	short loc_7BF489
		mov	ebx, [ecx+8]

loc_7BF42B:				; CODE XREF: ExpGetSystemFirmwareTableInformation+73j
					; ExpGetSystemFirmwareTableInformation+ECj
		test	ebx, ebx
		jz	short loc_7BF437
		push	[ebp+var_58]
		call	ebx
		pop	ecx
		mov	edi, eax

loc_7BF437:				; CODE XREF: ExpGetSystemFirmwareTableInformation+83j
		mov	ecx, offset _ExpFirmwareTableResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	ebx, ebx
		jz	loc_7BF543
		cmp	[ebp+var_51], 0
		jnz	loc_7BF4EF
		mov	eax, [ebp+var_58]
		mov	eax, [eax+0Ch]

loc_7BF465:				; CODE XREF: ExpGetSystemFirmwareTableInformation+16Bj
		mov	ecx, [ebp+var_68]
		add	eax, 10h
		mov	[ecx], eax

loc_7BF46D:				; CODE XREF: ExpGetSystemFirmwareTableInformation+19Ej
					; ExpGetSystemFirmwareTableInformation+1301C4j	...
		test	esi, esi
		jnz	loc_7BF51A

loc_7BF475:				; CODE XREF: ExpGetSystemFirmwareTableInformation+17Bj
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7BF489:				; CODE XREF: ExpGetSystemFirmwareTableInformation+7Cj
		mov	eax, [ecx+10h]
		lea	ecx, [eax-10h]
		cmp	eax, offset _ExpFirmwareTableProviderListHead
		jnz	short loc_7BF424
		jmp	short loc_7BF42B
; 

loc_7BF498:				; CODE XREF: ExpGetSystemFirmwareTableInformation+3Cj
		push	54465241h
		push	eax
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		mov	[ebp+var_60], esi
		test	esi, esi
		jz	loc_8EF573
		mov	[ebp+ms_exc.disabled], ebx
		push	[ebp+var_64]	; size_t
		push	[ebp+var_5C]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_58], esi
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_PsIsProcessAppContainer@4 ; PsIsProcessAppContainer(x)
		test	al, al
		jnz	loc_8EF57D
		mov	ecx, esi
		jmp	loc_7BF3EC
; 

loc_7BF4EF:				; CODE XREF: ExpGetSystemFirmwareTableInformation+AFj
		mov	[ebp+ms_exc.disabled], 1
		mov	ebx, [ebp+var_5C]
		test	edi, edi
		jns	short loc_7BF52A

loc_7BF4FD:				; CODE XREF: ExpGetSystemFirmwareTableInformation+197j
		cmp	edi, 0C0000023h
		jnz	short loc_7BF50B

loc_7BF505:				; CODE XREF: ExpGetSystemFirmwareTableInformation+195j
		mov	eax, [esi+0Ch]
		mov	[ebx+0Ch], eax

loc_7BF50B:				; CODE XREF: ExpGetSystemFirmwareTableInformation+159j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [esi+0Ch]
		jmp	loc_7BF465
; 

loc_7BF51A:				; CODE XREF: ExpGetSystemFirmwareTableInformation+C5j
		push	54465241h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7BF475
; 

loc_7BF52A:				; CODE XREF: ExpGetSystemFirmwareTableInformation+151j
		push	dword ptr [esi+0Ch] ; size_t
		lea	eax, [esi+10h]
		push	eax		; void *
		lea	eax, [ebx+10h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		test	edi, edi
		jns	short loc_7BF505
		jmp	short loc_7BF4FD
; 

loc_7BF543:				; CODE XREF: ExpGetSystemFirmwareTableInformation+A5j
		mov	edi, 0C0000002h
		jmp	loc_7BF46D
ExpGetSystemFirmwareTableInformation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipGetSMBiosTableData proc near	; CODE XREF: WmipRawSMBiosTableHandler+2Ep
					; WmipRawSMBiosTableHandler+5Ep ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008EF62C SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	[esp+10h+var_4], ebx
		test	edi, edi
		jz	loc_8EF62C
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _WmipSMBiosLock
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_7BF5CF

loc_7BF58B:				; CODE XREF: WmipGetSMBiosTableData+88j
		mov	ecx, ds:_WmipSMBiosTableLength
		cmp	[edi], ecx
		jnb	short loc_7BF5D8
		mov	esi, 0C0000023h

loc_7BF59A:				; CODE XREF: WmipGetSMBiosTableData+D1j
					; WmipGetSMBiosTableData+1300EDj
		mov	eax, ds:_WmipSMBiosTableLength
		mov	[edi], eax
		call	WmipGetRegistryHideMachine
		test	al, al
		jnz	loc_8EF640

loc_7BF5AE:				; CODE XREF: WmipGetSMBiosTableData+1300F4j
					; WmipGetSMBiosTableData+130103j
		mov	ecx, offset _WmipSMBiosLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi

loc_7BF5C6:				; CODE XREF: WmipGetSMBiosTableData+1300E3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7BF5CF:				; CODE XREF: WmipGetSMBiosTableData+3Bj
		mov	eax, ds:_WmipSMBiosVersionInfo
		mov	[ecx], eax
		jmp	short loc_7BF58B
; 

loc_7BF5D8:				; CODE XREF: WmipGetSMBiosTableData+45j
		mov	edx, ds:_WmipSMBiosTablePhysicalAddress
		mov	eax, edx
		mov	esi, ds:dword_A93DB4
		or	eax, esi
		jz	loc_8EF636
		push	4
		push	ecx
		push	esi
		push	edx
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7BF624
		mov	esi, ds:_WmipSMBiosTableLength
		push	esi		; size_t
		push	ebx		; void *
		push	[esp+18h+var_4]	; void *
		call	_memcpy
		add	esp, 0Ch
		push	esi
		push	ebx
		call	MmUnmapIoSpace
		xor	esi, esi

loc_7BF61B:				; CODE XREF: WmipGetSMBiosTableData+DBj
		mov	ebx, [esp+10h+var_4]
		jmp	loc_7BF59A
; 

loc_7BF624:				; CODE XREF: WmipGetSMBiosTableData+AEj
		mov	esi, 0C000009Ah
		jmp	short loc_7BF61B
WmipGetSMBiosTableData endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipGetRegistryHideMachine proc	near	; CODE XREF: WmipGetSMBiosTableData+53p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008EF656 SIZE 00000088 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_10]
		push	offset ??_C@_1II@OLBDKLDD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax
		mov	[ebp+var_10], ebx
		mov	edi, ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		mov	[ebp+var_28], 18h
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_24], ebx
		push	eax
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	loc_8EF656

loc_7BF68C:				; CODE XREF: WmipGetRegistryHideMachine+130051j
					; WmipGetRegistryHideMachine+13006Aj ...
		cmp	[ebp+var_4], ebx
		jnz	loc_8EF6D1

loc_7BF695:				; CODE XREF: WmipGetRegistryHideMachine+1300ADj
		test	edi, edi
		pop	edi
		pop	esi
		setnz	al
		pop	ebx
		leave
		retn
WmipGetRegistryHideMachine endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsProcessAppContainer(x)
_PsIsProcessAppContainer@4 proc	near	; CODE XREF: IopFileObjectRevoked+CAE73p
					; IoRevokeHandlesForProcess(x,x)+17p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		push	ecx
		mov	[ebp+var_4], ebx
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	edi, eax
		lea	eax, [ebp+var_4]
		push	eax
		push	1Dh
		push	edi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	ecx, edi
		mov	esi, eax
		call	ObfDereferenceObject
		test	esi, esi
		js	short loc_7BF6D4
		cmp	[ebp+var_4], ebx
		jnz	short loc_7BF6DB

loc_7BF6D4:				; CODE XREF: PsIsProcessAppContainer(x)+2Dj
					; PsIsProcessAppContainer(x)+3Dj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_7BF6DB:				; CODE XREF: PsIsProcessAppContainer(x)+32j
		mov	bl, 1
		jmp	short loc_7BF6D4
_PsIsProcessAppContainer@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall WmipFindGuid(void *,int,void *,int,int)
_WmipFindGuid@20 proc near		; CODE XREF: IoWMISystemControl+78p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, edx
		mov	eax, ecx
		xor	esi, esi
		mov	[ebp+var_4], eax
		push	edi
		test	ebx, ebx
		jz	short loc_7BF712
		mov	edi, eax

loc_7BF6F8:				; CODE XREF: WmipFindGuid(x,x,x,x,x)+30j
		push	10h		; size_t
		push	edi		; void *
		push	[ebp+arg_0]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7BF716
		inc	esi
		add	edi, 18h
		cmp	esi, ebx
		jb	short loc_7BF6F8

loc_7BF712:				; CODE XREF: WmipFindGuid(x,x,x,x,x)+14j
		xor	al, al
		jmp	short loc_7BF72C
; 

loc_7BF716:				; CODE XREF: WmipFindGuid(x,x,x,x,x)+28j
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		mov	[eax], esi
		imul	eax, esi, 18h
		mov	ecx, [eax+ecx+10h]
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		mov	al, 1

loc_7BF72C:				; CODE XREF: WmipFindGuid(x,x,x,x,x)+34j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_WmipFindGuid@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFindEmptyAddressRangeDown proc near	; CODE XREF: MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)+B3p
					; MiMapViewOfDataSection+6EFp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008EF6DE SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, edx
		mov	edx, [ebp+arg_C]
		mov	eax, edx
		mov	[ebp+var_4], esi
		sub	eax, ebx
		inc	eax
		push	edi
		cmp	eax, esi
		jb	loc_8EF6DE
		mov	eax, large fs:124h
		lea	edi, [edx+1]
		mov	[ebp+arg_8], edi
		mov	eax, [eax+80h]
		mov	[ebp+var_C], eax
		mov	eax, [ecx+18h]
		cmp	edi, eax
		jbe	short loc_7BF775
		mov	edi, eax

loc_7BF775:				; CODE XREF: MiFindEmptyAddressRangeDown+3Dj
		mov	eax, [ecx+20h]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_7BF7C6

loc_7BF77F:				; CODE XREF: MiFindEmptyAddressRangeDown+99j
		mov	esi, [ecx+1Ch]
		cmp	esi, ebx
		jb	short loc_7BF7CF

loc_7BF786:				; CODE XREF: MiFindEmptyAddressRangeDown+9Dj
					; MiFindEmptyAddressRangeDown+12FFC6j ...
		cmp	esi, edx
		jnb	short loc_7BF7D3
		mov	eax, edx
		sub	eax, esi
		inc	eax
		cmp	eax, [ebp+var_4]
		jb	short loc_7BF7D3
		push	[ebp+arg_14]
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_4]
		push	edi
		push	esi
		push	[ebp+arg_4]
		lea	ecx, [ecx+350h]
		push	[ebp+arg_0]
		call	MiFindEmptyAddressRangeDownTree
		mov	edx, [ebp+arg_C]
		mov	ecx, eax

loc_7BF7B5:				; CODE XREF: MiFindEmptyAddressRangeDown+A4j
		test	ecx, ecx
		js	loc_8EF6E8

loc_7BF7BD:				; CODE XREF: MiFindEmptyAddressRangeDown+12FFE4j
		mov	eax, ecx

loc_7BF7BF:				; CODE XREF: MiFindEmptyAddressRangeDown+12FFAFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7BF7C6:				; CODE XREF: MiFindEmptyAddressRangeDown+49j
		mov	[ebp+var_8], 1
		jmp	short loc_7BF77F
; 

loc_7BF7CF:				; CODE XREF: MiFindEmptyAddressRangeDown+50j
		mov	esi, ebx
		jmp	short loc_7BF786
; 

loc_7BF7D3:				; CODE XREF: MiFindEmptyAddressRangeDown+54j
					; MiFindEmptyAddressRangeDown+5Ej
		mov	ecx, 0C0000017h
		jmp	short loc_7BF7B5
MiFindEmptyAddressRangeDown endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFindEmptyAddressRangeDownTree	proc near ; CODE XREF: MiFindEmptyAddressRangeDown+77p
					; MiFinishCreateSection+F777Bp

var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008EF725 SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		shr	[ebp+arg_4], 0Ch
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_8]
		add	edx, 0FFFh
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_40]
		push	0Ah
		pop	ecx
		rep stosd
		mov	ecx, [ebp+arg_C]
		and	edx, 0FFFFF000h
		mov	edi, edx
		shr	edi, 0Ch
		mov	[ebp+var_14], edi
		cmp	ebx, ecx
		jnb	loc_7BF94B
		mov	eax, ecx
		sub	eax, ebx
		cmp	eax, edx
		jb	loc_7BF94B
		mov	eax, ecx
		sub	ecx, edx
		mov	edx, [ebp+arg_4]
		shr	eax, 0Ch
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+arg_C], eax
		neg	eax
		shr	[ebp+arg_C], 0Ch
		and	ecx, eax
		mov	eax, ecx
		shr	eax, 0Ch
		mov	[ebp+var_C], eax
		test	edx, edx
		jnz	loc_8EF725

loc_7BF84E:				; CODE XREF: MiFindEmptyAddressRangeDownTree+12FF69j
		cmp	ecx, ebx
		jb	loc_7BF94B
		mov	eax, [esi]
		xor	esi, esi
		test	eax, eax
		jz	loc_7BF923
		mov	edi, esi

loc_7BF864:				; CODE XREF: MiFindEmptyAddressRangeDownTree+94j
		mov	ecx, eax
		mov	eax, [eax+4]
		mov	[ebp+var_18], ecx
		test	eax, eax
		jnz	short loc_7BF864
		shr	ebx, 0Ch
		mov	[ebp+var_8], ecx
		mov	[ebp+arg_8], ebx

loc_7BF879:				; CODE XREF: MiFindEmptyAddressRangeDownTree+116j
		test	ecx, ecx
		jnz	loc_7BF931
		mov	eax, [edi]
		mov	ecx, edi
		test	eax, eax
		jnz	short loc_7BF89A

loc_7BF889:				; CODE XREF: MiFindEmptyAddressRangeDownTree+BEj
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		jz	short loc_7BF8AB
		cmp	[edi+4], ecx
		jz	short loc_7BF8AB
		mov	ecx, edi
		jmp	short loc_7BF889
; 

loc_7BF89A:				; CODE XREF: MiFindEmptyAddressRangeDownTree+ADj
		mov	edi, eax
		cmp	[edi+4], esi
		jz	short loc_7BF8AB

loc_7BF8A1:				; CODE XREF: MiFindEmptyAddressRangeDownTree+CFj
		mov	eax, [edi+4]
		mov	edi, eax
		cmp	[eax+4], esi
		jnz	short loc_7BF8A1

loc_7BF8AB:				; CODE XREF: MiFindEmptyAddressRangeDownTree+B5j
					; MiFindEmptyAddressRangeDownTree+BAj ...
		test	edi, edi
		jz	loc_8EF748
		mov	eax, [edi+10h]
		inc	eax
		mov	[ebp+arg_0], edi
		cmp	eax, ebx
		jb	loc_8EF75D

loc_7BF8C2:				; CODE XREF: MiFindEmptyAddressRangeDownTree+12FF8Bj
		mov	ecx, [ebp+arg_C]
		lea	ebx, [ecx-1]
		add	ebx, eax
		mov	eax, ecx

loc_7BF8CC:				; CODE XREF: MiFindEmptyAddressRangeDownTree+12FF7Ej
		neg	eax
		and	ebx, eax
		test	edx, edx
		jnz	loc_8EF76A

loc_7BF8D8:				; CODE XREF: MiFindEmptyAddressRangeDownTree+12FFA1j
		cmp	ebx, [ebp+var_C]
		jbe	short loc_7BF8F2

loc_7BF8DD:				; CODE XREF: MiFindEmptyAddressRangeDownTree+127j
					; MiFindEmptyAddressRangeDownTree+132j
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_40]
		cmp	eax, ecx
		jz	short loc_7BF94B
		mov	ebx, [ebp+arg_8]
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_8], eax
		jmp	short loc_7BF879
; 

loc_7BF8F2:				; CODE XREF: MiFindEmptyAddressRangeDownTree+101j
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_10]
		mov	ecx, [ecx+0Ch]
		cmp	ecx, eax
		ja	short loc_7BF947

loc_7BF8FF:				; CODE XREF: MiFindEmptyAddressRangeDownTree+16Fj
		cmp	ecx, ebx
		jbe	short loc_7BF8DD
		mov	eax, ecx
		sub	eax, ebx
		mov	ebx, [ebp+var_14]
		cmp	ebx, eax
		ja	short loc_7BF8DD
		mov	edi, [ebp+arg_C]
		sub	ecx, ebx
		dec	edi
		not	edi
		and	ecx, edi
		test	edx, edx
		jnz	loc_8EF780

loc_7BF920:				; CODE XREF: MiFindEmptyAddressRangeDownTree+12FFB4j
		shl	ecx, 0Ch

loc_7BF923:				; CODE XREF: MiFindEmptyAddressRangeDownTree+82j
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx

loc_7BF928:				; CODE XREF: MiFindEmptyAddressRangeDownTree+176j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7BF931:				; CODE XREF: MiFindEmptyAddressRangeDownTree+A1j
		mov	eax, [ebp+var_10]
		mov	edi, ecx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_18], esi
		mov	[ebp+var_8], eax
		jmp	loc_7BF8AB
; 

loc_7BF947:				; CODE XREF: MiFindEmptyAddressRangeDownTree+123j
		mov	ecx, eax
		jmp	short loc_7BF8FF
; 

loc_7BF94B:				; CODE XREF: MiFindEmptyAddressRangeDownTree+37j
					; MiFindEmptyAddressRangeDownTree+43j ...
		mov	esi, 0C0000017h
		jmp	short loc_7BF928
MiFindEmptyAddressRangeDownTree	endp

; 
		align 8
; Exported entry 2106. RtlGenerate8dot3Name

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlGenerate8dot3Name
RtlGenerate8dot3Name proc near

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008EF793 SIZE 00000152 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], edi
		mov	[ebp+var_1D], 1
		cmp	byte ptr [ebp+arg_4], bl
		jnz	loc_8EF793

loc_7BF98E:				; CODE XREF: RtlGenerate8dot3Name+12FE4Bj
		mov	[ebp+var_15], bl

loc_7BF991:				; CODE XREF: RtlGenerate8dot3Name+12FE45j
		push	7Fh
		pop	edx
		mov	[ebp+var_3C], edx
		cmp	[esi+3], bl
		jnz	loc_7BFABB
		mov	esi, [ebp+var_2C]
		or	edi, 0FFFFFFFFh
		push	2Eh
		mov	[ebp+var_24], edi
		mov	[ebp+var_34], ebx
		pop	ecx
		cmp	[esi], bx
		jbe	short loc_7BF9C0
		mov	eax, [esi+4]
		mov	byte ptr [ebp+var_1C], 1
		cmp	[eax], cx
		jz	short loc_7BF9C3

loc_7BF9C0:				; CODE XREF: RtlGenerate8dot3Name+5Aj
		mov	byte ptr [ebp+var_1C], bl

loc_7BF9C3:				; CODE XREF: RtlGenerate8dot3Name+66j
					; RtlGenerate8dot3Name+8Cj ...
		push	[ebp+arg_4]
		lea	edx, [ebp+var_34]
		mov	ecx, esi
		push	[ebp+var_1C]
		call	GetNextWchar
		movzx	eax, ax
		test	ax, ax
		jz	short loc_7BF9EE
		push	2Eh
		pop	ecx
		mov	byte ptr [ebp+var_1C], bl
		cmp	ax, cx
		jnz	short loc_7BF9C3
		mov	edi, [ebp+var_34]
		mov	[ebp+var_24], edi
		jmp	short loc_7BF9C3
; 

loc_7BF9EE:				; CODE XREF: RtlGenerate8dot3Name+81j
		movzx	eax, word ptr [esi]
		mov	esi, [ebp+var_38]
		shr	eax, 1
		cmp	edi, eax
		jz	loc_8EF7A8

loc_7BF9FE:				; CODE XREF: RtlGenerate8dot3Name+12FE54j
		mov	[ebp+var_34], ebx
		mov	edi, ebx
		mov	[esi+3], bl
		mov	ebx, [ebp+var_24]

loc_7BFA09:				; CODE XREF: RtlGenerate8dot3Name+EDj
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_2C]
		lea	edx, [ebp+var_34]
		push	1
		call	GetNextWchar
		movzx	edx, ax
		test	dx, dx
		jz	short loc_7BFA47
		cmp	[ebp+var_34], ebx
		jnb	short loc_7BFA47
		mov	al, [esi+3]
		mov	[ebp+var_25], al
		cmp	al, 6
		jnb	short loc_7BFA47
		cmp	[ebp+var_15], 0
		jnz	loc_8EF7B1

loc_7BFA3A:				; CODE XREF: RtlGenerate8dot3Name+12FE85j
		movzx	eax, al
		mov	[esi+eax*2+4], dx
		inc	byte ptr [esi+3]
		jmp	short loc_7BFA09
; 

loc_7BFA47:				; CODE XREF: RtlGenerate8dot3Name+C7j
					; RtlGenerate8dot3Name+CCj ...
		cmp	[ebp+var_15], 0
		jnz	short loc_7BFA51
		movzx	edi, byte ptr [esi+3]

loc_7BFA51:				; CODE XREF: RtlGenerate8dot3Name+F3j
		push	0
		pop	ebx
		cmp	edi, 2
		jbe	loc_7BFC63

loc_7BFA5D:				; CODE XREF: RtlGenerate8dot3Name+35Dj
		cmp	[ebp+var_24], 0FFFFFFFFh
		jz	short loc_7BFAB2
		push	2Eh
		pop	eax
		mov	[esi+18h], ax
		mov	[ebp+var_1C], 1
		mov	dword ptr [esi+14h], 1

loc_7BFA78:				; CODE XREF: RtlGenerate8dot3Name+158j
		push	[ebp+arg_4]
		mov	edi, [ebp+var_2C]
		lea	edx, [ebp+var_24]
		push	1
		mov	ecx, edi
		call	GetNextWchar
		movzx	edx, ax
		test	dx, dx
		jz	short loc_7BFAB8
		mov	edi, [esi+14h]
		cmp	edi, 4
		jnb	loc_7BFBBF
		cmp	[ebp+var_15], 0
		jnz	loc_8EF7E2

loc_7BFAA8:				; CODE XREF: RtlGenerate8dot3Name+12FEB9j
		mov	[esi+edi*2+18h], dx
		inc	dword ptr [esi+14h]
		jmp	short loc_7BFA78
; 

loc_7BFAB2:				; CODE XREF: RtlGenerate8dot3Name+109j
		mov	[esi+14h], ebx

loc_7BFAB5:				; CODE XREF: RtlGenerate8dot3Name+26Ej
					; RtlGenerate8dot3Name+12FEC6j
		mov	edi, [ebp+var_2C]

loc_7BFAB8:				; CODE XREF: RtlGenerate8dot3Name+138j
		push	7Fh
		pop	edx

loc_7BFABB:				; CODE XREF: RtlGenerate8dot3Name+42j
		mov	ecx, [esi+20h]
		inc	ecx
		mov	[esi+20h], ecx
		cmp	ecx, 4
		ja	loc_7BFBD1

loc_7BFACB:				; CODE XREF: RtlGenerate8dot3Name+27Dj
					; RtlGenerate8dot3Name+306j
		xor	edi, edi
		lea	ebx, [ebp-6]
		inc	edi

loc_7BFAD1:				; CODE XREF: RtlGenerate8dot3Name+1A1j
		test	ecx, ecx
		jz	short loc_7BFAFB
		xor	edx, edx
		mov	eax, ecx
		push	0Ah
		pop	ecx
		div	ecx
		add	edx, 30h
		mov	ecx, eax
		inc	edi
		mov	[ebx], dx
		sub	ebx, 2
		cmp	dx, 39h
		setnz	al
		dec	al
		and	[ebp+var_1D], al
		cmp	edi, 7
		jbe	short loc_7BFAD1

loc_7BFAFB:				; CODE XREF: RtlGenerate8dot3Name+17Bj
		lea	ecx, [edi+edi]
		lea	eax, [ebp+var_4]
		sub	eax, ecx
		push	7Eh
		pop	ecx
		mov	[ebp+var_1C], eax
		mov	[eax], cx
		mov	al, [esi+3]
		push	0
		pop	ebx
		test	al, al
		jz	loc_8EF86C
		cmp	al, 0Ch
		ja	loc_8EF86C
		movzx	eax, al
		add	eax, eax
		push	eax		; size_t
		lea	eax, [esi+4]
		push	eax		; void *
		mov	eax, [ebp+var_30]
		push	dword ptr [eax+4] ; void *
		call	_memcpy
		movzx	eax, byte ptr [esi+3]
		add	esp, 0Ch
		add	ax, ax
		movzx	ecx, ax

loc_7BFB44:				; CODE XREF: RtlGenerate8dot3Name+12FF16j
		mov	edx, [ebp+var_30]
		movzx	eax, cx
		mov	[edx], cx
		lea	ecx, [edi+edi]
		push	ecx		; size_t
		push	[ebp+var_1C]	; void *
		mov	ecx, eax
		mov	eax, [edx+4]
		shr	ecx, 1
		lea	eax, [eax+ecx*2]
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_30]
		lea	eax, [edi+edi]
		add	esp, 0Ch
		add	ax, [edx]
		movzx	ecx, ax
		mov	[edx], ax
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_7BFBA2
		add	eax, eax
		shr	ecx, 1
		push	eax		; size_t
		lea	eax, [esi+18h]
		push	eax		; void *
		mov	eax, [edx+4]
		lea	eax, [eax+ecx*2]
		push	eax		; void *
		call	_memcpy
		mov	ax, [esi+14h]
		add	esp, 0Ch
		mov	ecx, [ebp+var_30]
		add	ax, ax
		add	[ecx], ax

loc_7BFBA2:				; CODE XREF: RtlGenerate8dot3Name+223j
		cmp	[ebp+var_1D], 0
		jnz	loc_8EF873

loc_7BFBAC:				; CODE XREF: RtlGenerate8dot3Name+12FF7Dj
		xor	eax, eax

loc_7BFBAE:				; CODE XREF: RtlGenerate8dot3Name+12FF88j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_7BFBBF:				; CODE XREF: RtlGenerate8dot3Name+140j
					; RtlGenerate8dot3Name+12FEB3j
		cmp	ds:_FsRtlSafeExtensions, 0
		jz	loc_7BFAB5
		jmp	loc_8EF816
; 

loc_7BFBD1:				; CODE XREF: RtlGenerate8dot3Name+16Dj
		cmp	byte ptr [esi+2], 0
		jnz	loc_7BFACB
		cmp	[ebp+var_15], 0
		jnz	loc_8EF823
		mov	[ebp+var_24], ebx

loc_7BFBE8:				; CODE XREF: RtlGenerate8dot3Name+12FF0Fj
		mov	ecx, edi
		call	_RtlComputeLfnChecksum@4 ; RtlComputeLfnChecksum(x)
		mov	ecx, [ebp+var_24]
		push	2
		movzx	edx, ax
		mov	[esi], ax
		pop	eax
		push	6
		pop	edi
		sub	eax, ecx
		mov	[ebp+var_1C], edx
		sub	edi, ecx
		cmp	eax, edi
		jnb	short loc_7BFC48
		lea	ecx, [esi+4]
		sub	edi, eax
		push	9
		lea	ecx, [ecx+eax*2]
		mov	bx, dx
		pop	esi

loc_7BFC17:				; CODE XREF: RtlGenerate8dot3Name+2E6j
		and	edx, 0Fh
		cmp	si, dx
		sbb	eax, eax
		shr	bx, 4
		and	eax, 7
		mov	word ptr [ebp+var_1C], bx
		add	eax, 30h
		add	ax, dx
		mov	[ecx], ax
		lea	ecx, [ecx+2]
		sub	edi, 1
		jz	short loc_7BFC40
		mov	edx, [ebp+var_1C]
		jmp	short loc_7BFC17
; 

loc_7BFC40:				; CODE XREF: RtlGenerate8dot3Name+2E1j
		mov	esi, [ebp+var_38]
		xor	ebx, ebx
		mov	ecx, [ebp+var_24]

loc_7BFC48:				; CODE XREF: RtlGenerate8dot3Name+2AFj
		push	6
		pop	eax
		sub	al, cl
		mov	dword ptr [esi+20h], 1
		xor	ecx, ecx
		mov	[esi+3], al
		mov	byte ptr [esi+2], 1
		inc	ecx
		jmp	loc_7BFACB
; 

loc_7BFC63:				; CODE XREF: RtlGenerate8dot3Name+FFj
		mov	ecx, [ebp+var_2C]
		call	_RtlComputeLfnChecksum@4 ; RtlComputeLfnChecksum(x)
		mov	[esi], ax
		mov	edx, ebx
		movzx	eax, ax
		push	9
		mov	[ebp+var_1C], eax
		mov	di, ax
		pop	ebx

loc_7BFC7C:				; CODE XREF: RtlGenerate8dot3Name+351j
		and	eax, 0Fh
		cmp	bx, ax
		sbb	ecx, ecx
		shr	di, 4
		and	ecx, 7
		mov	word ptr [ebp+var_1C], di
		add	ecx, 30h
		add	cx, ax
		movzx	eax, byte ptr [esi+3]
		add	eax, edx
		inc	edx
		mov	[esi+eax*2+4], cx
		cmp	edx, 4
		jnb	short loc_7BFCAB
		mov	eax, [ebp+var_1C]
		jmp	short loc_7BFC7C
; 

loc_7BFCAB:				; CODE XREF: RtlGenerate8dot3Name+34Cj
		add	byte ptr [esi+3], 4
		xor	ebx, ebx
		mov	byte ptr [esi+2], 1
		jmp	loc_7BFA5D
RtlGenerate8dot3Name endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

GetNextWchar	proc near		; CODE XREF: RtlGenerate8dot3Name+76p
					; RtlGenerate8dot3Name+BCp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 008EF8E5 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_8], ecx

loc_7BFCC9:				; CODE XREF: GetNextWchar+86j
		movzx	eax, word ptr [ecx]
		xor	esi, esi
		mov	edi, [ebx]
		shr	eax, 1
		cmp	edi, eax
		jnb	short loc_7BFD2D
		mov	eax, [ecx+4]
		movzx	ecx, word ptr [eax+edi*2]
		lea	eax, [edi+1]
		mov	[ebx], eax
		mov	esi, ecx
		mov	[ebp+var_4], esi
		cmp	ecx, 20h
		jbe	short loc_7BFD3D
		cmp	ecx, 7Fh
		jnb	loc_8EF8E5

loc_7BFCF5:				; CODE XREF: GetNextWchar+12FC49j
		cmp	si, 2Eh
		jz	short loc_7BFD37
		mov	eax, 80h
		cmp	si, ax
		jnb	short loc_7BFD1E

loc_7BFD05:				; CODE XREF: GetNextWchar+81j
		movzx	edx, si
		xor	eax, eax
		mov	ecx, edx
		inc	eax
		and	ecx, 1Fh
		shr	edx, 5
		shl	eax, cl
		test	ds:_RtlFatIllegalTable[edx*4], eax
		jnz	short loc_7BFD42

loc_7BFD1E:				; CODE XREF: GetNextWchar+49j
					; GetNextWchar+8Bj
		lea	ecx, [esi-61h]
		cmp	cx, 19h
		ja	short loc_7BFD2D
		add	esi, 0FFE0h

loc_7BFD2D:				; CODE XREF: GetNextWchar+1Aj
					; GetNextWchar+6Bj
		pop	edi
		mov	ax, si
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7BFD37:				; CODE XREF: GetNextWchar+3Fj
		cmp	[ebp+arg_0], 0
		jz	short loc_7BFD05

loc_7BFD3D:				; CODE XREF: GetNextWchar+30j
					; GetNextWchar+12FC2Fj	...
		mov	ecx, [ebp+var_8]
		jmp	short loc_7BFCC9
; 

loc_7BFD42:				; CODE XREF: GetNextWchar+62j
		push	5Fh
		pop	esi
		jmp	short loc_7BFD1E
GetNextWchar	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RtlComputeLfnChecksum(x)
_RtlComputeLfnChecksum@4 proc near	; CODE XREF: RtlGenerate8dot3Name+292p
					; RtlGenerate8dot3Name+30Ep
		mov	edx, [ecx+4]
		movzx	ecx, word ptr [ecx]
		shr	ecx, 1
		push	ebx
		xor	ebx, ebx
		push	esi
		lea	eax, [edx+ecx*2]
		mov	esi, ebx
		cmp	eax, edx
		push	edi
		sbb	edi, edi
		not	edi
		and	edi, ecx
		jbe	short loc_7BFD75

loc_7BFD64:				; CODE XREF: RtlComputeLfnChecksum(x)+2Bj
		imul	eax, ebx, 25h
		add	ax, [edx]
		inc	esi
		movzx	ebx, ax
		lea	edx, [edx+2]
		cmp	esi, edi
		jb	short loc_7BFD64

loc_7BFD75:				; CODE XREF: RtlComputeLfnChecksum(x)+1Aj
		movzx	eax, bx
		mov	ecx, 3B9ACA07h
		imul	eax, 12B9B0A5h
		pop	edi
		pop	esi
		pop	ebx
		cdq
		xor	eax, edx
		sub	eax, edx
		cdq
		idiv	ecx
		mov	ax, dx
		retn
_RtlComputeLfnChecksum@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiValidateImagePfn proc	near		; CODE XREF: .text:00478D18p
					; MiValidateInPage+276p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008EF908 SIZE 00000124 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ecx
		mov	[ebp+var_18], edx
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax+38h]
		imul	edi, [ebp+arg_14], arg_14
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], ecx
		mov	esi, [ecx+14h]
		and	esi, 0FFFFFFF8h
		add	edi, ds:_MmPfnDatabase
		test	dword ptr [eax+34h], 0C0000h
		mov	[ebp+var_10], edi
		jnz	loc_8EF908

loc_7BFDCB:				; CODE XREF: MiValidateImagePfn+12FB7Aj
					; MiValidateImagePfn+12FB8Dj
		xor	edx, edx
		mov	ecx, offset dword_6D35E0
		inc	edx
		call	MiReservePtes
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8EF924
		mov	[ebp+var_1], 0

loc_7BFDE6:				; CODE XREF: MiValidateImagePfn+12FBBFj
		mov	eax, ebx
		xor	ecx, ecx
		shl	eax, 9
		mov	edx, edi
		inc	ecx
		mov	[ebp+var_8], eax
		call	_MiMakeProtectionPfnCompatible@8 ; MiMakeProtectionPfnCompatible(x,x)
		mov	edx, [ebp+arg_14]
		or	eax, 20000000h
		push	eax
		mov	ecx, ebx
		call	MiMakeValidPte
		and	[ebp+arg_14], 0
		mov	ecx, ebx
		mov	edi, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_8EF960
		mov	ecx, [ebp+arg_14]

loc_7BFE20:				; CODE XREF: MiValidateImagePfn+12FBE1j
					; MiValidateImagePfn+12FBEFj ...
		mov	[ebx+4], edx
		nop
		mov	[ebx], edi
		test	ecx, ecx
		jnz	loc_8EF9B2

loc_7BFE2E:				; CODE XREF: MiValidateImagePfn+12FC29j
		mov	eax, [ebp+arg_18]
		xor	edi, edi
		test	[ebp+arg_10], 2
		jz	short loc_7BFE3C
		or	eax, 2

loc_7BFE3C:				; CODE XREF: MiValidateImagePfn+A5j
		test	ds:_MiFlags, 4000h
		mov	ecx, [ebp+var_C]
		mov	[ebp+arg_14], eax
		jnz	loc_8EF9C0

loc_7BFE52:				; CODE XREF: MiValidateImagePfn+12FC35j
		cmp	[ebp+arg_8], 0FFFFFFFFh
		jz	loc_7BFEF7
		push	ecx
		push	[ebp+arg_8]
		mov	edx, ecx
		mov	ecx, [ebp+var_8]
		call	_MiRevertRelocatedImagePfn@16 ;	MiRevertRelocatedImagePfn(x,x,x,x)
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jz	loc_7BFEF5
		test	edi, edi
		jz	loc_8EF9F1
		mov	edx, edi

loc_7BFE7F:				; CODE XREF: MiValidateImagePfn+168j
					; MiValidateImagePfn+12FC4Ej ...
		push	[ebp+var_18]
		mov	ecx, esi
		push	[ebp+arg_14]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	1000h
		call	_SeValidateImageData@28	; SeValidateImageData(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+arg_8], esi
		test	esi, esi
		js	short loc_7BFEFC
		mov	esi, [ebp+var_10]
		xor	edx, edx
		test	ds:_MiFlags, 40000h
		jnz	loc_8EF9FB

loc_7BFEB5:				; CODE XREF: MiValidateImagePfn+12FC8Cj
					; MiValidateImagePfn+12FC95j
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jz	short loc_7BFEC9
		mov	ecx, esi
		call	_MiMarkPfnVerified@8 ; MiMarkPfnVerified(x,x)

loc_7BFEC9:				; CODE XREF: MiValidateImagePfn+12Ej
		mov	esi, [ebp+arg_8]

loc_7BFECC:				; CODE XREF: MiValidateImagePfn+171j
					; MiValidateImagePfn+12FC64j
		cmp	[ebp+var_1], 0
		jnz	short loc_7BFF05
		push	1
		mov	edx, ebx
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_7BFEE0:				; CODE XREF: MiValidateImagePfn+17Aj
		test	edi, edi
		jz	short loc_7BFEEC
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7BFEEC:				; CODE XREF: MiValidateImagePfn+150j
		mov	eax, esi

loc_7BFEEE:				; CODE XREF: MiValidateImagePfn+12FB87j
					; MiValidateImagePfn+12FBC9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_7BFEF5:				; CODE XREF: MiValidateImagePfn+DDj
		xor	edi, edi

loc_7BFEF7:				; CODE XREF: MiValidateImagePfn+C4j
					; MiValidateImagePfn+12FC3Fj
		mov	edx, [ebp+var_8]
		jmp	short loc_7BFE7F
; 

loc_7BFEFC:				; CODE XREF: MiValidateImagePfn+10Cj
		lock inc dword_6CF510
		jmp	short loc_7BFECC
; 

loc_7BFF05:				; CODE XREF: MiValidateImagePfn+13Ej
		mov	ecx, ebx
		call	_MiReleaseFaultPte@4 ; MiReleaseFaultPte(x)
		jmp	short loc_7BFEE0
MiValidateImagePfn endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeValidateImageData(x, x, x, x, x, x, x)
_SeValidateImageData@28	proc near	; CODE XREF: MiValidateInPage+2F2p
					; MiValidateImagePfn+100p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6BEA34
		test	eax, eax
		jz	short loc_7BFF33
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	eax

loc_7BFF2F:				; CODE XREF: SeValidateImageData(x,x,x,x,x,x,x)+2Aj
		pop	ebp
		retn	14h
; 

loc_7BFF33:				; CODE XREF: SeValidateImageData(x,x,x,x,x,x,x)+Cj
		mov	eax, 0C0000428h
		jmp	short loc_7BFF2F
_SeValidateImageData@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRevertRelocatedImagePfn(x, x, x, x)
_MiRevertRelocatedImagePfn@16 proc near	; CODE XREF: MiValidateImagePfn+D3p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	esi
		push	edi
		mov	ecx, [ebx+38h]
		mov	esi, [ecx+10h]
		test	esi, esi
		jz	short loc_7BFFAB
		mov	edx, [ebp+arg_0]
		call	_MiPageHasRelocations@8	; MiPageHasRelocations(x,x)
		test	eax, eax
		jz	short loc_7BFFAB
		push	0
		push	100h
		mov	edx, 68496D4Dh
		mov	ecx, 1000h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7BFFB0
		push	1000h		; size_t
		push	[ebp+var_4]	; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [esi+18h]
		add	esp, 0Ch
		sub	eax, [esi+14h]
		mov	edx, ebx
		mov	ecx, edi
		push	3
		push	0
		push	eax
		push	[ebp+arg_0]
		call	MiPerformFixups
		mov	eax, edi

loc_7BFFA4:				; CODE XREF: MiRevertRelocatedImagePfn(x,x,x,x)+74j
					; MiRevertRelocatedImagePfn(x,x,x,x)+78j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7BFFAB:				; CODE XREF: MiRevertRelocatedImagePfn(x,x,x,x)+16j
					; MiRevertRelocatedImagePfn(x,x,x,x)+22j
		or	eax, 0FFFFFFFFh
		jmp	short loc_7BFFA4
; 

loc_7BFFB0:				; CODE XREF: MiRevertRelocatedImagePfn(x,x,x,x)+3Ej
		xor	eax, eax
		jmp	short loc_7BFFA4
_MiRevertRelocatedImagePfn@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiPageHasRelocations(x, x)
_MiPageHasRelocations@8	proc near	; CODE XREF: .text:00478654p
					; .text:00478AA1p ...
		mov	eax, [ecx+10h]
		push	esi
		mov	esi, [eax]
		cmp	edx, [eax+1Ch]
		jnb	short loc_7BFFD7
		xor	ecx, ecx
		lea	eax, [esi+edx*4]

loc_7BFFC4:				; CODE XREF: MiPageHasRelocations(x,x)+21j
		cmp	dword ptr [eax], 0
		jz	short loc_7BFFCE
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_7BFFCE:				; CODE XREF: MiPageHasRelocations(x,x)+13j
		inc	ecx
		add	eax, 4
		cmp	ecx, 1
		jb	short loc_7BFFC4

loc_7BFFD7:				; CODE XREF: MiPageHasRelocations(x,x)+9j
		xor	eax, eax
		pop	esi
		retn
_MiPageHasRelocations@8	endp

; 
		align 10h
; Exported entry 1740. ProbeForRead

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ProbeForRead(x, x, x)
		public _ProbeForRead@12
_ProbeForRead@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_7C0008
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+arg_0]
		dec	eax
		test	eax, edx
		jnz	short loc_7C000C
		lea	eax, [edx+ecx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_7C0011
		cmp	eax, edx
		jb	short loc_7C0011

loc_7C0008:				; CODE XREF: ProbeForRead(x,x,x)+Aj
					; ProbeForRead(x,x,x)+34j
		pop	ebp
		retn	0Ch
; 

loc_7C000C:				; CODE XREF: ProbeForRead(x,x,x)+15j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7C0011:				; CODE XREF: ProbeForRead(x,x,x)+22j
					; ProbeForRead(x,x,x)+26j
		mov	eax, [ecx]
		nop
		jmp	short loc_7C0008
_ProbeForRead@12 endp


;  S U B	R O U T	I N E 


; __stdcall SepRefDerefLuidToIndexEntryIfNecessary(x, x)
_SepRefDerefLuidToIndexEntryIfNecessary@8 proc near
					; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+417p
					; SepTokenDeleteMethod+98p
		mov	ecx, [ecx+290h]
		test	ecx, ecx
		jz	short locret_7C002D
		test	dl, dl
		jnz	_SepDereferenceLuidToIndexEntry@4 ; SepDereferenceLuidToIndexEntry(x)
		jmp	_SepReferenceLuidToIndexEntry@4	; SepReferenceLuidToIndexEntry(x)
; 

locret_7C002D:				; CODE XREF: SepRefDerefLuidToIndexEntryIfNecessary(x,x)+8j
		retn
_SepRefDerefLuidToIndexEntryIfNecessary@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1595. NtSetInformationVirtualMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtSetInformationVirtualMemory
NtSetInformationVirtualMemory proc near	; DATA XREF: .text:00580ED4o

var_19C		= dword	ptr -19Ch
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_11C		= dword	ptr -11Ch
var_9C		= dword	ptr -9Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008EFA2C SIZE 0000004E BYTES
; FUNCTION CHUNK AT 008EFAA0 SIZE 000001C8 BYTES
; FUNCTION CHUNK AT 008EFCC3 SIZE 00000049 BYTES

		push	18Ch
		push	offset dword_6A3300
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_16C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_144], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_154], eax
		mov	esi, [ebp+arg_10]
		mov	[ebp+var_148], esi
		xor	edx, edx
		mov	[ebp+var_150], edx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_134]
		rep stosd
		mov	[ebp+var_170], edx
		mov	[ebp+var_168], edx
		mov	[ebp+var_15C], edx
		mov	[ebp+var_140], eax
		mov	[ebp+var_19C], eax
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_13C], eax
		mov	ebx, edx
		mov	[ebp+var_14C], edx
		mov	edx, [ebp+arg_4]
		test	edx, edx
		js	loc_8EFD02
		xor	edi, edi
		inc	edi
		cmp	edx, edi
		jle	short loc_7C00D4
		cmp	edx, 2
		jz	short loc_7C0102
		jle	loc_8EFD02
		cmp	edx, 6
		jg	loc_8EFD02

loc_7C00D4:				; CODE XREF: NtSetInformationVirtualMemory+8Aj
		test	esi, esi
		jz	loc_7C064B
		cmp	[ebp+arg_14], 4
		jnz	loc_8EFA2C
		cmp	edx, 4
		jnz	short loc_7C010C
		mov	eax, 0C00000BBh

loc_7C00F0:				; CODE XREF: NtSetInformationVirtualMemory+400j
					; NtSetInformationVirtualMemory+61Cj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7C0102:				; CODE XREF: NtSetInformationVirtualMemory+8Fj
		cmp	[ebp+arg_14], 20h
		jnz	loc_8EFA2C

loc_7C010C:				; CODE XREF: NtSetInformationVirtualMemory+B5j
		mov	eax, [ebp+var_144]
		test	eax, eax
		jz	loc_8EFCF8
		cmp	eax, 1FFFFFFFh
		ja	loc_8EFCF8
		mov	ecx, large fs:124h
		mov	[ebp+var_164], ecx
		mov	eax, [ecx+80h]
		mov	[ebp+var_138], eax
		cmp	edx, 2
		jnz	short loc_7C0153
		test	dword ptr [eax+490h], 100h
		jnz	loc_8EFA36

loc_7C0153:				; CODE XREF: NtSetInformationVirtualMemory+10Dj
					; NtSetInformationVirtualMemory+12FA0Cj ...
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_190]
		rep stosd
		mov	eax, [ebp+var_164]
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_160],	al
		test	al, al
		jz	loc_7C0439
		xor	eax, eax
		mov	[ebp+ms_exc.disabled], eax
		mov	ecx, [ebp+var_144]
		shl	ecx, 3
		test	ecx, ecx
		jz	short loc_7C01BC
		test	byte ptr [ebp+var_154],	3
		mov	edx, [ebp+arg_4]
		jnz	loc_7C0646
		add	ecx, [ebp+var_154]
		mov	edi, ds:_MmUserProbeAddress
		cmp	ecx, edi
		ja	loc_8EFA51
		cmp	ecx, [ebp+var_154]
		jb	loc_8EFA51

loc_7C01BC:				; CODE XREF: NtSetInformationVirtualMemory+156j
					; NtSetInformationVirtualMemory+12FA1Fj
		cmp	edx, 2
		jnz	loc_7C0572
		mov	edx, [ebp+arg_14]
		test	edx, edx
		jz	short loc_7C01F9
		mov	ecx, [ebp+var_148]
		test	cl, 3
		jnz	loc_7C0646
		add	edx, ecx
		mov	esi, ds:_MmUserProbeAddress
		cmp	edx, esi
		ja	loc_8EFA58
		cmp	edx, ecx
		jb	loc_8EFA58

loc_7C01F3:				; CODE XREF: NtSetInformationVirtualMemory+12FA26j
		mov	esi, [ebp+var_148]

loc_7C01F9:				; CODE XREF: NtSetInformationVirtualMemory+196j
		push	8
		pop	ecx
		lea	edi, [ebp+var_190]
		rep movsd
		mov	esi, [ebp+var_190]
		mov	[ebp+var_148], esi
		test	esi, esi
		jz	loc_8EFA67
		cmp	esi, 1FFFFFFFh
		ja	loc_8EFA67
		cmp	[ebp+var_18C], 0
		jnz	loc_8EFA67
		push	4
		push	4
		push	[ebp+var_188]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		shl	esi, 3
		test	esi, esi
		jz	short loc_7C0273
		test	byte ptr [ebp+var_184],	3
		jnz	loc_7C0646
		mov	eax, [ebp+var_184]
		lea	ecx, [esi+eax]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	loc_8EFA5F
		cmp	ecx, eax
		jb	loc_8EFA5F

loc_7C0273:				; CODE XREF: NtSetInformationVirtualMemory+211j
					; NtSetInformationVirtualMemory+573j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+arg_4]

loc_7C027D:				; CODE XREF: NtSetInformationVirtualMemory+424j
					; NtSetInformationVirtualMemory+60Dj
		cmp	[ebp+var_16C], 0FFFFFFFFh
		jnz	loc_7C0527
		mov	eax, [ebp+var_138]
		mov	[ebp+var_150], eax

loc_7C0296:				; CODE XREF: NtSetInformationVirtualMemory+51Ej
		lea	esi, [ebp+var_11C]
		mov	[ebp+var_138], esi
		mov	eax, [ebp+var_144]
		cmp	eax, 10h
		ja	loc_8EFAA0

loc_7C02B1:				; CODE XREF: NtSetInformationVirtualMemory+12FA89j
		cmp	edi, 2
		jnz	short loc_7C02D2
		mov	eax, [ebp+var_148]
		cmp	eax, 10h
		ja	loc_8EFAD9

loc_7C02C5:				; CODE XREF: NtSetInformationVirtualMemory+12FAC0j
		cmp	[ebp+var_180], 0
		jnz	loc_8EFB0A

loc_7C02D2:				; CODE XREF: NtSetInformationVirtualMemory+280j
					; NtSetInformationVirtualMemory+12FB15j
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_144]
		shl	eax, 3
		push	eax		; size_t
		push	[ebp+var_154]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	edi, 2
		jnz	short loc_7C0315
		mov	eax, [ebp+var_148]
		shl	eax, 3
		push	eax		; size_t
		push	[ebp+var_184]	; void *
		push	[ebp+var_13C]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_7C0315:				; CODE XREF: NtSetInformationVirtualMemory+2C1j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_164]
		mov	eax, [eax+80h]
		cmp	eax, [ebp+var_150]
		jnz	loc_7C05AC

loc_7C0334:				; CODE XREF: NtSetInformationVirtualMemory+5A6j
		push	0
		mov	edx, [ebp+var_144]
		mov	ecx, esi
		call	_MiValidateMemoryRangeEntries@12 ; MiValidateMemoryRangeEntries(x,x,x)
		test	eax, eax
		jz	loc_8EFB58
		sub	edi, 0
		jz	loc_7C0498
		sub	edi, 1
		jz	loc_7C045D
		sub	edi, 1
		jnz	loc_8EFB62
		mov	edi, [ebp+var_13C]
		cmp	[ebp+var_144], 1
		jnz	loc_8EFC5E
		push	[ebp+var_174]
		push	[ebp+var_178]
		push	[ebp+var_168]
		push	[ebp+var_15C]
		lea	eax, [ebp+var_170]
		push	eax
		push	[ebp+var_148]
		push	edi
		push	dword ptr [esi+4]
		mov	edx, [esi]
		mov	ecx, [ebp+var_150]
		call	MiCfgMarkValidEntries
		mov	ebx, eax
		mov	[ebp+var_15C], ebx
		cmp	[ebp+var_140], 0
		jnz	loc_7C05DF

loc_7C03C4:				; CODE XREF: NtSetInformationVirtualMemory+5B7j
		mov	[ebp+ms_exc.disabled], 2
		and	[ebp+var_158], 0
		mov	ecx, [ebp+var_170]
		mov	eax, [ebp+var_188]
		mov	[eax], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C03E7:				; CODE XREF: sub_8EFC6E+16j
		mov	esi, [ebp+var_138]
		mov	eax, [ebp+var_158]

loc_7C03F3:				; CODE XREF: NtSetInformationVirtualMemory+45Fj
					; NtSetInformationVirtualMemory+12FBFAj ...
		test	al, 1
		jnz	loc_8EFCC3

loc_7C03FB:				; CODE XREF: NtSetInformationVirtualMemory+12FC9Bj
		mov	ecx, [ebp+var_168]
		test	ecx, ecx
		jnz	loc_8EFCD4

loc_7C0409:				; CODE XREF: NtSetInformationVirtualMemory+12FCA5j
		cmp	[ebp+var_16C], 0FFFFFFFFh
		jnz	loc_7C055D

loc_7C0416:				; CODE XREF: NtSetInformationVirtualMemory+539j
		lea	eax, [ebp+var_11C]
		cmp	esi, eax
		jnz	loc_8EFCDE

loc_7C0424:				; CODE XREF: NtSetInformationVirtualMemory+12FCB2j
		lea	eax, [ebp+var_9C]
		cmp	edi, eax
		jnz	loc_8EFCEB

loc_7C0432:				; CODE XREF: NtSetInformationVirtualMemory+524j
					; NtSetInformationVirtualMemory+12FCBFj
		mov	eax, ebx
		jmp	loc_7C00F0
; 

loc_7C0439:				; CODE XREF: NtSetInformationVirtualMemory+140j
		mov	edi, edx
		cmp	edi, 2
		jz	loc_7C0615
		mov	eax, [esi]
		mov	[ebp+var_14C], eax
		mov	eax, [ebp+var_190]
		mov	[ebp+var_148], eax
		jmp	loc_7C027D
; 

loc_7C045D:				; CODE XREF: NtSetInformationVirtualMemory+323j
		cmp	[ebp+var_14C], 5
		ja	loc_8EFC54
		push	[ebp+var_14C]
		push	1

loc_7C0472:				; CODE XREF: NtSetInformationVirtualMemory+12FC1Bj
		mov	edx, esi
		mov	ecx, [ebp+var_144]
		call	MiProcessVaRangesInfoClass

loc_7C047F:				; CODE XREF: NtSetInformationVirtualMemory+12FB6Fj
					; NtSetInformationVirtualMemory+12FBBDj
		mov	ebx, eax

loc_7C0481:				; CODE XREF: NtSetInformationVirtualMemory+12FB0Fj
					; NtSetInformationVirtualMemory+12FB1Fj ...
		mov	edi, [ebp+var_13C]

loc_7C0487:				; CODE XREF: NtSetInformationVirtualMemory+12FAD1j
					; NtSetInformationVirtualMemory+12FC2Fj
		mov	esi, [ebp+var_138]

loc_7C048D:				; CODE XREF: NtSetInformationVirtualMemory+4EEj
					; NtSetInformationVirtualMemory+12FAA0j
		mov	eax, [ebp+var_140]
		jmp	loc_7C03F3
; 

loc_7C0498:				; CODE XREF: NtSetInformationVirtualMemory+31Aj
		cmp	[ebp+var_14C], 0
		jnz	loc_8EFC54
		mov	edx, [ebp+var_164]
		mov	ecx, edx
		call	_MiGetEffectivePagePriorityThread@4 ; MiGetEffectivePagePriorityThread(x)
		and	eax, 7
		mov	esi, eax
		or	esi, 40000h
		mov	ecx, eax
		and	ecx, 7
		cmp	cl, 5
		jb	loc_7C05F0

loc_7C04CB:				; CODE XREF: NtSetInformationVirtualMemory+5C4j
		mov	eax, esi
		and	eax, 7
		shl	eax, 3
		or	esi, eax
		mov	eax, esi
		and	eax, 38h
		cmp	al, 28h
		jb	loc_7C05FD

loc_7C04E2:				; CODE XREF: NtSetInformationVirtualMemory+5CFj
		mov	edi, esi
		or	esi, 4000h
		mov	ecx, edx
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		cmp	eax, 1
		jle	loc_7C0608

loc_7C04FA:				; CODE XREF: NtSetInformationVirtualMemory+5DCj
		push	esi
		mov	eax, [ebp+var_150]
		add	eax, 240h
		push	eax
		mov	esi, [ebp+var_138]
		mov	edx, esi
		mov	ecx, [ebp+var_144]
		call	MiPrefetchVirtualMemory
		mov	ebx, eax
		mov	edi, [ebp+var_13C]
		jmp	loc_7C048D
; 

loc_7C0527:				; CODE XREF: NtSetInformationVirtualMemory+250j
		push	0
		lea	eax, [ebp+var_150]
		push	eax
		push	66506D4Dh
		push	[ebp+var_160]
		push	ds:_PsProcessType
		push	8
		push	[ebp+var_16C]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_7C0296
		jmp	loc_7C0432
; 

loc_7C055D:				; CODE XREF: NtSetInformationVirtualMemory+3DCj
		mov	edx, 66506D4Dh
		mov	ecx, [ebp+var_150]
		call	ObfDereferenceObjectWithTag
		jmp	loc_7C0416
; 

loc_7C0572:				; CODE XREF: NtSetInformationVirtualMemory+18Bj
		mov	ecx, [ebp+var_148]
		mov	edx, ecx
		test	cl, 3
		jnz	loc_7C0646
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8EFA73

loc_7C0590:				; CODE XREF: NtSetInformationVirtualMemory+12FA41j
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	[ebp+var_14C], eax
		mov	eax, [ebp+var_190]
		mov	[ebp+var_148], eax
		jmp	loc_7C0273
; 

loc_7C05AC:				; CODE XREF: NtSetInformationVirtualMemory+2FAj
		cmp	edi, 3
		jz	loc_8EFB4E
		cmp	edi, 4
		jz	loc_8EFB4E
		lea	eax, [ebp+var_134]
		push	eax
		push	[ebp+var_150]
		call	KeStackAttachProcess
		mov	[ebp+var_140], 1
		jmp	loc_7C0334
; 

loc_7C05DF:				; CODE XREF: NtSetInformationVirtualMemory+38Aj
		lea	eax, [ebp+var_134]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		jmp	loc_7C03C4
; 

loc_7C05F0:				; CODE XREF: NtSetInformationVirtualMemory+491j
		mov	esi, eax
		or	esi, 40040h
		jmp	loc_7C04CB
; 

loc_7C05FD:				; CODE XREF: NtSetInformationVirtualMemory+4A8j
		and	esi, 0FFFFFFEFh
		or	esi, 28h
		jmp	loc_7C04E2
; 

loc_7C0608:				; CODE XREF: NtSetInformationVirtualMemory+4C0j
		mov	esi, edi
		or	esi, 4400h
		jmp	loc_7C04FA
; 

loc_7C0615:				; CODE XREF: NtSetInformationVirtualMemory+40Aj
		push	8
		pop	ecx
		lea	edi, [ebp+var_190]
		rep movsd
		mov	eax, [ebp+var_190]
		mov	[ebp+var_148], eax
		test	eax, eax
		jz	short loc_7C064B
		cmp	eax, 1FFFFFFFh
		ja	short loc_7C064B
		cmp	[ebp+var_18C], ebx
		jnz	short loc_7C064B
		mov	edi, edx
		jmp	loc_7C027D
; 

loc_7C0646:				; CODE XREF: NtSetInformationVirtualMemory+162j
					; NtSetInformationVirtualMemory+1A1j ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7C064B:				; CODE XREF: NtSetInformationVirtualMemory+A2j
					; NtSetInformationVirtualMemory+5FAj ...
		mov	eax, 0C00000F3h
		jmp	loc_7C00F0
NtSetInformationVirtualMemory endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiValidateMemoryRangeEntries(x, x, x)
_MiValidateMemoryRangeEntries@12 proc near ; CODE XREF:	MmOutSwapVirtualAddresses+B3p
					; NtSetInformationVirtualMemory+30Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		test	esi, esi
		jnz	short loc_7C06C3

loc_7C0668:				; CODE XREF: MiValidateMemoryRangeEntries(x,x,x)+6Fj
		lea	eax, [ecx+edx*8]
		mov	[ebp+var_4], eax
		cmp	ecx, eax
		jnb	short loc_7C06B5

loc_7C0672:				; CODE XREF: MiValidateMemoryRangeEntries(x,x,x)+5Dj
		mov	eax, ds:_MmHighestUserAddress
		mov	edx, [ecx]
		mov	[ebp+arg_0], eax
		cmp	edx, eax
		ja	short loc_7C06CB
		mov	ebx, [ecx+4]
		test	ebx, ebx
		jz	short loc_7C06CB
		lea	eax, [ebx+edx]
		cmp	eax, edx
		jb	short loc_7C06CB
		dec	eax
		cmp	eax, [ebp+arg_0]
		ja	short loc_7C06CB
		and	edx, 0FFFh
		lea	eax, [ebx+0FFFh]
		add	eax, edx
		shr	eax, 0Ch
		add	eax, edi
		cmp	eax, edi
		jb	short loc_7C06CB
		add	ecx, 8
		mov	edi, eax
		cmp	ecx, [ebp+var_4]
		jb	short loc_7C0672

loc_7C06B5:				; CODE XREF: MiValidateMemoryRangeEntries(x,x,x)+1Aj
		test	esi, esi
		jnz	short loc_7C06C7

loc_7C06B9:				; CODE XREF: MiValidateMemoryRangeEntries(x,x,x)+73j
		xor	eax, eax
		inc	eax

loc_7C06BC:				; CODE XREF: MiValidateMemoryRangeEntries(x,x,x)+77j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7C06C3:				; CODE XREF: MiValidateMemoryRangeEntries(x,x,x)+10j
		mov	[esi], edi
		jmp	short loc_7C0668
; 

loc_7C06C7:				; CODE XREF: MiValidateMemoryRangeEntries(x,x,x)+61j
		mov	[esi], edi
		jmp	short loc_7C06B9
; 

loc_7C06CB:				; CODE XREF: MiValidateMemoryRangeEntries(x,x,x)+28j
					; MiValidateMemoryRangeEntries(x,x,x)+2Fj ...
		xor	eax, eax
		jmp	short loc_7C06BC
_MiValidateMemoryRangeEntries@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCfgMarkValidEntries proc near		; CODE XREF: NtSetInformationVirtualMemory+376p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 008EFD0C SIZE 0000009C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_4], edx
		stosd
		mov	[ebp+var_C], ecx
		stosd
		stosd
		mov	eax, [ebp+arg_C]
		and	dword ptr [eax], 0
		mov	eax, edx
		or	eax, esi
		test	eax, 0FFFh
		jnz	loc_8EFD9E
		mov	edi, [ebp+arg_8]
		xor	ecx, ecx
		mov	ebx, [ebp+arg_4]
		inc	ecx
		cmp	edi, ecx
		ja	loc_8EFD0C

loc_7C0716:				; CODE XREF: MiCfgMarkValidEntries+12F64Ej
		cmp	[ebx+edi*8-8], esi
		jnb	loc_8EFD9E
		mov	ecx, [ebp+var_C]
		xor	esi, esi
		mov	ecx, [ecx+24Ch]
		add	ecx, 0B8h
		mov	[ebp+arg_8], ecx
		test	edi, edi
		jz	short loc_7C0770

loc_7C0738:				; CODE XREF: MiCfgMarkValidEntries+9Ej
		mov	eax, [ebx+esi*8]
		mov	[ebp+arg_4], eax
		and	eax, 0Fh
		cmp	eax, [ecx+0Ch]
		jnz	loc_8EFD9E
		mov	eax, [ebx+esi*8+4]
		test	eax, 0FFFFFFF8h
		jnz	loc_8EFD9E
		test	[ebp+arg_10], 1
		jnz	loc_8EFD23

loc_7C0763:				; CODE XREF: MiCfgMarkValidEntries+12F65Bj
		test	al, 4
		jnz	loc_7C080A

loc_7C076B:				; CODE XREF: MiCfgMarkValidEntries+15Bj
		inc	esi
		cmp	esi, edi
		jb	short loc_7C0738

loc_7C0770:				; CODE XREF: MiCfgMarkValidEntries+66j
		mov	eax, [ebp+arg_C]
		cmp	[eax], edi
		jz	loc_7C0849
		call	_MiIsProcessCfgEnabled@0 ; MiIsProcessCfgEnabled()
		test	eax, eax
		jz	loc_8EFD30
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		xor	edx, edx
		call	MiObtainReferencedVadEx
		mov	esi, eax
		test	esi, esi
		jz	loc_7C084D
		mov	ecx, [ebp+arg_0]
		mov	eax, [esi+10h]
		dec	ecx
		mov	edx, [ebp+var_4]
		add	ecx, edx
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	ecx, eax
		ja	loc_8EFD94
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jnz	loc_8EFD3A

loc_7C07C7:				; CODE XREF: MiCfgMarkValidEntries+12F6BFj
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		add	eax, 0FFEh
		mov	[ebp+var_18], edi
		add	eax, edx
		mov	[ebp+var_14], ebx
		and	eax, 0FFFFF000h
		push	eax
		push	edx
		push	1
		push	ecx
		mov	ecx, [ebp+arg_8]
		lea	edx, [ebp+var_18]
		call	MiPopulateCfgBitMap
		mov	edi, eax
		test	edi, edi
		js	short loc_7C07FA
		xor	edi, edi

loc_7C07FA:				; CODE XREF: MiCfgMarkValidEntries+126j
					; MiCfgMarkValidEntries+12F6C9j
		mov	ecx, esi
		call	MiUnlockAndDereferenceVad
		mov	eax, edi

loc_7C0803:				; CODE XREF: MiCfgMarkValidEntries+177j
					; MiCfgMarkValidEntries+17Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_7C080A:				; CODE XREF: MiCfgMarkValidEntries+95j
		call	_MiIsProcessCfgExportSuppressionEnabled@0 ; MiIsProcessCfgExportSuppressionEnabled()
		test	eax, eax
		jz	short loc_7C0842
		mov	ecx, [ebp+arg_4]
		lea	ecx, [ecx+edx]
		mov	edx, [ebp+arg_8]
		call	_MiValidateExportSuppressedUserCallTarget@8 ; MiValidateExportSuppressedUserCallTarget(x,x)
		test	eax, eax
		jz	short loc_7C0830

loc_7C0825:				; CODE XREF: MiCfgMarkValidEntries+170j
		mov	ecx, [ebp+arg_8]
		mov	edx, [ebp+var_4]
		jmp	loc_7C076B
; 

loc_7C0830:				; CODE XREF: MiCfgMarkValidEntries+153j
		mov	ecx, [ebx+esi*8]
		add	ecx, [ebp+var_4]
		mov	edx, [ebp+arg_8]
		call	MiValidateUserCallTarget
		test	eax, eax
		jnz	short loc_7C0825

loc_7C0842:				; CODE XREF: MiCfgMarkValidEntries+141j
					; MiCfgMarkValidEntries+12F655j
		mov	eax, 0C0000022h
		jmp	short loc_7C0803
; 

loc_7C0849:				; CODE XREF: MiCfgMarkValidEntries+A5j
		xor	eax, eax
		jmp	short loc_7C0803
; 

loc_7C084D:				; CODE XREF: MiCfgMarkValidEntries+CAj
		mov	eax, [ebp+var_8]
		jmp	short loc_7C0803
MiCfgMarkValidEntries endp


;  S U B	R O U T	I N E 


; __stdcall MiValidateExportSuppressedUserCallTarget(x,	x)
_MiValidateExportSuppressedUserCallTarget@8 proc near
					; CODE XREF: MiCfgMarkValidEntries+14Cp
		mov	edx, [edx]
		push	ecx
		call	CfgAddressToBitState
		cmp	eax, 2
		jnz	short loc_7C086C
		call	_MiIsProcessCfgExportSuppressionEnabled@0 ; MiIsProcessCfgExportSuppressionEnabled()
		test	eax, eax
		jz	short loc_7C086C
		xor	eax, eax
		inc	eax
		retn
; 

loc_7C086C:				; CODE XREF: MiValidateExportSuppressedUserCallTarget(x,x)+Bj
					; MiValidateExportSuppressedUserCallTarget(x,x)+14j
		xor	eax, eax
		retn
_MiValidateExportSuppressedUserCallTarget@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiProcessVaRangesInfoClass proc	near	; CODE XREF: NtSetInformationVirtualMemory+446p
					; MmSetPriorityVaRanges(x,x,x)+Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EFDA8 SIZE 00000059 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		and	[esp+24h+var_8], 0
		mov	eax, edx
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+2Ch+var_C], eax
		and	[esp+2Ch+var_10], esi
		mov	[esp+2Ch+var_4], ecx
		push	edi
		test	ecx, ecx
		jz	loc_7C0945

loc_7C089B:				; CODE XREF: MiProcessVaRangesInfoClass+CFj
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[esp+30h+var_14], ecx
		mov	[esp+30h+var_1C], eax

loc_7C08A8:				; CODE XREF: MiProcessVaRangesInfoClass+B5j
		lea	eax, [esp+30h+var_8]
		mov	edi, ecx
		push	eax
		xor	edx, edx
		mov	[esp+34h+var_20], edi
		call	MiObtainReferencedVadEx
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_7C0957
		mov	edx, [esp+30h+var_1C]
		dec	edi
		and	[esp+30h+var_18], 0
		add	edi, edx
		mov	ecx, [ebx+10h]
		or	edi, 0FFFh
		mov	eax, edi
		shr	eax, 0Ch
		cmp	eax, ecx
		ja	loc_8EFDA8

loc_7C08E6:				; CODE XREF: MiProcessVaRangesInfoClass+12F55Fj
		mov	ecx, ebx
		call	_MiVadSupportsPrivateCommit@4 ;	MiVadSupportsPrivateCommit(x)
		test	eax, eax
		jz	short loc_7C0950
		call	_MiIsVadLarge@4	; MiIsVadLarge(x)
		test	eax, eax
		jnz	short loc_7C0950
		cmp	[ebp+arg_0], 1
		jnz	loc_8EFDD4
		push	[ebp+arg_4]
		mov	ecx, [esp+34h+var_20]
		mov	edx, edi
		push	2
		push	ebx
		call	MiWalkVaRange

loc_7C0915:				; CODE XREF: MiProcessVaRangesInfoClass+E5j
					; MiProcessVaRangesInfoClass+12F582j ...
		mov	ecx, ebx
		call	MiUnlockAndDereferenceVad
		cmp	[esp+30h+var_18], 1
		mov	ecx, [esp+30h+var_14]
		jz	short loc_7C08A8
		mov	ecx, [esp+30h+var_10]
		mov	eax, [esp+30h+var_C]
		inc	ecx
		add	eax, 8
		mov	[esp+30h+var_10], ecx
		mov	[esp+30h+var_C], eax
		cmp	ecx, [esp+30h+var_4]
		jb	loc_7C089B

loc_7C0945:				; CODE XREF: MiProcessVaRangesInfoClass+25j
					; MiProcessVaRangesInfoClass+EBj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7C0950:				; CODE XREF: MiProcessVaRangesInfoClass+7Fj
					; MiProcessVaRangesInfoClass+88j
		mov	esi, 40000019h
		jmp	short loc_7C0915
; 

loc_7C0957:				; CODE XREF: MiProcessVaRangesInfoClass+4Ej
		mov	esi, [esp+30h+var_8]
		jmp	short loc_7C0945
MiProcessVaRangesInfoClass endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtOpenSection	proc near		; DATA XREF: .text:00580F14o

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	14h
		push	offset dword_6A3358
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jz	short loc_7C099C
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_7C09EC

loc_7C0991:				; CODE XREF: NtOpenSection+90j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C099C:				; CODE XREF: NtOpenSection+22j
		mov	esi, ds:_MmSectionObjectType
		lea	eax, [ebp+var_1C]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	edi
		push	[ebp+arg_4]
		push	edi
		push	[ebp+var_24]
		push	esi
		push	[ebp+arg_8]
		call	ObOpenObjectByNameEx
		mov	edx, eax
		mov	[ebp+arg_4], edx
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edx

loc_7C09DA:				; CODE XREF: sub_8EFE0F+Dj
					; sub_8EFE25+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7C09EC:				; CODE XREF: NtOpenSection+31j
		mov	ecx, eax
		jmp	short loc_7C0991
NtOpenSection	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtOpenKey(x, x, x)
_NtOpenKey@12	proc near		; CODE XREF: ExpWatchProductTypeInitialization+A6p
					; ExpWatchProductTypeInitialization+1E5p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		push	[ebp+arg_8]
		call	CmOpenKey
		pop	ecx
		pop	ebp
		retn	0Ch
_NtOpenKey@12	endp ; sp = -0Ch

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAssemblePrivileges proc near		; CODE XREF: SepAccessCheck+43Fp
					; SepAccessCheck+CEA1Cp ...

arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EFE37 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	bl, dl
		test	esi, esi
		jz	short loc_7C0A82
		test	ecx, ecx
		jz	short loc_7C0A82
		lea	eax, [ecx-1]
		imul	eax, 0Ch
		push	72506553h
		add	eax, 14h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_7C0A82
		xor	eax, eax
		mov	[edx], eax
		mov	[edx+4], eax
		push	edi
		mov	edi, 80000000h
		test	bl, bl
		jnz	short loc_7C0A88

loc_7C0A4F:				; CODE XREF: SepAssemblePrivileges+95j
		cmp	[ebp+arg_0], 0
		jz	short loc_7C0A75
		imul	ecx, eax, 0Ch
		mov	eax, ds:_SeTakeOwnershipPrivilege
		mov	[ecx+edx+8], eax
		mov	eax, ds:dword_A94CBC
		mov	[ecx+edx+0Ch], eax
		imul	eax, [edx], 0Ch
		mov	[eax+edx+10h], edi
		inc	dword ptr [edx]
		mov	eax, [edx]

loc_7C0A75:				; CODE XREF: SepAssemblePrivileges+45j
		cmp	[ebp+arg_4], 0
		jnz	loc_8EFE37

loc_7C0A7F:				; CODE XREF: SepAssemblePrivileges+12F447j
		mov	[esi], edx
		pop	edi

loc_7C0A82:				; CODE XREF: SepAssemblePrivileges+Ej
					; SepAssemblePrivileges+12j ...
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_7C0A88:				; CODE XREF: SepAssemblePrivileges+3Fj
		mov	eax, ds:_SeSecurityPrivilege
		mov	[edx+8], eax
		mov	eax, ds:dword_A94A3C
		mov	[edx+0Ch], eax
		imul	eax, [edx], 0Ch
		mov	[eax+edx+10h], edi
		inc	dword ptr [edx]
		mov	eax, [edx]
		jmp	short loc_7C0A4F
SepAssemblePrivileges endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1608. ObAssignSecurity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObAssignSecurity(x,	x, x, x)
		public _ObAssignSecurity@16
_ObAssignSecurity@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	ObpAssignSecurity
		pop	ebp
		retn	10h
_ObAssignSecurity@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpAssignSecurity proc near		; CODE XREF: ObAssignSecurity(x,x,x,x)+15p
					; ObpInsertOrLocateNamedObject+21Ep

var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 008EFE69 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	eax, edx
		push	edi
		mov	edi, ecx
		mov	[esp+28h+var_C], eax
		xor	ecx, ecx
		mov	[esp+28h+var_8], 8
		mov	[esp+28h+var_10], ecx
		mov	[esp+28h+var_14], ecx
		mov	edx, [edi+2Ch]
		mov	[esp+28h+var_18], ecx
		mov	[esp+28h+var_4], ecx
		lea	ecx, [esp+28h+var_8]
		push	ecx
		lea	ecx, [esp+2Ch+var_10]
		push	ecx
		push	eax
		mov	ecx, esi
		call	SeComputeAutoInheritByObjectTypeEx
		test	eax, eax
		js	loc_7C0BAC
		mov	ebx, [esp+28h+var_10]
		or	ebx, [ebp+arg_8]
		cmp	[ebp+arg_C], 0
		jnz	loc_7C0BB5

loc_7C0B29:				; CODE XREF: ObpAssignSecurity+11Bj
		cmp	esi, _ObpDirectoryObjectType
		lea	ecx, [esi+34h]
		mov	edx, [esp+28h+var_18]
		setz	al
		mov	byte ptr [esp+28h+var_10], al
		test	edx, edx
		jnz	short loc_7C0B44
		mov	edx, [edi+2Ch]

loc_7C0B44:				; CODE XREF: ObpAssignSecurity+77j
		push	ecx
		push	ecx
		mov	ecx, [esp+30h+var_C]
		lea	eax, [edi+1Ch]
		push	eax
		lea	eax, [esp+34h+var_8]
		push	eax
		push	ebx
		push	[esp+3Ch+var_10]
		xor	ebx, ebx
		lea	eax, [esp+40h+var_14]
		push	ebx
		push	eax
		call	_SeAssignSecurityEx2@40	; SeAssignSecurityEx2(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7C0BFA
		cmp	[esp+28h+var_18], ebx
		jnz	short loc_7C0BEB

loc_7C0B75:				; CODE XREF: ObpAssignSecurity+12Dj
		mov	eax, large fs:124h
		mov	ecx, [esi+6Ch]
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+28h+var_C], al
		lea	eax, [esi+34h]
		push	[esp+28h+var_C]
		push	eax
		push	1
		push	ebx
		push	ebx
		push	[esp+3Ch+var_14]
		push	ebx
		push	3
		push	[ebp+arg_0]
		call	ecx
		mov	esi, eax
		test	esi, esi
		js	loc_8EFE69

loc_7C0BAA:				; CODE XREF: ObpAssignSecurity+12F3ABj
		mov	eax, esi

loc_7C0BAC:				; CODE XREF: ObpAssignSecurity+4Aj
					; ObpAssignSecurity+121j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7C0BB5:				; CODE XREF: ObpAssignSecurity+5Bj
		cmp	esi, _ObpDirectoryObjectType
		lea	ecx, [edi+1Ch]
		mov	edx, [edi+2Ch]
		lea	eax, [esi+34h]
		push	ecx
		push	eax
		push	ecx
		setz	byte ptr [esp+34h+var_10]
		xor	eax, eax
		push	eax
		push	eax
		push	[esp+3Ch+var_10]
		xor	ecx, ecx
		push	eax
		lea	eax, [esp+44h+var_18]
		push	eax
		call	_SeAssignSecurityEx2@40	; SeAssignSecurityEx2(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	loc_7C0B29
		jmp	short loc_7C0BAC
; 

loc_7C0BEB:				; CODE XREF: ObpAssignSecurity+ABj
		push	ebx
		push	[esp+2Ch+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7C0B75
; 

loc_7C0BFA:				; CODE XREF: ObpAssignSecurity+A1j
		cmp	[esp+28h+var_18], ebx
		jnz	sub_8EFE5A

loc_7C0C04:				; CODE XREF: sub_8EFE5A+Aj
		mov	eax, edi
		jmp	short loc_7C0BAC
ObpAssignSecurity endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2320. RtlRunOnceExecuteOnce

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlRunOnceExecuteOnce
RtlRunOnceExecuteOnce proc near		; CODE XREF: RtlpHpMetadataHeapStart(x,x,x)+20p
					; ExCheckFullProcessInformationAccess+25p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008EFE78 SIZE 00000054 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+arg_C]
		push	edi
		push	0
		push	[ebp+arg_0]
		call	RtlRunOnceBeginInitialize
		mov	esi, eax
		test	esi, esi
		js	loc_8EFE78
		cmp	esi, 103h
		jz	short loc_7C0C57

loc_7C0C43:				; CODE XREF: RtlRunOnceExecuteOnce+74j
					; RtlRunOnceExecuteOnce+8Dj
		mov	ecx, large fs:124h
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_7C0C57:				; CODE XREF: RtlRunOnceExecuteOnce+33j
		push	edi
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		call	[ebp+arg_4]
		test	eax, eax
		jz	short loc_7C0C88
		test	edi, edi
		jz	short loc_7C0C84
		mov	eax, [edi]

loc_7C0C6B:				; CODE XREF: RtlRunOnceExecuteOnce+78j
		push	eax
		push	0
		push	[ebp+arg_0]
		call	RtlRunOnceComplete
		mov	esi, eax
		test	esi, esi
		js	loc_8EFE78
		xor	esi, esi
		jmp	short loc_7C0C43
; 

loc_7C0C84:				; CODE XREF: RtlRunOnceExecuteOnce+59j
		xor	eax, eax
		jmp	short loc_7C0C6B
; 

loc_7C0C88:				; CODE XREF: RtlRunOnceExecuteOnce+55j
		push	0
		push	4
		push	[ebp+arg_0]
		mov	esi, 0C0000001h
		call	RtlRunOnceComplete
		test	eax, eax
		jns	short loc_7C0C43
		mov	esi, eax
		jmp	loc_8EFE78
RtlRunOnceExecuteOnce endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2318. RtlRunOnceBeginInitialize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlRunOnceBeginInitialize
RtlRunOnceBeginInitialize proc near	; CODE XREF: RtlRunOnceExecuteOnce+1Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	eax, ebx
		push	esi
		push	edi
		lea	ecx, [ebx-1]
		and	ecx, ebx
		neg	ecx
		sbb	cl, cl
		and	eax, 0FFFFFFFCh
		inc	cl
		neg	eax
		sbb	al, al
		inc	al
		test	cl, al
		jz	short loc_7C0D34
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		mov	eax, [edi]
		mov	ecx, eax
		and	cl, 3
		cmp	cl, 2
		jnz	short loc_7C0CFB

loc_7C0CE4:				; CODE XREF: RtlRunOnceExecuteOnce+12F2A1j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_7C0CF0
		and	eax, 0FFFFFFFCh
		mov	[ecx], eax

loc_7C0CF0:				; CODE XREF: RtlRunOnceBeginInitialize+3Fj
					; RtlRunOnceBeginInitialize+81j ...
		mov	eax, esi

loc_7C0CF2:				; CODE XREF: RtlRunOnceBeginInitialize+88j
					; RtlRunOnceBeginInitialize+8Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7C0CFB:				; CODE XREF: RtlRunOnceBeginInitialize+38j
		test	bl, 1
		jnz	short loc_7C0D2D
		and	ebx, 2

loc_7C0D03:				; CODE XREF: RtlRunOnceBeginInitialize+7Aj
					; RtlRunOnceExecuteOnce+12F28Fj
		mov	ecx, eax
		and	ecx, 3
		jnz	loc_8EFE8B
		xor	edx, edx
		mov	ecx, eax
		test	ebx, ebx
		setnz	dl
		lea	edx, ds:1[edx*2]
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jnz	short loc_7C0D03
		mov	esi, 103h
		jmp	short loc_7C0CF0
; 

loc_7C0D2D:				; CODE XREF: RtlRunOnceBeginInitialize+54j
		mov	eax, 0C0000001h
		jmp	short loc_7C0CF2
; 

loc_7C0D34:				; CODE XREF: RtlRunOnceBeginInitialize+27j
		mov	eax, 0C00000F0h
		jmp	short loc_7C0CF2
RtlRunOnceBeginInitialize endp

; 
		align 10h
; Exported entry 2319. RtlRunOnceComplete

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlRunOnceComplete
RtlRunOnceComplete proc	near		; CODE XREF: RtlRunOnceExecuteOnce+63p
					; RtlRunOnceExecuteOnce+86p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008EFECC SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, eax
		push	esi
		push	edi
		lea	edx, [eax-1]
		and	edx, eax
		neg	edx
		sbb	dl, dl
		and	ecx, 0FFFFFFF9h
		inc	dl
		neg	ecx
		sbb	cl, cl
		inc	cl
		test	dl, cl
		jz	short loc_7C0DDB
		mov	esi, [ebp+arg_8]
		shr	eax, 1
		not	eax
		and	eax, 3
		test	esi, esi
		jz	short loc_7C0D91
		mov	edx, esi
		and	dl, 3
		neg	dl
		sbb	dl, dl
		inc	dl
		test	al, 2
		setnz	cl
		test	dl, cl
		jnz	short loc_7C0D91
		mov	eax, 0C00000F1h

loc_7C0D8B:				; CODE XREF: RtlRunOnceComplete+92j
					; RtlRunOnceComplete+99j ...
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_7C0D91:				; CODE XREF: RtlRunOnceComplete+30j
					; RtlRunOnceComplete+44j
		mov	edi, [ebp+arg_0]
		cmp	eax, 2
		mov	ecx, [edi]
		mov	[ebp+arg_4], ecx
		sbb	ecx, ecx
		mov	edx, [ebp+arg_4]
		and	ecx, 0FFFFFFFEh
		add	ecx, 2
		and	esi, 0FFFFFFFCh
		and	edx, 3
		or	ecx, esi
		cmp	edx, 1
		jnz	loc_8EFECC
		test	al, dl
		jz	short loc_7C0DDB
		xchg	ecx, [edi]
		mov	[ebp+arg_4], ecx
		and	cl, 3
		cmp	cl, dl
		jnz	short loc_7C0DD4
		lea	ecx, [ebp+arg_4]
		call	RtlpRunOnceWakeAll

loc_7C0DD0:				; CODE XREF: RtlRunOnceComplete+12F1A3j
		xor	eax, eax
		jmp	short loc_7C0D8B
; 

loc_7C0DD4:				; CODE XREF: RtlRunOnceComplete+86j
		mov	eax, 0C000005Ah
		jmp	short loc_7C0D8B
; 

loc_7C0DDB:				; CODE XREF: RtlRunOnceComplete+22j
					; RtlRunOnceComplete+7Aj ...
		mov	eax, 0C00000F0h
		jmp	short loc_7C0D8B
RtlRunOnceComplete endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpRunOnceWakeAll proc	near		; CODE XREF: RtlRunOnceComplete+8Bp

; FUNCTION CHUNK AT 008EFEFD SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, [ecx]
		push	esi
		and	eax, 0FFFFFFFCh
		jnz	loc_8EFEFD

loc_7C0DF7:				; CODE XREF: RtlpRunOnceWakeAll+12F133j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
RtlpRunOnceWakeAll endp


;  S U B	R O U T	I N E 


AlpcpTrackPortReferences proc near	; CODE XREF: ExpWorkerFactoryStartDeferredWork(x,x)+96p
					; NtAlpcSendWaitReceivePort+1AEp

; FUNCTION CHUNK AT 008EFF1A SIZE 00000047 BYTES

		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		inc	ebx
		lock xadd [edi+0ECh], ebx
		inc	ebx
		cmp	dword ptr [edi+0F0h], 0
		jnz	loc_8EFF1A
		pop	edi
		pop	ebx
		retn
AlpcpTrackPortReferences endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQueryPerformanceCounter proc near	; DATA XREF: .text:00580E24o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008EFF81 SIZE 0000002D BYTES

		push	14h
		push	offset dword_6A33E0
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], edx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	loc_8EFF81
		mov	[ebp+ms_exc.disabled], edx
		mov	ecx, [ebp+arg_0]
		test	cl, 3
		jnz	short loc_7C0ECB
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_7C0EC3

loc_7C0E5A:				; CODE XREF: NtQueryPerformanceCounter+A7j
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+4]
		mov	[ecx+4], al
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jnz	short loc_7C0E9C

loc_7C0E6B:				; CODE XREF: NtQueryPerformanceCounter+96j
		lea	eax, [ebp+var_24]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	[ecx+4], edx
		test	ebx, ebx
		jnz	short loc_7C0EB6

loc_7C0E81:				; CODE XREF: NtQueryPerformanceCounter+A3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C0E88:				; CODE XREF: NtQueryPerformanceCounter+12F17Aj
					; NtQueryPerformanceCounter+12F18Bj
		xor	eax, eax

loc_7C0E8A:				; CODE XREF: sub_8EFF6F+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7C0E9C:				; CODE XREF: NtQueryPerformanceCounter+4Bj
		test	bl, 3
		jnz	short loc_7C0ECB
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	short loc_7C0EC7

loc_7C0EAA:				; CODE XREF: NtQueryPerformanceCounter+ABj
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+4]
		mov	[ebx+4], al
		jmp	short loc_7C0E6B
; 

loc_7C0EB6:				; CODE XREF: NtQueryPerformanceCounter+61j
		mov	eax, [ebp+var_24]
		mov	[ebx], eax
		mov	eax, [ebp+var_20]
		mov	[ebx+4], eax
		jmp	short loc_7C0E81
; 

loc_7C0EC3:				; CODE XREF: NtQueryPerformanceCounter+3Aj
		mov	[eax], dl
		jmp	short loc_7C0E5A
; 

loc_7C0EC7:				; CODE XREF: NtQueryPerformanceCounter+8Aj
		mov	[eax], dl
		jmp	short loc_7C0EAA
; 

loc_7C0ECB:				; CODE XREF: NtQueryPerformanceCounter+31j
					; NtQueryPerformanceCounter+81j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

; __stdcall EtwpFreeLoggerContext(x)
_EtwpFreeLoggerContext@4:		; CODE XREF: EtwpLogger(x)+421p
					; EtwpStopTrace+1297BFp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ebx, [esi+2E4h]
		mov	[ebp+ms_exc.msEH_ptr], ebx
		call	EtwpShutdownConsumers
		mov	edi, [esi]
		mov	ecx, esi
		mov	[ebp+ms_exc.disabled], edi
		call	EtwpCancelPendingStackwalkApcs
		mov	ecx, [ebx+188h]
		xor	edx, edx
		inc	edx
		mov	ecx, [ecx+edi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		mov	ecx, [ebx+188h]
		mov	ecx, [ecx+edi*4]
		call	@ExWaitForRundownProtectionReleaseCacheAware@4 ; ExWaitForRundownProtectionReleaseCacheAware(x)
		lea	ecx, [esi+2D4h]
		call	EtwpFreeDisallowedGuids
		mov	eax, [esi+2DCh]
		test	eax, eax
		jz	short loc_7C0F76
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	short loc_7C0F52
		xor	eax, eax
		lea	edi, [ebp+ms_exc]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+ms_exc]
		push	eax
		push	1
		push	1
		push	ecx
		call	ExDeleteTimer
		mov	eax, [esi+2DCh]
		mov	edi, [ebp+ms_exc.disabled]

loc_7C0F52:				; CODE XREF: NtQueryPerformanceCounter+112j
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_7C0F67
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+2DCh]

loc_7C0F67:				; CODE XREF: NtQueryPerformanceCounter+139j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+2DCh], 0

loc_7C0F76:				; CODE XREF: NtQueryPerformanceCounter+10Bj
		cmp	dword ptr [esi+0E0h], 1
		jz	short loc_7C0F84
		call	_EtwpSynchronizeWithElevatedIrqlLogging@0 ; EtwpSynchronizeWithElevatedIrqlLogging()

loc_7C0F84:				; CODE XREF: NtQueryPerformanceCounter+15Fj
		mov	ecx, esi
		call	EtwpFreeCompression
		lea	eax, [esi+188h]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		lea	eax, [esi+1B0h]
		push	eax
		call	_KeRemoveQueueDpc@4 ; KeRemoveQueueDpc(x)
		mov	ecx, esi
		call	EtwpFreeSoftRestartContext
		mov	ecx, esi
		call	_EtwpFreeTraceBufferPool@4 ; EtwpFreeTraceBufferPool(x)
		mov	edx, ds:_KeNumberProcessors
		test	edx, edx
		jz	short loc_7C0FDE
		xor	ecx, ecx

loc_7C0FBD:				; CODE XREF: NtQueryPerformanceCounter+1BEj
		mov	eax, [esi+2E4h]
		lea	ecx, [ecx+40h]
		mov	eax, [eax+8D8h]
		mov	eax, [eax+ecx-3Ch]
		and	dword ptr [eax+edi*8], 0
		and	dword ptr [eax+edi*8+4], 0
		sub	edx, 1
		jnz	short loc_7C0FBD

loc_7C0FDE:				; CODE XREF: NtQueryPerformanceCounter+19Bj
		lea	eax, [esi+64h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+6Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+74h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+114h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [esi+204h]
		test	ecx, ecx
		jz	short loc_7C1014
		call	ObfDereferenceObject

loc_7C1014:				; CODE XREF: NtQueryPerformanceCounter+1EFj
		mov	eax, [esi+234h]
		xor	edi, edi
		test	eax, eax
		jz	short loc_7C1027
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C1027:				; CODE XREF: NtQueryPerformanceCounter+200j
		mov	ecx, esi
		call	_EtwpFreeLoggerSecurityDescriptor@4 ; EtwpFreeLoggerSecurityDescriptor(x)
		mov	eax, [esi+258h]
		test	al, al
		jns	short loc_7C1056
		push	edi
		push	dword ptr [esi+2B4h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		push	dword ptr [esi+298h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+258h]

loc_7C1056:				; CODE XREF: NtQueryPerformanceCounter+218j
		test	eax, 2000h
		jz	short loc_7C1068
		call	_EtwpReleaseStackLookasideList@0 ; EtwpReleaseStackLookasideList()
		mov	eax, [esi+258h]

loc_7C1068:				; CODE XREF: NtQueryPerformanceCounter+23Dj
		test	eax, 1000000h
		jz	short loc_7C107A
		mov	ecx, [esi+2B8h]
		call	_EtwpFreeStackCache@4 ;	EtwpFreeStackCache(x)

loc_7C107A:				; CODE XREF: NtQueryPerformanceCounter+24Fj
		test	dword ptr [esi+0Ch], 2000000h
		jz	short loc_7C1091
		movzx	edx, byte ptr [esi+25Ah]
		mov	ecx, ebx
		call	_EtwpFreeSystemLoggerIndex@8 ; EtwpFreeSystemLoggerIndex(x,x)

loc_7C1091:				; CODE XREF: NtQueryPerformanceCounter+263j
		cmp	[esi+2BCh], edi
		jz	short loc_7C10A0
		mov	ecx, esi
		call	_EtwpFreePmcData@4 ; EtwpFreePmcData(x)

loc_7C10A0:				; CODE XREF: NtQueryPerformanceCounter+279j
		cmp	[esi+2C0h], edi
		jz	short loc_7C10AF
		mov	ecx, esi
		call	_EtwpFreeLbrData@4 ; EtwpFreeLbrData(x)

loc_7C10AF:				; CODE XREF: NtQueryPerformanceCounter+288j
		cmp	[esi+2C4h], edi
		jz	short loc_7C10BE
		mov	ecx, esi
		call	_EtwpDestructIptData@4 ; EtwpDestructIptData(x)

loc_7C10BE:				; CODE XREF: NtQueryPerformanceCounter+297j
		mov	eax, [esi+360h]
		test	eax, eax
		jz	short loc_7C10CF
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C10CF:				; CODE XREF: NtQueryPerformanceCounter+2A8j
		lea	ebx, [esi+48h]
		mov	edi, [ebx]
		jmp	short loc_7C10E2
; 

loc_7C10D6:				; CODE XREF: NtQueryPerformanceCounter+2C6j
		mov	eax, edi
		mov	edi, [edi]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C10E2:				; CODE XREF: NtQueryPerformanceCounter+2B6j
		cmp	edi, ebx
		jnz	short loc_7C10D6
		lea	ebx, [esi+2C8h]
		mov	edi, [ebx]
		jmp	short loc_7C10FC
; 

loc_7C10F0:				; CODE XREF: NtQueryPerformanceCounter+2E0j
		mov	eax, edi
		mov	edi, [edi]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C10FC:				; CODE XREF: NtQueryPerformanceCounter+2D0j
		cmp	edi, ebx
		jnz	short loc_7C10F0
		xor	ebx, ebx
		jmp	short loc_7C1113
; 

loc_7C1104:				; CODE XREF: NtQueryPerformanceCounter+2F8j
		mov	ecx, [esi+50h]
		push	ebx
		push	ecx
		mov	eax, [ecx]
		mov	[esi+50h], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C1113:				; CODE XREF: NtQueryPerformanceCounter+2E4j
		cmp	[esi+50h], ebx
		jnz	short loc_7C1104
		lea	ecx, [esi+378h]
		call	EtwpClearPartitionContext
		mov	eax, [esi+37Ch]
		test	eax, eax
		jz	short loc_7C1134
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C1134:				; CODE XREF: NtQueryPerformanceCounter+30Dj
		mov	edi, [ebp+ms_exc.msEH_ptr]
		mov	ebx, [ebp+ms_exc.disabled]
		mov	ecx, [edi+188h]
		mov	ecx, [ecx+ebx*4]
		call	@ExReInitializeRundownProtectionCacheAware@4 ; ExReInitializeRundownProtectionCacheAware(x)
		mov	eax, [edi+18Ch]
		push	0
		push	esi
		mov	dword ptr [eax+ebx*4], 1
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lock dec dword ptr [edi+8C8h]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
NtQueryPerformanceCounter endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall EtwpFreeLoggerSecurityDescriptor(x)
_EtwpFreeLoggerSecurityDescriptor@4 proc near ;	CODE XREF: NtQueryPerformanceCounter+20Bp
		xor	eax, eax
		add	ecx, 238h
		xchg	eax, [ecx]
		mov	ecx, eax
		and	eax, 0FFFFFFF8h
		and	ecx, 7
		inc	ecx
		push	ecx
		push	eax
		call	ObDereferenceSecurityDescriptor
		retn
_EtwpFreeLoggerSecurityDescriptor@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpFreeTraceBufferPool(x)
_EtwpFreeTraceBufferPool@4 proc	near	; CODE XREF: NtQueryPerformanceCounter+18Ep
					; EtwpStartLogger+120B0Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		test	dword ptr [edi+0Ch], 40000h
		mov	eax, [edi]
		mov	[ebp+var_C], eax
		jnz	loc_7C1306
		lea	ecx, [edi+30h]
		push	esi

loc_7C11AA:				; CODE XREF: EtwpFreeTraceBufferPool(x)+52j
		mov	edx, ecx
		mov	ecx, edi
		call	EtwpDequeueBuffer
		mov	esi, eax
		test	esi, esi
		jz	short loc_7C11D5
		lea	eax, [edi+0A0h]
		lock dec dword ptr [eax]
		lock dec dword ptr [edi+9Ch]
		mov	edx, esi
		mov	ecx, edi
		inc	ebx
		call	EtwpFreeTraceBuffer
		test	esi, esi

loc_7C11D5:				; CODE XREF: EtwpFreeTraceBufferPool(x)+31j
		lea	ecx, [edi+30h]
		jnz	short loc_7C11AA

loc_7C11DA:				; CODE XREF: EtwpFreeTraceBufferPool(x)+7Cj
		lea	edx, [edi+38h]
		mov	ecx, edi
		call	EtwpDequeueBuffer
		mov	edx, eax
		test	edx, edx
		jz	short loc_7C1204
		lea	eax, [edi+0A0h]
		lock dec dword ptr [eax]
		lock dec dword ptr [edi+9Ch]
		mov	ecx, edi
		inc	ebx
		call	EtwpFreeTraceBuffer
		jmp	short loc_7C11DA
; 

loc_7C1204:				; CODE XREF: EtwpFreeTraceBufferPool(x)+62j
		mov	ecx, edi
		call	EtwpQueryUsedProcessorCount
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_7C127A
		xor	ecx, ecx
		mov	[ebp+var_4], ecx

loc_7C1217:				; CODE XREF: EtwpFreeTraceBufferPool(x)+F2j
		test	dword ptr [edi+0Ch], 10000000h
		jz	short loc_7C1225
		lea	edx, [edi+58h]
		jmp	short loc_7C123A
; 

loc_7C1225:				; CODE XREF: EtwpFreeTraceBufferPool(x)+98j
		mov	eax, [edi+2E4h]
		mov	edx, [ebp+var_C]
		mov	eax, [eax+8D8h]
		mov	eax, [eax+ecx]
		lea	edx, [eax+edx*4]

loc_7C123A:				; CODE XREF: EtwpFreeTraceBufferPool(x)+9Dj
		xor	eax, eax
		xchg	eax, [edx]
		mov	edx, eax
		and	edx, 0FFFFFFF8h
		jz	short loc_7C126E
		and	eax, 7
		lea	ecx, [edx+0Ch]
		neg	eax
		lock xadd [ecx], eax

loc_7C1251:				; CODE XREF: EtwpFreeTraceBufferPool(x)+E3j
		mov	esi, [edx+20h]
		lea	eax, [edi+0A0h]
		lock dec dword ptr [eax]
		mov	ecx, edi
		inc	ebx
		call	EtwpFreeTraceBuffer
		mov	edx, esi
		test	esi, esi
		jnz	short loc_7C1251
		mov	ecx, [ebp+var_4]

loc_7C126E:				; CODE XREF: EtwpFreeTraceBufferPool(x)+BDj
		add	ecx, 40h
		sub	[ebp+var_8], 1
		mov	[ebp+var_4], ecx
		jnz	short loc_7C1217

loc_7C127A:				; CODE XREF: EtwpFreeTraceBufferPool(x)+8Aj
		cmp	dword ptr [edi+300h], 0
		jz	short loc_7C129A
		lea	eax, [edi+0A0h]
		lock dec dword ptr [eax]
		mov	edx, [edi+300h]
		mov	ecx, edi
		inc	ebx
		call	EtwpFreeTraceBuffer

loc_7C129A:				; CODE XREF: EtwpFreeTraceBufferPool(x)+FBj
					; EtwpFreeTraceBufferPool(x)+131j
		mov	ecx, [edi+318h]
		test	ecx, ecx
		jz	short loc_7C12B9
		mov	eax, [ecx]
		mov	[edi+318h], eax
		lea	eax, [ecx-20h]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7C129A
; 

loc_7C12B9:				; CODE XREF: EtwpFreeTraceBufferPool(x)+11Cj
		lea	esi, [edi+40h]

loc_7C12BC:				; CODE XREF: EtwpFreeTraceBufferPool(x)+155j
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_7C12E2
		cmp	[eax+4], esi
		jnz	short loc_7C12DD
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_7C12DD
		push	0
		mov	[esi], ecx
		push	eax
		mov	[ecx+4], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7C12BC
; 

loc_7C12DD:				; CODE XREF: EtwpFreeTraceBufferPool(x)+13Fj
					; EtwpFreeTraceBufferPool(x)+146j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_7C12E2:				; CODE XREF: EtwpFreeTraceBufferPool(x)+13Aj
		mov	ecx, [edi+0E0h]
		mov	edx, [edi+4]
		and	ecx, 1
		mov	eax, [edi+2E4h]
		imul	edx, ebx
		lea	eax, [eax+ecx*4]
		add	eax, 8C0h
		neg	edx
		lock xadd [eax], edx
		pop	esi

loc_7C1306:				; CODE XREF: EtwpFreeTraceBufferPool(x)+1Aj
		pop	edi
		xor	eax, eax
		pop	ebx
		leave
		retn
_EtwpFreeTraceBufferPool@4 endp


;  S U B	R O U T	I N E 


EtwpFreeSoftRestartContext proc	near	; CODE XREF: NtQueryPerformanceCounter+187p

; FUNCTION CHUNK AT 008EFFAE SIZE 00000022 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+2E0h]
		test	edi, edi
		jnz	loc_8EFFAE

loc_7C1320:				; CODE XREF: EtwpFreeSoftRestartContext+12ECBFj
		pop	edi
		pop	esi
		retn
EtwpFreeSoftRestartContext endp

; 
		align 4

;  S U B	R O U T	I N E 


EtwpFreeDisallowedGuids	proc near	; CODE XREF: NtQueryPerformanceCounter+FEp

; FUNCTION CHUNK AT 008EFFD0 SIZE 00000016 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		cmp	[esi], di
		jnz	loc_8EFFD0

loc_7C1335:				; CODE XREF: EtwpFreeDisallowedGuids+12ECBDj
		pop	edi
		pop	esi
		retn
EtwpFreeDisallowedGuids	endp


;  S U B	R O U T	I N E 


EtwpShutdownConsumers proc near		; CODE XREF: NtQueryPerformanceCounter+C8p

; FUNCTION CHUNK AT 008EFFE6 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, ecx
		call	EtwpRealtimeDisconnectAllConsumers
		lea	ebx, [edi+1F0h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		or	dword ptr [edi+258h], 200h
		lea	ecx, [edi+25Ch]
		mov	eax, [ecx]
		test	al, 20h
		jnz	loc_8EFFE6

loc_7C136C:				; CODE XREF: EtwpShutdownConsumers+12ECE8j
		pop	edi
		mov	ecx, ebx
		xor	edx, edx
		pop	ebx
		jmp	ExReleasePushLockEx
EtwpShutdownConsumers endp

; 
		align 4

;  S U B	R O U T	I N E 


EtwpRealtimeDisconnectAllConsumers proc	near ; CODE XREF: EtwpShutdownConsumers+6p
					; EtwpLogger(x)+1ABp

; FUNCTION CHUNK AT 008F0025 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebx+100h]

loc_7C1385:				; CODE XREF: EtwpRealtimeDisconnectAllConsumers+12ECDBj
		mov	esi, [edi]
		cmp	esi, edi
		jnz	loc_8F0025
		pop	edi
		pop	esi
		pop	ebx
		retn
EtwpRealtimeDisconnectAllConsumers endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall EtwpFreeSystemLoggerIndex(x, x)
_EtwpFreeSystemLoggerIndex@8 proc near	; CODE XREF: NtQueryPerformanceCounter+26Ep
		lea	eax, [ecx+924h]
		lock btr [eax],	edx
		retn
_EtwpFreeSystemLoggerIndex@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAlpcOpenSenderProcess	proc near	; DATA XREF: .text:0058120Co

var_60		= dword	ptr -60h
var_48		= dword	ptr -48h
Source2		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008F0064 SIZE 0000000E BYTES
; FUNCTION CHUNK AT 008F0093 SIZE 000000D1 BYTES

		push	50h
		push	offset dword_6A3420
		call	__SEH_prolog4
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_48]
		rep stosd
		xor	edi, edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_24], bl
		mov	eax, ds:_AlpcPortObjectType
		mov	[ebp+var_1C], edi
		push	edi
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	20000h
		push	[ebp+arg_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7C151B
		test	bl, bl
		jz	loc_7C15A4
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+arg_0]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		jnb	loc_8F005D

loc_7C141F:				; CODE XREF: EtwpRealtimeDisconnectAllConsumers+12ECE7j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	esi, [ebp+arg_8]
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8F0064

loc_7C1433:				; CODE XREF: NtAlpcOpenSenderProcess+12ECC6j
		push	6
		pop	ecx
		lea	edi, [ebp+var_48]
		rep movsd
		nop
		mov	esi, [ebp+arg_14]
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8F006B

loc_7C144C:				; CODE XREF: NtAlpcOpenSenderProcess+12ECCDj
		push	6
		pop	ecx
		lea	edi, [ebp+var_60]
		rep movsd
		nop
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C145C:				; CODE XREF: NtAlpcOpenSenderProcess+21Aj
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		push	[ebp+var_34]
		mov	edx, [ebp+var_38]
		mov	ebx, [ebp+var_1C]
		mov	ecx, ebx
		call	AlpcpLookupMessage
		mov	esi, eax
		test	esi, esi
		js	loc_8F0093
		mov	esi, [ebp+var_20]
		test	byte ptr [esi+14h], 80h
		jnz	loc_7C15BF
		mov	edi, [esi+10h]
		test	edi, edi
		jz	loc_7C153B
		push	8		; Length
		lea	eax, [ebp+Source2]
		push	eax		; Source2
		lea	eax, [edi+2ACh]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 8
		jnz	loc_8F009F
		mov	edi, [edi+150h]
		mov	edx, 63706C41h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag

loc_7C14C0:				; CODE XREF: NtAlpcOpenSenderProcess+1FFj
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	loc_8F0158

loc_7C14CD:				; CODE XREF: NtAlpcOpenSenderProcess+12EDBFj
		mov	ecx, esi
		call	AlpcpUnlockBlob
		push	[ebp+var_24]
		push	0
		lea	eax, [ebp+Source2]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		mov	edx, [ebp+arg_10]
		lea	ecx, [ebp+var_28]
		call	_PsOpenProcess@24 ; PsOpenProcess(x,x,x,x,x,x)
		mov	esi, eax
		mov	edx, 63706C41h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	ecx, ebx
		call	ObfDereferenceObject
		test	esi, esi
		js	short loc_7C151B
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax

loc_7C1514:				; CODE XREF: sub_8F0080+Ej
					; sub_8F0172+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C151B:				; CODE XREF: NtAlpcOpenSenderProcess+5Dj
					; NtAlpcOpenSenderProcess+163j	...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7C153B:				; CODE XREF: NtAlpcOpenSenderProcess+EDj
		mov	eax, [esi+0Ch]
		mov	[ebp+arg_8], eax
		test	eax, eax
		jz	loc_8F00D5
		lea	edi, [eax+0D0h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+arg_8]
		test	byte ptr [eax+0F4h], 40h
		jnz	loc_8F00FD
		mov	ecx, [eax+0Ch]
		mov	[ebp+arg_8], ecx
		mov	eax, [ecx+0E4h]
		cmp	eax, [ebp+Source2]
		jnz	loc_8F0141
		mov	edx, 63706C41h
		call	ObfReferenceObjectWithTag
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_7C15E0

loc_7C1595:				; CODE XREF: NtAlpcOpenSenderProcess+247j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	edi, [ebp+arg_8]
		jmp	loc_7C14C0
; 

loc_7C15A4:				; CODE XREF: NtAlpcOpenSenderProcess+65j
		push	6
		pop	ecx
		mov	esi, [ebp+arg_8]
		lea	edi, [ebp+var_48]
		rep movsd
		push	6
		pop	ecx
		mov	esi, [ebp+arg_14]
		lea	edi, [ebp+var_60]
		rep movsd
		jmp	loc_7C145C
; 

loc_7C15BF:				; CODE XREF: NtAlpcOpenSenderProcess+E2j
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	short loc_7C15E9

loc_7C15C8:				; CODE XREF: NtAlpcOpenSenderProcess+250j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	esi, 0C0000703h
		jmp	loc_7C151B
; 

loc_7C15E0:				; CODE XREF: NtAlpcOpenSenderProcess+1F3j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7C1595
; 

loc_7C15E9:				; CODE XREF: NtAlpcOpenSenderProcess+226j
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	short loc_7C15C8
NtAlpcOpenSenderProcess	endp

; 
		align 8
; Exported entry 667. FsRtlTeardownPerFileContexts

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlTeardownPerFileContexts
FsRtlTeardownPerFileContexts proc near

var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 007C16D3 SIZE 00000005 BYTES

		push	0Ch
		push	offset dword_6A3448
		call	__SEH_prolog4
		xor	esi, esi
		mov	eax, [ebp+arg_0]
		xchg	esi, [eax]
		mov	[ebp+arg_0], esi
		test	esi, esi
		jnz	short loc_7C1624

loc_7C1612:				; CODE XREF: FsRtlTeardownPerFileContexts+BCj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7C1624:				; CODE XREF: FsRtlTeardownPerFileContexts+18j
		lea	edi, [esi+4]
		cmp	[edi], edi
		jz	short loc_7C16A9
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	al, 1
		mov	[ebp+var_19], al
		and	[ebp+ms_exc.disabled], 0

loc_7C164B:				; CODE XREF: FsRtlTeardownPerFileContexts+A3j
		mov	ebx, [edi]
		cmp	ebx, edi
		jz	short loc_7C169D
		mov	eax, [ebx]
		cmp	[ebx+4], edi
		jnz	short loc_7C16D3
		cmp	[eax+4], ebx
		jnz	short loc_7C16D3
		mov	[edi], eax
		mov	[eax+4], edi
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	[ebp+var_19], 0
		push	ebx
		call	dword ptr [ebx+10h]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	al, 1
		mov	[ebp+var_19], al
		jmp	short loc_7C164B
; 

loc_7C169D:				; CODE XREF: FsRtlTeardownPerFileContexts+57j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7C16B9

loc_7C16A9:				; CODE XREF: FsRtlTeardownPerFileContexts+31j
		push	63665346h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7C1612
FsRtlTeardownPerFileContexts endp


;  S U B	R O U T	I N E 


sub_7C16B9	proc near		; CODE XREF: FsRtlTeardownPerFileContexts+ACp
					; sub_8F017D+6j
		test	al, al
		jz	short locret_7C16D2
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

locret_7C16D2:				; CODE XREF: sub_7C16B9+2j
		retn
sub_7C16B9	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlTeardownPerFileContexts

loc_7C16D3:				; CODE XREF: FsRtlTeardownPerFileContexts+5Ej
					; FsRtlTeardownPerFileContexts+63j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
; END OF FUNCTION CHUNK	FOR FsRtlTeardownPerFileContexts ; AL =	character to display

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspDeleteKernelStack(x, x, x)
_PspDeleteKernelStack@12 proc near	; DATA XREF: PspReaper+3Eo
					; PspThreadDelete+14534Co ...

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	2
		pop	edx
		mov	ecx, [ecx]
		call	_MmDeleteKernelStack@8 ; MmDeleteKernelStack(x,x)
		pop	ebp
		retn	0Ch
_PspDeleteKernelStack@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnVolumeKeyQuery proc	near		; CODE XREF: PfSnNameQueryWorker(x)+5Dp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F0188 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	edx, [esi+190h]
		lea	edi, [esi+188h]
		mov	eax, [edi]
		lea	ecx, [eax+edx*4]

loc_7C170B:				; CODE XREF: PfSnVolumeKeyQuery+71j
		cmp	eax, ecx
		jnb	short loc_7C171C
		cmp	[eax], ebx
		jnz	short loc_7C175C

loc_7C1713:				; CODE XREF: PfSnVolumeKeyQuery+6Aj
		xor	eax, eax

loc_7C1715:				; CODE XREF: PfSnVolumeKeyQuery+6Cj
					; PfSnVolumeKeyQuery+12EAA6j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7C171C:				; CODE XREF: PfSnVolumeKeyQuery+1Fj
		push	edi
		lea	eax, [esi+18Ch]
		push	eax
		push	ecx
		mov	ecx, edx
		call	PfSnArrayGrow
		test	eax, eax
		jz	loc_8F0188
		mov	ecx, [esi+190h]
		mov	eax, [edi]
		push	[ebp+arg_0]
		mov	[eax+ecx*4], ebx
		inc	dword ptr [esi+190h]
		mov	eax, dword_6D4928
		push	dword ptr [esi+100h]
		call	dword ptr [eax+0Ch]
		test	eax, eax
		jns	short loc_7C1713
		jmp	short loc_7C1715
; 

loc_7C175C:				; CODE XREF: PfSnVolumeKeyQuery+23j
		add	eax, 4
		jmp	short loc_7C170B
PfSnVolumeKeyQuery endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnArrayGrow	proc near		; CODE XREF: PfSnVolumeKeyQuery+39p

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F0199 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	esi, esi
		mov	eax, [eax]
		mov	[ebp+var_4], esi
		push	edi
		cmp	ecx, eax
		jb	short loc_7C17D6
		imul	edi, eax, 3
		push	4
		pop	edx
		shr	edi, 1
		cmp	edi, edx
		jnb	short loc_7C1787
		mov	edi, edx

loc_7C1787:				; CODE XREF: PfSnArrayGrow+21j
		cmp	ecx, edi
		jnb	short loc_7C17E2

loc_7C178B:				; CODE XREF: PfSnArrayGrow+87j
		mov	eax, edi
		lea	ecx, [ebp+var_4]
		mul	edx
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_7C17D9
		push	56506343h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7C17D9
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		shl	eax, 2
		test	eax, eax
		jnz	loc_8F0199

loc_7C17C2:				; CODE XREF: PfSnArrayGrow+12EA46j
		mov	eax, [ebp+arg_8]
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	loc_8F01AD

loc_7C17CF:				; CODE XREF: PfSnArrayGrow+12EA55j
		mov	[eax], ebx
		mov	eax, [ebp+arg_4]
		mov	[eax], edi

loc_7C17D6:				; CODE XREF: PfSnArrayGrow+15j
		xor	esi, esi
		inc	esi

loc_7C17D9:				; CODE XREF: PfSnArrayGrow+39j
					; PfSnArrayGrow+4Ej ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7C17E2:				; CODE XREF: PfSnArrayGrow+27j
		lea	edi, [ecx+4]
		cmp	edi, ecx
		jb	short loc_7C17D9
		jmp	short loc_7C178B
PfSnArrayGrow	endp

; 
		align 10h
; Exported entry 500. FsRtlCurrentBatchOplock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlCurrentBatchOplock(x)
		public _FsRtlCurrentBatchOplock@4
_FsRtlCurrentBatchOplock@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	cl, cl
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_7C1806
		test	byte ptr [eax+48h], 0Ch
		jnz	short loc_7C180C

loc_7C1806:				; CODE XREF: FsRtlCurrentBatchOplock(x)+Ej
					; FsRtlCurrentBatchOplock(x)+1Ej
		mov	al, cl
		pop	ebp
		retn	4
; 

loc_7C180C:				; CODE XREF: FsRtlCurrentBatchOplock(x)+14j
		mov	cl, 1
		jmp	short loc_7C1806
_FsRtlCurrentBatchOplock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExHandleSPCall2	proc near		; CODE XREF: PAGE:007812B8p
					; PAGE:007B4704p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008F01BC SIZE 00000028 BYTES
; FUNCTION CHUNK AT 008F01F8 SIZE 00000023 BYTES

		push	40h
		push	offset dword_6A3468
		call	__SEH_prolog4
		mov	[ebp+var_34], edx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		xor	eax, eax
		lea	edi, [ebp+var_50]
		stosd
		stosd
		stosd
		stosd
		stosd
		and	[ebp+var_20], ebx
		and	[ebp+var_30], ebx
		and	[ebp+var_24], ebx
		and	[ebp+var_28], ebx
		and	[ebp+var_2C], ebx
		test	edx, edx
		jz	loc_8F01BC
		and	[ebp+ms_exc.disabled], ebx
		lea	ecx, [edx+14h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	loc_8F01C6
		cmp	ecx, edx
		jb	loc_8F01C6

loc_7C1860:				; CODE XREF: ExHandleSPCall2+12E9B9j
		push	5
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp+var_50]
		rep movsd
		mov	esi, [ebp+var_48]
		test	esi, esi
		jz	short loc_7C188C
		mov	ecx, [ebp+var_50]
		lea	edx, [ecx+esi]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	loc_8F01CE
		cmp	edx, ecx
		jb	loc_8F01CE

loc_7C188C:				; CODE XREF: ExHandleSPCall2+5Fj
					; ExHandleSPCall2+12E9C1j
		cmp	[ebp+var_50], 0
		jz	loc_8F01DD
		test	esi, esi
		jz	loc_8F01DD
		mov	[ebp+var_30], esi
		push	20534C53h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	loc_8F01D6
		push	esi		; size_t
		push	[ebp+var_50]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	[ebp+var_4C], 0
		jz	short loc_7C18D2
		mov	eax, [ebp+var_44]
		mov	[ebp+var_2C], eax

loc_7C18D2:				; CODE XREF: ExHandleSPCall2+BAj
					; ExHandleSPCall2+12E9EBj
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		test	ebx, ebx
		js	short loc_7C193B
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_2C]
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_20]
		call	sub_7C1970
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+ms_exc.disabled], 1
		test	ebx, ebx
		js	short loc_7C1938
		cmp	[ebp+var_4C], 0
		jz	loc_8F0200
		mov	esi, [ebp+var_28]
		cmp	[ebp+var_44], esi
		jb	loc_8F020E
		push	1
		push	esi
		push	[ebp+var_4C]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	esi		; size_t
		push	[ebp+var_24]	; void *
		push	[ebp+var_4C]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+var_34]
		mov	[ecx+0Ch], esi

loc_7C1938:				; CODE XREF: ExHandleSPCall2+F0j
					; ExHandleSPCall2+12E9F9j ...
		mov	[ebp+ms_exc.disabled], edi

loc_7C193B:				; CODE XREF: ExHandleSPCall2+CAj
					; ExHandleSPCall2+12E9B1j ...
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_7C194A
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C194A:				; CODE XREF: ExHandleSPCall2+130j
		cmp	[ebp+var_24], 0
		jz	short loc_7C195D
		push	20534C53h
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C195D:				; CODE XREF: ExHandleSPCall2+13Ej
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
ExHandleSPCall2	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_7C1970	proc near		; CODE XREF: ExHandleSPCall2+DDp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		xor	eax, eax
		push	eax
		push	eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_1C]
		push	3000h
		push	eax
		push	offset sub_7851EC
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		call	_KeExpandKernelStackAndCalloutEx@20 ; KeExpandKernelStackAndCalloutEx(x,x,x,x,x)
		test	eax, eax
		js	short locret_7C19BB
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_10]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+var_C]
		mov	[ecx], eax
		mov	eax, [ebp+var_8]

locret_7C19BB:				; CODE XREF: sub_7C1970+36j
		leave
		retn	0Ch
sub_7C1970	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetDeviceMappedPropertyFromRegProp(int,void *,int,int,int,int,int)
_CmGetDeviceMappedPropertyFromRegProp proc near	; CODE XREF: _CmGetDeviceMappedProperty+DFp
					; _CmGetDeviceCompoundFilters+93p ...

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_5C		= dword	ptr -5Ch
var_10		= word ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008F023E SIZE 00000139 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_90], eax
		xor	ebx, ebx
		xor	eax, eax
		mov	[ebp+var_80], edx
		mov	edx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_14]
		push	edi
		lea	edi, [ebp+var_6C]
		mov	[ebp+var_84], ecx
		mov	ecx, [ebp+arg_8]
		stosd
		mov	[ebp+var_94], ecx
		mov	[ebp+var_78], edx
		mov	[ebp+var_98], esi
		stosd
		mov	[ebp+var_74], ebx
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_70], ebx
		stosd
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_A0], ebx
		stosd
		mov	eax, [ebp+arg_18]
		movzx	eax, ax
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_A4], ebx
		test	eax, eax
		jnz	loc_8F023E
		mov	[ecx], ebx
		mov	[esi], ebx
		test	edx, edx
		jz	short loc_7C1A5B
		mov	ebx, [ebp+arg_10]
		mov	eax, ebx
		neg	eax
		sbb	eax, eax
		and	eax, edx
		mov	[ebp+var_78], eax

loc_7C1A5B:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+8Bj
		mov	[ebp+var_7C], ebx
		xor	ecx, ecx
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_9C], ecx
		mov	eax, [ebx+10h]
		mov	[ebp+var_A8], eax
		mov	eax, offset __CmDeviceRegPropMap
		mov	esi, [ebp+var_A8]
		mov	[ebp+var_88], eax

loc_7C1A83:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+E6j
		mov	edx, [eax]
		mov	edi, eax
		cmp	esi, [edx+10h]
		jz	short loc_7C1AAA

loc_7C1A8C:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+12E894j
		add	ecx, 10h
		add	eax, 10h
		xor	edi, edi
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_88], eax
		cmp	ecx, 210h
		jb	short loc_7C1A83
		jmp	short loc_7C1ABE
; 

loc_7C1AAA:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+CAj
		push	10h		; size_t
		push	edx		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8F0248

loc_7C1ABE:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+E8j
		mov	esi, [ebp+var_98]
		mov	ebx, [ebp+var_7C]
		test	edi, edi
		jz	loc_8F0259
		mov	edx, [edi+8]
		mov	eax, edx
		mov	[ebp+var_98], edx
		sub	eax, 9
		jz	loc_7C1BCC
		sub	eax, 10h
		jz	loc_8F0315
		dec	eax
		sub	eax, 1
		jz	loc_8F0298
		sub	eax, 0Ah
		jz	loc_7C1BCC
		push	[ebp+arg_18]
		mov	ecx, [ebp+var_78]
		lea	eax, [ebp+var_74]
		push	esi
		push	ecx
		mov	ecx, [ebp+var_84]
		push	eax
		push	edx
		push	[ebp+var_90]
		mov	edx, [ebp+var_80]
		mov	[esi], ebx
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	ecx, 0C0000023h
		test	ebx, ebx
		jnz	short loc_7C1B95

loc_7C1B2D:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+1D7j
		mov	eax, [ebp+var_74]
		cmp	eax, [edi+0Ch]
		jnz	loc_8F023E
		mov	eax, [edi+4]
		mov	edi, [ebp+var_94]
		mov	[edi], eax
		cmp	eax, 12h
		jnz	short loc_7C1B9F
		mov	eax, [esi]
		mov	[ebp+var_70], eax
		test	ebx, ebx
		jnz	loc_7C1CB7
		cmp	[ebp+var_7C], 2
		jb	short loc_7C1BA7
		mov	eax, [ebp+var_78]

loc_7C1B5F:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+35Bj
		mov	[ebp+var_88], eax
		test	eax, eax
		jz	short loc_7C1B81
		sub	esp, 0Ch
		mov	ecx, eax
		call	_PnpParseIndirectInfString
		test	al, al
		jz	loc_7C1C9C

loc_7C1B7B:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+2F2j
		mov	dword ptr [edi], 19h

loc_7C1B81:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+1A7j
					; _CmGetDeviceMappedPropertyFromRegProp+2ECj ...
		mov	eax, [ebp+var_8C]
		test	eax, eax
		jz	short loc_7C1B9F
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7C1B9F
; 

loc_7C1B95:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+16Bj
		cmp	ebx, ecx
		jz	short loc_7C1B2D
		mov	edi, [ebp+var_94]

loc_7C1B9F:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+187j
					; _CmGetDeviceMappedPropertyFromRegProp+1C9j ...
		test	ebx, ebx
		jnz	loc_7C1C61

loc_7C1BA7:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+19Aj
		mov	eax, [edi]
		cmp	eax, 2012h
		jz	loc_7C1C81

loc_7C1BB4:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+2D7j
		cmp	eax, 12h
		jnz	loc_7C1C6E
		xor	eax, eax
		cmp	[esi], eax
		jnz	loc_7C1C6E
		jmp	loc_8F028F
; 

loc_7C1BCC:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+11Dj
					; _CmGetDeviceMappedPropertyFromRegProp+139j
		push	[ebp+arg_18]
		mov	ecx, [ebp+var_84]
		lea	eax, [ebp+var_70]
		push	eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_70], 4Eh
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		push	edx
		push	[ebp+var_90]
		mov	edx, [ebp+var_80]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7C1C61
		mov	eax, [ebp+var_74]
		cmp	eax, [edi+0Ch]
		jnz	loc_8F023E
		mov	ecx, [ebp+var_94]
		mov	dword ptr [esi], 10h
		mov	eax, [edi+4]
		mov	[ecx], eax
		mov	eax, [ebp+var_7C]
		cmp	eax, [esi]
		jb	loc_8F030B
		xor	eax, eax
		mov	[ebp+var_10], ax
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_B4]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7C1C61
		lea	eax, [ebp+var_6C]
		push	eax
		lea	eax, [ebp+var_B4]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7C1C61
		mov	edi, [ebp+var_78]
		lea	esi, [ebp+var_6C]
		movsd
		movsd
		movsd
		movsd

loc_7C1C61:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+1E1j
					; _CmGetDeviceMappedPropertyFromRegProp+23Bj ...
		mov	esi, 0C000000Eh
		cmp	ebx, esi
		jz	loc_8F031F

loc_7C1C6E:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+1F7j
					; _CmGetDeviceMappedPropertyFromRegProp+201j ...
		mov	ecx, [ebp+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
; 

loc_7C1C81:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+1EEj
		mov	ecx, [ebp+var_78]
		call	__PnpMultiSzGetLen@4 ; _PnpMultiSzGetLen(x)
		add	eax, eax
		cmp	eax, [esi]
		ja	loc_8F0282
		mov	[esi], eax
		mov	eax, [edi]
		jmp	loc_7C1BB4
; 

loc_7C1C9C:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+1B5j
		mov	ecx, [ebp+var_88]
		sub	esp, 10h
		call	_PnpParseIndirectResourceString
		test	al, al
		jz	loc_7C1B81
		jmp	loc_7C1B7B
; 

loc_7C1CB7:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+190j
		cmp	ebx, ecx
		jnz	loc_7C1B9F
		push	52504E50h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_8C], eax
		test	eax, eax
		jz	loc_8F0263
		push	[ebp+arg_18]
		mov	edx, [ebp+var_80]
		lea	ecx, [ebp+var_70]
		push	ecx
		mov	ecx, [ebp+var_84]
		push	eax
		lea	eax, [ebp+var_AC]
		push	eax
		push	[ebp+var_98]
		push	[ebp+var_90]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_8F026D
		cmp	[ebp+var_70], 2
		jb	loc_7C1B81
		mov	eax, [ebp+var_8C]
		jmp	loc_7C1B5F
_CmGetDeviceMappedPropertyFromRegProp endp


;  S U B	R O U T	I N E 


; __stdcall _PnpMultiSzGetLen(x)
__PnpMultiSzGetLen@4 proc near		; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+2C4p
					; _CmGetDeviceMappedPropertyFromComposite+119EBCp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	edx, edx
		test	esi, esi
		jz	short loc_7C1D5C
		push	edi
		mov	edi, esi
		cmp	[esi], dx
		jz	short loc_7C1D54
		push	ebx

loc_7C1D34:				; CODE XREF: _PnpMultiSzGetLen(x)+31j
		mov	ecx, edi
		lea	ebx, [ecx+2]

loc_7C1D39:				; CODE XREF: _PnpMultiSzGetLen(x)+22j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, dx
		jnz	short loc_7C1D39
		sub	ecx, ebx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], dx
		jnz	short loc_7C1D34
		pop	ebx

loc_7C1D54:				; CODE XREF: _PnpMultiSzGetLen(x)+11j
		mov	edx, edi
		sub	edx, esi
		sar	edx, 1
		inc	edx
		pop	edi

loc_7C1D5C:				; CODE XREF: _PnpMultiSzGetLen(x)+9j
		mov	eax, edx
		pop	esi
		retn
__PnpMultiSzGetLen@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpCreateCacheEntry(x, x, x, x)
_ObpCreateCacheEntry@16	proc near	; CODE XREF: ObLogSecurityDescriptor+D0p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		lea	eax, [edi+18h]
		cmp	eax, edi
		jb	short loc_7C1DB6
		push	6353624Fh
		push	eax
		push	5
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7C1DB6
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	[esi], eax
		mov	[esi+10h], eax
		mov	[esi+14h], eax
		mov	eax, [ebp+arg_4]
		push	edi		; size_t
		mov	[esi+8], ecx
		lea	ecx, [esi+10h]
		push	ebx		; void *
		push	ecx		; void *
		mov	[esi+4], eax
		mov	[esi+0Ch], edi
		call	_memcpy
		add	esp, 0Ch
		mov	eax, esi

loc_7C1DAF:				; CODE XREF: ObpCreateCacheEntry(x,x,x,x)+58j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7C1DB6:				; CODE XREF: ObpCreateCacheEntry(x,x,x,x)+11j
					; ObpCreateCacheEntry(x,x,x,x)+24j
		xor	eax, eax
		jmp	short loc_7C1DAF
_ObpCreateCacheEntry@16	endp

; 
		align 10h
; Exported entry 2044. RtlDowncaseUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlDowncaseUnicodeString
RtlDowncaseUnicodeString proc near	; CODE XREF: ExpKdPullRemoteFileForUser(x)+108p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 007C1E54 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008F0377 SIZE 00000023 BYTES

		push	14h
		push	offset dword_6A3490
		call	__SEH_prolog4
		mov	esi, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		movzx	eax, word ptr [ebx]
		mov	ecx, eax
		cmp	[ebp+arg_8], 0
		jnz	loc_8F0377
		cmp	ax, [esi+2]
		ja	short loc_7C1E54

loc_7C1DE7:				; CODE XREF: RtlDowncaseUnicodeString+12E5D5j
		movzx	eax, cx
		shr	eax, 1
		mov	[ebp+var_20], eax
		and	[ebp+ms_exc.disabled], 0
		mov	[ebp+var_24], 1
		xor	edi, edi

loc_7C1DFC:				; CODE XREF: RtlDowncaseUnicodeString+5Aj
		mov	[ebp+var_1C], edi
		cmp	edi, eax
		jnb	short loc_7C1E1C
		mov	eax, [ebx+4]
		mov	cx, [eax+edi*2]
		call	NLS_DOWNCASE
		mov	ecx, [esi+4]
		mov	[ecx+edi*2], ax
		inc	edi
		mov	eax, [ebp+var_20]
		jmp	short loc_7C1DFC
; 

loc_7C1E1C:				; CODE XREF: RtlDowncaseUnicodeString+41j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_24], 0
		call	sub_7C1E49
		mov	ax, [ebx]
		mov	[esi], ax
		xor	eax, eax

loc_7C1E37:				; CODE XREF: RtlDowncaseUnicodeString+99j
					; RtlDowncaseUnicodeString+12E5CDj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
RtlDowncaseUnicodeString endp


;  S U B	R O U T	I N E 


sub_7C1E49	proc near		; CODE XREF: RtlDowncaseUnicodeString+6Ap
					; sub_8F039A+6j

; FUNCTION CHUNK AT 008F03A5 SIZE 00000017 BYTES

		cmp	dword ptr [ebp-24h], 0
		jnz	loc_8F03A5

locret_7C1E53:				; CODE XREF: sub_7C1E49+12E560j
		retn
sub_7C1E49	endp

; 
; START	OF FUNCTION CHUNK FOR RtlDowncaseUnicodeString

loc_7C1E54:				; CODE XREF: RtlDowncaseUnicodeString+25j
		mov	eax, 80000005h
		jmp	short loc_7C1E37
; END OF FUNCTION CHUNK	FOR RtlDowncaseUnicodeString
; 
		align 10h
; Exported entry 1527. NtFsControlFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtFsControlFile(x, x, x, x,	x, x, x, x, x, x)
		public _NtFsControlFile@40
_NtFsControlFile@40 proc near		; DATA XREF: .text:00581020o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_24]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_20]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_IopXxxControlFile@44 ;	IopXxxControlFile(x,x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	28h
_NtFsControlFile@40 endp ; sp =	-24h


;  S U B	R O U T	I N E 


AuthzBasepQuerySystemSecurityAttributeAndValues	proc near
					; CODE XREF: AuthzBasepQuerySecurityAttributeAndValues+3Cj

; FUNCTION CHUNK AT 008F03BC SIZE 0000001D BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		push	0
		pop	edi
		mov	eax, [esi+20h]
		or	eax, [esi+24h]
		jnz	loc_8F03BC
		lea	ecx, [esi+8]
		call	AuthzBasepFindSystemSecurityAttribute
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_7C1EDF
		mov	eax, [ecx+24h]
		mov	edx, [ecx+2Ch]
		mov	[esi+18h], eax
		mov	ax, [ecx+18h]
		mov	[esi+10h], ax
		mov	eax, [ecx+1Ch]
		mov	[esi+14h], eax
		mov	[esi+20h], ecx
		mov	[esi+24h], edi

loc_7C1ECE:				; CODE XREF: AuthzBasepQuerySystemSecurityAttributeAndValues+12E53Bj
		lea	eax, [edx+18h]
		mov	[esi+28h], edx
		mov	[esi+2Ch], edi
		mov	[esi+1Ch], eax

loc_7C1EDA:				; CODE XREF: AuthzBasepQuerySystemSecurityAttributeAndValues+56j
					; AuthzBasepQuerySystemSecurityAttributeAndValues+12E546j
		mov	eax, edi
		pop	edi
		pop	esi
		retn
; 

loc_7C1EDF:				; CODE XREF: AuthzBasepQuerySystemSecurityAttributeAndValues+21j
		mov	edi, 0C0000225h
		jmp	short loc_7C1EDA
AuthzBasepQuerySystemSecurityAttributeAndValues	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepFindSystemSecurityAttribute proc near
					; CODE XREF: AuthzBasepQuerySystemSecurityAttributeAndValues+18p

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 008F03D9 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _WindowsSystemAttributes
		push	ebx
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], bl
		mov	[ebp+var_8], ebx
		lea	ecx, [ebp+var_8]
		xchg	eax, [ecx]
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_7C1F51
		lea	eax, [ecx+4]
		push	esi
		mov	esi, [eax]

loc_7C1F10:				; CODE XREF: AuthzBasepFindSystemSecurityAttribute+57j
		cmp	esi, eax
		jz	short loc_7C1F3F
		push	ecx
		lea	ecx, [esi+10h]
		mov	edx, edi
		mov	ebx, esi
		call	AuthzBasepEqualUnicodeString
		test	al, al
		jz	short loc_7C1F35

loc_7C1F25:				; CODE XREF: AuthzBasepFindSystemSecurityAttribute+12E509j
		mov	al, 1

loc_7C1F27:				; CODE XREF: AuthzBasepFindSystemSecurityAttribute+69j
		pop	esi

loc_7C1F28:				; CODE XREF: AuthzBasepFindSystemSecurityAttribute+6Dj
		movzx	eax, al
		neg	eax
		pop	edi
		sbb	eax, eax
		and	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_7C1F35:				; CODE XREF: AuthzBasepFindSystemSecurityAttribute+3Dj
		mov	ecx, [ebp+var_8]
		mov	esi, [esi]
		lea	eax, [ecx+4]
		jmp	short loc_7C1F10
; 

loc_7C1F3F:				; CODE XREF: AuthzBasepFindSystemSecurityAttribute+2Cj
		lea	eax, [ecx+10h]
		mov	esi, [eax]

loc_7C1F44:				; CODE XREF: AuthzBasepFindSystemSecurityAttribute+12E517j
		cmp	esi, eax
		jnz	loc_8F03D9
		mov	al, [ebp+var_1]
		jmp	short loc_7C1F27
; 

loc_7C1F51:				; CODE XREF: AuthzBasepFindSystemSecurityAttribute+22j
		mov	al, bl
		jmp	short loc_7C1F28
AuthzBasepFindSystemSecurityAttribute endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtEnergyTrackerQuery(x, x, x)
_PopEtEnergyTrackerQuery@12 proc near	; CODE XREF: NtPowerInformation+8B5p

var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0FCh
		push	offset dword_6A34B0
		call	__SEH_prolog4
		mov	[ebp+var_40], edx
		mov	edx, ecx
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		push	7
		pop	esi
		mov	ecx, esi
		xor	eax, eax
		lea	edi, [ebp+var_E8]
		rep stosd
		mov	ecx, esi
		lea	edi, [ebp+var_C4]
		rep stosd
		mov	ecx, esi
		lea	edi, [ebp+var_94]
		rep stosd
		lea	edi, [ebp+var_10C]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	ecx, esi
		xor	eax, eax
		lea	edi, [ebp+var_78]
		rep stosd
		mov	[ebp+var_CC], ebx
		mov	[ebp+var_C8], ebx
		cmp	_PopEtGlobals, eax
		jnz	short loc_7C1FC4
		mov	esi, 0C00000BBh
		jmp	loc_7C2983
; 

loc_7C1FC4:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+62j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_38], al
		push	ebx
		lea	eax, [ebp+var_20]
		push	eax
		push	74456F50h
		push	[ebp+var_38]
		mov	eax, _PopEtGlobals
		push	dword ptr [eax+10h]
		push	1
		push	edx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7C2981
		mov	[ebp+var_108], ebx
		mov	[ebp+var_104], ebx
		mov	[ebp+var_FC], ebx
		mov	[ebp+var_10C], 2
		mov	eax, [ebp+var_20]
		mov	[ebp+var_100], eax
		lea	edx, [ebp+var_10C]
		mov	ecx, offset _PopEtProcessEnumSnapshotCallback@8	; PopEtProcessEnumSnapshotCallback(x,x)
		call	PsEnumProcesses
		mov	esi, eax
		test	esi, esi
		js	loc_7C2981
		mov	esi, [ebp+var_20]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+8]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+0Ch], eax
		mov	al, 1
		mov	[ebp+var_19], al
		mov	[ebp+var_21], al
		mov	ecx, [ebp+var_20]
		mov	[ebp+var_30], ecx
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_38], eax
		mov	esi, ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_4C], 2Ch
		mov	edi, ebx

loc_7C207F:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+A15j
					; PopEtEnergyTrackerQuery(x,x,x)+A26j
		test	edi, edi
		jz	short loc_7C20D1
		mov	esi, [ecx+20h]
		mov	ecx, esi
		and	ecx, 1Fh
		or	edx, 0FFFFFFFFh
		shl	edx, cl
		and	edx, [edi+4]
		mov	[ebp+var_34], edx
		shr	esi, 5
		movzx	eax, dl
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [ebp+var_34+2]
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [ebp+var_34+3]
		add	eax, 164B2F3Fh
		add	eax, ecx
		lea	ecx, [esi-1]
		and	ecx, eax
		mov	eax, [ebp+var_30]
		mov	eax, [eax+24h]
		lea	edx, [eax+ecx*4]
		mov	esi, [ebp+var_28]
		mov	ecx, [ebp+var_30]
		jmp	short loc_7C20D6
; 

loc_7C20D1:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+12Bj
		mov	edi, [ecx+24h]
		mov	edx, edi

loc_7C20D6:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+179j
		test	edi, edi
		jz	short loc_7C20F8
		mov	eax, [edi]
		and	eax, 80000002h
		cmp	eax, 80000002h
		jnz	short loc_7C20EA
		mov	eax, [ebx]

loc_7C20EA:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+190j
		test	edi, edi
		jz	short loc_7C20F8
		mov	edi, [edi]
		test	edi, 1
		jz	short loc_7C211F

loc_7C20F8:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+182j
					; PopEtEnergyTrackerQuery(x,x,x)+196j
		add	edx, 4
		mov	ecx, [ecx+20h]
		shr	ecx, 5
		mov	eax, [ebp+var_30]
		mov	eax, [eax+24h]
		lea	eax, [eax+ecx*4]
		jmp	short loc_7C2119
; 

loc_7C210C:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+1C5j
		mov	edi, [edx]
		test	edi, 1
		jz	short loc_7C211F
		add	edx, 4

loc_7C2119:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+1B4j
		cmp	edx, eax
		jb	short loc_7C210C
		mov	edi, ebx

loc_7C211F:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+1A0j
					; PopEtEnergyTrackerQuery(x,x,x)+1BEj
		test	edi, edi
		jnz	loc_7C2935
		mov	[ebp+var_28], 48h
		mov	[ebp+var_C4], ebx
		mov	[ebp+var_C0], ebx
		mov	[ebp+var_BC], ebx
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_AC], ebx
		push	60h
		pop	eax
		mov	[ebp+var_B8], eax
		mov	[ebp+var_B4], 8
		lea	eax, [ebp+var_28]
		push	eax
		mov	edx, [ebp+var_38]
		lea	ecx, [ebp+var_C4]
		call	_PopEtDataSectionReserve@12 ; PopEtDataSectionReserve(x,x,x)
		mov	[ebp+var_E8], ebx
		mov	[ebp+var_E4], ebx
		mov	[ebp+var_E0], ebx
		mov	[ebp+var_D4], ebx
		mov	[ebp+var_D0], ebx
		mov	[ebp+var_DC], 1B0h
		mov	[ebp+var_D8], 8
		lea	eax, [ebp+var_28]
		push	eax
		mov	edx, [ebp+var_38]
		lea	ecx, [ebp+var_E8]
		call	_PopEtDataSectionReserve@12 ; PopEtDataSectionReserve(x,x,x)
		mov	[ebp+var_94], ebx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_88], 1
		mov	[ebp+var_84], 4
		lea	eax, [ebp+var_28]
		push	eax
		mov	edx, [ebp+var_4C]
		lea	ecx, [ebp+var_94]
		call	_PopEtDataSectionReserve@12 ; PopEtDataSectionReserve(x,x,x)
		mov	[ebp+var_78], ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		push	2
		pop	eax
		mov	[ebp+var_6C], eax
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_28]
		push	eax
		mov	edx, esi
		lea	ecx, [ebp+var_78]
		call	_PopEtDataSectionReserve@12 ; PopEtDataSectionReserve(x,x,x)
		mov	edx, [ebp+var_28]
		cmp	edx, [ebp+arg_0]
		ja	loc_7C28D9
		cmp	edx, 7FFFFFFFh
		jnb	loc_7C28D9
		mov	[ebp+ms_exc.disabled], 1
		push	edx		; size_t
		push	ebx		; int
		mov	esi, [ebp+var_40]
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp+var_C0]
		cmp	eax, [ebp+var_B8]
		jb	short loc_7C2269
		mov	ecx, [ebp+var_C4]
		lea	eax, [ecx+esi]
		mov	[ebp+var_AC], eax
		mov	[ebp+var_B0], ecx

loc_7C2269:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+2FCj
		mov	eax, [ebp+var_E4]
		cmp	eax, [ebp+var_DC]
		jb	short loc_7C228C
		mov	ecx, [ebp+var_E8]
		lea	eax, [ecx+esi]
		mov	[ebp+var_D0], eax
		mov	[ebp+var_D4], ecx

loc_7C228C:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+31Fj
		mov	eax, [ebp+var_90]
		cmp	eax, [ebp+var_88]
		jb	short loc_7C22A9
		mov	ecx, [ebp+var_94]
		lea	eax, [ecx+esi]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_80], ecx

loc_7C22A9:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+342j
		mov	eax, [ebp+var_74]
		cmp	eax, [ebp+var_6C]
		jb	short loc_7C22BD
		mov	ecx, [ebp+var_78]
		lea	eax, [ecx+esi]
		mov	[ebp+var_60], eax
		mov	[ebp+var_64], ecx

loc_7C22BD:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+359j
		mov	[ebp+var_34], esi
		push	12h
		pop	eax
		mov	[esi], ax
		push	20h
		pop	eax
		mov	[esi+2], ax
		mov	dword ptr [esi+4], 48h
		mov	eax, [ebp+var_28]
		mov	[esi+8], eax
		mov	eax, [ebp+var_20]
		mov	eax, [eax+230h]
		mov	[esi+0Ch], eax
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		mov	edi, ds:0FFDF0004h
		mov	edx, 0FFDF0328h

loc_7C22F7:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+965j
		mov	ecx, 0FFDF0320h
		lea	eax, [ecx+4]
		mov	esi, [eax]
		mov	[ebp+var_40], esi
		mov	eax, [ecx]
		mov	[ebp+var_44], eax
		mov	ecx, [edx]
		cmp	esi, ecx
		jnz	loc_7C28B9
		mul	edi
		shrd	eax, edx, 18h
		shl	esi, 8
		imul	esi, edi
		add	eax, esi
		mov	ebx, [ebp+var_34]
		mov	[ebx+18h], eax
		mov	eax, [ebp+var_C4]
		mov	[ebx+24h], eax
		mov	eax, [ebp+var_38]
		mov	[ebx+28h], eax
		push	60h
		pop	eax
		mov	[ebx+38h], ax
		push	10h
		pop	esi
		mov	[ebx+3Ah], si
		mov	eax, [ebp+var_80]
		mov	[ebx+34h], eax
		push	0Ch
		pop	eax
		mov	[ebx+3Ch], ax
		push	eax		; size_t
		mov	edx, [ebp+var_20]
		lea	edx, [edx+10h]	; void *
		lea	ecx, [ebp+var_94] ; int
		call	_PopEtDataSectionCopyData@12 ; PopEtDataSectionCopyData(x,x,x)
		mov	eax, [ebp+var_80]
		mov	[ebx+2Ch], eax
		push	esi		; size_t
		mov	edx, [ebp+var_20]
		lea	edx, [edx+234h]	; void *
		lea	ecx, [ebp+var_94] ; int
		call	_PopEtDataSectionCopyData@12 ; PopEtDataSectionCopyData(x,x,x)
		mov	ecx, [ebp+var_20]
		lea	esi, [ecx+244h]
		lea	edi, [ebp+var_A8]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebp+var_A8]
		add	eax, [ecx+234h]
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+var_A4]
		add	eax, [ecx+238h]
		mov	[ebp+var_A4], eax
		mov	eax, [ebp+var_A0]
		add	eax, [ecx+23Ch]
		mov	[ebp+var_A0], eax
		mov	eax, [ebp+var_9C]
		add	eax, [ecx+240h]
		mov	[ebp+var_9C], eax
		mov	eax, [ebp+var_80]
		mov	[ebx+30h], eax
		push	10h		; size_t
		lea	edx, [ebp+var_A8] ; void *
		lea	ecx, [ebp+var_94] ; int
		call	_PopEtDataSectionCopyData@12 ; PopEtDataSectionCopyData(x,x,x)
		xor	ebx, ebx
		mov	edi, ebx

loc_7C23F6:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+95Ej
		mov	eax, [ebp+var_20]
		add	eax, 1Ch
		mov	[ebp+var_40], eax
		mov	[ebp+var_5C], eax
		test	edi, edi
		jz	loc_7C2525
		mov	[ebp+var_58], edi
		mov	edx, [eax+4]
		mov	ecx, edx
		and	ecx, 1Fh
		or	eax, 0FFFFFFFFh
		shl	eax, cl
		and	eax, [edi+4]
		shr	edx, 5
		mov	[ebp+arg_0], edx
		mov	[ebp+var_50], eax
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_48], ebx
		lea	edx, [ebp+var_50]
		push	4
		pop	eax
		mov	esi, 4CB2Fh

loc_7C2437:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+542j
		mov	[ebp+var_48], eax
		mov	[ebp+var_2C], edx
		cmp	eax, 8
		jl	short loc_7C249A
		movzx	eax, byte ptr [edx+1]
		imul	ecx, eax, 25h
		movzx	eax, byte ptr [edx+2]
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [edx+3]
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [edx+4]
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [edx+5]
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [edx+6]
		add	ecx, eax
		imul	ecx, 25h
		imul	eax, esi, 2FE8ED1Fh
		sub	ecx, eax
		movzx	eax, byte ptr [edx]
		imul	esi, eax, 1A617D0Dh
		add	esi, ecx
		movzx	eax, byte ptr [edx+7]
		add	esi, eax
		add	edx, 8
		mov	eax, [ebp+var_48]
		sub	eax, 8
		jmp	short loc_7C2437
; 

loc_7C249A:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+4EAj
		sub	eax, 1
		jz	short loc_7C2505
		sub	eax, 1
		jz	short loc_7C24F9
		sub	eax, 1
		jz	short loc_7C24ED
		sub	eax, 1
		jz	short loc_7C24E1
		sub	eax, 1
		jz	short loc_7C24D5
		sub	eax, 1
		jz	short loc_7C24C9
		sub	eax, 1
		jnz	short loc_7C2511
		imul	esi, 25h
		movzx	eax, byte ptr [edx]
		add	esi, eax
		inc	edx
		mov	[ebp+var_2C], edx

loc_7C24C9:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+560j
		imul	esi, 25h
		movzx	eax, byte ptr [edx]
		add	esi, eax
		inc	edx
		mov	[ebp+var_2C], edx

loc_7C24D5:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+55Bj
		imul	esi, 25h
		movzx	eax, byte ptr [edx]
		add	esi, eax
		inc	edx
		mov	[ebp+var_2C], edx

loc_7C24E1:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+556j
		imul	esi, 25h
		movzx	eax, byte ptr [edx]
		add	esi, eax
		inc	edx
		mov	[ebp+var_2C], edx

loc_7C24ED:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+551j
		imul	esi, 25h
		movzx	eax, byte ptr [edx]
		add	esi, eax
		inc	edx
		mov	[ebp+var_2C], edx

loc_7C24F9:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+54Cj
		imul	esi, 25h
		movzx	eax, byte ptr [edx]
		add	esi, eax
		inc	edx
		mov	[ebp+var_2C], edx

loc_7C2505:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+547j
		imul	esi, 25h
		movzx	eax, byte ptr [edx]
		add	esi, eax
		inc	edx
		mov	[ebp+var_2C], edx

loc_7C2511:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+565j
		mov	ecx, [ebp+arg_0]
		dec	ecx
		and	ecx, esi
		mov	eax, [ebp+var_40]
		mov	eax, [eax+8]
		lea	edx, [eax+ecx*4]
		mov	[ebp+var_54], edx
		jmp	short loc_7C2530
; 

loc_7C2525:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+4AEj
		mov	edx, [eax+8]
		mov	[ebp+var_54], edx
		mov	edi, edx
		mov	[ebp+var_58], edi

loc_7C2530:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+5CDj
		mov	[ebp+var_98], ebx
		test	edi, edi
		jz	short loc_7C2565
		mov	eax, [edi]
		mov	ecx, 80000002h
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_7C254F
		mov	eax, [ebx]
		mov	edx, [ebp+var_54]
		mov	edi, [ebp+var_58]

loc_7C254F:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+5EFj
		test	edi, edi
		jz	short loc_7C2565
		mov	edi, [edi]
		mov	[ebp+arg_0], edi
		test	edi, 1
		jnz	short loc_7C2565

loc_7C2560:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+63Bj
		mov	[ebp+var_58], edi
		jmp	short loc_7C259D
; 

loc_7C2565:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+5E2j
					; PopEtEnergyTrackerQuery(x,x,x)+5FBj ...
		add	edx, 4
		mov	eax, [ebp+var_5C]
		mov	ecx, [eax+4]
		shr	ecx, 5
		mov	eax, [eax+8]
		lea	eax, [eax+ecx*4]

loc_7C2577:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+640j
		mov	[ebp+var_98], edx
		cmp	edx, eax
		jnb	short loc_7C2598
		mov	edi, [edx]
		mov	[ebp+arg_0], edi
		test	edi, 1
		jnz	short loc_7C2593
		mov	[ebp+var_54], edx
		jmp	short loc_7C2560
; 

loc_7C2593:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+636j
		add	edx, 4
		jmp	short loc_7C2577
; 

loc_7C2598:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+629j
		mov	edi, ebx
		mov	[ebp+arg_0], edi

loc_7C259D:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+60Dj
		test	edi, edi
		jnz	loc_7C276A
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	edx, ds:0FFDF0004h
		mov	[ebp+arg_0], edx
		mov	edi, 0FFDF0324h

loc_7C25B9:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+80Fj
		mov	esi, [edi]
		mov	[ebp+var_38], esi
		mov	eax, 0FFDF0320h
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		mov	ecx, 0FFDF0328h
		mov	ecx, [ecx]
		cmp	esi, ecx
		jnz	loc_7C2763
		mul	edx
		mov	edi, eax
		shrd	edi, edx, 18h
		shl	esi, 8
		imul	esi, [ebp+arg_0]
		add	edi, esi
		mov	[ebp+var_EC], edi
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		push	ebx
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	esi, eax
		mov	[ebp+var_F0], esi
		lea	eax, [ebp+var_CC]
		push	eax
		call	KeQuerySystemTime
		mov	edx, edi
		mov	ecx, [ebp+var_20]
		sub	edx, [ecx+228h]
		mov	ecx, [ebp+var_34]
		mov	[ecx+10h], edx
		mov	eax, [ebp+var_20]
		sub	esi, [eax+22Ch]
		mov	[ecx+14h], esi
		mov	[ecx+1Ch], edi
		call	_KeQueryTimelineBitmapTime@0 ; KeQueryTimelineBitmapTime()
		mov	[ecx+20h], eax
		mov	eax, [ebp+var_CC]
		mov	[ecx+40h], eax
		mov	eax, [ebp+var_C8]
		mov	[ecx+44h], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, ebx

loc_7C2659:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+7B0j
		mov	esi, [ebp+var_20]
		add	esi, 28h
		mov	[ebp+var_50], esi
		test	edi, edi
		jz	short loc_7C26AE
		mov	esi, [esi+4]
		mov	ecx, esi
		and	ecx, 1Fh
		or	edx, 0FFFFFFFFh
		shl	edx, cl
		and	edx, [edi+4]
		mov	[ebp+arg_0], edx
		shr	esi, 5
		movzx	eax, dl
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [ebp+arg_0+2]
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [ebp+arg_0+3]
		add	eax, 164B2F3Fh
		add	eax, ecx
		lea	ecx, [esi-1]
		and	ecx, eax
		mov	esi, [ebp+var_50]
		mov	eax, [esi+8]
		lea	edx, [eax+ecx*4]
		jmp	short loc_7C26B3
; 

loc_7C26AE:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+70Ej
		mov	edi, [esi+8]
		mov	edx, edi

loc_7C26B3:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+756j
		test	edi, edi
		jz	short loc_7C26D4
		mov	eax, [edi]
		mov	ecx, 80000002h
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_7C26C6
		mov	eax, [ebx]

loc_7C26C6:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+76Cj
		test	edi, edi
		jz	short loc_7C26D4
		mov	edi, [edi]
		test	edi, 1
		jz	short loc_7C26F8

loc_7C26D4:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+75Fj
					; PopEtEnergyTrackerQuery(x,x,x)+772j
		add	edx, 4
		mov	ecx, [esi+4]
		shr	ecx, 5
		mov	eax, [esi+8]
		lea	eax, [eax+ecx*4]
		jmp	short loc_7C26F2
; 

loc_7C26E5:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+79Ej
		mov	edi, [edx]
		test	edi, 1
		jz	short loc_7C26F8
		add	edx, 4

loc_7C26F2:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+78Dj
		cmp	edx, eax
		jb	short loc_7C26E5
		mov	edi, ebx

loc_7C26F8:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+77Cj
					; PopEtEnergyTrackerQuery(x,x,x)+797j
		test	edi, edi
		jz	short loc_7C270B
		and	dword ptr [edi+1D4h], 7FFFFFFFh
		jmp	loc_7C2659
; 

loc_7C270B:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+7A4j
		mov	ecx, [ebp+var_20]
		call	PopEtEnergyTrackerCleanupAggregates
		mov	eax, [ebp+var_20]
		inc	dword ptr [eax+230h]
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+var_EC]
		mov	[ecx+228h], eax
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+var_F0]
		mov	[ecx+22Ch], eax
		xor	eax, eax
		mov	edi, [ebp+var_20]
		lea	edi, [edi+234h]
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_20]
		lea	edi, [edi+244h]
		lea	esi, [ebp+var_A8]
		movsd
		movsd
		movsd
		movsd
		mov	esi, ebx
		jmp	loc_7C2908
; 

loc_7C2763:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+67Bj
		pause
		jmp	loc_7C25B9
; 

loc_7C276A:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+649j
		mov	ebx, [edi+8]
		mov	eax, [edi+10h]
		mov	ecx, [ebp+var_AC]
		mov	[ecx], eax
		mov	eax, [edi+14h]
		mov	[ecx+4], eax
		mov	eax, [edi+18h]
		mov	[ecx+8], eax
		movzx	eax, word ptr [edi+1Ch]
		mov	[ecx+0Ch], eax
		mov	eax, [edi+1E8h]
		mov	[ecx+40h], eax
		mov	eax, [edi+1ECh]
		mov	[ecx+44h], eax
		lea	esi, [edi+1D0h]
		lea	edi, [ecx+48h]
		push	6
		pop	ecx
		rep movsd
		mov	eax, [ebx+10h]
		mov	eax, [eax]
		mov	esi, [ebp+var_AC]
		mov	[esi+14h], eax
		mov	eax, [ebx+10h]
		mov	eax, [eax+4]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_80]
		mov	[esi+28h], eax
		mov	ax, [ebx+2Ah]
		mov	[esi+34h], ax
		movzx	eax, word ptr [ebx+2Ah]
		push	eax		; size_t
		mov	edx, [ebx+20h]	; void *
		lea	ecx, [ebp+var_94] ; int
		call	_PopEtDataSectionCopyData@12 ; PopEtDataSectionCopyData(x,x,x)
		mov	ax, [ebx+24h]
		mov	[esi+2Ch], ax
		mov	eax, [ebp+var_64]
		mov	[esi+10h], eax
		movzx	eax, word ptr [ebx+24h]
		mov	edx, [ebx+14h]	; void *
		add	eax, eax
		push	eax		; size_t
		lea	ecx, [ebp+var_78] ; int
		call	_PopEtDataSectionCopyData@12 ; PopEtDataSectionCopyData(x,x,x)
		mov	ax, [ebx+26h]
		mov	[esi+2Eh], ax
		mov	eax, [ebp+var_64]
		mov	[esi+1Ch], eax
		movzx	eax, word ptr [ebx+26h]
		mov	edx, [ebx+18h]	; void *
		add	eax, eax
		push	eax		; size_t
		lea	ecx, [ebp+var_78] ; int
		call	_PopEtDataSectionCopyData@12 ; PopEtDataSectionCopyData(x,x,x)
		mov	ax, [ebx+28h]
		mov	[esi+30h], ax
		mov	eax, [ebp+var_64]
		mov	[esi+20h], eax
		movzx	eax, word ptr [ebx+28h]
		mov	edx, [ebx+1Ch]	; void *
		add	eax, eax
		push	eax		; size_t
		lea	ecx, [ebp+var_78] ; int
		call	_PopEtDataSectionCopyData@12 ; PopEtDataSectionCopyData(x,x,x)
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	short loc_7C2877
		mov	eax, [eax+0Ch]
		shr	eax, 0Ah
		shr	ax, 1
		mov	[esi+32h], ax
		mov	eax, [ebp+var_64]
		mov	[esi+24h], eax
		movzx	eax, word ptr [esi+32h]
		mov	edx, [edi+0Ch]
		add	edx, 10h	; void *
		add	eax, eax
		push	eax		; size_t
		lea	ecx, [ebp+var_78] ; int
		call	_PopEtDataSectionCopyData@12 ; PopEtDataSectionCopyData(x,x,x)
		jmp	short loc_7C2883
; 

loc_7C2877:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+8F5j
		xor	eax, eax
		mov	[esi+32h], ax
		mov	eax, [ebp+var_64]
		mov	[esi+24h], eax

loc_7C2883:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+91Fj
		mov	eax, [ebp+var_D4]
		mov	[esi+38h], eax
		mov	dword ptr [esi+3Ch], 1B0h
		push	[ebp+var_DC]	; size_t
		lea	edx, [edi+20h]	; void *
		lea	ecx, [ebp+var_E8] ; int
		call	_PopEtDataSectionCopyData@12 ; PopEtDataSectionCopyData(x,x,x)
		lea	ecx, [ebp+var_C4]
		call	_PopEtDataSectionAdvance@4 ; PopEtDataSectionAdvance(x)
		xor	ebx, ebx
		jmp	loc_7C23F6
; 

loc_7C28B9:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+3B7j
		pause
		jmp	loc_7C22F7
; 

loc_7C28C0:				; DATA XREF: .text:006A34D0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_F4], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7C28D1:				; DATA XREF: .text:006A34D4o
		mov	esi, [ebp+var_F4]
		jmp	short loc_7C2924
; 

loc_7C28D9:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+2C9j
					; PopEtEnergyTrackerQuery(x,x,x)+2D5j
		cmp	[ebp+arg_0], 0Ch
		jb	short loc_7C2903
		mov	[ebp+ms_exc.disabled], ebx
		xor	eax, eax
		mov	ecx, [ebp+var_40]
		mov	edi, ecx
		stosd
		stosd
		stosd
		push	12h
		pop	eax
		mov	[ecx], ax
		push	20h
		pop	eax
		mov	[ecx+2], ax
		mov	[ecx+8], edx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C2903:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+987j
		mov	esi, 0C0000023h

loc_7C2908:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+808j
					; PopEtEnergyTrackerQuery(x,x,x)+9EFj
		mov	al, [ebp+var_19]
		jmp	short loc_7C2983
; 

loc_7C290D:				; DATA XREF: .text:006A34C4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_F8], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7C291E:				; DATA XREF: .text:006A34C8o
		mov	esi, [ebp+var_F8]

loc_7C2924:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+981j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	al, [ebp+var_21]
		jmp	short loc_7C2983
; 

loc_7C2935:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+1CBj
		mov	edx, [edi+8]
		cmp	esi, 10000000h
		jb	short loc_7C2947
		mov	esi, 0C00000CDh
		jmp	short loc_7C2908
; 

loc_7C2947:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+9E8j
		movzx	eax, word ptr [edx+2Ah]
		add	[ebp+var_4C], eax
		movzx	ecx, word ptr [edx+28h]
		movzx	eax, word ptr [edx+26h]
		add	ecx, eax
		movzx	eax, word ptr [edx+24h]
		add	esi, eax
		add	esi, ecx
		mov	[ebp+var_28], esi
		mov	eax, [edi+0Ch]
		test	eax, eax
		mov	ecx, [ebp+var_30]
		jz	loc_7C207F
		mov	eax, [eax+0Ch]
		shr	eax, 0Bh
		add	esi, eax
		mov	[ebp+var_28], esi
		jmp	loc_7C207F
; 

loc_7C2981:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+9Ej
					; PopEtEnergyTrackerQuery(x,x,x)+DDj
		mov	al, bl

loc_7C2983:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+69j
					; PopEtEnergyTrackerQuery(x,x,x)+9B5j ...
		test	al, al
		jz	short loc_7C29A1
		mov	ecx, [ebp+var_20]
		add	ecx, 8
		cmp	[ecx+4], ebx
		jz	short loc_7C2995
		mov	[ecx+4], ebx

loc_7C2995:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+A3Aj
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_7C29A1:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+A2Fj
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	short loc_7C29B2
		mov	edx, 74456F50h
		call	ObfDereferenceObjectWithTag

loc_7C29B2:				; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+A50j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopEtEnergyTrackerQuery@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PopEtDataSectionCopyData(int,void *,size_t)
_PopEtDataSectionCopyData@12 proc near	; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+408p
					; PopEtEnergyTrackerQuery(x,x,x)+423p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [esi+14h]
		add	eax, edi
		cmp	eax, [esi+8]
		ja	short loc_7C29EF
		push	edi		; size_t
		push	edx		; void *
		push	dword ptr [esi+18h] ; void *
		call	_memcpy
		add	[esi+18h], edi
		add	esp, 0Ch
		add	[esi+14h], edi

loc_7C29EF:				; CODE XREF: PopEtDataSectionCopyData(x,x,x)+14j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_PopEtDataSectionCopyData@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopEtDataSectionAdvance(x)
_PopEtDataSectionAdvance@4 proc	near	; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+957p
		mov	eax, [ecx+14h]
		mov	edx, [ecx+0Ch]
		add	eax, edx
		cmp	eax, [ecx+8]
		ja	short loc_7C2A0F
		mov	[ecx+14h], eax
		mov	eax, [ecx+18h]
		add	eax, edx
		mov	[ecx+18h], eax
		retn
; 

loc_7C2A0F:				; CODE XREF: PopEtDataSectionAdvance(x)+Bj
		xor	eax, eax
		retn
_PopEtDataSectionAdvance@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtDataSectionReserve(x, x, x)
_PopEtDataSectionReserve@12 proc near	; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+216p
					; PopEtEnergyTrackerQuery(x,x,x)+25Ap ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, edx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [ebx]
		mul	dword ptr [esi+0Ch]
		mov	edi, eax
		mov	eax, edx
		mov	[ebp+var_4], eax
		cmp	ecx, 7FFFFFFFh
		jnb	short loc_7C2A78
		test	eax, eax
		jb	short loc_7C2A44
		ja	short loc_7C2A78
		cmp	edi, 7FFFFFFFh
		jnb	short loc_7C2A78

loc_7C2A44:				; CODE XREF: PopEtDataSectionReserve(x,x,x)+26j
		mov	eax, [esi+10h]
		lea	edx, [ecx-1]
		add	edx, eax
		neg	eax
		and	edx, eax
		xor	eax, eax
		mov	ecx, edx
		add	ecx, edi
		adc	eax, [ebp+var_4]
		test	eax, eax
		jb	short loc_7C2A67
		ja	short loc_7C2A78
		cmp	ecx, 7FFFFFFFh
		jnb	short loc_7C2A78

loc_7C2A67:				; CODE XREF: PopEtDataSectionReserve(x,x,x)+49j
		mov	[esi], edx
		mov	[esi+4], edi
		mov	[esi+8], ecx

loc_7C2A6F:				; CODE XREF: PopEtDataSectionReserve(x,x,x)+6Bj
		pop	edi
		pop	esi
		mov	[ebx], ecx
		pop	ebx
		leave
		retn	4
; 

loc_7C2A78:				; CODE XREF: PopEtDataSectionReserve(x,x,x)+22j
					; PopEtDataSectionReserve(x,x,x)+28j ...
		mov	ecx, 7FFFFFFFh
		jmp	short loc_7C2A6F
_PopEtDataSectionReserve@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEtEnergyTrackerCleanupAggregates proc near
					; CODE XREF: PopEtEnergyTrackerQuery(x,x,x)+7B8p
					; PopEtEnergyTrackerCleanup(x)+6Ep

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F0402 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	edx, [edi+24h]
		mov	esi, edx
		mov	[ebp+var_4], edx

loc_7C2A93:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+A4j
		xor	ebx, ebx

loc_7C2A95:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+12D9A9j
		test	esi, esi
		jz	short loc_7C2AB5
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, 80000002h
		cmp	eax, 80000002h
		jz	loc_8F0402

loc_7C2AAD:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+12D986j
		test	ecx, 1
		jz	short loc_7C2B29

loc_7C2AB5:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+17j
		mov	ecx, [edi+20h]
		add	edx, 4
		mov	eax, [edi+24h]
		shr	ecx, 5
		lea	ecx, [eax+ecx*4]

loc_7C2AC4:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+B0j
		cmp	edx, ecx
		jnb	short loc_7C2B32
		mov	eax, [edx]
		test	al, 1
		jnz	short loc_7C2B2D
		mov	esi, eax
		mov	[ebp+var_4], edx
		mov	ecx, esi

loc_7C2AD5:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+ABj
					; PopEtEnergyTrackerCleanupAggregates+B7j
		test	ecx, ecx
		jz	short loc_7C2B39
		mov	eax, [esi]
		mov	ecx, 80000002h
		and	eax, ecx
		mov	ebx, esi
		cmp	eax, ecx
		jz	short loc_7C2B3E

loc_7C2AE8:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+C2j
		mov	ecx, edx

loc_7C2AEA:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+C6j
		mov	eax, [ecx]
		test	al, 1
		jnz	short loc_7C2B48
		cmp	eax, esi
		jnz	short loc_7C2B44
		mov	eax, [esi]
		mov	[ecx], eax
		dec	dword ptr [edi+1Ch]
		or	dword ptr [esi], 80000002h
		mov	esi, ecx

loc_7C2B03:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+CEj
		lea	eax, [edi+38h]
		cmp	ebx, eax
		jz	loc_8F040B
		lea	ecx, [ebx+8]
		call	_PopEtAggregateKeyCleanup@4 ; PopEtAggregateKeyCleanup(x)
		push	54456F50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [ebp+var_4]
		jmp	loc_7C2A93
; 

loc_7C2B29:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+33j
		mov	esi, ecx
		jmp	short loc_7C2AD5
; 

loc_7C2B2D:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+4Cj
		add	edx, 4
		jmp	short loc_7C2AC4
; 

loc_7C2B32:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+46j
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		jmp	short loc_7C2AD5
; 

loc_7C2B39:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+57j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7C2B3E:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+66j
		xor	eax, eax
		mov	eax, [eax]
		jmp	short loc_7C2AE8
; 

loc_7C2B44:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+72j
		mov	ecx, eax
		jmp	short loc_7C2AEA
; 

loc_7C2B48:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+6Ej
		xor	ecx, ecx
		mov	ebx, ecx
		mov	eax, [ecx]
		jmp	short loc_7C2B03
PopEtEnergyTrackerCleanupAggregates endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1035. IoUpdateLinkShareAccessEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoUpdateLinkShareAccessEx(x, x, x, x)
		public _IoUpdateLinkShareAccessEx@16
_IoUpdateLinkShareAccessEx@16 proc near	; CODE XREF: IoUpdateShareAccess(x,x)+Fp
					; IoUpdateLinkShareAccess(x,x,x)+10p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [edx+7Ch]
		test	eax, eax
		jnz	short loc_7C2BCF

loc_7C2B65:				; CODE XREF: IoUpdateLinkShareAccessEx(x,x,x,x)+7Cj
		xor	al, al

loc_7C2B67:				; CODE XREF: IoUpdateLinkShareAccessEx(x,x,x,x)+80j
		cmp	byte ptr [edx+26h], 0
		jnz	short loc_7C2B7D
		cmp	byte ptr [edx+27h], 0
		jnz	short loc_7C2B7D
		cmp	byte ptr [edx+28h], 0
		jnz	short loc_7C2B7D

loc_7C2B79:				; CODE XREF: IoUpdateLinkShareAccessEx(x,x,x,x)+29j
					; IoUpdateLinkShareAccessEx(x,x,x,x)+5Fj ...
		pop	ebp
		retn	10h
; 

loc_7C2B7D:				; CODE XREF: IoUpdateLinkShareAccessEx(x,x,x,x)+15j
					; IoUpdateLinkShareAccessEx(x,x,x,x)+1Bj ...
		test	al, al
		jnz	short loc_7C2B79
		mov	ecx, [ebp+arg_4]
		inc	dword ptr [ecx]
		movzx	eax, byte ptr [edx+26h]
		add	[ecx+4], eax
		movzx	eax, byte ptr [edx+27h]
		add	[ecx+8], eax
		movzx	eax, byte ptr [edx+29h]
		add	[ecx+10h], eax
		movzx	eax, byte ptr [edx+2Ah]
		add	[ecx+14h], eax
		movzx	eax, byte ptr [edx+28h]
		add	[ecx+0Ch], eax
		movzx	eax, byte ptr [edx+2Bh]
		add	[ecx+18h], eax
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_7C2B79
		inc	dword ptr [ecx]
		test	[ebp+arg_C], 80h
		jnz	short loc_7C2BC6
		movzx	eax, byte ptr [edx+28h]
		add	[ecx+4], eax

loc_7C2BC6:				; CODE XREF: IoUpdateLinkShareAccessEx(x,x,x,x)+67j
		movzx	eax, byte ptr [edx+2Bh]
		add	[ecx+8], eax
		jmp	short loc_7C2B79
; 

loc_7C2BCF:				; CODE XREF: IoUpdateLinkShareAccessEx(x,x,x,x)+Dj
		test	byte ptr [eax],	1
		jz	short loc_7C2B65
		mov	al, 1
		jmp	short loc_7C2B67
_IoUpdateLinkShareAccessEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcpReceiveDirectMessagePort(x, x, x, x, x)
@AlpcpReceiveDirectMessagePort@20 proc near ; CODE XREF: PAGE:00832AA5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		test	edx, edx
		jnz	short loc_7C2BF1
		mov	eax, 0C000000Dh
		jmp	locret_7C2DC4
; 

loc_7C2BF1:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+Dj
		push	ebx
		mov	ebx, [ecx]
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, ebx
		call	AlpcpLookupMessage
		test	eax, eax
		js	loc_7C2DC3
		push	esi
		mov	esi, [ebp+var_4]
		push	edi
		cmp	ebx, [esi+8]
		jz	short loc_7C2C1C
		mov	edi, 0C0000702h
		jmp	short loc_7C2C47
; 

loc_7C2C1C:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+3Bj
		mov	ecx, [esi+14h]
		test	ecx, 10000h
		jz	short loc_7C2C31
		cmp	ebx, [esi+24h]
		jnz	short loc_7C2C31
		xor	eax, eax
		inc	eax
		jmp	short loc_7C2C33
; 

loc_7C2C31:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+4Dj
					; AlpcpReceiveDirectMessagePort(x,x,x,x,x)+52j
		xor	eax, eax

loc_7C2C33:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+57j
		and	ecx, 7
		mov	[ebp+arg_0], eax
		cmp	cl, 4
		jz	short loc_7C2C55
		test	eax, eax
		jnz	short loc_7C2C55
		mov	edi, 0C000000Dh

loc_7C2C47:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+42j
		mov	ecx, esi
		call	_AlpcpUnlockMessage@4 ;	AlpcpUnlockMessage(x)
		mov	eax, edi
		jmp	loc_7C2DC1
; 

loc_7C2C55:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+64j
					; AlpcpReceiveDirectMessagePort(x,x,x,x,x)+68j
		lea	edi, [ebx+0D0h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebx+0F4h]
		test	al, 40h
		jz	short loc_7C2C9B
		mov	ecx, esi
		call	_AlpcpUnlockMessage@4 ;	AlpcpUnlockMessage(x)
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_7C2C8A
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7C2C8A:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+A9j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, 0C0000700h
		jmp	loc_7C2DC1
; 

loc_7C2C9B:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+94j
		test	al, 10h
		jz	short loc_7C2CCC
		mov	ecx, esi
		call	_AlpcpUnlockMessage@4 ;	AlpcpUnlockMessage(x)
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_7C2CBB
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7C2CBB:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+DAj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, 0C0000041h
		jmp	loc_7C2DC1
; 

loc_7C2CCC:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+C5j
		xor	edx, edx
		lea	ecx, [ebx+5Ch]
		mov	[ebp+var_8], ecx
		cmp	[ebp+arg_0], edx
		jz	short loc_7C2D04
		call	ExAcquirePushLockExclusiveEx
		and	dword ptr [esi+14h], 0FFFEFFFFh
		mov	ecx, [esi+30h]
		mov	eax, [esi+2Ch]
		mov	[ecx], eax
		mov	ecx, [esi+2Ch]
		mov	eax, [esi+30h]
		mov	[ecx+4], eax
		lea	eax, [ebx+7Ch]
		dec	dword ptr [ebx+114h]
		mov	[ebp+var_4], eax
		jmp	short loc_7C2D2E
; 

loc_7C2D04:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+FFj
		lea	eax, [ebx+7Ch]
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	ExAcquirePushLockExclusiveEx
		dec	dword ptr [ebx+110h]
		and	dword ptr [esi+14h], 0FFFFFFF8h
		and	dword ptr [esi+8], 0
		mov	ecx, [esi+4]
		mov	eax, [esi]
		mov	[ecx], eax
		mov	ecx, [esi]
		mov	eax, [esi+4]
		mov	[ecx+4], eax

loc_7C2D2E:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+12Aj
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_7C2D65
		lea	ecx, [esi+38h]
		call	sub_8339C2
		test	[ebp+arg_8], eax
		jz	short loc_7C2D59
		mov	eax, 2000h
		mov	edx, esi
		or	[esi+84h], ax
		mov	ecx, ebx
		call	_AlpcpInsertMessagePendingQueue@8 ; AlpcpInsertMessagePendingQueue(x,x)
		jmp	short loc_7C2D70
; 

loc_7C2D59:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+168j
		mov	eax, 0FFFFDFFFh
		and	[esi+84h], ax

loc_7C2D65:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+15Bj
		dec	word ptr [esi-0Eh]
		mov	ebx, [ebp+var_8]
		test	edx, edx
		jnz	short loc_7C2D73

loc_7C2D70:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+17Fj
		mov	ebx, [ebp+var_4]

loc_7C2D73:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+196j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7C2D87
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_7C2D87:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+1A6j
		mov	ecx, ebx
		call	KeAbPostRelease
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_7C2DA3
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7C2DA3:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+1C2j
		mov	ecx, edi
		call	KeAbPostRelease
		cmp	_AlpcpLogEnabled, 0
		jz	short loc_7C2DBA
		mov	ecx, esi
		call	_AlpcpLogReceiveMessage@4 ; AlpcpLogReceiveMessage(x)

loc_7C2DBA:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+1D9j
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		xor	eax, eax

loc_7C2DC1:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+78j
					; AlpcpReceiveDirectMessagePort(x,x,x,x,x)+BEj	...
		pop	edi
		pop	esi

loc_7C2DC3:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+2Dj
		pop	ebx

locret_7C2DC4:				; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+14j
		leave
		retn	0Ch
@AlpcpReceiveDirectMessagePort@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpSendLegacySynchronousRequest(x, x, x, x)
_AlpcpSendLegacySynchronousRequest@16 proc near	; CODE XREF: PAGE:0082FA90p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		push	40h
		push	offset dword_6A34F8
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	edx, ecx
		mov	[ebp+var_20], edx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		cmp	[ebp+arg_4], bl
		jz	short loc_7C2E2D
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [ebp+arg_0]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	esi, ecx
		jb	short loc_7C2DF8
		mov	esi, ecx

loc_7C2DF8:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+2Cj
		push	6
		pop	ecx
		lea	edi, [ebp+var_50]
		rep movsd
		nop
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_7C2E38
; 

loc_7C2E0A:				; DATA XREF: .text:006A350Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7C2E18:				; DATA XREF: .text:006A3510o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_2C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_1C]
		jmp	loc_7C3242
; 

loc_7C2E2D:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+1Cj
		push	6
		pop	ecx
		mov	esi, [ebp+arg_0]
		lea	edi, [ebp+var_50]
		rep movsd

loc_7C2E38:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+40j
		cmp	[ebp+var_40], 0
		jnz	loc_7C3265
		mov	ecx, [edx+0F4h]
		test	ecx, 2000h
		jz	loc_7C3265
		mov	eax, ecx
		and	al, 6
		cmp	al, 4
		jnz	loc_7C3265
		test	cl, 38h
		jnz	loc_7C3265
		mov	eax, [ebp+var_4C]
		shr	eax, 10h
		test	ax, ax
		jnz	loc_7C3265
		mov	eax, [ebp+var_50]
		shr	eax, 10h
		cmp	eax, [edx+0A8h]
		jbe	short loc_7C2E90
		mov	eax, 0C000002Fh
		jmp	loc_7C3274
; 

loc_7C2E90:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+BCj
		mov	dl, 1
		lea	ecx, [ebp+var_50]
		call	_AlpcpValidateMessage@8	; AlpcpValidateMessage(x,x)
		test	eax, eax
		js	loc_7C3274
		xor	edi, edi
		mov	eax, [ebp+var_20]
		add	eax, 100h
		xchg	edi, [eax]
		mov	[ebp+var_1C], edi
		test	edi, edi
		jz	short loc_7C2F07
		mov	ecx, edi
		call	AlpcpLockForCachedReferenceBlob
		dec	word ptr [edi-0Eh]
		mov	esi, [edi+90h]
		and	esi, 7FFFFFFFh
		push	98h		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[edi+90h], esi

loc_7C2EE1:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+125j
		xor	eax, eax
		inc	eax
		lock xadd ds:_AlpcpNextCallbackId, eax
		inc	eax
		jz	short loc_7C2EE1
		mov	[edi+94h], eax
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_7C2F1A
		mov	ecx, edi
		call	_AlpcpEnterAllocationEventMessageLog@4 ; AlpcpEnterAllocationEventMessageLog(x)
		jmp	short loc_7C2F1A
; 

loc_7C2F07:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+EBj
		push	ebx
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	@AlpcpAllocateMessage@12 ; AlpcpAllocateMessage(x,x,x)
		test	eax, eax
		js	loc_7C3274

loc_7C2F1A:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+134j
					; AlpcpSendLegacySynchronousRequest(x,x,x,x)+13Dj
		mov	edx, large fs:124h
		mov	[ebp+var_38], edx
		mov	eax, [edx+2ACh]
		mov	esi, [ebp+var_1C]
		mov	[esi+88h], eax
		mov	eax, [edx+2B0h]
		mov	[esi+8Ch], eax
		mov	ecx, [ebp+var_50]
		mov	[esi+80h], ecx
		mov	eax, 2001h
		mov	[esi+84h], ax
		cmp	[ebp+arg_4], 0
		jz	short loc_7C2FC5
		mov	[ebp+ms_exc.disabled], 1
		mov	edi, [ebp+arg_0]
		add	edi, 18h
		movsx	edx, cx
		mov	ecx, esi
		call	_AlpcpAvailableBufferSize@4 ; AlpcpAvailableBufferSize(x)
		cmp	edx, eax
		ja	short loc_7C2F8A
		push	edx		; size_t
		push	edi		; void *
		lea	eax, [esi+98h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edi, ebx
		jmp	short loc_7C2F94
; 

loc_7C2F8A:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+1ABj
		push	edi		; void *
		mov	ecx, esi
		call	@AlpcpCaptureMessageData@12 ; AlpcpCaptureMessageData(x,x,x)
		mov	edi, eax

loc_7C2F94:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+1C0j
		mov	[ebp+var_28], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_7C2FF6
; 

loc_7C2FA0:				; DATA XREF: .text:006A3518o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7C2FAE:				; DATA XREF: .text:006A351Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_30]
		mov	[ebp+var_28], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_1C]
		jmp	short loc_7C2FF6
; 

loc_7C2FC5:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+190j
		mov	edi, [ebp+arg_0]
		add	edi, 18h
		movsx	edx, cx
		mov	ecx, esi
		call	_AlpcpAvailableBufferSize@4 ; AlpcpAvailableBufferSize(x)
		cmp	edx, eax
		ja	short loc_7C2FEE
		push	edx		; size_t
		push	edi		; void *
		lea	eax, [esi+98h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edi, ebx
		jmp	short loc_7C2FFE
; 

loc_7C2FEE:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+20Fj
		push	edi		; void *
		call	@AlpcpCaptureMessageData@12 ; AlpcpCaptureMessageData(x,x,x)
		mov	edi, eax

loc_7C2FF6:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+1D6j
					; AlpcpSendLegacySynchronousRequest(x,x,x,x)+1FBj
		test	edi, edi
		js	loc_7C3246

loc_7C2FFE:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+224j
		mov	eax, [ebp+var_20]
		mov	eax, [eax+8]
		mov	[ebp+var_1C], eax
		lea	ecx, [eax-4]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_20]
		mov	ecx, [eax+0F8h]
		mov	[ebp+arg_0], ecx
		mov	eax, [eax+0FCh]
		mov	[ebp+var_34], eax
		test	ecx, ecx
		jz	loc_7C321B
		test	eax, eax
		jz	loc_7C321B
		add	eax, 0D0h
		mov	dword ptr [ebp+arg_4], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_34]
		push	11h
		test	byte ptr [eax+0F4h], 20h
		jz	short loc_7C307C
		mov	edi, 0C0000037h
		xor	ecx, ecx
		pop	eax
		mov	ebx, dword ptr [ebp+arg_4]
		lock cmpxchg [ebx], ecx

loc_7C3064:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+44Ej
		cmp	eax, 11h
		jz	short loc_7C3070
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7C3070:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+29Fj
		mov	ecx, ebx
		call	KeAbPostRelease
		jmp	loc_7C3220
; 

loc_7C307C:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+28Bj
		mov	eax, [eax+1Ch]
		mov	[esi+40h], eax
		xor	edx, edx
		pop	eax
		mov	ecx, dword ptr [ebp+arg_4]
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_7C3099
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, dword ptr [ebp+arg_4]

loc_7C3099:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+2C7j
		call	KeAbPostRelease
		mov	eax, [ebp+arg_0]
		add	eax, 0D0h
		mov	[ebp+var_34], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+0F4h], 20h
		jz	short loc_7C30C8
		mov	edi, 0C0000037h
		jmp	loc_7C320A
; 

loc_7C30C8:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+2F4j
		push	3
		pop	eax
		add	[esi-0Eh], ax
		mov	ecx, esi
		mov	edx, [ebp+var_38]
		lea	eax, [edx+314h]
		xchg	ecx, [eax]
		mov	[esi+10h], edx
		push	ecx
		mov	edx, [ebp+var_20]
		mov	ecx, esi
		call	_AlpcpSetOwnerPortMessage@12 ; AlpcpSetOwnerPortMessage(x,x,x)
		mov	eax, [ebp+var_1C]
		mov	[esi+64h], eax
		mov	eax, [eax]
		mov	[esi+68h], eax
		mov	ecx, [ebp+var_24]
		mov	[ecx+4], esi
		cmp	_AlpcpLogEnabled, 0
		jz	short loc_7C311B
		mov	ecx, esi
		call	_AlpcpLogSendMessage@4 ; AlpcpLogSendMessage(x)
		cmp	_AlpcpLogEnabled, 0
		jz	short loc_7C311B
		mov	ecx, esi
		call	_AlpcpLogWaitForReply@4	; AlpcpLogWaitForReply(x)

loc_7C311B:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+33Aj
					; AlpcpSendLegacySynchronousRequest(x,x,x,x)+34Aj
		mov	edx, ebx
		mov	dword ptr [ebp+arg_4], edx
		mov	eax, [ebp+arg_0]
		lea	ecx, [eax+8Ch]
		mov	[ebp+var_38], ecx
		cmp	[ecx], ecx
		jz	short loc_7C31AE
		add	eax, 88h
		mov	[ebp+var_20], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_38]
		mov	eax, [ecx]
		mov	[ebp+var_38], eax
		cmp	eax, ecx
		jz	short loc_7C318B
		add	eax, 0FFFFFCE4h
		mov	dword ptr [ebp+arg_4], eax
		mov	edx, esi
		mov	ecx, [ebp+arg_0]
		call	_AlpcpInsertMessagePendingQueue@8 ; AlpcpInsertMessagePendingQueue(x,x)
		inc	word ptr [esi-0Eh]
		or	dword ptr [esi+14h], 2000h
		mov	eax, dword ptr [ebp+arg_4]
		mov	[eax+318h], esi
		mov	eax, [ebp+var_38]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_7C31C3
		cmp	[ecx], eax
		jnz	short loc_7C31C3
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	[eax], ebx

loc_7C318B:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+383j
		or	eax, 0FFFFFFFFh
		mov	ecx, [ebp+var_20]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7C31A3
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_20]

loc_7C31A3:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+3D1j
		call	KeAbPostRelease
		mov	eax, [ebp+arg_0]
		mov	edx, dword ptr [ebp+arg_4]

loc_7C31AE:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+366j
		mov	ecx, [ebp+var_24]
		mov	[ecx+10h], ebx
		mov	[ecx+0Ch], ebx
		mov	[ecx+14h], ebx
		test	edx, edx
		jz	short loc_7C31C8
		mov	[ecx+0Ch], edx
		jmp	short loc_7C31F3
; 

loc_7C31C3:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+3B6j
					; AlpcpSendLegacySynchronousRequest(x,x,x,x)+3BAj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_7C31C8:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+3F4j
		mov	edx, esi
		mov	ecx, eax
		call	_AlpcpInsertMessageMainQueue@8 ; AlpcpInsertMessageMainQueue(x,x)
		mov	eax, [ebp+arg_0]
		test	dword ptr [eax+0F4h], 200h
		jz	short loc_7C31F3
		mov	ecx, eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_24]
		mov	[ecx+10h], eax
		mov	[ecx+22h], bl

loc_7C31F3:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+3F9j
					; AlpcpSendLegacySynchronousRequest(x,x,x,x)+416j
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_7C3203
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_7C3203:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+432j
		mov	ecx, esi
		call	AlpcpUnlockBlob

loc_7C320A:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+2FBj
		xor	edx, edx
		push	11h
		pop	eax
		mov	ebx, [ebp+var_34]
		lock cmpxchg [ebx], edx
		jmp	loc_7C3064
; 

loc_7C321B:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+260j
					; AlpcpSendLegacySynchronousRequest(x,x,x,x)+268j
		mov	edi, 0C0000037h

loc_7C3220:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+2AFj
		xor	edx, edx
		push	11h
		pop	eax
		mov	ebx, [ebp+var_1C]
		add	ebx, 0FFFFFFFCh
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_7C323B
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7C323B:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+46Aj
		mov	ecx, ebx
		call	KeAbPostRelease

loc_7C3242:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+60j
		test	edi, edi
		jns	short loc_7C3261

loc_7C3246:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+230j
		test	esi, esi
		jz	short loc_7C3261
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_7C325A
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_7C325A:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+489j
		mov	ecx, esi
		call	AlpcpUnlockBlob

loc_7C3261:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+47Cj
					; AlpcpSendLegacySynchronousRequest(x,x,x,x)+480j
		mov	eax, edi
		jmp	short loc_7C3274
; 

loc_7C3265:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+74j
					; AlpcpSendLegacySynchronousRequest(x,x,x,x)+86j ...
		push	dword ptr [ebp+arg_4]
		push	ebx
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_24]
		call	@AlpcpSendMessage@16 ; AlpcpSendMessage(x,x,x,x)

loc_7C3274:				; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+C3j
					; AlpcpSendLegacySynchronousRequest(x,x,x,x)+D4j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_AlpcpSendLegacySynchronousRequest@16 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpInsertMessagePendingQueue(x, x)
_AlpcpInsertMessagePendingQueue@8 proc near
					; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+17Ap
					; AlpcpSendLegacySynchronousRequest(x,x,x,x)+392p ...
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		xor	edx, edx
		lea	ecx, [ebx+70h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+14h]
		lea	ecx, [ebx+74h]
		mov	[edi+8], ebx
		and	eax, 0FFFFFF83h
		mov	esi, [ebx+0F4h]
		and	esi, 6
		shl	esi, 2
		or	esi, eax
		or	esi, 3
		mov	[edi+14h], esi
		lea	esi, [ebx+70h]
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		mov	[edi], ecx
		mov	eax, [ecx+4]
		mov	[eax], edi
		or	eax, 0FFFFFFFFh
		inc	dword ptr [ebx+10Ch]
		mov	[ecx+4], edi
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7C32E9

loc_7C32DF:				; CODE XREF: AlpcpInsertMessagePendingQueue(x,x)+6Aj
		pop	edi
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	KeAbPostRelease
; 

loc_7C32E9:				; CODE XREF: AlpcpInsertMessagePendingQueue(x,x)+57j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7C32DF
_AlpcpInsertMessagePendingQueue@8 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpInsertMessageMainQueue(x, x)
_AlpcpInsertMessageMainQueue@8 proc near
					; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+404p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		xor	edx, edx
		lea	ecx, [ebx+5Ch]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+14h]
		lea	ecx, [ebx+60h]
		mov	[edi+8], ebx
		and	eax, 0FFFFFF81h
		mov	esi, [ebx+0F4h]
		and	esi, 6
		shl	esi, 2
		or	esi, eax
		or	esi, 1
		mov	[edi+14h], esi
		lea	esi, [ebx+5Ch]
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		mov	[edi], ecx
		mov	eax, [ecx+4]
		mov	[eax], edi
		or	eax, 0FFFFFFFFh
		inc	dword ptr [ebx+104h]
		mov	[ecx+4], edi
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7C3355

loc_7C334B:				; CODE XREF: AlpcpInsertMessageMainQueue(x,x)+6Aj
		pop	edi
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	KeAbPostRelease
; 

loc_7C3355:				; CODE XREF: AlpcpInsertMessageMainQueue(x,x)+57j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7C334B
_AlpcpInsertMessageMainQueue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepMakeTokenEffectiveOnly proc near	; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+89Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F042E SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, [ecx+4Ch]
		and	[ecx+44h], edx
		and	[ecx+54h], edx
		xor	edx, edx
		mov	eax, [ecx+48h]
		inc	edx
		and	[ecx+40h], eax
		and	[ecx+50h], eax
		push	esi
		mov	esi, [ecx+7Ch]
		cmp	esi, edx
		jbe	short loc_7C339E
		push	ebx
		push	edi
		lea	ebx, [esi-1]

loc_7C3387:				; CODE XREF: SepMakeTokenEffectiveOnly+3Cj
		mov	edi, [ecx+94h]
		mov	[ebp+var_8], edi
		test	byte ptr [edi+edx*8+4],	34h
		jz	short loc_7C33A4
		inc	edx

loc_7C3398:				; CODE XREF: SepMakeTokenEffectiveOnly+81j
		cmp	edx, esi
		jb	short loc_7C3387
		pop	edi
		pop	ebx

loc_7C339E:				; CODE XREF: SepMakeTokenEffectiveOnly+22j
		mov	[ecx+7Ch], esi
		pop	esi
		leave
		retn
; 

loc_7C33A4:				; CODE XREF: SepMakeTokenEffectiveOnly+37j
		mov	eax, [ecx+90h]
		cmp	edx, eax
		jz	loc_8F042E

loc_7C33B2:				; CODE XREF: SepMakeTokenEffectiveOnly+12D0D9j
		mov	edi, [ecx+0B8h]
		cmp	edx, edi
		mov	[ebp+var_4], edi
		mov	edi, [ebp+var_8]
		jz	loc_8F043C

loc_7C33C6:				; CODE XREF: SepMakeTokenEffectiveOnly+12D0E9j
		cmp	ebx, [ebp+var_4]
		jz	short loc_7C33E1

loc_7C33CB:				; CODE XREF: SepMakeTokenEffectiveOnly+89j
		cmp	ebx, eax
		jz	short loc_7C33E9

loc_7C33CF:				; CODE XREF: SepMakeTokenEffectiveOnly+91j
		dec	esi
		dec	ebx
		mov	eax, [edi+esi*8]
		mov	[edi+edx*8], eax
		mov	eax, [edi+esi*8+4]
		mov	[edi+edx*8+4], eax
		jmp	short loc_7C3398
; 

loc_7C33E1:				; CODE XREF: SepMakeTokenEffectiveOnly+6Bj
		mov	[ecx+0B8h], edx
		jmp	short loc_7C33CB
; 

loc_7C33E9:				; CODE XREF: SepMakeTokenEffectiveOnly+6Fj
		mov	[ecx+90h], edx
		jmp	short loc_7C33CF
SepMakeTokenEffectiveOnly endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtRemoveIoCompletion proc near		; DATA XREF: .text:00580D84o

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F044C SIZE 00000015 BYTES
; FUNCTION CHUNK AT 008F0483 SIZE 00000013 BYTES
; FUNCTION CHUNK AT 008F04AF SIZE 00000023 BYTES

		push	3Ch
		push	offset dword_6A3520
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_30], esi
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_2C], esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_1C], esi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_24], bl
		test	bl, bl
		jz	loc_8F0483
		mov	[ebp+ms_exc.disabled], esi
		mov	ecx, [ebp+arg_8]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8F044C

loc_7C3442:				; CODE XREF: NtRemoveIoCompletion+12D05Cj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8F0453

loc_7C3456:				; CODE XREF: NtRemoveIoCompletion+12D063j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_C]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8F045A

loc_7C346A:				; CODE XREF: NtRemoveIoCompletion+12D06Aj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jnz	loc_7C350F

loc_7C3479:				; CODE XREF: NtRemoveIoCompletion+138j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C3480:				; CODE XREF: NtRemoveIoCompletion+12D096j
					; NtRemoveIoCompletion+12D09Fj
		mov	eax, ds:_IoCompletionObjectType
		mov	[ebp+var_20], esi
		push	esi
		lea	ecx, [ebp+var_20]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7C34FD
		push	esi
		push	[ebp+var_1C]
		push	[ebp+var_24]
		lea	eax, [ebp+var_2C]
		push	eax
		xor	edi, edi
		inc	edi
		push	edi
		lea	eax, [ebp+var_30]
		push	eax
		lea	edx, [ebp+var_4C]
		mov	ecx, [ebp+var_20]
		call	IoRemoveIoCompletion
		mov	esi, eax
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject
		test	esi, esi
		jnz	short loc_7C34FB
		test	bl, bl
		jz	loc_8F04AF
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+var_4C]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	ecx, [ebp+var_48]
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		mov	eax, [ebp+var_44]
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		mov	eax, [ebp+var_40]
		mov	[ecx+4], eax

loc_7C34F4:				; CODE XREF: sub_8F04A4+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C34FB:				; CODE XREF: NtRemoveIoCompletion+D7j
					; NtRemoveIoCompletion+12D0DBj
		mov	eax, esi

loc_7C34FD:				; CODE XREF: NtRemoveIoCompletion+ABj
					; sub_8F0471+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7C350F:				; CODE XREF: NtRemoveIoCompletion+81j
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_1C], eax
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_7C352F

loc_7C351E:				; CODE XREF: NtRemoveIoCompletion+13Fj
		nop
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], ecx
		jmp	loc_7C3479
; 

loc_7C352F:				; CODE XREF: NtRemoveIoCompletion+12Aj
		mov	ecx, eax
		jmp	short loc_7C351E
NtRemoveIoCompletion endp

; 
		align 4

;  S U B	R O U T	I N E 


RawCleanupVcb	proc near		; CODE XREF: .text:0043DFA7p
					; RawCheckForDeleteVolume(x)+55p ...

; FUNCTION CHUNK AT 008F04D2 SIZE 00000021 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	eax, [esi+90h]
		test	eax, eax
		jz	loc_8F04D2
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+90h], edi

loc_7C3557:				; CODE XREF: RawCleanupVcb+12CFA2j
					; RawCleanupVcb+12CFBAj
		test	byte ptr [esi+48h], 10h
		jz	short loc_7C3563
		push	esi
		call	FsRtlTeardownPerStreamContexts

loc_7C3563:				; CODE XREF: RawCleanupVcb+27j
		mov	eax, [esi+9Ch]
		test	eax, eax
		jz	short loc_7C3573
		push	eax
		call	_ExFreeCacheAwareRundownProtection@4 ; ExFreeCacheAwareRundownProtection(x)

loc_7C3573:				; CODE XREF: RawCleanupVcb+37j
		mov	[esi+9Ch], edi
		pop	edi
		pop	esi
		retn
RawCleanupVcb	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 668. FsRtlTeardownPerStreamContexts

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlTeardownPerStreamContexts
FsRtlTeardownPerStreamContexts proc near ; CODE	XREF: RawCleanupVcb+2Ap

var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 007C3687 SIZE 00000005 BYTES
; FUNCTION CHUNK AT 008F04F3 SIZE 00000027 BYTES

		push	0Ch
		push	offset dword_6A3548
		call	__SEH_prolog4
		mov	esi, [ebp+arg_0]
		lea	edi, [esi+2Ch]
		cmp	[edi], edi
		jnz	short loc_7C35AA

loc_7C3598:				; CODE XREF: FsRtlTeardownPerStreamContexts+D8j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7C35AA:				; CODE XREF: FsRtlTeardownPerStreamContexts+14j
		mov	al, [esi+7]
		and	al, 0F0h
		cmp	al, 10h
		jb	loc_8F04F3
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+34h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx

loc_7C35CF:				; CODE XREF: FsRtlTeardownPerStreamContexts+12CF79j
		mov	al, 1
		mov	[ebp+var_19], al
		and	[ebp+ms_exc.disabled], 0

loc_7C35D8:				; CODE XREF: FsRtlTeardownPerStreamContexts+CAj
		mov	ebx, [edi]
		cmp	ebx, edi
		jz	short loc_7C364E
		mov	eax, [ebx]
		cmp	[ebx+4], edi
		jnz	loc_7C3687
		cmp	[eax+4], ebx
		jnz	loc_7C3687
		mov	[edi], eax
		mov	[eax+4], edi
		lea	ecx, [esi+34h]
		mov	al, [esi+7]
		and	al, 0F0h
		cmp	al, 10h
		jb	loc_8F0500
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_7C361A:				; CODE XREF: FsRtlTeardownPerStreamContexts+12CF86j
		mov	[ebp+var_19], 0
		push	ebx
		call	dword ptr [ebx+10h]
		mov	al, [esi+7]
		and	al, 0F0h
		cmp	al, 10h
		jb	loc_8F050D
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+34h]
		call	ExAcquirePushLockExclusiveEx

loc_7C3647:				; CODE XREF: FsRtlTeardownPerStreamContexts+12CF93j
		mov	al, 1
		mov	[ebp+var_19], al
		jmp	short loc_7C35D8
; 

loc_7C364E:				; CODE XREF: FsRtlTeardownPerStreamContexts+5Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7C365F
		jmp	loc_7C3598
FsRtlTeardownPerStreamContexts endp


;  S U B	R O U T	I N E 


sub_7C365F	proc near		; CODE XREF: FsRtlTeardownPerStreamContexts+D3p
					; sub_8F051A+6j

; FUNCTION CHUNK AT 008F0525 SIZE 00000009 BYTES

		test	al, al
		jz	short locret_7C3686
		mov	al, [esi+7]
		and	al, 0F0h
		cmp	al, 10h
		jb	loc_8F0525
		lea	ecx, [esi+34h]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

locret_7C3686:				; CODE XREF: sub_7C365F+2j
		retn
sub_7C365F	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlTeardownPerStreamContexts

loc_7C3687:				; CODE XREF: FsRtlTeardownPerStreamContexts+61j
					; FsRtlTeardownPerStreamContexts+6Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
; END OF FUNCTION CHUNK	FOR FsRtlTeardownPerStreamContexts ; AL	= character to display

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateWaitCompletionPacket proc near	; DATA XREF: .text:005810DCo

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F052E SIZE 00000007 BYTES

		push	18h
		push	offset dword_6A3568
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_20], ecx
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_28], bl
		test	bl, bl
		jz	short loc_7C36D3
		mov	[ebp+ms_exc.disabled], ecx
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8F052E

loc_7C36C6:				; CODE XREF: NtCreateWaitCompletionPacket+12CEA4j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ecx, ecx

loc_7C36D3:				; CODE XREF: NtCreateWaitCompletionPacket+25j
		mov	edx, ds:_IopWaitCompletionPacketObjectType
		push	ecx
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		push	ecx
		push	38h
		push	ecx
		push	[ebp+var_28]
		push	[ebp+arg_8]
		mov	cl, bl
		call	ObCreateObjectEx
		mov	[ebp+arg_8], eax
		test	eax, eax
		js	short loc_7C3735
		mov	ecx, [ebp+var_20]
		xor	edx, edx
		mov	[ecx+30h], edx
		mov	[ecx+34h], dl
		mov	[ecx+2Ch], edx
		lea	eax, [ebp+var_1C]
		push	eax
		push	edx
		push	edx
		push	edx
		push	[ebp+arg_4]
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	[ebp+arg_8], eax
		test	eax, eax
		js	short loc_7C3735
		test	bl, bl
		jz	short loc_7C374A
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_7C372E:				; CODE XREF: sub_8F055D+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C3735:				; CODE XREF: NtCreateWaitCompletionPacket+69j
					; NtCreateWaitCompletionPacket+8Dj ...
		mov	eax, [ebp+arg_8]

loc_7C3738:				; CODE XREF: sub_8F0545+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7C374A:				; CODE XREF: NtCreateWaitCompletionPacket+91j
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	short loc_7C3735
NtCreateWaitCompletionPacket endp


;  S U B	R O U T	I N E 


; __stdcall CmpNameSize(x)
_CmpNameSize@4	proc near		; CODE XREF: CcUninitializeAsyncRead(x):CmpHKeyNodeSize(x)p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+33Cp ...
		mov	edi, edi
		push	esi
		movzx	esi, word ptr [ecx]
		xor	edx, edx
		mov	eax, esi
		shr	eax, 1
		push	edi
		jz	short loc_7C3778
		mov	ecx, [ecx+4]

loc_7C3766:				; CODE XREF: CmpNameSize(x)+22j
		mov	edi, 0FFh
		cmp	[ecx], di
		ja	short loc_7C377B
		inc	edx
		add	ecx, 2
		cmp	edx, eax
		jb	short loc_7C3766

loc_7C3778:				; CODE XREF: CmpNameSize(x)+Dj
					; CmpNameSize(x)+2Aj
		pop	edi
		pop	esi
		retn
; 

loc_7C377B:				; CODE XREF: CmpNameSize(x)+1Aj
		mov	ax, si
		jmp	short loc_7C3778
_CmpNameSize@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspQueryQuotaLimits proc near		; CODE XREF: PAGE:0083BB9Ep

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	78h
		push	offset dword_6A3590
		call	__SEH_prolog4_GS
		mov	esi, ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_40], eax
		mov	ebx, [ebp+arg_8]
		push	38h		; size_t
		xor	edi, edi
		push	edi		; int
		lea	eax, [ebp+var_88]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_38], edi
		mov	[ebp+var_3C], edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		mov	edi, [ebp+arg_4]
		cmp	edi, 20h
		jnz	loc_7C38B6

loc_7C37C7:				; CODE XREF: PspQueryQuotaLimits+139j
		push	0
		lea	eax, [ebp+var_38]
		push	eax
		push	79517350h
		push	[ebp+arg_C]
		push	ds:_PsProcessType
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7C38A4
		mov	eax, [ebp+var_38]
		mov	ecx, [eax+188h]
		mov	eax, [ecx+0C0h]
		mov	[ebp+var_88], eax
		mov	eax, [ecx+40h]
		mov	[ebp+var_84], eax
		mov	eax, [ecx+140h]
		mov	[ebp+var_78], eax
		mov	eax, [ecx+1C0h]
		mov	[ebp+var_68], eax
		or	[ebp+var_70], 0FFFFFFFFh
		or	[ebp+var_6C], 0FFFFFFFFh
		lea	eax, [ebp+var_34]
		push	eax
		push	[ebp+var_38]
		call	KeStackAttachProcess
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_7C]
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		lea	edx, [ebp+var_4C]
		lea	ecx, [ebp+var_50]
		call	_MmQueryWorkingSetInformation@24 ; MmQueryWorkingSetInformation(x,x,x,x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_34]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		test	byte ptr [ebp+var_3C], 4
		push	0
		pop	ecx
		setz	cl
		inc	ecx
		test	byte ptr [ebp+var_3C], 1
		jnz	short loc_7C38CA
		or	ecx, 8

loc_7C386C:				; CODE XREF: PspQueryQuotaLimits+14Dj
		mov	[ebp+var_58], ecx
		mov	edx, 79517350h
		mov	ecx, [ebp+var_38]
		call	ObfDereferenceObjectWithTag
		test	esi, esi
		js	short loc_7C38A2
		and	[ebp+ms_exc.disabled], 0
		push	edi		; size_t
		lea	eax, [ebp+var_88]
		push	eax		; void *
		push	[ebp+var_40]	; void *
		call	_memcpy
		add	esp, 0Ch
		test	ebx, ebx
		jnz	short loc_7C38C6

loc_7C389B:				; CODE XREF: PspQueryQuotaLimits+148j
					; sub_8F0573+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C38A2:				; CODE XREF: PspQueryQuotaLimits+FEj
		mov	eax, esi

loc_7C38A4:				; CODE XREF: PspQueryQuotaLimits+68j
					; PspQueryQuotaLimits+144j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7C38B6:				; CODE XREF: PspQueryQuotaLimits+41j
		cmp	edi, 38h
		jz	loc_7C37C7
		mov	eax, 0C0000004h
		jmp	short loc_7C38A4
; 

loc_7C38C6:				; CODE XREF: PspQueryQuotaLimits+119j
		mov	[ebx], edi
		jmp	short loc_7C389B
; 

loc_7C38CA:				; CODE XREF: PspQueryQuotaLimits+E7j
		or	ecx, 4
		jmp	short loc_7C386C
PspQueryQuotaLimits endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2261. RtlNtStatusToDosError

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlNtStatusToDosError
RtlNtStatusToDosError proc near		; CODE XREF: EtwpEnumerateAutologgerPath+23Ap
					; LocalConvertStringSDToSD_Rev1+AE7D5p	...

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	8
		push	offset dword_6A35B0
		call	__SEH_prolog4
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jnz	short loc_7C3930
		cmp	byte ptr [eax+16Ah], 1
		jz	short loc_7C3930
		mov	ecx, [eax+0A8h]

loc_7C38FE:				; CODE XREF: RtlNtStatusToDosError+5Ej
		test	ecx, ecx
		jz	short loc_7C3916
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+arg_0]
		mov	[ecx+0BF4h], eax

loc_7C390F:				; CODE XREF: sub_8F0582+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C3916:				; CODE XREF: RtlNtStatusToDosError+2Cj
		push	[ebp+arg_0]
		call	RtlNtStatusToDosErrorNoTeb
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7C3930:				; CODE XREF: RtlNtStatusToDosError+19j
					; RtlNtStatusToDosError+22j
		xor	ecx, ecx
		jmp	short loc_7C38FE
RtlNtStatusToDosError endp


;  S U B	R O U T	I N E 


; __stdcall CmpIsBufferGloballyVisible(x)
_CmpIsBufferGloballyVisible@4 proc near	; CODE XREF: CmpBounceContextStart+B2p
					; CmpDoesBufferRequireCapturing(x,x)+12p
		cmp	ecx, ds:_MmHighestUserAddress
		jbe	short loc_7C3948
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jnz	short loc_7C3948
		mov	al, 1
		retn
; 

loc_7C3948:				; CODE XREF: CmpIsBufferGloballyVisible(x)+6j
					; CmpIsBufferGloballyVisible(x)+Fj
		xor	al, al
		retn
_CmpIsBufferGloballyVisible@4 endp

; 
		align 10h
; Exported entry 2494. SeQuerySessionIdToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeQuerySessionIdToken(x, x)
		public _SeQuerySessionIdToken@8
_SeQuerySessionIdToken@8 proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+EA5p
					; SeQueryInformationToken(x,x,x)+A3Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceSharedLite
		mov	eax, [ebp+arg_4]
		mov	ecx, [esi+78h]
		mov	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	eax, eax
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
_SeQuerySessionIdToken@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 606. FsRtlNotifyFilterReportChange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNotifyFilterReportChange(x, x,	x, x, x, x, x, x, x, x)
		public _FsRtlNotifyFilterReportChange@40
_FsRtlNotifyFilterReportChange@40 proc near
					; CODE XREF: FsRtlNotifyFullReportChange(x,x,x,x,x,x,x,x,x)+22p
					; FsRtlNotifyReportChange(x,x,x,x,x)+26p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= byte ptr -1Ch
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= word ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		push	78h
		push	offset dword_6A35D0
		call	__SEH_prolog4
		mov	cx, [ebp+arg_C]
		movzx	eax, cx
		mov	[ebp+var_4C], eax
		xor	ebx, ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_78], ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_1B], bl
		mov	[ebp+var_34], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_50], ebx
		test	cx, cx
		jnz	short loc_7C39E4
		cmp	[ebp+arg_8], ebx
		jnz	loc_7C3FF7

loc_7C39E4:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+45j
		mov	edi, large fs:124h
		mov	esi, [ebp+arg_0]
		cmp	edi, [esi+20h]
		jz	short loc_7C39FD
		mov	ecx, esi
		call	ExAcquireFastMutexUnsafe
		mov	[esi+20h], edi

loc_7C39FD:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+5Dj
		mov	eax, [ebp+arg_0]
		inc	dword ptr [eax+24h]
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+arg_4]

loc_7C3A09:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+652j
		mov	eax, [eax]
		mov	[ebp+var_48], eax
		mov	esi, eax
		cmp	esi, [ebp+arg_4]
		jz	loc_7C3FEB
		add	esi, 0FFFFFFF0h
		mov	[ebp+var_44], esi
		mov	[ebp+var_5C], esi
		cmp	[ebp+arg_8], 0
		jnz	short loc_7C3A4B
		mov	eax, [ebp+arg_20]
		cmp	eax, [esi+0Ch]
		jnz	loc_7C3FE3
		mov	[ebp+var_6C], ebx
		xor	eax, eax
		mov	word ptr [ebp+var_70], ax
		mov	[ebp+var_1B], 1
		mov	dl, bl
		mov	[ebp+var_19], dl
		jmp	loc_7C3B73
; 

loc_7C3A4B:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+92j
		mov	ecx, [esi+50h]
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		test	ax, ax
		jz	loc_7C3FE3
		mov	eax, [ebp+arg_18]
		test	[esi+28h], eax
		jz	loc_7C3FE3
		mov	eax, edx
		mov	edi, ecx
		cmp	[ebp+arg_14], 0
		jnz	short loc_7C3AC3
		mov	eax, [ebp+arg_8]
		mov	eax, [eax+4]
		mov	[ebp+var_84], eax
		mov	cx, [ebp+arg_C]
		mov	word ptr [ebp+var_88], cx
		mov	al, [esi+54h]
		mov	[ebp+var_1C], al
		movzx	eax, al
		mov	edx, [ebp+var_4C]
		cmp	dx, ax
		jz	short loc_7C3AAB
		movzx	eax, [ebp+var_1C]
		mov	cx, dx
		sub	cx, ax
		mov	word ptr [ebp+var_88], cx

loc_7C3AAB:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+104j
		mov	word ptr [ebp+var_88+2], cx
		lea	eax, [ebp+var_88]
		mov	[ebp+arg_14], eax
		mov	ecx, [esi+50h]
		mov	edi, ecx
		movzx	eax, word ptr [edi]

loc_7C3AC3:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+DCj
		movzx	edx, ax
		mov	eax, [ebp+arg_14]
		movzx	eax, word ptr [eax]
		cmp	dx, ax
		ja	loc_7C3FE3
		jnz	short loc_7C3ADB
		mov	al, 1
		jmp	short loc_7C3B12
; 

loc_7C3ADB:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+141j
		movzx	eax, word ptr [esi+24h]
		test	al, 1
		jz	loc_7C3FE3
		test	al, 10h
		jnz	short loc_7C3B10
		movzx	eax, word ptr [edi]
		mov	edi, [ebp+arg_14]
		add	eax, [edi+4]
		cmp	byte ptr [esi+54h], 1
		jnz	short loc_7C3B04
		cmp	byte ptr [eax],	5Ch
		jz	short loc_7C3B10
		jmp	loc_7C3FE3
; 

loc_7C3B04:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+164j
		push	5Ch
		pop	edi
		cmp	[eax], di
		jnz	loc_7C3FE3

loc_7C3B10:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+155j
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+169j
		mov	al, bl

loc_7C3B12:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+145j
		mov	[ebp+var_19], al
		push	edx		; size_t
		mov	eax, [ebp+arg_14]
		push	dword ptr [eax+4] ; void *
		push	dword ptr [ecx+4] ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7C3FE3
		mov	dl, [ebp+var_19]
		test	dl, dl
		jnz	short loc_7C3B53
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_7C3B53
		push	dword ptr [esi+0Ch]
		push	[ebp+arg_20]
		push	dword ptr [esi+4]
		call	eax
		test	al, al
		jz	loc_7C3FE3
		mov	dl, [ebp+var_19]

loc_7C3B53:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+1A0j
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+1A7j
		mov	eax, [esi+20h]
		test	eax, eax
		jz	short loc_7C3B73
		cmp	[ebp+arg_24], 0
		jz	short loc_7C3B73
		push	[ebp+arg_24]
		push	dword ptr [esi+4]
		call	eax
		test	al, al
		jz	loc_7C3FE3
		mov	dl, [ebp+var_19]

loc_7C3B73:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+B2j
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+1C4j ...
		movzx	eax, word ptr [esi+24h]
		mov	[ebp+var_30], eax
		test	al, 2
		jnz	loc_7C3FB4
		mov	edi, [esi+34h]
		mov	[ebp+var_2C], edi
		test	edi, edi
		jz	loc_7C3FB4
		mov	[ebp+var_38], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_54], ebx
		mov	ecx, [esi+38h]
		test	ecx, ecx
		jnz	short loc_7C3BB8
		lea	eax, [esi+18h]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_7C3C0F
		lea	eax, [ecx-58h]
		mov	[ebp+var_54], eax
		mov	eax, [eax+60h]
		mov	ecx, [eax+4]
		mov	eax, [ebp+var_30]

loc_7C3BB8:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+20Aj
		mov	[ebp+var_38], ecx
		mov	[ebp+var_2C], ecx

loc_7C3BBE:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+281j
		test	dl, dl
		jnz	loc_7C3D31
		cmp	[ebp+var_1B], dl
		jnz	loc_7C3D37
		and	eax, 10h
		mov	[ebp+var_30], eax
		jnz	short loc_7C3C17
		mov	eax, [ebp+arg_14]
		mov	edi, [eax+4]
		mov	eax, [ebp+arg_8]
		cmp	edi, [eax+4]
		jnz	short loc_7C3C17
		mov	eax, [esi+50h]
		movzx	edx, word ptr [eax]
		movzx	ecx, byte ptr [esi+54h]
		lea	eax, [ecx+edx]
		add	eax, edi
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+arg_14]
		mov	ax, [eax]
		sub	ax, cx
		sub	ax, dx

loc_7C3C03:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+392j
		mov	word ptr [ebp+var_70+2], ax
		mov	dl, [ebp+var_19]
		jmp	loc_7C3D33
; 

loc_7C3C0F:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+213j
		mov	[ebp+var_38], edi
		mov	eax, [ebp+var_30]
		jmp	short loc_7C3BBE
; 

loc_7C3C17:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+241j
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+24Fj
		cmp	[ebp+var_74], 0
		jnz	short loc_7C3C51
		mov	eax, [ebp+arg_8]
		mov	eax, [eax+4]
		mov	[ebp+var_74], eax
		mov	cx, [ebp+arg_C]
		mov	word ptr [ebp+var_78], cx
		mov	al, [esi+54h]
		mov	[ebp+var_1C], al
		movzx	eax, al
		mov	edx, [ebp+var_4C]
		cmp	dx, ax
		jz	short loc_7C3C4D
		movzx	eax, [ebp+var_1C]
		mov	cx, dx
		sub	cx, ax
		mov	word ptr [ebp+var_78], cx

loc_7C3C4D:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+2A9j
		mov	word ptr [ebp+var_78+2], cx

loc_7C3C51:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+287j
		mov	[ebp+var_1A], bl
		mov	ecx, ebx
		mov	[ebp+var_34], ecx
		cmp	word ptr [ebp+var_30], 0
		jnz	loc_7C3D10
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_40], ebx
		xor	edi, edi
		inc	edi
		mov	[ebp+var_3C], edi
		mov	edx, ebx
		mov	[ebp+var_40], edx
		mov	al, [esi+54h]
		mov	[ebp+var_1C], al
		mov	eax, [esi+50h]
		mov	[ebp+var_30], eax
		cmp	[ebp+var_1C], 1
		jnz	short loc_7C3CC5

loc_7C3C87:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+311j
		movzx	eax, word ptr [eax]
		cmp	edx, eax
		jnb	short loc_7C3CA7
		mov	eax, [ebp+var_30]
		mov	eax, [eax+4]
		cmp	byte ptr [edx+eax], 5Ch
		jnz	short loc_7C3C9E
		inc	edi
		mov	[ebp+var_3C], edi

loc_7C3C9E:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+304j
		inc	edx
		mov	[ebp+var_40], edx
		mov	eax, [ebp+var_30]
		jmp	short loc_7C3C87
; 

loc_7C3CA7:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+2F8j
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+32Fj
		mov	eax, [ebp+var_74]
		cmp	byte ptr [eax+ecx], 5Ch
		jnz	short loc_7C3CBF
		mov	al, [ebp+var_1A]
		inc	al
		mov	[ebp+var_1A], al
		movzx	eax, al
		cmp	eax, edi
		jz	short loc_7C3D10

loc_7C3CBF:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+31Aj
		inc	ecx
		mov	[ebp+var_34], ecx
		jmp	short loc_7C3CA7
; 

loc_7C3CC5:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+2F1j
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+357j
		movzx	eax, word ptr [eax]
		shr	eax, 1
		push	5Ch
		cmp	edx, eax
		jnb	short loc_7C3CED
		mov	eax, [ebp+var_30]
		mov	eax, [eax+4]
		pop	esi
		cmp	[eax+edx*2], si
		mov	esi, [ebp+var_44]
		jnz	short loc_7C3CE4
		inc	edi
		mov	[ebp+var_3C], edi

loc_7C3CE4:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+34Aj
		inc	edx
		mov	[ebp+var_40], edx
		mov	eax, [ebp+var_30]
		jmp	short loc_7C3CC5
; 

loc_7C3CED:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+33Aj
		pop	edx

loc_7C3CEE:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+39Bj
		mov	eax, [ebp+var_74]
		cmp	[eax+ecx*2], dx
		jnz	short loc_7C3D2B
		mov	al, [ebp+var_1A]
		inc	al
		mov	[ebp+var_1A], al
		movzx	eax, al
		cmp	eax, edi
		jnz	short loc_7C3D2B
		movzx	eax, [ebp+var_1C]
		imul	ecx, eax
		mov	[ebp+var_34], ecx

loc_7C3D10:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+2CAj
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+329j
		movzx	eax, byte ptr [esi+54h]
		add	ecx, eax
		mov	[ebp+var_34], ecx
		mov	eax, [ebp+var_74]
		add	eax, ecx
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+var_78]
		sub	eax, ecx
		jmp	loc_7C3C03
; 

loc_7C3D2B:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+361j
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+370j
		inc	ecx
		mov	[ebp+var_34], ecx
		jmp	short loc_7C3CEE
; 

loc_7C3D31:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+22Cj
		xor	eax, eax

loc_7C3D33:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+276j
		mov	word ptr [ebp+var_70], ax

loc_7C3D37:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+235j
		push	0Ch
		pop	edi
		mov	[ebp+var_24], edi
		cmp	[ebp+var_1B], 0
		jz	short loc_7C3D51
		mov	eax, [ebp+arg_10]
		movzx	edi, word ptr [eax]
		add	edi, 0Ch
		jmp	loc_7C3DD6
; 

loc_7C3D51:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+3ADj
		test	dl, dl
		jnz	short loc_7C3D79
		cmp	byte ptr [esi+54h], 1
		jnz	short loc_7C3D69
		lea	eax, [ebp+var_70]
		push	eax
		call	_RtlxOemStringToUnicodeSize@4 ;	RtlxOemStringToUnicodeSize(x)
		lea	edi, [eax+0Ah]
		jmp	short loc_7C3D70
; 

loc_7C3D69:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+3C5j
		movzx	edi, word ptr [ebp+var_70]
		add	edi, 0Ch

loc_7C3D70:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+3D3j
		mov	[ebp+var_24], edi
		add	edi, 2
		mov	[ebp+var_24], edi

loc_7C3D79:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+3BFj
		cmp	[ebp+var_7C], 0
		jnz	short loc_7C3D9C
		movzx	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		mov	eax, [ecx+4]
		add	eax, edx
		mov	[ebp+var_7C], eax
		mov	ax, [ecx]
		sub	ax, dx
		mov	word ptr [ebp+var_80], ax
		mov	word ptr [ebp+var_80+2], ax

loc_7C3D9C:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+3E9j
		cmp	byte ptr [esi+54h], 1
		jnz	short loc_7C3DB0
		lea	eax, [ebp+var_80]
		push	eax
		call	_RtlxOemStringToUnicodeSize@4 ;	RtlxOemStringToUnicodeSize(x)
		add	edi, 0FFFFFFFEh
		jmp	short loc_7C3DB4
; 

loc_7C3DB0:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+40Cj
		movzx	eax, word ptr [ebp+var_80]

loc_7C3DB4:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+41Aj
		add	edi, eax
		mov	[ebp+var_24], edi
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_7C3DD9
		cmp	byte ptr [esi+54h], 2
		jnz	short loc_7C3DCE
		movzx	eax, word ptr [eax]
		add	eax, 2
		jmp	short loc_7C3DD4
; 

loc_7C3DCE:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+430j
		push	eax
		call	_RtlxOemStringToUnicodeSize@4 ;	RtlxOemStringToUnicodeSize(x)

loc_7C3DD4:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+438j
		add	edi, eax

loc_7C3DD6:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+3B8j
		mov	[ebp+var_24], edi

loc_7C3DD9:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+42Aj
		mov	eax, [esi+3Ch]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_30], eax
		mov	[ebp+var_60], eax
		lea	ecx, [ebp+var_50]
		push	ecx
		mov	edx, edi
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	[ebp+var_64], eax
		mov	ecx, [ebp+var_2C]
		cmp	edi, ecx
		ja	loc_7C3F78
		test	eax, eax
		jnz	loc_7C3F78
		cmp	[ebp+var_50], ecx
		ja	loc_7C3F78
		mov	[ebp+var_28], ebx
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_7C3E41
		mov	ecx, [esi+40h]
		lea	edx, [ecx+eax]
		mov	[ebp+var_28], edx
		mov	eax, [ebp+var_30]
		sub	eax, ecx
		mov	[edx], eax
		mov	ecx, [ebp+var_30]
		mov	[esi+40h], ecx
		mov	eax, [esi+30h]
		add	eax, ecx
		mov	[ebp+var_28], eax
		mov	ecx, [ebp+var_2C]
		jmp	short loc_7C3E82
; 

loc_7C3E41:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+488j
		mov	edx, [ebp+var_54]
		test	edx, edx
		jz	short loc_7C3E82
		mov	eax, [edx+0Ch]
		test	eax, eax
		jz	short loc_7C3E54
		mov	[ebp+var_28], eax
		jmp	short loc_7C3E7C
; 

loc_7C3E54:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+4B9j
		mov	eax, [edx+4]
		test	eax, eax
		jz	short loc_7C3E82
		test	byte ptr [eax+6], 5
		jz	short loc_7C3E66
		mov	eax, [eax+0Ch]
		jmp	short loc_7C3E79
; 

loc_7C3E66:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+4CBj
		push	40000010h
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	eax
		call	MmMapLockedPagesSpecifyCache
		mov	ecx, [ebp+var_2C]

loc_7C3E79:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+4D0j
		mov	[ebp+var_28], eax

loc_7C3E7C:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+4BEj
		mov	[esi+30h], eax
		mov	[esi+38h], ecx

loc_7C3E82:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+4ABj
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+4B2j ...
		cmp	[esi+30h], ebx
		jnz	short loc_7C3EC2
		mov	[ebp+var_1D], bl
		xor	eax, eax
		inc	eax
		mov	[ebp+ms_exc.disabled], eax
		push	ecx
		push	eax
		push	dword ptr [esi+48h]
		call	_PsChargePoolQuota@12 ;	PsChargePoolQuota(x,x,x)
		mov	[ebp+var_1D], 1
		push	4E725346h
		push	[ebp+var_2C]
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+30h], eax
		mov	[esi+2Ch], eax
		mov	eax, [ebp+var_2C]
		mov	[esi+38h], eax
		mov	eax, [esi+30h]
		mov	[ebp+var_28], eax
		mov	[ebp+ms_exc.disabled], ebx

loc_7C3EC2:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+4F1j
		mov	eax, [ebp+var_30]

loc_7C3EC5:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+5CFj
		cmp	[ebp+var_28], 0
		jz	loc_7C3F6F
		mov	ecx, [esi+3Ch]
		cmp	eax, ecx
		jbe	short loc_7C3EE8
		sub	eax, ecx
		push	eax		; size_t
		push	ebx		; int
		mov	eax, [esi+30h]
		add	eax, ecx
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_7C3EE8:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+540j
		push	edi
		cmp	byte ptr [esi+54h], 2
		setz	al
		movzx	eax, al
		push	eax
		push	[ebp+arg_10]
		lea	eax, [ebp+var_80]
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		mov	edx, [ebp+arg_1C]
		mov	ecx, [ebp+var_28]
		call	FsRtlNotifyUpdateBuffer
		test	al, al
		jz	short loc_7C3F68
		mov	eax, [ebp+var_30]
		add	eax, edi
		mov	[esi+3Ch], eax
		jmp	short loc_7C3F6F
; 

loc_7C3F18:				; DATA XREF: .text:006A35F0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_68], eax
		mov	[ebp+var_58], eax
		push	[ebp+var_58]
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	eax, ecx
		retn
; 

loc_7C3F37:				; DATA XREF: .text:006A35F4o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_44]
		cmp	[ebp+var_1D], 0
		jz	short loc_7C3F4E
		push	[ebp+var_38]
		push	dword ptr [esi+48h]
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)

loc_7C3F4E:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+5ADj
		push	2
		pop	eax
		or	[esi+24h], ax
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	edi, [ebp+var_24]
		mov	eax, [ebp+var_60]
		mov	[ebp+var_30], eax
		jmp	loc_7C3EC5
; 

loc_7C3F68:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+578j
		push	2
		pop	eax
		or	[esi+24h], ax

loc_7C3F6F:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+535j
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+582j
		mov	eax, [ebp+var_5C]
		movzx	eax, word ptr [eax+24h]
		jmp	short loc_7C3F83
; 

loc_7C3F78:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+469j
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+471j ...
		push	2
		pop	eax
		or	[esi+24h], ax
		movzx	eax, word ptr [esi+24h]

loc_7C3F83:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+5E2j
		test	al, 2
		jz	short loc_7C3FB4
		cmp	[esi+30h], ebx
		jz	short loc_7C3FB4
		cmp	[esi+2Ch], ebx
		jz	short loc_7C3FA5
		push	dword ptr [esi+38h]
		push	dword ptr [esi+48h]
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)
		push	ebx
		push	dword ptr [esi+2Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C3FA5:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+5FBj
		mov	[esi+30h], ebx
		mov	[esi+2Ch], ebx
		mov	[esi+40h], ebx
		mov	[esi+3Ch], ebx
		mov	[esi+38h], ebx

loc_7C3FB4:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+1E8j
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+1F6j ...
		mov	ecx, [ebp+var_5C]
		movzx	eax, word ptr [ecx+24h]
		cmp	[ebp+arg_1C], 4
		jnz	short loc_7C3FCA
		or	eax, 8
		mov	[ecx+24h], ax
		jmp	short loc_7C3FE3
; 

loc_7C3FCA:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+62Bj
		and	eax, 0FFF7h
		mov	[ecx+24h], ax
		lea	eax, [esi+18h]
		cmp	[eax], eax
		jz	short loc_7C3FE3
		xor	edx, edx
		mov	ecx, esi
		call	_FsRtlNotifyCompleteIrpList@8 ;	FsRtlNotifyCompleteIrpList(x,x)

loc_7C3FE3:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+9Aj
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+C2j ...
		mov	eax, [ebp+var_48]
		jmp	loc_7C3A09
; 

loc_7C3FEB:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+7Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7C400B

loc_7C3FF7:				; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+4Aj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	28h
_FsRtlNotifyFilterReportChange@40 endp


;  S U B	R O U T	I N E 


sub_7C4009	proc near		; DATA XREF: .text:006A35E8o
		xor	ebx, ebx
sub_7C4009	endp


;  S U B	R O U T	I N E 


sub_7C400B	proc near		; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+65Ep
		mov	esi, [ebp+8]
		sub	dword ptr [esi+24h], 1
		jnz	short locret_7C401E
		mov	[esi+20h], ebx
		mov	ecx, esi
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

locret_7C401E:				; CODE XREF: sub_7C400B+7j
		retn
sub_7C400B	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 604. FsRtlNotifyFilterChangeDirectory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlNotifyFilterChangeDirectory
FsRtlNotifyFilterChangeDirectory proc near
					; CODE XREF: FsRtlNotifyChangeDirectory(x,x,x,x,x,x,x)+21p
					; FsRtlNotifyFullChangeDirectory(x,x,x,x,x,x,x,x,x,x)+25p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 007C4203 SIZE 00000005 BYTES
; FUNCTION CHUNK AT 008F058A SIZE 000000D1 BYTES

		push	0Ch
		push	offset dword_6A35F8
		call	__SEH_prolog4
		mov	esi, [ebp+arg_4]
		mov	edi, [ebp+arg_1C]
		cmp	[esi], esi
		jz	loc_7C4121

loc_7C403E:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+FFj
		mov	eax, large fs:124h
		mov	[ebp+arg_1C], eax
		mov	ebx, [ebp+arg_0]
		cmp	eax, [ebx+20h]
		jz	short loc_7C405C
		mov	ecx, ebx
		call	ExAcquireFastMutexUnsafe
		mov	eax, [ebp+arg_1C]
		mov	[ebx+20h], eax

loc_7C405C:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+29j
		inc	dword ptr [ebx+24h]
		and	[ebp+ms_exc.disabled], 0
		test	edi, edi
		jz	loc_8F058A
		mov	edx, [edi+60h]
		mov	[ebp+arg_1C], edx
		and	dword ptr [edi+18h], 0
		and	dword ptr [edi+1Ch], 0
		mov	eax, [edx+18h]
		test	dword ptr [eax+2Ch], 4000h
		jnz	loc_8F059C
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_FsRtlIsNotifyOnList@8 ; FsRtlIsNotifyOnList(x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jz	loc_7C412B
		movzx	eax, word ptr [esi+24h]
		mov	ecx, eax
		test	al, 4
		jnz	loc_8F0599
		test	al, 20h
		jnz	loc_8F0617
		and	ecx, 8
		test	al, 2
		jnz	loc_8F0629

loc_7C40C1:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+12C608j
		mov	eax, [esi+3Ch]
		mov	[ebp+arg_10], eax
		mov	edx, [ebp+arg_1C]
		test	eax, eax
		jnz	loc_8F0637

loc_7C40D2:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+12C616j
		xor	ecx, ecx
		inc	ecx

loc_7C40D5:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+1B7j
		mov	[edi+1Ch], esi
		or	[edx+3], cl
		lea	eax, [edi+58h]
		lea	ecx, [esi+18h]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_7C4203
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		lock inc dword ptr [esi+44h]
		xor	edx, edx
		mov	ecx, edi
		call	FsRtlNotifySetCancelRoutine

loc_7C4103:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+12C570j
					; FsRtlNotifyFilterChangeDirectory+12C5A9j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7C41E0

loc_7C410F:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+105j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	2Ch
; 

loc_7C4121:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+14j
		test	edi, edi
		jnz	loc_7C403E
		jmp	short loc_7C410F
; 

loc_7C412B:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+76j
		push	4E725346h
		push	58h
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		push	58h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi], ebx
		mov	eax, [ebp+arg_8]
		mov	[esi+4], eax
		mov	edx, [ebp+arg_1C]
		mov	eax, [edx+18h]
		mov	eax, [eax+0Ch]
		mov	[esi+4Ch], eax
		mov	eax, [ebp+arg_20]
		mov	[esi+8], eax
		mov	eax, [ebp+arg_24]
		mov	[esi+0Ch], eax
		and	[ebp+arg_24], 0
		mov	eax, [ebp+arg_28]
		mov	[esi+20h], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+50h], eax
		lea	eax, [esi+18h]
		mov	[eax+4], eax
		mov	[eax], eax
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr [ebp+arg_10], 0
		jnz	loc_8F05D2

loc_7C4190:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+12C5B2j
		cmp	[ebp+arg_C], 0
		jnz	loc_8F05DB
		mov	[esi+54h], cl

loc_7C419D:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+12C5E3j
					; FsRtlNotifyFilterChangeDirectory+12C5EEj
		mov	eax, [ebp+arg_18]
		mov	[esi+28h], eax
		cmp	[ebp+arg_14], 0
		jnz	short loc_7C41AF
		mov	eax, [edx+4]
		mov	[esi+34h], eax

loc_7C41AF:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+183j
		mov	eax, [edi+50h]
		mov	eax, [eax+150h]
		mov	[esi+48h], eax
		lea	edx, [esi+10h]
		mov	eax, [ebp+arg_4]
		mov	ebx, [eax+4]
		cmp	[ebx], eax
		jnz	short loc_7C4203
		mov	[edx], eax
		mov	[edx+4], ebx
		mov	[ebx], edx
		mov	[eax+4], edx
		mov	[esi+44h], ecx
		mov	edx, [edi+60h]
		mov	ebx, [ebp+arg_0]
		jmp	loc_7C40D5
FsRtlNotifyFilterChangeDirectory endp


;  S U B	R O U T	I N E 


sub_7C41E0	proc near		; CODE XREF: FsRtlNotifyFilterChangeDirectory+E6p
					; sub_8F065B+3j

; FUNCTION CHUNK AT 008F0663 SIZE 00000013 BYTES

		sub	dword ptr [ebx+24h], 1
		jnz	short loc_7C41F1
		and	dword ptr [ebx+20h], 0
		mov	ecx, ebx
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

loc_7C41F1:				; CODE XREF: sub_7C41E0+4j
		mov	esi, [ebp+2Ch]
		test	esi, esi
		jz	short locret_7C4202
		cmp	dword ptr [ebp+14h], 0
		jnz	loc_8F0663

locret_7C4202:				; CODE XREF: sub_7C41E0+16j
					; sub_7C41E0+12C491j
		retn
sub_7C41E0	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlNotifyFilterChangeDirectory

loc_7C4203:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+C2j
					; FsRtlNotifyFilterChangeDirectory+1A2j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
; END OF FUNCTION CHUNK	FOR FsRtlNotifyFilterChangeDirectory ; AL = character to display
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 608. FsRtlNotifyFilterReportChangeLiteEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNotifyFilterReportChangeLiteEx(x, x, x, x, x, x, x, x,	x, x)
		public _FsRtlNotifyFilterReportChangeLiteEx@40
_FsRtlNotifyFilterReportChangeLiteEx@40	proc near
					; CODE XREF: FsRtlNotifyFilterReportChangeLite(x,x,x,x,x,x,x,x,x)+22p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= byte ptr  28h
arg_24		= dword	ptr  2Ch

		push	54h
		push	offset dword_6A3618
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	eax, [ebp+arg_4]
		cmp	[eax], eax
		jz	loc_7C467C
		mov	eax, [ebp+arg_24]
		test	eax, eax
		jz	short loc_7C423D
		cmp	dword ptr [eax], 50h
		jb	loc_7C467C

loc_7C423D:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+24j
		mov	esi, [ebp+arg_0]
		cmp	[esi], ebx
		jnz	short loc_7C4266
		mov	[ebp+var_34], ebx
		lea	eax, [ebp+var_34]
		push	eax
		call	_FsRtlNotifyInitializeSync@4 ; FsRtlNotifyInitializeSync(x)
		mov	ecx, [ebp+var_34]
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_7C4266
		lea	eax, [ebp+var_34]
		push	eax
		call	_FsRtlNotifyUninitializeSync@4 ; FsRtlNotifyUninitializeSync(x)

loc_7C4266:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+34j
					; FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+4Dj
		mov	edi, large fs:124h
		mov	esi, [ebp+arg_0]
		mov	eax, [esi]
		cmp	edi, [eax+20h]
		jz	short loc_7C4285
		mov	ecx, eax
		call	ExAcquireFastMutexUnsafe
		mov	eax, [esi]
		mov	[eax+20h], edi
		mov	eax, [esi]

loc_7C4285:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+67j
		inc	dword ptr [eax+24h]
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+arg_4]

loc_7C428E:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+45Dj
		mov	eax, [eax]
		mov	[ebp+var_40], eax
		mov	esi, eax
		cmp	esi, [ebp+arg_4]
		jz	loc_7C4670
		add	esi, 0FFFFFFF0h
		mov	[ebp+var_3C], esi
		mov	[ebp+var_58], esi
		lea	edi, [esi+24h]
		mov	[ebp+var_50], edi
		movzx	ecx, word ptr [edi]
		mov	al, cl
		shr	al, 7
		and	al, 1
		mov	[ebp+var_1A], al
		mov	eax, [ebp+arg_10]
		test	[esi+28h], eax
		jz	loc_7C4668
		test	[ebp+arg_20], 1
		jnz	short loc_7C42EF
		test	cl, 1
		jz	loc_7C4668
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_7C42EF
		push	dword ptr [esi+0Ch]
		push	[ebp+arg_18]
		push	dword ptr [esi+4]
		call	eax
		test	al, al
		jz	loc_7C4668

loc_7C42EF:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+BCj
					; FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+CCj
		mov	eax, [esi+20h]
		test	eax, eax
		jz	short loc_7C430C
		cmp	[ebp+arg_1C], 0
		jz	short loc_7C430C
		push	[ebp+arg_1C]
		push	dword ptr [esi+4]
		call	eax
		test	al, al
		jz	loc_7C4668

loc_7C430C:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+E6j
					; FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+ECj
		movzx	eax, word ptr [edi]
		mov	[ebp+var_5C], eax
		test	al, 2
		jnz	loc_7C463F
		mov	edi, [esi+34h]
		mov	[ebp+var_2C], edi
		test	edi, edi
		jz	loc_7C463C
		mov	[ebp+var_30], ebx
		mov	[ebp+var_48], ebx
		mov	eax, [esi+38h]
		test	eax, eax
		jnz	short loc_7C4354
		lea	eax, [esi+18h]
		mov	edx, [eax]
		cmp	edx, eax
		jz	short loc_7C434F
		add	edx, 0FFFFFFA8h
		mov	[ebp+var_48], edx
		mov	eax, [edx+60h]
		mov	edi, [eax+4]
		mov	[ebp+var_30], edi
		jmp	short loc_7C4359
; 

loc_7C434F:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+12Ej
		mov	[ebp+var_30], edi
		jmp	short loc_7C435C
; 

loc_7C4354:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+125j
		mov	edi, eax
		mov	[ebp+var_30], eax

loc_7C4359:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+13Fj
		mov	[ebp+var_2C], edi

loc_7C435C:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+144j
		xor	ecx, ecx
		cmp	[ebp+var_1A], cl
		setz	cl
		dec	ecx
		and	ecx, 48h
		add	ecx, 0Ch
		mov	[ebp+var_38], ecx
		mov	eax, [ebp+arg_8]
		movzx	eax, word ptr [eax]
		add	ecx, eax
		mov	[ebp+var_24], ecx
		mov	[ebp+var_38], ecx
		mov	edx, [ebp+arg_C]
		test	edx, edx
		jz	short loc_7C4391
		movzx	eax, word ptr [edx]
		add	eax, 2
		add	ecx, eax
		mov	[ebp+var_24], ecx
		mov	[ebp+var_38], ecx

loc_7C4391:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+173j
		mov	eax, [esi+3Ch]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_28], eax
		mov	[ebp+var_54], eax
		lea	edx, [ebp+var_44]
		push	edx
		mov	edx, ecx
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	[ebp+var_60], eax
		cmp	[ebp+var_24], edi
		ja	loc_7C45FA
		test	eax, eax
		jnz	loc_7C45FA
		cmp	[ebp+var_44], edi
		ja	loc_7C45FA
		mov	edi, ebx
		mov	[ebp+var_20], edi
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_7C43F6
		mov	ecx, [esi+40h]
		lea	edx, [ecx+eax]
		mov	[ebp+var_20], edx
		mov	eax, [ebp+var_28]
		sub	eax, ecx
		mov	[edx], eax
		mov	eax, [ebp+var_28]
		mov	[esi+40h], eax
		mov	edi, [esi+30h]
		add	edi, eax
		mov	[ebp+var_20], edi
		jmp	short loc_7C4438
; 

loc_7C43F6:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+1C6j
		mov	eax, [ebp+var_48]
		test	eax, eax
		jz	short loc_7C4438
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jz	short loc_7C4408
		mov	edi, ecx
		jmp	short loc_7C442C
; 

loc_7C4408:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+1F4j
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_7C4438
		test	byte ptr [eax+6], 5
		jz	short loc_7C441A
		mov	edi, [eax+0Ch]
		jmp	short loc_7C442C
; 

loc_7C441A:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+205j
		push	40000010h
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	eax
		call	MmMapLockedPagesSpecifyCache
		mov	edi, eax

loc_7C442C:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+1F8j
					; FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+20Aj
		mov	[ebp+var_20], edi
		mov	[esi+30h], edi
		mov	eax, [ebp+var_2C]
		mov	[esi+38h], eax

loc_7C4438:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+1E6j
					; FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+1EDj ...
		cmp	[esi+30h], ebx
		jnz	short loc_7C4478
		mov	[ebp+var_19], bl
		mov	[ebp+ms_exc.disabled], 1
		mov	edi, [ebp+var_2C]
		push	edi
		push	1
		push	dword ptr [esi+48h]
		call	_PsChargePoolQuota@12 ;	PsChargePoolQuota(x,x,x)
		mov	[ebp+var_19], 1
		push	4E725346h
		push	edi
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+30h], eax
		mov	[esi+2Ch], eax
		mov	[esi+38h], edi
		mov	edi, [esi+30h]
		mov	[ebp+var_20], edi
		mov	[ebp+ms_exc.disabled], ebx

loc_7C4478:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+22Dj
		push	2
		pop	ecx
		mov	eax, [ebp+var_28]

loc_7C447E:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+374j
		mov	[ebp+ms_exc.disabled], ecx
		test	edi, edi
		jz	loc_7C45EC
		mov	ecx, [esi+3Ch]
		cmp	eax, ecx
		jbe	short loc_7C44A2
		sub	eax, ecx
		push	eax		; size_t
		push	ebx		; int
		mov	eax, [esi+30h]
		add	eax, ecx
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_7C44A2:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+280j
		mov	[edi], ebx
		mov	eax, [ebp+arg_14]
		mov	[edi+4], eax
		cmp	[ebp+var_1A], 0
		jz	loc_7C4587
		mov	edx, [ebp+arg_24]
		mov	eax, [edx+8]
		mov	[edi+8], eax
		mov	eax, [edx+0Ch]
		mov	[edi+0Ch], eax
		mov	eax, [edx+10h]
		mov	ecx, [edx+14h]
		mov	[edi+10h], eax
		mov	[edi+14h], ecx
		mov	eax, [edx+18h]
		mov	ecx, [edx+1Ch]
		mov	[edi+18h], eax
		mov	[edi+1Ch], ecx
		mov	eax, [edx+20h]
		mov	ecx, [edx+24h]
		mov	[edi+20h], eax
		mov	[edi+24h], ecx
		mov	eax, [edx+28h]
		mov	ecx, [edx+2Ch]
		mov	[edi+28h], eax
		mov	[edi+2Ch], ecx
		mov	eax, [edx+30h]
		mov	ecx, [edx+34h]
		mov	[edi+30h], eax
		mov	[edi+34h], ecx
		mov	eax, [edx+38h]
		mov	[edi+38h], eax
		mov	eax, [edx+3Ch]
		mov	[edi+3Ch], eax
		mov	eax, [edx+40h]
		mov	ecx, [edx+44h]
		mov	[edi+40h], eax
		mov	[edi+44h], ecx
		mov	eax, [edx+48h]
		mov	ecx, [edx+4Ch]
		mov	[edi+48h], eax
		mov	[edi+4Ch], ecx
		mov	eax, [ebp+var_24]
		add	eax, 0FFFFFFACh
		mov	[edi+50h], eax
		add	edi, 54h
		jmp	short loc_7C4593
; 

loc_7C4531:				; DATA XREF: .text:006A3638o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_64], eax
		mov	[ebp+var_4C], eax
		push	[ebp+var_4C]
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	eax, ecx
		retn
; 

loc_7C4550:				; DATA XREF: .text:006A363Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_3C]
		cmp	[ebp+var_19], 0
		jz	short loc_7C4567
		push	[ebp+var_30]
		push	dword ptr [esi+48h]
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)

loc_7C4567:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+34Cj
		push	2
		pop	ecx
		or	[esi+24h], cx
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+var_38]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_54]
		mov	[ebp+var_28], eax
		mov	edi, [ebp+var_20]
		jmp	loc_7C447E
; 

loc_7C4587:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+2A0j
		mov	eax, [ebp+var_24]
		add	eax, 0FFFFFFF4h
		mov	[edi+8], eax
		add	edi, 0Ch

loc_7C4593:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+321j
		mov	ecx, [ebp+arg_8]
		movzx	eax, word ptr [ecx]
		push	eax		; size_t
		push	dword ptr [ecx+4] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, [ebp+arg_C]
		test	edx, edx
		jz	short loc_7C45CE
		mov	eax, [ebp+arg_8]
		movzx	eax, word ptr [eax]
		add	edi, eax
		push	3Ah
		pop	eax
		mov	[edi], ax
		add	edi, 2
		movzx	eax, word ptr [edx]
		push	eax		; size_t
		push	dword ptr [edx+4] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_7C45CE:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+39Dj
		mov	eax, [ebp+var_24]
		add	eax, [ebp+var_28]
		mov	[esi+3Ch], eax
		jmp	short loc_7C45EC
; 

loc_7C45D9:				; DATA XREF: .text:006A3644o
		xor	eax, eax
		inc	eax
		retn
; 

loc_7C45DD:				; DATA XREF: .text:006A3648o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_3C]
		push	2
		pop	eax
		or	[esi+24h], ax
		xor	ebx, ebx

loc_7C45EC:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+275j
					; FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+3C9j
		mov	[ebp+ms_exc.disabled], ebx
		mov	edi, [ebp+var_58]
		add	edi, 24h
		movzx	eax, word ptr [edi]
		jmp	short loc_7C4609
; 

loc_7C45FA:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+1A5j
					; FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+1ADj ...
		mov	eax, [ebp+var_5C]
		or	eax, 2
		mov	edi, [ebp+var_50]
		mov	[edi], ax
		movzx	eax, ax

loc_7C4609:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+3EAj
		test	al, 2
		jz	short loc_7C463F
		cmp	[esi+30h], ebx
		jz	short loc_7C463F
		cmp	[esi+2Ch], ebx
		jz	short loc_7C462B
		push	dword ptr [esi+38h]
		push	dword ptr [esi+48h]
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)
		push	ebx
		push	dword ptr [esi+2Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C462B:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+407j
		mov	[esi+30h], ebx
		mov	[esi+2Ch], ebx
		mov	[esi+40h], ebx
		mov	[esi+3Ch], ebx
		mov	[esi+38h], ebx
		jmp	short loc_7C463F
; 

loc_7C463C:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+114j
		mov	edi, [ebp+var_50]

loc_7C463F:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+106j
					; FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+3FDj ...
		movzx	eax, word ptr [edi]
		cmp	[ebp+arg_14], 4
		jnz	short loc_7C4650
		or	eax, 8
		mov	[edi], ax
		jmp	short loc_7C4668
; 

loc_7C4650:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+438j
		and	eax, 0FFF7h
		mov	[edi], ax
		lea	eax, [esi+18h]
		cmp	[eax], eax
		jz	short loc_7C4668
		xor	edx, edx
		mov	ecx, esi
		call	_FsRtlNotifyCompleteIrpList@8 ;	FsRtlNotifyCompleteIrpList(x,x)

loc_7C4668:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+B2j
					; FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+C1j	...
		mov	eax, [ebp+var_40]
		jmp	loc_7C428E
; 

loc_7C4670:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+8Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7C4690

loc_7C467C:				; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+19j
					; FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+29j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	28h
_FsRtlNotifyFilterReportChangeLiteEx@40	endp


;  S U B	R O U T	I N E 


sub_7C468E	proc near		; DATA XREF: .text:006A3630o
		xor	ebx, ebx
sub_7C468E	endp


;  S U B	R O U T	I N E 


sub_7C4690	proc near		; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+469p
		mov	esi, [ebp+8]
		mov	eax, [esi]
		dec	dword ptr [eax+24h]
		mov	eax, [esi]
		cmp	[eax+24h], ebx
		jnz	short locret_7C46A9
		mov	[eax+20h], ebx
		mov	ecx, [esi]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

locret_7C46A9:				; CODE XREF: sub_7C4690+Dj
		retn
sub_7C4690	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNotifyCompleteIrpList(x, x)
_FsRtlNotifyCompleteIrpList@8 proc near	; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+64Ap
					; FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+455p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, 0FFFDh
		mov	ebx, edx
		mov	edx, [edi+3Ch]
		lea	esi, [edi+18h]
		and	[edi+24h], ax
		and	dword ptr [edi+3Ch], 0
		and	dword ptr [edi+40h], 0
		mov	eax, [esi]
		mov	[ebp+var_4], edx

loc_7C46D3:				; CODE XREF: FsRtlNotifyCompleteIrpList(x,x)+5Dj
		cmp	[eax+4], esi
		jnz	short loc_7C4709
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_7C4709
		push	1
		mov	[esi], ecx
		push	ebx
		mov	[ecx+4], esi
		lea	ecx, [eax-58h]
		and	dword ptr [eax], 0
		push	edx
		mov	edx, edi
		call	FsRtlNotifyCompleteIrp
		test	ebx, ebx
		jnz	short loc_7C46FE

loc_7C46F9:				; CODE XREF: FsRtlNotifyCompleteIrpList(x,x)+58j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7C46FE:				; CODE XREF: FsRtlNotifyCompleteIrpList(x,x)+4Dj
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_7C46F9
		mov	edx, [ebp+var_4]
		jmp	short loc_7C46D3
; 

loc_7C4709:				; CODE XREF: FsRtlNotifyCompleteIrpList(x,x)+2Cj
					; FsRtlNotifyCompleteIrpList(x,x)+33j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_FsRtlNotifyCompleteIrpList@8 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlNotifyCompleteIrp proc near	; CODE XREF: FsRtlNotifyCompleteIrpList(x,x)+46p
					; FsRtlNotifyFilterChangeDirectoryLite+21Fp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F0676 SIZE 00000043 BYTES

		push	14h
		push	offset dword_6A3650
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_1C], ebx
		mov	esi, ecx
		mov	[ebp+var_24], esi
		call	FsRtlNotifySetCancelRoutine
		test	al, al
		jz	loc_7C47F0

loc_7C4731:				; CODE XREF: FsRtlNotifyCompleteIrp+E6j
		mov	ecx, [ebp+arg_4]
		mov	[ebp+arg_8], ecx
		test	ecx, ecx
		jnz	loc_7C47C4
		mov	eax, [esi+60h]
		mov	[ebp+var_20], eax
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_7C47E9
		cmp	[eax+4], edi
		jb	loc_7C47E9
		mov	edx, [ebx+2Ch]
		xor	ebx, ebx
		test	edx, edx
		jz	loc_7C4820
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [esi+0Ch]
		test	eax, eax
		jnz	loc_7C481B
		mov	eax, [esi+4]
		test	eax, eax
		jnz	loc_8F0676
		mov	eax, [ebp+var_20]
		test	byte ptr [eax+3], 1
		jz	short loc_7C47FC
		or	dword ptr [esi+8], 70h
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+2Ch]
		mov	[esi+0Ch], eax

loc_7C4795:				; CODE XREF: FsRtlNotifyCompleteIrp+FBj
					; FsRtlNotifyCompleteIrp+12BFA6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C479C:				; CODE XREF: sub_8F06BD+1Fj
		mov	eax, [ebp+var_1C]
		push	dword ptr [eax+38h]
		push	dword ptr [eax+48h]
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax+2Ch]
		cmp	ecx, [esi+0Ch]
		jnz	short loc_7C480B

loc_7C47B5:				; CODE XREF: FsRtlNotifyCompleteIrp+FFj
					; FsRtlNotifyCompleteIrp+10Bj
		mov	[eax+2Ch], ebx
		mov	[eax+38h], ebx
		mov	ecx, [ebp+arg_8]

loc_7C47BE:				; CODE XREF: FsRtlNotifyCompleteIrp+115j
		mov	[esi+1Ch], edi
		mov	[eax+30h], ebx

loc_7C47C4:				; CODE XREF: FsRtlNotifyCompleteIrp+2Bj
					; FsRtlNotifyCompleteIrp+E0j
		mov	eax, [esi+60h]
		or	byte ptr [eax+3], 1
		mov	[esi+18h], ecx
		mov	dl, 1
		mov	ecx, esi
		call	IofCompleteRequest

loc_7C47D7:				; CODE XREF: FsRtlNotifyCompleteIrp+ECj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7C47E9:				; CODE XREF: FsRtlNotifyCompleteIrp+3Cj
					; FsRtlNotifyCompleteIrp+45j
		mov	ecx, 10Ch
		jmp	short loc_7C47C4
; 

loc_7C47F0:				; CODE XREF: FsRtlNotifyCompleteIrp+1Dj
		cmp	[ebp+arg_8], 0
		jz	loc_7C4731
		jmp	short loc_7C47D7
; 

loc_7C47FC:				; CODE XREF: FsRtlNotifyCompleteIrp+78j
		push	edi		; size_t
		push	edx		; void *
		push	dword ptr [esi+3Ch] ; void *

loc_7C4801:				; CODE XREF: FsRtlNotifyCompleteIrp+110j
					; FsRtlNotifyCompleteIrp+12BF91j
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_7C4795
; 

loc_7C480B:				; CODE XREF: FsRtlNotifyCompleteIrp+A5j
		test	ecx, ecx
		jz	short loc_7C47B5
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_1C]
		jmp	short loc_7C47B5
; 

loc_7C481B:				; CODE XREF: FsRtlNotifyCompleteIrp+60j
		push	edi
		push	edx
		push	eax
		jmp	short loc_7C4801
; 

loc_7C4820:				; CODE XREF: FsRtlNotifyCompleteIrp+52j
		mov	eax, [ebp+var_1C]
		jmp	short loc_7C47BE
FsRtlNotifyCompleteIrp endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 602. FsRtlNotifyCleanup

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlNotifyCleanup
FsRtlNotifyCleanup proc	near

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	0Ch
		push	offset dword_6A3670
		call	__SEH_prolog4
		and	[ebp+var_1C], 0
		mov	edi, large fs:124h
		mov	esi, [ebp+arg_0]
		cmp	edi, [esi+20h]
		jz	short loc_7C4853
		mov	ecx, esi
		call	ExAcquireFastMutexUnsafe
		mov	[esi+20h], edi

loc_7C4853:				; CODE XREF: FsRtlNotifyCleanup+1Dj
		inc	dword ptr [esi+24h]
		and	[ebp+ms_exc.disabled], 0
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		call	_FsRtlIsNotifyOnList@8 ; FsRtlIsNotifyOnList(x,x)
		test	eax, eax
		jz	short loc_7C4873
		lea	edx, [ebp+var_1C]
		mov	ecx, eax
		call	_FsRtlNotifyCleanupOneEntry@8 ;	FsRtlNotifyCleanupOneEntry(x,x)

loc_7C4873:				; CODE XREF: FsRtlNotifyCleanup+3Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7C4891
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
FsRtlNotifyCleanup endp


;  S U B	R O U T	I N E 


sub_7C4891	proc near		; CODE XREF: FsRtlNotifyCleanup+50p
					; sub_8F06E1+3j

; FUNCTION CHUNK AT 008F06E9 SIZE 0000000F BYTES

		sub	dword ptr [esi+24h], 1
		jnz	short loc_7C48A2
		and	dword ptr [esi+20h], 0
		mov	ecx, esi
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

loc_7C48A2:				; CODE XREF: sub_7C4891+4j
		mov	esi, [ebp-1Ch]
		test	esi, esi
		jnz	loc_8F06E9
		retn
sub_7C4891	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 605. FsRtlNotifyFilterChangeDirectoryLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlNotifyFilterChangeDirectoryLite
FsRtlNotifyFilterChangeDirectoryLite proc near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 007C4B02 SIZE 00000006 BYTES
; FUNCTION CHUNK AT 008F06F8 SIZE 0000005B BYTES

		push	10h
		push	offset dword_6A3690
		call	__SEH_prolog4
		mov	eax, [ebp+arg_4]
		mov	edi, [ebp+arg_14]
		cmp	[eax], eax
		jz	loc_7C4A34

loc_7C48CE:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+182j
		xor	ebx, ebx
		mov	esi, [ebp+arg_0]
		cmp	[esi], ebx
		jz	loc_7C4A77

loc_7C48DB:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+1DAj
					; FsRtlNotifyFilterChangeDirectoryLite+12BE4Dj
		mov	ecx, large fs:124h
		mov	[ebp+var_1C], ecx
		mov	eax, [esi]
		cmp	ecx, [eax+20h]
		jz	short loc_7C48FD
		mov	ecx, eax
		call	ExAcquireFastMutexUnsafe
		mov	eax, [esi]
		mov	ecx, [ebp+var_1C]
		mov	[eax+20h], ecx
		mov	eax, [esi]

loc_7C48FD:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+36j
		inc	dword ptr [eax+24h]
		mov	[ebp+ms_exc.disabled], ebx
		test	edi, edi
		jz	loc_8F0706
		mov	edx, [edi+60h]
		mov	[ebp+var_1C], edx
		mov	[edi+18h], ebx
		mov	[edi+1Ch], ebx
		mov	eax, [edx+18h]
		test	dword ptr [eax+2Ch], 4000h
		jnz	loc_8F0713
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		call	_FsRtlIsNotifyOnList@8 ; FsRtlIsNotifyOnList(x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jnz	loc_7C4A3E
		push	4E725346h
		push	4Ch
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		push	4Ch		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		or	word ptr [esi+24h], 40h
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		mov	[esi], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+4], eax
		mov	eax, [ebp+arg_18]
		mov	[esi+8], eax
		mov	eax, [ebp+arg_1C]
		mov	[esi+0Ch], eax
		mov	[ebp+arg_1C], ebx
		mov	eax, [ebp+arg_20]
		mov	[esi+20h], eax
		lea	eax, [esi+18h]
		mov	[eax+4], eax
		mov	[eax], eax
		xor	ecx, ecx
		inc	ecx
		test	[ebp+arg_C], cl
		jnz	loc_7C4A6E

loc_7C4999:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+1BEj
		test	[ebp+arg_C], 4
		jnz	loc_8F0730

loc_7C49A3:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+12BE85j
		mov	eax, [ebp+arg_10]
		mov	[esi+28h], eax
		test	[ebp+arg_C], 2
		jnz	short loc_7C49B8
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+4]
		mov	[esi+34h], eax

loc_7C49B8:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+F9j
		mov	eax, [edi+50h]
		mov	eax, [eax+150h]
		mov	[esi+48h], eax
		lea	edx, [esi+10h]
		mov	eax, [ebp+arg_4]
		mov	edi, [eax+4]
		cmp	[edi], eax
		jnz	loc_7C4B02
		mov	[edx], eax
		mov	[edx+4], edi
		mov	[edi], edx
		mov	[eax+4], edx
		mov	[esi+44h], ecx
		mov	edi, [ebp+arg_14]
		mov	eax, [edi+60h]

loc_7C49E8:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+1B5j
		mov	[edi+1Ch], esi
		or	[eax+3], cl
		lea	eax, [edi+58h]
		lea	ecx, [esi+18h]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_7C4B02
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		lock inc dword ptr [esi+44h]
		xor	edx, edx
		mov	ecx, edi
		call	FsRtlNotifySetCancelRoutine

loc_7C4A16:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+208j
					; FsRtlNotifyFilterChangeDirectoryLite+224j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7C4ADD

loc_7C4A22:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+188j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_7C4A34:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+14j
		test	edi, edi
		jnz	loc_7C48CE
		jmp	short loc_7C4A22
; 

loc_7C4A3E:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+85j
		movzx	ecx, word ptr [esi+24h]
		test	cl, 4
		jnz	loc_8F071B
		test	cl, 20h
		jnz	loc_8F073E
		mov	al, cl
		and	al, 0Ah
		cmp	al, 2
		jz	short loc_7C4A99
		mov	edx, [esi+3Ch]
		mov	eax, [ebp+var_1C]
		test	edx, edx
		jnz	short loc_7C4AC1

loc_7C4A66:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+210j
		xor	ecx, ecx
		inc	ecx
		jmp	loc_7C49E8
; 

loc_7C4A6E:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+DFj
		or	[esi+24h], cx
		jmp	loc_7C4999
; 

loc_7C4A77:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+21j
		mov	[ebp+var_1C], ebx
		lea	eax, [ebp+var_1C]
		push	eax
		call	_FsRtlNotifyInitializeSync@4 ; FsRtlNotifyInitializeSync(x)
		mov	ecx, [ebp+var_1C]
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	loc_7C48DB
		jmp	loc_8F06F8
; 

loc_7C4A99:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+1A6j
		and	ecx, 0FFFDh
		mov	[esi+24h], cx
		mov	eax, [edi+60h]
		xor	ecx, ecx
		inc	ecx
		or	[eax+3], cl
		mov	dword ptr [edi+18h], 10Ch

loc_7C4AB3:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+12BE77j
					; FsRtlNotifyFilterChangeDirectoryLite+12BE9Aj
		mov	dl, cl
		mov	ecx, edi
		call	IofCompleteRequest
		jmp	loc_7C4A16
; 

loc_7C4AC1:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+1B0j
		test	cl, 8
		jnz	short loc_7C4A66
		mov	[esi+3Ch], ebx
		mov	[esi+40h], ebx
		push	ebx
		push	ebx
		push	edx
		mov	edx, esi
		mov	ecx, edi
		call	FsRtlNotifyCompleteIrp
		jmp	loc_7C4A16
FsRtlNotifyFilterChangeDirectoryLite endp


;  S U B	R O U T	I N E 


sub_7C4ADD	proc near		; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+169p
					; sub_8F0753+2j

; FUNCTION CHUNK AT 008F075A SIZE 00000012 BYTES

		mov	ecx, [ebp+8]
		mov	eax, [ecx]
		dec	dword ptr [eax+24h]
		mov	eax, [ecx]
		cmp	[eax+24h], ebx
		jnz	short loc_7C4AF6
		mov	[eax+20h], ebx
		mov	ecx, [ecx]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

loc_7C4AF6:				; CODE XREF: sub_7C4ADD+Dj
		mov	esi, [ebp+24h]
		test	esi, esi
		jnz	loc_8F075A

locret_7C4B01:				; CODE XREF: sub_7C4ADD+12BC8Aj
		retn
sub_7C4ADD	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlNotifyFilterChangeDirectoryLite

loc_7C4B02:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+11Bj
					; FsRtlNotifyFilterChangeDirectoryLite+145j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
; END OF FUNCTION CHUNK	FOR FsRtlNotifyFilterChangeDirectoryLite

;  S U B	R O U T	I N E 


; __stdcall FsRtlIsNotifyOnList(x, x)
_FsRtlIsNotifyOnList@8 proc near	; CODE XREF: FsRtlNotifyFilterChangeDirectory+6Ap
					; FsRtlNotifyCleanup+36p ...
		mov	eax, [ecx]
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi

loc_7C4B10:				; CODE XREF: FsRtlIsNotifyOnList(x,x)+1Bj
		cmp	eax, ecx
		jz	short loc_7C4B1C
		cmp	[eax-0Ch], edi
		jnz	short loc_7C4B21
		lea	esi, [eax-10h]

loc_7C4B1C:				; CODE XREF: FsRtlIsNotifyOnList(x,x)+Aj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_7C4B21:				; CODE XREF: FsRtlIsNotifyOnList(x,x)+Fj
		mov	eax, [eax]
		jmp	short loc_7C4B10
_FsRtlIsNotifyOnList@8 endp

; 
		align 2

; __stdcall FsRtlNotifyCleanupOneEntry(x, x)
_FsRtlNotifyCleanupOneEntry@8:		; CODE XREF: FsRtlNotifyCleanup+44p
					; FsRtlNotifyCleanupAll(x,x)+41p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		or	word ptr [esi+24h], 4
		lea	eax, [esi+18h]
		cmp	[eax], eax
		jnz	short loc_7C4B78

loc_7C4B3B:				; CODE XREF: PAGE:007C4B82j
		lea	eax, [esi+10h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_7C4BA3
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_7C4BA3
		mov	[ecx], edx
		lea	eax, [esi+44h]
		mov	[edx+4], ecx
		lock dec dword ptr [eax]
		xor	ebx, ebx
		cmp	[eax], ebx
		jnz	short loc_7C4B74
		cmp	[esi+2Ch], ebx
		jnz	short loc_7C4B84

loc_7C4B62:				; CODE XREF: PAGE:007C4B98j
		test	byte ptr [esi+24h], 40h
		jz	short loc_7C4B9A

loc_7C4B68:				; CODE XREF: PAGE:007C4B9Dj
		mov	eax, [esi+0Ch]

loc_7C4B6B:				; CODE XREF: PAGE:007C4BA1j
		push	ebx
		push	esi
		mov	[edi], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C4B74:				; CODE XREF: PAGE:007C4B5Bj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7C4B78:				; CODE XREF: PAGE:007C4B39j
		mov	edx, 10Bh
		call	_FsRtlNotifyCompleteIrpList@8 ;	FsRtlNotifyCompleteIrpList(x,x)
		jmp	short loc_7C4B3B
; 

loc_7C4B84:				; CODE XREF: PAGE:007C4B60j
		push	dword ptr [esi+38h]
		push	dword ptr [esi+48h]
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)
		push	ebx
		push	dword ptr [esi+2Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7C4B62
; 

loc_7C4B9A:				; CODE XREF: PAGE:007C4B66j
		cmp	[esi+50h], ebx
		jnz	short loc_7C4B68
		mov	eax, ebx
		jmp	short loc_7C4B6B
; 

loc_7C4BA3:				; CODE XREF: PAGE:007C4B43j
					; PAGE:007C4B4Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 611. FsRtlNotifyInitializeSync

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNotifyInitializeSync(x)
		public _FsRtlNotifyInitializeSync@4
_FsRtlNotifyInitializeSync@4 proc near	; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+3Dp
					; FsRtlNotifyFilterChangeDirectoryLite+1CAp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		push	4E725346h
		push	28h
		push	210h
		mov	[edi], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		xor	eax, eax
		inc	eax
		push	ebx
		push	eax
		lea	ecx, [esi+0Ch]
		mov	[esi], eax
		push	ecx
		mov	[esi+4], ebx
		mov	[esi+8], ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[esi+20h], ebx
		mov	[esi+24h], ebx
		mov	[edi], esi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_FsRtlNotifyInitializeSync@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlNotifyUpdateBuffer	proc near	; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+571p

var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F076C SIZE 000000F1 BYTES

		push	0Ch
		push	offset dword_6A36B0
		call	__SEH_prolog4
		mov	edi, ecx
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], esi
		mov	[edi], esi
		mov	[edi+4], edx
		mov	eax, [ebp+arg_10]
		lea	ecx, [eax-0Ch]
		test	ecx, ecx
		jz	loc_8F076C
		mov	[edi+8], ecx
		mov	ebx, [ebp+arg_0]
		movzx	eax, word ptr [ebx]
		cmp	byte ptr [ebp+arg_C], 0
		jnz	loc_8F077A
		mov	[ebp+arg_C], esi
		mov	edx, eax
		mov	[ebp+arg_10], edx
		test	ax, ax
		jnz	loc_8F07EA

loc_7C4C40:				; CODE XREF: FsRtlNotifyUpdateBuffer+12BC17j
		lea	edx, [edi+0Ch]
		add	edx, esi
		test	ax, ax
		jnz	loc_8F0812
		mov	ecx, [ebp+arg_8]
		movzx	eax, word ptr [ecx]
		push	eax		; size_t
		push	dword ptr [ecx+4] ; void *
		push	edx		; void *

loc_7C4C59:				; CODE XREF: FsRtlNotifyUpdateBuffer+12BBEFj
		call	_memcpy
		add	esp, 0Ch

loc_7C4C61:				; CODE XREF: FsRtlNotifyUpdateBuffer+12BBCFj
					; FsRtlNotifyUpdateBuffer+12BC38j ...
		mov	al, 1

loc_7C4C63:				; CODE XREF: sub_8F0861+5j
		mov	[ebp+var_19], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C4C6D:				; CODE XREF: FsRtlNotifyUpdateBuffer+12BB7Fj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
FsRtlNotifyUpdateBuffer	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtOpenEvent	proc near		; DATA XREF: .text:00580F5Co

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	14h
		push	offset dword_6A36F0
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_24], bl
		test	bl, bl
		jz	short loc_7C4CBE
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_7C4D21

loc_7C4CB3:				; CODE XREF: NtOpenEvent+A3j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C4CBE:				; CODE XREF: NtOpenEvent+22j
		mov	esi, ds:_ExEventObjectType
		lea	eax, [ebp+var_1C]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	edi
		push	[ebp+arg_4]
		push	edi
		push	[ebp+var_24]
		push	esi
		push	[ebp+arg_8]
		call	ObOpenObjectByNameEx
		mov	[ebp+arg_4], eax
		test	eax, eax
		jns	short loc_7C4CFB

loc_7C4CE6:				; CODE XREF: NtOpenEvent+95j
					; NtOpenEvent+9Fj
		mov	eax, [ebp+arg_4]

loc_7C4CE9:				; CODE XREF: sub_8F0879+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7C4CFB:				; CODE XREF: NtOpenEvent+64j
		test	bl, bl
		jz	short loc_7C4D17
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_7C4D0E:				; CODE XREF: sub_8F088F+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_7C4CE6
; 

loc_7C4D17:				; CODE XREF: NtOpenEvent+7Dj
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	short loc_7C4CE6
; 

loc_7C4D21:				; CODE XREF: NtOpenEvent+31j
		mov	ecx, eax
		jmp	short loc_7C4CB3
NtOpenEvent	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 563. FsRtlIsEcpAcknowledged

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlIsEcpAcknowledged(x)
		public _FsRtlIsEcpAcknowledged@4
_FsRtlIsEcpAcknowledged@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax-10h]
		shr	eax, 3
		and	al, 1
		pop	ebp
		retn	4
_FsRtlIsEcpAcknowledged@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpInsertDirectoryEntry(x, x, x)
_ObpInsertDirectoryEntry@12 proc near	; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+12E2p
					; ObCreateObjectTypeEx+429p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	6944624Fh
		push	0Ch
		push	1
		mov	edi, edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7C4DA6
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, [ebp+arg_0]
		movzx	eax, word ptr [edx+10h]
		lea	ecx, [ebx+eax*4]
		mov	eax, [edx+0Ch]
		mov	[esi+8], eax
		mov	eax, [ecx]
		mov	[esi], eax
		mov	[ecx], esi
		mov	[esi+4], edi
		mov	[edx+8], ecx
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		lea	edx, [edi-18h]
		mov	al, 1
		movzx	ecx, byte ptr [edx+0Eh]
		and	ecx, 3
		movzx	ecx, _ObpInfoMaskToOffset[ecx]
		sub	edx, ecx
		mov	[edx], ebx

loc_7C4D9F:				; CODE XREF: ObpInsertDirectoryEntry(x,x,x)+6Aj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7C4DA6:				; CODE XREF: ObpInsertDirectoryEntry(x,x,x)+1Ej
		xor	al, al
		jmp	short loc_7C4D9F
_ObpInsertDirectoryEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtTestAlert()
_NtTestAlert@0	proc near		; DATA XREF: .text:00580C0Co

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_4], al
		push	[ebp+var_4]
		call	KeTestAlertThread
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 101h
		leave
		retn
_NtTestAlert@0	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpRpRehashIfNeeded proc near		; CODE XREF: PfpRpFileKeyUpdate+19Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F0897 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	edi
		mov	[ebp+var_C], edx
		mov	edi, ecx
		xor	ebx, ebx
		mov	[ebp+var_18], edi
		lea	edx, [ebp+var_4]
		mov	[ebp+var_4], ebx
		call	_PfpRpIsRehashNeeded@8 ; PfpRpIsRehashNeeded(x,x)
		test	eax, eax
		jnz	short loc_7C4E06

loc_7C4DF9:				; CODE XREF: PfpRpRehashIfNeeded+133j
		cmp	dword ptr [edi+4], 20h
		pop	edi
		sbb	eax, eax
		inc	eax
		pop	ebx
		leave
		retn	4
; 

loc_7C4E06:				; CODE XREF: PfpRpRehashIfNeeded+21j
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	[ebp+var_4], esi
		ja	loc_7C4F08
		mov	ecx, [ebp+var_C]
		lea	eax, [esi-1]
		mov	ecx, [ecx]
		mov	[ebp+arg_0], ecx
		test	eax, esi
		jnz	loc_7C4F0E

loc_7C4E26:				; CODE XREF: PfpRpRehashIfNeeded+14Cj
		mov	eax, 4000000h
		cmp	esi, eax
		ja	loc_8F0897

loc_7C4E33:				; CODE XREF: PfpRpRehashIfNeeded+12BAC3j
		mov	[ebp+var_8], ecx
		mov	edx, esi
		shl	edx, 2
		mov	eax, edi
		add	ecx, edx
		mov	[ebp+var_4], ebx
		or	eax, 1
		shr	edx, 2
		cmp	ecx, [ebp+arg_0]
		sbb	ecx, ecx
		not	ecx
		and	ecx, edx
		jbe	short loc_7C4E63
		mov	edx, [ebp+var_8]

loc_7C4E56:				; CODE XREF: PfpRpRehashIfNeeded+8Bj
		inc	[ebp+var_4]
		mov	[edx], eax
		lea	edx, [edx+4]
		cmp	[ebp+var_4], ecx
		jb	short loc_7C4E56

loc_7C4E63:				; CODE XREF: PfpRpRehashIfNeeded+7Bj
		mov	eax, [edi+4]
		or	edx, 0FFFFFFFFh
		mov	ecx, eax
		and	ecx, 1Fh
		shl	edx, cl
		mov	[ebp+var_10], edx
		test	eax, 0FFFFFFE0h
		jbe	short loc_7C4EEC

loc_7C4E7A:				; CODE XREF: PfpRpRehashIfNeeded+114j
		mov	edx, [edi+8]
		mov	edi, [ebp+var_10]
		mov	[ebp+var_14], edx

loc_7C4E83:				; CODE XREF: PfpRpRehashIfNeeded+106j
		mov	ecx, [edx+ebx*4]
		mov	[ebp+var_8], ecx
		test	ecx, 1
		jnz	short loc_7C4EDE
		mov	eax, [ecx]
		mov	[edx+ebx*4], eax
		mov	edx, [ecx+4]
		and	edx, edi
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_4], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		lea	edx, [esi-1]
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	ecx, 25h
		add	ecx, eax
		and	edx, ecx
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+edx*4]
		mov	ecx, [ebp+var_8]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_8]
		mov	[ecx+edx*4], eax
		mov	edx, [ebp+var_14]
		jmp	short loc_7C4E83
; 

loc_7C4EDE:				; CODE XREF: PfpRpRehashIfNeeded+B9j
		mov	edi, [ebp+var_18]
		inc	ebx
		mov	eax, [edi+4]
		shr	eax, 5
		cmp	ebx, eax
		jb	short loc_7C4E7A

loc_7C4EEC:				; CODE XREF: PfpRpRehashIfNeeded+A2j
		mov	ecx, [edi+8]
		mov	eax, [ebp+arg_0]
		mov	[edi+8], eax
		mov	eax, [edi+4]
		and	eax, 1Fh
		shl	esi, 5
		or	eax, esi
		mov	[edi+4], eax
		mov	eax, [ebp+var_C]
		mov	[eax], ecx

loc_7C4F08:				; CODE XREF: PfpRpRehashIfNeeded+37j
		pop	esi
		jmp	loc_7C4DF9
; 

loc_7C4F0E:				; CODE XREF: PfpRpRehashIfNeeded+4Aj
		or	ecx, 0FFFFFFFFh
		test	esi, esi
		jz	short loc_7C4F1A

loc_7C4F15:				; CODE XREF: PfpRpRehashIfNeeded+142j
		inc	ecx
		shr	esi, 1
		jnz	short loc_7C4F15

loc_7C4F1A:				; CODE XREF: PfpRpRehashIfNeeded+13Dj
		xor	esi, esi
		inc	esi
		shl	esi, cl
		mov	ecx, [ebp+arg_0]
		jmp	loc_7C4E26
PfpRpRehashIfNeeded endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 638. FsRtlQueryKernelEaFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlQueryKernelEaFile
FsRtlQueryKernelEaFile proc near	; CODE XREF: sub_A16A58+269p

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 008F089E SIZE 0000005A BYTES

		push	24h
		push	offset dword_6A3738
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	esi, ebx
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], ebx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		stosd
		push	ebx
		push	ebx
		lea	eax, [ebp+var_34]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[ebp+ms_exc.disabled], ebx
		mov	edi, [ebp+arg_0]
		test	dword ptr [edi+2Ch], 800h
		jnz	loc_8F089E
		push	edi
		call	IoGetRelatedDeviceObject
		mov	ecx, eax
		mov	[ebp+arg_0], ecx
		push	ebx
		movzx	eax, byte ptr [ecx+30h]
		push	eax
		push	ecx
		call	IoAllocateIrpEx
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		jz	loc_8F08A5
		lea	edx, [esi+60h]
		mov	ecx, [edx]
		mov	byte ptr [ecx-24h], 7
		mov	[ecx-0Ch], edi
		mov	eax, [ebp+arg_4]
		mov	[esi+3Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx-20h], eax
		mov	eax, [ebp+arg_10]
		mov	[ecx-1Ch], eax
		mov	eax, [ebp+arg_14]
		mov	[ecx-18h], eax
		mov	eax, [ebp+arg_18]
		test	eax, eax
		jnz	loc_8F08B2
		mov	[ecx-14h], ebx

loc_7C4FBF:				; CODE XREF: FsRtlQueryKernelEaFile+12B98Fj
		cmp	byte ptr [ebp+arg_1C], 0
		jz	short loc_7C4FC9
		or	byte ptr [ecx-22h], 1

loc_7C4FC9:				; CODE XREF: FsRtlQueryKernelEaFile+97j
		cmp	[ebp+arg_C], 0
		jnz	short loc_7C5049

loc_7C4FCF:				; CODE XREF: FsRtlQueryKernelEaFile+121j
		mov	eax, large fs:124h
		mov	esi, [ebp+var_24]
		mov	[esi+50h], eax
		mov	dword ptr [esi+8], 4
		mov	[esi+20h], bl
		mov	eax, [edx]
		mov	dword ptr [eax-8], offset _SmKmGenericCompletion@12 ; SmKmGenericCompletion(x,x,x)
		lea	ecx, [ebp+var_34]
		mov	[eax-4], ecx
		mov	[eax-21h], bl
		mov	byte ptr [eax-21h], 40h
		mov	byte ptr [eax-21h], 0C0h
		mov	byte ptr [eax-21h], 0E0h
		mov	edx, esi
		mov	ecx, [ebp+arg_0]
		call	IofCallDriver
		mov	[ebp+var_20], eax
		cmp	eax, 103h
		jz	loc_8F08C0

loc_7C501B:				; CODE XREF: FsRtlQueryKernelEaFile+12B9AEj
					; FsRtlQueryKernelEaFile+12B9C7j
		mov	edi, [esi+18h]
		mov	[ebp+var_20], edi
		mov	ecx, [esi+1Ch]
		mov	eax, [ebp+arg_20]
		mov	[eax], ecx

loc_7C5029:				; CODE XREF: FsRtlQueryKernelEaFile+12B981j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7C504F
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_7C5049:				; CODE XREF: FsRtlQueryKernelEaFile+A1j
		or	byte ptr [ecx-22h], 2
		jmp	short loc_7C4FCF
FsRtlQueryKernelEaFile endp


;  S U B	R O U T	I N E 


sub_7C504F	proc near		; CODE XREF: FsRtlQueryKernelEaFile+104p
					; sub_8F08F8+8j

; FUNCTION CHUNK AT 008F0905 SIZE 0000000D BYTES

		test	esi, esi
		jz	short locret_7C5064
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	loc_8F0905

loc_7C505E:				; CODE XREF: sub_7C504F+12B8BEj
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)

locret_7C5064:				; CODE XREF: sub_7C504F+2j
		retn
sub_7C504F	endp

; 
		align 2

; __stdcall NtRaiseHardError(x,	x, x, x, x, x)
_NtRaiseHardError@24:			; DATA XREF: .text:00580DC0o
		push	70h
		push	offset dword_6A3758
		call	__SEH_prolog4_GS
		mov	ecx, [ebp+14h]
		mov	ebx, [ebp+1Ch]
		and	dword ptr [ebp-74h], 0
		mov	esi, [ebp+0Ch]
		cmp	esi, 5
		ja	loc_7C522A
		test	ecx, ecx
		jz	short loc_7C5098
		test	esi, esi
		jz	loc_7C522A
		test	ecx, ecx
		jnz	short loc_7C50A0

loc_7C5098:				; CODE XREF: PAGE:007C508Aj
		test	esi, esi
		jnz	loc_7C522A

loc_7C50A0:				; CODE XREF: PAGE:007C5096j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	loc_7C5209
		cmp	dword ptr [ebp+18h], 8
		ja	loc_7C5202
		and	dword ptr [ebp-4], 0
		mov	edx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_7C50CF
		mov	edx, eax

loc_7C50CF:				; CODE XREF: PAGE:007C50CBj
		mov	eax, [edx]
		mov	[edx], eax
		test	ecx, ecx
		jz	loc_7C519F
		mov	edi, esi
		shl	edi, 2
		test	edi, edi
		jz	short loc_7C5101
		test	cl, 3
		jnz	loc_7C5241
		lea	eax, [edi+ecx]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_7C50FE
		cmp	eax, ecx
		jnb	short loc_7C5101

loc_7C50FE:				; CODE XREF: PAGE:007C50F8j
		mov	byte ptr [edx],	0

loc_7C5101:				; CODE XREF: PAGE:007C50E2j
					; PAGE:007C50FCj
		push	edi
		push	ecx
		lea	eax, [ebp-30h]
		push	eax
		call	_memcpy
		push	edi
		lea	eax, [ebp-30h]
		push	eax
		lea	eax, [ebp-44h]
		push	eax
		call	_memcpy
		add	esp, 18h
		cmp	dword ptr [ebp+10h], 0
		jz	short loc_7C519F
		xor	edx, edx

loc_7C5125:				; CODE XREF: PAGE:007C519Dj
		mov	[ebp-78h], edx
		cmp	edx, esi
		jnb	short loc_7C519F
		xor	eax, eax
		inc	eax
		mov	ecx, edx
		shl	eax, cl
		test	[ebp+10h], eax
		jz	short loc_7C519C
		mov	eax, edx
		shl	eax, 2
		mov	[ebp-7Ch], eax
		mov	edi, [ebp+eax-30h]
		mov	eax, edi
		test	al, 3
		jnz	loc_7C5241
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_7C515A
		mov	eax, ecx

loc_7C515A:				; CODE XREF: PAGE:007C5156j
		nop
		mov	al, [eax]
		mov	edx, [ebp-78h]
		mov	eax, [edi]
		mov	ecx, [edi+4]
		lea	edi, [ebp-6Ch]
		lea	edi, [edi+edx*8]
		mov	[edi], eax
		mov	[edi+4], ecx
		movzx	eax, word ptr [ebp+edx*8-6Ah]
		test	ax, ax
		jz	short loc_7C5195
		mov	ecx, [ebp+edx*8-68h]
		add	eax, ecx
		mov	[ebp-70h], eax
		mov	eax, ds:_MmUserProbeAddress
		cmp	[ebp-70h], eax
		ja	short loc_7C5192
		cmp	[ebp-70h], ecx
		jnb	short loc_7C5195

loc_7C5192:				; CODE XREF: PAGE:007C518Bj
		mov	byte ptr [eax],	0

loc_7C5195:				; CODE XREF: PAGE:007C5178j
					; PAGE:007C5190j
		mov	eax, [ebp-7Ch]
		mov	[ebp+eax-44h], edi

loc_7C519C:				; CODE XREF: PAGE:007C5136j
		inc	edx
		jmp	short loc_7C5125
; 

loc_7C519F:				; CODE XREF: PAGE:007C50D5j
					; PAGE:007C5121j ...
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		lea	eax, [ebp-74h]
		push	eax
		push	dword ptr [ebp+18h]
		lea	eax, [ebp-44h]
		push	eax
		lea	eax, [ebp-30h]
		push	eax
		push	dword ptr [ebp+10h]
		mov	edx, esi
		mov	ecx, [ebp+8]
		call	ExpRaiseHardError
		mov	[ebp-70h], eax
		mov	dword ptr [ebp-4], 1
		mov	eax, [ebp-74h]
		mov	[ebx], eax
		mov	[ebp-4], edi
		jmp	short loc_7C5225
; 

loc_7C51D5:				; DATA XREF: .text:006A3778o
		xor	eax, eax
		inc	eax
		retn
; 

loc_7C51D9:				; DATA XREF: .text:006A377Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7C5225
; 

loc_7C51E5:				; DATA XREF: .text:006A376Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-80h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7C51F3:				; DATA XREF: .text:006A3770o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-80h]
		jmp	short loc_7C522F
; 

loc_7C5202:				; CODE XREF: PAGE:007C50B8j
		mov	eax, 0C00000F2h
		jmp	short loc_7C522F
; 

loc_7C5209:				; CODE XREF: PAGE:007C50AEj
		lea	eax, [ebp-74h]
		push	eax
		push	dword ptr [ebp+18h]
		push	ecx
		push	dword ptr [ebp+10h]
		push	esi
		push	dword ptr [ebp+8]
		call	_ExRaiseHardError@24 ; ExRaiseHardError(x,x,x,x,x,x)
		mov	[ebp-70h], eax
		mov	eax, [ebp-74h]
		mov	[ebx], eax

loc_7C5225:				; CODE XREF: PAGE:007C51D3j
					; PAGE:007C51E3j
		mov	eax, [ebp-70h]
		jmp	short loc_7C522F
; 

loc_7C522A:				; CODE XREF: PAGE:007C5082j
					; PAGE:007C508Ej ...
		mov	eax, 0C00000F0h

loc_7C522F:				; CODE XREF: PAGE:007C5200j
					; PAGE:007C5207j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7C5241:				; CODE XREF: PAGE:007C50E7j
					; PAGE:007C5148j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpRaiseHardError proc near		; CODE XREF: PAGE:007C51BCp
					; ExRaiseHardError(x,x,x,x,x,x)+1CFp

var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_186		= byte ptr -186h
var_185		= byte ptr -185h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_16C		= dword	ptr -16Ch
var_164		= dword	ptr -164h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F0912 SIZE 000000D6 BYTES
; FUNCTION CHUNK AT 008F0A03 SIZE 0000001F BYTES

		push	19Ch
		push	offset dword_6A3780
		call	__SEH_prolog4_GS
		mov	[ebp+var_198], edx
		mov	edi, ecx
		mov	[ebp+var_1AC], edi
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_1A4], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_18C], eax
		mov	esi, [ebp+arg_10]
		mov	[ebp+var_1A8], esi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	[ebp+var_194], eax
		mov	ecx, large fs:124h
		mov	al, [ecx+15Ah]
		mov	[ebp+var_186], al
		mov	byte ptr [ebp+var_190],	al
		xor	ebx, ebx
		mov	[esi], ebx
		mov	edx, [ebp+var_198]
		cmp	edx, 4Ah
		ja	loc_8F0912
		mov	[ebp+var_185], bl
		cmp	[ebp+arg_C], 6
		jz	loc_8F091C
		mov	esi, [ebp+var_194]

loc_7C52CD:				; CODE XREF: ExpRaiseHardError+12B725j
		mov	ecx, large fs:124h
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+var_190], eax
		mov	ecx, [ecx+2FCh]
		and	ecx, 10h
		mov	[ebp+var_19C], ecx
		mov	ecx, 0C0000000h
		jnz	short loc_7C5322
		mov	eax, edi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_7C531C
		cmp	[esi+200h], ebx
		jz	loc_8F0972
		cmp	[ebp+var_185], bl
		jnz	loc_8F0972

loc_7C531C:				; CODE XREF: ExpRaiseHardError+BAj
		mov	eax, [ebp+var_190]

loc_7C5322:				; CODE XREF: ExpRaiseHardError+B2j
		cmp	eax, [esi+1F8h]
		jz	loc_8F0994
		mov	[ebp+var_18C], ebx
		mov	[ebp+var_185], bl
		cmp	[ebp+var_19C], ebx
		jnz	short loc_7C5379
		test	byte ptr [eax+1E0h], 1
		setz	dl
		bt	edi, 1Ch
		setnb	al
		test	dl, al
		jnz	short loc_7C5379
		mov	ecx, [ebp+var_190]
		call	_PsCaptureExceptionPort@4 ; PsCaptureExceptionPort(x)
		mov	esi, eax
		mov	[ebp+var_18C], esi
		test	esi, esi
		jz	loc_8F09C2
		mov	[ebp+var_185], 1

loc_7C5379:				; CODE XREF: ExpRaiseHardError+F8j
					; ExpRaiseHardError+10Dj ...
		cmp	[ebp+var_18C], ebx
		jnz	short loc_7C53A6

loc_7C5381:				; CODE XREF: ExpRaiseHardError+17Aj
					; ExpRaiseHardError+1A0j ...
		cmp	[ebp+var_18C], 0
		jnz	short loc_7C53F7

loc_7C538A:				; CODE XREF: ExpRaiseHardError+12B752j
					; ExpRaiseHardError+12B775j
		mov	eax, [ebp+var_1A8]
		mov	[eax], ebx

loc_7C5392:				; CODE XREF: ExpRaiseHardError+12B747j
		xor	eax, eax

loc_7C5394:				; CODE XREF: ExpRaiseHardError+287j
					; ExpRaiseHardError+12B6CFj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7C53A6:				; CODE XREF: ExpRaiseHardError+137j
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jnz	short loc_7C53BE
		cmp	byte ptr [eax+16Ah], 1
		jnz	short loc_7C53EF

loc_7C53BE:				; CODE XREF: ExpRaiseHardError+16Bj
		mov	eax, ebx

loc_7C53C0:				; CODE XREF: ExpRaiseHardError+1ADj
		test	eax, eax
		jz	short loc_7C5381
		mov	[ebp+var_1A0], ebx
		mov	[ebp+ms_exc.disabled], ebx
		test	byte ptr [eax+0F28h], 10h
		jnz	loc_8F09D9

loc_7C53DA:				; CODE XREF: ExpRaiseHardError+12B79Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C53E1:				; CODE XREF: sub_8F09EC+12j
		cmp	[ebp+var_1A0], 0
		jge	short loc_7C5381
		jmp	loc_8F0A03
; 

loc_7C53EF:				; CODE XREF: ExpRaiseHardError+174j
		mov	eax, [eax+0A8h]
		jmp	short loc_7C53C0
; 

loc_7C53F7:				; CODE XREF: ExpRaiseHardError+140j
		mov	[ebp+var_184], 500038h
		mov	[ebp+var_180], 9
		and	edi, 0EFFFFFFFh
		mov	[ebp+var_16C], edi
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_15C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_150], eax
		mov	eax, [ebp+var_198]
		mov	[ebp+var_154], eax
		cmp	[ebp+var_1A4], 0
		jz	short loc_7C5465
		mov	[ebp+ms_exc.disabled], 1
		shl	eax, 2
		push	eax		; size_t
		push	[ebp+var_1A4]	; void *
		lea	eax, [ebp+var_14C]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C5465:				; CODE XREF: ExpRaiseHardError+1F4j
					; sub_8F0A26+Cj
		lea	eax, [ebp+var_164]
		push	eax
		call	KeQuerySystemTime
		mov	[ebp+var_19C], 160h
		push	ebx
		lea	eax, [ebp+var_19C]
		push	eax
		lea	eax, [ebp+var_184]
		push	eax
		push	eax
		push	20000h
		mov	esi, [ebp+var_18C]
		push	esi
		call	_LpcSendWaitReceivePort@24 ; LpcSendWaitReceivePort(x,x,x,x,x,x)
		mov	edi, eax
		cmp	[ebp+var_185], 1
		jnz	short loc_7C54AE
		mov	ecx, esi
		call	ObfDereferenceObject

loc_7C54AE:				; CODE XREF: ExpRaiseHardError+25Dj
		test	edi, edi
		js	short loc_7C54CD
		push	0Ah
		pop	eax
		cmp	eax, [ebp+var_158]
		sbb	ecx, ecx
		not	ecx
		and	ecx, [ebp+var_158]
		mov	eax, [ebp+var_1A8]
		mov	[eax], ecx

loc_7C54CD:				; CODE XREF: ExpRaiseHardError+268j
		mov	eax, edi
		jmp	loc_7C5394
ExpRaiseHardError endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1355. LpcSendWaitReceivePort

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LpcSendWaitReceivePort(x, x, x, x, x, x)
		public _LpcSendWaitReceivePort@24
_LpcSendWaitReceivePort@24 proc	near	; CODE XREF: ExpRaiseHardError+24Fp
					; DbgkpSendApiMessageLpc+60p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		mov	ecx, [ebp+arg_0]
		or	edx, 2
		push	eax
		push	[ebp+arg_14]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		call	_AlpcpProcessSynchronousRequest@36 ; AlpcpProcessSynchronousRequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000703h
		jz	short loc_7C552D

loc_7C5518:				; CODE XREF: LpcSendWaitReceivePort(x,x,x,x,x,x)+58j
		cmp	esi, 0C0000701h
		jz	short loc_7C5534

loc_7C5520:				; CODE XREF: LpcSendWaitReceivePort(x,x,x,x,x,x)+5Fj
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, esi
		pop	esi
		pop	ecx
		pop	ebp
		retn	18h
; 

loc_7C552D:				; CODE XREF: LpcSendWaitReceivePort(x,x,x,x,x,x)+3Cj
		mov	esi, 0C0000037h
		jmp	short loc_7C5518
; 

loc_7C5534:				; CODE XREF: LpcSendWaitReceivePort(x,x,x,x,x,x)+44j
		mov	esi, 0C0000253h
		jmp	short loc_7C5520
_LpcSendWaitReceivePort@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExGetPoolTagInfo proc near		; CODE XREF: PAGE:0077F514p
					; EtwpPoolRunDown(x,x)+86p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F0A37 SIZE 0000000C BYTES
; FUNCTION CHUNK AT 008F0A69 SIZE 0000000A BYTES

		push	3Ch
		push	offset dword_6A37C8
		call	__SEH_prolog4
		mov	[ebp+var_30], edx
		mov	edi, ecx
		and	[ebp+var_24], 0
		lea	eax, [edi+4]
		mov	[ebp+var_28], eax
		mov	[ebp+var_20], 4
		and	[ebp+ms_exc.disabled], 0
		and	dword ptr [edi], 0
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, _PoolTrackTableSize
		mov	[ebp+var_2C], eax
		mov	ebx, _PoolTrackTableExpansionSize
		imul	ecx, eax, 30h
		imul	eax, ebx, 30h
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_8F0A69
		push	6F666E49h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_38], esi
		test	esi, esi
		jz	loc_8F0A69
		mov	[ebp+var_4C], esi
		mov	ecx, _PoolTrackTableSize
		mov	[ebp+var_48], ecx
		imul	ecx, 30h
		add	ecx, esi
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ebx
		lea	eax, [ebp+var_4C]
		push	eax
		push	offset ExpGetPoolTagInfoTarget
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		mov	ecx, esi
		mov	[ebp+var_1C], ecx
		mov	eax, [ebp+var_2C]
		add	eax, ebx
		imul	ebx, eax, 30h
		add	ebx, esi
		mov	[ebp+ms_exc.disabled], 1

loc_7C55E2:				; CODE XREF: ExGetPoolTagInfo+B9j
		cmp	ecx, ebx
		jnb	short loc_7C5665
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_7C55F7

loc_7C55EC:				; CODE XREF: ExGetPoolTagInfo+127j
		mov	ecx, [ebp+var_1C]

loc_7C55EF:				; CODE XREF: ExGetPoolTagInfo+11Ej
		add	ecx, 30h
		mov	[ebp+var_1C], ecx
		jmp	short loc_7C55E2
; 

loc_7C55F7:				; CODE XREF: ExGetPoolTagInfo+AEj
		inc	dword ptr [edi]
		mov	eax, [ebp+var_20]
		add	eax, 1Ch
		mov	[ebp+var_20], eax
		cmp	eax, 1Ch
		jb	loc_8F0A37
		mov	eax, [ebp+var_30]
		cmp	eax, [ebp+var_20]
		jb	short loc_7C565C
		mov	eax, [ebp+var_1C]
		mov	eax, [eax]
		mov	edx, [ebp+var_28]
		mov	[edx], eax
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+20h]
		mov	[edx+4], eax
		mov	eax, [ecx+28h]
		mov	[edx+8], eax
		mov	eax, [ecx+18h]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+8]
		mov	[edx+10h], eax
		mov	eax, [ecx+10h]
		mov	[edx+14h], eax
		mov	eax, [ecx+4]
		mov	[edx+18h], eax
		mov	eax, [edx+8]
		cmp	[edx+4], eax
		jb	short loc_7C5695

loc_7C564C:				; CODE XREF: ExGetPoolTagInfo+15Cj
		mov	eax, [edx+14h]
		cmp	[edx+10h], eax
		jb	short loc_7C569A

loc_7C5654:				; CODE XREF: ExGetPoolTagInfo+161j
		add	edx, 1Ch
		mov	[ebp+var_28], edx
		jmp	short loc_7C55EF
; 

loc_7C565C:				; CODE XREF: ExGetPoolTagInfo+D5j
		mov	[ebp+var_24], 0C0000004h
		jmp	short loc_7C55EC
; 

loc_7C5665:				; CODE XREF: ExGetPoolTagInfo+A8j
					; ExGetPoolTagInfo+12B502j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C566C:				; CODE XREF: sub_8F0A51+13j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_7C5680
		mov	eax, [ebp+var_20]
		mov	[ecx], eax

loc_7C5680:				; CODE XREF: ExGetPoolTagInfo+13Dj
		mov	eax, [ebp+var_24]

loc_7C5683:				; CODE XREF: ExGetPoolTagInfo+12B532j
					; sub_8F0A81+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7C5695:				; CODE XREF: ExGetPoolTagInfo+10Ej
		mov	[edx+4], eax
		jmp	short loc_7C564C
; 

loc_7C569A:				; CODE XREF: ExGetPoolTagInfo+116j
		mov	[edx+10h], eax
		jmp	short loc_7C5654
ExGetPoolTagInfo endp

; 
		align 10h

;  S U B	R O U T	I N E 


EtwpIsGuidAllowed proc near		; CODE XREF: EtwpAddRegEntryToGroup+341p
					; EtwpIsRegEntryAllowed+11F607p ...

; FUNCTION CHUNK AT 008F0A93 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	edx, edx
		lea	esi, [edi+1F0h]
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		movzx	eax, word ptr [edi+2D4h]
		test	ax, ax
		jnz	loc_8F0A93
		mov	bl, 1

loc_7C56CA:				; CODE XREF: EtwpIsGuidAllowed+12B412j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_7C56E5

loc_7C56D8:				; CODE XREF: EtwpIsGuidAllowed+4Cj
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_7C56E5:				; CODE XREF: EtwpIsGuidAllowed+36j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7C56D8
EtwpIsGuidAllowed endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpDispatchCloseMessage proc near	; CODE XREF: AlpcpSendCloseMessage(x)+E0p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F0AB7 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	edx, [ebp+var_8]
		xor	eax, eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], eax
		mov	ebx, [edi]
		mov	ecx, [edi+4]
		mov	[edi+10h], eax
		mov	[edi+0Ch], eax
		mov	[edi+14h], eax
		mov	esi, [ebx+8]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], ecx
		mov	ecx, ebx
		push	eax
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], esi
		call	AlpcpReferenceAndLockTargetPortsAndCommunicationInfo
		test	eax, eax
		js	loc_7C57E4
		mov	ebx, [ebp+var_8]
		test	dword ptr [ebx+98h], 20000h
		jz	loc_7C5817
		mov	ecx, [ebp+var_C]
		mov	eax, 0FFFFDFFFh
		mov	esi, [ebp+var_4]
		and	[ecx+84h], ax
		xor	eax, eax
		or	dword ptr [ecx+14h], 200h
		inc	eax
		lock xadd [esi+0E8h], eax
		inc	eax
		mov	edx, [ebp+var_18]
		mov	[ecx+18h], eax
		mov	eax, [esi+1Ch]
		mov	[ecx+40h], eax
		mov	eax, [ebp+var_10]
		mov	[ecx+64h], eax
		push	ecx
		mov	eax, [eax]
		mov	[ecx+68h], eax
		test	dword ptr [edx+98h], 1000h
		jnz	short loc_7C57E9
		call	_AlpcpSetOwnerPortMessage@12 ; AlpcpSetOwnerPortMessage(x,x,x)
		cmp	esi, ebx
		jz	short loc_7C57B8
		push	11h
		lea	ecx, [esi+0D0h]
		xor	edx, edx
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	loc_7C5833

loc_7C57B3:				; CODE XREF: AlpcpDispatchCloseMessage+150j
		call	KeAbPostRelease

loc_7C57B8:				; CODE XREF: AlpcpDispatchCloseMessage+ABj
					; AlpcpDispatchCloseMessage+106j
		cmp	_AlpcpLogEnabled, 0
		jnz	loc_8F0AB7

loc_7C57C5:				; CODE XREF: AlpcpDispatchCloseMessage+12B3D1j
		mov	eax, [ebp+var_10]
		mov	ecx, edi
		mov	[edi+10h], ebx
		mov	[edi+8], eax
		call	AlpcpCompleteDispatchMessage
		cmp	byte ptr [ebp+var_14], 0
		jnz	short loc_7C57F6

loc_7C57DB:				; CODE XREF: AlpcpDispatchCloseMessage+10Aj
					; AlpcpDispatchCloseMessage+127j
		mov	ecx, esi
		call	ObfDereferenceObject
		xor	eax, eax

loc_7C57E4:				; CODE XREF: AlpcpDispatchCloseMessage+42j
					; AlpcpDispatchCloseMessage+13Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7C57E9:				; CODE XREF: AlpcpDispatchCloseMessage+A2j
		mov	edx, esi
		call	_AlpcpSetOwnerPortMessage@12 ; AlpcpSetOwnerPortMessage(x,x,x)
		mov	byte ptr [ebp+var_14], 1
		jmp	short loc_7C57B8
; 

loc_7C57F6:				; CODE XREF: AlpcpDispatchCloseMessage+EBj
		cmp	esi, ebx
		jz	short loc_7C57DB
		push	11h
		lea	edi, [esi+0D0h]
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_7C582A

loc_7C580E:				; CODE XREF: AlpcpDispatchCloseMessage+143j
		mov	ecx, edi
		call	KeAbPostRelease
		jmp	short loc_7C57DB
; 

loc_7C5817:				; CODE XREF: AlpcpDispatchCloseMessage+55j
		push	[ebp+var_4]
		mov	edx, ebx
		mov	ecx, esi
		call	@AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo@12 ; AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x,x,x)
		mov	eax, 0C0000707h
		jmp	short loc_7C57E4
; 

loc_7C582A:				; CODE XREF: AlpcpDispatchCloseMessage+11Ej
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7C580E
; 

loc_7C5833:				; CODE XREF: AlpcpDispatchCloseMessage+BFj
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	ecx, [esi+0D0h]
		jmp	loc_7C57B3
AlpcpDispatchCloseMessage endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpReferenceAndLockTargetPortsAndCommunicationInfo proc near
					; CODE XREF: AlpcpDispatchCloseMessage+3Bp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F0AC4 SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ecx+8]
		push	esi
		mov	esi, [ecx+0F4h]
		mov	[ebp+var_4], edx
		xor	edx, edx
		shr	esi, 1
		lea	ecx, [ebx-4]
		push	edi
		and	esi, 3
		call	ExAcquirePushLockSharedEx
		sub	esi, 1
		jz	loc_7C5939
		sub	esi, 1
		jnz	short loc_7C58EE
		mov	esi, [ebx]
		mov	edi, [ebx+4]

loc_7C587B:				; CODE XREF: AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+AFj
		test	esi, esi
		jz	short loc_7C588F
		mov	ecx, esi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	esi, eax

loc_7C588F:				; CODE XREF: AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+39j
		test	edi, edi
		jz	short loc_7C58A3
		mov	ecx, edi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_7C58A3:				; CODE XREF: AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+4Dj
		test	esi, esi
		jz	short loc_7C5906
		test	edi, edi
		jz	short loc_7C5906
		lea	ecx, [esi+0D0h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		cmp	edi, esi
		jz	short loc_7C58C9
		lea	ecx, [edi+0D0h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx

loc_7C58C9:				; CODE XREF: AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+76j
		test	byte ptr [esi+0F4h], 20h
		jnz	short loc_7C58F5
		test	byte ptr [edi+0F4h], 20h
		jnz	short loc_7C58F5
		mov	eax, [ebp+var_4]
		mov	[eax], esi
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		xor	eax, eax

loc_7C58E7:				; CODE XREF: AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+C0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7C58EE:				; CODE XREF: AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+30j
		mov	esi, [ebx+8]

loc_7C58F1:				; CODE XREF: AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+F7j
		mov	edi, esi
		jmp	short loc_7C587B
; 

loc_7C58F5:				; CODE XREF: AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+8Cj
					; AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+95j
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	@AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo@12 ; AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x,x,x)

loc_7C58FF:				; CODE XREF: AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+EEj
					; AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+12B287j
		mov	eax, 0C0000037h
		jmp	short loc_7C58E7
; 

loc_7C5906:				; CODE XREF: AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+61j
					; AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+65j
		push	11h
		add	ebx, 0FFFFFFFCh
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_7C591E
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7C591E:				; CODE XREF: AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+D1j
		mov	ecx, ebx
		call	KeAbPostRelease
		test	esi, esi
		jz	short loc_7C5930
		mov	ecx, esi
		call	ObfDereferenceObject

loc_7C5930:				; CODE XREF: AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+E3j
		test	edi, edi
		jz	short loc_7C58FF
		jmp	loc_8F0AC4
; 

loc_7C5939:				; CODE XREF: AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+27j
		mov	esi, [ebx]
		jmp	short loc_7C58F1
AlpcpReferenceAndLockTargetPortsAndCommunicationInfo endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x, x, x)
@AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo@12 proc near
					; CODE XREF: AlpcpDispatchCloseMessage+130p
					; AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+B6p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	11h
		mov	ebx, edx
		lea	edi, [ecx-4]
		xor	esi, esi
		pop	eax
		lock cmpxchg [edi], esi
		cmp	eax, 11h
		jnz	short loc_7C59BD

loc_7C5959:				; CODE XREF: AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x,x,x)+86j
		mov	ecx, edi
		call	KeAbPostRelease
		push	11h
		lea	esi, [ebx+0D0h]
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_7C59B4

loc_7C5974:				; CODE XREF: AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x,x,x)+7Dj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, [ebp+arg_0]
		cmp	esi, ebx
		jnz	short loc_7C5997

loc_7C5982:				; CODE XREF: AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x,x,x)+74j
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	ecx, esi
		call	ObfDereferenceObject
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7C5997:				; CODE XREF: AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x,x,x)+42j
		push	11h
		lea	edi, [esi+0D0h]
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_7C59C6

loc_7C59AB:				; CODE XREF: AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x,x,x)+8Fj
		mov	ecx, edi
		call	KeAbPostRelease
		jmp	short loc_7C5982
; 

loc_7C59B4:				; CODE XREF: AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x,x,x)+34j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7C5974
; 

loc_7C59BD:				; CODE XREF: AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x,x,x)+19j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7C5959
; 

loc_7C59C6:				; CODE XREF: AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x,x,x)+6Bj
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7C59AB
@AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PfSnNameRemoveAll(x)
_PfSnNameRemoveAll@4 proc near		; CODE XREF: PfFileInfoNotify+5AAp
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx

loc_7C59D9:				; CODE XREF: PfSnNameRemoveAll(x)+24j
		call	PfSnActiveTraceGetNext
		mov	esi, eax
		test	esi, esi
		jz	short loc_7C59F6
		mov	edx, [edi+8]
		mov	ecx, esi
		call	_PfSnNameRemove@8 ; PfSnNameRemove(x,x)
		test	eax, eax
		jnz	short loc_7C59FA

loc_7C59F2:				; CODE XREF: PfSnNameRemoveAll(x)+33j
		mov	ecx, esi
		jmp	short loc_7C59D9
; 

loc_7C59F6:				; CODE XREF: PfSnNameRemoveAll(x)+12j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_7C59FA:				; CODE XREF: PfSnNameRemoveAll(x)+20j
		mov	edx, esi
		mov	ecx, edi
		call	_PfSnLogStreamDelete@8 ; PfSnLogStreamDelete(x,x)
		jmp	short loc_7C59F2
_PfSnNameRemoveAll@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnLogStreamDelete(x, x)
_PfSnLogStreamDelete@8 proc near	; CODE XREF: PfSnNameRemoveAll(x)+2Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		push	eax
		mov	edi, edx
		mov	ebx, ecx
		push	5
		pop	edx
		mov	ecx, edi
		call	PfSnTraceGetLogEntry
		mov	esi, eax
		test	esi, esi
		js	short loc_7C5A6C
		mov	ecx, [ebp+var_4]
		and	dword ptr [ecx], 0
		and	dword ptr [ecx+4], 0
		mov	dword ptr [ecx], 25h
		mov	eax, [ebx+8]
		mov	[ecx+4], eax
		add	ecx, 0Fh
		and	ecx, 0FFFFFFF8h
		mov	dword ptr [ecx], 143h
		mov	eax, [ebx+18h]
		mov	[ecx+4], eax
		mov	eax, [ebx+1Ch]
		and	dword ptr [ecx+10h], 0FFFFFFFCh
		xor	esi, esi
		mov	[ecx+8], eax
		mov	eax, [ebx+8]
		mov	[ecx+14h], eax

loc_7C5A65:				; CODE XREF: PfSnLogStreamDelete(x,x)+6Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7C5A6C:				; CODE XREF: PfSnLogStreamDelete(x,x)+23j
		mov	ecx, edi
		call	_PfSnFailProcessTrace@4	; PfSnFailProcessTrace(x)
		jmp	short loc_7C5A65
_PfSnLogStreamDelete@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 626. FsRtlOplockIsSharedRequest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlOplockIsSharedRequest(x)
		public _FsRtlOplockIsSharedRequest@4
_FsRtlOplockIsSharedRequest@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+60h]
		mov	eax, [eax+0Ch]
		cmp	eax, 90240h
		jnz	short loc_7C5A9E
		mov	eax, [ecx+0Ch]
		test	byte ptr [eax+4], 4
		jnz	short loc_7C5AA5

loc_7C5A98:				; CODE XREF: FsRtlOplockIsSharedRequest(x)+29j
		mov	al, 1

loc_7C5A9A:				; CODE XREF: FsRtlOplockIsSharedRequest(x)+2Dj
		pop	ebp
		retn	4
; 

loc_7C5A9E:				; CODE XREF: FsRtlOplockIsSharedRequest(x)+13j
		cmp	eax, 90004h
		jz	short loc_7C5A98

loc_7C5AA5:				; CODE XREF: FsRtlOplockIsSharedRequest(x)+1Cj
		xor	al, al
		jmp	short loc_7C5A9A
_FsRtlOplockIsSharedRequest@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAlpcCreateSectionView(x, x, x)
_NtAlpcCreateSectionView@12 proc near	; DATA XREF: .text:00581230o

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	28h
		push	offset dword_6A37F0
		call	__SEH_prolog4
		xor	eax, eax
		lea	edi, [ebp+var_38]
		stosd
		stosd
		stosd
		stosd
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		cmp	[ebp+arg_4], ecx
		jnz	loc_7C5C59
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4+3],	al
		test	al, al
		jz	short loc_7C5B44
		mov	[ebp+ms_exc.disabled], ecx
		mov	ebx, [ebp+arg_8]
		test	bl, 3
		jnz	loc_7C5C7E
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_7C5B08
		mov	[eax], cl

loc_7C5B08:				; CODE XREF: NtAlpcCreateSectionView(x,x,x)+5Aj
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+0Ch]
		mov	[ebx+0Ch], al
		mov	esi, ebx
		lea	edi, [ebp+var_38]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_7C5B50
; 

loc_7C5B24:				; DATA XREF: .text:006A3804o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7C5B32:				; DATA XREF: .text:006A3808o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_24]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7C5C5E
; 

loc_7C5B44:				; CODE XREF: NtAlpcCreateSectionView(x,x,x)+42j
		mov	ebx, [ebp+arg_8]
		mov	esi, ebx
		lea	edi, [ebp+var_38]
		movsd
		movsd
		movsd
		movsd

loc_7C5B50:				; CODE XREF: NtAlpcCreateSectionView(x,x,x)+78j
		cmp	[ebp+var_38], 0
		jnz	loc_7C5C59
		cmp	[ebp+var_2C], 0
		jz	loc_7C5C59
		cmp	[ebp+var_30], 0
		jnz	loc_7C5C59
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_8], al
		mov	eax, ds:_AlpcPortObjectType
		mov	[ebp+var_20], ecx
		push	ecx
		lea	ecx, [ebp+var_20]
		push	ecx
		push	[ebp+arg_8]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7C5C5E
		push	offset _AlpcSectionType
		mov	eax, [ebp+var_20]
		mov	ecx, [eax+8]
		add	ecx, 14h
		mov	edx, [ebp+var_34]
		call	AlpcReferenceBlobByHandle
		mov	[ebp+arg_8], eax
		test	eax, eax
		jnz	short loc_7C5BC9
		mov	esi, 0C0000008h
		jmp	loc_7C5C4F
; 

loc_7C5BC9:				; CODE XREF: NtAlpcCreateSectionView(x,x,x)+113j
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_2C]
		push	0
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+arg_8]
		call	_AlpcpCreateSectionView@20 ; AlpcpCreateSectionView(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7C5C44
		cmp	byte ptr [ebp+arg_4+3],	0
		jz	short loc_7C5C2A
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+14h]
		mov	[ebx+8], eax
		mov	eax, [ecx+18h]
		mov	[ebx+0Ch], eax
		jmp	short loc_7C5C15
; 

loc_7C5C01:				; DATA XREF: .text:006A3810o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7C5C0F:				; DATA XREF: .text:006A3814o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_28]

loc_7C5C15:				; CODE XREF: NtAlpcCreateSectionView(x,x,x)+155j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		jns	short loc_7C5C39
		mov	ecx, [ebp+var_1C]
		call	_AlpcpDeleteView@4 ; AlpcpDeleteView(x)
		jmp	short loc_7C5C39
; 

loc_7C5C2A:				; CODE XREF: NtAlpcCreateSectionView(x,x,x)+13Dj
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+14h]
		mov	[ebx+8], eax
		mov	eax, [ecx+18h]
		mov	[ebx+0Ch], eax

loc_7C5C39:				; CODE XREF: NtAlpcCreateSectionView(x,x,x)+174j
					; NtAlpcCreateSectionView(x,x,x)+17Ej
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+var_1C]
		call	AlpcpDereferenceBlobEx

loc_7C5C44:				; CODE XREF: NtAlpcCreateSectionView(x,x,x)+137j
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+arg_8]
		call	AlpcpDereferenceBlobEx

loc_7C5C4F:				; CODE XREF: NtAlpcCreateSectionView(x,x,x)+11Aj
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject
		jmp	short loc_7C5C5E
; 

loc_7C5C59:				; CODE XREF: NtAlpcCreateSectionView(x,x,x)+2Bj
					; NtAlpcCreateSectionView(x,x,x)+AAj ...
		mov	esi, 0C000000Dh

loc_7C5C5E:				; CODE XREF: NtAlpcCreateSectionView(x,x,x)+95j
					; NtAlpcCreateSectionView(x,x,x)+F2j ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7C5C7E:				; CODE XREF: NtAlpcCreateSectionView(x,x,x)+4Dj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
_NtAlpcCreateSectionView@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpExpandPathInfo(x)
_CmpExpandPathInfo@4 proc near		; CODE XREF: CmpComputeComponentHashes+227p
					; CmpComputeComponentHashes+270p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, large fs:20h
		push	esi
		mov	[ebp+var_4], ecx
		push	edi
		mov	esi, [ebx+5E0h]
		mov	ecx, esi
		inc	dword ptr [esi+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7C5CCB

loc_7C5CAD:				; CODE XREF: CmpExpandPathInfo(x)+5Ej
					; CmpExpandPathInfo(x)+73j
		push	120h		; size_t
		xor	esi, esi
		push	esi		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	[eax+60h], edi

loc_7C5CC4:				; CODE XREF: CmpExpandPathInfo(x)+7Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7C5CCB:				; CODE XREF: CmpExpandPathInfo(x)+27j
		inc	dword ptr [esi+10h]
		mov	esi, [ebx+5E4h]
		mov	ecx, esi
		inc	dword ptr [esi+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_7C5CAD
		push	dword ptr [esi+20h]
		inc	dword ptr [esi+10h]
		push	dword ptr [esi+24h]
		push	dword ptr [esi+1Ch]
		call	dword ptr [esi+28h]
		mov	edi, eax
		test	edi, edi
		jnz	short loc_7C5CAD
		mov	esi, 0C000009Ah
		jmp	short loc_7C5CC4
_CmpExpandPathInfo@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpRecordParseWalkResult(x,	x)
_CmpRecordParseWalkResult@8 proc near	; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+B63p
		test	ecx, ecx
		jz	short locret_7C5D16
		inc	byte ptr [ecx+91h]
		mov	[ecx+88h], edx
		mov	[ecx+8Ch], edx

locret_7C5D16:				; CODE XREF: CmpRecordParseWalkResult(x,x)+2j
		retn
_CmpRecordParseWalkResult@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpQueryKeyName	proc near		; DATA XREF: CmpCreateObjectTypes()+9Co

var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	10h
		push	offset dword_6A3818
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		push	ecx
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	CmpDoQueryKeyName

loc_7C5D3A:				; CODE XREF: sub_8F0AD0+15j
		mov	[ebp+var_20], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
CmpQueryKeyName	endp

; 
		retn
; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQueryEvent	proc near		; DATA XREF: .text:00580E88o

var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F0AEA SIZE 0000001B BYTES
; FUNCTION CHUNK AT 008F0B25 SIZE 00000008 BYTES
; FUNCTION CHUNK AT 008F0B39 SIZE 0000001B BYTES

		push	10h
		push	offset dword_6A3858
		call	__SEH_prolog4
		xor	edi, edi
		mov	ebx, edi
		cmp	[ebp+arg_4], ebx
		jnz	loc_8F0AEA
		cmp	[ebp+arg_C], 8
		jnz	loc_8F0AF4
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4+3],	al
		mov	byte ptr [ebp+var_20], al
		test	al, al
		jz	loc_8F0B25
		mov	[ebp+ms_exc.disabled], edi
		push	4
		push	8
		push	[ebp+arg_8]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jz	short loc_7C5DBE
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8F0AFE

loc_7C5DBA:				; CODE XREF: NtQueryEvent+12ADA8j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_7C5DBE:				; CODE XREF: NtQueryEvent+51j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C5DC5:				; CODE XREF: NtQueryEvent+12ADD0j
		mov	eax, ds:_ExEventObjectType
		mov	[ebp+arg_C], edi
		push	edi
		lea	ecx, [ebp+arg_C]
		push	ecx
		push	[ebp+var_20]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+arg_10], eax
		test	eax, eax
		js	short loc_7C5DF3
		mov	ecx, [ebp+arg_C]
		mov	ebx, [ecx+4]
		movzx	edi, byte ptr [ecx]
		and	edi, 7Fh

loc_7C5DF3:				; CODE XREF: NtQueryEvent+8Dj
		cmp	[ebp+arg_10], 0
		jl	short loc_7C5E23
		cmp	byte ptr [ebp+arg_4+3],	0
		jz	loc_8F0B39
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		mov	[eax+4], ebx
		test	esi, esi
		jz	short loc_7C5E1C
		mov	dword ptr [esi], 8

loc_7C5E1C:				; CODE XREF: NtQueryEvent+BCj
					; sub_8F0B31+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C5E23:				; CODE XREF: NtQueryEvent+9Fj
					; NtQueryEvent+12ADEBj	...
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_7C5E2F
		call	ObfDereferenceObject

loc_7C5E2F:				; CODE XREF: NtQueryEvent+D0j
		mov	eax, [ebp+arg_10]

loc_7C5E32:				; CODE XREF: NtQueryEvent+12AD97j
					; NtQueryEvent+12ADA1j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
NtQueryEvent	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceImageRundown(x, x,	x, x, x, x, x)
_EtwpTraceImageRundown@28 proc near	; CODE XREF: EtwpEnumerateAddressSpace+2A3p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= byte ptr -58h
var_57		= byte ptr -57h
var_56		= word ptr -56h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_40], 0
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, ecx
		test	eax, eax
		jz	loc_7C5F15
		movzx	edx, word ptr [eax]
		test	dx, dx
		jz	loc_7C5F15
		mov	esi, [eax+4]
		test	esi, esi
		jz	loc_7C5F15
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_64], eax
		and	[ebp+var_5C], 0
		mov	eax, [ecx+4]
		mov	[ebp+var_6C], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_68], eax
		mov	eax, [ecx+14h]
		mov	[ebp+var_60], eax
		mov	al, [ebp+arg_C]
		mov	[ebp+var_58], al
		mov	al, [ebp+arg_10]
		mov	[ebp+var_57], al
		mov	eax, [ecx+8]
		xor	ecx, ecx
		mov	[ebp+var_54], eax
		xor	eax, eax
		push	offset byte_401803
		mov	[ebp+var_56], ax
		lea	eax, [ebp+var_6C]
		push	ebx
		push	3
		push	dword ptr [edi]
		mov	[ebp+var_3C], eax
		mov	eax, edx
		mov	edx, [edi+2E4h]
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		lea	ecx, [ebp+var_3C]
		mov	[ebp+var_34], 2Ch
		mov	[ebp+var_2C], esi
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], offset _EtwpNull
		mov	[ebp+var_14], 2
		call	EtwpLogKernelEvent

loc_7C5F15:				; CODE XREF: EtwpTraceImageRundown(x,x,x,x,x,x,x)+22j
					; EtwpTraceImageRundown(x,x,x,x,x,x,x)+2Ej ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_EtwpTraceImageRundown@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetCallbackObjectContext proc near	; CODE XREF: CmpCallCallBacksEx+609p
					; CmpCallCallBacksEx+61Ap ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F0B54 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, edx
		test	ecx, ecx
		jz	short loc_7C5F46
		cmp	dword ptr [ecx], 6B793032h
		jnz	short loc_7C5F46
		lea	esi, [ecx+28h]
		cmp	[esi], esi
		jnz	short loc_7C5F4D

loc_7C5F46:				; CODE XREF: CmpGetCallbackObjectContext+Fj
					; CmpGetCallbackObjectContext+17j
		xor	eax, eax

loc_7C5F48:				; CODE XREF: CmpGetCallbackObjectContext+83j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7C5F4D:				; CODE XREF: CmpGetCallbackObjectContext+1Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_7C5F8F
		mov	ecx, [ebx]
		mov	edx, [ebx+4]
		mov	[ebp+var_4], ecx

loc_7C5F75:				; CODE XREF: CmpGetCallbackObjectContext+12AC45j
		mov	ebx, [eax+10h]
		mov	ecx, [eax+14h]
		cmp	ebx, [ebp+var_4]
		jnz	loc_8F0B54
		cmp	ecx, edx
		jnz	loc_8F0B54
		mov	edi, [eax+20h]

loc_7C5F8F:				; CODE XREF: CmpGetCallbackObjectContext+45j
					; CmpGetCallbackObjectContext+12AC30j ...
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		jmp	short loc_7C5F48
CmpGetCallbackObjectContext endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckForUserStackOverflow proc near	; CODE XREF: .text:004680AEp
					; .text:005B2737p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008F0B76 SIZE 000000F8 BYTES
; FUNCTION CHUNK AT 008F0C93 SIZE 0000000A BYTES

		push	38h
		push	offset dword_6A3880
		call	__SEH_prolog4
		mov	esi, edx
		mov	edx, ecx
		mov	[ebp+var_34], edx
		xor	ecx, ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_3C], ecx
		mov	edi, large fs:124h
		mov	[ebp+var_38], edi
		mov	bl, [edi+304h]
		test	bl, bl
		js	loc_8F0C93
		and	bl, 3
		neg	bl
		sbb	bl, bl
		inc	bl
		mov	al, [edi+305h]
		shr	al, 6
		not	al
		and	bl, al
		test	bl, 1
		jz	loc_8F0C93
		cmp	byte ptr [edi+16Ah], 1
		jz	loc_8F0C93
		test	esi, esi
		jnz	loc_8F0C29
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		mov	ebx, ecx
		mov	edi, ecx
		test	ds:_MiFlags, 2000000h
		jnz	loc_8F0B76

loc_7C602D:				; CODE XREF: MiCheckForUserStackOverflow+12ABDFj
					; MiCheckForUserStackOverflow+12ABF4j ...
		mov	esi, 113h

loc_7C6032:				; CODE XREF: MiCheckForUserStackOverflow+12AC5Bj
					; MiCheckForUserStackOverflow+12AC64j
		test	edi, edi
		jnz	loc_8F0C1D

loc_7C603A:				; CODE XREF: MiCheckForUserStackOverflow+12AC78j
		test	ebx, ebx
		jnz	loc_7C6152
		mov	edx, [ebp+var_34]
		mov	edi, [ebp+var_38]

loc_7C6048:				; CODE XREF: MiCheckForUserStackOverflow+12AC82j
		mov	ecx, [edi+0A8h]
		mov	[ebp+var_34], ecx
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ecx+4]
		mov	[ebp+var_38], eax
		mov	[ebp+var_40], eax
		mov	eax, [ecx+0E0Ch]
		mov	[ebp+var_44], eax
		mov	ecx, [ecx+0F78h]
		mov	[ebp+var_1C], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		and	eax, 0FFFFF000h
		add	ecx, 0FFFh
		and	ecx, 0FFFFF000h
		mov	[ebp+var_1C], ecx
		mov	ebx, ecx
		jnz	loc_7C6142

loc_7C6093:				; CODE XREF: MiCheckForUserStackOverflow+1A1j
		cmp	ebx, 2000h
		jnb	short loc_7C60A5
		mov	ebx, 2000h
		mov	ecx, ebx
		mov	[ebp+var_1C], ecx

loc_7C60A5:				; CODE XREF: MiCheckForUserStackOverflow+EDj
		cmp	edx, [ebp+var_38]
		jnb	loc_8F0C93
		cmp	edx, eax
		jb	loc_8F0C93
		and	edx, 0FFFFF000h
		sub	edx, ebx
		mov	[ebp+var_20], edx
		cmp	edx, eax
		jbe	loc_8F0C33
		mov	eax, [edi+80h]
		mov	eax, [eax+17Ch]
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [eax+68h]
		mov	[ebp+var_48], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	eax, 10000h
		jnz	short loc_7C6157
		push	104h
		push	1000h
		lea	eax, [ebp+var_1C]
		push	eax
		push	0
		lea	eax, [ebp+var_20]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]

loc_7C6111:				; CODE XREF: MiCheckForUserStackOverflow+1B0j
		test	eax, eax
		js	loc_8F0C3A
		lea	eax, [ecx+edx]

loc_7C611C:				; CODE XREF: MiCheckForUserStackOverflow+12ACBDj
		mov	[ebp+ms_exc.disabled], 2
		mov	ecx, [ebp+var_34]
		mov	[ecx+8], eax

loc_7C6129:				; CODE XREF: sub_8F0C72+8j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi

loc_7C6132:				; CODE XREF: MiCheckForUserStackOverflow+1A9j
					; MiCheckForUserStackOverflow+12ACECj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7C6142:				; CODE XREF: MiCheckForUserStackOverflow+E1j
		lea	ebx, [ecx+1000h]
		mov	ecx, ebx
		mov	[ebp+var_1C], ecx
		jmp	loc_7C6093
; 

loc_7C6152:				; CODE XREF: MiCheckForUserStackOverflow+90j
		mov	eax, [ebp+var_28]
		jmp	short loc_7C6132
; 

loc_7C6157:				; CODE XREF: MiCheckForUserStackOverflow+142j
		mov	eax, 0C000012Dh
		jmp	short loc_7C6111
MiCheckForUserStackOverflow endp


;  S U B	R O U T	I N E 


; __stdcall ObpDeleteDirectoryEntry(x)
_ObpDeleteDirectoryEntry@4 proc	near	; CODE XREF: ObpDeleteNameCheck+183p
					; ObpInsertOrLocateNamedObject+450p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, [ecx]
		mov	ecx, [ecx+8]
		mov	esi, [ecx]
		mov	eax, [esi]
		mov	[ecx], eax
		mov	edx, [esi+4]
		and	dword ptr [esi], 0
		sub	edx, 18h
		movzx	eax, byte ptr [edx+0Eh]
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	edx, eax
		and	dword ptr [edx], 0
		mov	ecx, [esi+4]
		call	ObfDereferenceObject
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, edi
		call	ObfDereferenceObject
		pop	edi
		mov	al, 1
		pop	esi
		retn
_ObpDeleteDirectoryEntry@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1540. NtOpenProcessToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtOpenProcessToken(x, x, x)
		public _NtOpenProcessToken@12
_NtOpenProcessToken@12 proc near	; DATA XREF: .text:00580F24o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	NtOpenProcessTokenEx
		pop	ebp
		retn	0Ch
_NtOpenProcessToken@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopParseFile(x, x, x, x, x,	x, x, x, x, x, x)
_IopParseFile@44 proc near		; DATA XREF: IoCreateObjectTypes+279o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	edi
		cmp	ebx, ds:_IoFileObjectType
		jnz	short loc_7C6222
		mov	edi, [ebp+arg_1C]
		test	edi, edi
		jz	short loc_7C6222
		cmp	word ptr [edi],	8
		jnz	short loc_7C6222
		mov	eax, 90h
		cmp	[edi+2], ax
		jnz	short loc_7C6222
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi
		call	IoGetRelatedDeviceObject
		push	[ebp+arg_28]
		mov	[edi+14h], esi
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	edi
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ebx
		push	eax
		call	_IopParseDevice@44 ; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)
		pop	esi

loc_7C621C:				; CODE XREF: IopParseFile(x,x,x,x,x,x,x,x,x,x,x)+63j
		pop	edi
		pop	ebx
		pop	ebp
		retn	2Ch
; 

loc_7C6222:				; CODE XREF: IopParseFile(x,x,x,x,x,x,x,x,x,x,x)+10j
					; IopParseFile(x,x,x,x,x,x,x,x,x,x,x)+17j ...
		mov	eax, 0C0000024h
		jmp	short loc_7C621C
_IopParseFile@44 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCheckTopDeviceHint proc near		; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+80Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F0C9D SIZE 000000A9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte ptr [ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	ebx, [edi]
		jnz	short loc_7C6272
		mov	eax, [ebx+2Ch]
		cmp	eax, 8
		jnz	short loc_7C6268

loc_7C6246:				; CODE XREF: IopCheckTopDeviceHint+41j
					; IopCheckTopDeviceHint+12AA76j ...
		mov	edx, [esi+6Ch]
		mov	ecx, ebx
		push	1
		call	IopVerifyDeviceObjectOnStack
		test	al, al
		jz	loc_8F0CCF
		mov	eax, [esi+6Ch]
		mov	[edi], eax
		xor	eax, eax

loc_7C6261:				; CODE XREF: IopCheckTopDeviceHint+4Dj
					; IopCheckTopDeviceHint+12AADDj ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7C6268:				; CODE XREF: IopCheckTopDeviceHint+1Aj
		cmp	eax, 14h
		jz	short loc_7C6246
		jmp	loc_8F0C9D
; 

loc_7C6272:				; CODE XREF: IopCheckTopDeviceHint+12j
					; IopCheckTopDeviceHint+12AA9Aj
		mov	eax, 0C000000Dh
		jmp	short loc_7C6261
IopCheckTopDeviceHint endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpAdjustCreatorAccessState proc near	; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+5F6p
					; ObpGrantAccess+14503Fp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F0D46 SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[ebp+var_20], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_1C], edx
		stosd
		mov	esi, ecx
		stosd
		stosd
		stosd
		stosd
		lea	edi, [esi+10h]
		mov	eax, [edi]
		test	eax, 2000000h
		jnz	short loc_7C631A

loc_7C62B0:				; CODE XREF: ObpAdjustCreatorAccessState+ACj
		test	eax, 0F0000000h
		jnz	short loc_7C6328

loc_7C62B7:				; CODE XREF: ObpAdjustCreatorAccessState+C1j
		xor	ecx, ecx
		lea	ebx, [esi+1Ch]
		inc	ecx
		test	eax, 1000000h
		jnz	loc_8F0D46

loc_7C62C8:				; CODE XREF: ObpAdjustCreatorAccessState+12AB25j
		or	[esi+14h], eax
		mov	eax, [ebp+arg_0]
		and	dword ptr [edi], 0
		mov	ecx, [ebp+var_20]
		add	ecx, 0FFFFFFE8h
		mov	eax, [eax+44h]
		or	eax, 1000000h
		and	[esi+14h], eax
		call	ObpReferenceSecurityDescriptor
		mov	edi, eax
		mov	edx, esi
		push	edi
		push	dword ptr [esi+14h]
		mov	ecx, ebx
		call	_SeComputeCreatorDeniedRights@16 ; SeComputeCreatorDeniedRights(x,x,x,x)
		not	eax
		and	[esi+14h], eax
		test	edi, edi
		jz	short loc_7C6307
		push	1
		push	edi
		call	ObDereferenceSecurityDescriptor

loc_7C6307:				; CODE XREF: ObpAdjustCreatorAccessState+83j
		xor	eax, eax

loc_7C6309:				; CODE XREF: ObpAdjustCreatorAccessState+12AB09j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_7C631A:				; CODE XREF: ObpAdjustCreatorAccessState+34j
		and	eax, 0FDFFFFFFh
		or	eax, 10000000h
		mov	[edi], eax
		jmp	short loc_7C62B0
; 

loc_7C6328:				; CODE XREF: ObpAdjustCreatorAccessState+3Bj
		mov	eax, [ebp+arg_0]
		add	eax, 34h
		push	eax
		push	edi
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	eax, [esi+10h]
		mov	edx, [ebp+var_1C]
		jmp	loc_7C62B7
ObpAdjustCreatorAccessState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspIoMiniPacketCallbackRoutine(x, x)
_PspIoMiniPacketCallbackRoutine@8 proc near ; DATA XREF: NtAllocateReserveObject+9Eo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	dword ptr [ecx], 0
		call	ObfDereferenceObject
		pop	ebp
		retn	8
_PspIoMiniPacketCallbackRoutine@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCaptureDirectAttribute proc near	; CODE XREF: AlpcpCompleteDispatchMessage+D53p

var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	10h
		push	offset dword_6A38B8
		call	__SEH_prolog4
		mov	edx, [ebp+arg_4]
		and	edx, 10010h
		neg	edx
		sbb	dl, dl
		inc	dl
		bt	[ebp+arg_8], 1Dh
		setb	al
		and	dl, al
		movzx	edx, dl
		neg	edx
		sbb	edx, edx
		and	edx, 3FFFFFF3h
		add	edx, 0C000000Dh
		js	short loc_7C63E0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_7C63F4
		xor	edx, edx
		mov	[ebp+ms_exc.disabled], edx
		mov	ecx, [ecx]
		mov	[ebp+var_20], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ds:_ExEventObjectType
		mov	[ebp+arg_4], edx
		push	edx
		lea	edx, [ebp+arg_4]
		push	edx
		push	1
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_7C63E0
		mov	eax, [ebp+arg_4]
		or	eax, 2

loc_7C63D7:				; CODE XREF: AlpcpCaptureDirectAttribute+9Ej
		or	eax, 1
		mov	ecx, [ebp+arg_0]
		mov	[ecx+1Ch], eax

loc_7C63E0:				; CODE XREF: AlpcpCaptureDirectAttribute+38j
					; AlpcpCaptureDirectAttribute+77j ...
		mov	eax, edx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7C63F4:				; CODE XREF: AlpcpCaptureDirectAttribute+48j
		mov	eax, [ecx]
		jmp	short loc_7C63D7
AlpcpCaptureDirectAttribute endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMOpenClassKey proc near		; CODE XREF: PiCMHandleIoctl+F9p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F0DC4 SIZE 000000C5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		push	9
		xor	eax, eax
		lea	edi, [ebp+var_38]
		mov	esi, ecx
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_C]
		xor	edi, edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_4], edi
		mov	[eax], edi
		mov	eax, large fs:124h
		mov	[ebp+var_8], edi
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_C], al
		lea	eax, [ebp+var_38]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureRegistryInputData
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7C6526
		cmp	[ebp+var_34], edi
		jnz	loc_8F0DCD
		cmp	[ebp+var_1C], edi
		jnz	loc_8F0DCD
		cmp	[ebp+arg_0], edi
		jz	loc_8F0DCD
		cmp	[ebp+arg_4], 10h
		jb	loc_8F0DCD
		mov	ebx, [ebp+var_30]
		cmp	ebx, 2
		jnz	loc_8F0DC4

loc_7C6478:				; CODE XREF: PiCMOpenClassKey+12A9CFj
		cmp	[ebp+var_2C], edi
		jz	loc_8F0E53
		push	[ebp+var_2C]
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7C64EE
		push	edi
		lea	eax, [ebp+var_14]
		push	eax
		push	eax
		call	RtlUpcaseUnicodeString
		mov	esi, eax
		test	esi, esi
		js	short loc_7C64EE
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_4]
		mov	edx, [ebp+var_2C]
		push	edi
		push	eax
		push	edi
		mov	edi, [ebp+var_24]
		push	edi
		cmp	ebx, 3
		jz	loc_8F0DD7
		xor	ebx, ebx
		push	ebx
		push	20h
		call	_CmOpenCommonClassRegKey
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_8F0E26

loc_7C64D8:				; CODE XREF: PiCMOpenClassKey+12A9F1j
					; PiCMOpenClassKey+12AA76j
		test	esi, esi
		js	short loc_7C64EE
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_C]
		push	edi
		call	_PiCMDuplicateRegistryHandle@20	; PiCMDuplicateRegistryHandle(x,x,x,x,x)
		mov	esi, eax

loc_7C64EE:				; CODE XREF: PiCMOpenClassKey+99j
					; PiCMOpenClassKey+AAj	...
		push	[ebp+arg_C]
		mov	edi, [ebp+var_8]
		mov	ecx, esi
		push	[ebp+arg_4]
		mov	edx, edi
		push	[ebp+arg_0]
		push	[ebp+var_18]
		call	PiCMReturnHandleResultData
		cmp	[ebp+var_4], 0
		mov	ebx, eax
		jz	short loc_7C6516
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_7C6516:				; CODE XREF: PiCMOpenClassKey+114j
		test	ebx, ebx
		js	loc_8F0E73
		test	esi, esi
		js	loc_8F0E73

loc_7C6526:				; CODE XREF: PiCMOpenClassKey+49j
					; PiCMOpenClassKey+12AA7Dj ...
		lea	ecx, [ebp+var_38]
		call	_PiCMReleaseObjectInputData@8 ;	PiCMReleaseObjectInputData(x,x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
PiCMOpenClassKey endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMOpenDeviceKey proc near		; CODE XREF: PiCMHandleIoctl+78p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F0E89 SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	ebx, [ebp+arg_C]
		xor	eax, eax
		push	esi
		push	edi
		push	9
		mov	esi, ecx
		mov	[ebx], eax
		pop	ecx
		lea	edi, [ebp+var_30]
		mov	[ebp+var_8], eax
		rep stosd
		mov	[ebp+arg_C], eax
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_C], al
		lea	eax, [ebp+var_30]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureRegistryInputData
		mov	edi, eax
		test	edi, edi
		js	loc_7C662A
		cmp	[ebp+var_24], 0
		jz	loc_8F0EC4
		cmp	[ebp+var_28], 1
		jnz	loc_8F0EC4
		cmp	[ebp+arg_0], 0
		jz	loc_8F0EC4
		cmp	[ebp+arg_4], 10h
		jb	loc_8F0EC4
		mov	ecx, [ebp+var_2C]
		lea	edx, [ebp+var_4]
		call	PiCMConvertDeviceKeyType
		mov	esi, eax
		test	esi, esi
		js	short loc_7C65FC
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+arg_C]
		mov	ecx, _PiPnpRtlCtx
		xor	edi, edi
		push	edi
		push	eax
		push	edi
		push	[ebp+var_1C]
		push	[ebp+var_14]
		push	[ebp+var_4]
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_7C6652

loc_7C65E4:				; CODE XREF: PiCMOpenDeviceKey+12A987j
		test	esi, esi
		js	short loc_7C65FC
		mov	ecx, [ebp+arg_C]
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_C]
		push	[ebp+var_1C]
		call	_PiCMDuplicateRegistryHandle@20	; PiCMDuplicateRegistryHandle(x,x,x,x,x)
		mov	esi, eax

loc_7C65FC:				; CODE XREF: PiCMOpenDeviceKey+81j
					; PiCMOpenDeviceKey+AEj ...
		push	ebx
		push	[ebp+arg_4]
		mov	ebx, [ebp+var_8]
		mov	ecx, esi
		push	[ebp+arg_0]
		mov	edx, ebx
		push	[ebp+var_10]
		call	PiCMReturnHandleResultData
		cmp	[ebp+arg_C], 0
		mov	edi, eax
		jz	short loc_7C6622
		push	[ebp+arg_C]
		call	_ZwClose@4	; ZwClose(x)

loc_7C6622:				; CODE XREF: PiCMOpenDeviceKey+E0j
		test	edi, edi
		js	short loc_7C665D
		test	esi, esi
		js	short loc_7C665D

loc_7C662A:				; CODE XREF: PiCMOpenDeviceKey+44j
					; PiCMOpenDeviceKey+127j ...
		cmp	[ebp+var_24], 0
		jz	short loc_7C6649
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_7C6649
		push	0
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C6649:				; CODE XREF: PiCMOpenDeviceKey+F6j
					; PiCMOpenDeviceKey+105j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7C6652:				; CODE XREF: PiCMOpenDeviceKey+AAj
		cmp	[ebp+var_18], 1
		jnz	short loc_7C65FC
		jmp	loc_8F0E89
; 

loc_7C665D:				; CODE XREF: PiCMOpenDeviceKey+ECj
					; PiCMOpenDeviceKey+F0j
		test	ebx, ebx
		jz	short loc_7C662A
		jmp	loc_8F0ECE
PiCMOpenDeviceKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMOpenObjectKey proc near		; CODE XREF: PiCMHandleIoctl+69p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F0EDC SIZE 0000007B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		push	9
		pop	ebx
		xor	eax, eax
		lea	edi, [ebp+var_30]
		mov	esi, ecx
		mov	ecx, ebx
		rep stosd
		mov	eax, [ebp+arg_C]
		xor	edi, edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edi
		mov	[eax], edi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_C], al
		lea	eax, [ebp+var_30]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureRegistryInputData
		mov	esi, eax
		test	esi, esi
		js	loc_7C6791
		cmp	[ebp+var_24], edi
		jz	loc_8F0F37
		cmp	[ebp+var_2C], edi
		jnz	loc_8F0F37
		cmp	[ebp+var_14], edi
		jnz	loc_8F0F37
		cmp	[ebp+arg_0], edi
		jz	loc_8F0F37
		cmp	[ebp+arg_4], 10h
		jb	loc_8F0F37
		mov	eax, [ebp+var_28]
		push	6
		pop	ecx
		cmp	eax, ecx
		jle	loc_7C67A2
		sub	eax, 10001h
		jz	loc_7C67BA
		sub	eax, 1
		jnz	loc_7C67CC
		push	8

loc_7C6703:				; CODE XREF: PiCMOpenObjectKey+156j
					; PiCMOpenObjectKey+17Fj ...
		pop	ebx

loc_7C6704:				; CODE XREF: PiCMOpenObjectKey+169j
		mov	edi, _PiDrvDbCtx
		neg	edi
		sbb	edi, edi
		and	edi, ebx

loc_7C6710:				; CODE XREF: PiCMOpenObjectKey+177j
					; PiCMOpenObjectKey+12A879j
		test	edi, edi
		jz	loc_8F0F37
		cmp	edi, ecx
		jbe	loc_8F0EF0

loc_7C6720:				; CODE XREF: PiCMOpenObjectKey+14Fj
					; PiCMOpenObjectKey+1A2j ...
		test	esi, esi
		js	short loc_7C6761
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	ecx
		push	[ebp+var_1C]
		mov	ecx, _PiPnpRtlCtx
		push	edi
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_7C67C1

loc_7C6749:				; CODE XREF: PiCMOpenObjectKey+12A8CCj
		test	esi, esi
		js	short loc_7C6761
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_C]
		push	[ebp+var_1C]
		call	_PiCMDuplicateRegistryHandle@20	; PiCMDuplicateRegistryHandle(x,x,x,x,x)
		mov	esi, eax

loc_7C6761:				; CODE XREF: PiCMOpenObjectKey+BCj
					; PiCMOpenObjectKey+E5j ...
		push	[ebp+arg_C]
		mov	edi, [ebp+var_8]
		mov	ecx, esi
		push	[ebp+arg_4]
		mov	edx, edi
		push	[ebp+arg_0]
		push	[ebp+var_10]
		call	PiCMReturnHandleResultData
		cmp	[ebp+var_4], 0
		mov	esi, eax
		jz	short loc_7C6789
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_7C6789:				; CODE XREF: PiCMOpenObjectKey+119j
		test	esi, esi
		js	loc_8F0F41

loc_7C6791:				; CODE XREF: PiCMOpenObjectKey+45j
					; PiCMOpenObjectKey+12A8DDj ...
		lea	ecx, [ebp+var_30]
		call	_PiCMReleaseObjectInputData@8 ;	PiCMReleaseObjectInputData(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7C67A2:				; CODE XREF: PiCMOpenObjectKey+81j
		jz	loc_8F0EEC
		sub	eax, 1
		jnz	short loc_7C67EA
		xor	edi, edi
		inc	edi

loc_7C67B0:				; CODE XREF: PiCMOpenObjectKey+12A89Dj
		mov	esi, 0C00000BBh
		jmp	loc_7C6720
; 

loc_7C67BA:				; CODE XREF: PiCMOpenObjectKey+8Cj
		push	7
		jmp	loc_7C6703
; 

loc_7C67C1:				; CODE XREF: PiCMOpenObjectKey+E1j
		cmp	[ebp+var_18], 1
		jnz	short loc_7C6761
		jmp	loc_8F0F08
; 

loc_7C67CC:				; CODE XREF: PiCMOpenObjectKey+95j
		sub	eax, 1
		jz	loc_7C6704
		sub	eax, 1
		jz	short loc_7C6811
		sub	eax, 1
		jnz	loc_7C6710
		push	0Bh
		jmp	loc_7C6703
; 

loc_7C67EA:				; CODE XREF: PiCMOpenObjectKey+145j
		sub	eax, 1
		jz	short loc_7C680D
		sub	eax, 1
		jz	short loc_7C6805
		sub	eax, 1
		jnz	loc_8F0EDC
		push	3

loc_7C67FF:				; CODE XREF: PiCMOpenObjectKey+12A881j
		pop	edi
		jmp	loc_8F0EF9
; 

loc_7C6805:				; CODE XREF: PiCMOpenObjectKey+18Cj
		push	4

loc_7C6807:				; CODE XREF: PiCMOpenObjectKey+1A9j
		pop	edi
		jmp	loc_7C6720
; 

loc_7C680D:				; CODE XREF: PiCMOpenObjectKey+187j
		push	2
		jmp	short loc_7C6807
; 

loc_7C6811:				; CODE XREF: PiCMOpenObjectKey+172j
		push	0Ah
		jmp	loc_7C6703
PiCMOpenObjectKey endp


;  S U B	R O U T	I N E 


; __stdcall PiCMReleaseObjectInputData(x, x)
_PiCMReleaseObjectInputData@8 proc near	; CODE XREF: PiCMOpenClassKey+131p
					; PiCMOpenObjectKey+12Ep ...
		mov	ecx, [ecx+0Ch]
		test	ecx, ecx
		jz	short loc_7C6836
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_7C6836
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C6836:				; CODE XREF: PiCMReleaseObjectInputData(x,x)+5j
					; PiCMReleaseObjectInputData(x,x)+14j
		xor	eax, eax
		retn
_PiCMReleaseObjectInputData@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMReturnHandleResultData proc	near	; CODE XREF: PiCMOpenClassKey+109p
					; PiCMOpenDeviceKey+D5p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	14h
		push	offset dword_6A38D8
		call	__SEH_prolog4
		mov	[ebp+var_1C], ecx
		xor	edi, edi
		mov	eax, [ebp+arg_C]
		mov	[eax], edi
		push	10h
		pop	ebx
		cmp	[ebp+arg_8], ebx
		jb	short loc_7C68AF
		cmp	[ebp+arg_0], ebx
		jnz	short loc_7C68AF
		mov	eax, edx
		cdq
		mov	[ebp+arg_0], eax
		mov	[ebp+var_20], edx
		mov	[ebp+ms_exc.disabled], edi
		push	4
		push	[ebp+arg_8]
		mov	esi, [ebp+arg_4]
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[esi], ebx
		mov	eax, [ebp+var_1C]
		mov	[esi+4], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+8], eax
		mov	eax, [ebp+var_20]
		mov	[esi+0Ch], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C6892:				; CODE XREF: sub_8F0F65+10j
		test	edi, edi
		js	short loc_7C689B
		mov	ecx, [ebp+arg_C]
		mov	[ecx], ebx

loc_7C689B:				; CODE XREF: PiCMReturnHandleResultData+5Aj
					; PiCMReturnHandleResultData+7Aj
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7C68AF:				; CODE XREF: PiCMReturnHandleResultData+1Cj
					; PiCMReturnHandleResultData+21j
		mov	edi, 0C000000Dh
		jmp	short loc_7C689B
PiCMReturnHandleResultData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMCaptureRegistryInputData proc near	; CODE XREF: PiCMOpenClassKey+40p
					; PiCMOpenDeviceKey+3Bp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F0F7A SIZE 0000000F BYTES
; FUNCTION CHUNK AT 008F0F9D SIZE 0000005F BYTES

		push	18h
		push	offset dword_6A38F8
		call	__SEH_prolog4
		mov	esi, edx
		mov	edx, ecx
		and	[ebp+var_20], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		test	edx, edx
		jz	loc_8F0FEF
		test	esi, esi
		jz	loc_8F0FEF
		and	[ebp+ms_exc.disabled], ebx
		test	dl, 3
		jnz	loc_7C69A6
		lea	ecx, [edx+esi]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	loc_8F0F7A
		cmp	ecx, edx
		jb	loc_8F0F7A

loc_7C6912:				; CODE XREF: PiCMCaptureRegistryInputData+12A6C7j
		cmp	esi, 24h
		jb	loc_8F0F82
		push	9
		pop	ecx
		mov	esi, edx
		mov	eax, [ebp+arg_4]
		mov	edi, eax
		rep movsd
		cmp	dword ptr [eax], 24h
		jnz	loc_8F0F82

loc_7C6930:				; CODE XREF: PiCMCaptureRegistryInputData+12A6EAj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+arg_4]
		test	ebx, ebx
		js	loc_8F0FC6
		lea	edi, [esi+0Ch]
		mov	eax, [edi]
		and	dword ptr [edi], 0
		test	eax, eax
		jz	loc_8F0FA9
		mov	ecx, [esi+10h]
		cmp	ecx, 2
		jb	loc_8F0FA5
		push	1
		push	[ebp+var_24]
		push	2
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	PiControlMakeUserModeCallersCopy
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7C69AB
		mov	[ebp+var_20], 1
		mov	edx, [esi+10h]
		shr	edx, 1
		mov	ecx, [edi]
		xor	eax, eax
		mov	[ecx+edx*2-2], ax

loc_7C698A:				; CODE XREF: PiCMCaptureRegistryInputData+FCj
					; PiCMCaptureRegistryInputData+12A6FBj	...
		test	ebx, ebx
		js	loc_8F0FC6

loc_7C6992:				; CODE XREF: PiCMCaptureRegistryInputData+12A734j
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7C69A6:				; CODE XREF: PiCMCaptureRegistryInputData+3Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7C69AB:				; CODE XREF: PiCMCaptureRegistryInputData+BDj
		and	dword ptr [edi], 0
		and	dword ptr [esi+10h], 0
		jmp	short loc_7C698A
PiCMCaptureRegistryInputData endp


;  S U B	R O U T	I N E 


; __stdcall _PnpCtxRegCloseKey(x, x)
__PnpCtxRegCloseKey@8 proc near		; CODE XREF: PipUpdateDeviceProducts+1D8p
					; PipUpdateDeviceProducts+309p	...
		mov	edi, edi
		push	edx
		call	_ZwClose@4	; ZwClose(x)
		retn
__PnpCtxRegCloseKey@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMDuplicateRegistryHandle(x, x, x, x, x)
_PiCMDuplicateRegistryHandle@20	proc near ; CODE XREF: PiCMOpenClassKey+EFp
					; PiCMOpenDeviceKey+BDp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_CmKeyObjectType
		lea	edx, [ebp+var_4]
		push	ebx
		push	edi
		xor	ebx, ebx
		push	ebx
		push	edx
		push	ebx
		push	eax
		push	ebx
		push	ecx
		mov	[ebp+var_4], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7C6A03
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	ds:_CmKeyObjectType
		push	[ebp+arg_0]
		push	ebx
		push	440h
		push	[ebp+var_4]
		call	ObOpenObjectByPointer
		mov	edi, eax

loc_7C6A03:				; CODE XREF: PiCMDuplicateRegistryHandle(x,x,x,x,x)+24j
		cmp	[ebp+var_4], ebx
		jz	short loc_7C6A10
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject

loc_7C6A10:				; CODE XREF: PiCMDuplicateRegistryHandle(x,x,x,x,x)+48j
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn	0Ch
_PiCMDuplicateRegistryHandle@20	endp


;  S U B	R O U T	I N E 


PiCMConvertDeviceKeyType proc near	; CODE XREF: PiCMOpenDeviceKey+78p
					; PiCMDeleteDeviceKey(x,x,x,x,x,x)+9Ep

; FUNCTION CHUNK AT 008F0FFC SIZE 00000037 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	esi, esi
		push	11h
		movzx	eax, bl
		pop	ecx
		mov	[edx], esi
		sub	eax, ecx
		jnz	short loc_7C6A49
		mov	[edx], ecx
		mov	eax, 111h
		mov	ecx, 211h

loc_7C6A38:				; CODE XREF: PiCMConvertDeviceKeyType+54j
					; PiCMConvertDeviceKeyType+66j	...
		and	ebx, 0FF00h
		jnz	loc_8F1011

loc_7C6A44:				; CODE XREF: PiCMConvertDeviceKeyType+6Dj
					; PiCMConvertDeviceKeyType+12A60Fj ...
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_7C6A49:				; CODE XREF: PiCMConvertDeviceKeyType+12j
		sub	eax, 1
		jz	short loc_7C6A6E
		sub	eax, 1
		jz	loc_8F0FFC
		sub	eax, 1
		jnz	short loc_7C6A80
		mov	dword ptr [edx], 14h
		mov	ecx, 214h
		mov	eax, 114h
		jmp	short loc_7C6A38
; 

loc_7C6A6E:				; CODE XREF: PiCMConvertDeviceKeyType+34j
		mov	dword ptr [edx], 12h
		mov	ecx, 212h
		mov	eax, 112h
		jmp	short loc_7C6A38
; 

loc_7C6A80:				; CODE XREF: PiCMConvertDeviceKeyType+42j
					; PiCMConvertDeviceKeyType+12A607j
		mov	esi, 0C000000Dh
		jmp	short loc_7C6A44
PiCMConvertDeviceKeyType endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepQueryClaimAttributesToken proc near
					; CODE XREF: SeQueryInformationToken(x,x,x)+B6Ep
					; SeQueryInformationToken(x,x,x)+BE1p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F1033 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		xor	ecx, ecx
		mov	[ebx], ecx
		mov	[ebp+var_4], ecx
		cmp	[edi], ecx
		jnz	loc_8F1033
		push	0Ch
		pop	esi
		cmp	[ebp+arg_0], esi
		jb	short loc_7C6AC9
		xor	eax, eax
		mov	edi, edx
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		mov	[edx], ax
		mov	eax, ecx

loc_7C6AC0:				; CODE XREF: AuthzBasepQueryClaimAttributesToken+46j
					; AuthzBasepQueryClaimAttributesToken+12A5F4j
		mov	[ebx], esi

loc_7C6AC2:				; CODE XREF: AuthzBasepQueryClaimAttributesToken+12A5B7j
					; AuthzBasepQueryClaimAttributesToken+12A5C9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7C6AC9:				; CODE XREF: AuthzBasepQueryClaimAttributesToken+27j
					; AuthzBasepQueryClaimAttributesToken+12A5D1j
		mov	eax, 0C0000023h
		jmp	short loc_7C6AC0
AuthzBasepQueryClaimAttributesToken endp


;  S U B	R O U T	I N E 


; __stdcall IopGetModeInformation(x)
_IopGetModeInformation@4 proc near	; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+609p
					; NtQueryInformationFile(x,x,x,x,x)+771p
		mov	ecx, [ecx+2Ch]
		mov	eax, ecx
		shr	eax, 3
		and	eax, 2
		test	cl, 20h
		jnz	short loc_7C6AFB

loc_7C6AE0:				; CODE XREF: IopGetModeInformation(x)+2Ej
		test	cl, 8
		jnz	short loc_7C6B00

loc_7C6AE5:				; CODE XREF: IopGetModeInformation(x)+33j
		test	cl, 2
		jz	short loc_7C6AF2
		test	cl, 4
		jnz	short loc_7C6B05
		or	eax, 20h

loc_7C6AF2:				; CODE XREF: IopGetModeInformation(x)+18j
					; IopGetModeInformation(x)+38j
		test	ecx, 10000h
		jnz	short loc_7C6B0A
		retn
; 

loc_7C6AFB:				; CODE XREF: IopGetModeInformation(x)+Ej
		or	eax, 4
		jmp	short loc_7C6AE0
; 

loc_7C6B00:				; CODE XREF: IopGetModeInformation(x)+13j
		or	eax, 8
		jmp	short loc_7C6AE5
; 

loc_7C6B05:				; CODE XREF: IopGetModeInformation(x)+1Dj
		or	eax, 10h
		jmp	short loc_7C6AF2
; 

loc_7C6B0A:				; CODE XREF: IopGetModeInformation(x)+28j
		or	eax, 1000h
		retn
_IopGetModeInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateIoCompletion proc near		; DATA XREF: .text:00581160o

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F1081 SIZE 00000007 BYTES

		push	18h
		push	offset dword_6A3938
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_20], ecx
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_28], bl
		test	bl, bl
		jz	short loc_7C6B57
		mov	[ebp+ms_exc.disabled], ecx
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8F1081

loc_7C6B4A:				; CODE XREF: NtCreateIoCompletion+12A573j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ecx, ecx

loc_7C6B57:				; CODE XREF: NtCreateIoCompletion+25j
		mov	edx, ds:_IoCompletionObjectType
		push	ecx
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		push	ecx
		push	30h
		push	ecx
		push	[ebp+var_28]
		push	[ebp+arg_8]
		mov	cl, bl
		call	ObCreateObjectEx
		mov	[ebp+arg_8], eax
		test	eax, eax
		js	short loc_7C6BC3
		push	[ebp+arg_C]
		mov	esi, [ebp+var_20]
		push	esi
		call	_KeInitializeQueue@8 ; KeInitializeQueue(x,x)
		xor	ecx, ecx
		mov	[esi+28h], ecx
		mov	[esi+2Ch], cl
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+arg_4]
		xor	edx, edx
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	[ebp+arg_8], eax
		test	eax, eax
		js	short loc_7C6BC3
		test	bl, bl
		jz	short loc_7C6BD8
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_7C6BBC:				; CODE XREF: sub_8F10B0+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C6BC3:				; CODE XREF: NtCreateIoCompletion+69j
					; NtCreateIoCompletion+97j ...
		mov	eax, [ebp+arg_8]

loc_7C6BC6:				; CODE XREF: sub_8F1098+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7C6BD8:				; CODE XREF: NtCreateIoCompletion+9Bj
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	short loc_7C6BC3
NtCreateIoCompletion endp

; 
		align 8
; Exported entry 1960. RtlAreAllAccessesGranted

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAreAllAccessesGranted(x,	x)
		public _RtlAreAllAccessesGranted@8
_RtlAreAllAccessesGranted@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		not	eax
		and	eax, [ebp+arg_4]
		neg	eax
		sbb	al, al
		inc	al
		pop	ebp
		retn	8
_RtlAreAllAccessesGranted@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpGetIndexElementSize(x)
_CmpGetIndexElementSize@4 proc near	; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+10C3p
					; CmpCheckKey(x,x,x,x,x,x,x)+10DBp ...
		movzx	eax, word ptr [ecx]
		mov	ecx, 666Ch
		cmp	ax, cx
		jz	short loc_7C6C17
		mov	ecx, 686Ch
		cmp	ax, cx
		jnz	short loc_7C6C1B

loc_7C6C17:				; CODE XREF: CmpGetIndexElementSize(x)+Bj
		push	8
		pop	eax
		retn
; 

loc_7C6C1B:				; CODE XREF: CmpGetIndexElementSize(x)+15j
		push	4
		pop	eax
		retn
_CmpGetIndexElementSize@4 endp

; 
		align 10h

; __stdcall CmpAddToDelayedClose(x)
_CmpAddToDelayedClose@4:		; CODE XREF: CmpDereferenceKeyControlBlockWithLock:loc_8057BFp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _CmpDelayedCloseTableLock
		mov	ecx, edi
		xor	ebx, ebx
		call	ExAcquireFastMutex
		lea	eax, [esi+78h]
		cmp	[eax], eax
		jnz	short loc_7C6C9C
		mov	ecx, _CmpDelayedLRUListHead
		mov	edx, offset _CmpDelayedLRUListHead
		cmp	[ecx+4], edx
		jz	short loc_7C6C51
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_7C6C51:				; CODE XREF: PAGE:007C6C4Aj
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[ecx+4], eax
		mov	_CmpDelayedLRUListHead,	eax
		or	byte ptr [esi+20h], 2
		mov	eax, _CmpDelayedCloseElements
		inc	eax
		add	ds:dword_A94398, 1
		mov	_CmpDelayedCloseElements, eax
		adc	ds:dword_A9439C, ebx
		cmp	eax, _CmpDelayedCloseSize
		jbe	short loc_7C6C84
		mov	bl, 1

loc_7C6C84:				; CODE XREF: PAGE:007C6C80j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	bl, 1
		jnz	short loc_7C6C98
		pop	edi
		pop	esi
		pop	ebx
		jmp	_CmpArmDelayedCloseTimer@0 ; CmpArmDelayedCloseTimer()
; 

loc_7C6C98:				; CODE XREF: PAGE:007C6C8Ej
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7C6C9C:				; CODE XREF: PAGE:007C6C3Aj
		push	ebx
		push	ebx
		push	esi
		push	34h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcpCompleteDeferSignalRequestAndWait(x, x, x, x,	x)
@AlpcpCompleteDeferSignalRequestAndWait@20 proc	near
					; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+223p
					; AlpcpReceiveMessagePort(x,x,x,x,x)+297p

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		btr	dword ptr [ecx+18h], 2
		push	esi
		setb	al
		mov	esi, edx
		test	al, al
		jnz	short loc_7C6CDF
		mov	eax, [ecx+18h]
		mov	ecx, esi
		push	[ebp+arg_8]
		shr	eax, 15h
		and	al, 1
		movzx	eax, al
		push	eax
		push	[ebp+arg_4]
		push	10h
		pop	edx
		call	_AlpcpWaitForSingleObject@20 ; AlpcpWaitForSingleObject(x,x,x,x,x)

loc_7C6CDA:				; CODE XREF: AlpcpCompleteDeferSignalRequestAndWait(x,x,x,x,x)+44j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_7C6CDF:				; CODE XREF: AlpcpCompleteDeferSignalRequestAndWait(x,x,x,x,x)+12j
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	10h
		call	AlpcpSignalAndWait
		jmp	short loc_7C6CDA
@AlpcpCompleteDeferSignalRequestAndWait@20 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2486. SeQueryAuthenticationIdToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeQueryAuthenticationIdToken(x, x)
		public _SeQueryAuthenticationIdToken@8
_SeQueryAuthenticationIdToken@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	eax, [edx+18h]
		mov	[ecx], eax
		mov	eax, [edx+1Ch]
		mov	[ecx+4], eax
		xor	eax, eax
		pop	ebp
		retn	8
_SeQueryAuthenticationIdToken@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpParseIndirectInfString proc	near	; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+1AEp
					; _PnpRegQueryValueIndirect+AAp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F10B8 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		push	eax
		mov	edx, 7FFFh
		mov	esi, ecx
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		test	eax, eax
		js	loc_7C6DBD
		mov	edi, [ebp+var_4]
		cmp	edi, 5
		jb	short loc_7C6DBD
		cmp	word ptr [esi],	40h
		jnz	short loc_7C6DBD
		movzx	eax, word ptr [esi+2]
		xor	ecx, ecx
		push	2Ch
		inc	ecx
		pop	ebx
		jmp	short loc_7C6D5B
; 

loc_7C6D51:				; CODE XREF: _PnpParseIndirectInfString+4Ej
		cmp	dx, bx
		jz	short loc_7C6D62
		inc	ecx
		movzx	eax, word ptr [esi+ecx*2]

loc_7C6D5B:				; CODE XREF: _PnpParseIndirectInfString+3Dj
		mov	edx, eax
		test	ax, ax
		jnz	short loc_7C6D51

loc_7C6D62:				; CODE XREF: _PnpParseIndirectInfString+42j
		cmp	[esi+ecx*2], bx
		jnz	short loc_7C6DBD
		push	25h
		pop	ebx
		cmp	[esi+ecx*2+2], bx
		jnz	short loc_7C6DBD
		push	3Bh
		lea	eax, [ecx+2]
		pop	edx
		jmp	short loc_7C6D80
; 

loc_7C6D7A:				; CODE XREF: _PnpParseIndirectInfString+75j
		cmp	cx, dx
		jz	short loc_7C6D89
		inc	eax

loc_7C6D80:				; CODE XREF: _PnpParseIndirectInfString+66j
		movzx	ecx, word ptr [esi+eax*2]
		test	cx, cx
		jnz	short loc_7C6D7A

loc_7C6D89:				; CODE XREF: _PnpParseIndirectInfString+6Bj
		cmp	[esi+eax*2], dx
		jnz	short loc_7C6DC1

loc_7C6D8F:				; CODE XREF: _PnpParseIndirectInfString+B1j
		lea	ecx, [eax-1]
		test	eax, eax
		jz	short loc_7C6DC5

loc_7C6D96:				; CODE XREF: _PnpParseIndirectInfString+B6j
		cmp	[esi+ecx*2], bx
		jnz	short loc_7C6DBD
		test	eax, eax

loc_7C6D9E:				; CODE XREF: _PnpParseIndirectInfString+12A3B8j
		jz	short loc_7C6DB4

loc_7C6DA0:				; CODE XREF: _PnpParseIndirectInfString+9Bj
					; _PnpParseIndirectInfString+12A3ACj
		inc	eax
		movzx	ecx, word ptr [esi+eax*2]
		test	cx, cx
		jz	short loc_7C6DB4
		cmp	cx, dx
		jnz	short loc_7C6DA0
		jmp	loc_8F10B8
; 

loc_7C6DB4:				; CODE XREF: _PnpParseIndirectInfString:loc_7C6D9Ej
					; _PnpParseIndirectInfString+96j
		mov	al, 1

loc_7C6DB6:				; CODE XREF: _PnpParseIndirectInfString+ADj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7C6DBD:				; CODE XREF: _PnpParseIndirectInfString+1Fj
					; _PnpParseIndirectInfString+2Bj ...
		xor	al, al
		jmp	short loc_7C6DB6
; 

loc_7C6DC1:				; CODE XREF: _PnpParseIndirectInfString+7Bj
		xor	eax, eax
		jmp	short loc_7C6D8F
; 

loc_7C6DC5:				; CODE XREF: _PnpParseIndirectInfString+82j
		lea	ecx, [edi-1]
		jmp	short loc_7C6D96
_PnpParseIndirectInfString endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObSetCurrentProcessDeviceMap proc near	; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+5B6p
					; ObpReferenceDeviceMap:loc_926073p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F10CF SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+80h]
		xor	edi, edi
		push	eax
		mov	esi, edi
		mov	[ebp+var_10], eax
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8F10CF
		cmp	dword ptr [ebx+18h], 3E7h
		mov	ecx, [ebx+1Ch]
		mov	[ebp+var_C], edi
		jz	loc_7C6E95

loc_7C6E0B:				; CODE XREF: ObSetCurrentProcessDeviceMap+CDj
		lea	edx, [ebp+var_4]
		mov	[ebp+var_4], edi
		mov	ecx, ebx
		call	SeGetTokenDeviceMap
		mov	[ebp+var_C], eax
		test	eax, eax
		js	loc_8F10D9
		mov	eax, [ebp+var_4]

loc_7C6E26:				; CODE XREF: ObSetCurrentProcessDeviceMap+DCj
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_8F10D9
		test	esi, esi
		jnz	short loc_7C6E3C
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, eax

loc_7C6E3C:				; CODE XREF: ObSetCurrentProcessDeviceMap+69j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		lea	ecx, [esi+70h]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_8]
		mov	edi, [ecx+198h]
		mov	[ecx+198h], eax
		lock inc dword ptr [eax+0Ch]
		xor	edx, edx
		lea	ecx, [esi+70h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	esi, [ebp+var_C]

loc_7C6E83:				; CODE XREF: ObSetCurrentProcessDeviceMap+12A314j
		mov	ecx, ebx
		call	ObfDereferenceObject
		test	edi, edi
		jnz	short loc_7C6EAB

loc_7C6E8E:				; CODE XREF: ObSetCurrentProcessDeviceMap+E8j
		mov	eax, esi

loc_7C6E90:				; CODE XREF: ObSetCurrentProcessDeviceMap+12A30Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7C6E95:				; CODE XREF: ObSetCurrentProcessDeviceMap+3Bj
		test	ecx, ecx
		jnz	loc_7C6E0B
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, eax
		mov	eax, [esi]
		jmp	loc_7C6E26
; 

loc_7C6EAB:				; CODE XREF: ObSetCurrentProcessDeviceMap+C2j
		mov	ecx, edi
		call	ObfDereferenceDeviceMap
		jmp	short loc_7C6E8E
ObSetCurrentProcessDeviceMap endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeGetTokenDeviceMap proc near		; CODE XREF: ObSetCurrentProcessDeviceMap+49p
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+57Fp ...

var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F10E3 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_9C], eax
		mov	[ebp+var_98], eax
		mov	[ebp+var_BC], eax
		mov	[ebp+var_B8], eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_94], eax
		mov	[ebp+var_90], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jz	loc_8F10FD
		test	edi, edi
		jz	loc_8F10FD
		test	byte ptr [ecx+0B0h], 20h
		jnz	loc_8F10F3
		mov	esi, [ecx+0C0h]
		test	esi, esi
		jz	loc_8F10F3
		lea	ebx, [esi+1Ch]
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_7C6F41
		mov	[edi], eax
		xor	eax, eax

loc_7C6F32:				; CODE XREF: SeGetTokenDeviceMap+113j
					; SeGetTokenDeviceMap+1F1j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7C6F41:				; CODE XREF: SeGetTokenDeviceMap+78j
		push	dword ptr [ecx+18h]
		push	dword ptr [ecx+1Ch]
		push	dword ptr [esi+58h]
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		push	eax
		push	offset ??_C@_1EE@FDNCMIA@?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAs?$AA?2?$AA?$CF?$AAd?$AA?2?$AAD?$AAo@NNGAKEGL@ ; "\\Sessions\\%d\\DosDevices\\%08x-%08x"
		lea	eax, [ebp+var_88]
		push	40h
		push	eax
		call	_swprintf_s
		add	esp, 18h
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_9C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_B4], 18h
		mov	[ebp+var_AC], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_B0], ecx
		push	eax
		push	0F000Fh
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_A8], 2C0h
		push	eax
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_A0], ecx
		call	_ZwCreateDirectoryObject@12 ; ZwCreateDirectoryObject(x,x,x)
		test	eax, eax
		js	loc_7C6F32
		mov	ecx, [esi+58h]
		lea	eax, [ebp+var_90]
		push	eax
		push	2
		push	0
		push	[ebp+var_8C]
		xor	edx, edx
		call	ObpSetDeviceMap
		mov	esi, eax
		test	esi, esi
		js	loc_7C7098
		push	(offset	loc_8BC071+1)
		lea	eax, [ebp+var_BC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1BE@MJMHDIJM@?$AA?2?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AA?$DP?$AA?$DP@NNGAKEGL@ ; "\\Global??"
		lea	eax, [ebp+var_9C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_8C]
		and	[ebp+var_A4], 0
		and	[ebp+var_A0], 0
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_9C]
		push	eax
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_B4], 18h
		push	eax
		push	0F0001h
		lea	eax, [ebp+var_94]
		mov	[ebp+var_A8], 2D0h
		push	eax
		call	_ZwCreateSymbolicLinkObject@16 ; ZwCreateSymbolicLinkObject(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8F10E3
		push	[ebp+var_94]
		call	_ZwClose@4	; ZwClose(x)
		mov	ecx, [ebp+var_90]
		xor	eax, eax
		mov	edx, ecx
		lock cmpxchg [ebx], edx
		test	eax, eax
		jnz	short loc_7C70AA

loc_7C7094:				; CODE XREF: SeGetTokenDeviceMap+1FBj
		mov	eax, [ebx]
		mov	[edi], eax

loc_7C7098:				; CODE XREF: SeGetTokenDeviceMap+138j
					; SeGetTokenDeviceMap+12A23Aj
		push	[ebp+var_8C]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi
		jmp	loc_7C6F32
; 

loc_7C70AA:				; CODE XREF: SeGetTokenDeviceMap+1DEj
		call	ObfDereferenceDeviceMap
		jmp	short loc_7C7094
SeGetTokenDeviceMap endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DbgkForwardException proc near		; CODE XREF: KiDispatchException+37Dp
					; KiDispatchException+667p ...

var_C2		= byte ptr -0C2h
var_C1		= byte ptr -0C1h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_40		= dword	ptr -40h
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008F1107 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0C4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[esp+0D0h+var_C0], edx
		push	0A8h		; size_t
		lea	eax, [esp+0D4h+var_B0]
		mov	[esp+0D4h+var_BC], ecx
		push	ebx		; int
		push	eax		; void *
		mov	[esp+0DCh+var_B8], ebx
		mov	[esp+0DCh+var_B4], ebx
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+arg_0], bl
		jnz	short loc_7C715F

loc_7C70FB:				; CODE XREF: DbgkForwardException+CBj
		mov	eax, large fs:124h
		mov	ecx, [esp+0D0h+var_C0]
		mov	[esp+0D0h+var_B0], offset loc_74005C
		mov	[esp+0D0h+var_AC], 8
		mov	[esp+0D0h+var_98], ebx
		mov	edi, [eax+80h]
		test	cl, cl
		jz	short loc_7C7182
		mov	eax, large fs:124h
		mov	esi, ebx
		test	byte ptr [eax+2FCh], 4
		jnz	short loc_7C713A
		mov	esi, [edi+190h]

loc_7C713A:				; CODE XREF: DbgkForwardException+80j
		mov	[esp+0D0h+var_C1], bl

loc_7C713E:				; CODE XREF: DbgkForwardException+EAj
		test	esi, esi
		jnz	short loc_7C719E
		test	cl, cl
		jz	short loc_7C719E

loc_7C7146:				; CODE XREF: DbgkForwardException+134j
					; DbgkForwardException+14Aj ...
		xor	al, al

loc_7C7148:				; CODE XREF: DbgkForwardException+168j
		mov	ecx, [esp+0D0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7C715F:				; CODE XREF: DbgkForwardException+47j
		lea	eax, [esp+0D0h+var_B8]
		mov	[esp+0D0h+var_B8], 1
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	PsSetProcessFaultInformation
		jmp	loc_7C70FB
; 

loc_7C7182:				; CODE XREF: DbgkForwardException+6Fj
		mov	ecx, edi
		call	_PsCaptureExceptionPort@4 ; PsCaptureExceptionPort(x)
		mov	ecx, [esp+0D0h+var_C0]
		mov	esi, eax
		mov	[esp+0D0h+var_AC], 7
		mov	[esp+0D0h+var_C1], 1
		jmp	short loc_7C713E
; 

loc_7C719E:				; CODE XREF: DbgkForwardException+8Ej
					; DbgkForwardException+92j
		mov	edx, [esp+0D0h+var_BC]
		lea	ecx, [esp+0D0h+var_90] ; void *
		call	_KeCopyExceptionRecord@8 ; KeCopyExceptionRecord(x,x)
		xor	eax, eax
		cmp	[ebp+arg_0], al
		setz	al
		mov	[esp+0D0h+var_40], eax
		cmp	[esp+0D0h+var_C1], bl
		jz	loc_8F1114
		test	esi, esi
		jz	loc_8F1107
		push	[esp+0D0h+var_C0]
		mov	edx, esi
		lea	ecx, [esp+0D4h+var_B0]
		call	DbgkpSendApiMessageLpc
		mov	ecx, esi
		mov	ebx, eax
		call	ObfDereferenceObject

loc_7C71E4:				; CODE XREF: DbgkForwardException+12A05Dj
					; DbgkForwardException+12A079j
		test	ebx, ebx
		js	loc_7C7146
		mov	eax, [esp+0D0h+var_94]
		cmp	eax, 80010001h
		jnz	short loc_7C7210
		cmp	byte ptr [esp+0D0h+var_C0], 0
		jnz	loc_7C7146
		lea	ecx, [esp+0D0h+var_B0]
		push	ecx
		mov	ecx, [esp+0D4h+var_BC]
		call	DbgkpSendErrorMessage

loc_7C7210:				; CODE XREF: DbgkForwardException+143j
		test	eax, eax
		js	loc_7C7146
		mov	al, 1
		jmp	loc_7C7148
DbgkForwardException endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtOpenMutant	proc near		; DATA XREF: .text:00580F34o

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F115C SIZE 0000000D BYTES

		push	14h
		push	offset dword_6A3960
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_24], bl
		test	bl, bl
		jz	short loc_7C725E
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_7C72B9

loc_7C7253:				; CODE XREF: NtOpenMutant+9Bj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C725E:				; CODE XREF: NtOpenMutant+22j
		mov	esi, ds:_ExMutantObjectType
		lea	eax, [ebp+var_1C]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	edi
		push	[ebp+arg_4]
		push	edi
		push	[ebp+var_24]
		push	esi
		push	[ebp+arg_8]
		call	ObOpenObjectByNameEx
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_7C72A4
		test	bl, bl
		jz	loc_8F115C
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_7C729D:				; CODE XREF: sub_8F1154+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C72A4:				; CODE XREF: NtOpenMutant+64j
					; NtOpenMutant+129F44j
		mov	eax, [ebp+arg_4]

loc_7C72A7:				; CODE XREF: sub_8F113E+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7C72B9:				; CODE XREF: NtOpenMutant+31j
		mov	ecx, eax
		jmp	short loc_7C7253
NtOpenMutant	endp

; 
		align 2

; __stdcall NtQueryMultipleValueKey(x, x, x, x,	x, x)
_NtQueryMultipleValueKey@24:		; DATA XREF: .text:00580E38o
		push	110h
		push	offset dword_6A3988
		call	__SEH_prolog4_GS
		mov	esi, [ebp+8]
		mov	eax, [ebp+0Ch]
		mov	[ebp-0B8h], eax
		mov	eax, [ebp+14h]
		mov	[ebp-0C0h], eax
		mov	eax, [ebp+18h]
		mov	[ebp-0A8h], eax
		mov	[ebp-0D4h], eax
		mov	eax, [ebp+1Ch]
		mov	[ebp-0C8h], eax
		xor	ebx, ebx
		mov	[ebp-0ACh], ebx
		mov	[ebp-0D0h], ebx
		mov	[ebp-0FCh], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp-34h]
		rep stosd
		push	4Ch
		push	ebx
		lea	eax, [ebp-0A0h]
		push	eax
		call	_memset
		add	esp, 0Ch
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp-54h]
		rep stosd
		mov	[ebp-0D8h], ebx
		cmp	ds:_CmpTraceRoutine, eax
		jz	short loc_7C734F
		mov	edx, 20000h
		lea	ecx, [ebp-54h]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)

loc_7C734F:				; CODE XREF: PAGE:007C7340j
		mov	[ebp-0A2h], bl
		mov	[ebp-0A3h], bl
		mov	[ebp-0B4h], ebx
		push	9
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp-120h]
		rep stosd
		lea	eax, [ebp-0E8h]
		mov	[ebp-0E4h], eax
		mov	[ebp-0E8h], eax
		mov	[ebp-0C4h], ebx
		mov	[ebp-0BCh], ebx
		mov	[ebp-0DCh], ebx
		mov	[ebp-0E0h], ebx
		call	CmpAcquireShutdownRundown
		mov	[ebp-0ADh], al
		test	al, al
		jnz	loc_7C7459
		mov	esi, 0C0000189h

loc_7C73B0:				; CODE XREF: PAGE:007C748Ej
					; PAGE:007C7572j ...
		mov	edi, [ebp-0A8h]

loc_7C73B6:				; CODE XREF: PAGE:007C7609j
					; PAGE:007C7611j ...
		mov	ecx, [ebp-0C4h]
		test	ecx, ecx
		jz	short loc_7C73C5
		call	ObfDereferenceObject

loc_7C73C5:				; CODE XREF: PAGE:007C73BEj
		cmp	byte ptr [ebp-0A2h], 0
		jz	short loc_7C73ED
		lea	eax, [ebp-0E8h]
		push	eax
		lea	eax, [ebp-120h]
		push	eax
		push	esi
		mov	edx, [ebp-0B4h]
		push	18h
		pop	ecx
		call	_CmPostCallbackNotification@20 ; CmPostCallbackNotification(x,x,x,x,x)
		mov	esi, eax

loc_7C73ED:				; CODE XREF: PAGE:007C73CCj
		cmp	dword ptr [ebp-0BCh], 0
		jz	loc_7C775B
		mov	dword ptr [ebp-4], 2
		mov	eax, [ebp-0ACh]
		mov	[edi], eax
		test	esi, esi
		jns	short loc_7C7419
		cmp	esi, 80000005h
		jnz	loc_7C772F

loc_7C7419:				; CODE XREF: PAGE:007C740Bj
		mov	edi, ebx

loc_7C741B:				; CODE XREF: PAGE:007C7457j
		mov	[ebp-0F4h], edi
		cmp	edi, [ebp+10h]
		jnb	loc_7C772F
		mov	edx, edi
		add	edx, edx
		mov	ecx, [ebp-0BCh]
		mov	eax, [ecx+edx*8+4]
		mov	ebx, [ebp-0B8h]
		mov	[ebx+edx*8+4], eax
		mov	eax, [ecx+edx*8+8]
		mov	[ebx+edx*8+8], eax
		mov	eax, [ecx+edx*8+0Ch]
		mov	ecx, ebx
		mov	[ecx+edx*8+0Ch], eax
		xor	ebx, ebx
		inc	edi
		jmp	short loc_7C741B
; 

loc_7C7459:				; CODE XREF: PAGE:007C73A5j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-0A1h], al
		mov	[ebp-0CCh], al
		push	ebx
		lea	eax, [ebp-0B4h]
		push	eax
		push	dword ptr [ebp-0CCh]
		push	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, esi
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7C73B0
		cmp	ds:_CmpTraceRoutine, ebx
		jz	short loc_7C74AF
		mov	ecx, [ebp-0B4h]
		test	ecx, ecx
		jz	short loc_7C74AF
		mov	eax, [ecx+8]
		mov	[ebp-0D8h], eax

loc_7C74AF:				; CODE XREF: PAGE:007C749Aj
					; PAGE:007C74A4j
		mov	[ebp-4], ebx
		cmp	byte ptr [ebp-0A1h], 1
		jnz	short loc_7C7528
		mov	ecx, [ebp-0A8h]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		jb	short loc_7C74CD
		mov	ecx, edx

loc_7C74CD:				; CODE XREF: PAGE:007C74C9j
		nop
		mov	eax, [ecx]
		mov	[ebp-0ACh], eax
		cmp	dword ptr [ebp+10h], 10000h
		ja	loc_7C77EE
		push	4
		mov	eax, [ebp+10h]
		shl	eax, 4
		push	eax
		mov	esi, [ebp-0B8h]
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	edi, [ebp-0C8h]
		test	edi, edi
		jz	short loc_7C7513
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jb	short loc_7C750F
		mov	ecx, eax

loc_7C750F:				; CODE XREF: PAGE:007C750Bj
		mov	eax, [ecx]
		mov	[ecx], eax

loc_7C7513:				; CODE XREF: PAGE:007C7500j
		push	4
		push	dword ptr [ebp-0ACh]
		push	dword ptr [ebp-0C0h]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		jmp	short loc_7C7542
; 

loc_7C7528:				; CODE XREF: PAGE:007C74B9j
		mov	eax, [ebp-0A8h]
		mov	eax, [eax]
		mov	[ebp-0ACh], eax
		mov	edi, [ebp-0C8h]
		mov	esi, [ebp-0B8h]

loc_7C7542:				; CODE XREF: PAGE:007C7526j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		lea	eax, [ebp-0E0h]
		push	eax
		lea	eax, [ebp-0DCh]
		push	eax
		lea	eax, [ebp-0BCh]
		push	eax
		push	dword ptr [ebp-0CCh]
		mov	edx, [ebp+10h]
		mov	ecx, esi
		call	_CmpCaptureKeyValueArray@24 ; CmpCaptureKeyValueArray(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7C73B0
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	byte ptr [ebp-0A3h], 1
		cmp	_CmpCallBackCount, 0
		jz	loc_7C761D
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_7C761D
		mov	ecx, [ebp-0B4h]
		mov	[ebp-120h], ecx
		mov	eax, [ebp-0BCh]
		mov	[ebp-11Ch], eax
		mov	eax, [ebp+10h]
		mov	[ebp-118h], eax
		mov	eax, [ebp-0C0h]
		mov	[ebp-114h], eax
		lea	eax, [ebp-0ACh]
		mov	[ebp-110h], eax
		mov	[ebp-10Ch], edi
		lea	eax, [ebp-0E8h]
		push	eax
		push	ecx
		push	18h
		push	ecx
		lea	edx, [ebp-120h]
		push	9
		pop	ecx
		call	_CmpCallCallBacks@24 ; CmpCallCallBacks(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7C7616
		mov	edi, [ebp-0A8h]
		cmp	esi, 0C0000503h
		jnz	loc_7C73B6
		mov	esi, ebx
		jmp	loc_7C73B6
; 

loc_7C7616:				; CODE XREF: PAGE:007C75FBj
		mov	byte ptr [ebp-0A2h], 1

loc_7C761D:				; CODE XREF: PAGE:007C758Bj
					; PAGE:007C759Dj
		lea	eax, [ebp-0C4h]
		push	eax
		push	1
		mov	dl, [ebp-0A1h]
		lea	ecx, [ebp-0B4h]
		call	_CmKeyBodyRemapToVirtualForEnum@16 ; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7C73B0
		push	4
		movsx	eax, byte ptr [ebp-0A1h]
		push	eax
		push	dword ptr [ebp-0ACh]
		mov	edx, [ebp-0C0h]
		lea	ecx, [ebp-0A0h]
		call	CmpBounceContextStart
		mov	esi, eax
		test	esi, esi
		js	loc_7C73B0
		lea	ecx, [ebp-34h]
		call	CmpAttachToRegistryProcess
		lea	eax, [ebp-0D0h]
		push	eax
		lea	eax, [ebp-0ACh]
		push	eax
		push	dword ptr [ebp-9Ch]
		push	dword ptr [ebp+10h]
		push	dword ptr [ebp-0BCh]
		mov	edx, [ebp-0C4h]
		mov	ecx, [ebp-0B4h]
		call	CmQueryMultipleValueKey
		mov	esi, eax
		lea	ecx, [ebp-34h]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		mov	dword ptr [ebp-4], 1
		test	edi, edi
		jz	short loc_7C76BF
		mov	eax, [ebp-0D0h]
		mov	[edi], eax

loc_7C76BF:				; CODE XREF: PAGE:007C76B5j
		test	esi, esi
		jns	short loc_7C76CB
		cmp	esi, 80000005h
		jnz	short loc_7C76DC

loc_7C76CB:				; CODE XREF: PAGE:007C76C1j
		mov	edx, [ebp-0ACh]
		lea	ecx, [ebp-0A0h]
		call	_CmpBounceContextCopyDataToCallerBuffer@8 ; CmpBounceContextCopyDataToCallerBuffer(x,x)

loc_7C76DC:				; CODE XREF: PAGE:007C76C9j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7C73B0
; 

loc_7C76E8:				; DATA XREF: .text:006A39A8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0ECh], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7C76F9:				; DATA XREF: .text:006A39ACo
		mov	esi, [ebp-0ECh]
		jmp	short loc_7C7718
; 

loc_7C7701:				; DATA XREF: .text:006A399Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0F0h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7C7712:				; DATA XREF: .text:006A39A0o
		mov	esi, [ebp-0F0h]

loc_7C7718:				; CODE XREF: PAGE:007C76FFj
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-0D4h]
		xor	ebx, ebx
		jmp	loc_7C73B6
; 

loc_7C772F:				; CODE XREF: PAGE:007C7413j
					; PAGE:007C7424j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7C775B
; 

loc_7C7738:				; DATA XREF: .text:006A39B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0F8h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7C7749:				; DATA XREF: .text:006A39B8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0F8h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx

loc_7C775B:				; CODE XREF: PAGE:007C73F4j
					; PAGE:007C7736j
		cmp	byte ptr [ebp-0A3h], 0
		jz	short loc_7C7769
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_7C7769:				; CODE XREF: PAGE:007C7762j
		mov	ecx, [ebp-0B4h]
		test	ecx, ecx
		jz	short loc_7C7778
		call	ObfDereferenceObject

loc_7C7778:				; CODE XREF: PAGE:007C7771j
		lea	ecx, [ebp-0A0h]
		call	_CmpBounceContextCleanup@4 ; CmpBounceContextCleanup(x)
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jz	short loc_7C779F
		push	ebx
		push	dword ptr [ebp-0D8h]
		push	dword ptr [ebp+10h]
		push	esi
		lea	ecx, [ebp-54h]
		push	ecx
		push	13h
		call	eax

loc_7C779F:				; CODE XREF: PAGE:007C778Aj
		cmp	byte ptr [ebp-0ADh], 0
		jz	short loc_7C77AD
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_7C77AD:				; CODE XREF: PAGE:007C77A6j
		mov	ecx, [ebp-0BCh]
		test	ecx, ecx
		jz	short loc_7C77BC
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_7C77BC:				; CODE XREF: PAGE:007C77B5j
		mov	ecx, [ebp-0DCh]
		test	ecx, ecx
		jz	short loc_7C77CB
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_7C77CB:				; CODE XREF: PAGE:007C77C4j
		mov	ecx, [ebp-0E0h]
		test	ecx, ecx
		jz	short loc_7C77DA
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_7C77DA:				; CODE XREF: PAGE:007C77D3j
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7C77EE:				; CODE XREF: PAGE:007C74DDj
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmQueryMultipleValueKey	proc near	; CODE XREF: PAGE:007C769Dp

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F1169 SIZE 00000202 BYTES
; FUNCTION CHUNK AT 008F13A9 SIZE 0000003D BYTES

		push	84h
		push	offset dword_6A39C0
		call	__SEH_prolog4
		mov	[ebp+var_2C], edx
		mov	esi, ecx
		xor	edx, edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_34], edx
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_1A], dl
		mov	[ebp+var_68], edi
		mov	[ebp+var_64], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_94], edi
		mov	[ebp+var_90], edx
		mov	ebx, edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_22], dl
		mov	[ebp+var_21], dl
		mov	[ebp+var_44], edx
		mov	[ebp+var_19], dl
		mov	[ebp+var_8C], edi
		mov	[ebp+var_88], edx
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edi, [esi+8]
		mov	[ebp+var_6C], edi
		mov	[ebp+var_84], edi
		xor	eax, eax
		cmp	[edi+22h], ax
		jnz	loc_8F1169
		cmp	[esi+20h], eax
		jnz	loc_8F118D
		cmp	[esi+24h], eax
		jnz	loc_8F118D

loc_7C788C:				; CODE XREF: CmQueryMultipleValueKey+129A08j
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	loc_8F1215

loc_7C7897:				; CODE XREF: CmQueryMultipleValueKey+129A21j
		mov	edx, edi
		mov	ecx, ebx
		call	_CmpLockTwoKcbsShared@8	; CmpLockTwoKcbsShared(x,x)
		mov	edx, [ebp+var_20]
		mov	ecx, esi
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_8F11C3
		mov	esi, [ebp+var_2C]
		test	esi, esi
		jnz	loc_8F1220

loc_7C78BD:				; CODE XREF: CmQueryMultipleValueKey+129A34j
		mov	eax, [edi+10h]
		mov	[ebp+var_40], eax
		mov	[ebp+var_78], eax
		lea	esi, [eax+24h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	eax, [edi+14h]
		lea	ecx, [ebp+var_68]
		push	ecx
		push	eax
		mov	eax, [ebp+var_40]
		push	eax
		call	dword ptr [eax+4]
		mov	[ebp+var_70], eax
		test	eax, eax
		jz	loc_8F1233
		push	dword ptr [edi+14h]
		mov	edx, eax
		mov	ecx, [ebp+var_40]
		call	_CmpUpdateKeyNodeAccessBits@12 ; CmpUpdateKeyNodeAccessBits(x,x,x)
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	loc_7C7B38

loc_7C790B:				; CODE XREF: CmQueryMultipleValueKey+345j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, [ebp+var_20]
		test	esi, esi
		jnz	loc_8F1274

loc_7C791D:				; CODE XREF: CmQueryMultipleValueKey+129A80j
					; CmQueryMultipleValueKey+129A8Aj
		test	ebx, ebx
		jnz	loc_8F1289

loc_7C7925:				; CODE XREF: CmQueryMultipleValueKey+129AADj
					; CmQueryMultipleValueKey+129AB9j ...
		xor	edx, edx
		mov	eax, edx
		mov	[ebp+var_38], eax
		mov	ecx, edx
		mov	[ebp+var_48], edx

loc_7C7931:				; CODE XREF: CmQueryMultipleValueKey+2DBj
		mov	esi, edx
		cmp	ecx, [ebp+arg_4]
		jnb	loc_7C7ADA
		mov	eax, ecx
		shl	eax, 4
		mov	[ebp+var_74], eax
		mov	ecx, [ebp+arg_0]
		mov	ecx, [eax+ecx]
		mov	[ebp+var_28], ecx
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_7C7971
		mov	esi, [ecx+4]
		mov	edx, eax
		xor	edi, edi

loc_7C795C:				; CODE XREF: CmQueryMultipleValueKey+129AD4j
		movzx	eax, dx
		shr	eax, 1
		cmp	[esi+eax*2-2], di
		jz	loc_8F12C2

loc_7C796C:				; CODE XREF: CmQueryMultipleValueKey+129ADAj
		mov	edi, [ebp+var_6C]
		xor	edx, edx

loc_7C7971:				; CODE XREF: CmQueryMultipleValueKey+159j
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_20], eax
		mov	[ebp+var_2C], eax
		test	ebx, ebx
		jnz	loc_8F12D9
		mov	esi, [ebp+var_34]

loc_7C7985:				; CODE XREF: CmQueryMultipleValueKey+129B2Dj
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_7C79C6
		mov	eax, [ebp+var_40]
		mov	esi, eax
		mov	[ebp+var_34], esi
		cmp	[ebp+var_22], 0
		jnz	loc_8F132C
		xor	edx, edx
		mov	[ebp+var_28], edx
		lea	edx, [ebp+var_28]
		push	edx
		xor	edx, edx
		push	edx
		push	edx
		push	ecx
		mov	edx, [ebp+var_70]
		lea	edx, [edx+24h]
		mov	ecx, eax
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		mov	eax, [ebp+var_28]

loc_7C79BA:				; CODE XREF: CmQueryMultipleValueKey+129B4Bj
		mov	[ebp+var_20], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_8F13B2

loc_7C79C6:				; CODE XREF: CmQueryMultipleValueKey+18Ej
		lea	ecx, [ebp+var_60]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	esi, eax
		mov	[ebp+var_2C], esi
		test	esi, esi
		jz	loc_8F134A
		mov	eax, [esi+4]
		cmp	eax, 80000000h
		jb	short loc_7C79EB
		add	eax, 80000000h

loc_7C79EB:				; CODE XREF: CmQueryMultipleValueKey+1EAj
		mov	[ebp+var_28], eax
		mov	edx, [ebp+var_30]
		add	edx, 3
		and	edx, 0FFFFFFFCh
		mov	[ebp+var_30], edx
		mov	[ebp+var_80], edx
		mov	ecx, [ebp+var_3C]
		add	ecx, 3
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_7C], ecx
		lea	ecx, [eax+edx]
		mov	edx, [ebp+arg_C]
		cmp	ecx, [edx]
		mov	edx, [ebp+var_30]
		ja	loc_8F13A9
		cmp	ecx, edx
		jb	loc_8F13A9
		cmp	[ebp+var_1A], 0
		jnz	loc_8F13A9
		lea	eax, [ebp+var_8C]
		push	eax
		lea	eax, [ebp+var_19]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_34]
		call	CmpGetValueData
		test	al, al
		jz	loc_8F134A
		xor	eax, eax
		mov	[ebp+ms_exc.disabled], eax
		mov	eax, [ebp+var_28]
		mov	[ebp+var_28], eax
		push	eax		; size_t
		push	[ebp+var_44]	; void *
		mov	eax, [ebp+var_30]
		add	eax, [ebp+arg_8]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [esi+0Ch]
		mov	ecx, [ebp+var_74]
		mov	edx, [ebp+arg_0]
		mov	[ecx+edx+0Ch], eax
		mov	eax, [ebp+var_28]
		mov	[ecx+edx+4], eax
		mov	esi, [ebp+var_30]
		mov	[ecx+edx+8], esi
		cmp	[ebp+var_19], 0
		jnz	loc_8F1356
		lea	eax, [ebp+var_8C]
		push	eax
		mov	eax, [ebp+var_34]
		push	eax
		call	dword ptr [eax+8]
		xor	eax, eax

loc_7C7AB0:				; CODE XREF: CmQueryMultipleValueKey+129B6Cj
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_28]
		add	esi, eax
		mov	[ebp+var_30], esi

loc_7C7ABB:				; CODE XREF: CmQueryMultipleValueKey+129BB3j
		add	[ebp+var_3C], eax
		lea	eax, [ebp+var_60]
		push	eax
		mov	eax, [ebp+var_34]
		push	eax
		call	dword ptr [eax+8]
		mov	ecx, [ebp+var_48]
		inc	ecx
		mov	[ebp+var_48], ecx
		mov	eax, [ebp+var_38]
		xor	edx, edx
		jmp	loc_7C7931
; 

loc_7C7ADA:				; CODE XREF: CmQueryMultipleValueKey+13Cj
					; CmQueryMultipleValueKey+129BC4j
		mov	edx, [ebp+var_3C]
		mov	ecx, [ebp+var_30]

loc_7C7AE0:				; CODE XREF: sub_8F1379+2Bj
		test	eax, eax
		js	short loc_7C7AF8
		cmp	[ebp+var_1A], 0
		jnz	short loc_7C7B44

loc_7C7AEA:				; CODE XREF: CmQueryMultipleValueKey+351j
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_7C7AF8
		mov	[eax], edx

loc_7C7AF8:				; CODE XREF: CmQueryMultipleValueKey+2E8j
					; CmQueryMultipleValueKey+2FAj	...
		test	esi, esi
		jnz	loc_8F13C3

loc_7C7B00:				; CODE XREF: CmQueryMultipleValueKey+129BD4j
		cmp	[ebp+var_4C], 0
		jnz	loc_8F13D3

loc_7C7B0A:				; CODE XREF: CmQueryMultipleValueKey+129BE7j
		lea	eax, [ebp+var_68]
		push	eax
		mov	eax, [ebp+var_40]
		push	eax
		call	dword ptr [eax+8]
		mov	edx, edi
		mov	ecx, ebx
		call	CmpUnlockTwoKcbs
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	eax, [ebp+var_38]

loc_7C7B26:				; CODE XREF: CmQueryMultipleValueKey+12998Ej
					; CmQueryMultipleValueKey+1299EFj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7C7B38:				; CODE XREF: CmQueryMultipleValueKey+10Bj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_7C790B
; 

loc_7C7B44:				; CODE XREF: CmQueryMultipleValueKey+2EEj
		mov	[ebp+var_38], 80000005h
		jmp	short loc_7C7AEA
CmQueryMultipleValueKey	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindNameInList(x, x, x, x, x, x)
_CmpFindNameInList@24 proc near		; CODE XREF: CmQueryMultipleValueKey+1B8p
					; CmpLightWeightPrepareSetValueKeyUoW+197p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_CmpFindNameInListWithStatus@24	; CmpFindNameInListWithStatus(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7C7B6E

loc_7C7B68:				; CODE XREF: CmpFindNameInList(x,x,x,x,x,x)+25j
		mov	al, 1

loc_7C7B6A:				; CODE XREF: CmpFindNameInList(x,x,x,x,x,x)+29j
		pop	ebp
		retn	10h
; 

loc_7C7B6E:				; CODE XREF: CmpFindNameInList(x,x,x,x,x,x)+18j
		cmp	eax, 0C0000034h
		jz	short loc_7C7B68
		xor	al, al
		jmp	short loc_7C7B6A
_CmpFindNameInList@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DrvDbLoadDatabaseNode proc near		; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+8Fp
					; DrvDbAcquireDatabaseNodeBaseKey+D6p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F13E6 SIZE 00000141 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, ecx
		and	[esp+24h+var_8], eax
		xor	ecx, ecx
		and	[esp+24h+var_C], eax
		xor	esi, esi
		and	[esp+24h+var_14], eax
		push	edi
		mov	edi, edx
		mov	[esp+28h+var_1C], eax
		xor	edx, edx
		mov	[esp+28h+var_10], ecx
		inc	edx
		mov	[esp+28h+var_18], edx
		test	[edi+1Ch], dl
		jnz	loc_7C7C38
		mov	ecx, [edi+28h]
		mov	[esp+28h+var_10], ecx
		test	ecx, ecx
		jz	short loc_7C7BEB
		push	dword ptr [edi+2Ch]
		lea	eax, [edi+30h]
		mov	[esp+2Ch+var_C], eax
		lea	eax, [esp+2Ch+var_C]
		push	eax
		push	edx
		push	edx
		push	dword ptr [edi+0Ch]
		push	ebx
		call	ecx
		cmp	eax, 0C0000002h
		jz	loc_8F144A
		test	eax, eax
		js	loc_8F1455

loc_7C7BEB:				; CODE XREF: DrvDbLoadDatabaseNode+45j
					; DrvDbLoadDatabaseNode+1298D6j
		lea	eax, [edi+30h]
		cmp	[eax], esi
		jz	loc_8F145C

loc_7C7BF6:				; CODE XREF: DrvDbLoadDatabaseNode+21Ej
		mov	ecx, [edi+1Ch]
		test	cl, 8
		jz	short loc_7C7C47

loc_7C7BFE:				; CODE XREF: DrvDbLoadDatabaseNode+1A5j
					; DrvDbLoadDatabaseNode+1298DDj ...
		mov	eax, [esp+40h+var_28]
		test	eax, eax
		jz	short loc_7C7C20
		push	dword ptr [edi+2Ch]
		lea	ecx, [esp+44h+var_24]
		push	ecx
		push	2
		push	1
		push	dword ptr [edi+0Ch]
		push	ebx
		call	eax
		test	eax, eax
		js	loc_8F1500

loc_7C7C20:				; CODE XREF: DrvDbLoadDatabaseNode+8Aj
					; DrvDbLoadDatabaseNode+CBj ...
		mov	eax, [esp+58h+var_38]
		mov	[edi+50h], esi
		test	eax, eax
		jnz	loc_8F151A

loc_7C7C2F:				; CODE XREF: DrvDbLoadDatabaseNode+1299A8j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7C7C38:				; CODE XREF: DrvDbLoadDatabaseNode+36j
		lea	ecx, [edi+30h]
		cmp	[ecx], eax
		jz	loc_7C7D2A
		xor	esi, esi
		jmp	short loc_7C7C20
; 

loc_7C7C47:				; CODE XREF: DrvDbLoadDatabaseNode+82j
		mov	edx, [edi+0Ch]	; wchar_t *
		lea	esi, [edi+20h]
		or	ecx, 8
		mov	[edi+1Ch], ecx
		lea	ecx, [esp+40h+var_2C]
		push	ecx		; int
		push	4		; int
		push	esi		; void *
		lea	ecx, [esp+4Ch+var_30]
		push	ecx		; int
		push	offset _DEVPKEY_DriverDatabase_Version ; void *
		push	dword ptr [eax]	; int
		mov	ecx, ebx	; int
		call	DrvDbGetDriverDatabaseMappedProperty
		cmp	eax, 0C0000225h
		jz	loc_8F14A9
		test	eax, eax
		js	loc_8F14C5
		cmp	[esp+40h+var_30], 7
		jnz	loc_8F14CD
		cmp	[esp+40h+var_2C], 4
		jnz	loc_8F14CD

loc_7C7C97:				; CODE XREF: DrvDbLoadDatabaseNode+129946j
					; DrvDbLoadDatabaseNode+12994Ej ...
		mov	edx, [edi+0Ch]	; wchar_t *
		lea	ecx, [esp+40h+var_2C]
		push	ecx		; int
		push	4		; int
		lea	eax, [edi+24h]
		mov	ecx, ebx	; int
		push	eax		; void *
		lea	eax, [esp+4Ch+var_30]
		push	eax		; int
		push	offset _DEVPKEY_DriverDatabase_SchemaVersion ; void *
		push	dword ptr [edi+30h] ; int
		call	DrvDbGetDriverDatabaseMappedProperty
		mov	esi, eax
		cmp	esi, 0C0000225h
		jz	loc_8F14D5
		test	esi, esi
		js	loc_8F14D5
		cmp	[esp+40h+var_30], 7
		jnz	loc_8F14E0
		cmp	[esp+40h+var_2C], 4
		jnz	loc_8F14E0

loc_7C7CE5:				; CODE XREF: DrvDbLoadDatabaseNode+129961j
					; DrvDbLoadDatabaseNode+12996Aj
		mov	edx, [edi+20h]
		test	edx, edx
		jz	short loc_7C7D15
		cmp	edx, 0FFFFFFFFh
		jz	loc_8F14E9
		mov	ecx, 0FFFF0000h
		and	edx, ecx
		cmp	edx, 6020000h
		jb	loc_8F14E9
		mov	eax, [ebx+4]
		and	eax, ecx
		cmp	edx, eax
		ja	loc_8F14E9

loc_7C7D15:				; CODE XREF: DrvDbLoadDatabaseNode+170j
		mov	ecx, [edi+24h]
		call	DrvDbCheckSchemaVersionSupported
		test	al, al
		jnz	loc_7C7BFE
		jmp	loc_8F14E9
; 

loc_7C7D2A:				; CODE XREF: DrvDbLoadDatabaseNode+C3j
		cmp	[ebx+14h], eax
		jnz	loc_8F13E6
		mov	edx, [edi+10h]
		test	edx, edx
		jz	short loc_7C7D57
		mov	ecx, [ebx]
		lea	eax, [esp+28h+var_1C]
		push	eax
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7C7C20
		mov	eax, [esp+28h+var_1C]
		lea	ecx, [edi+30h]

loc_7C7D57:				; CODE XREF: DrvDbLoadDatabaseNode+1BEj
		mov	edx, [edi+18h]
		mov	[esp+28h+var_4], edx
		mov	edx, [ebx]
		test	edx, edx
		jz	short loc_7C7D9D
		mov	esi, [edx+74h]

loc_7C7D67:				; CODE XREF: DrvDbLoadDatabaseNode+225j
		push	ecx
		push	2000000h
		push	0
		push	[esp+34h+var_4]
		mov	edx, eax
		mov	ecx, esi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_8F13F0
		test	esi, esi
		js	loc_7C7C20

loc_7C7D92:				; CODE XREF: DrvDbLoadDatabaseNode+1298CBj
		mov	[ebx+14h], edi

loc_7C7D95:				; CODE XREF: DrvDbLoadDatabaseNode+12992Aj
		lea	eax, [edi+30h]
		jmp	loc_7C7BF6
; 

loc_7C7D9D:				; CODE XREF: DrvDbLoadDatabaseNode+1E8j
		xor	esi, esi
		jmp	short loc_7C7D67
DrvDbLoadDatabaseNode endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DrvDbUnloadDatabaseNode	proc near	; CODE XREF: DrvDbReleaseDatabaseNodeBaseKey(x,x,x,x)+5Dp
					; DrvDbLoadDatabaseNode+129973p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F1527 SIZE 0000007D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], ecx
		xor	esi, esi
		and	[ebp+var_4], esi
		mov	ebx, [edi+28h]
		test	ebx, ebx
		jz	short loc_7C7DE0
		push	dword ptr [edi+2Ch]
		lea	eax, [edi+30h]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	2
		push	dword ptr [edi+0Ch]
		push	ecx
		call	ebx
		cmp	eax, 0C0000002h
		jz	short loc_7C7E0F
		test	eax, eax
		js	short loc_7C7E13

loc_7C7DE0:				; CODE XREF: DrvDbUnloadDatabaseNode+1Aj
					; DrvDbUnloadDatabaseNode+6Fj
		cmp	[edi+30h], esi
		jnz	loc_8F1527

loc_7C7DE9:				; CODE XREF: DrvDbUnloadDatabaseNode+73j
					; DrvDbUnloadDatabaseNode+1297A6j ...
		test	ebx, ebx
		jz	short loc_7C7E08
		push	dword ptr [edi+2Ch]
		lea	eax, [ebp+var_4]
		push	eax
		push	2
		push	2
		push	dword ptr [edi+0Ch]
		push	[ebp+var_10]
		call	ebx
		test	eax, eax
		js	loc_8F158A

loc_7C7E08:				; CODE XREF: DrvDbUnloadDatabaseNode+49j
					; DrvDbUnloadDatabaseNode+1297EDj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7C7E0F:				; CODE XREF: DrvDbUnloadDatabaseNode+38j
		xor	ebx, ebx
		jmp	short loc_7C7DE0
; 

loc_7C7E13:				; CODE XREF: DrvDbUnloadDatabaseNode+3Cj
		mov	esi, eax
		jmp	short loc_7C7DE9
DrvDbUnloadDatabaseNode	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbNodeActionCallback(x, x, x, x, x, x)
_PiDrvDbNodeActionCallback@24 proc near	; DATA XREF: DrvDbRegisterDatabase(x,x,x,x,x,x,x)+34o

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_14]
		xor	eax, eax
		test	byte ptr [esi+20h], 4
		jz	short loc_7C7E61
		mov	ecx, [ebp+arg_8]
		sub	ecx, 1
		jz	short loc_7C7E4D
		sub	ecx, 1
		jnz	short loc_7C7E61
		cmp	[ebp+arg_C], 1
		jnz	short loc_7C7E48
		mov	edx, [ebp+arg_10]
		mov	ecx, esi
		mov	edx, [edx]
		call	PiDrvDbUnloadNode

loc_7C7E48:				; CODE XREF: PiDrvDbNodeActionCallback(x,x,x,x,x,x)+22j
					; PiDrvDbNodeActionCallback(x,x,x,x,x,x)+39j ...
		pop	esi
		pop	ebp
		retn	18h
; 

loc_7C7E4D:				; CODE XREF: PiDrvDbNodeActionCallback(x,x,x,x,x,x)+17j
		cmp	[ebp+arg_C], 1
		jnz	short loc_7C7E48
		mov	edx, [ebp+arg_10]
		mov	ecx, esi
		mov	edx, [edx]
		call	PiDrvDbLoadNode
		jmp	short loc_7C7E48
; 

loc_7C7E61:				; CODE XREF: PiDrvDbNodeActionCallback(x,x,x,x,x,x)+Fj
					; PiDrvDbNodeActionCallback(x,x,x,x,x,x)+1Cj
		mov	eax, 0C0000002h
		jmp	short loc_7C7E48
_PiDrvDbNodeActionCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDrvDbLoadNode	proc near		; CODE XREF: PiDrvDbNodeActionCallback(x,x,x,x,x,x)+42p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F15A4 SIZE 00000091 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], edx
		and	[ebp+var_8], esi
		mov	ebx, ecx
		dec	word ptr [eax+13Ch]
		push	edi
		nop
		lea	edi, [ebx+2Ch]
		push	1
		push	edi
		mov	[ebp+var_4], edi
		call	ExAcquireResourceExclusiveLite
		cmp	byte ptr [ebx+28h], 0
		jnz	loc_8F15A4
		cmp	byte ptr [ebx+110h], 0
		jz	short loc_7C7EBF
		lea	eax, [ebx+90h]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		mov	byte ptr [ebx+110h], 0

loc_7C7EBF:				; CODE XREF: PiDrvDbLoadNode+42j
		lea	eax, [ebx+24h]
		mov	[ebp+var_C], eax
		cmp	[eax], esi
		jz	short loc_7C7EED

loc_7C7EC9:				; CODE XREF: PiDrvDbLoadNode+111j
					; PiDrvDbLoadNode+129768j
		mov	ebx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		mov	eax, [ebx]
		mov	[ecx], eax

loc_7C7ED3:				; CODE XREF: PiDrvDbLoadNode+129741j
					; PiDrvDbLoadNode+129778j
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7C7EED:				; CODE XREF: PiDrvDbLoadNode+5Fj
		mov	eax, [ebx+14h]
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	esi, 2000000h
		xor	edx, edx
		push	esi
		push	0
		push	eax
		xor	ecx, ecx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_8F15AE

loc_7C7F0E:				; CODE XREF: PiDrvDbLoadNode+12976Ej
		cmp	dword_6CC5E4, 0
		jnz	loc_8F15DB
		push	0
		push	0
		push	dword ptr [ebx+100h]
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		cmp	byte ptr [ebx+111h], 0
		mov	edi, eax
		jz	loc_8F15E5

loc_7C7F39:				; CODE XREF: PiDrvDbLoadNode+1297A0j
		push	0
		lea	esi, [ebx+78h]
		and	dword ptr [esi], 0
		lea	edi, [ebx+68h]
		push	1
		push	edi
		mov	dword ptr [esi+8], offset PiDrvDbLoadNodeWorkerCallback
		mov	[esi+0Ch], ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	0
		push	esi
		call	ExQueueWorkItem
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	edi
		call	KeWaitForSingleObject
		cmp	dword ptr [ebx+24h], 0
		jz	loc_8F160D
		xor	esi, esi

loc_7C7F76:				; CODE XREF: PiDrvDbLoadNode+1297B0j
					; PiDrvDbLoadNode+1297BDj ...
		mov	edi, [ebp+var_4]
		jmp	loc_7C7EC9
PiDrvDbLoadNode	endp


;  S U B	R O U T	I N E 


PiDrvDbUnloadNode proc near		; CODE XREF: PiDrvDbNodeActionCallback(x,x,x,x,x,x)+2Bp

; FUNCTION CHUNK AT 008F1635 SIZE 0000001F BYTES

		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	ebx, edx
		mov	esi, ecx
		nop
		push	1
		lea	edi, [esi+2Ch]
		push	edi
		call	ExAcquireResourceExclusiveLite
		cmp	dword ptr [esi+24h], 0
		jz	short loc_7C7FE7
		mov	edx, [esi+108h]
		mov	eax, edx
		mov	ecx, [esi+10Ch]
		or	eax, ecx
		jz	loc_8F1635
		test	ecx, ecx
		jl	short loc_7C7FC4
		jg	short loc_7C7FE0
		test	edx, edx
		jnb	short loc_7C7FE0

loc_7C7FC4:				; CODE XREF: PiDrvDbUnloadNode+3Ej
		lea	eax, [esi+0B8h]
		push	eax
		push	3A98h
		push	0
		push	ecx
		push	edx
		lea	eax, [esi+90h]
		push	eax
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)

loc_7C7FE0:				; CODE XREF: PiDrvDbUnloadNode+40j
					; PiDrvDbUnloadNode+44j ...
		mov	byte ptr [esi+110h], 1

loc_7C7FE7:				; CODE XREF: PiDrvDbUnloadNode+24j
		and	dword ptr [ebx], 0
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		retn
PiDrvDbUnloadNode endp

; 
		align 8
; Exported entry 544. FsRtlIncrementCcFastReadWait

;  S U B	R O U T	I N E 


; __stdcall FsRtlIncrementCcFastReadWait()
		public _FsRtlIncrementCcFastReadWait@0
_FsRtlIncrementCcFastReadWait@0	proc near
		inc	large dword ptr	fs:604h
		retn
_FsRtlIncrementCcFastReadWait@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFindClearVadBitsAligned(x, x, x, x)
_MiFindClearVadBitsAligned@16 proc near	; CODE XREF: MiFindEmptyAddressRange+23Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		shr	edx, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_4], eax
		mov	eax, [eax]
		push	edi
		cmp	esi, eax
		jnb	short loc_7C807B
		mov	edi, [ebp+arg_4]
		mov	ebx, eax
		sub	ebx, esi
		mov	ecx, edx
		cmp	edi, edx
		jbe	short loc_7C8046
		cmp	edi, eax
		jnb	short loc_7C8046
		lea	ecx, [edi-1]
		mov	eax, edx
		add	ecx, edx
		neg	eax
		and	ecx, eax

loc_7C8046:				; CODE XREF: MiFindClearVadBitsAligned(x,x,x,x)+25j
					; MiFindClearVadBitsAligned(x,x,x,x)+29j
		cmp	ecx, ebx
		ja	short loc_7C807B
		mov	eax, [ebp+var_4]
		mov	edi, [eax+4]
		mov	[ebp+arg_0], edi

loc_7C8053:				; CODE XREF: MiFindClearVadBitsAligned(x,x,x,x)+69j
		mov	eax, ecx
		shr	eax, 5
		lea	edi, [edi+eax*4]
		xor	eax, eax
		test	esi, esi
		jz	short loc_7C8066

loc_7C8061:				; CODE XREF: MiFindClearVadBitsAligned(x,x,x,x)+7Aj
		cmp	dword ptr [edi], 0
		jz	short loc_7C8080

loc_7C8066:				; CODE XREF: MiFindClearVadBitsAligned(x,x,x,x)+4Fj
					; MiFindClearVadBitsAligned(x,x,x,x)+78j
		cmp	eax, esi
		jz	short loc_7C808C
		mov	edi, [ebp+arg_0]
		add	ecx, eax
		mov	eax, edx
		neg	eax
		and	ecx, eax
		add	ecx, edx
		cmp	ecx, ebx
		jbe	short loc_7C8053

loc_7C807B:				; CODE XREF: MiFindClearVadBitsAligned(x,x,x,x)+18j
					; MiFindClearVadBitsAligned(x,x,x,x)+38j
		or	eax, 0FFFFFFFFh
		jmp	short loc_7C808E
; 

loc_7C8080:				; CODE XREF: MiFindClearVadBitsAligned(x,x,x,x)+54j
		add	eax, 20h
		add	edi, 4
		cmp	eax, esi
		jnb	short loc_7C8066
		jmp	short loc_7C8061
; 

loc_7C808C:				; CODE XREF: MiFindClearVadBitsAligned(x,x,x,x)+58j
		mov	eax, ecx

loc_7C808E:				; CODE XREF: MiFindClearVadBitsAligned(x,x,x,x)+6Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiFindClearVadBitsAligned@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQuerySystemTime proc near		; DATA XREF: .text:00580DF0o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F1674 SIZE 0000000D BYTES

		push	14h
		push	offset dword_6A3A20
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	loc_8F1674
		mov	[ebp+ms_exc.disabled], ecx
		mov	ebx, [ebp+arg_0]
		test	bl, 3
		jnz	short loc_7C810B
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	short loc_7C8110

loc_7C80D2:				; CODE XREF: NtQuerySystemTime+7Cj
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+4]
		mov	[ebx+4], al
		lea	eax, [ebp+var_24]
		push	eax
		call	KeQuerySystemTime
		mov	eax, [ebp+var_24]
		mov	[ebx], eax
		mov	eax, [ebp+var_20]
		mov	[ebx+4], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C80F7:				; CODE XREF: NtQuerySystemTime+1295E6j
		xor	eax, eax

loc_7C80F9:				; CODE XREF: sub_8F1662+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7C810B:				; CODE XREF: NtQuerySystemTime+31j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7C8110:				; CODE XREF: NtQuerySystemTime+3Aj
		mov	[eax], cl
		jmp	short loc_7C80D2
NtQuerySystemTime endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoQuerySystemDeviceName	proc near	; CODE XREF: PAGE:00780DC5p
					; PAGE:00780DE2p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F1681 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	edi
		mov	edi, ecx
		mov	eax, edi
		sub	eax, 62h
		jnz	short loc_7C8150
		mov	ecx, offset _SyspartDirectGetSystemPartition@12	; SyspartDirectGetSystemPartition(x,x,x)

loc_7C812D:				; CODE XREF: IoQuerySystemDeviceName+4Bj
					; IoQuerySystemDeviceName+59j
		push	ebx
		push	esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	IopRetrieveSystemDeviceName
		mov	esi, eax
		mov	ebx, 0C0000452h
		cmp	esi, ebx
		jz	loc_8F1681

loc_7C8149:				; CODE XREF: IoQuerySystemDeviceName+129576j
					; IoQuerySystemDeviceName+129584j ...
		pop	esi
		pop	ebx

loc_7C814B:				; CODE XREF: IoQuerySystemDeviceName+52j
		pop	edi
		leave
		retn	8
; 

loc_7C8150:				; CODE XREF: IoQuerySystemDeviceName+12j
		sub	eax, 1
		jz	short loc_7C8168
		sub	eax, 65h
		jnz	short loc_7C8161
		mov	ecx, offset _SyspartDirectGetFirmwareSystemPartition@12	; SyspartDirectGetFirmwareSystemPartition(x,x,x)
		jmp	short loc_7C812D
; 

loc_7C8161:				; CODE XREF: IoQuerySystemDeviceName+44j
		mov	eax, 0C0000003h
		jmp	short loc_7C814B
; 

loc_7C8168:				; CODE XREF: IoQuerySystemDeviceName+3Fj
		mov	ecx, offset _SyspartDirectGetSystemDisk@12 ; SyspartDirectGetSystemDisk(x,x,x)
		jmp	short loc_7C812D
IoQuerySystemDeviceName	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopRetrieveSystemDeviceName proc near	; CODE XREF: IoQuerySystemDeviceName+21p

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F16EF SIZE 00000007 BYTES

		push	1Ch
		push	offset dword_6A3A40
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	[ebp+var_28], ecx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		test	edx, edx
		jz	loc_7C821C
		cmp	[ebp+arg_0], 8
		jbe	loc_7C821C
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jnz	loc_7C823A

loc_7C81AD:				; CODE XREF: IopRetrieveSystemDeviceName+F0j
		mov	edi, [ebp+arg_0]
		add	edi, 0FFFFFFF8h
		lea	eax, [edx+8]
		mov	[ebp+arg_0], eax

loc_7C81B9:				; CODE XREF: IopRetrieveSystemDeviceName+B3j
		mov	ecx, 0FFFFh
		cmp	edi, ecx
		ja	loc_8F16EF

loc_7C81C6:				; CODE XREF: IopRetrieveSystemDeviceName+129581j
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	edi
		push	eax
		call	[ebp+var_28]
		mov	esi, eax
		test	esi, esi
		js	short loc_7C8225
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_1C]
		add	eax, 0FFFFFFFEh
		mov	ecx, [ebp+var_20]
		mov	[ecx], ax
		mov	[ecx+2], di
		mov	eax, [ebp+arg_0]
		mov	[ecx+4], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C81F9:				; CODE XREF: sub_8F1704+Fj
		test	esi, esi
		js	short loc_7C8203
		mov	ebx, [ebp+var_1C]
		add	ebx, 8

loc_7C8203:				; CODE XREF: IopRetrieveSystemDeviceName+8Bj
					; IopRetrieveSystemDeviceName+BBj
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx

loc_7C8208:				; CODE XREF: IopRetrieveSystemDeviceName+C8j
					; IopRetrieveSystemDeviceName+F6j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7C821C:				; CODE XREF: IopRetrieveSystemDeviceName+19j
					; IopRetrieveSystemDeviceName+23j
		mov	edi, ebx
		mov	eax, ebx
		mov	[ebp+arg_0], ebx
		jmp	short loc_7C81B9
; 

loc_7C8225:				; CODE XREF: IopRetrieveSystemDeviceName+63j
		cmp	esi, 0C0000023h
		jnz	short loc_7C8203
		mov	ecx, [ebp+var_1C]
		add	ecx, 8
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		jmp	short loc_7C8208
; 

loc_7C823A:				; CODE XREF: IopRetrieveSystemDeviceName+37j
		mov	esi, ebx
		mov	[ebp+ms_exc.disabled], ebx
		test	dl, 3
		jnz	short loc_7C8268
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	short loc_7C826D

loc_7C824D:				; CODE XREF: IopRetrieveSystemDeviceName+FFj
		mov	al, [edx]
		mov	[edx], al
		mov	al, [edx+4]
		mov	[edx+4], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C825E:				; CODE XREF: sub_8F16D8+12j
		test	esi, esi
		jns	loc_7C81AD
		jmp	short loc_7C8208
; 

loc_7C8268:				; CODE XREF: IopRetrieveSystemDeviceName+D2j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7C826D:				; CODE XREF: IopRetrieveSystemDeviceName+DBj
		mov	[eax], bl
		jmp	short loc_7C824D
IopRetrieveSystemDeviceName endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SyspartDirectGetSystemPartition(x, x, x)
_SyspartDirectGetSystemPartition@12 proc near ;	DATA XREF: IoQuerySystemDeviceName+14o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		mov	ecx, offset _SiGetSystemPartition@8 ; SiGetSystemPartition(x,x)
		push	[ebp+arg_4]
		call	SiGetSystemDeviceName
		pop	ecx
		pop	ebp
		retn	0Ch
_SyspartDirectGetSystemPartition@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SiGetSystemDeviceName proc near		; CODE XREF: SyspartDirectGetSystemPartition(x,x,x)+14p
					; SyspartDirectGetFirmwareSystemPartition(x,x,x)+14p ...

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	18h
		push	offset dword_6A3A68
		call	__SEH_prolog4
		mov	ebx, edx
		mov	esi, ecx
		xor	edi, edi
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		mov	[ebp+var_1C], edi
		call	_SiGetFirmwareType@0 ; SiGetFirmwareType()
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		call	esi
		mov	esi, eax
		test	esi, esi
		js	short loc_7C8305
		mov	ecx, [ebp+var_1C]
		lea	edx, [ecx+2]

loc_7C82C2:				; CODE XREF: SiGetSystemDeviceName+3Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_7C82C2
		sub	ecx, edx
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]
		mov	[ebp+var_24], ecx
		test	ebx, ebx
		jz	short loc_7C8328
		cmp	[ebp+arg_0], ecx
		jb	short loc_7C8328
		mov	esi, edi
		mov	[ebp+ms_exc.disabled], edi
		push	ecx		; size_t
		push	[ebp+var_1C]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C82FD:				; CODE XREF: SiGetSystemDeviceName+9Dj
					; sub_8CA1CE+Fj
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_24]
		mov	[ecx], eax

loc_7C8305:				; CODE XREF: SiGetSystemDeviceName+2Aj
		cmp	[ebp+var_1C], 0
		jz	short loc_7C8314
		push	edi
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C8314:				; CODE XREF: SiGetSystemDeviceName+79j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7C8328:				; CODE XREF: SiGetSystemDeviceName+4Dj
					; SiGetSystemDeviceName+52j
		mov	esi, 0C0000023h
		jmp	short loc_7C82FD
SiGetSystemDeviceName endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiGetFirmwareType()
_SiGetFirmwareType@0 proc near		; CODE XREF: SiGetSystemDeviceName+1Ap

var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_28]
		push	eax
		rep stosd
		push	20h
		lea	eax, [ebp+var_28]
		xor	esi, esi
		push	eax
		push	5Ah
		inc	esi
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_7C836B
		mov	esi, [ebp+var_18]
		cmp	esi, 3
		jge	short loc_7C837B

loc_7C836B:				; CODE XREF: SiGetFirmwareType()+31j
					; SiGetFirmwareType()+4Dj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7C837B:				; CODE XREF: SiGetFirmwareType()+39j
		xor	esi, esi
		jmp	short loc_7C836B
_SiGetFirmwareType@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiGetSystemPartition(x, x)
_SiGetSystemPartition@8	proc near	; DATA XREF: SyspartDirectGetSystemPartition(x,x,x)+Co
					; SyspartGetSystemPartition(x,x,x)+2Ao

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		xor	eax, eax
		xor	ecx, ecx
		push	eax
		push	eax
		push	eax
		mov	edx, offset ??_C@_1CK@LADPALDF@?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AAS?$AAy?$AAs?$AAP?$AAa?$AAr?$AAt?$AAD@NNGAKEGL@ ; "WindowsSysPartDevice"
		inc	ecx
		call	SiGetBootDeviceName
		test	eax, eax
		jns	short loc_7C83A4
		pop	ebp
		jmp	SiGetFirmwareSystemPartition
; 

loc_7C83A4:				; CODE XREF: SiGetSystemPartition(x,x)+1Cj
		pop	ebp
		retn	8
_SiGetSystemPartition@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SiGetFirmwareSystemPartition proc near	; CODE XREF: SiGetSystemPartition(x,x)+1Fj
					; DATA XREF: SyspartDirectGetFirmwareSystemPartition(x,x,x)+Co	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F1718 SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], 1
		push	edi
		mov	[ebp+var_4], esi
		call	_SiIsWinPEBoot@0 ; SiIsWinPEBoot()
		mov	edi, [ebp+arg_4]
		mov	bl, al
		test	bl, bl
		jnz	loc_8F1718
		push	edi
		push	esi
		push	esi
		xor	ecx, ecx
		mov	edx, offset ??_C@_1CG@EEKKLGPP@?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr?$AAe?$AAB?$AAo?$AAo?$AAt?$AAD?$AAe?$AAv@NNGAKEGL@
		push	1
		inc	ecx
		call	SiGetBootDeviceName
		mov	esi, eax
		test	esi, esi
		js	loc_8F1718

loc_7C83ED:				; CODE XREF: SiGetFirmwareSystemPartition+129386j
					; SiGetFirmwareSystemPartition+12938Ej	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
SiGetFirmwareSystemPartition endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SiGetBootDeviceName proc near		; CODE XREF: SiGetSystemPartition(x,x)+15p
					; SiGetFirmwareSystemPartition+36p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F178E SIZE 000000D0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		mov	[esp+28h+var_4], ecx
		mov	eax, edx
		xor	ecx, ecx
		lea	edx, [esp+28h+var_1C]
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+30h+var_14], ecx
		mov	[esp+30h+var_18], ecx
		mov	ebx, ecx
		mov	[esp+30h+var_C], ecx
		mov	[esp+30h+var_8], ecx
		mov	[esp+30h+var_10], ecx
		mov	[esp+30h+var_1C], ecx
		mov	ecx, eax
		mov	[esp+30h+var_20], edi
		call	_SiGetBootDeviceNameFromRegistry@8 ; SiGetBootDeviceNameFromRegistry(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7C8539
		mov	ecx, [esp+30h+var_1C]
		xor	esi, esi
		lea	edx, [ecx+2]

loc_7C844A:				; CODE XREF: SiGetBootDeviceName+5Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_7C844A
		lea	eax, [esp+30h+var_C]
		sub	ecx, edx
		push	eax
		lea	eax, [esp+34h+var_8]
		sar	ecx, 1
		push	eax
		lea	eax, [esp+38h+var_14]
		push	eax
		lea	eax, [esp+3Ch+var_18]
		push	eax
		lea	esi, [ecx+1]
		push	offset ??_C@_1FA@CDDKIFEO@?$AAm?$AAu?$AAl?$AAt?$AAi?$AA?$CI?$AA?$CF?$AAd?$AA?$CJ?$AAd?$AAi?$AAs?$AAk?$AA?$CI?$AA?$CF@NNGAKEGL@
		push	esi
		push	[esp+48h+var_1C]
		call	__snwscanf_s
		add	esp, 1Ch
		cmp	eax, 4
		jnz	loc_8F178E
		cmp	[esp+30h+var_18], ebx
		jnz	loc_8F1846
		cmp	[esp+30h+var_14], ebx
		jnz	loc_8F1846
		add	esi, 0Ah
		push	4B505953h
		lea	eax, [esi+esi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8F1798
		push	[esp+30h+var_1C]
		push	offset ??_C@_1BE@HOPMDIJK@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2@NNGAKEGL@
		push	offset ??_C@_19LJDFFCJJ@?$AA?$CF?$AAs?$AA?$CF?$AAs@NNGAKEGL@ ; "%s%s"
		push	esi
		push	ebx
		call	_swprintf_s
		add	esp, 14h
		lea	edx, [esp+30h+var_20]
		mov	ecx, ebx
		call	SiTranslateSymbolicLink
		mov	esi, eax
		test	esi, esi
		js	short loc_7C8557
		cmp	[ebp+arg_0], 0
		mov	edi, [esp+30h+var_20]
		jz	short loc_7C8508
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		push	ecx
		push	ecx
		mov	ecx, edi
		call	SiValidateSystemPartition
		mov	esi, eax
		test	esi, esi
		js	loc_8F17F5

loc_7C8508:				; CODE XREF: SiGetBootDeviceName+F7j
		cmp	[esp+30h+var_4], 0
		jz	loc_8F17A2

loc_7C8513:				; CODE XREF: SiGetBootDeviceName+12944Bj
		mov	eax, [ebp+arg_C]
		mov	[eax], edi

loc_7C8518:				; CODE XREF: SiGetBootDeviceName+129455j
		test	esi, esi
		js	loc_8F17F5

loc_7C8520:				; CODE XREF: SiGetBootDeviceName+129401j
					; SiGetBootDeviceName+129410j
		test	ebx, ebx
		jz	short loc_7C852D
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C852D:				; CODE XREF: SiGetBootDeviceName+12Cj
		mov	eax, [esp+30h+var_10]
		test	eax, eax
		jnz	loc_8F1850

loc_7C8539:				; CODE XREF: SiGetBootDeviceName+45j
					; SiGetBootDeviceName+12939Dj ...
		xor	ebx, ebx

loc_7C853B:				; CODE XREF: SiGetBootDeviceName+129463j
		cmp	[esp+30h+var_1C], 0
		jz	short loc_7C854C
		push	ebx
		push	[esp+34h+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C854C:				; CODE XREF: SiGetBootDeviceName+14Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7C8557:				; CODE XREF: SiGetBootDeviceName+EDj
					; SiGetBootDeviceName+129441j
		mov	edi, [esp+30h+var_20]
		jmp	loc_8F17F5
SiGetBootDeviceName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiGetBootDeviceNameFromRegistry(x, x)
_SiGetBootDeviceNameFromRegistry@8 proc	near ; CODE XREF: SiGetBootDeviceName+3Cp
					; SiIsWinPeHardDiskZeroUfdBoot()+4Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	ebx, edx
		push	eax
		push	ecx
		push	(offset	loc_8C7FB5+1)
		mov	edx, ecx
		call	_SiGetRegistryValue@24 ; SiGetRegistryValue(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7C85A1
		cmp	[ebp+var_4], 4
		jb	short loc_7C85A8
		mov	esi, [ebp+var_8]
		push	esi		; wchar_t *
		call	__wcslwr
		pop	ecx
		mov	[ebx], esi

loc_7C85A1:				; CODE XREF: SiGetBootDeviceNameFromRegistry(x,x)+2Dj
					; SiGetBootDeviceNameFromRegistry(x,x)+4Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7C85A8:				; CODE XREF: SiGetBootDeviceNameFromRegistry(x,x)+33j
		mov	edi, 0C0000001h
		jmp	short loc_7C85A1
_SiGetBootDeviceNameFromRegistry@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiGetRegistryValue(x, x, x,	x, x, x)
_SiGetRegistryValue@24 proc near	; CODE XREF: SiGetBootDeviceNameFromRegistry(x,x)+24p
					; SiIsWinPEBoot()+25p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[eax], esi
		mov	ebx, esi
		mov	eax, [ebp+arg_C]
		push	edi
		push	edx
		mov	edi, esi
		mov	[esp+24h+var_C], esi
		mov	[eax], esi
		lea	eax, [esp+24h+var_8]
		push	eax
		mov	[esp+28h+var_14], esi
		mov	[esp+28h+var_8], esi
		mov	[esp+28h+var_4], esi
		mov	[esp+28h+var_10], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_7C860F
		lea	eax, [esp+20h+var_10]
		push	eax
		push	ecx
		call	SiOpenRegistryKey
		mov	edi, [esp+20h+var_10]
		mov	esi, eax
		test	esi, esi
		js	loc_7C86AD
		xor	esi, esi

loc_7C860F:				; CODE XREF: SiGetRegistryValue(x,x,x,x,x,x)+42j
		lea	eax, [esp+20h+var_14]
		push	eax
		push	esi
		push	esi
		push	2
		lea	eax, [esp+30h+var_8]
		push	eax
		push	edi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_7C86CE
		push	4B505953h
		push	[esp+24h+var_14]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_7C86D9
		lea	eax, [esp+20h+var_C]
		push	eax
		push	[esp+24h+var_14]
		lea	eax, [esp+28h+var_8]
		push	ebx
		push	2
		push	eax
		push	edi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7C86AD
		cmp	dword ptr [ebx+4], 1
		jnz	short loc_7C86E0
		mov	eax, [esp+20h+var_14]
		sub	eax, 0Ch
		push	4B505953h
		push	eax
		push	1
		mov	[esp+2Ch+var_14], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		test	ecx, ecx
		jz	short loc_7C86D9
		push	[esp+20h+var_14] ; size_t
		lea	eax, [ebx+0Ch]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_C]
		add	esp, 0Ch
		mov	eax, [esp+20h+var_14]
		xor	esi, esi
		mov	[ecx], eax

loc_7C86AD:				; CODE XREF: SiGetRegistryValue(x,x,x,x,x,x)+57j
					; SiGetRegistryValue(x,x,x,x,x,x)+B6j ...
		test	edi, edi
		jz	short loc_7C86B7
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_7C86B7:				; CODE XREF: SiGetRegistryValue(x,x,x,x,x,x)+FFj
		test	ebx, ebx
		jz	short loc_7C86C3
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C86C3:				; CODE XREF: SiGetRegistryValue(x,x,x,x,x,x)+109j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7C86CE:				; CODE XREF: SiGetRegistryValue(x,x,x,x,x,x)+7Bj
		test	esi, esi
		js	short loc_7C86AD
		mov	esi, 0C0000001h
		jmp	short loc_7C86AD
; 

loc_7C86D9:				; CODE XREF: SiGetRegistryValue(x,x,x,x,x,x)+95j
					; SiGetRegistryValue(x,x,x,x,x,x)+DFj
		mov	esi, 0C000009Ah
		jmp	short loc_7C86AD
; 

loc_7C86E0:				; CODE XREF: SiGetRegistryValue(x,x,x,x,x,x)+BCj
		mov	esi, 0C0000024h
		jmp	short loc_7C86AD
_SiGetRegistryValue@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SiOpenRegistryKey proc near		; CODE XREF: SiGetRegistryValue(x,x,x,x,x,x)+4Ap

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F185E SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		xor	esi, esi
		lea	eax, [ebp+var_C]
		push	edx
		push	eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		mov	[ebp+var_24], 18h
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_20], esi
		push	eax
		mov	[ebp+var_18], 240h
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8F185E
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		mov	[edx], ecx

loc_7C8747:				; CODE XREF: SiOpenRegistryKey+12917Aj
					; SiOpenRegistryKey+129188j
		mov	eax, esi
		pop	esi
		leave
		retn	8
SiOpenRegistryKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiGetDiskPartitionInformation(x, x)
_SiGetDiskPartitionInformation@8 proc near ; CODE XREF:	SiValidateSystemPartition+3Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, edx
		lea	edx, [ebp+var_4]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_SiOpenDevice@8	; SiOpenDevice(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7C8792
		push	90h
		push	edi
		push	ebx
		push	ebx
		push	70048h
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_4]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_7C8792:				; CODE XREF: SiGetDiskPartitionInformation(x,x)+24j
		cmp	[ebp+var_4], ebx
		jz	short loc_7C879F
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_7C879F:				; CODE XREF: SiGetDiskPartitionInformation(x,x)+47j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SiGetDiskPartitionInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiOpenDevice(x, x)
_SiOpenDevice@8	proc near		; CODE XREF: SiGetDiskPartitionInformation(x,x)+1Bp
					; SiGetDeviceNumberInformation(x,x,x)+35p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		mov	esi, edx
		lea	eax, [ebp+var_8]
		xor	edi, edi
		push	ecx
		push	eax
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		mov	[esi], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	20h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_28], 18h
		push	3
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], edi
		push	eax
		push	80100000h
		push	esi
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn
_SiOpenDevice@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SiTranslateSymbolicLink	proc near	; CODE XREF: SiGetBootDeviceName+E4p
					; SiGetFirmwareSystemPartition+1293C8p	...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F1875 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [esp+40h+var_20]
		push	ecx
		push	eax
		mov	ebx, edx
		mov	[esp+48h+var_20], esi
		mov	[esp+48h+var_1C], esi
		mov	[esp+48h+var_28], esi
		mov	[esp+48h+var_24], esi
		mov	[esp+48h+var_30], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+40h+var_20]
		mov	[esp+40h+var_18], 18h
		mov	[esp+40h+var_10], eax
		lea	eax, [esp+40h+var_18]
		push	eax
		push	1
		lea	eax, [esp+48h+var_30]
		mov	[esp+48h+var_14], esi
		push	eax
		mov	[esp+4Ch+var_C], 240h
		mov	[esp+4Ch+var_8], esi
		mov	[esp+4Ch+var_4], esi
		call	_ZwOpenSymbolicLinkObject@12 ; ZwOpenSymbolicLinkObject(x,x,x)
		test	eax, eax
		js	loc_7C892A
		push	esi
		lea	eax, [esp+44h+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edi, esi
		mov	[esp+40h+var_2C], esi

loc_7C8883:				; CODE XREF: SiTranslateSymbolicLink+105j
					; SiTranslateSymbolicLink+157j
		lea	eax, [esp+40h+var_2C]
		push	eax
		lea	eax, [esp+44h+var_28]
		push	eax
		push	[esp+48h+var_30]
		call	_ZwQuerySymbolicLinkObject@12 ;	ZwQuerySymbolicLinkObject(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_7C8931
		push	[esp+40h+var_30]
		call	_ZwClose@4	; ZwClose(x)
		and	[esp+40h+var_30], 0
		mov	eax, [esp+40h+var_24]
		test	esi, esi
		js	loc_8F189C
		movzx	ecx, word ptr [esp+40h+var_28]
		xor	edx, edx
		shr	ecx, 1
		xor	esi, esi
		mov	[eax+ecx*2], dx
		lea	eax, [esp+40h+var_28]
		mov	[esp+40h+var_10], eax
		lea	eax, [esp+40h+var_18]
		push	eax
		push	1
		lea	eax, [esp+48h+var_30]
		mov	word ptr [esp+48h+var_28+2], di
		push	eax
		mov	[esp+4Ch+var_18], 18h
		mov	[esp+4Ch+var_14], esi
		mov	[esp+4Ch+var_C], 240h
		mov	[esp+4Ch+var_8], esi
		mov	[esp+4Ch+var_4], esi
		call	_ZwOpenSymbolicLinkObject@12 ; ZwOpenSymbolicLinkObject(x,x,x)
		test	eax, eax
		jns	loc_7C8883
		mov	eax, [esp+40h+var_24]
		mov	[ebx], eax

loc_7C8915:				; CODE XREF: SiTranslateSymbolicLink+162j
		cmp	[esp+40h+var_30], 0
		jnz	loc_8F1885

loc_7C8920:				; CODE XREF: SiTranslateSymbolicLink+129093j
		test	esi, esi
		js	loc_8F189C

loc_7C8928:				; CODE XREF: SiTranslateSymbolicLink+12909Aj
					; SiTranslateSymbolicLink+1290A8j
		mov	eax, esi

loc_7C892A:				; CODE XREF: SiTranslateSymbolicLink+68j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7C8931:				; CODE XREF: SiTranslateSymbolicLink+9Aj
		cmp	[esp+40h+var_24], 0
		jnz	loc_8F1875

loc_7C893C:				; CODE XREF: SiTranslateSymbolicLink+12907Cj
		mov	eax, [esp+40h+var_2C]
		push	4B505953h
		mov	word ptr [esp+44h+var_28+2], ax
		lea	edi, [eax+2]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+40h+var_24], eax
		test	eax, eax
		jnz	loc_7C8883
		mov	esi, 0C000009Ah
		jmp	short loc_7C8915
SiTranslateSymbolicLink	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiIsWinPEBoot()
_SiIsWinPEBoot@0 proc near		; CODE XREF: SiGetFirmwareSystemPartition+17p
					; SiGetSystemDisk(x,x)+16p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		mov	edx, offset ??_C@_1CG@BLIBLCJE@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAt?$AAa?$AAr?$AAt?$AAO?$AAp?$AAt?$AAi@NNGAKEGL@
		push	ebx
		push	eax
		lea	eax, [ebp+var_4]
		xor	bl, bl
		push	eax
		push	ecx
		push	(offset	loc_8C7FB5+1)
		call	_SiGetRegistryValue@24 ; SiGetRegistryValue(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7C89B3
		push	(offset	loc_8C801B+1) ;	wchar_t	*
		push	[ebp+var_4]	; wchar_t *
		call	_wcsstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_7C89B8

loc_7C89A9:				; CODE XREF: SiIsWinPEBoot()+52j
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7C89B3:				; CODE XREF: SiIsWinPEBoot()+2Cj
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_7C89B8:				; CODE XREF: SiIsWinPEBoot()+3Fj
		mov	bl, 1
		jmp	short loc_7C89A9
_SiIsWinPEBoot@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsConvertToGuiThread proc near		; CODE XREF: _KiEndUnexpectedRange+7p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

; FUNCTION CHUNK AT 008F18B1 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	byte ptr [esp+28h+var_18], 0
		cmp	byte ptr [esi+15Ah], 0
		jz	loc_8F18B1
		cmp	dword ptr [esi+3Ch], offset _KeServiceDescriptorTable
		jnz	loc_8F18BB
		mov	ebx, [esi+80h]
		mov	eax, [ebx+490h]
		mov	edi, eax
		mov	[esp+28h+var_14], eax
		and	eax, 2000h
		and	edi, 1000h
		jnz	loc_8F18C5
		test	eax, eax
		jnz	loc_8F18C5

loc_7C8A1B:				; CODE XREF: PsConvertToGuiThread+128F1Aj
		lea	eax, [esp+28h+var_18]
		mov	[esp+28h+var_10], ebx
		xor	edi, edi
		push	eax
		inc	edi
		push	ebx
		mov	[esp+30h+var_C], edi
		call	_PsQuerySectionSignatureInformation@8 ;	PsQuerySectionSignatureInformation(x,x)
		test	eax, eax
		js	short loc_7C8A57
		mov	eax, dword_6BEA40
		test	eax, eax
		jz	short loc_7C8AB8
		push	0Ch
		push	[esp+2Ch+var_18]
		call	eax
		mov	edi, [esp+30h+var_14]

loc_7C8A4A:				; CODE XREF: PsConvertToGuiThread+FEj
		add	eax, eax
		xor	eax, edi
		and	eax, 2
		xor	edi, eax
		mov	[esp+30h+var_14], edi

loc_7C8A57:				; CODE XREF: PsConvertToGuiThread+77j
		lea	eax, [esp+30h+var_18]
		push	eax
		call	_MmSessionGetWin32Callouts@0 ; MmSessionGetWin32Callouts()
		xor	edx, edx
		mov	ecx, eax
		call	_ExCallCallBack@12 ; ExCallCallBack(x,x,x)
		test	eax, eax
		js	short loc_7C8AAA
		test	[esp+30h+var_1C], 0C000h
		mov	eax, offset _KeServiceDescriptorTableShadow
		jnz	short loc_7C8AB1

loc_7C8A7D:				; CODE XREF: PsConvertToGuiThread+FAj
		mov	[esi+3Ch], eax
		lea	eax, [esp+30h+var_10]
		and	[esp+30h+var_C], 0
		push	eax
		mov	[esp+34h+var_10], esi
		call	_MmSessionGetWin32Callouts@0 ; MmSessionGetWin32Callouts()
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	_ExCallCallBack@12 ; ExCallCallBack(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7C8ABC

loc_7C8AA3:				; CODE XREF: PsConvertToGuiThread+107j
		call	_SeCaptureAtomTableCallout@0 ; SeCaptureAtomTableCallout()
		mov	eax, edi

loc_7C8AAA:				; CODE XREF: PsConvertToGuiThread+B0j
					; PsConvertToGuiThread+128EFAj	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7C8AB1:				; CODE XREF: PsConvertToGuiThread+BFj
		mov	eax, offset _KeServiceDescriptorTableFilter
		jmp	short loc_7C8A7D
; 

loc_7C8AB8:				; CODE XREF: PsConvertToGuiThread+80j
		xor	eax, eax
		jmp	short loc_7C8A4A
; 

loc_7C8ABC:				; CODE XREF: PsConvertToGuiThread+E5j
		mov	dword ptr [esi+3Ch], offset _KeServiceDescriptorTable
		jmp	short loc_7C8AA3
PsConvertToGuiThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsQuerySectionSignatureInformation(x, x)
_PsQuerySectionSignatureInformation@8 proc near	; CODE XREF: PsConvertToGuiThread+70p
					; DATA XREF: .text:004037E0o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_0]
		cmp	ecx, [eax+150h]
		jnz	short loc_7C8AFE
		mov	ecx, [ecx+15Ch]
		test	ecx, ecx
		jz	short loc_7C8B05
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	eax, [eax]
		mov	cl, [eax+0Bh]
		mov	eax, [ebp+arg_4]
		shr	cl, 4
		mov	[eax], cl
		xor	eax, eax

loc_7C8AFA:				; CODE XREF: PsQuerySectionSignatureInformation(x,x)+3Dj
					; PsQuerySectionSignatureInformation(x,x)+44j
		pop	ebp
		retn	8
; 

loc_7C8AFE:				; CODE XREF: PsQuerySectionSignatureInformation(x,x)+14j
		mov	eax, 0C00000BBh
		jmp	short loc_7C8AFA
; 

loc_7C8B05:				; CODE XREF: PsQuerySectionSignatureInformation(x,x)+1Ej
		mov	eax, 0C0000001h
		jmp	short loc_7C8AFA
_PsQuerySectionSignatureInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpDereferenceKeyControlBlockUnsafe proc near
					; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+22Ep
					; CmpFreezeHive(x,x)+4Bp ...

; FUNCTION CHUNK AT 008F18E6 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		dec	eax
		jz	loc_8F18E6
		leave
		retn
CmpDereferenceKeyControlBlockUnsafe endp


;  S U B	R O U T	I N E 


SeObjectCreateSaclAccessBits proc near	; CODE XREF: ObOpenObjectByNameEx+545p
					; ObInsertObjectEx(x,x,x,x,x,x,x)+3AEp	...
		mov	edx, ecx
		push	esi
		push	edi
		movzx	eax, word ptr [edx+2]
		mov	ecx, eax
		test	al, 10h
		jz	short loc_7C8B73
		test	cx, cx
		mov	ecx, [edx+0Ch]
		jns	short loc_7C8B41
		lea	eax, [ecx+edx]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_7C8B41:				; CODE XREF: SeObjectCreateSaclAccessBits+14j
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_7C8B73
		lea	esi, [ecx+8]
		mov	edi, edx
		movzx	ecx, word ptr [ecx+4]
		test	ecx, ecx
		jz	short loc_7C8B65

loc_7C8B54:				; CODE XREF: SeObjectCreateSaclAccessBits+41j
		mov	al, [esi]
		cmp	al, 11h
		jnz	short loc_7C8B6A

loc_7C8B5A:				; CODE XREF: SeObjectCreateSaclAccessBits+4Aj
					; CmpDereferenceKeyControlBlockUnsafe+128DEBj ...
		movzx	eax, word ptr [esi+2]
		inc	edi
		add	esi, eax
		cmp	edi, ecx
		jb	short loc_7C8B54

loc_7C8B65:				; CODE XREF: SeObjectCreateSaclAccessBits+30j
					; SeObjectCreateSaclAccessBits+56j
		pop	edi
		mov	eax, edx
		pop	esi
		retn
; 

loc_7C8B6A:				; CODE XREF: SeObjectCreateSaclAccessBits+36j
		cmp	al, 14h
		jz	short loc_7C8B5A
		jmp	loc_8F18F5
; 

loc_7C8B73:				; CODE XREF: SeObjectCreateSaclAccessBits+Cj
					; SeObjectCreateSaclAccessBits+23j ...
		mov	edx, 1000000h
		jmp	short loc_7C8B65
SeObjectCreateSaclAccessBits endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmQueryFeatureConfigurationSections proc near ;	CODE XREF: PAGE:0078230Ep

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_5C		= dword	ptr -5Ch
var_4C		= dword	ptr -4Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F190A SIZE 0000000A BYTES
; FUNCTION CHUNK AT 008F194B SIZE 0000000E BYTES

		push	70h
		push	offset dword_6A3A88
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	edi, ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_78], eax
		mov	ebx, [ebp+arg_8]
		push	38h		; size_t
		push	0		; int
		lea	eax, [ebp+var_5C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	esi, 18h
		jnz	loc_8F190A
		and	[ebp+ms_exc.disabled], 0
		push	6
		pop	ecx
		mov	esi, edi
		lea	edi, [ebp+var_74]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	38h
		pop	eax
		cmp	[ebp+arg_4], eax
		jnz	short loc_7C8C39
		push	[ebp+arg_C]
		lea	eax, [ebp+var_5C]
		push	eax
		lea	edx, [ebp+var_74]
		call	CmFcManagerQueryFeatureConfigurationSectionInformation
		mov	esi, eax
		test	esi, esi
		js	short loc_7C8C0D
		mov	[ebp+ms_exc.disabled], 1
		push	0Eh
		pop	ecx
		lea	esi, [ebp+var_5C]
		mov	edi, [ebp+var_78]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	38h
		pop	eax
		mov	[ebx], eax
		push	eax		; size_t
		push	0		; int
		lea	eax, [ebp+var_5C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	esi, esi

loc_7C8C0D:				; CODE XREF: CmQueryFeatureConfigurationSections+62j
					; CmQueryFeatureConfigurationSections+C6j ...
		lea	edi, [ebp+var_4C]
		push	3
		pop	ebx

loc_7C8C13:				; CODE XREF: CmQueryFeatureConfigurationSections+A9j
		mov	eax, [edi]
		test	eax, eax
		jnz	loc_8F194B

loc_7C8C1D:				; CODE XREF: CmQueryFeatureConfigurationSections+128DDAj
		add	edi, 10h
		sub	ebx, 1
		jnz	short loc_7C8C13
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7C8C39:				; CODE XREF: CmQueryFeatureConfigurationSections+4Dj
		mov	esi, 0C0000004h
		mov	[ebx], eax
		jmp	short loc_7C8C0D
CmQueryFeatureConfigurationSections endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmFcManagerQueryFeatureConfigurationSectionInformation proc near
					; CODE XREF: CmQueryFeatureConfigurationSections+59p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 008F1959 SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_50], eax
		lea	edi, [ebp+var_10]
		xor	eax, eax
		xor	esi, esi
		stosd
		mov	ebx, edx
		push	30h		; size_t
		push	esi		; int
		stosd
		stosd
		lea	eax, [ebp+var_40]
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6CE124
		call	ExAcquirePushLockSharedEx
		mov	eax, dword_6CE12C
		mov	edi, esi
		mov	[ebp+var_54], eax
		mov	eax, dword_6CE130
		mov	[ebp+var_58], eax

loc_7C8CA4:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+8Bj
		mov	eax, [ebx+4]
		lea	edx, dword_6CE138[edi]
		cmp	eax, [edx+4]
		jb	short loc_7C8CBA
		ja	short loc_7C8CC4
		mov	eax, [ebx]
		cmp	eax, [edx]
		jnb	short loc_7C8CC4

loc_7C8CBA:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+6Ej
		lea	ecx, [ebp+var_40]
		add	ecx, edi
		call	_CmFcpCopySectionState@8 ; CmFcpCopySectionState(x,x)

loc_7C8CC4:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+70j
					; CmFcManagerQueryFeatureConfigurationSectionInformation+76j
		add	edi, 10h
		add	ebx, 8
		cmp	edi, 30h
		jb	short loc_7C8CA4
		push	11h
		xor	edx, edx
		mov	edi, offset unk_6CE124
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	loc_7C8DB0

loc_7C8CE6:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+175j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edx, esi
		mov	[ebp+var_4C], esi
		cmp	[ebp+arg_4], dl
		jz	loc_8F1959

loc_7C8D07:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+128D1Fj
		mov	eax, esi
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_44], eax
		lea	edi, [ebp+var_38]
		mov	[ebp+var_48], ecx

loc_7C8D15:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+F0j
		mov	ebx, [edi]
		test	ebx, ebx
		jnz	loc_8F1966

loc_7C8D1F:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+128D48j
		mov	edx, [ebp+var_4C]
		inc	eax
		add	ecx, 4
		mov	[ebp+var_44], eax
		add	edi, 10h
		mov	[ebp+var_48], ecx
		cmp	eax, 3
		jb	short loc_7C8D15
		mov	ebx, [ebp+var_50]
		push	38h		; size_t
		push	esi		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+var_54]
		lea	edi, [ebp+var_34]
		mov	[ebx], eax
		lea	ecx, [ebx+14h]
		mov	eax, [ebp+var_58]
		add	esp, 0Ch
		mov	[ebx+4], eax
		mov	edx, esi

loc_7C8D56:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+139j
		mov	eax, [edi-0Ch]
		mov	[ecx-0Ch], eax
		mov	eax, [edi-8]
		mov	[ecx-8], eax
		mov	eax, [edi]
		lea	edi, [edi+10h]
		mov	[ecx], eax
		lea	ecx, [ecx+10h]
		mov	eax, [ebp+edx*4+var_10]
		mov	[ebp+edx*4+var_10], esi
		inc	edx
		mov	[ecx-14h], eax
		cmp	edx, 3
		jb	short loc_7C8D56
		mov	ebx, esi

loc_7C8D7F:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+128D3Cj
		lea	edi, [ebp+var_38]

loc_7C8D82:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+159j
		mov	ecx, [edi]
		test	ecx, ecx
		jnz	short loc_7C8DBC

loc_7C8D88:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+17Fj
		mov	eax, [ebp+esi*4+var_10]
		test	eax, eax
		jnz	loc_8F198F

loc_7C8D94:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+128D56j
		inc	esi
		add	edi, 10h
		cmp	esi, 3
		jb	short loc_7C8D82
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_7C8DB0:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+9Ej
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_7C8CE6
; 

loc_7C8DBC:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+144j
		call	ObfDereferenceObject
		jmp	short loc_7C8D88
CmFcManagerQueryFeatureConfigurationSectionInformation endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmFcpCopySectionState(x, x)
_CmFcpCopySectionState@8 proc near	; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+7Dp
					; CmFcManagerStartRuntimePhase(x)+E4p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		movsd
		movsd
		movsd
		movsd
		mov	ecx, [ecx+8]
		pop	edi
		pop	esi
		test	ecx, ecx
		jnz	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		retn
_CmFcpCopySectionState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpRegisterCallbackInternal proc near	; CODE XREF: CmRegisterInternalCallback(x,x,x,x,x,x)+1Ap
					; CmRegisterCallback(x,x,x)+17p ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F199D SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	62634D43h
		push	30h
		push	1
		mov	edi, edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8F199D
		push	30h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		lea	eax, [esi+28h]
		mov	[esi+18h], edi
		mov	edi, [ebp+arg_0]
		add	esp, 0Ch
		mov	[eax+4], eax
		mov	[eax], eax
		movzx	eax, [ebp+arg_8]
		xor	eax, [esi+0Ch]
		and	eax, 1
		mov	[esi+4], esi
		xor	[esi+0Ch], eax
		mov	[esi], esi
		mov	dword ptr [esi+8], 0
		mov	[esi+1Ch], ebx
		movzx	eax, word ptr [edi]
		mov	[esi+22h], ax
		mov	[esi+20h], ax
		movzx	eax, word ptr [edi]
		push	61634D43h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esi+24h], ecx
		test	ecx, ecx
		jz	loc_8F19A7
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		push	ecx		; void *
		call	_memcpy
		mov	dl, [ebp+arg_4]
		add	esp, 0Ch
		mov	ecx, esi
		call	CmpInsertCallbackInListByAltitude
		mov	edx, [ebp+arg_C]
		mov	edi, eax
		mov	ecx, [esi+10h]
		mov	[edx], ecx
		mov	ecx, [esi+14h]
		mov	[edx+4], ecx
		test	edi, edi
		js	loc_8F19AC

loc_7C8E93:				; CODE XREF: CmpRegisterCallbackInternal+128BE5j
		mov	eax, edi

loc_7C8E95:				; CODE XREF: CmpRegisterCallbackInternal+128BC4j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
CmpRegisterCallbackInternal endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInsertCallbackInListByAltitude proc near ; CODE XREF: CmpRegisterCallbackInternal+98p

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 008F19C8 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_1], dl
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		push	edi
		nop
		xor	edx, edx
		mov	ecx, offset _CmpCallbackListLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, _CmpCallbackCookie
		add	eax, 1
		mov	_CmpCallbackCookie, eax
		adc	dword_6CE374, ebx
		mov	[esi+10h], eax
		mov	eax, dword_6CE374
		mov	[esi+14h], eax
		mov	edi, _CallbackListHead
		cmp	edi, offset _CallbackListHead
		jnz	short loc_7C8F2C

loc_7C8EF2:				; CODE XREF: CmpInsertCallbackInListByAltitude+B6j
					; CmpInsertCallbackInListByAltitude+128B39j
		mov	eax, [edi+4]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_7C8F59
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[ecx+4], esi
		mov	[eax], esi
		lock inc _CmpCallBackCount

loc_7C8F0D:				; CODE XREF: CmpInsertCallbackInListByAltitude+128B44j
		xor	edx, edx
		mov	ecx, offset _CmpCallbackListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_7C8F2C:				; CODE XREF: CmpInsertCallbackInListByAltitude+54j
		lea	ecx, [esi+20h]

loc_7C8F2F:				; CODE XREF: CmpInsertCallbackInListByAltitude+B2j
		push	ecx
		lea	eax, [edi+20h]
		push	eax
		call	RtlCompareAltitudes
		test	eax, eax
		jz	loc_8F19C8
		js	short loc_7C8F50

loc_7C8F43:				; CODE XREF: CmpInsertCallbackInListByAltitude+128B31j
		mov	edi, [edi]
		lea	ecx, [esi+20h]
		cmp	edi, offset _CallbackListHead
		jnz	short loc_7C8F2F

loc_7C8F50:				; CODE XREF: CmpInsertCallbackInListByAltitude+A5j
		test	eax, eax
		jnz	short loc_7C8EF2
		jmp	loc_8F19D2
; 

loc_7C8F59:				; CODE XREF: CmpInsertCallbackInListByAltitude+5Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
CmpInsertCallbackInListByAltitude endp	; AL = character to display


CcCreateVacbArray:			; CODE XREF: CcInitializeCacheMapEx+874p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	dword ptr [ebp-10h], 0
		and	dword ptr [ebp-0Ch], 0
		mov	eax, [ebp+0Ch]
		push	ebx
		mov	ebx, ecx
		mov	[ebp-18h], ebx
		push	esi
		push	edi
		mov	edi, [ebp+8]
		test	eax, eax
		jnz	loc_8F19E5
		cmp	edi, 100000h
		ja	short loc_7C8FDE
		push	10h
		pop	esi

loc_7C8F8F:				; CODE XREF: PAGE:008F19E8j
		mov	ecx, esi
		mov	[ebp-4], ecx
		test	eax, eax
		js	loc_8F19ED

loc_7C8F9C:				; CODE XREF: PAGE:007C8FEBj
		cmp	esi, 10h
		jnz	short loc_7C8FED
		lea	edi, [ebx+30h]

loc_7C8FA4:				; CODE XREF: PAGE:007C9017j
		push	dword ptr [ebp-4]
		push	0
		push	edi
		call	_memset
		add	esp, 0Ch
		cmp	dword ptr [ebp-0Ch], 0
		jnz	loc_7C9079

loc_7C8FBC:				; CODE XREF: PAGE:007C9085j
		cmp	dword ptr [ebp-10h], 0
		jnz	loc_7C90B4

loc_7C8FC6:				; CODE XREF: PAGE:007C90BDj
					; PAGE:007C90DFj
		mov	eax, [ebp+8]
		mov	[ebx+18h], eax
		mov	eax, [ebp+0Ch]
		mov	[ebx+1Ch], eax
		xor	eax, eax
		mov	[ebx+40h], edi

loc_7C8FD7:				; CODE XREF: PAGE:008F19F2j
					; PAGE:008F1A0Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7C8FDE:				; CODE XREF: PAGE:007C8F8Aj
		mov	esi, edi
		shr	esi, 12h
		shl	esi, 2
		mov	ecx, esi
		mov	[ebp-4], ecx
		jmp	short loc_7C8F9C
; 

loc_7C8FED:				; CODE XREF: PAGE:007C8F9Fj
		mov	edx, 200h
		cmp	esi, edx
		ja	short loc_7C901E
		test	[ebx+60h], edx
		jnz	loc_7C908A

loc_7C8FFF:				; CODE XREF: PAGE:007C908Cj
					; PAGE:007C909Aj ...
		cmp	ecx, edx
		jz	loc_8F19F7

loc_7C9007:				; CODE XREF: PAGE:007C906Cj
					; PAGE:007C9077j ...
		push	70566343h
		push	esi
		push	edx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_7C8FA4
		jmp	loc_8F1A06
; 

loc_7C901E:				; CODE XREF: PAGE:007C8FF4j
		mov	ebx, [ebp+0Ch]
		mov	esi, 208h
		xor	eax, eax
		mov	[ebp-14h], esi
		push	19h
		pop	ecx
		mov	[ebp-4], edx
		mov	esi, eax
		mov	dword ptr [ebp-0Ch], 1

loc_7C903A:				; CODE XREF: PAGE:007C9052j
					; PAGE:007C9056j
		xor	eax, eax
		add	ecx, 7
		inc	eax
		mov	[ebp-8], ecx
		xor	edx, edx
		inc	esi
		call	__allshl
		mov	ecx, [ebp-8]
		cmp	ebx, edx
		jl	short loc_7C9058
		jg	short loc_7C903A
		cmp	edi, eax
		ja	short loc_7C903A

loc_7C9058:				; CODE XREF: PAGE:007C9050j
		cmp	esi, _CcMaxVacbLevelsSeen
		mov	edx, 200h
		mov	ebx, [ebp-18h]
		mov	[ebp-8], esi
		mov	esi, [ebp-14h]
		jb	short loc_7C9007
		mov	eax, [ebp-8]
		inc	eax
		mov	_CcMaxVacbLevelsSeen, eax
		jmp	short loc_7C9007
; 

loc_7C9079:				; CODE XREF: PAGE:007C8FB6j
		sub	esi, 8
		and	dword ptr [esi+edi], 0
		and	dword ptr [esi+edi+4], 0
		jmp	loc_7C8FBC
; 

loc_7C908A:				; CODE XREF: PAGE:007C8FF9j
		test	eax, eax
		jl	loc_7C8FFF
		jg	short loc_7C90A0
		cmp	edi, 200000h
		jbe	loc_7C8FFF

loc_7C90A0:				; CODE XREF: PAGE:007C9092j
		lea	eax, [esi+7]
		mov	dword ptr [ebp-10h], 1
		and	eax, 0FFFFFFF8h
		add	esi, eax
		jmp	loc_7C8FFF
; 

loc_7C90B4:				; CODE XREF: PAGE:007C8FC0j
		mov	eax, [ebp-4]
		add	esi, edi
		add	eax, edi
		cmp	eax, esi
		jnb	loc_7C8FC6
		lea	edx, [ebx+10h]
		mov	ecx, [edx]

loc_7C90C8:				; CODE XREF: PAGE:007C90E8j
		mov	[ebp-18h], eax
		cmp	[ecx+4], edx
		jnz	short loc_7C90EA
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[ecx+4], eax
		mov	[edx], eax
		add	eax, 8
		cmp	eax, esi
		jnb	loc_7C8FC6
		mov	ecx, [ebp-18h]
		jmp	short loc_7C90C8
; 

loc_7C90EA:				; CODE XREF: PAGE:007C90CEj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		dd 0CCCCCCCCh
; Exported entry 221. CcPreparePinWrite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CcPreparePinWrite
CcPreparePinWrite proc near

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008F1A13 SIZE 00000053 BYTES

		push	30h
		push	offset dword_6A3AB0
		call	__SEH_prolog4
		and	[ebp+var_24], 0
		xor	edx, edx
		mov	[ebp+var_40], edx
		and	[ebp+var_3C], edx
		mov	ebx, [ebp+arg_4]
		mov	ecx, [ebx]
		mov	[ebp+var_38], ecx
		mov	eax, [ebx+4]
		mov	[ebp+var_34], eax
		xor	eax, eax
		mov	[ebp+var_20], eax
		lea	edi, [ebp+var_20]
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_30], esi
		mov	[ebp+var_19], al
		test	byte ptr [ebp+arg_10], 20h
		jz	short loc_7C9156
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	esi
		mov	edx, ebx
		mov	ecx, [ebp+arg_0]
		call	CcMapDataForOverwrite
		mov	al, 1

loc_7C9144:				; CODE XREF: CcPreparePinWrite+FBj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_7C9156:				; CODE XREF: CcPreparePinWrite+3Bj
		mov	[ebp+ms_exc.disabled], eax
		xor	ebx, ebx
		inc	ebx

loc_7C915C:				; CODE XREF: CcPreparePinWrite+A8j
					; CcPreparePinWrite+AFj
		cmp	[ebp+var_20], 0
		jnz	loc_8F1A13

loc_7C9166:				; CODE XREF: CcPreparePinWrite+128960j
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		push	[ebp+arg_10]
		push	ebx
		push	0
		push	esi
		lea	edx, [ebp+var_38]
		mov	ecx, [ebp+arg_0]
		call	CcPinFileData
		test	al, al
		jz	loc_8F1A59
		mov	edx, [ebp+var_40]
		mov	eax, edx
		mov	ecx, [ebp+var_38]
		sub	eax, ecx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_3C]
		sbb	eax, [ebp+var_34]
		js	short loc_7C915C
		jg	short loc_7C91A5
		cmp	[ebp+var_2C], esi
		jb	short loc_7C915C

loc_7C91A5:				; CODE XREF: CcPreparePinWrite+AAj
		lea	eax, [ebp+var_20]
		cmp	edi, eax
		jnz	short loc_7C91B4
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+arg_18]
		mov	[eax], ecx

loc_7C91B4:				; CODE XREF: CcPreparePinWrite+B6j
		cmp	[ebp+arg_C], 0
		jz	short loc_7C91CC
		push	[ebp+var_30]	; size_t
		push	0		; int
		mov	eax, [ebp+arg_18]
		push	dword ptr [eax]	; void *
		call	_memset
		add	esp, 0Ch

loc_7C91CC:				; CODE XREF: CcPreparePinWrite+C4j
		push	0
		push	[ebp+var_20]
		call	CcSetDirtyPinnedData
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+arg_14]
		mov	[eax], ecx
		mov	[ebp+var_19], bl

loc_7C91E1:				; CODE XREF: CcPreparePinWrite+12896Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7C91F4
		mov	al, bl
		jmp	loc_7C9144
CcPreparePinWrite endp


;  S U B	R O U T	I N E 


sub_7C91F4	proc near		; CODE XREF: CcPreparePinWrite+F4p
					; sub_8F1A66+6j

; FUNCTION CHUNK AT 008F1A71 SIZE 00000013 BYTES

		test	bl, bl
		jz	loc_8F1A71

locret_7C91FC:				; CODE XREF: sub_7C91F4+12887Fj
					; sub_7C91F4+12888Bj
		retn
sub_7C91F4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CcMapDataCommon	proc near		; CODE XREF: CcMapDataForOverwrite+81p
					; CcMapData+57p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008CA1E2 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	ebx, ebx
		mov	esi, edi
		mov	[esp+20h+var_8], ebx
		and	esi, 1
		mov	[esp+20h+var_4], ebx
		mov	[esp+20h+var_10], ebx
		inc	dword ptr fs:64Ch[esi*4]
		mov	eax, large fs:124h
		mov	[eax+328h], ebx
		mov	eax, [ecx+14h]
		mov	eax, [eax+4]
		test	esi, esi
		jz	loc_8CA1E2
		push	dword ptr [edx+4]
		shr	edi, 6
		lea	ecx, [esp+24h+var_C]
		push	dword ptr [edx]
		and	edi, 1
		lea	edx, [esp+28h+var_10]
		push	ebx
		push	edi
		push	ecx
		mov	ecx, eax
		call	CcGetVirtualAddress
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax

loc_7C9266:				; CODE XREF: CcMapDataCommon+100FFFj
		mov	edx, [ebp+arg_8]
		mov	al, 1
		mov	ecx, [esp+20h+var_10]
		mov	[edx], ecx

loc_7C9271:				; CODE XREF: CcMapDataCommon+10100Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
CcMapDataCommon	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAddAtomEx	proc near		; CODE XREF: NtAddAtom(x,x,x)+10p
					; DATA XREF: .text:0058128Co

var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_21D		= byte ptr -21Dh
var_21C		= dword	ptr -21Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F1A84 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 008F1ADA SIZE 0000000A BYTES

		push	224h
		push	offset dword_6A3AF0
		call	__SEH_prolog4_GS
		mov	ebx, [ebp+arg_0]
		mov	esi, [ebp+arg_4]
		mov	edi, [ebp+arg_8]
		xor	eax, eax
		mov	[ebp+var_228], eax
		mov	[ebp+var_22C], eax
		test	[ebp+arg_C], 0FFFFFFFDh
		jnz	loc_8F1ADA
		push	eax
		push	eax
		lea	eax, [ebp+var_228]
		push	eax
		push	2
		call	PsInvokeWin32Callout
		cmp	[ebp+var_228], 0
		jz	loc_8F1A84
		cmp	esi, 1FEh
		ja	loc_8F1ADA
		mov	eax, large fs:124h
		mov	cl, [eax+15Ah]
		mov	[ebp+var_21D], cl
		mov	eax, ebx
		mov	[ebp+var_224], eax
		test	cl, cl
		jz	loc_7C9378
		and	[ebp+ms_exc.disabled], 0
		test	edi, edi
		jz	short loc_7C931E
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_8F1A8E

loc_7C930F:				; CODE XREF: NtAddAtomEx+128816j
		mov	ax, [ecx]
		movzx	eax, ax
		mov	[ecx], ax
		mov	eax, [ebp+var_224]

loc_7C931E:				; CODE XREF: NtAddAtomEx+84j
		test	ebx, ebx
		jz	short loc_7C9371
		test	esi, esi
		jz	short loc_7C9348
		test	bl, 1
		jnz	loc_7C93CD
		lea	eax, [esi+ebx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_7C93D2
		cmp	eax, ebx
		jb	loc_7C93D2

loc_7C9348:				; CODE XREF: NtAddAtomEx+AAj
					; NtAddAtomEx+15Bj
		lea	eax, [ebp+var_21C]
		mov	[ebp+var_224], eax
		push	esi		; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		shr	esi, 1
		xor	eax, eax
		mov	word ptr [ebp+esi*2+var_21C], ax
		mov	eax, [ebp+var_224]

loc_7C9371:				; CODE XREF: NtAddAtomEx+A6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C9378:				; CODE XREF: NtAddAtomEx+78j
		push	[ebp+arg_C]
		lea	ecx, [ebp+var_22C]
		push	ecx
		push	eax
		push	[ebp+var_228]
		call	RtlAddAtomToAtomTableEx
		mov	ecx, eax
		test	edi, edi
		jz	short loc_7C93B9
		test	ecx, ecx
		js	short loc_7C93B9
		cmp	[ebp+var_21D], 0
		jz	short loc_7C93DA
		mov	[ebp+ms_exc.disabled], 1
		mov	ax, word ptr [ebp+var_22C]
		mov	[edi], ax

loc_7C93B2:				; CODE XREF: sub_8F1ACC+9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C93B9:				; CODE XREF: NtAddAtomEx+118j
					; NtAddAtomEx+11Cj ...
		mov	eax, ecx

loc_7C93BB:				; CODE XREF: NtAddAtomEx+12880Fj
					; sub_8F1AA6+10j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7C93CD:				; CODE XREF: NtAddAtomEx+AFj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7C93D2:				; CODE XREF: NtAddAtomEx+C0j
					; NtAddAtomEx+C8j
		mov	byte ptr [ecx],	0
		jmp	loc_7C9348
; 

loc_7C93DA:				; CODE XREF: NtAddAtomEx+125j
		mov	ax, word ptr [ebp+var_22C]
		mov	[edi], ax
		jmp	short loc_7C93B9
NtAddAtomEx	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSetInformationKey proc near		; DATA XREF: .text:00580CC8o

var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4D		= byte ptr -4Dh
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_41		= byte ptr -41h
var_40		= byte ptr -40h
var_3F		= byte ptr -3Fh
var_3E		= byte ptr -3Eh
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F1AE4 SIZE 00000214 BYTES
; FUNCTION CHUNK AT 008F1D2A SIZE 0000002F BYTES

		push	0ACh
		push	offset dword_6A3B18
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_70], eax
		xor	ebx, ebx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		rep stosd
		mov	[ebp+var_58], eax
		cmp	ds:_CmpTraceRoutine, eax
		jnz	loc_8F1AE4

loc_7C9428:				; CODE XREF: NtSetInformationKey+12870Bj
		mov	al, bl
		mov	[ebp+var_40], al
		mov	[ebp+var_41], al
		mov	[ebp+var_48], ebx
		mov	[ebp+var_3E], bl
		push	7
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_BC]
		rep stosd
		lea	eax, [ebp+var_84]
		mov	[ebp+var_80], eax
		mov	[ebp+var_84], eax
		mov	[ebp+var_54], ebx
		mov	al, bl
		mov	[ebp+var_3D], al
		xor	eax, eax
		lea	edi, [ebp+var_9C]
		stosd
		stosd
		stosd
		stosd
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_4D], al
		test	al, al
		jz	loc_8F1AF6
		mov	eax, large fs:124h
		mov	cl, [eax+15Ah]
		mov	[ebp+var_49], cl
		mov	byte ptr [ebp+var_78], cl
		mov	esi, [ebp+arg_4]
		mov	eax, esi
		sub	eax, ebx
		jz	loc_8F1B6A
		sub	eax, 1
		jz	loc_8F1B66
		sub	eax, 1
		jz	short loc_7C94BA
		sub	eax, 1
		jz	short loc_7C94BA
		sub	eax, 1
		jz	loc_8F1B66
		sub	eax, 1
		jnz	loc_8F1B17

loc_7C94BA:				; CODE XREF: NtSetInformationKey+BBj
					; NtSetInformationKey+C0j
		push	4
		mov	[ebp+var_3F], bl

loc_7C94BF:				; CODE XREF: NtSetInformationKey+12878Aj
		pop	eax
		cmp	[ebp+arg_C], eax
		jnz	loc_8F1B75
		mov	[ebp+ms_exc.disabled], ebx
		mov	edi, [ebp+var_70]
		test	cl, cl
		jnz	loc_8F1BB8

loc_7C94D7:				; CODE XREF: NtSetInformationKey+1287E1j
					; NtSetInformationKey+1287E9j
		push	eax		; size_t
		push	edi		; void *
		lea	eax, [ebp+var_64]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ds:_CmKeyObjectType
		mov	[ebp+var_74], ebx
		push	ebx
		lea	ecx, [ebp+var_74]
		push	ecx
		push	[ebp+var_78]
		push	eax
		lea	eax, [esi-5]
		neg	eax
		sbb	eax, eax
		and	eax, 2
		push	eax
		push	[ebp+var_5C]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	edi, [ebp+var_74]
		mov	[ebp+var_48], edi
		mov	eax, 0C0000022h
		cmp	esi, eax
		jz	loc_8F1BD4
		mov	dl, [ebp+var_3E]

loc_7C9528:				; CODE XREF: NtSetInformationKey+128863j
		mov	[ebp+var_3D], dl
		test	esi, esi
		js	loc_8F1BE3
		cmp	ds:_CmpTraceRoutine, 0
		jnz	loc_8F1C4E

loc_7C9540:				; CODE XREF: NtSetInformationKey+12886Aj
					; NtSetInformationKey+128876j
		cmp	[ebp+arg_4], 5
		jnz	loc_8F1C61

loc_7C954A:				; CODE XREF: NtSetInformationKey+12888Bj
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	[ebp+var_41], 1
		cmp	_CmpCallBackCount, 0
		jz	short loc_7C95B4
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_7C95B4
		mov	[ebp+var_BC], edi
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_B4], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_84]
		push	eax
		push	edi
		push	12h
		push	1
		push	ebx
		lea	edx, [ebp+var_BC]
		push	3
		pop	ecx
		call	CmpCallCallBacksEx
		mov	esi, eax
		test	esi, esi
		js	loc_8F1C83
		mov	[ebp+var_40], 1

loc_7C95B4:				; CODE XREF: NtSetInformationKey+174j
					; NtSetInformationKey+182j
		mov	cl, [ebp+var_3E]
		test	cl, cl
		jnz	loc_8F1CA8

loc_7C95BF:				; CODE XREF: NtSetInformationKey+1288E5j
		mov	[ebp+var_3D], cl
		mov	eax, [ebp+arg_4]
		sub	eax, ebx
		jz	loc_8F1C91
		sub	eax, 1
		jz	loc_8F1CE6
		sub	eax, 1
		jz	loc_8F1CDE
		sub	eax, 1
		jz	loc_8F1CD7
		sub	eax, 1
		jz	loc_8F1CD0
		sub	eax, 1
		jnz	loc_8F1D2A
		mov	ax, word ptr [ebp+var_64]
		mov	edi, [ebp+var_48]
		mov	[edi+1Eh], ax
		mov	esi, ebx
		mov	al, cl

loc_7C9609:				; CODE XREF: NtSetInformationKey+128800j
					; NtSetInformationKey+128898j ...
		test	al, al
		jnz	loc_8F1D35

loc_7C9611:				; CODE XREF: NtSetInformationKey+12895Bj
		cmp	[ebp+var_40], 0
		jz	short loc_7C9633
		lea	eax, [ebp+var_84]
		push	eax
		push	ebx
		lea	eax, [ebp+var_BC]
		push	eax
		push	esi
		mov	edx, edi
		push	12h
		pop	ecx
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		mov	esi, eax

loc_7C9633:				; CODE XREF: NtSetInformationKey+22Fj
		cmp	[ebp+var_41], 0
		jz	short loc_7C963E
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_7C963E:				; CODE XREF: NtSetInformationKey+251j
		test	edi, edi
		jz	short loc_7C9649
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7C9649:				; CODE XREF: NtSetInformationKey+25Aj
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jnz	loc_8F1D46

loc_7C9656:				; CODE XREF: NtSetInformationKey+12896Ej
		cmp	[ebp+var_4D], 0
		jz	short loc_7C9661
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_7C9661:				; CODE XREF: NtSetInformationKey+274j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
NtSetInformationKey endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWin32OpenProcedure proc near		; DATA XREF: ExpWin32Initialization()+7Do

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008F1D59 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	edi, 0C0000001h
		mov	[ebp+var_C], esi
		mov	eax, [esi]
		mov	[ebp+arg_C], eax
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_10]
		mov	ecx, ds:_ObTypeIndexTable[edx*4]
		mov	eax, [eax]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_4], eax
		cmp	ecx, ds:_ExActivationObjectType
		jz	loc_8F1D59
		cmp	ecx, ds:_ExCoreMessagingObjectType
		jz	short loc_7C9742
		cmp	ecx, ds:_ExRawInputManagerObjectType
		jz	short loc_7C9734
		cmp	ecx, ds:_ExCompositionObjectType
		jz	short loc_7C970B
		cmp	ecx, ds:_ExDesktopObjectType
		jz	short loc_7C9726
		cmp	ecx, ds:_ExWindowStationObjectType
		jnz	short loc_7C971E
		lea	eax, [ebp+arg_C]
		push	eax
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		push	10h
		jmp	short loc_7C9717
; 

loc_7C970B:				; CODE XREF: ExpWin32OpenProcedure+75j
		lea	eax, [ebp+arg_C]
		push	eax
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		push	12h

loc_7C9717:				; CODE XREF: ExpWin32OpenProcedure+93j
					; ExpWin32OpenProcedure+BCj ...
		call	PsInvokeWin32Callout
		mov	edi, eax

loc_7C971E:				; CODE XREF: ExpWin32OpenProcedure+85j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn	18h
; 

loc_7C9726:				; CODE XREF: ExpWin32OpenProcedure+7Dj
		lea	eax, [ebp+arg_C]
		push	eax
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		push	8
		jmp	short loc_7C9717
; 

loc_7C9734:				; CODE XREF: ExpWin32OpenProcedure+6Dj
		lea	eax, [ebp+arg_C]
		push	eax
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		push	1Bh
		jmp	short loc_7C9717
; 

loc_7C9742:				; CODE XREF: ExpWin32OpenProcedure+65j
		lea	eax, [ebp+arg_C]
		push	eax
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		push	21h
		jmp	short loc_7C9717
ExpWin32OpenProcedure endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWin32OkayToCloseProcedure proc near	; DATA XREF: ExpWin32Initialization()+6Fo

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 008F1D6A SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, 0C0000001h
		push	edi
		lea	edi, [esp+20h+var_10]
		mov	eax, [esi]
		mov	[esp+20h+var_14], eax
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		mov	[esp+20h+var_C], esi
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, [ebp+arg_0]
		mov	[esp+20h+var_10], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+20h+var_8], eax
		mov	ecx, ds:_ObTypeIndexTable[edx*4]
		mov	al, [ebp+arg_C]
		mov	[esp+20h+var_4], al
		cmp	ecx, ds:_ExActivationObjectType
		jz	loc_8F1D6A
		cmp	ecx, ds:_ExCoreMessagingObjectType
		jz	short loc_7C9838
		cmp	ecx, ds:_ExRawInputManagerObjectType
		jz	short loc_7C9828
		cmp	ecx, ds:_ExCompositionObjectType
		jz	short loc_7C97F2
		cmp	ecx, ds:_ExDesktopObjectType
		jz	short loc_7C9818
		cmp	ecx, ds:_ExWindowStationObjectType
		jnz	short loc_7C9807
		lea	eax, [esp+20h+var_14]
		push	eax
		push	1
		lea	eax, [esp+28h+var_10]
		push	eax
		push	0Ch
		jmp	short loc_7C9800
; 

loc_7C97F2:				; CODE XREF: ExpWin32OkayToCloseProcedure+80j
		lea	eax, [esp+20h+var_14]
		push	eax
		push	1
		lea	eax, [esp+28h+var_10]
		push	eax
		push	13h

loc_7C9800:				; CODE XREF: ExpWin32OkayToCloseProcedure+A0j
					; ExpWin32OkayToCloseProcedure+D6j ...
		call	PsInvokeWin32Callout
		mov	ebx, eax

loc_7C9807:				; CODE XREF: ExpWin32OkayToCloseProcedure+90j
		shr	ebx, 1Fh
		pop	edi
		xor	bl, 1
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7C9818:				; CODE XREF: ExpWin32OkayToCloseProcedure+88j
		lea	eax, [esp+20h+var_14]
		push	eax
		push	1
		lea	eax, [esp+28h+var_10]
		push	eax
		push	9
		jmp	short loc_7C9800
; 

loc_7C9828:				; CODE XREF: ExpWin32OkayToCloseProcedure+78j
		lea	eax, [esp+20h+var_14]
		push	eax
		push	1
		lea	eax, [esp+28h+var_10]
		push	eax
		push	1Ch
		jmp	short loc_7C9800
; 

loc_7C9838:				; CODE XREF: ExpWin32OkayToCloseProcedure+70j
		lea	eax, [esp+20h+var_14]
		push	eax
		push	1
		lea	eax, [esp+28h+var_10]
		push	eax
		push	22h
		jmp	short loc_7C9800
ExpWin32OkayToCloseProcedure endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1882. PsReleaseProcessExitSynchronization

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReleaseProcessExitSynchronization(x)
		public _PsReleaseProcessExitSynchronization@4
_PsReleaseProcessExitSynchronization@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		lea	ecx, [ecx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		pop	ebp
		retn	4
_PsReleaseProcessExitSynchronization@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 648. FsRtlReleaseFileNameInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlReleaseFileNameInformation(x)
		public _FsRtlReleaseFileNameInformation@4
_FsRtlReleaseFileNameInformation@4 proc	near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _FltMgrCallbacks
		pop	ebp
		jmp	dword ptr [eax+10h]
_FsRtlReleaseFileNameInformation@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 525. FsRtlGetFileNameInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlGetFileNameInformation(x, x, x, x)
		public _FsRtlGetFileNameInformation@16
_FsRtlGetFileNameInformation@16	proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _FltMgrCallbacks
		test	eax, eax
		jz	short loc_7C9890
		pop	ebp
		jmp	dword ptr [eax+0Ch]
; 

loc_7C9890:				; CODE XREF: FsRtlGetFileNameInformation(x,x,x,x)+Cj
		mov	eax, 0C00000BBh
		pop	ebp
		retn	10h
_FsRtlGetFileNameInformation@16	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RtlpValidAttributeAce(x)
_RtlpValidAttributeAce@4 proc near	; CODE XREF: RtlValidAcl+13Dp
		mov	edi, edi
		push	esi
		test	ecx, ecx
		jz	short loc_7C98EB
		movzx	esi, word ptr [ecx+2]
		mov	edx, esi
		lea	eax, [edx+3]
		and	eax, 0FFFFFFFCh
		cmp	eax, edx
		jnz	short loc_7C98EB
		cmp	esi, 10h
		jb	short loc_7C98EB
		cmp	byte ptr [ecx+8], 1
		jnz	short loc_7C98EB
		mov	al, [ecx+9]
		cmp	al, 0Fh
		ja	short loc_7C98EB
		movzx	eax, al
		lea	esi, ds:8[eax*4]
		lea	eax, [esi+1Ch]
		cmp	edx, eax
		jb	short loc_7C98EB
		sub	edx, esi
		add	ecx, 8
		sub	edx, 8
		add	ecx, esi
		call	RtlpValidRelativeAttribute
		test	al, al
		jz	short loc_7C98EB
		mov	al, 1
		pop	esi
		retn
; 

loc_7C98EB:				; CODE XREF: RtlpValidAttributeAce(x)+5j
					; RtlpValidAttributeAce(x)+15j	...
		xor	al, al
		pop	esi
		retn
_RtlpValidAttributeAce@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpValidRelativeAttribute proc	near	; CODE XREF: RtlpValidAttributeAce(x)+44p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F1D7D SIZE 000001B0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	[ebp+var_8], esi
		mov	ebx, edx
		test	edi, edi
		jz	loc_7C99B4
		cmp	ebx, 14h
		jb	loc_7C99B4
		cmp	[edi+6], si
		jnz	loc_7C99B4
		test	dword ptr [edi+8], 0FFC0h
		jnz	loc_7C99B4
		mov	eax, [edi+0Ch]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_7C99B4
		mov	eax, [edi]
		cmp	ebx, eax
		jb	short loc_7C99B4
		push	4
		sub	edx, eax
		pop	ecx
		cmp	edx, ecx
		jb	short loc_7C99B4
		lea	ecx, [ebp+var_10]
		push	ecx
		lea	ecx, [eax+edi]
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		test	eax, eax
		js	short loc_7C99B4
		mov	eax, [ebp+var_4]
		push	4
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_7C99B4
		lea	eax, [ebx-10h]
		cmp	eax, [ebp+var_8]
		jb	short loc_7C99B4
		movzx	ecx, word ptr [edi+4]
		mov	eax, ecx
		test	ax, ax
		jz	short loc_7C99B4
		push	2
		pop	edx
		cmp	ax, dx
		ja	loc_8F1D7D
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_7C99AD
		add	edi, 10h

loc_7C9994:				; CODE XREF: RtlpValidRelativeAttribute+BBj
		mov	edx, [edi]
		cmp	ebx, edx
		jb	short loc_7C99B4
		mov	ecx, ebx
		sub	ecx, edx
		cmp	ecx, 8
		jb	short loc_7C99B4
		push	4
		pop	ecx
		inc	esi
		add	edi, ecx
		cmp	esi, eax
		jb	short loc_7C9994

loc_7C99AD:				; CODE XREF: RtlpValidRelativeAttribute+9Fj
					; RtlpValidRelativeAttribute+1284B0j ...
		mov	al, 1

loc_7C99AF:				; CODE XREF: RtlpValidRelativeAttribute+C6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7C99B4:				; CODE XREF: RtlpValidRelativeAttribute+16j
					; RtlpValidRelativeAttribute+1Fj ...
		xor	al, al
		jmp	short loc_7C99AF
RtlpValidRelativeAttribute endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ValidFilter(x, x)
_ValidFilter@8	proc near		; CODE XREF: PiDqQueryValidateQueryData:loc_7FB193p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	ebx, ecx
		mov	[ebp+var_38], 1
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		and	[ebp+var_30], eax
		mov	esi, edx
		rep stosd
		lea	eax, [ebp+var_2C]
		mov	ecx, offset GetPropertyFromPropArray
		mov	[ebp+var_34], eax
		lea	edx, [ebp+var_38]
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		push	ebx
		call	_FilterEval@20	; FilterEval(x,x,x,x,x)
		cmp	eax, 0C000000Dh
		jz	short loc_7C9A40
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_7C9A2E
		add	esi, 20h

loc_7C9A0E:				; CODE XREF: ValidFilter(x,x)+74j
		cmp	dword ptr [esi-4], 0
		jnz	short loc_7C9A40
		push	dword ptr [esi]
		mov	edx, [esi+4]
		mov	ecx, [esi+8]
		call	_PnpValidatePropertyData
		cmp	eax, 1
		jz	short loc_7C9A40
		inc	edi
		add	esi, 2Ch
		cmp	edi, ebx
		jb	short loc_7C9A0E

loc_7C9A2E:				; CODE XREF: ValidFilter(x,x)+51j
		xor	eax, eax
		inc	eax

loc_7C9A31:				; CODE XREF: ValidFilter(x,x)+8Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7C9A40:				; CODE XREF: ValidFilter(x,x)+4Bj
					; ValidFilter(x,x)+5Aj	...
		xor	eax, eax
		jmp	short loc_7C9A31
_ValidFilter@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpValidatePropertyData proc near	; CODE XREF: ValidFilter(x,x)+64p
					; _PnpGetObjectPropertyWorker+A5p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F1F2D SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		test	[ebp+arg_0], 0FFFF0000h
		mov	edx, ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], esi
		jnz	loc_8F1F2D
		push	ebx
		mov	ebx, [ebp+arg_0]
		and	ebx, 0FFFh
		cmp	ebx, 19h
		ja	loc_7C9C27
		mov	ecx, ebx
		call	__GetBaseTypeSize@4 ; _GetBaseTypeSize(x)
		mov	ecx, eax
		mov	eax, [ebp+arg_0]
		and	eax, 0F000h
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], eax
		test	ecx, ecx
		jz	short loc_7C9ACB
		cmp	eax, 1000h
		jz	loc_7C9BFD
		cmp	eax, 2000h
		jz	loc_7C9B71
		test	eax, eax
		jnz	loc_7C9C27
		mov	ecx, [ebp+arg_0]
		call	__IsFixedSizeType@4 ; _IsFixedSizeType(x)
		test	al, al
		jz	short loc_7C9AC8
		cmp	edi, [ebp+var_10]

loc_7C9AC2:				; CODE XREF: _PnpValidatePropertyData+1284F7j
		jnz	loc_7C9C27

loc_7C9AC8:				; CODE XREF: _PnpValidatePropertyData+79j
					; _PnpValidatePropertyData+132j ...
		mov	eax, [ebp+var_4]

loc_7C9ACB:				; CODE XREF: _PnpValidatePropertyData+4Fj
		cmp	ebx, 12h
		jz	short loc_7C9B21
		ja	short loc_7C9B0E
		cmp	ebx, 1
		jbe	loc_7C9BD4
		cmp	ebx, 10h
		jz	loc_7C9BD8
		cmp	ebx, 11h
		jnz	short loc_7C9B68
		test	edx, edx
		jz	loc_7C9C27
		mov	eax, esi
		test	edi, edi
		jz	short loc_7C9B68

loc_7C9AF7:				; CODE XREF: _PnpValidatePropertyData+C8j
		mov	cl, [eax+edx]
		cmp	cl, 0FFh
		jz	short loc_7C9B07
		test	cl, cl
		jnz	loc_7C9C27

loc_7C9B07:				; CODE XREF: _PnpValidatePropertyData+B9j
		inc	eax
		cmp	eax, edi
		jnb	short loc_7C9B68
		jmp	short loc_7C9AF7
; 

loc_7C9B0E:				; CODE XREF: _PnpValidatePropertyData+8Cj
		sub	ebx, 13h
		jz	loc_7C9C31
		sub	ebx, 1
		jz	short loc_7C9B21
		sub	ebx, 5
		jnz	short loc_7C9B68

loc_7C9B21:				; CODE XREF: _PnpValidatePropertyData+8Aj
					; _PnpValidatePropertyData+D6j
		test	edx, edx
		jz	loc_7C9C27
		cmp	edi, 2
		jb	loc_7C9C27
		test	eax, 2000h
		jnz	short loc_7C9B81
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		mov	edx, edi
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		test	eax, eax
		js	loc_7C9C27
		mov	eax, [ebp+var_8]
		add	eax, 2
		cmp	eax, 0FFFEh
		ja	loc_7C9C27

loc_7C9B60:				; CODE XREF: _PnpValidatePropertyData+18Ej
					; _PnpValidatePropertyData+206j
		cmp	eax, edi

loc_7C9B62:				; CODE XREF: _PnpValidatePropertyData+192j
		jnz	loc_7C9C27

loc_7C9B68:				; CODE XREF: _PnpValidatePropertyData+A3j
					; _PnpValidatePropertyData+B1j	...
		pop	ebx

loc_7C9B69:				; CODE XREF: _PnpValidatePropertyData+1284EEj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
; 

loc_7C9B71:				; CODE XREF: _PnpValidatePropertyData+61j
		mov	eax, ebx
		sub	eax, 12h
		jz	loc_7C9AC8
		jmp	loc_8F1F37
; 

loc_7C9B81:				; CODE XREF: _PnpValidatePropertyData+F3j
		mov	ecx, esi
		mov	[ebp+arg_0], esi
		cmp	[edx], si
		jz	short loc_7C9BCF
		mov	ebx, [ebp+var_C]

loc_7C9B8E:				; CODE XREF: _PnpValidatePropertyData+189j
		lea	eax, [ebp+var_8]
		mov	edx, edi
		sub	edx, ecx
		mov	ecx, ebx
		push	eax
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		test	eax, eax
		js	loc_7C9C27
		mov	eax, [ebp+var_8]
		test	al, 1
		jnz	short loc_7C9C27
		add	eax, 2
		mov	[ebp+var_8], eax
		cmp	eax, 0FFFEh
		ja	short loc_7C9C27
		mov	ecx, [ebp+arg_0]
		add	ecx, eax
		mov	[ebp+arg_0], ecx
		cmp	ecx, edi
		ja	short loc_7C9C27
		shr	eax, 1
		lea	ebx, [ebx+eax*2]
		cmp	[ebx], si
		jnz	short loc_7C9B8E

loc_7C9BCF:				; CODE XREF: _PnpValidatePropertyData+145j
		lea	eax, [ecx+2]
		jmp	short loc_7C9B60
; 

loc_7C9BD4:				; CODE XREF: _PnpValidatePropertyData+91j
		test	edi, edi
		jmp	short loc_7C9B62
; 

loc_7C9BD8:				; CODE XREF: _PnpValidatePropertyData+9Aj
		test	edx, edx
		jz	short loc_7C9C27
		shr	edi, 3
		mov	eax, esi
		test	edi, edi
		jz	short loc_7C9B68

loc_7C9BE5:				; CODE XREF: _PnpValidatePropertyData+1B7j
		cmp	[edx+eax*8+4], esi
		jg	short loc_7C9BF2
		jl	short loc_7C9C27
		cmp	[edx+eax*8], esi
		jb	short loc_7C9C27

loc_7C9BF2:				; CODE XREF: _PnpValidatePropertyData+1A5j
		inc	eax
		cmp	eax, edi
		jnb	loc_7C9B68
		jmp	short loc_7C9BE5
; 

loc_7C9BFD:				; CODE XREF: _PnpValidatePropertyData+56j
		cmp	ebx, 1
		jbe	short loc_7C9C27
		mov	ecx, [ebp+arg_0]
		call	__IsFixedSizeType@4 ; _IsFixedSizeType(x)
		test	al, al
		jz	short loc_7C9C27
		mov	ecx, [ebp+var_10]
		cmp	edi, ecx
		jb	short loc_7C9C27
		xor	edx, edx
		mov	eax, edi
		div	ecx
		test	edx, edx
		jnz	short loc_7C9C27
		mov	edx, [ebp+var_C]
		jmp	loc_7C9AC8
; 

loc_7C9C27:				; CODE XREF: _PnpValidatePropertyData+30j
					; _PnpValidatePropertyData+69j	...
		mov	esi, 0C000000Dh
		jmp	loc_7C9B68
; 

loc_7C9C31:				; CODE XREF: _PnpValidatePropertyData+CDj
		test	edx, edx
		jz	short loc_7C9C27
		push	esi
		push	edi
		push	edx
		call	_RtlValidRelativeSecurityDescriptor@12 ; RtlValidRelativeSecurityDescriptor(x,x,x)
		test	al, al
		jz	short loc_7C9C27
		mov	ebx, [ebp+var_C]
		push	ebx
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		jmp	loc_7C9B60
_PnpValidatePropertyData endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1653. PcwCloseInstance

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PcwCloseInstance(x)
		public _PcwCloseInstance@4
_PcwCloseInstance@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, ds:_ExpPcwExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_7C9C79
		push	[ebp+arg_0]
		call	dword ptr [eax+0Ch]
		mov	ecx, ds:_ExpPcwExtensionHost
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_7C9C79:				; CODE XREF: PcwCloseInstance(x)+12j
		pop	ebp
		retn	4
_PcwCloseInstance@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1654. PcwCreateInstance

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PcwCreateInstance
PcwCreateInstance proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F1F40 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, ds:_ExpPcwExtensionHost
		push	esi
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	loc_8F1F40
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	dword ptr [eax+8]
		mov	ecx, ds:_ExpPcwExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_7C9CBA:				; CODE XREF: PcwCreateInstance+1282CBj
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	14h
PcwCreateInstance endp ; sp = -14h

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1652. PcwAddInstance

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PcwAddInstance(x, x, x, x, x)
		public _PcwAddInstance@20
_PcwAddInstance@20 proc	near		; CODE XREF: ExProcessorCounterSetCallback+237p
					; ExProcessorCounterSetCallback+A16p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, ds:_ExpPcwExtensionHost
		push	esi
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_7C9D01
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	dword ptr [eax+10h]
		mov	ecx, ds:_ExpPcwExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_7C9CFA:				; CODE XREF: PcwAddInstance(x,x,x,x,x)+42j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	14h
; 

loc_7C9D01:				; CODE XREF: PcwAddInstance(x,x,x,x,x)+13j
		call	_ExpPcwDisabledStatus@0	; ExpPcwDisabledStatus()
		mov	esi, eax
		jmp	short loc_7C9CFA
_PcwAddInstance@20 endp

; 
		align 10h
; Exported entry 865. IoGetFileObjectGenericMapping

;  S U B	R O U T	I N E 


; __stdcall IoGetFileObjectGenericMapping()
		public _IoGetFileObjectGenericMapping@0
_IoGetFileObjectGenericMapping@0 proc near
					; CODE XREF: CmpCheckHivePrimaryFileReadWriteAccess(x)+3Ep
					; VfUtilIsLocalSystem(x)+49p
		mov	eax, (offset loc_A3F6BF+1)
		retn
_IoGetFileObjectGenericMapping@0 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 462. FsRtlAcknowledgeEcp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAcknowledgeEcp(x)
		public _FsRtlAcknowledgeEcp@4
_FsRtlAcknowledgeEcp@4 proc near	; CODE XREF: FsRtlCheckOplockEx2+C63B6p
					; FsRtlpAttachOplockKey+B5893p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		or	dword ptr [eax-10h], 8
		pop	ebp
		retn	4
_FsRtlAcknowledgeEcp@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtGetMUIRegistryInfo(int,int,void *)
NtGetMUIRegistryInfo proc near		; DATA XREF: .text:00581004o

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F1F52 SIZE 0000008D BYTES
; FUNCTION CHUNK AT 008F1FF2 SIZE 0000002B BYTES

		push	68h
		push	offset dword_6A3B38
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_20], edx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_54]
		rep stosd
		lea	edi, [ebp+var_3C]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_24], edx
		push	9
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_78]
		rep stosd
		mov	[ebp+var_19], dl
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	loc_8F1F52
		cmp	_InitSafeBootMode, edx
		jnz	loc_8F1F52
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_7C9DBD
		mov	[ebp+ms_exc.disabled], edx
		mov	eax, edi
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edi, ecx
		jnb	loc_8F1F66

loc_7C9D9C:				; CODE XREF: NtGetMUIRegistryInfo+128238j
		nop
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	eax, eax
		jz	short loc_7C9DCA
		cmp	[ebp+arg_8], 0
		jz	loc_8F1F5C
		test	eax, eax
		jnz	short loc_7C9DD4
		jmp	short loc_7C9DCA
; 

loc_7C9DBD:				; CODE XREF: NtGetMUIRegistryInfo+57j
		test	byte ptr [ebp+arg_0], 0Ah
		jz	loc_8F1F5C
		mov	[ebp+var_20], edx

loc_7C9DCA:				; CODE XREF: NtGetMUIRegistryInfo+7Bj
					; NtGetMUIRegistryInfo+8Bj
		cmp	[ebp+arg_8], 0
		jnz	loc_8F1F5C

loc_7C9DD4:				; CODE XREF: NtGetMUIRegistryInfo+89j
		xor	ebx, ebx
		inc	ebx
		cmp	[ebp+arg_0], 0
		jnz	short loc_7C9DE0
		mov	[ebp+arg_0], ebx

loc_7C9DE0:				; CODE XREF: NtGetMUIRegistryInfo+ABj
		test	[ebp+arg_0], 0FFFFFFF4h
		jnz	loc_8F1F5C
		cmp	_MUIRegistryLock, 0
		jz	loc_7C9FC7

loc_7C9DFA:				; CODE XREF: NtGetMUIRegistryInfo+2AEj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ebx
		push	_MUIRegistryLock
		call	ExAcquireResourceExclusiveLite
		mov	[ebp+var_19], bl
		mov	eax, _MUIRegistryInfo
		cmp	eax, 0FFFFFFFFh
		jz	loc_8F1F6D
		test	byte ptr [ebp+arg_0], 1
		jz	loc_7C9FE9
		xor	dl, dl
		mov	byte ptr [ebp+arg_0+3],	dl
		test	eax, eax
		jz	loc_7C9EDE

loc_7C9E3C:				; CODE XREF: NtGetMUIRegistryInfo+292j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_7C9E51
		cmp	eax, _MUIRegistryInfoSize
		jb	loc_8F1FCE
		mov	dl, bl

loc_7C9E51:				; CODE XREF: NtGetMUIRegistryInfo+111j
		xor	esi, esi

loc_7C9E53:				; CODE XREF: NtGetMUIRegistryInfo+1282A3j
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_8F1FD8

loc_7C9E65:				; CODE XREF: NtGetMUIRegistryInfo+1282AAj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, _MUIRegistryInfoSize
		mov	[edi], eax
		test	dl, dl
		jnz	short loc_7C9EAC

loc_7C9E74:				; CODE XREF: NtGetMUIRegistryInfo+1ACj
					; sub_8F202B+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7C9E7B:				; CODE XREF: NtGetMUIRegistryInfo+2B4j
					; NtGetMUIRegistryInfo+2EBj ...
		cmp	[ebp+var_19], 0
		jz	short loc_7C9E98
		mov	ecx, _MUIRegistryLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_7C9E98:				; CODE XREF: NtGetMUIRegistryInfo+14Fj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7C9EAC:				; CODE XREF: NtGetMUIRegistryInfo+142j
		push	ebx
		push	[ebp+var_20]
		push	[ebp+arg_8]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	[ebp+var_20]	; size_t
		push	0		; int
		push	[ebp+arg_8]	; void *
		call	_memset
		push	_MUIRegistryInfoSize ; size_t
		push	_MUIRegistryInfo ; void	*
		push	[ebp+arg_8]	; void *
		call	_memcpy
		add	esp, 18h
		jmp	short loc_7C9E74
; 

loc_7C9EDE:				; CODE XREF: NtGetMUIRegistryInfo+106j
		push	0
		push	ebx
		lea	eax, [ebp+var_3C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_78], eax
		xor	ecx, ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], ecx
		movzx	eax, ds:_PsInstallUILanguageId
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], ecx
		movzx	eax, ds:_PsMachineUILanguageId
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], 0C0000001h
		mov	[ebp+var_54], 18h
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], 200h
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ecx
		lea	eax, [ebp+var_78]
		push	eax
		push	offset _MUIRegistrySystemRoutine@4 ; MUIRegistrySystemRoutine(x)
		push	ecx
		push	ecx
		lea	eax, [ebp+var_54]
		push	eax
		push	1FFFFFh
		lea	eax, [ebp+var_24]
		push	eax
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8F1FBB
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, eax
		test	esi, esi
		js	loc_8F1FBB
		mov	esi, [ebp+var_58]
		test	esi, esi
		js	loc_8F1FBB
		mov	eax, [ebp+var_74]
		mov	_MUIRegistryInfo, eax
		mov	eax, [ebp+var_70]
		mov	_MUIRegistryInfoSize, eax
		cmp	[ebp+var_6C], 0
		jz	loc_8F1F86
		cmp	[ebp+var_64], 0
		jz	loc_8F1F97

loc_7C9FAD:				; CODE XREF: NtGetMUIRegistryInfo+128275j
		cmp	[ebp+var_5C], 0
		jz	loc_8F1FAA

loc_7C9FB7:				; CODE XREF: NtGetMUIRegistryInfo+128286j
		test	esi, esi
		js	loc_8F1FBB
		mov	dl, byte ptr [ebp+arg_0+3]
		jmp	loc_7C9E3C
; 

loc_7C9FC7:				; CODE XREF: NtGetMUIRegistryInfo+C4j
		mov	ecx, offset _MUIRegistryLock
		call	MUIInitializeResourceLock
		mov	esi, eax
		mov	ecx, esi
		mov	eax, 0C0000000h
		and	ecx, eax
		cmp	ecx, eax
		jnz	loc_7C9DFA
		jmp	loc_7C9E7B
; 

loc_7C9FE9:				; CODE XREF: NtGetMUIRegistryInfo+F9j
		test	byte ptr [ebp+arg_0], 2
		jz	loc_8F1FF2
		test	eax, eax
		jz	short loc_7CA019
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	_MUIRegistryInfo, 0
		and	_MUIRegistryInfoSize, 0
		test	byte ptr [ebp+arg_0], 8
		jz	short loc_7CA019
		add	ds:0FFDF03A4h, ebx

loc_7CA019:				; CODE XREF: NtGetMUIRegistryInfo+2C5j
					; NtGetMUIRegistryInfo+2E1j ...
		xor	esi, esi
		jmp	loc_7C9E7B
NtGetMUIRegistryInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExIsRestrictedCaller(x)
_ExIsRestrictedCaller@4	proc near	; CODE XREF: PAGE:0077EEA1p
					; PAGE:0077EEEAp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+28h+var_10]
		stosd
		xor	esi, esi
		mov	[esp+28h+var_18], esi
		mov	[esp+28h+var_14], esi
		stosd
		stosd
		stosd
		test	cl, cl
		jz	short loc_7CA0A2
		lea	eax, [esp+28h+var_10]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		lea	eax, [esp+28h+var_18]
		push	eax
		lea	eax, [esp+2Ch+var_14]
		push	eax
		push	1
		push	offset _ExpRestrictedGenericMapping
		push	esi
		push	esi
		push	20000h
		push	esi
		lea	eax, [esp+48h+var_10]
		push	eax
		push	ds:_SeMediumDaclSd
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		lea	ecx, [esp+28h+var_10]
		mov	bl, al
		push	ecx
		call	SeReleaseSubjectContext
		test	bl, bl
		jz	short loc_7CA0AB
		cmp	[esp+28h+var_18], esi
		jl	short loc_7CA0AB

loc_7CA0A2:				; CODE XREF: ExIsRestrictedCaller(x)+24j
		xor	eax, eax

loc_7CA0A4:				; CODE XREF: ExIsRestrictedCaller(x)+8Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7CA0AB:				; CODE XREF: ExIsRestrictedCaller(x)+7Aj
					; ExIsRestrictedCaller(x)+80j
		xor	eax, eax
		inc	eax
		jmp	short loc_7CA0A4
_ExIsRestrictedCaller@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWin32CloseProcedure proc near	; DATA XREF: ExpWin32Initialization()+56o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F2036 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[esp+18h+var_C], esi
		mov	eax, [esi]
		mov	[esp+18h+var_14], eax
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, [ebp+arg_0]
		mov	[esp+18h+var_10], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+18h+var_8], eax
		mov	ecx, ds:_ObTypeIndexTable[edx*4]
		mov	eax, [ebp+arg_C]
		mov	[esp+18h+var_4], eax
		cmp	ecx, ds:_ExActivationObjectType
		jz	loc_8F2036
		cmp	ecx, ds:_ExCoreMessagingObjectType
		jz	short loc_7CA17B
		cmp	ecx, ds:_ExRawInputManagerObjectType
		jz	short loc_7CA16B
		cmp	ecx, ds:_ExCompositionObjectType
		jz	short loc_7CA141
		cmp	ecx, ds:_ExDesktopObjectType
		jz	short loc_7CA15B
		cmp	ecx, ds:_ExWindowStationObjectType
		jnz	short loc_7CA154
		lea	eax, [esp+18h+var_14]
		push	eax
		push	1
		lea	eax, [esp+20h+var_10]
		push	eax
		push	0Dh
		jmp	short loc_7CA14F
; 

loc_7CA141:				; CODE XREF: ExpWin32CloseProcedure+6Fj
		lea	eax, [esp+18h+var_14]
		push	eax
		push	1
		lea	eax, [esp+20h+var_10]
		push	eax
		push	14h

loc_7CA14F:				; CODE XREF: ExpWin32CloseProcedure+8Fj
					; ExpWin32CloseProcedure+B9j ...
		call	PsInvokeWin32Callout

loc_7CA154:				; CODE XREF: ExpWin32CloseProcedure+7Fj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7CA15B:				; CODE XREF: ExpWin32CloseProcedure+77j
		lea	eax, [esp+18h+var_14]
		push	eax
		push	1
		lea	eax, [esp+20h+var_10]
		push	eax
		push	0Ah
		jmp	short loc_7CA14F
; 

loc_7CA16B:				; CODE XREF: ExpWin32CloseProcedure+67j
		lea	eax, [esp+18h+var_14]
		push	eax
		push	1
		lea	eax, [esp+20h+var_10]
		push	eax
		push	1Dh
		jmp	short loc_7CA14F
; 

loc_7CA17B:				; CODE XREF: ExpWin32CloseProcedure+5Fj
		lea	eax, [esp+18h+var_14]
		push	eax
		push	1
		lea	eax, [esp+20h+var_10]
		push	eax
		push	23h
		jmp	short loc_7CA14F
ExpWin32CloseProcedure endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspAllocateAndQueryProcessNotificationChannel proc near	; CODE XREF: PAGE:0083F2DBp

var_8C		= dword	ptr -8Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_66		= byte ptr -66h
var_65		= byte ptr -65h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F2049 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_70], ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_8C]
		mov	esi, edx
		mov	edx, [ebp+arg_0]
		stosd
		mov	[ebp+var_74], esi
		lea	ebx, [esi+460h]
		mov	[ebp+var_6C], edx
		mov	[ebp+var_78], ebx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_66], al
		mov	[ebp+var_65], al
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], eax
		mov	eax, [ebx]
		or	eax, [ebx+4]
		jnz	loc_7CA2B2
		push	2		; int
		push	58h		; size_t
		lea	eax, [ebp+var_5C]
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		xor	edi, edi
		lea	ecx, [ebp+var_5C]
		push	edi
		push	_SeWorldSid
		push	1
		push	edi
		push	2
		pop	edx
		call	RtlpAddKnownAce
		push	1
		lea	eax, [ebp+var_8C]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	edi
		lea	eax, [ebp+var_5C]
		push	eax
		push	1
		lea	eax, [ebp+var_8C]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		lea	eax, [ebp+var_8C]
		push	eax
		push	edi
		push	edi
		push	edi
		push	4
		push	3
		lea	eax, [ebp+var_64]
		push	eax
		call	_ZwCreateWnfStateName@28 ; ZwCreateWnfStateName(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7CA300
		mov	edi, [ebp+var_70]
		dec	word ptr [edi+13Ch]
		nop
		add	esi, 0E0h
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebx]
		or	eax, [ebx+4]
		jnz	loc_8F2049
		mov	edi, [ebp+var_6C]
		mov	eax, [ebp+var_64]
		mov	ecx, [ebp+var_74]
		mov	[ebx], eax
		mov	eax, [ebp+var_60]
		mov	[ebx+4], eax
		mov	eax, [edi+24h]
		mov	[ecx+484h], eax
		mov	eax, [edi+28h]
		mov	edi, [ebp+var_70]
		mov	[ecx+488h], eax
		mov	[ebp+var_65], 1

loc_7CA294:				; CODE XREF: PspAllocateAndQueryProcessNotificationChannel+127EC1j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7CA319

loc_7CA2A1:				; CODE XREF: PspAllocateAndQueryProcessNotificationChannel+194j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	edx, [ebp+var_6C]

loc_7CA2B2:				; CODE XREF: PspAllocateAndQueryProcessNotificationChannel+4Fj
		push	0Ch
		mov	esi, ebx
		mov	edi, edx
		mov	bh, [ebp+var_65]
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_6C]
		lea	esi, [edx+8]
		xor	ecx, ecx
		mov	bl, cl

loc_7CA2C8:				; CODE XREF: PspAllocateAndQueryProcessNotificationChannel+15Bj
		mov	edx, [esi]
		and	edx, 7FFFFFFFh
		mov	[esi], edx
		test	bh, bh
		jz	short loc_7CA2E0
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	[edi+24h], eax
		jnz	short loc_7CA311

loc_7CA2E0:				; CODE XREF: PspAllocateAndQueryProcessNotificationChannel+148j
					; PspAllocateAndQueryProcessNotificationChannel+187j ...
		inc	ecx
		add	esi, 4
		cmp	ecx, 7
		jb	short loc_7CA2C8
		test	bl, bl
		mov	ebx, [ebp+var_78]
		jnz	loc_8F2052

loc_7CA2F4:				; CODE XREF: PspAllocateAndQueryProcessNotificationChannel+127ED4j
		cmp	[ebp+var_66], 0
		jnz	loc_8F2065

loc_7CA2FE:				; CODE XREF: PspAllocateAndQueryProcessNotificationChannel+127EE2j
		xor	eax, eax

loc_7CA300:				; CODE XREF: PspAllocateAndQueryProcessNotificationChannel+B3j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7CA311:				; CODE XREF: PspAllocateAndQueryProcessNotificationChannel+152j
		test	edx, edx
		jz	short loc_7CA2E0
		mov	bl, 1
		jmp	short loc_7CA2E0
; 

loc_7CA319:				; CODE XREF: PspAllocateAndQueryProcessNotificationChannel+113j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7CA2A1
PspAllocateAndQueryProcessNotificationChannel endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KeGetExecuteOptions(x, x)
_KeGetExecuteOptions@8 proc near	; CODE XREF: PAGE:0083CBA7p
		mov	al, [ecx+6Bh]
		movzx	ecx, al
		and	ecx, 1
		test	al, 2
		jnz	short loc_7CA35C

loc_7CA333:				; CODE XREF: KeGetExecuteOptions(x,x)+39j
		test	al, 4
		jz	short loc_7CA33A
		or	ecx, 4

loc_7CA33A:				; CODE XREF: KeGetExecuteOptions(x,x)+Fj
		test	al, 8
		jz	short loc_7CA341
		or	ecx, 8

loc_7CA341:				; CODE XREF: KeGetExecuteOptions(x,x)+16j
		test	al, 10h
		jnz	short loc_7CA352

loc_7CA345:				; CODE XREF: KeGetExecuteOptions(x,x)+2Fj
		test	al, 20h
		jnz	short loc_7CA357

loc_7CA349:				; CODE XREF: KeGetExecuteOptions(x,x)+34j
		test	al, 40h
		jnz	short loc_7CA361

loc_7CA34D:				; CODE XREF: KeGetExecuteOptions(x,x)+3Ej
		mov	[edx], ecx
		xor	eax, eax
		retn
; 

loc_7CA352:				; CODE XREF: KeGetExecuteOptions(x,x)+1Dj
		or	ecx, 10h
		jmp	short loc_7CA345
; 

loc_7CA357:				; CODE XREF: KeGetExecuteOptions(x,x)+21j
		or	ecx, 20h
		jmp	short loc_7CA349
; 

loc_7CA35C:				; CODE XREF: KeGetExecuteOptions(x,x)+Bj
		or	ecx, 2
		jmp	short loc_7CA333
; 

loc_7CA361:				; CODE XREF: KeGetExecuteOptions(x,x)+25j
		or	ecx, 40h
		jmp	short loc_7CA34D
_KeGetExecuteOptions@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnsecureVirtualMemoryAgainstWrites(x, x, x)
_MiUnsecureVirtualMemoryAgainstWrites@12 proc near ; CODE XREF:	MiRemoveSecureEntry+D9p
					; MmSecureVirtualMemoryAgainstWrites+164E43p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		mov	eax, ecx
		and	[ebp+var_4], 0
		lea	ecx, [ebp+var_4]
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, large fs:124h
		push	0
		push	4
		push	[ebp+arg_0]
		mov	ecx, [ecx+80h]
		push	edx
		mov	edx, eax
		call	_MiSetProtectionOnSection@32 ; MiSetProtectionOnSection(x,x,x,x,x,x,x,x)
		leave
		retn	4
_MiUnsecureVirtualMemoryAgainstWrites@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepFilterPrivilegeAudits proc near	; CODE XREF: SePrivilegedServiceAuditAlarm(x,x,x,x)+82p
					; SeSinglePrivilegeCheck+190p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F2073 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:_SepFilterPrivileges
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_8], eax
		test	edx, edx
		jz	loc_7CA47B
		mov	esi, [edx]
		mov	[ebp+var_10], esi
		test	esi, esi
		jz	loc_7CA47B
		mov	eax, [eax]
		push	ebx
		mov	[ebp+var_14], eax
		lea	ebx, [edx+8]
		lea	eax, [edx+0Ch]
		mov	edx, esi
		mov	esi, [ebp+var_8]
		mov	[ebp+var_4], eax

loc_7CA3E3:				; CODE XREF: SepFilterPrivilegeAudits+80j
		mov	ecx, [ebx]
		mov	[ebp+var_18], ecx
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_C], esi

loc_7CA3EE:				; CODE XREF: SepFilterPrivilegeAudits+65j
		mov	esi, [ebp+var_18]
		cmp	esi, [ecx]
		mov	esi, [ebp+var_8]
		jz	short loc_7CA409

loc_7CA3F8:				; CODE XREF: SepFilterPrivilegeAudits+71j
		mov	ecx, [ebp+var_C]
		add	ecx, 4
		mov	[ebp+var_C], ecx
		mov	ecx, [ecx]
		test	ecx, ecx
		jnz	short loc_7CA3EE
		jmp	short loc_7CA414
; 

loc_7CA409:				; CODE XREF: SepFilterPrivilegeAudits+56j
		mov	eax, [eax]
		cmp	eax, [ecx+4]
		mov	eax, [ebp+var_4]
		jnz	short loc_7CA3F8
		inc	edi

loc_7CA414:				; CODE XREF: SepFilterPrivilegeAudits+67j
		add	eax, 0Ch
		add	ebx, 0Ch
		mov	[ebp+var_4], eax
		sub	edx, 1
		jnz	short loc_7CA3E3
		test	byte ptr [ebp+var_20], 1
		mov	esi, [ebp+var_10]
		mov	edx, [ebp+var_1C]
		jz	short loc_7CA476
		test	esi, esi
		jz	short loc_7CA476
		lea	ebx, [edx+8]
		mov	[ebp+var_20], esi
		add	edx, 0Ch

loc_7CA43B:				; CODE XREF: SepFilterPrivilegeAudits+D1j
		mov	ecx, [ebx]
		mov	eax, offset _SepServicesFilterPrivileges
		mov	[ebp+var_20], ecx
		mov	ecx, ds:_SepServicesFilterPrivileges
		mov	[ebp+var_4], eax

loc_7CA44E:				; CODE XREF: SepFilterPrivilegeAudits+C6j
		mov	eax, [ebp+var_20]
		cmp	eax, [ecx]
		mov	eax, [ebp+var_4]
		jz	loc_8F2073

loc_7CA45C:				; CODE XREF: SepFilterPrivilegeAudits+127CDDj
		add	eax, 4
		mov	[ebp+var_4], eax
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_7CA44E

loc_7CA468:				; CODE XREF: SepFilterPrivilegeAudits+127CE3j
		add	ebx, 0Ch
		add	edx, 0Ch
		sub	esi, 1
		jnz	short loc_7CA43B
		mov	esi, [ebp+var_10]

loc_7CA476:				; CODE XREF: SepFilterPrivilegeAudits+8Cj
					; SepFilterPrivilegeAudits+90j
		pop	ebx
		cmp	edi, esi
		jnz	short loc_7CA481

loc_7CA47B:				; CODE XREF: SepFilterPrivilegeAudits+1Cj
					; SepFilterPrivilegeAudits+29j
		xor	al, al

loc_7CA47D:				; CODE XREF: SepFilterPrivilegeAudits+E3j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_7CA481:				; CODE XREF: SepFilterPrivilegeAudits+D9j
		mov	al, 1
		jmp	short loc_7CA47D
SepFilterPrivilegeAudits endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpAllocateMessageFunction proc near	; DATA XREF: AlpcpInitSystem+13Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F2088 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7CA4D9
		push	98h		; size_t
		xor	ebx, ebx
		lea	edi, [esi+18h]
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	ecx, ds:_AlpcMessageTable
		add	esp, 0Ch
		mov	edx, edi
		push	ebx
		push	ebx
		push	ebx
		call	ExCreateHandleEx
		test	eax, eax
		jz	loc_8F2088

loc_7CA4CE:				; CODE XREF: AlpcpAllocateMessageFunction+127C0Bj
		or	eax, 80000000h
		mov	[edi+90h], eax

loc_7CA4D9:				; CODE XREF: AlpcpAllocateMessageFunction+1Aj
		mov	eax, esi

loc_7CA4DB:				; CODE XREF: AlpcpAllocateMessageFunction+127C1Aj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
AlpcpAllocateMessageFunction endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeBuildLogicalProcessorSystemInformation proc near ; CODE XREF:	PAGE:007806D6p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= word ptr -4
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F20A5 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_8], 0
		xor	eax, eax
		push	ebx
		push	esi
		mov	si, cx
		mov	[ebp+var_1C], eax
		xor	ebx, ebx
		mov	[ebp+var_4], si
		push	edi
		cmp	ds:_KeNumberProcessors,	eax
		jbe	loc_7CA614

loc_7CA50B:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+12Cj
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		mov	al, [ecx+3C5h]
		mov	[ebp+var_1], al
		movzx	eax, al
		cmp	ax, si
		jnz	loc_7CA601
		movzx	eax, [ebp+var_1]
		and	[ebp+var_20], 0
		mov	esi, [ecx+eax*4+401Ch]
		test	esi, esi
		jz	loc_8F20A5
		bsr	edi, esi

loc_7CA541:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+127BC6j
		mov	eax, [ecx+3CCh]
		cmp	eax, edi
		jz	loc_7CA6BA

loc_7CA54F:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+200j
					; KeBuildLogicalProcessorSystemInformation+23Ej
		mov	esi, [ecx+402Ch]
		and	[ebp+var_18], 0
		test	esi, esi
		jz	loc_8F20AD
		bsr	edi, esi

loc_7CA564:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+127BCEj
		cmp	eax, edi
		jnz	short loc_7CA599
		cmp	[ecx+3C8h], esi
		setnz	al
		add	ebx, 18h
		cmp	ebx, [ebp+arg_0]
		ja	loc_7CA6AE
		and	dword ptr [edx+8], 0
		and	dword ptr [edx+4], 0
		and	dword ptr [edx+10h], 0
		and	dword ptr [edx+14h], 0
		and	dword ptr [edx+0Ch], 0
		mov	[edx], esi
		mov	[edx+8], al
		add	edx, 18h

loc_7CA599:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+84j
					; KeBuildLogicalProcessorSystemInformation+1D3j
		xor	eax, eax
		mov	[ebp+var_10], eax
		cmp	[ecx+4010h], eax
		jbe	short loc_7CA5FD
		lea	esi, [edx+8]
		mov	[ebp+var_C], esi
		lea	esi, [ecx+3FD4h]
		mov	[ebp+var_14], esi
		lea	esi, [ecx+4038h]
		mov	[ebp+var_18], esi

loc_7CA5BE:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+119j
		mov	edi, [ecx+3C8h]
		mov	[ebp+var_20], edi
		mov	edi, [esi]
		test	edi, edi
		jz	loc_8F20B5
		and	[ebp+var_24], 0
		bsr	eax, edi
		cmp	[ecx+3CCh], eax
		mov	eax, [ebp+var_10]
		jz	loc_7CA66C

loc_7CA5E7:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+1BBj
					; KeBuildLogicalProcessorSystemInformation+1C7j
		add	[ebp+var_14], 0Ch
		inc	eax
		add	esi, 4
		mov	[ebp+var_10], eax
		mov	[ebp+var_18], esi
		cmp	eax, [ecx+4010h]
		jb	short loc_7CA5BE

loc_7CA5FD:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+C2j
		mov	si, [ebp+var_4]

loc_7CA601:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+3Fj
		mov	eax, [ebp+var_1C]
		inc	eax
		mov	[ebp+var_1C], eax
		cmp	eax, ds:_KeNumberProcessors
		jb	loc_7CA50B

loc_7CA614:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+23j
		movzx	edi, ds:_KeNumberNodes
		xor	eax, eax
		mov	[ebp+var_20], edi
		test	edi, edi
		jz	loc_7CA70A
		add	edx, 8

loc_7CA62B:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+222j
		mov	ecx, ds:_KeNodeBlock[eax*4]
		mov	esi, [ecx+84h]
		test	esi, esi
		jz	loc_7CA701
		mov	di, [ebp+var_4]
		cmp	[ecx+88h], di
		mov	edi, [ebp+var_20]
		jnz	loc_7CA701
		add	ebx, 18h
		cmp	ebx, [ebp+arg_0]
		jbe	loc_7CA6E7
		mov	[ebp+var_8], 0C0000004h
		jmp	loc_7CA701
; 

loc_7CA66C:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+FFj
					; KeBuildLogicalProcessorSystemInformation+127BD6j
		add	ebx, 18h
		cmp	ebx, [ebp+arg_0]
		ja	short loc_7CA6A2
		xor	esi, esi
		mov	[edx], edi
		mov	edi, [ebp+var_C]
		add	edx, 18h
		add	[ebp+var_C], 18h
		mov	[edi+8], esi
		mov	[edi+0Ch], esi
		mov	[edi], esi
		mov	[edi+4], esi
		mov	esi, [ebp+var_14]
		mov	dword ptr [edi-4], 2
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_18]
		jmp	loc_7CA5E7
; 

loc_7CA6A2:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+190j
		mov	[ebp+var_8], 0C0000004h
		jmp	loc_7CA5E7
; 

loc_7CA6AE:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+95j
		mov	[ebp+var_8], 0C0000004h
		jmp	loc_7CA599
; 

loc_7CA6BA:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+67j
		add	ebx, 18h
		cmp	ebx, [ebp+arg_0]
		ja	short loc_7CA719
		xor	eax, eax
		mov	[edx], esi
		mov	dword ptr [edx+4], 3
		mov	[edx+10h], eax
		mov	[edx+14h], eax
		mov	[edx+8], eax
		mov	[edx+0Ch], eax
		add	edx, 18h
		mov	eax, [ecx+3CCh]
		jmp	loc_7CA54F
; 

loc_7CA6E7:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+178j
		xor	ecx, ecx
		mov	[edx-8], esi
		mov	dword ptr [edx-4], 1
		mov	[edx+8], ecx
		mov	[edx+0Ch], ecx
		mov	[edx+4], ecx
		mov	[edx], eax
		add	edx, 18h

loc_7CA701:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+158j
					; KeBuildLogicalProcessorSystemInformation+16Cj ...
		inc	eax
		cmp	eax, edi
		jb	loc_7CA62B

loc_7CA70A:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+140j
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		mov	[ecx], ebx
		pop	ebx
		leave
		retn	8
; 

loc_7CA719:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+1DEj
		mov	[ebp+var_8], 0C0000004h
		jmp	loc_7CA54F
KeBuildLogicalProcessorSystemInformation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpOpenPort(x, x,	x, x, x, x)
_AlpcpOpenPort@24 proc near		; DATA XREF: AlpcpInitSystem+FAo

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		cmp	[ebp+arg_0], 0
		jnz	short loc_7CA755

loc_7CA740:				; CODE XREF: AlpcpOpenPort(x,x,x,x,x,x)+59j
					; AlpcpOpenPort(x,x,x,x,x,x)+61j
		xor	esi, esi

loc_7CA742:				; CODE XREF: AlpcpOpenPort(x,x,x,x,x,x)+68j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	18h
; 

loc_7CA755:				; CODE XREF: AlpcpOpenPort(x,x,x,x,x,x)+18j
		cmp	[ebp+arg_0], 2
		jnz	short loc_7CA789
		mov	ecx, [ebp+arg_C]
		test	dword ptr [ecx+98h], 100000h
		jnz	short loc_7CA789
		mov	ecx, [ecx+0Ch]
		mov	eax, ecx
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx
		cmp	eax, [ebp+arg_8]
		jz	short loc_7CA740
		mov	eax, [ebp+arg_10]
		and	dword ptr [eax], 0FFFFFFFEh
		jmp	short loc_7CA740
; 

loc_7CA789:				; CODE XREF: AlpcpOpenPort(x,x,x,x,x,x)+33j
					; AlpcpOpenPort(x,x,x,x,x,x)+42j
		mov	esi, 0C00000BBh
		jmp	short loc_7CA742
_AlpcpOpenPort@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeIsTokenAssignableToProcess(x, x)
_SeIsTokenAssignableToProcess@8	proc near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E58p
					; PspAssignPrimaryToken+41p

var_24		= byte ptr -24h
var_23		= byte ptr -23h
var_22		= byte ptr -22h
var_21		= dword	ptr -21h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, edx
		push	ebx
		xor	ebx, ebx
		mov	[esp+28h+var_14], eax
		push	esi
		mov	[eax], bl
		mov	eax, large fs:124h
		push	edi
		mov	edi, ecx
		mov	[esp+30h+var_10], ebx
		mov	[esp+30h+var_8], ebx
		mov	eax, [eax+80h]
		push	eax
		mov	[esp+34h+var_22], bl
		mov	byte ptr [esp+34h+var_21], bl
		mov	[esp+34h+var_23], bl
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_7CA7E0
		mov	eax, 0C0000001h
		jmp	loc_7CA915
; 

loc_7CA7E0:				; CODE XREF: SeIsTokenAssignableToProcess(x,x)+44j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceSharedLite
		lea	edx, [esp+30h+var_8]
		mov	ecx, esi
		call	_SepCopyTokenIntegrity@8 ; SepCopyTokenIntegrity(x,x)
		mov	eax, [esi+280h]
		mov	ecx, [esi+30h]
		mov	[esp+30h+var_18], eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, large fs:124h
		mov	edx, esi
		mov	ecx, [eax+80h]
		add	ecx, 12Ch
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [edi+30h]
		call	ExAcquireResourceSharedLite
		lea	edx, [esp+30h+var_10]
		mov	ecx, edi
		call	_SepCopyTokenIntegrity@8 ; SepCopyTokenIntegrity(x,x)
		mov	eax, [edi+0ACh]
		mov	ecx, [edi+30h]
		mov	esi, [edi+0A8h]
		mov	[esp+30h+var_21+1], eax
		mov	eax, [edi+280h]
		mov	[esp+30h+var_1C], eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	esi, 2
		jnz	short loc_7CA89D
		cmp	[esp+30h+var_21+1], esi
		jge	short loc_7CA89D
		mov	eax, 0C00000A5h
		jmp	short loc_7CA915
; 

loc_7CA89D:				; CODE XREF: SeIsTokenAssignableToProcess(x,x)+FEj
					; SeIsTokenAssignableToProcess(x,x)+104j
		mov	edx, [esp+30h+var_10]
		lea	eax, [esp+0Dh]
		mov	ecx, [esp+30h+var_8]
		push	eax
		call	RtlSidDominates
		test	eax, eax
		js	short loc_7CA915
		cmp	[esp+30h+var_23], bl
		jz	short loc_7CA8FB
		mov	edx, [esp+30h+var_1C]
		lea	eax, [esp+30h+var_23]
		mov	ecx, [esp+30h+var_18]
		push	eax
		mov	[esp+34h+var_23], bl
		call	_RtlSidDominatesForTrust@12 ; RtlSidDominatesForTrust(x,x,x)
		test	eax, eax
		js	short loc_7CA915
		cmp	[esp+30h+var_23], bl
		jz	short loc_7CA8FB
		lea	edx, [esp+0Eh]
		mov	ecx, edi
		call	SepIsChildTokenByPointer
		mov	cl, [esp+30h+var_22]
		test	cl, cl
		jnz	short loc_7CA8FF
		test	eax, eax
		js	short loc_7CA915
		lea	edx, [esp+30h+var_21]
		mov	ecx, edi
		call	SepIsSiblingTokenByPointer

loc_7CA8FB:				; CODE XREF: SeIsTokenAssignableToProcess(x,x)+127j
					; SeIsTokenAssignableToProcess(x,x)+147j
		mov	cl, [esp+30h+var_22]

loc_7CA8FF:				; CODE XREF: SeIsTokenAssignableToProcess(x,x)+15Aj
		test	eax, eax
		js	short loc_7CA915
		test	cl, cl
		jnz	short loc_7CA90D
		cmp	byte ptr [esp+30h+var_21], bl
		jz	short loc_7CA90F

loc_7CA90D:				; CODE XREF: SeIsTokenAssignableToProcess(x,x)+175j
		mov	bl, 1

loc_7CA90F:				; CODE XREF: SeIsTokenAssignableToProcess(x,x)+17Bj
		mov	ecx, [esp+30h+var_14]
		mov	[ecx], bl

loc_7CA915:				; CODE XREF: SeIsTokenAssignableToProcess(x,x)+4Bj
					; SeIsTokenAssignableToProcess(x,x)+10Bj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_SeIsTokenAssignableToProcess@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepIsSiblingTokenByPointer proc	near	; CODE XREF: SeIsTokenAssignableToProcess(x,x)+166p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F20BD SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, edx
		push	ebx
		mov	[ebp+var_8], eax
		mov	ebx, ecx
		push	esi
		mov	byte ptr [eax],	0
		mov	eax, large fs:124h
		push	edi
		mov	eax, [eax+80h]
		push	eax
		mov	[ebp+var_C], eax
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8F20BD
		mov	eax, [edi+24h]
		mov	edx, edi
		mov	ecx, [ebp+var_C]
		mov	esi, [edi+20h]
		add	ecx, 12Ch
		mov	[ebp+var_10], eax
		mov	eax, [edi+18h]
		mov	[ebp+var_14], eax
		mov	eax, [edi+1Ch]
		mov	[ebp+var_4], eax
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	ecx, [ebx+24h]
		mov	edx, [ebx+18h]
		mov	[ebp+var_C], ecx
		mov	ecx, [ebx+1Ch]
		mov	[ebp+var_18], edx
		mov	[ebp+var_1C], ecx
		cmp	[ebx+20h], esi
		jnz	short loc_7CA9EA
		mov	eax, [ebp+var_C]
		cmp	eax, [ebp+var_10]
		jnz	short loc_7CA9EA
		mov	esi, [ebp+var_14]
		cmp	edx, esi
		jz	short loc_7CA9F1

loc_7CA99B:				; CODE XREF: SepIsSiblingTokenByPointer+D8j
		mov	edx, ebx
		mov	ecx, edi
		call	_SepAcquireOrderedReadLocks@8 ;	SepAcquireOrderedReadLocks(x,x)
		test	byte ptr [edi+0B0h], 20h
		jnz	short loc_7CA9D0
		test	byte ptr [ebx+0B0h], 20h
		jnz	short loc_7CA9D0
		mov	edx, [ebx+0C0h]
		mov	ecx, [edi+0C0h]
		mov	eax, [edx+18h]
		and	eax, [ecx+18h]
		test	al, 40h
		jnz	loc_8F20C7

loc_7CA9D0:				; CODE XREF: SepIsSiblingTokenByPointer+8Fj
					; SepIsSiblingTokenByPointer+98j ...
		mov	ecx, [edi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_7CA9EA:				; CODE XREF: SepIsSiblingTokenByPointer+6Ej
					; SepIsSiblingTokenByPointer+76j ...
		xor	eax, eax

loc_7CA9EC:				; CODE XREF: SepIsSiblingTokenByPointer+1277A6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7CA9F1:				; CODE XREF: SepIsSiblingTokenByPointer+7Dj
		cmp	ecx, [ebp+var_4]
		jnz	short loc_7CA99B
		mov	eax, [ebp+var_8]
		mov	byte ptr [eax],	1
		jmp	short loc_7CA9EA
SepIsSiblingTokenByPointer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepIsChildTokenByPointer proc near	; CODE XREF: SeIsTokenAssignableToProcess(x,x)+14Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F20FF SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	ebx, [eax+80h]
		push	ebx
		mov	byte ptr [edi],	0
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		test	eax, eax
		jz	short loc_7CAA54
		mov	ecx, [eax+14h]
		mov	edx, eax
		mov	[ebp+var_8], ecx
		lea	ecx, [ebx+12Ch]
		push	esi
		mov	esi, [eax+10h]
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+20h]
		cmp	eax, esi
		mov	ecx, [ecx+24h]
		pop	esi
		jz	loc_8F20FF

loc_7CAA4E:				; CODE XREF: SepIsChildTokenByPointer+127704j
					; SepIsChildTokenByPointer+12770Dj
		xor	eax, eax

loc_7CAA50:				; CODE XREF: SepIsChildTokenByPointer+5Bj
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_7CAA54:				; CODE XREF: SepIsChildTokenByPointer+25j
		mov	eax, 0C0000001h
		jmp	short loc_7CAA50
SepIsChildTokenByPointer endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCompareTokens	proc near		; DATA XREF: .text:005811A0o

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F2110 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008F2137 SIZE 000000AB BYTES

		push	30h
		push	offset dword_6A3B60
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_19], bl
		mov	[ebp+var_34], ebx
		mov	[ebp+var_38], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_2C], al
		test	al, al
		jz	short loc_7CAAA7
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [ebp+arg_8]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8F2110

loc_7CAA9C:				; CODE XREF: NtCompareTokens+1276B6j
		mov	al, [ecx]
		mov	[ecx], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7CAAA7:				; CODE XREF: NtCompareTokens+2Bj
		mov	eax, ds:_SeTokenObjectType
		mov	[ebp+var_24], ebx
		push	ebx
		lea	ecx, [ebp+var_24]
		push	ecx
		push	[ebp+var_2C]
		push	eax
		push	8
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+var_20], eax
		mov	edi, [ebp+var_24]
		test	eax, eax
		js	loc_8F2137
		mov	ecx, [ebp+arg_4]
		cmp	[ebp+arg_0], ecx
		jz	loc_8F2141
		mov	eax, ds:_SeTokenObjectType
		mov	[ebp+var_30], ebx
		push	ebx
		lea	edx, [ebp+var_30]
		push	edx
		push	[ebp+var_2C]
		push	eax
		push	8
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+var_20], eax
		mov	esi, [ebp+var_30]
		test	eax, eax
		js	loc_7CAC9F
		cmp	edi, esi
		jz	loc_7CAC9B
		mov	edx, esi
		mov	ecx, edi
		call	_SepAcquireOrderedReadLocks@8 ;	SepAcquireOrderedReadLocks(x,x)
		mov	[ebp+var_19], 1
		mov	ebx, [esi+94h]
		mov	eax, [edi+94h]
		mov	[ebp+arg_0], eax
		push	dword ptr [ebx]
		push	dword ptr [eax]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	loc_7CAC4C
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+4]
		xor	eax, [ebx+4]
		test	al, 14h
		jnz	loc_7CAC4C
		lea	eax, [ebp+var_34]
		push	eax
		push	1Dh
		push	edi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_7CAC4C
		lea	eax, [ebp+var_38]
		push	eax
		push	1Dh
		push	esi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_7CAC4C
		mov	eax, [ebp+var_34]
		cmp	eax, [ebp+var_38]
		jnz	loc_7CAC4C
		test	eax, eax
		jnz	loc_8F214B

loc_7CAB8B:				; CODE XREF: NtCompareTokens+12772Dj
		mov	edx, [edi+280h]
		mov	ebx, [esi+280h]
		test	ebx, ebx
		setnz	cl
		test	edx, edx
		setnz	al
		cmp	al, cl
		jnz	loc_7CAC4C
		test	edx, edx
		jnz	loc_8F218E

loc_7CABB1:				; CODE XREF: NtCompareTokens+127741j
		push	edi
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		mov	bl, al
		push	esi
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		cmp	bl, al
		jnz	loc_7CAC4C
		test	bl, bl
		jnz	loc_8F21A2

loc_7CABCF:				; CODE XREF: NtCompareTokens+127781j
		mov	eax, [edi+48h]
		cmp	eax, [esi+48h]
		jnz	short loc_7CAC4C
		mov	eax, [edi+4Ch]
		cmp	eax, [esi+4Ch]
		jnz	short loc_7CAC4C
		mov	eax, [edi+40h]
		cmp	eax, [esi+40h]
		jnz	short loc_7CAC4C
		mov	eax, [edi+44h]
		cmp	eax, [esi+44h]
		jnz	short loc_7CAC4C
		mov	eax, [edi+0BCh]
		cmp	eax, [esi+0BCh]
		jnz	short loc_7CAC4C
		mov	eax, [esi+7Ch]
		dec	eax
		push	eax
		mov	eax, [esi+94h]
		add	eax, 8
		push	eax
		mov	edx, [edi+7Ch]
		dec	edx
		mov	ecx, [edi+94h]
		add	ecx, 8
		call	SepCompareSidAndAttributeArrays
		test	al, al
		jz	short loc_7CAC4C
		mov	edx, [esi+27Ch]
		mov	ecx, [edi+27Ch]
		call	SepCompareClaimAttributes
		test	al, al
		jz	short loc_7CAC4C
		mov	edx, [esi+1DCh]
		mov	ecx, [edi+1DCh]
		call	_AuthzBasepCompareLegacySecurityAttributesInformation@8	; AuthzBasepCompareLegacySecurityAttributesInformation(x,x)
		test	al, al
		jnz	short loc_7CAC9B

loc_7CAC4C:				; CODE XREF: NtCompareTokens+D6j
					; NtCompareTokens+E7j ...
		xor	ebx, ebx

loc_7CAC4E:				; CODE XREF: NtCompareTokens+241j
					; NtCompareTokens+1276EAj
		cmp	[ebp+var_19], 0
		jz	short loc_7CAC5D
		mov	edx, esi
		mov	ecx, edi
		call	_SepReleaseOrderedReadLocks@8 ;	SepReleaseOrderedReadLocks(x,x)

loc_7CAC5D:				; CODE XREF: NtCompareTokens+1F6j
		test	edi, edi
		jz	short loc_7CAC68
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7CAC68:				; CODE XREF: NtCompareTokens+203j
		test	esi, esi
		jz	short loc_7CAC73
		mov	ecx, esi
		call	ObfDereferenceObject

loc_7CAC73:				; CODE XREF: NtCompareTokens+20Ej
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+arg_8]
		mov	[eax], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]

loc_7CAC89:				; CODE XREF: sub_8F2125+Dj
					; sub_8F21F0+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7CAC9B:				; CODE XREF: NtCompareTokens+A9j
					; NtCompareTokens+1EEj
		mov	bl, 1
		jmp	short loc_7CAC4E
; 

loc_7CAC9F:				; CODE XREF: NtCompareTokens+A1j
		mov	esi, ebx
		jmp	short loc_7CAC4C
NtCompareTokens	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepCompareLegacySecurityAttributesInformation(x, x)
_AuthzBasepCompareLegacySecurityAttributesInformation@8	proc near
					; CODE XREF: NtCompareTokens+1E7p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx]
		push	ebx
		xor	bl, bl
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], eax
		push	edi
		mov	edi, [edx]
		test	eax, eax
		jz	short loc_7CAD30

loc_7CACC1:				; CODE XREF: AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+8Ej
		lea	eax, [ecx+4]
		push	esi
		mov	esi, [eax]
		cmp	esi, eax
		jz	short loc_7CAD01

loc_7CACCB:				; CODE XREF: AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+58j
		mov	ecx, esi
		call	_AuthzBasepIsCompareRelevantAttribute@4	; AuthzBasepIsCompareRelevantAttribute(x)
		test	al, al
		jz	short loc_7CAD38
		mov	ecx, [ebp+var_4]
		lea	edx, [esi+10h]
		call	_AuthzBasepFindSecurityAttribute@8 ; AuthzBasepFindSecurityAttribute(x,x)
		test	eax, eax
		jz	short loc_7CAD26
		mov	edx, eax
		mov	ecx, esi
		call	AuthzBasepCompareSecurityAttribute
		test	al, al
		jz	short loc_7CAD26

loc_7CACF2:				; CODE XREF: AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+97j
		mov	eax, [ebp+var_C]
		mov	esi, [esi]
		add	eax, 4
		cmp	esi, eax
		jnz	short loc_7CACCB
		mov	edx, [ebp+var_4]

loc_7CAD01:				; CODE XREF: AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+25j
		lea	eax, [edx+4]
		mov	esi, [eax]

loc_7CAD06:				; CODE XREF: AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+79j
		cmp	esi, eax
		jz	short loc_7CAD1F
		mov	ecx, esi
		call	_AuthzBasepIsCompareRelevantAttribute@4	; AuthzBasepIsCompareRelevantAttribute(x)
		test	al, al
		jz	short loc_7CAD2D

loc_7CAD15:				; CODE XREF: AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+8Aj
		mov	eax, [ebp+var_4]
		mov	esi, [esi]
		add	eax, 4
		jmp	short loc_7CAD06
; 

loc_7CAD1F:				; CODE XREF: AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+64j
		cmp	[ebp+var_8], edi
		jnz	short loc_7CAD26
		mov	bl, 1

loc_7CAD26:				; CODE XREF: AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+3Fj
					; AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+4Cj ...
		pop	esi

loc_7CAD27:				; CODE XREF: AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+92j
		pop	edi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_7CAD2D:				; CODE XREF: AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+6Fj
		dec	edi
		jmp	short loc_7CAD15
; 

loc_7CAD30:				; CODE XREF: AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+1Bj
		test	edi, edi
		jnz	short loc_7CACC1
		mov	bl, 1
		jmp	short loc_7CAD27
; 

loc_7CAD38:				; CODE XREF: AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+30j
		dec	[ebp+var_8]
		jmp	short loc_7CACF2
_AuthzBasepCompareLegacySecurityAttributesInformation@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall AuthzBasepIsCompareRelevantAttribute(x)
_AuthzBasepIsCompareRelevantAttribute@4	proc near
					; CODE XREF: AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+29p
					; AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+68p
		test	byte ptr [ecx+1Ch], 40h
		jnz	short loc_7CAD5B
		push	1
		add	ecx, 10h
		push	ecx
		push	offset dword_401534
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_7CAD5B
		inc	al
		retn
; 

loc_7CAD5B:				; CODE XREF: AuthzBasepIsCompareRelevantAttribute(x)+4j
					; AuthzBasepIsCompareRelevantAttribute(x)+18j
		xor	al, al
		retn
_AuthzBasepIsCompareRelevantAttribute@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AuthzBasepCompareSecurityAttribute proc	near
					; CODE XREF: AuthzBasepCompareLegacySecurityAttributesInformation(x,x)+45p
					; AuthzBasepCompareSecurityAttributesInformation(x,x)+32p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F2202 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+18h+var_4], edx
		xor	ebx, ebx
		mov	ecx, ebx
		mov	[esp+18h+var_C], ebx
		mov	[esp+18h+var_8], ecx
		mov	eax, [edi+24h]
		cmp	eax, [edx+24h]
		jnz	short loc_7CADE3
		mov	ax, [edi+18h]
		cmp	ax, [edx+18h]
		jnz	short loc_7CADE3
		mov	eax, [edi+1Ch]
		cmp	eax, [edx+1Ch]
		jnz	short loc_7CADE3
		lea	eax, [edi+2Ch]
		mov	esi, [eax]

loc_7CAD9D:				; CODE XREF: AuthzBasepCompareSecurityAttribute+81j
		cmp	esi, eax
		jz	short loc_7CADE1
		movzx	edx, word ptr [edi+18h]
		mov	eax, edx
		test	ax, ax
		jz	short loc_7CADF4
		cmp	eax, 2
		jbe	short loc_7CADEC
		cmp	eax, 5
		ja	loc_8F2202

loc_7CADBA:				; CODE XREF: AuthzBasepCompareSecurityAttribute+1274B6j
		lea	ecx, [esi+18h]
		mov	eax, ebx

loc_7CADBF:				; CODE XREF: AuthzBasepCompareSecurityAttribute+94j
		mov	[esp+18h+var_8], ecx
		mov	[esp+18h+var_C], eax

loc_7CADC7:				; CODE XREF: AuthzBasepCompareSecurityAttribute+9Aj
		push	eax
		push	ecx
		mov	ecx, [esp+20h+var_4]
		call	AuthzBasepFindSecurityAttributeValue
		test	eax, eax
		jz	short loc_7CADE3
		mov	esi, [esi]
		lea	eax, [edi+2Ch]
		mov	ecx, [esp+18h+var_8]
		jmp	short loc_7CAD9D
; 

loc_7CADE1:				; CODE XREF: AuthzBasepCompareSecurityAttribute+41j
		mov	bl, 1

loc_7CADE3:				; CODE XREF: AuthzBasepCompareSecurityAttribute+26j
					; AuthzBasepCompareSecurityAttribute+30j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7CADEC:				; CODE XREF: AuthzBasepCompareSecurityAttribute+51j
					; AuthzBasepCompareSecurityAttribute+1274A7j
		mov	ecx, [esi+18h]
		mov	eax, [esi+1Ch]
		jmp	short loc_7CADBF
; 

loc_7CADF4:				; CODE XREF: AuthzBasepCompareSecurityAttribute+4Cj
					; AuthzBasepCompareSecurityAttribute+1274B0j
		mov	eax, [esp+18h+var_C]
		jmp	short loc_7CADC7
AuthzBasepCompareSecurityAttribute endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepCompareClaimAttributes proc near	; CODE XREF: NtCompareTokens+1D2p
					; SepSetTokenClaims+11B174p

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 008F2219 SIZE 000000AF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, edx
		mov	[ebp+var_1], al
		push	edi
		mov	edi, ecx
		mov	dh, al
		mov	cl, al
		mov	dl, al
		mov	bl, al
		mov	ch, al
		mov	bh, al
		cmp	edi, esi
		jnz	loc_8F2219

loc_7CAE20:				; CODE XREF: SepCompareClaimAttributes+127470j
					; SepCompareClaimAttributes+1274AAj ...
		mov	al, 1

loc_7CAE22:				; CODE XREF: SepCompareClaimAttributes+1274C9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
SepCompareClaimAttributes endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepCompareSidAndAttributeArrays	proc near ; CODE XREF: NtCompareTokens+1BDp
					; NtCompareTokens+127720p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F22C8 SIZE 000000C7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_14], edi
		cmp	edi, [ebp+arg_4]
		jnz	short loc_7CAE93
		xor	esi, esi
		mov	[ebp+var_C], esi
		test	edi, edi
		jz	short loc_7CAE82
		mov	edx, [ebp+arg_0]
		mov	eax, ecx
		sub	eax, edx
		mov	[ebp+var_C], eax
		lea	ebx, [edx+4]

loc_7CAE56:				; CODE XREF: SepCompareSidAndAttributeArrays+52j
		push	dword ptr [ebx-4]
		push	dword ptr [ecx+esi*8]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_7CAE7C
		mov	eax, [ebp+var_C]
		mov	eax, [eax+ebx]
		xor	eax, [ebx]
		test	al, 14h
		jnz	short loc_7CAE7C
		mov	ecx, [ebp+var_4]
		inc	esi
		add	ebx, 8
		cmp	esi, edi
		jb	short loc_7CAE56

loc_7CAE7C:				; CODE XREF: SepCompareSidAndAttributeArrays+3Bj
					; SepCompareSidAndAttributeArrays+47j
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_C], esi

loc_7CAE82:				; CODE XREF: SepCompareSidAndAttributeArrays+1Fj
		cmp	esi, edi
		jnz	loc_8F22C8

loc_7CAE8A:				; CODE XREF: SepCompareSidAndAttributeArrays+127509j
					; SepCompareSidAndAttributeArrays+127562j
		mov	al, 1

loc_7CAE8C:				; CODE XREF: SepCompareSidAndAttributeArrays+6Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7CAE93:				; CODE XREF: SepCompareSidAndAttributeArrays+16j
					; SepCompareSidAndAttributeArrays+1274F3j ...
		xor	al, al
		jmp	short loc_7CAE8C
SepCompareSidAndAttributeArrays	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtGetCachedSigningLevel	proc near	; DATA XREF: .text:0058101Co

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5E		= byte ptr -5Eh
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008F238F SIZE 0000008C BYTES
; FUNCTION CHUNK AT 008F244D SIZE 0000000A BYTES

		push	80h
		push	offset dword_6A3B88
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_70], eax
		mov	esi, [ebp+arg_C]
		mov	[ebp+var_7C], esi
		mov	ebx, [ebp+arg_10]
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_84], eax
		xor	edi, edi
		push	40h
		pop	esi
		push	esi		; size_t
		push	edi		; int
		lea	eax, [ebp+var_5C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_78], esi
		xor	edx, edx
		mov	[ebp+var_80], edx
		mov	[ebp+var_74], edx
		mov	[ebp+var_5E], dl
		mov	ecx, [ebp+var_68]
		test	ecx, ecx
		jz	loc_8F244D
		cmp	[ebp+var_6C], edx
		jz	loc_8F244D
		cmp	[ebp+var_70], edx
		jz	loc_8F244D
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_5D], al
		mov	byte ptr [ebp+var_68], al
		mov	eax, ds:_IoFileObjectType
		mov	[ebp+var_64], edx
		push	edx
		lea	edx, [ebp+var_64]
		push	edx
		push	[ebp+var_68]
		push	eax
		push	1
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	edi, [ebp+var_64]
		mov	[ebp+var_68], edi
		mov	[ebp+var_90], edi
		test	esi, esi
		jns	short loc_7CAF62

loc_7CAF46:				; CODE XREF: NtGetCachedSigningLevel+104j
					; NtGetCachedSigningLevel+151j	...
		test	edi, edi
		jnz	loc_7CAFEE

loc_7CAF4E:				; CODE XREF: NtGetCachedSigningLevel+15Dj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7CAF62:				; CODE XREF: NtGetCachedSigningLevel+ACj
		mov	ecx, [ebp+var_7C]
		mov	eax, ecx
		neg	eax
		sbb	eax, eax
		lea	edx, [ebp+var_80]
		and	eax, edx
		push	eax
		mov	eax, ecx
		neg	eax
		sbb	eax, eax
		lea	edx, [ebp+var_78]
		and	eax, edx
		push	eax
		neg	ecx
		sbb	eax, eax
		lea	ecx, [ebp+var_5C]
		and	eax, ecx
		push	eax
		lea	eax, [ebp+var_5E]
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		push	edi
		call	_SeGetCachedSigningLevel@24 ; SeGetCachedSigningLevel(x,x,x,x,x,x)
		mov	[ebp+var_64], eax
		mov	esi, eax
		test	eax, eax
		js	short loc_7CAF46
		and	[ebp+ms_exc.disabled], 0
		mov	cl, [ebp+var_5D]
		cmp	cl, 1
		jnz	short loc_7CAFC5
		push	4
		push	4
		push	[ebp+var_6C]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	1
		push	1
		push	[ebp+var_70]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	cl, [ebp+var_5D]

loc_7CAFC5:				; CODE XREF: NtGetCachedSigningLevel+110j
		mov	edx, [ebp+var_74]
		mov	eax, [ebp+var_6C]
		mov	[eax], edx
		mov	al, [ebp+var_5E]
		mov	esi, [ebp+var_70]
		mov	[esi], al
		mov	eax, [ebp+var_64]
		mov	esi, eax
		test	ebx, ebx
		jnz	loc_8F238F

loc_7CAFE2:				; CODE XREF: NtGetCachedSigningLevel+127574j
					; NtGetCachedSigningLevel+12757Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7CAF46
; 

loc_7CAFEE:				; CODE XREF: NtGetCachedSigningLevel+B0j
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	loc_7CAF4E
NtGetCachedSigningLevel	endp

; 
		align 10h
; Exported entry 2467. SeGetCachedSigningLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeGetCachedSigningLevel(x, x, x, x,	x, x)
		public _SeGetCachedSigningLevel@24
_SeGetCachedSigningLevel@24 proc near	; CODE XREF: NtGetCachedSigningLevel+F8p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6BEA28
		test	eax, eax
		jz	short loc_7CB038
		cmp	[ebp+arg_0], 0
		jz	short loc_7CB03F
		cmp	[ebp+arg_4], 0
		jz	short loc_7CB03F
		cmp	[ebp+arg_8], 0
		jz	short loc_7CB03F
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_4]
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		call	eax

loc_7CB034:				; CODE XREF: SeGetCachedSigningLevel(x,x,x,x,x,x)+3Dj
					; SeGetCachedSigningLevel(x,x,x,x,x,x)+44j
		pop	ebp
		retn	18h
; 

loc_7CB038:				; CODE XREF: SeGetCachedSigningLevel(x,x,x,x,x,x)+Cj
		mov	eax, 0C0000001h
		jmp	short loc_7CB034
; 

loc_7CB03F:				; CODE XREF: SeGetCachedSigningLevel(x,x,x,x,x,x)+12j
					; SeGetCachedSigningLevel(x,x,x,x,x,x)+18j ...
		mov	eax, 0C000000Dh
		jmp	short loc_7CB034
_SeGetCachedSigningLevel@24 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpInsertMessageDirectQueue(x, x)
_AlpcpInsertMessageDirectQueue@8 proc near ; CODE XREF:	AlpcpCompleteDispatchMessage+77Bp
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		xor	edx, edx
		lea	ecx, [ebx+7Ch]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+14h]
		lea	ecx, [ebx+80h]
		mov	[edi+8], ebx
		and	eax, 0FFFFFF84h
		mov	esi, [ebx+0F4h]
		and	esi, 6
		or	esi, 1
		shl	esi, 2
		or	esi, eax
		mov	[edi+14h], esi
		lea	esi, [ebx+7Ch]
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		mov	[edi], ecx
		mov	eax, [ecx+4]
		mov	[eax], edi
		or	eax, 0FFFFFFFFh
		inc	dword ptr [ebx+110h]
		mov	[ecx+4], edi
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7CB0AC

loc_7CB0A2:				; CODE XREF: AlpcpInsertMessageDirectQueue(x,x)+6Dj
		pop	edi
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	KeAbPostRelease
; 

loc_7CB0AC:				; CODE XREF: AlpcpInsertMessageDirectQueue(x,x)+5Aj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7CB0A2
_AlpcpInsertMessageDirectQueue@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpReceiveView(x,	x, x)
_AlpcpReceiveView@12 proc near		; CODE XREF: AlpcpExposeViewAttribute(x,x,x,x)+2Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [edx+4Ch]
		push	esi
		mov	esi, [eax+8]
		mov	ecx, esi
		call	AlpcpLockForCachedReferenceBlob
		mov	eax, [ebp+arg_0]
		mov	ecx, esi
		mov	dl, [esi+18h]
		and	dl, 1
		mov	[eax], dl
		call	AlpcpUnlockBlob
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
_AlpcpReceiveView@12 endp

; 
		align 8
; Exported entry 564. FsRtlIsEcpFromUserMode

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlIsEcpFromUserMode(x)
		public _FsRtlIsEcpFromUserMode@4
_FsRtlIsEcpFromUserMode@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax-10h]
		shr	eax, 4
		and	al, 1
		pop	ebp
		retn	4
_FsRtlIsEcpFromUserMode@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpOpenRegistrationObject(x, x, x,	x, x, x)
_EtwpOpenRegistrationObject@24 proc near
					; DATA XREF: EtwpInitializePrivateSessionDemuxObject()+56o
					; EtwpInitializeRegistration()+81o ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		neg	eax
		sbb	eax, eax
		and	eax, 0C00000BBh
		pop	ebp
		retn	18h
_EtwpOpenRegistrationObject@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAlpcDeleteSectionView	proc near	; DATA XREF: .text:00581220o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F2457 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, large fs:124h
		sub	esp, 14h
		dec	word ptr [eax+13Ch]
		push	ebx
		push	esi
		push	edi
		nop
		cmp	[ebp+arg_4], 0
		jnz	loc_8F2457
		mov	eax, large fs:124h
		lea	ecx, [esp+20h+var_10]
		xor	edi, edi
		push	edi
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+28h+var_C], al
		push	[esp+28h+var_C]
		mov	eax, ds:_AlpcPortObjectType
		push	eax
		push	1
		push	[ebp+arg_0]
		mov	[esp+38h+var_10], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7CB1EB
		mov	ebx, [esp+20h+var_10]
		mov	eax, [ebp+arg_8]
		mov	[esp+20h+var_4], edi
		mov	[esp+20h+var_8], eax
		lea	esi, [ebx+0D0h]

loc_7CB183:				; CODE XREF: NtAlpcDeleteSectionView+A4j
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		lea	eax, [esp+20h+var_8]
		push	eax
		push	ecx
		mov	ecx, ebx
		call	_AlpcpEnumerateResourcesPort@16	; AlpcpEnumerateResourcesPort(x,x,x,x)
		push	11h
		mov	edi, eax
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jnz	short loc_7CB202

loc_7CB1A9:				; CODE XREF: NtAlpcDeleteSectionView+F7j
		mov	ecx, esi
		call	KeAbPostRelease
		cmp	edi, 0C000022Dh
		jz	short loc_7CB183
		mov	edi, [esp+20h+var_4]
		test	edi, edi
		jz	short loc_7CB20B
		mov	ecx, edi
		call	_AlpcpDeleteView@4 ; AlpcpDeleteView(x)
		movzx	esi, al
		mov	ecx, edi
		neg	esi
		sbb	esi, esi
		xor	edx, edx
		and	esi, 3FFFFFAAh
		inc	edx
		add	esi, 0C0000056h
		call	AlpcpDereferenceBlobEx

loc_7CB1E4:				; CODE XREF: NtAlpcDeleteSectionView+FEj
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_7CB1EB:				; CODE XREF: NtAlpcDeleteSectionView+5Aj
					; NtAlpcDeleteSectionView+12734Aj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7CB202:				; CODE XREF: NtAlpcDeleteSectionView+95j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7CB1A9
; 

loc_7CB20B:				; CODE XREF: NtAlpcDeleteSectionView+ACj
		mov	esi, 0C0000141h
		jmp	short loc_7CB1E4
NtAlpcDeleteSectionView	endp

; 
		align 8
; Exported entry 1572. NtQuerySystemInformationEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtQuerySystemInformationEx
NtQuerySystemInformationEx proc	near	; DATA XREF: .text:00580DF4o

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008F2461 SIZE 00000053 BYTES

		push	0Ch
		push	offset dword_6A3BA8
		call	__SEH_prolog4
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	loc_8F24AA
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	loc_8F24AA
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 79h
		jg	loc_7CB2CF
		jz	loc_7CB301
		cmp	ecx, 49h
		jle	loc_7CB2FB
		mov	eax, ecx
		sub	eax, 53h
		jz	loc_7CB301
		sub	eax, 11h
		jz	loc_7CB301
		sub	eax, 7
		jnz	loc_7CB30E

loc_7CB272:				; CODE XREF: NtQuerySystemInformationEx+C7j
					; NtQuerySystemInformationEx+CCj ...
		push	3

loc_7CB274:				; CODE XREF: NtQuerySystemInformationEx+DEj
		pop	edx

loc_7CB275:				; CODE XREF: NtQuerySystemInformationEx+ECj
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_7CB2AC
		and	[ebp+ms_exc.disabled], 0
		test	edx, esi
		jnz	short loc_7CB309
		lea	edx, [esi+edi]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	loc_8F24A2
		cmp	edx, esi
		jb	loc_8F24A2

loc_7CB2A5:				; CODE XREF: NtQuerySystemInformationEx+12728Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7CB2AC:				; CODE XREF: NtQuerySystemInformationEx+6Bj
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	edi
		mov	edx, esi
		call	_ExpQuerySystemInformation@24 ;	ExpQuerySystemInformation(x,x,x,x,x,x)

loc_7CB2BD:				; CODE XREF: sub_7CB34D+Dj
					; NtQuerySystemInformationEx+127285j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7CB2CF:				; CODE XREF: NtQuerySystemInformationEx+28j
		mov	eax, 0B4h
		cmp	ecx, eax
		jle	short loc_7CB318
		mov	eax, ecx
		sub	eax, 0B5h
		jz	short loc_7CB272
		sub	eax, 1Ch
		jz	short loc_7CB272
		sub	eax, 1
		jz	short loc_7CB272
		sub	eax, 1
		jnz	loc_8F2498

loc_7CB2F4:				; CODE XREF: NtQuerySystemInformationEx+117j
					; NtQuerySystemInformationEx+12727Aj
		push	7
		jmp	loc_7CB274
; 

loc_7CB2FB:				; CODE XREF: NtQuerySystemInformationEx+37j
		jnz	loc_8F2461

loc_7CB301:				; CODE XREF: NtQuerySystemInformationEx+2Ej
					; NtQuerySystemInformationEx+42j ...
		xor	edx, edx
		inc	edx
		jmp	loc_7CB275
; 

loc_7CB309:				; CODE XREF: NtQuerySystemInformationEx+73j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7CB30E:				; CODE XREF: NtQuerySystemInformationEx+54j
		sub	eax, 1
		jz	short loc_7CB301
		jmp	loc_8F2498
; 

loc_7CB318:				; CODE XREF: NtQuerySystemInformationEx+BEj
		jz	loc_7CB272
		mov	eax, ecx
		sub	eax, 8Dh
		jz	short loc_7CB301
		sub	eax, 13h
		jz	short loc_7CB301
		sub	eax, 5
		jz	short loc_7CB2F4
		sub	eax, 0Ah
		jz	loc_7CB272
		jmp	loc_8F248F
NtQuerySystemInformationEx endp


;  S U B	R O U T	I N E 


sub_7CB33F	proc near		; DATA XREF: .text:006A3BBCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_7CB33F	endp


;  S U B	R O U T	I N E 


sub_7CB34D	proc near		; DATA XREF: .text:006A3BC0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_7CB2BD
sub_7CB34D	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpOpenImageFileOptionsKeyEx proc near	; CODE XREF: RtlOpenImageFileOptionsKey(x,x,x)+Dp
					; SepIsImageInMinTcbList+110p

var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F24B4 SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		mov	[ebx], esi
		mov	[esp+40h+var_28], esi
		mov	[esp+40h+var_24], esi
		mov	[esp+40h+var_20], esi
		movzx	edx, word ptr [edi]
		mov	eax, [edi+4]
		mov	ecx, edx
		add	eax, ecx
		mov	[esp+40h+var_1C], esi
		test	ecx, ecx
		jz	short loc_7CB3A7

loc_7CB395:				; CODE XREF: RtlpOpenImageFileOptionsKeyEx+43j
		cmp	word ptr [eax-2], 5Ch
		jz	short loc_7CB3A5
		add	eax, 0FFFFFFFEh
		dec	ecx
		sub	ecx, 1
		jnz	short loc_7CB395

loc_7CB3A5:				; CODE XREF: RtlpOpenImageFileOptionsKeyEx+3Aj
		xor	esi, esi

loc_7CB3A7:				; CODE XREF: RtlpOpenImageFileOptionsKeyEx+33j
		sub	edx, ecx
		mov	[esp+40h+var_1C], eax
		movzx	eax, dx
		mov	word ptr [esp+40h+var_20], ax
		cmp	eax, edx
		jnz	loc_8F24B4
		cmp	_RtlpDisableIFEOCaching, 0
		lea	ecx, [esp+40h+var_28]
		setnz	[esp+40h+var_2D]
		call	@RtlpOpenBaseImageFileOptionsKey@4 ; RtlpOpenBaseImageFileOptionsKey(x)
		test	eax, eax
		js	short loc_7CB43E
		mov	eax, large fs:124h
		mov	ecx, [esp+40h+var_28]
		mov	al, [eax+15Ah]
		mov	[esp+40h+var_14], ecx
		xor	ecx, ecx
		cmp	al, 1
		mov	[esp+40h+var_18], 18h
		lea	eax, [esp+40h+var_20]
		mov	[esp+40h+var_8], esi
		setz	cl
		mov	[esp+40h+var_10], eax
		dec	ecx
		mov	[esp+40h+var_4], esi
		lea	eax, [esp+40h+var_18]
		and	ecx, 0FFFFFC00h
		push	eax
		push	9
		lea	eax, [esp+48h+var_24]
		add	ecx, 640h
		push	eax
		mov	[esp+4Ch+var_C], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		cmp	[esp+40h+var_2D], 0
		mov	esi, eax
		jnz	loc_8F24BE

loc_7CB438:				; CODE XREF: RtlpOpenImageFileOptionsKeyEx+127167j
		test	esi, esi
		jns	short loc_7CB447

loc_7CB43C:				; CODE XREF: RtlpOpenImageFileOptionsKeyEx+109j
					; RtlpOpenImageFileOptionsKeyEx+127171j ...
		mov	eax, esi

loc_7CB43E:				; CODE XREF: RtlpOpenImageFileOptionsKeyEx+74j
					; RtlpOpenImageFileOptionsKeyEx+127159j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7CB447:				; CODE XREF: RtlpOpenImageFileOptionsKeyEx+DAj
		mov	eax, [esp+40h+var_24]
		lea	ecx, [esp+40h+var_2C]
		push	edi
		mov	[esp+44h+var_2C], eax
		call	RtlpProcessIFEOKeyFilter
		mov	esi, eax
		test	esi, esi
		js	loc_8F24CC
		mov	eax, [esp+40h+var_2C]
		mov	[ebx], eax
		jmp	short loc_7CB43C
RtlpOpenImageFileOptionsKeyEx endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall RtlpOpenBaseImageFileOptionsKey(x)
@RtlpOpenBaseImageFileOptionsKey@4 proc	near ; CODE XREF: RtlpOpenImageFileOptionsKeyEx+6Dp
					; RtlQueryImageFileExecutionOptions+11p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		lea	esi, [eax+264h]
		mov	edx, [esi]
		mov	[ebp+var_4], edx
		test	edx, edx
		jnz	short loc_7CB4B8
		push	ecx
		lea	ecx, [ebp+var_4]
		call	@RtlpOpenBaseImageFileOptionsKeyEx@12 ;	RtlpOpenBaseImageFileOptionsKeyEx(x,x,x)
		test	eax, eax
		js	short loc_7CB4BC
		cmp	_RtlpDisableIFEOCaching, 0
		mov	edx, [ebp+var_4]
		jnz	short loc_7CB4B8
		mov	ecx, edx
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_7CB4B8
		push	edx
		call	_ZwClose@4	; ZwClose(x)
		mov	edx, [esi]

loc_7CB4B8:				; CODE XREF: RtlpOpenBaseImageFileOptionsKey(x)+1Dj
					; RtlpOpenBaseImageFileOptionsKey(x)+36j ...
		mov	[edi], edx
		xor	eax, eax

loc_7CB4BC:				; CODE XREF: RtlpOpenBaseImageFileOptionsKey(x)+2Aj
		pop	edi
		pop	esi
		leave
		retn
@RtlpOpenBaseImageFileOptionsKey@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpProcessIFEOKeyFilter proc near	; CODE XREF: RtlpOpenImageFileOptionsKeyEx+F4p

var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F24E5 SIZE 00000309 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 280h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		push	6
		xor	edx, edx
		mov	[ebp+var_254], ebx
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_240], edx
		lea	edi, [ebp+var_27C]
		mov	[ebp+var_23C], edx
		rep stosd
		push	offset ??_C@_1BE@BICGMBFB@?$AAU?$AAs?$AAe?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@
		lea	eax, [ebp+var_240]
		mov	[ebp+var_234], edx
		lea	ecx, [ebp+var_22C]
		mov	[ebp+var_230], edx
		push	eax
		mov	[ebp+var_260], edx
		mov	edi, edx
		mov	[ebp+var_25C], edx
		mov	[ebp+var_238], 220h
		mov	[ebp+var_24C], ecx
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_7CB57D
		lea	eax, [ebp+var_234]
		push	eax
		push	220h
		lea	eax, [ebp+var_22C]
		push	eax
		push	2
		pop	eax
		push	eax
		lea	eax, [ebp+var_240]
		push	eax
		push	dword ptr [ebx]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_8F2500
		cmp	eax, 0C0000034h
		jnz	loc_8F24E5

loc_7CB57B:				; CODE XREF: RtlpProcessIFEOKeyFilter+12702Aj
					; RtlpProcessIFEOKeyFilter+12703Bj ...
		xor	eax, eax

loc_7CB57D:				; CODE XREF: RtlpProcessIFEOKeyFilter+81j
					; RtlpProcessIFEOKeyFilter+127035j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
RtlpProcessIFEOKeyFilter endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmCreateCacheManagerSection(x, x, x, x, x)
_MmCreateCacheManagerSection@20	proc near ; CODE XREF: CcInitializeCacheMapEx+65Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		and	edx, 1
		push	eax
		push	0FFFFFFFFh
		push	eax
		push	[ebp+arg_8]
		push	eax
		push	eax
		push	eax
		lea	eax, ds:2[edx*4]
		xor	edx, edx
		push	eax
		push	8000000h
		push	4
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	MiCreateSection
		pop	ebp
		retn	0Ch
_MmCreateCacheManagerSection@20	endp

; 
		align 8
; Exported entry 1874. PsReferenceImpersonationToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReferenceImpersonationToken(x, x,	x, x)
		public _PsReferenceImpersonationToken@16
_PsReferenceImpersonationToken@16 proc near ; CODE XREF: CmpOpenHiveFile+17D895p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	0
		push	[ebp+arg_C]
		inc	edx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_PsReferenceImpersonationTokenEx@24 ; PsReferenceImpersonationTokenEx(x,x,x,x,x,x)
		pop	ebp
		retn	10h
_PsReferenceImpersonationToken@16 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1636. ObQueryObjectAuditingByHandle

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObQueryObjectAuditingByHandle
ObQueryObjectAuditingByHandle proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F27EE SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:124h
		mov	ecx, large fs:124h
		push	ebx
		push	esi
		mov	ebx, [eax+80h]
		mov	eax, large fs:124h
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_8], ecx
		mov	ecx, edi
		mov	dl, [eax+15Ah]
		mov	[ebp+var_1], 0
		mov	[ebp+var_10], ebx
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jnz	short loc_7CB6AB
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		test	al, al
		jnz	loc_8F27EE
		mov	esi, [ebx+18Ch]

loc_7CB641:				; CODE XREF: ObQueryObjectAuditingByHandle+CBj
					; ObQueryObjectAuditingByHandle+12721Dj
		mov	eax, [ebp+var_8]
		dec	word ptr [eax+13Ch]
		nop
		mov	edx, edi
		mov	ecx, esi
		call	ExMapHandleToPointer
		mov	edi, eax
		test	edi, edi
		jz	short loc_7CB6C2
		push	7
		pop	edx
		mov	ecx, edi
		call	_ExGetHandleAttributes@8 ; ExGetHandleAttributes(x,x)
		mov	ebx, eax
		xor	eax, eax
		inc	eax
		lock xadd [edi], eax
		lea	ecx, [esi+20h]
		xor	edx, edx
		xor	esi, esi
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], esi
		lock or	[eax], edx
		cmp	[ecx], esi
		jnz	short loc_7CB6B9

loc_7CB682:				; CODE XREF: ObQueryObjectAuditingByHandle+D4j
		mov	eax, [ebp+arg_4]
		shr	ebx, 2
		and	bl, 1
		mov	[eax], bl
		mov	ebx, [ebp+var_10]

loc_7CB690:				; CODE XREF: ObQueryObjectAuditingByHandle+DBj
		mov	ecx, [ebp+var_8]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[ebp+var_1], 0
		jnz	loc_8F280E

loc_7CB6A2:				; CODE XREF: ObQueryObjectAuditingByHandle+12722Dj
		mov	eax, esi

loc_7CB6A4:				; CODE XREF: ObQueryObjectAuditingByHandle+127214j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7CB6AB:				; CODE XREF: ObQueryObjectAuditingByHandle+40j
		mov	esi, _ObpKernelHandleTable
		xor	edi, 80000000h
		jmp	short loc_7CB641
; 

loc_7CB6B9:				; CODE XREF: ObQueryObjectAuditingByHandle+94j
		xor	edx, edx
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	short loc_7CB682
; 

loc_7CB6C2:				; CODE XREF: ObQueryObjectAuditingByHandle+6Dj
		mov	esi, 0C0000008h
		jmp	short loc_7CB690
ObQueryObjectAuditingByHandle endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCloseObjectAuditAlarm	proc near	; DATA XREF: .text:005811BCo

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008F281E SIZE 0000004F BYTES
; FUNCTION CHUNK AT 008F288D SIZE 00000043 BYTES

		push	24h
		push	offset dword_6A3BC8
		call	__SEH_prolog4
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		cmp	[ebp+arg_8], 0
		jnz	loc_8F281E
		xor	eax, eax

loc_7CB6FC:				; CODE XREF: NtCloseObjectAuditAlarm+127201j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
NtCloseObjectAuditAlarm	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQueryWnfStateNameInformation proc near ; DATA	XREF: .text:00580DD8o

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F28D0 SIZE 00000037 BYTES
; FUNCTION CHUNK AT 008F291C SIZE 0000000D BYTES
; FUNCTION CHUNK AT 008F294F SIZE 0000001F BYTES

		push	4Ch
		push	offset dword_6A3BE8
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_38], esi
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	[ebp+var_19], bl
		mov	byte ptr [ebp+var_34], bl
		mov	[ebp+var_28], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_5C], esi
		mov	[ebp+var_58], esi
		mov	[ebp+ms_exc.disabled], esi
		push	[ebp+var_34]
		lea	edx, [ebp+var_54]
		mov	ecx, [ebp+arg_0]
		call	ExpCaptureWnfStateName
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_7CB9D2
		mov	ecx, [ebp+var_54]
		mov	eax, [ebp+var_50]
		shrd	ecx, eax, 4
		and	ecx, 3
		mov	[ebp+var_40], ecx
		mov	ecx, [ebp+var_54]
		shrd	ecx, eax, 6
		and	ecx, 0Fh
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_2C], ecx
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		push	[ebp+var_34]
		mov	edx, [ebp+arg_8]
		call	_ExpWnfCaptureScopeInstanceId@20 ; ExpWnfCaptureScopeInstanceId(x,x,x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_7CB9D2
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 2
		ja	loc_8F291C
		cmp	[ebp+arg_10], 4
		jb	loc_8F28D0
		test	bl, bl
		jz	short loc_7CB7DB
		push	4
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [ebp+arg_4]

loc_7CB7DB:				; CODE XREF: NtQueryWnfStateNameInformation+BBj
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		xor	ebx, ebx
		inc	ebx
		test	ecx, ecx
		jz	loc_7CB969
		mov	[ebp+arg_0], esi

loc_7CB7EF:				; CODE XREF: NtQueryWnfStateNameInformation+262j
		mov	dl, [ebp+var_19]
		test	dl, dl
		jz	loc_7CB951
		test	ecx, ecx
		jz	loc_7CB951
		mov	eax, esi
		mov	[ebp+arg_10], eax
		cmp	[ebp+arg_8], eax
		jnz	loc_8F28E4

loc_7CB810:				; CODE XREF: NtQueryWnfStateNameInformation+248j
					; NtQueryWnfStateNameInformation+1271F4j
		mov	[ebp+arg_8], esi
		test	eax, eax
		jnz	short loc_7CB827
		cmp	ecx, 2
		jnz	loc_7CB944

loc_7CB820:				; CODE XREF: NtQueryWnfStateNameInformation+238j
		mov	[ebp+arg_8], 2

loc_7CB827:				; CODE XREF: NtQueryWnfStateNameInformation+107j
					; NtQueryWnfStateNameInformation+23Ej
		mov	ecx, esi
		test	dl, dl
		jz	loc_7CB95B
		cmp	[ebp+arg_0], ecx
		jnz	loc_7CB97B
		mov	ecx, large fs:124h
		mov	edx, [ecx+80h]

loc_7CB847:				; CODE XREF: NtQueryWnfStateNameInformation+279j
		mov	eax, [ebp+var_2C]

loc_7CB84A:				; CODE XREF: NtQueryWnfStateNameInformation+256j
		push	[ebp+var_38]	; void *
		push	eax		; int
		push	ecx		; int
		lea	ecx, [ebp+var_30]
		call	ExpWnfResolveScopeInstance
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_7CB9D8
		push	[ebp+var_50]
		push	[ebp+var_54]
		lea	edx, [ebp+var_24]
		mov	ecx, [ebp+var_30]
		call	_ExpWnfLookupNameInstance@16 ; ExpWnfLookupNameInstance(x,x,x,x)
		mov	[ebp+var_20], eax
		cmp	eax, 0C0000034h
		jz	loc_7CB98C

loc_7CB881:				; CODE XREF: NtQueryWnfStateNameInformation+282j
		test	eax, eax
		js	loc_7CB9D8
		cmp	[ebp+arg_10], 0
		jnz	short loc_7CB8A8
		mov	ecx, [ebp+var_24]
		mov	ecx, [ecx+2Ch]

loc_7CB895:				; CODE XREF: NtQueryWnfStateNameInformation+2ADj
		mov	edx, [ebp+arg_8]
		call	_ExpWnfCheckCallerAccess@8 ; ExpWnfCheckCallerAccess(x,x)
		test	eax, eax
		mov	[ebp+var_20], eax
		js	loc_7CB9D8

loc_7CB8A8:				; CODE XREF: NtQueryWnfStateNameInformation+17Fj
					; NtQueryWnfStateNameInformation+2A1j
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [ebp+arg_4]
		mov	eax, ecx
		sub	eax, esi
		jz	short loc_7CB8C8
		sub	eax, 1
		mov	ecx, [ebp+var_24]
		jz	short loc_7CB937
		test	ecx, ecx
		jz	short loc_7CB8C5
		cmp	[ecx+5Ch], esi
		jnz	short loc_7CB940

loc_7CB8C5:				; CODE XREF: NtQueryWnfStateNameInformation+1B0j
					; NtQueryWnfStateNameInformation+230j ...
		mov	ecx, [ebp+arg_4]

loc_7CB8C8:				; CODE XREF: NtQueryWnfStateNameInformation+1A4j
		mov	eax, [ebp+arg_C]
		mov	[eax], ebx
		mov	eax, esi

loc_7CB8CF:				; CODE XREF: NtQueryWnfStateNameInformation+127216j
		mov	[ebp+var_20], eax
		mov	[ebp+ms_exc.disabled], edi

loc_7CB8D5:				; CODE XREF: NtQueryWnfStateNameInformation+2CDj
					; NtQueryWnfStateNameInformation+1271D1j ...
		cmp	eax, 0C0000034h
		jz	loc_8F294F

loc_7CB8E0:				; CODE XREF: NtQueryWnfStateNameInformation+127243j
					; NtQueryWnfStateNameInformation+12725Bj ...
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jz	short loc_7CB8EF
		add	ecx, 4
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7CB8EF:				; CODE XREF: NtQueryWnfStateNameInformation+1D7j
		mov	ecx, [ebp+var_30]
		test	ecx, ecx
		jz	short loc_7CB8FE
		add	ecx, 4
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7CB8FE:				; CODE XREF: NtQueryWnfStateNameInformation+1E6j
		cmp	[ebp+var_28], 0
		jnz	loc_7CB9C0

loc_7CB908:				; CODE XREF: NtQueryWnfStateNameInformation+2BFj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	[ebp+var_34]
		lea	edx, [ebp+var_5C]
		mov	ecx, [ebp+var_2C]
		call	_ExpWnfReleaseCapturedScopeInstanceId@12 ; ExpWnfReleaseCapturedScopeInstanceId(x,x,x)
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7CB937:				; CODE XREF: NtQueryWnfStateNameInformation+1ACj
		test	ecx, ecx
		jz	short loc_7CB940
		cmp	[ecx+58h], esi
		jnz	short loc_7CB8C5

loc_7CB940:				; CODE XREF: NtQueryWnfStateNameInformation+1B5j
					; NtQueryWnfStateNameInformation+22Bj
		mov	ebx, esi
		jmp	short loc_7CB8C5
; 

loc_7CB944:				; CODE XREF: NtQueryWnfStateNameInformation+10Cj
		cmp	ecx, ebx
		jz	loc_7CB820
		jmp	loc_7CB827
; 

loc_7CB951:				; CODE XREF: NtQueryWnfStateNameInformation+E6j
					; NtQueryWnfStateNameInformation+EEj
		mov	eax, ebx
		mov	[ebp+arg_10], eax
		jmp	loc_7CB810
; 

loc_7CB95B:				; CODE XREF: NtQueryWnfStateNameInformation+11Dj
		mov	edx, ds:_PsInitialSystemProcess
		mov	eax, [ebp+var_3C]
		jmp	loc_7CB84A
; 

loc_7CB969:				; CODE XREF: NtQueryWnfStateNameInformation+D8j
		mov	[ebp+arg_0], ebx
		cmp	[ebp+arg_8], 0
		jz	loc_7CB7EF
		jmp	loc_8F28D7
; 

loc_7CB97B:				; CODE XREF: NtQueryWnfStateNameInformation+126j
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		jmp	loc_7CB847
; 

loc_7CB98C:				; CODE XREF: NtQueryWnfStateNameInformation+16Dj
		cmp	[ebp+var_40], 3
		jz	loc_7CB881
		push	[ebp+var_50]
		push	[ebp+var_54]
		lea	ecx, [ebp+var_28]
		call	ExpWnfLookupPermanentName
		mov	[ebp+var_20], eax
		test	eax, eax
		js	short loc_7CB9D8
		cmp	[ebp+arg_10], 0
		jnz	loc_7CB8A8
		mov	ecx, [ebp+var_28]
		mov	ecx, [ecx+8]
		jmp	loc_7CB895
; 

loc_7CB9C0:				; CODE XREF: NtQueryWnfStateNameInformation+1F4j
		push	20666E57h
		push	[ebp+var_28]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7CB908
; 

loc_7CB9D2:				; CODE XREF: NtQueryWnfStateNameInformation+5Fj
					; NtQueryWnfStateNameInformation+9Dj
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi

loc_7CB9D8:				; CODE XREF: NtQueryWnfStateNameInformation+14Ej
					; NtQueryWnfStateNameInformation+175j ...
		mov	ecx, [ebp+arg_4]
		jmp	loc_7CB8D5
NtQueryWnfStateNameInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtAlpcSetInformation(int,int,int,size_t)
_NtAlpcSetInformation@16 proc near	; DATA XREF: .text:005811F4o

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	54h
		push	offset dword_6A3C20
		call	__SEH_prolog4_GS
		mov	edi, [ebp+arg_0]
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_58], esi
		push	2Ch		; size_t
		push	0		; int
		lea	eax, [ebp+var_48]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		and	[ebp+var_4C], 0
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		test	edi, edi
		jnz	short loc_7CBA1C

loc_7CBA12:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+4Aj
		mov	edi, 0C000000Dh
		jmp	loc_7CBC53
; 

loc_7CBA1C:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+30j
		test	esi, esi
		jnz	short loc_7CBA2C
		cmp	[ebp+arg_4], 7
		jz	short loc_7CBA2C
		cmp	[ebp+arg_4], 0Ah
		jnz	short loc_7CBA12

loc_7CBA2C:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+3Ej
					; NtAlpcSetInformation(x,x,x,x)+44j
		mov	eax, large fs:124h
		mov	cl, [eax+15Ah]
		mov	[ebp+var_4D], cl
		mov	byte ptr [ebp+var_60], cl
		mov	eax, [ebp+var_58]
		mov	esi, eax
		mov	[ebp+var_54], esi
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jz	short loc_7CBA92
		test	cl, cl
		jz	short loc_7CBA92
		cmp	ebx, 2Ch
		jbe	short loc_7CBA60
		mov	edi, 0C0000004h
		jmp	loc_7CBC53
; 

loc_7CBA60:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+74j
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_7CBA73
		mov	eax, ecx
		mov	[ebp+var_58], eax

loc_7CBA73:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+8Cj
		push	ebx		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_48]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		nop
		lea	esi, [ebp+var_48]
		mov	[ebp+var_54], esi
		mov	[ebp+var_64], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7CBA92:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+6Bj
					; NtAlpcSetInformation(x,x,x,x)+6Fj
		lea	eax, [ebp+var_4C]
		push	eax
		push	[ebp+var_60]
		xor	edx, edx
		inc	edx
		mov	ecx, edi
		call	_AlpcpReferencePortByHandle@16 ; AlpcpReferencePortByHandle(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7CBC53
		mov	ecx, [ebp+arg_4]
		dec	ecx
		cmp	ecx, 9		; switch 10 cases
		ja	loc_7CBC44	; default
		jmp	ds:off_7CBC6C[ecx*4] ; switch jump
; 

loc_7CBAC1:				; DATA XREF: .text:006A3C34o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_5C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7CBACF:				; DATA XREF: .text:006A3C38o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_5C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7CBC53
; 

loc_7CBAE1:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+DAj
					; DATA XREF: PAGE:off_7CBC6Co
		cmp	ebx, 2Ch	; case 0x0
		jz	short loc_7CBAF0

loc_7CBAE6:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+138j
		mov	edi, 0C0000004h
		jmp	loc_7CBC49
; 

loc_7CBAF0:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+104j
		mov	ecx, [esi]
		mov	esi, [ebp+var_4C]
		test	ecx, 0FC00FFFFh
		jnz	short loc_7CBB44
		mov	eax, [esi+98h]
		xor	eax, ecx
		and	eax, 20000h
		xor	[esi+98h], eax
		jmp	loc_7CBC4C
; 

loc_7CBB15:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+DAj
					; DATA XREF: PAGE:off_7CBC6Co
		cmp	ebx, 8		; case 0x1
		jnz	short loc_7CBAE6
		push	dword ptr [esi]
		mov	edx, [esi+4]
		mov	esi, [ebp+var_4C]
		mov	ecx, esi
		call	AlpcpAssociateIoCompletionPort

loc_7CBB29:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+184j
		mov	edi, eax
		jmp	loc_7CBC4C
; 

loc_7CBB30:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+DAj
					; DATA XREF: PAGE:off_7CBC6Co
		mov	esi, [ebp+var_4C] ; case 0x5
		mov	eax, [esi+0F4h]
		and	al, 6
		cmp	al, 2
		jnz	short loc_7CBB44
		cmp	ebx, 10h
		jz	short loc_7CBB4E

loc_7CBB44:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+11Bj
					; NtAlpcSetInformation(x,x,x,x)+15Dj ...
		mov	edi, 0C000000Dh
		jmp	loc_7CBC4C
; 

loc_7CBB4E:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+162j
		push	ecx
		mov	edx, [ebp+var_54]
		push	dword ptr [edx+0Ch]
		push	dword ptr [edx+8]
		push	dword ptr [edx+4]
		mov	edx, [edx]
		mov	ecx, esi
		call	AlpcpInitializeCompletionList
		jmp	short loc_7CBB29
; 

loc_7CBB66:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+DAj
					; DATA XREF: PAGE:off_7CBC6Co
		mov	esi, [ebp+var_4C] ; case 0x6
		test	ebx, ebx
		jnz	short loc_7CBB44
		mov	ecx, esi
		call	_AlpcpLockPortExclusive@4 ; AlpcpLockPortExclusive(x)
		cmp	[esi+0D4h], ebx
		jz	short loc_7CBB83
		mov	ecx, esi
		call	_AlpcpFreeCompletionList@4 ; AlpcpFreeCompletionList(x)

loc_7CBB83:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+19Aj
					; NtAlpcSetInformation(x,x,x,x)+25Fj
		mov	ecx, esi
		call	_AlpcpUnlockPortExclusive@4 ; AlpcpUnlockPortExclusive(x)
		xor	edi, edi
		jmp	loc_7CBC4C
; 

loc_7CBB91:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+DAj
					; DATA XREF: PAGE:off_7CBC6Co
		mov	esi, [ebp+var_4C] ; case 0x9
		test	ebx, ebx
		jnz	short loc_7CBB44
		mov	ecx, esi
		call	_AlpcpLockPortExclusive@4 ; AlpcpLockPortExclusive(x)
		cmp	[esi+0D4h], ebx
		jnz	short loc_7CBBAE
		mov	edi, 0C000000Dh
		jmp	short loc_7CBBBA
; 

loc_7CBBAE:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+1C5j
		and	dword ptr [esi+0F4h], 0FFFEFFFFh
		xor	edi, edi

loc_7CBBBA:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+1CCj
		mov	ecx, esi
		call	_AlpcpUnlockPortExclusive@4 ; AlpcpUnlockPortExclusive(x)
		jmp	loc_7CBC4C
; 

loc_7CBBC6:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+DAj
					; DATA XREF: PAGE:off_7CBC6Co
		cmp	ebx, 4		; case 0x7
		jnz	short loc_7CBC44 ; default
		cmp	dword ptr [esi], 0
		mov	esi, [ebp+var_4C]
		jz	loc_7CBB44
		mov	ecx, esi
		call	_AlpcpLockPortShared@4 ; AlpcpLockPortShared(x)
		cmp	dword ptr [esi+0D4h], 0
		jnz	short loc_7CBBEE
		mov	edi, 0C000000Dh
		jmp	short loc_7CBBFC
; 

loc_7CBBEE:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+205j
		mov	edx, [ebp+var_54]
		mov	edx, [edx]
		mov	ecx, esi
		call	_AlpcpAdjustCompletionListConcurrencyCount@8 ; AlpcpAdjustCompletionListConcurrencyCount(x,x)
		xor	edi, edi

loc_7CBBFC:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+20Cj
		mov	ecx, esi
		call	_AlpcpUnlockPortShared@4 ; AlpcpUnlockPortShared(x)
		jmp	short loc_7CBC4C
; 

loc_7CBC05:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+DAj
					; DATA XREF: PAGE:off_7CBC6Co
		lea	edi, [ebx-8]	; case 0x4
		neg	edi
		sbb	edi, edi
		and	edi, 0C000000Dh
		jmp	short loc_7CBC49
; 

loc_7CBC14:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+DAj
					; DATA XREF: PAGE:off_7CBC6Co
		cmp	[ebp+var_4D], 0	; case 0x8
		jnz	short loc_7CBC44 ; default
		mov	edi, [ebp+var_58]
		mov	ecx, [edi]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	esi, [ebp+var_4C]
		mov	ecx, esi
		call	_AlpcpLockPortExclusive@4 ; AlpcpLockPortExclusive(x)
		mov	eax, [edi]
		mov	[esi+0D8h], eax
		mov	eax, [edi+4]
		mov	[esi+0DCh], eax
		jmp	loc_7CBB83
; 

loc_7CBC44:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+D4j
					; NtAlpcSetInformation(x,x,x,x)+DAj ...
		mov	edi, 0C000000Dh	; default

loc_7CBC49:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+10Bj
					; NtAlpcSetInformation(x,x,x,x)+232j
		mov	esi, [ebp+var_4C]

loc_7CBC4C:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+130j
					; NtAlpcSetInformation(x,x,x,x)+14Bj ...
		mov	ecx, esi
		call	_AlpcpDereferencePort@4	; AlpcpDereferencePort(x)

loc_7CBC53:				; CODE XREF: NtAlpcSetInformation(x,x,x,x)+37j
					; NtAlpcSetInformation(x,x,x,x)+7Bj ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_NtAlpcSetInformation@16 endp

; 
off_7CBC6C	dd offset loc_7CBAE1	; DATA XREF: NtAlpcSetInformation(x,x,x,x)+DAr
		dd offset loc_7CBB15	; jump table for switch	statement
		dd offset loc_7CBC44
		dd offset loc_7CBC44
		dd offset loc_7CBC05
		dd offset loc_7CBB30
		dd offset loc_7CBB66
		dd offset loc_7CBBC6
		dd offset loc_7CBC14
		dd offset loc_7CBB91

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpAssociateIoCompletionPort proc near ; CODE	XREF: NtAlpcSetInformation(x,x,x,x)+144p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F2993 SIZE 00000098 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, ecx
		test	ebx, ebx
		jz	loc_8F2993
		push	edi
		lea	edi, [esi+0D0h]
		xor	edx, edx
		mov	ecx, edi
		mov	[ebp+var_C], edi
		call	ExAcquirePushLockExclusiveEx
		xor	ecx, ecx
		cmp	[esi+10h], ecx
		jnz	loc_8F299D
		cmp	[esi+0D4h], ecx
		jnz	loc_8F29C2
		mov	eax, large fs:124h
		push	ecx
		mov	[ebp+var_4], ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, ds:_IoCompletionObjectType
		push	eax
		push	2
		push	ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edx, [ebp+var_4]
		mov	ebx, eax
		mov	[esi+10h], edx
		test	ebx, ebx
		js	loc_8F2A02
		mov	ecx, [esi+0D4h]
		mov	ebx, [ebp+arg_0]
		mov	[esi+14h], ebx
		test	ecx, ecx
		jnz	loc_8F29F2
		mov	al, [edx]
		and	al, 7Fh
		cmp	al, 15h
		jz	loc_8F29E7
		mov	ecx, [edx+1Ch]

loc_7CBD2F:				; CODE XREF: AlpcpAssociateIoCompletionPort+126D59j
		cmp	ecx, 4
		jbe	short loc_7CBD37
		push	4
		pop	ecx

loc_7CBD37:				; CODE XREF: AlpcpAssociateIoCompletionPort+9Ej
					; AlpcpAssociateIoCompletionPort+126D64j
		push	ebx
		call	AlpcpAllocateCompletionPacketLookaside
		mov	[esi+18h], eax
		test	eax, eax
		jz	loc_8F29FD
		lea	ebx, [esi+5Ch]
		xor	edx, edx
		mov	ecx, ebx
		mov	[ebp+var_8], ebx
		call	ExAcquirePushLockExclusiveEx
		lea	ecx, [esi+60h]
		mov	eax, [ecx]
		cmp	eax, ecx
		jnz	short loc_7CBD93

loc_7CBD60:				; CODE XREF: AlpcpAssociateIoCompletionPort+11Dj
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7CBDB3

loc_7CBD6D:				; CODE XREF: AlpcpAssociateIoCompletionPort+126j
		mov	ecx, ebx
		call	KeAbPostRelease
		xor	ebx, ebx

loc_7CBD76:				; CODE XREF: AlpcpAssociateIoCompletionPort+126D83j
					; AlpcpAssociateIoCompletionPort+126D92j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7CBDBC

loc_7CBD83:				; CODE XREF: AlpcpAssociateIoCompletionPort+12Fj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, ebx

loc_7CBD8C:				; CODE XREF: AlpcpAssociateIoCompletionPort+126D29j
					; AlpcpAssociateIoCompletionPort+126D4Ej
		pop	edi

loc_7CBD8D:				; CODE XREF: AlpcpAssociateIoCompletionPort+126D04j
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7CBD93:				; CODE XREF: AlpcpAssociateIoCompletionPort+CAj
		mov	edi, eax
		lea	ebx, [esi+60h]

loc_7CBD98:				; CODE XREF: AlpcpAssociateIoCompletionPort+115j
		push	0
		push	0
		xor	dl, dl
		mov	ecx, esi
		call	_AlpcpQueueIoCompletionPort@16 ; AlpcpQueueIoCompletionPort(x,x,x,x)
		mov	edi, [edi]
		cmp	edi, ebx
		jnz	short loc_7CBD98
		mov	edi, [ebp+var_C]
		mov	ebx, [ebp+var_8]
		jmp	short loc_7CBD60
; 

loc_7CBDB3:				; CODE XREF: AlpcpAssociateIoCompletionPort+D7j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7CBD6D
; 

loc_7CBDBC:				; CODE XREF: AlpcpAssociateIoCompletionPort+EDj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7CBD83
AlpcpAssociateIoCompletionPort endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpAdjustCompletionListConcurrencyCount(x, x)
_AlpcpAdjustCompletionListConcurrencyCount@8 proc near
					; CODE XREF: NtAlpcSetInformation(x,x,x,x)+215p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ebx
		push	edi
		mov	eax, [ebx+0D4h]
		add	eax, 4Ch
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], eax
		mov	edi, [eax]

loc_7CBDE9:				; CODE XREF: AlpcpAdjustCompletionListConcurrencyCount(x,x)+42j
					; AlpcpAdjustCompletionListConcurrencyCount(x,x)+63j ...
		cmp	edi, esi
		jz	short loc_7CBE2F
		mov	edx, edi
		mov	eax, edi
		mov	edi, [ebp+var_8]
		mov	ecx, esi
		lock cmpxchg [edi], ecx
		mov	edi, eax
		cmp	edi, edx
		jnz	short loc_7CBE2B
		cmp	dword ptr [ebx+10h], 0
		jz	short loc_7CBE2F
		cmp	edx, esi
		jnb	short loc_7CBDE9
		mov	ebx, esi
		mov	esi, [ebp+var_4]
		sub	ebx, edx

loc_7CBE11:				; CODE XREF: AlpcpAdjustCompletionListConcurrencyCount(x,x)+5Bj
		push	0
		push	0
		mov	dl, 1
		mov	ecx, esi
		call	_AlpcpQueueIoCompletionPort@16 ; AlpcpQueueIoCompletionPort(x,x,x,x)
		sub	ebx, 1
		jnz	short loc_7CBE11
		mov	esi, [ebp+var_C]
		mov	ebx, [ebp+var_4]
		jmp	short loc_7CBDE9
; 

loc_7CBE2B:				; CODE XREF: AlpcpAdjustCompletionListConcurrencyCount(x,x)+38j
		cmp	edi, esi
		jb	short loc_7CBDE9

loc_7CBE2F:				; CODE XREF: AlpcpAdjustCompletionListConcurrencyCount(x,x)+25j
					; AlpcpAdjustCompletionListConcurrencyCount(x,x)+3Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AlpcpAdjustCompletionListConcurrencyCount@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpInitializeCompletionList proc near	; CODE XREF: NtAlpcSetInformation(x,x,x,x)+17Fp

var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1E		= byte ptr -1Eh
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F2A2B SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008F2A4F SIZE 00000037 BYTES
; FUNCTION CHUNK AT 008F2A94 SIZE 0000003E BYTES

		push	34h
		push	offset dword_6A3C40
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_30], eax
		mov	[ebp+var_24], ecx
		xor	ebx, ebx
		mov	dl, bl
		mov	[ebp+var_19], dl
		mov	dh, bl
		mov	[ebp+var_1A], dh
		mov	[ebp+var_1B], bl
		mov	esi, ebx
		mov	edi, [ebp+arg_0]
		or	eax, edi
		test	eax, 0FFFh
		jnz	loc_8F2A94
		lea	eax, [edi-4000h]
		cmp	eax, 3FFFC000h
		ja	loc_8F2A94
		test	[ebp+arg_8], 55FFFFFFh
		jnz	loc_8F2A94
		cmp	[ebp+arg_4], ebx
		jz	loc_8F2A94
		push	6E496C41h
		push	58h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	esi, esi
		jz	loc_8F2A2B
		push	58h		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[esi+8], eax
		mov	eax, [ebp+var_30]
		mov	[esi+14h], eax
		add	eax, edi
		mov	[ebp+var_38], eax
		mov	[esi+18h], eax
		mov	ecx, esi
		call	AlpcpRegisterCompletionListDatabase
		test	eax, eax
		jz	loc_8F2A59
		mov	al, 1
		mov	[ebp+var_1B], al
		mov	[ebp+var_1E], al
		push	ebx
		push	ebx
		push	ebx
		push	edi
		push	[ebp+var_30]
		call	IoAllocateMdl
		mov	ecx, eax
		mov	[esi+10h], ecx
		test	ecx, ecx
		jz	loc_8F2A2B
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:124h
		mov	[ebp+var_44], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_34], al
		push	2
		push	[ebp+var_34]
		push	ecx
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_1A], 1
		mov	eax, [esi+10h]
		test	byte ptr [eax+6], 5
		jnz	loc_8F2A60
		push	40000000h
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	eax
		call	MmMapLockedPagesSpecifyCache

loc_7CBF4C:				; CODE XREF: AlpcpInitializeCompletionList+126C2Fj
		mov	[esi+20h], eax
		test	eax, eax
		jz	loc_8F2A68
		push	edi		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ebx, [esi+20h]
		mov	[ebp+var_3C], ebx
		mov	ecx, 0BAADF00Dh
		mov	[ebx], ecx
		mov	eax, 0DEADBEEFh
		mov	[ebx+4], eax
		mov	[ebx+148h], eax
		mov	[ebx+14Ch], ecx
		mov	eax, edi
		shr	eax, 6
		lea	eax, ds:0FFFh[eax*4]
		mov	ecx, 0FFFFF000h
		and	eax, ecx
		mov	[ebp+var_2C], eax
		sub	edi, eax
		sub	edi, 1000h
		mov	edx, edi
		shr	edx, 6
		mov	esi, edx
		shr	esi, 3
		add	esi, 0FFFh
		and	esi, ecx
		sub	edi, esi
		mov	ecx, [ebp+var_28]
		mov	eax, [ebp+arg_0]
		mov	[ecx+24h], eax
		mov	[ecx+28h], ebx
		mov	eax, [ecx+20h]
		add	eax, 1000h
		mov	[ecx+2Ch], eax
		mov	ebx, [ebp+var_2C]
		mov	[ecx+30h], ebx
		mov	ecx, ebx
		add	ecx, eax
		mov	eax, [ebp+var_28]
		mov	[eax+34h], ecx
		mov	[eax+38h], esi
		mov	eax, esi
		shr	eax, 6
		sub	edx, eax
		mov	eax, [ebp+var_28]
		mov	[eax+44h], edx
		lea	eax, [ecx+esi]
		mov	ecx, [ebp+var_28]
		mov	[ecx+3Ch], eax
		mov	[ecx+40h], edi
		mov	eax, [ebp+arg_4]
		mov	[ecx+4Ch], eax
		mov	edx, [ebp+var_30]
		mov	[ecx+14h], edx
		mov	eax, [ebp+var_38]
		mov	[ecx+18h], eax
		mov	eax, ebx
		add	eax, esi
		add	edx, 1000h
		add	eax, edx
		mov	[ecx+1Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+50h], eax
		push	eax
		call	_AlpcGetHeaderSize@4 ; AlpcGetHeaderSize(x)
		mov	ecx, [ebp+var_28]
		mov	[ecx+54h], eax
		mov	ebx, [ebp+var_3C]
		mov	eax, [ebp+arg_0]
		mov	[ebx+8], eax
		mov	dword ptr [ebx+0Ch], 1000h
		mov	eax, [ebp+var_2C]
		mov	[ebx+10h], eax
		add	eax, 1000h
		mov	[ebx+14h], eax
		mov	[ebx+18h], esi
		add	eax, esi
		mov	[ebx+1Ch], eax
		mov	[ebx+20h], edi
		mov	eax, [ebx+40h]
		mov	ecx, [ebx+44h]
		or	eax, 0FFFFFFh
		mov	[ebx+40h], eax
		mov	[ebx+44h], ecx
		mov	eax, [ebx+40h]
		mov	ecx, [ebx+44h]
		or	eax, 0FF000000h
		mov	esi, 0FFFFh
		or	ecx, esi
		mov	[ebx+40h], eax
		mov	[ebx+44h], ecx
		mov	ecx, [ebx+40h]
		mov	edx, [ebx+44h]
		or	eax, 0FFFFFFFFh
		and	ecx, eax
		and	edx, esi
		mov	[ebx+40h], ecx
		mov	[ebx+44h], edx
		mov	esi, [ebp+var_28]
		mov	ecx, [esi+50h]
		mov	[ebx+24h], ecx
		mov	ecx, [esi+54h]
		mov	[ebx+28h], ecx
		mov	edi, [esi+2Ch]
		mov	ecx, [esi+30h]
		xor	ebx, ebx
		lea	edx, [ecx+edi]
		add	ecx, 3
		shr	ecx, 2
		cmp	edx, edi
		sbb	edx, edx
		not	edx
		and	edx, ecx
		jbe	short loc_7CC0C6
		mov	ecx, ebx

loc_7CC0BC:				; CODE XREF: AlpcpInitializeCompletionList+290j
		mov	[edi], eax
		lea	edi, [edi+4]
		inc	ecx
		cmp	ecx, edx
		jb	short loc_7CC0BC

loc_7CC0C6:				; CODE XREF: AlpcpInitializeCompletionList+284j
		mov	edi, [ebp+var_24]
		lea	ecx, [edi+0D0h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	[ebp+var_19], 1
		cmp	[edi+0D4h], ebx
		jnz	loc_8F2A72
		mov	eax, [edi+0F4h]
		test	al, 40h
		jnz	loc_8F2A7C
		mov	edx, [edi+10h]
		test	edx, edx
		jz	short loc_7CC128
		push	dword ptr [edi+14h]
		mov	ecx, [ebp+var_2C]
		shr	ecx, 2
		call	AlpcpAllocateCompletionPacketLookaside
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_8F2A68
		mov	ecx, [edi+18h]
		call	_AlpcpFreeCompletionPacketLookaside@4 ;	AlpcpFreeCompletionPacketLookaside(x)
		mov	eax, [ebp+arg_0]
		mov	[edi+18h], eax
		mov	eax, [edi+0F4h]

loc_7CC128:				; CODE XREF: AlpcpInitializeCompletionList+2C5j
		mov	[edi+0D4h], esi
		mov	esi, ebx
		and	eax, 0FFFFF7FFh
		or	eax, 1C000h
		mov	[edi+0F4h], eax
		mov	edi, ebx

loc_7CC142:				; CODE XREF: AlpcpInitializeCompletionList+126C39j
					; AlpcpInitializeCompletionList+126C43j ...
		mov	ecx, [ebp+var_24]
		mov	dl, [ebp+var_19]

loc_7CC148:				; CODE XREF: AlpcpInitializeCompletionList+126C20j
					; AlpcpInitializeCompletionList+126C65j
		or	eax, 0FFFFFFFFh
		test	dl, dl
		jz	short loc_7CC167
		add	ecx, 0D0h
		mov	[ebp+arg_0], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7CC183

loc_7CC162:				; CODE XREF: AlpcpInitializeCompletionList+357j
		call	KeAbPostRelease

loc_7CC167:				; CODE XREF: AlpcpInitializeCompletionList+319j
		test	esi, esi
		jnz	loc_8F2A9E

loc_7CC16F:				; CODE XREF: AlpcpInitializeCompletionList+126C99j
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7CC183:				; CODE XREF: AlpcpInitializeCompletionList+32Cj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+arg_0]
		jmp	short loc_7CC162
AlpcpInitializeCompletionList endp

; 
		align 2

;  S U B	R O U T	I N E 


AlpcpRegisterCompletionListDatabase proc near ;	CODE XREF: AlpcpInitializeCompletionList+A2p

; FUNCTION CHUNK AT 008F2AD2 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _AlpcpCompletionListDatabase
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	edx, dword_6C6F28
		mov	ebx, offset dword_6C6F28
		cmp	edx, ebx
		jnz	short loc_7CC1E8

loc_7CC1B2:				; CODE XREF: AlpcpRegisterCompletionListDatabase+60j
					; AlpcpRegisterCompletionListDatabase+6Cj ...
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	short loc_7CC207
		mov	[esi], edx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[edx+4], esi
		xor	esi, esi
		inc	dword_6C6F24
		inc	esi

loc_7CC1CC:				; CODE XREF: AlpcpRegisterCompletionListDatabase+12695Ej
		or	edx, 0FFFFFFFFh
		lock xadd [edi], edx
		and	dl, 6
		cmp	dl, 2
		jz	short loc_7CC1FE

loc_7CC1DB:				; CODE XREF: AlpcpRegisterCompletionListDatabase+77j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_7CC1E8:				; CODE XREF: AlpcpRegisterCompletionListDatabase+22j
		mov	ecx, [esi+8]

loc_7CC1EB:				; CODE XREF: AlpcpRegisterCompletionListDatabase+6Ej
		cmp	[edx+8], ecx
		ja	short loc_7CC1B2
		jz	loc_8F2AD2

loc_7CC1F6:				; CODE XREF: AlpcpRegisterCompletionListDatabase+126956j
		mov	edx, [edx]
		cmp	edx, ebx
		jz	short loc_7CC1B2
		jmp	short loc_7CC1EB
; 

loc_7CC1FE:				; CODE XREF: AlpcpRegisterCompletionListDatabase+4Bj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7CC1DB
; 

loc_7CC207:				; CODE XREF: AlpcpRegisterCompletionListDatabase+29j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
AlpcpRegisterCompletionListDatabase endp ; AL =	character to display


;  S U B	R O U T	I N E 


; __stdcall AlpcpFreeCompletionList(x)
_AlpcpFreeCompletionList@4 proc	near	; CODE XREF: AlpcpDoPortCleanup+E4p
					; NtAlpcSetInformation(x,x,x,x)+19Ep
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+0D4h]
		push	dword ptr [esi+10h]
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	dword ptr [esi+10h]
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	ecx, esi
		call	_AlpcpUnregisterCompletionListDatabase@4 ; AlpcpUnregisterCompletionListDatabase(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi+0D4h], 0
		and	dword ptr [edi+0F4h], 0FFFFBFFFh
		pop	edi
		pop	esi
		retn
_AlpcpFreeCompletionList@4 endp	; sp = -4

; 
		align 4

; __stdcall AlpcpUnregisterCompletionListDatabase(x)
_AlpcpUnregisterCompletionListDatabase@4: ; CODE XREF: AlpcpFreeCompletionList(x)+1Ep
					; AlpcpInitializeCompletionList+126C8Dp
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _AlpcpCompletionListDatabase
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_7CC298
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_7CC298
		mov	[eax], ecx
		mov	[ecx+4], eax
		or	eax, 0FFFFFFFFh
		dec	dword_6C6F24
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7CC28F

loc_7CC286:				; CODE XREF: PAGE:007CC296j
		mov	ecx, edi
		pop	edi
		pop	esi
		jmp	KeAbPostRelease
; 

loc_7CC28F:				; CODE XREF: PAGE:007CC284j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7CC286
; 

loc_7CC298:				; CODE XREF: PAGE:007CC265j
					; PAGE:007CC26Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 2478. SeOpenObjectAuditAlarm

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeOpenObjectAuditAlarm(x, x, x, x, x, x, x,	x, x)
		public _SeOpenObjectAuditAlarm@36
_SeOpenObjectAuditAlarm@36 proc	near	; CODE XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+FFp
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+42Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte ptr [ebp+arg_1C], 0
		jz	short loc_7CC2CF
		push	[ebp+arg_20]
		push	0
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	SeOpenObjectAuditAlarmWithTransaction

loc_7CC2CF:				; CODE XREF: SeOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x)+9j
		pop	ebp
		retn	24h
_SeOpenObjectAuditAlarm@36 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepIsImageInMinTcbList proc near	; CODE XREF: SepIsMinTCB+C5p
					; SepIsMinTCB+14768Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008F2AF1 SIZE 00000060 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edx
		mov	eax, ecx
		mov	esi, edi
		mov	[ebp+var_8], eax
		test	edx, edx
		jz	short loc_7CC309
		mov	ebx, eax

loc_7CC2F0:				; CODE XREF: SepIsImageInMinTcbList+33j
		mov	eax, [ebp+arg_0]
		push	1
		push	ebx
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_7CC317

loc_7CC300:				; CODE XREF: SepIsImageInMinTcbList+14Fj
		inc	esi
		add	ebx, 10h
		cmp	esi, [ebp+var_4]
		jb	short loc_7CC2F0

loc_7CC309:				; CODE XREF: SepIsImageInMinTcbList+18j
		mov	edi, 0C0000225h

loc_7CC30E:				; CODE XREF: SepIsImageInMinTcbList+F9j
					; SepIsImageInMinTcbList+102j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_7CC317:				; CODE XREF: SepIsImageInMinTcbList+2Aj
		mov	eax, [ebx+0Ch]
		test	eax, eax
		jnz	loc_7CC41D

loc_7CC322:				; CODE XREF: SepIsImageInMinTcbList+155j
		mov	ecx, [ebp+var_8]
		add	esi, esi
		mov	bl, [ecx+esi*8+0Ah]
		test	bl, bl
		jz	loc_7CC3F6

loc_7CC333:				; CODE XREF: SepIsImageInMinTcbList+12Bj
		mov	edx, [ebp+arg_10]
		movzx	ecx, bl
		shr	ecx, 4
		mov	al, ds:_SeProtectedMapping[ecx*2]
		mov	[edx], al
		mov	al, ds:byte_A40CE1[ecx*2]

loc_7CC34C:				; CODE XREF: SepIsImageInMinTcbList+13Ej
		mov	esi, [ebp+arg_14]
		mov	[esi], al
		mov	ecx, dword_6BEA40
		test	ecx, ecx
		jz	loc_8F2AF1
		mov	al, [edx]
		mov	byte ptr [ebp+arg_8], al
		mov	eax, [ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		call	ecx
		test	eax, eax
		jz	loc_8F2AF1
		mov	ecx, [ebp+arg_C]

loc_7CC378:				; CODE XREF: SepIsImageInMinTcbList+126825j
		mov	edx, dword_6BEA40
		test	edx, edx
		jz	loc_8F2AFE
		mov	al, [esi]
		push	ecx
		mov	byte ptr [ebp+arg_8], al
		push	[ebp+arg_8]
		call	edx
		test	eax, eax
		jz	loc_8F2AFE

loc_7CC399:				; CODE XREF: SepIsImageInMinTcbList+12682Fj
		mov	ecx, [ebp+arg_18]
		mov	al, bl
		and	al, 7
		cmp	al, 1
		jz	short loc_7CC3C2
		test	[ebp+arg_4], 1
		jz	short loc_7CC417

loc_7CC3AA:				; CODE XREF: SepIsImageInMinTcbList+147j
		mov	al, [esi]
		and	al, 0Fh
		cmp	al, 4
		jb	loc_8F2B08

loc_7CC3B6:				; CODE XREF: SepIsImageInMinTcbList+12683Bj
		mov	al, [ecx]
		and	bl, 0F2h
		and	al, 8
		or	bl, al
		or	bl, 2

loc_7CC3C2:				; CODE XREF: SepIsImageInMinTcbList+CEj
					; SepIsImageInMinTcbList+145j
		mov	[ecx], bl
		cmp	byte ptr [ecx],	0
		mov	[ebp+arg_C], edi
		mov	[ebp+arg_8], edi
		jnz	loc_7CC30E
		cmp	byte ptr [esi],	0
		jnz	loc_7CC30E
		lea	eax, [ebp+arg_8]
		push	eax
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	RtlpOpenImageFileOptionsKeyEx
		test	eax, eax
		js	loc_7CC30E
		jmp	loc_8F2B14
; 

loc_7CC3F6:				; CODE XREF: SepIsImageInMinTcbList+59j
		mov	al, byte ptr [ebp+arg_8]
		test	al, al
		jnz	short loc_7CC42E

loc_7CC3FD:				; CODE XREF: SepIsImageInMinTcbList+15Cj
		test	bl, bl
		jnz	loc_7CC333
		mov	edx, [ebp+arg_10]
		mov	al, [ecx+esi*8+8]
		mov	[edx], al
		mov	al, [ecx+esi*8+9]
		jmp	loc_7CC34C
; 

loc_7CC417:				; CODE XREF: SepIsImageInMinTcbList+D4j
		cmp	al, 2
		jnz	short loc_7CC3C2
		jmp	short loc_7CC3AA
; 

loc_7CC41D:				; CODE XREF: SepIsImageInMinTcbList+48j
		cmp	eax, dword_6BBFD0
		jnz	loc_7CC300
		jmp	loc_7CC322
; 

loc_7CC42E:				; CODE XREF: SepIsImageInMinTcbList+127j
		mov	bl, al
		jmp	short loc_7CC3FD
SepIsImageInMinTcbList endp

; 

NtImpersonateThread:			; DATA XREF: .text:00580FE4o
		push	60h
		push	offset dword_6A3C60
		call	__SEH_prolog4
		push	3Ch
		xor	ebx, ebx
		push	ebx
		lea	eax, [ebp-70h]
		push	eax
		call	_memset
		add	esp, 0Ch
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-24h], al
		mov	[ebp-4], ebx
		test	al, al
		jz	short loc_7CC481
		mov	eax, [ebp+10h]
		test	al, 3
		jnz	loc_7CC528
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_8F2B51

loc_7CC47E:				; CODE XREF: PAGE:008F2B53j
		nop
		mov	al, [eax]

loc_7CC481:				; CODE XREF: PAGE:007CC463j
		mov	esi, [ebp+10h]
		lea	edi, [ebp-34h]
		movsd
		movsd
		movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, ds:_PsThreadType
		mov	[ebp-20h], ebx
		push	ebx
		lea	ecx, [ebp-20h]
		push	ecx
		push	dword ptr [ebp-24h]
		push	eax
		push	200h
		push	dword ptr [ebp+0Ch]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7CC516
		mov	eax, ds:_PsThreadType
		mov	[ebp-1Ch], ebx
		push	ebx
		lea	ecx, [ebp-1Ch]
		push	ecx
		push	dword ptr [ebp-24h]
		push	eax
		push	100h
		push	dword ptr [ebp+8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	esi, [ebp-20h]
		test	edi, edi
		js	short loc_7CC50D
		lea	eax, [ebp-70h]
		push	eax
		push	ebx
		lea	eax, [ebp-34h]
		push	eax
		push	esi
		call	_SeCreateClientSecurity@16 ; SeCreateClientSecurity(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7CC505
		push	dword ptr [ebp-1Ch]
		lea	eax, [ebp-70h]
		push	eax
		call	_SeImpersonateClientEx@8 ; SeImpersonateClientEx(x,x)
		mov	edi, eax
		mov	ecx, [ebp-64h]
		call	ObfDereferenceObject

loc_7CC505:				; CODE XREF: PAGE:007CC4EDj
		mov	ecx, [ebp-1Ch]
		call	ObfDereferenceObject

loc_7CC50D:				; CODE XREF: PAGE:007CC4D8j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi

loc_7CC516:				; CODE XREF: PAGE:007CC4B1j
					; PAGE:008F2B75j
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7CC528:				; CODE XREF: PAGE:007CC46Aj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 910. IoOpenDeviceRegistryKey

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoOpenDeviceRegistryKey
IoOpenDeviceRegistryKey	proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F2B7A SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_7CC5F4
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_7CC5F4
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_7CC5F4
		test	[ebp+arg_4], 1
		jnz	loc_7CC5F0
		test	[ebp+arg_4], 2
		jz	short loc_7CC5F4
		push	12h

loc_7CC577:				; CODE XREF: IoOpenDeviceRegistryKey+C0j
		test	[ebp+arg_4], 4
		pop	esi
		jnz	loc_8F2B7A

loc_7CC582:				; CODE XREF: IoOpenDeviceRegistryKey+12664Ej
		mov	eax, large fs:124h
		push	ebx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	ebx, offset _PnpRegistryDeviceResource
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	eax, [edi+0B0h]
		mov	edi, [ebp+arg_C]
		mov	ecx, _PiPnpRtlCtx
		push	0
		mov	edx, [eax+14h]
		push	edi
		push	1
		push	[ebp+arg_8]
		mov	edx, [edx+18h]
		push	0
		push	esi
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_7CC5D4
		test	edi, edi
		jz	short loc_7CC5D4
		mov	ecx, [edi]
		call	_IopApplyMutableTagToRegistryKey@4 ; IopApplyMutableTagToRegistryKey(x)

loc_7CC5D4:				; CODE XREF: IoOpenDeviceRegistryKey+95j
					; IoOpenDeviceRegistryKey+99j
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		pop	ebx

loc_7CC5EA:				; CODE XREF: IoOpenDeviceRegistryKey+C7j
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_7CC5F0:				; CODE XREF: IoOpenDeviceRegistryKey+37j
		push	11h
		jmp	short loc_7CC577
; 

loc_7CC5F4:				; CODE XREF: IoOpenDeviceRegistryKey+Cj
					; IoOpenDeviceRegistryKey+1Dj ...
		mov	eax, 0C000000Dh
		jmp	short loc_7CC5EA
IoOpenDeviceRegistryKey	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopApplyMutableTagToRegistryKey(x)
_IopApplyMutableTagToRegistryKey@4 proc	near ; CODE XREF: IoOpenDeviceRegistryKey+9Dp
					; IoOpenDriverRegistryKey(x,x,x,x,x)+279p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_7CC64A
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	7
		push	esi
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		test	eax, eax
		js	short loc_7CC647
		mov	eax, [ebp+var_4]
		mov	ecx, 1000h
		test	eax, ecx
		jnz	short loc_7CC651
		or	eax, ecx
		push	4
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	5
		push	esi
		call	_ZwSetInformationKey@16	; ZwSetInformationKey(x,x,x,x)

loc_7CC647:				; CODE XREF: IopApplyMutableTagToRegistryKey(x)+2Aj
					; IopApplyMutableTagToRegistryKey(x)+53j ...
		pop	esi
		leave
		retn
; 

loc_7CC64A:				; CODE XREF: IopApplyMutableTagToRegistryKey(x)+14j
		mov	eax, 0C000000Dh
		jmp	short loc_7CC647
; 

loc_7CC651:				; CODE XREF: IopApplyMutableTagToRegistryKey(x)+36j
		xor	eax, eax
		jmp	short loc_7CC647
_IopApplyMutableTagToRegistryKey@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpInternEntryMatch(x, x, x)
_RtlpInternEntryMatch@12 proc near	; CODE XREF: RtlpInternEntryFind+95p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		push	ebx
		push	esi
		mov	[ebp+var_4], eax
		mov	eax, [eax+0Ch]
		mov	esi, eax
		and	esi, 3FFh
		push	edi
		cmp	[edx], esi
		jnz	short loc_7CC6CA
		shr	eax, 0Ah
		add	eax, esi
		cmp	[ebp+arg_0], eax
		jnz	short loc_7CC6CA
		mov	eax, [edx+8]
		xor	ebx, ebx
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_7CC6C1
		mov	edi, [edx+4]

loc_7CC68C:				; CODE XREF: RtlpInternEntryMatch(x,x,x)+69j
		mov	edx, [edi+0Ch]
		lea	ecx, [esi-1]
		add	ecx, edx
		lea	eax, [edx-1]
		and	ecx, eax
		mov	eax, [edi+8]
		sub	edx, ecx
		mov	ecx, [ebp+var_4]
		dec	edx
		push	eax		; size_t
		push	dword ptr [edi]	; void *
		add	esi, edx
		add	ecx, esi
		add	esi, eax
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7CC6CA
		inc	ebx
		add	edi, 10h
		cmp	ebx, [ebp+arg_0]
		jb	short loc_7CC68C

loc_7CC6C1:				; CODE XREF: RtlpInternEntryMatch(x,x,x)+31j
		mov	al, 1

loc_7CC6C3:				; CODE XREF: RtlpInternEntryMatch(x,x,x)+76j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7CC6CA:				; CODE XREF: RtlpInternEntryMatch(x,x,x)+1Bj
					; RtlpInternEntryMatch(x,x,x)+25j ...
		xor	al, al
		jmp	short loc_7CC6C3
_RtlpInternEntryMatch@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall CmpGenerateFastLeafHintForCompressedString(void *)
_CmpGenerateFastLeafHintForCompressedString@8 proc near	; CODE XREF: CmpCheckLeaf+178p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	4
		xor	eax, eax
		pop	esi
		mov	[ebp+var_4], eax
		cmp	edx, esi
		jb	short loc_7CC6F5

loc_7CC6E1:				; CODE XREF: CmpGenerateFastLeafHintForCompressedString(x,x)+2Bj
		push	esi		; size_t
		push	ecx		; void *
		lea	eax, [ebp+var_4]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch

loc_7CC6F2:				; CODE XREF: CmpGenerateFastLeafHintForCompressedString(x,x)+2Dj
		pop	esi
		leave
		retn
; 

loc_7CC6F5:				; CODE XREF: CmpGenerateFastLeafHintForCompressedString(x,x)+11j
		mov	esi, edx
		test	edx, edx
		jnz	short loc_7CC6E1
		jmp	short loc_7CC6F2
_CmpGenerateFastLeafHintForCompressedString@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1558. NtQueryInformationAtom

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtQueryInformationAtom
NtQueryInformationAtom proc near	; DATA XREF: .text:00580E80o

var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F2B85 SIZE 0000006F BYTES

		push	2Ch
		push	offset dword_6A3C80
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_20]
		push	eax
		push	2
		call	PsInvokeWin32Callout
		cmp	[ebp+var_20], ebx
		jz	loc_8F2B85
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:124h
		mov	[ebp+var_3C], eax
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	edi, [ebp+arg_8]
		test	al, al
		jz	short loc_7CC771
		push	4
		push	[ebp+arg_C]
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_7CC771
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8F2B8F

loc_7CC76D:				; CODE XREF: NtQueryInformationAtom+12648Fj
		mov	eax, [ecx]
		mov	[ecx], eax

loc_7CC771:				; CODE XREF: NtQueryInformationAtom+4Aj
					; NtQueryInformationAtom+5Cj
		mov	esi, ebx
		mov	[ebp+var_24], esi
		mov	eax, [ebp+arg_4]
		sub	eax, ebx
		jnz	loc_8F2B96
		push	6
		pop	esi
		mov	[ebp+var_24], esi
		cmp	[ebp+arg_C], esi
		jb	loc_8F2BE3
		mov	[ebp+var_28], ebx
		mov	eax, [ebp+arg_C]
		add	eax, 0FFFFFFFAh
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [edi+6]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+arg_0]
		push	[ebp+var_20]
		call	RtlQueryAtomInAtomTable
		mov	edx, eax
		mov	[ebp+var_30], edx
		test	edx, edx
		js	short loc_7CC7DC
		mov	ax, word ptr [ebp+var_28]
		mov	[edi], ax
		mov	ax, word ptr [ebp+var_34]
		mov	[edi+2], ax
		mov	eax, [ebp+var_2C]
		mov	[edi+4], ax
		lea	esi, [eax+8]

loc_7CC7D9:				; CODE XREF: NtQueryInformationAtom+1264DCj
		mov	[ebp+var_24], esi

loc_7CC7DC:				; CODE XREF: NtQueryInformationAtom+BCj
					; NtQueryInformationAtom+1264A1j ...
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_7CC7E5
		mov	[ecx], esi

loc_7CC7E5:				; CODE XREF: NtQueryInformationAtom+DFj
					; sub_8F2C02+9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edx

loc_7CC7EE:				; CODE XREF: NtQueryInformationAtom+126488j
					; NtQueryInformationAtom+1264EDj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
NtQueryInformationAtom endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPnpRtlGetFilteredDeviceList proc near	; CODE XREF: PiPnpRtlCmActionCallback+284p

var_3C		= dword	ptr -3Ch
var_38		= byte ptr -38h
var_37		= word ptr -37h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F2C10 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_24]
		mov	ecx, [ebx+0Ch]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_37], ax
		mov	[ebp+var_35], al
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		test	cl, 7Ch
		jnz	loc_8F2C36
		test	cl, 1
		jnz	loc_7CC940
		test	cl, 2
		jnz	short loc_7CC8C3
		test	cl, cl
		jns	short loc_7CC88F
		mov	edx, [ebx+8]
		test	edx, edx
		jz	loc_8F2C10
		test	ecx, 100h
		jz	short loc_7CC860
		mov	[ebp+var_20], 1

loc_7CC860:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+5Aj
		push	dword ptr [ebx+20h]
		mov	eax, [ebx+10h]
		push	dword ptr [ebx+1Ch]
		mov	[ebp+var_1C], eax
		push	dword ptr [ebx+18h]
		mov	eax, [ebx+14h]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	offset _PiPnpRtlEnumeratorFilterCallback@16 ; PiPnpRtlEnumeratorFilterCallback(x,x,x,x)
		push	5
		pop	ecx
		call	PiDmGetCmObjectConstraintListFromCache

loc_7CC886:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+C1j
		mov	esi, eax

loc_7CC888:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+DCj
					; PiPnpRtlGetFilteredDeviceList+12Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7CC88F:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+47j
		test	ecx, 100h
		jz	short loc_7CC89B
		mov	[ebp+var_20], 1

loc_7CC89B:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+95j
		push	dword ptr [ebx+20h]
		mov	eax, [ebx+10h]
		xor	ecx, ecx
		push	dword ptr [ebx+1Ch]
		mov	[ebp+var_1C], eax
		mov	edx, offset _PiPnpRtlEnumeratorFilterCallback@16 ; PiPnpRtlEnumeratorFilterCallback(x,x,x,x)
		mov	eax, [ebx+14h]
		inc	ecx
		push	dword ptr [ebx+18h]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_PiDmGetCmObjectListFromCache@24 ; PiDmGetCmObjectListFromCache(x,x,x,x,x,x)
		jmp	short loc_7CC886
; 

loc_7CC8C3:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+43j
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_8F2C10
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7CC888
		push	dword ptr [ebx+20h]
		xor	eax, eax
		xor	ecx, ecx
		push	dword ptr [ebx+1Ch]
		mov	[ebp+var_37], ax
		mov	edx, offset PiPnpRtlServiceFilterCallback
		push	dword ptr [ebx+18h]
		lea	eax, [ebp+var_14]
		mov	[ebp+var_35], cl
		mov	[ebp+var_3C], eax
		mov	eax, [ebx+0Ch]
		shr	eax, 8
		and	al, 1
		mov	[ebp+var_34], ecx
		mov	[ebp+var_38], al
		mov	eax, [ebx+10h]
		mov	[ebp+var_2C], eax
		mov	eax, [ebx+14h]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_30], ecx
		inc	ecx
		push	eax
		call	_PiDmGetCmObjectListFromCache@24 ; PiDmGetCmObjectListFromCache(x,x,x,x,x,x)
		cmp	[ebp+var_34], 0
		mov	esi, eax
		jz	loc_7CC888
		xor	eax, eax
		push	eax
		push	[ebp+var_34]

loc_7CC936:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+230j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7CC888
; 

loc_7CC940:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+3Aj
		mov	ecx, [ebx+8]
		test	ecx, ecx
		jz	loc_8F2C10
		push	5Ch
		pop	edi

loc_7CC94E:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+126421j
		movzx	edx, word ptr [ecx]
		test	dx, dx
		jz	loc_8F2C10
		cmp	dx, di
		jz	loc_8F2C10
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, 2
		ja	loc_8F2C10
		push	edi		; wchar_t
		push	ecx		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		mov	ecx, eax
		test	ecx, ecx
		jnz	loc_8F2C1A

loc_7CC983:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+126427j
		push	47706E50h
		push	190h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_8F2C2C
		push	800h
		lea	ecx, [ebp+var_8]
		mov	edx, 0C8h
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	dword ptr [ebx+8]
		mov	ecx, eax
		call	RtlStringCchCopyExW
		mov	esi, eax
		test	esi, esi
		js	short loc_7CCA1F
		cmp	[ebp+var_8], 2
		jb	short loc_7CCA35
		mov	eax, [ebp+var_C]
		xor	ecx, ecx
		mov	[eax], di
		mov	[eax+2], cx
		mov	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7CCA1F
		push	dword ptr [ebx+20h]
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		push	dword ptr [ebx+1Ch]
		mov	[ebp+var_24], eax
		mov	edx, offset _PiPnpRtlEnumeratorFilterCallback@16 ; PiPnpRtlEnumeratorFilterCallback(x,x,x,x)
		mov	eax, [ebx+0Ch]
		inc	ecx
		push	dword ptr [ebx+18h]
		shr	eax, 8
		and	al, 1
		mov	[ebp+var_20], al
		mov	eax, [ebx+10h]
		mov	[ebp+var_1C], eax
		mov	eax, [ebx+14h]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_PiDmGetCmObjectListFromCache@24 ; PiDmGetCmObjectListFromCache(x,x,x,x,x,x)
		mov	esi, eax

loc_7CCA1F:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+1BFj
					; PiPnpRtlGetFilteredDeviceList+1E4j ...
		mov	eax, [ebp+var_4]

loc_7CCA22:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+12643Bj
		test	eax, eax
		jz	loc_7CC888
		push	47706E50h
		push	eax
		jmp	loc_7CC936
; 

loc_7CCA35:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+1C5j
		mov	esi, 0C000000Dh
		jmp	short loc_7CCA1F
PiPnpRtlGetFilteredDeviceList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPnpRtlGetFilteredDeviceInterfaceList proc near ; CODE	XREF: PiPnpRtlCmActionCallback+15Ap

var_30		= dword	ptr -30h
var_28		= byte ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F2C40 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		and	[ebp+var_1C], 0
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		and	[ebp+var_18], 0
		stosd
		mov	esi, ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		test	byte ptr [esi+10h], 1
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		stosd
		stosd
		jz	short loc_7CCA77
		mov	[ebp+var_28], 1

loc_7CCA77:				; CODE XREF: PiPnpRtlGetFilteredDeviceInterfaceList+35j
		mov	eax, [esi+14h]
		mov	edx, [esi+8]
		mov	[ebp+var_24], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_20], eax
		mov	eax, [esi+0Ch]
		test	eax, eax
		jnz	short loc_7CCABF
		mov	eax, [esi+24h]
		mov	ecx, [esi+20h]
		mov	esi, [esi+1Ch]
		push	eax
		lea	eax, [ebp+var_30]
		push	ecx
		push	esi
		push	eax
		test	edx, edx
		jz	loc_8F2C40
		xor	ecx, ecx

loc_7CCAA7:				; CODE XREF: PiPnpRtlGetFilteredDeviceInterfaceList+C1j
		push	offset PiPnpRtlInterfaceFilterCallback
		call	PiDmGetCmObjectConstraintListFromCache

loc_7CCAB1:				; CODE XREF: PiPnpRtlGetFilteredDeviceInterfaceList+93j
					; PiPnpRtlGetFilteredDeviceInterfaceList+A4j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7CCABF:				; CODE XREF: PiPnpRtlGetFilteredDeviceInterfaceList+4Fj
		test	edx, edx
		jz	short loc_7CCAEB
		push	edx
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_7CCAB1
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	short loc_7CCAB1
		lea	eax, [ebp+var_14]
		mov	[ebp+var_30], eax
		mov	eax, [esi+0Ch]

loc_7CCAEB:				; CODE XREF: PiPnpRtlGetFilteredDeviceInterfaceList+85j
		push	dword ptr [esi+24h]
		lea	edx, [ebp+var_30]
		xor	ecx, ecx
		push	dword ptr [esi+20h]
		inc	ecx
		push	dword ptr [esi+1Ch]
		push	edx
		mov	edx, eax
		jmp	short loc_7CCAA7
PiPnpRtlGetFilteredDeviceInterfaceList endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDmGetCmObjectConstraintListFromCache proc near
					; CODE XREF: PiPnpRtlGetFilteredDeviceList+81p
					; PiPnpRtlGetFilteredDeviceInterfaceList+70p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F2C52 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], eax
		imul	eax, ecx, 14h
		mov	eax, ds:dword_4042C8[eax]
		sub	eax, 1
		jz	short loc_7CCB4D
		sub	eax, 1
		jz	short loc_7CCB52
		sub	eax, 1
		jnz	loc_8F2C52
		push	3

loc_7CCB32:				; CODE XREF: PiDmGetCmObjectConstraintListFromCache+54j
					; PiDmGetCmObjectConstraintListFromCache+12616Aj ...
		pop	eax

loc_7CCB33:				; CODE XREF: PiDmGetCmObjectConstraintListFromCache+50j
					; PiDmGetCmObjectConstraintListFromCache+126163j
		push	[ebp+arg_10]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_C]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	eax
		push	ecx
		call	_PiDmGetObjectConstraintList@28	; PiDmGetObjectConstraintList(x,x,x,x,x,x,x)
		leave
		retn	14h
; 

loc_7CCB4D:				; CODE XREF: PiDmGetCmObjectConstraintListFromCache+20j
		xor	eax, eax
		inc	eax
		jmp	short loc_7CCB33
; 

loc_7CCB52:				; CODE XREF: PiDmGetCmObjectConstraintListFromCache+25j
		push	2
		jmp	short loc_7CCB32
PiDmGetCmObjectConstraintListFromCache endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmGetObjectConstraintList(x, x, x, x, x, x, x)
_PiDmGetObjectConstraintList@28	proc near
					; CODE XREF: PiDmGetCmObjectConstraintListFromCache+44p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		and	[ebp+var_4], 0
		push	esi
		push	edi
		lea	edi, [ebp+var_1C]
		mov	[ebp+var_8], ecx
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_10]
		mov	edi, [ebp+arg_8]
		and	dword ptr [eax], 0
		cmp	[ebp+arg_C], 0
		jbe	short loc_7CCB85
		xor	eax, eax
		mov	[edi], ax

loc_7CCB85:				; CODE XREF: PiDmGetObjectConstraintList(x,x,x,x,x,x,x)+28j
		imul	ecx, 14h
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, ds:_PiDmListDefs[ecx]
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7CCC08
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		and	[ebp+var_C], 0
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	offset _PiDmGetObjectListCallback@12 ; PiDmGetObjectListCallback(x,x,x)
		mov	[ebp+var_1C], offset _PiDmCmObjectMatchCallback@12 ; PiDmCmObjectMatchCallback(x,x,x)
		mov	[ebp+var_14], edi
		call	PiDmListEnumObjectsWithCallback
		mov	esi, eax
		test	esi, esi
		js	short loc_7CCBF2
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+var_C]
		mov	[ecx], eax

loc_7CCBD9:				; CODE XREF: PiDmGetObjectConstraintList(x,x,x,x,x,x,x)+BFj
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_7CCBF2
		inc	eax
		mov	[ecx], eax
		test	edi, edi
		jz	short loc_7CCC17
		cmp	[ebp+arg_C], eax
		jb	short loc_7CCC17
		xor	ecx, ecx
		mov	[edi+eax*2-2], cx

loc_7CCBF2:				; CODE XREF: PiDmGetObjectConstraintList(x,x,x,x,x,x,x)+79j
					; PiDmGetObjectConstraintList(x,x,x,x,x,x,x)+87j ...
		cmp	[ebp+var_4], 0
		jz	short loc_7CCC00
		mov	ecx, [ebp+var_4]
		call	PiDmObjectRelease

loc_7CCC00:				; CODE XREF: PiDmGetObjectConstraintList(x,x,x,x,x,x,x)+A0j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	14h
; 

loc_7CCC08:				; CODE XREF: PiDmGetObjectConstraintList(x,x,x,x,x,x,x)+45j
		cmp	esi, 0C0000034h
		jnz	short loc_7CCBF2
		mov	ecx, [ebp+arg_10]
		xor	esi, esi
		jmp	short loc_7CCBD9
; 

loc_7CCC17:				; CODE XREF: PiDmGetObjectConstraintList(x,x,x,x,x,x,x)+8Ej
					; PiDmGetObjectConstraintList(x,x,x,x,x,x,x)+93j
		mov	esi, 0C0000023h
		jmp	short loc_7CCBF2
_PiDmGetObjectConstraintList@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCheckCreateAccessOnKcbStack proc near ; CODE	XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1408p
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+178Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008F2C7D SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ecx, edx
		mov	edx, [ebp+arg_14]
		push	0
		call	_CmpGetSecurityCacheEntryForKcbStack@12	; CmpGetSecurityCacheEntryForKcbStack(x,x,x)
		mov	dl, [ebp+arg_10]
		xor	ebx, ebx
		mov	esi, [ebp+arg_4]
		inc	ebx
		lea	edi, [eax+18h]
		test	dl, dl
		jnz	loc_8F2C7D

loc_7CCC46:				; CODE XREF: CmpCheckCreateAccessOnKcbStack+126072j
		mov	eax, [ebp+arg_0]
		mov	ecx, [esi+18h]
		or	ecx, [ebp+arg_C]
		or	ecx, 4
		mov	eax, [eax+3Ch]
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_8F2C95
		test	dl, dl
		jnz	loc_8F2CA5

loc_7CCC67:				; CODE XREF: CmpCheckCreateAccessOnKcbStack+12608Bj
		push	[ebp+arg_18]
		mov	edx, edi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	esi
		call	CmpCheckCreateAccess
		mov	bl, al

loc_7CCC7A:				; CODE XREF: CmpCheckCreateAccessOnKcbStack+126082j
					; CmpCheckCreateAccessOnKcbStack+126097j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	1Ch
CmpCheckCreateAccessOnKcbStack endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCheckCreateAccess proc near		; CODE XREF: CmpCheckCreateAccessOnKcbStack+55p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F2CBA SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		lea	eax, [ebp+var_4]
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ecx, ecx
		push	esi
		push	eax
		push	[ebp+arg_4]
		mov	eax, ds:_CmKeyObjectType
		add	edi, 1Ch
		add	eax, 34h
		mov	[ebp+var_4], ecx
		push	eax
		mov	eax, [ebp+arg_8]
		push	ecx
		push	ecx
		or	eax, 4
		push	eax
		push	ecx
		push	edi
		push	edx
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	bl, al
		test	bl, bl
		jz	short loc_7CCCC9
		test	byte ptr [ebp+arg_8], 20h
		jnz	short loc_7CCCD2

loc_7CCCC9:				; CODE XREF: CmpCheckCreateAccess+3Dj
					; CmpCheckCreateAccess+59j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	10h
; 

loc_7CCCD2:				; CODE XREF: CmpCheckCreateAccess+43j
		push	[ebp+arg_4]
		push	edi
		call	RtlIsSandboxedToken
		test	al, al
		jz	short loc_7CCCC9
		jmp	loc_8F2CBA
CmpCheckCreateAccess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetDeviceSoftwareKeyPath proc near	; CODE XREF: _CmGetDeviceRegKeyPath+6Bp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008F2CC7 SIZE 000001C2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	byte ptr [ecx+4], 0
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_14]
		push	edi
		mov	edi, edx
		mov	[ebp+var_68], ebx
		jnz	loc_8F2CC7
		push	[ebp+arg_8]
		lea	eax, [ebp+var_60]
		push	ecx
		push	eax
		call	_CmGetDeviceSoftwareKey
		test	eax, eax
		js	short loc_7CCD72
		test	[ebp+arg_0], 200h
		jnz	loc_8F2E16
		lea	edx, [ebp+var_60]
		xor	ecx, ecx
		lea	edi, [edx+2]

loc_7CCD34:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+59j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, cx
		jnz	short loc_7CCD34
		sub	edx, edi
		sar	edx, 1
		add	edx, 28h
		test	esi, esi
		jz	short loc_7CCD4C
		mov	[esi], edx

loc_7CCD4C:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+64j
		cmp	edx, [ebp+arg_10]
		ja	short loc_7CCD83
		lea	eax, [ebp+var_60]
		push	eax
		push	(offset	loc_8C90FB+1) ;	char
		push	offset ??_C@_1M@DFKENGJN@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; "%s\\%s"
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_10]	; int
		push	ebx		; void *
		call	RtlStringCchPrintfExW
		add	esp, 20h

loc_7CCD72:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+39j
					; _CmGetDeviceSoftwareKeyPath+A4j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_7CCD83:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+6Bj
					; _CmGetDeviceSoftwareKeyPath+126017j ...
		mov	eax, 0C0000023h
		jmp	short loc_7CCD72
_CmGetDeviceSoftwareKeyPath endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetDeviceSoftwareKey	proc near	; CODE XREF: _CmGetDeviceSoftwareKeyPath+32p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= byte ptr -60h
var_14		= word ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008F2E89 SIZE 00000180 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, edx
		push	esi
		xor	edx, edx
		mov	[ebp+var_70], eax
		push	edi
		push	edx
		mov	edi, ecx
		mov	[ebp+var_64], edx
		lea	ecx, [ebp+var_68]
		mov	[ebp+var_74], edx
		push	ecx
		push	ebx
		lea	ecx, [ebp+var_6C]
		mov	[ebp+var_7C], edx
		push	ecx
		push	0Ah
		mov	[ebp+var_78], edx
		mov	ecx, edi
		mov	[ebp+var_6C], edx
		push	edx
		mov	edx, eax
		mov	[ebp+var_68], 58h
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jz	loc_8F2E89

loc_7CCDE8:				; CODE XREF: _CmGetDeviceSoftwareKey+12610Aj
					; _CmGetDeviceSoftwareKey+12625Fj ...
		cmp	[ebp+var_64], 0
		jnz	loc_8F2FFC

loc_7CCDF2:				; CODE XREF: _CmGetDeviceSoftwareKey+12627Aj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_CmGetDeviceSoftwareKey	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtOpenSemaphore	proc near		; DATA XREF: .text:00580F10o

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F3035 SIZE 0000000D BYTES

		push	14h
		push	offset dword_6A3CA0
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_24], bl
		test	bl, bl
		jz	short loc_7CCE44
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_7CCE9F

loc_7CCE39:				; CODE XREF: NtOpenSemaphore+9Bj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7CCE44:				; CODE XREF: NtOpenSemaphore+22j
		mov	esi, ds:_ExSemaphoreObjectType
		lea	eax, [ebp+var_1C]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	edi
		push	[ebp+arg_4]
		push	edi
		push	[ebp+var_24]
		push	esi
		push	[ebp+arg_8]
		call	ObOpenObjectByNameEx
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_7CCE8A
		test	bl, bl
		jz	loc_8F3035
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_7CCE83:				; CODE XREF: sub_8F302D+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7CCE8A:				; CODE XREF: NtOpenSemaphore+64j
					; NtOpenSemaphore+126237j
		mov	eax, [ebp+arg_4]

loc_7CCE8D:				; CODE XREF: sub_8F3017+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7CCE9F:				; CODE XREF: NtOpenSemaphore+31j
		mov	ecx, eax
		jmp	short loc_7CCE39
NtOpenSemaphore	endp

; 
		align 8
; Exported entry 577. FsRtlKernelFsControlFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	FsRtlKernelFsControlFile(int,int,void *,size_t,void *,int,int)
		public FsRtlKernelFsControlFile
FsRtlKernelFsControlFile proc near	; CODE XREF: sub_A16A58+31Fp
					; sub_A16A58+35Bp ...

var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008F3042 SIZE 00000067 BYTES
; FUNCTION CHUNK AT 008F30CD SIZE 00000068 BYTES

		push	2Ch
		push	offset dword_6A3CC8
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	esi, ebx
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], ebx
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		stosd
		stosd
		stosd
		stosd
		push	ebx
		push	ebx
		lea	eax, [ebp+var_3C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edi, [ebp+arg_4]
		and	edi, 3
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+arg_0]
		test	dword ptr [eax+2Ch], 800h
		jnz	loc_8F3042
		push	eax
		call	IoGetRelatedDeviceObject
		mov	ecx, eax
		mov	[ebp+var_2C], ecx
		push	ebx
		movzx	eax, byte ptr [ecx+30h]
		push	eax
		push	ecx
		call	IoAllocateIrpEx
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jz	loc_8F3049
		lea	eax, [esi+60h]
		mov	[ebp+var_28], eax
		mov	ecx, [eax]
		mov	word ptr [ecx-24h], 40Dh
		mov	eax, [ebp+arg_0]
		mov	[ecx-0Ch], eax
		mov	edx, [ebp+arg_14]
		mov	[ecx-20h], edx
		mov	eax, [ebp+arg_C]
		mov	[ecx-1Ch], eax
		mov	edx, [ebp+arg_4]
		mov	[ecx-18h], edx
		test	edi, edi
		mov	edx, [ebp+arg_14]
		jnz	loc_7CD00D
		test	eax, eax
		jnz	short loc_7CCF4C
		test	edx, edx
		jz	loc_8F30CD

loc_7CCF4C:				; CODE XREF: FsRtlKernelFsControlFile+9Aj
		cmp	eax, edx
		jnb	loc_8F30D8
		mov	eax, [ebp+arg_10]
		mov	[esi+0Ch], eax
		push	[ebp+arg_C]	; size_t
		push	[ebp+arg_8]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_7CCF69:				; CODE XREF: FsRtlKernelFsControlFile+126236j
		mov	dword ptr [esi+8], 10h
		mov	eax, [ebp+arg_10]
		mov	[esi+3Ch], eax
		test	eax, eax
		jz	short loc_7CCF7E
		or	dword ptr [esi+8], 40h

loc_7CCF7E:				; CODE XREF: FsRtlKernelFsControlFile+D0j
					; FsRtlKernelFsControlFile+171j ...
		mov	eax, large fs:124h
		mov	esi, [ebp+var_20]
		mov	[esi+50h], eax
		or	dword ptr [esi+8], 4
		mov	[esi+20h], bl
		mov	eax, [ebp+var_28]
		mov	eax, [eax]
		mov	dword ptr [eax-8], offset _SmKmGenericCompletion@12 ; SmKmGenericCompletion(x,x,x)
		lea	ecx, [ebp+var_3C]
		mov	[eax-4], ecx
		mov	[eax-21h], bl
		mov	byte ptr [eax-21h], 40h
		mov	byte ptr [eax-21h], 0C0h
		mov	byte ptr [eax-21h], 0E0h
		mov	edx, esi
		mov	ecx, [ebp+var_2C]
		call	IofCallDriver
		mov	[ebp+var_1C], eax
		cmp	eax, 103h
		jz	loc_8F30E3

loc_7CCFCA:				; CODE XREF: FsRtlKernelFsControlFile+126255j
					; FsRtlKernelFsControlFile+12626Ej
		mov	edi, [esi+18h]
		mov	[ebp+var_1C], edi
		mov	ecx, [esi+1Ch]
		mov	eax, [ebp+arg_18]
		mov	[eax], ecx
		test	edi, edi
		jns	short loc_7CCFFC

loc_7CCFDC:				; CODE XREF: FsRtlKernelFsControlFile+156j
					; FsRtlKernelFsControlFile+15Ej ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7CD030
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_7CCFFC:				; CODE XREF: FsRtlKernelFsControlFile+132j
		test	ecx, ecx
		jz	short loc_7CCFDC
		mov	eax, [ebp+arg_14]
		cmp	[ebp+arg_C], eax
		jb	short loc_7CCFDC
		jmp	loc_8F311B
; 

loc_7CD00D:				; CODE XREF: FsRtlKernelFsControlFile+92j
		cmp	edi, 2
		jbe	loc_8F3056
		cmp	edi, 3
		jnz	loc_7CCF7E
		mov	eax, [ebp+arg_10]
		mov	[esi+3Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx-14h], eax
		jmp	loc_7CCF7E
FsRtlKernelFsControlFile endp


;  S U B	R O U T	I N E 


sub_7CD030	proc near		; CODE XREF: FsRtlKernelFsControlFile+13Bp
					; sub_8F3135+8j

; FUNCTION CHUNK AT 008F3142 SIZE 0000000D BYTES

		test	esi, esi
		jz	short locret_7CD045
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	loc_8F3142

loc_7CD03F:				; CODE XREF: sub_7CD030+12611Aj
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)

locret_7CD045:				; CODE XREF: sub_7CD030+2j
		retn
sub_7CD030	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1597. NtSetSecurityObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtSetSecurityObject
NtSetSecurityObject proc near		; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+16Ep
					; RtlpSysVolCheckOwnerAndSecurity(x,x)+262p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F314F SIZE 0000015C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_14], eax
		cmp	[ebp+arg_8], eax
		jz	loc_8F314F
		mov	ebx, [ebp+arg_4]
		mov	eax, ebx
		mov	ecx, ebx
		and	eax, 80h
		and	ecx, 100h
		test	ebx, 10000h
		jnz	loc_8F3159

loc_7CD098:				; CODE XREF: NtSetSecurityObject+12611Fj
					; NtSetSecurityObject+12612Bj
		lea	edx, [ebp+var_28]
		mov	ecx, ebx
		call	SeSetSecurityAccessMask
		mov	eax, large fs:124h
		mov	edi, [ebp+var_28]
		and	[ebp+var_C], 0
		mov	al, [eax+15Ah]
		mov	[ebp+var_20], al
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	dword ptr [ebp+var_20]
		push	0
		push	edi
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7CD1BC
		lea	eax, [ebp+var_10]
		push	eax		; int
		push	1		; int
		push	1		; int
		push	dword ptr [ebp+var_20] ; char
		push	[ebp+arg_8]	; size_t
		call	SeCaptureSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_7CD1B4
		mov	ecx, [ebp+var_10]
		push	4
		pop	eax
		mov	cx, [ecx+2]
		bt	cx, ax
		setnb	cl
		bt	ebx, 10h
		setb	al
		test	cl, al
		jnz	loc_7CD1C5

loc_7CD115:				; CODE XREF: NtSetSecurityObject+17Fj
		test	bl, 1
		jnz	loc_7CD1D0

loc_7CD11E:				; CODE XREF: NtSetSecurityObject+18Bj
		test	bl, 2
		jnz	loc_7CD285

loc_7CD127:				; CODE XREF: NtSetSecurityObject+240j
		test	byte ptr [ebp+var_38], 4
		jnz	short loc_7CD133
		and	edi, 0FFF3FFFFh

loc_7CD133:				; CODE XREF: NtSetSecurityObject+DFj
		test	edi, edi
		jnz	loc_7CD297

loc_7CD13B:				; CODE XREF: NtSetSecurityObject+26Cj
					; NtSetSecurityObject+1261E2j ...
		test	esi, esi
		js	short loc_7CD192
		mov	ecx, [ebp+var_C]
		test	bl, 40h
		jnz	loc_8F323E

loc_7CD14B:				; CODE XREF: NtSetSecurityObject+126223j
					; NtSetSecurityObject+12623Cj
		test	esi, esi
		js	short loc_7CD17D
		mov	eax, ebx
		and	eax, 20h
		mov	[ebp+arg_8], eax
		jnz	loc_7CD22C

loc_7CD15D:				; CODE XREF: NtSetSecurityObject+227j
		mov	ecx, [ebp+var_C]

loc_7CD160:				; CODE XREF: NtSetSecurityObject+211j
		test	esi, esi
		js	short loc_7CD17D
		push	[ebp+var_10]
		push	ebx
		push	ecx
		call	_ObSetSecurityObjectByPointer@12 ; ObSetSecurityObjectByPointer(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7CD17D
		test	edi, edi
		jnz	short loc_7CD1E2
		cmp	[ebp+arg_8], edi
		jnz	short loc_7CD1E2

loc_7CD17D:				; CODE XREF: NtSetSecurityObject+101j
					; NtSetSecurityObject+116j ...
		cmp	[ebp+var_14], 0
		jnz	loc_8F328D

loc_7CD187:				; CODE XREF: NtSetSecurityObject+12624Bj
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	loc_7CD278

loc_7CD192:				; CODE XREF: NtSetSecurityObject+F1j
					; NtSetSecurityObject+234j ...
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_7CD2C3

loc_7CD19D:				; CODE XREF: NtSetSecurityObject+27Fj
		cmp	[ebp+var_1C], 0
		jnz	loc_8F329C

loc_7CD1A7:				; CODE XREF: NtSetSecurityObject+12625Aj
		push	1
		push	dword ptr [ebp+var_20]
		push	[ebp+var_10]
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)

loc_7CD1B4:				; CODE XREF: NtSetSecurityObject+A3j
		mov	ecx, [ebp+var_C]
		call	ObfDereferenceObject

loc_7CD1BC:				; CODE XREF: NtSetSecurityObject+86j
		mov	eax, esi

loc_7CD1BE:				; CODE XREF: NtSetSecurityObject+126108j
					; NtSetSecurityObject+12614Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7CD1C5:				; CODE XREF: NtSetSecurityObject+C3j
		and	ebx, 0FFFFFE07h
		jmp	loc_7CD115
; 

loc_7CD1D0:				; CODE XREF: NtSetSecurityObject+CCj
		mov	eax, [ebp+var_10]
		cmp	dword ptr [eax+4], 0
		jnz	loc_7CD11E
		jmp	loc_8F317C
; 

loc_7CD1E2:				; CODE XREF: NtSetSecurityObject+12Aj
					; NtSetSecurityObject+12Fj
		push	[ebp+var_10]
		mov	edx, [ebp+var_C]
		push	[ebp+var_14]
		push	[ebp+var_24]
		lea	eax, [edx-18h]
		push	[ebp+var_18]
		shr	eax, 8
		push	[ebp+var_1C]
		movzx	ecx, al
		movzx	eax, byte ptr [edx-0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		push	ebx
		push	edi
		xor	ecx, eax
		push	0
		push	[ebp+arg_0]
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		xor	ecx, ecx
		push	0
		add	eax, 8
		push	eax
		call	SeSecurityDescriptorChangedAuditAlarm
		jmp	loc_7CD17D
; 

loc_7CD22C:				; CODE XREF: NtSetSecurityObject+10Bj
		lea	eax, [ecx-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [ecx-0Ch]
		mov	ecx, [ebp+var_C]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, ds:_IoFileObjectType
		jnz	short loc_7CD263
		mov	eax, [ecx+4]
		test	byte ptr [eax+20h], 10h
		jnz	loc_7CD160

loc_7CD263:				; CODE XREF: NtSetSecurityObject+208j
		lea	eax, [ebp+var_24]
		push	eax
		push	0
		push	20h
		pop	edx
		call	ObpAllocateAndQuerySecurityDescriptorInfo
		mov	esi, eax
		jmp	loc_7CD15D
; 

loc_7CD278:				; CODE XREF: NtSetSecurityObject+140j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7CD192
; 

loc_7CD285:				; CODE XREF: NtSetSecurityObject+D5j
		mov	eax, [ebp+var_10]
		cmp	dword ptr [eax+8], 0
		jnz	loc_7CD127
		jmp	loc_8F317C
; 

loc_7CD297:				; CODE XREF: NtSetSecurityObject+E9j
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_18]
		push	eax
		push	0
		push	8
		pop	edx
		call	ObpAllocateAndQuerySecurityDescriptorInfo
		mov	esi, eax
		test	esi, esi
		js	loc_7CD192
		test	edi, 0FEFFFFFFh
		jz	loc_7CD13B
		jmp	loc_8F319B
; 

loc_7CD2C3:				; CODE XREF: NtSetSecurityObject+14Bj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7CD19D
NtSetSecurityObject endp


;  S U B	R O U T	I N E 


SeSetSecurityAccessMask	proc near	; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+1CEp
					; NtSetSecurityObject+51p ...

; FUNCTION CHUNK AT 008F32AB SIZE 0000000C BYTES

		xor	eax, eax
		mov	[edx], eax
		test	ecx, 10000h
		jnz	loc_8F32AB

loc_7CD2E0:				; CODE XREF: SeSetSecurityAccessMask+125FE2j
		test	cl, 13h
		jz	short loc_7CD2EC
		or	eax, 80000h
		mov	[edx], eax

loc_7CD2EC:				; CODE XREF: SeSetSecurityAccessMask+13j
		push	esi
		mov	esi, 40000h
		test	cl, 4
		jz	short loc_7CD2FB
		or	eax, esi
		mov	[edx], eax

loc_7CD2FB:				; CODE XREF: SeSetSecurityAccessMask+25j
		test	cl, 20h
		jnz	short loc_7CD339

loc_7CD300:				; CODE XREF: SeSetSecurityAccessMask+6Dj
		test	cl, cl
		js	short loc_7CD333

loc_7CD304:				; CODE XREF: SeSetSecurityAccessMask+67j
		test	ecx, 100h
		jnz	short loc_7CD345

loc_7CD30C:				; CODE XREF: SeSetSecurityAccessMask+79j
		mov	esi, 1000000h
		test	cl, 40h
		jnz	short loc_7CD34B

loc_7CD316:				; CODE XREF: SeSetSecurityAccessMask+7Fj
		test	cl, 8
		jnz	short loc_7CD33F

loc_7CD31B:				; CODE XREF: SeSetSecurityAccessMask+73j
		test	ecx, 1F8h
		jnz	short loc_7CD325

loc_7CD323:				; CODE XREF: SeSetSecurityAccessMask+5Bj
		pop	esi
		retn
; 

loc_7CD325:				; CODE XREF: SeSetSecurityAccessMask+51j
		test	ecx, 50000000h
		jz	short loc_7CD323
		or	eax, esi
		mov	[edx], eax
		pop	esi
		retn
; 

loc_7CD333:				; CODE XREF: SeSetSecurityAccessMask+32j
		or	eax, esi
		mov	[edx], eax
		jmp	short loc_7CD304
; 

loc_7CD339:				; CODE XREF: SeSetSecurityAccessMask+2Ej
		or	eax, esi
		mov	[edx], eax
		jmp	short loc_7CD300
; 

loc_7CD33F:				; CODE XREF: SeSetSecurityAccessMask+49j
		or	eax, esi
		mov	[edx], eax
		jmp	short loc_7CD31B
; 

loc_7CD345:				; CODE XREF: SeSetSecurityAccessMask+3Aj
		or	eax, esi
		mov	[edx], eax
		jmp	short loc_7CD30C
; 

loc_7CD34B:				; CODE XREF: SeSetSecurityAccessMask+44j
		or	eax, esi
		mov	[edx], eax
		jmp	short loc_7CD316
SeSetSecurityAccessMask	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeSecurityDescriptorChangedAuditAlarm proc near	; CODE XREF: NtSetSecurityObject+1D6p

var_72		= byte ptr -72h
var_71		= byte ptr -71h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
Source1		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
Source2		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 008F32B7 SIZE 0000064D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+80h+var_14], edx
		lea	edi, [esp+80h+var_10]
		stosd
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	eax, edi
		mov	[esp+80h+var_24], edi
		mov	[esp+80h+var_6C], eax
		mov	esi, edi
		mov	[esp+80h+var_40], eax
		mov	ebx, edi
		mov	[esp+80h+var_3C], eax
		lea	eax, [esp+80h+var_10]
		push	eax
		mov	eax, large fs:124h
		mov	[esp+84h+var_48], edi
		mov	[esp+84h+var_20], edi
		mov	[esp+84h+var_5C], edi
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		mov	[esp+8Ch+var_64], edi
		mov	[esp+8Ch+var_1C], edi
		mov	[esp+8Ch+var_70], esi
		mov	[esp+8Ch+var_18], edi
		mov	[esp+8Ch+var_50], edi
		mov	[esp+8Ch+var_38], edi
		mov	[esp+8Ch+var_60], edi
		mov	[esp+8Ch+var_54], edi
		mov	[esp+8Ch+Source2], edi
		mov	[esp+8Ch+var_4C], edi
		mov	[esp+8Ch+var_28], edi
		mov	[esp+8Ch+var_58], edi
		mov	[esp+8Ch+var_2C], edi
		call	SeCaptureSubjectContextEx
		mov	eax, [esp+80h+var_10]
		mov	[esp+80h+var_34], eax
		test	eax, eax
		jnz	short loc_7CD3FF
		mov	eax, [esp+80h+var_8]
		mov	[esp+80h+var_34], eax
		test	eax, eax
		jz	loc_8F32B7

loc_7CD3FF:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+9Bj
		lea	eax, [esp+80h+var_10]
		mov	dl, 1
		push	eax
		push	edi
		mov	ecx, 8Eh
		call	SepAdtAuditThisEventWithContext
		mov	[esp+80h+var_71], al
		test	al, al
		jnz	loc_8F32C6

loc_7CD41D:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+125F77j
					; SeSecurityDescriptorChangedAuditAlarm+125F87j
		mov	edi, [ebp+arg_10]
		test	edi, 1000000h
		jnz	loc_7CD54F

loc_7CD42C:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+21Dj
					; SeSecurityDescriptorChangedAuditAlarm+125FA0j ...
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_8F3309
		xor	ecx, ecx
		cmp	[eax], cx
		jz	loc_8F3309
		mov	esi, eax

loc_7CD444:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+125FE2j
		mov	[esp+80h+var_64], esi

loc_7CD448:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+125FE9j
		and	edi, 0FEFFFFFFh
		jnz	loc_8F3340

loc_7CD454:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12603Cj
		mov	ecx, [esp+80h+var_70]

loc_7CD458:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12604Aj
					; SeSecurityDescriptorChangedAuditAlarm+12605Cj
		mov	esi, [ebp+arg_28]
		movzx	eax, word ptr [esi+2]
		mov	edx, eax
		test	al, 10h
		jz	loc_7CD5A9
		test	dx, dx
		jns	loc_7CD5BF
		mov	edx, [esi+0Ch]
		lea	eax, [edx+esi]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	[esp+80h+var_44], edx

loc_7CD482:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+25Dj
		mov	edi, [ebp+arg_1C]
		test	edi, edi
		jnz	loc_7CD57A

loc_7CD48D:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+247j
					; SeSecurityDescriptorChangedAuditAlarm+268j
		mov	edi, [ebp+arg_18]
		test	edi, edi
		jnz	loc_8F33B3

loc_7CD498:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126084j
					; SeSecurityDescriptorChangedAuditAlarm+126090j
		mov	eax, [ebp+arg_20]
		test	eax, eax
		jz	short loc_7CD4C8
		movzx	eax, word ptr [eax+2]
		mov	edx, eax
		test	al, 10h
		jz	loc_7CD59E
		mov	eax, [ebp+arg_20]
		test	dx, dx
		jns	loc_7CD5C9
		mov	edx, [eax+0Ch]
		add	eax, edx
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	[esp+80h+var_4C], edx

loc_7CD4C8:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+14Bj
					; SeSecurityDescriptorChangedAuditAlarm+252j
		mov	eax, [ebp+arg_24]
		test	eax, eax
		jnz	loc_8F33E7
		mov	edx, ebx

loc_7CD4D5:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1260C4j
		mov	eax, [esp+80h+var_44]
		test	eax, eax
		jz	short loc_7CD522
		xor	ecx, ecx
		cmp	[eax+4], cx
		mov	ecx, [esp+80h+var_70]
		jz	short loc_7CD522
		test	ecx, ecx
		jnz	loc_8F341B

loc_7CD4F1:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1F6j
					; SeSecurityDescriptorChangedAuditAlarm+126354j ...
		xor	eax, eax

loc_7CD4F3:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1263B9j
					; SeSecurityDescriptorChangedAuditAlarm+1263C4j
		test	edi, edi
		jnz	loc_8F371B

loc_7CD4FB:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12644Bj
					; SeSecurityDescriptorChangedAuditAlarm+12649Aj ...
		test	ebx, ebx
		jnz	loc_8F37FA

loc_7CD503:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126595j
					; SeSecurityDescriptorChangedAuditAlarm+1265A2j
		mov	eax, [esp+80h+var_1C]
		test	eax, eax
		js	loc_8F38F9

loc_7CD50F:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1265ADj
		lea	eax, [esp+80h+var_10]
		push	eax
		call	SeReleaseSubjectContext

loc_7CD519:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+125F6Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_7CD522:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+189j
					; SeSecurityDescriptorChangedAuditAlarm+195j
		mov	eax, [esp+80h+var_54]
		test	eax, eax
		jnz	loc_8F36B6

loc_7CD52E:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12636Dj
					; SeSecurityDescriptorChangedAuditAlarm+126378j
		mov	eax, [esp+80h+var_50]
		test	eax, eax
		jnz	loc_8F36CF

loc_7CD53A:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126386j
					; SeSecurityDescriptorChangedAuditAlarm+126393j
		mov	eax, [esp+80h+var_4C]
		test	eax, eax
		jnz	loc_8F36EA

loc_7CD546:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1263A1j
					; SeSecurityDescriptorChangedAuditAlarm+1263AEj
		test	edx, edx
		jz	short loc_7CD4F1
		jmp	loc_8F3705
; 

loc_7CD54F:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+D4j
		lea	eax, [esp+80h+var_10]
		mov	dl, 1
		push	eax
		xor	eax, eax
		mov	ecx, 8Ch
		push	eax
		call	SepAdtAuditThisEventWithContext
		test	al, al
		jnz	loc_8F32DE

loc_7CD56B:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+125F98j
		cmp	[esp+80h+var_71], bl
		jz	loc_7CD42C
		jmp	loc_8F32EF
; 

loc_7CD57A:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+135j
		movzx	eax, word ptr [edi+2]
		mov	edx, eax
		test	al, 10h
		jz	short loc_7CD5B4
		test	dx, dx
		jns	short loc_7CD5C4
		mov	edx, [edi+0Ch]
		lea	eax, [edx+edi]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	[esp+80h+var_54], edx
		jmp	loc_7CD48D
; 

loc_7CD59E:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+155j
		xor	eax, eax

loc_7CD5A0:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+27Aj
		mov	[esp+80h+var_4C], eax
		jmp	loc_7CD4C8
; 

loc_7CD5A9:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+111j
		xor	eax, eax

loc_7CD5AB:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+270j
		mov	[esp+80h+var_44], eax
		jmp	loc_7CD482
; 

loc_7CD5B4:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+230j
		xor	eax, eax

loc_7CD5B6:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+275j
		mov	[esp+80h+var_54], eax
		jmp	loc_7CD48D
; 

loc_7CD5BF:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+11Aj
		mov	eax, [esi+0Ch]
		jmp	short loc_7CD5AB
; 

loc_7CD5C4:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+235j
		mov	eax, [edi+0Ch]
		jmp	short loc_7CD5B6
; 

loc_7CD5C9:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+161j
		mov	eax, [eax+0Ch]
		jmp	short loc_7CD5A0
SeSecurityDescriptorChangedAuditAlarm endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpAllocateAndQuerySecurityDescriptorInfo proc near ; CODE XREF: NtSetSecurityObject+220p
					; NtSetSecurityObject+257p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F3904 SIZE 00000083 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_4], 0
		mov	eax, ecx
		push	ebx
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], edx
		lea	ebx, [eax-18h]
		mov	eax, ebx
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [ebx+0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		cmp	[ebp+arg_0], 0
		push	esi
		push	edi
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		mov	[ebp+var_C], eax
		jnz	loc_8F3904
		mov	eax, _ObpDefaultSecurityDescriptorLength
		mov	edi, 7153624Fh
		push	edi
		push	eax
		push	1
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7CD684
		mov	eax, [ebp+var_C]
		add	ebx, 14h
		push	0
		mov	[ebp+var_14], ebx
		mov	ecx, [eax+6Ch]
		lea	edx, [eax+34h]
		push	edx
		push	dword ptr [eax+4Ch]
		lea	eax, [ebp+var_4]
		mov	[ebp+var_18], ecx
		push	ebx
		push	eax
		push	esi
		lea	eax, [ebp+var_8]
		mov	[ebp+arg_0], edx
		push	eax
		push	1
		push	[ebp+var_10]
		call	ecx
		mov	ebx, eax
		cmp	ebx, 0C0000023h
		jz	loc_8F3945

loc_7CD669:				; CODE XREF: ObpAllocateAndQuerySecurityDescriptorInfo+1263B4j
		test	ebx, ebx
		js	short loc_7CD67B
		mov	eax, [ebp+arg_4]
		mov	[eax], esi

loc_7CD672:				; CODE XREF: ObpAllocateAndQuerySecurityDescriptorInfo+B4j
		mov	eax, ebx

loc_7CD674:				; CODE XREF: ObpAllocateAndQuerySecurityDescriptorInfo+BBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7CD67B:				; CODE XREF: ObpAllocateAndQuerySecurityDescriptorInfo+9Dj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7CD672
; 

loc_7CD684:				; CODE XREF: ObpAllocateAndQuerySecurityDescriptorInfo+5Fj
					; ObpAllocateAndQuerySecurityDescriptorInfo+12635Dj ...
		mov	eax, 0C000009Ah
		jmp	short loc_7CD674
ObpAllocateAndQuerySecurityDescriptorInfo endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmStoreAllocateVirtualMemory proc near	; CODE XREF: SmKmStoreHelperCommandProcess+FAp

var_91		= byte ptr -91h
var_90		= dword	ptr -90h
var_88		= dword	ptr -88h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= byte ptr -2Ch
var_18		= dword	ptr -18h

; FUNCTION CHUNK AT 008F3987 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		push	ebx
		push	esi
		mov	esi, large fs:124h
		mov	ebx, ecx
		push	edi
		push	6
		pop	ecx
		xor	edx, edx
		lea	edi, [esp+90h+var_18]
		xor	eax, eax
		mov	[esp+90h+var_80], edx
		push	58h		; size_t
		rep stosd
		push	edx		; int
		lea	eax, [esp+98h+var_70]
		mov	[esp+98h+var_7C], edx
		push	eax		; void *
		mov	[esp+9Ch+var_78], edx
		call	_memset
		mov	eax, [esi+80h]
		lea	ecx, [esp+9Ch+var_70]
		mov	[esp+9Ch+var_30], eax
		add	esp, 0Ch
		mov	[esp+90h+var_34], eax
		xor	edx, edx
		mov	eax, ds:_MmHighestUserAddress
		mov	[esp+90h+var_6C], eax
		lea	eax, [esp+90h+var_7C]
		mov	[esp+90h+var_38], eax
		lea	eax, [esp+90h+var_80]
		mov	[esp+90h+var_64], ebx
		xor	ebx, ebx
		push	eax
		mov	[esp+94h+var_68], 10000h
		mov	[esp+94h+var_5C], 3000h
		mov	[esp+94h+var_58], 2
		mov	[esp+94h+var_48], 1
		mov	[esp+94h+var_3C], 80000001h
		mov	[esp+94h+var_2C], bl
		call	MiAllocateVirtualMemory
		mov	[esp+90h+var_74], eax
		test	eax, eax
		js	short loc_7CD7B6
		mov	ecx, dword_6D061C
		lea	edx, [esp+90h+var_74]
		xor	ecx, [esp+90h+var_30]
		xor	ecx, [esp+90h+var_7C]
		call	MiObtainReferencedSecureVad
		mov	edi, eax
		test	edi, edi
		jz	short loc_7CD7B6
		mov	ecx, edi
		call	_MiMakeSecureExclusive@4 ; MiMakeSecureExclusive(x)
		test	eax, eax
		jz	loc_8F3987
		mov	esi, [edi+10h]
		lea	eax, [esp+90h+var_18]
		push	eax
		push	1
		shl	esi, 0Ch
		push	edi
		push	[esp+9Ch+var_30]
		or	esi, 0FFFh
		mov	ecx, esi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, [esp+0A0h+var_80]
		mov	edx, eax
		call	_MiDecommitPages@24 ; MiDecommitPages(x,x,x,x,x,x)
		mov	ecx, [esp+0A0h+var_90]
		mov	edx, esi
		call	MiLockPageTableRange
		test	eax, eax
		js	short loc_7CD7AE
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		mov	eax, [esp+0A0h+var_90]
		mov	edi, ebx
		mov	[esp+0A0h+var_88], eax

loc_7CD7AE:				; CODE XREF: MmStoreAllocateVirtualMemory+10Fj
		test	edi, edi
		jnz	loc_8F399E

loc_7CD7B6:				; CODE XREF: MmStoreAllocateVirtualMemory+AAj
					; MmStoreAllocateVirtualMemory+C7j ...
		mov	eax, [esp+0A0h+var_88]

loc_7CD7BA:				; CODE XREF: MmStoreAllocateVirtualMemory+12630Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
MmStoreAllocateVirtualMemory endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAlpcDeletePortSection	proc near	; DATA XREF: .text:00581228o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F39BE SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		cmp	[ebp+arg_4], 0
		jnz	loc_8F39BE
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	0
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4], al
		push	[ebp+arg_4]
		mov	eax, ds:_AlpcPortObjectType
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7CD859
		mov	edx, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+var_4]
		push	edi
		push	offset _AlpcSectionType
		mov	ecx, [ebx+8]
		add	ecx, 14h
		call	AlpcReferenceBlobByHandle
		mov	edi, eax
		test	edi, edi
		jz	short loc_7CD86C
		mov	ecx, edi
		call	AlpcpDeleteBlob
		test	al, al
		jz	short loc_7CD873
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	AlpcpDereferenceBlobEx

loc_7CD846:				; CODE XREF: NtAlpcDeletePortSection+B6j
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	AlpcpDereferenceBlobEx

loc_7CD850:				; CODE XREF: NtAlpcDeletePortSection+AFj
		mov	ecx, ebx
		call	ObfDereferenceObject
		pop	edi
		pop	ebx

loc_7CD859:				; CODE XREF: NtAlpcDeletePortSection+4Fj
					; NtAlpcDeletePortSection+126201j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		pop	esi
		leave
		retn	0Ch
; 

loc_7CD86C:				; CODE XREF: NtAlpcDeletePortSection+6Dj
		mov	esi, 0C0000008h
		jmp	short loc_7CD850
; 

loc_7CD873:				; CODE XREF: NtAlpcDeletePortSection+78j
		mov	esi, 0C0000056h
		jmp	short loc_7CD846
NtAlpcDeletePortSection	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpQuerySidMessage(x, x, x, x, x)
_AlpcpQuerySidMessage@20 proc near	; CODE XREF: NtAlpcQueryInformationMessage+179p

var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	esi
		push	edi
		push	3Ch		; size_t
		lea	eax, [ebp+var_44]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		and	[ebp+var_8], 0
		lea	eax, [ebp-1]
		add	esp, 0Ch
		mov	[ebp+var_1], 0
		mov	edx, esi
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	AlpcpGetEffectiveTokenMessage
		test	eax, eax
		js	short loc_7CD8DC
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_8]
		call	AlpcpQuerySidToken
		cmp	[ebp+var_1], 0
		mov	esi, eax
		jz	short loc_7CD8DA
		mov	ecx, [ebp+var_38]
		call	ObfDereferenceObject

loc_7CD8DA:				; CODE XREF: AlpcpQuerySidMessage(x,x,x,x,x)+56j
		mov	eax, esi

loc_7CD8DC:				; CODE XREF: AlpcpQuerySidMessage(x,x,x,x,x)+3Dj
		pop	edi
		pop	esi
		leave
		retn	0Ch
_AlpcpQuerySidMessage@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpQuerySidToken proc	near		; CODE XREF: AlpcpQuerySidMessage(x,x,x,x,x)+4Bp

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	58h
		push	offset dword_6A3CF0
		call	__SEH_prolog4_GS
		mov	ebx, edx
		mov	esi, ecx
		mov	edi, [ebp+arg_4]
		and	[ebp+var_64], 0
		push	44h		; size_t
		push	0		; int
		lea	eax, [ebp+var_60]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_64]
		push	eax
		push	44h
		lea	edx, [ebp+var_60]
		mov	ecx, esi
		call	_SeQueryUserSidToken@16	; SeQueryUserSidToken(x,x,x,x)
		xor	esi, esi
		mov	eax, [ebp+var_64]
		cmp	eax, [ebp+arg_0]
		ja	short loc_7CD95A

loc_7CD923:				; CODE XREF: AlpcpQuerySidToken+7Dj
		and	[ebp+ms_exc.disabled], 0
		test	edi, edi
		jz	short loc_7CD92D
		mov	[edi], eax

loc_7CD92D:				; CODE XREF: AlpcpQuerySidToken+47j
		test	esi, esi
		js	short loc_7CD93F
		push	eax		; size_t
		lea	eax, [ebp+var_60]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_7CD93F:				; CODE XREF: AlpcpQuerySidToken+4Dj
					; sub_8F39D6+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7CD95A:				; CODE XREF: AlpcpQuerySidToken+3Fj
		mov	esi, 0C0000023h
		jmp	short loc_7CD923
AlpcpQuerySidToken endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpGetEffectiveTokenMessage proc near	; CODE XREF: AlpcpQuerySidMessage(x,x,x,x,x)+36p
					; AlpcpQueryTokenModifiedIdMessage(x,x,x,x,x)+57p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F39E1 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr [edx+14h], 80h
		mov	eax, ecx
		push	esi
		jnz	loc_8F39E1
		mov	ecx, [edx+48h]
		test	ecx, ecx
		jnz	short loc_7CD9EB
		mov	eax, [eax+0F4h]
		mov	ecx, [edx+0Ch]
		and	al, 6
		cmp	al, 2
		jnz	short loc_7CD9F6
		test	ecx, ecx
		jz	short loc_7CD9F6
		mov	esi, [ecx+0F4h]
		mov	eax, esi
		and	al, 6
		cmp	al, 4
		jnz	short loc_7CD9F6
		test	esi, 400h
		jz	short loc_7CD9D7
		mov	edx, [edx+10h]
		test	edx, edx
		jz	short loc_7CD9F6
		mov	esi, [ebp+arg_4]
		lea	eax, [ecx+9Ch]
		push	esi
		push	0
		push	eax
		push	edx
		call	SeCreateClientSecurityEx
		test	eax, eax
		js	short loc_7CD9D2
		mov	eax, [ebp+arg_0]
		mov	ecx, [esi+0Ch]
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	1

loc_7CD9D0:				; CODE XREF: AlpcpGetEffectiveTokenMessage+87j
		xor	eax, eax

loc_7CD9D2:				; CODE XREF: AlpcpGetEffectiveTokenMessage+5Ej
					; AlpcpGetEffectiveTokenMessage+99j ...
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_7CD9D7:				; CODE XREF: AlpcpGetEffectiveTokenMessage+40j
		mov	ecx, [ecx+2Ch]
		test	ecx, ecx
		jz	short loc_7CD9F6

loc_7CD9DE:				; CODE XREF: AlpcpGetEffectiveTokenMessage+92j
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	0
		jmp	short loc_7CD9D0
; 

loc_7CD9EB:				; CODE XREF: AlpcpGetEffectiveTokenMessage+17j
		cmp	dword ptr [ecx+14h], 1
		jl	short loc_7CD9F6
		mov	ecx, [ecx+1Ch]
		jmp	short loc_7CD9DE
; 

loc_7CD9F6:				; CODE XREF: AlpcpGetEffectiveTokenMessage+26j
					; AlpcpGetEffectiveTokenMessage+2Aj ...
		mov	eax, 0C0000022h
		jmp	short loc_7CD9D2
AlpcpGetEffectiveTokenMessage endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeTokenIsElevated(x, x)
_SeTokenIsElevated@8 proc near		; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+189p
					; SeTokenCanImpersonate(x,x,x,x)+1A3p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		cmp	dword ptr [ecx+0A8h], 2
		mov	[ebp+var_4], ebx
		mov	[edi], bl
		jnz	short loc_7CDA22
		cmp	dword ptr [ecx+0ACh], 2
		jl	short loc_7CDA4D

loc_7CDA22:				; CODE XREF: SeTokenIsElevated(x,x)+19j
		lea	eax, [ebp+var_4]
		push	eax
		push	14h
		push	ecx
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_7CDA3B
		cmp	[ecx], ebx
		jnz	short loc_7CDA51

loc_7CDA3B:				; CODE XREF: SeTokenIsElevated(x,x)+37j
					; SeTokenIsElevated(x,x)+56j
		test	ecx, ecx
		jz	short loc_7CDA46
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7CDA46:				; CODE XREF: SeTokenIsElevated(x,x)+3Fj
					; SeTokenIsElevated(x,x)+51j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7CDA4D:				; CODE XREF: SeTokenIsElevated(x,x)+22j
		mov	esi, ebx
		jmp	short loc_7CDA46
; 

loc_7CDA51:				; CODE XREF: SeTokenIsElevated(x,x)+3Bj
		mov	byte ptr [edi],	1
		jmp	short loc_7CDA3B
_SeTokenIsElevated@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 566. FsRtlIsFatDbcsLegal

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlIsFatDbcsLegal
FsRtlIsFatDbcsLegal proc near		; CODE XREF: FsRtlIsFatDbcsLegal+126040p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 008F39EB SIZE 0000016E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	si, word ptr [ebp+arg_0]
		xor	edx, edx
		mov	bh, dl
		push	edi
		test	si, si
		jz	loc_7CDB0D
		mov	ecx, [ebp+arg_8]
		xor	eax, eax
		mov	edi, [ebp+arg_4]
		inc	eax
		test	cl, cl
		jnz	loc_8F39EB

loc_7CDA88:				; CODE XREF: FsRtlIsFatDbcsLegal+125FAAj
					; FsRtlIsFatDbcsLegal+125FC1j ...
		cmp	byte ptr [edi],	5Ch
		jz	loc_8F3A31

loc_7CDA91:				; CODE XREF: FsRtlIsFatDbcsLegal+125FFEj
		cmp	[ebp+arg_C], dl
		jnz	loc_8F3A5F
		test	cl, cl
		jnz	loc_8F3AB6

loc_7CDAA2:				; CODE XREF: FsRtlIsFatDbcsLegal+1260BAj
		cmp	si, 0Ch
		ja	short loc_7CDB0D
		movzx	esi, si
		test	esi, esi
		jz	short loc_7CDAFF

loc_7CDAAF:				; CODE XREF: FsRtlIsFatDbcsLegal+92j
		mov	bl, [edi+edx]
		cmp	bl, 80h
		jnb	loc_8F3B1B

loc_7CDABB:				; CODE XREF: FsRtlIsFatDbcsLegal+1260C6j
					; FsRtlIsFatDbcsLegal+1260D9j
		test	bl, bl
		js	short loc_7CDADC
		movzx	eax, bl
		movzx	ecx, ds:byte_40B788[eax]
		xor	eax, eax
		cmp	byte ptr [ebp+arg_8], al
		setnz	al
		lea	eax, ds:1[eax*8]
		and	ecx, eax
		jz	short loc_7CDB0D

loc_7CDADC:				; CODE XREF: FsRtlIsFatDbcsLegal+61j
		cmp	bl, 2Eh
		jz	short loc_7CDB11
		cmp	bl, 22h
		jz	short loc_7CDB11

loc_7CDAE6:				; CODE XREF: FsRtlIsFatDbcsLegal+D3j
		cmp	edx, 8
		jnb	short loc_7CDB09

loc_7CDAEB:				; CODE XREF: FsRtlIsFatDbcsLegal+AFj
					; FsRtlIsFatDbcsLegal+1260F8j
		inc	edx
		cmp	edx, esi
		jb	short loc_7CDAAF
		cmp	bl, 20h
		jz	short loc_7CDB0D
		cmp	bl, 2Eh
		jz	short loc_7CDB0D
		cmp	bl, 22h
		jz	short loc_7CDB0D

loc_7CDAFF:				; CODE XREF: FsRtlIsFatDbcsLegal+51j
		xor	eax, eax
		inc	eax

loc_7CDB02:				; CODE XREF: FsRtlIsFatDbcsLegal+B3j
					; FsRtlIsFatDbcsLegal+1260B3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7CDB09:				; CODE XREF: FsRtlIsFatDbcsLegal+8Dj
		test	bh, bh
		jnz	short loc_7CDAEB

loc_7CDB0D:				; CODE XREF: FsRtlIsFatDbcsLegal+15j
					; FsRtlIsFatDbcsLegal+4Aj ...
		xor	al, al
		jmp	short loc_7CDB02
; 

loc_7CDB11:				; CODE XREF: FsRtlIsFatDbcsLegal+83j
					; FsRtlIsFatDbcsLegal+88j
		test	edx, edx
		jz	short loc_7CDB0D
		test	bh, bh
		jnz	short loc_7CDB0D
		mov	eax, esi
		sub	eax, edx
		dec	eax
		cmp	eax, 3
		ja	short loc_7CDB0D
		cmp	byte ptr [edi+edx-1], 20h
		jz	short loc_7CDB0D
		xor	eax, eax
		inc	eax
		mov	bh, al
		jmp	short loc_7CDAE6
FsRtlIsFatDbcsLegal endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiFreeWorkingSetSwapContext(x, x)
_MiFreeWorkingSetSwapContext@8 proc near ; CODE	XREF: MmInSwapWorkingSet+EAp
					; MiBeginProcessClean+22Ep ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_7CDB4A
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7CDB4A:				; CODE XREF: MiFreeWorkingSetSwapContext(x,x)+Fj
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_7CDB74

loc_7CDB51:				; CODE XREF: MiFreeWorkingSetSwapContext(x,x)+49j
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_7CDB5F
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7CDB5F:				; CODE XREF: MiFreeWorkingSetSwapContext(x,x)+24j
		lea	edx, [esi+20h]
		mov	ecx, edi
		call	_MiFreeReservationRun@8	; MiFreeReservationRun(x,x)
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7CDB74:				; CODE XREF: MiFreeWorkingSetSwapContext(x,x)+1Dj
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7CDB51
_MiFreeWorkingSetSwapContext@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVEExecuteCreateLogic(x, x, x, x,	x, x, x, x, x)
_CmpVEExecuteCreateLogic@36 proc near	; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1961p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_6		= dword	ptr -6
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_C], edx
		push	esi
		push	edi
		push	eax
		mov	[ebp+var_18], eax
		mov	ebx, ecx
		mov	[ebp+var_14], eax
		mov	byte ptr [ebp+var_6+1],	al
		mov	[ebp+var_10], eax
		mov	byte ptr [ebp+var_6], al
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		cmp	[ebx+22h], ax
		jz	short loc_7CDBBB

loc_7CDBB1:				; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+44j
		mov	esi, 0C0000271h
		jmp	loc_7CDD3D
; 

loc_7CDBBB:				; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+31j
		mov	edi, [ebp+arg_14]
		test	byte ptr [edi+14h], 10h
		jnz	short loc_7CDBB1
		mov	esi, [ebp+arg_4]
		lea	eax, [edi+0Ch]
		add	esi, 1Ch
		mov	ecx, ebx
		push	eax
		mov	edx, esi
		mov	[ebp+arg_14], esi
		call	sub_5009EC
		test	al, al
		jnz	short loc_7CDBE8

loc_7CDBDE:				; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+AFj
					; CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+CAj
		mov	esi, 0C0000271h
		jmp	loc_7CDD3B
; 

loc_7CDBE8:				; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+5Ej
		test	byte ptr [edi+60h], 1
		jnz	short loc_7CDBFA
		lea	ecx, [edi+64h]
		call	CmpAttachToRegistryProcess
		or	dword ptr [edi+60h], 1

loc_7CDBFA:				; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+6Ej
		lea	eax, [ebp+var_18]
		mov	ecx, ebx
		push	eax
		push	esi
		call	_CmpReparseToVirtualPath@16 ; CmpReparseToVirtualPath(x,x,x,x)
		test	al, al
		jz	short loc_7CDC29
		push	0
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		jmp	loc_7CDCFB
; 

loc_7CDC29:				; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+8Aj
		test	byte ptr [ebx+68h], 20h
		jnz	short loc_7CDBDE
		mov	eax, [ebp+arg_C]
		mov	ecx, ebx
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_10]
		or	eax, 4
		push	eax
		mov	[ebp+arg_C], eax
		call	_CmpDoAccessCheckOnKCB@16 ; CmpDoAccessCheckOnKCB(x,x,x,x)
		test	al, al
		jnz	short loc_7CDBDE
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_10]
		mov	ecx, ebx
		push	20019h
		call	_CmpDoAccessCheckOnKCB@16 ; CmpDoAccessCheckOnKCB(x,x,x,x)
		test	al, al
		jnz	short loc_7CDC6A

loc_7CDC60:				; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+10Dj
		mov	esi, 0C0000022h
		jmp	loc_7CDD3B
; 

loc_7CDC6A:				; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+E0j
		mov	edx, [ebx+2Ch]
		lea	eax, [ebp+var_6+1]
		mov	ecx, [ebp+arg_C]
		add	edx, 18h
		push	eax
		push	esi
		call	CmpCheckAdminAccess
		mov	esi, eax
		test	esi, esi
		js	loc_7CDD3B
		cmp	byte ptr [ebp+var_6+1],	0
		jz	short loc_7CDC60
		mov	ecx, [ebp+var_C]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	edx, [ebp+arg_14]
		lea	eax, [ebp+var_10]
		push	eax
		mov	eax, [edi]
		mov	ecx, ebx
		shr	eax, 0Ah
		and	al, 1
		movzx	eax, al
		push	eax
		call	_CmpReplicateKeyToVirtual@16 ; CmpReplicateKeyToVirtual(x,x,x,x)
		mov	ecx, [ebp+var_C]
		mov	esi, eax
		call	_CmpLockKcbExclusive@4 ; CmpLockKcbExclusive(x)
		test	esi, esi
		js	short loc_7CDD3B
		mov	ecx, [ebx+2Ch]
		lea	eax, [ebp+var_6]
		mov	edx, [ebp+arg_14]
		add	ecx, 18h
		push	eax
		call	_CmpExamineSaclForAuditEvent@12	; CmpExamineSaclForAuditEvent(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7CDD3B
		cmp	byte ptr [ebp+var_6], 0
		jz	short loc_7CDCEA
		mov	edx, [ebp+arg_14]
		mov	ecx, ebx
		call	_CmpReportAuditVirtualizationEvent@8 ; CmpReportAuditVirtualizationEvent(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7CDD3B

loc_7CDCEA:				; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+15Aj
		mov	eax, [ebp+var_10]
		or	dword ptr [edi+40h], 2
		mov	[edi+48h], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+arg_14]

loc_7CDCFB:				; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+A6j
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_CmRealKCBToVirtualPath@16 ; CmRealKCBToVirtualPath(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7CDD3B
		mov	esi, [ebp+arg_18]
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_7CDD1D
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7CDD1D:				; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+195j
		mov	eax, [ebp+var_18]
		mov	[esi], eax
		mov	eax, [ebp+var_14]
		mov	[esi+4], eax
		lea	eax, [ebp+var_18]
		push	0
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		or	dword ptr [edi], 8
		mov	esi, 104h

loc_7CDD3B:				; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+65j
					; CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+E7j ...
		xor	eax, eax

loc_7CDD3D:				; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+38j
		cmp	[ebp+var_14], 0
		jz	short loc_7CDD4C
		push	eax
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7CDD4C:				; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+1C3j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_CmpVEExecuteCreateLogic@36 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateUserStack proc near		; CODE XREF: MiAllocateVirtualMemoryCommon+DAp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F3B59 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		test	dword ptr [esi+28h], 40000000h
		jnz	loc_8F3B59

loc_7CDD70:				; CODE XREF: MiAllocateUserStack+125E10j
		push	edx
		xor	edx, edx
		call	MiAllocateVirtualMemory
		and	dword ptr [esi+38h], 0
		and	dword ptr [esi+34h], 0
		test	eax, eax
		js	short loc_7CDD86
		xor	eax, eax

loc_7CDD86:				; CODE XREF: MiAllocateUserStack+2Cj
		pop	esi
		leave
		retn
MiAllocateUserStack endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVEPerformOpenAccessCheck(x, x, x, x, x, x)
_CmpVEPerformOpenAccessCheck@24	proc near
					; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+437p

var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	esi
		xor	eax, eax
		push	edi
		mov	esi, [ebx+8]
		mov	byte ptr [ebp+var_1], al
		cmp	[esi+22h], ax
		jnz	short loc_7CDDBF
		mov	edx, [ebp+arg_8]
		test	byte ptr [edx+14h], 10h
		jnz	short loc_7CDDBF
		add	edx, 0Ch
		mov	ecx, esi
		call	SilentFailAccessCheck
		test	al, al
		jnz	short loc_7CDDC9

loc_7CDDBF:				; CODE XREF: CmpVEPerformOpenAccessCheck(x,x,x,x,x,x)+1Cj
					; CmpVEPerformOpenAccessCheck(x,x,x,x,x,x)+25j	...
		mov	eax, [ebp+arg_C]

loc_7CDDC2:				; CODE XREF: CmpVEPerformOpenAccessCheck(x,x,x,x,x,x)+A5j
					; CmpVEPerformOpenAccessCheck(x,x,x,x,x,x)+ACj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7CDDC9:				; CODE XREF: CmpVEPerformOpenAccessCheck(x,x,x,x,x,x)+33j
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_1]
		mov	edx, [esi+2Ch]
		push	eax
		add	edx, 18h
		mov	ecx, [edi+10h]
		lea	eax, [edi+1Ch]
		push	eax
		call	CmpCheckAdminAccess
		mov	[ebp+arg_0], eax
		test	eax, eax
		js	short loc_7CDDBF
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_7CDE31
		mov	eax, ds:_CmKeyObjectType
		add	eax, 34h
		mov	[ebp+arg_8], 2000000h
		push	eax
		lea	eax, [ebp+arg_8]
		push	eax
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	eax, [ebp+arg_8]
		mov	ecx, ebx
		mov	edx, [ebp+var_8]
		mov	[edi+10h], eax
		mov	[edi+18h], eax
		lea	eax, [ebp+arg_0]
		push	eax
		push	[ebp+arg_4]
		push	edi
		call	CmpCheckKeyBodyAccess
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, [ebp+arg_0]
		jmp	short loc_7CDDC2
; 

loc_7CDE31:				; CODE XREF: CmpVEPerformOpenAccessCheck(x,x,x,x,x,x)+63j
		mov	eax, 0C0000022h
		jmp	short loc_7CDDC2
_CmpVEPerformOpenAccessCheck@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCheckKeyBodyAccess proc near		; CODE XREF: CmpVEPerformOpenAccessCheck(x,x,x,x,x,x)+94p
					; CmpDoAccessCheckOnKCB(x,x,x,x)+F3p

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F3B6B SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_10], 0
		xor	eax, eax
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_28]
		mov	esi, edx
		stosd
		mov	ebx, ecx
		mov	[ebp+var_14], esi
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [ebp+var_28+2], ax
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_8F3B6B
		mov	edx, [ebx+8]
		lea	ecx, [ebp+var_28]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		js	loc_7CDF54
		push	0
		mov	edx, esi
		lea	ecx, [ebp+var_28]
		call	_CmpGetSecurityCacheEntryForKcbStack@12	; CmpGetSecurityCacheEntryForKcbStack(x,x,x)
		mov	esi, [ebp+arg_0]
		lea	edi, [eax+18h]
		lea	eax, [esi+1Ch]
		push	eax
		mov	[ebp+var_18], eax
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+arg_4]
		mov	eax, ds:_CmKeyObjectType
		add	eax, 34h
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	dword ptr [esi+14h]
		lea	eax, [esi+1Ch]
		push	dword ptr [esi+10h]
		push	1
		push	eax
		push	edi
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		cmp	[ebp+var_8], 0
		mov	byte ptr [ebp+arg_0], al
		jnz	loc_8F3B78

loc_7CDEDC:				; CODE XREF: CmpCheckKeyBodyAccess+125D54j
		test	al, al
		jz	short loc_7CDEF0
		mov	eax, [ebp+var_10]
		or	[esi+14h], eax
		or	eax, 2000000h
		not	eax
		and	[esi+10h], eax

loc_7CDEF0:				; CODE XREF: CmpCheckKeyBodyAccess+A6j
		or	word ptr [ebx+1Ch], 2
		mov	ecx, [ebp+var_14]
		test	ecx, ecx
		jnz	loc_8F3B91
		cmp	byte ptr [ebp+arg_4], cl
		jz	short loc_7CDF25
		lea	eax, [esi+0Ah]
		push	eax
		xor	eax, eax
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	eax
		push	esi
		push	edi
		push	eax

loc_7CDF16:				; CODE XREF: CmpCheckKeyBodyAccess+125D6Dj
		mov	eax, ds:_CmKeyObjectType
		push	ebx
		add	eax, 8
		push	eax
		call	SeOpenObjectAuditAlarmWithTransaction

loc_7CDF25:				; CODE XREF: CmpCheckKeyBodyAccess+CBj
		push	[ebp+var_18]
		mov	eax, 0FFFDh
		and	[ebx+1Ch], ax
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		mov	ecx, [ebp+var_C]
		mov	bl, byte ptr [ebp+arg_0]

loc_7CDF3C:				; CODE XREF: CmpCheckKeyBodyAccess+11Ej
		cmp	[ebp+var_1C], 0
		jnz	loc_8F3BAA

loc_7CDF46:				; CODE XREF: CmpCheckKeyBodyAccess+125D7Dj
		mov	eax, [ebp+arg_8]
		pop	edi
		pop	esi
		mov	[eax], ecx
		mov	al, bl
		pop	ebx
		leave
		retn	0Ch
; 

loc_7CDF54:				; CODE XREF: CmpCheckKeyBodyAccess+49j
					; CmpCheckKeyBodyAccess+125D3Bj
		xor	bl, bl
		jmp	short loc_7CDF3C
CmpCheckKeyBodyAccess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCheckAdminAccess proc near		; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+FAp
					; CmpVEPerformOpenAccessCheck(x,x,x,x,x,x)+53p	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F3BBA SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		mov	[ebp+var_14], ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_10], eax
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_4]
		push	edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		call	CmpBuildAdminInformation
		mov	edi, eax
		test	edi, edi
		js	short loc_7CDFB4
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		mov	eax, ds:_CmKeyObjectType
		push	1
		add	eax, 34h
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		push	[ebp+var_14]
		push	0
		push	[ebp+var_4]
		push	ebx
		call	SeAccessCheckFromState
		mov	ecx, [ebp+arg_4]
		xor	edi, edi
		mov	[ecx], al

loc_7CDFB4:				; CODE XREF: CmpCheckAdminAccess+2Cj
		cmp	[ebp+var_8], 0
		jnz	loc_8F3BBA

loc_7CDFBE:				; CODE XREF: CmpCheckAdminAccess+125C6Cj
		cmp	[ebp+var_4], 0
		jz	short loc_7CDFCC
		mov	ecx, [ebp+var_4]
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_7CDFCC:				; CODE XREF: CmpCheckAdminAccess+6Aj
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn	8
CmpCheckAdminAccess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpBuildAdminInformation proc near	; CODE XREF: CmpCheckAdminAccess+23p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F3BC9 SIZE 0000008B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		mov	eax, edx
		mov	[ebp+var_24], ecx
		push	edi
		xor	edi, edi
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_4], edi
		call	CmpEffectiveTokenForSubject
		lea	ecx, [ebp+var_4]
		push	ecx
		push	16h
		push	eax
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_28], ebx
		test	ebx, ebx
		js	loc_7CE1EF
		mov	edx, [ebp+var_4]
		or	edi, 0FFFFFFFFh
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_10], edi
		xor	esi, esi
		mov	[ebp+var_8], ecx
		mov	edx, [edx]
		mov	eax, [edx]
		mov	ebx, eax
		shl	ebx, 3
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	short loc_7CE081
		mov	eax, [edx+4]
		mov	ecx, ds:_SeExports
		mov	[ebp+var_10], eax
		mov	[ebp+var_1C], ecx

loc_7CE041:				; CODE XREF: CmpBuildAdminInformation+A8j
		mov	eax, [eax+esi*8]
		push	eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_C], eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	ebx, eax
		cmp	edi, 0FFFFFFFFh
		jz	loc_7CE205

loc_7CE05B:				; CODE XREF: CmpBuildAdminInformation+244j
		mov	ecx, [ebp+var_8]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_7CE075
		mov	eax, [ebp+var_10]
		mov	eax, [eax+esi*8+4]
		and	eax, 60h
		cmp	al, 60h
		jz	loc_7CE228

loc_7CE075:				; CODE XREF: CmpBuildAdminInformation+8Dj
					; CmpBuildAdminInformation+24Fj ...
		mov	eax, [ebp+var_10]
		inc	esi
		cmp	esi, [ebp+var_20]
		jb	short loc_7CE041
		mov	[ebp+var_10], edi

loc_7CE081:				; CODE XREF: CmpBuildAdminInformation+5Cj
		xor	edi, edi
		cmp	[ebp+var_10], 0FFFFFFFFh
		jz	loc_8F3BC9

loc_7CE08D:				; CODE XREF: CmpBuildAdminInformation+125C0Dj
		cmp	ecx, 0FFFFFFFFh
		jz	loc_8F3BE6

loc_7CE096:				; CODE XREF: CmpBuildAdminInformation+125C2Aj
		test	edi, edi
		jnz	loc_8F3C03

loc_7CE09E:				; CODE XREF: CmpBuildAdminInformation+125C44j
		mov	eax, [ebp+var_4]
		lea	ecx, [ebx+3]
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_18], ecx
		mov	eax, [eax+8]
		imul	eax, [eax], 0Ch
		lea	esi, [eax+1E0h]
		add	esi, ecx
		test	eax, eax
		jz	short loc_7CE0C4
		lea	esi, [eax+1D4h]
		add	esi, ecx

loc_7CE0C4:				; CODE XREF: CmpBuildAdminInformation+E6j
		xor	ecx, ecx
		mov	edx, esi
		push	20204D43h
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8F3C1D
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	ecx, [ebp+var_4]
		lea	esi, [ebx+0C0h]
		add	esp, 0Ch
		mov	eax, [ecx+0Ch]
		mov	[ebx+0Ch], eax
		mov	eax, [ecx+10h]
		mov	[ebx+10h], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+14h]
		mov	[ebx+14h], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+18h]
		mov	[ebx+18h], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+1Ch]
		mov	[ebx+1Ch], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+20h]
		and	eax, 0FFFFBFFFh
		or	eax, 2000h
		mov	[ebx+20h], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax]
		mov	eax, [eax]
		add	eax, edi
		mov	[ebx+3Ch], esi
		mov	[ebx+38h], eax
		mov	ecx, eax
		mov	eax, [ebp+var_4]
		shl	ecx, 3
		mov	edx, [eax]
		lea	eax, [ebp+var_14]
		push	eax		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		lea	eax, [esi+ecx]
		push	eax		; void *
		mov	eax, [ebp+var_18]
		push	esi		; int
		sub	eax, ecx
		push	eax		; int
		push	dword ptr [edx+4] ; int
		push	dword ptr [edx]	; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_10]
		lea	esi, [ebx+38h]
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_7CE178
		mov	eax, [esi+4]
		mov	dword ptr [eax+ecx*8+4], 7

loc_7CE178:				; CODE XREF: CmpBuildAdminInformation+197j
		mov	ecx, [ebp+var_8]
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_7CE18B
		mov	eax, [esi+4]
		mov	dword ptr [eax+ecx*8+4], 60h

loc_7CE18B:				; CODE XREF: CmpBuildAdminInformation+1AAj
		test	edi, edi
		jnz	loc_8F3C29

loc_7CE193:				; CODE XREF: CmpBuildAdminInformation+125C7Bj
		push	esi		; void *
		push	dword ptr [esi]	; int
		push	dword ptr [esi+4] ; int
		call	RtlSidHashInitialize
		mov	[ebx], esi
		xor	edi, edi
		mov	eax, [esi+4]
		add	eax, [ebp+var_18]
		mov	[eax], edi
		mov	[eax+4], edi
		mov	[ebx+4], eax
		add	eax, 88h
		mov	[eax], edi
		lea	esi, [eax+88h]
		mov	[eax+4], edi
		mov	[ebx+2Ch], eax
		mov	[ebx+28h], edi
		mov	eax, [ebp+var_4]
		mov	eax, [eax+8]
		mov	ecx, [eax]
		lea	eax, [esi+4]
		push	eax
		mov	[esi], ecx
		mov	eax, [ebp+var_4]
		mov	eax, [eax+8]
		add	eax, 4
		push	eax
		push	ecx
		call	_RtlCopyLuidAndAttributesArray@12 ; RtlCopyLuidAndAttributesArray(x,x,x)
		mov	eax, [ebp+var_24]
		mov	[ebx+8], esi
		mov	[eax], ebx
		mov	ebx, [ebp+var_28]

loc_7CE1EF:				; CODE XREF: CmpBuildAdminInformation+37j
					; CmpBuildAdminInformation+125C50j
		cmp	[ebp+var_4], 0
		jz	short loc_7CE1FE
		push	edi
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7CE1FE:				; CODE XREF: CmpBuildAdminInformation+21Fj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_7CE205:				; CODE XREF: CmpBuildAdminInformation+81j
		mov	eax, [ebp+var_1C]
		push	[ebp+var_18]
		push	dword ptr [eax+0E4h]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	loc_7CE05B
		mov	ecx, [ebp+var_8]
		mov	edi, esi
		jmp	loc_7CE075
; 

loc_7CE228:				; CODE XREF: CmpBuildAdminInformation+9Bj
		mov	ecx, esi
		mov	[ebp+var_8], ecx
		jmp	loc_7CE075
CmpBuildAdminInformation endp

; 
		align 8
; Exported entry 2000. RtlCopyLuidAndAttributesArray

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCopyLuidAndAttributesArray(x, x,	x)
		public _RtlCopyLuidAndAttributesArray@12
_RtlCopyLuidAndAttributesArray@12 proc near ; CODE XREF: CmpBuildAdminInformation+20Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_7CE260
		mov	edx, [ebp+arg_4]
		mov	eax, [ebp+arg_8]
		sub	edx, eax
		push	esi
		push	edi

loc_7CE24E:				; CODE XREF: RtlCopyLuidAndAttributesArray(x,x,x)+24j
		mov	edi, eax
		lea	esi, [edx+eax]
		add	eax, 0Ch
		movsd
		movsd
		movsd
		sub	ecx, 1
		jnz	short loc_7CE24E
		pop	edi
		pop	esi

loc_7CE260:				; CODE XREF: RtlCopyLuidAndAttributesArray(x,x,x)+Aj
		pop	ebp
		retn	0Ch
_RtlCopyLuidAndAttributesArray@12 endp


;  S U B	R O U T	I N E 


CmpEffectiveTokenForSubject proc near	; CODE XREF: CmpBuildAdminInformation+1Fp
					; CmpExamineSaclForAuditEvent(x,x,x)+57p ...

; FUNCTION CHUNK AT 008F3C54 SIZE 0000000F BYTES

		mov	eax, [ecx]
		push	esi
		mov	esi, eax
		test	eax, eax
		jnz	short loc_7CE270
		mov	esi, [ecx+8]

loc_7CE270:				; CODE XREF: CmpEffectiveTokenForSubject+7j
		test	edx, edx
		jnz	loc_8F3C54

loc_7CE278:				; CODE XREF: CmpEffectiveTokenForSubject+1259FAj
		mov	eax, esi
		pop	esi
		retn
CmpEffectiveTokenForSubject endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PsQueryFullProcessImageName(void *,int)
PsQueryFullProcessImageName proc near	; CODE XREF: PAGE:0077EADBp
					; PAGE:0083B5D1p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	18h
		push	offset dword_6A3D10
		call	__SEH_prolog4
		mov	edi, [ecx+1C0h]
		mov	ecx, [ebp+arg_4]
		mov	esi, [ecx]
		movzx	eax, word ptr [edi+2]
		mov	[ecx], eax
		movzx	eax, word ptr [edi+2]
		cmp	eax, esi
		ja	short loc_7CE2F9
		mov	ebx, [edi]
		mov	eax, [edi+4]
		mov	[ebp+var_24], eax
		mov	eax, ebx
		shr	eax, 10h
		xor	cx, cx
		cmp	cx, ax
		sbb	ecx, ecx
		and	ecx, [ebp+arg_0]
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], esi
		mov	[edx], ebx
		mov	[edx+4], ecx
		test	ax, ax
		jz	short loc_7CE2DB
		movzx	eax, word ptr [edi+2]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		push	[ebp+arg_0]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_7CE2DB:				; CODE XREF: PsQueryFullProcessImageName+4Aj
					; sub_8F3C71+6j
		mov	[ebp+var_20], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7CE2E5:				; CODE XREF: PsQueryFullProcessImageName+82j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7CE2F9:				; CODE XREF: PsQueryFullProcessImageName+23j
		mov	esi, 0C0000004h
		jmp	short loc_7CE2E5
PsQueryFullProcessImageName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSymlinkRememberJunction proc	near	; CODE XREF: IopGraftName(x,x,x)+56Ep
					; IopSymlinkProcessReparse+1258B8p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F3C7C SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	ebx, ebx
		mov	[esp+28h+var_10], edx
		mov	edx, ecx
		mov	ecx, edi
		mov	[esp+28h+var_C], edx
		call	IopSymlinkGetRelatedMountPoint
		mov	esi, eax
		test	esi, esi
		jnz	loc_8F3C7C
		mov	eax, [edi+8]
		mov	esi, edi

loc_7CE333:				; CODE XREF: IopSymlinkRememberJunction+125990j
		test	eax, eax
		jnz	loc_8F3C8B
		inc	eax
		mov	[esp+28h+var_14], esi
		or	[esi+2], ax
		mov	[esi], dx
		cmp	edi, esi
		jnz	short loc_7CE356
		mov	ecx, [esp+28h+var_10]
		xor	edx, edx
		cmp	[ecx+20h], edx
		jnz	short loc_7CE3A0

loc_7CE356:				; CODE XREF: IopSymlinkRememberJunction+49j
					; IopSymlinkRememberJunction+CCj ...
		mov	edi, [esp+28h+var_10]
		push	69536F49h
		movzx	eax, word ptr [edi+30h]
		add	eax, 14h
		push	eax
		xor	eax, eax
		inc	eax
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esi+8], ecx
		test	ecx, ecx
		jz	loc_8F3C95
		movzx	eax, word ptr [edi+30h]
		xor	edx, edx
		push	edx		; int
		push	edx		; __int16
		push	edx		; __int16
		push	edx		; __int16
		push	edx		; void *
		push	edx		; __int16
		push	eax		; __int16
		push	dword ptr [edi+34h] ; void *
		lea	edx, [eax+14h]
		call	IopSymlinkInitializeSymlinkInfo

loc_7CE395:				; CODE XREF: IopSymlinkRememberJunction+118j
					; IopSymlinkRememberJunction+12599Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7CE3A0:				; CODE XREF: IopSymlinkRememberJunction+54j
		xor	eax, eax
		mov	[esp+28h+var_4], edx
		mov	[esp+28h+var_8], eax
		mov	ax, [edi+0Ch]
		mov	[esp+28h+var_18], edx
		add	ax, 2
		lea	edx, [esp+28h+var_18]
		movzx	eax, ax
		push	edx
		push	eax
		lea	edx, [esp+30h+var_8]
		call	IopGetRelatedFileName
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7CE356
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		lea	eax, [esp+2Ch+var_8]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [edi+0Ch]
		push	eax
		lea	eax, [esp+2Ch+var_8]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		movzx	eax, word ptr [edi+2]
		mov	edx, edi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	eax
		push	[esp+2Ch+var_18]
		lea	eax, [esp+30h+var_8]
		push	eax
		push	[esp+34h+var_C]
		call	IopSymlinkUpdateECP
		push	0
		push	[esp+2Ch+var_4]
		mov	ebx, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		js	loc_7CE395
		mov	ecx, [esi+3Ch]
		lea	edx, [esp+28h+var_14]
		call	_IopSymlinkGetECP@8 ; IopSymlinkGetECP(x,x)
		mov	esi, [esp+28h+var_14]
		jmp	loc_7CE356
IopSymlinkRememberJunction endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSymlinkProcessReparse proc near	; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+F15p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 008F3C9F SIZE 00000063 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	eax, [esi+1Ch]
		cmp	eax, 0A0000003h
		jnz	short loc_7CE45D

loc_7CE449:				; CODE XREF: IopSymlinkProcessReparse+2Ej
					; IopSymlinkProcessReparse+125870j
		cmp	[ebp+arg_4], 0
		jnz	short loc_7CE457
		push	[ebp+arg_0]
		call	_IopGraftName@12 ; IopGraftName(x,x,x)

loc_7CE457:				; CODE XREF: IopSymlinkProcessReparse+19j
					; IopSymlinkProcessReparse+125879j ...
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7CE45D:				; CODE XREF: IopSymlinkProcessReparse+13j
		cmp	eax, 0A000000Ch
		jz	short loc_7CE449
		jmp	loc_8F3C9F
IopSymlinkProcessReparse endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGraftName(x, x, x)
_IopGraftName@12 proc near		; CODE XREF: IopSymlinkProcessReparse+1Ep

var_3A		= byte ptr -3Ah
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= word ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, edx
		xor	edx, edx
		push	ebx
		push	esi
		mov	[esp+44h+var_28], eax
		mov	ebx, ecx
		mov	eax, [eax+20h]
		push	edi
		mov	[esp+48h+var_18], eax
		lea	eax, [esp+48h+var_C]
		push	eax
		push	ebx
		mov	[esp+50h+var_30], ebx
		mov	[esp+50h+var_2C], edx
		mov	[esp+50h+var_14], edx
		mov	[esp+50h+var_20], edx
		mov	[esp+50h+var_34], edx
		mov	[esp+50h+var_8], edx
		mov	[esp+50h+var_38], edx
		mov	[esp+50h+var_39], dl
		mov	[esp+50h+var_1C], edx
		mov	[esp+50h+var_24], edx
		mov	dword ptr [esp+50h+var_4], edx
		mov	[esp+50h+var_C], edx
		call	_FsRtlGetEcpListFromIrp@8 ; FsRtlGetEcpListFromIrp(x,x)
		mov	ecx, [esp+48h+var_C]
		lea	edx, [esp+48h+var_38]
		mov	esi, eax
		call	_IopSymlinkGetECP@8 ; IopSymlinkGetECP(x,x)
		mov	edi, [esp+48h+var_38]
		mov	edx, 0C0000278h
		push	2
		pop	eax
		or	[edi+2], ax
		cmp	dword ptr [ebx+18h], 104h
		jz	short loc_7CE4EE
		mov	esi, edx

loc_7CE4EE:				; CODE XREF: IopGraftName(x,x,x)+80j
		mov	eax, [ebx+1Ch]
		cmp	eax, 0A0000003h
		jz	short loc_7CE508
		cmp	eax, 0A000000Ch
		jz	short loc_7CE508
		cmp	eax, 0A0000019h
		jz	short loc_7CE508
		mov	esi, edx

loc_7CE508:				; CODE XREF: IopGraftName(x,x,x)+8Cj
					; IopGraftName(x,x,x)+93j ...
		xor	eax, eax
		cmp	[ebx+54h], eax
		jnz	short loc_7CE511
		mov	esi, edx

loc_7CE511:				; CODE XREF: IopGraftName(x,x,x)+A3j
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jnz	short loc_7CE51A
		mov	esi, edx

loc_7CE51A:				; CODE XREF: IopGraftName(x,x,x)+ACj
		movzx	ecx, word ptr [ebx+6]
		mov	eax, 4000h
		cmp	cx, ax
		jb	short loc_7CE52A
		mov	esi, edx

loc_7CE52A:				; CODE XREF: IopGraftName(x,x,x)+BCj
		cmp	[ebx+4], ax
		jb	short loc_7CE532
		mov	esi, edx

loc_7CE532:				; CODE XREF: IopGraftName(x,x,x)+C4j
		mov	eax, [ebx]
		cmp	eax, 0A0000003h
		jz	short loc_7CE54B
		cmp	eax, 0A000000Ch
		jz	short loc_7CE54B
		cmp	eax, 0A0000019h
		jz	short loc_7CE54B
		mov	esi, edx

loc_7CE54B:				; CODE XREF: IopGraftName(x,x,x)+CFj
					; IopGraftName(x,x,x)+D6j ...
		mov	edx, [esp+48h+var_28]
		xor	ebx, ebx
		cmp	[edx+30h], bx
		mov	ebx, [ebp+arg_0]
		jnz	short loc_7CE55F
		mov	esi, 0C0000278h

loc_7CE55F:				; CODE XREF: IopGraftName(x,x,x)+EEj
		test	esi, esi
		js	loc_7CE982
		cmp	eax, 0A0000003h
		jnz	short loc_7CE588
		movzx	eax, word ptr [ebx+8]
		add	eax, 10h
		add	eax, ebx
		mov	[esp+48h+var_8], eax
		movzx	eax, word ptr [ebx+0Ah]
		mov	[esp+48h+var_20], eax
		jmp	loc_7CE732
; 

loc_7CE588:				; CODE XREF: IopGraftName(x,x,x)+102j
		cmp	eax, 0A000000Ch
		jnz	loc_7CE72D
		movzx	eax, word ptr [ebx+8]
		add	eax, 14h
		add	eax, ebx
		test	byte ptr [ebx+10h], 1
		mov	[esp+48h+var_8], eax
		movzx	eax, word ptr [ebx+0Ah]
		mov	[esp+48h+var_20], eax
		jz	loc_7CE727
		mov	eax, [esp+48h+var_18]
		mov	edi, 100h
		mov	[esp+48h+var_39], 1
		test	eax, eax
		jz	loc_7CE723
		xor	ecx, ecx
		push	ecx
		push	5
		pop	edx
		mov	ecx, eax
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		test	eax, eax
		jnz	loc_7CE723

loc_7CE5DD:				; CODE XREF: IopGraftName(x,x,x)+1D9j
		push	63466F49h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+48h+var_24], esi
		test	esi, esi
		jz	loc_7CE71E
		push	edi		; size_t
		xor	eax, eax
		push	eax		; int
		push	esi		; void *
		call	_memset
		mov	eax, [esp+54h+var_28]
		add	esp, 0Ch
		mov	edx, esi
		mov	ecx, [eax+4]
		xor	eax, eax
		push	eax
		lea	eax, [esp+4Ch+var_14]
		push	eax
		push	edi
		call	ObQueryNameStringMode
		mov	esi, eax
		test	esi, esi
		jns	short loc_7CE652
		cmp	esi, 80000005h
		jnz	short loc_7CE64A
		mov	edi, [esp+48h+var_14]
		cmp	edi, 0FFFFh
		jnb	short loc_7CE645
		xor	eax, eax
		push	eax
		mov	eax, [esp+4Ch+var_24]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7CE5DD
; 

loc_7CE645:				; CODE XREF: IopGraftName(x,x,x)+1CAj
		mov	esi, 0C0000106h

loc_7CE64A:				; CODE XREF: IopGraftName(x,x,x)+1BEj
		test	esi, esi
		js	loc_7CE723

loc_7CE652:				; CODE XREF: IopGraftName(x,x,x)+1B6j
		mov	eax, [esp+48h+var_28]
		mov	esi, 100h
		movzx	edi, word ptr [eax+30h]
		movzx	eax, word ptr [ebx+6]
		sub	edi, eax
		mov	eax, [esp+48h+var_24]
		movzx	eax, word ptr [eax]
		add	edi, eax
		mov	[esp+48h+var_2C], edi
		mov	[esp+48h+var_10], edi

loc_7CE676:				; CODE XREF: IopGraftName(x,x,x)+274j
		push	63466F49h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+48h+var_1C], eax
		test	eax, eax
		jz	loc_7CE71E
		push	esi		; size_t
		xor	ecx, ecx
		mov	dword ptr [esp+4Ch+var_4], eax
		push	ecx		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [esp+54h+var_18]
		lea	eax, [esp+54h+var_14]
		add	esp, 0Ch
		mov	edx, esi
		push	eax
		push	[esp+4Ch+var_1C]
		push	9
		call	IopGetFileInformation
		mov	esi, eax
		test	esi, esi
		jns	short loc_7CE6E7
		cmp	esi, 80000005h
		jnz	short loc_7CE723
		mov	eax, [esp+48h+var_1C]
		mov	esi, [eax]
		add	esi, 8
		cmp	esi, 0FFFFh
		jnb	short loc_7CE6E0
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7CE676
; 

loc_7CE6E0:				; CODE XREF: IopGraftName(x,x,x)+269j
		mov	esi, 0C0000106h
		jmp	short loc_7CE723
; 

loc_7CE6E7:				; CODE XREF: IopGraftName(x,x,x)+250j
		lea	eax, [esp+48h+var_10]
		mov	ecx, edi
		push	eax
		mov	eax, [esp+4Ch+var_1C]
		mov	edx, [eax]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		mov	eax, [esp+48h+var_10]
		mov	[esp+48h+var_2C], eax
		js	short loc_7CE717
		mov	edi, [esp+48h+var_38]
		cmp	eax, 0FFFFh
		jb	short loc_7CE727
		mov	esi, 0C0000106h
		jmp	short loc_7CE727
; 

loc_7CE717:				; CODE XREF: IopGraftName(x,x,x)+299j
		mov	esi, 0C0000095h
		jmp	short loc_7CE723
; 

loc_7CE71E:				; CODE XREF: IopGraftName(x,x,x)+188j
					; IopGraftName(x,x,x)+21Fj
		mov	esi, 0C000009Ah

loc_7CE723:				; CODE XREF: IopGraftName(x,x,x)+158j
					; IopGraftName(x,x,x)+16Dj ...
		mov	edi, [esp+48h+var_38]

loc_7CE727:				; CODE XREF: IopGraftName(x,x,x)+142j
					; IopGraftName(x,x,x)+2A4j ...
		movzx	edx, word ptr [ebx+6]
		jmp	short loc_7CE734
; 

loc_7CE72D:				; CODE XREF: IopGraftName(x,x,x)+123j
		mov	esi, 0C0000276h

loc_7CE732:				; CODE XREF: IopGraftName(x,x,x)+119j
		mov	edx, ecx

loc_7CE734:				; CODE XREF: IopGraftName(x,x,x)+2C1j
		test	esi, esi
		js	loc_7CE95B
		mov	ecx, edi
		call	IopSymlinkGetRelatedMountPoint
		test	eax, eax
		jz	short loc_7CE74D
		movzx	eax, word ptr [eax+0Ch]
		jmp	short loc_7CE761
; 

loc_7CE74D:				; CODE XREF: IopGraftName(x,x,x)+2DBj
		mov	eax, [edi+8]
		mov	ecx, edi
		jmp	short loc_7CE759
; 

loc_7CE754:				; CODE XREF: IopGraftName(x,x,x)+2F1j
		mov	ecx, eax
		mov	eax, [ecx+8]

loc_7CE759:				; CODE XREF: IopGraftName(x,x,x)+2E8j
		test	eax, eax
		jnz	short loc_7CE754
		movzx	eax, word ptr [ecx+0Ch]

loc_7CE761:				; CODE XREF: IopGraftName(x,x,x)+2E1j
		cmp	[esp+48h+var_39], 0
		movzx	edi, ax
		jz	short loc_7CE79D
		mov	eax, [esp+48h+var_18]
		test	eax, eax
		jz	short loc_7CE78C
		xor	ecx, ecx
		push	ecx
		push	5
		pop	edx
		mov	ecx, eax
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		test	eax, eax
		jnz	short loc_7CE78C
		mov	eax, [esp+48h+var_2C]
		add	eax, edi
		jmp	short loc_7CE796
; 

loc_7CE78C:				; CODE XREF: IopGraftName(x,x,x)+307j
					; IopGraftName(x,x,x)+318j
		mov	eax, [esp+48h+var_2C]
		cmp	eax, edi
		ja	short loc_7CE796
		mov	eax, edi

loc_7CE796:				; CODE XREF: IopGraftName(x,x,x)+320j
					; IopGraftName(x,x,x)+328j
		add	eax, 2
		mov	[esp+48h+var_2C], eax

loc_7CE79D:				; CODE XREF: IopGraftName(x,x,x)+2FFj
		mov	edx, [esp+48h+var_20]
		movzx	edi, word ptr [ebx+6]
		add	edi, [esp+48h+var_2C]
		movzx	eax, dx
		add	eax, 4
		add	edi, eax
		cmp	edi, 0FFFFh
		jnb	short loc_7CE7EE
		push	63466F49h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+48h+var_34], ecx
		test	ecx, ecx
		jnz	short loc_7CE7DB
		mov	edx, [esp+48h+var_20]
		mov	esi, 0C000009Ah
		jmp	short loc_7CE7F7
; 

loc_7CE7DB:				; CODE XREF: IopGraftName(x,x,x)+364j
		push	edi		; size_t
		xor	eax, eax
		push	eax		; int
		push	ecx		; void *
		call	_memset
		mov	edx, [esp+54h+var_20]
		add	esp, 0Ch
		jmp	short loc_7CE7F3
; 

loc_7CE7EE:				; CODE XREF: IopGraftName(x,x,x)+34Dj
		mov	esi, 0C0000106h

loc_7CE7F3:				; CODE XREF: IopGraftName(x,x,x)+382j
		mov	ecx, [esp+48h+var_34]

loc_7CE7F7:				; CODE XREF: IopGraftName(x,x,x)+36Fj
		add	edi, 0FFFFFFFEh
		mov	[esp+48h+var_10], edi
		test	esi, esi
		js	loc_7CE95B
		cmp	[esp+48h+var_39], 0
		jz	loc_7CE99B
		mov	eax, [esp+48h+var_18]
		xor	ecx, ecx
		mov	[esp+48h+var_8], ecx
		test	eax, eax
		jz	loc_7CE921
		push	ecx
		push	5
		pop	edx
		mov	ecx, eax
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		test	eax, eax
		jnz	loc_7CE921
		mov	esi, [esp+48h+var_24]
		mov	ebx, [esp+48h+var_34]
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		push	ebx		; void *
		call	_memcpy
		movzx	eax, word ptr [esi]
		mov	edi, dword ptr [esp+54h+var_4]
		shr	eax, 1
		push	dword ptr [edi]	; size_t
		lea	esi, [ebx+eax*2]
		lea	eax, [edi+4]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [edi]
		add	esp, 18h
		shr	eax, 1
		push	5Ch
		lea	edx, [esi+eax*2]
		mov	eax, [esp+4Ch+var_28]
		pop	ecx
		mov	eax, [eax+34h]
		cmp	[eax], cx
		jz	short loc_7CE888
		cmp	[edx-2], cx
		jz	short loc_7CE888
		mov	[edx], cx
		add	edx, 2

loc_7CE888:				; CODE XREF: IopGraftName(x,x,x)+410j
					; IopGraftName(x,x,x)+416j
		mov	ecx, [esp+48h+var_C]
		sub	edx, ebx
		movzx	ebx, dx
		lea	edx, [esp+48h+var_38]
		mov	dword ptr [esp+48h+var_4], ebx
		call	_IopSymlinkRemoveECP@8 ; IopSymlinkRemoveECP(x,x)
		mov	edi, [esp+48h+var_38]
		movzx	ecx, bx
		movzx	ebx, word ptr [edi+0Ch]
		add	ebx, 2
		add	ebx, ecx
		cmp	ebx, 0FFFFh
		jb	short loc_7CE8CC
		mov	esi, 0C0000106h

loc_7CE8BB:				; CODE XREF: IopGraftName(x,x,x)+474j
		xor	ebx, ebx
		push	ebx
		push	[esp+4Ch+var_34]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7CE95D
; 

loc_7CE8CC:				; CODE XREF: IopGraftName(x,x,x)+44Aj
		mov	ecx, [esp+48h+var_30]
		lea	edx, [esp+48h+var_8]
		push	ebx
		call	IopSymlinkAllocateAndAddECP
		mov	esi, eax
		test	esi, esi
		js	short loc_7CE8BB
		push	dword ptr [edi+8] ; int
		movzx	eax, word ptr [edi+2]
		lea	edx, [ebx+14h]
		mov	esi, [esp+4Ch+var_8]
		mov	ecx, esi
		push	eax		; __int16
		mov	eax, [esp+50h+var_24]
		movzx	eax, word ptr [eax]
		push	eax		; __int16
		push	dword ptr [esp+54h+var_4] ; __int16
		movzx	eax, word ptr [edi]
		push	[esp+58h+var_34] ; void	*
		push	eax		; __int16
		movzx	eax, word ptr [edi+0Ch]
		push	eax		; __int16
		push	dword ptr [edi+10h] ; void *
		call	IopSymlinkInitializeSymlinkInfo
		push	edi
		call	_FsRtlFreeExtraCreateParameter@4 ; FsRtlFreeExtraCreateParameter(x)
		mov	ebx, [ebp+arg_0]
		mov	edi, [esp+48h+var_10]
		jmp	short loc_7CE925
; 

loc_7CE921:				; CODE XREF: IopGraftName(x,x,x)+3B3j
					; IopGraftName(x,x,x)+3C6j
		mov	esi, [esp+48h+var_38]

loc_7CE925:				; CODE XREF: IopGraftName(x,x,x)+4B5j
		mov	dx, [ebx+6]
		mov	ecx, esi
		call	IopSymlinkGetRelatedMountPoint
		test	eax, eax
		jnz	short loc_7CE944
		mov	ecx, [esi+8]
		mov	eax, esi
		jmp	short loc_7CE940
; 

loc_7CE93B:				; CODE XREF: IopGraftName(x,x,x)+4D8j
		mov	eax, ecx
		mov	ecx, [eax+8]

loc_7CE940:				; CODE XREF: IopGraftName(x,x,x)+4CFj
		test	ecx, ecx
		jnz	short loc_7CE93B

loc_7CE944:				; CODE XREF: IopGraftName(x,x,x)+4C8j
		mov	ecx, [esp+48h+var_28]
		mov	edx, eax
		push	edi		; int
		push	[esp+4Ch+var_34] ; void	*
		push	[esp+50h+var_30] ; int
		push	ebx		; int
		call	_IopSymlinkApplyToOpenedName@24	; IopSymlinkApplyToOpenedName(x,x,x,x,x,x)
		mov	esi, eax

loc_7CE95B:				; CODE XREF: IopGraftName(x,x,x)+2CCj
					; IopGraftName(x,x,x)+396j
		xor	ebx, ebx

loc_7CE95D:				; CODE XREF: IopGraftName(x,x,x)+45Dj
					; IopGraftName(x,x,x)+59Cj
		cmp	[esp+48h+var_39], 0
		jz	short loc_7CE982
		mov	eax, [esp+48h+var_24]
		test	eax, eax
		jz	short loc_7CE973
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7CE973:				; CODE XREF: IopGraftName(x,x,x)+500j
		mov	eax, [esp+48h+var_1C]
		test	eax, eax
		jz	short loc_7CE982
		push	ebx
		push	eax

loc_7CE97D:				; CODE XREF: IopGraftName(x,x,x)+552j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7CE982:				; CODE XREF: IopGraftName(x,x,x)+F7j
					; IopGraftName(x,x,x)+4F8j ...
		mov	edi, [esp+48h+var_30]

loc_7CE986:				; CODE XREF: IopGraftName(x,x,x)+575j
		test	esi, esi
		js	short loc_7CE98F
		mov	esi, 104h

loc_7CE98F:				; CODE XREF: IopGraftName(x,x,x)+51Ej
		mov	[edi+18h], esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7CE99B:				; CODE XREF: IopGraftName(x,x,x)+3A1j
		movzx	eax, word ptr [ebx+6]
		mov	edi, [esp+48h+var_28]
		push	eax		; int
		push	edi		; int
		push	edx		; int
		mov	edx, [esp+54h+var_8] ; void *
		call	_IopCopyOverNewPathSecure@20 ; IopCopyOverNewPathSecure(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7CE9BE
		xor	eax, eax
		push	eax
		push	[esp+4Ch+var_34]
		jmp	short loc_7CE97D
; 

loc_7CE9BE:				; CODE XREF: IopGraftName(x,x,x)+549j
		cmp	dword ptr [ebx], 0A0000003h
		mov	esi, [esp+48h+var_38]
		jnz	short loc_7CE9E1
		mov	edi, [esp+48h+var_30]
		mov	edx, [esp+48h+var_28]
		mov	cx, [ebx+6]
		push	esi
		push	edi
		call	IopSymlinkRememberJunction
		mov	esi, eax
		jmp	short loc_7CE986
; 

loc_7CE9E1:				; CODE XREF: IopGraftName(x,x,x)+55Ej
		mov	ax, [esi+2]
		mov	ecx, 0FFFEh
		and	ax, cx
		xor	ebx, ebx
		mov	ecx, [esp+48h+var_30]
		mov	edx, esi
		movzx	eax, ax
		push	eax
		push	ebx
		lea	eax, [edi+30h]
		push	eax
		push	ebx
		call	IopSymlinkUpdateECP
		mov	esi, eax
		jmp	loc_7CE95D
_IopGraftName@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


IopSymlinkGetRelatedMountPoint proc near ; CODE	XREF: IopSymlinkRememberJunction+1Fp
					; IopGraftName(x,x,x)+2D4p ...

; FUNCTION CHUNK AT 008F3D02 SIZE 00000019 BYTES

		test	ecx, ecx
		jz	short loc_7CEA27

loc_7CEA10:				; CODE XREF: IopSymlinkGetRelatedMountPoint+125304j
		test	byte ptr [ecx+2], 1
		jnz	loc_8F3D02

loc_7CEA1A:				; CODE XREF: IopSymlinkGetRelatedMountPoint+1252F9j
					; IopSymlinkGetRelatedMountPoint+12530Aj
		test	ecx, ecx
		jz	short loc_7CEA27
		test	byte ptr [ecx+2], 1
		jnz	short loc_7CEA27
		xor	eax, eax
		retn
; 

loc_7CEA27:				; CODE XREF: IopSymlinkGetRelatedMountPoint+2j
					; IopSymlinkGetRelatedMountPoint+10j ...
		mov	eax, ecx
		retn
IopSymlinkGetRelatedMountPoint endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSymlinkCreateECP proc near		; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+E9Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F3D1B SIZE 00000081 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		push	2
		pop	ecx
		movzx	eax, word ptr [esi]
		mov	[ebp+var_10], edx
		mov	edi, eax
		mov	[ebp+var_C], ebx
		mov	edx, edi
		mov	[ebp+var_1], 0
		cmp	ax, cx
		jbe	short loc_7CEA6A
		mov	ecx, eax
		mov	eax, [esi+4]
		shr	ecx, 1
		cmp	word ptr [eax+ecx*2-2],	5Ch
		jz	loc_8F3D1B

loc_7CEA6A:				; CODE XREF: IopSymlinkCreateECP+2Bj
					; IopSymlinkCreateECP+1252FEj
		mov	ecx, [ebp+var_10]
		mov	ecx, [ecx+20h]
		test	ecx, ecx
		jnz	short loc_7CEABC
		push	edx
		mov	ecx, ebx

loc_7CEA77:				; CODE XREF: IopSymlinkCreateECP+ADj
		lea	edx, [ebp+var_8]
		call	IopSymlinkAllocateAndAddECP
		test	eax, eax
		js	short loc_7CEAD9
		movzx	eax, word ptr [esi]
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		push	0		; int
		push	0		; __int16
		push	dword ptr [ebp+arg_4] ;	__int16
		lea	edx, [eax+14h]
		push	0		; __int16
		push	0		; void *
		push	0		; __int16
		push	eax		; __int16
		push	dword ptr [esi+4] ; void *
		call	IopSymlinkInitializeSymlinkInfo

loc_7CEAA4:				; CODE XREF: IopSymlinkCreateECP+12536Dj
		mov	ecx, [ebp+arg_8]
		xor	eax, eax
		mov	[ecx], edi

loc_7CEAAB:				; CODE XREF: IopSymlinkCreateECP+B2j
		cmp	[ebp+var_1], 0
		jnz	short loc_7CEADE

loc_7CEAB1:				; CODE XREF: IopSymlinkCreateECP+BAj
		pop	edi
		pop	esi
		pop	ebx
		test	eax, eax
		js	short loc_7CEAE6

locret_7CEAB8:				; CODE XREF: IopSymlinkCreateECP+BFj
		leave
		retn	0Ch
; 

loc_7CEABC:				; CODE XREF: IopSymlinkCreateECP+48j
		push	0
		push	5
		pop	edx
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_8F3D2D
		movzx	eax, word ptr [esi]
		mov	ecx, [ebp+var_C]
		push	eax
		jmp	short loc_7CEA77
; 

loc_7CEAD9:				; CODE XREF: IopSymlinkCreateECP+57j
					; IopSymlinkCreateECP+12531Cj ...
		mov	ecx, [ebp+arg_8]
		jmp	short loc_7CEAAB
; 

loc_7CEADE:				; CODE XREF: IopSymlinkCreateECP+85j
		push	2
		pop	edx
		add	[esi], dx
		jmp	short loc_7CEAB1
; 

loc_7CEAE6:				; CODE XREF: IopSymlinkCreateECP+8Cj
		and	dword ptr [ecx], 0
		jmp	short locret_7CEAB8
IopSymlinkCreateECP endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSymlinkUpdateECP proc near		; CODE XREF: IopSymlinkRememberJunction+104p
					; IopGraftName(x,x,x)+595p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h
arg_C		= word ptr  14h

; FUNCTION CHUNK AT 008F3D9C SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	esi, edx
		push	edi
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_8], esi
		push	ecx
		xor	ebx, ebx
		mov	[ebp+var_14], eax
		push	eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_4], ebx
		call	_FsRtlGetEcpListFromIrp@8 ; FsRtlGetEcpListFromIrp(x,x)
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_C]
		call	_IopSymlinkGetECP@8 ; IopSymlinkGetECP(x,x)
		mov	edi, [ebp+arg_4]
		movzx	ecx, word ptr [edi]
		cmp	[esi+0Eh], cx
		jnb	loc_7CEBC2
		mov	[ebp+var_10], ebx
		mov	ebx, [ebp+var_C]
		cmp	ebx, esi
		jz	loc_7CEBCE

loc_7CEB3C:				; CODE XREF: IopSymlinkUpdateECP+1252C1j
		mov	eax, [ebx+8]
		cmp	eax, esi
		jnz	loc_8F3DAB
		push	69536F49h
		add	ecx, 14h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8F3DB2
		mov	[ebx+8], edi

loc_7CEB64:				; CODE XREF: IopSymlinkUpdateECP+10Cj
		push	dword ptr [esi+8] ; int
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		push	dword ptr [ebp+arg_C] ;	__int16
		push	edx		; __int16
		movzx	eax, word ptr [ecx]
		push	edx		; __int16
		push	edx		; void *
		push	dword ptr [ebp+arg_0] ;	__int16
		lea	edx, [eax+14h]
		push	eax		; __int16
		push	dword ptr [ecx+4] ; void *
		mov	ecx, edi
		call	IopSymlinkInitializeSymlinkInfo
		cmp	esi, ebx
		jz	short loc_7CEBFD
		push	69536F49h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7CEB95:				; CODE XREF: IopSymlinkUpdateECP+11Bj
		mov	esi, edi

loc_7CEB97:				; CODE XREF: IopSymlinkUpdateECP+E0j
		mov	eax, dword ptr [ebp+arg_C]
		mov	[esi+2], ax
		mov	ax, [ebp+arg_8]
		mov	[esi+4], ax
		mov	eax, dword ptr [ebp+arg_0]
		mov	[esi], ax
		test	byte ptr [esi+2], 1
		jnz	short loc_7CEBB9
		mov	ecx, esi
		call	_IopSymlinkFreeRelatedMountPointChain@4	; IopSymlinkFreeRelatedMountPointChain(x)

loc_7CEBB9:				; CODE XREF: IopSymlinkUpdateECP+C4j
		xor	eax, eax

loc_7CEBBB:				; CODE XREF: IopSymlinkUpdateECP+1252BAj
					; IopSymlinkUpdateECP+1252CBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7CEBC2:				; CODE XREF: IopSymlinkUpdateECP+3Cj
		push	edi
		lea	eax, [esi+0Ch]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		jmp	short loc_7CEB97
; 

loc_7CEBCE:				; CODE XREF: IopSymlinkUpdateECP+4Aj
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_8]
		call	_IopSymlinkRemoveECP@8 ; IopSymlinkRemoveECP(x,x)
		movzx	eax, word ptr [edi]
		lea	edx, [ebp+var_10]
		mov	ecx, [ebp+var_14]
		push	eax
		call	IopSymlinkAllocateAndAddECP
		mov	esi, eax
		test	esi, esi
		js	loc_8F3D9C
		mov	esi, [ebp+var_8]
		mov	edi, [ebp+var_10]
		jmp	loc_7CEB64
; 

loc_7CEBFD:				; CODE XREF: IopSymlinkUpdateECP+9Cj
		and	dword ptr [esi+8], 0
		push	esi
		call	_FsRtlFreeExtraCreateParameter@4 ; FsRtlFreeExtraCreateParameter(x)
		jmp	short loc_7CEB95
IopSymlinkUpdateECP endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopSymlinkInitializeSymlinkInfo(void *,__int16,__int16,void *,__int16,__int16,__int16,int)
IopSymlinkInitializeSymlinkInfo	proc near ; CODE XREF: IopSymlinkRememberJunction+90p
					; IopGraftName(x,x,x)+4A3p ...

arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch
arg_8		= word ptr  10h
arg_C		= dword	ptr  14h
arg_10		= word ptr  18h
arg_14		= word ptr  1Ch
arg_18		= word ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 008F3DBC SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[edi+6], ax
		lea	ecx, [edi+14h]
		mov	ax, [ebp+arg_14]
		mov	[edi+4], ax
		xor	eax, eax
		mov	[edi+0Ch], ax
		lea	eax, [edx-14h]
		mov	[edi+0Eh], ax
		xor	edx, edx
		mov	ax, [ebp+arg_8]
		mov	[edi], ax
		mov	ax, [ebp+arg_18]
		mov	[edi+2], ax
		mov	eax, [ebp+arg_1C]
		mov	[edi+10h], ecx
		mov	[edi+8], eax
		cmp	[ebp+arg_C], edx
		jnz	loc_8F3DBC

loc_7CEC54:				; CODE XREF: IopSymlinkInitializeSymlinkInfo+1251EEj
		mov	si, [ebp+arg_4]
		movzx	eax, si
		push	eax		; size_t
		push	[ebp+arg_0]	; void *
		movzx	eax, dx
		add	eax, ecx
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		add	[edi+0Ch], si
		pop	edi
		pop	esi
		pop	ebp
		retn	20h
IopSymlinkInitializeSymlinkInfo	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSymlinkCleanupECP(x, x)
_IopSymlinkCleanupECP@8	proc near	; DATA XREF: IopSymlinkAllocateAndAddECP+30o
					; IopSymlinkPropagateToExtensionIfNeeded+FE924o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_IopSymlinkFreeRelatedMountPointChain@4	; IopSymlinkFreeRelatedMountPointChain(x)
		pop	ebp
		retn	8
_IopSymlinkCleanupECP@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopSymlinkFreeRelatedMountPointChain(x)
_IopSymlinkFreeRelatedMountPointChain@4	proc near ; CODE XREF: IopSymlinkUpdateECP+C8p
					; IopSymlinkCleanupECP(x,x)+8p	...
		mov	edi, edi
		push	edi
		mov	edi, ecx
		mov	eax, [edi+8]
		test	eax, eax
		jnz	short loc_7CEC9C

loc_7CEC96:				; CODE XREF: IopSymlinkFreeRelatedMountPointChain(x)+28j
		and	dword ptr [edi+8], 0
		pop	edi
		retn
; 

loc_7CEC9C:				; CODE XREF: IopSymlinkFreeRelatedMountPointChain(x)+Aj
		push	esi

loc_7CEC9D:				; CODE XREF: IopSymlinkFreeRelatedMountPointChain(x)+25j
		mov	esi, [eax+8]
		push	69536F49h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_7CEC9D
		pop	esi
		jmp	short loc_7CEC96
_IopSymlinkFreeRelatedMountPointChain@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSymlinkAllocateAndAddECP proc near	; CODE XREF: IopGraftName(x,x,x)+46Bp
					; IopSymlinkCreateECP+50p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= word ptr  8

; FUNCTION CHUNK AT 008F3DFD SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, ecx
		mov	ebx, edx
		xor	ecx, ecx
		mov	[ebp+var_C], eax
		push	esi
		push	edi
		mov	[ebp+var_1], cl
		mov	[ebp+var_8], ecx
		mov	[ebx], ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		call	_FsRtlGetEcpListFromIrp@8 ; FsRtlGetEcpListFromIrp(x,x)
		movzx	eax, [ebp+arg_0]
		push	ebx
		push	offset _IopSymlinkInfoLookasideList
		push	offset _IopSymlinkCleanupECP@8 ; IopSymlinkCleanupECP(x,x)
		push	0
		add	eax, 14h
		push	eax
		push	(offset	loc_A3F6CF+1)
		call	FsRtlAllocateExtraCreateParameterFromLookasideList
		mov	edi, eax
		test	edi, edi
		js	short loc_7CED26
		mov	esi, [ebp+var_8]
		test	esi, esi
		jz	loc_8F3DFD

loc_7CED0A:				; CODE XREF: IopSymlinkAllocateAndAddECP+12516Ej
		mov	eax, [ebx]
		push	eax
		push	esi
		call	FsRtlInsertExtraCreateParameter
		mov	edi, eax
		test	edi, edi
		js	loc_8F3E27

loc_7CED1D:				; CODE XREF: IopSymlinkAllocateAndAddECP+12518Bj
					; IopSymlinkAllocateAndAddECP+12519Fj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7CED26:				; CODE XREF: IopSymlinkAllocateAndAddECP+49j
					; IopSymlinkAllocateAndAddECP+125158j
		mov	esi, [ebp+var_8]
		jmp	loc_8F3E27
IopSymlinkAllocateAndAddECP endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtIsrDpcQuery(x,	x)
_PopEtIsrDpcQuery@8 proc near		; CODE XREF: PopEtProcessEnumSnapshotCallback(x,x):loc_756104p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ecx+3E0h]
		lea	eax, [ebp+var_48]
		push	esi
		push	edi
		push	40h		; size_t
		push	0		; int
		push	eax		; void *
		mov	edi, edx
		call	_memset
		xor	eax, eax
		mov	[ebp+var_50], ebx
		and	[ebp+var_4C], eax
		push	1B0h		; size_t
		push	eax		; int
		push	edi		; void *
		mov	[ebp+var_54], eax
		call	_memset
		mov	eax, ds:dword_70E328
		add	esp, 18h
		mov	[ebp+var_58], eax
		mov	[ebp+var_5C], offset _KeActiveProcessors

loc_7CED81:				; CODE XREF: PopEtIsrDpcQuery(x,x)+9Cj
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_7CEDCC
		mov	ecx, [ebp+var_4C]
		lea	edx, [ebp+var_48]
		mov	ecx, ds:_KiProcessorBlock[ecx*4]
		call	_KeQueryCycleTimeStatsProcessor@8 ; KeQueryCycleTimeStatsProcessor(x,x)
		lea	edx, [ebp+var_48]
		mov	ecx, edi
		push	4
		sub	edx, edi
		pop	ebx

loc_7CEDAE:				; CODE XREF: PopEtIsrDpcQuery(x,x)+9Aj
		push	2
		pop	esi

loc_7CEDB1:				; CODE XREF: PopEtIsrDpcQuery(x,x)+95j
		mov	eax, [edx+ecx]
		add	[ecx], eax
		mov	eax, [edx+ecx+4]
		adc	[ecx+4], eax
		add	ecx, 8
		sub	esi, 1
		jnz	short loc_7CEDB1
		sub	ebx, 1
		jnz	short loc_7CEDAE
		jmp	short loc_7CED81
; 

loc_7CEDCC:				; CODE XREF: PopEtIsrDpcQuery(x,x)+62j
		push	10h
		pop	ecx
		mov	esi, edi
		mov	edi, [ebp+var_50]
		rep movsd
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopEtIsrDpcQuery@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepValidOwnerSubjectContext(x, x, x)
_SepValidOwnerSubjectContext@12	proc near ; CODE XREF: RtlpNewSecurityObject+1562p
					; RtlpSetSecurityObject+8C3p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	eax, edx
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		push	esi
		push	edi
		mov	edi, ecx
		test	eax, eax
		jz	loc_7CEEA3
		cmp	[ebp+arg_0], bl
		jnz	short loc_7CEE0D
		mov	esi, [edi]
		test	esi, esi
		jnz	short loc_7CEE10

loc_7CEE0D:				; CODE XREF: SepValidOwnerSubjectContext(x,x,x)+1Fj
		mov	esi, [edi+8]

loc_7CEE10:				; CODE XREF: SepValidOwnerSubjectContext(x,x,x)+25j
		cmp	dword ptr [esi+0A8h], 2
		jz	short loc_7CEE96

loc_7CEE19:				; CODE XREF: SepValidOwnerSubjectContext(x,x,x)+B7j
		mov	eax, large fs:124h
		mov	dword ptr [ebp+arg_0], ebx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceSharedLite
		mov	eax, [esi+7Ch]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_7CEE65
		mov	ecx, [esi+94h]
		mov	[ebp+var_4], ecx

loc_7CEE47:				; CODE XREF: SepValidOwnerSubjectContext(x,x,x)+ACj
		push	dword ptr [ecx]
		push	[ebp+var_8]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_7CEE7F
		mov	edx, dword ptr [ebp+arg_0]
		mov	ecx, esi
		call	_SepIdAssignableAsOwner@8 ; SepIdAssignableAsOwner(x,x)
		test	al, al
		jz	short loc_7CEE65
		mov	bl, 1

loc_7CEE65:				; CODE XREF: SepValidOwnerSubjectContext(x,x,x)+56j
					; SepValidOwnerSubjectContext(x,x,x)+7Bj ...
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	bl, bl
		jz	short loc_7CEEA7

loc_7CEE76:				; CODE XREF: SepValidOwnerSubjectContext(x,x,x)+D8j
		mov	al, bl

loc_7CEE78:				; CODE XREF: SepValidOwnerSubjectContext(x,x,x)+BFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7CEE7F:				; CODE XREF: SepValidOwnerSubjectContext(x,x,x)+6Dj
		mov	eax, dword ptr [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		inc	eax
		add	ecx, 8
		mov	dword ptr [ebp+arg_0], eax
		mov	[ebp+var_4], ecx
		cmp	eax, [ebp+var_C]
		jb	short loc_7CEE47
		jmp	short loc_7CEE65
; 

loc_7CEE96:				; CODE XREF: SepValidOwnerSubjectContext(x,x,x)+31j
		cmp	dword ptr [esi+0ACh], 2
		jge	loc_7CEE19

loc_7CEEA3:				; CODE XREF: SepValidOwnerSubjectContext(x,x,x)+16j
		xor	al, al
		jmp	short loc_7CEE78
; 

loc_7CEEA7:				; CODE XREF: SepValidOwnerSubjectContext(x,x,x)+8Ej
		push	ds:dword_A949DC
		mov	dl, 1
		mov	ecx, edi
		push	ds:_SeRestorePrivilege
		call	_SeSinglePrivilegeCheckEx@16 ; SeSinglePrivilegeCheckEx(x,x,x,x)
		mov	bl, al
		jmp	short loc_7CEE76
_SepValidOwnerSubjectContext@12	endp


;  S U B	R O U T	I N E 


; __stdcall SepIdAssignableAsOwner(x, x)
_SepIdAssignableAsOwner@8 proc near	; CODE XREF: SepValidOwnerSubjectContext(x,x,x)+74p
					; PAGE:007E9A2Ap
		test	edx, edx
		jnz	short loc_7CEEC7
		mov	al, 1
		retn
; 

loc_7CEEC7:				; CODE XREF: SepIdAssignableAsOwner(x,x)+2j
		mov	eax, [ecx+94h]
		mov	eax, [eax+edx*8+4]
		shr	eax, 3
		and	al, 1
		retn
_SepIdAssignableAsOwner@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsQueryProcessQuotaCounters(x, x, x, x)
_PsQueryProcessQuotaCounters@16	proc near ; CODE XREF: PAGE:0083BE20p
					; PAGE:0083BE37p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_7CEEF0
		mov	eax, [esi+edx*4+108h]
		mov	[ecx], eax

loc_7CEEF0:				; CODE XREF: PsQueryProcessQuotaCounters(x,x,x,x)+Dj
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_7CEF00
		mov	eax, [esi+edx*4+110h]
		mov	[ecx], eax

loc_7CEF00:				; CODE XREF: PsQueryProcessQuotaCounters(x,x,x,x)+1Dj
		pop	esi
		pop	ebp
		retn	8
_PsQueryProcessQuotaCounters@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfCreateProcessContext proc	near	; CODE XREF: ExpWnfResolveScopeInstance+272p
					; NtSetWnfProcessNotificationEvent+123930p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F3E58 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	20666E57h
		push	44h
		pop	esi
		push	esi
		push	1
		mov	[ebp+var_8], edx
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8F3E58
		push	esi		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	[edi+2], si
		mov	eax, 906h
		mov	[edi], ax
		add	esp, 0Ch
		lea	eax, [edi+20h]
		mov	[edi+40h], ebx
		mov	[eax+4], eax
		xor	edx, edx
		mov	[eax], eax
		mov	ecx, offset _ExpWnfProcessesListLock
		lea	eax, [edi+2Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+38h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+var_4]
		push	ebx
		mov	[edi+4], eax
		call	KeAbPreAcquire
		mov	esi, eax
		mov	edx, offset _ExpWnfProcessesListLock
		lock bts dword ptr [edx], 0
		jnb	short loc_7CEF98
		push	edx
		mov	edx, esi
		mov	ecx, offset _ExpWnfProcessesListLock
		call	ExfAcquirePushLockExclusiveEx
		mov	edx, offset _ExpWnfProcessesListLock

loc_7CEF98:				; CODE XREF: ExpWnfCreateProcessContext+7Ej
		test	esi, esi
		jnz	short loc_7CF002

loc_7CEF9C:				; CODE XREF: ExpWnfCreateProcessContext+100j
		mov	ecx, ds:off_A93E38
		lea	eax, [edi+8]
		mov	esi, offset _ExpWnfProcessesListHead
		cmp	[ecx], esi
		jnz	short loc_7CF016
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:off_A93E38, eax
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7CF008

loc_7CEFC7:				; CODE XREF: ExpWnfCreateProcessContext+10Ej
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		mov	esi, edi
		add	ecx, 39Ch
		xor	eax, eax
		lock cmpxchg [ecx], esi
		test	eax, eax
		jnz	loc_8F3E62

loc_7CEFE7:				; CODE XREF: ExpWnfCreateProcessContext+124F57j
					; ExpWnfCreateProcessContext+124F66j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		mov	eax, [eax+39Ch]
		mov	[ecx], eax
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_7CF002:				; CODE XREF: ExpWnfCreateProcessContext+94j
		or	byte ptr [esi+0Eh], 1
		jmp	short loc_7CEF9C
; 

loc_7CF008:				; CODE XREF: ExpWnfCreateProcessContext+BFj
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, offset _ExpWnfProcessesListLock
		jmp	short loc_7CEFC7
; 

loc_7CF016:				; CODE XREF: ExpWnfCreateProcessContext+A6j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall PiAuIsLocalSystem(x, x)
_PiAuIsLocalSystem@8:			; CODE XREF: PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)+7Bp
		mov	edi, edi
		push	esi
		mov	esi, edx
		mov	edx, _PiAuLocalSystemSecurityObject
		push	esi
		push	ecx
		push	offset _PiAuLocalSystemSecurityMapping
		mov	ecx, 0F0000h
		mov	byte ptr [esi],	0
		call	PiAuVerifyAccessToObject
		test	eax, eax
		js	short loc_7CF041
		pop	esi
		retn
; 

loc_7CF041:				; CODE XREF: ExpWnfCreateProcessContext+137j
		mov	byte ptr [esi],	0
		pop	esi
		retn
ExpWnfCreateProcessContext endp	; sp = -1Ch


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiAuVerifyAccessToObject proc near	; CODE XREF: ExpWnfCreateProcessContext+130p
					; PiPnpRtlIsDeviceEnumerableForUser(x,x,x,x,x)+A7p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F3E71 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+30h+var_1C], edx
		lea	edi, [esp+30h+var_10]
		mov	[esp+30h+var_14], ecx
		stosd
		xor	ebx, ebx
		mov	[esp+30h+var_18], ebx
		mov	[esp+30h+var_20], ebx
		mov	byte ptr [esp+30h+var_24], 1
		stosd
		stosd
		stosd
		test	edx, edx
		jz	loc_8F3E71
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	loc_8F3E71
		mov	edi, [ebp+arg_4]
		mov	[esi], bl
		test	edi, edi
		jz	short loc_7CF0C9
		mov	eax, edi

loc_7CF093:				; CODE XREF: PiAuVerifyAccessToObject+B8j
		lea	ecx, [esp+30h+var_20]
		push	ecx
		lea	ecx, [esp+34h+var_18]
		push	ecx
		push	[esp+38h+var_24]
		push	[ebp+arg_0]
		push	ebx
		push	ebx
		push	[esp+48h+var_14]
		push	ebx
		push	eax
		push	edx
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	[esi], al
		test	edi, edi
		jz	short loc_7CF100

loc_7CF0B8:				; CODE XREF: PiAuVerifyAccessToObject+C4j
		cmp	[esp+30h+var_20], ebx
		jl	short loc_7CF10C

loc_7CF0BE:				; CODE XREF: PiAuVerifyAccessToObject+C8j
					; PiAuVerifyAccessToObject+124E30j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7CF0C9:				; CODE XREF: PiAuVerifyAccessToObject+49j
		lea	eax, [esp+30h+var_10]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	eax, large fs:124h
		mov	edx, [esp+30h+var_1C]
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+30h+var_24], al
		lea	eax, [esp+30h+var_10]
		jmp	short loc_7CF093
; 

loc_7CF100:				; CODE XREF: PiAuVerifyAccessToObject+70j
		lea	eax, [esp+30h+var_10]
		push	eax
		call	SeReleaseSubjectContext
		jmp	short loc_7CF0B8
; 

loc_7CF10C:				; CODE XREF: PiAuVerifyAccessToObject+76j
		mov	[esi], bl
		jmp	short loc_7CF0BE
PiAuVerifyAccessToObject endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1428. MmLockPagableDataSection
; Exported entry 1429. MmLockPagableImageSection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmLockPagableDataSection
MmLockPagableDataSection proc near	; CODE XREF: VfInitSystemNoRebootNeeded(x,x)+33p
					; VfInitSystemNoRebootNeeded(x,x)+3Dp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F3E7B SIZE 00000053 BYTES

		mov	edi, edi	; MmLockPagableDataSection
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		sub	esp, 0Ch
		push	ebx
		push	esi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	loc_7CF1D6
		mov	eax, large fs:124h
		xor	esi, esi
		mov	[ebp+var_C], eax
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax+18h]
		sub	ecx, eax
		push	eax
		mov	[ebp+var_4], ecx
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		xor	ebx, ebx
		movzx	ecx, word ptr [eax+14h]
		add	ecx, 18h
		add	ecx, eax
		movzx	eax, word ptr [eax+6]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_7CF1A6

loc_7CF180:				; CODE XREF: MmLockPagableDataSection+8Aj
		mov	eax, [ecx+10h]
		mov	edx, [ecx+8]
		cmp	eax, edx
		jb	short loc_7CF1D2

loc_7CF18A:				; CODE XREF: MmLockPagableDataSection+BEj
		mov	edx, [ecx+0Ch]
		cmp	[ebp+var_4], edx
		jb	short loc_7CF199
		add	eax, edx
		cmp	[ebp+var_4], eax
		jb	short loc_7CF1A4

loc_7CF199:				; CODE XREF: MmLockPagableDataSection+7Aj
		add	ecx, 28h
		inc	ebx
		cmp	ebx, [ebp+var_8]
		jb	short loc_7CF180
		jmp	short loc_7CF1A6
; 

loc_7CF1A4:				; CODE XREF: MmLockPagableDataSection+81j
		mov	esi, ecx

loc_7CF1A6:				; CODE XREF: MmLockPagableDataSection+68j
					; MmLockPagableDataSection+8Cj
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, [ebp+var_C]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		test	esi, esi
		jz	loc_8F3E7B
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	MiLockPagableImageSection
		mov	eax, esi

loc_7CF1CC:				; CODE XREF: MmLockPagableDataSection+C3j
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7CF1D2:				; CODE XREF: MmLockPagableDataSection+72j
		mov	eax, edx
		jmp	short loc_7CF18A
; 

loc_7CF1D6:				; CODE XREF: MmLockPagableDataSection+14j
		xor	eax, eax
		inc	eax
		jmp	short loc_7CF1CC
MmLockPagableDataSection endp

; 
		align 10h
; Exported entry 1912. PsSetProcessWin32Process

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsSetProcessWin32Process
PsSetProcessWin32Process proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F3ECE SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		lea	ebx, [esi+0E0h]
		mov	ecx, ebx
		mov	[ebp+arg_0], ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_7CF28B
		test	byte ptr [esi+0FCh], 8
		jnz	loc_8F3ECE
		cmp	[esi+154h], edi
		jnz	loc_8F3ECE
		mov	[esi+154h], eax
		mov	edx, [esi+440h]
		mov	eax, edx
		mov	ecx, [esi+444h]
		and	eax, 0C0000000h
		and	ecx, 0FFFFFFFh
		or	eax, ecx
		jnz	loc_8F3E8F
		and	edx, 3FFFFFFFh
		or	edx, edi
		jnz	loc_8F3E8F

loc_7CF266:				; CODE XREF: PsSetProcessWin32Process+BCj
					; PsSetProcessWin32Process+CCj	...
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7CF29E

loc_7CF273:				; CODE XREF: PsSetProcessWin32Process+C5j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7CF28B:				; CODE XREF: PsSetProcessWin32Process+36j
		mov	eax, [esi+154h]
		cmp	eax, [ebp+arg_8]
		jnz	short loc_7CF2A7
		mov	[esi+154h], edi
		jmp	short loc_7CF266
; 

loc_7CF29E:				; CODE XREF: PsSetProcessWin32Process+91j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7CF273
; 

loc_7CF2A7:				; CODE XREF: PsSetProcessWin32Process+B4j
		mov	edi, 0C0000001h
		jmp	short loc_7CF266
PsSetProcessWin32Process endp


;  S U B	R O U T	I N E 


; __stdcall PspIsEnforcementAccountingNonZero(x)
_PspIsEnforcementAccountingNonZero@4 proc near
					; CODE XREF: PspRemoveProcessFromJobChain+1CDp
		lea	edx, [ecx+260h]
		add	ecx, 2C8h

loc_7CF2BA:				; CODE XREF: PspIsEnforcementAccountingNonZero(x)+1Aj
		cmp	edx, ecx
		jnb	short loc_7CF2CA
		mov	eax, [edx]
		or	eax, [edx+4]
		jnz	short loc_7CF2CD
		add	edx, 8
		jmp	short loc_7CF2BA
; 

loc_7CF2CA:				; CODE XREF: PspIsEnforcementAccountingNonZero(x)+Ej
		xor	al, al
		retn
; 

loc_7CF2CD:				; CODE XREF: PspIsEnforcementAccountingNonZero(x)+15j
		mov	al, 1
		retn
_PspIsEnforcementAccountingNonZero@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtGetNextThread	proc near		; DATA XREF: .text:00580FFCo

var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_159		= byte ptr -159h
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_90		= dword	ptr -90h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008F3ED8 SIZE 00000045 BYTES
; FUNCTION CHUNK AT 008F3F50 SIZE 00000037 BYTES

		push	16Ch
		push	offset dword_6A3D30
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_168], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_16C], eax
		mov	esi, [ebp+arg_14]
		mov	[ebp+var_174], esi
		xor	edi, edi
		mov	[ebp+var_160], edi
		mov	[ebp+var_158], edi
		push	74h		; size_t
		push	edi		; int
		lea	eax, [ebp+var_90]
		push	eax		; void *
		call	_memset
		push	0C4h		; size_t
		push	edi		; int
		lea	eax, [ebp+var_154]
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	[ebp+var_170], edi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_164],	al
		mov	[ebp+ms_exc.disabled], edi
		xor	ebx, ebx
		test	al, al
		setz	bl
		dec	ebx
		and	ebx, 0FFFEFE00h
		add	ebx, 11FF2h
		and	ebx, [ebp+arg_C]
		test	al, al
		jz	short loc_7CF375
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8F3ED8

loc_7CF371:				; CODE XREF: NtGetNextThread+124C0Aj
		mov	eax, [ecx]
		mov	[ecx], eax

loc_7CF375:				; CODE XREF: NtGetNextThread+90j
		mov	[esi], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+arg_10], 0
		jnz	loc_8F3EDF
		push	edi
		lea	eax, [ebp+var_160]
		push	eax
		mov	edi, 6E457350h
		push	edi
		push	[ebp+var_164]
		push	ds:_PsProcessType
		push	400h
		push	[ebp+var_168]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7CF526
		mov	eax, [ebp+var_16C]
		test	eax, eax
		jz	short loc_7CF404
		push	0
		lea	ecx, [ebp+var_158]
		push	ecx
		push	edi
		push	[ebp+var_164]
		push	ds:_PsThreadType
		push	0
		push	eax
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7CF53D
		mov	ecx, [ebp+var_158]
		mov	eax, [ecx+150h]
		cmp	eax, [ebp+var_160]
		jnz	loc_8F3EE9

loc_7CF404:				; CODE XREF: NtGetNextThread+F2j
		push	[ebp+var_158]
		push	[ebp+var_160]
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	esi, eax
		mov	[ebp+var_168], esi
		test	esi, esi
		jz	loc_7CF538
		push	[ebp+var_164]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		setnz	[ebp+var_159]
		mov	eax, large fs:124h
		mov	[ebp+var_16C], eax

loc_7CF451:				; CODE XREF: NtGetNextThread+124CA7j
		test	byte ptr [esi+2FCh], 2
		jz	loc_8F3EFA

loc_7CF45E:				; CODE XREF: NtGetNextThread+124C3Cj
		mov	eax, ds:_PsProcessType
		add	eax, 34h
		push	eax		; int
		push	[ebp+arg_8]	; int
		lea	eax, [ebp+var_154]
		push	eax		; void *
		lea	eax, [ebp+var_90]
		push	eax		; void *
		call	SeCreateAccessState
		mov	[ebp+var_158], eax
		test	eax, eax
		js	short loc_7CF504
		cmp	[ebp+var_159], 0
		jz	short loc_7CF4A5
		mov	eax, [ebp+var_80]
		test	eax, 2000000h
		jnz	loc_8F3F11
		or	[ebp+var_7C], eax

loc_7CF4A1:				; CODE XREF: NtGetNextThread+124C48j
		and	[ebp+var_80], 0

loc_7CF4A5:				; CODE XREF: NtGetNextThread+1BEj
		lea	eax, [ebp+var_170]
		push	eax
		push	[ebp+var_164]
		push	ds:_PsThreadType
		push	0
		lea	eax, [ebp+var_90]
		push	eax
		push	ebx
		push	esi
		call	ObOpenObjectByPointer
		mov	[ebp+var_158], eax
		lea	eax, [ebp+var_90]
		push	eax
		call	SeDeleteAccessState
		mov	eax, [ebp+var_158]
		test	eax, eax
		js	loc_8F3F50
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_170]
		mov	ecx, [ebp+var_174]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7CF504:				; CODE XREF: NtGetNextThread+1B5j
					; NtGetNextThread+124C85j
		mov	ebx, [ebp+var_158]

loc_7CF50A:				; CODE XREF: sub_8F3F30+1Bj
					; NtGetNextThread+124CB2j
		mov	edx, edi
		mov	ecx, [ebp+var_160]
		call	ObfDereferenceObjectWithTag
		test	esi, esi
		jz	short loc_7CF524
		mov	edx, edi
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_7CF524:				; CODE XREF: NtGetNextThread+249j
		mov	eax, ebx

loc_7CF526:				; CODE XREF: NtGetNextThread+E4j
					; NtGetNextThread+27Cj	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7CF538:				; CODE XREF: NtGetNextThread+14Fj
		mov	esi, 8000001Ah

loc_7CF53D:				; CODE XREF: NtGetNextThread+116j
					; NtGetNextThread+124C25j
		mov	edx, edi
		mov	ecx, [ebp+var_160]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	short loc_7CF526
NtGetNextThread	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfNotifySubscription(x,	x, x, x)
_ExpWnfNotifySubscription@16 proc near	; CODE XREF: ExpWnfSubscribeWnfStateChange+1F3p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	esi, [ecx+40h]
		mov	[ebp+var_4], edx
		xor	edi, edi
		xor	edx, edx
		push	edi
		mov	ecx, esi
		call	KeAbPreAcquire
		push	11h
		mov	ebx, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_7CF582
		push	esi
		mov	edx, ebx
		mov	ecx, esi
		call	ExfAcquirePushLockSharedEx

loc_7CF582:				; CODE XREF: ExpWnfNotifySubscription(x,x,x,x)+28j
		test	ebx, ebx
		jnz	short loc_7CF5E5

loc_7CF586:				; CODE XREF: ExpWnfNotifySubscription(x,x,x,x)+9Bj
		mov	ebx, [ebp+var_4]
		cmp	[ebx+1Ch], edi
		jz	short loc_7CF59F
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_ExpWnfInsertSubscriptionInPendingQueue@8 ; ExpWnfInsertSubscriptionInPendingQueue(x,x)
		test	eax, eax
		jz	short loc_7CF59F
		mov	edi, [ebx+18h]

loc_7CF59F:				; CODE XREF: ExpWnfNotifySubscription(x,x,x,x)+3Ej
					; ExpWnfNotifySubscription(x,x,x,x)+4Cj
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_7CF5B4
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7CF5B4:				; CODE XREF: ExpWnfNotifySubscription(x,x,x,x)+5Dj
		mov	ecx, esi
		call	KeAbPostRelease
		test	edi, edi
		jz	short loc_7CF5DE
		cmp	ds:_PsInitialSystemProcess, edi
		jz	short loc_7CF5EB
		mov	eax, [edi+39Ch]
		mov	eax, [eax+40h]
		test	eax, eax
		jz	short loc_7CF5DE
		push	0
		push	1
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_7CF5DE:				; CODE XREF: ExpWnfNotifySubscription(x,x,x,x)+6Fj
					; ExpWnfNotifySubscription(x,x,x,x)+84j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7CF5E5:				; CODE XREF: ExpWnfNotifySubscription(x,x,x,x)+36j
		or	byte ptr [ebx+0Eh], 1
		jmp	short loc_7CF586
; 

loc_7CF5EB:				; CODE XREF: ExpWnfNotifySubscription(x,x,x,x)+77j
		mov	ecx, [ebp+arg_4]
		call	_ExpWnfStartKernelDispatcher@4 ; ExpWnfStartKernelDispatcher(x)
		jmp	short loc_7CF5DE
_ExpWnfNotifySubscription@16 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ExpWnfStartKernelDispatcher(x)
_ExpWnfStartKernelDispatcher@4 proc near
					; CODE XREF: ExpWnfNotifyNameSubscribers(x,x,x,x)+12Dp
					; ExpWnfNotifySubscription(x,x,x,x)+A0p
		mov	edi, edi
		push	esi
		test	ecx, ecx
		jnz	short loc_7CF633
		mov	eax, _ExpWnfDispatcher
		push	2
		pop	esi
		add	eax, 14h
		lock or	[eax], esi
		mov	ecx, _ExpWnfDispatcher
		mov	eax, esi
		push	3
		pop	edx
		add	ecx, 14h
		lock cmpxchg [ecx], edx
		cmp	eax, esi
		jnz	short loc_7CF631
		mov	eax, _ExpWnfDispatcher
		push	1
		add	eax, 4
		push	eax
		call	ExQueueWorkItem

loc_7CF631:				; CODE XREF: ExpWnfStartKernelDispatcher(x)+29j
		pop	esi
		retn
; 

loc_7CF633:				; CODE XREF: ExpWnfStartKernelDispatcher(x)+5j
		pop	esi
		jmp	ExpWnfDispatchKernelSubscription
_ExpWnfStartKernelDispatcher@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfWorkItemRoutine(x)
_ExpWnfWorkItemRoutine@4 proc near	; DATA XREF: EtwpInitializeCoverageSampler+F94Fo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop

loc_7CF650:				; CODE XREF: ExpWnfWorkItemRoutine(x)+3Ej
		mov	eax, _ExpWnfDispatcher
		push	0FFFFFFFDh
		pop	ecx
		add	eax, 14h
		lock and [eax],	ecx
		call	ExpWnfDispatchKernelSubscription
		mov	ecx, _ExpWnfDispatcher
		xor	eax, eax
		xor	edx, edx
		add	ecx, 14h
		inc	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 1
		jnz	short loc_7CF650
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_ExpWnfWorkItemRoutine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfDispatchKernelSubscription proc near ; CODE XREF:	ExpWnfStartKernelDispatcher(x)+3Ej
					; ExpWnfWorkItemRoutine(x)+24p

var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F3FAF SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		mov	eax, ds:_PsInitialSystemProcess
		xor	ecx, ecx
		push	ebx
		mov	[esp+28h+var_C], ecx
		xor	edx, edx
		mov	[esp+28h+var_8], ecx
		mov	ebx, [eax+39Ch]
		push	esi
		push	edi
		push	ecx
		lea	edi, [ebx+34h]
		mov	[esp+34h+var_10], ebx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_7CF6DE
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_7CF6DE:				; CODE XREF: ExpWnfDispatchKernelSubscription+46j
		test	esi, esi
		jnz	loc_7CF913

loc_7CF6E6:				; CODE XREF: ExpWnfDispatchKernelSubscription+28Bj
		lea	ecx, [ebx+38h]
		or	esi, 0FFFFFFFFh
		mov	[esp+30h+var_14], ecx

loc_7CF6F0:				; CODE XREF: ExpWnfDispatchKernelSubscription+24Dj
		mov	eax, [ecx]
		mov	[esp+30h+var_1C], eax
		cmp	eax, ecx
		jz	loc_7CF8DE
		lea	ebx, [eax-40h]
		lea	ecx, [ebx+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	eax, [esp+30h+var_1C]
		mov	dword ptr [ebx+48h], 2
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_7CF938
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_7CF938
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	eax, [ebx+4Ch]
		mov	[esp+30h+var_24], eax
		mov	eax, [esp+30h+var_10]
		add	eax, 28h
		mov	[esp+30h+var_20], eax

loc_7CF741:				; CODE XREF: ExpWnfDispatchKernelSubscription+237j
		and	dword ptr [ebx+4Ch], 0
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7CF91C

loc_7CF755:				; CODE XREF: ExpWnfDispatchKernelSubscription+297j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [esp+30h+var_20]
		xor	edx, edx
		push	0
		call	KeAbPreAcquire
		mov	edx, [esp+30h+var_20]
		push	11h
		mov	[esp+34h+var_18], eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [edx], ecx
		mov	edx, [esp+30h+var_18]
		test	eax, eax
		jz	short loc_7CF792
		mov	eax, [esp+30h+var_20]
		mov	ecx, eax
		push	eax
		call	ExfAcquirePushLockSharedEx
		mov	edx, [esp+30h+var_18]

loc_7CF792:				; CODE XREF: ExpWnfDispatchKernelSubscription+F4j
		test	edx, edx
		jnz	loc_7CF904

loc_7CF79A:				; CODE XREF: ExpWnfDispatchKernelSubscription+27Cj
		mov	ebx, [ebx+1Ch]
		test	ebx, ebx
		jz	loc_8F3FAF
		lea	ecx, [ebx+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	ebx, eax
		jz	loc_8F3FAF
		mov	ecx, [esp+30h+var_24]

loc_7CF7C0:				; CODE XREF: ExpWnfDispatchKernelSubscription+12492Ej
		mov	eax, ecx
		and	eax, 1
		jz	short loc_7CF7DA
		mov	eax, [esp+30h+var_1C]
		mov	edx, [ebx+38h]
		cmp	edx, [eax-8]
		jbe	loc_8F3FBF
		mov	[eax-8], edx

loc_7CF7DA:				; CODE XREF: ExpWnfDispatchKernelSubscription+139j
					; ExpWnfDispatchKernelSubscription+12493Aj
		mov	edx, [esp+30h+var_20]
		push	11h
		pop	eax
		test	ecx, ecx
		jz	loc_8F3FCB
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jz	short loc_7CF7FF
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, [esp+30h+var_20]

loc_7CF7FF:				; CODE XREF: ExpWnfDispatchKernelSubscription+166j
		mov	ecx, edx
		call	KeAbPostRelease
		mov	edx, [esp+30h+var_1C]
		add	edx, 0FFFFFFC0h
		mov	ecx, [edx+20h]
		mov	eax, [edx+24h]
		xor	ecx, 0A3BC0074h
		xor	eax, 41C64E6Dh
		mov	[esp+30h+var_C], ecx
		mov	[esp+30h+var_8], eax
		test	ebx, ebx
		jz	loc_8F3FED
		mov	eax, [ebx+28h]
		mov	[esp+30h+var_18], eax

loc_7CF835:				; CODE XREF: ExpWnfDispatchKernelSubscription+124966j
		mov	eax, [esp+30h+var_24]
		mov	ecx, eax
		and	ecx, 1
		mov	[esp+30h+var_24], ecx
		test	ebx, ebx
		jz	loc_7CF931
		test	ecx, ecx
		jz	loc_7CF931
		mov	ecx, [ebx+38h]

loc_7CF855:				; CODE XREF: ExpWnfDispatchKernelSubscription+2A7j
		push	dword ptr [edx+34h]
		push	[esp+34h+var_18]
		push	ecx
		push	eax
		lea	eax, [esp+40h+var_C]
		push	eax
		push	edx
		call	dword ptr [edx+30h]
		cmp	[esp+48h+var_3C], 0
		jz	short loc_7CF885
		mov	eax, esi
		lock xadd [ebx+5Ch], eax
		jnz	short loc_7CF885
		push	0
		push	0
		push	8
		pop	edx
		mov	ecx, ebx
		call	_ExpWnfNotifyNameSubscribers@16	; ExpWnfNotifyNameSubscribers(x,x,x,x)

loc_7CF885:				; CODE XREF: ExpWnfDispatchKernelSubscription+1E0j
					; ExpWnfDispatchKernelSubscription+1E9j ...
		test	ebx, ebx
		jz	short loc_7CF891
		lea	ecx, [ebx+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7CF891:				; CODE XREF: ExpWnfDispatchKernelSubscription+1FBj
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	ebx, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_7CF8AF
		push	edi
		mov	edx, ebx
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_7CF8AF:				; CODE XREF: ExpWnfDispatchKernelSubscription+217j
		test	ebx, ebx
		jnz	short loc_7CF90D

loc_7CF8B3:				; CODE XREF: ExpWnfDispatchKernelSubscription+285j
		mov	ebx, [esp+48h+var_34]
		add	ebx, 0FFFFFFC0h
		mov	eax, [ebx+4Ch]
		mov	[esp+48h+var_3C], eax
		test	eax, eax
		jnz	loc_7CF741
		and	dword ptr [ebx+48h], 0
		lea	ecx, [ebx+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, [esp+48h+var_2C]
		jmp	loc_7CF6F0
; 

loc_7CF8DE:				; CODE XREF: ExpWnfDispatchKernelSubscription+6Cj
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7CF928

loc_7CF8EB:				; CODE XREF: ExpWnfDispatchKernelSubscription+2A3j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7CF904:				; CODE XREF: ExpWnfDispatchKernelSubscription+108j
		or	byte ptr [edx+0Eh], 1
		jmp	loc_7CF79A
; 

loc_7CF90D:				; CODE XREF: ExpWnfDispatchKernelSubscription+225j
		or	byte ptr [ebx+0Eh], 1
		jmp	short loc_7CF8B3
; 

loc_7CF913:				; CODE XREF: ExpWnfDispatchKernelSubscription+54j
		or	byte ptr [esi+0Eh], 1
		jmp	loc_7CF6E6
; 

loc_7CF91C:				; CODE XREF: ExpWnfDispatchKernelSubscription+C3j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7CF755
; 

loc_7CF928:				; CODE XREF: ExpWnfDispatchKernelSubscription+25Dj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7CF8EB
; 

loc_7CF931:				; CODE XREF: ExpWnfDispatchKernelSubscription+1B8j
					; ExpWnfDispatchKernelSubscription+1C0j
		xor	ecx, ecx
		jmp	loc_7CF855
; 

loc_7CF938:				; CODE XREF: ExpWnfDispatchKernelSubscription+8Dj
					; ExpWnfDispatchKernelSubscription+98j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall PiUEventMetaNotificationCallback(x,	x, x, x, x, x)
_PiUEventMetaNotificationCallback@24:	; DATA XREF: PiUEventInit(x)+B2o
		mov	_PiUEventBroadcastSubscriberPresent, 1
		xor	eax, eax
		retn	18h
ExpWnfDispatchKernelSubscription endp ;	sp = -34h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmCreateSpecialImageSection proc near	; CODE XREF: PAGE:007A2F2Ep
					; PAGE:007A307Bp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F3FF7 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		xor	eax, eax
		push	edi
		and	esi, 1
		mov	[esp+20h+var_4], edx
		mov	edi, esi
		mov	[esp+20h+var_C], eax
		neg	edi
		mov	[esp+20h+var_10], eax
		mov	ebx, ecx
		sbb	edi, edi
		and	edi, 0FEC00000h
		add	edi, 2400000h
		test	byte ptr [ebp+arg_C], 4
		jnz	loc_8F3FF7

loc_7CF98A:				; CODE XREF: MmCreateSpecialImageSection+1246B0j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esp+20h+var_8], eax

loc_7CF9A0:				; CODE XREF: MmCreateSpecialImageSection+1246CBj
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	esi
		push	edi
		push	10h
		push	ecx
		push	ecx
		lea	ecx, [esp+50h+var_10]
		call	MiCreateSection
		test	eax, eax
		js	short loc_7CFA13
		mov	ecx, [esp+20h+var_10]
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	edi, eax
		mov	ecx, edi
		call	MiReferenceControlAreaFile
		mov	esi, eax
		mov	ecx, esi
		call	_CcZeroEndOfLastPage@4 ; CcZeroEndOfLastPage(x)
		mov	edx, esi
		mov	ecx, edi
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		mov	ecx, [esp+20h+var_10]
		lea	eax, [esp+20h+var_C]
		push	eax
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	eax
		push	0F001Fh
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7CFA0A
		mov	ecx, [esp+20h+var_C]
		mov	[ebx], ecx

loc_7CFA0A:				; CODE XREF: MmCreateSpecialImageSection+B8j
					; MmCreateSpecialImageSection+CEj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7CFA13:				; CODE XREF: MmCreateSpecialImageSection+76j
		cmp	eax, 0C0000054h
		jnz	short loc_7CFA0A
		jmp	loc_8F3FFF
MmCreateSpecialImageSection endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSuspendThread	proc near		; DATA XREF: .text:00580C24o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	1Ch
		push	offset dword_6A3D58
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		mov	[ebp+ms_exc.disabled], edx
		test	al, al
		jz	short loc_7CFA5E
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_7CFA5E
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_7CFAC8

loc_7CFA5A:				; CODE XREF: NtSuspendThread+AAj
		mov	eax, [ecx]
		mov	[ecx], eax

loc_7CFA5E:				; CODE XREF: NtSuspendThread+28j
					; NtSuspendThread+2Fj
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		push	edx
		lea	eax, [ebp+var_1C]
		push	eax
		mov	ebx, 75537350h
		push	ebx
		push	[ebp+var_24]
		push	ds:_PsThreadType
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7CFAB6
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_1C]
		call	PsSuspendThread
		mov	esi, eax
		mov	edx, ebx
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObjectWithTag
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_7CFAB1
		mov	eax, [ebp+var_20]
		mov	[ecx], eax

loc_7CFAB1:				; CODE XREF: NtSuspendThread+8Aj
		mov	[ebp+ms_exc.disabled], edi

loc_7CFAB4:				; CODE XREF: sub_8F402A+Dj
		mov	eax, esi

loc_7CFAB6:				; CODE XREF: NtSuspendThread+64j
					; PAGE:008F4057j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7CFAC8:				; CODE XREF: NtSuspendThread+38j
		mov	ecx, eax
		jmp	short loc_7CFA5A
NtSuspendThread	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsSuspendThread	proc near		; CODE XREF: NtSuspendThread+6Dp
					; PsSuspendProcess+43p	...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F405C SIZE 0000000A BYTES
; FUNCTION CHUNK AT 008F4088 SIZE 00000012 BYTES

		push	1Ch
		push	offset dword_6A3D80
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_1C], esi
		mov	eax, large fs:124h
		mov	[ebp+var_20], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+arg_0]
		lea	ecx, [edi+2ECh]
		mov	[ebp+var_2C], ecx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_7CFB76
		mov	eax, [edi+2FCh]
		test	al, 1
		jnz	loc_8F405C
		mov	[ebp+ms_exc.disabled], esi
		mov	ecx, edi
		call	KeSuspendThread
		mov	[ebp+var_1C], eax

loc_7CFB1E:				; CODE XREF: sub_8F407D+6j
		mov	[ebp+var_28], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7CFB28:				; CODE XREF: PsSuspendThread+124595j
		mov	ecx, [ebp+var_2C]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7CFB30:				; CODE XREF: PsSuspendThread+AFj
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_7CFB40
		mov	eax, [ebp+var_1C]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_7CFB5C

loc_7CFB40:				; CODE XREF: PsSuspendThread+69j
					; PsSuspendThread+A3j ...
		mov	ecx, [ebp+var_20]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7CFB5C:				; CODE XREF: PsSuspendThread+72j
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+150h]
		test	dword ptr [eax+3A8h], 100000h
		jz	short loc_7CFB40
		jmp	loc_8F4088
; 

loc_7CFB76:				; CODE XREF: PsSuspendThread+35j
		mov	esi, 0C000004Bh
		jmp	short loc_7CFB30
PsSuspendThread	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpRemoveKeyHash(x,	x)
_CmpRemoveKeyHash@8 proc near		; CODE XREF: CmpDiscardKcb(x)+62p
					; CmpRehashKcbSubtree(x,x)+59p	...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		push	dword ptr [edi]
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		imul	edx, eax, 0Ch
		mov	ecx, edi
		pop	edi
		add	edx, [esi+434h]
		pop	esi
		jmp	_CmpRemoveKeyHashFromTableEntry@8 ; CmpRemoveKeyHashFromTableEntry(x,x)
_CmpRemoveKeyHash@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpRemoveKeyHashFromTableEntry(x, x)
_CmpRemoveKeyHashFromTableEntry@8 proc near ; CODE XREF: CmpRemoveKeyHash(x,x)+1Cj
					; CmpCleanUpKcbCacheWithLock+1C7p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		add	edx, 8
		jz	short loc_7CFBB9

loc_7CFBAA:				; CODE XREF: CmpRemoveKeyHashFromTableEntry(x,x)+20j
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_7CFBB9
		cmp	eax, esi
		jnz	short loc_7CFBBB
		mov	eax, [eax+4]
		mov	[edx], eax

loc_7CFBB9:				; CODE XREF: CmpRemoveKeyHashFromTableEntry(x,x)+8j
					; CmpRemoveKeyHashFromTableEntry(x,x)+Ej
		pop	esi
		retn
; 

loc_7CFBBB:				; CODE XREF: CmpRemoveKeyHashFromTableEntry(x,x)+12j
		lea	edx, [eax+4]
		test	edx, edx
		jnz	short loc_7CFBAA
		pop	esi
		retn
_CmpRemoveKeyHashFromTableEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpAddKeyHashToEntry proc near		; CODE XREF: CmpInsertKeyHash(x,x,x)+1Cp

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008F409A SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [edx+8]
		mov	esi, edi
		jz	loc_8F409A

loc_7CFBDB:				; CODE XREF: CmpAddKeyHashToEntry+1244D8j
					; CmpAddKeyHashToEntry+124503j
		mov	[ecx+4], edi
		xor	eax, eax
		mov	[edx+8], ecx

loc_7CFBE3:				; CODE XREF: CmpAddKeyHashToEntry+1244F7j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
CmpAddKeyHashToEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetDeletedHashIndexInHive(x, x)
_CmpGetDeletedHashIndexInHive@8	proc near ; CODE XREF: CmpDiscardKcb(x)+75p
					; CmpUnlockDeletedHashEntryByKcb(x)+Fp	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ecx+440h]
		shr	eax, 9
		xor	eax, [ebp+arg_0]
		imul	edx, eax, 18AA3h
		mov	eax, edx
		shr	eax, 9
		xor	eax, edx
		dec	ecx
		and	eax, ecx
		pop	ebp
		retn	4
_CmpGetDeletedHashIndexInHive@8	endp

; 
		align 8
; Exported entry 2426. SeAssignSecurity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAssignSecurity(x,	x, x, x, x, x, x)
		public _SeAssignSecurity@28
_SeAssignSecurity@28 proc near		; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+27Ep
					; CmFcInitSystem2()+4Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	edx, [ebp+arg_4]
		push	esi
		test	ecx, ecx
		jz	short loc_7CFC4E
		test	edx, edx
		jnz	short loc_7CFC6B

loc_7CFC2E:				; CODE XREF: SeAssignSecurity(x,x,x,x,x,x,x)+59j
		mov	esi, 400h
		test	[ecx+2], si
		jz	short loc_7CFC3C
		xor	eax, eax
		inc	eax

loc_7CFC3C:				; CODE XREF: SeAssignSecurity(x,x,x,x,x,x,x)+1Fj
					; SeAssignSecurity(x,x,x,x,x,x,x)+57j
		test	edx, edx
		jnz	short loc_7CFC73

loc_7CFC40:				; CODE XREF: SeAssignSecurity(x,x,x,x,x,x,x)+5Fj
		mov	esi, 800h
		test	[ecx+2], si
		jz	short loc_7CFC4E
		or	eax, 2

loc_7CFC4E:				; CODE XREF: SeAssignSecurity(x,x,x,x,x,x,x)+10j
					; SeAssignSecurity(x,x,x,x,x,x,x)+31j ...
		push	0
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	eax
		push	[ebp+arg_C]
		push	0
		push	0
		push	[ebp+arg_8]
		call	RtlpNewSecurityObject
		pop	esi
		pop	ebp
		retn	1Ch
; 

loc_7CFC6B:				; CODE XREF: SeAssignSecurity(x,x,x,x,x,x,x)+14j
		test	byte ptr [edx+2], 4
		jnz	short loc_7CFC3C
		jmp	short loc_7CFC2E
; 

loc_7CFC73:				; CODE XREF: SeAssignSecurity(x,x,x,x,x,x,x)+26j
		test	byte ptr [edx+2], 10h
		jz	short loc_7CFC40
		jmp	short loc_7CFC4E
_SeAssignSecurity@28 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpAllocateOplock proc near		; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+85p
					; LdrpGetResourceFileName+1B8p	...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	10h
		push	offset dword_6A3DA0
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_1C], esi
		mov	[ebp+ms_exc.disabled], esi
		mov	[ebp+var_20], 1
		mov	ebx, 6F725346h
		push	ebx
		push	50h
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_1C], edi
		push	50h		; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		push	ebx
		push	20h
		push	210h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+4Ch], eax
		xor	ebx, ebx
		inc	ebx
		mov	[eax], ebx
		mov	[eax+4], esi
		mov	[eax+8], esi
		push	esi
		push	ebx
		add	eax, 0Ch
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [edi+14h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+1Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+24h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+2Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+34h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+3Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[edi+48h], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_20], esi
		call	sub_7CFD31
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
FsRtlpAllocateOplock endp


;  S U B	R O U T	I N E 


sub_7CFD31	proc near		; CODE XREF: FsRtlpAllocateOplock+9Ep
					; sub_8F40CC+5j

; FUNCTION CHUNK AT 008F40D6 SIZE 00000010 BYTES

		cmp	[ebp-20h], esi
		jnz	loc_8F40D6

locret_7CFD3A:				; CODE XREF: sub_7CFD31+1243A7j
		retn
sub_7CFD31	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWin32ParseProcedure(x, x, x, x, x, x, x,	x, x, x)
_ExpWin32ParseProcedure@40 proc	near	; DATA XREF: ExpWin32Initialization()+76o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_1B		= word ptr -1Bh
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 30h
		mov	ecx, [ebp+arg_0]
		mov	[esp+30h+var_28], ecx
		mov	eax, [ecx]
		mov	[esp+30h+var_2C], eax
		xor	eax, eax
		mov	[esp+30h+var_1B], ax
		mov	[esp+30h+var_19], al
		mov	eax, [ebp+arg_4]
		mov	[esp+30h+var_24], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+30h+var_20], eax
		mov	al, [ebp+arg_C]
		mov	[esp+30h+var_1C], al
		mov	eax, [ebp+arg_10]
		mov	[esp+30h+var_18], eax
		mov	eax, [ebp+arg_14]
		mov	[esp+30h+var_14], eax
		mov	eax, [ebp+arg_18]
		mov	[esp+30h+var_10], eax
		mov	eax, [ebp+arg_1C]
		mov	[esp+30h+var_C], eax
		mov	eax, [ebp+arg_20]
		mov	[esp+30h+var_8], eax
		mov	eax, [ebp+arg_24]
		mov	[esp+30h+var_4], eax
		lea	eax, [esp+30h+var_2C]
		push	eax
		push	1
		lea	eax, [esp+38h+var_28]
		push	eax
		push	0Fh
		call	PsInvokeWin32Callout
		mov	esp, ebp
		pop	ebp
		retn	28h
_ExpWin32ParseProcedure@40 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2145. RtlGetVersion

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlGetVersion
RtlGetVersion	proc near		; CODE XREF: RtlVerifyVersionInfo+55p
					; SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)+48p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F40E6 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_4], ebx
		mov	edi, 124h
		mov	dword ptr [esi+4], 0Ah
		mov	[esi+8], ebx
		movzx	eax, word ptr _NtBuildNumber
		mov	[esi+0Ch], eax
		mov	eax, [esi]
		mov	dword ptr [esi+10h], 2
		cmp	eax, 11Ch
		jnz	short loc_7CFE63

loc_7CFDF7:				; CODE XREF: RtlGetVersion+ABj
		movzx	eax, byte ptr _CmNtCSDVersion+1
		mov	[esi+114h], ax
		movzx	eax, byte ptr _CmNtCSDVersion
		mov	[esi+116h], ax
		xor	eax, eax
		mov	[esi+118h], ax
		mov	[esi+11Ah], bl
		cmp	_InitializationPhase, eax
		jbe	short loc_7CFE54
		lea	eax, [ebp+var_4]
		push	eax
		call	_RtlGetNtProductType@4 ; RtlGetNtProductType(x)
		test	al, al
		jz	short loc_7CFE40
		mov	al, byte ptr [ebp+var_4]
		mov	[esi+11Ah], al

loc_7CFE40:				; CODE XREF: RtlGetVersion+79j
		call	RtlGetSuiteMask
		mov	[esi+118h], ax
		cmp	[esi], edi
		jz	loc_8F40E6

loc_7CFE54:				; CODE XREF: RtlGetVersion+6Cj
					; RtlGetVersion+12433Aj
		mov	[esi+11Bh], bl

loc_7CFE5A:				; CODE XREF: RtlGetVersion+A9j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	4
; 

loc_7CFE63:				; CODE XREF: RtlGetVersion+39j
		cmp	eax, edi
		jnz	short loc_7CFE5A
		jmp	short loc_7CFDF7
RtlGetVersion	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2140. RtlGetSuiteMask

;  S U B	R O U T	I N E 


		public RtlGetSuiteMask
RtlGetSuiteMask	proc near		; CODE XREF: RtlGetVersion:loc_7CFE40p
					; RtlGetVersion:loc_8F40E6p

; FUNCTION CHUNK AT 008F40FB SIZE 0000000F BYTES

		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_8F40FB
		mov	eax, ds:0FFDF02D0h
		retn
RtlGetSuiteMask	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAlpcCreatePort(x,	x, x)
_NtAlpcCreatePort@12 proc near		; DATA XREF: .text:0058123Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		mov	ecx, [ebp+arg_0]
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_8]
		call	AlpcpCreateConnectionPort
		mov	ecx, large fs:124h
		mov	esi, eax
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
_NtAlpcCreatePort@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCreateConnectionPort proc near	; CODE XREF: NtAlpcCreatePort(x,x,x)+22p
					; NtCreatePort(x,x,x,x,x)+23p ...

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F410A SIZE 0000000E BYTES
; FUNCTION CHUNK AT 008F4138 SIZE 00000017 BYTES

		push	54h
		push	offset dword_6A3DC0
		call	__SEH_prolog4_GS
		mov	[ebp+var_5C], edx
		mov	esi, ecx
		mov	[ebp+var_60], esi
		mov	ebx, [ebp+arg_0]
		push	2Ch		; size_t
		xor	edi, edi
		push	edi		; int
		lea	eax, [ebp+var_48]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], edi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_49], al
		test	al, al
		jz	loc_7D0066
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8F410A

loc_7CFF15:				; CODE XREF: AlpcpCreateConnectionPort+12424Ej
		mov	eax, [ecx]
		mov	[ecx], eax
		test	ebx, ebx
		jz	short loc_7CFF35
		mov	esi, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8F4111

loc_7CFF2C:				; CODE XREF: AlpcpCreateConnectionPort+124255j
		push	0Bh
		pop	ecx
		lea	edi, [ebp+var_48]
		rep movsd
		nop

loc_7CFF35:				; CODE XREF: AlpcpCreateConnectionPort+5Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, [ebp+var_49]

loc_7CFF3F:				; CODE XREF: AlpcpCreateConnectionPort+1AAj
					; AlpcpCreateConnectionPort+1BAj
		lea	ecx, [ebp+var_54]
		push	ecx
		mov	edx, [ebp+var_5C]
		mov	cl, al
		call	_AlpcpCreatePort@12 ; AlpcpCreatePort(x,x,x)
		test	eax, eax
		js	loc_7D003C
		test	ebx, ebx
		jz	short loc_7CFF66
		test	[ebp+var_48], 40000h
		jnz	loc_7D004E

loc_7CFF66:				; CODE XREF: AlpcpCreateConnectionPort+99j
					; AlpcpCreateConnectionPort+194j
		push	[ebp+arg_8]
		xor	edx, edx
		inc	edx
		mov	esi, [ebp+var_54]
		mov	ecx, esi
		call	_AlpcpInitializePort@12	; AlpcpInitializePort(x,x,x)
		mov	edi, eax
		mov	ecx, esi
		test	edi, edi
		js	loc_8F413C
		neg	ebx
		sbb	ebx, ebx
		lea	eax, [ebp+var_48]
		and	ebx, eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	0
		push	esi
		mov	edx, ebx
		call	_AlpcpValidateAndSetPortAttributes@28 ;	AlpcpValidateAndSetPortAttributes(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8F413A
		cmp	byte ptr [ebp+arg_C], 0
		jnz	loc_7D0057

loc_7CFFB2:				; CODE XREF: AlpcpCreateConnectionPort+1A3j
		mov	edx, ebx
		mov	ecx, esi
		call	_AlpcpSetOwnerProcessPort@8 ; AlpcpSetOwnerProcessPort(x,x)
		push	1
		push	28h
		pop	edx
		mov	ecx, offset _AlpcConnectionType
		call	@AlpcpAllocateBlob@12 ;	AlpcpAllocateBlob(x,x,x)
		mov	[esi+8], eax
		test	eax, eax
		jz	loc_8F4148
		xor	ebx, ebx
		mov	[eax+8], ebx
		mov	eax, [esi+8]
		mov	[eax], esi
		mov	eax, [esi+8]
		mov	[eax+4], ebx
		mov	eax, [esi+8]
		mov	[eax+24h], ebx
		mov	eax, [esi+8]
		add	eax, 0Ch
		mov	[eax+4], eax
		mov	[eax], eax
		mov	ecx, [esi+8]
		add	ecx, 14h
		call	_AlpcInitializeHandleTable@8 ; AlpcInitializeHandleTable(x,x)
		test	eax, eax
		js	loc_8F4138
		lea	eax, [ebp+var_50]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	1F0001h
		xor	edx, edx
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_7D003A
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_50]
		mov	edx, [ebp+var_60]
		mov	[edx], eax

loc_7D0033:				; CODE XREF: sub_8F415D+Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D003A:				; CODE XREF: AlpcpCreateConnectionPort+164j
		mov	eax, ecx

loc_7D003C:				; CODE XREF: AlpcpCreateConnectionPort+91j
					; sub_8F4126+Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7D004E:				; CODE XREF: AlpcpCreateConnectionPort+A2j
		mov	byte ptr [ebp+arg_8], 1
		jmp	loc_7CFF66
; 

loc_7D0057:				; CODE XREF: AlpcpCreateConnectionPort+EEj
		or	dword ptr [esi+0F4h], 3000h
		jmp	loc_7CFFB2
; 

loc_7D0066:				; CODE XREF: AlpcpCreateConnectionPort+3Fj
		test	ebx, ebx
		jz	loc_7CFF3F
		push	0Bh
		pop	ecx
		mov	esi, ebx
		lea	edi, [ebp+var_48]
		rep movsd
		jmp	loc_7CFF3F
AlpcpCreateConnectionPort endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 828. IoForwardAndCatchIrp
; Exported entry 829. IoForwardIrpSynchronously

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoForwardIrpSynchronously(x, x)
		public _IoForwardIrpSynchronously@8
_IoForwardIrpSynchronously@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi	; IoForwardAndCatchIrp
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		cmp	byte ptr [edx+23h], 1
		jz	short loc_7D00B4
		push	esi
		mov	esi, [edx+60h]
		push	edi
		push	7
		pop	ecx
		lea	eax, [esi-24h]
		push	edx
		push	[ebp+arg_0]
		mov	edi, eax
		rep movsd
		mov	byte ptr [eax+3], 0
		call	_IoSynchronousCallDriver@8 ; IoSynchronousCallDriver(x,x)
		pop	edi
		mov	al, 1
		pop	esi

loc_7D00B0:				; CODE XREF: IoForwardIrpSynchronously(x,x)+34j
		pop	ebp
		retn	8
; 

loc_7D00B4:				; CODE XREF: IoForwardIrpSynchronously(x,x)+Cj
		xor	al, al
		jmp	short loc_7D00B0
_IoForwardIrpSynchronously@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1453. MmPrefetchPages

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmPrefetchPages(x, x)
		public _MmPrefetchPages@8
_MmPrefetchPages@8 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	MmPrefetchPagesEx
		pop	ebp
		retn	8
_MmPrefetchPages@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiUpdateProcessSharedCommit(x, x)
_MiUpdateProcessSharedCommit@8 proc near ; CODE	XREF: MiChargeSegmentCommit+175p
		call	_MiIncludeSharedCommit@4 ; MiIncludeSharedCommit(x)
		test	eax, eax
		jz	short locret_7D0121
		mov	eax, [ecx]
		push	esi
		xor	esi, esi
		mov	eax, [eax+30h]
		jmp	short loc_7D00EB
; 

loc_7D00E7:				; CODE XREF: MiUpdateProcessSharedCommit(x,x)+19j
		mov	esi, eax
		mov	eax, [eax]

loc_7D00EB:				; CODE XREF: MiUpdateProcessSharedCommit(x,x)+11j
		test	eax, eax
		jnz	short loc_7D00E7

loc_7D00EF:				; CODE XREF: MiUpdateProcessSharedCommit(x,x)+42j
					; MiUpdateProcessSharedCommit(x,x)+46j	...
		test	esi, esi
		jz	short loc_7D0120
		mov	ecx, [esi+0Ch]
		test	cl, 1
		jnz	short loc_7D0136
		add	ecx, 418h

loc_7D0101:				; CODE XREF: MiUpdateProcessSharedCommit(x,x)+6Bj
		mov	eax, edx
		lock xadd [ecx], eax
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jnz	short loc_7D0122

loc_7D0110:				; CODE XREF: MiUpdateProcessSharedCommit(x,x)+4Aj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	short loc_7D00EF
		cmp	[esi], ecx
		jz	short loc_7D00EF
		mov	ecx, esi
		jmp	short loc_7D0110
; 

loc_7D0120:				; CODE XREF: MiUpdateProcessSharedCommit(x,x)+1Dj
		pop	esi

locret_7D0121:				; CODE XREF: MiUpdateProcessSharedCommit(x,x)+7j
		retn
; 

loc_7D0122:				; CODE XREF: MiUpdateProcessSharedCommit(x,x)+3Aj
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_7D00EF

loc_7D012A:				; CODE XREF: MiUpdateProcessSharedCommit(x,x)+5Ej
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_7D012A
		jmp	short loc_7D00EF
; 

loc_7D0136:				; CODE XREF: MiUpdateProcessSharedCommit(x,x)+25j
		and	ecx, 0FFFFFFFEh
		add	ecx, 31Ch
		jmp	short loc_7D0101
_MiUpdateProcessSharedCommit@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcSectionDeleteProcedure(x)
_AlpcSectionDeleteProcedure@4 proc near	; DATA XREF: .text:00401134o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_7D0160
		mov	edx, [esi+0Ch]
		push	esi
		call	@AlpcDeleteBlobByHandle@12 ; AlpcDeleteBlobByHandle(x,x,x)
		and	dword ptr [esi+8], 0

loc_7D0160:				; CODE XREF: AlpcSectionDeleteProcedure(x)+Fj
		mov	edi, [esi+14h]
		test	edi, edi
		jz	short loc_7D0189
		mov	ecx, esi
		call	AlpcpLockForCachedReferenceBlob
		mov	edx, esi
		mov	ecx, edi
		call	_AlpcpRemoveResourcePort@8 ; AlpcpRemoveResourcePort(x,x)
		and	dword ptr [esi+14h], 0
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7D0189:				; CODE XREF: AlpcSectionDeleteProcedure(x)+23j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_AlpcSectionDeleteProcedure@4 endp ; sp	=  8

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAlpcDisconnectPort(x, x)
_NtAlpcDisconnectPort@8	proc near	; DATA XREF: .text:00581218o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		test	[ebp+arg_4], 0FFFFFFFEh
		jnz	short loc_7D0209
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	0
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, ds:_AlpcPortObjectType
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D01F6
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		call	AlpcpDisconnectPort
		mov	ecx, [ebp+var_4]
		mov	esi, eax
		call	ObfDereferenceObject

loc_7D01F6:				; CODE XREF: NtAlpcDisconnectPort(x,x)+4Fj
					; NtAlpcDisconnectPort(x,x)+7Ej
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		pop	esi
		leave
		retn	8
; 

loc_7D0209:				; CODE XREF: NtAlpcDisconnectPort(x,x)+1Dj
		mov	esi, 0C000000Dh
		jmp	short loc_7D01F6
_NtAlpcDisconnectPort@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspReadIFEONodeOptions proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8F7p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F4170 SIZE 00000064 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_4]
		push	edi
		push	4
		push	eax
		push	4
		push	offset ??_C@_1BI@OGLLNOMI@?$AAN?$AAo?$AAd?$AAe?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@ ; "NodeOptions"
		push	edx
		mov	esi, ecx
		mov	[ebp+var_4], edi
		call	RtlQueryImageFileKeyOption
		test	eax, eax
		jns	loc_8F4170

loc_7D023B:				; CODE XREF: PspReadIFEONodeOptions+123F6Dj
					; PspReadIFEONodeOptions+123F7Fj ...
		pop	edi
		pop	esi
		leave
		retn	4
PspReadIFEONodeOptions endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspReadIFEOPerfOptions proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A4Bp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F41D4 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		and	[esp+4+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	0
		push	4
		pop	ebx
		mov	esi, edx
		mov	edi, ecx
		push	ebx
		lea	eax, [esi+8]
		push	eax
		push	ebx
		push	offset ??_C@_1BG@GPFBNIMC@?$AAI?$AAo?$AAP?$AAr?$AAi?$AAo?$AAr?$AAi?$AAt?$AAy@NNGAKEGL@ ; "IoPriority"
		push	edi
		call	RtlQueryImageFileKeyOption
		test	eax, eax
		jns	short loc_7D02C4

loc_7D0270:				; CODE XREF: PspReadIFEOPerfOptions+85j
		push	0
		push	ebx
		lea	eax, [esi+0Ch]
		push	eax
		push	ebx
		push	offset ??_C@_1BK@ELALMENO@?$AAP?$AAa?$AAg?$AAe?$AAP?$AAr?$AAi?$AAo?$AAr?$AAi?$AAt?$AAy@NNGAKEGL@ ; "P"
		push	edi
		call	RtlQueryImageFileKeyOption
		test	eax, eax
		js	short loc_7D028A
		or	dword ptr [esi], 2

loc_7D028A:				; CODE XREF: PspReadIFEOPerfOptions+43j
		push	0
		push	ebx
		lea	eax, [esi+10h]
		push	eax
		push	ebx
		push	offset ??_C@_1CC@PFOHGJKI@?$AAC?$AAp?$AAu?$AAP?$AAr?$AAi?$AAo?$AAr?$AAi?$AAt?$AAy?$AAC?$AAl?$AAa?$AAs@NNGAKEGL@	; "CpuPriorityClass"
		push	edi
		call	RtlQueryImageFileKeyOption
		test	eax, eax
		jns	short loc_7D02C9

loc_7D02A1:				; CODE XREF: PspReadIFEOPerfOptions+89j
		push	0
		push	ebx
		lea	eax, [esp+18h+var_4]
		push	eax
		push	ebx
		push	offset ??_C@_1CI@MMFMNCAG@?$AAW?$AAo?$AAr?$AAk?$AAi?$AAn?$AAg?$AAS?$AAe?$AAt?$AAL?$AAi?$AAm?$AAi?$AAt@NNGAKEGL@	; "W"
		push	edi
		call	RtlQueryImageFileKeyOption
		test	eax, eax
		jns	loc_8F41D4

loc_7D02BD:				; CODE XREF: PspReadIFEOPerfOptions+123FA0j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7D02C4:				; CODE XREF: PspReadIFEOPerfOptions+2Cj
		or	dword ptr [esi], 1
		jmp	short loc_7D0270
; 

loc_7D02C9:				; CODE XREF: PspReadIFEOPerfOptions+5Dj
		or	[esi], ebx
		jmp	short loc_7D02A1
PspReadIFEOPerfOptions endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2290. RtlQueryImageFileKeyOption

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlQueryImageFileKeyOption
RtlQueryImageFileKeyOption proc	near	; CODE XREF: KiIsDisableFgBoostDecayFeatureStateSet()+29p
					; KiDisableFgBoostDecayRegistryChangeHandler(x)+28p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008F41E7 SIZE 000000D3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_14]
		xor	edx, edx
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	esi, [ebp+arg_0]
		lea	edi, [ebp+var_18]
		mov	[ebp+var_30], eax
		xor	eax, eax
		mov	ebx, [ebp+arg_C]
		stosd
		push	ecx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], edx
		stosd
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_7D034E
		mov	eax, [ebp+arg_10]
		cmp	eax, 8
		jnb	short loc_7D035F
		lea	eax, [ebp+var_1C]
		push	eax
		push	14h
		lea	edi, [ebp+var_18]
		mov	eax, edi
		push	eax
		push	2
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7D03B8
		cmp	esi, 80000005h
		jz	loc_8F41F2

loc_7D034E:				; CODE XREF: RtlQueryImageFileKeyOption+48j
					; RtlQueryImageFileKeyOption+E4j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_7D035F:				; CODE XREF: RtlQueryImageFileKeyOption+50j
		lea	esi, [eax+0Ch]

loc_7D0362:				; CODE XREF: RtlQueryImageFileKeyOption+123F23j
		push	6B497452h
		push	esi
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	loc_8F42B0
		lea	ecx, [ebp+var_1C]
		mov	edi, eax
		push	ecx
		push	esi
		push	eax
		push	2
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_2C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7D03BD
		cmp	esi, 80000005h
		jz	loc_8F41E7

loc_7D03A5:				; CODE XREF: RtlQueryImageFileKeyOption+131j
					; RtlQueryImageFileKeyOption+140j ...
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_7D03B4
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7D03B4:				; CODE XREF: RtlQueryImageFileKeyOption+D8j
		mov	eax, esi
		jmp	short loc_7D034E
; 

loc_7D03B8:				; CODE XREF: RtlQueryImageFileKeyOption+6Ej
		xor	eax, eax
		mov	[ebp+var_20], eax

loc_7D03BD:				; CODE XREF: RtlQueryImageFileKeyOption+C5j
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jz	short loc_7D0414
		mov	ecx, [ebp+arg_10]

loc_7D03C7:				; CODE XREF: RtlQueryImageFileKeyOption+14Dj
		mov	eax, [edi+4]
		cmp	eax, 3
		jz	loc_8F4281
		cmp	eax, 7
		jz	loc_8F4281
		cmp	eax, 4
		jnz	short loc_7D0421
		cmp	edx, eax
		jnz	loc_8F4295
		cmp	ecx, eax
		jnz	short loc_7D045C
		cmp	[edi+8], eax
		jnz	short loc_7D045C
		mov	[ebp+var_1C], eax
		test	ebx, ebx
		jz	short loc_7D0455
		mov	eax, [edi+0Ch]
		mov	[ebx], eax

loc_7D03FE:				; CODE XREF: RtlQueryImageFileKeyOption+17Ej
					; RtlQueryImageFileKeyOption+188j ...
		mov	ecx, [ebp+var_30]
		test	ecx, ecx
		jz	short loc_7D03A5
		test	esi, esi
		js	loc_8F429F

loc_7D040D:				; CODE XREF: RtlQueryImageFileKeyOption+123FD9j
		mov	eax, [ebp+var_1C]
		mov	[ecx], eax
		jmp	short loc_7D03A5
; 

loc_7D0414:				; CODE XREF: RtlQueryImageFileKeyOption+F0j
		mov	ecx, [edi+8]
		cmp	ecx, [ebp+arg_10]
		ja	short loc_7D0452
		mov	edx, [edi+4]
		jmp	short loc_7D03C7
; 

loc_7D0421:				; CODE XREF: RtlQueryImageFileKeyOption+10Dj
		cmp	eax, 0Bh
		jnz	loc_8F41FA
		cmp	edx, eax
		jnz	loc_8F4295
		push	8
		pop	eax
		cmp	ecx, eax
		jnz	short loc_7D045C
		cmp	[edi+8], eax
		jnz	short loc_7D045C
		mov	[ebp+var_1C], eax
		test	ebx, ebx
		jz	short loc_7D0455
		mov	eax, [edi+0Ch]
		mov	[ebx], eax
		mov	eax, [edi+10h]
		mov	[ebx+4], eax
		jmp	short loc_7D03FE
; 

loc_7D0452:				; CODE XREF: RtlQueryImageFileKeyOption+148j
		mov	[ebp+var_1C], ecx

loc_7D0455:				; CODE XREF: RtlQueryImageFileKeyOption+125j
					; RtlQueryImageFileKeyOption+171j ...
		mov	esi, 80000005h
		jmp	short loc_7D03FE
; 

loc_7D045C:				; CODE XREF: RtlQueryImageFileKeyOption+119j
					; RtlQueryImageFileKeyOption+11Ej ...
		mov	esi, 0C0000004h
		jmp	loc_7D03A5
RtlQueryImageFileKeyOption endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 253. CmCallbackReleaseKeyObjectIDEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmCallbackReleaseKeyObjectIDEx(x)
		public _CmCallbackReleaseKeyObjectIDEx@4
_CmCallbackReleaseKeyObjectIDEx@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 624E4D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		pop	ebp
		retn	4
_CmCallbackReleaseKeyObjectIDEx@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpProviderArrivalCallback proc near	; CODE XREF: EtwpEnableGuid+6B5p
					; EtwpEnableGuid+7DBp ...

var_21C		= dword	ptr -21Ch
Length		= dword	ptr -218h
var_214		= dword	ptr -214h
var_20D		= byte ptr -20Dh
var_20C		= dword	ptr -20Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F42BA SIZE 000000B2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 220h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		mov	al, dl
		mov	esi, ecx
		mov	[ebp+var_20D], al
		cmp	[edi+2Ch], ebx
		jz	loc_8F42BA
		test	byte ptr [edi+32h], 20h
		mov	edx, 200h
		jnz	loc_8F42C4
		test	dword ptr [esi+258h], 2000000h
		jnz	loc_8F42C4

loc_7D04D1:				; CODE XREF: EtwpProviderArrivalCallback+123EA8j
		test	byte ptr [edi+32h], 8
		jz	short loc_7D053E
		test	byte ptr [esi+0Ch], 80h
		jnz	short loc_7D0551
		lea	ecx, [ebp+var_20C]
		mov	[ebp+Length], edx
		mov	[ebp+var_214], ecx
		mov	edx, edi
		lea	ecx, [ebp+Length]
		push	ecx
		lea	ecx, [ebp+var_214]
		push	ecx
		mov	cl, al
		call	EtwpLocateDbgIdForRegEntry
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7D052C
		push	[ebp+Length]	; Length
		mov	edx, [ebp+var_214]
		mov	ecx, esi
		call	_EtwpTrackDebugIdForSession@12 ; EtwpTrackDebugIdForSession(x,x,x)
		test	dword ptr [esi+0Ch], 80000h
		jnz	loc_8F432F

loc_7D052C:				; CODE XREF: EtwpProviderArrivalCallback+88j
					; EtwpProviderArrivalCallback+123EC6j ...
		lea	eax, [ebp+var_20C]
		cmp	[ebp+var_214], eax
		jnz	loc_8F435A

loc_7D053E:				; CODE XREF: EtwpProviderArrivalCallback+53j
					; EtwpProviderArrivalCallback+123EE5j
		mov	eax, ebx

loc_7D0540:				; CODE XREF: EtwpProviderArrivalCallback+D4j
					; EtwpProviderArrivalCallback+123E3Dj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7D0551:				; CODE XREF: EtwpProviderArrivalCallback+59j
		mov	eax, 0C00000BBh
		jmp	short loc_7D0540
EtwpProviderArrivalCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpTrackDebugIdForSession(SIZE_T Length)
_EtwpTrackDebugIdForSession@12 proc near ; CODE	XREF: EtwpProviderArrivalCallback+98p

Source2		= dword	ptr -4
Length		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+Source2], edx
		push	esi
		xor	edx, edx
		lea	ecx, [ebx+1F0h]
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebp+Length]
		cmp	esi, 8000h
		ja	short loc_7D05AF
		mov	eax, [ebx+0FCh]
		add	eax, esi
		cmp	eax, [ebx+4]
		ja	short loc_7D05AF
		lea	eax, [ebx+48h]
		push	edi
		mov	edi, [eax]

loc_7D0590:				; CODE XREF: EtwpTrackDebugIdForSession(x,x,x)+43j
		cmp	edi, eax
		jz	short loc_7D05D4
		cmp	[edi+0Ch], esi
		jz	short loc_7D059D

loc_7D0599:				; CODE XREF: EtwpTrackDebugIdForSession(x,x,x)+7Aj
		mov	edi, [edi]
		jmp	short loc_7D0590
; 

loc_7D059D:				; CODE XREF: EtwpTrackDebugIdForSession(x,x,x)+3Fj
		push	esi		; Length
		push	[ebp+Source2]	; Source2
		lea	eax, [edi+10h]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, esi
		jnz	short loc_7D05CF

loc_7D05AE:				; CODE XREF: EtwpTrackDebugIdForSession(x,x,x)+93j
					; EtwpTrackDebugIdForSession(x,x,x)+D4j
		pop	edi

loc_7D05AF:				; CODE XREF: EtwpTrackDebugIdForSession(x,x,x)+23j
					; EtwpTrackDebugIdForSession(x,x,x)+30j
		or	eax, 0FFFFFFFFh
		lea	esi, [ebx+1F0h]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7D062E

loc_7D05C2:				; CODE XREF: EtwpTrackDebugIdForSession(x,x,x)+DDj
		mov	ecx, esi
		call	KeAbPostRelease
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7D05CF:				; CODE XREF: EtwpTrackDebugIdForSession(x,x,x)+54j
		lea	eax, [ebx+48h]
		jmp	short loc_7D0599
; 

loc_7D05D4:				; CODE XREF: EtwpTrackDebugIdForSession(x,x,x)+3Aj
		push	62777445h
		lea	eax, [esi+10h]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7D05AE
		add	[ebx+0FCh], esi
		lea	ecx, [edi+10h]
		push	esi		; size_t
		push	[ebp+Source2]	; void *
		mov	[edi+0Ch], esi
		push	ecx		; void *
		call	_memcpy
		lea	eax, [ebx+48h]
		add	esp, 0Ch
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_7D0637
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[ecx+4], edi
		mov	ecx, 8C0h
		mov	[eax], edi
		lea	eax, [ebx+25Ch]
		mov	byte ptr [edi+8], 0
		lock or	[eax], ecx
		jmp	short loc_7D05AE
; 

loc_7D062E:				; CODE XREF: EtwpTrackDebugIdForSession(x,x,x)+68j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7D05C2
; 

loc_7D0637:				; CODE XREF: EtwpTrackDebugIdForSession(x,x,x)+B6j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_EtwpTrackDebugIdForSession@12 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpLocateDbgIdForRegEntry proc	near	; CODE XREF: EtwpProviderArrivalCallback+7Fp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F436C SIZE 0000000A BYTES

		push	24h
		push	offset dword_6A3DE8
		call	__SEH_prolog4
		mov	bl, cl
		xor	eax, eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], eax
		mov	ecx, [edx+2Ch]
		test	ecx, ecx
		jz	loc_8F436C
		test	bl, bl
		jz	loc_7D06FE
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		lea	edx, [ebp+var_1C]
		call	_MmGetImageInformation@16 ; MmGetImageInformation(x,x,x,x)
		test	eax, eax
		js	short loc_7D06EC

loc_7D067F:				; CODE XREF: EtwpLocateDbgIdForRegEntry+D0j
		and	[ebp+ms_exc.disabled], 0
		lea	eax, [ebp+var_24]
		push	eax
		push	0
		mov	esi, [ebp+var_20]
		push	esi
		mov	eax, [ebp+var_1C]
		and	eax, 0FFFFFFFCh
		push	eax
		push	1
		call	RtlImageNtHeaderEx
		mov	[ebp+var_28], eax
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		test	eax, eax
		js	short loc_7D06EC
		test	esi, esi
		jz	short loc_7D0719

loc_7D06AC:				; CODE XREF: EtwpLocateDbgIdForRegEntry+EBj
		test	eax, eax
		js	short loc_7D06EC
		cmp	bl, 1
		jnz	short loc_7D06D9
		mov	[ebp+ms_exc.disabled], 1
		mov	esi, [ebp+var_20]
		test	esi, esi
		jz	short loc_7D06D6
		mov	ecx, [ebp+var_1C]
		lea	edx, [esi+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_7D0729
		cmp	edx, ecx
		jb	short loc_7D0729

loc_7D06D6:				; CODE XREF: EtwpLocateDbgIdForRegEntry+85j
					; EtwpLocateDbgIdForRegEntry+F0j
		mov	[ebp+ms_exc.disabled], edi

loc_7D06D9:				; CODE XREF: EtwpLocateDbgIdForRegEntry+77j
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	0
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		call	_EtwpFindDebugId@20 ; EtwpFindDebugId(x,x,x,x,x)

loc_7D06EC:				; CODE XREF: EtwpLocateDbgIdForRegEntry+41j
					; EtwpLocateDbgIdForRegEntry+6Aj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7D06FE:				; CODE XREF: EtwpLocateDbgIdForRegEntry+29j
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		call	RtlPcToFileHeader
		cmp	[ebp+var_1C], 0
		jnz	loc_7D067F
		mov	eax, 0C0000225h
		jmp	short loc_7D06EC
; 

loc_7D0719:				; CODE XREF: EtwpLocateDbgIdForRegEntry+6Ej
		lea	edx, [ebp+var_20]
		mov	ecx, [ebp+var_24]
		call	EtwpGetImageSize
		mov	[ebp+var_28], eax
		jmp	short loc_7D06AC
; 

loc_7D0729:				; CODE XREF: EtwpLocateDbgIdForRegEntry+94j
					; EtwpLocateDbgIdForRegEntry+98j
		mov	byte ptr [eax],	0
		jmp	short loc_7D06D6
EtwpLocateDbgIdForRegEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCutoverTimeToSystemTime proc	near	; CODE XREF: ExpRefreshTimeZoneInformation(x)+306p
					; ExpRefreshTimeZoneInformation(x)+36Ap ...

var_34		= dword	ptr -34h
var_30		= word ptr -30h
var_26		= dword	ptr -26h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_1A		= word ptr -1Ah
var_18		= word ptr -18h
var_16		= word ptr -16h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F43AC SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_20]
		stosd
		mov	esi, edx
		mov	[ebp+var_8], esi
		mov	ebx, ecx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+arg_0]
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		xor	ecx, ecx
		cmp	[ebx], cx
		jnz	loc_8F43AC
		xor	eax, eax
		mov	[ebp+var_10], ecx
		lea	edi, [ebp+var_34]
		mov	[ebp+var_C], ecx
		stosd
		stosd
		stosd
		stosd
		movzx	eax, word ptr [ebx+4]
		mov	[ebp+var_4], eax
		cmp	ax, 5
		jg	loc_7D0879
		test	ax, ax
		jz	loc_7D0879
		mov	ax, word ptr [ebp+var_20]
		mov	word ptr [ebp+var_20], ax
		xor	eax, eax
		movzx	ecx, word ptr [ebx+2]
		movzx	esi, word ptr [ebx+0Eh]
		mov	word ptr [ebp+var_20+2], cx
		lea	edi, [eax+1]
		mov	ax, [ebx+6]
		mov	[ebp+var_1A], ax
		mov	ax, [ebx+8]
		mov	[ebp+var_18], ax
		mov	ax, [ebx+0Ah]
		mov	[ebp+var_16], ax
		mov	ax, [ebx+0Ch]
		mov	[ebp+var_14], ax
		xor	eax, eax
		mov	[ebp+var_12], ax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_1C], di
		push	eax
		call	_RtlTimeFieldsToTime@8 ; RtlTimeFieldsToTime(x,x)
		test	al, al
		jz	loc_7D0879
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		mov	ecx, [ebp+var_26]
		cmp	cx, si
		jle	loc_8F43C2
		sub	esi, ecx
		lea	edi, [esi+8]
		movzx	eax, di

loc_7D0802:				; CODE XREF: RtlCutoverTimeToSystemTime+123C9Aj
					; RtlCutoverTimeToSystemTime+123CABj
		mov	esi, [ebp+var_4]
		xor	ecx, ecx
		inc	ecx
		movzx	ebx, ax
		mov	[ebp+arg_0], ecx
		cmp	cx, si
		jge	short loc_7D084C
		movzx	ebx, ax

loc_7D0816:				; CODE XREF: RtlCutoverTimeToSystemTime+11Cj
		lea	eax, [ebp+var_10]
		add	di, 7
		push	eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_1C], di
		push	eax
		call	_RtlTimeFieldsToTime@8 ; RtlTimeFieldsToTime(x,x)
		test	al, al
		jz	short loc_7D084C
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		mov	eax, [ebp+arg_0]
		movzx	ebx, [ebp+var_30]
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	ax, si
		jl	short loc_7D0816

loc_7D084C:				; CODE XREF: RtlCutoverTimeToSystemTime+E3j
					; RtlCutoverTimeToSystemTime+FFj
		lea	eax, [ebp+var_10]
		mov	[ebp+var_1C], bx
		push	eax
		lea	ecx, [ebp+var_20]
		push	ecx
		call	_RtlTimeFieldsToTime@8 ; RtlTimeFieldsToTime(x,x)
		test	al, al
		jz	short loc_7D0879
		mov	edx, [ebp+var_8]
		xor	eax, eax
		mov	ecx, [ebp+var_10]
		inc	eax
		mov	[edx], ecx
		mov	ecx, [ebp+var_C]
		mov	[edx+4], ecx

loc_7D0872:				; CODE XREF: RtlCutoverTimeToSystemTime+14Dj
					; RtlCutoverTimeToSystemTime+123C8Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7D0879:				; CODE XREF: RtlCutoverTimeToSystemTime+4Cj
					; RtlCutoverTimeToSystemTime+55j ...
		xor	al, al
		jmp	short loc_7D0872
RtlCutoverTimeToSystemTime endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 758. IoBuildSynchronousFsdRequest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoBuildSynchronousFsdRequest(x, x, x, x, x,	x, x)
		public _IoBuildSynchronousFsdRequest@28
_IoBuildSynchronousFsdRequest@28 proc near ; CODE XREF:	IoShutdownSystem(x)+61p
					; IoShutdownSystem(x)+136p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	dword ptr [ebp+4] ; int
		push	[ebp+arg_18]	; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; size_t
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		call	_IopBuildSynchronousFsdRequest@32 ; IopBuildSynchronousFsdRequest(x,x,x,x,x,x,x,x)
		pop	ecx
		pop	ebp
		retn	1Ch
_IoBuildSynchronousFsdRequest@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopBuildSynchronousFsdRequest(int,int,void *,size_t,int,int,int,int)
_IopBuildSynchronousFsdRequest@32 proc near
					; CODE XREF: IoBuildSynchronousFsdRequest(x,x,x,x,x,x,x)+1Ep
					; PnpQueryInterface+87p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	[ebp+arg_1C]	; int
		push	[ebp+arg_18]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; size_t
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		call	IopBuildAsynchronousFsdRequest
		mov	esi, eax
		test	esi, esi
		jz	short loc_7D08E6
		mov	eax, [ebp+arg_14]
		mov	ecx, esi
		mov	[esi+2Ch], eax
		call	IopQueueThreadIrp
		mov	eax, esi

loc_7D08E0:				; CODE XREF: IopBuildSynchronousFsdRequest(x,x,x,x,x,x,x,x)+3Ej
		pop	esi
		pop	ecx
		pop	ebp
		retn	20h
; 

loc_7D08E6:				; CODE XREF: IopBuildSynchronousFsdRequest(x,x,x,x,x,x,x,x)+25j
		xor	eax, eax
		jmp	short loc_7D08E0
_IopBuildSynchronousFsdRequest@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLockDeletedHashEntryExclusiveByKcb proc near	; CODE XREF: CmpDiscardKcb(x)+69p
					; CmpCleanUpKcbCacheWithLock+1A5p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F43DE SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+10h]
		mov	ecx, ebx
		push	dword ptr [eax+8]
		mov	[ebp+var_4], eax
		mov	esi, [ebx+43Ch]
		call	_CmpGetDeletedHashIndexInHive@8	; CmpGetDeletedHashIndexInHive(x,x)
		imul	edi, eax, 0Ch
		mov	ecx, ebx
		mov	eax, [ebp+var_4]
		push	dword ptr [eax+8]
		call	_CmpGetDeletedHashIndexInHive@8	; CmpGetDeletedHashIndexInHive(x,x)
		imul	ecx, eax, 0Ch
		xor	edx, edx
		add	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, ebx
		mov	[edi+esi+4], eax
		call	_CmpReferenceHive@4 ; CmpReferenceHive(x)
		test	al, al
		jz	loc_8F43DE
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CmpLockDeletedHashEntryExclusiveByKcb endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall HvAddToLayoutStats(x, x)
_HvAddToLayoutStats@8 proc near		; CODE XREF: HvCheckHive+108p
					; HvCheckBin+136p ...
		add	[ecx+8], edx
		inc	dword ptr [ecx+0Ch]
		retn
_HvAddToLayoutStats@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpReceiveNotification(void *,int)
EtwpReceiveNotification	proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+327p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F43F8 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_8], edx
		mov	eax, [eax+80h]
		push	edi
		mov	[ebp+var_4], ecx
		mov	esi, [eax+19Ch]
		mov	[ebp+var_C], esi
		test	esi, esi
		jz	loc_8F43EE
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esi+8]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_10], eax
		call	ExAcquirePushLockExclusiveEx
		lea	ecx, [esi+0Ch]
		mov	edi, [ecx]
		cmp	edi, ecx
		jz	loc_8F4407
		mov	dl, byte ptr [ebp+arg_0]

loc_7D09AB:				; CODE XREF: EtwpReceiveNotification+123AAEj
		mov	eax, [edi+0Ch]
		mov	al, [eax+33h]
		and	al, 1
		cmp	dl, al
		jnz	loc_8F43F8

loc_7D09BB:				; CODE XREF: EtwpReceiveNotification+123AB4j
		cmp	edi, ecx
		jz	loc_8F4407
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	loc_7D0AAA
		mov	edx, [edi+4]
		cmp	[edx], edi
		jnz	loc_7D0AAA
		mov	[edx], eax
		mov	[eax+4], edx
		mov	eax, [edi+8]
		mov	edx, [ebp+var_8]
		mov	[ebp+arg_0], eax
		cmp	[eax+4], edx
		ja	loc_7D0A86

loc_7D09F0:				; CODE XREF: EtwpReceiveNotification+14Ej
		mov	edx, [eax+4]
		mov	eax, [ebp+arg_4]
		mov	ecx, [ecx]
		mov	[ebp+var_8], ecx
		lea	ecx, [esi+8]
		mov	[eax], edx
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	ebx, ebx
		js	short loc_7D0A6C
		mov	eax, [ebp+arg_0]
		xor	esi, esi
		inc	esi
		lock xadd [eax+14h], esi
		inc	esi
		push	dword ptr [eax+4] ; size_t
		push	eax		; void *
		push	[ebp+var_4]	; void *
		call	_memcpy
		mov	edx, [ebp+var_4]
		add	esp, 0Ch
		mov	ecx, [ebp+arg_0]
		and	dword ptr [edx+18h], 0
		mov	[edx+14h], esi
		movzx	eax, word ptr [edi+18h]
		mov	[edx+18h], eax
		cmp	byte ptr [ecx+0Ch], 0
		jnz	short loc_7D0AA1

loc_7D0A4C:				; CODE XREF: EtwpReceiveNotification+15Aj
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+8], eax
		dec	eax
		jz	short loc_7D0A75

loc_7D0A57:				; CODE XREF: EtwpReceiveNotification+12Fj
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_EtwpReleaseQueueEntry@8 ; EtwpReleaseQueueEntry(x,x)
		mov	eax, [ebp+var_C]
		add	eax, 0Ch
		cmp	[ebp+var_8], eax
		jnz	short loc_7D0A7F

loc_7D0A6C:				; CODE XREF: EtwpReceiveNotification+C7j
					; EtwpReceiveNotification+136j	...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_7D0A75:				; CODE XREF: EtwpReceiveNotification+107j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7D0A57
; 

loc_7D0A7F:				; CODE XREF: EtwpReceiveNotification+11Cj
		mov	ebx, 105h
		jmp	short loc_7D0A6C
; 

loc_7D0A86:				; CODE XREF: EtwpReceiveNotification+9Cj
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_7D0AAA
		mov	[edi], edx
		mov	ebx, 0C0000023h
		mov	[edi+4], ecx
		mov	[edx+4], edi
		mov	[ecx], edi
		jmp	loc_7D09F0
; 

loc_7D0AA1:				; CODE XREF: EtwpReceiveNotification+FCj
		movzx	eax, word ptr [edi+1Ah]
		mov	[edx+10h], eax
		jmp	short loc_7D0A4C
; 

loc_7D0AAA:				; CODE XREF: EtwpReceiveNotification+7Aj
					; EtwpReceiveNotification+85j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
EtwpReceiveNotification	endp


;  S U B	R O U T	I N E 


; __stdcall EtwpReleaseQueueEntry(x, x)
_EtwpReleaseQueueEntry@8 proc near	; CODE XREF: EtwpReceiveNotification+10Ep
					; PAGE:0083599Dp ...
		mov	edi, edi
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, ecx
		test	bl, 2
		jnz	short loc_7D0ADF

loc_7D0ABE:				; CODE XREF: EtwpReleaseQueueEntry(x,x)+3Cj
					; EtwpReleaseQueueEntry(x,x)+47j
		not	ebx
		lea	edx, [esi+1Ch]
		mov	eax, [edx]

loc_7D0AC5:				; CODE XREF: EtwpReleaseQueueEntry(x,x)+1Dj
		mov	ecx, eax
		and	ecx, ebx
		lock cmpxchg [edx], ecx
		jnz	short loc_7D0AC5
		test	ebx, eax
		jnz	short loc_7D0ADB
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7D0ADB:				; CODE XREF: EtwpReleaseQueueEntry(x,x)+21j
		pop	esi
		pop	ebx
		pop	ecx
		retn
; 

loc_7D0ADF:				; CODE XREF: EtwpReleaseQueueEntry(x,x)+Cj
		mov	ecx, [esi+10h]
		call	ObfDereferenceObject
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_7D0ABE
		push	dword ptr [esi+0Ch]
		push	eax
		call	_PsReleaseProcessWakeCounter@8 ; PsReleaseProcessWakeCounter(x,x)
		jmp	short loc_7D0ABE
_EtwpReleaseQueueEntry@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSetWnfProcessNotificationEvent proc near ; DATA XREF:	.text:00580C48o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F4427 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	eax, [ecx+39Ch]
		mov	edi, eax
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	loc_8F4427

loc_7D0B30:				; CODE XREF: NtSetWnfProcessNotificationEvent+123942j
		mov	eax, ds:_ExEventObjectType
		lea	ecx, [ebp+var_8]
		and	[ebp+var_8], 0
		push	0
		push	ecx
		push	1
		push	eax
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D0B6A
		mov	ecx, [ebp+var_8]
		lea	esi, [edi+40h]
		mov	edx, ecx
		xor	eax, eax
		lock cmpxchg [esi], edx
		test	eax, eax
		jnz	loc_8F4441
		xor	esi, esi

loc_7D0B6A:				; CODE XREF: NtSetWnfProcessNotificationEvent+56j
					; NtSetWnfProcessNotificationEvent+123939j ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
NtSetWnfProcessNotificationEvent endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2287. RtlQueryElevationFlags

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlQueryElevationFlags(x)
		public _RtlQueryElevationFlags@4
_RtlQueryElevationFlags@4 proc near	; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+175p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	[ecx], eax
		test	byte ptr ds:0FFDF02F0h,	2
		jz	short loc_7D0B9C
		inc	eax
		mov	[ecx], eax

loc_7D0B9C:				; CODE XREF: RtlQueryElevationFlags(x)+13j
		test	byte ptr ds:0FFDF02F0h,	4
		jz	short loc_7D0BAA
		or	eax, 2
		mov	[ecx], eax

loc_7D0BAA:				; CODE XREF: RtlQueryElevationFlags(x)+1Fj
		test	byte ptr ds:0FFDF02F0h,	8
		jz	short loc_7D0BB8
		or	eax, 4
		mov	[ecx], eax

loc_7D0BB8:				; CODE XREF: RtlQueryElevationFlags(x)+2Dj
		xor	eax, eax
		pop	ebp
		retn	4
_RtlQueryElevationFlags@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpExposeCapturedContextAttribute(x, x, x, x)
_AlpcpExposeCapturedContextAttribute@16	proc near ; CODE XREF: PAGE:0082FB6Ep
					; PAGE:00832B3Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], esi
		test	ebx, ebx
		jz	short loc_7D0C02
		and	dword ptr [ebx+4], 0
		mov	eax, 20000000h
		mov	ecx, [ebp+arg_0]
		test	ecx, eax
		jz	short loc_7D0C02
		push	edi
		mov	edx, eax
		call	_AlpcpGetMessageAttributeOffset@8 ; AlpcpGetMessageAttributeOffset(x,x)
		push	5
		pop	ecx
		lea	edi, [ebx+eax]
		mov	eax, [ebp+var_4]
		rep movsd
		cmp	dword ptr [eax], 0
		pop	edi
		jz	short loc_7D0C02
		or	dword ptr [ebx+4], 20000000h

loc_7D0C02:				; CODE XREF: AlpcpExposeCapturedContextAttribute(x,x,x,x)+12j
					; AlpcpExposeCapturedContextAttribute(x,x,x,x)+22j ...
		pop	esi
		pop	ebx
		leave
		retn	8
_AlpcpExposeCapturedContextAttribute@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpInternEntryCreate proc near		; CODE XREF: RtlInternTableIntern+81p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F4450 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	eax, [ebx]
		sub	esi, eax
		add	eax, 0FFFFFFF0h
		mov	[ebp+var_8], ebx
		cmp	eax, 3F0h
		ja	loc_7D0CF1
		cmp	esi, 400000h
		ja	loc_7D0CF1
		push	[ebp+arg_4]
		mov	eax, [ecx+0Ch]
		push	ecx
		call	dword ptr [eax]
		mov	edi, eax
		test	edi, edi
		jz	loc_7D0CF1
		push	dword ptr [ebx]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebx]
		mov	edx, 3FFh
		and	eax, edx
		shl	esi, 0Ah
		or	eax, esi
		xor	ecx, ecx
		mov	[edi+0Ch], eax
		inc	ecx
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		and	[ebp+arg_0], 0
		mov	[edi+4], eax
		mov	eax, [ebp+var_8]
		mov	[edi+8], ecx
		or	[ebx+0Ch], ecx
		mov	ebx, [edi+0Ch]
		and	ebx, edx
		cmp	dword ptr [eax+8], 0
		jbe	short loc_7D0CE8
		xor	ecx, ecx
		mov	[ebp+var_4], ecx

loc_7D0C8F:				; CODE XREF: RtlpInternEntryCreate+DEj
		mov	eax, [eax+4]
		mov	esi, ebx
		add	eax, ecx
		lea	ecx, [ebx-1]
		mov	[ebp+arg_4], eax
		dec	ebx
		mov	edx, [eax+0Ch]
		add	ecx, edx
		lea	eax, [edx-1]
		and	ecx, eax
		sub	edx, ecx
		add	ebx, edx
		cmp	ebx, esi
		jnz	loc_8F4450

loc_7D0CB3:				; CODE XREF: RtlpInternEntryCreate+12385Bj
		mov	eax, [ebp+arg_4]
		lea	esi, [ebx+edi]
		push	dword ptr [eax+8] ; size_t
		push	dword ptr [eax]	; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		add	ecx, 10h
		add	ebx, [eax+8]
		inc	edx
		mov	[eax+4], esi
		mov	eax, [ebp+var_8]
		mov	[ebp+arg_0], edx
		mov	[ebp+var_4], ecx
		cmp	edx, [eax+8]
		jb	short loc_7D0C8F

loc_7D0CE8:				; CODE XREF: RtlpInternEntryCreate+80j
					; RtlpInternEntryCreate+EBj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7D0CF1:				; CODE XREF: RtlpInternEntryCreate+1Ej
					; RtlpInternEntryCreate+2Aj ...
		xor	edi, edi
		jmp	short loc_7D0CE8
RtlpInternEntryCreate endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtInternerAllocate(x, x)
_PopEtInternerAllocate@8 proc near	; DATA XREF: PopEtInit+66o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	54456F50h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_PopEtInternerAllocate@8 endp


;  S U B	R O U T	I N E 


RtlpInsertStringAtom proc near		; CODE XREF: RtlAddAtomToAtomTableEx+107p

; FUNCTION CHUNK AT 008F4468 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	ebx, ecx
		push	eax
		push	eax
		push	eax
		mov	ecx, [ebx+0Ch]
		mov	edi, edx
		call	ExCreateHandleEx
		mov	esi, eax
		test	esi, esi
		jz	short loc_7D0D66
		shr	eax, 2
		mov	edx, 0FFFFh
		cmp	eax, edx
		ja	loc_8F4468
		lea	ecx, [eax+0C000h]
		cmp	ecx, eax
		jb	loc_8F4468
		cmp	ecx, edx
		ja	loc_8F4468
		movzx	eax, ax
		mov	[edi+4], ax
		add	eax, 0FFFFC000h
		mov	[edi+6], ax
		mov	al, 1

loc_7D0D62:				; CODE XREF: RtlpInsertStringAtom+5Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7D0D66:				; CODE XREF: RtlpInsertStringAtom+1Aj
					; RtlpInsertStringAtom+123789j
		xor	al, al
		jmp	short loc_7D0D62
RtlpInsertStringAtom endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlDecompressFragmentLZNT1 proc	near	; DATA XREF: PAGE:00A4087Co

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 008F449C SIZE 0000008F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		mov	ebx, [ebp+arg_8]
		xor	eax, eax
		push	esi
		xor	edx, edx
		mov	word ptr [esp+3Ch+var_30], ax
		mov	eax, [ebp+arg_4]
		mov	esi, edx
		add	eax, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_C]
		push	edx
		mov	[esp+44h+var_20], eax
		add	edi, ebx
		push	1
		lea	eax, [esp+48h+var_18]
		mov	[esp+48h+var_24], edi
		push	eax
		mov	[esp+4Ch+var_2C], edx
		mov	[esp+4Ch+var_18], edx
		mov	[esp+4Ch+var_14], edx
		mov	[esp+4Ch+var_10], edx
		mov	[esp+4Ch+var_C], edx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		and	[esp+40h+var_4], esi
		mov	[esp+40h+var_8], 1
		test	bl, 1
		jnz	loc_8F449C
		mov	ax, [ebx]
		mov	word ptr [esp+40h+var_30], ax

loc_7D0DD7:				; CODE XREF: RtlDecompressFragmentLZNT1+12373Fj
		mov	ecx, [ebp+arg_10]
		mov	edx, 1000h

loc_7D0DDF:				; CODE XREF: RtlDecompressFragmentLZNT1+C3j
		mov	eax, [esp+40h+var_30]
		and	eax, 0FFFh
		mov	[esp+40h+var_28], edx
		add	eax, 3
		cmp	ecx, edx
		jb	short loc_7D0E34
		add	eax, ebx
		cmp	eax, edi
		ja	loc_8F451C
		mov	ebx, eax
		sub	ecx, edx
		lea	eax, [edi-2]
		mov	[ebp+arg_10], ecx
		cmp	ebx, eax
		ja	loc_8F44AE
		test	bl, 1
		jz	loc_7D0F1F
		mov	al, [ebx]
		mov	byte ptr [esp+40h+var_30], al
		mov	al, [ebx+1]
		mov	byte ptr [esp+40h+var_30+1], al
		mov	ax, word ptr [esp+40h+var_30]

loc_7D0E2A:				; CODE XREF: RtlDecompressFragmentLZNT1+1BDj
		test	ax, ax
		jnz	short loc_7D0DDF
		jmp	loc_8F44AE
; 

loc_7D0E34:				; CODE XREF: RtlDecompressFragmentLZNT1+87j
		mov	edi, [ebp+arg_0]
		add	eax, ebx
		mov	[esp+40h+var_1C], eax
		cmp	eax, [esp+40h+var_24]
		ja	loc_8F451C

loc_7D0E47:				; CODE XREF: RtlDecompressFragmentLZNT1+19Cj
		sub	edx, ecx
		cmp	edx, [ebp+arg_4]
		jnb	loc_7D0F2C

loc_7D0E52:				; CODE XREF: RtlDecompressFragmentLZNT1+1C5j
		test	[esp+40h+var_30], 8000h
		mov	[esp+40h+var_2C], edx
		jz	loc_8F44DB
		test	ecx, ecx
		jnz	loc_7D0F6F
		cmp	edx, 1000h
		jnz	loc_7D0F6F
		mov	ecx, [ebp+arg_14]
		add	ebx, 2
		test	ecx, ecx
		jz	loc_8F44BA
		push	ecx
		push	eax
		push	ebx
		push	[esp+4Ch+var_20]
		mov	edx, edi
		lea	ecx, [esp+50h+var_18]
		call	_LZNT1DecompressChunkNewThread@24 ; LZNT1DecompressChunkNewThread(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8F44D5
		mov	eax, [ebp+arg_14]
		mov	[esp+40h+var_2C], eax

loc_7D0EA9:				; CODE XREF: RtlDecompressFragmentLZNT1+251j
					; RtlDecompressFragmentLZNT1+123765j
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		add	edi, [esp+40h+var_2C]
		sub	eax, [esp+40h+var_2C]
		mov	[ebp+arg_10], ecx
		mov	[ebp+arg_4], eax
		jz	short loc_7D0F34
		mov	edx, [esp+40h+var_24]
		mov	ebx, [esp+40h+var_1C]
		lea	eax, [edx-2]
		cmp	ebx, eax
		ja	short loc_7D0F34
		test	bl, 1
		jnz	short loc_7D0F0B
		mov	ax, [ebx]
		mov	word ptr [esp+40h+var_30], ax

loc_7D0EDA:				; CODE XREF: RtlDecompressFragmentLZNT1+1B3j
		test	ax, ax
		jz	short loc_7D0F34
		mov	eax, [esp+40h+var_30]
		and	eax, 0FFFh
		mov	[esp+40h+var_28], 1000h
		add	eax, 3
		add	eax, ebx
		mov	[esp+40h+var_1C], eax
		cmp	eax, edx
		ja	loc_8F451C
		mov	edx, 1000h
		jmp	loc_7D0E47
; 

loc_7D0F0B:				; CODE XREF: RtlDecompressFragmentLZNT1+166j
		mov	al, [ebx]
		mov	byte ptr [esp+40h+var_30], al
		mov	al, [ebx+1]
		mov	byte ptr [esp+40h+var_30+1], al
		mov	ax, word ptr [esp+40h+var_30]
		jmp	short loc_7D0EDA
; 

loc_7D0F1F:				; CODE XREF: RtlDecompressFragmentLZNT1+A8j
		mov	ax, [ebx]
		mov	word ptr [esp+40h+var_30], ax
		jmp	loc_7D0E2A
; 

loc_7D0F2C:				; CODE XREF: RtlDecompressFragmentLZNT1+E2j
		mov	edx, [ebp+arg_4]
		jmp	loc_7D0E52
; 

loc_7D0F34:				; CODE XREF: RtlDecompressFragmentLZNT1+152j
					; RtlDecompressFragmentLZNT1+161j ...
		mov	eax, [ebp+arg_18]
		sub	edi, [ebp+arg_0]
		mov	[eax], edi

loc_7D0F3C:				; CODE XREF: RtlDecompressFragmentLZNT1+12374Bj
					; RtlDecompressFragmentLZNT1+123793j ...
		or	eax, 0FFFFFFFFh
		lock xadd [esp+40h+var_8], eax
		jz	short loc_7D0FC0

loc_7D0F47:				; CODE XREF: RtlDecompressFragmentLZNT1+264j
		push	0
		push	0
		push	0
		push	0
		lea	eax, [esp+50h+var_18]
		push	eax
		call	KeWaitForSingleObject
		test	esi, esi
		js	short loc_7D0F64
		cmp	[esp+40h+var_4], 0
		jl	short loc_7D0FD3

loc_7D0F64:				; CODE XREF: RtlDecompressFragmentLZNT1+1F1j
					; RtlDecompressFragmentLZNT1+26Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_7D0F6F:				; CODE XREF: RtlDecompressFragmentLZNT1+FCj
					; RtlDecompressFragmentLZNT1+108j
		lea	ecx, [esp+40h+var_28]
		push	ecx
		mov	ecx, [ebp+arg_1C]
		push	eax
		lea	eax, [ebx+2]
		push	eax
		lea	eax, [ecx+1000h]
		push	eax
		push	ecx
		call	_LZNT1DecompressChunk@20 ; LZNT1DecompressChunk(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8F44F4
		mov	ecx, [esp+40h+var_28]
		mov	eax, ecx
		mov	ebx, [ebp+arg_10]
		sub	eax, ebx
		mov	edx, [ebp+arg_1C]
		add	edx, ebx
		cmp	eax, [esp+40h+var_2C]
		jb	loc_8F4502
		push	[esp+40h+var_2C] ; size_t
		push	edx		; void *

loc_7D0FB2:				; CODE XREF: RtlDecompressFragmentLZNT1+123785j
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_7D0EA9
; 

loc_7D0FC0:				; CODE XREF: RtlDecompressFragmentLZNT1+1DBj
		push	0
		push	0
		lea	eax, [esp+48h+var_18]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_7D0F47
; 

loc_7D0FD3:				; CODE XREF: RtlDecompressFragmentLZNT1+1F8j
		mov	esi, [esp+40h+var_4]
		jmp	short loc_7D0F64
RtlDecompressFragmentLZNT1 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlDecompressBufferLZNT1 proc near	; DATA XREF: .text:00403FA4o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008F452B SIZE 000000BA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		mov	ebx, [ebp+arg_8]
		xor	eax, eax
		push	esi
		mov	word ptr [esp+34h+var_2C], ax
		xor	edx, edx
		mov	eax, [ebp+arg_4]
		mov	esi, edx
		push	edi
		mov	edi, [ebp+arg_0]
		add	eax, edi
		mov	[esp+38h+var_20], eax
		mov	eax, [ebp+arg_C]
		add	eax, ebx
		mov	[esp+38h+var_18], edx
		push	edx
		mov	[esp+3Ch+var_24], eax
		lea	eax, [esp+3Ch+var_18]
		push	1
		push	eax
		mov	[esp+44h+var_14], edx
		mov	[esp+44h+var_10], edx
		mov	[esp+44h+var_C], edx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		and	[esp+38h+var_4], esi
		mov	[esp+38h+var_8], 1
		test	bl, 1
		jnz	loc_8F452B
		mov	ax, [ebx]
		mov	word ptr [esp+38h+var_2C], ax

loc_7D1045:				; CODE XREF: RtlDecompressBufferLZNT1+12355Ej
		mov	eax, [esp+38h+var_2C]
		and	[esp+38h+var_28], esi
		and	eax, 0FFFh
		add	eax, 3
		lea	edx, [eax+ebx]
		mov	[esp+38h+var_1C], edx
		cmp	edx, [esp+38h+var_24]
		ja	loc_7D110A
		mov	ecx, [esp+38h+var_2C]

loc_7D106A:				; CODE XREF: RtlDecompressBufferLZNT1+12Aj
		test	ecx, 8000h
		jz	loc_8F4563
		add	ebx, 2
		cmp	[ebp+arg_10], 0
		jz	loc_8F453D
		push	[ebp+arg_10]
		lea	ecx, [esp+3Ch+var_18]
		push	edx
		mov	edx, [esp+40h+var_20]
		push	ebx
		push	edx
		mov	edx, edi
		call	_LZNT1DecompressChunkNewThread@24 ; LZNT1DecompressChunkNewThread(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8F4555
		mov	ecx, [ebp+arg_10]
		mov	[esp+38h+var_28], ecx

loc_7D10A9:				; CODE XREF: RtlDecompressBufferLZNT1+1235CDj
		mov	edx, [esp+38h+var_20]
		add	edi, ecx
		mov	ebx, [esp+38h+var_1C]
		cmp	edi, edx
		jz	short loc_7D1120
		mov	eax, [esp+38h+var_24]
		add	eax, 0FFFFFFFEh
		cmp	ebx, eax
		ja	short loc_7D1120
		test	bl, 1
		jz	short loc_7D1116
		mov	al, [ebx]
		mov	byte ptr [esp+38h+var_2C], al
		mov	al, [ebx+1]
		mov	byte ptr [esp+38h+var_2C+1], al
		mov	ax, word ptr [esp+38h+var_2C]

loc_7D10D9:				; CODE XREF: RtlDecompressBufferLZNT1+144j
		test	ax, ax
		jz	short loc_7D1120
		mov	eax, 1000h
		cmp	ecx, eax
		jb	loc_8F45AC

loc_7D10EB:				; CODE XREF: RtlDecompressBufferLZNT1+1235F3j
		mov	ecx, [esp+38h+var_2C]
		mov	eax, ecx
		and	eax, 0FFFh
		add	eax, 3
		lea	edx, [eax+ebx]
		mov	[esp+38h+var_1C], edx
		cmp	edx, [esp+38h+var_24]
		jbe	loc_7D106A

loc_7D110A:				; CODE XREF: RtlDecompressBufferLZNT1+86j
					; RtlDecompressBufferLZNT1+12358Cj ...
		mov	eax, [ebp+arg_14]

loc_7D110D:				; CODE XREF: RtlDecompressBufferLZNT1+14Dj
		mov	esi, 0C0000242h
		mov	[eax], ebx
		jmp	short loc_7D112E
; 

loc_7D1116:				; CODE XREF: RtlDecompressBufferLZNT1+EBj
		mov	ax, [ebx]
		mov	word ptr [esp+38h+var_2C], ax
		jmp	short loc_7D10D9
; 

loc_7D1120:				; CODE XREF: RtlDecompressBufferLZNT1+DBj
					; RtlDecompressBufferLZNT1+E6j	...
		mov	eax, [ebp+arg_14]
		cmp	ebx, [esp+38h+var_24]
		ja	short loc_7D110D
		sub	edi, [ebp+arg_0]
		mov	[eax], edi

loc_7D112E:				; CODE XREF: RtlDecompressBufferLZNT1+13Aj
					; RtlDecompressBufferLZNT1+123584j
		or	eax, 0FFFFFFFFh
		lock xadd [esp+38h+var_8], eax
		jz	loc_8F45D2
		xor	ebx, ebx

loc_7D113F:				; CODE XREF: RtlDecompressBufferLZNT1+123606j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+48h+var_18]
		push	eax
		call	KeWaitForSingleObject
		test	esi, esi
		js	short loc_7D1158
		cmp	[esp+38h+var_4], 0
		jl	short loc_7D1163

loc_7D1158:				; CODE XREF: RtlDecompressBufferLZNT1+175j
					; RtlDecompressBufferLZNT1+18Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_7D1163:				; CODE XREF: RtlDecompressBufferLZNT1+17Cj
		mov	esi, [esp+38h+var_4]
		jmp	short loc_7D1158
RtlDecompressBufferLZNT1 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateSymbolicLinkObject proc	near	; CODE XREF: CreateSystemRootLink+1C2p
					; CreateSystemRootLink+280p ...

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F45E5 SIZE 0000002C BYTES
; FUNCTION CHUNK AT 008F4637 SIZE 00000022 BYTES

		push	0A8h
		push	offset dword_6A3E78
		call	__SEH_prolog4_GS
		mov	edi, [ebp+arg_0]
		mov	ebx, [ebp+arg_8]
		mov	esi, [ebp+arg_C]
		xor	eax, eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_88], eax
		mov	[ebp+var_98], eax
		mov	[ebp+var_94], eax
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	0
		lea	eax, [ebp+var_8C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_A4], al
		test	al, al
		jz	loc_7D1458
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, ebx
		test	bl, 3
		jnz	loc_7D148A
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8F45E5

loc_7D11ED:				; CODE XREF: NtCreateSymbolicLinkObject+12347Dj
		nop
		mov	al, [ecx]
		mov	eax, [ebx+8]
		mov	[ebp+var_90], eax
		test	eax, eax
		jz	short loc_7D1244
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_8F45EC

loc_7D120B:				; CODE XREF: NtCreateSymbolicLinkObject+123484j
		nop
		mov	al, [eax]
		mov	eax, [ebp+var_90]
		mov	edx, [eax]
		mov	[ebp+var_98], edx
		mov	ecx, [eax+4]
		mov	[ebp+var_94], ecx
		test	dx, dx
		jz	short loc_7D1244
		movzx	edx, dx
		add	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	loc_8F45F3
		cmp	edx, ecx
		jb	loc_8F45F3

loc_7D1244:				; CODE XREF: NtCreateSymbolicLinkObject+91j
					; NtCreateSymbolicLinkObject+BEj ...
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8F45FB

loc_7D1253:				; CODE XREF: NtCreateSymbolicLinkObject+123493j
		nop
		mov	al, [ecx]
		mov	eax, [esi]
		mov	[ebp+var_8C], eax
		mov	ecx, [esi+4]
		mov	[ebp+var_88], ecx
		shr	eax, 10h
		test	ax, ax
		jz	short loc_7D128D
		movzx	edx, word ptr [ebp+var_8C+2]
		add	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	loc_8F4602
		cmp	edx, ecx
		jb	loc_8F4602

loc_7D128D:				; CODE XREF: NtCreateSymbolicLinkObject+103j
					; NtCreateSymbolicLinkObject+12349Bj
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_8F460A

loc_7D129C:				; CODE XREF: NtCreateSymbolicLinkObject+1234A2j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_88]
		mov	ecx, [ebp+var_8C]

loc_7D12B3:				; CODE XREF: NtCreateSymbolicLinkObject+304j
					; NtCreateSymbolicLinkObject+31Bj
		mov	eax, ecx
		shr	eax, 10h
		mov	edx, eax
		test	al, 1
		jnz	loc_8F4637

loc_7D12C2:				; CODE XREF: NtCreateSymbolicLinkObject+1234E0j
		mov	ax, word ptr [ebp+var_8C+2]
		test	ax, ax
		jz	loc_8F464F
		cmp	word ptr [ebp+var_8C], ax
		ja	loc_8F464F
		test	byte ptr [ebp+var_8C], 1
		jnz	loc_8F464F
		and	[ebp+var_B8], 0
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_B0], esi
		push	[ebp+var_A4]
		lea	eax, [ebp+var_B8]
		push	eax
		push	ebx
		mov	esi, [ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		call	ObCreateSymbolicLink
		mov	edi, eax
		mov	[ebp+var_90], edi
		mov	[ebp+var_AC], edi
		mov	[ebp+var_A8], esi
		mov	esi, _EtwApiCallsProvRegHandle
		mov	ecx, esi
		mov	ebx, dword_6BC5D4
		or	ecx, ebx
		jz	loc_7D1444
		xor	ecx, ecx
		mov	[ebp+var_9C], ecx
		mov	edx, ecx
		mov	eax, [ebp+var_94]
		test	eax, eax
		jz	short loc_7D136E
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], ecx
		movzx	eax, word ptr [ebp+var_98]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], ecx
		inc	edx

loc_7D136E:				; CODE XREF: NtCreateSymbolicLinkObject+1EBj
		mov	eax, edx
		add	eax, eax
		lea	edi, [ebp+var_9C]
		mov	[ebp+eax*8+var_84], edi
		mov	[ebp+eax*8+var_80], ecx
		mov	[ebp+eax*8+var_7C], 2
		mov	[ebp+eax*8+var_78], ecx
		inc	edx
		mov	eax, [ebp+var_88]
		test	eax, eax
		jz	short loc_7D13BD
		mov	ecx, edx
		add	ecx, ecx
		mov	[ebp+ecx*8+var_84], eax
		and	[ebp+ecx*8+var_80], 0
		movzx	eax, word ptr [ebp+var_8C]
		mov	[ebp+ecx*8+var_7C], eax
		and	[ebp+ecx*8+var_78], 0
		inc	edx
		xor	ecx, ecx

loc_7D13BD:				; CODE XREF: NtCreateSymbolicLinkObject+22Ej
		mov	eax, edx
		add	eax, eax
		lea	edi, [ebp+var_9C]
		mov	[ebp+eax*8+var_84], edi
		mov	[ebp+eax*8+var_80], ecx
		mov	[ebp+eax*8+var_7C], 2
		mov	[ebp+eax*8+var_78], ecx
		lea	eax, [edx+1]
		add	eax, eax
		lea	ecx, [ebp+var_A8]
		mov	[ebp+eax*8+var_84], ecx
		and	[ebp+eax*8+var_80], 0
		mov	[ebp+eax*8+var_7C], 4
		and	[ebp+eax*8+var_78], 0
		lea	eax, [edx+2]
		add	eax, eax
		lea	ecx, [ebp+var_AC]
		mov	[ebp+eax*8+var_84], ecx
		xor	ecx, ecx
		mov	[ebp+eax*8+var_80], ecx
		mov	[ebp+eax*8+var_7C], 4
		mov	[ebp+eax*8+var_78], ecx
		lea	eax, [ebp+var_84]
		push	eax
		lea	eax, [edx+3]
		push	eax
		push	ecx
		push	offset _KERNEL_AUDIT_API_CREATESYMBOLICLINKOBJECT
		push	ebx
		push	esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	edi, [ebp+var_90]

loc_7D1444:				; CODE XREF: NtCreateSymbolicLinkObject+1D3j
		mov	eax, edi

loc_7D1446:				; CODE XREF: sub_8F4622+10j
					; NtCreateSymbolicLinkObject+1234EAj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7D1458:				; CODE XREF: NtCreateSymbolicLinkObject+61j
		mov	ecx, [esi]
		mov	[ebp+var_8C], ecx
		mov	esi, [esi+4]
		mov	[ebp+var_88], esi
		mov	edx, [ebx+8]
		test	edx, edx
		jz	loc_7D12B3
		mov	eax, [edx]
		mov	[ebp+var_98], eax
		mov	eax, [edx+4]
		mov	[ebp+var_94], eax
		jmp	loc_7D12B3
; 

loc_7D148A:				; CODE XREF: NtCreateSymbolicLinkObject+70j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
NtCreateSymbolicLinkObject endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObCreateSymbolicLink proc near		; CODE XREF: NtCreateSymbolicLinkObject+1AAp
					; MiCreateMemoryEvent+F0p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F4659 SIZE 0000000A BYTES

		push	1Ch
		push	offset dword_6A3E98
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	[ebp+var_28], ecx
		xor	edi, edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		mov	edx, _ObpSymbolicLinkObjectType
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		push	edi
		push	20h
		push	ecx
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		mov	cl, byte ptr [ebp+arg_8]
		call	ObCreateObjectEx
		mov	ebx, eax
		mov	esi, [ebp+var_1C]
		test	ebx, ebx
		js	loc_7D1579
		push	esi
		call	KeQuerySystemTime
		mov	[esi+10h], edi
		mov	[esi+14h], edi
		mov	ebx, [ebp+arg_4]
		test	byte ptr [ebx],	1
		jnz	loc_7D1597
		mov	ax, [ebx+6]
		mov	[esi+0Ah], ax
		mov	ax, [ebx+4]
		mov	[esi+8], ax
		push	746D7953h
		movzx	eax, word ptr [ebx+6]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esi+0Ch], ecx
		test	ecx, ecx
		jz	loc_8F4659
		mov	[ebp+ms_exc.disabled], edi
		movzx	eax, word ptr [ebx+6]
		push	eax		; size_t
		push	dword ptr [ebx+8] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D1536:				; CODE XREF: ObCreateSymbolicLink+11Aj
		push	[ebp+arg_8]
		push	edi
		call	RtlIsSandboxedToken
		test	al, al
		jnz	short loc_7D1591

loc_7D1543:				; CODE XREF: ObCreateSymbolicLink+105j
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		push	edi
		push	edi
		push	[ebp+var_24]
		xor	edx, edx
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	esi, edi
		mov	[ebp+var_1C], esi
		test	ebx, ebx
		js	short loc_7D1579
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_28]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D1577:				; CODE XREF: sub_8F4667+Fj
		mov	ebx, edi

loc_7D1579:				; CODE XREF: ObCreateSymbolicLink+3Fj
					; ObCreateSymbolicLink+CFj ...
		test	esi, esi
		jnz	short loc_7D15AC

loc_7D157D:				; CODE XREF: ObCreateSymbolicLink+123j
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7D1591:				; CODE XREF: ObCreateSymbolicLink+B1j
		or	dword ptr [esi+14h], 2
		jmp	short loc_7D1543
; 

loc_7D1597:				; CODE XREF: ObCreateSymbolicLink+57j
		mov	dword ptr [esi+14h], 10h
		mov	eax, [ebx+4]
		mov	[esi+8], eax
		mov	eax, [ebx+8]
		mov	[esi+0Ch], eax
		jmp	short loc_7D1536
; 

loc_7D15AC:				; CODE XREF: ObCreateSymbolicLink+EBj
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_7D157D
ObCreateSymbolicLink endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSwitchBaseAddress proc near		; CODE XREF: MiRelocateImageAgain+129p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F469E SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx+38h]
		push	ebx
		mov	ebx, [ecx]
		push	esi
		mov	esi, [eax+10h]
		mov	eax, edx
		push	edi
		sub	eax, [ebx+18h]
		mov	[ebp+var_4], ecx
		mov	edi, [esi+14h]
		mov	[esi+14h], eax
		mov	ecx, [ebx+24h]
		mov	[ebx+18h], edx
		mov	[ebp+var_8], eax
		mov	eax, [esi+14h]
		add	[ecx], eax
		mov	[ebp+var_C], esi
		mov	esi, [esi+8]

loc_7D15EB:				; CODE XREF: MiSwitchBaseAddress+7Cj
		test	esi, esi
		jnz	short loc_7D1627
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		push	2
		call	_MiWalkEntireImage@16 ;	MiWalkEntireImage(x,x,x,x)
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+var_8]
		add	eax, edi
		mov	[esi+14h], eax
		mov	esi, [esi+8]
		test	esi, esi
		jnz	short loc_7D1634

loc_7D1611:				; CODE XREF: MiSwitchBaseAddress+8Fj
		mov	eax, 2000h
		test	[ebx+8], ax
		jnz	loc_8F469E

loc_7D1620:				; CODE XREF: MiSwitchBaseAddress+123111j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7D1627:				; CODE XREF: MiSwitchBaseAddress+37j
		push	edi
		lea	edx, [esi+10h]
		call	_MiApplyBytestreamFixup@12 ; MiApplyBytestreamFixup(x,x,x)
		mov	esi, [esi]
		jmp	short loc_7D15EB
; 

loc_7D1634:				; CODE XREF: MiSwitchBaseAddress+59j
		neg	edi

loc_7D1636:				; CODE XREF: MiSwitchBaseAddress+8Dj
		push	edi
		lea	edx, [esi+10h]
		call	_MiApplyBytestreamFixup@12 ; MiApplyBytestreamFixup(x,x,x)
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_7D1636
		jmp	short loc_7D1611
MiSwitchBaseAddress endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtWriteVirtualMemory(x, x, x, x, x)
_NtWriteVirtualMemory@20 proc near	; DATA XREF: .text:00580B94o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	20h
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	MiReadWriteVirtualMemory
		pop	ebp
		retn	14h
_NtWriteVirtualMemory@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspAssignProcessQuotaBlock proc	near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+F83p
					; PspSetQuotaLimits+11F7C2p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_65		= byte ptr -65h
var_64		= dword	ptr -64h
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F46CC SIZE 0000007B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	44h		; size_t
		push	eax		; int
		mov	[ebp+var_74], eax
		mov	ebx, ecx
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_64]
		push	eax		; void *
		mov	[ebp+var_7C], edx
		mov	[ebp+var_78], ebx
		call	_memset
		add	esp, 0Ch
		lea	edx, [ebp+var_64]
		xor	al, al
		xor	edi, edi
		mov	[ebp+var_65], al
		mov	ecx, esi
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_70], edi
		push	eax
		push	44h
		call	_SeQueryUserSidToken@16	; SeQueryUserSidToken(x,x,x,x)
		test	ebx, ebx
		jnz	loc_8F46CC

loc_7D16C4:				; CODE XREF: PspAssignProcessQuotaBlock+123068j
		mov	ebx, [ebp+var_6C]
		lea	edi, [ebp+var_64]
		mov	al, [ebp+var_65]
		mov	[ebp+var_70], edi

loc_7D16D0:				; CODE XREF: PspAssignProcessQuotaBlock+123075j
		push	0
		movzx	eax, al
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	PspLookupProcessQuotaBlock
		mov	esi, eax
		test	esi, esi
		jnz	loc_7D1778
		cmp	[ebp+var_78], eax
		jnz	loc_7D183D
		lea	eax, [ebp+var_18]
		push	eax
		lea	edx, [ebp+var_74]
		lea	ecx, [ebp+var_64]
		call	PspReadUserQuotaLimits
		mov	edi, eax
		test	edi, edi
		js	loc_8F4740
		cmp	[ebp+var_74], esi
		jz	loc_7D1838
		mov	ebx, large fs:124h
		and	[ebp+var_70], esi
		and	[ebp+var_6C], esi
		mov	edi, ds:_PspQuotaBlockTable
		dec	word ptr [ebx+13Ch]
		mov	[ebp+var_65], 1
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	esi, ds:_PspDefaultQuotaBlock
		test	esi, esi
		jz	short loc_7D17A3
		mov	ecx, esi
		call	_PspSafeReferenceQuotaBlock@4 ;	PspSafeReferenceQuotaBlock(x)
		test	eax, eax
		jz	short loc_7D17A3
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	loc_7D182C

loc_7D1763:				; CODE XREF: PspAssignProcessQuotaBlock+1CBj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lock inc dword ptr [esi+204h]

loc_7D1778:				; CODE XREF: PspAssignProcessQuotaBlock+7Bj
					; PspAssignProcessQuotaBlock+1B9j ...
		mov	eax, [ebp+var_7C]
		cmp	dword ptr [eax+188h], 0
		lea	edx, [eax+188h]
		jnz	loc_8F4714
		mov	[edx], esi

loc_7D1790:				; CODE XREF: PspAssignProcessQuotaBlock+1230BBj
		xor	eax, eax

loc_7D1792:				; CODE XREF: PspAssignProcessQuotaBlock+1230DAj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7D17A3:				; CODE XREF: PspAssignProcessQuotaBlock+DCj
					; PspAssignProcessQuotaBlock+E7j
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_7D17B8
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7D17B8:				; CODE XREF: PspAssignProcessQuotaBlock+147j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ebx, [ebp+var_6C]
		mov	edi, offset _PspDefaultResourceLimits

loc_7D17CE:				; CODE XREF: PspAssignProcessQuotaBlock+1D3j
					; PspAssignProcessQuotaBlock+1D7j
		push	62517350h
		lea	eax, [ebx+240h]
		push	eax
		push	204h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8F46E2
		mov	ecx, [ebp+var_78]
		mov	edx, edi
		push	esi		; void *
		call	PspInitializeQuotaBlock
		mov	edi, eax
		test	edi, edi
		js	loc_8F472E
		mov	edi, [ebp+var_70]
		test	edi, edi
		jnz	loc_8F46E9

loc_7D180E:				; CODE XREF: PspAssignProcessQuotaBlock+123092j
		movzx	eax, [ebp+var_65]
		mov	edx, ebx
		push	esi
		push	eax
		mov	ecx, edi
		call	PspLookupProcessQuotaBlock
		mov	edi, eax
		test	edi, edi
		jz	loc_7D1778
		jmp	loc_8F46FF
; 

loc_7D182C:				; CODE XREF: PspAssignProcessQuotaBlock+F5j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_7D1763
; 

loc_7D1838:				; CODE XREF: PspAssignProcessQuotaBlock+A6j
		lea	edi, [ebp+var_18]
		jmp	short loc_7D17CE
; 

loc_7D183D:				; CODE XREF: PspAssignProcessQuotaBlock+84j
		xor	edi, edi
		jmp	short loc_7D17CE
PspAssignProcessQuotaBlock endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspLookupProcessQuotaBlock proc	near	; CODE XREF: PspAssignProcessQuotaBlock+72p
					; PspAssignProcessQuotaBlock+1B0p

var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F4747 SIZE 000000A8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, large fs:124h
		mov	eax, ecx
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ebx
		call	@PspHashKeyValue@8 ; PspHashKeyValue(x,x)
		imul	esi, eax, 0Ch
		xor	edi, edi
		add	esi, ds:_PspQuotaBlockTable
		dec	word ptr [ebx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		cmp	[ebp+arg_4], edi
		jnz	loc_7D190D
		call	ExAcquirePushLockSharedEx

loc_7D1886:				; CODE XREF: PspLookupProcessQuotaBlock+D0j
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	loc_7D1917
		lea	eax, [esi+4]
		mov	ebx, [eax]

loc_7D1896:				; CODE XREF: PspLookupProcessQuotaBlock+122F26j
		cmp	ebx, eax
		jnz	loc_8F4747

loc_7D189E:				; CODE XREF: PspLookupProcessQuotaBlock+D8j
					; PspLookupProcessQuotaBlock+E2j ...
		mov	ecx, [ebp+arg_4]

loc_7D18A1:				; CODE XREF: PspLookupProcessQuotaBlock+122F68j
		test	ecx, ecx
		jnz	short loc_7D18C9
		push	11h
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jnz	short loc_7D192F

loc_7D18B1:				; CODE XREF: PspLookupProcessQuotaBlock+F4j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_7D18C0:				; CODE XREF: PspLookupProcessQuotaBlock+C9j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7D18C9:				; CODE XREF: PspLookupProcessQuotaBlock+61j
		test	edi, edi
		jnz	short loc_7D18E8
		lea	eax, [ecx+208h]
		cmp	[ebp+arg_0], edi
		jz	loc_8F47BB
		mov	ds:_PspDefaultQuotaBlock, ecx
		mov	dword ptr [eax], 1

loc_7D18E8:				; CODE XREF: PspLookupProcessQuotaBlock+89j
					; PspLookupProcessQuotaBlock+122F8Dj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7D18FC
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_7D18FC:				; CODE XREF: PspLookupProcessQuotaBlock+B1j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	short loc_7D18C0
; 

loc_7D190D:				; CODE XREF: PspLookupProcessQuotaBlock+39j
		call	ExAcquirePushLockExclusiveEx
		jmp	loc_7D1886
; 

loc_7D1917:				; CODE XREF: PspLookupProcessQuotaBlock+49j
		cmp	[ebp+arg_0], edi
		jz	short loc_7D189E
		mov	edi, ds:_PspDefaultQuotaBlock

loc_7D1922:				; CODE XREF: PspLookupProcessQuotaBlock+122F2Ej
		test	edi, edi
		jz	loc_7D189E
		jmp	loc_8F4775
; 

loc_7D192F:				; CODE XREF: PspLookupProcessQuotaBlock+6Dj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_7D18B1
PspLookupProcessQuotaBlock endp

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall PspHashKeyValue(x,	x)
@PspHashKeyValue@8 proc	near		; CODE XREF: PspLookupProcessQuotaBlock+1Ap
					; PspRemoveQuotaBlock(x)+31p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_7D195E
		mov	edx, eax
		test	edi, edi
		jz	short loc_7D195B

loc_7D1950:				; CODE XREF: PspHashKeyValue(x,x)+1Dj
		movzx	ecx, byte ptr [edx+esi]
		add	eax, ecx
		inc	edx
		cmp	edx, edi
		jb	short loc_7D1950

loc_7D195B:				; CODE XREF: PspHashKeyValue(x,x)+12j
		and	eax, 1Fh

loc_7D195E:				; CODE XREF: PspHashKeyValue(x,x)+Cj
		pop	edi
		pop	esi
		retn
@PspHashKeyValue@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspReadUserQuotaLimits proc near	; CODE XREF: PspAssignProcessQuotaBlock+94p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F47EF SIZE 000000B1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	ebx, [ebp+arg_0]
		lea	edi, [ebp+var_1C]
		mov	[ebp+var_2C], ebx
		stosd
		mov	esi, edx
		mov	edx, ecx
		mov	[ebp+var_58], esi
		push	6
		pop	ecx
		stosd
		mov	dword ptr [esi], 1
		mov	esi, ds:_PspQuotaDatabaseKey
		mov	[ebp+var_24], edx
		stosd
		mov	[ebp+var_20], esi
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		rep stosd
		xor	edi, edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi
		test	esi, esi
		jz	short loc_7D1A32

loc_7D19BC:				; CODE XREF: PspReadUserQuotaLimits+123j
		cmp	esi, 1
		jz	short loc_7D1A1D
		push	1
		push	edx
		lea	eax, [ebp+var_34]
		push	eax
		call	RtlConvertSidToUnicodeString
		mov	esi, eax
		test	esi, esi
		js	short loc_7D1A1F
		mov	eax, [ebp+var_20]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	1
		lea	eax, [ebp+var_28]
		mov	[ebp+var_4C], 18h
		push	eax
		mov	[ebp+var_40], 2C0h
		mov	[ebp+var_3C], edi
		mov	[ebp+var_38], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	esi, esi
		jns	loc_8F47EF
		cmp	esi, 0C0000034h
		jnz	short loc_7D1A1F

loc_7D1A1D:				; CODE XREF: PspReadUserQuotaLimits+5Dj
					; PspReadUserQuotaLimits+122F32j ...
		mov	esi, edi

loc_7D1A1F:				; CODE XREF: PspReadUserQuotaLimits+6Fj
					; PspReadUserQuotaLimits+B9j ...
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7D1A32:				; CODE XREF: PspReadUserQuotaLimits+58j
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_4C], 18h
		push	eax
		push	9
		lea	eax, [ebp+var_20]
		mov	[ebp+var_48], edi
		push	eax
		mov	[ebp+var_40], 2C0h
		mov	[ebp+var_44], offset _PspQuotaKeyNames
		mov	[ebp+var_3C], edi
		mov	[ebp+var_38], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7D1A8A
		mov	ecx, [ebp+var_20]

loc_7D1A6A:				; CODE XREF: PspReadUserQuotaLimits+12Ej
		mov	edx, offset _PspQuotaDatabaseKey
		xor	eax, eax
		lock cmpxchg [edx], ecx
		mov	esi, eax
		test	esi, esi
		jnz	loc_8F47D9
		mov	esi, [ebp+var_20]

loc_7D1A82:				; CODE XREF: PspLookupProcessQuotaBlock+122FA8j
		mov	edx, [ebp+var_24]
		jmp	loc_7D19BC
; 

loc_7D1A8A:				; CODE XREF: PspReadUserQuotaLimits+103j
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_20], ecx
		jmp	short loc_7D1A6A
PspReadUserQuotaLimits endp


;  S U B	R O U T	I N E 


; __stdcall PspSafeReferenceQuotaBlock(x)
_PspSafeReferenceQuotaBlock@4 proc near	; CODE XREF: PspAssignProcessQuotaBlock+E0p
					; PspLookupProcessQuotaBlock+122F35p
		mov	edi, edi
		push	esi
		lea	esi, [ecx+200h]
		mov	edx, [esi]

loc_7D1A9D:				; CODE XREF: PspSafeReferenceQuotaBlock(x)+1Cj
		test	edx, edx
		jz	short loc_7D1AB5
		mov	ecx, edx
		inc	edx
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	edx, eax
		cmp	edx, ecx
		jnz	short loc_7D1A9D
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_7D1AB5:				; CODE XREF: PspSafeReferenceQuotaBlock(x)+Dj
		xor	eax, eax
		pop	esi
		retn
_PspSafeReferenceQuotaBlock@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeReleaseSid(x, x, x)
_SeReleaseSid@12 proc near		; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+968p
					; PAGE:007E9961p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	dl, dl
		jz	short loc_7D1AD4

loc_7D1AC3:				; CODE XREF: SeReleaseSid(x,x,x)+20j
		cmp	dl, 1
		jnz	short loc_7D1AD0

loc_7D1AC8:				; CODE XREF: SeReleaseSid(x,x,x)+1Ej
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7D1AD0:				; CODE XREF: SeReleaseSid(x,x,x)+Cj
		pop	ebp
		retn	4
; 

loc_7D1AD4:				; CODE XREF: SeReleaseSid(x,x,x)+7j
		cmp	[ebp+arg_0], 1
		jz	short loc_7D1AC8
		jmp	short loc_7D1AC3
_SeReleaseSid@12 endp


;  S U B	R O U T	I N E 


; __stdcall PspConvertJobLimitViolationToV2(x, x)
_PspConvertJobLimitViolationToV2@8 proc	near ; CODE XREF: PAGE:007578EAp
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		mov	[edx], esi
		push	edi
		mov	edi, [ecx+4]
		mov	[edx+4], edi
		mov	eax, [ecx+8]
		mov	[edx+8], eax
		mov	eax, [ecx+0Ch]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+10h]
		mov	[edx+10h], eax
		mov	eax, [ecx+14h]
		mov	[edx+14h], eax
		mov	eax, [ecx+18h]
		mov	[edx+18h], eax
		mov	eax, [ecx+1Ch]
		mov	[edx+1Ch], eax
		mov	eax, [ecx+20h]
		mov	[edx+20h], eax
		mov	eax, [ecx+24h]
		mov	[edx+24h], eax
		mov	eax, [ecx+28h]
		mov	[edx+28h], eax
		mov	eax, [ecx+2Ch]
		mov	[edx+2Ch], eax
		mov	eax, [ecx+30h]
		mov	[edx+30h], eax
		mov	eax, [ecx+34h]
		mov	[edx+34h], eax
		mov	eax, [ecx+38h]
		mov	[edx+38h], eax
		mov	eax, [ecx+3Ch]
		mov	[edx+3Ch], eax
		mov	eax, [ecx+50h]
		mov	[edx+40h], eax
		mov	eax, [ecx+54h]
		mov	[edx+44h], eax
		mov	eax, [ecx+40h]
		mov	[edx+48h], eax
		mov	eax, [ecx+44h]
		mov	[edx+4Ch], eax
		mov	eax, [ecx+48h]
		mov	[edx+50h], eax
		mov	eax, [ecx+4Ch]
		mov	[edx+54h], eax
		mov	eax, 278204h
		and	edi, eax
		and	esi, eax
		mov	[edx+4], edi
		pop	edi
		mov	[edx], esi
		pop	esi
		retn
_PspConvertJobLimitViolationToV2@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetProcessPpmPolicy proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F48A0 SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		shl	edi, 7
		lea	ebx, [esi+64h]

loc_7D1B88:				; CODE XREF: PspSetProcessPpmPolicy+28j
		mov	edx, [ebx]
		mov	ecx, edx
		and	ecx, 0FFFFFC7Fh
		mov	eax, edx
		or	ecx, edi
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_7D1B88
		cmp	ds:_KeDisableLowQosTimerResolution, 0
		jnz	loc_8F48A0

loc_7D1BAB:				; CODE XREF: PspSetProcessPpmPolicy+122D4Fj
					; PspSetProcessPpmPolicy+122D61j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
PspSetProcessPpmPolicy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmStoreFreeVirtualMemory(x)
_MmStoreFreeVirtualMemory@4 proc near	; CODE XREF: SmKmStoreHelperCommandProcess+12Bp
					; SmKmStoreHelperCommandProcess+12350Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		mov	edi, ecx
		call	MiObtainReferencedVadEx
		mov	ecx, edi
		mov	[ebp+var_8], eax
		mov	esi, [eax+10h]
		mov	edx, esi
		mov	ebx, [eax+0Ch]
		shl	edx, 0Ch
		or	edx, 0FFFh
		call	_MiUnlockPageTableRange@8 ; MiUnlockPageTableRange(x,x)
		mov	eax, large fs:124h
		lea	edx, [ebp-1]
		push	ecx
		mov	ecx, [ebp+var_8]
		push	0
		push	dword ptr [eax+80h]
		mov	[ebp+var_1], 0
		push	esi
		push	ebx
		call	MiFreeVadRange
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MmStoreFreeVirtualMemory@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtGetContextThread(x, x)
_NtGetContextThread@8 proc near		; DATA XREF: .text:00581014o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	edi
		push	0
		mov	al, [eax+15Ah]
		push	ecx
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, ds:_PsThreadType
		push	eax
		push	8
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7D1C67
		push	esi
		mov	esi, [ebp+var_4]
		test	dword ptr [esi+58h], 400h
		jnz	short loc_7D1C6E
		push	[ebp+var_8]
		push	[ebp+arg_4]
		push	esi
		call	_PsGetContextThread@12 ; PsGetContextThread(x,x,x)
		mov	edi, eax

loc_7D1C5F:				; CODE XREF: NtGetContextThread(x,x)+69j
		mov	ecx, esi
		call	ObfDereferenceObject
		pop	esi

loc_7D1C67:				; CODE XREF: NtGetContextThread(x,x)+38j
		mov	eax, edi
		pop	edi
		leave
		retn	8
; 

loc_7D1C6E:				; CODE XREF: NtGetContextThread(x,x)+45j
		mov	edi, 0C0000008h
		jmp	short loc_7D1C5F
_NtGetContextThread@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1765. PsGetContextThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetContextThread(x, x, x)
		public _PsGetContextThread@12
_PsGetContextThread@12 proc near	; CODE XREF: NtGetContextThread(x,x)+4Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1
		push	[ebp+arg_8]
		push	[ebp+arg_8]
		call	PspGetContextThreadInternal
		pop	ebp
		retn	0Ch
_PsGetContextThread@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCheckSecurityCellAccess(x, x, x,	x, x)
_CmpCheckSecurityCellAccess@20 proc near
					; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+217p
					; CmpCheckKeyAccess(x,x,x,x,x)+4Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		xor	eax, eax
		and	[ebp+var_C], 0
		or	[ebp+var_C], 0FFFFFFFFh
		push	esi
		push	edi
		mov	word ptr [ebp+var_8], ax
		mov	edi, ecx
		lea	eax, [ebp+var_C]
		push	eax
		push	edx
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	short loc_7D1CE4
		push	[ebp+arg_8]
		mov	dl, [ebp+arg_0]
		lea	ecx, [eax+14h]
		push	[ebp+arg_4]
		call	CmpCheckKeySecurityDescriptorAccess
		mov	esi, eax
		lea	eax, [ebp+var_C]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_7D1CDC:				; CODE XREF: CmpCheckSecurityCellAccess(x,x,x,x,x)+53j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	0Ch
; 

loc_7D1CE4:				; CODE XREF: CmpCheckSecurityCellAccess(x,x,x,x,x)+29j
		mov	esi, 0C000009Ah
		jmp	short loc_7D1CDC
_CmpCheckSecurityCellAccess@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCheckKeySecurityDescriptorAccess proc near
					; CODE XREF: CmpCheckSecurityCellAccess(x,x,x,x,x)+37p
					; CmpCheckKcbStackAccess(x,x,x,x,x)+19p ...

var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 008F4919 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 154h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebp+var_80]
		push	74h		; size_t
		push	esi		; int
		push	eax		; void *
		mov	ebx, edx
		mov	[ebp+var_14C], esi
		mov	edi, ecx
		mov	[ebp+var_150], esi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_148]
		push	0C4h		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	esi, large fs:124h
		add	esp, 0Ch
		mov	eax, ds:_CmKeyObjectType
		add	eax, 34h
		push	eax		; int
		push	[ebp+arg_0]	; int
		lea	eax, [ebp+var_148]
		push	eax		; void *
		lea	eax, [ebp+var_80]
		push	eax		; void *
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		push	eax		; int
		push	esi		; int
		call	_SeCreateAccessStateEx@24 ; SeCreateAccessStateEx(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D1DC2
		cmp	[ebp+arg_4], 0
		jnz	loc_8F4919

loc_7D1D74:				; CODE XREF: CmpCheckKeySecurityDescriptorAccess+122C5Aj
		lea	eax, [ebp+var_150]
		push	eax
		lea	eax, [ebp+var_14C]
		push	eax
		mov	eax, ds:_CmKeyObjectType
		push	ebx
		add	eax, 34h
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	[ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_64]
		push	eax
		push	edi
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFFDEh
		add	esi, 0C0000022h

loc_7D1DB1:				; CODE XREF: CmpCheckKeySecurityDescriptorAccess+122C3Ej
					; CmpCheckKeySecurityDescriptorAccess+122C4Cj
		lea	ecx, [ebp+var_80]
		call	SepDeleteAccessState
		lea	eax, [ebp+var_64]
		push	eax
		call	SeReleaseSubjectContext

loc_7D1DC2:				; CODE XREF: CmpCheckKeySecurityDescriptorAccess+7Cj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
CmpCheckKeySecurityDescriptorAccess endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspGetNoChildProcessRestrictedPolicy proc near ; CODE XREF: PAGE:007A9C7Cp
					; PAGE:0083E322p ...

var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= dword	ptr -2

; FUNCTION CHUNK AT 008F494B SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		xor	eax, eax
		mov	edi, ecx
		push	edi
		mov	byte ptr [ebp+var_2+1],	al
		mov	byte ptr [ebp+var_2], al
		mov	[ebp+var_3], al
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		lea	edx, [ebp-1]
		lea	eax, [ebp-3]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_2]
		push	eax
		call	_SeTokenGetNoChildProcessRestricted@16 ; SeTokenGetNoChildProcessRestricted(x,x,x,x)
		lea	ecx, [edi+12Ch]
		mov	edx, esi
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		cmp	byte ptr [ebp+var_2+1],	0
		pop	edi
		pop	esi
		jnz	loc_8F494B
		movzx	eax, [ebp+var_3]
		neg	eax
		sbb	eax, eax
		and	eax, 3
		leave
		retn
PspGetNoChildProcessRestrictedPolicy endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpWriteExtendedContext proc near	; CODE XREF: PspGetContextThreadInternal+194p

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F4956 SIZE 00000018 BYTES

		push	18h
		push	offset dword_6A3EC0
		call	__SEH_prolog4
		mov	esi, edx
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_20], edi
		lea	edx, [ebp+var_1C]
		mov	ecx, [ebp+arg_4]
		call	RtlpValidateContextFlags
		test	eax, eax
		js	short loc_7D1EA3
		lea	eax, [ebp+var_20]
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+arg_4]
		call	RtlpGetLegacyContextLength
		mov	[ebp+ms_exc.disabled], edi
		test	byte ptr [ebp+var_1C], 1
		jz	short loc_7D1E7C
		push	[ebp+var_20]
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+0Ch]
		mov	eax, [eax+8]
		add	eax, esi
		push	eax
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_7D1E7C:				; CODE XREF: RtlpWriteExtendedContext+3Aj
		test	byte ptr [ebp+var_1C], 2
		jnz	loc_8F4956

loc_7D1E86:				; CODE XREF: RtlpWriteExtendedContext+122B3Dj
		push	edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		mov	edx, esi
		mov	cl, 1
		call	_RtlpCopyExtendedContext@24 ; RtlpCopyExtendedContext(x,x,x,x,x,x)

loc_7D1E99:				; CODE XREF: sub_8F497C+6j
		mov	[ebp+var_28], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D1EA3:				; CODE XREF: RtlpWriteExtendedContext+23j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
RtlpWriteExtendedContext endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMGetDeviceIdList(x, x, x, x, x, x)
_PiCMGetDeviceIdList@24	proc near	; CODE XREF: PiCMHandleIoctl+C3p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_20]
		mov	[ebp+var_4], ebx
		stosd
		mov	[ebp+var_C], ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_C]
		mov	edi, ebx
		mov	[ebp+var_8], edi
		mov	[eax], ebx
		lea	eax, [ebp+var_34]
		push	eax
		push	ecx
		call	PiCMCaptureDeviceListInputData
		mov	esi, eax
		test	esi, esi
		js	loc_7D1FF5
		test	byte_6CD8BB, 2
		mov	esi, [ebp+var_30]
		jz	loc_7D1F93
		movzx	eax, si
		cmp	eax, 8
		ja	short loc_7D1F4B
		jz	short loc_7D1F44
		sub	eax, ebx
		jz	short loc_7D1F3D
		sub	eax, 1
		jz	short loc_7D1F36
		sub	eax, 1
		jz	short loc_7D1F2F
		dec	eax
		sub	eax, 1
		jnz	short loc_7D1F5F
		mov	ecx, offset ??_C@_1BO@BFLJCOAG@?$AAE?$AAj?$AAe?$AAc?$AAt?$AAR?$AAe?$AAl?$AAa?$AAt?$AAi?$AAo?$AAn?$AAs@FNODOBFM@
		jmp	short loc_7D1F80
; 

loc_7D1F2F:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+6Aj
		mov	ecx, offset ??_C@_1BA@IELBACJJ@?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe@FNODOBFM@
		jmp	short loc_7D1F80
; 

loc_7D1F36:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+65j
		mov	ecx, offset ??_C@_19DDCEFKEI@?$AAE?$AAn?$AAu?$AAm@FNODOBFM@
		jmp	short loc_7D1F80
; 

loc_7D1F3D:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+60j
		mov	ecx, offset ??_C@_19KLMLHLJG@?$AAN?$AAo?$AAn?$AAe@FNODOBFM@
		jmp	short loc_7D1F80
; 

loc_7D1F44:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+5Cj
		mov	ecx, (offset off_5A4D70+2)
		jmp	short loc_7D1F80
; 

loc_7D1F4B:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+5Aj
		sub	eax, 10h
		jz	short loc_7D1F7B
		sub	eax, 10h
		jz	short loc_7D1F74
		sub	eax, 20h
		jz	short loc_7D1F6D
		sub	eax, 40h
		jz	short loc_7D1F66

loc_7D1F5F:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+70j
		mov	ecx, offset ??_C@_1BA@LEPJIIOK@?$AAU?$AAn?$AAk?$AAn?$AAo?$AAw?$AAn@FNODOBFM@
		jmp	short loc_7D1F80
; 

loc_7D1F66:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+A7j
		mov	ecx, offset ??_C@_1M@OAHBGIFG@?$AAC?$AAl?$AAa?$AAs?$AAs@FNODOBFM@
		jmp	short loc_7D1F80
; 

loc_7D1F6D:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+A2j
		mov	ecx, offset ??_C@_1CG@ENKBDIHB@?$AAT?$AAr?$AAa?$AAn?$AAs?$AAp?$AAo?$AAr?$AAt?$AAR?$AAe?$AAl?$AAa?$AAt?$AAi@FNODOBFM@
		jmp	short loc_7D1F80
; 

loc_7D1F74:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+9Dj
		mov	ecx, offset ??_C@_1BK@MHOOBJGI@?$AAB?$AAu?$AAs?$AAR?$AAe?$AAl?$AAa?$AAt?$AAi?$AAo?$AAn?$AAs@FNODOBFM@
		jmp	short loc_7D1F80
; 

loc_7D1F7B:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+98j
		mov	ecx, offset ??_C@_1BO@NCAAGMIC@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAR?$AAe?$AAl?$AAa?$AAt?$AAi?$AAo?$AAn?$AAs@FNODOBFM@

loc_7D1F80:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+77j
					; PiCMGetDeviceIdList(x,x,x,x,x,x)+7Ej	...
		mov	eax, esi
		shr	eax, 10h
		and	eax, 1
		push	eax
		push	ecx
		push	[ebp+var_2C]
		push	ecx
		call	_McTemplateK0zzt_EtwWriteTransfer@24 ; McTemplateK0zzt_EtwWriteTransfer(x,x,x,x,x,x)

loc_7D1F93:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+4Ej
		cmp	[ebp+arg_0], ebx
		jz	loc_7D2169
		mov	ebx, [ebp+arg_4]
		cmp	ebx, 14h
		jb	loc_7D2169
		mov	edi, esi
		and	edi, 20000h
		jz	short loc_7D2031
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jnz	short loc_7D2031
		mov	esi, 0C0000022h

loc_7D1FC3:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+1A2j
					; PiCMGetDeviceIdList(x,x,x,x,x,x)+1C7j ...
		push	[ebp+arg_C]	; int
		mov	eax, [ebp+var_4]
		xor	ebx, ebx
		push	[ebp+arg_4]	; int
		mov	ecx, esi
		push	[ebp+arg_0]	; int
		lea	edx, [eax+eax]
		push	[ebp+var_24]	; int
		push	ebx		; size_t
		push	ebx		; void *
		push	ebx		; int
		call	PiCMReturnBufferResultData
		mov	edi, [ebp+var_8]

loc_7D1FE4:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+2DEj
		mov	esi, eax
		test	edi, edi
		jz	short loc_7D1FF5
		push	34706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7D1FF5:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+3Ej
					; PiCMGetDeviceIdList(x,x,x,x,x,x)+132j
		cmp	[ebp+var_2C], 0
		jz	short loc_7D2013
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_7D2013
		push	ebx
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7D2013:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+143j
					; PiCMGetDeviceIdList(x,x,x,x,x,x)+152j
		test	byte_6CD8BB, 2
		jz	short loc_7D2028
		push	esi
		push	ecx
		mov	edx, offset _KMPnPEvt_CfgMgr_DeviceList_Stop
		call	_McTemplateK0d_EtwWriteTransfer@16 ; McTemplateK0d_EtwWriteTransfer(x,x,x,x)

loc_7D2028:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+164j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7D2031:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+FAj
					; PiCMGetDeviceIdList(x,x,x,x,x,x)+106j
		lea	eax, [ebx-14h]
		cmp	eax, 2
		sbb	ebx, ebx
		not	ebx
		and	ebx, eax
		jbe	short loc_7D2063
		push	34706E50h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_7D205D
		mov	esi, 0C000009Ah
		jmp	loc_7D1FC3
; 

loc_7D205D:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+19Bj
		mov	eax, ebx
		shr	eax, 1
		jmp	short loc_7D2069
; 

loc_7D2063:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+187j
		and	[ebp+var_8], 0
		xor	eax, eax

loc_7D2069:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+1ABj
		lea	edx, [ebp+var_C]
		mov	[ebp+var_10], eax
		mov	ecx, esi
		mov	[ebp+var_4], eax
		call	PiCMConvertDeviceListFilters
		mov	esi, eax
		test	esi, esi
		js	loc_7D1FC3
		mov	eax, [ebp+var_30]
		movzx	eax, ax
		cmp	eax, 4
		jz	short loc_7D2109
		cmp	eax, 8
		jz	short loc_7D2109
		cmp	eax, 10h
		jz	short loc_7D2109
		cmp	eax, 20h
		jz	short loc_7D2109
		cmp	eax, 40h
		jz	short loc_7D2109
		lea	eax, [ebp+var_20]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		push	ecx
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		mov	eax, edi
		lea	ecx, [ebp+var_20]
		push	[ebp+var_8]
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx
		mov	ecx, _PiPnpRtlCtx
		neg	edi
		push	eax
		sbb	edi, edi
		not	edi
		and	edi, offset _PiCMMandatoryFilterCallback@16 ; PiCMMandatoryFilterCallback(x,x,x,x)
		push	edi
		push	[ebp+var_C]
		call	_CmGetMatchingFilteredDeviceList
		mov	esi, eax
		lea	eax, [ebp+var_20]
		push	eax
		call	SeReleaseSubjectContext
		mov	edi, [ebp+var_8]
		test	esi, esi
		jns	short loc_7D2146
		jmp	short loc_7D216E
; 

loc_7D2109:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+1D6j
					; PiCMGetDeviceIdList(x,x,x,x,x,x)+1DBj ...
		mov	ecx, [ebp+var_2C]
		test	ecx, ecx
		jnz	short loc_7D211A
		mov	esi, 0C000000Dh
		jmp	loc_7D1FC3
; 

loc_7D211A:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+258j
		mov	eax, [ebp+var_C]
		lea	edx, [ebp+var_4]
		mov	edi, [ebp+var_8]
		and	eax, 0FFFFFEFFh
		push	ecx
		push	edx
		push	[ebp+var_10]
		mov	edx, ecx
		mov	ecx, _PiPnpRtlCtx
		push	edi
		push	eax
		call	__CmGetDeviceRelationsList@28 ;	_CmGetDeviceRelationsList(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7D1FC3

loc_7D2146:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+24Fj
		cmp	[ebp+var_4], 0
		jnz	short loc_7D216E
		mov	[ebp+var_4], 1
		cmp	ebx, 2
		jb	short loc_7D215F
		xor	eax, eax
		mov	[edi], ax
		jmp	short loc_7D216E
; 

loc_7D215F:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+2A0j
		mov	esi, 0C0000023h
		jmp	loc_7D1FC3
; 

loc_7D2169:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+E0j
					; PiCMGetDeviceIdList(x,x,x,x,x,x)+ECj
		mov	esi, 0C000000Dh

loc_7D216E:				; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+251j
					; PiCMGetDeviceIdList(x,x,x,x,x,x)+294j ...
		test	esi, esi
		js	loc_7D1FC3
		push	[ebp+arg_C]	; int
		mov	eax, [ebp+var_4]
		xor	ebx, ebx
		push	[ebp+arg_4]	; int
		mov	ecx, esi
		push	[ebp+arg_0]	; int
		lea	edx, [eax+eax]
		push	[ebp+var_24]	; int
		push	edx		; size_t
		push	edi		; void *
		push	ebx		; int
		call	PiCMReturnBufferResultData
		jmp	loc_7D1FE4
_PiCMGetDeviceIdList@24	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetMatchingFilteredDeviceList proc near
					; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+23Ap
					; IopGetRootDevices+CCp ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008F4987 SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_30], 0
		mov	eax, edx
		and	[ebp+var_2C], 0
		and	[ebp+var_8], 0
		and	[ebp+var_C], 0
		mov	edx, [ebp+arg_14]
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_34], ebx
		mov	ebx, [ebx+100h]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_18], edi
		mov	edi, [ebp+var_34]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], edx
		test	ebx, ebx
		jz	loc_8F498B
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	10h
		push	1
		push	0
		push	edi
		call	ebx
		cmp	eax, 0C0000002h
		jz	short loc_7D2235
		cmp	eax, 0C0000120h
		jnz	loc_8F4987

loc_7D221F:				; CODE XREF: _CmGetMatchingFilteredDeviceList+12283Cj
		mov	esi, [ebp+var_30]

loc_7D2222:				; CODE XREF: _CmGetMatchingFilteredDeviceList+122814j
					; _CmGetMatchingFilteredDeviceList+122831j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
; 

loc_7D2235:				; CODE XREF: _CmGetMatchingFilteredDeviceList+78j
		xor	ebx, ebx
		jmp	loc_8F498B
_CmGetMatchingFilteredDeviceList endp


;  S U B	R O U T	I N E 


PiCMConvertDeviceListFilters proc near	; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+1BEp

; FUNCTION CHUNK AT 008F49EE SIZE 0000004D BYTES

		mov	edi, edi
		push	esi
		push	edi
		push	8
		xor	esi, esi
		movzx	eax, cx
		pop	edi
		mov	[edx], esi
		cmp	eax, edi
		jbe	short loc_7D2291
		push	10h
		pop	edi
		sub	eax, edi
		jz	loc_8F4A2F
		sub	eax, edi
		jz	loc_8F4A1F
		sub	eax, 20h
		jz	loc_8F4A0F
		sub	eax, 40h
		jnz	short loc_7D22CA
		mov	dword ptr [edx], 80h
		mov	eax, 180h

loc_7D227A:				; CODE XREF: PiCMConvertDeviceListFilters+64j
					; PiCMConvertDeviceListFilters+7Fj ...
		test	ecx, 0FFFC0000h
		jnz	short loc_7D22CA
		test	ecx, 10000h
		jz	short loc_7D228C
		mov	[edx], eax

loc_7D228C:				; CODE XREF: PiCMConvertDeviceListFilters+4Cj
					; PiCMConvertDeviceListFilters+93j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_7D2291:				; CODE XREF: PiCMConvertDeviceListFilters+10j
		jz	loc_8F4A08
		sub	eax, esi
		jnz	short loc_7D22A2
		mov	eax, 100h
		jmp	short loc_7D227A
; 

loc_7D22A2:				; CODE XREF: PiCMConvertDeviceListFilters+5Dj
		sub	eax, 1
		jz	short loc_7D22BD
		sub	eax, 1
		jnz	loc_8F49EE
		mov	dword ptr [edx], 2
		mov	eax, 102h
		jmp	short loc_7D227A
; 

loc_7D22BD:				; CODE XREF: PiCMConvertDeviceListFilters+69j
		mov	dword ptr [edx], 1
		mov	eax, 101h
		jmp	short loc_7D227A
; 

loc_7D22CA:				; CODE XREF: PiCMConvertDeviceListFilters+31j
					; PiCMConvertDeviceListFilters+44j ...
		mov	esi, 0C000000Dh
		jmp	short loc_7D228C
PiCMConvertDeviceListFilters endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMCaptureDeviceListInputData proc near ; CODE	XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+35p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F4A3B SIZE 0000000F BYTES
; FUNCTION CHUNK AT 008F4A5E SIZE 00000055 BYTES

		push	18h
		push	offset dword_6A3EE0
		call	__SEH_prolog4
		mov	esi, edx
		mov	edx, ecx
		and	[ebp+var_20], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		test	edx, edx
		jz	loc_8F4AA6
		test	esi, esi
		jz	loc_8F4AA6
		and	[ebp+ms_exc.disabled], ebx
		test	dl, 3
		jnz	loc_7D23D1
		lea	ecx, [edx+esi]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	loc_8F4A3B
		cmp	ecx, edx
		jb	loc_8F4A3B

loc_7D232E:				; CODE XREF: PiCMCaptureDeviceListInputData+12276Cj
		cmp	esi, 14h
		jb	loc_8F4A43
		push	5
		pop	ecx
		mov	esi, edx
		mov	eax, [ebp+arg_4]
		mov	edi, eax
		rep movsd
		cmp	dword ptr [eax], 14h
		jnz	loc_8F4A43

loc_7D234C:				; CODE XREF: PiCMCaptureDeviceListInputData+12278Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+arg_4]
		test	ebx, ebx
		js	loc_8F4A7D
		lea	edi, [esi+8]
		mov	eax, [edi]
		and	dword ptr [edi], 0
		test	eax, eax
		jz	short loc_7D23BE
		mov	ecx, [esi+0Ch]
		cmp	ecx, 2
		jb	loc_8F4A66
		push	1
		push	[ebp+var_24]
		push	2
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	PiControlMakeUserModeCallersCopy
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7D23D6
		mov	[ebp+var_20], 1
		mov	edx, [esi+0Ch]
		shr	edx, 1
		mov	ecx, [edi]
		xor	eax, eax
		mov	[ecx+edx*2-2], ax

loc_7D23A2:				; CODE XREF: PiCMCaptureDeviceListInputData+F8j
					; PiCMCaptureDeviceListInputData+10Bj ...
		test	ebx, ebx
		js	loc_8F4A7D

loc_7D23AA:				; CODE XREF: PiCMCaptureDeviceListInputData+1227CFj
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7D23BE:				; CODE XREF: PiCMCaptureDeviceListInputData+96j
					; PiCMCaptureDeviceListInputData+122796j
		cmp	dword ptr [esi+0Ch], 0
		ja	loc_8F4A78
		test	eax, eax
		jz	short loc_7D23A2
		jmp	loc_8F4A6E
; 

loc_7D23D1:				; CODE XREF: PiCMCaptureDeviceListInputData+3Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7D23D6:				; CODE XREF: PiCMCaptureDeviceListInputData+B9j
		and	dword ptr [edi], 0
		and	dword ptr [esi+0Ch], 0
		jmp	short loc_7D23A2
PiCMCaptureDeviceListInputData endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcSectionDestroyProcedure proc near	; DATA XREF: .text:00401138o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F4AB3 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+8]
		test	ecx, ecx
		jnz	loc_8F4AB3

loc_7D23F4:				; CODE XREF: AlpcSectionDestroyProcedure+1226E0j
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jnz	loc_8F4AC5

loc_7D23FF:				; CODE XREF: AlpcSectionDestroyProcedure+1226F8j
		mov	ecx, [esi]
		pop	esi
		test	ecx, ecx
		jz	short loc_7D240B
		call	ObfDereferenceObject

loc_7D240B:				; CODE XREF: AlpcSectionDestroyProcedure+24j
		xor	eax, eax
		pop	ebp
		retn	4
AlpcSectionDestroyProcedure endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void __stdcall PiDqSerializationWrite(void *,char *,unsigned int)
PiDqSerializationWrite proc near	; DATA XREF: PiDqQuerySerializeActionQueue+8Fo

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	8
		push	offset dword_6A3F00
		call	__SEH_prolog4
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+8]
		mov	eax, [esi+4]
		sub	eax, ecx
		mov	edi, [ebp+arg_8]
		cmp	eax, edi
		jb	short loc_7D2461
		and	[ebp+ms_exc.disabled], 0
		push	edi		; size_t
		push	[ebp+arg_4]	; void *
		mov	eax, [esi]
		add	eax, ecx
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		add	[esi+8], edi

loc_7D2448:				; CODE XREF: sub_8F4AE1+Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D244F:				; CODE XREF: PiDqSerializationWrite+53j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7D2461:				; CODE XREF: PiDqSerializationWrite+1Cj
		mov	byte ptr [esi+14h], 1
		jmp	short loc_7D244F
PiDqSerializationWrite endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1386. MmCommitSessionMappedView

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmCommitSessionMappedView
MmCommitSessionMappedView proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F4AF0 SIZE 000000CB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jnz	loc_8F4AF0

loc_7D248A:				; CODE XREF: MmCommitSessionMappedView+12268Ej
		mov	edx, [ebp+arg_4]
		add	edx, esi
		cmp	edx, esi
		jbe	loc_8F4B1A
		dec	edx
		mov	ecx, edx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jnz	loc_8F4B0A

loc_7D24A8:				; CODE XREF: MmCommitSessionMappedView+1226A8j
		mov	ebx, large fs:124h
		mov	edi, [ebx+80h]
		test	dword ptr [edi+0FCh], 10000h
		jz	loc_8F4B24
		mov	edi, [edi+180h]
		or	edx, 0FFFh
		mov	ecx, edx
		mov	[ebp+arg_0], edi
		and	esi, 0FFFFF000h
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, esi
		mov	edx, eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		sub	edx, eax
		sar	edx, 3
		inc	edx
		dec	word ptr [ebx+13Eh]
		mov	[ebp+arg_4], edx
		nop
		mov	ecx, [edi+74h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [edi+78h]
		jmp	short loc_7D250D
; 

loc_7D250A:				; CODE XREF: MmCommitSessionMappedView+B8j
		mov	ecx, [ecx+4]

loc_7D250D:				; CODE XREF: MmCommitSessionMappedView+9Cj
					; MmCommitSessionMappedView+C0j
		test	ecx, ecx
		jz	short loc_7D252E
		mov	edx, [ecx+34h]
		mov	eax, [ecx+18h]
		mov	[ebp+var_4], edx
		and	edx, 0FFFFF000h
		add	eax, edx
		cmp	esi, eax
		jnb	short loc_7D250A
		cmp	esi, edx
		jnb	short loc_7D253F
		mov	ecx, [ecx]
		jmp	short loc_7D250D
; 

loc_7D252E:				; CODE XREF: MmCommitSessionMappedView+A3j
					; MmCommitSessionMappedView+D5j
		xor	edi, edi
		push	edi
		push	edi
		push	2
		push	esi
		push	0D7h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_7D253F:				; CODE XREF: MmCommitSessionMappedView+BCj
		test	ecx, ecx
		jz	short loc_7D252E
		mov	eax, [ecx+20h]
		xor	edi, edi
		mov	edx, [eax]
		cmp	[edx+20h], edi
		jnz	loc_8F4B2E
		mov	eax, [ebp+var_4]
		and	eax, 0FFFFF000h
		sub	esi, eax
		xor	eax, eax
		shr	esi, 0Ch
		add	esi, [ecx+10h]
		mov	[ebp+var_10], esi
		adc	eax, [ecx+14h]
		lea	ecx, [edx+50h]
		lea	edx, [ebp+var_10]
		mov	[ebp+var_C], eax
		call	_MiLocatePagefileSubsection@8 ;	MiLocatePagefileSubsection(x,x)
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	loc_8F4B73
		mov	eax, [esi+4]
		mov	edx, esi
		mov	ecx, [ebp+var_10]
		mov	esi, [esi+1Ch]
		lea	eax, [eax+ecx*8]
		add	ecx, [ebp+arg_4]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+var_C]
		adc	eax, edi
		cmp	eax, edi
		jb	short loc_7D25B1
		ja	loc_8F4B56

loc_7D25A9:				; CODE XREF: MmCommitSessionMappedView+122702j
		cmp	ecx, esi
		ja	loc_8F4B56

loc_7D25B1:				; CODE XREF: MmCommitSessionMappedView+135j
					; MmCommitSessionMappedView+1226FCj
		push	[ebp+arg_4]
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		call	MiChargeSegmentCommit
		mov	edi, [ebp+arg_0]
		mov	esi, eax
		or	eax, 0FFFFFFFFh
		mov	edi, [edi+74h]
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_8F4BA7

loc_7D25D6:				; CODE XREF: MmCommitSessionMappedView+12273Dj
					; MmCommitSessionMappedView+12274Aj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFED3h
		lea	eax, [esi-3FFFFED3h]

loc_7D25F4:				; CODE XREF: MmCommitSessionMappedView+122699j
					; MmCommitSessionMappedView+1226B3j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
MmCommitSessionMappedView endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtFlushVirtualMemory proc near		; DATA XREF: .text:00581038o

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F4BBB SIZE 00000015 BYTES
; FUNCTION CHUNK AT 008F4BF0 SIZE 0000002C BYTES

		push	24h
		push	offset dword_6A3F20
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ecx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_2C], al
		test	al, al
		jz	loc_8F4BF0
		mov	[ebp+ms_exc.disabled], ecx
		mov	esi, [ebp+arg_4]
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8F4BBB

loc_7D2645:				; CODE XREF: NtFlushVirtualMemory+1225C1j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	edi, [ebp+arg_8]
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_8F4BC2

loc_7D265B:				; CODE XREF: NtFlushVirtualMemory+1225C8j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ebx, [ebp+arg_C]
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8F4BC9

loc_7D2671:				; CODE XREF: NtFlushVirtualMemory+1225CFj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [esi]
		mov	[ebp+var_20], ecx
		mov	edx, [edi]
		mov	[ebp+var_1C], edx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D2686:				; CODE XREF: NtFlushVirtualMemory+122607j
		mov	eax, ds:_MmHighestUserAddress
		cmp	ecx, eax
		ja	loc_8F4C08
		sub	eax, ecx
		inc	eax
		cmp	eax, edx
		jb	loc_8F4C12
		push	0
		lea	eax, [ebp+var_24]
		push	eax
		push	6C466D4Dh
		push	[ebp+var_2C]
		push	ds:_PsProcessType
		push	8
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7D270E
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		lea	edx, [ebp+var_20]
		mov	ecx, [ebp+var_24]
		call	MmFlushVirtualMemory
		mov	[ebp+arg_4], eax
		mov	edx, 6C466D4Dh
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObjectWithTag
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_1C]
		mov	[edi], eax
		mov	eax, [ebp+var_20]
		and	eax, 0FFFFF000h
		mov	[esi], eax
		mov	eax, [ebp+var_34]
		mov	[ebx], eax
		mov	eax, [ebp+var_30]
		mov	[ebx+4], eax

loc_7D2704:				; CODE XREF: sub_8F4C20+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+arg_4]

loc_7D270E:				; CODE XREF: NtFlushVirtualMemory+C2j
					; sub_8F4BDE+Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
NtFlushVirtualMemory endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmFlushVirtualMemory proc near		; CODE XREF: NtFlushVirtualMemory+D2p
					; CMFFlushHitsFile(x,x)+A8p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F4C28 SIZE 000000DE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[esp+58h+var_34], ecx
		lea	edi, [esp+58h+var_1C]
		mov	[esp+58h+var_48], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_4]
		mov	esi, ebx
		mov	[esp+58h+var_24], eax
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		mov	eax, [esp+58h+var_48]
		mov	ecx, [edx]
		mov	[esp+58h+var_3C], ebx
		mov	[esp+58h+var_30], ebx
		mov	edi, [eax]
		mov	eax, [esp+58h+var_34]
		dec	edi
		add	edi, ecx
		mov	[esp+58h+var_4C], ebx
		and	ecx, 0FFFFF000h
		or	edi, 0FFFh
		mov	[edx], ecx
		mov	[esp+58h+var_40], ecx
		mov	ecx, large fs:124h
		mov	[esp+58h+var_28], ecx
		cmp	[ecx+80h], eax
		jnz	loc_8F4C28

loc_7D279E:				; CODE XREF: MmFlushVirtualMemory+122519j
		mov	[esp+58h+var_34], ebx
		call	_KeAreAllApcsDisabled@0	; KeAreAllApcsDisabled()
		mov	ecx, [esp+58h+var_40]
		mov	[esp+58h+var_41], al
		lea	eax, [esp+58h+var_4C]
		push	eax
		push	2
		pop	edx
		call	MiObtainReferencedVadEx
		mov	ecx, eax
		mov	[esp+58h+var_2C], ecx
		test	ecx, ecx
		jz	loc_8F4C3E
		mov	eax, [esp+58h+var_48]
		mov	edx, [ecx+10h]
		cmp	[eax], ebx
		jz	loc_7D2957

loc_7D27D9:				; CODE XREF: MmFlushVirtualMemory+245j
		mov	eax, [ecx+1Ch]
		mov	[esp+58h+var_20], eax
		test	eax, 100000h
		jnz	loc_8F4CEC
		mov	eax, edi
		shr	eax, 0Ch
		mov	[esp+58h+var_38], eax
		cmp	eax, edx
		ja	loc_8F4CEC
		mov	eax, [ecx+2Ch]
		mov	edx, [eax]
		mov	[esp+58h+var_4C], edx
		cmp	[edx+20h], ebx
		jz	loc_7D296A
		mov	eax, [esp+58h+var_20]
		and	al, 70h
		cmp	al, 20h
		jz	loc_7D296A
		mov	edx, [esp+58h+var_48]
		mov	eax, edi
		mov	ecx, [esp+58h+var_40]
		sub	eax, ecx
		inc	eax
		mov	[edx], eax
		mov	edx, [esp+58h+var_4C]
		cmp	[esp+58h+var_41], bl
		jnz	short loc_7D2842
		test	dword ptr [edx+1Ch], 20000h
		jnz	loc_8F4C58

loc_7D2842:				; CODE XREF: MmFlushVirtualMemory+113j
					; MmFlushVirtualMemory+122540j
		push	[esp+58h+var_28]
		mov	edx, edi
		call	MiFlushDirtyBitsToPfn
		mov	edi, [esp+58h+var_2C]
		lea	eax, [esp+58h+var_30]
		mov	edx, [esp+58h+var_38]
		mov	ecx, edi
		push	eax
		push	ebx
		call	MiGetProtoPteAddress
		mov	edx, [esp+58h+var_40]
		lea	eax, [esp+58h+var_3C]
		push	eax
		push	ebx
		shr	edx, 0Ch
		mov	ecx, edi
		call	MiGetProtoPteAddress
		mov	[esp+58h+var_28], eax
		mov	eax, [esp+58h+var_30]
		mov	[esp+58h+var_40], eax
		test	eax, eax
		jz	loc_8F4C65
		mov	edx, [esp+58h+var_38]
		lea	eax, [esp+58h+var_20]
		push	eax
		push	ebx
		mov	ecx, edi
		call	MiGetProtoPteAddress
		mov	[esp+58h+var_38], eax
		mov	eax, [esp+58h+var_30]

loc_7D28A3:				; CODE XREF: MmFlushVirtualMemory+12257Ej
		mov	edx, [esp+58h+var_3C]
		mov	ecx, [esp+58h+var_4C]
		push	eax
		call	_MiFlushAcquire@12 ; MiFlushAcquire(x,x,x)
		test	eax, eax
		jz	loc_8F4CB9
		mov	ecx, edi
		call	MiUnlockAndDereferenceVadShared
		cmp	esi, 2
		jnb	loc_8F4CC7

loc_7D28C9:				; CODE XREF: MmFlushVirtualMemory+1225B2j
		mov	ecx, [esp+5Ch+var_50]
		mov	esi, ebx
		call	MiReferenceControlAreaFile
		mov	edi, [esp+18h]
		mov	[esp+5Ch+var_4C], eax

loc_7D28DC:				; CODE XREF: MmFlushVirtualMemory+265j
		cmp	esi, 0C0000054h
		jz	loc_8F4CD7

loc_7D28E8:				; CODE XREF: MmFlushVirtualMemory+1225C7j
		mov	ecx, eax
		call	FsRtlAcquireFileForCcFlushEx
		mov	esi, eax
		test	esi, esi
		js	short loc_7D2923
		push	[esp+5Ch+var_28]
		mov	edx, [esp+60h+var_3C]
		push	[esp+60h+var_38]
		mov	ecx, [esp+64h+var_2C]
		push	ebx
		push	edi
		push	[esp+6Ch+var_40]
		call	MiFlushSectionInternal
		mov	ecx, [esp+5Ch+var_4C]
		mov	esi, eax
		call	FsRtlReleaseFileForCcFlush
		cmp	esi, 0C0000054h
		jz	short loc_7D2981

loc_7D2923:				; CODE XREF: MmFlushVirtualMemory+1D3j
		mov	edx, [esp+5Ch+var_4C]
		mov	ecx, [esp+5Ch+var_50]
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		push	dword ptr [esp+18h]
		mov	edx, [esp+60h+var_40]
		mov	ecx, [esp+60h+var_50]
		call	_MiFlushRelease@12 ; MiFlushRelease(x,x,x)
		mov	eax, esi

loc_7D2943:				; CODE XREF: MmFlushVirtualMemory+25Fj
		mov	ecx, [esp+5Ch+var_8]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7D2957:				; CODE XREF: MmFlushVirtualMemory+B3j
		mov	edi, edx
		shl	edi, 0Ch
		or	edi, 0FFFh
		or	esi, 1
		jmp	loc_7D27D9
; 

loc_7D296A:				; CODE XREF: MmFlushVirtualMemory+E8j
					; MmFlushVirtualMemory+F6j
		mov	ebx, 0C0000088h

loc_7D296F:				; CODE XREF: MmFlushVirtualMemory+1225A2j
					; MmFlushVirtualMemory+1225D1j
		call	MiUnlockAndDereferenceVadShared

loc_7D2974:				; CODE XREF: MmFlushVirtualMemory+122528j
					; MmFlushVirtualMemory+122533j
		cmp	esi, 2
		jnb	loc_8F4CF6

loc_7D297D:				; CODE XREF: MmFlushVirtualMemory+1225E1j
		mov	eax, ebx
		jmp	short loc_7D2943
; 

loc_7D2981:				; CODE XREF: MmFlushVirtualMemory+201j
		mov	eax, [esp+5Ch+var_4C]
		jmp	loc_7D28DC
MmFlushVirtualMemory endp


;  S U B	R O U T	I N E 


EtwpFreeGuidEntry proc near		; CODE XREF: EtwpAddGuidEntry(x,x,x)+60p
					; EtwpAddGuidEntry(x,x,x)+1DDp	...

; FUNCTION CHUNK AT 008F4D06 SIZE 00000093 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		cmp	[esi+168h], edi
		jnz	loc_8F4D06

loc_7D299E:				; CODE XREF: EtwpFreeGuidEntry+1223F4j
		push	1
		push	dword ptr [esi+2Ch]
		call	ObDereferenceSecurityDescriptor
		mov	eax, [esi+160h]
		test	eax, eax
		jnz	short loc_7D29CA

loc_7D29B2:				; CODE XREF: EtwpFreeGuidEntry+47j
		mov	eax, [esi+164h]
		add	eax, 8BCh
		lock dec dword ptr [eax]
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
; 

loc_7D29CA:				; CODE XREF: EtwpFreeGuidEntry+26j
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7D29B2
EtwpFreeGuidEntry endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMarkPrivateImageCfgBits proc near	; CODE XREF: MiMarkProcessCfgBits(x,x,x,x,x,x,x)+4Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	eax, [edx+2Ch]
		mov	esi, [edx+10h]
		push	edi
		mov	edi, [edx+0Ch]
		mov	ecx, [eax]
		mov	edx, [edx+30h]
		shl	edi, 0Ch
		inc	esi
		shl	esi, 0Ch
		mov	eax, [ecx]
		mov	eax, [eax+28h]
		cmp	edx, eax
		jnz	loc_8F4D88

loc_7D2A03:				; CODE XREF: EtwpFreeGuidEntry+12240Aj
		call	_MiGetControlAreaLoadConfig@4 ;	MiGetControlAreaLoadConfig(x)
		push	esi
		push	edi
		push	0
		mov	edx, [eax+0Ch]
		push	ecx
		mov	ecx, ebx
		call	MiPopulateCfgBitMap
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
MiMarkPrivateImageCfgBits endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2458. SeDeassignSecurity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeDeassignSecurity(x)
		public _SeDeassignSecurity@4
_SeDeassignSecurity@4 proc near		; CODE XREF: SepDeleteAccessState+45p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+D0Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_7D2A3B
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7D2A3B:				; CODE XREF: SeDeassignSecurity(x)+Dj
		and	dword ptr [esi], 0
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
_SeDeassignSecurity@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void __stdcall PiDqSerializationAlloc(void *,char **,unsigned	int *)
PiDqSerializationAlloc proc near	; DATA XREF: PiDqQuerySerializeActionQueue+94o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, [esi]
		mov	eax, [edi+10h]
		cmp	ecx, eax
		ja	short loc_7D2A6C

loc_7D2A5C:				; CODE XREF: PiDqSerializationAlloc+67j
		mov	[esi], eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [edi+0Ch]
		pop	edi
		pop	esi
		mov	[eax], ecx
		pop	ebp
		retn	0Ch
; 

loc_7D2A6C:				; CODE XREF: PiDqSerializationAlloc+14j
		mov	eax, [edi+0Ch]
		push	ebx
		mov	ebx, 58706E50h
		test	eax, eax
		jnz	sub_8F4D99

loc_7D2A7D:				; CODE XREF: sub_8F4D99+9j
		mov	eax, 1000h
		cmp	ecx, eax
		jnb	short loc_7D2A8A
		mov	[esi], eax
		mov	ecx, eax

loc_7D2A8A:				; CODE XREF: PiDqSerializationAlloc+3Ej
		push	ebx
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+0Ch], eax
		pop	ebx
		test	eax, eax
		jz	short loc_7D2AAF
		push	dword ptr [esi]	; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esi]
		add	esp, 0Ch

loc_7D2AAA:				; CODE XREF: PiDqSerializationAlloc+6Bj
		mov	[edi+10h], eax
		jmp	short loc_7D2A5C
; 

loc_7D2AAF:				; CODE XREF: PiDqSerializationAlloc+53j
		xor	eax, eax
		jmp	short loc_7D2AAA
PiDqSerializationAlloc endp

; 
		align 8
; Exported entry 1916. PsSetThreadWin32Thread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetThreadWin32Thread(x, x, x)
		public _PsSetThreadWin32Thread@12
_PsSetThreadWin32Thread@12 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		add	edx, 124h
		test	eax, eax
		jnz	short loc_7D2ADA
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx

loc_7D2AD6:				; CODE XREF: PsSetThreadWin32Thread(x,x,x)+24j
		pop	ebp
		retn	0Ch
; 

loc_7D2ADA:				; CODE XREF: PsSetThreadWin32Thread(x,x,x)+13j
		xchg	eax, [edx]
		jmp	short loc_7D2AD6
_PsSetThreadWin32Thread@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeSynchronizeWithDynamicProcessors proc	near ; CODE XREF: PAGE:007B3C2Bp
					; ExpGetProcessInformation+D6Cp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F4DA7 SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_KeDynamicPartitioningSupported, 0
		push	esi
		jnz	loc_8F4DA7

loc_7D2AF2:				; CODE XREF: KeSynchronizeWithDynamicProcessors+1222DCj
					; KeSynchronizeWithDynamicProcessors+1222F5j
		pop	esi
		leave
		retn
KeSynchronizeWithDynamicProcessors endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbFindDatabaseNode(x, x,	x)
_DrvDbFindDatabaseNode@12 proc near	; CODE XREF: DrvDbGetObjectDatabaseNode+8Dp
					; DrvDbSuspendDatabase+3Cp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	ecx, ecx
		push	edi
		mov	[eax], ecx
		lea	eax, [ebp+var_C]
		push	edx
		push	eax
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7D2B48
		add	ebx, 0Ch
		mov	edi, 0C0000034h
		mov	esi, [ebx]

loc_7D2B2A:				; CODE XREF: DrvDbFindDatabaseNode(x,x,x)+5Dj
		cmp	esi, ebx
		jz	short loc_7D2B48
		push	1
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [esi+8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_7D2B51
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		mov	[eax], esi

loc_7D2B48:				; CODE XREF: DrvDbFindDatabaseNode(x,x,x)+28j
					; DrvDbFindDatabaseNode(x,x,x)+36j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7D2B51:				; CODE XREF: DrvDbFindDatabaseNode(x,x,x)+49j
		mov	esi, [esi]
		jmp	short loc_7D2B2A
_DrvDbFindDatabaseNode@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtGetNlsSectionPtr proc	near		; DATA XREF: .text:00580FF8o

var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_13C		= dword	ptr -13Ch
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_11D		= byte ptr -11Dh
var_11C		= word ptr -11Ch
var_9C		= word ptr -9Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F4DD8 SIZE 00000048 BYTES
; FUNCTION CHUNK AT 008F4E46 SIZE 0000001F BYTES

		push	180h
		push	offset dword_6A3F48
		call	__SEH_prolog4_GS
		mov	ebx, [ebp+arg_C]
		mov	edx, [ebp+arg_10]
		mov	[ebp+var_13C], edx
		xor	ecx, ecx
		mov	[ebp+var_148], ecx
		mov	[ebp+var_144], ecx
		mov	[ebp+var_128], ecx
		mov	[ebp+var_124], ecx
		mov	[ebp+var_158], ecx
		mov	[ebp+var_154], ecx
		mov	[ebp+var_130], ecx
		mov	[ebp+var_134], ecx
		test	ebx, ebx
		jz	loc_8F4DD8
		test	edx, edx
		jz	loc_8F4DE2
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_11D], al
		test	al, al
		jz	short loc_7D2C04
		mov	[ebp+ms_exc.disabled], ecx
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8F4DEC

loc_7D2BDB:				; CODE XREF: NtGetNlsSectionPtr+122298j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_8F4DF3

loc_7D2BEE:				; CODE XREF: NtGetNlsSectionPtr+12229Fj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	loc_8F4DFA

loc_7D2BFD:				; CODE XREF: NtGetNlsSectionPtr+1222BCj
					; NtGetNlsSectionPtr+1222C5j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D2C04:				; CODE XREF: NtGetNlsSectionPtr+71j
		lea	eax, [ebp+var_148]
		push	eax		; int
		push	ecx		; int
		lea	eax, [ebp+var_9C]
		push	eax		; wchar_t *
		mov	edx, dword ptr [ebp+arg_4] ; char
		mov	edi, [ebp+arg_0]
		mov	ecx, edi	; int
		call	_RtlpInitNlsSectionName@20 ; RtlpInitNlsSectionName(x,x,x,x,x)
		test	eax, eax
		js	loc_7D2D4B
		mov	[ebp+var_178], 18h
		and	[ebp+var_174], 0
		mov	[ebp+var_16C], 2D0h
		lea	eax, [ebp+var_148]
		mov	[ebp+var_170], eax
		and	[ebp+var_168], 0
		and	[ebp+var_164], 0
		cmp	edi, 0Bh
		jnz	loc_7D2E24

loc_7D2C66:				; CODE XREF: NtGetNlsSectionPtr+2D1j
		lea	eax, [ebp+var_178]
		push	eax
		push	4
		lea	eax, [ebp+var_124]
		push	eax
		call	_ZwOpenSection@12 ; ZwOpenSection(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7D2D5D

loc_7D2C85:				; CODE XREF: NtGetNlsSectionPtr+2C3j
		mov	eax, ds:_MmSectionObjectType
		and	[ebp+var_12C], 0
		push	0
		lea	ecx, [ebp+var_12C]
		push	ecx
		push	0
		push	eax
		push	0F001Fh
		push	[ebp+var_124]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		push	[ebp+var_124]
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_7D2D49
		and	[ebp+var_160], 0
		and	[ebp+var_15C], 0
		cmp	[ebp+var_11D], 0
		jz	loc_8F4E46
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	2
		push	400000h
		push	1
		lea	ecx, [ebp+var_134]
		push	ecx
		lea	ecx, [ebp+var_160]
		push	ecx
		push	0
		push	0
		lea	ecx, [ebp+var_130]
		push	ecx
		push	eax
		mov	edi, [ebp+var_12C]
		push	edi
		call	MmMapViewOfSection

loc_7D2D18:				; CODE XREF: NtGetNlsSectionPtr+12230Aj
		mov	esi, eax
		mov	ecx, edi
		call	ObfDereferenceObject
		test	esi, esi
		js	short loc_7D2D49
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_130]
		mov	[ebx], eax
		mov	eax, [ebp+var_134]
		mov	ecx, [ebp+var_13C]
		mov	[ecx], eax

loc_7D2D42:				; CODE XREF: sub_8F4E78+9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D2D49:				; CODE XREF: NtGetNlsSectionPtr+166j
					; NtGetNlsSectionPtr+1CDj ...
		mov	eax, esi

loc_7D2D4B:				; CODE XREF: NtGetNlsSectionPtr+CCj
					; NtGetNlsSectionPtr+230j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7D2D5D:				; CODE XREF: NtGetNlsSectionPtr+129j
		and	[ebp+var_150], 0
		and	[ebp+var_14C], 0
		lea	eax, [ebp+var_150]
		push	eax		; int
		push	ecx		; int
		lea	eax, [ebp+var_11C]
		push	eax		; wchar_t *
		mov	edx, dword ptr [ebp+arg_4] ; char
		mov	ecx, edi	; int
		call	RtlpInitNlsFileName
		test	eax, eax
		js	short loc_7D2D4B
		mov	[ebp+var_190], 18h
		xor	ecx, ecx
		mov	[ebp+var_18C], ecx
		mov	[ebp+var_184], 240h
		lea	eax, [ebp+var_150]
		mov	[ebp+var_188], eax
		mov	[ebp+var_180], ecx
		mov	[ebp+var_17C], ecx
		push	ecx
		push	1
		lea	eax, [ebp+var_158]
		push	eax
		lea	eax, [ebp+var_190]
		push	eax
		push	100000h
		lea	eax, [ebp+var_128]
		push	eax
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	loc_7D2D4B
		push	[ebp+var_128]
		push	8000000h
		push	2
		push	0
		lea	eax, [ebp+var_178]
		push	eax
		push	4
		lea	eax, [ebp+var_124]
		push	eax
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	esi, eax
		push	[ebp+var_128]
		call	_ZwClose@4	; ZwClose(x)

loc_7D2E17:				; CODE XREF: NtGetNlsSectionPtr+2DCj
		test	esi, esi
		jns	loc_7D2C85
		jmp	loc_7D2D49
; 

loc_7D2E24:				; CODE XREF: NtGetNlsSectionPtr+10Aj
		cmp	edi, 0Ch
		jz	loc_7D2C66
		mov	esi, 0C0000001h
		jmp	short loc_7D2E17
NtGetNlsSectionPtr endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlpInitNlsSectionName(int,char,wchar_t *,int,int)
_RtlpInitNlsSectionName@20 proc	near	; CODE XREF: NtGetNlsSectionPtr+C5p

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		sub	ecx, 0Bh
		jnz	short loc_7D2E6A
		push	edx		; char
		push	offset ??_C@_1CI@HJIJDFAH@?$AA?2?$AAN?$AAL?$AAS?$AA?2?$AAN?$AAl?$AAs?$AAS?$AAe?$AAc?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@ ; wchar_t *

loc_7D2E45:				; CODE XREF: RtlpInitNlsSectionName(x,x,x,x,x)+41j
		push	40h		; int
		push	[ebp+arg_0]	; wchar_t *
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	short loc_7D2E65
		push	[ebp+arg_0]
		push	[ebp+arg_8]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_7D2E63:				; CODE XREF: RtlpInitNlsSectionName(x,x,x,x,x)+48j
		mov	eax, esi

loc_7D2E65:				; CODE XREF: RtlpInitNlsSectionName(x,x,x,x,x)+22j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_7D2E6A:				; CODE XREF: RtlpInitNlsSectionName(x,x,x,x,x)+9j
		sub	ecx, 1
		jnz	short loc_7D2E77
		push	edx
		push	(offset	loc_8BE8F1+1)
		jmp	short loc_7D2E45
; 

loc_7D2E77:				; CODE XREF: RtlpInitNlsSectionName(x,x,x,x,x)+39j
		mov	esi, 0C00000EFh
		jmp	short loc_7D2E63
_RtlpInitNlsSectionName@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlpInitNlsFileName(int,char,wchar_t *,int,int)
RtlpInitNlsFileName proc near		; CODE XREF: NtGetNlsSectionPtr+229p

var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_158		= byte ptr -158h
var_44		= dword	ptr -44h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F4E86 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 19Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		and	[ebp+var_184], 0
		and	[ebp+var_180], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_17C], eax
		push	6
		xor	eax, eax
		mov	[ebp+var_174], edx
		pop	ecx
		lea	edi, [ebp+var_19C]
		rep stosd
		xor	edi, edi
		mov	[ebp+var_178], edi
		mov	[ebp+var_168], edi
		sub	esi, 0Bh
		jnz	short loc_7D2F0E
		push	edx		; char
		push	offset ??_C@_1EA@HNKNGHFI@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@ ; wchar_t *
		push	40h		; int
		push	ebx		; wchar_t *
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	short loc_7D2EFD

loc_7D2EEF:				; CODE XREF: RtlpInitNlsFileName+18Bj
		push	ebx
		push	[ebp+var_17C]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_7D2EFB:				; CODE XREF: RtlpInitNlsFileName+F8j
					; RtlpInitNlsFileName+15Ej ...
		mov	eax, esi

loc_7D2EFD:				; CODE XREF: RtlpInitNlsFileName+6Fj
					; RtlpInitNlsFileName+122017j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_7D2F0E:				; CODE XREF: RtlpInitNlsFileName+58j
		sub	esi, 1
		jnz	loc_8F4E86
		push	offset ??_C@_1IK@PPFMMLKE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		lea	eax, [ebp+var_184]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_184]
		mov	[ebp+var_19C], 18h
		mov	[ebp+var_194], eax
		lea	eax, [ebp+var_19C]
		push	eax
		push	80000000h
		lea	eax, [ebp+var_168]
		mov	[ebp+var_198], edi
		push	eax
		mov	[ebp+var_190], 240h
		mov	[ebp+var_18C], edi
		mov	[ebp+var_188], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D2EFB
		push	40h
		pop	edi
		lea	eax, [ebp+var_44]
		mov	word ptr [ebp+var_170],	di
		mov	[ebp+var_16C], eax
		lea	eax, [ebp+var_170]
		push	eax
		push	10h
		push	[ebp+var_174]
		mov	word ptr [ebp+var_170+2], di
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		lea	eax, [ebp+var_178]
		push	eax
		push	120h
		lea	eax, [ebp+var_164]
		push	eax
		push	2
		lea	eax, [ebp+var_170]
		push	eax
		push	[ebp+var_168]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		push	[ebp+var_168]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_7D2EFB
		cmp	[ebp+var_160], 1
		jnz	loc_8F4E90
		lea	eax, [ebp+var_158]
		push	eax		; char
		push	offset ??_C@_1DA@DNHKEGIO@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@ ; "\\SystemRoot\\System32\\%s"
		push	edi		; int
		push	ebx		; wchar_t *
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		jns	loc_7D2EEF
		jmp	loc_7D2EFB
RtlpInitNlsFileName endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2183. RtlIntegerToUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIntegerToUnicodeString(x, x, x)
		public _RtlIntegerToUnicodeString@12
_RtlIntegerToUnicodeString@12 proc near	; CODE XREF: BapdpMarshallBootDataToRegistry+82B58p
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+924p ...

var_30		= word ptr -30h
var_2E		= word ptr -2Eh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [ebp+arg_8]
		lea	eax, [ebp+var_28]
		push	edi
		push	eax
		push	21h
		pop	edi
		push	edi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	RtlIntegerToChar
		test	eax, eax
		js	short loc_7D3070
		lea	eax, [ebp+var_28]
		mov	[ebp+var_2E], di
		mov	ecx, eax
		mov	[ebp+var_2C], eax
		lea	edx, [ecx+1]

loc_7D3057:				; CODE XREF: RtlIntegerToUnicodeString(x,x,x)+42j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_7D3057
		push	0
		lea	eax, [ebp-30h]
		sub	ecx, edx
		push	eax
		push	esi
		mov	[ebp+var_30], cx
		call	RtlAnsiStringToUnicodeString

loc_7D3070:				; CODE XREF: RtlIntegerToUnicodeString(x,x,x)+2Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_RtlIntegerToUnicodeString@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2181. RtlIntegerToChar

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIntegerToChar
RtlIntegerToChar proc near		; CODE XREF: RtlIntegerToUnicodeString(x,x,x)+25p
					; CmpInitializeRegistryNode+BCp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_1F		= dword	ptr -1Fh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F4E9A SIZE 00000036 BYTES

		push	3Ch
		push	offset dword_6A3F70
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_44], eax
		mov	ebx, [ebp+arg_4]
		mov	eax, ebx
		sub	eax, 0
		jz	loc_7D3148
		dec	eax
		sub	eax, 1
		jz	loc_8F4E9A
		sub	eax, 6
		jz	loc_7D316D
		dec	eax
		sub	eax, 1
		jnz	loc_7D3153

loc_7D30C3:				; CODE XREF: RtlIntegerToChar+C8j
		xor	ecx, ecx
		xor	esi, esi

loc_7D30C7:				; CODE XREF: RtlIntegerToChar+DBj
		lea	edx, [ebp+var_1F]
		mov	[ebp+var_48], edx
		mov	edi, [ebp+arg_0]

loc_7D30D0:				; CODE XREF: RtlIntegerToChar+6Cj
		test	ecx, ecx
		jnz	short loc_7D3140
		mov	eax, edi
		xor	edx, edx
		div	ebx
		mov	ebx, edx
		mov	edi, eax
		mov	edx, [ebp+var_48]

loc_7D30E1:				; CODE XREF: RtlIntegerToChar+C0j
		dec	edx
		mov	[ebp+var_48], edx
		mov	al, ds:_RtlpIntegerChars[ebx]
		mov	[edx], al
		test	edi, edi
		mov	ebx, [ebp+arg_4]
		jnz	short loc_7D30D0
		lea	ebx, [ebp+var_1F]
		sub	ebx, edx
		mov	edi, [ebp+arg_8]
		mov	eax, [ebp+var_44]
		test	edi, edi
		js	loc_8F4EA4

loc_7D3107:				; CODE XREF: RtlIntegerToChar+121E45j
		cmp	ebx, edi

loc_7D3109:				; CODE XREF: RtlIntegerToChar+121E22j
		jg	short loc_7D3171
		and	[ebp+ms_exc.disabled], 0
		push	ebx		; size_t
		push	edx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	ebx, edi
		jge	short loc_7D3125
		mov	eax, [ebp+var_44]
		mov	byte ptr [eax+ebx], 0

loc_7D3125:				; CODE XREF: RtlIntegerToChar+96j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax

loc_7D312E:				; CODE XREF: RtlIntegerToChar+E5j
					; RtlIntegerToChar+F0j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7D3140:				; CODE XREF: RtlIntegerToChar+4Cj
		mov	ebx, esi
		and	ebx, edi
		shr	edi, cl
		jmp	short loc_7D30E1
; 

loc_7D3148:				; CODE XREF: RtlIntegerToChar+1Aj
		push	0Ah
		pop	ebx
		mov	[ebp+arg_4], ebx
		jmp	loc_7D30C3
; 

loc_7D3153:				; CODE XREF: RtlIntegerToChar+37j
		sub	eax, 6
		jnz	short loc_7D3166
		push	4

loc_7D315A:				; CODE XREF: RtlIntegerToChar+E9j
		pop	ecx
		xor	esi, esi
		inc	esi

loc_7D315E:				; CODE XREF: RtlIntegerToChar+121E19j
		shl	esi, cl
		dec	esi
		jmp	loc_7D30C7
; 

loc_7D3166:				; CODE XREF: RtlIntegerToChar+D0j
		mov	eax, 0C000000Dh
		jmp	short loc_7D312E
; 

loc_7D316D:				; CODE XREF: RtlIntegerToChar+2Dj
		push	3
		jmp	short loc_7D315A
; 

loc_7D3171:				; CODE XREF: RtlIntegerToChar:loc_7D3109j
		mov	eax, 80000005h
		jmp	short loc_7D312E
RtlIntegerToChar endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnQueryPrefetcherInformation proc near ; CODE	XREF: PAGE:00780321p

var_1D4		= dword	ptr -1D4h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F4EF0 SIZE 00000023 BYTES
; FUNCTION CHUNK AT 008F4F26 SIZE 0000000A BYTES

		push	1C4h
		push	offset dword_6A3F90
		call	__SEH_prolog4_GS
		mov	esi, edx
		push	[ebp+arg_4]
		push	ds:dword_A949EC
		push	ds:_SeProfileSingleProcessPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_8F4EF0
		push	14h
		pop	ecx
		cmp	[ebp+arg_0], ecx
		jnz	loc_8F4EFA
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], ebx
		push	5
		pop	ecx
		lea	edi, [ebp+var_3C]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_3C], 1
		jnz	loc_8F4F26
		cmp	[ebp+var_38], 6B756843h
		jnz	loc_8F4F26
		mov	eax, [ebp+var_34]
		sub	eax, 1
		jnz	short loc_7D3208
		push	[ebp+arg_8]
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_30]
		call	PfSnGetCompletedTrace
		mov	ebx, eax

loc_7D31F4:				; CODE XREF: PfSnQueryPrefetcherInformation+145j
					; PfSnQueryPrefetcherInformation+121D7Dj ...
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7D3208:				; CODE XREF: PfSnQueryPrefetcherInformation+6Aj
		sub	eax, 1
		jnz	loc_8F4F09
		cmp	[ebp+var_2C], 198h
		jnz	loc_8F4F26
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D4858
		call	ExAcquirePushLockSharedEx
		push	66h
		pop	ecx
		mov	esi, offset dword_6D46C0
		lea	edi, [ebp+var_1D4]
		rep movsd
		xor	ecx, ecx
		push	11h
		pop	eax
		mov	esi, offset unk_6D4858
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_7D3262
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7D3262:				; CODE XREF: PfSnQueryPrefetcherInformation+E1j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	[ebp+ms_exc.disabled], 1
		cmp	byte ptr [ebp+arg_4], 0
		jz	short loc_7D329F
		mov	eax, [ebp+var_30]
		test	al, 7
		jnz	short loc_7D32C2
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	short loc_7D32C7

loc_7D328C:				; CODE XREF: PfSnQueryPrefetcherInformation+151j
		mov	al, [eax]
		mov	edx, [ebp+var_30]
		mov	[edx], al
		mov	al, [edx+190h]
		mov	[edx+190h], al

loc_7D329F:				; CODE XREF: PfSnQueryPrefetcherInformation+101j
		push	66h
		pop	ecx
		lea	esi, [ebp+var_1D4]
		mov	edi, [ebp+var_30]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 198h
		jmp	loc_7D31F4
; 

loc_7D32C2:				; CODE XREF: PfSnQueryPrefetcherInformation+108j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7D32C7:				; CODE XREF: PfSnQueryPrefetcherInformation+112j
		mov	[ecx], bl
		jmp	short loc_7D328C
PfSnQueryPrefetcherInformation endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnGetCompletedTrace proc near		; CODE XREF: PfSnQueryPrefetcherInformation+75p

var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F4F78 SIZE 0000012E BYTES

		push	1Ch
		push	offset dword_6A3FB8
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_19], 1
		mov	edi, offset dword_6D4964
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	dword_6D4988, 2
		mov	esi, dword_6D495C
		mov	ebx, offset dword_6D495C
		cmp	esi, ebx
		jz	loc_7D33C2
		mov	[ebp+var_2C], esi
		mov	ecx, [esi+10h]
		cmp	ecx, [ebp+var_20]
		ja	loc_7D33C9
		mov	eax, [esi]
		cmp	[esi+4], ebx
		jnz	loc_7D33D5
		cmp	[eax+4], esi
		jnz	loc_7D33D5
		mov	dword_6D495C, eax
		mov	[eax+4], ebx
		dec	dword_6D4984
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	[ebp+var_19], 0
		xor	edi, edi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		and	[ebp+ms_exc.disabled], edi
		test	al, al
		jz	short loc_7D3369
		push	8
		push	[ebp+var_20]
		push	[ebp+var_24]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_7D3369:				; CODE XREF: PfSnGetCompletedTrace+8Ej
		push	dword ptr [esi+10h] ; size_t
		lea	eax, [esi+8]
		push	eax		; void *
		push	[ebp+var_24]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D3382:				; CODE XREF: sub_8F4F5E+15j
		test	edi, edi
		js	loc_8F4F78
		mov	ecx, [esi+10h]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi

loc_7D339C:				; CODE XREF: PfSnGetCompletedTrace+FBj
					; PfSnGetCompletedTrace+107j ...
		cmp	[ebp+var_19], 0
		jnz	short loc_7D33B6

loc_7D33A2:				; CODE XREF: PfSnGetCompletedTrace+F4j
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7D33B6:				; CODE XREF: PfSnGetCompletedTrace+D4j
		mov	ecx, offset dword_6D4964
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	short loc_7D33A2
; 

loc_7D33C2:				; CODE XREF: PfSnGetCompletedTrace+39j
		mov	edi, 8000001Ah
		jmp	short loc_7D339C
; 

loc_7D33C9:				; CODE XREF: PfSnGetCompletedTrace+48j
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	edi, 0C0000023h
		jmp	short loc_7D339C
; 

loc_7D33D5:				; CODE XREF: PfSnGetCompletedTrace+53j
					; PfSnGetCompletedTrace+5Cj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

SeAuditHandleCreation:			; CODE XREF: ObDuplicateObject+49Ep
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+ms_exc.prev_er], edx
		xor	ebx, ebx
		mov	esi, ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [edi+30h]
		mov	[ebp+ms_exc.msEH_ptr], eax
		cmp	[ebp+arg_0], ebx
		jnz	short loc_7D340F
		mov	eax, [eax+30h]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	short loc_7D340C
		mov	eax, [edi+2Ch]
		mov	[ebp+arg_0], eax

loc_7D340C:				; CODE XREF: PfSnGetCompletedTrace+138j
		mov	eax, [ebp+ms_exc.msEH_ptr]

loc_7D340F:				; CODE XREF: PfSnGetCompletedTrace+12Ej
		cmp	[edi+9], bl
		jnz	loc_8F4FAD
		cmp	[eax+0C0h], bl
		jnz	loc_8F4FD9

loc_7D3424:				; CODE XREF: PfSnGetCompletedTrace+121D08j
					; PfSnGetCompletedTrace+121DD5j
		mov	[edi+0Ah], bl
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PfSnGetCompletedTrace endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1581. NtRequestWaitReplyPort

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtRequestWaitReplyPort
NtRequestWaitReplyPort proc near	; DATA XREF: .text:00580D54o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	14h
		push	offset dword_6A3FD8
		call	__SEH_prolog4
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_20], bl
		mov	eax, ds:_AlpcPortObjectType
		and	[ebp+var_1C], 0
		push	0
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_20]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D34D9
		xor	edx, edx
		test	bl, bl
		jz	loc_7D350E
		mov	[ebp+ms_exc.disabled], edx
		mov	ecx, [ebp+arg_8]
		test	cl, 3
		jnz	short loc_7D3505
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_7D350A

loc_7D349E:				; CODE XREF: NtRequestWaitReplyPort+D8j
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+14h]
		mov	[ecx+14h], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D34AF:				; CODE XREF: NtRequestWaitReplyPort+DDj
		push	[ebp+var_20]
		push	edx
		push	edx
		push	edx
		push	ecx
		push	edx
		push	[ebp+arg_4]
		mov	edx, 20000h
		mov	ecx, [ebp+var_1C]
		call	_AlpcpProcessSynchronousRequest@36 ; AlpcpProcessSynchronousRequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000703h
		jz	short loc_7D3513

loc_7D34D1:				; CODE XREF: NtRequestWaitReplyPort+E4j
		cmp	esi, 0C0000701h
		jz	short loc_7D351A

loc_7D34D9:				; CODE XREF: NtRequestWaitReplyPort+4Aj
					; NtRequestWaitReplyPort+EBj ...
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jz	short loc_7D34E5
		call	ObfDereferenceObject

loc_7D34E5:				; CODE XREF: NtRequestWaitReplyPort+AAj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7D3505:				; CODE XREF: NtRequestWaitReplyPort+5Fj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7D350A:				; CODE XREF: NtRequestWaitReplyPort+68j
		mov	[eax], dl
		jmp	short loc_7D349E
; 

loc_7D350E:				; CODE XREF: NtRequestWaitReplyPort+50j
		mov	ecx, [ebp+arg_8]
		jmp	short loc_7D34AF
; 

loc_7D3513:				; CODE XREF: NtRequestWaitReplyPort+9Bj
		mov	esi, 0C0000037h
		jmp	short loc_7D34D1
; 

loc_7D351A:				; CODE XREF: NtRequestWaitReplyPort+A3j
		mov	esi, 0C0000253h
		jmp	short loc_7D34D9
NtRequestWaitReplyPort endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWin32DeleteProcedure(x)
_ExpWin32DeleteProcedure@4 proc	near	; DATA XREF: ExpWin32Initialization()+67o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_4], esi
		mov	eax, [esi]
		mov	[ebp+arg_0], eax
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		pop	esi
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, ds:_ExActivationObjectType
		jz	short loc_7D3589
		cmp	eax, ds:_ExCoreMessagingObjectType
		jz	short loc_7D3597
		cmp	eax, ds:_ExRawInputManagerObjectType
		jz	short loc_7D35A5
		cmp	eax, ds:_ExCompositionObjectType
		jnz	short loc_7D35B3
		lea	eax, [ebp+arg_0]
		push	eax
		push	1
		lea	eax, [ebp+var_4]
		push	eax
		push	15h

loc_7D3580:				; CODE XREF: ExpWin32DeleteProcedure(x)+73j
					; ExpWin32DeleteProcedure(x)+81j ...
		call	PsInvokeWin32Callout

locret_7D3585:				; CODE XREF: ExpWin32DeleteProcedure(x)+ADj
		leave
		retn	4
; 

loc_7D3589:				; CODE XREF: ExpWin32DeleteProcedure(x)+38j
		lea	eax, [ebp+arg_0]
		push	eax
		push	1
		lea	eax, [ebp+var_4]
		push	eax
		push	28h
		jmp	short loc_7D3580
; 

loc_7D3597:				; CODE XREF: ExpWin32DeleteProcedure(x)+40j
		lea	eax, [ebp+arg_0]
		push	eax
		push	1
		lea	eax, [ebp+var_4]
		push	eax
		push	24h
		jmp	short loc_7D3580
; 

loc_7D35A5:				; CODE XREF: ExpWin32DeleteProcedure(x)+48j
		lea	eax, [ebp+arg_0]
		push	eax
		push	1
		lea	eax, [ebp+var_4]
		push	eax
		push	1Eh
		jmp	short loc_7D3580
; 

loc_7D35B3:				; CODE XREF: ExpWin32DeleteProcedure(x)+50j
		cmp	eax, ds:_ExDesktopObjectType
		jnz	short loc_7D35C9
		lea	eax, [ebp+arg_0]
		push	eax
		push	1
		lea	eax, [ebp+var_4]
		push	eax
		push	0Bh
		jmp	short loc_7D3580
; 

loc_7D35C9:				; CODE XREF: ExpWin32DeleteProcedure(x)+97j
		cmp	eax, ds:_ExWindowStationObjectType
		jnz	short locret_7D3585
		lea	eax, [ebp+arg_0]
		push	eax
		push	1
		lea	eax, [ebp+var_4]
		push	eax
		push	0Eh
		jmp	short loc_7D3580
_ExpWin32DeleteProcedure@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateNamedPipeFile proc near		; DATA XREF: .text:00581138o

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_23		= dword	ptr -23h
var_1F		= word ptr -1Fh
var_1D		= byte ptr -1Dh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch

; FUNCTION CHUNK AT 008F50E6 SIZE 00000010 BYTES

		push	38h
		push	offset dword_6A3FF8
		call	__SEH_prolog4_GS
		mov	esi, [ebp+arg_0]
		mov	edi, [ebp+arg_8]
		mov	ebx, [ebp+arg_C]
		mov	ecx, [ebp+arg_34]
		xor	edx, edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_23], edx
		xor	eax, eax
		mov	[ebp+var_1F], ax
		mov	[ebp+var_1D], dl
		test	ecx, ecx
		jz	loc_7D36B7
		mov	[ebp+var_24], 1
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	loc_8F50E6
		mov	[ebp+ms_exc.disabled], edx
		mov	edx, ecx
		test	cl, 3
		jnz	short loc_7D36AE
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_7D36B3

loc_7D363F:				; CODE XREF: NtCreateNamedPipeFile+D5j
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	[ebp+var_2C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_28], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	edx, edx

loc_7D3656:				; CODE XREF: NtCreateNamedPipeFile+DAj
					; NtCreateNamedPipeFile+121B11j
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_28]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_2C]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_30]
		mov	[ebp+var_30], eax
		push	edx		; void *
		push	edx		; int
		push	edx		; int
		lea	eax, [ebp+var_44]
		push	eax		; int
		push	1		; int
		push	edx		; int
		push	edx		; void *
		push	[ebp+arg_18]	; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	edx		; int
		push	edx		; int
		push	ebx		; int
		push	edi		; int
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		call	_IopCreateFile@64 ; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)

loc_7D369C:				; CODE XREF: sub_8F50D4+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	38h
; 

loc_7D36AE:				; CODE XREF: NtCreateNamedPipeFile+54j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7D36B3:				; CODE XREF: NtCreateNamedPipeFile+5Dj
		mov	edx, eax
		jmp	short loc_7D363F
; 

loc_7D36B7:				; CODE XREF: NtCreateNamedPipeFile+2Ej
		mov	[ebp+var_24], dl
		jmp	short loc_7D3656
NtCreateNamedPipeFile endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpCreateServerAcl(void *,void	*,int)
_RtlpCreateServerAcl@20	proc near	; CODE XREF: RtlpNewSecurityObject+10F9p
					; RtlpSetSecurityObject+EE96Ep

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	[ebp+var_1], dl
		xor	ebx, ebx
		mov	edx, ecx
		mov	[ebp+var_14], edx
		push	8
		pop	ecx
		mov	[ebp+var_8], ecx
		test	edx, edx
		jnz	short loc_7D36EA
		mov	eax, [ebp+arg_8]
		mov	[eax], bl
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		xor	eax, eax
		jmp	loc_7D38F8
; 

loc_7D36EA:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+1Bj
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		lea	edi, [edx+8]
		mov	[ebp+var_10], ebx
		movzx	eax, byte ptr [eax+1]
		mov	esi, edi
		movzx	edx, word ptr [edx+4]
		add	ax, 2
		shl	ax, 2
		movzx	eax, ax
		mov	[ebp+var_C], eax
		mov	[ebp+var_1C], edx
		test	edx, edx
		jz	loc_7D37B5

loc_7D3718:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+F4j
		mov	dl, [esi]
		test	dl, dl
		jnz	short loc_7D373D
		lea	edx, [ebp+var_8]
		push	edx
		mov	edx, eax
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		test	eax, eax
		js	loc_7D38F6
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		pop	edx
		jmp	short loc_7D376C
; 

loc_7D373D:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+60j
		cmp	[ebp+var_1], bl
		jz	short loc_7D377C
		cmp	dl, 4
		jnz	short loc_7D377C
		movzx	edx, byte ptr [esi+0Dh]
		shl	dx, 2
		lea	eax, [edx+8]
		cmp	ax, word ptr [ebp+var_C]
		jbe	short loc_7D375D
		sub	eax, [ebp+var_C]
		jmp	short loc_7D3765
; 

loc_7D375D:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+9Aj
		mov	eax, [ebp+var_C]
		sub	eax, edx
		sub	eax, 8

loc_7D3765:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+9Fj
		movzx	edx, ax
		lea	eax, [ebp+var_8]
		push	eax

loc_7D376C:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+7Fj
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		test	eax, eax
		js	loc_7D38F6
		mov	ecx, [ebp+var_8]

loc_7D377C:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+84j
					; RtlpCreateServerAcl(x,x,x,x,x)+89j
		movzx	eax, word ptr [esi+2]
		lea	edx, [ebp+var_8]
		push	edx
		mov	edx, eax
		mov	[ebp+var_18], eax
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		test	eax, eax
		js	loc_7D38F6
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_18]
		inc	ecx
		movzx	eax, ax
		add	esi, eax
		mov	[ebp+var_10], ecx
		cmp	ecx, [ebp+var_1C]
		mov	ecx, [ebp+var_8]
		jnb	short loc_7D37B5
		mov	eax, [ebp+var_C]
		jmp	loc_7D3718
; 

loc_7D37B5:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+56j
					; RtlpCreateServerAcl(x,x,x,x,x)+EFj
		push	63416553h
		movzx	esi, cx
		xor	eax, eax
		push	esi
		inc	eax
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		test	ecx, ecx
		jnz	short loc_7D37DC
		mov	eax, 0C000009Ah
		jmp	loc_7D38F6
; 

loc_7D37DC:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+114j
		mov	eax, [ebp+arg_8]
		push	3		; int
		push	esi		; size_t
		push	ecx		; void *
		mov	byte ptr [eax],	1
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		lea	esi, [eax+8]
		mov	eax, [ebp+var_14]
		movzx	eax, word ptr [eax+4]
		mov	ecx, eax
		cmp	dx, ax
		jnb	loc_7D38ED

loc_7D380A:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+22Bj
		mov	al, [edi]
		test	al, al
		jz	short loc_7D3836
		cmp	[ebp+var_1], 0
		jz	short loc_7D381A
		cmp	al, 4
		jz	short loc_7D3836

loc_7D381A:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+158j
		movzx	eax, word ptr [edi+2]
		push	eax		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcpy
		movzx	ecx, word ptr [edi+2]
		add	esp, 0Ch
		add	esi, ecx
		mov	eax, ecx
		jmp	loc_7D38D8
; 

loc_7D3836:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+152j
					; RtlpCreateServerAcl(x,x,x,x,x)+15Cj
		mov	[ebp+arg_8], esi
		test	al, al
		jnz	short loc_7D3842
		lea	eax, [edi+8]
		jmp	short loc_7D3850
; 

loc_7D3842:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+17Fj
		lea	eax, [edi+0Ch]
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 0Ch
		add	eax, edi

loc_7D3850:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+184j
		mov	ecx, [ebp+arg_0]
		mov	[ebp+arg_4], eax
		mov	eax, [edi]
		mov	[esi], eax
		mov	eax, [edi+4]
		mov	[esi+4], eax
		add	esi, 0Ch
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	al, [eax+1]
		add	al, 2
		shl	al, 2
		movzx	eax, al
		add	esi, eax
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_4]
		add	esp, 18h
		mov	cl, [eax+1]
		movzx	eax, cl
		lea	esi, [esi+eax*4]
		mov	eax, [ebp+arg_0]
		add	esi, 8
		movzx	edx, byte ptr [eax+1]
		movzx	eax, cl
		add	dx, 7
		add	dx, ax
		xor	ecx, ecx
		mov	eax, [ebp+arg_8]
		shl	dx, 2
		inc	ecx
		mov	[eax+2], dx
		mov	byte ptr [eax],	4
		mov	[eax+8], cx
		movzx	eax, word ptr [edi+2]

loc_7D38D8:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+175j
		movzx	eax, ax
		inc	ebx
		add	edi, eax
		mov	eax, [ebp+var_14]
		movzx	ecx, word ptr [eax+4]
		cmp	ebx, ecx
		jb	loc_7D380A

loc_7D38ED:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+148j
		mov	eax, [ebp+var_1C]
		mov	[eax+4], cx
		xor	eax, eax

loc_7D38F6:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+6Fj
					; RtlpCreateServerAcl(x,x,x,x,x)+B7j ...
		pop	edi
		pop	esi

loc_7D38F8:				; CODE XREF: RtlpCreateServerAcl(x,x,x,x,x)+29j
		pop	ebx
		leave
		retn	0Ch
_RtlpCreateServerAcl@20	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPopulateKeyFullInformation(x, x,	x, x, x, x)
_CmpPopulateKeyFullInformation@24 proc near
					; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+376p
					; CmpQueryKeyDataFromNode+213p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_4], edx
		mov	edx, ecx
		lea	ebx, [esi+2Ch]
		mov	[eax], ebx
		cmp	edi, 2Ch
		jb	short loc_7D397A
		mov	ecx, [ebp+arg_4]
		mov	eax, [edx]
		mov	[ecx], eax
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		mov	eax, [edx+18h]
		mov	[ecx+18h], eax
		mov	eax, [edx+1Ch]
		mov	[ecx+1Ch], eax
		mov	eax, [edx+24h]
		mov	[ecx+24h], eax
		mov	eax, [edx+28h]
		mov	[ecx+28h], eax
		mov	eax, [edx+8]
		mov	[ecx+8], eax
		mov	[ecx+10h], esi
		mov	eax, [edx+14h]
		mov	[ecx+14h], eax
		mov	eax, [edx+20h]
		mov	[ecx+20h], eax
		xor	eax, eax
		cmp	eax, esi
		sbb	eax, eax
		and	eax, 2Dh
		dec	eax
		mov	[ecx+0Ch], eax
		test	esi, esi
		jnz	short loc_7D3981

loc_7D396A:				; CODE XREF: CmpPopulateKeyFullInformation(x,x,x,x,x,x)+9Aj
		cmp	edi, ebx
		sbb	eax, eax
		and	eax, 80000005h

loc_7D3973:				; CODE XREF: CmpPopulateKeyFullInformation(x,x,x,x,x,x)+81j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7D397A:				; CODE XREF: CmpPopulateKeyFullInformation(x,x,x,x,x,x)+1Fj
		mov	eax, 0C0000023h
		jmp	short loc_7D3973
; 

loc_7D3981:				; CODE XREF: CmpPopulateKeyFullInformation(x,x,x,x,x,x)+6Aj
		lea	eax, [edi-2Ch]
		cmp	eax, esi
		jbe	short loc_7D399A

loc_7D3988:				; CODE XREF: CmpPopulateKeyFullInformation(x,x,x,x,x,x)+9Ej
		push	esi		; size_t
		push	[ebp+var_4]	; void *
		lea	eax, [ecx+2Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_7D396A
; 

loc_7D399A:				; CODE XREF: CmpPopulateKeyFullInformation(x,x,x,x,x,x)+88j
		mov	esi, eax
		jmp	short loc_7D3988
_CmpPopulateKeyFullInformation@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlAcquirePrivilege proc near		; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BE0p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F50F6 SIZE 000000B2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], ecx
		push	esi
		push	edi
		test	ebx, 0FFFFFFFCh
		jnz	loc_8F50F6
		test	bl, 2
		jnz	loc_8F5100

loc_7D39CB:				; CODE XREF: RtlAcquirePrivilege+121765j
		lea	eax, [edx-1]
		imul	eax, 0Ch
		push	62507452h
		add	eax, 424h
		push	eax
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		test	esi, esi
		jz	loc_8F5108
		mov	eax, large fs:124h
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		and	dword ptr [esi+10h], 0
		mov	eax, [eax+2FCh]
		test	al, 8
		jz	short loc_7D3A40
		test	bl, 1
		jz	loc_8F5112
		push	4
		lea	edx, [esi+4]
		pop	ecx
		call	RtlpOpenThreadToken
		mov	edi, eax
		test	edi, edi
		js	loc_7D3B30
		or	dword ptr [esi+10h], 1
		lea	eax, [ebp+arg_0]
		and	[ebp+arg_0], 0
		push	4
		push	eax
		push	5
		push	0FFFFFFFEh
		call	_ZwSetInformationThread@16 ; ZwSetInformationThread(x,x,x,x)

loc_7D3A40:				; CODE XREF: RtlAcquirePrivilege+6Bj
					; RtlAcquirePrivilege+121788j
		cmp	dword ptr [esi], 0
		jnz	short loc_7D3A68
		push	esi
		test	bl, 2
		jnz	loc_8F512B
		push	28h
		pop	edx
		push	3
		pop	ecx
		call	_RtlImpersonateSelfEx@12 ; RtlImpersonateSelfEx(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7D3B0F
		or	dword ptr [esi+10h], 1

loc_7D3A68:				; CODE XREF: RtlAcquirePrivilege+A5j
					; RtlAcquirePrivilege+1217A9j
		mov	ebx, [ebp+var_8]
		lea	eax, [esi+414h]
		lea	ecx, [esi+14h]
		mov	[esi+0Ch], eax
		xor	edi, edi
		mov	[esi+8], ecx
		mov	[eax], ebx
		test	ebx, ebx
		jz	short loc_7D3AA8
		xor	edx, edx

loc_7D3A84:				; CODE XREF: RtlAcquirePrivilege+108j
		mov	ecx, [esi+0Ch]
		lea	edx, [edx+0Ch]
		mov	eax, [ebp+var_C]
		mov	eax, [eax+edi*4]
		mov	[edx+ecx-8], eax
		and	dword ptr [edx+ecx-4], 0
		inc	edi
		mov	eax, [esi+0Ch]
		mov	dword ptr [edx+eax], 2
		cmp	edi, ebx
		jb	short loc_7D3A84

loc_7D3AA8:				; CODE XREF: RtlAcquirePrivilege+E2j
		mov	ecx, 400h
		lea	eax, [ebp+var_4]
		push	eax
		mov	[ebp+var_4], ecx
		push	dword ptr [esi+8]
		push	ecx
		push	dword ptr [esi+0Ch]
		push	0
		push	dword ptr [esi]
		call	_ZwAdjustPrivilegesToken@24 ; ZwAdjustPrivilegesToken(x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jz	loc_8F5178

loc_7D3AD2:				; CODE XREF: RtlAcquirePrivilege+1217CAj
					; RtlAcquirePrivilege+1217F8j
		cmp	edi, 106h
		jz	short loc_7D3AEC

loc_7D3ADA:				; CODE XREF: RtlAcquirePrivilege+1A0j
		test	edi, edi
		js	short loc_7D3AF6
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		xor	eax, eax

loc_7D3AE5:				; CODE XREF: RtlAcquirePrivilege+19Cj
					; RtlAcquirePrivilege+12175Dj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7D3AEC:				; CODE XREF: RtlAcquirePrivilege+13Aj
		cmp	ebx, 1
		jnz	short loc_7D3B3C
		mov	edi, 0C0000061h

loc_7D3AF6:				; CODE XREF: RtlAcquirePrivilege+13Ej
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_7D3B08
		lea	ecx, [esi+14h]
		cmp	eax, ecx
		jnz	loc_8F519B

loc_7D3B08:				; CODE XREF: RtlAcquirePrivilege+15Dj
					; RtlAcquirePrivilege+121805j
		push	dword ptr [esi]
		call	_ZwClose@4	; ZwClose(x)

loc_7D3B0F:				; CODE XREF: RtlAcquirePrivilege+C0j
					; RtlAcquirePrivilege+12179Fj
		test	byte ptr [esi+10h], 1
		jz	short loc_7D3B30
		push	4
		lea	ebx, [esi+4]
		push	ebx
		push	5
		push	0FFFFFFFEh
		call	_ZwSetInformationThread@16 ; ZwSetInformationThread(x,x,x,x)
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_7D3B30
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_7D3B30:				; CODE XREF: RtlAcquirePrivilege+85j
					; RtlAcquirePrivilege+175j ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	short loc_7D3AE5
; 

loc_7D3B3C:				; CODE XREF: RtlAcquirePrivilege+151j
		xor	edi, edi
		jmp	short loc_7D3ADA
RtlAcquirePrivilege endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlImpersonateSelfEx(x, x, x)
_RtlImpersonateSelfEx@12 proc near	; CODE XREF: CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+11Dp
					; RtlAcquirePrivilege+B7p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_A		= word ptr -0Ah
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		xor	edx, edx
		xor	eax, eax
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_A], ax
		test	edi, edi
		jz	loc_7D3C0B

loc_7D3B70:				; CODE XREF: RtlImpersonateSelfEx(x,x,x)+CDj
		xor	eax, eax
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], eax
		mov	edx, 200h
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	edx
		push	2
		push	0FFFFFFFFh
		mov	[ebp+var_34], 18h
		mov	[ebp+var_28], edx
		mov	[ebp+var_14], 0Ch
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], 1
		call	_ZwOpenProcessTokenEx@16 ; ZwOpenProcessTokenEx(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D3BF8
		lea	eax, [ebp+var_18]
		or	ebx, 4
		push	eax
		push	2
		push	0
		lea	eax, [ebp+var_34]
		push	eax
		push	ebx
		push	[ebp+var_1C]
		call	_ZwDuplicateToken@24 ; ZwDuplicateToken(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D3BF0
		push	4
		lea	eax, [ebp+var_18]
		push	eax
		push	5
		push	0FFFFFFFEh
		call	_ZwSetInformationThread@16 ; ZwSetInformationThread(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D3C1A
		test	edi, edi
		jz	short loc_7D3C1A
		mov	eax, [ebp+var_18]
		mov	[edi], eax

loc_7D3BF0:				; CODE XREF: RtlImpersonateSelfEx(x,x,x)+90j
					; RtlImpersonateSelfEx(x,x,x)+E2j
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_7D3BF8:				; CODE XREF: RtlImpersonateSelfEx(x,x,x)+72j
		mov	eax, esi

loc_7D3BFA:				; CODE XREF: RtlImpersonateSelfEx(x,x,x)+D8j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7D3C0B:				; CODE XREF: RtlImpersonateSelfEx(x,x,x)+2Aj
		test	ebx, ebx
		jz	loc_7D3B70
		mov	eax, 0C00000F0h
		jmp	short loc_7D3BFA
; 

loc_7D3C1A:				; CODE XREF: RtlImpersonateSelfEx(x,x,x)+A5j
					; RtlImpersonateSelfEx(x,x,x)+A9j
		push	[ebp+var_18]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_7D3BF0
_RtlImpersonateSelfEx@12 endp


;  S U B	R O U T	I N E 


RtlpOpenThreadToken proc near		; CODE XREF: RtlAcquirePrivilege+7Cp
					; RtlAcquirePrivilege+121779p

; FUNCTION CHUNK AT 008F51A8 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	ebx, 200h
		push	esi
		push	ebx
		push	1
		mov	edi, ecx
		push	edi
		push	0FFFFFFFEh
		call	_ZwOpenThreadTokenEx@20	; ZwOpenThreadTokenEx(x,x,x,x,x)
		test	eax, eax
		js	loc_8F51A8

loc_7D3C46:				; CODE XREF: RtlpOpenThreadToken+121590j
		pop	edi
		pop	esi
		pop	ebx
		retn
RtlpOpenThreadToken endp

; 
		align 10h
; Exported entry 1909. PsSetProcessPriorityByClass

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetProcessPriorityByClass(x, x)
		public _PsSetProcessPriorityByClass@8
_PsSetProcessPriorityByClass@8 proc near ; CODE	XREF: PAGE:007A731Ep
					; PAGE:007A73C3p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	2
		pop	edx
		cmp	[ebp+arg_4], edx
		jz	short loc_7D3C72
		cmp	[ebp+arg_4], 1
		push	0
		setz	dl
		call	_PspSetProcessForegroundBackgroundRequest@12 ; PspSetProcessForegroundBackgroundRequest(x,x,x)

loc_7D3C6E:				; CODE XREF: PsSetProcessPriorityByClass(x,x)+27j
		pop	ebp
		retn	8
; 

loc_7D3C72:				; CODE XREF: PsSetProcessPriorityByClass(x,x)+Ej
		call	_PspSetProcessPriorityByClass@8	; PspSetProcessPriorityByClass(x,x)
		jmp	short loc_7D3C6E
_PsSetProcessPriorityByClass@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetProcessForegroundBackgroundRequest(x,	x, x)
_PspSetProcessForegroundBackgroundRequest@12 proc near ; CODE XREF: PAGE:007AADA6p
					; PsSetProcessPriorityByClass(x,x)+19p

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	bh, [ebp+arg_0]
		xor	eax, eax
		test	bh, bh
		mov	[ebp+var_4], ecx
		push	esi
		setnz	al
		mov	bl, dl
		dec	eax
		push	edi
		mov	edi, large fs:124h
		and	eax, 0FFFF0000h
		add	eax, 20000h
		mov	dword ptr [ebp+arg_0], eax
		dec	word ptr [edi+13Ch]
		nop
		lea	esi, [ecx+0E0h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+var_4]
		mov	eax, dword ptr [ebp+arg_0]
		add	edx, 3A8h
		test	bl, bl
		jnz	short loc_7D3D1B
		mov	ecx, [edx]
		not	eax
		lock and [edx],	eax
		xor	eax, eax
		mov	edx, 10000h
		test	bh, bh
		setnz	al
		dec	eax
		and	eax, edx
		add	eax, edx
		and	eax, ecx
		neg	eax
		sbb	eax, eax
		and	eax, 1

loc_7D3CEF:				; CODE XREF: PspSetProcessForegroundBackgroundRequest(x,x,x)+A7j
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		call	_PspSetProcessPriorityByClass@8	; PspSetProcessPriorityByClass(x,x)
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7D3D23

loc_7D3D06:				; CODE XREF: PspSetProcessForegroundBackgroundRequest(x,x,x)+B0j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7D3D1B:				; CODE XREF: PspSetProcessForegroundBackgroundRequest(x,x,x)+52j
		lock or	[edx], eax
		xor	eax, eax
		inc	eax
		jmp	short loc_7D3CEF
; 

loc_7D3D23:				; CODE XREF: PspSetProcessForegroundBackgroundRequest(x,x,x)+8Aj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7D3D06
_PspSetProcessForegroundBackgroundRequest@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpDoLocalizeNextHive proc near		; DATA XREF: .data:006B160Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F51B9 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, dword_6B161C
		mov	ecx, (offset loc_98967E+2)
		mul	ecx
		mov	ecx, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	[ecx], eax
		mov	eax, [ebp+arg_0]
		mov	[ecx+4], edx
		push	edi
		mov	[eax], bl
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_8F51B9
		xor	ecx, ecx

loc_7D3D72:				; CODE XREF: CmpDoLocalizeNextHive+6Aj
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7D3D98
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, edi
		call	HvHiveConvertLockedPagesToCowByPolicy
		mov	esi, eax
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		test	esi, esi
		js	short loc_7D3DB8
		mov	ecx, edi
		jmp	short loc_7D3D72
; 

loc_7D3D98:				; CODE XREF: CmpDoLocalizeNextHive+4Fj
					; CmpDoLocalizeNextHive+8Ej
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_7D3DAE:				; CODE XREF: CmpDoLocalizeNextHive+12149Bj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_7D3DB8:				; CODE XREF: CmpDoLocalizeNextHive+66j
		mov	bl, 1
		jmp	short loc_7D3D98
CmpDoLocalizeNextHive endp


;  S U B	R O U T	I N E 


HvHiveConvertLockedPagesToCowByPolicy proc near	; CODE XREF: CmpDoLocalizeNextHive+58p

; FUNCTION CHUNK AT 008F51CC SIZE 00000014 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+0BCh], 4
		jnz	short loc_7D3DD0

loc_7D3DCA:				; CODE XREF: HvHiveConvertLockedPagesToCowByPolicy+6Aj
		xor	esi, esi

loc_7D3DCC:				; CODE XREF: HvHiveConvertLockedPagesToCowByPolicy+6Cj
		mov	eax, esi
		pop	esi
		retn
; 

loc_7D3DD0:				; CODE XREF: HvHiveConvertLockedPagesToCowByPolicy+Cj
		push	ebx
		push	edi
		lea	edi, [esi+24h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		lea	ebx, [esi+28h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		lea	ecx, [esi+0A0h]
		call	_HvpViewMapConvertLockedPagesToCOWByPolicy@4 ; HvpViewMapConvertLockedPagesToCOWByPolicy(x)
		mov	esi, eax
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		test	al, 2
		jnz	loc_8F51CC

loc_7D3E06:				; CODE XREF: HvHiveConvertLockedPagesToCowByPolicy+121412j
					; HvHiveConvertLockedPagesToCowByPolicy+12141Fj
		mov	ecx, ebx
		call	KeAbPostRelease
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_7D3E2A

loc_7D3E1B:				; CODE XREF: HvHiveConvertLockedPagesToCowByPolicy+75j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	ebx
		test	esi, esi
		jns	short loc_7D3DCA
		jmp	short loc_7D3DCC
; 

loc_7D3E2A:				; CODE XREF: HvHiveConvertLockedPagesToCowByPolicy+5Dj
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7D3E1B
HvHiveConvertLockedPagesToCowByPolicy endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapConvertLockedPagesToCOWByPolicy(x)
_HvpViewMapConvertLockedPagesToCOWByPolicy@4 proc near
					; CODE XREF: HvHiveConvertLockedPagesToCowByPolicy+34p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	edx, edx
		mov	ecx, 1000h
		cmp	edx, [edi+0Ch]
		jl	short loc_7D3E52
		jg	short loc_7D3EBC
		cmp	ecx, [edi+8]
		jnb	short loc_7D3EBC

loc_7D3E52:				; CODE XREF: HvpViewMapConvertLockedPagesToCOWByPolicy(x)+15j
		lea	ebx, [edi+20h]

loc_7D3E55:				; CODE XREF: HvpViewMapConvertLockedPagesToCOWByPolicy(x)+7Fj
					; HvpViewMapConvertLockedPagesToCOWByPolicy(x)+86j
		test	byte ptr [ebx+4], 1
		mov	esi, [ebx]
		jz	short loc_7D3E63
		test	esi, esi
		jz	short loc_7D3E63
		xor	esi, ebx

loc_7D3E63:				; CODE XREF: HvpViewMapConvertLockedPagesToCOWByPolicy(x)+27j
					; HvpViewMapConvertLockedPagesToCOWByPolicy(x)+2Bj
		movzx	eax, byte ptr [ebx+4]
		and	eax, 1
		mov	[ebp+var_4], eax
		jmp	short loc_7D3E71
; 

loc_7D3E6F:				; CODE XREF: HvpViewMapConvertLockedPagesToCOWByPolicy(x)+53j
					; HvpViewMapConvertLockedPagesToCOWByPolicy(x)+57j
		mov	esi, eax

loc_7D3E71:				; CODE XREF: HvpViewMapConvertLockedPagesToCOWByPolicy(x)+39j
					; HvpViewMapConvertLockedPagesToCOWByPolicy(x)+5Bj
		test	esi, esi
		jz	short loc_7D3E9D
		cmp	edx, [esi+24h]
		jl	short loc_7D3E81
		jg	short loc_7D3E91
		cmp	ecx, [esi+20h]
		jnb	short loc_7D3E91

loc_7D3E81:				; CODE XREF: HvpViewMapConvertLockedPagesToCOWByPolicy(x)+44j
		mov	eax, [esi]

loc_7D3E83:				; CODE XREF: HvpViewMapConvertLockedPagesToCOWByPolicy(x)+96j
		cmp	[ebp+var_4], 0
		jz	short loc_7D3E6F
		test	eax, eax
		jz	short loc_7D3E6F
		xor	esi, eax
		jmp	short loc_7D3E71
; 

loc_7D3E91:				; CODE XREF: HvpViewMapConvertLockedPagesToCOWByPolicy(x)+46j
					; HvpViewMapConvertLockedPagesToCOWByPolicy(x)+4Bj
		cmp	edx, [esi+2Ch]
		jl	short loc_7D3E9D
		jg	short loc_7D3EC7
		cmp	ecx, [esi+28h]
		jnb	short loc_7D3EC7

loc_7D3E9D:				; CODE XREF: HvpViewMapConvertLockedPagesToCOWByPolicy(x)+3Fj
					; HvpViewMapConvertLockedPagesToCOWByPolicy(x)+60j
		mov	edx, esi
		mov	ecx, edi
		call	_HvpMappedViewConvertLockedPagesToCOWByPolicy@8	; HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)
		test	eax, eax
		js	short loc_7D3EC2
		mov	edx, [esi+2Ch]
		mov	ecx, [esi+28h]
		cmp	edx, [edi+0Ch]
		jl	short loc_7D3E55
		jg	short loc_7D3EBC
		cmp	ecx, [edi+8]
		jb	short loc_7D3E55

loc_7D3EBC:				; CODE XREF: HvpViewMapConvertLockedPagesToCOWByPolicy(x)+17j
					; HvpViewMapConvertLockedPagesToCOWByPolicy(x)+1Cj ...
		and	dword ptr [edi+1Ch], 0FFFFFFFBh
		xor	eax, eax

loc_7D3EC2:				; CODE XREF: HvpViewMapConvertLockedPagesToCOWByPolicy(x)+74j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7D3EC7:				; CODE XREF: HvpViewMapConvertLockedPagesToCOWByPolicy(x)+62j
					; HvpViewMapConvertLockedPagesToCOWByPolicy(x)+67j
		mov	eax, [esi+4]
		jmp	short loc_7D3E83
_HvpViewMapConvertLockedPagesToCOWByPolicy@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpMappedViewConvertLockedPagesToCOWByPolicy(x, x)
_HvpMappedViewConvertLockedPagesToCOWByPolicy@8	proc near
					; CODE XREF: HvpViewMapConvertLockedPagesToCOWByPolicy(x)+6Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, edx
		mov	[ebp+var_C], ecx
		cmp	dword ptr [esi+34h], 0
		jz	loc_7D3F80
		push	ebx
		mov	ebx, [esi+24h]
		mov	edx, ebx
		mov	eax, ebx
		cmp	eax, [esi+2Ch]
		push	edi
		mov	edi, [esi+20h]
		mov	ecx, edi
		mov	[ebp+var_8], eax
		mov	eax, ecx
		mov	[ebp+var_4], edi
		jl	short loc_7D3F06
		jg	short loc_7D3F40

loc_7D3F01:				; CODE XREF: HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+72j
		cmp	eax, [esi+28h]
		jnb	short loc_7D3F40

loc_7D3F06:				; CODE XREF: HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+31j
					; HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+70j
		cmp	dword ptr [esi+34h], 0
		jz	short loc_7D3F5A
		sub	eax, [esi+10h]
		shr	eax, 0Ch
		test	byte ptr [eax+esi+38h],	10h
		jz	short loc_7D3F61
		mov	eax, [ebp+var_4]

loc_7D3F1C:				; CODE XREF: HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+B2j
		add	ecx, 1000h
		adc	edx, 0
		add	eax, 1000h
		mov	[ebp+var_4], eax
		mov	eax, [ebp+var_8]
		adc	eax, 0
		cmp	eax, [esi+2Ch]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_4]
		jl	short loc_7D3F06
		jle	short loc_7D3F01

loc_7D3F40:				; CODE XREF: HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+33j
					; HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+38j
		cmp	edi, ecx
		jnz	short loc_7D3F48
		cmp	ebx, edx
		jz	short loc_7D3F5A

loc_7D3F48:				; CODE XREF: HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+76j
		push	edx
		push	ecx
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		push	ebx
		push	edi
		call	_HvpMappedViewConvertRegionFromLockedToCOWByPolicy@24 ;	HvpMappedViewConvertRegionFromLockedToCOWByPolicy(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7D3F5C

loc_7D3F5A:				; CODE XREF: HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+3Ej
					; HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+7Aj
		xor	eax, eax

loc_7D3F5C:				; CODE XREF: HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+8Cj
					; HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+CAj
		pop	edi
		pop	ebx

loc_7D3F5E:				; CODE XREF: HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+B6j
		pop	esi
		leave
		retn
; 

loc_7D3F61:				; CODE XREF: HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+4Bj
		cmp	edi, ecx
		jnz	short loc_7D3F84
		cmp	ebx, edx
		jnz	short loc_7D3F84

loc_7D3F69:				; CODE XREF: HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+C8j
		mov	eax, [ebp+var_4]
		mov	edi, eax
		mov	edx, [ebp+var_8]
		add	edi, 1000h
		mov	ebx, edx
		mov	ecx, eax
		adc	ebx, 0
		jmp	short loc_7D3F1C
; 

loc_7D3F80:				; CODE XREF: HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+12j
		xor	eax, eax
		jmp	short loc_7D3F5E
; 

loc_7D3F84:				; CODE XREF: HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+97j
					; HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+9Bj
		push	edx
		push	ecx
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		push	ebx
		push	edi
		call	_HvpMappedViewConvertRegionFromLockedToCOWByPolicy@24 ;	HvpMappedViewConvertRegionFromLockedToCOWByPolicy(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_7D3F69
		jmp	short loc_7D3F5C
_HvpMappedViewConvertLockedPagesToCOWByPolicy@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpMappedViewConvertRegionFromLockedToCOWByPolicy(x, x, x, x, x, x)
_HvpMappedViewConvertRegionFromLockedToCOWByPolicy@24 proc near
					; CODE XREF: HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+85p
					; HvpMappedViewConvertLockedPagesToCOWByPolicy(x,x)+C1p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], ecx
		lea	edx, [ebp+var_8]
		sub	esi, ebx
		push	edx
		mov	edx, [ecx+18h]
		mov	eax, [edi+30h]
		sub	eax, [edi+10h]
		push	8
		add	eax, ebx
		push	esi
		push	eax
		mov	[ebp+var_4], eax
		call	_CmSiProtectViewOfSection@24 ; CmSiProtectViewOfSection(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7D4047
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	1
		call	HvpViewMapTouchPages
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		push	2
		push	esi
		push	[ebp+var_4]
		mov	edx, [edx+18h]
		call	_CmSiProtectViewOfSection@24 ; CmSiProtectViewOfSection(x,x,x,x,x,x)
		mov	eax, [ebp+var_C]
		push	esi
		push	[ebp+var_4]
		mov	edx, [eax+18h]
		call	_CmSiUnlockViewOfSection@16 ; CmSiUnlockViewOfSection(x,x,x,x)
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_C], eax
		cmp	edx, [ebp+arg_C]
		jl	short loc_7D4015
		jg	short loc_7D4041
		cmp	ebx, [ebp+arg_8]
		jnb	short loc_7D4041

loc_7D4015:				; CODE XREF: HvpMappedViewConvertRegionFromLockedToCOWByPolicy(x,x,x,x,x,x)+74j
					; HvpMappedViewConvertRegionFromLockedToCOWByPolicy(x,x,x,x,x,x)+9Dj ...
		mov	ecx, ebx
		sub	ecx, [edi+10h]
		shr	ecx, 0Ch
		mov	al, [ecx+edi+38h]
		and	al, 0EFh
		or	al, 4
		add	ebx, 1000h
		mov	[ecx+edi+38h], al
		adc	edx, 0
		cmp	edx, [ebp+arg_C]
		jl	short loc_7D4015
		jg	short loc_7D403E
		cmp	ebx, [ebp+arg_8]
		jb	short loc_7D4015

loc_7D403E:				; CODE XREF: HvpMappedViewConvertRegionFromLockedToCOWByPolicy(x,x,x,x,x,x)+9Fj
		mov	eax, [ebp+var_C]

loc_7D4041:				; CODE XREF: HvpMappedViewConvertRegionFromLockedToCOWByPolicy(x,x,x,x,x,x)+76j
					; HvpMappedViewConvertRegionFromLockedToCOWByPolicy(x,x,x,x,x,x)+7Bj
		shr	esi, 0Ch
		sub	[edi+34h], esi

loc_7D4047:				; CODE XREF: HvpMappedViewConvertRegionFromLockedToCOWByPolicy(x,x,x,x,x,x)+39j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_HvpMappedViewConvertRegionFromLockedToCOWByPolicy@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeGetImageRequiredSigningLevel(x, x, x, x, x)
_SeGetImageRequiredSigningLevel@20 proc	near ; CODE XREF: MiValidateExistingImage(x)+10Ep
					; MiCreateNewSection(x,x)+309p

var_8		= dword	ptr -8
var_4		= byte ptr -4
var_3		= byte ptr -3
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		xor	eax, eax
		mov	[ebp+var_8], ecx
		push	esi
		mov	esi, eax
		mov	[ebp+var_1], al
		mov	[ebp-2], al
		mov	[ebp+var_3], al
		mov	eax, dword_6BEA58
		push	edi
		test	eax, eax
		jz	short loc_7D4084
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	eax
		mov	esi, eax
		jmp	loc_7D4184
; 

loc_7D4084:				; CODE XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+20j
		mov	al, ds:_SeILSigningPolicy
		mov	[ebp+var_4], al
		test	al, al
		jnz	short loc_7D4098
		mov	al, _SeILSigningPolicyRuntime
		mov	[ebp+var_4], al

loc_7D4098:				; CODE XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+40j
		push	ebx
		mov	ebx, [ebp+arg_0]
		cmp	al, 2
		jnz	short loc_7D40AF
		test	bl, bl
		jnz	short loc_7D40AF
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	2
		jmp	loc_7D4183
; 

loc_7D40AF:				; CODE XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+50j
					; SeGetImageRequiredSigningLevel(x,x,x,x,x)+54j
		cmp	bl, 2
		jnz	short loc_7D40C3
		test	al, al
		jnz	short loc_7D40CB
		mov	eax, [ebp+arg_8]

loc_7D40BB:				; CODE XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+113j
		mov	byte ptr [eax],	0
		jmp	loc_7D4183
; 

loc_7D40C3:				; CODE XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+64j
		test	bl, bl
		jz	loc_7D417E

loc_7D40CB:				; CODE XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+68j
		test	dl, 10h
		jnz	loc_7D417E
		mov	eax, dword_6BEA40
		test	eax, eax
		jz	short loc_7D40EB
		push	ebx
		push	[ebp+arg_4]
		call	eax
		test	eax, eax
		jnz	loc_7D417E

loc_7D40EB:				; CODE XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+8Dj
		mov	eax, large fs:124h
		mov	edi, [eax+80h]
		push	edi
		call	_PsIsProtectedProcess@4	; PsIsProtectedProcess(x)
		test	eax, eax
		jnz	short loc_7D417E
		cmp	bl, 6
		jnz	short loc_7D417E
		test	dword ptr [edi+490h], 800000h
		jnz	short loc_7D4176
		mov	eax, dword_6BEA3C
		test	eax, eax
		jnz	short loc_7D4122
		mov	esi, 0C0000001h
		jmp	short loc_7D4183
; 

loc_7D4122:				; CODE XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+CBj
		mov	edi, [ebp+var_8]
		lea	ecx, [ebp-2]
		push	ecx
		lea	ecx, [ebp-1]
		push	ecx
		push	edi
		call	eax
		mov	esi, eax
		test	esi, esi
		js	short loc_7D4183
		cmp	[ebp+var_1], 0
		jnz	short loc_7D4176
		cmp	byte ptr [ebp-2], 0
		jnz	short loc_7D4176
		lea	eax, [ebp+var_3]
		push	eax
		push	edi
		push	0
		call	RtlIsUntrustedObject
		mov	esi, eax
		test	esi, esi
		js	short loc_7D4183
		cmp	[ebp+var_3], 0
		jnz	short loc_7D4176
		cmp	[ebp+var_4], 2
		mov	eax, [ebp+arg_8]
		jb	loc_7D40BB
		setz	cl
		dec	cl
		and	cl, 0FDh
		add	cl, 9
		mov	[eax], cl
		jmp	short loc_7D4183
; 

loc_7D4176:				; CODE XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+C2j
					; SeGetImageRequiredSigningLevel(x,x,x,x,x)+ECj ...
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	6
		jmp	short loc_7D4183
; 

loc_7D417E:				; CODE XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+77j
					; SeGetImageRequiredSigningLevel(x,x,x,x,x)+80j ...
		mov	eax, [ebp+arg_8]
		mov	[eax], bl

loc_7D4183:				; CODE XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+5Cj
					; SeGetImageRequiredSigningLevel(x,x,x,x,x)+70j ...
		pop	ebx

loc_7D4184:				; CODE XREF: SeGetImageRequiredSigningLevel(x,x,x,x,x)+31j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	0Ch
_SeGetImageRequiredSigningLevel@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetDeviceInterfaceMappedPropertyFromRegValue(int,void	*,int,int,int,int)
_CmGetDeviceInterfaceMappedPropertyFromRegValue	proc near
					; CODE XREF: _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)+C7p
					; _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+53p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008F51E0 SIZE 00000060 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_14], edx
		xor	edx, edx
		push	ebx
		mov	[ebp+var_2C], ecx
		mov	ecx, [ebp+arg_C]
		mov	[eax], edx
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_28], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_1], dl
		mov	[ebp+var_2], dl
		mov	[eax], edx
		push	esi
		push	edi
		test	ecx, ecx
		jz	loc_8F51E0
		mov	ebx, [ebp+arg_10]
		mov	eax, ebx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+arg_C], eax

loc_7D41DA:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+121056j
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+10h]
		mov	[ebp+var_24], eax
		cmp	eax, 2
		jb	loc_8F51E7
		mov	esi, [ebp+arg_4]
		mov	eax, offset off_A42DD8
		mov	edi, [ebp+var_24]
		mov	ecx, edx
		mov	[ebp+var_1C], eax
		mov	[ebp+arg_10], ecx

loc_7D41FF:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+8Ej
		mov	edx, [eax]
		mov	[ebp+var_24], eax
		cmp	edi, [edx+10h]
		jz	short loc_7D421E

loc_7D4209:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+12106Bj
		add	ecx, 8
		add	eax, 8
		xor	edx, edx
		mov	[ebp+arg_10], ecx
		mov	[ebp+var_1C], eax
		cmp	ecx, 18h
		jb	short loc_7D41FF
		jmp	short loc_7D4235
; 

loc_7D421E:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+7Bj
		push	10h		; size_t
		push	edx		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8F51F1
		mov	edx, [ebp+var_24]

loc_7D4235:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+90j
		mov	esi, [ebp+var_28]
		mov	edi, [ebp+var_2C]
		test	edx, edx
		jz	loc_8F51E7
		cmp	[ebp+arg_0], esi
		jnz	short loc_7D4269
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_C]
		push	0
		push	eax
		push	0
		push	1
		push	ecx
		push	30h
		mov	ecx, edi
		call	_CmOpenDeviceInterfaceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_7D432D

loc_7D4269:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+BAj
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+10h]
		cmp	ecx, 2
		jz	loc_7D439C
		cmp	ecx, 3
		jz	loc_7D4344
		cmp	ecx, 100h
		jnz	loc_8F5236
		push	10h		; size_t
		push	offset _DEVPKEY_Device_InstanceId ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8F5236
		mov	edx, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	0
		push	1
		push	ecx
		push	31h
		mov	ecx, edi
		call	_CmOpenDeviceInterfaceRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_7D432D
		mov	ecx, [ebp+arg_C]
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_18]
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, offset ??_C@_1BO@PDEOPOFH@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@NNGAKEGL@	; "DeviceInstance"
		mov	[ebp+var_8], ebx
		call	_RegRtlQueryValue
		push	[ebp+var_18]
		mov	edi, eax
		call	_ZwClose@4	; ZwClose(x)
		cmp	edi, 0C0000034h
		jz	loc_7D4473
		cmp	edi, 0C000017Ch
		jz	loc_7D4473
		mov	ecx, 0C0000023h
		test	edi, edi
		jnz	loc_8F5226

loc_7D430C:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+12109Ej
		mov	edx, [ebp+arg_14]
		mov	eax, [ebp+var_8]
		mov	[edx], eax
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 12h
		test	edi, edi
		jnz	loc_8F522F
		test	ebx, ebx
		jz	loc_8F522F

loc_7D432D:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+D7j
					; _CmGetDeviceInterfaceMappedPropertyFromRegValue+133j	...
		cmp	[ebp+var_C], 0
		jz	short loc_7D433B
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_7D433B:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+1A5j
					; _CmGetDeviceInterfaceMappedPropertyFromRegValue+121060j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7D4344:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+EFj
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceInterface_Enabled	; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8F5236
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 1
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 11h
		cmp	ebx, 1
		jb	loc_8F521C
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_2]
		push	eax
		push	ecx
		mov	ecx, edi
		call	__CmIsDeviceInterfaceEnabled@16	; _CmIsDeviceInterfaceEnabled(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D432D
		cmp	[ebp+var_2], 0
		mov	ecx, [ebp+arg_C]
		setz	al
		dec	al
		mov	[ecx], al
		jmp	short loc_7D432D
; 

loc_7D439C:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+E6j
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceInterface_FriendlyName ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8F5236
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_7D43BE
		mov	eax, [ebp+var_C]

loc_7D43BE:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+22Dj
		test	edi, edi
		jz	loc_8F51FC
		mov	ecx, [edi+74h]

loc_7D43C9:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+121072j
		lea	edx, [ebp+var_10]
		push	edx
		push	1
		push	0
		push	offset ??_C@_1CE@JDBBMLAG@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?5?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe@NNGAKEGL@ ; "Device Parameters"
		mov	edx, eax
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C0000034h
		jz	loc_7D4473
		cmp	eax, 0C000017Ch
		jz	loc_7D4473
		test	eax, eax
		js	loc_8F5203
		mov	eax, [edi+108h]
		mov	[ebp+var_8], ebx
		test	eax, eax
		jnz	short loc_7D440D
		mov	eax, offset _PnpRegQueryValueIndirect

loc_7D440D:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+27Aj
		lea	ecx, [ebp-1]
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, [ebp+arg_C]
		push	ecx
		lea	ecx, [ebp+var_20]
		push	ecx
		push	offset ??_C@_1BK@BFIEKNFP@?$AAF?$AAr?$AAi?$AAe?$AAn?$AAd?$AAl?$AAy?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@ ; "FriendlyName"
		push	[ebp+var_10]
		push	edi
		call	eax ; _PnpRegQueryValueIndirect
		mov	edi, eax
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)
		cmp	edi, 0C0000034h
		jz	short loc_7D4473
		cmp	edi, 0C000017Ch
		jz	short loc_7D4473
		mov	ecx, 0C0000023h
		test	edi, edi
		jnz	short loc_7D447D

loc_7D444B:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+2F3j
		mov	edx, [ebp+arg_14]
		mov	eax, [ebp+var_8]
		mov	[edx], eax
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 12h
		test	edi, edi
		jnz	short loc_7D4486
		test	ebx, ebx
		jz	short loc_7D4486

loc_7D4464:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+2FCj
		cmp	[ebp+var_1], 0
		jz	loc_7D432D
		jmp	loc_8F5211
; 

loc_7D4473:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+161j
					; _CmGetDeviceInterfaceMappedPropertyFromRegValue+16Dj	...
		mov	esi, 0C0000225h
		jmp	loc_7D432D
; 

loc_7D447D:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+2BDj
		cmp	edi, ecx
		jz	short loc_7D444B
		jmp	loc_8F520A
; 

loc_7D4486:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+2D2j
					; _CmGetDeviceInterfaceMappedPropertyFromRegValue+2D6j
		mov	esi, ecx
		jmp	short loc_7D4464
_CmGetDeviceInterfaceMappedPropertyFromRegValue	endp


;  S U B	R O U T	I N E 


; __stdcall PspConvertJobNotificationLimitToV2(x, x)
_PspConvertJobNotificationLimitToV2@8 proc near	; CODE XREF: PAGE:007579F8p
		mov	edi, edi
		push	esi
		mov	esi, [ecx+28h]
		mov	[edx+30h], esi
		and	esi, 278204h
		mov	eax, [ecx]
		mov	[edx], eax
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		mov	eax, [ecx+8]
		mov	[edx+8], eax
		mov	eax, [ecx+0Ch]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+10h]
		mov	[edx+10h], eax
		mov	eax, [ecx+14h]
		mov	[edx+14h], eax
		mov	eax, [ecx+30h]
		mov	[edx+18h], eax
		mov	eax, [ecx+34h]
		mov	[edx+1Ch], eax
		mov	eax, [ecx+18h]
		mov	[edx+20h], eax
		mov	eax, [ecx+1Ch]
		mov	[edx+24h], eax
		mov	eax, [ecx+20h]
		mov	[edx+28h], eax
		mov	eax, [ecx+24h]
		mov	[edx+30h], esi
		mov	[edx+2Ch], eax
		pop	esi
		retn
_PspConvertJobNotificationLimitToV2@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspUpdateEnforcementTimer(x)
_PspUpdateEnforcementTimer@4 proc near	; CODE XREF: sub_759647-291p
					; sub_759647:loc_8D34F3p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi

loc_7D44ED:				; CODE XREF: PspUpdateEnforcementTimer(x)+35j
					; PspUpdateEnforcementTimer(x)+39j
		mov	esi, _PspJobTimeLimitsRequest
		mov	ebx, esi
		mov	edi, dword_6BEE44
		add	ebx, 1
		mov	ecx, edi
		mov	[ebp+var_4], edi
		mov	edx, edi
		adc	ecx, 0
		mov	eax, esi
		mov	edi, offset _PspJobTimeLimitsRequest
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_7D44ED
		cmp	edx, edi
		jnz	short loc_7D44ED
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PspUpdateEnforcementTimer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspGetProcessParameterOverrides	proc near ; CODE XREF: PAGE:007A310Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F5240 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], 1
		mov	[ebp+var_8], edx
		lea	eax, [esi+8Ch]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	ds:__imp__PsGetProcessParameterOverrides@8 ; PsGetProcessParameterOverrides(x,x)
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	loc_8F5240

loc_7D455F:				; CODE XREF: PspGetProcessParameterOverrides+120D1Fj
					; PspGetProcessParameterOverrides+120D2Ej
		mov	[esi+140h], eax
		pop	esi
		leave
		retn
PspGetProcessParameterOverrides	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 811. IoDeleteController
; Exported entry 1758. PsDereferencePrimaryToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsDereferencePrimaryToken(x)
		public _PsDereferencePrimaryToken@4
_PsDereferencePrimaryToken@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi	; IoDeleteController
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	ObfDereferenceObject
		pop	ebp
		retn	4
_PsDereferencePrimaryToken@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCheckAndFixSecurityCellsRefcount(x)
_CmpCheckAndFixSecurityCellsRefcount@4 proc near
					; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+2F1p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	ebx, ebx
		xor	eax, eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], ebx
		or	[ebp+var_14], 0FFFFFFFFh
		push	edi
		mov	[ebp+var_10], ebx
		mov	edi, ebx
		mov	[ebp+var_4], ebx
		mov	word ptr [ebp+var_10], ax
		cmp	[esi+4C0h], ebx
		jbe	loc_7D466E

loc_7D45B0:				; CODE XREF: CmpCheckAndFixSecurityCellsRefcount(x)+E8j
		mov	eax, [esi+4CCh]
		lea	ecx, [ebp+var_14]
		push	ecx
		mov	[ebp+var_C], eax
		mov	eax, [eax+edi*8]
		push	eax
		push	esi
		mov	[ebp+var_8], eax
		call	dword ptr [esi+4]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_7D467E
		mov	edx, [ebp+var_C]
		mov	eax, [eax+0Ch]
		mov	ecx, [edx+edi*8+4]
		cmp	eax, [ecx+14h]
		jz	short loc_7D4601
		mov	edx, [edx+edi*8]
		mov	ecx, esi
		push	ebx
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	short loc_7D4670
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_4]
		mov	eax, [edx+edi*8+4]
		mov	eax, [eax+14h]
		mov	[ecx+0Ch], eax

loc_7D4601:				; CODE XREF: CmpCheckAndFixSecurityCellsRefcount(x)+60j
		mov	eax, [edx+edi*8+4]
		cmp	[eax+14h], ebx
		jnz	short loc_7D4651
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	ebx
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		mov	eax, [ebp+var_4]
		mov	ecx, esi
		push	ebx
		mov	edx, [eax+4]
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		mov	eax, [ebp+var_4]
		mov	ecx, esi
		push	ebx
		mov	edx, [eax+8]
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		mov	[ebp+var_4], ebx
		call	_CmpRemoveSecurityCellList@8 ; CmpRemoveSecurityCellList(x,x)
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	HvFreeCell
		dec	edi

loc_7D4651:				; CODE XREF: CmpCheckAndFixSecurityCellsRefcount(x)+88j
		cmp	[ebp+var_4], ebx
		jz	short loc_7D4661
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	[ebp+var_4], ebx

loc_7D4661:				; CODE XREF: CmpCheckAndFixSecurityCellsRefcount(x)+D4j
		inc	edi
		cmp	edi, [esi+4C0h]
		jb	loc_7D45B0

loc_7D466E:				; CODE XREF: CmpCheckAndFixSecurityCellsRefcount(x)+2Aj
		mov	bl, 1

loc_7D4670:				; CODE XREF: CmpCheckAndFixSecurityCellsRefcount(x)+6Fj
		cmp	[ebp+var_4], 0
		jz	short loc_7D467E
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_7D467E:				; CODE XREF: CmpCheckAndFixSecurityCellsRefcount(x)+4Dj
					; CmpCheckAndFixSecurityCellsRefcount(x)+F4j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_CmpCheckAndFixSecurityCellsRefcount@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetDeviceHardwareKeyPath(int,int,int,void *,int,int)
_CmGetDeviceHardwareKeyPath proc near	; CODE XREF: _CmGetDeviceRegKeyPath+87p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008F5257 SIZE 000000DC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_0], 200h
		push	esi
		push	edi
		mov	esi, edx
		jnz	loc_8F5257
		lea	edi, [edx+2]
		xor	ecx, ecx

loc_7D46A1:				; CODE XREF: _CmGetDeviceHardwareKeyPath+24j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, cx
		jnz	short loc_7D46A1
		mov	eax, [ebp+arg_14]
		sub	edx, edi
		sar	edx, 1
		test	[ebp+arg_0], 100h
		jnz	loc_8F52FC
		add	edx, 31h
		test	eax, eax
		jz	short loc_7D46C9
		mov	[eax], edx

loc_7D46C9:				; CODE XREF: _CmGetDeviceHardwareKeyPath+3Fj
		cmp	edx, [ebp+arg_10]
		ja	short loc_7D46F9
		push	offset ??_C@_1CE@JDBBMLAG@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?5?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe@NNGAKEGL@ ; "Device Parameters"
		push	esi
		push	offset ??_C@_1DM@BNJPOICG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; char

loc_7D46D9:				; CODE XREF: _CmGetDeviceHardwareKeyPath+120C0Cj
		push	offset ??_C@_1BC@GLIGFLDD@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@	; "%s\\%s\\%s"
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 24h

loc_7D46F3:				; CODE XREF: _CmGetDeviceHardwareKeyPath+78j
					; _CmGetDeviceHardwareKeyPath+120C67j ...
		pop	edi
		pop	esi
		pop	ebp
		retn	18h
; 

loc_7D46F9:				; CODE XREF: _CmGetDeviceHardwareKeyPath+46j
					; _CmGetDeviceHardwareKeyPath+120BFBj ...
		mov	eax, 0C0000023h
		jmp	short loc_7D46F3
_CmGetDeviceHardwareKeyPath endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _SysCtxGetCachedContextBaseKey(x, x, x)
__SysCtxGetCachedContextBaseKey@12 proc	near ; CODE XREF: _PnpCtxGetCachedNodeBaseKey+5Fp
					; _PnpCtxGetCachedNodeBaseKey+CBp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		sub	edx, 1
		jz	short loc_7D472F
		sub	edx, 1
		jz	short loc_7D4740
		sub	edx, 1
		jz	short loc_7D473B
		sub	edx, 1
		jnz	short loc_7D4734
		mov	eax, [ecx+18h]

loc_7D471F:				; CODE XREF: _SysCtxGetCachedContextBaseKey(x,x,x)+32j
					; _SysCtxGetCachedContextBaseKey(x,x,x)+3Ej ...
		test	eax, eax
		jz	short loc_7D4745
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax

loc_7D4728:				; CODE XREF: _SysCtxGetCachedContextBaseKey(x,x,x)+39j
					; _SysCtxGetCachedContextBaseKey(x,x,x)+4Aj
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_7D472F:				; CODE XREF: _SysCtxGetCachedContextBaseKey(x,x,x)+Bj
		mov	eax, [ecx+0Ch]
		jmp	short loc_7D471F
; 

loc_7D4734:				; CODE XREF: _SysCtxGetCachedContextBaseKey(x,x,x)+1Aj
		mov	esi, 0C000000Dh
		jmp	short loc_7D4728
; 

loc_7D473B:				; CODE XREF: _SysCtxGetCachedContextBaseKey(x,x,x)+15j
		mov	eax, [ecx+14h]
		jmp	short loc_7D471F
; 

loc_7D4740:				; CODE XREF: _SysCtxGetCachedContextBaseKey(x,x,x)+10j
		mov	eax, [ecx+10h]
		jmp	short loc_7D471F
; 

loc_7D4745:				; CODE XREF: _SysCtxGetCachedContextBaseKey(x,x,x)+21j
		mov	esi, 0C0000034h
		jmp	short loc_7D4728
__SysCtxGetCachedContextBaseKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepValidLabelSubjectContext proc near	; CODE XREF: RtlpSetSecurityObject+5B1p

var_10		= dword	ptr -10h
var_5		= dword	ptr -5
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008F5333 SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	edi, edx
		mov	[ebp+var_10], eax
		mov	ebx, ecx
		mov	byte ptr [ebp+var_5], al
		test	edi, edi
		jz	loc_7D47EE

loc_7D476B:				; CODE XREF: SepValidLabelSubjectContext+ADj
		mov	esi, [ebx]
		test	esi, esi
		jnz	short loc_7D4774
		mov	esi, [ebx+8]

loc_7D4774:				; CODE XREF: SepValidLabelSubjectContext+23j
		cmp	dword ptr [esi+0A8h], 2
		jz	short loc_7D47E1

loc_7D477D:				; CODE XREF: SepValidLabelSubjectContext+9Cj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceSharedLite
		lea	edx, [ebp+var_10]
		mov	ecx, esi
		call	_SepCopyTokenIntegrity@8 ; SepCopyTokenIntegrity(x,x)
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	[ebp+arg_0], 8
		jnz	loc_8F5333

loc_7D47BD:				; CODE XREF: SepValidLabelSubjectContext+120C0Aj
					; SepValidLabelSubjectContext+120C1Bj
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_5]
		push	eax
		mov	edx, edi
		call	RtlSidDominates
		test	eax, eax
		js	short loc_7D47EA
		mov	al, byte ptr [ebp+var_5]
		test	al, al
		jz	loc_8F536C

loc_7D47DA:				; CODE XREF: SepValidLabelSubjectContext+A0j
					; SepValidLabelSubjectContext+120C35j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7D47E1:				; CODE XREF: SepValidLabelSubjectContext+2Fj
		cmp	dword ptr [esi+0ACh], 2
		jge	short loc_7D477D

loc_7D47EA:				; CODE XREF: SepValidLabelSubjectContext+81j
					; SepValidLabelSubjectContext+120C00j
		xor	al, al
		jmp	short loc_7D47DA
; 

loc_7D47EE:				; CODE XREF: SepValidLabelSubjectContext+19j
		mov	eax, ds:_SeExports
		mov	edi, [eax+17Ch]
		jmp	loc_7D476B
SepValidLabelSubjectContext endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpClearKeyAccessBits proc near		; CODE XREF: CmpReorganizeHive+1B2p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F5386 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_8], 0
		or	[ebp+var_1C], 0FFFFFFFFh
		and	[ebp+var_18], 0
		push	ebx
		push	esi
		push	edi
		push	317A6D43h
		push	1000h
		push	1
		mov	[ebp+var_14], edx
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8F5386
		mov	eax, [esi+20h]
		xor	edi, edi
		mov	eax, [eax+24h]
		and	[ebx+4], edi
		mov	[ebx], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_7D4856

loc_7D4847:				; CODE XREF: CmpClearKeyAccessBits+108j
					; CmpClearKeyAccessBits+120B97j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi

loc_7D4851:				; CODE XREF: CmpClearKeyAccessBits+120B8Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7D4856:				; CODE XREF: CmpClearKeyAccessBits+47j
		mov	eax, [esi+34h]
		and	[ebp+var_4], edi
		mov	[ebp+var_10], eax

loc_7D485F:				; CODE XREF: CmpClearKeyAccessBits+C6j
		mov	eax, [ebx+edi*8]
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_8F5390
		cmp	byte ptr [eax+0Ch], 0
		jnz	short loc_7D48C6
		mov	ecx, [ebp+var_4]

loc_7D487F:				; CODE XREF: CmpClearKeyAccessBits+E8j
		mov	edx, [ebx+edi*8+4]
		cmp	edx, [eax+14h]
		jb	short loc_7D488F

loc_7D4888:				; CODE XREF: CmpClearKeyAccessBits+97j
		test	edi, edi
		jz	short loc_7D48E8
		dec	edi
		jmp	short loc_7D48BC
; 

loc_7D488F:				; CODE XREF: CmpClearKeyAccessBits+88j
		cmp	edi, 1FFh
		jz	short loc_7D4888
		lea	ecx, [ebp+var_8]
		push	ecx
		push	edx
		mov	edx, eax
		mov	ecx, esi
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		js	short loc_7D4912
		inc	dword ptr [ebx+edi*8+4]
		inc	edi
		mov	eax, [ebp+var_8]
		and	dword ptr [ebx+edi*8+4], 0
		mov	[ebx+edi*8], eax

loc_7D48BC:				; CODE XREF: CmpClearKeyAccessBits+8Fj
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	short loc_7D485F
; 

loc_7D48C6:				; CODE XREF: CmpClearKeyAccessBits+7Cj
		mov	edx, [ebx+edi*8]
		mov	ecx, esi
		push	0
		push	0
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_7D490B
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_4]
		inc	ecx
		mov	[ebp+var_4], ecx
		mov	byte ptr [eax+0Ch], 0
		jmp	short loc_7D487F
; 

loc_7D48E8:				; CODE XREF: CmpClearKeyAccessBits+8Cj
		mov	eax, [esi+34h]
		mov	edx, ecx
		sub	eax, [ebp+var_10]
		mov	ecx, [ebp+var_14]
		shr	eax, 3
		push	eax
		call	_CmpLogClearAccessBitsEvent@12 ; CmpLogClearAccessBitsEvent(x,x,x)
		xor	edi, edi

loc_7D48FE:				; CODE XREF: CmpClearKeyAccessBits+112j
					; CmpClearKeyAccessBits+117j
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_7D4847
; 

loc_7D490B:				; CODE XREF: CmpClearKeyAccessBits+D8j
		mov	edi, 0C000009Ah
		jmp	short loc_7D48FE
; 

loc_7D4912:				; CODE XREF: CmpClearKeyAccessBits+ACj
		mov	edi, [ebp+var_C]
		jmp	short loc_7D48FE
CmpClearKeyAccessBits endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _NtPlugPlayGetDeviceProperty(x, x, x, x, x,	x, x)
__NtPlugPlayGetDeviceProperty@28 proc near
					; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+60Cp
					; _CmGetDeviceRegPropWorker+21Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		xor	edx, edx
		push	eax
		inc	edx
		call	__PnpCtxGetNtPlugPlayRoutine@12	; _PnpCtxGetNtPlugPlayRoutine(x,x,x)
		test	eax, eax
		js	short loc_7D4958
		cmp	[ebp+var_4], 0
		jz	short loc_7D495E
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	esi
		call	[ebp+var_4]
		cmp	eax, 80000005h
		jz	short loc_7D4965

loc_7D4958:				; CODE XREF: _NtPlugPlayGetDeviceProperty(x,x,x,x,x,x,x)+1Ej
					; _NtPlugPlayGetDeviceProperty(x,x,x,x,x,x,x)+4Bj ...
		pop	edi
		pop	esi
		leave
		retn	14h
; 

loc_7D495E:				; CODE XREF: _NtPlugPlayGetDeviceProperty(x,x,x,x,x,x,x)+24j
		mov	eax, 0C0000002h
		jmp	short loc_7D4958
; 

loc_7D4965:				; CODE XREF: _NtPlugPlayGetDeviceProperty(x,x,x,x,x,x,x)+3Ej
		mov	eax, 0C0000023h
		jmp	short loc_7D4958
__NtPlugPlayGetDeviceProperty@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlGetDeviceNtPropertyRoutine(x, x, x,	x, x, x, x)
_PiPnpRtlGetDeviceNtPropertyRoutine@28 proc near ; DATA	XREF: PiPnpRtlInit+97o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_18]
		mov	edx, [ebp+arg_8]
		push	[ebp+arg_14]
		mov	ecx, [ebp+arg_4]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	PlugPlayGetDeviceProperty
		pop	ebp
		retn	1Ch
_PiPnpRtlGetDeviceNtPropertyRoutine@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PlugPlayGetDeviceProperty proc near	; CODE XREF: PiPnpRtlGetDeviceNtPropertyRoutine(x,x,x,x,x,x,x)+17p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F539A SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		test	ecx, ecx
		jz	short loc_7D49FD
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_7D49FD
		cmp	[ebp+arg_C], 0
		jnz	short loc_7D49FD
		mov	eax, [ecx]
		push	ebx
		mov	[ebp+var_14], eax
		mov	eax, [ecx+4]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_14]
		push	14h
		push	eax
		push	0Ah
		mov	[ebp+var_C], edx
		mov	[ebp+var_4], edi
		call	_ZwPlugPlayControl@12 ;	ZwPlugPlayControl(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7D49EB
		mov	ecx, [ebp+var_4]
		cmp	edi, ecx
		ja	loc_8F539A

loc_7D49E0:				; CODE XREF: PlugPlayGetDeviceProperty+6Fj
		mov	[esi], ecx

loc_7D49E2:				; CODE XREF: PlugPlayGetDeviceProperty+6Aj
		pop	edi
		mov	eax, ebx
		pop	ebx

loc_7D49E6:				; CODE XREF: PlugPlayGetDeviceProperty+76j
		pop	esi
		leave
		retn	10h
; 

loc_7D49EB:				; CODE XREF: PlugPlayGetDeviceProperty+47j
		cmp	ebx, 0C0000023h
		jz	short loc_7D49F8
		and	dword ptr [esi], 0
		jmp	short loc_7D49E2
; 

loc_7D49F8:				; CODE XREF: PlugPlayGetDeviceProperty+65j
					; PlugPlayGetDeviceProperty+120A21j
		mov	ecx, [ebp+var_4]
		jmp	short loc_7D49E0
; 

loc_7D49FD:				; CODE XREF: PlugPlayGetDeviceProperty+Bj
					; PlugPlayGetDeviceProperty+12j ...
		mov	eax, 0C000000Dh
		jmp	short loc_7D49E6
PlugPlayGetDeviceProperty endp


;  S U B	R O U T	I N E 


; __stdcall MiFreeVadEventBitmapCharges(x, x)
_MiFreeVadEventBitmapCharges@8 proc near ; CODE	XREF: MiReleaseVadEventBlocks+B2p
					; MiReleaseVadEventBlocks+C0p ...
		mov	edx, [edx+4]
		test	dl, 1Fh
		push	0
		pop	eax
		setnz	al
		shr	edx, 5
		add	eax, 0Ah
		add	eax, edx
		shl	eax, 2
		push	eax
		push	ecx
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		retn
_MiFreeVadEventBitmapCharges@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ConstraintEval	proc near		; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+22Fp

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F53B2 SIZE 000000D3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_58], eax
		xor	eax, eax
		mov	[ebp+var_50], ebx
		mov	edx, ecx
		mov	[ebp+var_34], eax
		push	0Ah
		pop	ecx
		lea	edi, [ebp+var_30]
		mov	[ebp+var_38], edx
		rep stosd
		imul	edi, edx, 2Ch
		test	[ebp+arg_4], 0FF00000h
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_44], eax
		jnz	loc_8F53B2
		test	edx, edx
		jz	loc_7D4BEB
		push	52544C46h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	loc_8F53BC
		test	dword ptr [esi], 0FF00000h
		jnz	loc_7D4BD1
		push	edi		; size_t
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_38]
		add	esp, 0Ch

loc_7D4AAF:				; CODE XREF: ConstraintEval+1C2j
		xor	edi, edi
		test	eax, eax
		jz	short loc_7D4AD7
		mov	eax, [ebp+var_40]
		add	eax, 4
		mov	[ebp+var_54], eax
		mov	esi, eax
		mov	[ebp+var_3C], eax

loc_7D4AC3:				; CODE XREF: ConstraintEval+B1j
		mov	eax, [esi+10h]
		cmp	eax, [ebx+10h]
		jz	short loc_7D4AE1

loc_7D4ACB:				; CODE XREF: ConstraintEval+CBj
					; ConstraintEval+D3j ...
		inc	edi
		add	esi, 2Ch
		mov	[ebp+var_3C], esi
		cmp	edi, [ebp+var_38]
		jb	short loc_7D4AC3

loc_7D4AD7:				; CODE XREF: ConstraintEval+8Fj
					; ConstraintEval+F3j ...
		mov	ebx, 0C0000001h
		jmp	loc_7D4BB1
; 

loc_7D4AE1:				; CODE XREF: ConstraintEval+A5j
		push	10h		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7D4ACB
		mov	eax, [esi+14h]
		cmp	eax, [ebx+14h]
		jnz	short loc_7D4ACB
		mov	eax, [esi+18h]
		mov	ecx, [ebx+18h]
		cmp	eax, ecx
		jnz	loc_8F53C6

loc_7D4B07:				; CODE XREF: ConstraintEval+1209C3j
		mov	eax, [ebp+arg_4]
		lea	ebx, [esi-4]
		cmp	[ebx], eax
		jnz	loc_8F53EC
		test	ebx, ebx
		jz	short loc_7D4AD7
		lea	edx, [ebx+4]
		lea	edi, [ebp+var_30]
		mov	esi, edx
		push	0Ah
		pop	ecx
		rep movsd
		mov	edi, 10000h
		sub	eax, 1
		jz	loc_8F5437
		sub	eax, 1
		jnz	loc_7D4BF2

loc_7D4B3D:				; CODE XREF: ConstraintEval+1E4j
					; ConstraintEval+1209D3j ...
		mov	esi, [ebp+var_54]
		xor	ecx, ecx

loc_7D4B42:				; CODE XREF: ConstraintEval+13Dj
		lea	eax, [esi-4]
		cmp	eax, ebx
		jz	short loc_7D4B55
		mov	eax, [esi+10h]
		cmp	eax, [ebx+14h]
		jz	loc_7D4C13

loc_7D4B55:				; CODE XREF: ConstraintEval+123j
					; ConstraintEval+25Aj
		mov	eax, [ebp+var_38]
		inc	ecx
		add	esi, 2Ch
		mov	[ebp+var_34], ecx
		cmp	ecx, eax
		jb	short loc_7D4B42
		xor	dword ptr [ebx], 10000h
		lea	ecx, [ebp+var_30]
		mov	[ebp+var_48], ecx
		lea	edx, [ebp+var_4C]
		lea	ecx, [ebp+var_44]
		mov	[ebp+var_4C], 1
		push	ecx
		push	[ebp+var_40]
		mov	ecx, offset GetPropertyFromPropArray
		push	eax
		call	_FilterEval@20	; FilterEval(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7D4BB1
		cmp	[ebp+var_44], 0
		jnz	loc_7D4AD7
		mov	eax, [ebp+var_58]
		mov	edi, eax
		mov	esi, [ebp+var_3C]
		push	0Bh
		add	esi, 0FFFFFFFCh
		pop	ecx
		rep movsd
		xor	dword ptr [eax], 10000h

loc_7D4BB1:				; CODE XREF: ConstraintEval+B8j
					; ConstraintEval+16Bj
		push	52544C46h
		push	[ebp+var_40]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7D4BBE:				; CODE XREF: ConstraintEval+1CCj
					; ConstraintEval+120993j ...
		mov	ecx, [ebp+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_7D4BD1:				; CODE XREF: ConstraintEval+77j
		mov	ecx, [ebp+var_38]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	SimplifyFilter
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_38], eax
		jmp	loc_7D4AAF
; 

loc_7D4BEB:				; CODE XREF: ConstraintEval+53j
		mov	ebx, 0C0000001h
		jmp	short loc_7D4BBE
; 

loc_7D4BF2:				; CODE XREF: ConstraintEval+113j
		sub	eax, edi
		jz	loc_8F540D
		sub	eax, edi
		jnz	loc_7D4AD7
		mov	eax, [ebx+20h]
		cmp	eax, 12h
		jz	loc_7D4B3D
		jmp	loc_8F53F4
; 

loc_7D4C13:				; CODE XREF: ConstraintEval+12Bj
		push	10h		; size_t
		push	edx		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7D4C78
		mov	eax, [esi+14h]
		cmp	eax, [ebx+18h]
		jnz	short loc_7D4C78
		mov	eax, [esi+18h]
		mov	ecx, [ebx+1Ch]
		cmp	eax, ecx
		jnz	loc_8F5451

loc_7D4C39:				; CODE XREF: ConstraintEval+120A4Ej
		mov	edi, [esi-4]
		cmp	edi, [ebx]
		jnz	loc_7D4AD7
		mov	eax, [esi+1Ch]
		cmp	eax, [ebx+20h]
		jnz	loc_7D4AD7
		mov	eax, [esi+20h]
		cmp	eax, [ebx+24h]
		jnz	loc_7D4AD7
		push	eax		; size_t
		push	dword ptr [ebx+28h] ; void *
		push	dword ptr [esi+24h] ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7D4AD7
		jmp	loc_8F5477
; 

loc_7D4C78:				; CODE XREF: ConstraintEval+1FDj
					; ConstraintEval+205j ...
		mov	ecx, [ebp+var_34]
		lea	edx, [ebx+4]
		jmp	loc_7D4B55
ConstraintEval	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SimplifyFilter	proc near		; CODE XREF: ConstraintEval+1B7p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F5485 SIZE 00000072 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		mov	edx, ecx
		mov	[ebp+var_8], ecx
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		mov	[esi], ecx
		test	edx, edx
		jz	short loc_7D4CF3
		push	edi

loc_7D4CA4:				; CODE XREF: SimplifyFilter+6Cj
		mov	eax, [ebx]
		cmp	eax, offset loc_500000
		jz	loc_8F54E6
		cmp	eax, (offset loc_5FFFFF+1)
		jz	loc_8F54E6
		mov	ecx, [esi]
		mov	esi, ebx
		imul	edx, ecx, 2Ch
		mov	[ebp+var_C], ecx
		push	0Bh
		pop	ecx
		add	edx, [ebp+arg_4]
		mov	edi, edx
		rep movsd
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jnz	loc_8F5485

loc_7D4CDB:				; CODE XREF: SimplifyFilter+120824j
					; SimplifyFilter+120830j ...
		mov	esi, [ebp+arg_0]
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_8]
		inc	eax
		mov	[esi], eax

loc_7D4CE7:				; CODE XREF: SimplifyFilter+12086Ej
		add	ebx, 2Ch
		sub	edx, 1
		mov	[ebp+var_8], edx
		jnz	short loc_7D4CA4
		pop	edi

loc_7D4CF3:				; CODE XREF: SimplifyFilter+1Dj
		pop	esi
		pop	ebx
		leave
		retn	8
SimplifyFilter	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetIoCompletion(x, x, x, x, x)
_NtSetIoCompletion@20 proc near		; DATA XREF: .text:00580CA0o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		push	esi
		push	edi
		xor	edi, edi
		mov	al, [eax+15Ah]
		push	edi
		push	ecx
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, ds:_IoCompletionObjectType
		push	eax
		push	2
		push	[ebp+arg_0]
		mov	[ebp+var_4], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D4D57
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		push	edi
		push	edi
		push	1
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	IoSetIoCompletionEx2
		mov	ecx, [ebp+var_4]
		mov	esi, eax
		call	ObfDereferenceObject

loc_7D4D57:				; CODE XREF: NtSetIoCompletion(x,x,x,x,x)+39j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	14h
_NtSetIoCompletion@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiCleanEmbryonicProcess	proc near	; CODE XREF: MmCleanProcessAddressSpace+19p

; FUNCTION CHUNK AT 008F54F7 SIZE 0000007F BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+0FCh]
		mov	edx, [edi]
		test	dl, 20h
		jnz	loc_8F54F7
		mov	eax, edx
		mov	ebx, 400h
		and	eax, 0C00h
		cmp	eax, ebx
		jbe	loc_8F5507
		cmp	eax, 800h
		jz	loc_8F551C

loc_7D4D97:				; CODE XREF: MiCleanEmbryonicProcess+1207A1j
		xor	eax, eax

loc_7D4D99:				; CODE XREF: MiCleanEmbryonicProcess+1207B7j
		pop	edi
		pop	esi
		pop	ebx
		retn
MiCleanEmbryonicProcess	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspConvertJobNotificationLimitFromV2(x, x)
_PspConvertJobNotificationLimitFromV2@8	proc near ; CODE XREF: sub_759647-4A0p
		and	dword ptr [edx], 0
		mov	eax, [ecx+30h]
		mov	[edx+28h], eax
		mov	eax, [ecx]
		mov	[edx], eax
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		mov	eax, [ecx+8]
		mov	[edx+8], eax
		mov	eax, [ecx+0Ch]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+10h]
		mov	[edx+10h], eax
		mov	eax, [ecx+14h]
		mov	[edx+14h], eax
		mov	eax, [ecx+18h]
		mov	[edx+30h], eax
		mov	eax, [ecx+1Ch]
		mov	[edx+34h], eax
		mov	eax, [ecx+20h]
		mov	[edx+18h], eax
		mov	eax, [ecx+24h]
		mov	[edx+1Ch], eax
		mov	eax, [ecx+28h]
		mov	[edx+20h], eax
		mov	eax, [ecx+2Ch]
		mov	[edx+24h], eax
		retn
_PspConvertJobNotificationLimitFromV2@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAllocateReserveObject	proc near	; DATA XREF: .text:00581260o

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F5576 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008F55A9 SIZE 0000000A BYTES

		push	14h
		push	offset dword_6A4040
		call	__SEH_prolog4
		mov	edi, [ebp+arg_8]
		and	[ebp+arg_8], 0
		and	[ebp+var_1C], 0
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_24], bl
		test	bl, bl
		jz	short loc_7D4E37
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8F5576

loc_7D4E2C:				; CODE XREF: NtAllocateReserveObject+12078Aj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D4E37:				; CODE XREF: NtAllocateReserveObject+28j
		cmp	edi, 1
		ja	loc_8F55A9
		mov	eax, ds:_PspMemoryReserveObjectSizes[edi*4]
		mov	edx, ds:_PspMemoryReserveObjectTypes[edi*4]
		push	0
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	0
		push	0
		push	eax
		push	ecx
		push	[ebp+var_24]
		push	[ebp+arg_4]
		mov	cl, bl
		call	ObCreateObjectEx
		test	eax, eax
		js	short loc_7D4ED5
		push	ds:_PspMemoryReserveObjectSizes[edi*4] ; size_t
		push	0		; int
		mov	esi, [ebp+var_1C]
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		cmp	edi, 1
		jnz	short loc_7D4E9A
		mov	dword ptr [esi+0Ch], 4
		mov	dword ptr [esi+20h], offset _PspIoMiniPacketCallbackRoutine@8 ;	PspIoMiniPacketCallbackRoutine(x,x)
		mov	[esi+24h], esi
		mov	byte ptr [esi+28h], 0

loc_7D4E9A:				; CODE XREF: NtAllocateReserveObject+95j
		lea	eax, [ebp+arg_8]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	0F0003h
		xor	edx, edx
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_7D4ED2
		test	bl, bl
		jz	short loc_7D4EE7
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_7D4ECB:				; CODE XREF: sub_8F55A1+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D4ED2:				; CODE XREF: NtAllocateReserveObject+C8j
					; NtAllocateReserveObject+101j
		mov	eax, [ebp+arg_4]

loc_7D4ED5:				; CODE XREF: NtAllocateReserveObject+7Bj
					; sub_8F558B+Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7D4EE7:				; CODE XREF: NtAllocateReserveObject+CCj
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	short loc_7D4ED2
NtAllocateReserveObject	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall SepReferenceLogonSession(x,	x)
_SepReferenceLogonSession@8 proc near	; CODE XREF: SepCreateTokenEx+6CAp
					; SepLinkLogonSessions+131p ...
		mov	edi, edi
		push	esi
		push	edx
		mov	esi, ecx
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		mov	edx, eax
		mov	ecx, esi
		call	_SepReferenceLogonSessionSilo@12 ; SepReferenceLogonSessionSilo(x,x,x)
		pop	esi
		retn
_SepReferenceLogonSession@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepReferenceLogonSessionSilo(x, x, x)
_SepReferenceLogonSessionSilo@12 proc near ; CODE XREF:	SepReferenceLogonSession(x,x)+Fp
					; NtQueryInformationToken(x,x,x,x,x)+1988p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		mov	[ebp+var_8], edx
		push	ebx
		push	esi
		mov	[ebp+var_4], eax
		imul	esi, [eax], 5B250A24h
		mov	eax, ds:_SepLogonSessions
		push	edi
		shr	esi, 1Ch
		lea	edi, [eax+esi*4]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		and	esi, 3
		imul	eax, esi, 38h
		push	1
		lea	ebx, _SepRmDbLock[eax]
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	esi, [edi]
		test	esi, esi
		jz	short loc_7D4FB1
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]

loc_7D4F59:				; CODE XREF: SepReferenceLogonSessionSilo(x,x,x)+A7j
		cmp	[esi+58h], edx
		jnz	short loc_7D4FAB
		mov	eax, [ecx]
		cmp	eax, [esi+4]
		jnz	short loc_7D4FAB
		mov	eax, [ecx+4]
		cmp	eax, [esi+8]
		jnz	short loc_7D4FAB
		push	8
		pop	edi
		lea	edx, [esi+18h]
		mov	eax, [edx]

loc_7D4F75:				; CODE XREF: SepReferenceLogonSessionSilo(x,x,x)+75j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_7D4F75
		test	al, 8
		jz	short loc_7D4F91
		xor	eax, eax
		inc	eax
		lock xadd [esi+14h], eax
		inc	eax
		cmp	eax, 1
		jle	short loc_7D4FC4

loc_7D4F91:				; CODE XREF: SepReferenceLogonSessionSilo(x,x,x)+79j
					; SepReferenceLogonSessionSilo(x,x,x)+C1j
		mov	ecx, ebx
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	eax, eax

loc_7D4FA4:				; CODE XREF: SepReferenceLogonSessionSilo(x,x,x)+BAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7D4FAB:				; CODE XREF: SepReferenceLogonSessionSilo(x,x,x)+54j
					; SepReferenceLogonSessionSilo(x,x,x)+5Bj ...
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_7D4F59

loc_7D4FB1:				; CODE XREF: SepReferenceLogonSessionSilo(x,x,x)+49j
		mov	ecx, ebx
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, 0C000005Fh
		jmp	short loc_7D4FA4
; 

loc_7D4FC4:				; CODE XREF: SepReferenceLogonSessionSilo(x,x,x)+87j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_7D4F91
_SepReferenceLogonSessionSilo@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnLogVolumeCreate proc near		; CODE XREF: PfFileInfoNotify+632p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F55B3 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	edi, edi
		movzx	eax, word ptr [ebx+16h]
		mov	ecx, [ebx]
		add	eax, eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], edi
		lea	esi, [eax+45h]
		lea	eax, [ebp+var_4]
		shr	esi, 3
		push	eax
		mov	edx, esi
		call	PfSnLogHelper
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_8F55B3
		mov	ecx, [ebp+var_4]
		lea	eax, ds:0FFFFFFF8h[esi*8]
		or	eax, 5
		push	edi
		mov	[ecx+4], edi
		lea	esi, [ecx+0Fh]
		mov	[ecx], eax
		and	esi, 0FFFFFFF8h
		mov	eax, [ebx+4]
		mov	[ecx+4], eax
		mov	ecx, [ebp+var_8]
		mov	[esi], edi
		lea	eax, [esi+2Ch]
		mov	[ebp+var_14], eax
		xor	eax, eax
		mov	word ptr [ebp+var_18], ax
		mov	eax, [ebx+1Ch]
		movzx	edx, cx
		lea	ecx, ds:1B0h[ecx*8]
		mov	word ptr [ebp+var_18+2], dx
		mov	[ebp+var_8], eax
		mov	eax, [esi]
		and	eax, 80000002h
		mov	word ptr [ebp+var_C], dx
		or	ecx, eax
		mov	word ptr [ebp+var_C+2],	dx
		or	ecx, 2
		mov	[esi], ecx
		mov	eax, [ebx+24h]
		mov	[esi+4], eax
		mov	eax, [ebx+28h]
		mov	[esi+8], eax
		mov	eax, [ebx+4]
		mov	[esi+18h], eax
		mov	eax, [esi+20h]
		xor	eax, [ebx+20h]
		and	eax, 0Fh
		xor	[esi+20h], eax
		mov	ecx, [ebx+20h]
		mov	eax, [esi+20h]
		xor	ecx, eax
		and	ecx, 0F0h
		xor	ecx, eax
		mov	[esi+20h], ecx
		mov	eax, [ebx+8]
		mov	[esi+10h], eax
		mov	eax, [ebx+0Ch]
		mov	[esi+14h], eax
		mov	eax, [ebx+10h]
		mov	[esi+1Ch], eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_18]
		mov	[esi+24h], dx
		push	eax
		mov	[esi+26h], dx
		call	RtlUpcaseUnicodeString
		movzx	ecx, word ptr [ebx+16h]
		xor	eax, eax
		mov	[esi+ecx*2+2Ch], ax
		mov	ecx, [ebp+var_10]
		add	ecx, 104h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7D50D0:				; CODE XREF: PfSnLogVolumeCreate+1205ECj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PfSnLogVolumeCreate endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmQueryStoreInformation	proc near	; CODE XREF: PAGE:00780FCCp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F55BD SIZE 0000006A BYTES

		push	1Ch
		push	offset dword_6A4068
		call	__SEH_prolog4
		cmp	[ebp+arg_0], 10h
		jnz	loc_8F55BD
		and	[ebp+ms_exc.disabled], 0
		mov	esi, edx
		lea	edi, [ebp+var_2C]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_2C], 1
		jnz	loc_8F55C7
		mov	esi, [ebp+var_28]
		cmp	esi, 16h
		jz	short loc_7D5119
		cmp	esi, 8
		jnz	short loc_7D5184

loc_7D5119:				; CODE XREF: SmQueryStoreInformation+3Aj
					; SmQueryStoreInformation+AFj ...
		dec	esi
		sub	esi, 1
		jz	loc_8F5611
		sub	esi, 3
		jz	loc_8F55F6
		sub	esi, 3
		jz	short loc_7D516C
		sub	esi, 5
		jz	loc_8F55DB
		dec	esi
		sub	esi, 1
		jz	short loc_7D51B6
		sub	esi, 7
		jnz	loc_8F55D1
		push	[ebp+arg_4]
		push	[ebp+arg_8]
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_24]
		call	SmProcessCompressionInfoRequest

loc_7D515A:				; CODE XREF: SmQueryStoreInformation+AAj
					; SmQueryStoreInformation+DCj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7D516C:				; CODE XREF: SmQueryStoreInformation+57j
		push	[ebp+arg_4]
		push	[ebp+arg_8]
		push	[ebp+var_20]
		mov	edx, [ebp+var_24]
		mov	ecx, offset unk_718498
		call	SmcProcessListRequest
		jmp	short loc_7D515A
; 

loc_7D5184:				; CODE XREF: SmQueryStoreInformation+3Fj
		cmp	esi, 2
		jz	short loc_7D5119
		cmp	esi, 5
		jz	short loc_7D5119
		cmp	esi, 0Dh
		jz	short loc_7D5119
		push	[ebp+arg_4]
		push	ds:dword_A949EC
		push	ds:_SeProfileSingleProcessPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	loc_7D5119
		mov	eax, 0C0000022h
		jmp	short loc_7D515A
; 

loc_7D51B6:				; CODE XREF: SmQueryStoreInformation+66j
		push	[ebp+arg_4]
		push	[ebp+arg_8]
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_24]
		call	SmProcessRegistrationRequest
		jmp	short loc_7D515A
SmQueryStoreInformation	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmProcessCompressionInfoRequest	proc near ; CODE XREF: SmQueryStoreInformation+7Dp

var_668		= dword	ptr -668h
var_664		= dword	ptr -664h
var_660		= dword	ptr -660h
var_65C		= dword	ptr -65Ch
var_658		= dword	ptr -658h
var_654		= dword	ptr -654h
var_650		= dword	ptr -650h
var_64C		= dword	ptr -64Ch
var_648		= dword	ptr -648h
var_644		= dword	ptr -644h
var_640		= dword	ptr -640h
var_63C		= dword	ptr -63Ch
var_634		= dword	ptr -634h
var_630		= dword	ptr -630h
var_62C		= dword	ptr -62Ch
var_628		= dword	ptr -628h
var_61C		= dword	ptr -61Ch
var_608		= dword	ptr -608h
var_604		= dword	ptr -604h
var_5FC		= dword	ptr -5FCh
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F5647 SIZE 0000003B BYTES
; FUNCTION CHUNK AT 008F56A1 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A4088
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		push	ecx
		push	ecx
		push	ebx
		sub	esp, 658h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_24], eax
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, edx
		mov	[ebp+var_62C], ecx
		mov	eax, [ebx+8]
		mov	[ebp+var_668], eax
		push	600h		; size_t
		xor	eax, eax
		push	eax		; int
		lea	eax, [ebp+var_628]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_630], eax
		mov	[ebp+var_660], eax
		mov	[ebp+var_654], eax
		mov	[ebp+var_640], eax
		mov	[ebp+var_63C], eax
		cmp	esi, 28h
		jnz	loc_8F5647
		mov	[ebp+var_4], eax
		cmp	[ebx+0Ch], al
		jz	short loc_7D5299
		mov	ecx, [ebp+var_62C]
		test	cl, 7
		jnz	loc_7D5475
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		jnb	loc_8F5651

loc_7D528F:				; CODE XREF: SmProcessCompressionInfoRequest+120489j
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+20h]
		mov	[ecx+20h], al

loc_7D5299:				; CODE XREF: SmProcessCompressionInfoRequest+A6j
		push	0Ah
		pop	ecx
		mov	esi, [ebp+var_62C]
		lea	edi, [ebp+var_660]
		rep movsd
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	byte ptr [ebp+var_660],	3
		jnz	loc_8F56A1
		test	[ebp+var_660], 0FFFFFF00h
		jnz	loc_8F56A1
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	esi, offset unk_718464
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, ds:dword_718460
		test	ecx, ecx
		jz	loc_8F5658
		mov	eax, [ecx+0E4h]
		mov	[ebp+var_65C], eax
		mov	eax, [ecx+28Ch]
		shl	eax, 0Ch
		mov	[ebp+var_658], eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7D5327
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_7D5327:				; CODE XREF: SmProcessCompressionInfoRequest+154j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	edi, edi
		mov	[ebp+var_648], edi
		mov	[ebp+var_644], edi
		mov	[ebp+var_650], edi
		mov	[ebp+var_64C], edi
		mov	eax, edi
		mov	[ebp+var_634], edi

loc_7D5355:				; CODE XREF: SmProcessCompressionInfoRequest+1B4j
		push	ecx
		mov	edx, eax
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	_SmKmStoreReferenceEx@12 ; SmKmStoreReferenceEx(x,x,x)
		mov	[ebp+var_664], eax
		test	eax, eax
		jnz	short loc_7D53CD

loc_7D536C:				; CODE XREF: SmProcessCompressionInfoRequest+24Aj
					; SmProcessCompressionInfoRequest+2A6j
		mov	eax, [ebp+var_634]
		inc	eax
		mov	[ebp+var_634], eax
		cmp	eax, 400h
		jb	short loc_7D5355
		mov	[ebp+var_4], 1
		push	0Ah
		pop	ecx
		lea	esi, [ebp+var_660]
		mov	edi, [ebp+var_62C]
		rep movsd
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_668]
		mov	dword ptr [eax], 28h
		xor	eax, eax

loc_7D53AD:				; CODE XREF: SmProcessCompressionInfoRequest+120482j
					; SmProcessCompressionInfoRequest+1204B3j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	ecx, [ebp+var_24]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
; 

loc_7D53CD:				; CODE XREF: SmProcessCompressionInfoRequest+1A0j
		mov	[ebp+var_630], 600h
		lea	ecx, [ebp+var_630]
		push	ecx
		lea	ecx, [ebp+var_628]
		push	ecx
		mov	ecx, eax
		call	?SmStGetStoreStats@?$SMKM_STORE@USM_TRAITS@@@@SGJPAU1@W4_ST_STATS_LEVEL@@PAU_ST_STATS@@PAK@Z ; SMKM_STORE<SM_TRAITS>::SmStGetStoreStats(SMKM_STORE<SM_TRAITS> *,_ST_STATS_LEVEL,_ST_STATS *,ulong *)
		mov	esi, eax
		mov	edx, [ebp+var_664]
		mov	edx, [edx+10F0h]
		and	edx, 3FFh
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		test	esi, esi
		js	loc_7D536C
		mov	ecx, edi
		mov	esi, [ebp+var_648]

loc_7D5422:				; CODE XREF: SmProcessCompressionInfoRequest+277j
		mov	eax, [ebp+var_61C]
		mul	[ebp+ecx*8+var_5FC]
		add	esi, eax
		mov	[ebp+var_648], esi
		adc	[ebp+var_644], edx
		inc	ecx
		cmp	ecx, 8
		jb	short loc_7D5422
		mov	eax, [ebp+var_608]
		mov	esi, 1000h
		mul	esi
		add	[ebp+var_650], eax
		adc	[ebp+var_64C], edx
		mov	eax, [ebp+var_604]
		mul	esi
		add	[ebp+var_640], eax
		adc	[ebp+var_63C], edx
		jmp	loc_7D536C
; 

loc_7D5475:				; CODE XREF: SmProcessCompressionInfoRequest+B1j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
SmProcessCompressionInfoRequest	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqIrpQueryGetResult proc near		; CODE XREF: PiDqDispatch+195p

var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008F56D7 SIZE 00000032 BYTES
; FUNCTION CHUNK AT 008F572F SIZE 0000001C BYTES

		push	3Ch
		push	offset dword_6A40B0
		call	__SEH_prolog4
		mov	eax, ecx
		mov	[ebp+var_24], eax
		xor	ecx, ecx
		mov	esi, ecx
		mov	edx, [eax+60h]
		mov	[ebp+var_20], edx
		mov	eax, [edx+18h]
		mov	ebx, [eax+10h]
		mov	[ebp+var_3C], ebx
		mov	eax, [edx+0Ch]
		mov	[ebp+var_34], eax
		mov	[ebp+var_19], cl
		mov	[ebp+var_28], ecx
		mov	[ebp+var_2C], ecx
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		stosd
		stosd
		stosd
		stosd
		test	ebx, ebx
		jz	loc_8F56D7
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	edi, [ebx+20h]
		mov	[ebp+var_30], edi
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebx+74h]
		test	al, 8
		jnz	loc_8F56E1
		test	al, 4
		jz	loc_8F56EB
		test	al, 1
		jnz	loc_8F56F5
		test	al, 10h
		jnz	loc_8F56EB
		or	eax, 10h
		mov	[ebx+74h], eax
		mov	[ebp+var_19], 1

loc_7D5508:				; CODE XREF: PiDqIrpQueryGetResult+12026Cj
					; PiDqIrpQueryGetResult+120276j ...
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		js	loc_7D55BF
		mov	eax, [ebp+var_20]
		mov	eax, [eax+4]
		cmp	eax, 10h
		jb	loc_8F56FF
		cmp	[ebp+var_34], (offset loc_470002+5)
		jnz	loc_7D562F
		and	[ebp+ms_exc.disabled], 0
		push	4
		push	eax
		mov	edi, [ebp+var_24]
		push	dword ptr [edi+3Ch]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D555A:				; CODE XREF: sub_8F5717+13j
		test	esi, esi
		js	short loc_7D55BF
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [ebp+var_20]
		push	dword ptr [eax+4]
		mov	edx, [edi+3Ch]
		mov	ecx, ebx
		call	PiDqQuerySerializeActionQueue
		mov	esi, eax
		test	esi, esi
		js	short loc_7D55BF
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, [ebp+var_30]
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [ebp+var_4C]
		push	eax
		push	[ebp+var_2C]
		mov	eax, [ebp+var_20]
		mov	edx, [eax+4]
		mov	ecx, ebx
		call	_PiDqQueryGetNextIoctlInfo@16 ;	PiDqQueryGetNextIoctlInfo(x,x,x,x)
		mov	ecx, [ebp+var_30]

loc_7D55AC:				; CODE XREF: PiDqIrpQueryGetResult+212j
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_7D55BF:				; CODE XREF: PiDqIrpQueryGetResult+A5j
					; PiDqIrpQueryGetResult+E2j ...
		cmp	esi, 103h
		jz	short loc_7D561D

loc_7D55C7:				; CODE XREF: PiDqIrpQueryGetResult+120262j
					; PiDqIrpQueryGetResult+12028Aj ...
		cmp	[ebp+var_19], 0
		jz	short loc_7D560C
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [ebx+20h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebx+74h]
		and	eax, 0FFFFFFEFh
		mov	[ebx+74h], eax
		test	esi, esi
		js	loc_8F5739

loc_7D55F6:				; CODE XREF: PiDqIrpQueryGetResult+1202CCj
		xor	edx, edx
		lea	ecx, [ebx+20h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_7D560C:				; CODE XREF: PiDqIrpQueryGetResult+151j
		lea	eax, [ebp+var_4C]
		push	eax
		push	[ebp+var_28]
		mov	edx, esi
		mov	ecx, [ebp+var_24]
		call	PiDqIrpComplete

loc_7D561D:				; CODE XREF: PiDqIrpQueryGetResult+14Bj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7D562F:				; CODE XREF: PiDqIrpQueryGetResult+C1j
		mov	edi, [ebp+var_24]
		cmp	dword ptr [edi+0Ch], 0
		jz	loc_8F572F
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [ebx+20h]
		call	ExAcquirePushLockExclusiveEx
		cmp	dword ptr [ebx+60h], 0
		jnz	short loc_7D5691
		lea	eax, [ebx+64h]
		cmp	[eax], eax
		jnz	short loc_7D5691
		mov	eax, [ebx+0Ch]
		test	byte ptr [eax+20h], 1
		jz	short loc_7D5691
		mov	ecx, offset _PiDqIrpCancel@8 ; PiDqIrpCancel(x,x)
		lea	eax, [edi+38h]
		xchg	ecx, [eax]
		cmp	byte ptr [edi+24h], 0
		jnz	short loc_7D56AD
		mov	[ebx+5Ch], edi
		mov	eax, [edi+60h]
		or	byte ptr [eax+3], 1
		mov	esi, 103h

loc_7D5689:				; CODE XREF: PiDqIrpQueryGetResult+231j
					; PiDqIrpQueryGetResult+238j
		lea	ecx, [ebx+20h]
		jmp	loc_7D55AC
; 

loc_7D5691:				; CODE XREF: PiDqIrpQueryGetResult+1DEj
					; PiDqIrpQueryGetResult+1E5j ...
		lea	eax, [ebp+var_4C]
		push	eax
		push	0
		mov	eax, [ebp+var_20]
		mov	edx, [eax+4]
		mov	ecx, ebx
		call	_PiDqQueryGetNextIoctlInfo@16 ;	PiDqQueryGetNextIoctlInfo(x,x,x,x)
		mov	[ebp+var_28], 10h
		jmp	short loc_7D5689
; 

loc_7D56AD:				; CODE XREF: PiDqIrpQueryGetResult+1FEj
		mov	esi, 0C0000120h
		jmp	short loc_7D5689
PiDqIrpQueryGetResult endp


;  S U B	R O U T	I N E 


; __stdcall PspNotifyEmptyJobsInJobChain(x)
_PspNotifyEmptyJobsInJobChain@4	proc near ; CODE XREF: PspRundownSingleProcess(x,x)+226p
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		lea	eax, [ecx+0F8h]
		lock bts dword ptr [eax], 0Bh
		mov	esi, [ecx+158h]
		setb	bl
		neg	bl
		sbb	bl, bl
		inc	bl
		jmp	short loc_7D56E6
; 

loc_7D56D5:				; CODE XREF: PspNotifyEmptyJobsInJobChain(x)+34j
		push	1
		mov	dl, bl
		mov	ecx, esi
		call	_PspEvaluateAndNotifyEmptyJob@12 ; PspEvaluateAndNotifyEmptyJob(x,x,x)
		mov	esi, [esi+244h]

loc_7D56E6:				; CODE XREF: PspNotifyEmptyJobsInJobChain(x)+1Fj
		test	esi, esi
		jnz	short loc_7D56D5
		pop	esi
		pop	ebx
		pop	ecx
		retn
_PspNotifyEmptyJobsInJobChain@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmiTraceRundownNotify(x, x,	x)
_WmiTraceRundownNotify@12 proc near	; CODE XREF: EtwpKernelTraceRundown+191p
					; EtwpUpdateFileInfoDriverState+129976p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_C]
		and	[ebp+var_C], 0
		push	esi
		mov	[ebp+var_14], ecx
		mov	ecx, 400000h
		mov	[ebp+var_18], edx
		lea	edx, [ebp+var_8]
		push	eax
		mov	[ebp+var_1C], 2
		mov	[ebp+var_10], ecx
		call	WmipBuildTraceDeviceList
		mov	esi, eax
		test	esi, esi
		js	short loc_7D5741
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_8]
		push	eax
		push	10h
		push	0Ch
		call	WmipSendWmiIrpToTraceDeviceList
		mov	esi, eax
		test	esi, esi
		js	short loc_7D5741
		xor	esi, esi

loc_7D5741:				; CODE XREF: WmiTraceRundownNotify(x,x,x)+36j
					; WmiTraceRundownNotify(x,x,x)+4Fj
		cmp	[ebp+var_8], 0
		jz	short loc_7D5752
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		call	_WmipFreeTraceDeviceList@8 ; WmipFreeTraceDeviceList(x,x)

loc_7D5752:				; CODE XREF: WmiTraceRundownNotify(x,x,x)+57j
		mov	eax, esi
		pop	esi
		leave
		retn	4
_WmiTraceRundownNotify@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall WmipFreeTraceDeviceList(x, x)
_WmipFreeTraceDeviceList@8 proc	near	; CODE XREF: WmipBuildTraceDeviceList+D0F2Dp
					; WmiTraceRundownNotify(x,x,x)+5Fp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, edx
		xor	esi, esi
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	short loc_7D5776

loc_7D5769:				; CODE XREF: WmipFreeTraceDeviceList(x,x)+1Aj
		mov	ecx, [edi+esi*8]
		call	WmipUnreferenceRegEntry
		inc	esi
		cmp	esi, ebx
		jb	short loc_7D5769

loc_7D5776:				; CODE XREF: WmipFreeTraceDeviceList(x,x)+Dj
		push	70696D57h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
_WmipFreeTraceDeviceList@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipSendWmiIrpToTraceDeviceList	proc near ; CODE XREF: WmiTraceRundownNotify(x,x,x)+46p
					; WmiSetNetworkNotify(x)+39p

var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F574B SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_8], ecx
		push	esi
		push	esi
		push	esi
		push	esi
		mov	edi, offset _WmipSMMutex
		mov	ebx, edx
		push	edi
		call	KeWaitForSingleObject
		mov	eax, _WmipServiceDeviceObject
		push	esi
		push	edi
		mov	al, [eax+30h]
		mov	[ebp+var_1], al
		inc	al
		mov	[ebp+var_C], al
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		push	esi
		push	dword ptr [ebp+var_C]
		call	IoAllocateIrp
		mov	edi, eax
		test	edi, edi
		jz	loc_8F574B
		test	ebx, ebx
		jz	short loc_7D5835
		mov	al, [ebp+var_1]
		mov	ecx, 94h
		cbw
		movzx	eax, ax
		imul	eax, 24h
		add	ax, cx
		mov	[ebp+var_10], eax

loc_7D57EB:				; CODE XREF: WmipSendWmiIrpToTraceDeviceList+ADj
		push	dword ptr [ebp+var_C] ;	char
		push	eax		; __int16
		push	edi		; void *
		call	IoInitializeIrp
		add	dword ptr [edi+60h], 0FFFFFFDCh
		mov	ecx, [edi+60h]
		dec	byte ptr [edi+23h]
		mov	eax, _WmipServiceDeviceObject
		push	[ebp+arg_8]
		mov	dl, [ebp+arg_0]
		push	[ebp+arg_4]
		mov	[ecx+14h], eax
		mov	ecx, edi
		mov	eax, large fs:124h
		mov	[edi+50h], eax
		mov	eax, [ebp+var_8]
		push	esi
		mov	eax, [eax]
		push	dword ptr [eax+8]
		call	WmipForwardWmiIrp
		add	[ebp+var_8], 8
		mov	eax, [ebp+var_10]
		sub	ebx, 1
		jnz	short loc_7D57EB

loc_7D5835:				; CODE XREF: WmipSendWmiIrpToTraceDeviceList+4Dj
		push	edi
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_7D583B:				; CODE XREF: WmipSendWmiIrpToTraceDeviceList+11FFCAj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
WmipSendWmiIrpToTraceDeviceList	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspJobClose	proc near		; DATA XREF: PspInitPhase0+285o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F5755 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		xor	ebx, ebx
		inc	ebx
		cmp	[ebp+arg_C], ebx
		ja	short loc_7D58B4
		mov	eax, large fs:124h
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	[ebp+arg_C], eax
		lea	edi, [esi+310h]
		lock or	[edi], ebx
		mov	edx, eax
		mov	ecx, esi
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		test	dword ptr [esi+0B0h], 2000h
		jnz	short loc_7D58B9

loc_7D587E:				; CODE XREF: PspJobClose+A7j
					; PspJobClose+11FF18j
		xor	ebx, ebx
		xor	edx, edx
		push	ebx
		mov	ecx, esi
		call	_PspLockJobMemoryLimitsExclusive@12 ; PspLockJobMemoryLimitsExclusive(x,x,x)
		mov	edi, [esi+0D4h]
		xor	edx, edx
		push	ebx
		mov	ecx, esi
		mov	[esi+0D4h], ebx
		call	_PspUnlockJobMemoryLimitsExclusive@12 ;	PspUnlockJobMemoryLimitsExclusive(x,x,x)
		mov	edx, [ebp+arg_C]
		mov	ecx, esi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		test	edi, edi
		jnz	loc_8F5761

loc_7D58B2:				; CODE XREF: PspJobClose+11FF29j
		pop	edi
		pop	esi

loc_7D58B4:				; CODE XREF: PspJobClose+Cj
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_7D58B9:				; CODE XREF: PspJobClose+38j
		lock bts dword ptr [edi], 1Dh
		jb	short loc_7D58C8
		test	dword ptr [edi], 40000000h
		jnz	short loc_7D58CA

loc_7D58C8:				; CODE XREF: PspJobClose+7Aj
		xor	bl, bl

loc_7D58CA:				; CODE XREF: PspJobClose+82j
		mov	edx, [ebp+arg_C]
		mov	ecx, esi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	PspTerminateAllProcessesInJobHierarchy
		mov	edx, [ebp+arg_C]
		mov	ecx, esi
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		test	bl, bl
		jz	short loc_7D587E
		jmp	loc_8F5755
PspJobClose	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtTerminateJobObject proc near		; DATA XREF: .text:00580C18o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F5772 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	esi
		push	0
		mov	al, [eax+15Ah]
		push	ecx
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, ds:_PsJobType
		push	eax
		push	8
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8F5772
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		push	0
		call	PspTerminateAllProcessesInJobHierarchy
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject

loc_7D5945:				; CODE XREF: NtTerminateJobObject+11FE8Aj
					; NtTerminateJobObject+11FE9Fj
		mov	eax, esi
		pop	esi
		leave
		retn	8
NtTerminateJobObject endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspTerminateAllProcessesInJobHierarchy proc near ; CODE	XREF: PspJobClose+96p
					; NtTerminateJobObject+46p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008F5796 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	ecx, 80h
		lea	eax, [esi+310h]
		lock or	[eax], ecx
		mov	[ebp+var_C], edi
		mov	byte ptr [ebp+var_8], bl
		cmp	[ebp+arg_0], bl
		jnz	short loc_7D59C2

loc_7D597C:				; CODE XREF: PspTerminateAllProcessesInJobHierarchy+7Aj
		push	2
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		push	ebx
		push	offset PspTerminateProcessesJobCallback
		mov	ecx, esi
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	al, byte ptr [ebp+var_8]
		test	al, 2
		jz	short loc_7D59B3
		mov	bl, 1

loc_7D599A:				; CODE XREF: PspTerminateAllProcessesInJobHierarchy+74j
		test	ds:_PerfGlobalGroupMask, 80000h
		jnz	loc_8F5796

loc_7D59AA:				; CODE XREF: PspTerminateAllProcessesInJobHierarchy+11FE5Aj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
; 

loc_7D59B3:				; CODE XREF: PspTerminateAllProcessesInJobHierarchy+4Aj
		push	ebx
		xor	dl, dl
		mov	ecx, esi
		call	_PspEvaluateAndNotifyEmptyJob@12 ; PspEvaluateAndNotifyEmptyJob(x,x,x)
		mov	al, byte ptr [ebp+var_8]
		jmp	short loc_7D599A
; 

loc_7D59C2:				; CODE XREF: PspTerminateAllProcessesInJobHierarchy+2Ej
		mov	byte ptr [ebp+var_8], 1
		jmp	short loc_7D597C
PspTerminateAllProcessesInJobHierarchy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAlpcCreateResourceReserve proc near	; DATA XREF: .text:00581234o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F57AB SIZE 00000011 BYTES

		push	18h
		push	offset dword_6A40D0
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_20], edx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		cmp	[ebp+arg_4], edx
		jnz	loc_8F57AB
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4], al
		test	al, al
		jz	short loc_7D5A21
		mov	[ebp+ms_exc.disabled], edx
		mov	ecx, [ebp+arg_C]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8F57B5

loc_7D5A16:				; CODE XREF: NtAlpcCreateResourceReserve+11FDEFj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D5A21:				; CODE XREF: NtAlpcCreateResourceReserve+39j
		mov	eax, ds:_AlpcPortObjectType
		mov	[ebp+var_1C], edx
		push	edx
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+arg_4]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D5A7B
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+var_1C]
		call	_AlpcpCreateReserve@12 ; AlpcpCreateReserve(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D5A73
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_20]
		or	ecx, 80000000h
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx

loc_7D5A6C:				; CODE XREF: sub_8F57EA+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7D5A73:				; CODE XREF: NtAlpcCreateResourceReserve+8Dj
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject

loc_7D5A7B:				; CODE XREF: NtAlpcCreateResourceReserve+78j
					; NtAlpcCreateResourceReserve+11FDE8j ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
NtAlpcCreateResourceReserve endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpCreateReserve(x, x, x)
_AlpcpCreateReserve@12 proc near	; CODE XREF: NtAlpcCreateResourceReserve+84p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_C], ecx
		cmp	ebx, 0FFD7h
		jbe	short loc_7D5AC0
		mov	eax, 80000005h
		jmp	loc_7D5C9C
; 

loc_7D5AC0:				; CODE XREF: AlpcpCreateReserve(x,x,x)+18j
		push	18h
		pop	edx
		cmp	ebx, edx
		jnb	short loc_7D5AD1
		mov	eax, 0C000000Dh
		jmp	loc_7D5C9C
; 

loc_7D5AD1:				; CODE XREF: AlpcpCreateReserve(x,x,x)+29j
		push	esi
		push	1
		mov	ecx, offset _AlpcReserveType
		call	@AlpcpAllocateBlob@12 ;	AlpcpAllocateBlob(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_7D5AEE
		mov	eax, 0C000009Ah
		jmp	loc_7D5C9B
; 

loc_7D5AEE:				; CODE XREF: AlpcpCreateReserve(x,x,x)+46j
		push	edi
		push	6
		xor	eax, eax
		mov	edi, esi
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		mov	edx, 198h
		mov	edi, [eax+80h]
		mov	ecx, edi
		call	_AlpcpChargePagedPoolQuota@8 ; AlpcpChargePagedPoolQuota(x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		js	short loc_7D5B36
		push	1
		mov	edx, ebx
		lea	ecx, [ebp+var_4]
		call	@AlpcpAllocateMessage@12 ; AlpcpAllocateMessage(x,x,x)
		mov	[ebp+var_8], eax
		mov	ecx, edi
		test	eax, eax
		jns	short loc_7D5B48
		mov	edx, 198h
		call	_AlpcpReleasePagedPoolQuota@8 ;	AlpcpReleasePagedPoolQuota(x,x)

loc_7D5B36:				; CODE XREF: AlpcpCreateReserve(x,x,x)+79j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	eax, [ebp+var_8]
		jmp	loc_7D5C9A
; 

loc_7D5B48:				; CODE XREF: AlpcpCreateReserve(x,x,x)+8Ej
		mov	edx, 63706C41h
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_4]
		mov	edx, ebx
		push	0		; void *
		mov	[eax+1Ch], edi
		mov	[esi+0Ch], eax
		mov	[esi+10h], ebx
		mov	[eax+34h], esi
		mov	ecx, [esi+0Ch]
		call	@AlpcpCaptureMessageData@12 ; AlpcpCaptureMessageData(x,x,x)
		mov	ecx, esi
		mov	dword ptr [esi+14h], 1
		mov	edi, eax
		call	AlpcpReferenceBlob
		cmp	_AlpcpMessageLogEnabled, 0
		mov	ebx, [ebp+var_4]
		jz	short loc_7D5B90
		mov	ecx, ebx
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_7D5B90:				; CODE XREF: AlpcpCreateReserve(x,x,x)+EBj
		mov	ecx, ebx
		call	AlpcpUnlockBlob
		test	edi, edi
		js	loc_7D5C8E
		mov	ebx, [ebp+var_C]
		xor	edx, edx
		lea	edi, [ebx+0D0h]
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		test	byte ptr [ebx+0F4h], 20h
		jz	short loc_7D5BE0
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_7D5BCF
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7D5BCF:				; CODE XREF: AlpcpCreateReserve(x,x,x)+12Aj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	edi, 0C0000037h
		jmp	loc_7D5C8E
; 

loc_7D5BE0:				; CODE XREF: AlpcpCreateReserve(x,x,x)+11Cj
		mov	ecx, esi
		call	AlpcpReferenceBlob
		lea	ecx, [esi-4]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi-10h], 4
		lea	edx, [ebp+var_8]
		mov	eax, [ebx+8]
		add	eax, 14h
		mov	[ebp+var_8], esi
		mov	[esi+4], eax
		mov	ecx, [ebx+8]
		add	ecx, 14h
		call	@AlpcAddHandleTableEntry@8 ; AlpcAddHandleTableEntry(x,x)
		mov	[esi+8], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_7D5C4F
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_7D5C2C
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7D5C2C:				; CODE XREF: AlpcpCreateReserve(x,x,x)+187j
		mov	ecx, edi
		call	KeAbPostRelease
		and	dword ptr [esi+4], 0
		mov	ecx, esi
		call	@AlpcpEndInitialization@4 ; AlpcpEndInitialization(x)
		push	2
		pop	edx
		mov	ecx, esi
		call	AlpcpDereferenceBlobEx
		mov	eax, 0C000009Ah
		jmp	short loc_7D5C9A
; 

loc_7D5C4F:				; CODE XREF: AlpcpCreateReserve(x,x,x)+179j
		mov	ecx, ebx
		mov	[esi], ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, esi
		mov	ecx, ebx
		call	_AlpcpInsertResourcePort@8 ; AlpcpInsertResourcePort(x,x)
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_7D5C76
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7D5C76:				; CODE XREF: AlpcpCreateReserve(x,x,x)+1D1j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, [ebp+arg_0]
		mov	ecx, [esi+8]
		mov	[eax], ecx
		mov	ecx, esi
		call	@AlpcpEndInitialization@4 ; AlpcpEndInitialization(x)
		xor	edi, edi

loc_7D5C8E:				; CODE XREF: AlpcpCreateReserve(x,x,x)+FDj
					; AlpcpCreateReserve(x,x,x)+13Fj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	eax, edi

loc_7D5C9A:				; CODE XREF: AlpcpCreateReserve(x,x,x)+A7j
					; AlpcpCreateReserve(x,x,x)+1B1j
		pop	edi

loc_7D5C9B:				; CODE XREF: AlpcpCreateReserve(x,x,x)+4Dj
		pop	esi

loc_7D5C9C:				; CODE XREF: AlpcpCreateReserve(x,x,x)+1Fj
					; AlpcpCreateReserve(x,x,x)+30j
		pop	ebx
		leave
		retn	4
_AlpcpCreateReserve@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

StringListContains proc	near		; CODE XREF: PropertyEval+13Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F57F5 SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, edx
		xor	edx, edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], ecx
		mov	ebx, edx
		mov	[ebp+var_8], edx
		cmp	[esi], dx
		jz	short loc_7D5D30
		push	edi

loc_7D5CC4:				; CODE XREF: StringListContains+11FB97j
		mov	edi, ecx
		cmp	[ecx], dx
		jz	short loc_7D5D26

loc_7D5CCB:				; CODE XREF: StringListContains+7Fj
		cmp	[ebp+arg_4], 0
		jnz	loc_8F57F5
		mov	ecx, esi
		mov	eax, edi

loc_7D5CD9:				; CODE XREF: StringListContains+57j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_7D5D38
		test	dx, dx
		jz	short loc_7D5CFB
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_7D5D38
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_7D5CD9

loc_7D5CFB:				; CODE XREF: StringListContains+42j
		xor	eax, eax

loc_7D5CFD:				; CODE XREF: StringListContains+9Bj
					; StringListContains+11FB5Cj
		test	eax, eax
		jz	short loc_7D5D3F
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_7D5D06:				; CODE XREF: StringListContains+6Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_8]
		jnz	short loc_7D5D06
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], ax
		jnz	short loc_7D5CCB

loc_7D5D23:				; CODE XREF: StringListContains+A0j
		mov	eax, [ebp+var_4]

loc_7D5D26:				; CODE XREF: StringListContains+27j
		cmp	eax, 12h
		jnz	loc_8F5803

loc_7D5D2F:				; CODE XREF: StringListContains+11FB6Aj
					; StringListContains+11FB9Dj
		pop	edi

loc_7D5D30:				; CODE XREF: StringListContains+1Fj
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_7D5D38:				; CODE XREF: StringListContains+3Dj
					; StringListContains+4Cj
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_7D5CFD
; 

loc_7D5D3F:				; CODE XREF: StringListContains+5Dj
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_7D5D23
StringListContains endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpUpdateHiveRootCellFlags(x, x)
_CmpUpdateHiveRootCellFlags@8 proc near	; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x):loc_8154B1p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		xor	eax, eax
		mov	[ebp+var_C], esi
		mov	word ptr [ebp+var_C], ax
		mov	ebx, edx
		mov	[ebp+var_10], esi
		xor	edx, edx
		or	[ebp+var_10], 0FFFFFFFFh
		lea	eax, [edi+24h]
		mov	ecx, eax
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockSharedEx
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		push	edi
		call	dword ptr [edi+4]
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7D5DD4
		mov	al, [ebx+2]
		and	al, 0Ch
		cmp	al, 0Ch
		jz	short loc_7D5DA4
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		push	esi
		push	esi
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_7D5DDB
		or	word ptr [ebx+2], 0Ch

loc_7D5DA4:				; CODE XREF: CmpUpdateHiveRootCellFlags(x,x)+49j
					; CmpUpdateHiveRootCellFlags(x,x)+9Cj
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_7D5DAC:				; CODE XREF: CmpUpdateHiveRootCellFlags(x,x)+95j
		mov	edi, [ebp+var_8]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_7D5DCB

loc_7D5DBD:				; CODE XREF: CmpUpdateHiveRootCellFlags(x,x)+8Ej
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7D5DCB:				; CODE XREF: CmpUpdateHiveRootCellFlags(x,x)+77j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7D5DBD
; 

loc_7D5DD4:				; CODE XREF: CmpUpdateHiveRootCellFlags(x,x)+40j
		mov	esi, 0C000009Ah
		jmp	short loc_7D5DAC
; 

loc_7D5DDB:				; CODE XREF: CmpUpdateHiveRootCellFlags(x,x)+59j
		mov	esi, 0C000009Ah
		jmp	short loc_7D5DA4
_CmpUpdateHiveRootCellFlags@8 endp

; 
		align 8
; Exported entry 1442. MmMapViewInSessionSpace

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMapViewInSessionSpace(x, x, x)
		public _MmMapViewInSessionSpace@12
_MmMapViewInSessionSpace@12 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		xor	eax, eax
		push	eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_MmMapViewInSessionSpaceEx@20 ;	MmMapViewInSessionSpaceEx(x,x,x,x,x)
		leave
		retn	0Ch
_MmMapViewInSessionSpace@12 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1443. MmMapViewInSessionSpaceEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMapViewInSessionSpaceEx(x, x, x, x, x)
		public _MmMapViewInSessionSpaceEx@20
_MmMapViewInSessionSpaceEx@20 proc near	; CODE XREF: MmMapViewInSessionSpace(x,x,x)+1Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		test	dword ptr [edx+0FCh], 10000h
		jz	short loc_7D5E54
		mov	edx, [edx+180h]
		mov	ecx, [ebp+arg_0]
		add	edx, 70h
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	MiMapViewInSystemSpace

loc_7D5E50:				; CODE XREF: MmMapViewInSessionSpaceEx(x,x,x,x,x)+45j
		pop	ebp
		retn	14h
; 

loc_7D5E54:				; CODE XREF: MmMapViewInSessionSpaceEx(x,x,x,x,x)+1Bj
		mov	eax, 0C0000019h
		jmp	short loc_7D5E50
_MmMapViewInSessionSpaceEx@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopOpenLinkOrRenameTarget proc near	; CODE XREF: .text:00522740p
					; IoSetInformation(x,x,x,x)+28Cp

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7A		= dword	ptr -7Ah
var_76		= word ptr -76h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_10		= byte ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F5844 SIZE 0000008D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+94h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		push	0Ah
		mov	[esp+0A4h+var_64], ecx
		lea	edi, [esp+0A4h+var_30]
		pop	ecx
		mov	[esp+0A0h+var_6C], edx
		xor	edx, edx
		mov	[esp+0A0h+var_8C], eax
		mov	ebx, edx
		xor	eax, eax
		mov	[esp+0A0h+var_68], esi
		test	dword ptr [esi+2Ch], 800h
		rep stosd
		push	2
		mov	[esp+0A4h+var_58], edx
		mov	[esp+0A4h+var_54], edx
		mov	[esp+0A4h+var_90], edx
		mov	[esp+0A4h+var_88], ebx
		mov	[esp+0A4h+var_50], edx
		mov	[esp+0A4h+var_4C], edx
		mov	[esp+0A4h+var_80+2], edx
		mov	[esp+0A4h+var_7A], edx
		mov	[esp+0A4h+var_76], ax
		pop	edi
		jnz	short loc_7D5EF4
		lea	edx, [esp+0A0h+var_30]
		mov	ecx, esi
		call	IopGetBasicInformationFile
		test	eax, eax
		js	loc_7D6064
		xor	edx, edx
		test	[esp+0A0h+var_10], 10h
		jnz	loc_7D607B

loc_7D5EF4:				; CODE XREF: IopOpenLinkOrRenameTarget+73j
					; IopOpenLinkOrRenameTarget+222j
		mov	ecx, [esp+0A0h+var_8C]
		mov	ecx, [ecx+4]
		test	ecx, ecx
		jnz	loc_8F5844

loc_7D5F03:				; CODE XREF: IopOpenLinkOrRenameTarget+11FA12j
					; IopOpenLinkOrRenameTarget+11FA1Dj
		mov	ecx, [esp+0A0h+var_8C]
		xor	edx, edx
		mov	[esp+0A0h+var_48], 18h
		inc	edx
		mov	[esp+0A0h+var_44], ebx
		push	14h
		movzx	eax, word ptr [ecx+8]
		mov	word ptr [esp+0A4h+var_60], ax
		mov	word ptr [esp+0A4h+var_60+2], ax
		lea	eax, [ecx+0Ch]
		mov	ecx, [esi+2Ch]
		mov	[esp+0A4h+var_5C], eax
		and	ecx, 20000h
		mov	eax, [esp+0A4h+var_6C]
		mov	eax, [eax+60h]
		mov	[esp+0A4h+var_8C], eax
		mov	al, [eax-22h]
		not	al
		mov	[esp+0A4h+var_70], edx
		movzx	eax, al
		and	eax, edx
		shl	eax, 0Ah
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 0FFFFFFC0h
		add	ecx, 240h
		or	ecx, eax
		lea	eax, [esp+0A4h+var_60]
		mov	[esp+0A4h+var_40], eax
		xor	eax, eax
		mov	[esp+0A4h+var_3C], ecx
		xor	ecx, ecx
		mov	[esp+0A4h+var_76], ax
		pop	eax
		mov	[esp+0A0h+var_38], ecx
		mov	[esp+0A0h+var_34], ecx
		mov	[esp+0A0h+var_80+2], ecx
		mov	[esp+0A0h+var_7A], ecx
		push	ecx
		mov	ecx, esi
		mov	word ptr [esp+0A4h+var_80], ax
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		test	eax, eax
		jnz	loc_8F587E

loc_7D5F9C:				; CODE XREF: IopOpenLinkOrRenameTarget+11FA28j
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		mov	[esp+0A0h+var_74], eax
		lea	eax, [esp+0A0h+var_80]
		push	eax
		mov	eax, [esp+0A4h+var_8C]
		mov	al, [eax-22h]
		not	al
		and	eax, 1
		or	eax, 104h
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	4000h
		push	1
		push	3
		push	eax
		push	eax
		lea	eax, [esp+0CCh+var_58]
		push	eax
		lea	eax, [esp+0D0h+var_48]
		push	eax
		mov	eax, edi
		or	eax, 100000h
		push	eax
		lea	eax, [esp+0D8h+var_90]
		push	eax
		call	_IoCreateFileEx@60 ; IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D605A
		mov	eax, ds:_IoFileObjectType
		lea	ecx, [esp+0A0h+var_50]
		and	[esp+0A0h+var_84], 0
		push	ecx
		lea	ecx, [esp+0A4h+var_84]
		push	ecx
		push	0
		push	eax
		push	edi
		push	[esp+0B4h+var_90]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8F589E
		mov	edi, [esp+0A0h+var_84]
		mov	ecx, edi
		call	ObfDereferenceObject
		push	[esp+0A0h+var_68]
		call	IoGetRelatedDeviceObject
		push	edi
		mov	esi, eax
		call	IoGetRelatedDeviceObject
		cmp	eax, esi
		jnz	loc_8F5889
		mov	eax, [esp+0A0h+var_8C]
		xor	esi, esi
		mov	ecx, [esp+0A0h+var_64]
		mov	[eax-18h], edi
		mov	eax, [esp+0A0h+var_90]
		mov	[ecx], eax

loc_7D605A:				; CODE XREF: IopOpenLinkOrRenameTarget+19Aj
					; IopOpenLinkOrRenameTarget+11FA3Dj ...
		test	ebx, ebx
		jnz	loc_8F58AE

loc_7D6062:				; CODE XREF: IopOpenLinkOrRenameTarget+11FA5Fj
					; IopOpenLinkOrRenameTarget+11FA70j
		mov	eax, esi

loc_7D6064:				; CODE XREF: IopOpenLinkOrRenameTarget+82j
					; IopOpenLinkOrRenameTarget+11FA08j
		mov	ecx, [esp+0A0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7D607B:				; CODE XREF: IopOpenLinkOrRenameTarget+92j
		push	4
		pop	edi
		jmp	loc_7D5EF4
IopOpenLinkOrRenameTarget endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetBasicInformationFile proc	near	; CODE XREF: IopOpenLinkOrRenameTarget+7Bp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 008F58D1 SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		xor	edi, edi
		push	ebx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		call	IoGetRelatedDeviceObject
		mov	[ebp+var_C], eax
		mov	esi, [eax+8]
		mov	esi, [esi+28h]
		test	esi, esi
		jz	loc_8F58F1
		mov	esi, [esi+10h]
		test	esi, esi
		jz	loc_8F58F1
		test	byte ptr _MmVerifierData, 10h
		jnz	loc_8F58D1

loc_7D60CB:				; CODE XREF: IopGetBasicInformationFile+11F857j
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, [ebx+2Ch]
		push	[ebp+var_8]
		shr	eax, 1
		and	al, 1
		movzx	eax, al
		push	eax
		push	ebx
		call	esi
		mov	[ebp+var_1], al
		test	edi, edi
		jnz	loc_8F58E0

loc_7D60EC:				; CODE XREF: IopGetBasicInformationFile+11F868j
		test	al, al
		jz	loc_8F58F1
		mov	eax, [ebp+var_14]

loc_7D60F7:				; CODE XREF: IopGetBasicInformationFile+11F880j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
IopGetBasicInformationFile endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspValidateJobAffinityState proc near	; CODE XREF: PspInsertProcess+19Ep

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F5909 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		push	1
		xor	edi, edi
		lea	ebx, [esi+20h]
		push	ebx
		call	ExAcquireResourceSharedLite
		mov	ecx, [esi+0C4h]
		mov	esi, [ebp+var_4]
		test	ecx, ecx
		jnz	loc_8F5909

loc_7D6128:				; CODE XREF: PspValidateJobAffinityState+11F81Ej
		mov	eax, 4000000h
		lea	edx, [esi+0FCh]
		lock or	[edx], eax

loc_7D6136:				; CODE XREF: PspValidateJobAffinityState+11F818j
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PspValidateJobAffinityState endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 453. ExUnsubscribeWnfStateChange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExUnsubscribeWnfStateChange(x)
		public _ExUnsubscribeWnfStateChange@4
_ExUnsubscribeWnfStateChange@4 proc near ; CODE	XREF: SshpUnsubscribeCallbacks()+27p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edx, ds:_PsInitialSystemProcess
		mov	ecx, [ebp+arg_0]
		call	ExpWnfDeleteSubscription
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	ecx
		pop	ebp
		retn	4
_ExUnsubscribeWnfStateChange@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2427. SeAssignSecurityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAssignSecurityEx(x, x, x,	x, x, x, x, x, x)
		public _SeAssignSecurityEx@36
_SeAssignSecurityEx@36 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		push	ecx
		push	[ebp+arg_1C]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_18]
		push	0
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_SeAssignSecurityEx2@40	; SeAssignSecurityEx2(x,x,x,x,x,x,x,x,x,x)
		pop	ecx
		pop	ebp
		retn	24h
_SeAssignSecurityEx@36 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1635. ObQueryNameString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObQueryNameString(x, x, x, x)
		public _ObQueryNameString@16
_ObQueryNameString@16 proc near		; CODE XREF: IopGetFileVolumeNameInformation+3Dp
					; IoDeleteDevice+109p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	ObQueryNameStringMode
		pop	ebp
		retn	10h
_ObQueryNameString@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetQuotaLimits proc near		; CODE XREF: PAGE:007A75A2p

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9A		= byte ptr -9Ah
var_99		= byte ptr -99h
var_98		= byte ptr -98h
var_97		= byte ptr -97h
var_96		= byte ptr -96h
var_95		= byte ptr -95h
var_94		= dword	ptr -94h
var_6C		= dword	ptr -6Ch
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F591F SIZE 0000010F BYTES

		push	0A4h
		push	offset dword_6A4140
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	[ebp+var_A4], ecx
		xor	ebx, ebx
		mov	[ebp+var_A0], ebx
		push	38h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_54]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_6C]
		rep stosd
		mov	[ebp+var_99], bl
		push	0Ah
		pop	ecx
		lea	edi, [ebp+var_94]
		rep stosd
		mov	[ebp+ms_exc.disabled], ebx
		cmp	[ebp+arg_0], 20h
		jz	loc_8F591F
		cmp	[ebp+arg_0], 38h
		jnz	loc_8F5A1D
		mov	[ebp+var_97], bl
		push	0Eh
		pop	ecx
		lea	edi, [ebp+var_54]
		rep movsd
		inc	ebx

loc_7D623D:				; CODE XREF: PspSetQuotaLimits+11F76Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_24]
		test	ecx, 0FFFFFFE0h
		jnz	loc_8F5A13
		mov	eax, ecx
		and	eax, 3
		cmp	al, 3
		jz	loc_8F5A13
		mov	eax, ecx
		and	eax, 0Ch
		cmp	al, 0Ch
		jz	loc_8F5A13
		xor	esi, esi
		test	cl, bl
		jnz	loc_7D64AE
		test	cl, 2
		jnz	loc_7D646B

loc_7D6280:				; CODE XREF: PspSetQuotaLimits+2A0j
		test	cl, 4
		jz	loc_7D645A
		or	esi, ebx

loc_7D628B:				; CODE XREF: PspSetQuotaLimits+28Fj
					; PspSetQuotaLimits+298j
		mov	eax, [ebp+var_20]
		or	eax, [ebp+var_28]
		or	eax, [ebp+var_2C]
		or	eax, [ebp+var_30]
		jnz	loc_8F5A13
		push	eax
		lea	eax, [ebp+var_A0]
		push	eax
		push	79517350h
		push	[ebp+arg_4]
		push	ds:_PsProcessType
		push	100h
		push	[ebp+var_A4]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7D6448
		mov	ecx, large fs:124h
		mov	[ebp+var_AC], ecx
		xor	ecx, ecx
		mov	[ebp+var_A4], ecx
		mov	eax, [ebp+var_A0]
		cmp	dword ptr [eax+188h], offset _PspSystemQuotaBlock
		jnz	short loc_7D6304
		cmp	[ebp+var_4C], ecx
		jz	loc_8F593F
		cmp	[ebp+var_48], ecx
		jz	loc_8F593F

loc_7D6304:				; CODE XREF: PspSetQuotaLimits+122j
		cmp	[ebp+var_4C], ecx
		jz	loc_7D6432
		cmp	[ebp+var_48], ecx
		jz	loc_7D6432
		cmp	[ebp+var_4C], 0FFFFFFFFh
		jz	loc_7D6473

loc_7D6320:				; CODE XREF: PspSetQuotaLimits+2A9j
		mov	[ebp+var_98], cl
		lea	eax, [ebp+var_94]
		push	eax
		push	[ebp+arg_4]
		call	_PspSinglePrivCheck@16 ; PspSinglePrivCheck(x,x,x,x)
		mov	byte ptr [ebp+var_A8], al
		mov	[ebp+var_9A], bl
		xor	ecx, ecx

loc_7D6343:				; CODE XREF: PspSetQuotaLimits+2C1j
		mov	[ebp+var_96], cl
		mov	edi, [ebp+var_A0]
		mov	[ebp+var_B0], edi

loc_7D6355:				; CODE XREF: PspSetQuotaLimits+247j
		mov	[ebp+var_95], cl
		lea	eax, [ebp+var_6C]
		push	eax
		push	[ebp+var_A0]
		call	KeStackAttachProcess
		mov	eax, [ebp+var_AC]
		dec	word ptr [eax+13Eh]
		nop
		mov	edi, [edi+158h]
		test	edi, edi
		jz	short loc_7D63AC
		lea	eax, [edi+20h]
		push	ebx
		push	eax
		call	ExAcquireResourceExclusiveLite
		test	[edi+18Ch], bl
		jnz	loc_8F59C3

loc_7D6398:				; CODE XREF: PspSetQuotaLimits+11F80Aj
					; PspSetQuotaLimits+11F822j
		xor	edx, edx
		mov	ecx, offset dword_6BEF18
		call	ExAcquirePushLockExclusiveEx
		lea	ecx, [edi+20h]
		call	ExReleaseResourceLite

loc_7D63AC:				; CODE XREF: PspSetQuotaLimits+1B2j
		lea	eax, [ebp+var_99]
		push	eax
		push	esi
		push	[ebp+var_A8]
		push	0
		mov	edx, [ebp+var_48]
		mov	ecx, [ebp+var_4C]
		call	MmAdjustWorkingSetSizeEx
		mov	[ebp+var_A4], eax
		test	eax, eax
		js	loc_8F59F5

loc_7D63D5:				; CODE XREF: PspSetQuotaLimits+11F82Dj
					; PspSetQuotaLimits+11F840j
		test	edi, edi
		jz	short loc_7D63DE
		call	_PspUnlockWorkingSetChangeExclusiveUnsafe@0 ; PspUnlockWorkingSetChangeExclusiveUnsafe()

loc_7D63DE:				; CODE XREF: PspSetQuotaLimits+209j
		mov	ecx, [ebp+var_AC]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		lea	eax, [ebp+var_6C]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		cmp	[ebp+var_99], bl
		jz	loc_7D6494

loc_7D63FE:				; CODE XREF: PspSetQuotaLimits+2CDj
		mov	al, [ebp+var_96]

loc_7D6404:				; CODE XREF: PspSetQuotaLimits+2DBj
		mov	ecx, [ebp+var_B0]
		cmp	[ecx+158h], edi
		mov	edi, ecx
		push	0
		pop	ecx
		jnz	loc_7D6355
		cmp	[ebp+var_9A], bl
		jnz	short loc_7D6432
		lea	ecx, [ebp+var_94]
		push	ecx
		movzx	edx, al
		call	_PspSinglePrivCheckAudit@12 ; PspSinglePrivCheckAudit(x,x,x)

loc_7D6432:				; CODE XREF: PspSetQuotaLimits+139j
					; PspSetQuotaLimits+142j ...
		mov	edx, 79517350h
		mov	ecx, [ebp+var_A0]
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp+var_A4]

loc_7D6448:				; CODE XREF: PspSetQuotaLimits+F7j
					; PspSetQuotaLimits+11F7F0j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7D645A:				; CODE XREF: PspSetQuotaLimits+B5j
		test	cl, 8
		jz	loc_7D628B
		or	esi, 2
		jmp	loc_7D628B
; 

loc_7D646B:				; CODE XREF: PspSetQuotaLimits+ACj
		push	8

loc_7D646D:				; CODE XREF: PspSetQuotaLimits+2E2j
		pop	esi
		jmp	loc_7D6280
; 

loc_7D6473:				; CODE XREF: PspSetQuotaLimits+14Cj
		cmp	[ebp+var_48], 0FFFFFFFFh
		jnz	loc_7D6320
		mov	[ebp+var_98], bl
		mov	byte ptr [ebp+var_A8], cl
		mov	[ebp+var_9A], cl
		jmp	loc_7D6343
; 

loc_7D6494:				; CODE XREF: PspSetQuotaLimits+22Aj
		cmp	[ebp+var_95], 0
		jnz	loc_7D63FE
		mov	al, bl
		mov	[ebp+var_96], al
		jmp	loc_7D6404
; 

loc_7D64AE:				; CODE XREF: PspSetQuotaLimits+A3j
		push	4
		jmp	short loc_7D646D
PspSetQuotaLimits endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSinglePrivCheckAudit(x, x, x)
_PspSinglePrivCheckAudit@12 proc near	; CODE XREF: PspSetQuotaLimits+25Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	byte ptr [esi+24h], 0
		jz	short loc_7D64CC
		cmp	edx, 1
		jz	short loc_7D64D1

loc_7D64C6:				; CODE XREF: PspSinglePrivCheckAudit(x,x,x)+34j
		push	esi
		call	SeReleaseSubjectContext

loc_7D64CC:				; CODE XREF: PspSinglePrivCheckAudit(x,x,x)+Dj
		pop	esi
		pop	ebp
		retn	4
; 

loc_7D64D1:				; CODE XREF: PspSinglePrivCheckAudit(x,x,x)+12j
		movzx	eax, byte ptr [esi+25h]
		mov	edx, esi
		push	eax
		lea	eax, [esi+10h]
		mov	ecx, (offset loc_A405E7+1)
		push	eax
		call	_SePrivilegedServiceAuditAlarm@16 ; SePrivilegedServiceAuditAlarm(x,x,x,x)
		jmp	short loc_7D64C6
_PspSinglePrivCheckAudit@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSinglePrivCheck(x, x, x,	x)
_PspSinglePrivCheck@16 proc near	; CODE XREF: PspSetQuotaLimits+162p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[esi+24h], al
		test	al, al
		jz	short loc_7D656F
		mov	eax, large fs:124h
		push	ebx
		push	edi
		xor	ebx, ebx
		inc	ebx
		push	esi
		mov	[esi+10h], ebx
		mov	[esi+14h], ebx
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		mov	byte ptr [esi+25h], 0
		mov	[ebp+arg_4], eax

loc_7D652B:				; CODE XREF: PspSinglePrivCheck(x,x,x,x)+73j
		mov	ecx, dword ptr ds:(loc_A405D3+5)[eax]
		push	edi
		push	esi
		mov	eax, [ecx]
		mov	[esi+18h], eax
		mov	eax, [ecx+4]
		and	dword ptr [esi+20h], 0
		mov	[esi+1Ch], eax
		lea	eax, [esi+10h]
		push	eax
		call	_SePrivilegeCheck@12 ; SePrivilegeCheck(x,x,x)
		cmp	al, 1
		jz	short loc_7D656A
		mov	eax, [ebp+arg_4]
		add	eax, 4
		mov	[ebp+arg_4], eax
		cmp	eax, 8
		jb	short loc_7D652B
		mov	bl, [esi+25h]

loc_7D6560:				; CODE XREF: PspSinglePrivCheck(x,x,x,x)+85j
		pop	edi
		movzx	eax, bl
		pop	ebx

loc_7D6565:				; CODE XREF: PspSinglePrivCheck(x,x,x,x)+8Aj
		pop	esi
		pop	ebp
		retn	8
; 

loc_7D656A:				; CODE XREF: PspSinglePrivCheck(x,x,x,x)+65j
		mov	[esi+25h], bl
		jmp	short loc_7D6560
; 

loc_7D656F:				; CODE XREF: PspSinglePrivCheck(x,x,x,x)+11j
		xor	eax, eax
		inc	eax
		jmp	short loc_7D6565
_PspSinglePrivCheck@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiDereferenceSession()
_MiDereferenceSession@0	proc near	; CODE XREF: MmCleanProcessAddressSpace+209p
					; MiSessionCreate:loc_867307p ...
		mov	eax, large fs:124h
		or	ecx, 0FFFFFFFFh
		push	esi
		mov	esi, [eax+80h]
		mov	eax, [esi+180h]
		lock xadd [eax], ecx
		jz	short loc_7D65A0

loc_7D6590:				; CODE XREF: MiDereferenceSession()+31j
		mov	ecx, 0FFFEFFFFh
		lea	eax, [esi+0FCh]
		lock and [eax],	ecx
		pop	esi
		retn
; 

loc_7D65A0:				; CODE XREF: MiDereferenceSession()+1Aj
		call	MiDereferenceSessionFinal
		jmp	short loc_7D6590
_MiDereferenceSession@0	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspGetProcessProtectionRequirementsFromImage proc near ; CODE XREF: PAGE:007A2F8Fp
					; PspCreateProcess+AC972p

var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008F5A54 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	eax, [eax]
		mov	al, [eax+0Bh]
		and	al, 0F0h
		cmp	al, 50h
		jz	loc_8F5A54

loc_7D65C6:				; CODE XREF: PspGetProcessProtectionRequirementsFromImage+11F4DAj
		mov	bl, [ebp+arg_0]

loc_7D65C9:				; CODE XREF: PspGetProcessProtectionRequirementsFromImage+11F4B8j
					; PspGetProcessProtectionRequirementsFromImage+11F4C1j	...
		mov	[esi], bl
		xor	eax, eax
		pop	esi
		pop	ebx
		leave
		retn	4
PspGetProcessProtectionRequirementsFromImage endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueueApcThread(x,	x, x, x, x)
_NtQueueApcThread@20 proc near		; DATA XREF: .text:00580DCCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	0
		push	0
		push	[ebp+arg_0]
		call	_NtQueueApcThreadEx2@28	; NtQueueApcThreadEx2(x,x,x,x,x,x,x)
		pop	ebp
		retn	14h
_NtQueueApcThread@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueueApcThreadEx(x, x, x,	x, x, x)
_NtQueueApcThreadEx@24 proc near	; DATA XREF: .text:00580DC8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]
		xor	eax, eax
		cmp	[ebp+arg_4], 1
		push	[ebp+arg_10]
		setz	al
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	eax
		mov	eax, [ebp+arg_4]
		dec	eax
		neg	eax
		sbb	eax, eax
		and	eax, [ebp+arg_4]
		push	eax
		push	[ebp+arg_0]
		call	_NtQueueApcThreadEx2@28	; NtQueueApcThreadEx2(x,x,x,x,x,x,x)
		pop	ebp
		retn	18h
_NtQueueApcThreadEx@24 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1756. PsDereferenceImpersonationToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsDereferenceImpersonationToken(x)
		public _PsDereferenceImpersonationToken@4
_PsDereferenceImpersonationToken@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_7D663F
		call	ObfDereferenceObject

loc_7D663F:				; CODE XREF: PsDereferenceImpersonationToken(x)+Aj
		pop	ebp
		retn	4
_PsDereferenceImpersonationToken@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetJobLimitsJobPreCallback proc near	; DATA XREF: sub_759647+603o
					; sub_759647+17A3ECo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F5A87 SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		mov	edx, esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	PspSetEffectiveJobLimits
		test	byte ptr [esi+4], 1
		jz	loc_8F5A87

loc_7D6664:				; CODE XREF: PspSetJobLimitsJobPreCallback+11F445j
					; PspSetJobLimitsJobPreCallback+11F465j
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	8
PspSetJobLimitsJobPreCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetEffectiveJobLimits proc near	; CODE XREF: PspEstablishJobHierarchy+178p
					; PspSetJobLimitsJobPreCallback+11p

var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F5AAE SIZE 00000133 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], edx
		lea	edi, [ebp+var_18]
		mov	ebx, ecx
		stosd
		push	10h
		pop	ecx
		mov	esi, [ebx+244h]
		stosd
		mov	[ebp+var_8], esi
		stosd
		mov	edi, edx
		call	_PspSetEffectiveLimit@8	; PspSetEffectiveLimit(x,x)
		xor	edx, edx
		xor	ecx, ecx
		inc	edx
		test	al, al
		jnz	loc_7D6749

loc_7D66A4:				; CODE XREF: PspSetEffectiveJobLimits+109j
					; PspSetEffectiveJobLimits+11F4A0j
		push	20h
		mov	edx, edi
		pop	ecx
		call	_PspSetEffectiveLimit@8	; PspSetEffectiveLimit(x,x)
		test	al, al
		jnz	loc_7D677A

loc_7D66B6:				; CODE XREF: PspSetEffectiveJobLimits+12Fj
		mov	edx, edi
		mov	ecx, 80h
		call	_PspSetEffectiveLimit@8	; PspSetEffectiveLimit(x,x)
		test	al, al
		jnz	loc_7D67A0

loc_7D66CA:				; CODE XREF: PspSetEffectiveJobLimits+154j
					; PspSetEffectiveJobLimits+11F4EDj
		xor	ecx, ecx
		mov	edx, edi
		inc	ecx
		call	_PspSetEffectiveLimit@8	; PspSetEffectiveLimit(x,x)
		test	al, al
		jnz	loc_7D67C5

loc_7D66DC:				; CODE XREF: PspSetEffectiveJobLimits+186j
					; PspSetEffectiveJobLimits+11F51Fj
		mov	edx, edi
		mov	ecx, 100h
		call	_PspSetEffectiveLimit@8	; PspSetEffectiveLimit(x,x)
		test	al, al
		jnz	short loc_7D6717

loc_7D66EC:				; CODE XREF: PspSetEffectiveJobLimits+DBj
					; PspSetEffectiveJobLimits+205j
		push	2
		mov	edx, edi
		pop	ecx
		call	_PspSetEffectiveLimit@8	; PspSetEffectiveLimit(x,x)
		test	al, al
		jnz	loc_7D67F7

loc_7D66FE:				; CODE XREF: PspSetEffectiveJobLimits+1C4j
					; PspSetEffectiveJobLimits+11F570j
		mov	ecx, [ebx+0B0h]
		mov	[ebx+18Ch], ecx
		test	esi, esi
		jnz	loc_7D6835

loc_7D6712:				; CODE XREF: PspSetEffectiveJobLimits+1D7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7D6717:				; CODE XREF: PspSetEffectiveJobLimits+7Ej
		test	esi, esi
		jz	loc_7D6848
		mov	ecx, [esi+178h]
		mov	edx, [esi+17Ch]

loc_7D672B:				; CODE XREF: PspSetEffectiveJobLimits+1E2j
		test	dword ptr [ebx+0B0h], 100h
		jnz	loc_7D6853

loc_7D673B:				; CODE XREF: PspSetEffectiveJobLimits+1F3j
		mov	[ebx+178h], ecx
		mov	[ebx+17Ch], edx
		jmp	short loc_7D66EC
; 

loc_7D6749:				; CODE XREF: PspSetEffectiveJobLimits+32j
		test	byte ptr [ebx+0B0h], 10h
		jnz	loc_8F5AAE
		lea	eax, [ebx+15Ch]
		test	esi, esi
		jz	loc_8F5AFF
		add	esi, 15Ch
		mov	edi, eax

loc_7D676C:				; CODE XREF: PspSetEffectiveJobLimits+11F47Dj
					; PspSetEffectiveJobLimits+11F48Ej
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_8]
		mov	edi, [ebp+var_4]
		jmp	loc_7D66A4
; 

loc_7D677A:				; CODE XREF: PspSetEffectiveJobLimits+44j
		test	esi, esi
		jz	loc_8F5B11
		mov	dl, [esi+1A4h]

loc_7D6788:				; CODE XREF: PspSetEffectiveJobLimits+11F4A7j
		test	byte ptr [ebx+0B0h], 20h
		jnz	loc_8F5B18

loc_7D6795:				; CODE XREF: PspSetEffectiveJobLimits+11F4C4j
					; PspSetEffectiveJobLimits+11F4CCj
		mov	[ebx+1A4h], dl
		jmp	loc_7D66B6
; 

loc_7D67A0:				; CODE XREF: PspSetEffectiveJobLimits+58j
		test	esi, esi
		jz	loc_8F5B3D
		mov	eax, [esi+190h]

loc_7D67AE:				; CODE XREF: PspSetEffectiveJobLimits+11F4D4j
		test	[ebx+0B0h], cl
		jnz	loc_8F5B45

loc_7D67BA:				; CODE XREF: PspSetEffectiveJobLimits+11F4E1j
		mov	[ebx+190h], eax
		jmp	loc_7D66CA
; 

loc_7D67C5:				; CODE XREF: PspSetEffectiveJobLimits+6Aj
		test	esi, esi
		jz	loc_8F5B5E
		mov	ecx, [esi+170h]
		mov	eax, [esi+174h]

loc_7D67D9:				; CODE XREF: PspSetEffectiveJobLimits+11F4F6j
		test	byte ptr [ebx+0B0h], 1
		jnz	loc_8F5B67

loc_7D67E6:				; CODE XREF: PspSetEffectiveJobLimits+11F507j
		mov	[ebx+174h], eax
		mov	[ebx+170h], ecx
		jmp	loc_7D66DC
; 

loc_7D67F7:				; CODE XREF: PspSetEffectiveJobLimits+8Cj
		test	esi, esi
		jz	loc_8F5B90
		mov	ecx, [esi+168h]
		mov	edx, [esi+16Ch]
		mov	edi, [esi+180h]

loc_7D6811:				; CODE XREF: PspSetEffectiveJobLimits+11F52Aj
		test	byte ptr [ebx+0B0h], 2
		jnz	loc_8F5B9B

loc_7D681E:				; CODE XREF: PspSetEffectiveJobLimits+11F552j
		mov	[ebx+168h], ecx
		mov	[ebx+16Ch], edx
		mov	[ebx+180h], edi
		jmp	loc_7D66FE
; 

loc_7D6835:				; CODE XREF: PspSetEffectiveJobLimits+A0j
		mov	eax, [esi+18Ch]
		or	eax, ecx
		mov	[ebx+18Ch], eax
		jmp	loc_7D6712
; 

loc_7D6848:				; CODE XREF: PspSetEffectiveJobLimits+ADj
		xor	eax, eax
		mov	ecx, eax
		mov	edx, eax
		jmp	loc_7D672B
; 

loc_7D6853:				; CODE XREF: PspSetEffectiveJobLimits+C9j
		mov	eax, [ebx+148h]
		cmp	eax, ecx
		jb	short loc_7D6865
		test	ecx, ecx
		jnz	loc_7D673B

loc_7D6865:				; CODE XREF: PspSetEffectiveJobLimits+1EFj
		mov	[ebx+178h], eax
		mov	[ebx+17Ch], ebx
		jmp	loc_7D66EC
PspSetEffectiveJobLimits endp


;  S U B	R O U T	I N E 


; __stdcall PspSetEffectiveLimit(x, x)
_PspSetEffectiveLimit@8	proc near	; CODE XREF: PspSetEffectiveJobLimits+26p
					; PspSetEffectiveJobLimits+3Dp	...
		test	edx, edx
		jz	short loc_7D688C
		mov	eax, [edx]
		test	[eax+0B0h], ecx
		jnz	short loc_7D688C
		test	[edx+8], ecx
		jnz	short loc_7D688C
		xor	al, al
		retn
; 

loc_7D688C:				; CODE XREF: PspSetEffectiveLimit(x,x)+2j
					; PspSetEffectiveLimit(x,x)+Cj	...
		mov	al, 1
		retn
_PspSetEffectiveLimit@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspHardenMitigationOptions(x)
_PspHardenMitigationOptions@4 proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+13F7p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		lea	edi, [esp+48h+var_38]
		push	6
		pop	ecx
		mov	esi, eax
		mov	[esp+48h+var_3C], eax
		rep movsd
		lea	edx, [esp+48h+var_38]
		mov	esi, offset _PspHardenedMitigationOptionsMap
		xor	ecx, ecx

loc_7D68C5:				; CODE XREF: PspHardenMitigationOptions(x)+41j
		mov	eax, [edx+ecx*4]
		cmp	eax, [esi+ecx*4]
		jnz	short loc_7D68D8
		inc	ecx
		cmp	ecx, 6
		jnz	short loc_7D68C5
		jmp	loc_7D69D2
; 

loc_7D68D8:				; CODE XREF: PspHardenMitigationOptions(x)+3Bj
		mov	edx, [esp+48h+var_38]
		mov	al, dl
		mov	ebx, [esp+48h+var_34]
		and	al, 3
		cmp	al, 1
		jz	short loc_7D68F6
		and	edx, 0FFFFFFFDh
		mov	[esp+48h+var_34], ebx
		or	edx, 1
		mov	[esp+48h+var_38], edx

loc_7D68F6:				; CODE XREF: PspHardenMitigationOptions(x)+56j
		mov	ecx, edx
		mov	eax, ebx
		shrd	ecx, eax, 8
		and	cl, 3
		cmp	cl, 3
		jz	short loc_7D6914
		or	edx, 300h
		mov	[esp+48h+var_34], ebx
		mov	[esp+48h+var_38], edx

loc_7D6914:				; CODE XREF: PspHardenMitigationOptions(x)+74j
		mov	ecx, edx
		mov	eax, ebx
		shrd	ecx, eax, 0Ch
		and	cl, 3
		cmp	cl, 1
		jz	short loc_7D6938
		and	edx, 0FFFFDFFFh
		mov	[esp+48h+var_34], ebx
		or	edx, 1000h
		mov	[esp+48h+var_38], edx

loc_7D6938:				; CODE XREF: PspHardenMitigationOptions(x)+92j
		mov	ecx, edx
		mov	eax, ebx
		shrd	ecx, eax, 4
		and	cl, 3
		cmp	cl, 1
		jz	short loc_7D6956
		and	edx, 0FFFFFFDFh
		mov	[esp+48h+var_34], ebx
		or	edx, 10h
		mov	[esp+48h+var_38], edx

loc_7D6956:				; CODE XREF: PspHardenMitigationOptions(x)+B6j
		mov	ecx, edx
		mov	eax, ebx
		shrd	ecx, eax, 10h
		and	cl, 3
		cmp	cl, 1
		jz	short loc_7D697A
		and	edx, 0FFFDFFFFh
		mov	[esp+48h+var_34], ebx
		or	edx, 10000h
		mov	[esp+48h+var_38], edx

loc_7D697A:				; CODE XREF: PspHardenMitigationOptions(x)+D4j
		mov	ecx, edx
		mov	eax, ebx
		shrd	ecx, eax, 14h
		and	cl, 3
		cmp	cl, 1
		jz	short loc_7D69C5
		cmp	cl, 2
		jz	short loc_7D69C5
		push	6
		pop	ecx
		mov	esi, offset _PspSystemMitigationOptions
		lea	edi, [esp+48h+var_1C]
		rep movsd
		mov	ecx, [esp+48h+var_1C]
		mov	eax, [esp+48h+var_18]
		shrd	ecx, eax, 14h
		and	cl, 3
		cmp	cl, 2
		jz	short loc_7D69C5
		and	edx, 0FFDFFFFFh
		mov	[esp+48h+var_34], ebx
		or	edx, 100000h
		mov	[esp+48h+var_38], edx

loc_7D69C5:				; CODE XREF: PspHardenMitigationOptions(x)+F8j
					; PspHardenMitigationOptions(x)+FDj ...
		mov	edi, [esp+48h+var_3C]
		lea	esi, [esp+48h+var_38]
		push	6
		pop	ecx
		rep movsd

loc_7D69D2:				; CODE XREF: PspHardenMitigationOptions(x)+43j
		mov	ecx, [esp+48h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PspHardenMitigationOptions@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 400. ExQueryFastCacheDevLicense

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExQueryFastCacheDevLicense
ExQueryFastCacheDevLicense proc	near	; CODE XREF: SepIsLockedDown(x,x):loc_9D83A5p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	42h
		pop	eax
		push	44h
		mov	word ptr [ebp+var_C], ax
		lea	edx, [ebp+var_4]
		pop	eax
		lea	ecx, [ebp+var_C]
		mov	word ptr [ebp+var_C+2],	ax
		mov	[ebp+var_8], offset ??_C@_1EE@BPAKLPIP@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAD?$AAe?$AAv?$AAe?$AAl?$AAo?$AAp?$AAm?$AAe?$AAn@NNGAKEGL@
		mov	[ebp+var_4], 0FFFFh
		call	KIsUnlockSettingEnabled
		test	eax, eax
		js	short loc_7D6A27
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_4], eax
		jnz	short loc_7D6A27
		leave
		retn
; 

loc_7D6A27:				; CODE XREF: ExQueryFastCacheDevLicense+31j
					; ExQueryFastCacheDevLicense+39j
		xor	al, al
		leave
		retn
ExQueryFastCacheDevLicense endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KIsUnlockSettingEnabled	proc near	; CODE XREF: ExQueryFastCacheDevLicense+2Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F5BE1 SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+30h+var_8], (offset loc_960093+1)
		push	74h
		mov	[esp+34h+var_20], eax
		mov	edi, edx
		mov	[esp+34h+var_1C], eax
		mov	ebx, ecx
		mov	[esp+34h+var_18], eax
		mov	edx, offset ??_C@_1HG@FBAFABN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		mov	[esp+34h+var_14], eax
		mov	ecx, offset ??_C@_1BK@IJBLJGGE@?$AAA?$AAp?$AAp?$AAx?$AAP?$AAo?$AAl?$AAi?$AAc?$AAi?$AAe?$AAs@NNGAKEGL@ ;	"AppxPolicies"
		pop	eax
		push	76h
		mov	word ptr [esp+34h+var_10], ax
		pop	eax
		mov	word ptr [esp+30h+var_10+2], ax
		lea	eax, [esp+30h+var_18]
		push	eax
		mov	[esp+34h+var_4], offset	??_C@_1JG@FCMCEFGE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		mov	[esp+34h+var_C], edx
		mov	dword ptr [edi], 0FFFFh
		call	KGetAppModelStateSeparatedRegKeyPath
		mov	esi, eax
		test	esi, esi
		js	short loc_7D6AF8
		push	edi
		mov	edx, ebx
		lea	ecx, [esp+34h+var_18]
		call	KGetUnlockSetting
		mov	esi, eax
		test	esi, esi
		js	short loc_7D6AF8
		call	_CmIsStateSeparationEnabled@0 ;	CmIsStateSeparationEnabled()
		test	al, al
		jnz	loc_8F5BE1

loc_7D6AB3:				; CODE XREF: KIsUnlockSettingEnabled+11F1BBj
					; KIsUnlockSettingEnabled+11F1CFj
		test	esi, esi
		js	short loc_7D6AF8
		cmp	dword ptr [edi], 0FFFFh
		jnz	short loc_7D6AF8
		lea	eax, [esp+30h+var_20]
		mov	edx, offset ??_C@_1JG@FCMCEFGE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax
		mov	ecx, offset ??_C@_1BO@MGAGFEKD@?$AAA?$AAp?$AAp?$AAM?$AAo?$AAd?$AAe?$AAl?$AAU?$AAn?$AAl?$AAo?$AAc?$AAk@NNGAKEGL@	; "AppModelUnlock"
		call	KGetAppModelStateSeparatedRegKeyPath
		mov	esi, eax
		test	esi, esi
		js	short loc_7D6AF8
		push	edi
		mov	edx, ebx
		lea	ecx, [esp+34h+var_20]
		call	KGetUnlockSetting
		mov	esi, eax
		test	esi, esi
		js	short loc_7D6AF8
		call	_CmIsStateSeparationEnabled@0 ;	CmIsStateSeparationEnabled()
		test	al, al
		jnz	loc_8F5C00

loc_7D6AF8:				; CODE XREF: KIsUnlockSettingEnabled+66j
					; KIsUnlockSettingEnabled+78j ...
		lea	ecx, [esp+30h+var_20]
		call	_AppModelFreeUnicodeString@4 ; AppModelFreeUnicodeString(x)
		lea	ecx, [esp+30h+var_18]
		call	_AppModelFreeUnicodeString@4 ; AppModelFreeUnicodeString(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
KIsUnlockSettingEnabled	endp

; 
		align 8
; Exported entry 2224. RtlIsStateSeparationEnabled
; [00000005 BYTES: COLLAPSED FUNCTION RtlIsStateSeparationEnabled(). PRESS KEYPAD "+" TO EXPAND]
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KGetUnlockSetting proc near		; CODE XREF: KIsUnlockSettingEnabled+6Fp
					; KIsUnlockSettingEnabled+B4p ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F5C1F SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_40], 18h
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	20119h
		lea	eax, [ebp+var_24]
		mov	[ebp+var_34], 240h
		push	eax
		mov	[ebp+var_38], ecx
		call	ds:__imp__ZwOpenKey@12 ; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D6BBC
		lea	eax, [ebp+var_28]
		push	eax
		push	18h
		lea	eax, [ebp+var_20]
		push	eax
		push	2
		push	ebx
		push	[ebp+var_24]
		call	ds:__imp__ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D6BB3
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		inc	ecx
		test	eax, eax
		jz	short loc_7D6BA1
		cmp	eax, ecx
		jnz	loc_8F5C1F

loc_7D6BA1:				; CODE XREF: KGetUnlockSetting+79j
					; KGetUnlockSetting+11F106j ...
		cmp	[ebp+var_1C], 4
		jnz	short loc_7D6BDF
		cmp	[ebp+var_18], 4
		jb	short loc_7D6BDF
		test	cl, cl
		jz	short loc_7D6BDF
		mov	[edi], eax

loc_7D6BB3:				; CODE XREF: KGetUnlockSetting+6Fj
					; KGetUnlockSetting+C7j
		push	[ebp+var_24]
		call	ds:__imp__ZwClose@4 ; ZwClose(x)

loc_7D6BBC:				; CODE XREF: KGetUnlockSetting+53j
		cmp	esi, 0C0000034h
		jnz	short loc_7D6BCC
		mov	dword ptr [edi], 0FFFFh
		xor	esi, esi

loc_7D6BCC:				; CODE XREF: KGetUnlockSetting+A4j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7D6BDF:				; CODE XREF: KGetUnlockSetting+87j
					; KGetUnlockSetting+8Dj ...
		mov	dword ptr [edi], 0FFFFh
		jmp	short loc_7D6BB3
KGetUnlockSetting endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ObCheckActiveHandles(x)
_ObCheckActiveHandles@4	proc near	; CODE XREF: MiFinishCreateSection+1B0p
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		lea	edi, [esi-10h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [esi-14h]
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	esi, esi
		pop	edi
		setnz	al
		pop	esi
		retn
_ObCheckActiveHandles@4	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2281. RtlPinAtomInAtomTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlPinAtomInAtomTable
RtlPinAtomInAtomTable proc near

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F5C31 SIZE 00000017 BYTES
; FUNCTION CHUNK AT 008F5C5C SIZE 00000008 BYTES

		push	10h
		push	offset dword_6A41A8
		call	__SEH_prolog4
		mov	ecx, [ebp+arg_0]
		call	_RtlpLockAtomTable@4 ; RtlpLockAtomTable(x)
		test	al, al
		jz	loc_8F5C31
		and	[ebp+ms_exc.disabled], 0
		mov	esi, 0C0000008h
		mov	[ebp+var_1C], esi
		mov	eax, 0C000h
		mov	edi, [ebp+arg_4]
		cmp	di, ax
		jb	loc_8F5C3B
		mov	edx, edi
		and	edx, 3FFFh
		mov	ecx, [ebp+arg_0]
		call	_RtlpAtomMapAtomToHandleEntry@8	; RtlpAtomMapAtomToHandleEntry(x,x)
		test	eax, eax
		jz	short loc_7D6C91
		cmp	[eax+6], di
		jnz	short loc_7D6C91
		push	0
		mov	edx, eax
		mov	ecx, [ebp+arg_0]
		call	_RtlpLookupLowBox@12 ; RtlpLookupLowBox(x,x,x)
		test	eax, eax
		jz	short loc_7D6C91
		xor	esi, esi
		mov	[ebp+var_1C], esi
		or	word ptr [eax+0Eh], 1

loc_7D6C91:				; CODE XREF: RtlPinAtomInAtomTable+4Bj
					; RtlPinAtomInAtomTable+51j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+arg_0]
		add	edi, 8
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7D6CCB

loc_7D6CAB:				; CODE XREF: RtlPinAtomInAtomTable+AEj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, esi

loc_7D6CB9:				; CODE XREF: RtlPinAtomInAtomTable+11F012j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7D6CCB:				; CODE XREF: RtlPinAtomInAtomTable+85j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7D6CAB
RtlPinAtomInAtomTable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtEnergyContextProcessStateUpdate(x)
_PopEtEnergyContextProcessStateUpdate@4	proc near
					; CODE XREF: PoEnergyContextUpdateComponentPower(x,x,x,x)+591p
					; PopEtEnergyContextSetState(x,x)+13Bp

var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1D0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	edi, ecx
		lea	eax, [ebp+var_1B8]
		push	1B0h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, [edi+3E0h]
		call	_memset
		add	esp, 0Ch
		lea	edx, [ebp+var_1B8]
		inc	dword ptr [esi+1C4h]
		mov	ecx, edi
		call	_PsQueryProcessEnergyValues@8 ;	PsQueryProcessEnergyValues(x,x)
		and	[ebp+var_1C8], 0
		lea	eax, [ebp+var_1B8]
		and	[ebp+var_1C0], 0
		lea	edx, [ebp+var_1CC]
		mov	[ebp+var_1CC], 3
		mov	[ebp+var_1BC], eax
		mov	[ebp+var_1C4], edi
		call	PopEtEnumEnergyTrackers
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopEtEnergyContextProcessStateUpdate@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopBootStatSet	proc near		; CODE XREF: PopPowerInformationInternal+36Bp

var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008F5C64 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 008F5C88 SIZE 00000018 BYTES

		push	40h
		push	offset dword_6A41C8
		call	__SEH_prolog4
		mov	[ebp+var_48], edx
		mov	[ebp+var_24], ecx
		xor	ebx, ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_28], ebx
		mov	edi, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1B], bl
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	[ebp+var_1A], al
		test	al, al
		jnz	loc_7D6EB5
		mov	edi, [ecx+0Ch]
		mov	[ebp+var_30], edi

loc_7D6DA8:				; CODE XREF: PopBootStatSet+202j
		mov	[ebp+var_1B], 1
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		mov	ecx, offset _PopBootStatLock
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlLockBootStatusData@4 ; RtlLockBootStatusData(x)
		mov	esi, eax
		test	esi, esi
		js	loc_7D6E65
		mov	al, [ebp+var_19]
		test	al, al
		jnz	loc_7D6F67

loc_7D6DDB:				; CODE XREF: PopBootStatSet+217j
		mov	eax, ebx

loc_7D6DDD:				; CODE XREF: PopBootStatSet+100j
		mov	[ebp+var_2C], eax
		mov	ecx, [ebp+var_24]
		cmp	eax, [ecx+8]
		jnb	short loc_7D6E65
		imul	eax, 0Ch
		add	eax, edi
		mov	[ebp+var_3C], eax
		lea	ecx, [ebp+var_28]
		push	ecx
		lea	edx, [ebp+var_34]
		mov	ecx, [eax]
		call	_RtlBootStatusItemInfo@12 ; RtlBootStatusItemInfo(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D6E65
		mov	esi, [ebp+var_3C]
		mov	ecx, [ebp+var_28]
		cmp	[esi+8], ecx
		jb	loc_8F5C88
		mov	eax, [ebp+var_34]
		lea	eax, _PopBootStat[eax]
		mov	[ebp+var_3C], eax
		mov	[ebp+ms_exc.disabled], 1
		push	ecx		; size_t
		push	dword ptr [esi+4] ; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [ebp+var_38]
		push	eax
		push	[ebp+var_28]
		push	[ebp+var_3C]
		push	dword ptr [esi]
		push	ebx
		push	[ebp+var_20]
		call	RtlGetSetBootStatusData
		mov	esi, eax
		mov	edx, [ebp+var_48]
		test	edx, edx
		jnz	loc_8F5C92

loc_7D6E5C:				; CODE XREF: PopBootStatSet+11EF3Bj
		mov	eax, [ebp+var_2C]
		inc	eax
		jmp	loc_7D6DDD
; 

loc_7D6E65:				; CODE XREF: PopBootStatSet+6Aj
					; PopBootStatSet+86j ...
		cmp	[ebp+var_20], 0
		jz	short loc_7D6E73
		push	[ebp+var_20]
		call	_RtlUnlockBootStatusData@4 ; RtlUnlockBootStatusData(x)

loc_7D6E73:				; CODE XREF: PopBootStatSet+109j
		cmp	[ebp+var_1B], 0
		jz	short loc_7D6E99
		or	eax, 0FFFFFFFFh
		mov	ecx, offset _PopBootStatLock
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7D6F96

loc_7D6E8F:				; CODE XREF: PopBootStatSet+240j
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_7D6E99:				; CODE XREF: PopBootStatSet+117j
		cmp	[ebp+var_19], 0
		jnz	loc_7D6F82

loc_7D6EA3:				; CODE XREF: PopBootStatSet+224j
					; PopBootStatSet+231j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7D6EB5:				; CODE XREF: PopBootStatSet+3Cj
		mov	eax, [ecx+8]
		push	0Ch
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_2C]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D6E65
		push	206D654Dh
		mov	esi, [ebp+var_2C]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_30], edi
		test	edi, edi
		jz	loc_8F5C64
		mov	[ebp+ms_exc.disabled], ebx
		test	esi, esi
		jz	short loc_7D6F18
		mov	eax, [ebp+var_24]
		mov	eax, [eax+0Ch]
		test	al, 3
		jnz	loc_7D6FA5
		lea	edx, [eax+esi]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	loc_8F5C6E
		cmp	edx, eax
		jb	loc_8F5C6E

loc_7D6F18:				; CODE XREF: PopBootStatSet+18Fj
					; PopBootStatSet+11EF10j
		push	esi		; size_t
		mov	esi, [ebp+var_24]
		push	dword ptr [esi+0Ch] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, ebx

loc_7D6F2A:				; CODE XREF: PopBootStatSet+1F9j
		mov	[ebp+var_40], eax
		cmp	eax, [esi+8]
		jnb	short loc_7D6F5B
		imul	ecx, eax, 0Ch
		add	ecx, edi
		mov	[ebp+var_50], ecx
		mov	edx, [ecx+8]
		test	edx, edx
		jz	short loc_7D6F58
		mov	ecx, [ecx+4]
		mov	[ebp+var_3C], ecx
		add	edx, ecx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_7D6FAA
		cmp	edx, [ebp+var_3C]
		jb	short loc_7D6FAA

loc_7D6F58:				; CODE XREF: PopBootStatSet+1DFj
					; PopBootStatSet+24Cj
		inc	eax
		jmp	short loc_7D6F2A
; 

loc_7D6F5B:				; CODE XREF: PopBootStatSet+1D0j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7D6DA8
; 

loc_7D6F67:				; CODE XREF: PopBootStatSet+75j
		push	2
		mov	dl, al
		mov	ecx, [ebp+var_20]
		call	_PopBootStatAccessCheck@12 ; PopBootStatAccessCheck(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_7D6DDB
		jmp	loc_7D6E65
; 

loc_7D6F82:				; CODE XREF: PopBootStatSet+13Dj
		test	edi, edi
		jz	loc_7D6EA3
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7D6EA3
; 

loc_7D6F96:				; CODE XREF: PopBootStatSet+129j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset _PopBootStatLock
		jmp	loc_7D6E8F
; 

loc_7D6FA5:				; CODE XREF: PopBootStatSet+199j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7D6FAA:				; CODE XREF: PopBootStatSet+1F1j
					; PopBootStatSet+1F6j
		mov	[ecx], bl
		jmp	short loc_7D6F58
PopBootStatSet	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2139. RtlGetSetBootStatusData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlGetSetBootStatusData
RtlGetSetBootStatusData	proc near	; CODE XREF: PopBootStatSet+EAp
					; PopBootStatGet+167p

var_BE		= byte ptr -0BEh
var_BD		= dword	ptr -0BDh
var_B8		= dword	ptr -0B8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008F5CCB SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0C4h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_C]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_14]
		push	edi
		mov	edi, [ebp+arg_0]
		push	0B0h		; size_t
		push	eax		; int
		mov	byte ptr [esp+0D8h+var_BD], al
		mov	[esp+0D8h+var_BD+1], eax
		lea	eax, [esp+0D8h+var_B8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+arg_4], 0
		jnz	loc_7D70B8
		cmp	[ebp+arg_8], 0Fh
		jz	loc_8F5CCB
		push	0		; int
		push	1		; int
		lea	eax, [esp+1Bh]
		mov	dl, 1
		push	eax		; void *
		push	0Fh		; int
		mov	ecx, edi
		call	RtlpGetSetBootStatusData
		test	eax, eax
		js	short loc_7D70A1
		push	0		; int
		push	0B0h		; int
		lea	eax, [esp+0D8h+var_B8]
		mov	dl, 1
		push	eax		; void *
		push	[ebp+arg_8]	; int
		mov	ecx, edi
		call	RtlpGetSetBootStatusData
		test	eax, eax
		js	short loc_7D70A1
		lea	eax, [esp+0D0h+var_BD+1]
		xor	dl, dl
		push	eax		; int
		push	[ebp+arg_10]	; int
		mov	ecx, edi
		push	ebx		; void *
		push	[ebp+arg_8]	; int
		call	RtlpGetSetBootStatusData
		test	eax, eax
		js	short loc_7D70A1
		mov	ecx, [esp+0D0h+var_BD+1]
		test	esi, esi
		jz	short loc_7D7064
		mov	[esi], ecx

loc_7D7064:				; CODE XREF: RtlGetSetBootStatusData+ACj
		mov	al, byte ptr [esp+0D0h+var_BD]
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_7D707B

loc_7D706E:				; CODE XREF: RtlGetSetBootStatusData+C1j
		add	al, byte ptr [esp+edx+0D0h+var_B8]
		inc	edx
		cmp	edx, ecx
		jb	short loc_7D706E
		mov	byte ptr [esp+0D0h+var_BD], al

loc_7D707B:				; CODE XREF: RtlGetSetBootStatusData+B8j
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_7D708D

loc_7D7081:				; CODE XREF: RtlGetSetBootStatusData+D3j
		sub	al, [ebx+edx]
		inc	edx
		cmp	edx, ecx
		jb	short loc_7D7081
		mov	byte ptr [esp+0D0h+var_BD], al

loc_7D708D:				; CODE XREF: RtlGetSetBootStatusData+CBj
		push	0		; int
		push	1		; int
		lea	eax, [esp+0D8h+var_BD]
		xor	dl, dl
		push	eax		; void *
		push	0Fh		; int

loc_7D709A:				; CODE XREF: RtlGetSetBootStatusData+10Ej
		mov	ecx, edi
		call	RtlpGetSetBootStatusData

loc_7D70A1:				; CODE XREF: RtlGetSetBootStatusData+6Fj
					; RtlGetSetBootStatusData+8Bj ...
		mov	ecx, [esp+0D0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7D70B8:				; CODE XREF: RtlGetSetBootStatusData+49j
		push	esi
		push	[ebp+arg_10]
		mov	dl, 1
		push	ebx
		push	[ebp+arg_8]
		jmp	short loc_7D709A
RtlGetSetBootStatusData	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpGetSetBootStatusData(int,void *,int,int)
RtlpGetSetBootStatusData proc near	; CODE XREF: RtlGetSetBootStatusData+68p
					; RtlGetSetBootStatusData+84p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F5CD5 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_1], dl
		push	edi
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], edi
		push	eax
		push	4
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], edi
		push	eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20], edi
		push	eax
		push	edi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_1C], edi
		push	edi
		push	ebx
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7D719B
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_18]
		call	_RtlBootStatusItemInfo@12 ; RtlBootStatusItemInfo(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D719B
		mov	ecx, [ebp+var_18]
		xor	eax, eax
		mov	[ebp+var_14], edi
		mov	edi, [ebp+var_8]
		mov	edx, edi
		add	edx, ecx
		adc	eax, eax
		test	eax, eax
		jb	short loc_7D7147
		ja	loc_8F5CD5
		cmp	edx, [ebp+var_C]
		ja	loc_8F5CD5

loc_7D7147:				; CODE XREF: RtlpGetSetBootStatusData+72j
		cmp	[ebp+arg_8], edi
		jb	loc_8F5CDF
		cmp	[ebp+var_1], 0
		jz	short loc_7D71A2
		cmp	_BootStatFileHandleAcquired, 0
		jz	loc_8F5CE9
		cmp	_BootStatFileHandle, ebx
		jnz	loc_8F5CE9
		mov	eax, _BootStatDataCache
		test	eax, eax
		jz	loc_8F5CE9
		push	edi		; size_t
		add	eax, ecx
		mov	[ebp+var_1C], edi
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_7D718E:				; CODE XREF: RtlpGetSetBootStatusData+148j
					; RtlpGetSetBootStatusData+11EC3Fj
		test	esi, esi
		js	short loc_7D7199
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jnz	short loc_7D720E

loc_7D7199:				; CODE XREF: RtlpGetSetBootStatusData+CCj
					; RtlpGetSetBootStatusData+14Fj
		mov	eax, esi

loc_7D719B:				; CODE XREF: RtlpGetSetBootStatusData+44j
					; RtlpGetSetBootStatusData+5Dj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7D71A2:				; CODE XREF: RtlpGetSetBootStatusData+90j
		cmp	_BootStatFileHandleAcquired, 0
		jz	short loc_7D71CB
		cmp	_BootStatFileHandle, ebx
		jnz	short loc_7D71CB
		mov	eax, _BootStatDataCache
		test	eax, eax
		jz	short loc_7D71CB
		push	edi		; size_t
		push	[ebp+arg_4]	; void *
		add	eax, ecx
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_7D71CB:				; CODE XREF: RtlpGetSetBootStatusData+E5j
					; RtlpGetSetBootStatusData+EDj	...
		xor	ecx, ecx
		lea	eax, [ebp+var_18]
		push	ecx
		push	eax
		push	edi
		push	[ebp+arg_4]
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	ebx
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D71FE
		cmp	_BootStatDisableFlush, 0
		jnz	short loc_7D71FE
		lea	eax, [ebp+var_28]
		push	eax
		push	ebx
		call	_ZwFlushBuffersFile@8 ;	ZwFlushBuffersFile(x,x)
		mov	esi, eax

loc_7D71FE:				; CODE XREF: RtlpGetSetBootStatusData+123j
					; RtlpGetSetBootStatusData+12Cj
		mov	edx, [ebp+arg_4]
		mov	cl, 1
		push	edi
		push	[ebp+var_18]
		call	_RtlpRecordBootStatusData@16 ; RtlpRecordBootStatusData(x,x,x,x)
		jmp	short loc_7D718E
; 

loc_7D720E:				; CODE XREF: RtlpGetSetBootStatusData+D3j
		mov	eax, [ebp+var_1C]
		mov	[ecx], eax
		jmp	short loc_7D7199
RtlpGetSetBootStatusData endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlBootStatusItemInfo(x, x,	x)
_RtlBootStatusItemInfo@12 proc near	; CODE XREF: PopBootStatSet+99p
					; RtlpGetSetBootStatusData+54p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ecx, ecx
		js	short loc_7D723F
		cmp	ecx, 12h
		jnb	short loc_7D723F
		mov	eax, ds:_RtlpBootStatusFields[ecx*8]
		mov	[edx], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, ds:dword_40BCF4[ecx*8]
		mov	[eax], ecx
		xor	eax, eax

loc_7D723B:				; CODE XREF: RtlBootStatusItemInfo(x,x,x)+2Ej
		pop	ebp
		retn	4
; 

loc_7D723F:				; CODE XREF: RtlBootStatusItemInfo(x,x,x)+7j
					; RtlBootStatusItemInfo(x,x,x)+Cj
		mov	eax, 0C000000Dh
		jmp	short loc_7D723B
_RtlBootStatusItemInfo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpRecordBootStatusData(x,	x, x, x)
_RtlpRecordBootStatusData@16 proc near	; CODE XREF: RtlpGetSetBootStatusData+143p
					; RtlInitializeBootStatusDataBlackBox(x)+78p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		xor	eax, eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_14], edx
		inc	eax
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], eax
		test	cl, cl
		jz	short loc_7D7272
		or	esi, eax
		mov	[ebp+var_4], esi

loc_7D7272:				; CODE XREF: RtlpRecordBootStatusData(x,x,x,x)+25j
		push	0
		push	0
		push	14h
		lea	eax, [ebp+var_14]
		push	eax
		push	5Eh
		call	_ZwPowerInformation@20 ; ZwPowerInformation(x,x,x,x,x)
		pop	esi
		leave
		retn	8
_RtlpRecordBootStatusData@16 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2386. RtlUnlockBootStatusData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUnlockBootStatusData(x)
		public _RtlUnlockBootStatusData@4
_RtlUnlockBootStatusData@4 proc	near	; CODE XREF: PopBootStatSet+10Ep
					; PoClearTransitionMarker()+35p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		call	_RtlpAcquireBootStatusLock@0 ; RtlpAcquireBootStatusLock()
		mov	eax, _BootStatReferenceCount
		test	eax, eax
		jz	loc_7D733E
		mov	esi, [ebp+arg_0]
		xor	ecx, ecx
		dec	eax
		mov	bl, cl
		mov	_BootStatReferenceCount, eax
		cmp	_BootStatFileHandleAcquired, cl
		jz	short loc_7D72F7
		test	esi, esi
		jz	short loc_7D72DD
		cmp	_BootStatKeepHandleOpen, cl
		jnz	short loc_7D72F7
		test	eax, eax
		jnz	short loc_7D72F7
		jmp	short loc_7D72E3
; 

loc_7D72DD:				; CODE XREF: RtlUnlockBootStatusData(x)+3Fj
		mov	esi, _BootStatFileHandle

loc_7D72E3:				; CODE XREF: RtlUnlockBootStatusData(x)+4Dj
		mov	_BootStatReferenceCount, ecx
		mov	bl, 1
		mov	_BootStatFileHandle, ecx
		mov	_BootStatFileHandleAcquired, cl

loc_7D72F7:				; CODE XREF: RtlUnlockBootStatusData(x)+3Bj
					; RtlUnlockBootStatusData(x)+47j ...
		test	esi, esi
		jz	short loc_7D733E
		push	ecx
		push	ecx
		push	2
		lea	eax, [ebp+var_8]
		push	eax
		push	9C040h
		lea	eax, [ebp+var_10]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	esi
		call	_ZwFsControlFile@40 ; ZwFsControlFile(x,x,x,x,x,x,x,x,x,x)
		test	bl, bl
		jz	short loc_7D733E
		mov	eax, _BootStatDataCache
		test	eax, eax
		jz	short loc_7D7331
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	_BootStatDataCache, 0

loc_7D7331:				; CODE XREF: RtlUnlockBootStatusData(x)+92j
		push	esi
		mov	_BootStatFileHandleAcquired, 0
		call	_ZwClose@4	; ZwClose(x)

loc_7D733E:				; CODE XREF: RtlUnlockBootStatusData(x)+22j
					; RtlUnlockBootStatusData(x)+6Bj ...
		call	_RtlpReleaseBootStatusLock@0 ; RtlpReleaseBootStatusLock()
		pop	esi
		pop	ebx
		leave
		retn	4
_RtlUnlockBootStatusData@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2243. RtlLockBootStatusData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLockBootStatusData(x)
		public _RtlLockBootStatusData@4
_RtlLockBootStatusData@4 proc near	; CODE XREF: PopBootStatSet+61p
					; CmCompleteRegistryInitialization+11Fp ...

var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	edi, [esp+40h+var_18]
		push	6
		pop	ecx
		xor	eax, eax
		mov	[esp+40h+var_28], ebx
		rep stosd
		mov	esi, ebx
		mov	[esp+40h+var_24], ebx
		mov	[esp+40h+var_30], ebx
		mov	edi, ebx
		mov	[esp+40h+var_20], ebx
		mov	[esp+40h+var_1C], ebx
		mov	[esp+40h+var_2C], esi
		mov	[esp+40h+var_31], bl
		call	_RtlpAcquireBootStatusLock@0 ; RtlpAcquireBootStatusLock()
		inc	_BootStatReferenceCount
		cmp	_BootStatFileHandleAcquired, bl
		jz	short loc_7D73BB
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_7D73AF
		mov	eax, _BootStatFileHandle

loc_7D73A8:				; CODE XREF: RtlLockBootStatusData(x)+F5j
		mov	[ecx], eax
		jmp	loc_7D7463
; 

loc_7D73AF:				; CODE XREF: RtlLockBootStatusData(x)+53j
					; RtlLockBootStatusData(x)+EBj
		mov	_BootStatKeepHandleOpen, 1
		jmp	loc_7D7463
; 

loc_7D73BB:				; CODE XREF: RtlLockBootStatusData(x)+4Cj
		lea	edx, [esp+0Fh]
		lea	ecx, [esp+40h+var_2C]
		call	_RtlpGetBootStatusPath@8 ; RtlpGetBootStatusPath(x,x)
		mov	esi, [esp+40h+var_2C]
		lea	eax, [esp+40h+var_28]
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	20h
		lea	eax, [esp+44h+var_28]
		mov	[esp+44h+var_18], 18h
		mov	[esp+44h+var_10], eax
		lea	eax, [esp+44h+var_20]
		push	1
		push	eax
		lea	eax, [esp+4Ch+var_18]
		mov	[esp+4Ch+var_14], ebx
		push	eax
		push	12019Fh
		lea	eax, [esp+54h+var_30]
		mov	[esp+54h+var_C], 2C0h
		push	eax
		mov	[esp+58h+var_8], ebx
		mov	[esp+58h+var_4], ebx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7D7448
		mov	ecx, [esp+40h+var_30]
		mov	_BootStatFileHandle, ecx
		mov	_BootStatFileHandleAcquired, 1
		call	_RtlInitializeBootStatDataCache@0 ; RtlInitializeBootStatDataCache()
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	loc_7D73AF
		mov	eax, [esp+40h+var_30]
		jmp	loc_7D73A8
; 

loc_7D7448:				; CODE XREF: RtlLockBootStatusData(x)+CEj
		mov	eax, [ebp+arg_0]
		mov	_BootStatFileHandle, ebx
		mov	_BootStatFileHandleAcquired, bl
		mov	_BootStatReferenceCount, ebx
		test	eax, eax
		jz	short loc_7D7463
		mov	[eax], ebx

loc_7D7463:				; CODE XREF: RtlLockBootStatusData(x)+5Cj
					; RtlLockBootStatusData(x)+68j	...
		call	_RtlpReleaseBootStatusLock@0 ; RtlpReleaseBootStatusLock()
		cmp	[esp+40h+var_31], bl
		jz	short loc_7D7475
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7D7475:				; CODE XREF: RtlLockBootStatusData(x)+11Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_RtlLockBootStatusData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBootStatAccessCheck(x, x, x)
_PopBootStatAccessCheck@12 proc	near	; CODE XREF: PopBootStatSet+20Ep
					; PopBootStatGet+107p ...

var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		xor	ebx, ebx
		push	ebx
		mov	esi, edx
		mov	[ebp+var_18], ebx
		mov	byte ptr [ebp+var_14], bl
		stosd
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		stosd
		stosd
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+var_C]
		mov	[ebp+var_8], eax
		test	eax, eax
		js	short loc_7D753A
		push	ebx
		lea	eax, [ebp+var_14]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_10]
		call	ObpGetObjectSecurity
		mov	[ebp+var_8], eax
		test	eax, eax
		js	short loc_7D752F
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		mov	esi, [ebp+var_10]
		lea	eax, [ebp+var_28]
		push	(offset	loc_A3F6BF+1)
		push	ebx
		push	ebx
		push	[ebp+arg_0]
		push	ebx
		push	eax
		push	esi
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	bl, al
		lea	eax, [ebp+var_28]
		push	eax
		call	SeReleaseSubjectContext
		test	bl, bl
		jz	short loc_7D7522
		and	[ebp+var_8], 0

loc_7D7522:				; CODE XREF: PopBootStatAccessCheck(x,x,x)+9Cj
		test	esi, esi
		jz	short loc_7D752F
		push	[ebp+var_14]
		push	esi
		call	_ObReleaseObjectSecurity@8 ; ObReleaseObjectSecurity(x,x)

loc_7D752F:				; CODE XREF: PopBootStatAccessCheck(x,x,x)+50j
					; PopBootStatAccessCheck(x,x,x)+A4j
		test	edi, edi
		jz	short loc_7D753A
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7D753A:				; CODE XREF: PopBootStatAccessCheck(x,x,x)+3Aj
					; PopBootStatAccessCheck(x,x,x)+B1j
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopBootStatAccessCheck@12 endp


;  S U B	R O U T	I N E 


; __stdcall PspSetEnergyTrackingStateJobTree(x,	x)
_PspSetEnergyTrackingStateJobTree@8 proc near ;	CODE XREF: sub_7594DB+2Cp
		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	eax, [edi]
		test	eax, 0FFFFFFF3h
		jnz	short loc_7D75AC
		not	eax
		test	[edi+4], eax
		jnz	short loc_7D75AC
		call	_PspIsContextAdmin@0 ; PspIsContextAdmin()
		test	al, al
		jz	short loc_7D75A5
		push	esi
		push	1
		lea	esi, [ebx+20h]
		push	esi
		call	ExAcquireResourceExclusiveLite
		mov	eax, [edi]
		mov	edx, offset _PspSetJobEnergyTrackingStateCallback@8 ; PspSetJobEnergyTrackingStateCallback(x,x)
		push	5
		push	edi
		push	offset _PspSetProcessEnergyTrackingStateCallback@8 ; PspSetProcessEnergyTrackingStateCallback(x,x)
		mov	[ebx+3A8h], eax
		mov	ecx, ebx
		mov	eax, [edi+4]
		push	0
		mov	[ebx+3ACh], eax
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	ecx, esi
		call	ExReleaseResourceLite
		xor	eax, eax
		pop	esi

loc_7D75A2:				; CODE XREF: PspSetEnergyTrackingStateJobTree(x,x)+66j
					; PspSetEnergyTrackingStateJobTree(x,x)+6Dj
		pop	edi
		pop	ebx
		retn
; 

loc_7D75A5:				; CODE XREF: PspSetEnergyTrackingStateJobTree(x,x)+1Fj
		mov	eax, 0C0000022h
		jmp	short loc_7D75A2
; 

loc_7D75AC:				; CODE XREF: PspSetEnergyTrackingStateJobTree(x,x)+Fj
					; PspSetEnergyTrackingStateJobTree(x,x)+16j
		mov	eax, 0C000000Dh
		jmp	short loc_7D75A2
_PspSetEnergyTrackingStateJobTree@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspIsContextAdmin()
_PspIsContextAdmin@0 proc near		; CODE XREF: sub_75A01A:loc_75A086p
					; PspSetEnergyTrackingStateJobTree(x,x)+18p

var_10		= dword	ptr -10h
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		push	ebx
		push	edi
		xor	eax, eax
		lea	edi, [esp+18h+var_10]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+18h+var_10]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		lea	eax, [esp+18h+var_10]
		push	eax
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)
		mov	eax, [esp+18h+var_10]
		test	eax, eax
		jnz	short loc_7D75FE
		mov	eax, [esp+18h+var_8]

loc_7D75FE:				; CODE XREF: PspIsContextAdmin()+44j
		push	eax
		call	SeTokenIsAdmin
		mov	bl, al
		lea	eax, [esp+18h+var_10]
		push	eax
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		lea	eax, [esp+18h+var_10]
		push	eax
		call	SeReleaseSubjectContext
		pop	edi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PspIsContextAdmin@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepCheckCapabilities proc near		; CODE XREF: NtCreateLowBoxToken+44Bp
					; SepIsImpersonationAllowedDueToCapability+11ADA5p

var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F5D08 SIZE 000000A9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		xor	eax, eax
		mov	[esp+38h+var_28], eax
		mov	ebx, ecx
		mov	[esp+38h+var_24], eax
		mov	[esp+38h+var_18], eax
		mov	[esp+38h+var_14], eax
		mov	[edi], al
		lea	eax, [esp+38h+var_18]
		push	eax
		push	1Dh
		push	ebx
		mov	[esp+44h+var_10], edx
		mov	[esp+44h+var_4], ebx
		mov	[esp+44h+var_29], 1
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D76D6
		cmp	[esp+38h+var_18], 0
		jz	loc_8F5D08
		lea	eax, [esp+38h+var_28]
		push	eax
		push	1Eh
		push	ebx
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D76D6
		lea	eax, [esp+38h+var_14]
		push	eax
		push	2Eh
		push	ebx
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D76D6
		mov	edx, [esp+38h+var_28]
		xor	edi, edi
		mov	bl, 1
		mov	[esp+38h+var_20], edx
		cmp	[esp+38h+var_10], edi
		jbe	short loc_7D76D1

loc_7D76AC:				; CODE XREF: SepCheckCapabilities+ADj
		xor	bl, bl
		cmp	[esp+38h+var_14], 0
		jnz	short loc_7D7702
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+edi*8]
		call	_SepIsLpacCapabilitySid@4 ; SepIsLpacCapabilitySid(x)
		test	al, al
		jz	short loc_7D76FE

loc_7D76C4:				; CODE XREF: SepCheckCapabilities+13Cj
		mov	bl, 1

loc_7D76C6:				; CODE XREF: SepCheckCapabilities+11E77Aj
		mov	edx, [esp+38h+var_20]
		inc	edi
		cmp	edi, [esp+38h+var_10]
		jb	short loc_7D76AC

loc_7D76D1:				; CODE XREF: SepCheckCapabilities+88j
					; SepCheckCapabilities+11E6F8j	...
		mov	eax, [ebp+arg_8]
		mov	[eax], bl

loc_7D76D6:				; CODE XREF: SepCheckCapabilities+45j
					; SepCheckCapabilities+63j ...
		cmp	[esp+38h+var_28], 0
		jz	short loc_7D76E8
		push	0
		push	[esp+3Ch+var_28]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7D76E8:				; CODE XREF: SepCheckCapabilities+B9j
		cmp	[esp+38h+var_24], 0
		jnz	loc_8F5DA1

loc_7D76F3:				; CODE XREF: SepCheckCapabilities+11E78Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7D76FE:				; CODE XREF: SepCheckCapabilities+A0j
		mov	edx, [esp+38h+var_20]

loc_7D7702:				; CODE XREF: SepCheckCapabilities+91j
		mov	eax, [esp+38h+var_28]
		xor	ecx, ecx
		mov	[esp+38h+var_1C], ecx
		mov	eax, [eax]
		mov	[esp+38h+var_C], eax
		test	eax, eax
		jz	loc_8F5D10
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+edi*8]
		mov	[esp+38h+var_8], eax

loc_7D7724:				; CODE XREF: SepCheckCapabilities+12Bj
		push	eax
		push	dword ptr [edx+ecx*8+4]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		mov	ecx, [esp+38h+var_1C]
		test	al, al
		jnz	short loc_7D774F

loc_7D7736:				; CODE XREF: SepCheckCapabilities+142j
		inc	ecx
		mov	[esp+38h+var_1C], ecx
		cmp	ecx, [esp+38h+var_C]
		jnb	loc_8F5D10
		mov	eax, [esp+38h+var_8]
		mov	edx, [esp+38h+var_20]
		jmp	short loc_7D7724
; 

loc_7D774F:				; CODE XREF: SepCheckCapabilities+112j
		mov	eax, [esp+38h+var_20]
		mov	edx, [ebp+arg_0]
		mov	eax, [eax+ecx*8+8]
		cmp	eax, [edx+edi*8+4]
		jz	loc_7D76C4
		jmp	short loc_7D7736
SepCheckCapabilities endp


;  S U B	R O U T	I N E 


; __stdcall SepIsLpacCapabilitySid(x)
_SepIsLpacCapabilitySid@4 proc near	; CODE XREF: SepCheckCapabilities+99p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi

loc_7D776E:				; CODE XREF: SepIsLpacCapabilitySid(x)+20j
		mov	eax, ds:_SeLpacCapabilitySids[esi]
		push	dword ptr [eax]
		push	edi
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_7D778A
		add	esi, 4
		cmp	esi, 48h
		jb	short loc_7D776E
		jmp	short loc_7D778C
; 

loc_7D778A:				; CODE XREF: SepIsLpacCapabilitySid(x)+18j
		mov	al, 1

loc_7D778C:				; CODE XREF: SepIsLpacCapabilitySid(x)+22j
		pop	edi
		pop	esi
		retn
_SepIsLpacCapabilitySid@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetProcessBackgroundCountCallback(x, x)
_PspSetProcessBackgroundCountCallback@8	proc near ; DATA XREF: PspSetBackgroundJobTree+46o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	byte ptr [ecx+0F8h], 1
		jz	short loc_7D77A7

loc_7D77A1:				; CODE XREF: PspSetProcessBackgroundCountCallback(x,x)+38j
		xor	eax, eax
		pop	ebp
		retn	8
; 

loc_7D77A7:				; CODE XREF: PspSetProcessBackgroundCountCallback(x,x)+Fj
		mov	eax, [ecx+158h]
		push	esi
		mov	esi, [eax+198h]
		mov	eax, [ebp+arg_4]
		cmp	byte ptr [eax],	0
		jnz	short loc_7D77CA
		test	esi, esi
		jnz	short loc_7D77C7
		xor	edx, edx

loc_7D77C2:				; CODE XREF: PspSetProcessBackgroundCountCallback(x,x)+3Fj
		call	_PspNotifyProcessBackgroundTransition@8	; PspNotifyProcessBackgroundTransition(x,x)

loc_7D77C7:				; CODE XREF: PspSetProcessBackgroundCountCallback(x,x)+2Ej
					; PspSetProcessBackgroundCountCallback(x,x)+41j
		pop	esi
		jmp	short loc_7D77A1
; 

loc_7D77CA:				; CODE XREF: PspSetProcessBackgroundCountCallback(x,x)+2Aj
		xor	edx, edx
		inc	edx
		cmp	esi, edx
		jz	short loc_7D77C2
		jmp	short loc_7D77C7
_PspSetProcessBackgroundCountCallback@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWatchProductTypeWork	proc near	; DATA XREF: ExpWatchProductTypeInitialization+192o

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_7E		= byte ptr -7Eh
var_7C		= dword	ptr -7Ch
var_76		= byte ptr -76h
var_75		= byte ptr -75h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6A		= byte ptr -6Ah
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F5DB1 SIZE 000001A6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		xor	eax, eax
		mov	byte ptr [esp+3], 1
		push	ebx
		push	esi
		push	edi
		push	ds:off_A41484
		mov	[esp+7Ch+var_48], eax
		mov	bh, al
		mov	[esp+7Ch+var_44], eax
		mov	bl, al
		mov	[esp+7Ch+var_60], eax
		mov	[esp+7Ch+var_5C], eax
		mov	[esp+7Ch+var_4C], eax
		mov	[esp+7Ch+var_50], eax
		mov	[esp+7Ch+var_54], eax
		mov	[esp+7Ch+var_58], eax
		lea	eax, [esp+7Ch+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	esi, esi
		mov	[esp+78h+var_40], 18h
		lea	eax, [esp+78h+var_48]
		mov	[esp+78h+var_3C], esi
		xor	edx, edx
		mov	[esp+78h+var_34], 240h
		mov	ecx, offset _ExpKeyManipLock
		mov	[esp+78h+var_38], eax
		mov	[esp+78h+var_30], esi
		mov	[esp+78h+var_2C], esi
		call	ExAcquirePushLockSharedEx
		cmp	_ExpProductTypeKey, esi
		jz	loc_7D7B0C
		mov	edi, 0C000009Ah

loc_7D786B:				; CODE XREF: ExpWatchProductTypeWork+11E5F6j
		push	esi
		push	esi
		lea	eax, [esp+80h+var_40]
		mov	edx, 2001Fh
		push	eax
		lea	ecx, [esp+84h+var_54]
		call	CmOpenKey
		cmp	eax, edi
		jz	loc_8F5DB1
		test	eax, eax
		js	loc_8F5DCF
		cmp	_ExpSetupModeDetected, 0
		mov	eax, _ExpProductTypeKey
		mov	[esp+84h+var_64], eax
		mov	eax, [esp+84h+var_60]
		mov	_ExpProductTypeKey, eax
		jnz	loc_7D7AAE
		push	ds:off_A41488
		lea	eax, [esp+1Ch]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+84h+var_5C]
		push	eax		; int
		push	22h		; int
		lea	eax, [esp+8Ch+var_34]
		push	eax		; int
		push	2		; size_t
		lea	eax, [esp+28h]
		push	eax		; int
		push	_ExpProductTypeKey ; int
		call	NtQueryValueKey
		cmp	eax, edi
		jz	loc_8F5DE6

loc_7D78E5:				; CODE XREF: ExpWatchProductTypeWork+11E64Dj
		test	eax, eax
		js	loc_7D79F0
		mov	eax, ds:off_A4148C
		lea	ecx, [esp+84h+var_28]

loc_7D78F6:				; CODE XREF: ExpWatchProductTypeWork+14Aj
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	loc_7D7B49
		test	dx, dx
		jz	short loc_7D7920
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	loc_7D7B49
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_7D78F6

loc_7D7920:				; CODE XREF: ExpWatchProductTypeWork+131j
		xor	eax, eax

loc_7D7922:				; CODE XREF: ExpWatchProductTypeWork+37Aj
		test	eax, eax
		jz	loc_8F5E26
		mov	eax, ds:off_A41490
		lea	ecx, [esp+84h+var_28]

loc_7D7933:				; CODE XREF: ExpWatchProductTypeWork+187j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	loc_7D7B53
		test	dx, dx
		jz	short loc_7D795D
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	loc_7D7B53
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_7D7933

loc_7D795D:				; CODE XREF: ExpWatchProductTypeWork+16Ej
		xor	eax, eax

loc_7D795F:				; CODE XREF: ExpWatchProductTypeWork+384j
		test	eax, eax
		jz	loc_8F5E26
		xor	bl, bl

loc_7D7969:				; CODE XREF: ExpWatchProductTypeWork+11E654j
		mov	edx, _ExpProductTypeValueInfo
		mov	eax, ds:off_A41494
		add	edx, 0Ch
		mov	ecx, edx

loc_7D7979:				; CODE XREF: ExpWatchProductTypeWork+1CDj
		mov	si, [eax]
		cmp	si, [ecx]
		jnz	loc_7D7B5D
		test	si, si
		jz	short loc_7D79A3
		mov	si, [eax+2]
		cmp	si, [ecx+2]
		jnz	loc_7D7B5D
		add	eax, 4
		add	ecx, 4
		test	si, si
		jnz	short loc_7D7979

loc_7D79A3:				; CODE XREF: ExpWatchProductTypeWork+1B4j
		xor	eax, eax

loc_7D79A5:				; CODE XREF: ExpWatchProductTypeWork+38Ej
		test	eax, eax
		jnz	loc_8F5E2D

loc_7D79AD:				; CODE XREF: ExpWatchProductTypeWork+11E65Bj
		mov	bl, [esp+84h+var_75]

loc_7D79B1:				; CODE XREF: ExpWatchProductTypeWork+11E674j
		lea	eax, [esp+84h+var_28]

loc_7D79B5:				; CODE XREF: ExpWatchProductTypeWork+209j
		mov	cx, [edx]
		cmp	cx, [eax]
		jnz	loc_7D7B67
		test	cx, cx
		jz	short loc_7D79DF
		mov	cx, [edx+2]
		cmp	cx, [eax+2]
		jnz	loc_7D7B67
		add	edx, 4
		add	eax, 4
		test	cx, cx
		jnz	short loc_7D79B5

loc_7D79DF:				; CODE XREF: ExpWatchProductTypeWork+1F0j
		xor	eax, eax

loc_7D79E1:				; CODE XREF: ExpWatchProductTypeWork+398j
		test	eax, eax
		setz	al
		dec	al
		and	al, bl
		xor	esi, esi
		mov	[esp+84h+var_75], al

loc_7D79F0:				; CODE XREF: ExpWatchProductTypeWork+113j
		mov	ebx, _ExpProductTypeKey
		mov	edi, 0C0000002h
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+204h]
		mov	eax, ds:dword_A93F04
		test	eax, eax
		jz	loc_8F5EF5
		push	ebx
		push	ecx
		call	eax
		mov	edi, eax
		test	edi, edi
		js	loc_8F5EF5
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		mov	ecx, _ExpProductTypeValueInfo
		mov	bh, 1
		push	dword ptr [ecx+8]
		lea	eax, [ecx+0Ch]
		push	eax
		push	dword ptr [ecx+4]
		lea	eax, [esp+98h+var_74]
		push	esi
		push	eax
		push	_ExpProductTypeKey
		call	NtSetValueKey
		mov	edi, 0C000009Ah
		cmp	eax, edi
		jz	loc_8F5E4D

loc_7D7A58:				; CODE XREF: ExpWatchProductTypeWork+11E6B7j
		test	eax, eax
		js	loc_8F5DD6
		cmp	dword_6D6EF0, 0
		lea	eax, [esp+8Ch+var_74]
		push	ds:off_A41498
		push	eax
		jz	loc_8F5EDB
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, dword_6D6EF0
		push	dword ptr [ecx+8]
		lea	eax, [ecx+0Ch]
		push	eax
		push	dword ptr [ecx+4]
		lea	eax, [esp+98h+var_74]
		push	esi
		push	eax
		push	_ExpProductTypeKey
		call	NtSetValueKey
		cmp	eax, edi
		jz	loc_8F5E90

loc_7D7AA6:				; CODE XREF: ExpWatchProductTypeWork+11E6FAj
		test	eax, eax
		js	loc_8F5ED3

loc_7D7AAE:				; CODE XREF: ExpWatchProductTypeWork+D5j
					; ExpWatchProductTypeWork+11E71Cj ...
		mov	eax, _ExpProductTypeKey
		push	1
		push	4
		push	offset _ExpProductTypeChangeBuffer
		push	esi
		push	10000005h
		push	offset _ExpProductTypeIoSb
		push	1
		push	offset _ExpWatchProductTypeWorkItem
		push	esi
		push	esi
		push	esi
		push	eax
		call	NtNotifyChangeMultipleKeys
		mov	edi, eax
		cmp	edi, 0C000009Ah
		jz	loc_8F5F03
		test	bh, bh
		jz	short loc_7D7AEE
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_7D7AEE:				; CODE XREF: ExpWatchProductTypeWork+313j
		test	edi, edi
		js	loc_8F5EFA
		cmp	_ExpSetupModeDetected, 0
		mov	bl, bh
		jnz	short loc_7D7B0C
		cmp	byte ptr [esp+0Fh], 0
		jnz	loc_8F5F21

loc_7D7B0C:				; CODE XREF: ExpWatchProductTypeWork+8Cj
					; ExpWatchProductTypeWork+32Bj	...
		xor	edx, edx
		mov	ecx, offset _ExpKeyManipLock
		call	ExReleasePushLockEx
		mov	eax, [esp+20h]
		test	eax, eax
		jz	short loc_7D7B35
		test	bl, bl
		jz	short loc_7D7B2E
		push	eax
		call	_NtFlushKey@4	; NtFlushKey(x)
		mov	eax, [esp+20h]

loc_7D7B2E:				; CODE XREF: ExpWatchProductTypeWork+34Ej
		push	esi
		push	eax
		call	ObCloseHandle

loc_7D7B35:				; CODE XREF: ExpWatchProductTypeWork+34Aj
		mov	ecx, [esp+8Ch+var_18]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7D7B49:				; CODE XREF: ExpWatchProductTypeWork+128j
					; ExpWatchProductTypeWork+13Bj
		sbb	eax, eax
		or	eax, 1
		jmp	loc_7D7922
; 

loc_7D7B53:				; CODE XREF: ExpWatchProductTypeWork+165j
					; ExpWatchProductTypeWork+178j
		sbb	eax, eax
		or	eax, 1
		jmp	loc_7D795F
; 

loc_7D7B5D:				; CODE XREF: ExpWatchProductTypeWork+1ABj
					; ExpWatchProductTypeWork+1BEj
		sbb	eax, eax
		or	eax, 1
		jmp	loc_7D79A5
; 

loc_7D7B67:				; CODE XREF: ExpWatchProductTypeWork+1E7j
					; ExpWatchProductTypeWork+1FAj
		sbb	eax, eax
		or	eax, 1
		jmp	loc_7D79E1
ExpWatchProductTypeWork	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtFlushKey(x)
_NtFlushKey@4	proc near		; CODE XREF: ExpWatchProductTypeWork+351p
					; DATA XREF: .text:00581040o

var_6E		= byte ptr -6Eh
var_6D		= byte ptr -6Dh
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_40		= dword	ptr -40h
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, [ebp+arg_0]
		lea	edi, [esp+80h+var_50]
		xor	ebx, ebx
		stosd
		push	6
		pop	ecx
		push	8
		stosd
		mov	[esp+84h+var_54], ebx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+84h+var_40]
		rep stosd
		lea	edi, [esp+84h+var_28]
		pop	ecx
		rep stosd
		mov	edi, ebx
		mov	[esp+80h+var_6C], edi
		cmp	ds:_CmpTraceRoutine, eax
		jz	short loc_7D7BCE
		mov	edx, 20000h
		lea	ecx, [esp+80h+var_28]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)

loc_7D7BCE:				; CODE XREF: NtFlushKey(x)+4Cj
		lea	eax, [esp+80h+var_64]
		mov	[esp+80h+var_6E], bl
		mov	[esp+80h+var_68], ebx
		mov	[esp+80h+var_60], eax
		mov	[esp+80h+var_64], eax
		call	CmpAcquireShutdownRundown
		mov	bl, al
		mov	[esp+80h+var_6D], bl
		test	bl, bl
		jnz	short loc_7D7BFB
		mov	esi, 0C0000189h
		jmp	loc_7D7D6B
; 

loc_7D7BFB:				; CODE XREF: NtFlushKey(x)+7Dj
		mov	eax, large fs:124h
		xor	edx, edx
		mov	bl, [eax+15Ah]
		lea	eax, [esp+80h+var_58]
		push	eax
		lea	eax, [esp+84h+var_68]
		mov	byte ptr [esp+84h+var_5C], bl
		push	eax
		push	[esp+88h+var_5C]
		push	ecx
		mov	ecx, esi
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [esp+80h+var_68]
		mov	esi, eax
		test	esi, esi
		js	loc_7D7D58
		cmp	ds:_CmpTraceRoutine, 0
		jz	short loc_7D7C45
		test	edi, edi
		jz	short loc_7D7C45
		mov	eax, [edi+8]
		mov	[esp+80h+var_6C], eax

loc_7D7C45:				; CODE XREF: NtFlushKey(x)+C6j
					; NtFlushKey(x)+CAj
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	eax, [edi+8]
		mov	eax, [eax+10h]
		test	byte ptr [eax+64h], 2
		jz	short loc_7D7C71
		test	bl, bl
		jz	short loc_7D7C71
		mov	eax, [esp+80h+var_54]
		not	eax
		test	eax, 20006h
		jz	short loc_7D7C71
		mov	esi, 0C0000022h
		jmp	loc_7D7D53
; 

loc_7D7C71:				; CODE XREF: NtFlushKey(x)+E2j
					; NtFlushKey(x)+E6j ...
		cmp	_CmpCallBackCount, 0
		jz	short loc_7D7CBF
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_7D7CBF
		lea	eax, [esp+80h+var_64]
		mov	[esp+80h+var_50], edi
		push	eax
		push	edi
		push	1Fh
		push	ecx
		push	1Eh
		lea	edx, [esp+94h+var_50]
		pop	ecx
		call	_CmpCallCallBacks@24 ; CmpCallCallBacks(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7D7CBA
		cmp	esi, 0C0000503h
		jnz	loc_7D7D53
		xor	esi, esi
		jmp	loc_7D7D53
; 

loc_7D7CBA:				; CODE XREF: NtFlushKey(x)+133j
		mov	[esp+80h+var_6E], 1

loc_7D7CBF:				; CODE XREF: NtFlushKey(x)+106j
					; NtFlushKey(x)+114j
		xor	cl, cl
		call	CmpLockRegistryFreezeAware
		mov	ecx, [edi+8]
		call	_CmpLockKcbShared@4 ; CmpLockKcbShared(x)
		xor	edx, edx
		mov	ecx, edi
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	short loc_7D7D28
		mov	ecx, [edi+8]
		mov	esi, [ecx+10h]
		cmp	esi, ds:_CmpMasterHive
		jnz	short loc_7D7D12
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		lea	ecx, [esp+80h+var_40]
		call	CmpAttachToRegistryProcess
		xor	ecx, ecx
		call	_CmpDoFlushAll@4 ; CmpDoFlushAll(x)
		lea	ecx, [esp+80h+var_40]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		xor	esi, esi
		jmp	short loc_7D7D35
; 

loc_7D7D12:				; CODE XREF: NtFlushKey(x)+177j
		lea	ebx, [esi+430h]
		mov	ecx, ebx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_7D7DA2
		mov	esi, 0C0000425h

loc_7D7D28:				; CODE XREF: NtFlushKey(x)+169j
		mov	ecx, [edi+8]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_7D7D35:				; CODE XREF: NtFlushKey(x)+19Ej
					; NtFlushKey(x)+26Aj
		cmp	[esp+80h+var_6E], 0
		jz	short loc_7D7D53
		lea	eax, [esp+80h+var_64]
		mov	edx, edi
		push	eax
		lea	eax, [esp+84h+var_50]
		push	eax
		push	esi
		push	1Fh
		pop	ecx
		call	_CmPostCallbackNotification@20 ; CmPostCallbackNotification(x,x,x,x,x)
		mov	esi, eax

loc_7D7D53:				; CODE XREF: NtFlushKey(x)+FAj
					; NtFlushKey(x)+13Bj ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_7D7D58:				; CODE XREF: NtFlushKey(x)+B9j
		test	edi, edi
		jz	short loc_7D7D63
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7D7D63:				; CODE XREF: NtFlushKey(x)+1E8j
		mov	edi, [esp+80h+var_6C]
		mov	bl, [esp+80h+var_6D]

loc_7D7D6B:				; CODE XREF: NtFlushKey(x)+84j
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jz	short loc_7D7D83
		push	0
		push	edi
		push	0
		push	esi
		lea	ecx, [esp+90h+var_28]
		push	ecx
		push	15h
		call	eax

loc_7D7D83:				; CODE XREF: NtFlushKey(x)+200j
		test	bl, bl
		jz	short loc_7D7D8C
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_7D7D8C:				; CODE XREF: NtFlushKey(x)+213j
		mov	ecx, [esp+98h+var_1C]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7D7DA2:				; CODE XREF: NtFlushKey(x)+1AFj
		mov	ecx, [edi+8]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		lea	ecx, [esp+80h+var_40]
		call	CmpAttachToRegistryProcess
		xor	edx, edx
		mov	ecx, esi
		call	CmpFlushHive
		mov	esi, eax
		test	esi, esi
		jns	short loc_7D7DCC
		mov	esi, 0C000014Dh

loc_7D7DCC:				; CODE XREF: NtFlushKey(x)+253j
		lea	ecx, [esp+80h+var_40]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		mov	ecx, ebx
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_7D7D35
_NtFlushKey@4	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2385. RtlUnicodeToUTF8N

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUnicodeToUTF8N
RtlUnicodeToUTF8N proc near		; CODE XREF: EtwpQueryPartitionRegistryInformation+1CAp
					; EtwpQueryPartitionRegistryInformation+82BB3p	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F5F57 SIZE 00000187 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_C]
		push	ebx
		push	edi
		xor	edi, edi
		xor	ebx, ebx
		mov	[ebp+var_4], edi
		test	ecx, ecx
		jz	loc_7D7F5F
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	loc_7D7F32
		mov	eax, [ebp+arg_10]
		test	al, 1
		jnz	loc_8F5F61
		shr	eax, 1
		mov	edx, esi
		lea	edi, [ecx+eax*2]
		mov	eax, [ebp+arg_4]
		add	eax, esi
		mov	[ebp+arg_10], edi
		mov	[ebp+arg_C], eax

loc_7D7E29:				; CODE XREF: RtlUnicodeToUTF8N+66j
					; RtlUnicodeToUTF8N+147j
		cmp	ecx, edi
		jnb	loc_8F5F6B
		movzx	esi, word ptr [ecx]
		test	ebx, ebx
		jnz	loc_8F5F78
		mov	ebx, esi
		add	ecx, 2

loc_7D7E41:				; CODE XREF: RtlUnicodeToUTF8N+C3j
		lea	eax, [ebx-0D800h]
		cmp	eax, 3FFh
		jbe	short loc_7D7E29

loc_7D7E4E:				; CODE XREF: RtlUnicodeToUTF8N+11E18Dj
					; RtlUnicodeToUTF8N+11E19Dj ...
		lea	eax, [ebx-0D800h]
		cmp	eax, 7FFh
		jbe	loc_8F5F9C

loc_7D7E5F:				; CODE XREF: RtlUnicodeToUTF8N+11E1C2j
		xor	esi, esi
		inc	esi
		cmp	ebx, 7Fh
		ja	loc_8F5FAD

loc_7D7E6B:				; CODE XREF: RtlUnicodeToUTF8N+11E1DEj
		mov	eax, [ebp+arg_C]
		sub	eax, esi
		cmp	edx, eax
		ja	loc_8F60D4
		cmp	ebx, 7Fh
		ja	loc_8F5FC9

loc_7D7E81:				; CODE XREF: RtlUnicodeToUTF8N+11E230j
		mov	esi, [ebp+arg_C]
		mov	eax, edi
		sub	eax, ecx
		mov	[edx], bl
		inc	edx
		sar	eax, 1
		sub	esi, edx
		cmp	eax, 0Dh
		ja	short loc_7D7EC4
		cmp	esi, eax
		jb	loc_7D7F2B

loc_7D7E9C:				; CODE XREF: RtlUnicodeToUTF8N+C8j
		cmp	ecx, edi
		jnb	short loc_7D7EB0
		movzx	ebx, word ptr [ecx]
		add	ecx, 2
		cmp	ebx, 7Fh
		ja	short loc_7D7E41
		mov	[edx], bl
		inc	edx
		jmp	short loc_7D7E9C
; 

loc_7D7EB0:				; CODE XREF: RtlUnicodeToUTF8N+B8j
					; RtlUnicodeToUTF8N+11E187j
		mov	edi, [ebp+var_4]

loc_7D7EB3:				; CODE XREF: RtlUnicodeToUTF8N+11E2F3j
		mov	ecx, [ebp+arg_8]
		mov	eax, edi
		sub	edx, [ebp+arg_0]
		mov	[ecx], edx

loc_7D7EBD:				; CODE XREF: RtlUnicodeToUTF8N+160j
					; RtlUnicodeToUTF8N+11E176j ...
		pop	esi

loc_7D7EBE:				; CODE XREF: RtlUnicodeToUTF8N+17Ej
		pop	edi
		pop	ebx
		leave
		retn	14h
; 

loc_7D7EC4:				; CODE XREF: RtlUnicodeToUTF8N+ACj
		cmp	esi, eax
		jb	loc_8F601B

loc_7D7ECC:				; CODE XREF: RtlUnicodeToUTF8N+11E237j
		lea	esi, [eax-5]
		lea	esi, [ecx+esi*2]
		cmp	ecx, esi
		jnb	short loc_7D7F2B

loc_7D7ED6:				; CODE XREF: RtlUnicodeToUTF8N+140j
		movzx	ebx, word ptr [ecx]
		add	ecx, 2
		cmp	ebx, 7Fh
		ja	loc_8F6035
		mov	[edx], bl
		inc	edx
		test	cl, 2
		jnz	short loc_7D7F4B

loc_7D7EED:				; CODE XREF: RtlUnicodeToUTF8N+177j
		cmp	ecx, esi
		jnb	short loc_7D7F28

loc_7D7EF1:				; CODE XREF: RtlUnicodeToUTF8N+13Cj
		mov	eax, [ecx+4]
		mov	ebx, [ecx]
		mov	[ebp+arg_4], eax
		or	eax, ebx
		test	eax, 0FF80FF80h
		jnz	loc_8F6022
		mov	eax, [ebp+arg_4]
		add	ecx, 8
		mov	[edx], bl
		mov	[edx+2], al
		shr	ebx, 10h
		shr	eax, 10h
		mov	[edx+1], bl
		mov	[edx+3], al
		add	edx, 4
		cmp	ecx, esi
		jb	short loc_7D7EF1

loc_7D7F24:				; CODE XREF: RtlUnicodeToUTF8N+11E24Aj
					; RtlUnicodeToUTF8N+11E2D9j
		cmp	ecx, esi
		jb	short loc_7D7ED6

loc_7D7F28:				; CODE XREF: RtlUnicodeToUTF8N+109j
					; RtlUnicodeToUTF8N+11E2E1j ...
		mov	edi, [ebp+arg_10]

loc_7D7F2B:				; CODE XREF: RtlUnicodeToUTF8N+B0j
					; RtlUnicodeToUTF8N+EEj
		xor	ebx, ebx
		jmp	loc_7D7E29
; 

loc_7D7F32:				; CODE XREF: RtlUnicodeToUTF8N+20j
		cmp	[ebp+arg_8], ebx
		jz	loc_8F5F57
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_10]
		call	CountUnicodeToUTF8
		jmp	loc_7D7EBD
; 

loc_7D7F4B:				; CODE XREF: RtlUnicodeToUTF8N+105j
		movzx	ebx, word ptr [ecx]
		add	ecx, 2
		cmp	ebx, 7Fh
		ja	loc_8F6035
		mov	[edx], bl
		inc	edx
		jmp	short loc_7D7EED
; 

loc_7D7F5F:				; CODE XREF: RtlUnicodeToUTF8N+14j
		mov	eax, 0C00000F2h
		jmp	loc_7D7EBE
RtlUnicodeToUTF8N endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTryToLockHashEntryExclusive proc near ; CODE	XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+EA3p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F60DE SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	edi, ecx
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		imul	esi, eax, 0Ch
		xor	ebx, ebx
		inc	ebx
		xor	edx, edx
		push	ebx
		add	esi, [edi+434h]
		mov	ecx, esi
		call	KeAbPreAcquire
		lock bts dword ptr [esi], 0
		jb	loc_8F60ED
		test	eax, eax
		jz	short loc_7D7FA4
		or	[eax+0Eh], bl

loc_7D7FA4:				; CODE XREF: CmpTryToLockHashEntryExclusive+35j
		mov	eax, large fs:124h
		mov	ecx, edi
		mov	[esi+4], eax
		call	_CmpReferenceHive@4 ; CmpReferenceHive(x)
		test	al, al
		jz	loc_8F60DE

loc_7D7FBC:				; CODE XREF: CmpTryToLockHashEntryExclusive+11E192j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
CmpTryToLockHashEntryExclusive endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDmObjectGetCachedObjectReference(int,void *,int)
PiDmObjectGetCachedObjectReference proc	near
					; CODE XREF: PiDmObjectGetCachedObjectProperty(x,x,x,x,x,x,x,x,x)+B2p
					; PiDmGetReferencedObjectFromProperty+35p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F6101 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		mov	eax, ecx
		and	[ebp+var_4], 0
		lea	ecx, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		push	ecx
		mov	[ebp+var_C], edx
		mov	ecx, eax
		lea	edx, [ebp+var_8]
		mov	[ebp+var_10], eax
		mov	esi, 0C0000016h
		xor	bl, bl
		call	_PiDmGetCacheKeys@12 ; PiDmGetCacheKeys(x,x,x)
		mov	edi, [ebp+var_4]
		test	edi, edi
		jz	short loc_7D8074
		push	[ebp+arg_4]	; void *
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_PiDmGetCachedKeyIndex@12 ; PiDmGetCachedKeyIndex(x,x,x)
		mov	[ebp+arg_4], eax
		cmp	eax, edi
		jnb	short loc_7D8074
		cmp	[ebp+arg_0], 0
		jz	loc_8F6101

loc_7D801B:				; CODE XREF: PiDmObjectGetCachedObjectReference+11E156j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+arg_0]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		imul	ecx, [ebp+arg_4], 14h
		mov	eax, [ecx+edi+40h]
		dec	eax
		sub	eax, 1
		jz	short loc_7D8084
		sub	eax, 4
		jnz	short loc_7D807D
		mov	eax, [ebp+arg_8]
		mov	ecx, [ecx+edi+48h]
		mov	[eax], ecx
		lock inc dword ptr [ecx+4]
		xor	esi, esi

loc_7D8057:				; CODE XREF: PiDmObjectGetCachedObjectReference+BCj
					; PiDmObjectGetCachedObjectReference+C3j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, bl
		jnz	loc_8F6121

loc_7D8074:				; CODE XREF: PiDmObjectGetCachedObjectReference+35j
					; PiDmObjectGetCachedObjectReference+49j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7D807D:				; CODE XREF: PiDmObjectGetCachedObjectReference+80j
		mov	esi, 0C0000016h
		jmp	short loc_7D8057
; 

loc_7D8084:				; CODE XREF: PiDmObjectGetCachedObjectReference+7Bj
		mov	esi, 0C0000225h
		jmp	short loc_7D8057
PiDmObjectGetCachedObjectReference endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeCodeIntegrityQueryInformation(x, x, x)
_SeCodeIntegrityQueryInformation@12 proc near ;	CODE XREF: PAGE:00780E48p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword_6BEA2C, 0
		jz	short loc_7D80C3
		mov	al, ds:_SeILSigningPolicy
		test	al, al
		jnz	short loc_7D80A8
		mov	al, _SeILSigningPolicyRuntime

loc_7D80A8:				; CODE XREF: SeCodeIntegrityQueryInformation(x,x,x)+15j
		push	[ebp+arg_0]
		movzx	eax, al
		test	eax, eax
		setnz	al
		movzx	eax, al
		push	eax
		push	edx
		push	ecx
		call	dword_6BEA2C

loc_7D80BF:				; CODE XREF: SeCodeIntegrityQueryInformation(x,x,x)+3Cj
		pop	ebp
		retn	4
; 

loc_7D80C3:				; CODE XREF: SeCodeIntegrityQueryInformation(x,x,x)+Cj
		mov	eax, 0C0000001h
		jmp	short loc_7D80BF
_SeCodeIntegrityQueryInformation@12 endp


;  S U B	R O U T	I N E 


; __stdcall ObpRemoveNamespaceFromTable(x)
_ObpRemoveNamespaceFromTable@4 proc near ; CODE	XREF: ObpCloseDirectoryObject(x,x,x,x)+1Bp
					; NtDeletePrivateNamespace(x)+64p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, 0C0190021h
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ebx, eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [ebx+19Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		push	2
		pop	ecx
		lea	eax, [edi+0A8h]
		lock or	[eax], ecx
		mov	eax, [edi+0A0h]
		test	eax, eax
		jz	short loc_7D8139
		xor	esi, esi
		mov	[edi+0A0h], esi
		mov	[eax+8], esi
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_7D8158
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_7D8158
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, edi
		dec	dword ptr [ebx+1A0h]
		call	ObfDereferenceObject

loc_7D8139:				; CODE XREF: ObpRemoveNamespaceFromTable(x)+42j
		xor	edx, edx
		lea	ecx, [ebx+19Ch]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_7D8158:				; CODE XREF: ObpRemoveNamespaceFromTable(x)+54j
					; ObpRemoveNamespaceFromTable(x)+5Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_ObpRemoveNamespaceFromTable@4 endp


;  S U B	R O U T	I N E 


; __stdcall SepAppendDefaultDacl(x, x)
_SepAppendDefaultDacl@8	proc near	; CODE XREF: SepAppendAceToTokenDefaultDacl+131p
					; PAGE:007E97B7p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		movzx	edi, word ptr [edx+2]
		mov	eax, [ebx+9Ch]
		push	edi		; size_t
		push	edx		; void *
		movzx	esi, byte ptr [eax+1]
		mov	eax, [ebx+0A0h]
		add	eax, 8
		lea	esi, [eax+esi*4]
		push	esi		; void *
		call	_memcpy
		sub	[ebx+8Ch], edi
		add	esp, 0Ch
		mov	[ebx+0A4h], esi
		pop	edi
		pop	esi
		pop	ebx
		retn
_SepAppendDefaultDacl@8	endp


;  S U B	R O U T	I N E 


SepFreeDefaultDacl proc	near		; CODE XREF: SepAppendAceToTokenDefaultDacl+128p
					; PAGE:007E97A7p

; FUNCTION CHUNK AT 008F612E SIZE 00000024 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+0A4h]
		test	eax, eax
		jz	short loc_7D81BA
		movzx	eax, word ptr [eax+2]
		add	[esi+8Ch], eax
		and	dword ptr [esi+0A4h], 0

loc_7D81BA:				; CODE XREF: SepFreeDefaultDacl+Dj
		mov	edx, [esi+0A0h]
		mov	ecx, [esi+9Ch]
		cmp	edx, ecx
		jnz	loc_8F612E
		pop	esi
		retn
SepFreeDefaultDacl endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepExpandDynamic(x,	x)
_SepExpandDynamic@8 proc near		; CODE XREF: SepAppendAceToTokenDefaultDacl+11Bp
					; PAGE:007E9734p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	eax, [edi+9Ch]
		movzx	ecx, byte ptr [eax+1]
		mov	eax, [edi+8Ch]
		add	eax, 8
		lea	ecx, [eax+ecx*4]
		mov	eax, [edi+0A4h]
		mov	[ebp+var_4], ecx
		test	eax, eax
		jz	short loc_7D820A
		movzx	eax, word ptr [eax+2]
		add	ecx, eax
		mov	[ebp+var_4], ecx

loc_7D820A:				; CODE XREF: SepExpandDynamic(x,x)+2Fj
		cmp	edx, ecx
		jbe	short loc_7D826C
		push	64546553h
		push	edx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7D8272
		push	ebx
		push	[ebp+var_4]	; size_t
		mov	ebx, [edi+0A0h]
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		sub	eax, [ebp+var_4]
		add	[edi+8Ch], eax
		mov	eax, [edi+0A4h]
		mov	[edi+0A0h], esi
		test	eax, eax
		jz	short loc_7D825B
		sub	eax, ebx
		add	eax, esi
		mov	[edi+0A4h], eax

loc_7D825B:				; CODE XREF: SepExpandDynamic(x,x)+7Fj
		push	0
		sub	esi, ebx
		add	[edi+9Ch], esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebx

loc_7D826C:				; CODE XREF: SepExpandDynamic(x,x)+3Cj
		xor	eax, eax

loc_7D826E:				; CODE XREF: SepExpandDynamic(x,x)+A7j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_7D8272:				; CODE XREF: SepExpandDynamic(x,x)+4Fj
		mov	eax, 0C000009Ah
		jmp	short loc_7D826E
_SepExpandDynamic@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmGetVisibleValueCount proc near	; CODE XREF: CmpQueryKeyDataFromNode+1E7p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F6152 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		or	eax, 0FFFFFFFFh
		test	edx, edx
		jz	short loc_7D8289
		mov	eax, [edx+24h]

loc_7D8289:				; CODE XREF: CmGetVisibleValueCount+Aj
		test	ecx, ecx
		jz	short loc_7D829A
		cmp	[ebp+arg_0], 0
		jnz	loc_8F6152
		mov	eax, [ecx+30h]

loc_7D829A:				; CODE XREF: CmGetVisibleValueCount+11j
					; CmGetVisibleValueCount+11DEF8j
		pop	ebp
		retn	4
CmGetVisibleValueCount endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCreateHiveRootCell proc near		; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+103Dp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F6177 SIZE 0000007F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		xor	ecx, ecx
		xor	eax, eax
		push	esi
		mov	[ebp+var_24], ecx
		xor	edx, edx
		or	[ebp+var_24], 0FFFFFFFFh
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		lea	ecx, [ebx+24h]
		push	edi
		mov	word ptr [ebp+var_20], ax
		call	ExAcquirePushLockSharedEx
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	_CmpNameSize@4	; CmpNameSize(x)
		movzx	esi, ax
		mov	ecx, ebx
		lea	eax, [ebp+var_24]
		add	esi, 4Ch
		push	eax
		lea	eax, [ebp+var_C]
		mov	edx, esi
		push	eax
		push	0
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	[ebp+arg_0], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_8F6177
		push	esi		; size_t
		mov	esi, [ebp+var_C]
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, 6B6Eh
		mov	[esi], ax
		push	0Ch
		pop	eax
		mov	[esi+2], ax
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeQuerySystemTime
		mov	eax, [ebp+var_1C]
		or	ecx, 0FFFFFFFFh
		mov	[esi+4], eax
		mov	edx, edi
		mov	eax, [ebp+var_18]
		mov	[esi+8], eax
		lea	eax, [esi+2Ch]
		mov	[esi+10h], ecx
		mov	[esi+1Ch], ecx
		mov	[esi+20h], ecx
		mov	[esi+28h], ecx
		mov	[eax], ecx
		mov	[esi+30h], ecx
		lea	ecx, [esi+4Ch]
		mov	[ebp+var_18], eax
		call	CmpCopyName
		mov	[esi+48h], ax
		cmp	ax, [edi]
		jnb	short loc_7D836A
		or	word ptr [esi+2], 20h

loc_7D836A:				; CODE XREF: CmpCreateHiveRootCell+C5j
		test	byte ptr [ebx+980h], 20h
		mov	edx, [ebp+var_10]
		lea	ecx, [edx+1Ch]
		jz	loc_7D8478
		call	_CmpGenerateAppHiveSecurityDescriptor@4	; CmpGenerateAppHiveSecurityDescriptor(x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_8F617E

loc_7D838D:				; CODE XREF: CmpCreateHiveRootCell+1FEj
		lea	esi, [ebx+484h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		push	[ebp+var_18]	; int
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		push	0		; int
		push	[ebp+var_8]	; void *
		push	[ebp+var_C]	; int
		call	_CmpGetSecurityDescriptorNode@24 ; CmpGetSecurityDescriptorNode(x,x,x,x,x,x)
		xor	edx, edx
		mov	ecx, esi
		mov	edi, eax
		call	ExReleasePushLockEx
		mov	esi, [ebp+arg_4]
		test	edi, edi
		js	loc_8F61AA
		mov	ecx, [esi+24h]
		xor	edx, edx
		add	ecx, 28h
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi+24h]
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)
		mov	ecx, [esi+24h]
		call	HvCheckAndUpdateHiveBackupTimeStamp
		mov	edi, eax
		or	ecx, 0FFFFFFFFh
		mov	eax, [esi+24h]
		add	eax, 28h
		mov	[ebp+arg_4], eax
		lock xadd [eax], ecx
		test	cl, 2
		jnz	loc_8F61B2

loc_7D83FF:				; CODE XREF: CmpCreateHiveRootCell+11DF17j
					; CmpCreateHiveRootCell+11DF27j
		mov	ecx, eax
		call	KeAbPostRelease
		test	edi, edi
		js	loc_8F6198
		mov	eax, [ebx+20h]
		mov	ecx, [ebp+arg_0]
		or	[ebp+arg_0], 0FFFFFFFFh
		xor	edi, edi
		mov	[eax+24h], ecx
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx

loc_7D8422:				; CODE XREF: CmpCreateHiveRootCell+11DF07j
		mov	eax, [ebp+var_8]
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	short loc_7D843D
		test	byte ptr [ebx+980h], 20h
		jz	short loc_7D84A7
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7D843D:				; CODE XREF: CmpCreateHiveRootCell+18Cj
					; CmpCreateHiveRootCell+22Cj ...
		cmp	[ebp+var_C], 0
		jz	short loc_7D844B
		lea	eax, [ebp+var_24]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]

loc_7D844B:				; CODE XREF: CmpCreateHiveRootCell+1A3j
		mov	eax, [ebp+arg_0]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_8F61E8

loc_7D8457:				; CODE XREF: CmpCreateHiveRootCell+11DF53j
		push	11h
		xor	edx, edx
		lea	esi, [ebx+24h]
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_7D84CF

loc_7D8468:				; CODE XREF: CmpCreateHiveRootCell+238j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7D8478:				; CODE XREF: CmpCreateHiveRootCell+D9j
		mov	eax, ds:_CmKeyObjectType
		xor	esi, esi
		mov	edx, [edx+2Ch]
		add	eax, 34h
		push	esi
		push	eax
		push	ecx
		push	esi
		push	1
		push	esi
		push	esi
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		push	eax
		call	RtlpNewSecurityObject
		mov	edi, eax
		test	edi, edi
		jns	loc_7D838D
		jmp	loc_8F618D
; 

loc_7D84A7:				; CODE XREF: CmpCreateHiveRootCell+195j
		test	byte ptr [esi],	1
		jz	short loc_7D84B6
		test	byte ptr [esi+14h], 4
		jnz	loc_8F61CA

loc_7D84B6:				; CODE XREF: CmpCreateHiveRootCell+20Cj
		mov	esi, [ebp+var_10]
		mov	esi, [esi+30h]
		mov	ecx, [esi+2Ch]
		test	ecx, ecx
		jnz	loc_8F61D8

loc_7D84C7:				; CODE XREF: CmpCreateHiveRootCell+11DF45j
		mov	[esi+2Ch], eax
		jmp	loc_7D843D
; 

loc_7D84CF:				; CODE XREF: CmpCreateHiveRootCell+1C8j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7D8468
CmpCreateHiveRootCell endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvMarkBaseBlockDirty(x)
_HvMarkBaseBlockDirty@4	proc near	; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+792p
					; CmpReorganizeHive+1CCp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+83h], 0
		jnz	short loc_7D850A
		cmp	dword ptr [esi+34h], 0
		jnz	short loc_7D850A
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	[esi+990h], eax
		mov	[esi+994h], edx
		call	CmpIssueNewDirtyCallback

loc_7D850A:				; CODE XREF: HvMarkBaseBlockDirty(x)+12j
					; HvMarkBaseBlockDirty(x)+18j
		test	byte ptr [esi+64h], 2
		mov	byte ptr [esi+83h], 1
		jnz	short loc_7D8541
		mov	eax, _CmpLazyFlushIntervalInSeconds
		mov	ecx, (offset loc_98967E+2)
		mul	ecx
		push	0
		add	eax, [esi+990h]
		mov	[ebp+var_8], eax
		adc	edx, [esi+994h]
		xor	ecx, ecx
		mov	[ebp+var_4], edx
		lea	edx, [ebp+var_8]
		call	CmpArmLazyWriter

loc_7D8541:				; CODE XREF: HvMarkBaseBlockDirty(x)+3Dj
		pop	esi
		leave
		retn
_HvMarkBaseBlockDirty@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGenerateAppHiveSecurityDescriptor(x)
_CmpGenerateAppHiveSecurityDescriptor@4	proc near ; CODE XREF: CmpCreateHiveRootCell+DFp

var_170		= dword	ptr -170h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_60		= dword	ptr -60h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 170h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ecx+8]
		lea	eax, [ebp+var_150]
		push	edi
		push	0ECh		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_170]
		stosd
		push	54h		; size_t
		push	ebx		; int
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_60]
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	[ebp+var_154], ebx
		lea	eax, [ebp+var_170]
		mov	[ebp+var_158], ebx
		mov	edi, ebx
		push	1
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		lea	eax, [ebp+var_158]
		push	eax
		push	4
		push	esi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		test	eax, eax
		js	loc_7D86FB
		lea	eax, [ebp+var_154]
		push	eax
		push	5
		push	esi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		test	eax, eax
		js	loc_7D86FB
		mov	eax, [ebp+var_158]
		push	1
		mov	esi, [eax]
		mov	eax, [ebp+var_154]
		mov	edi, [eax]
		lea	eax, [ebp+var_170]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	ebx
		push	esi
		lea	eax, [ebp+var_170]
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		push	ebx
		push	edi
		lea	eax, [ebp+var_170]
		push	eax
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		push	2
		pop	edi
		push	edi		; int
		push	0ECh		; size_t
		lea	eax, [ebp+var_150]
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	ebx
		push	_SeWorldSid
		mov	esi, 0F003Fh
		lea	ecx, [ebp+var_150]
		push	esi
		push	edi
		mov	edx, edi
		call	RtlpAddKnownAce
		push	ebx
		push	_SeAllAppPackagesSid
		mov	edx, edi
		lea	ecx, [ebp+var_150]
		push	esi
		push	edi
		call	RtlpAddKnownAce
		push	ebx
		push	ds:_SeRestrictedSid
		mov	edx, edi
		lea	ecx, [ebp+var_150]
		push	esi
		push	edi
		call	RtlpAddKnownAce
		push	ebx
		lea	eax, [ebp+var_150]
		xor	esi, esi
		push	eax
		inc	esi
		lea	eax, [ebp+var_170]
		push	esi
		push	eax
		call	RtlSetDaclSecurityDescriptor
		push	edi		; int
		push	54h		; size_t
		lea	eax, [ebp+var_60]
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	esi
		push	ecx
		push	_SeLowMandatorySid
		lea	ecx, [ebp+var_60]
		push	ebx
		call	RtlAddMandatoryAce
		push	ebx
		lea	eax, [ebp+var_60]
		push	eax
		push	esi
		lea	eax, [ebp+var_170]
		push	eax
		call	_RtlSetSaclSecurityDescriptor@16 ; RtlSetSaclSecurityDescriptor(x,x,x,x)
		lea	eax, [ebp+var_15C]
		mov	[ebp+var_15C], ebx
		push	eax
		push	ebx
		lea	eax, [ebp+var_170]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		push	65536D43h
		push	[ebp+var_15C]
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7D86FB
		lea	eax, [ebp+var_15C]
		push	eax
		push	edi
		lea	eax, [ebp+var_170]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)

loc_7D86FB:				; CODE XREF: CmpGenerateAppHiveSecurityDescriptor(x)+78j
					; CmpGenerateAppHiveSecurityDescriptor(x)+8Fj ...
		cmp	[ebp+var_154], ebx
		jz	short loc_7D870F
		push	ebx
		push	[ebp+var_154]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7D870F:				; CODE XREF: CmpGenerateAppHiveSecurityDescriptor(x)+1BDj
		cmp	[ebp+var_158], ebx
		jz	short loc_7D8723
		push	ebx
		push	[ebp+var_158]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7D8723:				; CODE XREF: CmpGenerateAppHiveSecurityDescriptor(x)+1D1j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpGenerateAppHiveSecurityDescriptor@4	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1937. RtlAbsoluteToSelfRelativeSD

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAbsoluteToSelfRelativeSD(x, x, x)
		public _RtlAbsoluteToSelfRelativeSD@12
_RtlAbsoluteToSelfRelativeSD@12	proc near
					; CODE XREF: SepCheckAndCopySelfRelativeSD(x,x,x,x)+33p
					; SepCheckAndCopySelfRelativeSD(x,x,x,x)+60p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		cmp	word ptr [ecx+2], 0
		jl	short loc_7D8758
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		call	RtlMakeSelfRelativeSD

loc_7D8754:				; CODE XREF: RtlAbsoluteToSelfRelativeSD(x,x,x)+23j
		pop	ebp
		retn	0Ch
; 

loc_7D8758:				; CODE XREF: RtlAbsoluteToSelfRelativeSD(x,x,x)+Dj
		mov	eax, 0C00000E7h
		jmp	short loc_7D8754
_RtlAbsoluteToSelfRelativeSD@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlMakeSelfRelativeSD proc near		; CODE XREF: RtlAbsoluteToSelfRelativeSD(x,x,x)+15p
					; RtlpSysVolCheckOwnerAndSecurity(x,x)+212p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F61F6 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		push	eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ebx
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_4], ebx
		push	eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], ebx
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_1C], ebx
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		push	eax
		lea	edx, [ebp+var_1C]
		mov	[ebp+var_14], ebx
		call	RtlpQuerySecurityDescriptor
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_C]
		mov	[ebp+var_C], eax
		add	eax, ecx
		add	eax, [ebp+var_4]
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_10], ecx
		add	ecx, 14h
		add	eax, ecx
		mov	ecx, [ebp+arg_0]
		cmp	eax, [ecx]
		ja	short loc_7D8832
		test	edi, edi
		jz	loc_8F61F6
		push	eax		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	eax, [esi]
		add	esp, 0Ch
		lea	esi, [edi+14h]
		mov	[edi], eax
		cmp	[ebp+var_4], ebx
		ja	short loc_7D8867
		mov	eax, ebx

loc_7D87F1:				; CODE XREF: RtlMakeSelfRelativeSD+11Cj
		mov	[edi+0Ch], eax
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_7D880F
		push	eax		; size_t
		push	[ebp+var_18]	; void *
		push	esi		; void *
		call	_memcpy
		mov	ebx, esi
		add	esp, 0Ch
		sub	ebx, edi
		add	esi, [ebp+var_10]

loc_7D880F:				; CODE XREF: RtlMakeSelfRelativeSD+99j
		mov	[edi+10h], ebx
		mov	ebx, [ebp+var_C]
		test	ebx, ebx
		jnz	short loc_7D883B

loc_7D8819:				; CODE XREF: RtlMakeSelfRelativeSD+F1j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_7D8853

loc_7D8820:				; CODE XREF: RtlMakeSelfRelativeSD+105j
		mov	eax, 8000h
		or	[edi+2], ax
		xor	eax, eax

loc_7D882B:				; CODE XREF: RtlMakeSelfRelativeSD+D9j
					; RtlMakeSelfRelativeSD+11DA9Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7D8832:				; CODE XREF: RtlMakeSelfRelativeSD+6Ej
		mov	[ecx], eax
		mov	eax, 0C0000023h
		jmp	short loc_7D882B
; 

loc_7D883B:				; CODE XREF: RtlMakeSelfRelativeSD+B7j
		push	ebx		; size_t
		push	[ebp+var_1C]	; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, esi
		add	esp, 0Ch
		sub	eax, edi
		add	esi, ebx
		mov	[edi+4], eax
		jmp	short loc_7D8819
; 

loc_7D8853:				; CODE XREF: RtlMakeSelfRelativeSD+BEj
		push	eax		; size_t
		push	[ebp+var_20]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		sub	esi, edi
		mov	[edi+8], esi
		jmp	short loc_7D8820
; 

loc_7D8867:				; CODE XREF: RtlMakeSelfRelativeSD+8Dj
		push	[ebp+var_4]	; size_t
		push	[ebp+var_14]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	esi, [ebp+var_4]
		push	14h
		pop	eax
		jmp	loc_7D87F1
RtlMakeSelfRelativeSD endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpQuerySecurityDescriptor proc near	; CODE XREF: RtlMakeSelfRelativeSD+48p
					; RtlSelfRelativeToAbsoluteSD+51p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008F6200 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, [ecx+4]
		cmp	[ecx+2], si
		jl	loc_7D8954

loc_7D8898:				; CODE XREF: RtlpQuerySecurityDescriptor+DBj
		mov	[edx], edi
		test	edi, edi
		jnz	short loc_7D8918
		mov	edx, esi

loc_7D88A0:				; CODE XREF: RtlpQuerySecurityDescriptor+A4j
		mov	eax, [ebp+arg_0]
		mov	[eax], edx
		movzx	eax, word ptr [ecx+2]
		mov	edx, eax
		test	al, 4
		jz	loc_8F6200
		test	dx, dx
		mov	edx, [ecx+10h]
		js	loc_7D8962

loc_7D88BF:				; CODE XREF: RtlpQuerySecurityDescriptor+E9j
					; RtlpQuerySecurityDescriptor+11D980j
		mov	eax, [ebp+arg_C]
		mov	[eax], edx
		test	edx, edx
		jz	loc_8F6207
		movzx	edx, word ptr [edx+2]
		add	edx, 3
		and	edx, 0FFFFFFFCh

loc_7D88D6:				; CODE XREF: RtlpQuerySecurityDescriptor+11D987j
		mov	eax, [ebp+arg_10]
		mov	[eax], edx
		mov	edx, [ecx+8]
		cmp	[ecx+2], si
		jl	loc_7D8970

loc_7D88E8:				; CODE XREF: RtlpQuerySecurityDescriptor+F7j
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		test	edx, edx
		jnz	short loc_7D892B
		mov	edx, esi

loc_7D88F3:				; CODE XREF: RtlpQuerySecurityDescriptor+B7j
		mov	eax, [ebp+arg_8]
		mov	[eax], edx
		movzx	eax, word ptr [ecx+2]
		mov	edx, eax
		test	al, 10h
		jnz	short loc_7D893B
		mov	edx, esi

loc_7D8904:				; CODE XREF: RtlpQuerySecurityDescriptor+BFj
					; RtlpQuerySecurityDescriptor+11D995j
		mov	eax, [ebp+arg_14]
		mov	[eax], edx
		test	edx, edx
		jnz	short loc_7D8948

loc_7D890D:				; CODE XREF: RtlpQuerySecurityDescriptor+D0j
		mov	eax, [ebp+arg_18]
		pop	edi
		mov	[eax], esi
		pop	esi
		pop	ebp
		retn	1Ch
; 

loc_7D8918:				; CODE XREF: RtlpQuerySecurityDescriptor+1Aj
		movzx	eax, byte ptr [edi+1]
		lea	edx, ds:0Bh[eax*4]
		and	edx, 0FFFFFFFCh
		jmp	loc_7D88A0
; 

loc_7D892B:				; CODE XREF: RtlpQuerySecurityDescriptor+6Dj
		movzx	eax, byte ptr [edx+1]
		lea	edx, ds:0Bh[eax*4]
		and	edx, 0FFFFFFFCh
		jmp	short loc_7D88F3
; 

loc_7D893B:				; CODE XREF: RtlpQuerySecurityDescriptor+7Ej
		test	dx, dx
		mov	edx, [ecx+0Ch]
		jns	short loc_7D8904
		jmp	loc_8F620E
; 

loc_7D8948:				; CODE XREF: RtlpQuerySecurityDescriptor+89j
		movzx	esi, word ptr [edx+2]
		add	esi, 3
		and	esi, 0FFFFFFFCh
		jmp	short loc_7D890D
; 

loc_7D8954:				; CODE XREF: RtlpQuerySecurityDescriptor+10j
		lea	eax, [edi+ecx]
		neg	edi
		sbb	edi, edi
		and	edi, eax
		jmp	loc_7D8898
; 

loc_7D8962:				; CODE XREF: RtlpQuerySecurityDescriptor+37j
		lea	eax, [edx+ecx]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		jmp	loc_7D88BF
; 

loc_7D8970:				; CODE XREF: RtlpQuerySecurityDescriptor+60j
		lea	eax, [edx+ecx]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		jmp	loc_7D88E8
RtlpQuerySecurityDescriptor endp


;  S U B	R O U T	I N E 


; __stdcall CmWorkerEngineQueueWorkItem(x)
_CmWorkerEngineQueueWorkItem@4 proc near ; CODE	XREF: CmpDoQueueLateUnloadWorker+C0p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _CmpWorkerEngineLock
		mov	ecx, edi
		xor	bl, bl
		call	ExAcquireFastMutex
		mov	eax, dword_6CE104
		mov	ecx, offset _CmpWorkerEngineListHead
		cmp	[eax], ecx
		jnz	short loc_7D89DA
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6CE104, esi
		cmp	_CmpWorkerEngineWorkItemActive,	bl
		jnz	short loc_7D89BF
		mov	_CmpWorkerEngineWorkItemActive,	1
		inc	bl

loc_7D89BF:				; CODE XREF: CmWorkerEngineQueueWorkItem(x)+36j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	bl, bl
		jz	short loc_7D89D6
		push	1
		push	offset _CmpWorkerEngineWorkItem
		call	ExQueueWorkItem

loc_7D89D6:				; CODE XREF: CmWorkerEngineQueueWorkItem(x)+4Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7D89DA:				; CODE XREF: CmWorkerEngineQueueWorkItem(x)+21j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CmWorkerEngineQueueWorkItem@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetVolumeLogFileSizeCap proc	near	; CODE XREF: CmpOpenHiveFile+3B3p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F621C SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		push	6
		mov	edx, ecx
		lea	edi, [ebp+var_20]
		pop	ecx
		xor	eax, eax
		and	[ebp+var_28], eax
		and	[ebp+var_24], eax
		push	3
		rep stosd
		push	18h
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	edx
		call	_ZwQueryVolumeInformationFile@20 ; ZwQueryVolumeInformationFile(x,x,x,x,x)
		test	eax, eax
		js	short loc_7D8A4E
		mov	eax, [ebp+var_C]
		mul	[ebp+var_10]
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	edx
		push	eax
		call	__allmul
		shrd	eax, edx, 0Bh
		mov	ecx, 2000000h
		cmp	eax, ecx
		jb	loc_8F621C

loc_7D8A3F:				; CODE XREF: CmpGetVolumeLogFileSizeCap+11D849j
		mov	eax, ecx

loc_7D8A41:				; CODE XREF: CmpGetVolumeLogFileSizeCap+73j
					; CmpGetVolumeLogFileSizeCap+11D843j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7D8A4E:				; CODE XREF: CmpGetVolumeLogFileSizeCap+39j
		mov	eax, 2000000h
		jmp	short loc_7D8A41
CmpGetVolumeLogFileSizeCap endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerRequestCompare(x, x, x)
_PopPowerRequestCompare@12 proc	near	; DATA XREF: PopPowerRequestInit()+E3o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+4]
		mov	eax, [ebp+arg_8]
		mov	edx, [eax+4]
		xor	eax, eax
		cmp	ecx, edx
		jl	short loc_7D8A71
		setle	al
		inc	eax

loc_7D8A71:				; CODE XREF: PopPowerRequestCompare(x,x,x)+15j
		pop	ebp
		retn	0Ch
_PopPowerRequestCompare@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2029. RtlDeleteAce

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDeleteAce(x, x)
		public _RtlDeleteAce@8
_RtlDeleteAce@8	proc near		; CODE XREF: RtlInitEnumerationHashTable(x,x)+82p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	esi
		call	RtlValidAcl
		test	al, al
		jz	short loc_7D8ADE
		movzx	eax, word ptr [esi+4]
		mov	edi, [ebp+arg_4]
		cmp	edi, eax
		jnb	short loc_7D8ADE
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		call	_RtlFirstFreeAce@8 ; RtlFirstFreeAce(x,x)
		test	al, al
		jz	short loc_7D8ADE
		lea	ecx, [esi+8]
		test	edi, edi
		jz	short loc_7D8ABE

loc_7D8AB3:				; CODE XREF: RtlDeleteAce(x,x)+42j
		movzx	eax, word ptr [ecx+2]
		add	ecx, eax	; int
		sub	edi, 1
		jnz	short loc_7D8AB3

loc_7D8ABE:				; CODE XREF: RtlDeleteAce(x,x)+37j
		mov	eax, [ebp+var_4]
		movzx	edx, word ptr [ecx+2] ;	size_t
		sub	eax, ecx
		push	eax		; int
		call	RtlpDeleteData
		mov	eax, 0FFFFh
		add	[esi+4], ax
		xor	eax, eax

loc_7D8AD8:				; CODE XREF: RtlDeleteAce(x,x)+69j
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_7D8ADE:				; CODE XREF: RtlDeleteAce(x,x)+17j
					; RtlDeleteAce(x,x)+22j ...
		mov	eax, 0C000000Dh
		jmp	short loc_7D8AD8
_RtlDeleteAce@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlpDeleteData(int,size_t,int)
RtlpDeleteData	proc near		; CODE XREF: RtlDeleteAce(x,x)+4Ep

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F622E SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		cmp	edx, [ebp+arg_0]
		jb	short loc_7D8B14

loc_7D8AF6:				; CODE XREF: RtlpDeleteData+11D754j
		mov	eax, [ebp+arg_0]
		sub	eax, edx
		cmp	eax, [ebp+arg_0]
		jnb	short loc_7D8B0E
		push	edx		; size_t
		add	eax, ebx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_7D8B0E:				; CODE XREF: RtlpDeleteData+18j
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7D8B14:				; CODE XREF: RtlpDeleteData+Ej
		sub	ecx, edx
		jmp	loc_8F622E
RtlpDeleteData	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtInternerEntryInitialize(x, x, x)
_PopEtInternerEntryInitialize@12 proc near ; DATA XREF:	PopEtInit+81o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_8]
		cmp	dword ptr [edx], 2Ch
		jnz	short loc_7D8B8E
		mov	eax, [edx+4]
		mov	ecx, [ebp+arg_4]
		mov	eax, [eax+4]
		mov	[ecx+10h], eax
		mov	eax, [edx+4]
		mov	eax, [eax+14h]
		mov	[ecx+20h], eax
		mov	eax, [edx+4]
		mov	ax, [eax+18h]
		mov	[ecx+2Ah], ax
		mov	eax, [edx+4]
		mov	eax, [eax+24h]
		mov	[ecx+14h], eax
		mov	eax, [edx+4]
		mov	ax, [eax+28h]
		shr	ax, 1
		mov	[ecx+24h], ax
		mov	eax, [edx+4]
		mov	eax, [eax+34h]
		mov	[ecx+18h], eax
		mov	eax, [edx+4]
		mov	ax, [eax+38h]
		shr	ax, 1
		mov	[ecx+26h], ax
		mov	eax, [edx+4]
		mov	eax, [eax+44h]
		mov	[ecx+1Ch], eax
		mov	eax, [edx+4]
		mov	ax, [eax+48h]
		shr	ax, 1
		mov	[ecx+28h], ax

loc_7D8B8E:				; CODE XREF: PopEtInternerEntryInitialize(x,x,x)+Bj
		pop	ebp
		retn	0Ch
_PopEtInternerEntryInitialize@12 endp

; 
		align 8
; Exported entry 2371. RtlUTF8ToUnicodeN

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUTF8ToUnicodeN
RtlUTF8ToUnicodeN proc near		; CODE XREF: RtlMultiByteToUnicodeN+185CA7p
					; RtlMultiByteToUnicodeSize+185CBBp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F623F SIZE 00000279 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_C]
		xor	edx, edx
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		lea	eax, [ebx+esi]
		mov	[ebp+arg_10], eax
		mov	eax, [ebp+arg_4]
		shr	eax, 1
		lea	eax, [edi+eax*2]
		mov	[ebp+arg_C], eax
		xor	eax, eax
		mov	[ebp+var_4], eax
		test	ebx, ebx
		jz	loc_8F623F
		test	edi, edi
		jz	loc_8F6249

loc_7D8BD4:				; CODE XREF: RtlUTF8ToUnicodeN+159j
		mov	edi, [ebp+arg_10]

loc_7D8BD7:				; CODE XREF: RtlUTF8ToUnicodeN+1A5j
					; RtlUTF8ToUnicodeN+11D70Aj ...
		cmp	ebx, edi
		jnb	loc_7D8D36
		movsx	esi, byte ptr [ebx]
		inc	ebx
		test	edx, edx
		jnz	loc_8F6269
		mov	edx, esi
		cmp	edx, 7Fh
		ja	loc_8F6318

loc_7D8BF6:				; CODE XREF: RtlUTF8ToUnicodeN+11D6E7j
		mov	esi, [ebp+arg_C]

loc_7D8BF9:				; CODE XREF: RtlUTF8ToUnicodeN+11D74Cj
					; RtlUTF8ToUnicodeN+11D77Bj
		cmp	ecx, esi
		jnb	loc_8F647C
		mov	[ecx], dx
		mov	eax, esi
		add	ecx, 2
		mov	edx, edi
		sub	eax, ecx
		sub	edx, ebx
		sar	eax, 1
		cmp	edx, 0Dh
		jbe	loc_7D8CF6
		cmp	edx, eax
		jnb	loc_8F6368

loc_7D8C22:				; CODE XREF: RtlUTF8ToUnicodeN+11D7D2j
		lea	edi, [edx-7]
		lea	edi, [ecx+edi*2]
		mov	[ebp+arg_4], edi

loc_7D8C2B:				; CODE XREF: RtlUTF8ToUnicodeN+11D8D7j
		cmp	ecx, edi
		jnb	loc_7D8CEF
		movsx	edx, byte ptr [ebx]
		inc	ebx
		cmp	edx, 7Fh
		ja	loc_8F6394
		mov	[ecx], dx
		add	ecx, 2
		test	bl, 1
		jnz	loc_8F636F

loc_7D8C4F:				; CODE XREF: RtlUTF8ToUnicodeN+11D7E6j
		test	bl, 2
		jz	short loc_7D8C7B
		movzx	eax, word ptr [ebx]
		mov	edx, eax
		test	edx, 8080h
		jnz	loc_8F6383
		shr	edx, 8
		and	eax, 7Fh
		and	edx, 7Fh
		mov	[ecx], ax
		add	ebx, 2
		mov	[ecx+2], dx
		add	ecx, 4

loc_7D8C7B:				; CODE XREF: RtlUTF8ToUnicodeN+BAj
					; RtlUTF8ToUnicodeN+155j
		cmp	ecx, edi
		jnb	short loc_7D8CEF
		mov	esi, [ebx+4]
		mov	eax, esi
		mov	edx, [ebx]
		or	eax, edx
		test	eax, 80808080h
		jnz	loc_8F6383
		mov	eax, edx
		add	ebx, 8
		and	eax, 7Fh
		mov	[ecx], ax
		mov	eax, edx
		shr	eax, 8
		and	eax, 7Fh
		mov	[ecx+2], ax
		mov	eax, edx
		shr	eax, 10h
		and	eax, 7Fh
		shr	edx, 18h
		mov	[ecx+4], ax
		and	edx, 7Fh
		mov	[ecx+6], dx
		mov	eax, esi
		push	7Fh
		pop	edx
		and	eax, edx
		mov	[ecx+8], ax
		mov	eax, esi
		shr	eax, 8
		and	eax, edx
		mov	[ecx+0Ah], ax
		mov	eax, esi
		shr	eax, 10h
		shr	esi, 18h
		and	eax, edx
		and	esi, edx
		mov	[ecx+0Ch], ax
		mov	[ecx+0Eh], si
		add	ecx, 10h
		jmp	short loc_7D8C7B
; 

loc_7D8CEF:				; CODE XREF: RtlUTF8ToUnicodeN+95j
					; RtlUTF8ToUnicodeN+E5j ...
		xor	edx, edx
		jmp	loc_7D8BD4
; 

loc_7D8CF6:				; CODE XREF: RtlUTF8ToUnicodeN+7Cj
		cmp	eax, edx
		jb	short loc_7D8D3B

loc_7D8CFA:				; CODE XREF: RtlUTF8ToUnicodeN+179j
		cmp	ebx, edi
		jnb	short loc_7D8D13
		movsx	edx, byte ptr [ebx]
		inc	ebx
		cmp	edx, 7Fh
		ja	loc_8F6318
		mov	[ecx], dx
		add	ecx, 2
		jmp	short loc_7D8CFA
; 

loc_7D8D13:				; CODE XREF: RtlUTF8ToUnicodeN+164j
		xor	edx, edx

loc_7D8D15:				; CODE XREF: RtlUTF8ToUnicodeN+1A1j
		test	edx, edx
		jnz	loc_8F6495
		mov	eax, [ebp+var_4]

loc_7D8D20:				; CODE XREF: RtlUTF8ToUnicodeN+11D90Bj
					; RtlUTF8ToUnicodeN+11D91Bj
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jz	short loc_7D8D2F
		sub	ecx, [ebp+arg_0]
		and	ecx, 0FFFFFFFEh
		mov	[edx], ecx

loc_7D8D2F:				; CODE XREF: RtlUTF8ToUnicodeN+18Dj
					; RtlUTF8ToUnicodeN+11D6ACj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7D8D36:				; CODE XREF: RtlUTF8ToUnicodeN+41j
		mov	esi, [ebp+arg_C]
		jmp	short loc_7D8D15
; 

loc_7D8D3B:				; CODE XREF: RtlUTF8ToUnicodeN+160j
		xor	edx, edx
		jmp	loc_7D8BD7
RtlUTF8ToUnicodeN endp

; Exported entry 666. FsRtlSyncVolumes

;  S U B	R O U T	I N E 


; __stdcall FsRtlSyncVolumes(x,	x, x)
		public _FsRtlSyncVolumes@12
_FsRtlSyncVolumes@12 proc near		; DATA XREF: .text:00581044o
		xor	eax, eax
		retn	0Ch
_FsRtlSyncVolumes@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall AlpcpWalkConnectionList(x)
_AlpcpWalkConnectionList@4 proc	near	; CODE XREF: AlpcpDisconnectPort+20Ep
		mov	edi, edi
		push	esi
		mov	esi, [ecx+8]
		add	esi, 0Ch
		push	edi
		mov	edi, [esi]
		cmp	edi, esi
		jz	short loc_7D8D80
		push	ebx

loc_7D8D59:				; CODE XREF: AlpcpWalkConnectionList(x)+35j
		lea	ebx, [edi-10h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7D8D83

loc_7D8D72:				; CODE XREF: AlpcpWalkConnectionList(x)+42j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	edi, [edi]
		cmp	edi, esi
		jnz	short loc_7D8D59
		pop	ebx

loc_7D8D80:				; CODE XREF: AlpcpWalkConnectionList(x)+Ej
		pop	edi
		pop	esi
		retn
; 

loc_7D8D83:				; CODE XREF: AlpcpWalkConnectionList(x)+28j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7D8D72
_AlpcpWalkConnectionList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SleepstudyHelperBuildBlocker proc near	; CODE XREF: SleepstudyHelper_RegisterComponentEx(x,x,x,x,x,x,x,x,x,x,x)+6Ap
					; SleepstudyHelper_RegisterPdoWithParentGuid(x,x,x,x,x,x,x)+59p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F64B8 SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	esi, esi
		mov	eax, [eax]
		mov	ebx, esi
		mov	[ebp+var_C], eax
		push	edi
		mov	edi, esi
		mov	eax, [eax+0Ch]
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_4], ebx
		jz	loc_8F64E1
		mov	edx, eax
		mov	ecx, 120h
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		push	[ebp+var_4]
		mov	ebx, eax
		push	48h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	ebx, ebx
		jz	loc_8F64D5
		test	edi, edi
		jz	loc_8F64D5
		push	118h		; size_t
		lea	ecx, [ebx+4]
		push	esi		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		push	48h		; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	[ebx+11Ch], edi
		mov	[edi+44h], ebx
		mov	[ebx], esi
		mov	dword ptr [edi+40h], 1
		cmp	byte ptr [ecx+34h], 0
		jnz	loc_8F64B8

loc_7D8E20:				; CODE XREF: SleepstudyHelperBuildBlocker+11D730j
		mov	eax, [ecx+30h]
		test	eax, eax
		jz	short loc_7D8E39
		mov	[ebx+118h], eax
		mov	eax, [eax+11Ch]
		add	eax, 40h
		lock inc dword ptr [eax]

loc_7D8E39:				; CODE XREF: SleepstudyHelperBuildBlocker+99j
		mov	edx, [ebp+var_C]
		lea	eax, [edi+8]
		mov	[edi+4], edi
		lea	esi, [ecx+8]
		mov	[edi], edi
		mov	[edi+10h], edx
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[ebp+var_4], eax
		mov	eax, [ecx+4]
		mov	[edi+14h], eax
		add	edi, 18h
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_8]
		lea	esi, [ecx+18h]
		add	edi, 28h
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ecx+28h]
		xor	edi, edi
		mov	esi, [ebp+var_8]
		mov	[esi+38h], eax
		mov	eax, [ecx+2Ch]
		mov	[esi+3Ch], eax
		lea	eax, [edx+8]
		mov	[ecx+28h], edi
		xor	edx, edx
		mov	[ecx+2Ch], edi
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_C]
		add	eax, 14h
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_7D8F05
		mov	[esi+4], ecx
		mov	[esi], eax
		mov	[ecx], esi
		mov	ecx, [ebp+var_8]
		mov	[eax+4], esi
		call	SSHSupportReleasePushLockExclusive
		mov	esi, [esi+14h]
		xor	edx, edx
		shl	esi, 4
		add	esi, offset _SshpBlockerCollections
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		lea	ecx, [esi+8]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_7D8F05
		mov	eax, [ebp+var_4]
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		cmp	byte ptr [esi+4], 0
		jnz	loc_8F64C1

loc_7D8EE7:				; CODE XREF: SleepstudyHelperBuildBlocker+11D744j
		mov	ecx, esi
		call	SSHSupportReleasePushLockExclusive
		mov	eax, [ebp+arg_0]
		push	eax
		call	SleepstudyHelperDestroyBlockerBuilder
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx

loc_7D8EFC:				; CODE XREF: SleepstudyHelperBuildBlocker+11D776j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7D8F05:				; CODE XREF: SleepstudyHelperBuildBlocker+111j
					; SleepstudyHelperBuildBlocker+142j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
SleepstudyHelperBuildBlocker endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SleepstudyHelperDestroyBlockerBuilder proc near
					; CODE XREF: SleepstudyHelperCreateBlockerFromGuid+CE4F4p
					; SleepstudyHelperBuildBlocker+166p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F6507 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	short loc_7D8F49
		mov	eax, [esi]
		xor	edi, edi
		mov	ecx, [esi+2Ch]
		push	ebx
		mov	ebx, [eax+0Ch]
		test	ecx, ecx
		jnz	loc_8F6507

loc_7D8F2B:				; CODE XREF: SleepstudyHelperDestroyBlockerBuilder+11D60Cj
		mov	ecx, [esi+30h]
		test	ecx, ecx
		jz	short loc_7D8F37
		call	SshpDereferenceBlocker

loc_7D8F37:				; CODE XREF: SleepstudyHelperDestroyBlockerBuilder+26j
		mov	edx, ebx
		mov	ecx, esi
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		pop	ebx

loc_7D8F41:				; CODE XREF: SleepstudyHelperDestroyBlockerBuilder+44j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_7D8F49:				; CODE XREF: SleepstudyHelperDestroyBlockerBuilder+Cj
		mov	edi, 0C000000Dh
		jmp	short loc_7D8F41
SleepstudyHelperDestroyBlockerBuilder endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SshpDereferenceBlocker proc near	; CODE XREF: SleepstudyHelperSetBlockerParentHandle(x,x):loc_50DF88p
					; SleepstudyHelperDestroyBlockerBuilder+28p ...

; FUNCTION CHUNK AT 008F651B SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi

loc_7D8F57:				; CODE XREF: SshpDereferenceBlocker+11D5D4j
		mov	edx, [ecx+11Ch]
		or	eax, 0FFFFFFFFh
		mov	esi, [ecx+118h]
		add	edx, 40h
		lock xadd [edx], eax
		dec	eax
		jz	loc_8F651B

loc_7D8F74:				; CODE XREF: SshpDereferenceBlocker+11D5DAj
		pop	esi
		leave
		retn
SshpDereferenceBlocker endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 542. FsRtlIncrementCcFastReadNotPossible

;  S U B	R O U T	I N E 


; __stdcall FsRtlIncrementCcFastReadNotPossible()
		public _FsRtlIncrementCcFastReadNotPossible@0
_FsRtlIncrementCcFastReadNotPossible@0 proc near
		inc	large dword ptr	fs:608h
		retn
_FsRtlIncrementCcFastReadNotPossible@0 endp


;  S U B	R O U T	I N E 


; __stdcall PspInheritQuota(x, x)
_PspInheritQuota@8 proc	near		; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+FC2p
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1043p
		test	edx, edx
		jz	short loc_7D8FA3
		mov	eax, [edx+188h]

loc_7D8F8E:				; CODE XREF: PspInheritQuota(x,x)+24j
		lock inc dword ptr [eax+200h]
		lock inc dword ptr [eax+204h]
		mov	[ecx+188h], eax
		retn
; 

loc_7D8FA3:				; CODE XREF: PspInheritQuota(x,x)+2j
		mov	eax, offset _PspSystemQuotaBlock
		jmp	short loc_7D8F8E
_PspInheritQuota@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

wil_StagingConfig_QueryFeatureState proc near
					; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+4Cp

var_110		= dword	ptr -110h
var_FC		= dword	ptr -0FCh
var_EC		= dword	ptr -0ECh
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F652F SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 110h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_8]
		lea	eax, [ebp+var_110]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_D8], edx
		push	34h		; int
		push	edi		; int
		push	eax		; void *
		mov	esi, ecx
		mov	[ebp+var_DC], edi
		call	_memset
		pop	ecx
		pop	ecx
		lea	eax, [ebp+var_D4]
		mov	edx, esi	; int
		push	eax		; int
		push	ecx		; int
		lea	ecx, [ebp+var_110] ; void *
		call	wil_details_StagingConfig_Load
		test	eax, eax
		jnz	short loc_7D9031
		push	[ebp+arg_4]
		mov	edx, [ebp+var_D8]
		lea	ecx, [ebp+var_110]
		push	[ebp+arg_0]
		call	wil_details_StagingConfig_QueryFeatureState
		mov	[ebp+var_DC], eax
		test	ebx, ebx
		jnz	loc_8F652F

loc_7D9024:				; CODE XREF: wil_StagingConfig_QueryFeatureState+11D5B6j
		cmp	[ebp+var_E0], 0
		jnz	loc_8F6565

loc_7D9031:				; CODE XREF: wil_StagingConfig_QueryFeatureState+53j
					; wil_StagingConfig_QueryFeatureState+11D5CBj
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_DC]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
wil_StagingConfig_QueryFeatureState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

wil_RtlStagingConfig_QueryFeatureState proc near
					; CODE XREF: wil_details_GetCurrentFeatureEnabledState(x,x)+39p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F657A SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		xor	ebx, ebx
		stosd
		mov	esi, ecx
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		xor	eax, eax
		cmp	[ebp+arg_0], eax
		setz	al
		push	eax
		push	edx
		call	_RtlQueryFeatureConfiguration@16 ; RtlQueryFeatureConfiguration(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8F657A
		cmp	edi, 117h
		jz	loc_8F65BC

loc_7D908C:				; CODE XREF: wil_RtlStagingConfig_QueryFeatureState+11D56Fj
					; wil_RtlStagingConfig_QueryFeatureState+11D580j
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jnz	loc_8F65CD

loc_7D9097:				; CODE XREF: wil_RtlStagingConfig_QueryFeatureState+11D592j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
wil_RtlStagingConfig_QueryFeatureState endp


;  S U B	R O U T	I N E 


; __stdcall RtlpFcLeaveRegion(x)
_RtlpFcLeaveRegion@4 proc near		; CODE XREF: RtlpFcBufferManagerDereferenceBuffers(x,x)+14j
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_RtlpFcLeaveRegion@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpFcQueryFeatureConfigurationFromBufferSet proc near
					; CODE XREF: RtlQueryFeatureConfiguration(x,x,x,x)+66p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F65DF SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	edx, [ebp+arg_0]
		mov	ecx, edx
		call	_RtlpFcValidateFeatureConfigurationType@4 ; RtlpFcValidateFeatureConfigurationType(x)
		test	eax, eax
		js	short loc_7D90DD
		xor	ecx, ecx
		lea	eax, [esi+8]

loc_7D90C6:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBufferSet+30j
		cmp	dword ptr [eax], 0
		jnz	loc_8F65DF
		inc	ecx
		add	eax, 10h
		cmp	ecx, 3
		jl	short loc_7D90C6
		mov	eax, 80000022h

loc_7D90DD:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBufferSet+19j
					; RtlpFcQueryFeatureConfigurationFromBufferSet+11D55Bj
		pop	edi
		pop	esi
		leave
		retn	8
RtlpFcQueryFeatureConfigurationFromBufferSet endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RtlpFcEnterRegion(x)
_RtlpFcEnterRegion@4 proc near		; CODE XREF: RtlpFcBufferManagerReferenceBuffers(x,x,x)+Cp
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		retn
_RtlpFcEnterRegion@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnHashUnsafeUnicodeString proc near	; CODE XREF: PfSnScanCommandLine(x,x)+5Cp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008F6606 SIZE 0000007E BYTES
; FUNCTION CHUNK AT 008F6698 SIZE 00000019 BYTES

		push	18h
		push	offset dword_6A41F0
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	edx, ecx
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], ebx
		movzx	esi, word ptr [edx]
		test	si, si
		jz	short loc_7D912E
		mov	ecx, [edx+4]
		test	cl, 1
		jnz	loc_7D91A2
		lea	edi, [ecx+esi]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		ja	short loc_7D91A7
		cmp	edi, ecx
		jb	short loc_7D91A7

loc_7D912E:				; CODE XREF: PfSnHashUnsafeUnicodeString+1Cj
					; PfSnHashUnsafeUnicodeString+B5j
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], ebx
		mov	edx, [edx+4]
		mov	edi, esi
		mov	esi, 4CB2Fh

loc_7D913E:				; CODE XREF: PfSnHashUnsafeUnicodeString+ACj
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edx
		cmp	edi, 8
		jl	loc_8F6606
		movzx	eax, byte ptr [edx+1]
		imul	ecx, eax, 25h
		movzx	eax, byte ptr [edx+2]
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [edx+3]
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [edx+4]
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [edx+5]
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [edx+6]
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [edx]
		imul	eax, 1A617D0Dh
		add	ecx, eax
		imul	eax, esi, 2FE8ED1Fh
		sub	ecx, eax
		movzx	esi, byte ptr [edx+7]
		add	esi, ecx
		add	edx, 8
		sub	edi, 8
		jmp	short loc_7D913E
; 

loc_7D91A2:				; CODE XREF: PfSnHashUnsafeUnicodeString+24j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7D91A7:				; CODE XREF: PfSnHashUnsafeUnicodeString+34j
					; PfSnHashUnsafeUnicodeString+38j
		mov	[eax], bl
		jmp	short loc_7D912E
PfSnHashUnsafeUnicodeString endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInitCmRM	proc near		; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+246p
					; CmpFinishSystemHivesLoad(x)+13Ap ...

var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4A		= byte ptr -4Ah
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F66B1 SIZE 000002EE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_4A], dl
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_24]
		xor	edx, edx
		stosd
		mov	ebx, ecx
		push	6
		pop	ecx
		push	7
		stosd
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_70], edx
		mov	[ebp+var_80], edx
		stosd
		mov	[ebp+var_5C], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_88], edx
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_44]
		mov	[ebp+var_64], edx
		stosd
		mov	[ebp+var_78], edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_68], edx
		stosd
		mov	[ebp+var_49], dl
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_A4]
		mov	[ebp+var_74], eax
		rep stosd
		lea	edi, [ebp+var_C4]
		mov	[ebp+var_84], eax
		pop	ecx
		mov	[ebp+var_60], eax
		mov	[ebp+var_8C], eax
		rep stosd
		cmp	ds:_CmpMiniNTBoot, al
		jnz	loc_7D976F
		test	ebx, ebx
		jz	loc_7D97CC

loc_7D9251:				; CODE XREF: CmpInitCmRM+626j
		test	dword ptr [ebx+64h], 8001h
		jnz	loc_7D976F
		lea	ecx, [ebp+var_14]
		call	CmpUuidCreate
		mov	esi, eax
		test	esi, esi
		js	loc_8F66B1
		lea	ecx, [ebp+var_34]
		call	CmpUuidCreate
		mov	esi, eax
		test	esi, esi
		js	loc_8F66B1
		push	6D524D43h
		push	58h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_54], esi
		test	esi, esi
		jz	loc_8F66BD
		push	58h		; size_t
		xor	edi, edi
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		push	6C724D43h
		push	38h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_A8], ecx
		test	ecx, ecx
		jz	loc_8F66E1
		lea	eax, [esi+8]
		mov	[esi+34h], edi
		mov	[eax+4], eax
		mov	[eax], eax
		movzx	eax, [ebp+var_4A]
		neg	eax
		mov	[esi+38h], edi
		push	ecx
		sbb	eax, eax
		and	eax, 4
		mov	[esi+3Ch], eax
		mov	[esi+40h], edi
		mov	[esi+44h], edi
		mov	[esi+24h], edi
		mov	[esi+28h], edi
		mov	[esi+2Ch], edi
		mov	[esi+50h], ecx
		call	ExInitializeResourceLite
		mov	esi, [ebx+20h]
		mov	eax, 6D746D72h
		cmp	[esi+0A4h], eax
		jnz	loc_8F66F8
		push	10h		; size_t
		lea	edi, [esi+94h]
		lea	eax, [ebp+var_24]
		push	edi		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8F6703

loc_7D9331:				; CODE XREF: CmpInitCmRM+11D56Cj
		push	10h		; size_t
		lea	edi, [esi+70h]
		lea	eax, [ebp+var_24]
		push	edi		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8F671D

loc_7D934B:				; CODE XREF: CmpInitCmRM+11D57Fj
		push	10h		; size_t
		lea	edi, [esi+80h]
		lea	eax, [ebp+var_24]
		push	edi		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8F6730
		mov	al, [ebp+var_49]

loc_7D936B:				; CODE XREF: CmpInitCmRM+11D58Dj
		mov	esi, [ebp+var_6C]

loc_7D936E:				; CODE XREF: CmpInitCmRM+11D654j
					; CmpInitCmRM+11D65Dj
		test	al, al
		jnz	loc_8F673E

loc_7D9376:				; CODE XREF: CmpInitCmRM+11D5BFj
		mov	eax, [ebx+400h]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_74]
		push	eax
		mov	eax, [ebx+20h]
		add	eax, 94h
		push	eax
		call	_RtlStringFromGUID@8 ; RtlStringFromGUID(x,x)
		mov	ecx, eax
		mov	[ebp+var_48], ecx
		test	ecx, ecx
		js	loc_8F68E5
		test	esi, esi
		jz	loc_7D97D7
		mov	ecx, [esi+400h]
		lea	edx, [ebp+var_84]
		call	CmpQueryNameString
		mov	ecx, eax
		mov	[ebp+var_48], ecx
		test	ecx, ecx
		js	loc_8F68D9
		lea	edi, [ebp+var_84]

loc_7D93CA:				; CODE XREF: CmpInitCmRM+637j
		mov	ax, [edi]
		add	ax, _TmLogExt
		add	ax, word ptr _CmpClfsLogPrefix
		add	ax, word ptr [ebp+var_74]
		mov	word ptr [ebp+var_60+2], ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[ebp+var_5C], eax
		test	eax, eax
		jz	loc_8F68C5
		push	offset _CmpClfsLogPrefix
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	edi
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		lea	eax, [ebp+var_74]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	offset _TmLogExt
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	esi, esi
		jz	short loc_7D9443
		lea	eax, [ebp+var_84]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_7D9443:				; CODE XREF: CmpInitCmRM+289j
		mov	ecx, [ebp+var_7C]
		lea	edx, [ebp+var_78]
		call	CmpQueryFileSecurityDescriptor
		mov	ecx, eax
		xor	edi, edi
		mov	[ebp+var_48], ecx
		test	ecx, ecx
		js	loc_8F68B9
		push	edi
		push	edi
		push	200h
		push	edi
		push	8
		pop	esi
		push	esi
		push	3
		push	[ebp+var_78]
		lea	eax, [ebp+var_60]
		push	7
		push	0C0000000h
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		call	ds:__imp__ClfsCreateLogFile@44 ; ClfsCreateLogFile(x,x,x,x,x,x,x,x,x,x,x)
		push	edi
		push	[ebp+var_78]
		mov	[ebp+var_48], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_48]
		test	ecx, ecx
		js	loc_8F6770
		lea	eax, [ebp+var_58]
		mov	[ebp+var_C0], edi
		push	eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_BC], edi
		push	eax
		push	[ebp+var_50]
		mov	[ebp+var_B8], edi
		mov	[ebp+var_B4], edi
		mov	[ebp+var_B0], edi
		mov	[ebp+var_AC], edi
		mov	[ebp+var_C4], 1
		call	ds:__imp__ClfsMgmtRegisterManagedClient@12 ; ClfsMgmtRegisterManagedClient(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_48], ecx
		test	ecx, ecx
		js	loc_8F68B1
		movzx	eax, _TmContainerExt
		push	6D524D43h
		add	eax, 18h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_7C], edx
		test	edx, edx
		jz	loc_8F68A2
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		mov	cx, _TmContainerExt
		movzx	eax, cx
		push	eax		; size_t
		push	off_6B30D4	; void *
		mov	dword ptr [edx], 1
		lea	esi, [eax+18h]
		mov	dword ptr [edx+0Ch], 9
		lea	eax, [edx+12h]
		mov	[edx+4], esi
		push	eax		; void *
		mov	[edx+10h], cx
		call	_memcpy
		add	esp, 0Ch
		push	esi
		mov	esi, [ebp+var_7C]
		push	esi
		push	[ebp+var_50]
		call	ds:__imp__ClfsMgmtInstallPolicy@12 ; ClfsMgmtInstallPolicy(x,x,x)
		xor	edi, edi
		mov	[ebp+var_48], eax
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_48]
		mov	esi, [ebp+var_54]
		test	ecx, ecx
		js	loc_8F6896
		mov	ecx, _CmpClfsLogPrefix
		mov	eax, [ebp+var_60]
		sub	eax, ecx
		mov	[ebp+var_A4], 18h
		mov	word ptr [ebp+var_8C], ax
		mov	eax, [ebp+var_60+2]
		sub	eax, ecx
		mov	[ebp+var_A0], edi
		mov	word ptr [ebp+var_8C+2], ax
		push	edi
		push	[ebp+var_64]
		movzx	eax, cx
		add	eax, [ebp+var_5C]
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_8C]
		push	eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_98], 240h
		push	eax
		push	0F003Fh
		lea	eax, [esi+10h]
		mov	[ebp+var_9C], edi
		push	eax
		mov	[ebp+var_94], edi
		mov	[ebp+var_90], edi
		call	_ZwCreateTransactionManager@24 ; ZwCreateTransactionManager(x,x,x,x,x,x)
		mov	[ebp+var_48], eax
		cmp	eax, 0C0000035h
		jz	loc_8F678F
		test	eax, eax
		js	short loc_7D9605
		push	dword ptr [esi+10h]
		call	_ZwRecoverTransactionManager@4 ; ZwRecoverTransactionManager(x)
		mov	[ebp+var_48], eax

loc_7D9605:				; CODE XREF: CmpInitCmRM+44Cj
					; CmpInitCmRM+11D616j
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [ebp+var_48]
		test	ecx, ecx
		js	loc_8F681D
		cmp	[ebp+var_50], edi
		jz	short loc_7D962A
		push	[ebp+var_50]
		call	ds:__imp__ClfsCloseLogFileObject@4 ; ClfsCloseLogFileObject(x)
		mov	[ebp+var_50], edi

loc_7D962A:				; CODE XREF: CmpInitCmRM+470j
		cmp	[ebp+var_58], edi
		jz	short loc_7D963B
		push	[ebp+var_58]
		call	ds:__imp__ClfsMgmtDeregisterManagedClient@4 ; ClfsMgmtDeregisterManagedClient(x)
		mov	[ebp+var_58], edi

loc_7D963B:				; CODE XREF: CmpInitCmRM+481j
		mov	eax, ds:_TmTransactionManagerObjectType
		lea	edx, [ebp+var_64]
		mov	ecx, [esi+10h]
		push	edi
		push	edx
		push	edi
		push	eax
		push	0F003Fh
		push	ecx
		mov	[ebp+var_64], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_64]
		mov	[ebp+var_48], ecx
		mov	[esi+14h], eax
		test	ecx, ecx
		js	loc_8F682C
		mov	esi, [ebx+20h]
		lea	edi, [ebp+var_44]
		add	esi, 70h
		lea	ecx, [ebp+var_A4]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_54]
		xor	edi, edi
		push	edi
		push	edi
		push	ecx
		lea	ecx, [ebp+var_44]
		mov	[ebp+var_A4], 18h
		push	ecx
		mov	[ebp+var_A0], edi
		lea	eax, [esi+18h]
		mov	[ebp+var_98], 240h
		mov	[ebp+var_9C], edi
		mov	[ebp+var_94], edi
		mov	[ebp+var_90], edi
		push	dword ptr [esi+10h]
		push	1F007Fh
		push	eax
		call	_ZwCreateResourceManager@28 ; ZwCreateResourceManager(x,x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_48], ecx
		cmp	ecx, 0C0000035h
		jz	loc_8F683B

loc_7D96D8:				; CODE XREF: CmpInitCmRM+11D6B0j
		test	ecx, ecx
		js	loc_8F6861
		push	dword ptr [esi+18h]
		call	_ZwRecoverResourceManager@4 ; ZwRecoverResourceManager(x)
		mov	ecx, eax
		mov	[ebp+var_48], ecx
		test	ecx, ecx
		js	loc_8F6870
		mov	eax, ds:_TmResourceManagerObjectType
		lea	edx, [ebp+var_64]
		mov	ecx, [esi+18h]
		push	edi
		push	edx
		push	edi
		push	eax
		push	1F007Fh
		push	ecx
		mov	[ebp+var_64], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_64]
		mov	[ebp+var_48], ecx
		mov	[esi+1Ch], eax
		test	ecx, ecx
		js	loc_8F687C
		mov	ecx, [ebp+var_6C]
		test	ecx, ecx
		jz	short loc_7D9780
		mov	[ecx+9A0h], esi
		mov	dword ptr [esi+20h], 1

loc_7D9739:				; CODE XREF: CmpInitCmRM+607j
		mov	[esi+30h], ecx
		call	_LOCK_CM_RM_LIST@0 ; LOCK_CM_RM_LIST()
		mov	eax, dword_6CDDC4
		mov	edx, offset _CmpRmListHead
		cmp	[eax], edx
		jnz	loc_7D97F9
		mov	[esi], edx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6CDDC4, esi
		call	_UNLOCK_CM_RM_LIST@0 ; UNLOCK_CM_RM_LIST()
		cmp	[ebp+var_4A], 0
		jnz	loc_8F6888

loc_7D976F:				; CODE XREF: CmpInitCmRM+97j
					; CmpInitCmRM+ACj ...
		xor	eax, eax

loc_7D9771:				; CODE XREF: CmpInitCmRM+11D530j
					; CmpInitCmRM+11D7EEj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7D9780:				; CODE XREF: CmpInitCmRM+57Ej
		mov	_CmRmSystem, esi

loc_7D9786:				; CODE XREF: CmpInitCmRM+5F7j
		mov	eax, dword_6B1644[edi]
		test	eax, eax
		jnz	short loc_7D97B5

loc_7D9790:				; CODE XREF: CmpInitCmRM+60Dj
		mov	eax, dword_6B1634[edi]
		test	eax, eax
		jnz	short loc_7D97E8

loc_7D979A:				; CODE XREF: CmpInitCmRM+61Ej
					; CmpInitCmRM+640j
		add	edi, 78h
		cmp	edi, 348h
		jb	short loc_7D9786
		mov	eax, ds:_CmpMasterHive
		mov	[eax+9A0h], esi
		inc	dword ptr [esi+20h]
		jmp	short loc_7D9739
; 

loc_7D97B5:				; CODE XREF: CmpInitCmRM+5E2j
		test	byte ptr [eax+64h], 2
		jnz	short loc_7D9790
		inc	dword ptr [esi+20h]
		mov	eax, dword_6B1644[edi]

loc_7D97C4:				; CODE XREF: CmpInitCmRM+64Bj
		mov	[eax+9A0h], esi
		jmp	short loc_7D979A
; 

loc_7D97CC:				; CODE XREF: CmpInitCmRM+9Fj
		mov	ebx, dword_6B179C
		jmp	loc_7D9251
; 

loc_7D97D7:				; CODE XREF: CmpInitCmRM+1F4j
		mov	edi, offset _CmpLogPath
		mov	[ebp+var_64], 34h
		jmp	loc_7D93CA
; 

loc_7D97E8:				; CODE XREF: CmpInitCmRM+5ECj
		test	byte ptr [eax+64h], 2
		jnz	short loc_7D979A
		inc	dword ptr [esi+20h]
		mov	eax, dword_6B1634[edi]
		jmp	short loc_7D97C4
; 

loc_7D97F9:				; CODE XREF: CmpInitCmRM+5A1j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
CmpInitCmRM	endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpUuidCreate	proc near		; CODE XREF: CmpInitCmRM+B5p
					; CmpInitCmRM+C7p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F699F SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, ecx

loc_7D9809:				; CODE XREF: CmpUuidCreate+11D1B9j
		push	esi
		call	ExUuidCreate
		cmp	eax, 0C000022Dh
		jz	loc_8F699F
		pop	esi
		leave
		retn
CmpUuidCreate	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall UNLOCK_CM_RM_LIST()
_UNLOCK_CM_RM_LIST@0 proc near		; CODE XREF: CmpInitCmRM+5B4p
		mov	edi, edi
		push	ecx
		mov	ecx, offset _CmpRmListLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	ecx
		retn
_UNLOCK_CM_RM_LIST@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall LOCK_CM_RM_LIST()
_LOCK_CM_RM_LIST@0 proc	near		; CODE XREF: CmpInitCmRM+590p
		mov	edi, edi
		push	ecx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpRmListLock
		call	ExAcquireFastMutexUnsafe
		pop	ecx
		retn
_LOCK_CM_RM_LIST@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpQueryNameString proc	near		; CODE XREF: CmpInitCmRM+206p
					; CmpTraceHiveMountBaseFileMounted+1897FEp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F69BC SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, _CmIoFileObjectType
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax]
		xor	esi, esi
		push	esi
		mov	ebx, edx
		mov	[ebp+var_4], esi
		lea	edx, [ebp+var_C]
		mov	[ebp+var_C], esi
		push	edx
		push	esi
		push	eax
		push	1
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_14], eax
		test	edi, edi
		js	loc_7D9928
		mov	eax, 108h
		push	62534D43h
		push	eax
		push	1
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_10], esi

loc_7D98AD:				; CODE XREF: CmpQueryNameString+11D19Dj
		test	esi, esi
		jz	short loc_7D9920
		mov	ecx, [ebp+var_14]
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		push	[ebp+var_8]
		call	ObQueryNameStringMode
		mov	edi, eax
		test	edi, edi
		js	loc_8F69BC
		xor	eax, eax
		mov	[ebx], ax
		movzx	eax, word ptr [esi]
		push	eax
		mov	[ebx+2], ax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[ebx+4], eax
		test	eax, eax
		jz	short loc_7D992F
		push	esi
		push	ebx
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	edi, eax
		movzx	eax, word ptr [ebx]
		test	ax, ax
		jz	short loc_7D9913
		mov	edx, [ebx+4]
		mov	ecx, eax
		xor	esi, esi

loc_7D9900:				; CODE XREF: CmpQueryNameString+11D1AEj
		movzx	eax, cx
		shr	eax, 1
		cmp	[edx+eax*2-2], si
		jz	loc_8F69FA

loc_7D9910:				; CODE XREF: CmpQueryNameString+11D1B4j
		mov	esi, [ebp+var_10]

loc_7D9913:				; CODE XREF: CmpQueryNameString+9Fj
					; CmpQueryNameString+DCj ...
		test	esi, esi
		jz	short loc_7D9920
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7D9920:				; CODE XREF: CmpQueryNameString+57j
					; CmpQueryNameString+BDj
		mov	ecx, [ebp+var_14]
		call	ObfDereferenceObject

loc_7D9928:				; CODE XREF: CmpQueryNameString+35j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7D992F:				; CODE XREF: CmpQueryNameString+8Ej
		mov	edi, 0C0000017h
		jmp	short loc_7D9913
CmpQueryNameString endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAcceptConnectPort(x, x, x, x, x, x)
_NtAcceptConnectPort@24	proc near	; DATA XREF: .text:00580B8Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	[ebp+arg_14]
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	eax
		push	eax
		push	eax
		call	_AlpcpAcceptConnectPort@48 ; AlpcpAcceptConnectPort(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, large fs:124h
		mov	esi, eax
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	esi, 0C0000703h
		jz	short loc_7D9986

loc_7D997F:				; CODE XREF: NtAcceptConnectPort(x,x,x,x,x,x)+55j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	18h
; 

loc_7D9986:				; CODE XREF: NtAcceptConnectPort(x,x,x,x,x,x)+47j
		mov	esi, 0C000000Bh
		jmp	short loc_7D997F
_NtAcceptConnectPort@24	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspGetJobLimitInformationValidFlags(x, x)
_PspGetJobLimitInformationValidFlags@8 proc near ; CODE	XREF: PAGE:007575C1p
					; sub_759647+364p
		cmp	ecx, 2
		jz	short loc_7D99A7
		xor	eax, eax
		cmp	edx, 70h
		setnz	al
		dec	eax
		and	eax, 0FFA00000h
		add	eax, offset loc_607FFF
		retn
; 

loc_7D99A7:				; CODE XREF: PspGetJobLimitInformationValidFlags(x,x)+3j
		mov	eax, 0FFh
		retn
_PspGetJobLimitInformationValidFlags@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnLogIdentifier(x, x)
_PfSnLogIdentifier@8 proc near		; CODE XREF: PfSnBeginScenario+163p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		push	eax
		movzx	edi, word ptr [ebx]
		add	edi, 13h
		shr	edi, 3
		mov	edx, edi
		call	PfSnTraceGetLogEntry
		test	eax, eax
		js	short loc_7D9A0A
		mov	esi, [ebp+var_4]
		mov	eax, edi
		shl	eax, 3
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, ds:0FFFFFFF8h[edi*8]
		or	eax, 6
		mov	[esi], eax
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		lea	eax, [esi+8]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax

loc_7D9A0A:				; CODE XREF: PfSnLogIdentifier(x,x)+25j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PfSnLogIdentifier@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ExReleaseTimeRefreshLock()
_ExReleaseTimeRefreshLock@0 proc near	; CODE XREF: .text:00685276p
					; PoBroadcastSystemState+42Dp ...
		mov	edi, edi
		push	ecx
		mov	ecx, offset _ExpTimeRefreshLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	ecx
		retn
_ExReleaseTimeRefreshLock@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipSecurityMethod proc	near		; DATA XREF: WmipInitializeSecurity+1CEo

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= word ptr -5Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 008F7176 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		mov	edx, [ebp+arg_14]
		mov	[ebp+var_60], eax
		mov	eax, [ebp+arg_1C]
		push	ebx
		mov	ebx, [ebp+arg_18]
		mov	[ebp+var_64], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_68], ebx
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_0]
		sub	eax, 0
		jz	short loc_7D9AA6
		sub	eax, 1
		jz	short loc_7D9A96
		sub	eax, 1
		jz	short loc_7D9A8D
		sub	eax, 1
		jnz	loc_8F7176
		push	ecx
		mov	edx, ecx
		mov	ecx, edi
		call	_ObAssignObjectSecurityDescriptor@12 ; ObAssignObjectSecurityDescriptor(x,x,x)

loc_7D9A7C:				; CODE XREF: WmipSecurityMethod+70j
					; WmipSecurityMethod+80j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	24h
; 

loc_7D9A8D:				; CODE XREF: WmipSecurityMethod+43j
		mov	ecx, edx
		call	_ObDeassignSecurity@4 ;	ObDeassignSecurity(x)
		jmp	short loc_7D9A7C
; 

loc_7D9A96:				; CODE XREF: WmipSecurityMethod+3Ej
		push	ecx
		push	[ebp+var_60]
		mov	edx, esi
		push	ecx
		mov	ecx, edi
		call	_ObQuerySecurityDescriptorInfo@20 ; ObQuerySecurityDescriptorInfo(x,x,x,x,x)
		jmp	short loc_7D9A7C
; 

loc_7D9AA6:				; CODE XREF: WmipSecurityMethod+39j
		push	[ebp+var_64]
		and	[ebp+var_70], 0
		and	[ebp+var_6C], 0
		push	ebx
		push	edx
		push	ecx
		push	esi
		push	edi
		call	ObSetSecurityDescriptorInfo
		mov	esi, eax
		test	esi, esi
		js	loc_7D9B72
		mov	eax, 400h
		push	70696D57h
		push	eax
		mov	[ebp+var_60], eax
		push	ebx

loc_7D9AD4:				; CODE XREF: WmipSecurityMethod+11D777j
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8F71A0
		or	[ebp+var_64], 0FFFFFFFFh
		lea	eax, [ebp+var_60]
		push	ecx
		push	eax
		push	ebx
		lea	edx, [ebp+var_64]
		mov	ecx, edi
		call	_ObQuerySecurityDescriptorInfo@20 ; ObQuerySecurityDescriptorInfo(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_8F7188

loc_7D9B05:				; CODE XREF: WmipSecurityMethod+11D781j
		test	esi, esi
		js	short loc_7D9B72
		movzx	eax, byte ptr [edi+1Fh]
		push	eax
		movzx	eax, byte ptr [edi+1Eh]
		push	eax
		movzx	eax, byte ptr [edi+1Dh]
		push	eax
		movzx	eax, byte ptr [edi+1Ch]
		push	eax
		movzx	eax, byte ptr [edi+1Bh]
		push	eax
		movzx	eax, byte ptr [edi+1Ah]
		push	eax
		movzx	eax, byte ptr [edi+19h]
		push	eax
		movzx	eax, byte ptr [edi+18h]
		push	eax
		movzx	eax, word ptr [edi+16h]
		push	eax
		movzx	eax, word ptr [edi+14h]
		push	eax
		push	dword ptr [edi+10h] ; char
		lea	eax, [ebp+var_5C]
		push	offset ??_C@_1GC@MIJCAPDC@?$AA?$CF?$AA0?$AA8?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9@NNGAKEGL@ ; wchar_t *
		push	4Ch		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 38h
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, ebx
		lea	ecx, [ebp+var_70]
		call	WmipSaveGuidSecurityDescriptor
		push	0
		push	ebx
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7D9B72:				; CODE XREF: WmipSecurityMethod+9Bj
					; WmipSecurityMethod+E3j
		mov	eax, esi
		jmp	loc_7D9A7C
WmipSecurityMethod endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObAssignObjectSecurityDescriptor(x,	x, x)
_ObAssignObjectSecurityDescriptor@12 proc near ; CODE XREF: WmipSecurityMethod+53p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		test	edi, edi
		jz	short loc_7D9BC4
		push	ebx
		push	8
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		call	ObLogSecurityDescriptor
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7D9BB3
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	short loc_7D9BBC
		and	[esi-4], eax

loc_7D9BB3:				; CODE XREF: ObAssignObjectSecurityDescriptor(x,x,x)+25j
					; ObAssignObjectSecurityDescriptor(x,x,x)+48j
		mov	eax, ebx
		pop	ebx

loc_7D9BB6:				; CODE XREF: ObAssignObjectSecurityDescriptor(x,x,x)+50j
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_7D9BBC:				; CODE XREF: ObAssignObjectSecurityDescriptor(x,x,x)+34j
		add	eax, 7
		mov	[esi-4], eax
		jmp	short loc_7D9BB3
; 

loc_7D9BC4:				; CODE XREF: ObAssignObjectSecurityDescriptor(x,x,x)+12j
		and	dword ptr [esi-4], 0
		xor	eax, eax
		jmp	short loc_7D9BB6
_ObAssignObjectSecurityDescriptor@12 endp


;  S U B	R O U T	I N E 


; __stdcall ObDeassignSecurity(x)
_ObDeassignSecurity@4 proc near		; CODE XREF: WmipSecurityMethod+6Bp
		mov	eax, [ecx]
		and	dword ptr [ecx], 0
		mov	ecx, eax
		and	ecx, 7
		and	eax, 0FFFFFFF8h
		inc	ecx
		push	ecx
		push	eax
		call	ObDereferenceSecurityDescriptor
		xor	eax, eax
		retn
_ObDeassignSecurity@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQueryInstallUILanguage proc near	; CODE XREF: NtQueryDefaultUILanguage(x)+6j
					; ExpSetPendingUILanguage+2A8p	...

var_24		= dword	ptr -24h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	14h
		push	offset dword_6A4210
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+ms_exc.disabled], edx
		mov	eax, large fs:124h
		mov	[ebp+var_24], eax
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		test	al, al
		jz	short loc_7D9C20
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_7D9C48

loc_7D9C17:				; CODE XREF: NtQueryInstallUILanguage+66j
		mov	ax, [ecx]
		movzx	eax, ax
		mov	[ecx], ax

loc_7D9C20:				; CODE XREF: NtQueryInstallUILanguage+25j
		mov	cx, ds:_PsInstallUILanguageId
		mov	eax, [ebp+arg_0]
		mov	[eax], cx

loc_7D9C2D:				; CODE XREF: sub_8F71BA+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7D9C48:				; CODE XREF: NtQueryInstallUILanguage+31j
		mov	ecx, eax
		jmp	short loc_7D9C17
NtQueryInstallUILanguage endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCompareObjects(x,	x)
_NtCompareObjects@8 proc near		; DATA XREF: .text:005811A8o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	esi
		xor	esi, esi
		push	esi
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_8], al
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_8]
		mov	[ebp+var_4], esi
		push	esi
		push	esi
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7D9CBB
		push	esi
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], esi
		push	eax
		push	[ebp+var_8]
		push	esi
		push	esi
		push	[ebp+arg_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7D9CB1
		mov	esi, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		sub	esi, ecx
		neg	esi
		sbb	esi, esi
		and	esi, 0C00001ACh
		call	ObfDereferenceObject

loc_7D9CB1:				; CODE XREF: NtCompareObjects(x,x)+4Cj
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject
		mov	eax, esi

loc_7D9CBB:				; CODE XREF: NtCompareObjects(x,x)+31j
		pop	esi
		leave
		retn	8
_NtCompareObjects@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 663. FsRtlSetKernelEaFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlSetKernelEaFile
FsRtlSetKernelEaFile proc near		; CODE XREF: CmpAdjustFileCFSafety(x,x)+B6p
					; CmpAdjustFileCFSafety(x,x)+107p ...

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F71C5 SIZE 0000004C BYTES

		push	24h
		push	offset dword_6A4230
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	esi, ebx
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], ebx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		stosd
		push	ebx
		push	ebx
		lea	eax, [ebp+var_34]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[ebp+ms_exc.disabled], ebx
		mov	edi, [ebp+arg_0]
		test	dword ptr [edi+2Ch], 800h
		jnz	loc_8F71C5
		push	edi
		call	IoGetRelatedDeviceObject
		mov	ecx, eax
		mov	[ebp+arg_0], ecx
		push	ebx
		movzx	eax, byte ptr [ecx+30h]
		push	eax
		push	ecx
		call	IoAllocateIrpEx
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		jz	loc_8F71CF
		lea	edx, [esi+60h]
		mov	ecx, [edx]
		mov	word ptr [ecx-24h], 408h
		mov	[ecx-0Ch], edi
		mov	eax, [ebp+arg_4]
		mov	[esi+3Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx-20h], eax
		mov	eax, large fs:124h
		mov	esi, [ebp+var_24]
		mov	[esi+50h], eax
		mov	dword ptr [esi+8], 4
		mov	[esi+20h], bl
		mov	eax, [edx]
		mov	dword ptr [eax-8], offset _SmKmGenericCompletion@12 ; SmKmGenericCompletion(x,x,x)
		lea	ecx, [ebp+var_34]
		mov	[eax-4], ecx
		mov	[eax-21h], bl
		mov	byte ptr [eax-21h], 40h
		mov	byte ptr [eax-21h], 0C0h
		mov	byte ptr [eax-21h], 0E0h
		mov	edx, esi
		mov	ecx, [ebp+arg_0]
		call	IofCallDriver
		mov	[ebp+var_20], eax
		cmp	eax, 103h
		jz	loc_8F71D9

loc_7D9D8D:				; CODE XREF: FsRtlSetKernelEaFile+11D52Dj
					; FsRtlSetKernelEaFile+11D546j
		mov	edi, [esi+18h]

loc_7D9D90:				; CODE XREF: FsRtlSetKernelEaFile+11D504j
					; FsRtlSetKernelEaFile+11D50Ej
		mov	[ebp+var_20], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_7D9DB3
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
FsRtlSetKernelEaFile endp


;  S U B	R O U T	I N E 


sub_7D9DB3	proc near		; CODE XREF: FsRtlSetKernelEaFile+D4p
					; sub_8F7211+8j

; FUNCTION CHUNK AT 008F721E SIZE 0000000D BYTES

		test	esi, esi
		jz	short locret_7D9DC8
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	loc_8F721E

loc_7D9DC2:				; CODE XREF: sub_7D9DB3+11D473j
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)

locret_7D9DC8:				; CODE XREF: sub_7D9DB3+2j
		retn
sub_7D9DB3	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	GetPropertyFromPropArray(int,void *,int,int,int)
GetPropertyFromPropArray proc near	; DATA XREF: ValidFilter(x,x)+30o
					; ConstraintEval+15Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F722B SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, 0C0000225h
		mov	[ecx], edx
		mov	ebx, edx
		mov	ecx, [ebp+arg_C]
		mov	[ecx], edx
		mov	ecx, [ebp+arg_10]
		mov	[ecx], edx
		cmp	[esi], edx
		jbe	short loc_7D9E18
		mov	ecx, [ebp+arg_4]
		push	edi
		mov	edi, edx
		mov	[ebp+arg_0], edi

loc_7D9DF9:				; CODE XREF: GetPropertyFromPropArray+46j
		add	edi, [esi+4]
		mov	eax, [edi+10h]
		cmp	eax, [ecx+10h]
		jz	short loc_7D9E1E

loc_7D9E04:				; CODE XREF: GetPropertyFromPropArray+65j
					; GetPropertyFromPropArray+6Dj	...
		mov	edi, [ebp+arg_0]
		inc	ebx
		add	edi, 28h
		mov	[ebp+arg_0], edi
		cmp	ebx, [esi]
		jb	short loc_7D9DF9
		mov	eax, 0C0000225h

loc_7D9E17:				; CODE XREF: GetPropertyFromPropArray+A6j
		pop	edi

loc_7D9E18:				; CODE XREF: GetPropertyFromPropArray+24j
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
; 

loc_7D9E1E:				; CODE XREF: GetPropertyFromPropArray+38j
		push	10h		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcmp
		mov	ecx, [ebp+arg_4]
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7D9E04
		mov	eax, [edi+14h]
		cmp	eax, [ecx+14h]
		jnz	short loc_7D9E04
		mov	eax, [edi+18h]
		mov	ecx, [ecx+18h]
		cmp	eax, ecx
		jnz	loc_8F722B

loc_7D9E47:				; CODE XREF: GetPropertyFromPropArray+11D474j
		mov	eax, [esi+4]
		mov	edx, [ebp+arg_8]
		imul	ecx, ebx, 28h
		mov	eax, [eax+ecx+1Ch]
		mov	[edx], eax
		mov	eax, [esi+4]
		mov	edx, [ebp+arg_C]
		mov	eax, [eax+ecx+20h]
		mov	[edx], eax
		mov	eax, [esi+4]
		mov	eax, [eax+ecx+24h]
		mov	ecx, [ebp+arg_10]
		mov	[ecx], eax
		xor	eax, eax
		jmp	short loc_7D9E17
GetPropertyFromPropArray endp

; 
		align 8
; Exported entry 378. ExInitializePagedLookasideList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInitializePagedLookasideList(x, x, x, x, x, x, x)
		public _ExInitializePagedLookasideList@28
_ExInitializePagedLookasideList@28 proc	near ; CODE XREF: FsRtlInitSystem()+5Fp
					; FsRtlInitializeLargeMcbs()+18p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ExInitializePagedLookasideListInternal
		pop	ebp
		retn	1Ch
_ExInitializePagedLookasideList@28 endp	; sp = -20h

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1642. ObReferenceSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObReferenceSecurityDescriptor(x, x)
		public _ObReferenceSecurityDescriptor@8
_ObReferenceSecurityDescriptor@8 proc near ; CODE XREF:	IopGetSetSecurityObject+2F9p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		add	eax, 0FFFFFFF4h
		lock xadd [eax], ecx
		test	ecx, ecx
		jg	short loc_7D9EBD
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_7D9EBD:				; CODE XREF: ObReferenceSecurityDescriptor(x,x)+14j
		pop	ebp
		retn	8
_ObReferenceSecurityDescriptor@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtPrivilegedServiceAuditAlarm(int,int,size_t,void *,int)
NtPrivilegedServiceAuditAlarm proc near	; DATA XREF: .text:00580ECCo

var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F724C SIZE 00000063 BYTES
; FUNCTION CHUNK AT 008F72D4 SIZE 0000004E BYTES

		push	38h
		push	offset dword_6A4250
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_20], ecx
		xor	eax, eax
		lea	edi, [ebp+var_48]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ecx
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_30], bl
		lea	eax, [ebp+var_48]
		push	eax
		call	SeCaptureSubjectContext
		mov	dl, bl
		lea	ecx, [ebp+var_48]
		call	_SeCheckAuditPrivilege@8 ; SeCheckAuditPrivilege(x,x)
		test	al, al
		jz	loc_8F724C
		mov	eax, ds:_SeTokenObjectType
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		push	ebx
		lea	ecx, [ebp+var_24]
		push	ecx
		push	[ebp+var_30]
		push	eax
		push	8
		push	[ebp+arg_8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_8F7253
		mov	ecx, [ebp+var_24]
		cmp	dword ptr [ecx+0A8h], 2
		jnz	short loc_7D9F4F
		cmp	dword ptr [ecx+0ACh], 1
		jl	loc_8F7273

loc_7D9F4F:				; CODE XREF: NtPrivilegedServiceAuditAlarm+7Ej
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_7D9F6E
		lea	edx, [ebp+var_2C]
		call	SepProbeAndCaptureString_U
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_7DA00F

loc_7D9F6E:				; CODE XREF: NtPrivilegedServiceAuditAlarm+95j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_7D9F8A
		lea	edx, [ebp+var_28]
		call	SepProbeAndCaptureString_U
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_7DA00F

loc_7D9F8A:				; CODE XREF: NtPrivilegedServiceAuditAlarm+B1j
		mov	ecx, [ebp+arg_C]
		mov	edx, ecx
		test	cl, 3
		jnz	loc_7DA084
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8F728D

loc_7D9FA5:				; CODE XREF: NtPrivilegedServiceAuditAlarm+11D3CDj
		nop
		mov	al, [edx]
		mov	esi, [ecx]
		mov	[ebp+var_30], esi
		test	esi, esi
		jz	short loc_7D9FBA
		cmp	esi, 42h
		ja	loc_8F7294

loc_7D9FBA:				; CODE XREF: NtPrivilegedServiceAuditAlarm+EDj
		imul	eax, esi, 0Ch
		add	eax, 8
		mov	[ebp+arg_8], eax
		mov	[ebp+var_38], eax
		jz	short loc_7D9FE1
		lea	edi, [eax+ecx]
		mov	edx, ds:_MmUserProbeAddress
		cmp	edi, edx
		ja	loc_8F72A8
		cmp	edi, ecx
		jb	loc_8F72A8

loc_7D9FE1:				; CODE XREF: NtPrivilegedServiceAuditAlarm+104j
					; NtPrivilegedServiceAuditAlarm+11D3E8j
		push	72506553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_20], edi
		test	edi, edi
		jz	loc_8F729B
		push	[ebp+arg_8]	; size_t
		push	[ebp+arg_C]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[edi], esi
		mov	esi, [ebp+var_1C]

loc_7DA00F:				; CODE XREF: NtPrivilegedServiceAuditAlarm+A6j
					; NtPrivilegedServiceAuditAlarm+C2j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7DA016:				; CODE XREF: sub_8F72BD+12j
		test	esi, esi
		js	loc_8F72D4
		push	[ebp+arg_10]
		push	[ebp+var_20]
		push	[ebp+var_40]
		push	[ebp+var_24]
		mov	esi, [ebp+var_28]
		push	esi
		mov	edi, [ebp+var_2C]
		mov	edx, edi
		lea	ecx, [ebp+var_48]
		call	SepAdtPrivilegedServiceAuditAlarm
		test	edi, edi
		jz	short loc_7DA046
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7DA046:				; CODE XREF: NtPrivilegedServiceAuditAlarm+17Bj
		test	esi, esi
		jz	short loc_7DA051
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7DA051:				; CODE XREF: NtPrivilegedServiceAuditAlarm+186j
		mov	edi, [ebp+var_20]
		test	edi, edi
		jz	short loc_7DA05F
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7DA05F:				; CODE XREF: NtPrivilegedServiceAuditAlarm+194j
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObject
		lea	eax, [ebp+var_48]
		push	eax
		call	SeReleaseSubjectContext
		xor	eax, eax

loc_7DA072:				; CODE XREF: NtPrivilegedServiceAuditAlarm+11D3C6j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7DA084:				; CODE XREF: NtPrivilegedServiceAuditAlarm+D0j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
NtPrivilegedServiceAuditAlarm endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRemoveValueFromList(x, x, x)
_CmpRemoveValueFromList@12 proc	near	; CODE XREF: CmDeleteValueKey+466p
					; CmSetValueKey(x,x,x,x,x,x,x)+851p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_8], eax
		mov	edi, [ebx]
		mov	edx, [ebx+4]
		sub	edi, 1
		jz	short loc_7DA113
		or	[ebp+var_10], 0FFFFFFFFh
		lea	ecx, [ebp+var_10]
		and	[ebp+var_C], 0
		push	ecx
		push	edx
		push	eax
		call	dword ptr [eax+4]
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_7DA11D

loc_7DA0C0:				; CODE XREF: CmpRemoveValueFromList(x,x,x)+42j
		cmp	esi, edi
		jnb	short loc_7DA0CE
		mov	eax, [ecx+esi*4+4]
		mov	[ecx+esi*4], eax
		inc	esi
		jmp	short loc_7DA0C0
; 

loc_7DA0CE:				; CODE XREF: CmpRemoveValueFromList(x,x,x)+38j
		mov	esi, [ebp+var_8]
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebx+4]
		lea	eax, [ebp+var_10]
		and	[ebp+arg_0], 0
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		mov	eax, edi
		push	1
		shl	eax, 2
		push	eax
		call	_HvReallocateCell@24 ; HvReallocateCell(x,x,x,x,x,x)
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, [ebp+arg_0]

loc_7DA105:				; CODE XREF: CmpRemoveValueFromList(x,x,x)+91j
		mov	[ebx+4], eax
		xor	eax, eax
		mov	[ebx], edi

loc_7DA10C:				; CODE XREF: CmpRemoveValueFromList(x,x,x)+98j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7DA113:				; CODE XREF: CmpRemoveValueFromList(x,x,x)+1Dj
		call	HvFreeCell
		or	eax, 0FFFFFFFFh
		jmp	short loc_7DA105
; 

loc_7DA11D:				; CODE XREF: CmpRemoveValueFromList(x,x,x)+34j
		mov	eax, 0C000009Ah
		jmp	short loc_7DA10C
_CmpRemoveValueFromList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsWow64GetSupportedArchitectures proc near ; CODE XREF:	PAGE:00781F33p

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	0Ch
		push	offset dword_6A4270
		call	__SEH_prolog4
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 8
		cmp	edx, 8
		jnb	short loc_7DA155
		mov	eax, 0C0000023h

loc_7DA143:				; CODE XREF: PsWow64GetSupportedArchitectures+5Fj
					; sub_8F7332+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7DA155:				; CODE XREF: PsWow64GetSupportedArchitectures+18j
		xor	eax, eax
		mov	[ebp+ms_exc.disabled], eax
		mov	[ecx+4], eax
		mov	dword ptr [ecx], 14Ch
		mov	dword ptr [ecx], 1014Ch
		mov	dword ptr [ecx], 3014Ch
		mov	dword ptr [ecx], 7014Ch
		cmp	[ebp+arg_4], eax
		jnz	short loc_7DA185

loc_7DA17A:				; CODE XREF: PsWow64GetSupportedArchitectures+67j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_7DA143
; 

loc_7DA185:				; CODE XREF: PsWow64GetSupportedArchitectures+54j
		mov	dword ptr [ecx], 0F014Ch
		jmp	short loc_7DA17A
PsWow64GetSupportedArchitectures endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1800. PsGetProcessExitTime

;  S U B	R O U T	I N E 


; __stdcall PsGetProcessExitTime()
		public _PsGetProcessExitTime@0
_PsGetProcessExitTime@0	proc near
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		mov	eax, [edx+388h]
		mov	edx, [edx+38Ch]
		retn
_PsGetProcessExitTime@0	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall HvFreeUnreconciledData(x)
_HvFreeUnreconciledData@4 proc near	; CODE XREF: CmpFlushHive+4D1p
					; CmpFlushHive+51Bp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		mov	eax, [esi+480h]
		test	eax, eax
		jz	short loc_7DA1D1
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+480h], ebx
		mov	[esi+468h], bl

loc_7DA1D1:				; CODE XREF: HvFreeUnreconciledData(x)+10j
		cmp	[esi+470h], ebx
		jnz	short loc_7DA1DC

loc_7DA1D9:				; CODE XREF: HvFreeUnreconciledData(x)+90j
		pop	esi
		pop	ebx
		retn
; 

loc_7DA1DC:				; CODE XREF: HvFreeUnreconciledData(x)+2Bj
		push	edi
		mov	edi, ebx
		cmp	[esi+47Ch], ebx
		jbe	short loc_7DA20B

loc_7DA1E7:				; CODE XREF: HvFreeUnreconciledData(x)+5Bj
		mov	eax, [esi+478h]
		mov	eax, [eax+ebx+4]
		test	eax, eax
		jz	short loc_7DA1FD
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7DA1FD:				; CODE XREF: HvFreeUnreconciledData(x)+47j
		inc	edi
		add	ebx, 0Ch
		cmp	edi, [esi+47Ch]
		jb	short loc_7DA1E7
		xor	ebx, ebx

loc_7DA20B:				; CODE XREF: HvFreeUnreconciledData(x)+39j
		push	ebx
		push	dword ptr [esi+478h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	dword ptr [esi+470h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+478h], ebx
		mov	[esi+47Ch], ebx
		mov	[esi+46Ch], ebx
		mov	[esi+470h], ebx
		pop	edi
		jmp	short loc_7DA1D9
_HvFreeUnreconciledData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PiPnpRtlApplyMandatoryDeviceContainerFilters(int,wchar_t *,int,int,int)
_PiPnpRtlApplyMandatoryDeviceContainerFilters@20 proc near
					; CODE XREF: PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)+A3p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], ecx
		lea	edi, [ebp+var_14]
		mov	ebx, edx
		stosd
		xor	esi, esi
		and	[ebp+var_4], esi
		push	offset ??_C@_1EO@EKIIDBMB@?$AA?$HL?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9@NNGAKEGL@ ; "{00000000-0000-0000-FFFF-FFFFFFFFFFFF}"
		push	ebx		; wchar_t *
		stosd
		stosd
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_7DA2C8
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		push	5
		pop	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_7DA2B4
		mov	eax, [ebp+var_8]
		mov	edx, edi
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	offset _PiPnpRtlApplyMandatoryDeviceContainerFiltersCallback@12	; PiPnpRtlApplyMandatoryDeviceContainerFiltersCallback(x,x,x)
		push	4
		pop	ecx
		mov	[ebp+var_C], 0
		call	PiDmListEnumObjectsWithCallback
		mov	esi, eax
		test	esi, esi
		js	short loc_7DA2B4
		mov	edx, [ebp+arg_8]
		mov	al, [ebp+var_C]
		mov	[edx], al

loc_7DA2B4:				; CODE XREF: PiPnpRtlApplyMandatoryDeviceContainerFilters(x,x,x,x,x)+43j
					; PiPnpRtlApplyMandatoryDeviceContainerFilters(x,x,x,x,x)+6Cj
		test	edi, edi
		jz	short loc_7DA2BF
		mov	ecx, edi
		call	PiDmObjectRelease

loc_7DA2BF:				; CODE XREF: PiPnpRtlApplyMandatoryDeviceContainerFilters(x,x,x,x,x)+78j
					; PiPnpRtlApplyMandatoryDeviceContainerFilters(x,x,x,x,x)+90j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7DA2C8:				; CODE XREF: PiPnpRtlApplyMandatoryDeviceContainerFilters(x,x,x,x,x)+2Cj
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	1
		jmp	short loc_7DA2BF
_PiPnpRtlApplyMandatoryDeviceContainerFilters@20 endp


;  S U B	R O U T	I N E 


; __stdcall RtlReleasePrivilege(x)
_RtlReleasePrivilege@4 proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+C3Bp
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+17C4p
		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	ecx, [edi+10h]
		mov	eax, ecx
		and	al, 3
		cmp	al, 1
		jz	short loc_7DA2F4
		push	ebx
		push	ebx
		push	ebx
		push	dword ptr [edi+8]
		push	ebx
		push	dword ptr [edi]
		call	_ZwAdjustPrivilegesToken@24 ; ZwAdjustPrivilegesToken(x,x,x,x,x,x)
		mov	ecx, [edi+10h]

loc_7DA2F4:				; CODE XREF: RtlReleasePrivilege(x)+11j
		test	cl, 1
		jz	short loc_7DA316
		push	esi
		push	4
		lea	esi, [edi+4]
		push	esi
		push	5
		push	0FFFFFFFEh
		call	_ZwSetInformationThread@16 ; ZwSetInformationThread(x,x,x,x)
		mov	eax, [esi]
		pop	esi
		test	eax, eax
		jz	short loc_7DA316
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_7DA316:				; CODE XREF: RtlReleasePrivilege(x)+27j
					; RtlReleasePrivilege(x)+3Ej
		mov	ecx, [edi+8]
		lea	eax, [edi+14h]
		cmp	ecx, eax
		jnz	short loc_7DA331

loc_7DA320:				; CODE XREF: RtlReleasePrivilege(x)+68j
		push	dword ptr [edi]
		call	_ZwClose@4	; ZwClose(x)
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	ebx
		retn
; 

loc_7DA331:				; CODE XREF: RtlReleasePrivilege(x)+4Ej
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7DA320
_RtlReleasePrivilege@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeSetVirtualizationToken(x,	x)
_SeSetVirtualizationToken@8 proc near	; CODE XREF: PAGE:007A9228p
					; PAGE:007EA6BEp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [edi+30h]
		call	ExAcquireResourceExclusiveLite
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, [edi+0B0h]
		test	esi, esi
		jz	short loc_7DA3B5
		test	eax, 200h
		jnz	short loc_7DA3A8

loc_7DA37C:				; CODE XREF: SeSetVirtualizationToken(x,x)+79j
		lea	ecx, [edi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [edi+30h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		leave
		retn
; 

loc_7DA3A8:				; CODE XREF: SeSetVirtualizationToken(x,x)+40j
		or	eax, 400h

loc_7DA3AD:				; CODE XREF: SeSetVirtualizationToken(x,x)+80j
		mov	[edi+0B0h], eax
		jmp	short loc_7DA37C
; 

loc_7DA3B5:				; CODE XREF: SeSetVirtualizationToken(x,x)+39j
		and	eax, 0FFFFFBFFh
		jmp	short loc_7DA3AD
_SeSetVirtualizationToken@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdiDispatchControl(x)
_WdiDispatchControl@4 proc near		; CODE XREF: NtTraceControl(x,x,x,x,x,x)+4A5p

var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+18h+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+20h+var_14]
		stosd
		mov	esi, ecx
		stosd
		stosd
		stosd
		test	esi, esi
		jz	short loc_7DA41B
		push	0
		push	dword ptr [esi]
		lea	edx, [esp+28h+var_14]
		mov	cl, 1
		call	_EtwGetProviderIdFromHandle@16 ; EtwGetProviderIdFromHandle(x,x,x,x)
		test	eax, eax
		js	short loc_7DA40A
		push	dword ptr [esi+28h]
		lea	eax, [esi+8]
		push	eax
		lea	edx, [esi+18h]
		lea	ecx, [esp+28h+var_14]
		call	WdipStartEndScenario

loc_7DA40A:				; CODE XREF: WdiDispatchControl(x)+39j
					; WdiDispatchControl(x)+64j
		mov	ecx, [esp+20h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7DA41B:				; CODE XREF: WdiDispatchControl(x)+26j
		mov	eax, 0C000000Dh
		jmp	short loc_7DA40A
_WdiDispatchControl@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipStartEndScenario proc near		; CODE XREF: WdiDispatchControl(x)+49p
					; EtwWriteStartScenario+94p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F7344 SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		test	ecx, ecx
		jz	short loc_7DA460
		test	edx, edx
		jz	short loc_7DA460
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_7DA460
		xor	esi, esi
		cmp	[edx], esi
		jz	loc_8F7344

loc_7DA442:				; CODE XREF: WdipStartEndScenario+11CF26j
					; WdipStartEndScenario+11CF30j	...
		cmp	[ebp+arg_4], 0Ah
		movzx	eax, word ptr [eax]
		push	edx
		mov	edx, eax
		jz	short loc_7DA459
		call	_WdipSemEndScenario@12 ; WdipSemEndScenario(x,x,x)

loc_7DA453:				; CODE XREF: WdipStartEndScenario+3Cj
					; WdipStartEndScenario+43j
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
; 

loc_7DA459:				; CODE XREF: WdipStartEndScenario+2Aj
		call	_WdipSemStartScenario@12 ; WdipSemStartScenario(x,x,x)
		jmp	short loc_7DA453
; 

loc_7DA460:				; CODE XREF: WdipStartEndScenario+9j
					; WdipStartEndScenario+Dj ...
		mov	eax, 0C000000Dh
		jmp	short loc_7DA453
WdipStartEndScenario endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemEndScenario(x, x, x)
_WdipSemEndScenario@12 proc near	; CODE XREF: WdipStartEndScenario+2Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	ecx, ecx
		jz	short loc_7DA48E
		cmp	[ebp+arg_0], 0
		jz	short loc_7DA48E
		cmp	_WdipSemEnabled, 0
		jz	short loc_7DA495
		push	[ebp+arg_0]
		call	WdipSemDisableScenario

loc_7DA489:				; CODE XREF: WdipSemEndScenario(x,x,x)+2Bj
					; WdipSemEndScenario(x,x,x)+32j
		pop	ecx
		pop	ebp
		retn	4
; 

loc_7DA48E:				; CODE XREF: WdipSemEndScenario(x,x,x)+8j
					; WdipSemEndScenario(x,x,x)+Ej
		mov	eax, 0C000000Dh
		jmp	short loc_7DA489
; 

loc_7DA495:				; CODE XREF: WdipSemEndScenario(x,x,x)+17j
		mov	eax, 0C0000001h
		jmp	short loc_7DA489
_WdipSemEndScenario@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemDisableScenario proc near	; CODE XREF: WdipSemEndScenario(x,x,x)+1Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F73AD SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_8], edx
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		push	edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_1], bl
		nop
		xor	edx, edx
		mov	ecx, offset _WdipSemPushLock
		call	ExAcquirePushLockSharedEx
		mov	edi, [ebp+arg_0]
		test	esi, esi
		jz	loc_8F73AD
		test	edi, edi
		jz	loc_8F73AD
		cmp	_WdipSemEnabled, bl
		jz	loc_7DA582
		call	_WdipSemGetLoggerIds@0 ; WdipSemGetLoggerIds()
		mov	esi, eax
		test	esi, esi
		js	loc_8F73B7
		mov	ecx, edi
		call	_WdipSemMarkInstanceForDeletion@4 ; WdipSemMarkInstanceForDeletion(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7DA582
		push	dword ptr [ebx+18h] ; int
		mov	edx, [ebp+var_8] ; int
		mov	ecx, [ebp+var_C] ; void	*
		call	WdipSemValidateEndEvent
		mov	esi, eax
		test	esi, esi
		js	short loc_7DA587
		xor	dl, dl
		mov	ecx, ebx
		call	_WdipSemDisableContextProviders@8 ; WdipSemDisableContextProviders(x,x)

loc_7DA526:				; CODE XREF: WdipSemDisableScenario+11CF1Fj
		test	esi, esi
		js	short loc_7DA587
		mov	edi, offset _WDI_SEM_EVENT_SCENARIO_END
		push	edi
		push	dword_6BCB74
		push	_WdipSemRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_7DA54E
		mov	edx, ebx
		mov	ecx, edi
		call	WdipSemWriteSemActionsEvent

loc_7DA54E:				; CODE XREF: WdipSemDisableScenario+A7j
		mov	ecx, ebx
		call	_WdipSemDeleteTransitionalInstance@4 ; WdipSemDeleteTransitionalInstance(x)

loc_7DA555:				; CODE XREF: WdipSemDisableScenario+10Bj
					; WdipSemDisableScenario+11CF42j
		mov	edi, offset _WdipSemPushLock
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[ebp+var_1], 0
		jnz	loc_8F73E3

loc_7DA579:				; CODE XREF: WdipSemDisableScenario+11CF81j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7DA582:				; CODE XREF: WdipSemDisableScenario+4Bj
					; WdipSemDisableScenario+6Bj
		mov	esi, 0C0000001h

loc_7DA587:				; CODE XREF: WdipSemDisableScenario+7Fj
					; WdipSemDisableScenario+8Cj ...
		push	offset _WDI_SEM_EVENT_SCENARIO_END_FAILED
		push	dword_6BCB74
		push	_WdipSemRegHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8F73C0

loc_7DA5A5:				; CODE XREF: WdipSemDisableScenario+11CF36j
		test	ebx, ebx
		jz	short loc_7DA555
		jmp	loc_8F73D7
WdipSemDisableScenario endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemMarkInstanceForDeletion(x)
_WdipSemMarkInstanceForDeletion@4 proc near ; CODE XREF: WdipSemDisableScenario+62p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset dword_6BDB9C
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		test	edi, edi
		jz	short loc_7DA5EF
		mov	ecx, edi	; void *
		call	_WdipSemQueryEnabledInstanceTable@4 ; WdipSemQueryEnabledInstanceTable(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7DA5EF
		cmp	dword ptr [esi+20h], 0
		jnz	short loc_7DA60A
		mov	dword ptr [esi+20h], 1

loc_7DA5EF:				; CODE XREF: WdipSemMarkInstanceForDeletion(x)+25j
					; WdipSemMarkInstanceForDeletion(x)+32j ...
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_7DA60A:				; CODE XREF: WdipSemMarkInstanceForDeletion(x)+38j
		xor	esi, esi
		jmp	short loc_7DA5EF
_WdipSemMarkInstanceForDeletion@4 endp


;  S U B	R O U T	I N E 


; int __fastcall WdipSemQueryEnabledInstanceTable(void *)
_WdipSemQueryEnabledInstanceTable@4 proc near
					; CODE XREF: WdipSemMarkInstanceForDeletion(x)+29p
					; WdipSemReserveInstanceTableEntry+3Dp
		mov	edi, edi
		push	ebx
		push	edi
		mov	ebx, ecx
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_7DA63F
		push	esi
		mov	esi, _WdipSemEnabledInstanceTable

loc_7DA621:				; CODE XREF: WdipSemQueryEnabledInstanceTable(x)+38j
		cmp	esi, offset _WdipSemEnabledInstanceTable
		jz	short loc_7DA63E
		push	10h		; size_t
		lea	eax, [esi+8]
		push	eax		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7DA644
		mov	edi, esi

loc_7DA63E:				; CODE XREF: WdipSemQueryEnabledInstanceTable(x)+19j
		pop	esi

loc_7DA63F:				; CODE XREF: WdipSemQueryEnabledInstanceTable(x)+Aj
		mov	eax, edi
		pop	edi
		pop	ebx
		retn
; 

loc_7DA644:				; CODE XREF: WdipSemQueryEnabledInstanceTable(x)+2Cj
		mov	esi, [esi]
		jmp	short loc_7DA621
_WdipSemQueryEnabledInstanceTable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemGetLoggerIds()
_WdipSemGetLoggerIds@0 proc near	; CODE XREF: WdipSemDisableScenario+51p
					; WdipSemEnableScenario+51p ...

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebp+var_8]
		push	offset ??_C@_1BA@GKCNOEEH@?$AAD?$AAi?$AAa?$AAg?$AAL?$AAo?$AAg@NNGAKEGL@
		push	eax
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edx, [ebp+var_10]
		lea	ecx, [ebp+var_8]
		call	_EtwQueryTraceHandleByLoggerName@8 ; EtwQueryTraceHandleByLoggerName(x,x)
		mov	edi, eax
		movzx	eax, word ptr [ebp+var_10]
		test	edi, edi
		js	short loc_7DA6B7

loc_7DA680:				; CODE XREF: WdipSemGetLoggerIds()+71j
		mov	ecx, offset _WdipDiagLoggerId
		xchg	eax, [ecx]
		push	offset ??_C@_1BM@EGPIEMAI@?$AAW?$AAd?$AAi?$AAC?$AAo?$AAn?$AAt?$AAe?$AAx?$AAt?$AAL?$AAo?$AAg@NNGAKEGL@ ;	"WdiContextLog"
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edx, [ebp+var_10]
		lea	ecx, [ebp+var_8]
		call	_EtwQueryTraceHandleByLoggerName@8 ; EtwQueryTraceHandleByLoggerName(x,x)
		test	eax, eax
		js	short loc_7DA6A8
		movzx	esi, word ptr [ebp+var_10]

loc_7DA6A8:				; CODE XREF: WdipSemGetLoggerIds()+5Aj
		mov	ecx, offset _WdipContextLoggerId
		xchg	esi, [ecx]
		test	edi, edi
		js	short loc_7DA6BB

loc_7DA6B3:				; CODE XREF: WdipSemGetLoggerIds()+75j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_7DA6B7:				; CODE XREF: WdipSemGetLoggerIds()+36j
		mov	eax, esi
		jmp	short loc_7DA680
; 

loc_7DA6BB:				; CODE XREF: WdipSemGetLoggerIds()+69j
		mov	eax, edi
		jmp	short loc_7DA6B3
_WdipSemGetLoggerIds@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall EtwQueryTraceHandleByLoggerName(x, x)
_EtwQueryTraceHandleByLoggerName@8 proc	near ; CODE XREF: WdipSemGetLoggerIds()+29p
					; WdipSemGetLoggerIds()+53p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		test	edi, edi
		jz	short loc_7DA720
		xor	ebx, ebx
		cmp	[edi+4], ebx
		jz	short loc_7DA720
		cmp	[edi], bx
		jz	short loc_7DA720
		test	esi, esi
		jz	short loc_7DA720
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		push	ebx
		mov	edx, edi
		mov	ecx, [eax+1F0h]
		call	@EtwpAcquireLoggerContextByLoggerName@12 ; EtwpAcquireLoggerContextByLoggerName(x,x,x)
		test	eax, eax
		jz	short loc_7DA719
		mov	[esi], ebx
		mov	[esi+4], ebx
		cmp	[eax], ebx
		jz	short loc_7DA712
		movzx	ecx, word ptr [eax]

loc_7DA700:				; CODE XREF: EtwQueryTraceHandleByLoggerName(x,x)+57j
		mov	[esi], cx
		xor	dl, dl
		mov	ecx, eax
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		xor	eax, eax

loc_7DA70E:				; CODE XREF: EtwQueryTraceHandleByLoggerName(x,x)+5Ej
					; EtwQueryTraceHandleByLoggerName(x,x)+65j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7DA712:				; CODE XREF: EtwQueryTraceHandleByLoggerName(x,x)+3Bj
		mov	ecx, 0FFFFh
		jmp	short loc_7DA700
; 

loc_7DA719:				; CODE XREF: EtwQueryTraceHandleByLoggerName(x,x)+32j
		mov	eax, 0C0000296h
		jmp	short loc_7DA70E
; 

loc_7DA720:				; CODE XREF: EtwQueryTraceHandleByLoggerName(x,x)+Bj
					; EtwQueryTraceHandleByLoggerName(x,x)+12j ...
		mov	eax, 0C000000Dh
		jmp	short loc_7DA70E
_EtwQueryTraceHandleByLoggerName@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall WdipSemDeleteTransitionalInstance(x)
_WdipSemDeleteTransitionalInstance@4 proc near ; CODE XREF: WdipSemDisableScenario+B4p
					; WdipTimeoutCheckRoutine+11BB90p ...
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset dword_6BDB9C
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [esi]
		cmp	[edx+4], esi
		jnz	short loc_7DA784
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_7DA784
		mov	[eax], edx
		mov	ecx, edi
		mov	[edx+4], eax
		xor	edx, edx
		dec	dword_6BDB98
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	edx, esi
		mov	ecx, offset unk_6BDBF0
		pop	esi
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
; 

loc_7DA784:				; CODE XREF: WdipSemDeleteTransitionalInstance(x)+25j
					; WdipSemDeleteTransitionalInstance(x)+2Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_WdipSemDeleteTransitionalInstance@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemWriteSemActionsEvent proc near	; CODE XREF: WdipSemDisableScenario+ADp
					; WdipSemEnableScenario+A8p

var_A20		= dword	ptr -0A20h
var_A1C		= dword	ptr -0A1Ch
var_A18		= dword	ptr -0A18h
var_A14		= dword	ptr -0A14h
var_A10		= dword	ptr -0A10h
var_A0C		= dword	ptr -0A0Ch
var_A08		= dword	ptr -0A08h
var_A04		= dword	ptr -0A04h
var_A00		= dword	ptr -0A00h
var_9FC		= dword	ptr -9FCh
var_9F8		= dword	ptr -9F8h
var_808		= dword	ptr -808h
var_804		= dword	ptr -804h
var_800		= dword	ptr -800h
var_7FC		= dword	ptr -7FCh
var_7F8		= dword	ptr -7F8h
var_7F4		= dword	ptr -7F4h
var_7F0		= dword	ptr -7F0h
var_7EC		= dword	ptr -7ECh
var_7E8		= dword	ptr -7E8h
var_7E4		= dword	ptr -7E4h
var_7E0		= dword	ptr -7E0h
var_7DC		= dword	ptr -7DCh
var_7D8		= dword	ptr -7D8h
var_7D4		= dword	ptr -7D4h
var_7D0		= dword	ptr -7D0h
var_7CC		= dword	ptr -7CCh
var_7BC		= dword	ptr -7BCh
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F7422 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	1F0h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_9F8]
		mov	edi, edx
		mov	esi, ecx
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_A18], edi
		mov	[ebp+var_A20], esi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_A00], ebx
		mov	[ebp+var_9FC], ebx
		test	esi, esi
		jz	loc_8F7422
		test	edi, edi
		jz	loc_8F7422
		mov	ecx, _WdipContextLoggerId
		mov	eax, offset _WdipContextLoggerId
		xchg	ecx, [eax]
		lea	edx, [ebp+var_A00]
		call	_WdipSemGetLoggerDroppedEventCount@8 ; WdipSemGetLoggerDroppedEventCount(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7DA981
		mov	ecx, [edi+18h]
		push	4
		pop	esi
		lea	edx, [ecx+30h]
		mov	eax, [edx]
		add	eax, esi
		mov	[ebp+var_808], ecx
		mov	[ebp+var_A1C], eax
		lea	eax, [ecx+10h]
		mov	[ebp+var_7F8], eax
		lea	eax, [ebp+var_A00]
		mov	[ebp+var_804], ebx
		mov	[ebp+var_800], 10h
		mov	[ebp+var_7FC], ebx
		mov	[ebp+var_7F4], ebx
		mov	[ebp+var_7F0], 2
		mov	[ebp+var_7EC], ebx
		mov	[ebp+var_7E8], eax
		mov	[ebp+var_7E4], ebx
		mov	[ebp+var_7E0], esi
		mov	[ebp+var_7DC], ebx
		mov	[ebp+var_7D8], edx
		mov	[ebp+var_7D4], ebx
		mov	[ebp+var_7D0], esi
		mov	[ebp+var_7CC], ebx
		mov	[ebp+var_A14], edx
		cmp	[edx], ebx
		jbe	loc_7DA962
		lea	eax, [ebp+var_7BC]
		add	edi, 24h
		lea	edx, [ecx+38h]
		mov	[ebp+var_A04], eax
		mov	[ebp+var_A0C], edi
		mov	[ebp+var_A08], edx

loc_7DA8B7:				; CODE XREF: WdipSemWriteSemActionsEvent+1CCj
		mov	eax, [edx]
		mov	ecx, offset unk_6BDBF8
		mov	[ebp+var_A10], eax
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_7DA9B6

loc_7DA8D3:				; CODE XREF: WdipSemWriteSemActionsEvent+238j
		mov	edx, [ebp+var_A10]
		mov	edi, ecx
		mov	esi, edx
		movsd
		movsd
		movsd
		movsd
		mov	al, [edx+12h]
		mov	edi, [ebp+var_A0C]
		mov	esi, [ebp+var_A04]
		mov	[ecx+10h], al
		mov	eax, [edx+18h]
		mov	[ecx+18h], eax
		mov	eax, [edx+1Ch]
		mov	[ecx+1Ch], eax
		mov	eax, [edx+24h]
		mov	edx, [ebp+var_A08]
		mov	[ecx+20h], eax
		add	edx, 4
		mov	eax, [edi]
		add	edi, 4
		mov	[ecx+24h], eax
		mov	eax, [ebp+var_9FC]
		mov	[esi-0Ch], ecx
		mov	[esi-8], ebx
		mov	dword ptr [esi-4], 28h
		mov	[ebp+eax*4+var_9F8], ecx
		inc	eax
		mov	ecx, [ebp+var_A14]
		mov	[esi], ebx
		add	esi, 10h
		mov	[ebp+var_9FC], eax
		mov	[ebp+var_A04], esi
		mov	[ebp+var_A08], edx
		mov	[ebp+var_A0C], edi
		cmp	eax, [ecx]
		jb	loc_7DA8B7
		mov	edi, [ebp+var_A18]

loc_7DA962:				; CODE XREF: WdipSemWriteSemActionsEvent+109j
		lea	eax, [ebp+var_808]
		push	eax
		push	[ebp+var_A1C]
		lea	edx, [edi+8]
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_A20]
		call	_WdipSemWriteEvent@24 ;	WdipSemWriteEvent(x,x,x,x,x,x)
		mov	esi, eax

loc_7DA981:				; CODE XREF: WdipSemWriteSemActionsEvent+77j
					; WdipSemWriteSemActionsEvent+243j
		mov	edi, [ebp+var_9FC]
		test	edi, edi
		jz	short loc_7DA9A5

loc_7DA98B:				; CODE XREF: WdipSemWriteSemActionsEvent+219j
		mov	edx, [ebp+ebx*4+var_9F8]
		test	edx, edx
		jz	short loc_7DA9A0
		mov	ecx, offset unk_6BDBF8
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_7DA9A0:				; CODE XREF: WdipSemWriteSemActionsEvent+20Aj
		inc	ebx
		cmp	ebx, edi
		jb	short loc_7DA98B

loc_7DA9A5:				; CODE XREF: WdipSemWriteSemActionsEvent+1FFj
					; WdipSemWriteSemActionsEvent+11CC9Dj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7DA9B6:				; CODE XREF: WdipSemWriteSemActionsEvent+143j
		push	28h
		pop	ecx
		call	_WdipSemAllocatePool@4 ; WdipSemAllocatePool(x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	loc_7DA8D3
		mov	esi, 0C000009Ah
		jmp	short loc_7DA981
WdipSemWriteSemActionsEvent endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemWriteEvent(x, x, x, x, x, x)
_WdipSemWriteEvent@24 proc near		; CODE XREF: WdipSemWriteSemActionsEvent+1F0p
					; WdipSemSqmInit()+55p	...

var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, dword_6BCB74
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	edi, _WdipSemRegHandle
		test	esi, esi
		jz	short loc_7DAA19
		push	esi
		push	ebx
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_7DAA12
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+var_4]
		push	esi
		push	ebx
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_7DAA0B:				; CODE XREF: WdipSemWriteEvent(x,x,x,x,x,x)+47j
					; WdipSemWriteEvent(x,x,x,x,x,x)+4Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7DAA12:				; CODE XREF: WdipSemWriteEvent(x,x,x,x,x,x)+28j
		mov	eax, 0C0000008h
		jmp	short loc_7DAA0B
; 

loc_7DAA19:				; CODE XREF: WdipSemWriteEvent(x,x,x,x,x,x)+1Cj
		mov	eax, 0C000000Dh
		jmp	short loc_7DAA0B
_WdipSemWriteEvent@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemGetLoggerDroppedEventCount(x, x)
_WdipSemGetLoggerDroppedEventCount@8 proc near ; CODE XREF: WdipSemWriteSemActionsEvent+6Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], ecx
		test	esi, esi
		jz	short loc_7DAA59
		test	ecx, ecx
		jz	short loc_7DAA59
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		call	WmiQueryTraceInformation
		test	eax, eax
		js	short loc_7DAA56
		mov	ecx, [ebp+var_4]
		mov	[esi], ecx

loc_7DAA56:				; CODE XREF: WdipSemGetLoggerDroppedEventCount(x,x)+2Fj
					; WdipSemGetLoggerDroppedEventCount(x,x)+3Ej
		pop	esi
		leave
		retn
; 

loc_7DAA59:				; CODE XREF: WdipSemGetLoggerDroppedEventCount(x,x)+14j
					; WdipSemGetLoggerDroppedEventCount(x,x)+18j
		mov	eax, 0C000000Dh
		jmp	short loc_7DAA56
_WdipSemGetLoggerDroppedEventCount@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2633. WmiQueryTraceInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public WmiQueryTraceInformation
WmiQueryTraceInformation proc near	; CODE XREF: WdipSemGetLoggerDroppedEventCount(x,x)+28p
					; EtwpEventTracingCounterSetCallback(x,x,x)+172p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008F742C SIZE 00000316 BYTES
; FUNCTION CHUNK AT 008F7762 SIZE 000001E6 BYTES

		push	34h
		push	offset dword_6A4290
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_20], ebx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+1F0h]
		mov	[ebp+ms_exc.disabled], ebx
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jnz	loc_8F742C

loc_7DAA99:				; CODE XREF: WmiQueryTraceInformation+11C9C8j
		mov	eax, [ebp+arg_0]
		cmp	eax, 0Fh	; switch 16 cases
		ja	loc_8F7937	; default
		jmp	ds:off_7DABC6[eax*4] ; switch jump

loc_7DAAAC:				; DATA XREF: PAGE:007DABE6o
		cmp	[ebp+arg_8], 4	; case 0x8
		jnz	loc_8F746C
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jz	loc_8F747D
		mov	esi, [esi]
		mov	[ebp+var_1C], esi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+1F0h]
		push	ebx
		mov	edx, esi
		call	EtwpAcquireLoggerContextByLoggerId
		test	eax, eax
		jz	loc_8F75FD
		mov	esi, [eax+0A8h]
		xor	dl, dl
		mov	ecx, eax
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_7DAAF9
		mov	[eax], esi

loc_7DAAF9:				; CODE XREF: WmiQueryTraceInformation+8Fj
					; WmiQueryTraceInformation+11CA39j ...
		test	edi, edi
		jnz	loc_8F74AC

loc_7DAB01:				; CODE XREF: WmiQueryTraceInformation+E6j
					; WmiQueryTraceInformation+11CA4Cj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]

loc_7DAB0B:				; CODE XREF: WmiQueryTraceInformation+148j
					; WmiQueryTraceInformation+11CA01j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7DAB1D:				; CODE XREF: WmiQueryTraceInformation+3Fj
					; DATA XREF: PAGE:007DABF2o
		test	edi, edi	; case 0xB
		jnz	loc_8F78E4

loc_7DAB25:				; CODE XREF: WmiQueryTraceInformation+11CE84j
		cmp	_EtwpInitialized, 0
		jz	loc_8F78EF
		cmp	[ebp+arg_8], 4
		jnz	loc_8F746C
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_7DABA2
		mov	dword ptr [eax], offset	_EtwpDiskIoNotifyRoutines

loc_7DAB49:				; CODE XREF: WmiQueryTraceInformation+110j
					; WmiQueryTraceInformation+13Aj ...
		mov	[ebp+var_20], ebx
		jmp	short loc_7DAB01
; 

loc_7DAB4E:				; CODE XREF: WmiQueryTraceInformation+3Fj
					; DATA XREF: PAGE:007DABFAo
		test	edi, edi	; case 0xD
		jnz	short loc_7DABB3

loc_7DAB52:				; CODE XREF: WmiQueryTraceInformation+153j
		cmp	_EtwpInitialized, 0
		jz	loc_8F78EF
		cmp	[ebp+arg_8], 4
		jnz	loc_8F746C
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_7DABA2
		mov	dword ptr [eax], offset	_EtwpFltIoNotifyRoutines
		jmp	short loc_7DAB49
; 

loc_7DAB78:				; CODE XREF: WmiQueryTraceInformation+3Fj
					; DATA XREF: PAGE:007DAC02o
		test	edi, edi	; case 0xF
		jnz	short loc_7DABBB

loc_7DAB7C:				; CODE XREF: WmiQueryTraceInformation+15Bj
		cmp	_EtwpInitialized, 0
		jz	loc_8F78EF
		cmp	[ebp+arg_8], 4
		jnz	loc_8F746C
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_7DABA2
		mov	dword ptr [eax], offset	_EtwpWdfNotifyRoutines
		jmp	short loc_7DAB49
; 

loc_7DABA2:				; CODE XREF: WmiQueryTraceInformation+DBj
					; WmiQueryTraceInformation+108j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C00000F0h
		jmp	loc_7DAB0B
; 

loc_7DABB3:				; CODE XREF: WmiQueryTraceInformation+EAj
		mov	dword ptr [edi], 4
		jmp	short loc_7DAB52
; 

loc_7DABBB:				; CODE XREF: WmiQueryTraceInformation+114j
		mov	dword ptr [edi], 4
		jmp	short loc_7DAB7C
WmiQueryTraceInformation endp

; 
		db 8Dh
		db 49h,	0
off_7DABC6	dd offset loc_8F7433	; DATA XREF: WmiQueryTraceInformation+3Fr
					; jump table for switch	statement
		dd offset loc_8F74B7	; case 0x1
		dd offset loc_8F750D	; case 0x2
		dd offset loc_8F7560	; case 0x3
		dd offset loc_8F759A	; case 0x4
		dd offset loc_8F760E	; case 0x5
		dd offset loc_8F761A	; case 0x6
		dd offset loc_8F76B8	; case 0x7
		dd offset loc_7DAAAC	; case 0x8
		dd offset loc_8F7805	; case 0x9
		dd offset loc_8F7762	; case 0xA
		dd offset loc_7DAB1D	; case 0xB
		dd offset loc_8F7900	; case 0xC
		dd offset loc_7DAB4E	; case 0xD
		dd offset loc_8F7937	; default
		dd offset loc_7DAB78	; case 0xF

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemDisableContextProviders(x, x)
_WdipSemDisableContextProviders@8 proc near ; CODE XREF: WdipSemDisableScenario+85p
					; WdipTimeoutCheckRoutine+11BB6Ep

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	[ebp+var_1], dl
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_7DAC4E
		mov	ebx, [ecx+18h]
		xor	edi, edi
		cmp	[ebx+30h], edi
		jbe	short loc_7DAC4E
		lea	eax, [ebx+38h]
		lea	esi, [ecx+24h]
		mov	[ebp+var_8], eax

loc_7DAC2B:				; CODE XREF: WdipSemDisableContextProviders(x,x)+46j
		cmp	dword ptr [esi], 0
		mov	ecx, [eax]
		jl	short loc_7DAC3F
		call	WdipSemDisableContextProvider
		mov	dl, [ebp+var_1]
		mov	[esi], eax
		mov	eax, [ebp+var_8]

loc_7DAC3F:				; CODE XREF: WdipSemDisableContextProviders(x,x)+2Aj
		inc	edi
		add	eax, 4
		add	esi, 4
		mov	[ebp+var_8], eax
		cmp	edi, [ebx+30h]
		jb	short loc_7DAC2B

loc_7DAC4E:				; CODE XREF: WdipSemDisableContextProviders(x,x)+10j
					; WdipSemDisableContextProviders(x,x)+1Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_WdipSemDisableContextProviders@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemDisableContextProvider proc near	; CODE XREF: WdipSemDisableContextProviders(x,x)+2Cp

var_6		= byte ptr -6
var_5		= byte ptr -5

; FUNCTION CHUNK AT 008F7964 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+14h+var_5], dl
		dec	word ptr [eax+13Ch]
		mov	ebx, ecx
		push	edi
		nop
		xor	edx, edx
		mov	ecx, offset dword_6BDB84
		call	ExAcquirePushLockExclusiveEx
		test	ebx, ebx
		jz	loc_8F7964
		mov	dl, [esp+18h+var_5]
		mov	ecx, ebx
		call	WdipSemCaptureState
		cmp	dword ptr [ebx+20h], 1
		jz	short loc_7DACD4
		mov	edi, [ebx+28h]
		mov	eax, offset _WdipContextLoggerId
		mov	ecx, _WdipContextLoggerId
		xchg	ecx, [eax]
		sub	dword ptr [edi+48h], 1
		jnz	short loc_7DACD4
		mov	edx, ebx
		cmp	[edi+28h], esi
		jnz	short loc_7DACF5
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		call	_WdipSemEnableDisableTrace@28 ;	WdipSemEnableDisableTrace(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7DACD4
		push	8
		xor	eax, eax
		add	edi, 30h
		pop	ecx
		rep stosd

loc_7DACD4:				; CODE XREF: WdipSemDisableContextProvider+47j
					; WdipSemDisableContextProvider+5Dj ...
		xor	edx, edx
		mov	ecx, offset dword_6BDB84
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7DACF5:				; CODE XREF: WdipSemDisableContextProvider+64j
		movzx	eax, byte ptr [edi+10h]
		push	1
		push	dword ptr [edi+20h]
		push	dword ptr [edi+1Ch]
		push	dword ptr [edi+18h]
		push	eax
		call	_WdipSemEnableDisableTrace@28 ;	WdipSemEnableDisableTrace(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7DACD4
		mov	al, [edi+10h]
		mov	[edi+30h], al
		mov	eax, [edi+18h]
		mov	[edi+38h], eax
		mov	eax, [edi+1Ch]
		mov	[edi+3Ch], eax
		mov	eax, [edi+20h]
		mov	[edi+40h], eax
		jmp	short loc_7DACD4
WdipSemDisableContextProvider endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemEnableDisableTrace(x, x, x, x, x, x,	x)
_WdipSemEnableDisableTrace@28 proc near	; CODE XREF: WdipSemCaptureState+CE590p
					; WdipSemCaptureState+CE5B3p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, edx
		movzx	eax, cx
		test	esi, esi
		jz	short loc_7DAD66
		test	cx, cx
		jz	short loc_7DAD66
		push	[ebp+arg_C]
		xor	ecx, ecx
		cdq
		push	ecx
		push	ecx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	[ebp+arg_10]
		push	edx
		push	eax
		push	ecx
		push	esi
		call	_EtwEnableTrace@44 ; EtwEnableTrace(x,x,x,x,x,x,x,x,x,x,x)

loc_7DAD5F:				; CODE XREF: WdipSemEnableDisableTrace(x,x,x,x,x,x,x)+41j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7DAD66:				; CODE XREF: WdipSemEnableDisableTrace(x,x,x,x,x,x,x)+11j
					; WdipSemEnableDisableTrace(x,x,x,x,x,x,x)+16j
		mov	eax, 0C000000Dh
		jmp	short loc_7DAD5F
_WdipSemEnableDisableTrace@28 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 287. EtwEnableTrace

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwEnableTrace(x, x, x, x, x, x, x,	x, x, x, x)
		public _EtwEnableTrace@44
_EtwEnableTrace@44 proc	near		; CODE XREF: WdipSemEnableDisableTrace(x,x,x,x,x,x,x)+30p
					; EtwWmitraceWorker()+11Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edx, [ebp+arg_0]
		mov	ecx, [eax+1F0h]
		xor	eax, eax
		push	eax		; int
		push	eax		; int
		push	eax		; void *
		push	eax		; int
		push	eax		; void *
		push	eax		; int
		push	eax		; void *
		push	eax		; int
		push	eax		; int
		push	[ebp+arg_28]	; int
		push	[ebp+arg_24]	; int
		push	[ebp+arg_20]	; int
		push	[ebp+arg_1C]	; int
		push	[ebp+arg_18]	; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; size_t
		push	[ebp+arg_C]	; int
		push	dword ptr [ebp+arg_8] ;	__int16
		push	[ebp+arg_4]	; int
		call	EtwpEnableTrace
		mov	esp, ebp
		pop	ebp
		retn	2Ch
_EtwEnableTrace@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall WdipSemValidateEndEvent(void *,int,int)
WdipSemValidateEndEvent	proc near	; CODE XREF: WdipSemDisableScenario+76p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= word ptr -2
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F796E SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	[ebp+var_2], dx
		mov	[ebp+var_C], ecx
		push	esi
		test	ecx, ecx
		jz	short loc_7DAE20
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_7DAE20
		mov	edx, [eax+34h]
		xor	esi, esi
		mov	[ebp+var_8], edx
		push	ebx
		push	edi
		mov	edi, esi
		test	edx, edx
		jz	short loc_7DAE27
		lea	ebx, [eax+228h]

loc_7DADED:				; CODE XREF: WdipSemValidateEndEvent+11CBC2j
		mov	eax, [ebx]
		push	10h		; size_t
		push	eax		; void *
		push	ecx		; void *
		mov	[ebp+arg_0], eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8F796E
		mov	eax, [ebp+arg_0]
		mov	cx, [ebp+var_2]
		cmp	cx, [eax+10h]
		jnz	loc_8F796E

loc_7DAE17:				; CODE XREF: WdipSemValidateEndEvent+70j
		pop	edi
		pop	ebx

loc_7DAE19:				; CODE XREF: WdipSemValidateEndEvent+69j
		mov	eax, esi
		pop	esi
		leave
		retn	4
; 

loc_7DAE20:				; CODE XREF: WdipSemValidateEndEvent+12j
					; WdipSemValidateEndEvent+19j
		mov	esi, 0C000000Dh
		jmp	short loc_7DAE19
; 

loc_7DAE27:				; CODE XREF: WdipSemValidateEndEvent+29j
					; WdipSemValidateEndEvent+11CBB9j
		mov	esi, 0C0000001h
		jmp	short loc_7DAE17
WdipSemValidateEndEvent	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1907. PsSetProcessDxgProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetProcessDxgProcess(x, x)
		public _PsSetProcessDxgProcess@8
_PsSetProcessDxgProcess@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[eax+434h], ecx
		pop	ebp
		retn	8
_PsSetProcessDxgProcess@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 215. CcMdlReadComplete

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcMdlReadComplete(x, x)
		public _CcMdlReadComplete@8
_CcMdlReadComplete@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	IoGetRelatedDeviceObject
		mov	edx, eax
		mov	ecx, [edx+8]
		mov	ecx, [ecx+28h]
		test	ecx, ecx
		jz	short loc_7DAE84
		cmp	dword ptr [ecx], 4Ch
		jbe	short loc_7DAE84
		mov	eax, [ecx+44h]
		test	eax, eax
		jz	short loc_7DAE84
		push	edx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax
		test	al, al
		jz	short loc_7DAE84

loc_7DAE80:				; CODE XREF: CcMdlReadComplete(x,x)+3Ej
		pop	ebp
		retn	8
; 

loc_7DAE84:				; CODE XREF: CcMdlReadComplete(x,x)+17j
					; CcMdlReadComplete(x,x)+1Cj ...
		mov	edx, [ebp+arg_4]
		call	_CcMdlReadComplete2@8 ;	CcMdlReadComplete2(x,x)
		jmp	short loc_7DAE80
_CcMdlReadComplete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDereferencePerSessionProtos(x, x)
_MiDereferencePerSessionProtos@8 proc near ; CODE XREF:	MiDeleteVad(x,x,x)+1083p
					; MiRemoveFromSystemSpace+362p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, large fs:124h
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	edi
		mov	[ebp+var_C], ebx
		mov	edi, [esi]
		dec	word ptr [ebx+13Eh]
		nop
		add	edi, 1Ch
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		add	esi, 50h
		jz	short loc_7DAEE1
		mov	ebx, [ebp+var_8]

loc_7DAECA:				; CODE XREF: MiDereferencePerSessionProtos(x,x)+4Ej
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	_MiDereferenceSubsectionProtos@12 ; MiDereferenceSubsectionProtos(x,x,x)
		mov	esi, [esi+8]
		test	esi, esi
		jnz	short loc_7DAECA
		mov	ebx, [ebp+var_C]

loc_7DAEE1:				; CODE XREF: MiDereferencePerSessionProtos(x,x)+37j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7DAF09

loc_7DAEEE:				; CODE XREF: MiDereferencePerSessionProtos(x,x)+82j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		lea	ecx, [ebp+var_4]
		call	_MiFreeSubsectionProtos@4 ; MiFreeSubsectionProtos(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7DAF09:				; CODE XREF: MiDereferencePerSessionProtos(x,x)+5Ej
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7DAEEE
_MiDereferencePerSessionProtos@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDereferenceSubsectionProtos(x, x,	x)
_MiDereferenceSubsectionProtos@12 proc near
					; CODE XREF: MiDereferencePerSessionProtos(x,x)+44p
					; MiCreatePerSessionProtos+11CA3Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+12h], 2
		jnz	short loc_7DAF25

loc_7DAF20:				; CODE XREF: MiDereferenceSubsectionProtos(x,x,x)+40j
		pop	esi
		pop	ebp
		retn	4
; 

loc_7DAF25:				; CODE XREF: MiDereferenceSubsectionProtos(x,x,x)+Cj
		push	edi
		call	_MiLocateSessionProtosInSubsection@8 ; MiLocateSessionProtosInSubsection(x,x)
		mov	edi, eax
		sub	dword ptr [edi+28h], 1
		jnz	short loc_7DAF51
		mov	ecx, [esi]
		mov	edx, esi
		push	0
		push	edi
		call	_MiUpdatePerSessionProto@16 ; MiUpdatePerSessionProto(x,x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	eax, [esi+1Ch]
		mov	[edi+28h], eax
		mov	[edi+20h], esi
		mov	eax, [ecx]
		mov	[edi], eax
		mov	[ecx], edi

loc_7DAF51:				; CODE XREF: MiDereferenceSubsectionProtos(x,x,x)+1Fj
		pop	edi
		jmp	short loc_7DAF20
_MiDereferenceSubsectionProtos@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreatePerSessionProtos proc near	; CODE XREF: MiInsertInSystemSpace+5D2p
					; MiCloneImageVad+96F60p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F7983 SIZE 00000052 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		mov	[ebp+var_14], esi
		push	edi
		cmp	ebx, 7FFFFh
		jnb	loc_7DB017

loc_7DAF76:				; CODE XREF: MiCreatePerSessionProtos+C6j
		mov	ecx, large fs:124h
		mov	edi, [esi]
		mov	[ebp+var_10], ecx
		dec	word ptr [ecx+13Eh]
		nop
		add	edi, 1Ch
		xor	edx, edx
		mov	ecx, edi
		mov	[ebp+var_18], edi
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [esi+50h]
		mov	[ebp+var_8], eax
		mov	esi, eax

loc_7DAFA1:				; CODE XREF: MiCreatePerSessionProtos+5Aj
		test	esi, esi
		jz	short loc_7DAFEF
		test	byte ptr [esi+12h], 2
		jnz	short loc_7DAFB0

loc_7DAFAB:				; CODE XREF: MiCreatePerSessionProtos+99j
					; MiCreatePerSessionProtos+C1j
		mov	esi, [esi+8]
		jmp	short loc_7DAFA1
; 

loc_7DAFB0:				; CODE XREF: MiCreatePerSessionProtos+55j
		mov	edx, ebx
		mov	ecx, esi
		call	_MiLocateSessionProtosInSubsection@8 ; MiLocateSessionProtosInSubsection(x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_7DB012
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		push	0
		push	0
		call	MiAllocatePerSessionProtos
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	loc_8F7983
		mov	eax, [ebp+var_4]
		mov	edx, esi
		mov	ecx, [ebp+var_14]
		push	1
		push	eax
		mov	[eax+20h], ebx
		call	_MiUpdatePerSessionProto@16 ; MiUpdatePerSessionProto(x,x,x,x)
		jmp	short loc_7DAFAB
; 

loc_7DAFEF:				; CODE XREF: MiCreatePerSessionProtos+4Fj
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7DB027

loc_7DAFFC:				; CODE XREF: MiCreatePerSessionProtos+DAj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_10]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		xor	eax, eax

loc_7DB00D:				; CODE XREF: MiCreatePerSessionProtos+D1j
					; MiCreatePerSessionProtos+11CA7Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7DB012:				; CODE XREF: MiCreatePerSessionProtos+6Aj
		inc	dword ptr [eax+28h]
		jmp	short loc_7DAFAB
; 

loc_7DB017:				; CODE XREF: MiCreatePerSessionProtos+1Cj
		cmp	ebx, 0FFFFFFFFh
		jz	loc_7DAF76
		mov	eax, 0C00000CEh
		jmp	short loc_7DB00D
; 

loc_7DB027:				; CODE XREF: MiCreatePerSessionProtos+A6j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7DAFFC
MiCreatePerSessionProtos endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocatePerSessionProtos proc	near	; CODE XREF: MiCreatePerSessionProtos+76p
					; MiCreateSessionDriverProtos(x,x,x)+A0p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F79D5 SIZE 0000013B BYTES
; FUNCTION CHUNK AT 008F7B53 SIZE 0000003D BYTES

		push	54h
		push	offset dword_6A42D8
		call	__SEH_prolog4
		mov	[ebp+var_38], edx
		mov	[ebp+var_1C], ecx
		xor	esi, esi
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		mov	ebx, esi
		mov	[ebp+var_2C], esi
		mov	eax, [ecx]
		mov	[ebp+var_3C], eax
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	[ebp+var_40], eax
		push	esi
		mov	edx, [ecx+1Ch]
		mov	ecx, eax
		call	MiChargeCommit
		test	eax, eax
		jz	loc_8F79D5
		push	esi
		push	40h
		mov	edx, 73536D4Dh
		push	2Ch
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_24], edi
		mov	[ebp+var_50], edi
		test	edi, edi
		jz	loc_8F79DF
		mov	dword ptr [edi+28h], 1
		mov	ecx, [ebp+var_1C]
		mov	ecx, [ecx+1Ch]
		shl	ecx, 3
		push	esi
		push	112h
		mov	edx, 74536D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_8F79DF
		mov	[edi+24h], ecx
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+1Ch]
		shl	eax, 3
		push	eax		; size_t
		push	esi		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, [ebp+var_1C]
		call	_MiMakeSubsectionPte@4 ; MiMakeSubsectionPte(x)
		mov	[ebp+var_44], eax
		mov	[ebp+var_48], edx
		lea	ecx, [edi+0Ch]
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_54], ecx
		mov	eax, [ecx+0Ch]
		and	eax, 0FFFFFFFBh
		or	eax, 3
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+var_1C]
		mov	edx, [eax+4]
		mov	[ebp+var_34], edx
		mov	ecx, esi
		mov	[ebp+var_20], ecx
		cmp	[eax+1Ch], esi
		jbe	loc_7DB18C
		mov	edi, eax
		mov	ebx, [ebp+var_30]
		mov	esi, [ebp+var_38]

loc_7DB114:				; CODE XREF: MiAllocatePerSessionProtos+153j
		mov	edx, [edx]
		mov	[ebp+var_30], edx
		nop
		mov	ecx, [ebp+var_34]
		mov	eax, [ecx+4]
		mov	[ebp+var_28], eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	loc_8F79E9
		mov	eax, [ebp+var_28]
		push	eax
		push	edx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	[ebp+var_30], eax
		mov	ecx, edx
		mov	[ebp+var_28], ecx
		mov	edx, eax

loc_7DB144:				; CODE XREF: MiAllocatePerSessionProtos+11C9BCj
		mov	eax, edx
		or	eax, ecx
		jz	loc_7DB1E4
		test	esi, esi
		jnz	short loc_7DB16D
		push	ecx
		push	edx
		call	_IS_PTE_NOT_DEMAND_ZERO@8 ; IS_PTE_NOT_DEMAND_ZERO(x,x)
		test	eax, eax
		jz	loc_8F79F1
		mov	eax, [ebp+var_44]
		mov	[ebx], eax
		nop
		mov	eax, [ebp+var_48]

loc_7DB16A:				; CODE XREF: MiAllocatePerSessionProtos+11C9CAj
		mov	[ebx+4], eax

loc_7DB16D:				; CODE XREF: MiAllocatePerSessionProtos+120j
		add	ebx, 8
		mov	edx, [ebp+var_34]
		add	edx, 8
		mov	[ebp+var_34], edx
		mov	ecx, [ebp+var_20]
		inc	ecx
		mov	[ebp+var_20], ecx
		cmp	ecx, [edi+1Ch]
		jb	short loc_7DB114

loc_7DB185:				; CODE XREF: MiAllocatePerSessionProtos+1B7j
		xor	esi, esi
		mov	ebx, esi
		mov	edi, [ebp+var_24]

loc_7DB18C:				; CODE XREF: MiAllocatePerSessionProtos+D6j
		mov	[edi+1Ch], ecx
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+var_2C]
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)
		mov	eax, [edi+24h]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+var_38]
		test	eax, eax
		jnz	loc_8F79FF

loc_7DB1AB:				; CODE XREF: MiAllocatePerSessionProtos+11CADBj
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		mov	[ebp+var_24], esi
		mov	edi, esi

loc_7DB1B5:				; CODE XREF: MiAllocatePerSessionProtos+11C9B4j
					; MiAllocatePerSessionProtos+11CAD2j ...
		test	ebx, ebx
		jnz	sub_8F7B41

loc_7DB1BD:				; CODE XREF: sub_8F7B41+Dj
		mov	ebx, [ebp+var_24]
		test	ebx, ebx
		jnz	loc_8F7B53

loc_7DB1C8:				; CODE XREF: MiAllocatePerSessionProtos+11CB48j
		test	edi, edi
		js	loc_8F7B7D

loc_7DB1D0:				; CODE XREF: MiAllocatePerSessionProtos+11CB5Bj
		mov	eax, edi

loc_7DB1D2:				; CODE XREF: MiAllocatePerSessionProtos+11C9AAj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7DB1E4:				; CODE XREF: MiAllocatePerSessionProtos+118j
		mov	ecx, [ebp+var_20]
		jmp	short loc_7DB185
MiAllocatePerSessionProtos endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiFreeSubsectionProtos(x)
_MiFreeSubsectionProtos@4 proc near	; CODE XREF: MiDereferencePerSessionProtos(x,x)+71p
					; MiCreatePerSessionProtos+11CA74p
		mov	edi, edi
		push	esi
		mov	esi, ecx

loc_7DB1EF:				; CODE XREF: MiFreeSubsectionProtos(x)+14j
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_7DB200
		mov	eax, [ecx]
		mov	[esi], eax
		call	MiDeletePerSessionProtos
		jmp	short loc_7DB1EF
; 

loc_7DB200:				; CODE XREF: MiFreeSubsectionProtos(x)+9j
		pop	esi
		retn
_MiFreeSubsectionProtos@4 endp


;  S U B	R O U T	I N E 


; __stdcall SSHSupportAllocatePaged(x, x)
_SSHSupportAllocatePaged@8 proc	near	; CODE XREF: SleepstudyHelperCreateBlockerFromGuid+33p
					; SleepstudyHelperSetBlockerFriendlyName+2Cp ...
		mov	edi, edi
		push	edx
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
_SSHSupportAllocatePaged@8 endp


;  S U B	R O U T	I N E 


CmpTrimHive	proc near		; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+2A3p
					; CmpUpdatePhaseAccessBit()+26p

; FUNCTION CHUNK AT 008F7B90 SIZE 00000014 BYTES

		cmp	_CmpAccessBitForPhase, 2
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		jnz	short loc_7DB230
		mov	esi, [edi+0BE0h]
		test	esi, esi
		jnz	short loc_7DB234
		mov	esi, [edi+0BE4h]
		test	esi, esi
		jnz	short loc_7DB234

loc_7DB230:				; CODE XREF: CmpTrimHive+Cj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7DB234:				; CODE XREF: CmpTrimHive+16j
					; CmpTrimHive+20j
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		lea	ebx, [edi+24h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		lea	ecx, [edi+28h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+0C8h]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		mov	[edi+0BE4h], esi
		mov	[edi+0BE8h], eax
		call	HvTrimHive
		or	eax, 0FFFFFFFFh
		lea	esi, [edi+28h]
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_8F7B90

loc_7DB27D:				; CODE XREF: CmpTrimHive+11C984j
					; CmpTrimHive+11C991j
		mov	ecx, esi
		call	KeAbPostRelease
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_7DB299
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7DB299:				; CODE XREF: CmpTrimHive+82j
		mov	ecx, ebx
		call	KeAbPostRelease
		pop	edi
		pop	esi
		pop	ebx
		jmp	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
CmpTrimHive	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvTrimHive	proc near		; CODE XREF: CmpTrimHive+58p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F7BA4 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx

loc_7DB2B4:				; CODE XREF: HvTrimHive+40j
		cmp	esi, [ebp+arg_0]
		jnb	short loc_7DB2EA
		mov	edx, esi
		mov	ecx, edi
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	edx, eax
		mov	ebx, [edx+4]
		test	bl, 2
		jnz	short loc_7DB2E2
		mov	ecx, ebx
		or	ecx, 4
		mov	[edx+4], ecx
		test	cl, 1
		jz	short loc_7DB2E2
		test	bl, 8
		jnz	loc_8F7BA4

loc_7DB2E2:				; CODE XREF: HvTrimHive+22j
					; HvTrimHive+2Fj ...
		add	esi, 1000h
		jmp	short loc_7DB2B4
; 

loc_7DB2EA:				; CODE XREF: HvTrimHive+Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
HvTrimHive	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpApplyEventIdPayloadFilterOnUserEvent(__int16,int,int,void *)
EtwpApplyEventIdPayloadFilterOnUserEvent proc near
					; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+380p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	0Ch
		push	offset dword_6A42F8
		call	__SEH_prolog4
		mov	esi, ecx
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+arg_4]
		add	eax, 28h
		movzx	ecx, word ptr [eax]
		mov	[ebp+var_1C], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	0		; char
		push	1		; char
		push	[ebp+arg_C]	; void *
		push	[ebp+arg_8]	; int
		push	ecx		; int
		push	eax		; int
		push	dword ptr [ebp+arg_0] ;	__int16
		mov	ecx, esi
		call	EtwpApplyEventIdPayloadFilter

loc_7DB32D:				; CODE XREF: sub_8F7BC8+Cj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
EtwpApplyEventIdPayloadFilterOnUserEvent endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ExpWnfFreeScopeInstance(x, x)
_ExpWnfFreeScopeInstance@8 proc	near	; CODE XREF: ExpWnfDeleteScopeById(x,x,x)+A5p
					; ExpWnfResolveScopeInstance+148947p ...
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		test	dl, dl
		jz	short loc_7DB391
		lea	ecx, [esi+4]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, [esi+20h]
		test	ecx, ecx
		jz	short loc_7DB38D

loc_7DB35A:				; CODE XREF: ExpWnfFreeScopeInstance(x,x)+27j
					; ExpWnfFreeScopeInstance(x,x)+38j ...
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_7DB369
		mov	eax, ecx
		mov	ecx, edx
		and	dword ptr [eax], 0
		jmp	short loc_7DB35A
; 

loc_7DB369:				; CODE XREF: ExpWnfFreeScopeInstance(x,x)+1Ej
		mov	edx, [ecx+4]
		test	edx, edx
		jz	short loc_7DB37A
		mov	eax, ecx
		mov	ecx, edx
		and	dword ptr [eax+4], 0
		jmp	short loc_7DB35A
; 

loc_7DB37A:				; CODE XREF: ExpWnfFreeScopeInstance(x,x)+2Ej
		mov	edi, [ecx+8]
		push	esi
		push	ecx
		call	_ExpWnfDeleteNameInstanceCallback@8 ; ExpWnfDeleteNameInstanceCallback(x,x)
		and	edi, 0FFFFFFFCh
		jz	short loc_7DB38D
		mov	ecx, edi
		jmp	short loc_7DB35A
; 

loc_7DB38D:				; CODE XREF: ExpWnfFreeScopeInstance(x,x)+18j
					; ExpWnfFreeScopeInstance(x,x)+47j
		and	dword ptr [esi+20h], 0

loc_7DB391:				; CODE XREF: ExpWnfFreeScopeInstance(x,x)+9j
		mov	eax, [esi+24h]
		test	eax, eax
		jnz	short loc_7DB3AE

loc_7DB398:				; CODE XREF: ExpWnfFreeScopeInstance(x,x)+74j
		mov	eax, [esi+28h]
		test	eax, eax
		jnz	short loc_7DB3B6

loc_7DB39F:				; CODE XREF: ExpWnfFreeScopeInstance(x,x)+7Cj
		push	20666E57h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_7DB3AE:				; CODE XREF: ExpWnfFreeScopeInstance(x,x)+56j
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_7DB398
; 

loc_7DB3B6:				; CODE XREF: ExpWnfFreeScopeInstance(x,x)+5Dj
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_7DB39F
_ExpWnfFreeScopeInstance@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfDeleteNameInstanceCallback(x,	x)
_ExpWnfDeleteNameInstanceCallback@8 proc near ;	CODE XREF: ExpWnfFreeScopeInstance(x,x)+3Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		lea	ecx, [esi-4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	ecx, [ebp+arg_4]
		lea	edx, [esi-8]
		push	0
		call	ExpWnfDeleteNameInstance
		pop	esi
		pop	ebp
		retn	8
_ExpWnfDeleteNameInstanceCallback@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpCreateSymbolicLinkName proc near	; CODE XREF: PAGE:0081715Cp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= word ptr -38h
var_36		= word ptr -36h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 008F7BD9 SIZE 000000B7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		mov	ebx, ecx
		xor	eax, eax
		push	esi
		push	edi
		xor	ecx, ecx
		mov	[ebp+var_38], ax
		lea	esi, [ebx-18h]
		mov	[ebp+var_20], ebx
		mov	al, [esi+0Eh]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ecx
		push	40h
		pop	edi
		mov	[ebp+var_18], edi
		test	al, 2
		jz	loc_8F7BD9
		movzx	eax, al
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	esi, eax

loc_7DB423:				; CODE XREF: ObpCreateSymbolicLinkName+11C7F9j
		test	esi, esi
		jz	short loc_7DB431
		mov	eax, [esi]
		cmp	[eax+98h], ecx
		jnz	short loc_7DB436

loc_7DB431:				; CODE XREF: ObpCreateSymbolicLinkName+43j
					; ObpCreateSymbolicLinkName+5Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7DB436:				; CODE XREF: ObpCreateSymbolicLinkName+4Dj
		push	4
		pop	eax
		cmp	[esi+4], ax
		jnz	short loc_7DB431
		mov	eax, [esi+8]
		cmp	word ptr [eax+2], 3Ah
		jnz	short loc_7DB431
		mov	cx, [eax]
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		movzx	ecx, ax
		lea	eax, [ecx-41h]
		cmp	ax, 19h
		ja	short loc_7DB431
		and	[ebp+var_48], 0
		sub	ecx, edi
		and	[ebp+var_44], 0
		mov	[ebx+10h], ecx
		mov	eax, [esi]
		mov	[ebp+var_14], eax
		xor	al, al
		mov	[ebp+var_2], al
		mov	[ebp+var_36], 0
		mov	[ebp+var_1], al
		mov	[ebp+var_34], 0FFFF1234h
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		mov	ecx, eax
		call	_OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO@4 ; OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO(x)
		mov	edi, eax
		mov	ecx, edi
		mov	[ebp+var_10], edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	esi, [ebx+0Ch]
		mov	eax, [ebx+8]
		mov	[ebp+var_28], eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_24], esi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		xor	ebx, ebx
		mov	[ebp+var_1C], eax
		inc	ebx

loc_7DB4B6:				; CODE XREF: ObpCreateSymbolicLinkName+11C87Aj
		test	byte ptr [ebp+var_24], 7
		mov	[ebp+var_8], edi
		jnz	loc_8F7BFE
		mov	eax, [eax]
		mov	[ebp+var_8], edi
		mov	edx, [eax]
		test	edx, edx
		jz	loc_8F7BFE
		mov	ecx, edi
		mov	di, word ptr [ebp+var_28]
		push	8
		pop	eax
		mov	[ebp+var_8], ecx
		cmp	di, ax
		jb	short loc_7DB502
		mov	eax, [esi]
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_8], ecx
		cmp	eax, ds:_ObpDosDevicesShortNamePrefix
		jnz	short loc_7DB502
		mov	eax, [esi+4]
		cmp	eax, ds:off_A40164
		jz	loc_8F7BE0

loc_7DB502:				; CODE XREF: ObpCreateSymbolicLinkName+FFj
					; ObpCreateSymbolicLinkName+10Fj ...
		push	5Ch
		pop	edx
		cmp	[esi], dx
		jnz	short loc_7DB51C
		add	esi, 2
		mov	eax, 0FFFEh
		add	di, ax
		mov	[ebp+var_C], esi
		mov	word ptr [ebp+var_28], di

loc_7DB51C:				; CODE XREF: ObpCreateSymbolicLinkName+126j
		mov	eax, [ebp+var_28]
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], esi
		test	di, di
		jz	short loc_7DB543
		mov	eax, 0FFFEh

loc_7DB52F:				; CODE XREF: ObpCreateSymbolicLinkName+158j
		cmp	[esi], dx
		jz	short loc_7DB53C
		add	esi, 2
		add	di, ax
		jnz	short loc_7DB52F

loc_7DB53C:				; CODE XREF: ObpCreateSymbolicLinkName+150j
		mov	word ptr [ebp+var_28], di
		mov	[ebp+var_C], esi

loc_7DB543:				; CODE XREF: ObpCreateSymbolicLinkName+146j
		sub	word ptr [ebp+var_30], di
		jz	loc_7DB6B3
		cmp	ecx, [ebp+var_14]
		jz	loc_8F7C0A
		xor	al, al
		mov	[ebp+var_2], al
		mov	[ebp+var_1], al

loc_7DB55E:				; CODE XREF: ObpCreateSymbolicLinkName+11C83Aj
		lea	eax, [ebp+var_48]
		push	eax
		push	0
		push	0
		push	0
		lea	edx, [ebp+var_30]
		call	ObpLookupDirectoryEntryEx
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		cmp	ecx, [ebp+var_14]
		jz	loc_8F7C21
		mov	al, byte ptr [ebp+var_36+1]
		mov	[ebp+var_1], al
		mov	al, byte ptr [ebp+var_36]
		mov	[ebp+var_2], al

loc_7DB58A:				; CODE XREF: ObpCreateSymbolicLinkName+11C84Bj
		test	esi, esi
		jz	short loc_7DB5CE
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, _ObpDirectoryObjectType
		jnz	short loc_7DB5C2
		mov	ecx, esi
		mov	esi, [ebp+var_C]
		mov	[ebp+var_8], ecx
		jmp	loc_7DB502
; 

loc_7DB5C2:				; CODE XREF: ObpCreateSymbolicLinkName+1D1j
		cmp	eax, _ObpSymbolicLinkObjectType
		jz	loc_8F7C32

loc_7DB5CE:				; CODE XREF: ObpCreateSymbolicLinkName+1AAj
					; ObpCreateSymbolicLinkName+11C854j ...
		mov	ecx, [ebp+var_20]
		add	ecx, 0FFFFFFE8h
		movzx	eax, byte ptr [ecx+0Eh]
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		mov	eax, [ecx]
		mov	edi, [eax+98h]
		test	esi, esi
		jz	short loc_7DB65A
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, ds:_IoDeviceObjectType
		jnz	short loc_7DB65A
		mov	eax, [esi+2Ch]
		cmp	eax, 13h
		ja	loc_8F7C71
		cmp	eax, 12h
		jnb	loc_8F7C84
		cmp	eax, 2
		jb	loc_7DB6C8
		cmp	eax, 3
		jbe	loc_8F7C6D
		cmp	eax, 6
		jbe	loc_7DB6C8
		cmp	eax, 9
		ja	loc_8F7C68
		mov	eax, [esi+20h]
		not	eax
		and	ebx, eax
		add	ebx, 2

loc_7DB65A:				; CODE XREF: ObpCreateSymbolicLinkName+20Cj
					; ObpCreateSymbolicLinkName+233j ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	esi, [ebp+var_1C]
		xor	edx, edx
		lea	eax, [esi+70h]
		mov	ecx, eax
		mov	[ebp+var_1C], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_20]
		mov	ecx, [eax+10h]
		mov	[ecx+edi+13h], bl
		lea	edx, [ecx-1]
		mov	eax, [edi+10h]
		bts	eax, edx
		mov	[edi+10h], eax
		cmp	edi, [esi]
		jnz	short loc_7DB6CC
		mov	eax, [esi+4]
		bts	eax, edx
		mov	[esi+4], eax

loc_7DB69D:				; CODE XREF: ObpCreateSymbolicLinkName+2EEj
		mov	ecx, [ebp+var_1C]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_7DB6B3:				; CODE XREF: ObpCreateSymbolicLinkName+165j
		lea	ecx, [ebp+var_48]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)
		mov	ecx, [ebp+var_10]
		call	ObfDereferenceObject
		jmp	loc_7DB431
; 

loc_7DB6C8:				; CODE XREF: ObpCreateSymbolicLinkName+24Dj
					; ObpCreateSymbolicLinkName+25Fj ...
		xor	ebx, ebx
		jmp	short loc_7DB65A
; 

loc_7DB6CC:				; CODE XREF: ObpCreateSymbolicLinkName+2B0j
		inc	dword ptr [esi+ecx*4+4]
		jmp	short loc_7DB69D
ObpCreateSymbolicLinkName endp

; 
		align 8
; Exported entry 1498. NtAllocateUuids

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtAllocateUuids
NtAllocateUuids	proc near		; DATA XREF: .text:00581254o

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F7C90 SIZE 0000006A BYTES

		push	28h
		push	offset dword_6A4318
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], edx
		mov	[ebp+ms_exc.disabled], edx
		mov	eax, large fs:124h
		mov	[ebp+var_30], eax
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	ebx, [ebp+arg_0]
		test	al, al
		jz	loc_8F7C9E
		test	bl, 3
		jnz	loc_7DB865
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8F7C90

loc_7DB728:				; CODE XREF: NtAllocateUuids+11C5BAj
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+4]
		mov	[ebx+4], al
		mov	ecx, [ebp+arg_4]
		test	cl, 3
		jnz	loc_7DB865
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_7DB749
		mov	ecx, eax

loc_7DB749:				; CODE XREF: NtAllocateUuids+6Dj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		test	cl, 3
		jnz	loc_7DB865
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_7DB764
		mov	ecx, eax

loc_7DB764:				; CODE XREF: NtAllocateUuids+88j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	esi, [ebp+arg_C]
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8F7C97

loc_7DB778:				; CODE XREF: NtAllocateUuids+11C5C1j
		mov	al, [esi]
		mov	[esi], al
		mov	al, [esi+5]
		mov	[esi+5], al

loc_7DB782:				; CODE XREF: NtAllocateUuids+11C5C9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, large fs:124h
		mov	[ebp+arg_0], eax
		dec	word ptr [eax+13Ch]
		nop
		push	edx
		xor	edx, edx
		mov	ecx, offset _ExpUuidLock
		call	KeAbPreAcquire
		mov	edi, eax
		mov	eax, offset _ExpUuidLock
		lock bts dword ptr [eax], 0
		jb	loc_8F7CA6

loc_7DB7B9:				; CODE XREF: NtAllocateUuids+11C5D8j
		test	edi, edi
		jz	short loc_7DB7C1
		or	byte ptr [edi+0Eh], 1

loc_7DB7C1:				; CODE XREF: NtAllocateUuids+E3j
		lea	eax, [ebp+var_24]
		push	eax
		lea	edx, [ebp+var_20]
		lea	ecx, [ebp+var_38]
		call	ExpAllocateUuids
		mov	edi, eax
		test	edi, edi
		js	loc_8F7CB5
		call	_ExpUuidSaveSequenceNumberIf@0 ; ExpUuidSaveSequenceNumberIf()
		mov	al, ds:_ExpUuidCacheValid
		mov	byte ptr [ebp+arg_C+3],	al
		or	eax, 0FFFFFFFFh
		mov	edi, offset _ExpUuidLock
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_8F7CE6

loc_7DB7FB:				; CODE XREF: NtAllocateUuids+11C610j
					; NtAllocateUuids+11C61Dj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+arg_0]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_38]
		mov	[ebx], eax
		mov	eax, [ebp+var_34]
		mov	[ebx+4], eax
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		mov	eax, ds:dword_A93E1C+2
		mov	[esi], eax
		mov	ax, word ptr ds:dword_A93E20+2
		mov	[esi+4], ax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	byte ptr [ebp+arg_C+3],	0
		jnz	short loc_7DB861
		mov	eax, 40020056h

loc_7DB84F:				; CODE XREF: NtAllocateUuids+18Bj
					; NtAllocateUuids+11C609j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7DB861:				; CODE XREF: NtAllocateUuids+170j
		xor	eax, eax
		jmp	short loc_7DB84F
; 

loc_7DB865:				; CODE XREF: NtAllocateUuids+3Dj
					; NtAllocateUuids+60j ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
NtAllocateUuids	endp


;  S U B	R O U T	I N E 


; __stdcall ExpUuidSaveSequenceNumberIf()
_ExpUuidSaveSequenceNumberIf@0 proc near ; CODE	XREF: NtAllocateUuids+102p
					; ExUuidCreate+100p
		mov	edi, edi
		push	ecx
		xor	eax, eax
		cmp	ds:_ExpUuidSequenceNumberNotSaved, 1
		jz	short loc_7DB87A

loc_7DB878:				; CODE XREF: ExpUuidSaveSequenceNumberIf()+17j
		pop	ecx
		retn
; 

loc_7DB87A:				; CODE XREF: ExpUuidSaveSequenceNumberIf()+Cj
		call	_ExpUuidSaveSequenceNumber@4 ; ExpUuidSaveSequenceNumber(x)
		test	eax, eax
		js	short loc_7DB878
		mov	ds:_ExpUuidSequenceNumberNotSaved, 0
		pop	ecx
		retn
_ExpUuidSaveSequenceNumberIf@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpAllocateUuids proc near		; CODE XREF: NtAllocateUuids+F3p
					; ExpUuidGetValues(x)+23p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F7D3E SIZE 000000A8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], ecx
		cmp	ds:_ExpUuidSequenceNumberValid,	0
		mov	ebx, edx
		push	edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		jz	loc_7DB96C

loc_7DB8B4:				; CODE XREF: ExpAllocateUuids+10Bj
		lea	eax, [ebp+var_14]
		push	eax
		call	KeQuerySystemTime
		mov	esi, [ebp+var_14]
		mov	edx, esi
		sub	edx, ds:_ExpUuidLastTimeAllocated
		mov	edi, [ebp+var_10]
		mov	ecx, edi
		sbb	ecx, ds:dword_A93E0C
		test	ecx, ecx
		jg	short loc_7DB8E5
		jl	loc_8F7D65
		test	edx, edx
		jb	loc_8F7D65

loc_7DB8E5:				; CODE XREF: ExpAllocateUuids+49j
					; ExpAllocateUuids+11C501j
		mov	eax, edx
		or	eax, ecx
		jz	loc_8F7D92
		cmp	ds:_ExpUuidTimeSequenceNumber, 0
		jnz	loc_8F7DCD

loc_7DB8FC:				; CODE XREF: ExpAllocateUuids+11C548j
		test	ecx, ecx
		jl	loc_8F7DD9
		mov	eax, (offset loc_98967E+2)
		jg	short loc_7DB90F
		cmp	edx, eax
		jbe	short loc_7DB913

loc_7DB90F:				; CODE XREF: ExpAllocateUuids+7Dj
		mov	edx, eax
		xor	ecx, ecx

loc_7DB913:				; CODE XREF: ExpAllocateUuids+81j
		test	ecx, ecx
		jl	loc_8F7DD9
		mov	eax, 2710h
		jg	short loc_7DB92A
		cmp	edx, eax
		jbe	loc_8F7DD9

loc_7DB92A:				; CODE XREF: ExpAllocateUuids+94j
		add	edx, 0FFFFD8F0h
		mov	[ebx], eax
		adc	ecx, 0FFFFFFFFh

loc_7DB935:				; CODE XREF: ExpAllocateUuids+11C555j
		sub	esi, eax
		mov	eax, [ebp+var_C]
		sbb	edi, 0
		sub	esi, edx
		sbb	edi, ecx
		mov	[eax], esi
		mov	[eax+4], edi
		xor	ecx, ecx
		mov	eax, [ebx]
		add	eax, esi
		mov	ds:_ExpUuidLastTimeAllocated, eax
		adc	ecx, edi
		mov	ds:dword_A93E0C, ecx

loc_7DB959:				; CODE XREF: ExpAllocateUuids+11C53Cj
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_ExpUuidSequenceNumber
		mov	[ecx], eax
		xor	eax, eax

loc_7DB965:				; CODE XREF: ExpAllocateUuids+11C515j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7DB96C:				; CODE XREF: ExpAllocateUuids+22j
		call	_ExpUuidLoadSequenceNumber@4 ; ExpUuidLoadSequenceNumber(x)
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_8F7D3E
		mov	ecx, ds:_ExpUuidSequenceNumber
		inc	ecx

loc_7DB983:				; CODE XREF: ExpAllocateUuids+11C4D4j
		mov	ds:_ExpUuidSequenceNumber, ecx
		mov	ds:_ExpUuidSequenceNumberValid,	1
		mov	ds:_ExpUuidSequenceNumberNotSaved, 1
		jmp	loc_7DB8B4
ExpAllocateUuids endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfCheckCrossScopeAccess(x, x)
_ExpWnfCheckCrossScopeAccess@8 proc near ; CODE	XREF: ExpNtUpdateWnfStateData+2DFp
					; NtQueryWnfStateData+3A2p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		and	[esp+8+var_4], 0
		shrd	ecx, eax, 6
		push	esi
		and	ecx, 0Fh
		push	edi
		cmp	ecx, 3
		jz	short loc_7DBA04
		cmp	ecx, 1
		jnz	short loc_7DBA16
		mov	ecx, [ebp+arg_0]
		shrd	ecx, eax, 4
		test	ecx, 3
		jnz	short loc_7DBA16
		push	eax
		push	[ebp+arg_0]
		lea	ecx, [esp+18h+var_4]
		call	ExpWnfLookupPermanentName
		test	eax, eax
		js	short loc_7DBA06
		mov	esi, [esp+10h+var_4]
		push	10h
		pop	edx
		mov	ecx, [esi+8]
		call	_ExpWnfCheckCallerAccess@8 ; ExpWnfCheckCallerAccess(x,x)
		push	20666E57h
		push	esi
		mov	edi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		js	short loc_7DBA0E

loc_7DBA04:				; CODE XREF: ExpWnfCheckCrossScopeAccess(x,x)+21j
					; ExpWnfCheckCrossScopeAccess(x,x)+A1j
		xor	eax, eax

loc_7DBA06:				; CODE XREF: ExpWnfCheckCrossScopeAccess(x,x)+46j
					; ExpWnfCheckCrossScopeAccess(x,x)+A8j	...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7DBA0E:				; CODE XREF: ExpWnfCheckCrossScopeAccess(x,x)+66j
		cmp	edi, 0C0000022h
		jnz	short loc_7DBA46

loc_7DBA16:				; CODE XREF: ExpWnfCheckCrossScopeAccess(x,x)+26j
					; ExpWnfCheckCrossScopeAccess(x,x)+35j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+10h+var_4], al
		push	[esp+10h+var_4]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_7DBA04
		mov	eax, 0C0000061h
		jmp	short loc_7DBA06
; 

loc_7DBA46:				; CODE XREF: ExpWnfCheckCrossScopeAccess(x,x)+78j
		mov	eax, edi
		jmp	short loc_7DBA06
_ExpWnfCheckCrossScopeAccess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExEnableHandleExceptions proc near	; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+124p
					; PAGE:007A9435p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F7DE6 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	bl, dl
		mov	esi, ecx
		mov	[ebp+var_4], eax
		nop
		lea	edi, [esi+24h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi+54h]
		test	ecx, ecx
		jnz	loc_8F7DE6
		mov	cl, [esi+1Ch]
		test	cl, 2
		jnz	short loc_7DBABD
		test	bl, bl
		setz	al
		and	cl, 0FDh
		dec	al
		and	al, 2
		or	al, cl
		mov	[esi+1Ch], al

loc_7DBA98:				; CODE XREF: ExEnableHandleExceptions+11C3A9j
					; ExEnableHandleExceptions+11C3B5j
		mov	bl, 1

loc_7DBA9A:				; CODE XREF: ExEnableHandleExceptions+7Ej
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7DBACA

loc_7DBAA7:				; CODE XREF: ExEnableHandleExceptions+87j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_7DBABD:				; CODE XREF: ExEnableHandleExceptions+3Bj
					; ExEnableHandleExceptions+11C3A1j
		test	bl, bl
		mov	al, 1
		setz	bl
		dec	bl
		and	bl, al
		jmp	short loc_7DBA9A
; 

loc_7DBACA:				; CODE XREF: ExEnableHandleExceptions+5Bj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7DBAA7
ExEnableHandleExceptions endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtFilterToken	proc near		; DATA XREF: .text:00581058o

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008F7E04 SIZE 00000015 BYTES
; FUNCTION CHUNK AT 008F7E3D SIZE 0000000A BYTES

		push	54h
		push	offset dword_6A4340
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_44], esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_64], esi
		mov	[ebp+var_60], esi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_1C], al
		mov	[ebp+ms_exc.disabled], esi
		mov	ecx, [ebp+arg_14]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8F7E04

loc_7DBB2E:				; CODE XREF: NtFilterToken+11C332j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	loc_7DBCE4
		mov	edx, ecx
		test	cl, 3
		jnz	loc_7DBD33
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8F7E0B

loc_7DBB55:				; CODE XREF: NtFilterToken+11C339j
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	[ebp+var_28], eax
		mov	eax, esi

loc_7DBB5F:				; CODE XREF: NtFilterToken+98j
		mov	[ebp+var_4C], eax
		cmp	eax, [ebp+var_28]
		jnb	short loc_7DBB6E
		mov	[ecx+eax*8+8], esi
		inc	eax
		jmp	short loc_7DBB5F
; 

loc_7DBB6E:				; CODE XREF: NtFilterToken+91j
		lea	eax, [ebp+var_50]
		push	eax		; int
		lea	eax, [ebp+var_38]
		push	eax		; int
		push	ecx		; int
		push	ecx		; int
		push	esi		; int
		push	esi		; void *
		push	dword ptr [ebp+var_1C] ; char
		add	ecx, 4		; void *
		mov	edx, [ebp+var_28] ; int
		call	SeCaptureSidAndAttributesArray
		mov	edi, eax
		mov	[ebp+var_20], edi

loc_7DBB8D:				; CODE XREF: NtFilterToken+213j
		test	edi, edi
		js	short loc_7DBBE3
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jnz	loc_7DBCEC

loc_7DBB9C:				; CODE XREF: NtFilterToken+24Bj
		test	edi, edi
		js	short loc_7DBBE3
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_7DBBE3
		mov	edx, ecx
		test	cl, 3
		jnz	loc_7DBD33
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8F7E12

loc_7DBBBF:				; CODE XREF: NtFilterToken+11C340j
		nop
		mov	al, [edx]
		mov	edx, [ecx]	; int
		mov	[ebp+var_30], edx
		lea	eax, [ebp+var_40]
		push	eax		; int
		lea	eax, [ebp+var_2C]
		push	eax		; int
		push	ecx		; int
		push	ecx		; int
		push	esi		; int
		push	esi		; void *
		push	dword ptr [ebp+var_1C] ; char
		add	ecx, 4		; void *
		call	SeCaptureSidAndAttributesArray
		mov	edi, eax
		mov	[ebp+var_20], edi

loc_7DBBE3:				; CODE XREF: NtFilterToken+BBj
					; NtFilterToken+CAj ...
		push	0FFFFFFFEh
		pop	ebx
		mov	[ebp+ms_exc.disabled], ebx

loc_7DBBE9:				; CODE XREF: sub_8F7E27+11j
		test	edi, edi
		js	loc_7DBCA9
		mov	ecx, esi
		mov	eax, [ebp+var_2C]
		add	eax, 4

loc_7DBBF9:				; CODE XREF: NtFilterToken+136j
		cmp	ecx, [ebp+var_30]
		jnb	short loc_7DBC0C
		cmp	[eax], esi
		jnz	loc_8F7E3D
		inc	ecx
		add	eax, 8
		jmp	short loc_7DBBF9
; 

loc_7DBC0C:				; CODE XREF: NtFilterToken+128j
		mov	eax, ds:_SeTokenObjectType
		mov	[ebp+var_34], esi
		lea	ecx, [ebp+var_64]
		push	ecx
		lea	ecx, [ebp+var_34]
		push	ecx
		push	dword ptr [ebp+var_1C]
		push	eax
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7DBCA9
		mov	[ebp+var_24], esi
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_40]
		push	[ebp+var_2C]
		push	[ebp+var_30]
		push	[ebp+var_3C]
		push	[ebp+var_44]
		push	[ebp+var_38]
		push	[ebp+var_28]
		push	[ebp+arg_4]
		mov	dl, [ebp+var_1C]
		mov	ecx, [ebp+var_34]
		call	_SepFilterToken@44 ; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7DBC8B
		lea	eax, [ebp+var_48]
		push	eax
		push	esi
		push	esi
		push	1
		push	[ebp+var_60]
		xor	edx, edx
		mov	ecx, [ebp+var_24]
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7DBC8B
		mov	ecx, [ebp+var_24]
		call	_SepFinalizeTokenAcls@4	; SepFinalizeTokenAcls(x)
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObject

loc_7DBC8B:				; CODE XREF: NtFilterToken+18Aj
					; NtFilterToken+1A5j
		mov	ecx, [ebp+var_34]
		call	ObfDereferenceObject
		test	edi, edi
		js	short loc_7DBCA9
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_48]
		mov	eax, [ebp+arg_14]
		mov	[eax], ecx
		mov	[ebp+ms_exc.disabled], ebx

loc_7DBCA9:				; CODE XREF: NtFilterToken+117j
					; NtFilterToken+15Aj ...
		mov	ecx, [ebp+var_38]
		test	ecx, ecx
		jz	short loc_7DBCB9
		push	ecx
		mov	dl, [ebp+var_1C]
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_7DBCB9:				; CODE XREF: NtFilterToken+1DAj
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jnz	short loc_7DBD24

loc_7DBCC0:				; CODE XREF: NtFilterToken+259j
		mov	ecx, [ebp+var_2C]
		test	ecx, ecx
		jz	short loc_7DBCD0
		push	ecx
		mov	dl, [ebp+var_1C]
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_7DBCD0:				; CODE XREF: NtFilterToken+1F1j
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7DBCE4:				; CODE XREF: NtFilterToken+63j
		mov	edi, [ebp+var_20]
		jmp	loc_7DBB8D
; 

loc_7DBCEC:				; CODE XREF: NtFilterToken+C2j
		mov	edx, ecx
		test	cl, 3
		jnz	short loc_7DBD33
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_7DBD2F

loc_7DBCFC:				; CODE XREF: NtFilterToken+25Dj
		nop
		mov	al, [edx]
		mov	edx, [ecx]
		mov	[ebp+var_44], edx
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		sub	esp, 10h
		push	dword ptr [ebp+var_1C]
		add	ecx, 4
		call	SeCaptureLuidAndAttributesArray
		mov	edi, eax
		mov	[ebp+var_20], edi
		jmp	loc_7DBB9C
; 

loc_7DBD24:				; CODE XREF: NtFilterToken+1EAj
		push	ecx
		mov	dl, [ebp+var_1C]
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)
		jmp	short loc_7DBCC0
; 

loc_7DBD2F:				; CODE XREF: NtFilterToken+226j
		mov	edx, eax
		jmp	short loc_7DBCFC
; 

loc_7DBD33:				; CODE XREF: NtFilterToken+6Ej
					; NtFilterToken+D8j ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
NtFilterToken	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetBackgroundJobTree	proc near	; CODE XREF: sub_759647+291p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F7E67 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	byte ptr [ebp+var_4], dl
		push	edi
		push	1
		lea	edi, [esi+20h]
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	dl, byte ptr [ebp+var_4]
		lea	ecx, [esi+310h]
		mov	eax, [ecx]
		and	eax, 400h
		test	dl, dl
		jnz	short loc_7DBDB4
		test	eax, eax
		jz	loc_8F7E67

loc_7DBD6C:				; CODE XREF: PspSetBackgroundJobTree+7Ej
		test	dl, dl
		jnz	short loc_7DBDBD
		lock btr dword ptr [ecx], 0Ah

loc_7DBD75:				; CODE XREF: PspSetBackgroundJobTree+8Aj
		push	ebx
		push	5
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		push	eax
		push	offset _PspSetProcessBackgroundCountCallback@8 ; PspSetProcessBackgroundCountCallback(x,x)
		push	ebx
		mov	edx, offset _PspSetJobBackgroundCountCallback@8	; PspSetJobBackgroundCountCallback(x,x)
		mov	ecx, esi
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	ecx, edi
		call	ExReleaseResourceLite
		cmp	byte ptr [ebp+var_4], bl
		jnz	short loc_7DBDAD
		push	ebx
		push	ebx
		push	ebx
		push	offset _PspBoostJobIoPriorityCallback@8	; PspBoostJobIoPriorityCallback(x,x)
		xor	edx, edx
		mov	ecx, esi
		call	PspEnumJobsAndProcessesInJobHierarchy

loc_7DBDAD:				; CODE XREF: PspSetBackgroundJobTree+62j
		xor	eax, eax
		pop	ebx

loc_7DBDB0:				; CODE XREF: PspSetBackgroundJobTree+11C13Bj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_7DBDB4:				; CODE XREF: PspSetBackgroundJobTree+2Aj
		test	eax, eax
		jz	short loc_7DBD6C
		jmp	loc_8F7E67
; 

loc_7DBDBD:				; CODE XREF: PspSetBackgroundJobTree+36j
		lock bts dword ptr [ecx], 0Ah
		jmp	short loc_7DBD75
PspSetBackgroundJobTree	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpRealtimeNotifyConsumers proc near	; CODE XREF: EtwpLogger(x)+19Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F7E78 SIZE 000000A2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		lea	eax, [esi+1F0h]
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, esi
		call	EtwpGetMaxTrackingEventBufferSize
		mov	ebx, eax
		mov	[ebp+var_4], ebx
		test	ebx, ebx
		jnz	short loc_7DBE1E
		xor	edi, edi
		mov	esi, 8000001Ah

loc_7DBDFA:				; CODE XREF: EtwpRealtimeNotifyConsumers+A9j
					; EtwpRealtimeNotifyConsumers+11C0B9j
		mov	ebx, [ebp+var_C]
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		test	al, 2
		jnz	loc_8F7F06

loc_7DBE0C:				; CODE XREF: EtwpRealtimeNotifyConsumers+11C144j
					; EtwpRealtimeNotifyConsumers+11C151j
		mov	ecx, ebx
		call	KeAbPostRelease
		test	edi, edi
		jnz	short loc_7DBE6F

loc_7DBE17:				; CODE XREF: EtwpRealtimeNotifyConsumers+B3j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7DBE1E:				; CODE XREF: EtwpRealtimeNotifyConsumers+2Dj
		push	62777445h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8F7E78
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	EtwpInitializeProviderInfoBuffer
		lea	eax, [esi+100h]
		mov	ebx, [eax]

loc_7DBE47:				; CODE XREF: EtwpRealtimeNotifyConsumers+11C128j
		cmp	ebx, eax
		jnz	loc_8F7E82
		mov	eax, [esi+50h]

loc_7DBE52:				; CODE XREF: EtwpRealtimeNotifyConsumers+11C13Dj
		test	eax, eax
		jnz	loc_8F7EF1

loc_7DBE5A:				; CODE XREF: EtwpRealtimeNotifyConsumers+11C131j
		add	esi, 48h
		mov	eax, [esi]
		jmp	short loc_7DBE67
; 

loc_7DBE61:				; CODE XREF: EtwpRealtimeNotifyConsumers+A5j
		mov	byte ptr [eax+8], 1
		mov	eax, [eax]

loc_7DBE67:				; CODE XREF: EtwpRealtimeNotifyConsumers+9Bj
		cmp	eax, esi
		jnz	short loc_7DBE61
		xor	esi, esi
		jmp	short loc_7DBDFA
; 

loc_7DBE6F:				; CODE XREF: EtwpRealtimeNotifyConsumers+51j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7DBE17
EtwpRealtimeNotifyConsumers endp

; 
		align 2

;  S U B	R O U T	I N E 


EtwpGetMaxTrackingEventBufferSize proc near ; CODE XREF: EtwpRealtimeNotifyConsumers+21p
					; EtwpSendDbgId(x)+4Ap

; FUNCTION CHUNK AT 008F7F1A SIZE 0000002A BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		xor	edx, edx
		push	esi
		push	edi
		lea	ecx, [ebx+48h]
		mov	esi, [ecx]
		cmp	esi, ecx
		jnz	short loc_7DBEB1

loc_7DBE8C:				; CODE XREF: EtwpGetMaxTrackingEventBufferSize+5Fj
		lea	edi, [ebx+2C8h]
		mov	esi, [edi]

loc_7DBE94:				; CODE XREF: EtwpGetMaxTrackingEventBufferSize+11C0B5j
		cmp	esi, edi
		jnz	loc_8F7F1A
		mov	eax, [ebx+54h]
		pop	edi
		pop	esi
		pop	ebx
		test	eax, eax
		jnz	loc_8F7F34

loc_7DBEAA:				; CODE XREF: EtwpGetMaxTrackingEventBufferSize+11C0C5j
		test	edx, edx
		jnz	short loc_7DBEDB

loc_7DBEAE:				; CODE XREF: EtwpGetMaxTrackingEventBufferSize+64j
		mov	eax, edx
		retn
; 

loc_7DBEB1:				; CODE XREF: EtwpGetMaxTrackingEventBufferSize+10j
		mov	edx, offset _NtBuildLabEx
		lea	edi, [edx+1]

loc_7DBEB9:				; CODE XREF: EtwpGetMaxTrackingEventBufferSize+44j
		mov	al, [edx]
		inc	edx
		test	al, al
		jnz	short loc_7DBEB9
		sub	edx, edi
		add	edx, 18h
		and	edx, 0FFFFFFF8h

loc_7DBEC8:				; CODE XREF: EtwpGetMaxTrackingEventBufferSize+5Dj
		mov	eax, [esi+0Ch]
		mov	esi, [esi]
		add	eax, 13h
		and	eax, 0FFFFFFF8h
		add	edx, eax
		cmp	esi, ecx
		jnz	short loc_7DBEC8
		jmp	short loc_7DBE8C
; 

loc_7DBEDB:				; CODE XREF: EtwpGetMaxTrackingEventBufferSize+32j
		add	edx, 48h
		jmp	short loc_7DBEAE
EtwpGetMaxTrackingEventBufferSize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpInitializeProviderInfoBuffer proc near ; CODE XREF:	EtwpRealtimeNotifyConsumers+76p
					; EtwpSendDbgId(x)+77p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F7F44 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	[ebp+var_4], edi
		call	EtwpInitializeBufferHeader
		mov	eax, [ebp+arg_0]
		mov	ecx, edi
		push	7
		pop	edx
		mov	[edi], eax
		call	@EtwpResetBufferHeader@8 ; EtwpResetBufferHeader(x,x)
		mov	edx, edi
		lea	esi, [ebx+0E8h]
		xor	eax, eax
		inc	eax
		mov	[edx+34h], ax
		lea	edi, [edx+38h]
		mov	eax, [edx+20h]
		mov	dword ptr [edx+2Ch], 3
		and	eax, 0FFFFFFF8h
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebx+7Ch]
		and	esi, 7
		or	esi, eax
		xor	eax, eax
		or	eax, [edx+24h]
		mov	[ebp+var_8], eax
		mov	[ebp+var_8], eax
		mov	[edx+24h], eax
		mov	[edx+20h], esi
		mov	eax, [ebx+7Ch]
		sub	eax, 1
		jnz	short loc_7DBF75

loc_7DBF4A:				; CODE XREF: EtwpInitializeProviderInfoBuffer+A4j
		mov	eax, _EtwPerfFreq
		and	esi, 7
		mov	ecx, dword_6BC154
		xor	edx, edx
		mov	edi, [ebp+var_4]
		shld	ecx, eax, 3
		shl	eax, 3
		or	esi, eax
		or	edx, ecx
		mov	[edi+20h], esi
		mov	[edi+24h], edx

loc_7DBF6E:				; CODE XREF: EtwpInitializeProviderInfoBuffer+A2j
					; EtwpInitializeProviderInfoBuffer+11C07Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7DBF75:				; CODE XREF: EtwpInitializeProviderInfoBuffer+68j
		dec	eax
		sub	eax, 1
		jz	loc_8F7F44
		sub	eax, 1
		jnz	short loc_7DBF6E
		jmp	short loc_7DBF4A
EtwpInitializeProviderInfoBuffer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetProcessPriorityClass proc	near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+129Cp
					; PAGE:007A7306p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F7F62 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	bl, dl
		push	edi
		mov	edi, ecx
		cmp	bl, 6
		ja	short loc_7DC001
		cmp	bl, 4
		jz	short loc_7DBFF4

loc_7DBFA0:				; CODE XREF: PspSetProcessPriorityClass+74j
					; PspSetProcessPriorityClass+11C017j
		mov	esi, [edi+158h]
		mov	eax, large fs:124h
		mov	[esp+10h+var_4], eax
		test	esi, esi
		jnz	short loc_7DBFC5

loc_7DBFB4:				; CODE XREF: PspSetProcessPriorityClass+6Cj
		mov	[edi+1BBh], bl
		xor	eax, eax

loc_7DBFBC:				; CODE XREF: PspSetProcessPriorityClass+80j
					; PspSetProcessPriorityClass+11C022j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7DBFC5:				; CODE XREF: PspSetProcessPriorityClass+2Cj
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esi+20h]
		push	1
		push	eax
		call	ExAcquireResourceSharedLite
		test	byte ptr [esi+18Ch], 20h
		jnz	short loc_7DC008

loc_7DBFE1:				; CODE XREF: PspSetProcessPriorityClass+88j
		lea	ecx, [esi+20h]
		call	ExReleaseResourceLite
		mov	ecx, [esp+10h+var_4]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	short loc_7DBFB4
; 

loc_7DBFF4:				; CODE XREF: PspSetProcessPriorityClass+18j
		cmp	bl, [edi+1BBh]
		jz	short loc_7DBFA0
		jmp	loc_8F7F62
; 

loc_7DC001:				; CODE XREF: PspSetProcessPriorityClass+13j
		mov	eax, 0C000000Dh
		jmp	short loc_7DBFBC
; 

loc_7DC008:				; CODE XREF: PspSetProcessPriorityClass+59j
		mov	bl, [esi+1A4h]
		jmp	short loc_7DBFE1
PspSetProcessPriorityClass endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpInitializeTimeStamp	proc near	; CODE XREF: EtwpStartLogger+58Ep

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F7FAD SIZE 000000A6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		push	1
		pop	ebx
		mov	eax, [esi+7Ch]
		dec	eax
		sub	eax, 1
		jz	loc_7DC12D
		sub	eax, ebx
		jz	loc_7DC160
		sub	eax, ebx
		jz	loc_8F7FAD

loc_7DC03D:				; CODE XREF: EtwpInitializeTimeStamp+11BFB1j
		mov	[esi+7Ch], ebx
		mov	eax, ebx

loc_7DC042:				; CODE XREF: EtwpInitializeTimeStamp+11Fj
					; EtwpInitializeTimeStamp+153j
		mov	[esi+20h], eax
		lea	ebx, [esi+0E8h]
		test	byte ptr [esi+258h], 2
		jnz	loc_7DC0E3
		cmp	dword ptr [esi+7Ch], 3
		jz	loc_8F7FCE
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_20]
		and	[ebp+var_4], eax
		rep stosd
		lea	eax, [ebp+var_4]
		push	eax
		push	7
		lea	eax, [ebp+var_20]
		push	eax
		call	RtlGetMultiTimePrecise
		mov	edx, [ebp+var_4]
		mov	eax, edx
		mov	edi, [ebp+var_14]
		and	eax, 5
		mov	ecx, [ebp+var_18]
		cmp	al, 5
		jnz	loc_8F7FEC
		mov	eax, [ebp+var_10]
		mov	[ebx], eax
		mov	eax, [ebp+var_C]
		mov	[ebx+4], eax
		mov	eax, [esi+7Ch]
		cmp	eax, 2
		jz	loc_7DC146
		cmp	eax, 1
		jnz	loc_8F801A
		mov	eax, [ebp+var_20]
		mov	[esi+0F0h], eax
		mov	eax, [ebp+var_1C]
		mov	[esi+0F4h], eax

loc_7DC0C6:				; CODE XREF: EtwpInitializeTimeStamp+14Bj
		and	edx, 3
		cmp	dl, 3
		jz	loc_8F803D

loc_7DC0D2:				; CODE XREF: EtwpInitializeTimeStamp+11Bj
					; EtwpInitializeTimeStamp+11BFD7j ...
		lea	edi, [esi+150h]
		mov	esi, ebx
		movsd
		movsd
		movsd
		movsd
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7DC0E3:				; CODE XREF: EtwpInitializeTimeStamp+42j
		mov	eax, _EtwpRefTimeSystem
		mov	[ebx], eax
		mov	eax, dword_6BC174
		mov	[ebx+4], eax
		mov	eax, _EtwpRefQpcDelta
		mov	[esi+358h], eax
		mov	eax, dword_6BC19C
		mov	[esi+35Ch], eax
		mov	eax, [esi+7Ch]
		cmp	eax, 3
		jz	short loc_7DC168
		cmp	eax, 2
		jz	short loc_7DC134
		mov	eax, _EtwpRefTimePerfCounter
		mov	[esi+0F0h], eax
		mov	eax, dword_6BC164

loc_7DC125:				; CODE XREF: EtwpInitializeTimeStamp+134j
					; EtwpInitializeTimeStamp+168j
		mov	[esi+0F4h], eax
		jmp	short loc_7DC0D2
; 

loc_7DC12D:				; CODE XREF: EtwpInitializeTimeStamp+17j
		xor	eax, eax
		jmp	loc_7DC042
; 

loc_7DC134:				; CODE XREF: EtwpInitializeTimeStamp+103j
		mov	eax, _EtwpRefTimeSystem
		mov	[esi+0F0h], eax
		mov	eax, dword_6BC174
		jmp	short loc_7DC125
; 

loc_7DC146:				; CODE XREF: EtwpInitializeTimeStamp+95j
		mov	eax, [ebp+var_10]
		mov	[esi+0F0h], eax
		mov	eax, [ebp+var_C]
		mov	[esi+0F4h], eax

loc_7DC158:				; CODE XREF: EtwpInitializeTimeStamp+11C00Dj
					; EtwpInitializeTimeStamp+11C028j
		mov	eax, [ebp+var_1C]
		jmp	loc_7DC0C6
; 

loc_7DC160:				; CODE XREF: EtwpInitializeTimeStamp+1Fj
		push	3

loc_7DC162:				; CODE XREF: EtwpInitializeTimeStamp+11BFB9j
		pop	eax
		jmp	loc_7DC042
; 

loc_7DC168:				; CODE XREF: EtwpInitializeTimeStamp+FEj
		mov	eax, _EtwpRefTimeCycle
		mov	[esi+0F0h], eax
		mov	eax, dword_6BC16C
		jmp	short loc_7DC125
EtwpInitializeTimeStamp	endp


;  S U B	R O U T	I N E 


; __stdcall VrpUnlockDiffHiveTable()
_VrpUnlockDiffHiveTable@0 proc near	; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x):loc_7353B9p
					; VrpLoadDifferencingHive(x,x,x,x,x,x,x,x):loc_735445p
		xor	edx, edx
		mov	ecx, offset _gLoadedDiffHivesLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_VrpUnlockDiffHiveTable@0 endp


;  S U B	R O U T	I N E 


; __stdcall VrpLockDiffHiveTableExclusive()
_VrpLockDiffHiveTableExclusive@0 proc near
					; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x):loc_7353DBp
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _gLoadedDiffHivesLock
		jmp	ExAcquirePushLockExclusiveEx
_VrpLockDiffHiveTableExclusive@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpAllocateDiffHiveEntry(x,	x)
_VrpAllocateDiffHiveEntry@8 proc near	; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+D6p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, edx
		push	67655256h
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], edi
		movzx	esi, word ptr [edi]
		movzx	ebx, word ptr [eax]
		add	esi, 28h
		add	ebx, esi
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	loc_7DC286
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		movzx	eax, word ptr [edi]
		add	esp, 0Ch
		mov	ebx, [edi+4]
		shr	eax, 1
		lea	ecx, [ebx+eax*2]
		mov	eax, 4CB2Fh
		cmp	ebx, ecx
		jnb	short loc_7DC239
		mov	edi, eax
		mov	esi, ecx

loc_7DC20A:				; CODE XREF: VrpAllocateDiffHiveEntry(x,x)+7Fj
		movzx	eax, word ptr [ebx]
		push	eax
		call	_RtlUpcaseUnicodeChar@4	; RtlUpcaseUnicodeChar(x)
		imul	ecx, edi, 25h
		add	ebx, 2
		movzx	edx, ax
		movzx	eax, dl
		add	ecx, eax
		movzx	eax, dh
		imul	edi, ecx, 25h
		add	edi, eax
		cmp	ebx, esi
		jb	short loc_7DC20A
		mov	esi, [ebp+var_8]
		mov	[ebp+var_4], edi
		mov	edi, [ebp+var_C]
		mov	eax, [ebp+var_4]

loc_7DC239:				; CODE XREF: VrpAllocateDiffHiveEntry(x,x)+58j
		and	dword ptr [esi+0Ch], 0
		lea	ecx, [esi+18h]
		mov	[esi+4], eax
		mov	dword ptr [esi+8], 1
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		mov	[esi+24h], ax
		lea	eax, [esi+28h]
		push	dword ptr [edi+4] ; void *
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_10]
		movzx	eax, word ptr [ecx]
		push	eax		; size_t
		mov	[esi+26h], ax
		movzx	eax, word ptr [esi+24h]
		push	dword ptr [ecx+4] ; void *
		shr	eax, 1
		add	eax, 14h
		lea	eax, [esi+eax*2]
		push	eax		; void *
		call	_memcpy
		add	esp, 18h

loc_7DC286:				; CODE XREF: VrpAllocateDiffHiveEntry(x,x)+34j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_VrpAllocateDiffHiveEntry@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall VrpLockDiffHiveTableShared()
_VrpLockDiffHiveTableShared@0 proc near	; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+9Ap
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _gLoadedDiffHivesLock
		jmp	ExAcquirePushLockSharedEx
_VrpLockDiffHiveTableShared@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopDiagDeviceRundownWorker(x)
_PopDiagDeviceRundownWorker@4 proc near	; DATA XREF: PopDiagInitialize()+4Co
		xor	eax, eax
		mov	ecx, offset _PopDiagDeviceRundownRequests
		xchg	eax, [ecx]
		call	_IoDiagTraceDevicesRundown@0 ; IoDiagTraceDevicesRundown()
		retn	4
_PopDiagDeviceRundownWorker@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IoDiagTraceDevicesRundown()
_IoDiagTraceDevicesRundown@0 proc near	; CODE XREF: PopDiagDeviceRundownWorker(x)+9p
		mov	edi, edi
		push	esi
		mov	cl, 1
		call	_IoControlPnpDeviceActionQueue@4 ; IoControlPnpDeviceActionQueue(x)
		mov	esi, _IopRootDeviceNode
		jmp	short loc_7DC2CE
; 

loc_7DC2CC:				; CODE XREF: IoDiagTraceDevicesRundown()+19j
		mov	esi, eax

loc_7DC2CE:				; CODE XREF: IoDiagTraceDevicesRundown()+10j
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_7DC2CC
		jmp	short loc_7DC2DA
; 

loc_7DC2D7:				; CODE XREF: IoDiagTraceDevicesRundown()+3Dj
		mov	esi, [esi+8]

loc_7DC2DA:				; CODE XREF: IoDiagTraceDevicesRundown()+1Bj
					; IoDiagTraceDevicesRundown()+46j
		cmp	esi, _IopRootDeviceNode
		jz	short loc_7DC304
		push	dword ptr [esi+58h]
		lea	eax, [esi+1Ch]
		mov	ecx, esi
		push	eax
		lea	edx, [esi+14h]
		call	_PoDiagTraceDeviceRundown@16 ; PoDiagTraceDeviceRundown(x,x,x,x)
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_7DC2D7

loc_7DC2F9:				; CODE XREF: IoDiagTraceDevicesRundown()+48j
		mov	esi, eax
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_7DC2DA
		jmp	short loc_7DC2F9
; 

loc_7DC304:				; CODE XREF: IoDiagTraceDevicesRundown()+26j
		xor	cl, cl
		pop	esi
		jmp	_IoControlPnpDeviceActionQueue@4 ; IoControlPnpDeviceActionQueue(x)
_IoDiagTraceDevicesRundown@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoDiagTraceDeviceRundown(x,	x, x, x)
_PoDiagTraceDeviceRundown@16 proc near	; CODE XREF: IoDiagTraceDevicesRundown()+34p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_65		= dword	ptr -65h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_6C], ecx
		movzx	ecx, word ptr [edx]
		mov	[ebp+var_65+1],	eax
		mov	al, [ebp+arg_4]
		push	edi
		xor	edi, edi
		mov	[ebp+var_5C], 4
		dec	al
		mov	[ebp+var_60], edi
		mov	byte ptr [ebp+var_65], al
		lea	eax, [ebp+var_65]
		mov	[ebp+var_54], eax
		mov	ax, cx
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_44], eax
		mov	eax, [edx+4]
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_34], eax
		mov	eax, ecx
		mov	[ebp+var_2C], eax
		push	2
		movzx	ecx, word ptr [edx]
		mov	ax, cx
		mov	[ebp+var_58], edi
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_24], eax
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], 1
		mov	[ebp+var_48], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		pop	esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_1C], esi
		push	5
		pop	eax
		test	cx, cx
		jz	short loc_7DC3C2
		mov	eax, [edx+4]
		mov	[ebp+var_14], eax
		mov	eax, ecx
		push	6
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], edi
		pop	eax

loc_7DC3C2:				; CODE XREF: PoDiagTraceDeviceRundown(x,x,x,x)+A0j
		lea	ecx, [ebp+var_65+1]
		push	ecx
		push	eax
		push	edi
		push	offset _POP_ETW_EVENT_DEVICE_RUNDOWN
		push	dword_6C1D74
		push	_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PoDiagTraceDeviceRundown@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 403. ExQueryWnfStateData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExQueryWnfStateData(int,int,void *,int)
		public _ExQueryWnfStateData@16
_ExQueryWnfStateData@16	proc near	; CODE XREF: PopWnfAirplaneModeCallback+33p
					; PopWnfBluetoothChargingCallback(x,x,x,x,x,x)+22p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edx, [ebp+arg_0]
		call	_ExpWnfAcquireSubscriptionNameInstance@8 ; ExpWnfAcquireSubscriptionNameInstance(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7DC44E
		mov	eax, [ebp+arg_C]
		mov	ecx, edi
		mov	edx, [ebp+arg_4]
		push	eax		; int
		push	dword ptr [eax]	; int
		push	[ebp+arg_8]	; void *
		call	ExpWnfReadStateData
		mov	esi, eax
		test	esi, esi
		js	short loc_7DC432
		xor	esi, esi

loc_7DC432:				; CODE XREF: ExQueryWnfStateData(x,x,x,x)+3Aj
		lea	ecx, [edi+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7DC43A:				; CODE XREF: ExQueryWnfStateData(x,x,x,x)+5Fj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_7DC44E:				; CODE XREF: ExQueryWnfStateData(x,x,x,x)+21j
		mov	esi, 0C0000034h
		jmp	short loc_7DC43A
_ExQueryWnfStateData@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfAcquireSubscriptionNameInstance(x, x)
_ExpWnfAcquireSubscriptionNameInstance@8 proc near
					; CODE XREF: ExQueryWnfStateData(x,x,x,x)+18p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ds:_PsInitialSystemProcess
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax+39Ch]
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		add	esi, 28h
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		push	11h
		mov	edi, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_7DC497
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockSharedEx

loc_7DC497:				; CODE XREF: ExpWnfAcquireSubscriptionNameInstance(x,x)+35j
		test	edi, edi
		jnz	short loc_7DC4D7

loc_7DC49B:				; CODE XREF: ExpWnfAcquireSubscriptionNameInstance(x,x)+85j
		mov	edi, [ebp+var_4]
		mov	ecx, [edi+1Ch]
		test	ecx, ecx
		jz	short loc_7DC4B4
		add	ecx, 4
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_7DC4B4
		mov	ebx, [edi+1Ch]

loc_7DC4B4:				; CODE XREF: ExpWnfAcquireSubscriptionNameInstance(x,x)+4Dj
					; ExpWnfAcquireSubscriptionNameInstance(x,x)+59j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_7DC4C9
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7DC4C9:				; CODE XREF: ExpWnfAcquireSubscriptionNameInstance(x,x)+6Aj
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_7DC4D7:				; CODE XREF: ExpWnfAcquireSubscriptionNameInstance(x,x)+43j
		or	byte ptr [edi+0Eh], 1
		jmp	short loc_7DC49B
_ExpWnfAcquireSubscriptionNameInstance@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetVolumeClusterSizeCompletion(x, x, x)
_CmpGetVolumeClusterSizeCompletion@12 proc near	; DATA XREF: CmpGetVolumeClusterSize+F1o

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	[ebp+arg_8]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, 0C0000016h
		pop	ebp
		retn	0Ch
_CmpGetVolumeClusterSizeCompletion@12 endp


;  S U B	R O U T	I N E 


; __stdcall PnpProcessCustomDeviceEvent(x)
_PnpProcessCustomDeviceEvent@4 proc near ; CODE	XREF: PAGE:00763E95p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, [ecx]
		mov	ecx, esi
		push	edi
		mov	ebx, [esi+68h]
		mov	edi, [esi+6Ch]
		call	PiDcHandleCustomDeviceEvent
		mov	ecx, esi
		call	PiUEventNotifyUserMode
		push	0
		push	edi
		lea	ecx, [edi+4]
		mov	edx, ebx
		call	PnpNotifyTargetDeviceChange
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		retn
_PnpProcessCustomDeviceEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDcHandleCustomDeviceEvent proc near	; CODE XREF: PnpProcessCustomDeviceEvent(x)+Fp

var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_149		= byte ptr -149h
var_148		= dword	ptr -148h
var_F8		= word ptr -0F8h
var_A8		= word ptr -0A8h
var_58		= word ptr -58h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F8053 SIZE 000002BC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 164h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	esi, esi
		push	edi
		push	10h		; size_t
		push	offset _GUID_TARGET_DEVICE_TRANSPORT_RELATIONS_CHANGED ; void *
		mov	eax, [ebx+6Ch]
		mov	edi, esi
		add	eax, 4
		mov	[ebp+var_150], esi
		push	eax		; void *
		mov	[ebp+var_154], esi
		mov	[ebp+var_158], esi
		mov	[ebp+var_160], esi
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8F8053

loc_7DC57A:				; CODE XREF: PiDcHandleCustomDeviceEvent+11BDD9j
					; PiDcHandleCustomDeviceEvent+11BDE4j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PiDcHandleCustomDeviceEvent endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopAvlComparePowerRequestKeys(x, x,	x)
_PopAvlComparePowerRequestKeys@12 proc near
					; DATA XREF: PopStatsInitPowerRequestLibrary()+3Ao

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		add	eax, 4
		push	1
		push	eax
		mov	eax, [ebp+arg_4]
		add	eax, 4
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		mov	ecx, eax
		xor	eax, eax
		test	ecx, ecx
		js	short loc_7DC5B2
		setle	al
		inc	eax

loc_7DC5B2:				; CODE XREF: PopAvlComparePowerRequestKeys(x,x,x)+20j
		pop	ebp
		retn	0Ch
_PopAvlComparePowerRequestKeys@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpCreateWorkerThread proc near		; CODE XREF: ExpWorkQueueManagerThread+249p
					; ExpWorkQueueCreateMinimumThreads(x,x)+21p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F830F SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		lea	edi, [esi+1ACh]
		mov	eax, [edi]

loc_7DC5D1:				; CODE XREF: ExpCreateWorkerThread+2Cj
		lea	ecx, [eax+1]
		mov	edx, eax
		or	ecx, 4000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_7DC5D1
		mov	edx, [esi+1A0h]
		lea	eax, [ebp+var_8]
		mov	ecx, [esi+19Ch]
		push	eax
		push	ebx
		push	esi
		push	offset ExpWorkerThread
		sub	esp, 0Ch
		call	_ExpPartitionCreateSystemThread@36 ; ExpPartitionCreateSystemThread(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7DC64A
		mov	eax, ds:_PsThreadType
		lea	ecx, [ebp+var_4]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		push	eax
		push	20h
		push	[ebp+var_8]
		mov	[ebp+var_4], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7DC63B
		mov	ecx, [ebp+var_4]
		push	8
		pop	edx
		call	KeBoostPriorityThread
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject

loc_7DC63B:				; CODE XREF: ExpCreateWorkerThread+70j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_7DC643:				; CODE XREF: ExpCreateWorkerThread+11BD6Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7DC64A:				; CODE XREF: ExpCreateWorkerThread+51j
		mov	edx, [edi]
		jmp	loc_8F830F
ExpCreateWorkerThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpPartitionCreateSystemThread(x, x, x, x, x, x, x,	x, x)
_ExpPartitionCreateSystemThread@36 proc	near ; CODE XREF: ExpCreateWorkerThread+48p

arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_18]
		mov	eax, [ecx]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		mov	eax, [eax+38h]
		push	[ebp+arg_C]
		push	ecx
		push	eax
		push	ecx
		mov	ecx, edx
		call	_ExpNodeCreateSystemThread@36 ;	ExpNodeCreateSystemThread(x,x,x,x,x,x,x,x,x)
		pop	ecx
		pop	ebp
		retn	1Ch
_ExpPartitionCreateSystemThread@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpNodeCreateSystemThread(x, x, x, x, x, x,	x, x, x)
_ExpNodeCreateSystemThread@36 proc near	; CODE XREF: ExpPartitionCreateSystemThread(x,x,x,x,x,x,x,x,x)+1Cp
					; ExpWorkQueueManagerStart(x)+3Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	[ebp+var_18], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_18]
		push	esi
		mov	esi, [ebp+arg_14]
		push	edi
		mov	[ebp+var_24], eax
		lea	edi, [ebp+var_10]
		xor	eax, eax
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_10]
		xor	edi, edi
		push	edi
		push	eax
		movzx	eax, word ptr [ebx+8Ah]
		push	eax
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		push	edi
		push	esi
		lea	edx, [ebp+var_10]
		mov	ecx, ebx
		call	_KeSelectIdealProcessor@16 ; KeSelectIdealProcessor(x,x,x,x)
		movzx	eax, ax
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_18]
		push	[ebp+var_1C]
		push	edi
		push	[ebp+var_20]
		push	edi
		push	1FFFFFh
		push	[ebp+var_24]
		call	PsCreateSystemThreadEx
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
_ExpNodeCreateSystemThread@36 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1848. PsIsProcessCommitRelinquished

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsProcessCommitRelinquished(x)
		public _PsIsProcessCommitRelinquished@4
_PsIsProcessCommitRelinquished@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+3A8h]
		shr	eax, 8
		and	al, 1
		pop	ebp
		retn	4
_PsIsProcessCommitRelinquished@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2133. RtlGetNtSystemRoot

;  S U B	R O U T	I N E 


		public RtlGetNtSystemRoot
RtlGetNtSystemRoot proc	near		; CODE XREF: ObpUseSystemDeviceMap(x)+1Ap
					; MiDriverLoadSucceeded+10Ep ...

; FUNCTION CHUNK AT 008F8329 SIZE 0000000F BYTES

		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_8F8329
		mov	eax, 0FFDF0030h
		retn
RtlGetNtSystemRoot endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiResidentPagesForSpan(x, x, x)
_MiResidentPagesForSpan@12 proc	near	; CODE XREF: MiDeletePartialVad+DD4B0p
					; MiDeletePartialVad+DD827p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	ebx, edx
		mov	edx, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		test	edx, edx
		js	short loc_7DC770
		lea	esi, [edx+1]

loc_7DC759:				; CODE XREF: MiResidentPagesForSpan(x,x,x)+30j
		mov	ecx, edi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, ebx
		mov	edi, eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ebx, eax
		sub	esi, 1
		jnz	short loc_7DC759

loc_7DC770:				; CODE XREF: MiResidentPagesForSpan(x,x,x)+16j
		xor	esi, esi
		inc	esi
		cmp	edx, esi
		jge	short loc_7DC7C3
		sub	esi, edx

loc_7DC779:				; CODE XREF: MiResidentPagesForSpan(x,x,x)+83j
		mov	eax, ebx
		sub	eax, edi
		sar	eax, 3
		lea	edx, ds:8[eax*8]
		mov	eax, edi
		mov	ecx, edx
		and	eax, 0FFFh
		and	ecx, 0FFFh
		shr	edx, 0Ch
		add	edx, [ebp+var_4]
		add	ecx, 0FFFh
		add	eax, ecx
		mov	ecx, edi
		shr	eax, 0Ch
		add	eax, edx
		mov	[ebp+var_4], eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, ebx
		mov	edi, eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ebx, eax
		sub	esi, 1
		jnz	short loc_7DC779

loc_7DC7C3:				; CODE XREF: MiResidentPagesForSpan(x,x,x)+37j
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiResidentPagesForSpan@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


WdipTimeoutCheckRoutine	proc near	; DATA XREF: WdipSemStartTimeoutCheck()+4Fo

; FUNCTION CHUNK AT 008F8338 SIZE 00000030 BYTES

		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _WdipSemPushLock
		call	ExAcquirePushLockSharedEx
		call	WdipSemSqmLogInflightLimitExceededDataPoints
		cmp	_WdipSemTimeoutEnabled,	0
		jz	short loc_7DC80C
		mov	ecx, offset _WdipSemEnabledInstanceTable
		call	WdipSemMarkNextTimedOutInstanceForDeletion
		mov	edi, eax

loc_7DC804:				; CODE XREF: WdipTimeoutCheckRoutine+11BB95j
		test	edi, edi
		jnz	loc_8F8338

loc_7DC80C:				; CODE XREF: WdipTimeoutCheckRoutine+28j
		mov	eax, _WdipSemTimeoutValue
		xor	edx, edx
		push	0Ah
		pop	ecx
		div	ecx
		push	ds:dword_40AA6C
		push	ds:_WdipSemOneSecond
		push	0
		push	eax
		call	__allmul
		mov	esi, edx
		mov	ecx, offset _WdipSemPushLock
		xor	edx, edx
		mov	edi, eax
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	offset _WdipTimeoutTimerParameters
		push	0
		push	0
		push	esi
		push	edi
		push	_WdipTimeoutTimer
		call	ExSetTimer
		pop	edi
		pop	esi
		retn	4
WdipTimeoutCheckRoutine	endp

; 
		align 4

;  S U B	R O U T	I N E 


WdipSemMarkNextTimedOutInstanceForDeletion proc	near
					; CODE XREF: WdipTimeoutCheckRoutine+2Fp
					; WdipTimeoutCheckRoutine+11BB77p

; FUNCTION CHUNK AT 008F8368 SIZE 00000027 BYTES

		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset dword_6BDB9C
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		test	edi, edi
		jz	short loc_7DC896
		mov	edx, [edi]
		mov	edi, offset _WdipSemEnabledInstanceTable

loc_7DC892:				; CODE XREF: WdipSemMarkNextTimedOutInstanceForDeletion+58j
					; WdipSemMarkNextTimedOutInstanceForDeletion+11BB0Ej ...
		cmp	edx, edi
		jnz	short loc_7DC8B1

loc_7DC896:				; CODE XREF: WdipSemMarkNextTimedOutInstanceForDeletion+25j
					; WdipSemMarkNextTimedOutInstanceForDeletion+11BB26j
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_7DC8B1:				; CODE XREF: WdipSemMarkNextTimedOutInstanceForDeletion+30j
		mov	ecx, edx
		mov	edx, [edx]
		inc	dword ptr [ecx+1Ch]
		cmp	dword ptr [ecx+1Ch], 0Ah
		jb	short loc_7DC892
		jmp	loc_8F8368
WdipSemMarkNextTimedOutInstanceForDeletion endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemSqmLogInflightLimitExceededDataPoints proc near
					; CODE XREF: WdipTimeoutCheckRoutine+1Cp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F838F SIZE 0000008F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		xor	esi, esi
		dec	word ptr [eax+13Ch]
		push	edi
		nop
		xor	edx, edx
		mov	ecx, offset dword_6BCA44
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, dword_6BCA40
		test	ebx, ebx
		jnz	loc_8F838F

loc_7DC907:				; CODE XREF: WdipSemSqmLogInflightLimitExceededDataPoints+11BADEj
					; WdipSemSqmLogInflightLimitExceededDataPoints+11BB2Aj
		xor	edi, edi
		cmp	dword_6BCA40, edi
		ja	loc_8F83F3

loc_7DC915:				; CODE XREF: WdipSemSqmLogInflightLimitExceededDataPoints+11BB55j
		and	dword_6BCA40, 0
		xor	edx, edx
		mov	ecx, offset dword_6BCA44
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
WdipSemSqmLogInflightLimitExceededDataPoints endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 992. IoSetIoCompletion

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetIoCompletion(x, x, x, x, x, x)
		public _IoSetIoCompletion@24
_IoSetIoCompletion@24 proc near		; CODE XREF: PspSendJobNotification(x,x,x,x)+1Ep
					; PAGE:0081D6B7p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	IoSetIoCompletionEx2
		pop	ebp
		retn	18h
_IoSetIoCompletion@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopIrqPackResource(x, x, x,	x)
_IopIrqPackResource@16 proc near	; DATA XREF: IopIrqInitialize()+1Fo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		mov	byte ptr [edx],	2
		mov	ax, [ecx+4]
		mov	[edx+2], ax
		mov	al, [ecx+2]
		or	dword ptr [edx+0Ch], 0FFFFFFFFh
		mov	[edx+1], al
		mov	eax, [ebp+arg_4]
		mov	[edx+8], eax
		mov	[edx+4], ax
		xor	eax, eax
		mov	[edx+6], ax
		pop	ebp
		retn	10h
_IopIrqPackResource@16 endp


;  S U B	R O U T	I N E 


; __stdcall UnlockShutdown()
_UnlockShutdown@0 proc near		; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x):loc_434AF9p
					; CmShutdownSystem(x)+1A0p ...
		xor	edx, edx
		mov	ecx, offset _CmpShutdownLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_UnlockShutdown@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmKtmNotification(x, x, x, x, x, x,	x)
_CmKtmNotification@28 proc near		; DATA XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+288o
					; CmpFinishSystemHivesLoad(x)+153o ...

var_76		= byte ptr -76h
var_75		= byte ptr -75h
var_6E		= byte ptr -6Eh
var_6D		= dword	ptr -6Dh
var_66		= byte ptr -66h
var_65		= byte ptr -65h
var_64		= dword	ptr -64h
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	[esp+6Ch+var_58], eax
		mov	eax, [ebp+arg_18]
		push	ebx
		push	esi
		push	edi
		mov	esi, [ebp+arg_0]
		lea	edi, [esp+78h+var_38]
		mov	[esp+78h+var_3C], eax
		xor	eax, eax
		stosd
		mov	[esp+78h+var_50], ecx
		mov	[esp+78h+var_64], ecx
		mov	[esp+78h+var_48], ecx
		stosd
		mov	[esp+78h+var_5D], cl
		mov	[esp+78h+var_65], cl
		mov	[esp+78h+var_54], ecx
		stosd
		mov	[esp+78h+var_44], ecx
		mov	[esp+78h+var_40], ecx
		push	8
		stosd
		xor	eax, eax
		pop	ecx
		lea	edi, [esp+78h+var_28]
		mov	[esp+78h+var_5C], esi
		rep stosd
		mov	edi, [esp+78h+var_58]
		mov	ecx, edi
		mov	byte ptr [esp+78h+var_4C], 1
		call	_CmpIsCmRm@4	; CmpIsCmRm(x)
		test	al, al
		jnz	short loc_7DCA3D
		mov	eax, 0C000000Dh
		jmp	loc_7DCD43
; 

loc_7DCA3D:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+77j
		test	byte ptr [edi+3Ch], 8
		jnz	loc_7DCD41
		mov	ebx, [ebp+arg_C]
		cmp	ebx, 100h
		jnz	short loc_7DCA62
		push	[esp+78h+var_3C]
		mov	ecx, edi
		call	_CmpRecoverEnlistment@12 ; CmpRecoverEnlistment(x,x,x)
		jmp	loc_7DCD43
; 

loc_7DCA62:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+96j
		test	bl, 0Eh
		jz	loc_7DCD41
		lea	eax, [esp+78h+var_64]
		push	eax
		push	esi
		call	ds:__imp__TmReferenceEnlistmentKey@8 ; TmReferenceEnlistmentKey(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_7DCD43
		call	_LOCK_TRANSACTION_LIST@0 ; LOCK_TRANSACTION_LIST()
		mov	ecx, [esp+80h+var_6D+1]
		mov	eax, [ecx+18h]
		test	al, 8
		jz	short loc_7DCAF1
		push	2
		pop	edi
		sub	ebx, edi
		jz	short loc_7DCAD1
		sub	ebx, edi
		jz	short loc_7DCAB8
		sub	ebx, 4
		jnz	short loc_7DCAEA
		or	eax, edi
		mov	[ecx+18h], eax
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		push	ebx
		push	[esp+84h+var_64]
		call	ds:__imp__TmRollbackComplete@8 ; TmRollbackComplete(x,x)
		jmp	short loc_7DCAE8
; 

loc_7DCAB8:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+E0j
		or	eax, 4
		mov	[ecx+18h], eax
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		push	0
		push	[esp+84h+var_64]
		call	ds:__imp__TmCommitComplete@8 ; TmCommitComplete(x,x)
		jmp	short loc_7DCAEA
; 

loc_7DCAD1:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+DCj
		or	eax, 1
		mov	[ecx+18h], eax
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		push	0
		push	[esp+84h+var_64]
		call	ds:__imp__TmPrepareComplete@8 ;	TmPrepareComplete(x,x)

loc_7DCAE8:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+FCj
		mov	esi, eax

loc_7DCAEA:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+E5j
					; CmKtmNotification(x,x,x,x,x,x,x)+115j ...
		mov	eax, esi
		jmp	loc_7DCD43
; 

loc_7DCAF1:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+D5j
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		mov	ecx, dword_6B179C
		cmp	_CmRmSystem, edi
		jz	short loc_7DCB07
		mov	ecx, [edi+30h]

loc_7DCB07:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+148j
		lea	edx, [esp+80h+var_4C]
		call	CmpEtwGetHivePath
		test	eax, eax
		js	short loc_7DCB35
		mov	edx, 20000h
		lea	ecx, [esp+80h+var_30]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		mov	esi, [esp+80h+var_6D+1]
		lea	edi, [esp+80h+var_40]
		lea	esi, [esi+2Ch]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [esp+20h]

loc_7DCB35:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+158j
		mov	eax, ds:_CmpLoadHiveLockOwner
		cmp	eax, large fs:124h
		jnz	short loc_7DCB4A
		mov	[esp+80h+var_6E], 1
		jmp	short loc_7DCB54
; 

loc_7DCB4A:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+187j
		mov	[esp+80h+var_6E], 0
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()

loc_7DCB54:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+18Ej
		mov	ecx, edi
		call	_CmpIsCmRm@4	; CmpIsCmRm(x)
		test	al, al
		jnz	short loc_7DCB80
		cmp	[esp+80h+var_6E], al
		jnz	short loc_7DCB6A
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()

loc_7DCB6A:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+1A9j
		push	0
		push	[esp+84h+var_64]
		call	ds:__imp__TmDereferenceEnlistmentKey@8 ; TmDereferenceEnlistmentKey(x,x)
		mov	esi, 0C000000Dh
		jmp	loc_7DCD33
; 

loc_7DCB80:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+1A3j
		push	2
		mov	eax, ebx
		pop	edi
		sub	eax, edi
		jz	short loc_7DCBC0
		sub	eax, edi
		jz	short loc_7DCBAE
		sub	eax, 4
		jz	short loc_7DCB9D
		mov	edx, [esp+80h+var_58]
		mov	esi, 0C000000Dh
		jmp	short loc_7DCBDC
; 

loc_7DCB9D:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+1D6j
		mov	ecx, [esp+80h+var_6D+1]
		lea	edx, [esp+80h+var_5C]
		call	_CmpTransMgrRollback@8 ; CmpTransMgrRollback(x,x)
		push	8
		jmp	short loc_7DCBD9
; 

loc_7DCBAE:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+1D1j
		mov	edx, [esp+80h+var_6D+1]
		lea	eax, [esp+80h+var_5C]
		push	eax
		call	_CmpTransMgrCommit@12 ;	CmpTransMgrCommit(x,x,x)
		push	10h
		jmp	short loc_7DCBD9
; 

loc_7DCBC0:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+1CDj
		mov	edx, [esp+80h+var_6D+1]
		lea	eax, [esp+80h+var_6D]
		mov	ecx, [esp+20h]
		push	eax
		lea	eax, [esp+84h+var_5C]
		push	eax
		call	CmpTransMgrPrepare
		push	4

loc_7DCBD9:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+1F2j
					; CmKtmNotification(x,x,x,x,x,x,x)+204j
		mov	esi, eax
		pop	edx

loc_7DCBDC:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+1E1j
		mov	[esp+80h+var_58], esi
		test	esi, esi
		jns	short loc_7DCBEF
		cmp	ebx, 4
		jz	short loc_7DCBEF
		mov	ecx, [esp+80h+var_6D+1]
		jmp	short loc_7DCC27
; 

loc_7DCBEF:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+228j
					; CmKtmNotification(x,x,x,x,x,x,x)+22Dj
		mov	ecx, [esp+80h+var_6D+1]
		lea	eax, [ecx+8]
		cmp	[eax], eax
		jz	short loc_7DCC18
		test	esi, esi
		js	short loc_7DCC18
		push	edx
		mov	edx, ecx
		mov	ecx, [esp+24h]
		call	_CmLogTmRmAction@12 ; CmLogTmRmAction(x,x,x)
		mov	ecx, [esp+80h+var_6D+1]
		mov	esi, eax
		cmp	ebx, edi
		jz	short loc_7DCC1D
		xor	esi, esi
		jmp	short loc_7DCC1D
; 

loc_7DCC18:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+23Ej
					; CmKtmNotification(x,x,x,x,x,x,x)+242j
		mov	byte ptr [esp+80h+var_54], 0

loc_7DCC1D:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+258j
					; CmKtmNotification(x,x,x,x,x,x,x)+25Cj
		mov	[esp+80h+var_65], 1
		cmp	ebx, 4
		jz	short loc_7DCC33

loc_7DCC27:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+233j
		cmp	ebx, 8
		jz	short loc_7DCC33
		cmp	byte ptr [esp+80h+var_6D], 1
		jnz	short loc_7DCC87

loc_7DCC33:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+26Bj
					; CmKtmNotification(x,x,x,x,x,x,x)+270j
		xor	eax, eax
		cmp	[ecx+24h], eax
		jz	short loc_7DCC41
		mov	edx, [ecx+28h]
		mov	[esp+80h+var_50], edx

loc_7DCC41:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+27Ej
		test	byte ptr [ecx+18h], 20h
		jz	short loc_7DCC61
		mov	ecx, [esp+20h]
		push	eax
		call	_CmpAccountForLogReservation@12	; CmpAccountForLogReservation(x,x,x)
		test	eax, eax
		js	short loc_7DCC5D
		mov	eax, [esp+80h+var_6D+1]
		and	dword ptr [eax+18h], 0FFFFFFDFh

loc_7DCC5D:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+299j
		mov	ecx, [esp+80h+var_6D+1]

loc_7DCC61:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+28Bj
		test	esi, esi
		jns	short loc_7DCC6A
		cmp	ebx, 4
		jz	short loc_7DCC87

loc_7DCC6A:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+2A9j
		lea	edx, [esp+80h+var_5C]
		call	_CmpTransMgrRollback@8 ; CmpTransMgrRollback(x,x)
		push	[esp+80h+var_54]
		mov	edx, [esp+84h+var_6D+1]
		mov	esi, eax
		mov	ecx, [esp+24h]
		push	ebx
		call	_CmpCleanupTransactionState@16 ; CmpCleanupTransactionState(x,x,x,x)

loc_7DCC87:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+277j
					; CmKtmNotification(x,x,x,x,x,x,x)+2AEj
		push	0
		push	[esp+84h+var_64]
		call	ds:__imp__TmDereferenceEnlistmentKey@8 ; TmDereferenceEnlistmentKey(x,x)
		cmp	[esp+88h+var_76], 0
		jnz	short loc_7DCC9F
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()

loc_7DCC9F:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+2DEj
		cmp	byte ptr [esp+88h+var_6D], 1
		jnz	short loc_7DCCED
		mov	eax, ebx
		sub	eax, edi
		jz	short loc_7DCCD0
		sub	eax, edi
		jz	short loc_7DCCC2
		sub	eax, 4
		jnz	short loc_7DCCED
		push	eax
		push	[esp+8Ch+var_6D+1]
		call	ds:__imp__TmRollbackComplete@8 ; TmRollbackComplete(x,x)
		jmp	short loc_7DCCEB
; 

loc_7DCCC2:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+2F4j
		push	0
		push	[esp+8Ch+var_6D+1]
		call	ds:__imp__TmCommitComplete@8 ; TmCommitComplete(x,x)
		jmp	short loc_7DCCED
; 

loc_7DCCD0:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+2F0j
		cmp	[esp+88h+var_75], 1
		push	0
		push	[esp+8Ch+var_6D+1]
		jnz	short loc_7DCCE5
		call	ds:__imp__TmReadOnlyEnlistment@8 ; TmReadOnlyEnlistment(x,x)
		jmp	short loc_7DCCEB
; 

loc_7DCCE5:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+321j
		call	ds:__imp__TmPrepareComplete@8 ;	TmPrepareComplete(x,x)

loc_7DCCEB:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+306j
					; CmKtmNotification(x,x,x,x,x,x,x)+329j
		mov	esi, eax

loc_7DCCED:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+2EAj
					; CmKtmNotification(x,x,x,x,x,x,x)+2F9j ...
		mov	eax, [esp+30h]
		test	eax, eax
		jz	short loc_7DCCFB
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_7DCCFB:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+339j
		sub	ebx, edi
		jz	short loc_7DCD10
		sub	ebx, edi
		jz	short loc_7DCD0C
		sub	ebx, 4
		jnz	short loc_7DCD14
		mov	al, 20h
		jmp	short loc_7DCD16
; 

loc_7DCD0C:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+347j
		mov	al, 1Eh
		jmp	short loc_7DCD16
; 

loc_7DCD10:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+343j
		mov	al, 1Fh
		jmp	short loc_7DCD16
; 

loc_7DCD14:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+34Cj
		xor	eax, eax

loc_7DCD16:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+350j
					; CmKtmNotification(x,x,x,x,x,x,x)+354j ...
		lea	ecx, [esp+90h+var_5C]
		push	ecx
		lea	ecx, [esp+94h+var_40]
		push	ecx
		push	[esp+98h+var_6D+1]
		lea	edx, [esp+9Ch+var_50]
		mov	cl, al
		push	dword ptr [esp+34h]
		call	CmpEtwDumpTxR

loc_7DCD33:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+1C1j
		lea	ecx, [esp+90h+var_5C]
		call	_CmpEtwReleaseHivePath@4 ; CmpEtwReleaseHivePath(x)
		jmp	loc_7DCAEA
; 

loc_7DCD41:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+87j
					; CmKtmNotification(x,x,x,x,x,x,x)+ABj
		xor	eax, eax

loc_7DCD43:				; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+7Ej
					; CmKtmNotification(x,x,x,x,x,x,x)+A3j	...
		mov	ecx, [esp+78h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_CmKtmNotification@28 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmSnapshotRMTxArray proc near		; CODE XREF: CmpTryToRundownHive+FFp
					; CmpPerformUnloadKey+18B6D1p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F841E SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jz	short loc_7DCDB5
		lea	ebx, [ecx+8]

loc_7DCD6A:				; CODE XREF: CmSnapshotRMTxArray+11B6D6j
		call	_LOCK_TRANSACTION_LIST@0 ; LOCK_TRANSACTION_LIST()
		xor	esi, esi
		and	[ebp+var_4], esi

loc_7DCD74:				; CODE XREF: CmSnapshotRMTxArray+65j
					; CmSnapshotRMTxArray+68j
		push	0
		lea	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jnz	short loc_7DCDB9
		mov	eax, [edi+4]
		sub	eax, [edi]
		cmp	esi, eax
		ja	loc_8F841E
		xor	esi, esi
		mov	[ebp+var_4], esi

loc_7DCD96:				; CODE XREF: CmSnapshotRMTxArray+11B6E5j
					; CmSnapshotRMTxArray+11B6F5j
		push	esi
		lea	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jnz	loc_8F8439
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		mov	eax, esi

loc_7DCDB0:				; CODE XREF: CmSnapshotRMTxArray+5Fj
					; CmSnapshotRMTxArray+11B6DCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7DCDB5:				; CODE XREF: CmSnapshotRMTxArray+Dj
		xor	eax, eax
		jmp	short loc_7DCDB0
; 

loc_7DCDB9:				; CODE XREF: CmSnapshotRMTxArray+2Aj
		test	byte ptr [eax+18h], 8
		jnz	short loc_7DCD74
		inc	esi
		jmp	short loc_7DCD74
CmSnapshotRMTxArray endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpIsCmRm(x)
_CmpIsCmRm@4	proc near		; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+70p
					; CmKtmNotification(x,x,x,x,x,x,x)+19Cp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		push	edi
		mov	[ebp+var_4], ebx
		nop
		mov	edi, offset _CmpRmListLock
		mov	ecx, edi
		call	ExAcquireFastMutexUnsafe

loc_7DCDEC:				; CODE XREF: CmpIsCmRm(x)+3Ej
		push	ebx
		lea	edx, [ebp+var_4]
		mov	ecx, offset _CmpRmListHead
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jz	short loc_7DCE18
		cmp	eax, esi
		jnz	short loc_7DCDEC
		cmp	[esi+18h], ebx
		jz	short loc_7DCE18
		cmp	[esi+1Ch], ebx
		jz	short loc_7DCE18
		cmp	[esi+10h], ebx
		jz	short loc_7DCE18
		cmp	[esi+14h], ebx
		jz	short loc_7DCE18
		mov	bl, 1

loc_7DCE18:				; CODE XREF: CmpIsCmRm(x)+3Aj
					; CmpIsCmRm(x)+43j ...
		mov	ecx, edi
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_CmpIsCmRm@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmListGetNextElement(x, x, x)
_CmListGetNextElement@12 proc near	; CODE XREF: CmSnapshotRMTxArray+23p
					; CmSnapshotRMTxArray+44p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_7DCE4C

loc_7DCE3D:				; CODE XREF: CmListGetNextElement(x,x,x)+1Ej
		cmp	ecx, eax
		jz	short loc_7DCE52
		mov	ecx, [eax]
		sub	eax, [ebp+arg_0]
		mov	[edx], ecx

loc_7DCE48:				; CODE XREF: CmListGetNextElement(x,x,x)+22j
		pop	ebp
		retn	4
; 

loc_7DCE4C:				; CODE XREF: CmListGetNextElement(x,x,x)+9j
		mov	eax, [ecx]
		mov	[edx], eax
		jmp	short loc_7DCE3D
; 

loc_7DCE52:				; CODE XREF: CmListGetNextElement(x,x,x)+Dj
		xor	eax, eax
		jmp	short loc_7DCE48
_CmListGetNextElement@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmRmFinalizeRecovery proc near		; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+29Cp
					; CmpFinishSystemHivesLoad(x)+167p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F8452 SIZE 00000087 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_20], 0
		xor	eax, eax
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_1C]
		push	6
		pop	ecx
		rep stosd
		call	_LOCK_TRANSACTION_LIST@0 ; LOCK_TRANSACTION_LIST()
		lea	edi, [esi+8]

loc_7DCE82:				; CODE XREF: CmRmFinalizeRecovery+11B66Fj
		mov	esi, [edi]
		cmp	esi, edi
		jnz	loc_8F8452
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmRmFinalizeRecovery endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall UNLOCK_TRANSACTION_LIST()
_UNLOCK_TRANSACTION_LIST@0 proc	near	; CODE XREF: CmpTransEnlistUowInCmTrans+2Cp
					; CmpTransEnlistUowInCmTrans:loc_5DE234p ...
		mov	edi, edi
		push	ecx
		mov	ecx, offset _CmpTransactionListLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	ecx
		retn
_UNLOCK_TRANSACTION_LIST@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall LOCK_TRANSACTION_LIST()
_LOCK_TRANSACTION_LIST@0 proc near	; CODE XREF: CmpTransEnlistUowInCmTrans+9p
					; CmKtmNotification(x,x,x,x,x,x,x)+C7p	...
		mov	edi, edi
		push	ecx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpTransactionListLock
		call	ExAcquireFastMutexUnsafe
		pop	ecx
		retn
_LOCK_TRANSACTION_LIST@0 endp

; 
		align 10h
; Exported entry 2509. SeSetSecurityDescriptorInfoEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeSetSecurityDescriptorInfoEx(x, x,	x, x, x, x, x)
		public _SeSetSecurityDescriptorInfoEx@28
_SeSetSecurityDescriptorInfoEx@28 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		cmp	dword ptr [eax], 0
		jz	short loc_7DCF0D
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_18]
		mov	edx, [edx]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	eax
		push	[ebp+arg_8]
		call	RtlpSetSecurityObject

loc_7DCF09:				; CODE XREF: SeSetSecurityDescriptorInfoEx(x,x,x,x,x,x,x)+32j
		pop	ebp
		retn	1Ch
; 

loc_7DCF0D:				; CODE XREF: SeSetSecurityDescriptorInfoEx(x,x,x,x,x,x,x)+Bj
		mov	eax, 0C00000D7h
		jmp	short loc_7DCF09
_SeSetSecurityDescriptorInfoEx@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcReserveDestroyProcedure(x)
_AlpcReserveDestroyProcedure@4 proc near ; DATA	XREF: .text:00401114o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [esi+0Ch]
		test	edi, edi
		jz	short loc_7DCF44
		mov	ecx, edi
		call	AlpcpLockForCachedReferenceBlob
		and	dword ptr [edi+34h], 0
		and	dword ptr [esi+0Ch], 0
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	short loc_7DCF70

loc_7DCF3D:				; CODE XREF: AlpcReserveDestroyProcedure(x)+63j
		mov	ecx, edi
		call	AlpcpUnlockBlob

loc_7DCF44:				; CODE XREF: AlpcReserveDestroyProcedure(x)+Fj
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_7DCF54
		mov	edx, [esi+8]
		push	esi
		call	@AlpcDeleteBlobByHandle@12 ; AlpcDeleteBlobByHandle(x,x,x)

loc_7DCF54:				; CODE XREF: AlpcReserveDestroyProcedure(x)+35j
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_7DCF68
		mov	edx, esi
		call	_AlpcpRemoveResourcePort@8 ; AlpcpRemoveResourcePort(x,x)
		mov	ecx, [esi]
		call	ObfDereferenceObject

loc_7DCF68:				; CODE XREF: AlpcReserveDestroyProcedure(x)+44j
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
; 

loc_7DCF70:				; CODE XREF: AlpcReserveDestroyProcedure(x)+27j
		mov	ecx, edi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	short loc_7DCF3D
_AlpcReserveDestroyProcedure@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 254. CmGetBoundTransaction

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmGetBoundTransaction(x, x)
		public _CmGetBoundTransaction@8
_CmGetBoundTransaction@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jz	short loc_7DCF9A
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+20h]
		test	al, 1
		jnz	short loc_7DCF9A
		and	eax, 0FFFFFFFEh

loc_7DCF96:				; CODE XREF: CmGetBoundTransaction(x,x)+1Ej
		pop	ebp
		retn	8
; 

loc_7DCF9A:				; CODE XREF: CmGetBoundTransaction(x,x)+9j
					; CmGetBoundTransaction(x,x)+13j
		xor	eax, eax
		jmp	short loc_7DCF96
_CmGetBoundTransaction@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoSetProcessEnergyTrackingState	proc near ; CODE XREF: PAGE:007AAA24p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F84D9 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], eax
		mov	edx, [eax+3E0h]
		xor	esi, esi
		mov	ebx, esi
		test	edx, edx
		jz	loc_8F84CF
		cmp	[edi+8], esi
		jnz	loc_8F84D9
		mov	eax, [edi]
		test	eax, 0FFFFFFEFh
		jnz	loc_8F84D9
		not	eax
		test	[edi+4], eax
		jnz	loc_8F84D9
		test	byte ptr [edi+0Ch], 1
		jz	short loc_7DD001
		mov	ecx, esi
		lea	eax, [edi+10h]

loc_7DCFEC:				; CODE XREF: PoSetProcessEnergyTrackingState+5Aj
		cmp	[eax], si
		jz	short loc_7DD001
		inc	ecx
		add	eax, 2
		cmp	ecx, 40h
		jb	short loc_7DCFEC
		mov	esi, 0C000000Dh
		jmp	short loc_7DD05B
; 

loc_7DD001:				; CODE XREF: PoSetProcessEnergyTrackingState+47j
					; PoSetProcessEnergyTrackingState+51j
		mov	eax, large fs:124h
		mov	ebx, edx
		dec	word ptr [eax+13Ch]
		lea	esi, [ebx+1B0h]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	edx, edi
		mov	ecx, [ebp+var_4]
		mov	[esi+4], eax
		call	_PopEtEnergyContextSetState@8 ;	PopEtEnergyContextSetState(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7DD03B
		xor	esi, esi

loc_7DD03B:				; CODE XREF: PoSetProcessEnergyTrackingState+99j
					; PoSetProcessEnergyTrackingState+11B540j
		test	ebx, ebx
		jz	short loc_7DD05B
		lea	ecx, [ebx+1B0h]
		cmp	dword ptr [ecx+4], 0
		jz	short loc_7DD04F
		and	dword ptr [ecx+4], 0

loc_7DD04F:				; CODE XREF: PoSetProcessEnergyTrackingState+ABj
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_7DD05B:				; CODE XREF: PoSetProcessEnergyTrackingState+61j
					; PoSetProcessEnergyTrackingState+9Fj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
PoSetProcessEnergyTrackingState	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpWnfAllocateScopeInstance(void *,int)
_ExpWnfAllocateScopeInstance@16	proc near ; CODE XREF: ExpWnfResolveScopeInstance+2C9p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, ecx
		push	20666E57h
		mov	[ebp+var_4], edx
		lea	eax, [edi+2Ch]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7DD0E5
		xor	ecx, ecx
		mov	eax, 902h
		mov	[esi+10h], ecx
		mov	[esi+14h], ecx
		mov	[esi+18h], ecx
		mov	[esi+1Ch], ecx
		mov	[esi+20h], ecx
		mov	[esi+24h], ecx
		mov	[esi+28h], ecx
		mov	[esi], ax
		push	2Ch
		pop	eax
		mov	[esi+2], ax
		mov	eax, [ebp+var_4]
		mov	[esi+4], ecx
		mov	[esi+8], eax
		mov	[esi+0Ch], edi
		test	edi, edi
		jz	short loc_7DD0D4
		push	edi		; size_t
		push	[ebp+arg_0]	; void *
		lea	eax, [esi+2Ch]
		push	eax		; void *
		mov	[esi+10h], eax
		call	_memcpy
		add	esp, 0Ch
		xor	ecx, ecx

loc_7DD0D4:				; CODE XREF: ExpWnfAllocateScopeInstance(x,x,x,x)+5Bj
		mov	[esi+1Ch], ecx
		xor	eax, eax
		mov	[esi+20h], ecx
		mov	[ebx], esi

loc_7DD0DE:				; CODE XREF: ExpWnfAllocateScopeInstance(x,x,x,x)+88j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7DD0E5:				; CODE XREF: ExpWnfAllocateScopeInstance(x,x,x,x)+25j
		mov	eax, 0C000009Ah
		jmp	short loc_7DD0DE
_ExpWnfAllocateScopeInstance@16	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1430. MmLockPagableSectionByHandle

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmLockPagableSectionByHandle(x)
		public _MmLockPagableSectionByHandle@4
_MmLockPagableSectionByHandle@4	proc near ; CODE XREF: IoDeleteDevice+D417Ep
					; KiStartDynamicProcessor(x,x,x,x)+345p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		inc	edx
		call	MiLockPagableImageSection
		pop	ebp
		retn	4
_MmLockPagableSectionByHandle@4	endp


;  S U B	R O U T	I N E 


; __stdcall PfpPrefetchSharedDeref(x)
_PfpPrefetchSharedDeref@4 proc near	; CODE XREF: PfSnCleanupPrefetchHeader(x)+AFp
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+50h], eax
		dec	eax
		test	eax, eax
		jg	short locret_7DD11D
		jnz	short loc_7DD11E
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_7DD11D:				; CODE XREF: PfpPrefetchSharedDeref(x)+Bj
		retn
; 

loc_7DD11E:				; CODE XREF: PfpPrefetchSharedDeref(x)+Dj
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		retn
_PfpPrefetchSharedDeref@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspApplyIFEOPerfOptions	proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+125Cp

var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F84E3 SIZE 0000007B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		mov	[esp+18h+var_8], esi
		test	byte ptr [esi],	1
		jnz	loc_8F84E3

loc_7DD143:				; CODE XREF: PspApplyIFEOPerfOptions+11B3C5j
					; PspApplyIFEOPerfOptions+11B3E7j ...
		mov	ecx, [esi]
		test	cl, 2
		jz	short loc_7DD17F
		mov	edi, [esi+0Ch]
		call	_MmGetDefaultPagePriority@0 ; MmGetDefaultPagePriority()
		cmp	edi, eax
		jnb	short loc_7DD17F
		mov	eax, [ebx+0F8h]
		lea	esi, [ebx+0F8h]
		shl	edi, 0Ch

loc_7DD165:				; CODE XREF: PspApplyIFEOPerfOptions+53j
		mov	ecx, eax
		mov	edx, eax
		and	ecx, 0FFFF8FFFh
		or	ecx, edi
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_7DD165
		mov	esi, [esp+18h+var_8]
		mov	ecx, [esi]

loc_7DD17F:				; CODE XREF: PspApplyIFEOPerfOptions+24j
					; PspApplyIFEOPerfOptions+30j
		test	cl, 4
		jnz	loc_8F853D

loc_7DD188:				; CODE XREF: PspApplyIFEOPerfOptions+11B420j
					; PspApplyIFEOPerfOptions+11B435j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
PspApplyIFEOPerfOptions	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspDeleteUserStack(x, x, x,	x)
_PspDeleteUserStack@16 proc near	; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+216p
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+6A4p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_1C]
		push	6
		pop	ecx
		rep stosd
		lea	eax, [ebp+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	eax, [ebp+arg_4]
		test	byte ptr [eax],	2
		jz	short loc_7DD1E9
		mov	eax, [ebx+10h]
		and	[ebp+var_20], 0
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_20]
		push	8000h
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)

loc_7DD1E9:				; CODE XREF: PspDeleteUserStack(x,x,x,x)+37j
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PspDeleteUserStack@16 endp


;  S U B	R O U T	I N E 


; __stdcall LockShutdownShared()
_LockShutdownShared@0 proc near		; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+85p
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpShutdownLock
		jmp	ExAcquirePushLockSharedEx
_LockShutdownShared@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall AslPathSplit(wchar_t *,int,int,int,int,int,int)
AslPathSplit	proc near		; CODE XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+CCp

var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= word ptr -210h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F855E SIZE 0000006C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 218h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_214], eax
		mov	ecx, [ebp+arg_C]
		mov	ebx, edx
		xor	edx, edx
		mov	[ebp+var_218], ecx
		push	edi
		push	5Ch
		mov	[ebx], dx
		mov	[ecx], dx
		xor	ecx, ecx
		mov	[eax], cx
		pop	eax
		push	eax		; wchar_t
		push	esi		; wchar_t *
		mov	[ebp+var_210], dx
		call	_wcsrchr
		mov	edi, eax
		pop	ecx
		pop	ecx
		test	edi, edi
		jz	loc_8F855E
		mov	edx, [ebp+arg_0]
		sub	eax, esi
		sar	eax, 1
		mov	ecx, ebx
		inc	eax
		push	eax
		push	esi
		call	RtlStringCchCopyNW
		mov	esi, eax
		test	esi, esi
		js	loc_8F8565

loc_7DD291:				; CODE XREF: AslPathSplit+11B342j
		push	5Ch
		pop	eax
		cmp	[edi], ax
		jnz	short loc_7DD29C
		add	edi, 2

loc_7DD29C:				; CODE XREF: AslPathSplit+79j
		push	edi
		mov	edx, 105h
		lea	ecx, [ebp+var_210]
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		js	loc_8F8591
		lea	eax, [ebp+var_210]
		push	2Eh		; wchar_t
		push	eax		; wchar_t *
		call	_wcsrchr
		pop	ecx
		mov	ebx, eax
		mov	edx, 104h
		lea	eax, [ebp+var_210]
		pop	ecx
		mov	ecx, [ebp+var_214]
		test	ebx, ebx
		jz	loc_8F85B8
		mov	edi, ebx
		sub	edi, eax
		sar	edi, 1
		push	edi
		push	eax
		call	RtlStringCchCopyNW
		mov	esi, eax
		test	esi, esi
		js	loc_8F859E
		mov	eax, [ebp+var_214]
		xor	ecx, ecx
		push	ebx
		mov	edx, 104h
		mov	[eax+edi*2], cx
		mov	ecx, [ebp+var_218]
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		js	loc_8F85AB

loc_7DD320:				; CODE XREF: AslPathSplit+11B3A4j
		xor	esi, esi

loc_7DD322:				; CODE XREF: AslPathSplit+11B36Ej
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
AslPathSplit	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1913. PsSetProcessWindowStation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetProcessWindowStation(x, x)
		public _PsSetProcessWindowStation@8
_PsSetProcessWindowStation@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[eax+16Ch], ecx
		pop	ebp
		retn	8
_PsSetProcessWindowStation@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1825. PsGetThreadExitStatus

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsGetThreadExitStatus
PsGetThreadExitStatus proc near		; CODE XREF: NtQueryInformationThread+809p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F85CA SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [esi+2ECh]
		mov	ecx, edi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	loc_8F85CA
		mov	eax, [esi+324h]

loc_7DD379:				; CODE XREF: PsGetThreadExitStatus+11B282j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
PsGetThreadExitStatus endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInsertSecurityCellList proc near	; CODE XREF: CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)+DBp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 008F85DB SIZE 0000006A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_18], edx
		push	esi
		push	edi
		mov	[ebp+var_20], eax
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_28], eax
		mov	[ebp+var_40], eax
		mov	ebx, ecx
		mov	[ebp+var_38], eax
		mov	edi, ecx
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+arg_0]
		mov	[ebp+var_8], ecx
		push	esi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_1], cl
		call	dword ptr [esi+4]
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_8F85DB
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_14], 1
		test	edx, edx
		jns	short loc_7DD432

loc_7DD3E4:				; CODE XREF: CmpInsertSecurityCellList+1C1j
		mov	[eax+4], edx

loc_7DD3E7:				; CODE XREF: CmpInsertSecurityCellList+17Aj
		push	ecx
		push	0
		mov	ecx, esi
		mov	[eax+8], edx
		call	CmpAddSecurityCellToCache
		test	eax, eax
		js	loc_8F85E9
		cmp	[ebp+var_8], 0
		jnz	loc_7DD50C

loc_7DD406:				; CODE XREF: CmpInsertSecurityCellList+194j
		cmp	[ebp+var_C], 0
		jnz	loc_7DD519

loc_7DD410:				; CODE XREF: CmpInsertSecurityCellList+1A1j
		test	edi, edi
		jnz	loc_7DD526

loc_7DD418:				; CODE XREF: CmpInsertSecurityCellList+1A8j
					; CmpInsertSecurityCellList+1B6j
		test	ebx, ebx
		jnz	loc_7DD4FF

loc_7DD420:				; CODE XREF: CmpInsertSecurityCellList+187j
					; CmpInsertSecurityCellList+11B2C0j
		lea	eax, [ebp+var_40]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	al, byte ptr [ebp+var_14]

loc_7DD42B:				; CODE XREF: CmpInsertSecurityCellList+11B25Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7DD432:				; CODE XREF: CmpInsertSecurityCellList+62j
		lea	eax, [ebp+var_38]
		push	eax
		push	[ebp+var_18]
		push	esi
		call	dword ptr [esi+4]
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8F863C
		mov	ax, [ebx+2]
		and	ax, 4
		cmp	[ebp+arg_4], 0
		movzx	eax, ax
		jnz	loc_8F85E2
		test	ax, ax
		jnz	loc_7DD53B
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_30]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	loc_8F8630

loc_7DD47B:				; CODE XREF: CmpInsertSecurityCellList+11B264j
		mov	eax, [edi+2Ch]
		lea	ecx, [ebp+var_28]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_8F8620
		mov	eax, [eax+4]
		lea	ecx, [ebp+var_20]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_8F8612
		mov	edx, [edi+2Ch]
		mov	ecx, esi
		push	0
		push	0
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_8F8604
		mov	ecx, [ebp+var_C]
		push	0
		push	0
		mov	edx, [ecx+4]
		mov	ecx, esi
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_8F8604
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_10]
		mov	[ebp+var_1], 1
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		mov	eax, [ebp+var_8]
		mov	eax, [eax+8]
		mov	[edx+8], eax
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+var_8]
		mov	[ecx+4], edx
		jmp	loc_7DD3E7
; 

loc_7DD4FF:				; CODE XREF: CmpInsertSecurityCellList+9Aj
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_7DD420
; 

loc_7DD50C:				; CODE XREF: CmpInsertSecurityCellList+80j
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_7DD406
; 

loc_7DD519:				; CODE XREF: CmpInsertSecurityCellList+8Aj
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_7DD410
; 

loc_7DD526:				; CODE XREF: CmpInsertSecurityCellList+92j
		cmp	edi, ebx
		jz	loc_7DD418
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_7DD418
; 

loc_7DD53B:				; CODE XREF: CmpInsertSecurityCellList+DFj
		mov	eax, [ebp+var_10]
		mov	edx, [ebp+arg_0]
		jmp	loc_7DD3E4
CmpInsertSecurityCellList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpWakeWriteQueueWaiters proc near	; CODE XREF: CmpFlushHive+42Bp
					; CmpFlushHive:loc_7543D2p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, ecx
		test	edx, edx
		jnz	sub_8F8645

loc_7DD556:				; CODE XREF: sub_8F8645+1Dj
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	ebp
		retn	4
CmpWakeWriteQueueWaiters endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopTranslatorHandlerCm(x, x, x, x, x, x, x)
_IopTranslatorHandlerCm@28 proc	near	; DATA XREF: IopPnPDispatch+16Co

arg_4		= dword	ptr  0Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		push	edi
		mov	edi, [ebp+arg_18]
		movsd
		movsd
		movsd
		movsd
		pop	edi
		pop	esi
		pop	ebp
		retn	1Ch
_IopTranslatorHandlerCm@28 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeTokenDefaultDaclChangedAuditAlarm proc near ;	CODE XREF: PAGE:007E97C5p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_14		= dword	ptr -14h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F8667 SIZE 00000143 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		xor	eax, eax
		mov	[esp+4Ch+var_3C], edx
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+58h+var_38]
		xor	ecx, ecx
		stosd
		mov	esi, ecx
		mov	[esp+58h+var_48], ecx
		mov	[esp+58h+var_44], ecx
		mov	[esp+58h+var_4C], ecx
		stosd
		mov	[esp+58h+var_40], ecx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+58h+var_28]
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+58h+var_14]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+58h+var_38]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	ebx, [esp+58h+var_38]
		test	ebx, ebx
		jnz	short loc_7DD5F3
		mov	ebx, [esp+58h+var_30]
		test	ebx, ebx
		jz	loc_8F8667

loc_7DD5F3:				; CODE XREF: SeTokenDefaultDaclChangedAuditAlarm+69j
		lea	eax, [esp+58h+var_38]
		mov	dl, 1
		push	eax
		push	0
		mov	ecx, 8Eh
		call	SepAdtAuditThisEventWithContext
		test	al, al
		jnz	loc_8F8676
		xor	esi, esi

loc_7DD610:				; CODE XREF: SeTokenDefaultDaclChangedAuditAlarm+11B107j
					; SeTokenDefaultDaclChangedAuditAlarm+11B1F7j ...
		cmp	[esp+58h+var_48], 0
		jnz	loc_8F8786

loc_7DD61B:				; CODE XREF: SeTokenDefaultDaclChangedAuditAlarm+11B217j
		cmp	[esp+58h+var_44], 0
		jnz	loc_8F8798

loc_7DD626:				; CODE XREF: SeTokenDefaultDaclChangedAuditAlarm+11B229j
		test	esi, esi
		js	short loc_7DD63D

loc_7DD62A:				; CODE XREF: SeTokenDefaultDaclChangedAuditAlarm+C7j
		lea	eax, [esp+58h+var_38]
		push	eax
		call	SeReleaseSubjectContext

loc_7DD634:				; CODE XREF: SeTokenDefaultDaclChangedAuditAlarm+11B0F5j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7DD63D:				; CODE XREF: SeTokenDefaultDaclChangedAuditAlarm+ACj
		push	esi
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	short loc_7DD62A
SeTokenDefaultDaclChangedAuditAlarm endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2305. RtlRandom

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlRandom(x)
		public _RtlRandom@4
_RtlRandom@4	proc near		; CODE XREF: CcGetRandomVacbArrayWithReference()+Ep
					; CcUnmapInactiveViewsInternal(x,x,x,x)+DEp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		mov	ecx, [ebp+arg_0]
		and	eax, 7FFFFFFFh
		mov	[ecx], eax
		pop	ebp
		retn	4
_RtlRandom@4	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ExpWnfGetScopeInstanceIdSize(x, x)
_ExpWnfGetScopeInstanceIdSize@8	proc near ; CODE XREF: ExpWnfResolveScopeInstance+28Bp
		sub	ecx, 0
		jz	short loc_7DD67E
		sub	ecx, 1
		jnz	short loc_7DD674

loc_7DD670:				; CODE XREF: ExpWnfGetScopeInstanceIdSize(x,x)+16j
		push	4
		pop	eax
		retn
; 

loc_7DD674:				; CODE XREF: ExpWnfGetScopeInstanceIdSize(x,x)+8j
		sub	ecx, 1
		jz	short loc_7DD681
		sub	ecx, 1
		jz	short loc_7DD670

loc_7DD67E:				; CODE XREF: ExpWnfGetScopeInstanceIdSize(x,x)+3j
		xor	eax, eax
		retn
; 

loc_7DD681:				; CODE XREF: ExpWnfGetScopeInstanceIdSize(x,x)+11j
		push	edx
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		retn
_ExpWnfGetScopeInstanceIdSize@8	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1445. MmMapViewInSystemSpaceEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMapViewInSystemSpaceEx(x,	x, x, x, x)
		public _MmMapViewInSystemSpaceEx@20
_MmMapViewInSystemSpaceEx@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	edx, offset unk_6CF5A4
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	MiMapViewInSystemSpace
		pop	ecx
		pop	ebp
		retn	14h
_MmMapViewInSystemSpaceEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepSetTokenClaims proc near		; CODE XREF: SepCreateTokenEx+825p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F87AA SIZE 000000BB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_8]
		mov	esi, ecx
		xor	ebx, ebx
		push	[ebp+arg_4]
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], ebx
		push	[ebp+arg_0]
		call	SepCreateClaimAttributes
		mov	[ebp+arg_8], eax
		test	eax, eax
		js	short loc_7DD6EE
		mov	edi, [ebp+var_4]
		test	edi, edi
		jnz	loc_8F87AA
		mov	[esi+27Ch], ebx

loc_7DD6EE:				; CODE XREF: SepSetTokenClaims+27j
					; SepSetTokenClaims+11B1ACj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
SepSetTokenClaims endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepCreateClaimAttributes proc near	; CODE XREF: SepSetTokenClaims+1Dp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F8865 SIZE 00000161 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], edx
		xor	ecx, ecx
		mov	[ebp+var_20], edi
		and	[ebp+var_1C], ecx
		mov	esi, ecx
		mov	[ebp+var_18], 1
		mov	ebx, ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_1], cl
		mov	[ebp+var_2], cl
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], ecx
		test	edi, edi
		jz	short loc_7DD751
		and	[edi], ecx
		test	edx, edx
		jnz	loc_8F8865
		cmp	[ebp+arg_0], ecx
		jnz	loc_8F8865
		cmp	[ebp+arg_4], ecx
		jnz	loc_8F8865
		xor	eax, eax

loc_7DD74A:				; CODE XREF: SepCreateClaimAttributes+60j
					; SepCreateClaimAttributes+11B2C4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7DD751:				; CODE XREF: SepCreateClaimAttributes+34j
		mov	eax, 0C000000Dh
		jmp	short loc_7DD74A
SepCreateClaimAttributes endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 337. ExCreateCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExCreateCallback(x,	x, x, x)
		public _ExCreateCallback@16
_ExCreateCallback@16 proc near		; CODE XREF: KeRegisterProcessorChangeCallback+7Fp
					; IoRegisterBootDriverCallback(x,x)+68p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+30h+var_18]
		rep movsd
		or	[esp+30h+var_C], 200h
		xor	edi, edi
		mov	[esp+30h+var_24], edi
		mov	[esp+30h+var_20], edi
		cmp	[esp+30h+var_10], edi
		jz	loc_7DD8AF
		mov	esi, ds:_ExCallbackObjectType
		lea	eax, [esp+30h+var_24]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	edi
		push	edi
		push	edi
		push	edi
		push	esi
		lea	eax, [esp+4Ch+var_18]
		push	eax
		call	ObOpenObjectByNameEx
		mov	esi, eax

loc_7DD7BD:				; CODE XREF: ExCreateCallback(x,x,x,x)+156j
		test	esi, esi
		js	short loc_7DD7FF

loc_7DD7C1:				; CODE XREF: ExCreateCallback(x,x,x,x)+146j
		mov	eax, ds:_ExCallbackObjectType
		lea	ecx, [esp+30h+var_1C]
		push	edi
		push	ecx
		push	edi
		push	eax
		push	edi
		push	[esp+44h+var_24]
		mov	[esp+48h+var_1C], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[esp+30h+var_24]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_7DD7F4
		mov	ecx, [ebp+arg_0]
		mov	eax, [esp+30h+var_1C]
		mov	[ecx], eax

loc_7DD7F4:				; CODE XREF: ExCreateCallback(x,x,x,x)+8Bj
					; ExCreateCallback(x,x,x,x)+CDj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7DD7FF:				; CODE XREF: ExCreateCallback(x,x,x,x)+61j
		cmp	[ebp+arg_8], 0
		jz	loc_7DD8A2
		mov	edx, ds:_ExCallbackObjectType
		lea	eax, [esp+30h+var_20]
		push	edi
		push	eax
		push	edi
		push	edi
		push	1Ch
		push	ecx
		push	edi
		lea	eax, [esp+4Ch+var_18]
		xor	cl, cl
		push	eax
		call	ObCreateObjectEx
		mov	esi, eax
		test	esi, esi
		js	short loc_7DD7F4
		mov	esi, [esp+30h+var_20]
		mov	al, [ebp+arg_C]
		mov	dword ptr [esi], 6C6C6143h
		mov	[esi+10h], al
		lea	eax, [esi+8]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[esi+4], edi
		dec	word ptr [ebx+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset _ExpCallbackListLock
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, dword_6BBD9C
		lea	eax, [esi+14h]
		mov	edx, offset _ExpCallbackListHead
		cmp	[ecx], edx
		jnz	short loc_7DD8B9
		mov	[eax], edx
		xor	edx, edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ecx, offset _ExpCallbackListLock
		mov	dword_6BBD9C, eax
		call	ExReleasePushLockEx
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		lea	eax, [esp+30h+var_24]
		xor	edx, edx
		push	eax
		push	edi
		push	edi
		push	edi
		push	1
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax

loc_7DD8A2:				; CODE XREF: ExCreateCallback(x,x,x,x)+A5j
		test	esi, esi
		jns	loc_7DD7C1
		jmp	loc_7DD7F4
; 

loc_7DD8AF:				; CODE XREF: ExCreateCallback(x,x,x,x)+37j
		mov	esi, 0C0000001h
		jmp	loc_7DD7BD
; 

loc_7DD8B9:				; CODE XREF: ExCreateCallback(x,x,x,x)+10Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExCreateCallback@16 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCheckCreateLowBox(x)
_SepCheckCreateLowBox@4	proc near	; CODE XREF: NtCreateLowBoxToken+10Ap

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1], 1
		lea	edi, [ebp+var_14]
		mov	esi, ecx
		stosd
		xor	ebx, ebx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	ecx, [ebp+var_14]
		test	ecx, ecx
		jz	short loc_7DD956
		cmp	[ebp+var_10], 2
		jl	short loc_7DD95B

loc_7DD903:				; CODE XREF: SepCheckCreateLowBox(x)+9Bj
		mov	ebx, [ecx+0B0h]
		mov	al, [ebp+var_1]
		and	ebx, 2000h

loc_7DD912:				; CODE XREF: SepCheckCreateLowBox(x)+9Fj
		test	ebx, ebx
		jz	short loc_7DD934

loc_7DD916:				; CODE XREF: SepCheckCreateLowBox(x)+78j
					; SepCheckCreateLowBox(x)+84j ...
		lea	eax, [ebp+var_14]
		push	eax
		call	SeReleaseSubjectContext
		neg	ebx
		pop	edi
		sbb	ebx, ebx
		and	ebx, 3FFFFFDEh
		pop	esi
		lea	eax, [ebx-3FFFFFDEh]
		pop	ebx
		leave
		retn
; 

loc_7DD934:				; CODE XREF: SepCheckCreateLowBox(x)+56j
		test	al, al
		jz	short loc_7DD916
		test	dword ptr [ecx+0B0h], 4000h
		jz	short loc_7DD916
		mov	ecx, [ecx+1E0h]
		mov	edx, esi
		call	_RtlIsParentOfChildAppContainer@8 ; RtlIsParentOfChildAppContainer(x,x)
		movzx	ebx, al
		jmp	short loc_7DD916
; 

loc_7DD956:				; CODE XREF: SepCheckCreateLowBox(x)+3Dj
		mov	ecx, [ebp+var_C]
		jmp	short loc_7DD903
; 

loc_7DD95B:				; CODE XREF: SepCheckCreateLowBox(x)+43j
		mov	al, bl
		jmp	short loc_7DD912
_SepCheckCreateLowBox@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpUnlockHiveList()
_CmpUnlockHiveList@0 proc near		; CODE XREF: CmpUnJoinClassOfTrust(x)+28j
					; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+20Bp	...
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		jmp	ExReleasePushLockEx
_CmpUnlockHiveList@0 endp


;  S U B	R O U T	I N E 


; __stdcall CmpLockHiveListExclusive()
_CmpLockHiveListExclusive@0 proc near	; CODE XREF: CmpUnJoinClassOfTrust(x):loc_432F37p
					; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x):loc_434A1Ap ...
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		jmp	ExAcquirePushLockExclusiveEx
_CmpLockHiveListExclusive@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetJobEnergyTrackingStateCallback(x, x)
_PspSetJobEnergyTrackingStateCallback@8	proc near
					; DATA XREF: PspSetEnergyTrackingStateJobTree(x,x)+2Fo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	eax, [edx]
		mov	[ecx+3A8h], eax
		mov	eax, [edx+4]
		mov	[ecx+3ACh], eax
		xor	eax, eax
		pop	ebp
		retn	8
_PspSetJobEnergyTrackingStateCallback@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpSetWorkerFactoryDeferredCreateTimer proc near
					; CODE XREF: ExpWorkerFactoryCheckCreate+27Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F89C6 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	eax, ebx
		mov	[ebp+var_8], ebx
		push	esi
		push	edi
		sub	eax, 1
		jz	loc_8F89C6
		sub	eax, 1
		jz	short loc_7DDA08
		sub	eax, 1
		jnz	short loc_7DDA18
		mov	edx, _ExpWorkerFactoryDeferredShortTimeout
		mov	esi, dword_6BBA44
		push	1Eh

loc_7DD9CC:				; CODE XREF: ExpSetWorkerFactoryDeferredCreateTimer+7Cj
		pop	edi

loc_7DD9CD:				; CODE XREF: ExpSetWorkerFactoryDeferredCreateTimer+84j
					; ExpSetWorkerFactoryDeferredCreateTimer+11B03Dj
		mov	eax, _ExpWorkerFactoryThreadCreationState
		mov	[ebp+var_4], eax
		cmp	ebx, eax
		jle	short loc_7DDA03

loc_7DD9D9:				; CODE XREF: ExpSetWorkerFactoryDeferredCreateTimer+11B049j
		mov	ecx, ebx
		mov	ebx, offset _ExpWorkerFactoryThreadCreationState
		lock cmpxchg [ebx], ecx
		mov	ebx, [ebp+var_8]
		mov	ecx, eax
		cmp	[ebp+var_4], ecx
		jnz	loc_8F89DC
		push	0
		push	edi
		push	0
		push	esi
		push	edx
		push	offset _ExpWorkerFactoryThreadCreationTimer
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)

loc_7DDA03:				; CODE XREF: ExpSetWorkerFactoryDeferredCreateTimer+3Dj
					; ExpSetWorkerFactoryDeferredCreateTimer+11B04Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7DDA08:				; CODE XREF: ExpSetWorkerFactoryDeferredCreateTimer+1Dj
		mov	edx, _ExpWorkerFactoryDeferredMediumTimeout
		mov	esi, dword_6BBA3C
		push	78h
		jmp	short loc_7DD9CC
; 

loc_7DDA18:				; CODE XREF: ExpSetWorkerFactoryDeferredCreateTimer+22j
		xor	edx, edx
		xor	esi, esi
		xor	edi, edi
		jmp	short loc_7DD9CD
ExpSetWorkerFactoryDeferredCreateTimer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpQueryGpuUtilization proc near	; CODE XREF: PAGE:0077D3A5p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F89EE SIZE 0000000A BYTES

		push	34h
		push	offset dword_6A43A8
		call	__SEH_prolog4_GS
		mov	ebx, ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_3C], eax
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		stosd
		cmp	dword ptr [ebx+10h], 10h
		jb	loc_8F89EE
		and	[ebp+ms_exc.disabled], 0
		test	dl, dl
		jz	short loc_7DDA5B
		push	8
		push	10h
		push	dword ptr [ebx+0Ch]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_7DDA5B:				; CODE XREF: PfpQueryGpuUtilization+2Dj
		mov	esi, [ebx+0Ch]
		lea	edi, [ebp+var_34]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	esi, esi
		inc	esi
		cmp	[ebp+var_34], esi
		jnz	short loc_7DDAD9
		mov	eax, [ebp+var_30]
		mov	[ebp+var_38], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_7DDA94
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_38], eax

loc_7DDA94:				; CODE XREF: PfpQueryGpuUtilization+5Dj
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		lea	eax, [ebp+var_2C]
		push	eax
		push	19h
		call	PsInvokeWin32Callout
		test	eax, eax
		js	short loc_7DDAC7
		mov	[ebp+ms_exc.disabled], esi
		lea	esi, [ebp+var_34]
		mov	edi, [ebx+0Ch]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_3C]
		mov	dword ptr [eax], 10h
		xor	eax, eax

loc_7DDAC7:				; CODE XREF: PfpQueryGpuUtilization+86j
					; PfpQueryGpuUtilization+BEj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7DDAD9:				; CODE XREF: PfpQueryGpuUtilization+52j
		mov	eax, 0C0000059h
		jmp	short loc_7DDAC7
PfpQueryGpuUtilization endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 597. FsRtlMdlWriteCompleteDev

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlMdlWriteCompleteDev(x,	x, x, x)
		public _FsRtlMdlWriteCompleteDev@16
_FsRtlMdlWriteCompleteDev@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	byte ptr [ecx+2Ch], 10h
		jnz	short loc_7DDB05
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		call	CcMdlWriteComplete2
		mov	al, 1

loc_7DDB01:				; CODE XREF: FsRtlMdlWriteCompleteDev(x,x,x,x)+21j
		pop	ebp
		retn	10h
; 

loc_7DDB05:				; CODE XREF: FsRtlMdlWriteCompleteDev(x,x,x,x)+Cj
		xor	al, al
		jmp	short loc_7DDB01
_FsRtlMdlWriteCompleteDev@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2013. RtlCreateHeap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlCreateHeap
RtlCreateHeap	proc near

var_100		= dword	ptr -100h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_B4		= dword	ptr -0B4h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008F8A2B SIZE 00000186 BYTES
; FUNCTION CHUNK AT 008F8BDA SIZE 00000134 BYTES
; FUNCTION CHUNK AT 008F8DDB SIZE 00000384 BYTES

		push	0F0h
		push	offset dword_6A43D0
		call	__SEH_prolog4_GS
		mov	ecx, [ebp+arg_10]
		mov	[ebp+var_50], ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_5C], eax
		mov	[ebp+var_70], eax
		mov	[ebp+var_88], ecx
		mov	esi, [ebp+arg_14]
		xor	ebx, ebx
		mov	[ebp+var_60], ebx
		mov	eax, _NtGlobalFlag
		mov	[ebp+var_64], eax
		push	7
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_B4]
		rep stosd
		push	7
		pop	ecx
		lea	edi, [ebp+var_100]
		rep stosd
		mov	[ebp+var_84], ebx
		mov	[ebp+var_68], ebx
		push	2Ch		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_48]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_4C], ebx
		mov	eax, ebx
		mov	[ebp+var_54], eax
		mov	eax, [ebp+arg_0]
		test	eax, 100h
		jz	loc_8F8A2B
		mov	edi, [ebp+var_5C]
		test	edi, edi
		jz	short loc_7DDC0C
		cmp	[ebp+var_50], ebx
		jnz	short loc_7DDC0C
		test	al, 2
		jnz	short loc_7DDC0C
		mov	edx, [ebp+var_64]
		mov	ecx, eax
		call	_RtlpHpConvertCreationFlags@8 ;	RtlpHpConvertCreationFlags(x,x)
		mov	[ebp+var_74], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_70], eax
		test	eax, eax
		jz	short loc_7DDC04
		mov	ecx, [esi+1Ch]
		test	ecx, ecx
		jz	short loc_7DDC0C
		mov	esi, [esi+20h]
		test	esi, esi
		jz	short loc_7DDC0C
		cmp	ecx, esi
		ja	short loc_7DDC0C

loc_7DDBC1:				; CODE XREF: RtlCreateHeap+FCj
		call	_RtlpHpLegacyGetEnvHandle@0 ; RtlpHpLegacyGetEnvHandle()
		push	edx		; int
		push	eax		; char
		push	[ebp+var_74]	; int
		push	ecx		; int
		push	esi		; int
		mov	edx, [ebp+var_70] ; int
		mov	ecx, edi	; void *
		call	RtlpHpFixedHeapCreate
		mov	esi, eax

loc_7DDBD9:				; CODE XREF: RtlCreateHeap+100j
					; RtlCreateHeap+11B615j
		mov	edx, [ebp+var_50]

loc_7DDBDC:				; CODE XREF: sub_8F8BBE+17j
					; RtlCreateHeap+11B1EBj
		mov	eax, ebx

loc_7DDBDE:				; CODE XREF: RtlCreateHeap+11B1FBj
					; RtlCreateHeap+11B2DEj
		test	eax, eax
		jnz	loc_8F9128

loc_7DDBE6:				; CODE XREF: RtlCreateHeap+11B61Cj
					; RtlCreateHeap+11B628j
		cmp	[ebp+var_4C], 0
		jnz	loc_8F913B

loc_7DDBF0:				; CODE XREF: RtlCreateHeap+11B62Fj
					; RtlCreateHeap+11B64Cj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7DDC04:				; CODE XREF: RtlCreateHeap+9Fj
		mov	ecx, [ebp+arg_C]
		mov	esi, [ebp+arg_8]
		jmp	short loc_7DDBC1
; 

loc_7DDC0C:				; CODE XREF: RtlCreateHeap+7Fj
					; RtlCreateHeap+84j ...
		mov	esi, ebx
		jmp	short loc_7DDBD9
RtlCreateHeap	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeSecureBootQueryInformation proc near	; CODE XREF: PAGE:007817A1p

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F915F SIZE 0000005D BYTES
; FUNCTION CHUNK AT 008F91EC SIZE 00000077 BYTES

		push	1Ch
		push	offset dword_6A43F0
		call	__SEH_prolog4
		mov	edi, ecx
		mov	[ebp+var_28], edi
		xor	esi, esi
		mov	[ebp+var_1C], esi
		mov	ebx, esi
		mov	eax, edi
		sub	eax, 8Fh
		jnz	short loc_7DDC58

loc_7DDC31:				; CODE XREF: SeSecureBootQueryInformation+11B552j
		mov	ecx, dword_6FDDF4
		test	ecx, ecx
		jnz	loc_8F91EC
		mov	ebx, 80430006h

loc_7DDC44:				; CODE XREF: SeSecureBootQueryInformation+7Dj
					; SeSecureBootQueryInformation+84j ...
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7DDC58:				; CODE XREF: SeSecureBootQueryInformation+1Fj
		push	2
		pop	ecx
		sub	eax, ecx
		jnz	loc_8F915F
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		cmp	[ebp+arg_0], ecx
		jb	short loc_7DDC8F
		mov	[ebp+ms_exc.disabled], esi
		mov	al, byte ptr dword_6D710C
		and	al, 1
		mov	[edx], al
		mov	eax, dword_6D710C
		shr	eax, 3
		and	al, 1
		mov	[edx+1], al

loc_7DDC86:				; CODE XREF: SeSecureBootQueryInformation+11B5A7j
					; SeSecureBootQueryInformation+11B627j	...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_7DDC44
; 

loc_7DDC8F:				; CODE XREF: SeSecureBootQueryInformation+5Bj
					; SeSecureBootQueryInformation+11B58Cj	...
		mov	ebx, 0C0000004h
		jmp	short loc_7DDC44
SeSecureBootQueryInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpAllocateTraceBufferPool proc near	; CODE XREF: EtwpStartLogger+666p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F927E SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	EtwpQueryUsedProcessorCount
		mov	ebx, eax
		mov	ecx, edi
		mov	[ebp+var_4], ebx
		call	_EtwpGetSystemMaximumBufferCount@4 ; EtwpGetSystemMaximumBufferCount(x)
		lea	ecx, [ebx+ebx]
		mov	edx, eax
		mov	ebx, [edi+0Ch]
		test	ebx, 4000000h
		jnz	loc_8F927E

loc_7DDCC6:				; CODE XREF: EtwpAllocateTraceBufferPool+11B5EBj
		cmp	edx, ecx
		jb	loc_8F9286

loc_7DDCCE:				; CODE XREF: EtwpAllocateTraceBufferPool+11B5F2j
		mov	eax, [edi+0A4h]
		cmp	eax, ecx
		jbe	short loc_7DDD38

loc_7DDCD8:				; CODE XREF: EtwpAllocateTraceBufferPool+A4j
		cmp	eax, edx
		jnb	loc_8F928D

loc_7DDCE0:				; CODE XREF: EtwpAllocateTraceBufferPool+11B5F9j
		mov	esi, [edi+98h]
		mov	[edi+0A4h], eax
		cmp	esi, ecx
		jbe	short loc_7DDD34

loc_7DDCF0:				; CODE XREF: EtwpAllocateTraceBufferPool+A0j
		cmp	esi, edx
		jnb	short loc_7DDD46

loc_7DDCF4:				; CODE XREF: EtwpAllocateTraceBufferPool+B2j
		mov	[edi+98h], esi
		cmp	esi, eax
		ja	loc_8F9294

loc_7DDD02:				; CODE XREF: EtwpAllocateTraceBufferPool+11B606j
		test	ebx, 400h
		jnz	short loc_7DDD3C

loc_7DDD0A:				; CODE XREF: EtwpAllocateTraceBufferPool+AEj
		test	ebx, 40000h
		jnz	short loc_7DDD2D
		mov	ecx, [edi+88h]
		test	ecx, ecx
		jnz	loc_8F92A1

loc_7DDD20:				; CODE XREF: EtwpAllocateTraceBufferPool+11B611j
					; EtwpAllocateTraceBufferPool+11B61Dj
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpAllocateFreeBuffers@8 ; EtwpAllocateFreeBuffers(x,x)
		cmp	eax, esi
		jb	short loc_7DDD4A

loc_7DDD2D:				; CODE XREF: EtwpAllocateTraceBufferPool+7Aj
		xor	eax, eax

loc_7DDD2F:				; CODE XREF: EtwpAllocateTraceBufferPool+B9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7DDD34:				; CODE XREF: EtwpAllocateTraceBufferPool+58j
		mov	esi, ecx
		jmp	short loc_7DDCF0
; 

loc_7DDD38:				; CODE XREF: EtwpAllocateTraceBufferPool+40j
		mov	eax, ecx
		jmp	short loc_7DDCD8
; 

loc_7DDD3C:				; CODE XREF: EtwpAllocateTraceBufferPool+72j
		mov	eax, esi
		mov	[edi+0A4h], eax
		jmp	short loc_7DDD0A
; 

loc_7DDD46:				; CODE XREF: EtwpAllocateTraceBufferPool+5Cj
		mov	esi, edx
		jmp	short loc_7DDCF4
; 

loc_7DDD4A:				; CODE XREF: EtwpAllocateTraceBufferPool+95j
		mov	eax, 0C0000017h
		jmp	short loc_7DDD2F
EtwpAllocateTraceBufferPool endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetSystemMaximumBufferCount(x)
_EtwpGetSystemMaximumBufferCount@4 proc	near ; CODE XREF: EtwpAllocateTraceBufferPool+17p
					; EtwpUpdateTrace+89036p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		xor	edx, edx
		push	esi
		push	edi
		cmp	dword ptr [ebx+0E0h], 1
		jnz	short loc_7DDDA8
		mov	edi, ds:_MmSizeOfPagedPoolInBytes

loc_7DDD6F:				; CODE XREF: EtwpGetSystemMaximumBufferCount(x)+73j
					; EtwpGetSystemMaximumBufferCount(x)+77j ...
		test	byte ptr [ebx+258h], 2
		jnz	short loc_7DDDD1

loc_7DDD78:				; CODE XREF: EtwpGetSystemMaximumBufferCount(x)+87j
					; EtwpGetSystemMaximumBufferCount(x)+8Ej
		mov	eax, edx
		mul	ds:_EtwpMaxNonPagedPoolUsage
		push	0
		mov	esi, eax
		mov	eax, edi
		mul	ds:_EtwpMaxNonPagedPoolUsage
		push	64h
		add	esi, edx
		push	esi

loc_7DDD91:				; CODE XREF: EtwpGetSystemMaximumBufferCount(x)+A4j
		push	eax
		call	__aulldiv
		push	0
		push	dword ptr [ebx+4]
		push	edx
		push	eax
		call	__aulldiv
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7DDDA8:				; CODE XREF: EtwpGetSystemMaximumBufferCount(x)+15j
		mov	eax, dword_6D3018
		mov	eax, [eax]
		mov	edi, [eax+0F48h]
		shld	edx, edi, 0Ch
		shl	edi, 0Ch
		call	_MmGetMaximumNonPagedPoolInBytes@0 ; MmGetMaximumNonPagedPoolInBytes()
		test	edx, edx
		ja	short loc_7DDDCB
		jb	short loc_7DDD6F
		cmp	edi, eax
		jb	short loc_7DDD6F

loc_7DDDCB:				; CODE XREF: EtwpGetSystemMaximumBufferCount(x)+71j
		mov	edi, eax
		xor	edx, edx
		jmp	short loc_7DDD6F
; 

loc_7DDDD1:				; CODE XREF: EtwpGetSystemMaximumBufferCount(x)+24j
		mov	eax, [ebx+0Ch]
		test	eax, 2000000h
		jz	short loc_7DDD78
		test	eax, 400h
		jz	short loc_7DDD78
		push	32h
		pop	esi
		mov	eax, edx
		mul	esi
		push	0
		mov	ecx, eax
		mov	eax, edi
		mul	esi
		push	64h
		add	ecx, edx
		push	ecx
		jmp	short loc_7DDD91
_EtwpGetSystemMaximumBufferCount@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void *__stdcall MIDL_user_allocate(size_t)
_MIDL_user_allocate@4 proc near		; DATA XREF: .text:004016DCo
					; PAGE:00A400C9w

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	6370726Bh
		push	[ebp+arg_0]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	4
_MIDL_user_allocate@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1444. MmMapViewInSystemSpace

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMapViewInSystemSpace(x, x, x)
		public _MmMapViewInSystemSpace@12
_MmMapViewInSystemSpace@12 proc	near	; CODE XREF: LdrpMapResourceFile+15Dp
					; KsepSdbMapToMemory+167p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	eax
		push	eax
		mov	[ebp+var_C], eax
		mov	edx, offset unk_6CF5A4
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	MiMapViewInSystemSpace
		leave
		retn	0Ch
_MmMapViewInSystemSpace@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRmAddLogonSessionInfoWrkr(x, x)
_SepRmAddLogonSessionInfoWrkr@8	proc near ; DATA XREF: PAGE:00A40D0Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		lea	ecx, [ecx+1Ch]
		call	SepUpdateLogonSessionTrack
		mov	ecx, [ebp+arg_4]
		mov	[ecx+18h], eax
		pop	ebp
		retn	8
_SepRmAddLogonSessionInfoWrkr@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepUpdateLogonSessionTrack proc	near	; CODE XREF: SepRmAddLogonSessionInfoWrkr(x,x)+Bp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F92B8 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	edi, edi
		imul	esi, [ebx], 5B250A24h
		shr	esi, 1Ch
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, esi
		and	eax, 3
		imul	eax, 38h
		push	1
		lea	eax, _SepRmDbLock[eax]
		push	eax
		mov	[ebp+var_4], eax
		call	ExAcquireResourceExclusiveLite
		mov	eax, ds:_SepLogonSessions
		mov	esi, [eax+esi*4]
		test	esi, esi
		jz	loc_7DDF9D
		mov	ecx, [ebx]

loc_7DDEAD:				; CODE XREF: SepUpdateLogonSessionTrack+139j
		cmp	ecx, [esi+4]
		jnz	loc_7DDF93
		mov	eax, [ebx+4]
		cmp	eax, [esi+8]
		jnz	loc_7DDF93
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_7DDED6
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+28h], edi
		mov	[esi+30h], edi

loc_7DDED6:				; CODE XREF: SepUpdateLogonSessionTrack+69j
		movzx	ecx, word ptr [ebx+8]
		movzx	eax, word ptr [ebx+10h]
		add	ecx, 5
		and	ecx, 0FFFFFFFCh
		add	eax, 2
		push	734C6553h
		add	eax, ecx
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8F92B8
		mov	[esi+28h], ecx
		movzx	eax, word ptr [ebx+8]
		add	eax, 5
		and	eax, 0FFFFFFFCh
		add	eax, ecx
		mov	[esi+30h], eax
		movzx	eax, word ptr [ebx+8]
		push	eax		; size_t
		lea	eax, [ebx+18h]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		movzx	ecx, word ptr [ebx+8]
		add	esp, 0Ch
		mov	[esi+24h], cx
		xor	edx, edx
		lea	eax, [ecx+2]
		shr	ecx, 1
		mov	[esi+26h], ax
		mov	eax, [esi+28h]
		mov	[eax+ecx*2], dx
		movzx	eax, word ptr [ebx+10h]
		push	eax		; size_t
		movzx	eax, word ptr [ebx+8]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	eax, 18h
		add	eax, ebx
		push	eax		; void *
		push	dword ptr [esi+30h] ; void *
		call	_memcpy
		movzx	ecx, word ptr [ebx+10h]
		add	esp, 0Ch
		mov	[esi+2Ch], cx
		lea	eax, [ecx+2]
		shr	ecx, 1
		mov	[esi+2Eh], ax
		xor	edx, edx
		mov	eax, [esi+30h]
		mov	[eax+ecx*2], dx

loc_7DDF78:				; CODE XREF: SepUpdateLogonSessionTrack+144j
					; SepUpdateLogonSessionTrack+11B45Fj
		mov	ecx, [ebp+var_4]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7DDF93:				; CODE XREF: SepUpdateLogonSessionTrack+52j
					; SepUpdateLogonSessionTrack+5Ej
		mov	esi, [esi]
		test	esi, esi
		jnz	loc_7DDEAD

loc_7DDF9D:				; CODE XREF: SepUpdateLogonSessionTrack+47j
		mov	edi, 0C000005Fh
		jmp	short loc_7DDF78
SepUpdateLogonSessionTrack endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1535. NtNotifyChangeDirectoryFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtNotifyChangeDirectoryFile(x, x, x, x, x, x, x, x,	x)
		public _NtNotifyChangeDirectoryFile@36
_NtNotifyChangeDirectoryFile@36	proc near ; DATA XREF: .text:00580F74o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_NtNotifyChangeDirectoryFileEx@40 ; NtNotifyChangeDirectoryFileEx(x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	24h
_NtNotifyChangeDirectoryFile@36	endp ; sp = -28h

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmLoadKey	proc near		; CODE XREF: CmLoadDifferencingKey+7FBp

var_1BC		= dword	ptr -1BCh
var_1B4		= dword	ptr -1B4h
var_1AD		= byte ptr -1ADh
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_138		= dword	ptr -138h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 008F92C2 SIZE 0000015A BYTES
; FUNCTION CHUNK AT 008F942D SIZE 00000531 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1B4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+1C0h+var_1B4], edx
		mov	ebx, ecx
		mov	[esp+1C0h+var_178], ebx
		mov	eax, [ebp+arg_4]
		mov	[esp+1C0h+var_17C], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+1C0h+var_19C], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+1C0h+var_180], eax
		mov	eax, [ebp+arg_14]
		mov	[esp+1C0h+var_16C], eax
		lea	edi, [esp+1C0h+var_150]
		mov	eax, [ebp+arg_1C]
		mov	[esp+1C0h+var_168], eax
		mov	eax, [ebp+arg_20]
		push	6
		mov	[esp+1C4h+var_184], eax
		xor	eax, eax
		pop	ecx
		mov	[esp+1C0h+var_1AC], eax
		mov	byte ptr [esp+1C0h+var_15C], al
		mov	[esp+1C0h+var_1A8], eax
		mov	[esp+1C0h+var_198], eax
		rep stosd
		mov	eax, [ebx+8]
		push	2
		pop	esi
		movzx	eax, word ptr [eax]
		cmp	ax, si
		jb	short loc_7DE06A
		mov	ecx, eax
		shr	ecx, 1
		jz	short loc_7DE06A

loc_7DE058:				; CODE XREF: CmLoadKey+11B2F7j
		mov	edx, [ebx+8]
		mov	eax, [edx+4]
		cmp	word ptr [eax+ecx*2-2],	5Ch
		jz	loc_8F92C2

loc_7DE06A:				; CODE XREF: CmLoadKey+7Aj
					; CmLoadKey+80j ...
		mov	eax, [ebx+8]
		cmp	[eax], si
		jb	loc_8F92D8
		push	62534D43h
		mov	eax, 104h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+1C0h+var_1A4], esi
		test	esi, esi
		jz	loc_8F92E2
		mov	ecx, [ebx+8]
		lea	edx, [esp+1C0h+var_174]
		xor	edi, edi
		mov	[esp+1C0h+var_170], esi
		mov	eax, 104h
		mov	[esp+1C0h+var_174], edi
		mov	word ptr [esp+1C0h+var_174+2], ax
		call	CmpQueryHiveRedirectionFileList
		test	al, al
		jnz	loc_8F92EC

loc_7DE0BE:				; CODE XREF: CmLoadKey+11B31Ej
					; CmLoadKey+11B32Cj
		call	CmpAcquireShutdownRundown
		test	al, al
		jz	loc_8F9307
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		and	eax, 2000h
		mov	esi, eax
		mov	[esp+1C0h+var_190], eax
		neg	esi
		sbb	esi, esi
		and	esi, 3
		test	ebx, 4000h
		jnz	loc_7DE25A

loc_7DE0EE:				; CODE XREF: CmLoadKey+287j
		cmp	[esp+1C0h+var_19C], edi
		jnz	loc_7DE252

loc_7DE0F8:				; CODE XREF: CmLoadKey+27Fj
		xor	ecx, ecx
		mov	edx, 154h
		push	33394D43h
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+1C0h+var_1A0], edi
		test	edi, edi
		jz	loc_8F9318
		push	154h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	byte ptr [esp+1C0h+var_158], 1
		lea	eax, [esp+1C0h+var_15C]
		mov	ecx, ebx
		and	ecx, 4
		mov	dl, 1
		shl	ecx, 6
		push	edi
		push	eax
		push	[esp+1C8h+var_16C]
		mov	eax, ebx
		and	eax, 20h
		or	ecx, eax
		mov	eax, ebx
		add	ecx, ecx
		and	eax, 480h
		or	ecx, eax
		mov	eax, ebx
		add	ecx, ecx
		and	eax, 0FFFFF223h
		or	ecx, eax
		lea	eax, [esp+1CCh+var_1AC]
		push	esi
		mov	esi, [esp+1D0h+var_1B4]
		shl	ecx, 13h
		or	ecx, 1190001h
		push	ecx
		push	eax
		lea	eax, [esp+1D8h+var_158]
		mov	ecx, esi
		push	eax
		call	_CmpCmdHiveOpen@36 ; CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	[esp+1C0h+var_1B4], ebx
		test	ebx, ebx
		js	loc_8F9326
		cmp	[esp+1C0h+var_190], 0
		mov	esi, [esp+1C0h+var_1AC]
		jnz	loc_8F93EA

loc_7DE19E:				; CODE XREF: CmLoadKey+11B498j
		cmp	[ebp+arg_C], 0
		jnz	loc_7DE262

loc_7DE1A8:				; CODE XREF: CmLoadKey+296j
		push	edi
		push	[esp+1C4h+var_15C]
		mov	edx, [esp+1C8h+var_178]
		mov	ecx, esi
		push	[esp+1C8h+var_158]
		push	[esp+1CCh+var_184]
		push	[ebp+arg_18]
		push	[esp+1D4h+var_180]
		push	[esp+1D8h+var_19C]
		push	[esp+1DCh+var_17C]
		push	[ebp+arg_0]
		call	_CmpLoadKeyCommon@44 ; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		xor	esi, esi
		mov	[esp+1C0h+var_1B4], ebx
		test	ebx, ebx
		js	loc_8F9476

loc_7DE1E2:				; CODE XREF: CmLoadKey+11B48Cj
		xor	ebx, ebx

loc_7DE1E4:				; CODE XREF: CmLoadKey+11B40Fj
		mov	[esp+1C0h+var_1B4], ebx

loc_7DE1E8:				; CODE XREF: CmLoadKey+11B37Cj
					; sub_8F941C+Cj
		test	esi, esi
		jnz	loc_8F9489

loc_7DE1F0:				; CODE XREF: CmLoadKey+11B34Bj
					; CmLoadKey+11B4AEj ...
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		push	0
		push	[esp+1C4h+var_1A4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		js	loc_8F94A9
		cmp	dword_6B2348, 5
		jbe	short loc_7DE22C
		push	4000h
		mov	esi, offset dword_6B2348
		push	8
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_8F98BD

loc_7DE22C:				; CODE XREF: CmLoadKey+239j
					; CmLoadKey+11B4DAj ...
		test	edi, edi
		jz	short loc_7DE237
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_7DE237:				; CODE XREF: CmLoadKey+258j
		mov	eax, [esp+1C0h+var_1B4]

loc_7DE23B:				; CODE XREF: CmLoadKey+11B307j
					; CmLoadKey+11B311j ...
		mov	ecx, [esp+1C0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_7DE252:				; CODE XREF: CmLoadKey+11Cj
		or	esi, 4
		jmp	loc_7DE0F8
; 

loc_7DE25A:				; CODE XREF: CmLoadKey+112j
		or	esi, 8
		jmp	loc_7DE0EE
; 

loc_7DE262:				; CODE XREF: CmLoadKey+1CCj
		or	dword ptr [esi+980h], 2000h
		jmp	loc_7DE1A8
CmLoadKey	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpQueryHiveRedirectionFileList	proc near ; CODE XREF: CmLoadKey+DBp
					; CmpInitializeSystemHivesLoad+C1p ...

var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_1FC		= dword	ptr -1FCh
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F995E SIZE 000000D7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 234h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_218], 0
		xor	eax, eax
		and	[ebp+var_214], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_230]
		push	6
		pop	ecx
		rep stosd
		xor	edi, edi
		mov	esi, edx
		mov	[ebp+var_20C], edi
		cmp	_CmStateSeparationEnabled, eax
		jnz	loc_8F995E
		xor	al, al

loc_7DE2BF:				; CODE XREF: CmpQueryHiveRedirectionFileList+11B7BEj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpQueryHiveRedirectionFileList	endp

; 

PiUEventFreeClientRegistrationContext:	; CODE XREF: PiUEventDispatch+65p
					; PiUEventHandleRegistration+121B53p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		test	dl, dl
		jz	short loc_7DE341
		mov	ecx, offset _PiUEventClientRegistrationListLock
		call	ExAcquireFastMutex
		mov	ecx, [esi+8]
		call	ExAcquireFastMutex
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_7DE3BC
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_7DE3BC
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, [esi+4Ch]
		sub	eax, 0
		jnz	short loc_7DE38A
		dec	_PiUEventDevInterfaceClientCount

loc_7DE313:				; CODE XREF: PAGE:007DE395j
					; PAGE:007DE3B7j ...
		push	ebx
		lea	ebx, [esi+40h]
		mov	edi, [ebx]

loc_7DE319:				; CODE XREF: PAGE:008F9A56j
		cmp	edi, ebx
		jnz	loc_8F9A49
		lea	ebx, [esi+38h]
		mov	edi, [ebx]

loc_7DE326:				; CODE XREF: PAGE:008F9A68j
		cmp	edi, ebx
		jnz	loc_8F9A5B
		mov	ecx, [esi+8]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, offset _PiUEventClientRegistrationListLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	ebx

loc_7DE341:				; CODE XREF: PAGE:007DE2D6j
		mov	eax, [esi+4Ch]
		sub	eax, 1
		jz	short loc_7DE39A
		sub	eax, 1
		jz	short loc_7DE39A
		sub	eax, 1
		jz	short loc_7DE39A

loc_7DE353:				; CODE XREF: PAGE:007DE39Fj
					; PAGE:007DE3A6j
		lea	eax, [esi+30h]
		push	eax
		call	_ZwDeleteWnfStateName@4	; ZwDeleteWnfStateName(x)
		lea	eax, [esi+20h]
		push	eax
		call	SeReleaseSubjectContext
		mov	edi, 59706E50h
		push	edi
		push	dword ptr [esi+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	58h
		push	0
		push	esi
		call	_memset
		add	esp, 0Ch
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
; 

loc_7DE38A:				; CODE XREF: PAGE:007DE30Bj
		sub	eax, 1
		jnz	short loc_7DE3A8
		dec	_PiUEventDevHandleClientCount
		jmp	loc_7DE313
; 

loc_7DE39A:				; CODE XREF: PAGE:007DE347j
					; PAGE:007DE34Cj ...
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_7DE353
		call	PiDmObjectRelease
		jmp	short loc_7DE353
; 

loc_7DE3A8:				; CODE XREF: PAGE:007DE38Dj
		sub	eax, 1
		jnz	loc_8F9A35
		dec	_PiUEventDevInstanceClientCount
		jmp	loc_7DE313
; 

loc_7DE3BC:				; CODE XREF: PAGE:007DE2EFj
					; PAGE:007DE2FAj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 1507. NtCompareSigningLevels

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCompareSigningLevels(x, x)
		public _NtCompareSigningLevels@8
_NtCompareSigningLevels@8 proc near	; DATA XREF: .text:005811A4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6BEA40
		test	eax, eax
		jz	short loc_7DE3EE
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax

loc_7DE3DC:				; CODE XREF: NtCompareSigningLevels(x,x)+2Aj
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFBD8h
		add	eax, 0C0000428h
		pop	ebp
		retn	8
; 

loc_7DE3EE:				; CODE XREF: NtCompareSigningLevels(x,x)+Cj
		xor	eax, eax
		jmp	short loc_7DE3DC
_NtCompareSigningLevels@8 endp

; 
		align 8
; Exported entry 1945. RtlAddAtomToAtomTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAddAtomToAtomTable(x, x,	x)
		public _RtlAddAtomToAtomTable@12
_RtlAddAtomToAtomTable@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	RtlAddAtomToAtomTableEx
		pop	ebp
		retn	0Ch
_RtlAddAtomToAtomTable@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopUserCompletion(x, x, x, x, x)
_IopUserCompletion@20 proc near		; DATA XREF: .text:00522D9Ao

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFC0h
		push	eax
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		pop	ebp
		retn	14h
_IopUserCompletion@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspLogAuditTerminateRemoteProcessEvent(x, x)
_PspLogAuditTerminateRemoteProcessEvent@8 proc near ; CODE XREF: NtTerminateProcess+14Ep

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	4
		lea	eax, [ebp+var_28]
		mov	[ebp+var_28], ecx
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		mov	[ebp+var_2C], edx
		xor	edx, edx
		push	edx
		push	offset _KERNEL_AUDIT_API_TERMINATEPROCESS
		push	dword_6BC5D4
		mov	[ebp+var_20], edx
		push	_EtwApiCallsProvRegHandle
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PspLogAuditTerminateRemoteProcessEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlApplyMandatoryDeviceContainerFiltersCallback(x, x, x)
_PiPnpRtlApplyMandatoryDeviceContainerFiltersCallback@12 proc near
					; DATA XREF: PiPnpRtlApplyMandatoryDeviceContainerFilters(x,x,x,x,x)+57o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		push	esi
		lea	esi, [ecx+8]
		mov	edx, [edx+0Ch]
		push	esi
		push	dword ptr [ecx+4]
		mov	ecx, [ecx]
		push	0
		call	_PiPnpRtlApplyMandatoryDeviceFilters@20	; PiPnpRtlApplyMandatoryDeviceFilters(x,x,x,x,x)
		test	eax, eax
		js	short loc_7DE4B6
		mov	ecx, [ebp+arg_8]
		mov	dl, [esi]
		mov	[ecx], dl

loc_7DE4B6:				; CODE XREF: PiPnpRtlApplyMandatoryDeviceContainerFiltersCallback(x,x,x)+21j
		pop	esi
		pop	ebp
		retn	0Ch
_PiPnpRtlApplyMandatoryDeviceContainerFiltersCallback@12 endp

; 
		align 10h
; Exported entry 923. IoQueryVolumeInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoQueryVolumeInformation(x,	x, x, x, x)
		public _IoQueryVolumeInformation@20
_IoQueryVolumeInformation@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	0
		push	[ebp+arg_8]
		call	IopQueryXxxInformation
		pop	ebp
		retn	14h
_IoQueryVolumeInformation@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1484. MmUnmapViewInSessionSpace

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmUnmapViewInSessionSpace(x)
		public _MmUnmapViewInSessionSpace@4
_MmUnmapViewInSessionSpace@4 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
_MmUnmapViewInSessionSpace@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2330. RtlSetConsoleSessionForegroundProcessId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlSetConsoleSessionForegroundProcessId
RtlSetConsoleSessionForegroundProcessId	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F9A6D SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_8F9A6D
		mov	eax, [ebp+arg_0]
		mov	ds:0FFDF0338h, eax
		mov	eax, [ebp+arg_4]
		mov	ds:0FFDF033Ch, eax

loc_7DE518:				; CODE XREF: RtlSetConsoleSessionForegroundProcessId+11B58Ej
		pop	ebp
		retn	8
RtlSetConsoleSessionForegroundProcessId	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpDeleteSymbolicLink(x)
_ObpDeleteSymbolicLink@4 proc near	; DATA XREF: ObInitSystem+304o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+14h], 10h
		jnz	short loc_7DE53A
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_7DE53A
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7DE53A:				; CODE XREF: ObpDeleteSymbolicLink(x)+Dj
					; ObpDeleteSymbolicLink(x)+14j
		and	dword ptr [esi+0Ch], 0
		pop	esi
		pop	ebp
		retn	4
_ObpDeleteSymbolicLink@4 endp

; 
		align 8
; Exported entry 1752. PsChargeProcessWakeCounter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsChargeProcessWakeCounter(x, x, x,	x)
		public _PsChargeProcessWakeCounter@16
_PsChargeProcessWakeCounter@16 proc near ; CODE	XREF: EtwpQueueNotification+12Fp
					; AlpcpCompleteDispatchMessage+D6p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	_PsGetProcessInheritedFromUniqueProcessId@4 ; PsGetProcessInheritedFromUniqueProcessId(x)
		test	eax, eax
		jz	short loc_7DE574
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	1
		push	1
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_PspChargeProcessWakeCounter@28	; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)

loc_7DE570:				; CODE XREF: PsChargeProcessWakeCounter(x,x,x,x)+2Ej
		pop	ebp
		retn	10h
; 

loc_7DE574:				; CODE XREF: PsChargeProcessWakeCounter(x,x,x,x)+Fj
		xor	eax, eax
		jmp	short loc_7DE570
_PsChargeProcessWakeCounter@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetJobBackgroundCountCallback(x,	x)
_PspSetJobBackgroundCountCallback@8 proc near ;	DATA XREF: PspSetBackgroundJobTree+4Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	edx, [ecx+198h]
		cmp	byte ptr [eax],	0
		lea	eax, [edx+1]
		jnz	short loc_7DE594
		lea	eax, [edx-1]

loc_7DE594:				; CODE XREF: PspSetJobBackgroundCountCallback(x,x)+17j
		mov	[ecx+198h], eax
		xor	eax, eax
		pop	ebp
		retn	8
_PspSetJobBackgroundCountCallback@8 endp


;  S U B	R O U T	I N E 


MiCreateRotateView proc	near		; CODE XREF: MiDeletePartialVad+DD369p
					; MiReserveUserMemory+4A9p

; FUNCTION CHUNK AT 008F9A89 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	0
		push	40h
		push	28h
		mov	ebx, ecx
		mov	edx, 77776D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7DE60E
		xor	ecx, ecx
		call	_MiGetInPageSupportBlock@4 ; MiGetInPageSupportBlock(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7DE606
		mov	eax, large fs:124h
		push	130h
		mov	eax, [eax+80h]
		push	eax
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		push	0
		test	eax, eax
		js	loc_8F9A89
		mov	edx, esi
		mov	dword ptr [esi+24h], 8
		mov	ecx, ebx
		mov	[esi+4], edi
		call	_MiInsertVadEvent@12 ; MiInsertVadEvent(x,x,x)
		xor	eax, eax
		inc	eax

loc_7DE602:				; CODE XREF: MiCreateRotateView+70j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7DE606:				; CODE XREF: MiCreateRotateView+29j
		push	0
		push	esi

loc_7DE609:				; CODE XREF: MiCreateRotateView+11B4F2j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7DE60E:				; CODE XREF: MiCreateRotateView+1Cj
		xor	eax, eax
		jmp	short loc_7DE602
MiCreateRotateView endp

; 
		align 8
; Exported entry 487. FsRtlCancellableWaitForSingleObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlCancellableWaitForSingleObject(x, x, x)
		public _FsRtlCancellableWaitForSingleObject@12
_FsRtlCancellableWaitForSingleObject@12	proc near
					; CODE XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)+1E1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		lea	eax, [ebp+arg_0]
		push	0
		push	[ebp+arg_4]
		push	0
		push	eax
		push	1
		call	FsRtlCancellableWaitForMultipleObjects
		pop	ebp
		retn	0Ch
_FsRtlCancellableWaitForSingleObject@12	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1411. MmGetPhysicalMemoryRangesEx2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmGetPhysicalMemoryRangesEx2
MmGetPhysicalMemoryRangesEx2 proc near	; CODE XREF: PfpMemoryRangesQuery+51p
					; MmGetPhysicalMemoryRanges()+7p ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F9A97 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	[ebp+arg_4], 0FFFFFFFCh
		push	esi
		push	edi
		mov	[ebp+var_1], 0
		jnz	short loc_7DE68B
		test	byte ptr [ebp+arg_4], 2
		mov	ecx, [ebp+arg_0]
		jnz	loc_8F9A97

loc_7DE65E:				; CODE XREF: MmGetPhysicalMemoryRangesEx2+11B463j
		lea	eax, [ebp-1]
		push	eax
		call	MiPartitionObjectToPartition
		mov	esi, eax
		test	esi, esi
		jz	short loc_7DE68B
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		call	MiGetPhysicalMemoryRanges
		cmp	[ebp+var_1], 0
		mov	edi, eax
		jnz	loc_8F9AA4

loc_7DE683:				; CODE XREF: MmGetPhysicalMemoryRangesEx2+11B470j
		mov	eax, edi

loc_7DE685:				; CODE XREF: MmGetPhysicalMemoryRangesEx2+51j
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_7DE68B:				; CODE XREF: MmGetPhysicalMemoryRangesEx2+13j
					; MmGetPhysicalMemoryRangesEx2+2Fj ...
		xor	eax, eax
		jmp	short loc_7DE685
MmGetPhysicalMemoryRangesEx2 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetPhysicalMemoryRanges proc near	; CODE XREF: MmGetPhysicalMemoryRangesEx2+36p

var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F9AB1 SIZE 0000009B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	[esp+14h+var_11], 0
		push	ebx
		mov	ebx, large fs:124h
		mov	[esp+18h+var_8], ebx
		push	esi
		mov	esi, ecx
		mov	[esp+1Ch+var_C], esi
		push	edi
		mov	edi, offset _MiSystemPartition
		test	dl, 1
		jnz	loc_8F9AB1
		cmp	esi, edi
		jnz	loc_8F9AB1

loc_7DE6CA:				; CODE XREF: MiGetPhysicalMemoryRanges+11B42Fj
					; MiGetPhysicalMemoryRanges+11B43Dj ...
		xor	edx, edx
		mov	ecx, esi
		call	MiReferencePageRuns
		mov	[esp+20h+var_10], eax
		test	eax, eax
		jz	loc_8F9B37
		mov	edi, [esi+0F48h]
		mov	eax, [eax]
		neg	edi
		sbb	edi, edi
		and	edi, eax

loc_7DE6ED:				; CODE XREF: MiGetPhysicalMemoryRanges+11B4A9j
		push	0
		lea	ecx, [edi+1]
		mov	edx, 68506D4Dh
		shl	ecx, 4
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[esp+20h+var_4], eax
		test	eax, eax
		jz	short loc_7DE74F
		mov	ecx, eax
		test	edi, edi
		jz	short loc_7DE742
		mov	ebx, [esp+20h+var_10]
		mov	esi, 1000h
		add	ebx, 0Ch

loc_7DE71B:				; CODE XREF: MiGetPhysicalMemoryRanges+A8j
		mov	eax, [ebx-4]
		mul	esi
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	eax, [ebx]
		lea	ebx, [ebx+8]
		mul	esi
		mov	[ecx+8], eax
		mov	[ecx+0Ch], edx
		add	ecx, 10h
		sub	edi, 1
		jnz	short loc_7DE71B
		mov	esi, [esp+20h+var_C]
		mov	ebx, [esp+20h+var_8]

loc_7DE742:				; CODE XREF: MiGetPhysicalMemoryRanges+7Dj
		xor	eax, eax
		mov	[ecx], eax
		mov	[ecx+4], eax
		mov	[ecx+8], eax
		mov	[ecx+0Ch], eax

loc_7DE74F:				; CODE XREF: MiGetPhysicalMemoryRanges+77j
		cmp	[esp+20h+var_11], 0
		jnz	loc_8F9B3E

loc_7DE75A:				; CODE XREF: MiGetPhysicalMemoryRanges+11B4B7j
		mov	eax, [esp+20h+var_10]
		test	eax, eax
		jz	short loc_7DE769
		mov	ecx, eax
		call	_MiDereferencePageRuns@4 ; MiDereferencePageRuns(x)

loc_7DE769:				; CODE XREF: MiGetPhysicalMemoryRanges+D0j
		mov	eax, [esp+20h+var_4]

loc_7DE76D:				; CODE XREF: MiGetPhysicalMemoryRanges+11B48Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
MiGetPhysicalMemoryRanges endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1890. PsResumeProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsResumeProcess
PsResumeProcess	proc near		; CODE XREF: NtResumeProcess(x)+50p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F9B4C SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	[ebp+var_4], esi
		dec	word ptr [esi+13Ch]
		nop
		mov	ebx, [ebp+arg_0]
		lea	ecx, [ebx+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		cmp	al, 1
		jnz	short loc_7DE7F7
		xor	edi, edi
		push	edi

loc_7DE7AA:				; CODE XREF: PsResumeProcess+4Dj
		push	ebx
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7DE7C9
		test	dword ptr [esi+58h], 200000h
		jnz	short loc_7DE7C6
		mov	ecx, esi
		call	_KeResumeThread@4 ; KeResumeThread(x)

loc_7DE7C6:				; CODE XREF: PsResumeProcess+43j
		push	esi
		jmp	short loc_7DE7AA
; 

loc_7DE7C9:				; CODE XREF: PsResumeProcess+3Aj
		lea	ecx, [ebx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	esi, [ebp+var_4]

loc_7DE7D7:				; CODE XREF: PsResumeProcess+82j
		mov	ecx, esi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	dword ptr [ebx+3A8h], 80000h
		jnz	loc_8F9B4C

loc_7DE7EE:				; CODE XREF: PsResumeProcess+11B3DEj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7DE7F7:				; CODE XREF: PsResumeProcess+2Bj
		mov	edi, 0C000010Ah
		jmp	short loc_7DE7D7
PsResumeProcess	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRemoveFromSecurityCache(x, x)
_CmpRemoveFromSecurityCache@8 proc near	; CODE XREF: CmpRemoveSecurityCellList(x,x)+97p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		mov	esi, ecx
		call	_CmpFindSecurityCellCacheIndex@12 ; CmpFindSecurityCellCacheIndex(x,x,x)
		test	al, al
		jz	short loc_7DE876
		mov	eax, [esi+4CCh]
		push	ebx
		push	edi
		mov	edi, [ebp+var_4]
		mov	edx, [eax+edi*8+4]
		lea	eax, [edx+8]
		mov	ebx, [eax]
		cmp	[ebx+4], eax
		jnz	short loc_7DE879
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_7DE879
		mov	[ecx], ebx
		mov	[ebx+4], ecx
		mov	eax, [edx+10h]
		add	eax, 18h
		push	eax
		push	edx
		call	dword ptr [esi+10h]
		mov	eax, [esi+4CCh]
		lea	ecx, [eax+edi*8]
		mov	eax, [esi+4C0h]
		sub	eax, edi
		lea	eax, ds:0FFFFFFF8h[eax*8]
		push	eax		; size_t
		lea	eax, [ecx+8]
		push	eax		; void *
		push	ecx		; void *
		call	_memmove
		add	esp, 0Ch
		dec	dword ptr [esi+4C0h]
		pop	edi
		pop	ebx

loc_7DE876:				; CODE XREF: CmpRemoveFromSecurityCache(x,x)+18j
		pop	esi
		leave
		retn
; 

loc_7DE879:				; CODE XREF: CmpRemoveFromSecurityCache(x,x)+31j
					; CmpRemoveFromSecurityCache(x,x)+38j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmpRemoveFromSecurityCache@8 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall HvGetCurrentLogFileSizePointer(x)
_HvGetCurrentLogFileSizePointer@4 proc near ; CODE XREF: HvWriteLogFile+58p
		mov	eax, [ecx+68h]
		sub	eax, 1
		jz	short loc_7DE88B
		sub	eax, 3
		jnz	short loc_7DE892

loc_7DE88B:				; CODE XREF: HvGetCurrentLogFileSizePointer(x)+6j
		lea	eax, [ecx+498h]
		retn
; 

loc_7DE892:				; CODE XREF: HvGetCurrentLogFileSizePointer(x)+Bj
		sub	eax, 1
		jnz	short loc_7DE89E
		lea	eax, [ecx+4A0h]
		retn
; 

loc_7DE89E:				; CODE XREF: HvGetCurrentLogFileSizePointer(x)+17j
		xor	eax, eax
		retn
_HvGetCurrentLogFileSizePointer@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


CmpTryToLockKcbExclusive proc near	; CODE XREF: CmpCreateKeyControlBlock+5C2p
					; CmpInitializePreloadedHive+3AFp

; FUNCTION CHUNK AT 008F9B5D SIZE 00000014 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		inc	ebx
		xor	edx, edx
		push	ebx
		lea	esi, [edi+18h]
		mov	ecx, esi
		call	KeAbPreAcquire
		lock bts dword ptr [esi], 0
		jb	loc_8F9B5D
		test	eax, eax
		jz	short loc_7DE8CB
		or	[eax+0Eh], bl

loc_7DE8CB:				; CODE XREF: CmpTryToLockKcbExclusive+24j
		mov	eax, large fs:124h
		mov	[edi+1Ch], eax

loc_7DE8D4:				; CODE XREF: CmpTryToLockKcbExclusive+11B2CAj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
CmpTryToLockKcbExclusive endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpSetValueDataExisting	proc near	; CODE XREF: CmpSetValueKeyExisting+25Fp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F9B71 SIZE 00000103 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		or	[ebp+var_24], 0FFFFFFFFh
		lea	eax, [ebp+var_2C]
		or	[ebp+var_2C], 0FFFFFFFFh
		or	[ebp+var_1C], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		push	eax
		push	[ebp+arg_8]
		mov	esi, ecx
		mov	[ebp+var_10], edx
		xor	edi, edi
		push	esi
		mov	[ebp+var_20], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_18], edi
		call	dword ptr [esi+4]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_8F9B71
		mov	eax, [eax+4]
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8F9B7B
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		add	eax, 3FD7h
		mov	ecx, 3FD8h
		div	ecx
		movzx	ecx, ax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_8], ecx
		movzx	eax, word ptr [eax+2]
		cmp	cx, ax
		ja	loc_8F9B85
		jb	loc_8F9C10

loc_7DE95A:				; CODE XREF: CmpSetValueDataExisting+11B2EFj
					; CmpSetValueDataExisting+11B324j ...
		xor	edx, edx
		mov	eax, edi
		cmp	dx, cx

loc_7DE961:				; CODE XREF: CmpSetValueDataExisting+D7j
		mov	[ebp+arg_8], eax
		jnb	short loc_7DE9B3
		movzx	eax, ax
		lea	ecx, [ebp+var_24]
		push	ecx
		mov	eax, [ebx+eax*4]
		push	eax
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_7DE9D7
		mov	ecx, [ebp+arg_0]
		mov	edx, 3FD8h
		cmp	ecx, edx
		jbe	short loc_7DE987
		mov	ecx, edx

loc_7DE987:				; CODE XREF: CmpSetValueDataExisting+A9j
		push	ecx		; size_t
		push	[ebp+var_10]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	ecx, [ebp+var_8]
		mov	eax, 3FD8h
		add	[ebp+var_10], eax
		sub	[ebp+arg_0], eax
		mov	eax, [ebp+arg_8]
		inc	eax
		cmp	ax, cx
		jmp	short loc_7DE961
; 

loc_7DE9B3:				; CODE XREF: CmpSetValueDataExisting+8Aj
		mov	eax, [ebp+var_C]
		mov	[eax+2], cx

loc_7DE9BA:				; CODE XREF: CmpSetValueDataExisting+102j
					; CmpSetValueDataExisting+11B331j
		test	ebx, ebx
		jz	short loc_7DE9C6
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_7DE9C6:				; CODE XREF: CmpSetValueDataExisting+E2j
					; CmpSetValueDataExisting+11B2A6j
		lea	eax, [ebp+var_2C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, edi

loc_7DE9D0:				; CODE XREF: CmpSetValueDataExisting+11B29Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7DE9D7:				; CODE XREF: CmpSetValueDataExisting+9Dj
					; CmpSetValueDataExisting+11B312j
		mov	edi, 0C000009Ah
		jmp	short loc_7DE9BA
CmpSetValueDataExisting	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoQueryLowPriorityIoInformation	proc near ; CODE XREF: PAGE:00780E2Fp

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	0Ch
		push	offset dword_6A4450
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	esi, [ebp+arg_4]
		mov	[esi], ecx
		cmp	[ebp+arg_0], 28h
		jb	short loc_7DEA6A
		mov	[ebp+ms_exc.disabled], ecx
		mov	eax, _IoLowPriorityReadOperationCount
		mov	[edx], eax
		mov	eax, _IoLowPriorityWriteOperationCount
		mov	[edx+4], eax
		mov	eax, _IoKernelIssuedIoBoostedCount
		mov	[edx+8], eax
		mov	eax, _IoPagingReadLowPriorityCount
		mov	[edx+0Ch], eax
		mov	eax, _IoPagingReadLowPriorityBumpedCount
		mov	[edx+10h], eax
		mov	eax, _IoPagingWriteLowPriorityCount
		mov	[edx+14h], eax
		mov	eax, _IoPagingWriteLowPriorityBumpedCount
		mov	[edx+18h], eax
		mov	eax, _IoBoostedThreadedIrpCount
		mov	[edx+1Ch], eax
		mov	eax, _IoBoostedPagingIrpCount
		mov	[edx+20h], eax
		mov	eax, _IoBlanketBoostCount
		mov	[edx+24h], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7DEA50:				; CODE XREF: IoQueryLowPriorityIoInformation+91j
		mov	dword ptr [esi], 28h
		mov	eax, ecx

loc_7DEA58:				; CODE XREF: sub_8F9C82+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7DEA6A:				; CODE XREF: IoQueryLowPriorityIoInformation+17j
		mov	ecx, 0C0000023h
		jmp	short loc_7DEA50
IoQueryLowPriorityIoInformation	endp

; 
		align 2

;  S U B	R O U T	I N E 


PspSetProcessSchedulingGroup proc near	; CODE XREF: PspApplyJobChainLimitsToProcess(x,x,x)+8Dp
					; PspApplyJobChainLimitsToProcess(x,x,x)+B1p ...

; FUNCTION CHUNK AT 008F9C94 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	ebx, [esi+0FCh]
		nop
		and	ebx, 8
		jnz	short loc_7DEAA1

loc_7DEA87:				; CODE XREF: PspSetProcessSchedulingGroup+33j
		call	_KeSetProcessSchedulingGroup@8 ; KeSetProcessSchedulingGroup(x,x)

loc_7DEA8C:				; CODE XREF: PspSetProcessSchedulingGroup+31j
		mov	eax, [esi+0FCh]
		and	eax, 8
		cmp	ebx, eax
		jnz	loc_8F9C94

loc_7DEA9D:				; CODE XREF: PspSetProcessSchedulingGroup+11B224j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7DEAA1:				; CODE XREF: PspSetProcessSchedulingGroup+13j
		test	edi, edi
		jnz	short loc_7DEA8C
		jmp	short loc_7DEA87
PspSetProcessSchedulingGroup endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 918. IoQueryFileInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoQueryFileInformation(x, x, x, x, x)
		public _IoQueryFileInformation@20
_IoQueryFileInformation@20 proc	near	; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+160Ap
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+16BBp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	0
		push	[ebp+arg_8]
		call	IopQueryXxxInformation
		pop	ebp
		retn	14h
_IoQueryFileInformation@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RawQueryFsAttributeInfo(x, x, x)
_RawQueryFsAttributeInfo@12 proc near	; CODE XREF: RawQueryVolumeInformation+6Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	esi, [ecx]
		cmp	esi, 12h
		jb	short loc_7DEB0A
		and	dword ptr [edx], 0
		and	dword ptr [edx+4], 0
		mov	dword ptr [edx+8], 6
		mov	eax, ds:??_C@_17BPAADKPP@?$AAR?$AAA?$AAW@NNGAKEGL@
		mov	[edx+0Ch], eax
		mov	ax, ds:word_8BE8C6
		mov	[edx+10h], ax
		lea	eax, [esi-12h]
		mov	[ecx], eax
		xor	eax, eax

loc_7DEB05:				; CODE XREF: RawQueryFsAttributeInfo(x,x,x)+41j
		pop	esi
		pop	ebp
		retn	4
; 

loc_7DEB0A:				; CODE XREF: RawQueryFsAttributeInfo(x,x,x)+Ej
		mov	eax, 80000005h
		jmp	short loc_7DEB05
_RawQueryFsAttributeInfo@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry  16.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpGetSystemPdoList(x, x)
		public _PnpGetSystemPdoList@8
_PnpGetSystemPdoList@8 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	edi
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_7DEB6B
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_7DEB72
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]

loc_7DEB35:				; CODE XREF: PnpGetSystemPdoList(x,x)+62j
		push	ebx
		push	esi
		lea	eax, [ebp+var_8]
		xor	esi, esi
		push	eax
		mov	edx, offset _PiPnpPdoDeviceListEnumCallback@8 ;	PiPnpPdoDeviceListEnumCallback(x,x)
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		call	_PipForDeviceNodeSubtree@12 ; PipForDeviceNodeSubtree(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7DEB7A
		mov	ecx, [ebp+var_4]
		mov	[edi], ecx
		mov	[ebp+var_4], esi

loc_7DEB5B:				; CODE XREF: PnpGetSystemPdoList(x,x)+67j
		mov	ecx, esi
		call	_PiPnpFreePdoDeviceList@4 ; PiPnpFreePdoDeviceList(x)
		pop	esi
		mov	eax, ebx
		pop	ebx

loc_7DEB66:				; CODE XREF: PnpGetSystemPdoList(x,x)+5Aj
		pop	edi
		leave
		retn	8
; 

loc_7DEB6B:				; CODE XREF: PnpGetSystemPdoList(x,x)+Dj
		mov	eax, 0C000000Dh
		jmp	short loc_7DEB66
; 

loc_7DEB72:				; CODE XREF: PnpGetSystemPdoList(x,x)+14j
		mov	ecx, _IopRootDeviceNode
		jmp	short loc_7DEB35
; 

loc_7DEB7A:				; CODE XREF: PnpGetSystemPdoList(x,x)+3Bj
		mov	esi, [ebp+var_4]
		jmp	short loc_7DEB5B
_PnpGetSystemPdoList@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry  13.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpFreeSystemPdoList(x)
		public _PnpFreeSystemPdoList@4
_PnpFreeSystemPdoList@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_PiPnpFreePdoDeviceList@4 ; PiPnpFreePdoDeviceList(x)
		pop	ebp
		retn	4
_PnpFreeSystemPdoList@4	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PiPnpFreePdoDeviceList(x)
_PiPnpFreePdoDeviceList@4 proc near	; CODE XREF: PnpGetSystemPdoList(x,x)+47p
					; PnpFreeSystemPdoList(x)+8p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_7DEBC3
		push	edi
		xor	edi, edi
		cmp	[esi], edi
		jbe	short loc_7DEBBA
		push	ebx
		lea	ebx, [esi+4]

loc_7DEBAA:				; CODE XREF: PiPnpFreePdoDeviceList(x)+21j
		mov	ecx, [ebx]
		call	ObfDereferenceObject
		inc	edi
		lea	ebx, [ebx+4]
		cmp	edi, [esi]
		jb	short loc_7DEBAA
		pop	ebx

loc_7DEBBA:				; CODE XREF: PiPnpFreePdoDeviceList(x)+Ej
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi

loc_7DEBC3:				; CODE XREF: PiPnpFreePdoDeviceList(x)+7j
		pop	esi
		retn
_PiPnpFreePdoDeviceList@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


MiDereferenceFailedControlArea proc near ; CODE	XREF: MiFinishCreateSection+1FCp
					; MiCreateImageOrDataSection+F7D3Dp ...

; FUNCTION CHUNK AT 008F9CA8 SIZE 00000011 BYTES

		mov	edx, [ecx]
		push	esi
		mov	esi, [ecx+28h]
		mov	ecx, esi
		test	dl, 4
		jz	loc_8F9CA8
		not	edx
		and	edx, 1
		pop	esi
		jmp	_MiDereferenceControlAreaBySection@8 ; MiDereferenceControlAreaBySection(x,x)
MiDereferenceFailedControlArea endp


;  S U B	R O U T	I N E 


; __stdcall HvResetLogFileStatusAll(x)
_HvResetLogFileStatusAll@4 proc	near	; CODE XREF: CmpFlushHive+4F3p
					; HvpPerformLogFileRecovery(x,x,x,x)+3EFp
		mov	byte ptr [ecx+80h], 0
		cmp	dword ptr [ecx+68h], 1
		jz	short locret_7DEBF6
		mov	byte ptr [ecx+81h], 0

locret_7DEBF6:				; CODE XREF: HvResetLogFileStatusAll(x)+Bj
		retn
_HvResetLogFileStatusAll@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 794. IoCreateFileSpecifyDeviceObjectHint

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCreateFileSpecifyDeviceObjectHint(x, x, x, x, x, x, x, x,	x, x, x, x, x, x, x)
		public _IoCreateFileSpecifyDeviceObjectHint@60
_IoCreateFileSpecifyDeviceObjectHint@60	proc near

var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		push	14h
		stosd
		stosd
		stosd
		stosd
		pop	eax
		mov	word ptr [ebp+var_14], ax
		mov	eax, [ebp+arg_38]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+arg_34]
		mov	[ebp+var_4], 1
		push	[ebp+arg_30]
		push	[ebp+arg_2C]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_IoCreateFileEx@60 ; IoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		pop	edi
		leave
		retn	3Ch
_IoCreateFileSpecifyDeviceObjectHint@60	endp

; 
		align 10h
; Exported entry 2517. SeTokenImpersonationLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeTokenImpersonationLevel(x)
		public _SeTokenImpersonationLevel@4
_SeTokenImpersonationLevel@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0ACh]
		pop	ebp
		retn	4
_SeTokenImpersonationLevel@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtRegisterThreadTerminatePort proc near	; DATA XREF: .text:00580D98o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F9CB9 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, large fs:124h
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	0
		push	ecx
		mov	al, [esi+15Ah]
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, ds:_LpcPortObjectType
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7DECD9
		push	70547350h
		push	8
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8F9CB9
		mov	eax, [ebp+var_4]
		mov	[ecx+4], eax
		mov	eax, [esi+29Ch]
		mov	[ecx], eax
		xor	eax, eax
		mov	[esi+29Ch], ecx

loc_7DECD9:				; CODE XREF: NtRegisterThreadTerminatePort+37j
					; NtRegisterThreadTerminatePort+11B054j
		pop	esi
		leave
		retn	4
NtRegisterThreadTerminatePort endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsServiceSession(x)
_PsIsServiceSession@4 proc near		; CODE XREF: PopGetSettingNotificationName+106p
					; PopGetSettingNotificationName+19Bp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_7DED0B
		lea	edx, [ebp+var_4]
		call	_PsGetSiloBySessionId@8	; PsGetSiloBySessionId(x,x)
		test	eax, eax
		js	short loc_7DED0F
		push	[ebp+var_4]
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		cmp	eax, esi
		setz	al

loc_7DED08:				; CODE XREF: PsIsServiceSession(x)+2Fj
					; PsIsServiceSession(x)+33j
		pop	esi
		leave
		retn
; 

loc_7DED0B:				; CODE XREF: PsIsServiceSession(x)+Fj
		mov	al, 1
		jmp	short loc_7DED08
; 

loc_7DED0F:				; CODE XREF: PsIsServiceSession(x)+1Bj
		xor	al, al
		jmp	short loc_7DED08
_PsIsServiceSession@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetJobIoAttributionJobPreCallback proc near ; DATA XREF: PspSetJobIoAttribution+9Fo
					; PspRemoveIoAttribution(x)+3Ao ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008F9CCB SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, [eax+4]
		cmp	edx, ecx
		jnz	loc_8F9CCB

loc_7DED2A:				; CODE XREF: PspSetJobIoAttributionJobPreCallback+11AFC7j
		xor	eax, eax
		pop	ebp
		retn	8
PspSetJobIoAttributionJobPreCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspEnableWakeCounters proc near		; DATA XREF: PspAllocateAndQueryNotificationChannel+2C6o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [edx+244h]
		test	ecx, ecx
		jnz	short loc_7DED5B

loc_7DED42:				; CODE XREF: sub_8F9CE0+3Fj
		add	edx, 310h
		test	dword ptr [edx], 1000h
		jnz	short loc_7DED55
		lock bts dword ptr [edx], 0Ch

loc_7DED55:				; CODE XREF: PspEnableWakeCounters+1Ej
					; PspEnableWakeCounters+35j
		xor	eax, eax
		pop	ebp
		retn	8
; 

loc_7DED5B:				; CODE XREF: PspEnableWakeCounters+10j
		test	dword ptr [ecx+310h], 1000h
		jnz	short loc_7DED55
		jmp	sub_8F9CE0
PspEnableWakeCounters endp


;  S U B	R O U T	I N E 


PspIsSiloInSilo	proc near		; CODE XREF: PsIsProcessInSilo(x,x)+24p
					; PsIsThreadInSilo+C3F57p ...

; FUNCTION CHUNK AT 008F9D24 SIZE 00000013 BYTES

		test	edx, edx
		jnz	short loc_7DED73

loc_7DED70:				; CODE XREF: PspIsSiloInSilo+11AFBAj
		mov	al, 1
		retn
; 

loc_7DED73:				; CODE XREF: PspIsSiloInSilo+2j
					; PspIsSiloInSilo+11AFC6j
		test	ecx, ecx
		jnz	loc_8F9D24
		xor	al, al
		retn
PspIsSiloInSilo	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtInternerFree(x, x)
_PopEtInternerFree@8 proc near		; DATA XREF: PopEtInit+6Co

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	54456F50h
		push	[ebp+arg_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_PopEtInternerFree@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDeallocateApc(x,	x, x, x, x)
_IopDeallocateApc@20 proc near		; DATA XREF: IoRaiseHardError(x,x,x)+A0o
					; IoRaiseInformationalHardError(x,x,x)+10Bo ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	14h
_IopDeallocateApc@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SepImageVerificationCallbackPreProcess(int,int,void *,void *,size_t)
_SepImageVerificationCallbackPreProcess@20 proc	near
					; DATA XREF: SepImageVerificationCallbackWorker(x)+1Ao

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		push	[ebp+arg_10]	; size_t
		mov	edi, [ebp+arg_8]
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [esi+0Ch]
		add	esp, 0Ch
		sub	eax, esi
		add	eax, edi
		mov	[edi+0Ch], eax
		mov	eax, [esi+1Ch]
		sub	eax, esi
		add	eax, edi
		mov	[edi+1Ch], eax
		mov	eax, [esi+24h]
		sub	eax, esi
		add	eax, edi
		mov	[edi+24h], eax
		mov	eax, [esi+28h]
		sub	eax, esi
		add	eax, edi
		mov	[edi+28h], eax
		mov	eax, [esi+2Ch]
		sub	eax, esi
		add	eax, edi
		mov	[edi+2Ch], eax
		pop	edi
		pop	esi
		pop	ebp
		retn	14h
_SepImageVerificationCallbackPreProcess@20 endp


;  S U B	R O U T	I N E 


; __stdcall SshpReferenceBlocker(x)
_SshpReferenceBlocker@4	proc near	; CODE XREF: SleepstudyHelperSetBlockerParentHandle(x,x)+21p
		mov	eax, [ecx+11Ch]
		add	eax, 40h
		lock inc dword ptr [eax]
		retn
_SshpReferenceBlocker@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpConstructNameFromKcbNameBlocks proc near ; CODE XREF: CmpConstructNameWithStatus+D2p
					; CmpLogTransactionAbortedWithChildName+1189FFp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F9D37 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	[ebp+var_14], edx
		mov	esi, ecx
		call	_CmpKeyFullNameLength@4	; CmpKeyFullNameLength(x)
		mov	[ebp+var_4], eax
		cmp	eax, 0FFFFh
		ja	loc_8F9D37
		push	edi
		lea	ebx, [eax+8]
		xor	ecx, ecx
		push	624E4D43h
		mov	edx, ebx
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8F9D41
		push	ebx		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	edi		; void *
		call	_memset
		lea	eax, [edi+8]
		add	esp, 0Ch
		mov	[edi+4], eax
		mov	eax, [ebp+var_4]
		movzx	eax, ax
		mov	[edi], ax
		mov	[edi+2], ax
		shr	ax, 1
		movzx	edx, ax
		test	esi, esi
		jz	short loc_7DEEE0

loc_7DEE71:				; CODE XREF: CmpConstructNameFromKcbNameBlocks+D4j
		test	dword ptr [esi+68h], 40000h
		jnz	short loc_7DEEEC

loc_7DEE7A:				; CODE XREF: CmpConstructNameFromKcbNameBlocks+E9j
		mov	eax, [esi+28h]
		mov	[ebp+var_8], eax
		mov	ecx, [eax]
		movzx	eax, word ptr [eax+0Ch]
		and	ecx, 1
		mov	[ebp+var_C], ecx
		jz	short loc_7DEEF7

loc_7DEE8E:				; CODE XREF: CmpConstructNameFromKcbNameBlocks+F5j
		sub	edx, eax
		movzx	eax, ax
		movzx	ecx, dx
		mov	[ebp+var_10], edx
		mov	edx, [ebp+var_8]
		mov	[ebp+var_4], eax
		add	edx, 0Eh
		cmp	[ebp+var_C], 0
		mov	eax, [edi+4]
		lea	ecx, [eax+ecx*2]
		jz	loc_8F9D4B
		push	[ebp+var_4]
		push	edx
		mov	edx, [ebp+var_4]
		lea	edx, [edx+edx]
		call	_CmpCopyCompressedName@16 ; CmpCopyCompressedName(x,x,x,x)

loc_7DEEC1:				; CODE XREF: CmpConstructNameFromKcbNameBlocks+11AF54j
		mov	edx, [ebp+var_10]
		mov	eax, [edi+4]
		add	edx, 0FFFFh
		movzx	ecx, dx
		push	5Ch
		pop	ebx
		mov	[eax+ecx*2], bx
		mov	esi, [esi+24h]

loc_7DEEDA:				; CODE XREF: CmpConstructNameFromKcbNameBlocks+EDj
		test	esi, esi
		jnz	short loc_7DEE71
		xor	ebx, ebx

loc_7DEEE0:				; CODE XREF: CmpConstructNameFromKcbNameBlocks+67j
		mov	eax, [ebp+var_14]
		mov	[eax], edi

loc_7DEEE5:				; CODE XREF: CmpConstructNameFromKcbNameBlocks+11AF3Ej
		pop	edi

loc_7DEEE6:				; CODE XREF: CmpConstructNameFromKcbNameBlocks+11AF34j
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_7DEEEC:				; CODE XREF: CmpConstructNameFromKcbNameBlocks+70j
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_7DEE7A
		mov	esi, eax
		jmp	short loc_7DEEDA
; 

loc_7DEEF7:				; CODE XREF: CmpConstructNameFromKcbNameBlocks+84j
		shr	ax, 1
		movzx	eax, ax
		jmp	short loc_7DEE8E
CmpConstructNameFromKcbNameBlocks endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCreateNotificationName(x)
_PopCreateNotificationName@4 proc near	; CODE XREF: PopGetSettingNotificationName+127p
					; PopGetSettingNotificationName+202p

var_1C4		= dword	ptr -1C4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_60		= dword	ptr -60h
var_34		= dword	ptr -34h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1AC], offset ??_C@_1CK@FJCLHILF@?$AAl?$AAp?$AAa?$AAc?$AAP?$AAn?$AAp?$AAN?$AAo?$AAt?$AAi?$AAf?$AAi?$AAc?$AAa@NNGAKEGL@ ; "lpacPnpNotifications"
		lea	edi, [ebp+var_1C4]
		mov	esi, ecx
		stosd
		push	28h
		stosd
		stosd
		stosd
		stosd
		pop	eax
		push	2Ah
		mov	word ptr [ebp+var_1B0],	ax
		pop	eax
		push	2
		pop	ebx
		push	ebx		; int
		mov	word ptr [ebp+var_1B0+2], ax
		lea	eax, [ebp+var_1A8]
		push	148h		; size_t
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		xor	edi, edi
		lea	ecx, [ebp+var_1A8]
		push	edi
		push	_SeLocalSystemSid
		mov	edx, ebx
		push	1F0003h
		push	edi
		call	RtlpAddKnownAce
		push	edi
		push	_SeWorldSid
		mov	edx, ebx
		lea	ecx, [ebp+var_1A8]
		push	120001h
		push	edi
		call	RtlpAddKnownAce
		push	edi
		push	_SeAllAppPackagesSid
		mov	edx, ebx
		lea	ecx, [ebp+var_1A8]
		push	120001h
		push	edi
		call	RtlpAddKnownAce
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_1B0]
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	short loc_7DF013
		push	edi
		lea	eax, [ebp+var_34]
		mov	edx, ebx
		push	eax
		push	120001h
		push	edi
		lea	ecx, [ebp+var_1A8]
		call	RtlpAddKnownAce
		push	1
		lea	eax, [ebp+var_1C4]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	edi
		lea	eax, [ebp+var_1A8]
		push	eax
		push	1
		lea	eax, [ebp+var_1C4]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		lea	eax, [ebp+var_1C4]
		push	eax
		push	24h
		push	edi
		push	edi
		push	4
		push	3
		push	esi
		call	_ZwCreateWnfStateName@28 ; ZwCreateWnfStateName(x,x,x,x,x,x,x)

loc_7DF013:				; CODE XREF: PopCreateNotificationName(x)+C0j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopCreateNotificationName@4 endp

; 
		align 8
; Exported entry 632. FsRtlPrepareMdlWriteEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlPrepareMdlWriteEx
FsRtlPrepareMdlWriteEx proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_14]
		push	edi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	ebx
		call	_FsRtlPrepareMdlWrite@24 ; FsRtlPrepareMdlWrite(x,x,x,x,x,x)
		test	al, al
		jz	sub_8F9D61
		xor	ebx, ebx

loc_7DF053:				; CODE XREF: sub_8F9D61+6Cj
		mov	eax, ebx

loc_7DF055:				; CODE XREF: sub_8F9D61+27j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
FsRtlPrepareMdlWriteEx endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 630. FsRtlPrepareMdlWrite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlPrepareMdlWrite(x, x, x, x, x,	x)
		public _FsRtlPrepareMdlWrite@24
_FsRtlPrepareMdlWrite@24 proc near	; CODE XREF: FsRtlPrepareMdlWriteEx+1Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	IoGetRelatedDeviceObject
		mov	ecx, [eax+8]
		mov	ecx, [ecx+28h]
		test	ecx, ecx
		jz	short loc_7DF09E
		cmp	dword ptr [ecx], 48h
		jbe	short loc_7DF09E
		mov	ecx, [ecx+48h]
		test	ecx, ecx
		jz	short loc_7DF09E
		push	eax
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ecx

loc_7DF09A:				; CODE XREF: FsRtlPrepareMdlWrite(x,x,x,x,x,x)+3Ej
		pop	ebp
		retn	18h
; 

loc_7DF09E:				; CODE XREF: FsRtlPrepareMdlWrite(x,x,x,x,x,x)+15j
					; FsRtlPrepareMdlWrite(x,x,x,x,x,x)+1Aj ...
		xor	al, al
		jmp	short loc_7DF09A
_FsRtlPrepareMdlWrite@24 endp

; 
		align 8
; Exported entry 595. FsRtlMdlReadEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlMdlReadEx
FsRtlMdlReadEx	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_14]
		push	edi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	ebx
		call	_FsRtlMdlRead@24 ; FsRtlMdlRead(x,x,x,x,x,x)
		test	al, al
		jz	sub_8F9DD2
		xor	ebx, ebx

loc_7DF0D3:				; CODE XREF: sub_8F9DD2+6Dj
		mov	eax, ebx

loc_7DF0D5:				; CODE XREF: sub_8F9DD2+28j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
FsRtlMdlReadEx	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 591. FsRtlMdlRead

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlMdlRead(x, x, x, x, x,	x)
		public _FsRtlMdlRead@24
_FsRtlMdlRead@24 proc near		; CODE XREF: FsRtlMdlReadEx+1Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	IoGetRelatedDeviceObject
		mov	ecx, [eax+8]
		mov	ecx, [ecx+28h]
		test	ecx, ecx
		jz	short loc_7DF11E
		cmp	dword ptr [ecx], 40h
		jbe	short loc_7DF11E
		mov	ecx, [ecx+40h]
		test	ecx, ecx
		jz	short loc_7DF11E
		push	eax
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ecx

loc_7DF11A:				; CODE XREF: FsRtlMdlRead(x,x,x,x,x,x)+3Ej
		pop	ebp
		retn	18h
; 

loc_7DF11E:				; CODE XREF: FsRtlMdlRead(x,x,x,x,x,x)+15j
					; FsRtlMdlRead(x,x,x,x,x,x)+1Aj ...
		xor	al, al
		jmp	short loc_7DF11A
_FsRtlMdlRead@24 endp


;  S U B	R O U T	I N E 


; __stdcall PfSnPowerBoost(x, x)
_PfSnPowerBoost@8 proc near		; CODE XREF: PfSnEndTrace+3F7p
					; PfSnEndTrace+40Ep
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+8]
		test	edx, edx
		jz	short loc_7DF159
		xor	ecx, ecx
		inc	ecx
		call	_PfSnPowerBoostUpdate@4	; PfSnPowerBoostUpdate(x)
		mov	ecx, esi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		push	0FFFFFFFFh
		push	0FE363C80h
		lea	eax, [esi+30h]
		xor	edx, edx
		push	eax
		push	0
		mov	ecx, edi
		call	KiSetTimerEx

loc_7DF155:				; CODE XREF: PfSnPowerBoost(x,x)+56j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_7DF159:				; CODE XREF: PfSnPowerBoost(x,x)+Cj
		push	edi
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jz	short loc_7DF171
		xor	ecx, ecx
		call	_PfSnPowerBoostUpdate@4	; PfSnPowerBoostUpdate(x)
		mov	ecx, esi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7DF171:				; CODE XREF: PfSnPowerBoost(x,x)+3Fj
		mov	ecx, esi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		jmp	short loc_7DF155
_PfSnPowerBoost@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnPowerBoostUpdate(x)
_PfSnPowerBoostUpdate@4	proc near	; CODE XREF: PfSnPowerBoost(x,x)+11p
					; PfSnPowerBoost(x,x)+43p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		xor	eax, eax
		mov	edx, offset unk_6D49F4
		test	ecx, ecx
		setnz	al
		lea	eax, ds:0FFFFFFFFh[eax*2]
		lock xadd [edx], eax
		test	eax, eax
		jz	short loc_7DF1D4

loc_7DF19C:				; CODE XREF: PfSnPowerBoostUpdate(x)+5Ej
		cmp	eax, 1
		jnz	short locret_7DF1D2
		test	ecx, ecx
		jnz	short locret_7DF1D2

loc_7DF1A5:				; CODE XREF: PfSnPowerBoostUpdate(x)+5Cj
		xor	edx, edx
		lea	eax, [ecx+ecx]
		push	ecx
		push	edx
		xor	eax, edx
		mov	[ebp+var_4], edx
		or	[ebp+var_4], 0FFFFFFFFh
		and	eax, 2
		push	edx
		push	edx
		xor	eax, edx
		mov	ecx, offset _WNF_SEB_APP_LAUNCH_PREFETCH
		push	edx
		or	eax, 1
		lea	edx, [ebp+var_8]
		push	8
		mov	[ebp+var_8], eax
		call	ExpNtUpdateWnfStateData

locret_7DF1D2:				; CODE XREF: PfSnPowerBoostUpdate(x)+25j
					; PfSnPowerBoostUpdate(x)+29j
		leave
		retn
; 

loc_7DF1D4:				; CODE XREF: PfSnPowerBoostUpdate(x)+20j
		test	ecx, ecx
		jnz	short loc_7DF1A5
		jmp	short loc_7DF19C
_PfSnPowerBoostUpdate@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetCpuRateControlJobPreCallback(x, x)
_PspSetCpuRateControlJobPreCallback@8 proc near
					; DATA XREF: PspAddSchedulingGroupToJobChain+C6o
					; PspAddSchedulingGroupToJobChain+128BF9o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		lea	eax, [ecx+40h]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ebp+arg_0]
		mov	[eax+220h], ecx
		xor	eax, eax
		pop	ebp
		retn	8
_PspSetCpuRateControlJobPreCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetNoChildProcessRestrictedPolicy(x, x)
_PspSetNoChildProcessRestrictedPolicy@8	proc near
					; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+84Fp
					; PspApplyMitigationOptions(x,x,x,x,x,x,x)+876p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		mov	edi, edx
		push	eax
		mov	[ebp+var_4], eax
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		cmp	edi, 3
		mov	[ebp+var_8], eax
		mov	ecx, eax
		setz	bl
		cmp	edi, 2
		movzx	esi, bl
		push	esi
		setz	dl
		call	_SeTokenSetNoChildProcessRestricted@12 ; SeTokenSetNoChildProcessRestricted(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]
		lea	ecx, [ecx+12Ch]
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PspSetNoChildProcessRestrictedPolicy@8	endp

; 
		align 8
; Exported entry 825. IoEnumerateRegisteredFiltersList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoEnumerateRegisteredFiltersList
IoEnumerateRegisteredFiltersList proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F9E44 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	esi, esi
		dec	word ptr [eax+13Ch]
		nop
		push	esi
		mov	ebx, offset _IopDatabaseResource
		push	ebx
		call	ExAcquireResourceExclusiveLite
		test	al, al
		jz	loc_8F9E44

loc_7DF273:				; CODE XREF: IoEnumerateRegisteredFiltersList+11AC17j
		mov	eax, _IopFsNotifyChangeQueueHead
		mov	ecx, offset _IopFsNotifyChangeQueueHead
		push	edi
		mov	edi, [ebp+arg_4]
		shr	edi, 2

loc_7DF284:				; CODE XREF: IoEnumerateRegisteredFiltersList+A1j
		cmp	eax, ecx
		jnz	short loc_7DF2E6
		mov	eax, [ebp+arg_8]
		cmp	edi, esi
		mov	[eax], esi
		sbb	esi, esi
		mov	ebx, _IopFsNotifyChangeQueueHead
		and	esi, 0C0000023h
		test	edi, edi
		jz	short loc_7DF2C7

loc_7DF2A1:				; CODE XREF: IoEnumerateRegisteredFiltersList+7Dj
		cmp	ebx, ecx
		jz	short loc_7DF2C7
		mov	ecx, [ebx+8]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebx+8]
		mov	[ecx], eax
		add	ecx, 4
		mov	ebx, [ebx]
		mov	[ebp+arg_0], ecx
		mov	ecx, offset _IopFsNotifyChangeQueueHead
		sub	edi, 1
		jnz	short loc_7DF2A1

loc_7DF2C7:				; CODE XREF: IoEnumerateRegisteredFiltersList+57j
					; IoEnumerateRegisteredFiltersList+5Bj
		mov	ecx, offset _IopDatabaseResource
		call	ExReleaseResourceLite
		pop	edi

loc_7DF2D2:				; CODE XREF: IoEnumerateRegisteredFiltersList+11AC0Aj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_7DF2E6:				; CODE XREF: IoEnumerateRegisteredFiltersList+3Ej
		mov	eax, [eax]
		inc	esi
		jmp	short loc_7DF284
IoEnumerateRegisteredFiltersList endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelperGetBlockerGuid(x, x)
_SleepstudyHelperGetBlockerGuid@8 proc near
					; CODE XREF: SleepstudyHelper_GenerateGuid(x,x,x,x)+8Ep
					; SleepstudyHelper_RegisterPdoWithParentHandle(x,x,x,x)+40p
					; DATA XREF: ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, 0C000000Dh
		test	esi, esi
		jz	short loc_7DF316
		push	edi
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_7DF315
		mov	esi, [esi+11Ch]
		add	esi, 28h
		xor	eax, eax
		movsd
		movsd
		movsd
		movsd

loc_7DF315:				; CODE XREF: SleepstudyHelperGetBlockerGuid(x,x)+18j
		pop	edi

loc_7DF316:				; CODE XREF: SleepstudyHelperGetBlockerGuid(x,x)+10j
		pop	esi
		pop	ebp
		retn	8
_SleepstudyHelperGetBlockerGuid@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetProcessEnergyTrackingStateCallback(x,	x)
_PspSetProcessEnergyTrackingStateCallback@8 proc near
					; DATA XREF: PspSetEnergyTrackingStateJobTree(x,x)+37o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, [ebp+arg_4]
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		push	8
		push	[ebp+arg_0]
		call	PsUpdateComponentPower
		xor	eax, eax
		mov	esp, ebp
		pop	ebp
		retn	8
_PspSetProcessEnergyTrackingStateCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpAddToHiveFileList proc near		; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+278p
					; CmpFinishSystemHivesLoad(x)+300p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F9E64 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	edi, [ebp+var_2C]
		mov	ebx, ecx
		mov	[ebp+var_14], esi
		push	6
		xor	eax, eax
		mov	[ebp+var_10], esi
		pop	ecx
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], esi
		rep stosd
		mov	[ebp+var_8], esi
		cmp	_CmpHiveFileListHandle,	eax
		jz	loc_7DF3FA

loc_7DF372:				; CODE XREF: CmpAddToHiveFileList+114j
					; CmpAddToHiveFileList+11AB2Ej
		xor	ecx, ecx
		mov	edx, 202h
		push	62714D43h
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8F9E71
		test	byte ptr [ebx+64h], 1
		jnz	loc_7DF45D
		lea	eax, [ebp+var_4]
		push	eax
		push	200h
		push	edi
		push	1
		push	dword ptr [ebx+400h]
		call	_ZwQueryObject@20 ; ZwQueryObject(x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_4]
		add	eax, 0FFFFFFF8h
		mov	[ebp+var_4], eax
		test	esi, esi
		js	short loc_7DF3EC
		mov	ecx, [edi+4]
		xor	edx, edx
		shr	eax, 1
		mov	[ecx+eax*2], dx
		mov	eax, [ebp+var_4]
		add	eax, 2

loc_7DF3CF:				; CODE XREF: CmpAddToHiveFileList+125j
		push	eax
		push	ecx
		push	1
		mov	[ebp+var_4], eax
		lea	eax, [ebx+4B8h]
		push	0
		push	eax
		push	_CmpHiveFileListHandle
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax

loc_7DF3EC:				; CODE XREF: CmpAddToHiveFileList+7Ej
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_7DF3F3:				; CODE XREF: CmpAddToHiveFileList+102j
					; CmpAddToHiveFileList+11AB38j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7DF3FA:				; CODE XREF: CmpAddToHiveFileList+2Ej
		push	offset ??_C@_1HI@EDNIGPI@?$AA?2?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAm?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\registry\\machine\\system\\currentcontrol"...
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		push	1
		push	esi
		lea	eax, [ebp+var_14]
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	esi
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_8]
		mov	[ebp+var_28], esi
		push	eax
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7DF3F3
		mov	ecx, [ebp+var_8]
		mov	edx, offset _CmpHiveFileListHandle
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	loc_7DF372
		jmp	loc_8F9E64
; 

loc_7DF45D:				; CODE XREF: CmpAddToHiveFileList+54j
		push	2
		lea	ecx, [ebp+var_C]
		pop	eax
		jmp	loc_7DF3CF
CmpAddToHiveFileList endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2456. SeCreateClientSecurityFromSubjectContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeCreateClientSecurityFromSubjectContext
SeCreateClientSecurityFromSubjectContext proc near

var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F9E7B SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		mov	byte ptr [ebp+var_5], bl
		mov	byte ptr [ebp+var_1], bl
		mov	esi, [edi]
		test	esi, esi
		jnz	short loc_7DF48D
		mov	esi, [edi+8]

loc_7DF48D:				; CODE XREF: SeCreateClientSecurityFromSubjectContext+1Aj
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, [edi]
		test	edx, edx
		jnz	short loc_7DF4D8
		mov	[ebp+arg_0], 1

loc_7DF4A1:				; CODE XREF: SeCreateClientSecurityFromSubjectContext+91j
					; SeCreateClientSecurityFromSubjectContext+11AA14j
		push	[ebp+arg_C]
		mov	eax, [edi+4]
		xor	ecx, ecx
		push	ebx
		push	[ebp+var_5]
		mov	ebx, [ebp+arg_4]
		mov	edx, ebx
		push	ecx
		push	ecx
		push	eax
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, esi
		push	[ebp+arg_8]
		call	SepCreateClientSecurityEx
		mov	edi, eax
		test	edi, edi
		js	short loc_7DF506
		cmp	byte ptr [ebx+8], 0
		jz	short loc_7DF506

loc_7DF4CF:				; CODE XREF: SeCreateClientSecurityFromSubjectContext+9Fj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7DF4D8:				; CODE XREF: SeCreateClientSecurityFromSubjectContext+2Aj
		mov	eax, [edi+8]
		lea	ecx, [ebp+var_1]
		mov	edx, [edx+280h]
		push	ecx
		mov	[ebp+arg_0], 2
		mov	eax, [eax+280h]
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	_RtlSidDominatesForTrust@12 ; RtlSidDominatesForTrust(x,x,x)
		cmp	byte ptr [ebp+var_1], bl
		jnz	short loc_7DF4A1
		jmp	loc_8F9E7B
; 

loc_7DF506:				; CODE XREF: SeCreateClientSecurityFromSubjectContext+59j
					; SeCreateClientSecurityFromSubjectContext+5Fj
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_7DF4CF
SeCreateClientSecurityFromSubjectContext endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateDirectoryObjectEx(x, x, x, x, x)
_NtCreateDirectoryObjectEx@20 proc near	; DATA XREF: .text:00581178o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_8]
		call	ObpCreateDirectoryObject
		pop	ebp
		retn	14h
_NtCreateDirectoryObjectEx@20 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1607. NtWriteFileGather

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtWriteFileGather(int,int,int,int,int,void *,int,int,int)
		public _NtWriteFileGather@36
_NtWriteFileGather@36 proc near		; DATA XREF: .text:00580B9Co

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		push	48h
		push	offset dword_6A4490
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ebx
		mov	eax, large fs:124h
		mov	[ebp+var_4C], eax
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_2C], al
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_2C]
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		call	IopReferenceFileObject
		test	eax, eax
		js	loc_7DFAF0
		mov	eax, [ebp+var_44]
		mov	[ebp+var_40], eax
		mov	esi, [ebp+var_24]
		push	esi
		call	IoGetRelatedDeviceObject
		mov	[ebp+var_30], eax
		lea	edx, [esi+2Ch]
		mov	[ebp+arg_0], edx
		mov	ecx, [edx]
		test	cl, 8
		jz	loc_7DFAE4
		test	cl, 2
		jnz	loc_7DFAE4
		test	byte ptr [eax+1Ch], 4
		jnz	loc_7DFAE4
		mov	eax, [eax+2Ch]
		cmp	eax, 8
		jz	short loc_7DF5EF
		cmp	eax, 6
		jz	short loc_7DF5EF
		cmp	eax, 20h
		jz	short loc_7DF5EF
		cmp	eax, 3
		jz	short loc_7DF5EF
		cmp	eax, 14h
		jz	short loc_7DF5EF
		cmp	eax, 9
		jz	short loc_7DF5EF
		cmp	eax, 36h
		jz	short loc_7DF5EF
		cmp	eax, 53h
		jnz	loc_7DFAE4

loc_7DF5EF:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+94j
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+99j ...
		mov	eax, [ebp+arg_18]
		mov	edi, eax
		and	edi, 0FFFh
		neg	edi
		sbb	edi, edi
		neg	edi
		shr	eax, 0Ch
		add	edi, eax
		cmp	[ebp+var_19], bl
		jz	loc_7DF7B3
		shr	ecx, 5
		not	ecx
		and	ecx, 4
		or	cl, 2
		mov	eax, [ebp+var_40]
		test	cl, al
		jnz	short loc_7DF631
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, 0C0000022h
		jmp	loc_7DFAF0
; 

loc_7DF631:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+ECj
		mov	[ebp+var_3C], ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [ebp+arg_10]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_7DF645
		mov	ecx, eax

loc_7DF645:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+10Fj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, edi
		shl	eax, 3
		test	eax, eax
		jz	short loc_7DF672
		test	byte ptr [ebp+arg_14], 3
		jnz	loc_7DFB02
		mov	ecx, [ebp+arg_14]
		lea	edx, [eax+ecx]
		mov	esi, ds:_MmUserProbeAddress
		cmp	edx, esi
		ja	short loc_7DF670
		cmp	edx, ecx
		jnb	short loc_7DF672

loc_7DF670:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+138j
		mov	[esi], bl

loc_7DF672:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+11Ej
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+13Cj
		cmp	[ebp+arg_18], 0
		jz	short loc_7DF6B5
		mov	edx, eax
		xor	ecx, ecx
		inc	ecx
		call	sub_60F12F
		mov	esi, eax
		mov	[ebp+var_20], esi
		mov	eax, edi
		shl	eax, 3
		push	eax		; size_t
		push	[ebp+arg_14]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+arg_14], esi
		mov	ecx, ebx

loc_7DF69E:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+181j
		cmp	ecx, edi
		jnb	short loc_7DF6B5
		mov	eax, [esi+ecx*8]
		and	eax, 0FFFh
		or	eax, ebx
		jnz	loc_7DFB07
		inc	ecx
		jmp	short loc_7DF69E
; 

loc_7DF6B5:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+144j
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+16Ej
		mov	esi, [ebp+var_24]
		cmp	[esi+6Ch], ebx
		jz	short loc_7DF6C7
		cmp	[ebp+arg_8], 0
		jnz	loc_7DFB07

loc_7DF6C7:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+189j
		mov	ecx, [ebp+arg_1C]
		test	ecx, ecx
		jz	short loc_7DF6F5
		mov	edx, ecx
		test	cl, 3
		jnz	loc_7DFB11
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_7DF6E4
		mov	edx, eax

loc_7DF6E4:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+1AEj
		nop
		mov	al, [edx]
		mov	esi, [ebp+var_24]
		mov	eax, [ecx]
		mov	[ebp+var_58], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_54], eax

loc_7DF6F5:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+19Aj
		lea	eax, [esi+2Ch]
		mov	[ebp+arg_0], eax
		mov	eax, [eax]
		mov	[ebp+var_38], eax
		test	al, 8
		jz	short loc_7DF75F
		mov	edx, [ebp+var_30]
		movzx	edi, word ptr [edx+0ACh]
		test	di, di
		jz	short loc_7DF72E
		mov	eax, edi
		dec	eax
		mov	edx, [ebp+arg_18]
		test	eax, edx
		jz	short loc_7DF72B
		mov	eax, edx
		xor	edx, edx
		div	edi
		test	edx, edx
		jnz	loc_7DFB07

loc_7DF72B:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+1E9j
		mov	eax, [ebp+var_38]

loc_7DF72E:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+1DFj
		test	ecx, ecx
		jz	short loc_7DF75F
		cmp	[ebp+var_58], 0FFFFFFFFh
		jnz	short loc_7DF73E
		cmp	[ebp+var_54], 0FFFFFFFFh
		jz	short loc_7DF75F

loc_7DF73E:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+204j
		cmp	[ebp+var_58], 0FFFFFFFEh
		jnz	short loc_7DF74E
		cmp	[ebp+var_54], 0FFFFFFFFh
		jnz	short loc_7DF74E
		test	al, 2
		jnz	short loc_7DF75F

loc_7DF74E:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+210j
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+216j
		test	di, di
		jz	short loc_7DF75F
		lea	eax, [edi-1]
		test	[ebp+var_58], eax
		jnz	loc_7DFB07

loc_7DF75F:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+1D0j
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+1FEj ...
		mov	eax, [ebp+arg_20]
		test	eax, eax
		jz	short loc_7DF77B
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_7DF772
		mov	eax, ecx

loc_7DF772:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+23Cj
		nop
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		mov	esi, [ebp+var_24]

loc_7DF77B:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+232j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_7DF7D1
; 

loc_7DF784:				; DATA XREF: .text:006A44A4o
		lea	edx, [ebp+var_3C]
		mov	ecx, [ebp+ms_exc.exc_ptr]
		call	_IopExceptionFilter@8 ;	IopExceptionFilter(x,x)
		retn
; 

loc_7DF790:				; DATA XREF: .text:006A44A8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObject
		cmp	[ebp+var_20], 0
		jz	short loc_7DF7AB
		push	0
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7DF7AB:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+26Dj
		mov	eax, [ebp+var_3C]
		jmp	loc_7DFADB
; 

loc_7DF7B3:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+D6j
		mov	ecx, [ebp+arg_1C]
		test	ecx, ecx
		jz	short loc_7DF7C5
		mov	eax, [ecx]
		mov	[ebp+var_58], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_54], eax

loc_7DF7C5:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+286j
		mov	eax, [ebp+arg_20]
		test	eax, eax
		jz	short loc_7DF7D1
		mov	eax, [eax]
		mov	[ebp+var_34], eax

loc_7DF7D1:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+250j
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+298j
		mov	eax, [ebp+var_40]
		and	al, 6
		cmp	al, 4
		jnz	short loc_7DF7E2
		or	[ebp+var_58], 0FFFFFFFFh
		or	[ebp+var_54], 0FFFFFFFFh

loc_7DF7E2:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+2A6j
		cmp	[ebp+arg_4], 0
		jz	short loc_7DF831
		mov	eax, ds:_ExEventObjectType
		mov	[ebp+var_38], ebx
		push	ebx
		lea	ecx, [ebp+var_38]
		push	ecx
		push	[ebp+var_2C]
		push	eax
		push	2
		push	[ebp+arg_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_38]
		mov	[ebp+var_28], eax
		test	edi, edi
		jns	short loc_7DF82B
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	esi, [ebp+var_20]
		test	esi, esi
		jz	short loc_7DF824
		push	ebx
		push	esi

loc_7DF81F:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+38Dj
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7DF824:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+2E9j
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+383j
		mov	eax, edi
		jmp	loc_7DFAF0
; 

loc_7DF82B:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+2DBj
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_7DF831:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+2B4j
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		test	al, 2
		jz	loc_7DF8EF
		shr	eax, 2
		and	al, 1
		mov	byte ptr [ebp+arg_20], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ebx
		mov	esi, [ebp+var_24]
		lea	ecx, [esi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	[ebp+var_1A], bl
		xor	edx, edx
		inc	edx
		lea	ecx, [esi+44h]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	short loc_7DF884
		test	eax, eax
		jz	short loc_7DF879
		or	byte ptr [eax+0Eh], 1

loc_7DF879:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+341j
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edi, ebx
		jmp	short loc_7DF898
; 

loc_7DF884:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+33Dj
		lea	ecx, [ebp+var_1A]
		push	ecx
		push	eax
		push	[ebp+arg_20]
		mov	dl, [ebp+var_19]
		mov	ecx, esi
		call	IopWaitAndAcquireFileObjectLock
		mov	edi, eax

loc_7DF898:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+350j
		cmp	[ebp+var_1A], 0
		jz	short loc_7DF8C4
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_7DF8AA
		call	ObfDereferenceObject

loc_7DF8AA:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+371j
		mov	ecx, esi
		call	ObfDereferenceObject
		cmp	[ebp+var_20], 0
		jz	loc_7DF824
		push	ebx
		push	[ebp+var_20]
		jmp	loc_7DF81F
; 

loc_7DF8C4:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+36Aj
		mov	al, 1
		mov	byte ptr [ebp+arg_20], al
		cmp	[ebp+arg_1C], 0
		jnz	short loc_7DF8D5
		cmp	[ebp+var_58], 0
		jz	short loc_7DF8E1

loc_7DF8D5:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+39Bj
		cmp	[ebp+var_58], 0FFFFFFFEh
		jnz	short loc_7DF90F
		cmp	[ebp+var_54], 0FFFFFFFFh
		jnz	short loc_7DF90F

loc_7DF8E1:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+3A1j
		mov	eax, [esi+38h]
		mov	[ebp+var_58], eax
		mov	eax, [esi+3Ch]
		mov	[ebp+var_54], eax
		jmp	short loc_7DF90F
; 

loc_7DF8EF:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+306j
		cmp	[ebp+arg_1C], 0
		jnz	short loc_7DF90A
		test	eax, 280h
		jnz	short loc_7DF90A
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_7DF93A
		call	ObfDereferenceObject
		jmp	short loc_7DF93A
; 

loc_7DF90A:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+3C1j
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+3C8j
		mov	al, bl
		mov	byte ptr [ebp+arg_20], al

loc_7DF90F:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+3A7j
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+3ADj ...
		cmp	[ebp+var_54], 0
		jge	short loc_7DF958
		cmp	[ebp+var_54], 0FFFFFFFFh
		jnz	short loc_7DF921
		cmp	[ebp+var_58], 0FFFFFFFFh
		jz	short loc_7DF958

loc_7DF921:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+3E7j
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_7DF92D
		call	ObfDereferenceObject

loc_7DF92D:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+3F4j
		cmp	byte ptr [ebp+arg_20], 0
		jz	short loc_7DF93A
		mov	ecx, esi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_7DF93A:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+3CFj
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+3D6j ...
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	esi, [ebp+var_20]
		test	esi, esi
		jz	loc_7DFAEB
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7DFAEB
; 

loc_7DF958:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+3E1j
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+3EDj
		mov	ecx, esi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		push	dword ptr [ebp+4]
		mov	al, byte ptr [ebp+arg_20]
		xor	al, 1
		movzx	eax, al
		push	eax
		mov	eax, [ebp+var_30]
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp+arg_1C], esi
		mov	ecx, [ebp+var_24]
		test	esi, esi
		jnz	short loc_7DF9A4
		mov	edx, [ebp+var_28]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		cmp	[ebp+var_20], esi
		jz	short loc_7DF99A
		push	ebx
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7DF99A:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+45Dj
		mov	eax, 0C000009Ah
		jmp	loc_7DFAF0
; 

loc_7DF9A4:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+450j
		mov	[esi+64h], ecx
		mov	eax, [ebp+var_4C]
		mov	[esi+50h], eax
		mov	[esi+54h], ebx
		mov	al, [ebp+var_19]
		mov	[esi+20h], al
		mov	[esi+21h], bl
		mov	[esi+24h], bl
		mov	[esi+38h], ebx
		mov	eax, [ebp+var_28]
		mov	[esi+2Ch], eax
		mov	eax, [ebp+arg_10]
		mov	[esi+28h], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+30h], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+34h], eax
		mov	edi, [esi+60h]
		mov	dword ptr [edi-24h], 4
		mov	[edi-0Ch], ecx
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax],	10h
		jz	short loc_7DF9F0
		mov	byte ptr [edi-22h], 4

loc_7DF9F0:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+4B8j
		mov	[esi+0Ch], ebx
		mov	[esi+4], ebx
		mov	[esi+8], ebx
		mov	edx, [ebp+arg_18]
		test	edx, edx
		jz	short loc_7DFA4B
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+arg_14]
		mov	eax, [ecx]
		push	esi
		push	1
		push	ebx
		push	edx
		push	eax
		call	IoAllocateMdl
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_7DFA27
		push	0C000009Ah
		jmp	loc_7DFB0C
; 

loc_7DFA27:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+4E9j
		movzx	eax, byte ptr [edi-24h]
		push	eax
		mov	edx, [ebp+var_30]
		push	edx
		push	ecx
		push	[ebp+var_2C]
		mov	edx, [ebp+arg_14]
		call	IopProbeAndLockSelectedPages
		mov	ecx, [ebp+arg_14]
		mov	eax, [ecx]
		mov	[esi+3Ch], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7DFA4B:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+4CCj
		cmp	[ebp+var_20], 0
		jz	short loc_7DFA5A
		push	ebx
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7DFA5A:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+51Dj
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		and	eax, 8
		or	eax, 5000h
		shr	eax, 3
		or	[esi+8], eax
		mov	ecx, [ebp+arg_18]
		mov	[edi-20h], ecx
		mov	eax, [ebp+var_34]
		mov	[edi-1Ch], eax
		mov	eax, [ebp+var_58]
		mov	[edi-18h], eax
		mov	eax, [ebp+var_54]
		mov	[edi-14h], eax
		push	1
		push	[ebp+arg_20]
		push	[ebp+var_2C]
		push	1
		push	[ebp+var_24]
		mov	edx, esi
		mov	ecx, [ebp+var_30]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)
		jmp	short loc_7DFAF0
; 

loc_7DFA9E:				; DATA XREF: .text:006A44B0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_50], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7DFAAC:				; DATA XREF: .text:006A44B4o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ecx, [ebp+var_24]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		xor	ebx, ebx
		push	ebx
		push	[ebp+var_28]
		mov	edx, [ebp+arg_1C]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		cmp	[ebp+var_20], ebx
		jz	short loc_7DFAD8
		push	ebx
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7DFAD8:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+59Bj
		mov	eax, [ebp+var_50]

loc_7DFADB:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+27Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_7DFAF0
; 

loc_7DFAE4:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+75j
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+7Ej ...
		mov	ecx, esi
		call	ObfDereferenceObject

loc_7DFAEB:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+414j
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+421j
		mov	eax, 0C000000Dh

loc_7DFAF0:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+52j
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+FAj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_7DFB02:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+124j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7DFB07:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+17Aj
					; NtWriteFileGather(x,x,x,x,x,x,x,x,x)+18Fj ...
		push	0C000000Dh

loc_7DFB0C:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+4F0j
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_7DFB11:				; CODE XREF: NtWriteFileGather(x,x,x,x,x,x,x,x,x)+1A1j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		mov	ecx, [ebp+arg_1C]
		int	3		; Trap to Debugger
_NtWriteFileGather@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpGenerateFileName proc near		; CODE XREF: EtwpStartLogger+97Cp
					; EtwpFlushBufferToLogfile+113p ...

var_4		= byte ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F9E87 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	eax, [esi+4]
		test	eax, eax
		jz	loc_8F9E87
		push	edi
		push	25h		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		mov	edi, eax
		pop	ecx
		pop	ecx
		test	edi, edi
		jz	loc_7DFBE3
		push	25h		; wchar_t
		push	dword ptr [esi+4] ; wchar_t *
		call	_wcsrchr
		pop	ecx
		pop	ecx
		cmp	edi, eax
		jnz	loc_7DFBE3
		push	offset ??_C@_15KNBIKKIN@?$AA?$CF?$AAd@NNGAKEGL@	; wchar_t *
		push	dword ptr [esi+4] ; wchar_t *
		call	_wcsstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_7DFBE3
		xor	eax, eax
		inc	eax
		lock xadd [ebx], eax
		inc	eax
		movzx	ebx, word ptr [esi+2]
		push	50777445h
		add	ebx, 40h
		mov	dword ptr [ebp+var_4], eax
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7DFBDC
		push	dword ptr [ebp+var_4] ;	char
		push	dword ptr [esi+4] ; wchar_t *
		push	ebx		; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		test	eax, eax
		jnz	loc_8F9E91
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	edi		; void *
		push	dword ptr [esi+4] ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8F9E91
		push	[ebp+arg_0]
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	edi
		push	[ebp+arg_0]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax

loc_7DFBD5:				; CODE XREF: EtwpGenerateFileName+C7j
					; EtwpGenerateFileName+CEj ...
		pop	edi

loc_7DFBD6:				; CODE XREF: EtwpGenerateFileName+11A372j
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7DFBDC:				; CODE XREF: EtwpGenerateFileName+76j
		mov	eax, 0C0000017h
		jmp	short loc_7DFBD5
; 

loc_7DFBE3:				; CODE XREF: EtwpGenerateFileName+26j
					; EtwpGenerateFileName+3Aj ...
		mov	eax, 0C0000033h
		jmp	short loc_7DFBD5
EtwpGenerateFileName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpVirtualQuery	proc near		; CODE XREF: PAGE:0077D3CFp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F9EA3 SIZE 00000022 BYTES

		push	24h
		push	offset dword_6A44B8
		call	__SEH_prolog4
		mov	esi, ecx
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		stosd
		stosd
		cmp	dword ptr [esi+10h], 14h
		jnz	loc_8F9EA3
		and	[ebp+ms_exc.disabled], 0
		push	14h
		pop	eax
		test	dl, dl
		jz	short loc_7DFC3C
		mov	ecx, [esi+0Ch]
		test	cl, 3
		jnz	loc_7DFCAD
		lea	edi, [ecx+14h]
		mov	edx, ds:_MmUserProbeAddress
		cmp	edi, edx
		ja	loc_8F9EAD
		cmp	edi, ecx
		jb	loc_8F9EAD

loc_7DFC3C:				; CODE XREF: PfpVirtualQuery+2Bj
					; PfpVirtualQuery+11A2C9j
		push	eax		; size_t
		push	dword ptr [esi+0Ch] ; void *
		lea	eax, [ebp+var_30]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_30], 1
		jnz	short loc_7DFCB2
		mov	eax, [ebp+var_2C]
		mov	edx, eax
		and	edx, 1
		jnz	loc_8F9EB8

loc_7DFC67:				; CODE XREF: PfpVirtualQuery+11A2D6j
		test	eax, 0FFFFFFFCh
		jnz	short loc_7DFCB2
		xor	ecx, ecx
		test	edx, edx
		jnz	short loc_7DFCB9
		test	al, 2
		jz	short loc_7DFC79
		inc	ecx

loc_7DFC79:				; CODE XREF: PfpVirtualQuery+8Cj
					; PfpVirtualQuery+D2j
		push	ecx
		push	0
		push	[ebp+var_24]
		push	[ebp+var_28]
		push	4
		xor	edx, edx
		mov	ecx, [ebp+var_20]
		call	MmQueryVirtualMemory
		test	eax, eax
		js	short loc_7DFC9B
		mov	ecx, [ebp+arg_0]
		mov	dword ptr [ecx], 14h

loc_7DFC9B:				; CODE XREF: PfpVirtualQuery+A6j
					; PfpVirtualQuery+CDj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7DFCAD:				; CODE XREF: PfpVirtualQuery+33j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7DFCB2:				; CODE XREF: PfpVirtualQuery+6Dj
					; PfpVirtualQuery+82j ...
		mov	eax, 0C000000Dh
		jmp	short loc_7DFC9B
; 

loc_7DFCB9:				; CODE XREF: PfpVirtualQuery+88j
		push	2
		pop	ecx
		jmp	short loc_7DFC79
PfpVirtualQuery	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 549. FsRtlInitializeExtraCreateParameter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlInitializeExtraCreateParameter(x, x, x, x, x, x)
		public _FsRtlInitializeExtraCreateParameter@24
_FsRtlInitializeExtraCreateParameter@24	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		mov	dword ptr [ecx], 48706345h
		lea	edi, [ecx+10h]
		mov	[ecx+4], edx
		mov	[ecx+0Ch], edx
		mov	[ecx+8], edx
		movsd
		movsd
		movsd
		movsd
		mov	[ecx+20h], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+24h], eax
		mov	eax, [ebp+arg_C]
		mov	[ecx+28h], eax
		mov	eax, [ebp+arg_14]
		pop	edi
		mov	[ecx+2Ch], eax
		mov	[ecx+30h], edx
		pop	esi
		pop	ebp
		retn	18h
_FsRtlInitializeExtraCreateParameter@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PerfDiagpProxyWorker proc near		; DATA XREF: PerfDiagpRequestState(x)+25o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F9EE5 SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		and	[esp+8+var_4], 0
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		test	eax, eax
		jz	loc_7DFDD4
		mov	esi, [eax+10h]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset dword_6BC720
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		call	_PerfDiagpIsTracingAllowed@0 ; PerfDiagpIsTracingAllowed()
		test	eax, eax
		jz	loc_8F9F03
		mov	ecx, dword_6BC724
		lea	eax, [esi-1]
		cmp	ecx, eax
		jnz	loc_7DFE0F

loc_7DFD6B:				; CODE XREF: PerfDiagpProxyWorker+111j
					; PerfDiagpProxyWorker+11A1E8j
		mov	eax, esi
		sub	eax, 1
		jz	loc_7DFE2D
		sub	eax, 1
		jz	short loc_7DFDDC
		sub	eax, 1
		jz	loc_7DFE26
		sub	eax, 1
		jnz	short loc_7DFDEF

loc_7DFD89:				; CODE XREF: PerfDiagpProxyWorker+EDj
		xor	edx, edx
		xor	ecx, ecx
		call	_PerfDiagpInitializeLoggerInfo@8 ; PerfDiagpInitializeLoggerInfo(x,x)
		lea	eax, [esp+10h+var_4]
		mov	ecx, offset dword_6BC748
		push	eax		; int
		mov	eax, dword_6BC748
		push	eax		; int
		push	ecx		; void *
		push	eax		; int
		push	ecx		; void *
		push	2		; int
		call	_NtTraceControl@24 ; NtTraceControl(x,x,x,x,x,x)

loc_7DFDAC:				; CODE XREF: PerfDiagpProxyWorker+DEj
					; PerfDiagpProxyWorker+F2j ...
		mov	dword_6BC724, esi

loc_7DFDB2:				; CODE XREF: PerfDiagpProxyWorker+11A203j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_8F9F12

loc_7DFDC1:				; CODE XREF: PerfDiagpProxyWorker+11A20Aj
					; PerfDiagpProxyWorker+11A217j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_7DFDD4:				; CODE XREF: PerfDiagpProxyWorker+16j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7DFDDC:				; CODE XREF: PerfDiagpProxyWorker+6Fj
		mov	edx, offset ??_C@_1EC@PDKCPLOK@?$AAW?$AAa?$AAi?$AAt?$AAi?$AAn?$AAg?$AAF?$AAo?$AAr?$AAL?$AAo?$AAg?$AAo?$AAn@NNGAKEGL@ ; "WaitingForLogonEnableKernelFlags"

loc_7DFDE1:				; CODE XREF: PerfDiagpProxyWorker+121j
		call	_PerfDiagpUpdatePerfDiagLoggerEnableFlags@8 ; PerfDiagpUpdatePerfDiagLoggerEnableFlags(x,x)

loc_7DFDE6:				; CODE XREF: PerfDiagpProxyWorker+103j
		test	eax, eax
		jns	short loc_7DFDAC
		jmp	loc_8F9F03
; 

loc_7DFDEF:				; CODE XREF: PerfDiagpProxyWorker+7Dj
		sub	eax, 1
		jz	short loc_7DFE34
		sub	eax, 1
		jz	short loc_7DFD89
		sub	eax, 1
		jnz	short loc_7DFDAC
		call	PerfDiagpSaveActiveDCLLogFileName
		mov	ecx, offset ??_C@_1FK@BKPNCEDA@?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt?$AAi?$AAc?$AAs?$AA?2?$AAP?$AAe?$AAr@NNGAKEGL@ ;	"D"

loc_7DFE08:				; CODE XREF: PerfDiagpProxyWorker+128j
					; PerfDiagpProxyWorker+12Fj
		call	_PerfDiagpStartPerfDiagLogger@4	; PerfDiagpStartPerfDiagLogger(x)
		jmp	short loc_7DFDE6
; 

loc_7DFE0F:				; CODE XREF: PerfDiagpProxyWorker+5Bj
		cmp	esi, 3
		jz	loc_8F9EE5
		cmp	esi, 7
		jz	loc_7DFD6B
		jmp	loc_8F9EEF
; 

loc_7DFE26:				; CODE XREF: PerfDiagpProxyWorker+74j
		mov	edx, offset ??_C@_1CE@MEENLKDH@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAF?$AAl?$AAa@NNGAKEGL@ ; "EnableKernelFlags"
		jmp	short loc_7DFDE1
; 

loc_7DFE2D:				; CODE XREF: PerfDiagpProxyWorker+66j
		mov	ecx, offset ??_C@_1FC@PKMDBHLJ@?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt?$AAi?$AAc?$AAs?$AA?2?$AAP?$AAe?$AAr@NNGAKEGL@
		jmp	short loc_7DFE08
; 

loc_7DFE34:				; CODE XREF: PerfDiagpProxyWorker+E8j
		mov	ecx, offset ??_C@_1GG@HCHEFAFD@?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt?$AAi?$AAc?$AAs?$AA?2?$AAP?$AAe?$AAr@NNGAKEGL@ ;	"Diagnostics\\Performance\\SecondaryLogonC"...
		jmp	short loc_7DFE08
PerfDiagpProxyWorker endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PerfDiagpIsTracingAllowed()
_PerfDiagpIsTracingAllowed@0 proc near	; CODE XREF: PerfDiagpProxyWorker+43p
					; PerfDiagpStartPerfDiagLogger(x)+4Fp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_28]
		push	offset ??_C@_1JG@PGFGANOH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\"
		xor	esi, esi
		mov	[ebp+var_28], edi
		push	eax
		mov	[ebp+var_24], edi
		inc	esi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_1C], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1DC@FCKDDIPN@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt@NNGAKEGL@
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_28]
		mov	[ebp+var_20], 14h
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_48], 18h
		push	eax
		mov	[ebp+var_44], edi
		mov	[ebp+var_3C], 240h
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_7DFEF4
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_20]
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7DFEF4
		cmp	[ebp+var_20], 10h
		jb	short loc_7DFEF4
		cmp	[ebp+var_14], 4
		jnz	short loc_7DFEF4
		cmp	[ebp+var_10], 4
		jnz	short loc_7DFEF4
		mov	eax, [ebp+var_C]
		neg	eax
		sbb	eax, eax
		not	eax
		and	esi, eax

loc_7DFEF4:				; CODE XREF: PerfDiagpIsTracingAllowed()+7Cj
					; PerfDiagpIsTracingAllowed()+99j ...
		cmp	[ebp+var_1C], edi
		jz	short loc_7DFF01
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_7DFF01:				; CODE XREF: PerfDiagpIsTracingAllowed()+BBj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PerfDiagpIsTracingAllowed@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PerfDiagpInitializeLoggerInfo(x, x)
_PerfDiagpInitializeLoggerInfo@8 proc near ; CODE XREF:	PerfDiagpProxyWorker+83p
					; PerfDiagpUpdatePerfDiagLoggerEnableFlags(x,x)+96p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, 0B0h
		mov	[ebp+var_4], edx
		push	esi		; size_t
		push	0		; int
		push	offset dword_6BC748 ; void *
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		mov	dword_6BC790, 80000000h
		mov	eax, offset unk_6BC728
		mov	word ptr dword_6BC790, si
		mov	edi, eax
		mov	dword_6BC774, 20000h
		mov	byte ptr dword_6BC790+2, 0FFh
		mov	esi, offset ??_C@_1CA@DEFPGLJP@?$AAP?$AAe?$AAr?$AAf?$AAD?$AAi?$AAa?$AAg?$AA?5?$AAL?$AAo?$AAg?$AAg?$AAe?$AAr@NNGAKEGL@
		push	8
		pop	ecx
		push	eax
		rep movsd
		push	offset unk_6BC7D8
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		mov	dword_6BC748, 0B4h
		pop	edi
		mov	word_6BC7FA, ax
		inc	eax
		pop	esi
		test	ebx, ebx
		mov	word_6BC7F8, ax
		pop	ebx
		jnz	short loc_7DFF95
		leave
		retn
; 

loc_7DFF95:				; CODE XREF: PerfDiagpInitializeLoggerInfo(x,x)+7Fj
		mov	ecx, [ebp+var_4]
		inc	ecx
		mov	word_6BC7FE, ax
		mov	word_6BC7FA, ax
		mov	word_6BC7FC, cx
		lea	eax, [ecx+1]
		mov	word_6BC7F8, ax
		movzx	eax, cx
		lea	eax, ds:0B4h[eax*4]
		mov	dword_6BC748, eax
		leave
		retn
_PerfDiagpInitializeLoggerInfo@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerRequestIsExecutionRequiredStatusHeld(x)
_PopPowerRequestIsExecutionRequiredStatusHeld@4	proc near
					; CODE XREF: PopHandleExecutionRequiredPowerRequestUpdate(x)+2Bp
					; PopEnableExecutionRequiredPowerRequests+83D73p
		cmp	dword ptr [ecx+24h], 0
		setnbe	al
		cmp	ds:_PopPowerRequestConvertSystemToExecution, 0
		jz	short locret_7DFFDE
		cmp	dword ptr [ecx+1Ch], 0
		jbe	short locret_7DFFDE
		mov	al, 1

locret_7DFFDE:				; CODE XREF: PopPowerRequestIsExecutionRequiredStatusHeld(x)+Ej
					; PopPowerRequestIsExecutionRequiredStatusHeld(x)+14j
		retn
_PopPowerRequestIsExecutionRequiredStatusHeld@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpIsValueTombstone(x, x)
_CmpIsValueTombstone@8 proc near	; CODE XREF: CmDeleteValueKey+338p
					; CmSetValueKey(x,x,x,x,x,x,x)+5C2p ...
		test	dword ptr [ecx+64h], 80000h
		jnz	short loc_7DFFEC
		xor	al, al
		retn
; 

loc_7DFFEC:				; CODE XREF: CmpIsValueTombstone(x,x)+7j
		mov	al, [edx+10h]
		shr	al, 1
		and	al, 1
		retn
_CmpIsValueTombstone@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetJobIoAttributionProcessCallback(x, x)
_PspSetJobIoAttributionProcessCallback@8 proc near ; DATA XREF:	PspSetJobIoAttribution+99o
					; PspRemoveIoAttribution(x)+47o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, [ecx]
		call	_IoSetDiskIoAttributionOnProcess@8 ; IoSetDiskIoAttributionOnProcess(x,x)
		xor	eax, eax
		pop	ebp
		retn	8
_PspSetJobIoAttributionProcessCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmGetPageFileInformation proc near	; CODE XREF: PAGE:0077F281p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F9F26 SIZE 00000017 BYTES
; FUNCTION CHUNK AT 008F9F63 SIZE 0000000D BYTES

		push	4Ch
		push	offset dword_6A44D8
		call	__SEH_prolog4
		mov	edi, edx
		mov	[ebp+var_38], edi
		xor	ebx, ebx
		mov	[ebp+var_19], bl
		xor	eax, eax
		cmp	[ebp+arg_4], eax
		setnz	al
		lea	eax, ds:18h[eax*8]
		mov	[ebp+var_28], eax
		mov	[ebp+var_20], ebx
		mov	esi, [ebp+arg_8]
		mov	[esi], ebx
		mov	[ebp+var_2C], edi
		lea	eax, [ebp+var_19]
		push	eax
		or	ecx, 0FFFFFFFFh
		call	MiPartitionObjectToPartition
		mov	edx, eax
		mov	[ebp+var_30], edx
		test	edx, edx
		jz	loc_8F9F26
		mov	esi, [edx+0F4Ch]
		mov	[ebp+var_50], esi
		mov	[ebp+ms_exc.disabled], ebx
		mov	[edi+4], ebx
		mov	eax, ebx
		mov	[ebp+var_24], eax
		mov	edi, [ebp+var_20]
		mov	ecx, [ebp+var_2C]

loc_7E0072:				; CODE XREF: MmGetPageFileInformation+186j
		cmp	eax, esi
		jnb	loc_7E0197
		mov	eax, [edx+eax*4+0F54h]
		test	byte ptr [eax+74h], 50h
		jnz	loc_7E018B
		mov	esi, [ebp+var_38]
		add	esi, edi
		mov	[ebp+var_2C], esi
		mov	eax, [ebp+var_28]
		add	eax, edi
		mov	[ebp+var_4C], eax
		cmp	eax, edi
		jbe	loc_8F9F30
		cmp	eax, [ebp+arg_0]
		ja	loc_8F9F30
		mov	[ebp+var_20], eax
		mov	ecx, [ebp+var_24]
		mov	eax, [edx+ecx*4+0F54h]
		mov	edi, [eax]
		mov	edx, [eax+0Ch]
		mov	[ebp+var_3C], edx
		mov	edx, [eax+10h]
		mov	[ebp+var_40], edx
		mov	edx, [eax+8]
		mov	[ebp+var_44], edx
		mov	eax, [eax+4]
		mov	[ebp+var_48], eax
		mov	edx, [ebp+var_30]
		mov	eax, [ebp+var_3C]

loc_7E00D9:				; CODE XREF: MmGetPageFileInformation+CFj
		cmp	eax, edi
		jnb	short loc_7E00D9
		mov	[esi+4], edi
		sub	edi, eax
		sub	edi, 2
		mov	[esi+8], edi
		mov	eax, [ebp+var_40]
		mov	[esi+0Ch], eax
		cmp	[ebp+arg_4], 0
		jnz	loc_7E01C3

loc_7E00F8:				; CODE XREF: MmGetPageFileInformation+1C3j
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		mov	eax, [edx+ecx*4+0F54h]
		movzx	eax, word ptr [eax+30h]
		mov	ecx, eax
		mov	[ebp+var_48], ecx
		mov	word ptr [ebp+var_5C], ax
		lea	ecx, [eax+2]
		mov	word ptr [ebp+var_5C+2], cx
		mov	edi, [ebp+var_28]
		add	edi, esi
		mov	[ebp+var_58], edi
		mov	eax, [ebp+var_5C]
		mov	[esi+10h], eax
		mov	[esi+14h], edi
		movzx	ecx, cx
		add	ecx, 3
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_44], ecx
		mov	eax, [ebp+var_4C]
		lea	edi, [ecx+eax]
		cmp	edi, [ebp+arg_0]
		ja	loc_7E01D4
		cmp	edi, eax
		jbe	loc_7E01D4
		mov	[ebp+var_20], edi
		mov	eax, [ebp+var_48]
		movzx	esi, ax
		push	esi		; size_t
		mov	eax, [ebp+var_24]
		mov	eax, [edx+eax*4+0F54h]
		push	dword ptr [eax+34h] ; void *
		push	[ebp+var_58]	; void *
		call	_memcpy
		add	esp, 0Ch
		shr	esi, 1
		xor	ecx, ecx
		mov	eax, [ebp+var_58]
		mov	[eax+esi*2], cx
		mov	eax, [ebp+var_28]
		add	eax, [ebp+var_44]
		mov	ecx, [ebp+var_2C]
		mov	[ecx], eax
		mov	edx, [ebp+var_30]
		mov	esi, [ebp+var_50]

loc_7E018B:				; CODE XREF: MmGetPageFileInformation+79j
		mov	eax, [ebp+var_24]
		inc	eax
		mov	[ebp+var_24], eax
		jmp	loc_7E0072
; 

loc_7E0197:				; CODE XREF: MmGetPageFileInformation+68j
		mov	[ecx], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+arg_8]
		mov	[ecx], edi

loc_7E01A5:				; CODE XREF: MmGetPageFileInformation+1DFj
					; sub_8F9F4B+13j
		cmp	[ebp+var_19], 0
		jnz	loc_8F9F63

loc_7E01AF:				; CODE XREF: MmGetPageFileInformation+119F5Fj
		mov	eax, ebx

loc_7E01B1:				; CODE XREF: MmGetPageFileInformation+119F1Fj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7E01C3:				; CODE XREF: MmGetPageFileInformation+E6j
		mov	eax, [ebp+var_44]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_48]
		mov	[esi+1Ch], eax
		jmp	loc_7E00F8
; 

loc_7E01D4:				; CODE XREF: MmGetPageFileInformation+133j
					; MmGetPageFileInformation+13Bj
		mov	[ebp+var_20], edi
		mov	ecx, [ebp+arg_8]
		mov	[ecx], edi

loc_7E01DC:				; CODE XREF: MmGetPageFileInformation+119F2Cj
		mov	ebx, 0C0000004h
		mov	[ebp+var_34], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_7E01A5
MmGetPageFileInformation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpConstructAndCacheName proc near	; CODE XREF: CmpGetSymbolicLinkTarget+9D5p
					; CmCallbackGetKeyObjectID(x,x,x,x)+AEp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 008F9F70 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		lea	edx, [ebp-1]
		mov	[ebp+var_C], edi
		mov	ebx, ecx
		mov	[ebp+var_8], esi
		call	CmpGetCachedFullKCBName
		test	eax, eax
		jz	short loc_7E0228

loc_7E0211:				; CODE XREF: CmpConstructAndCacheName+6Dj
		test	edi, edi
		jnz	short loc_7E0262

loc_7E0215:				; CODE XREF: CmpConstructAndCacheName+76j
		xor	edi, edi

loc_7E0217:				; CODE XREF: CmpConstructAndCacheName+72j
		test	esi, esi
		jnz	loc_8F9F70

loc_7E021F:				; CODE XREF: CmpConstructAndCacheName+119D8Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7E0228:				; CODE XREF: CmpConstructAndCacheName+21j
		lea	edx, [ebp+var_8]
		mov	ecx, ebx
		call	CmpConstructNameWithStatus
		mov	edi, eax
		test	edi, edi
		js	short loc_7E025D
		mov	edx, [ebp+var_8]
		lea	ecx, [ebx+0A0h]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		neg	eax
		lea	edx, [ebp-1]
		mov	ecx, ebx
		sbb	esi, esi
		and	esi, [ebp+var_8]
		call	CmpGetCachedFullKCBName
		mov	edi, [ebp+var_C]
		jmp	short loc_7E0211
; 

loc_7E025D:				; CODE XREF: CmpConstructAndCacheName+48j
		mov	esi, [ebp+var_8]
		jmp	short loc_7E0217
; 

loc_7E0262:				; CODE XREF: CmpConstructAndCacheName+25j
		mov	[edi], eax
		jmp	short loc_7E0215
CmpConstructAndCacheName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpBlockOnLockedHandleEntry(x, x, x)
_ExpBlockOnLockedHandleEntry@12	proc near ; CODE XREF: ExLockHandleTableEntry(x,x)+30p
					; ExFastReferenceHandleTableEntry(x,x,x)+D7p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	4
		lea	eax, [ebp+arg_0]
		add	ecx, 20h
		push	eax
		call	ExBlockOnAddressPushLock
		pop	ebp
		retn	4
_ExpBlockOnLockedHandleEntry@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtStringIntern(x, x, x)
_PopEtStringIntern@12 proc near		; CODE XREF: PopEtEnergyContextSetState(x,x)+5Cp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	[ebp+var_14], ecx
		lea	eax, [ebp+var_14]
		mov	ecx, _PopEtGlobals
		push	esi
		mov	[ebp+var_20], eax
		xor	esi, esi
		lea	eax, ds:2[edx*2]
		mov	[ebp+var_18], esi
		lea	ecx, [ecx+20h]
		mov	[ebp+var_24], 10h
		lea	edx, [ebp+var_24]
		mov	[ebp+var_1C], 1
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], 2
		mov	[ebp+var_C], eax
		call	RtlInternTableIntern
		test	eax, eax
		jz	short loc_7E02DA
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax

loc_7E02D3:				; CODE XREF: PopEtStringIntern(x,x,x)+5Fj
		mov	eax, esi
		pop	esi
		leave
		retn	4
; 

loc_7E02DA:				; CODE XREF: PopEtStringIntern(x,x,x)+4Cj
		mov	esi, 0C000009Ah
		jmp	short loc_7E02D3
_PopEtStringIntern@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspIsSetJobIoAttributionJobPreCallback(x, x)
_PspIsSetJobIoAttributionJobPreCallback@8 proc near
					; DATA XREF: PspIsSetJobIoAttribution(x,x,x)+1Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+324h], 0
		jnz	short loc_7E02F9

loc_7E02F3:				; CODE XREF: PspIsSetJobIoAttributionJobPreCallback(x,x)+1Aj
		xor	eax, eax

loc_7E02F5:				; CODE XREF: PspIsSetJobIoAttributionJobPreCallback(x,x)+21j
		pop	ebp
		retn	8
; 

loc_7E02F9:				; CODE XREF: PspIsSetJobIoAttributionJobPreCallback(x,x)+Fj
		cmp	eax, [ebp+arg_4]
		jz	short loc_7E02F3
		mov	eax, 0C0000718h
		jmp	short loc_7E02F5
_PspIsSetJobIoAttributionJobPreCallback@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpTrackProviderBinary	proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+2FAp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F9F81 SIZE 000000CE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:_EtwpRegistrationObjectType
		mov	edx, [edx]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], ecx
		push	edi
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], edi
		push	ecx
		push	1
		push	eax
		push	800h
		push	edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_10], ebx
		test	ebx, ebx
		js	loc_7E03F7
		mov	esi, [ebp+var_4]
		mov	eax, [esi+10h]
		cmp	[eax+168h], edi
		jnz	loc_8F9F81

loc_7E0352:				; CODE XREF: EtwpTrackProviderBinary+119CACj
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	ecx, [esi+10h]
		xor	edx, edx
		add	ecx, 16Ch
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		mov	eax, [esi+10h]
		mov	edi, [ebp+var_4]
		mov	[eax+170h], ecx
		lea	eax, [edi+32h]
		test	byte ptr [eax],	20h
		jnz	short loc_7E03FC
		push	20h
		pop	ecx
		lock or	[eax], cx
		mov	ebx, [ebp+var_4]
		xor	edi, edi

loc_7E038E:				; CODE XREF: EtwpTrackProviderBinary+B0j
		mov	eax, [esi+10h]
		cmp	dword ptr [edi+eax+60h], 0
		jnz	loc_8F9FB7

loc_7E039C:				; CODE XREF: EtwpTrackProviderBinary+119CC5j
					; EtwpTrackProviderBinary+119CDFj
		mov	ecx, [esi+10h]
		mov	eax, [ecx+168h]
		test	eax, eax
		jnz	loc_8F9FEA

loc_7E03AD:				; CODE XREF: EtwpTrackProviderBinary+119CE9j
					; EtwpTrackProviderBinary+119D03j ...
		add	edi, 20h
		cmp	edi, 100h
		jb	short loc_7E038E
		mov	ebx, [ebp+var_10]
		mov	edi, [ebp+var_4]

loc_7E03BE:				; CODE XREF: EtwpTrackProviderBinary+F8j
		mov	eax, [esi+10h]
		xor	edx, edx
		and	dword ptr [eax+170h], 0
		mov	ecx, [esi+10h]
		add	ecx, 16Ch
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [esi+10h]
		mov	eax, [eax+168h]
		test	eax, eax
		jnz	loc_8FA028

loc_7E03EE:				; CODE XREF: EtwpTrackProviderBinary+119D44j
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, ebx

loc_7E03F7:				; CODE XREF: EtwpTrackProviderBinary+34j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7E03FC:				; CODE XREF: EtwpTrackProviderBinary+7Aj
		xor	ebx, ebx
		jmp	short loc_7E03BE
EtwpTrackProviderBinary	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInSwapStore	proc near		; CODE XREF: MmInSwapWorkingSet+9Ap

; FUNCTION CHUNK AT 008FA04F SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		push	0
		push	40h
		push	28h
		mov	esi, ecx
		mov	edx, 73536D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8FA04F
		push	ebx
		push	0
		push	0
		lea	ebx, [edi+14h]
		push	ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		and	dword ptr [edi], 0
		mov	edx, 73576D4Dh
		mov	ecx, esi
		mov	dword ptr [edi+8], offset _MiInSwapStoreWorker@4 ; MiInSwapStoreWorker(x)
		mov	[edi+0Ch], edi
		call	ObfReferenceObjectWithTag
		mov	eax, large fs:124h
		push	eax
		mov	[edi+10h], esi
		mov	dword ptr [edi+24h], 2
		call	_KeQueryPriorityThread@4 ; KeQueryPriorityThread(x)
		mov	edx, eax
		cmp	edx, 0Fh
		jge	short loc_7E046A
		inc	edx

loc_7E046A:				; CODE XREF: MiInSwapStore+67j
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		or	esi, 0FFFFFFFFh
		add	edx, 20h
		mov	ecx, edi
		push	dword ptr [eax+64h]
		push	esi
		call	ExQueueWorkItemToPartition
		push	offset _Mi30Milliseconds
		push	0
		push	0
		push	1Ah
		push	ebx
		call	KeWaitForSingleObject
		lea	eax, [edi+24h]
		lock xadd [eax], esi
		dec	esi
		pop	ebx
		jnz	short loc_7E04A4
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E04A4:				; CODE XREF: MiInSwapStore+9Aj
		xor	eax, eax

loc_7E04A6:				; CODE XREF: MiInSwapStore+119C54j
		pop	edi
		pop	esi
		leave
		retn
MiInSwapStore	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLockHashEntryShared proc near	; CODE XREF: CmpWalkOneLevel+6D5p
					; CmpFindSubkeyInHashByChildCell+82p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FA059 SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_0]
		mov	esi, ecx
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		imul	ecx, eax, 0Ch
		xor	edx, edx
		add	ecx, [esi+434h]
		call	ExAcquirePushLockSharedEx
		mov	ecx, esi
		call	_CmpReferenceHive@4 ; CmpReferenceHive(x)
		test	al, al
		jz	loc_8FA059
		pop	esi
		pop	ebp
		retn	4
CmpLockHashEntryShared endp


;  S U B	R O U T	I N E 


CmEqualTrans	proc near		; CODE XREF: CmpGetSymbolicLinkTarget+568p
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+228p ...
		mov	edi, edi
		push	esi
		test	ecx, ecx
		jnz	short loc_7E04E9

loc_7E04E5:				; CODE XREF: CmEqualTrans+Dj
		xor	al, al
		pop	esi
		retn
; 

loc_7E04E9:				; CODE XREF: CmEqualTrans+5j
		test	edx, edx
		jz	short loc_7E04E5
		cmp	ecx, edx
		jnz	loc_8FA069
		mov	al, 1
		pop	esi
		retn
CmEqualTrans	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVEAddHiveToSIDMappingTable(x, x)
_CmpVEAddHiveToSIDMappingTable@8 proc near
					; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+E8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, edx
		push	edi
		push	eax
		mov	[ebp+var_C], eax
		mov	edi, ecx
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_C]
		push	eax
		mov	[ebp+var_4], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, [esi+8]
		push	2
		pop	ebx
		push	5Ch
		movzx	ecx, word ptr [esi]
		mov	eax, [esi+4]
		sub	ecx, ebx
		shr	ecx, 1
		lea	eax, [eax+ecx*2]
		pop	ecx
		mov	[ebp+var_8], eax
		cmp	[eax], cx
		jz	short loc_7E0567
		mov	cx, word ptr [ebp+var_C+2]
		mov	dx, word ptr [ebp+var_C]
		push	5Ch
		pop	edi

loc_7E0547:				; CODE XREF: CmpVEAddHiveToSIDMappingTable(x,x)+68j
		sub	eax, ebx
		add	dx, bx
		add	cx, bx
		mov	[ebp+var_8], eax
		mov	word ptr [ebp+var_C], dx
		mov	word ptr [ebp+var_C+2],	cx
		cmp	eax, [esi+4]
		jb	short loc_7E0564
		cmp	[eax], di
		jnz	short loc_7E0547

loc_7E0564:				; CODE XREF: CmpVEAddHiveToSIDMappingTable(x,x)+63j
		mov	edi, [ebp+var_4]

loc_7E0567:				; CODE XREF: CmpVEAddHiveToSIDMappingTable(x,x)+40j
		add	eax, ebx
		lea	ecx, [ebp+var_C]
		mov	edx, edi
		mov	[ebp+var_8], eax
		call	CmpAddStringToMapping
		test	eax, eax
		js	short loc_7E0582
		or	[edi+980h], ebx
		xor	eax, eax

loc_7E0582:				; CODE XREF: CmpVEAddHiveToSIDMappingTable(x,x)+7Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpVEAddHiveToSIDMappingTable@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpAddStringToMapping proc near		; CODE XREF: CmpVEAddHiveToSIDMappingTable(x,x)+77p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FA08A SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	ecx, offset _CmpSIDMappingLock
		xor	esi, esi
		call	ExAcquireFastMutex
		mov	ecx, _CmpSIDToHiveMappingCount
		inc	ecx
		cmp	ecx, 1
		jb	loc_8FA08A
		mov	eax, _CmpSIDToHiveMappingSize
		cmp	ecx, eax
		jnb	loc_7E064F

loc_7E05C1:				; CODE XREF: CmpAddStringToMapping+F9j
					; CmpAddStringToMapping+119B35j
		mov	edx, _CmpSIDToHiveMappingCount
		mov	ecx, _CmpSIDToHiveMapping
		add	edx, edx
		mov	eax, [ebp+var_4]
		push	65564D43h
		mov	[ecx+edx*8+0Ch], eax
		mov	ax, [ebx]
		mov	[ecx+edx*8], ax
		mov	ax, [ebx]
		mov	[ecx+edx*8+2], ax
		movzx	eax, word ptr [ebx]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, _CmpSIDToHiveMappingCount
		mov	ecx, eax
		mov	edx, _CmpSIDToHiveMapping
		mov	eax, edi
		shl	eax, 4
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx
		mov	[eax+edx+4], ecx
		test	ecx, ecx
		jz	short loc_7E068C
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, ebx
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)
		mov	edx, [ebp+var_4]
		inc	edi
		mov	ecx, [ebp+var_8]
		mov	_CmpSIDToHiveMappingCount, edi
		mov	[edx+ecx+8], eax

loc_7E063E:				; CODE XREF: CmpAddStringToMapping+109j
					; CmpAddStringToMapping+119B07j
		mov	ecx, offset _CmpSIDMappingLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7E064F:				; CODE XREF: CmpAddStringToMapping+33j
		mov	edi, _CmpSIDToHiveMapping
		add	eax, 4
		push	65564D43h
		shl	eax, 4
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	_CmpSIDToHiveMapping, ecx
		test	ecx, ecx
		jz	loc_8FA094
		add	_CmpSIDToHiveMappingSize, 4
		test	edi, edi
		jz	loc_7E05C1
		jmp	loc_8FA09F
; 

loc_7E068C:				; CODE XREF: CmpAddStringToMapping+8Cj
					; CmpAddStringToMapping+119B12j
		mov	esi, 0C000009Ah
		jmp	short loc_7E063E
CmpAddStringToMapping endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspGetStandardHandleList proc near	; CODE XREF: PspSetupUserProcessAddressSpace+181p

var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	1Ch
		push	offset dword_6A44F8
		call	__SEH_prolog4
		mov	edi, edx
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [ecx+17Ch]
		mov	eax, [eax+10h]
		mov	[ebp+var_1C], eax
		add	eax, 18h
		mov	[ebp+var_20], eax
		test	al, 3
		jnz	short loc_7E06FF
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	short loc_7E0704

loc_7E06C7:				; CODE XREF: PspGetStandardHandleList+72j
		nop
		mov	al, [eax]
		mov	ecx, esi
		mov	[ebp+var_24], ecx
		mov	edx, [ebp+var_20]

loc_7E06D2:				; CODE XREF: PspGetStandardHandleList+4Dj
		cmp	ecx, 3
		jnb	short loc_7E06E3
		mov	eax, [edx+ecx*4]
		mov	[edi+ecx*4], eax
		inc	ecx
		mov	[ebp+var_24], ecx
		jmp	short loc_7E06D2
; 

loc_7E06E3:				; CODE XREF: PspGetStandardHandleList+41j
					; sub_8FA0D0+6j
		mov	[ebp+var_2C], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7E06FF:				; CODE XREF: PspGetStandardHandleList+27j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7E0704:				; CODE XREF: PspGetStandardHandleList+31j
		mov	eax, ecx
		jmp	short loc_7E06C7
PspGetStandardHandleList endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2439. SeAuditingHardLinkEventsWithContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditingHardLinkEventsWithContext(x, x, x)
		public _SeAuditingHardLinkEventsWithContext@12
_SeAuditingHardLinkEventsWithContext@12	proc near

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		movzx	eax, word ptr [edx+2]
		mov	ecx, eax
		test	al, 10h
		jz	short loc_7E0758
		test	cx, cx
		mov	ecx, [edx+0Ch]
		jns	short loc_7E0731
		lea	eax, [ecx+edx]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_7E0731:				; CODE XREF: SeAuditingHardLinkEventsWithContext(x,x,x)+18j
		test	ecx, ecx
		jz	short loc_7E0758
		xor	eax, eax
		cmp	ax, [ecx+4]
		jz	short loc_7E0758
		mov	dl, [ebp+arg_0]
		push	[ebp+arg_8]
		test	dl, dl
		setz	al
		movzx	eax, al
		push	eax
		push	75h
		pop	ecx
		call	SepAdtAuditThisEventWithContext
		test	al, al
		jnz	short loc_7E075E

loc_7E0758:				; CODE XREF: SeAuditingHardLinkEventsWithContext(x,x,x)+10j
					; SeAuditingHardLinkEventsWithContext(x,x,x)+25j ...
		xor	al, al

loc_7E075A:				; CODE XREF: SeAuditingHardLinkEventsWithContext(x,x,x)+52j
		pop	ebp
		retn	0Ch
; 

loc_7E075E:				; CODE XREF: SeAuditingHardLinkEventsWithContext(x,x,x)+48j
		mov	al, 1
		jmp	short loc_7E075A
_SeAuditingHardLinkEventsWithContext@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpAllocateMap(x, x, x, x)
_HvpAllocateMap@16 proc	near		; CODE XREF: HvpInitMap+13Dp
					; HvpExpandMap+18AA72p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_4], 400h
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_4], eax
		jnb	short loc_7E07BA
		mov	esi, [ebp+arg_0]

loc_7E077E:				; CODE XREF: HvpAllocateMap(x,x,x,x)+4Dj
		cmp	esi, [ebp+arg_4]
		ja	short loc_7E07B1
		push	39324D43h
		push	0
		push	1800h
		call	dword ptr [eax+0Ch]
		mov	edi, eax
		test	edi, edi
		jz	short loc_7E07BA
		push	1800h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	[ebx+esi*4], edi
		inc	esi
		jmp	short loc_7E077E
; 

loc_7E07B1:				; CODE XREF: HvpAllocateMap(x,x,x,x)+1Fj
		mov	al, 1

loc_7E07B3:				; CODE XREF: HvpAllocateMap(x,x,x,x)+5Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7E07BA:				; CODE XREF: HvpAllocateMap(x,x,x,x)+17j
					; HvpAllocateMap(x,x,x,x)+34j
		xor	al, al
		jmp	short loc_7E07B3
_HvpAllocateMap@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopIrqScoreRequirement(x)
_IopIrqScoreRequirement@4 proc near	; DATA XREF: IopIrqInitialize()+33o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+0Ch]
		sub	eax, [ecx+8]
		inc	eax
		pop	ebp
		retn	4
_IopIrqScoreRequirement@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2394. RtlUpcaseUnicodeStringToOemString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUpcaseUnicodeStringToOemString
RtlUpcaseUnicodeStringToOemString proc near

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008FA0DB SIZE 00000021 BYTES

		push	14h
		push	offset dword_6A4518
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	esi, [ebp+arg_4]
		push	esi
		call	_RtlxUnicodeStringToOemSize@4 ;	RtlxUnicodeStringToOemSize(x)
		cmp	eax, 0FFFFh
		ja	loc_8FA0DB
		movzx	edx, ax
		lea	ecx, [edx-1]
		mov	edi, [ebp+arg_0]
		mov	[edi], cx
		cmp	[ebp+arg_8], bl
		jnz	loc_7E0892
		cmp	cx, [edi+2]
		jnb	loc_8FA0E5

loc_7E081A:				; CODE XREF: RtlUpcaseUnicodeStringToOemString+CBj
		mov	[ebp+var_1C], ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	[ebp+var_24], 1
		movzx	eax, word ptr [esi]
		push	eax
		push	dword ptr [esi+4]
		lea	eax, [ebp+var_20]
		push	eax
		movzx	eax, word ptr [edi]
		push	eax
		push	dword ptr [edi+4]
		call	RtlUpcaseUnicodeToOemN
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	short loc_7E086B
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		call	RtlpDidUnicodeToOemWork
		test	al, al
		jz	loc_8FA0EF

loc_7E0859:				; CODE XREF: RtlUpcaseUnicodeStringToOemString+119921j
		test	esi, esi
		js	short loc_7E086B
		mov	ecx, [edi+4]
		mov	eax, [ebp+var_20]
		mov	[eax+ecx], bl
		mov	esi, ebx
		mov	[ebp+var_1C], esi

loc_7E086B:				; CODE XREF: RtlUpcaseUnicodeStringToOemString+6Fj
					; RtlUpcaseUnicodeStringToOemString+85j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_24], 0
		call	sub_7E08AE
		mov	eax, esi

loc_7E0880:				; CODE XREF: RtlUpcaseUnicodeStringToOemString+D6j
					; RtlUpcaseUnicodeStringToOemString+11990Aj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7E0892:				; CODE XREF: RtlUpcaseUnicodeStringToOemString+34j
		mov	[edi+2], dx
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[edi+4], eax
		test	eax, eax
		jnz	loc_7E081A
		mov	eax, 0C0000017h
		jmp	short loc_7E0880
RtlUpcaseUnicodeStringToOemString endp


;  S U B	R O U T	I N E 


sub_7E08AE	proc near		; CODE XREF: RtlUpcaseUnicodeStringToOemString+A3p
					; sub_8FA0FC+8j

; FUNCTION CHUNK AT 008FA109 SIZE 00000016 BYTES

		cmp	[ebp-24h], ebx
		jnz	loc_8FA109
		test	esi, esi
		js	loc_8FA109

locret_7E08BF:				; CODE XREF: sub_7E08AE+11985Fj
		retn
sub_7E08AE	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpInitializeLoggerSecurityDescriptor(x, x)
_EtwpInitializeLoggerSecurityDescriptor@8 proc near ; CODE XREF: EtwpStartLogger+6C5p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	8
		push	eax
		push	edx
		mov	esi, ecx
		call	ObLogSecurityDescriptor
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_7E08EC
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	short loc_7E08F1
		and	[esi+238h], eax

loc_7E08EC:				; CODE XREF: EtwpInitializeLoggerSecurityDescriptor(x,x)+1Dj
					; EtwpInitializeLoggerSecurityDescriptor(x,x)+3Aj
		mov	eax, ecx
		pop	esi
		leave
		retn
; 

loc_7E08F1:				; CODE XREF: EtwpInitializeLoggerSecurityDescriptor(x,x)+24j
		add	eax, 7
		mov	[esi+238h], eax
		jmp	short loc_7E08EC
_EtwpInitializeLoggerSecurityDescriptor@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpStartTrace(x, x)
_EtwpStartTrace@8 proc near		; CODE XREF: NtTraceControl(x,x,x,x,x,x)+211p
					; EtwWmitraceWorker()+281p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	esi, edx
		mov	ebx, ecx
		nop
		xor	eax, eax
		lea	edi, [ebx+0A88h]
		push	eax
		push	eax
		push	eax
		push	eax
		push	edi
		call	KeWaitForSingleObject
		mov	edx, esi
		mov	ecx, ebx
		call	EtwpStartLogger
		push	0
		push	edi
		mov	esi, eax
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_EtwpStartTrace@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQueryTimerResolution proc near	; DATA XREF: .text:00580DE8o

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FA141 SIZE 00000023 BYTES

		push	0Ch
		push	offset dword_6A4538
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	loc_8FA141
		and	[ebp+ms_exc.disabled], 0
		mov	edx, [ebp+arg_0]
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	short loc_7E09D2

loc_7E097A:				; CODE XREF: NtQueryTimerResolution+8Cj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	esi, [ebp+arg_4]
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	short loc_7E09D6

loc_7E098C:				; CODE XREF: NtQueryTimerResolution+90j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	edi, [ebp+arg_8]
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	short loc_7E09DA

loc_7E099E:				; CODE XREF: NtQueryTimerResolution+94j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, ds:_KeMaximumIncrement
		mov	[edx], eax
		mov	eax, ds:_KeMinimumIncrement
		mov	[esi], eax
		mov	eax, ds:_KeTimeIncrement
		mov	[edi], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7E09BE:				; CODE XREF: NtQueryTimerResolution+119817j
		xor	eax, eax

loc_7E09C0:				; CODE XREF: sub_8FA12F+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7E09D2:				; CODE XREF: NtQueryTimerResolution+30j
		mov	ecx, eax
		jmp	short loc_7E097A
; 

loc_7E09D6:				; CODE XREF: NtQueryTimerResolution+42j
		mov	ecx, eax
		jmp	short loc_7E098C
; 

loc_7E09DA:				; CODE XREF: NtQueryTimerResolution+54j
		mov	ecx, eax
		jmp	short loc_7E099E
NtQueryTimerResolution endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfRegisterPermanentName proc near	; CODE XREF: NtCreateWnfStateName+25Dp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FA164 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_0]
		push	22h
		pop	eax
		mov	[ebp+var_38], ebx
		mov	word ptr [ebp+var_38+2], ax
		lea	eax, [ebp+var_28]
		push	esi
		mov	[ebp+var_2C], ecx
		lea	ecx, [ebp+var_38]
		push	edi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_34], eax
		call	_ExpWnfComposeValueName@12 ; ExpWnfComposeValueName(x,x,x)
		shrd	edi, esi, 4
		lea	edx, [ebp+var_30]
		and	edi, 3
		mov	ecx, edi
		call	ExpWnfGetNameStoreRegistryRoot
		mov	esi, eax
		test	esi, esi
		js	short loc_7E0A9B
		mov	edi, [ebp+var_2C]
		push	dword ptr [edi+8]
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	esi, eax
		lea	eax, [esi+4]
		mov	[ebp+var_2C], eax
		cmp	[edi+4], ebx
		jnz	short loc_7E0AAE

loc_7E0A4A:				; CODE XREF: ExpWnfRegisterPermanentName+D6j
		push	20666E57h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7E0AB6
		push	esi		; size_t
		push	dword ptr [edi+8] ; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [edi]
		add	esp, 0Ch
		mov	[esi+ebx], eax
		mov	eax, [edi+4]
		test	eax, eax
		jnz	loc_8FA164

loc_7E0A7A:				; CODE XREF: ExpWnfRegisterPermanentName+119791j
		push	[ebp+var_2C]
		lea	eax, [ebp+var_38]
		push	ebx
		push	3
		push	0
		push	eax
		push	[ebp+var_30]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		push	20666E57h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E0A9B:				; CODE XREF: ExpWnfRegisterPermanentName+52j
					; ExpWnfRegisterPermanentName+DDj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_7E0AAE:				; CODE XREF: ExpWnfRegisterPermanentName+6Aj
		lea	eax, [esi+14h]
		mov	[ebp+var_2C], eax
		jmp	short loc_7E0A4A
; 

loc_7E0AB6:				; CODE XREF: ExpWnfRegisterPermanentName+7Dj
		mov	esi, 0C000009Ah
		jmp	short loc_7E0A9B
ExpWnfRegisterPermanentName endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpCompareNamespaceEntry(x,	x)
_ObpCompareNamespaceEntry@8 proc near	; CODE XREF: ObpLookupNamespaceEntry(x,x)+30p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ecx+1Ch]
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], esi
		cmp	eax, [edx+1Ch]
		jnz	short loc_7E0B0B
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edx
		add	ecx, 18h
		push	eax
		mov	edx, offset _ObpCompareEntryLevel1@8 ; ObpCompareEntryLevel1(x,x)
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], esi
		call	RtlEnumerateBoundaryDescriptorEntries
		test	eax, eax
		js	short loc_7E0B0B
		cmp	[ebp+var_4], esi
		jl	short loc_7E0B0B
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+var_C]
		jnz	short loc_7E0B0B
		xor	eax, eax
		inc	eax

loc_7E0B08:				; CODE XREF: ObpCompareNamespaceEntry(x,x)+4Fj
		pop	esi
		leave
		retn
; 

loc_7E0B0B:				; CODE XREF: ObpCompareNamespaceEntry(x,x)+14j
					; ObpCompareNamespaceEntry(x,x)+38j ...
		xor	eax, eax
		jmp	short loc_7E0B08
_ObpCompareNamespaceEntry@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetJobLimitsJobPostCallback proc near ; DATA	XREF: sub_759647+5FEo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FA174 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		test	byte ptr [eax+4], 1
		jz	loc_8FA174

loc_7E0B22:				; CODE XREF: PspSetJobLimitsJobPostCallback+119669j
					; PspSetJobLimitsJobPostCallback+119674j
		xor	eax, eax
		pop	ebp
		retn	8
PspSetJobLimitsJobPostCallback endp


;  S U B	R O U T	I N E 


; __stdcall CmpDelayFreeRMWorker(x)
_CmpDelayFreeRMWorker@4	proc near	; DATA XREF: CmpInitializeTransactions()+D2o
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, offset _CmpDelayFreeRMLock
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	ebx, offset _CmpDelayFreeRMListHead

loc_7E0B3E:				; CODE XREF: CmpDelayFreeRMWorker(x)+69j
		mov	esi, _CmpDelayFreeRMListHead
		cmp	esi, ebx
		jz	short loc_7E0B93
		cmp	[esi+4], ebx
		jnz	short loc_7E0BA7
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_7E0BA7
		mov	_CmpDelayFreeRMListHead, eax
		mov	ecx, edi
		mov	[eax+4], ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		push	dword ptr [esi+50h]
		call	ExDeleteResourceLite
		push	0
		push	dword ptr [esi+50h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	6D524D43h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, edi
		call	ExAcquireFastMutex
		jmp	short loc_7E0B3E
; 

loc_7E0B93:				; CODE XREF: CmpDelayFreeRMWorker(x)+1Ej
		mov	ecx, edi
		mov	_CmpDelayFreeRMWorkItemActive, 0
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		pop	esi
		pop	ebx
		retn	4
; 

loc_7E0BA7:				; CODE XREF: CmpDelayFreeRMWorker(x)+23j
					; CmpDelayFreeRMWorker(x)+2Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmpDelayFreeRMWorker@4	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetJobNotificationCountCallback(x, x)
_PspSetJobNotificationCountCallback@8 proc near	; DATA XREF: sub_759647+85Eo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	edx, [ecx+1A0h]
		cmp	dword ptr [eax], 0
		lea	eax, [edx+1]
		jz	short loc_7E0BD1

loc_7E0BC5:				; CODE XREF: PspSetJobNotificationCountCallback(x,x)+28j
		mov	[ecx+1A0h], eax
		xor	eax, eax
		pop	ebp
		retn	8
; 

loc_7E0BD1:				; CODE XREF: PspSetJobNotificationCountCallback(x,x)+17j
		lea	eax, [edx-1]
		jmp	short loc_7E0BC5
_PspSetJobNotificationCountCallback@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 217. CcMdlWriteComplete

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcMdlWriteComplete(x, x, x)
		public _CcMdlWriteComplete@12
_CcMdlWriteComplete@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	IoGetRelatedDeviceObject
		mov	edx, eax
		mov	ecx, [edx+8]
		mov	ecx, [ecx+28h]
		test	ecx, ecx
		jz	short loc_7E0C15
		cmp	dword ptr [ecx], 4Ch
		jbe	short loc_7E0C15
		mov	eax, [ecx+4Ch]
		test	eax, eax
		jz	short loc_7E0C15
		push	edx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax
		test	al, al
		jz	short loc_7E0C15

loc_7E0C11:				; CODE XREF: CcMdlWriteComplete(x,x,x)+47j
		pop	ebp
		retn	0Ch
; 

loc_7E0C15:				; CODE XREF: CcMdlWriteComplete(x,x,x)+17j
					; CcMdlWriteComplete(x,x,x)+1Cj ...
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	CcMdlWriteComplete2
		jmp	short loc_7E0C11
_CcMdlWriteComplete@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfGetPermanentDataStoreHandle proc near ; CODE XREF: ExpWnfCreateNameInstance+263p
					; ExpWnfDeletePermanentStateData(x,x,x)+6Fp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FA189 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		xor	eax, eax
		mov	[ebp+var_4], eax
		push	edi
		mov	edi, ecx
		cmp	edx, 3
		jz	short loc_7E0C90
		cmp	edx, 2
		jz	short loc_7E0C90
		push	24h

loc_7E0C42:				; CODE XREF: ExpWnfGetPermanentDataStoreHandle+6Cj
		pop	ecx
		lea	esi, [ecx+edi]
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_7E0C59

loc_7E0C4C:				; CODE XREF: ExpWnfGetPermanentDataStoreHandle+68j
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		xor	eax, eax

loc_7E0C53:				; CODE XREF: ExpWnfGetPermanentDataStoreHandle+53j
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_7E0C59:				; CODE XREF: ExpWnfGetPermanentDataStoreHandle+24j
		cmp	edx, 3
		jz	short loc_7E0C94
		cmp	edx, 2
		jz	short loc_7E0C94

loc_7E0C63:				; CODE XREF: ExpWnfGetPermanentDataStoreHandle+71j
		lea	ecx, [ebp+var_4]
		push	ecx
		push	[ebp+arg_0]
		push	eax
		push	ecx
		push	dword ptr [edi+10h]
		mov	ecx, [edi+8]
		call	ExpWnfGetPermanentDataStoreHandleByScopeId
		test	eax, eax
		js	short loc_7E0C53
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jnz	loc_8FA189

loc_7E0C8C:				; CODE XREF: ExpWnfGetPermanentDataStoreHandle+11956Bj
		mov	ecx, [esi]
		jmp	short loc_7E0C4C
; 

loc_7E0C90:				; CODE XREF: ExpWnfGetPermanentDataStoreHandle+13j
					; ExpWnfGetPermanentDataStoreHandle+18j
		push	28h
		jmp	short loc_7E0C42
; 

loc_7E0C94:				; CODE XREF: ExpWnfGetPermanentDataStoreHandle+36j
					; ExpWnfGetPermanentDataStoreHandle+3Bj
		xor	eax, eax
		inc	eax
		jmp	short loc_7E0C63
ExpWnfGetPermanentDataStoreHandle endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelperSetBlockerVisible(x, x)
_SleepstudyHelperSetBlockerVisible@8 proc near ; DATA XREF: .data:006B35FCo

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, 0C000000Dh
		test	ecx, ecx
		jz	short loc_7E0CB3
		mov	al, [ebp+arg_4]
		mov	[ecx+34h], al
		xor	eax, eax

loc_7E0CB3:				; CODE XREF: SleepstudyHelperSetBlockerVisible(x,x)+Fj
		pop	ebp
		retn	8
_SleepstudyHelperSetBlockerVisible@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


MiFreePlaceholderStorage proc near	; CODE XREF: MiDeletePartialVad+DD416p
					; MiMapViewOfDataSection+8E4p ...

; FUNCTION CHUNK AT 008FA196 SIZE 00000011 BYTES

		mov	edi, edi
		push	esi
		mov	edx, 80h
		call	MiGetVadWakeList
		mov	esi, eax
		test	esi, esi
		jnz	loc_8FA196
		pop	esi
		retn
MiFreePlaceholderStorage endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1809. PsGetProcessSecurityPort

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessSecurityPort(x)
		public _PsGetProcessSecurityPort@4
_PsGetProcessSecurityPort@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+1BCh]
		pop	ebp
		retn	4
_PsGetProcessSecurityPort@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiUEventHandleUnregisterClient(x)
_PiUEventHandleUnregisterClient@4 proc near ; CODE XREF: PiUEventHandleIoctl+66p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, [ecx+10h]
		xor	ebx, ebx
		test	esi, esi
		jz	short loc_7E0D0D
		mov	ecx, [esi+8]
		call	ExAcquireFastMutex
		mov	ecx, [esi+8]
		mov	[esi+54h], bl
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_7E0D08:				; CODE XREF: PiUEventHandleUnregisterClient(x)+2Aj
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
; 

loc_7E0D0D:				; CODE XREF: PiUEventHandleUnregisterClient(x)+Bj
		mov	ebx, 0C000000Dh
		jmp	short loc_7E0D08
_PiUEventHandleUnregisterClient@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtMakeTemporaryObject proc near		; CODE XREF: IopReassignSystemRoot(x,x)+17Ep
					; DATA XREF: .text:00580F98o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FA1A7 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, large fs:124h
		xor	ecx, ecx
		push	esi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_C], al
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ecx
		push	eax
		push	[ebp+var_C]
		push	ecx
		push	10000h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7E0D72
		push	[ebp+var_8]
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)
		test	byte ptr [ebp+var_14], 4
		jnz	loc_8FA1A7

loc_7E0D68:				; CODE XREF: NtMakeTemporaryObject+11949Ej
		mov	ecx, [ebp+var_8]
		call	ObfDereferenceObject
		mov	eax, esi

loc_7E0D72:				; CODE XREF: NtMakeTemporaryObject+40j
		pop	esi
		leave
		retn	4
NtMakeTemporaryObject endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1629. ObMakeTemporaryObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObMakeTemporaryObject(x)
		public _ObMakeTemporaryObject@4
_ObMakeTemporaryObject@4 proc near	; CODE XREF: IoDeleteDevice+15Ep
					; IopCompleteUnloadOrDelete+D42A9p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [edi-10h]
		call	ExAcquirePushLockExclusiveEx
		and	byte ptr [edi-9], 0EFh
		lea	ecx, [edi-10h]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	ecx, [edi-18h]
		call	ObpDeleteNameCheck
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_ObMakeTemporaryObject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetCorrectKcbLockOrder proc near	; CODE XREF: CmpLockTwoKcbsShared(x,x)+3Fp
					; CmpUnlockTwoKcbs+65p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FA1B7 SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+4]
		push	esi
		mov	esi, [edx+4]
		push	edi
		shr	eax, 15h
		mov	edi, 3FFh
		shr	esi, 15h
		and	eax, edi
		and	esi, edi
		cmp	eax, esi
		jbe	short loc_7E0DF8

loc_7E0DE6:				; CODE XREF: CmpGetCorrectKcbLockOrder+119400j
					; CmpGetCorrectKcbLockOrder+119422j ...
		mov	esi, ecx

loc_7E0DE8:				; CODE XREF: CmpGetCorrectKcbLockOrder+3Cj
		mov	eax, [ebp+arg_0]
		pop	edi
		mov	[eax], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		pop	esi
		pop	ebp
		retn	8
; 

loc_7E0DF8:				; CODE XREF: CmpGetCorrectKcbLockOrder+1Ej
		jnb	loc_8FA1B7

loc_7E0DFE:				; CODE XREF: CmpGetCorrectKcbLockOrder+119411j
					; CmpGetCorrectKcbLockOrder+119428j ...
		mov	esi, edx
		mov	edx, ecx
		jmp	short loc_7E0DE8
CmpGetCorrectKcbLockOrder endp

; Exported entry 1929. PsWow64IsMachineSupported

;  S U B	R O U T	I N E 


; __stdcall NtCompleteConnectPort(x)
		public _NtCompleteConnectPort@4
_NtCompleteConnectPort@4 proc near	; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+280p
					; KeBugCheck2(x,x,x,x,x,x)+9BFp ...
		xor	eax, eax
		retn	4
_NtCompleteConnectPort@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsQueryProcessSignatureMitigationPolicy(x, x)
_PsQueryProcessSignatureMitigationPolicy@8 proc	near ; CODE XREF: PAGE:0083DFBFp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		and	dword ptr [esi], 0
		mov	edi, [ebx+490h]
		mov	cl, [ebx+3A4h]
		cmp	cl, 8
		jb	short loc_7E0E35
		cmp	byte ptr [ebx+3A5h], 8
		jnb	short loc_7E0E89

loc_7E0E35:				; CODE XREF: PsQueryProcessSignatureMitigationPolicy(x,x)+20j
		mov	eax, dword_6BEA40
		test	eax, eax
		jz	short loc_7E0E47
		push	6
		push	ecx
		call	eax
		test	eax, eax
		jnz	short loc_7E0E66

loc_7E0E47:				; CODE XREF: PsQueryProcessSignatureMitigationPolicy(x,x)+32j
					; PsQueryProcessSignatureMitigationPolicy(x,x)+64j ...
		test	edi, 1000000h
		jnz	short loc_7E0E93
		test	edi, 2000000h
		jnz	short loc_7E0E98

loc_7E0E57:				; CODE XREF: PsQueryProcessSignatureMitigationPolicy(x,x)+7Dj
					; PsQueryProcessSignatureMitigationPolicy(x,x)+82j ...
		test	edi, 800000h
		jnz	short loc_7E0E8E

loc_7E0E5F:				; CODE XREF: PsQueryProcessSignatureMitigationPolicy(x,x)+87j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7E0E66:				; CODE XREF: PsQueryProcessSignatureMitigationPolicy(x,x)+3Bj
		mov	ecx, dword_6BEA40
		test	ecx, ecx
		jz	short loc_7E0E47
		mov	al, [ebx+3A5h]
		mov	byte ptr [ebp+arg_4], al
		push	6
		push	[ebp+arg_4]
		call	ecx
		test	eax, eax
		jz	short loc_7E0E47
		or	dword ptr [esi], 2
		jmp	short loc_7E0E57
; 

loc_7E0E89:				; CODE XREF: PsQueryProcessSignatureMitigationPolicy(x,x)+29j
		or	dword ptr [esi], 1
		jmp	short loc_7E0E57
; 

loc_7E0E8E:				; CODE XREF: PsQueryProcessSignatureMitigationPolicy(x,x)+53j
		or	dword ptr [esi], 4
		jmp	short loc_7E0E5F
; 

loc_7E0E93:				; CODE XREF: PsQueryProcessSignatureMitigationPolicy(x,x)+43j
		or	dword ptr [esi], 8
		jmp	short loc_7E0E57
; 

loc_7E0E98:				; CODE XREF: PsQueryProcessSignatureMitigationPolicy(x,x)+4Bj
		or	dword ptr [esi], 10h
		jmp	short loc_7E0E57
_PsQueryProcessSignatureMitigationPolicy@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpDeleteSymbolicLinkName proc near	; CODE XREF: ObpDeleteNameCheck:loc_8CA119p
					; ObpMarkDirectoryObjectsTemporary+E5C85p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FA201 SIZE 0000008F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, [ebx+10h]
		test	esi, esi
		jnz	loc_8FA201

loc_7E0EB4:				; CODE XREF: ObpDeleteSymbolicLinkName+1193EDj
		pop	esi
		pop	ebx
		leave
		retn
ObpDeleteSymbolicLinkName endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; 
; Exported entry 1575. NtReadFileScatter

; __stdcall NtReadFileScatter(x, x, x, x, x, x,	x, x, x)
		public _NtReadFileScatter@36
_NtReadFileScatter@36:			; DATA XREF: .text:00580DB8o
		push	44h
		push	offset dword_6A4558
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp-24h], ebx
		mov	[ebp-20h], ebx
		mov	[ebp-28h], ebx
		mov	[ebp-30h], ebx
		mov	[ebp-54h], ebx
		mov	[ebp-50h], ebx
		mov	eax, large fs:124h
		mov	[ebp-48h], eax
		mov	al, [eax+15Ah]
		mov	[ebp-19h], al
		mov	[ebp-2Ch], al
		push	ebx
		lea	eax, [ebp-24h]
		push	eax
		push	dword ptr [ebp-2Ch]
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+8]
		call	IopReferenceFileObject
		test	eax, eax
		js	loc_7E141F
		mov	esi, [ebp-24h]
		push	esi
		call	IoGetRelatedDeviceObject
		mov	edx, eax
		mov	[ebp+8], edx
		lea	eax, [esi+2Ch]
		mov	[ebp-34h], eax
		mov	ecx, [eax]
		test	cl, 8
		jz	loc_7E1413
		test	cl, 2
		jnz	loc_7E1413
		test	byte ptr [edx+1Ch], 4
		jnz	loc_7E1413
		mov	eax, [edx+2Ch]
		cmp	eax, 8
		jz	short loc_7E0F6F
		cmp	eax, 6
		jz	short loc_7E0F6F
		cmp	eax, 20h
		jz	short loc_7E0F6F
		cmp	eax, 3
		jz	short loc_7E0F6F
		cmp	eax, 14h
		jz	short loc_7E0F6F
		cmp	eax, 9
		jz	short loc_7E0F6F
		cmp	eax, 36h
		jz	short loc_7E0F6F
		cmp	eax, 53h
		jnz	loc_7E1413

loc_7E0F6F:				; CODE XREF: PAGE:007E0F46j
					; PAGE:007E0F4Bj ...
		mov	edx, [ebp+20h]
		mov	edi, edx
		and	edi, 0FFFh
		neg	edi
		sbb	edi, edi
		neg	edi
		mov	eax, edx
		shr	eax, 0Ch
		add	edi, eax
		mov	[ebp-44h], edi
		cmp	[ebp-19h], bl
		jz	loc_7E1115
		mov	[ebp-38h], ebx
		mov	[ebp-4], ebx
		mov	ecx, [ebp+18h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_7E0FA7
		mov	ecx, eax

loc_7E0FA7:				; CODE XREF: PAGE:007E0FA3j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	esi, [ebp-24h]
		cmp	[esi+6Ch], ebx
		jz	short loc_7E0FCC
		cmp	dword ptr [ebp+10h], 0
		jz	short loc_7E0FCC

loc_7E0FB9:				; CODE XREF: PAGE:007E102Bj
					; PAGE:007E1040j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7E141A
; 

loc_7E0FCC:				; CODE XREF: PAGE:007E0FB1j
					; PAGE:007E0FB7j
		mov	ecx, [ebp+24h]
		test	ecx, ecx
		jz	short loc_7E0FFD
		mov	edx, ecx
		test	cl, 3
		jnz	loc_7E1431
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_7E0FE9
		mov	edx, eax

loc_7E0FE9:				; CODE XREF: PAGE:007E0FE5j
		nop
		mov	al, [edx]
		mov	esi, [ebp-24h]
		mov	eax, [ecx]
		mov	[ebp-54h], eax
		mov	eax, [ecx+4]
		mov	[ebp-50h], eax
		mov	edx, [ebp+20h]

loc_7E0FFD:				; CODE XREF: PAGE:007E0FD1j
		mov	eax, [ebp-34h]
		test	byte ptr [eax],	8
		jz	short loc_7E1046
		mov	eax, [ebp+8]
		movzx	eax, word ptr [eax+0ACh]
		mov	[ebp-34h], eax
		test	ax, ax
		jz	short loc_7E1030
		movzx	eax, ax
		mov	[ebp-40h], eax
		dec	eax
		test	eax, edx
		jz	short loc_7E102D
		mov	eax, edx
		xor	edx, edx
		div	dword ptr [ebp-40h]
		test	edx, edx
		jnz	short loc_7E0FB9

loc_7E102D:				; CODE XREF: PAGE:007E1020j
		mov	eax, [ebp-34h]

loc_7E1030:				; CODE XREF: PAGE:007E1015j
		test	ecx, ecx
		jz	short loc_7E1046
		test	ax, ax
		jz	short loc_7E1046
		movzx	eax, ax
		dec	eax
		test	[ebp-54h], eax
		jnz	loc_7E0FB9

loc_7E1046:				; CODE XREF: PAGE:007E1003j
					; PAGE:007E1032j ...
		mov	eax, edi
		shl	eax, 3
		mov	[ebp-34h], eax
		test	eax, eax
		jz	short loc_7E107B
		test	byte ptr [ebp+1Ch], 3
		jnz	loc_7E1439
		mov	edx, [ebp+1Ch]
		lea	edi, [eax+edx]
		mov	ecx, ds:_MmUserProbeAddress
		mov	[ebp-40h], ecx
		cmp	edi, ecx
		mov	ecx, [ebp+24h]
		ja	short loc_7E1076
		cmp	edi, edx
		jnb	short loc_7E107B

loc_7E1076:				; CODE XREF: PAGE:007E1070j
		mov	edx, [ebp-40h]
		mov	[edx], bl

loc_7E107B:				; CODE XREF: PAGE:007E1050j
					; PAGE:007E1074j
		cmp	dword ptr [ebp+20h], 0
		jz	short loc_7E10C1
		mov	edx, eax
		xor	ecx, ecx
		inc	ecx
		call	sub_4F0630
		mov	edi, eax
		mov	[ebp-20h], edi
		push	dword ptr [ebp-34h]
		push	dword ptr [ebp+1Ch]
		push	edi
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+1Ch], edi
		mov	edx, ebx
		mov	ecx, [ebp-44h]

loc_7E10A7:				; CODE XREF: PAGE:007E10BCj
		cmp	edx, ecx
		jnb	short loc_7E10BE
		mov	eax, [edi+edx*8]
		and	eax, 0FFFh
		or	eax, ebx
		jnz	loc_7E143E
		inc	edx
		jmp	short loc_7E10A7
; 

loc_7E10BE:				; CODE XREF: PAGE:007E10A9j
		mov	ecx, [ebp+24h]

loc_7E10C1:				; CODE XREF: PAGE:007E107Fj
		mov	eax, [ebp+28h]
		test	eax, eax
		jz	short loc_7E10DD
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		jb	short loc_7E10D4
		mov	eax, edx

loc_7E10D4:				; CODE XREF: PAGE:007E10D0j
		nop
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	esi, [ebp-24h]

loc_7E10DD:				; CODE XREF: PAGE:007E10C6j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7E1133
; 

loc_7E10E6:				; DATA XREF: .text:006A456Co
		lea	edx, [ebp-38h]
		mov	ecx, [ebp-14h]
		call	_IopExceptionFilter@8 ;	IopExceptionFilter(x,x)
		retn
; 

loc_7E10F2:				; DATA XREF: .text:006A4570o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-24h]
		call	ObfDereferenceObject
		cmp	dword ptr [ebp-20h], 0
		jz	short loc_7E110D
		push	0
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E110D:				; CODE XREF: PAGE:007E1101j
		mov	eax, [ebp-38h]
		jmp	loc_7E140A
; 

loc_7E1115:				; CODE XREF: PAGE:007E0F8Dj
		mov	ecx, [ebp+24h]
		test	ecx, ecx
		jz	short loc_7E1127
		mov	eax, [ecx]
		mov	[ebp-54h], eax
		mov	eax, [ecx+4]
		mov	[ebp-50h], eax

loc_7E1127:				; CODE XREF: PAGE:007E111Aj
		mov	eax, [ebp+28h]
		test	eax, eax
		jz	short loc_7E1133
		mov	eax, [eax]
		mov	[ebp-30h], eax

loc_7E1133:				; CODE XREF: PAGE:007E10E4j
					; PAGE:007E112Cj
		cmp	dword ptr [ebp+0Ch], 0
		jz	short loc_7E1187
		mov	eax, ds:_ExEventObjectType
		mov	[ebp-3Ch], ebx
		push	ebx
		lea	ecx, [ebp-3Ch]
		push	ecx
		push	dword ptr [ebp-2Ch]
		push	eax
		push	2
		push	dword ptr [ebp+0Ch]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+28h], eax
		mov	ecx, [ebp-3Ch]
		mov	[ebp-28h], ecx
		test	eax, eax
		jns	short loc_7E117E
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	edi, [ebp-20h]
		test	edi, edi
		jz	short loc_7E1176
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E1176:				; CODE XREF: PAGE:007E116Dj
		mov	eax, [ebp+28h]
		jmp	loc_7E141F
; 

loc_7E117E:				; CODE XREF: PAGE:007E115Fj
		push	ecx
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	ecx, [ebp+24h]

loc_7E1187:				; CODE XREF: PAGE:007E1137j
		lea	eax, [esi+2Ch]
		mov	[ebp+0Ch], eax
		mov	eax, [eax]
		test	al, 2
		jz	loc_7E1242
		shr	eax, 2
		and	al, 1
		mov	[ebp+28h], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ebx
		mov	esi, [ebp-24h]
		lea	ecx, [esi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	[ebp-1Ah], bl
		xor	edx, edx
		inc	edx
		lea	ecx, [esi+44h]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	short loc_7E11DD
		test	eax, eax
		jz	short loc_7E11D2
		or	byte ptr [eax+0Eh], 1

loc_7E11D2:				; CODE XREF: PAGE:007E11CCj
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edi, ebx
		jmp	short loc_7E11F1
; 

loc_7E11DD:				; CODE XREF: PAGE:007E11C8j
		lea	ecx, [ebp-1Ah]
		push	ecx
		push	eax
		push	dword ptr [ebp+28h]
		mov	dl, [ebp-19h]
		mov	ecx, esi
		call	IopWaitAndAcquireFileObjectLock
		mov	edi, eax

loc_7E11F1:				; CODE XREF: PAGE:007E11DBj
		cmp	byte ptr [ebp-1Ah], 0
		jz	short loc_7E1220
		mov	ecx, [ebp-28h]
		test	ecx, ecx
		jz	short loc_7E1203
		call	ObfDereferenceObject

loc_7E1203:				; CODE XREF: PAGE:007E11FCj
		mov	ecx, esi
		call	ObfDereferenceObject
		cmp	dword ptr [ebp-20h], 0
		jz	short loc_7E1219
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E1219:				; CODE XREF: PAGE:007E120Ej
		mov	eax, edi
		jmp	loc_7E141F
; 

loc_7E1220:				; CODE XREF: PAGE:007E11F5j
		cmp	dword ptr [ebp+24h], 0
		jz	short loc_7E1232
		cmp	dword ptr [ebp-54h], 0FFFFFFFEh
		jnz	short loc_7E123E
		cmp	dword ptr [ebp-50h], 0FFFFFFFFh
		jnz	short loc_7E123E

loc_7E1232:				; CODE XREF: PAGE:007E1224j
		mov	eax, [esi+38h]
		mov	[ebp-54h], eax
		mov	eax, [esi+3Ch]
		mov	[ebp-50h], eax

loc_7E123E:				; CODE XREF: PAGE:007E122Aj
					; PAGE:007E1230j
		mov	al, 1
		jmp	short loc_7E125D
; 

loc_7E1242:				; CODE XREF: PAGE:007E1191j
		test	ecx, ecx
		jnz	short loc_7E125B
		test	eax, 280h
		jnz	short loc_7E125B
		mov	ecx, [ebp-28h]
		test	ecx, ecx
		jz	short loc_7E127F
		call	ObfDereferenceObject
		jmp	short loc_7E127F
; 

loc_7E125B:				; CODE XREF: PAGE:007E1244j
					; PAGE:007E124Bj
		mov	al, bl

loc_7E125D:				; CODE XREF: PAGE:007E1240j
		mov	[ebp+24h], al
		cmp	dword ptr [ebp-50h], 0
		jge	short loc_7E129D
		mov	ecx, [ebp-28h]
		test	ecx, ecx
		jz	short loc_7E1272
		call	ObfDereferenceObject

loc_7E1272:				; CODE XREF: PAGE:007E126Bj
		cmp	byte ptr [ebp+24h], 0
		jz	short loc_7E127F
		mov	ecx, esi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_7E127F:				; CODE XREF: PAGE:007E1252j
					; PAGE:007E1259j ...
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	edi, [ebp-20h]
		test	edi, edi
		jz	loc_7E141A
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7E141A
; 

loc_7E129D:				; CODE XREF: PAGE:007E1264j
		mov	ecx, esi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		push	dword ptr [ebp+4]
		mov	al, [ebp+24h]
		xor	al, 1
		movzx	eax, al
		push	eax
		mov	eax, [ebp+8]
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp+28h], esi
		mov	ecx, [ebp-24h]
		test	esi, esi
		jnz	short loc_7E12E9
		mov	edx, [ebp-28h]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		cmp	[ebp-20h], esi
		jz	short loc_7E12DF
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E12DF:				; CODE XREF: PAGE:007E12D4j
		mov	eax, 0C000009Ah
		jmp	loc_7E141F
; 

loc_7E12E9:				; CODE XREF: PAGE:007E12C7j
		mov	[esi+64h], ecx
		mov	eax, [ebp-48h]
		mov	[esi+50h], eax
		mov	[esi+54h], ebx
		mov	al, [ebp-19h]
		mov	[esi+20h], al
		mov	[esi+21h], bl
		mov	[esi+24h], bl
		mov	[esi+38h], ebx
		mov	eax, [ebp-28h]
		mov	[esi+2Ch], eax
		mov	eax, [ebp+18h]
		mov	[esi+28h], eax
		mov	eax, [ebp+10h]
		mov	[esi+30h], eax
		mov	eax, [ebp+14h]
		mov	[esi+34h], eax
		mov	edi, [esi+60h]
		mov	dword ptr [edi-24h], 3
		mov	[edi-0Ch], ecx
		mov	[esi+0Ch], ebx
		mov	[esi+4], ebx
		mov	[esi+8], ebx
		mov	edx, [ebp+20h]
		test	edx, edx
		jz	short loc_7E137B
		mov	dword ptr [ebp-4], 1
		mov	ecx, [ebp+1Ch]
		mov	eax, [ecx]
		push	esi
		push	1
		push	ebx
		push	edx
		push	eax
		call	IoAllocateMdl
		test	eax, eax
		jnz	short loc_7E135E
		push	0C000009Ah
		jmp	loc_7E1443
; 

loc_7E135E:				; CODE XREF: PAGE:007E1352j
		push	1
		push	dword ptr [ebp-2Ch]
		push	dword ptr [ebp+1Ch]
		push	eax
		call	MmProbeAndLockSelectedPages
		mov	ecx, [ebp+1Ch]
		mov	eax, [ecx]
		mov	[esi+3Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7E137B:				; CODE XREF: PAGE:007E1337j
		cmp	dword ptr [ebp-20h], 0
		jz	short loc_7E138A
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E138A:				; CODE XREF: PAGE:007E137Fj
		mov	eax, [ebp+0Ch]
		mov	eax, [eax]
		and	eax, 8
		or	eax, 4800h
		shr	eax, 3
		or	[esi+8], eax
		mov	edx, [ebp+20h]
		mov	[edi-20h], edx
		mov	eax, [ebp-30h]
		mov	[edi-1Ch], eax
		mov	eax, [ebp-54h]
		mov	[edi-18h], eax
		mov	eax, [ebp-50h]
		mov	[edi-14h], eax
		push	ebx
		push	dword ptr [ebp+24h]
		push	dword ptr [ebp-2Ch]
		push	1
		push	dword ptr [ebp-24h]
		mov	edx, esi
		mov	ecx, [ebp+8]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)
		jmp	short loc_7E141F
; 

loc_7E13CD:				; DATA XREF: .text:006A4578o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7E13DB:				; DATA XREF: .text:006A457Co
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-24h]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		xor	ebx, ebx
		push	ebx
		push	dword ptr [ebp-28h]
		mov	edx, [ebp+28h]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		cmp	[ebp-20h], ebx
		jz	short loc_7E1407
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E1407:				; CODE XREF: PAGE:007E13FCj
		mov	eax, [ebp-4Ch]

loc_7E140A:				; CODE XREF: PAGE:007E1110j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7E141F
; 

loc_7E1413:				; CODE XREF: PAGE:007E0F27j
					; PAGE:007E0F30j ...
		mov	ecx, esi
		call	ObfDereferenceObject

loc_7E141A:				; CODE XREF: PAGE:007E0FC7j
					; PAGE:007E128Bj ...
		mov	eax, 0C000000Dh

loc_7E141F:				; CODE XREF: PAGE:007E0F08j
					; PAGE:007E1179j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_7E1431:				; CODE XREF: PAGE:007E0FD8j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		mov	ecx, [ebp+24h]

loc_7E1439:				; CODE XREF: PAGE:007E1056j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7E143E:				; CODE XREF: PAGE:007E10B5j
		push	0C000000Dh

loc_7E1443:				; CODE XREF: PAGE:007E1359j
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1922. PsTerminateSystemThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsTerminateSystemThread
PsTerminateSystemThread	proc near	; CODE XREF: PopIrpWorker+2E6p
					; InbvRotateGuiBootDisplay(x)+55p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FA290 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jz	loc_8FA290
		push	1
		push	[ebp+arg_0]
		push	eax
		call	PspTerminateThreadByPointer

loc_7E1471:				; CODE XREF: PsTerminateSystemThread+118E47j
		pop	ebp
		retn	4
PsTerminateSystemThread	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpValidateFlagExtension(x)
_EtwpValidateFlagExtension@4 proc near	; CODE XREF: EtwpStartLogger+17Cp
					; EtwpUpdateTrace+36p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+48h]
		mov	[ebp+var_4], esi
		test	esi, esi
		js	short loc_7E148F

loc_7E148B:				; CODE XREF: EtwpValidateFlagExtension(x)+B3j
		xor	eax, eax
		jmp	short loc_7E14BE
; 

loc_7E148F:				; CODE XREF: EtwpValidateFlagExtension(x)+13j
		call	_Feature_3257204026__private_IsEnabledDeviceUsage@0 ; Feature_3257204026__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	short loc_7E14C3
		cmp	byte ptr [ebp+var_4+2],	0FFh
		jnz	short loc_7E14B9
		test	si, si
		jz	short loc_7E14B9
		mov	eax, 0B0h
		cmp	si, ax
		jb	short loc_7E14B9

loc_7E14AD:				; CODE XREF: EtwpValidateFlagExtension(x)+58j
		mov	ecx, [edi]
		movzx	edx, si
		lea	eax, [edx+4]
		cmp	ecx, eax
		jnb	short loc_7E14D0

loc_7E14B9:				; CODE XREF: EtwpValidateFlagExtension(x)+26j
					; EtwpValidateFlagExtension(x)+2Bj ...
		mov	eax, 0C000000Dh

loc_7E14BE:				; CODE XREF: EtwpValidateFlagExtension(x)+17j
					; EtwpValidateFlagExtension(x)+BDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7E14C3:				; CODE XREF: EtwpValidateFlagExtension(x)+20j
		cmp	byte ptr [ebp+var_4+2],	0FFh
		jnz	short loc_7E14B9
		test	si, si
		jz	short loc_7E14B9
		jmp	short loc_7E14AD
; 

loc_7E14D0:				; CODE XREF: EtwpValidateFlagExtension(x)+41j
		lea	ebx, [edx+edi]
		test	bl, 1
		jnz	short loc_7E152E
		movzx	esi, word ptr [ebx]
		xor	eax, eax
		inc	eax
		cmp	si, ax
		jb	short loc_7E14B9
		mov	eax, esi
		sub	ecx, edx
		shl	eax, 2
		cmp	eax, ecx
		ja	short loc_7E14B9
		movzx	edi, word ptr [ebx+2]
		lea	eax, [esi-1]
		movzx	ecx, ax
		lea	edx, [ebx+4]
		xor	eax, eax
		xor	esi, esi
		cmp	ax, di
		jnb	short loc_7E1524
		xor	ebx, ebx
		inc	ebx

loc_7E1507:				; CODE XREF: EtwpValidateFlagExtension(x)+ACj
		test	dl, 1
		jnz	short loc_7E152E
		cmp	cx, bx
		jb	short loc_7E14B9
		movzx	eax, word ptr [edx]
		cmp	cx, ax
		jb	short loc_7E14B9
		sub	ecx, eax
		lea	edx, [edx+eax*4]
		inc	esi
		cmp	si, di
		jb	short loc_7E1507

loc_7E1524:				; CODE XREF: EtwpValidateFlagExtension(x)+8Cj
		test	cx, cx
		jnz	short loc_7E14B9
		jmp	loc_7E148B
; 

loc_7E152E:				; CODE XREF: EtwpValidateFlagExtension(x)+60j
					; EtwpValidateFlagExtension(x)+94j
		mov	eax, 0C00002C5h
		jmp	short loc_7E14BE
_EtwpValidateFlagExtension@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfEnumerateScopeInstances proc near	; CODE XREF: NtDeleteWnfStateName+261p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FA29A SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	[ebp+var_10], ebx
		cmp	esi, 4
		jz	loc_8FA29A
		cmp	esi, 5
		jz	loc_8FA29A
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()

loc_7E1562:				; CODE XREF: ExpWnfEnumerateScopeInstances+118D70j
		mov	ecx, [eax+208h]
		test	ecx, ecx
		jz	loc_7E161B
		imul	eax, esi, 0Ch
		push	edi
		push	0
		lea	edx, [eax+14h]
		add	edx, ecx
		lea	edi, [eax+10h]
		add	edi, ecx
		mov	[ebp+var_4], edx
		xor	edx, edx
		mov	[ebp+var_C], edi
		mov	ecx, edi
		call	KeAbPreAcquire
		push	11h
		mov	esi, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [edi], ecx
		test	eax, eax
		jz	short loc_7E15A8
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockSharedEx

loc_7E15A8:				; CODE XREF: ExpWnfEnumerateScopeInstances+66j
		test	esi, esi
		jnz	short loc_7E160C

loc_7E15AC:				; CODE XREF: ExpWnfEnumerateScopeInstances+DAj
		test	ebx, ebx
		jz	short loc_7E1608
		mov	esi, [ebx+14h]

loc_7E15B3:				; CODE XREF: ExpWnfEnumerateScopeInstances+D4j
		mov	eax, [ebp+var_4]
		test	esi, esi
		jnz	short loc_7E15BC
		mov	esi, [eax]

loc_7E15BC:				; CODE XREF: ExpWnfEnumerateScopeInstances+82j
		cmp	esi, eax
		jz	short loc_7E15DF
		mov	ebx, [ebp+var_4]

loc_7E15C3:				; CODE XREF: ExpWnfEnumerateScopeInstances+118D7Dj
		lea	edi, [esi-14h]
		lea	ecx, [edi+4]
		mov	[ebp+var_8], edi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_8FA2AB

loc_7E15D9:				; CODE XREF: ExpWnfEnumerateScopeInstances+118D83j
		mov	edi, [ebp+var_C]
		mov	ebx, [ebp+var_10]

loc_7E15DF:				; CODE XREF: ExpWnfEnumerateScopeInstances+88j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_7E1612

loc_7E15ED:				; CODE XREF: ExpWnfEnumerateScopeInstances+E3j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		test	ebx, ebx
		jz	short loc_7E1601
		lea	ecx, [ebx+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7E1601:				; CODE XREF: ExpWnfEnumerateScopeInstances+C1j
		mov	eax, [ebp+var_8]

loc_7E1604:				; CODE XREF: ExpWnfEnumerateScopeInstances+E7j
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7E1608:				; CODE XREF: ExpWnfEnumerateScopeInstances+78j
		xor	esi, esi
		jmp	short loc_7E15B3
; 

loc_7E160C:				; CODE XREF: ExpWnfEnumerateScopeInstances+74j
		or	byte ptr [esi+0Eh], 1
		jmp	short loc_7E15AC
; 

loc_7E1612:				; CODE XREF: ExpWnfEnumerateScopeInstances+B5j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_7E15ED
; 

loc_7E161B:				; CODE XREF: ExpWnfEnumerateScopeInstances+34j
		xor	eax, eax
		jmp	short loc_7E1604
ExpWnfEnumerateScopeInstances endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall HvResetInactiveLogFileStatus(x)
_HvResetInactiveLogFileStatus@4	proc near ; CODE XREF: CmpFlushHive+846p
		mov	eax, [ecx+68h]
		cmp	eax, 4
		jz	short loc_7E1635
		cmp	eax, 5
		jnz	short locret_7E1634
		add	eax, 7Bh

loc_7E1630:				; CODE XREF: HvResetInactiveLogFileStatus(x)+1Aj
		mov	byte ptr [eax+ecx], 0

locret_7E1634:				; CODE XREF: HvResetInactiveLogFileStatus(x)+Bj
		retn
; 

loc_7E1635:				; CODE XREF: HvResetInactiveLogFileStatus(x)+6j
		mov	eax, 81h
		jmp	short loc_7E1630
_HvResetInactiveLogFileStatus@4	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 550. FsRtlInitializeExtraCreateParameterList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlInitializeExtraCreateParameterList(x)
		public _FsRtlInitializeExtraCreateParameterList@4
_FsRtlInitializeExtraCreateParameterList@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_7E1666
		and	dword ptr [ecx+4], 0
		lea	eax, [ecx+8]
		mov	[eax+4], eax
		mov	[eax], eax
		xor	eax, eax
		mov	dword ptr [ecx], 4C706345h

loc_7E1662:				; CODE XREF: FsRtlInitializeExtraCreateParameterList(x)+29j
		pop	ebp
		retn	4
; 

loc_7E1666:				; CODE XREF: FsRtlInitializeExtraCreateParameterList(x)+Aj
		mov	eax, 0C000000Dh
		jmp	short loc_7E1662
_FsRtlInitializeExtraCreateParameterList@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1757. PsDereferenceKernelStack

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsDereferenceKernelStack
PsDereferenceKernelStack proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FA2BE SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		or	eax, 0FFFFFFFFh
		lock xadd [esi+338h], eax
		jz	loc_8FA2BE

loc_7E168C:				; CODE XREF: PsDereferenceKernelStack+118C5Ej
		pop	esi
		pop	ebp
		retn	4
PsDereferenceKernelStack endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1623. ObGetObjectSecurity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObGetObjectSecurity(x, x, x)
		public _ObGetObjectSecurity@12
_ObGetObjectSecurity@12	proc near	; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+7Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_8]
		call	ObpGetObjectSecurity
		pop	ebp
		retn	0Ch
_ObGetObjectSecurity@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageFlushWorkItemCallback(x)
_EtwpCoverageFlushWorkItemCallback@4 proc near ; DATA XREF: EtwpCoverageEnsureContext()+1B6o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, _EtwpCoverageNonPagedContext
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		and	dword ptr [eax+0Ch], 0
		push	edi
		test	byte ptr [esi+18h], 1
		jz	short loc_7E16D8
		push	4
		pop	edx
		mov	ecx, esi
		call	_EtwpCoverageReset@8 ; EtwpCoverageReset(x,x)

loc_7E16D8:				; CODE XREF: EtwpCoverageFlushWorkItemCallback(x)+1Cj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _EtwpCoverageLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	edi, 0FFDF0324h
		mov	edx, 0FFDF0320h
		mov	_EtwpCoverageLockOwner,	eax
		mov	ebx, ds:0FFDF0004h
		mov	ecx, 0FFDF0328h
		mov	[esp+10h+var_4], ebx
		mov	edi, [edi]
		mov	edx, [edx]
		mov	eax, [ecx]
		cmp	edi, eax
		jz	short loc_7E173E
		lea	esi, [ecx-4]
		lea	ebx, [ecx-8]

loc_7E1726:				; CODE XREF: EtwpCoverageFlushWorkItemCallback(x)+85j
		pause
		mov	edi, [esi]
		mov	edx, [ebx]
		mov	ecx, [ecx]
		cmp	edi, ecx
		mov	ecx, 0FFDF0328h
		jnz	short loc_7E1726
		mov	esi, [ebp+arg_0]
		mov	ebx, [esp+10h+var_4]

loc_7E173E:				; CODE XREF: EtwpCoverageFlushWorkItemCallback(x)+6Ej
		mov	eax, edx
		shl	edi, 8
		mul	ebx
		imul	edi, ebx
		shrd	eax, edx, 18h
		mov	edx, [esi]
		add	eax, edi
		sub	eax, [edx+10h]
		cmp	eax, [esi+10h]
		jb	short loc_7E175F
		mov	ecx, esi
		call	_EtwpCoverageFlushPending@4 ; EtwpCoverageFlushPending(x)

loc_7E175F:				; CODE XREF: EtwpCoverageFlushWorkItemCallback(x)+A6j
		and	_EtwpCoverageLockOwner,	0
		or	eax, 0FFFFFFFFh
		mov	esi, offset _EtwpCoverageLock
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7E177F
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_7E177F:				; CODE XREF: EtwpCoverageFlushWorkItemCallback(x)+C6j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_EtwpCoverageFlushWorkItemCallback@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageFlushPending(x)
_EtwpCoverageFlushPending@4 proc near	; CODE XREF: EtwpCoverageFlushWorkItemCallback(x)+AAp
					; EtwpCoverageRecord(x,x)+15Fp	...

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	[ebp+var_8C], esi
		cmp	dword ptr [esi+28h], 0
		jz	loc_7E192E
		mov	ecx, ds:0FFDF0004h
		mov	ebx, 0FFDF0324h
		mov	[ebp+var_90], ecx
		mov	edi, [ebx]
		lea	eax, [ebx-4]
		mov	edx, [eax]
		add	eax, 8
		mov	eax, [eax]
		cmp	edi, eax
		jz	short loc_7E1805
		lea	eax, [ebx-4]
		lea	esi, [ebx+4]

loc_7E17ED:				; CODE XREF: EtwpCoverageFlushPending(x)+5Bj
		pause
		mov	edi, [ebx]
		mov	edx, [eax]
		mov	ecx, [esi]
		cmp	edi, ecx
		jnz	short loc_7E17ED
		mov	esi, [ebp+var_8C]
		mov	ecx, [ebp+var_90]

loc_7E1805:				; CODE XREF: EtwpCoverageFlushPending(x)+49j
		mov	eax, edx
		shl	edi, 8
		mul	ecx
		imul	edi, ecx
		mov	ebx, eax
		movzx	eax, word ptr [esi+28h]
		shrd	ebx, edx, 18h
		mov	[ebp+var_A4], eax
		add	ebx, edi
		cmp	dword_6B2A68, 5
		mov	edi, [esi+1Ch]
		jbe	loc_7E1910
		push	4000h
		push	0
		mov	ecx, offset dword_6B2A68
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_7E1910
		mov	ecx, [esi]
		push	4
		pop	edx
		mov	eax, [ecx]
		and	[ebp+var_64], 0
		and	[ebp+var_5C], 0
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_68], eax
		mov	[ebp+var_60], edx
		mov	eax, [ecx+4]
		and	[ebp+var_54], 0
		and	[ebp+var_4C], 0
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_58], eax
		mov	eax, ebx
		mov	[ebp+var_50], edx
		sub	eax, [ecx+10h]
		and	[ebp+var_44], 0
		and	[ebp+var_3C], 0
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_48], eax
		mov	eax, ebx
		mov	[ebp+var_40], edx
		sub	eax, [ecx+14h]
		xor	ecx, ecx
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_28], eax
		mov	eax, [edi+10h]
		mov	[ebp+var_18], eax
		mov	ax, [edi+0Ch]
		sub	ax, [edi+10h]
		movzx	eax, ax
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_88]
		push	eax
		push	8
		push	ecx
		push	ecx
		push	offset loc_422EC0
		push	offset dword_6B2A68
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], 2
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_7E1910:				; CODE XREF: EtwpCoverageFlushPending(x)+8Fj
					; EtwpCoverageFlushPending(x)+A8j
		mov	eax, [edi+0Ch]
		mov	[edi+10h], eax
		mov	eax, [esi]
		and	dword ptr [esi+28h], 0
		add	eax, 98h
		push	0
		push	eax
		call	KeCancelTimer2
		mov	eax, [esi]
		mov	[eax+10h], ebx

loc_7E192E:				; CODE XREF: EtwpCoverageFlushPending(x)+24j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpCoverageFlushPending@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerRequestAllocate(x, x)
_PopPowerRequestAllocate@8 proc	near	; DATA XREF: PopPowerRequestInit()+CFo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	6C564150h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_PopPowerRequestAllocate@8 endp


;  S U B	R O U T	I N E 


PspDoesJobHierarchyPermitUILimits proc near ; CODE XREF: sub_759647+ABEp
					; PspAssignProcessToJob+1266ACp

; FUNCTION CHUNK AT 008FA2D5 SIZE 00000018 BYTES

		mov	edi, edi
		push	ecx
		mov	eax, [ecx+244h]

loc_7E195F:				; CODE XREF: PspDoesJobHierarchyPermitUILimits+11898Ej
		test	eax, eax
		jnz	loc_8FA2D5
		test	dl, 1
		jnz	short loc_7E1982
		push	1
		push	ecx
		push	eax
		push	eax
		mov	edx, offset PspDoesJobHierarchyPermitUILimitsCallback
		call	PspEnumJobsAndProcessesInJobHierarchy
		test	eax, eax
		setns	al
		pop	ecx
		retn
; 

loc_7E1982:				; CODE XREF: PspDoesJobHierarchyPermitUILimits+14j
		mov	al, 1
		pop	ecx
		retn
PspDoesJobHierarchyPermitUILimits endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspEnableTimerVirtualization(x, x)
_PspEnableTimerVirtualization@8	proc near ; DATA XREF: sub_759647+8A0o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		add	eax, 310h
		lock bts dword ptr [eax], 12h
		xor	eax, eax
		pop	ebp
		retn	8
_PspEnableTimerVirtualization@8	endp


;  S U B	R O U T	I N E 


; __stdcall PspAllocStorage(x)
_PspAllocStorage@4 proc	near		; CODE XREF: PspCreateSilo(x)+3Ap
					; PspInitializeSiloStructures+129p
		mov	edi, edi
		push	esi
		push	74537350h
		push	140h
		push	204h
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_7E19D8
		xor	edx, edx
		mov	ecx, edx

loc_7E19BF:				; CODE XREF: PspAllocStorage(x)+2Cj
		mov	[eax+ecx*8], edx
		mov	[eax+ecx*8+4], edx
		inc	ecx
		cmp	ecx, 20h
		jb	short loc_7E19BF
		mov	[eax+100h], edx
		mov	[esi], eax
		xor	eax, eax
		pop	esi
		retn
; 

loc_7E19D8:				; CODE XREF: PspAllocStorage(x)+1Bj
		mov	eax, 0C000009Ah
		pop	esi
		retn
_PspAllocStorage@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceThermalRequest proc	near	; CODE XREF: PopRundownThermalRequests()+59p
					; PopAssociateThermalRequest+188p ...

var_F2		= byte ptr -0F2h
var_F1		= dword	ptr -0F1h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FA2ED SIZE 000002BB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0F4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0F4h+var_4], eax
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		xor	ecx, ecx
		mov	[esp+0F8h+var_BC], eax
		push	esi
		mov	esi, ecx
		mov	[esp+0FCh+var_E8], ecx
		push	edi
		mov	[esp+100h+var_E4], ecx
		mov	[esp+100h+var_DC], ecx
		mov	[esp+100h+var_D8], ecx
		mov	[esp+100h+var_D4], ecx
		mov	[esp+100h+var_D0], ecx
		mov	[esp+100h+var_F1+1], ecx
		mov	byte ptr [esp+100h+var_F1], cl
		mov	[esp+100h+var_E0], ecx
		cmp	_PopDiagHandleRegistered, cl
		jz	short loc_7E1A51
		push	eax
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8FA2ED

loc_7E1A51:				; CODE XREF: PopDiagTraceThermalRequest+55j
					; PopDiagTraceThermalRequest+118BB2j ...
		mov	ecx, [esp+100h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
PopDiagTraceThermalRequest endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1001. IoSetShareAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetShareAccess(x,	x, x, x)
		public _IoSetShareAccess@16
_IoSetShareAccess@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_IoSetLinkShareAccess@24 ; IoSetLinkShareAccess(x,x,x,x,x,x)
		pop	ebp
		retn	10h
_IoSetShareAccess@16 endp

; 
		align 10h
; Exported entry 186. CcCopyRead

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcCopyRead(x, x, x,	x, x, x)
		public _CcCopyRead@24
_CcCopyRead@24	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	CcCopyReadEx
		pop	ebp
		retn	18h
_CcCopyRead@24	endp

; 
		align 8
; Exported entry 997. IoSetIrpExtraCreateParameter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetIrpExtraCreateParameter(x, x)
		public _IoSetIrpExtraCreateParameter@8
_IoSetIrpExtraCreateParameter@8	proc near ; CODE XREF: IopSymlinkAllocateAndAddECP+125165p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	byte ptr [ecx+8], 80h
		jz	short loc_7E1ADC
		cmp	dword ptr [ecx+3Ch], 0
		jnz	short loc_7E1AE3
		mov	eax, [ebp+arg_4]
		mov	[ecx+3Ch], eax
		or	dword ptr [eax+4], 8
		xor	eax, eax

loc_7E1AD8:				; CODE XREF: IoSetIrpExtraCreateParameter(x,x)+29j
					; IoSetIrpExtraCreateParameter(x,x)+30j
		pop	ebp
		retn	8
; 

loc_7E1ADC:				; CODE XREF: IoSetIrpExtraCreateParameter(x,x)+Cj
		mov	eax, 0C00000EFh
		jmp	short loc_7E1AD8
; 

loc_7E1AE3:				; CODE XREF: IoSetIrpExtraCreateParameter(x,x)+12j
		mov	eax, 0C00000F0h
		jmp	short loc_7E1AD8
_IoSetIrpExtraCreateParameter@8	endp

; 
		align 10h
; Exported entry 954. IoRemoveShareAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRemoveShareAccess(x, x)
		public _IoRemoveShareAccess@8
_IoRemoveShareAccess@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_IoRemoveLinkShareAccessEx@16 ;	IoRemoveLinkShareAccessEx(x,x,x,x)
		pop	ebp
		retn	8
_IoRemoveShareAccess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipOpenCloseCleanup(x, x)
_WmipOpenCloseCleanup@8	proc near	; DATA XREF: WmipDriverEntry+F5o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	dl, dl
		and	dword ptr [ecx+18h], 0
		and	dword ptr [ecx+1Ch], 0
		call	IofCompleteRequest
		xor	eax, eax
		pop	ebp
		retn	8
_WmipOpenCloseCleanup@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerRequestFree(x, x)
_PopPowerRequestFree@8 proc near	; DATA XREF: PopPowerRequestInit()+BBo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	6C564150h
		push	[ebp+arg_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_PopPowerRequestFree@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 636. FsRtlQueryCachedVdl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlQueryCachedVdl
FsRtlQueryCachedVdl proc near

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FA5A8 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, [ebp+arg_0]
		lea	edi, [esp+70h+var_58]
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		push	eax
		push	eax
		mov	[esp+78h+var_60], eax
		mov	[esp+78h+var_5C], eax
		lea	eax, [esp+78h+var_58]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	esi
		call	IoGetRelatedDeviceObject
		mov	edi, eax
		lea	eax, [esp+70h+var_60]
		push	eax
		lea	eax, [esp+74h+var_58]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	edi
		push	90284h
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_8FA5A8
		and	[esp+70h+var_48], 0
		lea	eax, [esp+70h+var_48]
		and	[esp+70h+var_44], 0
		mov	ecx, edi
		or	[esp+70h+var_40], 0FFFFFFFFh
		mov	[esp+70h+var_3C], 7FFFFFFFh
		mov	[esp+70h+var_38], 1
		mov	[edx+0Ch], eax
		mov	eax, [edx+60h]
		mov	[eax-0Ch], esi
		mov	byte ptr [eax-24h], 0Dh
		mov	dword ptr [eax-1Ch], 18h
		mov	dword ptr [eax-20h], 40h
		call	IofCallDriver
		mov	esi, eax
		xor	edi, edi
		cmp	esi, 103h
		jz	loc_8FA5B2

loc_7E1C04:				; CODE XREF: FsRtlQueryCachedVdl+118A82j
		mov	ecx, 0C0000000h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_7E1C30
		mov	[ebx], edi
		mov	[ebx+4], edi
		mov	edi, [esp+70h+var_40]
		test	edi, edi
		jz	short loc_7E1C30
		lea	edx, [esp+70h+var_38]

loc_7E1C22:				; CODE XREF: FsRtlQueryCachedVdl+ECj
		test	byte ptr [edx+10h], 1
		jnz	short loc_7E1C46

loc_7E1C28:				; CODE XREF: FsRtlQueryCachedVdl+114j
		add	edx, 18h
		sub	edi, 1
		jnz	short loc_7E1C22

loc_7E1C30:				; CODE XREF: FsRtlQueryCachedVdl+CDj
					; FsRtlQueryCachedVdl+DAj
		mov	eax, esi

loc_7E1C32:				; CODE XREF: FsRtlQueryCachedVdl+118A6Bj
		mov	ecx, [esp+70h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7E1C46:				; CODE XREF: FsRtlQueryCachedVdl+E4j
		mov	ecx, [edx+8]
		add	ecx, [edx]
		mov	eax, [edx+0Ch]
		adc	eax, [edx+4]
		mov	[ebx], ecx
		mov	[ebx+4], eax
		jmp	short loc_7E1C28
FsRtlQueryCachedVdl endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGenericPackResource(x, x, x, x)
_IopGenericPackResource@16 proc	near	; DATA XREF: IopMemInitialize()+21o
					; IopPortInitialize()+3Do

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_C]
		mov	al, [edx+1]
		mov	[ecx], al
		mov	ax, [edx+4]
		mov	[ecx+2], ax
		mov	al, [edx+2]
		mov	[ecx+1], al
		mov	eax, [ebp+arg_4]
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+8], eax
		mov	eax, [edx+8]
		mov	[ecx+0Ch], eax
		xor	eax, eax
		pop	ebp
		retn	10h
_IopGenericPackResource@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetJobLimitsProcessCallback proc near ; DATA	XREF: sub_759647+5F9o
					; sub_759647+17A3E5o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FA5C9 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+0F8h], 1
		jnz	short loc_7E1CB9
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ecx, esi
		mov	edx, [edi+4]
		call	PspApplyJobLimitsToProcess
		test	byte ptr [edi+4], 1
		jz	loc_8FA5C9

loc_7E1CB8:				; CODE XREF: PspSetJobLimitsProcessCallback+118943j
					; PspSetJobLimitsProcessCallback+118950j
		pop	edi

loc_7E1CB9:				; CODE XREF: PspSetJobLimitsProcessCallback+10j
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	8
PspSetJobLimitsProcessCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceCoolingExtension proc near	; CODE XREF: PopRundownThermalRequests()+3Ep
					; PopAssociateThermalRequest+128p ...

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_75		= dword	ptr -75h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FA5E3 SIZE 0000011D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_84], eax
		push	edi
		mov	edi, ecx
		mov	[ebp+var_80], eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_7C], eax
		mov	byte ptr [ebp+var_75], al
		mov	[ebp+var_88], eax
		cmp	_PopDiagHandleRegistered, al
		jz	short loc_7E1D1A
		push	ebx
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8FA5E3

loc_7E1D1A:				; CODE XREF: PopDiagTraceCoolingExtension+3Ej
					; PopDiagTraceCoolingExtension+118A3Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTraceCoolingExtension endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLogTransactionAbortedWithChildName proc near
					; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+73Dp
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+7A4p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FA700 SIZE 000000B1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_10]
		push	ebx
		push	eax
		mov	edi, edx
		mov	[ebp+var_10], ebx
		mov	esi, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		cmp	[ebp+arg_8], ebx
		jnz	loc_8FA700

loc_7E1D55:				; CODE XREF: CmpLogTransactionAbortedWithChildName+1189DFj
					; CmpLogTransactionAbortedWithChildName+1189F4j ...
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_7E1D63

loc_7E1D5C:				; CODE XREF: CmpLogTransactionAbortedWithChildName+42j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7E1D63:				; CODE XREF: CmpLogTransactionAbortedWithChildName+32j
		mov	ecx, eax
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_7E1D5C
CmpLogTransactionAbortedWithChildName endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1961. RtlAreAnyAccessesGranted

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAreAnyAccessesGranted(x,	x)
		public _RtlAreAnyAccessesGranted@8
_RtlAreAnyAccessesGranted@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	[ebp+arg_4], eax
		setnz	al
		pop	ebp
		retn	8
_RtlAreAnyAccessesGranted@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1875. PsReferenceKernelStack

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReferenceKernelStack(x)
		public _PsReferenceKernelStack@4
_PsReferenceKernelStack@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		lock inc dword ptr [eax+338h]
		pop	ebp
		retn	4
_PsReferenceKernelStack@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 484. FsRtlAreVolumeStartupApplicationsComplete

;  S U B	R O U T	I N E 


; __stdcall FsRtlAreVolumeStartupApplicationsComplete()
		public _FsRtlAreVolumeStartupApplicationsComplete@0
_FsRtlAreVolumeStartupApplicationsComplete@0 proc near
		mov	al, ds:_FsRtlpVolumeStartupApplicationsComplete
		retn
_FsRtlAreVolumeStartupApplicationsComplete@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlValidProcessProtection proc near	; CODE XREF: PspBuildCreateProcessContext(x,x,x,x)+F24p
					; DATA XREF: .text:004037E8o

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008FA7B1 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [ebp+arg_0]
		cmp	al, 41h
		jbe	short loc_7E1DC2
		cmp	al, 51h
		jb	short loc_7E1DDE
		cmp	al, 52h
		ja	short loc_7E1DD1

loc_7E1DBC:				; CODE XREF: RtlValidProcessProtection:loc_7E1DC2j
					; RtlValidProcessProtection+1Ej ...
		mov	al, 1

loc_7E1DBE:				; CODE XREF: RtlValidProcessProtection+38j
		pop	ebp
		retn	4
; 

loc_7E1DC2:				; CODE XREF: RtlValidProcessProtection+Aj
		jz	short loc_7E1DBC
		test	al, al
		jz	short loc_7E1DBC
		cmp	al, 31h
		jz	short loc_7E1DBC
		jmp	loc_8FA7B1
; 

loc_7E1DD1:				; CODE XREF: RtlValidProcessProtection+12j
		cmp	al, 60h
		jbe	short loc_7E1DDE
		cmp	al, 62h
		jbe	short loc_7E1DBC
		jmp	loc_8FA7CE
; 

loc_7E1DDE:				; CODE XREF: RtlValidProcessProtection+Ej
					; RtlValidProcessProtection+2Bj ...
		xor	al, al
		jmp	short loc_7E1DBE
RtlValidProcessProtection endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PerfDiagpBootUserProxyCallback(x, x, x, x, x, x, x,	x, x)
_PerfDiagpBootUserProxyCallback@36 proc	near ; DATA XREF: PerfDiagInitialize()+42o

arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		jnz	short loc_7E1DF9
		push	4

loc_7E1DEF:				; CODE XREF: PerfDiagpBootUserProxyCallback(x,x,x,x,x,x,x,x,x)+1Fj
		pop	ecx
		call	_PerfDiagpRequestState@4 ; PerfDiagpRequestState(x)

loc_7E1DF5:				; CODE XREF: PerfDiagpBootUserProxyCallback(x,x,x,x,x,x,x,x,x)+1Bj
		pop	ebp
		retn	24h
; 

loc_7E1DF9:				; CODE XREF: PerfDiagpBootUserProxyCallback(x,x,x,x,x,x,x,x,x)+9j
		cmp	[ebp+arg_8], 55h
		jnz	short loc_7E1DF5
		push	3
		jmp	short loc_7E1DEF
_PerfDiagpBootUserProxyCallback@36 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PerfDiagpRequestState(x)
_PerfDiagpRequestState@4 proc near	; CODE XREF: PerfDiagpBootUserProxyCallback(x,x,x,x,x,x,x,x,x)+Ep
					; PerfDiagpShutdownProxyCallback(x,x,x,x,x,x,x,x,x)+14p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	esi, 8
		jge	short loc_7E1E3B
		push	64465250h
		push	14h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_7E1E3B
		and	dword ptr [eax], 0
		push	1
		push	eax
		mov	dword ptr [eax+8], offset PerfDiagpProxyWorker
		mov	[eax+0Ch], eax
		mov	[eax+10h], esi
		call	ExQueueWorkItem

loc_7E1E3B:				; CODE XREF: PerfDiagpRequestState(x)+8j
					; PerfDiagpRequestState(x)+1Dj
		pop	esi
		retn
_PerfDiagpRequestState@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 613. FsRtlNotifyUninitializeSync

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNotifyUninitializeSync(x)
		public _FsRtlNotifyUninitializeSync@4
_FsRtlNotifyUninitializeSync@4 proc near
					; CODE XREF: FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)+53p
					; FsRtlNotifyFilterChangeDirectoryLite+12BE48p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_7E1E5C
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0

loc_7E1E5C:				; CODE XREF: FsRtlNotifyUninitializeSync(x)+Dj
		pop	esi
		pop	ebp
		retn	4
_FsRtlNotifyUninitializeSync@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspDoesJobHierarchyPermitUILimitsCallback proc near
					; DATA XREF: PspDoesJobHierarchyPermitUILimits+1Bo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FA7E3 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_4]
		jnz	loc_8FA7E3

loc_7E1E73:				; CODE XREF: PspDoesJobHierarchyPermitUILimitsCallback+118991j
		xor	eax, eax

loc_7E1E75:				; CODE XREF: PspDoesJobHierarchyPermitUILimitsCallback+11899Cj
		pop	ebp
		retn	8
PspDoesJobHierarchyPermitUILimitsCallback endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopAvlAllocatePowerRequestStats(x, x)
_PopAvlAllocatePowerRequestStats@8 proc	near
					; DATA XREF: PopStatsInitPowerRequestLibrary()+35o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	54515750h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_PopAvlAllocatePowerRequestStats@8 endp

; 
		align 8
; Exported entry 2340. RtlSetSystemBootStatusEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSetSystemBootStatusEx(x,	x, x)
		public _RtlSetSystemBootStatusEx@12
_RtlSetSystemBootStatusEx@12 proc near	; CODE XREF: PAGELK:0071F064p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_4]
		push	20h
		pop	ecx
		call	RtlpSystemBootStatusRequest
		pop	ecx
		pop	ebp
		retn	0Ch
_RtlSetSystemBootStatusEx@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1823. PsGetSiloMonitorContextSlot

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetSiloMonitorContextSlot(x)
		public _PsGetSiloMonitorContextSlot@4
_PsGetSiloMonitorContextSlot@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0Ch]
		pop	ebp
		retn	4
_PsGetSiloMonitorContextSlot@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpStartSiloRegistryNamespace(x)
_CmpStartSiloRegistryNamespace@4 proc near ; CODE XREF:	CmInitSiloNamespace(x)+1Ap
					; CmpInitSiloSupport(x)+38p

var_D6		= byte ptr -0D6h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_C0		= dword	ptr -0C0h
var_84		= dword	ptr -84h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_44		= dword	ptr -44h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0DCh+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+0E8h+var_D0]
		stosd
		xor	ebx, ebx
		push	0B4h		; size_t
		push	ebx		; int
		mov	esi, ecx
		mov	[esp+1Bh], bl
		stosd
		stosd
		stosd
		lea	eax, [esp+0F0h+var_C0]
		or	edi, 0FFFFFFFFh
		push	eax		; void *
		mov	word ptr [esp+0F4h+var_D0+2], di
		call	_memset
		add	esp, 0Ch
		mov	[esp+0E8h+var_84], edi
		lea	eax, [esp+0E8h+var_68]
		mov	[esp+0E8h+var_64], eax
		mov	[esp+0E8h+var_68], eax
		lea	eax, [esp+0E8h+var_44]
		push	38h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	edi, ebx
		add	esp, 0Ch
		lea	ebx, [esi+10h]
		mov	[esp+0E8h+var_D4], edi
		cmp	[ebx], edi
		jnz	short loc_7E1FB8
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	esi, ds:_CmpRegistryRootObject
		lea	ecx, [esp+0E8h+var_D0]
		mov	edx, [esi+8]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		lea	ecx, [esp+0E8h+var_D0]
		call	_CmpLockKcbStackExclusive@4 ; CmpLockKcbStackExclusive(x)
		mov	ecx, [esi+8]
		lea	eax, [esp+13h]
		push	eax
		lea	eax, [esp+0ECh+var_D4]
		xor	dl, dl
		push	eax
		lea	eax, [esp+0F0h+var_D0]
		push	eax
		push	1
		push	edi
		lea	eax, [esp+0FCh+var_C0]
		push	eax
		call	CmpCreateKeyBody
		lea	ecx, [esp+0E8h+var_D0]
		mov	esi, eax
		call	CmpUnlockKcbStack
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		test	esi, esi
		js	short loc_7E1FE9
		mov	ecx, [esp+0E8h+var_D4]
		xor	eax, eax
		lock cmpxchg [ebx], ecx
		mov	edi, eax
		neg	edi
		sbb	edi, edi
		and	edi, [esp+0E8h+var_D4]

loc_7E1FB8:				; CODE XREF: CmpStartSiloRegistryNamespace(x)+83j
		xor	esi, esi

loc_7E1FBA:				; CODE XREF: CmpStartSiloRegistryNamespace(x)+123j
		lea	ecx, [esp+0E8h+var_D0]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		xor	dl, dl
		lea	ecx, [esp+0E8h+var_C0]
		call	CmpCleanupParseContext
		test	edi, edi
		jnz	short loc_7E1FEF

loc_7E1FD2:				; CODE XREF: CmpStartSiloRegistryNamespace(x)+12Cj
		mov	ecx, [esp+0E8h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7E1FE9:				; CODE XREF: CmpStartSiloRegistryNamespace(x)+D8j
		mov	edi, [esp+0E8h+var_D4]
		jmp	short loc_7E1FBA
; 

loc_7E1FEF:				; CODE XREF: CmpStartSiloRegistryNamespace(x)+106j
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	short loc_7E1FD2
_CmpStartSiloRegistryNamespace@4 endp


;  S U B	R O U T	I N E 


; __stdcall HvUnlockHiveFilePages(x)
_HvUnlockHiveFilePages@4 proc near	; CODE XREF: CmpRecheckHiveVolumePolicy(x):loc_433E12p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+64h]
		test	eax, (offset loc_7FFFFF+1)
		jnz	short loc_7E2009
		pop	esi
		retn
; 

loc_7E2009:				; CODE XREF: HvUnlockHiveFilePages(x)+Dj
		test	eax, 20000h
		jz	short loc_7E201F
		push	ecx
		lea	ecx, [esi+0A0h]
		call	_HvpViewMapAdjustFlag@12 ; HvpViewMapAdjustFlag(x,x,x)
		mov	eax, [esi+64h]

loc_7E201F:				; CODE XREF: HvUnlockHiveFilePages(x)+16j
		and	eax, 0FF7FFFFFh
		mov	[esi+64h], eax
		pop	esi
		retn
_HvUnlockHiveFilePages@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpInitializeKcbStack(x)
_CmpInitializeKcbStack@4 proc near	; CODE XREF: CmQueryLayeredKey+4Ep
					; CmDeleteLayeredKey(x,x,x)+4Bp ...
		mov	edi, edi
		push	edi
		xor	eax, eax
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	[ecx+2], ax
		pop	edi
		retn
_CmpInitializeKcbStack@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogTransactionAbortedForRollbackPacket(x, x, x)
_CmpLogTransactionAbortedForRollbackPacket@12 proc near
					; CODE XREF: CmpTryToRundownHive+115p
					; CmpPerformUnloadKey+18B680p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax]
		push	ecx
		push	edx
		xor	edx, edx
		call	CmpLogTransactionAbortedWithChildName
		pop	ecx
		pop	ebp
		retn	4
_CmpLogTransactionAbortedForRollbackPacket@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfDeletePermanentName(x, x)
_ExpWnfDeletePermanentName@8 proc near	; CODE XREF: NtDeleteWnfStateName+22Ep

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [ebp+arg_4]
		lea	ecx, [ebp+var_34]
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		push	22h
		mov	[ebp+var_34], eax
		mov	[ebp+var_2C], eax
		pop	eax
		mov	word ptr [ebp+var_34+2], ax
		lea	eax, [ebp+var_28]
		push	esi
		push	edi
		mov	[ebp+var_30], eax
		call	_ExpWnfComposeValueName@12 ; ExpWnfComposeValueName(x,x,x)
		shrd	edi, esi, 4
		lea	edx, [ebp+var_2C]
		and	edi, 3
		mov	ecx, edi
		call	ExpWnfGetNameStoreRegistryRoot
		pop	edi
		pop	esi
		test	eax, eax
		js	short loc_7E20B4
		lea	eax, [ebp+var_34]
		push	eax
		push	[ebp+var_2C]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_7E20B4:				; CODE XREF: ExpWnfDeletePermanentName(x,x)+4Ej
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_ExpWnfDeletePermanentName@8 endp

; [00000005 BYTES: COLLAPSED FUNCTION MmStoreFlushAllHintedPages(). PRESS KEYPAD "+" TO	EXPAND]
		align 4

;  S U B	R O U T	I N E 


; __stdcall VrpIncrementDiffHiveEntryHardRefCount(x)
_VrpIncrementDiffHiveEntryHardRefCount@4 proc near
					; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+172p
		inc	dword ptr [ecx+10h]
		cmp	dword ptr [ecx+10h], 1
		jbe	_VrpReferenceDiffHiveEntryUnsafe@4 ; VrpReferenceDiffHiveEntryUnsafe(x)
		retn
_VrpIncrementDiffHiveEntryHardRefCount@4 endp


;  S U B	R O U T	I N E 


; __stdcall VrpReferenceDiffHiveEntryUnsafe(x)
_VrpReferenceDiffHiveEntryUnsafe@4 proc	near
					; CODE XREF: VrpIncrementDiffHiveEntryHardRefCount(x)+7j
					; VrpUnloadDifferencingHive+18F9D3p
		mov	edi, edi
		push	esi
		lea	esi, [ecx+8]
		mov	ecx, [esi]
		lea	edx, [ecx+1]

loc_7E20E1:				; CODE XREF: VrpReferenceDiffHiveEntryUnsafe(x)+1Fj
		cmp	edx, 1
		jbe	short loc_7E20F7
		mov	eax, ecx
		lock cmpxchg [esi], edx
		mov	edx, eax
		cmp	edx, ecx
		jz	short loc_7E2100
		mov	ecx, edx
		inc	edx
		jmp	short loc_7E20E1
; 

loc_7E20F7:				; CODE XREF: VrpReferenceDiffHiveEntryUnsafe(x)+Ej
		push	0Eh
		pop	ecx
		jz	short loc_7E20FE
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_7E20FE:				; CODE XREF: VrpReferenceDiffHiveEntryUnsafe(x)+24j
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_7E2100:				; CODE XREF: VrpReferenceDiffHiveEntryUnsafe(x)+1Aj
		pop	esi
		retn
_VrpReferenceDiffHiveEntryUnsafe@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnTracingStateExWorkerRoutine	proc near ; DATA XREF: PfSnInitializePrefetcher()+C9o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, offset dword_6D4964
		mov	ecx, edi
		call	ExAcquireFastMutex
		xor	esi, esi
		cmp	dword_6D4988, 2
		jnz	sub_8FA803
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_7E212B:				; CODE XREF: sub_8FA803+53j
					; sub_8FA803+61j
		push	esi
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
PfSnTracingStateExWorkerRoutine	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopAvlFreePowerRequestStats(x, x)
_PopAvlFreePowerRequestStats@8 proc near ; DATA	XREF: PopStatsInitPowerRequestLibrary()+30o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	54515750h
		push	[ebp+arg_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_PopAvlFreePowerRequestStats@8 endp


;  S U B	R O U T	I N E 


; __stdcall AdtpEtwBuildDashString(x)
_AdtpEtwBuildDashString@4 proc near	; CODE XREF: AdtpPackageParameters+2BFp
					; AdtpPackageParameters+83E1Bp	...
		and	dword ptr [ecx+4], 0
		and	dword ptr [ecx+0Ch], 0
		mov	dword ptr [ecx], offset	dword_40A908
		mov	dword ptr [ecx+8], 4
		retn
_AdtpEtwBuildDashString@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSymlinkEnforceEnabledTypes proc near	; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1B4p

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FA869 SIZE 000000B7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, _IopSymlinkEnabledTypes
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_2], dl
		mov	[ebp+var_1], cl
		mov	[ebp+var_8], edi
		cmp	ebx, 0Fh
		jz	short loc_7E21E2
		push	edi
		lea	eax, [ebp+var_8]
		push	eax
		push	offset _GUID_ECP_NETWORK_OPEN_CONTEXT
		push	[ebp+arg_0]
		call	_FsRtlFindExtraCreateParameter@16 ; FsRtlFindExtraCreateParameter(x,x,x,x)
		test	eax, eax
		jns	short loc_7E21A3
		cmp	eax, 0C0000225h
		jnz	short loc_7E21E4

loc_7E21A3:				; CODE XREF: IopSymlinkEnforceEnabledTypes+34j
		mov	esi, [ebp+var_8]
		test	esi, esi
		jnz	loc_8FA869

loc_7E21AE:				; CODE XREF: IopSymlinkEnforceEnabledTypes+11870Dj
		cmp	[ebp+var_1], 0
		push	2
		pop	ecx
		jz	loc_8FA878

loc_7E21BB:				; CODE XREF: IopSymlinkEnforceEnabledTypes+118721j
		mov	al, [ebp+var_2]
		test	al, al
		jz	loc_8FA88C

loc_7E21C6:				; CODE XREF: IopSymlinkEnforceEnabledTypes+118728j
					; IopSymlinkEnforceEnabledTypes+118776j
		cmp	[ebp+var_1], 0
		jz	loc_8FA8EE
		test	bl, 3
		jz	short loc_7E21EB
		test	al, al
		jz	loc_8FA8E1
		test	bl, 1

loc_7E21E0:				; CODE XREF: IopSymlinkEnforceEnabledTypes+1187B5j
		jz	short loc_7E21EB

loc_7E21E2:				; CODE XREF: IopSymlinkEnforceEnabledTypes+1Ej
					; IopSymlinkEnforceEnabledTypes:loc_8FA906j ...
		xor	eax, eax

loc_7E21E4:				; CODE XREF: IopSymlinkEnforceEnabledTypes+3Bj
					; IopSymlinkEnforceEnabledTypes+8Aj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7E21EB:				; CODE XREF: IopSymlinkEnforceEnabledTypes+6Dj
					; IopSymlinkEnforceEnabledTypes:loc_7E21E0j ...
		mov	eax, 0C0000715h
		jmp	short loc_7E21E4
IopSymlinkEnforceEnabledTypes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpApplyTransientFilters proc near	; CODE XREF: EtwpNotifyGuid(x,x,x)+21Cp
					; EtwpIsRegEntryAllowed+9Dp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FA920 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	bl, 1
		test	[edi+32h], bl
		jnz	short loc_7E223A
		mov	esi, [ebp+arg_8]
		mov	edx, [esi]
		test	edx, edx
		jnz	loc_8FA920

loc_7E2215:				; CODE XREF: EtwpApplyTransientFilters+11873Dj
		mov	edx, [esi+4]
		xor	ecx, ecx
		test	edx, edx
		jnz	loc_8FA934
		cmp	[esi+8], ecx
		jnz	loc_8FA934

loc_7E222B:				; CODE XREF: EtwpApplyTransientFilters+118750j
		test	bl, bl
		jz	short loc_7E223A
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	loc_8FA947

loc_7E223A:				; CODE XREF: EtwpApplyTransientFilters+14j
					; EtwpApplyTransientFilters+3Bj ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	0Ch
EtwpApplyTransientFilters endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtBucketsAllocate(x, x)
_PopEtBucketsAllocate@8	proc near	; CODE XREF: PopEtProcessSnapshotCreate+FBp
					; PopEtAggregateGet+12Dp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	54456F50h
		push	[ebp+arg_0]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_PopEtBucketsAllocate@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopInitializeWorkItem(x, x,	x)
_PopInitializeWorkItem@12 proc near	; CODE XREF: PopInitializeIRTimer(x,x,x,x,x,x,x)+2Dp
					; PoInitSystem+14Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		lea	eax, [ecx+10h]
		xchg	esi, [eax]
		mov	eax, [ebp+arg_0]
		and	dword ptr [ecx], 0
		mov	[ecx+8], edx
		mov	[ecx+0Ch], eax
		pop	esi
		pop	ebp
		retn	4
_PopInitializeWorkItem@12 endp


;  S U B	R O U T	I N E 


CmListGetPrevElement proc near		; CODE XREF: CmpGetEffectiveCellType(x,x)+29p
					; CmpUndoDeleteKeyForTransEx(x,x,x)+41p ...

; FUNCTION CHUNK AT 008FA97B SIZE 0000000D BYTES

		mov	edi, edi
		push	esi
		mov	esi, [edx]
		test	esi, esi
		jnz	short loc_7E2288
		mov	esi, [ecx+4]
		mov	[edx], esi

loc_7E2288:				; CODE XREF: CmListGetPrevElement+7j
		cmp	ecx, esi
		jnz	loc_8FA97B
		xor	eax, eax

loc_7E2292:				; CODE XREF: CmListGetPrevElement+118709j
		pop	esi
		retn	4
CmListGetPrevElement endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry  22.

;  S U B	R O U T	I N E 


; __stdcall ExpReducedLicenseData()
		public _ExpReducedLicenseData@0
_ExpReducedLicenseData@0 proc near	; CODE XREF: SLUpdateLicenseDataInternal(x,x,x):loc_A06E7Ep
		cmp	_InitSafeBootMode, 0
		jnz	short loc_7E22B1
		cmp	_InitIsWinPEMode, 0
		jnz	short loc_7E22B1
		xor	al, al
		retn
; 

loc_7E22B1:				; CODE XREF: ExpReducedLicenseData()+7j
					; ExpReducedLicenseData()+10j
		mov	al, 1
		retn
_ExpReducedLicenseData@0 endp


;  S U B	R O U T	I N E 


; __stdcall VrpLockDiffHiveEntry(x)
_VrpLockDiffHiveEntry@4	proc near	; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+16Bp
					; VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+27Bp
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		add	ecx, 0Ch
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_VrpLockDiffHiveEntry@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtBucketsFree(x,	x)
_PopEtBucketsFree@8 proc near		; CODE XREF: PopEtProcessSnapshotCreate+211p
					; PopEtAggregateGet+23Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	54456F50h
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_PopEtBucketsFree@8 endp


;  S U B	R O U T	I N E 


; __stdcall VrpUnlockDiffHiveEntry(x)
_VrpUnlockDiffHiveEntry@4 proc near	; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+1C2p
					; VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+2B9p
		mov	edi, edi
		push	esi
		lea	esi, [ecx+0Ch]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7E22FC
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_7E22FC:				; CODE XREF: VrpUnlockDiffHiveEntry(x)+11j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_VrpUnlockDiffHiveEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopBusNumberUnpackRequirement(x, x,	x, x, x)
_IopBusNumberUnpackRequirement@20 proc near ; DATA XREF: IopBusNumberInitialize()+12o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	esi
		xor	esi, esi
		mov	eax, [edx+0Ch]
		mov	[ecx], eax
		mov	[ecx+4], esi
		mov	eax, [edx+10h]
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		mov	[ecx+4], esi
		mov	ecx, [ebp+arg_C]
		mov	eax, [edx+8]
		mov	[ecx], eax
		mov	eax, [ebp+arg_10]
		mov	[ecx+4], esi
		mov	[eax+4], esi
		mov	dword ptr [eax], 1
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	14h
_IopBusNumberUnpackRequirement@20 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry  17.

;  S U B	R O U T	I N E 


; __stdcall RtlGetHostNtSystemRoot()
		public _RtlGetHostNtSystemRoot@0
_RtlGetHostNtSystemRoot@0 proc near	; CODE XREF: IoConfigureCrashDump+8681Dp
					; INIT:00ACD39Ap
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		add	eax, 26Ch
		retn
_RtlGetHostNtSystemRoot@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetLeapSecondDataRegistryKeyHandle(x)
_ExpGetLeapSecondDataRegistryKeyHandle@4 proc near
					; CODE XREF: ExpReadLeapSecondData(x,x)+4Dp
					; ExSetLeapSecondEnabled(x)+16p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		mov	[ebp+var_1C], 18h
		push	esi
		push	eax
		push	eax
		push	eax
		push	eax
		mov	[ebp+var_4], eax
		mov	esi, ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_10], 240h
		push	eax
		mov	[ebp+var_14], offset _ExpLeapSecondRegkeyPath
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7E23B3
		mov	ecx, [ebp+var_4]
		mov	[esi], ecx

loc_7E23B3:				; CODE XREF: ExpGetLeapSecondDataRegistryKeyHandle(x)+46j
		pop	esi
		leave
		retn
_ExpGetLeapSecondDataRegistryKeyHandle@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpParseAndUpdateLeapSecondData	proc near ; CODE XREF: ExpReadLeapSecondData(x,x)+14Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FA988 SIZE 00000095 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_4], eax
		xor	edi, edi
		mov	[ebp+var_8], esi
		cmp	dword ptr [eax+4], 3
		jnz	short loc_7E2411
		mov	ecx, [eax+8]
		xor	edx, edx
		push	0Ch
		mov	eax, ecx
		pop	ebx
		div	ebx
		test	edx, edx
		jnz	short loc_7E2411
		mov	eax, ecx
		div	ebx
		mov	ebx, eax
		mov	ecx, ebx
		shl	ecx, 3
		add	ecx, 8
		cmp	ecx, 1000h
		ja	short loc_7E240A
		test	ebx, ebx
		jnz	loc_8FA990
		xor	esi, esi

loc_7E2403:				; CODE XREF: ExpParseAndUpdateLeapSecondData+1185D5j
					; ExpParseAndUpdateLeapSecondData+1185E4j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7E240A:				; CODE XREF: ExpParseAndUpdateLeapSecondData+41j
		push	2
		jmp	loc_8FA98A
; 

loc_7E2411:				; CODE XREF: ExpParseAndUpdateLeapSecondData+1Bj
					; ExpParseAndUpdateLeapSecondData+2Bj
		xor	esi, esi
		inc	esi
		jmp	loc_8FAA05
ExpParseAndUpdateLeapSecondData	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopBusNumberPackResource(x,	x, x, x)
_IopBusNumberPackResource@16 proc near	; DATA XREF: IopBusNumberInitialize()+1Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		mov	byte ptr [edx],	6
		mov	al, [ecx+2]
		mov	[edx+1], al
		mov	ax, [ecx+4]
		mov	[edx+2], ax
		mov	eax, [ebp+arg_4]
		mov	[edx+4], eax
		mov	eax, [ecx+8]
		mov	[edx+8], eax
		xor	eax, eax
		pop	ebp
		retn	10h
_IopBusNumberPackResource@16 endp


;  S U B	R O U T	I N E 


; __stdcall CmFcpInitializeSectionState(x)
_CmFcpInitializeSectionState@4 proc near
					; CODE XREF: CmFcManagerStartRuntimePhase(x):loc_AB33CAp
					; CmFcManagerInitialize(x):loc_AD8DBDp
		mov	edi, edi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		pop	edi
		retn
_CmFcpInitializeSectionState@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; int __fastcall CmpInitializeParseContext(void	*)
_CmpInitializeParseContext@4 proc near	; CODE XREF: CmInitSystem1(x)+6Ep
		mov	edi, edi
		push	esi
		push	0B4h		; size_t
		mov	esi, ecx
		push	0		; int
		push	esi		; void *
		call	_memset
		or	dword ptr [esi+3Ch], 0FFFFFFFFh
		lea	eax, [esi+58h]
		push	38h		; size_t
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+7Ch]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 18h
		pop	esi
		retn
_CmpInitializeParseContext@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiSessionAddProcess(x, x)
_MiSessionAddProcess@8 proc near	; CODE XREF: MiMarkSessionMasterProcess+17p
		mov	[ecx+180h], edx
		lea	eax, [ecx+0FCh]
		mov	edx, 10000h
		lock or	[eax], edx
		retn
_MiSessionAddProcess@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ExpNodeInitialize(x)
_ExpNodeInitialize@4 proc near		; CODE XREF: ExpWorkerInitialization:loc_AD4B5Cp
		mov	edi, edi
		push	esi
		push	40h		; size_t
		lea	esi, [ecx+140h]
		push	0		; int
		push	esi		; void *
		call	_memset
		and	dword ptr [esi+0Ch], 0
		add	esp, 0Ch
		and	dword ptr [esi], 0
		mov	dword ptr [esi+8], offset _ExpNodeHotAddProcessorWorker@4 ; ExpNodeHotAddProcessorWorker(x)
		pop	esi
		retn
_ExpNodeInitialize@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiSizeMemoryListLocks()
_MiSizeMemoryListLocks@0 proc near	; CODE XREF: MmCreatePartition(x,x):loc_57B167p
					; MiAddPartitionToCrashDump(x,x)+2Ep ...
		mov	eax, dword_6D06D4
		movzx	ecx, ds:_KeNumberNodes
		lea	eax, ds:0Fh[eax*2]
		add	eax, ecx
		imul	eax, 0Ch
		retn
_MiSizeMemoryListLocks@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopClearHibernateDiagnosticInfo()
_PopClearHibernateDiagnosticInfo@0 proc	near
					; CODE XREF: PopUnlockAfterSleepWorker(x):loc_720534p
		push	80h		; size_t
		push	0		; int
		push	offset _PopHibernateDiagnosticInfo ; void *
		call	_memset
		add	esp, 0Ch
		retn
_PopClearHibernateDiagnosticInfo@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall EtwpInitializeStackLookasideList()
_EtwpInitializeStackLookasideList@0 proc near ;	CODE XREF: EtwpInitialize+102p
		xor	eax, eax
		mov	_EtwpStackLookAsideList, eax
		mov	dword_6BC444, eax
		mov	dword_6BC448, eax
		mov	dword_6BC44C, eax
		retn
_EtwpInitializeStackLookasideList@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmBeginProfileAccumulation(x, x, x)
_PpmBeginProfileAccumulation@12	proc near ; CODE XREF: PpmInitPolicyConfiguration()+99p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	[ecx+200h], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+204h], eax
		pop	ebp
		retn	8
_PpmBeginProfileAccumulation@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorHandleSystemTransitionStartIntent(x, x, x)
_PopPowerAggregatorHandleSystemTransitionStartIntent@12	proc near
					; DATA XREF: PAGEDATA:00A93490o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 3
		xor	eax, eax
		pop	ebp
		retn	0Ch
_PopPowerAggregatorHandleSystemTransitionStartIntent@12	endp


;  S U B	R O U T	I N E 


; __stdcall MiSessionPoolTrackTable()
_MiSessionPoolTrackTable@0 proc	near	; CODE XREF: ExInitializeSessionPoolTrackTable():loc_56015Ep
		mov	eax, dword_6D05D4
		add	eax, 3000h
		retn
_MiSessionPoolTrackTable@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpSetGlobalQuotaAllowed()
_CmpSetGlobalQuotaAllowed@0 proc near	; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+2DDp
		mov	eax, ds:_CmpGlobalQuota
		mov	ds:_CmpGlobalQuotaAllowed, eax
		retn
_CmpSetGlobalQuotaAllowed@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspSiloInitializeSharedUserSessionId(x)
_PspSiloInitializeSharedUserSessionId@4	proc near
					; CODE XREF: PspInitializeSiloStructures+51p
		or	dword ptr [ecx+18h], 0FFFFFFFFh
		xor	eax, eax
		retn
_PspSiloInitializeSharedUserSessionId@4	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall BiIsLogEnabled()
_BiIsLogEnabled@0 proc near		; CODE XREF: PopCheckForAbnormalResetp
					; BiLogFileOwnerProcess(x,x)+3Dp ...
		xor	al, al
		retn
_BiIsLogEnabled@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopClearShutdownMarker()
_PopClearShutdownMarker@0 proc near	; CODE XREF: PopUnlockAfterSleepWorker(x)+50p
		and	_PopBsdShutdownInProgress, 0
		retn
_PopClearShutdownMarker@0 endp


;  S U B	R O U T	I N E 


; __stdcall CmSiRWLockInitialize(x)
_CmSiRWLockInitialize@4	proc near	; CODE XREF: SshInitialize+Ep
					; SshInitialize+2Dp ...
		and	dword ptr [ecx], 0
		retn
_CmSiRWLockInitialize@4	endp


;  S U B	R O U T	I N E 


; __stdcall MmConfigurePrefetchSeekThreshold(x)
_MmConfigurePrefetchSeekThreshold@4 proc near ;	CODE XREF: MiInitSystem+38Bp
		mov	dword_6D3488, ecx
		retn
_MmConfigurePrefetchSeekThreshold@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpCloseRegistrationObject proc near	; DATA XREF: EtwpInitializeRegistration()+88o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008FF30C SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 1
		jnz	short loc_7E25B4
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		lea	esi, [edi+32h]
		test	byte ptr [esi],	2
		jz	short loc_7E25AB
		push	ebx
		mov	ebx, offset _ETW_EVENT_PROVIDER_UNREGISTERS
		push	ebx
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8FF30C

loc_7E25AA:				; CODE XREF: EtwpCloseRegistrationObject+11CDAEj
		pop	ebx

loc_7E25AB:				; CODE XREF: EtwpCloseRegistrationObject+16j
		push	40h
		pop	eax
		lock or	[esi], ax
		pop	edi
		pop	esi

loc_7E25B4:				; CODE XREF: EtwpCloseRegistrationObject+9j
		pop	ebp
		retn	10h
EtwpCloseRegistrationObject endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 859. IoGetDevicePropertyData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoGetDevicePropertyData
IoGetDevicePropertyData	proc near	; CODE XREF: PopFxQueryBiosDeviceName(x,x)+32p
					; PopFxQueryBiosDeviceName(x,x)+88p ...

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 009080FE SIZE 00000122 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		test	esi, esi
		jz	loc_9081D9
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_9080FE
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_9080FE
		push	[ebp+arg_1C]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, esi
		call	PnpGetDevicePropertyData
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	20h
IoGetDevicePropertyData	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpGetDevicePropertyData proc near	; CODE XREF: IoGetDevicePropertyData+4Bp

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0090823C SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0CCh+var_4], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	[esp+0D4h+var_CC], eax
		xor	esi, esi
		mov	eax, [ebp+arg_14]
		push	edi
		mov	[esp+0D8h+var_BC], eax
		mov	edi, ecx
		mov	eax, 0AAh
		mov	[esp+0D8h+var_C0], edx
		push	eax		; size_t
		lea	eax, [esp+0DCh+var_B8]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+0D8h+var_C8], esi
		mov	[esp+0D8h+var_C4], esi
		test	edi, edi
		jz	short loc_7E2677
		mov	eax, [edi+0B0h]
		mov	esi, [eax+14h]

loc_7E2677:				; CODE XREF: PnpGetDevicePropertyData+56j
		test	esi, esi
		jz	loc_908282
		cmp	dword ptr [esi+18h], 0
		jz	loc_908282
		cmp	[ebp+arg_0], 0
		jnz	loc_90823C

loc_7E2693:				; CODE XREF: PnpGetDevicePropertyData+125C45j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpDevicePropertyLock
		call	ExAcquireResourceSharedLite
		mov	edx, [esi+18h]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	[esp+0DCh+var_CC]
		push	[ebp+arg_8]
		push	ebx
		push	[esp+0E8h+var_BC]
		push	[esp+0ECh+var_C0]
		push	[esp+0F0h+var_C4]
		push	0
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [esp+0D8h+var_C0]
		cmp	dword ptr [eax+10h], 2
		jz	short loc_7E271F

loc_7E26E1:				; CODE XREF: PnpGetDevicePropertyData+11Bj
					; PnpGetDevicePropertyData+137j ...
		mov	ecx, offset _PnpDevicePropertyLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	esi, 0C0000225h
		jz	short loc_7E2718

loc_7E26FF:				; CODE XREF: PnpGetDevicePropertyData+107j
					; PnpGetDevicePropertyData+125C50j ...
		mov	ecx, [esp+0D8h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7E2718:				; CODE XREF: PnpGetDevicePropertyData+E7j
		mov	esi, 0C0000034h
		jmp	short loc_7E26FF
; 

loc_7E271F:				; CODE XREF: PnpGetDevicePropertyData+C9j
		push	10h		; size_t
		push	offset _INTERRUPT_CONNECTION_DATA_PKEY ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7E26E1
		cmp	esi, 0C0000034h
		jz	loc_90826B
		cmp	esi, 0C0000225h
		jz	loc_90826B
		test	esi, esi
		jnz	short loc_7E26E1
		mov	eax, [esp+0D8h+var_CC]
		mov	edx, ebx	; Source2
		mov	ecx, edi	; int
		push	dword ptr [eax]	; Length
		call	PnpCompareInterruptInformation
		jmp	short loc_7E26E1
PnpGetDevicePropertyData endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1716. PoRegisterPowerSettingCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PoRegisterPowerSettingCallback(int,void	*,int,int,int)
		public PoRegisterPowerSettingCallback
PoRegisterPowerSettingCallback proc near ; CODE	XREF: HvlpRegisterPowerPolicyCallbacks()+24p
					; HvlpRegisterPowerPolicyCallbacks()+52p ...

var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00908A6F SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 23Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+23Ch+var_4], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		xor	ebx, ebx
		mov	[esp+240h+var_214], eax
		mov	eax, dword_6C2D0C
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ecx, esi	; void *
		push	edi
		mov	[esp+248h+var_23C], esi
		mov	[esp+248h+var_22C], ebx
		mov	[esp+248h+var_234], ebx
		mov	[esp+248h+var_220], ebx
		mov	[esp+248h+var_21C], ebx
		mov	[esp+248h+var_228], ebx
		mov	[esp+248h+var_224], ebx
		mov	[esp+248h+var_238], ebx
		mov	[esp+248h+var_218], eax
		call	_PopStateIsSessionSpecific@4 ; PopStateIsSessionSpecific(x)
		test	al, al
		jnz	loc_7E2931
		mov	edi, [ebp+arg_8]
		mov	[esp+248h+var_230], ebx
		test	edi, edi
		jz	short loc_7E27EC
		push	10h		; size_t
		push	esi		; void *
		push	offset _GUID_CONSOLE_DISPLAY_STATE ; "VoJpG$oG"
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7E2938

loc_7E27EC:				; CODE XREF: PoRegisterPowerSettingCallback+6Cj
					; PoRegisterPowerSettingCallback+205j ...
		mov	ecx, offset _PopSettingLock
		call	ExAcquireFastMutex
		mov	edi, 74655350h
		push	edi
		push	48h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_908A7D
		push	48h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+arg_8]
		add	esp, 0Ch
		mov	[ebx+8], edi
		lea	edi, [ebx+24h]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [esp+248h+var_230]
		mov	[ebx+38h], eax
		mov	eax, [ebp+arg_C]
		mov	[ebx+3Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[ebx+40h], eax
		test	esi, esi
		jnz	loc_908A87
		mov	eax, [esp+248h+var_23C]

loc_7E2848:				; CODE XREF: PoRegisterPowerSettingCallback+12632Fj
		mov	esi, eax
		lea	edi, [ebx+14h]
		or	edx, 0FFFFFFFFh
		mov	ecx, eax
		movsd
		movsd
		movsd
		movsd
		call	_PopFindPowerSettingConfiguration@8 ; PopFindPowerSettingConfiguration(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_7E28FC
		mov	esi, [esp+248h+var_23C]
		push	10h		; size_t
		push	offset _GUID_IDLE_BACKGROUND_TASK ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7E2921
		push	10h		; size_t
		push	offset _GUID_BACKGROUND_TASK_NOTIFICATION ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7E2921

loc_7E2899:				; CODE XREF: PoRegisterPowerSettingCallback+1C6j
		lea	eax, [edi+8]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_7E29B7
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		mov	[eax+4], ebx

loc_7E28B1:				; CODE XREF: PoRegisterPowerSettingCallback+1B5j
		xor	esi, esi
		cmp	_PopOsInitPhase, 3
		sbb	al, al
		inc	al
		mov	byte ptr [esp+248h+var_22C], al
		mov	eax, [esp+248h+var_214]
		test	eax, eax
		jnz	short loc_7E291D

loc_7E28CA:				; CODE XREF: PoRegisterPowerSettingCallback+1B9j
					; PoRegisterPowerSettingCallback+12631Cj
		mov	ecx, offset _PopSettingLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	byte ptr [esp+248h+var_22C], 0
		jz	short loc_7E28E3
		push	20h
		pop	ecx
		call	_PopSetNotificationWork@4 ; PopSetNotificationWork(x)

loc_7E28E3:				; CODE XREF: PoRegisterPowerSettingCallback+173j
					; PoRegisterPowerSettingCallback+1D0j
		mov	ecx, [esp+248h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7E28FC:				; CODE XREF: PoRegisterPowerSettingCallback+F9j
		mov	eax, dword_6C216C
		mov	ecx, offset _PopRegisteredPowerSettingCallbacks
		cmp	[eax], ecx
		jnz	loc_7E29B7
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	dword_6C216C, ebx
		jmp	short loc_7E28B1
; 

loc_7E291D:				; CODE XREF: PoRegisterPowerSettingCallback+162j
		mov	[eax], ebx
		jmp	short loc_7E28CA
; 

loc_7E2921:				; CODE XREF: PoRegisterPowerSettingCallback+115j
					; PoRegisterPowerSettingCallback+12Dj
		mov	eax, [esp+248h+var_218]
		mov	eax, [edi+eax*4+30h]
		mov	[ebx+34h], eax
		jmp	loc_7E2899
; 

loc_7E2931:				; CODE XREF: PoRegisterPowerSettingCallback+5Dj
		mov	esi, 0C000000Dh
		jmp	short loc_7E28E3
; 

loc_7E2938:				; CODE XREF: PoRegisterPowerSettingCallback+80j
		mov	eax, 208h
		push	eax		; size_t
		lea	eax, [esp+24Ch+var_210]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		lea	eax, [esp+254h+var_210]
		add	esp, 0Ch
		mov	[esp+248h+var_224], eax
		mov	eax, 208h
		mov	word ptr [esp+248h+var_228+2], ax
		lea	eax, [esp+248h+var_228]
		push	eax
		push	edi
		call	RtlPcToFileName
		test	eax, eax
		js	loc_7E27EC
		lea	eax, [esp+248h+var_228]
		mov	[esp+248h+var_21C], 8
		mov	[esp+248h+var_220], eax
		lea	eax, [esp+248h+var_220]
		mov	[esp+248h+var_238], eax
		lea	eax, [esp+248h+var_234]
		push	eax		; int
		push	1		; int
		lea	eax, [esp+250h+var_238]
		push	eax		; int
		push	offset _GUID_EM_PO_CONSOLE_STATE_CHANGE_REMAP_RULE ; void *
		call	EmClientRuleEvaluate
		test	eax, eax
		js	loc_7E27EC
		cmp	[esp+248h+var_234], 2
		jnz	loc_7E27EC
		jmp	loc_908A6F
; 

loc_7E29B7:				; CODE XREF: PoRegisterPowerSettingCallback+13Bj
					; PoRegisterPowerSettingCallback+1A2j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PoRegisterPowerSettingCallback endp	; AL = character to display


;  S U B	R O U T	I N E 


EtwpCheckForStackTracingExtension proc near ; CODE XREF: EtwpStartLogger+5AEp
					; EtwpUpdateTrace+164p

; FUNCTION CHUNK AT 0090CBFA SIZE 00000064 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	3
		mov	ebx, edx
		mov	edi, ecx
		pop	edx
		xor	esi, esi
		call	_EtwpGetFlagExtension@8	; EtwpGetFlagExtension(x,x)
		mov	edx, eax
		test	edx, edx
		jnz	loc_90CBFA

loc_7E29D9:				; CODE XREF: EtwpCheckForStackTracingExtension+12A25Ej
					; EtwpCheckForStackTracingExtension+12A270j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
EtwpCheckForStackTracingExtension endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall EtwpGetFlagExtension(x, x)
_EtwpGetFlagExtension@8	proc near	; CODE XREF: EtwpCheckForStackTracingExtension+Ep
					; EtwpUpdateLoggerGroupMasks+45p ...
		mov	eax, [ecx+48h]
		push	esi
		mov	si, dx
		push	edi
		test	eax, eax
		js	short loc_7E29F1

loc_7E29EC:				; CODE XREF: EtwpGetFlagExtension(x,x)+24j
					; EtwpGetFlagExtension(x,x)+36j
		xor	eax, eax

loc_7E29EE:				; CODE XREF: EtwpGetFlagExtension(x,x)+3Cj
		pop	edi
		pop	esi
		retn
; 

loc_7E29F1:				; CODE XREF: EtwpGetFlagExtension(x,x)+Aj
		movzx	eax, ax
		xor	edx, edx
		add	eax, ecx
		movzx	edi, word ptr [eax+2]
		lea	ecx, [eax+4]
		xor	eax, eax
		cmp	ax, di
		jnb	short loc_7E29EC

loc_7E2A06:				; CODE XREF: EtwpGetFlagExtension(x,x)+38j
		cmp	[ecx+2], si
		jz	short loc_7E2A1A
		movzx	eax, word ptr [ecx]
		inc	edx
		lea	ecx, [ecx+eax*4]
		cmp	dx, di
		jnb	short loc_7E29EC
		jmp	short loc_7E2A06
; 

loc_7E2A1A:				; CODE XREF: EtwpGetFlagExtension(x,x)+2Aj
		mov	eax, ecx
		jmp	short loc_7E29EE
_EtwpGetFlagExtension@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCCSwapStop(x, x)
_EtwpCCSwapStop@8 proc near		; CODE XREF: EtwpUpdateGroupMasks+ECp
					; EtwpFlushTrace+129868p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ds:_KeNumberProcessors
		mov	al, dl
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_1], al
		mov	esi, ecx
		test	ebx, ebx
		jz	short loc_7E2A61

loc_7E2A3A:				; CODE XREF: EtwpCCSwapStop(x,x)+3Ej
		mov	ecx, edi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	eax, [eax+4054h]
		cmp	dword ptr [eax+esi*4+128h], 0
		jz	short loc_7E2A59
		mov	byte ptr [eax+esi+120h], 1

loc_7E2A59:				; CODE XREF: EtwpCCSwapStop(x,x)+31j
		inc	edi
		cmp	edi, ebx
		jb	short loc_7E2A3A
		mov	al, [ebp+var_1]

loc_7E2A61:				; CODE XREF: EtwpCCSwapStop(x,x)+1Aj
		test	al, al
		jz	short loc_7E2A6C
		dec	_CCSwapNumLoggersPerClockType[esi*4]

loc_7E2A6C:				; CODE XREF: EtwpCCSwapStop(x,x)+45j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCCSwapStop@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpUpdateLoggerGroupMasks proc	near	; CODE XREF: EtwpStopLoggerInstance(x)+2Dp
					; EtwpStartLogger+A34p	...

var_24		= dword	ptr -24h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090CC5E SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_24]
		push	8
		mov	esi, edx
		xor	eax, eax
		pop	ecx
		rep stosd
		test	esi, esi
		jnz	short loc_7E2AB2

loc_7E2A99:				; CODE XREF: EtwpUpdateLoggerGroupMasks+76j
					; EtwpUpdateLoggerGroupMasks+12A1F1j ...
		lea	edx, [ebp+var_24]
		mov	ecx, ebx
		call	EtwpUpdateGroupMasks

loc_7E2AA3:				; CODE XREF: EtwpUpdateLoggerGroupMasks+7Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7E2AB2:				; CODE XREF: EtwpUpdateLoggerGroupMasks+25j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_EtwpGetFlagExtension@8	; EtwpGetFlagExtension(x,x)
		test	eax, eax
		jz	loc_90CC5E
		mov	cx, [eax]
		shl	cx, 2
		sub	cx, 4
		movzx	ecx, cx
		cmp	ecx, 20h
		ja	short loc_7E2AEA
		push	ecx		; size_t
		add	eax, 4
		push	eax		; void *
		lea	eax, [ebp+var_24]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_7E2A99
; 

loc_7E2AEA:				; CODE XREF: EtwpUpdateLoggerGroupMasks+63j
		mov	eax, 0C000000Dh
		jmp	short loc_7E2AA3
EtwpUpdateLoggerGroupMasks endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpUpdateGroupMasks proc near		; CODE XREF: EtwpUpdateLoggerGroupMasks+2Cp
					; EtwSetPerformanceTraceInformation(x,x,x)+105p

var_6A		= byte ptr -6Ah
var_69		= byte ptr -69h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090CC71 SIZE 00000094 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [esp+78h+var_44]
		push	8
		pop	ecx
		xor	eax, eax
		mov	[esp+78h+var_5C], esi
		rep stosd
		push	8
		pop	ecx
		mov	ebx, edx
		lea	edi, [esp+78h+var_24]
		rep stosd
		mov	edi, [esi]
		mov	dl, 1
		mov	eax, [esi+2E4h]
		mov	ecx, ebx
		mov	[esp+78h+var_50], ebx
		mov	[esp+78h+var_60], edi
		mov	[esp+78h+var_68], eax
		call	_EtwpMapEnableFlags@8 ;	EtwpMapEnableFlags(x,x)
		test	ebx, ebx
		jz	short loc_7E2B53
		mov	eax, [ebx+4]
		test	al, 11h
		jnz	loc_90CC71

loc_7E2B53:				; CODE XREF: EtwpUpdateGroupMasks+54j
					; EtwpUpdateGroupMasks+12A185j
		mov	eax, [esi+2E4h]
		cmp	eax, ds:_EtwpHostSiloState
		jnz	loc_90CC7C

loc_7E2B65:				; CODE XREF: EtwpUpdateGroupMasks+12A199j
		test	ebx, ebx
		jz	short loc_7E2B76
		test	dword ptr [ebx+4], 402h
		jnz	loc_90CC90

loc_7E2B76:				; CODE XREF: EtwpUpdateGroupMasks+75j
					; EtwpUpdateGroupMasks+12A1C5j
		lea	eax, [esi+1F0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[esp+78h+var_48], eax
		call	ExAcquirePushLockExclusiveEx
		movzx	eax, byte ptr [esi+25Ah]
		mov	ecx, eax
		mov	[esp+78h+var_4C], eax
		mov	eax, [esi+2E4h]
		shl	ecx, 5
		add	eax, 948h
		mov	[esp+78h+var_64], ecx
		push	4
		pop	edx
		add	eax, ecx
		jz	loc_7E2D04
		mov	ecx, [eax+4]
		test	cl, dl
		jz	loc_7E2D04
		test	ecx, 100h
		jz	loc_7E2D04
		test	ebx, ebx
		jz	short loc_7E2BD9
		mov	ecx, [ebx+4]
		test	cl, dl
		jnz	loc_90CCC7

loc_7E2BD9:				; CODE XREF: EtwpUpdateGroupMasks+DAj
					; EtwpUpdateGroupMasks+12A1E1j
		mov	ecx, [esi+7Ch]
		mov	dl, 1
		call	_EtwpCCSwapStop@8 ; EtwpCCSwapStop(x,x)

loc_7E2BE3:				; CODE XREF: EtwpUpdateGroupMasks+214j
					; EtwpUpdateGroupMasks+21Fj ...
		mov	ecx, [esp+78h+var_64]
		mov	eax, [esi+2E4h]
		add	ecx, 948h
		add	eax, ecx
		mov	[esp+78h+var_54], eax
		mov	edi, eax
		lea	eax, [esp+78h+var_44]
		sub	ebx, eax
		xor	esi, esi

loc_7E2C03:				; CODE XREF: EtwpUpdateGroupMasks+135j
		lea	ecx, [esp+78h+var_44]
		add	ecx, esi
		mov	edx, [ebx+ecx]
		mov	eax, edx
		not	eax
		and	eax, [edi]
		mov	[ecx], eax
		mov	eax, [edi]
		lea	edi, [edi+4]
		not	eax
		and	eax, edx
		mov	[esp+esi+78h+var_24], eax
		add	esi, 4
		cmp	esi, 20h
		jb	short loc_7E2C03
		mov	edi, [esp+78h+var_60]
		mov	edx, edi
		mov	ecx, [esp+78h+var_68]
		push	20h
		push	[esp+7Ch+var_54]
		call	_EtwpLogGroupMask@16 ; EtwpLogGroupMask(x,x,x,x)
		mov	esi, [esp+78h+var_5C]
		test	dword ptr [esi+0Ch], 400h
		jnz	loc_7E2D46
		mov	edx, [esp+78h+var_68]
		lea	ecx, [esp+78h+var_44]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	edi
		mov	[esp+88h+var_69], al
		call	EtwpKernelTraceRundown

loc_7E2C66:				; CODE XREF: EtwpUpdateGroupMasks+259j
		mov	edi, [esi+2E4h]
		mov	ecx, [esp+78h+var_64]
		mov	ebx, [esp+78h+var_50]
		add	ecx, 948h
		add	edi, ecx
		mov	esi, ebx
		push	8
		pop	ecx
		push	[esp+78h+var_4C]
		rep movsd
		mov	esi, [esp+7Ch+var_60]
		mov	edx, esi
		mov	ecx, [esp+7Ch+var_68]
		call	EtwpUpdateGlobalGroupMasks
		mov	edi, eax
		test	edi, edi
		js	loc_90CCE8
		push	5
		push	ebx
		mov	ebx, [esp+80h+var_68]
		mov	edx, esi
		mov	ecx, ebx
		call	_EtwpLogGroupMask@16 ; EtwpLogGroupMask(x,x,x,x)
		cmp	[esp+78h+var_69], 0
		jnz	loc_7E2D50

loc_7E2CBB:				; CODE XREF: EtwpUpdateGroupMasks+269j
		push	0
		push	0
		push	1
		push	esi
		mov	edx, ebx
		lea	ecx, [esp+88h+var_24]
		call	EtwpKernelTraceRundown

loc_7E2CCD:				; CODE XREF: EtwpUpdateGroupMasks+26Fj
					; EtwpUpdateGroupMasks+12A1FAj
		mov	edx, esi
		mov	ecx, ebx
		call	EtwpLogAlwaysPresentRundown

loc_7E2CD6:				; CODE XREF: EtwpUpdateGroupMasks+252j
		mov	esi, [esp+78h+var_48]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_90CCF1

loc_7E2CE9:				; CODE XREF: EtwpUpdateGroupMasks+12A201j
					; EtwpUpdateGroupMasks+12A20Ej
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, edi

loc_7E2CF2:				; CODE XREF: EtwpUpdateGroupMasks+12A193j
					; EtwpUpdateGroupMasks+12A1D0j
		mov	ecx, [esp+78h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7E2D04:				; CODE XREF: EtwpUpdateGroupMasks+BBj
					; EtwpUpdateGroupMasks+C6j ...
		test	ebx, ebx
		jz	loc_7E2BE3
		mov	ecx, [ebx+4]
		test	cl, dl
		jz	loc_7E2BE3
		test	ecx, 100h
		jz	loc_7E2BE3
		test	eax, eax
		jz	short loc_7E2D32
		mov	eax, [eax+4]
		test	al, dl
		jnz	loc_90CCD8

loc_7E2D32:				; CODE XREF: EtwpUpdateGroupMasks+233j
					; EtwpUpdateGroupMasks+12A1F1j
		mov	ecx, [esi+7Ch]
		call	EtwpCCSwapStart
		mov	edi, eax
		test	edi, edi
		jns	loc_7E2BE3
		jmp	short loc_7E2CD6
; 

loc_7E2D46:				; CODE XREF: EtwpUpdateGroupMasks+157j
		mov	[esp+78h+var_69], 1
		jmp	loc_7E2C66
; 

loc_7E2D50:				; CODE XREF: EtwpUpdateGroupMasks+1C3j
		mov	eax, [esp+78h+var_5C]
		test	byte ptr [eax+258h], 2
		jnz	loc_7E2CBB
		jmp	loc_7E2CCD
EtwpUpdateGroupMasks endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogGroupMask(x,	x, x, x)
_EtwpLogGroupMask@16 proc near		; CODE XREF: EtwpUpdateGroupMasks+147p
					; EtwpUpdateGroupMasks+1B9p ...

var_3C		= dword	ptr -3Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_14], 0
		mov	eax, ecx
		and	[ebp+var_C], 0
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	8
		pop	ecx
		push	offset byte_401802
		push	[ebp+arg_4]
		lea	edi, [ebp+var_3C]
		mov	[ebp+var_10], 24h
		rep movsd
		lea	ecx, [ebp+var_3C]
		mov	[ebp+var_1C], 50h
		push	1
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_18]
		push	edx
		mov	edx, eax
		call	EtwpLogKernelEvent
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpLogGroupMask@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpKernelTraceRundown proc near	; CODE XREF: EtwpUpdateGroupMasks+16Fp
					; EtwpUpdateGroupMasks+1D6p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0090CD05 SIZE 00000170 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, edx
		mov	byte ptr [ebp+arg_4+3],	0
		push	0
		mov	[ebp+var_4], edi
		mov	esi, ecx
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		mov	byte ptr [ebp+var_8], al
		lea	eax, [ebp+arg_4+3]
		push	eax
		push	0
		call	_EtwpOpenLogger@16 ; EtwpOpenLogger(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_7E2EF0
		test	esi, esi
		jz	loc_7E2EC7
		test	byte ptr [esi+4], 20h
		jnz	loc_90CD05

loc_7E2E17:				; CODE XREF: EtwpKernelTraceRundown+129F3Fj
					; EtwpKernelTraceRundown+129F4Ej
		mov	ecx, [esi]
		test	ecx, 0C004h
		jz	loc_7E2EFF

loc_7E2E25:				; CODE XREF: EtwpKernelTraceRundown+13Bj
					; EtwpKernelTraceRundown+144j ...
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, esi
		push	[ebp+arg_8]
		push	ebx
		call	EtwpProcessThreadImageRundown
		mov	ecx, [esi]

loc_7E2E37:				; CODE XREF: EtwpKernelTraceRundown+151j
		lea	eax, [esi+8]
		mov	[ebp+arg_C], eax
		and	ecx, 20000h
		jnz	loc_90CD1B
		test	dword ptr [eax], 1000000h
		mov	[ebp+arg_C], eax
		jnz	loc_90CD1B

loc_7E2E58:				; CODE XREF: EtwpKernelTraceRundown+129F71j
		mov	eax, [esi+4]
		test	al, 2
		jnz	loc_90CD3E

loc_7E2E63:				; CODE XREF: EtwpKernelTraceRundown+129F84j
		test	eax, 400h
		jnz	loc_90CD51

loc_7E2E6E:				; CODE XREF: EtwpKernelTraceRundown+129F97j
		test	eax, 10000h
		jnz	loc_90CD64

loc_7E2E79:				; CODE XREF: EtwpKernelTraceRundown+129FA8j
		test	eax, 20000h
		jnz	loc_90CD75

loc_7E2E84:				; CODE XREF: EtwpKernelTraceRundown+129FB9j
		test	eax, 400008h
		jnz	loc_90CD86

loc_7E2E8F:				; CODE XREF: EtwpKernelTraceRundown+129FD0j
		test	eax, 8000049h
		jnz	loc_90CD9D

loc_7E2E9A:				; CODE XREF: EtwpKernelTraceRundown+129FDEj
		mov	eax, [ebp+arg_C]
		test	dword ptr [eax], 100000h
		jnz	loc_90CDAB

loc_7E2EA9:				; CODE XREF: EtwpKernelTraceRundown+129FECj
		test	esi, esi
		jz	short loc_7E2EC7
		mov	eax, [esi+4]
		test	bl, bl
		jz	short loc_7E2F24
		test	eax, 8000000h
		jnz	loc_90CE42

loc_7E2EBF:				; CODE XREF: EtwpKernelTraceRundown+12A09Aj
		test	al, 20h
		jnz	loc_90CE67

loc_7E2EC7:				; CODE XREF: EtwpKernelTraceRundown+3Fj
					; EtwpKernelTraceRundown+E3j ...
		cmp	byte ptr [ebp+arg_4+3],	0
		jz	short loc_7E2EF0
		mov	eax, [ebp+var_4]
		xor	edx, edx
		inc	edx
		mov	ecx, [eax+188h]
		mov	eax, [ebp+arg_0]
		mov	ecx, [ecx+eax*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_7E2EF0:				; CODE XREF: EtwpKernelTraceRundown+37j
					; EtwpKernelTraceRundown+103j
		push	[ebp+var_8]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7E2EFF:				; CODE XREF: EtwpKernelTraceRundown+57j
		test	byte ptr [esi+10h], 40h
		jnz	loc_7E2E25
		test	cl, 3
		jnz	loc_7E2E25
		test	dword ptr [esi+4], 8000000h
		jz	loc_7E2E37
		jmp	loc_7E2E25
; 

loc_7E2F24:				; CODE XREF: EtwpKernelTraceRundown+EAj
		mov	ebx, [ebp+var_4]
		test	eax, 8000000h
		jnz	loc_90CDB9

loc_7E2F32:				; CODE XREF: EtwpKernelTraceRundown+12A00Fj
		test	al, 9
		jnz	loc_90CDDC

loc_7E2F3A:				; CODE XREF: EtwpKernelTraceRundown+12A02Fj
		test	eax, 80000h
		jnz	loc_90CDFC

loc_7E2F45:				; CODE XREF: EtwpKernelTraceRundown+12A040j
		test	dword ptr [esi], 200h
		jz	short loc_7E2F5E
		mov	edx, [ebp+arg_0]
		push	ecx
		mov	ecx, [edi+2E4h]
		mov	ecx, [ecx]
		call	_WmiTraceRundownNotify@12 ; WmiTraceRundownNotify(x,x,x)

loc_7E2F5E:				; CODE XREF: EtwpKernelTraceRundown+183j
		mov	eax, [esi+10h]
		test	eax, 8000h
		jnz	loc_90CE0D

loc_7E2F6C:				; CODE XREF: EtwpKernelTraceRundown+12A05Bj
		test	al, 0C0h
		jnz	loc_90CE28

loc_7E2F74:				; CODE XREF: EtwpKernelTraceRundown+12A069j
		test	dword ptr [esi+8], 10000h
		jz	loc_7E2EC7
		jmp	loc_90CE36
EtwpKernelTraceRundown endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpProcessThreadImageRundown proc near	; CODE XREF: EtwpKernelTraceRundown+68p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= word ptr -24h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_C		= byte ptr -0Ch
var_A		= byte ptr -0Ah
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0090CE75 SIZE 000000A8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_30]
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		xor	ebx, ebx
		mov	esi, edx
		push	ebx		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		mov	al, [ebp+arg_0]
		add	esp, 0Ch
		mov	ecx, [esi+258h]
		and	ecx, 80h
		mov	[ebp+var_30], edi
		mov	[ebp+var_20], esi
		mov	[ebp+var_C], al
		test	al, al
		jnz	loc_7E304B
		test	ecx, ecx
		jnz	loc_90CE86

loc_7E2FD2:				; CODE XREF: EtwpProcessThreadImageRundown+C9j
					; EtwpProcessThreadImageRundown+129F11j
		mov	[ebp+var_A], al
		test	edi, edi
		jz	short loc_7E2FE3
		test	byte ptr [edi+10h], 40h
		jnz	loc_90CE9C

loc_7E2FE3:				; CODE XREF: EtwpProcessThreadImageRundown+51j
					; EtwpProcessThreadImageRundown+129F1Dj ...
		push	74777445h
		mov	esi, 2000h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	short loc_7E3003
		mov	[ebp+var_24], si

loc_7E3003:				; CODE XREF: EtwpProcessThreadImageRundown+77j
		cmp	[ebp+arg_8], ebx
		ja	loc_90CEC0

loc_7E300C:				; CODE XREF: EtwpProcessThreadImageRundown+129F3Fj
					; EtwpProcessThreadImageRundown+129F5Bj
		lea	eax, [ebp+var_30]
		push	eax
		push	ds:_PsIdleProcess
		call	EtwpProcessEnumCallback
		lea	edx, [ebp+var_30]
		mov	ecx, offset EtwpProcessEnumCallback
		call	PsEnumProcesses

loc_7E3028:				; CODE XREF: EtwpProcessThreadImageRundown+129F71j
					; EtwpProcessThreadImageRundown+129F83j
		cmp	[ebp+var_28], 0
		jz	short loc_7E3038
		push	0
		push	[ebp+var_28]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E3038:				; CODE XREF: EtwpProcessThreadImageRundown+A6j
		cmp	[ebp+var_14], 0
		jnz	loc_90CF0E

loc_7E3042:				; CODE XREF: EtwpProcessThreadImageRundown+129F92j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_7E304B:				; CODE XREF: EtwpProcessThreadImageRundown+3Ej
		xor	al, al
		test	ecx, ecx
		jz	short loc_7E2FD2
		jmp	loc_90CE75
EtwpProcessThreadImageRundown endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpProcessEnumCallback	proc near	; CODE XREF: EtwpProcessThreadImageRundown+90p
					; EtwpProcessThreadImageRundown+129F7Ep
					; DATA XREF: ...

var_30		= byte ptr -30h
var_2F		= byte ptr -2Fh
var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090CF1D SIZE 0000006B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+40h+var_1C]
		mov	[esp+40h+var_28], eax
		rep stosd
		mov	edi, [ebx]
		mov	[esp+40h+var_2D], al
		mov	[esp+40h+var_30], al
		mov	eax, [ebx+10h]
		mov	[esp+40h+var_2C], eax
		mov	al, [ebx+24h]
		push	esi
		mov	[esp+44h+var_2F], al
		mov	[esp+44h+var_20], edi
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		mov	ecx, [esp+40h+var_2C]
		mov	edx, [ecx+2E4h]
		cmp	edx, ds:_EtwpHostSiloState
		jnz	loc_90CF1D

loc_7E30BC:				; CODE XREF: EtwpProcessEnumCallback+129EDAj
		xor	edx, edx
		mov	ecx, esi
		mov	[ebx+25h], dl
		call	_EtwpIsProcessZombie@4 ; EtwpIsProcessZombie(x)
		test	eax, eax
		jnz	loc_7E3251
		mov	[esp+40h+var_2E], 1
		cmp	esi, ds:_PsIdleProcess
		jz	loc_7E3280
		mov	eax, large fs:124h
		cmp	[eax+80h], esi
		jz	loc_7E3289
		lea	ecx, [esi+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_90CF35
		lea	eax, [esp+40h+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	cl, [esp+40h+var_30]
		mov	[esp+40h+var_2D], 1

loc_7E311D:				; CODE XREF: EtwpProcessEnumCallback+235j
		mov	al, [esp+40h+var_2E]

loc_7E3121:				; CODE XREF: EtwpProcessEnumCallback+22Ej
					; EtwpProcessEnumCallback+129EE5j
		mov	[ebx+25h], al
		mov	[ebx+27h], cl
		test	edi, edi
		jz	loc_7E31B1
		cmp	[esp+40h+var_2F], 0
		jnz	loc_7E31E4
		test	dword ptr [edi+4], 8000000h
		jnz	loc_90CF4E

loc_7E3147:				; CODE XREF: EtwpProcessEnumCallback+129F01j
		mov	eax, [edi]
		test	al, 4
		jz	short loc_7E3159
		cmp	esi, ds:_PsInitialSystemProcess
		jz	loc_7E32CE

loc_7E3159:				; CODE XREF: EtwpProcessEnumCallback+F5j
					; EtwpProcessEnumCallback+285j
		test	eax, 0C004h
		jz	short loc_7E316A
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	EtwpEnumerateAddressSpace

loc_7E316A:				; CODE XREF: EtwpProcessEnumCallback+108j
		test	byte ptr [edi+10h], 40h
		jnz	loc_90CF5C

loc_7E3174:				; CODE XREF: EtwpProcessEnumCallback+129F0Cj
					; EtwpProcessEnumCallback+129F1Bj
		test	byte ptr [edi],	2
		jz	short loc_7E3192
		cmp	esi, ds:_PsIdleProcess
		jz	loc_7E3290
		push	ebx
		mov	edx, offset _EtwpThreadEnumCallback@12 ; EtwpThreadEnumCallback(x,x,x)
		mov	ecx, esi
		call	PsEnumProcessThreads

loc_7E3192:				; CODE XREF: EtwpProcessEnumCallback+121j
					; EtwpProcessEnumCallback+245j	...
		mov	eax, [edi]
		test	al, 8
		jnz	loc_90CF76

loc_7E319C:				; CODE XREF: EtwpProcessEnumCallback+129F2Dj
		test	al, 1
		jz	short loc_7E31B1
		mov	edx, [esp+40h+var_2C]
		mov	ecx, esi
		push	ebx
		push	304h
		call	_EtwpTraceProcessRundown@16 ; EtwpTraceProcessRundown(x,x,x,x)

loc_7E31B1:				; CODE XREF: EtwpProcessEnumCallback+D3j
					; EtwpProcessEnumCallback+148j	...
		cmp	[esp+40h+var_2D], 0
		jz	short loc_7E31CE
		xor	edx, edx
		lea	ecx, [esp+40h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_7E31CE:				; CODE XREF: EtwpProcessEnumCallback+160j
					; EtwpProcessEnumCallback+1FDj	...
		mov	ecx, [esp+40h+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7E31E4:				; CODE XREF: EtwpProcessEnumCallback+DEj
		mov	eax, [edi]
		test	al, 1
		jz	short loc_7E31FD
		mov	edx, [esp+40h+var_2C]
		mov	ecx, esi
		push	ebx
		push	303h
		call	_EtwpTraceProcessRundown@16 ; EtwpTraceProcessRundown(x,x,x,x)
		mov	eax, [edi]

loc_7E31FD:				; CODE XREF: EtwpProcessEnumCallback+192j
		test	al, 2
		jz	short loc_7E321A
		cmp	esi, ds:_PsIdleProcess
		jz	loc_7E32F2
		push	ebx
		mov	edx, offset _EtwpThreadEnumCallback@12 ; EtwpThreadEnumCallback(x,x,x)
		mov	ecx, esi
		call	PsEnumProcessThreads

loc_7E321A:				; CODE XREF: EtwpProcessEnumCallback+1A9j
					; EtwpProcessEnumCallback+2A7j	...
		mov	eax, [edi]
		test	eax, 0C004h
		jz	short loc_7E322F
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	EtwpEnumerateAddressSpace
		mov	eax, [edi]

loc_7E322F:				; CODE XREF: EtwpProcessEnumCallback+1CBj
		test	al, 4
		jz	short loc_7E323F
		cmp	esi, ds:_PsInitialSystemProcess
		jz	loc_7E32E0

loc_7E323F:				; CODE XREF: EtwpProcessEnumCallback+1DBj
					; EtwpProcessEnumCallback+297j
		test	dword ptr [edi+4], 8000000h
		jz	loc_7E31B1
		jmp	loc_90CF40
; 

loc_7E3251:				; CODE XREF: EtwpProcessEnumCallback+74j
		test	edi, edi
		jz	loc_7E31CE
		test	byte ptr [edi],	1
		jz	loc_7E31CE
		cmp	[esp+40h+var_2F], dl
		jnz	loc_7E31CE
		mov	edx, [esp+40h+var_2C]
		push	ebx
		push	327h
		call	_EtwpTraceProcessRundown@16 ; EtwpTraceProcessRundown(x,x,x,x)
		jmp	loc_7E31CE
; 

loc_7E3280:				; CODE XREF: EtwpProcessEnumCallback+85j
		mov	al, dl
		mov	cl, 1
		jmp	loc_7E3121
; 

loc_7E3289:				; CODE XREF: EtwpProcessEnumCallback+97j
		mov	cl, dl
		jmp	loc_7E311D
; 

loc_7E3290:				; CODE XREF: EtwpProcessEnumCallback+129j
		mov	eax, ds:_KeNumberProcessors
		mov	[esp+40h+var_24], eax
		test	eax, eax
		jz	loc_7E3192
		mov	edi, [esp+40h+var_24]
		xor	eax, eax

loc_7E32A7:				; CODE XREF: EtwpProcessEnumCallback+26Dj
		push	ebx
		mov	ecx, eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		push	dword ptr [eax+0Ch]
		push	esi
		call	_EtwpThreadEnumCallback@12 ; EtwpThreadEnumCallback(x,x,x)
		mov	eax, [esp+40h+var_28]
		inc	eax
		mov	[esp+40h+var_28], eax
		cmp	eax, edi
		jb	short loc_7E32A7
		mov	edi, [esp+40h+var_20]
		jmp	loc_7E3192
; 

loc_7E32CE:				; CODE XREF: EtwpProcessEnumCallback+FDj
		mov	ecx, [esp+40h+var_2C]
		xor	dl, dl
		call	EtwpSysModuleRunDown
		mov	eax, [edi]
		jmp	loc_7E3159
; 

loc_7E32E0:				; CODE XREF: EtwpProcessEnumCallback+1E3j
		mov	dl, [esp+40h+var_2F]
		mov	ecx, [esp+40h+var_2C]
		call	EtwpSysModuleRunDown
		jmp	loc_7E323F
; 

loc_7E32F2:				; CODE XREF: EtwpProcessEnumCallback+1B1j
		mov	eax, ds:_KeNumberProcessors
		mov	[esp+40h+var_24], eax
		test	eax, eax
		jz	loc_7E321A
		mov	edi, [esp+40h+var_24]
		xor	eax, eax

loc_7E3309:				; CODE XREF: EtwpProcessEnumCallback+2CFj
		push	ebx
		mov	ecx, eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		push	dword ptr [eax+0Ch]
		push	esi
		call	_EtwpThreadEnumCallback@12 ; EtwpThreadEnumCallback(x,x,x)
		mov	eax, [esp+40h+var_28]
		inc	eax
		mov	[esp+40h+var_28], eax
		cmp	eax, edi
		jb	short loc_7E3309
		mov	edi, [esp+40h+var_20]
		jmp	loc_7E321A
EtwpProcessEnumCallback	endp


;  S U B	R O U T	I N E 


; __stdcall EtwpIsProcessZombie(x)
_EtwpIsProcessZombie@4 proc near	; CODE XREF: EtwpProcessEnumCallback+6Dp
					; EtwpPsProvProcessEnumCallback(x,x)+51p
		test	byte ptr [ecx+0FCh], 4
		jnz	short loc_7E333C

loc_7E3339:				; CODE XREF: EtwpIsProcessZombie(x)+10j
					; EtwpIsProcessZombie(x)+19j ...
		xor	eax, eax
		retn
; 

loc_7E333C:				; CODE XREF: EtwpIsProcessZombie(x)+7j
		cmp	dword ptr [ecx+4], 0
		jz	short loc_7E3339
		cmp	dword ptr [ecx+1D8h], 0
		jnz	short loc_7E3339
		lea	eax, [ecx+2Ch]
		cmp	[eax], eax
		jnz	short loc_7E3339
		xor	eax, eax
		inc	eax
		retn
_EtwpIsProcessZombie@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceProcessRundown(x, x, x, x)
_EtwpTraceProcessRundown@16 proc near	; CODE XREF: EtwpProcessEnumCallback+156p
					; EtwpProcessEnumCallback+1A0p	...

var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_B8		= dword	ptr -0B8h
var_98		= dword	ptr -98h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 26Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		push	edi
		push	18Ch		; size_t
		push	eax		; int
		mov	[ebp+var_264], eax
		mov	esi, ecx
		mov	[ebp+var_260], eax
		mov	[ebp+var_250], eax
		mov	[ebp+var_24C], eax
		lea	eax, [ebp+var_248]
		push	eax		; void *
		mov	[ebp+var_25C], edx
		call	_memset
		add	esp, 0Ch
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		lea	edi, [ebp+var_B8]
		push	8
		pop	ecx
		rep stosd
		mov	eax, [ebx+8]
		xor	edi, edi
		mov	[ebp+var_254], eax
		mov	ecx, esi
		xor	eax, eax
		mov	[ebp+var_26C], edi
		mov	word ptr [ebp+var_258],	ax
		mov	ax, [ebx+0Ch]
		mov	word ptr [ebp+var_258+2], ax
		lea	eax, [ebp+var_24C]
		push	eax
		lea	eax, [ebp+var_258]
		mov	[ebp+var_268], edi
		push	eax
		lea	eax, [ebp+var_264]
		push	eax
		lea	eax, [ebp+var_248]
		push	eax
		lea	eax, [ebp+var_250]
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		lea	eax, [ebp+var_26C]
		push	eax
		lea	eax, [ebp+var_B8]
		push	eax
		movzx	eax, byte ptr [ebx+25h]
		push	eax
		call	EtwpBuildProcessEvent
		xor	eax, eax
		mov	ecx, 327h
		cmp	word ptr [ebp+arg_0], cx
		lea	ecx, [ebp+var_98]
		setz	al
		add	eax, 501804h
		push	eax
		push	[ebp+arg_0]
		mov	eax, [ebp+var_25C]
		push	[ebp+var_250]
		push	dword ptr [eax]
		mov	edx, [eax+2E4h]
		call	EtwpLogKernelEvent
		mov	eax, [ebp+var_254]
		cmp	eax, [ebx+8]
		jnz	short loc_7E349B

loc_7E3468:				; CODE XREF: EtwpTraceProcessRundown(x,x,x,x)+14Cj
		lea	eax, [ebp+var_264]
		push	eax
		call	_RtlFreeAnsiString@4 ; RtlFreeAnsiString(x)
		cmp	[ebp+var_24C], edi
		jz	short loc_7E3488
		push	edi
		push	[ebp+var_24C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E3488:				; CODE XREF: EtwpTraceProcessRundown(x,x,x,x)+124j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_7E349B:				; CODE XREF: EtwpTraceProcessRundown(x,x,x,x)+110j
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7E3468
_EtwpTraceProcessRundown@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpSysModuleRunDown proc near		; CODE XREF: EtwpProcessEnumCallback+27Ep
					; EtwpProcessEnumCallback+292p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= word ptr -70h
var_6E		= word ptr -6Eh
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= word ptr -54h
var_52		= word ptr -52h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090CF88 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	bl, dl
		push	edi
		xor	edi, edi
		mov	[ebp+var_6E], ax
		mov	[ebp+var_68], edi
		mov	esi, ecx
		mov	[ebp+var_64], edi
		mov	[ebp+var_5C], edi
		mov	[ebp+var_54], ax
		mov	[ebp+var_3C], edi
		mov	[ebp+var_6C], edi
		test	bl, bl
		jnz	short loc_7E351D
		mov	edx, [esi+2E4h]
		lea	ecx, [ebp+var_38]
		push	offset byte_401802
		push	1421h
		push	1
		push	dword ptr [esi]
		mov	[ebp+var_38], offset _PsNtosImageBase
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], 4
		mov	[ebp+var_2C], edi
		call	EtwpLogKernelEvent
		lea	eax, [ebp+var_6C]
		push	eax
		call	HvlQueryConnection
		test	eax, eax
		jz	loc_90CF88

loc_7E351D:				; CODE XREF: EtwpSysModuleRunDown+36j
					; EtwpSysModuleRunDown+129B13j
		mov	[ebp+var_74], esi
		lea	eax, [ebp+var_38]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_7C], eax
		mov	eax, 1403h
		test	bl, bl
		jnz	short loc_7E3536
		inc	eax

loc_7E3536:				; CODE XREF: EtwpSysModuleRunDown+8Fj
		mov	[ebp+var_70], ax
		lea	edx, [ebp+var_7C]
		xor	eax, eax
		mov	[ebp+var_60], edi
		mov	[ebp+var_52], ax
		mov	ecx, offset _EtwpSystemImageEnumCallback@8 ; EtwpSystemImageEnumCallback(x,x)
		lea	eax, [ebp+var_68]
		mov	[ebp+var_50], edi
		mov	[ebp+var_58], edi
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], 2Ch
		mov	[ebp+var_2C], edi
		mov	[ebp+var_18], offset _EtwpNull
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 2
		mov	[ebp+var_C], edi
		call	MmEnumerateSystemImages
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
EtwpSysModuleRunDown endp


;  S U B	R O U T	I N E 


EtwpLogAlwaysPresentRundown proc near	; CODE XREF: EtwpUpdateGroupMasks+1DFp
					; EtwpLogKernelTraceRundown(x,x,x,x,x,x)+2Dp
		cmp	_KdDebuggerEnabled, 0
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		mov	ebx, offset byte_401802
		jnz	sub_90CFBC

loc_7E35B1:				; CODE XREF: sub_90CFBC+12j
		push	ebx
		push	8
		push	0
		push	esi
		mov	edx, edi
		xor	ecx, ecx
		call	EtwpLogKernelEvent
		pop	edi
		pop	esi
		pop	ebx
		retn
EtwpLogAlwaysPresentRundown endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpUpdateGlobalGroupMasks proc	near	; CODE XREF: EtwpUpdateGroupMasks+19Fp
					; EtwpUpdateKernelGroupsWork(x)+19p ...

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= byte ptr -60h
var_44		= dword	ptr -44h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090CFD3 SIZE 00000078 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	8
		mov	ebx, ecx
		mov	[esp+84h+var_74], eax
		pop	ecx
		xor	eax, eax
		mov	[esp+80h+var_6C], ebx
		push	8
		lea	edi, [esp+84h+var_44]
		mov	esi, edx
		rep stosd
		pop	ecx
		push	eax
		push	eax
		push	eax
		push	eax
		lea	edi, [esp+90h+var_24]
		mov	[esp+90h+var_70], esi
		rep stosd
		push	offset _EtwpGroupMaskMutex
		call	KeWaitForSingleObject
		cmp	[esp+80h+var_74], 8
		jnb	short loc_7E3633
		cmp	esi, [ebx+8]
		jnb	loc_90CFD3
		mov	eax, [ebx+18Ch]
		mov	eax, [eax+esi*4]

loc_7E362B:				; CODE XREF: EtwpUpdateGlobalGroupMasks+129A12j
		test	al, 1
		jnz	loc_90CFDB

loc_7E3633:				; CODE XREF: EtwpUpdateGlobalGroupMasks+53j
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+80h+var_64]
		push	0Ah
		rep stosd
		lea	edx, [ebx+948h]
		pop	esi

loc_7E3647:				; CODE XREF: EtwpUpdateGlobalGroupMasks+97j
		xor	ecx, ecx

loc_7E3649:				; CODE XREF: EtwpUpdateGlobalGroupMasks+92j
		mov	eax, [edx]
		add	edx, 4
		or	[esp+ecx*4+80h+var_64],	eax
		inc	ecx
		cmp	ecx, 8
		jb	short loc_7E3649
		sub	esi, 1
		jnz	short loc_7E3647
		lea	edi, [ebx+928h]
		push	8
		pop	ecx
		lea	esi, [esp+80h+var_64]
		mov	[esp+80h+var_68], edi
		rep movsd
		xor	ecx, ecx

loc_7E3672:				; CODE XREF: EtwpUpdateGlobalGroupMasks+129A4Bj
		mov	dl, 1
		call	_PspGetNextSilo@8 ; PspGetNextSilo(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_90CFE5
		mov	edx, ds:_EtwpHostSiloState
		xor	ecx, ecx
		push	4
		add	edx, 928h
		pop	edi

loc_7E3694:				; CODE XREF: EtwpUpdateGlobalGroupMasks+DCj
		mov	eax, [edx]
		add	edx, edi
		or	[esp+ecx*4+80h+var_64],	eax
		inc	ecx
		cmp	ecx, 8
		jb	short loc_7E3694
		xor	esi, esi

loc_7E36A4:				; CODE XREF: EtwpUpdateGlobalGroupMasks+101j
		mov	ecx, ds:_PerfGlobalGroupMask[esi]
		mov	eax, ecx
		mov	edx, [esp+esi+80h+var_64]
		not	eax
		and	eax, edx
		not	edx
		and	edx, ecx
		mov	[esp+esi+80h+var_44], eax
		mov	[esp+esi+80h+var_24], edx
		add	esi, edi
		cmp	esi, 20h
		jb	short loc_7E36A4
		mov	esi, [esp+80h+var_70]
		lea	edx, [esp+80h+var_24]
		push	esi
		push	ebx
		lea	ecx, [esp+88h+var_64]
		call	EtwpDisableKernelTrace
		push	esi
		push	ebx
		lea	edx, [esp+88h+var_44]
		lea	ecx, [esp+88h+var_64]
		call	EtwpEnableKernelTrace
		mov	ebx, eax
		test	ebx, ebx
		js	loc_90D014

loc_7E36F3:				; CODE XREF: EtwpUpdateGlobalGroupMasks+129A82j
		test	[esp+80h+var_60], 4
		lea	esi, [esp+80h+var_64]
		push	8
		pop	ecx
		mov	edi, offset _PerfGlobalGroupMask
		mov	eax, offset _KiCpuTracingFlags
		rep movsd
		jnz	short loc_7E3734
		lock btr dword ptr [eax], 0

loc_7E3712:				; CODE XREF: EtwpUpdateGlobalGroupMasks+175j
					; EtwpUpdateGlobalGroupMasks+129A1Cj
		push	0
		push	offset _EtwpGroupMaskMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	ecx, [esp+80h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7E3734:				; CODE XREF: EtwpUpdateGlobalGroupMasks+147j
		lock bts dword ptr [eax], 0
		jmp	short loc_7E3712
EtwpUpdateGlobalGroupMasks endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpEnableKernelTrace proc near		; CODE XREF: EtwpUpdateGlobalGroupMasks+120p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090D04B SIZE 00000273 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_50], eax
		push	8
		xor	eax, eax
		mov	[ebp+var_54], esi
		mov	ebx, edx
		lea	edi, [ebp+var_24]
		xor	edx, edx
		mov	[ebp+var_4C], edx
		pop	ecx
		rep stosd
		mov	eax, 80000h
		test	ebx, ebx
		jz	short loc_7E3790
		mov	ecx, [ebx+4]
		mov	edi, (offset loc_7FFFFF+1)
		test	ecx, eax
		jnz	loc_90D04B
		mov	eax, edi

loc_7E3788:				; CODE XREF: EtwpEnableKernelTrace+129917j
		test	ecx, edi
		jnz	loc_90D058

loc_7E3790:				; CODE XREF: EtwpEnableKernelTrace+38j
					; EtwpEnableKernelTrace+12991Fj
		test	esi, esi
		jz	short loc_7E37A1
		test	dword ptr [esi+4], 880000h
		jnz	loc_90D060

loc_7E37A1:				; CODE XREF: EtwpEnableKernelTrace+56j
					; EtwpEnableKernelTrace+12995Aj
		cmp	ds:_EtwpFileSystemReady, 0
		jz	short loc_7E37C8
		push	[ebp+arg_4]
		mov	edx, ebx
		mov	ecx, esi
		push	[ebp+var_50]
		push	1
		call	EtwpUpdateFileInfoDriverState
		mov	edx, eax
		mov	[ebp+var_4C], edx
		test	edx, edx
		jnz	loc_7E390C

loc_7E37C8:				; CODE XREF: EtwpEnableKernelTrace+6Cj
		test	ebx, ebx
		jz	loc_7E390A
		mov	ecx, [ebx]
		mov	eax, 2000000h
		mov	esi, [ebp+var_24]
		mov	edx, offset _EtwpTraceFileIo@24	; EtwpTraceFileIo(x,x,x,x,x,x)
		test	ecx, eax
		jnz	loc_90D09B

loc_7E37E7:				; CODE XREF: EtwpEnableKernelTrace+12996Cj
		mov	eax, 4000000h
		test	ecx, eax
		jnz	loc_90D0AD

loc_7E37F4:				; CODE XREF: EtwpEnableKernelTrace+12997Ej
		mov	eax, 200h
		test	ecx, eax
		jnz	loc_7E3925

loc_7E3801:				; CODE XREF: EtwpEnableKernelTrace+1FAj
		mov	eax, 100h
		test	ecx, eax
		jnz	loc_7E393B

loc_7E380E:				; CODE XREF: EtwpEnableKernelTrace+21Aj
		mov	eax, 400h
		test	ecx, eax
		jnz	loc_90D0BF

loc_7E381B:				; CODE XREF: EtwpEnableKernelTrace+129992j
		mov	eax, [ebx+10h]
		mov	edi, [ebp+var_14]
		test	al, 1
		jnz	loc_90D0D3

loc_7E3829:				; CODE XREF: EtwpEnableKernelTrace+1299AAj
		test	al, 2
		jnz	loc_90D0EB

loc_7E3831:				; CODE XREF: EtwpEnableKernelTrace+1299BFj
		mov	edx, 200000h
		test	[ebx], edx
		jnz	loc_90D100

loc_7E383E:				; CODE XREF: EtwpEnableKernelTrace+1299D3j
		mov	eax, [ebx+10h]
		mov	ecx, 400000h
		test	eax, ecx
		jnz	loc_90D114

loc_7E384E:				; CODE XREF: EtwpEnableKernelTrace+1299EAj
		mov	ecx, 80000h
		test	eax, ecx
		jnz	loc_90D12B

loc_7E385B:				; CODE XREF: EtwpEnableKernelTrace+129A01j
		mov	ecx, offset _EtwpTraceFltTimedIo@20 ; EtwpTraceFltTimedIo(x,x,x,x,x)
		test	eax, 100000h
		jnz	loc_90D142

loc_7E386B:				; CODE XREF: EtwpEnableKernelTrace+129A18j
		test	eax, edx
		jnz	loc_90D159

loc_7E3873:				; CODE XREF: EtwpEnableKernelTrace+129A2Bj
		mov	ecx, 1000000h
		mov	edx, offset _EtwpTraceWdf@20 ; EtwpTraceWdf(x,x,x,x,x)
		test	eax, ecx
		jnz	loc_90D16C

loc_7E3885:				; CODE XREF: EtwpEnableKernelTrace+129A3Ej
		mov	ecx, 2000000h
		test	eax, ecx
		jnz	loc_90D17F

loc_7E3892:				; CODE XREF: EtwpEnableKernelTrace+129A4Ej
		mov	eax, 8000000h
		test	[ebx+8], eax
		jnz	loc_90D18F

loc_7E38A0:				; CODE XREF: EtwpEnableKernelTrace+129A60j
		mov	eax, [ebx]
		mov	edx, 20000h
		test	eax, edx
		jnz	loc_90D1A1

loc_7E38AF:				; CODE XREF: EtwpEnableKernelTrace+129A83j
		test	eax, 100000h
		jnz	loc_90D1C4

loc_7E38BA:				; CODE XREF: EtwpEnableKernelTrace+129AA5j
		test	eax, 10000h
		jnz	loc_90D1E6

loc_7E38C5:				; CODE XREF: EtwpEnableKernelTrace+129AC3j
		test	byte ptr [ebx+4], 10h
		jnz	loc_90D204

loc_7E38CF:				; CODE XREF: EtwpEnableKernelTrace+129ADDj
		test	dword ptr [ebx], 40000h
		jnz	loc_90D21E

loc_7E38DB:				; CODE XREF: EtwpEnableKernelTrace+129B00j
		mov	eax, [ebx+4]
		test	al, 2
		jnz	loc_90D241
		mov	esi, [ebp+var_20]

loc_7E38E9:				; CODE XREF: EtwpEnableKernelTrace+129B16j
		test	eax, 400h
		jnz	loc_90D257

loc_7E38F4:				; CODE XREF: EtwpEnableKernelTrace+129B29j
		test	byte ptr [ebx+10h], 80h
		jnz	loc_90D26A

loc_7E38FE:				; CODE XREF: EtwpEnableKernelTrace+129B3Cj
		test	dword ptr [ebx+4], 20000h
		jnz	short loc_7E395B

loc_7E3907:				; CODE XREF: EtwpEnableKernelTrace+226j
		mov	edx, [ebp+var_4C]

loc_7E390A:				; CODE XREF: EtwpEnableKernelTrace+8Ej
		test	edx, edx

loc_7E390C:				; CODE XREF: EtwpEnableKernelTrace+86j
		js	loc_90D27D

loc_7E3912:				; CODE XREF: EtwpEnableKernelTrace+129B7Dj
		mov	ecx, [ebp+var_4]
		mov	eax, edx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_7E3925:				; CODE XREF: EtwpEnableKernelTrace+BFj
		or	esi, eax
		mov	dword_6B14B4, offset _EtwpTraceFileName@24 ; EtwpTraceFileName(x,x,x,x,x,x)
		mov	ecx, [ebx]
		mov	[ebp+var_24], esi
		jmp	loc_7E3801
; 

loc_7E393B:				; CODE XREF: EtwpEnableKernelTrace+CCj
		or	esi, eax
		mov	_EtwpDiskIoNotifyRoutines, offset EtwpTraceIo
		mov	dword_6B14AC, offset _EtwpTraceRedirectedIo@8 ;	EtwpTraceRedirectedIo(x,x)
		mov	ecx, [ebx]
		mov	[ebp+var_24], esi
		jmp	loc_7E380E
; 

loc_7E395B:				; CODE XREF: EtwpEnableKernelTrace+1C9j
		lock inc _EtwpEthreadSyncTrackingSequence
		jmp	short loc_7E3907
EtwpEnableKernelTrace endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpDisableKernelTrace proc near	; CODE XREF: EtwpUpdateGlobalGroupMasks+111p
					; EtwpEnableKernelTrace+129B75p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090D2BE SIZE 00000134 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	ebx, ecx
		xor	edi, edi
		mov	[ebp+var_4], ebx
		test	esi, esi
		jz	loc_7E3A90
		mov	eax, [esi]
		test	eax, 20000h
		jnz	loc_90D2BE

loc_7E398B:				; CODE XREF: EtwpDisableKernelTrace+129966j
		test	eax, 100000h
		jnz	loc_90D2CF

loc_7E3996:				; CODE XREF: EtwpDisableKernelTrace+129972j
		test	eax, 2000000h
		jnz	loc_90D2DB

loc_7E39A1:				; CODE XREF: EtwpDisableKernelTrace+12997Fj
		test	eax, 4000000h
		jnz	loc_90D2E8

loc_7E39AC:				; CODE XREF: EtwpDisableKernelTrace+12998Cj
		test	eax, 200h
		jz	short loc_7E39BB
		mov	dword_6B14B4, edi
		mov	eax, [esi]

loc_7E39BB:				; CODE XREF: EtwpDisableKernelTrace+4Dj
		test	eax, 100h
		jz	short loc_7E39D0
		mov	_EtwpDiskIoNotifyRoutines, edi
		mov	dword_6B14AC, edi
		mov	eax, [esi]

loc_7E39D0:				; CODE XREF: EtwpDisableKernelTrace+5Cj
		test	eax, 400h
		jnz	loc_90D2F5

loc_7E39DB:				; CODE XREF: EtwpDisableKernelTrace+129997j
		mov	eax, [esi+10h]
		test	al, 1
		jnz	loc_90D300

loc_7E39E6:				; CODE XREF: EtwpDisableKernelTrace+1299A5j
		test	al, 2
		jnz	loc_90D30E

loc_7E39EE:				; CODE XREF: EtwpDisableKernelTrace+1299B0j
		mov	eax, [esi]
		test	eax, 200000h
		jnz	loc_90D319

loc_7E39FB:				; CODE XREF: EtwpDisableKernelTrace+1299BDj
		test	eax, 10000h
		jnz	loc_90D326

loc_7E3A06:				; CODE XREF: EtwpDisableKernelTrace+1299C9j
		test	byte ptr [esi+4], 10h
		jnz	loc_90D332

loc_7E3A10:				; CODE XREF: EtwpDisableKernelTrace+1299D6j
		mov	eax, [esi+10h]
		test	eax, 400000h
		jnz	loc_90D33F

loc_7E3A1E:				; CODE XREF: EtwpDisableKernelTrace+1299E4j
		test	eax, 80000h
		jnz	loc_90D34D

loc_7E3A29:				; CODE XREF: EtwpDisableKernelTrace+1299F2j
		test	eax, 100000h
		jnz	loc_90D35B

loc_7E3A34:				; CODE XREF: EtwpDisableKernelTrace+129A00j
		test	eax, 200000h
		jnz	loc_90D369

loc_7E3A3F:				; CODE XREF: EtwpDisableKernelTrace+129A0Ej
		test	eax, 1000000h
		jnz	loc_90D377

loc_7E3A4A:				; CODE XREF: EtwpDisableKernelTrace+129A1Cj
		test	eax, 2000000h
		jnz	short loc_7E3AA7

loc_7E3A51:				; CODE XREF: EtwpDisableKernelTrace+149j
		test	dword ptr [esi+8], 8000000h
		jnz	short loc_7E3AAF

loc_7E3A5A:				; CODE XREF: EtwpDisableKernelTrace+151j
		test	dword ptr [esi], 40000h
		jnz	loc_90D385

loc_7E3A66:				; CODE XREF: EtwpDisableKernelTrace+129A2Cj
		mov	eax, [esi+4]
		test	al, 2
		jnz	loc_90D395

loc_7E3A71:				; CODE XREF: EtwpDisableKernelTrace+129A3Ej
		test	eax, 400h
		jnz	loc_90D3A7

loc_7E3A7C:				; CODE XREF: EtwpDisableKernelTrace+129A6Cj
		test	byte ptr [esi+10h], 80h
		jnz	short loc_7E3AB7

loc_7E3A82:				; CODE XREF: EtwpDisableKernelTrace+158j
		mov	eax, 880000h
		test	[esi+4], eax
		jnz	loc_90D3D5

loc_7E3A90:				; CODE XREF: EtwpDisableKernelTrace+14j
					; EtwpDisableKernelTrace+129A78j ...
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, ebx
		push	[ebp+arg_0]
		push	edi
		call	EtwpUpdateFileInfoDriverState
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7E3AA7:				; CODE XREF: EtwpDisableKernelTrace+EBj
		mov	dword_6B5B84, edi
		jmp	short loc_7E3A51
; 

loc_7E3AAF:				; CODE XREF: EtwpDisableKernelTrace+F4j
		mov	dword_6B5B88, edi
		jmp	short loc_7E3A5A
; 

loc_7E3AB7:				; CODE XREF: EtwpDisableKernelTrace+11Cj
		call	_ObDisableEtwReferenceTrace@0 ;	ObDisableEtwReferenceTrace()
		jmp	short loc_7E3A82
EtwpDisableKernelTrace endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpUpdateFileInfoDriverState proc near	; CODE XREF: EtwpEnableKernelTrace+7Ap
					; EtwpDisableKernelTrace+137p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0090D3F2 SIZE 00000090 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	edi, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		cmp	[ebp+arg_0], ebx
		jnz	short loc_7E3B17
		test	ecx, ecx
		jz	short loc_7E3AE3
		test	dword ptr [ecx], 6000200h
		jnz	short loc_7E3B02

loc_7E3AE3:				; CODE XREF: EtwpUpdateFileInfoDriverState+1Bj
		cmp	dword_6FDB40, ebx
		jnz	loc_90D42B

loc_7E3AEF:				; CODE XREF: EtwpUpdateFileInfoDriverState+12997Bj
		xor	ecx, ecx
		call	_EtwpUpdateFileInfoDriverRegistration@4	; EtwpUpdateFileInfoDriverRegistration(x)
		cmp	dword_6FDB40, ebx
		jnz	loc_90D43E

loc_7E3B02:				; CODE XREF: EtwpUpdateFileInfoDriverState+23j
					; EtwpUpdateFileInfoDriverState+5Bj ...
		mov	esi, ebx
		mov	edi, ebx

loc_7E3B06:				; CODE XREF: EtwpUpdateFileInfoDriverState+82j
		test	edi, edi
		jnz	loc_90D460

loc_7E3B0E:				; CODE XREF: EtwpUpdateFileInfoDriverState+12995Bj
					; EtwpUpdateFileInfoDriverState+1299BFj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7E3B17:				; CODE XREF: EtwpUpdateFileInfoDriverState+17j
		test	edx, edx
		jz	short loc_7E3B02
		test	dword ptr [edx], 6000200h
		jz	short loc_7E3B02
		call	WmiQueryTraceProviderCount
		xor	esi, esi
		inc	esi
		test	eax, eax
		jz	loc_90D3F2

loc_7E3B33:				; CODE XREF: EtwpUpdateFileInfoDriverState+129968j
		mov	ecx, esi
		call	_EtwpUpdateFileInfoDriverRegistration@4	; EtwpUpdateFileInfoDriverRegistration(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7E3B02
		jmp	short loc_7E3B06
EtwpUpdateFileInfoDriverState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdateFileInfoDriverRegistration(x)
_EtwpUpdateFileInfoDriverRegistration@4	proc near
					; CODE XREF: EtwpUpdateFileInfoDriverState+33p
					; EtwpUpdateFileInfoDriverState+77p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		push	edi		; struct _exception *
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_4], esi
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		push	eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	edi, eax
		lea	eax, [ebp+var_14]
		push	offset ??_C@_1CC@DPPHACFF@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAF?$AAi?$AAl?$AAe?$AAI?$AAn?$AAf@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	20h
		lea	eax, [ebp+var_14]
		mov	[ebp+var_34], 18h
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_1C]
		push	7
		push	eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_30], esi
		push	eax
		push	120089h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_28], 240h
		push	eax
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7E3BE8
		xor	ecx, ecx
		mov	[ebp+var_C], 1
		push	ecx
		push	ecx
		push	8
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], ebx
		push	eax
		push	220020h
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_4]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_7E3BE8:				; CODE XREF: EtwpUpdateFileInfoDriverRegistration(x)+7Aj
		cmp	[ebp+var_4], 0
		jz	short loc_7E3BF6
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_7E3BF6:				; CODE XREF: EtwpUpdateFileInfoDriverRegistration(x)+AAj
		push	edi
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpUpdateFileInfoDriverRegistration@4	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall EtwpMapEnableFlags(x, x)
_EtwpMapEnableFlags@8 proc near		; CODE XREF: EtwpUpdateGroupMasks+4Dp
					; EtwpGetLoggerInfoFromContext+216p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		mov	ebx, 1FFFFFFFh

loc_7E3C12:				; CODE XREF: EtwpMapEnableFlags(x,x)+5Bj
		cmp	dl, 1
		jz	short loc_7E3C41
		test	esi, esi
		jz	short loc_7E3C59
		mov	ecx, ds:dword_A410D4[edi]
		mov	eax, ecx
		shr	eax, 1Dh
		mov	eax, [esi+eax*4]
		and	eax, ecx
		test	eax, ebx
		jz	short loc_7E3C59
		mov	ecx, ds:_EtwpEnableFlagMap[edi]

loc_7E3C35:				; CODE XREF: EtwpMapEnableFlags(x,x)+67j
		mov	eax, ecx
		and	ecx, ebx
		shr	eax, 1Dh
		or	[esi+eax*4], ecx
		jmp	short loc_7E3C59
; 

loc_7E3C41:				; CODE XREF: EtwpMapEnableFlags(x,x)+11j
		test	esi, esi
		jz	short loc_7E3C59
		mov	ecx, ds:_EtwpEnableFlagMap[edi]
		mov	eax, ecx
		shr	eax, 1Dh
		mov	eax, [esi+eax*4]
		and	eax, ecx
		test	eax, ebx
		jnz	short loc_7E3C65

loc_7E3C59:				; CODE XREF: EtwpMapEnableFlags(x,x)+15j
					; EtwpMapEnableFlags(x,x)+29j ...
		add	edi, 8
		cmp	edi, 40h
		jb	short loc_7E3C12
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7E3C65:				; CODE XREF: EtwpMapEnableFlags(x,x)+53j
		mov	ecx, ds:dword_A410D4[edi]
		jmp	short loc_7E3C35
_EtwpMapEnableFlags@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


EtwpSynchronizeWithLogger proc near	; CODE XREF: EtwpTransitionToRealtime(x,x)+77p
					; EtwpTransitionToRealtime(x,x)+FDp ...

; FUNCTION CHUNK AT 0090D482 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		lea	ebx, [edi+164h]
		push	ebx
		call	_KeResetEvent@4	; KeResetEvent(x)
		lea	eax, [edi+25Ch]
		lock or	[eax], esi
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		xor	esi, esi
		test	al, al
		jz	loc_90D482
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	loc_90D482
		push	esi
		push	esi
		lea	eax, [edi+174h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_7E3CB7:				; CODE XREF: EtwpSynchronizeWithLogger+12981Fj
					; EtwpSynchronizeWithLogger+129830j
		push	esi
		push	esi
		push	esi
		push	esi
		push	ebx
		call	KeWaitForSingleObject
		mov	esi, [edi+28h]
		push	ebx
		call	_KeResetEvent@4	; KeResetEvent(x)
		and	dword ptr [edi+28h], 0
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		retn
EtwpSynchronizeWithLogger endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpFlushTrace	proc near		; CODE XREF: NtTraceControl(x,x,x,x,x,x)+273p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090D4A3 SIZE 000000BA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, edx
		mov	esi, ecx
		mov	[esp+1Ch+var_10], eax
		push	edi
		mov	ecx, ebx
		mov	[esp+20h+var_C], esi
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_4], eax
		call	@EtwpValidateLoggerInfo@4 ; EtwpValidateLoggerInfo(x)
		test	eax, eax
		js	loc_7E3DDE
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esp+20h+var_10]
		mov	ecx, esi
		push	eax
		call	EtwpAcquireLoggerContext
		mov	esi, eax
		test	esi, esi
		js	loc_7E3DC6
		mov	edi, [esp+20h+var_10]
		mov	eax, [edi+0Ch]
		test	eax, 40000h
		jnz	loc_90D4A3
		mov	ecx, eax
		mov	esi, 400h
		and	ecx, 100h
		xor	edx, edx
		or	ecx, esi
		shr	ecx, 3
		cmp	[edi+248h], edx
		jz	short loc_7E3D5C
		or	ecx, 40h

loc_7E3D5C:				; CODE XREF: EtwpFlushTrace+83j
		and	eax, esi
		mov	[esp+20h+var_10], eax
		jnz	loc_90D4AD

loc_7E3D68:				; CODE XREF: EtwpFlushTrace+1297EDj
		mov	edx, edi
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7E3DBA
		cmp	[esp+20h+var_10], 0
		jnz	loc_90D4D0
		push	4
		pop	edx
		mov	ecx, edi
		call	EtwpSynchronizeWithLogger

loc_7E3D8A:				; CODE XREF: EtwpFlushTrace+129874j
		mov	esi, eax
		test	esi, esi
		js	short loc_7E3DBA
		mov	edx, edi
		mov	ecx, ebx
		call	EtwpGetLoggerInfoFromContext
		mov	ebx, (offset loc_40754E+2)
		mov	esi, eax
		push	ebx
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_90D54D

loc_7E3DBA:				; CODE XREF: EtwpFlushTrace+9Fj
					; EtwpFlushTrace+BAj ...
		xor	eax, eax
		mov	ecx, edi
		lea	edx, [eax+1]
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_7E3DC6:				; CODE XREF: EtwpFlushTrace+51j
		lea	eax, [esp+20h+var_8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi

loc_7E3DDE:				; CODE XREF: EtwpFlushTrace+2Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
EtwpFlushTrace	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpStopTrace	proc near		; CODE XREF: NtTraceControl(x,x,x,x,x,x)+22Bp
					; EtwShutdown+A633Ap ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 0090D55D SIZE 0000008A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_10], 0
		or	[esp+14h+var_4], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[esp+1Ch+var_8], 88CA6C00h
		mov	esi, ecx
		mov	ecx, ebx
		push	edi
		mov	[esp+20h+var_14], esi
		call	@EtwpValidateLoggerInfo@4 ; EtwpValidateLoggerInfo(x)
		test	eax, eax
		js	loc_7E3F76
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esp+20h+var_10]
		mov	ecx, esi
		push	eax
		call	EtwpAcquireLoggerContext
		mov	edi, eax
		test	edi, edi
		js	loc_7E3F7F
		cmp	[ebp+arg_0], 0
		mov	esi, [esp+20h+var_10]
		jnz	short loc_7E3E6B
		test	byte ptr [esi+0Ch], 40h
		jnz	loc_90D55D
		mov	edx, esi
		mov	ecx, 80h
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_90D570

loc_7E3E6B:				; CODE XREF: EtwpStopTrace+63j
		test	dword ptr [esi+0Ch], 400h
		mov	edi, [esi]
		mov	[esp+20h+var_10], edi
		jnz	loc_90D57E
		mov	eax, [esi+24h]
		push	0
		push	ds:_PsThreadType
		mov	[esp+28h+var_C], eax
		push	100000h
		push	eax
		call	ObReferenceObjectByPointer
		lea	eax, [esi+164h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	ecx, [esp+20h+var_14]
		xor	edx, edx
		inc	edx
		mov	ecx, [ecx+188h]
		mov	ecx, [ecx+edi*4]
		call	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
		test	al, al
		jz	loc_90D5CD
		mov	ecx, esi
		call	_EtwpStopLoggerInstance@4 ; EtwpStopLoggerInstance(x)
		mov	edi, eax
		test	edi, edi
		js	loc_90D5AF

loc_7E3ED2:				; CODE XREF: EtwpStopTrace+1297E2j
					; EtwpStopTrace+1297ECj
		mov	dl, 1
		mov	ecx, esi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		test	edi, edi
		js	short loc_7E3F4D
		cmp	dword ptr [esi+28h], 0
		jl	short loc_7E3F03
		lea	edi, [esi+164h]

loc_7E3EEB:				; CODE XREF: EtwpStopTrace+11Bj
		lea	eax, [esp+20h+var_8]
		push	eax
		push	0
		push	0
		push	0
		push	edi
		call	KeWaitForSingleObject
		cmp	eax, 102h
		jz	short loc_7E3EEB

loc_7E3F03:				; CODE XREF: EtwpStopTrace+FDj
		mov	edx, esi
		mov	ecx, ebx
		call	EtwpGetLoggerInfoFromContext
		mov	edi, eax
		test	edi, edi
		js	short loc_7E3F34
		mov	edi, [esi+28h]
		mov	ebx, (offset loc_40756C+4)
		push	ebx
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_90D5D7

loc_7E3F34:				; CODE XREF: EtwpStopTrace+12Aj
					; EtwpStopTrace+1297FCj
		mov	eax, [esp+20h+var_14]
		xor	edx, edx
		inc	edx
		mov	ecx, [eax+188h]
		mov	eax, [esp+20h+var_10]
		mov	ecx, [ecx+eax*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)

loc_7E3F4D:				; CODE XREF: EtwpStopTrace+F7j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, [esp+20h+var_C]
		test	edi, edi
		js	short loc_7E3F6D
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	esi
		call	KeWaitForSingleObject

loc_7E3F6D:				; CODE XREF: EtwpStopTrace+179j
		mov	ecx, esi
		call	ObfDereferenceObject

loc_7E3F74:				; CODE XREF: EtwpStopTrace+1A5j
		mov	eax, edi

loc_7E3F76:				; CODE XREF: EtwpStopTrace+31j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7E3F7F:				; CODE XREF: EtwpStopTrace+55j
					; EtwpStopTrace+129785j ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	short loc_7E3F74
EtwpStopTrace	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpQueryTrace(x, x)
_EtwpQueryTrace@8 proc near		; CODE XREF: NtTraceControl(x,x,x,x,x,x)+243p
					; EtwWmitraceWorker()+BCp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		and	[esp+4+var_4], 0
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		mov	ecx, ebx
		call	@EtwpValidateLoggerInfo@4 ; EtwpValidateLoggerInfo(x)
		test	eax, eax
		js	short loc_7E400F
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esp+10h+var_4]
		mov	ecx, esi
		push	eax
		call	EtwpAcquireLoggerContext
		mov	edi, eax
		test	edi, edi
		js	short loc_7E4001
		mov	esi, [esp+10h+var_4]
		xor	ecx, ecx
		mov	edx, esi
		inc	ecx
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7E3FF8
		test	dword ptr [esi+258h], 4000h
		jnz	short loc_7E4016

loc_7E3FED:				; CODE XREF: EtwpQueryTrace(x,x)+A4j
		mov	edx, esi
		mov	ecx, ebx
		call	EtwpGetLoggerInfoFromContext
		mov	edi, eax

loc_7E3FF8:				; CODE XREF: EtwpQueryTrace(x,x)+51j
		mov	ecx, esi

loc_7E3FFA:				; CODE XREF: EtwpQueryTrace(x,x)+AAj
		mov	dl, 1
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_7E4001:				; CODE XREF: EtwpQueryTrace(x,x)+3Dj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi

loc_7E400F:				; CODE XREF: EtwpQueryTrace(x,x)+1Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7E4016:				; CODE XREF: EtwpQueryTrace(x,x)+5Dj
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	EtwpCheckSecurityLoggerAccess
		mov	edi, eax
		test	edi, edi
		js	short loc_7E4034
		mov	esi, [esp+10h+var_4]
		jmp	short loc_7E3FED
; 

loc_7E4034:				; CODE XREF: EtwpQueryTrace(x,x)+9Ej
		mov	ecx, [esp+10h+var_4]
		jmp	short loc_7E3FFA
_EtwpQueryTrace@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpAcquireLoggerContext proc near	; CODE XREF: EtwpTransitionToRealtime(x,x)+38p
					; EtwpFlushTrace+48p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090D5E7 SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, edx
		push	esi
		push	edi
		push	10h		; size_t
		mov	[ebp+var_8], eax
		mov	edi, ecx
		add	eax, 18h
		xor	ecx, ecx
		push	offset _SystemTraceControlGuid ; void *
		push	eax		; void *
		or	esi, 0FFFFFFFFh
		mov	[ebx], ecx
		call	_memcmp
		mov	cl, [edi+914h]
		add	esp, 0Ch
		test	eax, eax
		jz	loc_90D5E7

loc_7E4077:				; CODE XREF: EtwpAcquireLoggerContext+1295B0j
		mov	eax, [ebp+var_8]
		movzx	edx, cl
		cmp	esi, edx
		jz	short loc_7E40D0
		xor	ebx, ebx
		lea	ecx, [eax+90h]
		cmp	[ecx], bx
		mov	ebx, [ebp+arg_0]
		jbe	short loc_7E40D0
		xor	esi, esi
		lea	edx, [ebp+var_C]
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		call	EtwpCaptureString
		test	eax, eax
		js	short loc_7E40C2
		push	1
		lea	edx, [ebp+var_C]
		mov	ecx, edi
		call	@EtwpAcquireLoggerContextByLoggerName@12 ; EtwpAcquireLoggerContextByLoggerName(x,x,x)
		mov	[ebx], eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebx], esi

loc_7E40BE:				; CODE XREF: EtwpAcquireLoggerContext+BFj
		jz	short loc_7E40C9
		xor	eax, eax

loc_7E40C2:				; CODE XREF: EtwpAcquireLoggerContext+69j
					; EtwpAcquireLoggerContext+94j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7E40C9:				; CODE XREF: EtwpAcquireLoggerContext:loc_7E40BEj
		mov	eax, 0C0000296h
		jmp	short loc_7E40C2
; 

loc_7E40D0:				; CODE XREF: EtwpAcquireLoggerContext+45j
					; EtwpAcquireLoggerContext+55j
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_7E40EA
		movzx	eax, word ptr [eax+8]
		mov	ecx, 0FFFFh
		mov	esi, eax
		cmp	ax, cx
		jz	short loc_7E40FB

loc_7E40E5:				; CODE XREF: EtwpAcquireLoggerContext+C3j
		cmp	esi, [edi+8]
		jnb	short loc_7E40FF

loc_7E40EA:				; CODE XREF: EtwpAcquireLoggerContext+99j
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	EtwpAcquireLoggerContextByLoggerId
		mov	[ebx], eax
		test	eax, eax
		jmp	short loc_7E40BE
; 

loc_7E40FB:				; CODE XREF: EtwpAcquireLoggerContext+A9j
		mov	esi, edx
		jmp	short loc_7E40E5
; 

loc_7E40FF:				; CODE XREF: EtwpAcquireLoggerContext+AEj
		mov	eax, 0C0000008h
		jmp	short loc_7E40C2
EtwpAcquireLoggerContext endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpCaptureString proc near		; CODE XREF: EtwpAcquireLoggerContext+62p
					; EtwpStartLogger+1CFp	...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 0090D5EF SIZE 00000008 BYTES

		push	1Ch
		push	offset dword_6A4D68
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	ebx, ecx
		xor	edi, edi
		and	[ebp+var_20], edi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		push	edi
		push	edx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		and	[ebp+ms_exc.disabled], edi
		cmp	[ebp+var_19], 0
		jz	short loc_7E4167
		movzx	eax, word ptr [ebx]
		test	ax, ax
		jz	short loc_7E4167
		mov	ecx, [ebx+4]
		test	cl, 1
		jnz	loc_7E41DE
		lea	edx, [ecx+eax]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	loc_90D5EF
		cmp	edx, ecx
		jb	loc_90D5EF

loc_7E4167:				; CODE XREF: EtwpCaptureString+33j
					; EtwpCaptureString+3Bj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	50777445h
		movzx	eax, word ptr [ebx]
		add	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jz	short loc_7E41E3
		mov	[ebp+ms_exc.disabled], 1
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		movzx	eax, word ptr [ebx]
		shr	eax, 1
		xor	ecx, ecx
		mov	[esi+eax*2], cx
		push	esi		; void *
		push	[ebp+var_24]	; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	short loc_7E41E3

loc_7E41C0:				; CODE XREF: EtwpCaptureString+E2j
					; sub_90D605+23j
		test	esi, esi
		jz	short loc_7E41CC
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E41CC:				; CODE XREF: EtwpCaptureString+BCj
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7E41DE:				; CODE XREF: EtwpCaptureString+43j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7E41E3:				; CODE XREF: EtwpCaptureString+82j
					; EtwpCaptureString+B8j
		mov	edi, 0C0000017h
		jmp	short loc_7E41C0
EtwpCaptureString endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpValidateUserModeLoggerInfo(x, x, x)
_EtwpValidateUserModeLoggerInfo@12 proc	near ; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1D7p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, 0B0h
		cmp	edx, eax
		jb	short loc_7E4210
		cmp	[ebp+arg_0], eax
		jb	short loc_7E4210
		call	@EtwpValidateLoggerInfo@4 ; EtwpValidateLoggerInfo(x)
		test	eax, eax
		js	short loc_7E420C
		cmp	[ecx], edx
		ja	short loc_7E4210
		xor	eax, eax

loc_7E420C:				; CODE XREF: EtwpValidateUserModeLoggerInfo(x,x,x)+1Aj
					; EtwpValidateUserModeLoggerInfo(x,x,x)+2Bj
		pop	ebp
		retn	4
; 

loc_7E4210:				; CODE XREF: EtwpValidateUserModeLoggerInfo(x,x,x)+Cj
					; EtwpValidateUserModeLoggerInfo(x,x,x)+11j ...
		mov	eax, 0C0000206h
		jmp	short loc_7E420C
_EtwpValidateUserModeLoggerInfo@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __fastcall EtwpValidateLoggerInfo(x)
@EtwpValidateLoggerInfo@4 proc near	; CODE XREF: EtwpTransitionToRealtime(x,x)+1Dp
					; EtwpFlushTrace+26p ...
		test	ecx, ecx
		jz	short loc_7E4236
		cmp	dword ptr [ecx], 0B0h
		jb	short loc_7E4230
		test	dword ptr [ecx+2Ch], 20000h
		jz	short loc_7E4236
		xor	eax, eax
		retn
; 

loc_7E4230:				; CODE XREF: EtwpValidateLoggerInfo(x)+Aj
		mov	eax, 0C0000206h
		retn
; 

loc_7E4236:				; CODE XREF: EtwpValidateLoggerInfo(x)+2j
					; EtwpValidateLoggerInfo(x)+13j
		mov	eax, 0C000000Dh
		retn
@EtwpValidateLoggerInfo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpGetLoggerInfoFromContext proc near	; CODE XREF: EtwpTransitionToRealtime(x,x)+106p
					; EtwpFlushTrace+C0p ...

var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3E		= byte ptr -3Eh
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 0090D62D SIZE 0000000A BYTES
; FUNCTION CHUNK AT 0090D662 SIZE 00000015 BYTES

		push	48h
		push	offset dword_6A4D90
		call	__SEH_prolog4_GS
		mov	eax, edx
		mov	[ebp+var_44], eax
		mov	ebx, ecx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_4C], eax
		xor	ecx, ecx
		mov	[ebp+var_48], ecx
		test	dword ptr [eax+0Ch], 2000000h
		jnz	loc_7E442E
		and	[ebx+48h], ecx

loc_7E426A:				; CODE XREF: EtwpGetLoggerInfoFromContext+224j
		lea	esi, [eax+0C8h]
		lea	edi, [ebx+18h]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_44]
		mov	eax, [esi+0Ch]
		mov	[ebx+40h], eax
		mov	eax, [esi+0D8h]
		mov	[ebx+3Ch], eax
		mov	eax, [esi+84h]
		mov	[ebx+44h], eax
		mov	eax, [esi+4]
		shr	eax, 0Ah
		mov	[ebx+30h], eax
		mov	eax, [esi+0A0h]
		mov	[ebx+60h], eax
		mov	eax, [esi+98h]
		mov	[ebx+34h], eax
		mov	eax, [esi+0A4h]
		mov	[ebx+38h], eax
		mov	eax, [esi+0A8h]
		mov	[ebx+68h], eax
		mov	eax, [esi+9Ch]
		mov	[ebx+64h], eax
		mov	eax, [esi+0B0h]
		mov	ecx, [esi+0B8h]
		cmp	eax, ecx
		ja	short loc_7E42DA
		mov	eax, ecx

loc_7E42DA:				; CODE XREF: EtwpGetLoggerInfoFromContext+9Aj
		mov	[ebx+6Ch], eax
		xor	edi, edi
		mov	[ebx+50h], edi
		mov	[ebx+54h], edi
		mov	edx, [esi+258h]
		shr	edx, 4
		and	edx, 1
		mov	[ebx+50h], edx
		mov	[ebx+54h], edi
		mov	ecx, [esi+258h]
		shr	ecx, 1Bh
		and	ecx, 1
		xor	eax, eax
		shld	eax, ecx, 1
		add	ecx, ecx
		or	ecx, edx
		or	eax, edi
		mov	[ebx+50h], ecx
		mov	[ebx+54h], eax
		mov	eax, [esi+0B4h]
		mov	[ebx+70h], eax
		mov	eax, [esi+0BCh]
		mov	[ebx+74h], eax
		mov	eax, [esi+108h]
		mov	[ebx+0A0h], eax
		mov	eax, [esi+88h]
		mov	[ebx+4Ch], eax
		cmp	[esi], edi
		jz	loc_90D62D
		movzx	eax, word ptr [esi]

loc_7E4347:				; CODE XREF: EtwpGetLoggerInfoFromContext+1293F6j
		mov	[ebx+8], ax
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_7E435B
		mov	eax, [eax+2B0h]
		mov	[ebx+78h], eax

loc_7E435B:				; CODE XREF: EtwpGetLoggerInfoFromContext+114j
		mov	eax, [esi+7Ch]
		mov	[ebx+28h], eax
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_3D], al
		mov	[ebp+var_3E], al
		lea	ecx, [esi+1F0h]
		mov	[ebp+var_44], ecx
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		movzx	eax, word ptr [esi+64h]
		test	ax, ax
		jz	short loc_7E43C6
		cmp	[ebx+82h], di
		jbe	short loc_7E43C6
		mov	[ebp+ms_exc.disabled], edi
		cmp	[ebp+var_3D], 0
		jz	short loc_7E43AF
		push	2
		add	eax, 2
		push	eax
		push	dword ptr [ebx+84h]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_7E43AF:				; CODE XREF: EtwpGetLoggerInfoFromContext+160j
		lea	eax, [esi+64h]
		push	eax
		lea	eax, [ebx+80h]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7E43C6:				; CODE XREF: EtwpGetLoggerInfoFromContext+14Ej
					; EtwpGetLoggerInfoFromContext+157j ...
		or	eax, 0FFFFFFFFh
		mov	ecx, [ebp+var_44]
		lock xadd [ecx], eax
		test	al, 2
		jnz	loc_90D662

loc_7E43D8:				; CODE XREF: EtwpGetLoggerInfoFromContext+129428j
					; EtwpGetLoggerInfoFromContext+129436j
		call	KeAbPostRelease
		mov	eax, [ebp+var_48]
		test	eax, eax
		jnz	short loc_7E441E
		add	esi, 5Ch
		movzx	ecx, word ptr [esi]
		mov	[ebp+var_4C], ecx
		test	cx, cx
		jz	short loc_7E441E
		cmp	[ebx+92h], di
		jbe	short loc_7E441E
		mov	[ebp+ms_exc.disabled], 1
		lea	eax, [ebx+90h]
		push	edi
		push	eax
		push	esi
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_7E4465

loc_7E4414:				; CODE XREF: EtwpGetLoggerInfoFromContext+253j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_48]

loc_7E441E:				; CODE XREF: EtwpGetLoggerInfoFromContext+1A6j
					; EtwpGetLoggerInfoFromContext+1B4j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7E442E:				; CODE XREF: EtwpGetLoggerInfoFromContext+25j
		movzx	esi, byte ptr [eax+25Ah]
		shl	esi, 5
		mov	eax, [eax+2E4h]
		add	eax, 948h
		add	esi, eax
		push	8
		pop	ecx
		lea	edi, [ebp+var_3C]
		rep movsd
		xor	dl, dl
		lea	ecx, [ebp+var_3C]
		call	_EtwpMapEnableFlags@8 ;	EtwpMapEnableFlags(x,x)
		mov	eax, [ebp+var_3C]
		mov	[ebx+48h], eax
		mov	eax, [ebp+var_44]
		jmp	loc_7E426A
; 

loc_7E4465:				; CODE XREF: EtwpGetLoggerInfoFromContext+1D6j
		cmp	[ebp+var_3E], 0
		jz	short loc_7E4482
		push	2
		mov	eax, [ebp+var_4C]
		movzx	eax, ax
		add	eax, 2
		push	eax
		push	dword ptr [ebx+94h]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_7E4482:				; CODE XREF: EtwpGetLoggerInfoFromContext+22Dj
		push	esi
		lea	eax, [ebx+90h]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		jmp	short loc_7E4414
EtwpGetLoggerInfoFromContext endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpStopLoggerInstance(x)
_EtwpStopLoggerInstance@4 proc near	; CODE XREF: EtwpStopTrace+DDp
					; EtwpLogger(x)+320p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		push	40h
		pop	eax
		mov	edi, [ebx+2E4h]
		lea	esi, [ebx+258h]
		mov	[ebp+var_C], edi
		lock or	[esi], eax
		test	dword ptr [ebx+0Ch], 2000000h
		jz	short loc_7E44C4
		xor	edx, edx
		call	EtwpUpdateLoggerGroupMasks

loc_7E44C4:				; CODE XREF: EtwpStopLoggerInstance(x)+29j
		mov	eax, [esi]
		test	al, 20h
		jnz	short loc_7E44D5
		mov	edx, [ebx]
		mov	ecx, edi
		call	EtwpDisableTraceProviders
		mov	eax, [esi]

loc_7E44D5:				; CODE XREF: EtwpStopLoggerInstance(x)+36j
		test	eax, 4000h
		jz	loc_7E457C
		mov	eax, [ebx]
		lea	edx, [edi+890h]
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ecx

loc_7E44F0:				; CODE XREF: EtwpStopLoggerInstance(x)+70j
		movzx	eax, word ptr [edx]
		cmp	eax, [ebp+var_8]
		jz	short loc_7E4506
		inc	ecx
		add	edx, 2
		mov	[ebp+var_4], ecx
		cmp	ecx, 8
		jb	short loc_7E44F0
		jmp	short loc_7E457C
; 

loc_7E4506:				; CODE XREF: EtwpStopLoggerInstance(x)+64j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	esi, [edi+17Ch]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		movzx	edx, byte ptr [edi+8A0h]
		mov	eax, [ebp+var_4]
		movzx	eax, al
		btr	edx, eax
		xor	eax, eax
		mov	[edi+8A0h], dl
		mov	edx, [ebp+var_4]
		shl	edx, 5
		add	edx, 70h
		push	8
		add	edi, edx
		xor	edx, edx
		pop	ecx
		rep stosd
		mov	edi, [ebp+var_C]
		xor	ecx, ecx
		mov	eax, [ebp+var_4]
		mov	[edi+eax*2+890h], cx
		and	[edi+180h], ecx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	esi, [ebx+258h]

loc_7E457C:				; CODE XREF: EtwpStopLoggerInstance(x)+48j
					; EtwpStopLoggerInstance(x)+72j
		test	dword ptr [ebx+0Ch], 400h
		jnz	short loc_7E45AF
		mov	eax, [esi]
		test	eax, 800h
		jz	short loc_7E4599
		mov	edx, [ebx]
		mov	ecx, ebx
		call	_EtwpLogPmcCounterRundown@8 ; EtwpLogPmcCounterRundown(x,x)
		mov	eax, [esi]

loc_7E4599:				; CODE XREF: EtwpStopLoggerInstance(x)+FAj
		test	eax, 1000000h
		jz	short loc_7E45AF
		push	dword ptr [ebx]
		mov	ecx, [ebx+2B8h]
		mov	edx, edi
		call	_EtwpStackRundown@12 ; EtwpStackRundown(x,x,x)

loc_7E45AF:				; CODE XREF: EtwpStopLoggerInstance(x)+F1j
					; EtwpStopLoggerInstance(x)+10Cj
		xor	ecx, ecx
		lea	eax, [ebx+0F8h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_7E45C4
		mov	eax, 80000025h
		jmp	short loc_7E4638
; 

loc_7E45C4:				; CODE XREF: EtwpStopLoggerInstance(x)+129j
		mov	eax, [ebx+2DCh]
		test	eax, eax
		jz	short loc_7E45DD
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_7E45DD
		push	0
		push	eax
		call	_ExCancelTimer@8 ; ExCancelTimer(x,x)

loc_7E45DD:				; CODE XREF: EtwpStopLoggerInstance(x)+13Aj
					; EtwpStopLoggerInstance(x)+141j
		mov	ecx, [ebx]
		mov	edx, ebx
		mov	eax, [edi+18Ch]
		or	edx, 1
		mov	[eax+ecx*4], edx
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_7E4612
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	short loc_7E4612
		push	0
		push	0
		lea	eax, [ebx+174h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_7E462A
; 

loc_7E4612:				; CODE XREF: EtwpStopLoggerInstance(x)+162j
					; EtwpStopLoggerInstance(x)+16Cj
		lea	eax, [ebx+25Ch]
		lock bts dword ptr [eax], 8
		jb	short loc_7E462A
		lea	ecx, [ebx+1B0h]
		call	_EtwpInsertQueueDpc@4 ;	EtwpInsertQueueDpc(x)

loc_7E462A:				; CODE XREF: EtwpStopLoggerInstance(x)+17Ej
					; EtwpStopLoggerInstance(x)+18Bj
		push	0
		push	2
		pop	edx
		mov	ecx, ebx
		call	_EtwpSendSessionNotification@12	; EtwpSendSessionNotification(x,x,x)
		xor	eax, eax

loc_7E4638:				; CODE XREF: EtwpStopLoggerInstance(x)+130j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpStopLoggerInstance@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSendSessionNotification(x, x, x)
_EtwpSendSessionNotification@12	proc near ; CODE XREF: EtwpCreateLogFile+238p
					; EtwpStopLoggerInstance(x)+19Fp ...

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, ecx
		mov	[ebp+var_74], edx
		push	ebx
		push	esi
		push	edi
		movzx	ebx, word ptr [eax]
		mov	[ebp+var_70], eax
		test	bx, bx
		jz	short loc_7E46D2

loc_7E4663:				; CODE XREF: EtwpSendSessionNotification(x,x,x)+99j
		push	60h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_6C]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_70]
		lea	edi, [ebp+var_44]
		mov	[ebp+var_68], esi
		add	esp, 0Ch
		mov	[ebp+var_6C], 7
		mov	esi, offset _SessionNotificationGuid
		movzx	eax, bx
		cdq
		push	0
		movsd
		movsd
		movsd
		movsd
		lea	esi, [ecx+0C8h]
		mov	ecx, [ecx+2E4h]
		lea	edi, [ebp+var_34]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_74]
		mov	[ebp+var_18], edx
		lea	edx, [ebp+var_6C]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_20], eax
		call	_EtwpNotifyGuid@12 ; EtwpNotifyGuid(x,x,x)
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7E46D2:				; CODE XREF: EtwpSendSessionNotification(x,x,x)+23j
		mov	ebx, 0FFFFh
		jmp	short loc_7E4663
_EtwpSendSessionNotification@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpDisableTraceProviders proc near	; CODE XREF: EtwpStopLoggerInstance(x)+3Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090D697 SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		cmp	esi, ds:_EtwpHostSiloState
		jnz	loc_90D697
		mov	edi, 0FFDF0380h

loc_7E46FB:				; CODE XREF: EtwpDisableTraceProviders+128FCCj
		push	0
		xor	edx, edx
		mov	[ebp+var_8], edi
		call	_EtwpGetNextGuidEntry@12 ; EtwpGetNextGuidEntry(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7E472F
		mov	edi, [ebp+var_4]

loc_7E4710:				; CODE XREF: EtwpDisableTraceProviders+50j
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	EtwpClearSessionAndUnreferenceEntry
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpGetNextGuidEntry@12 ; EtwpGetNextGuidEntry(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_7E4710
		mov	edi, [ebp+var_8]

loc_7E472F:				; CODE XREF: EtwpDisableTraceProviders+31j
		push	2
		xor	edx, edx
		mov	ecx, esi
		call	_EtwpGetNextGuidEntry@12 ; EtwpGetNextGuidEntry(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7E4762
		mov	edi, [ebp+var_4]

loc_7E4743:				; CODE XREF: EtwpDisableTraceProviders+83j
		push	2
		mov	edx, ebx
		mov	ecx, edi
		call	EtwpClearSessionAndUnreferenceEntry
		push	2
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpGetNextGuidEntry@12 ; EtwpGetNextGuidEntry(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_7E4743
		mov	edi, [ebp+var_8]

loc_7E4762:				; CODE XREF: EtwpDisableTraceProviders+64j
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _EtwpGlobalMutex
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_4]
		mov	esi, ebx

loc_7E4777:				; CODE XREF: EtwpDisableTraceProviders+AAj
		cmp	[edi+esi*2], al
		jz	loc_90D6AB

loc_7E4780:				; CODE XREF: EtwpDisableTraceProviders+128FF9j
		inc	esi
		cmp	esi, 9
		jb	short loc_7E4777
		push	ebx
		push	offset _EtwpGlobalMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
EtwpDisableTraceProviders endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetNextGuidEntry(x, x, x)
_EtwpGetNextGuidEntry@12 proc near	; CODE XREF: EtwpDisableTraceProviders+28p
					; EtwpDisableTraceProviders+47p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_1], 0
		xor	eax, eax
		lea	edx, [ecx+190h]
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], eax
		push	edi
		test	esi, esi
		jz	loc_7E4873
		mov	eax, [esi+20h]
		xor	eax, [esi+1Ch]
		xor	eax, [esi+18h]
		xor	eax, [esi+14h]
		and	eax, 3Fh
		imul	ecx, eax, 1Ch
		add	ecx, edx

loc_7E47D1:				; CODE XREF: EtwpGetNextGuidEntry(x,x,x)+DFj
		mov	eax, [ebp+arg_0]
		lea	ebx, [ecx+18h]
		lea	edi, [ecx+eax*8]
		mov	[ebp+var_8], edi

loc_7E47DD:				; CODE XREF: EtwpGetNextGuidEntry(x,x,x)+D8j
		mov	eax, large fs:124h
		mov	[ebp+arg_0], edi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		test	esi, esi
		jz	short loc_7E47FD
		mov	edi, esi

loc_7E47FD:				; CODE XREF: EtwpGetNextGuidEntry(x,x,x)+63j
					; EtwpGetNextGuidEntry(x,x,x)+7Aj
		mov	edi, [edi]
		cmp	edi, [ebp+arg_0]
		jz	short loc_7E4816
		mov	ecx, edi
		mov	[ebp+var_C], edi
		call	EtwpReferenceGuidEntry
		test	al, al
		jz	short loc_7E47FD
		mov	[ebp+var_1], 1

loc_7E4816:				; CODE XREF: EtwpGetNextGuidEntry(x,x,x)+6Cj
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jz	short loc_7E482B
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_7E482B:				; CODE XREF: EtwpGetNextGuidEntry(x,x,x)+8Cj
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	esi, esi
		jz	short loc_7E4842
		mov	ecx, esi
		call	EtwpUnreferenceGuidEntry

loc_7E4842:				; CODE XREF: EtwpGetNextGuidEntry(x,x,x)+A3j
		cmp	[ebp+var_1], 0
		jz	short loc_7E4852
		mov	eax, [ebp+var_C]

loc_7E484B:				; CODE XREF: EtwpGetNextGuidEntry(x,x,x)+E6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7E4852:				; CODE XREF: EtwpGetNextGuidEntry(x,x,x)+B0j
		mov	ecx, [ebp+var_8]
		add	ebx, 1Ch
		mov	eax, [ebp+var_10]
		add	ecx, 1Ch
		add	eax, 718h
		mov	[ebp+var_8], ecx
		cmp	ebx, eax
		jz	short loc_7E487A
		xor	esi, esi
		mov	edi, ecx
		jmp	loc_7E47DD
; 

loc_7E4873:				; CODE XREF: EtwpGetNextGuidEntry(x,x,x)+21j
		mov	ecx, edx
		jmp	loc_7E47D1
; 

loc_7E487A:				; CODE XREF: EtwpGetNextGuidEntry(x,x,x)+D2j
		xor	eax, eax
		jmp	short loc_7E484B
_EtwpGetNextGuidEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpClearSessionAndUnreferenceEntry proc near ;	CODE XREF: EtwpDisableTraceProviders+3Cp
					; EtwpDisableTraceProviders+6Fp

var_88		= word ptr -88h
var_85		= byte ptr -85h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2D		= byte ptr -2Dh
Source2		= dword	ptr -2Ch
var_8		= dword	ptr -8
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 0090D6D8 SIZE 000000EC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+Source2]
		push	8
		xor	eax, eax
		mov	[ebp+var_50], ebx
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		mov	esi, edx
		xor	edx, edx
		mov	[ebp+var_4C], esi
		mov	[ebp+var_2D], dl
		mov	[ebp+var_34], edx
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_44], edx
		nop
		lea	ecx, [esi+16Ch]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+170h], eax
		movzx	eax, word ptr [esi+38h]
		mov	[ebp+var_80], eax
		cmp	eax, ebx
		jz	loc_7E4B33

loc_7E48E9:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+2BEj
		mov	edi, [ebp+var_50]
		lea	ecx, [esi+60h]
		xor	ebx, ebx
		xor	edx, edx
		inc	edx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_54], edx

loc_7E48FA:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+8Aj
		cmp	[ecx], edx
		jz	short loc_7E494C

loc_7E48FE:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+D4j
		inc	ebx
		add	ecx, 20h
		mov	[ebp+var_38], ebx
		cmp	ebx, 8
		jb	short loc_7E48FA
		mov	byte ptr [ebp+var_54], 0

loc_7E490E:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+178j
					; EtwpClearSessionAndUnreferenceEntry+293j ...
		and	dword ptr [esi+170h], 0
		lea	ecx, [esi+16Ch]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	byte ptr [ebp+var_54], 1
		jz	loc_7E4B49

loc_7E4938:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+2D2j
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_44]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7E494C:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+7Ej
		movzx	eax, word ptr [ecx+6]
		cmp	eax, edi
		jnz	short loc_7E48FE
		and	dword ptr [ecx], 0
		mov	eax, edx
		mov	ecx, ebx
		shl	eax, cl
		lea	ecx, [esi+64h]
		mov	[ebp+var_48], eax
		xor	eax, eax
		mov	edi, eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], eax
		mov	esi, edi
		mov	[ebp+var_70], eax
		mov	ebx, edi
		mov	[ebp+var_6C], eax
		mov	[ebp+var_68], eax
		or	eax, 0FFFFFFFFh
		push	8
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], eax
		pop	eax
		mov	[ebp+var_74], edi
		mov	[ebp+var_3C], eax

loc_7E498C:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+149j
		cmp	dword ptr [ecx-4], 0
		jz	short loc_7E49BE
		mov	al, [ecx]
		mov	[ebp+var_7C], edx
		cmp	byte ptr [ebp+var_78], al
		jbe	loc_7E4B41

loc_7E49A0:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+2C6j
		mov	eax, [ecx+14h]
		and	[ebp+var_64], eax
		or	esi, [ecx+0Ch]
		or	ebx, [ecx+10h]
		mov	eax, [ecx+18h]
		and	[ebp+var_60], eax
		or	edi, [ecx+4]
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_6C], esi
		mov	[ebp+var_68], ebx

loc_7E49BE:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+112j
		add	ecx, 20h
		sub	eax, 1
		mov	[ebp+var_3C], eax
		jnz	short loc_7E498C
		push	8
		mov	[ebp+var_74], edi
		lea	esi, [ebp+var_7C]
		mov	edi, [ebp+var_4C]
		pop	ecx
		push	0
		add	edi, 40h
		rep movsd
		mov	esi, [ebp+var_4C]
		mov	ecx, esi
		push	edx
		mov	edx, [ebp+var_38]
		push	0
		call	_EtwpUpdateFilterData@20 ; EtwpUpdateFilterData(x,x,x,x,x)
		lea	ecx, [esi+24h]
		mov	eax, [ecx]
		mov	[ebp+var_40], eax
		cmp	eax, ecx
		jz	loc_7E490E
		not	byte ptr [ebp+var_48]
		mov	ebx, [ebp+var_34]

loc_7E4A02:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+28Bj
		cmp	[ebp+arg_0], 0
		jnz	loc_90D6D8
		mov	edi, eax
		lea	edx, [eax+34h]
		mov	[ebp+var_3C], edi

loc_7E4A14:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+128E9Bj
		mov	ch, [edx]
		mov	eax, [eax]
		mov	cl, ch
		and	cl, byte ptr [ebp+var_48]
		mov	[edx], cl
		test	byte ptr [edi+32h], 8
		mov	[ebp+var_40], eax
		jnz	loc_90D71E

loc_7E4A2C:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+128EACj
		cmp	cl, ch
		jz	loc_7E4AFA
		lea	edx, [ebp+Source2]
		mov	ecx, edi
		call	EtwpComputeRegEntryEnableInfo
		mov	dl, [edi+34h]
		mov	ecx, esi
		call	EtwpGetSchematizedFilterSize
		mov	ecx, eax
		mov	[ebp+var_58], ecx
		push	78h
		pop	eax
		mov	[ebp+var_38], eax
		test	ecx, ecx
		jnz	loc_90D72F

loc_7E4A5B:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+128EBAj
		test	ebx, ebx
		jnz	loc_7E4B55

loc_7E4A63:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+300j
		mov	ecx, [ebp+var_38]
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		call	_EtwpAllocDataBlock@12 ; EtwpAllocDataBlock(x,x,x)
		mov	ebx, [ebp+var_34]
		mov	[ebp+var_44], eax
		test	eax, eax
		js	short loc_7E4AE7
		mov	eax, [ebp+var_38]
		mov	dword ptr [ebx], 3
		mov	[ebx+4], eax
		mov	esi, [edi+10h]
		lea	edi, [ebx+28h]
		add	esi, 14h
		mov	[ebp+var_85], 0
		push	8
		pop	ecx
		movsd
		movsd
		movsd
		movsd
		lea	edi, [ebx+48h]
		lea	esi, [ebp+Source2]
		rep movsd
		mov	esi, [ebp+var_4C]
		mov	edi, [ebp+var_3C]
		movzx	eax, byte ptr [esi+3Bh]
		and	eax, 1
		mov	[ebx+70h], eax
		mov	ax, [esi+38h]
		mov	ecx, [esi+30h]
		mov	[ebp+var_88], ax
		mov	al, [esi+3Ah]
		mov	[ebp-86h], al
		mov	eax, dword ptr [ebp+var_88]
		mov	[ebx+68h], eax
		mov	eax, [ebp+var_58]
		mov	[ebx+6Ch], ecx
		test	eax, eax
		jnz	loc_90D75A
		and	[ebx+74h], eax

loc_7E4AE7:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+1FBj
					; EtwpClearSessionAndUnreferenceEntry+128F0Cj
		test	ebx, ebx
		jz	short loc_7E4AF7

loc_7E4AEB:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+2FAj
		mov	edx, ebx
		mov	ecx, edi
		call	EtwpSendDataBlock
		mov	[ebp+var_44], eax

loc_7E4AF7:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+26Bj
		mov	eax, [ebp+var_40]

loc_7E4AFA:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+1B0j
					; EtwpClearSessionAndUnreferenceEntry+128EA6j
		cmp	[ebp+var_2D], 0
		jnz	loc_90D78F

loc_7E4B04:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+128F41j
		lea	ecx, [esi+24h]
		cmp	eax, ecx
		jnz	loc_7E4A02
		test	ebx, ebx
		jz	loc_7E490E
		or	eax, 0FFFFFFFFh
		lock xadd [ebx+8], eax
		dec	eax
		jnz	loc_7E490E
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7E490E
; 

loc_7E4B33:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+65j
		xor	eax, eax
		lea	edi, [esi+30h]
		stosd
		stosd
		stosd
		stosd
		jmp	loc_7E48E9
; 

loc_7E4B41:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+11Cj
		mov	byte ptr [ebp+var_78], al
		jmp	loc_7E49A0
; 

loc_7E4B49:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+B4j
		mov	ecx, esi
		call	EtwpUnreferenceGuidEntry
		jmp	loc_7E4938
; 

loc_7E4B55:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+1DFj
		cmp	[ebx+4], eax
		jnz	loc_90D73D
		push	20h		; Length
		lea	eax, [ebp+Source2]
		push	eax		; Source2
		lea	eax, [ebx+48h]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 20h
		jnz	loc_90D73D

loc_7E4B76:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+128ED7j
		test	ebx, ebx
		jnz	loc_7E4AEB
		jmp	loc_7E4A63
EtwpClearSessionAndUnreferenceEntry endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepDereferenceLowBoxNumberEntry	proc near ; CODE XREF: PAGE:007EA5CDp
					; SepTokenDeleteMethod+10Fp ...

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 0090D7C4 SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		and	[ebp+var_8], ebx
		push	edi
		mov	edi, edx
		cmp	esi, 5
		jnb	loc_90D7C4
		imul	eax, esi, 14h
		add	eax, offset _g_SessionLowboxArray
		mov	[ebp+var_8], eax

loc_7E4BAC:				; CODE XREF: SepDereferenceLowBoxNumberEntry+128C8Fj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+var_8]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		or	eax, 0FFFFFFFFh
		mov	ecx, eax
		lock xadd [edi+0Ch], ecx
		dec	ecx
		test	ecx, ecx
		jle	short loc_7E4BFB

loc_7E4BD5:				; CODE XREF: SepDereferenceLowBoxNumberEntry+128C99j
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7E4BF2

loc_7E4BDF:				; CODE XREF: SepDereferenceLowBoxNumberEntry+75j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	eax, eax

loc_7E4BED:				; CODE XREF: SepDereferenceLowBoxNumberEntry+E6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7E4BF2:				; CODE XREF: SepDereferenceLowBoxNumberEntry+59j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7E4BDF
; 

loc_7E4BFB:				; CODE XREF: SepDereferenceLowBoxNumberEntry+4Fj
		jnz	loc_90D818
		push	0
		push	edi
		push	dword ptr [esi+0Ch]
		call	RtlRemoveEntryHashTable
		mov	[ebp+var_1], al
		test	al, al
		jz	short loc_7E4C75
		mov	edx, [edi+14h]
		dec	edx
		mov	ecx, edx
		and	edx, 7
		shr	ecx, 3
		add	ecx, [esi+8]
		movsx	eax, byte ptr [ecx]
		btr	eax, edx
		mov	[ecx], al

loc_7E4C2A:				; CODE XREF: SepDereferenceLowBoxNumberEntry+F6j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7E4C6C

loc_7E4C37:				; CODE XREF: SepDereferenceLowBoxNumberEntry+EFj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[ebp+var_1], 0
		jz	short loc_7E4C68
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jz	short loc_7E4C68
		mov	edx, [edi+14h]
		call	_ExRemoveLowBoxAtomReferences@8	; ExRemoveLowBoxAtomReferences(x,x)
		mov	ecx, [edi+18h]
		call	_RtlDereferenceAtomTable@4 ; RtlDereferenceAtomTable(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E4C68:				; CODE XREF: SepDereferenceLowBoxNumberEntry+C3j
					; SepDereferenceLowBoxNumberEntry+CAj
		mov	eax, ebx
		jmp	short loc_7E4BED
; 

loc_7E4C6C:				; CODE XREF: SepDereferenceLowBoxNumberEntry+B1j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7E4C37
; 

loc_7E4C75:				; CODE XREF: SepDereferenceLowBoxNumberEntry+8Dj
		mov	ebx, 0C0000001h
		jmp	short loc_7E4C2A
SepDereferenceLowBoxNumberEntry	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepDereferenceCachedHandlesEntry proc near ; CODE XREF:	SepSetTokenBnoIsolation+D21FBp
					; PAGE:007EA5E8p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 0090D822 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	esi, [ecx+34h]
		dec	word ptr [eax+13Ch]
		mov	ebx, edx
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		or	eax, 0FFFFFFFFh
		mov	ecx, eax
		lock xadd [ebx+0Ch], ecx
		dec	ecx
		test	ecx, ecx
		jle	short loc_7E4CD6

loc_7E4CB2:				; CODE XREF: SepDereferenceCachedHandlesEntry+128BABj
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7E4D35

loc_7E4CBC:				; CODE XREF: SepDereferenceCachedHandlesEntry+C0j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax

loc_7E4CD1:				; CODE XREF: SepDereferenceCachedHandlesEntry+B7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7E4CD6:				; CODE XREF: SepDereferenceCachedHandlesEntry+34j
		jnz	loc_90D822
		push	edi
		push	ebx
		push	dword ptr [esi+4]
		call	RtlRemoveEntryHashTable
		mov	[ebp+var_1], al
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_90D82C

loc_7E4CF8:				; CODE XREF: SepDereferenceCachedHandlesEntry+128BB2j
					; SepDereferenceCachedHandlesEntry+128BBFj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[ebp+var_1], 0
		jz	short loc_7E4D41
		mov	edx, [ebx+20h]
		mov	ecx, [ebx+1Ch]
		call	_SepCloseCachedTokenHandles@8 ;	SepCloseCachedTokenHandles(x,x)
		mov	ecx, [ebx+20h]
		test	ecx, ecx
		jz	short loc_7E4D2A
		push	edi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E4D2A:				; CODE XREF: SepDereferenceCachedHandlesEntry+A5j
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E4D31:				; CODE XREF: SepDereferenceCachedHandlesEntry+CAj
		mov	eax, edi
		jmp	short loc_7E4CD1
; 

loc_7E4D35:				; CODE XREF: SepDereferenceCachedHandlesEntry+3Ej
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7E4CBC
; 

loc_7E4D41:				; CODE XREF: SepDereferenceCachedHandlesEntry+93j
		mov	edi, 0C0000001h
		jmp	short loc_7E4D31
SepDereferenceCachedHandlesEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAllocateAndInitializeCachedHandleEntry proc near
					; CODE XREF: SepGetCachedHandlesEntry+7Bp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090D840 SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		mov	edi, ecx
		mov	[ebp+var_4], eax
		push	24h
		pop	ecx
		and	dword ptr [eax], 0
		mov	eax, [edi]
		sub	eax, 0
		jnz	loc_90D840
		mov	eax, [edi+4]
		movzx	eax, byte ptr [eax+1]
		lea	ecx, ds:2Ch[eax*4]

loc_7E4D77:				; CODE XREF: SepAllocateAndInitializeCachedHandleEntry+128AFBj
					; SepAllocateAndInitializeCachedHandleEntry+128B07j
		lea	ebx, [ecx+3]
		push	734C6553h
		and	ebx, 0FFFFFFFCh
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7E4DCD
		xor	ecx, ecx
		mov	dword ptr [esi+0Ch], 1
		mov	[esi+20h], ecx
		mov	[esi+1Ch], ecx
		mov	eax, [edi]
		mov	[esi+10h], eax
		mov	eax, [edi]
		sub	eax, ecx
		jnz	loc_90D854
		lea	eax, [esi+24h]
		mov	[esi+14h], eax
		push	dword ptr [edi+4] ; void *
		push	eax		; void *
		lea	eax, [ebx-24h]
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)

loc_7E4DC1:				; CODE XREF: SepAllocateAndInitializeCachedHandleEntry+128B0Fj
					; SepAllocateAndInitializeCachedHandleEntry+128B36j
		mov	eax, [ebp+var_4]
		mov	[eax], esi
		xor	eax, eax

loc_7E4DC8:				; CODE XREF: SepAllocateAndInitializeCachedHandleEntry+8Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7E4DCD:				; CODE XREF: SepAllocateAndInitializeCachedHandleEntry+46j
		mov	eax, 0C000009Ah
		jmp	short loc_7E4DC8
SepAllocateAndInitializeCachedHandleEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspAddSchedulingGroupToJobChain	proc near ; CODE XREF: sub_759647+218p
					; PspEstablishJobHierarchy+17F8C7p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090D883 SIZE 0000015B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		lea	eax, [esp+18h+var_8]
		mov	ebx, edx
		mov	[esp+18h+var_4], eax
		push	esi
		mov	esi, eax
		mov	[esp+1Ch+var_8], esi
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	short loc_7E4E30
		push	624A7350h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_90D883
		mov	[esi+8], ebx
		lea	ecx, [esp+20h+var_8]
		mov	eax, [esp+20h+var_8]
		cmp	[eax+4], ecx
		jnz	loc_7E4EDC
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		mov	[esp+20h+var_8], esi

loc_7E4E30:				; CODE XREF: PspAddSchedulingGroupToJobChain+22j
					; PspAddSchedulingGroupToJobChain+128B45j
		test	edi, edi
		jnz	loc_90D88D

loc_7E4E38:				; CODE XREF: PspAddSchedulingGroupToJobChain+128AC0j
		xor	ebx, ebx

loc_7E4E3A:				; CODE XREF: PspAddSchedulingGroupToJobChain+FAj
		lea	eax, [esp+20h+var_8]
		cmp	esi, eax
		jz	loc_7E4ED3
		mov	edi, [esi+8]
		mov	ecx, [edi+21Ch]
		mov	eax, [edi+244h]
		add	ecx, 40h
		mov	[esp+20h+var_C], ecx
		test	eax, eax
		jnz	loc_90D991
		mov	eax, [edi+220h]
		mov	[esp+20h+var_10], eax
		cmp	ds:_PsCpuFairShareEnabled, bl
		jnz	loc_90D99F

loc_7E4E7A:				; CODE XREF: PspAddSchedulingGroupToJobChain+128BC6j
					; PspAddSchedulingGroupToJobChain+128BCDj ...
		push	dword ptr [ecx+4]
		mov	edx, eax
		push	dword ptr [ecx]
		call	KeInsertSchedulingGroup
		cmp	[edi+220h], ebx
		jnz	loc_90D9C4

loc_7E4E92:				; CODE XREF: PspAddSchedulingGroupToJobChain+128C05j
		push	8
		push	dword ptr [edi+21Ch]
		mov	edx, offset _PspSetCpuRateControlJobPreCallback@8 ; PspSetCpuRateControlJobPreCallback(x,x)
		mov	ecx, edi
		push	ebx
		push	offset _PspSetCpuRateControlJobPostCallback@8 ;	PspSetCpuRateControlJobPostCallback(x,x)
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_7E4EDC
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_7E4EDC
		push	624A7350h
		mov	[eax], ecx
		push	esi
		mov	[ecx+4], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [esp+28h+var_10]
		jmp	loc_7E4E3A
; 

loc_7E4ED3:				; CODE XREF: PspAddSchedulingGroupToJobChain+6Cj
		xor	eax, eax

loc_7E4ED5:				; CODE XREF: PspAddSchedulingGroupToJobChain+128AB4j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7E4EDC:				; CODE XREF: PspAddSchedulingGroupToJobChain+4Aj
					; PspAddSchedulingGroupToJobChain+DDj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall NtImpersonateAnonymousToken(x)
_NtImpersonateAnonymousToken@4:		; DATA XREF: .text:00580FECo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+74h+var_3C]
		rep stosd
		lea	edi, [esp+74h+var_4C]
		xor	ebx, ebx
		stosd
		lea	ecx, [esp+74h+var_60]
		push	ebx
		mov	[esp+78h+var_58], ebx
		push	ecx
		stosd
		mov	[esp+7Ch+var_5C], ebx
		mov	[esp+7Ch+var_64], ebx
		mov	[esp+7Ch+var_54], ebx
		stosd
		stosd
		mov	eax, large fs:124h
		mov	[esp+7Ch+var_60], ebx
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+7Ch+var_50], al
		push	[esp+7Ch+var_50]
		mov	eax, ds:_PsThreadType
		push	eax
		push	100h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_7E5166
		lea	eax, [esp+74h+var_4C]
		push	eax
		call	SeCaptureSubjectContext
		mov	edi, [esp+74h+var_4C]
		mov	esi, [esp+74h+var_44]
		test	edi, edi
		jnz	short loc_7E4F66
		mov	edi, esi

loc_7E4F66:				; CODE XREF: PspAddSchedulingGroupToJobChain+18Ej
		lea	eax, [esp+74h+var_64]
		mov	edx, offset ??_C@_1FK@FPMGJMB@?$AAA?$AAn?$AAo?$AAn?$AAy?$AAm?$AAo?$AAu?$AAs?$AAA?$AAp?$AAp?$AAC?$AAo?$AAn@NNGAKEGL@ ; "AnonymousAppContainerImpersonationLevel"...
		push	eax
		call	_SepRegQueryDwordValue@12 ; SepRegQueryDwordValue(x,x,x)
		mov	ecx, 4000h
		test	eax, eax
		js	short loc_7E4F84
		cmp	[esp+74h+var_64], ebx
		jnz	short loc_7E4FA8

loc_7E4F84:				; CODE XREF: PspAddSchedulingGroupToJobChain+1A8j
		cmp	dword ptr [edi+0A8h], 1
		jz	short loc_7E4FA8
		test	[esi+0B0h], ecx
		jz	short loc_7E4FA8
		cmp	dword ptr [edi+0ACh], 2
		jge	short loc_7E4FA8
		mov	esi, 0C00000A5h
		jmp	loc_7E5133
; 

loc_7E4FA8:				; CODE XREF: PspAddSchedulingGroupToJobChain+1AEj
					; PspAddSchedulingGroupToJobChain+1B7j	...
		test	[edi+0B0h], ecx
		jnz	loc_7E5105
		lea	eax, [esp+74h+var_64]
		mov	edx, offset ??_C@_1DE@CKOBBNBJ@?$AAE?$AAv?$AAe?$AAr?$AAy?$AAo?$AAn?$AAe?$AAI?$AAn?$AAc?$AAl?$AAu?$AAd?$AAe@NNGAKEGL@
		push	eax
		call	_SepRegQueryDwordValue@12 ; SepRegQueryDwordValue(x,x,x)
		test	eax, eax
		js	short loc_7E4FD4
		cmp	[esp+74h+var_64], 1
		mov	ebx, ds:_SeAnonymousLogonToken
		jz	short loc_7E4FDA

loc_7E4FD4:				; CODE XREF: PspAddSchedulingGroupToJobChain+1F1j
		mov	ebx, ds:_SeAnonymousLogonTokenNoEveryone

loc_7E4FDA:				; CODE XREF: PspAddSchedulingGroupToJobChain+1FEj
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_7E5003
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		lea	edx, [esp+74h+var_5C]
		mov	ecx, eax
		call	_SepCopyAnonymousTokenAndSetSilo@8 ; SepCopyAnonymousTokenAndSetSilo(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7E5133
		mov	ebx, [esp+74h+var_5C]
		jmp	short loc_7E5069
; 

loc_7E5003:				; CODE XREF: PspAddSchedulingGroupToJobChain+20Dj
		test	dword ptr [edi+0B0h], 380000h
		jz	short loc_7E5069
		xor	ecx, ecx
		mov	[esp+74h+var_3C], 18h
		lea	eax, [esp+74h+var_58]
		mov	[esp+74h+var_38], ecx
		push	eax		; int
		push	1		; int
		push	ecx		; int
		push	2		; size_t
		push	2		; int
		mov	[esp+88h+var_30], ecx
		lea	edx, [esp+88h+var_3C]
		mov	[esp+88h+var_34], ecx
		mov	[esp+88h+var_2C], ecx
		mov	[esp+88h+var_28], ecx
		mov	ecx, ebx
		push	1		; char
		call	_SepDuplicateToken@32 ;	SepDuplicateToken(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7E5133
		mov	ecx, [esp+74h+var_58]
		mov	eax, [edi+0B0h]
		and	eax, 380000h
		or	[ecx+0B0h], eax
		mov	ebx, [esp+74h+var_58]

loc_7E5069:				; CODE XREF: PspAddSchedulingGroupToJobChain+22Dj
					; PspAddSchedulingGroupToJobChain+239j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+74h+var_50], al
		push	[esp+74h+var_50]
		push	ds:_SeTokenObjectType
		push	4
		push	ebx
		call	ObReferenceObjectByPointer
		mov	esi, eax
		test	esi, esi
		js	loc_7E5133
		mov	ecx, ebx
		call	ObfDereferenceObject
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	edi, eax
		push	edi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_7E50B6
		mov	esi, 0C0000001h
		jmp	short loc_7E5133
; 

loc_7E50B6:				; CODE XREF: PspAddSchedulingGroupToJobChain+2D9j
		push	esi
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		test	al, al
		jz	short loc_7E50D8
		push	esi
		call	_SeTokenIsWriteRestricted@4 ; SeTokenIsWriteRestricted(x)
		test	al, al
		jnz	short loc_7E50D8
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	esi, 0C0000022h
		jmp	short loc_7E5133
; 

loc_7E50D8:				; CODE XREF: PspAddSchedulingGroupToJobChain+2EAj
					; PspAddSchedulingGroupToJobChain+2F4j
		lea	ecx, [edi+12Ch]
		mov	edx, esi
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		cmp	[esp+74h+var_5C], 0
		push	2
		push	0
		setz	byte ptr [esp+7Ch+var_50]
		push	[esp+7Ch+var_50]
		push	ebx
		push	[esp+84h+var_60]
		call	PsImpersonateClient
		mov	esi, eax
		jmp	short loc_7E5133
; 

loc_7E5105:				; CODE XREF: PspAddSchedulingGroupToJobChain+1DAj
		lea	edx, [esp+74h+var_54]
		mov	ecx, edi
		call	_SepGetAnonymousToken@8	; SepGetAnonymousToken(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7E5133
		push	2
		push	ebx
		push	1
		push	[esp+80h+var_54]
		push	[esp+84h+var_60]
		call	PsImpersonateClient
		mov	ecx, [esp+74h+var_54]
		mov	esi, eax
		call	ObfDereferenceObject

loc_7E5133:				; CODE XREF: PspAddSchedulingGroupToJobChain+1CFj
					; PspAddSchedulingGroupToJobChain+223j	...
		lea	eax, [esp+74h+var_4C]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [esp+74h+var_60]
		test	ecx, ecx
		jz	short loc_7E514A
		call	ObfDereferenceObject

loc_7E514A:				; CODE XREF: PspAddSchedulingGroupToJobChain+36Fj
		mov	ecx, [esp+74h+var_5C]
		test	ecx, ecx
		jz	short loc_7E5157
		call	ObfDereferenceObject

loc_7E5157:				; CODE XREF: PspAddSchedulingGroupToJobChain+37Cj
		mov	ecx, [esp+74h+var_58]
		test	ecx, ecx
		jz	short loc_7E5164
		call	ObfDereferenceObject

loc_7E5164:				; CODE XREF: PspAddSchedulingGroupToJobChain+389j
		mov	eax, esi

loc_7E5166:				; CODE XREF: PspAddSchedulingGroupToJobChain+174j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
PspAddSchedulingGroupToJobChain	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRegQueryDwordValue(x, x,	x)
_SepRegQueryDwordValue@12 proc near	; CODE XREF: PspAddSchedulingGroupToJobChain+19Cp
					; PspAddSchedulingGroupToJobChain+1EAp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, edx
		mov	ecx, offset ??_C@_1GO@BNNKBEEN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax
		mov	edx, 201h
		call	_SepRegOpenKey@12 ; SepRegOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7E51B2
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	4
		push	4
		call	_SepRegQueryValue@20 ; SepRegQueryValue(x,x,x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_7E51B2:				; CODE XREF: SepRegQueryDwordValue(x,x,x)+25j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
_SepRegQueryDwordValue@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRegQueryValue(x,	x, x, x, x)
_SepRegQueryValue@20 proc near		; CODE XREF: SepRegQueryDwordValue(x,x,x)+33p
					; SepAdtInitializeBounds()+29p	...

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	edi
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_60]
		push	edx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_58]
		push	eax
		push	50h
		lea	eax, [ebp+var_54]
		push	eax
		push	2
		lea	eax, [ebp+var_60]
		push	eax
		push	esi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7E5216

loc_7E5204:				; CODE XREF: SepRegQueryValue(x,x,x,x,x)+80j
					; SepRegQueryValue(x,x,x,x,x)+90j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_7E5216:				; CODE XREF: SepRegQueryValue(x,x,x,x,x)+48j
		mov	ecx, [ebp+arg_0]
		cmp	[ebp+var_50], ecx
		jnz	short loc_7E5253
		mov	eax, [ebp+arg_4]
		cmp	[ebp+var_4C], eax
		jnz	short loc_7E5253
		sub	ecx, 3
		jz	short loc_7E523C
		sub	ecx, 1
		jnz	short loc_7E524C
		cmp	eax, 4
		jb	short loc_7E524C
		mov	eax, [ebp+var_48]
		mov	[edi], eax
		jmp	short loc_7E5204
; 

loc_7E523C:				; CODE XREF: SepRegQueryValue(x,x,x,x,x)+6Fj
		push	eax		; size_t
		lea	eax, [ebp+var_48]
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_7E5204
; 

loc_7E524C:				; CODE XREF: SepRegQueryValue(x,x,x,x,x)+74j
					; SepRegQueryValue(x,x,x,x,x)+79j
		mov	esi, 0C000000Dh
		jmp	short loc_7E5204
; 

loc_7E5253:				; CODE XREF: SepRegQueryValue(x,x,x,x,x)+62j
					; SepRegQueryValue(x,x,x,x,x)+6Aj
		mov	esi, 0C0000024h
		jmp	short loc_7E5204
_SepRegQueryValue@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRegOpenKey(x, x,	x)
_SepRegOpenKey@12 proc near		; CODE XREF: SepBuildCapPolicyTable+43p
					; SepBuildCapPolicyTable+5Cp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		push	edi
		push	ecx
		lea	eax, [ebp+var_C]
		xor	edi, edi
		push	eax
		mov	esi, edx
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		mov	[ebp+var_24], 18h
		lea	ecx, [ebp+var_24]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_0]
		push	ecx
		push	esi
		push	eax
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], 240h
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[eax], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		pop	edi
		pop	esi
		leave
		retn	4
_SepRegOpenKey@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ObpParseSymbolicLinkEx(void *,int,int,int,int,int,int,int,int,int,int)
ObpParseSymbolicLinkEx proc near	; DATA XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+EA4o
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x):loc_8112D7o ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 0090D9DE SIZE 00000088 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 0
		test	byte ptr [esi+14h], 2
		mov	[ebp+var_8], 0
		jnz	loc_7E54B0

loc_7E52DD:				; CODE XREF: ObpParseSymbolicLinkEx+211j
		mov	ebx, [ebp+arg_18]
		cmp	word ptr [ebx],	0
		jz	loc_7E5438
		mov	eax, [ebx+4]
		cmp	word ptr [eax],	5Ch
		jnz	loc_90DA01

loc_7E52F7:				; CODE XREF: ObpParseSymbolicLinkEx+191j
					; ObpParseSymbolicLinkEx+128735j ...
		mov	eax, [esi+14h]
		mov	edi, [ebp+arg_24]
		test	al, 8
		jnz	loc_90DA0B

loc_7E5305:				; CODE XREF: ObpParseSymbolicLinkEx+128764j
		test	al, 4
		jnz	loc_90DA19

loc_7E530D:				; CODE XREF: ObpParseSymbolicLinkEx+128774j
		lea	edx, [esi+8]
		mov	[ebp+arg_C], edx
		test	al, 10h
		jnz	loc_7E547E

loc_7E531B:				; CODE XREF: ObpParseSymbolicLinkEx+1EBj
		movzx	edi, word ptr [edx]
		test	edi, edi
		jz	short loc_7E5335
		mov	eax, [edx+4]
		mov	ecx, edi
		shr	ecx, 1
		cmp	word ptr [eax+ecx*2-2],	5Ch
		jz	loc_90DA29

loc_7E5335:				; CODE XREF: ObpParseSymbolicLinkEx+70j
					; ObpParseSymbolicLinkEx+12877Dj ...
		movzx	eax, word ptr [ebx]
		mov	[ebp+arg_4], eax
		movzx	eax, ax
		add	eax, edi
		cmp	eax, 0FFF0h
		ja	loc_90DA48
		movzx	ecx, ax
		mov	eax, [ebp+arg_14]
		mov	[ebp+arg_8], ecx
		movzx	esi, word ptr [eax+2]
		mov	[ebp+arg_18], esi
		cmp	si, cx
		mov	esi, [ebp+arg_0]
		jbe	loc_7E53F9
		mov	ecx, [ebp+arg_18]
		movzx	ecx, cx
		mov	[ebp+arg_18], ecx
		mov	ecx, [eax+4]
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_0], ecx
		movzx	eax, ax

loc_7E537C:				; CODE XREF: ObpParseSymbolicLinkEx+175j
		test	ax, ax
		jz	short loc_7E5398
		movzx	eax, ax
		push	eax		; size_t
		mov	eax, [ebx+4]
		push	eax		; void *
		lea	eax, [ecx+edi]
		push	eax		; void *
		call	_memmove
		mov	edx, [ebp+arg_C]
		add	esp, 0Ch

loc_7E5398:				; CODE XREF: ObpParseSymbolicLinkEx+CFj
		mov	eax, [edx+4]
		push	edi		; size_t
		mov	edi, [ebp+arg_0]
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		mov	ebx, [ebp+arg_14]
		add	esp, 0Ch
		movzx	eax, ax
		shr	eax, 1
		mov	[edi+eax*2], cx
		mov	eax, [ebx+4]
		cmp	edi, eax
		jnz	short loc_7E542A

loc_7E53C1:				; CODE XREF: ObpParseSymbolicLinkEx+17Cj
					; ObpParseSymbolicLinkEx+186j
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_8]
		mov	[ebx], ax
		mov	eax, [ebp+arg_18]
		mov	[ebx+2], ax
		mov	eax, [ebp+arg_28]
		mov	[ebx+4], edi
		test	ecx, ecx
		jnz	loc_7E54A0
		mov	[eax], esi
		test	byte ptr [esi+14h], 1
		jnz	loc_90DA5C
		mov	eax, 104h

loc_7E53F0:				; CODE XREF: ObpParseSymbolicLinkEx+1287B1j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_7E53F9:				; CODE XREF: ObpParseSymbolicLinkEx+B1j
		lea	eax, [ecx+2]
		movzx	eax, ax
		mov	[ebp+arg_18], eax
		push	6D4E624Fh
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		jz	loc_90DA52
		movzx	eax, word ptr [ebx]
		mov	edx, [ebp+arg_C]
		jmp	loc_7E537C
; 

loc_7E542A:				; CODE XREF: ObpParseSymbolicLinkEx+10Fj
		test	eax, eax
		jz	short loc_7E53C1
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7E53C1
; 

loc_7E5438:				; CODE XREF: ObpParseSymbolicLinkEx+34j
		mov	edi, [ebp+arg_4]
		cmp	edi, _ObpSymbolicLinkObjectType
		jnz	loc_7E52F7
		test	byte ptr [esi+14h], 1
		jnz	loc_90D9DE

loc_7E5451:				; CODE XREF: ObpParseSymbolicLinkEx+12873Bj
		push	[ebp+arg_C]
		push	edi
		push	0
		push	esi
		call	ObReferenceObjectByPointer
		mov	edi, eax
		test	edi, edi
		js	loc_90D9F0
		mov	ecx, [ebp+arg_28]
		mov	[ecx], esi

loc_7E546C:				; CODE XREF: ObpParseSymbolicLinkEx+1E3j
					; ObpParseSymbolicLinkEx+21Cj ...
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jnz	short loc_7E54CE

loc_7E5473:				; CODE XREF: ObpParseSymbolicLinkEx+223j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_7E547E:				; CODE XREF: ObpParseSymbolicLinkEx+65j
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		mov	eax, [esi+0Ch]
		push	eax
		mov	eax, [edx]
		push	esi
		call	eax
		mov	edi, eax
		test	edi, edi
		js	short loc_7E546C
		lea	edx, [ebp+var_10]
		mov	[ebp+arg_C], edx
		jmp	loc_7E531B
; 

loc_7E54A0:				; CODE XREF: ObpParseSymbolicLinkEx+129j
		pop	edi
		pop	esi
		mov	[eax], ecx
		mov	eax, 118h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch		; struct _exception *
; 

loc_7E54B0:				; CODE XREF: ObpParseSymbolicLinkEx+27j
		push	[ebp+arg_C]
		mov	eax, [ebp+arg_8]
		add	eax, 1Ch
		push	eax
		call	RtlIsSandboxedToken
		test	al, al
		jnz	loc_7E52DD
		mov	edi, 0C0000034h
		jmp	short loc_7E546C
; 

loc_7E54CE:				; CODE XREF: ObpParseSymbolicLinkEx+1C1j
		call	ObfDereferenceObject
		jmp	short loc_7E5473
ObpParseSymbolicLinkEx endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiResolveMemoryEvent(x, x, x, x)
_MiResolveMemoryEvent@16 proc near	; DATA XREF: MiCreateMemoryEvent+E9o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_MiMemoryEventNames[ecx*8]
		mov	[edx], eax
		mov	eax, ds:off_40117C[ecx*8]
		mov	[edx+4], eax
		mov	eax, 0FFFEh
		add	dword ptr [edx+4], 2
		add	[edx], ax
		add	[edx+2], ax
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		xor	edx, edx
		lea	ecx, [ebp+arg_4]
		push	edx
		push	ecx
		mov	eax, [eax+88h]
		push	edx
		push	edx
		push	0F000Fh
		push	eax
		mov	[ebp+arg_4], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_4]
		mov	[edx], ecx
		pop	ebp
		retn	10h
_MiResolveMemoryEvent@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepSetTokenCachedHandles proc near	; CODE XREF: SepSetTokenBnoIsolation+D2227p
					; NtCreateLowBoxToken+30Ap

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090DA66 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, ecx
		xor	ecx, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_1], cl
		mov	ebx, edx
		mov	[ebp+var_8], ebx
		mov	byte ptr [ebp+var_10], cl
		mov	[ebp+var_14], ecx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_7E55AD
		push	63486553h
		mov	eax, esi
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_90DA66
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		push	edi
		call	SepReferenceCachedTokenHandles
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7E562F
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		push	edi
		push	esi
		mov	[ebp+var_1], 1
		call	SepValidateReferencedCachedHandles
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7E562F
		mov	ebx, [ebp+var_8]
		mov	eax, [ebp+var_C]

loc_7E55AD:				; CODE XREF: SepSetTokenCachedHandles+27j
		mov	esi, [eax+0C0h]
		mov	eax, large fs:124h
		add	esi, 34h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [esi+4]
		xor	ecx, ecx
		cmp	[eax], ecx
		jz	loc_7E565B

loc_7E55DA:				; CODE XREF: SepSetTokenCachedHandles+133j
		lea	eax, [ebp+var_14]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_10]
		mov	ecx, esi
		push	eax
		call	SepGetCachedHandlesEntry
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_90DA75
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		push	edi
		push	[ebp+arg_0]
		push	[ebp+var_10]
		push	[ebp+var_14]
		call	SepAssignTokenCachedHandleEntry
		test	al, al
		jnz	short loc_7E5653

loc_7E560E:				; CODE XREF: SepSetTokenCachedHandles+127j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	short loc_7E5670

loc_7E5619:				; CODE XREF: SepSetTokenCachedHandles:loc_90DA80j
					; SepSetTokenCachedHandles+12855Bj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, [ebp+arg_0]

loc_7E562F:				; CODE XREF: SepSetTokenCachedHandles+54j
					; SepSetTokenCachedHandles+6Fj
		test	edi, edi
		jz	short loc_7E564A
		cmp	[ebp+var_1], 0
		jz	short loc_7E5642
		mov	edx, edi
		mov	ecx, esi
		call	_SepCloseCachedTokenHandles@8 ;	SepCloseCachedTokenHandles(x,x)

loc_7E5642:				; CODE XREF: SepSetTokenCachedHandles+105j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E564A:				; CODE XREF: SepSetTokenCachedHandles+FFj
					; SepSetTokenCachedHandles+128539j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_7E5653:				; CODE XREF: SepSetTokenCachedHandles+DAj
		xor	edi, edi
		mov	[ebp+var_1], 0
		jmp	short loc_7E560E
; 

loc_7E565B:				; CODE XREF: SepSetTokenCachedHandles+A2j
		push	ecx
		push	ecx
		push	eax
		call	_RtlCreateHashTable@12 ; RtlCreateHashTable(x,x,x)
		test	al, al
		jnz	loc_7E55DA
		jmp	loc_90DA70
; 

loc_7E5670:				; CODE XREF: SepSetTokenCachedHandles+E5j
		test	al, 4
		jmp	loc_90DA80
SepSetTokenCachedHandles endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAssignTokenCachedHandleEntry	proc near ; CODE XREF: SepSetTokenCachedHandles+D3p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0090DA92 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [edx]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_8]
		sub	edx, eax
		jnz	loc_90DA92
		mov	edx, [ebp+arg_0]
		test	esi, esi
		jz	short loc_7E5699
		cmp	[edx+1Ch], eax
		jz	short loc_7E56A8

loc_7E5699:				; CODE XREF: SepAssignTokenCachedHandleEntry+1Aj
					; SepAssignTokenCachedHandleEntry+32j
		mov	[ecx+278h], edx

loc_7E569F:				; CODE XREF: SepAssignTokenCachedHandleEntry+128432j
		test	al, al
		jnz	short loc_7E56AC

loc_7E56A3:				; CODE XREF: SepAssignTokenCachedHandleEntry+3Dj
					; SepAssignTokenCachedHandleEntry+12841Dj
		pop	esi
		pop	ebp
		retn	10h
; 

loc_7E56A8:				; CODE XREF: SepAssignTokenCachedHandleEntry+1Fj
		mov	al, 1
		jmp	short loc_7E5699
; 

loc_7E56AC:				; CODE XREF: SepAssignTokenCachedHandleEntry+29j
		mov	ecx, [ebp+arg_C]
		mov	[edx+1Ch], esi
		mov	[edx+20h], ecx
		jmp	short loc_7E56A3
SepAssignTokenCachedHandleEntry	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepGetCachedHandlesEntry proc near	; CODE XREF: SepSetTokenCachedHandles+B4p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090DAAF SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ecx+4]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], eax
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		mov	esi, ebx
		mov	[ebp+var_C], ebx
		mov	eax, [edi]
		mov	[ebp+var_4], ebx
		sub	eax, ebx
		jnz	loc_90DAAF
		mov	ecx, [edi+4]
		movzx	eax, byte ptr [ecx+1]
		mov	esi, [ecx+eax*4+4]
		test	esi, esi
		jz	short loc_7E575B

loc_7E56F1:				; CODE XREF: SepGetCachedHandlesEntry+A6j
					; SepGetCachedHandlesEntry+1283FAj ...
		mov	eax, [ebp+arg_0]
		mov	edx, esi
		mov	ecx, [ebp+var_10]
		mov	[eax], bl
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	SepFindMatchingCachedHandlesEntry
		mov	edx, [ebp+var_8]
		test	edx, edx
		jz	short loc_7E572E
		xor	eax, eax
		inc	eax
		lock xadd [edx+0Ch], eax
		inc	eax
		cmp	eax, 1
		jle	short loc_7E5760

loc_7E571A:				; CODE XREF: SepGetCachedHandlesEntry+ADj
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	1
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		xor	eax, eax

loc_7E5727:				; CODE XREF: SepGetCachedHandlesEntry+82j
					; SepGetCachedHandlesEntry+A1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7E572E:				; CODE XREF: SepGetCachedHandlesEntry+52j
		lea	edx, [ebp+var_C]
		mov	ecx, edi
		call	SepAllocateAndInitializeCachedHandleEntry
		test	eax, eax
		js	short loc_7E5727
		push	ebx
		push	esi
		mov	esi, [ebp+var_C]
		push	esi
		push	[ebp+var_10]
		call	RtlInsertEntryHashTable
		test	al, al
		jz	loc_90DAD0
		mov	eax, [ebp+arg_4]
		mov	[eax], esi

loc_7E5757:				; CODE XREF: SepGetCachedHandlesEntry+128424j
		mov	eax, ebx
		jmp	short loc_7E5727
; 

loc_7E575B:				; CODE XREF: SepGetCachedHandlesEntry+37j
		xor	esi, esi
		inc	esi
		jmp	short loc_7E56F1
; 

loc_7E5760:				; CODE XREF: SepGetCachedHandlesEntry+60j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_7E571A
SepGetCachedHandlesEntry endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepFindMatchingCachedHandlesEntry proc near ; CODE XREF: SepGetCachedHandlesEntry+48p

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090DAE1 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		xor	eax, eax
		push	ebx
		push	edi
		lea	edi, [ebp+var_14]
		mov	[ebp+var_8], ecx
		stosd
		xor	bl, bl
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		push	edx
		push	ecx
		call	_RtlLookupEntryHashTable@12 ; RtlLookupEntryHashTable(x,x,x)
		test	eax, eax
		jz	short loc_7E57CB
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	esi, [ecx]
		lea	edi, [ecx+4]

loc_7E579B:				; CODE XREF: SepFindMatchingCachedHandlesEntry+1283A1j
		mov	[ebp+var_4], eax
		cmp	esi, [eax+10h]
		jnz	loc_90DAFB
		mov	ecx, esi
		sub	ecx, 0
		jnz	loc_90DAE1
		push	dword ptr [eax+14h]
		push	dword ptr [edi]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)

loc_7E57BC:				; CODE XREF: SepFindMatchingCachedHandlesEntry+12838Ej
		test	al, al
		jz	short loc_7E57C2
		mov	bl, 1

loc_7E57C2:				; CODE XREF: SepFindMatchingCachedHandlesEntry+56j
					; SepFindMatchingCachedHandlesEntry+12837Cj
		test	bl, bl
		jz	loc_90DAFB

loc_7E57CA:				; CODE XREF: SepFindMatchingCachedHandlesEntry+1283A7j
		pop	esi

loc_7E57CB:				; CODE XREF: SepFindMatchingCachedHandlesEntry+28j
		mov	eax, [ebp+arg_4]
		movzx	ecx, bl
		neg	ecx
		pop	edi
		sbb	ecx, ecx
		and	ecx, [ebp+var_4]
		mov	[eax], ecx
		xor	eax, eax
		pop	ebx
		leave
		retn	8
SepFindMatchingCachedHandlesEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepSetTokenLowboxNumber	proc near	; CODE XREF: SepGetAnonymousToken(x,x)+B5p
					; NtCreateLowBoxToken+2ECp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 0090DB14 SIZE 000000DF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_18], ecx
		push	esi
		push	edi
		mov	edi, [ecx+78h]
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_14], edx
		mov	ebx, eax
		mov	[ebp+var_10], eax
		mov	ecx, offset _LowboxSessionMapLock
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_1], al
		cmp	edi, 5
		jnb	loc_90DB14
		imul	edi, 14h
		add	edi, offset _g_SessionLowboxArray
		mov	[ebp+var_8], edi

loc_7E5823:				; CODE XREF: SepSetTokenLowboxNumber+1283C6j
		cmp	byte ptr [edi+10h], 0
		jz	short loc_7E589A

loc_7E5829:				; CODE XREF: SepSetTokenLowboxNumber+FAj
		test	ebx, ebx
		jnz	short loc_7E587F
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+var_8]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_C]
		push	eax
		mov	ecx, edi
		call	SepGetLowBoxNumberEntry
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_7E5867
		mov	ecx, [ebp+var_18]
		mov	eax, [ebp+var_C]
		mov	[ecx+274h], eax

loc_7E5867:				; CODE XREF: SepSetTokenLowboxNumber+77j
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7E58EA

loc_7E5873:				; CODE XREF: SepSetTokenLowboxNumber+10Fj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_7E587F:				; CODE XREF: SepSetTokenLowboxNumber+49j
					; SepSetTokenLowboxNumber+1283BDj
		cmp	byte ptr [ebp+var_10], 0
		jnz	loc_90DBAD
		cmp	[ebp+var_1], 0
		jnz	loc_90DBC8

loc_7E5893:				; CODE XREF: SepSetTokenLowboxNumber+12840Cj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_7E589A:				; CODE XREF: SepSetTokenLowboxNumber+45j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		cmp	byte ptr [edi+10h], 0
		mov	edi, [ebp+var_8]
		jnz	short loc_7E58C4
		mov	ecx, edi
		call	SepInitializeLowBoxNumberTable
		mov	ebx, eax

loc_7E58C4:				; CODE XREF: SepSetTokenLowboxNumber+D7j
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7E58E1

loc_7E58D0:				; CODE XREF: SepSetTokenLowboxNumber+106j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_7E5829
; 

loc_7E58E1:				; CODE XREF: SepSetTokenLowboxNumber+ECj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7E58D0
; 

loc_7E58EA:				; CODE XREF: SepSetTokenLowboxNumber+8Fj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7E5873
SepSetTokenLowboxNumber	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepGetLowBoxNumberEntry	proc near	; CODE XREF: SepSetTokenLowboxNumber+6Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090DBF3 SIZE 000000AB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		lea	eax, [ecx+4]
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, [ecx+0Ch]
		xor	esi, esi
		mov	[ebp+var_4], eax
		mov	ecx, edi
		lea	eax, [ebp+var_8]
		mov	[ebp+var_C], ebx
		push	eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_14], edi
		call	SepFindMatchingLowBoxNumberEntry
		mov	edx, [ebp+var_8]
		xor	edi, edi
		inc	edi
		test	edx, edx
		jz	short loc_7E5948
		mov	eax, edi
		lock xadd [edx+0Ch], eax
		inc	eax
		cmp	eax, edi
		jle	loc_90DBF3

loc_7E593A:				; CODE XREF: SepGetLowBoxNumberEntry+128304j
		mov	eax, [ebp+arg_0]
		mov	[eax], edx
		xor	eax, eax

loc_7E5941:				; CODE XREF: SepGetLowBoxNumberEntry+E5j
					; SepGetLowBoxNumberEntry+12830Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7E5948:				; CODE XREF: SepGetLowBoxNumberEntry+34j
		movzx	eax, byte ptr [ebx+1]
		push	734C6553h
		lea	eax, ds:27h[eax*4]
		and	eax, 0FFFFFFFCh
		push	eax
		push	edi
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_90DBFD
		push	[ebp+var_C]	; void *
		lea	eax, [ebx+1Ch]
		push	eax		; void *
		mov	[ebx+10h], eax
		mov	eax, [ebp+var_8]
		add	eax, 0FFFFFFE4h
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		push	esi
		push	edi
		push	[ebp+var_4]
		call	RtlFindClearBitsAndSet
		mov	[ebp+var_8], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_90DC07

loc_7E599B:				; CODE XREF: SepGetLowBoxNumberEntry+12837Ej
		cmp	eax, 0FFFFh
		jz	loc_90DC78
		mov	ecx, [ebp+var_C]
		inc	eax
		mov	[ebx+14h], eax
		mov	[ebx+18h], esi
		mov	[ebx+0Ch], edi
		movzx	eax, byte ptr [ecx+1]
		mov	eax, [ecx+eax*4+4]
		test	eax, eax
		jz	short loc_7E59DE

loc_7E59BF:				; CODE XREF: SepGetLowBoxNumberEntry+ECj
		push	esi
		push	eax
		push	ebx
		push	[ebp+var_14]
		call	RtlInsertEntryHashTable
		test	al, al
		jz	loc_90DC89
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx

loc_7E59D7:				; CODE XREF: SepGetLowBoxNumberEntry+128390j
		mov	eax, esi
		jmp	loc_7E5941
; 

loc_7E59DE:				; CODE XREF: SepGetLowBoxNumberEntry+C9j
		mov	eax, edi
		jmp	short loc_7E59BF
SepGetLowBoxNumberEntry	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepFindMatchingLowBoxNumberEntry proc near ; CODE XREF:	SepGetLowBoxNumberEntry+27p

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090DC9E SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], edx
		lea	edi, [ebp+var_14]
		xor	ebx, ebx
		stosd
		mov	esi, ecx
		mov	[ebp+var_1], bl
		stosd
		stosd
		movzx	eax, byte ptr [edx+1]
		mov	eax, [edx+eax*4+4]
		test	eax, eax
		jz	short loc_7E5A4D

loc_7E5A0B:				; CODE XREF: SepFindMatchingLowBoxNumberEntry+6Ej
		lea	ecx, [ebp+var_14]
		push	ecx
		push	eax
		push	esi
		call	_RtlLookupEntryHashTable@12 ; RtlLookupEntryHashTable(x,x,x)
		test	eax, eax
		jz	short loc_7E5A49
		mov	edi, [ebp+var_8]

loc_7E5A1D:				; CODE XREF: SepFindMatchingLowBoxNumberEntry+1282C8j
		push	dword ptr [eax+10h]
		mov	ebx, eax
		push	edi
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	loc_90DC9E
		mov	al, 1

loc_7E5A32:				; CODE XREF: SepFindMatchingLowBoxNumberEntry+69j
					; SepFindMatchingLowBoxNumberEntry+1282D1j
		movzx	ecx, al
		mov	eax, [ebp+arg_0]
		neg	ecx
		pop	edi
		sbb	ecx, ecx
		and	ecx, ebx
		pop	esi
		mov	[eax], ecx
		xor	eax, eax
		pop	ebx
		leave
		retn	4
; 

loc_7E5A49:				; CODE XREF: SepFindMatchingLowBoxNumberEntry+36j
		mov	al, bl
		jmp	short loc_7E5A32
; 

loc_7E5A4D:				; CODE XREF: SepFindMatchingLowBoxNumberEntry+27j
		xor	eax, eax
		inc	eax
		jmp	short loc_7E5A0B
SepFindMatchingLowBoxNumberEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepValidateReferencedCachedHandles proc	near ; CODE XREF: SepSetTokenCachedHandles+66p

var_452		= byte ptr -452h
var_451		= byte ptr -451h
var_450		= dword	ptr -450h
var_44C		= dword	ptr -44Ch
var_448		= dword	ptr -448h
var_444		= dword	ptr -444h
var_440		= dword	ptr -440h
var_43C		= dword	ptr -43Ch
var_438		= dword	ptr -438h
var_434		= dword	ptr -434h
var_430		= dword	ptr -430h
var_42C		= dword	ptr -42Ch
var_428		= dword	ptr -428h
var_420		= byte ptr -420h
var_41C		= dword	ptr -41Ch
var_414		= byte ptr -414h
var_410		= dword	ptr -410h
var_40C		= dword	ptr -40Ch
var_408		= word ptr -408h
var_208		= word ptr -208h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090DCB8 SIZE 0000007D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 454h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+454h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, edx
		mov	[esp+458h+var_42C], eax
		xor	edx, edx
		mov	[esp+458h+var_450], ecx
		push	esi
		push	edi
		mov	eax, [ebx]
		mov	esi, edx
		mov	[esp+460h+var_440], edx
		mov	edi, edx
		mov	[esp+460h+var_451], dl
		mov	[esp+460h+var_43C], edx
		mov	[esp+460h+var_44C], edx
		mov	[esp+460h+var_444], edx
		mov	[esp+460h+var_434], edx
		mov	[esp+460h+var_430], edx
		mov	[esp+460h+var_448], edx
		sub	eax, edx
		jnz	loc_90DCB8
		lea	eax, [esp+460h+var_43C]
		push	eax
		push	dword ptr [ebx+4]
		call	RtlGetAppContainerSidType
		mov	esi, eax
		test	esi, esi
		js	loc_7E5CBD
		mov	esi, [ebx+4]
		push	2
		pop	ebx
		mov	[esp+460h+var_448], ebx
		cmp	[esp+460h+var_43C], ebx
		jnz	loc_7E5D34
		push	1
		push	esi
		lea	eax, [esp+468h+var_434]
		push	eax
		call	RtlConvertSidToUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_7E5CBD
		mov	[esp+460h+var_451], 1

loc_7E5AF5:				; CODE XREF: SepValidateReferencedCachedHandles+340j
		mov	ecx, [esp+460h+var_450]
		lea	eax, [esp+460h+var_434]
		mov	[esp+460h+var_444], eax
		lea	eax, [esp+460h+var_408]
		push	dword ptr [ecx+78h] ; char
		push	offset ??_C@_1BK@JJANIBL@?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAs?$AA?2?$AA?$CF?$AAd@NNGAKEGL@ ; "\\Sessions\\%d"
		push	100h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	loc_7E5CBD
		lea	eax, [esp+460h+var_408]
		push	eax
		lea	eax, [esp+464h+var_428]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset aDeviceNamedpip ; "\\Device\\NamedPipe"
		lea	eax, [esp+464h+var_41C]
		mov	[esp+464h+var_420], 1
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ebx, ebx
		mov	[esp+460h+var_414], bl

loc_7E5B4E:				; CODE XREF: SepValidateReferencedCachedHandles+1282DEj
		cmp	[ebp+arg_0], edi
		jbe	loc_7E5CBD

loc_7E5B57:				; CODE XREF: SepValidateReferencedCachedHandles+265j
		test	edi, edi
		jz	short loc_7E5B62
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7E5B62:				; CODE XREF: SepValidateReferencedCachedHandles+107j
		mov	ecx, [esp+460h+var_42C]
		mov	eax, [esp+460h+var_440]
		push	ebx
		mov	[esp+464h+var_450], ebx
		mov	eax, [ecx+eax*4]
		lea	ecx, [esp+464h+var_450]
		push	ecx
		push	ebx
		push	ebx
		push	ebx
		push	eax
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [esp+460h+var_450]
		mov	esi, eax
		test	esi, esi
		js	loc_7E5CAB
		lea	eax, [edi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [edi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, _ObpSymbolicLinkObjectType
		jz	short loc_7E5BC1
		cmp	eax, _ObpDirectoryObjectType
		jnz	loc_7E5D02

loc_7E5BC1:				; CODE XREF: SepValidateReferencedCachedHandles+161j
					; SepValidateReferencedCachedHandles+2BFj
		cmp	[esp+460h+var_44C], 0
		jz	short loc_7E5BD6
		push	ebx
		push	[esp+464h+var_44C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esp+460h+var_44C], ebx

loc_7E5BD6:				; CODE XREF: SepValidateReferencedCachedHandles+174j
		lea	edx, [esp+460h+var_44C]
		mov	ecx, edi
		call	SepQueryNameString
		mov	esi, eax
		test	esi, esi
		js	loc_7E5CBD
		mov	ecx, [esp+460h+var_44C]
		test	ecx, ecx
		jz	loc_7E5CA2
		cmp	[ecx+2], bx
		jz	loc_7E5CA2
		cmp	[esp+460h+var_448], 0
		mov	eax, [ecx]
		mov	[esp+460h+var_410], eax
		mov	eax, [ecx+4]
		mov	[esp+460h+var_40C], eax
		jbe	loc_7E5CA2
		lea	eax, [esp+460h+var_428]
		mov	[esp+460h+var_450], eax

loc_7E5C21:				; CODE XREF: SepValidateReferencedCachedHandles+2D7j
		push	1
		lea	ecx, [esp+464h+var_410]
		push	ecx
		push	eax
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_7E5D19
		imul	eax, ebx, 0Ch
		mov	al, [esp+eax+460h+var_420]
		test	al, al
		jz	short loc_7E5CA9
		push	edi
		call	_ObQueryNameInfo@4 ; ObQueryNameInfo(x)
		test	eax, eax
		jz	short loc_7E5CA2
		xor	ebx, ebx
		cmp	[eax+6], bx
		jz	short loc_7E5CA2
		mov	ecx, [eax+4]
		mov	eax, [eax+8]
		push	1
		push	[esp+464h+var_444]
		mov	[esp+468h+var_438], eax
		lea	eax, [esp+468h+var_43C]
		push	eax
		mov	[esp+46Ch+var_43C], ecx
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_7E5CAB
		mov	eax, offset _AllowedCachedObjectNames
		mov	[esp+460h+var_450], eax

loc_7E5C7E:				; CODE XREF: SepValidateReferencedCachedHandles+24Ej
		push	1
		push	eax
		lea	eax, [esp+468h+var_43C]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_7E5CA9
		mov	eax, [esp+460h+var_450]
		add	ebx, 8
		add	eax, 8
		mov	[esp+460h+var_450], eax
		cmp	ebx, 28h
		jb	short loc_7E5C7E

loc_7E5CA2:				; CODE XREF: SepValidateReferencedCachedHandles+19Fj
					; SepValidateReferencedCachedHandles+1A9j ...
		mov	esi, 0C000000Dh
		jmp	short loc_7E5CBD
; 

loc_7E5CA9:				; CODE XREF: SepValidateReferencedCachedHandles+1EDj
					; SepValidateReferencedCachedHandles+23Bj
		xor	ebx, ebx

loc_7E5CAB:				; CODE XREF: SepValidateReferencedCachedHandles+136j
					; SepValidateReferencedCachedHandles+221j
		mov	edx, [esp+460h+var_440]
		inc	edx
		mov	[esp+460h+var_440], edx
		cmp	edx, [ebp+arg_0]
		jb	loc_7E5B57

loc_7E5CBD:				; CODE XREF: SepValidateReferencedCachedHandles+6Dj
					; SepValidateReferencedCachedHandles+98j ...
		mov	ecx, [esp+460h+var_44C]
		test	ecx, ecx
		jz	short loc_7E5CCD
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E5CCD:				; CODE XREF: SepValidateReferencedCachedHandles+271j
		test	edi, edi
		jz	short loc_7E5CD8
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7E5CD8:				; CODE XREF: SepValidateReferencedCachedHandles+27Dj
		cmp	[esp+460h+var_451], 0
		jz	short loc_7E5CE9
		lea	eax, [esp+460h+var_434]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_7E5CE9:				; CODE XREF: SepValidateReferencedCachedHandles+28Bj
		mov	ecx, [esp+460h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7E5D02:				; CODE XREF: SepValidateReferencedCachedHandles+169j
		cmp	eax, ds:_IoFileObjectType
		jnz	short loc_7E5CA2
		mov	eax, [edi+4]
		cmp	dword ptr [eax+2Ch], 11h
		jz	loc_7E5BC1
		jmp	short loc_7E5CA2
; 

loc_7E5D19:				; CODE XREF: SepValidateReferencedCachedHandles+1DEj
		mov	eax, [esp+460h+var_450]
		inc	ebx
		add	eax, 0Ch
		mov	[esp+460h+var_450], eax
		cmp	ebx, [esp+460h+var_448]
		jb	loc_7E5C21
		jmp	loc_7E5CA2
; 

loc_7E5D34:				; CODE XREF: SepValidateReferencedCachedHandles+81j
		push	0Bh
		push	esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	dword ptr [eax]
		push	0Ah
		push	esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	dword ptr [eax]
		push	9
		push	esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	dword ptr [eax]
		push	8
		push	esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	dword ptr [eax]	; char
		lea	eax, [esp+470h+var_208]
		push	offset ??_C@_1BI@NJNFIEDN@?$AA?$CF?$AAu?$AA?9?$AA?$CF?$AAu?$AA?9?$AA?$CF?$AAu?$AA?9?$AA?$CF?$AAu@NNGAKEGL@ ; wchar_t *
		push	100h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 1Ch
		test	esi, esi
		js	loc_7E5CBD
		lea	eax, [esp+460h+var_208]
		push	eax
		lea	eax, [esp+464h+var_434]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_7E5AF5
SepValidateReferencedCachedHandles endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepQueryNameString proc	near		; CODE XREF: SepValidateReferencedCachedHandles+18Ap
					; SeSecurityDescriptorChangedAuditAlarm+1264B6p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090DD35 SIZE 00000059 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		mov	edi, edx
		push	ecx
		push	eax
		mov	[ebp+var_4], ecx
		xor	edx, edx
		mov	[edi], ecx
		push	ecx
		mov	ecx, ebx
		call	ObQueryNameStringMode
		mov	esi, eax
		cmp	esi, 0C0000004h
		jnz	loc_90DD35

loc_7E5DC9:				; CODE XREF: SepQueryNameString+127FA9j
		push	6E4F6553h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jz	short loc_7E5E0F
		xor	ecx, ecx
		mov	edx, eax
		push	ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	[ebp+var_4]
		mov	ecx, ebx
		call	ObQueryNameStringMode
		mov	esi, eax
		test	esi, esi
		js	loc_90DD46
		mov	eax, [edi]
		xor	ecx, ecx
		cmp	[eax], cx
		jz	loc_90DD46

loc_7E5E08:				; CODE XREF: SepQueryNameString+7Cj
					; SepQueryNameString+127FA3j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7E5E0F:				; CODE XREF: SepQueryNameString+44j
		mov	esi, 0C000009Ah
		jmp	short loc_7E5E08
SepQueryNameString endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1634. ObQueryNameInfo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObQueryNameInfo(x)
		public _ObQueryNameInfo@4
_ObQueryNameInfo@4 proc	near		; CODE XREF: SepValidateReferencedCachedHandles+1F0p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		add	ecx, 0FFFFFFE8h
		mov	al, [ecx+0Eh]
		test	al, 2
		jz	short loc_7E5E43
		movzx	eax, al
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax

loc_7E5E3D:				; CODE XREF: ObQueryNameInfo(x)+29j
		mov	eax, ecx
		pop	ebp
		retn	4
; 

loc_7E5E43:				; CODE XREF: ObQueryNameInfo(x)+10j
		xor	ecx, ecx
		jmp	short loc_7E5E3D
_ObQueryNameInfo@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSetTokenSessionById(x, x, x, x, x)
_SepSetTokenSessionById@20 proc	near	; CODE XREF: SepGetAnonymousToken(x,x)+9Ep
					; SeSubProcessToken+18Bp ...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	[esi+78h], edi
		jnz	short loc_7E5E5E

loc_7E5E58:				; CODE XREF: SepSetTokenSessionById(x,x,x,x,x)+20j
					; SepSetTokenSessionById(x,x,x,x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_7E5E5E:				; CODE XREF: SepSetTokenSessionById(x,x,x,x,x)+Ej
		mov	[esi+78h], edi
		cmp	ds:_SeTokenDoesNotTrackSessionObject, 0
		jnz	short loc_7E5E58
		cmp	[ebp+arg_0], 0
		jnz	short loc_7E5E89
		mov	ecx, [esi+29Ch]
		test	ecx, ecx
		jnz	short loc_7E5E9D

loc_7E5E7A:				; CODE XREF: SepSetTokenSessionById(x,x,x,x,x)+5Aj
		mov	ecx, edi
		call	MmGetSessionObjectById

loc_7E5E81:				; CODE XREF: SepSetTokenSessionById(x,x,x,x,x)+53j
		mov	[esi+29Ch], eax
		jmp	short loc_7E5E58
; 

loc_7E5E89:				; CODE XREF: SepSetTokenSessionById(x,x,x,x,x)+26j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_7E5E98
		mov	eax, [esi+29Ch]
		mov	[ecx], eax

loc_7E5E98:				; CODE XREF: SepSetTokenSessionById(x,x,x,x,x)+46j
		mov	eax, [ebp+arg_4]
		jmp	short loc_7E5E81
; 

loc_7E5E9D:				; CODE XREF: SepSetTokenSessionById(x,x,x,x,x)+30j
		call	ObfDereferenceObject
		jmp	short loc_7E5E7A
_SepSetTokenSessionById@20 endp


;  S U B	R O U T	I N E 


; __stdcall PspFreeRateControl(x, x)
_PspFreeRateControl@8 proc near		; CODE XREF: PspRemoveCpuRateControl+32p
					; sub_759647+17A5A4p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		sub	edx, 0
		jz	short loc_7E5EE1
		call	_KeGetSchedulingGroupSize@0 ; KeGetSchedulingGroupSize()
		add	eax, 40h

loc_7E5EB7:				; CODE XREF: PspFreeRateControl(x,x)+40j
		mov	ecx, [esi]
		mov	edx, eax
		push	0
		call	PsReturnSharedPoolQuota
		mov	eax, [esi+0Ch]
		mov	edi, 624A7350h
		test	eax, eax
		jnz	short loc_7E5ED8

loc_7E5ECE:				; CODE XREF: PspFreeRateControl(x,x)+3Bj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
; 

loc_7E5ED8:				; CODE XREF: PspFreeRateControl(x,x)+28j
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7E5ECE
; 

loc_7E5EE1:				; CODE XREF: PspFreeRateControl(x,x)+9j
		push	30h
		pop	eax
		jmp	short loc_7E5EB7
_PspFreeRateControl@8 endp


;  S U B	R O U T	I N E 


PspAllocateRateControl proc near	; CODE XREF: sub_759647+175p
					; PspAddSchedulingGroupToJobChain+128AC9p ...

; FUNCTION CHUNK AT 0090DD8E SIZE 00000012 BYTES

		mov	edi, edi
		push	esi
		push	edi
		sub	ecx, 0
		jz	short loc_7E5F43
		call	_KeGetSchedulingGroupSize@0 ; KeGetSchedulingGroupSize()
		lea	edi, [eax+40h]
		mov	eax, 200h

loc_7E5EFC:				; CODE XREF: PspAllocateRateControl+63j
		push	624A7350h
		push	edi
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7E5F3E
		mov	ecx, large fs:124h
		mov	edx, edi
		push	ebx
		push	0
		mov	ecx, [ecx+80h]
		call	PsChargeSharedPoolQuota
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_90DD8E
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi], ebx

loc_7E5F3D:				; CODE XREF: PspAllocateRateControl+127EB5j
		pop	ebx

loc_7E5F3E:				; CODE XREF: PspAllocateRateControl+26j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_7E5F43:				; CODE XREF: PspAllocateRateControl+7j
		push	30h
		xor	eax, eax
		pop	edi
		inc	eax
		jmp	short loc_7E5EFC
PspAllocateRateControl endp

; 
		align 10h
; Exported entry 2041. RtlDestroyAtomTable

		public RtlDestroyAtomTable
RtlDestroyAtomTable:			; CODE XREF: RtlDereferenceAtomTable(x)+3p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+8]
		or	eax, 0FFFFFFFFh
		lock xadd [ebx+4], eax
		jz	short loc_7E5F6C

loc_7E5F65:				; CODE XREF: PAGE:007E600Bj
		xor	eax, eax

loc_7E5F67:				; CODE XREF: PAGE:0090DDA5j
		pop	ebx
		leave
		retn	4
; 

loc_7E5F6C:				; CODE XREF: PAGE:007E5F63j
		mov	ecx, ebx
		call	_RtlpLockAtomTable@4 ; RtlpLockAtomTable(x)
		test	al, al
		jz	loc_90DDA0
		xor	ecx, ecx
		push	esi
		push	edi
		lea	edi, [ebx+18h]
		mov	[ebp-4], ecx
		cmp	[ebx+14h], ecx
		jbe	short loc_7E5FC9

loc_7E5F8A:				; CODE XREF: PAGE:007E5FC7j
		mov	esi, [edi]
		mov	eax, esi
		and	dword ptr [edi], 0
		lea	edi, [edi+4]
		mov	[ebp+8], eax
		test	esi, esi
		jz	short loc_7E5FC0

loc_7E5F9B:				; CODE XREF: PAGE:007E5FBBj
		mov	esi, [esi]
		and	dword ptr [eax], 0
		add	eax, 8
		mov	[ebp-8], eax

loc_7E5FA6:				; CODE XREF: PAGE:007E6029j
		mov	ecx, [eax]
		cmp	ecx, eax
		jnz	short loc_7E6010
		mov	ecx, [ebp+8]
		call	_RtlpFreeAtom@4	; RtlpFreeAtom(x)
		mov	[ebp+8], esi
		mov	eax, esi
		test	esi, esi
		jnz	short loc_7E5F9B
		mov	ecx, [ebp-4]

loc_7E5FC0:				; CODE XREF: PAGE:007E5F99j
		inc	ecx
		mov	[ebp-4], ecx
		cmp	ecx, [ebx+14h]
		jb	short loc_7E5F8A

loc_7E5FC9:				; CODE XREF: PAGE:007E5F88j
		and	dword ptr [ebx], 0
		lea	esi, [ebx+8]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7E602E

loc_7E5FDC:				; CODE XREF: PAGE:007E6035j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	esi, [ebx+0Ch]
		mov	ecx, esi
		call	_ExpRemoveHandleTable@4	; ExpRemoveHandleTable(x)
		mov	ecx, esi
		call	ExpFreeHandleTable
		push	7
		pop	ecx
		xor	eax, eax
		mov	edi, ebx
		rep stosd
		mov	ecx, ebx
		call	_RtlpFreeAtom@4	; RtlpFreeAtom(x)
		pop	edi
		pop	esi
		jmp	loc_7E5F65
; 

loc_7E6010:				; CODE XREF: PAGE:007E5FAAj
		cmp	[ecx+4], eax
		jnz	short loc_7E6037
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_7E6037
		mov	[eax], edx
		mov	[edx+4], eax
		call	_RtlpFreeAtom@4	; RtlpFreeAtom(x)
		mov	eax, [ebp-8]
		jmp	loc_7E5FA6
; 

loc_7E602E:				; CODE XREF: PAGE:007E5FDAj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7E5FDC
; 

loc_7E6037:				; CODE XREF: PAGE:007E6013j
					; PAGE:007E601Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1518. NtDeleteAtom

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtDeleteAtom(x)
		public _NtDeleteAtom@4
_NtDeleteAtom@4	proc near		; DATA XREF: .text:005810C0o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		and	[esp+8+var_4], 0
		lea	eax, [esp+8+var_4]
		push	eax
		call	_MmSessionGetWin32Callouts@0 ; MmSessionGetWin32Callouts()
		push	2
		pop	edx
		mov	ecx, eax
		call	_ExCallCallBack@12 ; ExCallCallBack(x,x,x)
		cmp	[esp+8+var_4], 0
		jz	short loc_7E607E
		push	[ebp+arg_0]
		push	[esp+0Ch+var_4]
		call	RtlDeleteAtomFromAtomTable

loc_7E6078:				; CODE XREF: NtDeleteAtom(x)+41j
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7E607E:				; CODE XREF: NtDeleteAtom(x)+28j
		mov	eax, 0C0000022h
		jmp	short loc_7E6078
_NtDeleteAtom@4	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2030. RtlDeleteAtomFromAtomTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlDeleteAtomFromAtomTable
RtlDeleteAtomFromAtomTable proc	near	; CODE XREF: NtDeleteAtom(x)+31p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090DDAA SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	ecx, ebx
		call	_RtlpLockAtomTable@4 ; RtlpLockAtomTable(x)
		test	al, al
		jz	loc_90DDAA
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, 0C000h
		mov	esi, 0C0000008h
		cmp	di, ax
		jb	short loc_7E6119
		mov	edx, edi
		mov	ecx, ebx
		and	edx, 3FFFh
		call	_RtlpAtomMapAtomToHandleEntry@8	; RtlpAtomMapAtomToHandleEntry(x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_7E60F4
		cmp	[eax+6], di
		jnz	short loc_7E60F4
		push	1
		mov	edx, eax
		mov	ecx, ebx
		call	_RtlpLookupLowBox@12 ; RtlpLookupLowBox(x,x,x)
		test	eax, eax
		jz	short loc_7E60F4
		xor	esi, esi
		test	byte ptr [eax+0Eh], 1
		jnz	short loc_7E612B
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		push	ebx
		call	_RtlpDereferenceAtom@12	; RtlpDereferenceAtom(x,x,x)

loc_7E60F4:				; CODE XREF: RtlDeleteAtomFromAtomTable+40j
					; RtlDeleteAtomFromAtomTable+46j ...
		add	ebx, 8
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7E6122

loc_7E6104:				; CODE XREF: RtlDeleteAtomFromAtomTable+9Fj
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi

loc_7E6114:				; CODE XREF: RtlDeleteAtomFromAtomTable+127D25j
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7E6119:				; CODE XREF: RtlDeleteAtomFromAtomTable+2Aj
		test	di, di
		jz	short loc_7E60F4
		xor	esi, esi
		jmp	short loc_7E60F4
; 

loc_7E6122:				; CODE XREF: RtlDeleteAtomFromAtomTable+78j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7E6104
; 

loc_7E612B:				; CODE XREF: RtlDeleteAtomFromAtomTable+5Dj
		mov	esi, 40000019h
		jmp	short loc_7E60F4
RtlDeleteAtomFromAtomTable endp


;  S U B	R O U T	I N E 


; __stdcall RtlpFreeAtom(x)
_RtlpFreeAtom@4	proc near		; CODE XREF: RtlDestroyLowBoxAtoms(x,x)+90p
					; RtlpDereferenceAtom(x,x,x)+4Ep ...
		mov	edi, edi
		push	esi
		lea	esi, [ecx-8]
		mov	edx, [esi+4]
		mov	ecx, [esi]
		push	0
		call	PsReturnSharedPoolQuota
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
_RtlpFreeAtom@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsReturnSharedPoolQuota	proc near	; CODE XREF: .text:00511855p
					; .text:005E769Bp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090DDB4 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		cmp	esi, 1
		jz	short loc_7E617A
		test	edx, edx
		jz	short loc_7E6169
		push	edx
		push	1
		xor	edx, edx
		call	PspReturnQuota

loc_7E6169:				; CODE XREF: PsReturnSharedPoolQuota+Fj
		cmp	[ebp+arg_0], 0
		ja	loc_90DDB4

loc_7E6173:				; CODE XREF: PsReturnSharedPoolQuota+127C74j
		mov	ecx, esi
		call	PspDereferenceQuotaBlock

loc_7E617A:				; CODE XREF: PsReturnSharedPoolQuota+Bj
		pop	esi
		pop	ebp
		retn	4
PsReturnSharedPoolQuota	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall RtlpFreeHandleForAtom(x, x)
_RtlpFreeHandleForAtom@8 proc near	; CODE XREF: RtlpFreeAllAtom(x,x)+50p
					; RtlEmptyAtomTable(x,x)+58p
		mov	edi, edi
		push	ecx
		mov	eax, large fs:124h
		push	esi
		movzx	esi, word ptr [edx+4]
		push	edi
		shl	esi, 2
		mov	edi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [edi+0Ch]
		mov	edx, esi
		call	ExMapHandleToPointer
		test	eax, eax
		jz	short loc_7E61B5
		mov	ecx, [edi+0Ch]
		mov	edx, esi
		push	eax
		call	ExDestroyHandle

loc_7E61B5:				; CODE XREF: RtlpFreeHandleForAtom(x,x)+28j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ecx
		retn
_RtlpFreeHandleForAtom@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspAllocateAndQueryNotificationChannel proc near ; CODE	XREF: PAGE:00757A97p

var_5C		= byte ptr -5Ch
var_5B		= byte ptr -5Bh
var_5A		= byte ptr -5Ah
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090DDC7 SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[esp+60h+var_30], eax
		xor	ebx, ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+68h+var_48], ecx
		lea	edi, [esp+68h+var_20]
		mov	byte ptr [esp+68h+var_40], bl
		stosd
		mov	esi, edx
		mov	[esp+68h+var_34], esi
		mov	[esp+0Fh], bl
		mov	[esp+68h+var_28], ebx
		test	dword ptr [esi+310h], 800h
		stosd
		mov	[esp+68h+var_24], ebx
		mov	[esp+68h+var_38], ebx
		mov	[esp+68h+var_4C], ebx
		stosd
		mov	[esp+68h+var_54], ebx
		mov	[esp+68h+var_44], ebx
		mov	[esp+68h+var_50], ebx
		stosd
		mov	[esp+68h+var_5A], bl
		mov	[esp+68h+var_2C], ebx
		mov	[esp+68h+var_C], ebx
		stosd
		mov	[esp+68h+var_8], ebx
		jz	loc_7E62CF
		lea	eax, [esp+68h+var_54]
		mov	[esp+68h+var_5B], 1
		mov	edx, ecx
		mov	ecx, esi
		push	eax
		call	PspLockRootJobExclusive
		mov	eax, [esp+68h+var_54]
		cmp	esi, eax
		jz	short loc_7E6268
		add	eax, 20h
		push	eax
		call	ExConvertExclusiveToSharedLite
		push	1
		lea	eax, [esi+20h]
		push	eax
		call	ExAcquireResourceExclusiveLite

loc_7E6268:				; CODE XREF: PspAllocateAndQueryNotificationChannel+94j
					; PspAllocateAndQueryNotificationChannel+311j ...
		mov	edi, [esp+68h+var_30]
		add	esi, 1B0h
		cmp	[esp+68h+var_5B], 0
		push	10h
		pop	ecx
		rep movsd
		mov	esi, [esp+68h+var_34]
		jz	short loc_7E6296

loc_7E6282:				; CODE XREF: PspAllocateAndQueryNotificationChannel+CEj
		cmp	esi, [esp+ebx*4+68h+var_54]
		jz	short loc_7E6296
		inc	ebx
		cmp	ebx, 1
		jb	short loc_7E6282
		lea	ecx, [esi+20h]
		call	ExReleaseResourceLite

loc_7E6296:				; CODE XREF: PspAllocateAndQueryNotificationChannel+C2j
					; PspAllocateAndQueryNotificationChannel+C8j
		mov	edx, [esp+68h+var_48]
		mov	ecx, [esp+68h+var_54]
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		cmp	[esp+68h+var_5A], 0
		jnz	loc_90DE0E
		cmp	[esp+68h+var_5B], 0
		jz	loc_7E64D4

loc_7E62B9:				; CODE XREF: PspAllocateAndQueryNotificationChannel+325j
					; PspAllocateAndQueryNotificationChannel+127C5Aj
		xor	eax, eax

loc_7E62BB:				; CODE XREF: PspAllocateAndQueryNotificationChannel+127C4Bj
		mov	ecx, [esp+68h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7E62CF:				; CODE XREF: PspAllocateAndQueryNotificationChannel+75j
		push	ebx
		lea	eax, [esp+6Ch+var_40]
		mov	ecx, esi
		push	eax
		lea	edx, [esp+70h+var_4C]
		call	ObpGetObjectSecurity
		mov	edi, eax
		test	edi, edi
		js	loc_90DE07
		cmp	[esp+68h+var_4C], ebx
		jz	loc_90DDC7
		lea	eax, [esp+2Fh]
		push	eax
		lea	eax, [esp+6Ch+var_38]
		push	eax
		push	[esp+70h+var_4C]
		call	_RtlGetOwnerSecurityDescriptor@12 ; RtlGetOwnerSecurityDescriptor(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_90DDFA
		mov	ecx, [esp+68h+var_48]
		lea	eax, [esp+68h+var_58]
		push	ebx
		push	eax
		lea	eax, [esp+17h]
		push	eax
		lea	edx, [esp+74h+var_44]
		call	PsReferenceEffectiveToken
		lea	ecx, [esp+68h+var_50]
		mov	[esp+68h+var_58], eax
		push	ecx
		push	1
		push	eax
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		cmp	[esp+68h+var_44], 1
		mov	edi, eax
		jnz	loc_90DDCE
		mov	eax, [esp+68h+var_48]
		mov	edx, [esp+68h+var_58]
		mov	ecx, [eax+80h]
		add	ecx, 12Ch
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)

loc_7E6360:				; CODE XREF: PspAllocateAndQueryNotificationChannel+127C16j
					; PspAllocateAndQueryNotificationChannel+127C23j
		test	edi, edi
		js	loc_90DDFA
		mov	eax, [esp+68h+var_50]
		push	66577350h
		mov	eax, [eax]
		movzx	ecx, byte ptr [eax+1]
		mov	eax, [esp+6Ch+var_38]
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		lea	eax, ds:30h[ecx*4]
		push	eax
		push	200h
		mov	[esp+74h+var_44], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+68h+var_58], eax
		test	eax, eax
		jz	loc_90DDF0
		push	2		; int
		push	[esp+6Ch+var_44] ; size_t
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	edi, [esp+68h+var_58]
		mov	ecx, edi
		push	ebx
		push	[esp+6Ch+var_38]
		push	80000000h
		push	ebx
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	eax, [esp+68h+var_50]
		mov	ecx, edi
		push	ebx
		push	dword ptr [eax]
		push	80000000h
		push	ebx
		push	2
		pop	edx
		call	RtlpAddKnownAce
		push	1
		lea	eax, [esp+6Ch+var_20]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	ebx
		push	edi
		push	1
		lea	eax, [esp+74h+var_20]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		lea	eax, [esp+68h+var_20]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	4
		push	3
		lea	eax, [esp+80h+var_C]
		push	eax
		call	_ZwCreateWnfStateName@28 ; ZwCreateWnfStateName(x,x,x,x,x,x,x)
		push	66577350h
		push	[esp+6Ch+var_58]
		mov	edi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		js	loc_90DDF0
		mov	edx, [esp+68h+var_48]
		lea	eax, [esp+68h+var_54]
		push	eax
		mov	ecx, esi
		mov	[esp+6Ch+var_5B], bl
		call	PspLockRootJobExclusive
		lea	edi, [esi+310h]
		test	dword ptr [edi], 800h
		jnz	loc_90DDE6
		mov	eax, [esp+68h+var_C]
		lea	edx, [esp+68h+var_28]
		mov	[esi+1B0h], eax
		mov	ecx, esi
		mov	eax, [esp+68h+var_8]
		mov	[esi+1B4h], eax
		lea	eax, [esp+68h+var_28]
		mov	[esp+68h+var_2C], eax
		lea	eax, [esi+1F8h]
		push	ebx
		push	eax
		call	_PspComputeReportWakeFilter@16 ; PspComputeReportWakeFilter(x,x,x,x)
		push	2
		push	ebx
		push	offset PspEnableProcessWakeCounters
		push	offset PspEnableWakeCounters
		xor	edx, edx
		call	PspEnumJobsAndProcessesInJobHierarchy
		lock bts dword ptr [edi], 0Bh

loc_7E6495:				; CODE XREF: PspAllocateAndQueryNotificationChannel+305j
					; PspAllocateAndQueryNotificationChannel+309j
		mov	esi, _PspJobTimeLimitsRequest
		mov	ebx, esi
		mov	edi, dword_6BEE44
		add	ebx, 1
		mov	ecx, edi
		mov	[esp+68h+var_40], edi
		mov	edx, edi
		adc	ecx, 0
		mov	eax, esi
		mov	edi, offset _PspJobTimeLimitsRequest
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [esp+68h+var_40]
		cmp	eax, esi
		jnz	short loc_7E6495
		cmp	edx, edi
		jnz	short loc_7E6495
		mov	esi, [esp+68h+var_34]
		xor	ebx, ebx
		jmp	loc_7E6268
; 

loc_7E64D4:				; CODE XREF: PspAllocateAndQueryNotificationChannel+F5j
		push	[esp+68h+var_30]
		mov	edx, [esp+6Ch+var_2C]
		mov	ecx, esi
		call	_PspDispatchWakeNotification@12	; PspDispatchWakeNotification(x,x,x)
		jmp	loc_7E62B9
PspAllocateAndQueryNotificationChannel endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspLockRootJobExclusive	proc near	; CODE XREF: .text:005117AAp
					; .text:005E7627p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090DE1D SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	short loc_7E64FE
		dec	word ptr [edx+13Eh]
		nop

loc_7E64FE:				; CODE XREF: PspLockRootJobExclusive+Cj
					; PspLockRootJobExclusive+12793Dj
		mov	eax, [esi+248h]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+var_4]
		push	1
		add	eax, 20h
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	eax, [esi+248h]
		cmp	[ebp+var_4], eax
		mov	ecx, [ebp+var_4]
		jnz	loc_90DE1D
		mov	eax, [ebp+arg_0]
		pop	esi
		mov	[eax], ecx
		leave
		retn	4
PspLockRootJobExclusive	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspFreezeJobTree proc near		; CODE XREF: sub_759647-198p
					; PspFreezeJobTree+127924p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_53		= byte ptr -53h
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090DE2A SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+88h+var_58]
		stosd
		mov	esi, ecx
		push	40h		; size_t
		mov	ebx, edx
		mov	[esp+8Ch+var_68], esi
		stosd
		stosd
		stosd
		xor	eax, eax
		push	eax		; int
		mov	[esp+90h+var_5C], eax
		mov	[esp+90h+var_70], eax
		mov	[esp+90h+var_6C], eax
		lea	eax, [esp+90h+var_48]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+88h+var_60], ebx
		lea	eax, [esi+20h]
		xor	edi, edi
		and	[esp+88h+var_78], edi
		mov	[esp+88h+var_64], edi
		push	1
		push	eax
		mov	[esp+90h+var_74], eax
		call	ExAcquireResourceExclusiveLite
		mov	eax, [ebx]
		test	al, 1
		jnz	loc_7E6680

loc_7E65A2:				; CODE XREF: PspFreezeJobTree+162j
					; PspFreezeJobTree+1D6j
		test	al, 4
		jnz	loc_7E66D4

loc_7E65AA:				; CODE XREF: PspFreezeJobTree+1B6j
					; PspFreezeJobTree+1EAj
		lea	ecx, [esi+310h]
		mov	[esp+88h+var_74], ecx
		test	al, 2
		jz	short loc_7E65F9
		test	dword ptr [ecx], 800h
		jz	short loc_7E65E5
		push	1
		lea	eax, [ebx+8]
		mov	ecx, esi
		push	eax
		lea	edx, [esp+90h+var_70]
		call	_PspComputeReportWakeFilter@16 ; PspComputeReportWakeFilter(x,x,x,x)
		mov	eax, [esp+88h+var_6C]
		or	eax, [esp+88h+var_70]
		jnz	loc_7E66B4
		lea	ecx, [esi+310h]

loc_7E65E5:				; CODE XREF: PspFreezeJobTree+8Cj
					; PspFreezeJobTree+19Dj
		mov	eax, [ebx+8]
		mov	[esi+1F8h], eax
		mov	eax, [ebx+0Ch]
		mov	[esi+1FCh], eax
		mov	eax, [ebx]

loc_7E65F9:				; CODE XREF: PspFreezeJobTree+84j
		test	al, 1
		jnz	loc_7E669F

loc_7E6601:				; CODE XREF: PspFreezeJobTree+17Dj
		test	al, 4
		jnz	loc_7E66F3

loc_7E6609:				; CODE XREF: PspFreezeJobTree+1CFj
		test	edi, edi
		jnz	short loc_7E6642

loc_7E660D:				; CODE XREF: PspFreezeJobTree+129j
		lea	ecx, [esi+20h]
		call	ExReleaseResourceLite
		test	edi, edi
		jnz	short loc_7E665D

loc_7E6619:				; CODE XREF: PspFreezeJobTree+147j
					; PspFreezeJobTree+127931j
		lea	eax, [esp+88h+var_48]
		mov	ecx, esi
		push	eax
		lea	edx, [esp+8Ch+var_70]
		call	_PspDispatchWakeNotification@12	; PspDispatchWakeNotification(x,x,x)

loc_7E6629:				; CODE XREF: PspFreezeJobTree+127909j
		mov	ecx, [esp+88h+var_4]
		mov	eax, [esp+88h+var_78]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7E6642:				; CODE XREF: PspFreezeJobTree+D9j
		push	edi
		lea	eax, [esp+8Ch+var_60]
		mov	edx, offset _PspSetJobFreezeCountCallback@8 ; PspSetJobFreezeCountCallback(x,x)
		push	eax
		push	offset PspSetProcessFreezeStateCallback
		push	0
		mov	ecx, esi
		call	PspEnumJobsAndProcessesInJobHierarchy
		jmp	short loc_7E660D
; 

loc_7E665D:				; CODE XREF: PspFreezeJobTree+E5j
		push	0
		lea	eax, [esp+8Ch+var_78]
		xor	edx, edx
		push	eax
		push	0
		push	offset _PspExecuteJobFreezeThawCallback@8 ; PspExecuteJobFreezeThawCallback(x,x)
		mov	ecx, esi
		call	PspEnumJobsAndProcessesInJobHierarchy
		cmp	[esp+88h+var_78], 0
		jge	short loc_7E6619
		jmp	loc_90DE40
; 

loc_7E6680:				; CODE XREF: PspFreezeJobTree+6Aj
		mov	ecx, [esi+310h]
		and	ecx, 200h
		cmp	byte ptr [ebx+4], 0
		jz	short loc_7E6706
		test	ecx, ecx
		jz	loc_7E65A2
		jmp	loc_90DE2A
; 

loc_7E669F:				; CODE XREF: PspFreezeJobTree+C9j
		cmp	byte ptr [ebx+4], 0
		jz	short loc_7E6713
		lock bts dword ptr [ecx], 9

loc_7E66AA:				; CODE XREF: PspFreezeJobTree+1E6j
		mov	eax, [ebx]
		push	5
		pop	edi
		jmp	loc_7E6601
; 

loc_7E66B4:				; CODE XREF: PspFreezeJobTree+A7j
		push	10h
		add	esi, 1B0h
		lea	edi, [esp+8Ch+var_48]
		pop	ecx
		rep movsd
		mov	esi, [esp+88h+var_68]
		mov	ecx, [esp+88h+var_74]
		mov	edi, [esp+88h+var_64]
		jmp	loc_7E65E5
; 

loc_7E66D4:				; CODE XREF: PspFreezeJobTree+72j
		mov	ecx, [esi+310h]
		and	ecx, 80000h
		cmp	byte ptr [ebx+5], 0
		jz	short loc_7E671A
		test	ecx, ecx
		jz	loc_7E65AA
		jmp	loc_90DE2A
; 

loc_7E66F3:				; CODE XREF: PspFreezeJobTree+D1j
		cmp	byte ptr [ebx+5], 0
		jz	short loc_7E6727
		lock bts dword ptr [ecx], 13h

loc_7E66FE:				; CODE XREF: PspFreezeJobTree+1FAj
		push	5
		pop	edi
		jmp	loc_7E6609
; 

loc_7E6706:				; CODE XREF: PspFreezeJobTree+15Ej
		test	ecx, ecx
		jnz	loc_7E65A2
		jmp	loc_90DE2A
; 

loc_7E6713:				; CODE XREF: PspFreezeJobTree+171j
		lock btr dword ptr [ecx], 9
		jmp	short loc_7E66AA
; 

loc_7E671A:				; CODE XREF: PspFreezeJobTree+1B2j
		test	ecx, ecx
		jnz	loc_7E65AA
		jmp	loc_90DE2A
; 

loc_7E6727:				; CODE XREF: PspFreezeJobTree+1C5j
		lock btr dword ptr [ecx], 13h
		jmp	short loc_7E66FE
PspFreezeJobTree endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspDispatchWakeNotification(x, x, x)
_PspDispatchWakeNotification@12	proc near
					; CODE XREF: PspAllocateAndQueryNotificationChannel+320p
					; PspFreezeJobTree+F2p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		mov	eax, [ebx+4]
		or	eax, [ebx]
		jnz	short loc_7E6746

loc_7E6741:				; CODE XREF: PspDispatchWakeNotification(x,x,x)+52j
		pop	ebx
		leave
		retn	4
; 

loc_7E6746:				; CODE XREF: PspDispatchWakeNotification(x,x,x)+11j
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		add	edi, 8

loc_7E6750:				; CODE XREF: PspDispatchWakeNotification(x,x,x)+4Ej
		mov	eax, [edi+4]
		xor	ecx, ecx
		mov	edx, [edi]
		mov	[ebp+arg_0], eax
		mov	eax, edx
		or	eax, [ebp+arg_0]
		jnz	short loc_7E6782

loc_7E6761:				; CODE XREF: PspDispatchWakeNotification(x,x,x)+57j
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_4]
		push	edx
		push	ebx
		mov	edx, esi
		call	PspSendWakeNotification
		test	al, al
		jnz	short loc_7E677E
		inc	esi
		add	edi, 8
		cmp	esi, 7
		jb	short loc_7E6750

loc_7E677E:				; CODE XREF: PspDispatchWakeNotification(x,x,x)+45j
		pop	edi
		pop	esi
		jmp	short loc_7E6741
; 

loc_7E6782:				; CODE XREF: PspDispatchWakeNotification(x,x,x)+31j
		push	3
		pop	ecx
		jmp	short loc_7E6761
_PspDispatchWakeNotification@12	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSendWakeNotification	proc near	; CODE XREF: PspChargeJobWakeCounter+172p
					; PspDispatchWakeNotification(x,x,x)+3Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0090DE68 SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, edx
		and	eax, 2
		xor	edx, edx
		mov	[ebp+var_8], ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], eax
		mov	ecx, ebx
		inc	edx
		mov	ebx, [ebp+arg_4]
		shl	edx, cl
		mov	ecx, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_8]
		test	[ecx+4], edx
		jnz	short loc_7E67C4

loc_7E67B7:				; CODE XREF: PspSendWakeNotification+45j
		test	[ecx], edx
		jnz	short loc_7E67CF

loc_7E67BB:				; CODE XREF: PspSendWakeNotification+49j
					; PspSendWakeNotification+1276E7j ...
		xor	al, al

loc_7E67BD:				; CODE XREF: PspSendWakeNotification+8Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7E67C4:				; CODE XREF: PspSendWakeNotification+2Dj
		mov	eax, ebx
		or	eax, edi
		jz	short loc_7E67E4
		mov	eax, [ebp+var_4]
		jmp	short loc_7E67B7
; 

loc_7E67CF:				; CODE XREF: PspSendWakeNotification+31j
		test	eax, eax
		jz	short loc_7E67BB
		cmp	ebx, 1
		jnz	loc_90DE68
		test	edi, edi
		jnz	loc_90DE68

loc_7E67E4:				; CODE XREF: PspSendWakeNotification+40j
					; PspSendWakeNotification+1276F7j
		mov	edx, 6F4E7350h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		test	ds:dword_70EFD0, 400h
		jnz	loc_90DE84

loc_7E6800:				; CODE XREF: PspSendWakeNotification+127700j
					; PspSendWakeNotification+127709j ...
		mov	edx, 2000h
		mov	ecx, esi
		call	_PspRequestDeferredJobNotification@8 ; PspRequestDeferredJobNotification(x,x)
		test	al, al
		jz	short loc_7E6814

loc_7E6810:				; CODE XREF: PspSendWakeNotification+98j
		mov	al, 1
		jmp	short loc_7E67BD
; 

loc_7E6814:				; CODE XREF: PspSendWakeNotification+86j
		mov	edx, 6F4E7350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	short loc_7E6810
PspSendWakeNotification	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspComputeReportWakeFilter(x, x, x,	x)
_PspComputeReportWakeFilter@16 proc near
					; CODE XREF: PspAllocateAndQueryNotificationChannel+2B9p
					; PspFreezeJobTree+9Ap

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi]
		mov	[edx], eax
		mov	eax, [esi+4]
		mov	[edx+4], eax
		jz	short loc_7E686B
		mov	eax, [ecx+1F8h]
		not	eax
		and	[edx], eax
		mov	eax, [ecx+1FCh]
		not	eax
		and	[edx+4], eax
		mov	esi, [edx+4]

loc_7E6853:				; CODE XREF: PspComputeReportWakeFilter(x,x,x,x)+4Bj
		mov	eax, [ecx+200h]
		and	eax, esi
		mov	[edx+4], eax
		not	eax
		and	[ecx+200h], eax
		pop	esi
		pop	ebp
		retn	8
; 

loc_7E686B:				; CODE XREF: PspComputeReportWakeFilter(x,x,x,x)+17j
		mov	esi, eax
		jmp	short loc_7E6853
_PspComputeReportWakeFilter@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2134. RtlGetOwnerSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetOwnerSecurityDescriptor(x, x,	x)
		public _RtlGetOwnerSecurityDescriptor@12
_RtlGetOwnerSecurityDescriptor@12 proc near ; CODE XREF: CmpCheckKeyOwnerForPca(x,x)+27p
					; PspAllocateAndQueryNotificationChannel+144p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		cmp	byte ptr [ecx],	1
		jnz	short loc_7E68AA
		cmp	word ptr [ecx+2], 0
		mov	edx, [ecx+4]
		jge	short loc_7E6894
		lea	eax, [edx+ecx]
		neg	edx
		sbb	edx, edx
		and	edx, eax

loc_7E6894:				; CODE XREF: RtlGetOwnerSecurityDescriptor(x,x,x)+15j
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		mov	eax, [ebp+arg_8]
		mov	cl, [ecx+2]
		and	cl, 1
		mov	[eax], cl
		xor	eax, eax

loc_7E68A6:				; CODE XREF: RtlGetOwnerSecurityDescriptor(x,x,x)+3Bj
		pop	ebp
		retn	0Ch
; 

loc_7E68AA:				; CODE XREF: RtlGetOwnerSecurityDescriptor(x,x,x)+Bj
		mov	eax, 0C0000058h
		jmp	short loc_7E68A6
_RtlGetOwnerSecurityDescriptor@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


PspRemoveCpuRateControl	proc near	; CODE XREF: .text:005117C5p

; FUNCTION CHUNK AT 0090DEAE SIZE 0000002D BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	0FFFFFFDFh
		pop	ecx
		mov	eax, [esi+21Ch]
		and	dword ptr [eax+18h], 0
		lea	eax, [esi+310h]
		lock and [eax],	ecx
		mov	ecx, [esi+21Ch]
		add	ecx, 40h
		call	KeRemoveSchedulingGroup
		mov	ecx, [esi+21Ch]
		push	2
		pop	edx
		call	_PspFreeRateControl@8 ;	PspFreeRateControl(x,x)
		and	dword ptr [esi+21Ch], 0
		cmp	ds:_PsCpuFairShareEnabled, 0
		jnz	loc_90DEAE

loc_7E68FD:				; CODE XREF: PspRemoveCpuRateControl+127602j
					; PspRemoveCpuRateControl+127610j
		pop	esi
		retn
PspRemoveCpuRateControl	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PspUnlockJobConditionally(x, x, x)
_PspUnlockJobConditionally@12 proc near	; CODE XREF: .text:005117DFp
					; .text:005E764Ep ...
		xor	eax, eax

loc_7E6902:				; CODE XREF: PspUnlockJobConditionally(x,x,x)+Bj
		cmp	ecx, [edx+eax*4]
		jz	short locret_7E6915
		inc	eax
		cmp	eax, 1
		jb	short loc_7E6902
		add	ecx, 20h
		call	ExReleaseResourceLite

locret_7E6915:				; CODE XREF: PspUnlockJobConditionally(x,x,x)+5j
		retn	4
_PspUnlockJobConditionally@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetJobIoAttribution proc near	; CODE XREF: PspSetJobIoRateControl+69p
					; PspSetJobIoRateControl+111p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090DEDB SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_2], dl
		lea	edi, [ebp+var_10]
		xor	ebx, ebx
		stosd
		mov	esi, ecx
		mov	[ebp+var_1], bl
		stosd
		stosd
		test	dl, dl
		jz	loc_7E69DB
		push	ebx
		call	_PspIsSetJobIoAttribution@12 ; PspIsSetJobIoAttribution(x,x,x)
		test	al, al
		jnz	loc_90DEDB
		mov	eax, [ebp+arg_4]
		cmp	[ebp+arg_0], bl
		jz	short loc_7E6976
		mov	ecx, [esi+320h]
		lea	edx, [ecx+eax]
		cmp	edx, ecx
		jb	loc_90DEE7
		test	ecx, ecx
		jnz	loc_7E6A3A
		mov	[esi+320h], eax
		mov	[ebp+var_1], 1

loc_7E6976:				; CODE XREF: PspSetJobIoAttribution+39j
		mov	ecx, [esi+324h]
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_90DEF3
		test	ecx, ecx
		jnz	loc_7E6A48
		xor	edx, edx
		mov	ecx, esi
		call	IoDiskIoAttributionAllocate
		mov	edi, eax
		test	edi, edi
		jz	loc_90DEFC
		mov	ecx, edi
		call	_IoStartDiskIoAttributionForContext@4 ;	IoStartDiskIoAttributionForContext(x)
		push	5
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], edi
		push	eax
		push	offset _PspSetJobIoAttributionProcessCallback@8	; PspSetJobIoAttributionProcessCallback(x,x)
		push	ebx
		mov	edx, offset PspSetJobIoAttributionJobPreCallback
		mov	[ebp+var_8], 1
		mov	ecx, esi
		mov	[ebp+var_C], esi
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	eax, [ebp+arg_4]
		mov	[esi+324h], eax
		mov	[esi+328h], edi
		jmp	short loc_7E6A1B
; 

loc_7E69DB:				; CODE XREF: PspSetJobIoAttribution+1Fj
		mov	eax, [ebp+arg_4]
		cmp	[ebp+arg_0], bl
		jz	short loc_7E69F7
		mov	ecx, [esi+320h]
		cmp	ecx, eax
		jb	short loc_7E6A56
		sub	ecx, eax
		mov	[esi+320h], ecx
		jnz	short loc_7E6A40

loc_7E69F7:				; CODE XREF: PspSetJobIoAttribution+C9j
		mov	ecx, [esi+324h]
		mov	edi, [esi+328h]
		cmp	ecx, eax
		ja	loc_90DF0E
		mov	ecx, esi
		call	_PspRemoveIoAttribution@4 ; PspRemoveIoAttribution(x)
		mov	[esi+324h], ebx

loc_7E6A18:				; CODE XREF: PspSetJobIoAttribution+13Cj
					; PspSetJobIoAttribution+1275FEj
		mov	eax, [ebp+arg_4]

loc_7E6A1B:				; CODE XREF: PspSetJobIoAttribution+C1j
					; PspSetJobIoAttribution+12Ej
		mov	cl, bl

loc_7E6A1D:				; CODE XREF: PspSetJobIoAttribution+1275F1j
		test	cl, cl
		jnz	short loc_7E6A5F

loc_7E6A21:				; CODE XREF: PspSetJobIoAttribution+145j
					; PspSetJobIoAttribution+14Dj ...
		mov	dl, [ebp+var_2]
		mov	ecx, [esi+2D4h]
		push	ebx
		push	edi
		call	EtwTracePsIoAttribution
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_7E6A3A:				; CODE XREF: PspSetJobIoAttribution+4Ej
		mov	[esi+320h], edx

loc_7E6A40:				; CODE XREF: PspSetJobIoAttribution+DDj
		mov	edi, [esi+328h]
		jmp	short loc_7E6A1B
; 

loc_7E6A48:				; CODE XREF: PspSetJobIoAttribution+70j
		mov	edi, [esi+328h]
		mov	[esi+324h], eax
		jmp	short loc_7E6A18
; 

loc_7E6A56:				; CODE XREF: PspSetJobIoAttribution+D3j
		mov	edi, ebx
		mov	ebx, 0C000000Dh
		jmp	short loc_7E6A21
; 

loc_7E6A5F:				; CODE XREF: PspSetJobIoAttribution+107j
		sub	[esi+320h], eax
		jmp	short loc_7E6A21
PspSetJobIoAttribution endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTracePsIoAttribution	proc near	; CODE XREF: PspSetJobIoAttribution+114p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090DF1B SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	[ebp+var_38], ecx
		push	ebx
		push	esi
		mov	esi, offset _PsDiskIoAttributionStart
		push	edi
		test	dl, dl
		jz	short loc_7E6AB6

loc_7E6A89:				; CODE XREF: EtwTracePsIoAttribution+53j
		mov	edi, dword_6BC18C
		mov	ebx, _EtwpPsProvRegHandle
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_90DF1B

loc_7E6AA5:				; CODE XREF: EtwTracePsIoAttribution+1274F4j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_7E6AB6:				; CODE XREF: EtwTracePsIoAttribution+1Fj
		mov	esi, offset _PsDiskIoAttributionStop
		jmp	short loc_7E6A89
EtwTracePsIoAttribution	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspIsSetJobIoAttribution(x,	x, x)
_PspIsSetJobIoAttribution@12 proc near	; CODE XREF: PspSetJobIoAttribution+26p
					; PspValidateJobAssignmentDiskIoAttribution+32p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+244h]
		push	ebx
		xor	ebx, ebx

loc_7E6ACC:				; CODE XREF: PspIsSetJobIoAttribution(x,x,x)+3Fj
		test	eax, eax
		jnz	short loc_7E6AEF
		cmp	[ebp+arg_0], bl
		jnz	short loc_7E6AE8
		push	5
		push	ecx
		push	ebx
		push	ebx
		mov	edx, offset _PspIsSetJobIoAttributionJobPreCallback@8 ;	PspIsSetJobIoAttributionJobPreCallback(x,x)
		call	PspEnumJobsAndProcessesInJobHierarchy
		test	eax, eax
		js	short loc_7E6AFF

loc_7E6AE8:				; CODE XREF: PspIsSetJobIoAttribution(x,x,x)+15j
					; PspIsSetJobIoAttribution(x,x,x)+43j
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7E6AEF:				; CODE XREF: PspIsSetJobIoAttribution(x,x,x)+10j
		cmp	[eax+324h], ebx
		jnz	short loc_7E6AFF
		mov	eax, [eax+244h]
		jmp	short loc_7E6ACC
; 

loc_7E6AFF:				; CODE XREF: PspIsSetJobIoAttribution(x,x,x)+28j
					; PspIsSetJobIoAttribution(x,x,x)+37j
		mov	bl, 1
		jmp	short loc_7E6AE8
_PspIsSetJobIoAttribution@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoDiskIoAttributionAllocate proc near	; CODE XREF: PspSetJobIoAttribution+7Ap
					; PspIoRateEntryActivate+18CDB8p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090DF61 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	41446F49h
		mov	ebx, 98h
		mov	[ebp+var_4], ecx
		push	ebx
		push	200h
		mov	edi, edx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7E6B7C
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		xor	ecx, ecx
		add	esp, 0Ch
		inc	ecx
		or	dword ptr [esi+8], 0FFFFFFFFh
		mov	[esi+10h], ecx

loc_7E6B43:				; CODE XREF: IoDiskIoAttributionAllocate+4Dj
		mov	eax, ecx
		lock xadd _IopDiskIoAttributionKey, eax
		inc	eax
		mov	[esi+0Ch], eax
		jz	short loc_7E6B43
		lea	ebx, [esi+8Ch]
		mov	ecx, ebx
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_7E6B80
		mov	[esi+88h], eax

loc_7E6B6D:				; CODE XREF: IoDiskIoAttributionAllocate+83j
		test	edi, edi
		jnz	loc_90DF61

loc_7E6B75:				; CODE XREF: IoDiskIoAttributionAllocate+12746Aj
		mov	eax, esi

loc_7E6B77:				; CODE XREF: IoDiskIoAttributionAllocate+7Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7E6B7C:				; CODE XREF: IoDiskIoAttributionAllocate+27j
		xor	eax, eax
		jmp	short loc_7E6B77
; 

loc_7E6B80:				; CODE XREF: IoDiskIoAttributionAllocate+61j
		mov	ecx, ebx
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		jmp	short loc_7E6B6D
IoDiskIoAttributionAllocate endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspRemoveIoAttribution(x)
_PspRemoveIoAttribution@4 proc near	; CODE XREF: .text:005E7642p
					; PspSetJobIoAttribution+F5p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, ecx
		push	edi
		cmp	dword ptr [esi+324h], 0
		jz	short loc_7E6BE6
		mov	ecx, [esi+328h]
		call	_IoStopDiskIoAttributionForContext@4 ; IoStopDiskIoAttributionForContext(x)
		mov	ecx, [esi+328h]
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		and	dword ptr [esi+328h], 0
		mov	ecx, esi

loc_7E6BBE:				; CODE XREF: PspRemoveIoAttribution(x)+5Ej
		xor	eax, eax
		lea	edi, [ebp+var_C]
		stosd
		mov	edx, offset PspSetJobIoAttributionJobPreCallback
		push	5
		stosd
		stosd
		lea	eax, [ebp+var_C]
		push	eax
		push	offset _PspSetJobIoAttributionProcessCallback@8	; PspSetJobIoAttributionProcessCallback(x,x)
		mov	[ebp+var_8], ecx
		mov	ecx, esi
		push	0
		call	PspEnumJobsAndProcessesInJobHierarchy
		pop	edi
		pop	esi
		leave
		retn
; 

loc_7E6BE6:				; CODE XREF: PspRemoveIoAttribution(x)+13j
		xor	ecx, ecx
		jmp	short loc_7E6BBE
_PspRemoveIoAttribution@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspQueryJobIoAttribution proc near	; CODE XREF: PAGE:00757AC6p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 0090DF73 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		push	8
		mov	ebx, edx
		lea	edi, [esp+54h+var_40]
		mov	edx, ecx
		xor	eax, eax
		pop	ecx
		rep stosd
		push	8
		xor	esi, esi
		mov	[esp+54h+var_44], edx
		lea	edi, [esp+54h+var_20]
		pop	ecx
		rep stosd
		cmp	[edx+320h], esi
		jz	loc_90DF73
		mov	ecx, [esp+50h+var_44]
		lea	eax, [esp+50h+var_20]
		push	eax
		lea	edx, [esp+54h+var_40]
		mov	ecx, [ecx+328h]
		call	IoDiskIoAttributionQuery
		mov	eax, [esp+50h+var_28]
		mov	ecx, [esp+50h+var_14]
		mov	[ebx+8], eax
		mov	eax, [esp+50h+var_40]
		mov	[ebx+10h], eax
		mov	eax, [esp+50h+var_3C]
		mov	[ebx+14h], eax
		mov	eax, [esp+50h+var_38]
		mov	[ebx+18h], eax
		mov	eax, [esp+50h+var_34]
		mov	[ebx+1Ch], eax
		mov	eax, [esp+50h+var_30]
		mov	[ebx+20h], eax
		mov	eax, [esp+50h+var_2C]
		mov	[ebx+24h], eax
		mov	eax, [esp+50h+var_8]
		mov	[ebx+28h], eax
		mov	eax, [esp+50h+var_20]
		mov	[ebx+30h], eax
		mov	eax, [esp+50h+var_1C]
		mov	[ebx+3Ch], ecx
		mov	ecx, [esp+50h+var_10]
		mov	[ebx+34h], eax
		mov	eax, [esp+50h+var_18]
		mov	[ebx+40h], ecx
		mov	ecx, [esp+50h+var_C]
		mov	[ebx+38h], eax
		mov	[ebx+44h], ecx

loc_7E6C9C:				; CODE XREF: PspQueryJobIoAttribution+12738Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
PspQueryJobIoAttribution endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAdjustGroupsToken proc near		; DATA XREF: .text:00581278o

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= byte ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= dword	ptr -19h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0090DF7D SIZE 00000033 BYTES
; FUNCTION CHUNK AT 0090DFD0 SIZE 0000000B BYTES
; FUNCTION CHUNK AT 0090DFF1 SIZE 00000032 BYTES
; FUNCTION CHUNK AT 0090E076 SIZE 0000008C BYTES

		push	58h
		push	offset dword_6A4DB8
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_28], ecx
		mov	byte ptr [ebp+var_19], cl
		mov	[ebp+var_58], ecx
		mov	ebx, [ebp+arg_8]
		cmp	[ebp+arg_4], cl
		jnz	short loc_7E6CD9
		test	ebx, ebx
		jz	loc_90DF7D

loc_7E6CD9:				; CODE XREF: NtAdjustGroupsToken+29j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_8+3],	al
		mov	[ebp+var_30], al
		test	al, al
		jz	loc_90DFD0
		mov	[ebp-4], ecx
		cmp	[ebp+arg_4], 0
		jnz	short loc_7E6D18
		mov	eax, ebx
		test	bl, 3
		jnz	loc_7E6E76
		mov	ecx, ds:_MmUserProbeAddress
		cmp	ebx, ecx
		jnb	loc_90DF87

loc_7E6D15:				; CODE XREF: NtAdjustGroupsToken+1272E3j
		nop
		mov	al, [eax]

loc_7E6D18:				; CODE XREF: NtAdjustGroupsToken+54j
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jnz	loc_90DF8E

loc_7E6D23:				; CODE XREF: NtAdjustGroupsToken+127305j
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		xor	ecx, ecx

loc_7E6D2B:				; CODE XREF: NtAdjustGroupsToken+127330j
		cmp	[ebp+arg_4], 0
		jnz	short loc_7E6D5F
		mov	dword ptr [ebp-4], 1
		mov	edx, [ebx]	; int
		mov	[ebp+var_34], edx
		lea	eax, [ebp+var_3C]
		push	eax		; int
		lea	eax, [ebp+var_20]
		push	eax		; int
		push	ecx		; int
		push	ecx		; int
		push	ecx		; int
		push	ecx		; void *
		push	dword ptr [ebp+var_30] ; char
		lea	ecx, [ebx+4]	; void *
		call	SeCaptureSidAndAttributesArray
		test	eax, eax
		js	loc_7E6E7B
		mov	[ebp-4], edi

loc_7E6D5F:				; CODE XREF: NtAdjustGroupsToken+89j
		mov	eax, ds:_SeTokenObjectType
		xor	ebx, ebx
		mov	[ebp+var_2C], ebx
		push	ebx
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	dword ptr [ebp+var_30]
		push	eax
		xor	eax, eax
		test	esi, esi
		setnz	al
		lea	eax, ds:40h[eax*8]
		push	eax
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_90DFF1
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	edi, [ebp+var_2C]
		push	1
		push	dword ptr [edi+30h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp+var_44], ebx
		xor	ecx, ecx
		lea	eax, [ebp+var_44]
		lock or	[eax], ecx
		lea	eax, [ebp+var_19]
		push	eax		; int
		lea	eax, [ebp+var_28]
		push	eax		; int
		lea	eax, [ebp+var_24]
		push	eax		; int
		push	ebx		; void *
		push	esi		; int
		mov	ebx, [ebp+var_20]
		push	ebx		; int
		push	[ebp+var_34]	; int
		push	dword ptr [ebp+arg_4] ;	char
		xor	dl, dl
		mov	ecx, edi
		call	SepAdjustGroups
		mov	edx, eax
		mov	[ebp+arg_10], edx
		test	esi, esi
		jnz	loc_90E008

loc_7E6DDE:				; CODE XREF: NtAdjustGroupsToken+127378j
		test	edx, edx
		js	loc_90E076
		test	esi, esi
		jnz	loc_90E0AD
		mov	eax, [ebp+var_58]

loc_7E6DF1:				; CODE XREF: NtAdjustGroupsToken+127457j
		mov	dword ptr [ebp-4], 3
		lea	ecx, [ebp+var_19]
		push	ecx		; int
		lea	ecx, [ebp+var_28]
		push	ecx		; int
		lea	ecx, [ebp+var_24]
		push	ecx		; int
		push	eax		; void *
		push	esi		; int
		push	ebx		; int
		push	[ebp+var_34]	; int
		push	dword ptr [ebp+arg_4] ;	char
		mov	dl, 1
		mov	ecx, edi
		call	SepAdjustGroups
		mov	[ebp+var_60], eax
		test	esi, esi
		jnz	short loc_7E6E80

loc_7E6E1D:				; CODE XREF: NtAdjustGroupsToken+1DFj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	byte ptr [ebp+var_19], 0
		jz	short loc_7E6E32
		lea	ecx, [edi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)

loc_7E6E32:				; CODE XREF: NtAdjustGroupsToken+182j
		and	[ebp+var_5C], 0
		xor	ecx, ecx
		lea	eax, [ebp+var_5C]
		lock or	[eax], ecx
		mov	ecx, [edi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, edi
		call	ObfDereferenceObject
		test	ebx, ebx
		jz	short loc_7E6E61
		push	ecx
		mov	dl, byte ptr [ebp+arg_8+3]
		mov	ecx, ebx
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_7E6E61:				; CODE XREF: NtAdjustGroupsToken+1AEj
		mov	eax, [ebp+var_60]

loc_7E6E64:				; CODE XREF: NtAdjustGroupsToken+1D8j
					; NtAdjustGroupsToken+1272DCj ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7E6E76:				; CODE XREF: NtAdjustGroupsToken+5Bj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7E6E7B:				; CODE XREF: NtAdjustGroupsToken+B0j
		mov	[ebp-4], edi
		jmp	short loc_7E6E64
; 

loc_7E6E80:				; CODE XREF: NtAdjustGroupsToken+175j
		mov	ecx, [ebp+var_28]
		mov	[esi], ecx
		jmp	short loc_7E6E1D
NtAdjustGroupsToken endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SepAdjustGroups(char,int,int,int,void *,int,int,int)
SepAdjustGroups	proc near		; CODE XREF: NtAdjustGroupsToken+126p
					; NtAdjustGroupsToken+16Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 0090E15D SIZE 000000CB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_18]
		mov	al, dl
		xor	edx, edx
		mov	[ebp+var_1], al
		xor	ebx, ebx
		mov	[ebp+var_24], edx
		inc	ebx
		mov	[ebp+var_C], edx
		mov	[esi], edx
		push	edi
		mov	edi, ebx
		mov	[ebp+var_18], edx
		mov	edx, [ebp+arg_C]
		mov	[ebp+var_8], ecx
		cmp	[ecx+7Ch], ebx
		jbe	short loc_7E6F2B

loc_7E6EB8:				; CODE XREF: SepAdjustGroups+9Ej
		cmp	[ebp+arg_0], 0
		mov	ecx, [ecx+94h]
		mov	edx, [ecx+edi*8]
		mov	eax, [ecx+edi*8+4]
		mov	[ebp+var_14], edx
		mov	[ebp+var_1C], eax
		jnz	loc_7E6F62
		and	[ebp+var_20], 0
		xor	cl, cl
		cmp	[ebp+arg_4], 0
		mov	byte ptr [ebp+arg_18+3], cl
		jbe	short loc_7E6F19
		mov	eax, [ebp+arg_8]
		add	eax, 4
		mov	[ebp+var_10], eax

loc_7E6EED:				; CODE XREF: SepAdjustGroups+8Fj
		test	cl, cl
		jnz	short loc_7E6F19
		push	dword ptr [eax-4]
		push	edx
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_7E6F7A

loc_7E6EFE:				; CODE XREF: SepAdjustGroups+10Ej
					; SepAdjustGroups+176j
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+var_10]
		inc	ecx
		mov	edx, [ebp+var_14]
		add	eax, 8
		cmp	ecx, [ebp+arg_4]
		mov	[ebp+var_20], ecx
		mov	cl, byte ptr [ebp+arg_18+3]
		mov	[ebp+var_10], eax
		jb	short loc_7E6EED

loc_7E6F19:				; CODE XREF: SepAdjustGroups+5Aj
					; SepAdjustGroups+67j ...
		mov	al, [ebp+var_1]

loc_7E6F1C:				; CODE XREF: SepAdjustGroups+127345j
		mov	ecx, [ebp+var_8]
		xor	ebx, ebx
		inc	edi
		inc	ebx
		cmp	edi, [ecx+7Ch]
		jb	short loc_7E6EB8
		mov	edx, [ebp+arg_C]

loc_7E6F2B:				; CODE XREF: SepAdjustGroups+2Ej
		cmp	[ebp+arg_0], 0
		jnz	short loc_7E6F3E
		mov	ecx, [ebp+var_18]
		mov	edi, 106h
		cmp	ecx, [ebp+arg_4]
		jb	short loc_7E6F41

loc_7E6F3E:				; CODE XREF: SepAdjustGroups+A7j
		mov	edi, [ebp+var_24]

loc_7E6F41:				; CODE XREF: SepAdjustGroups+B4j
		cmp	dword ptr [esi], 0
		jbe	short loc_7E6F4A
		test	al, al
		jnz	short loc_7E6F4C

loc_7E6F4A:				; CODE XREF: SepAdjustGroups+BCj
		xor	bl, bl

loc_7E6F4C:				; CODE XREF: SepAdjustGroups+C0j
		mov	eax, [ebp+arg_1C]
		mov	[eax], bl
		test	edx, edx
		jnz	loc_90E213

loc_7E6F59:				; CODE XREF: SepAdjustGroups+12739Bj
		mov	eax, edi

loc_7E6F5B:				; CODE XREF: SepAdjustGroups+12737Cj
					; SepAdjustGroups+127386j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_7E6F62:				; CODE XREF: SepAdjustGroups+47j
		mov	ebx, eax
		and	ebx, 6
		cmp	ebx, 2
		jz	loc_90E15D
		cmp	ebx, 4
		jnz	short loc_7E6F19
		jmp	loc_90E15D
; 

loc_7E6F7A:				; CODE XREF: SepAdjustGroups+74j
		mov	eax, [ebp+var_8]
		inc	[ebp+var_18]
		mov	byte ptr [ebp+arg_18+3], bl
		mov	edx, [eax+94h]
		mov	eax, [ebp+var_10]
		mov	ecx, [edx+edi*8+4]
		mov	eax, [eax]
		xor	eax, ecx
		test	al, 4
		jz	loc_7E6EFE
		test	cl, 1
		jnz	loc_90E209
		test	cl, 10h
		jnz	loc_90E1FF
		mov	eax, [ebp+var_14]
		movzx	eax, byte ptr [eax+1]
		lea	ebx, ds:0Bh[eax*4]
		and	ebx, 0FFFFFFFCh
		add	[ebp+var_C], ebx
		cmp	[ebp+var_1], 0
		jz	short loc_7E6FF9
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jnz	loc_90E1D2

loc_7E6FD3:				; CODE XREF: SepAdjustGroups+127372j
		mov	eax, [edx+edi*8+4]
		mov	ecx, eax
		and	ecx, 4
		not	ecx
		and	ecx, eax
		mov	eax, [ebp+var_8]
		mov	[edx+edi*8+4], ecx
		mov	ecx, [eax+94h]
		mov	eax, [ebp+var_10]
		mov	eax, [eax]
		and	eax, 4
		or	[ecx+edi*8+4], eax

loc_7E6FF9:				; CODE XREF: SepAdjustGroups+13Ej
		inc	dword ptr [esi]
		xor	ebx, ebx
		inc	ebx
		jmp	loc_7E6EFE
SepAdjustGroups	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateTokenEx	proc near		; CODE XREF: NtCreateToken(x,x,x,x,x,x,x,x,x,x,x,x,x)+32p
					; DATA XREF: .text:005810F8o

var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2F		= byte ptr -2Fh
var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h
arg_40		= dword	ptr  48h

; FUNCTION CHUNK AT 0090E228 SIZE 000000C3 BYTES
; FUNCTION CHUNK AT 0090E307 SIZE 000000DF BYTES
; FUNCTION CHUNK AT 0090E4CD SIZE 00000045 BYTES

		push	0DCh
		push	offset dword_6A4DF8
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_AC], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_A4], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_90], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_64], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_C8], eax
		mov	esi, [ebp+arg_1C]
		mov	[ebp+var_68], esi
		mov	esi, [ebp+arg_20]
		mov	[ebp+var_6C], esi
		mov	esi, [ebp+arg_24]
		mov	[ebp+var_84], esi
		mov	esi, [ebp+arg_28]
		mov	[ebp+var_88], esi
		mov	esi, [ebp+arg_2C]
		mov	[ebp+var_80], esi
		mov	esi, [ebp+arg_30]
		mov	[ebp+var_8C], esi
		mov	esi, [ebp+arg_34]
		mov	[ebp+var_70], esi
		mov	eax, [ebp+arg_38]
		mov	[ebp+var_74], eax
		mov	esi, [ebp+arg_3C]
		mov	[ebp+var_78], esi
		mov	eax, [ebp+arg_40]
		mov	[ebp+var_7C], eax
		xor	ebx, ebx
		mov	[ebp+var_D0], ebx
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_2E], bl
		xor	eax, eax
		lea	edi, [ebp+var_EC]
		stosd
		stosd
		stosd
		mov	[ebp+var_C0], ebx
		mov	[ebp+var_BC], ebx
		mov	[ebp+var_B8], ebx
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_D8], ebx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_CC], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_44], ebx
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_94], ebx
		mov	[ebp+var_2F], bl
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_B0], 1
		mov	[ebp+var_98], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_D4], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_2D], al
		mov	byte ptr [ebp+var_38], al
		push	[ebp+var_38]
		push	ds:dword_A94CB4
		push	ds:_SeCreateTokenPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_90E228
		mov	cl, [ebp+var_2D]
		test	cl, cl
		jz	loc_90E307
		mov	[ebp+ms_exc.disabled], ebx
		mov	edx, [ebp+var_AC]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_90E232

loc_7E7163:				; CODE XREF: NtCreateTokenEx+127230j
		mov	eax, [edx]
		mov	[edx], eax
		mov	eax, [ebp+var_64]
		mov	edx, eax
		test	al, 3
		jnz	loc_7E75B8
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_90E239

loc_7E7181:				; CODE XREF: NtCreateTokenEx+127237j
		nop
		mov	al, [edx]
		mov	eax, [ebp+var_68]
		mov	edx, eax
		test	al, 3
		jnz	loc_7E75B8
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_90E240

loc_7E719E:				; CODE XREF: NtCreateTokenEx+12723Ej
		nop
		mov	al, [edx]
		mov	eax, [ebp+var_6C]
		mov	edx, eax
		test	al, 3
		jnz	loc_7E75B8
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_90E247

loc_7E71BB:				; CODE XREF: NtCreateTokenEx+127245j
		nop
		mov	al, [edx]
		mov	eax, [ebp+var_7C]
		mov	edx, eax
		test	al, 3
		jnz	loc_7E75B8
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_90E24E

loc_7E71D8:				; CODE XREF: NtCreateTokenEx+12724Cj
		nop
		mov	al, [edx]
		mov	eax, [ebp+var_70]
		test	eax, eax
		jnz	loc_7E755A

loc_7E71E6:				; CODE XREF: NtCreateTokenEx+569j
		mov	eax, [ebp+var_74]
		mov	edx, eax
		test	al, 3
		jnz	loc_7E75B8
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_90E255

loc_7E7200:				; CODE XREF: NtCreateTokenEx+127253j
		nop
		mov	al, [edx]
		mov	eax, [ebp+var_78]
		test	eax, eax
		jz	short loc_7E7224
		mov	edx, eax
		test	al, 3
		jnz	loc_7E75B8
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_90E25C

loc_7E7221:				; CODE XREF: NtCreateTokenEx+12725Aj
		nop
		mov	al, [edx]

loc_7E7224:				; CODE XREF: NtCreateTokenEx+204j
		mov	eax, [ebp+var_90]
		mov	edx, eax
		test	al, 3
		jnz	loc_7E75B8
		mov	eax, ds:_MmUserProbeAddress
		mov	edi, edx
		cmp	edi, eax
		jnb	loc_90E263

loc_7E7243:				; CODE XREF: NtCreateTokenEx+127261j
		nop
		mov	al, [edx]
		mov	eax, [ebp+var_8C]
		test	eax, eax
		jnz	loc_90E26A

loc_7E7254:				; CODE XREF: NtCreateTokenEx+127282j
		mov	eax, [ebp+var_80]
		test	eax, eax
		jnz	loc_90E28B

loc_7E725F:				; CODE XREF: NtCreateTokenEx+1272A0j
		mov	eax, [ebp+var_88]
		test	eax, eax
		jnz	loc_90E2A9

loc_7E726D:				; CODE XREF: NtCreateTokenEx+1272C1j
		mov	eax, [ebp+var_84]
		test	eax, eax
		jnz	loc_90E2CA

loc_7E727B:				; CODE XREF: NtCreateTokenEx+1272E2j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7E7282:				; CODE XREF: NtCreateTokenEx+127309j
		mov	esi, [ebp+arg_C]
		lea	eax, [esi-1]
		cmp	eax, 1
		ja	loc_90E4CD
		lea	eax, [ebp+var_EC]
		push	eax
		lea	eax, [ebp+var_2E]
		push	eax
		mov	dl, cl
		mov	ecx, [ebp+var_A4]
		call	SeCaptureSecurityQos
		test	eax, eax
		js	loc_7E7548
		cmp	esi, 2
		jz	loc_90E312

loc_7E72BA:				; CODE XREF: NtCreateTokenEx+127312j
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+ms_exc.disabled], ecx
		mov	[ebp+var_34], ebx
		mov	eax, [edi]
		mov	[ebp+var_C0], eax
		mov	eax, [edi+4]
		mov	[ebp+var_BC], eax
		mov	edx, [ebp+var_64]
		mov	eax, [edx]
		mov	[ebp+var_B8], eax
		mov	eax, [edx+4]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_D8]
		push	eax		; int
		lea	eax, [ebp+var_4C]
		push	eax		; int
		push	ecx		; int
		push	ecx		; int
		push	ebx		; int
		push	ebx		; void *
		push	[ebp+var_38]	; char
		mov	edx, ecx	; int
		mov	ecx, [ebp+var_C8] ; void *
		call	SeCaptureSidAndAttributesArray
		mov	ebx, eax
		mov	[ebp+var_34], ebx
		test	ebx, ebx
		js	short loc_7E737C
		mov	eax, [ebp+var_68]
		mov	esi, [eax]
		mov	[ebp+var_A0], esi
		lea	ecx, [ebp+var_48]
		push	ecx		; int
		lea	ecx, [ebp+var_50]
		push	ecx		; int
		push	ecx		; int
		push	ecx		; int
		push	0		; int
		push	0		; void *
		push	[ebp+var_38]	; char
		lea	ecx, [eax+4]	; void *
		mov	edx, esi	; int
		call	SeCaptureSidAndAttributesArray
		mov	ebx, eax
		mov	[ebp+var_34], ebx
		imul	eax, esi, -8
		mov	ecx, [ebp+var_48]
		add	ecx, eax
		mov	[ebp+var_48], ecx
		lea	eax, [ecx+3]
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_48], eax
		test	ebx, ebx
		js	short loc_7E737C
		mov	eax, [ebp+var_6C]
		mov	edx, [eax]
		mov	[ebp+var_9C], edx
		lea	ecx, [ebp+var_CC]
		push	ecx
		lea	ecx, [ebp+var_54]
		push	ecx
		sub	esp, 10h
		push	[ebp+var_38]
		lea	ecx, [eax+4]
		call	SeCaptureLuidAndAttributesArray
		mov	ebx, eax
		mov	[ebp+var_34], ebx

loc_7E737C:				; CODE XREF: NtCreateTokenEx+30Aj
					; NtCreateTokenEx+34Dj
		mov	eax, [ebp+var_70]
		test	eax, eax
		jnz	loc_7E7572

loc_7E7387:				; CODE XREF: NtCreateTokenEx+58Ej
		test	ebx, ebx
		js	short loc_7E73A6
		mov	eax, [ebp+var_74]
		mov	ecx, [eax]
		lea	eax, [ebp+var_40]
		push	eax
		push	1
		sub	esp, 0Ch
		mov	dl, [ebp+var_2D]
		call	SeCaptureSid
		mov	ebx, eax
		mov	[ebp+var_34], ebx

loc_7E73A6:				; CODE XREF: NtCreateTokenEx+385j
					; NtCreateTokenEx+570j
		mov	eax, [ebp+var_78]
		test	eax, eax
		jz	short loc_7E73D7
		test	ebx, ebx
		js	short loc_7E73D7
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_7E73D7
		lea	eax, [ebp+var_D0]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	200h
		push	ecx
		push	ecx
		mov	dl, [ebp+var_2D]
		call	SeCaptureAcl
		mov	ebx, eax
		mov	[ebp+var_34], ebx

loc_7E73D7:				; CODE XREF: NtCreateTokenEx+3A7j
					; NtCreateTokenEx+3ABj	...
		mov	esi, [ebp+var_7C]
		lea	edi, [ebp+var_2C]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebp+var_80]
		xor	esi, esi
		test	eax, eax
		jnz	loc_90E326

loc_7E73EE:				; CODE XREF: NtCreateTokenEx+127324j
					; NtCreateTokenEx+127351j
		mov	eax, [ebp+var_84]
		test	eax, eax
		jnz	loc_90E35A

loc_7E73FC:				; CODE XREF: NtCreateTokenEx+127358j
					; NtCreateTokenEx+12737Aj
		mov	eax, [ebp+var_88]
		test	eax, eax
		jnz	loc_90E383

loc_7E740A:				; CODE XREF: NtCreateTokenEx+127381j
					; NtCreateTokenEx+1273A3j
		mov	eax, [ebp+var_8C]
		test	eax, eax
		jnz	loc_90E3AC

loc_7E7418:				; CODE XREF: NtCreateTokenEx+1273AAj
					; NtCreateTokenEx+1273BCj
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		test	ebx, ebx
		js	short loc_7E7498
		movzx	eax, [ebp+var_2F]
		neg	eax
		sbb	eax, eax
		lea	ecx, [ebp+var_94]
		and	eax, ecx
		push	esi
		push	eax
		push	[ebp+var_58]
		push	[ebp+var_98]
		push	[ebp+var_60]
		push	[ebp+var_5C]
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+var_44]
		push	[ebp+var_40]
		push	[ebp+var_3C]
		push	[ebp+var_54]
		push	[ebp+var_9C]
		push	[ebp+var_48]
		push	[ebp+var_50]
		push	[ebp+var_A0]
		push	[ebp+var_4C]
		lea	eax, [ebp+var_B8]
		push	eax
		lea	eax, [ebp+var_C0]
		push	eax
		push	[ebp+var_E8]
		push	[ebp+arg_C]
		push	[ebp+var_A4]
		push	[ebp+arg_4]
		mov	dl, [ebp+var_2D]
		lea	ecx, [ebp+var_A8]
		call	SepCreateTokenEx
		mov	ebx, eax

loc_7E7498:				; CODE XREF: NtCreateTokenEx+41Cj
		mov	ecx, [ebp+var_4C]
		test	ecx, ecx
		jz	short loc_7E74A8
		push	ecx
		mov	dl, [ebp+var_2D]
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_7E74A8:				; CODE XREF: NtCreateTokenEx+499j
		mov	ecx, [ebp+var_50]
		test	ecx, ecx
		jz	short loc_7E74B8
		push	ecx
		mov	dl, [ebp+var_2D]
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_7E74B8:				; CODE XREF: NtCreateTokenEx+4A9j
		mov	ecx, [ebp+var_54]
		test	ecx, ecx
		jz	short loc_7E74C8
		push	ecx
		mov	dl, [ebp+var_2D]
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_7E74C8:				; CODE XREF: NtCreateTokenEx+4B9j
		mov	al, [ebp+var_2D]
		cmp	[ebp+var_3C], 0
		jnz	loc_7E7597

loc_7E74D5:				; CODE XREF: NtCreateTokenEx+599j
					; NtCreateTokenEx+5ABj
		cmp	[ebp+var_40], 0
		jz	short loc_7E74EC
		test	al, al
		jz	short loc_7E74E3
		cmp	al, 1
		jnz	short loc_7E74EC

loc_7E74E3:				; CODE XREF: NtCreateTokenEx+4D9j
		push	esi
		push	[ebp+var_40]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7E74EC:				; CODE XREF: NtCreateTokenEx+4D5j
					; NtCreateTokenEx+4DDj
		mov	al, [ebp+var_2D]
		cmp	[ebp+var_44], 0
		jz	short loc_7E7509
		test	al, al
		jz	short loc_7E74FD
		cmp	al, 1
		jnz	short loc_7E7509

loc_7E74FD:				; CODE XREF: NtCreateTokenEx+4F3j
		push	esi
		push	[ebp+var_44]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, [ebp+var_2D]

loc_7E7509:				; CODE XREF: NtCreateTokenEx+4EFj
					; NtCreateTokenEx+4F7j
		mov	ecx, [ebp+var_58]
		test	ecx, ecx
		jnz	loc_90E3C5

loc_7E7514:				; CODE XREF: NtCreateTokenEx+1273C9j
		mov	ecx, [ebp+var_5C]
		test	ecx, ecx
		jnz	loc_90E3D2

loc_7E751F:				; CODE XREF: NtCreateTokenEx+1273D3j
		mov	ecx, [ebp+var_60]
		test	ecx, ecx
		jnz	loc_90E3DC

loc_7E752A:				; CODE XREF: NtCreateTokenEx+1273DDj
		test	ebx, ebx
		js	short loc_7E7546
		mov	[ebp+ms_exc.disabled], 2
		mov	eax, [ebp+var_A8]
		mov	ecx, [ebp+var_AC]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], edi

loc_7E7546:				; CODE XREF: NtCreateTokenEx+528j
		mov	eax, ebx

loc_7E7548:				; CODE XREF: NtCreateTokenEx+2A7j
					; NtCreateTokenEx+127229j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	44h
; 

loc_7E755A:				; CODE XREF: NtCreateTokenEx+1DCj
		mov	edx, eax
		test	al, 3
		jnz	short loc_7E75B8
		mov	eax, ds:_MmUserProbeAddress
		cmp	[ebp+var_70], eax
		jnb	short loc_7E75B4

loc_7E756A:				; CODE XREF: NtCreateTokenEx+5B2j
		nop
		mov	al, [edx]
		jmp	loc_7E71E6
; 

loc_7E7572:				; CODE XREF: NtCreateTokenEx+37Dj
		test	ebx, ebx
		js	loc_7E73A6
		mov	ecx, [eax]
		lea	eax, [ebp+var_3C]
		push	eax
		push	1
		sub	esp, 0Ch
		mov	dl, [ebp+var_2D]
		call	SeCaptureSid
		mov	ebx, eax
		mov	[ebp+var_34], ebx
		jmp	loc_7E7387
; 

loc_7E7597:				; CODE XREF: NtCreateTokenEx+4CBj
		test	al, al
		jz	short loc_7E75A3
		cmp	al, 1
		jnz	loc_7E74D5

loc_7E75A3:				; CODE XREF: NtCreateTokenEx+595j
		push	esi
		push	[ebp+var_3C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, [ebp+var_2D]
		jmp	loc_7E74D5
; 

loc_7E75B4:				; CODE XREF: NtCreateTokenEx+564j
		mov	edx, eax
		jmp	short loc_7E756A
; 

loc_7E75B8:				; CODE XREF: NtCreateTokenEx+16Aj
					; NtCreateTokenEx+187j	...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger

SepSetTokenCapabilities:		; CODE XREF: SepGetAnonymousToken(x,x)+84p
					; NtCreateLowBoxToken+2D8p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+arg_4], ebx
		mov	[ebp+ms_exc.disabled], ebx
		cmp	[esi+1E4h], ebx
		jnz	loc_7E768F

loc_7E75E1:				; CODE XREF: NtCreateTokenEx+697j
					; NtCreateTokenEx+6A4j
		test	edi, edi
		jz	loc_7E76BE
		cmp	edi, 1000h
		ja	loc_90E4D7
		cmp	_SepTokenCapabilitySidSharingEnabled, bl
		jnz	loc_90E4E1
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+arg_4]
		push	eax
		mov	edx, edi
		call	_SepLengthSidAndAttributesArray@12 ; SepLengthSidAndAttributesArray(x,x,x)
		test	eax, eax
		js	short loc_7E7688
		mov	eax, [ebp+arg_4]

loc_7E7616:				; CODE XREF: NtCreateTokenEx+1274E2j
		push	73536553h
		push	eax
		push	1
		mov	[ebp+arg_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_90E4EB
		cmp	_SepTokenCapabilitySidSharingEnabled, 0
		jnz	loc_90E4F5
		lea	eax, [ebp+ms_exc.msEH_ptr]
		mov	edx, edi	; int
		push	eax		; int
		lea	eax, [ebp+ms_exc.disabled]
		push	eax		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_4]	; int
		mov	ecx, [ebp+arg_0] ; void	*
		push	ebx		; void *
		push	0		; char
		call	SeCaptureSidAndAttributesArray

loc_7E7657:				; CODE XREF: NtCreateTokenEx+1274FCj
		mov	[ebp+arg_0], eax
		test	eax, eax
		js	loc_90E505
		cmp	dword ptr [esi+1E4h], 0
		jnz	short loc_7E76B5

loc_7E766B:				; CODE XREF: NtCreateTokenEx+6B8j
		lea	eax, [esi+1ECh]
		mov	[esi+1E4h], ebx
		push	eax		; void *
		push	edi		; int
		push	ebx		; int
		mov	[esi+1E8h], edi
		call	RtlSidHashInitialize

loc_7E7685:				; CODE XREF: NtCreateTokenEx+127509j
		mov	eax, [ebp+arg_0]

loc_7E7688:				; CODE XREF: NtCreateTokenEx+60Dj
					; NtCreateTokenEx+6AFj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7E768F:				; CODE XREF: NtCreateTokenEx+5D7j
		test	edx, edx
		jz	short loc_7E76AE
		mov	ecx, [esi+1E0h]
		test	ecx, ecx
		jz	loc_7E75E1
		call	_RtlIsParentOfChildAppContainer@8 ; RtlIsParentOfChildAppContainer(x,x)
		test	al, al
		jnz	loc_7E75E1

loc_7E76AE:				; CODE XREF: NtCreateTokenEx+68Dj
		mov	eax, 0C0000022h
		jmp	short loc_7E7688
; 

loc_7E76B5:				; CODE XREF: NtCreateTokenEx+665j
		mov	ecx, esi
		call	SepFreeTokenCapabilities
		jmp	short loc_7E766B
; 

loc_7E76BE:				; CODE XREF: NtCreateTokenEx+5DFj
		cmp	[esi+1E4h], ebx
		jnz	short loc_7E76D6

loc_7E76C6:				; CODE XREF: NtCreateTokenEx+6D9j
		mov	[esi+1E4h], ebx
		xor	eax, eax
		mov	[esi+1E8h], ebx
		jmp	short loc_7E7688
; 

loc_7E76D6:				; CODE XREF: NtCreateTokenEx+6C0j
		mov	ecx, esi
		call	SepFreeTokenCapabilities
		jmp	short loc_7E76C6
NtCreateTokenEx	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepLengthSidAndAttributesArray(x, x, x)
_SepLengthSidAndAttributesArray@12 proc	near ; CODE XREF: NtCreateTokenEx+606p
					; SepCreateClaimAttributes+11B20Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		push	61536553h
		push	4
		push	1
		mov	esi, edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7E7747
		lea	eax, [ebp+var_4]
		mov	edx, esi	; int
		push	eax		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	ecx		; int
		push	ecx		; int
		push	4		; int
		push	edi		; void *
		push	0		; char
		mov	ecx, ebx	; void *
		call	SeCaptureSidAndAttributesArray
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		push	0
		lea	esi, [eax+3FFFFFDDh]
		neg	esi
		mov	[edx], ecx
		push	edi
		sbb	esi, esi
		and	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_7E7740:				; CODE XREF: SepLengthSidAndAttributesArray(x,x,x)+6Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7E7747:				; CODE XREF: SepLengthSidAndAttributesArray(x,x,x)+28j
		mov	eax, 0C000009Ah
		jmp	short loc_7E7740
_SepLengthSidAndAttributesArray@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall SeCaptureSidAndAttributesArray(void *,int,char,void *,int,int,int,int,int)
SeCaptureSidAndAttributesArray proc near ; CODE	XREF: NtFilterToken+AFp
					; NtFilterToken+105p ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 0090E512 SIZE 0000004C BYTES
; FUNCTION CHUNK AT 0090E58A SIZE 00000039 BYTES
; FUNCTION CHUNK AT 0090E608 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A4E30
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, edx
		mov	ebx, ecx
		mov	[ebp+var_1C], 0
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		test	esi, esi
		jz	loc_7E7AA5
		cmp	esi, 1000h
		ja	loc_90E512
		lea	eax, ds:0[esi*8]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_38], eax
		mov	edi, eax
		mov	[ebp+var_30], edi
		mov	dl, [ebp+arg_0]
		test	dl, dl
		jnz	loc_7E78DB
		xor	ecx, ecx
		mov	edi, edi

loc_7E77D0:				; CODE XREF: SeCaptureSidAndAttributesArray+98j
		cmp	ecx, esi
		jnb	short loc_7E77FC
		mov	eax, [ebx+ecx*8]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	edi, eax
		inc	ecx
		jmp	short loc_7E77D0
; 

loc_7E77EA:				; CODE XREF: SeCaptureSidAndAttributesArray+1E2j
					; SeCaptureSidAndAttributesArray+126DE9j
		mov	[ebp+var_4], 0FFFFFFFEh
		test	ecx, ecx
		js	loc_90E54C
		mov	dl, [ebp+arg_0]

loc_7E77FC:				; CODE XREF: SeCaptureSidAndAttributesArray+82j
		mov	eax, [ebp+arg_18]
		mov	[eax], edi
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_7E7A65
		cmp	edi, [ebp+arg_8]
		ja	loc_7E78BA
		mov	eax, [ebp+arg_14]
		mov	[eax], ecx
		mov	edi, ecx

loc_7E781C:				; CODE XREF: SeCaptureSidAndAttributesArray+334j
		test	dl, dl
		jnz	loc_7E79BE
		lea	eax, ds:0[esi*8]
		push	eax		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	edx, ds:0[esi*8]
		add	edx, 3
		and	edx, 0FFFFFFFCh
		add	edx, edi
		xor	ebx, ebx
		mov	edi, [ebp+arg_14]
		mov	eax, [edi]
		mov	[ebp+arg_8], eax

loc_7E784F:				; CODE XREF: SeCaptureSidAndAttributesArray+134j
		mov	[ebp+arg_18], edx
		cmp	ebx, esi
		jnb	short loc_7E788D
		mov	ecx, [eax+ebx*8]
		movzx	eax, byte ptr [ecx+1]
		lea	edi, ds:8[eax*4]
		push	edi		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, [ebp+arg_18]
		mov	eax, [ebp+arg_8]
		mov	[eax+ebx*8], edx
		inc	ebx
		lea	eax, [edi+3]
		and	eax, 0FFFFFFFCh
		add	edx, eax
		mov	eax, [ebp+arg_8]
		jmp	short loc_7E784F
; 

loc_7E7886:				; CODE XREF: SeCaptureSidAndAttributesArray+2A2j
					; SeCaptureSidAndAttributesArray+2ACj
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7E788D:				; CODE XREF: SeCaptureSidAndAttributesArray+104j
		cmp	[ebp+arg_0], 0
		jnz	loc_7E7A89

loc_7E7897:				; CODE XREF: SeCaptureSidAndAttributesArray+343j
		mov	esi, [ebp+var_20]
		cmp	[ebp+arg_4], 0
		jz	loc_7E7A98

loc_7E78A4:				; CODE XREF: SeCaptureSidAndAttributesArray+34Aj
					; SeCaptureSidAndAttributesArray+126ECBj
		mov	eax, esi

loc_7E78A6:				; CODE XREF: SeCaptureSidAndAttributesArray+126DC7j
					; SeCaptureSidAndAttributesArray+126E09j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_7E78BA:				; CODE XREF: SeCaptureSidAndAttributesArray+BFj
		test	dl, dl
		jnz	loc_90E58A

loc_7E78C2:				; CODE XREF: SeCaptureSidAndAttributesArray+126E44j
		mov	eax, 0C0000023h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_7E78DB:				; CODE XREF: SeCaptureSidAndAttributesArray+76j
		push	61546553h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_90E5A9
		mov	[ebp+var_4], 0
		lea	edx, ds:0[esi*8]
		test	edx, edx
		jz	short loc_7E7927
		test	bl, 3
		jnz	loc_7E7ACD
		lea	eax, [edx+ebx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_90E51C
		cmp	eax, ebx
		jb	loc_90E51C

loc_7E7927:				; CODE XREF: SeCaptureSidAndAttributesArray+1B3j
					; SeCaptureSidAndAttributesArray+126DCFj
		xor	eax, eax
		mov	[ebp+var_2C], eax
		mov	ecx, [ebp+var_20]
		nop

loc_7E7930:				; CODE XREF: SeCaptureSidAndAttributesArray+269j
		cmp	eax, esi
		jnb	loc_7E77EA
		lea	ecx, ds:0[eax*8]
		mov	edx, [ecx+ebx]
		lea	eax, [edx+1]
		mov	edi, ds:_MmUserProbeAddress
		cmp	eax, edi
		jnb	loc_90E524

loc_7E7953:				; CODE XREF: SeCaptureSidAndAttributesArray+126DD6j
		nop
		mov	al, [eax]
		movzx	eax, al
		mov	[ebp+var_40], eax
		cmp	eax, 0Fh
		ja	loc_90E52B
		add	ecx, [ebp+var_1C]
		mov	[ebp+var_20], ecx
		mov	[ecx], edx
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_44], eax
		mov	[ecx+4], eax
		mov	ecx, [ecx]
		test	cl, 3
		jnz	loc_7E7AD2
		lea	edx, [ecx+eax]
		mov	edi, ds:_MmUserProbeAddress
		cmp	edx, edi
		ja	loc_90E53E
		cmp	edx, ecx
		jb	loc_90E53E

loc_7E799E:				; CODE XREF: SeCaptureSidAndAttributesArray+126DF7j
		add	eax, 3
		and	eax, 0FFFFFFFCh
		mov	edi, [ebp+var_30]
		add	edi, eax
		mov	[ebp+var_30], edi
		mov	eax, [ebp+var_2C]
		inc	eax
		mov	[ebp+var_2C], eax
		mov	ecx, [ebp+var_24]
		mov	[ebp+var_20], ecx
		jmp	loc_7E7930
; 

loc_7E79BE:				; CODE XREF: SeCaptureSidAndAttributesArray+CEj
		mov	[ebp+var_4], 1
		mov	[ebp+var_28], edi
		lea	eax, ds:0[esi*8]
		push	eax		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ebx, [ebp+var_38]
		add	ebx, edi
		mov	[ebp+var_28], ebx
		xor	edi, edi
		mov	[ebp+var_2C], edi
		mov	eax, [ebp+arg_14]
		mov	eax, [eax]
		mov	[ebp+arg_18], eax
		nop

loc_7E79F0:				; CODE XREF: SeCaptureSidAndAttributesArray+313j
		cmp	edi, esi
		jnb	loc_7E7886
		cmp	[ebp+var_20], 0
		jnz	loc_7E7886
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+edi*8+4]
		push	eax		; size_t
		mov	eax, [ecx+edi*8]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+arg_18]
		mov	[ecx+edi*8], ebx
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+edi*8+4]
		mov	[ebp+arg_8], eax
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	ebx, eax
		mov	[ebp+var_28], ebx
		test	dword ptr [ecx+edi*8+4], 1FFFFF80h
		jnz	loc_90E5B3
		mov	ebx, [ecx+edi*8]
		push	ebx
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_7E7AD7
		push	ebx
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		cmp	eax, [ebp+arg_8]
		jnz	short loc_7E7AD7

loc_7E7A5C:				; CODE XREF: SeCaptureSidAndAttributesArray+392j
		mov	ebx, [ebp+var_28]

loc_7E7A5F:				; CODE XREF: SeCaptureSidAndAttributesArray+126E6Ej
		inc	edi
		mov	[ebp+var_2C], edi
		jmp	short loc_7E79F0
; 

loc_7E7A65:				; CODE XREF: SeCaptureSidAndAttributesArray+B6j
		push	61536553h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	eax, [ebp+arg_14]
		mov	[eax], edi
		test	edi, edi
		jz	loc_90E599
		mov	dl, [ebp+arg_0]
		jmp	loc_7E781C
; 

loc_7E7A89:				; CODE XREF: SeCaptureSidAndAttributesArray+141j
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7E7897
; 

loc_7E7A98:				; CODE XREF: SeCaptureSidAndAttributesArray+14Ej
		test	esi, esi
		jns	loc_7E78A4
		jmp	loc_90E608
; 

loc_7E7AA5:				; CODE XREF: SeCaptureSidAndAttributesArray+4Aj
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 0
		mov	eax, [ebp+arg_18]
		mov	dword ptr [eax], 0
		xor	eax, eax
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_7E7ACD:				; CODE XREF: SeCaptureSidAndAttributesArray+1B8j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7E7AD2:				; CODE XREF: SeCaptureSidAndAttributesArray+22Fj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7E7AD7:				; CODE XREF: SeCaptureSidAndAttributesArray+2FBj
					; SeCaptureSidAndAttributesArray+30Aj
		mov	eax, 0C0000078h
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		jmp	loc_7E7A5C
SeCaptureSidAndAttributesArray endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeCaptureAcl	proc near		; CODE XREF: NtCreateTokenEx+3C9p
					; PAGE:007E9699p ...

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0090E620 SIZE 0000000E BYTES

		push	18h
		push	offset dword_6A4E58
		call	__SEH_prolog4
		mov	[ebp+var_24], ecx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		test	dl, dl
		jz	loc_7E7BB9
		mov	[ebp+ms_exc.disabled], ebx
		lea	eax, [ecx+2]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		jnb	loc_90E620

loc_7E7B18:				; CODE XREF: SeCaptureAcl+126B3Aj
		nop
		mov	ax, [eax]
		movzx	esi, ax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jz	short loc_7E7B47
		test	cl, 3
		jnz	loc_7E7BC2
		lea	edx, [esi+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	loc_90E627
		cmp	edx, ecx
		jb	loc_90E627

loc_7E7B47:				; CODE XREF: SeCaptureAcl+3Cj
					; SeCaptureAcl+126B41j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7E7B4E:				; CODE XREF: SeCaptureAcl+D8j
		cmp	esi, 8
		jb	loc_90E658
		lea	ecx, [esi+3]
		and	ecx, 0FFFFFFFCh
		mov	eax, [ebp+arg_14]
		mov	[eax], ecx
		push	63416553h
		push	esi
		push	[ebp+arg_8]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, [ebp+arg_10]
		mov	[edi], eax
		test	eax, eax
		jz	short loc_7E7BC7
		mov	[ebp+ms_exc.disabled], 1
		push	esi		; size_t
		push	[ebp+var_24]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, esi
		mov	ecx, [edi]
		call	_SepCheckAcl@8	; SepCheckAcl(x,x)
		test	al, al
		jz	sub_90E64E
		xor	eax, eax

loc_7E7BA7:				; CODE XREF: SeCaptureAcl+E4j
					; sub_90E63C+Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7E7BB9:				; CODE XREF: SeCaptureAcl+16j
		movzx	esi, word ptr [ecx+2]
		mov	[ebp+var_1C], esi
		jmp	short loc_7E7B4E
; 

loc_7E7BC2:				; CODE XREF: SeCaptureAcl+41j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7E7BC7:				; CODE XREF: SeCaptureAcl+8Fj
		mov	eax, 0C000009Ah
		jmp	short loc_7E7BA7
SeCaptureAcl	endp


;  S U B	R O U T	I N E 


; __stdcall SepCheckAcl(x, x)
_SepCheckAcl@8	proc near		; CODE XREF: SeCaptureAcl+B0p
		cmp	edx, 8
		jb	short loc_7E7BE2
		movzx	eax, word ptr [ecx+2]
		cmp	edx, eax
		jnz	short loc_7E7BE2
		push	ecx
		call	RtlValidAcl
		retn
; 

loc_7E7BE2:				; CODE XREF: SepCheckAcl(x,x)+3j
					; SepCheckAcl(x,x)+Bj
		xor	al, al
		retn
_SepCheckAcl@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall SeReleaseAcl(x, x, x)
_SeReleaseAcl@12 proc near		; CODE XREF: PAGE:007E9723p
					; PAGE:007E976Fp ...
		test	dl, dl
		jz	short loc_7E7BEF
		cmp	dl, 1
		jnz	short locret_7E7BF7

loc_7E7BEF:				; CODE XREF: SeReleaseAcl(x,x,x)+2j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_7E7BF7:				; CODE XREF: SeReleaseAcl(x,x,x)+7j
		retn	4
_SeReleaseAcl@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeSetMandatoryPolicyToken(x, x)
_SeSetMandatoryPolicyToken@8 proc near	; CODE XREF: PAGE:007EA274p
					; NtCreateLowBoxToken+22Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	dword ptr [esi], 0FFFFFFFCh
		jnz	short loc_7E7C69
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [edi+30h]
		call	ExAcquireResourceExclusiveLite
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, [esi]
		lea	ecx, [edi+34h]
		mov	[edi+0BCh], eax
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [edi+30h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax

loc_7E7C65:				; CODE XREF: SeSetMandatoryPolicyToken(x,x)+74j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_7E7C69:				; CODE XREF: SeSetMandatoryPolicyToken(x,x)+13j
		mov	eax, 0C000000Dh
		jmp	short loc_7E7C65
_SeSetMandatoryPolicyToken@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAllocateFoExtensionsOnCreate	proc near ; CODE XREF: IopAllocRealFileObject+336p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0090E691 SIZE 000000C6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		mov	esi, 0C000000Dh
		test	byte ptr [edi+5Ch], 2
		jz	short loc_7E7CAE
		and	[ebp+arg_0], 0
		lea	edx, [ebp+arg_0]
		call	IopAllocateFileObjectExtension
		mov	esi, eax
		test	esi, esi
		js	short loc_7E7CE7
		mov	eax, [ebp+arg_0]
		xor	esi, esi
		or	dword ptr [eax], 1
		test	esi, esi
		js	short loc_7E7CE7
		mov	ecx, [ebp+var_4]

loc_7E7CAE:				; CODE XREF: IopAllocateFoExtensionsOnCreate+1Bj
		mov	eax, [edi+5Ch]
		test	al, 1
		jnz	short loc_7E7CF0

loc_7E7CB5:				; CODE XREF: IopAllocateFoExtensionsOnCreate+A7j
		test	al, 4
		jnz	loc_90E691

loc_7E7CBD:				; CODE XREF: IopAllocateFoExtensionsOnCreate+126ACDj
		mov	ebx, [ebp+arg_4]
		test	al, 40h
		jnz	short loc_7E7D19
		push	dword ptr [ebx+8]
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	short loc_7E7D19
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_7E7CE7
		push	eax
		call	_IoGetSilo@4	; IoGetSilo(x)
		push	eax
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	short loc_7E7D19

loc_7E7CE7:				; CODE XREF: IopAllocateFoExtensionsOnCreate+2Dj
					; IopAllocateFoExtensionsOnCreate+39j ...
		mov	eax, esi

loc_7E7CE9:				; CODE XREF: IopAllocateFoExtensionsOnCreate+CAj
					; IopAllocateFoExtensionsOnCreate+126A60j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7E7CF0:				; CODE XREF: IopAllocateFoExtensionsOnCreate+43j
		and	[ebp+arg_0], 0
		lea	eax, [ebp+arg_0]
		push	0		; int
		push	eax		; int
		push	1		; char
		xor	edx, edx
		push	10h		; size_t
		inc	edx
		call	IopGetSetSpecificExtension
		mov	esi, eax
		test	esi, esi
		js	short loc_7E7CE7
		mov	eax, [ebp+arg_0]
		mov	ecx, [edi+6Ch]
		mov	[eax], ecx
		mov	eax, [edi+5Ch]
		jmp	short loc_7E7CB5
; 

loc_7E7D19:				; CODE XREF: IopAllocateFoExtensionsOnCreate+52j
					; IopAllocateFoExtensionsOnCreate+5Ej ...
		mov	edx, [edi+14h]
		xor	esi, esi
		mov	edi, [ebx+8]
		test	edx, edx
		jnz	short loc_7E7D7A

loc_7E7D25:				; CODE XREF: IopAllocateFoExtensionsOnCreate+113j
					; IopAllocateFoExtensionsOnCreate+11Dj
		push	edi
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jnz	short loc_7E7CE7
		and	[ebp+arg_0], esi
		push	edi
		call	PsAcquireSiloHardReference
		test	eax, eax
		js	short loc_7E7CE9
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+arg_0]
		push	0		; int
		push	eax		; int
		push	1		; char
		push	0Ch
		pop	ebx
		push	ebx		; size_t
		push	7
		pop	edx
		call	IopGetSetSpecificExtension
		mov	esi, eax
		test	esi, esi
		js	loc_90E74C
		mov	eax, [ebp+arg_0]
		mov	edx, 70536F49h
		mov	ecx, edi
		mov	[eax], ebx
		mov	[eax+8], edi
		or	dword ptr [eax+4], 1
		call	ObfReferenceObjectWithTag
		jmp	loc_7E7CE7
; 

loc_7E7D7A:				; CODE XREF: IopAllocateFoExtensionsOnCreate+B3j
		mov	ecx, edi
		call	_PsIsServerSilo@4 ; PsIsServerSilo(x)
		test	al, al
		jz	short loc_7E7D25
		push	edx
		call	_IoGetSilo@4	; IoGetSilo(x)
		mov	edi, eax
		jmp	short loc_7E7D25
IopAllocateFoExtensionsOnCreate	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCheckConditionalWakeCharge(x, x,	x)
_PspCheckConditionalWakeCharge@12 proc near
					; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+DBp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	dword ptr [esi+158h], 0
		jz	short loc_7E7DB9
		mov	eax, [esi+158h]
		lea	ebx, [edx+248h]
		mov	eax, [eax+248h]
		cmp	eax, [ebx]
		jz	short loc_7E7DC2

loc_7E7DB9:				; CODE XREF: PspCheckConditionalWakeCharge(x,x,x)+11j
					; PspCheckConditionalWakeCharge(x,x,x)+52j
		mov	al, 1

loc_7E7DBB:				; CODE XREF: PspCheckConditionalWakeCharge(x,x,x)+5Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7E7DC2:				; CODE XREF: PspCheckConditionalWakeCharge(x,x,x)+27j
		mov	ecx, [ebp+arg_0]
		xor	edi, edi
		inc	edi
		shl	edi, cl

loc_7E7DCA:				; CODE XREF: PspCheckConditionalWakeCharge(x,x,x)+5Aj
		mov	ecx, esi
		call	_PspIsProcessInJob@8 ; PspIsProcessInJob(x,x)
		cmp	eax, 124h
		jnz	short loc_7E7DE0
		test	[edx+1F8h], edi
		jnz	short loc_7E7DEC

loc_7E7DE0:				; CODE XREF: PspCheckConditionalWakeCharge(x,x,x)+46j
		cmp	edx, [ebx]
		jz	short loc_7E7DB9
		mov	edx, [edx+244h]
		jmp	short loc_7E7DCA
; 

loc_7E7DEC:				; CODE XREF: PspCheckConditionalWakeCharge(x,x,x)+4Ej
		xor	al, al
		jmp	short loc_7E7DBB
_PspCheckConditionalWakeCharge@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtIsProcessInJob proc near		; DATA XREF: .text:00580FD0o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090E757 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, large fs:124h
		xor	ebx, ebx
		cmp	[ebp+arg_0], 0FFFFFFFFh
		mov	[ebp+var_4], ebx
		mov	al, [esi+15Ah]
		mov	byte ptr [ebp+var_8], al
		jz	loc_90E757
		push	ebx
		lea	eax, [ebp+var_4]
		push	eax
		push	624A7350h
		push	[ebp+var_8]
		push	ds:_PsProcessType
		push	1000h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7E7E93
		mov	esi, [ebp+var_4]

loc_7E7E40:				; CODE XREF: NtIsProcessInJob+126970j
		push	edi
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_7E7E99
		mov	eax, ds:_PsJobType
		lea	ecx, [ebp+var_C]
		push	ebx
		push	ecx
		push	[ebp+var_8]
		mov	[ebp+var_C], ebx
		push	eax
		push	4
		push	edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edx, [ebp+var_C]
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7E7E7E

loc_7E7E6A:				; CODE XREF: NtIsProcessInJob+B2j
		mov	ecx, esi
		call	_PspIsProcessInJob@8 ; PspIsProcessInJob(x,x)
		mov	ebx, eax
		test	edi, edi
		jz	short loc_7E7E7E
		mov	ecx, edx
		call	ObfDereferenceObject

loc_7E7E7E:				; CODE XREF: NtIsProcessInJob+78j
					; NtIsProcessInJob+85j
		cmp	[ebp+arg_0], 0FFFFFFFFh
		pop	edi
		jz	short loc_7E7E91
		mov	edx, 624A7350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_7E7E91:				; CODE XREF: NtIsProcessInJob+93j
		mov	eax, ebx

loc_7E7E93:				; CODE XREF: NtIsProcessInJob+4Bj
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7E7E99:				; CODE XREF: NtIsProcessInJob+56j
		mov	edx, [esi+158h]
		mov	esi, [ebp+var_4]
		jmp	short loc_7E7E6A
NtIsProcessInJob endp


;  S U B	R O U T	I N E 


; __stdcall PspIsProcessInJob(x, x)
_PspIsProcessInJob@8 proc near		; CODE XREF: PspCheckConditionalWakeCharge(x,x,x)+3Cp
					; NtIsProcessInJob+7Cp	...
		mov	ecx, [ecx+158h]
		mov	eax, 123h

loc_7E7EAF:				; CODE XREF: PspIsProcessInJob(x,x)+19j
		test	ecx, ecx
		jz	short locret_7E7EBF
		cmp	ecx, edx
		jz	short loc_7E7EC0

loc_7E7EB7:				; CODE XREF: PspIsProcessInJob(x,x)+21j
		mov	ecx, [ecx+244h]
		jmp	short loc_7E7EAF
; 

locret_7E7EBF:				; CODE XREF: PspIsProcessInJob(x,x)+Dj
		retn
; 

loc_7E7EC0:				; CODE XREF: PspIsProcessInJob(x,x)+11j
		mov	eax, 124h
		jmp	short loc_7E7EB7
_PspIsProcessInJob@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PsIsJobParentImmutable(x)
_PsIsJobParentImmutable@4 proc near	; CODE XREF: PspGetJobAssignmentDisposition+91p
					; PspGetJobAssignmentDisposition:loc_90EAD9p ...
		test	byte ptr [ecx+314h], 1
		jnz	short loc_7E7EDC
		xor	eax, eax
		cmp	[ecx+244h], eax
		jnz	short loc_7E7EDC
		retn
; 

loc_7E7EDC:				; CODE XREF: PsIsJobParentImmutable(x)+7j
					; PsIsJobParentImmutable(x)+11j
		mov	al, 1
		retn
_PsIsJobParentImmutable@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeSetSessionIdToken proc near		; CODE XREF: PAGE:007E963Fp
					; SepCopyAnonymousTokenAndSetSilo(x,x)+110p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090E765 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	eax, edx
		and	[ebp+var_8], ebx
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], eax
		cmp	ds:_SeTokenDoesNotTrackSessionObject, ebx
		jnz	short loc_7E7F0A
		mov	ecx, eax
		call	MmGetSessionObjectById
		mov	edi, eax

loc_7E7F0A:				; CODE XREF: SeSetSessionIdToken+1Fj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		and	[ebp+var_C], ebx
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock or	[eax], ecx
		cmp	[esi+0B4h], cl
		jnz	loc_90E765
		test	dword ptr [esi+0B0h], 4000h
		jnz	loc_90E76F

loc_7E7F49:				; CODE XREF: SeSetSessionIdToken+126897j
					; SeSetSessionIdToken+1268ABj
		mov	eax, [ebp+var_4]
		cmp	[esi+78h], eax
		jnz	short loc_7E7F96

loc_7E7F51:				; CODE XREF: SeSetSessionIdToken+CBj
		test	dword ptr [esi+0B0h], 4000h
		mov	[esi+78h], eax
		jnz	loc_90E790

loc_7E7F64:				; CODE XREF: SeSetSessionIdToken+12688Aj
					; SeSetSessionIdToken+1268BFj
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		jz	short loc_7E7F88
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7E7F88:				; CODE XREF: SeSetSessionIdToken+9Fj
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jnz	short loc_7E7FAD

loc_7E7F8F:				; CODE XREF: SeSetSessionIdToken+D2j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_7E7F96:				; CODE XREF: SeSetSessionIdToken+6Fj
		lea	ecx, [ebp+var_8]
		mov	edx, eax
		push	ecx
		push	edi
		push	1
		mov	ecx, esi
		call	_SepSetTokenSessionById@20 ; SepSetTokenSessionById(x,x,x,x,x)
		mov	eax, [ebp+var_4]
		xor	edi, edi
		jmp	short loc_7E7F51
; 

loc_7E7FAD:				; CODE XREF: SeSetSessionIdToken+ADj
		call	ObfDereferenceObject
		jmp	short loc_7E7F8F
SeSetSessionIdToken endp


;  S U B	R O U T	I N E 


PspJobDeleteStorageArrays proc near	; CODE XREF: .text:0051160Bp

; FUNCTION CHUNK AT 0090E7A4 SIZE 00000019 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+308h]
		test	ecx, ecx
		jnz	loc_90E7A4
		pop	esi
		retn
PspJobDeleteStorageArrays endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspJobIoRateControlDisable proc	near	; CODE XREF: .text:0051162Ap
					; PspSetJobIoRateControl+18CD1Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090E7BD SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		cmp	[esi+354h], edi
		jnz	loc_90E7BD

loc_7E7FE3:				; CODE XREF: PspJobIoRateControlDisable+126801j
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		mov	edx, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		call	_PspJobIoRateVolumeEntryRemoveAll@8 ; PspJobIoRateVolumeEntryRemoveAll(x,x)

loc_7E7FF5:				; CODE XREF: PspJobIoRateControlDisable+12682Ej
		mov	esi, [ebp+var_8]
		lea	eax, [ebp+var_8]
		cmp	esi, eax
		jnz	loc_90E7D0
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
PspJobIoRateControlDisable endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspGetJobLockHierarchyForDeletion(x, x)
_PspGetJobLockHierarchyForDeletion@8 proc near ; CODE XREF: .text:00511709p
		mov	edi, edi
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	ecx, ebx
		call	_PspLockJobAssignment@4	; PspLockJobAssignment(x)
		mov	edx, [edi+244h]
		xor	eax, eax
		test	edx, edx
		jnz	short loc_7E8043

loc_7E802D:				; CODE XREF: PspGetJobLockHierarchyForDeletion(x,x)+42j
		mov	[esi+eax*8+4], edi
		mov	ecx, ebx
		mov	byte ptr [esi+eax*8+8],	0
		inc	eax
		pop	edi
		mov	[esi], eax
		pop	esi
		pop	ebx
		jmp	_PspUnlockJobAssignment@4 ; PspUnlockJobAssignment(x)
; 

loc_7E8043:				; CODE XREF: PspGetJobLockHierarchyForDeletion(x,x)+21j
		mov	[esi+8], al
		xor	eax, eax
		mov	[esi+4], edx
		inc	eax
		jmp	short loc_7E802D
_PspGetJobLockHierarchyForDeletion@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetCpuRateControlJobPostCallback(x, x)
_PspSetCpuRateControlJobPostCallback@8 proc near
					; DATA XREF: PspAddSchedulingGroupToJobChain+CEo
					; PspAddSchedulingGroupToJobChain+128BF4o

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		push	0
		stosd
		stosd
		mov	edi, [ebp+arg_4]
		lea	eax, [edi+40h]
		neg	edi
		sbb	edi, edi
		and	edi, eax

loc_7E8076:				; CODE XREF: PspSetCpuRateControlJobPostCallback(x,x)+4Dj
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_C]
		push	eax
		mov	edx, ebx
		call	_PspGetNextJobProcess@16 ; PspGetNextJobProcess(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_7E8091
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7E8091:				; CODE XREF: PspSetCpuRateControlJobPostCallback(x,x)+3Aj
		mov	edx, edi
		mov	ecx, esi
		call	PspSetProcessSchedulingGroup
		push	esi
		jmp	short loc_7E8076
_PspSetCpuRateControlJobPostCallback@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspBoostJobIoPriorityCallback(x, x)
_PspBoostJobIoPriorityCallback@8 proc near ; DATA XREF:	PspSetBackgroundJobTree+67o

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		cmp	dword ptr [ebx+198h], 0
		stosd
		stosd
		stosd
		ja	short loc_7E80DB
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_C]
		push	0
		mov	[ebp+arg_0], eax
		mov	edx, eax
		push	ecx

loc_7E80CE:				; CODE XREF: PspBoostJobIoPriorityCallback(x,x)+5Cj
		mov	ecx, ebx
		call	_PspGetNextJobProcess@16 ; PspGetNextJobProcess(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_7E80E4

loc_7E80DB:				; CODE XREF: PspBoostJobIoPriorityCallback(x,x)+1Dj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	8
; 

loc_7E80E4:				; CODE XREF: PspBoostJobIoPriorityCallback(x,x)+3Bj
		push	0

loc_7E80E6:				; CODE XREF: PspBoostJobIoPriorityCallback(x,x)+6Fj
		push	esi
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_7E80FC
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_C]
		push	esi
		push	eax
		jmp	short loc_7E80CE
; 

loc_7E80FC:				; CODE XREF: PspBoostJobIoPriorityCallback(x,x)+52j
		push	0
		mov	ecx, edi
		call	_PsGetIoPriorityThread@4 ; PsGetIoPriorityThread(x)
		mov	edx, eax
		call	IoBoostThreadIoPriority
		push	edi
		jmp	short loc_7E80E6
_PspBoostJobIoPriorityCallback@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAssignProcessToJobObject proc	near	; DATA XREF: .text:005811E8o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, large fs:124h
		lea	ecx, [esp+0Ch+var_8]
		push	ebx
		push	esi
		push	edi
		mov	al, [eax+15Ah]
		xor	esi, esi
		push	esi
		push	ecx
		mov	byte ptr [esp+20h+var_4], al
		push	[esp+20h+var_4]
		mov	eax, ds:_PsJobType
		push	eax
		push	1
		push	[ebp+arg_0]
		mov	[esp+30h+var_C], esi
		mov	[esp+30h+var_8], esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7E81D2
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 0FFFFFFF9h
		jz	loc_90E802
		mov	eax, ds:_PsProcessType
		lea	edx, [esp+18h+var_C]
		push	esi
		push	esi
		push	edx
		push	624A7350h
		push	[esp+28h+var_4]
		mov	edx, 101h
		push	eax
		call	ObpReferenceObjectByHandleWithTag
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7E81D2

loc_7E818A:				; CODE XREF: PspJobIoRateControlDisable+12684Aj
		mov	edi, [esp+18h+var_C]
		push	esi
		mov	esi, [esp+1Ch+var_8]
		push	edi
		push	esi
		call	PsAssignProcessToJobObject
		mov	ebx, eax

loc_7E819C:				; CODE XREF: NtAssignProcessToJobObject+CAj
		test	ds:_PerfGlobalGroupMask, 80000h
		jnz	sub_90E819

loc_7E81AC:				; CODE XREF: sub_90E819+Aj
		test	edi, edi
		jz	short loc_7E81BC
		mov	edx, 624A7350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_7E81BC:				; CODE XREF: NtAssignProcessToJobObject+9Ej
		test	esi, esi
		jz	short loc_7E81C7
		mov	ecx, esi
		call	ObfDereferenceObject

loc_7E81C7:				; CODE XREF: NtAssignProcessToJobObject+AEj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7E81D2:				; CODE XREF: NtAssignProcessToJobObject+46j
					; NtAssignProcessToJobObject+78j
		mov	edi, [esp+18h+var_C]
		mov	esi, [esp+18h+var_8]
		jmp	short loc_7E819C
NtAssignProcessToJobObject endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1746. PsAssignProcessToJobObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsAssignProcessToJobObject
PsAssignProcessToJobObject proc	near	; CODE XREF: NtAssignProcessToJobObject+85p
					; PsCreateMinimalProcess+9C2E4p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0090E828 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		xor	esi, esi
		mov	[esp+8+var_4], esi

loc_7E81F2:				; CODE XREF: PsAssignProcessToJobObject+126649j
		mov	edx, [ebp+arg_4]
		lea	eax, [esp+8+var_4]
		mov	ecx, [ebp+arg_0]
		push	eax
		push	[ebp+arg_8]
		call	PspGetJobAssignmentDisposition
		test	eax, eax
		js	short loc_7E822E
		push	[esp+8+var_4]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	PspAssignProcessToJob
		inc	esi
		cmp	eax, 0C000022Dh
		jz	loc_90E828

loc_7E8227:				; CODE XREF: PsAssignProcessToJobObject+51j
					; PsAssignProcessToJobObject+126654j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_7E822E:				; CODE XREF: PsAssignProcessToJobObject+25j
		mov	eax, 0C0000022h
		jmp	short loc_7E8227
PsAssignProcessToJobObject endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspAssignProcessToJob proc near		; CODE XREF: PsAssignProcessToJobObject+34p

var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_21		= dword	ptr -21h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090E83B SIZE 000001EF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_30], ecx
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	esi, [ebp+arg_0]
		stosd
		xor	ecx, ecx
		mov	ebx, edx
		mov	[ebp+var_21+1],	esi
		mov	[ebp+var_40], ebx
		mov	byte ptr [ebp+var_21], cl
		stosd
		mov	[ebp+var_34], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_19], cl
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		stosd
		stosd
		stosd
		xor	eax, eax
		cmp	[ebp+arg_4], 5
		lea	edi, [ebp+var_58]
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	edi, [ebp+var_30]
		mov	[ebp+var_28], eax
		mov	[ebp+var_2C], ecx
		jz	loc_90E83B

loc_7E829A:				; CODE XREF: PspAssignProcessToJob+126640j
		test	ebx, ebx
		jz	short loc_7E82B5
		lea	ecx, [ebx+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_90E87B
		or	[ebp+var_19], 10h

loc_7E82B5:				; CODE XREF: PspAssignProcessToJob+66j
		lea	eax, [ebp+var_18]
		mov	edx, ebx
		push	eax
		push	[ebp+arg_4]
		mov	ecx, edi
		push	esi
		call	PspGetJobLockHierarchyForAssignment
		mov	ecx, [ebp+var_28]
		or	[ebp+var_19], 6
		call	_PspLockJobAssignment@4	; PspLockJobAssignment(x)
		push	1
		push	[ebp+var_28]
		mov	edx, ebx
		lea	ecx, [ebp+var_18]
		call	_PspLockJobsAndProcessExclusive@16 ; PspLockJobsAndProcessExclusive(x,x,x,x)
		cmp	[ebp+arg_4], 5
		mov	ecx, edi
		jz	loc_90E885
		lea	eax, [ebp+var_2C]
		mov	edx, ebx
		push	eax
		push	esi
		call	PspGetJobAssignmentDisposition
		test	eax, eax
		js	loc_90E8B1
		mov	eax, [ebp+var_2C]
		cmp	eax, [ebp+arg_4]
		jnz	loc_90E8BB
		cmp	eax, 2
		jz	loc_90E8C5

loc_7E8316:				; CODE XREF: PspAssignProcessToJob+126676j
		test	ebx, ebx
		jz	loc_90E8CC
		cmp	eax, 5
		jz	loc_90E8CC
		mov	eax, [ebx+158h]
		mov	[ebp+var_21+1],	eax

loc_7E8330:				; CODE XREF: PspAssignProcessToJob+126699j
		mov	esi, [ebp+var_2C]
		cmp	esi, 4
		jz	loc_7E8575

loc_7E833C:				; CODE XREF: PspAssignProcessToJob+346j
					; PspAssignProcessToJob+1266B3j
		mov	edx, [ebp+var_21+1]
		mov	ecx, edi
		push	esi
		push	ebx
		call	PspValidateJobAssignmentSiloPolicy
		test	al, al
		jz	loc_90E8EF
		cmp	esi, 5
		jz	loc_90E8F9

loc_7E8359:				; CODE XREF: PspAssignProcessToJob+1266CCj
		mov	edx, [ebp+var_21+1]
		push	esi
		call	_PspValidateJobAssignmentNestingDepth@12 ; PspValidateJobAssignmentNestingDepth(x,x,x)
		test	al, al
		jz	loc_90E8EF
		push	esi
		mov	ecx, edi
		call	PspValidateJobAssignmentRateControlLimits
		test	al, al
		jz	loc_90E8EF
		push	esi
		call	PspValidateJobAssignmentDiskIoAttribution
		test	al, al
		jz	loc_90E8EF
		mov	edx, [ebp+var_21+1]
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_34]
		mov	ecx, edi
		push	eax
		push	esi
		call	PspRetrieveJobChainSegmentProcessCharges
		cmp	[ebp+var_34], 0
		jz	short loc_7E83BC
		mov	edx, [ebp+var_3C]
		mov	ecx, [ebp+var_34]
		push	0
		push	ebx
		call	_PspValidateJobChainLimits@16 ;	PspValidateJobChainLimits(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7E8526
		mov	esi, [ebp+var_2C]

loc_7E83BC:				; CODE XREF: PspAssignProcessToJob+169j
		push	esi
		push	[ebp+var_21+1]
		mov	edx, ebx
		mov	ecx, edi
		call	PspEstablishJobHierarchy
		mov	esi, eax
		test	esi, esi
		js	loc_7E8526
		test	ebx, ebx
		jz	loc_90E8C5
		test	dword ptr [edi+310h], 1000h
		push	4
		pop	esi
		jz	short loc_7E843E
		lea	ecx, [ebx+468h]
		xor	eax, eax
		mov	ebx, [ebp+var_21+1]
		mov	[ebp+var_30], eax
		mov	[ebp+var_38], ecx

loc_7E83FB:				; CODE XREF: PspAssignProcessToJob+1E7j
		mov	edx, [ecx]
		and	edx, 7FFFFFFFh
		jnz	loc_90E907

loc_7E8409:				; CODE XREF: PspAssignProcessToJob+1266E9j
		lock bts dword ptr [ecx], 1Fh
		mov	eax, [ebp+var_30]
		add	ecx, esi
		inc	eax
		mov	[ebp+var_38], ecx
		mov	[ebp+var_30], eax
		cmp	eax, 7
		jb	short loc_7E83FB
		mov	ebx, [ebp+var_40]
		mov	eax, [ebx+48Ch]
		and	eax, 7FFFFFFFh
		jnz	loc_90E924

loc_7E8433:				; CODE XREF: PspAssignProcessToJob+126704j
		lea	eax, [ebx+48Ch]
		lock bts dword ptr [eax], 1Fh

loc_7E843E:				; CODE XREF: PspAssignProcessToJob+1B2j
		lea	ecx, [ebx+0E0h]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_7E8591

loc_7E8455:				; CODE XREF: PspAssignProcessToJob+366j
		call	KeAbPostRelease
		or	[ebp+var_19], 8
		mov	edx, [ebp+var_21+1]
		cmp	[ebp+var_2C], esi
		jz	short loc_7E8469
		mov	edx, [ebp+var_3C]

loc_7E8469:				; CODE XREF: PspAssignProcessToJob+22Ej
		mov	ecx, [ebp+var_34]
		push	0
		push	ebx
		call	_PspIncrementJobChainProcessCounts@16 ;	PspIncrementJobChainProcessCounts(x,x,x,x)
		mov	edx, [ebp+var_21+1]
		mov	ecx, edi
		push	ebx
		call	_PspApplyJobChainLimitsToProcess@12 ; PspApplyJobChainLimitsToProcess(x,x,x)
		push	[ebp+var_28]
		xor	edx, edx
		lea	ecx, [ebp+var_18]
		call	PspUnlockJobsAndProcessExclusive
		and	[ebp+var_19], 0FBh
		lea	esi, [edi+310h]
		mov	eax, 1000000h
		test	[esi], eax
		jnz	short loc_7E84BD
		push	0
		lea	edx, [ebp+var_21]
		mov	ecx, ebx
		call	_PsQueryProcessAttributes@12 ; PsQueryProcessAttributes(x,x,x)
		cmp	byte ptr [ebp+var_21], 0
		mov	eax, 1800000h
		jnz	loc_7E8587

loc_7E84BA:				; CODE XREF: PspAssignProcessToJob+356j
		lock or	[esi], eax

loc_7E84BD:				; CODE XREF: PspAssignProcessToJob+267j
		mov	ecx, ebx
		call	PspApplyWorkingSetLimitsToProcess
		mov	esi, eax
		test	esi, esi
		js	short loc_7E8526
		cmp	[ebp+var_2C], 5
		jz	loc_90E93F
		xor	eax, eax

loc_7E84D6:				; CODE XREF: PspAssignProcessToJob+12670Cj
		mov	edx, [ebp+var_21+1]
		mov	ecx, ebx
		push	eax
		call	MmAssignProcessToJob
		test	eax, eax
		jz	loc_90E947
		mov	ecx, [ebp+var_28]
		call	_PspUnlockJobAssignment@4 ; PspUnlockJobAssignment(x)
		mov	eax, [ebp+var_28]
		and	[ebp+var_19], 0FDh
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, ebx
		call	PspChangeProcessExecutionState
		mov	ecx, [ebp+var_28]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		cmp	dword ptr [edi+0CCh], 0
		jnz	loc_90E951

loc_7E851C:				; CODE XREF: PspAssignProcessToJob+126765j
		cmp	[ebp+var_2C], 5
		jz	loc_90E9A0

loc_7E8526:				; CODE XREF: PspAssignProcessToJob+17Dj
					; PspAssignProcessToJob+197j ...
		mov	al, [ebp+var_19]

loc_7E8529:				; CODE XREF: PspAssignProcessToJob+126777j
		test	al, 10h
		jz	short loc_7E853B
		lea	ecx, [ebx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	al, [ebp+var_19]

loc_7E853B:				; CODE XREF: PspAssignProcessToJob+2F5j
		test	al, 20h
		jnz	short loc_7E8547
		test	esi, esi
		js	loc_90E9B2

loc_7E8547:				; CODE XREF: PspAssignProcessToJob+307j
					; PspAssignProcessToJob+12677Ej ...
		mov	edi, [ebp+var_28]
		test	al, 4
		jnz	loc_90E9F7

loc_7E8552:				; CODE XREF: PspAssignProcessToJob+1267CFj
		test	al, 2
		jnz	loc_90EA0A

loc_7E855A:				; CODE XREF: PspAssignProcessToJob+1267DEj
		test	al, 1
		jnz	loc_90EA19

loc_7E8562:				; CODE XREF: PspAssignProcessToJob+1267EFj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_7E8575:				; CODE XREF: PspAssignProcessToJob+100j
		test	byte ptr [edi+310h], 10h
		jz	loc_7E833C
		jmp	loc_90E8D4
; 

loc_7E8587:				; CODE XREF: PspAssignProcessToJob+27Ej
		mov	eax, 1000000h
		jmp	loc_7E84BA
; 

loc_7E8591:				; CODE XREF: PspAssignProcessToJob+219j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [ebx+0E0h]
		jmp	loc_7E8455
PspAssignProcessToJob endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspUnlockJobAssignment(x)
_PspUnlockJobAssignment@4 proc near	; CODE XREF: PspLockJobChain+47p
					; PspGetJobLockHierarchyForDeletion(x,x)+34j ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		mov	edi, offset _PspJobAssignmentLock
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7E85CE

loc_7E85BA:				; CODE XREF: PspUnlockJobAssignment(x)+33j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		test	esi, esi
		jz	short loc_7E85D7
		mov	ecx, esi
		pop	esi
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
; 

loc_7E85CE:				; CODE XREF: PspUnlockJobAssignment(x)+16j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7E85BA
; 

loc_7E85D7:				; CODE XREF: PspUnlockJobAssignment(x)+22j
		pop	esi
		retn
_PspUnlockJobAssignment@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspUnlockJobsAndProcessExclusive proc near ; CODE XREF:	.text:00511732p
					; PspAssignProcessToJob+251p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090EA2A SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ecx]
		mov	ebx, edx
		push	edi
		test	esi, esi
		jz	short loc_7E8608
		lea	edi, [ecx-4]
		lea	edi, [edi+esi*8]

loc_7E85F0:				; CODE XREF: PspUnlockJobsAndProcessExclusive+2Cj
		cmp	byte ptr [edi+4], 0
		mov	ecx, [edi]
		jnz	short loc_7E861F
		add	ecx, 20h
		call	ExReleaseResourceLite

loc_7E8600:				; CODE XREF: PspUnlockJobsAndProcessExclusive+4Ej
		sub	edi, 8
		sub	esi, 1
		jnz	short loc_7E85F0

loc_7E8608:				; CODE XREF: PspUnlockJobsAndProcessExclusive+Ej
		test	ebx, ebx
		jnz	loc_90EA2A

loc_7E8610:				; CODE XREF: PspUnlockJobsAndProcessExclusive+126471j
		mov	ecx, [ebp+arg_0]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7E861F:				; CODE XREF: PspUnlockJobsAndProcessExclusive+1Cj
		push	0
		xor	edx, edx
		call	PspUnlockJobChain
		jmp	short loc_7E8600
PspUnlockJobsAndProcessExclusive endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspRetrieveJobChainSegmentProcessCharges proc near ; CODE XREF:	PspAssignProcessToJob+160p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0090EA50 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		sub	eax, 1
		jnz	short loc_7E864D

loc_7E863A:				; CODE XREF: PspRetrieveJobChainSegmentProcessCharges+27j
		mov	ecx, edx

loc_7E863C:				; CODE XREF: PspRetrieveJobChainSegmentProcessCharges+34j
		mov	edx, esi

loc_7E863E:				; CODE XREF: PspRetrieveJobChainSegmentProcessCharges+12642Fj
					; PspRetrieveJobChainSegmentProcessCharges+126436j
		mov	eax, [ebp+arg_4]
		pop	esi
		mov	[eax], edx
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		pop	ebp
		retn	0Ch
; 

loc_7E864D:				; CODE XREF: PspRetrieveJobChainSegmentProcessCharges+Ej
		dec	eax
		sub	eax, 1
		jz	short loc_7E863A
		sub	eax, 1
		jnz	loc_90EA50
		xor	ecx, ecx
		jmp	short loc_7E863C
PspRetrieveJobChainSegmentProcessCharges endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspValidateJobAssignmentDiskIoAttribution proc near ; CODE XREF: PspAssignProcessToJob+145p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090EA65 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 4
		push	esi
		mov	esi, ecx
		jz	short loc_7E8681
		cmp	[ebp+arg_0], 5
		jz	short loc_7E8681
		cmp	[ebp+arg_0], 7
		jz	short loc_7E8681

loc_7E867A:				; CODE XREF: PspValidateJobAssignmentDiskIoAttribution+39j
					; PspValidateJobAssignmentDiskIoAttribution+126419j
		mov	al, 1

loc_7E867C:				; CODE XREF: PspValidateJobAssignmentDiskIoAttribution+126421j
		pop	esi
		pop	ebp
		retn	4
; 

loc_7E8681:				; CODE XREF: PspValidateJobAssignmentDiskIoAttribution+Cj
					; PspValidateJobAssignmentDiskIoAttribution+12j ...
		cmp	dword ptr [edx+324h], 0
		jnz	loc_90EA65
		push	1
		mov	ecx, edx
		call	_PspIsSetJobIoAttribution@12 ; PspIsSetJobIoAttribution(x,x,x)
		test	al, al
		jz	short loc_7E867A
		jmp	loc_90EA65
PspValidateJobAssignmentDiskIoAttribution endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspValidateJobAssignmentRateControlLimits proc near ; CODE XREF: PspAssignProcessToJob+137p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090EA86 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 4
		push	esi
		jz	short loc_7E86BF
		cmp	[ebp+arg_0], 5
		jz	short loc_7E86BF
		cmp	[ebp+arg_0], 7
		jz	short loc_7E86BF

loc_7E86B8:				; CODE XREF: PspValidateJobAssignmentRateControlLimits+42j
		mov	al, 1

loc_7E86BA:				; CODE XREF: PspValidateJobAssignmentRateControlLimits+1263F4j
		pop	esi
		pop	ebp
		retn	4
; 

loc_7E86BF:				; CODE XREF: PspValidateJobAssignmentRateControlLimits+Aj
					; PspValidateJobAssignmentRateControlLimits+10j ...
		xor	eax, eax
		mov	esi, 2000000h

loc_7E86C6:				; CODE XREF: PspValidateJobAssignmentRateControlLimits+40j
		cmp	eax, 2
		jz	short loc_7E86DC
		cmp	eax, 1
		jz	short loc_7E86DC
		test	[ecx+310h], esi
		jnz	loc_90EA86

loc_7E86DC:				; CODE XREF: PspValidateJobAssignmentRateControlLimits+29j
					; PspValidateJobAssignmentRateControlLimits+2Ej ...
		inc	eax
		cmp	eax, 3
		jl	short loc_7E86C6
		jmp	short loc_7E86B8
PspValidateJobAssignmentRateControlLimits endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspValidateJobAssignmentNestingDepth(x, x, x)
_PspValidateJobAssignmentNestingDepth@12 proc near ; CODE XREF:	PspAssignProcessToJob+127p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 4
		jz	short loc_7E8701
		cmp	[ebp+arg_0], 5
		jz	short loc_7E8701
		cmp	[ebp+arg_0], 7
		jz	short loc_7E8701

loc_7E86FB:				; CODE XREF: PspValidateJobAssignmentNestingDepth(x,x,x)+28j
		mov	al, 1

loc_7E86FD:				; CODE XREF: PspValidateJobAssignmentNestingDepth(x,x,x)+2Cj
		pop	ebp
		retn	4
; 

loc_7E8701:				; CODE XREF: PspValidateJobAssignmentNestingDepth(x,x,x)+9j
					; PspValidateJobAssignmentNestingDepth(x,x,x)+Fj ...
		movzx	eax, byte ptr [edx+1A6h]
		inc	eax
		cmp	eax, 64h
		jbe	short loc_7E86FB
		xor	al, al
		jmp	short loc_7E86FD
_PspValidateJobAssignmentNestingDepth@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspValidateJobAssignmentSiloPolicy proc	near ; CODE XREF: PspAssignProcessToJob+10Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090EA99 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, edx
		cmp	eax, 1
		jnz	short loc_7E8741

loc_7E8723:				; CODE XREF: PspValidateJobAssignmentSiloPolicy+32j
					; PspValidateJobAssignmentSiloPolicy+37j
		push	ecx
		call	_PsGetEffectiveServerSilo@4 ; PsGetEffectiveServerSilo(x)
		push	edi
		mov	esi, eax
		call	_PsGetEffectiveServerSilo@4 ; PsGetEffectiveServerSilo(x)
		cmp	eax, esi
		jnz	loc_90EA99

loc_7E8739:				; CODE XREF: PspValidateJobAssignmentSiloPolicy+3Cj
					; PspValidateJobAssignmentSiloPolicy:loc_7E8757j
		mov	al, 1

loc_7E873B:				; CODE XREF: PspValidateJobAssignmentSiloPolicy+49j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_7E8741:				; CODE XREF: PspValidateJobAssignmentSiloPolicy+Fj
		cmp	eax, 3
		jz	short loc_7E8723
		cmp	eax, 5
		jz	short loc_7E8723
		cmp	eax, 4
		jnz	short loc_7E8739
		call	_PsIsServerSilo@4 ; PsIsServerSilo(x)
		test	al, al

loc_7E8757:				; CODE XREF: PspValidateJobAssignmentSiloPolicy+126391j
		jz	short loc_7E8739
		xor	al, al
		jmp	short loc_7E873B
PspValidateJobAssignmentSiloPolicy endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspTerminateProcessesJobCallback proc near
					; DATA XREF: PspTerminateAllProcessesInJobHierarchy+39o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090EAA8 SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		lea	edi, [esp+28h+var_C]
		stosd
		stosd
		stosd
		call	_PsIsServerSilo@4 ; PsIsServerSilo(x)
		mov	edi, [ebp+arg_4]
		test	al, al
		jnz	loc_90EAA8
		xor	bl, bl

loc_7E878C:				; CODE XREF: PspTerminateProcessesJobCallback+126362j
					; PspTerminateProcessesJobCallback+126376j
		movzx	eax, byte ptr [edi+4]
		lea	ecx, [esp+28h+var_C]
		and	eax, 1
		push	0
		push	ecx
		lea	eax, ds:6[eax*8]
		mov	[esp+30h+var_14], eax
		mov	eax, large fs:124h
		mov	edx, eax
		mov	[esp+30h+var_10], eax

loc_7E87B1:				; CODE XREF: PspTerminateProcessesJobCallback+9Dj
		mov	ecx, esi
		call	_PspGetNextJobProcess@16 ; PspGetNextJobProcess(x,x,x,x)
		mov	[esp+28h+var_18], eax
		test	eax, eax
		jnz	short loc_7E87CF
		test	bl, bl
		jnz	short loc_7E87FD

loc_7E87C4:				; CODE XREF: PspTerminateProcessesJobCallback+A6j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7E87CF:				; CODE XREF: PspTerminateProcessesJobCallback+60j
		test	dword ptr [eax+0F8h], 800h
		jnz	short loc_7E87DF
		or	byte ptr [edi+4], 2

loc_7E87DF:				; CODE XREF: PspTerminateProcessesJobCallback+7Bj
		push	dword ptr [edi]
		xor	edx, edx
		mov	ecx, eax
		push	[esp+2Ch+var_14]
		call	PspRemoveProcessFromJobChain
		push	[esp+28h+var_18]
		mov	edx, [esp+2Ch+var_10]
		lea	eax, [esp+2Ch+var_C]
		push	eax
		jmp	short loc_7E87B1
; 

loc_7E87FD:				; CODE XREF: PspTerminateProcessesJobCallback+64j
		mov	ecx, esi
		call	_PspCompleteServerSiloShutdown@4 ; PspCompleteServerSiloShutdown(x)
		jmp	short loc_7E87C4
PspTerminateProcessesJobCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspGetNextJobProcess(x, x, x, x)
_PspGetNextJobProcess@16 proc near	; CODE XREF: PspExecuteJobFreezeThawCallback(x,x)+2Ap
					; PspExecuteJobFreezeThawCallback(x,x)+4Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, edx
		mov	ebx, ecx
		mov	[ebp+var_4], eax
		push	edi
		mov	[ebp+var_8], ebx
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		cmp	[ebp+arg_4], 0
		jnz	short loc_7E88A7
		lea	eax, [ebx+24Ch]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_7E88BB
		mov	[esi], ecx
		lea	edi, [ebx+18h]
		mov	[esi+4], eax
		mov	[ecx+4], esi
		mov	[eax], esi
		mov	[esi+8], edi

loc_7E884A:				; CODE XREF: PspGetNextJobProcess(x,x,x,x)+A4j
		mov	edi, [edi]
		lea	eax, [ebx+18h]
		mov	[ebp+arg_0], eax
		cmp	edi, eax
		jnz	short loc_7E8888

loc_7E8856:				; CODE XREF: PspGetNextJobProcess(x,x,x,x)+9Dj
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_7E88BB
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_7E88BB
		mov	[ecx], eax
		xor	ebx, ebx
		mov	[eax+4], ecx

loc_7E886B:				; CODE XREF: PspGetNextJobProcess(x,x,x,x)+96j
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		mov	[esi+8], edi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		cmp	[ebp+arg_4], 0
		jnz	short loc_7E88AC

loc_7E887F:				; CODE XREF: PspGetNextJobProcess(x,x,x,x)+B3j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_7E8888:				; CODE XREF: PspGetNextJobProcess(x,x,x,x)+4Ej
					; PspGetNextJobProcess(x,x,x,x)+9Fj
		lea	ebx, [edi-1C4h]
		mov	edx, 624A7350h
		mov	ecx, ebx
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jnz	short loc_7E886B
		mov	edi, [edi]
		cmp	edi, [ebp+arg_0]
		jz	short loc_7E8856
		jmp	short loc_7E8888
; 

loc_7E88A7:				; CODE XREF: PspGetNextJobProcess(x,x,x,x)+21j
		mov	edi, [esi+8]
		jmp	short loc_7E884A
; 

loc_7E88AC:				; CODE XREF: PspGetNextJobProcess(x,x,x,x)+77j
		mov	ecx, [ebp+arg_4]
		mov	edx, 624A7350h
		call	ObfDereferenceObjectWithTag
		jmp	short loc_7E887F
; 

loc_7E88BB:				; CODE XREF: PspGetNextJobProcess(x,x,x,x)+2Ej
					; PspGetNextJobProcess(x,x,x,x)+55j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PspGetNextJobProcess@16 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspGetJobAssignmentDisposition proc near ; CODE	XREF: PsAssignProcessToJobObject+1Ep
					; PspAssignProcessToJob+BEp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090EAD9 SIZE 0000008D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	loc_90EAD9
		lea	eax, [ebx+0F0h]
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_90EB15
		test	byte ptr [ebx+0FCh], 8
		push	esi
		jnz	loc_90EB1F
		xor	esi, esi
		cmp	[ebx+158h], esi
		jnz	short loc_7E891D
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 1

loc_7E890C:				; CODE XREF: PspGetJobAssignmentDisposition+B3j
					; PspGetJobAssignmentDisposition+126264j ...
		mov	ecx, [ebp+arg_0]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	eax, esi
		pop	esi

loc_7E8917:				; CODE XREF: PspGetJobAssignmentDisposition+126246j
					; PspGetJobAssignmentDisposition+126250j ...
		pop	edi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7E891D:				; CODE XREF: PspGetJobAssignmentDisposition+41j
		mov	edx, edi
		mov	ecx, ebx
		call	_PspIsProcessInJob@8 ; PspIsProcessInJob(x,x)
		cmp	eax, 124h
		jz	loc_90EB29
		mov	ecx, [ebx+158h]
		mov	eax, edi
		test	edi, edi
		jz	short loc_7E894F

loc_7E893D:				; CODE XREF: PspGetJobAssignmentDisposition+8Dj
		cmp	eax, ecx
		jz	loc_90EB37
		mov	eax, [eax+244h]
		test	eax, eax
		jnz	short loc_7E893D

loc_7E894F:				; CODE XREF: PspGetJobAssignmentDisposition+7Bj
		mov	ecx, edi
		call	_PsIsJobParentImmutable@4 ; PsIsJobParentImmutable(x)
		test	al, al
		jnz	loc_90EB45
		cmp	[edi+8Ch], esi
		jnz	loc_90EB45
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 4
		jmp	short loc_7E890C
PspGetJobAssignmentDisposition endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspLockJobsAndProcessExclusive(x, x, x, x)
_PspLockJobsAndProcessExclusive@16 proc	near ; CODE XREF: .text:00511716p
					; PspAssignProcessToJob+A6p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, ecx
		mov	ecx, [ebp+arg_4]
		and	ecx, 1
		dec	word ptr [eax+13Eh]
		push	esi
		mov	[ebp+arg_4], ecx
		nop
		test	edx, edx
		jz	short loc_7E89A7
		lea	ecx, [edx+0E0h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+arg_4]

loc_7E89A7:				; CODE XREF: PspLockJobsAndProcessExclusive(x,x,x,x)+1Fj
		xor	esi, esi
		cmp	[ebx], esi
		jbe	short loc_7E89D0
		push	edi
		lea	edi, [ebx+4]

loc_7E89B1:				; CODE XREF: PspLockJobsAndProcessExclusive(x,x,x,x)+57j
		cmp	byte ptr [edi+4], 0
		mov	eax, [edi]
		jnz	short loc_7E89D6
		push	1
		add	eax, 20h
		push	eax
		call	ExAcquireResourceExclusiveLite

loc_7E89C4:				; CODE XREF: PspLockJobsAndProcessExclusive(x,x,x,x)+6Aj
		mov	ecx, [ebp+arg_4]
		inc	esi
		add	edi, 8
		cmp	esi, [ebx]
		jb	short loc_7E89B1
		pop	edi

loc_7E89D0:				; CODE XREF: PspLockJobsAndProcessExclusive(x,x,x,x)+35j
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7E89D6:				; CODE XREF: PspLockJobsAndProcessExclusive(x,x,x,x)+41j
		push	ecx
		xor	edx, edx
		mov	ecx, eax
		call	PspLockJobChain
		jmp	short loc_7E89C4
_PspLockJobsAndProcessExclusive@16 endp


;  S U B	R O U T	I N E 


; __stdcall PspLockJobAssignment(x)
_PspLockJobAssignment@4	proc near	; CODE XREF: PspLockJobChain+26p
					; PspGetJobLockHierarchyForDeletion(x,x)+12p ...
		test	ecx, ecx
		jz	short loc_7E89EE
		dec	word ptr [ecx+13Eh]
		nop

loc_7E89EE:				; CODE XREF: PspLockJobAssignment(x)+2j
		xor	edx, edx
		mov	ecx, offset _PspJobAssignmentLock
		jmp	ExAcquirePushLockExclusiveEx
_PspLockJobAssignment@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspGetJobLockHierarchyForAssignment proc near ;	CODE XREF: PspAssignProcessToJob+8Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0090EB66 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		sub	eax, 1
		jnz	short loc_7E8A1F

loc_7E8A0A:				; CODE XREF: PspGetJobLockHierarchyForAssignment+2Dj
					; PspGetJobLockHierarchyForAssignment+126174j
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 1
		mov	[eax+4], esi
		mov	byte ptr [eax+8], 1

loc_7E8A1A:				; CODE XREF: PspGetJobLockHierarchyForAssignment+55j
					; PspGetJobLockHierarchyForAssignment+5Dj ...
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_7E8A1F:				; CODE XREF: PspGetJobLockHierarchyForAssignment+Ej
		sub	eax, 1
		jz	short loc_7E8A51
		sub	eax, 1
		jz	short loc_7E8A0A
		sub	eax, 1
		jnz	loc_90EB66
		mov	eax, [edx+158h]

loc_7E8A38:				; CODE XREF: PspGetJobLockHierarchyForAssignment+126186j
		mov	ecx, [ebp+arg_8]
		mov	dword ptr [ecx], 2
		mov	[ecx+4], eax
		mov	byte ptr [ecx+8], 1
		mov	[ecx+0Ch], esi
		mov	byte ptr [ecx+10h], 0
		jmp	short loc_7E8A1A
; 

loc_7E8A51:				; CODE XREF: PspGetJobLockHierarchyForAssignment+28j
		mov	eax, [ebp+arg_8]
		and	dword ptr [eax], 0
		jmp	short loc_7E8A1A
PspGetJobLockHierarchyForAssignment endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtOpenPrivateNamespace proc near	; DATA XREF: .text:00580F2Co

var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0090EB85 SIZE 0000002C BYTES
; FUNCTION CHUNK AT 0090EBD1 SIZE 00000016 BYTES

		push	1Ch
		push	offset dword_6A4E80
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_24], ecx
		mov	eax, large fs:124h
		mov	dl, [eax+15Ah]
		mov	byte ptr [ebp+var_2C], dl
		mov	[ebp+var_1C], ecx
		test	dl, dl
		jz	loc_90EBD1
		mov	[ebp+ms_exc.disabled], ecx
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_90EB85

loc_7E8A9B:				; CODE XREF: NtOpenPrivateNamespace+12612Dj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	loc_90EB8C

loc_7E8AAA:				; CODE XREF: NtOpenPrivateNamespace+126152j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7E8AB1:				; CODE XREF: NtOpenPrivateNamespace+12617Cj
					; NtOpenPrivateNamespace+126188j
		xor	ebx, ebx
		test	dl, dl
		setz	bl
		dec	ebx
		and	ebx, 0FFFEFE00h
		add	ebx, 11FF2h
		and	ebx, [ebp+var_1C]
		lea	edx, [ebp+var_20]
		mov	ecx, [ebp+arg_C]
		call	ObpCaptureBoundaryDescriptor
		test	eax, eax
		js	short loc_7E8B34
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, eax
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		lea	edi, [esi+19Ch]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		lea	ecx, [esi+74h]
		mov	edx, [ebp+var_20]
		call	_ObpLookupNamespaceEntry@8 ; ObpLookupNamespaceEntry(x,x)
		mov	esi, eax
		push	534E624Fh
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jnz	short loc_7E8B46

loc_7E8B1A:				; CODE XREF: NtOpenPrivateNamespace+F1j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, 0C000003Ah

loc_7E8B34:				; CODE XREF: NtOpenPrivateNamespace+7Bj
					; NtOpenPrivateNamespace+14Bj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7E8B46:				; CODE XREF: NtOpenPrivateNamespace+BEj
		mov	esi, [esi+8]
		test	esi, esi
		jz	short loc_7E8B1A
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_2C]
		push	_ObpDirectoryObjectType
		push	[ebp+arg_4]
		push	0
		push	ebx
		push	esi
		call	ObOpenObjectByPointer
		mov	[ebp+arg_8], eax
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_7E8B9B:				; CODE XREF: sub_90EBEB+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+arg_8]
		jmp	short loc_7E8B34
NtOpenPrivateNamespace endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PspLockJobListExclusive(x)
_PspLockJobListExclusive@4 proc	near	; CODE XREF: .text:005116A3p
					; NtCreateJobObject+153p
		dec	word ptr [ecx+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset _PspJobListLock
		jmp	ExAcquirePushLockExclusiveEx
_PspLockJobListExclusive@4 endp


;  S U B	R O U T	I N E 


PspUnlockJobListExclusive proc near	; CODE XREF: .text:005116C8p
					; NtCreateJobObject+17Cp

; FUNCTION CHUNK AT 0090EBF3 SIZE 00000014 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		mov	edi, offset _PspJobListLock
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_90EBF3

loc_7E8BD7:				; CODE XREF: PspUnlockJobListExclusive+126039j
					; PspUnlockJobListExclusive+126046j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ecx
		retn
PspUnlockJobListExclusive endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 455. ExUuidCreate

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExUuidCreate
ExUuidCreate	proc near		; CODE XREF: CmpUuidCreate+Cp
					; NtCreateJobObject+19Bp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090EC07 SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	ecx, large fs:124h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_8], ecx
		push	edi
		or	esi, 0FFFFFFFFh

loc_7E8C08:				; CODE XREF: ExUuidCreate+58j
					; ExUuidCreate+60j ...
		mov	ecx, [ebp+arg_0]
		mov	edx, ds:_ExpUuidCachedValues
		mov	eax, ds:dword_A93E1C
		mov	edi, ds:dword_A93E14
		mov	[ecx+8], eax
		mov	eax, ds:dword_A93E20
		mov	[ecx+0Ch], eax
		mov	al, ds:_ExpUuidCacheValid
		mov	[ebp+var_1], al
		mov	eax, esi
		mov	[ebp+var_C], edx
		lock xadd ds:dword_A93E18, eax
		dec	eax
		mov	ecx, [ebp+var_8]
		cmp	edx, ds:_ExpUuidCachedValues
		jnz	short loc_7E8C08
		cmp	edi, ds:dword_A93E14
		jnz	short loc_7E8C08
		test	eax, eax
		js	short loc_7E8C8E
		mov	ecx, [ebp+var_C]
		cdq
		sub	ecx, eax
		mov	eax, [ebp+arg_0]
		sbb	edi, edx
		mov	[eax+4], di
		shr	edi, 10h
		mov	[eax], ecx
		mov	ecx, 0FFFh
		and	di, cx
		inc	ecx
		or	di, cx
		cmp	[ebp+var_1], 0
		mov	[eax+6], di
		jz	short loc_7E8C87

loc_7E8C7E:				; CODE XREF: ExUuidCreate+9Ej
					; ExUuidCreate+12608Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_7E8C87:				; CODE XREF: ExUuidCreate+8Ej
		mov	ebx, 40020056h
		jmp	short loc_7E8C7E
; 

loc_7E8C8E:				; CODE XREF: ExUuidCreate+64j
		dec	word ptr [ecx+13Ch]
		nop
		push	0
		xor	edx, edx
		mov	ecx, offset _ExpUuidLock
		call	KeAbPreAcquire
		mov	[ebp+var_10], eax
		mov	ecx, offset _ExpUuidLock
		lock bts dword ptr [ecx], 0
		jb	loc_90EC07

loc_7E8CB7:				; CODE XREF: ExUuidCreate+126029j
		test	eax, eax
		jz	short loc_7E8CBF
		or	byte ptr [eax+0Eh], 1

loc_7E8CBF:				; CODE XREF: ExUuidCreate+CBj
		mov	eax, [ebp+var_C]
		cmp	eax, ds:_ExpUuidCachedValues
		jnz	loc_90EC31
		cmp	edi, ds:dword_A93E14
		jnz	loc_90EC31
		mov	ecx, offset _ExpUuidCachedValues
		call	_ExpUuidGetValues@4 ; ExpUuidGetValues(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_90EC50
		call	_ExpUuidSaveSequenceNumberIf@0 ; ExpUuidSaveSequenceNumberIf()
		mov	cl, ds:_ExpUuidCacheValid
		mov	edi, offset _ExpUuidLock
		mov	ecx, esi
		lock xadd [edi], ecx
		test	cl, 2
		jnz	loc_90EC1C

loc_7E8D0D:				; CODE XREF: ExUuidCreate+126031j
					; ExUuidCreate+12603Ej
		mov	ecx, edi

loc_7E8D0F:				; CODE XREF: ExUuidCreate+12604Dj
					; ExUuidCreate+12605Dj
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_7E8C08
ExUuidCreate	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PspIoRateEntryInitialize(x)
_PspIoRateEntryInitialize@4 proc near	; CODE XREF: NtCreateJobObject+1DDp
					; PspSetJobIoRateControlForVolume(x,x,x,x,x)+48p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	eax, eax
		push	7
		pop	ecx
		mov	edi, ebx
		rep stosd
		lea	esi, [ebx+10h]
		mov	ecx, esi
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	ecx, esi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, esi
		call	@ExRundownCompleted@4 ;	ExRundownCompleted(x)
		or	dword ptr [ebx+8], 0FFFFFFFFh
		pop	edi
		pop	esi
		pop	ebx
		retn
_PspIoRateEntryInitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreatePrivateNamespace proc near	; DATA XREF: .text:0058112Co

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0090EC7D SIZE 00000007 BYTES
; FUNCTION CHUNK AT 0090ECA4 SIZE 0000003C BYTES

		push	1Ch
		push	offset dword_6A4EA8
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jz	short loc_7E8D9A
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_90EC7D

loc_7E8D8F:				; CODE XREF: NtCreatePrivateNamespace+125F2Dj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7E8D9A:				; CODE XREF: NtCreatePrivateNamespace+28j
		lea	edx, [ebp+var_20]
		mov	ecx, [ebp+arg_C]
		call	ObpCaptureBoundaryDescriptor
		test	eax, eax
		js	loc_7E8F20
		mov	ebx, [ebp+var_20]
		lea	ecx, [ebx+18h]
		call	ObpVerifyCreatorAccessCheck
		mov	esi, eax
		test	esi, esi
		js	loc_90ECAD
		mov	eax, [ebx+0Ch]
		lea	esi, [eax+0C8h]
		cmp	esi, eax
		jb	loc_90ECA4
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		push	edi
		push	esi
		push	edi
		push	[ebp+var_24]
		push	[ebp+arg_8]
		push	_ObpDirectoryObjectType
		push	[ebp+var_24]
		call	_ObCreateObject@36 ; ObCreateObject(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_90ECAB
		push	esi		; size_t
		push	edi		; int
		mov	esi, [ebp+var_1C]
		mov	[ebp+arg_8], esi
		push	esi		; void *
		call	_memset
		lea	edi, [esi+0B7h]
		and	edi, 0FFFFFFF8h
		mov	[edi+4], edi
		mov	[edi], edi
		mov	ecx, [ebx+0Ch]
		mov	[edi+0Ch], ecx
		and	dword ptr [edi+8], 0
		mov	al, [ebx+14h]
		mov	[edi+14h], al
		push	ecx		; size_t
		lea	eax, [ebx+18h]
		push	eax		; void *
		lea	eax, [edi+18h]
		push	eax		; void *
		call	_memcpy
		add	esp, 18h
		push	534E624Fh
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+94h], 0
		or	dword ptr [esi+0ACh], 0FFFFFFFFh
		mov	dword ptr [esi+0A8h], 1
		lea	ecx, [esi-18h]
		mov	al, [ecx+0Eh]
		test	al, 2
		jnz	loc_7E8F32
		xor	ecx, ecx

loc_7E8E67:				; CODE XREF: NtCreatePrivateNamespace+1EFj
		test	ecx, ecx
		jnz	loc_90ECBF
		mov	ecx, edi
		call	_ObpRegisterPrivateNamespace@4 ; ObpRegisterPrivateNamespace(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7E8F46
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		lea	eax, [ebp+var_28]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_4]
		xor	edx, edx
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+arg_C], esi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ebx, eax
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		lea	eax, [ebx+19Ch]
		mov	[ebp+arg_4], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockExclusiveEx
		test	esi, esi
		js	loc_90ECC9
		mov	eax, [ebp+arg_8]
		test	byte ptr [eax+0A8h], 2
		jnz	loc_90ECC9
		mov	eax, [ebp+var_1C]
		mov	[edi+8], eax
		mov	[eax+0A0h], edi

loc_7E8EED:				; CODE XREF: NtCreatePrivateNamespace+125F89j
		xor	edx, edx
		mov	ecx, [ebp+arg_4]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		jl	short loc_7E8F1D
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_28]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_7E8F16:				; CODE XREF: sub_90ECE4+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7E8F1D:				; CODE XREF: NtCreatePrivateNamespace+1B3j
		mov	eax, [ebp+arg_C]

loc_7E8F20:				; CODE XREF: NtCreatePrivateNamespace+55j
					; NtCreatePrivateNamespace+1FDj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7E8F32:				; CODE XREF: NtCreatePrivateNamespace+10Dj
		movzx	eax, al
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		jmp	loc_7E8E67
; 

loc_7E8F46:				; CODE XREF: NtCreatePrivateNamespace+128j
					; NtCreatePrivateNamespace+125F72j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, ebx
		jmp	short loc_7E8F20
NtCreatePrivateNamespace endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpRegisterPrivateNamespace(x)
_ObpRegisterPrivateNamespace@4 proc near ; CODE	XREF: NtCreatePrivateNamespace+11Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, 0C0000035h
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esi+19Ch]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	ExAcquirePushLockExclusiveEx
		add	esi, 74h
		mov	edx, edi
		mov	ecx, esi
		call	_ObpLookupNamespaceEntry@8 ; ObpLookupNamespaceEntry(x,x)
		test	eax, eax
		jnz	short loc_7E8FB9
		movzx	eax, byte ptr [edi+14h]
		lea	eax, [esi+eax*8]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_7E8FD6
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		inc	dword ptr [esi+12Ch]
		xor	ebx, ebx

loc_7E8FB9:				; CODE XREF: ObpRegisterPrivateNamespace(x)+45j
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_7E8FD6:				; CODE XREF: ObpRegisterPrivateNamespace(x)+53j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_ObpRegisterPrivateNamespace@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpLookupNamespaceEntry(x, x)
_ObpLookupNamespaceEntry@8 proc	near	; CODE XREF: NtOpenPrivateNamespace+A8p
					; ObpRegisterPrivateNamespace(x)+3Ep
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		movzx	eax, byte ptr [edi+14h]
		lea	ebx, [ecx+eax*8]
		mov	esi, [ebx]

loc_7E8FF3:				; CODE XREF: ObpLookupNamespaceEntry(x,x)+3Fj
		cmp	esi, ebx
		jnz	short loc_7E9000
		xor	eax, eax

loc_7E8FF9:				; CODE XREF: ObpLookupNamespaceEntry(x,x)+3Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7E9000:				; CODE XREF: ObpLookupNamespaceEntry(x,x)+19j
		mov	eax, [esi+0Ch]
		cmp	eax, [edi+0Ch]
		jnz	short loc_7E9019
		mov	edx, edi
		mov	ecx, esi
		call	_ObpCompareNamespaceEntry@8 ; ObpCompareNamespaceEntry(x,x)
		test	eax, eax
		jz	short loc_7E9019
		mov	eax, esi
		jmp	short loc_7E8FF9
; 

loc_7E9019:				; CODE XREF: ObpLookupNamespaceEntry(x,x)+2Aj
					; ObpLookupNamespaceEntry(x,x)+37j
		mov	esi, [esi]
		jmp	short loc_7E8FF3
_ObpLookupNamespaceEntry@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateJobObject proc near		; DATA XREF: .text:00581154o

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0090ECEC SIZE 0000003A BYTES
; FUNCTION CHUNK AT 0090ED5D SIZE 00000015 BYTES

		push	30h
		push	offset dword_6A4ED0
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_2C], esi
		mov	eax, large fs:124h
		mov	[ebp+var_30], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		mov	[ebp+ms_exc.disabled], esi
		test	al, al
		jz	short loc_7E9062
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_90ECEC

loc_7E905E:				; CODE XREF: NtCreateJobObject+125CD0j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_7E9062:				; CODE XREF: NtCreateJobObject+2Ej
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	_PoEnergyEstimationEnabled@0 ; PoEnergyEstimationEnabled()
		mov	[ebp+var_19], al
		xor	ebx, ebx
		test	al, al
		setnz	bl
		dec	ebx
		and	ebx, 0FFFFFE50h
		add	ebx, 570h
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		push	esi
		push	ebx
		push	esi
		push	[ebp+var_24]
		push	[ebp+arg_8]
		push	ds:_PsJobType
		push	[ebp+var_24]
		call	_ObCreateObject@36 ; ObCreateObject(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7E928D
		push	ebx		; size_t
		push	esi		; int
		mov	esi, [ebp+var_20]
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+248h], esi
		lea	eax, [esi+18h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+23Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+234h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+24Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[esi+230h], ebx
		lea	eax, [esi+0B8h]
		push	eax
		call	_KeInitializeAffinityEx@4 ; KeInitializeAffinityEx(x)
		lea	eax, [esi+15Ch]
		push	eax
		call	_KeInitializeAffinityEx@4 ; KeInitializeAffinityEx(x)
		lea	eax, [esi+2FCh]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[eax+8], ebx
		cmp	[ebp+var_19], bl
		jz	short loc_7E9134
		lea	eax, [esi+3C0h]
		mov	[esi+318h], eax

loc_7E9134:				; CODE XREF: NtCreateJobObject+108j
		or	dword ptr [esi+0E8h], 0FFFFFFFFh
		mov	dword ptr [esi+1A8h], 3FFEh
		mov	dword ptr [esi+38Ch], 1
		mov	dword ptr [esi+190h], 0Ah
		mov	dword ptr [esi+0ECh], 5
		lea	eax, [esi+20h]
		push	eax
		call	ExInitializeResourceLite
		mov	edi, [ebp+var_30]
		mov	ecx, edi
		call	_PspLockJobListExclusive@4 ; PspLockJobListExclusive(x)
		lea	eax, [esi+10h]
		mov	ecx, ds:dword_A93C6C
		mov	edx, offset _PspJobList
		cmp	[ecx], edx
		jnz	loc_7E927D
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:dword_A93C6C, eax
		mov	ecx, edi
		call	PspUnlockJobListExclusive
		or	dword ptr [esi+310h], 200000h
		mov	eax, [esi+310h]
		mov	[ebp+var_2C], eax
		lea	edi, [esi+2D8h]

loc_7E91B8:				; CODE XREF: NtCreateJobObject+125CF3j
		push	edi
		call	ExUuidCreate
		mov	ebx, eax
		cmp	ebx, 0C000022Dh
		jz	loc_90ECF3

loc_7E91CC:				; CODE XREF: NtCreateJobObject+125CF9j
		lea	edi, [ebx-40020056h]
		neg	edi
		sbb	edi, edi
		and	edi, ebx
		jl	short loc_7E91F5
		mov	edx, esi
		mov	ecx, ds:_PspUniqueJobIdTable
		call	_ExCreateHandle@8 ; ExCreateHandle(x,x)
		test	eax, eax
		jz	loc_90ED1C
		mov	[esi+2D4h], eax

loc_7E91F5:				; CODE XREF: NtCreateJobObject+1BAj
					; NtCreateJobObject+125D03j
		lea	ecx, [esi+340h]
		call	_PspIoRateEntryInitialize@4 ; PspIoRateEntryInitialize(x)
		xor	ebx, ebx
		mov	[esi+360h], ebx
		mov	[esi+364h], ebx
		mov	[esi+388h], ebx
		mov	ecx, esi
		test	edi, edi
		js	short loc_7E9284
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		lea	eax, [ebp+var_28]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+arg_4]
		xor	edx, edx
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7E9282
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_28]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7E924E:				; CODE XREF: NtCreateJobObject+26Dj
					; NtCreateJobObject+272j
		test	ds:_PerfGlobalGroupMask, 80000h
		jnz	loc_90ED5D

loc_7E925E:				; CODE XREF: NtCreateJobObject+125D4Fj
		test	esi, esi
		jz	short loc_7E9269
		mov	ecx, esi
		call	ObfDereferenceObject

loc_7E9269:				; CODE XREF: NtCreateJobObject+242j
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7E927D:				; CODE XREF: NtCreateJobObject+168j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_7E9282:				; CODE XREF: NtCreateJobObject+218j
		mov	ecx, esi

loc_7E9284:				; CODE XREF: NtCreateJobObject+1FAj
		call	ObfDereferenceObject
		mov	esi, ebx
		jmp	short loc_7E924E
; 

loc_7E928D:				; CODE XREF: NtCreateJobObject+8Cj
					; sub_90ED36+22j
		mov	esi, [ebp+var_20]
		jmp	short loc_7E924E
NtCreateJobObject endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpVerifyCreatorAccessCheck proc near	; CODE XREF: NtCreatePrivateNamespace+61p
					; NtDeletePrivateNamespace(x)+57p

var_80		= dword	ptr -80h
var_7C		= word ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= byte ptr -54h
var_50		= dword	ptr -50h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090ED72 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+84h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+90h+var_7C], 1000h
		push	44h		; size_t
		push	eax		; int
		mov	[esp+98h+var_80], eax
		mov	ebx, ecx
		lea	eax, [esp+98h+var_50]
		push	eax		; void *
		call	_memset
		and	[esp+9Ch+var_74], 0
		lea	edi, [esp+9Ch+var_70]
		and	[esp+9Ch+var_78], 0
		add	esp, 0Ch
		xor	eax, eax
		push	8
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		lea	ecx, [esp+90h+var_70]
		push	ecx
		push	dword ptr [eax+80h]
		push	eax
		call	SeCaptureSubjectContextEx
		mov	esi, [esp+90h+var_70]
		test	esi, esi
		jz	loc_7E93DA

loc_7E9308:				; CODE XREF: ObpVerifyCreatorAccessCheck+14Cj
		cmp	dword ptr [esi+0A8h], 2
		jnz	short loc_7E931E
		cmp	dword ptr [esi+0ACh], 2
		jl	loc_90ED7D

loc_7E931E:				; CODE XREF: ObpVerifyCreatorAccessCheck+7Dj
		lea	eax, [esp+90h+var_78]
		push	eax
		push	1Dh
		push	esi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		cmp	[esp+90h+var_78], 0
		jnz	loc_7E93E3

loc_7E9336:				; CODE XREF: ObpVerifyCreatorAccessCheck+164j
		lea	eax, [esp+90h+var_74]
		push	eax
		push	19h
		push	esi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		push	1
		lea	eax, [esp+94h+var_80]
		push	eax
		lea	eax, [esp+98h+var_50]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	0
		lea	eax, [esp+94h+var_50]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	edx, [esp+90h+var_74]
		mov	[eax], edx
		lea	eax, [esp+90h+var_50]
		mov	[esp+90h+var_5C], eax
		lea	eax, [esp+90h+var_70]
		push	eax
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)
		lea	eax, [esp+90h+var_70]
		mov	edx, offset ObpVerifyAccessToBoundaryEntry
		push	eax
		mov	ecx, ebx
		call	RtlEnumerateBoundaryDescriptorEntries
		mov	esi, eax
		lea	eax, [esp+90h+var_70]
		push	eax
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		mov	ecx, [esp+90h+var_58]
		test	ecx, ecx
		js	short loc_7E93B0
		test	esi, esi
		js	loc_90ED72

loc_7E93A5:				; CODE XREF: ObpVerifyCreatorAccessCheck+125AE6j
		test	ecx, ecx
		js	short loc_7E93B0
		cmp	[esp+90h+var_60], 0
		jnz	short loc_7E93FE

loc_7E93B0:				; CODE XREF: ObpVerifyCreatorAccessCheck+109j
					; ObpVerifyCreatorAccessCheck+115j ...
		lea	eax, [esp+90h+var_70]
		push	eax
		call	SeReleaseSubjectContext
		cmp	[esp+90h+var_60], 0
		jnz	short loc_7E940A

loc_7E93C1:				; CODE XREF: ObpVerifyCreatorAccessCheck+183j
		mov	ecx, [esp+90h+var_4]
		mov	eax, [esp+90h+var_58]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7E93DA:				; CODE XREF: ObpVerifyCreatorAccessCheck+70j
		mov	esi, [esp+90h+var_68]
		jmp	loc_7E9308
; 

loc_7E93E3:				; CODE XREF: ObpVerifyCreatorAccessCheck+9Ej
		lea	eax, [esp+90h+var_60]
		push	eax
		push	1Fh
		push	esi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	[esp+90h+var_58], eax
		test	eax, eax
		jns	loc_7E9336
		jmp	short loc_7E93B0
; 

loc_7E93FE:				; CODE XREF: ObpVerifyCreatorAccessCheck+11Cj
		test	[esp+90h+var_54], 1
		jnz	short loc_7E93B0
		jmp	loc_90ED7D
; 

loc_7E940A:				; CODE XREF: ObpVerifyCreatorAccessCheck+12Dj
		push	0
		push	[esp+94h+var_60]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7E93C1
ObpVerifyCreatorAccessCheck endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsParentOfChildAppContainer(x, x)
_RtlIsParentOfChildAppContainer@8 proc near ; CODE XREF: SepCheckCreateLowBox(x)+8Ep
					; NtCreateTokenEx+69Dp	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	ebx, edx
		push	eax
		push	esi
		mov	[ebp+var_8], esi
		call	RtlGetAppContainerSidType
		test	eax, eax
		js	short loc_7E947E
		cmp	[ebp+var_4], 2
		jnz	short loc_7E947E
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		call	RtlGetAppContainerSidType
		test	eax, eax
		js	short loc_7E947E
		cmp	[ebp+var_4], 1
		jnz	short loc_7E947E
		xor	edi, edi
		inc	edi

loc_7E9458:				; CODE XREF: RtlIsParentOfChildAppContainer(x,x)+5Dj
		push	edi
		push	esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	edi
		push	ebx
		mov	esi, eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	ecx, [esi]
		cmp	ecx, [eax]
		jnz	short loc_7E947E
		mov	esi, [ebp+var_8]
		inc	edi
		cmp	edi, 8
		jb	short loc_7E9458
		mov	al, 1

loc_7E9479:				; CODE XREF: RtlIsParentOfChildAppContainer(x,x)+68j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7E947E:				; CODE XREF: RtlIsParentOfChildAppContainer(x,x)+21j
					; RtlIsParentOfChildAppContainer(x,x)+27j ...
		xor	al, al
		jmp	short loc_7E9479
_RtlIsParentOfChildAppContainer@8 endp

; 
		align 4
		dd 2 dup(0CCCCCCCCh)
; 
; Exported entry 1593. NtSetInformationToken

; __stdcall NtSetInformationToken(x, x,	x, x)
		public _NtSetInformationToken@16
_NtSetInformationToken@16:		; DATA XREF: .text:00580CB4o
		push	144h
		push	offset dword_6A4EF8
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp-25h], bl
		mov	[ebp-4Ch], ebx
		mov	[ebp-68h], ebx
		mov	[ebp-2Ch], ebx
		mov	[ebp-30h], ebx
		mov	[ebp-48h], ebx
		mov	[ebp-3Ch], ebx
		mov	[ebp-38h], ebx
		mov	[ebp-10Ch], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-19h], al
		mov	[ebp-24h], al
		test	al, al
		jz	short loc_7E9500
		mov	[ebp-4], ebx
		mov	ecx, [ebp+14h]
		test	ecx, ecx
		jz	short loc_7E94F9
		mov	eax, [ebp+10h]
		test	al, 3
		jnz	loc_7EA705
		lea	edx, [eax+ecx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_7E94F7
		cmp	edx, eax
		jnb	short loc_7E94F9

loc_7E94F7:				; CODE XREF: PAGE:007E94F1j
		mov	[ecx], bl

loc_7E94F9:				; CODE XREF: PAGE:007E94D9j
					; PAGE:007E94F5j
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7E9500:				; CODE XREF: PAGE:007E94CFj
		mov	edi, [ebp+0Ch]
		cmp	edi, 4
		jz	short loc_7E9576
		cmp	edi, 5
		jz	short loc_7E9576
		cmp	edi, 0Ch
		jz	short loc_7E9576
		cmp	edi, 6
		jz	short loc_7E9576
		cmp	edi, 0Eh
		jz	short loc_7E9576
		cmp	edi, 10h
		jz	short loc_7E9576
		cmp	edi, 13h
		jz	short loc_7E9576
		cmp	edi, 11h
		jz	short loc_7E9576
		cmp	edi, 19h
		jz	short loc_7E9576
		cmp	edi, 1Bh
		jz	short loc_7E9576
		cmp	edi, 17h
		jz	short loc_7E9576
		cmp	edi, 18h
		jz	short loc_7E9576
		cmp	edi, 1Ah
		jz	short loc_7E9576
		cmp	edi, 27h
		jz	short loc_7E9576
		cmp	edi, 2Ah
		jz	short loc_7E9576
		cmp	edi, 2Dh
		jz	short loc_7E9576
		mov	eax, 0C0000003h
		jmp	loc_7EA6F3
; 

loc_7E955D:				; DATA XREF: .text:006A4F0Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7E956B:				; DATA XREF: .text:006A4F10o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-54h]
		jmp	loc_7E9B66
; 

loc_7E9576:				; CODE XREF: PAGE:007E9506j
					; PAGE:007E950Bj ...
		mov	ecx, 80h
		cmp	edi, 0Ch
		jnz	short loc_7E9587
		mov	ecx, 180h
		jmp	short loc_7E958F
; 

loc_7E9587:				; CODE XREF: PAGE:007E957Ej
		cmp	edi, 13h
		jnz	short loc_7E958F
		lea	ecx, [edi+75h]

loc_7E958F:				; CODE XREF: PAGE:007E9585j
					; PAGE:007E958Aj
		mov	eax, ds:_SeTokenObjectType
		mov	[ebp-20h], ebx
		push	ebx
		lea	edx, [ebp-20h]
		push	edx
		push	dword ptr [ebp-24h]
		push	eax
		push	ecx
		push	dword ptr [ebp+8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp-20h]
		mov	[ebp-50h], esi
		test	eax, eax
		js	loc_7EA6F3
		cmp	edi, 17h
		jg	loc_7E9FB1
		jz	loc_7E9EF6
		cmp	edi, 0Eh
		jg	loc_7E9C52
		jz	loc_7E9B72
		push	4
		pop	eax
		sub	edi, eax
		jz	loc_7E998F
		sub	edi, 1
		jz	loc_7E9839
		sub	edi, 1
		jz	short loc_7E966C
		sub	edi, 6
		jnz	loc_7E9FEC
		cmp	[ebp+14h], eax
		jnz	loc_7E9994
		mov	dword ptr [ebp-4], 5
		mov	eax, [ebp+10h]
		mov	edi, [eax]
		mov	[ebp-130h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	dword ptr [ebp-24h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_7E963B

loc_7E9631:				; CODE XREF: PAGE:007E9BABj
					; PAGE:007E9D08j ...
		mov	edi, 0C0000061h
		jmp	loc_7E99CD
; 

loc_7E963B:				; CODE XREF: PAGE:007E962Fj
		mov	edx, edi
		mov	ecx, esi
		call	SeSetSessionIdToken

loc_7E9644:				; CODE XREF: PAGE:007E9C97j
					; PAGE:007EA0FFj ...
		mov	edi, eax
		jmp	loc_7E99CD
; 

loc_7E964B:				; DATA XREF: .text:006A4F48o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-58h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7E9659:				; DATA XREF: .text:006A4F4Co
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	eax, [ebp-58h]
		jmp	loc_7E9B66
; 

loc_7E966C:				; CODE XREF: PAGE:007E95ECj
		cmp	[ebp+14h], eax
		jb	loc_7E9994
		mov	[ebp-4], eax
		mov	eax, [ebp+10h]
		mov	eax, [eax]
		mov	[ebp+10h], eax
		mov	[ebp-48h], eax
		test	eax, eax
		jz	short loc_7E96AB
		lea	ecx, [ebp-4Ch]
		push	ecx
		lea	ecx, [ebp-48h]
		push	ecx
		push	ecx
		push	1
		push	ecx
		push	ecx
		mov	dl, [ebp-19h]
		mov	ecx, eax
		call	SeCaptureAcl
		mov	edi, eax
		mov	[ebp-34h], edi
		mov	eax, [ebp-48h]
		mov	[ebp+10h], eax
		jmp	short loc_7E96B3
; 

loc_7E96AB:				; CODE XREF: PAGE:007E9685j
		mov	[ebp-4Ch], ebx
		mov	edi, ebx
		mov	[ebp-34h], edi

loc_7E96B3:				; CODE XREF: PAGE:007E96A9j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	edi, edi
		js	loc_7E99CD
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp-5Ch], ebx
		xor	ecx, ecx
		lea	eax, [ebp-5Ch]
		lock or	[eax], ecx
		mov	eax, [esi+9Ch]
		movzx	edx, byte ptr [eax+1]
		mov	ecx, [ebp-4Ch]
		add	ecx, 8
		lea	edx, [ecx+edx*4]
		cmp	edx, [esi+88h]
		jbe	short loc_7E9732
		mov	[ebp-60h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-60h]
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, [ebp+10h]
		test	eax, eax
		jz	short loc_7E9728
		push	ecx
		mov	dl, [ebp-19h]
		mov	ecx, eax
		call	_SeReleaseAcl@12 ; SeReleaseAcl(x,x,x)

loc_7E9728:				; CODE XREF: PAGE:007E971Bj
		mov	eax, 0C0000099h
		jmp	loc_7EA6F3
; 

loc_7E9732:				; CODE XREF: PAGE:007E96F5j
		mov	ecx, esi
		call	_SepExpandDynamic@8 ; SepExpandDynamic(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_7E9779
		mov	[ebp-64h], ebx
		lea	eax, [ebp-64h]

loc_7E9745:				; CODE XREF: PAGE:007E97A3j
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, [ebp+10h]
		test	eax, eax
		jz	loc_7E99D4
		push	ecx
		mov	dl, [ebp-19h]
		mov	ecx, eax
		call	_SeReleaseAcl@12 ; SeReleaseAcl(x,x,x)
		jmp	loc_7E99D4
; 

loc_7E9779:				; CODE XREF: PAGE:007E973Dj
		mov	ecx, [esi+0A4h]
		test	ecx, ecx
		jz	short loc_7E97A5
		lea	eax, [ebp-68h]
		push	eax
		lea	eax, [ebp-3Ch]
		push	eax
		push	ecx
		push	1
		push	ecx
		push	ecx
		xor	dl, dl
		call	SeCaptureAcl
		mov	edi, eax
		test	edi, edi
		jns	short loc_7E97A5
		mov	[ebp-6Ch], ebx
		lea	eax, [ebp-6Ch]
		jmp	short loc_7E9745
; 

loc_7E97A5:				; CODE XREF: PAGE:007E9781j
					; PAGE:007E979Bj
		mov	ecx, esi
		call	SepFreeDefaultDacl
		mov	edi, [ebp+10h]
		test	edi, edi
		jz	short loc_7E97BC
		mov	edx, edi
		mov	ecx, esi
		call	_SepAppendDefaultDacl@8	; SepAppendDefaultDacl(x,x)

loc_7E97BC:				; CODE XREF: PAGE:007E97B1j
		push	edi
		push	dword ptr [ebp-3Ch]
		push	dword ptr [ebp+8]
		mov	edx, esi
		call	SeTokenDefaultDaclChangedAuditAlarm
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		mov	[ebp-70h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-70h]
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		test	edi, edi
		jz	short loc_7E9800
		push	ecx
		mov	dl, [ebp-19h]
		mov	ecx, edi
		call	_SeReleaseAcl@12 ; SeReleaseAcl(x,x,x)

loc_7E9800:				; CODE XREF: PAGE:007E97F3j
		cmp	dword ptr [ebp-3Ch], 0
		jz	short loc_7E9811
		push	ecx
		xor	dl, dl
		mov	ecx, [ebp-3Ch]
		call	_SeReleaseAcl@12 ; SeReleaseAcl(x,x,x)

loc_7E9811:				; CODE XREF: PAGE:007E9804j
					; PAGE:007E9EBEj
		xor	eax, eax
		jmp	loc_7EA6F3
; 

loc_7E9818:				; DATA XREF: .text:006A4F3Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-74h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7E9826:				; DATA XREF: .text:006A4F40o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	eax, [ebp-74h]
		jmp	loc_7E9B66
; 

loc_7E9839:				; CODE XREF: PAGE:007E95E3j
		cmp	[ebp+14h], eax
		jb	loc_7E9994
		mov	dword ptr [ebp-4], 3
		mov	eax, [ebp+10h]
		mov	ecx, [eax]
		mov	[ebp-30h], ecx
		lea	eax, [ebp-30h]
		push	eax
		push	1
		sub	esp, 0Ch
		mov	dl, [ebp-19h]
		call	SeCaptureSid
		mov	edi, eax
		mov	[ebp-34h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	edi, edi
		js	loc_7E99CD
		mov	edi, [ebp-30h]
		mov	edx, edi
		mov	ecx, esi
		call	_SepIdAssignableAsGroup@8 ; SepIdAssignableAsGroup(x,x)
		test	al, al
		jnz	short loc_7E9890
		mov	edi, 0C000005Bh
		jmp	loc_7E9952
; 

loc_7E9890:				; CODE XREF: PAGE:007E9884j
		movzx	eax, byte ptr [edi+1]
		lea	edi, ds:8[eax*4]
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp-78h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-78h]
		lock or	[eax], ecx
		mov	ecx, [esi+0A4h]
		mov	eax, edi
		test	ecx, ecx
		jz	short loc_7E98C9
		movzx	eax, word ptr [ecx+2]
		add	eax, edi
		mov	edi, eax

loc_7E98C9:				; CODE XREF: PAGE:007E98BFj
		cmp	eax, [esi+88h]
		jbe	short loc_7E98F0
		mov	[ebp-7Ch], ebx
		xor	ecx, ecx
		lea	eax, [ebp-7Ch]
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edi, 0C0000099h
		jmp	short loc_7E9952
; 

loc_7E98F0:				; CODE XREF: PAGE:007E98CFj
		mov	edx, edi
		mov	ecx, esi
		call	_SepExpandDynamic@8 ; SepExpandDynamic(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_7E9919
		mov	[ebp-80h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-80h]
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	short loc_7E9952
; 

loc_7E9919:				; CODE XREF: PAGE:007E98FDj
		mov	ecx, esi
		call	_SepFreePrimaryGroup@4 ; SepFreePrimaryGroup(x)
		mov	edx, [ebp-30h]
		mov	ecx, esi
		call	_SepAppendPrimaryGroup@8 ; SepAppendPrimaryGroup(x,x)
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		mov	[ebp-84h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-84h]
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edi, ebx

loc_7E9952:				; CODE XREF: PAGE:007E988Bj
					; PAGE:007E98EEj ...
		mov	ecx, esi
		call	ObfDereferenceObject
		push	1
		mov	dl, [ebp-19h]
		mov	ecx, [ebp-30h]
		call	_SeReleaseSid@12 ; SeReleaseSid(x,x,x)
		jmp	short loc_7E99D4
; 

loc_7E9968:				; DATA XREF: .text:006A4F30o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-88h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7E9979:				; DATA XREF: .text:006A4F34o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	eax, [ebp-88h]
		jmp	loc_7E9B66
; 

loc_7E998F:				; CODE XREF: PAGE:007E95DAj
		cmp	[ebp+14h], eax
		jnb	short loc_7E999B

loc_7E9994:				; CODE XREF: PAGE:007E95FAj
					; PAGE:007E966Fj ...
		mov	edi, 0C0000004h
		jmp	short loc_7E99CD
; 

loc_7E999B:				; CODE XREF: PAGE:007E9992j
		mov	dword ptr [ebp-4], 1
		mov	eax, [ebp+10h]
		mov	ecx, [eax]
		mov	[ebp-2Ch], ecx
		lea	eax, [ebp-2Ch]
		push	eax
		push	1
		sub	esp, 0Ch
		mov	dl, [ebp-19h]
		call	SeCaptureSid
		mov	[ebp+10h], eax
		mov	[ebp-34h], eax
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		test	eax, eax
		jns	short loc_7E99DB
		mov	edi, eax

loc_7E99CD:				; CODE XREF: PAGE:007E9636j
					; PAGE:007E9646j ...
		mov	ecx, esi
		call	ObfDereferenceObject

loc_7E99D4:				; CODE XREF: PAGE:007E9763j
					; PAGE:007E9774j ...
		mov	eax, edi
		jmp	loc_7EA6F3
; 

loc_7E99DB:				; CODE XREF: PAGE:007E99C9j
		mov	[ebp+10h], ebx
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp-8Ch], ebx
		xor	ecx, ecx
		lea	eax, [ebp-8Ch]
		lock or	[eax], ecx
		mov	ecx, ebx

loc_7E9A00:				; CODE XREF: PAGE:007E9AA0j
		cmp	ecx, [esi+7Ch]
		jnb	loc_7E9B08
		mov	dword ptr [ebp-4], 2
		mov	eax, [esi+94h]
		push	dword ptr [eax+ecx*8]
		push	dword ptr [ebp-2Ch]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_7E9A96
		mov	edx, [ebp+10h]
		mov	ecx, esi
		call	_SepIdAssignableAsOwner@8 ; SepIdAssignableAsOwner(x,x)
		test	al, al
		jz	short loc_7E9A43
		mov	[esi+90h], edx
		mov	al, 1
		mov	[ebp-25h], al
		mov	[ebp+10h], ebx
		jmp	short loc_7E9A4D
; 

loc_7E9A43:				; CODE XREF: PAGE:007E9A31j
		mov	dword ptr [ebp+10h], 0C000005Ah
		mov	al, [ebp-25h]

loc_7E9A4D:				; CODE XREF: PAGE:007E9A41j
		test	al, al
		jz	short loc_7E9A59
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)

loc_7E9A59:				; CODE XREF: PAGE:007E9A4Fj
		mov	[ebp-90h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-90h]
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		push	1
		mov	dl, [ebp-19h]
		mov	ecx, [ebp-2Ch]
		call	_SeReleaseSid@12 ; SeReleaseSid(x,x,x)
		mov	[ebp-4], edi
		mov	eax, [ebp+10h]
		jmp	loc_7EA6F3
; 

loc_7E9A96:				; CODE XREF: PAGE:007E9A23j
		mov	[ebp-4], edi
		mov	ecx, [ebp+10h]
		inc	ecx
		mov	[ebp+10h], ecx
		jmp	loc_7E9A00
; 

loc_7E9AA5:				; DATA XREF: .text:006A4F24o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-98h], eax
		xor	eax, eax
		inc	eax
		retn
; 
word_7E9AB6	dw 658Bh		; DATA XREF: .text:006A4F28o
		dd 0DB7D80E8h, 8B0B7400h, 498DB04Dh, 0F83CE834h, 0A583FFCEh
		dd 0FFFFFF6Ch, 8DC93300h, 0FFFF6C85h, 809F0FFh,	8BB0758Bh
		dd 89E8304Eh, 0E8FFD353h, 0FFD35954h, 5DE8CE8Bh, 6AFFD35Ch
		dd 0DC558A01h, 0E8D44D8Bh, 0FFFE7FBAh, 0FF68858Bh, 5EEBFFFFh
; 

loc_7E9B08:				; CODE XREF: PAGE:007E9A03j
		mov	[ebp-9Ch], ebx
		xor	ecx, ecx
		lea	eax, [ebp-9Ch]
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		push	1
		mov	dl, [ebp-19h]
		mov	ecx, [ebp-2Ch]
		call	_SeReleaseSid@12 ; SeReleaseSid(x,x,x)
		mov	eax, 0C000005Ah
		jmp	loc_7EA6F3
; 

loc_7E9B44:				; DATA XREF: .text:006A4F18o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A0h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7E9B55:				; DATA XREF: .text:006A4F1Co
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	eax, [ebp-0A0h]

loc_7E9B66:				; CODE XREF: PAGE:007E9571j
					; PAGE:007E9667j ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7EA6F3
; 

loc_7E9B72:				; CODE XREF: PAGE:007E95CFj
		cmp	dword ptr [ebp+14h], 4
		jnz	loc_7E9994
		mov	dword ptr [ebp-4], 7
		mov	eax, [ebp+10h]
		mov	edi, [eax]
		mov	[ebp-134h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	dword ptr [ebp-24h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7E9631
		test	edi, edi
		jz	short loc_7E9BBF

loc_7E9BB5:				; CODE XREF: PAGE:007E9DCBj
		mov	edi, 0C000000Dh
		jmp	loc_7E99CD
; 

loc_7E9BBF:				; CODE XREF: PAGE:007E9BB3j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp-0A4h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-0A4h]
		lock or	[eax], ecx
		test	byte ptr [esi+0B0h], 20h
		jnz	short loc_7E9C08
		cmp	ds:_SeTokenLeakTracking, ecx
		jz	short loc_7E9BF7
		mov	ecx, esi
		call	_SepRemoveTokenLogonSession@4 ;	SepRemoveTokenLogonSession(x)

loc_7E9BF7:				; CODE XREF: PAGE:007E9BEEj
		mov	ecx, esi
		call	_SepStopReferencingLogonSession@4 ; SepStopReferencingLogonSession(x)
		mov	edi, eax
		test	edi, edi
		js	loc_7E99CD

loc_7E9C08:				; CODE XREF: PAGE:007E9BE6j
		mov	[ebp-0A8h], ebx
		lea	eax, [ebp-0A8h]

loc_7E9C14:				; CODE XREF: PAGE:007E9D5Fj
					; PAGE:007E9E12j ...
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_7EA6C3
; 

loc_7E9C2B:				; DATA XREF: .text:006A4F60o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0ACh], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7E9C3C:				; DATA XREF: .text:006A4F64o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	eax, [ebp-0ACh]
		jmp	loc_7E9B66
; 

loc_7E9C52:				; CODE XREF: PAGE:007E95C9j
		sub	edi, 10h
		jz	loc_7E9D8B
		sub	edi, 1
		jz	short loc_7E9CC3
		dec	edi
		sub	edi, 1
		jnz	loc_7E9FEC
		cmp	dword ptr [ebp+14h], 4
		jnz	loc_7E9994
		mov	dword ptr [ebp-4], 6
		mov	eax, [ebp+10h]
		mov	edx, [eax]
		mov	[ebp-138h], edx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	dword ptr [ebp-24h]
		mov	ecx, esi
		call	SepLinkLogonSessions
		jmp	loc_7E9644
; 

loc_7E9C9C:				; DATA XREF: .text:006A4F54o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B0h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7E9CAD:				; DATA XREF: .text:006A4F58o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	eax, [ebp-0B0h]
		jmp	loc_7E9B66
; 

loc_7E9CC3:				; CODE XREF: PAGE:007E9C5Ej
		cmp	dword ptr [ebp+14h], 8
		jnz	loc_7E9994
		mov	dword ptr [ebp-4], 9
		mov	eax, [ebp+10h]
		mov	edi, [eax]
		mov	[ebp-154h], edi
		mov	eax, [eax+4]
		mov	[ebp+10h], eax
		mov	[ebp-150h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	dword ptr [ebp-24h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7E9631
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp-0B4h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-0B4h]
		lock or	[eax], ecx
		mov	eax, [esi+0C8h]
		or	eax, [esi+0C4h]
		jnz	short loc_7E9D4B
		mov	[esi+0C4h], edi
		mov	eax, [ebp+10h]
		mov	[esi+0C8h], eax

loc_7E9D4B:				; CODE XREF: PAGE:007E9D3Aj
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		mov	[ebp-0B8h], ebx
		lea	eax, [ebp-0B8h]
		jmp	loc_7E9C14
; 

loc_7E9D64:				; DATA XREF: .text:006A4F78o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0BCh], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7E9D75:				; DATA XREF: .text:006A4F7Co
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	eax, [ebp-0BCh]
		jmp	loc_7E9B66
; 

loc_7E9D8B:				; CODE XREF: PAGE:007E9C55j
		mov	[ebp-40h], ebx
		push	dword ptr [ebp-24h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7E9631
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceSharedLite
		mov	bl, [esi+77h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	bl, bl
		jnz	loc_7E9BB5
		mov	eax, [ebp+10h]
		test	eax, eax
		jnz	short loc_7E9E17
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		xor	ebx, ebx
		mov	[ebp-0C0h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-0C0h]
		lock or	[eax], ecx
		mov	byte ptr [esi+77h], 1
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		mov	[ebp-0C4h], ebx
		lea	eax, [ebp-0C4h]
		jmp	loc_7E9C14
; 

loc_7E9E17:				; CODE XREF: PAGE:007E9DD6j
		mov	dword ptr [ebp-4], 8
		lea	ecx, [ebp-40h]
		push	ecx
		sub	esp, 10h
		mov	dl, [ebp-19h]
		mov	ecx, eax
		call	_SepCaptureAuditPolicy@28 ; SepCaptureAuditPolicy(x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp-34h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	edi, edi
		js	loc_7E99CD
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		and	dword ptr [ebp-0C8h], 0
		xor	ecx, ecx
		lea	eax, [ebp-0C8h]
		lock or	[eax], ecx
		mov	byte ptr [esi+77h], 2
		lea	ebx, [esi+58h]
		push	7
		pop	ecx
		mov	esi, [ebp-40h]
		mov	edi, ebx
		rep movsd
		movsw
		movsb
		mov	esi, [ebp-20h]
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		and	dword ptr [ebp-0CCh], 0
		xor	ecx, ecx
		lea	eax, [ebp-0CCh]
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	dl, 1
		mov	ecx, ebx
		call	_SepModifyTokenPolicyCounter@8 ; SepModifyTokenPolicyCounter(x,x)
		mov	ecx, esi
		call	ObfDereferenceObject
		push	ecx
		mov	dl, [ebp-19h]
		mov	ecx, [ebp-40h]
		call	_SepReleaseAuditPolicy@12 ; SepReleaseAuditPolicy(x,x,x)
		jmp	loc_7E9811
; 

loc_7E9EC3:				; DATA XREF: .text:006A4F6Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D0h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7E9ED4:				; DATA XREF: .text:006A4F70o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		push	ecx
		mov	dl, [ebp-24h]
		mov	ecx, [ebp-40h]
		call	_SepReleaseAuditPolicy@12 ; SepReleaseAuditPolicy(x,x,x)
		mov	eax, [ebp-0D0h]
		jmp	loc_7E9B66
; 

loc_7E9EF6:				; CODE XREF: PAGE:007E95C0j
		cmp	dword ptr [ebp+14h], 4
		jnz	loc_7E9994
		mov	dword ptr [ebp-4], 0Ah
		mov	eax, [ebp+10h]
		mov	edi, [eax]
		mov	[ebp-13Ch], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	dword ptr [ebp-24h]
		push	ds:dword_A94CB4
		push	ds:_SeCreateTokenPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7E9631
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp-0D4h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-0D4h]
		lock or	[eax], ecx
		mov	eax, [esi+0B0h]
		test	edi, edi
		jz	short loc_7E9F66
		or	eax, 200h
		jmp	short loc_7E9F6B
; 

loc_7E9F66:				; CODE XREF: PAGE:007E9F5Dj
		and	eax, 0FFFFFDFFh

loc_7E9F6B:				; CODE XREF: PAGE:007E9F64j
		mov	[esi+0B0h], eax
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		mov	[ebp-0D8h], ebx
		lea	eax, [ebp-0D8h]
		jmp	loc_7E9C14
; 

loc_7E9F8A:				; DATA XREF: .text:006A4F84o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0DCh], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7E9F9B:				; DATA XREF: .text:006A4F88o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	eax, [ebp-0DCh]
		jmp	loc_7E9B66
; 

loc_7E9FB1:				; CODE XREF: PAGE:007E95BAj
		sub	edi, 18h
		jz	loc_7EA699
		sub	edi, 1
		jz	loc_7EA364
		sub	edi, 1
		jz	loc_7EA2A5
		sub	edi, 1
		jz	loc_7EA21A
		sub	edi, 0Ch
		jz	loc_7EA12B
		sub	edi, 3
		jz	loc_7EA0B7
		sub	edi, 3
		jz	short loc_7E9FF6

loc_7E9FEC:				; CODE XREF: PAGE:007E95F1j
					; PAGE:007E9C64j
		mov	eax, 0C000000Dh
		jmp	loc_7EA6F3
; 

loc_7E9FF6:				; CODE XREF: PAGE:007E9FEAj
		push	dword ptr [ebp-24h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7E9631
		cmp	dword ptr [ebp+14h], 4
		jnz	loc_7E9994
		mov	dword ptr [ebp-4], 10h
		mov	eax, [ebp+10h]
		mov	eax, [eax]
		mov	[ebp-140h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	eax, eax
		jnz	loc_7EA6C3
		test	dword ptr [esi+0B0h], 80000h
		jz	loc_7EA6C3
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp-0E0h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-0E0h]
		lock or	[eax], ecx
		and	dword ptr [esi+0B0h], 0FFF7FFFFh
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		mov	[ebp-0E4h], ebx
		lea	eax, [ebp-0E4h]
		jmp	loc_7E9C14
; 

loc_7EA090:				; DATA XREF: .text:006A4FCCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E8h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7EA0A1:				; DATA XREF: .text:006A4FD0o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	eax, [ebp-0E8h]
		jmp	loc_7E9B66
; 

loc_7EA0B7:				; CODE XREF: PAGE:007E9FE1j
		cmp	dword ptr [ebp+14h], 4
		jnz	loc_7E9994
		mov	dword ptr [ebp-4], 0Fh
		mov	eax, [ebp+10h]
		mov	edi, [eax]
		mov	[ebp-144h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	dword ptr [ebp-24h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7E9631
		mov	edx, edi
		mov	ecx, esi
		call	_SeSetPrivateNameSpaceToken@8 ;	SeSetPrivateNameSpaceToken(x,x)
		jmp	loc_7E9644
; 

loc_7EA104:				; DATA XREF: .text:006A4FC0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0ECh], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7EA115:				; DATA XREF: .text:006A4FC4o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	eax, [ebp-0ECh]
		jmp	loc_7E9B66
; 

loc_7EA12B:				; CODE XREF: PAGE:007E9FD8j
		mov	[ebp-44h], ebx
		mov	eax, [ebp+10h]
		test	eax, eax
		jz	loc_7E9994
		cmp	dword ptr [ebp+14h], 8
		jb	loc_7E9994
		lea	ecx, [ebp-44h]
		push	ecx
		mov	dl, [ebp-19h]
		mov	ecx, eax
		call	SepCaptureTokenSecurityAttributesAndOperationsInformation
		mov	edi, eax
		test	edi, edi
		js	loc_7E99CD
		call	_Feature_RelaxTcbForUWP__private_ReportDeviceUsage@0 ; Feature_RelaxTcbForUWP__private_ReportDeviceUsage()
		push	dword ptr [ebp-24h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_7EA17D
		mov	edi, 0C0000061h

loc_7EA17D:				; CODE XREF: PAGE:007EA176j
		test	edi, edi
		jns	short loc_7EA191

loc_7EA181:				; CODE XREF: PAGE:007EA215j
		mov	dl, [ebp-19h]
		mov	ecx, [ebp-44h]
		call	_SepReleaseTokenSecurityAttributesAndOperationsInformation@8 ; SepReleaseTokenSecurityAttributesAndOperationsInformation(x,x)
		jmp	loc_7E99CD
; 

loc_7EA191:				; CODE XREF: PAGE:007EA17Fj
		mov	[ebp+13h], bl
		mov	edi, [ebp-44h]
		mov	edx, [edi]
		mov	ecx, [edi+4]
		call	_SepShouldSetDelinkFlags@8 ; SepShouldSetDelinkFlags(x,x)
		test	al, al
		jz	short loc_7EA1A9
		mov	byte ptr [ebp+13h], 1

loc_7EA1A9:				; CODE XREF: PAGE:007EA1A3j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp-0F0h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-0F0h]
		lock or	[eax], ecx
		push	dword ptr [edi]
		mov	edx, [edi+4]
		mov	ecx, [esi+1DCh]
		call	AuthzBasepSetSecurityAttributesToken
		mov	edi, eax
		test	edi, edi
		js	short loc_7EA1EF
		cmp	byte ptr [ebp+13h], 0
		jz	short loc_7EA1EF
		or	dword ptr [esi+0B0h], 20000h

loc_7EA1EF:				; CODE XREF: PAGE:007EA1DDj
					; PAGE:007EA1E3j
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		mov	[ebp-0F4h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-0F4h]
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_7EA181
; 

loc_7EA21A:				; CODE XREF: PAGE:007E9FCFj
		cmp	dword ptr [ebp+14h], 4
		jnz	loc_7E9994
		mov	dword ptr [ebp-4], 0Eh
		mov	eax, [ebp+10h]
		mov	eax, [eax]
		mov	[ebp-0F8h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	dword ptr [ebp-24h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7E9631
		cmp	byte ptr [esi+0B4h], 0
		jz	short loc_7EA26C
		mov	edi, 0C000012Bh
		jmp	loc_7E99CD
; 

loc_7EA26C:				; CODE XREF: PAGE:007EA260j
		lea	edx, [ebp-0F8h]
		mov	ecx, esi
		call	_SeSetMandatoryPolicyToken@8 ; SeSetMandatoryPolicyToken(x,x)
		jmp	loc_7E9644
; 

loc_7EA27E:				; DATA XREF: .text:006A4FB4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0FCh], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7EA28F:				; DATA XREF: .text:006A4FB8o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	eax, [ebp-0FCh]
		jmp	loc_7E9B66
; 

loc_7EA2A5:				; CODE XREF: PAGE:007E9FC6j
		cmp	dword ptr [ebp+14h], 4
		jnz	loc_7E9994
		mov	dword ptr [ebp-4], 0Dh
		mov	eax, [ebp+10h]
		mov	edi, [eax]
		mov	[ebp-148h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	edi, edi
		jz	short loc_7EA2E8
		push	dword ptr [ebp-24h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_7E9631

loc_7EA2E8:				; CODE XREF: PAGE:007EA2CAj
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp-100h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-100h]
		lock or	[eax], ecx
		mov	eax, [esi+0B0h]
		test	edi, edi
		jz	short loc_7EA319
		or	eax, 1000h
		jmp	short loc_7EA31E
; 

loc_7EA319:				; CODE XREF: PAGE:007EA310j
		and	eax, 0FFFFEFFFh

loc_7EA31E:				; CODE XREF: PAGE:007EA317j
		mov	[esi+0B0h], eax
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		mov	[ebp-104h], ebx
		lea	eax, [ebp-104h]
		jmp	loc_7E9C14
; 

loc_7EA33D:				; DATA XREF: .text:006A4FA8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-108h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7EA34E:				; DATA XREF: .text:006A4FACo
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	eax, [ebp-108h]
		jmp	loc_7E9B66
; 

loc_7EA364:				; CODE XREF: PAGE:007E9FBDj
		cmp	dword ptr [ebp+14h], 8
		jb	loc_7E9994
		mov	dword ptr [ebp-4], 0Ch
		lea	eax, [ebp-10Ch]
		push	eax
		lea	eax, [ebp-38h]
		push	eax
		push	ecx
		push	ecx
		push	ebx
		push	ebx
		push	dword ptr [ebp-24h]
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+10h]
		call	SeCaptureSidAndAttributesArray
		mov	edi, eax
		mov	[ebp-34h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	edi, edi
		js	loc_7E99CD
		mov	edi, [ebp-38h]
		mov	edi, [edi]
		mov	ecx, _SeUntrustedMandatorySid
		mov	eax, [edi+2]
		cmp	eax, [ecx+2]
		jnz	loc_7EA655
		movzx	eax, word ptr [edi+6]
		cmp	ax, [ecx+6]
		jnz	loc_7EA655
		push	edi
		call	_RtlSubAuthorityCountSid@4 ; RtlSubAuthorityCountSid(x)
		mov	al, [eax]
		test	al, al
		jnz	short loc_7EA3DB
		mov	edi, ebx
		jmp	short loc_7EA3F4
; 

loc_7EA3DB:				; CODE XREF: PAGE:007EA3D5j
		movzx	eax, al
		dec	eax
		push	eax
		push	edi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	edi, [eax]
		cmp	edi, 4000h
		ja	loc_7EA655

loc_7EA3F4:				; CODE XREF: PAGE:007EA3D9j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp-110h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-110h]
		lock or	[eax], ecx
		mov	ecx, esi
		call	_SepLocateTokenIntegrity@4 ; SepLocateTokenIntegrity(x)
		mov	[ebp+0Ch], eax
		test	eax, eax
		jnz	short loc_7EA43D
		mov	[ebp-114h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-114h]
		lock or	[eax], ecx
		mov	ebx, 0C0000446h
		jmp	loc_7EA62E
; 

loc_7EA43D:				; CODE XREF: PAGE:007EA420j
		mov	eax, [eax]
		mov	[ebp+14h], eax
		push	eax
		call	_RtlSubAuthorityCountSid@4 ; RtlSubAuthorityCountSid(x)
		mov	al, [eax]
		mov	[ebp+13h], al
		test	al, al
		jnz	short loc_7EA457
		mov	edx, ebx
		mov	ecx, ebx
		jmp	short loc_7EA46F
; 

loc_7EA457:				; CODE XREF: PAGE:007EA44Fj
		movzx	eax, al
		mov	[ebp+8], eax
		dec	eax
		push	eax
		push	dword ptr [ebp+14h]
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	edx, [eax]
		mov	al, [ebp+13h]
		mov	ecx, [ebp+8]

loc_7EA46F:				; CODE XREF: PAGE:007EA455j
		cmp	edi, edx
		jbe	short loc_7EA4CA
		push	dword ptr [ebp-24h]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_7EA4A6
		mov	[ebp-118h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-118h]
		lock or	[eax], ecx
		mov	ebx, 0C0000061h
		jmp	loc_7EA62E
; 

loc_7EA4A6:				; CODE XREF: PAGE:007EA489j
		cmp	byte ptr [esi+0B4h], 0
		jz	short loc_7EA4EE
		mov	[ebp-11Ch], ebx
		xor	ecx, ecx
		lea	eax, [ebp-11Ch]
		lock or	[eax], ecx
		mov	ebx, 0C000012Bh
		jmp	loc_7EA62E
; 

loc_7EA4CA:				; CODE XREF: PAGE:007EA471j
		test	al, al
		jnz	short loc_7EA4D2
		mov	eax, ebx
		jmp	short loc_7EA4E0
; 

loc_7EA4D2:				; CODE XREF: PAGE:007EA4CCj
		lea	eax, [ecx-1]
		push	eax
		push	dword ptr [ebp+14h]
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	eax, [eax]

loc_7EA4E0:				; CODE XREF: PAGE:007EA4D0j
		cmp	edi, eax
		jnb	short loc_7EA4EE
		and	dword ptr [esi+0B0h], 0FFFFEFFFh

loc_7EA4EE:				; CODE XREF: PAGE:007EA4ADj
					; PAGE:007EA4E2j
		mov	ecx, [ebp+0Ch]
		mov	ecx, [ecx]
		mov	al, [ecx+1]
		test	al, al
		jz	loc_7EA618
		movzx	eax, al
		dec	eax
		push	eax
		push	ecx
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	[eax], edi
		cmp	edi, 3000h
		jnb	short loc_7EA526
		mov	eax, 0DFE9F97Bh
		and	[esi+48h], eax
		and	dword ptr [esi+4Ch], 0FFFFFFEEh
		and	[esi+50h], eax
		and	dword ptr [esi+54h], 0FFFFFFEEh

loc_7EA526:				; CODE XREF: PAGE:007EA511j
		cmp	edi, 2000h
		jnb	short loc_7EA550
		mov	eax, 2800000h
		and	[esi+48h], eax
		and	dword ptr [esi+4Ch], 2
		and	[esi+50h], eax
		and	dword ptr [esi+54h], 2
		and	dword ptr [esi+0B0h], 0FFFFDFFFh
		jmp	loc_7EA5FD
; 

loc_7EA550:				; CODE XREF: PAGE:007EA52Cj
		test	dword ptr [esi+0B0h], 4000h
		jz	loc_7EA5F3
		mov	edx, [esi+1E0h]
		mov	ecx, esi
		call	_SepRemoveAceFromTokenDefaultDacl@8 ; SepRemoveAceFromTokenDefaultDacl(x,x)
		and	dword ptr [esi+0B0h], 0FFFFBFFFh
		mov	eax, [esi+1E0h]
		test	eax, eax
		jz	short loc_7EA58E
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+1E0h], ebx

loc_7EA58E:				; CODE XREF: PAGE:007EA57Fj
		mov	eax, [esi+1E4h]
		test	eax, eax
		jz	short loc_7EA5C0
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+1E4h], ebx
		mov	[esi+1E8h], ebx
		push	88h
		push	ebx
		lea	eax, [esi+1ECh]
		push	eax
		call	_memset
		add	esp, 0Ch

loc_7EA5C0:				; CODE XREF: PAGE:007EA596j
		mov	edx, [esi+274h]
		test	edx, edx
		jz	short loc_7EA5D8
		mov	ecx, [esi+78h]
		call	SepDereferenceLowBoxNumberEntry
		mov	[esi+274h], ebx

loc_7EA5D8:				; CODE XREF: PAGE:007EA5C8j
		mov	edx, [esi+278h]
		test	edx, edx
		jz	short loc_7EA5F3
		mov	ecx, [esi+0C0h]
		call	SepDereferenceCachedHandlesEntry
		mov	[esi+278h], ebx

loc_7EA5F3:				; CODE XREF: PAGE:007EA55Aj
					; PAGE:007EA5E0j
		or	dword ptr [esi+0B0h], 2000h

loc_7EA5FD:				; CODE XREF: PAGE:007EA54Bj
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		mov	[ebp-120h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-120h]
		lock or	[eax], ecx
		jmp	short loc_7EA62E
; 

loc_7EA618:				; CODE XREF: PAGE:007EA4F8j
		mov	[ebp-124h], ebx
		xor	ecx, ecx
		lea	eax, [ebp-124h]
		lock or	[eax], ecx
		mov	ebx, 0C000000Dh

loc_7EA62E:				; CODE XREF: PAGE:007EA438j
					; PAGE:007EA4A1j ...
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		push	ecx
		mov	dl, [ebp-19h]
		mov	ecx, [ebp-38h]
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)
		mov	eax, ebx
		jmp	loc_7EA6F3
; 

loc_7EA655:				; CODE XREF: PAGE:007EA3B7j
					; PAGE:007EA3C5j ...
		mov	ecx, esi
		call	ObfDereferenceObject
		push	ecx
		mov	dl, [ebp-19h]
		mov	ecx, [ebp-38h]
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)
		mov	eax, 0C0000446h
		jmp	loc_7EA6F3
; 

loc_7EA672:				; DATA XREF: .text:006A4F9Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-128h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7EA683:				; DATA XREF: .text:006A4FA0o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	eax, [ebp-128h]
		jmp	loc_7E9B66
; 

loc_7EA699:				; CODE XREF: PAGE:007E9FB4j
		cmp	dword ptr [ebp+14h], 4
		jnz	loc_7E9994
		mov	dword ptr [ebp-4], 0Bh
		mov	eax, [ebp+10h]
		mov	edx, [eax]
		mov	[ebp-14Ch], edx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, esi
		call	_SeSetVirtualizationToken@8 ; SeSetVirtualizationToken(x,x)

loc_7EA6C3:				; CODE XREF: PAGE:007E9C26j
					; PAGE:007EA037j ...
		mov	edi, ebx
		jmp	loc_7E99CD
; 

loc_7EA6CA:				; DATA XREF: .text:006A4F90o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-12Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7EA6DB:				; DATA XREF: .text:006A4F94o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-12Ch]

loc_7EA6F3:				; CODE XREF: PAGE:007E9558j
					; PAGE:007E95B1j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7EA705:				; CODE XREF: PAGE:007E94E0j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 


; __stdcall SepReleaseTokenSecurityAttributesAndOperationsInformation(x, x)
_SepReleaseTokenSecurityAttributesAndOperationsInformation@8 proc near
					; CODE XREF: PAGE:007EA187p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	dl, dl
		jz	short loc_7EA732
		push	0
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_7EA72A
		call	SepFreeCapturedTokenSecurityAttributesInformation

loc_7EA72A:				; CODE XREF: SepReleaseTokenSecurityAttributesAndOperationsInformation(x,x)+17j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7EA732:				; CODE XREF: SepReleaseTokenSecurityAttributesAndOperationsInformation(x,x)+7j
		xor	eax, eax
		pop	esi
		retn
_SepReleaseTokenSecurityAttributesAndOperationsInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepFreeCapturedTokenSecurityAttributesInformation proc near
					; CODE XREF: SepReleaseTokenSecurityAttributesAndOperationsInformation(x,x)+19p
					; NtCreateTokenEx:loc_90E3D2p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090ED8A SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	edi
		mov	edi, ecx
		cmp	dword ptr [edi+4], 0
		mov	ebx, [edi+8]
		mov	[ebp+var_8], ebx
		jbe	short loc_7EA775
		push	esi
		lea	esi, [ebx+14h]
		mov	ebx, [ebp+var_4]

loc_7EA758:				; CODE XREF: SepFreeCapturedTokenSecurityAttributesInformation+39j
		push	0
		push	dword ptr [esi-10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	dword ptr [esi-4], 0
		jnz	short loc_7EA78D

loc_7EA768:				; CODE XREF: SepFreeCapturedTokenSecurityAttributesInformation+60j
					; SepFreeCapturedTokenSecurityAttributesInformation+70j ...
		inc	ebx
		add	esi, 18h
		cmp	ebx, [edi+4]
		jb	short loc_7EA758
		mov	ebx, [ebp+var_8]
		pop	esi

loc_7EA775:				; CODE XREF: SepFreeCapturedTokenSecurityAttributesInformation+19j
		test	ebx, ebx
		jz	short loc_7EA781
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7EA781:				; CODE XREF: SepFreeCapturedTokenSecurityAttributesInformation+41j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_7EA78D:				; CODE XREF: SepFreeCapturedTokenSecurityAttributesInformation+30j
		movzx	ecx, word ptr [esi-0Ch]
		mov	eax, ecx
		test	ax, ax
		jz	short loc_7EA768
		cmp	eax, 2
		ja	short loc_7EA7A8

loc_7EA79D:				; CODE XREF: SepFreeCapturedTokenSecurityAttributesInformation+75j
					; SepFreeCapturedTokenSecurityAttributesInformation+124657j ...
		push	0
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7EA768
; 

loc_7EA7A8:				; CODE XREF: SepFreeCapturedTokenSecurityAttributesInformation+65j
		cmp	eax, 3
		jz	short loc_7EA79D
		jmp	loc_90ED8A
SepFreeCapturedTokenSecurityAttributesInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepShouldSetDelinkFlags(x, x)
_SepShouldSetDelinkFlags@8 proc	near	; CODE XREF: SepInternalSetSecurityAttributesToken(x,x,x,x,x)+52p
					; PAGE:007EA19Cp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		cmp	dword ptr [ecx], 1
		push	edi
		mov	edi, edx
		jz	short loc_7EA7F6
		push	esi
		mov	esi, ebx
		cmp	[edi+4], ebx
		jbe	short loc_7EA7EF
		mov	eax, ebx
		mov	[ebp+var_4], ebx

loc_7EA7D0:				; CODE XREF: SepShouldSetDelinkFlags(x,x)+3Bj
		mov	ecx, [edi+8]
		add	ecx, eax
		jz	short loc_7EA7E3
		call	SepPotentialGlobalTableAttribute
		test	al, al
		jnz	short loc_7EA7FA
		mov	eax, [ebp+var_4]

loc_7EA7E3:				; CODE XREF: SepShouldSetDelinkFlags(x,x)+23j
		inc	esi
		add	eax, 18h
		mov	[ebp+var_4], eax
		cmp	esi, [edi+4]
		jb	short loc_7EA7D0

loc_7EA7EF:				; CODE XREF: SepShouldSetDelinkFlags(x,x)+17j
					; SepShouldSetDelinkFlags(x,x)+4Aj
		pop	esi

loc_7EA7F0:				; CODE XREF: SepShouldSetDelinkFlags(x,x)+46j
		pop	edi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_7EA7F6:				; CODE XREF: SepShouldSetDelinkFlags(x,x)+Fj
		mov	bl, 1
		jmp	short loc_7EA7F0
; 

loc_7EA7FA:				; CODE XREF: SepShouldSetDelinkFlags(x,x)+2Cj
		mov	bl, 1
		jmp	short loc_7EA7EF
_SepShouldSetDelinkFlags@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepCaptureTokenSecurityAttributesAndOperationsInformation proc near
					; CODE XREF: PAGE:007EA14Cp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090EDB3 SIZE 00000066 BYTES

		push	24h
		push	offset dword_6A4FD8
		call	__SEH_prolog4
		mov	[ebp+var_2C], edx
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx
		test	dl, dl
		jz	loc_90EDB3
		mov	[ebp+ms_exc.disabled], ebx
		mov	edx, ecx
		test	cl, 3
		jnz	loc_7EA923
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_90EDD2

loc_7EA83D:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+1245D6j
		nop
		mov	al, [edx]
		mov	eax, [ecx+4]
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	loc_90EDC1
		test	al, 3
		jnz	loc_7EA923
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		jnb	loc_90EDD9

loc_7EA864:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+1245DDj
		nop
		mov	al, [eax]
		mov	eax, [ecx]
		mov	[ebp+var_28], eax
		mov	esi, ebx
		mov	[ebp+var_30], esi
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_90EDE7
		test	bl, 3
		jnz	loc_7EA923
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_90EDE0

loc_7EA891:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+1245E4j
		nop
		mov	al, [ebx]
		mov	ebx, [ebp+var_28]
		mov	esi, [ebx+4]
		mov	[ebp+var_30], esi
		mov	edi, [ebp+var_20]

loc_7EA8A0:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+1245F1j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_2C]
		mov	edx, esi
		mov	ecx, edi
		call	SepCaptureTokenSecurityOperations
		test	eax, eax
		js	short loc_7EA90A
		test	ebx, ebx
		jz	short loc_7EA8D8
		lea	eax, [ebp+var_24]
		push	eax		; int
		push	1		; int
		push	[ebp+var_2C]	; size_t
		push	esi		; int
		mov	edx, edi
		mov	ecx, ebx
		call	SepCaptureTokenSecurityAttributesInformation
		mov	edi, eax
		test	edi, edi
		js	short loc_7EA91C

loc_7EA8D8:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+BFj
		push	6F416553h
		push	8
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, [ebp+var_24]
		mov	ecx, [ebp+var_1C]
		test	eax, eax
		jz	loc_90EDF4
		mov	[eax+4], ecx
		mov	[eax], esi
		mov	edx, [ebp+arg_0]
		mov	[edx], eax
		xor	edi, edi

loc_7EA900:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+123j
		test	edi, edi
		js	loc_90EDF9

loc_7EA908:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+124609j
					; SepCaptureTokenSecurityAttributesAndOperationsInformation+124616j
		mov	eax, edi

loc_7EA90A:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+BBj
					; SepCaptureTokenSecurityAttributesAndOperationsInformation+1245BEj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7EA91C:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+D8j
		xor	esi, esi
		mov	ecx, [ebp+var_1C]
		jmp	short loc_7EA900
; 

loc_7EA923:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+2Cj
					; SepCaptureTokenSecurityAttributesAndOperationsInformation+52j ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
SepCaptureTokenSecurityAttributesAndOperationsInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SepCaptureTokenSecurityAttributesInformation(int,size_t,int,int)
SepCaptureTokenSecurityAttributesInformation proc near
					; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+CFp
					; NtCreateTokenEx+127370p ...

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0090EE39 SIZE 000000F4 BYTES
; FUNCTION CHUNK AT 0090EF61 SIZE 00000094 BYTES

		push	58h
		push	offset dword_6A4FF8
		call	__SEH_prolog4
		mov	[ebp+var_5C], edx
		mov	[ebp+var_54], ecx
		xor	ebx, ebx
		mov	edi, ebx
		mov	[ebp+var_38], edi
		mov	[ebp+var_58], edi
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_19], bl
		mov	esi, ebx
		mov	[ebp+var_20], esi
		mov	[ebp+var_28], esi
		mov	eax, ebx
		mov	[ebp+var_30], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_48], ebx
		mov	[ebp+var_2C], ebx
		cmp	byte ptr [ebp+arg_4], al
		jz	loc_90EE39
		push	74416553h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	loc_90EE51
		mov	eax, [ebp+var_5C]
		test	eax, eax
		jz	loc_90EE5B
		cmp	[ebp+arg_0], 1
		jb	loc_90EE5B
		cmp	dword ptr [eax], 1
		jz	loc_90EE5B

loc_7EA9A5:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+124537j
		xor	eax, eax
		mov	edi, ecx
		stosd
		stosd
		stosd
		cmp	byte ptr [ebp+arg_4], 1
		jnz	loc_7EABFD
		mov	[ebp+ms_exc.disabled], ebx
		mov	edx, [ebp+var_54]
		test	dl, 3
		jnz	loc_7EAD13
		lea	esi, [edx+0Ch]
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		ja	loc_90EE64
		cmp	esi, edx
		jb	loc_90EE64

loc_7EA9DD:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+12453Ej
		mov	ax, [edx]
		mov	[ecx], ax
		mov	ax, [edx+2]
		mov	[ecx+2], ax
		mov	esi, [edx+4]
		mov	[ecx+4], esi
		test	esi, esi
		jz	loc_90EE6B
		mov	eax, [edx+8]
		mov	[ecx+8], eax
		mov	eax, esi
		push	18h
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_3C]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		mov	[ebp+var_28], esi
		test	esi, esi
		js	loc_90EE7E
		push	74416553h
		mov	eax, [ebp+var_3C]
		mov	[ebp+arg_4], eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_38], edi
		mov	[ebp+var_58], edi
		mov	eax, [ebp+var_24]
		test	edi, edi
		jz	loc_90EE43
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_7EAA7D
		mov	edx, [eax+8]
		test	dl, 3
		jnz	loc_7EAD13
		lea	esi, [edx+ecx]
		mov	[ebp+arg_4], esi
		mov	esi, ds:_MmUserProbeAddress
		mov	[ebp+var_54], esi
		cmp	[ebp+arg_4], esi
		mov	esi, [ebp+var_20]
		ja	loc_90EE94
		cmp	[ebp+arg_4], edx
		jb	loc_90EE94

loc_7EAA7D:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+123j
					; SepCaptureTokenSecurityAttributesInformation+124571j
		push	ecx		; size_t
		push	dword ptr [eax+8] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, ebx

loc_7EAA8C:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+232j
		mov	[ebp+var_40], eax
		mov	[ebp+var_54], eax
		mov	ecx, ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_34], ecx
		mov	ecx, [ebp+var_24]
		cmp	eax, [ecx+4]
		jnb	loc_7EAB5F
		imul	eax, 18h
		mov	[ebp+var_50], eax
		movzx	eax, word ptr [eax+edi]
		test	ax, ax
		jz	loc_90EE9E
		push	74416553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], edx
		test	edx, edx
		jz	loc_90EEB0
		mov	ecx, [ebp+var_50]
		movzx	eax, word ptr [ecx+edi]
		mov	[ebp+arg_4], eax
		movzx	eax, ax
		mov	[ebp+var_60], eax
		movzx	eax, ax
		cmp	word ptr [ebp+arg_4], 0
		jz	short loc_7EAB35
		mov	eax, [ecx+edi+4]
		mov	[ebp+var_4C], eax
		test	al, 1
		jnz	loc_7EAD13
		mov	eax, [ebp+arg_4]
		movzx	eax, ax
		mov	esi, [ebp+var_4C]
		add	esi, eax
		mov	[ebp+arg_4], esi
		mov	eax, ds:_MmUserProbeAddress
		mov	[ebp+var_64], eax
		cmp	esi, eax
		mov	esi, [ebp+var_20]
		ja	loc_90EEBA
		mov	eax, [ebp+var_60]
		movzx	eax, ax
		mov	esi, [ebp+arg_4]
		cmp	esi, [ebp+var_4C]
		mov	esi, [ebp+var_20]
		jb	loc_90EEB7

loc_7EAB35:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+1C6j
					; SepCaptureTokenSecurityAttributesInformation+124598j
		movzx	eax, ax
		push	eax		; size_t
		push	dword ptr [ecx+edi+4] ;	void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_50]
		mov	ecx, [ebp+var_30]
		mov	[eax+edi+4], ecx
		inc	[ebp+var_44]
		mov	[ebp+var_34], ebx
		mov	eax, [ebp+var_54]
		inc	eax
		jmp	loc_7EAA8C
; 

loc_7EAB5F:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+178j
		mov	eax, ebx
		mov	[ebp+var_64], 2
		mov	[ebp+var_60], 4

loc_7EAB6F:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+275j
		mov	[ebp+var_40], eax
		cmp	eax, [ecx+4]
		jnb	short loc_7EAB9F
		imul	eax, 18h
		mov	[ebp+var_3C], eax
		mov	edx, [eax+edi+10h]
		mov	[ebp+arg_4], edx
		test	edx, edx
		jnz	loc_7EAC7F
		cmp	byte ptr [ebp+arg_8], dl
		jz	loc_90EF1D
		mov	[eax+edi+14h], ebx

loc_7EAB99:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+3A5j
		mov	eax, [ebp+var_40]
		inc	eax
		jmp	short loc_7EAB6F
; 

loc_7EAB9F:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+24Dj
		test	esi, esi
		js	short loc_7EABB8
		mov	[ecx+8], edi
		cmp	[ebp+var_19], 0
		jnz	short loc_7EABB8
		mov	eax, [ebp+arg_0]
		cmp	eax, [ecx+4]
		jnz	loc_90EF1D

loc_7EABB8:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+279j
					; SepCaptureTokenSecurityAttributesInformation+282j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7EABBF:				; CODE XREF: sub_90EF3B+21j
		test	esi, esi
		js	short loc_7EABFA
		mov	ecx, ebx
		mov	eax, [ebp+var_24]
		mov	edx, [eax+4]
		mov	[ebp+arg_0], edx
		lea	eax, [edi+10h]

loc_7EABD1:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+2D0j
		mov	[ebp+arg_4], eax
		mov	[ebp+arg_8], ecx
		cmp	ecx, edx
		jnb	short loc_7EABFA
		cmp	[ebp+var_19], 0
		jnz	short loc_7EAC21
		mov	eax, [ebp+var_5C]
		mov	eax, [eax+ecx*4]
		cmp	eax, 2
		jz	short loc_7EAC1E
		cmp	eax, 4
		mov	eax, [ebp+arg_4]
		jz	short loc_7EAC21

loc_7EABF4:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+34Cj
					; SepCaptureTokenSecurityAttributesInformation+3E6j ...
		inc	ecx
		add	eax, 18h
		jmp	short loc_7EABD1
; 

loc_7EABFA:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+299j
					; SepCaptureTokenSecurityAttributesInformation+2B1j
		mov	ecx, [ebp+var_24]

loc_7EABFD:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+88j
		test	esi, esi
		js	loc_90EF7B
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx

loc_7EAC0A:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+124567j
					; SepCaptureTokenSecurityAttributesInformation+1246C8j
		mov	eax, esi

loc_7EAC0C:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+124516j
					; SepCaptureTokenSecurityAttributesInformation+12452Ej	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7EAC1E:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+2C2j
		mov	eax, [ebp+arg_4]

loc_7EAC21:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+2B7j
					; SepCaptureTokenSecurityAttributesInformation+2CAj
		mov	edi, ebx
		mov	edx, offset _SepValidAttributesTypes
		mov	ecx, ebx
		mov	[ebp+var_54], ebx

loc_7EAC2D:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+3BEj
		mov	[ebp+var_50], edx
		cmp	ecx, 40h
		jnb	loc_7EAD08
		push	1
		push	edx
		add	eax, 0FFFFFFF0h
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jnz	loc_7EACD2
		shl	edi, 4
		mov	ecx, [ebp+arg_4]
		movzx	eax, word ptr [ecx-8]
		cmp	eax, ds:dword_A40C68[edi]
		jnz	loc_90EF61

loc_7EAC63:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+124641j
		mov	eax, [ecx]
		mov	ecx, [ebp+arg_8]
		mov	edx, [ebp+arg_0]
		cmp	eax, ds:dword_A40C6C[edi]
		mov	eax, [ebp+arg_4]
		jnb	loc_7EABF4
		jmp	loc_90EF6E
; 

loc_7EAC7F:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+25Ej
		movzx	esi, word ptr [eax+edi+8]
		mov	edx, esi
		test	dx, dx
		jz	loc_90EF0D
		cmp	dx, word ptr [ebp+var_64]
		ja	short loc_7EACEB

loc_7EAC95:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+1245ABj
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, [eax+edi+14h]
		call	SepCaptureInt64Array

loc_7EACA6:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+3DEj
					; SepCaptureTokenSecurityAttributesInformation+1245CAj	...
		mov	esi, eax
		mov	[ebp+var_20], esi
		mov	[ebp+var_28], esi
		test	esi, esi
		js	short loc_7EACBC
		mov	eax, [ebp+var_2C]
		mov	ecx, [ebp+var_3C]
		mov	[ecx+edi+14h], eax

loc_7EACBC:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+388j
		mov	ecx, [ebp+var_24]

loc_7EACBF:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+1245F0j
		test	esi, esi
		js	loc_7EABB8
		inc	[ebp+var_48]
		mov	[ebp+var_2C], ebx
		jmp	loc_7EAB99
; 

loc_7EACD2:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+31Fj
		inc	edi
		mov	ecx, [ebp+var_54]
		push	10h
		pop	eax
		add	ecx, eax
		mov	[ebp+var_54], ecx
		mov	edx, [ebp+var_50]
		add	edx, eax
		mov	eax, [ebp+arg_4]
		jmp	loc_7EAC2D
; 

loc_7EACEB:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+36Bj
		cmp	edx, 3
		jnz	loc_90EEC5
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	1
		mov	edx, [ebp+arg_4]
		mov	ecx, [eax+edi+14h]
		call	SepCaptureUnicodeStringArray
		jmp	short loc_7EACA6
; 

loc_7EAD08:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+30Bj
		mov	ecx, [ebp+arg_8]
		mov	edx, [ebp+arg_0]
		jmp	loc_7EABF4
; 

loc_7EAD13:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+97j
					; SepCaptureTokenSecurityAttributesInformation+12Bj ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
SepCaptureTokenSecurityAttributesInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpCaptureBoundaryDescriptor proc near	; CODE XREF: NtOpenPrivateNamespace+74p
					; NtCreatePrivateNamespace+4Ep

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= byte ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 0090EFF5 SIZE 0000001F BYTES
; FUNCTION CHUNK AT 0090F034 SIZE 000000A1 BYTES
; FUNCTION CHUNK AT 0090F0FF SIZE 00000030 BYTES

		push	50h
		push	offset dword_6A5040
		call	__SEH_prolog4
		mov	[ebp+var_40], edx
		mov	[ebp+var_34], ecx
		xor	eax, eax
		lea	edi, [ebp+var_60]
		stosd
		stosd
		stosd
		stosd
		xor	ebx, ebx
		mov	[edx], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_1A], al
		test	al, al
		jz	loc_90F034
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_90EFF5

loc_7EAD60:				; CODE XREF: ObpCaptureBoundaryDescriptor+1242DFj
		lea	edi, [ebp+var_50]
		movsd
		movsd
		movsd
		movsd
		nop
		mov	esi, [ebp+var_48]
		lea	eax, [esi-10h]
		cmp	eax, 7FEFh
		ja	loc_90F003
		test	esi, esi
		jz	short loc_7EAD9E
		test	cl, 3
		jnz	loc_7EAEF0
		lea	edx, [esi+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	loc_90EFFC
		cmp	edx, ecx
		jb	loc_90EFFC

loc_7EAD9E:				; CODE XREF: ObpCaptureBoundaryDescriptor+63j
					; ObpCaptureBoundaryDescriptor+1242E6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7EADA5:				; CODE XREF: ObpCaptureBoundaryDescriptor+124328j
		mov	edi, ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_19], bl
		mov	ecx, esi
		mov	[ebp+var_24], ecx
		mov	eax, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_2C], ebx
		test	[ebp+var_44], 1
		jnz	loc_7EAE9D

loc_7EADC4:				; CODE XREF: ObpCaptureBoundaryDescriptor+1C8j
		add	ecx, 18h
		mov	[ebp+var_24], ecx
		adc	eax, ebx
		jnz	loc_90F0FF
		cmp	ecx, 0FFFFFFFFh
		ja	loc_90F0FF
		push	534E624Fh
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_3C], edi
		test	edi, edi
		jz	loc_90F081
		mov	eax, [ebp+var_24]
		add	eax, 0FFFFFFE8h
		mov	[edi+0Ch], eax
		lea	eax, [edi+18h]
		mov	[ebp+ms_exc.disabled], 1
		push	esi		; size_t
		push	[ebp+var_34]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_20], 0
		jnz	loc_90F08B

loc_7EAE26:				; CODE XREF: ObpCaptureBoundaryDescriptor+1243AEj
		lea	ecx, [edi+18h]
		mov	[ecx+8], esi
		mov	eax, [ebp+var_4C]
		mov	[ecx+4], eax
		push	ebx
		xor	edx, edx
		call	RtlEnumerateBoundaryDescriptorEntries
		mov	esi, eax
		test	esi, esi
		js	short loc_7EAE4F
		mov	ecx, edi
		call	_ObpCheckDuplicateEntries@4 ; ObpCheckDuplicateEntries(x)
		test	eax, eax
		jz	loc_90F0CB

loc_7EAE4F:				; CODE XREF: ObpCaptureBoundaryDescriptor+126j
		mov	[edi+14h], bl
		push	edi
		mov	edx, offset _ObpHashBoundaryFunction@8 ; ObpHashBoundaryFunction(x,x)
		lea	ecx, [edi+18h]
		call	RtlEnumerateBoundaryDescriptorEntries
		movzx	eax, byte ptr [edi+14h]
		xor	edx, edx
		push	25h
		pop	ecx
		div	ecx
		mov	[edi+14h], dl

loc_7EAE6E:				; CODE XREF: ObpCaptureBoundaryDescriptor+12433Dj
					; ObpCaptureBoundaryDescriptor+12436Ej	...
		cmp	[ebp+var_20], 0
		jnz	loc_90F109

loc_7EAE78:				; CODE XREF: ObpCaptureBoundaryDescriptor+1243FAj
		cmp	[ebp+var_19], 0
		jnz	short loc_7EAEE5

loc_7EAE7E:				; CODE XREF: ObpCaptureBoundaryDescriptor+1D6j
		test	esi, esi
		js	loc_90F117
		mov	eax, [ebp+var_40]
		mov	[eax], edi

loc_7EAE8B:				; CODE XREF: ObpCaptureBoundaryDescriptor+124401j
					; ObpCaptureBoundaryDescriptor+124412j
		mov	eax, esi

loc_7EAE8D:				; CODE XREF: ObpCaptureBoundaryDescriptor+1242F7j
					; sub_90F022+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7EAE9D:				; CODE XREF: ObpCaptureBoundaryDescriptor+A6j
		mov	ecx, large fs:124h
		mov	[ebp+var_19], 1
		mov	eax, [ecx+80h]
		lea	edx, [ebp+var_60]
		push	edx
		push	eax
		push	ecx
		call	SeCaptureSubjectContextEx
		mov	esi, [ebp+var_60]
		test	esi, esi
		jnz	short loc_7EAEC3
		mov	esi, [ebp+var_58]

loc_7EAEC3:				; CODE XREF: ObpCaptureBoundaryDescriptor+1A6j
		lea	eax, [ebp+var_28]
		push	eax
		push	1Dh
		push	esi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		cmp	[ebp+var_28], edi
		jnz	loc_90F045
		mov	ecx, [ebp+var_24]
		mov	eax, ebx

loc_7EAEDD:				; CODE XREF: ObpCaptureBoundaryDescriptor+124364j
		mov	esi, [ebp+var_48]
		jmp	loc_7EADC4
; 

loc_7EAEE5:				; CODE XREF: ObpCaptureBoundaryDescriptor+164j
		lea	eax, [ebp+var_60]
		push	eax
		call	SeReleaseSubjectContext
		jmp	short loc_7EAE7E
; 

loc_7EAEF0:				; CODE XREF: ObpCaptureBoundaryDescriptor+68j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
ObpCaptureBoundaryDescriptor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpCheckDuplicateEntries(x)
_ObpCheckDuplicateEntries@4 proc near	; CODE XREF: ObpCaptureBoundaryDescriptor+12Ap

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], eax
		mov	edx, offset _ObpCompareEntryLevel1@8 ; ObpCompareEntryLevel1(x,x)
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], ecx
		add	ecx, 18h
		push	eax
		call	RtlEnumerateBoundaryDescriptorEntries
		test	eax, eax
		js	short loc_7EAF3A
		cmp	[ebp+var_4], 0
		jl	short loc_7EAF3A
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+var_C]
		jnz	short loc_7EAF3A
		xor	eax, eax
		inc	eax
		leave
		retn
; 

loc_7EAF3A:				; CODE XREF: ObpCheckDuplicateEntries(x)+2Fj
					; ObpCheckDuplicateEntries(x)+35j ...
		xor	eax, eax
		leave
		retn
_ObpCheckDuplicateEntries@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLogHiveFileInaccessible proc	near	; CODE XREF: CmpOpenHiveFile+390p

var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E0		= dword	ptr -0E0h
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B1		= byte ptr -0B1h
var_B0		= dword	ptr -0B0h
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090F12F SIZE 00000085 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 104h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	44h		; size_t
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_C4], edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		xor	eax, eax
		mov	ebx, ds:_SeNullSid
		lea	edi, [ebp+var_E8]
		mov	[ebp+var_100], 18h
		stosd
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[ebp+var_F4], 240h
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_CC], ecx
		push	[ebp+arg_0]
		stosd
		push	[ebp+arg_4]
		mov	[ebp+var_C0], ecx
		mov	[ebp+var_B8], ecx
		stosd
		mov	[ebp+var_B1], cl
		mov	[ebp+var_FC], ecx
		mov	[ebp+var_F8], esi
		stosd
		lea	eax, [ebp+var_D0]
		push	eax
		lea	eax, [ebp+var_100]
		mov	[ebp+var_F0], ecx
		push	eax
		push	20000h
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_EC], ecx
		mov	edi, ecx
		push	eax
		mov	[ebp+var_BC], edi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	loc_7EB10A
		mov	ecx, [ebp+var_B8]
		lea	edx, [ebp+var_C0]
		call	CmpQueryFileSecurityDescriptor
		test	eax, eax
		js	loc_7EB10A
		lea	eax, [ebp+var_104]
		push	eax
		lea	eax, [ebp+var_BC]
		push	eax
		push	0Ch
		push	1
		push	[ebp+var_C0]
		call	SeConvertSecurityDescriptorToStringSecurityDescriptor
		test	eax, eax
		js	loc_7EB104
		lea	eax, [ebp+var_E8]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	ecx, [ebp+var_E8]
		mov	[ebp+var_B1], 1
		test	ecx, ecx
		jz	loc_7EB0F9

loc_7EB076:				; CODE XREF: CmpLogHiveFileInaccessible+1C1j
		xor	esi, esi
		lea	edx, [ebp+var_B0]
		push	esi
		push	44h
		call	_SeQueryUserSidToken@16	; SeQueryUserSidToken(x,x,x,x)
		mov	edi, [ebp+var_BC]
		lea	ebx, [ebp+var_B0]

loc_7EB092:				; CODE XREF: CmpLogHiveFileInaccessible+1CEj
		cmp	dword_6B2348, 3
		jbe	short loc_7EB0B4
		push	2000h
		push	8
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_90F12F

loc_7EB0B4:				; CODE XREF: CmpLogHiveFileInaccessible+15Bj
					; CmpLogHiveFileInaccessible+124271j
		cmp	[ebp+var_B1], 0
		jz	short loc_7EB0C9
		lea	eax, [ebp+var_E8]
		push	eax
		call	SeReleaseSubjectContext

loc_7EB0C9:				; CODE XREF: CmpLogHiveFileInaccessible+17Dj
		test	edi, edi
		jz	short loc_7EB0D4
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7EB0D4:				; CODE XREF: CmpLogHiveFileInaccessible+18Dj
		cmp	[ebp+var_B8], 0
		jz	short loc_7EB0E8
		push	[ebp+var_B8]
		call	_ZwClose@4	; ZwClose(x)

loc_7EB0E8:				; CODE XREF: CmpLogHiveFileInaccessible+19Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_7EB0F9:				; CODE XREF: CmpLogHiveFileInaccessible+132j
		mov	ecx, [ebp+var_E0]
		jmp	loc_7EB076
; 

loc_7EB104:				; CODE XREF: CmpLogHiveFileInaccessible+FEj
		mov	edi, [ebp+var_BC]

loc_7EB10A:				; CODE XREF: CmpLogHiveFileInaccessible+C0j
					; CmpLogHiveFileInaccessible+D9j
		xor	esi, esi
		jmp	short loc_7EB092
CmpLogHiveFileInaccessible endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LocalConvertSDToStringSD_Rev1 proc near	; CODE XREF: SeConvertSecurityDescriptorToStringSecurityDescriptor+3Cp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0090F1B4 SIZE 00000283 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		xor	edx, edx
		push	ebx
		push	esi
		mov	eax, edx
		mov	[ebp+var_14], edx
		mov	esi, edx
		mov	ecx, edx
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], edx
		mov	[ebp+var_1], dl
		mov	[ebp+var_2], dl
		mov	[ebp+var_18], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx
		cmp	[ebp+arg_4], eax
		jz	loc_7EB426
		cmp	[ebp+arg_C], eax
		jz	loc_7EB426
		mov	ebx, [ebp+arg_8]
		test	bl, 1
		jnz	loc_90F1B4

loc_7EB174:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1240B8j
		test	bl, 2
		jnz	loc_90F1EB

loc_7EB17D:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1240EDj
		test	eax, eax
		js	loc_90F1CC
		test	bl, 4
		jz	short loc_7EB19E
		lea	eax, [ebp+arg_8+3]
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_2]
		push	eax
		push	[ebp+arg_4]
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)

loc_7EB19E:				; CODE XREF: LocalConvertSDToStringSD_Rev1+7Aj
		test	eax, eax
		js	loc_90F1CC
		and	ebx, 1F8h
		jz	short loc_7EB1D7
		lea	eax, [ebp+arg_8+3]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp-1]
		push	eax
		push	[ebp+arg_4]
		call	_RtlGetSaclSecurityDescriptor@16 ; RtlGetSaclSecurityDescriptor(x,x,x,x)
		test	eax, eax
		js	loc_90F200
		cmp	[ebp+var_1], 0
		mov	esi, [ebp+var_28]
		jnz	loc_90F20B

loc_7EB1D7:				; CODE XREF: LocalConvertSDToStringSD_Rev1+9Ej
					; LocalConvertSDToStringSD_Rev1+1240FFj ...
		lea	eax, [ebp+arg_8]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	[ebp+arg_4]
		call	_RtlGetControlSecurityDescriptor@12 ; RtlGetControlSecurityDescriptor(x,x,x)
		test	eax, eax
		js	loc_90F1CC
		mov	ecx, [ebp+var_34]
		xor	ebx, ebx
		test	ecx, ecx
		jnz	loc_90F24E

loc_7EB1FC:				; CODE XREF: LocalConvertSDToStringSD_Rev1+124158j
		mov	ecx, [ebp+var_38]
		test	ecx, ecx
		jnz	loc_90F26B

loc_7EB207:				; CODE XREF: LocalConvertSDToStringSD_Rev1+124175j
		mov	ebx, [ebp+var_3C]
		test	bx, bx
		jz	short loc_7EB243
		lea	eax, [ebp+var_20]
		xor	edx, edx
		push	eax
		inc	edx
		mov	ecx, ebx
		call	LocalGetStringForControl
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	loc_7EB3A7
		lea	eax, [ebp+var_1C]
		mov	ecx, ebx
		push	eax
		push	2
		pop	edx
		call	LocalGetStringForControl
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		jnz	loc_7EB3AA

loc_7EB243:				; CODE XREF: LocalConvertSDToStringSD_Rev1+FFj
		mov	al, [ebp+var_1]
		test	al, al
		jnz	loc_90F288

loc_7EB24E:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1241A3j
		mov	bl, [ebp+var_2]
		xor	esi, esi
		test	bl, bl
		jz	short loc_7EB283
		mov	ecx, [ebp+var_40]
		lea	eax, [ebp+var_10]
		push	1
		push	esi
		push	esi
		push	esi
		push	eax
		lea	eax, [ebp+var_30]
		mov	dl, bl
		push	eax
		push	1
		call	LocalConvertAclToString
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		jnz	loc_7EB3AA
		add	edi, [ebp+var_10]
		mov	bl, [ebp+var_2]

loc_7EB283:				; CODE XREF: LocalConvertSDToStringSD_Rev1+147j
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jnz	loc_90F2B6

loc_7EB28E:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1241C0j
		mov	esi, [ebp+var_C]
		test	esi, esi
		jnz	loc_90F2D3

loc_7EB299:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1241E0j
		test	bl, bl
		jz	loc_90F2F3
		mov	eax, [ebp+var_20]
		add	edi, 4
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_7EB2C4
		mov	ecx, eax
		lea	edx, [ecx+2]

loc_7EB2B2:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1ADj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_7EB2B2
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]

loc_7EB2C4:				; CODE XREF: LocalConvertSDToStringSD_Rev1+19Dj
					; LocalConvertSDToStringSD_Rev1+1241E7j
		cmp	[ebp+var_1], 0
		jnz	loc_90F2FA

loc_7EB2CE:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1241F4j
					; LocalConvertSDToStringSD_Rev1+124211j
		lea	ebx, [edi+2]
		push	ecx
		mov	ecx, ebx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	edx, eax
		mov	eax, [ebp+arg_C]
		mov	[eax], edx
		test	edx, edx
		jz	loc_7EB3F4
		xor	eax, eax
		shr	ebx, 1
		mov	esi, eax
		mov	eax, [ebp+var_18]
		test	eax, eax
		jnz	loc_90F324

loc_7EB2F9:				; CODE XREF: LocalConvertSDToStringSD_Rev1+124247j
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jnz	loc_90F35A

loc_7EB304:				; CODE XREF: LocalConvertSDToStringSD_Rev1+12428Bj
		cmp	[ebp+var_2], 0
		jz	loc_7EB392
		mov	eax, ebx
		lea	ecx, [edx+esi*2]
		mov	edx, [ebp+var_20]
		sub	eax, esi
		test	edx, edx
		jz	loc_90F39E
		push	edx
		push	3Ah
		push	offset ??_C@_13MKMNOPIJ@?$AAD@NNGAKEGL@
		push	offset ??_C@_1BE@OCEKOCCF@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAc?$AA?$CF?$AAw?$AAs@NNGAKEGL@
		push	eax
		push	ecx
		call	_swprintf_s
		add	esp, 18h

loc_7EB337:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1242A6j
		mov	eax, [ebp+arg_C]
		mov	edx, [eax]
		lea	ecx, [edx+esi*2]
		lea	eax, [ecx+2]
		mov	[ebp+arg_4], eax

loc_7EB345:				; CODE XREF: LocalConvertSDToStringSD_Rev1+241j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_14]
		jnz	short loc_7EB345
		sub	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_30]
		sar	ecx, 1
		add	esi, ecx
		test	eax, eax
		jz	short loc_7EB392
		push	eax
		mov	eax, ebx
		sub	eax, esi
		push	eax
		lea	eax, [edx+esi*2]
		push	eax
		call	_wcscpy_s
		mov	eax, [ebp+arg_C]
		add	esp, 0Ch
		mov	edx, [eax]
		lea	ecx, [edx+esi*2]
		lea	eax, [ecx+2]
		mov	[ebp+arg_4], eax

loc_7EB37F:				; CODE XREF: LocalConvertSDToStringSD_Rev1+27Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_14]
		jnz	short loc_7EB37F
		sub	ecx, [ebp+arg_4]
		sar	ecx, 1
		add	esi, ecx

loc_7EB392:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1FAj
					; LocalConvertSDToStringSD_Rev1+24Fj
		cmp	[ebp+var_1], 0
		jnz	loc_90F3B9

loc_7EB39C:				; CODE XREF: LocalConvertSDToStringSD_Rev1+12430Ej
					; LocalConvertSDToStringSD_Rev1+124324j
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_7EB3A7
		shr	edi, 1
		mov	[eax], edi

loc_7EB3A7:				; CODE XREF: LocalConvertSDToStringSD_Rev1+114j
					; LocalConvertSDToStringSD_Rev1+293j ...
		mov	ebx, [ebp+var_8]

loc_7EB3AA:				; CODE XREF: LocalConvertSDToStringSD_Rev1+12Fj
					; LocalConvertSDToStringSD_Rev1+169j ...
		mov	esi, [ebp+var_C]

loc_7EB3AD:				; CODE XREF: LocalConvertSDToStringSD_Rev1+2E9j
		mov	eax, [ebp+var_18]
		xor	edi, edi
		test	eax, eax
		jnz	short loc_7EB3F9

loc_7EB3B6:				; CODE XREF: LocalConvertSDToStringSD_Rev1+2F2j
		test	esi, esi
		jnz	short loc_7EB402

loc_7EB3BA:				; CODE XREF: LocalConvertSDToStringSD_Rev1+2FBj
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	short loc_7EB40B

loc_7EB3C1:				; CODE XREF: LocalConvertSDToStringSD_Rev1+304j
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_7EB3CF
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7EB3CF:				; CODE XREF: LocalConvertSDToStringSD_Rev1+2B8j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_7EB414

loc_7EB3D6:				; CODE XREF: LocalConvertSDToStringSD_Rev1+30Dj
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_7EB3E4
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7EB3E4:				; CODE XREF: LocalConvertSDToStringSD_Rev1+2CDj
		mov	eax, [ebp+var_24]
		test	eax, eax
		jnz	short loc_7EB41D

loc_7EB3EB:				; CODE XREF: LocalConvertSDToStringSD_Rev1+316j
		mov	eax, ebx

loc_7EB3ED:				; CODE XREF: LocalConvertSDToStringSD_Rev1+31Bj
					; LocalConvertSDToStringSD_Rev1+1240D8j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7EB3F4:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1D4j
		push	8
		pop	ebx
		jmp	short loc_7EB3AD
; 

loc_7EB3F9:				; CODE XREF: LocalConvertSDToStringSD_Rev1+2A6j
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7EB3B6
; 

loc_7EB402:				; CODE XREF: LocalConvertSDToStringSD_Rev1+2AAj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7EB3BA
; 

loc_7EB40B:				; CODE XREF: LocalConvertSDToStringSD_Rev1+2B1j
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7EB3C1
; 

loc_7EB414:				; CODE XREF: LocalConvertSDToStringSD_Rev1+2C6j
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7EB3D6
; 

loc_7EB41D:				; CODE XREF: LocalConvertSDToStringSD_Rev1+2DBj
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7EB3EB
; 

loc_7EB426:				; CODE XREF: LocalConvertSDToStringSD_Rev1+4Bj
					; LocalConvertSDToStringSD_Rev1+54j
		push	57h
		pop	eax
		jmp	short loc_7EB3ED
LocalConvertSDToStringSD_Rev1 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LocalGetStringForControl proc near	; CODE XREF: LocalConvertSDToStringSD_Rev1+10Ap
					; LocalConvertSDToStringSD_Rev1+123p

var_20C		= dword	ptr -20Ch
var_206		= word ptr -206h
var_204		= dword	ptr -204h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090F437 SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_20C], edx
		mov	[ebp+var_206], cx
		test	ebx, ebx
		jz	loc_90F437
		mov	[ebx], edi
		mov	esi, edi

loc_7EB462:				; CODE XREF: LocalGetStringForControl+6Bj
		mov	eax, ds:dword_40426C[esi]
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_7EB491
		mov	ecx, ds:dword_404264[esi]
		lea	eax, [ecx+edi]
		cmp	eax, 100h
		jnb	loc_90F437
		movzx	eax, [ebp+var_206]
		test	ds:dword_404268[esi], eax
		jnz	short loc_7EB4E9

loc_7EB491:				; CODE XREF: LocalGetStringForControl+40j
					; LocalGetStringForControl+EAj
		add	esi, 10h
		cmp	esi, 60h
		jb	short loc_7EB462
		lea	esi, [edi+edi]
		cmp	esi, 200h
		jnb	short loc_7EB522
		xor	eax, eax
		mov	word ptr [ebp+esi+var_204], ax
		test	edi, edi
		jz	short loc_7EB4D6
		add	esi, 2
		push	ecx
		mov	ecx, esi
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jz	short loc_7EB51B
		lea	ecx, [ebp+var_204]
		shr	esi, 1
		push	ecx
		push	esi
		push	eax
		call	_wcscpy_s
		add	esp, 0Ch

loc_7EB4D6:				; CODE XREF: LocalGetStringForControl+84j
		xor	eax, eax

loc_7EB4D8:				; CODE XREF: LocalGetStringForControl+12400Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7EB4E9:				; CODE XREF: LocalGetStringForControl+63j
		push	ecx
		push	ds:_ControlLookup[esi]
		mov	eax, 100h
		sub	eax, edi
		push	eax
		lea	eax, [ebp+var_204]
		lea	eax, [eax+edi*2]
		push	eax
		call	_wcsncpy_s
		mov	edx, [ebp+var_20C]
		add	esp, 10h
		add	edi, ds:dword_404264[esi]
		jmp	loc_7EB491
; 

loc_7EB51B:				; CODE XREF: LocalGetStringForControl+95j
		push	8
		jmp	loc_90F439
; 

loc_7EB522:				; CODE XREF: LocalGetStringForControl+76j
		call	___report_rangecheckfailure
		int	3		; Trap to Debugger
LocalGetStringForControl endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LocalConvertSidToStringSidW proc near	; CODE XREF: SeConvertSidToStringSid(x,x)+Bp
					; LocalConvertAclToString+629p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090F43F SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		test	ecx, ecx
		jz	short loc_7EB58E
		test	esi, esi
		jz	short loc_7EB58E
		push	1
		push	ecx
		lea	eax, [ebp+var_8]
		push	eax
		call	RtlConvertSidToUnicodeString
		test	eax, eax
		js	short loc_7EB58B
		push	ecx
		movzx	ecx, word ptr [ebp+var_8]
		add	ecx, 2
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	loc_90F43F
		movzx	edx, word ptr [ebp+var_8]
		mov	ecx, eax
		push	edx
		push	[ebp+var_4]
		add	edx, 2
		call	_RtlStringCbCopyNW@16 ;	RtlStringCbCopyNW(x,x,x,x)
		test	eax, eax
		js	short loc_7EB58B
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		xor	eax, eax

loc_7EB58B:				; CODE XREF: LocalConvertSidToStringSidW+29j
					; LocalConvertSidToStringSidW+56j ...
		pop	esi
		leave
		retn
; 

loc_7EB58E:				; CODE XREF: LocalConvertSidToStringSidW+15j
					; LocalConvertSidToStringSidW+19j
		mov	eax, 0C000000Dh
		jmp	short loc_7EB58B
LocalConvertSidToStringSidW endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeQueryMandatoryLabel proc near		; CODE XREF: MiAllowImageMap(x,x,x,x)+117p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090F452 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	eax, word ptr [ecx+2]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	edx, eax
		test	al, 10h
		jz	short loc_7EB600
		mov	esi, [ecx+0Ch]
		test	dx, dx
		jns	short loc_7EB5BC
		lea	eax, [esi+ecx]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_7EB5BC:				; CODE XREF: SeQueryMandatoryLabel+1Bj
					; SeQueryMandatoryLabel+6Cj
		mov	ebx, _SepDefaultMandatorySid
		mov	[ebp+var_4], edi

loc_7EB5C5:				; CODE XREF: SeQueryMandatoryLabel+48j
		lea	eax, [ebp+var_4]
		push	eax
		push	11h
		push	esi
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		test	eax, eax
		jnz	loc_90F452

loc_7EB5D9:				; CODE XREF: SeQueryMandatoryLabel+123EC0j
		inc	[ebp+var_4]
		test	eax, eax
		jnz	short loc_7EB5C5

loc_7EB5E0:				; CODE XREF: SeQueryMandatoryLabel+123EC9j
		push	ebx
		call	_RtlSubAuthorityCountSid@4 ; RtlSubAuthorityCountSid(x)
		mov	al, [eax]
		test	al, al
		jz	short loc_7EB5F9
		movzx	eax, al
		dec	eax
		push	eax
		push	ebx
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	edi, [eax]

loc_7EB5F9:				; CODE XREF: SeQueryMandatoryLabel+54j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7EB600:				; CODE XREF: SeQueryMandatoryLabel+13j
		mov	esi, edi
		jmp	short loc_7EB5BC
SeQueryMandatoryLabel endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LocalpGetStringForCondition proc near	; CODE XREF: LocalGetAceCondition+9Cp

var_444		= dword	ptr -444h
var_440		= dword	ptr -440h
var_43C		= dword	ptr -43Ch
var_438		= dword	ptr -438h
var_434		= dword	ptr -434h
var_430		= dword	ptr -430h
var_42C		= dword	ptr -42Ch
var_428		= dword	ptr -428h
var_424		= dword	ptr -424h
var_420		= dword	ptr -420h
var_41C		= dword	ptr -41Ch
var_418		= dword	ptr -418h
var_414		= dword	ptr -414h
var_410		= byte ptr -410h
var_40C		= dword	ptr -40Ch
var_408		= dword	ptr -408h
var_404		= dword	ptr -404h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0090F464 SIZE 0000021D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 444h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	[ebp+var_438], eax
		mov	eax, [ebp+arg_C]
		push	edi
		mov	[ebp+var_434], eax
		xor	edi, edi
		mov	eax, [ebp+arg_10]
		mov	esi, edi
		push	400h		; size_t
		mov	[ebp+var_430], eax
		lea	eax, [ebp+var_404]
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_41C], edx
		mov	[ebp+var_428], ecx
		mov	[ebp+var_444], ebx
		mov	[ebp+var_440], edi
		mov	[ebp+var_408], esi
		mov	[ebp+var_40C], edi
		call	_memset
		mov	ecx, [ebp+var_428]
		xor	eax, eax
		add	esp, 0Ch
		mov	[ebp+var_420], eax
		test	ecx, ecx
		jz	loc_7EB9B2
		test	ebx, ebx
		jz	loc_7EB9B2
		mov	edx, [ebp+var_41C]
		test	edx, edx
		jz	loc_7EB9B2
		cmp	edx, 6
		jb	loc_90F677
		cmp	dword ptr [ecx], 78747261h
		jnz	loc_90F677
		push	4
		pop	eax
		mov	[ebp+var_424], eax

loc_7EB6C1:				; CODE XREF: LocalpGetStringForCondition+2F8j
		cmp	edi, 0FFh
		jz	loc_90F648
		add	ecx, eax
		mov	[ebp+var_414], ecx
		mov	bl, [ecx]
		mov	byte ptr [ebp+var_43C],	bl
		cmp	bl, 51h
		ja	short loc_7EB70D
		cmp	bl, 50h
		jnb	loc_7EB90A
		test	bl, bl
		jnz	loc_7EB901
		mov	ecx, [ebp+var_428]

loc_7EB6F9:				; CODE XREF: LocalpGetStringForCondition+38Fj
		inc	eax
		cmp	eax, edx
		jb	loc_7EB98F

loc_7EB702:				; CODE XREF: LocalpGetStringForCondition+397j
		jz	loc_7EB8E6
		jmp	loc_90F476
; 

loc_7EB70D:				; CODE XREF: LocalpGetStringForCondition+DCj
		cmp	bl, 80h
		jb	loc_90F476
		cmp	bl, 93h
		ja	loc_7EB875

loc_7EB71F:				; CODE XREF: LocalpGetStringForCondition+27Dj
		cmp	bl, 0A0h
		jz	loc_90F494
		cmp	bl, 0A1h
		jz	loc_90F494
		cmp	bl, 0A2h
		jz	loc_90F486

loc_7EB73A:				; CODE XREF: LocalpGetStringForCondition+123ED3j
		mov	cl, [ecx]
		call	_GetOperatorIndexByToken@4 ; GetOperatorIndexByToken(x)
		test	eax, eax
		js	loc_90F476
		imul	edx, eax, 14h
		mov	[ebp+var_418], edx
		mov	ecx, ds:_Operators[edx]
		lea	eax, [ecx+2]
		mov	dword ptr [ebp+var_410], eax

loc_7EB761:				; CODE XREF: LocalpGetStringForCondition+16Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_440]
		jnz	short loc_7EB761
		sub	ecx, dword ptr [ebp+var_410]
		sar	ecx, 1
		add	ecx, ecx
		cmp	ds:byte_403FE4[edx], 0
		mov	[ebp+var_40C], ecx
		jnz	loc_90F4DC
		cmp	edi, 2
		jl	loc_90F476
		mov	ebx, [ebp+edi*4+var_408]
		lea	eax, [ebp+var_40C]
		push	eax
		mov	edx, ebx
		call	_ULongAddStringSize@12 ; ULongAddStringSize(x,x,x)
		test	eax, eax
		js	loc_90F604
		mov	eax, [ebp+edi*4+var_40C]
		lea	ecx, [ebp+var_40C]
		push	ecx
		mov	ecx, [ebp+var_40C]
		mov	edx, eax
		mov	dword ptr [ebp+var_410], eax
		call	_ULongAddStringSize@12 ; ULongAddStringSize(x,x,x)
		test	eax, eax
		js	loc_90F604
		mov	eax, [ebp+var_40C]
		add	eax, 0Ah
		push	ecx
		mov	ecx, eax
		mov	[ebp+var_42C], eax
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[ebp+var_40C], eax
		test	eax, eax
		jz	loc_90F5FC
		mov	ecx, [ebp+var_418]
		push	ebx
		push	ds:_Operators[ecx]
		mov	ecx, [ebp+var_42C]
		push	dword ptr [ebp+var_410]	; char
		shr	ecx, 1
		push	offset ??_C@_1BM@HKDMMLMD@?$AA?$CI?$AA?$CF?$AAl?$AAs?$AA?5?$AA?$CF?$AAl?$AAs?$AA?5?$AA?$CF?$AAl?$AAs?$AA?$CJ@NNGAKEGL@ ; wchar_t *
		push	ecx		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 18h
		test	eax, eax
		js	loc_90F618
		test	ebx, ebx
		jz	short loc_7EB840
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7EB840:				; CODE XREF: LocalpGetStringForCondition+231j
		mov	eax, dword ptr [ebp+var_410]
		test	eax, eax
		jz	short loc_7EB853
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7EB853:				; CODE XREF: LocalpGetStringForCondition+244j
		or	ecx, 0FFFFFFFFh
		lea	edx, [ebp+edi*4+var_40C]

loc_7EB85D:				; CODE XREF: LocalpGetStringForCondition+123FECj
		mov	eax, [ebp+var_40C]
		mov	[edx], eax
		xor	eax, eax
		mov	[ebp+var_420], 1
		add	edi, ecx
		jmp	short loc_7EB8D4
; 

loc_7EB875:				; CODE XREF: LocalpGetStringForCondition+115j
		cmp	bl, 9Fh
		jbe	loc_90F476
		cmp	bl, 0A3h
		jbe	loc_7EB71F
		cmp	bl, 0F7h
		jbe	loc_90F476
		cmp	bl, 0FCh
		ja	loc_90F476
		lea	esi, [ebp+var_420]
		sub	edx, eax
		push	esi
		lea	esi, [ebp+var_40C]
		push	esi
		push	[ebp+var_43C]
		call	GetPrintableAttributeName
		mov	esi, eax
		mov	[ebp+var_408], esi
		test	esi, esi
		jnz	loc_90F621
		mov	eax, [ebp+var_40C]
		mov	[ebp+edi*4+var_404], eax

loc_7EB8D1:				; CODE XREF: LocalpGetStringForCondition+34Dj
		inc	edi
		xor	eax, eax

loc_7EB8D4:				; CODE XREF: LocalpGetStringForCondition+26Fj
		mov	edx, [ebp+var_41C]
		mov	[ebp+var_40C], eax
		mov	eax, [ebp+var_424]

loc_7EB8E6:				; CODE XREF: LocalpGetStringForCondition:loc_7EB702j
		add	eax, [ebp+var_420]
		mov	[ebp+var_424], eax
		cmp	eax, edx
		jnb	short loc_7EB956
		mov	ecx, [ebp+var_428]
		jmp	loc_7EB6C1
; 

loc_7EB901:				; CODE XREF: LocalpGetStringForCondition+E9j
		cmp	bl, 10h
		jnz	loc_90F464

loc_7EB90A:				; CODE XREF: LocalpGetStringForCondition+E1j
					; LocalpGetStringForCondition+123E63j ...
		push	[ebp+arg_14]
		lea	esi, [ebp+var_420]
		sub	edx, eax
		push	[ebp+var_430]
		push	[ebp+var_434]
		push	[ebp+var_438]
		push	esi
		lea	esi, [ebp+var_40C]
		push	esi
		call	GetPrintableOperandValue
		mov	esi, eax
		mov	[ebp+var_408], esi
		test	esi, esi
		jnz	loc_90F621
		mov	ecx, [ebp+var_40C]
		mov	[ebp+edi*4+var_404], ecx
		jmp	loc_7EB8D1
; 

loc_7EB956:				; CODE XREF: LocalpGetStringForCondition+2F0j
		cmp	edi, 1
		jnz	short loc_7EB9A9
		mov	ebx, [ebp+var_444]
		mov	ecx, ebx
		mov	eax, [ebp+var_404]
		mov	[ebx], eax
		call	EncloseSubCondition
		mov	esi, eax
		mov	[ebp+var_408], esi
		test	esi, esi
		jnz	short loc_7EB9A0

loc_7EB97C:				; CODE XREF: LocalpGetStringForCondition+3A7j
					; LocalpGetStringForCondition+12400Fj ...
		mov	eax, esi

loc_7EB97E:				; CODE XREF: LocalpGetStringForCondition+3B1j
					; LocalpGetStringForCondition+124078j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_7EB98F:				; CODE XREF: LocalpGetStringForCondition+F8j
		cmp	byte ptr [ecx+eax], 0
		jz	loc_7EB6F9
		cmp	eax, edx
		jmp	loc_7EB702
; 

loc_7EB9A0:				; CODE XREF: LocalpGetStringForCondition+376j
		xor	eax, eax
		mov	[ebx], eax
		jmp	loc_90F63D
; 

loc_7EB9A9:				; CODE XREF: LocalpGetStringForCondition+355j
					; LocalpGetStringForCondition+123E7Dj ...
		test	edi, edi
		jz	short loc_7EB97C
		jmp	loc_90F63D
; 

loc_7EB9B2:				; CODE XREF: LocalpGetStringForCondition+83j
					; LocalpGetStringForCondition+8Bj ...
		push	57h
		pop	eax
		jmp	short loc_7EB97E
LocalpGetStringForCondition endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ULongAddStringSize(x, x, x)
_ULongAddStringSize@12 proc near	; CODE XREF: LocalpGetStringForCondition+1A2p
					; LocalpGetStringForCondition+1CBp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	2
		mov	esi, ecx
		lea	eax, [edx+2]
		pop	edi

loc_7EB9C7:				; CODE XREF: ULongAddStringSize(x,x,x)+17j
		mov	cx, [edx]
		add	edx, edi
		test	cx, cx
		jnz	short loc_7EB9C7
		mov	ecx, [ebp+arg_0]
		sub	edx, eax
		sar	edx, 1
		mov	eax, edx
		mul	edi
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_7EB9F1
		mov	edx, [ecx]
		push	ecx
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)

loc_7EB9F1:				; CODE XREF: ULongAddStringSize(x,x,x)+2Dj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_ULongAddStringSize@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EncloseSubCondition proc near		; CODE XREF: LocalpGetStringForCondition+367p
					; LocalpGetStringForCondition+123E9Cp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090F681 SIZE 0000008E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], esi
		mov	edx, [ebx]
		cmp	word ptr [edx],	28h
		jnz	loc_90F681

loc_7EBA13:				; CODE XREF: EncloseSubCondition+123D12j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
EncloseSubCondition endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

GetPrintableOperandValue proc near	; CODE XREF: LocalpGetStringForCondition+32Bp
					; GetPrintableOperandValue+123E83p

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= byte ptr -68h
var_62		= byte ptr -62h
var_61		= byte ptr -61h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_14		= word ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0090F70F SIZE 000004BC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 90h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_80], edx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_88], ecx
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_90], ecx
		mov	ecx, [ebp+arg_10]
		mov	[ebp+var_8C], ecx
		xor	ecx, ecx
		mov	[ebp+var_60], eax
		mov	esi, ecx
		mov	[ebp+var_84], ecx
		mov	[ebp+var_5C], ecx
		mov	dword ptr [ebp+var_68],	ecx
		mov	[ebp+var_74], ecx
		test	edi, edi
		jz	loc_7EBB57
		test	eax, eax
		jz	loc_7EBB57
		test	edx, edx
		jz	loc_7EBB57
		mov	dword ptr [ebx], 1
		mov	al, [edi]
		test	al, al
		jz	loc_90F980
		cmp	al, 4
		jbe	loc_90FAA5
		cmp	al, 10h
		jnz	loc_90F70F
		lea	eax, [edx-1]
		cmp	eax, 4
		jb	loc_90F801
		mov	ecx, [edi+1]
		lea	eax, [edx-5]
		mov	[ebp+var_70], ecx
		mov	dword ptr [ebx], 5
		cmp	eax, ecx
		jb	loc_90F801
		lea	eax, [ebp+var_5C]
		push	eax
		push	6
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_7EBB49
		push	ecx
		mov	ecx, [ebp+var_5C]
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_60]
		mov	[eax], ecx
		test	ecx, ecx
		jz	short loc_7EBB50
		push	22h
		pop	eax
		push	[ebp+var_70]	; size_t
		mov	[ecx], ax
		mov	eax, [ebx]
		add	eax, edi
		mov	edi, [ebp+var_60]
		push	eax		; void *
		mov	eax, [edi]
		add	eax, 2
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_70]
		add	esp, 0Ch
		mov	eax, [edi]
		mov	ecx, edx
		shr	ecx, 1
		push	22h
		pop	esi
		mov	[eax+ecx*2+2], si
		mov	eax, [edi]
		xor	edi, edi
		mov	esi, edi
		mov	[eax+ecx*2+4], di
		add	[ebx], edx

loc_7EBB2A:				; CODE XREF: GetPrintableOperandValue+123D64j
					; GetPrintableOperandValue+123DD9j ...
		xor	ecx, ecx

loc_7EBB2C:				; CODE XREF: GetPrintableOperandValue+123F6Bj
		cmp	dword ptr [ebp+var_68],	0
		jnz	loc_90FBBD

loc_7EBB36:				; CODE XREF: GetPrintableOperandValue+134j
					; GetPrintableOperandValue+123DECj ...
		mov	eax, esi

loc_7EBB38:				; CODE XREF: GetPrintableOperandValue+140j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_7EBB49:				; CODE XREF: GetPrintableOperandValue+BDj
					; GetPrintableOperandValue+123FD3j ...
		mov	esi, 216h
		jmp	short loc_7EBB36
; 

loc_7EBB50:				; CODE XREF: GetPrintableOperandValue+D1j
					; GetPrintableOperandValue+123DBDj ...
		push	8
		jmp	loc_90F7FB
; 

loc_7EBB57:				; CODE XREF: GetPrintableOperandValue+56j
					; GetPrintableOperandValue+5Ej	...
		push	57h
		pop	eax
		jmp	short loc_7EBB38
GetPrintableOperandValue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

GetPrintableAttributeName proc near	; CODE XREF: LocalpGetStringForCondition+2ABp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0090FBCB SIZE 00000104 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], ebx
		mov	esi, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		push	edi
		mov	edi, eax
		test	ebx, ebx
		jz	loc_7EBC70
		cmp	[ebp+arg_4], eax
		jz	loc_7EBC70
		test	edx, edx
		jz	loc_7EBC70
		mov	ecx, [ebp+arg_8]
		lea	eax, [edx-1]
		mov	dword ptr [ecx], 1
		cmp	eax, 4
		jb	loc_90FBCB
		mov	ebx, [ebx+1]
		lea	eax, [edx-5]
		mov	[ebp+var_8], ebx
		mov	dword ptr [ecx], 5
		cmp	eax, ebx
		jb	loc_90FBCB
		mov	bl, byte ptr [ebp+arg_0]
		cmp	bl, 0F8h
		jnz	loc_90FBD5
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	2
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_90FC68

loc_7EBBE6:				; CODE XREF: GetPrintableAttributeName+1240DFj
					; GetPrintableAttributeName+124104j
		push	ecx
		mov	ecx, [ebp+var_4]
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ebx, eax
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		test	ebx, ebx
		jz	short loc_7EBC6B
		mov	al, byte ptr [ebp+arg_0]
		cmp	al, 0FBh
		jz	loc_90FC72
		cmp	al, 0F9h
		jz	loc_90FCA2
		cmp	al, 0FAh
		jz	loc_90FC7A
		cmp	al, 0FCh
		jz	loc_90FCAA

loc_7EBC1D:				; CODE XREF: GetPrintableAttributeName+124160j
		cmp	al, 0F8h
		jnz	loc_90FC89
		mov	eax, [ebp+arg_8]
		push	[ebp+var_8]	; size_t
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		add	eax, [ebp+var_14]
		push	eax		; void *
		lea	eax, [ebx+edi]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_8]

loc_7EBC43:				; CODE XREF: GetPrintableAttributeName+124141j
		mov	ecx, [ebp+var_4]
		xor	edi, edi
		shr	ecx, 1
		add	esp, 0Ch
		add	eax, [ebp+var_8]
		mov	[edx], eax
		mov	[ebx+ecx*2-2], di

loc_7EBC57:				; CODE XREF: GetPrintableAttributeName+112j
					; GetPrintableAttributeName+12408Fj ...
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_90FCC1

loc_7EBC62:				; CODE XREF: GetPrintableAttributeName+124074j
					; GetPrintableAttributeName+124111j ...
		mov	eax, esi

loc_7EBC64:				; CODE XREF: GetPrintableAttributeName+117j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7EBC6B:				; CODE XREF: GetPrintableAttributeName+9Cj
		push	8
		pop	esi
		jmp	short loc_7EBC57
; 

loc_7EBC70:				; CODE XREF: GetPrintableAttributeName+24j
					; GetPrintableAttributeName+2Dj ...
		push	57h
		pop	eax
		jmp	short loc_7EBC64
GetPrintableAttributeName endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlEnumerateBoundaryDescriptorEntries proc near
					; CODE XREF: ObpCompareNamespaceEntry(x,x)+31p
					; ObpVerifyCreatorAccessCheck+F2p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090FCCF SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], edx
		push	edi
		mov	eax, [esi+8]
		cmp	eax, 10h
		jb	loc_7EBD42
		cmp	dword ptr [esi], 1
		jnz	loc_7EBD42
		lea	ebx, [eax+esi]
		cmp	ebx, esi
		jb	loc_7EBD42
		lea	edi, [esi+10h]
		xor	edx, edx
		lea	ecx, [edi+8]
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		mov	eax, edx
		cmp	ecx, ebx
		jnb	short loc_7EBD34

loc_7EBCBA:				; CODE XREF: RtlEnumerateBoundaryDescriptorEntries+A6j
		inc	eax
		mov	[ebp+var_4], eax
		mov	eax, [edi+4]
		mov	[ebp+var_8], eax
		cmp	eax, 8
		jb	short loc_7EBD42
		add	eax, edi
		mov	[ebp+var_18], eax
		cmp	eax, edi
		jb	short loc_7EBD42
		cmp	eax, ebx
		ja	short loc_7EBD42
		mov	eax, [edi]
		sub	eax, 1
		jz	short loc_7EBD1E
		sub	eax, 1
		jnz	loc_90FCCF

loc_7EBCE6:				; CODE XREF: RtlEnumerateBoundaryDescriptorEntries+124069j
		mov	edx, [ebp+var_8]
		add	edx, 0FFFFFFF8h
		call	_RtlpValidateSidBuffer@8 ; RtlpValidateSidBuffer(x,x)
		test	al, al
		jz	short loc_7EBD42

loc_7EBCF5:				; CODE XREF: RtlEnumerateBoundaryDescriptorEntries+B2j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_7EBD06
		push	[ebp+arg_0]
		push	edi
		call	eax
		test	eax, eax
		jz	short loc_7EBD31

loc_7EBD06:				; CODE XREF: RtlEnumerateBoundaryDescriptorEntries+84j
		mov	edi, [ebp+var_18]
		mov	eax, [ebp+var_4]
		add	edi, 7
		and	edi, 0FFFFFFF8h
		lea	ecx, [edi+8]
		cmp	ecx, ebx
		jnb	short loc_7EBD34
		mov	edx, [ebp+var_10]
		jmp	short loc_7EBCBA
; 

loc_7EBD1E:				; CODE XREF: RtlEnumerateBoundaryDescriptorEntries+65j
		mov	eax, [ebp+var_C]
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, 1
		jbe	short loc_7EBCF5
		mov	eax, 0C00000BDh
		jmp	short loc_7EBD3B
; 

loc_7EBD31:				; CODE XREF: RtlEnumerateBoundaryDescriptorEntries+8Ej
		mov	eax, [ebp+var_4]

loc_7EBD34:				; CODE XREF: RtlEnumerateBoundaryDescriptorEntries+42j
					; RtlEnumerateBoundaryDescriptorEntries+A1j
		cmp	[esi+4], eax
		jnz	short loc_7EBD42
		xor	eax, eax

loc_7EBD3B:				; CODE XREF: RtlEnumerateBoundaryDescriptorEntries+B9j
					; RtlEnumerateBoundaryDescriptorEntries+D1j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7EBD42:				; CODE XREF: RtlEnumerateBoundaryDescriptorEntries+16j
					; RtlEnumerateBoundaryDescriptorEntries+1Fj ...
		mov	eax, 0C000000Dh
		jmp	short loc_7EBD3B
RtlEnumerateBoundaryDescriptorEntries endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RtlpValidateSidBuffer(x, x)
_RtlpValidateSidBuffer@8 proc near	; CODE XREF: RtlEnumerateBoundaryDescriptorEntries+76p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		cmp	edi, 8
		jb	short loc_7EBD74
		push	esi
		call	_RtlSubAuthorityCountSid@4 ; RtlSubAuthorityCountSid(x)
		movzx	eax, byte ptr [eax]
		lea	eax, ds:8[eax*4]
		cmp	edi, eax
		jb	short loc_7EBD74
		push	esi
		call	_RtlValidSid@4	; RtlValidSid(x)

loc_7EBD71:				; CODE XREF: RtlpValidateSidBuffer(x,x)+2Cj
		pop	edi
		pop	esi
		retn
; 

loc_7EBD74:				; CODE XREF: RtlpValidateSidBuffer(x,x)+Bj
					; RtlpValidateSidBuffer(x,x)+1Fj
		xor	al, al
		jmp	short loc_7EBD71
_RtlpValidateSidBuffer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LocalConvertAclToString	proc near	; CODE XREF: LocalConvertSDToStringSD_Rev1+15Dp
					; LocalConvertSDToStringSD_Rev1+12418Ep

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 0090FCEF SIZE 000002EA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_38], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_1C], ecx
		test	esi, esi
		jz	loc_90FFD1
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jz	loc_90FFD1
		test	dl, dl
		jz	loc_90FCEF
		test	edi, edi
		jz	loc_90FD08
		movzx	eax, word ptr [edi+4]
		test	ax, ax
		jz	loc_90FD22
		cmp	byte ptr [ebp+arg_0], cl
		setz	cl
		inc	ecx
		mov	[ebp+var_18], ecx
		push	ecx
		mov	ecx, eax
		shl	ecx, 2
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_2C], ebx
		test	ebx, ebx
		jz	loc_90FD36
		push	ecx
		movzx	ecx, word ptr [edi+4]
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	loc_90FD2D
		push	ecx
		movzx	ecx, word ptr [edi+4]
		shl	ecx, 2
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	edx, eax
		mov	[ebp+var_48], edx
		test	edx, edx
		jz	loc_90FD3D
		lea	eax, [edi+8]
		mov	ebx, eax
		mov	[ebp+var_C], eax
		xor	eax, eax
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], eax
		cmp	ax, [edi+4]
		jnb	loc_90FE14
		mov	ecx, [ebp+var_2C]
		mov	eax, edx
		mov	edx, [ebp+var_4]
		sub	eax, ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_34], eax

loc_7EBE50:				; CODE XREF: LocalConvertAclToString+2C3j
		push	[ebp+var_18]
		add	edx, 2
		xor	ecx, ecx
		mov	[ebp+var_4], edx
		movzx	edx, byte ptr [ebx]
		call	_LookupAceTypeInTable@12 ; LookupAceTypeInTable(x,x,x)
		test	eax, eax
		jz	loc_90FE04
		mov	ecx, [eax]
		xor	esi, esi
		lea	edx, [ecx+2]

loc_7EBE72:				; CODE XREF: LocalConvertAclToString+103j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_7EBE72
		mov	edi, [ebp+var_4]
		sub	ecx, edx
		sar	ecx, 1
		add	edi, 2
		xor	eax, eax
		lea	edi, [edi+ecx*2]

loc_7EBE8C:				; CODE XREF: LocalConvertAclToString+128j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		shl	edx, cl
		test	[ebx+1], dl
		jnz	loc_7EBF8A

loc_7EBE9C:				; CODE XREF: LocalConvertAclToString+222j
					; LocalConvertAclToString+240j
		inc	esi
		cmp	esi, 8
		jb	short loc_7EBE8C
		movzx	eax, byte ptr [ebx]
		lea	edx, [edi+2]
		mov	[ebp+var_4], edx
		mov	[ebp+var_24], edx
		cmp	eax, 15h
		ja	loc_90FDFD
		movzx	eax, ds:byte_7EC440[eax]
		jmp	ds:off_7EC434[eax*4]

loc_7EBEC5:				; DATA XREF: PAGE:off_7EC434o
		mov	eax, [ebx+4]
		lea	edi, [ebx+8]
		mov	[ebp+var_10], eax
		mov	[ebp+var_20], edi

loc_7EBED1:				; CODE XREF: LocalConvertAclToString+124020j
					; LocalConvertAclToString+12402Cj
		mov	ebx, [ebp+var_1C]
		xor	esi, esi
		test	ebx, ebx
		jnz	loc_7EC413

loc_7EBEDE:				; CODE XREF: LocalConvertAclToString+6A5j
		push	[ebp+arg_18]
		mov	ebx, [ebp+var_44]
		lea	eax, [ebp+var_24]
		push	esi
		push	[ebp+arg_10]
		mov	edx, edi
		mov	[ebp+arg_0], esi
		push	[ebp+arg_C]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	LocalGetAceCondition
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	loc_90FDF2
		mov	eax, [ebp+var_34]
		mov	edi, esi
		mov	esi, [ebp+var_28]
		xor	ecx, ecx
		mov	[eax+esi], ecx
		cmp	byte ptr [ebx],	11h
		jz	loc_90FDA9
		mov	eax, [ebp+var_18]

loc_7EBF27:				; CODE XREF: LocalConvertAclToString+124034j
		mov	edx, [ebp+var_10]
		xor	ecx, ecx
		push	eax
		call	_LookupAccessMaskInTable@12 ; LookupAccessMaskInTable(x,x,x)
		test	eax, eax
		jnz	loc_7EC328
		mov	esi, eax
		mov	eax, [ebp+var_10]

loc_7EBF3F:				; CODE XREF: LocalConvertAclToString+1D6j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		shl	edx, cl
		and	edx, eax
		jnz	short loc_7EBF55

loc_7EBF4A:				; CODE XREF: LocalConvertAclToString+210j
		inc	esi
		cmp	esi, 20h
		jb	short loc_7EBF3F
		jmp	loc_90FDB9
; 

loc_7EBF55:				; CODE XREF: LocalConvertAclToString+1D0j
		cmp	byte ptr [ebx],	11h
		jz	loc_90FDB1
		mov	eax, [ebp+var_18]

loc_7EBF61:				; CODE XREF: LocalConvertAclToString+12403Cj
		push	eax
		xor	ecx, ecx
		call	_LookupAccessMaskInTable@12 ; LookupAccessMaskInTable(x,x,x)
		test	eax, eax
		jz	short loc_7EBFBD
		mov	ecx, [eax]
		lea	edx, [ecx+2]	; int

loc_7EBF72:				; CODE XREF: LocalConvertAclToString+204j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_38]
		jnz	short loc_7EBF72
		mov	eax, [ebp+var_10]
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		jmp	short loc_7EBF4A
; 

loc_7EBF8A:				; CODE XREF: LocalConvertAclToString+11Ej
		movzx	eax, byte ptr [ebx]
		xor	ecx, ecx	; wchar_t *
		push	eax		; char
		push	[ebp+var_18]	; int
		call	LookupAceFlagsInTable
		test	eax, eax
		jz	loc_7EBE9C
		mov	ecx, [eax]
		lea	edx, [ecx+2]

loc_7EBFA5:				; CODE XREF: LocalConvertAclToString+237j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_38]
		jnz	short loc_7EBFA5
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		jmp	loc_7EBE9C
; 

loc_7EBFBD:				; CODE XREF: LocalConvertAclToString+1F3j
		mov	esi, [ebp+var_28]
		mov	eax, [ebp+var_34]
		push	14h
		pop	edi
		mov	dword ptr [eax+esi], 2

loc_7EBFCD:				; CODE XREF: LocalConvertAclToString+5D3j
					; LocalConvertAclToString+124044j
		mov	eax, [ebp+var_24]
		add	eax, 6
		add	eax, edi
		mov	edi, [ebp+var_20]
		mov	[ebp+var_4], eax
		mov	edx, edi
		lea	eax, [ebp+var_40]
		push	eax		; int
		push	[ebp+arg_18]	; size_t
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_C]	; int
		xor	ecx, ecx
		call	LookupSidInTable
		test	eax, eax
		jz	loc_7EC393
		mov	edi, [ebp+var_3C]
		lea	ecx, [eax+2]
		mov	[esi], ecx

loc_7EC000:				; CODE XREF: LocalConvertAclToString+642j
		lea	edx, [ecx+2]

loc_7EC003:				; CODE XREF: LocalConvertAclToString+295j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_38]
		jnz	short loc_7EC003
		movzx	eax, word ptr [ebx+2]
		sub	ecx, edx
		mov	edx, [ebp+var_4]
		add	ebx, eax
		mov	eax, [ebp+var_8]
		add	esi, 4
		sar	ecx, 1
		mov	[ebp+var_28], esi
		mov	[ebp+var_44], ebx
		movzx	eax, word ptr [eax+4]
		lea	edx, [edx+ecx*2]
		add	edx, 4
		inc	edi
		mov	[ebp+var_4], edx
		mov	[ebp+var_3C], edi
		cmp	edi, eax
		jb	loc_7EBE50
		mov	eax, [ebp+arg_0]

loc_7EC044:				; CODE XREF: LocalConvertAclToString+124080j
					; LocalConvertAclToString+124097j
		test	edx, edx
		jz	loc_90FE19
		mov	esi, [ebp+arg_4]

loc_7EC04F:				; CODE XREF: LocalConvertAclToString+1240ACj
		test	eax, eax
		jnz	loc_7EC287
		test	dl, 1
		jnz	loc_90FE29

loc_7EC060:				; CODE XREF: LocalConvertAclToString+1240B5j
		push	ecx
		mov	ecx, edx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ebx, [ebp+var_8]
		mov	edi, eax
		mov	[esi], edi
		test	edi, edi
		jz	loc_90FE32
		mov	esi, [ebp+var_4]
		xor	eax, eax
		shr	esi, 1
		mov	[ebp+var_44], eax
		cmp	ax, [ebx+4]
		jnb	loc_7EC28A
		mov	ecx, [ebp+var_2C]
		mov	eax, [ebp+var_48]
		mov	edx, [ebp+var_C]
		sub	eax, ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_40], eax

loc_7EC09C:				; CODE XREF: LocalConvertAclToString+509j
		test	esi, esi
		jz	loc_90FF9A
		push	28h
		pop	eax
		push	[ebp+var_18]
		mov	[edi], ax
		xor	ecx, ecx
		movzx	edx, byte ptr [edx]
		add	edi, 2
		dec	esi
		call	_LookupAceTypeInTable@12 ; LookupAceTypeInTable(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7EC0D5
		push	dword ptr [ebx]
		push	esi
		push	edi
		call	_wcscpy_s
		mov	eax, [ebx+4]
		add	esp, 0Ch
		sub	esi, eax
		lea	edi, [edi+eax*2]

loc_7EC0D5:				; CODE XREF: LocalConvertAclToString+347j
		test	esi, esi
		jz	loc_90FF9A
		push	3Bh
		pop	eax
		mov	[edi], ax
		add	edi, 2
		dec	esi
		xor	eax, eax
		mov	ebx, eax

loc_7EC0EB:				; CODE XREF: LocalConvertAclToString+38Aj
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		shl	edx, cl
		mov	ecx, [ebp+var_C]
		test	[ecx+1], dl
		jnz	loc_7EC2F4

loc_7EC0FE:				; CODE XREF: LocalConvertAclToString+5ABj
		inc	ebx
		cmp	ebx, 8
		jb	short loc_7EC0EB
		test	esi, esi
		jz	loc_90FF9A
		push	3Bh
		pop	eax
		mov	[edi], ax
		xor	eax, eax
		add	edi, 2
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		dec	esi
		movzx	eax, byte ptr [ecx]
		cmp	eax, 15h
		ja	short loc_7EC140
		movzx	eax, ds:byte_7EC464[eax]
		jmp	ds:off_7EC458[eax*4]

loc_7EC134:				; DATA XREF: PAGE:off_7EC458o
		mov	eax, [ecx+4]
		mov	[ebp+var_10], eax
		lea	eax, [ecx+8]
		mov	[ebp+var_20], eax

loc_7EC140:				; CODE XREF: LocalConvertAclToString+3ACj
					; LocalConvertAclToString+3B5j	...
		xor	eax, eax

loc_7EC142:				; CODE XREF: LocalConvertAclToString+124119j
		mov	ebx, [ebp+var_1C]
		test	ebx, ebx
		jnz	loc_7EC422

loc_7EC14D:				; CODE XREF: LocalConvertAclToString+6B6j
		push	[ebp+arg_18]
		mov	ebx, [ebp+var_C]
		mov	ecx, ebx
		mov	edx, [ebp+var_20]
		push	eax
		push	[ebp+arg_10]
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+var_4C]
		push	[ebp+arg_C]
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	LocalGetAceCondition
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	loc_7EC287
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+var_40]
		mov	eax, [eax+ecx]
		cmp	eax, 2
		jnz	loc_7EC350
		push	offset ??_C@_15OEMMNBIC@?$AA0?$AAx@NNGAKEGL@
		push	esi
		push	edi
		call	_wcscpy_s
		add	esp, 0Ch
		sub	esi, 2
		add	edi, 4
		push	10h
		push	esi
		push	edi
		push	[ebp+var_10]
		call	__ultow_s
		mov	ecx, edi
		add	esp, 10h
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_7EC1BB:				; CODE XREF: LocalConvertAclToString+44Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_7EC1BB
		sub	ecx, edx
		sar	ecx, 1
		sub	esi, ecx
		lea	edi, [edi+ecx*2]

loc_7EC1CF:				; CODE XREF: LocalConvertAclToString+5FCj
					; LocalConvertAclToString+616j	...
		test	esi, esi
		jz	loc_90FF9A
		mov	eax, [ebp+var_38]
		push	3Bh
		pop	ecx
		mov	[edi], cx
		add	edi, 2
		dec	esi
		test	eax, eax
		jnz	loc_90FEF2

loc_7EC1EC:				; CODE XREF: LocalConvertAclToString+1241C9j
		test	esi, esi
		jz	loc_90FF9A
		mov	eax, [ebp+var_34]
		mov	[edi], cx
		add	edi, 2
		dec	esi
		test	eax, eax
		jnz	loc_90FF46

loc_7EC206:				; CODE XREF: LocalConvertAclToString+12421Dj
		test	esi, esi
		jz	loc_90FF9A
		mov	eax, [ebp+var_28]
		mov	[edi], cx
		add	edi, 2
		dec	esi
		mov	ebx, [eax]
		push	ebx
		push	esi
		push	edi
		call	_wcscpy_s
		add	esp, 0Ch
		lea	ecx, [ebx+2]
		xor	edx, edx

loc_7EC22A:				; CODE XREF: LocalConvertAclToString+4BBj
		mov	ax, [ebx]
		add	ebx, 2
		cmp	ax, dx
		jnz	short loc_7EC22A
		sub	ebx, ecx
		sar	ebx, 1
		sub	esi, ebx
		lea	edi, [edi+ebx*2]
		mov	ebx, [ebp+var_1C]
		test	ebx, ebx
		jnz	loc_7EC3D8

loc_7EC249:				; CODE XREF: LocalConvertAclToString+696j
		cmp	esi, 1
		jbe	loc_90FF9A
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_44]
		add	[ebp+var_28], 4
		push	29h
		pop	eax
		mov	[edi], ax
		add	edi, 2
		xor	eax, eax
		dec	esi
		inc	ecx
		mov	[ebp+var_44], ecx
		mov	[edi], ax
		movzx	eax, word ptr [edx+2]
		add	edx, eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_C], edx
		movzx	eax, word ptr [eax+4]
		cmp	ecx, eax
		jb	loc_7EC09C

loc_7EC287:				; CODE XREF: LocalConvertAclToString+2D9j
					; LocalConvertAclToString+400j	...
		mov	ebx, [ebp+var_8]

loc_7EC28A:				; CODE XREF: LocalConvertAclToString+30Dj
		mov	edi, [ebp+arg_0]

loc_7EC28D:				; CODE XREF: LocalConvertAclToString+1240C0j
					; LocalConvertAclToString+12422Dj
		xor	eax, eax
		mov	esi, eax
		cmp	ax, [ebx+4]
		jnb	short loc_7EC2B3
		mov	edi, [ebp+var_2C]

loc_7EC29A:				; CODE XREF: LocalConvertAclToString+536j
		mov	eax, [ebp+var_30]
		cmp	byte ptr [eax+esi], 0
		jnz	loc_7EC3BF

loc_7EC2A7:				; CODE XREF: LocalConvertAclToString+64Cj
					; LocalConvertAclToString+65Bj
		movzx	eax, word ptr [ebx+4]
		inc	esi
		cmp	esi, eax
		jb	short loc_7EC29A
		mov	edi, [ebp+arg_0]

loc_7EC2B3:				; CODE XREF: LocalConvertAclToString+51Dj
		xor	esi, esi
		push	esi
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	[ebp+var_48]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_1C]
		test	ebx, ebx
		jnz	loc_90FFAA

loc_7EC2DB:				; CODE XREF: LocalConvertAclToString+124239j
		test	edi, edi
		jnz	loc_90FFB6
		mov	eax, [ebp+var_4]

loc_7EC2E6:				; CODE XREF: LocalConvertAclToString+124254j
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		mov	eax, edi

loc_7EC2ED:				; CODE XREF: LocalConvertAclToString+123F8Bj
					; LocalConvertAclToString+123FB0j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_7EC2F4:				; CODE XREF: LocalConvertAclToString+380j
		movzx	eax, byte ptr [ecx]
		xor	ecx, ecx	; wchar_t *
		push	eax		; char
		push	[ebp+var_18]	; int
		call	LookupAceFlagsInTable
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_7EC320
		push	dword ptr [eax]
		push	esi
		push	edi
		call	_wcscpy_s
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [eax+4]
		sub	esi, eax
		lea	edi, [edi+eax*2]

loc_7EC320:				; CODE XREF: LocalConvertAclToString+58Fj
		mov	ecx, [ebp+var_C]
		jmp	loc_7EC0FE
; 

loc_7EC328:				; CODE XREF: LocalConvertAclToString+1BCj
		mov	ecx, [ebp+var_34]
		xor	edi, edi
		mov	dword ptr [ecx+esi], 1
		mov	ecx, [eax]
		lea	edx, [ecx+2]

loc_7EC339:				; CODE XREF: LocalConvertAclToString+5CAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_7EC339
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [ecx+ecx]
		jmp	loc_7EBFCD
; 

loc_7EC350:				; CODE XREF: LocalConvertAclToString+412j
		cmp	eax, 1
		jnz	loc_90FE9E
		cmp	byte ptr [ebx],	11h
		jz	loc_90FE96
		mov	eax, [ebp+var_18]

loc_7EC365:				; CODE XREF: LocalConvertAclToString+124121j
		mov	edx, [ebp+var_10]
		xor	ecx, ecx
		push	eax
		call	_LookupAccessMaskInTable@12 ; LookupAccessMaskInTable(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_7EC1CF
		push	dword ptr [ebx]
		push	esi
		push	edi
		call	_wcscpy_s
		mov	eax, [ebx+4]
		add	esp, 0Ch
		sub	esi, eax
		lea	edi, [edi+eax*2]
		jmp	loc_7EC1CF
; 

loc_7EC393:				; CODE XREF: LocalConvertAclToString+27Aj
		cmp	[ebp+var_40], 0
		jnz	loc_90FDC1
		mov	edx, esi
		mov	ecx, edi
		call	LocalConvertSidToStringSidW
		test	eax, eax
		js	loc_90FDEA

loc_7EC3AE:				; CODE XREF: LocalConvertAclToString+124068j
		mov	edi, [ebp+var_3C]
		mov	eax, [ebp+var_30]
		mov	byte ptr [eax+edi], 1
		mov	ecx, [esi]
		jmp	loc_7EC000
; 

loc_7EC3BF:				; CODE XREF: LocalConvertAclToString+529j
		mov	eax, [edi+esi*4]
		test	eax, eax
		jz	loc_7EC2A7
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7EC2A7
; 

loc_7EC3D8:				; CODE XREF: LocalConvertAclToString+4CBj
		test	esi, esi
		jz	loc_90FF9A
		push	3Bh
		pop	eax
		mov	[edi], ax
		add	edi, 2
		push	ebx
		dec	esi
		push	esi
		push	edi
		call	_wcscpy_s
		add	esp, 0Ch
		lea	ecx, [ebx+2]
		xor	edx, edx

loc_7EC3FA:				; CODE XREF: LocalConvertAclToString+68Bj
		mov	ax, [ebx]
		add	ebx, 2
		cmp	ax, dx
		jnz	short loc_7EC3FA
		sub	ebx, ecx
		sar	ebx, 1
		sub	esi, ebx
		lea	edi, [edi+ebx*2]
		jmp	loc_7EC249
; 

loc_7EC413:				; CODE XREF: LocalConvertAclToString+160j
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_1C], esi
		jmp	loc_7EBEDE
; 

loc_7EC422:				; CODE XREF: LocalConvertAclToString+3CFj
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebp+var_1C], eax
		jmp	loc_7EC14D
LocalConvertAclToString	endp

; 
		align 4
off_7EC434	dd offset loc_7EBEC5	; DATA XREF: LocalConvertAclToString+146r
		dd offset loc_90FD4C
		dd offset loc_90FDFD
byte_7EC440	db 0			; DATA XREF: LocalConvertAclToString+13Fr
		align 4
		dd 1010102h, 1000001h, 2020002h, 2, 0FF8B0000h
off_7EC458	dd offset loc_7EC134	; DATA XREF: LocalConvertAclToString+3B5r
		dd offset loc_90FE3D
		dd offset loc_7EC140
byte_7EC464	db 0			; DATA XREF: LocalConvertAclToString+3AEr
		align 4
		dd 1010102h, 1000001h, 2020002h, 2
		db 2 dup(0)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LookupAccessMaskInTable(x, x, x)
_LookupAccessMaskInTable@12 proc near	; CODE XREF: LocalConvertAclToString+1B5p
					; LocalConvertAclToString+1ECp	...

var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], edx
		push	edi
		mov	edi, esi
		mov	ebx, offset unk_6B206C
		mov	esi, ecx

loc_7EC492:				; CODE XREF: LookupAccessMaskInTable(x,x,x)+33j
		mov	eax, [ebx+8]
		and	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_7EC4A6
		test	esi, esi
		jnz	short loc_7EC4CB
		cmp	edx, [ebx+4]
		jz	short loc_7EC4AF

loc_7EC4A6:				; CODE XREF: LookupAccessMaskInTable(x,x,x)+21j
					; LookupAccessMaskInTable(x,x,x)+66j
		inc	edi
		add	ebx, 10h
		cmp	edi, 1Ch
		jb	short loc_7EC492

loc_7EC4AF:				; CODE XREF: LookupAccessMaskInTable(x,x,x)+2Aj
					; LookupAccessMaskInTable(x,x,x)+61j
		push	0
		pop	esi
		cmp	edi, 1Ch
		jnb	short loc_7EC4C2
		mov	esi, edi
		shl	esi, 4
		add	esi, offset off_6B2068

loc_7EC4C2:				; CODE XREF: LookupAccessMaskInTable(x,x,x)+3Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7EC4CB:				; CODE XREF: LookupAccessMaskInTable(x,x,x)+25j
		push	dword ptr [ebx]	; size_t
		push	dword ptr [ebx-4] ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7EC4AF
		mov	edx, [ebp+var_8]
		jmp	short loc_7EC4A6
_LookupAccessMaskInTable@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LocalGetAceCondition proc near		; CODE XREF: LocalConvertAclToString+186p
					; LocalConvertAclToString+3F6p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 0090FFD9 SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		mov	edi, ecx
		mov	edx, [ebp+arg_0]
		xor	ebx, ebx
		mov	ecx, [ebp+arg_4]
		mov	esi, ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], eax
		mov	[edx], ebx
		mov	[ecx], ebx
		mov	bl, [edi]
		mov	[ebp+var_4], esi
		cmp	bl, 9
		jz	short loc_7EC535
		cmp	bl, 0Ah
		jz	short loc_7EC535
		cmp	bl, 12h
		jz	short loc_7EC535
		cmp	bl, 0Dh
		jz	short loc_7EC535
		cmp	bl, 0Bh
		jz	loc_90FFD9
		cmp	bl, 15h
		jz	short loc_7EC535

loc_7EC52C:				; CODE XREF: LocalGetAceCondition+72j
					; LocalGetAceCondition+A5j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_7EC535:				; CODE XREF: LocalGetAceCondition+2Bj
					; LocalGetAceCondition+30j ...
		cmp	bl, 0Bh
		jz	loc_90FFD9
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		movzx	edi, word ptr [edi+2]
		sub	edi, eax
		sub	edi, 8

loc_7EC54D:				; CODE XREF: LocalGetAceCondition+123B1Ej
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		test	edi, edi
		jz	short loc_7EC52C
		mov	esi, [ebp+var_8]
		push	esi
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		cmp	bl, 12h
		mov	edx, edi
		mov	ebx, [ebp+arg_0]
		jz	loc_910005
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ecx
		push	ebx
		lea	ecx, [eax+esi]
		call	LocalpGetStringForCondition

loc_7EC583:				; CODE XREF: LocalGetAceCondition+123B38j
		mov	esi, eax
		test	esi, esi
		jnz	short loc_7EC52C
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebx]
		mov	edi, [edx]
		lea	ebx, [ecx+2]

loc_7EC593:				; CODE XREF: LocalGetAceCondition+BBj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_C]
		jnz	short loc_7EC593
		sub	ecx, ebx
		lea	eax, [edi+2]
		sar	ecx, 1
		lea	eax, [eax+ecx*2]
		mov	[edx], eax
		jmp	loc_7EC52C
LocalGetAceCondition endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall LookupAceFlagsInTable(wchar_t *,int,int,char)
LookupAceFlagsInTable proc near		; CODE XREF: LocalConvertAclToString+21Bp
					; LocalConvertAclToString+585p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 0091001F SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		xor	edi, edi
		mov	edx, ecx
		mov	ebx, edi
		mov	[ebp+var_4], edx
		mov	esi, edi

loc_7EC5C9:				; CODE XREF: LookupAceFlagsInTable+51j
		mov	eax, dword_6B1F9C[esi]
		and	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_7EC5F7
		mov	ecx, dword_6B1FA0[esi]
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jnz	loc_91001F

loc_7EC5E8:				; CODE XREF: LookupAceFlagsInTable+123A89j
		test	edx, edx
		jnz	short loc_7EC605
		mov	eax, [ebp+var_10]
		cmp	eax, dword_6B1F98[esi]
		jz	short loc_7EC61E

loc_7EC5F7:				; CODE XREF: LookupAceFlagsInTable+25j
					; LookupAceFlagsInTable+88j ...
		add	esi, 18h
		inc	ebx
		cmp	esi, 0D8h
		jb	short loc_7EC5C9
		jmp	short loc_7EC61E
; 

loc_7EC605:				; CODE XREF: LookupAceFlagsInTable+3Aj
		push	dword_6B1F94[esi] ; size_t
		push	off_6B1F90[esi]	; wchar_t *
		push	edx		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7EC635

loc_7EC61E:				; CODE XREF: LookupAceFlagsInTable+45j
					; LookupAceFlagsInTable+53j
		cmp	ebx, 9
		jnb	short loc_7EC62C
		imul	edi, ebx, 18h
		add	edi, offset off_6B1F90

loc_7EC62C:				; CODE XREF: LookupAceFlagsInTable+71j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7EC635:				; CODE XREF: LookupAceFlagsInTable+6Cj
		mov	edx, [ebp+var_4]
		jmp	short loc_7EC5F7
LookupAceFlagsInTable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LookupAceTypeInTable(x, x, x)
_LookupAceTypeInTable@12 proc near	; CODE XREF: LocalConvertAclToString+E6p
					; LocalConvertAclToString+33Ep	...

var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], edx
		push	edi
		mov	edi, esi
		mov	ebx, offset unk_6B222C
		mov	esi, ecx

loc_7EC652:				; CODE XREF: LookupAceTypeInTable(x,x,x)+4Fj
		mov	eax, [ebx+8]
		and	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_7EC682
		test	esi, esi
		jnz	short loc_7EC68D
		cmp	edx, [ebx+4]
		jnz	short loc_7EC682

loc_7EC666:				; CODE XREF: LookupAceTypeInTable(x,x,x)+51j
					; LookupAceTypeInTable(x,x,x)+63j
		push	0
		pop	esi
		cmp	edi, 11h
		jnb	short loc_7EC679
		mov	esi, edi
		shl	esi, 4
		add	esi, offset off_6B2228

loc_7EC679:				; CODE XREF: LookupAceTypeInTable(x,x,x)+32j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7EC682:				; CODE XREF: LookupAceTypeInTable(x,x,x)+21j
					; LookupAceTypeInTable(x,x,x)+2Aj ...
		inc	edi
		add	ebx, 10h
		cmp	edi, 11h
		jb	short loc_7EC652
		jmp	short loc_7EC666
; 

loc_7EC68D:				; CODE XREF: LookupAceTypeInTable(x,x,x)+25j
		push	dword ptr [ebx]	; size_t
		push	dword ptr [ebx-4] ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7EC666
		mov	edx, [ebp+var_8]
		jmp	short loc_7EC682
_LookupAceTypeInTable@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	LookupSidInTable(int,int,int,size_t,int)
LookupSidInTable proc near		; CODE XREF: SeConvertStringSidToSid+49p
					; LocalConvertAclToString+273p	...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00910049 SIZE 0000012A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_18], esi
		mov	[ebp+var_1], bl
		mov	[ebp+var_C], ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_14], edi
		test	esi, esi
		jnz	short loc_7EC6CD
		test	edi, edi
		jz	loc_910049

loc_7EC6CD:				; CODE XREF: LookupSidInTable+1Fj
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_8], ebx
		push	3Fh
		mov	[eax], ebx
		pop	eax
		mov	[ebp+var_10], eax
		test	esi, esi
		jnz	loc_7EC78F
		push	edi
		mov	[ebp+var_1], 1
		call	_RtlSubAuthorityCountSid@4 ; RtlSubAuthorityCountSid(x)
		mov	al, [eax]
		test	al, al
		jz	short loc_7EC721
		movzx	eax, al
		dec	eax
		push	eax
		push	edi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	eax, [eax]
		cmp	eax, 207h
		jz	loc_910050
		cmp	eax, 206h
		jz	loc_910050
		cmp	eax, 1F2h
		jz	loc_910050

loc_7EC721:				; CODE XREF: LookupSidInTable+4Dj
					; LookupSidInTable+129j ...
		mov	edi, ebx
		mov	esi, ebx

loc_7EC725:				; CODE XREF: LookupSidInTable+A2j
		cmp	[ebp+var_1], bl
		jz	short loc_7EC75F
		push	dword_6B4008[esi]
		push	[ebp+var_14]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_7EC748

loc_7EC73C:				; CODE XREF: LookupSidInTable+DAj
					; LookupSidInTable+1239D9j ...
		add	esi, 64h
		inc	edi
		cmp	esi, 189Ch
		jb	short loc_7EC725

loc_7EC748:				; CODE XREF: LookupSidInTable+96j
					; LookupSidInTable+D5j
		cmp	edi, 3Fh
		jnb	short loc_7EC785
		imul	ebx, edi, 64h

loc_7EC750:				; CODE XREF: LookupSidInTable+123ACAj
		add	ebx, offset byte_6B3FF8

loc_7EC756:				; CODE XREF: LookupSidInTable+E4j
					; LookupSidInTable+123A2Dj ...
		mov	eax, ebx

loc_7EC758:				; CODE XREF: LookupSidInTable+1239A7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7EC75F:				; CODE XREF: LookupSidInTable+84j
		push	dword_6B4004[esi] ; size_t
		lea	eax, off_6B3FFA[esi]
		push	eax		; wchar_t *
		push	[ebp+var_18]	; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7EC748
		cmp	[ebp+var_8], ebx
		jz	short loc_7EC73C
		jmp	loc_91007A
; 

loc_7EC785:				; CODE XREF: LookupSidInTable+A7j
		cmp	[ebp+var_8], ebx
		jz	short loc_7EC756
		jmp	loc_9100CE
; 

loc_7EC78F:				; CODE XREF: LookupSidInTable+39j
		push	2		; size_t
		push	offset ??_C@_15DCAAPKNL@?$AAE?$AAA@NNGAKEGL@ ; "EA"
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7EC7D3
		push	2		; size_t
		push	offset ??_C@_15OHIPBLFN@?$AAS?$AAA@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_91006E
		push	2		; size_t
		push	offset ??_C@_15MMAMLPML@?$AAR?$AAO@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7EC721

loc_7EC7D3:				; CODE XREF: LookupSidInTable+FDj
					; LookupSidInTable+1239D1j
		mov	[ebp+var_8], 1
		jmp	loc_7EC721
LookupSidInTable endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2209. RtlIsElevatedRid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsElevatedRid(x)
		public _RtlIsElevatedRid@4
_RtlIsElevatedRid@4 proc near		; CODE XREF: SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)+F8p
					; SeQueryInformationToken(x,x,x)+8E5p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		test	eax, eax
		jz	short loc_7EC841
		test	byte ptr [eax+4], 30h
		jnz	short loc_7EC841
		mov	esi, [eax]
		push	esi
		call	_RtlSubAuthorityCountSid@4 ; RtlSubAuthorityCountSid(x)
		mov	bl, [eax]
		cmp	bl, 1
		jb	short loc_7EC841
		push	0
		push	esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	eax, [eax]
		cmp	eax, 50h
		jnb	short loc_7EC849

loc_7EC822:				; CODE XREF: RtlIsElevatedRid(x)+5Cj
		movzx	eax, bl
		dec	eax
		push	eax
		push	esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	ecx, [eax]
		xor	eax, eax

loc_7EC831:				; CODE XREF: RtlIsElevatedRid(x)+4Fj
		cmp	ecx, ds:dword_40B908[eax]
		jz	short loc_7EC850
		add	eax, 4
		cmp	eax, 4Ch
		jb	short loc_7EC831

loc_7EC841:				; CODE XREF: RtlIsElevatedRid(x)+Cj
					; RtlIsElevatedRid(x)+12j ...
		pop	esi
		xor	al, al
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7EC849:				; CODE XREF: RtlIsElevatedRid(x)+30j
		cmp	eax, 6Fh
		ja	short loc_7EC822
		jmp	short loc_7EC841
; 

loc_7EC850:				; CODE XREF: RtlIsElevatedRid(x)+47j
		pop	esi
		mov	al, 1
		pop	ebx
		pop	ebp
		retn	4
_RtlIsElevatedRid@4 endp


;  S U B	R O U T	I N E 


; __stdcall SddlpAlloc(x, x, x)
_SddlpAlloc@12	proc near		; CODE XREF: SeConvertSecurityDescriptorToStringSecurityDescriptor+D4FE6p
					; SeConvertStringSidToSid+84368p ...
		mov	edi, edi
		push	esi
		push	edi
		push	64536553h
		mov	edi, ecx
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_7EC87D
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_7EC87D:				; CODE XREF: SddlpAlloc(x,x,x)+17j
		pop	edi
		mov	eax, esi
		pop	esi
		retn	4
_SddlpAlloc@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ObpCompareEntryLevel2(void *Source1,int)
_ObpCompareEntryLevel2@8 proc near	; DATA XREF: ObpCompareEntryLevel1(x,x)+8o

Source1		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+Source1]
		mov	ecx, [esi+8]
		mov	edx, [edi+4]
		cmp	edx, [ecx+4]
		jnz	short loc_7EC8B2
		mov	eax, [edi]
		cmp	eax, [ecx]
		jnz	short loc_7EC8B2
		push	edx		; Length
		push	ecx		; Source2
		push	edi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, [edi+4]
		jnz	short loc_7EC8B2
		inc	dword ptr [esi+10h]

loc_7EC8B2:				; CODE XREF: ObpCompareEntryLevel2(x,x)+16j
					; ObpCompareEntryLevel2(x,x)+1Cj ...
		xor	eax, eax
		pop	edi
		inc	eax
		pop	esi
		pop	ebp
		retn	8
_ObpCompareEntryLevel2@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall GetOperatorIndexByToken(x)
_GetOperatorIndexByToken@4 proc	near	; CODE XREF: LocalpGetStringForCondition+138p
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+23Dp ...
		xor	edx, edx
		mov	eax, edx

loc_7EC8C0:				; CODE XREF: GetOperatorIndexByToken(x)+15j
		cmp	ds:byte_403FDC[eax], cl
		jz	short loc_7EC8D7
		add	eax, 14h
		inc	edx
		cmp	eax, 1E0h
		jb	short loc_7EC8C0
		or	eax, 0FFFFFFFFh
		retn
; 

loc_7EC8D7:				; CODE XREF: GetOperatorIndexByToken(x)+Aj
		mov	eax, edx
		retn
_GetOperatorIndexByToken@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpCompareEntryLevel1(x, x)
_ObpCompareEntryLevel1@8 proc near	; DATA XREF: ObpCompareNamespaceEntry(x,x)+23o
					; ObpCheckDuplicateEntries(x)+10o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, offset _ObpCompareEntryLevel2@8 ; ObpCompareEntryLevel2(x,x)
		push	esi
		mov	esi, [ebp+arg_4]
		push	esi
		mov	ecx, [esi+4]
		inc	dword ptr [esi+0Ch]
		add	ecx, 18h
		mov	[esi+8], eax
		call	RtlEnumerateBoundaryDescriptorEntries
		test	eax, eax
		js	short loc_7EC91C
		mov	eax, [esi+0Ch]
		cmp	eax, [esi+10h]
		jnz	short loc_7EC911
		xor	eax, eax
		inc	eax

loc_7EC90C:				; CODE XREF: ObpCompareEntryLevel1(x,x)+40j
		pop	esi
		pop	ebp
		retn	8
; 

loc_7EC911:				; CODE XREF: ObpCompareEntryLevel1(x,x)+2Dj
		mov	dword ptr [esi+14h], 0C000017Bh

loc_7EC918:				; CODE XREF: ObpCompareEntryLevel1(x,x)+45j
		xor	eax, eax
		jmp	short loc_7EC90C
; 

loc_7EC91C:				; CODE XREF: ObpCompareEntryLevel1(x,x)+25j
		mov	[esi+14h], eax
		jmp	short loc_7EC918
_ObpCompareEntryLevel1@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpHashBoundaryFunction(x, x)
_ObpHashBoundaryFunction@8 proc	near	; DATA XREF: ObpCaptureBoundaryDescriptor+13Bo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	8
		pop	eax
		lea	edx, [ecx+8]
		cmp	[ecx+4], eax
		jbe	short loc_7EC94B
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	bl, [esi+14h]

loc_7EC93D:				; CODE XREF: ObpHashBoundaryFunction(x,x)+25j
		add	bl, [edx]
		inc	edx
		inc	eax
		mov	[esi+14h], bl
		cmp	eax, [ecx+4]
		jb	short loc_7EC93D
		pop	esi
		pop	ebx

loc_7EC94B:				; CODE XREF: ObpHashBoundaryFunction(x,x)+11j
		xor	eax, eax
		inc	eax
		pop	ebp
		retn	8
_ObpHashBoundaryFunction@8 endp

; 
		align 8
; Exported entry 2116. RtlGetControlSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetControlSecurityDescriptor(x, x, x)
		public _RtlGetControlSecurityDescriptor@12
_RtlGetControlSecurityDescriptor@12 proc near
					; CODE XREF: AdtpIsSDValidSelfRelative(x,x)+3Cp
					; LocalConvertSDToStringSD_Rev1+D4p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		movzx	ecx, byte ptr [edx]
		mov	[eax], ecx
		cmp	byte ptr [edx],	1
		jnz	short loc_7EC97D
		mov	eax, [ebp+arg_4]
		mov	cx, [edx+2]
		mov	[eax], cx
		xor	eax, eax

loc_7EC979:				; CODE XREF: RtlGetControlSecurityDescriptor(x,x,x)+2Aj
		pop	ebp
		retn	0Ch
; 

loc_7EC97D:				; CODE XREF: RtlGetControlSecurityDescriptor(x,x,x)+13j
		mov	eax, 0C0000058h
		jmp	short loc_7EC979
_RtlGetControlSecurityDescriptor@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpQueryFileSecurityDescriptor proc near ; CODE	XREF: CmpInitHiveFromFile+54Cp
					; CmpOpenHiveFile+265p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00910173 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	ecx
		push	4
		push	ebx
		mov	edi, ecx
		mov	[ebp+var_4], ecx
		call	_ZwQuerySecurityObject@20 ; ZwQuerySecurityObject(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_910182
		push	64734D43h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7EC9F1
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		push	edi
		push	4
		push	ebx
		call	_ZwQuerySecurityObject@20 ; ZwQuerySecurityObject(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_910173

loc_7EC9E5:				; CODE XREF: CmpQueryFileSecurityDescriptor+72j
					; CmpQueryFileSecurityDescriptor+1237F9j ...
		mov	eax, [ebp+var_8]
		mov	[eax], edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7EC9F1:				; CODE XREF: CmpQueryFileSecurityDescriptor+45j
		mov	esi, 0C000009Ah
		jmp	short loc_7EC9E5
CmpQueryFileSecurityDescriptor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpVerifyAccessToBoundaryEntry proc near ; DATA	XREF: ObpVerifyCreatorAccessCheck+EAo

var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_100		= dword	ptr -100h
var_A8		= dword	ptr -0A8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00910194 SIZE 00000054 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 11Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+11Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		lea	eax, [esp+120h+var_A8]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	0A0h		; size_t
		xor	edi, edi
		push	edi		; int
		push	eax		; void *
		call	_memset
		push	54h		; size_t
		lea	eax, [esp+138h+var_100]
		mov	[esp+138h+var_118], edi
		push	edi		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [esp+140h+var_114]
		stosd
		add	esp, 18h
		stosd
		push	2
		stosd
		stosd
		stosd
		mov	eax, [esi]
		lea	edi, [esi+8]
		pop	esi
		cmp	eax, esi
		jnz	loc_7ECB36
		mov	ecx, edi
		call	_RtlIsPackageSid@4 ; RtlIsPackageSid(x)
		test	al, al
		jnz	loc_7ECB63
		push	esi		; int
		push	0A0h		; size_t
		lea	eax, [esp+130h+var_A8]
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	0
		push	edi
		push	0F000Fh
		xor	edi, edi
		lea	ecx, [esp+134h+var_A8]
		push	edi
		mov	edx, esi
		call	RtlpAddKnownAce
		mov	eax, [ebx+10h]
		test	eax, eax
		jnz	loc_7ECB8F

loc_7ECAA4:				; CODE XREF: ObpVerifyAccessToBoundaryEntry+1AEj
		push	esi		; int
		push	54h		; size_t
		lea	eax, [esp+130h+var_100]
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	7
		push	ecx
		push	dword ptr [ebx+14h]
		lea	ecx, [esp+134h+var_100]
		push	edi
		call	RtlAddMandatoryAce
		xor	esi, esi
		lea	eax, [esp+128h+var_114]
		inc	esi
		push	esi
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	edi
		lea	eax, [esp+12Ch+var_A8]
		push	eax
		push	esi
		lea	eax, [esp+134h+var_114]
		push	eax
		call	RtlSetDaclSecurityDescriptor

loc_7ECAE3:				; CODE XREF: ObpVerifyAccessToBoundaryEntry+1237DFj
		push	edi
		lea	eax, [esp+12Ch+var_100]
		push	eax
		push	esi
		lea	eax, [esp+134h+var_114]
		push	eax
		call	_RtlSetSaclSecurityDescriptor@16 ; RtlSetSaclSecurityDescriptor(x,x,x,x)
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+128h+var_11C], al
		lea	eax, [ebx+18h]
		push	eax
		lea	eax, [esp+12Ch+var_118]
		push	eax
		push	[esp+130h+var_11C]
		mov	eax, _ObpDirectoryObjectType
		add	eax, 34h
		push	eax
		push	edi
		push	edi
		push	0F000Fh
		push	esi
		push	ebx
		push	esi
		lea	eax, [esp+150h+var_114]
		push	eax
		call	_SeAccessCheckWithHint@44 ; SeAccessCheckWithHint(x,x,x,x,x,x,x,x,x,x,x)
		test	al, al
		jnz	short loc_7ECB4A

loc_7ECB32:				; CODE XREF: ObpVerifyAccessToBoundaryEntry+1237A3j
					; ObpVerifyAccessToBoundaryEntry+1237AFj ...
		xor	eax, eax
		jmp	short loc_7ECB4C
; 

loc_7ECB36:				; CODE XREF: ObpVerifyAccessToBoundaryEntry+60j
		cmp	eax, 3
		jz	loc_9101AC
		xor	esi, esi
		inc	esi
		cmp	eax, esi
		jnz	loc_9101DC

loc_7ECB4A:				; CODE XREF: ObpVerifyAccessToBoundaryEntry+138j
					; ObpVerifyAccessToBoundaryEntry+195j
		mov	eax, esi

loc_7ECB4C:				; CODE XREF: ObpVerifyAccessToBoundaryEntry+13Cj
		mov	ecx, [esp+128h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7ECB63:				; CODE XREF: ObpVerifyAccessToBoundaryEntry+6Fj
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	short loc_7ECB7A
		push	dword ptr [eax]
		push	edi
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	loc_910194

loc_7ECB7A:				; CODE XREF: ObpVerifyAccessToBoundaryEntry+170j
		mov	eax, [ebx+1Ch]
		test	al, 1
		jnz	loc_9101A0
		xor	esi, esi
		inc	esi
		or	eax, esi
		mov	[ebx+1Ch], eax
		jmp	short loc_7ECB4A
; 

loc_7ECB8F:				; CODE XREF: ObpVerifyAccessToBoundaryEntry+A6j
		push	edi
		push	dword ptr [eax]
		mov	edx, esi
		lea	ecx, [esp+130h+var_A8]
		push	0F000Fh
		push	edi
		call	RtlpAddKnownAce
		jmp	loc_7ECAA4
ObpVerifyAccessToBoundaryEntry endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall RtlIsPackageSid(x)
_RtlIsPackageSid@4 proc	near		; CODE XREF: ObpVerifyAccessToBoundaryEntry+68p
					; NtCreateLowBoxToken+178p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+1], 2
		jb	short loc_7ECBD1
		cmp	byte ptr [esi],	1
		jnz	short loc_7ECBD1
		push	6		; Length
		push	offset _RtlpAppPackageAuthority	; Source2
		lea	eax, [esi+2]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 6
		jz	short loc_7ECBD5

loc_7ECBD1:				; CODE XREF: RtlIsPackageSid(x)+9j
					; RtlIsPackageSid(x)+Ej ...
		xor	al, al
		pop	esi
		retn
; 

loc_7ECBD5:				; CODE XREF: RtlIsPackageSid(x)+23j
		cmp	dword ptr [esi+8], 2
		jnz	short loc_7ECBD1
		mov	al, 1
		pop	esi
		retn
_RtlIsPackageSid@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2171. RtlInitializeSid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitializeSid(x,	x, x)
		public _RtlInitializeSid@12
_RtlInitializeSid@12 proc near		; CODE XREF: .text:00513676p
					; .text:005136CFp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [ebp+arg_8]
		cmp	al, 0Fh
		ja	short loc_7ECC0F
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[edx+1], al
		mov	byte ptr [edx],	1
		mov	eax, [ecx]
		mov	[edx+2], eax
		mov	ax, [ecx+4]
		mov	[edx+6], ax
		xor	eax, eax

loc_7ECC0B:				; CODE XREF: RtlInitializeSid(x,x,x)+30j
		pop	ebp
		retn	0Ch
; 

loc_7ECC0F:				; CODE XREF: RtlInitializeSid(x,x,x)+Aj
		mov	eax, 0C000000Dh
		jmp	short loc_7ECC0B
_RtlInitializeSid@12 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2338. RtlSetSaclSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSetSaclSecurityDescriptor(x, x, x, x)
		public _RtlSetSaclSecurityDescriptor@16
_RtlSetSaclSecurityDescriptor@16 proc near
					; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+209p
					; SepInitProcessAuditSd+86BAFp	...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	byte ptr [eax],	1
		jnz	short loc_7ECC71
		movzx	ecx, word ptr [eax+2]
		test	cx, cx
		js	short loc_7ECC78
		cmp	[ebp+arg_4], 0
		jnz	short loc_7ECC48
		and	ecx, 0FFEFh

loc_7ECC3E:				; CODE XREF: RtlSetSaclSecurityDescriptor(x,x,x,x)+53j
		mov	[eax+2], cx

loc_7ECC42:				; CODE XREF: RtlSetSaclSecurityDescriptor(x,x,x,x)+4Ej
		xor	eax, eax

loc_7ECC44:				; CODE XREF: RtlSetSaclSecurityDescriptor(x,x,x,x)+5Aj
					; RtlSetSaclSecurityDescriptor(x,x,x,x)+61j
		pop	ebp
		retn	10h
; 

loc_7ECC48:				; CODE XREF: RtlSetSaclSecurityDescriptor(x,x,x,x)+1Aj
		and	dword ptr [eax+0Ch], 0
		or	ecx, 10h
		mov	edx, [ebp+arg_8]
		movzx	ecx, cx
		test	edx, edx
		jz	short loc_7ECC5C
		mov	[eax+0Ch], edx

loc_7ECC5C:				; CODE XREF: RtlSetSaclSecurityDescriptor(x,x,x,x)+3Bj
		and	ecx, 0FFDFh
		cmp	[ebp+arg_C], 0
		mov	[eax+2], cx
		jz	short loc_7ECC42
		or	ecx, 20h
		jmp	short loc_7ECC3E
; 

loc_7ECC71:				; CODE XREF: RtlSetSaclSecurityDescriptor(x,x,x,x)+Bj
		mov	eax, 0C0000058h
		jmp	short loc_7ECC44
; 

loc_7ECC78:				; CODE XREF: RtlSetSaclSecurityDescriptor(x,x,x,x)+14j
		mov	eax, 0C0000079h
		jmp	short loc_7ECC44
_RtlSetSaclSecurityDescriptor@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlAddMandatoryAce proc	near		; CODE XREF: CmpGenerateAppHiveSecurityDescriptor(x)+15Bp
					; ObpVerifyAccessToBoundaryEntry+C4p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009101E8 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_8], 1000h
		mov	esi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		push	edi
		mov	edi, [ebp+arg_4]
		test	esi, esi
		jz	loc_7ECD94
		push	edi
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_9101E8
		push	6		; size_t
		lea	eax, [ebp+var_C]
		push	eax		; void *
		lea	eax, [edi+2]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9101FC
		mov	bl, [esi]
		cmp	bl, 4
		ja	loc_9101F2
		cmp	bl, 2
		ja	short loc_7ECCEA
		mov	bl, 2

loc_7ECCEA:				; CODE XREF: RtlAddMandatoryAce+66j
		test	[ebp+arg_0], 0FFFFFFE0h
		jnz	loc_9101FC
		test	[ebp+arg_C], 0FFFFFFF8h
		jnz	loc_9101FC
		push	esi
		call	RtlValidAcl
		test	al, al
		jz	loc_7ECD94
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	_RtlFirstFreeAce@8 ; RtlFirstFreeAce(x,x)
		test	al, al
		jz	short loc_7ECD94
		movzx	eax, byte ptr [edi+1]
		mov	edx, [ebp+var_10]
		add	ax, 4
		shl	ax, 2
		movzx	eax, ax
		mov	[ebp+var_C], eax
		test	edx, edx
		jz	short loc_7ECD8D
		movzx	ecx, word ptr [esi+2]
		movzx	eax, ax
		add	ecx, esi
		add	eax, edx
		cmp	eax, ecx
		ja	short loc_7ECD8D
		mov	eax, [ebp+arg_0]
		mov	[edx+1], al
		mov	eax, [ebp+var_C]
		mov	[edx+2], ax
		mov	eax, [ebp+arg_C]
		mov	[edx+4], eax
		lea	eax, [edx+8]
		push	edi		; void *
		push	eax		; void *
		mov	byte ptr [edx],	11h
		movzx	eax, byte ptr [edi+1]
		lea	eax, ds:8[eax*4]
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		inc	word ptr [esi+4]
		xor	eax, eax
		mov	[esi], bl

loc_7ECD7C:				; CODE XREF: RtlAddMandatoryAce+112j
					; RtlAddMandatoryAce+119j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_7ECD8D:				; CODE XREF: RtlAddMandatoryAce+B7j
					; RtlAddMandatoryAce+C6j
		mov	eax, 0C0000099h
		jmp	short loc_7ECD7C
; 

loc_7ECD94:				; CODE XREF: RtlAddMandatoryAce+2Aj
					; RtlAddMandatoryAce+8Cj ...
		mov	eax, 0C0000077h
		jmp	short loc_7ECD7C
RtlAddMandatoryAce endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepDuplicateSid(x, x)
_SepDuplicateSid@8 proc	near		; CODE XREF: SepSetTokenTrust(x,x)+3Ep
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+79Dp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		test	esi, esi
		jz	short loc_7ECDE4
		movzx	eax, byte ptr [ebx+1]
		and	dword ptr [esi], 0
		push	edi
		push	69536553h
		lea	eax, ds:8[eax*4]
		push	eax
		push	1
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7ECDEB
		push	ebx		; void *
		push	edi		; void *
		push	[ebp+var_4]	; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		mov	[esi], edi
		xor	eax, eax

loc_7ECDDF:				; CODE XREF: SepDuplicateSid(x,x)+54j
		pop	edi

loc_7ECDE0:				; CODE XREF: SepDuplicateSid(x,x)+4Dj
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7ECDE4:				; CODE XREF: SepDuplicateSid(x,x)+Ej
		mov	eax, 0C000000Dh
		jmp	short loc_7ECDE0
; 

loc_7ECDEB:				; CODE XREF: SepDuplicateSid(x,x)+33j
		mov	eax, 0C000009Ah
		jmp	short loc_7ECDDF
_SepDuplicateSid@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSetTokenPackage(x, x)
_SepSetTokenPackage@8 proc near		; CODE XREF: SepGetAnonymousToken(x,x)+60p
					; NtCreateLowBoxToken+31Ep ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	[ebp+var_4], ebx
		mov	ecx, [esi+1E0h]
		test	ecx, ecx
		jnz	short loc_7ECE4E

loc_7ECE0B:				; CODE XREF: SepSetTokenPackage(x,x)+63j
		movzx	eax, byte ptr [ebx+1]
		push	edi
		push	69536553h
		lea	edi, ds:0Bh[eax*4]
		and	edi, 0FFFFFFFCh
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7ECE68
		push	[ebp+var_4]	; void *
		push	ebx		; void *
		push	edi		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		mov	eax, [esi+1E0h]
		test	eax, eax
		jnz	short loc_7ECE5E

loc_7ECE41:				; CODE XREF: SepSetTokenPackage(x,x)+74j
		mov	[esi+1E0h], ebx
		xor	eax, eax

loc_7ECE49:				; CODE XREF: SepSetTokenPackage(x,x)+7Bj
		pop	edi

loc_7ECE4A:				; CODE XREF: SepSetTokenPackage(x,x)+6Aj
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7ECE4E:				; CODE XREF: SepSetTokenPackage(x,x)+17j
		call	_RtlIsParentOfChildAppContainer@8 ; RtlIsParentOfChildAppContainer(x,x)
		test	al, al
		jnz	short loc_7ECE0B
		mov	eax, 0C0000022h
		jmp	short loc_7ECE4A
; 

loc_7ECE5E:				; CODE XREF: SepSetTokenPackage(x,x)+4Dj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7ECE41
; 

loc_7ECE68:				; CODE XREF: SepSetTokenPackage(x,x)+39j
		mov	eax, 0C000009Ah
		jmp	short loc_7ECE49
_SepSetTokenPackage@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2002. RtlCopySid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlCopySid(int,void *,void *)
		public _RtlCopySid@12
_RtlCopySid@12	proc near		; CODE XREF: SepCreateTokenEx+7E0p
					; SeConvertStringSidToSid+84384p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		cmp	eax, [ebp+arg_0]
		ja	short loc_7ECE9F
		push	eax		; size_t
		push	ecx		; void *
		push	[ebp+arg_4]	; void *
		call	_memmove
		add	esp, 0Ch
		xor	eax, eax

loc_7ECE9B:				; CODE XREF: RtlCopySid(x,x,x)+30j
		pop	ebp
		retn	0Ch
; 

loc_7ECE9F:				; CODE XREF: RtlCopySid(x,x,x)+16j
		mov	eax, 0C0000023h
		jmp	short loc_7ECE9B
_RtlCopySid@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtCreateLowBoxToken(int,int,int,int,int,int,void *,int,char)
NtCreateLowBoxToken proc near		; DATA XREF: .text:005810F4o

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_1B		= byte ptr -1Bh
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= byte ptr  28h

; FUNCTION CHUNK AT 00910206 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 0091022C SIZE 000000C0 BYTES

		push	5Ch
		push	offset dword_6A5068
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_48], 1
		mov	[ebp-1Ah], cl
		mov	[ebp+var_19], cl
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_1B], cl
		xor	eax, eax
		lea	edi, [ebp+var_6C]
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	[ebp+var_1C], bl
		mov	byte ptr [ebp+var_28], bl
		test	bl, bl
		jz	short loc_7ECF4C
		mov	[ebp+ms_exc.disabled], ecx
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_910206

loc_7ECF10:				; CODE XREF: NtCreateLowBoxToken+123362j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [ebp+arg_1C]
		shl	eax, 2
		test	eax, eax
		jz	short loc_7ECF43
		test	[ebp+arg_20], 3
		jnz	loc_7ED307
		mov	ecx, dword ptr [ebp+arg_20]
		lea	edx, [eax+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	loc_91020D
		cmp	edx, ecx
		jb	loc_91020D

loc_7ECF43:				; CODE XREF: NtCreateLowBoxToken+76j
		xor	ecx, ecx

loc_7ECF45:				; CODE XREF: NtCreateLowBoxToken+12336Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7ECF4C:				; CODE XREF: NtCreateLowBoxToken+55j
		cmp	[ebp+arg_10], 0
		jz	loc_91022C
		cmp	[ebp+arg_1C], 0
		jz	loc_910236

loc_7ECF60:				; CODE XREF: NtCreateLowBoxToken+1233A0j
		cmp	dword ptr [ebp+arg_20],	0
		jz	loc_91024B

loc_7ECF6A:				; CODE XREF: NtCreateLowBoxToken+12339Aj
		mov	eax, ds:_SeTokenObjectType
		mov	[ebp+var_2C], ecx
		lea	ecx, [ebp+var_60]
		push	ecx
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	[ebp+var_28]
		push	eax
		push	2
		push	[ebp+arg_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_7ED2B3
		lea	eax, [ebp+var_38]
		push	eax
		push	1
		sub	esp, 0Ch
		mov	dl, bl
		mov	ecx, [ebp+arg_10]
		call	SeCaptureSid
		test	eax, eax
		js	loc_7ED2B3
		mov	edi, [ebp+var_38]
		mov	ecx, edi
		call	_SepCheckCreateLowBox@4	; SepCheckCreateLowBox(x)
		mov	esi, eax
		test	esi, esi
		js	loc_7ED2B3
		mov	ebx, [ebp+var_2C]
		cmp	dword ptr [ebx+0A8h], 1
		jnz	loc_7ED2C5

loc_7ECFCF:				; CODE XREF: NtCreateLowBoxToken+426j
		cmp	[ebp+arg_8], 0
		jz	loc_910266

loc_7ECFD9:				; CODE XREF: NtCreateLowBoxToken+1233C6j
		mov	ecx, [ebp+arg_18] ; void *
		test	ecx, ecx
		jz	short loc_7ECFFB
		lea	eax, [ebp+var_44]
		push	eax		; int
		lea	eax, [ebp+var_24]
		push	eax		; int
		push	ecx		; int
		push	ecx		; int
		push	0		; int
		push	0		; void *
		push	[ebp+var_28]	; char
		mov	edx, [ebp+arg_14] ; int
		call	SeCaptureSidAndAttributesArray
		mov	esi, eax

loc_7ECFFB:				; CODE XREF: NtCreateLowBoxToken+138j
		test	esi, esi
		js	loc_910276
		lea	eax, [ebp+var_30]
		push	eax
		mov	edx, dword ptr [ebp+arg_20]
		mov	ecx, [ebp+arg_1C]
		call	SepCaptureHandles
		mov	esi, eax
		test	esi, esi
		js	loc_910276
		mov	ecx, edi
		call	_RtlIsPackageSid@4 ; RtlIsPackageSid(x)
		test	al, al
		jz	loc_910271
		mov	al, [edi+1]
		cmp	al, 8
		jnz	loc_7ED2D7

loc_7ED036:				; CODE XREF: NtCreateLowBoxToken+433j
		xor	esi, esi
		cmp	[ebp+arg_14], esi
		jbe	short loc_7ED084

loc_7ED03D:				; CODE XREF: NtCreateLowBoxToken+1D9j
		mov	ecx, [ebp+var_24]
		mov	ecx, [ecx+esi*8]
		call	_RtlIsCapabilitySid@4 ;	RtlIsCapabilitySid(x)
		test	al, al
		jz	loc_910271
		xor	ebx, ebx
		test	esi, esi
		jz	short loc_7ED07B
		mov	eax, [ebp+var_24]
		mov	ecx, [eax+esi*8]
		mov	dword ptr [ebp+arg_20],	ecx

loc_7ED05F:				; CODE XREF: NtCreateLowBoxToken+1D3j
		mov	eax, [ebp+var_24]
		push	dword ptr [eax+ebx*8]
		push	ecx
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	loc_910271
		inc	ebx
		cmp	ebx, esi
		mov	ecx, dword ptr [ebp+arg_20]
		jb	short loc_7ED05F

loc_7ED07B:				; CODE XREF: NtCreateLowBoxToken+1AEj
		inc	esi
		cmp	esi, [ebp+arg_14]
		jb	short loc_7ED03D
		mov	ebx, [ebp+var_2C]

loc_7ED084:				; CODE XREF: NtCreateLowBoxToken+195j
		lea	eax, [ebp+var_3C]
		push	eax
		push	edi
		call	RtlGetAppContainerSidType
		mov	esi, eax
		test	esi, esi
		js	loc_910276
		cmp	[ebp+var_3C], 1
		jz	loc_7ED2E4

loc_7ED0A2:				; CODE XREF: NtCreateLowBoxToken+456j
		test	esi, esi
		js	loc_910276
		lea	eax, [ebp+var_20]
		push	eax		; int
		xor	eax, eax
		push	eax		; int
		push	[ebp+var_28]	; int
		push	eax		; size_t
		push	1		; int
		push	eax		; char
		mov	edx, [ebp+arg_C]
		mov	ecx, ebx
		call	_SepDuplicateToken@32 ;	SepDuplicateToken(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_910276
		mov	bl, 1
		lea	edx, [ebp+var_48]
		mov	ecx, [ebp+var_20]
		call	_SeSetMandatoryPolicyToken@8 ; SeSetMandatoryPolicyToken(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7ED24C
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	eax, [ebp+var_20]
		push	dword ptr [eax+30h]
		call	ExAcquireResourceExclusiveLite
		and	[ebp+var_4C], 0
		xor	ecx, ecx
		lea	eax, [ebp+var_4C]
		lock or	[eax], ecx
		mov	[ebp-1Ah], bl
		mov	ecx, [ebp+var_20]
		call	_SepLocateTokenIntegrity@4 ; SepLocateTokenIntegrity(x)
		test	eax, eax
		jz	loc_91028C
		mov	ecx, [eax]
		mov	al, [ecx+1]
		test	al, al
		jz	short loc_7ED12E
		movzx	eax, al
		dec	eax
		push	eax
		push	ecx
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 1000h

loc_7ED12E:				; CODE XREF: NtCreateLowBoxToken+275j
		mov	eax, [ebp+var_20]
		mov	ecx, (offset loc_7FFFFF+1)
		and	[eax+48h], ecx
		and	dword ptr [eax+4Ch], 2
		mov	eax, [ebp+var_20]
		and	[eax+50h], ecx
		and	dword ptr [eax+54h], 2
		mov	eax, [ebp+var_20]
		and	[eax+40h], ecx
		and	dword ptr [eax+44h], 2
		mov	eax, [ebp+var_20]
		and	dword ptr [eax+0B0h], 0FFFFDFFFh
		mov	eax, [ebp+var_20]
		or	dword ptr [eax+0B0h], 4000h

loc_7ED16B:				; CODE XREF: NtCreateLowBoxToken+1233EBj
		test	esi, esi
		js	loc_7ED24C
		push	[ebp+arg_14]
		push	[ebp+var_24]
		mov	edx, edi
		mov	ecx, [ebp+var_20]
		call	SepSetTokenCapabilities
		mov	esi, eax
		test	esi, esi
		js	loc_7ED24C
		mov	edx, edi
		mov	ecx, [ebp+var_20]
		call	SepSetTokenLowboxNumber
		mov	esi, eax
		test	esi, esi
		js	loc_7ED24C
		mov	[ebp+var_68], edi
		push	[ebp+var_30]
		push	[ebp+arg_1C]
		lea	edx, [ebp+var_6C]
		mov	ecx, [ebp+var_20]
		call	SepSetTokenCachedHandles
		mov	esi, eax
		test	esi, esi
		js	loc_7ED24C
		mov	edx, edi
		mov	ecx, [ebp+var_20]
		call	_SepSetTokenPackage@8 ;	SepSetTokenPackage(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7ED24C
		mov	edx, edi
		mov	ecx, [ebp+var_20]
		call	SepAppendAceToTokenDefaultDacl
		mov	esi, eax
		test	esi, esi
		js	short loc_7ED24C
		mov	ecx, [ebp+var_20]
		lea	ecx, [ecx+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		and	[ebp+var_50], 0
		xor	ecx, ecx
		lea	eax, [ebp+var_50]
		lock or	[eax], ecx
		mov	ecx, [ebp+var_20]
		mov	ecx, [ecx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	ecx, ecx
		mov	[ebp-1Ah], cl
		lea	eax, [ebp+var_34]
		push	eax
		push	ecx
		push	ecx
		push	1
		push	[ebp+arg_8]
		xor	edx, edx
		mov	ecx, [ebp+var_20]
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7ED24A
		push	edi
		mov	edx, 0F01FFh
		mov	ecx, [ebp+var_20]
		call	SepAppendAceToTokenObjectAcl
		mov	esi, eax
		test	esi, esi
		js	short loc_7ED24C
		mov	ecx, [ebp+var_20]
		call	_SepFinalizeTokenAcls@4	; SepFinalizeTokenAcls(x)
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject

loc_7ED24A:				; CODE XREF: NtCreateLowBoxToken+37Ej
		xor	bl, bl

loc_7ED24C:				; CODE XREF: NtCreateLowBoxToken+237j
					; NtCreateLowBoxToken+2C7j ...
		cmp	byte ptr [ebp-1Ah], 0
		jnz	loc_910296

loc_7ED256:				; CODE XREF: NtCreateLowBoxToken+12341Bj
		test	esi, esi
		js	loc_9102C6

loc_7ED25E:				; CODE XREF: NtCreateLowBoxToken+123430j
					; NtCreateLowBoxToken+123441j
		mov	ecx, [ebp+var_24]
		mov	bl, [ebp+var_1C]
		test	ecx, ecx
		jz	short loc_7ED270
		push	ecx
		mov	dl, bl
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_7ED270:				; CODE XREF: NtCreateLowBoxToken+3C0j
		test	edi, edi
		jz	short loc_7ED27F
		push	1
		mov	dl, bl
		mov	ecx, edi
		call	_SeReleaseSid@12 ; SeReleaseSid(x,x,x)

loc_7ED27F:				; CODE XREF: NtCreateLowBoxToken+3CCj
		mov	ecx, [ebp+var_2C]
		call	ObfDereferenceObject
		cmp	[ebp+var_30], 0
		jz	short loc_7ED297
		push	0
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7ED297:				; CODE XREF: NtCreateLowBoxToken+3E5j
		test	esi, esi
		js	short loc_7ED2B1
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_34]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7ED2B1:				; CODE XREF: NtCreateLowBoxToken+3F3j
		mov	eax, esi

loc_7ED2B3:				; CODE XREF: NtCreateLowBoxToken+E4j
					; NtCreateLowBoxToken+FFj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_7ED2C5:				; CODE XREF: NtCreateLowBoxToken+123j
		cmp	dword ptr [ebx+0ACh], 2
		jge	loc_7ECFCF
		jmp	loc_910255
; 

loc_7ED2D7:				; CODE XREF: NtCreateLowBoxToken+18Aj
		cmp	al, 0Ch
		jz	loc_7ED036
		jmp	loc_91027E
; 

loc_7ED2E4:				; CODE XREF: NtCreateLowBoxToken+1F6j
		lea	eax, [ebp+var_1B]
		push	eax
		push	ecx
		push	[ebp+var_24]
		mov	edx, [ebp+arg_14]
		mov	ecx, ebx
		call	SepCheckCapabilities
		mov	esi, eax
		cmp	[ebp+var_1B], 0
		jnz	loc_7ED0A2
		jmp	loc_910285
; 

loc_7ED307:				; CODE XREF: NtCreateLowBoxToken+7Cj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
NtCreateLowBoxToken endp


;  S U B	R O U T	I N E 


; __stdcall RtlIsCapabilitySid(x)
_RtlIsCapabilitySid@4 proc near		; CODE XREF: RtlCheckTokenCapability(x,x,x)+B1p
					; NtCreateLowBoxToken+19Dp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+1], 2
		jb	short loc_7ED33B
		cmp	byte ptr [esi],	1
		jnz	short loc_7ED33B
		push	6		; Length
		push	offset _RtlpAppPackageAuthority	; Source2
		lea	eax, [esi+2]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 6
		jnz	short loc_7ED33B
		cmp	dword ptr [esi+8], 3
		jnz	short loc_7ED33B
		mov	al, 1
		pop	esi
		retn
; 

loc_7ED33B:				; CODE XREF: RtlIsCapabilitySid(x)+9j
					; RtlIsCapabilitySid(x)+Ej ...
		xor	al, al
		pop	esi
		retn
_RtlIsCapabilitySid@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall RtlIdentifierAuthoritySid(x)
_RtlIdentifierAuthoritySid@4 proc near	; CODE XREF: SepCreateTokenEx+216p
					; SepCreateTokenEx+222p
		lea	eax, [ecx+2]
		retn
_RtlIdentifierAuthoritySid@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepCaptureInt64Array proc near		; CODE XREF: SepCaptureTokenSecurityAttributesInformation+379p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00910325 SIZE 0000000F BYTES

		push	14h
		push	offset dword_6A5090
		call	__SEH_prolog4
		mov	ebx, ecx
		and	[ebp+var_20], 0
		mov	eax, edx
		push	8
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_20]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7ED3C7
		push	74416553h
		mov	edi, [ebp+var_20]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	short loc_7ED3D9
		and	[ebp+ms_exc.disabled], 0
		test	edi, edi
		jz	short loc_7ED3A1
		test	bl, 3
		jnz	short loc_7ED3E0
		lea	ecx, [edi+ebx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_7ED3E5
		cmp	ecx, ebx
		jb	short loc_7ED3E5

loc_7ED3A1:				; CODE XREF: SepCaptureInt64Array+46j
					; SepCaptureInt64Array+A4j
		push	edi		; size_t
		push	ebx		; void *
		push	[ebp+var_1C]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_7ED3AE:				; CODE XREF: sub_91031A+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		js	loc_910325
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_1C]
		mov	[ecx], eax

loc_7ED3C5:				; CODE XREF: SepCaptureInt64Array+122FEBj
		mov	eax, esi

loc_7ED3C7:				; CODE XREF: SepCaptureInt64Array+27j
					; SepCaptureInt64Array+9Aj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7ED3D9:				; CODE XREF: SepCaptureInt64Array+3Ej
		mov	eax, 0C000009Ah
		jmp	short loc_7ED3C7
; 

loc_7ED3E0:				; CODE XREF: SepCaptureInt64Array+4Bj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7ED3E5:				; CODE XREF: SepCaptureInt64Array+57j
					; SepCaptureInt64Array+5Bj
		mov	byte ptr [eax],	0
		jmp	short loc_7ED3A1
SepCaptureInt64Array endp

; 
		align 10h
; Exported entry 2112. RtlGetAppContainerSidType

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlGetAppContainerSidType
RtlGetAppContainerSidType proc near	; CODE XREF: SepValidateReferencedCachedHandles+64p
					; RtlIsParentOfChildAppContainer(x,x)+1Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00910334 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	byte ptr [esi+1], 2
		jb	short loc_7ED44E
		cmp	byte ptr [esi],	1
		jnz	short loc_7ED44E
		push	6		; Length
		push	offset _RtlpAppPackageAuthority	; Source2
		lea	eax, [esi+2]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 6
		jnz	short loc_7ED44E
		cmp	dword ptr [esi+8], 2
		jnz	short loc_7ED44E
		push	esi
		call	_RtlSubAuthorityCountSid@4 ; RtlSubAuthorityCountSid(x)
		mov	al, [eax]
		cmp	al, 8
		jnz	short loc_7ED43B
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 2

loc_7ED434:				; CODE XREF: RtlGetAppContainerSidType+5Cj
		xor	eax, eax

loc_7ED436:				; CODE XREF: RtlGetAppContainerSidType+122F4Fj
		pop	esi
		pop	ebp
		retn	8
; 

loc_7ED43B:				; CODE XREF: RtlGetAppContainerSidType+39j
		cmp	al, 0Ch
		mov	eax, [ebp+arg_4]
		jnz	loc_910334
		mov	dword ptr [eax], 1
		jmp	short loc_7ED434
; 

loc_7ED44E:				; CODE XREF: RtlGetAppContainerSidType+Dj
					; RtlGetAppContainerSidType+12j ...
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		jmp	loc_91033A
RtlGetAppContainerSidType endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2237. RtlLengthRequiredSid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLengthRequiredSid(x)
		public _RtlLengthRequiredSid@4
_RtlLengthRequiredSid@4	proc near	; CODE XREF: SepCreateTokenEx+446p
					; SepCreateTokenEx+46Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	eax, 3FFFFFF7h
		ja	short loc_7ED478
		lea	eax, ds:8[eax*4]

loc_7ED474:				; CODE XREF: RtlLengthRequiredSid(x)+1Dj
		pop	ebp
		retn	4
; 

loc_7ED478:				; CODE XREF: RtlLengthRequiredSid(x)+Dj
		or	eax, 0FFFFFFFFh
		jmp	short loc_7ED474
_RtlLengthRequiredSid@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepHasCriticalAcesRemoved proc near	; CODE XREF: SepCheckForCriticalAceRemoval(x,x,x,x,x)+88p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00910344 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], ecx
		mov	byte ptr [ebp+var_1], cl
		mov	[ebp+var_8], ecx
		mov	[eax], cl
		test	edi, edi
		jz	short loc_7ED4A9
		mov	[edi], cl

loc_7ED4A9:				; CODE XREF: SepHasCriticalAcesRemoved+27j
		lea	eax, [ebp+arg_4+3]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		push	esi
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)
		test	eax, eax
		js	loc_7ED572
		cmp	byte ptr [ebp+var_1], 0
		jz	loc_7ED572
		push	ebx
		mov	ebx, [ebp+var_C]
		test	ebx, ebx
		jz	loc_7ED571
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_RtlGetControlSecurityDescriptor@12 ; RtlGetControlSecurityDescriptor(x,x,x)
		test	eax, eax
		js	loc_7ED571
		mov	eax, [ebp+var_8]
		mov	esi, [ebp+var_14]
		and	eax, 400h
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+arg_4+3]
		push	eax
		lea	eax, [ebp+var_10]
		mov	byte ptr [ebp+var_1], 0
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		push	esi
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_RtlGetControlSecurityDescriptor@12 ; RtlGetControlSecurityDescriptor(x,x,x)
		mov	ecx, [ebp+var_8]
		lea	esi, [ebx+8]
		movzx	eax, word ptr [ebx+4]
		mov	edx, ecx
		and	[ebp+var_14], 0
		and	edx, 400h
		and	ecx, 1000h
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_7ED571
		mov	ecx, eax

loc_7ED54C:				; CODE XREF: SepHasCriticalAcesRemoved+F1j
		cmp	byte ptr [esi],	3
		ja	short loc_7ED560
		test	byte ptr [esi+1], 20h
		lea	edx, [esi+8]
		mov	eax, [esi+4]
		mov	[ebp+var_18], eax
		jnz	short loc_7ED578

loc_7ED560:				; CODE XREF: SepHasCriticalAcesRemoved+D1j
					; SepHasCriticalAcesRemoved+166j
		movzx	eax, word ptr [esi+2]
		add	esi, eax
		mov	eax, [ebp+var_14]
		inc	eax
		mov	[ebp+var_14], eax
		cmp	eax, ecx
		jb	short loc_7ED54C

loc_7ED571:				; CODE XREF: SepHasCriticalAcesRemoved+55j
					; SepHasCriticalAcesRemoved+6Bj ...
		pop	ebx

loc_7ED572:				; CODE XREF: SepHasCriticalAcesRemoved+3Fj
					; SepHasCriticalAcesRemoved+49j
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_7ED578:				; CODE XREF: SepHasCriticalAcesRemoved+E0j
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_7ED5B5
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_7ED5B5
		and	[ebp+var_C], 0
		lea	ebx, [eax+8]
		movzx	eax, word ptr [eax+4]
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	short loc_7ED5B5
		mov	ecx, eax

loc_7ED599:				; CODE XREF: SepHasCriticalAcesRemoved+135j
		cmp	byte ptr [ebx],	3
		ja	short loc_7ED5A4
		test	byte ptr [ebx+1], 20h
		jnz	short loc_7ED5CB

loc_7ED5A4:				; CODE XREF: SepHasCriticalAcesRemoved+11Ej
					; SepHasCriticalAcesRemoved+171j
		movzx	eax, word ptr [ebx+2]
		add	ebx, eax
		mov	eax, [ebp+var_C]
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, ecx
		jb	short loc_7ED599

loc_7ED5B5:				; CODE XREF: SepHasCriticalAcesRemoved+FEj
					; SepHasCriticalAcesRemoved+105j ...
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	1
		test	edi, edi
		jz	short loc_7ED571
		cmp	word ptr [ebp+var_1C], 0
		jz	short loc_7ED571
		jmp	loc_910344
; 

loc_7ED5CB:				; CODE XREF: SepHasCriticalAcesRemoved+124j
		push	edx
		lea	eax, [ebx+8]
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_7ED5E9
		mov	eax, [ebp+var_18]
		cmp	[ebx+4], eax
		jnz	short loc_7ED5E9
		mov	ecx, [ebp+var_8]
		jmp	loc_7ED560
; 

loc_7ED5E9:				; CODE XREF: SepHasCriticalAcesRemoved+159j
					; SepHasCriticalAcesRemoved+161j
		mov	ecx, [ebp+arg_4]
		lea	edx, [esi+8]
		jmp	short loc_7ED5A4
SepHasCriticalAcesRemoved endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepFilterToken(x, x, x, x, x, x, x,	x, x, x, x)
_SepFilterToken@44 proc	near		; CODE XREF: NtFilterToken+181p
					; SeFilterToken+68p

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7A		= byte ptr -7Ah
var_79		= byte ptr -79h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= byte ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		xor	eax, eax
		mov	[esp+84h+var_70], edx
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+90h+var_38]
		mov	esi, ecx
		stosd
		xor	ecx, ecx
		mov	[esp+90h+var_78], esi
		mov	[esp+90h+var_64], ecx
		mov	[esp+90h+var_60], ecx
		stosd
		mov	[esp+90h+var_74], ecx
		mov	[esp+90h+var_6C], ecx
		mov	[esp+90h+var_7A], cl
		stosd
		mov	[esp+90h+var_79], cl
		stosd
		xor	eax, eax
		lea	edi, [esp+90h+var_10]
		stosd
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[esp+90h+var_54], al
		mov	eax, [ebp+arg_0]
		and	eax, 8
		mov	[esp+90h+var_58], eax
		jz	short loc_7ED667
		test	byte ptr [esi+0B0h], 58h
		jnz	loc_7ED6E7

loc_7ED667:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+66j
		mov	ebx, [ebp+arg_14]
		mov	edi, ecx
		test	ebx, ebx
		jz	short loc_7ED693

loc_7ED670:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+9Fj
		mov	ecx, [ebp+arg_18]
		mov	ecx, [ecx+edi*8]
		call	_RtlIsPackageSid@4 ; RtlIsPackageSid(x)
		test	al, al
		jnz	short loc_7ED6E7
		mov	eax, [ebp+arg_18]
		mov	ecx, [eax+edi*8]
		call	_RtlIsCapabilitySid@4 ;	RtlIsCapabilitySid(x)
		test	al, al
		jnz	short loc_7ED6E7
		inc	edi
		cmp	edi, ebx
		jb	short loc_7ED670

loc_7ED693:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+7Cj
		mov	edi, 74416553h
		push	edi
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+90h+var_5C], ebx
		test	ebx, ebx
		jz	short loc_7ED723
		and	dword ptr [ebx], 0
		lea	eax, [ebx+4]
		and	dword ptr [ebx+0Ch], 0
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+10h]
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	ds:_SeTokenLeakTracking, 0
		jz	short loc_7ED6EE
		push	edi
		push	9Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+90h+var_6C], edi
		test	edi, edi
		jnz	short loc_7ED6F2
		push	eax
		push	ebx
		jmp	short loc_7ED71E
; 

loc_7ED6E7:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+6Fj
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+8Bj ...
		mov	eax, 0C000000Dh
		jmp	short loc_7ED728
; 

loc_7ED6EE:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+D8j
		mov	edi, [esp+90h+var_6C]

loc_7ED6F2:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+EFj
		push	6C546553h
		push	38h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+90h+var_68], eax
		test	eax, eax
		jnz	short loc_7ED731
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	ds:_SeTokenLeakTracking, 0
		jz	short loc_7ED723
		push	0
		push	edi

loc_7ED71E:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+F3j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7ED723:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+B8j
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+127j
		mov	eax, 0C000009Ah

loc_7ED728:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+FAj
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+40Ej ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_7ED731:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+117j
		mov	edx, [ebp+arg_1C]
		lea	eax, [esp+90h+var_74]
		mov	ecx, [esi+84h]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	[esp+90h+var_80], eax
		test	eax, eax
		js	loc_7EDEFC
		mov	edx, [esp+90h+var_74]
		lea	eax, [esp+90h+var_60]
		push	eax
		mov	ecx, 2A0h
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	[esp+90h+var_80], eax
		test	eax, eax
		js	loc_7EDEFC
		mov	eax, [esi+88h]
		lea	ecx, [esp+90h+var_64]
		push	ecx
		push	[esp+94h+var_60]
		xor	edx, edx
		mov	[esp+98h+var_28], 18h
		push	eax
		push	[esp+9Ch+var_60]
		mov	eax, [esp+0A0h+var_70]
		push	edx
		push	eax
		push	edx
		push	ds:_SeTokenObjectType
		push	eax
		call	_ObCreateObject@36 ; ObCreateObject(x,x,x,x,x,x,x,x,x)
		mov	[esp+90h+var_80], eax
		test	eax, eax
		mov	eax, [esp+90h+var_68]
		js	loc_7EDF00
		mov	ebx, [esp+90h+var_64]
		push	eax
		mov	[ebx+30h], eax
		call	ExInitializeResourceLite
		lea	ecx, [ebx+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		lea	ecx, [ebx+10h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		xor	edx, edx
		lea	ecx, [ebx+294h]
		mov	[ebx+0B4h], dl
		mov	edi, ebx
		mov	eax, [esi+18h]
		mov	[ebx+18h], eax
		mov	eax, [esi+1Ch]
		mov	[ebx+1Ch], eax
		lea	eax, [ebx+80h]
		movsd
		mov	[esp+90h+var_70], eax
		mov	[esp+90h+var_68], ecx
		movsd
		movsd
		movsd
		mov	esi, [esp+90h+var_78]
		mov	[ebx+8Ch], edx
		mov	[eax], edx
		mov	eax, [esp+90h+var_74]
		mov	[ebx+84h], eax
		mov	eax, [esi+10h]
		mov	[ebx+20h], eax
		mov	eax, [esi+14h]
		mov	[ebx+24h], eax
		mov	eax, [esi+0A8h]
		mov	[ebx+0A8h], eax
		mov	eax, [esi+0ACh]
		mov	[ebx+0ACh], eax
		mov	eax, [esi+28h]
		mov	[ebx+28h], eax
		mov	eax, [esi+2Ch]
		mov	[ebx+2Ch], eax
		mov	eax, [esi+0C4h]
		mov	[ebx+0C4h], eax
		mov	eax, [esi+0C8h]
		mov	[ebx+0C8h], eax
		mov	eax, [esp+90h+var_6C]
		mov	[ebx+288h], edx
		mov	[ebx+28Ch], edx
		mov	[ebx+27Ch], edx
		mov	[ecx], eax
		mov	[ebx+78h], edx
		mov	[ebx+29Ch], edx
		cmp	ds:_SeTokenLeakTracking, edx
		jz	short loc_7ED8BB
		mov	eax, [ecx]
		push	edx
		push	1Eh
		pop	edi
		push	edi
		add	eax, 1Ch
		push	eax
		call	RtlWalkFrameChain
		mov	[esp+90h+var_80], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_7ED8BB
		mov	ecx, [esp+90h+var_68]
		mov	eax, [esp+90h+var_80]
		sub	edi, eax
		add	eax, 7
		push	1
		mov	ecx, [ecx]
		push	edi
		lea	eax, [ecx+eax*4]
		push	eax
		call	RtlWalkFrameChain

loc_7ED8BB:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+28Ej
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+2ACj
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceSharedLite
		mov	eax, [esi+88h]
		mov	ecx, ebx
		mov	[ebx+88h], eax
		mov	eax, [esi+90h]
		mov	[ebx+90h], eax
		xor	eax, eax
		mov	edx, [esi+78h]
		push	eax
		push	eax
		push	eax
		call	_SepSetTokenSessionById@20 ; SepSetTokenSessionById(x,x,x,x,x)
		mov	eax, [esi+78h]
		lea	ecx, [ebx+0B0h]
		mov	[ebx+78h], eax
		lea	edi, [ebx+58h]
		mov	eax, [esi+0B0h]
		add	esi, 58h
		and	eax, 0FFFFFBD7h
		mov	[esp+90h+var_6C], ecx
		mov	[ecx], eax
		push	8
		pop	ecx
		rep movsd
		mov	esi, [esp+90h+var_78]
		lea	edi, [ebx+40h]
		push	6
		pop	ecx
		mov	eax, [esi+0B8h]
		mov	[ebx+0B8h], eax
		mov	eax, [esi+0BCh]
		add	esi, 40h
		mov	[ebx+0BCh], eax
		mov	eax, [esp+90h+var_5C]
		rep movsd
		mov	[ebx+1DCh], eax
		cmp	byte ptr [ebx+77h], 2
		jnz	short loc_7ED95A
		mov	dl, 1
		lea	ecx, [ebx+58h]
		call	_SepModifyTokenPolicyCounter@8 ; SepModifyTokenPolicyCounter(x,x)

loc_7ED95A:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+35Cj
		xor	ecx, ecx
		lea	eax, [ebx+274h]
		mov	[eax], ecx
		mov	[esp+90h+var_50], eax
		lea	eax, [ebx+278h]
		mov	[eax], ecx
		mov	[esp+90h+var_4C], eax
		lea	eax, [ebx+298h]
		mov	[eax], ecx
		mov	[esp+90h+var_48], eax
		lea	eax, [ebx+1E4h]
		mov	[eax], ecx
		mov	[esp+90h+var_44], eax
		lea	eax, [ebx+1E8h]
		mov	[ebx+1E0h], ecx
		push	88h		; size_t
		mov	[esp+94h+var_3C], eax
		mov	[eax], ecx
		lea	eax, [ebx+1ECh]
		push	ecx		; int
		push	eax		; void *
		mov	[esp+9Ch+var_40], eax
		call	_memset
		mov	esi, [esp+9Ch+var_78]
		lea	eax, [ebx+0A0h]
		xor	ecx, ecx
		mov	[esp+9Ch+var_5C], eax
		mov	[eax], ecx
		add	esp, 0Ch
		mov	[ebx+280h], ecx
		mov	edx, esi
		mov	[ebx+284h], ecx
		mov	[ebx+290h], ecx
		mov	ecx, ebx
		call	SepDuplicateLogonSessionReference
		mov	edi, eax
		test	edi, edi
		jns	short loc_7EDA05

loc_7ED9EA:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+444j
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+45Cj ...
		mov	ecx, [esi+30h]

loc_7ED9ED:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+791j
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_7ED9FE:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+87Aj
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+905j
		mov	eax, edi
		jmp	loc_7ED728
; 

loc_7EDA05:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+3F6j
		xor	dl, dl
		mov	ecx, esi
		call	_SepRefDerefLuidToIndexEntryIfNecessary@8 ; SepRefDerefLuidToIndexEntryIfNecessary(x,x)
		mov	eax, [esi+290h]
		mov	[ebx+290h], eax
		mov	ecx, [esi+1DCh]
		cmp	dword ptr [ecx], 0
		jz	short loc_7EDA38
		mov	edx, [ebx+1DCh]
		push	0
		call	AuthzBasepDuplicateSecurityAttributes
		mov	edi, eax
		test	edi, edi
		js	short loc_7ED9EA

loc_7EDA38:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+431j
		cmp	dword ptr [esi+27Ch], 0
		jz	short loc_7EDA50
		mov	edx, ebx
		mov	ecx, esi
		call	_SepDuplicateTokenClaims@8 ; SepDuplicateTokenClaims(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7ED9EA

loc_7EDA50:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+44Dj
		cmp	ds:_SeTokenLeakTracking, 0
		jz	short loc_7EDABE
		mov	eax, large fs:124h
		mov	ebx, [esp+94h+var_6C]
		mov	eax, [eax+2ACh]
		mov	ecx, [ebx]
		mov	[ecx], eax
		mov	eax, large fs:124h
		mov	ecx, [ebx]
		mov	eax, [eax+2B0h]
		mov	[ecx+4], eax
		mov	eax, [ebx]
		mov	dword ptr [eax+18h], 0Fh
		mov	eax, [ebx]
		and	dword ptr [eax+94h], 0
		mov	eax, [ebx]
		and	dword ptr [eax+98h], 0
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	edi, [ebx]
		mov	ebx, [esp+94h+var_68]
		add	edi, 8
		mov	ecx, ebx
		lea	esi, [eax+1ACh]
		movsd
		movsd
		movsd
		movsw
		movsb
		call	_SepAddTokenLogonSession@4 ; SepAddTokenLogonSession(x)
		mov	esi, [esp+18h]

loc_7EDABE:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+465j
		test	byte ptr [ebp+arg_0], 2
		jz	short loc_7EDAF5
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		push	eax
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	edi, eax
		lea	edx, [esp+94h+var_80+2]
		mov	ecx, edi
		call	_SeIsSystemContext@8 ; SeIsSystemContext(x,x)
		test	eax, eax
		js	short loc_7EDAEE
		cmp	byte ptr [esp+94h+var_80+2], 0
		jz	short loc_7EDAEE
		mov	eax, [esp+94h+var_70]
		or	dword ptr [eax], 40h

loc_7EDAEE:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+4ECj
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+4F3j
		mov	ecx, edi
		call	ObfDereferenceObject

loc_7EDAF5:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+4D0j
		mov	ecx, [esi+80h]
		lea	edx, [ebx+2A0h]
		mov	eax, [ebp+arg_14]
		cmp	ecx, eax
		ja	short loc_7EDB0A
		mov	ecx, eax

loc_7EDB0A:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+514j
		mov	eax, [esi+7Ch]
		add	eax, ecx
		mov	[ebx+94h], edx
		cmp	_SepTokenSidSharingEnabled, 0
		lea	ecx, [edx+eax*8]
		mov	[esp+94h+var_84], ecx
		jz	short loc_7EDB40
		mov	edx, ebx
		mov	ecx, esi
		call	_SepDuplicateTokenUserAndGroups@8 ; SepDuplicateTokenUserAndGroups(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_7EDB66
		and	dword ptr [ebx+94h], 0
		jmp	loc_7ED9EA
; 

loc_7EDB40:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+531j
		mov	eax, [esi+7Ch]
		mov	[ebx+7Ch], eax
		lea	eax, [esp+94h+var_78]
		push	eax		; int
		lea	eax, [esp+98h+var_84]
		push	eax		; int
		push	ecx		; void *
		push	edx		; int
		push	[esp+0A4h+var_78] ; int
		push	dword ptr [esi+94h] ; int
		push	dword ptr [esi+7Ch] ; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)
		mov	edi, eax

loc_7EDB66:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+540j
		mov	edx, [esi+7Ch]
		add	edx, 54h
		cmp	[ebp+arg_14], 0
		lea	edx, [ebx+edx*8]
		mov	[esp+18h], edx
		mov	[ebx+98h], edx
		jbe	short loc_7EDBF8
		mov	eax, [ebp+arg_18]

loc_7EDB82:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+604j
		mov	ecx, [esi+80h]
		test	ecx, ecx
		jz	short loc_7EDBA7
		push	dword ptr [eax]
		mov	edx, ecx
		push	ecx
		mov	ecx, [esi+98h]
		call	_SepSidInSidAndAttributes@16 ; SepSidInSidAndAttributes(x,x,x,x)
		mov	edx, [esp+18h]
		test	al, al
		jz	short loc_7EDBE9
		mov	eax, [ebp+arg_18]

loc_7EDBA7:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+598j
		lea	ecx, [esp+94h+var_78]
		push	ecx		; int
		lea	ecx, [esp+98h+var_84]
		push	ecx		; int
		push	[esp+9Ch+var_84] ; void	*
		push	edx		; int
		push	[esp+0A4h+var_78] ; int
		push	eax		; int
		push	1		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)
		mov	ecx, [esp+94h+var_74]
		mov	edi, eax
		mov	eax, [ebx+98h]
		mov	edx, [esp+18h]
		add	edx, 8
		mov	ecx, [ecx]
		mov	[esp+18h], edx
		mov	dword ptr [eax+ecx*8+4], 7
		mov	eax, [esp+94h+var_74]
		inc	dword ptr [eax]

loc_7EDBE9:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+5B0j
		mov	eax, [ebp+arg_18]
		add	eax, 8
		sub	[ebp+arg_14], 1
		mov	[ebp+arg_18], eax
		jnz	short loc_7EDB82

loc_7EDBF8:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+58Bj
		mov	eax, [esi+9Ch]
		movzx	eax, byte ptr [eax+1]
		lea	ecx, ds:8[eax*4]
		mov	eax, [esi+0A4h]
		mov	[esp+94h+var_68], ecx
		test	eax, eax
		jz	short loc_7EDC21
		movzx	eax, word ptr [eax+2]
		add	ecx, eax
		mov	[esp+94h+var_68], ecx

loc_7EDC21:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+623j
		push	64546553h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [esp+94h+var_60]
		mov	[esp+94h+var_84], eax
		mov	[ecx], eax
		test	eax, eax
		jnz	short loc_7EDC46
		mov	edi, 0C000009Ah
		jmp	loc_7ED9EA
; 

loc_7EDC46:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+648j
		mov	ecx, [esp+94h+var_74]
		xor	edx, edx
		cmp	[esi+80h], edx
		jz	short loc_7EDC62
		cmp	[ecx], edx
		jnz	short loc_7EDC62
		mov	edi, 0C000000Dh
		jmp	loc_7ED9EA
; 

loc_7EDC62:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+660j
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+664j
		cmp	[ecx], edx
		mov	al, dl
		mov	ecx, [esp+94h+var_70]
		jbe	short loc_7EDC76
		or	dword ptr [ecx], 810h
		mov	al, 1
		jmp	short loc_7EDC7C
; 

loc_7EDC76:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+678j
		mov	[ebx+98h], edx

loc_7EDC7C:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+682j
		cmp	[esp+94h+var_5C], edx
		jz	short loc_7EDC87
		or	dword ptr [ecx], 18h
		mov	al, 1

loc_7EDC87:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+68Ej
		test	al, al
		jz	short loc_7EDC92
		mov	ecx, esi
		call	_SepSetLogonSessionToken@4 ; SepSetLogonSessionToken(x)

loc_7EDC92:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+697j
		push	[esp+94h+var_68] ; size_t
		push	dword ptr [esi+0A0h] ; void *
		push	[esp+9Ch+var_84] ; void	*
		call	_memcpy
		mov	eax, [esi+0A4h]
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7EDCC4
		sub	eax, [esi+0A0h]
		add	eax, [esp+94h+var_84]
		mov	[ebx+0A4h], eax
		jmp	short loc_7EDCCB
; 

loc_7EDCC4:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+6BEj
		and	dword ptr [ebx+0A4h], 0

loc_7EDCCB:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+6D0j
		mov	eax, [esi+9Ch]
		sub	eax, [esi+0A0h]
		mov	[esp+94h+var_5C], eax
		mov	eax, [esi+1E8h]
		test	eax, eax
		jz	short loc_7EDCFB
		mov	edx, [esi+1E0h]
		mov	ecx, ebx
		push	eax
		push	dword ptr [esi+1E4h]
		call	SepSetTokenCapabilities
		mov	edi, eax

loc_7EDCFB:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+6F1j
		test	edi, edi
		js	loc_7ED9EA
		mov	edx, [esi+1E0h]
		test	edx, edx
		jz	short loc_7EDD16
		mov	ecx, ebx
		call	_SepSetTokenPackage@8 ;	SepSetTokenPackage(x,x)
		mov	edi, eax

loc_7EDD16:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+719j
		test	edi, edi
		js	loc_7ED9EA
		mov	ecx, [esi+274h]
		test	ecx, ecx
		jz	short loc_7EDD39
		call	_SepReferenceLowBoxNumberEntry@4 ; SepReferenceLowBoxNumberEntry(x)
		mov	ecx, [esp+58h+var_18]
		mov	eax, [esi+274h]
		mov	[ecx], eax

loc_7EDD39:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+734j
		mov	ecx, [esi+278h]
		test	ecx, ecx
		jz	short loc_7EDD54
		call	_SepReferenceLowBoxNumberEntry@4 ; SepReferenceLowBoxNumberEntry(x)
		mov	ecx, [esp+58h+var_14]
		mov	eax, [esi+278h]
		mov	[ecx], eax

loc_7EDD54:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+74Fj
		mov	ecx, [esi+298h]
		test	ecx, ecx
		jz	short loc_7EDD6F
		call	_SepReferenceLowBoxNumberEntry@4 ; SepReferenceLowBoxNumberEntry(x)
		mov	ecx, [esp+58h+var_10]
		mov	eax, [esi+298h]
		mov	[ecx], eax

loc_7EDD6F:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+76Aj
		mov	edx, [esi+280h]
		mov	ecx, ebx
		call	_SepSetTokenTrust@8 ; SepSetTokenTrust(x,x)
		mov	ecx, [esi+30h]
		mov	edi, eax
		test	edi, edi
		js	loc_7ED9ED
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	[ebp+arg_10]
		mov	eax, [esp+5Ch+var_20]
		mov	ecx, ebx
		push	[ebp+arg_C]
		add	eax, [esp+60h+var_48]
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_4]
		mov	[ebx+9Ch], eax
		call	_SepRemoveDisabledGroupsAndPrivileges@24 ; SepRemoveDisabledGroupsAndPrivileges(x,x,x,x,x,x)
		lea	eax, [ebx+0CCh]
		push	eax		; void *
		push	dword ptr [ebx+7Ch] ; int
		push	dword ptr [ebx+94h] ; int
		call	RtlSidHashInitialize
		lea	eax, [ebx+154h]
		push	eax		; void *
		mov	eax, [esp+5Ch+var_38]
		push	dword ptr [eax]	; int
		push	dword ptr [ebx+98h] ; int
		call	RtlSidHashInitialize
		lea	eax, [esp+58h]
		push	eax
		call	SeCaptureSubjectContext
		mov	eax, [esp+58h+arg_0]
		push	[esp+58h+var_1C]
		mov	[esp+5Ch+arg_28], eax
		lea	eax, [esp+5Ch]
		push	eax
		call	RtlIsSandboxedToken
		test	al, al
		jz	short loc_7EDE71
		push	[esp+58h+var_1C]
		lea	eax, [esp+5Ch+arg_20]
		push	eax
		call	RtlIsSandboxedToken
		test	al, al
		jz	short loc_7EDE71
		mov	esi, [esp+58h+arg_0]
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceSharedLite
		lea	eax, [esp+58h+var_44+3]
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	SepNewTokenAsRestrictedAsProcessToken
		mov	ecx, [esi+30h]
		mov	edi, eax
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		js	short loc_7EDE5B
		cmp	byte ptr [esp+58h+var_44+3], 0
		jnz	short loc_7EDE71

loc_7EDE5B:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+860j
		mov	ecx, ebx
		call	ObfDereferenceObject
		lea	eax, [esp+58h]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_7ED9FE
; 

loc_7EDE71:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+817j
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+82Cj ...
		lea	eax, [esp+58h]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [esp+58h+var_C]
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_7EDE95
		mov	ecx, [esp+58h+var_4]
		push	[esp+58h+var_8]	; void *
		push	dword ptr [ecx]	; int
		push	eax		; int
		call	RtlSidHashInitialize

loc_7EDE95:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+891j
		cmp	ds:_SeTokenLeakTracking, 0
		jz	short loc_7EDEF2
		cmp	_SepTokenLeakMethodWatch, 0Fh
		jnz	short loc_7EDEF2
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	eax, [eax+0E4h]
		cmp	eax, _SepTokenLeakProcessCid
		jnz	short loc_7EDEF2
		xor	ecx, ecx
		inc	ecx
		lock xadd _SepTokenLeakMethodCount, ecx
		inc	ecx
		mov	edx, [esp+58h+var_30]
		mov	eax, [edx]
		mov	[eax+94h], ecx
		mov	eax, [edx]
		mov	eax, [eax+94h]
		cmp	eax, _SepTokenLeakBreakCount
		jl	short loc_7EDEF2
		push	ebx
		push	eax
		push	offset ??_C@_0BL@PEIKBMNL@?6Token?5number?50x?$CFx?5?$DN?50x?$CFp?6@NNGAKEGL@ ;	"\nToken number	0x%x = 0x%p\n"
		call	_DbgPrint
		add	esp, 0Ch
		int	3		; Trap to Debugger

loc_7EDEF2:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+8AAj
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+8B3j ...
		mov	eax, [ebp+arg_20]
		mov	[eax], ebx
		jmp	loc_7ED9FE
; 

loc_7EDEFC:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+158j
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+177j
		mov	eax, [esp+90h+var_68]

loc_7EDF00:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+1B8j
		xor	esi, esi
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	ds:_SeTokenLeakTracking, esi
		jz	short loc_7EDF1F
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7EDF1F:				; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+924j
		mov	eax, [esp+90h+var_80]
		jmp	loc_7ED728
_SepFilterToken@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RawFileSystemControl proc near		; CODE XREF: RawDispatch+11Ap

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00910362 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		movzx	eax, byte ptr [ecx+1]
		sub	eax, 0
		jz	loc_91037B
		sub	eax, 1
		jnz	loc_910362
		call	RawMountVolume

loc_7EDF51:				; CODE XREF: RawFileSystemControl+12244Ej
					; RawFileSystemControl+12245Dj
		mov	esi, eax

loc_7EDF53:				; CODE XREF: RawFileSystemControl+122444j
		mov	dl, 1
		mov	[edi+18h], esi
		mov	ecx, edi
		call	IofCompleteRequest
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
RawFileSystemControl endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RawMountVolume	proc near		; CODE XREF: RawFileSystemControl+24p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= word ptr -24h
var_22		= dword	ptr -22h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 0091038A SIZE 00000020 BYTES

		push	58h
		push	offset dword_6A50B0
		call	__SEH_prolog4_GS
		mov	esi, ecx
		mov	[ebp+var_60], esi
		xor	edi, edi
		mov	[ebp+var_58], edi
		call	RawScanDeletedList
		mov	ebx, [esi+8]
		mov	[ebp+var_64], ebx
		mov	eax, 1000h
		cmp	[ebx+0ACh], ax
		ja	loc_91038A
		lea	eax, [ebp+var_58]
		push	eax
		push	edi
		push	edi
		push	8
		push	edi
		push	0E0h
		mov	eax, [esi+14h]
		push	dword ptr [eax+8]
		call	IoCreateDevice
		test	eax, eax
		js	loc_7EE0FC
		mov	esi, [ebp+var_58]
		mov	eax, [ebx+5Ch]
		cmp	eax, [esi+5Ch]
		jbe	short loc_7EDFCA
		mov	[esi+5Ch], eax

loc_7EDFCA:				; CODE XREF: RawMountVolume+5Dj
		mov	ax, [ebx+0ACh]
		mov	[esi+0ACh], ax
		or	dword ptr [esi+1Ch], 10h
		lea	ecx, [esi+0B8h]	; void *
		mov	edx, [ebp+var_60]
		push	dword ptr [edx+4] ; int
		mov	edx, [edx+8]	; int
		call	RawInitializeVcb
		mov	ebx, eax
		test	ebx, ebx
		js	loc_910394
		mov	eax, [esi+144h]
		mov	[eax+8], esi
		mov	eax, [esi+144h]
		or	dword ptr [eax+10h], 0FFFFFFFFh
		mov	eax, [esi+144h]
		xor	ecx, ecx
		mov	[eax+6], cx
		and	dword ptr [esi+1Ch], 0FFFFFF7Fh
		mov	eax, [ebp+var_64]
		mov	al, [eax+30h]
		inc	al
		mov	[esi+30h], al
		mov	[ebp+var_5C], edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_22], edi
		mov	[ebp+ms_exc.disabled], edi
		push	esi
		push	edi
		call	_IoCreateStreamFileObjectLite@8	; IoCreateStreamFileObjectLite(x,x)
		mov	[ebp+var_5C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7EE051:				; CODE XREF: sub_9103B8+12j
		test	ebx, ebx
		js	loc_910394
		add	dword ptr [esi+104h], 2
		add	dword ptr [esi+108h], 2
		xor	ecx, ecx
		inc	ecx
		mov	word ptr [ebp+var_54], cx
		mov	[ebp+var_40], edi
		push	36h
		pop	eax
		mov	word ptr [ebp+var_54+2], ax
		or	[ebp+var_3C], 0FFFFFFFFh
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], edi
		push	6
		pop	ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], 10h
		mov	eax, ds:??_C@_17BPAADKPP@?$AAR?$AAA?$AAW@NNGAKEGL@
		mov	[ebp+var_28], eax
		mov	ax, ds:word_8BE8C6
		mov	[ebp+var_24], ax
		lea	eax, [ebp+var_54]
		push	eax
		push	ecx
		push	[ebp+var_5C]
		call	FsRtlNotifyVolumeEventEx
		mov	ecx, [ebp+var_5C]
		call	ObfDereferenceObject
		add	dword ptr [esi+104h], 0FFFFFFFEh
		add	dword ptr [esi+108h], 0FFFFFFFEh
		mov	edi, offset _RawGlobalLock
		mov	ecx, edi
		call	ExAcquireFastMutex
		add	esi, 138h
		mov	eax, _RawMountedQueue
		mov	ecx, offset _RawMountedQueue
		cmp	[eax+4], ecx
		jnz	short loc_7EE10C
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		mov	_RawMountedQueue, esi
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_7EE0FA:				; CODE XREF: RawMountVolume+12243Dj
		mov	eax, ebx

loc_7EE0FC:				; CODE XREF: RawMountVolume+4Ej
					; RawMountVolume+122427j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7EE10C:				; CODE XREF: RawMountVolume+17Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
RawMountVolume	endp


;  S U B	R O U T	I N E 


; __stdcall RawDeleteVcb(x)
_RawDeleteVcb@4	proc near		; CODE XREF: .text:0043DFAEp
					; RawCheckForDeleteVolume(x)+5Cp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+88h]
		call	ObfDereferenceObject
		lea	eax, [esi-0B8h]
		push	eax
		call	IoDeleteDevice
		pop	esi
		retn
_RawDeleteVcb@4	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 615. FsRtlNotifyVolumeEventEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlNotifyVolumeEventEx
FsRtlNotifyVolumeEventEx proc near	; CODE XREF: RawMountVolume+141p
					; FsRtlNotifyVolumeEvent(x,x)+51p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009103CF SIZE 0000009C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		call	_IoGetRelatedTargetDevice@8 ; IoGetRelatedTargetDevice(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7EE18D
		mov	ecx, [ebp+arg_4]
		dec	ecx
		cmp	ecx, 0Dh	; switch 14 cases
		ja	loc_910459	; default
		jmp	ds:off_7EE196[ecx*4] ; switch jump

loc_7EE169:				; DATA XREF: PAGE:off_7EE196o
		mov	esi, offset _GUID_IO_VOLUME_MOUNT ; case 0x5

loc_7EE16E:				; CODE XREF: FsRtlNotifyVolumeEventEx+1222D8j
					; FsRtlNotifyVolumeEventEx+1222E2j ...
		mov	eax, [ebp+arg_8]
		push	0
		push	0
		push	eax
		lea	edi, [eax+4]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_4]
		push	esi
		call	IoReportTargetDeviceChangeAsynchronous

loc_7EE186:				; CODE XREF: FsRtlNotifyVolumeEventEx+1222CEj
		mov	ecx, esi
		call	ObfDereferenceObject

loc_7EE18D:				; CODE XREF: FsRtlNotifyVolumeEventEx+1Dj
		mov	eax, ebx

loc_7EE18F:				; CODE XREF: FsRtlNotifyVolumeEventEx+122330j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
FsRtlNotifyVolumeEventEx endp

; 
off_7EE196	dd offset loc_9103CF	; DATA XREF: FsRtlNotifyVolumeEventEx+2Cr
		dd offset loc_9103D6	; jump table for switch	statement
		dd offset loc_9103DD
		dd offset loc_9103E4
		dd offset loc_9103EB
		dd offset loc_7EE169
		dd offset loc_910409
		dd offset loc_91041D
		dd offset loc_910413
		dd offset loc_910427
		dd offset loc_910431
		dd offset loc_91043B
		dd offset loc_910445
		dd offset loc_91044F

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetRelatedTargetDevice(x,	x)
_IoGetRelatedTargetDevice@8 proc near	; CODE XREF: FsRtlNotifyVolumeEventEx+14p
					; PiPagePathSetState+8Ep ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		lea	edx, [ebp+var_4]
		call	_PnpGetRelatedTargetDevice@8 ; PnpGetRelatedTargetDevice(x,x)
		test	eax, eax
		js	short loc_7EE1F3
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_7EE1F3
		mov	ecx, [ecx+10h]
		mov	[esi], ecx

loc_7EE1F3:				; CODE XREF: IoGetRelatedTargetDevice(x,x)+17j
					; IoGetRelatedTargetDevice(x,x)+1Ej
		pop	esi
		leave
		retn
_IoGetRelatedTargetDevice@8 endp


;  S U B	R O U T	I N E 


PnpFreeInterruptInformation proc near	; CODE XREF: IoDeleteDevice+88p

; FUNCTION CHUNK AT 0091046B SIZE 00000017 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+0B0h]
		mov	eax, [eax+30h]
		test	eax, eax
		jnz	loc_91046B
		pop	esi
		retn
PnpFreeInterruptInformation endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 788. IoCreateDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoCreateDevice
IoCreateDevice	proc near		; CODE XREF: RawMountVolume+47p
					; IoCreateDeviceSecure+12Cp ...

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= word ptr -3Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 00910482 SIZE 0000009C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+8Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_10]
		mov	[esp+98h+var_60], eax
		mov	eax, [ebp+arg_18]
		mov	[esp+98h+var_68], eax
		xor	eax, eax
		mov	ebx, [ebp+arg_C]
		mov	esi, [ebp+arg_4]
		mov	edx, esi
		mov	[esp+98h+var_88], eax
		mov	[esp+98h+var_6C], eax
		mov	[esp+98h+var_78], eax
		mov	[esp+98h+var_5C], eax
		mov	[esp+98h+var_58], eax
		mov	[esp+98h+var_84], eax
		mov	[esp+98h+var_80], eax
		mov	eax, ecx
		and	eax, 80h
		mov	[esp+98h+var_7C], ecx
		mov	edi, [ebp+arg_8]
		and	edx, 7
		mov	[esp+98h+var_74], edi
		mov	[esp+98h+var_70], eax
		mov	[esp+98h+var_64], edx

loc_7EE287:				; CODE XREF: IoCreateDevice+122295j
					; IoCreateDevice+1222B3j
		test	eax, eax
		jnz	loc_7EE59D

loc_7EE28F:				; CODE XREF: IoCreateDevice+3C5j
		push	0
		lea	eax, [esp+9Ch+var_80]
		mov	edx, ecx
		push	eax
		lea	eax, [esp+0A0h+var_84]
		push	eax
		lea	eax, [esp+0A4h+var_18]
		push	eax
		push	ecx
		mov	ecx, ebx
		call	IopCreateDefaultDeviceSecurityDescriptor
		mov	ecx, ebx
		mov	edx, eax
		sub	ecx, 3
		jz	loc_7EE615
		sub	ecx, 4
		jz	short loc_7EE2C8
		sub	ecx, 1
		jnz	loc_7EE550

loc_7EE2C8:				; CODE XREF: IoCreateDevice+A9j
					; IoCreateDevice+345j
		mov	[esp+98h+var_78], 200h

loc_7EE2D0:				; CODE XREF: IoCreateDevice+33Fj
					; IoCreateDevice+409j
		and	[esp+98h+var_50], 0
		mov	eax, _IopCaseInsensitive
		neg	eax
		mov	[esp+98h+var_54], 18h
		mov	[esp+98h+var_4C], edi
		sbb	eax, eax
		mov	[esp+98h+var_44], edx
		and	[esp+98h+var_40], 0
		and	eax, 40h
		add	eax, 200h
		cmp	[ebp+arg_14], 0
		mov	[esp+98h+var_48], eax
		jnz	loc_7EE5FC

loc_7EE309:				; CODE XREF: IoCreateDevice+3EFj
		test	edi, edi
		jnz	loc_7EE56B

loc_7EE311:				; CODE XREF: IoCreateDevice+35Ej
		mov	edi, [esp+98h+var_64]
		test	edi, edi
		jnz	loc_7EE591

loc_7EE31D:				; CODE XREF: IoCreateDevice+384j
		add	edi, esi
		lea	eax, [edi+0F4h]
		cmp	eax, 0F4h
		jb	loc_910500
		mov	edx, ds:_IoDeviceObjectType
		lea	ecx, [esp+98h+var_88]
		push	0
		push	ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	ecx
		push	ecx
		lea	eax, [esp+0B4h+var_54]
		xor	cl, cl
		push	eax
		call	ObCreateObjectEx
		mov	esi, eax
		test	esi, esi
		js	loc_910505
		lea	eax, [edi+0F4h]
		push	eax		; size_t
		push	0		; int
		push	[esp+0A0h+var_88] ; void *
		call	_memset
		mov	eax, [esp+0A4h+var_88]
		add	esp, 0Ch
		mov	edx, [ebp+arg_4]
		lea	ecx, [eax+0B8h]
		add	ecx, edi
		xor	edi, edi
		push	0Dh
		mov	[ecx+4], eax
		mov	eax, [esp+9Ch+var_88]
		mov	[eax+0B0h], ecx
		mov	[ecx+30h], edi
		mov	[ecx+8], edi
		mov	[ecx+0Ch], edi
		pop	eax
		mov	[ecx], ax
		xor	eax, eax
		mov	[ecx+2], ax
		lea	ecx, [edx+0B8h]
		mov	eax, [esp+98h+var_88]
		push	3
		pop	esi
		mov	[eax], si
		mov	eax, [esp+98h+var_88]
		mov	[eax+2], cx
		mov	eax, [esp+98h+var_88]
		mov	ecx, [esp+98h+var_7C]
		mov	[eax+2Ch], ebx
		mov	eax, [esp+98h+var_88]
		mov	[eax+20h], ecx
		cmp	ebx, 7
		jz	loc_7EE622
		cmp	ebx, 1Fh
		jz	loc_7EE622
		cmp	ebx, 2
		jz	loc_7EE622
		cmp	ebx, 24h
		jz	loc_7EE622

loc_7EE3F0:				; CODE XREF: IoCreateDevice+43Aj
		cmp	[ebp+arg_14], 0
		mov	eax, [esp+98h+var_88]
		mov	ecx, [esp+98h+var_78]
		mov	[eax+5Ch], edi
		mov	eax, [esp+98h+var_88]
		mov	[eax+0ACh], cx
		mov	eax, [esp+98h+var_88]
		mov	dword ptr [eax+1Ch], 80h
		jnz	loc_7EE608

loc_7EE41B:				; CODE XREF: IoCreateDevice+3FCj
		mov	edi, [esp+98h+var_74]
		test	edi, edi
		jnz	loc_7EE577

loc_7EE427:				; CODE XREF: IoCreateDevice+36Bj
		test	edx, edx
		jz	loc_7EE584
		mov	ecx, [esp+98h+var_88]
		lea	eax, [ecx+0B8h]
		mov	[ecx+28h], eax

loc_7EE43C:				; CODE XREF: IoCreateDevice+378j
		mov	eax, [esp+98h+var_88]
		mov	byte ptr [eax+30h], 1
		cmp	ebx, esi
		jz	short loc_7EE45A
		cmp	ebx, 7
		jbe	loc_7EE53E
		cmp	ebx, 9
		ja	loc_7EE52C

loc_7EE45A:				; CODE XREF: IoCreateDevice+232j
					; IoCreateDevice+31Bj ...
		mov	eax, [esp+98h+var_88]
		add	eax, 34h
		mov	[eax+4], eax
		mov	[eax], eax

loc_7EE466:				; CODE XREF: IoCreateDevice+337j
		mov	ecx, [esp+98h+var_88]
		mov	eax, [ecx+20h]
		test	al, 1
		jnz	short loc_7EE489
		test	eax, 40000h
		jnz	short loc_7EE489
		mov	eax, [ecx+0B0h]
		or	dword ptr [eax+10h], 800h
		mov	ecx, [esp+98h+var_88]

loc_7EE489:				; CODE XREF: IoCreateDevice+25Bj
					; IoCreateDevice+262j
		lea	eax, [esp+98h+var_6C]
		xor	edx, edx
		push	eax
		lea	eax, [esp+9Ch+var_88]
		push	eax
		push	0
		push	1
		push	esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7EE5DE
		mov	ebx, [esp+98h+var_60]
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [esp+98h+var_88]
		mov	ecx, ebx
		push	1
		mov	[eax+8], ebx
		mov	edx, [esp+9Ch+var_88]
		call	IopInsertRemoveDevice
		mov	ecx, [esp+98h+var_88]
		cmp	dword ptr [ecx+24h], 0
		jnz	loc_7EE653

loc_7EE4D6:				; CODE XREF: IoCreateDevice+444j
		push	0
		push	[esp+9Ch+var_6C]
		call	ObCloseHandle

loc_7EE4E1:				; CODE XREF: IoCreateDevice+3E3j
					; IoCreateDevice+1222F5j
		cmp	[esp+98h+var_84], 0
		jnz	loc_91050E

loc_7EE4EC:				; CODE XREF: IoCreateDevice+122305j
		cmp	[esp+98h+var_80], 0
		jnz	short loc_7EE55E

loc_7EE4F3:				; CODE XREF: IoCreateDevice+355j
		test	esi, esi
		js	short loc_7EE509
		mov	eax, [esp+98h+var_88]
		mov	cl, 1
		push	edi
		mov	edx, [eax+8]
		add	edx, 1Ch
		call	EtwTiLogDeviceObjectLoadUnload

loc_7EE509:				; CODE XREF: IoCreateDevice+2E1j
		mov	ecx, [esp+98h+var_68]
		mov	eax, [esp+98h+var_88]
		mov	[ecx], eax

loc_7EE513:				; CODE XREF: IoCreateDevice+1222E7j
		mov	ecx, [esp+98h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_7EE52C:				; CODE XREF: IoCreateDevice+240j
		cmp	ebx, 14h
		jz	loc_7EE45A
		cmp	ebx, 20h
		jz	loc_7EE45A

loc_7EE53E:				; CODE XREF: IoCreateDevice+237j
		mov	eax, [esp+98h+var_88]
		add	eax, 60h
		push	eax
		call	_KeInitializeDeviceQueue@4 ; KeInitializeDeviceQueue(x)
		jmp	loc_7EE466
; 

loc_7EE550:				; CODE XREF: IoCreateDevice+AEj
		sub	ecx, 1Ch
		jnz	loc_7EE2D0
		jmp	loc_7EE2C8
; 

loc_7EE55E:				; CODE XREF: IoCreateDevice+2DDj
		push	0
		push	[esp+9Ch+var_80]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7EE4F3
; 

loc_7EE56B:				; CODE XREF: IoCreateDevice+F7j
		or	eax, 10h
		mov	[esp+98h+var_48], eax
		jmp	loc_7EE311
; 

loc_7EE577:				; CODE XREF: IoCreateDevice+20Dj
		mov	eax, [esp+98h+var_88]
		or	dword ptr [eax+1Ch], 40h
		jmp	loc_7EE427
; 

loc_7EE584:				; CODE XREF: IoCreateDevice+215j
		mov	eax, [esp+98h+var_88]
		and	dword ptr [eax+28h], 0
		jmp	loc_7EE43C
; 

loc_7EE591:				; CODE XREF: IoCreateDevice+103j
		push	8
		pop	eax
		sub	eax, edi
		mov	edi, eax
		jmp	loc_7EE31D
; 

loc_7EE59D:				; CODE XREF: IoCreateDevice+75j
		xor	eax, eax
		inc	eax
		lock xadd _IopUniqueDeviceObjectNumber,	eax
		inc	eax
		push	eax		; char
		push	offset ??_C@_1BM@LOIAIOCF@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AA?$CF?$AA0?$AA8?$AAl?$AAx@NNGAKEGL@ ; wchar_t *
		lea	eax, [esp+0A0h+var_3C]
		push	11h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		lea	eax, [esp+98h+var_3C]
		push	eax
		lea	eax, [esp+9Ch+var_5C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [esp+98h+var_7C]
		lea	edi, [esp+98h+var_5C]
		mov	[esp+98h+var_74], edi
		jmp	loc_7EE28F
; 

loc_7EE5DE:				; CODE XREF: IoCreateDevice+28Fj
		cmp	esi, 0C0000035h
		jnz	short loc_7EE5F2
		mov	ecx, [esp+98h+var_7C]
		test	cl, cl
		js	loc_910482

loc_7EE5F2:				; CODE XREF: IoCreateDevice+3D0j
		and	[esp+98h+var_88], 0
		jmp	loc_7EE4E1
; 

loc_7EE5FC:				; CODE XREF: IoCreateDevice+EFj
		or	eax, 20h
		mov	[esp+98h+var_48], eax
		jmp	loc_7EE309
; 

loc_7EE608:				; CODE XREF: IoCreateDevice+201j
		mov	eax, [esp+98h+var_88]
		or	dword ptr [eax+1Ch], 8
		jmp	loc_7EE41B
; 

loc_7EE615:				; CODE XREF: IoCreateDevice+A0j
		mov	[esp+98h+var_78], 800h
		jmp	loc_7EE2D0
; 

loc_7EE622:				; CODE XREF: IoCreateDevice+1BBj
					; IoCreateDevice+1C4j ...
		mov	ecx, [esp+98h+var_88]
		call	_IopCreateVpb@4	; IopCreateVpb(x)
		mov	esi, eax
		test	esi, esi
		js	loc_9104CC
		mov	eax, [esp+98h+var_88]
		push	1
		push	1
		add	eax, 9Ch
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edx, [ebp+arg_4]
		push	3
		pop	esi
		jmp	loc_7EE3F0
; 

loc_7EE653:				; CODE XREF: IoCreateDevice+2BCj
		call	_PoVolumeDevice@4 ; PoVolumeDevice(x)
		jmp	loc_7EE4D6
IoCreateDevice	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCreateDefaultDeviceSecurityDescriptor proc near ; CODE XREF:	IoCreateDevice+94p
					; PipChangeDeviceObjectFromRegistryProperties+297p

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0091051E SIZE 000000F0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		test	ebx, ebx
		jnz	loc_7EE6F7

loc_7EE677:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+9Bj
		mov	eax, [ebp+arg_8]
		push	2
		mov	[eax], edi
		pop	eax
		cmp	esi, 14h
		ja	short loc_7EE6BE
		jz	short loc_7EE6E0
		cmp	esi, eax
		jz	loc_91051E
		cmp	esi, 3
		jz	short loc_7EE69F
		cmp	esi, 7
		jz	short loc_7EE6E0
		jbe	short loc_7EE6D2
		cmp	esi, 9
		ja	short loc_7EE6DB

loc_7EE69F:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+33j
					; IopCreateDefaultDeviceSecurityDescriptor+68j	...
		push	ebx
		push	[ebp+arg_C]
		mov	edx, eax

loc_7EE6A5:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+7Bj
		mov	esi, [ebp+arg_4]
		mov	ecx, esi
		call	IopCreateSecurityDescriptorPerType
		mov	edi, eax

loc_7EE6B1:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+121FABj
		test	edi, edi
		js	short loc_7EE6FE
		mov	eax, esi

loc_7EE6B7:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+A2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7EE6BE:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+24j
		cmp	esi, 2Dh
		jz	short loc_7EE6E0
		cmp	esi, 20h
		jz	short loc_7EE69F
		cmp	esi, 24h
		jz	short loc_7EE6E0
		cmp	esi, 35h

loc_7EE6D0:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+80j
		jz	short loc_7EE6E0

loc_7EE6D2:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+3Aj
		push	ebx
		push	[ebp+arg_C]
		push	4
		pop	edx
		jmp	short loc_7EE6A5
; 

loc_7EE6DB:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+3Fj
		cmp	esi, 12h
		jmp	short loc_7EE6D0
; 

loc_7EE6E0:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+26j
					; IopCreateDefaultDeviceSecurityDescriptor+38j	...
		cmp	esi, eax
		jz	loc_91051E
		cmp	esi, 7
		jnz	short loc_7EE69F
		test	dl, 1
		jz	short loc_7EE69F
		jmp	loc_91051E
; 

loc_7EE6F7:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+13j
		mov	[ebx], edi
		jmp	loc_7EE677
; 

loc_7EE6FE:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+55j
					; IopCreateDefaultDeviceSecurityDescriptor+121EDFj ...
		xor	eax, eax
		jmp	short loc_7EE6B7
IopCreateDefaultDeviceSecurityDescriptor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCreateSecurityDescriptorPerType proc	near
					; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+4Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0091060E SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	eax, ecx
		xor	bl, bl
		mov	[ebp+var_4], eax
		push	esi
		sub	edx, 1
		jz	loc_910633
		sub	edx, 1
		jnz	short loc_7EE753
		mov	esi, ds:_SePublicDefaultUnrestrictedDacl

loc_7EE726:				; CODE XREF: IopCreateSecurityDescriptorPerType+6Bj
					; IopCreateSecurityDescriptorPerType+121F21j ...
		push	edi
		push	1
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		cmp	bl, 1
		jz	short loc_7EE76F

loc_7EE734:				; CODE XREF: IopCreateSecurityDescriptorPerType+C6j
		push	0
		push	esi
		push	1
		push	[ebp+var_4]
		call	RtlSetDaclSecurityDescriptor
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jnz	loc_7EE7CD

loc_7EE74C:				; CODE XREF: IopCreateSecurityDescriptorPerType+D4j
					; IopCreateSecurityDescriptorPerType+DFj ...
		pop	edi

loc_7EE74D:				; CODE XREF: IopCreateSecurityDescriptorPerType+121F16j
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7EE753:				; CODE XREF: IopCreateSecurityDescriptorPerType+1Cj
		sub	edx, 1
		jz	loc_910628
		sub	edx, 1
		jnz	loc_91060E
		mov	esi, ds:_SePublicOpenUnrestrictedDacl

loc_7EE76B:				; CODE XREF: IopCreateSecurityDescriptorPerType+121F2Cj
		mov	bl, 1
		jmp	short loc_7EE726
; 

loc_7EE76F:				; CODE XREF: IopCreateSecurityDescriptorPerType+30j
		mov	eax, _SeLowMandatorySid
		push	65536F49h
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:18h[eax*4]
		push	eax
		push	1
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_91063E
		push	2		; int
		push	[ebp+var_8]	; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	1
		push	ecx
		push	_SeLowMandatorySid
		mov	ecx, edi
		push	0
		call	RtlAddMandatoryAce
		push	0
		push	edi
		push	1
		push	[ebp+var_4]
		call	_RtlSetSaclSecurityDescriptor@16 ; RtlSetSaclSecurityDescriptor(x,x,x,x)
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		jmp	loc_7EE734
; 

loc_7EE7CD:				; CODE XREF: IopCreateSecurityDescriptorPerType+44j
		mov	ecx, [edx]
		or	ecx, 4
		mov	[edx], ecx
		test	bl, bl
		jz	loc_7EE74C
		or	ecx, 10h
		mov	[edx], ecx
		jmp	loc_7EE74C
IopCreateSecurityDescriptorPerType endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTiLogDeviceObjectLoadUnload proc near ; CODE	XREF: IoDeleteDevice+2Ep
					; IoCreateDevice+2F0p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00910648 SIZE 00000106 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, offset _THREATINT_DEVICE_OBJECT_LOAD
		push	edi
		mov	edi, edx
		test	cl, cl
		jz	short loc_7EE835

loc_7EE806:				; CODE XREF: EtwTiLogDeviceObjectLoadUnload+54j
		mov	ebx, dword_6BC124
		mov	eax, _EtwThreatIntProvRegHandle
		push	esi
		push	ebx
		push	eax
		mov	[ebp+var_54], eax
		call	EtwEventEnabled
		test	al, al
		jnz	loc_910648

loc_7EE824:				; CODE XREF: EtwTiLogDeviceObjectLoadUnload+121E76j
					; EtwTiLogDeviceObjectLoadUnload+121F63j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_7EE835:				; CODE XREF: EtwTiLogDeviceObjectLoadUnload+1Ej
		mov	esi, offset _THREATINT_DEVICE_OBJECT_UNLOAD
		jmp	short loc_7EE806
EtwTiLogDeviceObjectLoadUnload endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RawInitializeVcb(void *,int,int)
RawInitializeVcb proc near		; CODE XREF: RawMountVolume+83p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0091074E SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, 0E0h
		mov	edi, ecx
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		mov	esi, edx
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	ebx, 200h
		mov	dword ptr [edi], 0E00600h
		mov	[edi+88h], esi
		mov	[edi+8Ch], eax
		push	20776152h
		push	58h
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	20776152h
		mov	esi, eax
		push	ebx
		mov	[edi+90h], esi
		call	ExAllocateCacheAwareRundownProtection
		neg	esi
		mov	[edi+9Ch], eax
		mov	ecx, 0C000009Ah
		sbb	esi, esi
		and	esi, 3FFFFF66h
		add	esi, ecx
		test	eax, eax
		jz	loc_91074E

loc_7EE8B2:				; CODE XREF: RawInitializeVcb+121F14j
		xor	ecx, ecx
		xor	eax, eax
		inc	eax
		mov	[edi+0A4h], ecx
		push	ecx
		push	eax
		mov	[edi+0A0h], eax
		lea	eax, [edi+0ACh]
		push	eax
		mov	[edi+0A8h], ecx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	ecx, ecx
		lea	ebx, [edi+0C0h]
		xor	eax, eax
		mov	[ebx+4], ecx
		inc	eax
		mov	[ebx+8], ecx
		push	ecx
		push	eax
		mov	[ebx], eax
		lea	eax, [ebx+0Ch]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	al, [edi+7]
		or	byte ptr [edi+4], 40h
		and	al, 0Fh
		or	byte ptr [edi+6], 2
		or	al, 30h
		mov	[edi+7], al
		lea	eax, [edi+2Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		test	ebx, ebx
		jz	short loc_7EE916
		mov	[edi+28h], ebx

loc_7EE916:				; CODE XREF: RawInitializeVcb+D5j
		xor	eax, eax
		mov	[edi+34h], eax
		mov	[edi+38h], eax
		mov	[edi+3Ch], eax
		mov	[edi+40h], eax
		mov	eax, esi
		or	dword ptr [edi+48h], 10h
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
RawInitializeVcb endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 319. ExAllocateCacheAwareRundownProtection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExAllocateCacheAwareRundownProtection
ExAllocateCacheAwareRundownProtection proc near	; CODE XREF: MmCreatePartition(x,x)+141p
					; RawInitializeVcb+52p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00910755 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_4]
		push	10h
		push	[ebp+arg_0]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_7EE9EC
		mov	ebx, ds:_KeNumberProcessors
		mov	[esi+0Ch], ebx
		cmp	ebx, 1
		jbe	loc_910755
		call	_KeGetRecommendedSharedDataAlignment@0 ; KeGetRecommendedSharedDataAlignment()
		mov	edi, eax

loc_7EE96E:				; CODE XREF: ExAllocateCacheAwareRundownProtection+121E22j
		push	[ebp+arg_4]
		imul	ebx, edi
		mov	[esi+8], edi
		push	ebx
		push	[ebp+arg_0]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		xor	ebx, ebx
		test	ecx, ecx
		jz	loc_91075D
		mov	edx, [esi+0Ch]
		cmp	edx, 1
		jbe	short loc_7EE9F5
		lea	eax, [edi-1]
		test	eax, ecx
		jz	short loc_7EE9F5
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+0Ch]
		push	[ebp+arg_4]
		inc	eax
		imul	eax, edi
		push	eax
		push	[ebp+arg_0]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_91075D
		mov	edx, [esi+0Ch]
		lea	eax, [ecx-1]
		add	eax, edi
		neg	edi
		and	eax, edi

loc_7EE9CB:				; CODE XREF: ExAllocateCacheAwareRundownProtection+C1j
		mov	[esi+4], ecx
		mov	ecx, ebx
		mov	[esi], eax
		test	edx, edx
		jz	short loc_7EE9EC

loc_7EE9D6:				; CODE XREF: ExAllocateCacheAwareRundownProtection+B4j
		xor	edx, edx
		mov	eax, ecx
		div	dword ptr [esi+0Ch]
		mov	eax, [esi]
		imul	edx, [esi+8]
		inc	ecx
		mov	[edx+eax], ebx
		cmp	ecx, [esi+0Ch]
		jb	short loc_7EE9D6

loc_7EE9EC:				; CODE XREF: ExAllocateCacheAwareRundownProtection+19j
					; ExAllocateCacheAwareRundownProtection+9Ej
		mov	eax, esi

loc_7EE9EE:				; CODE XREF: ExAllocateCacheAwareRundownProtection+121E30j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7EE9F5:				; CODE XREF: ExAllocateCacheAwareRundownProtection+5Cj
					; ExAllocateCacheAwareRundownProtection+63j
		mov	eax, ecx
		jmp	short loc_7EE9CB
ExAllocateCacheAwareRundownProtection endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 381. ExInitializeRundownProtectionCacheAware

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInitializeRundownProtectionCacheAware(x, x)
		public _ExInitializeRundownProtectionCacheAware@8
_ExInitializeRundownProtectionCacheAware@8 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		add	eax, 0FFFFFFF0h
		push	edi
		push	4
		pop	edi
		mov	[ebp+arg_0], eax
		lea	ebx, [esi+10h]
		cmp	eax, edi
		jz	short loc_7EEA67
		call	_KeGetRecommendedSharedDataAlignment@0 ; KeGetRecommendedSharedDataAlignment()
		mov	edi, eax
		xor	edx, edx
		mov	eax, [ebp+arg_0]
		dec	ebx
		div	edi
		mov	ecx, edi
		add	ebx, edi
		neg	ecx
		dec	eax
		and	ebx, ecx

loc_7EEA34:				; CODE XREF: ExInitializeRundownProtectionCacheAware(x,x)+6Cj
		xor	ecx, ecx
		mov	[esi], ebx
		mov	[esi+8], edi
		mov	[esi+0Ch], eax
		mov	dword ptr [esi+4], 0BADCA11h
		test	eax, eax
		jz	short loc_7EEA60

loc_7EEA49:				; CODE XREF: ExInitializeRundownProtectionCacheAware(x,x)+60j
		xor	edx, edx
		mov	eax, ecx
		div	dword ptr [esi+0Ch]
		mov	eax, [esi]
		imul	edx, [esi+8]
		and	dword ptr [edx+eax], 0
		inc	ecx
		cmp	ecx, [esi+0Ch]
		jb	short loc_7EEA49

loc_7EEA60:				; CODE XREF: ExInitializeRundownProtectionCacheAware(x,x)+49j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7EEA67:				; CODE XREF: ExInitializeRundownProtectionCacheAware(x,x)+1Cj
		xor	eax, eax
		inc	eax
		jmp	short loc_7EEA34
_ExInitializeRundownProtectionCacheAware@8 endp


;  S U B	R O U T	I N E 


RawScanDeletedList proc	near		; CODE XREF: RawMountVolume+16p
					; RawShutdown(x,x)+5p

; FUNCTION CHUNK AT 0091076B SIZE 00000053 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, offset _RawDismountedQueue
		cmp	_RawDismountedQueue, ebx
		jnz	loc_91076B
		pop	ebx
		retn
RawScanDeletedList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUEventInitClientRegistrationContext proc near	; CODE XREF: PiUEventHandleRegistration+3Fp

var_7C		= dword	ptr -7Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_34		= dword	ptr -34h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009107BE SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_64], offset ??_C@_1CK@FJCLHILF@?$AAl?$AAp?$AAa?$AAc?$AAP?$AAn?$AAp?$AAN?$AAo?$AAt?$AAi?$AAf?$AAi?$AAc?$AAa@NNGAKEGL@ ;	"lpacPnpNotifications"
		lea	edi, [ebp+var_7C]
		xor	esi, esi
		stosd
		push	28h
		stosd
		stosd
		stosd
		stosd
		pop	eax
		push	2Ah
		mov	word ptr [ebp+var_68], ax
		pop	eax
		push	59706E50h
		push	58h
		push	1
		mov	word ptr [ebp+var_68+2], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_7EEC9A
		push	ebx
		push	58h		; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		push	59706E50h
		push	20h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+8], eax
		test	eax, eax
		jz	loc_9107BE
		mov	ecx, eax
		call	@KeInitializeGuardedMutex@4 ; KeInitializeGuardedMutex(x)
		lea	eax, [edi+40h]
		mov	dword ptr [edi+4Ch], 4
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+38h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_60]
		mov	byte ptr [edi+54h], 1
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_9107BE
		push	1
		lea	eax, [ebp+var_7C]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		js	loc_9107BE
		mov	ebx, _SeLocalSystemSid
		lea	eax, [ebp+var_7C]
		push	1
		push	ebx
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		test	eax, eax
		js	loc_9107BE
		push	_SeLowMandatorySid
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeAllAppPackagesSid
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeWorldSid
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	ebx
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	esi, eax
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	59706E50h
		lea	ebx, [eax+30h]
		add	ebx, esi
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9107BE
		push	2		; int
		push	ebx		; size_t
		push	esi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		test	eax, eax
		js	loc_9107BE
		push	0
		push	_SeLocalSystemSid
		mov	ecx, esi
		push	10000000h
		push	2
		pop	ebx
		push	ebx
		mov	edx, ebx
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_9107BE
		push	0
		push	_SeWorldSid
		mov	edx, ebx
		mov	ecx, esi
		push	1
		push	ebx
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_9107BE
		push	0
		push	_SeAllAppPackagesSid
		mov	edx, ebx
		mov	ecx, esi
		push	1
		push	ebx
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_9107BE
		push	0
		push	_SeLowMandatorySid
		mov	edx, ebx
		mov	ecx, esi
		push	1
		push	ebx
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_9107BE
		push	0
		lea	eax, [ebp+var_34]
		mov	edx, ebx
		push	eax
		push	1
		push	ebx
		mov	ecx, esi
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_9107BE
		push	0
		push	esi
		push	1
		lea	eax, [ebp+var_7C]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		test	eax, eax
		js	loc_9107BE
		lea	eax, [ebp+var_7C]
		push	eax
		push	4
		push	0
		push	0
		push	4
		push	3
		lea	eax, [edi+30h]
		push	eax
		call	_ZwCreateWnfStateName@28 ; ZwCreateWnfStateName(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_9107BE

loc_7EEC8A:				; CODE XREF: PiUEventInitClientRegistrationContext+121D5Bj
		pop	ebx
		test	esi, esi
		jz	short loc_7EEC9A
		push	59706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7EEC9A:				; CODE XREF: PiUEventInitClientRegistrationContext+47j
					; PiUEventInitClientRegistrationContext+20Bj
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PiUEventInitClientRegistrationContext endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUEventHandleRegistration proc	near	; CODE XREF: PiUEventHandleIoctl+4Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009107E2 SIZE 000000BE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_8], ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], edi
		mov	ebx, eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_1], al
		test	edi, edi
		jz	loc_910894
		cmp	[ebp+arg_0], 3A8h
		jnz	loc_910894
		cmp	[ebp+arg_4], 8
		jnz	loc_910894
		call	PiUEventInitClientRegistrationContext
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9107E2
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		mov	[ebx+1Ch], eax
		lea	eax, [ebx+20h]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		lea	eax, [ebp+arg_0]
		mov	edx, 104h
		push	eax
		mov	ecx, edi
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		js	loc_9107EC
		cmp	dword ptr [edi+208h], 1A0h
		jnz	loc_9107EC
		mov	esi, [edi+210h]
		cmp	esi, 4
		jge	loc_9107EC
		mov	eax, [edi+20Ch]
		test	eax, 0FFFFFFFCh
		jnz	loc_9107EC
		test	al, 1
		jnz	loc_7EEEF1

loc_7EED6F:				; CODE XREF: PiUEventHandleRegistration+249j
		test	al, 2
		jnz	loc_7EEF06

loc_7EED77:				; CODE XREF: PiUEventHandleRegistration+25Fj
					; PiUEventHandleRegistration+121B66j
		lea	ecx, [edi+218h]
		cmp	esi, 1
		jz	loc_7EEED9

loc_7EED86:				; CODE XREF: PiUEventHandleRegistration+23Cj
		cmp	esi, 2
		jz	loc_7EEF14
		cmp	esi, 3
		jz	loc_7EEF14

loc_7EED98:				; CODE XREF: PiUEventHandleRegistration+289j
		mov	[ebx+4Ch], esi
		mov	eax, [edi+210h]
		sub	eax, 0
		jnz	loc_7EEE57
		test	byte ptr [edi+20Ch], 1
		jnz	short loc_7EEDBF
		mov	esi, ecx
		lea	edi, [ebx+0Ch]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_14]

loc_7EEDBF:				; CODE XREF: PiUEventHandleRegistration+107j
					; PiUEventHandleRegistration+29Ej
		mov	esi, [ebp+arg_0]

loc_7EEDC2:				; CODE XREF: PiUEventHandleRegistration+1F2j
					; PiUEventHandleRegistration+121B89j
		mov	eax, [ebx+30h]
		mov	ecx, offset _PiUEventClientRegistrationListLock
		mov	[edi], eax
		mov	eax, [ebx+34h]
		mov	[edi+4], eax
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax+4], 8
		call	ExAcquireFastMutex
		mov	eax, [edi+210h]
		sub	eax, 0
		jnz	loc_7EEEA1
		test	byte ptr [edi+20Ch], 1
		jnz	loc_7EEEFE
		lea	ecx, [edi+218h]
		call	_PiUEventHashGuidIntoBucket@4 ;	PiUEventHashGuidIntoBucket(x)

loc_7EEE08:				; CODE XREF: PiUEventHandleRegistration+257j
		lea	eax, _PiUEventDevInterfaceClientList[eax*8]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_7EEF8C
		inc	_PiUEventDevInterfaceClientCount
		mov	[ebx], eax
		mov	[ebx+4], edx
		mov	[edx], ebx

loc_7EEE27:				; CODE XREF: PiUEventHandleRegistration+22Aj
					; PiUEventHandleRegistration+2DDj ...
		mov	[ebp+var_1], 1
		mov	[eax+4], ebx

loc_7EEE2E:				; CODE XREF: PiUEventHandleRegistration+121B98j
		mov	ecx, offset _PiUEventClientRegistrationListLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	esi, esi
		js	loc_9107F1
		mov	edi, [ebp+var_8]
		mov	[edi+10h], ebx

loc_7EEE46:				; CODE XREF: PiUEventHandleRegistration+121BF1j
		test	esi, esi
		js	loc_9107F4

loc_7EEE4E:				; CODE XREF: PiUEventHandleRegistration+121B5Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7EEE57:				; CODE XREF: PiUEventHandleRegistration+FAj
		sub	eax, 1
		jnz	loc_7EEF38
		mov	ecx, [ecx]
		lea	eax, [ebp+var_10]
		push	eax
		lea	edx, [ebp+var_C]
		call	_PiUEventGetDeviceInstanceIdFromUserHandle@12 ;	PiUEventGetDeviceInstanceIdFromUserHandle(x,x,x)
		test	eax, eax
		js	loc_9107EC
		mov	edx, [ebp+var_C]
		lea	eax, [ebx+0Ch]
		xor	ecx, ecx
		push	eax
		inc	ecx
		mov	edx, [edx+4]
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9107F1
		mov	eax, [ebp+var_10]
		mov	[ebx+10h], eax
		mov	byte ptr [ebx+14h], 0
		jmp	loc_7EEDC2
; 

loc_7EEEA1:				; CODE XREF: PiUEventHandleRegistration+140j
		sub	eax, 1
		jnz	loc_7EEF53
		mov	ecx, [ebx+0Ch]
		mov	ecx, [ecx+0Ch]
		call	_PiUEventHashStringIntoBucket@4	; PiUEventHashStringIntoBucket(x)
		lea	eax, _PiUEventDevHandleClientList[eax*8]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_7EEF8C
		inc	_PiUEventDevHandleClientCount
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		jmp	loc_7EEE27
; 

loc_7EEED9:				; CODE XREF: PiUEventHandleRegistration+D6j
		mov	eax, [ecx]
		test	eax, eax
		jz	loc_9107EC
		cmp	eax, 0FFFFFFFFh
		jnz	loc_7EED86
		jmp	loc_9107EC
; 

loc_7EEEF1:				; CODE XREF: PiUEventHandleRegistration+BFj
		test	esi, esi
		jz	loc_7EED6F
		jmp	loc_9107EC
; 

loc_7EEEFE:				; CODE XREF: PiUEventHandleRegistration+14Dj
		push	0Dh
		pop	eax
		jmp	loc_7EEE08
; 

loc_7EEF06:				; CODE XREF: PiUEventHandleRegistration+C7j
		cmp	esi, 2
		jz	loc_7EED77
		jmp	loc_91080B
; 

loc_7EEF14:				; CODE XREF: PiUEventHandleRegistration+DFj
					; PiUEventHandleRegistration+E8j
		lea	eax, [ebp+arg_0]
		mov	edx, 0C8h
		push	eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		js	loc_9107EC
		lea	ecx, [edi+218h]
		jmp	loc_7EED98
; 

loc_7EEF38:				; CODE XREF: PiUEventHandleRegistration+1B0j
		sub	eax, 1
		jnz	loc_910815

loc_7EEF41:				; CODE XREF: PiUEventHandleRegistration+121B70j
		test	byte ptr [edi+20Ch], 2
		jnz	loc_7EEDBF
		jmp	loc_91081F
; 

loc_7EEF53:				; CODE XREF: PiUEventHandleRegistration+1FAj
		sub	eax, 1
		jnz	loc_910838
		test	byte ptr [edi+20Ch], 2
		jz	loc_910884
		push	0Dh
		pop	eax

loc_7EEF6C:				; CODE XREF: PiUEventHandleRegistration+121BE5j
		lea	eax, _PiUEventDevInstanceClientList[eax*8]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_7EEF8C
		inc	_PiUEventDevInstanceClientCount
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		jmp	loc_7EEE27
; 

loc_7EEF8C:				; CODE XREF: PiUEventHandleRegistration+16Aj
					; PiUEventHandleRegistration+217j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PiUEventHandleRegistration endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpBuildNotificationPacket proc near	; CODE XREF: EtwpCalculateUpdateNotification+12Cp
					; EtwpEnableGuid+397p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009108A0 SIZE 000000A4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		mov	eax, ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_10], eax
		mov	dl, byte ptr [ebp+arg_0]
		call	EtwpGetSchematizedFilterSize
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	loc_9108D1
		test	esi, esi
		jz	loc_9108A0
		push	[ebp+arg_4]
		mov	ecx, [esi+4]
		mov	edx, esi
		call	_EtwpAllocDataBlock@12 ; EtwpAllocDataBlock(x,x,x)
		mov	ebx, eax

loc_7EEFD1:				; CODE XREF: EtwpBuildNotificationPacket+121922j
					; EtwpBuildNotificationPacket+12193Aj ...
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
EtwpBuildNotificationPacket endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAllocDataBlock(x, x, x)
_EtwpAllocDataBlock@12 proc near	; CODE XREF: EtwpClearSessionAndUnreferenceEntry+1EEp
					; EtwpBuildNotificationPacket+38p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		mov	ecx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], eax
		mov	[ecx], esi
		test	eax, eax
		jz	short loc_7EEFF9
		cmp	[eax+4], ebx
		jnz	short loc_7EF03D

loc_7EEFF9:				; CODE XREF: EtwpAllocDataBlock(x,x,x)+18j
		push	edi
		push	44777445h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_7EF044
		mov	eax, [ebp+var_4]
		push	ebx		; size_t
		test	eax, eax
		jz	short loc_7EF034
		push	eax		; void *
		push	edi		; void *
		call	_memcpy

loc_7EF01C:				; CODE XREF: EtwpAllocDataBlock(x,x,x)+61j
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	dword ptr [edi+8], 1
		mov	[eax], edi

loc_7EF02B:				; CODE XREF: EtwpAllocDataBlock(x,x,x)+6Fj
		pop	edi

loc_7EF02C:				; CODE XREF: EtwpAllocDataBlock(x,x,x)+68j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4		; size_t
; 

loc_7EF034:				; CODE XREF: EtwpAllocDataBlock(x,x,x)+39j
		push	esi		; int
		push	edi		; void *
		call	_memset
		jmp	short loc_7EF01C
; 

loc_7EF03D:				; CODE XREF: EtwpAllocDataBlock(x,x,x)+1Dj
		mov	esi, 0C0000004h
		jmp	short loc_7EF02C
; 

loc_7EF044:				; CODE XREF: EtwpAllocDataBlock(x,x,x)+31j
		mov	esi, 0C0000017h
		jmp	short loc_7EF02B
_EtwpAllocDataBlock@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpNotifyGuid(x, x, x)
_EtwpNotifyGuid@12 proc	near		; CODE XREF: EtwpSendSessionNotification(x,x,x)+7Ep
					; NtTraceControl(x,x,x,x,x,x)+37Dp

var_5E		= byte ptr -5Eh
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		push	ebx
		xor	eax, eax
		mov	[esp+68h+var_44], ecx
		push	esi
		push	edi
		push	2Ch		; size_t
		push	eax		; int
		mov	[esp+78h+var_34], eax
		mov	ebx, edx
		mov	[esp+78h+var_48], eax
		mov	[esp+78h+var_4C], eax
		mov	[esp+78h+var_58], eax
		mov	[esp+78h+var_50], eax
		mov	[esp+78h+var_5D], al
		mov	[esp+78h+var_40], eax
		lea	eax, [esp+78h+var_2C]
		push	eax		; void *
		call	_memset
		mov	edx, [ebx+4]
		add	esp, 0Ch
		cmp	edx, 10000h
		jbe	short loc_7EF0A3
		mov	eax, 0C0000206h
		jmp	loc_7EF3DF
; 

loc_7EF0A3:				; CODE XREF: EtwpNotifyGuid(x,x,x)+4Bj
		mov	esi, [ebx]
		cmp	esi, 0Bh
		jnz	short loc_7EF107
		cmp	edx, 78h
		jnb	short loc_7EF0B9

loc_7EF0AF:				; CODE XREF: EtwpNotifyGuid(x,x,x)+7Dj
		mov	esi, 80000005h
		jmp	loc_7EF3D4
; 

loc_7EF0B9:				; CODE XREF: EtwpNotifyGuid(x,x,x)+61j
		mov	esi, [ebx+48h]
		lea	eax, [edx-4Ch]
		add	esi, 7
		mov	ecx, esi
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_7EF0AF
		and	esi, 0FFFFFFF8h
		mov	ecx, [esi+ebx+48h]
		test	ecx, ecx
		jz	short loc_7EF0FE
		lea	edi, [ebx+4Ch]
		add	edi, esi
		lea	eax, [esp+70h+var_2C]
		sub	edx, edi
		mov	[esp+70h+var_40], edi
		add	edx, ebx
		push	eax
		push	edx
		mov	edx, edi
		call	_EtwpValidateTraceControlFilterDescriptors@16 ;	EtwpValidateTraceControlFilterDescriptors(x,x,x,x)
		test	eax, eax
		jz	short loc_7EF0FE
		mov	esi, 0C000000Dh
		jmp	loc_7EF3D4
; 

loc_7EF0FE:				; CODE XREF: EtwpNotifyGuid(x,x,x)+88j
					; EtwpNotifyGuid(x,x,x)+A6j
		push	4
		mov	dword ptr [ebx], 4
		pop	esi

loc_7EF107:				; CODE XREF: EtwpNotifyGuid(x,x,x)+5Cj
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		mov	[ebx+24h], eax
		cmp	esi, 4
		jnz	short loc_7EF15D
		cmp	dword ptr [ebx+4], 0F8h
		jnb	short loc_7EF127
		mov	esi, 0C0000023h
		jmp	loc_7EF3D4
; 

loc_7EF127:				; CODE XREF: EtwpNotifyGuid(x,x,x)+CFj
		and	[esp+70h+var_38], 0
		mov	edx, 80h
		mov	ecx, offset _PrivateLoggerSecurityGuid
		call	_EtwpCheckCurrentUserGuidAccess@8 ; EtwpCheckCurrentUserGuidAccess(x,x)
		test	eax, eax
		jns	short loc_7EF144
		mov	[esp+70h+var_5D], 1

loc_7EF144:				; CODE XREF: EtwpNotifyGuid(x,x,x)+F1j
		mov	eax, [esp+70h+var_38]
		lea	edx, [ebx+28h]
		mov	esi, offset _PrivateLoggerNotificationGuid
		mov	edi, edx
		movsd
		movsd
		movsd
		movsd
		mov	edi, 80h
		jmp	short loc_7EF166
; 

loc_7EF15D:				; CODE XREF: EtwpNotifyGuid(x,x,x)+C6j
		push	4
		xor	eax, eax
		lea	edx, [ebx+28h]
		pop	edi
		inc	eax

loc_7EF166:				; CODE XREF: EtwpNotifyGuid(x,x,x)+10Fj
		mov	ecx, [ebx+20h]
		and	dword ptr [ebx+14h], 0
		mov	[esp+70h+var_3C], ecx
		mov	ecx, [esp+70h+var_44]
		push	eax
		call	_EtwpFindGuidEntryByGuid@12 ; EtwpFindGuidEntryByGuid(x,x,x)
		mov	esi, eax
		mov	[esp+70h+var_44], esi
		test	esi, esi
		jnz	short loc_7EF18F
		mov	esi, 0C0000295h
		jmp	loc_7EF3D4
; 

loc_7EF18F:				; CODE XREF: EtwpNotifyGuid(x,x,x)+137j
		cmp	[ebp+arg_0], 0
		jz	short loc_7EF1B4
		cmp	dword ptr [ebx], 4
		jz	short loc_7EF1B4
		mov	ecx, [esi+2Ch]
		mov	edx, edi
		push	0
		call	_EtwpAccessCheck@12 ; EtwpAccessCheck(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7EF3C9
		mov	esi, [esp+70h+var_44]

loc_7EF1B4:				; CODE XREF: EtwpNotifyGuid(x,x,x)+147j
					; EtwpNotifyGuid(x,x,x)+14Cj
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	ecx, [esi+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		lea	edi, [esi+24h]
		mov	[esi+170h], eax
		mov	[esp+70h+var_30], edi
		cmp	[edi], edi
		jnz	short loc_7EF1E7
		mov	esi, 0C0000296h
		jmp	loc_7EF370
; 

loc_7EF1E7:				; CODE XREF: EtwpNotifyGuid(x,x,x)+18Fj
		cmp	byte ptr [ebx+0Ch], 0
		jz	short loc_7EF20E
		lea	eax, [esp+70h+var_48]
		mov	ecx, esi
		push	eax
		lea	edx, [esp+74h+var_34]
		call	EtwpCreateUmReplyObject
		mov	esi, eax
		test	esi, esi
		js	loc_7EF370
		mov	eax, [esp+70h+var_48]
		mov	[ebx+18h], eax

loc_7EF20E:				; CODE XREF: EtwpNotifyGuid(x,x,x)+19Fj
		mov	ecx, [ebx+4]
		lea	eax, [esp+70h+var_4C]
		push	eax
		mov	edx, ebx
		call	_EtwpAllocDataBlock@12 ; EtwpAllocDataBlock(x,x,x)
		mov	ecx, eax
		mov	[esp+70h+var_5C], ecx
		test	ecx, ecx
		jns	short loc_7EF231

loc_7EF227:				; CODE XREF: EtwpNotifyGuid(x,x,x)+2CCj
		mov	esi, 0C0000017h
		jmp	loc_7EF370
; 

loc_7EF231:				; CODE XREF: EtwpNotifyGuid(x,x,x)+1D9j
		mov	esi, [edi]
		cmp	esi, edi
		jmp	loc_7EF34A
; 

loc_7EF23A:				; CODE XREF: EtwpNotifyGuid(x,x,x)+302j
		movzx	eax, word ptr [esi+32h]
		mov	edi, [esp+70h+var_4C]
		test	al, 2
		jz	loc_7EF344
		test	al, 40h
		jnz	loc_7EF344
		mov	eax, [esp+70h+var_40]
		test	eax, eax
		jz	short loc_7EF275
		mov	edx, [esp+70h+var_4]
		lea	ecx, [esp+70h+var_2C]
		push	ecx
		push	0
		push	eax
		mov	ecx, esi
		call	EtwpApplyTransientFilters
		test	al, al
		jz	loc_7EF340

loc_7EF275:				; CODE XREF: EtwpNotifyGuid(x,x,x)+20Cj
		cmp	[esp+70h+var_3C], 0
		jz	short loc_7EF28E
		push	dword ptr [esi+28h]
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		cmp	eax, [esp+70h+var_3C]
		jnz	loc_7EF340

loc_7EF28E:				; CODE XREF: EtwpNotifyGuid(x,x,x)+22Ej
		cmp	[esp+70h+var_5D], 1
		jnz	short loc_7EF2AB
		mov	ecx, [esi+28h]
		call	_EtwpCheckCurrentUserProcessAccess@4 ; EtwpCheckCurrentUserProcessAccess(x)
		mov	ecx, eax
		mov	[esp+70h+var_5C], ecx
		test	ecx, ecx
		js	loc_7EF344

loc_7EF2AB:				; CODE XREF: EtwpNotifyGuid(x,x,x)+247j
		cmp	dword ptr [ebx], 4
		jnz	short loc_7EF32F
		and	[esp+70h+var_38], 0
		cmp	dword ptr [ebx+4Ch], 1
		jz	short loc_7EF32F
		movzx	esi, word ptr [ebx+50h]
		lea	eax, [esp+70h+var_38]
		push	eax
		mov	eax, 7FFFh
		and	si, ax
		mov	eax, [esp+74h+var_54]
		push	dword ptr [eax+28h]
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	edx, esi
		mov	ecx, eax
		call	_EtwpDemuxPrivateTraceHandle@12	; EtwpDemuxPrivateTraceHandle(x,x,x)
		mov	ecx, eax
		mov	[esp+70h+var_5C], ecx
		test	ecx, ecx
		js	loc_7EF3C0
		mov	edi, [esp+70h+var_58]
		test	edi, edi
		jz	short loc_7EF303
		mov	ecx, edi
		call	_EtwpUnreferenceDataBlock@4 ; EtwpUnreferenceDataBlock(x)
		and	[esp+70h+var_58], 0

loc_7EF303:				; CODE XREF: EtwpNotifyGuid(x,x,x)+2A9j
		mov	ecx, [ebx+4]
		lea	eax, [esp+70h+var_58]
		push	eax
		mov	edx, ebx
		call	_EtwpAllocDataBlock@12 ; EtwpAllocDataBlock(x,x,x)
		mov	[esp+70h+var_5C], eax
		test	eax, eax
		js	loc_7EF227
		mov	edi, [esp+70h+var_58]
		mov	ax, word ptr [esp+70h+var_38]
		mov	esi, [esp+70h+var_54]
		mov	[edi+50h], ax

loc_7EF32F:				; CODE XREF: EtwpNotifyGuid(x,x,x)+262j
					; EtwpNotifyGuid(x,x,x)+26Dj
		mov	edx, edi
		mov	ecx, esi
		call	EtwpSendDataBlock
		test	eax, eax
		js	short loc_7EF3B8
		inc	[esp+70h+var_50]

loc_7EF340:				; CODE XREF: EtwpNotifyGuid(x,x,x)+223j
					; EtwpNotifyGuid(x,x,x)+23Cj
		mov	ecx, [esp+70h+var_5C]

loc_7EF344:				; CODE XREF: EtwpNotifyGuid(x,x,x)+1F8j
					; EtwpNotifyGuid(x,x,x)+200j ...
		mov	esi, [esi]
		cmp	esi, [esp+70h+var_30]

loc_7EF34A:				; CODE XREF: EtwpNotifyGuid(x,x,x)+1E9j
		mov	[esp+70h+var_54], esi
		jnz	loc_7EF23A
		mov	eax, [esp+70h+var_34]
		mov	esi, [esp+70h+var_50]
		cdq
		mov	[ebx+18h], eax
		xor	eax, eax
		cmp	eax, esi
		mov	[ebx+14h], esi
		mov	[ebx+1Ch], edx
		sbb	esi, esi
		not	esi
		and	esi, ecx

loc_7EF370:				; CODE XREF: EtwpNotifyGuid(x,x,x)+196j
					; EtwpNotifyGuid(x,x,x)+1B5j ...
		mov	ebx, [esp+70h+var_44]
		xor	edx, edx
		and	dword ptr [ebx+170h], 0
		lea	ecx, [ebx+16Ch]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esp+70h+var_4C]
		test	ecx, ecx
		jz	short loc_7EF39A
		call	_EtwpUnreferenceDataBlock@4 ; EtwpUnreferenceDataBlock(x)

loc_7EF39A:				; CODE XREF: EtwpNotifyGuid(x,x,x)+347j
		mov	edi, [esp+70h+var_58]
		test	edi, edi
		jz	short loc_7EF3A9
		mov	ecx, edi
		call	_EtwpUnreferenceDataBlock@4 ; EtwpUnreferenceDataBlock(x)

loc_7EF3A9:				; CODE XREF: EtwpNotifyGuid(x,x,x)+354j
		mov	ecx, [esp+70h+var_48]
		test	ecx, ecx
		jz	short loc_7EF3CD
		call	ObfDereferenceObject
		jmp	short loc_7EF3CD
; 

loc_7EF3B8:				; CODE XREF: EtwpNotifyGuid(x,x,x)+2EEj
		mov	ecx, eax
		mov	[esp+70h+var_5C], ecx
		jmp	short loc_7EF344
; 

loc_7EF3C0:				; CODE XREF: EtwpNotifyGuid(x,x,x)+29Dj
		mov	esi, [esp+70h+var_54]
		jmp	loc_7EF344
; 

loc_7EF3C9:				; CODE XREF: EtwpNotifyGuid(x,x,x)+15Ej
		mov	ebx, [esp+70h+var_44]

loc_7EF3CD:				; CODE XREF: EtwpNotifyGuid(x,x,x)+363j
					; EtwpNotifyGuid(x,x,x)+36Aj
		mov	ecx, ebx
		call	EtwpUnreferenceGuidEntry

loc_7EF3D4:				; CODE XREF: EtwpNotifyGuid(x,x,x)+68j
					; EtwpNotifyGuid(x,x,x)+ADj ...
		lea	ecx, [esp+70h+var_2C]
		call	EtwpFreeFilterInfo
		mov	eax, esi

loc_7EF3DF:				; CODE XREF: EtwpNotifyGuid(x,x,x)+52j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_EtwpNotifyGuid@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpIsSpecialGuidEnabledOnDifferentLogger(x, x, x)
_EtwpIsSpecialGuidEnabledOnDifferentLogger@12 proc near	; CODE XREF: EtwpEnableGuid+36Fp

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, word ptr [ecx+38h]
		test	ax, ax
		jz	short loc_7EF402
		cmp	[ebp+arg_0], 2
		jz	short loc_7EF402
		cmp	[edx+6], ax
		jnz	short loc_7EF408

loc_7EF402:				; CODE XREF: EtwpIsSpecialGuidEnabledOnDifferentLogger(x,x,x)+Cj
					; EtwpIsSpecialGuidEnabledOnDifferentLogger(x,x,x)+12j	...
		xor	al, al

loc_7EF404:				; CODE XREF: EtwpIsSpecialGuidEnabledOnDifferentLogger(x,x,x)+39j
		pop	ebp
		retn	4
; 

loc_7EF408:				; CODE XREF: EtwpIsSpecialGuidEnabledOnDifferentLogger(x,x,x)+18j
		push	10h		; size_t
		lea	eax, [ecx+14h]
		push	eax		; void *
		push	offset dword_405318 ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7EF402
		mov	al, 1
		jmp	short loc_7EF404
_EtwpIsSpecialGuidEnabledOnDifferentLogger@12 endp

; 
		align 8
; Exported entry 290. EtwRegister

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwRegister(x, x, x, x)
		public _EtwRegister@16
_EtwRegister@16	proc near		; CODE XREF: KiIntSteerConnect+298p
					; BapdRegisterEtwProvider(x,x,x)+13p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		push	[ebp+arg_C]	; int
		mov	edx, [ebp+arg_0] ; void	*
		push	dword ptr [ebp+4] ; int
		mov	ecx, [eax+1F0h]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		push	3		; int
		call	EtwpRegisterProvider
		pop	ebp
		retn	10h
_EtwRegister@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpRealtimeSendEmptyMarker(x)
_EtwpRealtimeSendEmptyMarker@4 proc near ; CODE	XREF: EtwpFlushActiveBuffers(x,x)+40Dp

var_48		= dword	ptr -48h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= word ptr -14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	esi
		push	48h		; size_t
		lea	eax, [ebp+var_48]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edx, [ebp+var_48]
		mov	ecx, esi
		call	EtwpInitializeBufferHeader
		push	6
		mov	eax, 0FEFFh
		lea	ecx, [ebp+var_48]
		and	[ebp+var_14], ax
		pop	edx
		call	@EtwpResetBufferHeader@8 ; EtwpResetBufferHeader(x,x)
		xor	eax, eax
		mov	[ebp+var_1C], 3
		inc	eax
		mov	[ebp+var_18], 48h
		cmp	dword ptr [esi+108h], 0
		mov	[ebp+var_14], ax
		jbe	short loc_7EF4BA
		lea	edx, [ebp+var_48]
		mov	ecx, esi
		call	EtwpRealtimeDeliverBuffer

loc_7EF4B3:				; CODE XREF: EtwpRealtimeSendEmptyMarker(x)+6Dj
		test	eax, eax
		js	short loc_7EF4C1

loc_7EF4B7:				; CODE XREF: EtwpRealtimeSendEmptyMarker(x)+77j
					; EtwpRealtimeSendEmptyMarker(x)+81j ...
		pop	esi
		leave
		retn
; 

loc_7EF4BA:				; CODE XREF: EtwpRealtimeSendEmptyMarker(x)+55j
		mov	eax, 0C0000001h
		jmp	short loc_7EF4B3
; 

loc_7EF4C1:				; CODE XREF: EtwpRealtimeSendEmptyMarker(x)+63j
		mov	ecx, 10000000h
		test	[esi+0Ch], ecx
		jnz	short loc_7EF4B7
		mov	eax, [esi+258h]
		test	eax, ecx
		jnz	short loc_7EF4B7
		lea	edx, [ebp+var_48]
		mov	ecx, esi
		call	EtwpRealtimeSaveBuffer
		jmp	short loc_7EF4B7
_EtwpRealtimeSendEmptyMarker@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall EtwpRegisterProvider(int,void *,int,int,int,int,int)
EtwpRegisterProvider proc near		; CODE XREF: EtwRegister(x,x,x,x)+21p
					; DbgkpStartSystemErrorHandler()+6Bp ...

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00910944 SIZE 0000010C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		mov	eax, [ebp+arg_8]
		and	[esp+64h+var_64], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		push	8
		mov	[esp+74h+var_60], ecx
		lea	edi, [esp+74h+var_48]
		pop	ecx
		mov	esi, edx
		mov	[esp+70h+var_5C], eax
		mov	edx, [ebp+arg_10]
		xor	eax, eax
		push	10h		; size_t
		rep stosd
		xor	edi, edi
		mov	[esp+74h+var_50], esi
		push	offset _SecurityProviderGuid ; void *
		push	esi		; void *
		mov	[esp+7Ch+var_54], ebx
		mov	[esp+7Ch+var_58], edx
		mov	[edx], edi
		mov	[edx+4], edi
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_910944
		test	ebx, ebx
		jz	loc_7EF719

loc_7EF550:				; CODE XREF: EtwpRegisterProvider+23Bj
		cmp	[ebp+arg_0], 3
		jnz	loc_7EF6BD

loc_7EF55A:				; CODE XREF: EtwpRegisterProvider+1E7j
		push	edi
		mov	edi, [esp+74h+var_60]
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpFindGuidEntryByGuid@12 ; EtwpFindGuidEntryByGuid(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_7EF584
		mov	edx, [esp+70h+var_50]
		mov	ecx, edi
		push	eax
		call	_EtwpAddGuidEntry@12 ; EtwpAddGuidEntry(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_910958

loc_7EF584:				; CODE XREF: EtwpRegisterProvider+8Aj
		cmp	dword ptr [esi+168h], 0
		jnz	loc_910962

loc_7EF591:				; CODE XREF: EtwpRegisterProvider+1214B4j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edi, [esp+70h+var_5C]
		mov	edx, [ebp+arg_0]
		mov	[esi+170h], eax
		lea	eax, [esp+70h+var_64]
		push	eax
		push	edi
		push	ebx
		call	EtwpAddKmRegEntry
		mov	ebx, eax
		mov	[esp+70h+var_60], ebx
		test	ebx, ebx
		js	loc_7EF65C
		mov	ebx, [esp+70h+var_64]
		mov	eax, ebx
		mov	ecx, [ebp+arg_C]
		cdq
		mov	[ebx+18h], ecx
		mov	ecx, [esp+70h+var_58]
		mov	[ecx+4], edx
		xor	edx, edx
		mov	[ecx], eax
		cmp	[esi+40h], edx
		jnz	loc_7EF6A0

loc_7EF5FC:				; CODE XREF: EtwpRegisterProvider+1D6j
		mov	ecx, [esi+168h]
		test	ecx, ecx
		jnz	loc_91099B

loc_7EF60A:				; CODE XREF: EtwpRegisterProvider+1214BCj
					; EtwpRegisterProvider+1214D7j
		lea	edx, [esp+70h+var_48]
		mov	ecx, ebx
		call	EtwpComputeRegEntryEnableInfo
		mov	ecx, ebx
		call	EtwpTrackProviderRegistration
		mov	ecx, [esp+70h+var_54]
		test	ecx, ecx
		jz	short loc_7EF639
		test	byte ptr [ebx+32h], 8
		jnz	loc_7EF6D4
		cmp	[esp+70h+var_48], 0
		jnz	loc_7EF728

loc_7EF639:				; CODE XREF: EtwpRegisterProvider+140j
					; EtwpRegisterProvider+1F6j ...
		mov	edi, offset _ETW_EVENT_PROVIDER_REGISTER
		push	edi
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_910A16

loc_7EF658:				; CODE XREF: EtwpRegisterProvider+121545j
		mov	ebx, [esp+70h+var_60]

loc_7EF65C:				; CODE XREF: EtwpRegisterProvider+F3j
		and	dword ptr [esi+170h], 0
		lea	ecx, [esi+16Ch]
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [esi+168h]
		test	eax, eax
		jnz	loc_910A2C

loc_7EF683:				; CODE XREF: EtwpRegisterProvider+121569j
		mov	ecx, esi
		call	EtwpUnreferenceGuidEntry

loc_7EF68A:				; CODE XREF: EtwpRegisterProvider+12147Bj
		mov	eax, ebx

loc_7EF68C:				; CODE XREF: EtwpRegisterProvider+121467j
					; EtwpRegisterProvider+121471j
		mov	ecx, [esp+70h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7EF6A0:				; CODE XREF: EtwpRegisterProvider+114j
		lea	eax, [ebx+34h]
		mov	ecx, esi
		push	eax
		push	edx
		push	edx
		mov	dl, [ebx+32h]
		shr	dl, 3
		and	dl, 1
		call	EtwpUpdateEnableMask
		xor	edx, edx
		jmp	loc_7EF5FC
; 

loc_7EF6BD:				; CODE XREF: EtwpRegisterProvider+72j
		cmp	[ebp+arg_0], 2
		jnz	loc_91094E
		test	ebx, ebx
		jnz	loc_7EF55A
		jmp	loc_91094E
; 

loc_7EF6D4:				; CODE XREF: EtwpRegisterProvider+146j
		test	byte ptr [esi+3Bh], 1
		jz	loc_7EF639
		mov	ax, [esi+38h]
		and	[esp+70h+var_1C], 0
		mov	word ptr [esp+70h+var_28], ax
		mov	al, [esi+3Ah]
		mov	byte ptr [esp+70h+var_28+2], al
		mov	eax, [esi+30h]
		mov	[esp+70h+var_24], eax
		mov	eax, [esi+34h]
		mov	[esp+70h+var_20], eax
		lea	eax, [esp+70h+var_28]
		push	edi
		push	eax
		push	1
		lea	eax, [esi+14h]
		mov	byte ptr [esp+7Ch+var_28+3], 0
		push	eax
		call	ecx
		jmp	loc_7EF639
; 

loc_7EF719:				; CODE XREF: EtwpRegisterProvider+68j
		cmp	[esp+70h+var_5C], edi
		jz	loc_7EF550
		jmp	loc_91094E
; 

loc_7EF728:				; CODE XREF: EtwpRegisterProvider+151j
		and	[esp+70h+var_4C], 0
		lea	edi, [esp+70h+var_18]
		and	[esp+70h+var_64], 0
		xor	eax, eax
		stosd
		mov	ecx, esi
		stosd
		stosd
		stosd
		mov	dl, [ebx+34h]
		call	EtwpGetSchematizedFilterSize
		mov	[esp+70h+var_58], eax
		test	eax, eax
		jnz	loc_9109BE
		mov	edi, [esp+70h+var_4C]

loc_7EF756:				; CODE XREF: EtwpRegisterProvider+1214EDj
					; EtwpRegisterProvider+121522j
		push	[esp+70h+var_5C]
		push	[esp+74h+var_64]
		push	[esp+78h+var_2C]
		push	[esp+7Ch+var_30]
		push	[esp+80h+var_34]
		push	[esp+84h+var_38]
		push	[esp+88h+var_44]
		push	1
		push	offset _GUID_NULL
		call	[esp+94h+var_54]
		test	edi, edi
		jz	loc_7EF639
		jmp	loc_910A09
EtwpRegisterProvider endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpComputeRegEntryEnableInfo proc near	; CODE XREF: EtwpClearSessionAndUnreferenceEntry+1BBp
					; EtwpRegisterProvider+12Ep ...

var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00910A50 SIZE 000000D1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ecx
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_10], eax
		mov	cl, [eax+36h]
		mov	esi, [eax+10h]
		mov	ch, [eax+35h]
		mov	dl, [eax+34h]
		mov	[ebp+var_2], cl
		mov	cl, [eax+37h]
		mov	eax, [eax+14h]
		mov	[ebp+var_1], ch
		mov	[ebp+var_3], cl
		mov	ecx, [esi+168h]
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], ecx
		test	eax, eax
		jz	loc_7EF8F1
		mov	ecx, [eax+168h]
		mov	[ebp+var_C], ecx

loc_7EF7D9:				; CODE XREF: EtwpComputeRegEntryEnableInfo+168j
		mov	dword ptr [ebx], 0
		xor	eax, eax
		mov	dword ptr [ebx+4], 0
		add	esi, 70h
		mov	dword ptr [ebx+8], 0
		mov	dword ptr [ebx+0Ch], 0
		mov	dword ptr [ebx+10h], 0
		mov	dword ptr [ebx+14h], 0
		push	edi
		mov	dword ptr [ebx+18h], 0FFFFFFFFh
		mov	dword ptr [ebx+1Ch], 0FFFFFFFFh
		movzx	edi, dl
		lea	esp, [esp+0]

loc_7EF820:				; CODE XREF: EtwpComputeRegEntryEnableInfo+A8j
		mov	edx, 1
		mov	cl, al
		shl	edx, cl
		test	edx, edi
		jnz	loc_7EF8BA

loc_7EF831:				; CODE XREF: EtwpComputeRegEntryEnableInfo+15Cj
		inc	eax
		add	esi, 20h
		cmp	eax, 8
		jb	short loc_7EF820
		mov	ch, [ebp+var_1]
		test	ch, ch
		jz	short loc_7EF866
		mov	esi, [ebp+var_8]
		xor	edx, edx
		movzx	edi, ch
		add	esi, 64h
		lea	esp, [esp+0]

loc_7EF850:				; CODE XREF: EtwpComputeRegEntryEnableInfo+D4j
		mov	eax, 1
		mov	cl, dl
		shl	eax, cl
		test	eax, edi
		jnz	short loc_7EF880

loc_7EF85D:				; CODE XREF: EtwpComputeRegEntryEnableInfo+F4j
					; EtwpComputeRegEntryEnableInfo+128j
		inc	edx
		add	esi, 20h
		cmp	edx, 8
		jb	short loc_7EF850

loc_7EF866:				; CODE XREF: EtwpComputeRegEntryEnableInfo+AFj
		mov	eax, [ebp+var_10]
		pop	edi
		mov	eax, [eax+10h]
		cmp	dword ptr [eax+168h], 0
		jnz	loc_910A50

loc_7EF87A:				; CODE XREF: EtwpComputeRegEntryEnableInfo+121326j
					; EtwpComputeRegEntryEnableInfo+12138Cj
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7EF880:				; CODE XREF: EtwpComputeRegEntryEnableInfo+CBj
		cmp	dword ptr [esi-4], 0
		jz	short loc_7EF85D
		mov	al, [ebx+4]
		mov	dword ptr [ebx], 1
		mov	cl, [esi]
		cmp	al, cl
		ja	short loc_7EF897
		mov	al, cl

loc_7EF897:				; CODE XREF: EtwpComputeRegEntryEnableInfo+103j
		mov	[ebx+4], al
		mov	eax, [esi+0Ch]
		or	[ebx+10h], eax
		mov	eax, [esi+10h]
		or	[ebx+14h], eax
		mov	eax, [esi+14h]
		and	[ebx+18h], eax
		mov	eax, [esi+18h]
		and	[ebx+1Ch], eax
		mov	eax, [esi+4]
		or	[ebx+8], eax
		jmp	short loc_7EF85D
; 

loc_7EF8BA:				; CODE XREF: EtwpComputeRegEntryEnableInfo+9Bj
		mov	cl, [ebx+4]
		mov	dword ptr [ebx], 1
		mov	dl, [esi-0Ch]
		cmp	cl, dl
		ja	short loc_7EF8CC
		mov	cl, dl

loc_7EF8CC:				; CODE XREF: EtwpComputeRegEntryEnableInfo+138j
		mov	[ebx+4], cl
		mov	ecx, [esi]
		or	[ebx+10h], ecx
		mov	ecx, [esi+4]
		or	[ebx+14h], ecx
		mov	ecx, [esi+8]
		and	[ebx+18h], ecx
		mov	ecx, [esi+0Ch]
		and	[ebx+1Ch], ecx
		mov	ecx, [esi-8]
		or	[ebx+8], ecx
		jmp	loc_7EF831
; 

loc_7EF8F1:				; CODE XREF: EtwpComputeRegEntryEnableInfo+3Aj
		mov	[ebp+var_C], 0
		jmp	loc_7EF7D9
EtwpComputeRegEntryEnableInfo endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpAddKmRegEntry proc near		; CODE XREF: EtwpRegisterProvider+E6p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00910B21 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	52777445h
		push	3Ch
		push	200h
		mov	[ebp+var_4], edx
		mov	ebx, ecx
		xor	edi, edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_910B21
		push	3Ch		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		inc	eax
		mov	ecx, ebx
		mov	[esi+32h], ax
		call	EtwpReferenceGuidEntry
		cmp	[ebp+var_4], 2
		mov	[esi+10h], ebx
		jz	short loc_7EF998

loc_7EF94C:				; CODE XREF: EtwpAddKmRegEntry+9Fj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_7EF965
		mov	eax, [ebp+arg_4]
		mov	[esi+2Ch], ecx
		mov	[esi+28h], eax
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jnz	short loc_7EF99F

loc_7EF965:				; CODE XREF: EtwpAddKmRegEntry+53j
					; EtwpAddKmRegEntry+BBj
		lea	eax, [ebx+24h]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_7EF9BB
		mov	[esi+4], eax
		mov	[esi], ecx
		mov	[ecx+4], esi
		mov	[eax], esi
		lea	eax, [esi+8]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, 80h
		or	[esi+32h], ax
		mov	eax, [ebp+arg_8]
		mov	[eax], esi

loc_7EF98F:				; CODE XREF: EtwpAddKmRegEntry+121228j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7EF998:				; CODE XREF: EtwpAddKmRegEntry+4Cj
		or	word ptr [esi+32h], 8
		jmp	short loc_7EF94C
; 

loc_7EF99F:				; CODE XREF: EtwpAddKmRegEntry+65j
		mov	ecx, large fs:124h
		or	word ptr [esi+32h], 10h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esi+1Ch], eax
		jmp	short loc_7EF965
; 

loc_7EF9BB:				; CODE XREF: EtwpAddKmRegEntry+6Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
EtwpAddKmRegEntry endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUnreferenceDataBlock(x)
_EtwpUnreferenceDataBlock@4 proc near	; CODE XREF: EtwpNotifyGuid(x,x,x)+2ADp
					; EtwpNotifyGuid(x,x,x)+349p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+8], eax
		dec	eax
		jnz	short locret_7EF9D9
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_7EF9D9:				; CODE XREF: EtwpUnreferenceDataBlock(x)+Fj
		leave
		retn
_EtwpUnreferenceDataBlock@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAddGuidEntry(x,	x, x)
_EtwpAddGuidEntry@12 proc near		; CODE XREF: EtwpRegisterProvider+93p
					; EtwpAddGuidEntry(x,x,x)+50p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	ebx, edx
		mov	eax, ecx
		push	edi
		mov	[ebp+var_8], ebx
		xor	edi, edi
		mov	[ebp+var_4], eax
		call	EtwpAllocGuidEntry
		mov	esi, eax
		test	esi, esi
		jnz	short loc_7EFA06

loc_7EF9FD:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+65j
		xor	eax, eax

loc_7EF9FF:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+1E4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7EFA06:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+1Fj
		mov	ecx, ds:_EtwpHostSiloState
		cmp	[ebp+var_4], ecx
		jz	short loc_7EFA43
		push	[ebp+arg_0]
		mov	edx, ebx
		call	_EtwpFindGuidEntryByGuid@12 ; EtwpFindGuidEntryByGuid(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_7EFA43
		push	[ebp+arg_0]
		mov	ecx, ds:_EtwpHostSiloState
		mov	edx, ebx
		call	_EtwpAddGuidEntry@12 ; EtwpAddGuidEntry(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_7EFA43
		dec	dword ptr [esi+10h]
		mov	ecx, esi
		call	EtwpFreeGuidEntry
		jmp	short loc_7EF9FD
; 

loc_7EFA43:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+33j
					; EtwpAddGuidEntry(x,x,x)+43j ...
		mov	eax, [ebx+0Ch]
		xor	eax, [ebx+8]
		xor	eax, [ebx+4]
		xor	eax, [ebx]
		mov	ebx, [ebp+var_4]
		and	eax, 3Fh
		imul	eax, 1Ch
		add	ebx, 190h
		add	ebx, eax
		mov	eax, [ebp+arg_0]
		lea	eax, [ebx+eax*8]
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_7EFAAB
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	ecx, [edi+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		lea	ecx, [edi+8]
		mov	[edi+170h], eax
		lea	eax, [esi+8]
		mov	[esi+168h], edi
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	loc_7EFBC5
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		mov	[ecx], eax

loc_7EFAAB:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+8Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [ebx+18h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_4]
		mov	ebx, [eax]
		jmp	short loc_7EFAF3
; 

loc_7EFACF:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+119j
		xor	ecx, ecx

loc_7EFAD1:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+105j
		mov	eax, [ebp+var_8]
		mov	eax, [eax+ecx*4]
		cmp	eax, [ebx+ecx*4+14h]
		jnz	short loc_7EFAEE
		inc	ecx
		cmp	ecx, 4
		jnz	short loc_7EFAD1
		mov	ecx, ebx
		call	EtwpReferenceGuidEntry
		test	al, al
		jnz	short loc_7EFAF9

loc_7EFAEE:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+FFj
		mov	ebx, [ebx]
		mov	eax, [ebp+var_4]

loc_7EFAF3:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+F1j
		cmp	ebx, eax
		jnz	short loc_7EFACF
		jmp	short loc_7EFB51
; 

loc_7EFAF9:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+110j
		test	ebx, ebx
		jz	short loc_7EFB4E
		mov	ecx, [ebp+arg_0]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7EFB15
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+arg_0]

loc_7EFB15:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+12Fj
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		jz	loc_7EFBB0
		lea	eax, [esi+8]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_7EFBC5
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_7EFBC5
		mov	[ecx], edx
		mov	[edx+4], ecx
		and	dword ptr [esi+168h], 0
		jmp	short loc_7EFB88
; 

loc_7EFB4E:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+11Fj
		mov	eax, [ebp+var_4]

loc_7EFB51:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+11Bj
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_7EFBC5
		mov	[esi], ecx
		mov	ebx, esi
		mov	[esi+4], eax
		mov	[ecx+4], esi
		mov	ecx, [ebp+arg_0]
		mov	[eax], esi
		xor	esi, esi
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_7EFB7E
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+arg_0]

loc_7EFB7E:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+198j
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_7EFB88:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+170j
		test	edi, edi
		jz	short loc_7EFBB0
		and	dword ptr [edi+170h], 0
		lea	ecx, [edi+16Ch]
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	esi, esi
		jz	short loc_7EFBBE
		mov	ecx, edi
		call	EtwpUnreferenceGuidEntry

loc_7EFBB0:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+145j
					; EtwpAddGuidEntry(x,x,x)+1AEj
		test	esi, esi
		jz	short loc_7EFBBE
		dec	dword ptr [esi+10h]
		mov	ecx, esi
		call	EtwpFreeGuidEntry

loc_7EFBBE:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+1CBj
					; EtwpAddGuidEntry(x,x,x)+1D6j
		mov	eax, ebx
		jmp	loc_7EF9FF
; 

loc_7EFBC5:				; CODE XREF: EtwpAddGuidEntry(x,x,x)+BFj
					; EtwpAddGuidEntry(x,x,x)+153j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_EtwpAddGuidEntry@12 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpAllocGuidEntry proc	near		; CODE XREF: EtwpAddGuidEntry(x,x,x)+16p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00910F48 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	47777445h
		mov	edi, 178h
		mov	[ebp+var_8], ecx
		push	edi
		mov	esi, edx
		push	200h
		mov	[ebp+var_C], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_7EFC83
		push	edi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	ecx, [ebp+var_C]
		lea	edi, [ebx+14h]
		mov	dword ptr [ebx+10h], 1
		lea	eax, [ebx+24h]
		movsd
		lea	edx, [ebp+var_4]
		add	esp, 0Ch
		movsd
		movsd
		movsd
		mov	[eax+4], eax
		xor	esi, esi
		mov	[eax], eax
		lea	eax, [ebx+8]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+var_8]
		mov	[ebx+170h], esi
		mov	[ebx+164h], eax
		mov	[ebx+16Ch], esi
		call	_EtwpGetSecurityDescriptorByGuid@8 ; EtwpGetSecurityDescriptorByGuid(x,x)
		push	1
		lea	eax, [ebx+2Ch]
		push	eax
		push	[ebp+var_4]
		call	ObLogSecurityDescriptor
		test	eax, eax
		js	loc_910F48

loc_7EFC62:				; CODE XREF: EtwpAllocGuidEntry+121387j
		lea	ecx, [ebp+var_4]
		call	_EtwpFreeSecurityDescriptor@4 ;	EtwpFreeSecurityDescriptor(x)
		test	ebx, ebx
		jz	short loc_7EFC7C
		mov	eax, [ebx+164h]
		add	eax, 8BCh
		lock inc dword ptr [eax]

loc_7EFC7C:				; CODE XREF: EtwpAllocGuidEntry+A2j
		mov	eax, ebx

loc_7EFC7E:				; CODE XREF: EtwpAllocGuidEntry+BBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7EFC83:				; CODE XREF: EtwpAllocGuidEntry+30j
		xor	eax, eax
		jmp	short loc_7EFC7E
EtwpAllocGuidEntry endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpEnableTrace(int,__int16,int,size_t,int,int,int,int,int,int,int,int,void *,int,void *,int,void *,int,int)
EtwpEnableTrace	proc near		; CODE XREF: EtwEnableTrace(x,x,x,x,x,x,x,x,x,x,x)+3Fp
					; EtwpEnableAutoLoggerProvider+4E7p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h
arg_40		= dword	ptr  48h
arg_44		= dword	ptr  4Ch
arg_48		= dword	ptr  50h

; FUNCTION CHUNK AT 00910F56 SIZE 00000205 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_28]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], edx
		mov	ecx, edi
		mov	[ebp+var_4], ecx
		push	78h
		pop	esi
		test	ebx, ebx
		jz	short loc_7EFCBF
		mov	edx, edi

loc_7EFCAC:				; CODE XREF: EtwpEnableTrace+35j
		movzx	eax, word ptr [ebx+edx*8]
		test	ax, ax
		jnz	loc_910F56

loc_7EFCB9:				; CODE XREF: EtwpEnableTrace+1212D2j
					; EtwpEnableTrace+1212EDj
		inc	edx
		cmp	edx, 4
		jb	short loc_7EFCAC

loc_7EFCBF:				; CODE XREF: EtwpEnableTrace+20j
		mov	eax, [ebp+arg_2C]
		test	eax, eax
		jz	short loc_7EFCDD
		mov	edx, edi

loc_7EFCC8:				; CODE XREF: EtwpEnableTrace+128j
		mov	eax, [eax+edx*4]
		test	eax, eax
		jnz	loc_7EFDB5

loc_7EFCD3:				; CODE XREF: EtwpEnableTrace+134j
					; EtwpEnableTrace+14Dj
		inc	edx
		cmp	edx, 2
		jb	loc_7EFDAD

loc_7EFCDD:				; CODE XREF: EtwpEnableTrace+3Cj
		mov	eax, [ebp+arg_34]
		test	eax, eax
		jnz	loc_910F84

loc_7EFCE8:				; CODE XREF: EtwpEnableTrace+121302j
		mov	eax, [ebp+arg_3C]
		test	eax, eax
		jnz	loc_910F8F

loc_7EFCF3:				; CODE XREF: EtwpEnableTrace+12130Dj
		mov	eax, [ebp+arg_44]
		test	eax, eax
		jnz	loc_910F9A

loc_7EFCFE:				; CODE XREF: EtwpEnableTrace+121318j
		cmp	[ebp+arg_48], 0
		jnz	loc_910FA5

loc_7EFD08:				; CODE XREF: EtwpEnableTrace+121324j
		mov	eax, ecx
		shl	eax, 4
		push	74777445h
		add	esi, eax
		mov	[ebp+var_C], eax
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_910FB1
		push	esi		; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		mov	[ebx+4], esi
		add	esp, 0Ch
		mov	esi, [ebp+arg_0]
		mov	dword ptr [ebx], 3
		test	esi, esi
		jnz	loc_910FBB

loc_7EFD48:				; CODE XREF: EtwpEnableTrace+12133Aj
		mov	esi, [ebp+var_8]
		lea	edi, [ebx+28h]
		mov	eax, [ebp+arg_C]
		movsd
		movsd
		movsd
		movsd
		mov	[ebx+48h], eax
		mov	al, byte ptr [ebp+arg_10]
		mov	[ebx+4Ch], al
		mov	eax, [ebp+arg_1C]
		mov	[ebx+60h], eax
		mov	eax, [ebp+arg_20]
		mov	[ebx+64h], eax
		mov	eax, [ebp+arg_14]
		mov	[ebx+58h], eax
		mov	eax, [ebp+arg_18]
		mov	[ebx+5Ch], eax
		mov	ax, [ebp+arg_4]
		mov	[ebx+4Eh], ax
		mov	eax, [ebp+arg_24]
		mov	[ebx+50h], eax
		mov	eax, [ebp+var_4]
		mov	[ebx+74h], eax
		test	eax, eax
		jnz	short loc_7EFDDA

loc_7EFD8E:				; CODE XREF: EtwpEnableTrace+23Ej
					; EtwpEnableTrace+1214CEj
		mov	ecx, [ebp+var_10]
		xor	edi, edi
		push	edi
		mov	edx, ebx
		call	EtwpEnableGuid
		push	edi
		push	ebx
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7EFDA4:				; CODE XREF: EtwpEnableTrace+1212F7j
					; EtwpEnableTrace+12132Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4Ch
; 

loc_7EFDAD:				; CODE XREF: EtwpEnableTrace+4Fj
		mov	eax, [ebp+arg_2C]
		jmp	loc_7EFCC8
; 

loc_7EFDB5:				; CODE XREF: EtwpEnableTrace+45j
		movzx	eax, word ptr [eax+2]
		test	ax, ax
		jz	loc_7EFCD3
		cmp	eax, 40h
		ja	loc_910F7A
		inc	ecx
		lea	esi, [esi+eax*2]
		mov	[ebp+var_4], ecx
		add	esi, 4
		jmp	loc_7EFCD3
; 

loc_7EFDDA:				; CODE XREF: EtwpEnableTrace+104j
		mov	edi, [ebp+var_C]
		lea	edx, [ebx+84h]
		add	edi, 78h
		mov	[ebp+arg_0], edx
		add	edi, ebx
		xor	eax, eax
		mov	ecx, eax
		mov	[ebp+arg_10], eax
		mov	eax, [ebp+arg_28]
		mov	[ebp+arg_C], ecx

loc_7EFDF8:				; CODE XREF: EtwpEnableTrace+186j
		xor	esi, esi
		cmp	[eax+ecx*8], si
		mov	esi, [ebp+arg_10]
		ja	loc_910FC7

loc_7EFE07:				; CODE XREF: EtwpEnableTrace+121344j
					; EtwpEnableTrace+1213C7j
		inc	ecx
		mov	[ebp+arg_C], ecx
		cmp	ecx, 4
		jb	short loc_7EFDF8
		xor	eax, eax
		lea	edx, [ebx+80h]
		mov	ecx, eax
		mov	eax, esi
		shl	eax, 4
		add	edx, eax
		mov	[ebp+arg_0], ecx
		mov	[ebp+arg_28], edx

loc_7EFE27:				; CODE XREF: EtwpEnableTrace+217j
		mov	eax, [ebp+arg_2C]
		mov	eax, [eax+ecx*4]
		test	eax, eax
		jz	short loc_7EFE98
		xor	esi, esi
		cmp	[eax+2], si
		mov	esi, [ebp+arg_10]
		jbe	short loc_7EFE98
		mov	eax, ecx
		sub	eax, 0
		jnz	loc_911054
		mov	dword ptr [edx+4], 80000200h

loc_7EFE4E:				; CODE XREF: EtwpEnableTrace+1213CFj
					; EtwpEnableTrace+1213DCj
		mov	eax, [ebp+arg_2C]
		mov	esi, [ebp+arg_28]
		mov	eax, [eax+ecx*4]
		movzx	eax, word ptr [eax+2]
		lea	ecx, ds:4[eax*2]
		mov	eax, edi
		sub	eax, ebx
		mov	[edx], ecx
		cdq
		mov	[esi-8], eax
		mov	eax, esi
		push	ecx		; size_t
		mov	ecx, [ebp+arg_2C]
		mov	[eax-4], edx
		mov	eax, [ebp+arg_0]
		push	dword ptr [ecx+eax*4] ;	void *
		push	edi		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		mov	esi, [ebp+arg_10]
		add	esp, 0Ch
		add	edi, [edx]
		inc	esi
		add	edx, 10h
		mov	[ebp+arg_10], esi
		mov	[ebp+arg_28], edx

loc_7EFE98:				; CODE XREF: EtwpEnableTrace+1A7j
					; EtwpEnableTrace+1B2j
		inc	ecx
		mov	[ebp+arg_0], ecx
		cmp	ecx, 2
		jb	short loc_7EFE27
		mov	ecx, [ebp+arg_34]
		test	ecx, ecx
		jnz	loc_911069

loc_7EFEAC:				; CODE XREF: EtwpEnableTrace+12141Dj
		mov	ecx, [ebp+arg_3C]
		test	ecx, ecx
		jnz	loc_9110AA

loc_7EFEB7:				; CODE XREF: EtwpEnableTrace+12145Ej
		mov	ecx, [ebp+arg_44]
		test	ecx, ecx
		jnz	loc_9110EB

loc_7EFEC2:				; CODE XREF: EtwpEnableTrace+12149Cj
		cmp	[ebp+arg_48], 0
		jz	loc_7EFD8E
		jmp	loc_911129
EtwpEnableTrace	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdateFilterData(x, x, x, x, x)
_EtwpUpdateFilterData@20 proc near	; CODE XREF: EtwpClearSessionAndUnreferenceEntry+169p
					; EtwpUpdateGuidEnableInfo+116p ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_5], cl
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], ecx
		push	edi
		test	edx, edx
		jz	short loc_7EFF12
		cmp	[edx+74h], ecx
		jz	short loc_7EFF12
		mov	al, byte ptr [ebp+arg_4]
		jmp	short loc_7EFF17
; 

loc_7EFF12:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+34j
					; EtwpUpdateFilterData(x,x,x,x,x)+39j
		mov	al, 1
		mov	byte ptr [ebp+arg_4], al

loc_7EFF17:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+3Ej
		mov	edi, [esi+160h]
		mov	[ebp+var_2C], edi
		test	al, al
		jz	loc_7F00BF
		test	edi, edi
		jz	loc_7F0602
		mov	eax, [ebp+var_2C]
		xor	edi, edi
		imul	ebx, 34h
		add	eax, ebx
		xchg	edi, [eax]
		push	[ebp+arg_4]
		mov	ecx, [esi+160h]
		xor	edx, edx
		push	0
		add	ecx, ebx
		call	EtwpUpdateSchematizedFilterData
		mov	ecx, 80000004h
		mov	eax, edi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_7EFF6F
		mov	ecx, [esi+160h]
		xor	edx, edx
		push	[ebp+arg_4]
		add	ecx, ebx
		call	_EtwpUpdatePidFilterData@12 ; EtwpUpdatePidFilterData(x,x,x)

loc_7EFF6F:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+89j
		mov	ecx, 80000008h
		mov	eax, edi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_7EFF91
		mov	ecx, [esi+160h]
		xor	edx, edx
		push	[ebp+arg_4]
		add	ecx, 8
		add	ecx, ebx
		call	_EtwpUpdateStringFilterData@12 ; EtwpUpdateStringFilterData(x,x,x)

loc_7EFF91:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+A8j
		mov	ecx, 80000010h
		mov	eax, edi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_7EFFB3
		mov	ecx, [esi+160h]
		xor	edx, edx
		push	[ebp+arg_4]
		add	ecx, 0Ch
		add	ecx, ebx
		call	_EtwpUpdateStringFilterData@12 ; EtwpUpdateStringFilterData(x,x,x)

loc_7EFFB3:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+CAj
		mov	ecx, 80000020h
		mov	eax, edi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_7EFFD5
		mov	ecx, [esi+160h]
		xor	edx, edx
		push	[ebp+arg_4]
		add	ecx, 10h
		add	ecx, ebx
		call	_EtwpUpdateStringFilterData@12 ; EtwpUpdateStringFilterData(x,x,x)

loc_7EFFD5:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+ECj
		mov	ecx, 80008000h
		mov	eax, edi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_7EFFF7
		mov	ecx, [esi+160h]
		xor	edx, edx
		push	[ebp+arg_4]
		add	ecx, 14h
		add	ecx, ebx
		call	_EtwpUpdateStringFilterData@12 ; EtwpUpdateStringFilterData(x,x,x)

loc_7EFFF7:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+10Ej
		mov	ecx, 80001000h
		mov	eax, edi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_7F0016
		mov	eax, [esi+160h]
		add	eax, 18h
		add	eax, ebx
		xor	ecx, ecx
		xchg	ecx, [eax]
		mov	[ebp+var_24], ecx

loc_7F0016:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+130j
		mov	edx, 80000200h
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_7F0035
		mov	eax, [esi+160h]
		add	eax, 24h
		add	eax, ebx
		xor	ecx, ecx
		xchg	ecx, [eax]
		mov	[ebp+var_20], ecx

loc_7F0035:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+14Fj
		mov	ecx, 80000400h
		mov	eax, edi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_7F0054
		mov	eax, [esi+160h]
		add	eax, 30h
		add	eax, ebx
		xor	ecx, ecx
		xchg	ecx, [eax]
		mov	[ebp+var_18], ecx

loc_7F0054:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+16Ej
		mov	ecx, 80002000h
		mov	eax, edi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_7F0073
		mov	eax, [esi+160h]
		add	eax, 1Ch
		add	eax, ebx
		xor	ecx, ecx
		xchg	ecx, [eax]
		mov	[ebp+var_10], ecx

loc_7F0073:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+18Dj
		mov	ecx, 80004000h
		mov	eax, edi
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_7F0099
		mov	ecx, [esi+160h]
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+arg_4]
		add	ecx, ebx
		xor	edx, edx
		call	_EtwpUpdateLevelKwFilter@16 ; EtwpUpdateLevelKwFilter(x,x,x,x)
		mov	[ebp+var_C], eax

loc_7F0099:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+1ACj
		mov	eax, 80000100h
		and	edi, eax
		cmp	edi, eax
		jnz	loc_7F056C
		mov	eax, [esi+160h]
		add	eax, 28h
		add	eax, ebx
		xor	ecx, ecx
		xchg	ecx, [eax]
		mov	[ebp+var_14], ecx
		jmp	loc_7F056F
; 

loc_7F00BF:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+50j
		test	edi, edi
		jnz	short loc_7F0100
		push	46777445h
		push	1A0h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_7F00E7
		mov	eax, 0C0000017h
		jmp	loc_7F05FB
; 

loc_7F00E7:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+209j
		push	1A0h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	edx, [ebp+arg_0]
		add	esp, 0Ch
		mov	[esi+160h], edi

loc_7F0100:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+1EFj
		imul	ebx, 34h
		xor	ecx, ecx
		lea	eax, [edi+ebx]
		xchg	ecx, [eax]
		xor	edi, edi
		mov	[ebp+arg_4], ecx
		and	[ebp+var_2C], edi
		cmp	[edx+74h], edi
		jbe	loc_7F0373
		lea	ecx, [edx+84h]
		mov	[ebp+var_28], ecx

loc_7F0124:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+495j
		mov	eax, [ecx-4]
		mov	edx, [ecx]
		mov	ecx, [ecx-0Ch]
		add	ecx, [ebp+arg_0]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_28]
		mov	[ebp+var_44], ecx
		mov	ecx, 80000200h
		mov	[ebp+var_38], edx
		mov	eax, [eax-8]
		adc	eax, 0
		mov	[ebp+var_40], eax
		cmp	edx, ecx
		ja	loc_7F0280
		jz	loc_7F025E
		cmp	edx, 80000000h
		jz	loc_7F023F
		cmp	edx, 80000004h
		jz	loc_7F0222
		cmp	edx, 80000008h
		jz	loc_7F0202
		cmp	edx, 80000010h
		jz	short loc_7F01DF
		cmp	edx, 80000020h
		jz	short loc_7F01BC
		cmp	edx, 80000100h
		jnz	loc_7F0351
		mov	edx, [ebp+arg_8]
		mov	eax, [esi+160h]
		add	eax, 28h
		add	eax, ebx
		mov	ecx, [edx+24h]
		xchg	ecx, [eax]
		and	dword ptr [edx+24h], 0
		or	edi, 80000100h
		mov	[ebp+var_14], ecx
		jmp	loc_7F0351
; 

loc_7F01BC:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+2B7j
		mov	edx, [ebp+arg_8]
		mov	ecx, [esi+160h]
		add	ecx, 10h
		push	0
		lea	edx, [edx+8]
		add	ecx, ebx
		call	_EtwpUpdateStringFilterData@12 ; EtwpUpdateStringFilterData(x,x,x)
		or	edi, 80000020h
		jmp	loc_7F0351
; 

loc_7F01DF:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+2AFj
		mov	edx, [ebp+arg_8]
		mov	ecx, [esi+160h]
		add	ecx, 0Ch
		push	0
		lea	edx, [edx+4]
		add	ecx, ebx
		call	_EtwpUpdateStringFilterData@12 ; EtwpUpdateStringFilterData(x,x,x)
		or	edi, 80000010h
		jmp	loc_7F0351
; 

loc_7F0202:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+2A3j
		mov	ecx, [esi+160h]
		mov	edx, [ebp+arg_8]
		add	ecx, 8
		push	0
		add	ecx, ebx
		call	_EtwpUpdateStringFilterData@12 ; EtwpUpdateStringFilterData(x,x,x)
		or	edi, 80000008h
		jmp	loc_7F0351
; 

loc_7F0222:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+297j
		mov	ecx, [esi+160h]
		lea	edx, [ebp+var_44]
		push	0
		add	ecx, ebx
		call	_EtwpUpdatePidFilterData@12 ; EtwpUpdatePidFilterData(x,x,x)
		or	edi, 80000004h
		jmp	loc_7F0351
; 

loc_7F023F:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+28Bj
		mov	ecx, [esi+160h]
		lea	eax, [ebp+var_44]
		mov	edx, [ebp+var_30]
		add	ecx, ebx
		push	0
		push	eax
		call	EtwpUpdateSchematizedFilterData
		mov	[ebp+var_5], 1
		jmp	loc_7F0351
; 

loc_7F025E:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+27Fj
		mov	edx, [ebp+arg_8]
		mov	eax, [esi+160h]
		add	eax, 24h
		add	eax, ebx
		mov	edx, [edx+10h]
		xchg	edx, [eax]
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_20], edx
		and	dword ptr [eax+10h], 0
		jmp	loc_7F034F
; 

loc_7F0280:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+279j
		mov	ecx, 80000400h
		cmp	edx, ecx
		jz	loc_7F0332
		mov	ecx, 80001000h
		cmp	edx, ecx
		jz	short loc_7F0313
		mov	ecx, 80002000h
		cmp	edx, ecx
		jz	short loc_7F02F4
		cmp	edx, 80004000h
		jz	short loc_7F02D3
		cmp	edx, 80008000h
		jnz	loc_7F0351
		mov	edx, [ebp+arg_8]
		mov	ecx, [esi+160h]
		add	ecx, 14h
		push	0
		lea	edx, [edx+0Ch]
		add	ecx, ebx
		call	_EtwpUpdateStringFilterData@12 ; EtwpUpdateStringFilterData(x,x,x)
		or	edi, 80008000h
		jmp	short loc_7F0351
; 

loc_7F02D3:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+3D3j
		mov	ecx, [esi+160h]
		lea	eax, [ebp+var_1C]
		push	eax
		push	0
		add	ecx, ebx
		lea	edx, [ebp+var_44]
		call	_EtwpUpdateLevelKwFilter@16 ; EtwpUpdateLevelKwFilter(x,x,x,x)
		mov	[ebp+var_C], eax
		or	edi, 80004000h
		jmp	short loc_7F0351
; 

loc_7F02F4:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+3CBj
		mov	edx, [ebp+arg_8]
		mov	eax, [esi+160h]
		add	eax, 1Ch
		add	eax, ebx
		mov	edx, [edx+1Ch]
		xchg	edx, [eax]
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_10], edx
		and	dword ptr [eax+1Ch], 0
		jmp	short loc_7F034F
; 

loc_7F0313:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+3C2j
		mov	edx, [ebp+arg_8]
		mov	eax, [esi+160h]
		add	eax, 18h
		add	eax, ebx
		mov	edx, [edx+14h]
		xchg	edx, [eax]
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_24], edx
		and	dword ptr [eax+14h], 0
		jmp	short loc_7F034F
; 

loc_7F0332:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+3B5j
		mov	edx, [ebp+arg_8]
		mov	eax, [esi+160h]
		add	eax, 30h
		add	eax, ebx
		mov	edx, [edx+18h]
		xchg	edx, [eax]
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_18], edx
		and	dword ptr [eax+18h], 0

loc_7F034F:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+3A9j
					; EtwpUpdateFilterData(x,x,x,x,x)+43Fj	...
		or	edi, ecx

loc_7F0351:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+2BFj
					; EtwpUpdateFilterData(x,x,x,x,x)+2E5j	...
		mov	edx, [ebp+var_2C]
		mov	eax, [ebp+arg_0]
		inc	edx
		mov	ecx, [ebp+var_28]
		add	ecx, 10h
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ecx
		cmp	edx, [eax+74h]
		jb	loc_7F0124
		cmp	[ebp+var_5], 0
		jnz	short loc_7F038E

loc_7F0373:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+243j
		mov	eax, [esi+160h]
		mov	ecx, [eax+ebx+2Ch]
		test	ecx, ecx
		jz	short loc_7F038E
		and	dword ptr [eax+ebx+2Ch], 0
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F038E:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+49Fj
					; EtwpUpdateFilterData(x,x,x,x,x)+4ADj
		mov	ecx, [ebp+arg_4]
		mov	edx, 80000004h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_7F03BA
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jz	short loc_7F03BA
		mov	ecx, [esi+160h]
		xor	edx, edx
		push	1
		add	ecx, ebx
		call	_EtwpUpdatePidFilterData@12 ; EtwpUpdatePidFilterData(x,x,x)
		mov	ecx, [ebp+arg_4]

loc_7F03BA:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+4CAj
					; EtwpUpdateFilterData(x,x,x,x,x)+4D2j
		mov	edx, 80000008h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_7F03E6
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jz	short loc_7F03E6
		mov	ecx, [esi+160h]
		xor	edx, edx
		add	ecx, 8
		push	1
		add	ecx, ebx
		call	_EtwpUpdateStringFilterData@12 ; EtwpUpdateStringFilterData(x,x,x)
		mov	ecx, [ebp+arg_4]

loc_7F03E6:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+4F3j
					; EtwpUpdateFilterData(x,x,x,x,x)+4FBj
		mov	edx, 80000010h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_7F0412
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jz	short loc_7F0412
		mov	ecx, [esi+160h]
		xor	edx, edx
		add	ecx, 0Ch
		push	1
		add	ecx, ebx
		call	_EtwpUpdateStringFilterData@12 ; EtwpUpdateStringFilterData(x,x,x)
		mov	ecx, [ebp+arg_4]

loc_7F0412:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+51Fj
					; EtwpUpdateFilterData(x,x,x,x,x)+527j
		mov	edx, 80000020h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_7F043E
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jz	short loc_7F043E
		mov	ecx, [esi+160h]
		xor	edx, edx
		add	ecx, 10h
		push	1
		add	ecx, ebx
		call	_EtwpUpdateStringFilterData@12 ; EtwpUpdateStringFilterData(x,x,x)
		mov	ecx, [ebp+arg_4]

loc_7F043E:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+54Bj
					; EtwpUpdateFilterData(x,x,x,x,x)+553j
		mov	edx, 80008000h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_7F046A
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jz	short loc_7F046A
		mov	ecx, [esi+160h]
		xor	edx, edx
		add	ecx, 14h
		push	1
		add	ecx, ebx
		call	_EtwpUpdateStringFilterData@12 ; EtwpUpdateStringFilterData(x,x,x)
		mov	ecx, [ebp+arg_4]

loc_7F046A:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+577j
					; EtwpUpdateFilterData(x,x,x,x,x)+57Fj
		mov	edx, 80001000h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_7F0491
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jz	short loc_7F0491
		mov	eax, [esi+160h]
		add	eax, 18h
		add	eax, ebx
		xor	edx, edx
		xchg	edx, [eax]
		mov	[ebp+var_24], edx

loc_7F0491:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+5A3j
					; EtwpUpdateFilterData(x,x,x,x,x)+5ABj
		mov	edx, 80000200h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_7F04B8
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jz	short loc_7F04B8
		mov	eax, [esi+160h]
		add	eax, 24h
		add	eax, ebx
		xor	edx, edx
		xchg	edx, [eax]
		mov	[ebp+var_20], edx

loc_7F04B8:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+5CAj
					; EtwpUpdateFilterData(x,x,x,x,x)+5D2j
		mov	edx, 80000400h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_7F04DF
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jz	short loc_7F04DF
		mov	eax, [esi+160h]
		add	eax, 30h
		add	eax, ebx
		xor	edx, edx
		xchg	edx, [eax]
		mov	[ebp+var_18], edx

loc_7F04DF:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+5F1j
					; EtwpUpdateFilterData(x,x,x,x,x)+5F9j
		mov	edx, 80002000h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_7F0506
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jz	short loc_7F0506
		mov	eax, [esi+160h]
		add	eax, 1Ch
		add	eax, ebx
		xor	edx, edx
		xchg	edx, [eax]
		mov	[ebp+var_10], edx

loc_7F0506:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+618j
					; EtwpUpdateFilterData(x,x,x,x,x)+620j
		mov	edx, 80004000h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_7F0536
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jz	short loc_7F0536
		mov	ecx, [esi+160h]
		lea	eax, [ebp+var_1C]
		push	eax
		push	1
		add	ecx, ebx
		xor	edx, edx
		call	_EtwpUpdateLevelKwFilter@16 ; EtwpUpdateLevelKwFilter(x,x,x,x)
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_C], eax

loc_7F0536:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+63Fj
					; EtwpUpdateFilterData(x,x,x,x,x)+647j
		mov	edx, 80000100h
		and	ecx, edx
		cmp	ecx, edx
		jnz	short loc_7F055D
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jz	short loc_7F055D
		mov	eax, [esi+160h]
		add	eax, 28h
		add	eax, ebx
		xor	ecx, ecx
		xchg	ecx, [eax]
		mov	[ebp+var_14], ecx
		jmp	short loc_7F0560
; 

loc_7F055D:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+66Dj
					; EtwpUpdateFilterData(x,x,x,x,x)+675j
		mov	ecx, [ebp+var_14]

loc_7F0560:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+689j
		mov	eax, [esi+160h]
		add	eax, ebx
		xchg	edi, [eax]
		jmp	short loc_7F056F
; 

loc_7F056C:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+1D0j
		mov	ecx, [ebp+var_14]

loc_7F056F:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+1E8j
					; EtwpUpdateFilterData(x,x,x,x,x)+698j
		cmp	[ebp+var_24], 0
		mov	edi, [ebp+var_20]
		mov	esi, [ebp+var_18]
		mov	ebx, [ebp+var_10]
		jnz	short loc_7F0593
		test	edi, edi
		jnz	short loc_7F0593
		test	esi, esi
		jnz	short loc_7F0593
		test	ebx, ebx
		jnz	short loc_7F0593
		cmp	[ebp+var_1C], ebx
		jnz	short loc_7F0593
		test	ecx, ecx
		jz	short loc_7F05F8

loc_7F0593:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+6AAj
					; EtwpUpdateFilterData(x,x,x,x,x)+6AEj	...
		push	0
		push	offset _KeAbCrossThreadDeleteNopDpcRoutine@16 ;	KeAbCrossThreadDeleteNopDpcRoutine(x,x,x,x)
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_7F05AE
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F05AE:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+6D2j
		test	edi, edi
		jz	short loc_7F05BA
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F05BA:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+6DEj
		test	esi, esi
		jz	short loc_7F05C5
		mov	ecx, esi
		call	_EtwpFreeEventNameFilter@4 ; EtwpFreeEventNameFilter(x)

loc_7F05C5:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+6EAj
		test	ebx, ebx
		jz	short loc_7F05D0
		mov	ecx, ebx
		call	_EtwpFreeEventNameFilter@4 ; EtwpFreeEventNameFilter(x)

loc_7F05D0:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+6F5j
		cmp	[ebp+var_1C], 0
		jz	short loc_7F05E0
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F05E0:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+702j
		mov	ecx, [ebp+var_14]
		test	ecx, ecx
		jz	short loc_7F05F8
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		jnz	short loc_7F05F8
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F05F8:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+6BFj
					; EtwpUpdateFilterData(x,x,x,x,x)+713j	...
		mov	eax, [ebp+var_C]

loc_7F05FB:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+210j
					; EtwpUpdateFilterData(x,x,x,x,x)+732j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7F0602:				; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+58j
		mov	eax, ecx
		jmp	short loc_7F05FB
_EtwpUpdateFilterData@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpUpdateGuidEnableInfo proc near	; CODE XREF: EtwpEnableGuid+2A2p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0091115B SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		lea	esi, [edx+48h]
		mov	[ebp+var_C], edx
		mov	eax, [esi]
		mov	ebx, ecx
		mov	[ebp+var_8], ebx
		push	edi
		cmp	eax, 1
		jnz	loc_7F084F
		mov	al, [edx+70h]
		xor	al, [ebx+3Bh]
		and	al, 1
		xor	[ebx+3Bh], al
		mov	al, [edx+6Bh]
		mov	cl, [ebx+3Bh]
		add	al, al
		and	cl, 1
		or	al, cl
		mov	[ebx+3Bh], al
		mov	ax, [edx+68h]
		mov	[ebx+38h], ax
		mov	al, [edx+6Ah]
		mov	[ebx+3Ah], al
		mov	eax, [ebp+arg_0]
		mov	[ebx+30h], eax
		mov	eax, [ebp+arg_4]
		mov	[ebx+34h], eax

loc_7F065C:				; CODE XREF: EtwpUpdateGuidEnableInfo+24Bj
					; EtwpUpdateGuidEnableInfo+259j ...
		xor	edi, edi
		lea	ecx, [ebx+66h]
		mov	eax, edi
		mov	[ebp+arg_4], eax

loc_7F0666:				; CODE XREF: EtwpUpdateGuidEnableInfo+73j
		cmp	[ecx-6], edi
		jnz	loc_7F0763

loc_7F066F:				; CODE XREF: EtwpUpdateGuidEnableInfo+169j
		inc	eax
		add	ecx, 20h
		mov	[ebp+arg_4], eax
		cmp	eax, 8
		jb	short loc_7F0666
		cmp	[esi], edi
		jz	loc_7F0883
		mov	eax, edi
		lea	ecx, [ebx+60h]
		mov	[ebp+arg_4], eax

loc_7F068B:				; CODE XREF: EtwpUpdateGuidEnableInfo+272j
		cmp	[ecx], edi
		jnz	loc_7F086E
		lea	edi, [eax+3]
		xor	eax, eax
		shl	edi, 5
		push	8
		add	edi, ebx
		mov	[ebp+var_2C], eax
		mov	dl, byte ptr [ebp+var_2C]
		pop	ecx
		rep movsd
		mov	esi, eax
		mov	[ebp+var_30], eax
		push	8
		mov	[ebp+var_24], eax
		lea	ecx, [ebx+64h]
		mov	[ebp+var_20], eax
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_1C], eax
		mov	ebx, esi
		pop	eax
		mov	[ebp+var_28], esi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_4], eax

loc_7F06CD:				; CODE XREF: EtwpUpdateGuidEnableInfo+D6j
		cmp	dword ptr [ecx-4], 0
		jnz	short loc_7F0731

loc_7F06D3:				; CODE XREF: EtwpUpdateGuidEnableInfo+158j
		add	ecx, 20h
		sub	eax, 1
		mov	[ebp+var_4], eax
		jnz	short loc_7F06CD
		mov	ebx, [ebp+var_8]
		xor	eax, eax
		push	8
		pop	ecx
		push	[ebp+arg_8]
		mov	byte ptr [ebp+var_2C], dl
		lea	edi, [ebx+40h]
		mov	edx, [ebp+var_C]
		inc	eax
		mov	[ebp+var_28], esi
		lea	esi, [ebp+var_30]
		rep movsd
		mov	cl, byte ptr [ebp+arg_4]
		shl	al, cl
		cmp	dword ptr [edx+48h], 0
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_4]
		mov	[eax], cl
		setz	al
		movzx	eax, al
		mov	ecx, ebx
		push	eax
		push	edx
		mov	edx, [ebp+arg_4]
		call	_EtwpUpdateFilterData@20 ; EtwpUpdateFilterData(x,x,x,x,x)
		mov	ecx, ebx
		call	EtwpReferenceGuidEntry

loc_7F0728:				; CODE XREF: EtwpUpdateGuidEnableInfo+203j
					; EtwpUpdateGuidEnableInfo+210j
		xor	eax, eax

loc_7F072A:				; CODE XREF: EtwpUpdateGuidEnableInfo+282j
					; EtwpUpdateGuidEnableInfo+120B5Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7F0731:				; CODE XREF: EtwpUpdateGuidEnableInfo+CBj
		mov	al, [ecx]
		mov	[ebp+var_30], 1
		cmp	dl, al
		ja	short loc_7F0740
		mov	dl, al

loc_7F0740:				; CODE XREF: EtwpUpdateGuidEnableInfo+136j
		mov	eax, [ecx+10h]
		or	[ebp+var_1C], eax
		or	ebx, [ecx+0Ch]
		and	edi, [ecx+14h]
		mov	eax, [ecx+18h]
		and	[ebp+var_14], eax
		or	esi, [ecx+4]
		mov	eax, [ebp+var_4]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], edi
		jmp	loc_7F06D3
; 

loc_7F0763:				; CODE XREF: EtwpUpdateGuidEnableInfo+63j
		mov	ax, [ecx]
		cmp	ax, [esi+6]
		jz	short loc_7F0774
		mov	eax, [ebp+arg_4]
		jmp	loc_7F066F
; 

loc_7F0774:				; CODE XREF: EtwpUpdateGuidEnableInfo+164j
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		add	edi, 3
		mov	[ebp+var_2C], eax
		mov	dl, byte ptr [ebp+var_2C]
		shl	edi, 5
		push	8
		add	edi, ebx
		mov	[ebp+var_20], eax
		pop	ecx
		rep movsd
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_30], eax
		push	8
		mov	[ebp+var_28], eax
		lea	esi, [ebx+64h]
		mov	ebx, [ebp+var_20]
		xor	ecx, ecx
		mov	[ebp+var_24], eax
		inc	ecx
		mov	[ebp+var_1C], eax
		pop	eax
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_4], eax

loc_7F07B3:				; CODE XREF: EtwpUpdateGuidEnableInfo+1BCj
		cmp	dword ptr [esi-4], 0
		jnz	short loc_7F081B

loc_7F07B9:				; CODE XREF: EtwpUpdateGuidEnableInfo+244j
		add	esi, 20h
		sub	eax, 1
		mov	[ebp+var_4], eax
		jnz	short loc_7F07B3
		mov	ebx, [ebp+var_8]
		lea	esi, [ebp+var_30]
		push	8
		pop	ecx
		push	[ebp+arg_8]
		xor	eax, eax
		mov	byte ptr [ebp+var_2C], dl
		mov	edx, [ebp+var_C]
		lea	edi, [ebx+40h]
		rep movsd
		mov	cl, byte ptr [ebp+arg_4]
		inc	eax
		shl	al, cl
		lea	esi, [edx+48h]
		cmp	dword ptr [esi], 0
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_4]
		mov	[eax], cl
		setz	al
		movzx	eax, al
		mov	ecx, ebx
		push	eax
		push	edx
		mov	edx, [ebp+arg_4]
		call	_EtwpUpdateFilterData@20 ; EtwpUpdateFilterData(x,x,x,x,x)
		cmp	dword ptr [esi], 0
		jnz	loc_7F0728
		mov	ecx, ebx
		call	EtwpUnreferenceGuidEntry
		jmp	loc_7F0728
; 

loc_7F081B:				; CODE XREF: EtwpUpdateGuidEnableInfo+1B1j
		mov	al, [esi]
		mov	[ebp+var_30], ecx
		cmp	dl, al
		ja	short loc_7F0826
		mov	dl, al

loc_7F0826:				; CODE XREF: EtwpUpdateGuidEnableInfo+21Cj
		mov	eax, [esi+10h]
		or	[ebp+var_1C], eax
		mov	eax, [esi+18h]
		and	[ebp+var_14], eax
		mov	eax, [ebp+var_28]
		or	ebx, [esi+0Ch]
		and	edi, [esi+14h]
		or	eax, [esi+4]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_4]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], edi
		jmp	loc_7F07B9
; 

loc_7F084F:				; CODE XREF: EtwpUpdateGuidEnableInfo+1Bj
		test	eax, eax
		jnz	loc_7F065C
		mov	ax, [ebx+38h]
		cmp	ax, [edx+68h]
		jnz	loc_7F065C
		and	byte ptr [ebx+3Bh], 0FEh
		jmp	loc_7F065C
; 

loc_7F086E:				; CODE XREF: EtwpUpdateGuidEnableInfo+87j
		inc	eax
		add	ecx, 20h
		mov	[ebp+arg_4], eax
		cmp	eax, 8
		jb	loc_7F068B
		jmp	loc_91115B
; 

loc_7F0883:				; CODE XREF: EtwpUpdateGuidEnableInfo+77j
		mov	eax, 0C0000225h
		jmp	loc_7F072A
EtwpUpdateGuidEnableInfo endp

; 
		align 2

;  S U B	R O U T	I N E 


EtwpCheckNotificationAccess proc near	; CODE XREF: EtwpValidateEnableNotification+DDp
					; EtwpUpdatePeriodicCaptureState(x,x,x,x)+97p

; FUNCTION CHUNK AT 00911165 SIZE 00000019 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		push	0
		mov	edx, 80h
		call	_EtwpCheckGuidAccess@12	; EtwpCheckGuidAccess(x,x,x)
		test	eax, eax
		js	short loc_7F08D5
		push	0
		mov	edx, 80h
		mov	ecx, esi
		call	_EtwpCheckGuidAccess@12	; EtwpCheckGuidAccess(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7F08D5
		push	10h		; size_t
		push	offset _s_ProviderThreatInt ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_911165

loc_7F08D3:				; CODE XREF: EtwpCheckNotificationAccess+1208EBj
		mov	eax, esi

loc_7F08D5:				; CODE XREF: EtwpCheckNotificationAccess+17j
					; EtwpCheckNotificationAccess+2Bj
		pop	edi
		pop	esi
		pop	ecx
		retn
EtwpCheckNotificationAccess endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnLogPrefetchMetadata	proc near	; CODE XREF: PfSnPrefetchMetadata+30p
					; PfSnPrefetchMetadata+1B5p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 0091117E SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_5C], edx
		mov	esi, offset _ThreadStart
		mov	[ebp+var_58], ebx
		push	edi
		mov	edi, ecx
		cmp	[ebp+arg_0], bl
		jnz	short loc_7F0908
		mov	esi, offset _PfSnEvt_PrefetchMetadata_Stop

loc_7F0908:				; CODE XREF: PfSnLogPrefetchMetadata+27j
		test	edi, edi
		jz	short loc_7F092E
		mov	ecx, dword_6D49E8
		mov	eax, ecx
		mov	edx, dword_6D49EC
		or	eax, edx
		jz	short loc_7F092E
		push	esi
		push	edx
		push	ecx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_91117E

loc_7F092E:				; CODE XREF: PfSnLogPrefetchMetadata+30j
					; PfSnLogPrefetchMetadata+42j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
PfSnLogPrefetchMetadata	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpStartLogger	proc near		; CODE XREF: EtwpStartTrace(x,x)+2Bp
					; EtwStartAutoLogger+901p

var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= byte ptr -6Ch
var_6B		= byte ptr -6Bh
var_6A		= word ptr -6Ah
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009111C2 SIZE 00000403 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0ACh+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+0B8h+var_7C], edx
		lea	edi, [esp+0B8h+var_48]
		mov	[esp+0B8h+var_AC], ecx
		stosd
		xor	ebx, ebx
		push	8
		mov	[esp+0BCh+var_A4], ebx
		mov	[esp+0BCh+var_78], ebx
		stosd
		mov	[esp+0BCh+var_88], ebx
		mov	[esp+0BCh+var_84], ebx
		mov	[esp+0BCh+var_80], ebx
		stosd
		mov	[esp+0BCh+var_90], ebx
		mov	[esp+0BCh+var_8C], ebx
		stosd
		xor	eax, eax
		mov	[esp+0BCh+var_6A], ax
		pop	eax
		mov	[esp+0B8h+var_9C], eax
		lea	eax, [esp+0B8h+var_90]
		push	ebx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [esp+0BCh+var_84]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edi, [esp+0B8h+var_7C]
		mov	edx, [edi+40h]
		mov	ebx, edx
		and	ebx, 9DECE5FFh
		mov	[esp+0B8h+var_94], edx
		mov	[esp+0B8h+var_A0], ebx
		test	bl, 3
		jz	loc_7F1194

loc_7F09D3:				; CODE XREF: EtwpStartLogger+857j
					; EtwpStartLogger+864j
		test	ebx, 40000h
		jnz	loc_9111C2

loc_7F09DF:				; CODE XREF: EtwpStartLogger+12088Cj
		test	ebx, 80000h
		jnz	loc_9111D1

loc_7F09EB:				; CODE XREF: EtwpStartLogger+120897j
					; EtwpStartLogger+1208A7j
		test	ebx, 400h
		jnz	loc_7F140E

loc_7F09F7:				; CODE XREF: EtwpStartLogger+B00j
					; EtwpStartLogger+1208C6j
		mov	eax, ebx
		and	eax, 3
		cmp	al, 3
		jz	loc_7F118A
		mov	ecx, 0C000h
		mov	eax, ebx
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_7F118A
		xor	ecx, ecx
		test	ebx, 700h
		jnz	short loc_7F0A2B
		cmp	[edi+84h], ecx
		jz	loc_7F118A

loc_7F0A2B:				; CODE XREF: EtwpStartLogger+DDj
		mov	eax, ebx
		and	eax, 6
		cmp	al, 6
		jz	loc_7F118A
		push	2
		mov	eax, ebx
		pop	esi
		and	eax, esi
		jz	short loc_7F0A4A
		cmp	[edi+3Ch], ecx
		jz	loc_7F118A

loc_7F0A4A:				; CODE XREF: EtwpStartLogger+FFj
		test	bl, 20h
		jnz	loc_7F117C

loc_7F0A53:				; CODE XREF: EtwpStartLogger+844j
		test	bl, 40h
		jnz	loc_7F1388

loc_7F0A5C:				; CODE XREF: EtwpStartLogger+A58j
					; EtwpStartLogger+A70j
		mov	esi, 0C00000h
		mov	ecx, ebx
		and	ecx, esi
		mov	[esp+0B8h+var_98], ecx
		cmp	ecx, esi
		jz	loc_7F118A
		test	bl, 8
		jnz	loc_7F1221

loc_7F0A7A:				; CODE XREF: EtwpStartLogger+956j
		mov	ecx, 3000000h
		mov	eax, edx
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_7F118A
		mov	ecx, edx
		and	ecx, 400h
		test	edx, 4000000h
		jnz	loc_91120B

loc_7F0A9F:				; CODE XREF: EtwpStartLogger+1208D3j
		test	edx, 10000h
		jnz	loc_7F118A
		mov	eax, [edi+50h]
		and	eax, 4
		or	eax, 0
		jnz	loc_911218

loc_7F0ABA:				; CODE XREF: EtwpStartLogger+1208FFj
		mov	ecx, edi
		call	_EtwpValidateFlagExtension@4 ; EtwpValidateFlagExtension(x)
		mov	esi, eax
		test	esi, esi
		js	loc_911573
		mov	eax, ebx
		xor	edx, edx
		and	eax, 100h
		or	eax, 400h
		shr	eax, 3
		mov	[esp+0B8h+var_94], eax
		cmp	[edi+80h], dx
		jbe	short loc_7F0AF0
		or	eax, 40h
		mov	[esp+0B8h+var_94], eax

loc_7F0AF0:				; CODE XREF: EtwpStartLogger+1A7j
		lea	ecx, [edi+90h]
		cmp	[ecx], dx
		jbe	loc_7F118A
		cmp	[edi+94h], edx
		jz	loc_7F118A
		lea	edx, [esp+0B8h+var_90]
		call	EtwpCaptureString
		mov	esi, eax
		test	esi, esi
		jnz	loc_911573
		mov	ecx, [esp+0B8h+var_AC]
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		lea	edx, [esp+0BCh+var_90]
		call	EtwpLookupLoggerIdByName
		test	eax, eax
		jz	loc_911244
		push	10h		; size_t
		lea	esi, [edi+18h]
		push	offset _GUID_NULL ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7F1208
		lea	edi, [esp+0B8h+var_48]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [esp+0B8h+var_7C]

loc_7F0B5F:				; CODE XREF: EtwpStartLogger+8D6j
		cmp	[esp+0B8h+var_98], 0
		jnz	short loc_7F0B99
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_7F0B8F
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		test	eax, eax
		jnz	loc_7F12D0

loc_7F0B8F:				; CODE XREF: EtwpStartLogger+233j
		or	ebx, (offset loc_7FFFFF+1)

loc_7F0B95:				; CODE XREF: EtwpStartLogger+996j
		mov	[esp+0B8h+var_A0], ebx

loc_7F0B99:				; CODE XREF: EtwpStartLogger+224j
		mov	eax, [esp+0B8h+var_AC]
		push	10h
		pop	esi
		push	esi		; size_t
		mov	eax, [eax+18Ch]
		mov	[esp+0BCh+var_98], eax
		lea	eax, [esp+0BCh+var_48]
		push	offset _SystemTraceControlGuid ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7F14B3
		push	esi		; size_t
		lea	eax, [esp+0BCh+var_48]
		push	offset _CKCLGuid ; void	*
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7F14B3
		push	esi		; size_t
		lea	eax, [esp+0BCh+var_48]
		push	offset _GlobalLoggerGuid ; void	*
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_91124E
		push	esi		; size_t
		mov	esi, offset _AuditLoggerGuid
		lea	eax, [esp+0BCh+var_48]
		push	esi		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7F144B
		push	offset ??_C@_1CE@KHBCIFLE@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAl?$AAo?$AAg?$AA?9?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi@NNGAKEGL@ ; wchar_t *
		push	[esp+0BCh+var_8C] ; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_9112A8

loc_7F0C2F:				; CODE XREF: EtwpStartLogger+12097Cj
		mov	ecx, [esp+0B8h+var_AC]
		push	4
		pop	esi
		mov	eax, [ecx+8]
		cmp	eax, esi
		jbe	short loc_7F0C5F

loc_7F0C3D:				; CODE XREF: EtwpStartLogger+31Dj
		xor	eax, eax
		mov	edx, esi
		push	eax
		call	EtwpAcquireLoggerContextByLoggerId
		mov	[esp+0B8h+var_A4], eax
		test	eax, eax
		jnz	loc_7F114E

loc_7F0C53:				; CODE XREF: EtwpStartLogger+837j
		mov	ecx, [esp+0B8h+var_AC]
		inc	esi
		mov	eax, [ecx+8]
		cmp	esi, eax
		jb	short loc_7F0C3D

loc_7F0C5F:				; CODE XREF: EtwpStartLogger+2FBj
					; EtwpStartLogger+12098Dj
		cmp	esi, eax
		jb	loc_911244
		push	4
		pop	edx
		mov	[esp+0B8h+var_A8], edx
		mov	[esp+0B8h+var_A4], edx
		cmp	eax, edx
		jbe	short loc_7F0CB3
		mov	eax, [esp+0B8h+var_98]
		xor	ebx, ebx
		mov	edi, eax
		inc	ebx
		or	edi, ebx
		lea	esi, [eax+10h]

loc_7F0C84:				; CODE XREF: EtwpStartLogger+361j
		mov	ecx, edi
		mov	eax, ebx
		lock cmpxchg [esi], ecx
		cmp	eax, ebx
		jz	short loc_7F0CA3
		mov	eax, [esp+0B8h+var_AC]
		inc	edx
		add	esi, 4
		mov	[esp+0B8h+var_A4], edx
		mov	eax, [eax+8]
		cmp	edx, eax
		jb	short loc_7F0C84

loc_7F0CA3:				; CODE XREF: EtwpStartLogger+34Ej
		mov	ebx, [esp+0B8h+var_A0]
		mov	edi, [esp+0B8h+var_7C]
		mov	ecx, [esp+0B8h+var_AC]
		mov	[esp+0B8h+var_A8], edx

loc_7F0CB3:				; CODE XREF: EtwpStartLogger+334j
		mov	esi, [ecx+8]
		cmp	edx, esi
		jnb	loc_9112D2
		mov	esi, [esp+0B8h+var_A8]
		xor	edx, edx
		inc	edx

loc_7F0CC5:				; CODE XREF: EtwpStartLogger+B6Ej
		mov	ecx, [ecx+188h]
		mov	ecx, [ecx+esi*4]
		call	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
		lea	edx, [esp+0B8h+var_88]
		lea	ecx, [esp+0B8h+var_48]
		call	_EtwpGetSecurityDescriptorByGuid@8 ; EtwpGetSecurityDescriptorByGuid(x,x)
		mov	edx, [esp+0B8h+var_94]
		xor	eax, eax
		mov	ecx, [esp+0B8h+var_88]
		push	eax
		call	_EtwpAccessCheck@12 ; EtwpAccessCheck(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_91154E
		push	10h		; size_t
		lea	eax, [esp+0BCh+var_48]
		push	eax		; void *
		push	offset _HeapGuid ; void	*
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_91136C
		push	10h		; size_t
		lea	eax, [esp+0BCh+var_48]
		push	eax		; void *
		push	offset _CritSecGuid ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		setnz	al
		lea	eax, ds:1[eax*8]
		mov	[esp+0B8h+var_94], eax
		xor	eax, eax

loc_7F0D3C:				; CODE XREF: EtwpStartLogger+120A32j
		test	dword ptr [edi+40h], 2000000h
		push	8
		pop	esi
		jnz	loc_7F13BB

loc_7F0D4C:				; CODE XREF: EtwpStartLogger+A7Fj
					; EtwpStartLogger+AC9j
		mov	edx, ebx
		lea	ecx, [esp+0B8h+var_90]
		call	EtwpInitLoggerContext
		push	6
		pop	edx
		mov	ecx, edi
		mov	ebx, eax
		call	_EtwpGetFlagExtension@8	; EtwpGetFlagExtension(x,x)
		test	eax, eax
		jnz	loc_91138F

loc_7F0D6B:				; CODE XREF: EtwpStartLogger+120A59j
					; EtwpStartLogger+120A77j
		lea	eax, [esp+0B8h+var_90]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	ebx, ebx
		jz	loc_9113BC
		lea	edi, [ebx+0C8h]
		xor	edx, edx
		lea	esi, [esp+0B8h+var_48]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [esp+0B8h+var_7C]
		mov	eax, [edi+3Ch]
		mov	[ebx+0D8h], eax
		mov	eax, [edi+28h]
		mov	[ebx+7Ch], eax
		mov	eax, [edi+50h]
		and	eax, 2
		or	eax, edx
		jnz	loc_9113C6

loc_7F0DAE:				; CODE XREF: EtwpStartLogger+120A99j
		mov	eax, [edi+50h]
		and	eax, 8
		or	eax, edx
		jnz	loc_9113DE

loc_7F0DBC:				; CODE XREF: EtwpStartLogger+120AA8j
		mov	eax, [edi+44h]
		test	eax, eax
		jnz	loc_7F11F2
		mov	eax, [esp+0B8h+var_A0]
		test	eax, 100h
		jnz	loc_7F11E3

loc_7F0DD6:				; CODE XREF: EtwpStartLogger+8B8j
		mov	eax, [edi+4Ch]
		mov	ecx, eax
		test	eax, eax
		jnz	loc_9113ED

loc_7F0DE3:				; CODE XREF: EtwpStartLogger+120AB7j
					; EtwpStartLogger+120AC2j
		mov	eax, [esp+0B8h+var_A8]
		mov	[ebx+88h], ecx
		lea	ecx, [edi+80h]
		mov	[ebx], eax
		mov	eax, [esp+0B8h+var_AC]
		mov	[ebx+2E4h], eax
		cmp	[ecx], dx
		jbe	short loc_7F0E21
		cmp	[edi+84h], edx
		jz	short loc_7F0E21
		lea	edx, [esp+0B8h+var_84]
		call	EtwpCaptureString
		mov	esi, eax
		test	esi, esi
		js	loc_9114DB
		xor	edx, edx

loc_7F0E21:				; CODE XREF: EtwpStartLogger+4C2j
					; EtwpStartLogger+4CAj
		test	byte ptr [edi+70h], 2
		jnz	loc_7F11B9

loc_7F0E2B:				; CODE XREF: EtwpStartLogger+885j
		test	byte ptr [ebx+0Ch], 8
		mov	eax, [esp+0B8h+var_84]
		push	edx
		jnz	loc_7F129B
		mov	[ebx+64h], eax
		mov	eax, [esp+0BCh+var_80]
		mov	[ebx+68h], eax
		lea	eax, [esp+0BCh+var_84]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_7F0E4E:				; CODE XREF: EtwpStartLogger+985j
		mov	ecx, large fs:124h
		xor	eax, eax
		inc	eax
		mov	[esp+0B8h+var_74], 0Ch
		mov	[esp+0B8h+var_6C], al
		mov	[esp+0B8h+var_6B], al
		lea	eax, [ebx+1F8h]
		push	eax
		xor	eax, eax
		mov	[esp+0BCh+var_70], 2
		push	eax
		lea	eax, [esp+0C0h+var_74]
		push	eax
		push	ecx
		call	_SeCreateClientSecurity@16 ; SeCreateClientSecurity(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9114D3
		test	dword ptr [ebx+0Ch], 100h
		lea	esi, [ebx+258h]
		jnz	loc_7F11FD
		push	0FFFFFFF7h
		pop	eax
		lock and [esi],	eax

loc_7F0EA8:				; CODE XREF: EtwpStartLogger+8C3j
		mov	ecx, [edi+70h]
		test	cl, 2
		jnz	loc_7F11CA

loc_7F0EB4:				; CODE XREF: EtwpStartLogger+893j
		xor	eax, eax
		inc	eax
		test	cl, al
		jnz	loc_7F11D8

loc_7F0EBF:				; CODE XREF: EtwpStartLogger+89Ej
		mov	eax, 4000h
		test	ecx, eax
		jnz	loc_7F1524

loc_7F0ECC:				; CODE XREF: EtwpStartLogger+BE7j
		mov	ecx, ebx
		call	EtwpInitializeTimeStamp
		mov	edx, [esp+0B8h+var_9C]
		push	8
		pop	eax
		cmp	edx, eax
		mov	eax, [esp+0B8h+var_A4]
		mov	[esp+0B8h+var_A8], eax
		jb	loc_7F12E2

loc_7F0EEA:				; CODE XREF: EtwpStartLogger+9EAj
		mov	edx, ebx
		mov	ecx, edi
		call	EtwpCheckForStackTracingExtension
		mov	esi, eax
		test	esi, esi
		js	loc_9114DB
		mov	eax, [edi+34h]
		test	eax, eax
		jz	short loc_7F0F0A
		mov	[ebx+98h], eax

loc_7F0F0A:				; CODE XREF: EtwpStartLogger+5C2j
		mov	eax, [edi+38h]
		test	eax, eax
		jz	short loc_7F0F17
		mov	[ebx+0A4h], eax

loc_7F0F17:				; CODE XREF: EtwpStartLogger+5CFj
		mov	eax, [edi+30h]
		test	eax, eax
		jz	short loc_7F0F31
		mov	ecx, 4000h
		cmp	eax, ecx
		ja	loc_91140E

loc_7F0F2B:				; CODE XREF: EtwpStartLogger+120AD3j
		shl	eax, 0Ah
		mov	[ebx+4], eax

loc_7F0F31:				; CODE XREF: EtwpStartLogger+5DCj
		mov	eax, [edi+50h]
		xor	edx, edx
		and	eax, 4
		or	eax, edx
		jnz	loc_911418

loc_7F0F41:				; CODE XREF: EtwpStartLogger+120AF6j
		lea	ecx, [ebx+64h]
		cmp	[ecx], dx
		jbe	short loc_7F0F7E
		xor	edx, edx
		lea	eax, [ebx+25Ch]
		inc	edx
		lock or	[eax], edx
		mov	eax, large fs:124h
		xor	dl, dl
		mov	ecx, ebx
		mov	[ebx+24h], eax
		call	EtwpCreateLogFile
		mov	esi, eax
		test	esi, esi
		js	loc_9114D3
		mov	eax, [esp+0B8h+var_A4]
		lea	ecx, [ebx+64h]
		mov	[esp+0B8h+var_A8], eax
		xor	edx, edx

loc_7F0F7E:				; CODE XREF: EtwpStartLogger+607j
		mov	eax, [ebx+4]
		mov	esi, 1000h
		cmp	eax, esi
		jb	loc_7F1537

loc_7F0F8E:				; CODE XREF: EtwpStartLogger+C07j
					; EtwpStartLogger+120B07j
		add	eax, 0FFFFFFB8h
		mov	ecx, 0FFFFh
		cmp	eax, ecx
		jnb	loc_7F12DB

loc_7F0F9E:				; CODE XREF: EtwpStartLogger+99Dj
		and	eax, 0FFFFFFF8h
		mov	ecx, ebx
		mov	[ebx+8], eax
		call	EtwpAllocateTraceBufferPool
		mov	esi, eax
		test	esi, esi
		js	loc_91144C
		mov	eax, [ebx+0D8h]
		test	eax, eax
		jz	short loc_7F0FCC
		test	dword ptr [ebx+0Ch], 2000h
		jz	loc_7F11A9

loc_7F0FCC:				; CODE XREF: EtwpStartLogger+67Dj
		xor	esi, esi
		mov	ecx, (offset loc_9FFFFF+1)
		mov	edx, esi

loc_7F0FD5:				; CODE XREF: EtwpStartLogger+874j
		mov	eax, [ebx+0A4h]
		imul	eax, [ebx+4]
		add	eax, eax
		cmp	edx, esi
		jb	loc_7F132F
		ja	short loc_7F0FF3
		cmp	ecx, eax
		jbe	loc_7F132F

loc_7F0FF3:				; CODE XREF: EtwpStartLogger+6A9j
					; EtwpStartLogger+9F3j
		mov	[ebx+140h], ecx
		mov	ecx, ebx
		mov	[ebx+144h], edx
		mov	edx, [esp+0B8h+var_88]
		call	_EtwpInitializeLoggerSecurityDescriptor@8 ; EtwpInitializeLoggerSecurityDescriptor(x,x)
		lea	ecx, [esp+0B8h+var_88]
		mov	esi, eax
		call	_EtwpFreeSecurityDescriptor@4 ;	EtwpFreeSecurityDescriptor(x)
		test	esi, esi
		js	loc_91144C
		mov	eax, [esp+0B8h+var_AC]
		lock inc dword ptr [eax+8C8h]
		mov	ecx, [eax+188h]
		xor	edx, edx
		mov	eax, [esp+0B8h+var_A8]
		inc	edx
		mov	ecx, [ecx+eax*4]
		call	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
		test	dword ptr [ebx+0Ch], 400h
		jnz	short loc_7F10C0
		xor	eax, eax
		mov	[esp+0B8h+var_60], 18h
		mov	[esp+0B8h+var_5C], eax
		mov	[esp+0B8h+var_54], 200h
		mov	[esp+0B8h+var_58], eax
		mov	[esp+0B8h+var_50], eax
		mov	[esp+0B8h+var_4C], eax
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		xor	ecx, ecx
		mov	[esp+0B8h+var_68], eax
		push	ecx
		push	ecx
		lea	eax, [esp+0C0h+var_68]
		mov	[esp+0C0h+var_64], ebx
		push	eax
		push	offset _EtwpLogger@4 ; EtwpLogger(x)
		push	ecx
		push	ecx
		lea	eax, [esp+0D0h+var_60]
		push	eax
		push	1FFFFFh
		lea	eax, [esp+0D8h+var_78]
		push	eax
		call	PsCreateSystemThreadEx
		mov	esi, eax
		test	esi, esi
		js	loc_911458
		push	[esp+0B8h+var_78]
		call	_ZwClose@4	; ZwClose(x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebx+164h]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, eax

loc_7F10C0:				; CODE XREF: EtwpStartLogger+704j
		push	offset _ETW_EVENT_START_TRACE
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_911491

loc_7F10DE:				; CODE XREF: EtwpStartLogger+120B5Fj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebx+1D0h]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+0B8h+var_A8]
		mov	ecx, ebx
		mov	edx, [esp+0B8h+var_98]
		lea	eax, [edx+eax*4]
		xchg	ecx, [eax]
		xor	eax, eax
		mov	ecx, ebx
		push	eax
		push	5
		pop	edx
		call	_EtwpSendSessionNotification@12	; EtwpSendSessionNotification(x,x,x)
		test	dword ptr [ebx+0Ch], 2000000h
		jnz	loc_7F1338

loc_7F1119:				; CODE XREF: EtwpStartLogger+A3Dj
					; EtwpStartLogger+120B75j
		mov	eax, [esp+0B8h+var_94]
		cmp	al, 9
		jnz	loc_9114BD

loc_7F1125:				; CODE XREF: EtwpStartLogger+120B8Ej
		mov	edx, ebx
		mov	ecx, edi
		call	EtwpGetLoggerInfoFromContext
		mov	dl, 1
		mov	ecx, ebx
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_7F1137:				; CODE XREF: EtwpStartLogger+120B4Cj
					; EtwpStartLogger+120C80j
		mov	ecx, [esp+0B8h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7F114E:				; CODE XREF: EtwpStartLogger+30Dj
		push	10h		; size_t
		lea	ecx, [esp+0BCh+var_48]
		push	ecx		; void *
		lea	ecx, [eax+0C8h]
		push	ecx		; void *
		call	_memcmp
		mov	ecx, [esp+0C4h+var_A4]
		add	esp, 0Ch
		xor	dl, dl
		test	eax, eax
		jz	loc_9112C1
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		jmp	loc_7F0C53
; 

loc_7F117C:				; CODE XREF: EtwpStartLogger+10Dj
		cmp	[edi+3Ch], ecx
		jz	short loc_7F118A
		test	dl, 0Ch
		jz	loc_7F0A53

loc_7F118A:				; CODE XREF: EtwpStartLogger+BEj
					; EtwpStartLogger+CFj ...
		mov	esi, 0C000000Dh
		jmp	loc_911573
; 

loc_7F1194:				; CODE XREF: EtwpStartLogger+8Dj
		test	bl, 0Ch
		jz	loc_7F09D3
		or	ebx, 1
		mov	[esp+0B8h+var_A0], ebx
		jmp	loc_7F09D3
; 

loc_7F11A9:				; CODE XREF: EtwpStartLogger+686j
		mov	ecx, 100000h
		mul	ecx
		xor	esi, esi
		mov	ecx, eax
		jmp	loc_7F0FD5
; 

loc_7F11B9:				; CODE XREF: EtwpStartLogger+4E5j
		mov	eax, [edi+60h]
		mov	[ebx+0DCh], eax
		mov	[edi+60h], edx
		jmp	loc_7F0E2B
; 

loc_7F11CA:				; CODE XREF: EtwpStartLogger+56Ej
		push	2
		pop	eax
		lock or	[esi], eax
		mov	ecx, [edi+70h]
		jmp	loc_7F0EB4
; 

loc_7F11D8:				; CODE XREF: EtwpStartLogger+579j
		lock or	[esi], eax
		mov	ecx, [edi+70h]
		jmp	loc_7F0EBF
; 

loc_7F11E3:				; CODE XREF: EtwpStartLogger+490j
		and	al, 10h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3E7h
		inc	eax

loc_7F11F2:				; CODE XREF: EtwpStartLogger+481j
		mov	[ebx+84h], eax
		jmp	loc_7F0DD6
; 

loc_7F11FD:				; CODE XREF: EtwpStartLogger+55Cj
		push	8
		pop	eax
		lock or	[esi], eax
		jmp	loc_7F0EA8
; 

loc_7F1208:				; CODE XREF: EtwpStartLogger+20Dj
		lea	eax, [esp+0B8h+var_48]
		push	eax
		call	ExUuidCreate
		mov	esi, eax
		test	esi, esi
		jns	loc_7F0B5F
		jmp	loc_911573
; 

loc_7F1221:				; CODE XREF: EtwpStartLogger+134j
		xor	ecx, ecx
		cmp	[edi+84h], ecx
		jz	loc_7F118A
		test	eax, eax
		jnz	loc_7F118A
		cmp	[edi+3Ch], ecx
		jz	loc_7F118A
		test	byte ptr [edi+70h], 2
		jnz	loc_7F118A
		test	edx, 2000000h
		jnz	loc_7F118A
		push	10h		; size_t
		lea	esi, [edi+18h]
		push	offset _SystemTraceControlGuid ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7F118A
		push	10h		; size_t
		push	offset _CKCLGuid ; void	*
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7F118A
		test	bl, 4
		jnz	loc_7F118A
		mov	edx, [esp+0B8h+var_94]
		jmp	loc_7F0A7A
; 

loc_7F129B:				; CODE XREF: EtwpStartLogger+4F4j
		mov	[ebx+6Ch], eax
		mov	eax, [esp+0BCh+var_80]
		mov	[ebx+70h], eax
		lea	eax, [esp+0BCh+var_84]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebx+64h]
		push	eax
		lea	edx, [ebx+0DCh]
		lea	ecx, [ebx+6Ch]
		call	EtwpGenerateFileName
		mov	esi, eax
		test	esi, esi
		jns	loc_7F0E4E
		jmp	loc_9114DB
; 

loc_7F12D0:				; CODE XREF: EtwpStartLogger+249j
		or	ebx, 400000h
		jmp	loc_7F0B95
; 

loc_7F12DB:				; CODE XREF: EtwpStartLogger+658j
		mov	eax, ecx
		jmp	loc_7F0F9E
; 

loc_7F12E2:				; CODE XREF: EtwpStartLogger+5A4j
		or	dword ptr [ebx+0Ch], 2000000h
		xor	ecx, ecx
		inc	ecx
		mov	[ebx+25Ah], dl
		cmp	edx, ecx
		jbe	loc_7F152C

loc_7F12FA:				; CODE XREF: EtwpStartLogger+BF2j
		mov	edx, [esp+0B8h+var_AC]
		mov	esi, [esp+0B8h+var_9C]
		mov	[edx+esi*2+914h], al
		mov	eax, [ebx+7Ch]
		dec	eax
		cmp	eax, 4
		jnb	loc_911407
		mov	al, [ebx+7Ch]

loc_7F1319:				; CODE XREF: EtwpStartLogger+120AC9j
		mov	[edx+esi*2+915h], al
		lea	eax, [edx+924h]
		lock bts [eax],	esi
		jmp	loc_7F0EEA
; 

loc_7F132F:				; CODE XREF: EtwpStartLogger+6A3j
					; EtwpStartLogger+6ADj
		mov	ecx, eax
		mov	edx, esi
		jmp	loc_7F0FF3
; 

loc_7F1338:				; CODE XREF: EtwpStartLogger+7D3j
		mov	eax, [esp+0B8h+var_AC]
		cmp	eax, ds:_EtwpHostSiloState
		jnz	short loc_7F1370
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	EtwpCheckForPoolTagFilterExtension
		mov	esi, eax
		test	esi, esi
		js	loc_9114A4
		imul	eax, [esp+0B8h+var_9C],	14h
		add	eax, offset _EtwpObjectTypeFilter
		xor	edx, edx
		mov	dword ptr [eax+4], 2Ah
		inc	edx
		mov	[eax], dx

loc_7F1370:				; CODE XREF: EtwpStartLogger+A02j
		mov	edx, edi
		mov	ecx, ebx
		call	EtwpUpdateLoggerGroupMasks
		mov	esi, eax
		test	esi, esi
		jns	loc_7F1119
		jmp	loc_9114A4
; 

loc_7F1388:				; CODE XREF: EtwpStartLogger+116j
		test	byte ptr [edi+70h], 2
		jz	loc_7F118A
		test	ebx, 402h
		jnz	loc_7F0A5C
		test	ebx, 100h
		jz	loc_7F118A
		cmp	[edi+84h], ecx
		jz	loc_7F0A5C
		jmp	loc_7F118A
; 

loc_7F13BB:				; CODE XREF: EtwpStartLogger+406j
		cmp	[esp+0B8h+var_9C], esi
		jnz	loc_7F0D4C
		push	eax
		mov	edx, 80h
		mov	ecx, offset _SystemTraceControlGuid
		call	_EtwpCheckGuidAccess@12	; EtwpCheckGuidAccess(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_91154E
		mov	esi, [esp+0B8h+var_AC]
		push	2
		pop	eax
		push	8
		mov	[esp+0BCh+var_9C], eax
		pop	ecx

loc_7F13ED:				; CODE XREF: EtwpStartLogger+120A3Aj
		bt	[esi+924h], eax
		jb	loc_911377

loc_7F13FA:				; CODE XREF: EtwpStartLogger+120A40j
		mov	[esp+0B8h+var_9C], eax
		cmp	eax, ecx
		jz	loc_911385
		push	8
		pop	esi
		jmp	loc_7F0D4C
; 

loc_7F140E:				; CODE XREF: EtwpStartLogger+B1j
		xor	eax, eax
		cmp	[edi+84h], eax
		jnz	loc_7F118A
		test	ebx, 4000Fh
		jnz	loc_7F118A
		test	ebx, 100h
		jnz	loc_9111EC

loc_7F1434:				; CODE XREF: EtwpStartLogger+1208B6j
		cmp	[edi+44h], eax
		jnz	loc_9111FB

loc_7F143D:				; CODE XREF: EtwpStartLogger+1208BEj
		cmp	[edi+4Ch], eax
		jz	loc_7F09F7
		jmp	loc_911203
; 

loc_7F144B:				; CODE XREF: EtwpStartLogger+2D1j
		push	3
		pop	esi
		mov	[esp+0B8h+var_A8], esi
		mov	[esp+0B8h+var_A4], esi
		test	ebx, 1000000h
		jnz	loc_7F118A
		lea	eax, [esp+0B8h+var_90]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	offset ??_C@_1CE@KHBCIFLE@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAl?$AAo?$AAg?$AA?9?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi@NNGAKEGL@ ; void	*
		lea	eax, [esp+0BCh+var_90]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	loc_911362
		mov	eax, [esp+0B8h+var_98]
		or	ebx, 80h
		mov	[esp+0B8h+var_A0], ebx
		lea	edx, [eax+0Ch]

loc_7F1494:				; CODE XREF: EtwpStartLogger+BDFj
					; EtwpStartLogger+120963j
		mov	ecx, eax
		xor	eax, eax
		inc	eax
		or	ecx, eax
		lock cmpxchg [edx], ecx
		xor	edx, edx
		inc	edx
		cmp	eax, edx
		jnz	loc_911244
		mov	ecx, [esp+0B8h+var_AC]
		jmp	loc_7F0CC5
; 

loc_7F14B3:				; CODE XREF: EtwpStartLogger+27Fj
					; EtwpStartLogger+29Aj
		lea	eax, [esp+0B8h+var_90]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	esi		; size_t
		lea	eax, [esp+0BCh+var_48]
		push	offset _SystemTraceControlGuid ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_911350
		xor	edx, edx
		mov	eax, offset ??_C@_1DO@EIIFEDGL@?$AAC?$AAi?$AAr?$AAc?$AAu?$AAl?$AAa?$AAr?$AA?5?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl@NNGAKEGL@
		push	2
		inc	edx
		pop	esi
		mov	[esp+0B8h+var_9C], edx

loc_7F14E7:				; CODE XREF: EtwpStartLogger+120A1Dj
		push	eax		; void *
		lea	eax, [esp+0BCh+var_90]
		mov	[esp+0BCh+var_A4], esi
		push	eax		; int
		mov	[esp+0C0h+var_A8], esi
		call	RtlCreateUnicodeString
		test	al, al
		jz	loc_911362
		or	ebx, 80h
		mov	[esp+0B8h+var_A0], ebx
		test	ebx, 1000000h
		jnz	loc_7F118A
		mov	eax, [esp+0B8h+var_98]
		lea	edx, [eax+esi*4]
		jmp	loc_7F1494
; 

loc_7F1524:				; CODE XREF: EtwpStartLogger+586j
		lock or	[esi], eax
		jmp	loc_7F0ECC
; 

loc_7F152C:				; CODE XREF: EtwpStartLogger+9B4j
		push	20h
		pop	edx
		lock or	[esi], edx
		jmp	loc_7F12FA
; 

loc_7F1537:				; CODE XREF: EtwpStartLogger+648j
		cmp	[ecx], dx
		ja	loc_91143B
		test	dword ptr [ebx+0Ch], 400h
		jz	loc_7F0F8E
		jmp	loc_91143B
EtwpStartLogger	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpLookupLoggerIdByName proc near	; CODE XREF: EtwpStartLogger+1EBp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009115C5 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		xor	esi, esi
		mov	eax, 0C0000296h
		push	edi
		cmp	[ebx+8], esi
		jbe	short loc_7F1589

loc_7F156D:				; CODE XREF: EtwpLookupLoggerIdByName+30j
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jnz	short loc_7F1590

loc_7F157E:				; CODE XREF: EtwpLookupLoggerIdByName+5Dj
		inc	esi
		cmp	esi, [ebx+8]
		jb	short loc_7F156D
		mov	eax, 0C0000296h

loc_7F1589:				; CODE XREF: EtwpLookupLoggerIdByName+19j
					; EtwpLookupLoggerIdByName+12007Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7F1590:				; CODE XREF: EtwpLookupLoggerIdByName+2Aj
		push	1
		push	[ebp+var_4]
		lea	eax, [edi+5Ch]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		xor	dl, dl
		mov	ecx, edi
		test	al, al
		jnz	loc_9115C5
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		jmp	short loc_7F157E
EtwpLookupLoggerIdByName endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall EtwpEnableDisableSpecialGuids(int,void	*,int,int,int,int,int,int)
EtwpEnableDisableSpecialGuids proc near	; CODE XREF: EtwpEnableGuid+138p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 009115D6 SIZE 000000C3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_14]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		push	2
		mov	byte ptr [eax],	1
		mov	edi, ecx
		mov	eax, [ebp+arg_4]
		pop	esi
		mov	[ebp+var_4], edx
		mov	byte ptr [ebp+var_8], bl
		cmp	eax, esi
		jz	short loc_7F1642
		cmp	eax, 1
		jz	short loc_7F163C
		test	eax, eax
		jnz	short loc_7F165A
		mov	byte ptr [ebp+arg_8+3],	al

loc_7F15E4:				; CODE XREF: EtwpEnableDisableSpecialGuids+8Ej
		xor	eax, eax
		mov	[ebp+arg_4], eax

loc_7F15E9:				; CODE XREF: EtwpEnableDisableSpecialGuids+5Ej
		push	10h		; size_t
		push	edx		; void *
		push	ds:_EtwpUmglProviders[eax*8] ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		mov	eax, [ebp+arg_4]
		jz	loc_91167B
		mov	edx, [ebp+var_4]
		inc	eax
		mov	[ebp+arg_4], eax
		cmp	eax, 0Ah
		jb	short loc_7F15E9
		push	10h		; size_t
		push	edx		; void *
		push	offset _KernelRundownGuid ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_911615
		mov	eax, [ebp+arg_14]
		mov	byte ptr [eax],	0

loc_7F1630:				; CODE XREF: EtwpEnableDisableSpecialGuids+AEj
		mov	eax, 0C0000225h

loc_7F1635:				; CODE XREF: EtwpEnableDisableSpecialGuids+120057j
					; EtwpEnableDisableSpecialGuids+12005Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7F163C:				; CODE XREF: EtwpEnableDisableSpecialGuids+29j
		mov	byte ptr [ebp+arg_8+3],	1
		jmp	short loc_7F15E4
; 

loc_7F1642:				; CODE XREF: EtwpEnableDisableSpecialGuids+24j
		push	10h		; size_t
		push	edx		; void *
		push	offset _SystemTraceControlGuid ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_9115D6

loc_7F165A:				; CODE XREF: EtwpEnableDisableSpecialGuids+2Dj
					; EtwpEnableDisableSpecialGuids+12002Aj
		mov	ebx, [ebp+arg_14]
		mov	byte ptr [ebx],	0
		jmp	short loc_7F1630
EtwpEnableDisableSpecialGuids endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpValidateEnableNotification proc near ; CODE	XREF: EtwpEnableGuid+CFp

var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00911699 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	esi
		xor	esi, esi
		push	edi
		cmp	dword ptr [ebx+4], 78h
		mov	[eax], esi
		jb	loc_7F178C
		cmp	[ebx+74h], esi
		ja	loc_7F179A

loc_7F168A:				; CODE XREF: EtwpValidateEnableNotification+144j
		mov	eax, [ebx+48h]
		test	eax, eax
		jnz	loc_7F175C

loc_7F1695:				; CODE XREF: EtwpValidateEnableNotification+FDj
					; EtwpValidateEnableNotification+106j
		movzx	edi, word ptr [ebx+4Eh]
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		and	ecx, 8000h
		setnz	al
		mov	[edx+12h], al
		test	ecx, ecx
		jnz	loc_9116B5
		cmp	edi, 3
		jz	loc_7F1793
		lea	eax, [ebx+28h]
		push	10h		; size_t
		push	eax		; void *
		push	offset _PrivateLoggerNotificationGuid ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7F178C
		push	esi
		mov	esi, [ebp+var_4]
		mov	edx, edi
		mov	ecx, esi
		call	EtwpAcquireLoggerContextByLoggerId
		test	eax, eax
		jz	loc_9116AB
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		cmp	esi, ds:_EtwpHostSiloState
		jnz	loc_911699

loc_7F16FC:				; CODE XREF: EtwpValidateEnableNotification+120044j
		test	byte ptr [ebx+50h], 20h
		jnz	short loc_7F177F

loc_7F1702:				; CODE XREF: EtwpValidateEnableNotification+124j
		test	byte ptr [eax+258h], 40h
		jnz	loc_9116AB
		mov	ecx, [ebp+arg_4]
		lea	esi, [eax+0C8h]
		mov	edi, ecx
		movsd
		movsd
		movsd
		movsd
		mov	edx, [eax+0Ch]
		test	dl, dl
		jns	short loc_7F172C
		mov	byte ptr [ecx+10h], 1
		mov	edx, [eax+0Ch]

loc_7F172C:				; CODE XREF: EtwpValidateEnableNotification+C1j
		test	edx, 1000000h
		jnz	short loc_7F1770

loc_7F1734:				; CODE XREF: EtwpValidateEnableNotification+112j
		cmp	[ebp+arg_0], 0
		jz	short loc_7F1776
		mov	edx, ecx
		lea	ecx, [ebx+28h]
		call	EtwpCheckNotificationAccess
		mov	esi, eax

loc_7F1746:				; CODE XREF: EtwpValidateEnableNotification+116j
					; EtwpValidateEnableNotification+12004Ej
		mov	eax, [ebx+50h]

loc_7F1749:				; CODE XREF: EtwpValidateEnableNotification+120069j
		test	al, 10h
		jnz	short loc_7F177A
		or	eax, 40h

loc_7F1750:				; CODE XREF: EtwpValidateEnableNotification+11Bj
		mov	[ebx+50h], eax
		mov	eax, esi

loc_7F1755:				; CODE XREF: EtwpValidateEnableNotification+12Fj
					; EtwpValidateEnableNotification+136j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7F175C:				; CODE XREF: EtwpValidateEnableNotification+2Dj
		cmp	eax, 1
		jz	loc_7F1695
		cmp	eax, 2
		jz	loc_7F1695
		jmp	short loc_7F178C
; 

loc_7F1770:				; CODE XREF: EtwpValidateEnableNotification+D0j
		mov	byte ptr [ecx+11h], 1
		jmp	short loc_7F1734
; 

loc_7F1776:				; CODE XREF: EtwpValidateEnableNotification+D6j
		xor	esi, esi
		jmp	short loc_7F1746
; 

loc_7F177A:				; CODE XREF: EtwpValidateEnableNotification+E9j
		and	eax, 0FFFFFFEFh
		jmp	short loc_7F1750
; 

loc_7F177F:				; CODE XREF: EtwpValidateEnableNotification+9Ej
		test	dword ptr [eax+0Ch], 1030800h
		jz	loc_7F1702

loc_7F178C:				; CODE XREF: EtwpValidateEnableNotification+19j
					; EtwpValidateEnableNotification+6Ej ...
		mov	eax, 0C000000Dh
		jmp	short loc_7F1755
; 

loc_7F1793:				; CODE XREF: EtwpValidateEnableNotification+53j
		mov	eax, 0C0000022h
		jmp	short loc_7F1755
; 

loc_7F179A:				; CODE XREF: EtwpValidateEnableNotification+22j
		mov	edx, [ebp+arg_C]
		mov	ecx, ebx
		call	_EtwpValidateFilterDescriptors@8 ; EtwpValidateFilterDescriptors(x,x)
		test	eax, eax
		jz	loc_7F168A
		jmp	short loc_7F178C
EtwpValidateEnableNotification endp


;  S U B	R O U T	I N E 


EtwpFreeFilterInfo proc	near		; CODE XREF: EtwpNotifyGuid(x,x,x)+38Cp
					; EtwpEnableGuid+334p

; FUNCTION CHUNK AT 009116D0 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi

loc_7F17B7:				; CODE XREF: EtwpFreeFilterInfo+18j
		mov	eax, [edi+esi*4]
		test	eax, eax
		jnz	loc_9116D0

loc_7F17C2:				; CODE XREF: EtwpFreeFilterInfo+11FF2Aj
		inc	esi
		cmp	esi, 4
		jb	short loc_7F17B7
		push	2
		lea	esi, [edi+10h]
		pop	ebx

loc_7F17CE:				; CODE XREF: EtwpFreeFilterInfo+30j
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_9116DD

loc_7F17D8:				; CODE XREF: EtwpFreeFilterInfo+11FF37j
		add	esi, 4
		sub	ebx, 1
		jnz	short loc_7F17CE
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jnz	short loc_7F17F6

loc_7F17E7:				; CODE XREF: EtwpFreeFilterInfo+4Dj
		mov	eax, [edi+24h]
		pop	edi
		pop	esi
		pop	ebx
		test	eax, eax
		jnz	loc_9116EA
		retn
; 

loc_7F17F6:				; CODE XREF: EtwpFreeFilterInfo+37j
		call	_EtwpFreeEventNameFilter@4 ; EtwpFreeEventNameFilter(x)
		jmp	short loc_7F17E7
EtwpFreeFilterInfo endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpUpdateRegEntryEnableMask proc near	; CODE XREF: EtwpEnableGuid+4C5p
					; EtwpDisallowedGuidRemoval(x,x)+192p

var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_3		= dword	ptr  0Bh
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009116F3 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		mov	esi, ecx
		mov	ecx, [ebp+arg_8]
		push	edi
		cmp	byte ptr [ebp+arg_3+1],	bl
		jnz	loc_9116F3
		test	cl, cl
		setnz	bl
		lea	ebx, ds:34h[ebx*2]

loc_7F1826:				; CODE XREF: EtwpUpdateRegEntryEnableMask+11FF01j
		cmp	[ebp+arg_C], 1
		jnz	short loc_7F1870
		mov	al, [ebp+arg_0]
		mov	dl, 1
		mov	byte ptr [ebp+arg_8+3],	al
		mov	byte ptr [ebp+arg_3], al
		lea	eax, [ebp+arg_3]
		push	eax
		push	ecx
		push	[ebp+arg_3+1]
		mov	ecx, esi
		call	EtwpApplyScopeFilters
		lea	edi, [esi+32h]
		movzx	eax, word ptr [edi]
		test	al, 8
		jnz	short loc_7F1886
		test	eax, 400h
		jnz	loc_911704

loc_7F185B:				; CODE XREF: EtwpUpdateRegEntryEnableMask+11FF0Aj
					; EtwpUpdateRegEntryEnableMask+11FF1Cj	...
		mov	al, byte ptr [ebp+arg_8+3]
		not	al
		and	al, [ebx+esi]
		or	al, byte ptr [ebp+arg_3]
		mov	[ebx+esi], al

loc_7F1869:				; CODE XREF: EtwpUpdateRegEntryEnableMask+76j
					; EtwpUpdateRegEntryEnableMask+7Cj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7F1870:				; CODE XREF: EtwpUpdateRegEntryEnableMask+2Cj
		cmp	[ebp+arg_C], 0
		jnz	short loc_7F1869
		test	byte ptr [esi+32h], 8
		jnz	short loc_7F1869
		mov	al, [ebp+arg_0]
		not	al
		and	[ebx+esi], al
		jmp	short loc_7F1869
; 

loc_7F1886:				; CODE XREF: EtwpUpdateRegEntryEnableMask+50j
		mov	al, byte ptr [ebp+arg_3]
		mov	[esi+34h], al
		jmp	short loc_7F1869
EtwpUpdateRegEntryEnableMask endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpCalculateUpdateNotification	proc near ; CODE XREF: EtwpEnableGuid+4ECp
					; EtwpDisallowedGuidAddition(x,x)+1B5p	...

Source1		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_82		= word ptr -82h
Source2		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0091172E SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	dh, [ebp+arg_8]
		mov	ah, dl
		push	ebx
		push	esi
		mov	esi, [ebp+arg_14]
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_88], esi
		push	edi
		test	dh, dh
		jnz	loc_911739
		cmp	[ebp+arg_C], cl
		jnz	loc_91172E
		mov	al, [ebx+34h]
		mov	dl, [ebx+36h]

loc_7F18CF:				; CODE XREF: EtwpCalculateUpdateNotification+11FEA6j
					; EtwpCalculateUpdateNotification+11FEBAj
		mov	di, [ebx+32h]
		and	di, 8
		mov	[ebp+var_82], di
		jnz	loc_7F19D8
		test	[ebp+arg_0], ah
		jz	loc_7F19CE

loc_7F18ED:				; CODE XREF: EtwpCalculateUpdateNotification+142j
		cmp	[ebp+arg_4], al
		jnz	short loc_7F191A
		cmp	dh, 2
		jz	short loc_7F191A
		test	dl, dl
		jnz	short loc_7F191A
		cmp	[ebx+35h], cl
		jnz	short loc_7F191A
		cmp	[ebx+37h], cl
		jnz	short loc_7F191A

loc_7F1905:				; CODE XREF: EtwpCalculateUpdateNotification+14Cj
					; EtwpCalculateUpdateNotification+11FEC3j
		mov	[esi], ecx

loc_7F1907:				; CODE XREF: EtwpCalculateUpdateNotification+11Aj
					; EtwpCalculateUpdateNotification+133j
		mov	al, 1

loc_7F1909:				; CODE XREF: EtwpCalculateUpdateNotification+13Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_7F191A:				; CODE XREF: EtwpCalculateUpdateNotification+62j
					; EtwpCalculateUpdateNotification+67j ...
		push	78h		; size_t
		push	ecx		; int
		lea	eax, [ebp+Source2]
		push	eax		; void *
		call	_memset
		mov	eax, [esi]
		lea	edi, [ebp+Source2]
		add	esp, 0Ch
		mov	dl, [ebx+34h]
		mov	esi, eax
		mov	[ebp+Source1], eax
		push	12h
		pop	ecx
		rep movsd
		mov	ecx, [ebx+10h]
		lea	edi, [ebp+var_58]
		mov	[ebp+var_78], 1
		push	78h
		lea	esi, [ecx+14h]
		movsd
		movsd
		movsd
		movsd
		pop	esi
		mov	[ebp+var_7C], esi
		call	EtwpGetSchematizedFilterSize
		test	eax, eax
		jnz	loc_911765

loc_7F1965:				; CODE XREF: EtwpCalculateUpdateNotification+11FEDFj
		lea	edx, [ebp+var_38]
		mov	ecx, ebx
		call	EtwpComputeRegEntryEnableInfo
		cmp	[ebp+var_82], 0
		jnz	loc_911772

loc_7F197D:				; CODE XREF: EtwpCalculateUpdateNotification+11FEECj
		mov	ecx, [ebp+Source1]
		test	ecx, ecx
		jz	short loc_7F19F1
		mov	eax, [ecx+4]
		cmp	eax, [ebp+var_7C]
		jnz	short loc_7F19E5
		push	esi		; Length
		lea	eax, [ebp+Source2]
		push	eax		; Source2
		push	ecx		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, esi
		jnz	short loc_7F19E5
		mov	ecx, [ebp+var_88]
		mov	eax, [ecx]

loc_7F19A6:				; CODE XREF: EtwpCalculateUpdateNotification+161j
		test	eax, eax
		jnz	loc_7F1907

loc_7F19AE:				; CODE XREF: EtwpCalculateUpdateNotification+169j
		movzx	eax, byte ptr [ebx+34h]
		lea	edx, [ebp+Source2]
		push	ecx
		mov	ecx, [ebx+10h]
		push	eax
		call	EtwpBuildNotificationPacket
		test	eax, eax
		jns	loc_7F1907

loc_7F19C7:				; CODE XREF: EtwpCalculateUpdateNotification+148j
					; EtwpCalculateUpdateNotification+11FED2j
		xor	al, al
		jmp	loc_7F1909
; 

loc_7F19CE:				; CODE XREF: EtwpCalculateUpdateNotification+59j
		test	al, ah
		jnz	loc_7F18ED
		jmp	short loc_7F19C7
; 

loc_7F19D8:				; CODE XREF: EtwpCalculateUpdateNotification+50j
		test	al, al
		jnz	loc_7F1905
		jmp	loc_91174D
; 

loc_7F19E5:				; CODE XREF: EtwpCalculateUpdateNotification+FFj
					; EtwpCalculateUpdateNotification+10Ej
		mov	ecx, [ebp+var_88]
		xor	eax, eax
		mov	[ecx], eax
		jmp	short loc_7F19A6
; 

loc_7F19F1:				; CODE XREF: EtwpCalculateUpdateNotification+F7j
		mov	ecx, [ebp+var_88]
		jmp	short loc_7F19AE
EtwpCalculateUpdateNotification	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpSendDataBlock proc near		; CODE XREF: EtwpClearSessionAndUnreferenceEntry+271p
					; EtwpNotifyGuid(x,x,x)+2E7p ...

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0091177F SIZE 00000179 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_90]
		mov	ebx, ecx
		mov	esi, edx
		push	6
		pop	ecx
		rep stosd
		movzx	ecx, word ptr [ebx+32h]
		lea	edi, [ebp+var_78]
		stosd
		xor	edx, edx
		mov	[ebp+var_98], esi
		mov	[ebp+var_AC], edx
		mov	[ebp+var_C0], edx
		stosd
		stosd
		stosd
		mov	eax, edx
		mov	[ebp+var_94], eax
		test	cl, 1
		jnz	short loc_7F1A6E
		test	cl, 2
		jz	short loc_7F1A5F
		mov	ecx, [ebx+28h]
		mov	edx, esi
		push	ebx
		call	EtwpQueueNotification

loc_7F1A5F:				; CODE XREF: EtwpSendDataBlock+58j
					; EtwpSendDataBlock+80j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7F1A6E:				; CODE XREF: EtwpSendDataBlock+53j
		mov	ecx, [ebx+28h]
		mov	[ebp+var_B0], ecx
		cmp	[ebx+2Ch], edx
		jz	short loc_7F1A5F
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_A8], edx
		push	eax
		mov	[ebp+var_A4], edx
		mov	[ebp+var_A0], edx
		mov	[ebp+var_9C], edx
		call	KeQueryTickCount
		test	byte ptr [ebx+32h], 10h
		jnz	loc_91177F

loc_7F1AAA:				; CODE XREF: EtwpSendDataBlock+11FDCCj
		cmp	dword ptr [esi], 3
		jnz	loc_91181C
		test	byte ptr [ebx+32h], 8
		jnz	loc_7F1BD8
		mov	edi, [esi+58h]
		mov	eax, [ebx+2Ch]
		mov	cl, [esi+4Ch]
		mov	[ebp+var_BC], edi
		mov	edi, [esi+5Ch]
		mov	[ebp+var_B8], edi
		mov	edi, [esi+60h]
		mov	[ebp+var_CC], eax
		mov	eax, [esi+48h]
		mov	[ebp+var_B4], edi
		mov	edi, [esi+64h]
		mov	[ebp+var_98], edi
		mov	[ebp+var_C8], eax
		test	eax, eax
		jz	loc_7F1BB5

loc_7F1AFE:				; CODE XREF: EtwpSendDataBlock+1D9j
		setz	al
		xor	edx, edx
		dec	al
		and	al, cl
		mov	ecx, [esi+74h]
		mov	byte ptr [ebp+var_C4], al
		test	ecx, ecx
		jnz	loc_9117CB
		mov	eax, edx

loc_7F1B1A:				; CODE XREF: EtwpSendDataBlock+11FDF3j
					; EtwpSendDataBlock+11FE1Dj
		push	[ebp+var_B0]
		push	eax
		push	[ebp+var_98]
		lea	eax, [esi+38h]
		push	[ebp+var_B4]
		push	[ebp+var_B8]
		push	[ebp+var_BC]
		push	[ebp+var_C4]
		push	[ebp+var_C8]
		push	eax
		call	[ebp+var_CC]

loc_7F1B4F:				; CODE XREF: EtwpSendDataBlock+21Fj
					; EtwpSendDataBlock+11FE2Cj
		mov	esi, [ebp+var_C0]
		test	esi, esi
		jnz	loc_91182B

loc_7F1B5D:				; CODE XREF: EtwpSendDataBlock+11FE45j
		lea	eax, [ebp+var_A0]
		push	eax
		call	KeQueryTickCount
		call	_KeQueryTimeIncrement@0	; KeQueryTimeIncrement()
		mov	edx, [ebp+var_A0]
		sub	edx, [ebp+var_A8]
		mov	ecx, [ebp+var_9C]
		sbb	ecx, [ebp+var_A4]
		push	ecx
		push	edx
		push	0
		push	eax
		call	__allmul
		mov	edi, edx
		mov	esi, eax
		test	edi, edi
		jl	short loc_7F1BAA
		jg	loc_911844
		cmp	esi, 23C36D10h
		jnb	loc_911844

loc_7F1BAA:				; CODE XREF: EtwpSendDataBlock+19Cj
					; EtwpSendDataBlock+11FDC1j ...
		mov	eax, [ebp+var_94]
		jmp	loc_7F1A5F
; 

loc_7F1BB5:				; CODE XREF: EtwpSendDataBlock+FEj
		and	[ebp+var_BC], 0
		and	[ebp+var_B8], 0
		and	[ebp+var_B4], 0
		and	[ebp+var_98], 0
		test	eax, eax
		jmp	loc_7F1AFE
; 

loc_7F1BD8:				; CODE XREF: EtwpSendDataBlock+BDj
		mov	edi, [ebx+10h]
		push	[ebp+var_B0]
		mov	ax, [edi+38h]
		mov	cl, [edi+3Ah]
		mov	edx, [edi+30h]
		mov	esi, [edi+34h]
		and	[ebp+var_5C], 0
		mov	word ptr [ebp+var_68], ax
		lea	eax, [ebp+var_68]
		push	eax
		mov	eax, [ebp+var_98]
		mov	byte ptr [ebp+var_68+2], cl
		mov	byte ptr [ebp+var_68+3], 0
		mov	[ebp+var_64], edx
		movzx	eax, byte ptr [eax+70h]
		push	eax
		lea	eax, [edi+14h]
		mov	[ebp+var_60], esi
		push	eax
		call	dword ptr [ebx+2Ch]
		jmp	loc_7F1B4F
EtwpSendDataBlock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpQueueNotification proc near		; CODE XREF: EtwpSendDataBlock+60p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009118F8 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	[ebp+var_8], edx
		xor	esi, esi
		mov	ax, [eax+32h]
		mov	edx, 100h
		and	ax, dx
		mov	[ebp+var_C], ecx
		movzx	eax, ax
		push	edi
		mov	[ebp+var_1], 1
		setnz	[ebp+var_2]
		mov	[ebp+var_10], eax
		call	EtwpAddDataSource
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9118F8
		push	72777445h
		push	20h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9118F8
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		mov	[edi], eax
		mov	[edi+4], eax
		mov	[edi+10h], eax
		mov	[edi+14h], eax
		mov	[edi+18h], eax
		mov	[edi+1Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+8], ecx
		mov	[edi+0Ch], eax
		mov	ax, [eax+30h]
		mov	[edi+18h], ax
		mov	dword ptr [edi+1Ch], 1
		cmp	byte ptr [ecx+0Ch], 0
		jnz	loc_7F1D31

loc_7F1CB0:				; CODE XREF: EtwpQueueNotification+14Dj
		lock inc dword ptr [ecx+8]
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	eax, [ebx+8]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		call	ExAcquirePushLockExclusiveEx
		lea	ecx, [ebx+0Ch]
		mov	edx, [ecx]

loc_7F1CCD:				; CODE XREF: EtwpQueueNotification+154j
		cmp	edx, ecx
		jnz	short loc_7F1D20
		mov	dl, [ebp+var_1]

loc_7F1CD4:				; CODE XREF: EtwpQueueNotification+111j
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_7F1D77
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[ecx+4], edi
		test	dl, dl
		jz	short loc_7F1D08
		cmp	word ptr [ebp+var_10], 0
		jnz	loc_911911
		mov	eax, [ebx]

loc_7F1CFA:				; CODE XREF: EtwpQueueNotification+11FCF6j
		test	eax, eax
		jz	short loc_7F1D08
		push	0
		push	1
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_7F1D08:				; CODE XREF: EtwpQueueNotification+CDj
					; EtwpQueueNotification+DEj
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_7F1D17:				; CODE XREF: EtwpQueueNotification+11FCDFj
					; EtwpQueueNotification+11FCEEj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7F1D20:				; CODE XREF: EtwpQueueNotification+B1j
		mov	eax, [edx+0Ch]
		mov	al, [eax+33h]
		and	al, 1
		cmp	[ebp+var_2], al
		jnz	short loc_7F1D70
		xor	dl, dl
		jmp	short loc_7F1CD4
; 

loc_7F1D31:				; CODE XREF: EtwpQueueNotification+8Cj
		mov	esi, [ecx+18h]
		mov	ecx, esi
		or	dword ptr [edi+1Ch], 2
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	[edi+10h], esi
		mov	esi, [ebp+arg_0]
		push	esi
		push	3
		push	1
		push	[ebp+var_C]
		call	_PsChargeProcessWakeCounter@16 ; PsChargeProcessWakeCounter(x,x,x,x)
		mov	edx, edi
		mov	[edi+14h], eax
		mov	ecx, esi
		call	EtwpAddReplyIndex
		mov	esi, eax
		test	esi, esi
		js	loc_911902
		mov	ecx, [ebp+var_8]
		jmp	loc_7F1CB0
; 

loc_7F1D70:				; CODE XREF: EtwpQueueNotification+10Dj
		mov	edx, [edx]
		jmp	loc_7F1CCD
; 

loc_7F1D77:				; CODE XREF: EtwpQueueNotification+BBj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall EtwpAddNotificationEvent(x,	x)
_EtwpAddNotificationEvent@8:		; CODE XREF: NtTraceControl(x,x,x,x,x,x)+5E0p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_ExEventObjectType
		and	dword ptr [ebp-4], 0
		push	ebx
		push	esi
		push	edi
		push	0
		mov	bl, dl
		lea	edx, [ebp-4]
		push	edx
		push	1
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp-4]
		mov	edi, eax
		test	edi, edi
		js	short loc_7F1DD3
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		call	EtwpAddDataSource
		mov	edx, eax
		test	edx, edx
		jz	short loc_7F1DDE
		test	bl, bl
		jnz	short loc_7F1DE5

loc_7F1DC5:				; CODE XREF: EtwpQueueNotification+1CAj
		mov	ecx, esi
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_7F1DEA
		xor	esi, esi

loc_7F1DD3:				; CODE XREF: EtwpQueueNotification+18Aj
					; EtwpQueueNotification+1C5j ...
		test	esi, esi
		jnz	short loc_7F1DF1

loc_7F1DD7:				; CODE XREF: EtwpQueueNotification+1DAj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7F1DDE:				; CODE XREF: EtwpQueueNotification+1A1j
		mov	edi, 0C0000017h
		jmp	short loc_7F1DD3
; 

loc_7F1DE5:				; CODE XREF: EtwpQueueNotification+1A5j
		add	edx, 4
		jmp	short loc_7F1DC5
; 

loc_7F1DEA:				; CODE XREF: EtwpQueueNotification+1B1j
		mov	edi, 0C0000718h
		jmp	short loc_7F1DD3
; 

loc_7F1DF1:				; CODE XREF: EtwpQueueNotification+1B7j
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_7F1DD7
EtwpQueueNotification endp


;  S U B	R O U T	I N E 


EtwpAddDataSource proc near		; CODE XREF: EtwpQueueNotification+30p
					; EtwpQueueNotification+198p

; FUNCTION CHUNK AT 00911919 SIZE 0000000E BYTES

		mov	edi, edi
		push	esi
		lea	esi, [ecx+19Ch]
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_7F1E4B
		push	53777445h
		push	14h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_7F1E4D
		push	edi
		xor	edi, edi
		lea	eax, [edx+0Ch]
		mov	[edx], edi
		mov	ecx, edx
		mov	[edx+4], edi
		mov	[edx+10h], edi
		mov	[eax+4], eax
		mov	[eax], eax
		xor	eax, eax
		mov	[edx+8], edi
		lock cmpxchg [esi], ecx
		mov	esi, eax
		test	esi, esi
		jnz	loc_911919

loc_7F1E48:				; CODE XREF: EtwpAddDataSource+11FB28j
		mov	eax, edx
		pop	edi

loc_7F1E4B:				; CODE XREF: EtwpAddDataSource+Dj
		pop	esi
		retn
; 

loc_7F1E4D:				; CODE XREF: EtwpAddDataSource+24j
		xor	eax, eax
		pop	esi
		retn
EtwpAddDataSource endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpEnableGuid	proc near		; CODE XREF: EtwpEnableTrace+10Ep
					; NtTraceControl(x,x,x,x,x,x)+363p

var_106		= byte ptr -106h
var_105		= byte ptr -105h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_EE		= dword	ptr -0EEh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_86		= byte ptr -86h
var_84		= dword	ptr -84h
var_58		= dword	ptr -58h
var_40		= dword	ptr -40h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00911927 SIZE 0000030E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, edx
		mov	[esp+114h+var_E8], ecx
		xor	edx, edx
		mov	[esp+114h+var_EE+2], esi
		push	edi
		push	2Ch		; size_t
		lea	eax, [esi+28h]
		mov	[esp+11Ch+var_A4], edx
		mov	[esp+11Ch+var_B8], eax
		mov	cl, dl
		lea	eax, [esi+48h]
		mov	[esp+11Ch+var_AC], edx
		mov	[esp+11Ch+var_C0], eax
		mov	ebx, edx
		mov	eax, [eax+8]
		and	eax, 20h
		mov	[esp+11Ch+var_104], ebx
		mov	[esp+11Ch+var_C8], eax
		setz	al
		mov	[esp+11Ch+var_D4], edx
		dec	al
		mov	byte ptr [esp+11Ch+var_EE+1], dl
		and	al, 2
		mov	[esp+11Ch+var_105], dl
		mov	byte ptr [esp+11Ch+var_C4], al
		lea	eax, [esp+11Ch+var_84]
		push	edx		; int
		push	eax		; void *
		mov	[esp+124h+var_D0], ecx
		mov	byte ptr [esp+124h+var_A8], cl
		mov	byte ptr [esp+124h+var_B4], dl
		mov	byte ptr [esp+124h+var_EE], dl
		mov	[esp+124h+var_F4], edx
		mov	[esp+124h+var_B0], edx
		call	_memset
		xor	eax, eax
		mov	ecx, [esp+124h+var_E8]
		lea	edi, [esp+124h+var_98]
		add	esp, 0Ch
		stosd
		mov	edx, esi
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		and	[esp+118h+var_BC], eax
		mov	[esp+118h+var_FC], eax
		mov	[esp+118h+var_F8], eax
		lea	eax, [esp+118h+var_84]
		push	eax
		lea	eax, [esp+11Ch+var_F4]
		push	eax
		lea	eax, [esp+120h+var_98]
		push	eax
		push	[ebp+arg_0]
		call	EtwpValidateEnableNotification
		mov	esi, eax
		test	esi, esi
		js	loc_7F2159
		mov	esi, [esp+118h+var_C0]
		mov	eax, [esi]
		mov	[esp+118h+var_100], eax
		mov	eax, [esp+118h+var_EE+2]
		mov	edi, [eax+74h]
		mov	[esp+118h+var_CC], edi
		test	edi, edi
		jnz	loc_7F2565

loc_7F1F4D:				; CODE XREF: EtwpEnableGuid+716j
		xor	edi, edi
		and	[esp+118h+var_1C], ebx

loc_7F1F56:				; CODE XREF: EtwpEnableGuid+77Cj
		cmp	[esp+118h+var_C8], 0
		jnz	loc_7F2542
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	edx, [esp+118h+var_B8] ; void *
		lea	eax, [esp+118h+var_EE]
		push	eax		; int
		push	edi		; int
		mov	edi, [esp+120h+var_E8]
		lea	eax, [esp+120h+var_28]
		push	eax		; int
		push	dword ptr [esi+10h] ; int
		movzx	eax, word ptr [esi+6]
		mov	ecx, edi	; int
		push	[esp+128h+var_100] ; int
		push	eax		; int
		call	EtwpEnableDisableSpecialGuids
		mov	esi, eax
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	byte ptr [esp+118h+var_EE], 0
		jnz	loc_7F2159
		mov	esi, [esp+118h+var_C0]

loc_7F1FA5:				; CODE XREF: EtwpEnableGuid+6F4j
		movzx	eax, word ptr [esi+6]
		test	ax, ax
		jz	loc_911C2B
		push	2
		pop	ecx
		cmp	ax, cx
		jz	loc_911C2B
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		mov	ecx, [esp+118h+var_EE+2]
		mov	edx, offset _PrivateLoggerNotificationGuid
		mov	bl, [esp+118h+var_86]
		mov	[ecx+24h], eax
		mov	eax, [esp+118h+var_C4]
		movzx	eax, al
		mov	[esp+118h+var_E4], eax
		test	bl, bl
		jnz	short loc_7F1FE8
		lea	edx, [ecx+28h]

loc_7F1FE8:				; CODE XREF: EtwpEnableGuid+191j
		push	eax
		mov	ecx, edi
		call	_EtwpFindGuidEntryByGuid@12 ; EtwpFindGuidEntryByGuid(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_7F21A4
		test	bl, bl
		jnz	short loc_7F2005
		cmp	[esp+118h+var_100], 1
		jz	short loc_7F2011

loc_7F2005:				; CODE XREF: EtwpEnableGuid+1AAj
		mov	esi, 0C0000295h
		xor	ebx, ebx
		jmp	loc_7F2159
; 

loc_7F2011:				; CODE XREF: EtwpEnableGuid+1B1j
		push	[esp+118h+var_E4]
		mov	edx, [esp+11Ch+var_B8]
		mov	ecx, [esp+11Ch+var_E8]
		call	_EtwpAddGuidEntry@12 ; EtwpAddGuidEntry(x,x,x)
		mov	ebx, eax
		mov	[esp+118h+var_104], ebx
		test	ebx, ebx
		jz	loc_911927

loc_7F2030:				; CODE XREF: EtwpEnableGuid+35Dj
					; EtwpEnableGuid+376j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	ecx, [ebx+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	edi, [esp+118h+var_F4]
		mov	[ebx+170h], eax
		mov	byte ptr [esp+118h+var_EE+1], 1
		test	edi, edi
		jz	short loc_7F2068
		test	byte ptr [edi+258h], 40h
		jnz	loc_91193D

loc_7F2068:				; CODE XREF: EtwpEnableGuid+207j
		cmp	[esp+118h+var_C8], 0
		jnz	loc_7F254B

loc_7F2073:				; CODE XREF: EtwpEnableGuid+70Ej
		cmp	[esp+118h+var_86], 0
		mov	edx, [esp+118h+var_EE+2]
		mov	eax, [esp+118h+var_100]
		mov	[edx+70h], eax
		movzx	ecx, word ptr [esi+6]
		mov	[edx+68h], cx
		mov	al, [esi+4]
		mov	[edx+6Ah], al
		mov	eax, [esi+10h]
		mov	[edx+6Ch], eax
		mov	edi, [esi+14h]
		mov	eax, [esi+10h]
		mov	[esp+118h+var_D8], edi
		mov	[esp+118h+var_E4], edi
		mov	edi, [esp+118h+var_F4]
		mov	[esp+118h+var_DC], eax
		jnz	loc_911947
		mov	ecx, [esp+118h+var_E4]

loc_7F20BA:				; CODE XREF: EtwpEnableGuid+11FB09j
		or	eax, ecx
		jz	loc_7F2475

loc_7F20C2:				; CODE XREF: EtwpEnableGuid+62Bj
		cmp	byte ptr [esi+4], 0
		jnz	short loc_7F20CC
		mov	byte ptr [esi+4], 0FFh

loc_7F20CC:				; CODE XREF: EtwpEnableGuid+274j
		cmp	[esp+118h+var_100], 2
		jz	short loc_7F211F
		cmp	[esp+118h+var_86], 0
		jnz	short loc_7F211F
		lea	eax, [esp+118h+var_B4]
		mov	ecx, ebx
		push	eax
		lea	eax, [esp+11Ch+var_84]
		push	eax
		push	[esp+120h+var_D8]
		push	[esp+124h+var_DC]
		call	EtwpUpdateGuidEnableInfo
		mov	esi, eax
		test	esi, esi
		js	short loc_7F2140
		mov	eax, [esp+118h+var_C0]
		lea	esi, [ebx+40h]
		push	8
		pop	ecx
		mov	edi, eax
		rep movsd
		test	byte ptr [eax+8], 4
		mov	edi, [esp+118h+var_F4]
		jnz	loc_911960

loc_7F211B:				; CODE XREF: EtwpEnableGuid+11FB27j
					; EtwpEnableGuid+11FB32j
		mov	edx, [esp+118h+var_EE+2]

loc_7F211F:				; CODE XREF: EtwpEnableGuid+27Fj
					; EtwpEnableGuid+289j
		lea	eax, [ebx+24h]
		cmp	[eax], eax
		jnz	loc_7F21D3
		cmp	dword ptr [ebx+168h], 0
		jnz	short loc_7F213E
		lea	eax, [ebx+8]
		cmp	[eax], eax
		jnz	loc_7F21D3

loc_7F213E:				; CODE XREF: EtwpEnableGuid+2DFj
		xor	esi, esi

loc_7F2140:				; CODE XREF: EtwpEnableGuid+2ABj
					; EtwpEnableGuid+5F6j ...
		and	dword ptr [ebx+170h], 0
		lea	ecx, [ebx+16Ch]
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_7F2159:				; CODE XREF: EtwpEnableGuid+D8j
					; EtwpEnableGuid+149j ...
		mov	ecx, [esp+118h+var_F4]
		test	ecx, ecx
		jz	short loc_7F2168
		xor	dl, dl
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_7F2168:				; CODE XREF: EtwpEnableGuid+30Dj
		mov	ecx, [esp+118h+var_AC]
		test	ecx, ecx
		jnz	loc_7F25FD

loc_7F2174:				; CODE XREF: EtwpEnableGuid+7B0j
		test	ebx, ebx
		jz	short loc_7F217F
		mov	ecx, ebx
		call	EtwpUnreferenceGuidEntry

loc_7F217F:				; CODE XREF: EtwpEnableGuid+324j
		lea	ecx, [esp+118h+var_84]
		call	EtwpFreeFilterInfo
		mov	ecx, [esp+118h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7F21A4:				; CODE XREF: EtwpEnableGuid+1A2j
		cmp	[esp+118h+var_100], 1
		mov	ebx, edi
		mov	[esp+118h+var_104], ebx
		jnz	loc_7F2030
		push	[esp+118h+var_C4]
		mov	edx, esi
		mov	[esp+11Ch+var_104], ebx
		mov	ecx, edi
		call	_EtwpIsSpecialGuidEnabledOnDifferentLogger@12 ;	EtwpIsSpecialGuidEnabledOnDifferentLogger(x,x,x)
		test	al, al
		jz	loc_7F2030
		jmp	loc_911931
; 

loc_7F21D3:				; CODE XREF: EtwpEnableGuid+2D2j
					; EtwpEnableGuid+2E6j
		cmp	byte ptr [edx+0Ch], 0
		jnz	loc_7F25D3

loc_7F21DD:				; CODE XREF: EtwpEnableGuid+7A6j
		lea	eax, [esp+118h+var_BC]
		mov	ecx, ebx
		push	eax
		push	0FFh
		call	EtwpBuildNotificationPacket
		test	eax, eax
		js	loc_911989
		mov	eax, [esp+118h+var_BC]
		lea	edx, [esp+118h+var_F8]
		push	edx
		mov	edx, eax
		lea	ecx, [eax+4]
		mov	[esp+11Ch+var_A0], ecx
		mov	ecx, [ecx]
		call	_EtwpAllocDataBlock@12 ; EtwpAllocDataBlock(x,x,x)
		test	eax, eax
		js	loc_911993
		mov	esi, [esp+118h+var_F8]
		lea	eax, [ebx+60h]
		mov	ebx, [esp+118h+var_D0]
		xor	ecx, ecx
		push	8
		mov	[esp+11Ch+var_FC], esi
		mov	[esp+11Ch+var_E0], esi
		pop	edx

loc_7F222F:				; CODE XREF: EtwpEnableGuid+3EDj
		cmp	dword ptr [eax], 0
		jnz	loc_7F2482

loc_7F2238:				; CODE XREF: EtwpEnableGuid+63Aj
		inc	ecx
		add	eax, 20h
		sub	edx, 1
		jnz	short loc_7F222F
		mov	ebx, [esp+118h+var_104]
		xor	ecx, ecx
		mov	byte ptr [esp+118h+var_E8], dl
		mov	[esp+118h+var_D8], ecx
		cmp	[ebx+168h], ecx
		jnz	short loc_7F2264
		lea	eax, [ebx+8]
		mov	ecx, [eax]
		cmp	ecx, eax
		jnz	loc_7F2536

loc_7F2264:				; CODE XREF: EtwpEnableGuid+403j
					; EtwpEnableGuid+6EBj
		mov	ecx, ebx
		mov	[esp+118h+var_E4], ecx

loc_7F226A:				; CODE XREF: EtwpEnableGuid+11FD4Bj
		lea	edx, [ecx+24h]
		mov	eax, [edx]
		mov	[esp+118h+var_9C], edx
		mov	[esp+118h+var_DC], eax
		cmp	eax, edx
		jz	loc_7F23C7

loc_7F227F:				; CODE XREF: EtwpEnableGuid+56Bj
		cmp	[esp+118h+var_C8], 0
		jnz	loc_9119A1
		mov	esi, eax
		mov	[esp+118h+var_104], esi

loc_7F2290:				; CODE XREF: EtwpEnableGuid+11FB94j
		push	[esp+118h+var_C4]
		mov	eax, [eax]
		mov	edx, edi
		push	[esp+11Ch+var_E8]
		mov	[esp+120h+var_DC], eax
		mov	ecx, esi
		lea	eax, [esp+120h+var_84]
		push	eax
		push	[esp+124h+var_EE+2]
		lea	eax, [esp+128h+var_98]
		push	eax
		call	EtwpIsRegEntryAllowed
		test	al, al
		jz	loc_7F23AA
		cmp	[esp+118h+var_86], 0
		mov	eax, [esp+118h+var_BC]
		mov	[esp+118h+var_CC], eax
		jnz	loc_911A77
		mov	eax, [esp+118h+var_100]
		cmp	eax, 2
		jz	loc_7F236B
		cmp	byte ptr [esp+118h+var_E8], 0
		jnz	loc_9119EB
		cmp	[esp+118h+var_C8], 0
		jnz	loc_911A02
		mov	al, [esi+34h]

loc_7F22FF:				; CODE XREF: EtwpEnableGuid+11FBA3j
					; EtwpEnableGuid+11FBABj ...
		push	[esp+118h+var_100]
		mov	edx, edi
		mov	byte ptr [esp+11Ch+var_D0], al
		push	[esp+11Ch+var_E8]
		mov	ecx, esi
		push	[esp+120h+var_C4]
		push	[esp+124h+var_B4]
		call	EtwpUpdateRegEntryEnableMask
		mov	dl, byte ptr [esp+118h+var_B4]
		lea	eax, [esp+118h+var_F8]
		push	eax
		push	[esp+11Ch+var_100]
		mov	ecx, esi
		push	[esp+120h+var_E8]
		push	[esp+124h+var_C4]
		push	[esp+128h+var_A8]
		push	[esp+12Ch+var_D0]
		call	EtwpCalculateUpdateNotification
		test	al, al
		mov	eax, [esp+118h+var_F8]
		mov	[esp+118h+var_FC], eax
		jz	loc_911A0A
		test	eax, eax
		jnz	loc_7F2453
		mov	eax, [esp+118h+var_E0]
		mov	[esp+118h+var_FC], eax
		mov	[esp+118h+var_F8], eax

loc_7F2367:				; CODE XREF: EtwpEnableGuid+60Bj
					; EtwpEnableGuid+61Ej
		mov	eax, [esp+118h+var_100]

loc_7F236B:				; CODE XREF: EtwpEnableGuid+48Ej
		cmp	eax, 1
		jnz	loc_7F2491

loc_7F2374:				; CODE XREF: EtwpEnableGuid+648j
		movzx	edx, word ptr [esi+32h]
		test	dl, 28h
		jnz	loc_7F24AD
		test	dword ptr [edi+258h], 2000000h
		jnz	loc_7F24AD

loc_7F2391:				; CODE XREF: EtwpEnableGuid+642j
					; EtwpEnableGuid+674j ...
		mov	edx, [esp+118h+var_CC]
		mov	ecx, esi
		call	EtwpSendDataBlock
		test	eax, eax
		js	short loc_7F23AA
		test	byte ptr [esi+32h], 2
		jz	short loc_7F23AA
		inc	[esp+118h+var_D4]

loc_7F23AA:				; CODE XREF: EtwpEnableGuid+46Bj
					; EtwpEnableGuid+54Cj ...
		cmp	[esp+118h+var_105], 0
		jnz	loc_911B0D

loc_7F23B5:				; CODE XREF: EtwpEnableGuid+11FCDFj
		mov	eax, [esp+118h+var_DC]
		cmp	eax, [esp+118h+var_9C]
		jnz	loc_7F227F
		mov	ecx, [esp+118h+var_E4]

loc_7F23C7:				; CODE XREF: EtwpEnableGuid+427j
		cmp	ecx, ebx
		jnz	loc_911B36

loc_7F23CF:				; CODE XREF: EtwpEnableGuid+11FCFDj
		mov	esi, [esp+118h+var_D8]
		test	esi, esi
		jnz	loc_911B54
		mov	ecx, [esp+118h+var_EE+2]
		mov	eax, [esp+118h+var_D4]
		mov	[ecx+14h], eax
		mov	eax, [esp+118h+var_A4]
		cdq
		mov	[ecx+18h], eax
		mov	[ecx+1Ch], edx
		test	edi, edi
		jz	short loc_7F2425
		mov	eax, [esp+118h+var_100]
		cmp	eax, 1
		jnz	loc_7F249F
		mov	eax, offset _ETW_EVENT_PROVIDER_ENABLED

loc_7F2407:				; CODE XREF: EtwpEnableGuid+656j
		push	eax
		push	dword_6BC30C
		mov	[esp+120h+var_D4], eax
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_911BDA

loc_7F2425:				; CODE XREF: EtwpEnableGuid+5A1j
					; EtwpEnableGuid+64Fj ...
		mov	edi, [esp+118h+var_FC]

loc_7F2429:				; CODE XREF: EtwpEnableGuid+11FB4Aj
					; EtwpEnableGuid+11FD83j
		test	edi, edi
		jz	short loc_7F2434
		mov	ecx, edi
		call	_EtwpUnreferenceDataBlock@4 ; EtwpUnreferenceDataBlock(x)

loc_7F2434:				; CODE XREF: EtwpEnableGuid+5D9j
					; EtwpEnableGuid+11FB3Cj
		mov	eax, [esp+118h+var_BC]
		test	eax, eax
		jz	short loc_7F2443
		mov	ecx, eax
		call	_EtwpUnreferenceDataBlock@4 ; EtwpUnreferenceDataBlock(x)

loc_7F2443:				; CODE XREF: EtwpEnableGuid+5E8j
		cmp	byte ptr [esp+118h+var_EE+1], 1
		jz	loc_7F2140
		jmp	loc_7F2159
; 

loc_7F2453:				; CODE XREF: EtwpEnableGuid+503j
		mov	ecx, [esp+118h+var_E0]
		mov	[esp+118h+var_CC], eax
		cmp	eax, ecx
		jz	loc_7F2367
		call	_EtwpUnreferenceDataBlock@4 ; EtwpUnreferenceDataBlock(x)
		mov	eax, [esp+118h+var_CC]
		mov	[esp+118h+var_E0], eax
		jmp	loc_7F2367
; 

loc_7F2475:				; CODE XREF: EtwpEnableGuid+26Aj
		or	dword ptr [esi+10h], 0FFFFFFFFh
		or	dword ptr [esi+14h], 0FFFFFFFFh
		jmp	loc_7F20C2
; 

loc_7F2482:				; CODE XREF: EtwpEnableGuid+3E0j
		movzx	ebx, bl
		bts	ebx, ecx
		mov	byte ptr [esp+118h+var_A8], bl
		jmp	loc_7F2238
; 

loc_7F2491:				; CODE XREF: EtwpEnableGuid+51Cj
		cmp	eax, 2
		jnz	loc_7F2391
		jmp	loc_7F2374
; 

loc_7F249F:				; CODE XREF: EtwpEnableGuid+5AAj
		test	eax, eax
		jnz	short loc_7F2425
		mov	eax, offset _ETW_EVENT_PROVIDER_DISABLED
		jmp	loc_7F2407
; 

loc_7F24AD:				; CODE XREF: EtwpEnableGuid+529j
					; EtwpEnableGuid+539j
		test	dl, 1
		jnz	loc_7F2607
		mov	ecx, [esi+28h]
		add	ecx, 0F0h
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_7F2391
		push	6
		pop	ecx
		push	dword ptr [esi+28h]
		xor	eax, eax
		lea	edi, [esp+11Ch+var_40]
		rep stosd
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		push	eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	edi, [esp+118h+var_104]
		mov	esi, eax
		lea	eax, [esp+118h+var_40]
		push	eax
		push	dword ptr [edi+28h]
		call	KeStackAttachProcess
		push	edi
		mov	edi, [esp+11Ch+var_F4]
		mov	dl, 1
		mov	ecx, edi
		call	EtwpProviderArrivalCallback
		lea	eax, [esp+118h+var_40]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		push	esi
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		mov	esi, [esp+118h+var_104]
		mov	ecx, [esi+28h]
		add	ecx, 0F0h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_7F2391
; 

loc_7F2536:				; CODE XREF: EtwpEnableGuid+40Cj
		add	ecx, 0FFFFFFF8h
		mov	[esp+118h+var_D8], ecx
		jmp	loc_7F2264
; 

loc_7F2542:				; CODE XREF: EtwpEnableGuid+109j
		mov	edi, [esp+118h+var_E8]
		jmp	loc_7F1FA5
; 

loc_7F254B:				; CODE XREF: EtwpEnableGuid+21Bj
		mov	ecx, edi
		call	EtwpAcquireTokenAccessInformation
		mov	esi, eax
		test	esi, esi
		jnz	loc_7F2140
		mov	esi, [esp+118h+var_C0]
		jmp	loc_7F2073
; 

loc_7F2565:				; CODE XREF: EtwpEnableGuid+F5j
		cmp	edi, 3
		jnb	loc_7F1F4D
		add	eax, 78h
		mov	[esp+118h+var_E4], edi
		lea	ecx, [esp+118h+var_24]
		sub	ecx, eax
		lea	ebx, [esp+118h+var_28]
		mov	[esp+118h+var_D8], ecx
		mov	ecx, ebx
		mov	edi, [esp+118h+var_D8]
		lea	edx, [eax+8]
		sub	ecx, eax
		mov	[esp+118h+var_DC], ecx

loc_7F2598:				; CODE XREF: EtwpEnableGuid+772j
		mov	eax, [edx+4]
		mov	[edi+edx], eax
		mov	eax, [edx]
		mov	[ecx+edx], eax
		mov	ecx, [edx-8]
		add	ecx, [esp+118h+var_EE+2]
		mov	eax, [edx-4]
		adc	eax, 0
		mov	[ebx], ecx
		mov	ecx, [esp+118h+var_DC]
		lea	ebx, [ebx+10h]
		add	edx, 10h
		mov	[ebx-0Ch], eax
		sub	[esp+118h+var_E4], 1
		jnz	short loc_7F2598
		mov	ebx, [esp+118h+var_104]
		mov	edi, [esp+118h+var_CC]
		jmp	loc_7F1F56
; 

loc_7F25D3:				; CODE XREF: EtwpEnableGuid+385j
		lea	eax, [esp+118h+var_AC]
		mov	ecx, ebx
		push	eax
		lea	edx, [esp+11Ch+var_A4]
		call	EtwpCreateUmReplyObject
		mov	esi, eax
		test	esi, esi
		js	loc_7F2140
		mov	edx, [esp+118h+var_EE+2]
		mov	eax, [esp+118h+var_AC]
		mov	[edx+18h], eax
		jmp	loc_7F21DD
; 

loc_7F25FD:				; CODE XREF: EtwpEnableGuid+31Cj
		call	ObfDereferenceObject
		jmp	loc_7F2174
; 

loc_7F2607:				; CODE XREF: EtwpEnableGuid+65Ej
		push	6
		xor	eax, eax
		lea	edi, [esp+11Ch+var_58]
		pop	ecx
		rep stosd
		xor	ecx, ecx
		mov	[esp+118h+var_104], ecx
		test	dl, 10h
		jnz	loc_911A23

loc_7F2624:				; CODE XREF: EtwpEnableGuid+11FBF3j
		mov	edi, [esp+118h+var_F4]
		xor	dl, dl
		push	esi
		mov	ecx, edi
		call	EtwpProviderArrivalCallback
		mov	eax, [esp+118h+var_104]
		test	eax, eax
		jz	loc_7F2391
		jmp	loc_911A5B
EtwpEnableGuid	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpIsRegEntryAllowed proc near		; CODE XREF: EtwpEnableGuid+464p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 00911C35 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	eax, [ebx+48h]
		mov	edi, [ebp+arg_0]
		test	byte ptr [esi+32h], 1
		mov	[ebp+arg_4], eax
		jnz	short loc_7F26AB

loc_7F2665:				; CODE XREF: EtwpIsRegEntryAllowed+71j
		cmp	eax, 2
		jz	short loc_7F26D7
		cmp	byte ptr [edi+12h], 0
		jnz	short loc_7F26D7

loc_7F2670:				; CODE XREF: EtwpIsRegEntryAllowed+A9j
		test	byte ptr [esi+32h], 8
		mov	dl, [ebp+arg_10]
		jnz	short loc_7F26B9

loc_7F2679:				; CODE XREF: EtwpIsRegEntryAllowed+82j
					; EtwpIsRegEntryAllowed+8Fj
		cmp	byte ptr [edi+12h], 1
		jz	loc_911C35
		cmp	dl, 2
		jz	loc_911C42

loc_7F268C:				; CODE XREF: EtwpIsRegEntryAllowed+11F614j
		movzx	eax, byte ptr [edi+10h]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	_EtwpCheckProviderLoggingAccess@12 ; EtwpCheckProviderLoggingAccess(x,x,x)

loc_7F269A:				; CODE XREF: EtwpIsRegEntryAllowed+11F5F9j
		test	eax, eax
		jnz	short loc_7F26A7
		mov	al, 1

loc_7F26A0:				; CODE XREF: EtwpIsRegEntryAllowed+65j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7F26A7:				; CODE XREF: EtwpIsRegEntryAllowed+58j
					; EtwpIsRegEntryAllowed+6Bj ...
		xor	al, al
		jmp	short loc_7F26A0
; 

loc_7F26AB:				; CODE XREF: EtwpIsRegEntryAllowed+1Fj
		cmp	byte ptr [edi+11h], 0
		jnz	short loc_7F26A7
		cmp	byte ptr [edi+12h], 0
		jz	short loc_7F2665
		jmp	short loc_7F26A7
; 

loc_7F26B9:				; CODE XREF: EtwpIsRegEntryAllowed+33j
		cmp	dl, 2
		jz	short loc_7F26A7
		cmp	[ebp+arg_C], 0
		jnz	short loc_7F26A7
		test	eax, eax
		jnz	short loc_7F2679
		mov	ecx, [esi+10h]
		mov	ax, [ebx+68h]
		cmp	ax, [ecx+38h]
		jz	short loc_7F2679
		jmp	short loc_7F26A7
; 

loc_7F26D7:				; CODE XREF: EtwpIsRegEntryAllowed+24j
					; EtwpIsRegEntryAllowed+2Aj
		mov	edx, [ebp+arg_8]
		push	edx
		push	0
		push	ebx
		mov	edx, [edx+28h]
		call	EtwpApplyTransientFilters
		test	al, al
		jz	short loc_7F26A7
		mov	eax, [ebp+arg_4]
		jmp	short loc_7F2670
EtwpIsRegEntryAllowed endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCheckProviderLoggingAccess(x, x, x)
_EtwpCheckProviderLoggingAccess@12 proc	near ; CODE XREF: EtwpIsRegEntryAllowed+51p

var_14		= dword	ptr -14h
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		cmp	[ebp+arg_0], 0
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	esi, edx
		stosd
		stosd
		stosd
		stosd
		jz	short loc_7F2742
		test	byte ptr [ecx+32h], 1
		jnz	short loc_7F2742
		lea	eax, [ebp+var_14]
		push	eax
		push	dword ptr [ecx+28h]
		push	0
		call	SeCaptureSubjectContextEx
		lea	eax, [ebp+var_14]
		mov	edx, 200h
		push	eax
		mov	ecx, esi
		call	_EtwpCheckGuidAccess@12	; EtwpCheckGuidAccess(x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_14]
		push	eax
		call	SeReleaseSubjectContext
		mov	eax, esi

loc_7F273C:				; CODE XREF: EtwpCheckProviderLoggingAccess(x,x,x)+54j
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_7F2742:				; CODE XREF: EtwpCheckProviderLoggingAccess(x,x,x)+19j
					; EtwpCheckProviderLoggingAccess(x,x,x)+1Fj
		xor	eax, eax
		jmp	short loc_7F273C
_EtwpCheckProviderLoggingAccess@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCheckGuidAccess(x, x, x)
_EtwpCheckGuidAccess@12	proc near	; CODE XREF: EtwpCheckNotificationAccess+10p
					; EtwpCheckNotificationAccess+22p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		lea	edx, [ebp+var_4]
		call	_EtwpGetSecurityDescriptorByGuid@8 ; EtwpGetSecurityDescriptorByGuid(x,x)
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	_EtwpAccessCheck@12 ; EtwpAccessCheck(x,x,x)
		lea	ecx, [ebp+var_4]
		mov	esi, eax
		call	_EtwpFreeSecurityDescriptor@4 ;	EtwpFreeSecurityDescriptor(x)
		mov	eax, esi
		pop	esi
		leave
		retn	4
_EtwpCheckGuidAccess@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpRealtimeCreateLogfile proc near	; CODE XREF: EtwpLogger(x)+158p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 00911C5D SIZE 00000073 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	edi
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		lea	edi, [esi+110h]
		cmp	[edi], eax
		jz	short loc_7F279E

loc_7F2799:				; CODE XREF: EtwpRealtimeCreateLogfile+1A8j
					; EtwpRealtimeCreateLogfile+11F4E8j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7F279E:				; CODE XREF: EtwpRealtimeCreateLogfile+1Dj
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	ebx, [esi+114h]
		xor	eax, eax
		cmp	[ebx], ax
		jnz	loc_7F289C
		mov	ecx, [esi+60h]
		xor	edi, edi
		lea	edx, [ecx+2]

loc_7F27C1:				; CODE XREF: EtwpRealtimeCreateLogfile+50j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_7F27C1
		sub	ecx, edx
		sar	ecx, 1
		push	50777445h
		lea	eax, ds:14h[ecx*2]
		push	eax
		push	1
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_911C5D
		push	dword ptr [esi+60h] ; char
		push	offset ??_C@_1BK@GCMGPE@?$AAE?$AAt?$AAw?$AAR?$AAT?$AA?$CF?$AAw?$AAs?$AA?4?$AAe?$AAt?$AAl@NNGAKEGL@ ; wchar_t *
		push	[ebp+var_8]	; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		test	eax, eax
		jnz	loc_911C67
		movzx	eax, word ptr [edi]
		mov	edx, edi
		test	ax, ax
		jz	short loc_7F285C
		push	3Ch
		mov	ecx, eax
		pop	ebx

loc_7F281C:				; CODE XREF: EtwpRealtimeCreateLogfile+DAj
		movzx	eax, cx
		cmp	ax, bx
		jbe	loc_7F2927
		cmp	eax, 3Eh
		jb	short loc_7F2849
		cmp	eax, 3Fh
		jbe	loc_7F293C
		cmp	eax, 5Ch
		jz	loc_7F293C
		cmp	cx, 7Ch
		jz	loc_7F293C

loc_7F2849:				; CODE XREF: EtwpRealtimeCreateLogfile+B1j
					; EtwpRealtimeCreateLogfile+1BCj ...
		add	edx, 2
		movzx	eax, word ptr [edx]
		mov	ecx, eax
		test	ax, ax
		jnz	short loc_7F281C
		lea	ebx, [esi+114h]

loc_7F285C:				; CODE XREF: EtwpRealtimeCreateLogfile+9Bj
		push	ds:_EtwpRTBacklogFileRoot ; void *
		push	ebx		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	loc_911C7A
		push	edi
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		mov	edx, ebx
		push	eax
		xor	eax, eax
		mov	cl, 1
		push	eax
		call	EtwpExpandFileName
		mov	edi, eax
		test	edi, edi
		js	loc_7F2917
		lea	edi, [esi+110h]
		xor	eax, eax

loc_7F289C:				; CODE XREF: EtwpRealtimeCreateLogfile+39j
		test	byte ptr [esi+258h], 1
		mov	byte ptr [ebp+var_1], al
		jz	short loc_7F28AC
		mov	byte ptr [ebp+var_1], 1

loc_7F28AC:				; CODE XREF: EtwpRealtimeCreateLogfile+12Cj
		push	1
		push	1
		push	eax
		lea	eax, [ebp+var_1]
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	EtwpDelayCreate
		mov	edi, eax
		test	edi, edi
		js	short loc_7F2917
		xor	ebx, ebx
		test	byte ptr [esi+258h], 1
		push	48h
		pop	eax
		mov	[esi+128h], eax
		mov	[esi+12Ch], ebx
		mov	[esi+120h], eax
		mov	[esi+124h], ebx
		mov	[esi+130h], eax
		mov	[esi+134h], ebx
		jz	short loc_7F2917
		mov	ecx, esi
		call	EtwpRealtimeRestoreState
		mov	edi, eax
		test	edi, edi
		js	loc_911C84
		cmp	[esi+148h], ebx
		ja	short loc_7F2947

loc_7F290F:				; CODE XREF: EtwpRealtimeCreateLogfile+1DCj
		test	edi, edi
		js	loc_911C84

loc_7F2917:				; CODE XREF: EtwpRealtimeCreateLogfile+114j
					; EtwpRealtimeCreateLogfile+148j ...
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, edi
		jmp	loc_7F2799
; 

loc_7F2927:				; CODE XREF: EtwpRealtimeCreateLogfile+A8j
		jz	short loc_7F293C
		cmp	eax, 22h
		jz	short loc_7F293C
		cmp	eax, 2Fh
		jz	short loc_7F293C
		cmp	eax, 3Ah
		jnz	loc_7F2849

loc_7F293C:				; CODE XREF: EtwpRealtimeCreateLogfile+B6j
					; EtwpRealtimeCreateLogfile+BFj ...
		push	5Fh
		pop	eax
		mov	[edx], ax
		jmp	loc_7F2849
; 

loc_7F2947:				; CODE XREF: EtwpRealtimeCreateLogfile+193j
		lea	edx, [esi+0E8h]
		mov	ecx, esi
		call	_EtwpRealtimeUpdateReferenceTime@8 ; EtwpRealtimeUpdateReferenceTime(x,x)
		mov	edi, eax
		jmp	short loc_7F290F
EtwpRealtimeCreateLogfile endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall EtwpAcquireLoggerContextByLoggerName(x, x,	x)
@EtwpAcquireLoggerContextByLoggerName@12 proc near
					; CODE XREF: EtwQueryTraceHandleByLoggerName(x,x)+2Bp
					; EtwpAcquireLoggerContext+72p

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		test	eax, eax
		jz	short loc_7F29A6
		xor	edi, edi
		cmp	[ebx+8], edi
		jbe	short loc_7F29A6

loc_7F2974:				; CODE XREF: EtwpAcquireLoggerContextByLoggerName(x,x,x)+4Cj
		push	0
		mov	edx, edi
		mov	ecx, ebx
		call	EtwpAcquireLoggerContextByLoggerId
		mov	esi, eax
		test	esi, esi
		jz	short loc_7F29A0
		push	1
		push	[ebp+var_4]
		lea	ecx, [esi+5Ch]
		push	ecx
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_7F29AA
		xor	dl, dl

loc_7F2999:				; CODE XREF: EtwpAcquireLoggerContextByLoggerName(x,x,x)+82j
		mov	ecx, esi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_7F29A0:				; CODE XREF: EtwpAcquireLoggerContextByLoggerName(x,x,x)+2Bj
		inc	edi
		cmp	edi, [ebx+8]
		jb	short loc_7F2974

loc_7F29A6:				; CODE XREF: EtwpAcquireLoggerContextByLoggerName(x,x,x)+13j
					; EtwpAcquireLoggerContextByLoggerName(x,x,x)+1Aj
		xor	eax, eax
		jmp	short loc_7F29D1
; 

loc_7F29AA:				; CODE XREF: EtwpAcquireLoggerContextByLoggerName(x,x,x)+3Dj
		mov	al, [ebp+arg_0]
		cmp	al, 1
		jnz	short loc_7F29C6
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esi+1D0h]
		push	eax
		call	KeWaitForSingleObject
		mov	al, [ebp+arg_0]

loc_7F29C6:				; CODE XREF: EtwpAcquireLoggerContextByLoggerName(x,x,x)+57j
		cmp	dword ptr [esi+0F8h], 0
		jz	short loc_7F29D8
		mov	eax, esi

loc_7F29D1:				; CODE XREF: EtwpAcquireLoggerContextByLoggerName(x,x,x)+50j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7F29D8:				; CODE XREF: EtwpAcquireLoggerContextByLoggerName(x,x,x)+75j
		mov	dl, al
		jmp	short loc_7F2999
@EtwpAcquireLoggerContextByLoggerName@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogger(x)
_EtwpLogger@4	proc near		; DATA XREF: EtwTraceReadyThread(x,x,x,x)+98o
					; EtwpStartLogger+73Eo

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	ecx, [ebp+arg_0]
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, [ecx+4]
		push	edi
		mov	[esi+24h], eax
		push	dword ptr [ecx]
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	ecx, large fs:124h
		push	0Fh
		push	ecx
		mov	[esp+30h+var_C], eax
		call	KeSetActualBasePriorityThread
		push	0
		push	0
		lea	ebx, [esi+164h]
		push	ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		lea	eax, [esi+174h]
		xor	ecx, ecx
		mov	[esp+28h+var_8], eax
		lea	eax, [esi+188h]
		mov	[esp+28h+var_4], eax
		cmp	[esi+0F8h], ecx
		jz	loc_7F2D4B
		lea	ebx, [esi+25Ch]

loc_7F2A4B:				; CODE XREF: EtwpLogger(x)+32Dj
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	1
		lea	eax, [esp+40h+var_8]
		mov	[esp+40h+var_18], ecx
		push	eax
		xor	eax, eax
		mov	edi, ecx
		cmp	[esi+84h], ecx
		setnbe	al
		inc	eax
		push	eax
		call	KeWaitForMultipleObjects
		cmp	eax, 1
		jnz	short loc_7F2A90
		xor	dl, dl
		mov	ecx, esi
		call	_EtwpResetFlushTimer@8 ; EtwpResetFlushTimer(x,x)
		lea	eax, [esi+174h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		xor	edi, edi
		inc	edi
		mov	[esp+28h+var_18], edi

loc_7F2A90:				; CODE XREF: EtwpLogger(x)+96j
		cmp	ds:_EtwpFileSystemReady, 0
		jz	short loc_7F2AA5
		push	4
		lea	eax, [esi+258h]
		pop	ecx
		lock or	[eax], ecx

loc_7F2AA5:				; CODE XREF: EtwpLogger(x)+BBj
		mov	ecx, esi
		call	_EtwpAdjustFreeBuffers@4 ; EtwpAdjustFreeBuffers(x)
		mov	eax, [ebx]
		push	4
		pop	ecx
		and	eax, ecx
		mov	[esp+28h+var_10], eax
		jz	short loc_7F2AD2
		cmp	dword ptr [esi+84h], 0
		jbe	short loc_7F2ACB
		mov	dl, 1
		mov	ecx, esi
		call	_EtwpResetFlushTimer@8 ; EtwpResetFlushTimer(x,x)

loc_7F2ACB:				; CODE XREF: EtwpLogger(x)+E4j
		xor	edi, edi
		inc	edi
		mov	[esp+28h+var_18], edi

loc_7F2AD2:				; CODE XREF: EtwpLogger(x)+DBj
		lea	ecx, [esi+258h]
		test	byte ptr [ecx],	4
		jnz	short loc_7F2AEB
		mov	edx, edi
		mov	ecx, esi
		call	_EtwpFlushActiveBuffers@8 ; EtwpFlushActiveBuffers(x,x)
		jmp	loc_7F2D01
; 

loc_7F2AEB:				; CODE XREF: EtwpLogger(x)+FFj
		mov	eax, [ebx]
		test	al, al
		jns	short loc_7F2B14
		mov	eax, 0FFFFFF7Fh
		lock and [ebx],	eax
		xor	edi, edi
		cmp	[esi+248h], edi
		jz	short loc_7F2B16
		mov	dl, 1
		mov	ecx, esi
		call	EtwpFinalizeHeader
		lea	ecx, [esi+258h]
		jmp	short loc_7F2B16
; 

loc_7F2B14:				; CODE XREF: EtwpLogger(x)+113j
		xor	edi, edi

loc_7F2B16:				; CODE XREF: EtwpLogger(x)+125j
					; EtwpLogger(x)+136j
		test	dword ptr [esi+0Ch], 100h
		jz	short loc_7F2B27
		push	8
		pop	eax
		lock or	[ecx], eax
		jmp	short loc_7F2B2D
; 

loc_7F2B27:				; CODE XREF: EtwpLogger(x)+141j
		push	0FFFFFFF7h
		pop	eax
		lock and [ecx],	eax

loc_7F2B2D:				; CODE XREF: EtwpLogger(x)+149j
		test	byte ptr [ecx],	8
		jz	short loc_7F2B6C
		mov	ecx, esi
		call	EtwpRealtimeCreateLogfile
		mov	edi, eax
		test	edi, edi
		js	loc_7F2CC7
		mov	ecx, esi
		call	_EtwpRealtimeUpdateConsumers@4 ; EtwpRealtimeUpdateConsumers(x)
		mov	ecx, esi
		call	EtwpRealtimeFlushSavedBuffers
		xor	edi, edi
		cmp	[esi+108h], edi
		jbe	short loc_7F2B6C
		cmp	[esi+148h], edi
		jbe	short loc_7F2B6C
		xor	dl, dl
		mov	ecx, esi
		call	EtwpRequestFlushTimer

loc_7F2B6C:				; CODE XREF: EtwpLogger(x)+154j
					; EtwpLogger(x)+17Dj ...
		mov	eax, [ebx]
		test	al, 40h
		jz	short loc_7F2B7F
		push	0FFFFFFBFh
		pop	eax
		lock and [ebx],	eax
		mov	ecx, esi
		call	EtwpRealtimeNotifyConsumers

loc_7F2B7F:				; CODE XREF: EtwpLogger(x)+194j
		mov	eax, [ebx]
		test	al, 8
		jz	short loc_7F2BA3
		mov	ecx, esi
		call	EtwpRealtimeDisconnectAllConsumers
		push	0FFFFFFF7h
		pop	eax
		lock and [ebx],	eax
		push	edi
		push	edi
		lea	eax, [esi+164h]
		mov	[esi+28h], edi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_7F2BA3:				; CODE XREF: EtwpLogger(x)+1A7j
		mov	eax, [ebx]
		test	al, 3
		jz	loc_7F2C39
		mov	eax, [ebx]
		mov	cl, 1
		mov	[esp+28h+var_19], cl
		test	al, 2
		jz	short loc_7F2BCA
		cmp	[esi+248h], edi
		setnz	al
		dec	al
		and	al, cl
		mov	[esp+28h+var_19], al

loc_7F2BCA:				; CODE XREF: EtwpLogger(x)+1DBj
		mov	dl, cl
		mov	ecx, esi
		call	EtwpCreateLogFile
		mov	edi, eax
		mov	[esi+28h], edi
		test	edi, edi
		jns	short loc_7F2C1A
		mov	eax, [esi+0Ch]
		mov	[esp+28h+var_14], eax
		test	al, 8
		jz	short loc_7F2C1A
		push	offset _ETW_EVENT_SWITCH_TO_NEW_FILE_FAILED
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_7F2C1A
		push	[esp+28h+var_14]
		lea	eax, [esi+64h]
		push	edi
		push	eax
		lea	eax, [esi+5Ch]
		push	eax
		push	ecx
		push	ecx
		mov	ecx, offset _ETW_EVENT_SWITCH_TO_NEW_FILE_FAILED
		call	_EtwpEventWriteTemplateAdmin@32	; EtwpEventWriteTemplateAdmin(x,x,x,x,x,x,x,x)

loc_7F2C1A:				; CODE XREF: EtwpLogger(x)+1FEj
					; EtwpLogger(x)+209j ...
		push	0
		push	0
		lea	eax, [esi+164h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		test	edi, edi
		jns	short loc_7F2C39
		cmp	[esp+28h+var_19], 1
		jz	loc_7F2CC7

loc_7F2C39:				; CODE XREF: EtwpLogger(x)+1CBj
					; EtwpLogger(x)+250j
		mov	edx, [esp+28h+var_18]
		mov	ecx, esi
		call	_EtwpFlushActiveBuffers@8 ; EtwpFlushActiveBuffers(x,x)
		mov	edi, eax
		mov	eax, [ebx]
		test	al, 1
		jz	short loc_7F2C63
		test	edi, edi
		js	short loc_7F2C63
		cmp	[esp+28h+var_18], 0
		jnz	short loc_7F2C63
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_EtwpFlushActiveBuffers@8 ; EtwpFlushActiveBuffers(x,x)
		mov	edi, eax

loc_7F2C63:				; CODE XREF: EtwpLogger(x)+26Ej
					; EtwpLogger(x)+272j ...
		mov	eax, [ebx]
		test	eax, 1000h
		jz	short loc_7F2CA3
		mov	eax, 0FFFFEFFFh
		lock and [ebx],	eax
		cmp	dword ptr [esi+248h], 0
		jz	short loc_7F2CA3
		xor	dl, dl
		mov	ecx, esi
		call	EtwpFinalizeHeader
		mov	edi, eax
		test	edi, edi
		jns	short loc_7F2C91
		mov	[esi+28h], edi
		jmp	short loc_7F2CA3
; 

loc_7F2C91:				; CODE XREF: EtwpLogger(x)+2AEj
		push	dword ptr [esi+248h]
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [esi+248h], 0

loc_7F2CA3:				; CODE XREF: EtwpLogger(x)+28Ej
					; EtwpLogger(x)+29Fj ...
		cmp	[esp+28h+var_10], 0
		jz	short loc_7F2CC3
		push	0FFFFFFFBh
		pop	eax
		lock and [ebx],	eax
		push	0
		push	0
		lea	eax, [esi+164h]
		mov	[esi+28h], edi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_7F2CC3:				; CODE XREF: EtwpLogger(x)+2CCj
		test	edi, edi
		jns	short loc_7F2D01

loc_7F2CC7:				; CODE XREF: EtwpLogger(x)+161j
					; EtwpLogger(x)+257j
		push	offset _ETW_EVENT_SESSION_END_FAILED
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_7F2CF7
		push	dword ptr [esi+2Ch]
		lea	eax, [esi+64h]
		push	dword ptr [esi+0Ch]
		push	edi
		push	eax
		lea	eax, [esi+5Ch]
		push	eax
		push	ecx
		push	ecx
		call	_EtwpEventWriteTemplateSessionEnd@36 ; EtwpEventWriteTemplateSessionEnd(x,x,x,x,x,x,x,x,x)

loc_7F2CF7:				; CODE XREF: EtwpLogger(x)+303j
		mov	ecx, esi
		mov	[esi+28h], edi
		call	_EtwpStopLoggerInstance@4 ; EtwpStopLoggerInstance(x)

loc_7F2D01:				; CODE XREF: EtwpLogger(x)+10Aj
					; EtwpLogger(x)+2E9j
		xor	ecx, ecx
		cmp	[esi+0F8h], ecx
		jnz	loc_7F2A4B
		lea	ebx, [esi+164h]
		jmp	short loc_7F2D4B
; 

loc_7F2D17:				; CODE XREF: EtwpLogger(x)+37Dj
		cmp	edi, 103h
		jz	short loc_7F2D63
		xor	ecx, ecx
		cmp	[esi+0A0h], ecx
		jle	short loc_7F2D5B
		mov	eax, [esi+9Ch]
		cmp	[esi+0A0h], eax
		jle	short loc_7F2D5B
		push	offset _EtwpOneSecond
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [esi+174h]
		push	eax
		call	KeWaitForSingleObject

loc_7F2D4B:				; CODE XREF: EtwpLogger(x)+63j
					; EtwpLogger(x)+339j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_EtwpFlushActiveBuffers@8 ; EtwpFlushActiveBuffers(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_7F2D17

loc_7F2D5B:				; CODE XREF: EtwpLogger(x)+34Bj
					; EtwpLogger(x)+359j
		cmp	edi, 103h
		jnz	short loc_7F2D7E

loc_7F2D63:				; CODE XREF: EtwpLogger(x)+341j
		test	byte ptr [esi+258h], 8
		jz	short loc_7F2D79
		cmp	dword ptr [esi+110h], 0
		jnz	short loc_7F2D79
		xor	edi, edi
		jmp	short loc_7F2D7E
; 

loc_7F2D79:				; CODE XREF: EtwpLogger(x)+38Ej
					; EtwpLogger(x)+397j
		mov	edi, 0C0000001h

loc_7F2D7E:				; CODE XREF: EtwpLogger(x)+385j
					; EtwpLogger(x)+39Bj
		cmp	dword ptr [esi+248h], 0
		jz	short loc_7F2DA2
		xor	dl, dl
		mov	ecx, esi
		call	EtwpFinalizeHeader
		push	dword ptr [esi+248h]
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [esi+248h], 0

loc_7F2DA2:				; CODE XREF: EtwpLogger(x)+3A9j
		cmp	dword ptr [esi+110h], 0
		jz	short loc_7F2DC4
		mov	ecx, esi
		call	EtwpRealtimeSaveState
		push	dword ptr [esi+110h]
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [esi+110h], 0

loc_7F2DC4:				; CODE XREF: EtwpLogger(x)+3CDj
		push	0
		push	0
		push	ebx
		mov	[esi+28h], edi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		test	edi, edi
		jns	short loc_7F2DFB
		mov	ebx, (offset loc_40756C+4)
		push	ebx
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_7F2DFB
		push	ecx
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_EtwpEventWriteTemplateSession@16 ; EtwpEventWriteTemplateSession(x,x,x,x)

loc_7F2DFB:				; CODE XREF: EtwpLogger(x)+3F7j
					; EtwpLogger(x)+412j
		mov	ecx, esi
		call	_EtwpFreeLoggerContext@4 ; EtwpFreeLoggerContext(x)
		push	[esp+20h+var_4]
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		push	edi
		call	PsTerminateSystemThread
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_EtwpLogger@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpUpdateEnableMask proc near		; CODE XREF: .text:00447456p
					; .text:005ADF96p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00911CD0 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		test	dl, dl
		jnz	short loc_7F2E41
		xor	edi, edi
		lea	esi, [eax+68h]

loc_7F2E32:				; CODE XREF: EtwpUpdateEnableMask+25j
		cmp	dword ptr [esi-8], 0
		jnz	short loc_7F2E48

loc_7F2E38:				; CODE XREF: EtwpUpdateEnableMask+8Cj
					; EtwpUpdateEnableMask+11EEBCj
		inc	edi
		add	esi, 20h
		cmp	edi, 8
		jb	short loc_7F2E32

loc_7F2E41:				; CODE XREF: EtwpUpdateEnableMask+11j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7F2E48:				; CODE XREF: EtwpUpdateEnableMask+1Cj
		cmp	[ebp+arg_0], 0
		jnz	loc_911CD0

loc_7F2E52:				; CODE XREF: EtwpUpdateEnableMask+11EEC2j
		movzx	edx, word ptr [esi-2]
		mov	ecx, [eax+164h]
		and	[ebp+var_4], 0
		push	0
		call	EtwpAcquireLoggerContextByLoggerId
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_7F2EA3
		cmp	[ebp+arg_4], 0
		mov	eax, [ebx+0Ch]
		jz	short loc_7F2EA8
		test	al, al
		jns	short loc_7F2E89
		mov	edx, ebx
		mov	ecx, 200h
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	[ebp+var_4], eax

loc_7F2E89:				; CODE XREF: EtwpUpdateEnableMask+5Ej
					; EtwpUpdateEnableMask+93j ...
		xor	dl, dl
		mov	ecx, ebx
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		cmp	[ebp+var_4], 0
		jnz	short loc_7F2EA3
		mov	ecx, [ebp+arg_8]
		movzx	eax, byte ptr [ecx]
		bts	eax, edi
		mov	[ecx], al

loc_7F2EA3:				; CODE XREF: EtwpUpdateEnableMask+51j
					; EtwpUpdateEnableMask+7Cj
		mov	eax, [ebp+var_8]
		jmp	short loc_7F2E38
; 

loc_7F2EA8:				; CODE XREF: EtwpUpdateEnableMask+5Aj
		test	eax, 1000000h
		jz	short loc_7F2E89
		mov	[ebp+var_4], 0C0000022h
		jmp	short loc_7F2E89
EtwpUpdateEnableMask endp


;  S U B	R O U T	I N E 


; __fastcall EtwpReleaseLoggerContext(x, x)
@EtwpReleaseLoggerContext@8 proc near	; CODE XREF: EtwpAdjustSiloTraceBuffers(x)+EFp
					; EtwpTransitionToRealtime(x,x)+13Ep ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	dl, dl
		jnz	short loc_7F2EDB

loc_7F2EC1:				; CODE XREF: EtwpReleaseLoggerContext(x,x)+31j
		mov	eax, [esi+2E4h]
		xor	edx, edx
		mov	esi, [esi]
		inc	edx
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+esi*4]
		pop	esi
		jmp	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
; 

loc_7F2EDB:				; CODE XREF: EtwpReleaseLoggerContext(x,x)+7j
		push	0
		lea	eax, [esi+1D0h]
		push	eax
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		jmp	short loc_7F2EC1
@EtwpReleaseLoggerContext@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall EtwpCheckLoggerControlAccess(x, x)
_EtwpCheckLoggerControlAccess@8	proc near ; CODE XREF: EtwpTransitionToRealtime(x,x)+61p
					; EtwTraceRaw(x,x,x,x,x)+8Fp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	ecx, edi
		call	EtwpReferenceLoggerSecurityDescriptor
		mov	ebx, eax
		mov	edx, esi
		push	0
		mov	ecx, ebx
		call	_EtwpAccessCheck@12 ; EtwpAccessCheck(x,x,x)
		add	edi, 238h
		mov	esi, eax
		mov	ecx, [edi]
		mov	edx, ecx
		xor	edx, ebx
		cmp	edx, 7
		jnb	short loc_7F2F38

loc_7F2F1C:				; CODE XREF: EtwpCheckLoggerControlAccess(x,x)+4Aj
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jnz	short loc_7F2F2F

loc_7F2F29:				; CODE XREF: EtwpCheckLoggerControlAccess(x,x)+54j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_7F2F2F:				; CODE XREF: EtwpCheckLoggerControlAccess(x,x)+3Bj
		mov	ecx, eax
		xor	eax, ebx
		cmp	eax, 7
		jb	short loc_7F2F1C

loc_7F2F38:				; CODE XREF: EtwpCheckLoggerControlAccess(x,x)+2Ej
		push	1
		push	ebx
		call	ObDereferenceSecurityDescriptor
		jmp	short loc_7F2F29
_EtwpCheckLoggerControlAccess@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAccessCheck(x, x, x)
_EtwpAccessCheck@12 proc near		; CODE XREF: .text:00447418p
					; EtwpNotifyGuid(x,x,x)+155p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		lea	edi, [esp+28h+var_10]
		mov	[esp+28h+var_14], ecx
		stosd
		mov	ebx, edx
		xor	edx, edx
		mov	[esp+28h+var_1C], edx
		mov	[esp+28h+var_18], edx
		stosd
		stosd
		stosd
		test	esi, esi
		jnz	short loc_7F2FCE
		lea	eax, [esp+28h+var_10]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		lea	eax, [esp+28h+var_10]
		xor	edx, edx

loc_7F2F94:				; CODE XREF: EtwpAccessCheck(x,x,x)+8Ej
		lea	ecx, [esp+28h+var_1C]
		push	ecx
		lea	ecx, [esp+2Ch+var_18]
		push	ecx
		push	1
		push	offset _EtwpGenericMapping
		push	edx
		push	edx
		push	ebx
		push	edx
		push	eax
		push	[esp+4Ch+var_14]
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		test	esi, esi
		jnz	short loc_7F2FC1
		lea	eax, [esp+28h+var_10]
		push	eax
		call	SeReleaseSubjectContext

loc_7F2FC1:				; CODE XREF: EtwpAccessCheck(x,x,x)+73j
		mov	eax, [esp+28h+var_1C]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7F2FCE:				; CODE XREF: EtwpAccessCheck(x,x,x)+2Dj
		mov	eax, esi
		jmp	short loc_7F2F94
_EtwpAccessCheck@12 endp


;  S U B	R O U T	I N E 


EtwpReferenceLoggerSecurityDescriptor proc near
					; CODE XREF: EtwpCheckLoggerControlAccess(x,x)+Bp
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+294p

; FUNCTION CHUNK AT 00911CE1 SIZE 000000A5 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		lea	esi, [ecx+238h]
		mov	ebx, [esi]
		push	edi
		test	bl, 7
		jz	short loc_7F2FF1

loc_7F2FE4:				; CODE XREF: EtwpReferenceLoggerSecurityDescriptor+46j
		lea	ecx, [ebx-1]
		mov	eax, ebx
		lock cmpxchg [esi], ecx
		cmp	eax, ebx
		jnz	short loc_7F3014

loc_7F2FF1:				; CODE XREF: EtwpReferenceLoggerSecurityDescriptor+10j
					; EtwpReferenceLoggerSecurityDescriptor+48j
		push	7
		xor	edi, edi
		mov	eax, ebx
		pop	edx
		and	eax, edx
		inc	edi
		cmp	eax, edi
		jb	loc_911D2C
		and	ebx, 0FFFFFFF8h
		cmp	eax, edi
		jz	loc_911CE1

loc_7F300E:				; CODE XREF: EtwpReferenceLoggerSecurityDescriptor+11ED3Bj
					; EtwpReferenceLoggerSecurityDescriptor+11ED55j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
; 

loc_7F3014:				; CODE XREF: EtwpReferenceLoggerSecurityDescriptor+1Dj
		mov	ebx, eax
		test	al, 7
		jnz	short loc_7F2FE4
		jmp	short loc_7F2FF1
EtwpReferenceLoggerSecurityDescriptor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpFlushActiveBuffers(x, x)
_EtwpFlushActiveBuffers@8 proc near	; CODE XREF: EtwpLogger(x)+105p
					; EtwpLogger(x)+263p ...

var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_89		= byte ptr -89h
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	80h		; size_t
		xor	ebx, ebx
		mov	[ebp+var_A8], edx
		lea	eax, [ebp+var_88]
		mov	edi, ecx
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_A0], edi
		call	_memset
		add	esp, 0Ch
		cmp	[edi+248h], ebx
		jnz	short loc_7F3084
		cmp	[edi+110h], ebx
		jnz	short loc_7F3084
		cmp	[edi+84h], ebx
		jbe	short loc_7F307A
		xor	dl, dl
		mov	ecx, edi
		call	EtwpRequestFlushTimer

loc_7F307A:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+53j
		mov	eax, 103h
		jmp	loc_7F3434
; 

loc_7F3084:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+43j
					; EtwpFlushActiveBuffers(x,x)+4Bj
		mov	eax, [edi+2D0h]
		lea	edx, [ebp+var_88]
		mov	[ebp+var_90], edx
		test	eax, eax
		jz	short loc_7F30A2
		mov	edx, eax
		mov	[ebp+var_90], eax

loc_7F30A2:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+7Cj
		test	dword ptr [edi+0Ch], 40000h
		mov	esi, ebx
		mov	[ebp+var_89], bl
		jz	short loc_7F30CC
		xor	ecx, ecx
		lea	eax, [edi+58h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jz	loc_7F31F4
		xor	esi, esi
		mov	[edx], ecx
		inc	esi
		jmp	loc_7F31F4
; 

loc_7F30CC:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+95j
		mov	ecx, edi
		call	EtwpQueryUsedProcessorCount
		sub	eax, 1
		mov	[ebp+var_98], eax
		js	loc_7F31ED
		mov	edx, [ebp+var_90]
		mov	ebx, eax
		shl	ebx, 6
		mov	[ebp+var_9C], ebx

loc_7F30F3:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+1C9j
		test	dword ptr [edi+0Ch], 10000000h
		jz	short loc_7F3101
		lea	ecx, [edi+58h]
		jmp	short loc_7F311B
; 

loc_7F3101:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+DEj
		mov	eax, [edi+2E4h]
		mov	ecx, [edi]
		mov	eax, [eax+8D8h]
		mov	eax, [eax+ebx]
		lea	ecx, [eax+ecx*4]
		mov	eax, [ebp+var_98]

loc_7F311B:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+E3j
		mov	ebx, [ecx]
		mov	[ebp+var_94], ecx
		and	ebx, 0FFFFFFF8h
		jz	loc_7F31CD
		cmp	[ebp+var_A8], 0
		jz	loc_7F31BE
		mov	ecx, [edi+4]
		lea	eax, [ebx+8]
		lock xadd [eax], ecx
		cmp	ecx, [edi+4]
		ja	short loc_7F314B
		mov	[ebx+4], ecx

loc_7F314B:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+12Aj
		mov	eax, [ebp+var_94]
		mov	edi, eax
		mov	ecx, [eax]

loc_7F3155:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+150j
		mov	eax, ecx
		xor	eax, ebx
		cmp	eax, 7
		ja	short loc_7F316E
		xor	edx, edx
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_7F316E
		mov	ecx, eax
		jmp	short loc_7F3155
; 

loc_7F316E:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+140j
					; EtwpFlushActiveBuffers(x,x)+14Cj
		mov	edi, [ebp+var_A0]
		mov	edx, ecx
		and	edx, 0FFFFFFF8h
		cmp	edx, ebx
		jnz	short loc_7F319B
		and	ecx, 7
		lea	eax, [edx+0Ch]
		neg	ecx
		lock xadd [eax], ecx
		mov	ecx, edi
		call	EtwpPrepareDirtyBuffer
		jmp	short loc_7F31AA
; 

loc_7F3192:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+181j
		mov	eax, [edx+20h]
		cmp	eax, ebx
		jz	short loc_7F319F
		mov	edx, eax

loc_7F319B:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+15Fj
		test	edx, edx
		jnz	short loc_7F3192

loc_7F319F:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+17Bj
		and	dword ptr [edx+20h], 0
		mov	[ebp+var_89], 1

loc_7F31AA:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+174j
		mov	eax, [ebp+var_90]
		mov	edx, eax
		mov	[eax+esi*4], ebx
		inc	esi
		mov	eax, [ebp+var_98]
		jmp	short loc_7F31CD
; 

loc_7F31BE:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+117j
		mov	ecx, [ebx+20h]
		test	ecx, ecx
		jz	short loc_7F31CD
		mov	[edx+esi*4], ecx
		inc	esi
		and	dword ptr [ebx+20h], 0

loc_7F31CD:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+10Aj
					; EtwpFlushActiveBuffers(x,x)+1A0j ...
		mov	ebx, [ebp+var_9C]
		dec	eax
		sub	ebx, 40h
		mov	[ebp+var_98], eax
		mov	[ebp+var_9C], ebx
		test	eax, eax
		jns	loc_7F30F3
		xor	ebx, ebx

loc_7F31ED:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+C0j
		mov	ecx, edi
		call	EtwpLockUnlockBufferList

loc_7F31F4:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+A0j
					; EtwpFlushActiveBuffers(x,x)+ABj
		mov	[ebp+var_98], ebx
		test	esi, esi
		jle	loc_7F32FE
		mov	eax, [ebp+var_90]
		lea	eax, [eax+esi*4]
		add	eax, 0FFFFFFFCh
		mov	[ebp+var_9C], eax

loc_7F3214:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+2DCj
		xor	ecx, ecx
		xor	edx, edx
		inc	ecx
		mov	[ebp+var_94], edx
		cmp	esi, ecx
		jle	short loc_7F327F
		mov	ebx, [ebp+var_90]
		xor	edi, edi

loc_7F322B:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+25Bj
		mov	eax, [ebx+ecx*4]
		mov	edx, [edi+ebx]
		mov	[ebp+var_AC], eax
		mov	[ebp+var_A4], edx
		mov	eax, [eax+14h]
		cmp	eax, [edx+14h]
		mov	edx, [ebp+var_94]
		jl	short loc_7F3274
		jg	short loc_7F3267
		mov	eax, [ebp+var_AC]
		mov	ebx, [ebp+var_A4]
		mov	eax, [eax+10h]
		cmp	eax, [ebx+10h]
		mov	ebx, [ebp+var_90]
		jbe	short loc_7F3274

loc_7F3267:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+22Fj
		mov	edx, ecx
		mov	edi, ecx
		mov	[ebp+var_94], edx
		shl	edi, 2

loc_7F3274:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+22Dj
					; EtwpFlushActiveBuffers(x,x)+249j
		inc	ecx
		cmp	ecx, esi
		jl	short loc_7F322B
		mov	edi, [ebp+var_A0]

loc_7F327F:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+205j
		mov	ecx, [ebp+var_90]
		mov	ebx, [ebp+var_94]
		mov	edx, [ecx+edx*4]
		lea	eax, [edx+20h]
		mov	[ebp+var_A4], eax
		mov	eax, [eax]
		mov	[ecx+ebx*4], eax
		mov	ebx, [ebp+var_98]
		test	eax, eax
		jnz	short loc_7F32C5
		mov	eax, [ebp+var_9C]
		dec	esi
		mov	ebx, [ebp+var_94]
		sub	[ebp+var_9C], 4
		mov	eax, [eax]
		mov	[ecx+ebx*4], eax
		mov	ebx, [ebp+var_98]

loc_7F32C5:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+288j
		cmp	dword ptr [edx+0Ch], 0
		jg	short loc_7F32E6
		mov	eax, [edx+4]
		cmp	eax, 48h
		ja	short loc_7F32E6
		test	eax, eax
		jnz	short loc_7F32DD
		cmp	dword ptr [edx+8], 48h
		ja	short loc_7F32E6

loc_7F32DD:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+2B9j
		mov	ecx, edi
		call	_EtwpCompleteBuffer@8 ;	EtwpCompleteBuffer(x,x)
		jmp	short loc_7F32F6
; 

loc_7F32E6:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+2ADj
					; EtwpFlushActiveBuffers(x,x)+2B5j ...
		mov	eax, [ebp+var_A4]
		mov	[eax], ebx
		mov	ebx, eax
		mov	[ebp+var_98], ebx

loc_7F32F6:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+2C8j
		test	esi, esi
		jg	loc_7F3214

loc_7F32FE:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+1E0j
		and	[ebp+var_A0], 0
		xor	eax, eax
		mov	[ebp+var_90], eax
		test	ebx, ebx
		jz	loc_7F3416
		cmp	[ebp+var_A8], eax
		mov	esi, [ebx]
		setnz	al
		movzx	eax, ax
		mov	[ebp+var_AC], eax

loc_7F3329:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+3C5j
		test	esi, esi
		jnz	short loc_7F3336
		movzx	eax, ax
		mov	[ebp+var_A0], eax

loc_7F3336:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+30Fj
		mov	ecx, edi
		add	ebx, 0FFFFFFE0h
		call	_EtwpAdjustFreeBuffers@4 ; EtwpAdjustFreeBuffers(x)
		mov	ecx, ebx
		call	EtwpWaitForBufferReferenceCount
		mov	eax, [ebp+var_98]
		xor	ecx, ecx
		mov	[ebp+var_94], ecx
		mov	[ebp+var_9C], ecx
		mov	[eax], ecx
		test	dword ptr [edi+0Ch], 40000h
		jz	short loc_7F337E
		mov	eax, [ebx+38h]
		mov	[ebp+var_94], eax
		mov	eax, [ebx+3Ch]
		mov	[ebp+var_9C], eax
		mov	[ebx+38h], ecx
		mov	[ebx+3Ch], ecx

loc_7F337E:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+348j
		push	[ebp+var_A0]
		mov	edx, ebx
		mov	ecx, edi
		call	EtwpFlushBuffer
		test	dword ptr [edi+0Ch], 40000h
		mov	[ebp+var_A4], eax
		jz	short loc_7F33B2
		push	[ebp+var_9C]
		xor	ecx, ecx
		push	ebx
		push	eax
		mov	[ebx+34h], cx
		call	[ebp+var_94]
		jmp	short loc_7F33BB
; 

loc_7F33B2:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+37Ej
		mov	edx, ebx
		mov	ecx, edi
		call	_EtwpCompleteBuffer@8 ;	EtwpCompleteBuffer(x,x)

loc_7F33BB:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+394j
		mov	ebx, esi
		mov	[ebp+var_98], ebx
		test	esi, esi
		jz	short loc_7F33C9
		mov	esi, [esi]

loc_7F33C9:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+3A9j
		mov	eax, [ebp+var_A4]
		test	eax, eax
		jz	short loc_7F33D9
		mov	[ebp+var_90], eax

loc_7F33D9:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+3B5j
		mov	eax, [ebp+var_AC]
		test	ebx, ebx
		jnz	loc_7F3329
		cmp	dword ptr [edi+84h], 0
		jbe	short loc_7F342E
		cmp	[ebp+var_A8], 0
		jz	short loc_7F342E
		test	dword ptr [edi+0Ch], 10000000h
		jz	short loc_7F340B
		cmp	[ebp+var_89], 0
		jz	short loc_7F342E

loc_7F340B:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+3E4j
		xor	dl, dl
		mov	ecx, edi
		call	EtwpRequestFlushTimer
		jmp	short loc_7F342E
; 

loc_7F3416:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+2F3j
		cmp	[ebp+var_A8], eax
		jz	short loc_7F342E
		test	byte ptr [edi+258h], 8
		jz	short loc_7F342E
		mov	ecx, edi
		call	_EtwpRealtimeSendEmptyMarker@4 ; EtwpRealtimeSendEmptyMarker(x)

loc_7F342E:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+3D2j
					; EtwpFlushActiveBuffers(x,x)+3DBj ...
		mov	eax, [ebp+var_90]

loc_7F3434:				; CODE XREF: EtwpFlushActiveBuffers(x,x)+63j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpFlushActiveBuffers@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpFlushBuffer	proc near		; CODE XREF: EtwpFlushActiveBuffers(x,x)+36Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00911D86 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	eax, edx
		push	edi
		push	[ebp+arg_0]
		mov	ecx, 0C0000001h
		mov	[ebp+var_4], eax
		mov	edi, ecx
		mov	esi, ecx
		mov	ecx, ebx
		call	_EtwpPrepareHeader@12 ;	EtwpPrepareHeader(x,x,x)
		mov	ecx, [ebp+arg_0]
		cmp	eax, 80000022h
		setz	al
		and	cl, 1
		mov	byte ptr [ebp+var_8], al
		test	al, al
		jnz	short loc_7F34D8

loc_7F347D:				; CODE XREF: EtwpFlushBuffer+98j
		test	byte ptr [ebx+258h], 8
		jnz	short loc_7F34C0

loc_7F3486:				; CODE XREF: EtwpFlushBuffer+8Dj
					; EtwpFlushBuffer+11E94Dj
		cmp	dword ptr [ebx+248h], 0
		jz	short loc_7F34A3
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		call	EtwpFlushBufferToLogfile
		mov	esi, eax
		test	esi, esi
		js	loc_911D96

loc_7F34A3:				; CODE XREF: EtwpFlushBuffer+49j
					; EtwpFlushBuffer+11E95Dj
		test	edi, edi
		jns	short loc_7F34B7
		cmp	edi, 0C0000188h
		jz	short loc_7F34B7
		test	esi, esi
		js	loc_911DA6

loc_7F34B7:				; CODE XREF: EtwpFlushBuffer+61j
					; EtwpFlushBuffer+69j ...
		xor	eax, eax

loc_7F34B9:				; CODE XREF: EtwpFlushBuffer+11E96Cj
					; EtwpFlushBuffer+11E973j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7F34C0:				; CODE XREF: EtwpFlushBuffer+40j
		push	[ebp+var_8]
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		call	EtwpFlushBufferToRealtime
		mov	edi, eax
		test	edi, edi
		jns	short loc_7F3486
		jmp	loc_911D86
; 

loc_7F34D8:				; CODE XREF: EtwpFlushBuffer+37j
		test	cl, cl
		jz	short loc_7F34B7
		jmp	short loc_7F347D
EtwpFlushBuffer	endp


;  S U B	R O U T	I N E 


EtwpWaitForBufferReferenceCount	proc near ; CODE XREF: EtwpFlushActiveBuffers(x,x)+326p
					; EtwpBufferingModeFlush(x)+215p ...

; FUNCTION CHUNK AT 00911DBC SIZE 00000011 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi

loc_7F34E6:				; CODE XREF: EtwpWaitForBufferReferenceCount+11E8EAj
		cmp	[esi+0Ch], edi
		jnz	loc_911DBC
		pop	edi
		pop	esi
		retn
EtwpWaitForBufferReferenceCount	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAdjustFreeBuffers(x)
_EtwpAdjustFreeBuffers@4 proc near	; CODE XREF: EtwpLogger(x)+CBp
					; EtwpFlushActiveBuffers(x,x)+31Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		test	dword ptr [esi+0Ch], 40000h
		jnz	short loc_7F351F
		mov	eax, [esi+9Ch]
		mov	[ebp+var_4], eax
		call	EtwpQueryUsedProcessorCount
		mov	ebx, eax
		mov	eax, [ebp+var_4]
		cmp	eax, ebx
		jb	short loc_7F3526

loc_7F351F:				; CODE XREF: EtwpAdjustFreeBuffers(x)+14j
					; EtwpAdjustFreeBuffers(x)+41j	...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7F3526:				; CODE XREF: EtwpAdjustFreeBuffers(x)+2Bj
		sub	ebx, eax
		mov	ecx, esi
		mov	edx, ebx
		call	_EtwpAllocateFreeBuffers@8 ; EtwpAllocateFreeBuffers(x,x)
		cmp	ebx, eax
		jz	short loc_7F351F
		mov	edi, 0C0000017h
		jmp	short loc_7F351F
_EtwpAdjustFreeBuffers@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpPrepareHeader(x, x, x)
_EtwpPrepareHeader@12 proc near		; CODE XREF: EtwpAddLogHeader+44Dp
					; EtwpFlushBuffer+1Fp ...

arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_7F359F

loc_7F354B:				; CODE XREF: EtwpPrepareHeader(x,x,x)+66j
		cmp	[ebp+arg_0], 1
		mov	[esi+30h], eax
		jz	short loc_7F355A
		cmp	eax, 48h
		jz	short loc_7F35A4

loc_7F355A:				; CODE XREF: EtwpPrepareHeader(x,x,x)+17j
		mov	eax, dword ptr [ebp+arg_0]
		or	eax, 20h
		mov	[esi+34h], ax
		cmp	dword ptr [ecx+248h], 0
		jz	short loc_7F3597

loc_7F356D:				; CODE XREF: EtwpPrepareHeader(x,x,x)+5Fj
		mov	eax, [esi]
		mov	ecx, [esi+30h]
		sub	eax, ecx
		test	eax, eax
		jle	short loc_7F358A
		push	eax		; size_t
		lea	eax, [ecx+esi]
		push	0FFh		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_7F358A:				; CODE XREF: EtwpPrepareHeader(x,x,x)+3Aj
					; EtwpPrepareHeader(x,x,x)+61j
		cmp	dword ptr [esi+30h], 48h
		jz	short loc_7F35A4
		xor	eax, eax

loc_7F3592:				; CODE XREF: EtwpPrepareHeader(x,x,x)+6Dj
		pop	esi
		pop	ebp
		retn	4
; 

loc_7F3597:				; CODE XREF: EtwpPrepareHeader(x,x,x)+2Fj
		test	byte ptr [ebp+arg_0], 40h
		jz	short loc_7F356D
		jmp	short loc_7F358A
; 

loc_7F359F:				; CODE XREF: EtwpPrepareHeader(x,x,x)+Dj
		mov	eax, [esi+8]
		jmp	short loc_7F354B
; 

loc_7F35A4:				; CODE XREF: EtwpPrepareHeader(x,x,x)+1Cj
					; EtwpPrepareHeader(x,x,x)+52j
		mov	eax, 80000022h
		jmp	short loc_7F3592
_EtwpPrepareHeader@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpFlushBufferToLogfile proc near	; CODE XREF: EtwpFlushBuffer+50p
					; EtwpBufferingModeFlush(x)+268p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00911DCD SIZE 000000B8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		xor	esi, esi
		mov	[ebp+var_C], ebx
		mov	[ebp+var_10], edi
		mov	[ebp+var_1C], esi
		mov	ebx, [ebx]
		mov	[ebp+var_18], esi
		mov	[ebp+var_4], ebx
		cmp	[edi+0D8h], esi
		jbe	short loc_7F35FC
		call	_EtwpQueryMaximumFileSize@4 ; EtwpQueryMaximumFileSize(x)
		mov	esi, eax
		mov	ecx, edx
		mov	eax, ebx
		mov	[ebp+var_8], ecx
		mul	dword ptr [edi+80h]
		cmp	edx, ecx
		jb	short loc_7F35FC
		ja	loc_7F368F
		cmp	eax, esi
		jnb	loc_7F368F

loc_7F35FC:				; CODE XREF: EtwpFlushBufferToLogfile+28j
					; EtwpFlushBufferToLogfile+40j	...
		push	0
		lea	esi, [edi+90h]
		push	esi
		push	ebx
		push	[ebp+var_C]
		lea	eax, [ebp+var_1C]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	dword ptr [edi+248h]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_14], ebx
		test	ebx, ebx
		js	loc_911E4C
		mov	eax, [ebp+var_4]
		add	[esi], eax
		mov	eax, [edi+2E4h]
		adc	dword ptr [esi+4], 0
		add	eax, 8D0h
		mov	edi, [ebp+var_4]
		mov	[ebp+var_8], eax

loc_7F3644:				; CODE XREF: EtwpFlushBufferToLogfile+BBj
					; EtwpFlushBufferToLogfile+C0j
		mov	esi, [eax]
		mov	ebx, edi
		mov	edx, [eax+4]
		add	ebx, esi
		push	0
		pop	ecx
		mov	[ebp+var_C], edx
		adc	ecx, edx
		mov	eax, esi
		nop
		mov	edi, [ebp+var_8]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_4]
		cmp	eax, esi
		mov	eax, [ebp+var_8]
		jnz	short loc_7F3644
		cmp	edx, [ebp+var_C]
		jnz	short loc_7F3644
		mov	edi, [ebp+var_10]
		mov	ebx, [ebp+var_14]

loc_7F3674:				; CODE XREF: EtwpFlushBufferToLogfile+11E8B9j
					; EtwpFlushBufferToLogfile+11E8D4j
		test	ebx, ebx
		js	loc_911E34
		inc	dword ptr [edi+0B0h]
		inc	dword ptr [edi+80h]

loc_7F3688:				; CODE XREF: EtwpFlushBufferToLogfile+11E89Bj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_7F368F:				; CODE XREF: EtwpFlushBufferToLogfile+42j
					; EtwpFlushBufferToLogfile+4Aj
		mov	eax, [edi+0Ch]
		test	al, 2
		jnz	loc_911DCD
		test	al, 8
		jz	loc_911DEC
		lea	esi, [edi+25Ch]
		mov	eax, [esi]
		test	al, 1
		jnz	loc_7F35FC
		lea	eax, [edi+74h]
		push	eax
		lea	edx, [edi+0DCh]
		lea	ecx, [edi+6Ch]
		call	EtwpGenerateFileName
		xor	eax, eax
		inc	eax
		lock or	[esi], eax
		jmp	loc_7F35FC
EtwpFlushBufferToLogfile endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpFlushBufferToRealtime proc near	; CODE XREF: EtwpFlushBuffer+84p

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00911E85 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		mov	eax, 0C0000001h
		cmp	[esi+108h], ebx
		jbe	short loc_7F370C
		cmp	[esi+148h], ebx
		jnz	short loc_7F370C
		call	EtwpRealtimeDeliverBuffer
		test	eax, eax
		js	short loc_7F370C
		cmp	[ebp+arg_0], bl
		jnz	loc_911E85

loc_7F3705:				; CODE XREF: EtwpFlushBufferToRealtime+4Ej
					; EtwpFlushBufferToRealtime+11E7C3j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7F370C:				; CODE XREF: EtwpFlushBufferToRealtime+19j
					; EtwpFlushBufferToRealtime+21j ...
		cmp	[ebp+arg_0], bl
		jnz	loc_911E85
		mov	edx, edi
		mov	ecx, esi
		call	EtwpRealtimeSaveBuffer
		jmp	short loc_7F3705
EtwpFlushBufferToRealtime endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpRealtimeDeliverBuffer proc near	; CODE XREF: EtwpRealtimeSendEmptyMarker(x)+5Cp
					; EtwpFlushBufferToRealtime+23p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00911EA0 SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		xor	esi, esi
		mov	[ebp+var_1], 0
		mov	[ebp+var_2], 0
		mov	ecx, [edi+160h]
		test	ecx, ecx
		jnz	loc_911EA0

loc_7F3748:				; CODE XREF: EtwpRealtimeDeliverBuffer+11E7A1j
		lea	ecx, [edi+100h]
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	loc_7F3802

loc_7F3758:				; CODE XREF: EtwpRealtimeDeliverBuffer+A1j
		mov	ebx, eax
		mov	eax, [eax]
		mov	[ebp+var_10], eax
		movzx	eax, word ptr [edx+34h]
		mov	ecx, eax
		test	byte ptr [ebx+32h], 2
		mov	[ebp+var_C], ecx
		jnz	loc_911EC6

loc_7F3772:				; CODE XREF: EtwpRealtimeDeliverBuffer+11E7ADj
		push	edx
		mov	edx, ebx
		mov	ecx, edi
		call	EtwpRealtimeInjectEtwBuffer
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		mov	[edx+34h], cx
		test	eax, eax
		js	loc_911EE1
		mov	cl, [ebx+32h]
		mov	eax, [ebp+var_C]
		movzx	eax, ax
		test	cl, 2
		jnz	loc_911ED2

loc_7F37A0:				; CODE XREF: EtwpRealtimeDeliverBuffer+11E7BCj
		xor	edx, edx
		mov	[ebp+var_1], 1
		bt	ax, dx
		mov	edx, [ebp+var_8]
		setb	al
		and	al, cl
		test	al, 1
		jnz	short loc_7F37EB

loc_7F37B6:				; CODE XREF: EtwpRealtimeDeliverBuffer+D7j
					; EtwpRealtimeDeliverBuffer+11E7D1j
		mov	eax, [ebp+var_10]
		lea	ecx, [edi+100h]
		cmp	eax, ecx
		jnz	short loc_7F3758
		cmp	[ebp+var_1], 0
		jz	short loc_7F3802
		cmp	[ebp+var_2], 0
		jnz	short loc_7F37F9

loc_7F37CF:				; CODE XREF: EtwpRealtimeDeliverBuffer+E0j
		cmp	word ptr [edx+36h], 6
		jz	short loc_7F37DC
		inc	dword ptr [edi+0B8h]

loc_7F37DC:				; CODE XREF: EtwpRealtimeDeliverBuffer+B4j
					; EtwpRealtimeDeliverBuffer+11E7E0j
		test	esi, esi
		jnz	loc_911EF6
		xor	eax, eax

loc_7F37E6:				; CODE XREF: EtwpRealtimeDeliverBuffer+E7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7F37EB:				; CODE XREF: EtwpRealtimeDeliverBuffer+94j
					; EtwpRealtimeDeliverBuffer+11E7C6j
		mov	edx, ebx
		mov	ecx, edi
		call	_EtwpDisassociateConsumer@8 ; EtwpDisassociateConsumer(x,x)
		mov	edx, [ebp+var_8]
		jmp	short loc_7F37B6
; 

loc_7F37F9:				; CODE XREF: EtwpRealtimeDeliverBuffer+ADj
		and	dword ptr [edi+160h], 0
		jmp	short loc_7F37CF
; 

loc_7F3802:				; CODE XREF: EtwpRealtimeDeliverBuffer+32j
					; EtwpRealtimeDeliverBuffer+A7j
		mov	eax, 0C0000001h
		jmp	short loc_7F37E6
EtwpRealtimeDeliverBuffer endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpRealtimeInjectEtwBuffer proc near	; CODE XREF: EtwpRealtimeDeliverBuffer+57p
					; EtwpRealtimeNotifyConsumers+11C114p

var_54		= dword	ptr -54h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00911F05 SIZE 00000009 BYTES
; FUNCTION CHUNK AT 00911F2A SIZE 0000000C BYTES

		push	44h
		push	offset dword_6A50D0
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	ebx, ecx
		mov	[ebp+var_44], esi
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_40], edx
		mov	[ebp+var_48], edx
		push	6
		pop	eax
		mov	ecx, eax
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		xor	edi, edi
		mov	[ebp+var_38], edi
		push	6
		pop	eax
		cmp	[edx+36h], ax
		jz	loc_7F393B
		mov	[esi+2Ch], edi

loc_7F3847:				; CODE XREF: EtwpRealtimeInjectEtwBuffer+144j
		mov	ecx, [esi+0Ch]
		add	ecx, 0F0h
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_7F3958
		mov	ecx, [esi+0Ch]
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebx+0A8h]
		mov	eax, [esi+4Ch]
		mov	[eax], ecx
		mov	ecx, [ebx+0BCh]
		mov	eax, [esi+50h]
		mov	[eax], ecx
		mov	ecx, [ebx+0A4h]
		shl	ecx, 2
		mov	eax, [esi+20h]
		cmp	[eax], ecx
		jnb	loc_911F05
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [ebp+var_38]
		push	eax
		mov	edi, [ebp+var_40]
		push	dword ptr [edi+30h]
		mov	edx, esi
		call	EtwpFindUserBufferSpace
		mov	[ebp+var_3C], eax
		test	eax, eax
		js	short loc_7F390E
		mov	[ebp+ms_exc.disabled], 1
		push	dword ptr [edi+30h] ; size_t
		push	edi		; void *
		push	[ebp+var_38]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_38]
		add	eax, 20h
		mov	[ebp+var_40], eax
		mov	ebx, [esi+24h]
		mov	edi, [ebx]

loc_7F38DB:				; CODE XREF: EtwpRealtimeInjectEtwBuffer+E4j
		mov	[eax], edi
		mov	edx, edi
		mov	ecx, eax
		mov	eax, edi
		lock cmpxchg [ebx], ecx
		mov	edi, eax
		cmp	edi, edx
		mov	eax, [ebp+var_40]
		jnz	short loc_7F38DB
		mov	[ebp+var_54], edi
		mov	eax, [esi+20h]
		lock inc dword ptr [eax]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	edi, edi
		jnz	short loc_7F390E
		push	edi
		push	edi
		push	dword ptr [esi+1Ch]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_7F390E:				; CODE XREF: EtwpRealtimeInjectEtwBuffer+ABj
					; EtwpRealtimeInjectEtwBuffer+F8j ...
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [esi+0Ch]
		add	ecx, 0F0h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	eax, [ebp+var_3C]

loc_7F3929:				; CODE XREF: EtwpRealtimeInjectEtwBuffer+14Cj
					; EtwpRealtimeInjectEtwBuffer+153j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7F393B:				; CODE XREF: EtwpRealtimeInjectEtwBuffer+34j
		mov	eax, [esi+2Ch]
		inc	eax
		mov	[esi+2Ch], eax
		test	dword ptr [ebx+0Ch], 10000000h
		jnz	short loc_7F3954
		cmp	eax, 2
		jbe	loc_7F3847

loc_7F3954:				; CODE XREF: EtwpRealtimeInjectEtwBuffer+13Fj
		xor	eax, eax
		jmp	short loc_7F3929
; 

loc_7F3958:				; CODE XREF: EtwpRealtimeInjectEtwBuffer+4Dj
		mov	eax, 0C000010Ah
		jmp	short loc_7F3929
EtwpRealtimeInjectEtwBuffer endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpFindUserBufferSpace	proc near	; CODE XREF: EtwpRealtimeInjectEtwBuffer+A1p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00911F6A SIZE 0000001E BYTES

		push	10h
		push	offset dword_6A50F8
		call	__SEH_prolog4
		mov	edi, edx
		xor	esi, esi
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFh
		and	eax, 0FFFFF000h
		mov	[ebp+arg_0], eax
		shr	eax, 0Ch
		mov	[ebp+var_1C], eax
		mov	[ebp+ms_exc.disabled], esi
		lea	ecx, [edi+34h]
		push	ecx
		push	eax
		call	_RtlFindNextAlignedForwardRunClear@16 ;	RtlFindNextAlignedForwardRunClear(x,x,x,x)
		mov	ebx, eax
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_7F39E0
		push	[ebp+var_1C]
		push	ebx
		lea	eax, [edi+34h]
		push	eax
		call	RtlInterlockedSetClearRun
		test	eax, eax
		mov	eax, [ebp+arg_4]
		jz	short loc_7F39BB
		shl	ebx, 0Ch
		add	ebx, [edi+3Ch]
		mov	[eax], ebx

loc_7F39BB:				; CODE XREF: EtwpFindUserBufferSpace+51j
					; EtwpFindUserBufferSpace+83j
		mov	ebx, [ebp+var_1C]
		add	[edi+48h], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[eax], esi
		jz	short loc_7F39E5

loc_7F39CC:				; CODE XREF: EtwpFindUserBufferSpace+A7j
					; EtwpFindUserBufferSpace+11E618j ...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7F39E0:				; CODE XREF: EtwpFindUserBufferSpace+3Dj
		mov	eax, [ebp+arg_4]
		jmp	short loc_7F39BB
; 

loc_7F39E5:				; CODE XREF: EtwpFindUserBufferSpace+6Aj
		push	4
		push	1000h
		lea	ecx, [ebp+arg_0]
		push	ecx
		push	esi
		push	eax
		push	dword ptr [edi+8]
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_911F6A
		add	[edi+44h], ebx
		jmp	short loc_7F39CC
EtwpFindUserBufferSpace	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnPrefetchMetadata proc near		; CODE XREF: PfSnAsyncPrefetchStep(x,x,x)+13p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00911FA8 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], ecx
		lea	edi, [ebp+var_4C]
		mov	[ebp+var_14], edx
		stosd
		xor	esi, esi
		push	1
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], esi
		stosd
		mov	[ebp+var_10], esi
		stosd
		stosd
		mov	edi, ecx
		mov	ebx, [edi]
		mov	ecx, ebx
		mov	[ebp+var_24], ebx
		call	PfSnLogPrefetchMetadata
		test	ebx, ebx
		jz	loc_911FA8
		push	esi
		push	esi
		lea	eax, [ebp+var_64]
		mov	[ebp+var_64], 18h
		push	eax
		push	1F0003h
		lea	eax, [ebp+var_10]
		mov	[ebp+var_60], esi
		push	eax
		mov	[ebp+var_58], 200h
		mov	[ebp+var_5C], esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], esi
		call	NtCreateEvent
		mov	esi, eax
		test	esi, esi
		js	loc_7F3BAA
		mov	edx, [ebx+6Ch]
		and	[ebp+var_28], 0
		add	edx, ebx
		cmp	dword ptr [ebx+70h], 0
		mov	[ebp+var_2C], edx
		jbe	loc_7F3BA8
		lea	eax, [edx+14h]
		lea	esi, [edi+14h]
		mov	[ebp+var_C], eax

loc_7F3A9E:				; CODE XREF: PfSnPrefetchMetadata+198j
		mov	ecx, [eax-14h]
		add	ecx, edx	; wchar_t *
		mov	edx, esi	; int
		push	1		; int
		call	_PfSnFindPrefetchVolumeInfoInList@12 ; PfSnFindPrefetchVolumeInfoInList(x,x,x)
		mov	esi, eax
		mov	[ebp+var_34], esi
		test	esi, esi
		jz	loc_7F3B89
		test	byte ptr [esi+40h], 1
		jz	loc_7F3B89
		mov	eax, [ebp+var_C]
		and	[ebp+var_4], 0
		mov	edi, [ebp+var_14]
		push	4
		mov	ecx, [eax]
		lea	edx, [eax+10h]
		add	ecx, [ebp+var_2C]
		mov	[ebp+var_20], ecx
		xor	ecx, ecx
		pop	ebx

loc_7F3ADD:				; CODE XREF: PfSnPrefetchMetadata+E6j
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	eax, edi
		jnz	loc_7F3C74

loc_7F3AEA:				; CODE XREF: PfSnPrefetchMetadata+272j
		inc	ecx
		add	edx, ebx
		cmp	ecx, 7
		jb	short loc_7F3ADD
		push	[ebp+var_10]
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		push	[ebp+var_4]
		mov	edx, [esi+10h]
		push	dword ptr [esi+3Ch]
		push	[ebp+var_20]
		call	PfSnPrefetchFileMetadata
		mov	eax, [ebp+var_4]
		add	[esi+3Ch], eax
		mov	edx, [edi+28h]
		mov	[ebp+var_30], edx
		mov	[edx], ebx
		mov	ecx, [edi+34h]
		mov	eax, [edi+30h]
		and	ecx, 7
		or	ecx, 8
		and	eax, 7
		shl	ecx, 3
		mov	edi, 300h
		or	ecx, eax
		mov	[edx+4], edi
		mov	[edx+8], ecx
		xor	ecx, ecx
		add	edx, 10h

loc_7F3B3D:				; CODE XREF: PfSnPrefetchMetadata+144j
		and	dword ptr [edx+4], 0
		mov	eax, ecx
		shl	eax, 0Ch
		inc	ecx
		mov	[edx], eax
		lea	edx, [edx+8]
		cmp	ecx, edi
		jb	short loc_7F3B3D
		mov	edx, [ebp+var_C]
		xor	ecx, ecx
		mov	edi, [esi+38h]
		add	edx, 2Ch
		mov	[ebp+var_4], edi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_20], edx

loc_7F3B64:				; CODE XREF: PfSnPrefetchMetadata+174j
		mov	ebx, [ebp+var_8]
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	[ebp+var_14], eax
		jnz	short loc_7F3BCB

loc_7F3B71:				; CODE XREF: PfSnPrefetchMetadata+1C8j
					; PfSnPrefetchMetadata+265j
		inc	ecx
		add	edx, 4
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_20], edx
		cmp	ecx, 7
		jb	short loc_7F3B64
		mov	ebx, [ebp+var_24]
		mov	[esi+38h], edi
		mov	edi, [ebp+var_8]

loc_7F3B89:				; CODE XREF: PfSnPrefetchMetadata+A9j
					; PfSnPrefetchMetadata+B3j
		mov	ecx, [ebp+var_28]
		lea	esi, [edi+14h]
		mov	eax, [ebp+var_C]
		inc	ecx
		mov	edx, [ebp+var_2C]
		add	eax, 60h
		mov	[ebp+var_28], ecx
		mov	[ebp+var_C], eax
		cmp	ecx, [ebx+70h]
		jb	loc_7F3A9E

loc_7F3BA8:				; CODE XREF: PfSnPrefetchMetadata+85j
		xor	esi, esi

loc_7F3BAA:				; CODE XREF: PfSnPrefetchMetadata+6Fj
		cmp	[ebp+var_10], 0
		jz	short loc_7F3BB8
		push	[ebp+var_10]
		call	NtClose

loc_7F3BB8:				; CODE XREF: PfSnPrefetchMetadata+1A4j
					; PfSnPrefetchMetadata+11E5A3j
		mov	edx, [ebp+var_14]
		mov	ecx, ebx
		push	0
		call	PfSnLogPrefetchMetadata
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7F3BCB:				; CODE XREF: PfSnPrefetchMetadata+165j
		and	[ebp+var_18], 0
		cmp	dword ptr [edx], 0
		jbe	short loc_7F3B71
		and	[ebp+var_54], 0
		lea	eax, [ebp+var_3C]
		and	[ebp+var_50], 0
		mov	[ebp+var_64], 18h
		mov	[ebp+var_58], 240h
		mov	[ebp+var_5C], eax

loc_7F3BF0:				; CODE XREF: PfSnPrefetchMetadata+260j
		mov	eax, [esi+0Ch]
		lea	edi, [edi+4]
		lea	eax, [edi+eax*2]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [esi+24h]
		lea	edi, [ebp+var_4C]
		mov	[ebp+var_60], eax
		lea	edx, [esi+10h]
		xor	eax, eax
		stosd
		push	ecx
		mov	ecx, [ebx+4]
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_64]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	[ebp+var_30]
		call	_PfpPrefetchEntireDirectory@24 ; PfpPrefetchEntireDirectory(x,x,x,x,x,x)
		cmp	[ebp+var_4C], 0
		jz	short loc_7F3C4F
		mov	eax, [ebx+40h]
		cmp	eax, [ebx+44h]
		jnb	short loc_7F3C4F
		mov	eax, [ebx+40h]
		lea	esi, [ebp+var_4C]
		mov	edi, [ebx+3Ch]
		shl	eax, 4
		add	edi, eax
		movsd
		movsd
		movsd
		movsd
		inc	dword ptr [ebx+40h]
		mov	esi, [ebp+var_34]

loc_7F3C4F:				; CODE XREF: PfSnPrefetchMetadata+223j
					; PfSnPrefetchMetadata+22Bj
		mov	edi, [ebp+var_4]
		mov	edx, [ebp+var_20]
		movzx	eax, word ptr [edi]
		lea	edi, [edi+eax*2]
		mov	eax, [ebp+var_18]
		add	edi, 4
		inc	eax
		mov	[ebp+var_4], edi
		mov	[ebp+var_18], eax
		cmp	eax, [edx]
		jb	short loc_7F3BF0
		mov	ecx, [ebp+var_1C]
		jmp	loc_7F3B71
; 

loc_7F3C74:				; CODE XREF: PfSnPrefetchMetadata+DAj
		mov	eax, [edx+1Ch]
		add	eax, [edx]
		add	[ebp+var_4], eax
		jmp	loc_7F3AEA
PfSnPrefetchMetadata endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpPrefetchEntireDirectory(x, x, x,	x, x, x)
_PfpPrefetchEntireDirectory@24 proc near ; CODE	XREF: PfSnPrefetchMetadata+21Ap

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], 2
		push	edx
		push	edi
		push	4021h
		push	100001h
		push	dword ptr [eax+4]
		mov	ebx, ecx
		mov	[ebp+var_8], edi
		push	dword ptr [eax+8]
		mov	edx, ebx
		mov	[ebp+var_4], edi
		lea	ecx, [ebp+var_24]
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		call	PfpOpenHandleCreate
		mov	esi, eax
		test	esi, esi
		js	short loc_7F3D40
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_7F3D13
		push	1
		lea	eax, [ebp+arg_8]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		mov	edi, [ebp+var_20]
		mov	ecx, edi
		push	8
		push	6
		pop	edx
		call	IopQueryXxxInformation
		test	eax, eax
		js	short loc_7F3D11
		mov	eax, [ebp+var_8]
		mov	[esi+8], eax
		mov	eax, [ebp+var_4]
		mov	[esi+0Ch], eax
		mov	eax, [edi+0Ch]
		mov	[esi], eax
		mov	eax, [ebp+var_18]
		mov	[esi+4], eax

loc_7F3D11:				; CODE XREF: PfpPrefetchEntireDirectory(x,x,x,x,x,x)+76j
		xor	edi, edi

loc_7F3D13:				; CODE XREF: PfpPrefetchEntireDirectory(x,x,x,x,x,x)+58j
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	edi
		push	edi
		push	edi
		mov	eax, [ecx+4]
		lea	eax, ds:10h[eax*8]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_24]
		lea	eax, [ebp+var_10]
		push	90120h
		push	eax
		push	edi
		push	edi
		call	_IopXxxControlFile@44 ;	IopXxxControlFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_7F3D59

loc_7F3D40:				; CODE XREF: PfpPrefetchEntireDirectory(x,x,x,x,x,x)+51j
					; PfpPrefetchEntireDirectory(x,x,x,x,x,x)+D9j
		test	byte ptr [ebp+var_14], 4
		jz	short loc_7F3D50
		mov	edx, ebx
		lea	ecx, [ebp+var_24]
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)

loc_7F3D50:				; CODE XREF: PfpPrefetchEntireDirectory(x,x,x,x,x,x)+C2j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7F3D59:				; CODE XREF: PfpPrefetchEntireDirectory(x,x,x,x,x,x)+BCj
		mov	esi, edi
		jmp	short loc_7F3D40
_PfpPrefetchEntireDirectory@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpFileBuildReadSupport	proc near	; CODE XREF: PfpPrefetchFilesTrickle+C3p
					; PfpPrefetchFiles(x,x)+1A2p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00911FB2 SIZE 00000083 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		xor	eax, eax
		mov	[ebp+var_8], ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_2C], eax
		lea	edi, [ebp+var_58]
		mov	[ebp+var_28], eax
		mov	ebx, edx
		mov	[ebp+var_18], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		push	6
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	edi, [ebp+var_8]
		test	al, al
		mov	[ebp+var_30], 2
		setz	cl
		dec	ecx
		and	ecx, 0FFFFFF9Fh
		mov	edx, [edi+4]
		add	ecx, 81h
		mov	[ebp+var_1C], ecx
		xor	ecx, ecx
		test	al, al
		mov	eax, ebx
		setz	cl
		dec	ecx
		and	ecx, 0D000000h
		add	ecx, 4000000h
		mov	[ebp+var_24], ecx
		mov	ecx, [edi]
		sub	eax, [ecx+24h]
		sub	eax, ecx
		sar	eax, 5
		imul	eax, 14h
		add	eax, edx
		mov	[ebp+var_20], eax
		test	edx, edx
		jnz	loc_911FB2

loc_7F3DED:				; CODE XREF: PfpFileBuildReadSupport+11E258j
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_58]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_2C]
		mov	ecx, edi
		push	eax
		push	esi
		call	PfpFileSetupObjectAttributes
		mov	edx, [edi+14h]
		lea	ecx, [ebp+var_40]
		imul	eax, esi, 28h
		add	eax, [edi+8]
		push	eax
		push	80h
		push	[ebp+var_18]
		push	[ebp+var_1C]
		push	[ebp+var_54]
		push	[ebp+var_50]
		call	PfpOpenHandleCreate
		mov	esi, eax
		test	esi, esi
		js	loc_7F3EF3
		mov	ecx, [ebp+var_40]
		mov	edx, 5300h
		call	PfpFileCheckAttributesForPrefetch
		mov	esi, eax
		test	esi, esi
		js	loc_7F3F20
		xor	ecx, ecx
		cmp	[edi+4], ecx
		jnz	loc_911FC3

loc_7F3E55:				; CODE XREF: PfpFileBuildReadSupport+11E279j
		test	byte ptr [ebx],	1
		jz	short loc_7F3E64
		cmp	byte ptr [ebp+arg_4], 0
		jz	loc_911FDC

loc_7F3E64:				; CODE XREF: PfpFileBuildReadSupport+FAj
					; PfpFileBuildReadSupport+11E287j
		push	[ebp+var_40]
		lea	eax, [ebp+var_58]
		mov	[ebp+var_58], 18h
		push	[ebp+var_24]
		mov	[ebp+var_54], ecx
		push	2
		push	ecx
		push	eax
		push	5
		lea	eax, [ebp+var_C]
		mov	[ebp+var_4C], 240h
		push	eax
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], ecx
		call	NtCreateSection
		mov	esi, eax
		test	esi, esi
		js	loc_911FF5
		lea	eax, [ebp+var_10]
		mov	edx, ebx
		push	eax
		push	[ebp+arg_4]
		mov	ecx, edi
		call	PfpFileBuildReadList
		mov	esi, eax
		test	esi, esi
		js	loc_912010
		mov	edx, [ebp+arg_8]
		lea	esi, [ebp+var_40]
		mov	eax, [ebp+var_C]
		push	5
		pop	ecx
		lea	edi, [edx+4]
		mov	[edx+18h], eax
		mov	eax, [ebp+var_10]
		rep movsd
		xor	ecx, ecx
		mov	[ebp+var_30], 2
		mov	[ebp+var_40], ecx
		mov	esi, ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_C], ecx
		mov	[edx], eax
		mov	[ebp+var_14], ecx
		mov	[edx+1Ch], ebx

loc_7F3EF3:				; CODE XREF: PfpFileBuildReadSupport+CFj
					; PfpFileBuildReadSupport+11E292j ...
		test	byte ptr [ebp+var_30], 1
		jnz	short loc_7F3F20
		mov	edi, [ebp+var_8]

loc_7F3EFC:				; CODE XREF: PfpFileBuildReadSupport+1C9j
					; PfpFileBuildReadSupport+1D5j
		cmp	[ebp+var_C], 0
		jnz	loc_91201B

loc_7F3F06:				; CODE XREF: PfpFileBuildReadSupport+11E2C5j
		test	byte ptr [ebp+var_30], 4
		jnz	short loc_7F3F35

loc_7F3F0C:				; CODE XREF: PfpFileBuildReadSupport+1E2j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_912028

loc_7F3F17:				; CODE XREF: PfpFileBuildReadSupport+11E2D2j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7F3F20:				; CODE XREF: PfpFileBuildReadSupport+E6j
					; PfpFileBuildReadSupport+199j	...
		mov	eax, [ebx]
		mov	edi, [ebp+var_8]
		test	al, 8
		jnz	short loc_7F3EFC
		or	eax, 8
		mov	[ebx], eax
		mov	eax, [edi]
		inc	dword ptr [eax+64h]
		jmp	short loc_7F3EFC
; 

loc_7F3F35:				; CODE XREF: PfpFileBuildReadSupport+1ACj
		mov	edx, [edi+14h]
		lea	ecx, [ebp+var_40]
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)
		jmp	short loc_7F3F0C
PfpFileBuildReadSupport	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtNotifyChangeKey(x, x, x, x, x, x,	x, x, x, x)
_NtNotifyChangeKey@40 proc near		; CODE XREF: ExpWatchProductTypeInitialization+35Bp
					; ExpWatchProductTypeInitialization+14BD0p
					; DATA XREF: ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	0
		push	0
		push	[ebp+arg_0]
		call	NtNotifyChangeMultipleKeys
		pop	ebp
		retn	28h
_NtNotifyChangeKey@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtNotifyChangeMultipleKeys proc	near	; CODE XREF: ExpWatchProductTypeWork+2FEp
					; NtNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)+27p ...

var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E1		= byte ptr -0E1h
var_E0		= dword	ptr -0E0h
var_DA		= byte ptr -0DAh
var_D9		= byte ptr -0D9h
var_D8		= dword	ptr -0D8h
var_9C		= dword	ptr -9Ch
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_5C		= dword	ptr -5Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= byte ptr  34h

; FUNCTION CHUNK AT 00912035 SIZE 00000019 BYTES
; FUNCTION CHUNK AT 00912079 SIZE 0000029E BYTES
; FUNCTION CHUNK AT 00912349 SIZE 00000124 BYTES

		push	110h
		push	offset dword_6A5118
		call	__SEH_prolog4_GS
		mov	ebx, [ebp+arg_10]
		mov	[ebp+var_104], ebx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_E0], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_110], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_114], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_10C], eax
		mov	esi, [ebp+arg_24]
		xor	ecx, ecx
		mov	[ebp+var_F4], ecx
		mov	[ebp+var_FC], ecx
		mov	[ebp+var_E8], ecx
		mov	[ebp+var_F0], 1
		push	0B4h		; size_t
		push	ecx		; int
		lea	eax, [ebp+var_D8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		and	[ebp+var_F8], 0
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_E1], al
		test	al, al
		jz	loc_912035
		mov	edi, [ebp+arg_4]
		cmp	edi, 1
		ja	loc_91203F
		setz	[ebp+var_DA]
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_D9], al
		mov	byte ptr [ebp+var_100],	al
		test	al, al
		jz	loc_7F4334
		test	[ebp+arg_1C], 10000000h
		jz	loc_7F4282
		cmp	[ebp+arg_2C], 0
		jz	loc_91203F
		test	ebx, ebx
		jnz	loc_91203F
		cmp	[ebp+var_114], ebx
		jz	loc_91203F
		mov	[ebp+var_F0], 4

loc_7F4066:				; CODE XREF: NtNotifyChangeMultipleKeys+344j
					; NtNotifyChangeMultipleKeys+354j ...
		mov	eax, [ebp+arg_1C]
		and	eax, 1000000Fh
		cmp	[ebp+arg_1C], eax
		jnz	loc_912079
		push	0
		lea	eax, [ebp+var_F4]
		push	eax
		mov	eax, [ebp+var_100]
		mov	[ebp+var_108], eax
		push	eax
		push	ecx
		push	10h
		pop	edx
		mov	ecx, [ebp+var_E0]
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_91207E
		xor	ecx, ecx
		mov	ebx, ecx
		mov	[ebp+var_E0], ebx
		mov	[ebp+var_EC], ebx
		cmp	edi, 1
		jz	loc_7F436F

loc_7F40BF:				; CODE XREF: NtNotifyChangeMultipleKeys+486j
		push	ecx
		push	ecx
		mov	edx, 10000h
		mov	ecx, [ebp+var_F0]
		call	CmpAllocatePostBlock
		mov	esi, eax
		mov	[ebp+var_110], esi
		test	esi, esi
		jz	loc_91209B
		cmp	edi, 1
		jz	loc_7F43FD

loc_7F40EA:				; CODE XREF: NtNotifyChangeMultipleKeys+4A4j
		mov	ebx, [ebp+var_F0]
		cmp	ebx, 1
		jz	loc_9120EA
		mov	ecx, [ebp+var_114]
		test	ecx, ecx
		jz	short loc_7F4143
		mov	eax, ds:_ExEventObjectType
		and	[ebp+var_100], 0
		push	0
		lea	edx, [ebp+var_100]
		push	edx
		push	[ebp+var_108]
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_100]
		mov	[ebp+var_FC], eax
		test	edi, edi
		js	loc_9120C1
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_7F4143:				; CODE XREF: NtNotifyChangeMultipleKeys+18Fj
		mov	ecx, [ebp+var_FC]
		mov	eax, [esi+20h]
		cmp	ebx, 2
		jz	loc_7F42CB
		mov	[eax], ecx
		mov	edi, [ebp+var_E0]
		cmp	ebx, 4
		jnz	loc_7F4355

loc_7F4166:				; CODE XREF: NtNotifyChangeMultipleKeys+3BDj
					; NtNotifyChangeMultipleKeys+3F8j ...
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ebx, [ebp+var_F4]
		add	ebx, 8
		mov	ecx, [ebx]
		cmp	[ebp+arg_4], 1
		jz	loc_7F4421
		call	_CmpLockKcbShared@4 ; CmpLockKcbShared(x)

loc_7F4185:				; CODE XREF: NtNotifyChangeMultipleKeys+4B7j
		xor	edx, edx
		mov	ecx, [ebp+var_F4]
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_912420
		mov	eax, [ebp+arg_4]
		cmp	eax, 1
		jz	loc_7F442E

loc_7F41A6:				; CODE XREF: NtNotifyChangeMultipleKeys+4D3j
					; NtNotifyChangeMultipleKeys+4ECj
		mov	ecx, [ebx]
		mov	ecx, [ecx+10h]
		call	_CmLockHive@4	; CmLockHive(x)
		xor	eax, eax
		inc	eax
		mov	[ebp+var_EC], eax

loc_7F41B9:				; CODE XREF: NtNotifyChangeMultipleKeys+518j
		mov	ecx, offset _CmpPostLock
		call	ExAcquireFastMutexUnsafe
		push	esi
		push	ecx
		push	ecx
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		mov	edx, esi
		mov	ecx, [ebp+var_F4]
		call	CmpNotifyChangeKey
		mov	edi, eax
		test	edi, edi
		js	loc_9120F5
		mov	al, [ebp+var_DA]
		mov	[ebp+var_D9], al
		cmp	[ebp+arg_4], 1
		jz	loc_7F448F

loc_7F41F9:				; CODE XREF: NtNotifyChangeMultipleKeys+55Aj
					; NtNotifyChangeMultipleKeys+11E21Ej ...
		mov	ecx, offset _CmpPostLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	eax, [ebp+var_EC]
		cmp	eax, 1
		jnz	loc_7F44D7

loc_7F4212:				; CODE XREF: NtNotifyChangeMultipleKeys+5C9j
		mov	ecx, [ebx]
		mov	ecx, [ecx+10h]

loc_7F4217:				; CODE XREF: NtNotifyChangeMultipleKeys+583j
		call	_CmUnlockHive@4	; CmUnlockHive(x)

loc_7F421C:				; CODE XREF: NtNotifyChangeMultipleKeys+56Dj
		mov	ecx, [ebx]
		cmp	[ebp+arg_4], 1
		jz	loc_7F44FA
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)

loc_7F422D:				; CODE XREF: NtNotifyChangeMultipleKeys+596j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	eax, [ebp+var_E0]
		test	eax, eax
		jnz	loc_7F450D

loc_7F4240:				; CODE XREF: NtNotifyChangeMultipleKeys+5A2j
		test	edi, edi
		js	loc_912401
		cmp	[ebp+var_F0], 1
		jz	loc_9121F9

loc_7F4255:				; CODE XREF: NtNotifyChangeMultipleKeys+457j
					; NtNotifyChangeMultipleKeys+11E124j ...
		mov	ecx, [ebp+var_F4]
		call	ObfDereferenceObject
		cmp	[ebp+var_E1], 0
		jz	short loc_7F426E
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_7F426E:				; CODE XREF: NtNotifyChangeMultipleKeys+2F5j
		mov	eax, edi

loc_7F4270:				; CODE XREF: NtNotifyChangeMultipleKeys+11E0C8j
					; NtNotifyChangeMultipleKeys+11E0D7j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	30h
; 

loc_7F4282:				; CODE XREF: NtNotifyChangeMultipleKeys+C6j
		and	[ebp+ms_exc.disabled], 0
		push	4
		push	8
		mov	ebx, [ebp+var_10C]
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	4
		push	[ebp+arg_28]
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	dword ptr [ebx], 103h
		and	dword ptr [ebx+4], 0
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+arg_2C], 0
		jz	loc_7F4066
		mov	[ebp+var_F0], 2
		jmp	loc_7F4066
; 

loc_7F42CB:				; CODE XREF: NtNotifyChangeMultipleKeys+1DDj
		mov	edx, [ebp+var_10C]
		mov	[eax+38h], edx
		mov	eax, [esi+20h]
		mov	[eax+4], ecx
		mov	edx, [ebp+var_104]
		test	edx, edx
		jnz	short loc_7F42E9
		mov	edx, offset _CmpDummyApc@12 ; CmpDummyApc(x,x,x)

loc_7F42E9:				; CODE XREF: NtNotifyChangeMultipleKeys+370j
		mov	ecx, large fs:124h
		push	[ebp+arg_14]
		cmp	[ebp+var_104], 0
		setz	al
		dec	al
		and	al, [ebp+var_D9]
		movzx	eax, al
		push	eax
		push	edx
		push	offset _CmpPostApcRunDown@4 ; CmpPostApcRunDown(x)
		push	offset CmpPostApc
		push	2
		push	ecx
		mov	eax, [esi+20h]
		add	eax, 8
		push	eax
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		mov	edi, [ebp+var_EC]
		mov	[ebp+var_E0], edi
		jmp	loc_7F4166
; 

loc_7F4334:				; CODE XREF: NtNotifyChangeMultipleKeys+B9j
		cmp	[ebp+arg_2C], 0
		jz	loc_7F4066
		mov	[ebp+var_F0], 3
		test	edi, edi
		jz	loc_7F4066
		jmp	loc_91203F
; 

loc_7F4355:				; CODE XREF: NtNotifyChangeMultipleKeys+1EEj
		mov	eax, [esi+20h]
		mov	edx, [ebp+var_104]
		mov	[eax+4], edx
		mov	ecx, [esi+20h]
		mov	eax, [ebp+arg_14]
		mov	[ecx+8], eax
		jmp	loc_7F4166
; 

loc_7F436F:				; CODE XREF: NtNotifyChangeMultipleKeys+147j
		or	[ebp+var_9C], 0FFFFFFFFh
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], ecx
		lea	eax, [ebp+var_80]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_80], eax
		push	38h		; size_t
		push	ecx		; int
		lea	eax, [ebp+var_5C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_EC]
		push	eax
		lea	eax, [ebp+var_D8]
		push	eax
		push	[ebp+var_108]
		push	ecx
		push	10h
		xor	edx, edx
		mov	ecx, [ebp+var_110]
		call	_CmObReferenceObjectByName@28 ;	CmObReferenceObjectByName(x,x,x,x,x,x,x)
		mov	edi, eax
		xor	dl, dl
		lea	ecx, [ebp+var_D8]
		call	CmpCleanupParseContext
		test	edi, edi
		js	loc_7F4255
		mov	ebx, [ebp+var_EC]
		mov	[ebp+var_E0], ebx
		mov	edx, [ebx+8]
		mov	eax, [ebp+var_F4]
		mov	eax, [eax+8]
		mov	eax, [eax+10h]
		cmp	eax, [edx+10h]
		jz	loc_91208A
		mov	edi, [ebp+arg_4]
		xor	ecx, ecx
		jmp	loc_7F40BF
; 

loc_7F43FD:				; CODE XREF: NtNotifyChangeMultipleKeys+172j
		push	esi
		push	ebx
		xor	edx, edx
		mov	ecx, [ebp+var_F0]
		call	CmpAllocatePostBlock
		mov	edi, eax
		mov	[ebp+var_E8], edi
		test	edi, edi
		jnz	loc_7F40EA
		jmp	loc_9120A9
; 

loc_7F4421:				; CODE XREF: NtNotifyChangeMultipleKeys+208j
		mov	edx, [edi+8]
		call	_CmpLockTwoKcbsShared@8	; CmpLockTwoKcbsShared(x,x)
		jmp	loc_7F4185
; 

loc_7F442E:				; CODE XREF: NtNotifyChangeMultipleKeys+22Ej
		xor	edx, edx
		mov	ecx, edi
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_912420
		mov	eax, [ebp+arg_4]
		cmp	eax, 1
		jnz	loc_7F41A6
		mov	eax, [ebx]
		mov	ecx, [eax+10h]
		mov	eax, [edi+8]
		mov	eax, [eax+10h]
		cmp	ecx, eax
		jb	loc_7F4519
		jz	loc_7F41A6
		mov	ecx, eax
		call	_CmLockHive@4	; CmLockHive(x)
		mov	ecx, [ebx]
		mov	ecx, [ecx+10h]
		call	_CmLockHive@4	; CmLockHive(x)
		push	3

loc_7F4477:				; CODE XREF: NtNotifyChangeMultipleKeys+5B9j
		pop	eax
		mov	[ebp+var_EC], eax
		mov	eax, [edi+8]
		mov	eax, [eax+10h]
		mov	[ebp+var_F8], eax
		jmp	loc_7F41B9
; 

loc_7F448F:				; CODE XREF: NtNotifyChangeMultipleKeys+281j
		mov	ecx, [ebp+var_E0]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		test	edi, edi
		jz	loc_91217E
		push	esi
		push	ecx
		push	ecx
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		mov	edx, [ebp+var_E8]
		mov	ecx, [ebp+var_E0]
		call	CmpNotifyChangeKey
		mov	edi, eax
		mov	al, [ebp+var_DA]
		mov	[ebp+var_D9], al
		test	edi, edi
		jns	loc_7F41F9
		jmp	loc_912195
; 

loc_7F44D7:				; CODE XREF: NtNotifyChangeMultipleKeys+29Aj
		cmp	eax, 2
		jz	short loc_7F4530
		cmp	eax, 3
		jnz	loc_7F421C
		mov	ecx, [ebx]
		mov	ecx, [ecx+10h]
		call	_CmUnlockHive@4	; CmUnlockHive(x)
		mov	ecx, [ebp+var_F8]
		jmp	loc_7F4217
; 

loc_7F44FA:				; CODE XREF: NtNotifyChangeMultipleKeys+2B0j
		mov	eax, [ebp+var_E0]
		mov	edx, [eax+8]
		call	CmpUnlockTwoKcbs
		jmp	loc_7F422D
; 

loc_7F450D:				; CODE XREF: NtNotifyChangeMultipleKeys+2C8j
		mov	ecx, eax
		call	ObfDereferenceObject
		jmp	loc_7F4240
; 

loc_7F4519:				; CODE XREF: NtNotifyChangeMultipleKeys+4E6j
		call	_CmLockHive@4	; CmLockHive(x)
		mov	ecx, [edi+8]
		mov	ecx, [ecx+10h]
		call	_CmLockHive@4	; CmLockHive(x)
		push	2
		jmp	loc_7F4477
; 

loc_7F4530:				; CODE XREF: NtNotifyChangeMultipleKeys+568j
		mov	ecx, [ebp+var_F8]
		call	_CmUnlockHive@4	; CmUnlockHive(x)
		jmp	loc_7F4212
NtNotifyChangeMultipleKeys endp


;  S U B	R O U T	I N E 


; __stdcall CmUnlockHive(x)
_CmUnlockHive@4	proc near		; CODE XREF: NtNotifyChangeMultipleKeys:loc_7F4217p
					; NtNotifyChangeMultipleKeys+578p ...
		mov	edi, edi
		push	esi
		lea	esi, [ecx+448h]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_7F455E

loc_7F4556:				; CODE XREF: CmUnlockHive(x)+25j
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
; 

loc_7F455E:				; CODE XREF: CmUnlockHive(x)+14j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_7F4556
_CmUnlockHive@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpNotifyChangeKey proc	near		; CODE XREF: NtNotifyChangeMultipleKeys+262p
					; NtNotifyChangeMultipleKeys+545p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= byte ptr -28h
var_27		= byte ptr -27h
var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0091246D SIZE 00000083 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_34], eax
		mov	ebx, ecx
		xor	edx, edx
		mov	[ebp+var_20], ebx
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_91246D
		mov	eax, [ebx+8]
		mov	ebx, [ebx+0Ch]
		mov	[ebp+var_24], ebx
		mov	esi, [eax+10h]
		test	ebx, ebx
		jnz	loc_7F467A
		push	626E4D43h
		push	2Ch
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	ebx, eax
		mov	[ebp+var_24], ebx
		test	ebx, ebx
		jz	loc_91247E
		mov	edx, [ebp+var_20]
		movzx	ecx, [ebp+arg_4]
		and	ecx, 1
		shl	ecx, 1Eh
		mov	eax, [edx+8]
		mov	[ebx+10h], eax
		mov	eax, [ebp+arg_0]
		and	eax, 3FFFFFFFh
		or	ecx, eax
		lea	eax, [ebx+8]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+1Ch]
		push	eax
		mov	eax, large fs:124h
		mov	[ebx+18h], ecx
		mov	[edx+0Ch], ebx
		mov	[ebx+14h], edx
		mov	eax, [eax+80h]
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	eax, [esi+418h]
		add	esi, 418h
		test	eax, eax
		jz	short loc_7F465D
		mov	ecx, [ebp+var_20]
		mov	ecx, [ecx+8]
		mov	edx, [ecx+4]
		shr	edx, 15h
		and	edx, 3FFh
		lea	ecx, [ecx+0]

loc_7F4640:				; CODE XREF: CmpNotifyChangeKey+EBj
		mov	ecx, [eax+10h]
		mov	esi, eax
		mov	ecx, [ecx+4]
		shr	ecx, 15h
		and	ecx, 3FFh
		cmp	ecx, edx
		ja	short loc_7F466A
		mov	ecx, [eax]
		mov	eax, ecx
		test	ecx, ecx
		jnz	short loc_7F4640

loc_7F465D:				; CODE XREF: CmpNotifyChangeKey+B9j
		mov	[esi], ebx
		mov	dword ptr [ebx], 0
		mov	[ebx+4], esi
		jmp	short loc_7F467A
; 

loc_7F466A:				; CODE XREF: CmpNotifyChangeKey+E3j
		mov	[ebx], eax
		mov	ecx, [eax+4]
		mov	[ecx], ebx
		mov	ecx, [eax+4]
		mov	[ebx+4], ecx
		mov	[eax+4], ebx

loc_7F467A:				; CODE XREF: CmpNotifyChangeKey+3Fj
					; CmpNotifyChangeKey+F8j
		mov	ecx, [ebx+8]
		lea	eax, [ebx+8]
		cmp	[ecx+4], eax
		jnz	loc_7F47C6
		mov	[edi+4], eax
		mov	[edi], ecx
		mov	[ecx+4], edi
		mov	[eax], edi
		lea	eax, [edi+10h]
		test	dword ptr [edi+1Ch], 10000h
		jz	loc_7F4789
		mov	[eax+4], eax
		mov	[eax], eax

loc_7F46A8:				; CODE XREF: CmpNotifyChangeKey+230j
		mov	eax, [edi+1Ch]
		and	eax, 0FFFFh
		cmp	eax, 4
		jnz	short loc_7F4708

loc_7F46B5:				; CODE XREF: CmpNotifyChangeKey+19Bj
		mov	ecx, ds:dword_A93340
		lea	eax, [edi+8]
		cmp	dword ptr [ecx], offset	_CmpAsyncKernelPostList
		jnz	loc_7F47C6
		mov	dword ptr [eax], offset	_CmpAsyncKernelPostList
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:dword_A93340, eax

loc_7F46DA:				; CODE XREF: CmpNotifyChangeKey+1ECj
		test	ds:dword_70EFC8, 2000000h
		jnz	loc_91248F

loc_7F46EA:				; CODE XREF: CmpNotifyChangeKey+11DF7Bj
		cmp	dword ptr [ebx+18h], 0
		jl	short loc_7F4761
		mov	eax, 103h

loc_7F46F5:				; CODE XREF: CmpNotifyChangeKey+11DF09j
					; CmpNotifyChangeKey+11DF1Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F4708:				; CODE XREF: CmpNotifyChangeKey+143j
		cmp	eax, 3
		jz	short loc_7F46B5
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, large fs:124h
		mov	bl, al
		call	_PsInvalidateStartAddress@4 ; PsInvalidateStartAddress(x)
		test	dword ptr [edi+1Ch], 10000h
		lea	edx, [edi+8]
		jz	short loc_7F47A5
		mov	ecx, large fs:124h
		mov	eax, [ecx+294h]
		add	ecx, 294h
		cmp	[eax+4], ecx
		jnz	short loc_7F47C6
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[eax+4], edx
		mov	[ecx], edx

loc_7F4751:				; CODE XREF: CmpNotifyChangeKey+254j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+var_24]
		jmp	loc_7F46DA
; 

loc_7F4761:				; CODE XREF: CmpNotifyChangeKey+17Ej
		push	0
		push	0
		push	1
		push	10Ch
		push	ecx
		mov	ecx, ebx
		call	CmpPostNotify
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F4789:				; CODE XREF: CmpNotifyChangeKey+12Dj
		mov	ecx, [ebp+var_34]
		add	ecx, 10h
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_7F47C6
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		jmp	loc_7F46A8
; 

loc_7F47A5:				; CODE XREF: CmpNotifyChangeKey+1BDj
		mov	eax, large fs:124h
		mov	ecx, [eax+298h]
		add	eax, 294h
		cmp	[ecx], eax
		jnz	short loc_7F47C6
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[eax+4], edx
		jmp	short loc_7F4751
; 

loc_7F47C6:				; CODE XREF: CmpNotifyChangeKey+113j
					; CmpNotifyChangeKey+154j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall CmLockHive(x)
_CmLockHive@4:				; CODE XREF: NtNotifyChangeMultipleKeys+239p
					; NtNotifyChangeMultipleKeys+4F4p ...
		add	ecx, 448h
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
CmpNotifyChangeKey endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpAllocatePostBlock proc near		; CODE XREF: NtNotifyChangeMultipleKeys+15Ap
					; NtNotifyChangeMultipleKeys+495p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009124F0 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	62704D43h
		push	24h
		push	9
		pop	ebx
		push	ebx
		mov	[ebp+var_4], edx
		mov	edi, ecx
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		test	esi, esi
		jz	loc_7F4896
		mov	eax, edi
		or	eax, [ebp+var_4]
		mov	[esi+1Ch], eax
		test	eax, 10000h
		jz	short loc_7F485F
		and	dword ptr [esi+18h], 0
		cmp	edi, 4
		jnz	short loc_7F484A

loc_7F481C:				; CODE XREF: CmpAllocatePostBlock+71j
					; CmpAllocatePostBlock+78j
		push	34344D43h
		push	3Ch
		push	ebx
		call	ExAllocatePoolWithQuotaTag
		mov	ecx, eax
		mov	[esi+20h], ecx
		test	ecx, ecx
		jz	short loc_7F488E
		sub	edi, 1
		jz	loc_9124F0
		dec	edi
		sub	edi, 1
		jz	short loc_7F4856

loc_7F4841:				; CODE XREF: CmpAllocatePostBlock+81j
					; CmpAllocatePostBlock+B0j ...
		mov	eax, esi

loc_7F4843:				; CODE XREF: CmpAllocatePostBlock+BCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7F484A:				; CODE XREF: CmpAllocatePostBlock+3Ej
		cmp	edi, 3
		jz	short loc_7F481C
		mov	ebx, 208h
		jmp	short loc_7F481C
; 

loc_7F4856:				; CODE XREF: CmpAllocatePostBlock+63j
		mov	edi, ecx
		xor	eax, eax
		stosd
		stosd
		stosd
		jmp	short loc_7F4841
; 

loc_7F485F:				; CODE XREF: CmpAllocatePostBlock+35j
		mov	eax, [ebp+arg_4]
		push	35344D43h
		push	0Ch
		push	ebx
		mov	eax, [eax+20h]
		mov	[esi+20h], eax
		call	ExAllocatePoolWithQuotaTag
		mov	ecx, eax
		mov	[esi+18h], ecx
		test	ecx, ecx
		jz	short loc_7F488E
		mov	eax, [ebp+arg_0]
		mov	[ecx+8], eax
		mov	eax, [esi+18h]
		mov	[eax+4], eax
		mov	[eax], eax
		jmp	short loc_7F4841
; 

loc_7F488E:				; CODE XREF: CmpAllocatePostBlock+54j
					; CmpAllocatePostBlock+A0j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F4896:				; CODE XREF: CmpAllocatePostBlock+22j
		xor	eax, eax
		jmp	short loc_7F4843
CmpAllocatePostBlock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnSectionInfoCleanupWorkItem(x)
_PfSnSectionInfoCleanupWorkItem@4 proc near
					; DATA XREF: PfSnPrefetchSectionsCleanup(x,x,x,x)+67o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+10h]
		push	1
		mov	ebx, [edi+4]
		mov	eax, [ebx+20h]
		mov	[ebp+arg_0], eax
		mov	eax, [ebx+24h]
		mov	[ebp+var_4], eax
		call	_PsSetCurrentThreadPrefetching@4 ; PsSetCurrentThreadPrefetching(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop

loc_7F48CD:				; CODE XREF: PAGE:007F48F8j
					; PAGE:007F4909j
		xor	esi, esi
		lea	eax, [edi+10h]
		inc	esi
		lock xadd [eax], esi
_PfSnSectionInfoCleanupWorkItem@4 endp

		inc	esi
		dec	esi
		cmp	esi, [edi+14h]
		jnb	short loc_7F490B
		mov	eax, [ebp+8]
		mov	eax, [eax+esi*4]
		test	eax, eax
		jz	short loc_7F48F0
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F48F0:				; CODE XREF: PAGE:007F48E6j
		mov	eax, [ebp-4]
		mov	ecx, [eax+esi*4]
		test	ecx, ecx
		js	short loc_7F48CD
		shl	ecx, 5
		mov	edx, ebx
		add	ecx, [ebx+1Ch]
		push	1
		call	PfSnCleanupPrefetchSectionInfo
		jmp	short loc_7F48CD
; 

loc_7F490B:				; CODE XREF: PAGE:007F48DCj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	0
		call	_PsSetCurrentThreadPrefetching@4 ; PsSetCurrentThreadPrefetching(x)
		mov	ecx, edi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnPopulateReadList proc near		; DATA XREF: PfSnPrefetchSections+F8o

var_A0		= dword	ptr -0A0h
var_8E		= byte ptr -8Eh
var_8D		= byte ptr -8Dh
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009124FF SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+94h+var_4], eax
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	ecx, 6
		mov	[esp+0A0h+var_3C], eax
		lea	edi, [esp+0A0h+var_1C]
		mov	[esp+0A0h+var_38], eax
		rep stosd
		mov	edi, [edx+10h]
		xor	ecx, ecx
		mov	[esp+0A0h+var_8E], al
		xor	ebx, ebx
		mov	[esp+0A0h+var_60], eax
		lea	eax, [esp+0A0h+var_1C]
		mov	[esp+0A0h+var_5C], edx
		xor	edx, edx
		mov	esi, [edi+4]
		mov	[esp+0A0h+var_8C], ecx
		mov	ecx, [edi+8]
		push	eax
		mov	[esp+0A4h+var_6C], edi
		mov	[esp+0A4h+var_88], esi
		call	KiStackAttachProcess
		push	1
		call	_PsSetCurrentThreadPrefetching@4 ; PsSetCurrentThreadPrefetching(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ebx
		push	ebx
		lea	eax, [esp+0A8h+var_34]
		mov	[esp+0A8h+var_34], 18h
		push	eax
		push	1F0003h
		lea	eax, [esp+0B0h+var_60]
		mov	[esp+0B0h+var_30], ebx
		push	eax
		mov	[esp+0B4h+var_28], 200h
		mov	[esp+0B4h+var_2C], ebx
		mov	[esp+0B4h+var_24], ebx
		mov	[esp+0B4h+var_20], ebx
		call	NtCreateEvent
		test	eax, eax
		js	loc_91252B
		mov	eax, [esi]
		mov	[esp+0A0h+var_64], ebx
		mov	ebx, 1
		mov	ecx, [eax+54h]
		add	ecx, eax
		mov	[esp+0A0h+var_54], ecx
		mov	ecx, [eax+5Ch]
		add	ecx, eax
		mov	[esp+0A0h+var_4C], ecx
		mov	ecx, [eax+64h]
		add	ecx, eax
		mov	eax, [esi+20h]
		mov	[esp+0A0h+var_44], eax
		mov	eax, [esi+24h]
		mov	esi, [esi+34h]
		mov	[esp+0A0h+var_58], eax
		and	esi, 7
		mov	eax, [esp+0A0h+var_5C]
		or	esi, 8
		mov	[esp+0A0h+var_50], ecx
		shl	esi, 3
		mov	ecx, [eax+14h]
		mov	eax, [esp+0A0h+var_88]
		mov	[esp+0A0h+var_78], ecx
		mov	eax, [eax+30h]
		and	eax, 7
		or	esi, eax
		lea	eax, [edi+10h]
		mov	[esp+0A0h+var_48], esi
		lock xadd [eax], ebx
		inc	ebx
		dec	ebx
		mov	[esp+0A0h+var_70], ebx
		cmp	ebx, [edi+14h]
		jb	short loc_7F4ABA

loc_7F4A6D:				; CODE XREF: PfSnPopulateReadList+3F8j
					; PfSnPopulateReadList+11DC27j
		mov	eax, [esp+0A0h+var_60]
		test	eax, eax
		jz	short loc_7F4A7B
		push	eax
		call	NtClose

loc_7F4A7B:				; CODE XREF: PfSnPopulateReadList+143j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	0
		call	_PsSetCurrentThreadPrefetching@4 ; PsSetCurrentThreadPrefetching(x)
		xor	edx, edx
		lea	ecx, [esp+0A0h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, edi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, [esp+0A0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_7F4ABA:				; CODE XREF: PfSnPopulateReadList+13Bj
		xor	edx, edx
		lea	esp, [esp+0]

loc_7F4AC0:				; CODE XREF: PfSnPopulateReadList+3E1j
		mov	edi, [esp+0A0h+var_54]
		mov	eax, ebx
		shl	eax, 5
		add	edi, eax
		mov	[esp+0A0h+var_40], eax
		mov	eax, [edi+14h]
		test	al, 1
		jnz	loc_7F4CE1
		mov	ecx, [esp+0A0h+var_5C]
		mov	[esp+0A0h+var_8D], 0
		mov	ecx, [ecx+18h]
		and	ecx, 1
		mov	[esp+0A0h+var_68], ecx
		jz	loc_7F4D43
		shr	eax, 8
		and	eax, [esp+0A0h+var_78]
		test	al, 7Fh
		jz	loc_7F4CE1

loc_7F4B02:				; CODE XREF: PfSnPopulateReadList+439j
					; PfSnPopulateReadList+445j
		mov	ebx, [edi+0Ch]
		mov	edx, [esp+0A0h+var_88]
		add	ebx, [esp+0A0h+var_50]
		push	0		; int
		mov	ecx, ebx	; wchar_t *
		lea	edx, [edx+14h]	; int
		call	_PfSnFindPrefetchVolumeInfoInList@12 ; PfSnFindPrefetchVolumeInfoInList(x,x,x)
		mov	[esp+0A0h+var_7C], eax
		test	eax, eax
		jz	loc_91250F
		mov	eax, [edi+8]
		push	4C506343h
		lea	eax, ds:18h[eax*8]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[esp+0A0h+var_8C], edx
		test	edx, edx
		jz	loc_912518
		mov	ecx, [esp+0A0h+var_7C]
		mov	eax, [esp+0A0h+var_68]
		mov	[edx+8], eax
		lea	eax, [esp+0A0h+var_3C]
		mov	dword ptr [edx], 0
		mov	dword ptr [edx+4], 0
		mov	ecx, [ecx+0Ch]
		inc	ecx
		lea	ecx, [ebx+ecx*2]
		push	ecx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ebx, [esp+0A0h+var_88]
		lea	eax, [esp+0A0h+var_8E]
		mov	edx, [esp+0A0h+var_7C]
		mov	ecx, ebx
		push	eax
		lea	eax, [esp+0A4h+var_64]
		push	eax
		push	[esp+0A8h+var_60]
		lea	eax, [esp+0ACh+var_3C]
		push	[esp+0ACh+var_68]
		push	[esp+0B0h+var_70]
		push	[esp+0B4h+var_78]
		push	edi
		push	eax
		call	PfSnGetSectionObject
		test	eax, eax
		js	loc_7F4E03
		xor	ebx, ebx
		mov	[esp+0A0h+var_7C], 1
		mov	[esp+0A0h+var_74], ebx
		cmp	[esp+0A0h+var_8D], bl
		jnz	loc_7F4D99

loc_7F4BC6:				; CODE XREF: PfSnPopulateReadList+48Fj
					; PfSnPopulateReadList+49Dj
		mov	edx, [edi]
		mov	ecx, [edi+4]
		xor	edi, edi
		mov	[esp+0A0h+var_84], ecx
		mov	[esp+0A0h+var_80], edi
		lea	eax, [ecx+edx]
		cmp	edx, eax
		jge	loc_7F4C77
		mov	eax, [esp+0A0h+var_4C]
		mov	esi, [esp+0A0h+var_8C]
		lea	eax, [eax+edx*8]
		add	eax, 4
		mov	edi, edi

loc_7F4BF0:				; CODE XREF: PfSnPopulateReadList+33Dj
		mov	ebx, [eax]
		test	bl, 1
		jnz	short loc_7F4C5F
		test	bl, 8
		jnz	loc_7F4D33

loc_7F4C00:				; CODE XREF: PfSnPopulateReadList+408j
		mov	ecx, ebx
		mov	edx, 1
		shr	ecx, 4
		and	ecx, 7
		shl	edx, cl
		test	[esp+0A0h+var_78], edx
		jz	short loc_7F4C5B
		mov	ecx, [esp+0A0h+var_68]
		test	ecx, ecx
		jnz	short loc_7F4C2C
		test	bl, 4
		jz	short loc_7F4C5B
		test	ecx, ecx
		jnz	short loc_7F4C2C
		mov	ecx, [esp+0A0h+var_84]
		jmp	short loc_7F4C35
; 

loc_7F4C2C:				; CODE XREF: PfSnPopulateReadList+2EBj
					; PfSnPopulateReadList+2F4j
		mov	ecx, [esp+0A0h+var_84]
		test	bl, 2
		jz	short loc_7F4C5F

loc_7F4C35:				; CODE XREF: PfSnPopulateReadList+2FAj
					; PfSnPopulateReadList+40Ej
		mov	edi, [eax-4]
		test	edi, edi
		jz	loc_7F4D80

loc_7F4C40:				; CODE XREF: PfSnPopulateReadList+455j
		mov	ecx, [esi+4]
		xor	edx, edx
		shld	edx, edi, 9
		shl	edi, 9
		mov	[esi+ecx*8+10h], edi
		mov	[esi+ecx*8+14h], edx
		inc	dword ptr [esi+4]
		inc	[esp+0A0h+var_74]

loc_7F4C5B:				; CODE XREF: PfSnPopulateReadList+2E3j
					; PfSnPopulateReadList+2F0j
		mov	ecx, [esp+0A0h+var_84]

loc_7F4C5F:				; CODE XREF: PfSnPopulateReadList+2C5j
					; PfSnPopulateReadList+303j
		mov	edi, [esp+0A0h+var_80]

loc_7F4C63:				; CODE XREF: PfSnPopulateReadList+464j
		add	eax, 8
		sub	ecx, 1
		mov	[esp+0A0h+var_84], ecx
		jnz	short loc_7F4BF0
		mov	esi, [esp+0A0h+var_48]
		mov	ebx, [esp+0A0h+var_74]

loc_7F4C77:				; CODE XREF: PfSnPopulateReadList+2AAj
		mov	edx, [esp+0A0h+var_8C]
		cmp	dword ptr [edx+4], 1
		jz	short loc_7F4CCF

loc_7F4C81:				; CODE XREF: PfSnPopulateReadList+3A4j
					; PfSnPopulateReadList+3ABj ...
		mov	eax, [esp+0A0h+var_64]
		or	[edx+10h], esi
		mov	edi, [esp+0A0h+var_6C]
		mov	[edx], eax
		mov	eax, 1
		lock xadd [edi+0Ch], eax
		inc	eax
		lea	ecx, ds:0FFFFFFFCh[eax*4]
		mov	eax, [esp+0A0h+var_44]
		mov	[ecx+eax], edx
		xor	edx, edx
		mov	[esp+0A0h+var_8C], edx
		lea	eax, [edi+18h]
		lock xadd [eax], ebx
		cmp	[esp+0A0h+var_8E], dl
		jz	loc_9124FF
		mov	ebx, [esp+0A0h+var_58]
		mov	eax, [esp+0A0h+var_70]
		mov	[esp+0A0h+var_8E], dl
		mov	[ecx+ebx], eax
		jmp	short loc_7F4CFC
; 

loc_7F4CCF:				; CODE XREF: PfSnPopulateReadList+34Fj
		cmp	[esp+0A0h+var_8D], 0
		jz	short loc_7F4C81
		cmp	[esp+0A0h+var_7C], 0
		jz	short loc_7F4C81
		test	edi, edi
		jnz	short loc_7F4C81

loc_7F4CE1:				; CODE XREF: PfSnPopulateReadList+1A4j
					; PfSnPopulateReadList+1CCj ...
		mov	ebx, [esp+0A0h+var_88]

loc_7F4CE5:				; CODE XREF: PfSnPopulateReadList+4D7j
		cmp	[esp+0A0h+var_8E], 0
		jnz	loc_7F4DE5

loc_7F4CF0:				; CODE XREF: PfSnPopulateReadList+4CEj
		test	edx, edx
		jnz	loc_7F4DD2

loc_7F4CF8:				; CODE XREF: PfSnPopulateReadList+4B0j
		mov	edi, [esp+0A0h+var_6C]

loc_7F4CFC:				; CODE XREF: PfSnPopulateReadList+39Dj
					; PfSnPopulateReadList+11DBDAj
		mov	ebx, 1
		lea	eax, [edi+10h]
		lock xadd [eax], ebx
		inc	ebx
		dec	ebx
		mov	[esp+0A0h+var_70], ebx
		cmp	ebx, [edi+14h]
		jb	loc_7F4AC0
		mov	esi, [esp+0A0h+var_88]

loc_7F4D1B:				; CODE XREF: PfSnPopulateReadList+11DC00j
		cmp	[esp+0A0h+var_8E], 0
		jnz	loc_912535

loc_7F4D26:				; CODE XREF: PfSnPopulateReadList+11DC1Aj
		test	edx, edx
		jz	loc_7F4A6D
		jmp	loc_91254F
; 

loc_7F4D33:				; CODE XREF: PfSnPopulateReadList+2CAj
		cmp	[esp+0A0h+var_7C], 0
		jnz	loc_7F4C00
		jmp	loc_7F4C35
; 

loc_7F4D43:				; CODE XREF: PfSnPopulateReadList+1BDj
		mov	ecx, edi
		call	_PfSnGetFirstPrefetchPhase@8 ; PfSnGetFirstPrefetchPhase(x,x)
		mov	ecx, eax
		mov	edx, 1
		mov	eax, [edi+14h]
		shl	edx, cl
		and	edx, [esp+0A0h+var_78]
		setnz	bl
		shr	eax, 1
		and	eax, [esp+0A0h+var_78]
		mov	[esp+0A0h+var_8D], bl
		test	al, 7Fh
		jnz	loc_7F4B02
		mov	[esp+0A0h+var_8D], bl
		test	edx, edx
		jnz	loc_7F4B02
		jmp	loc_91250F
; 

loc_7F4D80:				; CODE XREF: PfSnPopulateReadList+30Aj
		cmp	[esp+0A0h+var_8D], 0
		jz	loc_7F4C40
		mov	edi, 1
		mov	[esp+0A0h+var_80], edi
		jmp	loc_7F4C63
; 

loc_7F4D99:				; CODE XREF: PfSnPopulateReadList+290j
		mov	ecx, [esp+0A0h+var_8C]
		mov	eax, [ecx+4]
		mov	[ecx+eax*8+10h], ebx
		mov	[ecx+eax*8+14h], ebx
		mov	ebx, 1
		mov	eax, [esp+0A0h+var_64]
		inc	dword ptr [ecx+4]
		mov	[esp+0A0h+var_74], ebx
		mov	eax, [eax+14h]
		cmp	dword ptr [eax+8], 0
		jnz	loc_7F4BC6
		mov	[esp+0A0h+var_7C], 0
		jmp	loc_7F4BC6
; 

loc_7F4DD2:				; CODE XREF: PfSnPopulateReadList+3C2j
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edx, edx
		mov	[esp+0A0h+var_8C], edx
		jmp	loc_7F4CF8
; 

loc_7F4DE5:				; CODE XREF: PfSnPopulateReadList+3BAj
		mov	ecx, [ebx+1Ch]
		mov	edx, ebx
		add	ecx, [esp+0A0h+var_40]
		push	1
		call	PfSnCleanupPrefetchSectionInfo
		mov	edx, [esp+0A0h+var_8C]
		mov	[esp+0A0h+var_8E], 0
		jmp	loc_7F4CF0
; 

loc_7F4E03:				; CODE XREF: PfSnPopulateReadList+278j
		mov	edx, [esp+0A0h+var_8C]
		jmp	loc_7F4CE5
PfSnPopulateReadList endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1902. PsSetCurrentThreadPrefetching

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetCurrentThreadPrefetching(x)
		public _PsSetCurrentThreadPrefetching@4
_PsSetCurrentThreadPrefetching@4 proc near ; CODE XREF:	PfpPrefetchSharedStart(x)+24p
					; PfpPrefetchSharedCleanup(x)+93p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, large fs:124h
		push	ebx
		dec	word ptr [ecx+13Eh]
		nop
		mov	bl, [ecx+304h]
		mov	dl, [ebp+arg_0]
		shl	dl, 6
		xor	dl, bl
		and	dl, 40h
		xor	dl, bl
		mov	[ecx+304h], dl
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		shr	bl, 6
		and	bl, 1
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
_PsSetCurrentThreadPrefetching@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnGetSectionObject proc near		; CODE XREF: PfSnPopulateReadList+271p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 0091255C SIZE 000000AA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_18]
		push	esi
		mov	[ebp+var_34], ecx
		mov	esi, edx
		push	edi
		mov	ebx, [ebp+arg_C]
		lea	edi, [ebp+var_20]
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_24], eax
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		mov	eax, [ebp+var_50]
		xor	ecx, ecx
		mov	edi, [ebp+var_34]
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], ecx
		mov	[eax], ecx
		mov	eax, [ebp+var_24]
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], ecx
		mov	[eax], cl
		mov	eax, [edi]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_30], ecx
		mov	ecx, [ebp+arg_10]
		neg	ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_3C], 2
		sbb	ecx, ecx
		and	ecx, 0D000000h
		add	ecx, 4000000h
		mov	[ebp+var_38], ecx
		cmp	ebx, [eax+58h]
		jnb	loc_91255C
		shl	ebx, 5
		xor	eax, eax
		add	ebx, [edi+1Ch]
		inc	eax
		test	byte ptr [ebx+10h], 4
		jnz	loc_7F50D6
		test	[esi+40h], al
		jz	loc_912566

loc_7F4EFF:				; CODE XREF: PfSnGetSectionObject+11D736j
					; PfSnGetSectionObject+11D751j
		mov	edx, [edi+4]
		lea	eax, [esi+10h]
		push	eax
		push	80h
		push	40h
		push	0A1h
		push	dword ptr [esi+24h]
		lea	ecx, [ebp+var_4C]
		push	[ebp+var_54]
		call	PfpOpenHandleCreate
		mov	esi, eax
		test	esi, esi
		js	loc_7F50BD
		mov	edx, dword_6D4850
		mov	ecx, [ebp+var_4C]
		shr	edx, 4
		not	edx
		and	edx, 1
		shl	edx, 0Eh
		add	edx, 1300h
		call	PfpFileCheckAttributesForPrefetch
		mov	esi, eax
		test	esi, esi
		js	loc_7F50BD
		lea	esi, [edi+40h]
		mov	eax, [esi]
		cmp	eax, [edi+44h]
		jnb	short loc_7F4FA6
		mov	ecx, [ebp+var_48]
		lea	eax, [ebp+var_54]
		push	1
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		push	0
		push	8
		push	6
		pop	edx
		call	IopQueryXxxInformation
		test	eax, eax
		js	short loc_7F4FA6
		xor	edx, edx
		inc	edx
		lock xadd [esi], edx
		inc	edx
		mov	ecx, [edi+3Ch]
		add	edx, edx
		mov	eax, [ebp+var_60]
		mov	[ecx+edx*8-8], eax
		mov	eax, [ebp+var_5C]
		mov	[ecx+edx*8-4], eax
		mov	eax, [ebp+var_48]
		mov	eax, [eax+0Ch]
		mov	[ecx+edx*8-10h], eax
		mov	eax, [ebp+var_40]
		mov	[ecx+edx*8-0Ch], eax

loc_7F4FA6:				; CODE XREF: PfSnGetSectionObject+109j
					; PfSnGetSectionObject+126j
		push	5
		xor	eax, eax
		lea	esi, [ebp+var_4C]
		pop	ecx
		mov	edi, ebx
		rep movsd
		mov	ecx, [ebp+var_38]
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], 2

loc_7F4FC8:				; CODE XREF: PfSnGetSectionObject+286j
		mov	edi, [ebp+arg_10]
		test	edi, edi
		jnz	loc_7F50DD
		cmp	[ebx+18h], eax
		jnz	loc_9125B8

loc_7F4FDC:				; CODE XREF: PfSnGetSectionObject+28Ej
		mov	[ebp+var_74], eax
		mov	[ebp+var_70], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_78], 18h
		mov	[ebp+var_6C], 240h
		push	dword ptr [ebx]
		push	ecx
		push	2
		push	eax
		lea	eax, [ebp+var_78]
		push	eax
		push	5
		lea	eax, [ebp+var_30]
		push	eax
		call	NtCreateSection
		mov	esi, eax
		test	esi, esi
		js	loc_7F50AD
		mov	eax, ds:_MmSectionObjectType
		lea	ecx, [ebp+var_2C]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		push	eax
		push	5
		push	[ebp+var_30]
		mov	[ebp+var_2C], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_2C]
		test	esi, esi
		js	short loc_7F50A9
		mov	esi, [ebp+arg_8]
		xor	edx, edx
		test	edi, edi
		mov	edi, [ebp+var_28]
		push	esi
		mov	ecx, edi
		jnz	loc_7F50EB
		mov	[ebx+18h], eax
		call	_PfSnIsSectionPrefetchedAfterPhase@12 ;	PfSnIsSectionPrefetchedAfterPhase(x,x,x)
		test	al, al
		jnz	loc_9125D5

loc_7F505C:				; CODE XREF: PfSnGetSectionObject+11D77Ej
					; PfSnGetSectionObject+11D799j	...
		or	dword ptr [ebx+1Ch], 2

loc_7F5060:				; CODE XREF: PfSnGetSectionObject+2AEj
		mov	eax, [ebp+var_24]
		mov	byte ptr [eax],	1

loc_7F5066:				; CODE XREF: PfSnGetSectionObject+2A4j
					; PfSnGetSectionObject+11D778j	...
		mov	ecx, [ebp+var_50]
		xor	edx, edx
		mov	eax, [ebx+4]
		inc	edx
		and	[ebp+var_38], 0
		push	esi
		mov	[ecx], eax
		mov	ecx, edi
		call	_PfSnIsSectionPrefetchedAfterPhase@12 ;	PfSnIsSectionPrefetchedAfterPhase(x,x,x)
		test	al, al
		jnz	short loc_7F50A4
		push	esi
		xor	edx, edx
		mov	ecx, edi
		call	_PfSnIsSectionPrefetchedAfterPhase@12 ;	PfSnIsSectionPrefetchedAfterPhase(x,x,x)
		test	al, al
		jnz	short loc_7F50A4
		mov	eax, [edi+14h]
		shr	eax, 8
		and	eax, esi
		test	al, 7Fh
		jz	short loc_7F50A0
		cmp	[ebp+arg_10], edx
		jz	short loc_7F50A4

loc_7F50A0:				; CODE XREF: PfSnGetSectionObject+247j
		or	dword ptr [ebx+1Ch], 4

loc_7F50A4:				; CODE XREF: PfSnGetSectionObject+22Dj
					; PfSnGetSectionObject+23Bj ...
		mov	eax, [ebp+var_38]
		xor	esi, esi

loc_7F50A9:				; CODE XREF: PfSnGetSectionObject+1E5j
		test	eax, eax
		jnz	short loc_7F5112

loc_7F50AD:				; CODE XREF: PfSnGetSectionObject+1BDj
					; PfSnGetSectionObject+2C7j
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_7F50BA
		push	eax
		call	NtClose

loc_7F50BA:				; CODE XREF: PfSnGetSectionObject+260j
		mov	edi, [ebp+var_34]

loc_7F50BD:				; CODE XREF: PfSnGetSectionObject+D2j
					; PfSnGetSectionObject+FBj ...
		test	byte ptr [ebp+var_3C], 4
		jnz	short loc_7F5105

loc_7F50C3:				; CODE XREF: PfSnGetSectionObject+2BEj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
; 

loc_7F50D6:				; CODE XREF: PfSnGetSectionObject+9Ej
		xor	eax, eax
		jmp	loc_7F4FC8
; 

loc_7F50DD:				; CODE XREF: PfSnGetSectionObject+17Bj
		cmp	[ebx+14h], eax
		jz	loc_7F4FDC
		jmp	loc_9125A8
; 

loc_7F50EB:				; CODE XREF: PfSnGetSectionObject+1F4j
		mov	[ebx+14h], eax

loc_7F50EE:				; CODE XREF: PfSnGetSectionObject+11D761j
		inc	edx
		call	_PfSnIsSectionPrefetchedAfterPhase@12 ;	PfSnIsSectionPrefetchedAfterPhase(x,x,x)
		test	al, al
		jnz	loc_7F5066
		or	dword ptr [ebx+1Ch], 1
		jmp	loc_7F5060
; 

loc_7F5105:				; CODE XREF: PfSnGetSectionObject+26Fj
		mov	edx, [edi+4]
		lea	ecx, [ebp+var_4C]
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)
		jmp	short loc_7F50C3
; 

loc_7F5112:				; CODE XREF: PfSnGetSectionObject+259j
		mov	ecx, eax
		call	ObfDereferenceObject
		jmp	short loc_7F50AD
PfSnGetSectionObject endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnIsSectionPrefetchedAfterPhase(x, x, x)
_PfSnIsSectionPrefetchedAfterPhase@12 proc near	; CODE XREF: PfSnGetSectionObject+1FDp
					; PfSnGetSectionObject+226p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+14h]
		cmp	edx, 1
		jz	short loc_7F5146
		shr	eax, 1

loc_7F512C:				; CODE XREF: PfSnIsSectionPrefetchedAfterPhase(x,x,x)+2Dj
		and	eax, 7Fh
		bsr	ecx, eax
		setnz	al
		test	al, al
		jz	short loc_7F514B
		bsr	eax, [ebp+arg_0]
		cmp	ecx, eax
		setnbe	al

locret_7F5142:				; CODE XREF: PfSnIsSectionPrefetchedAfterPhase(x,x,x)+31j
		leave
		retn	4
; 

loc_7F5146:				; CODE XREF: PfSnIsSectionPrefetchedAfterPhase(x,x,x)+Cj
		shr	eax, 8
		jmp	short loc_7F512C
; 

loc_7F514B:				; CODE XREF: PfSnIsSectionPrefetchedAfterPhase(x,x,x)+1Bj
		xor	al, al
		jmp	short locret_7F5142
_PfSnIsSectionPrefetchedAfterPhase@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PfSnFindPrefetchVolumeInfoInList(wchar_t *,int,int)
_PfSnFindPrefetchVolumeInfoInList@12 proc near ; CODE XREF: PfSnPrefetchMetadata+9Dp
					; PfSnPopulateReadList+1E4p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	eax, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], eax
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	short loc_7F5191

loc_7F5168:				; CODE XREF: PfSnFindPrefetchVolumeInfoInList(x,x,x)+53j
		push	dword ptr [esi+0Ch] ; size_t
		push	dword ptr [esi+8] ; wchar_t *
		push	eax		; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7F519A
		mov	eax, [esi+0Ch]
		mov	ecx, [ebp+var_4]
		movzx	eax, word ptr [ecx+eax*2]
		cmp	[ebp+arg_0], edi
		jnz	short loc_7F51A5
		cmp	eax, 5Ch

loc_7F518D:				; CODE XREF: PfSnFindPrefetchVolumeInfoInList(x,x,x)+58j
		jnz	short loc_7F519A
		mov	edi, esi

loc_7F5191:				; CODE XREF: PfSnFindPrefetchVolumeInfoInList(x,x,x)+16j
					; PfSnFindPrefetchVolumeInfoInList(x,x,x)+4Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7F519A:				; CODE XREF: PfSnFindPrefetchVolumeInfoInList(x,x,x)+29j
					; PfSnFindPrefetchVolumeInfoInList(x,x,x):loc_7F518Dj
		mov	esi, [esi]
		cmp	esi, ebx
		jz	short loc_7F5191
		mov	eax, [ebp+var_4]
		jmp	short loc_7F5168
; 

loc_7F51A5:				; CODE XREF: PfSnFindPrefetchVolumeInfoInList(x,x,x)+38j
		test	ax, ax
		jmp	short loc_7F518D
_PfSnFindPrefetchVolumeInfoInList@12 endp


;  S U B	R O U T	I N E 


; __stdcall PfSnCleanupPrefetchHeader(x)
_PfSnCleanupPrefetchHeader@4 proc near	; CODE XREF: PfSnEndTrace+38Cp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_7F51EB
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_7F51E3
		xor	ebx, ebx
		cmp	[ecx+58h], ebx
		jbe	short loc_7F51E3
		xor	edi, edi

loc_7F51C7:				; CODE XREF: PfSnCleanupPrefetchHeader(x)+34j
		mov	ecx, [esi+1Ch]
		mov	edx, esi
		push	0
		add	ecx, edi
		call	PfSnCleanupPrefetchSectionInfo
		mov	eax, [esi]
		inc	ebx
		add	edi, 20h
		cmp	ebx, [eax+58h]
		jb	short loc_7F51C7
		mov	eax, [esi+1Ch]

loc_7F51E3:				; CODE XREF: PfSnCleanupPrefetchHeader(x)+12j
					; PfSnCleanupPrefetchHeader(x)+19j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F51EB:				; CODE XREF: PfSnCleanupPrefetchHeader(x)+Cj
		lea	ebx, [esi+14h]

loc_7F51EE:				; CODE XREF: PfSnCleanupPrefetchHeader(x)+71j
		mov	edi, [ebx]
		cmp	edi, ebx
		jz	short loc_7F521D
		cmp	[edi+4], ebx
		jnz	short loc_7F5273
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_7F5273
		mov	[ebx], eax
		lea	ecx, [edi+24h]
		mov	[eax+4], ebx
		mov	edx, [esi+4]
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)
		mov	edx, [esi+4]
		lea	ecx, [edi+10h]
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)
		jmp	short loc_7F51EE
; 

loc_7F521D:				; CODE XREF: PfSnCleanupPrefetchHeader(x)+48j
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_7F522C
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F522C:				; CODE XREF: PfSnCleanupPrefetchHeader(x)+78j
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_7F523B
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F523B:				; CODE XREF: PfSnCleanupPrefetchHeader(x)+87j
		mov	eax, [esi+2Ch]
		test	eax, eax
		jz	short loc_7F524A
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F524A:				; CODE XREF: PfSnCleanupPrefetchHeader(x)+96j
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_7F525E
		call	_PfpPrefetchSharedCleanup@4 ; PfpPrefetchSharedCleanup(x)
		mov	ecx, [esi+4]
		call	_PfpPrefetchSharedDeref@4 ; PfpPrefetchSharedDeref(x)

loc_7F525E:				; CODE XREF: PfSnCleanupPrefetchHeader(x)+A5j
		mov	eax, [esi+3Ch]
		test	eax, eax
		jnz	short loc_7F5269

loc_7F5265:				; CODE XREF: PfSnCleanupPrefetchHeader(x)+C7j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7F5269:				; CODE XREF: PfSnCleanupPrefetchHeader(x)+B9j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7F5265
; 

loc_7F5273:				; CODE XREF: PfSnCleanupPrefetchHeader(x)+4Dj
					; PfSnCleanupPrefetchHeader(x)+54j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PfSnCleanupPrefetchHeader@4 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnCleanupPrefetchSectionInfo proc near ; CODE	XREF: PAGE:007F4904p
					; PfSnPopulateReadList+4C0p ...

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00912606 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jz	short loc_7F52CF
		mov	eax, [esi+1Ch]
		xor	ebx, ebx
		test	al, 1
		jnz	short loc_7F52EE

loc_7F5293:				; CODE XREF: PfSnCleanupPrefetchSectionInfo+88j
		test	al, 2
		jz	short loc_7F52A9
		mov	ecx, [esi+18h]
		call	ObfDereferenceObject
		and	dword ptr [esi+1Ch], 0FFFFFFFDh
		mov	eax, [esi+1Ch]
		mov	[esi+18h], ebx

loc_7F52A9:				; CODE XREF: PfSnCleanupPrefetchSectionInfo+1Dj
		test	al, 4
		jz	short loc_7F52E7
		mov	edx, [edi+4]
		mov	ecx, esi
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)
		mov	[esi], ebx
		mov	[esi+4], ebx
		mov	[esi+8], ebx
		mov	[esi+0Ch], ebx
		mov	dword ptr [esi+10h], 2
		and	dword ptr [esi+1Ch], 0FFFFFFFBh
		jmp	short loc_7F52E7
; 

loc_7F52CF:				; CODE XREF: PfSnCleanupPrefetchSectionInfo+10j
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jnz	short loc_7F5302

loc_7F52D6:				; CODE XREF: PfSnCleanupPrefetchSectionInfo+8Fj
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jnz	short loc_7F5309

loc_7F52DD:				; CODE XREF: PfSnCleanupPrefetchSectionInfo+96j
		test	byte ptr [esi+10h], 4
		jnz	loc_912606

loc_7F52E7:				; CODE XREF: PfSnCleanupPrefetchSectionInfo+33j
					; PfSnCleanupPrefetchSectionInfo+55j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_7F52EE:				; CODE XREF: PfSnCleanupPrefetchSectionInfo+19j
		mov	ecx, [esi+14h]
		call	ObfDereferenceObject
		and	dword ptr [esi+1Ch], 0FFFFFFFEh
		mov	eax, [esi+1Ch]
		mov	[esi+14h], ebx
		jmp	short loc_7F5293
; 

loc_7F5302:				; CODE XREF: PfSnCleanupPrefetchSectionInfo+5Cj
		call	ObfDereferenceObject
		jmp	short loc_7F52D6
; 

loc_7F5309:				; CODE XREF: PfSnCleanupPrefetchSectionInfo+63j
		call	ObfDereferenceObject
		jmp	short loc_7F52DD
PfSnCleanupPrefetchSectionInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpOpenHandleCreate proc near		; CODE XREF: PfpVolumeOpenAndVerify+156p
					; PfpVolumeOpenAndVerify+23Cp ...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00912615 SIZE 00000066 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		lea	eax, [esp+5Ch+var_40]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		xor	ebx, ebx
		push	0FFFFFFFFh
		push	0FFFFD8F0h
		push	ebx
		push	dword ptr [esi+1Ch]
		call	__allmul
		mov	[esp+58h+var_48], eax
		mov	[esp+58h+var_44], edx

loc_7F534D:				; CODE XREF: PfpOpenHandleCreate+11D350j
		test	byte ptr [esi+28h], 4
		jnz	loc_912671
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jnz	loc_7F540E

loc_7F5362:				; CODE XREF: PfpOpenHandleCreate+105j
		lea	eax, [esi+14h]
		mov	[esp+58h+var_38], 18h
		mov	[esp+58h+var_40], eax
		xor	ecx, ecx
		mov	eax, [ebp+arg_4]
		mov	[esp+58h+var_34], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+58h+var_30], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+58h+var_20], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+58h+var_18], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+58h+var_1C], eax
		mov	eax, [ebp+arg_14]
		mov	[esp+58h+var_3C], ecx
		mov	[esp+58h+var_14], ecx
		mov	[esp+58h+var_10], ecx
		mov	[esp+58h+var_C], ecx
		mov	[esp+58h+var_8], ecx
		mov	[esp+58h+var_4], ecx
		mov	[esp+58h+var_2C], 240h
		mov	[esp+58h+var_28], ecx
		mov	[esp+58h+var_24], ecx
		test	eax, eax
		jz	short loc_7F53CC
		mov	eax, [eax+4]
		mov	[esp+58h+var_3C], eax

loc_7F53CC:				; CODE XREF: PfpOpenHandleCreate+B3j
		lea	eax, [esp+58h+var_40]
		push	eax
		mov	eax, dword_6D4928
		call	dword ptr [eax]
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_7F5422
		mov	eax, [esp+5Ch+var_14]
		mov	[edi+4], eax
		mov	eax, [esp+5Ch+var_18]
		mov	[edi], eax
		mov	eax, [esp+5Ch+var_10]
		mov	[edi+8], eax
		mov	eax, [esp+5Ch+var_8]
		mov	[edi+0Ch], eax
		lock inc dword ptr [esi+30h]
		or	dword ptr [edi+10h], 4
		xor	ecx, ecx

loc_7F5403:				; CODE XREF: PfpOpenHandleCreate+110j
					; PfpOpenHandleCreate+128j ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7F540E:				; CODE XREF: PfpOpenHandleCreate+4Cj
		call	_PfpCheckPrefetchAbort@4 ; PfpCheckPrefetchAbort(x)
		test	eax, eax
		jz	loc_7F5362
		mov	ecx, 0C0000240h
		jmp	short loc_7F5403
; 

loc_7F5422:				; CODE XREF: PfpOpenHandleCreate+CCj
		inc	dword ptr [esi+34h]
		mov	eax, [esp+5Ch+var_C]
		cmp	eax, 2
		jnz	loc_912615
		cmp	ecx, 0C0000022h
		jz	short loc_7F5403
		or	dword ptr [edi+10h], 1
		jmp	short loc_7F5403
PfpOpenHandleCreate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnGetFirstPrefetchPhase(x, x)
_PfSnGetFirstPrefetchPhase@8 proc near	; CODE XREF: PfSnPopulateReadList+415p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+14h]
		shr	eax, 8
		and	eax, 7Fh
		bsf	ecx, eax
		setnz	al
		test	al, al
		jz	short loc_7F545D

loc_7F5459:				; CODE XREF: PfSnGetFirstPrefetchPhase(x,x)+20j
		mov	eax, ecx
		leave
		retn
; 

loc_7F545D:				; CODE XREF: PfSnGetFirstPrefetchPhase(x,x)+17j
		push	7
		pop	ecx
		jmp	short loc_7F5459
_PfSnGetFirstPrefetchPhase@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpOpenHandleClose(x, x)
_PfpOpenHandleClose@8 proc near		; CODE XREF: PfpPrefetchVolumesCleanup(x)+2Ap
					; PfpPrefetchVolumesCleanup(x)+42p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		mov	esi, ecx
		mov	eax, [esi+10h]
		test	al, 10h
		jnz	short loc_7F549E
		mov	eax, [esi]
		mov	[ebp+var_C], eax
		mov	eax, [esi+4]
		mov	[ebp+var_8], eax
		mov	eax, [esi+8]
		mov	[ebp+var_4], eax
		lea	eax, [edx+14h]
		mov	[ebp+var_10], eax
		lock inc dword ptr [edx+38h]
		lea	eax, [ebp+var_10]
		push	eax
		mov	eax, dword_6D4928
		call	dword ptr [eax+4]
		mov	eax, [esi+10h]

loc_7F549E:				; CODE XREF: PfpOpenHandleClose(x,x)+10j
		or	eax, 8
		mov	[esi+10h], eax
		pop	esi
		leave
		retn
_PfpOpenHandleClose@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopQueryXxxInformation proc near	; CODE XREF: IopGetNetworkOpenInformation+46p
					; IoQueryVolumeInformation(x,x,x,x,x)+18p ...

var_28		= byte ptr -28h
var_27		= byte ptr -27h
var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 0091267B SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+38h+var_18], 0
		lea	edi, [esp+38h+var_10]
		mov	[esp+38h+var_14], 0
		stosd
		mov	esi, edx
		mov	[esp+38h+var_20], esi
		mov	ebx, ecx
		mov	[esp+38h+var_25], 0
		stosd
		stosd
		stosd
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebx+2Ch]
		mov	ecx, [ebp+arg_4]
		mov	[esp+38h+var_24], ecx
		test	al, 2
		jz	loc_7F563D
		shr	eax, 2
		and	al, 1
		mov	byte ptr [esp+38h+var_1C], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		lea	ecx, [ebx+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	[esp+38h+var_26], 0
		lea	ecx, [ebx+44h]
		mov	edx, 1
		xchg	edx, [ecx]
		test	edx, edx
		jnz	loc_7F5685
		test	eax, eax
		jz	short loc_7F553E
		or	byte ptr [eax+0Eh], 1

loc_7F553E:				; CODE XREF: IopQueryXxxInformation+88j
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_7F5545:				; CODE XREF: IopQueryXxxInformation+1F1j
		lea	eax, [ebx+5Ch]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	[esp+38h+var_27], 1

loc_7F5553:				; CODE XREF: IopQueryXxxInformation+1A0j
		push	ebx
		call	IoGetRelatedDeviceObject
		mov	edi, eax
		cmp	esi, 4Bh
		jz	loc_912687

loc_7F5564:				; CODE XREF: IopQueryXxxInformation+11D1E4j
		mov	al, [esp+38h+var_27]
		mov	ecx, [ebp+4]
		xor	al, 1
		mov	dl, [edi+30h]
		push	ecx
		movzx	eax, al
		mov	ecx, edi
		push	eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		test	esi, esi
		jz	loc_912699
		cmp	[esp+38h+var_27], 0
		mov	eax, large fs:124h
		mov	[esi+50h], eax
		mov	eax, [esp+38h+var_24]
		mov	[esi+64h], ebx
		mov	[esi+20h], al
		jz	loc_7F5655
		or	byte ptr [esi+27h], 2
		xor	eax, eax

loc_7F55AA:				; CODE XREF: IopQueryXxxInformation+1B0j
		mov	[esi+2Ch], eax
		lea	eax, [esp+38h+var_18]
		mov	ecx, [esi+60h]
		mov	[esi+28h], eax
		mov	al, [ebp+arg_10]
		neg	al
		mov	dword ptr [esi+30h], 0
		mov	[ecx-0Ch], ebx
		sbb	al, al
		and	al, 0FBh
		add	al, 0Ah
		mov	[ecx-24h], al
		mov	eax, [ebp+arg_8]
		or	dword ptr [esi+8], 10h
		cmp	[esp+38h+var_25], 0
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[ecx-20h], eax
		mov	eax, [esp+38h+var_20]
		mov	[ecx-1Ch], eax
		jnz	loc_9126AC

loc_7F55F1:				; CODE XREF: IopQueryXxxInformation+11D200j
		mov	ecx, esi
		call	IopQueueThreadIrp
		mov	edx, esi
		mov	ecx, edi
		call	IofCallDriver
		cmp	[esp+38h+var_27], 0
		mov	edi, eax
		jz	short loc_7F5665
		cmp	edi, 103h
		jnz	short loc_7F5622
		push	[esp+38h+var_24]
		mov	edx, ebx
		mov	ecx, esi
		call	_IopWaitForSynchronousIo@12 ; IopWaitForSynchronousIo(x,x,x)
		mov	edi, [ebx+1Ch]

loc_7F5622:				; CODE XREF: IopQueryXxxInformation+160j
		mov	ecx, ebx
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_7F5629:				; CODE XREF: IopQueryXxxInformation+1BBj
					; IopQueryXxxInformation+1D3j
		mov	ecx, [ebp+arg_C]
		mov	eax, [esp+38h+var_14]
		mov	[ecx], eax

loc_7F5632:				; CODE XREF: IopQueryXxxInformation+11D1D2j
		mov	eax, edi

loc_7F5634:				; CODE XREF: IopQueryXxxInformation+11D1F7j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F563D:				; CODE XREF: IopQueryXxxInformation+46j
		push	0
		push	1
		lea	eax, [esp+40h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[esp+38h+var_27], 0
		jmp	loc_7F5553
; 

loc_7F5655:				; CODE XREF: IopQueryXxxInformation+EEj
		mov	dword ptr [esi+8], 4
		lea	eax, [esp+38h+var_10]
		jmp	loc_7F55AA
; 

loc_7F5665:				; CODE XREF: IopQueryXxxInformation+158j
		cmp	edi, 103h
		jnz	short loc_7F5629
		push	0
		push	0
		push	0
		push	0
		lea	eax, [esp+48h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	edi, [esp+38h+var_18]
		jmp	short loc_7F5629
; 

loc_7F5685:				; CODE XREF: IopQueryXxxInformation+80j
		mov	dl, byte ptr [esp+38h+var_24]
		lea	ecx, [esp+38h+var_26]
		push	ecx
		push	eax
		push	[esp+40h+var_1C]
		mov	ecx, ebx
		call	IopWaitAndAcquireFileObjectLock
		mov	edi, eax
		cmp	[esp+38h+var_26], 0
		jz	loc_7F5545
		jmp	loc_91267B
IopQueryXxxInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpPrefetchFilesTrickle	proc near	; CODE XREF: PfpPrefetchRequestPerform+23Dp

var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 009126B5 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_6C]
		push	8
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_C], esi
		rep stosd
		mov	edi, [esi]
		xor	ebx, ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_1], bl
		call	_PFP_GET_CURRENT_TICK_COUNT_MS@0 ; PFP_GET_CURRENT_TICK_COUNT_MS()
		mov	edx, ebx
		mov	ecx, [esi]
		mov	[ebp+var_4C], eax
		mov	[ebp+var_24], edx
		movzx	eax, word ptr [ecx+1Eh]
		mov	[ebp+var_2C], eax
		cmp	[edi+8], ebx
		jbe	loc_7F58FB
		mov	[ebp+var_28], ebx
		mov	ecx, ebx
		mov	[ebp+var_3C], ebx

loc_7F56F7:				; CODE XREF: PfpPrefetchFilesTrickle+249j
		mov	eax, [esi+8]
		test	byte ptr [ecx+eax+10h],	4
		jz	loc_7F58E4
		mov	eax, [edi+20h]
		add	eax, [ebp+var_28]
		mov	[ebp+var_34], ebx
		mov	[ebp+var_38], eax
		test	dword ptr [eax+0Ch], 0FFFFFFFEh
		jbe	loc_7F58E4
		mov	edx, ebx
		mov	[ebp+var_20], ebx

loc_7F5723:				; CODE XREF: PfpPrefetchFilesTrickle+22Cj
		mov	ecx, [eax+10h]
		add	ecx, edx
		mov	[ebp+var_30], ecx
		mov	eax, [ecx]
		test	al, 2
		jnz	loc_7F58BE
		cmp	[ecx+10h], ebx
		jz	loc_7F58BE
		mov	cl, bl
		mov	byte ptr [ebp+var_10], cl

loc_7F5743:				; CODE XREF: PfpPrefetchFilesTrickle+201j
		mov	edx, eax
		and	edx, 1
		test	cl, cl
		jz	loc_7F590F
		test	edx, edx
		jz	loc_7F58A3

loc_7F5758:				; CODE XREF: PfpPrefetchFilesTrickle+267j
		lea	ecx, [ebp+var_6C]
		call	_PfpReadSupportInitialize@4 ; PfpReadSupportInitialize(x)
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_6C]
		push	eax
		push	[ebp+var_10]
		mov	ecx, esi
		push	[ebp+var_24]
		call	PfpFileBuildReadSupport
		test	eax, eax
		js	loc_7F5872
		mov	ecx, [ebp+var_6C]
		mov	eax, [ebp+var_64]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_44], ecx
		mov	[ecx], eax
		mov	eax, [ecx+4]
		lea	ecx, [ebp+var_40]
		push	ecx
		mov	[ebp+var_1C], eax
		lea	eax, [esi+18h]
		push	ecx
		push	58h
		mov	edx, eax
		mov	[ebp+var_18], ebx
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_8], ebx
		mov	[ebp+var_48], eax
		call	MmQueryMemoryListInformation
		cmp	[ebp+var_1C], ebx
		jbe	loc_9126B5

loc_7F57B6:				; CODE XREF: PfpPrefetchFilesTrickle+1B4j
		mov	ecx, esi
		call	_PfpCheckPrefetchAbort@4 ; PfpCheckPrefetchAbort(x)
		test	eax, eax
		jnz	loc_7F5930
		mov	edx, [ebp+var_2C]
		lea	ecx, [esi+18h]
		call	_PfpAvailablePagesForPrefetch@8	; PfpAvailablePagesForPrefetch(x,x)
		test	eax, eax
		jz	loc_7F5930
		mov	ecx, [ebp+var_18]
		mov	edx, [ebp+var_1C]
		lea	eax, [ecx+10h]
		cmp	eax, edx
		ja	loc_7F5918
		push	10h
		pop	eax

loc_7F57EC:				; CODE XREF: PfpPrefetchFilesTrickle+270j
		mov	edx, [ebp+var_14]
		add	ecx, 2
		mov	[edx+4], eax
		lea	esi, [edx+10h]
		shl	eax, 3
		push	eax		; size_t
		lea	eax, [edx+ecx*8]
		push	eax		; void *
		push	esi		; void *
		call	_memmove
		mov	eax, [ebp+var_C]
		lea	edx, [ebp+var_44]
		add	esp, 0Ch
		mov	eax, [eax]
		push	ebx
		mov	ecx, [eax+1Ch]
		mov	eax, [ebp+var_2C]
		and	ecx, 7
		or	[esi+4], ebx
		and	eax, 7
		shl	eax, 3
		or	ecx, eax
		or	[esi], ecx
		xor	ecx, ecx
		inc	ecx
		call	MmPrefetchPagesEx
		mov	edx, [ebp+var_14]
		mov	esi, eax
		mov	ecx, [ebp+var_48]
		mov	edx, [edx+4]
		call	_PfpUpdateRepurposedByPrefetch@8 ; PfpUpdateRepurposedByPrefetch(x,x)
		mov	edx, [ebp+var_8]
		test	esi, esi
		mov	esi, [ebp+var_C]
		js	short loc_7F5866
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_18]
		mov	eax, [eax+4]
		add	ecx, eax
		add	edx, eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_8], edx
		cmp	ecx, [ebp+var_1C]
		jb	loc_7F57B6

loc_7F5866:				; CODE XREF: PfpPrefetchFilesTrickle+19Cj
					; PfpPrefetchFilesTrickle+28Bj	...
		cmp	byte ptr [ebp+var_10], bl
		jz	loc_7F5921
		add	[edi+4Ch], edx

loc_7F5872:				; CODE XREF: PfpPrefetchFilesTrickle+CAj
					; PfpPrefetchFilesTrickle+278j
		mov	ecx, [esi+14h]
		lea	edx, [ebp+var_6C]
		call	_PfpReadSupportCleanup@8 ; PfpReadSupportCleanup(x,x)
		cmp	[ebp+var_1], bl
		jnz	loc_7F5929
		mov	ecx, esi
		call	_PfpCheckPrefetchAbort@4 ; PfpCheckPrefetchAbort(x)
		test	eax, eax
		jnz	loc_7F5929
		mov	eax, [ebp+var_30]
		mov	eax, [eax]
		mov	edx, eax
		test	al, 8
		jnz	short loc_7F58B3
		mov	cl, byte ptr [ebp+var_10]

loc_7F58A3:				; CODE XREF: PfpPrefetchFilesTrickle+A6j
					; PfpPrefetchFilesTrickle+265j
		inc	cl
		mov	edx, eax
		mov	byte ptr [ebp+var_10], cl
		cmp	cl, 1
		jbe	loc_7F5743

loc_7F58B3:				; CODE XREF: PfpPrefetchFilesTrickle+1F2j
		test	dl, 8
		mov	edx, [ebp+var_20]
		jnz	short loc_7F58BE
		inc	dword ptr [edi+3Ch]

loc_7F58BE:				; CODE XREF: PfpPrefetchFilesTrickle+83j
					; PfpPrefetchFilesTrickle+8Cj ...
		mov	eax, [ebp+var_38]
		add	edx, 20h
		mov	ecx, [ebp+var_34]
		inc	ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_34], ecx
		mov	eax, [eax+0Ch]
		shr	eax, 1
		cmp	ecx, eax
		mov	eax, [ebp+var_38]
		jb	loc_7F5723
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_3C]

loc_7F58E4:				; CODE XREF: PfpPrefetchFilesTrickle+53j
					; PfpPrefetchFilesTrickle+6Cj
		add	[ebp+var_28], 20h
		inc	edx
		add	ecx, 28h
		mov	[ebp+var_24], edx
		mov	[ebp+var_3C], ecx
		cmp	edx, [edi+8]
		jb	loc_7F56F7

loc_7F58FB:				; CODE XREF: PfpPrefetchFilesTrickle+3Dj
					; PfpPrefetchFilesTrickle+282j
		call	_PFP_GET_CURRENT_TICK_COUNT_MS@0 ; PFP_GET_CURRENT_TICK_COUNT_MS()
		mov	ecx, [esi]
		sub	eax, [ebp+var_4C]
		pop	edi
		pop	esi
		add	[ecx+58h], eax
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_7F590F:				; CODE XREF: PfpPrefetchFilesTrickle+9Ej
		test	edx, edx
		jnz	short loc_7F58A3
		jmp	loc_7F5758
; 

loc_7F5918:				; CODE XREF: PfpPrefetchFilesTrickle+137j
		mov	eax, edx
		sub	eax, ecx
		jmp	loc_7F57EC
; 

loc_7F5921:				; CODE XREF: PfpPrefetchFilesTrickle+1BDj
		add	[edi+48h], edx
		jmp	loc_7F5872
; 

loc_7F5929:				; CODE XREF: PfpPrefetchFilesTrickle+1D4j
					; PfpPrefetchFilesTrickle+1E3j
		mov	ebx, 0C0000240h
		jmp	short loc_7F58FB
; 

loc_7F5930:				; CODE XREF: PfpPrefetchFilesTrickle+113j
					; PfpPrefetchFilesTrickle+126j
		mov	edx, [ebp+var_8]
		mov	[ebp+var_1], 1
		jmp	loc_7F5866
PfpPrefetchFilesTrickle	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpUpdateRepurposedByPrefetch(x, x)
_PfpUpdateRepurposedByPrefetch@8 proc near ; CODE XREF:	PfpPrefetchPrivatePages+13Dp
					; PfpPrefetchFilesTrickle+18Fp	...

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	58h		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_60]
		push	esi		; int
		push	eax		; void *
		mov	edi, edx
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_64], esi
		lea	eax, [ebp+var_64]
		lea	edx, [ebp+var_60]
		push	eax
		push	ecx
		push	58h
		or	ecx, 0FFFFFFFFh
		call	MmQueryMemoryListInformation
		mov	eax, esi
		mov	ecx, esi

loc_7F597F:				; CODE XREF: PfpUpdateRepurposedByPrefetch(x,x)+4Bj
		add	eax, [ebp+ecx*4+var_2C]
		inc	ecx
		cmp	ecx, 7
		jbe	short loc_7F597F
		push	8
		lea	ecx, [ebx+34h]
		pop	edx

loc_7F598F:				; CODE XREF: PfpUpdateRepurposedByPrefetch(x,x)+5Bj
		add	esi, [ecx]
		lea	ecx, [ecx+4]
		sub	edx, 1
		jnz	short loc_7F598F
		sub	eax, esi
		cmp	eax, edi
		ja	short loc_7F59C7

loc_7F599F:				; CODE XREF: PfpUpdateRepurposedByPrefetch(x,x)+8Dj
		test	eax, eax
		jnz	short loc_7F59BC

loc_7F59A3:				; CODE XREF: PfpUpdateRepurposedByPrefetch(x,x)+89j
		push	16h
		pop	ecx
		mov	edi, ebx
		lea	esi, [ebp+var_60]
		rep movsd
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7F59BC:				; CODE XREF: PfpUpdateRepurposedByPrefetch(x,x)+65j
		mov	ecx, offset dword_6D4948
		lock xadd [ecx], eax
		jmp	short loc_7F59A3
; 

loc_7F59C7:				; CODE XREF: PfpUpdateRepurposedByPrefetch(x,x)+61j
		mov	eax, edi
		jmp	short loc_7F599F
_PfpUpdateRepurposedByPrefetch@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PfpAvailablePagesForPrefetch(x, x)
_PfpAvailablePagesForPrefetch@8	proc near ; CODE XREF: PfpPrefetchPrivatePages+104p
					; PfpPrefetchFilesTrickle+11Fp	...
		mov	edi, edi
		push	esi
		mov	esi, [ecx+4]
		xor	eax, eax
		add	esi, [ecx]
		add	ecx, 14h
		inc	edx

loc_7F59DA:				; CODE XREF: PfpAvailablePagesForPrefetch(x,x)+16j
		add	eax, [ecx]
		lea	ecx, [ecx+4]
		sub	edx, 1
		jnz	short loc_7F59DA
		add	eax, esi
		cmp	eax, 80h
		pop	esi
		sbb	eax, eax
		inc	eax
		retn
_PfpAvailablePagesForPrefetch@8	endp


;  S U B	R O U T	I N E 


; __stdcall PfpReadSupportCleanup(x, x)
_PfpReadSupportCleanup@8 proc near	; CODE XREF: PfpPrefetchFilesTrickle+1CCp
					; PfpPrefetchFiles(x,x)+1B6p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_7F5A05
		push	eax
		call	NtClose

loc_7F5A05:				; CODE XREF: PfpReadSupportCleanup(x,x)+Dj
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_7F5A13
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F5A13:				; CODE XREF: PfpReadSupportCleanup(x,x)+19j
		test	byte ptr [esi+14h], 4
		jz	short loc_7F5A25
		mov	edx, edi
		lea	ecx, [esi+4]
		pop	edi
		pop	esi
		jmp	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)
; 

loc_7F5A25:				; CODE XREF: PfpReadSupportCleanup(x,x)+27j
		pop	edi
		pop	esi
		retn
_PfpReadSupportCleanup@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpFileSetupObjectAttributes proc near	; CODE XREF: PfpFileBuildReadSupport+A3p
					; PfpVolumePrefetchMetadata+155p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009126BC SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		mov	edi, [ebp+arg_C]
		mov	eax, [esi]
		and	al, 2
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3FC1h
		add	eax, 60h
		mov	[edi], eax
		mov	eax, [esi+18h]
		test	eax, eax
		jz	loc_9126BC
		test	byte ptr [esi],	4
		jnz	loc_9126BC
		mov	edx, [ebp+arg_4]
		add	eax, 2
		mov	[edx+4], eax
		mov	cx, [esi+1Ch]
		add	cx, cx
		mov	[edx+2], cx
		lea	eax, [ecx-2]
		imul	ecx, [ebp+arg_0], 28h
		mov	[edx], ax
		mov	eax, [ebx+8]
		mov	ecx, [ecx+eax+14h]

loc_7F5A85:				; CODE XREF: PfpFileSetupObjectAttributes+11CCB7j
		mov	eax, [ebp+arg_8]
		pop	edi
		pop	esi
		pop	ebx
		and	dword ptr [eax+10h], 0
		and	dword ptr [eax+14h], 0
		mov	dword ptr [eax], 18h
		mov	[eax+4], ecx
		mov	dword ptr [eax+0Ch], 240h
		mov	[eax+8], edx
		pop	ebp
		retn	10h
PfpFileSetupObjectAttributes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpFileBuildReadList proc near		; CODE XREF: PfpFileBuildReadSupport+14Dp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009126E4 SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, edx
		mov	[ebp+var_1C], ecx
		push	ebx
		push	esi
		push	edi
		test	byte ptr [eax],	1
		mov	[ebp+var_14], eax
		jz	short loc_7F5ACC
		cmp	byte ptr [ebp+arg_0], 0
		jz	loc_9126E4

loc_7F5ACC:				; CODE XREF: PfpFileBuildReadList+16j
		mov	edi, [eax+10h]
		xor	esi, esi
		mov	ebx, esi
		push	8
		pop	ecx
		test	edi, edi
		jz	short loc_7F5AF4
		mov	edx, [eax+14h]
		add	edx, ecx

loc_7F5ADF:				; CODE XREF: PfpFileBuildReadList+45j
		mov	ecx, [edx]
		add	ebx, 2
		shr	ecx, 0Ch
		lea	edx, [edx+10h]
		add	ebx, ecx
		sub	edi, 1
		jnz	short loc_7F5ADF
		push	8
		pop	ecx

loc_7F5AF4:				; CODE XREF: PfpFileBuildReadList+2Ej
		mov	eax, ebx
		mul	ecx
		add	eax, 10h
		adc	edx, esi
		mov	[ebp+var_20], edx
		jnz	loc_91272F
		cmp	eax, 0FFFFFFFFh
		ja	loc_91272F
		push	4C526650h
		xor	ebx, ebx
		push	eax
		inc	ebx
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_912717
		mov	ecx, [ebp+var_14]
		xor	eax, eax
		mov	edi, edx
		stosd
		stosd
		stosd
		stosd
		test	[ecx], bl
		jz	short loc_7F5B3A
		mov	[edx+8], ebx

loc_7F5B3A:				; CODE XREF: PfpFileBuildReadList+8Bj
		mov	[ebp+var_8], esi
		cmp	[ecx+10h], esi
		jbe	loc_7F5BE1
		mov	eax, esi
		mov	[ebp+var_18], esi

loc_7F5B4B:				; CODE XREF: PfpFileBuildReadList+131j
		mov	edi, [ecx+14h]
		add	edi, eax
		mov	[ebp+var_10], edi
		mov	eax, [edi]
		mov	edi, [edi+4]
		mov	[ebp+var_20], eax
		mov	[ebp+var_C], edi
		mov	edi, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_1C]
		mov	eax, [eax]
		test	byte ptr [eax+38h], 2
		mov	eax, [ebp+arg_0]
		jnz	loc_912721

loc_7F5B78:				; CODE XREF: PfpFileBuildReadList+11CC80j
		mov	ebx, [ebp+var_10]
		and	[ebp+var_4], esi
		mov	ebx, [ebx+8]
		add	ebx, [ebp+var_20]
		mov	[ebp+var_10], ebx
		mov	ebx, [ebp+var_4]
		adc	ebx, [ebp+var_C]
		mov	[ebp+var_4], ebx
		cmp	eax, ebx
		mov	ebx, [ebp+var_8]
		jb	short loc_7F5B9E
		ja	short loc_7F5BCB
		cmp	edi, [ebp+var_10]
		jnb	short loc_7F5BCB

loc_7F5B9E:				; CODE XREF: PfpFileBuildReadList+EBj
		mov	ecx, [ebp+arg_0]
		mov	ebx, [ebp+var_10]

loc_7F5BA4:				; CODE XREF: PfpFileBuildReadList+113j
					; PfpFileBuildReadList+119j
		mov	eax, [edx+4]
		mov	[edx+eax*8+10h], edi
		mov	[edx+eax*8+14h], ecx
		inc	dword ptr [edx+4]
		add	edi, 1000h
		adc	ecx, esi
		cmp	ecx, [ebp+var_4]
		jb	short loc_7F5BA4
		ja	short loc_7F5BC5
		cmp	edi, ebx
		jb	short loc_7F5BA4

loc_7F5BC5:				; CODE XREF: PfpFileBuildReadList+115j
		mov	ecx, [ebp+var_14]
		mov	ebx, [ebp+var_8]

loc_7F5BCB:				; CODE XREF: PfpFileBuildReadList+EDj
					; PfpFileBuildReadList+F2j
		mov	eax, [ebp+var_18]
		inc	ebx
		add	eax, 10h
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], eax
		cmp	ebx, [ecx+10h]
		jb	loc_7F5B4B

loc_7F5BE1:				; CODE XREF: PfpFileBuildReadList+96j
		mov	eax, [ebp+arg_4]
		mov	[eax], edx

loc_7F5BE6:				; CODE XREF: PfpFileBuildReadList+11CC68j
		xor	eax, eax

loc_7F5BE8:				; CODE XREF: PfpFileBuildReadList+11CC72j
					; PfpFileBuildReadList+11CC8Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
PfpFileBuildReadList endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpRealtimeFlushSavedBuffers proc near	; CODE XREF: EtwpLogger(x)+170p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00912739 SIZE 000000A5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		push	edi
		cmp	[ebx+148h], esi
		jnz	short loc_7F5C0E

loc_7F5C07:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+24j
					; EtwpRealtimeFlushSavedBuffers+E0j
		xor	eax, eax

loc_7F5C09:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+11CB4Ej
					; EtwpRealtimeFlushSavedBuffers+11CBE9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7F5C0E:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+15j
		cmp	[ebx+108h], esi
		jz	short loc_7F5C07
		push	50777445h
		push	dword ptr [ebx+4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_4], edi
		test	edi, edi
		jz	loc_912739
		push	dword ptr [ebx+4] ; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_7F5C3F:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+11CB69j
		mov	esi, [ebx+148h]

loc_7F5C45:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+CAj
					; EtwpRealtimeFlushSavedBuffers+11CB5Cj
		test	esi, esi
		jz	short loc_7F5CC1
		cmp	dword ptr [ebx+108h], 0
		jz	loc_912773
		mov	eax, [ebx+12Ch]
		mov	edx, edi
		mov	esi, [ebx+128h]
		mov	ecx, ebx
		mov	[ebp+var_8], eax
		call	EtwpRealtimeRestoreBuffer
		mov	ecx, ebx
		test	eax, eax
		js	loc_912780
		mov	edx, edi
		call	EtwpRealtimeDeliverBuffer
		test	eax, eax
		js	loc_91275E
		test	byte ptr [ebx+258h], 1
		jz	short loc_7F5C99
		push	3
		pop	eax
		cmp	[edi+36h], ax
		jz	short loc_7F5CD5

loc_7F5C99:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+9Ej
					; EtwpRealtimeFlushSavedBuffers+F5j
		mov	esi, [ebx+148h]
		dec	esi
		mov	[ebx+148h], esi
		mov	eax, [edi+30h]
		sub	[ebx+138h], eax
		sbb	dword ptr [ebx+13Ch], 0
		cmp	dword ptr [ebx+10h], 0
		jge	short loc_7F5C45
		jmp	loc_912743
; 

loc_7F5CC1:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+57j
					; EtwpRealtimeFlushSavedBuffers+11CB8Bj
		mov	ecx, ebx
		call	EtwpRealtimeZeroTruncateLogfile

loc_7F5CC8:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+11CB85j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7F5C07
; 

loc_7F5CD5:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+A7j
		lea	esi, [edi+38h]
		lea	edi, [ebx+150h]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_4]
		jmp	short loc_7F5C99
EtwpRealtimeFlushSavedBuffers endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpRealtimeUpdateConsumers(x)
_EtwpRealtimeUpdateConsumers@4 proc near ; CODE	XREF: EtwpLogger(x)+169p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	esi, [ebx+25Ch]
		mov	eax, [esi]
		test	al, 20h
		jnz	short loc_7F5D14

loc_7F5CFF:				; CODE XREF: EtwpRealtimeUpdateConsumers(x)+B6j
		mov	eax, [esi]
		lea	ecx, [ebx+1F0h]
		test	al, 10h
		jnz	loc_7F5DA3

loc_7F5D0F:				; CODE XREF: EtwpRealtimeUpdateConsumers(x)+122j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7F5D14:				; CODE XREF: EtwpRealtimeUpdateConsumers(x)+15j
		lea	esi, [ebx+1F0h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebx+10Ch]
		xor	edx, edx
		and	dword ptr [ebx+10Ch], 0
		mov	ecx, esi
		mov	[ebp+var_4], eax
		call	ExReleasePushLockEx
		mov	eax, [ebp+var_4]
		lea	esi, [ebx+150h]
		lea	ecx, [ebx+100h]
		mov	edi, [eax+14h]
		and	dword ptr [eax+14h], 0
		add	edi, 50h
		movsd
		movsd
		movsd
		movsd
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_7F5E0F
		mov	[eax], ecx
		lea	esi, [ebx+25Ch]
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		inc	dword ptr [ebx+108h]
		and	byte ptr [eax+32h], 0F7h
		push	40h
		pop	eax
		lock or	[esi], eax
		and	dword ptr [ebx+28h], 0
		push	0FFFFFFDFh
		pop	eax
		lock and [esi],	eax
		push	0
		push	0
		lea	eax, [ebx+164h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_7F5CFF
; 

loc_7F5DA3:				; CODE XREF: EtwpRealtimeUpdateConsumers(x)+21j
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	edi, [ebx+10Ch]
		lea	ecx, [ebx+1F0h]
		and	dword ptr [ebx+10Ch], 0
		xor	edx, edx
		call	ExReleasePushLockEx
		lea	ecx, [ebx+100h]
		mov	edx, 0C0000296h
		mov	eax, [ecx]

loc_7F5DD1:				; CODE XREF: EtwpRealtimeUpdateConsumers(x)+F3j
		cmp	eax, ecx
		jz	short loc_7F5DF1
		cmp	edi, eax
		jz	short loc_7F5DDD

loc_7F5DD9:				; CODE XREF: EtwpRealtimeUpdateConsumers(x)+F9j
					; EtwpRealtimeUpdateConsumers(x)+107j
		mov	eax, [eax]
		jmp	short loc_7F5DD1
; 

loc_7F5DDD:				; CODE XREF: EtwpRealtimeUpdateConsumers(x)+EFj
		test	byte ptr [edi+32h], 1
		jnz	short loc_7F5DD9
		push	4
		pop	edx
		lock or	[esi], edx
		or	byte ptr [edi+32h], 1
		xor	edx, edx
		jmp	short loc_7F5DD9
; 

loc_7F5DF1:				; CODE XREF: EtwpRealtimeUpdateConsumers(x)+EBj
		push	0FFFFFFEFh
		mov	[ebx+28h], edx
		pop	eax
		lock and [esi],	eax
		push	0
		push	0
		lea	eax, [ebx+164h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_7F5D0F
; 

loc_7F5E0F:				; CODE XREF: EtwpRealtimeUpdateConsumers(x)+76j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_EtwpRealtimeUpdateConsumers@4 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsInvalidateStartAddress(x)
_PsInvalidateStartAddress@4 proc near	; CODE XREF: CmpNotifyChangeKey+1AEp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	al, [ecx+304h]
		test	al, 8
		jz	short loc_7F5E26
		leave
		retn
; 

loc_7F5E26:				; CODE XREF: PsInvalidateStartAddress(x)+Ej
		or	byte ptr [ecx+304h], 8
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		xor	edx, edx
		lock or	[eax], edx
		lea	eax, [ecx+294h]
		mov	[eax+4], eax
		mov	[eax], eax
		leave
		retn
_PsInvalidateStartAddress@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnQueryVolumeInfo proc near		; CODE XREF: PfSnOpenVolumesForPrefetch+1A7p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009127DE SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	6
		mov	[ebp+var_44], eax
		lea	edi, [ebp+var_24]
		mov	eax, [ebp+arg_4]
		mov	esi, ecx
		pop	ecx
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_8]
		push	2
		mov	[ebp+var_40], eax
		xor	eax, eax
		pop	ebx
		rep stosd
		xor	edi, edi
		mov	[ebp+var_48], esi
		push	edx
		lea	eax, [ebp+var_50]
		mov	[ebp+var_50], edi
		push	eax
		mov	[ebp+var_4C], edi
		mov	[ebp+var_58], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_28], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	edi
		push	edi
		push	100180h
		push	edi
		lea	eax, [ebp+var_50]
		mov	edx, esi
		push	eax
		lea	ecx, [ebp+var_38]
		call	PfpOpenHandleCreate
		mov	esi, eax
		test	esi, esi
		js	short loc_7F5F32
		push	1
		push	18h
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		push	[ebp+var_38]
		call	_NtQueryVolumeInformationFile@20 ; NtQueryVolumeInformationFile(x,x,x,x,x)
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_7F5F32
		mov	ecx, [ebp+var_3C]
		lea	esi, [ebp+var_38]
		mov	eax, [ebp+var_24]
		mov	edi, [ebp+var_44]
		push	5
		mov	[ecx], eax
		mov	eax, [ebp+var_20]
		mov	[ecx+4], eax
		mov	ecx, [ebp+var_40]
		mov	eax, [ebp+var_1C]
		mov	[ecx], eax
		pop	ecx
		rep movsd
		xor	esi, esi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi

loc_7F5F16:				; CODE XREF: PfSnQueryVolumeInfo+EFj
		test	bl, 4
		jnz	loc_9127DE

loc_7F5F1F:				; CODE XREF: PfSnQueryVolumeInfo+11C9A3j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_7F5F32:				; CODE XREF: PfSnQueryVolumeInfo+7Bj
					; PfSnQueryVolumeInfo+9Cj
		mov	ebx, [ebp+var_28]
		jmp	short loc_7F5F16
PfSnQueryVolumeInfo endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObQuerySecurityObject(x, x,	x, x, x)
_ObQuerySecurityObject@20 proc near	; CODE XREF: SepVerifyDesktopAppxImage(x,x,x,x)+95p
					; SepVerifyDesktopAppxImage(x,x,x,x)+E2p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		push	0
		lea	eax, [edi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [edi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	ecx, ds:_ObTypeIndexTable[edx*4]
		mov	edx, [ecx+6Ch]
		lea	eax, [ecx+34h]
		push	eax
		push	dword ptr [ecx+4Ch]
		lea	eax, [edi-4]
		push	eax
		lea	eax, [ebp+arg_4]
		push	eax
		push	[ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	edi
		call	edx
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		pop	edi
		pop	esi
		mov	[edx], ecx
		leave
		retn	0Ch
_ObQuerySecurityObject@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtFlushBuffersFile(x, x)
_NtFlushBuffersFile@8 proc near		; DATA XREF: .text:0058104Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_0]
		call	NtFlushBuffersFileEx
		pop	ebp
		retn	8
_NtFlushBuffersFile@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtFlushBuffersFileEx proc near		; CODE XREF: NtFlushBuffersFile(x,x)+10p
					; DATA XREF: .text:00581050o

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 009127EE SIZE 00000007 BYTES
; FUNCTION CHUNK AT 00912815 SIZE 00000045 BYTES

		push	2Ch
		push	offset dword_6A5140
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ecx
		cmp	[ebp+arg_8], ecx
		jnz	loc_912850
		cmp	[ebp+arg_C], ecx
		jnz	loc_912850
		mov	eax, large fs:124h
		mov	[ebp+var_28], eax
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+arg_C], bl
		test	bl, bl
		jz	short loc_7F600F
		mov	[ebp+ms_exc.disabled], ecx
		mov	ecx, [ebp+arg_10]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_9127EE

loc_7F6004:				; CODE XREF: NtFlushBuffersFileEx+11C844j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7F600F:				; CODE XREF: NtFlushBuffersFileEx+43j
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_20], eax
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		call	IopReferenceFileObject
		test	eax, eax
		js	loc_7F6147
		mov	esi, [ebp+var_1C]
		mov	ecx, [esi+2Ch]
		mov	eax, ecx
		shr	eax, 5
		not	eax
		and	eax, 4
		or	al, 2
		test	byte ptr [ebp+var_30], al
		jz	loc_7F61AA
		test	cl, 2
		jz	loc_7F6159
		shr	ecx, 2
		and	cl, 1
		mov	byte ptr [ebp+arg_0], cl
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		mov	esi, [ebp+var_1C]
		lea	ecx, [esi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	edi, eax
		xor	bh, bh
		mov	byte ptr [ebp+arg_8+3],	bh
		xor	eax, eax
		inc	eax
		mov	[ebp+arg_C], eax
		mov	edx, eax
		lea	ecx, [esi+44h]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	loc_7F61BA
		test	edi, edi
		jz	short loc_7F609D
		or	[edi+0Eh], al

loc_7F609D:				; CODE XREF: NtFlushBuffersFileEx+ECj
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	edi, edi

loc_7F60A6:				; CODE XREF: NtFlushBuffersFileEx+224j
		test	bh, bh
		jnz	loc_7F61AF
		mov	byte ptr [ebp+arg_0], 1
		xor	edi, edi

loc_7F60B4:				; CODE XREF: NtFlushBuffersFileEx+1D2j
		mov	ecx, esi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		push	esi
		call	IoGetRelatedDeviceObject
		mov	[ebp+var_2C], eax
		push	dword ptr [ebp+4]
		push	0
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		test	esi, esi
		jz	loc_912815
		mov	ecx, [ebp+var_1C]
		mov	[esi+64h], ecx
		mov	eax, [ebp+var_28]
		mov	[esi+50h], eax
		mov	[esi+20h], bl
		mov	ebx, [ebp+arg_C]
		test	bl, bl
		jz	loc_7F6183
		mov	eax, [ebp+arg_10]
		xor	edx, edx

loc_7F60FC:				; CODE XREF: NtFlushBuffersFileEx+1E3j
		mov	[esi+2Ch], edx
		mov	[esi+28h], eax
		and	dword ptr [esi+30h], 0
		mov	eax, [esi+60h]
		mov	byte ptr [eax-24h], 9
		mov	[eax-0Ch], ecx
		test	[ebp+arg_4], 1
		jnz	loc_912835
		test	[ebp+arg_4], 2
		jnz	loc_91283E
		test	[ebp+arg_4], 4
		jnz	loc_912847

loc_7F612E:				; CODE XREF: NtFlushBuffersFileEx+11C88Dj
					; NtFlushBuffersFileEx+11C896j	...
		push	2
		push	[ebp+arg_0]
		push	[ebp+var_20]
		push	0
		push	ecx
		mov	edx, esi
		mov	ecx, [ebp+var_2C]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)
		test	bl, bl
		jz	short loc_7F6194

loc_7F6147:				; CODE XREF: NtFlushBuffersFileEx+7Ej
					; NtFlushBuffersFileEx+1FCj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7F6159:				; CODE XREF: NtFlushBuffersFileEx+A2j
		push	10h
		pop	edx
		mov	ecx, 200h
		call	IopVerifierExAllocatePool
		mov	edi, eax
		test	edi, edi
		jz	short loc_7F61D5
		push	0
		push	1
		push	edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	al, al
		mov	[ebp+arg_C], eax
		mov	byte ptr [ebp+arg_0], al
		jmp	loc_7F60B4
; 

loc_7F6183:				; CODE XREF: NtFlushBuffersFileEx+145j
		mov	dword ptr [esi+8], 4
		lea	eax, [ebp+var_3C]
		mov	edx, edi
		jmp	loc_7F60FC
; 

loc_7F6194:				; CODE XREF: NtFlushBuffersFileEx+199j
		push	[ebp+arg_10]
		lea	ecx, [ebp+var_3C]
		push	ecx
		push	[ebp+var_20]
		push	esi
		mov	edx, edi
		mov	ecx, eax
		call	IopSynchronousApiServiceTail
		jmp	short loc_7F6147
; 

loc_7F61AA:				; CODE XREF: NtFlushBuffersFileEx+99j
		mov	edi, 0C0000022h

loc_7F61AF:				; CODE XREF: NtFlushBuffersFileEx+FCj
					; NtFlushBuffersFileEx+22Ej
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	short loc_7F6147
; 

loc_7F61BA:				; CODE XREF: NtFlushBuffersFileEx+E4j
		lea	eax, [ebp+arg_8+3]
		push	eax
		push	edi
		push	[ebp+arg_0]
		mov	dl, bl
		mov	ecx, esi
		call	IopWaitAndAcquireFileObjectLock
		mov	edi, eax
		mov	bh, byte ptr [ebp+arg_8+3]
		jmp	loc_7F60A6
; 

loc_7F61D5:				; CODE XREF: NtFlushBuffersFileEx+1BEj
		mov	edi, 0C000009Ah
		jmp	short loc_7F61AF
NtFlushBuffersFileEx endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; 
; Exported entry 1556. NtQueryEaFile

; __stdcall NtQueryEaFile(x, x,	x, x, x, x, x, x, x)
		public _NtQueryEaFile@36
_NtQueryEaFile@36:			; DATA XREF: .text:00580E8Co
		push	4Ch
		push	offset dword_6A5160
		call	__SEH_prolog4
		mov	edi, [ebp+0Ch]
		xor	ebx, ebx
		mov	[ebp-28h], ebx
		mov	[ebp-2Ch], ebx
		mov	[ebp-20h], ebx
		mov	[ebp-19h], bl
		mov	[ebp-30h], ebx
		mov	[ebp-5Ch], ebx
		mov	[ebp-58h], ebx
		mov	eax, large fs:124h
		mov	[ebp-4Ch], eax
		mov	al, [eax+15Ah]
		mov	[ebp-1Ah], al
		mov	[ebp-40h], al
		test	al, al
		jz	loc_7F6377
		mov	[ebp-4], ebx
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jb	short loc_7F6235
		mov	ecx, eax

loc_7F6235:				; CODE XREF: PAGE:007F6231j
		mov	eax, [ecx]
		mov	[ecx], eax
		push	4
		mov	eax, [ebp+14h]
		push	eax
		push	dword ptr [ebp+10h]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	edx, [ebp+24h]
		test	edx, edx
		jz	short loc_7F6262
		mov	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		jb	short loc_7F625C
		mov	eax, ecx

loc_7F625C:				; CODE XREF: PAGE:007F6258j
		nop
		mov	eax, [eax]
		mov	[ebp-30h], eax

loc_7F6262:				; CODE XREF: PAGE:007F624Cj
		mov	ecx, [ebp+1Ch]
		test	ecx, ecx
		jz	loc_7F6345
		cmp	dword ptr [ebp+20h], 0
		jz	loc_7F6345
		mov	[ebp-34h], ebx
		mov	[ebp-24h], ebx
		mov	byte ptr [ebp-19h], 1
		test	cl, 3
		jnz	loc_7F6730
		mov	eax, [ebp+20h]
		add	eax, ecx
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_7F629D
		cmp	eax, ecx
		jnb	short loc_7F629F

loc_7F629D:				; CODE XREF: PAGE:007F6297j
		mov	[edx], bl

loc_7F629F:				; CODE XREF: PAGE:007F629Bj
		mov	esi, [ebp+20h]
		mov	edx, esi
		call	sub_4FA154
		mov	edi, eax
		mov	[ebp-20h], edi
		push	esi
		push	dword ptr [ebp+1Ch]
		push	edi
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp-24h], esi

loc_7F62BE:				; CODE XREF: PAGE:007F6339j
		mov	[ebp-34h], edi
		cmp	esi, 5
		jge	short loc_7F62EE
		mov	[ebp-24h], ebx
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp-20h], ebx
		mov	eax, 80000014h
		mov	ecx, [ebp+0Ch]
		mov	[ecx], eax
		mov	[ecx+4], ebx

loc_7F62E2:				; CODE XREF: PAGE:007F631Aj
					; PAGE:007F6372j ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7F663B
; 

loc_7F62EE:				; CODE XREF: PAGE:007F62C4j
		movzx	eax, byte ptr [edi+4]
		add	eax, 6
		cmp	esi, eax
		jnb	short loc_7F631C

loc_7F62F9:				; CODE XREF: PAGE:007F632Aj
					; PAGE:007F632Ej ...
		mov	esi, edi
		mov	edi, [ebp-20h]
		sub	esi, edi
		mov	[ebp-24h], esi
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp-20h], ebx
		mov	eax, 80000014h
		mov	ecx, [ebp+0Ch]
		mov	[ecx], eax
		mov	[ecx+4], esi
		jmp	short loc_7F62E2
; 

loc_7F631C:				; CODE XREF: PAGE:007F62F7j
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_7F633B
		add	eax, 3
		and	eax, 0FFFFFFFCh
		cmp	eax, ecx
		jnz	short loc_7F62F9
		test	ecx, ecx
		js	short loc_7F62F9
		sub	esi, ecx
		mov	[ebp-24h], esi
		js	short loc_7F62F9
		add	edi, ecx
		jmp	short loc_7F62BE
; 

loc_7F633B:				; CODE XREF: PAGE:007F6320j
		sub	esi, eax
		mov	[ebp-24h], esi
		js	short loc_7F62F9
		mov	edi, [ebp+0Ch]

loc_7F6345:				; CODE XREF: PAGE:007F6267j
					; PAGE:007F6271j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7F63BD
; 

loc_7F634E:				; DATA XREF: .text:006A5174o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7F635C:				; DATA XREF: .text:006A5178o
		mov	esp, [ebp-18h]
		cmp	dword ptr [ebp-20h], 0
		jz	short loc_7F636F
		push	0
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F636F:				; CODE XREF: PAGE:007F6363j
		mov	eax, [ebp-44h]
		jmp	loc_7F62E2
; 

loc_7F6377:				; CODE XREF: PAGE:007F621Fj
		cmp	[ebp+1Ch], ebx
		jz	short loc_7F63B1
		mov	esi, [ebp+20h]
		test	esi, esi
		jz	short loc_7F63B1
		mov	byte ptr [ebp-19h], 1
		mov	dword ptr [ebp-4], 1
		mov	edx, esi
		call	sub_4FA154
		mov	edi, eax
		mov	[ebp-20h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	esi
		push	dword ptr [ebp+1Ch]
		push	edi
		call	_memcpy
		add	esp, 0Ch
		mov	edi, [ebp+0Ch]

loc_7F63B1:				; CODE XREF: PAGE:007F637Aj
					; PAGE:007F6381j
		mov	eax, [ebp+24h]
		test	eax, eax
		jz	short loc_7F63BD
		mov	eax, [eax]
		mov	[ebp-30h], eax

loc_7F63BD:				; CODE XREF: PAGE:007F634Cj
					; PAGE:007F63B6j
		push	ebx
		lea	eax, [ebp-28h]
		push	eax
		mov	eax, [ebp-40h]
		mov	[ebp-40h], eax
		push	eax
		push	8
		pop	edx
		mov	ecx, [ebp+8]
		call	IopReferenceFileObject
		mov	esi, eax
		test	esi, esi
		jns	short loc_7F6409
		cmp	byte ptr [ebp-19h], 0
		jz	short loc_7F63E9
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F63E9:				; CODE XREF: PAGE:007F63DEj
		mov	eax, esi
		jmp	loc_7F663B
; 

loc_7F63F0:				; DATA XREF: .text:006A5180o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7F63FE:				; DATA XREF: .text:006A5184o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-48h]
		jmp	loc_7F62E2
; 

loc_7F6409:				; CODE XREF: PAGE:007F63D8j
		mov	esi, [ebp-28h]
		lea	eax, [esi+2Ch]
		mov	[ebp+1Ch], eax
		mov	eax, [eax]
		test	al, 2
		jz	short loc_7F6491
		shr	eax, 2
		and	al, 1
		mov	[ebp+0Ch], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ebx
		mov	esi, [ebp-28h]
		lea	ecx, [esi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	edx, eax
		mov	[ebp-1Bh], bl
		xor	ecx, ecx
		inc	ecx
		lea	eax, [esi+44h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_7F6461
		test	edx, edx
		jz	short loc_7F6455
		or	byte ptr [edx+0Eh], 1

loc_7F6455:				; CODE XREF: PAGE:007F644Fj
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	[ebp+0Ch], ebx
		jmp	short loc_7F6476
; 

loc_7F6461:				; CODE XREF: PAGE:007F644Bj
		lea	eax, [ebp-1Bh]
		push	eax
		push	edx
		push	dword ptr [ebp+0Ch]
		mov	dl, [ebp-1Ah]
		mov	ecx, esi
		call	IopWaitAndAcquireFileObjectLock
		mov	[ebp+0Ch], eax

loc_7F6476:				; CODE XREF: PAGE:007F645Fj
		cmp	byte ptr [ebp-1Bh], 0
		jz	short loc_7F648D
		cmp	byte ptr [ebp-19h], 0
		jz	short loc_7F64B2
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7F64B2
; 

loc_7F648D:				; CODE XREF: PAGE:007F647Aj
		mov	al, 1
		jmp	short loc_7F64CC
; 

loc_7F6491:				; CODE XREF: PAGE:007F6416j
		call	sub_60F0DF
		mov	[ebp-2Ch], eax
		test	eax, eax
		jnz	short loc_7F64C1
		cmp	[ebp-19h], al
		jz	short loc_7F64AB
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F64AB:				; CODE XREF: PAGE:007F64A0j
		mov	dword ptr [ebp+0Ch], 0C000009Ah

loc_7F64B2:				; CODE XREF: PAGE:007F6480j
					; PAGE:007F648Bj
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, [ebp+0Ch]
		jmp	loc_7F663B
; 

loc_7F64C1:				; CODE XREF: PAGE:007F649Bj
		push	ebx
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	al, bl

loc_7F64CC:				; CODE XREF: PAGE:007F648Fj
		mov	[ebp+0Ch], al
		mov	ecx, esi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		push	esi
		call	IoGetRelatedDeviceObject
		mov	[ebp+8], eax
		push	dword ptr [ebp+4]
		push	ebx
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp-3Ch], esi
		test	esi, esi
		jnz	short loc_7F652A
		mov	eax, [ebp+1Ch]
		test	byte ptr [eax],	2
		jnz	short loc_7F6507
		push	ebx
		push	dword ptr [ebp-2Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F6507:				; CODE XREF: PAGE:007F64FCj
		xor	edx, edx
		mov	ecx, [ebp-28h]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		cmp	byte ptr [ebp-19h], 0
		jz	short loc_7F6520
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F6520:				; CODE XREF: PAGE:007F6515j
		mov	eax, 0C000009Ah
		jmp	loc_7F663B
; 

loc_7F652A:				; CODE XREF: PAGE:007F64F4j
		mov	edx, [ebp-28h]
		mov	[ebp-38h], edx
		mov	[esi+64h], edx
		mov	eax, [ebp-4Ch]
		mov	[esi+50h], eax
		mov	al, [ebp-1Ah]
		mov	[esi+20h], al
		cmp	byte ptr [ebp+0Ch], 0
		jz	short loc_7F654B
		mov	eax, edi
		mov	ecx, ebx
		jmp	short loc_7F6558
; 

loc_7F654B:				; CODE XREF: PAGE:007F6543j
		mov	dword ptr [esi+8], 4
		lea	eax, [ebp-5Ch]
		mov	ecx, [ebp-2Ch]

loc_7F6558:				; CODE XREF: PAGE:007F6549j
		mov	[esi+2Ch], ecx
		mov	[esi+28h], eax
		mov	[esi+30h], ebx
		mov	ecx, [esi+60h]
		sub	ecx, 24h
		mov	[ebp+1Ch], ecx
		mov	byte ptr [ecx],	7
		mov	[ecx+18h], edx
		cmp	byte ptr [ebp-19h], 0
		jz	short loc_7F6585
		mov	eax, [ebp-20h]
		mov	[esi+54h], eax
		mov	[ecx+8], eax
		mov	eax, [ebp+20h]
		mov	[ecx+0Ch], eax

loc_7F6585:				; CODE XREF: PAGE:007F6574j
		mov	eax, [ebp+8]
		mov	eax, [eax+1Ch]
		test	al, 4
		jz	loc_7F669B
		mov	eax, [ebp+14h]
		test	eax, eax
		jz	loc_7F668F
		mov	dword ptr [ebp-4], 2
		mov	edx, eax
		call	sub_4FA154
		mov	[esi+0Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	_IopDisableBufferedIoInit, 0
		jnz	short loc_7F65CC
		push	dword ptr [ebp+14h]
		push	ebx
		push	eax
		call	_memset
		add	esp, 0Ch

loc_7F65CC:				; CODE XREF: PAGE:007F65BDj
		or	dword ptr [esi+8], 70h
		mov	ecx, [ebp+1Ch]
		mov	edx, [ebp-38h]

loc_7F65D6:				; CODE XREF: PAGE:007F669Dj
		mov	eax, [ebp+10h]
		mov	[esi+3Ch], eax

loc_7F65DC:				; CODE XREF: PAGE:007F66E9j
		mov	eax, [ebp+14h]

loc_7F65DF:				; CODE XREF: PAGE:007F6696j
					; PAGE:007F66A8j
		mov	[ecx+4], eax
		mov	eax, [ebp-30h]
		mov	[ecx+10h], eax
		mov	[ecx+2], bl
		mov	al, bl
		cmp	[ebp+28h], al
		jz	short loc_7F65F8
		mov	byte ptr [ecx+2], 1
		mov	al, 1

loc_7F65F8:				; CODE XREF: PAGE:007F65F0j
		cmp	byte ptr [ebp+18h], 0
		jz	short loc_7F6603
		or	al, 2
		mov	[ecx+2], al

loc_7F6603:				; CODE XREF: PAGE:007F65FCj
		cmp	dword ptr [ebp+24h], 0
		jz	short loc_7F660E
		or	al, 4
		mov	[ecx+2], al

loc_7F660E:				; CODE XREF: PAGE:007F6607j
		push	2
		push	dword ptr [ebp+0Ch]
		push	dword ptr [ebp-40h]
		push	ebx
		push	edx
		mov	edx, esi
		mov	ecx, [ebp+8]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)
		cmp	byte ptr [ebp+0Ch], 0
		jnz	short loc_7F663B
		push	edi
		lea	ecx, [ebp-5Ch]
		push	ecx
		push	dword ptr [ebp-40h]
		push	esi
		mov	edx, [ebp-2Ch]
		mov	ecx, eax
		call	IopSynchronousApiServiceTail

loc_7F663B:				; CODE XREF: PAGE:007F62E9j
					; PAGE:007F63EBj ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_7F664D:				; DATA XREF: .text:006A518Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7F665B:				; DATA XREF: .text:006A5190o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-28h]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	dword ptr [ebp-2Ch]
		xor	ebx, ebx
		push	ebx
		mov	edx, [ebp-3Ch]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		cmp	[ebp-20h], ebx
		jz	short loc_7F6687
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F6687:				; CODE XREF: PAGE:007F667Cj
		mov	eax, [ebp-50h]
		jmp	loc_7F62E2
; 

loc_7F668F:				; CODE XREF: PAGE:007F6598j
		mov	[esi+0Ch], ebx
		or	dword ptr [esi+8], 50h
		jmp	loc_7F65DF
; 

loc_7F669B:				; CODE XREF: PAGE:007F658Dj
		test	al, 10h
		jz	loc_7F65D6
		mov	eax, [ebp+14h]
		test	eax, eax
		jz	loc_7F65DF
		mov	dword ptr [ebp-4], 3
		push	esi
		push	1
		push	ebx
		push	eax
		push	dword ptr [ebp+10h]
		call	IoAllocateMdl
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_7F6735
		mov	eax, [ebp+1Ch]
		movzx	eax, byte ptr [eax]
		push	eax
		push	dword ptr [ebp+8]
		push	1
		mov	dl, [ebp-1Ah]
		call	sub_60F0AA
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp+1Ch]
		mov	edx, [ebp-38h]
		jmp	loc_7F65DC
; 

loc_7F66EE:				; DATA XREF: .text:006A5198o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7F66FC:				; DATA XREF: .text:006A519Co
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-28h]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	dword ptr [ebp-2Ch]
		xor	ebx, ebx
		push	ebx
		mov	edx, [ebp-3Ch]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		cmp	[ebp-20h], ebx
		jz	short loc_7F6728
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F6728:				; CODE XREF: PAGE:007F671Dj
		mov	eax, [ebp-54h]
		jmp	loc_7F62E2
; 

loc_7F6730:				; CODE XREF: PAGE:007F6284j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7F6735:				; CODE XREF: PAGE:007F66C6j
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; 
		db 0CCh
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1570. NtQuerySecurityObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtQuerySecurityObject
NtQuerySecurityObject proc near		; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+37p
					; RtlpSysVolCheckOwnerAndSecurity(x,x)+74p
					; DATA XREF: ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0091285A SIZE 00000007 BYTES

		push	24h
		push	offset dword_6A51A0
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], esi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jz	short loc_7F679B
		mov	[ebp+ms_exc.disabled], esi
		mov	ecx, [ebp+arg_10]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_91285A

loc_7F6783:				; CODE XREF: NtQuerySecurityObject+11C116j
		mov	eax, [ecx]
		mov	[ecx], eax
		push	4
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7F679B:				; CODE XREF: NtQuerySecurityObject+28j
		lea	edx, [ebp+var_20]
		mov	ecx, [ebp+arg_4]
		call	_SeQuerySecurityAccessMask@8 ; SeQuerySecurityAccessMask(x,x)
		mov	[ebp+var_1C], esi
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_24]
		push	esi
		push	[ebp+var_20]
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7F6828
		mov	edi, [ebp+var_1C]
		lea	eax, [edi-18h]
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edi-0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	ecx, ds:_ObTypeIndexTable[ecx*4]
		mov	esi, [ecx+6Ch]
		push	[ebp+var_24]
		lea	eax, [ecx+34h]
		push	eax
		push	dword ptr [ecx+4Ch]
		lea	eax, [edi-4]
		push	eax
		lea	eax, [ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		lea	eax, [ebp+arg_4]
		push	eax
		push	1
		push	edi
		call	esi
		mov	ebx, eax
		mov	[ebp+ms_exc.disabled], 1
		mov	esi, [ebp+arg_C]
		mov	edx, [ebp+arg_10]
		mov	[edx], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, ebx

loc_7F6828:				; CODE XREF: NtQuerySecurityObject+7Cj
					; sub_91286F+Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
NtQuerySecurityObject endp


;  S U B	R O U T	I N E 


; __stdcall SeQuerySecurityAccessMask(x, x)
_SeQuerySecurityAccessMask@8 proc near	; CODE XREF: NtQuerySecurityObject+5Bp
					; IoCheckFunctionAccess(x,x,x,x,x,x)+110p
		xor	eax, eax
		mov	[edx], eax
		test	ecx, 10000h
		jnz	short loc_7F6888

loc_7F6846:				; CODE XREF: SeQuerySecurityAccessMask(x,x)+55j
		push	esi
		mov	esi, 20000h
		test	cl, 17h
		jnz	short loc_7F686E

loc_7F6851:				; CODE XREF: SeQuerySecurityAccessMask(x,x)+38j
		test	cl, 20h
		jnz	short loc_7F687C

loc_7F6856:				; CODE XREF: SeQuerySecurityAccessMask(x,x)+46j
		test	cl, 40h
		jnz	short loc_7F6891

loc_7F685B:				; CODE XREF: SeQuerySecurityAccessMask(x,x)+5Bj
		test	cl, cl
		js	short loc_7F6882

loc_7F685F:				; CODE XREF: SeQuerySecurityAccessMask(x,x)+4Cj
		test	ecx, 100h
		jnz	short loc_7F6897

loc_7F6867:				; CODE XREF: SeQuerySecurityAccessMask(x,x)+61j
		pop	esi
		test	cl, 8
		jnz	short loc_7F6874
		retn
; 

loc_7F686E:				; CODE XREF: SeQuerySecurityAccessMask(x,x)+15j
		or	eax, esi
		mov	[edx], eax
		jmp	short loc_7F6851
; 

loc_7F6874:				; CODE XREF: SeQuerySecurityAccessMask(x,x)+31j
		or	eax, 1000000h
		mov	[edx], eax
		retn
; 

loc_7F687C:				; CODE XREF: SeQuerySecurityAccessMask(x,x)+1Aj
		or	eax, esi
		mov	[edx], eax
		jmp	short loc_7F6856
; 

loc_7F6882:				; CODE XREF: SeQuerySecurityAccessMask(x,x)+23j
		or	eax, esi
		mov	[edx], eax
		jmp	short loc_7F685F
; 

loc_7F6888:				; CODE XREF: SeQuerySecurityAccessMask(x,x)+Aj
		mov	eax, 1020000h
		mov	[edx], eax
		jmp	short loc_7F6846
; 

loc_7F6891:				; CODE XREF: SeQuerySecurityAccessMask(x,x)+1Fj
		or	eax, esi
		mov	[edx], eax
		jmp	short loc_7F685B
; 

loc_7F6897:				; CODE XREF: SeQuerySecurityAccessMask(x,x)+2Bj
		or	eax, esi
		mov	[edx], eax
		jmp	short loc_7F6867
_SeQuerySecurityAccessMask@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1554. NtQueryDirectoryFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryDirectoryFile(x, x, x, x, x,	x, x, x, x, x, x)
		public _NtQueryDirectoryFile@44
_NtQueryDirectoryFile@44 proc near	; DATA XREF: .text:00580E98o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= byte ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= byte ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_20], 0
		setz	al
		dec	al
		and	al, 2
		cmp	[ebp+arg_28], 0
		jz	short loc_7F68BA
		or	al, 1

loc_7F68BA:				; CODE XREF: NtQueryDirectoryFile(x,x,x,x,x,x,x,x,x,x,x)+14j
		push	[ebp+arg_24]
		movzx	eax, al
		push	eax
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_NtQueryDirectoryFileEx@40 ; NtQueryDirectoryFileEx(x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	2Ch
_NtQueryDirectoryFile@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetSetSecurityObject	proc near	; DATA XREF: IoCreateObjectTypes+DFo
					; IoCreateObjectTypes+280o

var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_1B		= dword	ptr  23h
arg_1F		= byte ptr  27h
arg_20		= byte ptr  28h

; FUNCTION CHUNK AT 009128A9 SIZE 0000007C BYTES
; FUNCTION CHUNK AT 00912939 SIZE 0000001F BYTES
; FUNCTION CHUNK AT 00912971 SIZE 0000002B BYTES

		push	34h
		push	offset dword_6A51C8
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_24], ecx
		push	3
		pop	edx
		mov	ebx, [ebp+arg_0]
		cmp	[ebx], dx
		jz	loc_7F6ADF
		mov	edi, [ebx+4]
		cmp	[ebx+30h], cx
		jz	loc_9128A9

loc_7F690F:				; CODE XREF: IopGetSetSecurityObject+11BFD0j
		test	dword ptr [ebx+2Ch], 800h
		jnz	loc_7F6AE3
		cmp	[ebp+arg_4], 2
		jz	loc_912995
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ecx
		xor	eax, eax
		lea	edi, [ebp+var_44]
		stosd
		stosd
		stosd
		stosd
		mov	edi, large fs:124h
		mov	al, [edi+15Ah]
		mov	[ebp+arg_1F], al
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebx+2Ch]
		test	al, 2
		jz	loc_7F6AA6
		shr	eax, 2
		and	al, 1
		mov	byte ptr [ebp+arg_0], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		lea	ecx, [ebx+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	edx, eax
		mov	byte ptr [ebp+arg_1B], 0
		xor	ecx, ecx
		inc	ecx
		lea	eax, [ebx+44h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	loc_7F6C2F
		test	edx, edx
		jz	short loc_7F6997
		or	byte ptr [edx+0Eh], 1

loc_7F6997:				; CODE XREF: IopGetSetSecurityObject+AFj
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	esi, esi

loc_7F69A0:				; CODE XREF: IopGetSetSecurityObject+361j
		cmp	byte ptr [ebp+arg_1B], 0
		jnz	loc_7F6C23
		mov	[ebp+arg_1F], 1

loc_7F69AE:				; CODE XREF: IopGetSetSecurityObject+1D5j
		mov	ecx, ebx
		call	_IopResetEvent@4 ; IopResetEvent(x)
		push	ebx
		call	IoGetRelatedDeviceObject
		mov	ecx, eax
		mov	[ebp+arg_0], ecx
		push	dword ptr [ebp+4]
		mov	al, [ebp+arg_1F]
		xor	al, 1
		movzx	eax, al
		push	eax
		mov	dl, [ecx+30h]
		call	IopAllocateIrpExReturn
		mov	esi, eax
		test	esi, esi
		jz	loc_9128B7
		mov	[esi+64h], ebx
		mov	[esi+50h], edi
		mov	al, [ebp+arg_20]
		mov	[esi+20h], al
		test	byte ptr [ebx+2Ch], 2
		jz	loc_7F6ABC
		or	byte ptr [esi+27h], 2
		xor	eax, eax

loc_7F69FA:				; CODE XREF: IopGetSetSecurityObject+1E4j
		mov	[esi+2Ch], eax
		lea	eax, [ebp+var_34]
		mov	[esi+28h], eax
		and	dword ptr [esi+30h], 0
		mov	ecx, [esi+60h]
		mov	edi, [ebp+arg_4]
		mov	eax, [ebp+arg_8]
		cmp	edi, 1
		jnz	loc_7F6B61
		mov	byte ptr [ecx-24h], 14h
		mov	eax, [eax]
		mov	[ecx-20h], eax
		mov	eax, [ebp+arg_10]
		mov	eax, [eax]
		mov	[ecx-1Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+3Ch], eax

loc_7F6A30:				; CODE XREF: IopGetSetSecurityObject+28Ej
		mov	[ecx-0Ch], ebx
		mov	ecx, esi
		call	IopQueueThreadIrp
		call	_IopUpdateOtherOperationCount@0	; IopUpdateOtherOperationCount()
		mov	edx, esi
		mov	ecx, [ebp+arg_0]
		call	IofCallDriver
		mov	esi, eax
		cmp	[ebp+arg_1F], 0
		jz	short loc_7F6ACB
		cmp	esi, 103h
		jz	loc_9128CA

loc_7F6A5D:				; CODE XREF: IopGetSetSecurityObject+11BFFAj
		mov	ecx, ebx
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_7F6A64:				; CODE XREF: IopGetSetSecurityObject+1EFj
					; IopGetSetSecurityObject+11C011j
		mov	ecx, 0C0000010h
		cmp	esi, ecx
		jz	loc_9128F8
		xor	eax, eax
		inc	eax
		cmp	edi, eax
		jnz	short loc_7F6A92
		cmp	esi, 80000005h
		jz	short loc_7F6AD8

loc_7F6A80:				; CODE XREF: IopGetSetSecurityObject+1FBj
		mov	[ebp+ms_exc.disabled], eax
		mov	eax, [ebp+var_30]
		mov	ecx, [ebp+arg_10]
		mov	[ecx], eax

loc_7F6A8B:				; CODE XREF: IopGetSetSecurityObject+11C05Aj
					; sub_912966+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7F6A92:				; CODE XREF: IopGetSetSecurityObject+194j
					; IopGetSetSecurityObject+22Bj	...
		mov	eax, esi

loc_7F6A94:				; CODE XREF: IopGetSetSecurityObject+11BFE3j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_7F6AA6:				; CODE XREF: IopGetSetSecurityObject+6Fj
		push	0
		push	1
		lea	eax, [ebp+var_44]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[ebp+arg_1F], 0
		jmp	loc_7F69AE
; 

loc_7F6ABC:				; CODE XREF: IopGetSetSecurityObject+10Cj
		mov	dword ptr [esi+8], 4
		lea	eax, [ebp+var_44]
		jmp	loc_7F69FA
; 

loc_7F6ACB:				; CODE XREF: IopGetSetSecurityObject+16Dj
		cmp	esi, 103h
		jnz	short loc_7F6A64
		jmp	loc_9128E1
; 

loc_7F6AD8:				; CODE XREF: IopGetSetSecurityObject+19Cj
		mov	esi, 0C0000023h
		jmp	short loc_7F6A80
; 

loc_7F6ADF:				; CODE XREF: IopGetSetSecurityObject+1Aj
		mov	edi, ebx
		mov	ebx, ecx

loc_7F6AE3:				; CODE XREF: IopGetSetSecurityObject+34j
					; IopGetSetSecurityObject+11BFCAj
		mov	eax, [ebp+arg_4]
		cmp	eax, edx
		jnz	loc_7F6B75
		mov	esi, ecx
		test	ebx, ebx
		jnz	loc_912971

loc_7F6AF8:				; CODE XREF: IopGetSetSecurityObject+11C09Cj
		push	1
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+arg_C]
		call	ObLogSecurityDescriptor
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	short loc_7F6A92
		push	0
		push	[ebp+arg_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, large fs:124h
		dec	word ptr [ebx+13Ch]
		nop
		push	1
		mov	esi, offset _IopSecurityResource
		push	esi
		call	ExAcquireResourceExclusiveLite
		cmp	dword ptr [edi+98h], 0
		jnz	loc_912983

loc_7F6B42:				; CODE XREF: IopGetSetSecurityObject+11C0AEj
		mov	eax, [ebp+var_24]
		mov	[edi+98h], eax
		mov	ecx, esi
		call	ExReleaseResourceLite
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	esi, [ebp+var_1C]
		jmp	loc_7F6A92
; 

loc_7F6B61:				; CODE XREF: IopGetSetSecurityObject+131j
		mov	byte ptr [ecx-24h], 15h
		mov	eax, [eax]
		mov	[ecx-20h], eax
		mov	eax, [ebp+arg_C]
		mov	[ecx-1Ch], eax
		jmp	loc_7F6A30
; 

loc_7F6B75:				; CODE XREF: IopGetSetSecurityObject+206j
		test	eax, eax
		jnz	short loc_7F6BA4
		mov	ecx, edi
		call	IopGetDevicePDO
		mov	ebx, eax
		push	dword ptr [ebp+24h]
		mov	ecx, edi
		push	dword ptr [ebp+20h]
		push	[ebp+arg_C]
		test	ebx, ebx
		jnz	loc_7F6C17
		mov	edx, [ebp+arg_8]
		call	IopSetDeviceSecurityDescriptor
		mov	esi, eax
		jmp	loc_7F6A92
; 

loc_7F6BA4:				; CODE XREF: IopGetSetSecurityObject+295j
		xor	ebx, ebx
		inc	ebx
		cmp	eax, ebx
		jnz	loc_912995

loc_7F6BAF:				; CODE XREF: IopGetSetSecurityObject+11C027j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		mov	dword ptr [ebp+arg_20],	eax
		nop
		push	ebx
		mov	esi, offset _IopSecurityResource
		push	esi
		call	ExAcquireResourceSharedLite
		mov	edi, [edi+98h]
		test	edi, edi
		mov	[ebp+var_20], edi
		jz	short loc_7F6BE0
		push	ebx
		push	edi
		call	_ObReferenceSecurityDescriptor@8 ; ObReferenceSecurityDescriptor(x,x)

loc_7F6BE0:				; CODE XREF: IopGetSetSecurityObject+2F5j
		mov	ecx, esi
		call	ExReleaseResourceLite
		mov	ecx, dword ptr [ebp+arg_20]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		lea	eax, [ebp+var_20]
		push	eax		; void *
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		call	SeQuerySecurityDescriptorInfo
		mov	esi, eax
		test	edi, edi
		jz	loc_7F6A92
		push	ebx
		push	edi
		call	ObDereferenceSecurityDescriptor
		jmp	loc_7F6A92
; 

loc_7F6C17:				; CODE XREF: IopGetSetSecurityObject+2ADj
		push	[ebp+arg_8]
		mov	edx, ebx
		call	_IopSetDeviceSecurityDescriptors@24 ; IopSetDeviceSecurityDescriptors(x,x,x,x,x,x)
		mov	esi, eax

loc_7F6C23:				; CODE XREF: IopGetSetSecurityObject+C2j
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	loc_7F6A92
; 

loc_7F6C2F:				; CODE XREF: IopGetSetSecurityObject+A7j
		lea	eax, [ebp+arg_1B]
		push	eax
		push	edx
		push	[ebp+arg_0]
		mov	dl, [ebp+arg_1F]
		mov	ecx, ebx
		call	IopWaitAndAcquireFileObjectLock
		mov	esi, eax
		jmp	loc_7F69A0
IopGetSetSecurityObject	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQueryFullAttributesFile proc near	; DATA XREF: .text:00580E84o

var_198		= dword	ptr -198h
var_190		= dword	ptr -190h
var_188		= dword	ptr -188h
var_180		= dword	ptr -180h
var_170		= dword	ptr -170h
var_16A		= word ptr -16Ah
var_15C		= dword	ptr -15Ch
var_154		= dword	ptr -154h
var_143		= byte ptr -143h
var_141		= byte ptr -141h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_134		= dword	ptr -134h
var_124		= dword	ptr -124h
var_104		= dword	ptr -104h
var_FC		= dword	ptr -0FCh
var_F5		= byte ptr -0F5h
var_F4		= dword	ptr -0F4h
var_54		= dword	ptr -54h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0091299C SIZE 00000008 BYTES
; FUNCTION CHUNK AT 009129CC SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A51F0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 188h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		push	0A0h		; size_t
		push	0		; int
		lea	eax, [ebp+var_F4]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_FC], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_F5], al
		mov	byte ptr [ebp+var_104],	al
		test	al, al
		jz	short loc_7F6CFB
		mov	[ebp+var_4], 0
		test	bl, 3
		jnz	loc_7F6E5A
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_91299C

loc_7F6CEA:				; CODE XREF: NtQueryFullAttributesFile+11BD4Fj
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+34h]
		mov	[ebx+34h], al
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7F6CFB:				; CODE XREF: NtQueryFullAttributesFile+7Bj
		push	90h		; size_t
		push	0		; int
		lea	eax, [ebp+var_198]
		push	eax		; void *
		call	_memset
		push	38h		; size_t
		push	0		; int
		lea	eax, [ebp+var_54]
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	[ebp+var_198], offset loc_900008
		mov	eax, 7
		mov	[ebp+var_16A], ax
		mov	[ebp+var_15C], 1
		mov	[ebp+var_170], 204000h
		mov	[ebp+var_143], 1
		mov	[ebp+var_141], 1
		lea	eax, [ebp+var_F4]
		mov	[ebp+var_140], eax
		mov	[ebp+var_180], esi
		mov	[ebp+var_13C], 20h
		cmp	[ebp+var_F5], 0
		jz	loc_7F6E4F
		lea	eax, [ebp+var_54]
		mov	[ebp+var_154], eax

loc_7F6D88:				; CODE XREF: NtQueryFullAttributesFile+205j
		xor	eax, eax
		lea	edi, [ebp+var_134]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	eax, 14h
		mov	word ptr [ebp+var_134],	ax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		mov	[ebp+var_124], eax
		call	_IopUpdateOtherOperationCount@0	; IopUpdateOtherOperationCount()
		lea	eax, [ebp+var_FC]
		push	eax
		push	[ebp+var_124]
		lea	eax, [ebp+var_198]
		push	eax
		push	80h
		push	0
		mov	edi, [ebp+var_104]
		push	edi
		mov	eax, ds:_IoFileObjectType
		push	eax
		push	esi
		call	ObOpenObjectByNameEx
		mov	esi, eax
		lea	ecx, [ebp+var_198]
		call	_IopCleanupExtraCreateParameters@4 ; IopCleanupExtraCreateParameters(x)
		cmp	[ebp+var_188], 0BEAA0251h
		jz	short loc_7F6E20
		test	esi, esi
		jns	loc_9129CC

loc_7F6E00:				; CODE XREF: NtQueryFullAttributesFile+11BD8Dj
		mov	eax, esi

loc_7F6E02:				; CODE XREF: NtQueryFullAttributesFile+1D8j
					; NtQueryFullAttributesFile+1E1j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7F6E20:				; CODE XREF: NtQueryFullAttributesFile+1A6j
		mov	eax, [ebp+var_190]
		test	eax, eax
		js	short loc_7F6E02
		cmp	[ebp+var_F5], 0
		jz	short loc_7F6E02
		mov	[ebp+var_4], 1
		mov	ecx, 0Eh
		lea	esi, [ebp+var_54]
		mov	edi, ebx
		rep movsd

loc_7F6E46:				; CODE XREF: sub_9129F5+9j
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_7F6E02
; 

loc_7F6E4F:				; CODE XREF: NtQueryFullAttributesFile+129j
		mov	[ebp+var_154], ebx
		jmp	loc_7F6D88
; 

loc_7F6E5A:				; CODE XREF: NtQueryFullAttributesFile+87j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
NtQueryFullAttributesFile endp


;  S U B	R O U T	I N E 


; __stdcall IopCleanupExtraCreateParameters(x)
_IopCleanupExtraCreateParameters@4 proc	near ; CODE XREF: IoQueryInformationByName+1FDp
					; NtQueryFullAttributesFile+197p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+68h]
		test	ecx, ecx
		jz	short loc_7F6E79
		call	FsRtlpCleanupEcps
		test	al, al
		jz	short loc_7F6E79
		and	dword ptr [esi+68h], 0

loc_7F6E79:				; CODE XREF: IopCleanupExtraCreateParameters(x)+Aj
					; IopCleanupExtraCreateParameters(x)+13j
		pop	esi
		retn
_IopCleanupExtraCreateParameters@4 endp

; 
		align 10h

NtQueryAttributesFile:			; DATA XREF: .text:00580EB4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5218
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 180h
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		mov	[ebp-1Ch], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	esi, [ebp+8]
		mov	ebx, [ebp+0Ch]
		push	0A0h
		push	0
		lea	eax, [ebp-0F4h]
		push	eax
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebp-0FCh], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-0F8h], al
		test	al, al
		jz	short loc_7F6F25
		mov	dword ptr [ebp-4], 0
		test	bl, 3
		jnz	loc_7F7094
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_912A03

loc_7F6F14:				; CODE XREF: PAGE:00912A06j
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+24h]
		mov	[ebx+24h], al
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_7F6F25:				; CODE XREF: PAGE:007F6EF5j
		push	90h
		push	0
		lea	eax, [ebp-190h]
		push	eax
		call	_memset
		push	38h
		push	0
		lea	eax, [ebp-54h]
		push	eax
		call	_memset
		add	esp, 18h
		mov	dword ptr [ebp-190h], offset loc_900008
		mov	eax, 7
		mov	[ebp-162h], ax
		mov	dword ptr [ebp-154h], 1
		mov	dword ptr [ebp-168h], 204000h
		mov	[ebp-150h], ebx
		lea	eax, [ebp-54h]
		mov	[ebp-14Ch], eax
		mov	byte ptr [ebp-13Bh], 1
		lea	eax, [ebp-0F4h]
		mov	[ebp-138h], eax
		mov	[ebp-178h], esi
		mov	dword ptr [ebp-134h], 20h
		xor	eax, eax
		mov	[ebp-12Ch], eax
		mov	[ebp-128h], eax
		mov	[ebp-124h], eax
		mov	[ebp-120h], eax
		mov	[ebp-11Ch], eax
		mov	eax, 14h
		mov	[ebp-12Ch], ax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		mov	[ebp-11Ch], eax
		cmp	_IoCountOperations, 1
		jnz	short loc_7F7011
		mov	ecx, 1
		mov	eax, large fs:124h
		mov	eax, [eax+150h]
		add	eax, 200h
		lock add [eax],	ecx
		jnb	short loc_7F7004
		lock adc dword ptr [eax+4], 0

loc_7F7004:				; CODE XREF: PAGE:007F6FFDj
		inc	large dword ptr	fs:624h
		mov	eax, [ebp-11Ch]

loc_7F7011:				; CODE XREF: PAGE:007F6FE2j
		lea	ecx, [ebp-0FCh]
		push	ecx
		push	eax
		lea	eax, [ebp-190h]
		push	eax
		push	80h
		push	0
		push	dword ptr [ebp-0F8h]
		mov	eax, ds:_IoFileObjectType
		push	eax
		push	esi
		call	ObOpenObjectByNameEx
		mov	esi, eax
		mov	ecx, [ebp-128h]
		test	ecx, ecx
		jz	short loc_7F7058
		call	FsRtlpCleanupEcps
		test	al, al
		jz	short loc_7F7058
		mov	dword ptr [ebp-128h], 0

loc_7F7058:				; CODE XREF: PAGE:007F7043j
					; PAGE:007F704Cj
		cmp	dword ptr [ebp-180h], 0BEAA0251h
		jz	short loc_7F708C
		test	esi, esi
		jns	loc_912A33

loc_7F706C:				; CODE XREF: PAGE:00912A49j
		mov	eax, esi

loc_7F706E:				; CODE XREF: PAGE:007F7092j
					; PAGE:00912A2Ej
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-1Ch]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7F708C:				; CODE XREF: PAGE:007F7062j
		mov	eax, [ebp-188h]
		jmp	short loc_7F706E
; 

loc_7F7094:				; CODE XREF: PAGE:007F6F01j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpCleanupEcps proc near		; CODE XREF: IopCleanupExtraCreateParameters(x)+Cp
					; PAGE:007F7045p ...

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00912A4E SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		mov	ebx, ecx
		mov	eax, [ebx+4]
		test	eax, 3F0h
		jnz	loc_912A4E
		push	esi
		lea	esi, [ebx+8]
		push	edi
		test	al, 1
		jnz	loc_7F71E3

loc_7F70C6:				; CODE XREF: FsRtlpCleanupEcps+AFj
					; FsRtlpCleanupEcps+C0j
		mov	eax, [esi]
		cmp	eax, esi
		jz	loc_7F7165
		cmp	[eax+4], esi
		jnz	loc_912AA0
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_912AA0
		mov	[esi], ecx
		lea	edx, [eax+2Ch]
		mov	[ecx+4], esi
		lea	edi, [edx-34h]
		mov	dword ptr [eax+4], 0
		mov	dword ptr [eax], 0
		mov	ecx, [edi+20h]
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], 0
		test	ecx, ecx
		jz	short loc_7F7117
		lea	eax, [edi+10h]
		push	eax
		push	edx
		call	ecx
		mov	edx, [ebp+var_8]

loc_7F7117:				; CODE XREF: FsRtlpCleanupEcps+6Bj
		test	byte ptr [edi+24h], 20h
		jnz	loc_7F71C4

loc_7F7121:				; CODE XREF: FsRtlpCleanupEcps+12Cj
					; FsRtlpCleanupEcps+13Ej
		mov	ecx, [edi+2Ch]
		test	ecx, ecx
		jz	loc_7F71BA
		test	byte ptr [edi+24h], 40h
		jnz	loc_912A5B
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	short loc_7F71AF
		mov	edx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_7F714A:				; CODE XREF: FsRtlpCleanupEcps+118j
					; FsRtlpCleanupEcps+122j ...
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	loc_7F70C6
		push	eax
		mov	eax, _FltMgrCallbacks
		mov	eax, [eax+4]
		call	eax
		jmp	loc_7F70C6
; 

loc_7F7165:				; CODE XREF: FsRtlpCleanupEcps+2Aj
		test	byte ptr [ebx+4], 4
		jz	loc_912A67
		mov	ax, word_6F9E04
		inc	dword_6F9E14
		cmp	ax, word_6F9E08
		jnb	short loc_7F7199
		mov	edx, ebx
		mov	ecx, offset _FsRtlEcpListLookaside
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_7F7190:				; CODE XREF: FsRtlpCleanupEcps+11B9CFj
		mov	al, 1

loc_7F7192:				; CODE XREF: FsRtlpCleanupEcps+166j
		pop	edi
		pop	esi

loc_7F7194:				; CODE XREF: FsRtlpCleanupEcps+11B9B6j
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7F7199:				; CODE XREF: FsRtlpCleanupEcps+E2j
		inc	dword_6F9E18
		push	ebx
		call	dword_6F9E2C
		pop	edi
		pop	esi
		mov	al, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7F71AF:				; CODE XREF: FsRtlpCleanupEcps+A1j
		mov	eax, [ecx+2Ch]
		inc	dword ptr [ecx+18h]
		push	edi
		call	eax
		jmp	short loc_7F714A
; 

loc_7F71BA:				; CODE XREF: FsRtlpCleanupEcps+86j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7F714A
; 

loc_7F71C4:				; CODE XREF: FsRtlpCleanupEcps+7Bj
		mov	ecx, _FltMgrCallbacks
		test	ecx, ecx
		jz	loc_7F7121
		mov	eax, [edi+30h]
		push	edx
		mov	[ebp+var_4], eax
		push	eax
		mov	eax, [ecx]
		call	eax
		jmp	loc_7F7121
; 

loc_7F71E3:				; CODE XREF: FsRtlpCleanupEcps+20j
		mov	edi, [esi]
		cmp	edi, esi
		jz	short loc_7F7204
		lea	esp, [esp+0]

loc_7F71F0:				; CODE XREF: FsRtlpCleanupEcps+162j
		mov	edx, edi
		mov	eax, edi
		mov	edi, [edi]
		test	byte ptr [edx+1Ch], 1
		jz	loc_912A74

loc_7F7200:				; CODE XREF: FsRtlpCleanupEcps+11B9FBj
		cmp	edi, esi
		jnz	short loc_7F71F0

loc_7F7204:				; CODE XREF: FsRtlpCleanupEcps+147j
		xor	al, al
		jmp	short loc_7F7192
FsRtlpCleanupEcps endp

; 
		align 10h
; Exported entry 1573. NtQueryVolumeInformationFile

; __stdcall NtQueryVolumeInformationFile(x, x, x, x, x)
		public _NtQueryVolumeInformationFile@20
_NtQueryVolumeInformationFile@20:	; CODE XREF: PfpVolumeOpenAndVerify+F9p
					; PfpVolumeOpenAndVerify+17Fp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5238
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	dword ptr [ebp-24h], 0
		xor	eax, eax
		mov	[ebp-28h], eax
		mov	eax, large fs:124h
		mov	[ebp-44h], eax
		mov	al, [eax+15Ah]
		mov	[ebp-1Eh], al
		mov	[ebp-34h], al
		test	al, al
		jz	loc_7F7325
		mov	eax, [ebp+18h]
		cmp	eax, 0Fh
		jnb	loc_7F730C
		mov	al, byte ptr ds:_IopQueryFsOperationLength[eax]
		test	al, al
		jz	loc_7F730C
		movzx	eax, al
		mov	edi, [ebp+14h]
		cmp	edi, eax
		jnb	short loc_7F72AB
		mov	eax, 0C0000004h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F72AB:				; CODE XREF: PAGE:007F7290j
		mov	dword ptr [ebp-4], 0
		mov	ebx, [ebp+0Ch]
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_7F72C2
		mov	ecx, eax

loc_7F72C2:				; CODE XREF: PAGE:007F72BEj
		mov	eax, [ecx]
		mov	[ecx], eax
		push	4
		push	edi
		mov	esi, [ebp+10h]
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7F732B
; 

loc_7F72DB:				; DATA XREF: .text:006A524Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		mov	eax, 1
		retn
; 

loc_7F72EB:				; DATA XREF: .text:006A5250o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-38h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F730C:				; CODE XREF: PAGE:007F7274j
					; PAGE:007F7282j
		mov	eax, 0C0000003h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F7325:				; CODE XREF: PAGE:007F7268j
		mov	edi, [ebp+14h]
		mov	ebx, [ebp+0Ch]

loc_7F732B:				; CODE XREF: PAGE:007F72D9j
		push	0
		lea	eax, [ebp-24h]
		push	eax
		mov	eax, [ebp-34h]
		mov	[ebp-48h], eax
		push	eax
		mov	edx, [ebp+18h]
		mov	edx, ds:_IopQueryFsOperationAccess[edx*4]
		mov	ecx, [ebp+8]
		call	IopReferenceFileObject
		test	eax, eax
		js	loc_7F77AC
		mov	esi, [ebp-24h]
		lea	eax, [esi+2Ch]
		mov	[ebp-34h], eax
		mov	ecx, [eax]
		mov	edx, ecx
		and	edx, 800h
		mov	eax, [ebp+18h]
		jz	short loc_7F738F
		cmp	eax, 4
		jz	short loc_7F7398
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, 0C0000010h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F738F:				; CODE XREF: PAGE:007F7368j
		cmp	eax, 4
		jnz	loc_7F7484

loc_7F7398:				; CODE XREF: PAGE:007F736Dj
		test	edx, edx
		jnz	short loc_7F73A9
		mov	eax, [esi+4]
		cmp	dword ptr [eax+2Ch], 14h
		jz	loc_7F7484

loc_7F73A9:				; CODE XREF: PAGE:007F739Aj
		mov	byte ptr [ebp+1Bh], 0
		mov	edx, [esi+4]
		mov	[ebp+14h], edx
		cmp	dword ptr [edx+24h], 0
		jz	short loc_7F73C6
		mov	ecx, edx
		call	IopGetMountFlag
		mov	[ebp+1Bh], al
		mov	edx, [ebp+14h]

loc_7F73C6:				; CODE XREF: PAGE:007F73B7j
		cmp	edi, 8
		jnb	short loc_7F73ED
		mov	edi, 0C0000004h
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F73ED:				; CODE XREF: PAGE:007F73C9j
		mov	dword ptr [ebp-4], 1
		mov	eax, [edx+2Ch]
		mov	ecx, [ebp+10h]
		mov	[ecx], eax
		mov	eax, [edx+20h]
		mov	[ecx+4], eax
		cmp	byte ptr [ebp+1Bh], 0
		jz	short loc_7F740E
		or	eax, 20h
		mov	[ecx+4], eax

loc_7F740E:				; CODE XREF: PAGE:007F7406j
		mov	dword ptr [ebx], 0
		mov	dword ptr [ebx+4], 8
		xor	edi, edi
		mov	[ebp-2Ch], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F7444:				; DATA XREF: .text:006A5258o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		mov	eax, 1
		retn
; 

loc_7F7454:				; DATA XREF: .text:006A525Co
		mov	esp, [ebp-18h]
		mov	edi, [ebp-3Ch]
		mov	[ebp-2Ch], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-24h]
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F7484:				; CODE XREF: PAGE:007F7392j
					; PAGE:007F73A3j
		test	cl, 2
		jz	loc_7F751C
		shr	ecx, 2
		and	cl, 1
		mov	[ebp+8], cl
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		mov	esi, [ebp-24h]
		lea	ecx, [esi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	edx, eax
		mov	byte ptr [ebp-1Dh], 0
		mov	ecx, 1
		lea	eax, [esi+44h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_7F74DF
		test	edx, edx
		jz	short loc_7F74CF
		or	byte ptr [edx+0Eh], 1

loc_7F74CF:				; CODE XREF: PAGE:007F74C9j
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	dword ptr [ebp+8], 0
		jmp	short loc_7F74F4
; 

loc_7F74DF:				; CODE XREF: PAGE:007F74C5j
		lea	eax, [ebp-1Dh]
		push	eax
		push	edx
		push	dword ptr [ebp+8]
		mov	dl, [ebp-1Eh]
		mov	ecx, esi
		call	IopWaitAndAcquireFileObjectLock
		mov	[ebp+8], eax

loc_7F74F4:				; CODE XREF: PAGE:007F74DDj
		cmp	byte ptr [ebp-1Dh], 0
		jz	short loc_7F7518
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, [ebp+8]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F7518:				; CODE XREF: PAGE:007F74F8j
		mov	al, 1
		jmp	short loc_7F751E
; 

loc_7F751C:				; CODE XREF: PAGE:007F7487j
		xor	al, al

loc_7F751E:				; CODE XREF: PAGE:007F751Aj
		mov	[ebp+8], al
		cmp	dword ptr [ebp+18h], 9
		jnz	loc_7F75E8
		mov	dword ptr [ebp-30h], 0
		mov	dword ptr [ebp-4], 2
		mov	edx, edi
		call	sub_4FA154
		mov	edi, eax
		mov	[ebp-30h], edi
		mov	ebx, [ebp+14h]
		push	ebx
		push	dword ptr [ebp+10h]
		push	edi
		call	_memcpy
		add	esp, 0Ch
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	_IopGetDriverPathInformation@12	; IopGetDriverPathInformation(x,x,x)
		mov	ebx, eax
		mov	[ebp-2Ch], ebx
		test	ebx, ebx
		js	loc_7F77C0
		mov	al, [edi]
		mov	ecx, [ebp+10h]
		mov	[ecx], al
		mov	eax, [ebp+0Ch]
		mov	dword ptr [eax], 0
		mov	dword ptr [eax+4], 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7F75B2
; 

loc_7F758C:				; DATA XREF: .text:006A5264o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		mov	eax, 1
		retn
; 

loc_7F759C:				; DATA XREF: .text:006A5268o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-40h]
		mov	[ebp-2Ch], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-24h]
		mov	edi, [ebp-30h]

loc_7F75B2:				; CODE XREF: PAGE:007F758Aj
		test	edi, edi
		jz	short loc_7F75BE
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F75BE:				; CODE XREF: PAGE:007F75B4j
		test	byte ptr [esi+2Ch], 2
		jz	short loc_7F75CB
		mov	ecx, esi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_7F75CB:				; CODE XREF: PAGE:007F75C2j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, ebx
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F75E8:				; CODE XREF: PAGE:007F7525j
		mov	ecx, esi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		push	esi
		call	IoGetRelatedDeviceObject
		mov	[ebp+14h], eax
		mov	ecx, [ebp-34h]
		test	byte ptr [ecx],	2
		jnz	short loc_7F7636
		call	sub_51531E
		mov	[ebp-28h], eax
		test	eax, eax
		jnz	short loc_7F762C
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, 0C000009Ah
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F762C:				; CODE XREF: PAGE:007F760Aj
		push	0
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_7F7636:				; CODE XREF: PAGE:007F75FEj
		mov	eax, [ebp+4]
		push	eax
		push	0
		mov	eax, [ebp+14h]
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp-4Ch], esi
		test	esi, esi
		jnz	short loc_7F7686
		mov	eax, [ebp-34h]
		test	byte ptr [eax],	2
		jnz	short loc_7F7663
		push	esi
		push	dword ptr [ebp-28h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F7663:				; CODE XREF: PAGE:007F7658j
		xor	edx, edx
		mov	ecx, [ebp-24h]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		mov	eax, 0C000009Ah
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F7686:				; CODE XREF: PAGE:007F7650j
		mov	edx, [ebp-24h]
		mov	[ebp-34h], edx
		mov	[esi+64h], edx
		mov	eax, [ebp-44h]
		mov	[esi+50h], eax
		mov	al, [ebp-1Eh]
		mov	[esi+20h], al
		mov	dword ptr [ebp-58h], 0
		mov	dword ptr [ebp-54h], 0
		cmp	byte ptr [ebp+8], 0
		jz	short loc_7F76B5
		mov	eax, ebx
		xor	ecx, ecx
		jmp	short loc_7F76C2
; 

loc_7F76B5:				; CODE XREF: PAGE:007F76ADj
		mov	dword ptr [esi+8], 4
		lea	eax, [ebp-58h]
		mov	ecx, [ebp-28h]

loc_7F76C2:				; CODE XREF: PAGE:007F76B3j
		mov	[esi+2Ch], ecx
		mov	[esi+28h], eax
		mov	dword ptr [esi+30h], 0
		mov	eax, [esi+60h]
		sub	eax, 24h
		mov	[ebp+0Ch], eax
		mov	byte ptr [eax],	0Ah
		mov	[eax+18h], edx
		mov	eax, [ebp+10h]
		mov	[esi+3Ch], eax
		mov	dword ptr [esi+0Ch], 0
		mov	dword ptr [esi+4], 0
		mov	dword ptr [ebp-4], 3
		mov	edx, edi
		call	sub_4FA154
		mov	[esi+0Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	_IopDisableBufferedIoInit, 0
		jnz	short loc_7F771F
		push	edi
		push	0
		push	eax
		call	_memset
		add	esp, 0Ch

loc_7F771F:				; CODE XREF: PAGE:007F7711j
		or	dword ptr [esi+8], 870h
		mov	ecx, [ebp+0Ch]
		mov	[ecx+4], edi
		mov	eax, [ebp+18h]
		mov	[ecx+8], eax
		push	2
		push	dword ptr [ebp+8]
		mov	edi, [ebp-48h]
		push	edi
		push	1
		push	dword ptr [ebp-34h]
		mov	edx, esi
		mov	ecx, [ebp+14h]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)
		cmp	byte ptr [ebp+8], 0
		jnz	short loc_7F77AC
		push	ebx
		lea	ecx, [ebp-58h]
		push	ecx
		push	edi
		push	esi
		mov	edx, [ebp-28h]
		mov	ecx, eax
		call	IopSynchronousApiServiceTail
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F7775:				; DATA XREF: .text:006A5270o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		mov	eax, 1
		retn
; 

loc_7F7785:				; DATA XREF: .text:006A5274o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-24h]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	dword ptr [ebp-28h]
		push	0
		mov	edx, [ebp-4Ch]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-50h]

loc_7F77AC:				; CODE XREF: PAGE:007F734Cj
					; PAGE:007F774Ej
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7F77C0:				; CODE XREF: PAGE:007F7566j
		push	ebx
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; 
		dw 0CCCCh
		align 10h
; Exported entry 1555. NtQueryDirectoryFileEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryDirectoryFileEx(x, x, x, x, x, x, x,	x, x, x)
		public _NtQueryDirectoryFileEx@40
_NtQueryDirectoryFileEx@40 proc	near	; CODE XREF: NtQueryDirectoryFile(x,x,x,x,x,x,x,x,x,x,x)+37p
					; DATA XREF: .text:00580E9Co

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		lea	eax, [ebp+var_8]
		mov	edx, [ebp+arg_4]
		push	eax
		lea	eax, [ebp+var_C]
		mov	byte ptr [ebp+var_4], 0
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_14], 0
		push	eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], 0
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], 0
		push	eax
		push	ecx
		push	[ebp+arg_24]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_20]
		mov	byte ptr [ebp+var_8], 0
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_BuildQueryDirectoryIrp@64 ; BuildQueryDirectoryIrp(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_7F7849
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_14]
		push	2
		push	[ebp+var_4]
		push	[ebp+var_8]
		push	1
		push	[ebp+var_C]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)

loc_7F7849:				; CODE XREF: NtQueryDirectoryFileEx(x,x,x,x,x,x,x,x,x,x)+5Fj
		mov	esp, ebp
		pop	ebp
		retn	28h
_NtQueryDirectoryFileEx@40 endp

; 
		align 10h

; __stdcall BuildQueryDirectoryIrp(x, x, x, x, x, x, x,	x, x, x, x, x, x, x, x,	x)
_BuildQueryDirectoryIrp@64:		; CODE XREF: NtQueryDirectoryFileEx(x,x,x,x,x,x,x,x,x,x)+58p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5278
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	[ebp-3Ch], edx
		mov	[ebp-38h], ecx
		mov	dword ptr [ebp-28h], 0
		mov	dword ptr [ebp-2Ch], 0
		mov	dword ptr [ebp-24h], 0
		mov	eax, large fs:124h
		mov	[ebp-40h], eax
		mov	dl, [eax+15Ah]
		mov	[ebp-19h], dl
		mov	[ebp-30h], dl
		mov	eax, [ebp+3Ch]
		mov	[eax], dl
		mov	dword ptr [ebp-4], 0
		test	dl, dl
		jz	loc_7F7990
		xor	ecx, ecx
		mov	[ebp-20h], ecx
		mov	edx, [ebp+10h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_7F78DC
		mov	edx, eax

loc_7F78DC:				; CODE XREF: PAGE:007F78D8j
		mov	eax, [edx]
		mov	[edx], eax
		mov	esi, [ebp+1Ch]
		cmp	esi, 1
		jnz	short loc_7F78EF

loc_7F78E8:				; CODE XREF: PAGE:007F7903j
					; DATA XREF: PAGE:off_7F7E98o
		mov	ecx, 48h
		jmp	short loc_7F7957
; 

loc_7F78EF:				; CODE XREF: PAGE:007F78E6j
		cmp	esi, 3
		jz	short loc_7F7952
		lea	eax, [esi-2]
		cmp	eax, 3Dh
		ja	short loc_7F792E
		movzx	eax, ds:byte_7F7EB8[eax]
		jmp	ds:off_7F7E98[eax*4]

loc_7F790A:				; DATA XREF: PAGE:007F7EA8o
		mov	ecx, 58h
		jmp	short loc_7F7957
; 

loc_7F7911:				; CODE XREF: PAGE:007F7903j
					; DATA XREF: PAGE:007F7EA4o
		mov	ecx, 70h
		jmp	short loc_7F7957
; 

loc_7F7918:				; CODE XREF: PAGE:007F7903j
					; DATA XREF: PAGE:007F7E9Co
		mov	ecx, 10h
		jmp	short loc_7F7957
; 

loc_7F791F:				; CODE XREF: PAGE:007F7903j
					; DATA XREF: PAGE:007F7EA0o
		mov	ecx, 38h
		jmp	short loc_7F7957
; 

loc_7F7926:				; CODE XREF: PAGE:007F7903j
					; DATA XREF: PAGE:007F7EB0o
		mov	ecx, 78h
		mov	[ebp-20h], ecx

loc_7F792E:				; CODE XREF: PAGE:007F78FAj
					; PAGE:007F7903j
					; DATA XREF: ...
		test	ecx, ecx
		jnz	short loc_7F795A
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000003h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7F7952:				; CODE XREF: PAGE:007F78F2j
					; PAGE:007F7903j
					; DATA XREF: ...
		mov	ecx, 60h

loc_7F7957:				; CODE XREF: PAGE:007F78EDj
					; PAGE:007F790Fj ...
		mov	[ebp-20h], ecx

loc_7F795A:				; CODE XREF: PAGE:007F7930j
		mov	ebx, [ebp+18h]
		cmp	ebx, ecx
		jnb	short loc_7F7981
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C0000004h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7F7981:				; CODE XREF: PAGE:007F795Fj
		push	4
		push	ebx
		mov	ebx, [ebp+14h]
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	dl, [ebp-19h]

loc_7F7990:				; CODE XREF: PAGE:007F78C3j
		mov	ecx, [ebp+24h]
		test	ecx, ecx
		jz	loc_7F7A65
		mov	dword ptr [ebp-54h], 0
		mov	dword ptr [ebp-50h], 0
		test	dl, dl
		jz	short loc_7F79CD
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_7F79B8
		mov	ecx, eax

loc_7F79B8:				; CODE XREF: PAGE:007F79B4j
		nop
		mov	eax, [ecx]
		mov	[ebp-54h], eax
		mov	ecx, [ecx+4]
		mov	[ebp-50h], ecx
		mov	esi, ecx
		mov	edi, ecx
		mov	eax, [ebp-54h]
		jmp	short loc_7F79DF
; 

loc_7F79CD:				; CODE XREF: PAGE:007F79ABj
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[ebp-5Ch], eax
		mov	esi, ecx
		mov	[ebp-54h], eax
		mov	[ebp-50h], ecx
		mov	edi, esi

loc_7F79DF:				; CODE XREF: PAGE:007F79CBj
		mov	[ebp+3Ch], ecx
		mov	[ebp+24h], eax
		test	al, 1
		jz	short loc_7F7A09
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7F7A09:				; CODE XREF: PAGE:007F79E7j
		test	ax, ax
		jz	short loc_7F7A65
		test	dl, dl
		jz	short loc_7F7A36
		movzx	ecx, ax
		add	ecx, esi
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	short loc_7F7A25
		cmp	ecx, edi
		jnb	short loc_7F7A28

loc_7F7A25:				; CODE XREF: PAGE:007F7A1Fj
		mov	byte ptr [edx],	0

loc_7F7A28:				; CODE XREF: PAGE:007F7A23j
		mov	ecx, 200h
		cmp	ax, cx
		jnb	loc_7F7E81

loc_7F7A36:				; CODE XREF: PAGE:007F7A10j
		movzx	esi, ax
		lea	edx, [esi+8]
		call	sub_4FA154
		mov	ebx, eax
		mov	[ebp-24h], ebx
		lea	edi, [ebx+8]
		push	esi
		push	dword ptr [ebp+3Ch]
		push	edi
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+24h]
		mov	[ebx], ax
		mov	[ebx+2], ax
		mov	[ebx+4], edi
		jmp	short loc_7F7A68
; 

loc_7F7A65:				; CODE XREF: PAGE:007F7995j
					; PAGE:007F7A0Cj
		mov	ebx, [ebp-24h]

loc_7F7A68:				; CODE XREF: PAGE:007F7A63j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp-28h]
		push	eax
		push	dword ptr [ebp-30h]
		mov	edx, 1
		mov	ecx, [ebp-38h]
		call	IopReferenceFileObject
		mov	esi, eax
		test	esi, esi
		jns	short loc_7F7AAD
		test	ebx, ebx
		jz	short loc_7F7A97
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F7A97:				; CODE XREF: PAGE:007F7A8Dj
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7F7AAD:				; CODE XREF: PAGE:007F7A89j
		mov	edi, [ebp-28h]
		mov	eax, [ebp+38h]
		mov	[eax], edi
		cmp	dword ptr [edi+6Ch], 0
		jz	short loc_7F7AED
		cmp	dword ptr [ebp+8], 0
		jz	short loc_7F7AED
		mov	ecx, edi
		call	ObfDereferenceObject
		test	ebx, ebx
		jz	short loc_7F7AD4
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F7AD4:				; CODE XREF: PAGE:007F7ACAj
		mov	eax, 0C000000Dh
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7F7AED:				; CODE XREF: PAGE:007F7AB9j
					; PAGE:007F7ABFj
		mov	ecx, [ebp-3Ch]
		test	ecx, ecx
		jz	short loc_7F7B4D
		mov	eax, ds:_ExEventObjectType
		mov	dword ptr [ebp-34h], 0
		push	0
		lea	edx, [ebp-34h]
		push	edx
		push	dword ptr [ebp-30h]
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp-34h]
		mov	[ebp-2Ch], eax
		test	esi, esi
		jns	short loc_7F7B47
		test	ebx, ebx
		jz	short loc_7F7B2A
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F7B2A:				; CODE XREF: PAGE:007F7B20j
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7F7B47:				; CODE XREF: PAGE:007F7B1Cj
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_7F7B4D:				; CODE XREF: PAGE:007F7AF2j
		mov	eax, [edi+2Ch]
		test	al, 2
		jz	loc_7F7BFF
		shr	eax, 2
		and	al, 1
		mov	[ebp+3Ch], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		mov	edi, [ebp-28h]
		lea	ecx, [edi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		xor	bh, bh
		mov	[ebp-1Ah], bh
		lea	ecx, [edi+44h]
		mov	edx, 1
		xchg	edx, [ecx]
		test	edx, edx
		jnz	short loc_7F7BA6
		test	eax, eax
		jz	short loc_7F7B98
		or	byte ptr [eax+0Eh], 1

loc_7F7B98:				; CODE XREF: PAGE:007F7B92j
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	esi, esi
		mov	bl, [ebp-19h]
		jmp	short loc_7F7BBF
; 

loc_7F7BA6:				; CODE XREF: PAGE:007F7B8Ej
		lea	ecx, [ebp-1Ah]
		push	ecx
		push	eax
		push	dword ptr [ebp+3Ch]
		mov	bl, [ebp-19h]
		mov	dl, bl
		mov	ecx, edi
		call	IopWaitAndAcquireFileObjectLock
		mov	esi, eax
		mov	bh, [ebp-1Ah]

loc_7F7BBF:				; CODE XREF: PAGE:007F7BA4j
		test	bh, bh
		jz	short loc_7F7BFB
		mov	ecx, [ebp-24h]
		test	ecx, ecx
		jz	short loc_7F7BD2
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F7BD2:				; CODE XREF: PAGE:007F7BC8j
		mov	ecx, [ebp-2Ch]
		test	ecx, ecx
		jz	short loc_7F7BDE
		call	ObfDereferenceObject

loc_7F7BDE:				; CODE XREF: PAGE:007F7BD7j
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7F7BFB:				; CODE XREF: PAGE:007F7BC1j
		mov	al, 1
		jmp	short loc_7F7C04
; 

loc_7F7BFF:				; CODE XREF: PAGE:007F7B52j
		xor	al, al
		mov	bl, [ebp-19h]

loc_7F7C04:				; CODE XREF: PAGE:007F7BFDj
		mov	esi, [ebp+2Ch]
		mov	[esi], al
		mov	ecx, edi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		push	edi
		call	IoGetRelatedDeviceObject
		mov	[ebp+3Ch], eax
		mov	ecx, [ebp+30h]
		mov	[ecx], eax
		mov	ecx, [ebp+4]
		push	ecx
		cmp	byte ptr [esi],	0
		setz	cl
		movzx	ecx, cl
		push	ecx
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp+24h], esi
		mov	ecx, [ebp-28h]
		test	esi, esi
		jnz	short loc_7F7C71
		mov	edx, [ebp-2Ch]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		mov	eax, [ebp-24h]
		test	eax, eax
		jz	short loc_7F7C58
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F7C58:				; CODE XREF: PAGE:007F7C4Fj
		mov	eax, 0C000009Ah
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7F7C71:				; CODE XREF: PAGE:007F7C40j
		mov	eax, [ebp+34h]
		mov	[eax], esi
		mov	[esi+64h], ecx
		mov	eax, [ebp-40h]
		mov	[esi+50h], eax
		mov	[esi+20h], bl
		mov	eax, [ebp-2Ch]
		mov	[esi+2Ch], eax
		mov	eax, [ebp+10h]
		mov	[esi+28h], eax
		mov	eax, [ebp+8]
		mov	[esi+30h], eax
		mov	eax, [ebp+0Ch]
		mov	[esi+34h], eax
		mov	edi, [esi+60h]
		mov	word ptr [edi-24h], 10Ch
		mov	[edi-0Ch], ecx
		mov	eax, [ebp-24h]
		mov	[esi+54h], eax
		mov	dword ptr [esi+0Ch], 0
		mov	dword ptr [esi+4], 0
		mov	eax, [ebp+3Ch]
		mov	eax, [eax+1Ch]
		test	al, 4
		jz	loc_7F7D5E
		mov	dword ptr [ebp-4], 1
		mov	ebx, [ebp+18h]
		mov	edx, ebx
		call	sub_4FA154
		mov	[esi+0Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	_IopDisableBufferedIoInit, 0
		jnz	short loc_7F7CF8
		push	ebx
		push	0
		push	eax
		call	_memset
		add	esp, 0Ch

loc_7F7CF8:				; CODE XREF: PAGE:007F7CEAj
		mov	dword ptr [esi+8], 70h
		jmp	loc_7F7E00
; 

loc_7F7D04:				; DATA XREF: .text:006A5298o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		mov	eax, 1
		retn
; 

loc_7F7D14:				; DATA XREF: .text:006A529Co
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-28h]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	0
		push	dword ptr [ebp-2Ch]
		mov	edx, [ebp+24h]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		mov	eax, [ebp-24h]
		test	eax, eax
		jz	short loc_7F7D40
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F7D40:				; CODE XREF: PAGE:007F7D36j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-44h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7F7D5E:				; CODE XREF: PAGE:007F7CC2j
		test	al, 10h
		jz	loc_7F7DFD
		mov	dword ptr [ebp-4], 2
		push	esi
		push	1
		push	0
		mov	ebx, [ebp+18h]
		push	ebx
		mov	eax, [ebp+14h]
		push	eax
		call	IoAllocateMdl
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_7F7E8B
		movzx	eax, byte ptr [edi-24h]
		push	eax
		push	dword ptr [ebp+3Ch]
		push	ecx
		mov	dl, [ebp-19h]
		call	sub_60F076
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7F7E06
; 

loc_7F7DA3:				; DATA XREF: .text:006A52A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		mov	eax, 1
		retn
; 

loc_7F7DB3:				; DATA XREF: .text:006A52A8o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-28h]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	0
		push	dword ptr [ebp-2Ch]
		mov	edx, [ebp+24h]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		mov	eax, [ebp-24h]
		test	eax, eax
		jz	short loc_7F7DDF
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F7DDF:				; CODE XREF: PAGE:007F7DD5j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-48h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7F7DFD:				; CODE XREF: PAGE:007F7D60j
		mov	ebx, [ebp+18h]

loc_7F7E00:				; CODE XREF: PAGE:007F7CFFj
		mov	eax, [ebp+14h]
		mov	[esi+3Ch], eax

loc_7F7E06:				; CODE XREF: PAGE:007F7DA1j
		mov	[edi-20h], ebx
		mov	eax, [ebp+1Ch]
		mov	[edi-18h], eax
		mov	dword ptr [edi-14h], 0
		mov	eax, [ebp-24h]
		mov	[edi-1Ch], eax
		mov	al, [ebp+20h]
		and	al, 1Bh
		mov	[edi-22h], al
		or	dword ptr [esi+8], 800h
		xor	eax, eax
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7F7E41:				; DATA XREF: .text:006A528Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		mov	eax, 1
		retn
; 

loc_7F7E51:				; DATA XREF: .text:006A5290o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-24h]
		test	eax, eax
		jz	short loc_7F7E63
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F7E63:				; CODE XREF: PAGE:007F7E59j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_7F7E81:				; CODE XREF: PAGE:007F7A30j
		push	0C000000Dh
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_7F7E8B:				; CODE XREF: PAGE:007F7D83j
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		lea	ecx, [ecx+0]
; 
off_7F7E98	dd offset loc_7F78E8	; DATA XREF: PAGE:007F7903r
		dd offset loc_7F7918
		dd offset loc_7F791F
		dd offset loc_7F7911
		dd offset loc_7F790A
		dd offset loc_7F7952
		dd offset loc_7F7926
		dd offset loc_7F792E
byte_7F7EB8	db 0			; DATA XREF: PAGE:007F78FCr
		db 3 dup(7)
		dd 7070707h, 7010707h, 3 dup(7070707h),	70707h,	1020707h
		dd 3070707h, 7070704h, 2 dup(7070707h),	7070705h, 7070707h
		dd 7050707h
; 
		pop	es
		push	es

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSynchronousApiServiceTail proc near	; CODE XREF: PAGE:007BE3A2p
					; NtFlushBuffersFileEx+1F7p ...

var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	10h
		push	offset dword_6A52B0
		call	__SEH_prolog4
		mov	edi, edx
		mov	[ebp+var_20], edi
		mov	esi, ecx
		cmp	esi, 103h
		jz	short loc_7F7F4A

loc_7F7F11:				; CODE XREF: IopSynchronousApiServiceTail+73j
		and	[ebp+ms_exc.disabled], 0
		mov	edx, [ebp+arg_8]
		mov	eax, [edx]
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		mov	eax, [edx+4]
		mov	[ecx+4], eax

loc_7F7F25:				; CODE XREF: sub_912AC4+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	0
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7F7F4A:				; CODE XREF: IopSynchronousApiServiceTail+19j
		push	0
		push	0
		push	[ebp+arg_4]
		push	0
		push	edi
		call	KeWaitForSingleObject
		cmp	eax, 0C0h
		jz	loc_912AA7

loc_7F7F64:				; CODE XREF: FsRtlpCleanupEcps+11BA11j
		mov	eax, [ebp+arg_8]
		mov	esi, [eax]
		jmp	short loc_7F7F11
IopSynchronousApiServiceTail endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnIsVolumeMounted(x, x, x)
_PfSnIsVolumeMounted@12	proc near	; CODE XREF: PfSnOpenVolumesForPrefetch+174p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_10]
		push	ecx
		push	eax
		mov	edi, edx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx		; void *
		push	20h		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; void *
		push	20h		; int
		push	1		; int
		push	7		; int
		push	ebx		; int
		lea	eax, [ebp+var_10]
		mov	[ebp+var_38], 18h
		mov	[ebp+var_30], eax
		lea	ecx, [ebp+var_8]
		push	ebx		; int
		lea	eax, [ebp+var_18]
		mov	[ebp+var_34], ebx
		push	eax		; int
		lea	eax, [ebp+var_38]
		mov	[ebp+var_2C], 240h
		push	eax		; int
		mov	edx, 100080h
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		call	_IopCreateFile@64 ; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7F8022
		push	4
		push	8
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_8]
		call	_NtQueryVolumeInformationFile@20 ; NtQueryVolumeInformationFile(x,x,x,x,x)
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_7F801A
		mov	ecx, [ebp+var_1C]
		mov	esi, ebx
		mov	eax, ecx
		shr	eax, 5
		and	eax, 1
		and	ecx, 1
		mov	[edi], eax
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_7F801A:				; CODE XREF: PfSnIsVolumeMounted(x,x,x)+95j
		push	[ebp+var_8]
		call	NtClose

loc_7F8022:				; CODE XREF: PfSnIsVolumeMounted(x,x,x)+74j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PfSnIsVolumeMounted@12	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnOpenVolumesForPrefetch proc	near	; CODE XREF: PfSnEndTrace+2DBp

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00912ACF SIZE 00000090 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_6C], edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_34], esi
		lea	eax, [ebp+var_14]
		mov	[ebp+var_28], edi
		mov	[ebp+var_10], eax
		mov	dl, 1
		mov	[ebp+var_14], eax
		mov	eax, esi
		mov	ebx, [edi]
		mov	ecx, ebx
		push	2
		mov	[ebp+var_2C], eax
		mov	[ebp+var_C], eax
		pop	eax
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_74], esi
		mov	[ebp+var_70], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_68], esi
		mov	[ebp+var_64], esi
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], esi
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_44], eax
		mov	[ebp+var_1C], esi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_18], esi
		call	PfSnLogOpenVolumesForPrefetch
		test	ebx, ebx
		jz	loc_912ACF
		mov	eax, [ebx+70h]
		cmp	eax, 4000h
		jnb	loc_912ACF
		imul	eax, 44h
		push	76506343h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+8], eax
		test	eax, eax
		jz	loc_912AD9
		mov	[ebp+var_8], esi
		cmp	[ebx+70h], esi
		jbe	short loc_7F80F6

loc_7F80DB:				; CODE XREF: PfSnOpenVolumesForPrefetch+C6j
		mov	ecx, [edi+8]
		add	ecx, esi	; void *
		call	_PfSnVolumeNodeInitialize@4 ; PfSnVolumeNodeInitialize(x)
		mov	eax, [ebp+var_8]
		add	esi, 44h
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, [ebx+70h]
		jb	short loc_7F80DB
		xor	esi, esi

loc_7F80F6:				; CODE XREF: PfSnOpenVolumesForPrefetch+ADj
		push	esi
		push	esi
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_8C], 18h
		push	eax
		push	1F0003h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_88], esi
		push	eax
		mov	[ebp+var_80], 200h
		mov	[ebp+var_84], esi
		mov	[ebp+var_7C], esi
		mov	[ebp+var_78], esi
		call	NtCreateEvent
		mov	esi, eax
		test	esi, esi
		js	loc_7F8435
		xor	ecx, ecx
		lea	eax, [ebp+var_C]
		push	ecx		; int
		push	eax		; int
		push	ecx		; char
		push	ecx		; int
		xor	edx, edx	; int
		mov	ecx, offset _GUID_DEVINTERFACE_VOLUME ;	int
		call	IopGetDeviceInterfaces
		mov	esi, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_2C], eax
		test	esi, esi
		js	loc_7F8435
		xor	edx, edx
		mov	esi, eax
		mov	ecx, edx
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], ecx
		cmp	[eax], dx
		jz	loc_7F8291

loc_7F8174:				; CODE XREF: PfSnOpenVolumesForPrefetch+25Cj
		mov	ebx, esi
		lea	edx, [ebx+2]

loc_7F8179:				; CODE XREF: PfSnOpenVolumesForPrefetch+157j
		mov	ax, [ebx]
		add	ebx, 2
		cmp	ax, word ptr [ebp+var_34]
		jnz	short loc_7F8179
		sub	ebx, edx
		sar	ebx, 1
		lea	eax, ds:2[ebx*2]
		cmp	ecx, eax
		ja	short loc_7F8197
		mov	[ebp+var_8], eax

loc_7F8197:				; CODE XREF: PfSnOpenVolumesForPrefetch+166j
		lea	eax, [ebp+var_20]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_4]
		call	_PfSnIsVolumeMounted@12	; PfSnIsVolumeMounted(x,x,x)
		test	eax, eax
		js	loc_912AE3
		mov	eax, [ebp+var_4]

loc_7F81B0:				; CODE XREF: PfSnOpenVolumesForPrefetch+11AABCj
		test	eax, eax
		jz	loc_7F8277
		cmp	[ebp+var_20], 0
		jnz	loc_7F8277
		mov	ecx, [edi+4]
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_40]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		call	PfSnQueryVolumeInfo
		test	eax, eax
		js	loc_7F8277
		push	76506343h
		push	30h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_38], ecx
		test	ecx, ecx
		jz	loc_912AD9
		xor	eax, eax
		lea	edx, [ecx+8]
		mov	[ecx], eax
		lea	esi, [ebp+var_68]
		mov	[ecx+4], eax
		mov	edi, edx
		mov	[ecx+1Ch], eax
		mov	[ecx+20h], eax
		mov	[ecx+24h], eax
		mov	[ecx+28h], eax
		mov	[ecx+2Ch], eax
		stosd
		push	5
		stosd
		stosd
		stosd
		stosd
		or	dword ptr [edx+10h], 2
		mov	edi, edx
		mov	eax, [ebp+var_40]
		lea	edx, [ebp+var_14]
		mov	[ecx+28h], eax
		mov	eax, [ebp+var_3C]
		mov	[ecx+2Ch], eax
		mov	eax, [ebp+var_24]
		mov	[ecx+24h], eax
		xor	eax, eax
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_C]
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+var_38]
		mov	[ebp+var_58], 2
		mov	[eax+1Ch], esi
		mov	[eax+20h], ebx
		mov	ecx, [ebp+var_10]
		cmp	[ecx], edx
		jnz	loc_7F84AC
		mov	edi, [ebp+var_28]
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ebp+var_10], eax

loc_7F8277:				; CODE XREF: PfSnOpenVolumesForPrefetch+186j
					; PfSnOpenVolumesForPrefetch+190j ...
		mov	ecx, [ebp+var_8]
		lea	esi, [esi+ebx*2]
		add	esi, 2
		xor	eax, eax
		mov	[ebp+var_C], esi
		cmp	[esi], ax
		jnz	loc_7F8174
		mov	ebx, [ebp+var_30]

loc_7F8291:				; CODE XREF: PfSnOpenVolumesForPrefetch+142j
		lea	eax, [ecx+2]
		push	76506343h
		push	eax
		push	1
		mov	[ebp+var_38], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_912AD9
		mov	edx, [ebx+6Ch]
		xor	eax, eax
		add	edx, ebx
		mov	[ebp+var_20], eax
		mov	[ebp+var_34], edx
		cmp	[ebx+70h], eax
		jbe	loc_7F8420
		mov	esi, eax
		mov	[ebp+var_C], eax
		mov	ecx, edx
		mov	[ebp+var_4], edx

loc_7F82CF:				; CODE XREF: PfSnOpenVolumesForPrefetch+3EEj
		mov	ebx, [edi+8]
		mov	eax, [ecx]
		add	ebx, esi
		add	eax, edx
		mov	[ebx+8], eax
		mov	eax, [ecx+4]
		mov	[ebx+0Ch], eax
		xor	eax, eax
		mov	[ebx+3Ch], eax
		mov	eax, [ecx+1Ch]
		add	eax, edx
		mov	[ebx+38h], eax
		lea	eax, [ebp+var_14]
		mov	esi, [ebp+var_14]
		cmp	esi, eax
		jz	loc_912B16

loc_7F82FC:				; CODE XREF: PfSnOpenVolumesForPrefetch+2F5j
		mov	eax, [esi+28h]
		lea	edx, [ebp+var_40]
		push	dword ptr [esi+24h]
		mov	[ebp+var_40], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_24], esi
		mov	[ebp+var_3C], eax
		call	_PfMetadataRecordIsEqual@12 ; PfMetadataRecordIsEqual(x,x,x)
		test	al, al
		jnz	short loc_7F8323
		mov	esi, [esi]
		lea	eax, [ebp+var_14]
		cmp	esi, eax
		jnz	short loc_7F82FC

loc_7F8323:				; CODE XREF: PfSnOpenVolumesForPrefetch+2ECj
		lea	eax, [ebp+var_14]
		cmp	esi, eax
		jz	loc_912B16
		mov	eax, [ebp+var_24]
		mov	esi, [ebp+var_8]
		push	dword ptr [eax+1Ch] ; char
		push	offset ??_C@_17CHCGIDNB@?$AA?$CF?$AAs?$AA?2@NNGAKEGL@ ;	wchar_t	*
		push	[ebp+var_38]	; int
		push	esi		; wchar_t *
		call	_RtlStringCbPrintfW
		pop	ecx
		pop	ecx
		mov	edx, esi
		lea	ecx, [ebp+var_74]
		call	RtlUnicodeStringInitWorker
		mov	esi, [ebp+var_24]
		lea	ecx, [ebp+var_54]
		mov	edx, [edi+4]
		lea	eax, [esi+8]
		push	eax
		push	80h
		push	21h
		push	120089h
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		call	PfpOpenHandleCreate
		test	eax, eax
		js	loc_912B13
		lea	edx, [esi+8]
		xor	eax, eax
		push	5
		pop	ecx
		lea	edi, [ebx+10h]
		mov	esi, edx
		rep movsd
		mov	edi, edx
		lea	esi, [ebp+var_54]
		push	5
		pop	ecx
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		or	dword ptr [edx+10h], 2
		lea	edi, [ebx+24h]
		rep movsd
		mov	edi, [ebp+var_28]
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], eax
		lea	eax, [edi+14h]
		mov	ecx, [eax+4]
		mov	[ebp+var_44], 2
		cmp	[ecx], eax
		jnz	loc_7F84AC
		mov	edx, [ebp+var_1C]
		mov	[ebx+4], ecx
		mov	[ebx], eax
		mov	[ecx], ebx
		lea	ecx, [ebx+10h]
		mov	[eax+4], ebx
		call	PfSnVolumeCheckSeekPenalty
		mov	ecx, [ebx+40h]
		xor	ecx, eax
		and	ecx, 1
		xor	[ebx+40h], ecx
		mov	eax, [ebx+40h]
		test	al, 1
		jz	loc_912AED
		or	[ebp+var_18], 1

loc_7F83F8:				; CODE XREF: PfSnOpenVolumesForPrefetch+11AAC5j
					; PfSnOpenVolumesForPrefetch+11AAD8j ...
		mov	ecx, [ebp+var_4]

loc_7F83FB:				; CODE XREF: PfSnOpenVolumesForPrefetch+11AB17j
		mov	edx, [ebp+var_20]
		add	ecx, 60h
		mov	eax, [ebp+var_30]
		inc	edx
		mov	esi, [ebp+var_C]
		add	esi, 44h
		mov	[ebp+var_20], edx
		mov	[ebp+var_4], ecx
		cmp	edx, [eax+70h]
		mov	edx, [ebp+var_34]
		mov	[ebp+var_C], esi
		jb	loc_7F82CF

loc_7F8420:				; CODE XREF: PfSnOpenVolumesForPrefetch+293j
		mov	ecx, [ebp+var_6C]
		mov	eax, [ebp+var_18]
		mov	[ecx], eax
		xor	eax, eax
		mov	esi, eax
		push	eax
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F8435:				; CODE XREF: PfSnOpenVolumesForPrefetch+108j
					; PfSnOpenVolumesForPrefetch+12Dj ...
		test	byte ptr [ebp+var_58], 4
		jnz	loc_912B48

loc_7F843F:				; CODE XREF: PfSnOpenVolumesForPrefetch+11AB27j
		mov	ebx, [ebp+var_28]

loc_7F8442:				; CODE XREF: PfSnOpenVolumesForPrefetch+44Fj
		mov	edi, [ebp+var_14]
		lea	eax, [ebp+var_14]
		cmp	edi, eax
		jz	short loc_7F847D
		cmp	[edi+4], eax
		jnz	short loc_7F84AC
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_7F84AC
		mov	[ebp+var_14], eax
		lea	ecx, [ebp+var_14]
		mov	[eax+4], ecx
		test	byte ptr [edi+18h], 4
		jz	short loc_7F8472
		mov	edx, [ebx+4]
		lea	ecx, [edi+8]
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)

loc_7F8472:				; CODE XREF: PfSnOpenVolumesForPrefetch+439j
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7F8442
; 

loc_7F847D:				; CODE XREF: PfSnOpenVolumesForPrefetch+41Ej
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jz	short loc_7F848D
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7F848D:				; CODE XREF: PfSnOpenVolumesForPrefetch+456j
		cmp	[ebp+var_1C], 0
		jz	short loc_7F849B
		push	[ebp+var_1C]
		call	NtClose

loc_7F849B:				; CODE XREF: PfSnOpenVolumesForPrefetch+465j
		mov	ecx, [ebp+var_30]
		xor	dl, dl
		call	PfSnLogOpenVolumesForPrefetch
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7F84AC:				; CODE XREF: PfSnOpenVolumesForPrefetch+238j
					; PfSnOpenVolumesForPrefetch+397j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

NtCancelIoFileEx:			; DATA XREF: .text:005811D4o
		push	14h
		push	offset dword_6A52D0
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jz	short loc_7F84F4
		mov	[ebp+var_4], ebx
		mov	ecx, [ebp+arg_8]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_912B58

loc_7F84E9:				; CODE XREF: PfSnOpenVolumesForPrefetch+11AB2Ej
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_7F84F4:				; CODE XREF: PfSnOpenVolumesForPrefetch+4A8j
		push	ebx
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_24]
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		call	IopReferenceFileObject
		test	eax, eax
		js	short loc_7F8576
		call	_IopUpdateOtherOperationCount@0	; IopUpdateOtherOperationCount()
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_1C]
		call	IopCancelIrpsInFileObjectList
		mov	esi, eax
		cmp	[ebp+arg_4], 0
		jz	short loc_7F8535
		test	esi, esi
		jnz	short loc_7F8542

loc_7F8535:				; CODE XREF: PfSnOpenVolumesForPrefetch+503j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_1C]
		call	_IopCancelIrpsInThreadListForCurrentProcess@8 ;	IopCancelIrpsInThreadListForCurrentProcess(x,x)
		or	esi, eax

loc_7F8542:				; CODE XREF: PfSnOpenVolumesForPrefetch+507j
		mov	[ebp+var_4], 1
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFDDBh
		add	esi, 0C0000225h
		mov	[ebp+arg_4], esi
		mov	ecx, [ebp+arg_8]
		mov	[ecx], esi
		mov	[ecx+4], ebx

loc_7F8564:				; CODE XREF: sub_912B83+3j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject
		mov	eax, [ebp+arg_4]

loc_7F8576:				; CODE XREF: PfSnOpenVolumesForPrefetch+4DCj
					; sub_912B6D+Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
PfSnOpenVolumesForPrefetch endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCleanupProcessResources proc	near	; CODE XREF: IopCloseFile(x,x,x,x)+78p
					; IopCloseFile(x,x,x,x)+39Cp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00912B8B SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		push	1
		push	1
		push	0
		push	0
		mov	edi, edx
		call	IopCancelIrpsInFileObjectList
		mov	esi, [ebp+arg_0]

loc_7F85A2:				; CODE XREF: IopCleanupProcessResources+11A612j
		test	esi, esi
		jnz	loc_912B8B
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
IopCleanupProcessResources endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfMetadataRecordIsEqual(x, x, x)
_PfMetadataRecordIsEqual@12 proc near	; CODE XREF: PfVerifyScenarioBuffer+7ABp
					; PfSnOpenVolumesForPrefetch+2E5p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+8]
		cmp	eax, [edx]
		jnz	short loc_7F85C6
		mov	eax, [ecx+0Ch]
		cmp	eax, [edx+4]
		jz	short loc_7F85CC

loc_7F85C6:				; CODE XREF: PfMetadataRecordIsEqual(x,x,x)+Aj
					; PfMetadataRecordIsEqual(x,x,x)+20j
		xor	al, al

loc_7F85C8:				; CODE XREF: PfMetadataRecordIsEqual(x,x,x)+24j
		pop	ebp
		retn	4
; 

loc_7F85CC:				; CODE XREF: PfMetadataRecordIsEqual(x,x,x)+12j
		mov	eax, [ecx+10h]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_7F85C6
		mov	al, 1
		jmp	short loc_7F85C8
_PfMetadataRecordIsEqual@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtResetEvent	proc near		; CODE XREF: PfSnPrefetchFileMetadata+76p
					; PfSnPrefetchFileMetadata+119D3Ap
					; DATA XREF: ...

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00912B9F SIZE 00000020 BYTES
; FUNCTION CHUNK AT 00912BDF SIZE 0000000B BYTES
; FUNCTION CHUNK AT 00912BED SIZE 0000000C BYTES

		push	14h
		push	offset dword_6A52F8
		call	__SEH_prolog4
		xor	edi, edi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_24], bl
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jnz	short loc_7F8653

loc_7F85FC:				; CODE XREF: NtResetEvent+7Dj
					; NtResetEvent+11A5E2j
		mov	eax, ds:_ExEventObjectType
		mov	[ebp+var_1C], edi
		push	edi
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_7F8628
		push	[ebp+var_1C]
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	edi, eax

loc_7F8628:				; CODE XREF: NtResetEvent+44j
		cmp	[ebp+arg_4], 0
		jl	short loc_7F8632
		test	esi, esi
		jnz	short loc_7F865C

loc_7F8632:				; CODE XREF: NtResetEvent+54j
					; NtResetEvent+8Ej ...
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jz	short loc_7F863E
		call	ObfDereferenceObject

loc_7F863E:				; CODE XREF: NtResetEvent+5Fj
		mov	eax, [ebp+arg_4]

loc_7F8641:				; CODE XREF: sub_912BCD+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7F8653:				; CODE XREF: NtResetEvent+22j
		test	bl, bl
		jz	short loc_7F85FC
		jmp	loc_912B9F
; 

loc_7F865C:				; CODE XREF: NtResetEvent+58j
		test	bl, bl
		jnz	loc_912BDF
		mov	[esi], edi
		jmp	short loc_7F8632
NtResetEvent	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnLogOpenVolumesForPrefetch proc near	; CODE XREF: PfSnOpenVolumesForPrefetch+71p
					; PfSnOpenVolumesForPrefetch+474p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00912BFD SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_48], 0
		push	esi
		mov	esi, offset _PfSnEvt_OpenVolumes_Start
		push	edi
		mov	edi, ecx
		test	dl, dl
		jnz	short loc_7F8690
		mov	esi, offset _PfSnEvt_OpenVolumes_Stop

loc_7F8690:				; CODE XREF: PfSnLogOpenVolumesForPrefetch+21j
		test	edi, edi
		jz	short loc_7F86B6
		mov	ecx, dword_6D49E8
		mov	eax, ecx
		mov	edx, dword_6D49EC
		or	eax, edx
		jz	short loc_7F86B6
		push	esi
		push	edx
		push	ecx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_912BFD

loc_7F86B6:				; CODE XREF: PfSnLogOpenVolumesForPrefetch+2Aj
					; PfSnLogOpenVolumesForPrefetch+3Cj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PfSnLogOpenVolumesForPrefetch endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; 
; Exported entry 1536. NtNotifyChangeDirectoryFileEx

; __stdcall NtNotifyChangeDirectoryFileEx(x, x,	x, x, x, x, x, x, x, x)
		public _NtNotifyChangeDirectoryFileEx@40
_NtNotifyChangeDirectoryFileEx@40:	; CODE XREF: NtNotifyChangeDirectoryFile(x,x,x,x,x,x,x,x,x)+22p
					; DATA XREF: .text:00580F78o
		push	2Ch
		push	offset dword_6A5320
		call	__SEH_prolog4
		and	dword ptr [ebp-20h], 0
		and	dword ptr [ebp-24h], 0
		mov	eax, large fs:124h
		mov	[ebp-34h], eax
		mov	al, [eax+15Ah]
		mov	[ebp-19h], al
		mov	[ebp-30h], al
		test	al, al
		jz	short loc_7F8758
		and	dword ptr [ebp-4], 0
		mov	ecx, [ebp+18h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_7F8709
		mov	ecx, eax

loc_7F8709:				; CODE XREF: PAGE:007F8705j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ebx, [ebp+20h]
		test	ebx, ebx
		jz	short loc_7F871F
		push	4
		push	ebx
		push	dword ptr [ebp+1Ch]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_7F871F:				; CODE XREF: PAGE:007F8712j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	dword ptr [ebp+24h], 0FFFFF000h
		jnz	short loc_7F8735
		cmp	dword ptr [ebp+24h], 0
		jnz	short loc_7F875B

loc_7F8735:				; CODE XREF: PAGE:007F872Dj
		mov	eax, 0C000000Dh
		jmp	loc_7F8A1A
; 

loc_7F873F:				; DATA XREF: .text:006A5334o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7F874D:				; DATA XREF: .text:006A5338o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-2Ch]
		jmp	loc_7F89D6
; 

loc_7F8758:				; CODE XREF: PAGE:007F86F5j
		mov	ebx, [ebp+20h]

loc_7F875B:				; CODE XREF: PAGE:007F8733j
		push	0
		lea	eax, [ebp-20h]
		push	eax
		mov	edi, [ebp-30h]
		mov	[ebp-30h], edi
		push	edi
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+8]
		call	IopReferenceFileObject
		test	eax, eax
		js	loc_7F8A1A
		mov	esi, [ebp-20h]
		cmp	dword ptr [esi+6Ch], 0
		jz	short loc_7F8794
		cmp	dword ptr [ebp+10h], 0
		jz	short loc_7F8794
		mov	edi, 0C000000Dh
		jmp	loc_7F8846
; 

loc_7F8794:				; CODE XREF: PAGE:007F8782j
					; PAGE:007F8788j
		cmp	dword ptr [ebp+0Ch], 0
		jz	short loc_7F87CB
		mov	eax, ds:_ExEventObjectType
		and	dword ptr [ebp-28h], 0
		push	0
		lea	ecx, [ebp-28h]
		push	ecx
		push	edi
		push	eax
		push	2
		push	dword ptr [ebp+0Ch]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	eax, [ebp-28h]
		mov	[ebp-24h], eax
		test	edi, edi
		js	loc_7F8846
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_7F87CB:				; CODE XREF: PAGE:007F8798j
		mov	eax, [esi+2Ch]
		test	al, 2
		jz	loc_7F8858
		shr	eax, 2
		and	al, 1
		mov	[ebp+20h], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		mov	esi, [ebp-20h]
		lea	ecx, [esi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	edx, eax
		mov	byte ptr [ebp-1Ah], 0
		xor	ecx, ecx
		inc	ecx
		lea	eax, [esi+44h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_7F8820
		test	edx, edx
		jz	short loc_7F8815
		or	byte ptr [edx+0Eh], 1

loc_7F8815:				; CODE XREF: PAGE:007F880Fj
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	edi, edi
		jmp	short loc_7F8834
; 

loc_7F8820:				; CODE XREF: PAGE:007F880Bj
		lea	eax, [ebp-1Ah]
		push	eax
		push	edx
		push	dword ptr [ebp+20h]
		mov	dl, [ebp-19h]
		mov	ecx, esi
		call	IopWaitAndAcquireFileObjectLock
		mov	edi, eax

loc_7F8834:				; CODE XREF: PAGE:007F881Ej
		cmp	byte ptr [ebp-1Ah], 0
		jz	short loc_7F8854
		mov	ecx, [ebp-24h]
		test	ecx, ecx
		jz	short loc_7F8846
		call	ObfDereferenceObject

loc_7F8846:				; CODE XREF: PAGE:007F878Fj
					; PAGE:007F87BFj ...
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	loc_7F8A1A
; 

loc_7F8854:				; CODE XREF: PAGE:007F8838j
		mov	al, 1
		jmp	short loc_7F885A
; 

loc_7F8858:				; CODE XREF: PAGE:007F87D0j
		xor	al, al

loc_7F885A:				; CODE XREF: PAGE:007F8856j
		mov	[ebp+0Ch], al
		mov	ecx, esi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		push	esi
		call	IoGetRelatedDeviceObject
		mov	ecx, eax
		mov	[ebp+20h], ecx
		push	dword ptr [ebp+4]
		mov	al, [ebp+0Ch]
		xor	al, 1
		movzx	eax, al
		push	eax
		mov	dl, [ecx+30h]
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp-28h], esi
		test	esi, esi
		jnz	short loc_7F88A1
		mov	edx, [ebp-24h]
		mov	ecx, [ebp-20h]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		mov	eax, 0C000009Ah
		jmp	loc_7F8A1A
; 

loc_7F88A1:				; CODE XREF: PAGE:007F888Aj
		mov	edx, [ebp-20h]
		mov	[ebp+8], edx
		mov	[esi+64h], edx
		mov	eax, [ebp-34h]
		mov	[esi+50h], eax
		mov	al, [ebp-19h]
		mov	[esi+20h], al
		mov	eax, [ebp-24h]
		mov	[esi+2Ch], eax
		mov	eax, [ebp+18h]
		mov	[esi+28h], eax
		mov	eax, [ebp+10h]
		mov	[esi+30h], eax
		mov	eax, [ebp+14h]
		mov	[esi+34h], eax
		mov	edi, [esi+60h]
		mov	byte ptr [edi-24h], 0Ch
		cmp	dword ptr [ebp+2Ch], 2
		setz	al
		add	al, 2
		mov	[edi-23h], al
		mov	[edi-0Ch], edx
		mov	ecx, [ebp+20h]
		test	ebx, ebx
		jz	loc_7F89E5
		mov	eax, [ecx+1Ch]
		test	al, 4
		jz	short loc_7F896B
		mov	dword ptr [ebp-4], 1
		mov	edx, ebx
		call	sub_4FA154
		mov	[esi+0Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	_IopDisableBufferedIoInit, 0
		jnz	short loc_7F8923
		push	ebx
		push	0
		push	eax
		call	_memset
		add	esp, 0Ch

loc_7F8923:				; CODE XREF: PAGE:007F8915j
		mov	eax, [ebp+1Ch]
		mov	[esi+3Ch], eax
		mov	dword ptr [esi+8], 70h

loc_7F8930:				; CODE XREF: PAGE:007F89A6j
		mov	ecx, [ebp+20h]
		mov	edx, [ebp+8]
		jmp	loc_7F89E5
; 

loc_7F893B:				; DATA XREF: .text:006A5340o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7F8949:				; DATA XREF: .text:006A5344o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	0
		push	dword ptr [ebp-24h]
		mov	edx, [ebp-28h]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		mov	eax, [ebp-38h]
		jmp	short loc_7F89D6
; 

loc_7F896B:				; CODE XREF: PAGE:007F88F4j
		test	al, 10h
		jz	short loc_7F89DF
		mov	dword ptr [ebp-4], 2
		push	esi
		push	1
		push	0
		push	ebx
		push	dword ptr [ebp+1Ch]
		call	IoAllocateMdl
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_7F8A2C
		movzx	eax, byte ptr [edi-24h]
		push	eax
		push	dword ptr [ebp+20h]
		push	ecx
		mov	dl, [ebp-19h]
		call	sub_60F076
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7F8930
; 

loc_7F89A8:				; DATA XREF: .text:006A534Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_7F89B6:				; DATA XREF: .text:006A5350o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	0
		push	dword ptr [ebp-24h]
		mov	edx, [ebp-28h]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		mov	eax, [ebp-3Ch]

loc_7F89D6:				; CODE XREF: PAGE:007F8753j
					; PAGE:007F8969j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_7F8A1A
; 

loc_7F89DF:				; CODE XREF: PAGE:007F896Dj
		mov	eax, [ebp+1Ch]
		mov	[esi+3Ch], eax

loc_7F89E5:				; CODE XREF: PAGE:007F88E9j
					; PAGE:007F8936j
		mov	[edi-20h], ebx
		mov	eax, [ebp+24h]
		mov	[edi-1Ch], eax
		cmp	byte ptr [edi-23h], 3
		jnz	short loc_7F89FA
		mov	eax, [ebp+2Ch]
		mov	[edi-18h], eax

loc_7F89FA:				; CODE XREF: PAGE:007F89F2j
		mov	byte ptr [edi-22h], 0
		cmp	byte ptr [ebp+28h], 0
		jz	short loc_7F8A08
		mov	byte ptr [edi-22h], 1

loc_7F8A08:				; CODE XREF: PAGE:007F8A02j
		push	2
		push	dword ptr [ebp+0Ch]
		push	dword ptr [ebp-30h]
		push	0
		push	edx
		mov	edx, esi
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)

loc_7F8A1A:				; CODE XREF: PAGE:007F873Aj
					; PAGE:007F8775j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	28h
; 

loc_7F8A2C:				; CODE XREF: PAGE:007F8988j
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpPrefetchDirectoryStream proc	near	; CODE XREF: PfpVolumePrefetchMetadata+16Cp

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00912C2F SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_34], 2
		xor	ecx, ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		mov	eax, [edi]
		mov	ebx, [edi+0Ch]
		mov	esi, [edi+14h]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		movzx	eax, word ptr [eax+1Eh]
		mov	[ebp+var_18], eax
		mov	dword ptr [ebx], 4
		mov	eax, [edi]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ecx
		mov	ecx, [eax+1Ch]
		mov	eax, [ebp+var_18]
		and	ecx, 7
		push	edx
		and	eax, 7
		mov	[ebp+var_20], esi
		push	0
		push	[ebp+arg_C]
		shl	eax, 3
		mov	edx, esi
		or	ecx, eax
		mov	[ebp+var_4], ebx
		mov	eax, [ebp+arg_8]
		push	100001h
		mov	[ebx+8], ecx
		lea	ecx, [ebp+var_44]
		push	dword ptr [eax+4]
		push	dword ptr [eax+8]
		call	PfpOpenHandleCreate
		mov	esi, eax
		test	esi, esi
		js	loc_7F8C3F
		mov	eax, [edi]
		test	byte ptr [eax+38h], 4
		jz	short loc_7F8AE5
		lea	eax, [ebp+var_14]
		push	eax
		push	ecx
		lea	edx, [edi+18h]
		or	ecx, 0FFFFFFFFh
		push	58h
		call	MmQueryMemoryListInformation

loc_7F8AE5:				; CODE XREF: PfpPrefetchDirectoryStream+99j
		mov	ecx, [ebp+arg_0]
		xor	ebx, ebx
		cmp	[ecx+10h], ebx
		jbe	loc_7F8C3D

loc_7F8AF3:				; CODE XREF: PfpPrefetchDirectoryStream+1FFj
		mov	eax, [ebp+var_4]
		and	dword ptr [eax+4], 0
		cmp	ebx, [ecx+10h]
		jnb	loc_7F8C3D
		mov	eax, [edi+10h]
		mov	edx, ebx
		shl	edx, 4
		xor	esi, esi
		mov	[ebp+arg_C], eax
		mov	[ebp+arg_8], edx

loc_7F8B13:				; CODE XREF: PfpPrefetchDirectoryStream+174j
		mov	eax, [ecx+14h]
		mov	edi, [ebp+arg_8]
		mov	ecx, [edx+eax]
		mov	edx, [edx+eax+4]
		mov	eax, [edi+eax+8]
		xor	edi, edi
		add	eax, ecx
		mov	[ebp+var_14], eax
		adc	edi, edx
		mov	[ebp+var_10], edi
		mov	edi, [ebp+var_1C]
		cmp	edx, [ebp+var_C]
		ja	short loc_7F8B49
		mov	eax, [ebp+var_8]
		jb	loc_7F8C59
		cmp	ecx, eax
		jb	loc_7F8C59

loc_7F8B49:				; CODE XREF: PfpPrefetchDirectoryStream+FEj
					; PfpPrefetchDirectoryStream+226j
		mov	eax, [ebp+arg_C]
		mov	[ebp+arg_C], eax
		cmp	edx, [ebp+var_10]
		jb	short loc_7F8B5B
		ja	short loc_7F8B98

loc_7F8B56:				; CODE XREF: PfpPrefetchDirectoryStream+153j
		cmp	ecx, [ebp+var_14]
		jnb	short loc_7F8B98

loc_7F8B5B:				; CODE XREF: PfpPrefetchDirectoryStream+11Aj
					; PfpPrefetchDirectoryStream+151j
		mov	esi, [ebp+var_4]
		mov	eax, [esi+4]
		mov	[esi+eax*8+10h], ecx
		mov	[esi+eax*8+14h], edx
		mov	esi, [esi+4]
		mov	eax, [ebp+var_4]
		inc	esi
		add	ecx, 1000h
		adc	edx, 0
		mov	[eax+4], esi
		mov	eax, [edi+10h]
		mov	[ebp+arg_C], eax
		cmp	esi, eax
		jnb	short loc_7F8B8F
		cmp	edx, [ebp+var_10]
		jb	short loc_7F8B5B
		jbe	short loc_7F8B56
		jmp	short loc_7F8B98
; 

loc_7F8B8F:				; CODE XREF: PfpPrefetchDirectoryStream+14Cj
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], edx
		mov	[ebp+arg_C], eax

loc_7F8B98:				; CODE XREF: PfpPrefetchDirectoryStream+11Cj
					; PfpPrefetchDirectoryStream+121j ...
		cmp	esi, eax
		jnb	short loc_7F8BB2
		mov	ecx, [ebp+arg_0]
		inc	ebx
		mov	edx, [ebp+arg_8]
		add	edx, 10h
		mov	[ebp+arg_8], edx
		cmp	ebx, [ecx+10h]
		jb	loc_7F8B13

loc_7F8BB2:				; CODE XREF: PfpPrefetchDirectoryStream+162j
		test	esi, esi
		jz	loc_7F8C3D
		mov	ecx, edi
		call	_PfpCheckPrefetchAbort@4 ; PfpCheckPrefetchAbort(x)
		test	eax, eax
		jnz	loc_912C43
		mov	eax, [edi]
		lea	ecx, [edi+18h]
		test	byte ptr [eax+38h], 4
		jz	short loc_7F8BE4
		mov	edx, [ebp+var_18]
		call	_PfpAvailablePagesForPrefetch@8	; PfpAvailablePagesForPrefetch(x,x)
		test	eax, eax
		jz	loc_912C43

loc_7F8BE4:				; CODE XREF: PfpPrefetchDirectoryStream+19Aj
		xor	ecx, ecx
		lea	eax, ds:10h[esi*8]
		push	ecx
		push	ecx
		push	ecx
		push	eax
		push	[ebp+var_4]
		lea	eax, [ebp+var_28]
		xor	edx, edx
		push	90120h
		push	eax
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_44]
		call	_IopXxxControlFile@44 ;	IopXxxControlFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [edi]
		test	byte ptr [eax+38h], 4
		jz	short loc_7F8C21
		mov	eax, [ebp+var_4]
		lea	ecx, [edi+18h]
		mov	edx, [eax+4]
		call	_PfpUpdateRepurposedByPrefetch@8 ; PfpUpdateRepurposedByPrefetch(x,x)

loc_7F8C21:				; CODE XREF: PfpPrefetchDirectoryStream+1D9j
		test	esi, esi
		js	short loc_7F8C63
		cmp	esi, 103h
		jz	loc_912C2F
		mov	ecx, [ebp+arg_0]
		cmp	ebx, [ecx+10h]
		jb	loc_7F8AF3

loc_7F8C3D:				; CODE XREF: PfpPrefetchDirectoryStream+B5j
					; PfpPrefetchDirectoryStream+C5j ...
		xor	esi, esi

loc_7F8C3F:				; CODE XREF: PfpPrefetchDirectoryStream+8Dj
					; PfpPrefetchDirectoryStream+233j ...
		test	byte ptr [ebp+var_34], 4
		jz	short loc_7F8C50
		mov	edx, [ebp+var_20]
		lea	ecx, [ebp+var_44]
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)

loc_7F8C50:				; CODE XREF: PfpPrefetchDirectoryStream+20Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7F8C59:				; CODE XREF: PfpPrefetchDirectoryStream+103j
					; PfpPrefetchDirectoryStream+10Bj
		mov	edx, [ebp+var_C]
		mov	ecx, eax
		jmp	loc_7F8B49
; 

loc_7F8C63:				; CODE XREF: PfpPrefetchDirectoryStream+1EBj
		cmp	esi, 0C0000011h
		jz	short loc_7F8C3D
		jmp	short loc_7F8C3F
PfpPrefetchDirectoryStream endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpVolumePrefetchMetadata proc near	; CODE XREF: PfpPrefetchRequestPerform+1FCp

var_6C		= dword	ptr -6Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00912C4D SIZE 000000EA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_6C]
		mov	ebx, ecx
		mov	[ebp+var_4C], eax
		push	6
		pop	ecx
		mov	esi, edx
		mov	[ebp+var_14], ebx
		rep stosd
		mov	[ebp+var_10], esi
		mov	[ebp+var_48], eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_C], eax
		call	_PFP_GET_CURRENT_TICK_COUNT_MS@0 ; PFP_GET_CURRENT_TICK_COUNT_MS()
		mov	ecx, [ebx]
		mov	edi, esi
		mov	esi, [ebx+0Ch]
		mov	[ebp+var_44], eax
		shl	edi, 5
		movzx	edx, word ptr [ecx+1Eh]
		add	edi, [ecx+20h]
		mov	dword ptr [esi], 3
		mov	eax, [ebx]
		mov	[ebp+var_34], edx
		mov	[ebp+var_40], edi
		mov	[ebp+var_4], esi
		mov	ecx, [eax+1Ch]
		mov	eax, edx
		and	eax, 7
		and	ecx, 7
		shl	eax, 3
		or	ecx, eax
		mov	[esi+8], ecx
		mov	eax, [ebx]
		test	byte ptr [eax+38h], 4
		jz	short loc_7F8CF9
		lea	eax, [ebp+var_30]
		push	eax
		push	ecx
		lea	edx, [ebx+18h]
		or	ecx, 0FFFFFFFFh
		push	58h
		call	MmQueryMemoryListInformation

loc_7F8CF9:				; CODE XREF: PfpVolumePrefetchMetadata+77j
		xor	ecx, ecx
		test	dword ptr [edi+0Ch], 0FFFFFFFEh
		jbe	short loc_7F8D67

loc_7F8D04:				; CODE XREF: PfpVolumePrefetchMetadata+11A09Aj
		and	dword ptr [esi+4], 0
		mov	eax, [edi+0Ch]
		shr	eax, 1
		cmp	ecx, eax
		jnb	short loc_7F8D5C
		mov	edx, ecx
		shl	edx, 5

loc_7F8D16:				; CODE XREF: PfpVolumePrefetchMetadata+E1j
		mov	eax, [edi+10h]
		add	eax, edx
		inc	ecx
		add	edx, 20h
		mov	[ebp+var_28], ecx
		test	byte ptr [eax],	10h
		jnz	loc_7F8FB9

loc_7F8D2B:				; CODE XREF: PfpVolumePrefetchMetadata+351j
		mov	esi, [eax+8]
		mov	[ebp+var_2C], esi
		mov	esi, [eax+0Ch]
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_30], esi
		or	eax, esi
		mov	esi, [ebp+var_4]
		jnz	loc_912C4D
		mov	esi, [esi+4]

loc_7F8D48:				; CODE XREF: PfpVolumePrefetchMetadata+11A006j
		mov	eax, [edi+0Ch]
		shr	eax, 1
		cmp	ecx, eax
		jb	short loc_7F8D16

loc_7F8D51:				; CODE XREF: PfpVolumePrefetchMetadata+11A000j
		test	esi, esi
		jnz	loc_912C79
		mov	esi, [ebp+var_4]

loc_7F8D5C:				; CODE XREF: PfpVolumePrefetchMetadata+A1j
					; PfpVolumePrefetchMetadata+11A094j
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jnz	loc_7F8DFC

loc_7F8D67:				; CODE XREF: PfpVolumePrefetchMetadata+94j
					; PfpVolumePrefetchMetadata+1A3j ...
		xor	ecx, ecx
		test	dword ptr [edi+0Ch], 0FFFFFFFEh
		mov	[ebp+var_2C], ecx
		jbe	short loc_7F8D9A
		xor	eax, eax
		mov	[ebp+var_C], eax

loc_7F8D7A:				; CODE XREF: PfpVolumePrefetchMetadata+12Aj
		mov	esi, [edi+10h]
		add	esi, eax
		test	byte ptr [esi],	2
		jnz	short loc_7F8DB0

loc_7F8D84:				; CODE XREF: PfpVolumePrefetchMetadata+182j
		add	eax, 20h
		inc	ecx
		mov	[ebp+var_C], eax
		mov	eax, [edi+0Ch]
		shr	eax, 1
		cmp	ecx, eax
		mov	[ebp+var_2C], ecx
		mov	eax, [ebp+var_C]
		jb	short loc_7F8D7A

loc_7F8D9A:				; CODE XREF: PfpVolumePrefetchMetadata+105j
		xor	esi, esi

loc_7F8D9C:				; CODE XREF: PfpVolumePrefetchMetadata+18Cj
					; PfpVolumePrefetchMetadata+2FBj ...
		call	_PFP_GET_CURRENT_TICK_COUNT_MS@0 ; PFP_GET_CURRENT_TICK_COUNT_MS()
		mov	ecx, [ebx]
		sub	eax, [ebp+var_44]
		pop	edi
		add	[ecx+54h], eax
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7F8DB0:				; CODE XREF: PfpVolumePrefetchMetadata+114j
		lea	eax, [ebp+var_38]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_6C]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_54]
		push	eax
		push	[ebp+var_10]
		call	PfpFileSetupObjectAttributes
		push	[ebp+var_38]
		imul	edx, [ebp+var_10], 28h
		lea	eax, [ebp+var_6C]
		push	eax
		push	ecx
		push	esi
		mov	ecx, ebx
		add	edx, [ebx+8]
		call	PfpPrefetchDirectoryStream
		mov	esi, eax
		test	esi, esi
		js	short loc_7F8DF2
		mov	eax, [ebx]
		inc	dword ptr [eax+40h]

loc_7F8DEA:				; CODE XREF: PfpVolumePrefetchMetadata+18Aj
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_2C]
		jmp	short loc_7F8D84
; 

loc_7F8DF2:				; CODE XREF: PfpVolumePrefetchMetadata+175j
		cmp	esi, 0C0000240h
		jnz	short loc_7F8DEA
		jmp	short loc_7F8D9C
; 

loc_7F8DFC:				; CODE XREF: PfpVolumePrefetchMetadata+F3j
		mov	eax, [ebx]
		and	[ebp+var_20], 0
		and	[ebp+var_24], 0
		inc	dword ptr [eax+40h]
		xor	eax, eax
		mov	[ebp+var_2C], eax
		cmp	[ecx+10h], eax
		jbe	loc_7F8D67

loc_7F8E17:				; CODE XREF: PfpVolumePrefetchMetadata+31Fj
		and	dword ptr [esi+4], 0
		cmp	eax, [ecx+10h]
		jnb	loc_7F8D67
		mov	edi, [ebx+10h]
		mov	edx, eax
		shl	edx, 4
		xor	eax, eax
		mov	[ebp+var_28], edx

loc_7F8E31:				; CODE XREF: PfpVolumePrefetchMetadata+27Bj
		mov	ebx, [ebp+var_28]
		mov	[ebp+var_8], eax
		mov	eax, [ecx+14h]
		mov	ecx, [eax+edx]
		mov	edx, [eax+edx+4]
		mov	eax, [eax+ebx+8]
		xor	ebx, ebx
		add	eax, ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_1C], edx
		adc	ebx, edx
		mov	[ebp+var_3C], eax
		mov	[ebp+var_30], ebx
		mov	ebx, [ebp+var_14]
		cmp	edx, [ebp+var_24]
		ja	short loc_7F8E6E
		jb	loc_7F8F92
		cmp	ecx, [ebp+var_20]
		jb	loc_7F8F92

loc_7F8E6E:				; CODE XREF: PfpVolumePrefetchMetadata+1EFj
					; PfpVolumePrefetchMetadata+330j
		cmp	edx, [ebp+var_30]
		ja	loc_7F8FB1
		jb	short loc_7F8E81
		cmp	ecx, eax
		jnb	loc_7F8FB1

loc_7F8E81:				; CODE XREF: PfpVolumePrefetchMetadata+209j
					; PfpVolumePrefetchMetadata+252j ...
		mov	eax, [esi+4]
		shrd	ecx, edx, 0Ah
		shr	edx, 0Ah
		mov	[esi+eax*8+10h], ecx
		mov	ecx, [ebp+var_18]
		mov	[esi+eax*8+14h], edx
		mov	eax, [esi+4]
		mov	edx, [ebp+var_1C]
		inc	eax
		add	ecx, 1000h
		mov	[esi+4], eax
		mov	edi, [ebx+10h]
		adc	edx, 0
		mov	[ebp+var_8], eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_1C], edx
		cmp	eax, edi
		jnb	loc_7F8FA3
		cmp	edx, [ebp+var_30]
		jb	short loc_7F8E81
		ja	short loc_7F8EC9
		cmp	ecx, [ebp+var_3C]
		jb	short loc_7F8E81

loc_7F8EC9:				; CODE XREF: PfpVolumePrefetchMetadata+254j
					; PfpVolumePrefetchMetadata+33Ej ...
		cmp	eax, edi
		jnb	short loc_7F8EEF
		mov	esi, [ebp+var_C]
		mov	ecx, [ebp+var_2C]
		mov	edx, [ebp+var_28]
		inc	ecx
		add	edx, 10h
		mov	[ebp+var_2C], ecx
		cmp	ecx, [esi+10h]
		mov	esi, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_28], edx
		jb	loc_7F8E31

loc_7F8EEF:				; CODE XREF: PfpVolumePrefetchMetadata+25Dj
		mov	edi, [ebp+var_40]
		test	eax, eax
		jz	loc_7F8D67
		mov	ecx, ebx
		call	_PfpCheckPrefetchAbort@4 ; PfpCheckPrefetchAbort(x)
		test	eax, eax
		jnz	loc_912D2D
		mov	eax, [ebx]
		lea	ecx, [ebx+18h]
		test	byte ptr [eax+38h], 4
		jz	short loc_7F8F24
		mov	edx, [ebp+var_34]
		call	_PfpAvailablePagesForPrefetch@8	; PfpAvailablePagesForPrefetch(x,x)
		test	eax, eax
		jz	loc_912D2D

loc_7F8F24:				; CODE XREF: PfpVolumePrefetchMetadata+2A4j
		imul	ecx, [ebp+var_10], 28h
		xor	edx, edx
		mov	eax, [ebx+8]
		push	edx
		push	edx
		push	edx
		mov	ecx, [ecx+eax]
		mov	eax, [ebp+var_8]
		lea	eax, ds:10h[eax*8]
		push	eax
		push	esi
		push	90120h
		lea	eax, [ebp+var_4C]
		push	eax
		push	edx
		push	edx
		call	_IopXxxControlFile@44 ;	IopXxxControlFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebx]
		test	byte ptr [eax+38h], 4
		jz	short loc_7F8F67
		mov	eax, [ebp+var_4]
		lea	ecx, [ebx+18h]
		mov	edx, [eax+4]
		call	_PfpUpdateRepurposedByPrefetch@8 ; PfpUpdateRepurposedByPrefetch(x,x)

loc_7F8F67:				; CODE XREF: PfpVolumePrefetchMetadata+2E9j
		test	esi, esi
		js	loc_7F8D9C
		cmp	esi, 103h
		jz	loc_912D19
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_2C]
		cmp	eax, [ecx+10h]
		jnb	loc_7F8D67
		mov	esi, [ebp+var_4]
		jmp	loc_7F8E17
; 

loc_7F8F92:				; CODE XREF: PfpVolumePrefetchMetadata+1F1j
					; PfpVolumePrefetchMetadata+1FAj
		mov	ecx, [ebp+var_20]
		mov	edx, [ebp+var_24]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_1C], edx
		jmp	loc_7F8E6E
; 

loc_7F8FA3:				; CODE XREF: PfpVolumePrefetchMetadata+249j
		mov	[ebp+var_20], ecx
		mov	[ebp+var_24], edx
		mov	[ebp+var_8], eax
		jmp	loc_7F8EC9
; 

loc_7F8FB1:				; CODE XREF: PfpVolumePrefetchMetadata+203j
					; PfpVolumePrefetchMetadata+20Dj
		mov	eax, [ebp+var_8]
		jmp	loc_7F8EC9
; 

loc_7F8FB9:				; CODE XREF: PfpVolumePrefetchMetadata+B7j
		mov	ebx, [ebp+var_14]
		mov	[ebp+var_C], eax
		jmp	loc_7F8D2B
PfpVolumePrefetchMetadata endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnVolumeCheckSeekPenalty proc	near	; CODE XREF: PfSnOpenVolumesForPrefetch+3ADp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= byte ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00912D37 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_20], edx
		lea	edi, [ebp+var_1C]
		mov	[ebp+var_10], 7
		stosd
		mov	esi, ecx
		xor	ecx, ecx
		xor	ebx, ebx
		push	ecx
		push	edx
		stosd
		inc	ebx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_8], ecx
		stosd
		mov	[ebp+var_C], ecx
		call	_ZwResetEvent@8	; ZwResetEvent(x,x)
		mov	edi, [ebp+var_20]
		lea	eax, [ebp+var_1C]
		push	0Ch
		push	eax
		push	0Ch
		lea	eax, [ebp+var_10]
		push	eax
		push	2D1400h
		lea	eax, [ebp+var_28]
		push	eax
		push	0
		push	0
		push	edi
		push	dword ptr [esi]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 103h
		jz	loc_912D37

loc_7F9034:				; CODE XREF: PfSnVolumeCheckSeekPenalty+119D80j
		test	eax, eax
		js	short loc_7F9040
		xor	ebx, ebx
		cmp	[ebp+var_14], bl
		setnz	bl

loc_7F9040:				; CODE XREF: PfSnVolumeCheckSeekPenalty+72j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PfSnVolumeCheckSeekPenalty endp

; 
		align 2

;  S U B	R O U T	I N E 


; int __fastcall PfSnVolumeNodeInitialize(void *)
_PfSnVolumeNodeInitialize@4 proc near	; CODE XREF: PfSnOpenVolumesForPrefetch+B4p
		mov	edi, edi
		push	esi
		push	edi
		push	44h		; size_t
		mov	esi, ecx
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	[esi+4], esi
		lea	edi, [esi+10h]
		mov	[esi], esi
		xor	eax, eax
		stosd
		add	esp, 0Ch
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		or	dword ptr [esi+20h], 2
		lea	edi, [esi+24h]
		stosd
		stosd
		stosd
		stosd
		stosd
		or	dword ptr [esi+34h], 2
		pop	edi
		pop	esi
		retn
_PfSnVolumeNodeInitialize@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnPrefetchFileMetadata proc near	; CODE XREF: PfSnPrefetchMetadata+FCp
					; PfSnGetSectionObject+11D74Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00912D49 SIZE 000000EC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		xor	esi, esi
		mov	[ebp+var_4], edx
		mov	edx, ecx
		test	edi, edi
		jz	loc_7F9144
		mov	ebx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebx+4]
		mov	[ebp+arg_8], eax
		cmp	eax, ecx
		jbe	loc_912E2B
		sub	eax, ecx
		cmp	eax, edi
		jb	loc_912E2B
		mov	eax, [edx+34h]
		mov	ecx, [edx+30h]
		and	eax, 7
		or	eax, 8
		and	ecx, 7
		shl	eax, 3
		or	eax, ecx
		cmp	[ebp+arg_4], esi
		jnz	loc_912D5D
		cmp	edi, 300h
		ja	loc_912D5D
		push	esi
		push	[ebp+arg_C]
		mov	[ebx+4], edi
		mov	[ebx+8], eax
		call	NtResetEvent
		mov	edx, [ebp+arg_C]
		lea	eax, ds:10h[edi*8]
		mov	ecx, [ebp+var_4]
		push	esi
		push	esi
		push	esi
		push	eax
		push	ebx
		push	90120h
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		push	esi
		call	_IopXxxControlFile@44 ;	IopXxxControlFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_912D49

loc_7F9135:				; CODE XREF: PfSnPrefetchFileMetadata+119CCEj
		mov	eax, [ebp+arg_8]
		mov	[ebx+4], eax

loc_7F913B:				; CODE XREF: PfSnPrefetchFileMetadata+BCj
					; PfSnPrefetchFileMetadata+119CECj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7F9144:				; CODE XREF: PfSnPrefetchFileMetadata+1Fj
		xor	esi, esi
		jmp	short loc_7F913B
PfSnPrefetchFileMetadata endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetDeviceContainerRegKeyPath(int,int,int,void *,int,int)
__CmGetDeviceContainerRegKeyPath@32 proc near ;	CODE XREF: PiDqGetRelativeObjectRegPath+89p
					; _CmOpenDeviceContainerRegKeyWorker+76p ...

arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		push	edi
		mov	esi, edx
		jz	short loc_7F91B8
		test	[ebp+arg_0], 0FFFFFEAFh
		jnz	short loc_7F91B8
		call	__CmValidateDeviceContainerName@8 ; _CmValidateDeviceContainerName(x,x)
		test	eax, eax
		js	short loc_7F91AB
		mov	ecx, esi
		xor	edi, edi
		lea	edx, [ecx+2]

loc_7F9170:				; CODE XREF: _CmGetDeviceContainerRegKeyPath(x,x,x,x,x,x,x,x)+31j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_7F9170
		mov	eax, [ebp+arg_14]
		sub	ecx, edx
		sar	ecx, 1
		add	ecx, 33h
		test	eax, eax
		jz	short loc_7F918B
		mov	[eax], ecx

loc_7F918B:				; CODE XREF: _CmGetDeviceContainerRegKeyPath(x,x,x,x,x,x,x,x)+3Fj
		cmp	ecx, [ebp+arg_10]
		ja	short loc_7F91B1
		push	esi		; char
		push	offset ??_C@_1GK@OAJGGHAA@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; wchar_t *
		push	800h		; int
		push	edi		; int
		push	edi		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 1Ch

loc_7F91AB:				; CODE XREF: _CmGetDeviceContainerRegKeyPath(x,x,x,x,x,x,x,x)+1Fj
					; _CmGetDeviceContainerRegKeyPath(x,x,x,x,x,x,x,x)+6Ej	...
		pop	edi
		pop	esi
		pop	ebp
		retn	18h
; 

loc_7F91B1:				; CODE XREF: _CmGetDeviceContainerRegKeyPath(x,x,x,x,x,x,x,x)+46j
		mov	eax, 0C0000023h
		jmp	short loc_7F91AB
; 

loc_7F91B8:				; CODE XREF: _CmGetDeviceContainerRegKeyPath(x,x,x,x,x,x,x,x)+Dj
					; _CmGetDeviceContainerRegKeyPath(x,x,x,x,x,x,x,x)+16j
		mov	eax, 0C000000Dh
		jmp	short loc_7F91AB
__CmGetDeviceContainerRegKeyPath@32 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetDeviceMappedPropertyFromComposite(int,void	*,int,int,int,int,int)
_CmGetDeviceMappedPropertyFromComposite	proc near
					; CODE XREF: _CmGetDeviceMappedProperty+14Cp
					; _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+1CDp

var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D5		= dword	ptr -0D5h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_BC		= dword	ptr -0BCh
var_AC		= dword	ptr -0ACh
var_5C		= dword	ptr -5Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 00912E35 SIZE 000004CF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 128h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_D5+1],	edx
		mov	[ebp+var_D0], ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_FC], eax
		xor	eax, eax
		mov	[ebp+var_110], eax
		mov	[ebp+var_118], eax
		mov	[ebp+var_E8], eax
		mov	[ebp+var_F0], eax
		mov	[ebp+var_EC], eax
		mov	[ebp+var_10C], eax
		mov	[ebp+var_11C], eax
		mov	[ebp+var_F4], eax
		mov	[ebp+var_120], eax
		mov	[ebp+var_108], eax
		mov	[ebp+var_104], eax
		mov	[ebp+var_F8], eax
		mov	esi, eax
		mov	ebx, [ebp+arg_14]
		lea	edi, [ebp+var_BC]
		and	[ebp+var_124], esi
		stosd
		mov	edx, [ebp+arg_8]
		stosd
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_E0], edx
		mov	[ebp+var_DC], ecx
		stosd
		mov	byte ptr [ebp+var_D5], 0
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_CC]
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_18]
		test	di, di
		jnz	loc_912E35
		and	[edx], esi
		mov	eax, edi
		and	[ebx], esi
		and	eax, 0FFFF0000h
		mov	[ebp+var_100], eax
		test	ecx, ecx
		jz	loc_7F9A83
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_E4], eax
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_DC], eax

loc_7F92AB:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+8CEj
		mov	edi, [ebp+arg_4]
		mov	ecx, [edi+10h]
		mov	[ebp+var_114], ecx
		cmp	ecx, 2
		jb	loc_912E3F
		cmp	ecx, 0Ah
		jz	loc_7F93D9
		cmp	ecx, 100h
		jz	loc_7F95E8
		cmp	ecx, 2
		jz	loc_7F9671

loc_7F92DE:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+4CFj
		cmp	ecx, 3
		jz	loc_7F992F

loc_7F92E7:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119CE6j
		cmp	ecx, 0Ch
		jz	loc_912EAB
		push	4
		pop	eax
		mov	[ebp+var_F4], eax
		push	10h
		cmp	ecx, eax
		jz	loc_7F94A4
		cmp	ecx, 5
		jz	loc_7F9694
		cmp	ecx, 6
		jz	loc_7F9A9D
		cmp	ecx, 7
		jz	loc_912FAD
		cmp	ecx, 0Bh
		jz	loc_912FC7
		cmp	ecx, 8
		jz	loc_7F974D
		cmp	ecx, 9
		jz	loc_91309B
		cmp	ecx, 2
		jz	loc_7F97E4
		cmp	ecx, 0Fh
		jz	loc_7F9D1A
		pop	eax
		cmp	ecx, eax
		jz	loc_7F9E12
		cmp	ecx, 0Eh
		jz	loc_913165
		cmp	ecx, 14h
		jz	loc_9131D6
		cmp	ecx, 15h
		jz	loc_91322A
		cmp	ecx, 1Ah
		jz	loc_7F9842
		cmp	ecx, 16h
		jz	loc_7F95BC

loc_7F9381:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+11A11Dj
		cmp	ecx, 17h
		jnz	loc_7F95A9
		push	eax		; size_t
		push	offset _DEVPKEY_Device_CompoundLowerFilters ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9

loc_7F93A1:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+40Dj
		mov	eax, [ebp+var_E4]
		mov	ecx, [ebp+var_DC]
		push	ebx
		mov	ebx, [ebp+var_D0]
		push	eax
		push	ecx
		push	[ebp+var_E0]
		mov	ecx, ebx
		push	edi
		push	[ebp+var_FC]
		mov	edi, [ebp+var_D5+1]
		mov	edx, edi
		call	_CmGetDeviceCompoundFilters

loc_7F93D2:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+AF5j
		mov	esi, eax
		jmp	loc_7F959D
; 

loc_7F93D9:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+103j
		push	10h		; size_t
		push	offset _DEVPKEY_NAME ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_912E49
		push	[ebp+var_100]
		mov	edi, [ebp+var_DC]
		lea	eax, [ebp+var_E8]
		mov	edx, [ebp+var_D5+1]
		mov	ecx, [ebp+var_D0]
		push	eax
		mov	eax, [ebp+var_E4]
		push	eax
		push	edi
		push	[ebp+var_E0]
		push	offset _DEVPKEY_Device_FriendlyName
		push	0
		push	[ebp+var_FC]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_7F95D8
		cmp	esi, 0C0000023h
		jz	loc_7F95D8
		cmp	esi, 0C0000225h
		jnz	loc_7F95E0
		push	[ebp+var_100]
		mov	ecx, [ebp+var_D0]
		lea	eax, [ebp+var_E8]
		push	eax
		push	[ebp+arg_10]
		push	edi
		push	[ebp+var_E0]
		mov	edi, [ebp+var_D5+1]
		mov	edx, edi
		push	offset _DEVPKEY_Device_DeviceDesc
		push	0
		push	[ebp+var_FC]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_7F9ED1

loc_7F9497:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+D17j
		mov	eax, [ebp+var_E8]
		mov	[ebx], eax
		jmp	loc_7F9597	; size_t
; 

loc_7F94A4:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+13Dj
		push	offset _DEVPKEY_Device_EjectionRelations ; void	*
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_912F75
		push	10h		; size_t
		push	offset _DEVPKEY_Device_InLocalMachineContainer ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		push	[ebp+var_100]
		mov	eax, [ebp+var_E0]
		xor	ecx, ecx
		mov	edi, [ebp+var_D5+1]
		inc	ecx
		mov	edx, edi
		mov	dword ptr [eax], 11h
		lea	eax, [ebp+var_E8]
		push	eax
		push	10h
		lea	eax, [ebp+var_BC]
		mov	[ebx], ecx
		push	eax
		lea	eax, [ebp+var_F8]
		push	eax
		push	offset _DEVPKEY_Device_ContainerId
		push	0
		push	[ebp+var_FC]
		push	ecx
		mov	ecx, [ebp+var_D0]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7F9597
		push	[ebp+var_100]
		mov	ecx, [ebp+var_D0]
		lea	eax, [ebp+var_E8]
		push	eax
		push	10h
		lea	eax, [ebp+var_CC]
		mov	edx, offset ??_C@_1BK@CCOOHMCM@?$AAH?$AAT?$AAR?$AAE?$AAE?$AA?2?$AAR?$AAO?$AAO?$AAT?$AA?2?$AA0@NNGAKEGL@
		push	eax
		lea	eax, [ebp+var_F8]
		push	eax
		push	offset _DEVPKEY_Device_BaseContainerId
		push	0
		push	0
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7F9597
		mov	eax, [ebp+arg_10]
		cmp	eax, [ebx]
		jb	loc_7F9A93
		push	10h		; size_t
		lea	eax, [ebp+var_BC]
		push	eax		; void *
		lea	eax, [ebp+var_CC]
		push	eax		; void *
		call	_memcmp
		mov	ecx, [ebp+var_DC]
		add	esp, 0Ch
		test	eax, eax
		setnz	al
		dec	al
		mov	[ecx], al

loc_7F9597:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+2DFj
					; _CmGetDeviceMappedPropertyFromComposite+365j	...
		mov	ebx, [ebp+var_D0]

loc_7F959D:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+214j
					; _CmGetDeviceMappedPropertyFromComposite+5E9j	...
		cmp	esi, 0C000000Eh
		jz	loc_7F9EEE

loc_7F95A9:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+1C4j
					; _CmGetDeviceMappedPropertyFromComposite+1DBj	...
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
; 

loc_7F95BC:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+1BBj
		push	eax		; size_t
		push	offset _DEVPKEY_Device_CompoundUpperFilters ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7F93A1
		jmp	loc_9132D4
; 

loc_7F95D8:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+276j
					; _CmGetDeviceMappedPropertyFromComposite+282j
		mov	eax, [ebp+var_E8]
		mov	[ebx], eax

loc_7F95E0:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+28Ej
					; _CmGetDeviceMappedPropertyFromComposite+4A6j	...
		mov	edi, [ebp+var_D5+1]
		jmp	short loc_7F9597
; 

loc_7F95E8:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+10Fj
		push	10h		; size_t
		push	offset _DEVPKEY_Device_InstanceId ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7F95A9
		mov	edi, [ebp+var_D5+1]
		lea	eax, [ebp+var_F4]
		push	eax
		mov	edx, 0C8h
		mov	ecx, edi
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7F9597
		mov	eax, [ebp+var_F4]
		mov	edi, [ebp+var_E0]
		lea	eax, ds:2[eax*2]
		mov	[ebx], eax
		mov	dword ptr [edi], 12h
		mov	edx, [ebx]
		cmp	[ebp+var_E4], edx
		jb	loc_7F9A93
		mov	ecx, [ebp+var_DC]
		push	900h
		push	0
		push	0
		push	[ebp+var_D5+1]
		call	RtlStringCbCopyExW
		mov	esi, eax
		test	esi, esi
		jns	loc_7F95E0
		jmp	loc_912E95
; 

loc_7F9671:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+118j
		push	10h		; size_t
		push	offset _DEVPKEY_Device_DevNodeStatus ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7F9947
		mov	ecx, [ebp+var_114]
		jmp	loc_7F92DE	; size_t
; 

loc_7F9694:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+146j
		push	offset _DEVPKEY_Device_RemovalRelations	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_912F7A
		push	10h		; size_t
		push	offset _DEVPKEY_Device_IsPresent ; void	*
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		mov	eax, [ebp+var_E0]
		mov	dword ptr [ebx], 1
		mov	dword ptr [eax], 11h
		mov	eax, [ebp+var_E4]
		cmp	eax, [ebx]
		jb	loc_7F9A93
		mov	edi, [ebp+var_D5+1]
		lea	eax, [ebp+var_108]
		push	edi
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7F9597
		mov	ebx, [ebp+var_DC]
		lea	eax, [ebp+var_110]
		push	ecx
		mov	ecx, [ebp+var_D0]
		lea	edx, [ebp+var_108]
		push	eax
		lea	eax, [ebp+var_10C]
		mov	byte ptr [ebx],	0
		push	eax
		lea	eax, [ebp+var_EC]
		push	eax
		call	__NtPlugPlayGetDeviceStatus@24 ; _NtPlugPlayGetDeviceStatus(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C000000Eh
		jz	loc_7F9ECA
		test	esi, esi
		js	loc_7F9597

loc_7F9745:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+991j
					; _CmGetDeviceMappedPropertyFromComposite+A12j	...
		mov	byte ptr [ebx],	0FFh
		jmp	loc_7F9597	; size_t
; 

loc_7F974D:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+16Aj
		push	offset _DEVPKEY_Device_Parent ;	void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7F9A11
		push	10h		; size_t
		push	offset _DEVPKEY_Device_ReportedDeviceIdsHash ; "~\vT@Ej\vL\b"
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		mov	eax, [ebp+var_E0]
		mov	edi, [ebp+var_D5+1]
		push	4
		mov	dword ptr [eax], 7
		pop	eax
		mov	[ebx], eax
		lea	eax, [ebp+var_108]
		push	edi
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	ebx, [ebp+var_D0]
		mov	esi, eax
		test	esi, esi
		js	loc_7F959D
		push	ecx
		mov	ecx, [ebp+var_DC]
		lea	eax, [ebp+arg_10]
		push	eax
		mov	eax, [ebp+var_E4]
		push	eax
		push	ecx
		push	0Dh

loc_7F97C4:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+11A011j
		lea	edx, [ebp+var_108]
		mov	ecx, ebx
		call	__NtPlugPlayGetDeviceProperty@28 ; _NtPlugPlayGetDeviceProperty(x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	loc_7F959D
		jmp	loc_7F9F1D	; size_t
; 

loc_7F97E4:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+17Cj
		push	offset _DEVPKEY_Device_SafeRemovalRequired ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F9BD7
		mov	eax, [ebp+var_E0]
		mov	dword ptr [ebx], 1
		mov	dword ptr [eax], 11h
		mov	eax, [ebp+var_E4]
		cmp	eax, [ebx]
		jb	loc_7F9A93
		push	[ebp+var_FC]
		mov	edx, [ebp+var_D5+1]
		mov	ecx, [ebp+var_D0]
		call	_CmIsDeviceSafeRemovalRequired
		mov	ecx, [ebp+var_DC]
		neg	al
		sbb	al, al
		mov	[ecx], al
		jmp	loc_7F95A9
; 

loc_7F9842:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+1B2j
		push	eax		; size_t
		push	offset _DEVPKEY_Device_OmitFromSystemSpec ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		mov	eax, [ebp+var_E0]
		xor	ecx, ecx
		inc	ecx
		mov	dword ptr [eax], 11h
		mov	[ebx], ecx
		cmp	[ebp+var_E4], ecx
		jb	loc_7F9A93
		push	[ebp+var_100]
		mov	ebx, [ebp+var_DC]
		lea	eax, [ebp+var_E8]
		mov	edx, [ebp+var_D5+1]
		push	eax
		push	ecx
		lea	eax, [ebp+var_D5]
		mov	byte ptr [ebx],	0
		push	eax
		lea	eax, [ebp+var_F8]
		push	eax
		push	offset _DEVPKEY_Device_UpdateWithUngroupedDrivers
		push	0
		push	[ebp+var_FC]
		push	ecx
		mov	ecx, [ebp+var_D0]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	edi, 0C0000023h
		test	esi, esi
		jns	loc_91326F
		cmp	esi, 0C0000225h
		jnz	loc_91329B

loc_7F98D5:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+11A0B6j
					; _CmGetDeviceMappedPropertyFromComposite+11A0C3j ...
		push	[ebp+var_100]
		mov	edx, [ebp+var_D5+1]
		lea	eax, [ebp+var_E8]
		mov	ecx, [ebp+var_D0]
		push	eax
		push	1
		lea	eax, [ebp+var_D5]
		push	eax
		lea	eax, [ebp+var_F8]
		push	eax
		push	offset _DEVPKEY_Device_DriverInGroup
		push	0
		push	[ebp+var_FC]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_9132A8
		cmp	esi, 0C0000225h
		jnz	loc_9132C7

loc_7F9928:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+11A10Fj
		xor	esi, esi
		jmp	loc_7F95E0
; 

loc_7F992F:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+121j
		push	10h		; size_t
		push	offset _DEVPKEY_Device_ProblemCode ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_912EA0

loc_7F9947:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+4C3j
					; _CmGetDeviceMappedPropertyFromComposite+119D03j
		mov	edx, [ebp+var_D5+1]
		lea	eax, [ebp+var_110]
		push	ecx
		mov	ecx, [ebp+var_D0]
		push	eax
		lea	eax, [ebp+var_10C]
		push	eax
		lea	eax, [ebp+var_EC]
		push	eax
		push	[ebp+var_FC]
		call	__CmGetDeviceStatus@28 ; _CmGetDeviceStatus(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7F95E0
		mov	eax, [edi+10h]
		cmp	eax, 2
		mov	[ebp+var_114], eax
		mov	eax, [ebp+var_EC]
		mov	[ebp+var_F4], eax
		jnz	loc_7F9CBA
		push	10h		; size_t
		push	offset _DEVPKEY_Device_DevNodeStatus ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F9CBA

loc_7F99B4:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+B19j
		push	7

loc_7F99B6:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119D1Aj
		mov	eax, [ebp+var_E0]
		mov	dword ptr [ebx], 4
		pop	ecx
		mov	[eax], ecx
		mov	eax, [ebp+arg_10]
		cmp	eax, [ebx]
		jb	loc_7F9A93
		cmp	dword ptr [edi+10h], 0Ch
		jz	loc_912EDF

loc_7F99DA:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119D31j
		mov	ebx, [ebp+var_F4]

loc_7F99E0:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119D9Dj
		mov	eax, [edi+10h]
		cmp	eax, 2
		jnz	loc_7F9CE4
		push	10h		; size_t
		push	offset _DEVPKEY_Device_DevNodeStatus ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_912F62

loc_7F9A04:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+B55j
		mov	ecx, [ebp+var_DC]
		mov	[ecx], ebx
		jmp	loc_7F95E0
; 

loc_7F9A11:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+59Dj
		mov	eax, [ebp+var_E4]
		mov	ecx, [ebp+var_DC]
		mov	edi, [ebp+var_D5+1]
		mov	edx, edi
		shr	eax, 1
		mov	[ebp+var_F0], eax
		lea	eax, [ebp+var_F0]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_D0]
		call	_CmGetDeviceParent
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_7F9597
		mov	ecx, 0C0000023h
		test	esi, esi
		jnz	loc_7F9F27

loc_7F9A5B:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+D69j
		mov	eax, [ebp+var_F0]
		add	eax, eax
		mov	[ebx], eax
		mov	eax, [ebp+var_E0]
		mov	dword ptr [eax], 12h

loc_7F9A71:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119F55j
		mov	eax, [ebp+arg_10]
		cmp	eax, [ebx]
		jnb	loc_7F9597

loc_7F9A7C:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119E84j
		mov	esi, ecx
		jmp	loc_7F95A9
; 

loc_7F9A83:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+D0j
		xor	edx, edx
		mov	[ebp+var_E4], edx
		mov	[ebp+arg_10], edx
		jmp	loc_7F92AB
; 

loc_7F9A93:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+3AAj
					; _CmGetDeviceMappedPropertyFromComposite+482j	...
		mov	esi, 0C0000023h
		jmp	loc_7F95A9	; size_t
; 

loc_7F9A9D:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+14Fj
		push	offset _DEVPKEY_Device_PowerRelations ;	void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		push	10h		; size_t
		test	eax, eax
		jz	loc_912FDF
		push	offset _DEVPKEY_Device_HasProblem ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		mov	eax, [ebp+var_E0]
		xor	ecx, ecx
		inc	ecx
		mov	dword ptr [eax], 11h
		mov	[ebx], ecx
		cmp	[ebp+var_E4], ecx
		jb	short loc_7F9A93
		mov	edi, [ebp+var_D5+1]
		lea	eax, [ebp+var_108]
		push	edi
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7F9597
		mov	ebx, [ebp+var_DC]
		lea	eax, [ebp+var_110]
		push	ecx
		mov	ecx, [ebp+var_D0]
		lea	edx, [ebp+var_108]
		push	eax
		lea	eax, [ebp+var_10C]
		mov	byte ptr [ebx],	0
		push	eax
		lea	eax, [ebp+var_EC]
		push	eax
		call	__NtPlugPlayGetDeviceStatus@24 ; _NtPlugPlayGetDeviceStatus(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C000000Eh
		jz	loc_7F9ECA
		test	esi, esi
		js	loc_7F9597
		test	[ebp+var_EC], 8000h
		jnz	loc_7F9745
		test	[ebp+var_EC], 400h
		jnz	loc_912F7E

loc_7F9B67:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119DC7j
					; _CmGetDeviceMappedPropertyFromComposite+119DD0j ...
		test	byte ptr [ebp+var_EC], 8
		jnz	loc_7F9597
		push	[ebp+var_100]
		mov	ecx, [ebp+var_D0]
		lea	eax, [ebp+var_E8]
		push	eax
		push	4
		pop	eax
		push	eax
		lea	eax, [ebp+var_11C]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_F8]
		push	eax
		push	offset _DEVPKEY_Device_Capabilities
		push	0
		push	[ebp+var_FC]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jz	loc_7F9ECA
		test	esi, esi
		js	loc_7F9597
		test	byte ptr [ebp+var_11C],	40h

loc_7F9BCC:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119F6Ej
		jz	loc_7F9597
		jmp	loc_7F9745
; 

loc_7F9BD7:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+634j
		push	10h		; size_t
		push	offset _DEVPKEY_Device_ContainerId ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		push	[ebp+arg_18]
		mov	edi, [ebp+var_D5+1]
		lea	eax, [ebp+var_E8]
		mov	ecx, [ebp+var_D0]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_E8], 4Eh
		push	eax
		lea	eax, [ebp+var_124]
		push	eax
		push	25h
		push	[ebp+var_FC]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7F9597
		lea	ecx, [ebp+var_5C]
		call	_PnpIsNullGuidString@4 ; PnpIsNullGuidString(x)
		test	al, al
		jnz	loc_7F9F1D
		mov	eax, [ebp+var_E0]
		mov	dword ptr [ebx], 10h
		mov	dword ptr [eax], 0Dh
		mov	eax, [ebp+arg_10]
		cmp	eax, [ebx]
		jb	loc_7F9A93
		mov	ebx, [ebp+var_D0]
		lea	eax, [ebp+var_AC]
		push	ecx
		push	eax
		lea	eax, [ebp+var_5C]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_CmGetDeviceContainerIdFromBase
		mov	esi, eax
		test	esi, esi
		js	loc_7F959D
		lea	eax, [ebp+var_AC]
		push	eax
		lea	eax, [ebp+var_108]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7F959D
		mov	ecx, [ebp+var_DC]
		lea	eax, [ebp+var_108]
		push	ecx
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		jmp	loc_7F93D2
; 

loc_7F9CBA:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+7D6j
					; _CmGetDeviceMappedPropertyFromComposite+7EEj
		cmp	[ebp+var_114], 3
		jnz	loc_912EC8
		push	10h		; size_t
		push	offset _DEVPKEY_Device_ProblemCode ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_7F99B4
		jmp	loc_912EC8
; 

loc_7F9CE4:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+826j
		cmp	eax, 3
		jnz	loc_912F62
		push	10h		; size_t
		push	offset _DEVPKEY_Device_ProblemCode ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_912F62
		and	ebx, 400h
		neg	ebx
		sbb	ebx, ebx
		and	ebx, [ebp+var_10C]
		jmp	loc_7F9A04	; size_t
; 

loc_7F9D1A:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+185j
		push	offset _DEVPKEY_Device_IsConnected ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		mov	eax, [ebp+var_E0]
		xor	ecx, ecx
		inc	ecx
		mov	dword ptr [eax], 11h
		mov	[ebx], ecx
		cmp	[ebp+var_E4], ecx
		jb	loc_7F9A93
		mov	edi, [ebp+var_D5+1]
		lea	eax, [ebp+var_108]
		push	edi
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7F9597
		mov	ebx, [ebp+var_DC]
		lea	eax, [ebp+var_110]
		push	ecx
		mov	ecx, [ebp+var_D0]
		lea	edx, [ebp+var_108]
		push	eax
		lea	eax, [ebp+var_10C]
		mov	byte ptr [ebx],	0
		push	eax
		lea	eax, [ebp+var_EC]
		push	eax
		call	__NtPlugPlayGetDeviceStatus@24 ; _NtPlugPlayGetDeviceStatus(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C000000Eh
		jz	loc_7F9ECA
		test	esi, esi
		js	loc_7F9597
		test	[ebp+var_EC], 2000000h
		jnz	loc_7F9597
		push	[ebp+var_100]
		mov	ecx, [ebp+var_D0]
		lea	eax, [ebp+var_E8]
		push	eax
		push	1
		lea	eax, [ebp+var_D5]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_F8]
		push	eax
		push	offset _DEVPKEY_Device_PresenceNotForDevice
		push	0
		push	0
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_91311A
		cmp	esi, 0C0000225h
		jnz	loc_913133

loc_7F9E0B:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119F7Fj
		xor	esi, esi
		jmp	loc_7F9745
; 

loc_7F9E12:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+18Ej
		push	eax		; size_t
		push	offset _DEVPKEY_Device_IsRebootRequired	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		mov	eax, [ebp+var_E0]
		xor	ecx, ecx
		inc	ecx
		mov	dword ptr [eax], 11h
		mov	[ebx], ecx
		cmp	[ebp+var_E4], ecx
		jb	loc_7F9A93
		mov	edi, [ebp+var_D5+1]
		lea	eax, [ebp+var_108]
		push	edi
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7F9597
		mov	ebx, [ebp+var_DC]
		lea	eax, [ebp+var_110]
		push	ecx
		mov	ecx, [ebp+var_D0]
		lea	edx, [ebp+var_108]
		push	eax
		lea	eax, [ebp+var_10C]
		mov	byte ptr [ebx],	0
		push	eax
		lea	eax, [ebp+var_EC]
		push	eax
		call	__NtPlugPlayGetDeviceStatus@24 ; _NtPlugPlayGetDeviceStatus(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C000000Eh
		jz	short loc_7F9ECA
		test	esi, esi
		js	loc_7F9597
		test	[ebp+var_EC], 100h
		jnz	loc_7F9745
		test	[ebp+var_EC], 400h
		jz	loc_7F9597
		jmp	loc_913144
; 

loc_7F9ECA:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+577j
					; _CmGetDeviceMappedPropertyFromComposite+979j	...
		xor	esi, esi
		jmp	loc_7F95A9
; 

loc_7F9ED1:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+2D1j
		cmp	esi, 0C0000023h
		jz	loc_7F9497
		cmp	esi, 0C0000225h
		jz	loc_7F95A9
		jmp	loc_7F9597
; 

loc_7F9EEE:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+3E3j
		push	0
		lea	eax, [ebp+var_120]
		mov	edx, edi
		push	eax
		push	0
		push	1
		push	0
		push	10h
		mov	ecx, ebx
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		jnz	loc_9132E2
		push	[ebp+var_120]
		call	_ZwClose@4	; ZwClose(x)

loc_7F9F1D:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+61Fj
					; _CmGetDeviceMappedPropertyFromComposite+A7Dj	...
		mov	esi, 0C0000225h
		jmp	loc_7F95A9
; 

loc_7F9F27:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+895j
		cmp	esi, ecx
		jz	loc_7F9A5B
		jmp	loc_7F9597
_CmGetDeviceMappedPropertyFromComposite	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUEventHandleGetEvent proc near	; CODE XREF: PiUEventHandleIoctl+26p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00913359 SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, [ecx+10h]
		mov	eax, edx
		push	esi
		xor	esi, esi
		mov	[ebp+var_14], eax
		push	edi
		test	ebx, ebx
		jz	loc_9133B7
		test	eax, eax
		jz	loc_9133B7
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 4
		jbe	loc_9133B7
		and	[eax], esi
		lea	edx, [eax+4]
		mov	edi, eax
		mov	[ebp+var_8], edx
		sub	edi, edx
		add	edi, ecx
		mov	ecx, [ebx+8]
		call	ExAcquireFastMutex
		lea	eax, [ebx+40h]
		mov	ecx, [eax]
		mov	[ebp+var_4], ecx

loc_7F9F83:				; CODE XREF: PiUEventHandleGetEvent+BEj
		cmp	ecx, eax
		jz	short loc_7F9FF4
		test	esi, esi
		js	short loc_7F9FF4
		lea	eax, [ecx+10h]
		mov	[ebp+var_C], ecx
		push	dword ptr [eax]	; size_t
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		mov	[ebp+var_18], eax
		call	PiUEventCopyEventData
		mov	esi, eax
		test	esi, esi
		js	loc_913397
		mov	eax, [ebp+var_8]
		mov	edx, edi
		mov	ecx, [eax]
		sub	edx, ecx
		mov	[ebp+var_10], edx
		cmp	ecx, edi
		ja	short loc_7FA024
		add	eax, ecx
		mov	[ebp+var_8], eax

loc_7F9FBF:				; CODE XREF: PiUEventHandleGetEvent+F5j
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_4]
		inc	dword ptr [eax]
		mov	eax, [ebp+var_18]
		mov	ecx, [ecx]
		mov	[ebp+var_4], ecx
		mov	eax, [eax]
		cmp	byte ptr [eax+28h], 0
		jnz	loc_913359
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		push	0
		call	_PiUEventDequeuePendingEventWorker@12 ;	PiUEventDequeuePendingEventWorker(x,x,x)
		mov	edx, [ebp+var_10]

loc_7F9FEA:				; CODE XREF: PiUEventHandleGetEvent+119459j
		mov	ecx, [ebp+var_4]
		lea	eax, [ebx+40h]
		mov	edi, edx
		jmp	short loc_7F9F83
; 

loc_7F9FF4:				; CODE XREF: PiUEventHandleGetEvent+51j
					; PiUEventHandleGetEvent+55j ...
		mov	ecx, [ebx+8]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	esi, 0C0000023h
		jz	short loc_7FA02B

loc_7FA004:				; CODE XREF: PiUEventHandleGetEvent+FEj
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		sub	ecx, edi
		mov	[eax+4], ecx
		lea	eax, [esi+3FFFFFDDh]
		neg	eax
		sbb	eax, eax
		and	esi, eax

loc_7FA01B:				; CODE XREF: PiUEventHandleGetEvent+11947Ej
					; PiUEventHandleGetEvent+119488j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7FA024:				; CODE XREF: PiUEventHandleGetEvent+84j
		mov	esi, 0C0000023h
		jmp	short loc_7F9FBF
; 

loc_7FA02B:				; CODE XREF: PiUEventHandleGetEvent+CEj
		mov	ecx, ebx
		call	_PiUEventNotifyClientPendingEvent@4 ; PiUEventNotifyClientPendingEvent(x)
		jmp	short loc_7FA004
PiUEventHandleGetEvent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiUEventCopyEventData(size_t)
PiUEventCopyEventData proc near		; CODE XREF: PiUEventHandleGetEvent+67p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009133C1 SIZE 00000083 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], ecx
		and	[ebp+var_4], ebx
		mov	eax, edx
		mov	[ebp+var_C], eax
		push	esi
		push	edi
		cmp	eax, 40h
		jb	loc_91343A
		mov	edx, [ebp+arg_0]
		cmp	[edx+24h], eax
		ja	loc_91343A
		mov	al, [edx+28h]
		lea	esi, [edx+2Ch]
		mov	[ecx+4], al
		lea	edi, [ecx+0Ch]
		mov	al, [edx+29h]
		mov	[ecx+5], al
		mov	eax, [edx+3Ch]
		mov	[ecx+8], eax
		movsd
		movsd
		movsd
		movsd
		mov	eax, [edx+3Ch]
		sub	eax, 1
		jz	loc_913418
		sub	eax, 1
		jz	loc_7FA127
		sub	eax, 1
		jnz	loc_7FA1A2
		lea	eax, [ebp+var_4]
		lea	ecx, [edx+54h]
		mov	edx, 0C8h
		push	eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7FA11E
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_7FA11E
		mov	ecx, [ebp+arg_0]
		lea	edx, ds:49h[eax*2]
		and	edx, 0FFFFFFFCh
		movzx	eax, word ptr [edx+ecx+2Eh]
		sub	eax, 1Ch
		mov	[ebp+arg_0], eax
		add	eax, 3Ch
		mov	[ebp+var_4], eax
		cmp	[ebp+var_C], eax
		jb	loc_91343A
		mov	edi, [ebp+var_8]
		lea	esi, [ecx+30h]
		add	esi, edx
		add	edi, 24h
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_8]
		mov	eax, [edx+ecx+44h]
		mov	[esi+34h], eax
		mov	eax, [ebp+arg_0]
		push	eax		; size_t
		mov	[esi+38h], eax
		lea	eax, [ecx+48h]
		add	eax, edx
		push	eax		; void *
		lea	eax, [esi+3Ch]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	dword ptr [esi+1Ch], 1
		mov	[esi], eax

loc_7FA11E:				; CODE XREF: PiUEventCopyEventData+7Cj
					; PiUEventCopyEventData+83j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_7FA127:				; CODE XREF: PiUEventCopyEventData+58j
		lea	eax, [edx+60h]
		mov	edx, 7FFFh
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7FA11E
		mov	edx, [ebp+var_4]
		lea	eax, ds:36h[edx*2]
		cmp	[ebp+var_C], eax
		jb	loc_91343A
		mov	ecx, [ebp+arg_0]
		lea	eax, ds:2[edx*2]
		mov	edi, [ebp+var_8]
		add	edi, 24h
		push	eax		; size_t
		lea	esi, [ecx+50h]
		lea	eax, [ecx+60h]
		movsd
		push	eax		; void *
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_8]
		lea	esi, [edi+34h]
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, esi
		push	0
		call	__CmSetDeviceInterfacePathFormat@12 ; _CmSetDeviceInterfacePathFormat(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7FA11E
		mov	ecx, [ebp+var_4]
		and	dword ptr [edi+1Ch], 0
		lea	eax, ds:36h[ecx*2]
		mov	[edi], eax
		jmp	loc_7FA11E
; 

loc_7FA1A2:				; CODE XREF: PiUEventCopyEventData+61j
		sub	eax, 1
		jz	short loc_7FA1BE
		sub	eax, 5
		jz	loc_9133CB
		sub	eax, 1
		jz	short loc_7FA1BE
		sub	eax, 1
		jnz	loc_9133C1

loc_7FA1BE:				; CODE XREF: PiUEventCopyEventData+171j
					; PiUEventCopyEventData+17Fj
		lea	esi, [edx+50h]
		mov	edx, 0C8h
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7FA11E
		mov	eax, [ebp+var_4]
		lea	edi, ds:26h[eax*2]
		cmp	[ebp+var_C], edi
		jb	loc_91343A
		lea	eax, ds:2[eax*2]
		push	eax		; size_t
		push	esi		; void *
		mov	esi, [ebp+var_8]
		lea	eax, [esi+24h]
		push	eax		; void *
		call	_memcpy
		mov	dword ptr [esi+1Ch], 2

loc_7FA20A:				; CODE XREF: PiUEventCopyEventData+1193DFj
		add	esp, 0Ch
		mov	[esi], edi
		jmp	loc_7FA11E
PiUEventCopyEventData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMDispatch(x, x)
_PiCMDispatch@8	proc near		; DATA XREF: .text:00403F2Co

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	esi, [ecx+18h]
		test	esi, esi
		js	short loc_7FA241
		mov	eax, [ecx+60h]
		movzx	eax, byte ptr [eax]
		sub	eax, 0
		jz	short loc_7FA23F
		dec	eax
		sub	eax, 1
		jz	short loc_7FA23F
		sub	eax, 0Ch
		jz	short loc_7FA252
		sub	eax, 4
		jnz	short loc_7FA241

loc_7FA23F:				; CODE XREF: PiCMDispatch(x,x)+19j
					; PiCMDispatch(x,x)+1Fj
		xor	esi, esi

loc_7FA241:				; CODE XREF: PiCMDispatch(x,x)+Ej
					; PiCMDispatch(x,x)+29j ...
		xor	dl, dl
		mov	[ecx+18h], esi
		call	IofCompleteRequest
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
; 

loc_7FA252:				; CODE XREF: PiCMDispatch(x,x)+24j
		mov	esi, 0C00000BBh
		jmp	short loc_7FA241
_PiCMDispatch@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


PiUEventHandleIoctl proc near		; CODE XREF: PiUEventDispatch+2Bp

; FUNCTION CHUNK AT 00913444 SIZE 00000018 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [esi+60h]
		mov	eax, [ecx+0Ch]
		sub	eax, (offset loc_4707FE+2)
		jz	short loc_7FA298
		sub	eax, 4
		jnz	short loc_7FA2AF
		mov	edx, [esi+0Ch]
		lea	eax, [esi+18h]
		push	eax
		push	dword ptr [ecx+4]
		push	ecx
		mov	ecx, [ecx+18h]
		call	PiUEventHandleGetEvent

loc_7FA285:				; CODE XREF: PiUEventHandleIoctl+53j
					; PiUEventHandleIoctl+6Bj ...
		mov	edi, eax

loc_7FA287:				; CODE XREF: PiUEventHandleIoctl+72j
		xor	dl, dl
		mov	[esi+18h], edi
		mov	ecx, esi
		call	IofCompleteRequest
		mov	eax, edi
		pop	edi
		pop	esi
		retn
; 

loc_7FA298:				; CODE XREF: PiUEventHandleIoctl+11j
		mov	edx, [esi+0Ch]
		lea	eax, [esi+18h]
		push	eax
		push	dword ptr [ecx+4]
		push	dword ptr [ecx+8]
		mov	ecx, [ecx+18h]
		call	PiUEventHandleRegistration
		jmp	short loc_7FA285
; 

loc_7FA2AF:				; CODE XREF: PiUEventHandleIoctl+16j
		sub	eax, 4
		jz	loc_913444
		sub	eax, 4
		jnz	short loc_7FA2C7
		mov	ecx, [ecx+18h]
		call	_PiUEventHandleUnregisterClient@4 ; PiUEventHandleUnregisterClient(x)
		jmp	short loc_7FA285
; 

loc_7FA2C7:				; CODE XREF: PiUEventHandleIoctl+61j
		mov	edi, 0C00000BBh
		jmp	short loc_7FA287
PiUEventHandleIoctl endp


;  S U B	R O U T	I N E 


; __stdcall _CmValidateDeviceContainerName(x, x)
__CmValidateDeviceContainerName@8 proc near ; CODE XREF: _PnpDispatchDeviceContainer+70p
					; _CmGetDeviceContainerRegKeyPath(x,x,x,x,x,x,x,x)+18p	...
		mov	edi, edi
		push	esi
		mov	esi, edx
		mov	ecx, esi
		call	__PnpIsValidGuidString@4 ; _PnpIsValidGuidString(x)
		test	al, al
		jz	short loc_7FA2ED
		mov	ecx, esi
		call	_PnpIsNullGuidString@4 ; PnpIsNullGuidString(x)
		test	al, al
		jnz	short loc_7FA2ED
		xor	eax, eax
		pop	esi
		retn
; 

loc_7FA2ED:				; CODE XREF: _CmValidateDeviceContainerName(x,x)+Ej
					; _CmValidateDeviceContainerName(x,x)+19j
		mov	eax, 0C0000033h
		pop	esi
		retn
__CmValidateDeviceContainerName@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 855. IoGetDeviceInterfaces

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoGetDeviceInterfaces
IoGetDeviceInterfaces proc near		; CODE XREF: PnprIsMemoryDevice(x,x)+2Ep
					; PnprIsProcessorDevice(x,x,x,x)+29p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		mov	edx, ebx
		push	edi
		test	esi, esi
		jz	short loc_7FA331
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_9080FE
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_9080FE
		lea	edx, [eax+14h]	; int

loc_7FA331:				; CODE XREF: IoGetDeviceInterfaces+11j
		mov	ecx, [ebp+arg_0] ; int
		push	ebx		; int
		push	[ebp+arg_C]	; int
		push	ebx		; char
		push	[ebp+arg_8]	; int
		call	IopGetDeviceInterfaces
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
IoGetDeviceInterfaces endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMValidateDeviceInstance proc	near	; CODE XREF: PiCMHandleIoctl+96p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0091345C SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	byte ptr [ebp+var_1], 1
		push	7
		mov	esi, ecx
		lea	edi, [ebp+var_4C]
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_30]
		xor	ebx, ebx
		stosd
		mov	[ebp+var_C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_20], ebx
		stosd
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_8], ebx
		stosd
		stosd
		mov	eax, [ebp+arg_C]
		mov	[eax], ebx
		lea	eax, [ebp+var_4C]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureObjectInputData
		mov	edi, [ebp+var_40]
		mov	esi, eax
		test	esi, esi
		js	loc_7FA4A9
		test	edi, edi
		jz	loc_91347D
		mov	ebx, [ebp+var_48]
		xor	ecx, ecx
		inc	ecx
		lea	eax, [ebx-1]
		cmp	eax, ecx
		ja	loc_91347D
		cmp	[ebp+var_44], ecx
		jnz	loc_91347D
		cmp	[ebp+var_38], 0
		jnz	loc_91347D
		cmp	[ebp+arg_0], 0
		jz	loc_91347D
		cmp	[ebp+arg_4], 8
		jb	loc_91347D
		xor	edx, edx
		lea	eax, [ebp+var_8]
		push	edx
		push	edx
		push	eax
		push	edx
		push	ecx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_7FA484
		cmp	ebx, 2
		jz	loc_7FA4CE

loc_7FA407:				; CODE XREF: PiCMValidateDeviceInstance+190j
		lea	eax, [ebp+var_30]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	edi, [ebp+var_40]
		lea	eax, [ebp+var_1]
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_8]
		push	1
		call	_PiPnpRtlApplyMandatoryFilters@24 ; PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_30]
		push	eax
		call	SeReleaseSubjectContext
		test	esi, esi
		js	short loc_7FA484
		cmp	byte ptr [ebp+var_1], 0
		jz	loc_7FA506
		cmp	[ebp+var_48], 2
		jz	short loc_7FA4DE
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_1C]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_8]
		call	__CmGetDeviceStatus@28 ; _CmGetDeviceStatus(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_7FA506

loc_7FA484:				; CODE XREF: PiCMValidateDeviceInstance+B0j
					; PiCMValidateDeviceInstance+105j ...
		cmp	[ebp+var_8], 0
		jz	short loc_7FA492
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_7FA492:				; CODE XREF: PiCMValidateDeviceInstance+140j
		push	[ebp+arg_C]
		mov	edx, [ebp+var_34]
		mov	ecx, esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMReturnBasicResultData
		mov	esi, eax
		xor	ebx, ebx

loc_7FA4A9:				; CODE XREF: PiCMValidateDeviceInstance+4Ej
		test	edi, edi
		jz	short loc_7FA4C5
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_7FA4C5
		push	ebx
		push	[ebp+var_40]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7FA4C5:				; CODE XREF: PiCMValidateDeviceInstance+163j
					; PiCMValidateDeviceInstance+172j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7FA4CE:				; CODE XREF: PiCMValidateDeviceInstance+B9j
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jz	loc_7FA407

loc_7FA4DE:				; CODE XREF: PiCMValidateDeviceInstance+115j
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		push	4
		pop	ebx
		push	eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ebx
		push	eax
		lea	eax, [ebp+var_C]
		mov	edx, offset ??_C@_1BA@LEPEEO@?$AAP?$AAh?$AAa?$AAn?$AAt?$AAo?$AAm@NNGAKEGL@ ; "Phantom"
		push	eax
		call	_RegRtlQueryValue
		test	eax, eax
		js	short loc_7FA484
		jmp	loc_91345C
; 

loc_7FA506:				; CODE XREF: PiCMValidateDeviceInstance+10Bj
					; PiCMValidateDeviceInstance+136j ...
		mov	esi, 0C000000Eh
		jmp	loc_7FA484
PiCMValidateDeviceInstance endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMReturnBasicResultData proc near	; CODE XREF: PiCMValidateDeviceInstance+158p
					; PiCMSetObjectProperty+157p ...

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	10h
		push	offset dword_6A5358
		call	__SEH_prolog4
		mov	[ebp+var_1C], ecx
		xor	edi, edi
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		push	8
		pop	ebx
		cmp	[ebp+arg_4], ebx
		jb	short loc_7FA56F
		cmp	edx, ebx
		jnz	short loc_7FA56F
		mov	[ebp+ms_exc.disabled], edi
		push	4
		push	[ebp+arg_4]
		mov	esi, [ebp+arg_0]
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[esi], ebx
		mov	eax, [ebp+var_1C]
		mov	[esi+4], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7FA552:				; CODE XREF: sub_913495+10j
		test	edi, edi
		js	short loc_7FA55B
		mov	ecx, [ebp+arg_8]
		mov	[ecx], ebx

loc_7FA55B:				; CODE XREF: PiCMReturnBasicResultData+44j
					; PiCMReturnBasicResultData+64j
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7FA56F:				; CODE XREF: PiCMReturnBasicResultData+1Cj
					; PiCMReturnBasicResultData+20j
		mov	edi, 0C000000Dh
		jmp	short loc_7FA55B
PiCMReturnBasicResultData endp


;  S U B	R O U T	I N E 


; __stdcall PiDqObjectManagerUnregisterQuery(x,	x)
_PiDqObjectManagerUnregisterQuery@8 proc near ;	CODE XREF: PiDqDispatch+122p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	esi, edx
		lea	ecx, [ebx+38h]
		call	ExAcquireFastMutex
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_7FA598

loc_7FA58D:				; CODE XREF: PiDqObjectManagerUnregisterQuery(x,x)+3Dj
		pop	edi
		pop	esi
		lea	ecx, [ebx+38h]
		pop	ebx
		jmp	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
; 

loc_7FA598:				; CODE XREF: PiDqObjectManagerUnregisterQuery(x,x)+15j
		cmp	[eax+4], esi
		jnz	short loc_7FA5B5
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_7FA5B5
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, esi
		dec	dword ptr [ebx+78h]
		call	PiDqQueryRelease
		jmp	short loc_7FA58D
; 

loc_7FA5B5:				; CODE XREF: PiDqObjectManagerUnregisterQuery(x,x)+25j
					; PiDqObjectManagerUnregisterQuery(x,x)+2Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PiDqObjectManagerUnregisterQuery@8 endp ; AL =	character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqQueryRelease proc near		; CODE XREF: PiDqObjectManagerUnregisterQuery(x,x)+38p
					; PiDqDispatch+56p ...

; FUNCTION CHUNK AT 009134AA SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [esi+70h], eax
		dec	eax
		jnz	short loc_7FA616
		test	byte_6CD8BA, 40h
		jnz	loc_9134AA

loc_7FA5DB:				; CODE XREF: PiDqQueryRelease+118EFEj
		mov	ecx, esi
		call	PiDqQueryFreeActiveData
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_7FA5F4
		push	6370726Bh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7FA5F4:				; CODE XREF: PiDqQueryRelease+2Dj
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_7FA602
		push	eax		; Handle
		call	ds:__imp__MesHandleFree@4 ; MesHandleFree(x)

loc_7FA602:				; CODE XREF: PiDqQueryRelease+3Fj
		lea	eax, [esi+10h]
		push	eax
		call	SeReleaseSubjectContext
		push	58706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7FA616:				; CODE XREF: PiDqQueryRelease+12j
		pop	esi
		leave
		retn
PiDqQueryRelease endp

; 
		align 2

;  S U B	R O U T	I N E 


; int __fastcall PnpIsNullGuid(void *Source2)
_PnpIsNullGuid@4 proc near		; CODE XREF: PiDqIrpQueryCreate+10Ap
					; PiDqObjectManagerServiceActionQueue+19Dp ...
		push	10h		; Length
		push	ecx		; Source2
		push	offset _GUID_NULL ; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		setz	al
		retn
_PnpIsNullGuid@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqQueryGetNextIoctlInfo(x, x, x, x)
_PiDqQueryGetNextIoctlInfo@16 proc near	; CODE XREF: PiDqIrpQueryGetResult+12Ap
					; PiDqIrpQueryGetResult+225p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, edx
		cmp	[ecx+60h], esi
		jnz	short loc_7FA662
		lea	eax, [ecx+64h]
		cmp	[eax], eax
		jnz	short loc_7FA662
		test	byte ptr [ecx+74h], 20h
		jz	short loc_7FA662
		mov	eax, [ecx+0Ch]
		mov	edx, [ebp+arg_4]
		test	byte ptr [eax+20h], 1
		jnz	short loc_7FA699
		mov	[edx], esi
		mov	[edx+4], esi

loc_7FA65C:				; CODE XREF: PiDqQueryGetNextIoctlInfo(x,x,x,x)+64j
					; PiDqQueryGetNextIoctlInfo(x,x,x,x)+69j ...
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_7FA662:				; CODE XREF: PiDqQueryGetNextIoctlInfo(x,x,x,x)+Ej
					; PiDqQueryGetNextIoctlInfo(x,x,x,x)+15j ...
		mov	edx, [ebp+arg_4]
		mov	dword ptr [edx], (offset loc_470002+5)
		test	byte ptr [ecx+74h], 20h
		jnz	short loc_7FA6A8
		push	4
		pop	eax

loc_7FA674:				; CODE XREF: PiDqQueryGetNextIoctlInfo(x,x,x,x)+80j
					; PiDqQueryGetNextIoctlInfo(x,x,x,x)+83j
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_7FA6B3
		shl	eax, 0Ah

loc_7FA67E:				; CODE XREF: PiDqQueryGetNextIoctlInfo(x,x,x,x)+8Bj
		mov	ecx, 10000h
		mov	[edx+4], eax
		cmp	eax, ecx
		ja	short loc_7FA6BB
		mov	ecx, eax

loc_7FA68C:				; CODE XREF: PiDqQueryGetNextIoctlInfo(x,x,x,x)+90j
		cmp	ecx, esi
		jb	short loc_7FA6C0

loc_7FA690:				; CODE XREF: PiDqQueryGetNextIoctlInfo(x,x,x,x)+97j
		cmp	ecx, edi
		jnb	short loc_7FA65C
		mov	[edx+4], edi
		jmp	short loc_7FA65C
; 

loc_7FA699:				; CODE XREF: PiDqQueryGetNextIoctlInfo(x,x,x,x)+27j
		mov	dword ptr [edx], offset	loc_470008
		mov	dword ptr [edx+4], 10h
		jmp	short loc_7FA65C
; 

loc_7FA6A8:				; CODE XREF: PiDqQueryGetNextIoctlInfo(x,x,x,x)+41j
		mov	eax, [ecx+6Ch]
		cmp	[ecx+60h], esi
		jz	short loc_7FA674
		inc	eax
		jmp	short loc_7FA674
; 

loc_7FA6B3:				; CODE XREF: PiDqQueryGetNextIoctlInfo(x,x,x,x)+4Bj
		imul	eax, esi
		add	eax, 10h
		jmp	short loc_7FA67E
; 

loc_7FA6BB:				; CODE XREF: PiDqQueryGetNextIoctlInfo(x,x,x,x)+5Aj
		mov	[edx+4], ecx
		jmp	short loc_7FA68C
; 

loc_7FA6C0:				; CODE XREF: PiDqQueryGetNextIoctlInfo(x,x,x,x)+60j
		mov	[edx+4], esi
		mov	ecx, esi
		jmp	short loc_7FA690
_PiDqQueryGetNextIoctlInfo@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


PiDqQueryGetObjectManager proc near	; CODE XREF: PiDqDispatch+F9p
					; PiDqQuerySerializeActionQueue+73p

; FUNCTION CHUNK AT 009134BD SIZE 00000031 BYTES

		mov	eax, [ecx+0Ch]
		xor	edx, edx
		mov	eax, [eax+10h]
		sub	eax, 1
		jz	short loc_7FA6EB
		sub	eax, 1
		jz	short loc_7FA6F2
		sub	eax, 1
		jnz	loc_9134BD
		mov	edx, offset _PiDqDeviceManager

loc_7FA6E8:				; CODE XREF: PiDqQueryGetObjectManager+28j
					; PiDqQueryGetObjectManager+2Fj ...
		mov	eax, edx
		retn
; 

loc_7FA6EB:				; CODE XREF: PiDqQueryGetObjectManager+Bj
		mov	edx, offset _PiDqDeviceInterfaceManager
		jmp	short loc_7FA6E8
; 

loc_7FA6F2:				; CODE XREF: PiDqQueryGetObjectManager+10j
		mov	edx, offset _PiDqDeviceContainerManager
		jmp	short loc_7FA6E8
PiDqQueryGetObjectManager endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqObjectManagerEnumerateAndRegisterQuery proc	near
					; CODE XREF: PiDqQuerySerializeActionQueue+7Cp

var_C0		= dword	ptr -0C0h
var_BA		= byte ptr -0BAh
var_B9		= byte ptr -0B9h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_80		= dword	ptr -80h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009134EE SIZE 00000145 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0C4h+var_4], eax
		push	ebx
		mov	ebx, edx
		mov	[esp+0C8h+var_B4], ecx
		push	esi
		push	edi
		push	7
		mov	eax, [ebx+0Ch]
		lea	edi, [esp+0D4h+var_74]
		xor	edx, edx
		pop	ecx
		push	2Ch		; size_t
		mov	al, [eax+20h]
		mov	esi, edx
		and	al, 1
		mov	[esp+0D4h+var_B0], edx
		mov	[esp+0D4h+var_B9], al
		xor	eax, eax
		rep stosd
		push	edx		; int
		lea	eax, [esp+0D8h+var_A0]
		mov	[esp+0D8h+var_C0], edx
		push	eax		; void *
		mov	[esp+0DCh+var_A4], edx
		mov	[esp+0DCh+var_AC], edx
		call	_memset
		add	esp, 0Ch
		cmp	[esp+0D0h+var_B9], 0
		jnz	loc_7FA94D
		mov	edi, [esp+0D0h+var_B4]

loc_7FA769:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+2A4j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [ebx+20h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebx+0Ch]
		xor	ecx, ecx
		mov	eax, [edx+14h]
		sub	eax, ecx
		jz	loc_7FA853
		sub	eax, 1
		jnz	loc_9134F8
		mov	edx, [edx+18h]
		lea	eax, [esp+0D0h+var_C0]
		mov	ecx, [edi+80h]
		push	eax
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_7FA7E6
		test	esi, esi
		js	short loc_7FA80C
		mov	ecx, [esp+0D0h+var_C0]
		call	_PiDmObjectIsEnumerable@4 ; PiDmObjectIsEnumerable(x)
		test	al, al
		jz	short loc_7FA7D5
		mov	edx, [esp+0D0h+var_C0]
		mov	ecx, ebx
		call	PiDqQueryEnumObject

loc_7FA7D3:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+208j
		mov	esi, eax

loc_7FA7D5:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+CCj
		mov	ecx, [esp+0D0h+var_C0]
		call	PiDmObjectRelease

loc_7FA7DE:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+2EAj
		test	esi, esi
		js	short loc_7FA80C

loc_7FA7E2:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+1A6j
					; PiDqObjectManagerEnumerateAndRegisterQuery+118E01j ...
		test	esi, esi
		js	short loc_7FA80C

loc_7FA7E6:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+BBj
					; PiDqObjectManagerEnumerateAndRegisterQuery+1E8j
		lea	eax, [esp+0D0h+var_AC]
		xor	edx, edx
		push	eax
		xor	eax, eax
		xor	ecx, ecx
		push	eax
		call	_PiDqQueryActionQueueEntryCreate@16 ; PiDqQueryActionQueueEntryCreate(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7FA80C
		mov	edx, [esp+0D0h+var_AC]
		mov	ecx, ebx
		call	PiDqQueryAppendActionEntry
		or	dword ptr [ebx+74h], 20h

loc_7FA80C:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+BFj
					; PiDqObjectManagerEnumerateAndRegisterQuery+E6j ...
		xor	edx, edx
		lea	ecx, [ebx+20h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, [esp+0D0h+var_B4]

loc_7FA826:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+2AAj
		lea	ecx, [ebx+20h]
		test	esi, esi
		js	loc_9135F8

loc_7FA831:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+118F34j
		cmp	[esp+0D0h+var_B9], 0
		jnz	loc_7FA9A9

loc_7FA83C:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+2C2j
		mov	ecx, [esp+0D0h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7FA853:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+91j
		mov	edx, offset _PiDqQueryConstraintData
		mov	[esp+0D0h+var_B8], ecx
		mov	esi, 0C0000001h
		mov	[esp+0D0h+var_B0], edx

loc_7FA865:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+191j
		mov	eax, [edx]
		mov	[esp+0D0h+var_A8], edx
		cmp	eax, [edi+80h]
		jz	loc_7FA907

loc_7FA877:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+24Ej
		add	ecx, 18h
		add	edx, 18h
		mov	[esp+0D0h+var_B8], ecx
		mov	[esp+0D0h+var_B0], edx
		cmp	ecx, 90h
		jb	short loc_7FA865

loc_7FA88D:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+23Cj
		test	esi, esi
		js	loc_7FA9C1
		mov	edi, [esp+0D0h+var_A8]
		mov	eax, [esp+0D0h+var_80]
		cmp	eax, [edi+0Ch]
		jnz	loc_7FA7E2
		cmp	eax, 0Dh
		jnz	loc_7FA9E9
		push	ecx		; int
		mov	ecx, [esp+0D4h+var_78] ; int
		lea	edx, [esp+0D4h+var_58] ; void *
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7FA80C
		lea	eax, [esp+0D0h+var_58]

loc_7FA8CB:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+2F8j
					; PiDqObjectManagerEnumerateAndRegisterQuery+306j
		lea	ecx, [esp+0D0h+var_C0]
		mov	edx, eax
		push	ecx
		mov	ecx, [edi+10h]
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_7FA7E6
		test	esi, esi
		js	loc_7FA80C
		mov	edx, [esp+0D0h+var_C0]
		mov	ecx, [edi+14h]
		push	ebx
		push	offset _PiDqEnumQueryObjectsCallback@12	; PiDqEnumQueryObjectsCallback(x,x,x)
		call	PiDmListEnumObjectsWithCallback
		jmp	loc_7FA7D3
; 

loc_7FA907:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+177j
		mov	esi, [edx+4]
		lea	edi, [esp+0D0h+var_74]
		push	5
		pop	ecx
		rep movsd
		mov	ecx, [ebx+0Ch]
		lea	eax, [esp+0D0h+var_A0]
		push	eax
		push	dword ptr [edx+8]
		lea	eax, [esp+0D8h+var_74]
		mov	edx, [ecx+38h]
		mov	ecx, [ecx+34h]
		push	eax
		call	ConstraintEval
		mov	esi, eax
		cmp	esi, 0C0000001h
		jnz	loc_7FA88D
		mov	edi, [esp+0D0h+var_B4]
		mov	edx, [esp+0D0h+var_B0]
		mov	ecx, [esp+0D0h+var_B8]
		jmp	loc_7FA877
; 

loc_7FA94D:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+65j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [esp+0D0h+var_B4]
		push	1
		push	edi
		call	ExAcquireResourceSharedLite
		lea	ecx, [edi+38h]
		call	ExAcquireFastMutex
		test	byte ptr [edi+7Ch], 2
		jnz	loc_9134EE
		lea	eax, [edi+68h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_7FA9F7
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		mov	[eax+4], ebx
		inc	dword ptr [edi+78h]
		lock inc dword ptr [ebx+70h]

loc_7FA994:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+118DF9j
		lea	ecx, [edi+38h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	esi, esi
		jns	loc_7FA769
		jmp	loc_7FA826
; 

loc_7FA9A9:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+13Cj
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_7FA83C
; 

loc_7FA9C1:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+195j
		cmp	esi, 0C0000001h
		jnz	loc_7FA80C
		mov	eax, [esp+0D0h+var_B4]
		mov	edx, offset _PiDqEnumQueryObjectsCallback@12 ; PiDqEnumQueryObjectsCallback(x,x,x)
		push	ebx
		mov	ecx, [eax+80h]
		call	_PiDmEnumObjectsWithCallback@12	; PiDmEnumObjectsWithCallback(x,x,x)
		mov	esi, eax
		jmp	loc_7FA7DE
; 

loc_7FA9E9:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+1AFj
		cmp	eax, 12h
		jnz	short loc_7FA9FC
		mov	eax, [esp+0D0h+var_78]
		jmp	loc_7FA8CB
; 

loc_7FA9F7:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+287j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_7FA9FC:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+2F2j
		mov	eax, [esp+0D0h+var_A4]
		jmp	loc_7FA8CB
PiDqObjectManagerEnumerateAndRegisterQuery endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqIrpComplete	proc near		; CODE XREF: PiDqIrpQueryGetResult+19Ep
					; PiDqIrpQueryCreate+1E9p ...

var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	10h
		push	offset dword_6A5378
		call	__SEH_prolog4
		mov	[ebp+var_20], ecx
		mov	eax, [ecx+60h]
		test	edx, edx
		js	short loc_7FAA68
		cmp	dword ptr [eax+0Ch], (offset loc_470002+5)
		jz	short loc_7FAA51
		mov	esi, [ebp+arg_4]
		mov	edi, [ecx+0Ch]
		movsd
		movsd
		movsd
		movsd

loc_7FAA2F:				; CODE XREF: PiDqIrpComplete+60j
					; sub_913641+10j
		mov	eax, [ebp+arg_0]

loc_7FAA32:				; CODE XREF: PiDqIrpComplete+64j
		mov	[ecx+1Ch], eax
		mov	[ecx+18h], edx
		xor	dl, dl
		call	IofCompleteRequest
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7FAA51:				; CODE XREF: PiDqIrpComplete+1Dj
		and	[ebp+ms_exc.disabled], 0
		mov	esi, [ebp+arg_4]
		mov	edi, [ecx+3Ch]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_7FAA2F
; 

loc_7FAA68:				; CODE XREF: PiDqIrpComplete+14j
		xor	eax, eax
		jmp	short loc_7FAA32
PiDqIrpComplete	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDaDispatch	proc near		; DATA XREF: PiDaDriverEntry+10o

var_8		= dword	ptr -8
var_2		= word ptr -2
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00913656 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	eax, [ecx+60h]
		cmp	byte ptr [eax],	0
		mov	esi, [eax+18h]
		jz	short loc_7FAAA8
		mov	eax, [esi+0Ch]
		cmp	eax, 5
		jnb	loc_913656

loc_7FAA90:				; CODE XREF: PiDaDispatch+94j
		imul	eax, 0Ch
		push	ecx
		push	[ebp+arg_0]
		call	ds:off_403F14[eax]
		mov	esi, eax

loc_7FAA9F:				; CODE XREF: PiDaDispatch+118BF9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7FAAA8:				; CODE XREF: PiDaDispatch+16j
		mov	edx, [esi+34h]
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	short loc_7FAB0E
		xor	eax, eax
		xor	edi, edi

loc_7FAAB6:				; CODE XREF: PiDaDispatch+A0j
		mov	ebx, edx
		mov	edx, ds:_IrpHandlingTable[edi]

loc_7FAABE:				; CODE XREF: PiDaDispatch+84j
		mov	cx, [edx]
		cmp	cx, [ebx]
		mov	[ebp+var_2], cx
		mov	ecx, [ebp+arg_4]
		jnz	short loc_7FAB18
		cmp	[ebp+var_2], 0
		jz	short loc_7FAAF2
		mov	cx, [edx+2]
		cmp	cx, [ebx+2]
		mov	[ebp+var_2], cx
		mov	ecx, [ebp+arg_4]
		jnz	short loc_7FAB18
		add	edx, 4
		add	ebx, 4
		cmp	[ebp+var_2], 0
		jnz	short loc_7FAABE

loc_7FAAF2:				; CODE XREF: PiDaDispatch+66j
		xor	edx, edx

loc_7FAAF4:				; CODE XREF: PiDaDispatch+B1j
		test	edx, edx
		jnz	short loc_7FAB02
		cmp	eax, 0FFFFFFFFh
		jz	short loc_7FAB0E
		mov	[esi+0Ch], eax
		jmp	short loc_7FAA90
; 

loc_7FAB02:				; CODE XREF: PiDaDispatch+8Aj
		mov	edx, [ebp+var_8]
		add	edi, 0Ch
		inc	eax
		cmp	edi, 3Ch
		jb	short loc_7FAAB6

loc_7FAB0E:				; CODE XREF: PiDaDispatch+44j
					; PiDaDispatch+8Fj
		mov	esi, 0C000000Dh
		jmp	loc_91365B
; 

loc_7FAB18:				; CODE XREF: PiDaDispatch+5Fj
					; PiDaDispatch+77j
		sbb	edx, edx
		or	edx, 1
		jmp	short loc_7FAAF4
PiDaDispatch	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqDispatch	proc near		; CODE XREF: PiDaDispatch+2Bp
					; DATA XREF: .text:off_403F14o	...

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0091366A SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ecx, [edi+60h]
		mov	esi, [edi+18h]
		mov	[ebp+var_4], ecx
		mov	edx, [ecx+18h]
		lea	eax, [edx+10h]
		mov	ebx, [eax]
		mov	[ebp+arg_4], eax
		movzx	eax, byte ptr [ecx]
		sub	eax, 0
		jz	short loc_7FAB9C
		dec	eax
		sub	eax, 1
		jz	short loc_7FAB70
		sub	eax, 0Ch
		jnz	loc_7FABEB
		mov	eax, [ecx+0Ch]
		cmp	eax, (offset loc_46FFFF+1)
		jnz	loc_7FACA1
		mov	ecx, edi
		call	PiDqIrpQueryCreate

loc_7FAB6C:				; CODE XREF: PiDqDispatch+19Aj
					; PiDqDispatch+20Aj
		mov	esi, eax
		jmp	short loc_7FAB93
; 

loc_7FAB70:				; CODE XREF: PiDqDispatch+2Cj
		test	ebx, ebx
		jz	short loc_7FAB85
		mov	ecx, ebx
		call	PiDqQueryRelease
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+18h]
		and	dword ptr [eax+10h], 0

loc_7FAB85:				; CODE XREF: PiDqDispatch+52j
					; PiDqDispatch+D2j ...
		xor	esi, esi
		and	[edi+18h], esi

loc_7FAB8A:				; CODE XREF: PiDqDispatch+C9j
		xor	dl, dl
		mov	ecx, edi
		call	IofCompleteRequest

loc_7FAB93:				; CODE XREF: PiDqDispatch+4Ej
					; PiDqDispatch+CEj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7FAB9C:				; CODE XREF: PiDqDispatch+26j
		mov	ecx, [edx+34h]
		xor	esi, esi
		mov	edx, ecx
		mov	eax, offset ??_C@_1BG@FHMIEFJA@?$AA?2?$AAD?$AAe?$AAv?$AA?2?$AAQ?$AAu?$AAe?$AAr?$AAy@NNGAKEGL@ ;	"\\Dev\\Query"

loc_7FABA8:				; CODE XREF: PiDqDispatch+B0j
		mov	bx, [eax]
		cmp	bx, [edx]
		jnz	loc_7FACD3
		test	bx, bx
		jz	short loc_7FABD2
		mov	bx, [eax+2]
		cmp	bx, [edx+2]
		jnz	loc_7FACD3
		add	eax, 4
		add	edx, 4
		test	bx, bx
		jnz	short loc_7FABA8

loc_7FABD2:				; CODE XREF: PiDqDispatch+97j
		xor	eax, eax

loc_7FABD4:				; CODE XREF: PiDqDispatch+1B8j
		test	eax, eax
		jnz	loc_7FACDD
		mov	edx, [ebp+arg_4]
		call	PiDqQueryCreate
		mov	esi, eax

loc_7FABE6:				; CODE XREF: PiDqDispatch+1F3j
					; PiDqDispatch+118B4Fj	...
		mov	[edi+18h], esi
		jmp	short loc_7FAB8A
; 

loc_7FABEB:				; CODE XREF: PiDqDispatch+31j
		sub	eax, 4
		jnz	short loc_7FAB93
		test	ebx, ebx
		jz	short loc_7FAB85
		mov	[ebp+arg_4], eax
		xor	esi, esi
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [ebx+20h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		test	byte ptr [ebx+74h], 4
		jz	short loc_7FAC21
		mov	ecx, ebx
		call	PiDqQueryGetObjectManager
		mov	[ebp+arg_4], eax

loc_7FAC21:				; CODE XREF: PiDqDispatch+F5j
		xor	edx, edx
		lea	ecx, [ebx+20h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_7FAC47
		mov	edx, ebx
		mov	ecx, eax
		call	_PiDqObjectManagerUnregisterQuery@8 ; PiDqObjectManagerUnregisterQuery(x,x)

loc_7FAC47:				; CODE XREF: PiDqDispatch+11Cj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [ebx+20h]
		call	ExAcquirePushLockExclusiveEx
		or	dword ptr [ebx+74h], 8
		mov	eax, [ebx+5Ch]
		test	eax, eax
		jnz	short loc_7FACBF

loc_7FAC6A:				; CODE XREF: PiDqDispatch+1A8j
					; PiDqDispatch+1B1j
		xor	edx, edx
		lea	ecx, [ebx+20h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		jz	loc_7FAB85
		and	dword ptr [esi+1Ch], 0
		xor	dl, dl
		mov	ecx, esi
		mov	dword ptr [esi+18h], 0C0000120h
		call	IofCompleteRequest
		jmp	loc_7FAB85
; 

loc_7FACA1:				; CODE XREF: PiDqDispatch+3Fj
		cmp	eax, (offset loc_470002+4)
		jbe	loc_91366A
		cmp	eax, offset loc_470008
		ja	short loc_7FAD18
		mov	ecx, edi
		call	PiDqIrpQueryGetResult
		jmp	loc_7FAB6C
; 

loc_7FACBF:				; CODE XREF: PiDqDispatch+148j
		xor	ecx, ecx
		add	eax, 38h
		xchg	ecx, [eax]
		test	ecx, ecx
		jz	short loc_7FAC6A
		mov	esi, [ebx+5Ch]
		and	dword ptr [ebx+5Ch], 0
		jmp	short loc_7FAC6A
; 

loc_7FACD3:				; CODE XREF: PiDqDispatch+8Ej
					; PiDqDispatch+A1j
		sbb	eax, eax
		or	eax, 1
		jmp	loc_7FABD4
; 

loc_7FACDD:				; CODE XREF: PiDqDispatch+B6j
		mov	eax, offset ??_C@_1BK@CEGKAJBG@?$AA?2?$AAD?$AAe?$AAv?$AA?2?$AAN?$AAo?$AAS?$AAt?$AAa?$AAt?$AAe@NNGAKEGL@	; "\\Dev\\NoState"

loc_7FACE2:				; CODE XREF: PiDqDispatch+1E2j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_7FAD2F
		test	dx, dx
		jz	short loc_7FAD04
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_7FAD2F
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_7FACE2

loc_7FAD04:				; CODE XREF: PiDqDispatch+1CDj
		xor	eax, eax

loc_7FAD06:				; CODE XREF: PiDqDispatch+214j
		test	eax, eax
		jnz	loc_913674
		mov	eax, [ebp+arg_4]
		and	[eax], esi
		jmp	loc_7FABE6
; 

loc_7FAD18:				; CODE XREF: PiDqDispatch+191j
		cmp	eax, (offset loc_47000B+1)
		jnz	loc_91366A
		mov	ecx, edi
		call	PiDqIrpPropertySet
		jmp	loc_7FAB6C
; 

loc_7FAD2F:				; CODE XREF: PiDqDispatch+1C8j
					; PiDqDispatch+1D7j
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_7FAD06
PiDqDispatch	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUEventDispatch proc near		; DATA XREF: .text:00403F44o

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0091367E SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [esi+18h]
		mov	ebx, [esi+60h]
		test	edi, edi
		js	short loc_7FAD68
		movzx	eax, byte ptr [ebx]
		xor	edx, edx
		sub	eax, edx
		jz	short loc_7FAD71
		dec	eax
		sub	eax, 1
		jz	short loc_7FAD8F
		mov	ecx, esi
		sub	eax, 0Ch
		jnz	short loc_7FAD85
		call	PiUEventHandleIoctl
		mov	edi, eax

loc_7FAD68:				; CODE XREF: PiUEventDispatch+13j
					; PiUEventDispatch+4Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7FAD71:				; CODE XREF: PiUEventDispatch+1Cj
		mov	eax, [ebx+18h]
		mov	[eax+10h], edx

loc_7FAD77:				; CODE XREF: PiUEventDispatch+74j
		mov	ecx, esi

loc_7FAD79:				; CODE XREF: PiUEventDispatch+52j
		mov	[esi+18h], edx

loc_7FAD7C:				; CODE XREF: PiUEventDispatch+118950j
		xor	dl, dl
		call	IofCompleteRequest
		jmp	short loc_7FAD68
; 

loc_7FAD85:				; CODE XREF: PiUEventDispatch+29j
		sub	eax, 4
		jz	short loc_7FAD79
		jmp	loc_91367E
; 

loc_7FAD8F:				; CODE XREF: PiUEventDispatch+22j
		mov	eax, [ebx+18h]
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_7FADA8
		mov	dl, 1
		call	PiUEventFreeClientRegistrationContext
		mov	eax, [ebx+18h]
		xor	edx, edx
		mov	[eax+10h], edx

loc_7FADA8:				; CODE XREF: PiUEventDispatch+61j
		mov	edi, edx
		jmp	short loc_7FAD77
PiUEventDispatch endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqQueryCreate	proc near		; CODE XREF: PiDqDispatch+BFp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0091368B SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		push	58706E50h
		mov	ebx, 80h
		mov	[ebp+var_10], edx
		push	ebx
		push	200h
		xor	edi, edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], esi
		test	esi, esi
		jz	loc_91368B
		push	ebx		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [esi+70h], 1

loc_7FADF0:				; CODE XREF: PiDqQueryCreate+6Dj
					; PiDqQueryCreate+74j
		mov	eax, _PiDqSequenceNumber
		mov	esi, offset _PiDqSequenceNumber
		mov	edx, dword_6CBA8C
		mov	ebx, eax
		add	ebx, 1
		mov	[ebp+var_4], eax
		mov	ecx, edx
		mov	[ebp+var_8], edx
		adc	ecx, edi
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+var_4]
		cmp	eax, ecx
		jnz	short loc_7FADF0
		mov	eax, [ebp+var_8]
		cmp	edx, eax
		jnz	short loc_7FADF0
		mov	esi, [ebp+var_C]
		add	ecx, 1
		push	edi		; int
		push	offset _PiDqFreeGenericTableEntry@8 ; int
		adc	eax, edi
		push	offset _PiDqAllocateGenericTableEntry@8	; int
		mov	[esi+7Ch], eax
		lea	eax, [esi+24h]
		push	offset _PiDqCompareAddresses@12	; int
		push	eax		; void *
		mov	[esi+78h], ecx
		mov	[esi+20h], edi
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		mov	ecx, large fs:124h
		lea	eax, [esi+64h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+10h]
		push	eax
		push	dword ptr [ecx+80h]
		mov	ecx, large fs:124h
		push	ecx
		call	SeCaptureSubjectContextEx
		mov	eax, [ebp+var_10]
		mov	[eax], esi

loc_7FAE77:				; CODE XREF: PiDqQueryCreate+1188E4j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PiDqQueryCreate	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqIrpQueryCreate proc	near		; CODE XREF: PiDqDispatch+47p

var_8C		= dword	ptr -8Ch
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 00913695 SIZE 00000032 BYTES
; FUNCTION CHUNK AT 00913701 SIZE 0000031D BYTES

		push	7Ch
		push	offset dword_6A5398
		call	__SEH_prolog4_GS
		mov	[ebp+var_68], ecx
		mov	eax, [ecx+60h]
		mov	[ebp+var_58], eax
		mov	[ebp+var_40], eax
		mov	eax, [eax+18h]
		mov	esi, [eax+10h]
		mov	[ebp+var_60], esi
		mov	[ebp+var_4C], esi
		xor	ebx, ebx
		mov	[ebp+var_35], bl
		mov	[ebp+var_74], ebx
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_36], bl
		mov	[ebp+var_64], ebx
		mov	[ebp+var_70], ebx
		xor	eax, eax
		lea	edi, [ebp+var_8C]
		stosd
		stosd
		stosd
		stosd
		test	esi, esi
		jz	loc_913695
		mov	edi, ecx
		cmp	[edi+0Ch], ebx
		jz	loc_91369F
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+20h]
		mov	[ebp+var_7C], ecx
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+74h]
		test	al, 8
		jnz	loc_9136A9
		test	al, 10h
		jnz	loc_9136B3
		or	eax, 10h
		mov	[esi+74h], eax
		mov	[ebp+var_35], 1
		test	al, 4
		jnz	loc_9136B3
		mov	ecx, [ebp+var_58]
		cmp	dword ptr [ecx+4], 10h
		jb	loc_9136BD
		lea	eax, [esi+8]
		push	eax		; pHandle
		push	dword ptr [ecx+8] ; BufferSize
		push	dword ptr [edi+0Ch] ; pBuffer
		call	ds:__imp__MesDecodeBufferHandleCreate@12 ; MesDecodeBufferHandleCreate(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7FAFC4
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [esi+8]
		lea	ecx, [esi+0Ch]
		mov	[ebp+var_3C], ecx
		push	ecx
		push	offset dword_4077E4
		push	offset off_4016D8
		push	(offset	loc_4077CB+1)
		push	eax
		call	ds:__imp__NdrMesTypeDecode2@20 ; NdrMesTypeDecode2(x,x,x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [esi+0Ch]

loc_7FAF6F:				; CODE XREF: sub_9136D9+23j
		test	edi, edi
		js	short loc_7FAFC4
		mov	ecx, [eax]
		call	PiDqQueryValidateQueryData
		mov	edi, eax
		mov	[ebp+var_5C], edi
		test	edi, edi
		js	short loc_7FAFC4
		mov	esi, [ebp+var_3C]
		mov	ecx, [esi]	; Source2
		call	_PnpIsNullGuid@4 ; PnpIsNullGuid(x)
		test	al, al
		jnz	short loc_7FAFB0
		mov	esi, [esi]
		lea	edi, [ebp+var_2C]
		movsd
		movsd
		movsd
		movsd
		lea	eax, [ebp+var_2C]
		push	eax
		call	_IoSetActivityIdThread@4 ; IoSetActivityIdThread(x)
		mov	[ebp+var_74], eax
		mov	[ebp+var_36], 1
		mov	edi, [ebp+var_5C]
		mov	esi, [ebp+var_3C]

loc_7FAFB0:				; CODE XREF: PiDqIrpQueryCreate+111j
		test	byte_6CD8BA, 40h
		jnz	loc_913701

loc_7FAFBD:				; CODE XREF: PiDqIrpQueryCreate+118B8Ej
					; PiDqIrpQueryCreate+118B9Bj
		mov	esi, [ebp+var_60]
		or	dword ptr [esi+74h], 4

loc_7FAFC4:				; CODE XREF: PiDqIrpQueryCreate+BEj
					; PiDqIrpQueryCreate+F3j ...
		xor	edx, edx
		mov	ecx, [ebp+var_7C]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	edi, edi
		js	short loc_7FB005
		mov	eax, [ebp+var_58]
		mov	eax, [eax+4]
		cmp	eax, 10h
		jbe	loc_7FB08C
		lea	ecx, [ebp+var_70]
		push	ecx
		lea	ecx, [ebp+var_64]
		push	ecx
		push	eax
		mov	edx, [ebp+var_68]
		mov	edx, [edx+0Ch]
		mov	ecx, esi
		call	PiDqQuerySerializeActionQueue
		mov	edi, eax

loc_7FB005:				; CODE XREF: PiDqIrpQueryCreate+15Ej
					; PiDqIrpQueryCreate+215j ...
		cmp	[ebp+var_35], 0
		jz	short loc_7FB058
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+20h]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, esi
		test	edi, edi
		js	short loc_7FB098
		lea	eax, [ebp+var_8C]
		push	eax
		push	[ebp+var_70]
		mov	eax, [ebp+var_58]
		mov	edx, [eax+4]
		call	_PiDqQueryGetNextIoctlInfo@16 ;	PiDqQueryGetNextIoctlInfo(x,x,x,x)

loc_7FB03E:				; CODE XREF: PiDqIrpQueryCreate+223j
		and	dword ptr [esi+74h], 0FFFFFFEFh
		xor	edx, edx
		lea	ecx, [esi+20h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_7FB058:				; CODE XREF: PiDqIrpQueryCreate+18Bj
		lea	eax, [ebp+var_8C]
		push	eax
		push	[ebp+var_64]
		mov	edx, edi
		mov	ecx, [ebp+var_68]
		call	PiDqIrpComplete
		cmp	[ebp+var_36], 0
		jz	short loc_7FB07A
		push	[ebp+var_74]
		call	_IoClearActivityIdThread@4 ; IoClearActivityIdThread(x)

loc_7FB07A:				; CODE XREF: PiDqIrpQueryCreate+1F2j
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7FB08C:				; CODE XREF: PiDqIrpQueryCreate+169j
		mov	[ebp+var_64], 10h
		jmp	loc_7FB005
; 

loc_7FB098:				; CODE XREF: PiDqIrpQueryCreate+1A9j
		or	dword ptr [esi+74h], 1
		call	PiDqQueryFreeActiveData
		jmp	short loc_7FB03E
PiDqIrpQueryCreate endp

; 
		align 4

;  S U B	R O U T	I N E 


PiDqQueryValidateQueryData proc	near	; CODE XREF: PiDqIrpQueryCreate+F7p

; FUNCTION CHUNK AT 00913A1E SIZE 00000042 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	loc_7FB1B1
		mov	ecx, [esi+10h]
		call	PiDqGetPnpObjectType
		test	eax, eax
		jz	loc_7FB1B1
		mov	ebx, [esi+20h]
		xor	edi, edi
		test	bl, 2
		jnz	loc_7FB1B8

loc_7FB0D1:				; CODE XREF: PiDqQueryValidateQueryData+117j
		mov	eax, [esi+14h]
		sub	eax, 1
		jnz	loc_7FB185
		cmp	[esi+18h], edi
		jz	loc_7FB1B1

loc_7FB0E6:				; CODE XREF: PiDqQueryValidateQueryData+E4j
					; PiDqQueryValidateQueryData+11898Dj
		test	ebx, 0FFFFFFF8h
		jnz	loc_7FB1B1
		test	bl, 4
		jnz	short loc_7FB174
		cmp	[esi+28h], edi
		jnz	loc_7FB1B1
		cmp	[esi+24h], edi
		jnz	loc_7FB1B1

loc_7FB109:				; CODE XREF: PiDqQueryValidateQueryData+DDj
		mov	eax, [esi+30h]
		test	eax, eax
		jz	loc_7FB19E

loc_7FB114:				; CODE XREF: PiDqQueryValidateQueryData+FDj
		mov	ecx, [esi+2Ch]
		test	ecx, ecx
		jz	loc_7FB1A9

loc_7FB11F:				; CODE XREF: PiDqQueryValidateQueryData+107j
		mov	edx, edi
		test	ecx, ecx
		jz	short loc_7FB138
		add	eax, 18h

loc_7FB128:				; CODE XREF: PiDqQueryValidateQueryData+92j
		cmp	[eax], edi
		jnz	loc_7FB1B1
		inc	edx
		add	eax, 1Ch
		cmp	edx, ecx
		jb	short loc_7FB128

loc_7FB138:				; CODE XREF: PiDqQueryValidateQueryData+7Fj
		mov	edx, [esi+38h]
		test	edx, edx
		jnz	short loc_7FB144
		cmp	[esi+34h], edi
		jnz	short loc_7FB1B1

loc_7FB144:				; CODE XREF: PiDqQueryValidateQueryData+99j
		mov	ecx, [esi+34h]
		test	ecx, ecx
		jnz	short loc_7FB14F
		test	edx, edx
		jnz	short loc_7FB1B1

loc_7FB14F:				; CODE XREF: PiDqQueryValidateQueryData+A5j
		test	edx, edx
		jnz	short loc_7FB193

loc_7FB153:				; CODE XREF: PiDqQueryValidateQueryData+F6j
		mov	eax, [esi+40h]
		test	eax, eax
		jnz	short loc_7FB15F
		cmp	[esi+3Ch], edi
		jnz	short loc_7FB1B1

loc_7FB15F:				; CODE XREF: PiDqQueryValidateQueryData+B4j
		mov	ecx, [esi+3Ch]
		test	ecx, ecx
		jnz	short loc_7FB1C3
		test	eax, eax
		jnz	short loc_7FB1B1
		test	ecx, ecx
		jnz	short loc_7FB1C3

loc_7FB16E:				; CODE XREF: PiDqQueryValidateQueryData+1189B7j
		xor	eax, eax

loc_7FB170:				; CODE XREF: PiDqQueryValidateQueryData+112j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_7FB174:				; CODE XREF: PiDqQueryValidateQueryData+51j
		mov	edx, [esi+24h]
		mov	ecx, [esi+28h]
		call	_PnpValidateMultiSz@8 ;	PnpValidateMultiSz(x,x)
		test	eax, eax
		jns	short loc_7FB109
		jmp	short loc_7FB1B1
; 

loc_7FB185:				; CODE XREF: PiDqQueryValidateQueryData+33j
		sub	eax, 1
		jnz	loc_7FB0E6
		jmp	loc_913A1E
; 

loc_7FB193:				; CODE XREF: PiDqQueryValidateQueryData+ADj
		call	_ValidFilter@8	; ValidFilter(x,x)
		test	eax, eax
		jnz	short loc_7FB153
		jmp	short loc_7FB1B1
; 

loc_7FB19E:				; CODE XREF: PiDqQueryValidateQueryData+6Aj
		cmp	[esi+2Ch], edi
		jz	loc_7FB114
		jmp	short loc_7FB1B1
; 

loc_7FB1A9:				; CODE XREF: PiDqQueryValidateQueryData+75j
		test	eax, eax
		jz	loc_7FB11F

loc_7FB1B1:				; CODE XREF: PiDqQueryValidateQueryData+9j
					; PiDqQueryValidateQueryData+19j ...
		mov	eax, 0C000000Dh
		jmp	short loc_7FB170
; 

loc_7FB1B8:				; CODE XREF: PiDqQueryValidateQueryData+27j
		cmp	[esi+2Ch], edi
		jbe	loc_7FB0D1
		jmp	short loc_7FB1B1
; 

loc_7FB1C3:				; CODE XREF: PiDqQueryValidateQueryData+C0j
					; PiDqQueryValidateQueryData+C8j
		xor	ebx, ebx
		jmp	loc_913A36
PiDqQueryValidateQueryData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FilterEvalImpliedAnd proc near		; CODE XREF: FilterEval(x,x,x,x,x):loc_7FD716p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00913A60 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		mov	[ebp+var_14], edx
		inc	eax
		mov	[ebp+var_18], ecx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, ebx
		mov	[ebp+var_C], ebx
		push	edi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	[eax], ebx
		cmp	[ebp+arg_0], ebx
		jbe	short loc_7FB264
		mov	edi, [ebp+arg_4]
		add	edi, 24h

loc_7FB1FE:				; CODE XREF: FilterEvalImpliedAnd+92j
		test	dword ptr [edi-24h], 0FF00000h
		jnz	loc_913A60
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [edi-20h]
		push	eax
		push	edx
		call	ecx
		mov	esi, eax
		cmp	esi, 0C0000225h
		jz	short loc_7FB271
		test	esi, esi
		jnz	short loc_7FB25E
		push	[ebp+arg_8]	; int
		mov	edx, [ebp+var_8]
		push	dword ptr [edi]	; int
		mov	ecx, [ebp+var_C]
		push	dword ptr [edi+4] ; wchar_t *
		push	dword ptr [edi-4] ; int
		push	dword ptr [edi-24h] ; int
		push	[ebp+var_4]	; int
		call	PropertyEval
		mov	eax, [ebp+arg_8]
		cmp	[eax], esi
		jz	short loc_7FB26D

loc_7FB24F:				; CODE XREF: FilterEvalImpliedAnd+ACj
		mov	edx, [ebp+var_14]
		inc	ebx
		mov	ecx, [ebp+var_18]
		add	edi, 2Ch
		cmp	ebx, [ebp+arg_0]
		jb	short loc_7FB1FE

loc_7FB25E:				; CODE XREF: FilterEvalImpliedAnd+60j
					; FilterEvalImpliedAnd+11889Bj
		cmp	[ebp+var_10], 0
		jz	short loc_7FB278

loc_7FB264:				; CODE XREF: FilterEvalImpliedAnd+2Cj
					; FilterEvalImpliedAnd+B0j ...
		mov	eax, esi

loc_7FB266:				; CODE XREF: FilterEvalImpliedAnd+A5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7FB26D:				; CODE XREF: FilterEvalImpliedAnd+83j
		xor	eax, eax
		jmp	short loc_7FB266
; 

loc_7FB271:				; CODE XREF: FilterEvalImpliedAnd+5Cj
		xor	esi, esi
		and	[ebp+var_10], esi
		jmp	short loc_7FB24F
; 

loc_7FB278:				; CODE XREF: FilterEvalImpliedAnd+98j
		test	esi, esi
		jnz	short loc_7FB264
		mov	esi, 0C0000001h
		jmp	short loc_7FB264
FilterEvalImpliedAnd endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMCaptureInterfaceListInputData proc near ; CODE XREF: PiCMGetDeviceInterfaceList+48p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00913A7E SIZE 0000009A BYTES

		push	18h
		push	offset dword_6A53B8
		call	__SEH_prolog4
		mov	esi, edx
		mov	edx, ecx
		and	[ebp+var_20], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		test	edx, edx
		jz	loc_913B0B
		test	esi, esi
		jz	loc_913B0B
		and	[ebp+ms_exc.disabled], ebx
		test	dl, 3
		jnz	short loc_7FB33A
		lea	ecx, [edx+esi]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_7FB33F
		cmp	ecx, edx
		jb	short loc_7FB33F

loc_7FB2D4:				; CODE XREF: PiCMCaptureInterfaceListInputData+BEj
		cmp	esi, 24h
		jb	short loc_7FB344
		push	9
		pop	ecx
		mov	esi, edx
		mov	eax, [ebp+arg_4]
		mov	edi, eax
		rep movsd
		cmp	dword ptr [eax], 24h
		jnz	short loc_7FB344

loc_7FB2EA:				; CODE XREF: PiCMCaptureInterfaceListInputData+1187FDj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+arg_4]
		test	ebx, ebx
		js	loc_913AE2
		lea	edi, [esi+18h]
		mov	eax, [edi]
		and	dword ptr [edi], 0
		test	eax, eax
		jnz	loc_913A86

loc_7FB30C:				; CODE XREF: PiCMCaptureInterfaceListInputData+118849j
		cmp	dword ptr [esi+1Ch], 0
		ja	loc_913ADD
		test	eax, eax
		jnz	loc_913AD3

loc_7FB31E:				; CODE XREF: PiCMCaptureInterfaceListInputData+118836j
					; PiCMCaptureInterfaceListInputData+118842j ...
		test	ebx, ebx
		js	loc_913AE2

loc_7FB326:				; CODE XREF: PiCMCaptureInterfaceListInputData+118882j
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7FB33A:				; CODE XREF: PiCMCaptureInterfaceListInputData+3Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7FB33F:				; CODE XREF: PiCMCaptureInterfaceListInputData+4Aj
					; PiCMCaptureInterfaceListInputData+4Ej
		mov	byte ptr [eax],	0
		jmp	short loc_7FB2D4
; 

loc_7FB344:				; CODE XREF: PiCMCaptureInterfaceListInputData+53j
					; PiCMCaptureInterfaceListInputData+64j
		mov	ebx, 0C000000Dh
		jmp	loc_913A7E
PiCMCaptureInterfaceListInputData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMGetDeviceInterfaceList proc	near	; CODE XREF: PiCMHandleIoctl+87p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00913B18 SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		push	9
		mov	esi, ecx
		mov	[ebp+var_34], eax
		pop	ecx
		xor	eax, eax
		and	[ebp+var_44], 0
		and	[ebx], eax
		lea	edi, [ebp+var_28]
		and	[ebp+var_40], 0
		rep stosd
		lea	eax, [ebp+var_28]
		mov	[ebp+var_3C], ebx
		xor	ebx, ebx
		push	eax
		push	ecx
		mov	edi, ebx
		mov	[ebp+var_2C], ebx
		mov	ecx, esi
		mov	[ebp+var_30], edi
		call	PiCMCaptureInterfaceListInputData
		mov	esi, eax
		test	esi, esi
		js	loc_7FB467
		test	byte_6CD8BB, 2
		mov	edx, [ebp+var_10]
		mov	ebx, [ebp+var_24]
		mov	[ebp+var_38], edx
		jnz	loc_913B18

loc_7FB3BB:				; CODE XREF: PiCMGetDeviceInterfaceList+1187E1j
		cmp	[ebp+var_34], edi
		jz	loc_913B48
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 14h
		jb	loc_913B48
		lea	eax, [ecx-14h]
		mov	[ebp+var_38], eax
		test	ebx, 0FFFE0000h
		jnz	loc_913B34
		test	bx, bx
		jnz	loc_913B3E

loc_7FB3EB:				; CODE XREF: PiCMGetDeviceInterfaceList+1187F5j
		test	esi, esi
		js	loc_7FB49B
		push	edx
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7FB498
		movzx	edx, word ptr [ebp+var_44]
		lea	eax, [ebp+var_44]
		shr	ebx, 10h
		lea	ecx, [ebp+var_20] ; int
		not	ebx
		and	ebx, 1
		neg	edx
		sbb	edx, edx
		and	edx, eax	; int
		lea	eax, [ebp+var_2C]
		push	eax		; int
		lea	eax, [ebp+var_30]
		push	eax		; int
		push	1		; char
		push	ebx		; int
		call	IopGetDeviceInterfaces
		mov	edi, [ebp+var_30]
		mov	esi, eax
		mov	eax, [ebp+var_2C]
		cmp	[ebp+var_38], eax
		jb	short loc_7FB491

loc_7FB43C:				; CODE XREF: PiCMGetDeviceInterfaceList+148j
					; PiCMGetDeviceInterfaceList+118802j
		test	esi, esi
		js	short loc_7FB498
		push	[ebp+var_3C]	; int
		xor	ebx, ebx
		mov	edx, eax
		push	[ebp+arg_4]	; int
		push	[ebp+var_34]	; int
		push	[ebp+var_8]	; int
		push	eax		; size_t
		push	edi		; void *

loc_7FB452:				; CODE XREF: PiCMGetDeviceInterfaceList+15Ej
		push	ebx		; int
		mov	ecx, esi
		call	PiCMReturnBufferResultData
		mov	esi, eax
		test	edi, edi
		jz	short loc_7FB467
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7FB467:				; CODE XREF: PiCMGetDeviceInterfaceList+51j
					; PiCMGetDeviceInterfaceList+110j
		cmp	[ebp+var_10], 0
		jnz	loc_913B55

loc_7FB471:				; CODE XREF: PiCMGetDeviceInterfaceList+118814j
					; PiCMGetDeviceInterfaceList+118823j
		test	byte_6CD8BB, 2
		jnz	loc_913B76

loc_7FB47E:				; CODE XREF: PiCMGetDeviceInterfaceList+118834j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_7FB491:				; CODE XREF: PiCMGetDeviceInterfaceList+ECj
		mov	esi, 0C0000023h
		jmp	short loc_7FB43C
; 

loc_7FB498:				; CODE XREF: PiCMGetDeviceInterfaceList+B3j
					; PiCMGetDeviceInterfaceList+F0j
		mov	ecx, [ebp+arg_4]

loc_7FB49B:				; CODE XREF: PiCMGetDeviceInterfaceList+9Fj
					; PiCMGetDeviceInterfaceList+1187EBj
		push	[ebp+var_3C]
		mov	edx, [ebp+var_2C]
		xor	ebx, ebx
		push	ecx
		push	[ebp+var_34]
		push	[ebp+var_8]
		push	ebx
		push	ebx
		jmp	short loc_7FB452
PiCMGetDeviceInterfaceList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDeviceStatus(x, x, x,	x, x, x, x)
__CmGetDeviceStatus@28 proc near	; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+7AFp
					; PiCMValidateDeviceInstance+12Fp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		push	edi
		push	edx
		mov	[ebp+var_10], edx
		mov	[esi], ebx
		mov	[eax], ebx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[eax], ebx
		lea	eax, [ebp+var_18]
		push	eax
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_C], ebx
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7FB565
		push	ecx
		push	[ebp+arg_C]
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_18]
		push	[ebp+arg_8]
		push	esi
		call	__NtPlugPlayGetDeviceStatus@24 ; _NtPlugPlayGetDeviceStatus(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7FB565
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_8]
		push	ebx
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+arg_C], 4
		push	eax
		lea	eax, [ebp+arg_4]
		push	eax
		push	0Bh
		push	[ebp+arg_0]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_7FB53C
		cmp	[ebp+arg_C], 4
		jb	short loc_7FB53C
		cmp	[ebp+arg_4], 4
		jnz	short loc_7FB53C
		mov	ebx, [ebp+var_C]

loc_7FB53C:				; CODE XREF: _CmGetDeviceStatus(x,x,x,x,x,x,x)+7Dj
					; _CmGetDeviceStatus(x,x,x,x,x,x,x)+83j ...
		mov	edx, [esi]
		test	bl, 4
		jnz	short loc_7FB56E

loc_7FB543:				; CODE XREF: _CmGetDeviceStatus(x,x,x,x,x,x,x)+C5j
		bt	edx, 0Ah
		setnb	cl
		test	bl, 40h
		setnz	al
		test	cl, al
		jz	short loc_7FB565
		mov	eax, [ebp+arg_8]
		or	edx, 400h
		mov	[esi], edx
		mov	dword ptr [eax], 1Ch

loc_7FB565:				; CODE XREF: _CmGetDeviceStatus(x,x,x,x,x,x,x)+3Cj
					; _CmGetDeviceStatus(x,x,x,x,x,x,x)+55j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7FB56E:				; CODE XREF: _CmGetDeviceStatus(x,x,x,x,x,x,x)+93j
		or	edx, 10h
		mov	[esi], edx
		jmp	short loc_7FB543
__CmGetDeviceStatus@28 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	DrvDbGetDriverInfFileMappedProperty(int,void *,int,int,int,int)
DrvDbGetDriverInfFileMappedProperty proc near ;	CODE XREF: DrvDbDispatchDriverInfFile+5Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00913B87 SIZE 00000054 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_14]
		mov	esi, edx
		and	dword ptr [ebx], 0
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], ecx
		and	dword ptr [edi], 0
		mov	edx, [eax+10h]
		mov	[ebp+arg_14], edx
		cmp	edx, 2
		jz	loc_913B87

loc_7FB5AB:				; CODE XREF: DrvDbGetDriverInfFileMappedProperty+118660j
		xor	ebx, ebx
		xor	esi, esi

loc_7FB5AF:				; CODE XREF: DrvDbGetDriverInfFileMappedProperty+BCj
		mov	ecx, dword ptr ds:(loc_40166B+5)[esi]
		cmp	[ecx+10h], edx
		jnz	short loc_7FB626
		push	10h		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7FB637
		imul	ebx, 18h
		add	ebx, (offset loc_40166B+5)
		jz	short loc_7FB63C
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_7FB5FD
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_8]
		push	1
		push	[ebp+var_C]
		push	3
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_7FB60F
		mov	edx, [ebp+var_4]

loc_7FB5FD:				; CODE XREF: DrvDbGetDriverInfFileMappedProperty+64j
		push	edi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ebx
		call	DrvDbGetRegValueMappedProperty
		mov	esi, eax

loc_7FB60F:				; CODE XREF: DrvDbGetDriverInfFileMappedProperty+82j
					; DrvDbGetDriverInfFileMappedProperty+11864Dj ...
		cmp	[ebp+var_4], 0
		jz	short loc_7FB61D
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_7FB61D:				; CODE XREF: DrvDbGetDriverInfFileMappedProperty+9Dj
					; DrvDbGetDriverInfFileMappedProperty+CBj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7FB626:				; CODE XREF: DrvDbGetDriverInfFileMappedProperty+42j
					; DrvDbGetDriverInfFileMappedProperty+C4j
		add	esi, 18h
		inc	ebx
		cmp	esi, 60h
		jnb	short loc_7FB63C
		mov	eax, [ebp+arg_4]
		jmp	loc_7FB5AF
; 

loc_7FB637:				; CODE XREF: DrvDbGetDriverInfFileMappedProperty+52j
		mov	edx, [ebp+arg_14]
		jmp	short loc_7FB626
; 

loc_7FB63C:				; CODE XREF: DrvDbGetDriverInfFileMappedProperty+5Dj
					; DrvDbGetDriverInfFileMappedProperty+B7j
		mov	esi, 0C0000016h
		jmp	short loc_7FB61D
DrvDbGetDriverInfFileMappedProperty endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmSetDeviceInterfacePathFormat(x, x, x)
__CmSetDeviceInterfacePathFormat@12 proc near ;	CODE XREF: PiUEventCopyEventData+14Ep
					; IopGetDeviceInterfaces+307p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		call	__CmValidateDeviceInterfaceName@8 ; _CmValidateDeviceInterfaceName(x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_7FB66A
		cmp	[ebp+arg_0], 0
		jz	short loc_7FB671
		mov	dword ptr [esi], 3F005Ch
		mov	dword ptr [esi+4], (offset loc_5C0039+6)

loc_7FB66A:				; CODE XREF: _CmSetDeviceInterfacePathFormat(x,x,x)+11j
					; _CmSetDeviceInterfacePathFormat(x,x,x)+3Cj
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	4
; 

loc_7FB671:				; CODE XREF: _CmSetDeviceInterfacePathFormat(x,x,x)+17j
		mov	eax, dword ptr ds:??_C@_19MJCDBCKE@?$AA?2?$AA?2?$AA?$DP?$AA?2@NNGAKEGL@	; "\\"
		mov	[esi], eax
		mov	eax, ds:off_8B6B82
		mov	[esi+4], eax
		jmp	short loc_7FB66A
__CmSetDeviceInterfacePathFormat@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DrvDbDispatchDriverInfFile proc	near	; DATA XREF: .text:00404C74o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00913BDB SIZE 000000E9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		mov	edx, [ebp+arg_8]
		push	esi
		push	eax
		call	__PnpCtxGetObjectContext@12 ; _PnpCtxGetObjectContext(x,x,x)
		test	eax, eax
		js	short loc_7FB6E3
		mov	ecx, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+var_4]
		push	edi
		mov	edi, [ebp+arg_10]
		mov	eax, [ebx+8]
		test	eax, 10000000h
		jz	loc_913BDB

loc_7FB6B9:				; CODE XREF: DrvDbDispatchDriverInfFile+11856Cj
					; DrvDbDispatchDriverInfFile+118586j ...
		dec	ecx
		cmp	ecx, 8		; switch 9 cases
		ja	short loc_7FB70E ; default
		jmp	ds:off_7FB716[ecx*4] ; switch jump

loc_7FB6C6:				; DATA XREF: PAGE:off_7FB716o
		push	dword ptr [edi+18h] ; case 0x7
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		push	dword ptr [edi+14h] ; int
		push	dword ptr [edi+10h] ; int
		push	dword ptr [edi+0Ch] ; int
		push	dword ptr [edi+8] ; void *
		push	dword ptr [edi]	; int
		call	DrvDbGetDriverInfFileMappedProperty

loc_7FB6E1:				; CODE XREF: DrvDbDispatchDriverInfFile+8Aj
					; DrvDbDispatchDriverInfFile+91j ...
		pop	edi
		pop	ebx

loc_7FB6E3:				; CODE XREF: DrvDbDispatchDriverInfFile+1Cj
		pop	esi
		leave
		retn	14h
; 

loc_7FB6E8:				; CODE XREF: DrvDbDispatchDriverInfFile+3Dj
					; DATA XREF: PAGE:off_7FB716o
		mov	al, [edi+4]	; case 0x1
		mov	esi, [edi+8]
		mov	edx, [edi]
		mov	byte ptr [ebp+arg_8], al
		push	0
		lea	eax, [edi+0Ch]
		mov	ecx, ebx
		push	eax
		push	esi
		push	[ebp+arg_8]
		push	edx
		push	[ebp+arg_4]
		xor	edx, edx
		push	3
		call	DrvDbOpenObjectRegKey
		jmp	short loc_7FB6E1
; 

loc_7FB70E:				; CODE XREF: DrvDbDispatchDriverInfFile+3Bj
					; DrvDbDispatchDriverInfFile+3Dj
					; DATA XREF: ...
		mov	eax, 0C000000Dh	; default
		jmp	short loc_7FB6E1
DrvDbDispatchDriverInfFile endp

; 
		align 2
off_7FB716	dd offset loc_913C2F	; DATA XREF: DrvDbDispatchDriverInfFile+3Dr
		dd offset loc_7FB6E8	; jump table for switch	statement
		dd offset loc_913C3C
		dd offset loc_913C55
		dd offset loc_913C69
		dd offset loc_913C8D
		dd offset loc_7FB70E
		dd offset loc_7FB6C6
		dd offset loc_913CA7

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetMatchingFilteredDeviceInterfaceList proc near ; CODE XREF: IopGetDeviceInterfaces+217p
					; _PnpDeviceRaisePropertyChangeEventWorker+24Dp ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 00913CC4 SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_30], 0
		and	[ebp+var_2C], 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_34], ebx
		mov	ebx, [ebx+100h]
		mov	[ebp+var_38], edx
		mov	edx, [ebp+arg_18]
		push	esi
		mov	esi, [ebp+arg_C]
		mov	[ebp+var_3C], ebx
		mov	ebx, [ebp+var_38]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_14]
		push	edi
		mov	edi, [ebp+arg_10]
		mov	[ebp+var_28], ebx
		mov	ebx, [ebp+var_3C]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_14], edi
		mov	edi, [ebp+var_34]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], eax
		test	ebx, ebx
		jz	short loc_7FB7E1
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	11h
		push	3
		push	0
		push	edi
		call	ebx
		cmp	eax, 0C0000002h
		jz	short loc_7FB7DF
		cmp	eax, 0C0000120h
		jnz	loc_913CC4

loc_7FB7C9:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceList+1185B5j
		mov	esi, [ebp+var_30]

loc_7FB7CC:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceList+CDj
					; _CmGetMatchingFilteredDeviceInterfaceList+1185AAj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
; 

loc_7FB7DF:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceList+82j
		xor	ebx, ebx

loc_7FB7E1:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceList+6Cj
					; _CmGetMatchingFilteredDeviceInterfaceList+11858Ej
		push	[ebp+var_8]
		mov	edx, [ebp+var_28]
		mov	ecx, edi
		push	[ebp+var_C]
		push	[ebp+var_10]
		push	[ebp+var_14]
		push	[ebp+var_18]
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		call	_CmGetMatchingFilteredDeviceInterfaceListWorker
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_7FB7CC
		jmp	loc_913CCD
_CmGetMatchingFilteredDeviceInterfaceList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpDispatchInterfaceClass proc	near	; DATA XREF: _PnpCtxOpenMachine+162o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00913D07 SIZE 000000E8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_C]
		push	esi
		push	edi
		xor	edi, edi
		dec	eax
		mov	[ebp+var_8], edi
		mov	edx, edi
		mov	[ebp+var_4], edi
		cmp	eax, 8		; switch 9 cases
		ja	loc_913DE5	; default
		jmp	ds:off_7FB8AE[eax*4] ; switch jump

loc_7FB836:				; DATA XREF: PAGE:off_7FB8AEo
		mov	eax, [ebp+arg_10] ; case 0x7
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	dword ptr [eax+18h] ; int
		push	dword ptr [eax+14h] ; int
		push	dword ptr [eax+10h] ; int
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; void *
		push	dword ptr [eax+4] ; int
		push	dword ptr [eax]	; int
		call	_CmGetInterfaceClassMappedProperty

loc_7FB858:				; CODE XREF: _PnpDispatchInterfaceClass+70j
					; _PnpDispatchInterfaceClass+9Cj ...
		mov	ecx, eax
		call	__PnpMapCmStatusToDispatchStatus@4 ; _PnpMapCmStatusToDispatchStatus(x)
		pop	edi
		pop	esi
		leave
		retn	14h
; 

loc_7FB865:				; CODE XREF: _PnpDispatchInterfaceClass+21j
					; DATA XREF: PAGE:off_7FB8AEo
		mov	ecx, [ebp+arg_4] ; case	0x0
		call	__PnpIsValidGuidString@4 ; _PnpIsValidGuidString(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFCDh
		add	eax, 0C0000033h
		jmp	short loc_7FB858
; 

loc_7FB880:				; CODE XREF: _PnpDispatchInterfaceClass+21j
					; DATA XREF: PAGE:off_7FB8AEo
		mov	ecx, [ebp+arg_10] ; case 0x4
		mov	eax, [ecx]
		test	eax, eax
		jnz	loc_913D72

loc_7FB88D:				; CODE XREF: _PnpDispatchInterfaceClass+118575j
		mov	eax, [ecx+14h]
		and	eax, 0FFFF0000h
		push	eax
		push	dword ptr [ecx+10h]
		push	dword ptr [ecx+0Ch]
		push	dword ptr [ecx+8]
		mov	ecx, [ebp+arg_0]
		push	edx
		mov	edx, edi
		call	__CmGetMatchingInterfaceClassList@28 ; _CmGetMatchingInterfaceClassList(x,x,x,x,x,x,x)
		jmp	short loc_7FB858
_PnpDispatchInterfaceClass endp

; 
		db 8Bh,	0FFh
off_7FB8AE	dd offset loc_7FB865	; DATA XREF: _PnpDispatchInterfaceClass+21r
		dd offset loc_913D07	; jump table for switch	statement
		dd offset loc_913D31
		dd offset loc_913D57
		dd offset loc_7FB880
		dd offset loc_913D88
		dd offset loc_913DA7
		dd offset loc_7FB836
		dd offset loc_913DC1

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetInterfaceClassMappedProperty(int,int,void *,int,int,int,int)
_CmGetInterfaceClassMappedProperty proc	near ; CODE XREF: _PnpDispatchInterfaceClass+45p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 00913DEF SIZE 00000062 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_18]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], edx
		mov	ebx, 0C0000016h
		mov	[ebp+var_8], ecx
		push	edi
		mov	[eax], esi
		cmp	[ebp+arg_4], esi
		jnz	short loc_7FB94E
		mov	edi, [ebp+arg_8]
		mov	ecx, esi
		mov	[ebp+arg_4], esi

loc_7FB8FB:				; CODE XREF: _CmGetInterfaceClassMappedProperty+118526j
		mov	edx, ds:off_A42EE8[ecx]
		test	edx, edx
		jz	loc_913DEF
		mov	eax, [edi+10h]
		cmp	eax, [edx+10h]
		jnz	loc_913DEF
		push	10h		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7FB957
		push	[ebp+arg_18]	; int
		mov	edx, [ebp+var_4]
		push	[ebp+arg_14]	; int
		mov	ecx, [ebp+var_8]
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	edi		; void *
		push	[ebp+arg_0]	; int
		call	_CmGetInterfaceClassMappedPropertyFromRegValue
		mov	ebx, eax
		cmp	ebx, 0C0000016h
		jz	loc_913DFE

loc_7FB94E:				; CODE XREF: _CmGetInterfaceClassMappedProperty+1Fj
					; _CmGetInterfaceClassMappedProperty+118558j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	1Ch
; 

loc_7FB957:				; CODE XREF: _CmGetInterfaceClassMappedProperty+51j
		mov	ecx, [ebp+arg_4]
		jmp	loc_913DEF
_CmGetInterfaceClassMappedProperty endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetInterfaceClassMappedPropertyFromRegValue(int,void *,int,int,int,int)
_CmGetInterfaceClassMappedPropertyFromRegValue proc near
					; CODE XREF: _CmGetInterfaceClassMappedProperty+69p
					; _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+4Bp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00913E51 SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_24], edx
		xor	edx, edx
		push	ebx
		push	esi
		mov	[eax], edx
		mov	eax, [ebp+arg_14]
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], edx
		mov	[eax], edx
		test	edi, edi
		jz	loc_913E51
		mov	ebx, [ebp+arg_10]
		mov	eax, ebx
		neg	eax
		sbb	eax, eax
		and	edi, eax
		mov	[ebp+arg_C], edi

loc_7FB9A2:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+1184F3j
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+10h]
		mov	[ebp+var_14], eax
		cmp	eax, 2
		jb	loc_913E58
		mov	esi, [ebp+arg_4]
		mov	ecx, offset off_A42EE8
		mov	[ebp+var_C], ecx
		mov	[ebp+arg_10], edx

loc_7FB9C2:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+11851Ej
		mov	edi, [ecx]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_1C], edi
		cmp	eax, [edi+10h]
		jnz	loc_913E6B
		push	10h		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_913E62

loc_7FB9E7:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+118524j
		cmp	[ebp+var_10], 0
		mov	esi, [ebp+var_20]
		mov	edi, [ebp+arg_C]
		jz	loc_913E58
		cmp	[ebp+var_14], 2
		jnz	short loc_7FBA43
		mov	eax, [ebp+arg_4]
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceInterfaceClass_DefaultInterface ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7FBA43
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_7FBA4C

loc_7FBA1B:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+10Dj
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_18]
		push	0
		push	1
		push	0
		call	_PnpOpenPropertiesKey
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_7FBA79

loc_7FBA38:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+146j
					; _CmGetInterfaceClassMappedPropertyFromRegValue+11852Fj
		mov	esi, 0C0000225h

loc_7FBA3D:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+108j
					; _CmGetInterfaceClassMappedPropertyFromRegValue+11Bj ...
		cmp	[ebp+var_4], 0
		jnz	short loc_7FBA6F

loc_7FBA43:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+9Bj
					; _CmGetInterfaceClassMappedPropertyFromRegValue+B2j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7FBA4C:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+B9j
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	1
		push	ecx
		mov	ecx, [ebp+var_18]
		push	40h
		call	_CmOpenCommonClassRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_7FBA3D
		mov	edx, [ebp+var_4]
		jmp	short loc_7FBA1B
; 

loc_7FBA6F:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+E1j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_7FBA43
; 

loc_7FBA79:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+D6j
		test	esi, esi
		js	short loc_7FBA3D
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+arg_C]
		push	eax
		push	edi
		lea	eax, [ebp+var_28]
		mov	[ebp+arg_C], ebx
		push	eax
		mov	edx, offset ??_C@_1BA@GHOECOCL@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt@NNGAKEGL@ ; "D"
		call	_RegRtlQueryValue
		push	[ebp+var_8]
		mov	edi, eax
		call	_ZwClose@4	; ZwClose(x)
		cmp	edi, 0C0000034h
		jz	short loc_7FBA38
		jmp	loc_913E89
_CmGetInterfaceClassMappedPropertyFromRegValue endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall IopGetDeviceInterfaces(int,int,int,char,int,int)
IopGetDeviceInterfaces proc near	; CODE XREF: PfSnOpenVolumesForPrefetch+11Ep
					; IoGetDeviceInterfaces+42p ...

var_CA		= byte ptr -0CAh
var_C9		= byte ptr -0C9h
var_C8		= dword	ptr -0C8h
var_C2		= dword	ptr -0C2h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00913ECD SIZE 00000303 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0CCh+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	[esp+0D0h+var_8C], eax
		xor	eax, eax
		push	esi
		push	edi
		mov	[esp+0D8h+var_88], eax
		lea	edi, [esp+0D8h+var_6C]
		mov	[esp+0D8h+var_BC], eax
		mov	[esp+0D8h+var_B0], eax
		mov	[esp+0D8h+var_C9], al
		mov	[esp+0D8h+var_94], eax
		mov	byte ptr [esp+0D8h+var_C2], al
		stosd
		mov	[esp+0D8h+var_9C], edx
		mov	edx, [ebp+arg_8]
		mov	[esp+0D8h+var_90], edx
		stosd
		push	ecx		; int
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, eax
		mov	[edx], eax
		lea	edx, [esp+0DCh+var_58] ; void *
		mov	[esp+0DCh+var_A0], eax
		mov	[esp+0DCh+var_AC], eax
		mov	ebx, eax
		mov	[esp+0DCh+var_C2+2], edi
		mov	[esp+0DCh+var_C8], eax
		mov	[esp+0DCh+var_B4], eax
		mov	[esp+0DCh+var_B8], eax
		mov	[esp+0DCh+var_98], eax
		mov	[esp+0DCh+var_A8], eax
		mov	[esp+0DCh+var_A4], eax
		mov	[esp+0DCh+var_84], eax
		mov	[esp+0DCh+var_80], eax
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_91418B
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+0D8h+var_A0]
		xor	edx, edx
		push	edx
		push	eax
		push	edx
		push	0F003Fh
		push	edx
		push	40h
		lea	edx, [esp+0F0h+var_58]
		call	_CmOpenCommonClassRegKey
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_7FBE07
		cmp	esi, 0C000003Ah
		jz	loc_7FBE07
		test	esi, esi
		js	loc_7FBD1A
		xor	ecx, ecx
		lea	eax, [esp+0D8h+var_B0]
		push	ecx
		push	eax
		lea	eax, [esp+0E0h+var_BC]
		mov	edx, 400h
		push	eax
		lea	eax, [esp+0E4h+var_B8]
		push	eax
		push	offset _DEVPKEY_DeviceInterfaceClass_DefaultInterface
		push	ecx
		push	[esp+0F0h+var_A0]
		lea	eax, [esp+0F4h+var_58]
		mov	ecx, 47706E50h
		push	4
		push	eax
		call	PnpGetObjectProperty
		mov	esi, eax
		test	esi, esi
		jns	loc_913ECD

loc_7FBBEB:				; CODE XREF: IopGetDeviceInterfaces+118424j
		cmp	esi, 0C0000225h
		jnz	loc_91409E

loc_7FBBF7:				; CODE XREF: IopGetDeviceInterfaces+1185F6j
					; IopGetDeviceInterfaces+118602j
		mov	edi, [esp+0D8h+var_BC]

loc_7FBBFB:				; CODE XREF: IopGetDeviceInterfaces+1185D0j
					; IopGetDeviceInterfaces+1185EBj
		mov	eax, [esp+0D8h+var_9C]
		test	eax, eax
		jnz	loc_7FBDEC

loc_7FBC07:				; CODE XREF: IopGetDeviceInterfaces+34Ej
		cmp	[esp+0D8h+var_C9], bl
		jnz	loc_9140C8

loc_7FBC11:				; CODE XREF: IopGetDeviceInterfaces+11861Ej
		lea	eax, [esp+0D8h+var_68]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	eax, 1000h
		mov	[esp+0D8h+var_C8], eax
		cmp	[esp+0D8h+var_C9], bl
		jnz	loc_9140D1

loc_7FBC41:				; CODE XREF: IopGetDeviceInterfaces+11862Bj
					; IopGetDeviceInterfaces+118638j
		xor	edx, edx
		mov	esi, 0C0000023h
		mov	ecx, edx
		mov	[esp+0D8h+var_B0], ecx

loc_7FBC4E:				; CODE XREF: IopGetDeviceInterfaces+11863Fj
		cmp	ecx, 5
		jnb	loc_7FBCEF
		test	ebx, ebx
		jnz	loc_9140F2

loc_7FBC5F:				; CODE XREF: IopGetDeviceInterfaces+11864Fj
		push	20207050h
		add	eax, eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_914147
		cmp	[esp+0D8h+var_C9], 0
		mov	edi, [esp+0D8h+var_C8]
		mov	[esp+0D8h+var_A4], edi
		jnz	loc_914102
		mov	ecx, edi
		mov	edi, ebx

loc_7FBC8F:				; CODE XREF: IopGetDeviceInterfaces+11868Aj
		xor	eax, eax
		mov	[esp+0D8h+var_A8], ecx
		push	eax
		lea	eax, [esp+0DCh+var_C8]
		mov	[esp+0DCh+var_98], edi
		push	eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+0E4h+var_6C]
		push	edi
		push	eax
		mov	eax, [ebp+arg_0]
		lea	edx, [esp+0ECh+var_58]
		not	eax
		push	offset IopDeviceInterfaceFilterCallback
		and	eax, 1
		push	eax
		push	[esp+0F4h+var_94]
		call	_CmGetMatchingFilteredDeviceInterfaceList
		mov	ecx, [esp+0D8h+var_B0]
		sub	edi, ebx
		mov	esi, eax
		sar	edi, 1
		mov	eax, [esp+0D8h+var_C8]
		add	eax, edi
		inc	ecx
		mov	[esp+0D8h+var_C8], eax
		mov	[esp+0D8h+var_B0], ecx
		cmp	esi, 0C0000023h
		jz	loc_9140EB

loc_7FBCEF:				; CODE XREF: IopGetDeviceInterfaces+1A3j
					; IopGetDeviceInterfaces+11869Ej
		mov	edi, [esp+0D8h+var_A4]

loc_7FBCF3:				; CODE XREF: IopGetDeviceInterfaces+118674j
					; IopGetDeviceInterfaces+118694j
		lea	eax, [esp+0D8h+var_68]
		push	eax
		call	SeReleaseSubjectContext
		test	esi, esi
		js	short loc_7FBD16
		cmp	[esp+0D8h+var_C8], 0
		jz	loc_7FBE31

loc_7FBD0C:				; CODE XREF: IopGetDeviceInterfaces+397j
		cmp	[ebp+arg_4], 0
		jz	loc_7FBDA4

loc_7FBD16:				; CODE XREF: IopGetDeviceInterfaces+251j
					; IopGetDeviceInterfaces+2FDj ...
		mov	edi, [esp+0D8h+var_C2+2]

loc_7FBD1A:				; CODE XREF: IopGetDeviceInterfaces+F8j
					; IopGetDeviceInterfaces+37Ej ...
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		js	loc_91418B
		mov	eax, [esp+0D8h+var_90]
		mov	ecx, [esp+0D8h+var_8C]
		mov	[eax], ebx
		test	ecx, ecx
		jz	short loc_7FBD4E
		mov	eax, [esp+0D8h+var_C8]
		add	eax, eax
		mov	[ecx], eax

loc_7FBD4E:				; CODE XREF: IopGetDeviceInterfaces+296j
		xor	ecx, ecx
		mov	ebx, ecx

loc_7FBD52:				; CODE XREF: IopGetDeviceInterfaces+1186EBj
					; IopGetDeviceInterfaces+1186F3j
		cmp	[esp+0D8h+var_A0], 0
		jz	short loc_7FBD62
		push	[esp+0D8h+var_A0]
		call	_ZwClose@4	; ZwClose(x)

loc_7FBD62:				; CODE XREF: IopGetDeviceInterfaces+2A9j
		mov	edx, [esp+0D8h+var_9C]
		mov	ecx, [esp+0D8h+var_94]
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		mov	eax, [esp+0D8h+var_BC]
		test	eax, eax
		jnz	loc_9141A6

loc_7FBD7B:				; CODE XREF: IopGetDeviceInterfaces+118701j
		test	ebx, ebx
		jnz	loc_9141B4

loc_7FBD83:				; CODE XREF: IopGetDeviceInterfaces+11870Fj
		test	edi, edi
		jnz	loc_9141C2

loc_7FBD8B:				; CODE XREF: IopGetDeviceInterfaces+11871Dj
		mov	ecx, [esp+0D8h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_7FBDA4:				; CODE XREF: IopGetDeviceInterfaces+262j
		xor	eax, eax
		mov	edi, ebx
		cmp	[ebx], ax
		jz	loc_7FBD16

loc_7FBDB1:				; CODE XREF: IopGetDeviceInterfaces+337j
		push	1
		mov	edx, edi
		call	__CmSetDeviceInterfacePathFormat@12 ; _CmSetDeviceInterfacePathFormat(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7FBD16
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_7FBDC9:				; CODE XREF: IopGetDeviceInterfaces+326j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+0D8h+var_88]
		jnz	short loc_7FBDC9
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], ax
		jnz	short loc_7FBDB1
		jmp	loc_7FBD16
; 

loc_7FBDEC:				; CODE XREF: IopGetDeviceInterfaces+153j
		push	eax
		xor	edx, edx
		lea	ecx, [esp+0DCh+var_94]
		call	PnpUnicodeStringToWstr
		mov	esi, eax
		test	esi, esi
		jns	loc_7FBC07
		jmp	loc_7FBD16
; 

loc_7FBE07:				; CODE XREF: IopGetDeviceInterfaces+E4j
					; IopGetDeviceInterfaces+F0j
		push	20207050h
		xor	eax, eax
		inc	eax
		push	2
		push	eax
		mov	[esp+0E4h+var_C8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_914181
		xor	eax, eax
		mov	[ebx], ax
		mov	esi, eax
		jmp	loc_7FBD1A
; 

loc_7FBE31:				; CODE XREF: IopGetDeviceInterfaces+258j
		xor	eax, eax
		inc	eax
		mov	[esp+0D8h+var_C8], eax
		cmp	edi, eax
		jb	loc_914151

loc_7FBE40:				; CODE XREF: IopGetDeviceInterfaces+1186C3j
		xor	eax, eax
		mov	[ebx], ax
		jmp	loc_7FBD0C
IopGetDeviceInterfaces endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqQueryDeleteObjectFromResultSet(x, x)
_PiDqQueryDeleteObjectFromResultSet@8 proc near	; CODE XREF: PiDqQueryFreeActiveData+13p
					; PiDqQueryApplyObjectEvent+AE5E0p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], edx
		push	eax
		lea	eax, [ecx+24h]
		push	eax
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		test	al, al
		jz	short locret_7FBE6C
		mov	ecx, [ebp+var_4]
		call	PiDmObjectRelease

locret_7FBE6C:				; CODE XREF: PiDqQueryDeleteObjectFromResultSet(x,x)+18j
		leave
		retn
_PiDqQueryDeleteObjectFromResultSet@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqFreeGenericTableEntry(x, x)
_PiDqFreeGenericTableEntry@8 proc near	; DATA XREF: PiDqQueryCreate+7Do

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	58706E50h
		push	[ebp+arg_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_PiDqFreeGenericTableEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqQueryAddObjectToResultSet(x, x)
_PiDqQueryAddObjectToResultSet@8 proc near ; CODE XREF:	PiDqQueryEnumObject+A9p
					; PiDqQueryApplyObjectEvent+472p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		lea	eax, [ebp-1]
		mov	[ebp+var_8], edx
		push	eax		; int
		push	4		; size_t
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax		; void *
		lea	eax, [ecx+24h]
		mov	[ebp+var_1], bl
		push	eax		; int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		test	eax, eax
		jz	short loc_7FBEBC
		cmp	[ebp+var_1], bl
		jz	short loc_7FBEB7
		mov	eax, [ebp+var_8]
		lock inc dword ptr [eax+4]

loc_7FBEB7:				; CODE XREF: PiDqQueryAddObjectToResultSet(x,x)+2Aj
					; PiDqQueryAddObjectToResultSet(x,x)+3Dj
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_7FBEBC:				; CODE XREF: PiDqQueryAddObjectToResultSet(x,x)+25j
		mov	ebx, 0C000009Ah
		jmp	short loc_7FBEB7
_PiDqQueryAddObjectToResultSet@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqAllocateGenericTableEntry(x, x)
_PiDqAllocateGenericTableEntry@8 proc near ; DATA XREF:	PiDqQueryCreate+84o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	58706E50h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_PiDqAllocateGenericTableEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _NtPlugPlayGetDeviceStatus(x, x, x,	x, x, x)
__NtPlugPlayGetDeviceStatus@24 proc near
					; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+56Ap
					; _CmGetDeviceMappedPropertyFromComposite+96Cp	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		push	eax
		push	2
		mov	edi, edx
		mov	esi, ecx
		pop	edx
		call	__PnpCtxGetNtPlugPlayRoutine@12	; _PnpCtxGetNtPlugPlayRoutine(x,x,x)
		test	eax, eax
		js	short loc_7FBF19
		cmp	[ebp+var_4], 0
		jz	short loc_7FBF1F
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	esi
		call	[ebp+var_4]
		cmp	eax, 80000005h
		jz	short loc_7FBF26

loc_7FBF19:				; CODE XREF: _NtPlugPlayGetDeviceStatus(x,x,x,x,x,x)+1Ej
					; _NtPlugPlayGetDeviceStatus(x,x,x,x,x,x)+48j ...
		pop	edi
		pop	esi
		leave
		retn	10h
; 

loc_7FBF1F:				; CODE XREF: _NtPlugPlayGetDeviceStatus(x,x,x,x,x,x)+24j
		mov	eax, 0C0000002h
		jmp	short loc_7FBF19
; 

loc_7FBF26:				; CODE XREF: _NtPlugPlayGetDeviceStatus(x,x,x,x,x,x)+3Bj
		mov	eax, 0C0000023h
		jmp	short loc_7FBF19
__NtPlugPlayGetDeviceStatus@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlGetDeviceStatus(x, x, x, x,	x, x)
_PiPnpRtlGetDeviceStatus@24 proc near	; DATA XREF: PiPnpRtlInit+ACo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_8]
		push	[ebp+arg_10]
		mov	ecx, [ebp+arg_4]
		push	[ebp+arg_C]
		call	_PlugPlayGetDeviceStatus@20 ; PlugPlayGetDeviceStatus(x,x,x,x,x)
		pop	ebp
		retn	18h
_PiPnpRtlGetDeviceStatus@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PlugPlayGetDeviceStatus(x, x, x, x,	x)
_PlugPlayGetDeviceStatus@20 proc near	; CODE XREF: PiPnpRtlGetDeviceStatus(x,x,x,x,x,x)+14p
					; PiPnpRtlGatherDeviceDeleteInfo(x,x)+5Cp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jz	short loc_7FBFB5
		test	edi, edi
		jz	short loc_7FBFB5
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_7FBFB5
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_7FBFB5
		mov	eax, [ecx]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_18], eax
		xor	eax, eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_1C]
		push	1Ch
		push	eax
		push	0Eh
		call	_ZwPlugPlayControl@12 ;	ZwPlugPlayControl(x,x,x)
		test	eax, eax
		js	short loc_7FBFAE
		mov	ecx, [ebp+var_10]
		mov	[edi], ecx
		mov	ecx, [ebp+var_C]
		mov	[esi], ecx
		mov	ecx, [ebp+var_4]
		mov	[ebx], ecx

loc_7FBFAE:				; CODE XREF: PlugPlayGetDeviceStatus(x,x,x,x,x)+51j
					; PlugPlayGetDeviceStatus(x,x,x,x,x)+6Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7FBFB5:				; CODE XREF: PlugPlayGetDeviceStatus(x,x,x,x,x)+Fj
					; PlugPlayGetDeviceStatus(x,x,x,x,x)+13j ...
		mov	eax, 0C000000Dh
		jmp	short loc_7FBFAE
_PlugPlayGetDeviceStatus@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DrvDbGetRegValueMappedProperty proc near
					; CODE XREF: DrvDbGetDriverInfFileMappedProperty+92p
					; DrvDbGetDriverPackageMappedProperty+254p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 009141D0 SIZE 00000074 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_C], edx
		mov	eax, [ebx+4]
		cmp	eax, 5
		jz	short loc_7FC057
		cmp	eax, 11h
		jz	short loc_7FC057
		mov	ecx, [ebp+arg_C]
		mov	eax, esi

loc_7FBFE9:				; CODE XREF: DrvDbGetRegValueMappedProperty+A1j
		mov	edx, [ebx+8]
		mov	[ebp+arg_0], ecx
		lea	ecx, [ebp+arg_0]
		push	ecx
		mov	ecx, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RegRtlQueryValue
		mov	edx, eax
		cmp	edx, 0C0000034h
		jz	short loc_7FC050
		test	edx, edx
		jnz	loc_9141D0

loc_7FC012:				; CODE XREF: DrvDbGetRegValueMappedProperty+118220j
		mov	eax, [ebp+var_8]
		cmp	eax, [ebx+0Ch]
		jnz	short loc_7FC05F
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebx+4]
		mov	[eax], ecx
		mov	eax, [ebx+4]
		cmp	eax, 5
		jz	loc_914213
		cmp	eax, 11h
		mov	eax, [ebp+arg_10]
		jz	loc_9141E1
		mov	ecx, [ebp+arg_0]
		mov	[eax], ecx
		test	esi, esi
		jz	short loc_7FC066
		cmp	[ebp+arg_C], ecx
		jb	short loc_7FC066

loc_7FC048:				; CODE XREF: DrvDbGetRegValueMappedProperty+99j
					; DrvDbGetRegValueMappedProperty+A8j ...
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	14h
; 

loc_7FC050:				; CODE XREF: DrvDbGetRegValueMappedProperty+4Cj
		mov	edx, 0C0000225h
		jmp	short loc_7FC048
; 

loc_7FC057:				; CODE XREF: DrvDbGetRegValueMappedProperty+21j
					; DrvDbGetRegValueMappedProperty+26j
		push	4
		lea	eax, [ebp+var_4]
		pop	ecx
		jmp	short loc_7FBFE9
; 

loc_7FC05F:				; CODE XREF: DrvDbGetRegValueMappedProperty+5Cj
					; DrvDbGetRegValueMappedProperty+118241j ...
		mov	edx, 0C00000E5h
		jmp	short loc_7FC048
; 

loc_7FC066:				; CODE XREF: DrvDbGetRegValueMappedProperty+85j
					; DrvDbGetRegValueMappedProperty+8Aj ...
		mov	edx, 0C0000023h
		jmp	short loc_7FC048
DrvDbGetRegValueMappedProperty endp

; 
		align 2

;  S U B	R O U T	I N E 


PiDqQueryFreeActiveData	proc near	; CODE XREF: PiDqQueryRelease+23p
					; PiDqIrpQueryCreate+21Ep ...

; FUNCTION CHUNK AT 00914244 SIZE 0000002E BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+24h]
		jmp	short loc_7FC086
; 

loc_7FC079:				; CODE XREF: PiDqQueryFreeActiveData+20j
		mov	edx, [esi+2Ch]
		mov	ecx, esi
		mov	edx, [edx+10h]
		call	_PiDqQueryDeleteObjectFromResultSet@8 ;	PiDqQueryDeleteObjectFromResultSet(x,x)

loc_7FC086:				; CODE XREF: PiDqQueryFreeActiveData+9j
		push	edi
		call	_RtlIsGenericTableEmptyAvl@4 ; RtlIsGenericTableEmptyAvl(x)
		test	al, al
		jz	short loc_7FC079
		lea	edi, [esi+64h]

loc_7FC093:				; CODE XREF: PiDqQueryFreeActiveData+1181ECj
		mov	ecx, [edi]
		cmp	ecx, edi
		jnz	loc_914244
		and	dword ptr [esi+6Ch], 0
		mov	ecx, [esi+60h]
		test	ecx, ecx
		jnz	loc_914264

loc_7FC0AC:				; CODE XREF: PiDqQueryFreeActiveData+1181FFj
		pop	edi
		pop	esi
		retn
PiDqQueryFreeActiveData	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqQuerySerializeActionQueue proc near	; CODE XREF: PiDqIrpQueryGetResult+F7p
					; PiDqIrpQueryCreate+180p

UserState	= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
Handle		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00914297 SIZE 00000025 BYTES

		push	34h
		push	offset dword_6A53D8
		call	__SEH_prolog4
		mov	esi, ecx
		mov	[ebp+var_24], esi
		xor	ecx, ecx
		mov	edi, ecx
		mov	[ebp+Handle], ecx
		mov	[ebp+var_1C], ecx
		xor	eax, eax
		mov	[ebp+var_30], eax
		mov	[ebp+UserState], edx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], 10h
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esi+20h]
		mov	[ebp+arg_0], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, [esi+74h]
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, 20h
		jnz	short loc_7FC133
		mov	ecx, esi
		call	PiDqQueryGetObjectManager
		mov	edx, esi
		mov	ecx, eax
		call	PiDqObjectManagerEnumerateAndRegisterQuery
		mov	edi, eax

loc_7FC133:				; CODE XREF: PiDqQuerySerializeActionQueue+6Fj
		test	edi, edi
		js	loc_9142AB
		lea	eax, [ebp+Handle]
		push	eax		; pHandle
		push	offset PiDqSerializationWrite ;	WriteFn
		push	offset PiDqSerializationAlloc ;	AllocFn
		lea	eax, [ebp+UserState]
		push	eax		; UserState
		call	ds:__imp__MesEncodeIncrementalHandleCreate@16 ;	MesEncodeIncrementalHandleCreate(x,x,x,x)
		mov	edi, eax
		xor	ebx, ebx
		test	edi, edi
		js	loc_91429C
		mov	eax, [esi+74h]
		and	eax, 2
		push	eax		; Operation
		push	ebx		; ReadFn
		push	ebx		; WriteFn
		push	ebx		; AllocFn
		lea	eax, [ebp+UserState]
		push	eax		; UserState
		push	[ebp+Handle]	; Handle
		call	ds:__imp__MesIncrementalHandleReset@24 ; MesIncrementalHandleReset(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_91429C
		mov	ecx, [ebp+var_3C]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+60h]
		mov	[ebp+var_1C], eax
		mov	[esi+60h], ebx
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_7FC1C4:				; CODE XREF: PiDqQuerySerializeActionQueue+1F0j
		cmp	[ebp+var_1C], 0
		jz	short loc_7FC21F
		mov	[ebp+ms_exc.disabled], ebx
		lea	eax, [ebp+var_1C]
		push	eax
		push	offset loc_407996
		push	offset off_4016D8
		push	(offset	loc_4077CB+1)
		push	[ebp+Handle]
		call	ds:__imp__NdrMesTypeEncode2@20 ; NdrMesTypeEncode2(x,x,x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7FC1F0:				; CODE XREF: sub_914280+12j
		test	edi, edi
		js	loc_91429C
		cmp	byte ptr [ebp+var_30+1], 0
		jnz	loc_914297
		cmp	byte ptr [ebp+var_30], 0
		jnz	loc_7FC307
		mov	ecx, [ebp+var_3C]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	ecx, [ebp+var_1C]
		call	_PiDqActionDataFree@4 ;	PiDqActionDataFree(x)
		mov	[ebp+var_1C], ebx

loc_7FC21F:				; CODE XREF: PiDqQuerySerializeActionQueue+118j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		call	ExAcquirePushLockExclusiveEx
		lea	ecx, [esi+64h]
		mov	eax, [ecx]
		mov	[ebp+var_2C], eax
		cmp	eax, ecx
		jz	short loc_7FC2A8
		mov	edx, [eax]
		cmp	[eax+4], ecx
		jnz	loc_7FC34E
		cmp	[edx+4], eax
		jnz	loc_7FC34E
		mov	[ecx], edx
		mov	[edx+4], ecx
		dec	dword ptr [esi+6Ch]
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	eax, [ebp+var_1C]
		push	eax
		mov	edi, [ebp+var_2C]
		push	edi
		lea	edx, [esi+10h]
		mov	ecx, [esi+0Ch]
		call	PiDqActionDataCreate
		mov	esi, eax
		mov	ecx, edi
		call	_PiDqQueryActionQueueEntryFree@4 ; PiDqQueryActionQueueEntryFree(x)
		lea	edi, [esi+3FFFFFCCh]
		neg	edi
		sbb	edi, edi
		and	edi, esi
		mov	esi, [ebp+var_24]
		jge	loc_7FC1C4
		jmp	short loc_7FC2BE
; 

loc_7FC2A8:				; CODE XREF: PiDqQuerySerializeActionQueue+191j
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_7FC2BE:				; CODE XREF: PiDqQuerySerializeActionQueue+1F6j
					; PiDqQuerySerializeActionQueue+299j ...
		test	edi, edi
		js	loc_91429C

loc_7FC2C6:				; CODE XREF: PiDqQuerySerializeActionQueue+1181F6j
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jnz	loc_9142B2

loc_7FC2D1:				; CODE XREF: PiDqQuerySerializeActionQueue+118207j
		cmp	[ebp+var_38], 0
		jz	short loc_7FC2E4
		push	58706E50h
		push	[ebp+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7FC2E4:				; CODE XREF: PiDqQuerySerializeActionQueue+225j
		cmp	[ebp+Handle], 0
		jz	short loc_7FC2F3
		push	[ebp+Handle]	; Handle
		call	ds:__imp__MesHandleFree@4 ; MesHandleFree(x)

loc_7FC2F3:				; CODE XREF: PiDqQuerySerializeActionQueue+238j
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7FC307:				; CODE XREF: PiDqQuerySerializeActionQueue+156j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_1C]
		mov	[esi+60h], eax
		mov	[ebp+var_1C], ebx
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_34]
		add	ecx, 10h
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		jmp	loc_7FC2BE
; 

loc_7FC34E:				; CODE XREF: PiDqQuerySerializeActionQueue+198j
					; PiDqQuerySerializeActionQueue+1A1j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PiDqQuerySerializeActionQueue endp


;  S U B	R O U T	I N E 


; __stdcall PiDqQueryActionQueueEntryFree(x)
_PiDqQueryActionQueueEntryFree@4 proc near ; CODE XREF:	PiDqQuerySerializeActionQueue+1DCp
					; PiDqQueryFreeActiveData+1181E7p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_7FC365
		call	PiDmObjectRelease

loc_7FC365:				; CODE XREF: PiDqQueryActionQueueEntryFree(x)+Aj
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jnz	short loc_7FC379

loc_7FC36C:				; CODE XREF: PiDqQueryActionQueueEntryFree(x)+2Aj
		push	58706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
; 

loc_7FC379:				; CODE XREF: PiDqQueryActionQueueEntryFree(x)+16j
		call	PiPnpRtlObjectEventRelease
		jmp	short loc_7FC36C
_PiDqQueryActionQueueEntryFree@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiDqActionDataFree(x)
_PiDqActionDataFree@4 proc near		; CODE XREF: PiDqQuerySerializeActionQueue+167p
					; PiDqActionDataCreate+14Bp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 58706E50h
		cmp	dword ptr [esi], 0
		jz	short loc_7FC3AE
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_7FC39E
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7FC39E:				; CODE XREF: PiDqActionDataFree(x)+15j
		mov	edx, [esi+10h]
		test	edx, edx
		jz	short loc_7FC3AE
		mov	ecx, [esi+0Ch]
		push	edi
		call	_PnpFreeDevPropertyArray@12 ; PnpFreeDevPropertyArray(x,x,x)

loc_7FC3AE:				; CODE XREF: PiDqActionDataFree(x)+Ej
					; PiDqActionDataFree(x)+23j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_PiDqActionDataFree@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqActionDataCreate proc near		; CODE XREF: PiDqQuerySerializeActionQueue+1D3p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009142BC SIZE 000000C7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		push	58706E50h
		push	14h
		xor	esi, esi
		mov	[esp+30h+var_18], edx
		and	[esp+30h+var_14], esi
		and	[eax], esi
		push	1
		mov	[esp+34h+var_4], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9142BC
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	edi, ebx
		stosd
		stosd
		stosd
		stosd
		stosd
		cmp	[ecx+8], esi
		jz	loc_7FC4B9
		mov	eax, [ecx+10h]
		mov	edx, 7FFFFFFFh
		mov	edi, [esp+28h+var_4]
		mov	[ebx], eax
		mov	eax, [edi+10h]
		mov	[ebx+4], eax
		lea	eax, [ebx+8]
		mov	ecx, [ecx+8]
		push	eax
		push	58706E50h
		mov	ecx, [ecx+0Ch]
		call	PnpAllocatePWSTR
		mov	esi, eax
		test	esi, esi
		js	loc_7FC501
		mov	eax, [edi+2Ch]
		mov	[esp+28h+var_4], eax
		test	eax, eax
		jz	short loc_7FC4C2

loc_7FC443:				; CODE XREF: PiDqActionDataCreate+110j
		mov	eax, [ebx]
		mov	[esp+28h+var_8], eax
		cmp	eax, 1
		jnz	short loc_7FC4CD

loc_7FC44E:				; CODE XREF: PiDqActionDataCreate+118j
		mov	ecx, [edi+10h]
		call	PiDqGetPnpObjectType
		mov	ecx, eax
		lea	edx, [ebx+10h]
		mov	eax, [edi+20h]
		mov	[esp+28h+var_10], eax
		lea	eax, [ebx+0Ch]
		test	byte ptr [esp+28h+var_10], 2
		mov	[esp+28h+var_C], ecx
		jnz	loc_9142C6
		cmp	[esp+28h+var_8], 1
		push	eax
		push	edx
		mov	edx, ecx
		mov	ecx, [esp+30h+var_18]
		jnz	short loc_7FC4D8
		push	[esp+30h+var_4]
		mov	al, [edi+20h]
		push	dword ptr [edi+30h]
		and	al, 4
		push	dword ptr [edi+28h]
		movzx	eax, al
		push	eax
		push	dword ptr [ebx+8]
		call	PiDqActionDataGetRequestedProperties

loc_7FC49E:				; CODE XREF: PiDqActionDataCreate+141j
		mov	esi, eax

loc_7FC4A0:				; CODE XREF: PiDqActionDataCreate+108j
					; PiDqActionDataCreate+10Ej ...
		test	esi, esi
		js	short loc_7FC501
		cmp	dword ptr [ebx], 2
		jz	short loc_7FC4FB

loc_7FC4A9:				; CODE XREF: PiDqActionDataCreate+147j
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx

loc_7FC4AE:				; CODE XREF: PiDqActionDataCreate+150j
					; PiDqActionDataCreate+117F09j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_7FC4B9:				; CODE XREF: PiDqActionDataCreate+48j
		mov	dword ptr [ebx+4], 1
		jmp	short loc_7FC4A0
; 

loc_7FC4C2:				; CODE XREF: PiDqActionDataCreate+89j
		test	byte ptr [edi+20h], 2
		jz	short loc_7FC4A0
		jmp	loc_7FC443
; 

loc_7FC4CD:				; CODE XREF: PiDqActionDataCreate+94j
		cmp	eax, 2
		jz	loc_7FC44E
		jmp	short loc_7FC4A0
; 

loc_7FC4D8:				; CODE XREF: PiDqActionDataCreate+C9j
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+0Ch]
		push	[esp+34h+var_4]
		push	dword ptr [edi+30h]

loc_7FC4E5:				; CODE XREF: PiDqActionDataCreate+117FC6j
		mov	al, [edi+20h]
		push	dword ptr [edi+28h]
		and	al, 4
		movzx	eax, al
		push	eax
		push	dword ptr [ebx+8]
		call	PiDqActionDataGetChangedProperties
		jmp	short loc_7FC49E
; 

loc_7FC4FB:				; CODE XREF: PiDqActionDataCreate+EFj
		cmp	dword ptr [ebx+0Ch], 0
		ja	short loc_7FC4A9

loc_7FC501:				; CODE XREF: PiDqActionDataCreate+7Aj
					; PiDqActionDataCreate+EAj ...
		mov	ecx, ebx
		call	_PiDqActionDataFree@4 ;	PiDqActionDataFree(x)
		jmp	short loc_7FC4AE
PiDqActionDataCreate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqQueryActionQueueEntryCreate(x, x, x, x)
_PiDqQueryActionQueueEntryCreate@16 proc near
					; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+F8p
					; PiDqQueryEnumObject+BFp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	58706E50h
		push	14h
		push	1
		mov	esi, edx
		mov	ebx, ecx
		xor	edi, edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, [ebp+arg_4]
		mov	[edx], eax
		test	eax, eax
		jz	short loc_7FC557
		mov	[eax+10h], ebx
		mov	[eax+8], esi
		test	esi, esi
		jz	short loc_7FC53F
		lock inc dword ptr [esi+4]
		mov	eax, [edx]

loc_7FC53F:				; CODE XREF: PiDqQueryActionQueueEntryCreate(x,x,x,x)+2Dj
		mov	ecx, [ebp+arg_0]
		mov	[eax+0Ch], ecx
		test	ecx, ecx
		jnz	short loc_7FC552

loc_7FC549:				; CODE XREF: PiDqQueryActionQueueEntryCreate(x,x,x,x)+4Bj
					; PiDqQueryActionQueueEntryCreate(x,x,x,x)+52j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_7FC552:				; CODE XREF: PiDqQueryActionQueueEntryCreate(x,x,x,x)+3Dj
		lock inc dword ptr [ecx]
		jmp	short loc_7FC549
; 

loc_7FC557:				; CODE XREF: PiDqQueryActionQueueEntryCreate(x,x,x,x)+23j
		mov	edi, 0C000009Ah
		jmp	short loc_7FC549
_PiDqQueryActionQueueEntryCreate@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqQueryAppendActionEntry proc	near	; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+109p
					; PiDqQueryEnumObject+CFp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 00914383 SIZE 00000029 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		lea	eax, [esi+64h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_7FC589
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[eax+4], edx
		inc	dword ptr [esi+6Ch]
		cmp	dword ptr [esi+6Ch], 3E8h
		ja	loc_914383

loc_7FC587:				; CODE XREF: PiDqQueryAppendActionEntry+117E3Cj
		pop	esi
		retn
; 

loc_7FC589:				; CODE XREF: PiDqQueryAppendActionEntry+Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall _SysCtxRegCreateTree(x, x, x, x, x,	x, x, x, x)
__SysCtxRegCreateTree@36:		; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+1BCp
					; DrvDbAcquireDatabaseNodeBaseKey+C8p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, edx
		push	ecx
		test	ecx, ecx
		jz	short loc_7FC5BE
		mov	edx, [ecx+4]
		push	edx

loc_7FC59E:				; CODE XREF: PiDqQueryAppendActionEntry+62j
		push	[ebp+arg_18]
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		push	[ebp+arg_14]
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_RegRtlCreateTreeTransacted
		pop	ecx
		pop	ebp
		retn	1Ch
; 

loc_7FC5BE:				; CODE XREF: PiDqQueryAppendActionEntry+3Aj
		push	0
		jmp	short loc_7FC59E
PiDqQueryAppendActionEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_RegRtlCreateTreeTransacted proc near	; CODE XREF: PiDqQueryAppendActionEntry+56p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 009143AC SIZE 0000015E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		and	[esp+1Ch+var_10], 0
		mov	ebx, edx
		and	[esp+1Ch+var_C], 0
		mov	eax, ecx
		push	edi
		push	[ebp+arg_18]
		mov	[esp+24h+var_4], ebx
		push	[ebp+arg_14]
		mov	[esp+28h+var_8], eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_RegRtlCreateKeyTransacted
		mov	edi, eax
		cmp	edi, 0C0000034h
		jz	loc_9143AC

loc_7FC60E:				; CODE XREF: _RegRtlCreateTreeTransacted+117DFFj
					; _RegRtlCreateTreeTransacted+117E25j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_RegRtlCreateTreeTransacted endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_RegRtlCreateKeyTransacted proc	near	; CODE XREF: _RegRtlCreateTreeTransacted+39p
					; _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)+28p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 0091450A SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_C], edx
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		and	[ebp+var_14], eax
		xor	esi, esi
		and	[ebp+var_10], eax
		pop	ecx
		rep stosd
		mov	ecx, ebx
		mov	[ebp+var_8], esi
		call	__RegRtlIsPredefinedKey@4 ; _RegRtlIsPredefinedKey(x)
		test	al, al
		jnz	loc_91450A

loc_7FC64E:				; CODE XREF: _RegRtlCreateKeyTransacted+117F05j
		push	[ebp+var_C]
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7FC6C1
		mov	eax, [ebp+arg_0]
		and	eax, 8
		or	eax, 6
		shl	eax, 5
		cmp	[ebp+arg_C], 0
		jnz	short loc_7FC6CE

loc_7FC672:				; CODE XREF: _RegRtlCreateKeyTransacted+B7j
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_28], esi
		test	esi, esi
		jnz	short loc_7FC683
		mov	[ebp+var_28], ebx

loc_7FC683:				; CODE XREF: _RegRtlCreateKeyTransacted+64j
		push	[ebp+arg_14]
		or	eax, 200h
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		mov	[ebp+var_18], eax
		cmp	[ebp+arg_18], eax
		jnz	loc_914524
		push	[ebp+arg_0]
		push	eax
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_10]
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	edi, eax

loc_7FC6BE:				; CODE XREF: _RegRtlCreateKeyTransacted+117EFCj
					; _RegRtlCreateKeyTransacted+117F29j ...
		mov	esi, [ebp+var_8]

loc_7FC6C1:				; CODE XREF: _RegRtlCreateKeyTransacted+44j
		test	esi, esi
		jnz	short loc_7FC6D3

loc_7FC6C5:				; CODE XREF: _RegRtlCreateKeyTransacted+BFj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_7FC6CE:				; CODE XREF: _RegRtlCreateKeyTransacted+56j
		or	eax, 2
		jmp	short loc_7FC672
; 

loc_7FC6D3:				; CODE XREF: _RegRtlCreateKeyTransacted+A9j
		push	esi
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_7FC6C5
_RegRtlCreateKeyTransacted endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmOpenCommonClassRegKey proc near	; CODE XREF: PiCMOpenClassKey+CDp
					; _CmGetInterfaceClassMappedPropertyFromRegValue+FFp ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00914553 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_14]
		push	esi
		push	edi
		push	2Ch		; size_t
		mov	[ebp+var_3C], eax
		mov	esi, ecx
		lea	eax, [ebp+var_30]
		mov	[ebp+var_38], edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_40], esi
		mov	[ebp+var_34], ebx
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		movzx	eax, cl
		cmp	eax, 20h
		jz	loc_7FC7B6
		cmp	eax, 40h
		jnz	loc_9145A4
		push	4

loc_7FC72F:				; CODE XREF: _CmOpenCommonClassRegKey+DCj
		mov	eax, [ebp+arg_4]
		mov	edi, [esi+100h]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_20], eax
		mov	al, [ebp+arg_C]
		mov	byte ptr [ebp+var_1C], al
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_18], eax
		pop	ebx
		test	edi, edi
		jz	short loc_7FC771
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	0Bh
		push	ebx
		push	[ebp+var_38]
		push	esi
		call	edi
		cmp	eax, 0C0000002h
		jnz	loc_914553
		xor	edi, edi

loc_7FC771:				; CODE XREF: _CmOpenCommonClassRegKey+77j
					; _CmOpenCommonClassRegKey+117E80j
		mov	edx, [ebp+var_38]
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_18]
		mov	ecx, esi
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		push	[ebp+var_28]
		call	_CmOpenCommonClassRegKeyWorker
		mov	esi, eax
		test	edi, edi
		jnz	loc_914574

loc_7FC798:				; CODE XREF: _CmOpenCommonClassRegKey+117E93j
					; _CmOpenCommonClassRegKey+117EB1j ...
		mov	ebx, [ebp+var_34]

loc_7FC79B:				; CODE XREF: _CmOpenCommonClassRegKey+117ECDj
		test	esi, esi
		js	short loc_7FC7A3
		test	ebx, ebx
		jnz	short loc_7FC7BD

loc_7FC7A3:				; CODE XREF: _CmOpenCommonClassRegKey+C1j
					; _CmOpenCommonClassRegKey+E6j	...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_7FC7B6:				; CODE XREF: _CmOpenCommonClassRegKey+42j
		push	2
		jmp	loc_7FC72F
; 

loc_7FC7BD:				; CODE XREF: _CmOpenCommonClassRegKey+C5j
		mov	eax, [ebp+var_14]
		mov	[ebx], eax
		jmp	short loc_7FC7A3
_CmOpenCommonClassRegKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmOpenCommonClassRegKeyWorker proc near ; CODE	XREF: _CmOpenCommonClassRegKey+ADp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 009145AE SIZE 00000150 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		xor	eax, eax
		mov	[esp+28h+var_1C], 4
		test	[ebp+arg_0], 200h
		mov	ebx, ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	[esp+30h+var_10], eax
		mov	edi, 0C8h
		mov	[esp+30h+var_C], esi
		mov	[esp+30h+var_20], eax
		mov	[esp+30h+var_18], eax
		mov	[esp+30h+var_8], eax
		mov	[esp+30h+var_4], eax
		mov	[esp+30h+var_14], edi
		jnz	loc_9145AE

loc_7FC80E:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+117DF3j
		push	52504E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_7FC81B:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+117E39j
		mov	ecx, eax
		mov	[esp+30h+var_24], ecx
		test	ecx, ecx
		jz	loc_914602
		lea	eax, [esp+30h+var_10]
		mov	edx, esi
		push	eax		; int
		mov	eax, edi
		shr	eax, 1
		push	eax		; int
		push	ecx		; void *
		push	ecx		; int
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		call	_CmGetCommonClassRegKeyPath
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_9145BC
		mov	ecx, [esp+30h+var_24]

loc_7FC854:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+117E43j
		test	esi, esi
		js	loc_7FC964
		test	[ebp+arg_0], 100h
		jnz	loc_91464C
		push	ecx
		lea	eax, [esp+34h+var_8]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7FC964
		mov	si, word ptr [esp+30h+var_8]
		movzx	eax, si
		cmp	eax, edi
		jnb	loc_914642
		cmp	si, 32h
		jbe	loc_914642
		push	1
		lea	eax, [esp+34h+var_8]
		push	eax
		push	offset ?ObjectPathRootPrefix@?1??_CmOpenDeviceInterfaceRegKeyWorker@@9@9 ; `_CmOpenDeviceInterfaceRegKeyWorker'::`2'::ObjectPathRootPrefix
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		mov	edi, [esp+30h+var_24]
		test	al, al
		jz	loc_91460C
		mov	eax, 0FFCEh
		add	edi, 32h
		add	word ptr [esp+30h+var_8+2], ax
		add	si, ax
		push	1
		lea	eax, [esp+34h+var_8]
		mov	[esp+34h+var_4], edi
		push	eax
		push	offset ?ClassKeyPrefix@?1??_CmOpenCommonClassRegKeyWorker@@9@9 ; `_CmOpenCommonClassRegKeyWorker'::`2'::ClassKeyPrefix
		mov	word ptr [esp+3Ch+var_8], si
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jnz	loc_7FC98A
		push	1
		lea	eax, [esp+34h+var_8]
		push	eax
		push	offset ?DeviceClassesKeyPrefix@?1??_CmOpenDeviceInterfaceRegKeyWorker@@9@9 ; `_CmOpenDeviceInterfaceRegKeyWorker'::`2'::DeviceClassesKeyPrefix
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_914616
		push	8
		pop	eax
		mov	[esp+30h+var_1C], eax
		add	edi, 2Ch

loc_7FC90A:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+1D0j
					; _CmOpenCommonClassRegKeyWorker+117E71j ...
		lea	ecx, [esp+30h+var_20]
		mov	edx, eax
		push	ecx
		mov	ecx, ebx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7FC964
		mov	edx, [esp+30h+var_20]

loc_7FC922:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+117EB8j
		cmp	[ebp+arg_C], 0
		jnz	loc_914681
		test	ebx, ebx
		jz	loc_9146A5
		mov	ecx, [ebx+74h]

loc_7FC937:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+117EE3j
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		push	0
		push	edi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_7FC952
		mov	ecx, [ebp+arg_14]
		mov	dword ptr [ecx], 2

loc_7FC952:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+183j
		cmp	eax, 0C0000034h
		jz	short loc_7FC999

loc_7FC959:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+117EDCj
					; _CmOpenCommonClassRegKeyWorker+117F18j ...
		cmp	eax, 0C000017Ch
		jz	short loc_7FC9AE
		test	eax, eax
		js	short loc_7FC9AA

loc_7FC964:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+92j
					; _CmOpenCommonClassRegKeyWorker+B4j ...
		mov	edi, [esp+30h+var_24]

loc_7FC968:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+117E1Ej
					; _CmOpenCommonClassRegKeyWorker+117E4Dj
		cmp	[esp+30h+var_18], 0
		jnz	loc_9146F0

loc_7FC973:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+117F35j
		test	edi, edi
		jz	short loc_7FC97F
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7FC97F:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+1B1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7FC98A:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+11Dj
		push	7
		pop	eax
		mov	[esp+30h+var_1C], eax
		add	edi, 1Ch
		jmp	loc_7FC90A
; 

loc_7FC999:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+193j
		cmp	[esp+30h+var_1C], 8
		jnz	short loc_7FC9AA
		cmp	byte ptr [ebx+4], 0
		jnz	loc_9146AC

loc_7FC9AA:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+19Ej
					; _CmOpenCommonClassRegKeyWorker+1DAj
		mov	esi, eax
		jmp	short loc_7FC964
; 

loc_7FC9AE:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+19Aj
		mov	esi, 0C00000E5h
		jmp	short loc_7FC964
_CmOpenCommonClassRegKeyWorker endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetCommonClassRegKeyPath(int,int,int,void *,int,int)
_CmGetCommonClassRegKeyPath proc near	; CODE XREF: _CmOpenCommonClassRegKeyWorker+79p
					; PiDqGetRelativeObjectRegPath+133854p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 009146FE SIZE 00000145 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		push	esi
		and	eax, 60h
		mov	esi, edx
		push	edi
		cmp	al, 60h
		jz	loc_9146FE
		movzx	eax, bl
		cmp	eax, 20h
		jz	loc_7FCA78
		cmp	eax, 40h
		jnz	loc_9146FE
		mov	ecx, esi
		call	__PnpIsValidGuidString@4 ; _PnpIsValidGuidString(x)
		test	al, al
		jz	loc_7FCA8D
		mov	edx, (offset loc_8C91DD+1)

loc_7FC9FA:				; CODE XREF: _CmGetCommonClassRegKeyPath+D2j
		test	ebx, 200h
		jnz	loc_914708
		mov	edi, edx
		xor	ecx, ecx
		lea	ebx, [edi+2]

loc_7FCA0D:				; CODE XREF: _CmGetCommonClassRegKeyPath+60j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, cx
		jnz	short loc_7FCA0D
		sub	edi, ebx
		sar	edi, 1
		lea	ebx, [edi+1]
		test	esi, esi
		jz	short loc_7FCA3E
		mov	edi, esi
		lea	eax, [edi+2]
		mov	[ebp+arg_0], eax

loc_7FCA2B:				; CODE XREF: _CmGetCommonClassRegKeyPath+7Ej
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, cx
		jnz	short loc_7FCA2B
		sub	edi, [ebp+arg_0]
		inc	ebx
		sar	edi, 1
		add	ebx, edi

loc_7FCA3E:				; CODE XREF: _CmGetCommonClassRegKeyPath+6Bj
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	short loc_7FCA47
		mov	[eax], ebx

loc_7FCA47:				; CODE XREF: _CmGetCommonClassRegKeyPath+8Dj
		cmp	ebx, [ebp+arg_10]
		ja	short loc_7FCA94
		test	esi, esi
		jz	loc_914823
		push	esi
		push	edx		; char

loc_7FCA56:				; CODE XREF: _CmGetCommonClassRegKeyPath+117DBEj
		push	offset ??_C@_1M@DFKENGJN@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; "%s\\%s"
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 20h

loc_7FCA70:				; CODE XREF: _CmGetCommonClassRegKeyPath+DCj
					; _CmGetCommonClassRegKeyPath+E3j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	18h
; 

loc_7FCA78:				; CODE XREF: _CmGetCommonClassRegKeyPath+21j
		mov	ecx, esi
		call	__PnpIsValidGuidString@4 ; _PnpIsValidGuidString(x)
		test	al, al
		jz	short loc_7FCA8D
		mov	edx, (offset loc_8C90FB+1)
		jmp	loc_7FC9FA
; 

loc_7FCA8D:				; CODE XREF: _CmGetCommonClassRegKeyPath+39j
					; _CmGetCommonClassRegKeyPath+CBj
		mov	eax, 0C0000033h
		jmp	short loc_7FCA70
; 

loc_7FCA94:				; CODE XREF: _CmGetCommonClassRegKeyPath+94j
					; _CmGetCommonClassRegKeyPath+117D9Dj ...
		mov	eax, 0C0000023h
		jmp	short loc_7FCA70
_CmGetCommonClassRegKeyPath endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMCaptureObjectInputData proc	near	; CODE XREF: PiCMGetRelatedDeviceInstance+35p
					; PiCMValidateDeviceInstance+42p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00914843 SIZE 0000000F BYTES
; FUNCTION CHUNK AT 00914866 SIZE 00000055 BYTES

		push	18h
		push	offset dword_6A53F8
		call	__SEH_prolog4
		mov	esi, edx
		mov	edx, ecx
		and	[ebp+var_20], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		test	edx, edx
		jz	loc_9148AE
		test	esi, esi
		jz	loc_9148AE
		and	[ebp+ms_exc.disabled], ebx
		test	dl, 3
		jnz	loc_7FCB9C
		lea	ecx, [edx+esi]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	loc_914843
		cmp	ecx, edx
		jb	loc_914843

loc_7FCAF8:				; CODE XREF: PiCMCaptureObjectInputData+117DAAj
		cmp	esi, 1Ch
		jb	loc_91484B
		push	7
		pop	ecx
		mov	esi, edx
		mov	eax, [ebp+arg_4]
		mov	edi, eax
		rep movsd
		cmp	dword ptr [eax], 1Ch
		jnz	loc_91484B

loc_7FCB16:				; CODE XREF: PiCMCaptureObjectInputData+117DCDj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+arg_4]
		test	ebx, ebx
		js	loc_914885
		lea	edi, [esi+0Ch]
		mov	eax, [edi]
		and	dword ptr [edi], 0
		test	eax, eax
		jnz	short loc_7FCB62

loc_7FCB34:				; CODE XREF: PiCMCaptureObjectInputData+117DD4j
		cmp	dword ptr [esi+10h], 0
		ja	loc_914880
		test	eax, eax
		jnz	loc_914876

loc_7FCB46:				; CODE XREF: PiCMCaptureObjectInputData+FEj
					; PiCMCaptureObjectInputData+10Cj ...
		test	ebx, ebx
		js	loc_914885

loc_7FCB4E:				; CODE XREF: PiCMCaptureObjectInputData+117E0Dj
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7FCB62:				; CODE XREF: PiCMCaptureObjectInputData+96j
		mov	ecx, [esi+10h]
		cmp	ecx, 2
		jb	loc_91486E
		push	1
		push	[ebp+var_24]
		push	2
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	PiControlMakeUserModeCallersCopy
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_7FCBA1
		mov	[ebp+var_20], 1
		mov	edx, [esi+10h]
		shr	edx, 1
		mov	ecx, [edi]
		xor	eax, eax
		mov	[ecx+edx*2-2], ax
		jmp	short loc_7FCB46
; 

loc_7FCB9C:				; CODE XREF: PiCMCaptureObjectInputData+3Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7FCBA1:				; CODE XREF: PiCMCaptureObjectInputData+E7j
		and	dword ptr [edi], 0
		and	dword ptr [esi+10h], 0
		jmp	short loc_7FCB46
PiCMCaptureObjectInputData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMGetObjectList proc near		; CODE XREF: PiCMHandleIoctl+4Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009148BB SIZE 000000B3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	7
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		pop	ebx
		xor	eax, eax
		mov	ecx, ebx
		rep stosd
		mov	eax, [ebp+arg_C]
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		mov	[eax], ecx
		lea	eax, [ebp+var_24]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureObjectInputData
		mov	edi, eax
		test	edi, edi
		js	loc_7FCCCB
		cmp	[ebp+var_18], 0
		jnz	loc_91493F
		cmp	[ebp+var_14], 0
		jnz	loc_91493F
		cmp	[ebp+var_20], 0
		jnz	loc_91493F
		cmp	[ebp+var_10], 0
		jnz	loc_91493F
		cmp	[ebp+arg_0], 0
		jz	loc_91492B
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 14h
		jb	loc_91492B
		mov	eax, [ebp+var_1C]
		xor	esi, esi
		cmp	eax, 6
		jle	loc_9148BB
		sub	eax, 10001h
		jnz	loc_9148FF

loc_7FCC3D:				; CODE XREF: PiCMGetObjectList+117D7Cj
		mov	esi, _PiDrvDbCtx
		neg	esi
		sbb	esi, esi
		and	esi, ebx

loc_7FCC49:				; CODE XREF: PiCMGetObjectList+117D2Aj
					; PiCMGetObjectList+117D67j
		test	esi, esi
		jz	loc_91492B

loc_7FCC51:				; CODE XREF: PiCMGetObjectList+117D37j
					; PiCMGetObjectList+117D50j
		test	edi, edi
		js	loc_7FCCE7
		lea	eax, [ecx-14h]
		cmp	eax, 2
		sbb	edi, edi
		not	edi
		and	edi, eax
		jbe	short loc_7FCCDE
		push	34706E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		jz	loc_914935
		shr	edi, 1

loc_7FCC83:				; CODE XREF: PiCMGetObjectList+13Bj
		push	0
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], edi
		push	eax
		push	edi
		push	ebx
		push	ecx
		push	ecx
		mov	edx, esi
		call	_PnpGetObjectList
		mov	edi, eax

loc_7FCC99:				; CODE XREF: PiCMGetObjectList+117D9Dj
		test	edi, edi
		js	short loc_7FCCE7
		push	[ebp+arg_C]	; int
		mov	eax, [ebp+var_4]
		mov	ecx, edi
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		lea	edx, [eax+eax]
		push	[ebp+var_C]	; int
		push	edx		; size_t
		push	ebx		; void *
		push	0		; int
		call	PiCMReturnBufferResultData

loc_7FCCBA:				; CODE XREF: PiCMGetObjectList+15Ej
		mov	edi, eax
		test	ebx, ebx
		jz	short loc_7FCCCB
		push	34706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7FCCCB:				; CODE XREF: PiCMGetObjectList+36j
					; PiCMGetObjectList+114j
		cmp	[ebp+var_18], 0
		jnz	loc_91494C

loc_7FCCD5:				; CODE XREF: PiCMGetObjectList+117DAFj
					; PiCMGetObjectList+117DBFj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7FCCDE:				; CODE XREF: PiCMGetObjectList+BBj
		xor	ebx, ebx
		xor	edi, edi
		mov	[ebp+var_8], ebx
		jmp	short loc_7FCC83
; 

loc_7FCCE7:				; CODE XREF: PiCMGetObjectList+A9j
					; PiCMGetObjectList+F1j ...
		push	[ebp+arg_C]	; int
		xor	eax, eax
		mov	ecx, edi
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		push	[ebp+var_C]	; int
		push	eax		; size_t
		push	eax		; void *
		push	eax		; int
		mov	eax, [ebp+var_4]
		lea	edx, [eax+eax]
		call	PiCMReturnBufferResultData
		mov	ebx, [ebp+var_8]
		jmp	short loc_7FCCBA
PiCMGetObjectList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DrvDbGetDriverDatabaseList proc	near	; CODE XREF: DrvDbDispatchDriverDatabase+41p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0091496E SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		xor	esi, esi
		mov	[ebp+var_C], edx
		mov	eax, esi
		mov	edx, ecx
		mov	[ebp+var_4], esi
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_10], edx
		mov	[edi], esi
		test	ecx, ecx
		jz	short loc_7FCD39
		cmp	[ebp+arg_8], eax
		jbe	short loc_7FCD39
		mov	[ecx], ax
		mov	eax, [edi]

loc_7FCD39:				; CODE XREF: DrvDbGetDriverDatabaseList+23j
					; DrvDbGetDriverDatabaseList+28j
		add	edx, 0Ch
		push	ebx
		mov	[ebp+var_8], edx
		mov	ebx, [edx]
		cmp	ebx, edx
		jz	short loc_7FCD9A

loc_7FCD46:				; CODE XREF: DrvDbGetDriverDatabaseList+8Cj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_91496E

loc_7FCD51:				; CODE XREF: DrvDbGetDriverDatabaseList+117C81j
		movzx	eax, word ptr [ebx+8]
		shr	eax, 1
		inc	eax
		add	[edi], eax
		test	ecx, ecx
		jz	short loc_7FCD92
		add	eax, [ebp+var_4]
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_14], eax
		cmp	eax, [ebp+arg_8]
		jnb	short loc_7FCD92
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+arg_8]
		push	900h
		push	esi
		push	esi
		push	dword ptr [ebx+0Ch]
		sub	edx, eax
		lea	ecx, [ecx+eax*2]
		call	RtlStringCchCopyExW
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+var_8]
		mov	[ebp+var_4], eax

loc_7FCD92:				; CODE XREF: DrvDbGetDriverDatabaseList+52j
					; DrvDbGetDriverDatabaseList+60j ...
		mov	ebx, [ebx]
		cmp	ebx, edx
		jnz	short loc_7FCD46
		mov	eax, [edi]

loc_7FCD9A:				; CODE XREF: DrvDbGetDriverDatabaseList+3Aj
		inc	eax
		mov	[edi], eax
		pop	ebx
		test	ecx, ecx
		jz	short loc_7FCDB6
		cmp	eax, [ebp+arg_8]
		ja	short loc_7FCDB6
		xor	edx, edx
		mov	[ecx+eax*2-2], dx

loc_7FCDAE:				; CODE XREF: DrvDbGetDriverDatabaseList+B1j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	10h
; 

loc_7FCDB6:				; CODE XREF: DrvDbGetDriverDatabaseList+96j
					; DrvDbGetDriverDatabaseList+9Bj
		mov	esi, 0C0000023h
		jmp	short loc_7FCDAE
DrvDbGetDriverDatabaseList endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpGetObjectListDispatch(x, x, x, x, x, x,	x, x)
__PnpGetObjectListDispatch@32 proc near	; CODE XREF: _PnpGetObjectList+81p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+arg_14]
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		push	edi
		mov	edi, ecx
		test	si, si
		jnz	short loc_7FCE24
		lea	eax, [ebp+var_4]
		push	eax
		call	__PnpCtxGetObjectDispatchCallback@12 ; _PnpCtxGetObjectDispatchCallback(x,x,x)
		test	eax, eax
		js	short loc_7FCE1D
		cmp	[ebp+var_4], ebx
		jz	short loc_7FCE2B
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	5
		push	edx
		push	ebx
		push	edi
		mov	[ebp+var_10], esi
		call	[ebp+var_4]

loc_7FCE1D:				; CODE XREF: _PnpGetObjectListDispatch(x,x,x,x,x,x,x,x)+2Bj
					; _PnpGetObjectListDispatch(x,x,x,x,x,x,x,x)+6Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7FCE24:				; CODE XREF: _PnpGetObjectListDispatch(x,x,x,x,x,x,x,x)+1Ej
		mov	eax, 0C000000Dh
		jmp	short loc_7FCE1D
; 

loc_7FCE2B:				; CODE XREF: _PnpGetObjectListDispatch(x,x,x,x,x,x,x,x)+30j
		mov	eax, 0C0000002h
		jmp	short loc_7FCE1D
__PnpGetObjectListDispatch@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FilterEvalStrict proc near		; CODE XREF: FilterEvalStrict+1A5p
					; FilterEval(x,x,x,x,x)+1Dp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00914990 SIZE 000000E7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_10], edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_1C], 1
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_18], esi
		mov	[ebp+arg_4], eax
		push	edi
		cmp	ebx, 3
		jb	loc_914A6D
		mov	ecx, [esi]
		and	ecx, 0FF00000h
		mov	[ebp+arg_0], ecx
		jz	loc_914A6D
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		mov	[ecx], eax
		lea	eax, [ebp+arg_4]
		push	eax
		mov	ecx, ebx
		call	_FindFilterOperatorClose@12 ; FindFilterOperatorClose(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_7FCF86
		imul	ecx, [ebp+arg_4], 2Ch
		mov	edx, [ebp+arg_0]
		add	ecx, esi
		add	esi, 2Ch
		mov	[ebp+var_20], ecx
		mov	ecx, ebx
		sub	ecx, [ebp+arg_4]
		dec	ebx
		mov	[ebp+var_24], ecx
		cmp	edx, 300000h
		jnz	loc_7FCF8D

loc_7FCEBB:				; CODE XREF: FilterEvalStrict+161j
		xor	ecx, ecx

loc_7FCEBD:				; CODE XREF: FilterEvalStrict+115j
		cmp	ebx, 1
		jbe	loc_7FCF55
		test	dword ptr [esi], 0FF00000h
		mov	edi, [ebp+arg_8]
		mov	[ebp+arg_4], ecx
		mov	[edi], ecx
		jnz	loc_7FCFB6
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [esi+4]
		push	eax
		push	[ebp+var_10]
		call	[ebp+var_14]
		mov	edi, eax
		cmp	edi, 0C0000225h
		jz	loc_7FCFF9
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_C]

loc_7FCF07:				; CODE XREF: FilterEvalStrict+1F3j
		test	edi, edi
		jnz	short loc_7FCF84
		push	[ebp+arg_8]	; int
		push	dword ptr [esi+24h] ; int
		push	dword ptr [esi+28h] ; wchar_t *
		push	dword ptr [esi+20h] ; int
		push	dword ptr [esi]	; int
		push	edx		; int
		mov	edx, ecx
		mov	ecx, eax
		call	PropertyEval
		dec	ebx
		mov	[ebp+arg_4], 2Ch

loc_7FCF2B:				; CODE XREF: FilterEvalStrict+1C2j
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		mov	ecx, [ebp+arg_8]
		cmp	edx, 300000h
		setz	al
		cmp	[ecx], eax
		jz	short loc_7FCF4C
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx

loc_7FCF45:				; CODE XREF: FilterEvalStrict+1E1j
		add	esi, eax
		jmp	loc_7FCEBD
; 

loc_7FCF4C:				; CODE XREF: FilterEvalStrict+10Cj
		mov	esi, [ebp+var_20]
		xor	ecx, ecx
		mov	ebx, [ebp+var_24]
		inc	ecx

loc_7FCF55:				; CODE XREF: FilterEvalStrict+8Ej
					; FilterEvalStrict+117C24j
		test	ebx, ebx
		jz	loc_914A6D
		mov	eax, [esi]
		and	eax, 0FF00000h
		cmp	eax, 400000h
		jnz	short loc_7FCF9E
		cmp	edx, 300000h

loc_7FCF71:				; CODE XREF: FilterEvalStrict+117C36j
		jnz	loc_914A6D

loc_7FCF77:				; CODE XREF: FilterEvalStrict+17Dj
		test	ecx, ecx
		jnz	short loc_7FCF84
		cmp	[ebp+var_1C], ecx
		jz	loc_7FD02A

loc_7FCF84:				; CODE XREF: FilterEvalStrict+D7j
					; FilterEvalStrict+147j ...
		mov	eax, edi

loc_7FCF86:				; CODE XREF: FilterEvalStrict+5Fj
					; FilterEvalStrict+19Aj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7FCF8D:				; CODE XREF: FilterEvalStrict+83j
		cmp	edx, 100000h
		jz	loc_7FCEBB
		jmp	loc_914990
; 

loc_7FCF9E:				; CODE XREF: FilterEvalStrict+137j
		cmp	eax, 200000h
		jnz	loc_914A5B
		cmp	edx, 100000h
		jz	short loc_7FCF77
		jmp	loc_914A6D
; 

loc_7FCFB6:				; CODE XREF: FilterEvalStrict+A2j
		lea	eax, [ebp+arg_4]
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	_FindFilterOperatorClose@12 ; FindFilterOperatorClose(x,x,x)
		mov	ecx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+arg_4], ecx
		test	eax, eax
		jnz	short loc_7FCF86
		mov	edx, [ebp+var_10]
		push	edi
		push	esi
		push	ecx
		mov	ecx, [ebp+var_14]
		call	FilterEvalStrict
		mov	edi, eax
		cmp	edi, 0C0000001h
		jz	short loc_7FD03C
		test	edi, edi
		jnz	short loc_7FCF84

loc_7FCFEA:				; CODE XREF: FilterEvalStrict+20Fj
		sub	ebx, [ebp+arg_4]
		imul	eax, [ebp+arg_4], 2Ch
		mov	[ebp+arg_4], eax
		jmp	loc_7FCF2B
; 

loc_7FCFF9:				; CODE XREF: FilterEvalStrict+C6j
		mov	eax, [esi]
		xor	ecx, ecx
		and	eax, 0FFFh
		mov	edi, ecx
		cmp	eax, 1
		jz	short loc_7FD018
		mov	edx, [ebp+arg_0]
		dec	ebx
		push	2Ch
		mov	[ebp+var_1C], ecx
		pop	eax
		jmp	loc_7FCF45
; 

loc_7FD018:				; CODE XREF: FilterEvalStrict+1D5j
		mov	eax, ecx
		mov	[ebp+var_8], ecx
		mov	edx, ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], edx
		jmp	loc_7FCF07
; 

loc_7FD02A:				; CODE XREF: FilterEvalStrict+14Cj
		mov	eax, 0C0000001h
		test	edi, edi
		jz	loc_7FCF86
		jmp	loc_7FCF84
; 

loc_7FD03C:				; CODE XREF: FilterEvalStrict+1B2j
		xor	eax, eax
		mov	[ebp+var_1C], eax
		jmp	short loc_7FCFEA
FilterEvalStrict endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PropertyEval(int,int,int,wchar_t *,int,int)
PropertyEval	proc near		; CODE XREF: FilterEvalImpliedAnd+79p
					; FilterEvalStrict+ECp	...

var_2C		= dword	ptr -2Ch
var_28		= qword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00914A77 SIZE 000036FA BYTES

		push	1Ch
		push	offset dword_6A5418
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	edi, ecx
		mov	dword ptr [ebp+var_28+4], edi
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx
		mov	esi, [ebp+arg_4]
		mov	eax, esi
		and	eax, 10000h
		mov	[ebp+var_2C], eax
		mov	eax, esi
		and	eax, 20000h
		mov	[ebp+arg_4], eax
		and	esi, 0F000FFFFh
		mov	ebx, [ebp+arg_14]
		mov	[ebx], ecx
		wait
		mov	[ebp+ms_exc.disabled], ecx
		test	eax, eax
		jnz	loc_7FD19E

loc_7FD08B:				; CODE XREF: PropertyEval+15Dj
					; PropertyEval+117A39j	...
		xor	edi, edi
		inc	edi
		cmp	esi, edi
		jz	loc_7FD139
		cmp	dword ptr [ebp+var_28+4], 0
		jz	short loc_7FD0F8
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_7FD0F8
		cmp	dword ptr [ebp+var_28+4], 1003h
		mov	ebx, [ebp+arg_14]
		ja	loc_7FD145
		jz	loc_917785
		mov	edx, dword ptr [ebp+var_28+4]
		dec	edx
		mov	[ebp+arg_8], edx
		cmp	edx, 18h
		mov	edx, [ebp+var_20]
		ja	loc_914A8E
		mov	ebx, [ebp+arg_8]
		jmp	ds:off_7FD284[ebx*4] ; case 0x2

loc_7FD0D6:				; DATA XREF: PAGE:007FD2B4o
		cmp	eax, 0Dh
		mov	ebx, [ebp+arg_14]
		jnz	loc_914A91	; default
		cmp	esi, 2
		jnz	loc_914A91	; default
		mov	eax, [edx]
		mov	esi, [ebp+arg_C]
		cmp	eax, [esi]
		jz	short loc_7FD11F

loc_7FD0F4:				; CODE XREF: PropertyEval+E1j
					; PropertyEval+E9j ...
		mov	edi, ecx

loc_7FD0F6:				; CODE XREF: PropertyEval:loc_7FD135j
					; PropertyEval+117DC3j	...
		mov	[ebx], edi

loc_7FD0F8:				; CODE XREF: PropertyEval+56j
					; PropertyEval+5Dj ...
		wait
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7FD100:				; CODE XREF: sub_918174+Fj
		cmp	[ebp+var_2C], 0
		jnz	loc_7FD190

loc_7FD10A:				; CODE XREF: PropertyEval+155j
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7FD11F:				; CODE XREF: PropertyEval+AEj
		mov	eax, [edx+4]
		cmp	eax, [esi+4]
		jnz	short loc_7FD0F4
		mov	eax, [edx+8]
		cmp	eax, [esi+8]
		jnz	short loc_7FD0F4
		mov	eax, [edx+0Ch]
		cmp	eax, [esi+0Ch]

loc_7FD135:				; CODE XREF: PropertyEval+117A70j
					; PropertyEval+117E81j	...
		jz	short loc_7FD0F6
		jmp	short loc_7FD0F4
; 

loc_7FD139:				; CODE XREF: PropertyEval+4Cj
		xor	eax, eax
		cmp	dword ptr [ebp+var_28+4], eax
		setnz	al

loc_7FD141:				; CODE XREF: PropertyEval+118A49j
					; PropertyEval+118A70j	...
		mov	[ebx], eax
		jmp	short loc_7FD0F8
; 

loc_7FD145:				; CODE XREF: PropertyEval+69j
		cmp	dword ptr [ebp+var_28+4], 2012h
		jnz	loc_9180CF
		cmp	eax, 12h
		jnz	loc_918116

loc_7FD15B:				; CODE XREF: PropertyEval+11B0D7j
		mov	[ebp+arg_8], esi
		sub	[ebp+arg_8], 2
		jz	loc_918151
		mov	edx, [ebp+arg_8]
		sub	edx, 0FFEh
		jnz	loc_918126
		push	[ebp+arg_4]
		push	[ebp+arg_C]
		mov	edx, eax
		mov	ecx, [ebp+var_20]
		call	StringListContains

loc_7FD187:				; CODE XREF: PropertyEval+1ABj
					; PropertyEval+21Cj ...
		mov	[ebx], eax

loc_7FD189:				; CODE XREF: PropertyEval+1D0j
					; PropertyEval+22Fj
		xor	ecx, ecx
		jmp	loc_7FD0F8
; 

loc_7FD190:				; CODE XREF: PropertyEval+C0j
		xor	eax, eax
		cmp	[ebx], ecx
		setz	al
		mov	[ebx], eax
		jmp	loc_7FD10A
; 

loc_7FD19E:				; CODE XREF: PropertyEval+41j
		cmp	edi, 12h
		jz	loc_7FD08B
		jmp	loc_914A77
; 

loc_7FD1AC:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2C8o
		cmp	eax, 12h
		mov	ebx, [ebp+arg_14]
		jnz	loc_914A91	; default
		cmp	esi, 2
		jnz	loc_918047

loc_7FD1C1:				; CODE XREF: PropertyEval+11B086j
		mov	eax, [ebp+arg_0]
		cmp	[ebp+arg_4], 0
		jz	loc_917791
		test	eax, eax
		jz	loc_7FD0F8
		cmp	eax, [ebp+arg_10]
		jnz	loc_7FD0F8
		push	[ebp+arg_C]	; wchar_t *
		push	edx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx

loc_7FD1EA:				; CODE XREF: PropertyEval+11AFDDj
					; PropertyEval+11AFEEj	...
		neg	eax
		sbb	eax, eax

loc_7FD1EE:				; CODE XREF: PropertyEval+117D74j
		inc	eax
		jmp	short loc_7FD187
; 

loc_7FD1F1:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2C4o
		cmp	eax, 11h
		mov	ebx, [ebp+arg_14]
		jnz	loc_914A91	; default
		cmp	esi, 2
		jnz	loc_914A91	; default

loc_7FD206:				; CODE XREF: PropertyEval+117A8Bj
					; PropertyEval+118345j
		mov	cl, [edx]
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		cmp	cl, [eax]

loc_7FD20F:				; CODE XREF: PropertyEval+117CB1j
		setz	dl

loc_7FD212:				; CODE XREF: PropertyEval+117ABDj
					; PropertyEval+117ADAj	...
		mov	[ebx], edx
		jmp	loc_7FD189
; 

loc_7FD219:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD29Co
		cmp	esi, 7
		mov	ebx, [ebp+arg_14]
		jz	loc_916375
		cmp	esi, 8
		jz	loc_916375
		add	eax, 0FFFFFFFEh	; switch 14 cases
		cmp	eax, 0Dh
		ja	loc_914A91	; default
		jmp	ds:off_7FD2E8[eax*4] ; switch jump

loc_7FD241:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi		; case 0x6
		sub	esi, 1
		jz	short loc_7FD265
		sub	esi, 1
		jz	short loc_7FD278
		sub	esi, 1
		jnz	loc_915EB4
		mov	ecx, [edx]

loc_7FD257:				; CODE XREF: PropertyEval+117D7Cj
					; PropertyEval+1184ACj	...
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax]

loc_7FD25C:				; CODE XREF: PropertyEval+23Bj
					; PropertyEval+118382j	...
		sbb	eax, eax
		neg	eax
		jmp	loc_7FD187
; 

loc_7FD265:				; CODE XREF: PropertyEval+201j
					; PropertyEval+118E36j	...
		mov	ecx, [edx]

loc_7FD267:				; CODE XREF: PropertyEval+117D2Aj
					; PropertyEval+118476j	...
		mov	eax, [ebp+arg_C]
		sub	ecx, [eax]

loc_7FD26C:				; CODE XREF: PropertyEval+117C25j
		neg	ecx
		sbb	ecx, ecx
		inc	ecx

loc_7FD271:				; CODE XREF: PropertyEval+117B6Ej
					; PropertyEval+117BA2j	...
		mov	[ebx], ecx
		jmp	loc_7FD189
; 

loc_7FD278:				; CODE XREF: PropertyEval+206j
		mov	ecx, [edx]

loc_7FD27A:				; CODE XREF: PropertyEval+117D84j
					; PropertyEval+1184B4j	...
		mov	eax, [ebp+arg_C]
		cmp	[eax], ecx
		jmp	short loc_7FD25C
PropertyEval	endp

; 
		align 4
off_7FD284	dd offset loc_914A9D	; DATA XREF: PropertyEval+8Br
		dd offset loc_914AB9
		dd offset loc_9152F2
		dd offset loc_915685
		dd offset loc_915A01
		dd offset loc_915D2E
		dd offset loc_7FD219
		dd offset loc_916398
		dd offset loc_9167BE
		dd offset loc_916CFE
		dd offset loc_917227
		dd offset loc_917774
		dd offset loc_7FD0D6
		dd offset loc_9177B5
		dd offset loc_917A71
		dd offset loc_917F9A
		dd offset loc_7FD1F1
		dd offset loc_7FD1AC
		dd offset loc_914A8E
		dd offset loc_914A8E
		dd offset loc_918067
		dd offset loc_918090
		dd offset loc_917779
		dd offset loc_918095
		dd offset loc_9180AF
off_7FD2E8	dd offset loc_915FEF	; DATA XREF: PropertyEval+1F6r
		dd offset loc_916044	; jump table for switch	statement
		dd offset loc_91608C
		dd offset loc_9160DA
		dd offset loc_7FD241
		dd offset loc_7FD241
		dd offset loc_91611A
		dd offset loc_9161BD
		dd offset loc_91623F
		dd offset loc_9162DA
		dd offset loc_914A91
		dd offset loc_914A91
		dd offset loc_91611A
		dd offset loc_9162DA

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDqPropertyCallback(int,void *,int,int,int)
PiDqPropertyCallback proc near		; DATA XREF: PiDqQueryEvaluateFilter+8Do

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 009183F3 SIZE 000000C8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], eax
		xor	edx, edx
		mov	[ebp+var_8], esi
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	[ebx+0Ch], eax
		jbe	loc_7FD3CA
		xor	ecx, ecx
		mov	[ebp+arg_0], ecx

loc_7FD34B:				; CODE XREF: PiDqPropertyCallback+A6j
		add	ecx, [ebx+8]
		mov	eax, [edi+10h]
		mov	[ebp+var_C], ecx
		cmp	eax, [ecx+10h]
		jnz	short loc_7FD3B3
		push	10h		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7FD3B3
		mov	ecx, [ebp+var_C]
		mov	eax, [edi+14h]
		cmp	eax, [ecx+14h]
		jnz	short loc_7FD3B3
		mov	eax, [edi+18h]
		mov	ecx, [ecx+18h]
		cmp	eax, ecx
		jnz	loc_9183F3

loc_7FD382:				; CODE XREF: PiDqPropertyCallback+11B0EEj
		imul	edx, [ebp+var_4], 28h
		mov	eax, [ebx+8]
		mov	ecx, [edx+eax+1Ch]
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		mov	eax, [ebx+8]
		mov	ecx, [edx+eax+20h]
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	eax, [ebx+8]
		mov	ecx, [edx+eax+24h]

loc_7FD3A5:				; CODE XREF: PiDqPropertyCallback+11B196j
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx

loc_7FD3AA:				; CODE XREF: PiDqPropertyCallback+C6j
					; PiDqPropertyCallback+F1j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_7FD3B3:				; CODE XREF: PiDqPropertyCallback+37j
					; PiDqPropertyCallback+47j ...
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		inc	eax
		add	ecx, 28h
		mov	[ebp+var_4], eax
		mov	[ebp+arg_0], ecx
		cmp	eax, [ebx+0Ch]
		jb	short loc_7FD34B
		mov	edx, esi

loc_7FD3CA:				; CODE XREF: PiDqPropertyCallback+20j
		mov	eax, [edi+14h]
		sub	eax, 0
		jnz	loc_918419
		mov	eax, [ebx+14h]
		mov	ecx, [eax+0Ch]
		mov	ecx, [ecx+10h]
		call	PiDqGetPnpObjectType

loc_7FD3E4:				; CODE XREF: PiDqPropertyCallback+11B157j
		test	esi, esi
		js	short loc_7FD3AA
		imul	ecx, [ebx+0Ch],	28h
		add	ecx, [ebx+8]
		push	ecx
		mov	ecx, [ebx+10h]
		push	0
		push	dword ptr [edi+14h]
		push	edi
		push	edx
		mov	edx, eax
		call	PiDqPnPGetObjectProperty
		mov	esi, eax
		cmp	esi, 0C000000Dh
		jz	loc_9184A8
		test	esi, esi
		js	short loc_7FD3AA
		imul	ecx, [ebx+0Ch],	28h
		mov	eax, [ebx+8]
		mov	ecx, [ecx+eax+1Ch]
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		imul	ecx, [ebx+0Ch],	28h
		mov	eax, [ebx+8]
		mov	ecx, [ecx+eax+20h]
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		imul	ecx, [ebx+0Ch],	28h
		mov	eax, [ebx+8]
		mov	ecx, [ecx+eax+24h]
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		inc	dword ptr [ebx+0Ch]
		jmp	loc_7FD3AA
PiDqPropertyCallback endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FindFilterOperatorClose(x, x, x)
_FindFilterOperatorClose@12 proc near	; CODE XREF: FilterEvalStrict+56p
					; FilterEvalStrict+18Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		mov	[eax], esi
		push	edi
		mov	edi, esi
		test	ebx, ebx
		jz	short loc_7FD4A7
		mov	ecx, esi

loc_7FD465:				; CODE XREF: FindFilterOperatorClose(x,x,x)+59j
		mov	eax, [edx]
		and	eax, 0FF00000h
		cmp	eax, 300000h
		jz	short loc_7FD4B1
		cmp	eax, 400000h
		jz	short loc_7FD4AE
		cmp	eax, 100000h
		jz	short loc_7FD4B1
		cmp	eax, 200000h
		jz	short loc_7FD4AE
		cmp	eax, offset loc_500000
		jz	short loc_7FD4B1
		cmp	eax, 600000h
		jz	short loc_7FD4AE

loc_7FD496:				; CODE XREF: FindFilterOperatorClose(x,x,x)+63j
					; FindFilterOperatorClose(x,x,x)+66j
		cmp	esi, edi
		jz	short loc_7FD4B4
		mov	eax, [ebp+arg_0]
		inc	ecx
		add	edx, 2Ch
		mov	[eax], ecx
		cmp	ecx, ebx
		jb	short loc_7FD465

loc_7FD4A7:				; CODE XREF: FindFilterOperatorClose(x,x,x)+15j
		mov	eax, 0C000000Dh
		jmp	short loc_7FD4B6
; 

loc_7FD4AE:				; CODE XREF: FindFilterOperatorClose(x,x,x)+2Cj
					; FindFilterOperatorClose(x,x,x)+3Aj ...
		inc	edi
		jmp	short loc_7FD496
; 

loc_7FD4B1:				; CODE XREF: FindFilterOperatorClose(x,x,x)+25j
					; FindFilterOperatorClose(x,x,x)+33j ...
		inc	esi
		jmp	short loc_7FD496
; 

loc_7FD4B4:				; CODE XREF: FindFilterOperatorClose(x,x,x)+4Cj
		xor	eax, eax

loc_7FD4B6:				; CODE XREF: FindFilterOperatorClose(x,x,x)+60j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_FindFilterOperatorClose@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


PiDqGetPnpObjectType proc near		; CODE XREF: PiDqQueryValidateQueryData+12p
					; PiDqActionDataCreate+99p ...

; FUNCTION CHUNK AT 009184BB SIZE 0000001F BYTES

		xor	eax, eax
		sub	ecx, 1
		jnz	short loc_7FD4C9
		push	3
		pop	eax

locret_7FD4C8:				; CODE XREF: PiDqGetPnpObjectType+11B00Aj
		retn
; 

loc_7FD4C9:				; CODE XREF: PiDqGetPnpObjectType+5j
		sub	ecx, 1
		jz	short loc_7FD4DB
		sub	ecx, 1
		jnz	loc_9184BB
		xor	eax, eax
		inc	eax
		retn
; 

loc_7FD4DB:				; CODE XREF: PiDqGetPnpObjectType+Ej
		push	5
		pop	eax
		retn
PiDqGetPnpObjectType endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DrvDbDispatchDriverDatabase proc near	; DATA XREF: .text:off_404C64o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 009184DA SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		mov	edx, [ebp+arg_8]
		push	eax
		call	__PnpCtxGetObjectContext@12 ; _PnpCtxGetObjectContext(x,x,x)
		test	eax, eax
		js	short locret_7FD526
		mov	eax, [ebp+arg_C]
		dec	eax
		cmp	eax, 8		; switch 9 cases
		ja	short loc_7FD569 ; default
		jmp	ds:off_7FD570[eax*4] ; switch jump

loc_7FD50D:				; DATA XREF: PAGE:off_7FD570o
		mov	edx, [ebp+arg_10] ; case 0x4
		mov	ecx, [ebp+var_4]
		push	dword ptr [edx+10h]
		push	dword ptr [edx+0Ch]
		push	dword ptr [edx+8]
		push	dword ptr [edx+4]
		mov	edx, [edx]
		call	DrvDbGetDriverDatabaseList

locret_7FD526:				; CODE XREF: DrvDbDispatchDriverDatabase+1Bj
					; DrvDbDispatchDriverDatabase+69j ...
		leave
		retn	14h
; 

loc_7FD52A:				; CODE XREF: DrvDbDispatchDriverDatabase+26j
					; DATA XREF: PAGE:off_7FD570o
		mov	eax, [ebp+arg_10] ; case 0x7
		mov	edx, [ebp+arg_4] ; wchar_t *
		mov	ecx, [ebp+var_4] ; int
		push	dword ptr [eax+18h] ; int
		push	dword ptr [eax+14h] ; int
		push	dword ptr [eax+10h] ; void *
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; void *
		push	dword ptr [eax]	; int
		call	DrvDbGetDriverDatabaseMappedProperty
		jmp	short locret_7FD526
; 

loc_7FD54B:				; CODE XREF: DrvDbDispatchDriverDatabase+26j
					; DATA XREF: PAGE:off_7FD570o
		mov	ecx, [ebp+arg_10] ; case 0x1
		mov	edx, [ebp+arg_4] ; wchar_t *
		lea	eax, [ecx+0Ch]
		push	eax		; int
		push	dword ptr [ecx+8] ; int
		movzx	eax, byte ptr [ecx+4]
		push	eax		; char
		push	dword ptr [ecx]	; int
		mov	ecx, [ebp+var_4] ; int
		call	DrvDbOpenDriverDatabaseRegKey
		jmp	short locret_7FD526
; 

loc_7FD569:				; CODE XREF: DrvDbDispatchDriverDatabase+24j
					; DrvDbDispatchDriverDatabase+26j
					; DATA XREF: ...
		mov	eax, 0C000000Dh	; default
		jmp	short locret_7FD526
DrvDbDispatchDriverDatabase endp

; 
off_7FD570	dd offset loc_9184DA	; DATA XREF: DrvDbDispatchDriverDatabase+26r
		dd offset loc_7FD54B	; jump table for switch	statement
		dd offset loc_9184E7
		dd offset loc_918504
		dd offset loc_7FD50D
		dd offset loc_918514
		dd offset loc_7FD569
		dd offset loc_7FD52A
		dd offset loc_918532

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpIsValidGuidString(x)
__PnpIsValidGuidString@4 proc near	; CODE XREF: _CmValidateDeviceContainerName(x,x)+7p
					; _PnpDispatchInterfaceClass+5Ap ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_1C], 0
		xor	eax, eax
		and	[ebp+var_18], 0
		push	edi
		lea	edi, [ebp+var_14]
		stosd
		push	ecx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_7FD5F4
		mov	eax, [ebp+var_1C+2]
		and	eax, 0FFFEh
		cmp	ax, 4Eh
		jnz	short loc_7FD5F4
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	short loc_7FD5F4
		mov	al, 1

loc_7FD5E7:				; CODE XREF: _PnpIsValidGuidString(x)+62j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_7FD5F4:				; CODE XREF: _PnpIsValidGuidString(x)+30j
					; _PnpIsValidGuidString(x)+3Ej	...
		xor	al, al
		jmp	short loc_7FD5E7
__PnpIsValidGuidString@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPnpRtlBeginOperation proc near	; CODE XREF: PiDqQueryEvaluateFilter+7Cp
					; PiDqActionDataGetRequestedProperties+43p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00918553 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		push	esi
		push	edi
		lea	ecx, [ebp+var_4]
		and	dword ptr [ebx], 0
		call	_PiPnpRtlGetCurrentOperation@4 ; PiPnpRtlGetCurrentOperation(x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	loc_7FD6DC
		xor	esi, esi

loc_7FD62D:				; CODE XREF: PiPnpRtlBeginOperation+E6j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	loc_7FD6E6
		push	41706E50h
		push	50h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_4], edi
		test	edi, edi
		jz	loc_918553
		mov	eax, [ebp+var_8]
		push	0		; int
		push	offset _PiPnpRtlOperationFreeGenericTableEntry@8 ; int
		push	offset _PiPnpRtlOperationAllocateGenericTableEntry@8 ; int
		mov	dword ptr [edi+4Ch], 1
		mov	[edi+8], eax
		lea	eax, [edi+0Ch]
		push	offset _PiPnpRtlObjectEventCompareObjects@12 ; int
		push	eax		; void *
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		lea	eax, [edi+44h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _PiPnpRtlActiveOperationsLock
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	ecx, _PiPnpRtlActiveOperations
		mov	edx, offset _PiPnpRtlActiveOperations
		cmp	[ecx+4], edx
		jnz	short loc_7FD6EB
		mov	eax, [ebp+var_4]
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[ecx+4], eax
		mov	ecx, edi
		mov	_PiPnpRtlActiveOperations, eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_4]

loc_7FD6D3:				; CODE XREF: PiPnpRtlBeginOperation+F1j
		mov	[ebx], eax

loc_7FD6D5:				; CODE XREF: PiPnpRtlBeginOperation+ECj
					; PiPnpRtlBeginOperation+11AF60j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7FD6DC:				; CODE XREF: PiPnpRtlBeginOperation+2Dj
		test	esi, esi
		jns	loc_7FD62D
		jmp	short loc_7FD6D5
; 

loc_7FD6E6:				; CODE XREF: PiPnpRtlBeginOperation+3Aj
		inc	dword ptr [eax+4Ch]
		jmp	short loc_7FD6D3
; 

loc_7FD6EB:				; CODE XREF: PiPnpRtlBeginOperation+B3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PiPnpRtlBeginOperation endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FilterEval(x, x, x,	x, x)
_FilterEval@20	proc near		; CODE XREF: ValidFilter(x,x)+41p
					; ConstraintEval+162p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 1
		jb	short loc_7FD71D
		mov	eax, [ebp+arg_4]
		push	[ebp+arg_8]
		push	eax
		test	dword ptr [eax], 0FF00000h
		push	[ebp+arg_0]
		jz	short loc_7FD716
		call	FilterEvalStrict

loc_7FD712:				; CODE XREF: FilterEval(x,x,x,x,x)+2Bj
					; FilterEval(x,x,x,x,x)+32j
		pop	ebp
		retn	0Ch
; 

loc_7FD716:				; CODE XREF: FilterEval(x,x,x,x,x)+1Bj
		call	FilterEvalImpliedAnd
		jmp	short loc_7FD712
; 

loc_7FD71D:				; CODE XREF: FilterEval(x,x,x,x,x)+9j
		mov	eax, 0C000000Dh
		jmp	short loc_7FD712
_FilterEval@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqQueryEvaluateFilter	proc near	; CODE XREF: PiDqQueryEnumObject+7Bp
					; PiDqQueryApplyObjectEvent+355p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0091855D SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		mov	[esp+34h+var_1C], edx
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+30h+var_18]
		rep stosd
		mov	eax, [ebp+arg_0]
		xor	ebx, ebx
		push	58706E50h
		mov	[esp+34h+var_24], ebx
		mov	[esp+34h+var_20], ebx
		mov	[eax], bl
		mov	eax, [esi+0Ch]
		imul	eax, [eax+34h],	28h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_91855D
		mov	eax, [esi+0Ch]
		imul	eax, [eax+34h],	28h
		push	eax		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	eax, [esi+0Ch]
		lea	ecx, [esp+3Ch+var_20]
		add	esp, 0Ch
		mov	eax, [eax+34h]
		mov	[esp+30h+var_14], eax
		mov	eax, [esp+30h+var_1C]
		mov	[esp+30h+var_10], edi
		mov	[esp+30h+var_8], eax
		mov	[esp+30h+var_4], esi
		call	PiPnpRtlBeginOperation
		mov	eax, [esi+0Ch]
		lea	ecx, [esp+30h+var_24]
		push	ecx
		lea	edx, [esp+34h+var_18]
		mov	ecx, offset PiDqPropertyCallback
		push	dword ptr [eax+38h]
		push	dword ptr [eax+34h]
		call	_FilterEval@20	; FilterEval(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7FD7D3
		cmp	[esp+30h+var_24], ebx
		mov	eax, [ebp+arg_0]
		setnz	cl
		mov	[eax], cl

loc_7FD7D3:				; CODE XREF: PiDqQueryEvaluateFilter+A1j
		mov	ecx, [esp+30h+var_C]
		mov	edx, edi
		push	58706E50h
		call	_PnpFreeDevPropertyArray@12 ; PnpFreeDevPropertyArray(x,x,x)
		mov	ebx, [esp+30h+var_20]

loc_7FD7E7:				; CODE XREF: PiDqQueryEvaluateFilter+11AE3Ej
		mov	eax, [esp+30h+var_18]
		test	eax, eax
		jnz	loc_918567

loc_7FD7F3:				; CODE XREF: PiDqQueryEvaluateFilter+11AE46j
					; PiDqQueryEvaluateFilter+11AE52j
		test	ebx, ebx
		jz	short loc_7FD7FE
		mov	ecx, ebx
		call	PiPnpRtlEndOperation

loc_7FD7FE:				; CODE XREF: PiDqQueryEvaluateFilter+D1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
PiDqQueryEvaluateFilter	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpDoesProcessBelongToServiceSession(x)
_CmpDoesProcessBelongToServiceSession@4	proc near
					; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+45Ap
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+17AEp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	esi
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		push	eax
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		mov	ecx, esi
		mov	edx, eax
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		cmp	eax, edx
		pop	esi
		setz	al
		retn
_CmpDoesProcessBelongToServiceSession@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmOpenDeviceInterfaceRegKey proc near	; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+CEp
					; _CmGetDeviceInterfaceMappedPropertyFromRegValue+12Ap	...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0091857B SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_10]
		mov	ebx, ecx
		push	edi
		push	2Ch		; size_t
		mov	[esp+4Ch+var_34], eax
		lea	eax, [esp+4Ch+var_30]
		push	0		; int
		push	eax		; void *
		mov	[esp+54h+var_38], edx
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	edi, [ebx+100h]
		and	[esp+48h+var_24], 0
		mov	[esp+48h+var_28], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+48h+var_20], eax
		mov	al, [ebp+arg_C]
		mov	[esp+48h+var_18], esi
		mov	esi, [esp+48h+var_38]
		mov	byte ptr [esp+48h+var_1C], al
		test	edi, edi
		jz	short loc_7FD8AE
		lea	eax, [esp+48h+var_30]
		push	eax
		push	1
		push	0Bh
		push	3
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	loc_91857B
		xor	edi, edi

loc_7FD8AE:				; CODE XREF: _CmOpenDeviceInterfaceRegKey+64j
					; _CmOpenDeviceInterfaceRegKey+11AD58j
		lea	eax, [esp+60h+var_2C]
		mov	edx, esi
		push	eax
		push	[esp+64h+var_30]
		mov	ecx, ebx
		push	[esp+68h+var_34]
		push	[esp+6Ch+var_38]
		push	[esp+70h+var_3C]
		push	[esp+74h+var_40]
		call	_CmOpenDeviceInterfaceRegKeyWorker
		mov	esi, eax
		test	edi, edi
		jnz	loc_91859D

loc_7FD8DA:				; CODE XREF: _CmOpenDeviceInterfaceRegKey+11AD6Cj
					; _CmOpenDeviceInterfaceRegKey+11AD8Cj	...
		test	esi, esi
		js	short loc_7FD8EC
		mov	ecx, [esp+60h+var_4C]
		test	ecx, ecx
		jz	short loc_7FD8EC
		mov	eax, [esp+60h+var_2C]
		mov	[ecx], eax

loc_7FD8EC:				; CODE XREF: _CmOpenDeviceInterfaceRegKey+B0j
					; _CmOpenDeviceInterfaceRegKey+B8j ...
		mov	ecx, [esp+60h+var_1C]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
_CmOpenDeviceInterfaceRegKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmOpenDeviceInterfaceRegKeyWorker proc	near ; CODE XREF: _CmOpenDeviceInterfaceRegKey+9Fp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 009185D7 SIZE 000001E9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		mov	[ebp+var_28], edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_18], 4
		mov	[ebp+var_10], eax
		push	edi
		mov	edi, eax
		test	esi, esi
		jz	loc_918618
		test	esi, 0FFFFFCCCh
		jnz	loc_918618
		mov	edi, 1E0h
		mov	[ebp+var_14], edi
		test	esi, 200h
		jnz	loc_9185D7

loc_7FD960:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11ACDDj
		push	52504E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_7FD96D:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+1FAj
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	loc_9185E4
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_20]
		push	eax
		mov	eax, edi
		shr	eax, 1
		push	eax
		push	ecx
		push	ecx
		push	[ebp+arg_4]
		push	esi
		call	_CmGetDeviceInterfaceRegKeyPath
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_7FDAC5

loc_7FD99F:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11ACE7j
		test	esi, esi
		js	loc_918784
		test	[ebp+arg_0], 100h
		jnz	loc_918622
		push	[ebp+var_4]
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_918784
		mov	si, word ptr [ebp+var_30]
		movzx	eax, si
		cmp	eax, edi
		jnb	loc_918615
		cmp	si, 32h
		jbe	loc_918615
		push	1
		lea	eax, [ebp+var_30]
		push	eax
		push	offset ?ObjectPathRootPrefix@?1??_CmOpenDeviceInterfaceRegKeyWorker@@9@9 ; `_CmOpenDeviceInterfaceRegKeyWorker'::`2'::ObjectPathRootPrefix
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		mov	edi, [ebp+var_4]
		test	al, al
		jz	loc_918618
		lea	eax, [edi+32h]
		mov	[ebp+arg_4], eax
		mov	[ebp+var_2C], eax
		mov	eax, 0FFCEh
		add	word ptr [ebp+var_30+2], ax
		add	si, ax
		push	1
		lea	eax, [ebp+var_30]
		mov	word ptr [ebp+var_30], si
		push	eax
		push	offset ?DeviceClassesKeyPrefix@?1??_CmOpenDeviceInterfaceRegKeyWorker@@9@9 ; `_CmOpenDeviceInterfaceRegKeyWorker'::`2'::DeviceClassesKeyPrefix
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_9185EE
		mov	[ebp+var_18], 9
		lea	eax, [edi+5Eh]

loc_7FDA39:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AD0Ej
		mov	[ebp+arg_4], eax

loc_7FDA3C:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11ACFEj
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_24]
		push	eax
		mov	ecx, ebx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_918784
		mov	eax, [ebp+var_24]

loc_7FDA57:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AD4Ej
		mov	[ebp+var_24], eax
		test	ebx, ebx
		jz	loc_918655
		mov	ecx, [ebx+74h]

loc_7FDA65:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AD55j
		push	[ebp+arg_10]
		mov	edx, eax
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		jnz	loc_91865C
		mov	eax, [ebp+arg_14]
		push	2
		pop	ecx
		mov	[eax], ecx

loc_7FDA87:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+1E5j
					; _CmOpenDeviceInterfaceRegKeyWorker+11AD1Bj ...
		cmp	[ebp+var_1C], 0
		jnz	loc_91878C

loc_7FDA91:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AE92j
		cmp	[ebp+var_C], 0
		jnz	loc_918799

loc_7FDA9B:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AE9Fj
		cmp	[ebp+var_8], 0
		jnz	loc_9187A6

loc_7FDAA5:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AEACj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_9187B3

loc_7FDAB0:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AEB9j
		test	edi, edi
		jz	short loc_7FDABC
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7FDABC:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+1B0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7FDAC5:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+97j
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_20]
		xor	edi, edi
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_14]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7FDA87
		mov	edi, [ebp+var_14]
		push	52504E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, [ebp+arg_0]
		jmp	loc_7FD96D
_CmOpenDeviceInterfaceRegKeyWorker endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetDeviceInterfaceRegKeyPath	proc near ; CODE XREF: PiDqGetRelativeObjectRegPath+9Dp
					; _CmOpenDeviceInterfaceRegKeyWorker+8Ap ...

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 009187C0 SIZE 000000E5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		mov	ecx, edx
		push	ebx
		mov	[ebp+var_64], eax
		xor	edx, edx
		mov	eax, [ebp+arg_14]
		mov	ebx, edx
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_68], edx
		push	esi
		push	edi
		test	eax, eax
		jz	loc_91889B
		test	eax, 0FFFFFCCCh
		jnz	loc_91889B
		movzx	edi, al
		mov	[ebp+var_70], edi
		cmp	edi, 30h
		jnz	loc_7FDC7C

loc_7FDB54:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+17Dj
		mov	byte ptr [ebp+var_60], 1

loc_7FDB58:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+18Bj
		lea	edx, [ecx+2]
		xor	ebx, ebx

loc_7FDB5D:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+64j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_7FDB5D
		sub	ecx, edx
		sar	ecx, 1
		push	52504E50h
		lea	esi, ds:6[ecx*2]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9187C0
		mov	edx, [ebp+var_5C]
		lea	eax, [ebp+var_58]
		push	ecx
		shr	esi, 1
		push	esi
		push	ebx
		push	eax
		push	[ebp+var_60]
		call	_CmGetDeviceInterfaceSubkeyPath
		mov	esi, eax
		test	esi, esi
		js	loc_7FDC5C
		mov	edx, [ebp+arg_0]
		and	edx, 200h
		jnz	loc_9187CA
		lea	ecx, [ebp+var_58]
		lea	eax, [ecx+2]
		mov	[ebp+var_5C], eax

loc_7FDBC0:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+C8j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_68]
		jnz	short loc_7FDBC0
		sub	ecx, [ebp+var_5C]
		sar	ecx, 1
		lea	eax, [ecx+30h]

loc_7FDBD4:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+11ACEBj
					; _CmGetDeviceInterfaceRegKeyPath+11AD13j
		mov	ecx, ebx
		mov	[ebp+var_60], eax
		lea	eax, [ecx+2]
		mov	[ebp+var_5C], eax

loc_7FDBDF:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+E7j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_68]
		jnz	short loc_7FDBDF
		sub	ecx, [ebp+var_5C]
		mov	eax, [ebp+var_60]
		sar	ecx, 1
		inc	eax
		add	eax, ecx
		cmp	edi, 30h
		jb	loc_918824
		cmp	edi, 31h
		ja	loc_7FDC92

loc_7FDC08:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+19Cj
					; _CmGetDeviceInterfaceRegKeyPath+11AD27j
		test	esi, esi
		js	short loc_7FDC5C
		xor	ecx, ecx
		mov	esi, ecx
		mov	ecx, [ebp+var_6C]
		test	ecx, ecx
		jz	short loc_7FDC19
		mov	[ecx], eax

loc_7FDC19:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+113j
		mov	edi, [ebp+arg_10]
		cmp	eax, edi
		ja	loc_7FDCD1
		test	edx, edx
		jnz	loc_91882E
		push	ebx
		lea	eax, [ebp+var_58]
		push	eax
		push	(offset	loc_8C91DD+1) ;	char
		push	offset ??_C@_1BC@GLIGFLDD@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@	; "%s\\%s\\%s"
		push	800h		; int
		xor	eax, eax
		push	eax		; int
		push	eax		; int
		push	edi		; int
		push	[ebp+var_64]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 24h

loc_7FDC50:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+11AD5Cj
					; _CmGetDeviceInterfaceRegKeyPath+11AD94j
		mov	esi, eax
		test	esi, esi
		js	short loc_7FDC5C

loc_7FDC56:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+11AD64j
		cmp	[ebp+var_70], 32h
		jz	short loc_7FDCA3

loc_7FDC5C:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+A0j
					; _CmGetDeviceInterfaceRegKeyPath+108j	...
		xor	edx, edx

loc_7FDC5E:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+11AD9Ej
		test	ebx, ebx
		jz	short loc_7FDC69
		push	edx
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7FDC69:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+15Ej
					; _CmGetDeviceInterfaceRegKeyPath+1DBj	...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_7FDC7C:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+4Cj
		cmp	edi, 32h
		jz	loc_7FDB54
		cmp	edi, 31h
		jnz	short loc_7FDCD8
		mov	byte ptr [ebp+var_60], dl
		jmp	loc_7FDB58
; 

loc_7FDC92:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+100j
		cmp	edi, 32h
		jnz	loc_918824
		add	eax, 12h
		jmp	loc_7FDC08
; 

loc_7FDCA3:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+158j
		mov	ecx, [ebp+var_64]
		sub	esp, 0Ch
		mov	edx, edi
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		call	RtlStringCchCatExW
		mov	esi, eax
		test	esi, esi
		js	short loc_7FDC5C
		mov	ecx, [ebp+var_64]
		sub	esp, 0Ch
		mov	edx, edi
		push	offset ??_C@_1CE@JDBBMLAG@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?5?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe@NNGAKEGL@ ; "Device Parameters"
		call	RtlStringCchCatExW
		mov	esi, eax
		jmp	short loc_7FDC5C
; 

loc_7FDCD1:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+11Cj
		mov	esi, 0C0000023h
		jmp	short loc_7FDC5C
; 

loc_7FDCD8:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+186j
		mov	esi, 0C000000Dh
		jmp	short loc_7FDC69
_CmGetDeviceInterfaceRegKeyPath	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetDeviceInterfaceMappedPropertyFromComposite(int,void *,int,int,int,void *)
_CmGetDeviceInterfaceMappedPropertyFromComposite proc near
					; CODE XREF: _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)+87p
					; _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+BCp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 009188A5 SIZE 000000CC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_C], ecx
		xor	ecx, ecx
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	[eax], ecx
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], ecx
		mov	[eax], ecx
		push	esi
		mov	esi, ecx
		push	edi
		test	ebx, ebx
		jz	loc_9188A5
		mov	edi, [ebp+arg_10]
		mov	eax, edi
		neg	eax
		sbb	eax, eax
		and	ebx, eax

loc_7FDD1E:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+11ABC7j
		mov	ecx, [ebp+arg_4]
		push	2
		pop	edx
		mov	eax, [ecx+10h]
		cmp	eax, edx
		jb	loc_9188AC
		cmp	eax, 0Ah
		jz	loc_7FDE40
		cmp	eax, 4
		jnz	short loc_7FDD7E
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceInterface_ClassGuid ; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7FDD75
		mov	eax, [ebp+arg_14]
		push	10h
		pop	ecx
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 0Dh
		cmp	edi, ecx
		jb	loc_9188B6
		mov	edx, [ebp+var_8]
		push	ebx
		call	__CmGetDeviceInterfaceClassGuid@12 ; _CmGetDeviceInterfaceClassGuid(x,x,x)
		mov	esi, eax

loc_7FDD75:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+6Fj
					; _CmGetDeviceInterfaceMappedPropertyFromComposite+A9j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7FDD7E:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+5Bj
		cmp	eax, 5
		jz	loc_9188C0
		cmp	eax, edx
		jnz	short loc_7FDD75
		push	10h		; size_t
		push	offset _DEVPKEY_Device_ContainerId ; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7FDD75
		push	52504E50h
		mov	esi, 190h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		jz	loc_918942
		mov	edx, [ebp+var_8]
		lea	ecx, [ebp+var_4]
		push	0
		push	ecx
		mov	ecx, [ebp+var_C]
		push	esi
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	offset _DEVPKEY_Device_InstanceId
		push	0
		push	[ebp+arg_0]
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7FDE9A
		cmp	[ebp+var_14], 12h
		jnz	loc_918956
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	ecx
		push	eax
		push	edi
		mov	edi, [ebp+arg_C]
		mov	edx, edi
		push	ebx
		push	[ebp+arg_8]
		push	offset _DEVPKEY_Device_ContainerId
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_C]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_91894C

loc_7FDE23:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+1BDj
					; _CmGetDeviceInterfaceMappedPropertyFromComposite+11AC71j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jnz	loc_918960

loc_7FDE33:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+11AC8Cj
		mov	ecx, [ebp+arg_14]
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		jmp	loc_7FDD75
; 

loc_7FDE40:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+52j
		push	10h		; size_t
		push	offset _DEVPKEY_NAME ; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7FDD75
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		push	ebx
		push	[ebp+arg_8]
		push	offset _DEVPKEY_DeviceInterface_FriendlyName
		push	0
		push	[ebp+arg_0]
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_7FDE8C

loc_7FDE7F:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+1B8j
		mov	eax, [ebp+arg_14]
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx
		jmp	loc_7FDD75
; 

loc_7FDE8C:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+19Dj
		cmp	esi, 0C0000023h
		jnz	loc_7FDD75
		jmp	short loc_7FDE7F
; 

loc_7FDE9A:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+103j
					; _CmGetDeviceInterfaceMappedPropertyFromComposite+11AC7Bj
		mov	edi, [ebp+arg_C]
		jmp	short loc_7FDE23
_CmGetDeviceInterfaceMappedPropertyFromComposite endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDeviceInterfaceClassGuid(x, x, x)
__CmGetDeviceInterfaceClassGuid@12 proc	near
					; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+8Ep
					; IopProcessSetInterfaceState+BBp ...

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_64], 0
		lea	eax, [ebp+var_5C]
		and	[ebp+var_60], 0
		push	esi
		mov	esi, [ebp+arg_0]
		push	ecx
		push	eax
		call	__CmGetDeviceInterfaceClassGuidString@16 ; _CmGetDeviceInterfaceClassGuidString(x,x,x,x)
		test	eax, eax
		js	short loc_7FDEE7
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_64]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_7FDEE7
		push	esi
		lea	eax, [ebp+var_64]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)

loc_7FDEE7:				; CODE XREF: _CmGetDeviceInterfaceClassGuid(x,x,x)+2Aj
					; _CmGetDeviceInterfaceClassGuid(x,x,x)+3Bj
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
__CmGetDeviceInterfaceClassGuid@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDeviceInterfaceClassGuidString(x, x, x, x)
__CmGetDeviceInterfaceClassGuidString@16 proc near
					; CODE XREF: _CmGetDeviceInterfaceClassGuid(x,x,x)+23p
					; _CmCreateDeviceInterfaceWorker(x,x,x,x,x,x)+5Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		push	ecx
		push	0
		push	0
		push	esi
		push	1
		call	_CmGetDeviceInterfaceSubkeyPath
		test	eax, eax
		jz	short loc_7FDF24
		cmp	eax, 0C0000023h
		jnz	short loc_7FDF1E
		xor	eax, eax
		mov	[esi+4Ch], ax

loc_7FDF1E:				; CODE XREF: _CmGetDeviceInterfaceClassGuidString(x,x,x,x)+20j
					; _CmGetDeviceInterfaceClassGuidString(x,x,x,x)+33j
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
; 

loc_7FDF24:				; CODE XREF: _CmGetDeviceInterfaceClassGuidString(x,x,x,x)+19j
		mov	eax, 0C00000E5h
		jmp	short loc_7FDF1E
__CmGetDeviceInterfaceClassGuidString@16 endp

; 
		align 10h
; Exported entry 2493. SeQueryServerSiloToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeQueryServerSiloToken(x, x)
		public _SeQueryServerSiloToken@8
_SeQueryServerSiloToken@8 proc near	; CODE XREF: PAGE:007A2C9Dp
					; SepCreateClientSecurityEx+FCFCEp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+arg_0]
		push	1
		push	dword ptr [edi+30h]
		call	ExAcquireResourceSharedLite
		mov	ecx, [edi+30h]
		mov	esi, [edi+78h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		call	_PsGetSiloBySessionId@8	; PsGetSiloBySessionId(x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_SeQueryServerSiloToken@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DrvDbDispatchDriverPackage proc	near	; DATA XREF: .text:00404C6Co

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00918971 SIZE 000000E9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		mov	edx, [ebp+arg_8]
		push	esi
		push	eax
		call	__PnpCtxGetObjectContext@12 ; _PnpCtxGetObjectContext(x,x,x)
		test	eax, eax
		js	short loc_7FDFD3
		mov	ecx, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+var_4]
		push	edi
		mov	edi, [ebp+arg_10]
		mov	eax, [ebx+8]
		test	eax, 10000000h
		jz	loc_918971

loc_7FDFA9:				; CODE XREF: DrvDbDispatchDriverPackage+11AA12j
					; DrvDbDispatchDriverPackage+11AA2Cj ...
		dec	ecx
		cmp	ecx, 8		; switch 9 cases
		ja	short loc_7FDFFE ; default
		jmp	ds:off_7FE006[ecx*4] ; switch jump

loc_7FDFB6:				; DATA XREF: PAGE:off_7FE006o
		push	dword ptr [edi+18h] ; case 0x7
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		push	dword ptr [edi+14h] ; int
		push	dword ptr [edi+10h] ; void *
		push	dword ptr [edi+0Ch] ; int
		push	dword ptr [edi+8] ; void *
		push	dword ptr [edi]	; int
		call	DrvDbGetDriverPackageMappedProperty

loc_7FDFD1:				; CODE XREF: DrvDbDispatchDriverPackage+8Aj
					; DrvDbDispatchDriverPackage+91j ...
		pop	edi
		pop	ebx

loc_7FDFD3:				; CODE XREF: DrvDbDispatchDriverPackage+1Cj
		pop	esi
		leave
		retn	14h
; 

loc_7FDFD8:				; CODE XREF: DrvDbDispatchDriverPackage+3Dj
					; DATA XREF: PAGE:off_7FE006o
		mov	al, [edi+4]	; case 0x1
		mov	esi, [edi+8]
		mov	edx, [edi]
		mov	byte ptr [ebp+arg_8], al
		push	0
		lea	eax, [edi+0Ch]
		mov	ecx, ebx
		push	eax
		push	esi
		push	[ebp+arg_8]
		push	edx
		push	[ebp+arg_4]
		xor	edx, edx
		push	2
		call	DrvDbOpenObjectRegKey
		jmp	short loc_7FDFD1
; 

loc_7FDFFE:				; CODE XREF: DrvDbDispatchDriverPackage+3Bj
					; DrvDbDispatchDriverPackage+3Dj
					; DATA XREF: ...
		mov	eax, 0C000000Dh	; default
		jmp	short loc_7FDFD1
DrvDbDispatchDriverPackage endp

; 
		align 2
off_7FE006	dd offset loc_9189C5	; DATA XREF: DrvDbDispatchDriverPackage+3Dr
		dd offset loc_7FDFD8	; jump table for switch	statement
		dd offset loc_9189D2
		dd offset loc_9189EB
		dd offset loc_9189FF
		dd offset loc_918A23
		dd offset loc_7FDFFE
		dd offset loc_7FDFB6
		dd offset loc_918A3D

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxGetObjectContext(x, x, x)
__PnpCtxGetObjectContext@12 proc near	; CODE XREF: DrvDbDispatchDriverInfFile+15p
					; DrvDbDispatchDriverDatabase+14p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		lea	eax, [edx-1]
		xor	esi, esi
		cmp	eax, 0Ah
		ja	short loc_7FE04D
		mov	eax, [ebp+arg_0]
		mov	ecx, [ecx+edx*4+0C8h]
		mov	[eax], ecx

loc_7FE046:				; CODE XREF: _PnpCtxGetObjectContext(x,x,x)+28j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_7FE04D:				; CODE XREF: _PnpCtxGetObjectContext(x,x,x)+Ej
		mov	esi, 0C000000Dh
		jmp	short loc_7FE046
__PnpCtxGetObjectContext@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	DrvDbGetDriverPackageMappedProperty(int,void *,int,void	*,int,int)
DrvDbGetDriverPackageMappedProperty proc near ;	CODE XREF: DrvDbDispatchDriverPackage+5Ap
					; DrvDbGetDriverPackageSignerScore(x,x,x,x)+24p ...

var_4E		= byte ptr -4Eh
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_7		= word ptr -7
var_5		= byte ptr -5
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00918A5A SIZE 000007BA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	[esp+58h+var_48], ecx
		xor	ecx, ecx
		push	esi
		push	edi
		mov	eax, ecx
		mov	[ebx], ecx
		mov	[esp+60h+var_18], eax
		lea	edi, [esp+60h+var_14]
		mov	[esp+60h+var_4C], eax
		mov	esi, ecx
		stosd
		mov	[esp+60h+var_1C], ecx
		mov	[esp+60h+var_34], ecx
		mov	[esp+60h+var_20], ecx
		stosd
		mov	[esp+60h+var_28], ecx
		mov	[esp+60h+var_30], ecx
		mov	[esp+60h+var_38], ecx
		stosd
		mov	[esp+60h+var_3C], ecx
		mov	[esp+60h+var_24], ecx
		mov	[esp+60h+var_2C], ecx
		stosd
		mov	[esp+60h+var_4D], cl
		mov	[esp+60h+var_44], edx
		stosd
		mov	edi, [ebp+arg_14]
		mov	eax, [ebp+arg_4]
		mov	[edi], ecx
		mov	ecx, [eax+10h]
		mov	[esp+60h+var_40], ecx
		cmp	ecx, 2
		jz	loc_7FE367
		cmp	ecx, 12h
		jz	loc_918A9B
		cmp	ecx, 21h
		jz	loc_918BA6
		cmp	ecx, 1Dh
		jz	loc_918DE3

loc_7FE0E1:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11ADAAj
		cmp	ecx, 1Eh
		jz	loc_918E03
		cmp	ecx, 20h
		jz	loc_918F60
		cmp	ecx, 26h
		jz	loc_918FC7
		cmp	ecx, 28h
		jz	loc_9190EE

loc_7FE105:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+32Fj
		mov	esi, [ebp+arg_4]
		xor	edx, edx
		mov	eax, edx
		mov	ebx, edx
		mov	[esp+60h+var_2C], eax

loc_7FE112:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+D7j
		mov	edx, ds:off_401730[ebx]
		cmp	[edx+10h], ecx
		jz	short loc_7FE137

loc_7FE11D:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+33Cj
		inc	eax
		add	ebx, 18h
		mov	[esp+60h+var_2C], eax
		cmp	ebx, 300h
		jb	short loc_7FE112

loc_7FE12D:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+105j
		mov	esi, 0C0000016h
		jmp	loc_7FE287
; 

loc_7FE137:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+C7j
		push	10h		; size_t
		push	esi		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7FE388
		imul	eax, [esp+60h+var_2C], arg_10
		add	eax, offset off_401730
		mov	[esp+60h+var_40], eax
		jz	short loc_7FE12D
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		inc	ebx
		test	esi, esi
		jnz	loc_7FE395
		xor	ecx, ecx
		lea	eax, [esp+60h+var_4C]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [esp+70h+var_48]
		xor	edx, edx
		push	ebx
		push	[esp+74h+var_44]
		push	2
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_7FE26C
		mov	ecx, [esp+60h+var_4C]
		mov	esi, [ebp+arg_0]
		mov	eax, [esp+60h+var_40]

loc_7FE19A:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+345j
		xor	edx, edx
		cmp	[eax+14h], edx
		jz	loc_7FE292
		push	30h
		pop	eax
		push	42444450h
		push	eax
		push	ebx
		mov	[esp+6Ch+var_2C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_918C7E
		test	esi, esi
		jnz	short loc_7FE1CA
		mov	esi, [esp+60h+var_4C]

loc_7FE1CA:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+170j
		lea	eax, [esp+60h+var_2C]
		mov	edx, offset ??_C@_1BA@LIACFDLB@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@NNGAKEGL@ ; "Version"
		push	eax
		push	ebx
		lea	eax, [esp+68h+var_28]
		mov	ecx, esi
		push	eax
		call	_RegRtlQueryValue
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_9191C8
		mov	edi, 0C0000023h
		cmp	esi, edi
		jz	loc_9191D2
		test	esi, esi
		js	short loc_7FE251
		cmp	[esp+60h+var_28], 3
		jnz	loc_9191E3
		cmp	[esp+60h+var_2C], 30h
		jnz	loc_9191E3
		cmp	[ebp+arg_C], 0
		mov	edx, [esp+60h+var_40]
		mov	ecx, [ebp+arg_8]
		mov	eax, [edx+4]
		mov	[ecx], eax
		mov	eax, [ebp+arg_14]
		mov	ecx, [edx+14h]
		mov	[eax], ecx
		jz	loc_9191DC
		cmp	[ebp+arg_10], ecx
		jb	loc_9191DC
		push	dword ptr [edx+14h] ; size_t
		mov	eax, [edx+10h]
		add	eax, ebx
		push	eax		; void *
		push	[ebp+arg_C]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_7FE251:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+1AAj
					; DrvDbGetDriverPackageMappedProperty+11AA42j ...
		test	ebx, ebx
		jz	short loc_7FE26C
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7FE25E:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11ABE7j
					; DrvDbGetDriverPackageMappedProperty+11AC39j ...
		xor	eax, eax

loc_7FE260:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AC25j
		mov	ecx, [esp+60h+var_3C]
		test	ecx, ecx
		jnz	loc_9191FA

loc_7FE26C:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+135j
					; DrvDbGetDriverPackageMappedProperty+1FFj ...
		cmp	[esp+60h+var_34], 0
		jnz	loc_919206

loc_7FE277:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11B1BBj
		cmp	[esp+60h+var_4C], 0
		jz	short loc_7FE287
		push	[esp+60h+var_4C]
		call	_ZwClose@4	; ZwClose(x)

loc_7FE287:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+DEj
					; DrvDbGetDriverPackageMappedProperty+228j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_7FE292:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+14Bj
		test	esi, esi
		jnz	loc_7FE39E

loc_7FE29A:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+34Cj
		mov	ebx, [ebp+arg_8]
		mov	edx, ecx
		push	edi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ebx
		push	eax
		call	DrvDbGetRegValueMappedProperty
		mov	esi, eax
		mov	edi, 0C0000023h
		cmp	esi, 0C0000225h
		jz	short loc_7FE2D3
		test	esi, esi
		jnz	loc_9191ED

loc_7FE2C4:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11B1A1j
		cmp	dword ptr [ebx], 12h
		jnz	short loc_7FE26C
		mov	ebx, [ebp+arg_14]
		cmp	dword ptr [ebx], 2
		jnz	short loc_7FE26C
		jmp	short loc_7FE2D6
; 

loc_7FE2D3:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+266j
		mov	ebx, [ebp+arg_14]

loc_7FE2D6:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+27Dj
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax+10h], 7
		jnz	short loc_7FE26C
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_SignerName ; void	*
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7FE26C
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_7FE302
		mov	eax, [esp+60h+var_4C]

loc_7FE302:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+2A8j
		mov	edx, [esp+60h+var_44]
		lea	ecx, [esp+60h+var_24]
		push	ecx		; void *
		mov	ecx, [esp+64h+var_48]
		push	eax		; int
		call	_DrvDbGetDriverPackageSignerScore@16 ; DrvDbGetDriverPackageSignerScore(x,x,x,x)
		test	eax, eax
		js	loc_7FE26C
		cmp	[esp+60h+var_24], 0D000003h
		jnz	loc_7FE26C
		cmp	[ebp+arg_C], 0
		mov	eax, [ebp+arg_8]
		push	24h
		pop	ecx
		mov	dword ptr [eax], 12h
		mov	[ebx], ecx
		jz	short loc_7FE3A5
		mov	eax, [ebp+arg_10]
		cmp	eax, ecx
		jb	short loc_7FE3A5
		mov	ecx, [ebp+arg_C]
		xor	ebx, ebx
		push	800h
		push	ebx
		push	ebx
		shr	eax, 1
		push	offset ??_C@_1CE@PEJPMNIN@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo@NNGAKEGL@ ; "Microsoft Windows"
		mov	edx, eax
		call	RtlStringCchCopyExW
		mov	esi, ebx
		jmp	loc_7FE26C
; 

loc_7FE367:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+6Cj
		push	10h		; size_t
		push	offset _DEVPKEY_NODE ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_918A5A

loc_7FE37F:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AA59j
					; DrvDbGetDriverPackageMappedProperty+11AB64j ...
		mov	ecx, [esp+60h+var_40]
		jmp	loc_7FE105
; 

loc_7FE388:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+F1j
		mov	ecx, [esp+60h+var_40]
		mov	eax, [esp+60h+var_2C]
		jmp	loc_7FE11D
; 

loc_7FE395:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+10Fj
		mov	ecx, [esp+60h+var_18]
		jmp	loc_7FE19A
; 

loc_7FE39E:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+240j
		mov	ecx, esi
		jmp	loc_7FE29A
; 

loc_7FE3A5:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+2E9j
					; DrvDbGetDriverPackageMappedProperty+2F0j
		mov	esi, edi
		jmp	loc_918A92
DrvDbGetDriverPackageMappedProperty endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopDeviceInterfaceFilterCallback proc near ; DATA XREF:	IopGetDeviceInterfaces+20Ao

var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00919214 SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		push	ebx
		xor	ebx, ebx
		cmp	[ebp+arg_8], 3
		push	esi
		mov	[esp+20h+var_10], ebx
		mov	[esp+20h+var_C], ebx
		mov	[esp+20h+var_8], ebx
		mov	[esp+20h+var_4], ebx
		mov	[esp+20h+var_11], bl
		jnz	short loc_7FE408
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	short loc_7FE408
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_919214

loc_7FE3E6:				; CODE XREF: IopDeviceInterfaceFilterCallback+11AEA9j
		mov	edx, [ebp+arg_4]
		lea	eax, [esp+0Fh]
		mov	ecx, [ebp+arg_0]
		push	eax
		lea	eax, [esi+4]
		push	eax
		push	ebx
		push	3
		call	_PiPnpRtlApplyMandatoryFilters@24 ; PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)
		test	eax, eax
		sets	bl
		dec	bl
		and	bl, [esp+20h+var_11]

loc_7FE408:				; CODE XREF: IopDeviceInterfaceFilterCallback+27j
					; IopDeviceInterfaceFilterCallback+2Ej	...
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
IopDeviceInterfaceFilterCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetDeviceInterfaceMappedProperty(int,int,void *,int,int,int,void *)
__CmGetDeviceInterfaceMappedProperty@36	proc near
					; CODE XREF: _PnpDispatchDeviceInterface+43p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_18]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], edx
		mov	ebx, 0C0000016h
		mov	[ebp+var_8], ecx
		push	edi
		mov	[eax], esi
		cmp	[ebp+arg_4], esi
		jnz	short loc_7FE4A0
		mov	edi, [ebp+arg_8]
		mov	ecx, esi
		mov	[ebp+arg_4], esi

loc_7FE43B:				; CODE XREF: _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)+44j
		mov	edx, ds:off_A42DD8[ecx]
		test	edx, edx
		jz	short loc_7FE44D
		mov	eax, [edi+10h]
		cmp	eax, [edx+10h]
		jz	short loc_7FE4A9

loc_7FE44D:				; CODE XREF: _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)+31j
					; _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)+AAj
		add	ecx, 8
		mov	[ebp+arg_4], ecx
		cmp	ecx, 18h
		jb	short loc_7FE43B

loc_7FE458:				; CODE XREF: _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)+D6j
		mov	ecx, [edi+10h]
		mov	[ebp+arg_4], ecx

loc_7FE45E:				; CODE XREF: _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)+5Dj
		mov	eax, ds:off_A42EF0[esi]
		cmp	ecx, [eax+10h]
		jz	short loc_7FE473

loc_7FE469:				; CODE XREF: _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)+AFj
		add	esi, 8
		cmp	esi, 20h
		jb	short loc_7FE45E
		jmp	short loc_7FE4A0
; 

loc_7FE473:				; CODE XREF: _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)+55j
		push	10h		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_7FE4BE
		push	[ebp+arg_18]	; void *
		mov	edx, [ebp+var_4]
		push	[ebp+arg_14]	; int
		mov	ecx, [ebp+var_8]
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	edi		; void *
		push	[ebp+arg_0]	; int
		call	_CmGetDeviceInterfaceMappedPropertyFromComposite
		mov	ebx, eax

loc_7FE4A0:				; CODE XREF: _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)+1Fj
					; _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)+5Fj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	1Ch
; 

loc_7FE4A9:				; CODE XREF: _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)+39j
		push	10h		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_7FE4C3
		mov	ecx, [ebp+arg_4]
		jmp	short loc_7FE44D
; 

loc_7FE4BE:				; CODE XREF: _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)+6Fj
		mov	ecx, [ebp+arg_4]
		jmp	short loc_7FE469
; 

loc_7FE4C3:				; CODE XREF: _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)+A5j
		push	[ebp+arg_18]	; int
		mov	edx, [ebp+var_4]
		push	[ebp+arg_14]	; int
		mov	ecx, [ebp+var_8]
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	edi		; void *
		push	[ebp+arg_0]	; int
		call	_CmGetDeviceInterfaceMappedPropertyFromRegValue
		mov	ebx, eax
		cmp	ebx, 0C0000016h
		jnz	short loc_7FE4A0
		jmp	loc_7FE458
__CmGetDeviceInterfaceMappedProperty@36	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqEnumQueryObjectsCallback(x, x, x)
_PiDqEnumQueryObjectsCallback@12 proc near
					; DATA XREF: PiDqObjectManagerEnumerateAndRegisterQuery+1FEo
					; PiDqObjectManagerEnumerateAndRegisterQuery+2D7o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	byte ptr [eax],	0
		call	PiDqQueryEnumObject
		pop	ecx
		pop	ebp
		retn	0Ch
_PiDqEnumQueryObjectsCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqQueryEnumObject proc near		; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+D4p
					; PiDqEnumQueryObjectsCallback(x,x,x)+12p ...

var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 0091925A SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		and	[ebp+var_8], esi
		mov	cl, 1
		mov	byte ptr [ebp+var_1], cl
		mov	ebx, edx
		mov	eax, [edi+0Ch]
		cmp	[eax+14h], esi
		jnz	short loc_7FE573
		mov	eax, [eax+10h]
		dec	eax
		cmp	eax, 2
		ja	short loc_7FE553
		mov	edx, [ebx+0Ch]
		lea	eax, [ebp+var_1]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [edi+10h]
		push	eax
		push	esi
		push	dword ptr [ebx+14h]
		call	_PiPnpRtlApplyMandatoryFilters@24 ; PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)
		mov	cl, byte ptr [ebp+var_1]
		mov	esi, eax

loc_7FE553:				; CODE XREF: PiDqQueryEnumObject+28j
		cmp	esi, 0C0000034h
		jz	loc_91925A
		cmp	esi, 0C0000225h
		jz	loc_91925A

loc_7FE56B:				; CODE XREF: PiDqQueryEnumObject+11AD57j
		test	esi, esi
		js	short loc_7FE59F
		test	cl, cl
		jz	short loc_7FE59F

loc_7FE573:				; CODE XREF: PiDqQueryEnumObject+1Fj
		mov	eax, [edi+0Ch]
		cmp	dword ptr [eax+38h], 0
		jz	short loc_7FE5A6
		mov	edx, [ebx+0Ch]
		lea	eax, [ebp+var_1]
		push	eax
		mov	ecx, edi
		call	PiDqQueryEvaluateFilter
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_7FE5E0
		mov	al, byte ptr [ebp+var_1]

loc_7FE597:				; CODE XREF: PiDqQueryEnumObject+DDj
		test	esi, esi
		js	short loc_7FE59F
		test	al, al
		jnz	short loc_7FE5A6

loc_7FE59F:				; CODE XREF: PiDqQueryEnumObject+63j
					; PiDqQueryEnumObject+67j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7FE5A6:				; CODE XREF: PiDqQueryEnumObject+70j
					; PiDqQueryEnumObject+93j
		mov	eax, [edi+0Ch]
		test	byte ptr [eax+20h], 1
		jz	short loc_7FE5BE
		mov	edx, ebx
		mov	ecx, edi
		call	_PiDqQueryAddObjectToResultSet@8 ; PiDqQueryAddObjectToResultSet(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7FE59F

loc_7FE5BE:				; CODE XREF: PiDqQueryEnumObject+A3j
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		push	eax
		push	0
		mov	edx, ebx
		inc	ecx
		call	_PiDqQueryActionQueueEntryCreate@16 ; PiDqQueryActionQueueEntryCreate(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7FE59F
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	PiDqQueryAppendActionEntry
		jmp	short loc_7FE59F
; 

loc_7FE5E0:				; CODE XREF: PiDqQueryEnumObject+88j
		xor	al, al
		xor	esi, esi
		mov	byte ptr [ebp+var_1], al
		jmp	short loc_7FE597
PiDqQueryEnumObject endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqCompareAddresses(x, x, x)
_PiDqCompareAddresses@12 proc near	; DATA XREF: PiDqQueryCreate+8Fo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	eax, [ebp+arg_8]
		mov	eax, [eax]
		cmp	eax, ecx
		ja	short loc_7FE606
		sbb	eax, eax
		add	eax, 2

loc_7FE602:				; CODE XREF: PiDqCompareAddresses(x,x,x)+1Ej
		pop	ebp
		retn	0Ch
; 

loc_7FE606:				; CODE XREF: PiDqCompareAddresses(x,x,x)+11j
		xor	eax, eax
		jmp	short loc_7FE602
_PiDqCompareAddresses@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepIsImpersonationAllowedDueToCapability proc near
					; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+12Cp

var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 00919266 SIZE 00000177 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	eax, eax
		mov	esi, ecx
		mov	bh, al
		mov	eax, [edi+78h]
		cmp	eax, [esi+78h]
		jnz	short loc_7FE63D
		mov	eax, [edi+0C0h]
		test	byte ptr [eax+18h], 10h
		jnz	short loc_7FE63D
		call	RtlIsMultiSessionSku
		test	al, al
		jz	loc_919266

loc_7FE63D:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+18j
					; SepIsImpersonationAllowedDueToCapability+24j	...
		xor	al, al

loc_7FE63F:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+11AD68j
					; SepIsImpersonationAllowedDueToCapability+11AD8Cj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
SepIsImpersonationAllowedDueToCapability endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2212. RtlIsMultiSessionSku

;  S U B	R O U T	I N E 


		public RtlIsMultiSessionSku
RtlIsMultiSessionSku proc near		; CODE XREF: GetGlobalizationUserModelType:loc_5659A5p
					; SepIsImpersonationAllowedDueToCapability+26p	...

; FUNCTION CHUNK AT 009193DD SIZE 0000000F BYTES

		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_9193DD
		mov	eax, ds:0FFDF02F0h
		shr	eax, 8
		and	al, 1
		retn
RtlIsMultiSessionSku endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpGetObjectList proc near		; CODE XREF: PiCMGetObjectList+E8p
					; PiDmObjectManagerPopulate+57p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 009193EC SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		push	ebx
		mov	ebx, _PiPnpRtlCtx
		push	esi
		push	edi
		mov	[ebp+var_30], ecx
		mov	esi, edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	edi, [ebx+0F8h]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_4], esi
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_14], eax
		test	edi, edi
		jz	short loc_7FE6CD
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	5
		push	esi
		push	ecx
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_7FE715
		cmp	eax, 0C0000120h
		jz	short loc_7FE719
		test	eax, eax
		jnz	short loc_7FE71E

loc_7FE6CD:				; CODE XREF: _PnpGetObjectList+4Aj
					; _PnpGetObjectList+B5j
		push	[ebp+var_14]
		mov	edx, esi
		mov	ecx, ebx
		push	[ebp+var_18]
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		push	[ebp+var_28]
		call	__PnpGetObjectListDispatch@32 ;	_PnpGetObjectListDispatch(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_7FE70C
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	5
		push	[ebp+var_4]
		push	0
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	loc_9193EC

loc_7FE70C:				; CODE XREF: _PnpGetObjectList+8Aj
					; _PnpGetObjectList+BAj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_7FE715:				; CODE XREF: _PnpGetObjectList+5Ej
		xor	edi, edi
		jmp	short loc_7FE6CD
; 

loc_7FE719:				; CODE XREF: _PnpGetObjectList+65j
					; _PnpGetObjectList+11AD8Fj
		mov	esi, [ebp+var_30]
		jmp	short loc_7FE70C
; 

loc_7FE71E:				; CODE XREF: _PnpGetObjectList+69j
					; _PnpGetObjectList+11AD9Dj
		mov	esi, 0C00000E5h
		jmp	short loc_7FE70C
_PnpGetObjectList endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PiDmObjectIsEnumerable(x)
_PiDmObjectIsEnumerable@4 proc near	; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+C5p
					; PiDmEnumObjectsWithCallback(x,x,x)+CEp ...
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	ebx, [esi+18h]
		xor	edx, edx
		mov	ecx, esi
		and	bl, 1
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi
		mov	al, bl
		pop	ebx
		retn
_PiDmObjectIsEnumerable@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmEnumObjectsWithCallback(x, x, x)
_PiDmEnumObjectsWithCallback@12	proc near
					; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+2E3p
					; PiDmGetObjectList(x,x,x,x,x,x)+3Cp ...

var_6A		= byte ptr -6Ah
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5E		= byte ptr -5Eh
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[esp+70h+var_50], eax
		push	40h		; size_t
		lea	eax, [esp+74h+var_48]
		mov	[esp+74h+var_4C], edx
		push	ebx		; int
		push	eax		; void *
		mov	esi, ecx
		mov	edi, ebx
		call	_memset
		add	esp, 0Ch
		mov	[esp+70h+var_54], ebx
		lea	eax, [esp+70h+var_48]
		mov	[esp+70h+var_58], ebx
		mov	ecx, esi
		mov	[esp+70h+var_5C], eax
		mov	[esp+13h], bl
		call	PiDmGetObjectManagerForObjectType
		and	[esp+70h+var_38], edi
		mov	ebx, eax
		mov	[esp+70h+var_34], esi
		mov	[esp+70h+var_3C], offset _PathPrefixWin32
		cmp	esi, 3
		jz	short loc_7FE7D4
		mov	[esp+70h+var_3C], offset ??_C@_11LOCGONAA@@NNGAKEGL@

loc_7FE7D4:				; CODE XREF: PiDmEnumObjectsWithCallback(x,x,x)+6Aj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	ebx
		call	ExAcquireResourceSharedLite
		lea	ecx, [esp+70h+var_5C]
		xor	esi, esi
		push	ecx
		lea	ecx, [esp+74h+var_58]
		push	ecx
		lea	ecx, [esp+78h+var_54]
		push	ecx
		push	esi
		push	esi
		lea	eax, [ebx+38h]
		push	esi
		push	eax
		call	RtlEnumerateGenericTableLikeADirectory
		test	eax, eax
		jz	short loc_7FE811
		mov	esi, [eax]
		lock inc dword ptr [esi+4]

loc_7FE811:				; CODE XREF: PiDmEnumObjectsWithCallback(x,x,x)+A9j
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_7FE824:				; CODE XREF: PiDmEnumObjectsWithCallback(x,x,x)+150j
		test	esi, esi
		jz	loc_7FE8C0
		mov	ecx, esi
		call	_PiDmObjectIsEnumerable@4 ; PiDmObjectIsEnumerable(x)
		test	al, al
		jz	short loc_7FE847
		lea	eax, [esp+13h]
		push	eax
		push	[esp+74h+var_50]
		push	esi
		call	[esp+7Ch+var_4C]
		mov	edi, eax

loc_7FE847:				; CODE XREF: PiDmEnumObjectsWithCallback(x,x,x)+D5j
		test	edi, edi
		js	short loc_7FE8B9
		cmp	byte ptr [esp+13h], 0
		jnz	short loc_7FE8B9
		mov	eax, large fs:124h
		mov	[esp+7Ch+var_68], esi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	ebx
		call	ExAcquireResourceSharedLite
		lea	eax, [esp+7Ch+var_68]
		push	eax
		lea	eax, [esp+80h+var_64]
		push	eax
		lea	eax, [esp+24h]
		push	eax
		push	1
		push	0
		push	0
		lea	eax, [ebx+38h]
		push	eax
		call	RtlEnumerateGenericTableLikeADirectory
		test	eax, eax
		jz	short loc_7FE8B5
		mov	esi, [eax]
		lock inc dword ptr [esi+4]

loc_7FE894:				; CODE XREF: PiDmEnumObjectsWithCallback(x,x,x)+157j
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [esp+7Ch+var_68]
		call	PiDmObjectRelease
		jmp	loc_7FE824
; 

loc_7FE8B5:				; CODE XREF: PiDmEnumObjectsWithCallback(x,x,x)+12Cj
		xor	esi, esi
		jmp	short loc_7FE894
; 

loc_7FE8B9:				; CODE XREF: PiDmEnumObjectsWithCallback(x,x,x)+E9j
					; PiDmEnumObjectsWithCallback(x,x,x)+F0j
		mov	ecx, esi
		call	PiDmObjectRelease

loc_7FE8C0:				; CODE XREF: PiDmEnumObjectsWithCallback(x,x,x)+C6j
		mov	ecx, [esp+7Ch+var_10]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_PiDmEnumObjectsWithCallback@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlApplyMandatoryDeviceInterfaceFilters(x, x, x, x, x)
_PiPnpRtlApplyMandatoryDeviceInterfaceFilters@20 proc near
					; CODE XREF: PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)+54p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	edi
		mov	ebx, ecx
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		push	ecx
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ecx
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ecx
		push	eax
		push	offset _DEVPKEY_Device_InstanceId
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, 47706E50h
		push	3
		push	edx
		mov	edx, 0C8h
		call	PnpGetObjectProperty
		mov	edi, eax
		test	edi, edi
		js	short loc_7FE92C
		push	[ebp+arg_8]
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	[ebp+arg_4]
		push	0
		call	_PiPnpRtlApplyMandatoryDeviceFilters@20	; PiPnpRtlApplyMandatoryDeviceFilters(x,x,x,x,x)
		mov	edi, eax

loc_7FE92C:				; CODE XREF: PiPnpRtlApplyMandatoryDeviceInterfaceFilters(x,x,x,x,x)+40j
		cmp	[ebp+var_4], 0
		jz	short loc_7FE93F
		push	47706E50h
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7FE93F:				; CODE XREF: PiPnpRtlApplyMandatoryDeviceInterfaceFilters(x,x,x,x,x)+5Aj
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn	0Ch
_PiPnpRtlApplyMandatoryDeviceInterfaceFilters@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlOperationAllocateGenericTableEntry(x, x)
_PiPnpRtlOperationAllocateGenericTableEntry@8 proc near
					; DATA XREF: PiPnpRtlBeginOperation+65o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	41706E50h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_PiPnpRtlOperationAllocateGenericTableEntry@8 endp


;  S U B	R O U T	I N E 


; __stdcall PiPnpRtlObjectEventDispatch(x)
_PiPnpRtlObjectEventDispatch@4 proc near ; CODE	XREF: PiPnpRtlEndOperation:loc_7FEA52p
					; PiPnpRtlObjectEventWorker+CD966p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+4], 0Bh
		jnz	short loc_7FE973
		cmp	dword ptr [esi+2Ch], 0
		jnz	short loc_7FE973

loc_7FE971:				; CODE XREF: PiPnpRtlObjectEventDispatch(x)+25j
		pop	esi
		retn
; 

loc_7FE973:				; CODE XREF: PiPnpRtlObjectEventDispatch(x)+9j
					; PiPnpRtlObjectEventDispatch(x)+Fj
		call	_PiDcHandleObjectEvent@4 ; PiDcHandleObjectEvent(x)
		mov	ecx, [esi+8]
		mov	ecx, [ecx+14h]
		call	PiDqGetObjectManagerForPnpObjectType
		test	eax, eax
		jz	short loc_7FE971
		mov	edx, esi
		mov	ecx, eax
		pop	esi
		jmp	PiDqObjectManagerHandleObjectEvent
_PiPnpRtlObjectEventDispatch@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlOperationFreeGenericTableEntry(x, x)
_PiPnpRtlOperationFreeGenericTableEntry@8 proc near ; DATA XREF: PiPnpRtlBeginOperation+60o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	41706E50h
		push	[ebp+arg_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_PiPnpRtlOperationFreeGenericTableEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPnpRtlEndOperation proc near		; CODE XREF: PiDqQueryEvaluateFilter+D5p
					; PiDqActionDataGetRequestedProperties+C9p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00919404 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		sub	dword ptr [esi+4Ch], 1
		jnz	loc_7FEA96
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	ebx, offset _PiPnpRtlRemoveOperationDispatchLock
		push	ebx
		call	ExAcquireResourceSharedLite
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _PiPnpRtlActiveOperationsLock
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	edx, [esi]
		cmp	[edx+4], esi
		jnz	loc_7FEA9B
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_7FEA9B
		mov	[eax], edx
		mov	ecx, edi
		mov	[edx+4], eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	edi, [esi+0Ch]

loc_7FEA28:				; CODE XREF: PiPnpRtlEndOperation+C1j
		push	edi
		call	_RtlIsGenericTableEmptyAvl@4 ; RtlIsGenericTableEmptyAvl(x)
		test	al, al
		jnz	short loc_7FEA6B
		mov	eax, [esi+14h]
		mov	ecx, [eax+10h]
		mov	[ebp+var_4], ecx
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jz	short loc_7FEA52
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_4]
		and	dword ptr [eax+0Ch], 0
		mov	ecx, [ebp+var_4]

loc_7FEA52:				; CODE XREF: PiPnpRtlEndOperation+98j
		call	_PiPnpRtlObjectEventDispatch@4 ; PiPnpRtlObjectEventDispatch(x)
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		mov	ecx, [ebp+var_4]
		call	PiPnpRtlObjectEventRelease
		jmp	short loc_7FEA28
; 

loc_7FEA6B:				; CODE XREF: PiPnpRtlEndOperation+88j
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	edi, [esi+44h]

loc_7FEA81:				; CODE XREF: PiPnpRtlEndOperation+11AA80j
		mov	ecx, [edi]
		cmp	ecx, edi
		jnz	loc_919404
		push	41706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7FEA96:				; CODE XREF: PiPnpRtlEndOperation+13j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_7FEA9B:				; CODE XREF: PiPnpRtlEndOperation+54j
					; PiPnpRtlEndOperation+5Fj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PiPnpRtlEndOperation endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPnpRtlObjectEventRelease proc	near	; CODE XREF: PiDqQueryActionQueueEntryFree(x):loc_7FC379p
					; PiPnpRtlEndOperation+BCp ...

; FUNCTION CHUNK AT 0091942D SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		dec	eax
		jnz	short loc_7FEAE4
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_7FEABF
		call	PiDmObjectRelease

loc_7FEABF:				; CODE XREF: PiPnpRtlObjectEventRelease+18j
		mov	eax, [esi+0Ch]
		test	eax, eax
		jnz	short loc_7FEB01

loc_7FEAC6:				; CODE XREF: PiPnpRtlObjectEventRelease+67j
		test	byte ptr [esi+4], 4
		jnz	loc_91942D

loc_7FEAD0:				; CODE XREF: PiPnpRtlObjectEventRelease+11A996j
		push	edi
		xor	edi, edi
		cmp	[esi+2Ch], edi
		ja	short loc_7FEAE7

loc_7FEAD8:				; CODE XREF: PiPnpRtlObjectEventRelease+5Fj
		push	41706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi

loc_7FEAE4:				; CODE XREF: PiPnpRtlObjectEventRelease+11j
		pop	esi
		leave
		retn
; 

loc_7FEAE7:				; CODE XREF: PiPnpRtlObjectEventRelease+36j
		push	ebx
		lea	ebx, [esi+48h]

loc_7FEAEB:				; CODE XREF: PiPnpRtlObjectEventRelease+5Cj
		mov	eax, [ebx]
		test	eax, eax
		jnz	loc_91943B

loc_7FEAF5:				; CODE XREF: PiPnpRtlObjectEventRelease+11A9A6j
		inc	edi
		add	ebx, 1Ch
		cmp	edi, [esi+2Ch]
		jb	short loc_7FEAEB
		pop	ebx
		jmp	short loc_7FEAD8
; 

loc_7FEB01:				; CODE XREF: PiPnpRtlObjectEventRelease+24j
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_7FEAC6
PiPnpRtlObjectEventRelease endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DrvDbGetObjectDatabaseNode proc	near	; CODE XREF: DrvDbOpenObjectRegKey+29p
					; DrvDbDeleteObjectRegKey(x,x,x,x)+2Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0091944B SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	esi
		xor	esi, esi
		push	edi
		cmp	word ptr [ebx],	40h
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		jz	short loc_7FEB49

loc_7FEB2E:				; CODE XREF: DrvDbGetObjectDatabaseNode+50j
					; DrvDbGetObjectDatabaseNode+69j
		mov	edi, ebx

loc_7FEB30:				; CODE XREF: DrvDbGetObjectDatabaseNode+6Dj
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+arg_4]
		mov	ecx, [ecx+18h]
		mov	[eax], ecx

loc_7FEB3B:				; CODE XREF: DrvDbGetObjectDatabaseNode+ABj
		mov	eax, [ebp+arg_0]
		mov	[eax], edi

loc_7FEB40:				; CODE XREF: DrvDbGetObjectDatabaseNode+82j
					; DrvDbGetObjectDatabaseNode+ADj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7FEB49:				; CODE XREF: DrvDbGetObjectDatabaseNode+22j
		lea	eax, [ebx+2]
		push	3Ah		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		mov	edi, eax
		pop	ecx
		pop	ecx
		test	edi, edi
		jz	short loc_7FEB2E
		lea	ecx, [ebx+2]
		sub	eax, ecx
		mov	[ebp+var_8], ecx
		and	eax, 0FFFFFFFEh
		inc	edi
		mov	word ptr [ebp+var_C], ax
		mov	word ptr [ebp+var_C+2],	ax
		add	edi, 1
		jz	short loc_7FEB2E
		cmp	edi, ebx
		jz	short loc_7FEB30
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	1
		call	RtlDuplicateUnicodeString
		mov	esi, eax
		test	esi, esi
		js	short loc_7FEB40
		push	[ebp+arg_4]
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_4]
		call	_DrvDbFindDatabaseNode@12 ; DrvDbFindDatabaseNode(x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	esi, 0C0000034h
		jz	loc_91944B
		test	esi, esi
		jns	short loc_7FEB3B
		jmp	short loc_7FEB40
DrvDbGetObjectDatabaseNode endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpDispatchDeviceInterface proc near	; DATA XREF: _PnpCtxOpenMachine+158o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00919455 SIZE 0000009A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_C]
		xor	ecx, ecx
		dec	eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		push	esi
		mov	esi, ecx
		cmp	eax, 8		; switch 9 cases
		ja	loc_9194E5	; default
		jmp	ds:off_7FEC8A[eax*4] ; switch jump

loc_7FEBE0:				; DATA XREF: PAGE:off_7FEC8Ao
		mov	eax, [ebp+arg_10] ; case 0x7
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	dword ptr [eax+18h] ; void *
		push	dword ptr [eax+14h] ; int
		push	dword ptr [eax+10h] ; int
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; void *
		push	dword ptr [eax+4] ; int
		push	dword ptr [eax]	; int
		call	__CmGetDeviceInterfaceMappedProperty@36	; _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x)

loc_7FEC02:				; CODE XREF: _PnpDispatchDeviceInterface+73j
					; _PnpDispatchDeviceInterface+94j ...
		mov	ecx, eax
		call	__PnpMapCmStatusToDispatchStatus@4 ; _PnpMapCmStatusToDispatchStatus(x)
		pop	esi
		leave
		retn	14h
; 

loc_7FEC0E:				; CODE XREF: _PnpDispatchDeviceInterface+1Fj
					; DATA XREF: PAGE:off_7FEC8Ao
		mov	ecx, [ebp+arg_10] ; case 0x1
		mov	edx, [ebp+arg_4]
		lea	eax, [ecx+0Ch]
		push	eax
		push	dword ptr [ecx+8]
		movzx	eax, byte ptr [ecx+4]
		push	eax
		push	dword ptr [ecx]
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	30h
		call	_CmOpenDeviceInterfaceRegKey
		jmp	short loc_7FEC02
; 

loc_7FEC2F:				; CODE XREF: _PnpDispatchDeviceInterface+1Fj
					; DATA XREF: PAGE:off_7FEC8Ao
		mov	eax, [ebp+arg_10] ; case 0x8
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	dword ptr [eax+14h]
		push	dword ptr [eax+10h]
		push	dword ptr [eax+0Ch]
		push	dword ptr [eax+8]
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		call	_CmSetDeviceInterfaceMappedProperty
		jmp	short loc_7FEC02
; 

loc_7FEC50:				; CODE XREF: _PnpDispatchDeviceInterface+1Fj
					; DATA XREF: PAGE:off_7FEC8Ao
		mov	edx, [ebp+arg_4] ; case	0x0
		call	__CmValidateDeviceInterfaceName@8 ; _CmValidateDeviceInterfaceName(x,x)
		jmp	short loc_7FEC02
; 

loc_7FEC5A:				; CODE XREF: _PnpDispatchDeviceInterface+1Fj
					; DATA XREF: PAGE:off_7FEC8Ao
		mov	edx, [ebp+arg_10] ; case 0x4
		mov	eax, [edx]
		test	eax, eax
		jnz	loc_919496

loc_7FEC67:				; CODE XREF: _PnpDispatchDeviceInterface+11A8EDj
		mov	eax, [edx+14h]
		and	eax, 0FFFF0000h
		push	eax
		push	dword ptr [edx+10h]
		push	dword ptr [edx+0Ch]
		push	dword ptr [edx+8]
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		push	esi
		call	_CmGetMatchingDeviceInterfaceList
		jmp	loc_7FEC02
_PnpDispatchDeviceInterface endp

; 
		align 2
off_7FEC8A	dd offset loc_7FEC50	; DATA XREF: _PnpDispatchDeviceInterface+1Fr
		dd offset loc_7FEC0E	; jump table for switch	statement
		dd offset loc_919455
		dd offset loc_91947B
		dd offset loc_7FEC5A
		dd offset loc_9194AC
		dd offset loc_9194CB
		dd offset loc_7FEBE0
		dd offset loc_7FEC2F

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmIsDeviceInterfaceEnabled(x, x, x, x)
__CmIsDeviceInterfaceEnabled@16	proc near
					; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+1F5p
					; PiPnpRtlInterfaceFilterCallback+59p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		push	edx
		push	eax
		mov	esi, ecx
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_7FECDC
		push	ecx
		push	[ebp+arg_4]
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	__NtPlugPlayGetDeviceInterfaceEnabled@16 ; _NtPlugPlayGetDeviceInterfaceEnabled(x,x,x,x)

loc_7FECDC:				; CODE XREF: _CmIsDeviceInterfaceEnabled(x,x,x,x)+1Ej
		pop	esi
		leave
		retn	8
__CmIsDeviceInterfaceEnabled@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _NtPlugPlayGetDeviceInterfaceEnabled(x, x, x, x)
__NtPlugPlayGetDeviceInterfaceEnabled@16 proc near
					; CODE XREF: _CmIsDeviceInterfaceEnabled(x,x,x,x)+29p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		push	eax
		push	5
		mov	edi, edx
		mov	esi, ecx
		pop	edx
		call	__PnpCtxGetNtPlugPlayRoutine@12	; _PnpCtxGetNtPlugPlayRoutine(x,x,x)
		test	eax, eax
		js	short loc_7FED12
		cmp	[ebp+var_4], 0
		jz	short loc_7FED18
		push	0
		push	[ebp+arg_0]
		push	edi
		push	esi
		call	[ebp+var_4]

loc_7FED12:				; CODE XREF: _NtPlugPlayGetDeviceInterfaceEnabled(x,x,x,x)+1Ej
					; _NtPlugPlayGetDeviceInterfaceEnabled(x,x,x,x)+3Bj
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_7FED18:				; CODE XREF: _NtPlugPlayGetDeviceInterfaceEnabled(x,x,x,x)+24j
		mov	eax, 0C0000002h
		jmp	short loc_7FED12
__NtPlugPlayGetDeviceInterfaceEnabled@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlGetDeviceInterfaceEnabled(x, x, x, x)
_PiPnpRtlGetDeviceInterfaceEnabled@16 proc near	; DATA XREF: PiPnpRtlInit+F1o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	ecx, [ebp+arg_4]
		and	[ebp+var_4], 0
		push	10h
		mov	eax, [ecx]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	17h
		call	_ZwPlugPlayControl@12 ;	ZwPlugPlayControl(x,x,x)
		mov	edx, [ebp+arg_8]
		mov	cl, byte ptr [ebp+var_4]
		mov	[edx], cl
		leave
		retn	10h
_PiPnpRtlGetDeviceInterfaceEnabled@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxGetNtPlugPlayRoutine(x, x, x)
__PnpCtxGetNtPlugPlayRoutine@12	proc near
					; CODE XREF: _NtPlugPlayGetDeviceRelatedDevice(x,x,x,x,x,x,x)+17p
					; _NtPlugPlayGetDeviceProperty(x,x,x,x,x,x,x)+17p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		cmp	edx, 6
		jge	short loc_7FED7A
		mov	eax, [ebp+arg_0]
		mov	ecx, [ecx+edx*4+80h]
		mov	[eax], ecx

loc_7FED73:				; CODE XREF: _PnpCtxGetNtPlugPlayRoutine(x,x,x)+25j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_7FED7A:				; CODE XREF: _PnpCtxGetNtPlugPlayRoutine(x,x,x)+Bj
		mov	esi, 0C000000Dh
		jmp	short loc_7FED73
__PnpCtxGetNtPlugPlayRoutine@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpUnicodeStringToWstr proc near	; CODE XREF: IopGetDeviceInterfaces+345p
					; PiControlGetDeviceInterfaceEnabled+7Fp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009194EF SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	esi, edx
		xor	edi, edi
		mov	[ebp+var_C], esi
		test	ebx, ebx
		jz	loc_919554
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_919554
		movzx	edx, word ptr [eax+2]
		push	2
		pop	ecx
		cmp	dx, cx
		jb	loc_919543
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	loc_919543
		movzx	eax, word ptr [eax]
		movzx	esi, ax
		mov	[ebp+var_4], esi
		mov	esi, [ebp+var_C]
		mov	[ebp+var_8], eax
		cmp	ax, dx
		ja	loc_919554
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_10], eax
		cmp	word ptr [ebp+var_8], di
		jz	loc_91950D
		cmp	ax, di
		jz	loc_9194EF
		mov	eax, [ebp+var_4]
		movzx	eax, ax
		shr	eax, 1
		cmp	word ptr [ebp+var_8], dx
		mov	[ebp+var_8], eax
		jnz	short loc_7FEE11
		cmp	[ecx+eax*2-2], di
		jz	loc_9194EF

loc_7FEE11:				; CODE XREF: PnpUnicodeStringToWstr+82j
		mov	esi, [ebp+var_4]
		mov	eax, edx
		mov	[ebp+var_10], eax
		add	eax, 0FFFFFFFEh
		movzx	edx, si
		mov	esi, [ebp+var_C]
		cmp	edx, eax
		jbe	short loc_7FEE76

loc_7FEE26:				; CODE XREF: PnpUnicodeStringToWstr+102j
		push	75737050h
		lea	eax, [edx+2]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_10], edx
		test	edx, edx
		jz	short loc_7FEE94
		mov	ecx, [ebp+arg_0]
		movzx	eax, word ptr [ecx]
		push	eax		; size_t
		push	dword ptr [ecx+4] ; void *
		push	edx		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	ecx, [ebp+var_10]
		add	esp, 0Ch
		mov	[ebx], ecx
		movzx	eax, word ptr [eax]
		shr	eax, 1
		mov	[ecx+eax*2], dx
		test	esi, esi
		jnz	loc_9194FD

loc_7FEE6D:				; CODE XREF: PnpUnicodeStringToWstr+108j
					; PnpUnicodeStringToWstr+117j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_7FEE76:				; CODE XREF: PnpUnicodeStringToWstr+A2j
		mov	eax, [ebp+var_8]
		cmp	[ecx+eax*2-2], di
		jz	short loc_7FEE86
		cmp	[ecx+eax*2], di
		jnz	short loc_7FEE26

loc_7FEE86:				; CODE XREF: PnpUnicodeStringToWstr+FCj
		mov	[ebx], ecx
		test	esi, esi
		jz	short loc_7FEE6D
		mov	eax, [ebp+var_10]
		jmp	loc_919506
; 

loc_7FEE94:				; CODE XREF: PnpUnicodeStringToWstr+BBj
					; PnpUnicodeStringToWstr+11A7A1j
		mov	edi, 0C000009Ah
		jmp	short loc_7FEE6D
PnpUnicodeStringToWstr endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PnpUnicodeStringToWstrFree(x, x)
_PnpUnicodeStringToWstrFree@8 proc near	; CODE XREF: IopGetDeviceInterfaces+2BCp
					; PiControlGetDeviceInterfaceEnabled+EEp ...
		test	ecx, ecx
		jz	short locret_7FEEC0
		test	edx, edx
		jz	short locret_7FEEC0
		push	esi
		xor	esi, esi
		cmp	[edx+2], si
		jz	short loc_7FEEBF
		mov	eax, [edx+4]
		test	eax, eax
		jz	short loc_7FEEBF
		cmp	eax, ecx
		jz	short loc_7FEEBF
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_7FEEBF:				; CODE XREF: PnpUnicodeStringToWstrFree(x,x)+Fj
					; PnpUnicodeStringToWstrFree(x,x)+16j ...
		pop	esi

locret_7FEEC0:				; CODE XREF: PnpUnicodeStringToWstrFree(x,x)+2j
					; PnpUnicodeStringToWstrFree(x,x)+6j
		retn
_PnpUnicodeStringToWstrFree@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiControlGetDeviceInterfaceEnabled proc	near ; DATA XREF: .text:00403BE8o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0091955E SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		xor	esi, esi
		mov	[esp+1Ch+var_8], esi
		movzx	eax, word ptr [ebx]
		mov	[esp+1Ch+var_4], esi
		mov	[esp+1Ch+var_10], esi
		mov	[esp+1Ch+var_C], esi
		mov	word ptr [esp+1Ch+var_8+2], ax
		mov	word ptr [esp+1Ch+var_8], ax
		push	edi
		test	ax, ax
		jz	loc_919578
		mov	ecx, 3F0h
		cmp	ax, cx
		ja	loc_919578
		test	al, 1
		jnz	loc_919578
		cmp	[ebx+8], esi
		jnz	loc_919578
		mov	edx, [ebx+4]
		lea	ecx, [esp+20h+var_4]
		push	1
		push	[ebp+arg_C]
		push	2
		push	eax
		call	PiControlMakeUserModeCallersCopy
		test	eax, eax
		js	loc_7FEFC1
		lea	eax, [esp+20h+var_8]
		xor	edx, edx
		push	eax
		lea	ecx, [esp+24h+var_C]
		call	PnpUnicodeStringToWstr
		mov	edi, eax
		test	edi, edi
		js	short loc_7FEFA8
		mov	edx, [esp+20h+var_C]
		lea	eax, [esp+20h+var_10]
		push	eax
		push	3
		pop	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_7FEFA8
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [esp+20h+var_10]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		cmp	dword ptr [esi+1Ch], 0
		mov	ecx, esi
		setnz	al
		xor	edx, edx
		mov	[ebx+0Ch], al
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [esp+20h+var_10]
		call	PiDmObjectRelease
		xor	esi, esi

loc_7FEFA8:				; CODE XREF: PiControlGetDeviceInterfaceEnabled+88j
					; PiControlGetDeviceInterfaceEnabled+9Fj
		mov	ecx, [esp+20h+var_C]
		lea	edx, [esp+20h+var_8]
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		cmp	byte ptr [ebp+arg_C], 0
		jnz	loc_91955E

loc_7FEFBF:				; CODE XREF: PiControlGetDeviceInterfaceEnabled+11A6A1j
					; PiControlGetDeviceInterfaceEnabled+11A6B1j
		mov	eax, edi

loc_7FEFC1:				; CODE XREF: PiControlGetDeviceInterfaceEnabled+6Ej
					; PiControlGetDeviceInterfaceEnabled+11A6BBj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
PiControlGetDeviceInterfaceEnabled endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetDeviceInterfaceSubkeyPath	proc near ; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+97p
					; _CmGetDeviceInterfaceClassGuidString(x,x,x,x)+12p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00919582 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	ebx
		mov	[ebp+var_24], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_30], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_1C], ecx
		stosd
		mov	[ebp+var_20], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		stosd
		stosd
		stosd
		call	__CmValidateDeviceInterfaceName@8 ; _CmValidateDeviceInterfaceName(x,x)
		test	eax, eax
		js	loc_7FF0BA
		lea	eax, [ebx+8]
		push	5Ch		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jz	loc_7FF136
		lea	edi, [esi+2]
		sub	esi, ebx

loc_7FF02D:				; CODE XREF: _CmGetDeviceInterfaceSubkeyPath+182j
		sar	esi, 1
		mov	[ebp+var_2C], esi
		mov	eax, esi
		mov	[ebp+var_28], eax
		cmp	esi, 30h
		jb	loc_919582
		inc	esi
		cmp	[ebp+arg_0], 0
		jz	short loc_7FF068
		add	esi, 2
		test	edi, edi
		jz	short loc_7FF068
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_7FF053:				; CODE XREF: _CmGetDeviceInterfaceSubkeyPath+93j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_1C]
		jnz	short loc_7FF053
		mov	eax, [ebp+var_28]
		sub	ecx, edx
		sar	ecx, 1
		add	esi, ecx

loc_7FF068:				; CODE XREF: _CmGetDeviceInterfaceSubkeyPath+7Bj
					; _CmGetDeviceInterfaceSubkeyPath+82j
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jz	short loc_7FF0AE
		push	800h
		xor	edx, edx
		add	eax, 0FFFFFFDAh
		push	edx
		push	edx
		push	26h
		lea	eax, [ebx+eax*2]
		push	eax
		push	27h
		pop	edx
		call	RtlStringCchCopyNExW
		test	eax, eax
		js	short loc_7FF0BA
		push	[ebp+var_24]
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_7FF0BA
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	short loc_7FF0BA

loc_7FF0AE:				; CODE XREF: _CmGetDeviceInterfaceSubkeyPath+A3j
		mov	edx, [ebp+arg_C]
		cmp	esi, edx
		jbe	short loc_7FF0CB
		mov	eax, 0C0000023h

loc_7FF0BA:				; CODE XREF: _CmGetDeviceInterfaceSubkeyPath+41j
					; _CmGetDeviceInterfaceSubkeyPath+C1j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_7FF0CB:				; CODE XREF: _CmGetDeviceInterfaceSubkeyPath+E9j
		mov	esi, 800h
		lea	eax, [ebp+var_20]
		push	esi
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_2C]
		push	ebx
		mov	ebx, [ebp+var_30]
		mov	ecx, ebx
		call	RtlStringCchCopyNExW
		test	eax, eax
		js	short loc_7FF0BA
		cmp	[ebp+arg_0], 0
		mov	dword ptr [ebx], 230023h
		mov	dword ptr [ebx+4], 23003Fh
		jz	short loc_7FF0BA
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		push	esi
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	offset ??_C@_15IHPGJGAA@?$AA?2?$AA?$CD@NNGAKEGL@
		call	RtlStringCchCopyExW
		test	eax, eax
		js	short loc_7FF0BA
		test	edi, edi
		jz	short loc_7FF0BA
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		push	esi
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		call	RtlStringCchCopyExW
		jmp	short loc_7FF0BA
; 

loc_7FF136:				; CODE XREF: _CmGetDeviceInterfaceSubkeyPath+58j
		mov	esi, ebx
		xor	edx, edx
		mov	edi, edx
		lea	ecx, [esi+2]

loc_7FF13F:				; CODE XREF: _CmGetDeviceInterfaceSubkeyPath+17Ej
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_7FF13F
		sub	esi, ecx
		jmp	loc_7FF02D
_CmGetDeviceInterfaceSubkeyPath	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2105. RtlGUIDFromString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGUIDFromString(x, x)
		public _RtlGUIDFromString@8
_RtlGUIDFromString@8 proc near		; CODE XREF: RtlQueryPackageClaims+EE62Bp
					; PiDevCfgParseInterfaceKeyName(x,x,x)+2Ap ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_14]
		mov	ecx, [ebp+arg_0]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp-6]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp-0Ah]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp-0Eh]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_14+2]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [esi+6]
		push	eax
		lea	eax, [esi+4]
		push	eax
		movzx	eax, word ptr [ecx]
		push	esi
		push	offset _GuidFormat
		shr	eax, 1
		push	eax
		push	dword ptr [ecx+4]
		call	ScanHexFormat
		add	esp, 38h
		cmp	eax, 0FFFFFFFFh
		jz	short loc_7FF1DF
		xor	ecx, ecx

loc_7FF1BF:				; CODE XREF: RtlGUIDFromString(x,x)+75j
		mov	al, byte ptr [ebp+ecx*2+var_14]
		mov	[esi+ecx+8], al
		inc	ecx
		cmp	ecx, 8
		jb	short loc_7FF1BF
		xor	eax, eax

loc_7FF1CF:				; CODE XREF: RtlGUIDFromString(x,x)+8Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_7FF1DF:				; CODE XREF: RtlGUIDFromString(x,x)+65j
		mov	eax, 0C000000Dh
		jmp	short loc_7FF1CF
_RtlGUIDFromString@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ScanHexFormat	proc near		; CODE XREF: RtlGUIDFromString(x,x)+5Ap

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0091958C SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	edx, [ebp+arg_8]
		lea	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], eax

loc_7FF20C:				; CODE XREF: ScanHexFormat+D6j
					; ScanHexFormat+127j
		mov	[ebp+var_10], edi
		nop

loc_7FF210:				; CODE XREF: ScanHexFormat+FFj
		movzx	ecx, word ptr [edx]
		test	cx, cx
		jz	loc_7FF31C
		cmp	ecx, 25h
		jnz	loc_7FF2DF
		movzx	eax, word ptr [edx+2]
		add	edx, 2
		mov	ecx, eax
		cmp	eax, 25h
		jz	loc_7FF2DF
		xor	edi, edi
		xor	ecx, ecx
		jmp	short loc_7FF240
; 
		align 10h

loc_7FF240:				; CODE XREF: ScanHexFormat+4Bj
					; ScanHexFormat+69j ...
		movzx	eax, word ptr [edx]
		cmp	eax, 39h
		ja	short loc_7FF25B
		cmp	eax, 30h
		jb	short loc_7FF25B
		lea	ecx, [ecx+ecx*4]
		lea	ecx, [ecx-18h]
		lea	ecx, [eax+ecx*2]

loc_7FF256:				; CODE XREF: ScanHexFormat+11A3A5j
		add	edx, 2
		jmp	short loc_7FF240
; 

loc_7FF25B:				; CODE XREF: ScanHexFormat+56j
					; ScanHexFormat+5Bj
		cmp	eax, 6Ch
		jz	loc_7FF308
		cmp	eax, 78h
		jnz	loc_91958C

loc_7FF26D:				; CODE XREF: ScanHexFormat+11A39Fj
		mov	[ebp+var_C], edi
		add	edx, 2
		xor	edi, edi
		mov	[ebp+arg_8], edx
		test	ecx, ecx
		jz	short loc_7FF2AE
		lea	esp, [esp+0]

loc_7FF280:				; CODE XREF: ScanHexFormat+BCj
		dec	ecx
		test	esi, esi
		jz	loc_7FF334
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_4], eax
		add	eax, 0FFFFFFD0h
		shl	edi, 4
		cmp	ax, 9
		mov	eax, [ebp+var_4]
		ja	short loc_7FF2CB
		movzx	eax, ax
		add	eax, 0FFFFFFD0h

loc_7FF2A4:				; CODE XREF: ScanHexFormat+EDj
					; ScanHexFormat+116j
		add	edi, eax
		add	ebx, 2
		dec	esi
		test	ecx, ecx
		jnz	short loc_7FF280

loc_7FF2AE:				; CODE XREF: ScanHexFormat+8Aj
		mov	eax, [ebp+var_8]
		add	eax, 4
		cmp	[ebp+var_C], 0
		mov	[ebp+var_8], eax
		mov	eax, [eax]
		jnz	short loc_7FF311
		mov	[eax], di
		mov	edi, [ebp+var_10]
		inc	edi
		jmp	loc_7FF20C
; 

loc_7FF2CB:				; CODE XREF: ScanHexFormat+ACj
		add	eax, 0FFFFFF9Fh
		cmp	ax, 5
		mov	eax, [ebp+var_4]
		ja	short loc_7FF2F4
		movzx	eax, ax
		add	eax, 0FFFFFFA9h
		jmp	short loc_7FF2A4
; 

loc_7FF2DF:				; CODE XREF: ScanHexFormat+2Fj
					; ScanHexFormat+41j
		test	esi, esi
		jz	short loc_7FF334
		cmp	[ebx], cx
		jnz	short loc_7FF334
		add	ebx, 2
		dec	esi
		add	edx, 2
		jmp	loc_7FF210
; 

loc_7FF2F4:				; CODE XREF: ScanHexFormat+E5j
		add	eax, 0FFFFFFBFh
		cmp	ax, 5
		ja	short loc_7FF334
		mov	eax, [ebp+var_4]
		movzx	eax, ax
		add	eax, 0FFFFFFC9h
		jmp	short loc_7FF2A4
; 

loc_7FF308:				; CODE XREF: ScanHexFormat+6Ej
		inc	edi
		add	edx, 2
		jmp	loc_7FF240
; 

loc_7FF311:				; CODE XREF: ScanHexFormat+CDj
		mov	[eax], edi
		mov	edi, [ebp+var_10]
		inc	edi
		jmp	loc_7FF20C
; 

loc_7FF31C:				; CODE XREF: ScanHexFormat+26j
		test	esi, esi
		jnz	short loc_7FF329

loc_7FF320:				; CODE XREF: ScanHexFormat+13Dj
					; ScanHexFormat+142j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_7FF329:				; CODE XREF: ScanHexFormat+12Ej
		cmp	word ptr [ebx],	0
		jz	short loc_7FF320
		or	edi, 0FFFFFFFFh
		jmp	short loc_7FF320
; 

loc_7FF334:				; CODE XREF: ScanHexFormat+93j
					; ScanHexFormat+F1j ...
		pop	edi
		pop	esi
		or	eax, 0FFFFFFFFh
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
ScanHexFormat	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlApplyMandatoryDeviceFilters(x, x, x, x, x)
_PiPnpRtlApplyMandatoryDeviceFilters@20	proc near
					; CODE XREF: PiPnpRtlApplyMandatoryDeviceContainerFiltersCallback(x,x,x)+1Ap
					; PiPnpRtlApplyMandatoryDeviceInterfaceFilters(x,x,x,x,x)+4Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		push	esi
		push	[ebp+arg_4]
		mov	edi, edx
		mov	byte ptr [esi],	0
		push	[ebp+arg_0]
		call	_PiPnpRtlIsDeviceValidForSession@20 ; PiPnpRtlIsDeviceValidForSession(x,x,x,x,x)
		test	eax, eax
		js	short loc_7FF37C
		cmp	byte ptr [esi],	0
		jz	short loc_7FF371
		push	esi
		push	[ebp+arg_4]
		mov	edx, edi
		push	[ebp+arg_0]
		call	_PiPnpRtlIsDeviceEnumerableForUser@20 ;	PiPnpRtlIsDeviceEnumerableForUser(x,x,x,x,x)

loc_7FF371:				; CODE XREF: PiPnpRtlApplyMandatoryDeviceFilters(x,x,x,x,x)+23j
		test	eax, eax
		js	short loc_7FF37C

loc_7FF375:				; CODE XREF: PiPnpRtlApplyMandatoryDeviceFilters(x,x,x,x,x)+41j
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	0Ch
; 

loc_7FF37C:				; CODE XREF: PiPnpRtlApplyMandatoryDeviceFilters(x,x,x,x,x)+1Ej
					; PiPnpRtlApplyMandatoryDeviceFilters(x,x,x,x,x)+35j
		mov	byte ptr [esi],	0
		jmp	short loc_7FF375
_PiPnpRtlApplyMandatoryDeviceFilters@20	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlIsDeviceValidForSession(x, x, x, x,	x)
_PiPnpRtlIsDeviceValidForSession@20 proc near
					; CODE XREF: PiPnpRtlApplyMandatoryDeviceFilters(x,x,x,x,x)+17p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], eax
		mov	byte ptr [ebp+var_1], al
		mov	[esi], al
		mov	eax, [ecx]
		push	edi
		mov	edi, edx
		test	eax, eax
		jnz	short loc_7FF3B3
		mov	eax, [ecx+8]

loc_7FF3B3:				; CODE XREF: PiPnpRtlIsDeviceValidForSession(x,x,x,x,x)+2Cj
		lea	ecx, [ebp+var_1]
		push	ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		push	eax
		call	_SeQuerySessionIdTokenEx@12 ; SeQuerySessionIdTokenEx(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_7FF401
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_7FF3FE
		push	0
		lea	eax, [ebp+var_14]
		mov	edx, edi
		push	eax
		push	4
		lea	eax, [ebp+var_C]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	offset _DEVPKEY_Device_SessionId
		push	0
		push	[ebp+arg_0]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, eax
		cmp	ecx, 0C0000225h
		jnz	short loc_7FF40A
		xor	ecx, ecx

loc_7FF3FE:				; CODE XREF: PiPnpRtlIsDeviceValidForSession(x,x,x,x,x)+49j
					; PiPnpRtlIsDeviceValidForSession(x,x,x,x,x)+90j ...
		mov	byte ptr [esi],	1

loc_7FF401:				; CODE XREF: PiPnpRtlIsDeviceValidForSession(x,x,x,x,x)+43j
					; PiPnpRtlIsDeviceValidForSession(x,x,x,x,x)+8Aj ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	0Ch
; 

loc_7FF40A:				; CODE XREF: PiPnpRtlIsDeviceValidForSession(x,x,x,x,x)+78j
		test	ecx, ecx
		js	short loc_7FF401
		cmp	[ebp+var_8], 7
		jnz	short loc_7FF3FE
		mov	eax, [ebp+var_C]
		cmp	eax, [ebp+var_10]
		jz	short loc_7FF3FE
		jmp	short loc_7FF401
_PiPnpRtlIsDeviceValidForSession@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlApplyMandatoryFilters(x, x,	x, x, x, x)
_PiPnpRtlApplyMandatoryFilters@24 proc near ; CODE XREF: PiCMValidateDeviceInstance+F3p
					; IopDeviceInterfaceFilterCallback+4Cp	...

var_2		= dword	ptr -2
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	byte ptr [ebp+var_2], 0
		mov	byte ptr [ebp+var_2+1],	0
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_7FF43F
		mov	eax, [esi+8]

loc_7FF43F:				; CODE XREF: PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)+1Cj
		lea	ecx, [ebp+var_2+1]
		push	ecx
		lea	ecx, [ebp+arg_8]
		push	ecx
		push	eax
		call	_SeQuerySessionIdTokenEx@12 ; SeQuerySessionIdTokenEx(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_7FF479
		cmp	byte ptr [ebp+var_2+1],	0
		jnz	short loc_7FF494

loc_7FF459:				; CODE XREF: PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)+8Aj
		mov	eax, [ebp+arg_0]
		sub	eax, 1
		jz	short loc_7FF482
		dec	eax
		sub	eax, 1
		jnz	short loc_7FF4B2
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, ebx
		push	esi
		push	[ebp+arg_4]
		call	_PiPnpRtlApplyMandatoryDeviceInterfaceFilters@20 ; PiPnpRtlApplyMandatoryDeviceInterfaceFilters(x,x,x,x,x)

loc_7FF477:				; CODE XREF: PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)+74j
					; PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)+A8j
		mov	ecx, eax

loc_7FF479:				; CODE XREF: PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)+33j
					; PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)+84j ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	10h
; 

loc_7FF482:				; CODE XREF: PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)+41j
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, ebx
		push	esi
		push	[ebp+arg_4]
		call	_PiPnpRtlApplyMandatoryDeviceFilters@20	; PiPnpRtlApplyMandatoryDeviceFilters(x,x,x,x,x)
		jmp	short loc_7FF477
; 

loc_7FF494:				; CODE XREF: PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)+39j
		lea	edx, [ebp+var_2]
		mov	ecx, esi
		call	_PiAuIsLocalSystem@8 ; PiAuIsLocalSystem(x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_7FF479
		cmp	byte ptr [ebp+var_2], 0
		jz	short loc_7FF459

loc_7FF4AA:				; CODE XREF: PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)+98j
		mov	eax, [ebp+arg_C]
		mov	byte ptr [eax],	1
		jmp	short loc_7FF479
; 

loc_7FF4B2:				; CODE XREF: PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)+47j
		dec	eax
		sub	eax, 1
		jnz	short loc_7FF4AA
		push	[ebp+arg_C]	; int
		mov	edx, edi	; wchar_t *
		push	esi		; int
		push	ecx		; int
		mov	ecx, ebx	; int
		call	_PiPnpRtlApplyMandatoryDeviceContainerFilters@20 ; PiPnpRtlApplyMandatoryDeviceContainerFilters(x,x,x,x,x)
		jmp	short loc_7FF477
_PiPnpRtlApplyMandatoryFilters@24 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2495. SeQuerySessionIdTokenEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeQuerySessionIdTokenEx(x, x, x)
		public _SeQuerySessionIdTokenEx@12
_SeQuerySessionIdTokenEx@12 proc near	; CODE XREF: PiPnpRtlIsDeviceValidForSession(x,x,x,x,x)+3Ap
					; PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)+2Ap ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		dec	word ptr [eax+13Ch]
		push	edi
		nop
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		inc	ebx
		push	ebx
		push	dword ptr [esi+30h]
		call	ExAcquireResourceSharedLite
		mov	eax, [ebp+arg_4]
		mov	edi, [esi+78h]
		mov	[eax], edi
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	edi, edi
		jz	short loc_7FF534
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_PsGetSiloBySessionId@8	; PsGetSiloBySessionId(x,x)
		test	eax, eax
		js	short loc_7FF542
		push	[ebp+var_4]
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		cmp	edi, eax
		setz	bl

loc_7FF534:				; CODE XREF: SeQuerySessionIdTokenEx(x,x,x)+49j
					; SeQuerySessionIdTokenEx(x,x,x)+76j
		mov	eax, [ebp+arg_8]
		pop	edi
		pop	esi
		mov	[eax], bl
		xor	eax, eax
		pop	ebx
		leave
		retn	0Ch
; 

loc_7FF542:				; CODE XREF: SeQuerySessionIdTokenEx(x,x,x)+57j
		xor	bl, bl
		jmp	short loc_7FF534
_SeQuerySessionIdTokenEx@12 endp


;  S U B	R O U T	I N E 


; __stdcall PsGetSiloBySessionId(x, x)
_PsGetSiloBySessionId@8	proc near	; CODE XREF: SessionIsInteractive+17p
					; PsIsServiceSession(x)+14p ...
		mov	edi, edi
		push	edi
		mov	edi, edx
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_7FF56F
		mov	eax, [ecx+180h]
		push	esi
		mov	esi, [eax+2450h]
		call	ObfDereferenceObject
		mov	[edi], esi
		xor	eax, eax
		pop	esi
		pop	edi
		retn
; 

loc_7FF56F:				; CODE XREF: PsGetSiloBySessionId(x,x)+Ej
		mov	eax, 0C0000455h
		pop	edi
		retn
_PsGetSiloBySessionId@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlIsDeviceEnumerableForUser(x, x, x, x, x)
_PiPnpRtlIsDeviceEnumerableForUser@20 proc near
					; CODE XREF: PiPnpRtlApplyMandatoryDeviceFilters(x,x,x,x,x)+2Ep

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		xor	ebx, ebx
		push	ebx
		mov	[ebp+var_24], ecx
		mov	ecx, 20000h
		push	ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		lea	ecx, [ebp+var_1C]
		push	ecx
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_20], ebx
		push	ecx
		push	offset _DEVPKEY_Device_RestrictedSD
		push	ebx
		push	eax
		push	1
		push	edx
		mov	edx, 200h
		mov	[ebp+var_18], 20001h
		mov	ecx, 47706E50h
		mov	[ebp+var_C], 0F0001h
		mov	[ebp+var_1C], ebx
		mov	[edi], bl
		call	PnpGetObjectProperty
		mov	ebx, [ebp+var_1C]
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	short loc_7FF606

loc_7FF5EA:				; CODE XREF: PiPnpRtlIsDeviceEnumerableForUser(x,x,x,x,x)+B2j
		xor	esi, esi

loc_7FF5EC:				; CODE XREF: PiPnpRtlIsDeviceEnumerableForUser(x,x,x,x,x)+98j
		mov	byte ptr [edi],	1

loc_7FF5EF:				; CODE XREF: PiPnpRtlIsDeviceEnumerableForUser(x,x,x,x,x)+92j
					; PiPnpRtlIsDeviceEnumerableForUser(x,x,x,x,x)+B0j
		test	ebx, ebx
		jnz	short loc_7FF62A

loc_7FF5F3:				; CODE XREF: PiPnpRtlIsDeviceEnumerableForUser(x,x,x,x,x)+BFj
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_7FF606:				; CODE XREF: PiPnpRtlIsDeviceEnumerableForUser(x,x,x,x,x)+72j
		test	esi, esi
		js	short loc_7FF5EF
		cmp	[ebp+var_20], 13h
		jnz	short loc_7FF5EC
		push	edi
		push	[ebp+var_24]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		push	eax
		mov	edx, ebx
		inc	ecx
		call	PiAuVerifyAccessToObject
		mov	esi, eax
		test	esi, esi
		jns	short loc_7FF5EF
		jmp	short loc_7FF5EA
; 

loc_7FF62A:				; CODE XREF: PiPnpRtlIsDeviceEnumerableForUser(x,x,x,x,x)+7Bj
		push	47706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_7FF5F3
_PiPnpRtlIsDeviceEnumerableForUser@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DrvDbAcquireDatabaseNodeBaseKey	proc near ; CODE XREF: DrvDbOpenObjectRegKey+71p
					; DrvDbOpenObjectRegKey+FDp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0091959A SIZE 00000054 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		and	[eax], esi
		mov	eax, large fs:124h
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ebx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [edi+4Ch]
		call	ExAcquireResourceExclusiveLite
		mov	eax, [edi+1Ch]
		test	al, 4
		jnz	loc_91959A
		test	al, 2
		jz	short loc_7FF6C3
		mov	ebx, [ebp+arg_0]
		add	ebx, 0Dh
		lea	ebx, [edi+ebx*4]
		cmp	[ebx], esi
		jz	loc_7FF709

loc_7FF687:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+11Dj
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebx]
		mov	[ecx], eax

loc_7FF68E:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+98j
					; DrvDbAcquireDatabaseNodeBaseKey+CFj ...
		mov	ecx, [edi+4Ch]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	esi, 0C0000225h
		jz	loc_9195E4
		cmp	esi, 0C0000034h
		jz	loc_9195E4

loc_7FF6BA:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+119FB1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7FF6C3:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+3Cj
		mov	edx, edi
		mov	ecx, ebx
		call	DrvDbLoadDatabaseNode
		mov	esi, eax
		test	esi, esi
		js	short loc_7FF68E
		mov	ecx, [ebp+arg_0]
		mov	edx, [edi+30h]
		mov	eax, [ebx]
		test	ecx, ecx
		jz	loc_9195C3
		mov	esi, ds:dword_404244[ecx*4]
		test	eax, eax
		jz	short loc_7FF764
		mov	ecx, [eax+74h]

loc_7FF6F0:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+12Ej
		push	0
		push	[ebp+arg_4]
		push	ecx
		push	0
		push	2000000h
		push	0
		push	esi
		call	__SysCtxRegCreateTree@36 ; _SysCtxRegCreateTree(x,x,x,x,x,x,x,x,x)

loc_7FF705:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+119FA7j
		mov	esi, eax
		jmp	short loc_7FF68E
; 

loc_7FF709:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+49j
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	DrvDbLoadDatabaseNode
		mov	esi, eax
		test	esi, esi
		js	loc_7FF68E
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		mov	edx, [edi+30h]
		mov	eax, [eax]
		test	ecx, ecx
		jz	loc_9195A4
		mov	esi, ds:dword_404244[ecx*4]
		test	eax, eax
		jz	short loc_7FF760
		mov	ecx, [eax+74h]

loc_7FF73E:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+12Aj
		push	0
		push	ebx
		push	ecx
		push	0
		push	2000000h
		push	0
		push	esi
		call	__SysCtxRegCreateKey@36	; _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)

loc_7FF751:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+119F86j
		mov	esi, eax
		test	esi, esi
		jns	loc_7FF687
		jmp	loc_7FF68E
; 

loc_7FF760:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+101j
		xor	ecx, ecx
		jmp	short loc_7FF73E
; 

loc_7FF764:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+B3j
		xor	ecx, ecx
		jmp	short loc_7FF6F0
DrvDbAcquireDatabaseNodeBaseKey	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbReleaseDatabaseNodeBaseKey(x, x, x, x)
_DrvDbReleaseDatabaseNodeBaseKey@16 proc near ;	CODE XREF: DrvDbOpenObjectRegKey+BAp
					; DrvDbOpenObjectRegKey+151p ...

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, edx
		dec	word ptr [eax+13Ch]
		mov	ebx, ecx
		nop
		push	1
		push	dword ptr [edi+4Ch]
		call	ExAcquireResourceExclusiveLite
		test	byte ptr [edi+1Ch], 2
		jz	short loc_7FF7B3

loc_7FF795:				; CODE XREF: DrvDbReleaseDatabaseNodeBaseKey(x,x,x,x)+57j
					; DrvDbReleaseDatabaseNodeBaseKey(x,x,x,x)+64j
		mov	ecx, [edi+4Ch]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_7FF7B3:				; CODE XREF: DrvDbReleaseDatabaseNodeBaseKey(x,x,x,x)+2Bj
		push	[ebp+arg_4]
		call	_ZwClose@4	; ZwClose(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7FF795
		mov	edx, edi
		mov	ecx, ebx
		call	DrvDbUnloadDatabaseNode
		mov	esi, eax
		jmp	short loc_7FF795
_DrvDbReleaseDatabaseNodeBaseKey@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DrvDbOpenObjectRegKey proc near		; CODE XREF: DrvDbGetDriverInfFileMappedProperty+79p
					; DrvDbDispatchDriverInfFile+85p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 009195EE SIZE 000000D5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_C], 0
		lea	eax, [esp+0Ch+var_8]
		and	[esp+0Ch+var_8], 0
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+arg_4]
		mov	[esp+1Ch+var_4], edx
		mov	edx, [ebp+arg_4]
		mov	ebx, ecx
		push	eax
		call	DrvDbGetObjectDatabaseNode
		mov	edi, [esp+18h+var_8]
		mov	esi, eax
		test	esi, esi
		js	loc_7FF8AD
		test	edi, edi
		jnz	loc_7FF8BF
		mov	eax, [esp+18h+var_4]
		mov	edi, eax
		test	eax, eax
		jnz	loc_7FF8BF
		lea	ecx, [ebx+0Ch]
		mov	eax, [ecx]

loc_7FF825:				; CODE XREF: DrvDbOpenObjectRegKey+161j
		mov	[esp+18h+var_8], eax
		cmp	eax, ecx
		jz	loc_9195FF
		lea	ecx, [esp+18h+var_C]
		mov	edx, eax
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, ebx
		mov	edi, eax
		call	DrvDbAcquireDatabaseNodeBaseKey
		mov	esi, eax
		cmp	esi, 0C0000467h
		jz	loc_9195EE
		test	esi, esi
		js	loc_9195FF
		mov	eax, [ebx]
		test	eax, eax
		jz	loc_9195F8
		mov	ecx, [eax+74h]

loc_7FF867:				; CODE XREF: DrvDbOpenObjectRegKey+119E2Cj
		push	[ebp+arg_10]
		mov	edx, [esp+1Ch+var_C]
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		push	[esp+18h+var_C]
		mov	edx, [esp+1Ch+var_8]
		mov	esi, eax
		push	ecx
		mov	ecx, ebx
		call	_DrvDbReleaseDatabaseNodeBaseKey@16 ; DrvDbReleaseDatabaseNodeBaseKey(x,x,x,x)
		and	[esp+18h+var_C], 0
		cmp	esi, 0C0000034h
		jz	loc_7FF926

loc_7FF89E:				; CODE XREF: DrvDbOpenObjectRegKey+13Ej
					; DrvDbOpenObjectRegKey+146j ...
		test	esi, esi
		js	short loc_7FF8AD
		mov	eax, [ebp+arg_18]
		test	eax, eax
		jnz	loc_9196BC

loc_7FF8AD:				; CODE XREF: DrvDbOpenObjectRegKey+36j
					; DrvDbOpenObjectRegKey+D2j ...
		cmp	[esp+18h+var_C], 0
		jnz	short loc_7FF916

loc_7FF8B4:				; CODE XREF: DrvDbOpenObjectRegKey+156j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_7FF8BF:				; CODE XREF: DrvDbOpenObjectRegKey+3Ej
					; DrvDbOpenObjectRegKey+4Cj
		lea	eax, [esp+18h+var_C]
		mov	edx, edi
		push	eax
		push	[ebp+arg_0]
		mov	ecx, ebx
		call	DrvDbAcquireDatabaseNodeBaseKey
		mov	esi, eax
		test	esi, esi
		js	loc_91967A
		cmp	[ebp+arg_C], 0
		mov	eax, [ebx]
		jnz	loc_919690
		test	eax, eax
		jz	short loc_7FF934
		mov	ecx, [eax+74h]

loc_7FF8ED:				; CODE XREF: DrvDbOpenObjectRegKey+168j
		push	[ebp+arg_10]
		mov	edx, [esp+1Ch+var_C]
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_7FF8AD
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	short loc_7FF89E
		mov	dword ptr [eax], 2
		jmp	short loc_7FF89E
; 

loc_7FF916:				; CODE XREF: DrvDbOpenObjectRegKey+E4j
		push	[esp+18h+var_C]
		mov	edx, edi
		push	ecx
		mov	ecx, ebx
		call	_DrvDbReleaseDatabaseNodeBaseKey@16 ; DrvDbReleaseDatabaseNodeBaseKey(x,x,x,x)
		jmp	short loc_7FF8B4
; 

loc_7FF926:				; CODE XREF: DrvDbOpenObjectRegKey+CAj
					; DrvDbOpenObjectRegKey+119E25j
		mov	eax, [esp+18h+var_8]
		lea	ecx, [ebx+0Ch]
		mov	eax, [eax]
		jmp	loc_7FF825
; 

loc_7FF934:				; CODE XREF: DrvDbOpenObjectRegKey+11Aj
		xor	ecx, ecx
		jmp	short loc_7FF8ED
DrvDbOpenObjectRegKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDaFastIoDispatch(x, x, x,	x, x, x, x, x, x)
_PiDaFastIoDispatch@36 proc near	; DATA XREF: PiDaDriverEntry+45o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		xor	cl, cl
		mov	eax, [edx+0Ch]
		cmp	eax, 5
		jnb	short loc_7FF974
		imul	eax, 0Ch
		mov	eax, ds:dword_403F18[eax]
		test	eax, eax
		jz	short loc_7FF974
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	edx
		call	eax
		mov	cl, al

loc_7FF974:				; CODE XREF: PiDaFastIoDispatch(x,x,x,x,x,x,x,x,x)+10j
					; PiDaFastIoDispatch(x,x,x,x,x,x,x,x,x)+1Dj
		mov	al, cl
		pop	ebp
		retn	24h
_PiDaFastIoDispatch@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMFastIoDeviceDispatch(x,	x, x, x, x, x, x, x, x)
_PiCMFastIoDeviceDispatch@36 proc near	; DATA XREF: .text:00403F30o

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_1C]
		push	ecx
		push	[ebp+arg_18]
		mov	ecx, [ebp+arg_8]
		lea	eax, [esi+4]
		push	eax
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		call	PiCMHandleIoctl
		mov	[esi], eax
		mov	al, 1
		pop	esi
		pop	ebp
		retn	24h
_PiCMFastIoDeviceDispatch@36 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMHandleIoctl	proc near		; CODE XREF: PiCMFastIoDeviceDispatch(x,x,x,x,x,x,x,x,x)+1Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009196C3 SIZE 0000012A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_8]
		add	eax, 0FFB8F7FDh
		and	dword ptr [esi], 0
		cmp	eax, 74h
		ja	loc_9197E3
		movzx	eax, ds:byte_7FFB3A[eax]
		jmp	ds:off_7FFABE[eax*4]

loc_7FF9D5:				; DATA XREF: PAGE:007FFACEo
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMGetObjectProperty

loc_7FF9E2:				; CODE XREF: PiCMHandleIoctl+50j
					; PiCMHandleIoctl+5Fj ...
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_7FF9E9:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFB32o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMGetObjectList
		jmp	short loc_7FF9E2
; 

loc_7FF9F8:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFAD6o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMGetRegistryProperty
		jmp	short loc_7FF9E2
; 

loc_7FFA07:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFB26o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMOpenObjectKey
		jmp	short loc_7FF9E2
; 

loc_7FFA16:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFB16o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMOpenDeviceKey
		jmp	short loc_7FF9E2
; 

loc_7FFA25:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFAC2o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMGetDeviceInterfaceList
		jmp	short loc_7FF9E2
; 

loc_7FFA34:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFAFEo
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMValidateDeviceInstance
		jmp	short loc_7FF9E2
; 

loc_7FFA43:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFAE2o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMGetDeviceStatus@24	; PiCMGetDeviceStatus(x,x,x,x,x,x)
		jmp	short loc_7FF9E2
; 

loc_7FFA52:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFADEo
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMGetRelatedDeviceInstance
		jmp	short loc_7FF9E2
; 

loc_7FFA61:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:off_7FFABEo
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMGetDeviceIdList@24	; PiCMGetDeviceIdList(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_7FFA73:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFAD2o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMSetObjectProperty
		jmp	loc_7FF9E2
; 

loc_7FFA85:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFB0Eo
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMOpenDeviceInterfaceKey
		jmp	loc_7FF9E2
; 

loc_7FFA97:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFB1Eo
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMOpenClassKey
		jmp	loc_7FF9E2
; 

loc_7FFAA9:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFAFAo
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMGetDeviceInterfaceAlias
		jmp	loc_7FF9E2
PiCMHandleIoctl	endp

; 
		db 8Dh
		db 49h,	0
off_7FFABE	dd offset loc_7FFA61	; DATA XREF: PiCMHandleIoctl+28r
		dd offset loc_7FFA25
		dd offset loc_9196C3
		dd offset loc_9196F9
		dd offset loc_7FF9D5
		dd offset loc_7FFA73
		dd offset loc_7FF9F8
		dd offset loc_91970B
		dd offset loc_7FFA52
		dd offset loc_7FFA43
		dd offset loc_91971D
		dd offset loc_91972F
		dd offset loc_919741
		dd offset loc_919753
		dd offset loc_919765
		dd offset loc_7FFAA9
		dd offset loc_7FFA34
		dd offset loc_919777
		dd offset loc_919789
		dd offset loc_91979B
		dd offset loc_7FFA85
		dd offset loc_9197AD
		dd offset loc_7FFA16
		dd offset loc_9197BF
		dd offset loc_7FFA97
		dd offset loc_9197D1
		dd offset loc_7FFA07
		dd offset loc_9196D5
		dd offset loc_9196E7
		dd offset loc_7FF9E9
		dd offset loc_9197E3
byte_7FFB3A	db 0			; DATA XREF: PiCMHandleIoctl+21r
		db 1Eh
		dd 1E011E1Eh, 1E021E1Eh, 1E031E1Eh, 1E041E1Eh, 1E051E1Eh
		dd 1E061E1Eh, 1E071E1Eh, 1E081E1Eh, 1E091E1Eh, 1E0A1E1Eh
		dd 1E0B1E1Eh, 1E0C1E1Eh, 1E0D1E1Eh, 1E0E1E1Eh, 1E0F1E1Eh
		dd 1E101E1Eh, 1E111E1Eh, 1E121E1Eh, 1E131E1Eh, 1E141E1Eh
		dd 1E151E1Eh, 1E161E1Eh, 1E171E1Eh, 1E181E1Eh, 1E191E1Eh
		dd 1E1A1E1Eh, 1E1B1E1Eh, 1E1C1E1Eh, 0CC1D1E1Eh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMCapturePropertyInputData proc near	; CODE XREF: PiCMGetObjectProperty+4Ap
					; PiCMSetObjectProperty+41p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009197ED SIZE 00000018 BYTES
; FUNCTION CHUNK AT 0091982E SIZE 00000096 BYTES

		push	20h
		push	offset dword_6A5438
		call	__SEH_prolog4
		mov	esi, edx
		mov	edx, ecx
		and	[ebp+var_28], 0
		and	[ebp+var_2C], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_20], al
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_24], eax
		test	edx, edx
		jz	loc_9198B7
		test	esi, esi
		jz	loc_9198B7
		and	[ebp+ms_exc.disabled], eax
		test	dl, 3
		jnz	loc_7FFCF2
		lea	edi, [edx+esi]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edi, ecx
		ja	loc_9197ED
		cmp	edi, edx
		jb	loc_9197ED

loc_7FFC14:				; CODE XREF: PiCMCapturePropertyInputData+119C40j
		mov	ebx, [ebp+arg_4]
		cmp	esi, 38h
		jb	loc_9197F5
		push	0Eh
		pop	ecx
		mov	esi, edx
		mov	edi, ebx
		rep movsd
		cmp	dword ptr [ebx], 38h
		jnz	loc_9197F5

loc_7FFC32:				; CODE XREF: PiCMCapturePropertyInputData+119C50j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_7FFC39:				; CODE XREF: sub_919813+16j
		test	eax, eax
		js	loc_7FFD00
		lea	edi, [ebx+0Ch]
		mov	eax, [edi]
		and	dword ptr [edi], 0
		test	eax, eax
		jz	loc_91983E
		mov	ecx, [ebx+10h]
		cmp	ecx, 2
		jb	loc_91983A
		push	1
		push	[ebp+var_20]
		push	2
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	PiControlMakeUserModeCallersCopy
		mov	esi, eax
		test	esi, esi
		js	loc_91982E
		mov	[ebp+var_28], 1
		mov	edx, [ebx+10h]
		shr	edx, 1
		mov	ecx, [edi]
		xor	eax, eax
		mov	[ecx+edx*2-2], ax

loc_7FFC8D:				; CODE XREF: PiCMCapturePropertyInputData+119C85j
					; PiCMCapturePropertyInputData+119CEEj
		lea	edi, [ebx+2Ch]
		mov	eax, [edi]
		and	dword ptr [edi], 0
		test	eax, eax
		jnz	short loc_7FFCC7

loc_7FFC99:				; CODE XREF: PiCMCapturePropertyInputData+119CF5j
		cmp	dword ptr [ebx+30h], 0
		ja	loc_91984E
		test	eax, eax
		jnz	loc_9198AB

loc_7FFCAB:				; CODE XREF: PiCMCapturePropertyInputData+140j
					; PiCMCapturePropertyInputData+14Ej ...
		test	esi, esi
		js	loc_919853

loc_7FFCB3:				; CODE XREF: PiCMCapturePropertyInputData+119CE6j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_7FFCC7:				; CODE XREF: PiCMCapturePropertyInputData+E7j
		mov	ecx, [ebx+30h]
		test	ecx, ecx
		jz	loc_9198A3
		push	1
		push	[ebp+var_20]
		push	1
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	PiControlMakeUserModeCallersCopy
		mov	esi, eax
		test	esi, esi
		js	short loc_7FFCF7
		mov	[ebp+var_2C], 1
		jmp	short loc_7FFCAB
; 

loc_7FFCF2:				; CODE XREF: PiCMCapturePropertyInputData+45j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7FFCF7:				; CODE XREF: PiCMCapturePropertyInputData+137j
		and	dword ptr [edi], 0
		and	dword ptr [ebx+30h], 0
		jmp	short loc_7FFCAB
; 

loc_7FFD00:				; CODE XREF: PiCMCapturePropertyInputData+8Bj
		mov	esi, [ebp+var_1C]
		jmp	short loc_7FFCAB
PiCMCapturePropertyInputData endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtPlugPlayControl proc near		; DATA XREF: .text:00580EECo

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009198C4 SIZE 00000071 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_8], bl
		test	bl, bl
		jnz	loc_9198C4

loc_7FFD27:				; CODE XREF: NtPlugPlayControl+119BD5j
		mov	edi, [ebp+arg_0]
		cmp	edi, 18h
		jnb	loc_91992B
		mov	eax, edi
		shl	eax, 4
		lea	esi, _PlugPlayHandlerTable[eax]
		cmp	[esi], edi
		jnz	loc_919921
		test	esi, esi
		jz	loc_91992B
		cmp	dword ptr [esi+8], 0
		jz	loc_9198E0
		mov	eax, [ebp+arg_8]
		cmp	[esi+4], eax
		jnz	loc_9198EA
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_9198F4

loc_7FFD71:				; CODE XREF: NtPlugPlayControl+119BF2j
		mov	edx, [ebp+arg_4]
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	1
		push	[ebp+var_8]
		push	4
		push	[ebp+arg_8]
		call	PiControlMakeUserModeCallersCopy
		test	eax, eax
		js	short loc_7FFDD5
		push	[ebp+var_8]
		push	[ebp+arg_8]
		push	[ebp+var_4]
		push	edi
		call	dword ptr [esi+8]
		mov	esi, eax
		mov	eax, 0C0000000h
		mov	ecx, esi
		and	ecx, eax
		cmp	ecx, eax
		jz	short loc_7FFDDC

loc_7FFDAA:				; CODE XREF: NtPlugPlayControl+DEj
		mov	edx, [ebp+var_4]
		lea	ecx, [ebp+arg_4]
		push	0
		push	[ebp+var_8]
		push	4
		push	[ebp+arg_8]
		call	PiControlMakeUserModeCallersCopy
		test	eax, eax
		js	short loc_7FFDE6

loc_7FFDC3:				; CODE XREF: NtPlugPlayControl+DCj
					; NtPlugPlayControl+E2j
		cmp	esi, 0C0000056h
		jz	short loc_7FFDEA

loc_7FFDCB:				; CODE XREF: NtPlugPlayControl+E9j
		test	bl, bl
		jnz	loc_919908

loc_7FFDD3:				; CODE XREF: NtPlugPlayControl+119C06j
					; NtPlugPlayControl+119C16j
		mov	eax, esi

loc_7FFDD5:				; CODE XREF: NtPlugPlayControl+86j
					; NtPlugPlayControl+119BDFj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_7FFDDC:				; CODE XREF: NtPlugPlayControl+A2j
		cmp	esi, 0C0000023h
		jnz	short loc_7FFDC3
		jmp	short loc_7FFDAA
; 

loc_7FFDE6:				; CODE XREF: NtPlugPlayControl+BBj
		mov	esi, eax
		jmp	short loc_7FFDC3
; 

loc_7FFDEA:				; CODE XREF: NtPlugPlayControl+C3j
		mov	esi, 0C000000Eh
		jmp	short loc_7FFDCB
NtPlugPlayControl endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiControlMakeUserModeCallersCopy proc near ; CODE XREF:	NtReplacePartitionUnit(x,x,x)+132p
					; NtReplacePartitionUnit(x,x,x)+152p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00919935 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_8], 0
		mov	eax, edx
		push	esi
		mov	[ebp+var_4], eax
		mov	esi, ecx
		jnz	short loc_7FFE0F
		mov	[esi], eax
		xor	eax, eax

loc_7FFE0A:				; CODE XREF: PiControlMakeUserModeCallersCopy+6Aj
		pop	esi
		leave
		retn	10h
; 

loc_7FFE0F:				; CODE XREF: PiControlMakeUserModeCallersCopy+12j
		push	ebx
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	short loc_7FFE5E
		push	edi
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jz	short loc_7FFE35
		push	20207050h
		push	ebx
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	[esi], eax
		test	eax, eax
		jz	short loc_7FFE65
		mov	eax, [ebp+var_4]

loc_7FFE35:				; CODE XREF: PiControlMakeUserModeCallersCopy+2Bj
		and	[ebp+arg_0], 0
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_7FFE6C
		push	edi		; int
		push	dword ptr [ebp+arg_8] ;	char
		mov	edx, eax
		push	[ebp+arg_4]	; int
		push	ebx		; size_t
		call	PiControlCopyUserModeCallersBuffer
		mov	ebx, eax
		test	ebx, ebx
		js	loc_919935

loc_7FFE58:				; CODE XREF: PiControlMakeUserModeCallersCopy+7Dj
					; PiControlMakeUserModeCallersCopy+119B45j ...
		mov	eax, ebx

loc_7FFE5A:				; CODE XREF: PiControlMakeUserModeCallersCopy+78j
		pop	edi

loc_7FFE5B:				; CODE XREF: PiControlMakeUserModeCallersCopy+71j
		pop	ebx
		jmp	short loc_7FFE0A
; 

loc_7FFE5E:				; CODE XREF: PiControlMakeUserModeCallersCopy+23j
		and	dword ptr [esi], 0
		xor	eax, eax
		jmp	short loc_7FFE5B
; 

loc_7FFE65:				; CODE XREF: PiControlMakeUserModeCallersCopy+3Ej
		mov	eax, 0C000009Ah
		jmp	short loc_7FFE5A
; 

loc_7FFE6C:				; CODE XREF: PiControlMakeUserModeCallersCopy+4Bj
		mov	ebx, [ebp+arg_0]
		jmp	short loc_7FFE58
PiControlMakeUserModeCallersCopy endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiControlCopyUserModeCallersBuffer(size_t,int,char,int)
PiControlCopyUserModeCallersBuffer proc	near
					; CODE XREF: PiControlMakeUserModeCallersCopy+57p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0091994E SIZE 00000026 BYTES

		push	10h
		push	offset dword_6A5458
		call	__SEH_prolog4
		mov	edi, edx
		mov	[ebp+var_1C], ecx
		xor	ebx, ebx
		cmp	[ebp+arg_8], bl
		jz	loc_91994E
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [ebp+arg_0]
		cmp	[ebp+arg_C], ebx
		jz	loc_919962
		test	esi, esi
		jz	short loc_7FFEB9
		mov	eax, [ebp+arg_4]
		dec	eax
		test	eax, edi
		jnz	short loc_7FFEDF
		lea	edx, [edi+esi]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_7FFEE4
		cmp	edx, edi
		jb	short loc_7FFEE4

loc_7FFEB9:				; CODE XREF: PiControlCopyUserModeCallersBuffer+2Dj
					; PiControlCopyUserModeCallersBuffer+74j ...
		push	esi		; size_t
		push	edi		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_7FFEC4:				; CODE XREF: sub_919982+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ebx

loc_7FFECD:				; CODE XREF: PiControlCopyUserModeCallersBuffer+119AEBj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_7FFEDF:				; CODE XREF: PiControlCopyUserModeCallersBuffer+35j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_7FFEE4:				; CODE XREF: PiControlCopyUserModeCallersBuffer+41j
					; PiControlCopyUserModeCallersBuffer+45j
		mov	[eax], bl
		jmp	short loc_7FFEB9
PiControlCopyUserModeCallersBuffer endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpOKToFollowLink(x, x)
_CmpOKToFollowLink@8 proc near		; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+838p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp

loc_7FFEFF:				; DATA XREF: RtlpCreateHashTable+1Do
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	loc_800027
		cmp	esi, edi
		jz	loc_800027
		test	byte ptr [edi+980h], 1
		jz	short loc_7FFF60
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		call	ExAcquirePushLockSharedEx
		mov	ecx, [edi+984h]
		lea	edx, [edi+984h]
		cmp	ecx, edx
		jz	short loc_7FFF54
		lea	ecx, [ecx+0]

loc_7FFF40:				; CODE XREF: CmpOKToFollowLink(x,x)+62j
		lea	eax, [ecx-984h]
		cmp	eax, esi
		jz	loc_80001B
		mov	ecx, [ecx]
		cmp	ecx, edx
		jnz	short loc_7FFF40

loc_7FFF54:				; CODE XREF: CmpOKToFollowLink(x,x)+4Bj
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		call	ExReleasePushLockEx

loc_7FFF60:				; CODE XREF: CmpOKToFollowLink(x,x)+2Fj
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	loc_800009
		mov	esi, dword_6B2348
		cmp	esi, 5
		jbe	loc_800009

loc_7FFF7C:				; DATA XREF: RtlExpandHashTable+13o
		push	2000h
		push	10000h
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_7FFFD9
		lea	eax, [ebp+var_40]
		mov	[ebp+var_40], 1000000h
		mov	[ebp+var_18], eax
		mov	edx, (offset loc_419B37+6)
		lea	eax, [ebp+var_38]
		mov	[ebp+var_3C], 0
		push	eax
		push	3
		push	ecx
		mov	ecx, offset dword_6B2348
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], 0
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)
		mov	esi, dword_6B2348

loc_7FFFD9:				; CODE XREF: CmpOKToFollowLink(x,x)+A2j
		cmp	esi, 5
		jbe	short loc_800009
		push	0
		push	0
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_800009
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		push	0

loc_7FFFF8:				; DATA XREF: MmProbeAndLockSelectedPages+E0o
					; MiReturnSystemVa(x,x,x,x)+37o ...
		push	0

loc_7FFFFA:				; DATA XREF: MiAddPhysicalMemory(x,x,x,x,x):loc_99677Co
					; MiNewPfnsSuitable(x):loc_997568o ...
		push	offset loc_419B06

loc_7FFFFF:				; DATA XREF: .text:0044A74Co
					; MiFreePagesFromMdl(x,x)+177o	...
		push	offset dword_6B2348

loc_800004:				; DATA XREF: HvlpDetermineEnlightenments()+CEo
					; IopAllocRealFileObject:loc_822099o
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_800009:				; CODE XREF: CmpOKToFollowLink(x,x)+77j
					; CmpOKToFollowLink(x,x)+86j ...
		xor	al, al
		pop	edi
		pop	esi
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_80001B:				; CODE XREF: CmpOKToFollowLink(x,x)+58j
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		call	ExReleasePushLockEx

loc_800027:				; CODE XREF: CmpOKToFollowLink(x,x)+1Aj
					; CmpOKToFollowLink(x,x)+22j
		mov	ecx, [ebp+var_4]
		mov	al, 1
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_CmpOKToFollowLink@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMGetObjectProperty proc near		; CODE XREF: PiCMHandleIoctl+37p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0091998D SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		push	38h		; size_t
		mov	[ebp+var_40], eax
		mov	esi, edx
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_54], ebx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		mov	[ebx], eax
		mov	edx, esi
		mov	ebx, eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	ecx
		mov	ecx, edi
		call	PiCMCapturePropertyInputData
		mov	edi, eax
		test	edi, edi
		js	loc_80019B
		mov	edx, [ebp+var_30]
		mov	[ebp+var_50], edx
		test	edx, edx
		jz	loc_9199C2
		cmp	[ebp+var_38], ebx
		jnz	loc_9199C2
		cmp	[ebp+var_10], ebx
		jnz	loc_9199C2
		cmp	[ebp+var_C], ebx
		jnz	loc_9199C2
		cmp	[ebp+var_14], ebx
		jnz	loc_9199C2
		cmp	[ebp+var_40], ebx
		jz	loc_9199B8
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 14h
		jb	loc_9199B8
		mov	eax, [ebp+var_34]
		xor	esi, esi
		cmp	eax, 6
		jle	loc_8001B6
		sub	eax, 10001h
		jz	loc_91999D
		sub	eax, 1
		jnz	loc_8001F5
		push	8

loc_8000FE:				; CODE XREF: PiCMGetObjectProperty+1C2j
					; PiCMGetObjectProperty+1DEj ...
		mov	esi, _PiDrvDbCtx
		neg	esi
		pop	eax
		sbb	esi, esi
		and	esi, eax

loc_80010B:				; CODE XREF: PiCMGetObjectProperty+1D6j
					; PiCMGetObjectProperty+119956j
		test	esi, esi
		jz	loc_9199A4

loc_800113:				; CODE XREF: PiCMGetObjectProperty+186j
					; PiCMGetObjectProperty+1B6j ...
		test	edi, edi
		js	loc_8001C5
		lea	eax, [ecx-14h]
		mov	[ebp+var_4C], eax
		test	eax, eax
		jz	loc_800201
		push	34706E50h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, [ebp+var_50]
		mov	ebx, eax
		mov	eax, [ebp+var_4C]
		test	ebx, ebx
		jz	loc_9199AE

loc_800146:				; CODE XREF: PiCMGetObjectProperty+1C9j
					; PiCMGetObjectProperty+119979j
		test	edi, edi
		js	short loc_8001C5
		xor	edi, edi
		lea	ecx, [ebp+var_48]
		push	edi
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	ebx
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	edi
		push	edi
		push	esi
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax

loc_80016B:				; CODE XREF: PiCMGetObjectProperty+11998Dj
		test	edi, edi
		js	short loc_8001C5
		push	[ebp+var_54]	; int
		mov	edx, [ebp+var_48]
		push	[ebp+arg_4]	; int
		push	[ebp+var_40]	; int
		push	[ebp+var_8]	; int
		push	edx		; size_t
		push	ebx		; void *

loc_800180:				; CODE XREF: PiCMGetObjectProperty+19Ej
		push	[ebp+var_44]	; int
		mov	ecx, edi
		call	PiCMReturnBufferResultData
		mov	edi, eax
		test	ebx, ebx
		jz	short loc_80019B
		push	34706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_80019B:				; CODE XREF: PiCMGetObjectProperty+53j
					; PiCMGetObjectProperty+154j
		lea	ecx, [ebp+var_3C]
		call	_PiCMReleasePropertyInputData@8	; PiCMReleasePropertyInputData(x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_8001B6:				; CODE XREF: PiCMGetObjectProperty+A8j
		jz	short loc_800225
		sub	eax, 1
		jnz	short loc_8001DA
		xor	esi, esi
		inc	esi
		jmp	loc_800113
; 

loc_8001C5:				; CODE XREF: PiCMGetObjectProperty+DBj
					; PiCMGetObjectProperty+10Ej ...
		push	[ebp+var_54]
		mov	edx, [ebp+var_48]
		push	[ebp+arg_4]
		push	[ebp+var_40]
		push	[ebp+var_8]
		push	0
		push	0
		jmp	short loc_800180
; 

loc_8001DA:				; CODE XREF: PiCMGetObjectProperty+181j
		sub	eax, 1
		jz	short loc_800221
		sub	eax, 1
		jz	short loc_80021D
		sub	eax, 1
		jnz	loc_91998D
		push	3

loc_8001EF:				; CODE XREF: PiCMGetObjectProperty+1E5j
					; PiCMGetObjectProperty+1E9j ...
		pop	esi
		jmp	loc_800113
; 

loc_8001F5:				; CODE XREF: PiCMGetObjectProperty+BCj
		sub	eax, 1
		jnz	short loc_800208
		push	9
		jmp	loc_8000FE
; 

loc_800201:				; CODE XREF: PiCMGetObjectProperty+E9j
		xor	ebx, ebx
		jmp	loc_800146
; 

loc_800208:				; CODE XREF: PiCMGetObjectProperty+1BEj
		sub	eax, 1
		jz	short loc_800229
		sub	eax, 1
		jnz	loc_80010B
		push	0Bh
		jmp	loc_8000FE
; 

loc_80021D:				; CODE XREF: PiCMGetObjectProperty+1A8j
		push	4
		jmp	short loc_8001EF
; 

loc_800221:				; CODE XREF: PiCMGetObjectProperty+1A3j
		push	2
		jmp	short loc_8001EF
; 

loc_800225:				; CODE XREF: PiCMGetObjectProperty:loc_8001B6j
		push	6
		jmp	short loc_8001EF
; 

loc_800229:				; CODE XREF: PiCMGetObjectProperty+1D1j
		push	0Ah
		jmp	loc_8000FE
PiCMGetObjectProperty endp


;  S U B	R O U T	I N E 


; __stdcall PiCMReleasePropertyInputData(x, x)
_PiCMReleasePropertyInputData@8	proc near ; CODE XREF: PiCMGetObjectProperty+164p
					; PiCMSetObjectProperty+161p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, [eax+15Ah]
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_800253
		test	bl, bl
		jz	short loc_800253
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_800253:				; CODE XREF: PiCMReleasePropertyInputData(x,x)+15j
					; PiCMReleasePropertyInputData(x,x)+19j
		mov	eax, [esi+2Ch]
		test	eax, eax
		jnz	short loc_80025F

loc_80025A:				; CODE XREF: PiCMReleasePropertyInputData(x,x)+31j
					; PiCMReleasePropertyInputData(x,x)+3Bj
		pop	esi
		xor	eax, eax
		pop	ebx
		retn
; 

loc_80025F:				; CODE XREF: PiCMReleasePropertyInputData(x,x)+28j
		test	bl, bl
		jz	short loc_80025A
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_80025A
_PiCMReleasePropertyInputData@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiCMReturnBufferResultData(int,void *,size_t,int,int,int,int)
PiCMReturnBufferResultData proc	near	; CODE XREF: PiCMGetRelatedDeviceInstance+106p
					; PiCMGetDeviceIdList(x,x,x,x,x,x)+126p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		push	24h
		push	offset dword_6A5478
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	eax, [ebp+arg_18]
		mov	[eax], ebx
		mov	eax, [ebp+arg_8]
		add	eax, 14h
		mov	[ebp+var_20], eax
		cmp	[ebp+arg_14], eax
		jb	short loc_800304
		push	14h
		pop	eax
		cmp	[ebp+arg_C], eax
		jnz	short loc_800304
		mov	[ebp+var_24], ebx
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_28], eax
		mov	[ebp+ms_exc.disabled], ebx
		push	4
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	5
		pop	ecx
		lea	esi, [ebp+var_34]
		mov	eax, [ebp+arg_10]
		mov	edi, eax
		rep movsd
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_8002DD
		push	ecx		; size_t
		push	[ebp+arg_4]	; void *
		add	eax, 10h
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_8002DD:				; CODE XREF: PiCMReturnBufferResultData+5Dj
					; sub_9199DA+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	ebx, ebx
		js	short loc_8002F0
		mov	edx, [ebp+arg_18]
		mov	ecx, [ebp+var_20]
		mov	[edx], ecx

loc_8002F0:				; CODE XREF: PiCMReturnBufferResultData+78j
					; PiCMReturnBufferResultData+9Bj
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_800304:				; CODE XREF: PiCMReturnBufferResultData+1Fj
					; PiCMReturnBufferResultData+27j
		mov	ebx, 0C000000Dh
		jmp	short loc_8002F0
PiCMReturnBufferResultData endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmpIsKcbLockedExclusive(x)
_CmpIsKcbLockedExclusive@4 proc	near	; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+498p
		mov	edx, large fs:124h
		xor	eax, eax
		cmp	[ecx+1Ch], edx
		setz	al
		retn
_CmpIsKcbLockedExclusive@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpTryConvertKcbLockSharedToExclusive(x)
_CmpTryConvertKcbLockSharedToExclusive@4 proc near
					; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+4A1p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		inc	ecx
		push	11h
		mov	edx, ecx
		lea	esi, [edi+18h]
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_800344
		mov	eax, large fs:124h
		mov	[edi+1Ch], eax

loc_80033F:				; CODE XREF: CmpTryConvertKcbLockSharedToExclusive(x)+2Aj
		pop	edi
		mov	al, cl
		pop	esi
		retn
; 

loc_800344:				; CODE XREF: CmpTryConvertKcbLockSharedToExclusive(x)+18j
		xor	cl, cl
		jmp	short loc_80033F
_CmpTryConvertKcbLockSharedToExclusive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCleanUpKcbCachedSymlink(x, x)
_CmpCleanUpKcbCachedSymlink@8 proc near	; CODE XREF: CmpGetSymbolicLinkTarget+B21p
					; CmDeleteValueKey+4A1p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, ecx
		test	dword ptr [esi+68h], 400000h
		jnz	short loc_800363
		test	byte ptr [esi+4], 8
		jnz	short loc_800368

loc_800363:				; CODE XREF: CmpCleanUpKcbCachedSymlink(x,x)+13j
					; CmpCleanUpKcbCachedSymlink(x,x)+35j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_800368:				; CODE XREF: CmpCleanUpKcbCachedSymlink(x,x)+19j
		mov	ecx, [esi+38h]
		call	_CmpDelayDerefKeyControlBlock@8	; CmpDelayDerefKeyControlBlock(x,x)
		and	dword ptr [esi+38h], 0
		mov	eax, 0FFF7h
		and	[esi+4], ax
		jmp	short loc_800363
_CmpCleanUpKcbCachedSymlink@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpUpdateKeyNodeAccessBits(x, x, x)
_CmpUpdateKeyNodeAccessBits@12 proc near ; CODE	XREF: CmpCreateTombstone(x,x)+1D4p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+BD7p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	dword ptr [ecx+64h], 8001h
		push	esi
		mov	esi, edx
		jnz	short loc_80039B
		mov	al, _CmpAccessBitForPhase
		test	[esi+0Ch], al
		jz	short loc_8003A0

loc_80039B:				; CODE XREF: CmpUpdateKeyNodeAccessBits(x,x,x)+Fj
					; CmpUpdateKeyNodeAccessBits(x,x,x)+2Ej ...
		pop	esi
		pop	ebp
		retn	4
; 

loc_8003A0:				; CODE XREF: CmpUpdateKeyNodeAccessBits(x,x,x)+19j
		mov	edx, [ebp+arg_0]
		push	1
		push	0
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_80039B
		mov	al, _CmpAccessBitForPhase
		or	[esi+0Ch], al
		jmp	short loc_80039B
_CmpUpdateKeyNodeAccessBits@12 endp


;  S U B	R O U T	I N E 


; __stdcall HvLockHiveFlusherShared(x)
_HvLockHiveFlusherShared@4 proc	near	; CODE XREF: CmpRemoveHiveFromNamespace(x,x,x)+28p
					; CmpCreateTombstone(x,x)+71p ...
		add	ecx, 24h
		xor	edx, edx
		jmp	ExAcquirePushLockSharedEx
_HvLockHiveFlusherShared@4 endp


;  S U B	R O U T	I N E 


; __stdcall HvUnlockHiveFlusherShared(x)
_HvUnlockHiveFlusherShared@4 proc near	; CODE XREF: CmpRemoveHiveFromNamespace(x,x,x)+7Ap
					; CmpCreateTombstone(x,x)+24Dp	...
		mov	edi, edi
		push	esi
		push	11h
		lea	esi, [ecx+24h]
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_8003E0

loc_8003D8:				; CODE XREF: HvUnlockHiveFlusherShared(x)+23j
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
; 

loc_8003E0:				; CODE XREF: HvUnlockHiveFlusherShared(x)+12j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_8003D8
_HvUnlockHiveFlusherShared@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqActionDataGetRequestedProperties proc near ; CODE XREF: PiDqActionDataCreate+E1p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 009199E5 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_18]
		xor	eax, eax
		push	edi
		mov	edi, [ebp+arg_10]
		mov	ebx, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_18], eax
		mov	[esi], eax
		imul	eax, edi, 28h
		push	58706E50h
		mov	[ebp+var_10], edx
		mov	[ebp+var_1C], ecx
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+arg_14]
		mov	[ecx], eax
		test	eax, eax
		jz	loc_9199E5
		lea	ecx, [ebp+var_18]
		call	PiPnpRtlBeginOperation
		and	[ebp+var_14], ebx
		test	edi, edi
		jz	short loc_80049C
		mov	ecx, [ebp+arg_C]
		mov	edx, [esi]
		add	ecx, 14h
		mov	[ebp+arg_C], ecx

loc_800444:				; CODE XREF: PiDqActionDataGetRequestedProperties+B0j
		mov	eax, [ebp+arg_14]
		xor	edi, edi
		imul	edx, 28h
		add	edx, [eax]
		mov	eax, [ecx]
		mov	[ebp+var_C], edx
		sub	eax, edi
		jnz	short loc_8004D2
		mov	eax, [ebp+var_10]
		mov	[ebp+var_8], eax

loc_80045D:				; CODE XREF: PiDqActionDataGetRequestedProperties+151j
		test	ebx, ebx
		js	short loc_80049C
		cmp	[ebp+arg_4], 0
		lea	eax, [ecx-14h]
		push	edx
		mov	edx, [ebp+var_8]
		jz	short loc_8004C1
		push	[ebp+arg_8]
		push	dword ptr [ecx]
		mov	ecx, [ebp+arg_0]
		push	eax
		push	edi
		call	_PiDqPnPGetObjectPropertyInBestLocale@28 ; PiDqPnPGetObjectPropertyInBestLocale(x,x,x,x,x,x,x)

loc_80047D:				; CODE XREF: PiDqActionDataGetRequestedProperties+E6j
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_80049C

loc_800483:				; CODE XREF: PiDqActionDataGetRequestedProperties+149j
		inc	dword ptr [esi]
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+arg_C]
		inc	eax
		mov	edx, [esi]
		add	ecx, 1Ch
		mov	[ebp+var_14], eax
		mov	[ebp+arg_C], ecx
		cmp	eax, [ebp+arg_10]
		jb	short loc_800444

loc_80049C:				; CODE XREF: PiDqActionDataGetRequestedProperties+4Dj
					; PiDqActionDataGetRequestedProperties+75j ...
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_8004AC
		cmp	eax, 0FFFFFFFFh
		jnz	loc_9199F9

loc_8004AC:				; CODE XREF: PiDqActionDataGetRequestedProperties+B7j
					; PiDqActionDataGetRequestedProperties+119615j
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jz	short loc_8004B8
		call	PiPnpRtlEndOperation

loc_8004B8:				; CODE XREF: PiDqActionDataGetRequestedProperties+C7j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	1Ch
; 

loc_8004C1:				; CODE XREF: PiDqActionDataGetRequestedProperties+82j
		push	dword ptr [ecx+4]
		push	dword ptr [ecx]
		mov	ecx, [ebp+arg_0]
		push	eax
		push	edi
		call	PiDqPnPGetObjectProperty
		jmp	short loc_80047D
; 

loc_8004D2:				; CODE XREF: PiDqActionDataGetRequestedProperties+6Bj
		sub	eax, 1
		jnz	loc_9199EF
		and	[ebp+var_8], edi
		cmp	[ebp+var_4], edi
		jnz	short loc_800514
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	ecx
		push	ecx
		push	eax
		push	[ebp+var_1C]
		xor	ecx, ecx
		push	0
		push	1
		push	[ebp+var_10]
		inc	ecx
		call	_PiDqOpenObjectRegKey@36 ; PiDqOpenObjectRegKey(x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+arg_C]
		mov	ebx, eax
		mov	edx, [ebp+var_C]
		cmp	ebx, 0C0000034h
		jnz	short loc_800514
		xor	ebx, ebx
		or	[ebp+var_4], 0FFFFFFFFh

loc_800514:				; CODE XREF: PiDqActionDataGetRequestedProperties+F7j
					; PiDqActionDataGetRequestedProperties+122j
		cmp	[ebp+var_4], 0FFFFFFFFh
		jnz	short loc_800538
		lea	esi, [ecx-14h]
		mov	edi, edx
		push	7
		pop	ecx
		rep movsd
		and	dword ptr [edx+1Ch], 0
		and	dword ptr [edx+24h], 0
		and	dword ptr [edx+20h], 0
		mov	esi, [ebp+arg_18]
		jmp	loc_800483
; 

loc_800538:				; CODE XREF: PiDqActionDataGetRequestedProperties+12Ej
		mov	edi, [ebp+var_4]
		jmp	loc_80045D
PiDqActionDataGetRequestedProperties endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpOpenObjectRegKeyDispatch(x, x, x, x, x,	x, x, x)
__PnpOpenObjectRegKeyDispatch@32 proc near ; CODE XREF:	_PnpOpenObjectRegKey+80p

var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_4], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		push	8
		pop	ecx
		rep stosd
		mov	edi, [ebp+arg_14]
		mov	ebx, edx
		test	di, di
		jnz	short loc_8005B9
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, esi
		call	__PnpCtxGetObjectDispatchCallback@12 ; _PnpCtxGetObjectDispatchCallback(x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_8005B0
		cmp	[ebp+var_4], 0
		jz	short loc_8005C0
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_24], eax
		mov	al, [ebp+arg_8]
		mov	[ebp+var_20], al
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	[ebp+arg_0]
		mov	[ebp+var_14], edi
		push	ebx
		push	esi
		call	[ebp+var_4]
		mov	edx, eax
		test	edx, edx
		js	short loc_8005B0
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+var_18]
		mov	[ecx], eax

loc_8005B0:				; CODE XREF: _PnpOpenObjectRegKeyDispatch(x,x,x,x,x,x,x,x)+37j
					; _PnpOpenObjectRegKeyDispatch(x,x,x,x,x,x,x,x)+66j ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	18h
; 

loc_8005B9:				; CODE XREF: _PnpOpenObjectRegKeyDispatch(x,x,x,x,x,x,x,x)+23j
		mov	edx, 0C000000Dh
		jmp	short loc_8005B0
; 

loc_8005C0:				; CODE XREF: _PnpOpenObjectRegKeyDispatch(x,x,x,x,x,x,x,x)+3Dj
		mov	edx, 0C0000002h
		jmp	short loc_8005B0
__PnpOpenObjectRegKeyDispatch@32 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxGetObjectDispatchCallback(x,	x, x)
__PnpCtxGetObjectDispatchCallback@12 proc near
					; CODE XREF: _PnpValidateObjectNameDispatch(x,x,x,x)+2Ep
					; _PnpGetObjectListDispatch(x,x,x,x,x,x,x,x)+24p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		lea	eax, [edx-1]
		xor	esi, esi
		cmp	eax, 0Ah
		ja	short loc_8005EB
		mov	eax, [ebp+arg_0]
		mov	ecx, [ecx+edx*4+98h]
		mov	[eax], ecx

loc_8005E4:				; CODE XREF: _PnpCtxGetObjectDispatchCallback(x,x,x)+28j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_8005EB:				; CODE XREF: _PnpCtxGetObjectDispatchCallback(x,x,x)+Ej
		mov	esi, 0C000000Dh
		jmp	short loc_8005E4
__PnpCtxGetObjectDispatchCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpOpenObjectRegKey proc near		; CODE XREF: PiDqOpenObjectRegKey(x,x,x,x,x,x,x,x,x)+4Dp
					; PiCMOpenObjectKey+D4p ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00919A04 SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+38h+var_28]
		mov	ebx, ecx
		mov	esi, edx
		push	0Ah
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_4]
		mov	edi, [ebx+0F8h]
		mov	[esp+38h+var_20], eax
		mov	al, [ebp+arg_8]
		mov	[esp+38h+var_1C], al
		mov	eax, [ebp+arg_C]
		mov	[esp+38h+var_18], eax
		mov	eax, [ebp+arg_14]
		mov	[esp+38h+var_2C], esi
		mov	[esp+38h+var_10], eax
		test	edi, edi
		jz	short loc_800656
		lea	eax, [esp+38h+var_28]
		push	eax
		push	1
		push	2
		push	[ebp+arg_0]
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	loc_919A04
		xor	edi, edi

loc_800656:				; CODE XREF: _PnpOpenObjectRegKey+45j
					; _PnpOpenObjectRegKey+11941Bj
		push	[esp+50h+var_28]
		lea	eax, [esp+54h+var_2C]
		mov	edx, esi
		push	eax
		push	[esp+58h+var_30]
		mov	ecx, ebx
		push	[esp+5Ch+var_34]
		push	[esp+60h+var_38]
		push	[ebp+arg_0]
		call	__PnpOpenObjectRegKeyDispatch@32 ; _PnpOpenObjectRegKeyDispatch(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jnz	loc_919A26

loc_800681:				; CODE XREF: _PnpOpenObjectRegKey+11942Fj
					; _PnpOpenObjectRegKey+119450j	...
		test	esi, esi
		js	short loc_80068C
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jnz	short loc_800697

loc_80068C:				; CODE XREF: _PnpOpenObjectRegKey+91j
					; _PnpOpenObjectRegKey+ABj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_800697:				; CODE XREF: _PnpOpenObjectRegKey+98j
		mov	eax, [esp+50h+var_2C]
		mov	[ecx], eax
		jmp	short loc_80068C
_PnpOpenObjectRegKey endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPnpRtlInterfaceFilterCallback	proc near
					; DATA XREF: PiPnpRtlGetFilteredDeviceInterfaceList:loc_7CCAA7o
					; PiPnpRtlGetFilteredDeviceInterfaceList+126206o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= dword	ptr -15h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00919A61 SIZE 00000084 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_28], eax
		lea	edi, [ebp+var_15+1]
		xor	eax, eax
		mov	[ebp+var_24], ecx
		stosd
		mov	byte ptr [ebp+var_15], bl
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], ebx
		stosd
		stosd
		stosd
		mov	edi, ebx
		cmp	[esi], ebx
		jnz	short loc_80073D

loc_8006DE:				; CODE XREF: PiPnpRtlInterfaceFilterCallback+E6j
		mov	eax, [esi+4]
		test	eax, eax
		jnz	loc_919A61

loc_8006E9:				; CODE XREF: PiPnpRtlInterfaceFilterCallback+1193C4j
					; PiPnpRtlInterfaceFilterCallback+119430j
		cmp	[esi+8], bl
		jz	short loc_800722
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_15]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_28]
		call	__CmIsDeviceInterfaceEnabled@16	; _CmIsDeviceInterfaceEnabled(x,x,x,x)
		test	eax, eax
		js	short loc_800707
		cmp	byte ptr [ebp+var_15], bl
		jnz	short loc_800722

loc_800707:				; CODE XREF: PiPnpRtlInterfaceFilterCallback+60j
					; PiPnpRtlInterfaceFilterCallback+89j ...
		test	edi, edi
		jnz	loc_919AD5

loc_80070F:				; CODE XREF: PiPnpRtlInterfaceFilterCallback+C4j
					; PiPnpRtlInterfaceFilterCallback+CAj ...
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_800722:				; CODE XREF: PiPnpRtlInterfaceFilterCallback+4Cj
					; PiPnpRtlInterfaceFilterCallback+65j
		mov	bl, 1
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_800707
		push	dword ptr [esi+10h]
		push	[ebp+arg_8]
		push	[ebp+var_24]
		push	[ebp+var_28]
		call	eax
		mov	bl, al
		jmp	short loc_800707
; 

loc_80073D:				; CODE XREF: PiPnpRtlInterfaceFilterCallback+3Cj
		push	ebx
		lea	eax, [ebp+var_20]
		mov	edx, ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	10h
		lea	eax, [ebp+var_15+1]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	offset _DEVPKEY_DeviceInterface_ClassGuid
		push	ebx
		push	ebx
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_80070F
		cmp	[ebp+var_1C], 0Dh
		jnz	short loc_80070F
		cmp	[ebp+var_20], 10h
		jb	short loc_80070F
		push	10h		; size_t
		lea	eax, [ebp+var_15+1]
		push	eax		; void *
		push	dword ptr [esi]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_80070F
		jmp	loc_8006DE
PiPnpRtlInterfaceFilterCallback	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmGetObjectListCallback(x, x, x)
_PiDmGetObjectListCallback@12 proc near	; DATA XREF: PiDmGetObjectConstraintList(x,x,x,x,x,x,x)+61o
					; PiDmGetObjectList(x,x,x,x,x,x)+36o

var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[eax], cl
		push	edi
		mov	[ebp+var_8], ecx
		mov	edi, ecx
		mov	eax, [esi]
		mov	byte ptr [ebp+var_1], cl
		test	eax, eax
		jz	short loc_8007D0
		lea	ecx, [ebp+var_1]
		push	ecx
		push	dword ptr [esi+4]
		push	ebx
		call	eax
		mov	edi, eax
		test	edi, edi
		js	short loc_8007C7
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_8007D0

loc_8007C7:				; CODE XREF: PiDmGetObjectListCallback(x,x,x)+33j
					; PiDmGetObjectListCallback(x,x,x)+68j	...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_8007D0:				; CODE XREF: PiDmGetObjectListCallback(x,x,x)+23j
					; PiDmGetObjectListCallback(x,x,x)+39j
		mov	ecx, [ebx+0Ch]
		lea	edx, [ecx+2]

loc_8007D6:				; CODE XREF: PiDmGetObjectListCallback(x,x,x)+54j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_8]
		jnz	short loc_8007D6
		sub	ecx, edx
		mov	edx, [esi+0Ch]
		sar	ecx, 1
		lea	eax, [ecx+1]
		add	[esi+10h], eax
		mov	[ebp+arg_8], eax
		cmp	edx, eax
		jbe	short loc_8007C7
		mov	ecx, [esi+8]
		xor	eax, eax
		push	900h
		push	eax
		push	eax
		push	dword ptr [ebx+0Ch]
		call	RtlStringCchCopyExW
		mov	ecx, [ebp+arg_8]
		lea	eax, [ecx+ecx]
		add	[esi+8], eax
		sub	[esi+0Ch], ecx
		jmp	short loc_8007C7
_PiDmGetObjectListCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmCmObjectMatchCallback(x, x, x)
_PiDmCmObjectMatchCallback@12 proc near	; DATA XREF: PiDmGetObjectConstraintList(x,x,x,x,x,x,x)+66o
					; PiDmGetCmObjectListFromCache(x,x,x,x,x,x)+26o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_800847
		push	dword ptr [eax+4]
		push	dword ptr [eax+8]
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+0Ch]
		push	_PiPnpRtlCtx
		call	ecx
		mov	cl, al

loc_80083C:				; CODE XREF: PiDmCmObjectMatchCallback(x,x,x)+31j
		mov	eax, [ebp+arg_8]
		mov	[eax], cl
		xor	eax, eax
		pop	ebp
		retn	0Ch
; 

loc_800847:				; CODE XREF: PiDmCmObjectMatchCallback(x,x,x)+Cj
		mov	cl, 1
		jmp	short loc_80083C
_PiDmCmObjectMatchCallback@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDmListEnumObjectsWithCallback	proc near
					; CODE XREF: PiDmGetObjectConstraintList(x,x,x,x,x,x,x)+70p
					; PiPnpRtlApplyMandatoryDeviceContainerFilters(x,x,x,x,x)+63p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00919AE5 SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		imul	eax, ecx, 14h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_10], edx
		push	esi
		push	edi
		mov	[ebp+var_14], eax
		mov	esi, ebx
		mov	byte ptr [ebp+var_1], bl
		mov	edi, ebx
		mov	[ebp+var_8], ebx
		mov	eax, ds:dword_4042C4[eax]
		add	eax, edx
		mov	[ebp+var_C], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_C]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_8008D7
		push	5A706E50h
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_919AE5
		mov	edx, [ebp+var_C]
		mov	ecx, [edx]
		cmp	ecx, edx
		jz	short loc_8008D7
		mov	ebx, [ebp+var_14]

loc_8008BF:				; CODE XREF: PiDmListEnumObjectsWithCallback+87j
		mov	eax, ecx
		sub	eax, ds:dword_4042CC[ebx]
		mov	[esi+edi*4], eax
		lock inc dword ptr [eax+4]
		mov	ecx, [ecx]
		inc	edi
		cmp	ecx, edx
		jnz	short loc_8008BF
		xor	ebx, ebx

loc_8008D7:				; CODE XREF: PiDmListEnumObjectsWithCallback+4Bj
					; PiDmListEnumObjectsWithCallback+6Ej ...
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	[ebp+var_14], ebx
		test	edi, edi
		jz	short loc_800915

loc_8008F4:				; CODE XREF: PiDmListEnumObjectsWithCallback+C5j
		lea	eax, [ebp+var_1]
		push	eax
		push	[ebp+arg_4]
		push	dword ptr [esi+ebx*4]
		call	[ebp+arg_0]
		mov	[ebp+var_8], eax
		test	eax, eax
		js	short loc_800913
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_800913
		inc	ebx
		cmp	ebx, edi
		jb	short loc_8008F4

loc_800913:				; CODE XREF: PiDmListEnumObjectsWithCallback+BAj
					; PiDmListEnumObjectsWithCallback+C0j
		xor	ebx, ebx

loc_800915:				; CODE XREF: PiDmListEnumObjectsWithCallback+A6j
		test	esi, esi
		jz	short loc_800935
		test	edi, edi
		jz	short loc_80092A

loc_80091D:				; CODE XREF: PiDmListEnumObjectsWithCallback+DCj
		mov	ecx, [esi+ebx*4]
		call	PiDmObjectRelease
		inc	ebx
		cmp	ebx, edi
		jb	short loc_80091D

loc_80092A:				; CODE XREF: PiDmListEnumObjectsWithCallback+CFj
		push	5A706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_800935:				; CODE XREF: PiDmListEnumObjectsWithCallback+CBj
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
PiDmListEnumObjectsWithCallback	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetLegacyVetoListDrivers proc near	; CODE XREF: IoGetLegacyVetoList+40p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00919AF1 SIZE 000000E0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		push	10h
		pop	eax
		push	0Eh
		mov	word ptr [ebp+var_30+2], ax
		mov	esi, ecx
		pop	eax
		mov	word ptr [ebp+var_30], ax
		xor	ecx, ecx
		lea	eax, [ebp+var_30]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	1
		lea	eax, [ebp+var_8]
		mov	[ebp+var_10], ecx
		push	eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_8], ecx
		mov	byte ptr [ebp+var_14], 1
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_2C], offset ??_C@_1BA@DCJJIJNE@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@NNGAKEGL@
		mov	[ebp+var_48], 18h
		mov	[ebp+var_44], ecx
		mov	[ebp+var_3C], 240h
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		call	_ZwOpenDirectoryObject@12 ; ZwOpenDirectoryObject(x,x,x)
		test	eax, eax
		js	loc_919AF1
		mov	eax, 0BAh
		mov	edi, 6F697050h
		push	edi
		push	eax
		push	1
		mov	[ebp+var_C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_919AFB
		mov	eax, 0BCh
		mov	[ebp+var_28], 0BC0000h
		push	edi
		push	eax
		push	1
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		jz	loc_919B09
		xor	eax, eax
		mov	[edi], ax

loc_8009F8:				; CODE XREF: IopGetLegacyVetoListDrivers+171j
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_14]
		push	1
		push	[ebp+var_C]
		push	ebx
		push	[ebp+var_8]
		call	_ZwQueryDirectoryObject@28 ; ZwQueryDirectoryObject(x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	loc_919B17

loc_800A1C:				; CODE XREF: IopGetLegacyVetoListDrivers+119217j
		mov	byte ptr [ebp+var_14], 0
		test	eax, eax
		js	loc_800AB6
		mov	ax, [ebx]
		mov	ecx, [ebp+var_4]
		add	ax, 12h
		movzx	eax, ax
		mov	[ebp+var_1C], eax
		cmp	ax, cx
		ja	loc_919B5C

loc_800A41:				; CODE XREF: IopGetLegacyVetoListDrivers+119250j
		push	dword ptr [ebx+4] ; char
		add	eax, 0FFFFFFFEh
		mov	word ptr [ebp+var_28], ax
		push	offset ??_C@_1BI@DECEDFF@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@	; wchar_t *
		movzx	eax, cx
		push	eax		; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		lea	eax, [ebp+var_20]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	ds:_IoDriverObjectType
		push	eax
		push	eax
		push	240h
		lea	eax, [ebp+var_28]
		push	eax
		call	ObReferenceObjectByName
		test	eax, eax
		js	short loc_800AA7
		mov	edi, [ebp+var_20]
		test	byte ptr [edi+8], 40h
		jnz	loc_919B95

loc_800A8C:				; CODE XREF: IopGetLegacyVetoListDrivers+119261j
					; IopGetLegacyVetoListDrivers+119270j
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, [esi+8]
		cmp	dword ptr [eax], 0Bh
		jz	loc_919BB5

loc_800A9F:				; CODE XREF: IopGetLegacyVetoListDrivers+11927Ej
		mov	eax, [esi+0Ch]
		cmp	dword ptr [eax], 0
		jl	short loc_800AE1

loc_800AA7:				; CODE XREF: IopGetLegacyVetoListDrivers+13Dj
		mov	ax, word ptr [ebp+var_28+2]
		mov	edi, [ebp+var_24]
		mov	[ebp+var_4], eax
		jmp	loc_8009F8
; 

loc_800AB6:				; CODE XREF: IopGetLegacyVetoListDrivers+E2j
					; IopGetLegacyVetoListDrivers+1A4j ...
		test	edi, edi
		jz	short loc_800AC2
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_800AC2:				; CODE XREF: IopGetLegacyVetoListDrivers+178j
					; IopGetLegacyVetoListDrivers+1191D2j
		test	ebx, ebx
		jz	short loc_800ACE
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_800ACE:				; CODE XREF: IopGetLegacyVetoListDrivers+184j
					; IopGetLegacyVetoListDrivers+1191B6j ...
		cmp	[ebp+var_8], 0
		jz	short loc_800ADC
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_800ADC:				; CODE XREF: IopGetLegacyVetoListDrivers+192j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_800AE1:				; CODE XREF: IopGetLegacyVetoListDrivers+165j
					; IopGetLegacyVetoListDrivers+119278j
		mov	edi, [ebp+var_24]
		jmp	short loc_800AB6
IopGetLegacyVetoListDrivers endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpFreeDevPropertyArray(x, x, x)
_PnpFreeDevPropertyArray@12 proc near	; CODE XREF: PiDqActionDataFree(x)+29p
					; PiDqQueryEvaluateFilter+BAp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_800B0B
		push	ebx
		mov	ebx, edi

loc_800AF8:				; CODE XREF: PnpFreeDevPropertyArray(x,x,x)+22j
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_PnpFreeDevProperty@8 ;	PnpFreeDevProperty(x,x)
		add	ebx, 28h
		sub	esi, 1
		jnz	short loc_800AF8
		pop	ebx

loc_800B0B:				; CODE XREF: PnpFreeDevPropertyArray(x,x,x)+Dj
		push	[ebp+arg_0]
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_PnpFreeDevPropertyArray@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpGetObjectProperty proc near		; CODE XREF: PiUEventCacheObjectProperties+66p
					; PiUEventCacheObjectProperties+11Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 00919BDD SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_18]
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], edi
		and	[esi], edi

loc_800B33:				; CODE XREF: PnpGetObjectProperty+1190C9j
		cmp	edx, edi
		jbe	short loc_800B59
		mov	eax, [esi]
		mov	edi, edx
		mov	[ebp+var_8], edi
		test	eax, eax
		jnz	sub_919BD1

loc_800B46:				; CODE XREF: sub_919BD1+7j
		push	ebx
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	loc_919BE8

loc_800B59:				; CODE XREF: PnpGetObjectProperty+1Bj
		push	[ebp+arg_20]
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		mov	ecx, _PiPnpRtlCtx
		and	[ebp+var_4], 0
		push	eax
		push	edi
		push	dword ptr [esi]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jz	loc_919BDD

loc_800B92:				; CODE XREF: PnpGetObjectProperty+1190D3j
		test	edi, edi
		jns	short loc_800BAF

loc_800B96:				; CODE XREF: PnpGetObjectProperty+A5j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_800BA6
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0

loc_800BA6:				; CODE XREF: PnpGetObjectProperty+80j
					; PnpGetObjectProperty+A3j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_800BAF:				; CODE XREF: PnpGetObjectProperty+7Aj
		mov	ecx, [ebp+arg_1C]
		mov	eax, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_800BBB
		mov	[ecx], eax

loc_800BBB:				; CODE XREF: PnpGetObjectProperty+9Dj
		test	eax, eax
		jnz	short loc_800BA6
		jmp	short loc_800B96
PnpGetObjectProperty endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmValidateDeviceInterfaceName(x, x)
__CmValidateDeviceInterfaceName@8 proc near
					; CODE XREF: _CmSetDeviceInterfacePathFormat(x,x,x)+8p
					; _PnpDispatchDeviceInterface+99p ...

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_70], 0
		lea	edi, [ebp+var_68]
		mov	[ebp+var_6C], 0
		stosd
		xor	ebx, ebx
		xor	esi, esi
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_70]
		mov	edi, edx
		push	edi
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_800CEA
		mov	eax, [ebp+var_70+2]
		and	eax, 0FFFEh
		cmp	eax, 62h
		jb	loc_800CEA
		push	esi
		lea	eax, [ebp+var_70]
		push	eax
		push	offset dword_401A38
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_800C4F
		push	esi
		lea	eax, [ebp+var_70]
		push	eax
		push	offset dword_401A30
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_800CEA

loc_800C4F:				; CODE XREF: _CmValidateDeviceInterfaceName(x,x)+66j
		movzx	ecx, word ptr [edi+8]
		lea	eax, [edi+8]
		test	cx, cx
		jz	loc_800CE2
		mov	edx, ecx

loc_800C61:				; CODE XREF: _CmValidateDeviceInterfaceName(x,x)+A3j
		cmp	dx, 5Ch
		jz	short loc_800CD8

loc_800C67:				; CODE XREF: _CmValidateDeviceInterfaceName(x,x)+110j
		movzx	ecx, word ptr [eax+2]
		add	eax, 2
		mov	edx, ecx
		test	cx, cx
		jnz	short loc_800C61
		test	esi, esi
		jz	short loc_800CE2
		sub	esi, edi
		sar	esi, 1

loc_800C7D:				; CODE XREF: _CmValidateDeviceInterfaceName(x,x)+118j
		cmp	esi, 30h
		jb	short loc_800CEA
		push	800h
		push	0
		push	0
		lea	eax, [edi-4Ch]
		mov	edx, 27h
		push	26h
		lea	eax, [eax+esi*2]
		push	eax
		lea	ecx, [ebp+var_58]
		call	RtlStringCchCopyNExW
		test	eax, eax
		js	short loc_800CC7
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_800CC7
		lea	eax, [ebp+var_68]
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	short loc_800CEA

loc_800CC7:				; CODE XREF: _CmValidateDeviceInterfaceName(x,x)+D3j
					; _CmValidateDeviceInterfaceName(x,x)+E4j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_800CD8:				; CODE XREF: _CmValidateDeviceInterfaceName(x,x)+95j
		inc	ebx
		cmp	ebx, 1
		ja	short loc_800CEA
		mov	esi, eax
		jmp	short loc_800C67
; 

loc_800CE2:				; CODE XREF: _CmValidateDeviceInterfaceName(x,x)+89j
					; _CmValidateDeviceInterfaceName(x,x)+A7j
		movzx	esi, word ptr [ebp+var_70]
		shr	esi, 1
		jmp	short loc_800C7D
; 

loc_800CEA:				; CODE XREF: _CmValidateDeviceInterfaceName(x,x)+3Ej
					; _CmValidateDeviceInterfaceName(x,x)+4Fj ...
		mov	eax, 0C0000033h
		jmp	short loc_800CC7
__CmValidateDeviceInterfaceName@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetDeviceInstanceKeyPath(int,int,int,void *,int,int)
_CmGetDeviceInstanceKeyPath proc near	; CODE XREF: _CmGetDeviceRegKeyPath+45p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00919BF2 SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_0], 200h
		push	esi
		push	edi
		mov	edi, edx
		jnz	short loc_800D4F
		lea	esi, [edx+2]
		xor	ecx, ecx

loc_800D09:				; CODE XREF: _CmGetDeviceInstanceKeyPath+20j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, cx
		jnz	short loc_800D09
		mov	eax, [ebp+arg_14]
		sub	edx, esi
		sar	edx, 1
		add	edx, 1Fh
		test	eax, eax
		jz	short loc_800D24
		mov	[eax], edx

loc_800D24:				; CODE XREF: _CmGetDeviceInstanceKeyPath+2Ej
		cmp	edx, [ebp+arg_10]
		ja	short loc_800DA8
		push	edi
		push	offset ??_C@_1DM@BNJPOICG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; char
		push	offset ??_C@_1M@DFKENGJN@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; "%s\\%s"
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 20h

loc_800D49:				; CODE XREF: _CmGetDeviceInstanceKeyPath+B4j
					; _CmGetDeviceInstanceKeyPath+BBj ...
		pop	edi
		pop	esi
		pop	ebp
		retn	18h
; 

loc_800D4F:				; CODE XREF: _CmGetDeviceInstanceKeyPath+10j
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jnz	loc_919BF2
		mov	esi, edi
		xor	ecx, ecx
		lea	edx, [esi+2]

loc_800D61:				; CODE XREF: _CmGetDeviceInstanceKeyPath+78j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, cx
		jnz	short loc_800D61
		mov	eax, [ebp+arg_14]
		sub	esi, edx
		sar	esi, 1
		add	esi, 52h
		test	eax, eax
		jz	short loc_800D7C
		mov	[eax], esi

loc_800D7C:				; CODE XREF: _CmGetDeviceInstanceKeyPath+86j
		cmp	esi, [ebp+arg_10]
		ja	short loc_800DA8
		push	edi
		push	offset ??_C@_1DM@BNJPOICG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@
		push	(offset	loc_8C8FD1+1) ;	char
		push	offset ??_C@_1BC@GLIGFLDD@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@	; "%s\\%s\\%s"
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 24h
		jmp	short loc_800D49
; 

loc_800DA8:				; CODE XREF: _CmGetDeviceInstanceKeyPath+35j
					; _CmGetDeviceInstanceKeyPath+8Dj ...
		mov	eax, 0C0000023h
		jmp	short loc_800D49
_CmGetDeviceInstanceKeyPath endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetDeviceRegKeyPath(int,int,int,void *,int,int)
_CmGetDeviceRegKeyPath proc near	; CODE XREF: PiDqGetRelativeObjectRegPath+44p
					; _CmOpenDeviceRegKeyWorker+A7p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00919C57 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	loc_919C57
		test	ebx, 0FFFFFCE8h
		jnz	loc_919C57
		call	__CmValidateDeviceName@8 ; _CmValidateDeviceName(x,x)
		test	eax, eax
		js	short loc_800DFA
		movzx	eax, bl
		cmp	eax, 10h
		jnz	short loc_800E02
		push	[ebp+arg_14]	; int
		mov	edx, esi
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		push	ecx		; int
		push	[ebp+arg_4]	; int
		push	ebx		; int
		call	_CmGetDeviceInstanceKeyPath

loc_800DFA:				; CODE XREF: _CmGetDeviceRegKeyPath+2Bj
					; _CmGetDeviceRegKeyPath+70j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	18h
; 

loc_800E02:				; CODE XREF: _CmGetDeviceRegKeyPath+33j
		cmp	eax, 12h
		jnz	short loc_800E22
		push	[ebp+arg_14]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	ebx
		call	_CmGetDeviceSoftwareKeyPath
		jmp	short loc_800DFA
; 

loc_800E22:				; CODE XREF: _CmGetDeviceRegKeyPath+55j
		cmp	eax, 11h
		jnz	short loc_800E3E
		push	[ebp+arg_14]	; int
		mov	edx, esi
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		push	ecx		; int
		push	[ebp+arg_4]	; int
		push	ebx		; int
		call	_CmGetDeviceHardwareKeyPath
		jmp	short loc_800DFA
; 

loc_800E3E:				; CODE XREF: _CmGetDeviceRegKeyPath+75j
		cmp	eax, 13h
		jz	short loc_800E61
		cmp	eax, 14h
		jnz	loc_919C57
		push	[ebp+arg_14]	; int
		mov	edx, esi
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		push	ecx		; int
		push	ecx		; int
		push	ebx		; int
		call	__CmGetDeviceLogConfKeyPath@32 ; _CmGetDeviceLogConfKeyPath(x,x,x,x,x,x,x,x)
		jmp	short loc_800DFA
; 

loc_800E61:				; CODE XREF: _CmGetDeviceRegKeyPath+91j
		push	[ebp+arg_14]	; int
		mov	edx, esi
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		push	ecx		; int
		push	ecx		; int
		push	ebx		; int
		call	__CmGetDeviceControlKeyPath@32 ; _CmGetDeviceControlKeyPath(x,x,x,x,x,x,x,x)
		jmp	short loc_800DFA
_CmGetDeviceRegKeyPath endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmValidateDeviceName(x, x)
__CmValidateDeviceName@8 proc near	; CODE XREF: PiCMGetRelatedDeviceInstance+AEp
					; _CmGetDeviceRegKeyPath+24p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edx
		lea	ebx, [edi+1]
		test	esi, esi
		jz	short loc_800EF1
		lea	eax, [ebp+var_4]
		mov	edx, 0C8h
		push	eax
		mov	ecx, esi
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_800EFD
		movzx	eax, word ptr [esi]
		test	ax, ax
		jz	short loc_800EFD

loc_800EB2:				; CODE XREF: _CmValidateDeviceName(x,x)+54j
		lea	ecx, [eax-21h]
		cmp	cx, 5Eh
		ja	short loc_800EFD
		cmp	ax, 2Ch
		jz	short loc_800EFD
		cmp	ax, 5Ch
		jz	short loc_800EE8
		inc	edi

loc_800EC8:				; CODE XREF: _CmValidateDeviceName(x,x)+6Fj
		movzx	ecx, word ptr [esi+2]
		add	esi, 2
		mov	eax, ecx
		test	cx, cx
		jnz	short loc_800EB2
		test	edi, edi
		jz	short loc_800EFD
		cmp	ebx, 3
		jnz	short loc_800EFD
		mov	eax, edx

loc_800EE1:				; CODE XREF: _CmValidateDeviceName(x,x)+82j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_800EE8:				; CODE XREF: _CmValidateDeviceName(x,x)+45j
		test	edi, edi
		jz	short loc_800EFD
		xor	edi, edi
		inc	ebx
		jmp	short loc_800EC8
; 

loc_800EF1:				; CODE XREF: _CmValidateDeviceName(x,x)+12j
		pop	edi
		pop	esi
		mov	eax, 0C000000Dh
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_800EFD:				; CODE XREF: _CmValidateDeviceName(x,x)+28j
					; _CmValidateDeviceName(x,x)+30j ...
		mov	eax, 0C0000033h
		jmp	short loc_800EE1
__CmValidateDeviceName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_RegRtlQueryValue proc near		; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+14Cp
					; PiCMValidateDeviceInstance+1B0p ...

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00919C61 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[esp+0B8h+var_9C], eax
		mov	eax, [ebp+arg_4]
		push	esi
		mov	[esp+0BCh+var_AC], eax
		xor	eax, eax
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ebx, eax
		mov	[esp+0C0h+var_98], eax
		mov	[esp+0C0h+var_94], eax
		mov	[esp+0C0h+var_A8], eax
		mov	[esp+0C0h+var_B0], eax
		lea	eax, [esp+0C0h+var_98]
		push	edx
		push	eax
		mov	[esp+0C8h+var_A4], ecx
		mov	[esp+0C8h+var_A0], edi
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_801005
		cmp	[esp+0C0h+var_AC], ebx
		jz	loc_80101E
		mov	edx, [edi]
		cmp	edx, 80h
		jbe	loc_80101E
		lea	eax, [esp+0C0h+var_B0]
		push	eax
		push	0Ch
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_801005
		mov	esi, [esp+0C0h+var_B0]
		push	4C474552h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_919C61
		mov	edi, ebx

loc_800FAD:				; CODE XREF: _RegRtlQueryValue+123j
		lea	eax, [esp+0C0h+var_A8]
		push	eax
		push	esi
		push	edi
		push	2
		lea	eax, [esp+0D0h+var_98]
		push	eax
		push	[esp+0D4h+var_A4]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_801029

loc_800FCA:				; CODE XREF: _RegRtlQueryValue+12Dj
		mov	edx, [esp+0C0h+var_A0]
		mov	eax, [edi+8]
		mov	ecx, [edx]
		mov	[edx], eax
		cmp	ecx, eax
		jb	short loc_801033
		push	dword ptr [edi+8] ; size_t
		lea	eax, [edi+0Ch]
		push	eax		; void *
		push	[esp+0C8h+var_AC] ; void *
		call	_memcpy
		add	esp, 0Ch

loc_800FEC:				; CODE XREF: _RegRtlQueryValue+134j
		mov	ecx, [esp+0C0h+var_9C]
		test	ecx, ecx
		jz	short loc_800FF9
		mov	eax, [edi+4]
		mov	[ecx], eax

loc_800FF9:				; CODE XREF: _RegRtlQueryValue+EEj
					; _RegRtlQueryValue+12Bj
		test	ebx, ebx
		jz	short loc_801005
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_801005:				; CODE XREF: _RegRtlQueryValue+5Bj
					; _RegRtlQueryValue+8Aj ...
		mov	ecx, [esp+0C0h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_80101E:				; CODE XREF: _RegRtlQueryValue+65j
					; _RegRtlQueryValue+73j
		lea	edi, [esp+0C0h+var_90]
		mov	esi, 8Ch
		jmp	short loc_800FAD
; 

loc_801029:				; CODE XREF: _RegRtlQueryValue+C4j
		cmp	esi, 80000005h
		jnz	short loc_800FF9
		jmp	short loc_800FCA
; 

loc_801033:				; CODE XREF: _RegRtlQueryValue+D3j
		mov	esi, 0C0000023h
		jmp	short loc_800FEC
_RegRtlQueryValue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqPnPGetObjectPropertyInBestLocale(x, x, x, x, x,	x, x)
_PiDqPnPGetObjectPropertyInBestLocale@28 proc near
					; CODE XREF: PiDqActionDataGetRequestedProperties+8Ep
					; PiDqActionDataGetChangedProperties+88D7Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_10]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	[ebp+var_4], ecx
		mov	edi, ebx
		push	0Ah
		pop	ecx
		rep stosd
		mov	edi, [ebp+var_4]
		mov	[ebp+var_8], edx
		mov	[ebp+arg_10], eax

loc_80105F:				; CODE XREF: PiDqPnPGetObjectPropertyInBestLocale(x,x,x,x,x,x,x)+73j
		mov	ecx, edi
		push	ebx
		cmp	[esi], ax
		jz	short loc_8010AF
		push	esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiDqPnPGetObjectProperty
		test	eax, eax
		js	short loc_8010BE
		xor	ecx, ecx
		cmp	[ebx+1Ch], ecx
		jnz	short loc_8010BE
		mov	edx, 58706E50h
		mov	ecx, ebx
		call	_PnpFreeDevProperty@8 ;	PnpFreeDevProperty(x,x)
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_801092:				; CODE XREF: PiDqPnPGetObjectPropertyInBestLocale(x,x,x,x,x,x,x)+62j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+arg_10]
		jnz	short loc_801092
		sub	ecx, edx
		mov	edx, [ebp+var_8]
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		xor	eax, eax
		jmp	short loc_80105F
; 

loc_8010AF:				; CODE XREF: PiDqPnPGetObjectPropertyInBestLocale(x,x,x,x,x,x,x)+2Bj
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiDqPnPGetObjectProperty

loc_8010BE:				; CODE XREF: PiDqPnPGetObjectPropertyInBestLocale(x,x,x,x,x,x,x)+3Ej
					; PiDqPnPGetObjectPropertyInBestLocale(x,x,x,x,x,x,x)+45j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_PiDqPnPGetObjectPropertyInBestLocale@28 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqPnPGetObjectProperty proc near	; CODE XREF: PiDqPropertyCallback+DCp
					; PiDqActionDataGetRequestedProperties+E1p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00919C6B SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_10]
		push	5
		mov	[esp+24h+var_4], ecx
		pop	ecx
		rep movsd
		mov	edi, [ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		mov	[esp+20h+var_8], edx
		xor	edx, edx
		mov	ebx, edx
		mov	[esp+20h+var_C], edx
		mov	[edi+14h], eax
		lea	eax, [edi+18h]
		push	eax
		mov	[esp+24h+var_10], edx
		mov	[edi+1Ch], edx
		mov	[edi+20h], edx
		mov	[edi+24h], edx
		mov	edx, 7FFFFFFFh
		push	58706E50h
		mov	[esp+28h+var_14], 200h
		call	PnpAllocatePWSTR
		mov	esi, eax
		test	esi, esi
		js	loc_8011B3

loc_80112D:				; CODE XREF: PiDqPnPGetObjectProperty+D8j
		mov	esi, [esp+20h+var_C]
		cmp	[esp+20h+var_14], esi
		jbe	short loc_80115E
		mov	esi, [esp+20h+var_14]
		mov	[esp+20h+var_C], esi
		test	ebx, ebx
		jnz	loc_8011DF

loc_801147:				; CODE XREF: PiDqPnPGetObjectProperty+124j
		push	58706E50h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_919C91

loc_80115E:				; CODE XREF: PiDqPnPGetObjectProperty+6Fj
		and	[esp+20h+var_14], 0
		mov	eax, [esp+20h+var_8]
		test	eax, eax
		jz	loc_919C6B
		mov	edx, [esp+20h+var_4]
		lea	ecx, [esp+20h+var_14]
		push	0
		push	ecx
		push	esi
		push	ebx
		lea	ecx, [esp+30h+var_10]
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, _PiPnpRtlCtx
		push	[ebp+arg_C]
		push	[ebp+arg_0]
		push	eax
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_801196:				; CODE XREF: PiDqPnPGetObjectProperty+118BC6j
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_80112D

loc_8011A0:				; CODE XREF: PiDqPnPGetObjectProperty+118BD0j
		test	esi, esi
		jns	short loc_8011CC
		test	ebx, ebx
		jz	short loc_8011B3
		push	58706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8011B3:				; CODE XREF: PiDqPnPGetObjectProperty+61j
					; PiDqPnPGetObjectProperty+E0j
		cmp	esi, 0C0000225h
		jnz	loc_919C9B
		xor	esi, esi

loc_8011C1:				; CODE XREF: PiDqPnPGetObjectProperty+117j
					; PiDqPnPGetObjectProperty+118BDAj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8011CC:				; CODE XREF: PiDqPnPGetObjectProperty+DCj
		mov	eax, [esp+20h+var_10]
		mov	[edi+1Ch], eax
		mov	eax, [esp+20h+var_14]
		mov	[edi+20h], eax
		mov	[edi+24h], ebx
		jmp	short loc_8011C1
; 

loc_8011DF:				; CODE XREF: PiDqPnPGetObjectProperty+7Bj
		push	58706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_801147
PiDqPnPGetObjectProperty endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPnpRtlObjectEventCreate proc near	; CODE XREF: PiPnpRtlCacheObjectBaseKey(x,x,x,x)+56p
					; PiPnpRtlObjectEventWorker+78p ...

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_70		= dword	ptr -70h
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00919CB6 SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+9Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		push	40h		; size_t
		mov	[esp+0ACh+var_88], eax
		xor	edi, edi
		lea	eax, [esp+0ACh+var_48]
		mov	[esp+0ACh+var_98], ecx
		mov	esi, edx
		mov	[esp+0ACh+var_84], ebx
		push	edi		; int
		push	eax		; void *
		mov	[esp+0B4h+var_7C], esi
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+0A8h+var_78]
		push	30h		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [esp+0B4h+var_98]
		lea	eax, [esp+0B4h+var_78]
		and	[ebx], edi
		add	esp, 0Ch
		mov	[esp+0A8h+var_80], eax
		mov	edx, esi
		lea	eax, [esp+0A8h+var_48]
		mov	[esp+0A8h+var_8C], edi
		mov	[esp+0A8h+var_90], edi
		push	eax
		mov	[esp+0ACh+var_94], edi
		call	PiDmInitializeComparisonObject
		mov	ebx, eax
		test	ebx, ebx
		js	loc_919CD9
		lea	ecx, [esp+0A8h+var_90]
		push	ecx
		lea	eax, [esp+0ACh+var_48]
		lea	ecx, [esp+0ACh+var_8C]
		mov	[esp+0ACh+var_70], eax
		mov	eax, [esp+0ACh+var_88]
		push	ecx
		lea	ecx, [esp+0B0h+var_80]
		add	eax, 0Ch
		push	ecx
		push	eax
		call	_RtlLookupElementGenericTableFullAvl@16	; RtlLookupElementGenericTableFullAvl(x,x,x,x)
		test	eax, eax
		jz	short loc_8012C6
		mov	esi, [eax]

loc_8012A3:				; CODE XREF: PiPnpRtlObjectEventCreate+D8j
		test	esi, esi
		jz	short loc_8012CA

loc_8012A7:				; CODE XREF: PiPnpRtlObjectEventCreate+161j
		mov	eax, [esp+0A8h+var_84]
		mov	[eax], esi

loc_8012AD:				; CODE XREF: PiPnpRtlObjectEventCreate+118AF2j
					; PiPnpRtlObjectEventCreate+118AFFj
		mov	ecx, [esp+0A8h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_8012C6:				; CODE XREF: PiPnpRtlObjectEventCreate+AFj
		xor	esi, esi
		jmp	short loc_8012A3
; 

loc_8012CA:				; CODE XREF: PiPnpRtlObjectEventCreate+B5j
		mov	edx, [esp+0A8h+var_98]
		lea	eax, [esp+0A8h+var_94]
		mov	ecx, [esp+0A8h+var_7C]
		push	eax
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	ebx, eax
		cmp	ebx, 0C0000034h
		jz	loc_919CB6
		test	ebx, ebx
		js	short loc_80135C
		push	41706E50h
		xor	edi, edi
		push	0BCh
		inc	edi
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+0A8h+var_98], esi
		test	esi, esi
		jz	loc_919CBE
		push	30h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [esp+0B4h+var_94]
		add	esp, 0Ch
		mov	[esi], edi
		xor	edi, edi
		mov	dword ptr [esi+28h], 5
		mov	[esi+8], eax
		lea	eax, [esp+0A8h+var_98]
		push	[esp+0A8h+var_90] ; int
		push	[esp+0ACh+var_8C] ; int
		push	edi		; int
		push	4		; size_t
		push	eax		; void *
		mov	eax, [esp+0BCh+var_88]
		add	eax, 0Ch
		push	eax		; int
		call	RtlInsertElementGenericTableFullAvl
		mov	esi, [esp+0A8h+var_98]
		test	eax, eax
		jnz	loc_8012A7
		jmp	loc_919CC9
; 

loc_80135C:				; CODE XREF: PiPnpRtlObjectEventCreate+FCj
		mov	edi, [esp+0A8h+var_94]
		jmp	loc_919CCE
PiPnpRtlObjectEventCreate endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpGetObjectProperty(x, x,	x, x, x, x, x, x, x, x,	x)
__PnpGetObjectProperty@44 proc near	; CODE XREF: PiRebalanceOptOut(x)+45p
					; PiRebalanceOptOut(x)+9Cp ...

var_5C		= dword	ptr -5Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, [ebp+arg_4]
		mov	[esp+2Ch+var_20], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+2Ch+var_1C], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+2Ch+var_18], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	[esp+30h+var_14], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_14]
		push	esi
		mov	[esp+34h+var_10], eax
		mov	eax, [ebp+arg_18]
		push	edi
		mov	edi, ecx
		mov	[esp+38h+var_C], eax
		mov	eax, [ebp+arg_1C]
		mov	[esp+38h+var_8], eax
		mov	eax, [ebp+arg_20]
		mov	esi, [edi+0F8h]
		mov	[esp+38h+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+38h+var_28], 0
		mov	[esp+38h+var_24], 0
		test	esi, esi
		jz	short loc_8013FE
		lea	ecx, [esp+38h+var_28]
		push	ecx
		push	1
		push	8
		push	eax
		push	ebx
		push	edi
		call	esi
		cmp	eax, 0C0000002h
		jz	loc_801470
		cmp	eax, 0C0000120h
		jz	short loc_801463
		test	eax, eax
		jnz	short loc_801474

loc_8013FB:				; CODE XREF: _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)+102j
		mov	eax, [ebp+arg_0]

loc_8013FE:				; CODE XREF: _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)+65j
		push	[esp+50h+var_1C]
		mov	edx, ebx
		mov	ecx, edi
		push	[esp+54h+var_20]
		push	[esp+58h+var_24]
		push	[esp+5Ch+var_28]
		push	[esp+60h+var_2C]
		push	[esp+64h+var_30]
		push	[esp+68h+var_34]
		push	[esp+6Ch+var_38]
		push	eax
		call	_PnpGetObjectPropertyWorker
		mov	[esp+50h+var_44], eax
		test	esi, esi
		jz	short loc_80145A
		mov	[esp+50h+var_40], eax
		lea	eax, [esp+50h+var_40]
		push	eax
		push	2
		push	8
		push	[ebp+arg_0]
		push	ebx
		push	edi
		call	esi
		cmp	eax, 0C0000002h
		jz	short loc_801456
		cmp	eax, 0C0000120h
		jz	short loc_801463
		test	eax, eax
		jnz	short loc_801474

loc_801456:				; CODE XREF: _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)+D9j
		mov	eax, [esp+68h+var_5C]

loc_80145A:				; CODE XREF: _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)+BEj
					; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)+109j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_801463:				; CODE XREF: _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)+85j
					; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)+E0j
		mov	eax, [esp+50h+var_40]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_801470:				; CODE XREF: _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)+7Aj
		xor	esi, esi
		jmp	short loc_8013FB
; 

loc_801474:				; CODE XREF: _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)+89j
					; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)+E4j
		mov	eax, 0C00000E5h
		jmp	short loc_80145A
__PnpGetObjectProperty@44 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPnpRtlObjectActionCallback proc near	; DATA XREF: PiPnpRtlInit+10Do

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00919CF4 SIZE 000000CD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, [ebp+arg_C]
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_14]
		push	edi
		mov	edi, 0C0000002h
		cmp	eax, 8
		jnz	loc_801594
		cmp	[ebp+arg_10], 1
		jnz	loc_801545
		mov	eax, [esi+20h]
		mov	ebx, [ebp+arg_4]
		mov	edx, ebx
		mov	edi, [ebp+arg_8]
		push	eax		; int
		mov	eax, [esi+1Ch]
		push	eax		; int
		mov	eax, [esi+18h]
		push	eax		; int
		mov	eax, [esi+14h]
		push	eax		; int
		mov	eax, [esi+10h]
		push	eax		; void *
		mov	eax, [esi+0Ch]
		push	eax		; int
		push	ecx		; int
		mov	ecx, edi
		call	PiDmObjectGetAggregatedBooleanPropertyData
		cmp	eax, 0C0000016h
		jnz	loc_801582
		test	dword ptr [esi+24h], 10000h
		jnz	short loc_801523
		mov	eax, [esi+20h]
		mov	edx, ebx
		push	eax		; int
		mov	eax, [esi+1Ch]
		push	eax		; int
		mov	eax, [esi+18h]
		push	eax		; int
		mov	eax, [esi+14h]
		push	eax		; int
		mov	eax, [esi+10h]
		push	eax		; void *
		mov	eax, [esi+0Ch]
		push	eax		; int
		push	ecx		; int
		mov	ecx, edi
		call	_PiDmObjectGetCachedObjectProperty@36 ;	PiDmObjectGetCachedObjectProperty(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_801582
		cmp	eax, 0C0000225h
		jz	short loc_801582
		cmp	eax, 0C0000034h
		jz	short loc_801582
		cmp	eax, 0C0000023h
		jz	short loc_801582

loc_801523:				; CODE XREF: PiPnpRtlObjectActionCallback+66j
		add	esi, 8
		xor	edi, edi
		cmp	[esi], edi
		jnz	short loc_801577 ; default
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		push	esi
		push	[ebp+arg_8]
		call	_PiPnpRtlCacheObjectBaseKey@16 ; PiPnpRtlCacheObjectBaseKey(x,x,x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_801545:				; CODE XREF: PiPnpRtlObjectActionCallback+26j
		test	dword ptr [esi+24h], 10000h
		jnz	short loc_801577 ; default
		mov	eax, [esi]
		test	eax, eax
		jns	short loc_8015A3
		cmp	eax, 0C0000225h
		jnz	short loc_801575
		push	0		; int
		push	0		; int
		push	0		; int

loc_801561:				; CODE XREF: PiPnpRtlObjectActionCallback+133j
					; PiPnpRtlObjectActionCallback+264j
		mov	eax, [esi+10h]
		mov	edx, [ebp+arg_4]
		push	eax		; void *
		mov	eax, [esi+0Ch]
		push	eax		; int
		push	ecx		; int
		mov	ecx, [ebp+arg_8]
		call	PiDmObjectUpdateCachedObjectProperty

loc_801575:				; CODE XREF: PiPnpRtlObjectActionCallback+D9j
					; PiPnpRtlObjectActionCallback+153j ...
		xor	edi, edi

loc_801577:				; CODE XREF: PiPnpRtlObjectActionCallback+AAj
					; PiPnpRtlObjectActionCallback+CCj ...
		mov	eax, edi	; default
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_801582:				; CODE XREF: PiPnpRtlObjectActionCallback+59j
					; PiPnpRtlObjectActionCallback+8Cj ...
		mov	edi, 0C0000120h
		mov	[esi], eax
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_801594:				; CODE XREF: PiPnpRtlObjectActionCallback+1Cj
		add	eax, 0FFFFFFFDh	; switch 7 cases
		cmp	eax, 6
		ja	short loc_801577 ; default
		jmp	ds:off_8016EC[eax*4] ; switch jump
; 

loc_8015A3:				; CODE XREF: PiPnpRtlObjectActionCallback+D2j
		mov	eax, [esi+20h]
		mov	eax, [eax]
		push	eax
		mov	eax, [esi+18h]
		push	eax
		mov	eax, [esi+14h]
		mov	eax, [eax]
		push	eax
		jmp	short loc_801561
; 

loc_8015B5:				; CODE XREF: PiPnpRtlObjectActionCallback+11Cj
					; DATA XREF: PAGE:off_8016ECo
		cmp	[ebp+arg_10], 1	; case 0x5
		jnz	short loc_801577 ; default
		test	dword ptr [esi+1Ch], 10000h
		jnz	short loc_801577 ; default
		mov	ecx, [ebp+arg_8]
		mov	edx, [esi+18h]
		mov	edi, [esi+14h]
		mov	ebx, [esi+10h]
		cmp	ecx, 7
		jge	short loc_801575
		jmp	loc_919D91
; 

loc_8015DA:				; CODE XREF: PiPnpRtlObjectActionCallback+11Cj
					; DATA XREF: PAGE:off_8016ECo
		cmp	[ebp+arg_10], 1	; case 0x9
		jnz	loc_8016CF
		xor	edi, edi
		test	dword ptr [esi+20h], 20000h
		jnz	loc_801691
		mov	eax, [esi+1Ch]
		xor	ebx, ebx
		mov	[esp+18h+var_C], edi
		mov	[esp+18h+var_8], ebx
		test	eax, eax
		jz	short loc_80161B
		push	47706E50h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_801575

loc_80161B:				; CODE XREF: PiPnpRtlObjectActionCallback+182j
		mov	edx, [ebp+arg_4]
		lea	eax, [esp+18h+var_8]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		mov	eax, [esi+1Ch]
		push	eax
		push	ebx
		lea	eax, [esp+28h+var_C]
		push	eax
		mov	eax, [esi+10h]
		push	eax
		mov	eax, [esi+0Ch]
		push	eax
		mov	eax, [esi+8]
		push	eax
		push	[ebp+arg_8]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8016B7
		mov	ecx, [esp+18h+var_C]
		cmp	ecx, [esi+14h]
		jnz	short loc_8016B7
		mov	eax, [esp+18h+var_8]
		cmp	eax, [esi+1Ch]
		jnz	short loc_8016B7
		push	eax		; size_t
		mov	eax, [esi+18h]
		push	eax		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_8016B7

loc_801673:				; CODE XREF: PiPnpRtlObjectActionCallback+249j
		mov	[esi], edi
		mov	edi, 0C0000120h

loc_80167A:				; CODE XREF: PiPnpRtlObjectActionCallback+24Dj
		test	ebx, ebx
		jz	short loc_801689
		push	47706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_801689:				; CODE XREF: PiPnpRtlObjectActionCallback+1FCj
		test	edi, edi
		jnz	loc_801577	; default

loc_801691:				; CODE XREF: PiPnpRtlObjectActionCallback+16Dj
		add	esi, 8
		cmp	dword ptr [esi], 0
		jnz	loc_801577	; default
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	esi
		push	[ebp+arg_8]
		call	_PiPnpRtlCacheObjectBaseKey@16 ; PiPnpRtlCacheObjectBaseKey(x,x,x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_8016B7:				; CODE XREF: PiPnpRtlObjectActionCallback+1CDj
					; PiPnpRtlObjectActionCallback+1D6j ...
		cmp	edi, 0C0000225h
		jnz	short loc_8016CB
		cmp	dword ptr [esi+14h], 0
		jnz	short loc_8016CB
		cmp	dword ptr [esi+1Ch], 0
		jz	short loc_801673

loc_8016CB:				; CODE XREF: PiPnpRtlObjectActionCallback+23Dj
					; PiPnpRtlObjectActionCallback+243j
		xor	edi, edi
		jmp	short loc_80167A
; 

loc_8016CF:				; CODE XREF: PiPnpRtlObjectActionCallback+15Ej
		cmp	dword ptr [esi], 0
		jl	loc_801577	; default
		mov	eax, [esi+1Ch]
		push	eax
		mov	eax, [esi+18h]
		push	eax
		mov	eax, [esi+14h]
		push	eax
		jmp	loc_801561
PiPnpRtlObjectActionCallback endp

; 
		align 4
off_8016EC	dd offset loc_919CF4	; DATA XREF: PiPnpRtlObjectActionCallback+11Cr
		dd offset loc_919D47	; jump table for switch	statement
		dd offset loc_8015B5
		dd offset loc_801577
		dd offset loc_801577
		dd offset loc_801577
		dd offset loc_8015DA
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDmObjectGetAggregatedBooleanPropertyData(int,int,void	*,int,int,int,int)
PiDmObjectGetAggregatedBooleanPropertyData proc	near
					; CODE XREF: PiPnpRtlObjectActionCallback+4Fp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 00919DC1 SIZE 000000A5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		cmp	[ebp+arg_10], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], 0
		mov	[ebp+var_C], 0
		mov	byte ptr [ebp+var_1], 0
		mov	[ebp+var_18], 0
		jz	short loc_801785
		mov	eax, [ebp+arg_14]
		mov	[ebp+arg_14], eax
		test	eax, eax
		jz	loc_919DC1

loc_80174E:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+7Cj
					; PiDmObjectGetAggregatedBooleanPropertyData+1186B8j
		cmp	[ebp+arg_4], 0
		jnz	short loc_801777
		cmp	ecx, 7
		jge	short loc_801777
		mov	ecx, [ebp+arg_8]
		xor	edi, edi
		xor	esi, esi
		mov	ebx, [ecx+10h]

loc_801763:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+65j
		mov	eax, ds:off_401B20[esi]
		cmp	[eax+10h], ebx
		jz	short loc_80178E

loc_80176E:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+14Cj
		add	esi, 1Ch
		inc	edi
		cmp	esi, 54h
		jb	short loc_801763

loc_801777:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+42j
					; PiDmObjectGetAggregatedBooleanPropertyData+47j ...
		mov	eax, 0C0000016h

loc_80177C:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+E2j
					; PiDmObjectGetAggregatedBooleanPropertyData+1186C2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_801785:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+2Ej
		mov	[ebp+arg_14], 0
		jmp	short loc_80174E
; 

loc_80178E:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+5Cj
		push	10h		; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_801859
		mov	ecx, [ebp+var_10]
		cmp	ecx, ds:dword_401B1C[esi]
		jnz	loc_801859
		lea	eax, ds:0[edi*8]
		sub	eax, edi
		lea	ebx, _PiDmAggregatedBooleanDefs[eax*4]
		mov	[ebp+arg_4], ebx
		test	ebx, ebx
		jz	short loc_801777
		cmp	[ebp+arg_14], 1
		mov	eax, [ebp+arg_C]
		mov	dword ptr [eax], 11h
		mov	eax, [ebp+arg_18]
		mov	dword ptr [eax], 1
		jb	loc_919DCD
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_8]
		push	eax
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		test	eax, eax
		js	short loc_80177C
		mov	eax, large fs:124h
		mov	edi, [ebx+18h]
		add	edi, [ebp+var_8]
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, [ebp+var_8]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [edi]
		cmp	esi, 80000000h
		jz	loc_919DD7

loc_801822:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+118751j
		mov	edx, [ebp+arg_10]
		test	esi, esi
		setle	al
		dec	al
		xor	ebx, ebx
		mov	[edx], al

loc_801830:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+118739j
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_8]
		call	PiDmObjectRelease
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_801859:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+8Cj
					; PiDmObjectGetAggregatedBooleanPropertyData+9Bj
		mov	ecx, [ebp+arg_8]
		jmp	loc_80176E
PiDmObjectGetAggregatedBooleanPropertyData endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDmObjectGetCachedObjectProperty(int,int,void *,int,int,int,int)
_PiDmObjectGetCachedObjectProperty@36 proc near
					; CODE XREF: PiPnpRtlObjectActionCallback+85p
					; PiDmObjectGetCachedCmProperty(x,x,x,x,x,x,x)+8Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_10]
		mov	eax, edx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], esi
		push	edi
		mov	edi, 0C0000016h
		test	ebx, ebx
		jz	short loc_801896
		mov	esi, [ebp+arg_14]
		mov	eax, esi
		neg	eax
		sbb	eax, eax
		and	ebx, eax
		mov	eax, edx

loc_801896:				; CODE XREF: PiDmObjectGetCachedObjectProperty(x,x,x,x,x,x,x,x,x)+25j
		cmp	[ebp+arg_4], 0
		jnz	short loc_8018DC
		cmp	ecx, 7
		jge	short loc_8018DC
		lea	edx, [ebp+var_4]
		push	edx
		mov	edx, eax
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8018DC
		mov	edi, [ebp+var_10]
		cmp	edi, 3
		jz	short loc_8018E5

loc_8018BA:				; CODE XREF: PiDmObjectGetCachedObjectProperty(x,x,x,x,x,x,x,x,x)+8Aj
					; PiDmObjectGetCachedObjectProperty(x,x,x,x,x,x,x,x,x)+9Ej ...
		push	[ebp+arg_18]	; int
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		push	esi		; int
		push	ebx		; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; void *
		push	[ebp+var_4]	; int
		call	PiDmObjectGetCachedObjectPropertyData
		mov	edi, eax

loc_8018D4:				; CODE XREF: PiDmObjectGetCachedObjectProperty(x,x,x,x,x,x,x,x,x)+DEj
		mov	ecx, [ebp+var_4]
		call	PiDmObjectRelease

loc_8018DC:				; CODE XREF: PiDmObjectGetCachedObjectProperty(x,x,x,x,x,x,x,x,x)+38j
					; PiDmObjectGetCachedObjectProperty(x,x,x,x,x,x,x,x,x)+3Dj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_8018E5:				; CODE XREF: PiDmObjectGetCachedObjectProperty(x,x,x,x,x,x,x,x,x)+56j
		mov	eax, [ebp+arg_8]
		cmp	dword ptr [eax+10h], 2
		jnz	short loc_8018BA
		push	10h		; size_t
		push	offset _DEVPKEY_Device_ContainerId ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_8018BA
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	offset _DEVPKEY_Device_InstanceId ; void *
		push	[ebp+var_4]	; int
		push	3
		pop	ecx
		call	PiDmObjectGetCachedObjectReference
		test	eax, eax
		js	short loc_8018BA
		push	[ebp+arg_18]	; int
		push	esi		; int
		mov	esi, [ebp+var_C]
		push	ebx		; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; void *
		mov	edx, [esi+0Ch]
		mov	ecx, [esi+14h]
		push	esi		; int
		call	PiDmObjectGetCachedObjectPropertyData
		mov	ecx, esi
		mov	edi, eax
		call	PiDmObjectRelease
		jmp	short loc_8018D4
_PiDmObjectGetCachedObjectProperty@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDmObjectRelease proc near		; CODE XREF: PiDmGetObjectConstraintList(x,x,x,x,x,x,x)+A5p
					; PiPnpRtlApplyMandatoryDeviceContainerFilters(x,x,x,x,x)+7Cp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00919E66 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		or	eax, 0FFFFFFFFh
		push	esi
		mov	esi, ecx
		lock xadd [esi+4], eax
		dec	eax
		jz	loc_919E66

loc_80195F:				; CODE XREF: PiDmObjectRelease+11856Dj
		pop	esi
		leave
		retn
PiDmObjectRelease endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmGetObject(x, x,	x)
_PiDmGetObject@12 proc near		; CODE XREF: PiDmGetObjectConstraintList(x,x,x,x,x,x,x)+3Cp
					; PiPnpRtlApplyMandatoryDeviceContainerFilters(x,x,x,x,x)+37p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		xor	edi, edi
		call	PiDmGetObjectManagerForObjectType
		mov	ebx, eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	ebx
		call	ExAcquireResourceSharedLite
		mov	edx, esi
		mov	ecx, ebx
		call	_PiDmLookupObject@8 ; PiDmLookupObject(x,x)
		mov	ecx, eax
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		test	ecx, ecx
		jz	short loc_8019BF
		lock inc dword ptr [ecx+4]

loc_8019A3:				; CODE XREF: PiDmGetObject(x,x,x)+62j
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_8019BF:				; CODE XREF: PiDmGetObject(x,x,x)+3Bj
		mov	edi, 0C0000034h
		jmp	short loc_8019A3
_PiDmGetObject@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmLookupObject(x,	x)
_PiDmLookupObject@8 proc near		; CODE XREF: PiDmGetObject(x,x,x)+2Dp
					; PiDmRemoveCacheReferenceForObject+2Fp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		xor	esi, esi
		lea	eax, [esp+5Ch+var_48]
		push	esi		; int
		push	eax		; void *
		mov	ebx, edx
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+58h+var_48]
		mov	[esp+58h+var_4C], eax
		test	ebx, ebx
		jz	short loc_801A24
		mov	edx, [edi+70h]
		mov	ecx, ebx
		push	eax
		call	PiDmInitializeComparisonObject
		test	eax, eax
		js	short loc_801A24
		lea	eax, [esp+58h+var_4C]
		push	eax
		lea	eax, [edi+38h]
		push	eax
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		test	eax, eax
		jz	short loc_801A24
		mov	esi, [eax]

loc_801A24:				; CODE XREF: PiDmLookupObject(x,x)+39j
					; PiDmLookupObject(x,x)+48j ...
		mov	ecx, [esp+58h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PiDmLookupObject@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDmInitializeComparisonObject proc near ; CODE	XREF: PiPnpRtlObjectEventCreate+7Ap
					; PiDmLookupObject(x,x)+41p ...

var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00919EB4 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_14], 0
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[edx+0Ch], esi
		mov	[edx+14h], ebx
		test	esi, esi
		jz	loc_919EB4
		mov	ecx, 7FFFh
		mov	eax, esi

loc_801A72:				; CODE XREF: PiDmInitializeComparisonObject+3Dj
		cmp	[eax], di
		jz	short loc_801A84
		add	eax, 2
		sub	ecx, 1
		jnz	short loc_801A72
		jmp	loc_919EBD
; 

loc_801A84:				; CODE XREF: PiDmInitializeComparisonObject+35j
		test	ecx, ecx
		jz	loc_919EBD
		mov	eax, 7FFFh
		mov	edi, esi
		sub	eax, ecx
		lea	ecx, [eax+eax]
		mov	eax, esi

loc_801A9A:				; CODE XREF: PiDmInitializeComparisonObject+118478j
		cmp	ebx, 3
		jz	loc_801B41

loc_801AA3:				; CODE XREF: PiDmInitializeComparisonObject+112j
		xor	eax, eax
		add	edx, 10h
		mov	[ebp+var_C], edx
		jz	loc_919EBD
		movzx	ebx, cx
		shr	ebx, 1
		mov	[edx], eax
		jz	short loc_801AE4
		mov	esi, 0C0h
		nop

loc_801AC0:				; CODE XREF: PiDmInitializeComparisonObject+9Fj
		movzx	ecx, word ptr [edi]
		lea	edi, [edi+2]
		dec	ebx
		mov	[ebp+var_8], ecx
		cmp	ecx, 61h
		jnb	short loc_801AF1

loc_801ACF:				; CODE XREF: PiDmInitializeComparisonObject+B9j
					; PiDmInitializeComparisonObject+C6j ...
		imul	eax, 1003Fh
		movzx	ecx, cx
		movzx	ecx, cx
		add	eax, ecx
		test	ebx, ebx
		jnz	short loc_801AC0
		mov	edx, [ebp+var_C]

loc_801AE4:				; CODE XREF: PiDmInitializeComparisonObject+78j
		mov	[edx], eax
		xor	eax, eax

loc_801AE8:				; CODE XREF: PiDmInitializeComparisonObject+118482j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_801AF1:				; CODE XREF: PiDmInitializeComparisonObject+8Dj
		cmp	ecx, 7Ah
		ja	short loc_801AFB
		add	ecx, 0FFFFFFE0h
		jmp	short loc_801ACF
; 

loc_801AFB:				; CODE XREF: PiDmInitializeComparisonObject+B4j
		mov	edx, ds:_Nls844UnicodeUpcaseTable
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	short loc_801ACF
		cmp	cx, si
		jb	short loc_801ACF
		movzx	esi, cx
		mov	ecx, esi
		shr	ecx, 8
		movzx	edx, word ptr [edx+ecx*2]
		mov	ecx, esi
		shr	ecx, 4
		and	esi, 0Fh
		and	ecx, 0Fh
		add	edx, ecx
		mov	ecx, [ebp+var_4]
		movzx	ecx, word ptr [ecx+edx*2]
		mov	edx, [ebp+var_4]
		add	ecx, esi
		mov	esi, 0C0h
		mov	cx, [edx+ecx*2]
		add	cx, word ptr [ebp+var_8]
		jmp	short loc_801ACF
; 

loc_801B41:				; CODE XREF: PiDmInitializeComparisonObject+5Dj
		cmp	cx, 8
		jbe	short loc_801B57
		mov	esi, 0FFF8h
		lea	edi, [eax+8]
		add	cx, si
		jmp	loc_801AA3
; 

loc_801B57:				; CODE XREF: PiDmInitializeComparisonObject+105j
		mov	eax, 0C0000034h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
PiDmInitializeComparisonObject endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmCompareObjects(x, x, x)
_PiDmCompareObjects@12 proc near	; DATA XREF: PiDmObjectManagerInit(x,x)+1Bo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		push	esi
		mov	eax, [eax]
		mov	ecx, [ecx]
		cmp	eax, ecx
		jz	short loc_801BBB
		mov	edx, [eax+10h]
		cmp	edx, [ecx+10h]
		jb	short loc_801B98
		jbe	short loc_801B9F

loc_801B8E:				; CODE XREF: PiDmCompareObjects(x,x,x)+49j
		mov	eax, 1

loc_801B93:				; CODE XREF: PiDmCompareObjects(x,x,x)+50j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_801B98:				; CODE XREF: PiDmCompareObjects(x,x,x)+1Aj
					; PiDmCompareObjects(x,x,x)+47j
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_801B9F:				; CODE XREF: PiDmCompareObjects(x,x,x)+1Cj
		cmp	dword ptr [eax+14h], 3
		mov	edx, [ecx+0Ch]
		mov	ecx, [eax+0Ch]
		jz	short loc_801BC2

loc_801BAB:				; CODE XREF: PiDmCompareObjects(x,x,x)+58j
		push	edx		; wchar_t *
		push	ecx		; wchar_t *
		call	__wcsicmp
		add	esp, 8
		test	eax, eax
		js	short loc_801B98
		jg	short loc_801B8E

loc_801BBB:				; CODE XREF: PiDmCompareObjects(x,x,x)+12j
		mov	eax, 2
		jmp	short loc_801B93
; 

loc_801BC2:				; CODE XREF: PiDmCompareObjects(x,x,x)+39j
		add	ecx, 8
		add	edx, 8
		jmp	short loc_801BAB
_PiDmCompareObjects@12 endp


;  S U B	R O U T	I N E 


PiDmGetObjectManagerForObjectType proc near
					; CODE XREF: PiDmEnumObjectsWithCallback(x,x,x)+50p
					; PiDmGetObject(x,x,x)+Cp ...

; FUNCTION CHUNK AT 00919EC7 SIZE 0000000F BYTES

		xor	eax, eax
		sub	ecx, 1
		jnz	short loc_801BD7
		mov	eax, offset _PiDmDeviceManager

locret_801BD6:				; CODE XREF: PiDmGetObjectManagerForObjectType+118300j
		retn
; 

loc_801BD7:				; CODE XREF: PiDmGetObjectManagerForObjectType+5j
		sub	ecx, 1
		jz	short loc_801C01
		sub	ecx, 1
		jnz	short loc_801BE7
		mov	eax, offset _PiDmDeviceInterfaceManager
		retn
; 

loc_801BE7:				; CODE XREF: PiDmGetObjectManagerForObjectType+15j
		sub	ecx, 1
		jnz	short loc_801BF2
		mov	eax, offset _PiDmDeviceInterfaceClassManager
		retn
; 

loc_801BF2:				; CODE XREF: PiDmGetObjectManagerForObjectType+20j
		sub	ecx, 1
		jnz	loc_919EC7
		mov	eax, offset _PiDmDeviceContainerManager
		retn
; 

loc_801C01:				; CODE XREF: PiDmGetObjectManagerForObjectType+10j
		mov	eax, offset _PiDmDeviceInstallerClassManager
		retn
PiDmGetObjectManagerForObjectType endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDmObjectGetCachedObjectPropertyData(int,void *,int,int,int,int)
PiDmObjectGetCachedObjectPropertyData proc near
					; CODE XREF: PiDmObjectGetCachedObjectProperty(x,x,x,x,x,x,x,x,x)+6Bp
					; PiDmObjectGetCachedObjectProperty(x,x,x,x,x,x,x,x,x)+D0p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00919ED6 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	[ebp+var_C], edx
		push	edi
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_10], eax
		xor	ebx, ebx
		lea	edx, [ebp+var_8]
		push	ecx
		mov	ecx, eax
		mov	[ebp+var_8], ebx
		mov	esi, 0C0000016h
		mov	[ebp+var_4], ebx
		call	_PiDmGetCacheKeys@12 ; PiDmGetCacheKeys(x,x,x)
		mov	edi, [ebp+var_4]
		test	edi, edi
		jz	short loc_801CB8
		push	[ebp+arg_4]	; void *
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_PiDmGetCachedKeyIndex@12 ; PiDmGetCachedKeyIndex(x,x,x)
		mov	[ebp+arg_4], eax
		cmp	eax, edi
		jnb	short loc_801CB8
		cmp	[ebp+arg_0], ebx
		jz	loc_919ED6

loc_801C5A:				; CODE XREF: PiDmObjectGetCachedObjectPropertyData+1182E9j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+arg_0]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		imul	ecx, [ebp+arg_4], arg_C
		add	ecx, 40h
		add	ecx, edi
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_801CC1
		cmp	eax, 1
		jz	short loc_801CC1
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_8]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	PiDmCacheDataDecode
		mov	esi, eax

loc_801C9B:				; CODE XREF: PiDmObjectGetCachedObjectPropertyData+BEj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, bl
		jnz	loc_919EF6

loc_801CB8:				; CODE XREF: PiDmObjectGetCachedObjectPropertyData+33j
					; PiDmObjectGetCachedObjectPropertyData+47j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_801CC1:				; CODE XREF: PiDmObjectGetCachedObjectPropertyData+79j
					; PiDmObjectGetCachedObjectPropertyData+7Ej
		mov	esi, 0C0000016h
		jmp	short loc_801C9B
PiDmObjectGetCachedObjectPropertyData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmGetCacheKeys(x,	x, x)
_PiDmGetCacheKeys@12 proc near		; CODE XREF: PiDmObjectGetCachedObjectReference+2Bp
					; PiDmObjectGetCachedObjectPropertyData+29p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	ecx, 1
		jnz	short loc_801CE6
		mov	dword ptr [eax], 0Ah
		mov	ecx, offset _PiDmCachedDeviceKeys

loc_801CE0:				; CODE XREF: PiDmGetCacheKeys(x,x,x)+2Fj
					; PiDmGetCacheKeys(x,x,x)+3Bj ...
		mov	[edx], ecx
		pop	ebp
		retn	4
; 

loc_801CE6:				; CODE XREF: PiDmGetCacheKeys(x,x,x)+Bj
		dec	ecx
		sub	ecx, 1
		jnz	short loc_801CF9
		mov	dword ptr [eax], 1
		mov	ecx, offset _PiDmCachedDeviceInterfaceKeys
		jmp	short loc_801CE0
; 

loc_801CF9:				; CODE XREF: PiDmGetCacheKeys(x,x,x)+22j
		dec	ecx
		sub	ecx, 1
		jz	short loc_801D05
		xor	ecx, ecx
		mov	[eax], ecx
		jmp	short loc_801CE0
; 

loc_801D05:				; CODE XREF: PiDmGetCacheKeys(x,x,x)+35j
		mov	dword ptr [eax], 3
		mov	ecx, (offset loc_40101D+3)
		jmp	short loc_801CE0
_PiDmGetCacheKeys@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDmGetCachedKeyIndex(void *)
_PiDmGetCachedKeyIndex@12 proc near	; CODE XREF: PiDmObjectGetCachedObjectReference+3Fp
					; PiDmObjectGetCachedObjectPropertyData+3Dp ...

var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, edx
		xor	esi, esi
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	short loc_801D4F
		mov	edx, [ebp+arg_0]
		mov	ecx, [edx+10h]
		mov	[ebp+var_4], ecx
		lea	esp, [esp+0]

loc_801D40:				; CODE XREF: PiDmGetCachedKeyIndex(x,x,x)+2Dj
		mov	eax, [edi]
		cmp	ecx, [eax+10h]
		jz	short loc_801D5B

loc_801D47:				; CODE XREF: PiDmGetCachedKeyIndex(x,x,x)+5Cj
		inc	esi
		add	edi, 10h
		cmp	esi, ebx
		jb	short loc_801D40

loc_801D4F:				; CODE XREF: PiDmGetCachedKeyIndex(x,x,x)+11j
		pop	edi
		pop	esi
		or	eax, 0FFFFFFFFh
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_801D5B:				; CODE XREF: PiDmGetCachedKeyIndex(x,x,x)+25j
		push	10h		; size_t
		push	eax		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_801D76
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_801D76:				; CODE XREF: PiDmGetCachedKeyIndex(x,x,x)+49j
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+arg_0]
		jmp	short loc_801D47
_PiDmGetCachedKeyIndex@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpGetObjectPropertyWorker proc near	; CODE XREF: _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)+B3p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 00919F03 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_20]
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		push	edi
		test	si, si
		jnz	loc_919F03
		mov	edi, [ebp+arg_14]
		test	edi, edi
		jz	loc_801E5D
		mov	ebx, [ebp+arg_18]
		mov	eax, ebx
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_801DB5:				; CODE XREF: _PnpGetObjectPropertyWorker+E1j
		mov	ecx, [ebp+arg_1C]
		mov	eax, [ebp+arg_10]
		push	esi
		push	ecx
		push	ebx
		and	dword ptr [eax], 0
		and	dword ptr [ecx], 0
		mov	ecx, [ebp+var_8]
		push	edi
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__PnpGetMappedPropertyDispatch@44 ; _PnpGetMappedPropertyDispatch(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000016h
		jnz	short loc_801E0B
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_801E2C

loc_801DEB:				; CODE XREF: _PnpGetObjectPropertyWorker+D3j
		push	ecx
		push	[ebp+arg_1C]
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	edi
		push	ebx
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	__PnpGetGenericStoreProperty@36	; _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_801E1A

loc_801E0B:				; CODE XREF: _PnpGetObjectPropertyWorker+64j
					; _PnpGetObjectPropertyWorker+ACj ...
		cmp	[ebp+var_4], 0
		jnz	short loc_801E53

loc_801E11:				; CODE XREF: _PnpGetObjectPropertyWorker+DDj
					; _PnpGetObjectPropertyWorker+11818Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_801E1A:				; CODE XREF: _PnpGetObjectPropertyWorker+8Bj
		mov	eax, [ebp+arg_1C]
		mov	ecx, edi
		push	dword ptr [ebx]
		mov	edx, [eax]
		call	_PnpValidatePropertyData
		mov	esi, eax
		jmp	short loc_801E0B
; 

loc_801E2C:				; CODE XREF: _PnpGetObjectPropertyWorker+6Bj
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_8]
		push	2000001h
		push	[ebp+arg_0]
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_801E0B
		mov	eax, [ebp+var_4]
		jmp	short loc_801DEB
; 

loc_801E53:				; CODE XREF: _PnpGetObjectPropertyWorker+91j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_801E11
; 

loc_801E5D:				; CODE XREF: _PnpGetObjectPropertyWorker+26j
		xor	ebx, ebx
		jmp	loc_801DB5
_PnpGetObjectPropertyWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpGetMappedPropertyDispatch(x, x,	x, x, x, x, x, x, x, x,	x)
__PnpGetMappedPropertyDispatch@44 proc near ; CODE XREF: _PnpGetObjectPropertyWorker+57p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ecx-1]
		mov	esi, edi
		cmp	eax, 0Ah
		ja	short loc_801ED7
		mov	edi, [edx+ecx*4+98h]

loc_801E89:				; CODE XREF: _PnpGetMappedPropertyDispatch(x,x,x,x,x,x,x,x,x,x,x)+78j
		test	esi, esi
		js	short loc_801ECE
		test	edi, edi
		jz	short loc_801EDE
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	8
		push	ecx
		push	ebx
		push	edx
		call	edi
		mov	esi, eax

loc_801ECE:				; CODE XREF: _PnpGetMappedPropertyDispatch(x,x,x,x,x,x,x,x,x,x,x)+27j
					; _PnpGetMappedPropertyDispatch(x,x,x,x,x,x,x,x,x,x,x)+7Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_801ED7:				; CODE XREF: _PnpGetMappedPropertyDispatch(x,x,x,x,x,x,x,x,x,x,x)+1Cj
		mov	esi, 0C000000Dh
		jmp	short loc_801E89
; 

loc_801EDE:				; CODE XREF: _PnpGetMappedPropertyDispatch(x,x,x,x,x,x,x,x,x,x,x)+2Bj
		mov	esi, 0C0000002h
		jmp	short loc_801ECE
__PnpGetMappedPropertyDispatch@44 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDmObjectUpdateCachedObjectProperty(int,int,void *,int,int,int)
PiDmObjectUpdateCachedObjectProperty proc near ; CODE XREF: PiPnpRtlObjectActionCallback+F0p
					; PiDmObjectUpdateCachedCmProperty(x,x,x,x,x,x,x)+8Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00919F0D SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_20], edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_24], edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_1], bl
		cmp	[ebp+arg_4], ebx
		jnz	short loc_801F3C
		lea	eax, [ebp+var_18]
		push	eax
		lea	edx, [ebp+var_10]
		call	_PiDmGetCacheKeys@12 ; PiDmGetCacheKeys(x,x,x)
		mov	esi, [ebp+var_18]
		test	esi, esi
		jz	short loc_801F3C
		push	[ebp+arg_8]	; void *
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		call	_PiDmGetCachedKeyIndex@12 ; PiDmGetCachedKeyIndex(x,x,x)
		mov	[ebp+arg_4], eax
		cmp	eax, esi
		jb	short loc_801F43

loc_801F3C:				; CODE XREF: PiDmObjectUpdateCachedObjectProperty+2Dj
					; PiDmObjectUpdateCachedObjectProperty+40j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_801F43:				; CODE XREF: PiDmObjectUpdateCachedObjectProperty+54j
		mov	esi, [ebp+var_20]
		lea	eax, [ebp+var_8]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		test	eax, eax
		js	short loc_801F3C
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+var_8]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+arg_4]
		lea	edx, [edi+40h]
		mov	edi, [ebp+arg_10]
		imul	eax, ecx, 14h
		add	edx, eax
		mov	[ebp+var_20], edx
		mov	eax, [edx]
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	short loc_801F90
		cmp	eax, 1
		jnz	short loc_801FB2

loc_801F90:				; CODE XREF: PiDmObjectUpdateCachedObjectProperty+A3j
		mov	eax, [ebp+var_10]
		add	ecx, ecx
		push	edx		; int
		mov	edx, edi
		push	dword ptr [eax+ecx*8+8]	; int
		push	dword ptr [eax+ecx*8+4]	; int
		mov	ecx, [ebp+arg_C]
		push	[ebp+arg_14]	; size_t
		call	PiDmCacheDataEncode
		cmp	[ebp+arg_4], ebx
		setz	[ebp+var_1]

loc_801FB2:				; CODE XREF: PiDmObjectUpdateCachedObjectProperty+A8j
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[ebp+var_1], bl
		jnz	short loc_801FDA

loc_801FCD:				; CODE XREF: PiDmObjectUpdateCachedObjectProperty+157j
					; PiDmObjectUpdateCachedObjectProperty+16Ej ...
		mov	ecx, [ebp+var_8]
		call	PiDmObjectRelease
		jmp	loc_801F3C
; 

loc_801FDA:				; CODE XREF: PiDmObjectUpdateCachedObjectProperty+E5j
		mov	edx, [ebp+arg_14]
		lea	eax, [ebp+var_1C]
		push	10000h
		push	eax
		lea	eax, [ebp+var_C]
		mov	ecx, 5A706E50h
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+arg_8]
		push	ebx
		push	ebx
		push	[ebp+var_24]
		push	esi
		call	PnpGetObjectProperty
		mov	esi, [ebp+var_C]
		cmp	eax, 0C0000225h
		jz	short loc_80206A
		mov	ebx, [ebp+var_1C]

loc_80200E:				; CODE XREF: PiDmObjectUpdateCachedObjectProperty+18Bj
					; PiDmObjectUpdateCachedObjectProperty+118039j
		test	eax, eax
		js	loc_919F24
		mov	eax, [ebp+arg_C]
		cmp	[ebp+var_14], eax
		jnz	loc_919F24
		cmp	ebx, [ebp+arg_14]
		jnz	loc_919F24
		test	esi, esi
		jz	short loc_802078
		test	edi, edi
		jz	loc_919F24

loc_802037:				; CODE XREF: PiDmObjectUpdateCachedObjectProperty+194j
		test	ebx, ebx
		jz	short loc_802052
		test	esi, esi
		jz	short loc_801FCD
		push	ebx		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_919F24

loc_802052:				; CODE XREF: PiDmObjectUpdateCachedObjectProperty+153j
					; PiDmObjectUpdateCachedObjectProperty+118077j
		test	esi, esi
		jz	loc_801FCD
		push	5A706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_801FCD
; 

loc_80206A:				; CODE XREF: PiDmObjectUpdateCachedObjectProperty+123j
		mov	[ebp+var_14], ebx
		mov	eax, ebx
		test	esi, esi
		jz	short loc_80200E
		jmp	loc_919F0D
; 

loc_802078:				; CODE XREF: PiDmObjectUpdateCachedObjectProperty+147j
		test	edi, edi
		jz	short loc_802037
		jmp	loc_919F24
PiDmObjectUpdateCachedObjectProperty endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlCacheObjectBaseKey(x, x, x,	x)
_PiPnpRtlCacheObjectBaseKey@16 proc near ; CODE	XREF: PiPnpRtlObjectActionCallback+B5p
					; PiPnpRtlObjectActionCallback+227p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		cmp	[ebp+arg_0], 7
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_C], ecx
		jge	loc_80213A
		lea	ecx, [ebp+var_4]
		call	_PiPnpRtlGetCurrentOperation@4 ; PiPnpRtlGetCurrentOperation(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_802110
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiPnpRtlRemoveOperationDispatchLock
		call	ExAcquireResourceSharedLite
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_4]
		mov	ecx, ebx
		call	PiPnpRtlObjectEventCreate
		mov	esi, eax
		test	esi, esi
		js	short loc_8020FA
		mov	edi, [ebp+var_8]
		test	edi, edi
		jz	short loc_8020FA
		add	edi, 0Ch
		xor	eax, eax
		cmp	[edi], eax
		jz	short loc_802119

loc_8020F3:				; CODE XREF: PiPnpRtlCacheObjectBaseKey(x,x,x,x)+B1j
		mov	eax, [ebp+arg_4]
		mov	edx, [edi]
		mov	[eax], edx

loc_8020FA:				; CODE XREF: PiPnpRtlCacheObjectBaseKey(x,x,x,x)+5Fj
					; PiPnpRtlCacheObjectBaseKey(x,x,x,x)+66j ...
		mov	ecx, offset _PiPnpRtlRemoveOperationDispatchLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_802110:				; CODE XREF: PiPnpRtlCacheObjectBaseKey(x,x,x,x)+2Ej
					; PiPnpRtlCacheObjectBaseKey(x,x,x,x)+BDj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_802119:				; CODE XREF: PiPnpRtlCacheObjectBaseKey(x,x,x,x)+6Fj
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		push	eax
		push	eax
		push	edi
		push	eax
		push	2000000h
		push	[ebp+arg_0]
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		jns	short loc_8020F3
		and	dword ptr [edi], 0
		jmp	short loc_8020FA
; 

loc_80213A:				; CODE XREF: PiPnpRtlCacheObjectBaseKey(x,x,x,x)+1Cj
		mov	esi, 0C00000BBh
		jmp	short loc_802110
_PiPnpRtlCacheObjectBaseKey@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlGetCurrentOperation(x)
_PiPnpRtlGetCurrentOperation@4 proc near ; CODE	XREF: PiPnpRtlBeginOperation+20p
					; PiPnpRtlCacheObjectBaseKey(x,x,x,x)+25p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		mov	[ebp+var_4], eax
		mov	ebx, ecx
		mov	eax, large fs:124h
		push	esi
		xor	esi, esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, esi
		mov	[ebx], esi
		nop
		push	1
		push	offset _PiPnpRtlActiveOperationsLock
		call	ExAcquireResourceSharedLite
		mov	eax, _PiPnpRtlActiveOperations
		mov	ecx, offset _PiPnpRtlActiveOperations
		cmp	eax, ecx
		jz	short loc_80218E
		mov	edx, [ebp+var_4]

loc_802187:				; CODE XREF: PiPnpRtlGetCurrentOperation(x)+7Cj
		mov	edi, eax
		cmp	[eax+8], edx
		jnz	short loc_8021B8

loc_80218E:				; CODE XREF: PiPnpRtlGetCurrentOperation(x)+40j
					; PiPnpRtlGetCurrentOperation(x)+7Ej
		mov	ecx, offset _PiPnpRtlActiveOperationsLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	edi, edi
		jz	short loc_8021B1
		mov	[ebx], edi

loc_8021AA:				; CODE XREF: PiPnpRtlGetCurrentOperation(x)+74j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8021B1:				; CODE XREF: PiPnpRtlGetCurrentOperation(x)+64j
		mov	esi, 0C0000225h
		jmp	short loc_8021AA
; 

loc_8021B8:				; CODE XREF: PiPnpRtlGetCurrentOperation(x)+4Aj
		mov	eax, [eax]
		mov	edi, esi
		cmp	eax, ecx
		jnz	short loc_802187
		jmp	short loc_80218E
_PiPnpRtlGetCurrentOperation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpDispatchDevice proc	near		; DATA XREF: _PnpCtxOpenMachine+144o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00919F62 SIZE 0000009A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_C]
		xor	edx, edx
		dec	eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		push	esi
		mov	esi, edx
		cmp	eax, 8		; switch 9 cases
		ja	loc_919FF2	; default
		jmp	ds:off_80229A[eax*4] ; switch jump

loc_8021E8:				; DATA XREF: PAGE:off_80229Ao
		mov	ecx, [ebp+arg_10] ; case 0x7
		mov	edx, [ebp+arg_4]
		mov	eax, [ecx+1Ch]
		and	eax, 0FFFF0000h
		push	eax		; int
		push	dword ptr [ecx+18h] ; int
		push	dword ptr [ecx+14h] ; int
		push	dword ptr [ecx+10h] ; int
		push	dword ptr [ecx+0Ch] ; int
		push	dword ptr [ecx+8] ; void *
		push	dword ptr [ecx+4] ; int
		push	dword ptr [ecx]	; int
		mov	ecx, [ebp+arg_0]
		call	_CmGetDeviceMappedProperty

loc_802213:				; CODE XREF: _PnpDispatchDevice+7Cj
					; _PnpDispatchDevice+86j ...
		mov	ecx, eax
		call	__PnpMapCmStatusToDispatchStatus@4 ; _PnpMapCmStatusToDispatchStatus(x)
		pop	esi
		leave
		retn	14h
; 

loc_80221F:				; CODE XREF: _PnpDispatchDevice+1Fj
					; DATA XREF: PAGE:off_80229Ao
		mov	ecx, [ebp+arg_10] ; case 0x1
		lea	eax, [ecx+0Ch]
		push	eax
		push	dword ptr [ecx+8]
		movzx	eax, byte ptr [ecx+4]
		push	eax
		push	dword ptr [ecx]
		mov	ecx, [ebp+arg_0]
		push	edx
		mov	edx, [ebp+arg_4]
		push	10h
		call	_CmOpenDeviceRegKey
		jmp	short loc_802213
; 

loc_802240:				; CODE XREF: _PnpDispatchDevice+1Fj
					; DATA XREF: PAGE:off_80229Ao
		mov	edx, [ebp+arg_4] ; case	0x0
		call	__CmValidateDeviceName@8 ; _CmValidateDeviceName(x,x)
		jmp	short loc_802213
; 

loc_80224A:				; CODE XREF: _PnpDispatchDevice+1Fj
					; DATA XREF: PAGE:off_80229Ao
		mov	eax, [ebp+arg_10] ; case 0x8
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	dword ptr [eax+14h] ; int
		push	dword ptr [eax+10h] ; int
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; void *
		push	dword ptr [eax+4] ; void *
		push	dword ptr [eax]	; void *
		call	_CmSetDeviceMappedProperty
		jmp	short loc_802213
; 

loc_80226B:				; CODE XREF: _PnpDispatchDevice+1Fj
					; DATA XREF: PAGE:off_80229Ao
		mov	ecx, [ebp+arg_10] ; case 0x4
		mov	eax, [ecx]
		test	eax, eax
		jnz	loc_919FA3

loc_802278:				; CODE XREF: _PnpDispatchDevice+117DF2j
		mov	eax, [ecx+14h]
		and	eax, 0FFFF0000h
		push	eax
		push	dword ptr [ecx+10h]
		push	dword ptr [ecx+0Ch]
		push	dword ptr [ecx+8]
		mov	ecx, [ebp+arg_0]
		push	esi
		call	_CmGetMatchingDeviceList
		jmp	loc_802213
_PnpDispatchDevice endp

; 
		db 8Bh,	0FFh
off_80229A	dd offset loc_802240	; DATA XREF: _PnpDispatchDevice+1Fr
		dd offset loc_80221F	; jump table for switch	statement
		dd offset loc_919F62
		dd offset loc_919F88
		dd offset loc_80226B
		dd offset loc_919FB9
		dd offset loc_919FD8
		dd offset loc_8021E8
		dd offset loc_80224A
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetDeviceMappedProperty(int,int,void *,int,int,int,int,int)
_CmGetDeviceMappedProperty proc	near	; CODE XREF: _PnpDispatchDevice+4Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 00919FFC SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, [ebp+arg_1C]
		push	ebx
		mov	[esp+10h+var_8], ecx
		mov	ecx, 0C0000016h
		movzx	eax, ax
		mov	[esp+10h+var_C], edx
		mov	[esp+10h+var_4], ecx
		push	esi
		push	edi
		test	eax, eax
		jnz	loc_919FFC
		mov	ebx, [ebp+arg_18]
		mov	[ebx], eax
		cmp	[ebp+arg_4], eax
		jnz	loc_8023B6
		mov	ecx, [ebp+arg_8]
		xor	esi, esi
		mov	edi, [ecx+10h]
		jmp	short loc_802310
; 
		align 10h

loc_802310:				; CODE XREF: _CmGetDeviceMappedProperty+43j
					; _CmGetDeviceMappedProperty+68j
		mov	eax, ds:__CmDeviceRegPropMap[esi]
		cmp	edi, [eax+10h]
		jz	loc_8023C1

loc_80231F:				; CODE XREF: _CmGetDeviceMappedProperty+114j
		add	esi, 10h
		cmp	esi, 210h
		jb	short loc_802310
		mov	ebx, [ebp+arg_14]

loc_80232D:				; CODE XREF: _CmGetDeviceMappedProperty+117D49j
		mov	edi, [ecx+10h]
		xor	esi, esi
		jmp	short loc_802340
; 
		lea	esp, [esp+0]
		jmp	short loc_802340
; 
		align 10h

loc_802340:				; CODE XREF: _CmGetDeviceMappedProperty+72j
					; _CmGetDeviceMappedProperty+7Bj ...
		mov	eax, ds:off_A42DF0[esi]
		cmp	edi, [eax+10h]
		jz	loc_80241A

loc_80234F:				; CODE XREF: _CmGetDeviceMappedProperty+16Dj
		add	esi, 10h
		cmp	esi, 20h
		jb	short loc_802340

loc_802357:				; CODE XREF: _CmGetDeviceMappedProperty+1A1j
		mov	ecx, [ebp+arg_8]
		xor	esi, esi
		mov	edi, [ecx+10h]
		nop

loc_802360:				; CODE XREF: _CmGetDeviceMappedProperty+B4j
		mov	eax, ds:off_A42E10[esi]
		cmp	edi, [eax+10h]
		jz	short loc_8023D9

loc_80236B:				; CODE XREF: _CmGetDeviceMappedProperty+12Cj
		add	esi, 8
		cmp	esi, 0D8h
		jb	short loc_802360
		mov	eax, [esp+18h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_802383:				; CODE XREF: _CmGetDeviceMappedProperty+10Fj
		push	[ebp+arg_1C]	; int
		mov	edx, [esp+arg_8]
		mov	ecx, [esp+arg_C]
		push	ebx		; int
		mov	ebx, [ebp+arg_14]
		push	ebx		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_0]	; int
		call	_CmGetDeviceMappedPropertyFromRegProp
		mov	ecx, eax
		mov	[esp-4+arg_10],	ecx
		cmp	ecx, 0C0000016h
		jz	loc_91A006

loc_8023B6:				; CODE XREF: _CmGetDeviceMappedProperty+35j
					; _CmGetDeviceMappedProperty+19Bj
		mov	eax, ecx

loc_8023B8:				; CODE XREF: _CmGetDeviceMappedProperty+117D41j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_8023C1:				; CODE XREF: _CmGetDeviceMappedProperty+59j
		push	10h		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_802383
		mov	ecx, [ebp+arg_8]
		jmp	loc_80231F
; 

loc_8023D9:				; CODE XREF: _CmGetDeviceMappedProperty+A9j
		push	10h		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8023F1
		mov	ecx, [ebp+arg_8]
		jmp	loc_80236B
; 

loc_8023F1:				; CODE XREF: _CmGetDeviceMappedProperty+127j
		push	[ebp+arg_1C]	; int
		mov	edx, [esp+1Ch+var_C]
		push	[ebp+arg_18]	; int
		mov	ecx, [esp+20h+var_8]
		push	ebx		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_0]	; int
		call	_CmGetDeviceMappedPropertyFromComposite
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_80241A:				; CODE XREF: _CmGetDeviceMappedProperty+89j
		push	10h		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_802432
		mov	ecx, [ebp+arg_8]
		jmp	loc_80234F
; 

loc_802432:				; CODE XREF: _CmGetDeviceMappedProperty+168j
		push	[ebp+arg_18]	; int
		mov	edx, [esp+1Ch+var_C]
		mov	ecx, [esp+1Ch+var_8]
		push	ebx		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_0]	; int
		call	_CmGetDeviceMappedPropertyFromInstanceKeyRegValue
		mov	ecx, eax
		mov	[esp+18h+var_4], ecx
		cmp	ecx, 0C0000016h
		jnz	loc_8023B6
		jmp	loc_802357
_CmGetDeviceMappedProperty endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpAllocatePWSTR proc near		; CODE XREF: PiDqActionDataCreate+71p
					; PiDqPnPGetObjectProperty+58p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0091A00E SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	esi, eax
		mov	[edi], eax
		test	ebx, ebx
		jz	short loc_8024DD
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8024DD
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_8024D5
		push	2
		pop	ecx
		inc	eax
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8024DD
		push	[ebp+arg_0]
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jz	loc_91A00E
		mov	edx, [ebp+var_4]
		mov	ecx, eax
		push	ebx
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		mov	esi, eax

loc_8024D5:				; CODE XREF: PnpAllocatePWSTR+33j
		test	esi, esi
		js	loc_91A013

loc_8024DD:				; CODE XREF: PnpAllocatePWSTR+1Dj
					; PnpAllocatePWSTR+2Cj	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
PnpAllocatePWSTR endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlObjectEventCompareObjects(x, x, x)
_PiPnpRtlObjectEventCompareObjects@12 proc near	; DATA XREF: PiPnpRtlBeginOperation+77o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		mov	ecx, [eax]
		mov	eax, [ebp+arg_8]
		mov	eax, [eax]
		cmp	ecx, eax
		jz	short loc_80252E
		mov	edx, [eax+8]
		mov	esi, [ecx+8]
		mov	eax, [esi+10h]
		cmp	eax, [edx+10h]
		ja	short loc_802536
		jb	short loc_80253B
		mov	eax, [esi+14h]
		cmp	eax, [edx+14h]
		jl	short loc_80253B
		jg	short loc_802536
		mov	edx, [edx+0Ch]
		mov	ecx, [esi+0Ch]
		cmp	eax, 3
		jz	short loc_80253F

loc_80251F:				; CODE XREF: PiPnpRtlObjectEventCompareObjects(x,x,x)+5Fj
		push	edx		; wchar_t *
		push	ecx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		js	short loc_80253B
		jg	short loc_802536

loc_80252E:				; CODE XREF: PiPnpRtlObjectEventCompareObjects(x,x,x)+12j
		push	2
		pop	eax

loc_802531:				; CODE XREF: PiPnpRtlObjectEventCompareObjects(x,x,x)+53j
					; PiPnpRtlObjectEventCompareObjects(x,x,x)+57j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_802536:				; CODE XREF: PiPnpRtlObjectEventCompareObjects(x,x,x)+20j
					; PiPnpRtlObjectEventCompareObjects(x,x,x)+2Cj	...
		xor	eax, eax
		inc	eax
		jmp	short loc_802531
; 

loc_80253B:				; CODE XREF: PiPnpRtlObjectEventCompareObjects(x,x,x)+22j
					; PiPnpRtlObjectEventCompareObjects(x,x,x)+2Aj	...
		xor	eax, eax
		jmp	short loc_802531
; 

loc_80253F:				; CODE XREF: PiPnpRtlObjectEventCompareObjects(x,x,x)+37j
		add	ecx, 8
		add	edx, 8
		jmp	short loc_80251F
_PiPnpRtlObjectEventCompareObjects@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpGetGenericStoreProperty(x, x, x, x, x, x, x, x,	x)
__PnpGetGenericStoreProperty@36	proc near ; CODE XREF: _PnpGetObjectPropertyWorker+82p
					; PiDqPnPGetObjectProperty+118BC1p ...

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6D		= dword	ptr -6Dh
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_74], 0
		and	[ebp+var_7C], 0
		and	[ebp+var_78], 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_80], edx
		mov	ecx, [ebp+arg_C]
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_84], ecx
		mov	ecx, [ebp+arg_14]
		push	esi
		and	dword ptr [edx], 0
		push	edi
		and	dword ptr [ecx], 0
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_88], eax
		mov	[ebp+var_8C], edx
		mov	[ebp+var_90], ecx
		mov	byte ptr [ebp+var_6D], 0
		test	eax, eax
		jz	short loc_8025C1
		lea	ecx, [ebp+var_94]
		push	ecx
		push	55h
		pop	edx
		mov	ecx, eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_80264A

loc_8025C1:				; CODE XREF: _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+5Cj
		push	dword ptr [edi+10h]
		movzx	eax, byte ptr [edi+0Fh]
		push	eax
		movzx	eax, byte ptr [edi+0Eh]
		push	eax
		movzx	eax, byte ptr [edi+0Dh]
		push	eax
		movzx	eax, byte ptr [edi+0Ch]
		push	eax
		movzx	eax, byte ptr [edi+0Bh]
		push	eax
		movzx	eax, byte ptr [edi+0Ah]
		push	eax
		movzx	eax, byte ptr [edi+9]
		push	eax
		movzx	eax, byte ptr [edi+8]
		push	eax
		movzx	eax, word ptr [edi+6]
		push	eax
		movzx	eax, word ptr [edi+4]
		push	eax
		push	dword ptr [edi]	; char
		lea	eax, [ebp+var_6D+1]
		push	offset ??_C@_1HE@PLLNIKMH@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4@NNGAKEGL@ ;	"{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%"...
		push	800h		; int
		push	0		; int
		push	0		; int
		push	30h		; int
		push	eax		; void *
		call	RtlStringCchPrintfExW
		mov	esi, eax
		add	esp, 48h
		test	esi, esi
		js	short loc_802640
		mov	edx, [ebp+var_80]
		lea	eax, [ebp+var_74]
		push	eax
		push	ecx
		push	0
		push	1
		lea	eax, [ebp+var_6D+1]
		mov	ecx, ebx
		push	eax
		call	_PnpOpenPropertiesKey
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_80265D

loc_80263B:				; CODE XREF: _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+154j
					; _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+15Cj
		mov	esi, 0C0000225h

loc_802640:				; CODE XREF: _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+D0j
					; _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+117j ...
		cmp	[ebp+var_74], 0
		jnz	loc_8026DE

loc_80264A:				; CODE XREF: _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+73j
					; _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+19Ej
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
; 

loc_80265D:				; CODE XREF: _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+F1j
		test	esi, esi
		js	short loc_802640
		mov	eax, [ebx+108h]
		mov	edi, [ebp+arg_10]
		mov	[ebp+var_78], edi
		test	eax, eax
		jnz	short loc_802676
		mov	eax, offset _PnpRegQueryValueIndirect

loc_802676:				; CODE XREF: _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+127j
		lea	ecx, [ebp+var_6D]
		push	ecx
		lea	ecx, [ebp+var_78]
		push	ecx
		push	[ebp+var_84]
		lea	ecx, [ebp+var_7C]
		push	ecx
		push	[ebp+var_88]
		push	[ebp+var_74]
		push	ebx
		call	eax ; _PnpRegQueryValueIndirect
		mov	ecx, eax
		cmp	ecx, 0C0000034h
		jz	short loc_80263B
		cmp	ecx, 0C000017Ch
		jz	short loc_80263B
		mov	ebx, 0C0000023h
		test	ecx, ecx
		jnz	short loc_8026EB

loc_8026AF:				; CODE XREF: _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+1A5j
		mov	edx, [ebp+var_8C]
		movzx	eax, word ptr [ebp+var_7C]
		mov	[edx], eax
		cmp	eax, 1
		jz	short loc_802640
		mov	edx, [ebp+var_90]
		mov	eax, [ebp+var_78]
		mov	[edx], eax
		test	ecx, ecx
		jnz	short loc_8026D7
		test	edi, edi
		jnz	loc_802640

loc_8026D7:				; CODE XREF: _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+185j
		mov	esi, ebx
		jmp	loc_802640
; 

loc_8026DE:				; CODE XREF: _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+FCj
		push	[ebp+var_74]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_80264A
; 

loc_8026EB:				; CODE XREF: _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+165j
		cmp	ecx, ebx
		jz	short loc_8026AF
		mov	esi, ecx
		jmp	loc_802640
__PnpGetGenericStoreProperty@36	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpOpenPropertiesKey proc near		; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+C9p
					; _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+E4p ...

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0091A02E SIZE 00000106 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	[ebp+var_88], edx
		xor	eax, eax
		mov	edx, [ebp+arg_10]
		mov	ebx, ecx
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_98], eax
		and	[ebp+var_94], eax
		and	[edx], eax
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_8C], ecx
		xor	edi, edi
		mov	[ebp+var_84], edx
		mov	[ebp+var_90], eax
		test	ecx, ecx
		jz	loc_80281D
		lea	eax, [ebp+var_94]
		mov	edx, 200h
		push	eax
		call	sub_516190
		mov	esi, eax
		test	esi, esi
		js	loc_91A02E
		mov	eax, [ebp+var_94]

loc_80276B:				; CODE XREF: _PnpOpenPropertiesKey+11793Aj
		test	esi, esi
		js	loc_8027FD
		cmp	eax, 30h
		jnb	loc_91A035
		push	3Bh
		lea	edi, [ebp+var_80]
		pop	esi

loc_802782:				; CODE XREF: _PnpOpenPropertiesKey+117956j
		push	[ebp+var_8C]
		push	offset ??_C@_1BG@COALCEMK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAi?$AAe?$AAs@NNGAKEGL@ ; char
		push	offset ??_C@_1M@DFKENGJN@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; "%s\\%s"
		push	800h		; int
		push	0		; int
		push	0		; int
		push	esi		; int
		push	edi		; void *
		call	RtlStringCchPrintfExW
		mov	esi, eax
		add	esp, 20h
		test	esi, esi
		js	short loc_8027E0
		test	ebx, ebx
		jz	loc_91A05C
		mov	ecx, [ebx+74h]

loc_8027B6:				; CODE XREF: _PnpOpenPropertiesKey+117968j
		push	[ebp+var_84]
		mov	edx, [ebp+var_88]
		push	[ebp+arg_4]
		push	0
		push	edi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jz	loc_802875
		cmp	[ebp+arg_8], 0
		jnz	short loc_802810

loc_8027DE:				; CODE XREF: _PnpOpenPropertiesKey+11Fj
		mov	esi, eax

loc_8027E0:				; CODE XREF: _PnpOpenPropertiesKey+B3j
					; _PnpOpenPropertiesKey+15Fj ...
		test	edi, edi
		jz	short loc_8027EF
		lea	eax, [ebp+var_80]
		cmp	edi, eax
		jnz	loc_91A11C

loc_8027EF:				; CODE XREF: _PnpOpenPropertiesKey+ECj
					; _PnpOpenPropertiesKey+117A2Ej
		mov	eax, [ebp+var_98]
		test	eax, eax
		jnz	loc_91A129

loc_8027FD:				; CODE XREF: _PnpOpenPropertiesKey+77j
					; _PnpOpenPropertiesKey+117961j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_802810:				; CODE XREF: _PnpOpenPropertiesKey+E6j
		cmp	eax, 0C0000034h
		jnz	short loc_8027DE
		mov	edx, [ebp+var_84]

loc_80281D:				; CODE XREF: _PnpOpenPropertiesKey+4Ej
		test	ebx, ebx
		jz	short loc_80287F
		mov	ecx, [ebx+74h]

loc_802824:				; CODE XREF: _PnpOpenPropertiesKey+18Bj
		push	edx
		push	[ebp+arg_4]
		mov	edx, [ebp+var_88]
		push	0
		push	offset ??_C@_1BG@COALCEMK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAi?$AAe?$AAs@NNGAKEGL@
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C0000034h
		jnz	short loc_80285C
		cmp	[ebp+arg_8], 0
		jnz	loc_91A063

loc_80284B:				; CODE XREF: _PnpOpenPropertiesKey+16Fj
					; _PnpOpenPropertiesKey+117A14j
		mov	esi, eax

loc_80284D:				; CODE XREF: _PnpOpenPropertiesKey+178j
					; _PnpOpenPropertiesKey+192j ...
		mov	eax, [ebp+var_90]
		test	eax, eax
		jz	short loc_8027E0
		jmp	loc_91A10F
; 

loc_80285C:				; CODE XREF: _PnpOpenPropertiesKey+149j
					; _PnpOpenPropertiesKey+1179CAj
		cmp	eax, 0C000017Ch
		jz	short loc_802883
		test	eax, eax
		js	short loc_80284B
		cmp	[ebp+var_8C], 0
		jz	short loc_80284D
		jmp	loc_91A0C5
; 

loc_802875:				; CODE XREF: _PnpOpenPropertiesKey+DCj
		mov	esi, 0C0000034h
		jmp	loc_8027E0
; 

loc_80287F:				; CODE XREF: _PnpOpenPropertiesKey+129j
		xor	ecx, ecx
		jmp	short loc_802824
; 

loc_802883:				; CODE XREF: _PnpOpenPropertiesKey+16Bj
					; _PnpOpenPropertiesKey+117A06j
		mov	esi, 0C0000034h
		jmp	short loc_80284D
_PnpOpenPropertiesKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _SysCtxRegOpenKey(x, x, x, x, x, x)
__SysCtxRegOpenKey@24 proc near		; CODE XREF: PiDqOpenUserObjectRegKey+12Ep
					; PiDqOpenUserObjectRegKey+182p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, edx
		test	ecx, ecx
		jz	short loc_8028B5
		mov	edx, [ecx+4]
		push	edx

loc_80289C:				; CODE XREF: _SysCtxRegOpenKey(x,x,x,x,x,x)+2Dj
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_RegRtlOpenKeyTransacted
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_8028B5:				; CODE XREF: _SysCtxRegOpenKey(x,x,x,x,x,x)+Cj
		push	0
		jmp	short loc_80289C
__SysCtxRegOpenKey@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_RegRtlOpenKeyTransacted proc near	; CODE XREF: _SysCtxRegOpenKey(x,x,x,x,x,x)+20p
					; _RegRtlDeleteTreeInternal+6Cp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0091A134 SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[esp+38h+var_24], edx
		xor	eax, eax
		lea	edi, [esp+38h+var_18]
		mov	ecx, 6
		mov	[esp+38h+var_20], eax
		rep stosd
		xor	esi, esi
		mov	[esp+38h+var_1C], eax
		mov	ecx, ebx
		mov	[esp+38h+var_28], esi
		call	__RegRtlIsPredefinedKey@4 ; _RegRtlIsPredefinedKey(x)
		test	al, al
		jnz	loc_80298B

loc_8028FE:				; CODE XREF: _RegRtlOpenKeyTransacted+DEj
		push	[esp+38h+var_24]
		lea	eax, [esp+3Ch+var_20]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_802976
		mov	ecx, [ebp+arg_0]
		mov	eax, ecx
		and	eax, 8
		mov	[esp+38h+var_18], 18h
		test	esi, esi
		jnz	short loc_802985
		mov	[esp+38h+var_14], ebx

loc_80292A:				; CODE XREF: _RegRtlOpenKeyTransacted+C9j
		mov	esi, [ebp+arg_C]
		neg	eax
		mov	[esp+38h+var_8], 0
		sbb	eax, eax
		mov	[esp+38h+var_4], 0
		and	eax, 100h
		add	eax, 240h
		mov	[esp+38h+var_C], eax
		lea	eax, [esp+38h+var_20]
		mov	[esp+38h+var_10], eax
		lea	eax, [esp+38h+var_18]
		test	esi, esi
		jnz	loc_91A134
		push	ecx
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_8]
		call	_ZwOpenKeyEx@16	; ZwOpenKeyEx(x,x,x,x)
		mov	edi, eax

loc_802972:				; CODE XREF: _RegRtlOpenKeyTransacted+D8j
					; _RegRtlOpenKeyTransacted+11788Cj ...
		mov	esi, [esp+38h+var_28]

loc_802976:				; CODE XREF: _RegRtlOpenKeyTransacted+50j
		test	esi, esi
		jnz	short loc_8029A3

loc_80297A:				; CODE XREF: _RegRtlOpenKeyTransacted+E9j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_802985:				; CODE XREF: _RegRtlOpenKeyTransacted+64j
		mov	[esp+38h+var_14], esi
		jmp	short loc_80292A
; 

loc_80298B:				; CODE XREF: _RegRtlOpenKeyTransacted+38j
		lea	edx, [esp+38h+var_28]
		call	_RegRtlOpenPredefinedKey
		mov	edi, eax
		test	edi, edi
		js	short loc_802972
		mov	esi, [esp+38h+var_28]
		jmp	loc_8028FE
; 

loc_8029A3:				; CODE XREF: _RegRtlOpenKeyTransacted+B8j
		push	esi
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_80297A
_RegRtlOpenKeyTransacted endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall _RegRtlIsPredefinedKey(x)
__RegRtlIsPredefinedKey@4 proc near	; CODE XREF: _RegRtlCreateKeyTransacted+27p
					; _RegRtlOpenKeyTransacted+31p	...
		cmp	ecx, 80000002h
		jz	short loc_8029EF
		cmp	ecx, 80000003h
		jz	short loc_8029EF
		cmp	ecx, 80000000h
		jz	short loc_8029EF
		cmp	ecx, 80000001h
		jz	short loc_8029EF
		cmp	ecx, 80000004h
		jz	short loc_8029EF
		cmp	ecx, 80000005h
		jz	short loc_8029EF
		cmp	ecx, 80000006h
		jz	short loc_8029EF
		cmp	ecx, 80000007h
		jz	short loc_8029EF
		xor	al, al
		retn
; 

loc_8029EF:				; CODE XREF: _RegRtlIsPredefinedKey(x)+6j
					; _RegRtlIsPredefinedKey(x)+Ej	...
		mov	al, 1
		retn
__RegRtlIsPredefinedKey@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDmCacheDataDecode proc near		; CODE XREF: PiDmObjectGetCachedObjectPropertyData+8Cp
					; PiDmObjectProcessPropertyChange+119p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0091A17A SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx]
		push	ebx
		xor	ebx, ebx
		dec	eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		sub	eax, 1
		jnz	short loc_802A1D
		mov	ebx, 0C0000225h

loc_802A14:				; CODE XREF: PiDmCacheDataDecode+9Fj
					; PiDmCacheDataDecode+CBj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_802A1D:				; CODE XREF: PiDmCacheDataDecode+1Bj
		sub	eax, 1
		jz	loc_802AC2
		sub	eax, 1
		jz	loc_91A184
		sub	eax, 1
		jz	loc_802AE5
		sub	eax, 1
		jnz	loc_91A17A
		mov	eax, [ecx+4]
		push	0Dh
		pop	esi
		cmp	eax, esi
		jz	short loc_802A93
		push	12h
		pop	esi
		cmp	eax, esi
		jnz	loc_91A17A
		mov	[edx], esi
		mov	eax, [ecx+8]
		mov	edx, [eax+0Ch]
		lea	esi, [edx+2]

loc_802A61:				; CODE XREF: PiDmCacheDataDecode+78j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, bx
		jnz	short loc_802A61
		mov	eax, [ebp+arg_8]
		sub	edx, esi
		sar	edx, 1
		lea	edx, ds:2[edx*2]
		mov	[eax], edx
		cmp	[ebp+arg_4], edx
		jb	short loc_802ADB
		mov	eax, [ecx+8]
		push	edx		; size_t
		push	dword ptr [eax+0Ch] ; void *

loc_802A88:				; CODE XREF: PiDmCacheDataDecode+E7j
					; PiDmCacheDataDecode+109j
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_802A14
; 

loc_802A93:				; CODE XREF: PiDmCacheDataDecode+57j
		mov	eax, [ebp+arg_8]
		mov	[edx], esi
		push	10h
		pop	edx
		mov	[eax], edx
		cmp	[ebp+arg_4], edx
		jb	short loc_802ADB
		mov	eax, [ecx+8]
		push	dword ptr [eax+0Ch]
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	ebx, eax
		jmp	loc_802A14
; 

loc_802AC2:				; CODE XREF: PiDmCacheDataDecode+2Ej
		mov	eax, [ecx+4]
		mov	[edx], eax
		mov	eax, [ebp+arg_8]
		mov	edx, [ecx+8]
		mov	[eax], edx
		cmp	[ebp+arg_4], edx
		jb	short loc_802ADB
		push	edx
		lea	eax, [ecx+0Ch]
		push	eax
		jmp	short loc_802A88
; 

loc_802ADB:				; CODE XREF: PiDmCacheDataDecode+8Dj
					; PiDmCacheDataDecode+AEj ...
		mov	ebx, 0C0000023h
		jmp	loc_802A14
; 

loc_802AE5:				; CODE XREF: PiDmCacheDataDecode+40j
		mov	eax, [ecx+4]
		mov	[edx], eax
		mov	eax, [ebp+arg_8]
		mov	edx, [ecx+8]
		mov	[eax], edx
		cmp	[ebp+arg_4], edx
		jb	short loc_802ADB
		push	edx
		push	dword ptr [ecx+0Ch]
		jmp	short loc_802A88
PiDmCacheDataDecode endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnpFreeDevProperty(x, x)
_PnpFreeDevProperty@8 proc near		; CODE XREF: PnpFreeDevPropertyArray(x,x,x)+17p
					; PiDqPnPGetObjectPropertyInBestLocale(x,x,x,x,x,x,x)+4Ep ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	eax, [edi+18h]
		test	eax, eax
		jz	short loc_802B14
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_802B14:				; CODE XREF: PnpFreeDevProperty(x,x)+Dj
		mov	eax, [edi+24h]
		test	eax, eax
		jnz	short loc_802B1E

loc_802B1B:				; CODE XREF: PnpFreeDevProperty(x,x)+27j
		pop	edi
		pop	esi
		retn
; 

loc_802B1E:				; CODE XREF: PnpFreeDevProperty(x,x)+1Bj
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_802B1B
_PnpFreeDevProperty@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAccessCheckFromState(x,	x, x)
_EtwpAccessCheckFromState@12 proc near	; CODE XREF: EtwpAddRegEntryToGroup+381p
					; EtwpAddRegEntryToGroup+EEFACp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		xor	esi, esi
		lea	edx, [ebp+var_4]
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], esi
		call	_EtwpGetSecurityDescriptorByGuid@8 ; EtwpGetSecurityDescriptorByGuid(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	1
		push	offset _EtwpGenericMapping
		push	esi
		push	esi
		push	80h
		push	esi
		push	[ebp+arg_0]
		push	[ebp+var_4]
		call	SeAccessCheckFromState
		lea	ecx, [ebp+var_4]
		call	_EtwpFreeSecurityDescriptor@4 ;	EtwpFreeSecurityDescriptor(x)
		mov	eax, [ebp+var_8]
		pop	esi
		leave
		retn	4
_EtwpAccessCheckFromState@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpFreeSecurityDescriptor(x)
_EtwpFreeSecurityDescriptor@4 proc near	; CODE XREF: EtwpAllocGuidEntry+9Bp
					; EtwpStartLogger+6D0p	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_802B8C
		cmp	eax, _EtwpDefaultTraceSecurityDescriptor
		jnz	short loc_802B8E

loc_802B89:				; CODE XREF: EtwpFreeSecurityDescriptor(x)+1Ej
					; EtwpFreeSecurityDescriptor(x)+28j
		and	dword ptr [esi], 0

loc_802B8C:				; CODE XREF: EtwpFreeSecurityDescriptor(x)+9j
		pop	esi
		retn
; 

loc_802B8E:				; CODE XREF: EtwpFreeSecurityDescriptor(x)+11j
		cmp	eax, ds:_WmipDefaultAccessSd
		jz	short loc_802B89
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_802B89
_EtwpFreeSecurityDescriptor@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetSecurityDescriptorByGuid(x, x)
_EtwpGetSecurityDescriptorByGuid@8 proc	near ; CODE XREF: EtwpAllocGuidEntry+7Dp
					; EtwpStartLogger+39Bp	...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= word ptr -50h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		movzx	eax, byte ptr [ecx+0Fh]
		push	esi
		push	eax
		movzx	eax, byte ptr [ecx+0Eh]
		mov	esi, edx
		push	eax
		movzx	eax, byte ptr [ecx+0Dh]
		push	eax
		movzx	eax, byte ptr [ecx+0Ch]
		push	eax
		movzx	eax, byte ptr [ecx+0Bh]
		push	eax
		movzx	eax, byte ptr [ecx+0Ah]
		push	eax
		movzx	eax, byte ptr [ecx+9]
		and	[ebp+var_58], 0
		and	[ebp+var_54], 0
		push	eax
		movzx	eax, byte ptr [ecx+8]
		push	eax
		movzx	eax, word ptr [ecx+6]
		push	eax
		movzx	eax, word ptr [ecx+4]
		push	eax
		push	dword ptr [ecx]	; char
		lea	eax, [ebp+var_50]
		push	offset ??_C@_1GC@MIJCAPDC@?$AA?$CF?$AA0?$AA8?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9@NNGAKEGL@ ; wchar_t *
		push	4Ch		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 38h
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, esi
		lea	ecx, [ebp+var_58]
		call	EtwpGetGuidSecurityDescriptor
		cmp	dword ptr [esi], 0
		jnz	short loc_802C36
		mov	eax, _EtwpDefaultTraceSecurityDescriptor
		mov	[esi], eax
		xor	al, al

loc_802C29:				; CODE XREF: EtwpGetSecurityDescriptorByGuid(x,x)+98j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_802C36:				; CODE XREF: EtwpGetSecurityDescriptorByGuid(x,x)+7Ej
		mov	al, 1
		jmp	short loc_802C29
_EtwpGetSecurityDescriptorByGuid@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpGetGuidSecurityDescriptor proc near	; CODE XREF: EtwpGetSecurityDescriptorByGuid(x,x)+76p
					; EtwpInitializeSecurity+E4p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0091A1A7 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	eax, edx
		xor	esi, esi
		and	[ebp+var_C], esi
		mov	ebx, ecx
		push	edi
		mov	edi, 200h
		mov	[ebp+var_10], eax
		and	[eax], esi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], edi

loc_802C5E:				; CODE XREF: EtwpGetGuidSecurityDescriptor+D2j
		test	esi, esi
		jnz	loc_802CF9

loc_802C66:				; CODE XREF: EtwpGetGuidSecurityDescriptor+C7j
		push	50777445h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_91A1A7
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	esi		; void *
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	edi		; int
		push	ebx		; int
		push	_EtwpSecurityKeyHandle ; int
		push	_EtwpMutableSecurityKeyHandle ;	int
		call	RtlQueryRegistryValueWithFallback
		mov	ebx, eax
		cmp	ebx, 80000005h
		jz	short loc_802D06
		cmp	ebx, 0C0000023h
		jz	short loc_802D06
		mov	edi, [ebp+var_4]

loc_802CAE:				; CODE XREF: EtwpGetGuidSecurityDescriptor+117572j
		test	ebx, ebx
		jns	short loc_802CC5

loc_802CB2:				; CODE XREF: EtwpGetGuidSecurityDescriptor+8Fj
					; EtwpGetGuidSecurityDescriptor+BDj ...
		test	esi, esi
		jz	short loc_802CBE
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_802CBE:				; CODE XREF: EtwpGetGuidSecurityDescriptor+7Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_802CC5:				; CODE XREF: EtwpGetGuidSecurityDescriptor+76j
		cmp	[ebp+var_C], 3
		jnz	short loc_802CB2
		push	esi
		push	edi
		call	_SeValidSecurityDescriptor@8 ; SeValidSecurityDescriptor(x,x)
		test	al, al
		jz	short loc_802D18
		push	50777445h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_10]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_802D11
		push	edi		; size_t
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_802CB2
; 

loc_802CF9:				; CODE XREF: EtwpGetGuidSecurityDescriptor+26j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_802C66
; 

loc_802D06:				; CODE XREF: EtwpGetGuidSecurityDescriptor+67j
					; EtwpGetGuidSecurityDescriptor+6Fj
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+var_8]
		jmp	loc_802C5E
; 

loc_802D11:				; CODE XREF: EtwpGetGuidSecurityDescriptor+B0j
		mov	ebx, 0C000009Ah
		jmp	short loc_802CB2
; 

loc_802D18:				; CODE XREF: EtwpGetGuidSecurityDescriptor+9Aj
		mov	ebx, 0C0000079h
		jmp	short loc_802CB2
EtwpGetGuidSecurityDescriptor endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2296. RtlQueryRegistryValueWithFallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlQueryRegistryValueWithFallback(int,int,int,int,int,void *,int)
		public RtlQueryRegistryValueWithFallback
RtlQueryRegistryValueWithFallback proc near ; CODE XREF: EtwpGetGuidSecurityDescriptor+5Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 0091A1B1 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		cmp	[ebp+arg_0], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		jnz	short loc_802D40
		test	ebx, ebx
		jz	loc_91A1B1

loc_802D40:				; CODE XREF: RtlQueryRegistryValueWithFallback+12j
		mov	edx, [ebp+arg_C]
		lea	eax, [ebp+arg_4]
		push	esi
		push	10h
		pop	ecx
		push	eax
		mov	[ebp+arg_4], ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_802DB0
		push	edi
		push	6D6C7472h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_91A1BB
		cmp	[ebp+arg_0], 0
		mov	esi, 0C0000034h
		jnz	loc_91A1C5

loc_802D82:				; CODE XREF: RtlQueryRegistryValueWithFallback+1174C4j
		test	ebx, ebx
		jz	short loc_802DA7
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	edi
		push	2
		push	[ebp+arg_8]
		push	ebx
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax

loc_802D9B:				; CODE XREF: RtlQueryRegistryValueWithFallback+1174BEj
		test	esi, esi
		jns	short loc_802DB8
		cmp	esi, 80000005h
		jz	short loc_802DB8

loc_802DA7:				; CODE XREF: RtlQueryRegistryValueWithFallback+60j
					; RtlQueryRegistryValueWithFallback+AAj ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_802DAF:				; CODE XREF: RtlQueryRegistryValueWithFallback+11749Cj
		pop	edi

loc_802DB0:				; CODE XREF: RtlQueryRegistryValueWithFallback+33j
		mov	eax, esi
		pop	esi

loc_802DB3:				; CODE XREF: RtlQueryRegistryValueWithFallback+117492j
		pop	ebx
		leave
		retn	1Ch
; 

loc_802DB8:				; CODE XREF: RtlQueryRegistryValueWithFallback+79j
					; RtlQueryRegistryValueWithFallback+81j
		mov	eax, [ebp+arg_18]
		mov	ecx, [edi+8]
		mov	[eax], ecx
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_802DCC
		mov	eax, [edi+4]
		mov	[ecx], eax

loc_802DCC:				; CODE XREF: RtlQueryRegistryValueWithFallback+A1j
		test	esi, esi
		js	short loc_802DA7
		push	dword ptr [edi+8] ; size_t
		lea	eax, [edi+0Ch]
		push	eax		; void *
		push	[ebp+arg_14]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_802DA7
RtlQueryRegistryValueWithFallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpCompareInstancePath(x, x, x)
_PnpCompareInstancePath@12 proc	near	; DATA XREF: PnpInitializeDeviceReferenceTable()+30o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		push	1
		push	dword ptr [eax+4]
		mov	eax, [ebp+arg_4]
		push	dword ptr [eax+4]
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		mov	ecx, eax
		xor	eax, eax
		test	ecx, ecx
		js	short loc_802E08
		setle	al
		inc	eax

loc_802E08:				; CODE XREF: PnpCompareInstancePath(x,x,x)+1Ej
		pop	ebp
		retn	0Ch
_PnpCompareInstancePath@12 endp


;  S U B	R O U T	I N E 


_CmMapCmObjectTypeToPnpObjectType proc near
					; CODE XREF: PiDmObjectUpdateCachedCmProperty(x,x,x,x,x,x,x)+82p
					; PiDmObjectGetCachedCmProperty(x,x,x,x,x,x,x)+81p ...

; FUNCTION CHUNK AT 0091A1ED SIZE 0000000C BYTES

		sub	ecx, 1
		jnz	short loc_802E15
		xor	eax, eax
		inc	eax
		retn
; 

loc_802E15:				; CODE XREF: _CmMapCmObjectTypeToPnpObjectType+3j
		sub	ecx, 1
		jnz	short loc_802E1E
		push	2
		pop	eax
		retn
; 

loc_802E1E:				; CODE XREF: _CmMapCmObjectTypeToPnpObjectType+Cj
		sub	ecx, 1
		jz	short loc_802E39
		sub	ecx, 1
		jz	short loc_802E35
		sub	ecx, 1
		jnz	loc_91A1ED
		push	5
		pop	eax
		retn
; 

loc_802E35:				; CODE XREF: _CmMapCmObjectTypeToPnpObjectType+1Aj
		push	4
		pop	eax
		retn
; 

loc_802E39:				; CODE XREF: _CmMapCmObjectTypeToPnpObjectType+15j
		push	3
		pop	eax
		retn
_CmMapCmObjectTypeToPnpObjectType endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmObjectUpdateCachedCmProperty(x,	x, x, x, x, x, x)
_PiDmObjectUpdateCachedCmProperty@28 proc near ; CODE XREF: PiPnpRtlCmActionCallback+114p
					; PiPnpRtlCmActionCallback+3DCp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		mov	esi, edx
		mov	edx, [ebp+arg_C]
		stosd
		stosd
		stosd
		xor	edi, edi
		cmp	[ebp+arg_4], 9
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		jz	short loc_802E7E

loc_802E6E:				; CODE XREF: PiDmObjectUpdateCachedCmProperty(x,x,x,x,x,x,x)+43j
					; PiDmObjectUpdateCachedCmProperty(x,x,x,x,x,x,x)+4Dj ...
		mov	ecx, [ebp+var_8]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_802E7E:				; CODE XREF: PiDmObjectUpdateCachedCmProperty(x,x,x,x,x,x,x)+2Ej
		cmp	ecx, 1
		jnz	short loc_802E6E
		cmp	[ebp+arg_10], edi
		jz	short loc_802ED0
		cmp	[ebp+arg_8], ecx
		jnz	short loc_802E6E
		cmp	[ebp+arg_10], 2
		jb	short loc_802E6E
		push	edx
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	short loc_802E6E
		push	10h		; int
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	0Dh		; int

loc_802EB6:				; CODE XREF: PiDmObjectUpdateCachedCmProperty(x,x,x,x,x,x,x)+95j
		push	offset _DEVPKEY_Device_ClassGuid ; void	*
		push	edi		; int
		push	ecx		; int
		xor	ecx, ecx
		inc	ecx
		call	_CmMapCmObjectTypeToPnpObjectType
		mov	edx, esi
		mov	ecx, eax
		call	PiDmObjectUpdateCachedObjectProperty
		jmp	short loc_802E6E
; 

loc_802ED0:				; CODE XREF: PiDmObjectUpdateCachedCmProperty(x,x,x,x,x,x,x)+48j
		push	edi
		push	edi
		push	edi
		jmp	short loc_802EB6
_PiDmObjectUpdateCachedCmProperty@28 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmpCompareNewValueDataAgainstKCBCache(int,void *Source2,int)
_CmpCompareNewValueDataAgainstKCBCache@20 proc near
					; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+483p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_6		= dword	ptr -6
arg_0		= dword	ptr  8
Source2		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		or	[ebp+var_18], 0FFFFFFFFh
		lea	eax, [ebp+var_C]
		or	[ebp+var_20], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	ecx, ecx
		push	eax
		push	ecx
		push	ecx
		mov	byte ptr [ebp+var_6], cl
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	byte ptr [ebp+var_6+1],	cl
		mov	[ebp+var_C], ecx
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebx+10h]
		push	edx
		lea	edx, [ebx+30h]
		call	_CmpFindNameInListWithStatus@24	; CmpFindNameInListWithStatus(x,x,x,x,x,x)
		test	eax, eax
		js	loc_802FB0
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_20]
		push	ecx
		push	[ebp+var_C]
		push	eax
		call	dword ptr [eax+4]
		mov	ecx, eax
		test	byte ptr [ecx+10h], 2
		jnz	loc_802FF8
		mov	eax, [ebp+arg_0]
		cmp	eax, [ecx+0Ch]
		jnz	loc_802FF8
		mov	edx, [ecx+4]
		mov	eax, edx
		mov	esi, [ebp+arg_8]
		and	eax, 7FFFFFFFh
		cmp	esi, eax
		jnz	loc_802FF8
		test	esi, esi
		jz	loc_802FF4
		mov	edi, 80000000h
		lea	eax, [edx-80000000h]
		cmp	edx, edi
		jnb	short loc_802F6D
		mov	eax, edx

loc_802F6D:				; CODE XREF: CmpCompareNewValueDataAgainstKCBCache(x,x,x,x,x)+93j
		mov	[ebp+arg_0], eax
		jb	short loc_802FB5
		lea	edi, [ecx+8]

loc_802F75:				; CODE XREF: CmpCompareNewValueDataAgainstKCBCache(x,x,x,x,x)+104j
		mov	eax, esi
		and	eax, 7FFFFFFFh
		push	eax		; Length
		push	[ebp+Source2]	; Source2
		push	edi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		mov	esi, eax
		sub	esi, [ebp+arg_8]
		neg	esi
		sbb	esi, esi
		and	esi, 2

loc_802F92:				; CODE XREF: CmpCompareNewValueDataAgainstKCBCache(x,x,x,x,x)+109j
		test	edi, edi
		jz	short loc_802F9C
		cmp	byte ptr [ebp+var_6+1],	0
		jnz	short loc_802FE1

loc_802F9C:				; CODE XREF: CmpCompareNewValueDataAgainstKCBCache(x,x,x,x,x)+BEj
					; CmpCompareNewValueDataAgainstKCBCache(x,x,x,x,x)+11Cj ...
		mov	ecx, [ebx+10h]
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		call	dword ptr [ecx+8]

loc_802FA7:				; CODE XREF: CmpCompareNewValueDataAgainstKCBCache(x,x,x,x,x)+DDj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_802FB0:				; CODE XREF: CmpCompareNewValueDataAgainstKCBCache(x,x,x,x,x)+3Dj
		push	2
		pop	esi
		jmp	short loc_802FA7
; 

loc_802FB5:				; CODE XREF: CmpCompareNewValueDataAgainstKCBCache(x,x,x,x,x)+9Aj
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_6]
		mov	byte ptr [ebp+var_6+1],	1
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		push	ecx
		mov	ecx, [ebx+10h]
		call	CmpGetValueData
		mov	edi, [ebp+var_10]
		test	al, al
		jnz	short loc_802F75
		push	2
		pop	esi
		jmp	short loc_802F92
; 

loc_802FE1:				; CODE XREF: CmpCompareNewValueDataAgainstKCBCache(x,x,x,x,x)+C4j
		cmp	byte ptr [ebp+var_6], 1
		jz	short loc_802FFD
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_18]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		jmp	short loc_802F9C
; 

loc_802FF4:				; CODE XREF: CmpCompareNewValueDataAgainstKCBCache(x,x,x,x,x)+80j
		xor	esi, esi
		jmp	short loc_802F9C
; 

loc_802FF8:				; CODE XREF: CmpCompareNewValueDataAgainstKCBCache(x,x,x,x,x)+57j
					; CmpCompareNewValueDataAgainstKCBCache(x,x,x,x,x)+63j	...
		push	2
		pop	esi
		jmp	short loc_802F9C
; 

loc_802FFD:				; CODE XREF: CmpCompareNewValueDataAgainstKCBCache(x,x,x,x,x)+10Fj
		push	0
		push	edi

loc_803000:				; DATA XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8EFo
					; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+486o ...
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_802F9C
_CmpCompareNewValueDataAgainstKCBCache@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindNameInListWithStatus(x, x, x, x, x, x)
_CmpFindNameInListWithStatus@24	proc near ; CODE XREF: CmpGetSymbolicLinkTarget+59Fp
					; CmpGetSymbolicLinkTarget+A4Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, edx
		xor	eax, eax
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edi
		mov	esi, ecx
		or	[ebp+var_8], 0FFFFFFFFh
		mov	word ptr [ebp+var_4], ax
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_80303F
		mov	eax, [ebx+4]
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		mov	eax, [ebx]

loc_80303F:				; CODE XREF: CmpFindNameInListWithStatus(x,x,x,x,x,x)+25j
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	eax
		call	CmpFindNameInListCellWithStatus
		mov	ebx, eax
		test	edi, edi
		jz	short loc_803063
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_803063:				; CODE XREF: CmpFindNameInListWithStatus(x,x,x,x,x,x)+51j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
_CmpFindNameInListWithStatus@24	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFindNameInListCellWithStatus	proc near
					; CODE XREF: CmpFindNameInListWithStatus(x,x,x,x,x,x)+48p
					; CmpValueEnumStackMatchingValueInUpperLayer(x,x,x,x)+65p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0091A1F9 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		xor	eax, eax
		mov	[ebp+var_20], 0
		push	ebx
		mov	word ptr [ebp+var_20], ax
		mov	ebx, ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_24], 0
		mov	[ebp+var_10], edx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_24], 0FFFFFFFFh
		push	esi
		push	edi
		test	eax, eax
		jz	loc_8031F1
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	eax, eax
		jz	loc_803192
		mov	esi, [ebp+arg_8]
		and	esi, 10000h
		mov	[ebp+arg_8], esi

loc_8030C2:				; CODE XREF: CmpFindNameInListCellWithStatus+11Cj
		mov	eax, [edx+edi*4]
		lea	ecx, [ebp+var_24]
		push	ecx
		push	eax
		mov	eax, [ebx+4]
		push	ebx
		call	eax
		test	byte ptr [eax+10h], 1
		lea	ebx, [eax+14h]
		movzx	edx, word ptr [eax+2]
		mov	[ebp+var_28], ebx
		mov	word ptr [ebp+var_2C], dx
		mov	word ptr [ebp+var_2C+2], dx
		jz	loc_803215
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+4]
		test	esi, esi
		jnz	loc_91A1F9
		mov	ax, [eax]
		mov	esi, edx
		shr	ax, 1
		movzx	edi, ax
		test	di, di
		jz	short loc_80313E
		lea	ebx, [ebx+0]

loc_803110:				; CODE XREF: CmpFindNameInListCellWithStatus+CCj
		test	si, si
		jz	short loc_80313E
		movzx	edx, word ptr [ecx]
		add	ecx, 2
		movzx	eax, byte ptr [ebx]
		inc	ebx
		mov	[ebp+var_8], edx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], eax
		cmp	dx, ax
		jnz	short loc_80314B

loc_80312D:				; CODE XREF: CmpFindNameInListCellWithStatus+1C5j
		add	edi, 0FFFFh
		add	esi, 0FFFFh
		test	di, di
		jnz	short loc_803110

loc_80313E:				; CODE XREF: CmpFindNameInListCellWithStatus+98j
					; CmpFindNameInListCellWithStatus+A3j
		movzx	eax, si
		movzx	esi, di
		mov	edi, [ebp+var_C]
		sub	esi, eax
		jmp	short loc_80316C
; 

loc_80314B:				; CODE XREF: CmpFindNameInListCellWithStatus+BBj
		cmp	edx, 61h
		jnb	short loc_8031AB

loc_803150:				; CODE XREF: CmpFindNameInListCellWithStatus+14Dj
					; CmpFindNameInListCellWithStatus+1ECj
		cmp	ax, 61h
		jnb	short loc_8031BF

loc_803156:				; CODE XREF: CmpFindNameInListCellWithStatus+15Aj
					; CmpFindNameInListCellWithStatus+1D7j
		movzx	eax, ax
		movzx	ecx, dx
		sub	ecx, eax
		mov	[ebp+var_14], ecx
		jz	loc_803232
		mov	edi, [ebp+var_C]
		mov	esi, ecx

loc_80316C:				; CODE XREF: CmpFindNameInListCellWithStatus+D9j
					; CmpFindNameInListCellWithStatus+1BDj	...
		mov	ebx, [ebp+var_1C]
		lea	eax, [ebp+var_24]
		push	eax
		push	ebx
		mov	eax, [ebx+8]
		call	eax
		mov	edx, [ebp+var_10]
		test	esi, esi
		jz	short loc_8031CC
		mov	eax, [ebp+arg_0]
		inc	edi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_C], edi
		cmp	edi, eax
		jb	loc_8030C2

loc_803192:				; CODE XREF: CmpFindNameInListCellWithStatus+40j
		mov	ecx, [ebp+arg_10]
		mov	dword ptr [ecx], 0FFFFFFFFh
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_8031A4
		mov	[ecx], eax

loc_8031A4:				; CODE XREF: CmpFindNameInListCellWithStatus+130j
		mov	eax, 0C0000034h
		jmp	short loc_8031DD
; 

loc_8031AB:				; CODE XREF: CmpFindNameInListCellWithStatus+DEj
		cmp	edx, 7Ah
		ja	loc_80324C
		add	edx, 0FFE0h
		mov	[ebp+var_8], edx
		jmp	short loc_803150
; 

loc_8031BF:				; CODE XREF: CmpFindNameInListCellWithStatus+E4j
		cmp	ax, 7Ah
		ja	short loc_80323A
		add	eax, 0FFE0h
		jmp	short loc_803156
; 

loc_8031CC:				; CODE XREF: CmpFindNameInListCellWithStatus+10Ej
		mov	ecx, [ebp+arg_10]
		xor	eax, eax
		mov	edx, [edx+edi*4]
		mov	[ecx], edx
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jnz	short loc_8031E6

loc_8031DD:				; CODE XREF: CmpFindNameInListCellWithStatus+139j
					; CmpFindNameInListCellWithStatus+194j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8031E6:				; CODE XREF: CmpFindNameInListCellWithStatus+16Bj
		mov	[ecx], edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8031F1:				; CODE XREF: CmpFindNameInListCellWithStatus+33j
		mov	ecx, [ebp+arg_10]
		mov	eax, 0C0000034h
		mov	dword ptr [ecx], 0FFFFFFFFh
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_8031DD
		pop	edi
		pop	esi
		mov	dword ptr [ecx], 0
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_803215:				; CODE XREF: CmpFindNameInListCellWithStatus+76j
		test	esi, esi
		jnz	loc_91A208
		push	1
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+arg_4]
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)

loc_80322B:				; CODE XREF: CmpFindNameInListCellWithStatus+117193j
		mov	esi, eax
		jmp	loc_80316C
; 

loc_803232:				; CODE XREF: CmpFindNameInListCellWithStatus+F1j
		mov	ecx, [ebp+var_18]
		jmp	loc_80312D
; 

loc_80323A:				; CODE XREF: CmpFindNameInListCellWithStatus+153j
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	edx, [ebp+var_8]
		movzx	eax, ax
		jmp	loc_803156
; 

loc_80324C:				; CODE XREF: CmpFindNameInListCellWithStatus+13Ej
		mov	ecx, edx
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		movzx	edx, ax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_8], edx
		jmp	loc_803150
CmpFindNameInListCellWithStatus	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSetValueKey	proc near		; CODE XREF: ExpWatchProductTypeWork+272p
					; ExpWatchProductTypeWork+2C5p	...

var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_F0		= dword	ptr -0F0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_95		= byte ptr -95h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= byte ptr -84h
var_83		= byte ptr -83h
var_82		= byte ptr -82h
var_81		= byte ptr -81h
var_80		= dword	ptr -80h
var_60		= dword	ptr -60h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0091A225 SIZE 0000019F BYTES
; FUNCTION CHUNK AT 0091A40F SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5498
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 108h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_B8], eax
		mov	esi, [ebp+arg_4]
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_9C], eax
		mov	[ebp+var_90], 0
		mov	[ebp+var_8C], 0
		mov	[ebp+var_D8], 0
		mov	[ebp+var_D4], 0
		mov	ecx, 8
		xor	eax, eax
		lea	edi, [ebp+var_80]
		rep stosd
		mov	[ebp+var_C8], eax
		cmp	ds:_CmpTraceRoutine, eax
		jnz	loc_91A225

loc_803306:				; CODE XREF: NtSetValueKey+116FC2j
		xor	al, al
		mov	[ebp+var_81], al
		mov	[ebp+var_84], al
		mov	[ebp+var_A0], 0
		xor	bh, bh
		mov	[ebp+var_82], bh
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_CC], eax
		mov	[ebp+var_D0], eax
		mov	ecx, 9
		xor	eax, eax
		lea	edi, [ebp+var_114]
		rep stosd
		push	eax
		lea	eax, [ebp+var_90]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_AC], 0
		mov	[ebp+var_DC], 0
		mov	[ebp+var_B4], 0
		mov	[ebp+var_B0], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_83], al
		mov	byte ptr [ebp+var_A4], al
		xor	bl, bl
		xor	eax, eax
		lea	edi, [ebp+var_F0]
		stosd
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	[ebp+var_95], al
		test	al, al
		jz	loc_91A237

loc_8033C8:				; CODE XREF: NtSetValueKey+116FDBj
		lea	eax, [ebp+var_D8]
		push	eax
		lea	eax, [ebp+var_A0]
		push	eax
		push	[ebp+var_A4]
		push	ecx
		mov	edx, 2
		mov	ecx, [ebp+var_B8]
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_88], edi
		cmp	edi, 0C0000022h
		jz	loc_80392C

loc_803401:				; CODE XREF: NtSetValueKey+11703Bj
		mov	bl, bh
		test	edi, edi
		js	loc_8036E2
		cmp	ds:_CmpTraceRoutine, 0
		jnz	loc_91A2B0

loc_803418:				; CODE XREF: NtSetValueKey+117048j
					; NtSetValueKey+117057j
		mov	[ebp+var_4], 0
		mov	cl, [ebp+var_83]
		cmp	cl, 1
		jnz	loc_803831
		mov	[ebp+var_C0], 0
		mov	[ebp+var_BC], 0
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_91A2CC

loc_80344F:				; CODE XREF: NtSetValueKey+11705Ej
		nop
		mov	ecx, [esi]
		mov	[ebp+var_C0], ecx
		mov	edi, [esi+4]
		mov	[ebp+var_BC], edi
		mov	eax, [ebp+var_C0]
		mov	[ebp+var_90], eax
		mov	[ebp+var_8C], edi
		mov	word ptr [ebp+var_90+2], cx
		mov	bx, word ptr [ebp+var_90]
		test	bx, bx
		jz	short loc_8034AE
		test	byte ptr [ebp+var_8C], 1
		jnz	loc_803983
		movzx	eax, bx
		add	eax, edi
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_91A2D3
		cmp	eax, edi
		jb	loc_91A2D3

loc_8034AE:				; CODE XREF: NtSetValueKey+214j
					; NtSetValueKey+117073j
		mov	esi, [ebp+arg_14]
		mov	eax, [ebp+var_9C]
		mov	[ebp+var_A4], eax
		test	esi, esi
		jz	short loc_8034DA
		lea	ecx, [eax+esi]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	loc_91A2E8
		cmp	ecx, eax
		jb	loc_91A2E8

loc_8034DA:				; CODE XREF: NtSetValueKey+24Fj
					; NtSetValueKey+117088j
		mov	cl, [ebp+var_83]

loc_8034E0:				; CODE XREF: NtSetValueKey+608j
					; NtSetValueKey+6B7j
		mov	eax, 7FFFh
		cmp	bx, ax
		ja	loc_91A2FD
		test	byte ptr [ebp+var_90], 1
		jnz	loc_91A2FD
		cmp	esi, 7FFFF000h
		ja	loc_91A2FD
		movzx	eax, bx
		mov	[ebp+var_94], eax
		add	eax, 7
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_C4], eax
		add	eax, esi
		cmp	eax, esi
		jb	loc_91A2FD
		movsx	eax, cl
		mov	[ebp+var_BC], eax
		mov	edx, edi
		mov	ecx, eax
		call	_CmpDoesBufferRequireCapturing@8 ; CmpDoesBufferRequireCapturing(x,x)
		test	al, al
		jz	loc_80387D

loc_803540:				; CODE XREF: NtSetValueKey+626j
		mov	ecx, [ebp+var_C4]
		lea	eax, [ecx+esi]
		test	eax, eax
		jz	loc_91A337
		cmp	eax, 40h
		ja	loc_8037A7

loc_80355A:				; CODE XREF: NtSetValueKey+554j
					; NtSetValueKey+593j
		lea	eax, [ebp+var_60]
		mov	[ebp+var_AC], eax

loc_803563:				; CODE XREF: NtSetValueKey+63Cj
		add	eax, ecx

loc_803565:				; CODE XREF: NtSetValueKey+5B0j
					; NtSetValueKey+645j ...
		mov	[ebp+var_94], eax
		test	bx, bx
		jz	loc_8038D5
		movzx	eax, bx
		push	eax		; size_t
		push	edi		; void *
		mov	edi, [ebp+var_AC]
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_8C], edi
		mov	bx, word ptr [ebp+var_90]

loc_803595:				; CODE XREF: NtSetValueKey+66Dj
		test	esi, esi
		jz	loc_8038E2
		push	esi		; size_t
		push	[ebp+var_A4]	; void *
		mov	ebx, [ebp+var_94]
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_9C], ebx
		mov	edi, [ebp+var_8C]
		mov	bx, word ptr [ebp+var_90]

loc_8035C6:				; CODE XREF: NtSetValueKey+620j
					; NtSetValueKey+67Cj
		mov	[ebp+var_4], 0FFFFFFFEh
		test	bx, bx
		jz	short loc_8035E3

loc_8035D2:				; CODE XREF: NtSetValueKey+1170E1j
		movzx	eax, bx
		shr	eax, 1
		cmp	word ptr [edi+eax*2-2],	0
		jz	loc_91A342

loc_8035E3:				; CODE XREF: NtSetValueKey+360j
					; NtSetValueKey+1170E7j
		mov	eax, [ebp+var_A0]
		mov	eax, [eax+8]
		test	byte ptr [eax+4], 80h
		jnz	loc_803988
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	[ebp+var_84], 1
		cmp	_CmpCallBackCount, 0
		jz	loc_80390C
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	loc_80390C
		mov	ecx, [ebp+var_A0]
		mov	[ebp+var_114], ecx
		lea	eax, [ebp+var_90]
		mov	[ebp+var_110], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_10C], eax
		mov	ebx, [ebp+arg_C]
		mov	[ebp+var_108], ebx
		mov	edi, [ebp+var_9C]
		mov	[ebp+var_104], edi
		mov	[ebp+var_100], esi
		lea	eax, [ebp+var_D0]
		push	eax
		push	ecx
		push	10h
		push	1
		push	0
		lea	edx, [ebp+var_114]
		mov	ecx, 1
		call	CmpCallCallBacksEx
		test	eax, eax
		js	loc_91A35C
		mov	[ebp+var_81], 1

loc_803693:				; CODE XREF: NtSetValueKey+6A5j
		cmp	[ebp+var_82], 0
		jnz	loc_91A373

loc_8036A0:				; CODE XREF: NtSetValueKey+117143j
		test	byte ptr [ebp+var_D8], 4
		jnz	loc_91A3B8
		mov	byte ptr [ebp+var_B4], 0

loc_8036B4:				; CODE XREF: NtSetValueKey+11714Fj
		push	[ebp+var_B4]
		push	[ebp+var_B8]
		push	esi
		push	edi
		push	ebx
		lea	edx, [ebp+var_90]
		mov	ecx, [ebp+var_A0]
		call	_CmSetValueKey@28 ; CmSetValueKey(x,x,x,x,x,x,x)
		mov	edi, eax
		mov	bl, [ebp+var_82]

loc_8036DC:				; CODE XREF: NtSetValueKey+6FDj
					; NtSetValueKey+116FE6j ...
		mov	[ebp+var_88], edi

loc_8036E2:				; CODE XREF: NtSetValueKey+195j
					; NtSetValueKey+11701Aj ...
		mov	bh, [ebp+var_81]

loc_8036E8:				; CODE XREF: sub_91A3D7+33j
		test	bl, bl
		jnz	loc_803972

loc_8036F0:				; CODE XREF: NtSetValueKey+70Ej
		test	bh, bh
		jz	short loc_80371D
		lea	eax, [ebp+var_D0]
		push	eax
		push	0
		lea	eax, [ebp+var_114]
		push	eax
		push	edi
		mov	edx, [ebp+var_A0]
		mov	ecx, 10h
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_88], edi

loc_80371D:				; CODE XREF: NtSetValueKey+482j
		cmp	[ebp+var_84], 0
		jz	short loc_803738
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, [ebp+var_88]

loc_803738:				; CODE XREF: NtSetValueKey+4B4j
		mov	ecx, [ebp+var_A0]
		test	ecx, ecx
		jz	short loc_803747
		call	ObfDereferenceObject

loc_803747:				; CODE XREF: NtSetValueKey+4D0j
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jnz	loc_91A40F

loc_803754:				; CODE XREF: NtSetValueKey+1171B7j
		mov	eax, [ebp+var_B0]
		test	eax, eax
		jnz	loc_803825

loc_803762:				; CODE XREF: NtSetValueKey+5BCj
		cmp	[ebp+var_95], 0
		jz	short loc_803787
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, [ebp+var_88]

loc_803787:				; CODE XREF: NtSetValueKey+4F9j
		mov	eax, edi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_8037A7:				; CODE XREF: NtSetValueKey+2E4j
		cmp	esi, 40h
		jbe	loc_8038BA

loc_8037B0:				; CODE XREF: NtSetValueKey+684j
		cmp	bx, 40h
		ja	loc_803905
		mov	edx, esi

loc_8037BC:				; CODE XREF: NtSetValueKey+660j
					; NtSetValueKey+690j ...
		mov	[ebp+var_94], edx

loc_8037C2:				; CODE XREF: NtSetValueKey+658j
		test	edx, edx
		jz	loc_80355A
		push	6E566D43h
		mov	edx, [ebp+var_94]
		call	_CmpAllocateTransientPoolWithQuotaTag@12 ; CmpAllocateTransientPoolWithQuotaTag(x,x,x)
		mov	[ebp+var_B0], eax
		test	eax, eax
		jz	loc_91A31A
		mov	edi, [ebp+var_8C]
		mov	bx, word ptr [ebp+var_90]
		mov	ecx, [ebp+var_C4]
		mov	edx, [ebp+var_94]
		test	edx, edx
		jz	loc_80355A
		cmp	edx, esi
		jnz	loc_80389B
		lea	eax, [ebp+var_60]
		mov	[ebp+var_AC], eax
		mov	eax, [ebp+var_B0]
		jmp	loc_803565
; 

loc_803825:				; CODE XREF: NtSetValueKey+4ECj
		mov	ecx, eax
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	loc_803762
; 

loc_803831:				; CODE XREF: NtSetValueKey+1B8j
		mov	eax, [esi]
		mov	[ebp+var_90], eax
		mov	edi, [esi+4]
		mov	[ebp+var_8C], edi
		mov	[ebp+var_AC], 0
		mov	esi, [ebp+arg_14]
		mov	eax, [ebp+var_9C]
		test	esi, esi
		jz	loc_80391A
		mov	al, [eax]
		mov	edi, [ebp+var_8C]
		mov	bx, word ptr [ebp+var_90]
		mov	eax, [ebp+var_9C]
		mov	[ebp+var_A4], eax
		jmp	loc_8034E0
; 

loc_80387D:				; CODE XREF: NtSetValueKey+2CAj
		mov	edx, [ebp+var_A4]
		mov	ecx, [ebp+var_BC]
		call	_CmpDoesBufferRequireCapturing@8 ; CmpDoesBufferRequireCapturing(x,x)
		test	al, al
		jz	loc_8035C6
		jmp	loc_803540
; 

loc_80389B:				; CODE XREF: NtSetValueKey+59Bj
		movzx	eax, bx
		cmp	edx, eax
		mov	eax, [ebp+var_B0]
		mov	[ebp+var_AC], eax
		jnz	loc_803563
		lea	eax, [ebp+var_60]
		jmp	loc_803565
; 

loc_8038BA:				; CODE XREF: NtSetValueKey+53Aj
		cmp	bx, 40h
		ja	short loc_8038F1
		mov	edx, [ebp+var_94]
		cmp	esi, edx
		jnb	loc_8037C2
		mov	edx, esi
		jmp	loc_8037BC
; 

loc_8038D5:				; CODE XREF: NtSetValueKey+2FEj
		xor	edi, edi
		mov	[ebp+var_8C], edi
		jmp	loc_803595
; 

loc_8038E2:				; CODE XREF: NtSetValueKey+327j
		mov	[ebp+var_9C], 0
		jmp	loc_8035C6
; 

loc_8038F1:				; CODE XREF: NtSetValueKey+64Ej
		cmp	esi, 40h
		ja	loc_8037B0
		mov	edx, [ebp+var_94]
		jmp	loc_8037BC
; 

loc_803905:				; CODE XREF: NtSetValueKey+544j
		mov	edx, eax
		jmp	loc_8037BC
; 

loc_80390C:				; CODE XREF: NtSetValueKey+3A2j
					; NtSetValueKey+3B4j
		mov	ebx, [ebp+arg_C]
		mov	edi, [ebp+var_9C]
		jmp	loc_803693
; 

loc_80391A:				; CODE XREF: NtSetValueKey+5E7j
		mov	bx, word ptr [ebp+var_90]
		mov	[ebp+var_A4], eax
		jmp	loc_8034E0
; 

loc_80392C:				; CODE XREF: NtSetValueKey+18Bj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, large fs:124h
		lea	edx, [ebp+var_F0]
		push	edx
		push	eax
		push	ecx
		call	SeCaptureSubjectContextEx
		mov	bl, 1
		lea	edx, [ebp+var_B4]
		lea	ecx, [ebp+var_F0]
		call	CmDoVirtualTest
		test	al, al
		jnz	loc_91A25B

loc_803968:				; CODE XREF: NtSetValueKey+71Ej
					; NtSetValueKey+11702Dj
		mov	edi, 0C0000022h
		jmp	loc_8036DC
; 

loc_803972:				; CODE XREF: NtSetValueKey+47Aj
		lea	eax, [ebp+var_F0]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_8036F0
; 

loc_803983:				; CODE XREF: NtSetValueKey+21Dj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_803988:				; CODE XREF: NtSetValueKey+380j
		mov	bl, [ebp+var_82]
		jmp	short loc_803968
NtSetValueKey	endp


;  S U B	R O U T	I N E 


; __stdcall CmpIsKcbImmutable(x)
_CmpIsKcbImmutable@4 proc near		; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x):loc_73285Ep
					; CmpSetKeySecurity(x,x,x,x,x,x)+C8p ...
		mov	eax, [ecx+10h]
		mov	eax, [eax+64h]
		shr	eax, 14h
		and	al, 1
		retn
_CmpIsKcbImmutable@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSetValueKey(x, x,	x, x, x, x, x)
_CmSetValueKey@28 proc near		; CODE XREF: NtSetValueKey+45Fp

var_D8		= dword	ptr -0D8h
var_CD		= byte ptr -0CDh
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
Source2		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0C4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+0D0h+var_AC], edx
		mov	edi, ecx
		mov	[esp+0D0h+var_C0], edi
		mov	eax, [ebp+arg_4]
		mov	[esp+0D0h+Source2], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+0D0h+var_48], eax
		xor	eax, eax
		mov	[esp+0D0h+var_1C], eax
		mov	[esp+0D0h+var_18], eax
		mov	[esp+0D0h+var_14], eax
		mov	[esp+0D0h+var_10], eax
		mov	[esp+0D0h+var_C], eax
		mov	[esp+0D0h+var_8], eax
		mov	[esp+0D0h+var_50], eax
		mov	[esp+0D0h+var_4C], eax
		lea	eax, [esp+0D0h+var_6C]
		mov	[esp+0D0h+var_68], eax
		mov	[esp+0D0h+var_6C], eax
		xor	eax, eax
		mov	[esp+0D0h+var_A8], eax
		xor	esi, esi
		mov	[esp+0D0h+var_A4], eax
		mov	[esp+0D0h+var_A0], eax
		mov	[esp+0D0h+var_9C], eax
		or	eax, 0FFFFFFFFh
		mov	[esp+0D0h+var_64], eax
		xor	ecx, ecx
		mov	word ptr [esp+0D0h+var_A8+2], ax
		xor	eax, eax
		mov	[esp+0D0h+var_60], ecx
		mov	[esp+0D0h+var_98], ecx
		mov	byte ptr [esp+0D0h+var_C4+3], cl
		mov	[esp+0D0h+var_88], ecx
		mov	[esp+0D0h+var_7C], ecx
		lea	ecx, [esp+0D0h+var_50]
		mov	[esp+0D0h+var_70], eax
		mov	[esp+0D0h+var_58], 0
		mov	[esp+0D0h+var_54], 0
		mov	[esp+0D0h+var_BC], 0
		mov	[esp+0D0h+var_B8], 0
		mov	[esp+0D0h+var_84], 0
		mov	word ptr [esp+0D0h+var_60], ax
		mov	[esp+0D0h+var_74], 0FFFFFFFFh
		mov	word ptr [esp+0D0h+var_70], ax
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		mov	[esp+0D0h+var_44], eax
		or	ecx, 0FFFFFFFFh
		mov	[esp+0D0h+var_40], eax
		mov	[esp+0D0h+var_3C], eax
		mov	[esp+0D0h+var_38], eax
		mov	[esp+0D0h+var_34], eax
		mov	[esp+0D0h+var_30], eax
		mov	[esp+0D0h+var_5C], eax
		mov	[esp+0D0h+var_90], eax
		mov	eax, large fs:124h
		mov	[esp+0D0h+var_8C], 0FFFFFFFFh
		mov	[esp+0D0h+var_80], ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+0D0h+var_78], al
		xor	eax, eax
		mov	[esp+0D0h+var_2C], eax
		mov	[esp+0D0h+var_28], eax
		mov	[esp+0D0h+var_24], eax
		mov	[esp+0D0h+var_20], eax
		lea	eax, [esp+0D0h+var_2C]
		push	eax
		call	SeCaptureSubjectContext
		lea	ecx, [esp+0D0h+var_1C]
		call	CmpAttachToRegistryProcess
		call	_CmpIsShutdownRundownActive@0 ;	CmpIsShutdownRundownActive()
		mov	ebx, [ebp+arg_8]
		mov	[esp+0D0h+var_B0], ebx
		test	al, al
		jnz	loc_804249
		mov	eax, [esp+0D0h+var_7C]
		mov	[esp+0D0h+var_B4], eax

loc_803B46:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+33Dj
		lea	eax, [esp+0D0h+var_58]
		push	eax
		call	KeQuerySystemTime
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	esi, [edi+8]
		mov	ecx, esi
		mov	byte ptr [esp+0D0h+var_C4+2], 1
		call	_CmpIsKcbImmutable@4 ; CmpIsKcbImmutable(x)
		test	al, al
		jnz	loc_804242
		mov	edx, esi
		lea	ecx, [esp+0D0h+var_A8]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_804253
		mov	eax, [esp+0D0h+var_C0]
		cmp	dword ptr [eax+20h], 0
		jnz	short loc_803BA2
		cmp	dword ptr [eax+24h], 0
		jnz	short loc_803BA2
		xor	al, al
		lea	ecx, [esp+0D0h+var_A8]
		mov	byte ptr [esp+0D0h+var_C4+1], al
		call	_CmpLockKcbStackShared@4 ; CmpLockKcbStackShared(x)
		jmp	short loc_803BB0
; 

loc_803BA2:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+1E9j
					; CmSetValueKey(x,x,x,x,x,x,x)+1EFj
		lea	ecx, [esp+0D0h+var_A8]
		mov	byte ptr [esp+0D0h+var_C4+1], 1
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)

loc_803BB0:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+200j
		mov	eax, [esp+0D0h+var_C0]
		cmp	dword ptr [eax+20h], 0
		jnz	short loc_803BC0
		cmp	dword ptr [eax+24h], 0
		jz	short loc_803C03

loc_803BC0:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+218j
		xor	edx, edx
		mov	ecx, eax
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_804220
		mov	ecx, [esp+0D0h+var_C0]
		lea	edx, [esp+0D0h+var_7C]
		call	CmpTransSearchAddTransFromKeyBody
		mov	edi, eax
		test	edi, edi
		js	loc_803E6A
		mov	eax, [esi+10h]
		test	byte ptr [eax+64h], 2
		jnz	loc_80420C
		mov	edi, [esp+0D0h+var_7C]
		mov	eax, [esp+0D0h+var_C0]
		mov	[esp+0D0h+var_B4], edi
		jmp	short loc_803C07
; 

loc_803C03:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+21Ej
					; CmSetValueKey(x,x,x,x,x,x,x)+469j
		mov	edi, [esp+0D0h+var_B4]

loc_803C07:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+261j
					; CmSetValueKey(x,x,x,x,x,x,x)+4C0j
		mov	edx, edi
		mov	ecx, eax
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_804220
		cmp	byte ptr [esi+21h], 1
		jz	loc_803E65
		test	edi, edi
		jnz	loc_803CE2
		lea	ecx, [esi+84h]
		call	_CmpTryAcquireIXLockIntent@4 ; CmpTryAcquireIXLockIntent(x)
		test	al, al
		jz	short loc_803C4C
		lea	ecx, [esi+8Ch]
		call	_CmpTryAcquireIXLockExclusive@4	; CmpTryAcquireIXLockExclusive(x)
		test	al, al
		jnz	loc_803D6E

loc_803C4C:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+297j
		lea	eax, [esp+0D0h+var_B8]
		push	eax
		lea	edx, [esp+0D4h+var_BC]
		call	_CmpSnapshotTxOwnerArray@12 ; CmpSnapshotTxOwnerArray(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_803E6A
		mov	edi, [esp+0D0h+var_BC]
		mov	edx, 1
		push	edi
		push	ecx
		mov	ecx, esi
		call	_CmpLogTransactionAborted@16 ; CmpLogTransactionAborted(x,x,x,x)
		lea	ecx, [esp+0D0h+var_A8]
		call	CmpUnlockKcbStack
		lea	ecx, [esp+0D0h+var_A8]
		xor	bl, bl
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		xor	eax, eax
		mov	[esp+0D0h+var_A8], eax
		mov	[esp+0D0h+var_A4], eax
		mov	[esp+0D0h+var_A0], eax
		mov	[esp+0D0h+var_9C], eax
		or	eax, 0FFFFFFFFh
		mov	word ptr [esp+0D0h+var_A8+2], ax
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	edx, [esp+0D0h+var_B8]
		lea	eax, [esp+0D0h+var_88]
		push	eax
		push	ecx
		mov	ecx, edi
		mov	byte ptr [esp+0D8h+var_C4+2], bl
		call	_CmpRollbackTransactionArray@16	; CmpRollbackTransactionArray(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_804255
		call	_CmpIsShutdownRundownActive@0 ;	CmpIsShutdownRundownActive()
		test	al, al
		jnz	loc_804249
		mov	ebx, [esp+0D0h+var_B0]
		mov	edi, [esp+0D0h+var_C0]
		jmp	loc_803B46
; 

loc_803CE2:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+284j
		call	_CmpAllocateUnitOfWork@0 ; CmpAllocateUnitOfWork()
		mov	ebx, eax
		mov	[esp+0D0h+var_98], ebx
		test	ebx, ebx
		jz	loc_804215
		mov	edx, esi
		mov	ecx, ebx
		call	_CmpTransEnlistUowInKcb@8 ; CmpTransEnlistUowInKcb(x,x)
		mov	edx, edi
		mov	ecx, ebx
		call	CmpTransEnlistUowInCmTrans
		mov	edi, eax
		test	edi, edi
		js	loc_803E6A
		push	ecx
		lea	ecx, [esi+84h]
		mov	edx, ebx
		call	CmpLockIXLockIntent
		test	al, al
		jz	loc_80420C
		push	1
		lea	ecx, [esi+8Ch]
		mov	edx, ebx
		call	CmpLockIXLockExclusive
		test	al, al
		jz	loc_80420C
		mov	ecx, [esi+10h]
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	edi, [esp+0D0h+var_B4]
		lea	eax, [esp+0D0h+var_C4+3]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		mov	bh, 1
		call	CmpCloneKCBValueListForTrans
		test	al, al
		jz	loc_804203
		mov	ecx, [esi+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		mov	ebx, [esp+0D0h+var_B0]

loc_803D6E:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+2A6j
		lea	ecx, [esp+0D0h+var_A8]
		call	_CmpIsKeyStackSymlink@4	; CmpIsKeyStackSymlink(x)
		test	al, al
		jz	short loc_803DD4
		cmp	[ebp+arg_0], 6
		jnz	loc_803E65
		test	bl, 1
		jnz	loc_803E65
		cmp	ebx, 0FFFFh
		ja	loc_803E65
		mov	eax, [esp+0D0h+var_AC]
		test	eax, eax
		jz	loc_803E65
		push	1
		push	eax
		push	offset _CmSymbolicLinkValueName
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	loc_803E65
		push	[esp+0D0h+var_78]
		lea	eax, [esp+0D4h+var_2C]
		push	eax
		call	RtlIsSandboxedToken
		test	al, al
		jnz	loc_803E65

loc_803DD4:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+3D9j
		cmp	dword ptr [esi+14h], 0FFFFFFFFh
		jnz	short loc_803E0E
		lea	ecx, [esp+0D0h+var_A8]
		call	CmpUnlockKcbStack
		push	1
		xor	dl, dl
		lea	ecx, [esp+0D4h+var_A8]
		xor	bl, bl
		call	_CmpPromoteKey@12 ; CmpPromoteKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_804255
		mov	ebx, [esp+0D0h+var_B0]
		mov	eax, [esp+0D0h+var_C0]
		mov	byte ptr [esp+0D0h+var_C4+1], 1
		jmp	loc_803C03
; 

loc_803E0E:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+438j
		cmp	byte ptr [esp+0D0h+var_C4+1], 0
		jnz	short loc_803E7A
		mov	edx, [esp+0D0h+var_AC]
		mov	ecx, esi
		push	ebx		; int
		push	[esp+0D4h+Source2] ; Source2
		push	[ebp+arg_0]	; int
		call	_CmpCompareNewValueDataAgainstKCBCache@20 ; CmpCompareNewValueDataAgainstKCBCache(x,x,x,x,x)
		cmp	eax, 1
		jz	short loc_803E4A
		test	eax, eax
		jz	short loc_803E71
		mov	ecx, esi
		mov	byte ptr [esp+0D0h+var_C4+1], 1
		call	_CmpIsKcbLockedExclusive@4 ; CmpIsKcbLockedExclusive(x)
		test	eax, eax
		jnz	short loc_803E7A
		call	_CmpTryConvertKcbLockSharedToExclusive@4 ; CmpTryConvertKcbLockSharedToExclusive(x)
		test	al, al
		jnz	short loc_803E7A

loc_803E4A:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+48Bj
		lea	ecx, [esp+0D0h+var_A8]
		call	CmpUnlockKcbStack
		lea	ecx, [esp+0D0h+var_A8]
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		mov	eax, [esp+0D0h+var_C0]
		jmp	loc_803C07
; 

loc_803E65:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+27Cj
					; CmSetValueKey(x,x,x,x,x,x,x)+3DFj ...
		mov	edi, 0C0000022h

loc_803E6A:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+242j
					; CmSetValueKey(x,x,x,x,x,x,x)+2BEj ...
		mov	bl, 1
		jmp	loc_804255
; 

loc_803E71:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+48Fj
		xor	edi, edi
		mov	bl, 1
		jmp	loc_804255
; 

loc_803E7A:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+473j
					; CmSetValueKey(x,x,x,x,x,x,x)+49Fj ...
		add	dword ptr [esi+0A8h], 1
		mov	ecx, [esi+10h]
		adc	dword ptr [esi+0ACh], 0
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	bh, 1
		test	edi, edi
		jnz	short loc_803EB2
		mov	edx, [esi+14h]
		mov	ecx, [esi+10h]
		push	edi
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_803EB2
		mov	edi, 0C000017Dh
		mov	bl, bh
		jmp	loc_804257
; 

loc_803EB2:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+4F4j
					; CmSetValueKey(x,x,x,x,x,x,x)+504j
		mov	ecx, [esi+10h]
		lea	edx, [esp+0D0h+var_64]
		mov	eax, [esi+14h]
		push	edx
		push	eax
		mov	eax, [ecx+4]
		push	ecx
		call	eax
		mov	ecx, [esi+14h]
		mov	edi, eax
		push	ecx
		mov	ecx, [esi+10h]
		mov	edx, edi
		mov	[esp+0E0h+var_C8], edi
		call	_CmpUpdateKeyNodeAccessBits@12 ; CmpUpdateKeyNodeAccessBits(x,x,x)
		cmp	[esp+0DCh+var_C0], 0
		lea	eax, [esp+0DCh+var_98]
		mov	ecx, [esi+10h]
		lea	edx, [esi+94h]
		push	eax
		lea	eax, [esp+0E0h+var_90]
		push	eax
		push	0
		push	[esp+0E8h+var_B8]
		jnz	short loc_803EFB
		lea	edx, [edi+24h]

loc_803EFB:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+556j
		call	_CmpFindNameInListWithStatus@24	; CmpFindNameInListWithStatus(x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000034h
		jz	short loc_803F12
		test	edi, edi
		js	loc_8040BF

loc_803F12:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+568j
		cmp	[ebp+arg_10], 0
		mov	edi, [esp+0DCh+var_98]
		mov	[esp+0DCh+var_C4], edi
		jz	loc_803FBA
		mov	edx, [esp+0DCh+var_C0]
		lea	eax, [esp+0DCh+var_68]
		push	eax
		push	33414D43h
		lea	ecx, [esp+0E4h+var_B4]
		call	_CmpSnapshotKcbStackSecurity@16	; CmpSnapshotKcbStackSecurity(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8040BF
		mov	edi, [esp+0DCh+var_C4]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_803FB2
		mov	eax, [esi+10h]
		lea	ecx, [esp+0DCh+var_80]
		push	ecx
		push	edi
		push	eax
		mov	eax, [eax+4]
		call	eax
		mov	ecx, [esi+10h]
		mov	edx, eax
		call	_CmpIsValueTombstone@8 ; CmpIsValueTombstone(x,x)
		mov	bl, al
		xor	eax, eax
		test	bl, bl
		setz	al
		mov	[esp+0E8h+var_A8], eax
		lea	eax, [esp+0E8h+var_8C]
		push	eax
		push	ecx
		mov	ecx, [ecx+8]
		call	ecx
		test	bl, bl
		jnz	short loc_803FA8
		mov	ecx, [esi+10h]
		lea	eax, [esp+0F0h+var_64]
		push	34414D43h
		push	eax
		mov	edx, edi
		call	_CmpGetValueForAudit@16	; CmpGetValueForAudit(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8040BF
		mov	edi, [esp+0F0h+var_D8]

loc_803FA8:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+5E1j
		mov	edx, [esp+0F0h+var_B0]
		mov	[esp+0F0h+var_B0], edx
		jmp	short loc_803FBA
; 

loc_803FB2:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+5ACj
		mov	[esp+0DCh+var_9C], 0

loc_803FBA:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+57Ej
					; CmSetValueKey(x,x,x,x,x,x,x)+610j
		mov	eax, [esi+14h]
		mov	ecx, [esi+10h]
		shr	eax, 1Fh
		cmp	[esp+0DCh+var_C0], 0
		mov	[esp+0DCh+Source2], eax
		jnz	loc_8040F2
		cmp	edi, 0FFFFFFFFh
		jz	short loc_804010
		lea	eax, [esp+0DCh+var_80]
		push	eax
		mov	eax, [ecx+4]
		push	edi
		push	ecx
		call	eax
		mov	ecx, [esp+0E8h+var_A0]
		mov	edx, edi
		push	ecx		; int
		push	[esp+0ECh+var_C8] ; size_t
		mov	ecx, [esi+10h]
		push	[esp+0F0h+var_AC] ; void *
		push	[ebp+arg_0]	; int
		push	eax		; int
		call	CmpSetValueKeyExisting
		mov	edi, eax
		lea	ecx, [esp+0E8h+var_8C]
		mov	eax, [esi+10h]
		push	ecx
		push	eax
		mov	eax, [eax+8]
		call	eax
		jmp	short loc_80402F
; 

loc_804010:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+635j
		mov	edx, [esp+0DCh+var_C8]
		push	eax
		push	[esp+0E0h+var_BC]
		push	[esp+0E4h+var_A0]
		push	[ebp+arg_0]
		push	[esp+0ECh+var_90]
		push	[esp+0F0h+var_B8]
		call	CmpSetValueKeyNew
		mov	edi, eax

loc_80402F:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+66Ej
		test	edi, edi
		js	loc_8040BF
		mov	ecx, [esp+0DCh+var_B8]
		mov	ebx, [esp+0DCh+var_C8]
		movzx	eax, word ptr [ecx]
		cmp	[ebx+3Ch], eax
		jnb	short loc_804051
		mov	[ebx+3Ch], eax
		mov	ax, [ecx]
		mov	[esi+62h], ax

loc_804051:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+6A5j
		mov	eax, [esp+0DCh+var_BC]
		cmp	[ebx+40h], eax
		jnb	short loc_804060
		mov	[ebx+40h], eax
		mov	[esi+64h], eax

loc_804060:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+6B8j
		mov	ecx, [esp+0DCh+var_64]
		lea	edx, [esp+0DCh+var_5C]
		mov	eax, [esp+0DCh+var_60]
		mov	[ebx+4], ecx
		mov	[ebx+8], eax
		mov	[esi+58h], ecx
		mov	ecx, esi
		mov	[esi+5Ch], eax
		call	_CmpCleanUpKcbCachedSymlink@8 ;	CmpCleanUpKcbCachedSymlink(x,x)
		mov	ecx, [ebx+28h]
		mov	eax, [ebx+24h]
		mov	[esi+34h], ecx
		mov	ecx, [esi+10h]
		mov	[esi+30h], eax
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)

loc_804096:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+7FEj
		mov	edx, [esp+0DCh+var_C0]
		lea	eax, [esp+0DCh+var_78]
		or	ecx, 0FFFFFFFFh
		mov	[esp+0DCh+var_8C], ecx
		xor	ecx, ecx
		push	eax
		mov	[esp+0E0h+var_A4], ecx
		mov	[esp+0E0h+var_CD], cl
		lea	ecx, [esp+0E0h+var_B4]
		push	4
		call	_CmpReportNotifyForKcbStack@16 ; CmpReportNotifyForKcbStack(x,x,x,x)
		xor	edi, edi

loc_8040BD:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+84Aj
					; CmSetValueKey(x,x,x,x,x,x,x)+85Ej
		xor	bh, bh

loc_8040BF:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+56Cj
					; CmSetValueKey(x,x,x,x,x,x,x)+59Fj ...
		cmp	[esp+0DCh+var_C8], 0
		jz	short loc_8040D4
		mov	eax, [esi+10h]
		lea	ecx, [esp+0DCh+var_70]
		push	ecx
		push	eax
		mov	eax, [eax+8]
		call	eax

loc_8040D4:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+724j
		mov	eax, [esp+0E4h+Source2]
		mov	bl, 1
		cmp	eax, 0FFFFFFFFh
		jz	loc_804257
		mov	ecx, [esi+10h]
		mov	edx, eax
		call	_CmpFreeValue@8	; CmpFreeValue(x,x)
		jmp	loc_804257
; 

loc_8040F2:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+62Cj
		mov	edx, [esp+0DCh+var_B8]
		push	1		; int
		push	[esp+0E0h+var_BC] ; int
		push	[esp+0E4h+var_A0] ; void *
		push	[ebp+arg_0]	; int
		call	CmpAddValueKeyNew
		mov	edx, eax
		mov	[esp+0DCh+var_8C], edx
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_80411A
		mov	edi, 0C000009Ah
		jmp	short loc_8040BF
; 

loc_80411A:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+771j
		mov	ecx, [esi+10h]
		lea	eax, [esi+94h]
		mov	[esp+0DCh+var_84], ecx
		push	eax
		cmp	edi, 0FFFFFFFFh
		jz	short loc_804139
		mov	ebx, [esp+0E0h+var_90]
		push	ebx
		call	_CmpSwapValueInList@16 ; CmpSwapValueInList(x,x,x,x)
		jmp	short loc_80415D
; 

loc_804139:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+78Bj
		mov	ecx, [eax]
		push	1
		mov	[esp+0E4h+var_98], ecx
		push	ecx
		mov	ecx, [esp+0E8h+var_84]
		call	_CmpAddValueToList@20 ;	CmpAddValueToList(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8040BF
		mov	edi, [esp+0DCh+var_C4]
		mov	ebx, [esp+0DCh+var_98]

loc_80415D:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+797j
		mov	ecx, [esi+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		mov	eax, [esp+0DCh+var_A4]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_804178
		mov	[eax+30h], edi
		mov	ecx, 5
		jmp	short loc_80417D
; 

loc_804178:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+7CCj
		mov	ecx, 4

loc_80417D:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+7D6j
		mov	[eax+24h], ecx
		mov	edx, 1
		mov	ecx, [esp+0DCh+Source2]
		mov	[eax+28h], ecx
		mov	ecx, [esp+0DCh+var_8C]
		mov	[eax+34h], ecx
		mov	ecx, eax
		call	_CmAddLogForAction@8 ; CmAddLogForAction(x,x)
		mov	edi, eax
		test	edi, edi
		jns	loc_804096
		cmp	[esp+0DCh+var_C8], 0
		jz	short loc_8041C1
		mov	eax, [esi+10h]
		lea	ecx, [esp+0DCh+var_70]
		push	ecx
		push	eax
		mov	eax, [eax+8]
		call	eax
		mov	dword ptr [esp+14h], 0

loc_8041C1:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+809j
		mov	ecx, [esi+10h]
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	edx, [esp+0E4h+var_CC]
		lea	eax, [esi+94h]
		mov	ecx, [esi+10h]
		push	eax
		cmp	edx, 0FFFFFFFFh
		jz	short loc_8041EF
		push	ebx
		call	_CmpSwapValueInList@16 ; CmpSwapValueInList(x,x,x,x)
		mov	ecx, [esi+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		jmp	loc_8040BD
; 

loc_8041EF:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+83Aj
		mov	edx, ebx
		call	_CmpRemoveValueFromList@12 ; CmpRemoveValueFromList(x,x,x)
		mov	ecx, [esi+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		jmp	loc_8040BD
; 

loc_804203:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+3BCj
		mov	edi, 0C000009Ah
		mov	bl, 1
		jmp	short loc_804257
; 

loc_80420C:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+24Fj
					; CmSetValueKey(x,x,x,x,x,x,x)+381j ...
		mov	edi, 0C0190001h
		mov	bl, 1
		jmp	short loc_804255
; 

loc_804215:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+34Fj
		mov	edi, 0C000009Ah
		mov	bl, 1
		xor	bh, bh
		jmp	short loc_80426F
; 

loc_804220:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+22Bj
					; CmSetValueKey(x,x,x,x,x,x,x)+272j
		mov	eax, [esp+0D0h+var_C0]
		mov	bl, 1
		xor	bh, bh
		mov	al, [eax+1Ch]
		and	al, bl
		movzx	edi, al
		neg	edi
		sbb	edi, edi
		and	edi, 2A9h
		add	edi, 0C000017Ch
		jmp	short loc_804257
; 

loc_804242:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+1C6j
		mov	edi, 0C0000022h
		jmp	short loc_804253
; 

loc_804249:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+198j
					; CmSetValueKey(x,x,x,x,x,x,x)+32Fj
		mov	edi, 0C0000189h
		mov	byte ptr [esp+0D0h+var_C4+2], 0

loc_804253:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+1DBj
					; CmSetValueKey(x,x,x,x,x,x,x)+8A7j
		xor	bl, bl

loc_804255:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+322j
					; CmSetValueKey(x,x,x,x,x,x,x)+456j ...
		xor	bh, bh

loc_804257:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+50Dj
					; CmSetValueKey(x,x,x,x,x,x,x)+73Dj ...
		mov	eax, [esp+0D0h+var_98]
		test	eax, eax
		jz	short loc_80426F
		mov	ecx, eax
		call	CmpRundownUnitOfWork
		mov	ecx, [esp+0D0h+var_98]
		call	_CmpFreeUnitOfWork@4 ; CmpFreeUnitOfWork(x)

loc_80426F:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+87Ej
					; CmSetValueKey(x,x,x,x,x,x,x)+8BDj
		cmp	byte ptr [esp+0D0h+var_C4+3], 0
		jz	short loc_8042A7
		mov	edx, [esi+98h]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_804289
		mov	ecx, [esi+10h]
		call	HvFreeCell

loc_804289:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+8DFj
		mov	dword ptr [esi+98h], 0FFFFFFFFh
		mov	dword ptr [esi+94h], 0
		mov	dword ptr [esi+9Ch], 0

loc_8042A7:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+8D4j
		test	bh, bh
		jz	short loc_8042B3
		mov	ecx, [esi+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)

loc_8042B3:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+909j
		test	bl, bl
		jz	short loc_8042C0
		lea	ecx, [esp+0D0h+var_A8]
		call	CmpUnlockKcbStack

loc_8042C0:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+915j
		xor	dl, dl
		lea	ecx, [esp+0D0h+var_50]
		call	CmpDrainDelayDerefContext
		cmp	byte ptr [esp+0D0h+var_C4+2], 0
		jz	short loc_8042DA
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_8042DA:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+933j
		lea	eax, [esp+0D0h+var_6C]
		cmp	[esp+0D0h+var_6C], eax
		jz	short loc_8042EB
		mov	ecx, eax
		call	_CmpSignalDeferredPosts@4 ; CmpSignalDeferredPosts(x)

loc_8042EB:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+942j
		lea	ecx, [esp+0D0h+var_1C]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		lea	eax, [esp+0D0h+var_2C]
		push	eax
		call	SeReleaseSubjectContext
		mov	esi, [esp+0D0h+var_5C]
		test	edi, edi
		js	short loc_80435C
		cmp	[ebp+arg_10], 0
		jz	short loc_80435C
		test	esi, esi
		jz	short loc_80435C
		mov	eax, [ebp+arg_0]
		mov	edx, esi
		push	[esp+0D0h+var_90]
		mov	[esp+0D4h+var_38], eax
		xor	ecx, ecx
		mov	eax, [esp+0D4h+var_B0]
		mov	[esp+0D4h+var_34], eax
		mov	eax, [esp+0D4h+Source2]
		mov	[esp+0D4h+var_30], eax
		lea	eax, [esp+0D4h+var_44]
		push	eax
		push	[esp+0D8h+var_48]
		push	[esp+0DCh+var_C0]
		push	[esp+0E0h+var_AC]
		push	0
		call	_SeAdtRegistryValueChangedAuditAlarm@32	; SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)

loc_80435C:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+96Aj
					; CmSetValueKey(x,x,x,x,x,x,x)+970j ...
		mov	ecx, [esp+0D0h+var_3C]
		test	ecx, ecx
		jz	short loc_804371
		mov	edx, 34414D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_804371:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+9C5j
		test	esi, esi
		jz	short loc_804381
		mov	edx, 33414D43h
		mov	ecx, esi
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_804381:				; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+9D3j
		lea	ecx, [esp+0D0h+var_A8]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		mov	ecx, [esp+0D0h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
_CmSetValueKey@28 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmpTryAcquireIXLockExclusive(x)
_CmpTryAcquireIXLockExclusive@4	proc near ; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+23Cp
					; CmpSetKeySecurity(x,x,x,x,x,x)+24Bp ...
		cmp	dword ptr [ecx], 0
		setz	al
		retn
_CmpTryAcquireIXLockExclusive@4	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmpTryAcquireIXLockIntent(x)
_CmpTryAcquireIXLockIntent@4 proc near	; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+290p
		cmp	dword ptr [ecx], 0
		setnl	al
		retn
_CmpTryAcquireIXLockIntent@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpRegQueryValueIndirect proc near	; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+29Ap
					; _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+14Ap ...

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 0091A42C SIZE 0000008E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_14]
		xor	edx, edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_804438
		mov	eax, [eax]
		neg	eax
		sbb	eax, eax
		and	esi, eax
		mov	eax, [ebp+arg_14]

loc_8043D5:				; CODE XREF: _PnpRegQueryValueIndirect+86j
		mov	ebx, [ebp+arg_18]
		test	ebx, ebx
		jnz	short loc_80440D

loc_8043DC:				; CODE XREF: _PnpRegQueryValueIndirect+5Bj
		mov	ecx, [ebp+arg_C]
		push	eax
		push	esi
		push	ecx
		mov	[ecx], edx
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		call	_RegRtlQueryValue
		mov	[ebp+arg_10], eax
		test	eax, eax
		jnz	short loc_804404

loc_8043F6:				; CODE XREF: _PnpRegQueryValueIndirect+55j
		test	ebx, ebx
		jnz	short loc_804411

loc_8043FA:				; CODE XREF: _PnpRegQueryValueIndirect+57j
					; _PnpRegQueryValueIndirect+82j ...
		mov	eax, [ebp+arg_10]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
; 

loc_804404:				; CODE XREF: _PnpRegQueryValueIndirect+40j
		cmp	eax, 0C0000023h
		jz	short loc_8043F6
		jmp	short loc_8043FA
; 

loc_80440D:				; CODE XREF: _PnpRegQueryValueIndirect+26j
		mov	[ebx], dl
		jmp	short loc_8043DC
; 

loc_804411:				; CODE XREF: _PnpRegQueryValueIndirect+44j
		mov	ecx, [ebp+arg_C]
		mov	ecx, [ecx]
		cmp	ecx, 3
		jbe	short loc_80443C
		cmp	ecx, 6
		jbe	short loc_80447E
		cmp	ecx, 7
		jz	short loc_80443C
		lea	eax, [ecx-8]
		cmp	eax, 3
		jbe	short loc_80447E
		cmp	cx, 19h
		setz	al
		mov	[ebx], al
		jmp	short loc_8043FA
; 

loc_804438:				; CODE XREF: _PnpRegQueryValueIndirect+14j
		mov	[eax], edx
		jmp	short loc_8043D5
; 

loc_80443C:				; CODE XREF: _PnpRegQueryValueIndirect+65j
					; _PnpRegQueryValueIndirect+6Fj
		mov	eax, [ebp+arg_14]
		mov	edx, [eax]
		cmp	[ebp+arg_10], edi
		jnz	loc_91A42C

loc_80444A:				; CODE XREF: _PnpRegQueryValueIndirect+1160F4j
		lea	eax, [ebp+arg_14]
		mov	ecx, esi
		push	eax
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		test	eax, eax
		js	short loc_804475
		sub	esp, 0Ch
		mov	ecx, esi
		call	_PnpParseIndirectInfString
		test	al, al
		jnz	short loc_804486
		sub	esp, 10h
		mov	ecx, esi
		call	_PnpParseIndirectResourceString
		test	al, al
		jnz	short loc_804486

loc_804475:				; CODE XREF: _PnpRegQueryValueIndirect+A3j
					; _PnpRegQueryValueIndirect+D5j ...
		test	edi, edi
		jz	short loc_8043FA
		jmp	loc_91A4AD
; 

loc_80447E:				; CODE XREF: _PnpRegQueryValueIndirect+6Aj
					; _PnpRegQueryValueIndirect+77j
		mov	byte ptr [ebx],	0
		jmp	loc_8043FA
; 

loc_804486:				; CODE XREF: _PnpRegQueryValueIndirect+B1j
					; _PnpRegQueryValueIndirect+BFj
		mov	byte ptr [ebx],	1
		jmp	short loc_804475
_PnpRegQueryValueIndirect endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetDeviceRegPropWorker proc near	; CODE XREF: _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)+B2p

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_C		= word ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= word ptr  1Ch

; FUNCTION CHUNK AT 0091A4BA SIZE 0000008A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_5C], eax
		xor	eax, eax
		push	esi
		mov	esi, eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_80], eax
		mov	[ebp+var_6C], eax
		mov	[ebp+var_90], eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_88], eax
		movzx	eax, [ebp+arg_14]
		mov	[ebp+var_70], edx
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_74], ecx
		mov	ecx, [ebp+arg_10]
		mov	[ebp+var_64], edx
		mov	[ebp+var_78], ecx
		push	edi
		mov	edi, [ebp+arg_0]
		test	eax, eax
		jnz	loc_91A4BA
		test	ecx, ecx
		jz	loc_91A53A
		test	edx, edx
		jz	loc_91A53A
		mov	edx, [ecx]
		mov	[ebp+var_7C], edx
		test	edx, edx
		jz	short loc_804512
		cmp	[ebp+var_5C], esi
		jz	loc_91A4BA

loc_804512:				; CODE XREF: _CmGetDeviceRegPropWorker+7Bj
		mov	eax, edx
		mov	[ebp+var_60], edx
		neg	eax
		sbb	eax, eax
		and	[ecx], esi
		and	eax, [ebp+var_5C]
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+var_64]
		and	[eax], esi
		lea	eax, [ebx-1]
		cmp	eax, 24h
		ja	loc_91A530
		cmp	ebx, 25h
		ja	loc_91A530
		movzx	eax, ds:byte_8047A0[ebx]
		jmp	ds:off_804798[eax*4]

loc_80454B:				; DATA XREF: PAGE:0080479Co
		test	edi, edi
		jnz	short loc_80457D
		mov	edx, [ebp+var_70]
		lea	eax, [ebp+var_68]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	2000001h
		push	ecx
		mov	ecx, [ebp+var_74]
		push	10h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_80462E
		mov	edx, [ebp+var_60]
		mov	ecx, [ebp+var_78]
		mov	[ebp+var_7C], edx

loc_80457D:				; CODE XREF: _CmGetDeviceRegPropWorker+C1j
		cmp	ebx, 8
		jz	loc_8046D6
		cmp	ebx, 17h
		jz	loc_80473B
		cmp	ebx, 24h
		jz	loc_91A4CE
		mov	edx, ebx
		call	__MapCmDevicePropertyToNtProperty@8 ; _MapCmDevicePropertyToNtProperty(x,x)
		mov	[ebp+var_84], eax
		test	eax, eax
		jnz	loc_804676
		mov	edx, ebx
		call	_MapCmDevicePropertyToRegValue
		mov	edx, eax
		test	edx, edx
		jz	loc_91A4C4
		mov	eax, [ebp+var_7C]
		mov	[ebp+var_6C], eax
		test	edi, edi
		jnz	short loc_8045CB
		mov	edi, [ebp+var_68]

loc_8045CB:				; CODE XREF: _CmGetDeviceRegPropWorker+13Aj
		mov	ecx, [ebp+var_74]
		mov	eax, [ecx+108h]
		test	eax, eax
		jnz	short loc_8045DD
		mov	eax, offset _PnpRegQueryValueIndirect

loc_8045DD:				; CODE XREF: _CmGetDeviceRegPropWorker+14Aj
		push	0
		lea	ebx, [ebp+var_6C]
		push	ebx
		push	[ebp+var_5C]
		lea	ebx, [ebp+var_80]
		push	ebx
		push	edx
		push	edi
		push	ecx
		call	eax ; _PnpRegQueryValueIndirect
		cmp	eax, 0C0000034h
		jz	short loc_804654
		cmp	eax, 0C000017Ch
		jz	short loc_804654
		mov	ebx, 0C0000023h
		test	eax, eax
		js	short loc_804662

loc_804606:				; CODE XREF: _CmGetDeviceRegPropWorker+1D8j
		mov	edx, [ebp+var_80]
		mov	ecx, [ebp+var_6C]
		cmp	edx, 1
		jz	short loc_80465B

loc_804611:				; CODE XREF: _CmGetDeviceRegPropWorker+1D2j
		cmp	ecx, 2
		jb	short loc_80464F

loc_804616:				; CODE XREF: _CmGetDeviceRegPropWorker+1C6j
		cmp	edx, 4
		jz	short loc_80466F

loc_80461B:				; CODE XREF: _CmGetDeviceRegPropWorker+1E6j
		mov	edi, [ebp+var_78]
		mov	[edi], ecx
		mov	ecx, [ebp+var_64]
		mov	[ecx], edx
		test	eax, eax
		jnz	short loc_80466B
		cmp	[ebp+var_60], eax
		jz	short loc_80466B

loc_80462E:				; CODE XREF: _CmGetDeviceRegPropWorker+E2j
					; _CmGetDeviceRegPropWorker+1CDj ...
		cmp	[ebp+var_68], 0
		jz	short loc_80463C
		push	[ebp+var_68]
		call	_ZwClose@4	; ZwClose(x)

loc_80463C:				; CODE XREF: _CmGetDeviceRegPropWorker+1A6j
					; _CmGetDeviceRegPropWorker+116033j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_80464F:				; CODE XREF: _CmGetDeviceRegPropWorker+188j
		cmp	edx, 7
		jnz	short loc_804616

loc_804654:				; CODE XREF: _CmGetDeviceRegPropWorker+168j
					; _CmGetDeviceRegPropWorker+16Fj ...
		mov	esi, 0C0000225h
		jmp	short loc_80462E
; 

loc_80465B:				; CODE XREF: _CmGetDeviceRegPropWorker+183j
		cmp	ecx, 2
		jnb	short loc_804611
		jmp	short loc_804654
; 

loc_804662:				; CODE XREF: _CmGetDeviceRegPropWorker+178j
		cmp	eax, ebx
		jz	short loc_804606
		jmp	loc_804780
; 

loc_80466B:				; CODE XREF: _CmGetDeviceRegPropWorker+19Bj
					; _CmGetDeviceRegPropWorker+1A0j
		mov	esi, ebx
		jmp	short loc_80462E
; 

loc_80466F:				; CODE XREF: _CmGetDeviceRegPropWorker+18Dj
		cmp	ecx, 4
		jz	short loc_80461B
		jmp	short loc_804654
; 

loc_804676:				; CODE XREF: _CmGetDeviceRegPropWorker+11Bj
		push	[ebp+var_70]
		lea	eax, [ebp+var_90]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_80462E
		push	ecx
		mov	ecx, [ebp+var_74]
		lea	eax, [ebp+var_60]
		push	eax
		mov	eax, [ebp+var_7C]
		lea	edx, [ebp+var_90]
		push	eax
		push	[ebp+var_5C]
		push	[ebp+var_84]
		call	__NtPlugPlayGetDeviceProperty@28 ; _NtPlugPlayGetDeviceProperty(x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_804654
		test	esi, esi
		js	loc_804787

loc_8046BD:				; CODE XREF: _CmGetDeviceRegPropWorker+301j
		mov	edi, [ebp+var_78]
		mov	ecx, ebx
		mov	eax, [ebp+var_60]
		mov	[edi], eax
		call	__MapCmDevicePropertyToRegType@4 ; _MapCmDevicePropertyToRegType(x)
		mov	ecx, [ebp+var_64]
		mov	[ecx], eax
		jmp	loc_80462E
; 

loc_8046D6:				; CODE XREF: _CmGetDeviceRegPropWorker+F4j
		mov	[ebp+var_6C], 4Eh
		test	edi, edi
		jnz	short loc_8046E4
		mov	edi, [ebp+var_68]

loc_8046E4:				; CODE XREF: _CmGetDeviceRegPropWorker+253j
		mov	ebx, [ebp+var_74]
		lea	eax, [ebp+var_6C]
		mov	edx, [ebp+var_70]
		mov	ecx, ebx
		push	0
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		push	9
		push	edi
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_91A526
		test	esi, esi
		jnz	loc_80462E
		mov	edi, [ebp+var_78]
		lea	edx, [ebp+var_58]
		push	ecx
		push	edi
		push	[ebp+var_5C]
		mov	[ebp+var_C], ax
		mov	ecx, ebx
		push	[ebp+var_64]
		mov	eax, [ebp+var_60]
		push	8
		push	esi
		mov	[edi], eax
		call	__CmGetInstallerClassRegProp@32	; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		jmp	short loc_804780
; 

loc_80473B:				; CODE XREF: _CmGetDeviceRegPropWorker+FDj
		mov	ebx, [ebp+var_70]
		push	5Ch		; wchar_t
		push	ebx		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_91A53A
		mov	edi, [ebp+var_78]
		sub	eax, ebx
		mov	edx, [ebp+var_60]
		add	eax, 2
		mov	[edi], eax
		mov	eax, [ebp+var_64]
		mov	dword ptr [eax], 1
		mov	eax, [edi]
		cmp	edx, eax
		jb	loc_91A51C
		mov	ecx, [ebp+var_5C]
		sub	esp, 0Ch
		add	eax, 0FFFFFFFEh
		push	eax
		push	ebx
		call	RtlStringCbCopyNExW

loc_804780:				; CODE XREF: _CmGetDeviceRegPropWorker+1DAj
					; _CmGetDeviceRegPropWorker+2ADj
		mov	esi, eax
		jmp	loc_80462E
; 

loc_804787:				; CODE XREF: _CmGetDeviceRegPropWorker+22Bj
		cmp	esi, 0C0000023h
		jz	loc_8046BD
		jmp	loc_80462E
_CmGetDeviceRegPropWorker endp

; 
off_804798	dd offset loc_91A530	; DATA XREF: _CmGetDeviceRegPropWorker+B8r
		dd offset loc_80454B
byte_8047A0	db 0			; DATA XREF: _CmGetDeviceRegPropWorker+B1r
		db 3 dup(1)
		dd 100h, 4 dup(1010101h), 1010001h, 2 dup(1010101h)
; 
		add	[ecx], eax

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmObjectGetCachedCmProperty(x, x,	x, x, x, x, x)
_PiDmObjectGetCachedCmProperty@28 proc near ; CODE XREF: PiPnpRtlCmActionCallback+8Bp

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_5C		= dword	ptr -5Ch
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		and	[ebp+var_70], 0
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		mov	[ebp+var_78], eax
		lea	edi, [ebp+var_6C]
		xor	eax, eax
		mov	[ebp+var_74], edx
		stosd
		mov	edx, 0C0000016h
		stosd
		stosd
		stosd
		test	ebx, ebx
		jz	loc_80488A
		mov	eax, [esi]
		neg	eax
		sbb	eax, eax
		and	ebx, eax

loc_80480F:				; CODE XREF: PiDmObjectGetCachedCmProperty(x,x,x,x,x,x,x)+C7j
		xor	edi, edi
		inc	edi
		cmp	[ebp+arg_4], 9
		jz	short loc_80482B

loc_804818:				; CODE XREF: PiDmObjectGetCachedCmProperty(x,x,x,x,x,x,x)+67j
					; PiDmObjectGetCachedCmProperty(x,x,x,x,x,x,x)+94j ...
		mov	ecx, [ebp+var_8]
		mov	eax, edx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_80482B:				; CODE XREF: PiDmObjectGetCachedCmProperty(x,x,x,x,x,x,x)+50j
		cmp	ecx, edi
		jnz	short loc_804818
		lea	eax, [ebp+var_70]
		push	eax		; int
		push	10h		; int
		lea	eax, [ebp+var_6C]
		push	eax		; int
		lea	eax, [ebp+var_7C]
		push	eax		; int
		push	offset _DEVPKEY_Device_ClassGuid ; void	*
		push	0		; int
		push	ecx		; int
		mov	ecx, edi
		call	_CmMapCmObjectTypeToPnpObjectType
		mov	edx, [ebp+var_74]
		mov	ecx, eax
		call	_PiDmObjectGetCachedObjectProperty@36 ;	PiDmObjectGetCachedObjectProperty(x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_804818
		mov	eax, [ebp+var_78]
		push	4Eh
		mov	[eax], edi
		pop	edi
		cmp	[esi], edi
		jb	short loc_80488F
		push	ecx		; int
		lea	edx, [ebp+var_5C] ; void *
		lea	ecx, [ebp+var_6C] ; int
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_804818
		mov	[esi], edi
		lea	esi, [ebp+var_5C]
		push	13h
		pop	ecx
		mov	edi, ebx
		rep movsd
		movsw
		jmp	short loc_804818
; 

loc_80488A:				; CODE XREF: PiDmObjectGetCachedCmProperty(x,x,x,x,x,x,x)+3Bj
		and	dword ptr [esi], 0
		jmp	short loc_80480F
; 

loc_80488F:				; CODE XREF: PiDmObjectGetCachedCmProperty(x,x,x,x,x,x,x)+A0j
		mov	[esi], edi
		mov	edx, 0C0000023h
		jmp	short loc_804818
_PiDmObjectGetCachedCmProperty@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxGetCachedContextBaseKey(x, x, x)
__PnpCtxGetCachedContextBaseKey@12 proc	near ; CODE XREF: PipUpdateDeviceProducts+88p
					; _CmOpenDeviceContainerRegKeyWorker+135p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		mov	esi, ecx
		call	__PnpCtxGetCachedContextBaseKeyNode@12 ; _PnpCtxGetCachedContextBaseKeyNode(x,x,x)
		test	eax, eax
		js	short loc_8048C1
		push	[ebp+arg_0]
		mov	ecx, esi
		push	edx
		mov	edx, [ebp+var_4]
		call	_PnpCtxGetCachedNodeBaseKey

loc_8048C1:				; CODE XREF: _PnpCtxGetCachedContextBaseKey(x,x,x)+19j
		pop	esi
		leave
		retn	4
__PnpCtxGetCachedContextBaseKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpCtxGetCachedNodeBaseKey proc near	; CODE XREF: _PnpCtxGetCachedContextBaseKey(x,x,x)+24p
					; PipOpenServiceEnumKeys+6CF78p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0091A544 SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_14], ecx
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], ecx
		mov	ebx, ecx
		lea	eax, [edx-1]
		mov	[ebp+var_10], ecx
		cmp	eax, 0Eh	; switch 15 cases
		ja	loc_91A562	; default
		jmp	ds:off_804AF6[eax*4] ; switch jump

loc_8048FB:				; DATA XREF: PAGE:off_804AF6o
		mov	eax, [esi+20h]	; case 0x4

loc_8048FE:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+53j
					; _PnpCtxGetCachedNodeBaseKey+72j ...
		mov	[ebp+var_4], eax

loc_804901:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+6Bj
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_804953
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx

loc_80490D:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+6Dj
					; _PnpCtxGetCachedNodeBaseKey+A1j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_804916:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+2Ej
					; DATA XREF: PAGE:off_804AF6o
		mov	eax, [esi+30h]	; case 0x8
		jmp	short loc_8048FE
; 

loc_80491B:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+2Ej
					; DATA XREF: PAGE:off_804AF6o
		lea	eax, [ebp+var_4] ; case	0x3
		push	eax
		push	4

loc_804921:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+115C8Cj
					; _PnpCtxGetCachedNodeBaseKey+115C97j
		pop	edx

loc_804922:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+14Bj
		mov	ecx, [esi+1Ch]
		call	__SysCtxGetCachedContextBaseKey@12 ; _SysCtxGetCachedContextBaseKey(x,x,x)
		mov	edx, [ebp+arg_0]
		mov	edi, eax

loc_80492F:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+115CA1j
		test	edi, edi
		jns	short loc_804901
		jmp	short loc_80490D
; 

loc_804935:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+2Ej
					; DATA XREF: PAGE:off_804AF6o
		mov	eax, [esi+2Ch]	; case 0x7
		jmp	short loc_8048FE
; 

loc_80493A:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+2Ej
					; DATA XREF: PAGE:off_804AF6o
		mov	eax, [esi+28h]	; case 0x6
		jmp	short loc_8048FE
; 

loc_80493F:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+2Ej
					; DATA XREF: PAGE:off_804AF6o
		mov	eax, [esi+34h]	; case 0x9
		jmp	short loc_8048FE
; 

loc_804944:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+2Ej
					; DATA XREF: PAGE:off_804AF6o
		mov	eax, [esi+24h]	; case 0x5
		jmp	short loc_8048FE
; 

loc_804949:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+2Ej
					; DATA XREF: PAGE:off_804AF6o
		mov	eax, [esi+44h]	; case 0xD
		jmp	short loc_8048FE
; 

loc_80494E:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+2Ej
					; DATA XREF: PAGE:off_804AF6o
		mov	eax, [esi+40h]	; case 0xC
		jmp	short loc_8048FE
; 

loc_804953:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+40j
		cmp	edx, 5
		jl	loc_91A56C
		cmp	edx, 0Fh
		jg	loc_91A56C

loc_804965:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+115CABj
		test	edi, edi
		js	short loc_80490D
		lea	eax, [edx-5]	; switch 11 cases
		cmp	eax, 0Ah
		ja	loc_91A58D	; default
		jmp	ds:off_804B32[eax*4] ; switch jump

loc_80497C:				; DATA XREF: PAGE:off_804B32o
		xor	eax, eax	; case 0xF
		mov	ebx, offset ??_C@_1BO@LMKEOBGK@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@
		inc	eax

loc_804984:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+16Ej
					; _PnpCtxGetCachedNodeBaseKey+17Bj ...
		test	edi, edi
		js	short loc_8049E2
		lea	ecx, [ebp+var_C]
		mov	edx, eax
		push	ecx
		mov	ecx, [esi+1Ch]
		call	__SysCtxGetCachedContextBaseKey@12 ; _SysCtxGetCachedContextBaseKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8049E2
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	2000000h
		push	ecx
		mov	ecx, [esi+1Ch]
		push	ebx
		call	__SysCtxRegCreateTree@36 ; _SysCtxRegCreateTree(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8049E2
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		add	eax, 0FFFFFFFBh	; switch 11 cases
		cmp	eax, 0Ah
		ja	loc_91A5A1	; default
		jmp	ds:off_804B5E[eax*4] ; switch jump

loc_8049D6:				; DATA XREF: PAGE:off_804B5Eo
		mov	[esi+48h], ecx	; case 0xF

loc_8049D9:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+1EBj
					; _PnpCtxGetCachedNodeBaseKey+1F3j ...
		test	edi, edi
		js	short loc_8049E2
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx

loc_8049E2:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+C0j
					; _PnpCtxGetCachedNodeBaseKey+D4j ...
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	loc_80490D
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_80490D
; 

loc_8049FA:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+2Ej
					; DATA XREF: PAGE:off_804AF6o
		mov	eax, [esi+48h]	; case 0xE
		jmp	loc_8048FE
; 

loc_804A02:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+2Ej
					; DATA XREF: PAGE:off_804AF6o
		mov	eax, [esi+38h]	; case 0xA
		jmp	loc_8048FE
; 

loc_804A0A:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+2Ej
					; DATA XREF: PAGE:off_804AF6o
		lea	eax, [ebp+var_4] ; case	0x0
		xor	edx, edx
		push	eax
		inc	edx
		jmp	loc_804922
; 

loc_804A16:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+AFj
					; DATA XREF: PAGE:off_804B32o
		push	4		; case 0x5
		pop	eax
		mov	[ebp+var_8], eax
		mov	ebx, offset ??_C@_19DDCEFKEI@?$AAE?$AAn?$AAu?$AAm@NNGAKEGL@ ; "Enum"
		call	_PnpGetEnumSecurityDescriptor
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_91A576
		mov	eax, [ebp+var_8]
		jmp	loc_804984
; 

loc_804A39:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+AFj
					; DATA XREF: PAGE:off_804B32o
		push	4		; case 0x6
		pop	eax
		mov	ebx, (offset loc_8BA753+1)
		jmp	loc_804984
; 

loc_804A46:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+AFj
					; DATA XREF: PAGE:off_804B32o
		push	4		; case 0x7
		pop	eax
		mov	ebx, offset ??_C@_1BM@DIAIFPKI@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAC?$AAl?$AAa?$AAs?$AAs@NNGAKEGL@
		jmp	loc_804984
; 

loc_804A53:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+AFj
					; DATA XREF: PAGE:off_804B32o
		push	4		; case 0x8
		pop	eax
		mov	ebx, offset ??_C@_1CM@KFMFNMGE@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC@NNGAKEGL@ ;	"C"
		jmp	loc_804984
; 

loc_804A60:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+AFj
					; DATA XREF: PAGE:off_804B32o
		mov	eax, [ebp+var_14] ; case 0x9
		cmp	[eax+4], bl
		mov	ebx, offset ??_C@_1DC@NFGPPJLC@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI@NNGAKEGL@ ;	"Control\\DeviceInterfaces"
		jnz	short loc_804A72
		mov	ebx, offset ??_C@_1CM@KFMFNMGE@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC@NNGAKEGL@ ;	"C"

loc_804A72:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+1A5j
		push	4
		pop	eax
		jmp	loc_804984
; 

loc_804A7A:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+AFj
					; DATA XREF: PAGE:off_804B32o
		push	4		; case 0xA
		pop	eax
		mov	ebx, offset ??_C@_1DC@BCICPNAD@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC@NNGAKEGL@
		jmp	loc_804984
; 

loc_804A87:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+AFj
					; DATA XREF: PAGE:off_804B32o
		push	4		; case 0xB
		pop	eax
		mov	ebx, offset ??_C@_1CK@JPNJFHHG@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAP@NNGAKEGL@ ;	"Control\\DevicePanels"
		jmp	loc_804984
; 

loc_804A94:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+AFj
					; DATA XREF: PAGE:off_804B32o
		push	4		; case 0xD
		pop	eax
		mov	ebx, offset ??_C@_1DG@KMHIMGCI@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAC?$AAo?$AAD?$AAe?$AAv?$AAi?$AAc@NNGAKEGL@ ;	"Control\\CoDeviceInstallers"
		jmp	loc_804984
; 

loc_804AA1:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+AFj
					; DATA XREF: PAGE:off_804B32o
		push	4		; case 0xE
		pop	eax
		mov	ebx, offset ??_C@_1CE@JCFICPFJ@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AA?5?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@NNGAKEGL@ ;	"Hardware Profiles"
		jmp	loc_804984
; 

loc_804AAE:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+109j
					; DATA XREF: PAGE:off_804B5Eo
		mov	[esi+20h], ecx	; case 0x5
		jmp	loc_8049D9
; 

loc_804AB6:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+109j
					; DATA XREF: PAGE:off_804B5Eo
		mov	[esi+24h], ecx	; case 0x6
		jmp	loc_8049D9
; 

loc_804ABE:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+109j
					; DATA XREF: PAGE:off_804B5Eo
		mov	[esi+28h], ecx	; case 0x7
		jmp	loc_8049D9
; 

loc_804AC6:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+109j
					; DATA XREF: PAGE:off_804B5Eo
		mov	[esi+2Ch], ecx	; case 0x8
		jmp	loc_8049D9
; 

loc_804ACE:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+109j
					; DATA XREF: PAGE:off_804B5Eo
		mov	[esi+30h], ecx	; case 0x9
		jmp	loc_8049D9
; 

loc_804AD6:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+109j
					; DATA XREF: PAGE:off_804B5Eo
		mov	[esi+34h], ecx	; case 0xA
		jmp	loc_8049D9
; 

loc_804ADE:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+109j
					; DATA XREF: PAGE:off_804B5Eo
		mov	[esi+38h], ecx	; case 0xB
		jmp	loc_8049D9
; 

loc_804AE6:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+109j
					; DATA XREF: PAGE:off_804B5Eo
		mov	[esi+40h], ecx	; case 0xD
		jmp	loc_8049D9
; 

loc_804AEE:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+109j
					; DATA XREF: PAGE:off_804B5Eo
		mov	[esi+44h], ecx	; case 0xE
		jmp	loc_8049D9
_PnpCtxGetCachedNodeBaseKey endp

; 
off_804AF6	dd offset loc_804A0A	; DATA XREF: _PnpCtxGetCachedNodeBaseKey+2Er
		dd offset loc_91A54C	; jump table for switch	statement
		dd offset loc_91A557
		dd offset loc_80491B
		dd offset loc_8048FB
		dd offset loc_804944
		dd offset loc_80493A
		dd offset loc_804935
		dd offset loc_804916
		dd offset loc_80493F
		dd offset loc_804A02
		dd offset loc_91A544
		dd offset loc_80494E
		dd offset loc_804949
		dd offset loc_8049FA
off_804B32	dd offset loc_804A16	; DATA XREF: _PnpCtxGetCachedNodeBaseKey+AFr
		dd offset loc_804A39	; jump table for switch	statement
		dd offset loc_804A46
		dd offset loc_804A53
		dd offset loc_804A60
		dd offset loc_804A7A
		dd offset loc_804A87
		dd offset loc_91A580
		dd offset loc_804A94
		dd offset loc_804AA1
		dd offset loc_80497C
off_804B5E	dd offset loc_804AAE	; DATA XREF: _PnpCtxGetCachedNodeBaseKey+109r
		dd offset loc_804AB6	; jump table for switch	statement
		dd offset loc_804ABE
		dd offset loc_804AC6
		dd offset loc_804ACE
		dd offset loc_804AD6
		dd offset loc_804ADE
		dd offset loc_91A599
		dd offset loc_804AE6
		dd offset loc_804AEE
		dd offset loc_8049D6

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxGetCachedContextBaseKeyNode(x, x, x)
__PnpCtxGetCachedContextBaseKeyNode@12 proc near
					; CODE XREF: _PnpCtxGetCachedContextBaseKey(x,x,x)+12p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+edx*4+34h]
		test	esi, esi
		jz	short loc_804BA8

loc_804B9B:				; CODE XREF: _PnpCtxGetCachedContextBaseKeyNode(x,x,x)+40j
		mov	eax, [ebp+arg_0]
		pop	edi
		mov	[eax], esi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
; 

loc_804BA8:				; CODE XREF: _PnpCtxGetCachedContextBaseKeyNode(x,x,x)+Fj
		mov	ecx, edx
		call	__PnpCtxGetPreferredBaseKeyNodeType@4 ;	_PnpCtxGetPreferredBaseKeyNodeType(x)
		lea	ecx, [eax-2]
		cmp	ecx, 1
		ja	short loc_804BC3
		add	eax, 2
		lea	eax, [edi+eax*8]
		mov	esi, [eax]
		cmp	esi, eax
		jnz	short loc_804BCC

loc_804BC3:				; CODE XREF: _PnpCtxGetCachedContextBaseKeyNode(x,x,x)+2Bj
		mov	esi, [edi+30h]

loc_804BC6:				; CODE XREF: _PnpCtxGetCachedContextBaseKeyNode(x,x,x)+45j
		mov	[edi+edx*4+34h], esi
		jmp	short loc_804B9B
; 

loc_804BCC:				; CODE XREF: _PnpCtxGetCachedContextBaseKeyNode(x,x,x)+37j
		add	esi, 0FFFFFFF8h
		jmp	short loc_804BC6
__PnpCtxGetCachedContextBaseKeyNode@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmOpenDeviceRegKey proc near		; CODE XREF: PiCMOpenDeviceKey+9Dp
					; IoOpenDeviceRegistryKey+8Cp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0091A5AB SIZE 00000061 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+18h+var_8], edx
		push	52504E50h
		push	2Ch
		push	1
		mov	ebx, [edi+100h]
		mov	[esp+24h+var_4], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_91A5AB
		push	2Ch		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[esi+8], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+10h], eax
		mov	al, [ebp+arg_C]
		mov	[esi+14h], al
		mov	eax, [ebp+arg_10]
		mov	[esi+18h], eax
		test	ebx, ebx
		jz	short loc_804C52
		push	esi
		push	1
		push	0Bh
		push	1
		push	[esp+28h+var_8]
		push	edi
		call	ebx
		cmp	eax, 0C0000002h
		jnz	loc_91A5B5
		xor	ebx, ebx

loc_804C52:				; CODE XREF: _CmOpenDeviceRegKey+63j
					; _CmOpenDeviceRegKey+1159ECj
		mov	edx, [esp+30h+var_20]
		lea	eax, [esi+1Ch]
		push	eax
		push	dword ptr [esi+18h]
		movzx	eax, byte ptr [esi+14h]
		mov	ecx, edi
		push	eax
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		call	_CmOpenDeviceRegKeyWorker
		mov	edi, eax
		test	ebx, ebx
		jnz	loc_91A5D5

loc_804C7C:				; CODE XREF: _CmOpenDeviceRegKey+1159FEj
					; _CmOpenDeviceRegKey+115A1Bj ...
		test	edi, edi
		js	short loc_804C87
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jnz	short loc_804C9A

loc_804C87:				; CODE XREF: _CmOpenDeviceRegKey+ACj
					; _CmOpenDeviceRegKey+CDj ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_804C8F:				; CODE XREF: _CmOpenDeviceRegKey+1159DEj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_804C9A:				; CODE XREF: _CmOpenDeviceRegKey+B3j
		mov	eax, [esi+1Ch]
		mov	[ecx], eax
		jmp	short loc_804C87
_CmOpenDeviceRegKey endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDeviceRegProp(x, x, x, x, x, x, x, x)
__CmGetDeviceRegProp@32	proc near	; CODE XREF: IoGetDeviceProperty+35Fp
					; PiGetDeviceRegProperty+49p ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[esp+40h+var_38], edx
		mov	edx, ecx
		mov	[esp+40h+var_28], eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_10]
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[esp+44h+var_30], ebx
		mov	[esp+44h+var_2C], ebx
		mov	[esp+44h+var_10], ebx
		mov	[esp+44h+var_C], ebx
		mov	[esp+44h+var_8], ebx
		mov	ebx, [edx+100h]
		mov	[esp+44h+var_24], eax
		mov	eax, [ebp+arg_14]
		mov	[esp+44h+var_20], esi
		mov	esi, [esp+44h+var_38]
		mov	[esp+44h+var_34], edx
		mov	[esp+44h+var_18], ecx
		mov	[esp+44h+var_14], eax
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[esp+48h+var_1C], edi
		test	ebx, ebx
		jz	short loc_804D34
		lea	eax, [esp+48h+var_30]
		push	eax
		push	1
		push	9
		push	1
		push	esi
		push	edx
		call	ebx
		cmp	eax, 0C0000002h
		jz	short loc_804DA3
		cmp	eax, 0C0000120h
		jz	short loc_804D9D
		test	eax, eax
		jnz	short loc_804DA7

loc_804D34:				; CODE XREF: _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)+6Fj
					; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)+103j
		push	[esp+60h+var_2C]
		mov	edi, [esp+64h+var_4C]
		mov	edx, esi
		push	[esp+64h+var_30]
		mov	ecx, edi
		push	[esp+68h+var_34]
		push	[esp+6Ch+var_38]
		push	[esp+70h+var_3C]
		push	[esp+74h+var_40]
		call	_CmGetDeviceRegPropWorker
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_804D87
		lea	eax, [esp+60h+var_48]
		mov	[esp+60h+var_48], esi
		push	eax
		push	2
		push	9
		push	1
		push	[esp+70h+var_50]
		push	edi
		call	ebx
		cmp	eax, 0C0000002h
		jz	short loc_804D87
		cmp	eax, 0C0000120h
		jz	short loc_804D9D
		test	eax, eax
		jnz	short loc_804DA7

loc_804D87:				; CODE XREF: _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)+BBj
					; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)+D8j ...
		mov	ecx, [esp+78h+var_34]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_804D9D:				; CODE XREF: _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)+8Cj
					; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)+DFj
		mov	esi, [esp+60h+var_48]
		jmp	short loc_804D87
; 

loc_804DA3:				; CODE XREF: _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)+85j
		xor	ebx, ebx
		jmp	short loc_804D34
; 

loc_804DA7:				; CODE XREF: _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)+90j
					; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)+E3j
		mov	esi, 0C00000E5h
		jmp	short loc_804D87
__CmGetDeviceRegProp@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPnpRtlCmActionCallback proc near	; DATA XREF: PiPnpRtlInit+11Eo

var_3A		= byte ptr -3Ah
var_39		= dword	ptr -39h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
Source2		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0091A60C SIZE 000005A8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_14]
		mov	[esp+44h+var_24], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+44h+var_34], edx
		mov	[esp+44h+var_2C], esi
		push	edi
		mov	edi, 0C0000002h
		cmp	eax, 0Dh
		jg	loc_804ED7
		jz	loc_805094
		dec	eax
		sub	eax, 1
		jz	loc_805069
		sub	eax, 1
		jz	loc_91A720
		sub	eax, 1
		jz	loc_8051A8
		sub	eax, 5
		jnz	short loc_804E89
		xor	ebx, ebx
		cmp	[ebp+arg_10], 1
		jnz	loc_804EA8
		test	dword ptr [esi+1Ch], 10000h
		jnz	short loc_804E6D
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	ecx
		mov	ecx, [ebp+arg_8]
		call	_PiDmObjectGetCachedCmProperty@28 ; PiDmObjectGetCachedCmProperty(x,x,x,x,x,x,x)
		test	eax, eax
		jns	loc_804F18
		cmp	eax, 0C0000225h
		jz	loc_804F18
		cmp	eax, 0C0000023h
		jz	loc_804F18
		cmp	eax, 0C0000034h
		jz	loc_804F18
		mov	edx, [esp+48h+var_34]
		mov	edi, ebx

loc_804E6D:				; CODE XREF: PiPnpRtlCmActionCallback+79j
		add	esi, 8
		cmp	[esi], ebx
		jnz	short loc_804E92
		mov	ecx, [ebp+arg_8]
		push	esi
		call	_CmMapCmObjectTypeToPnpObjectType
		mov	ecx, [esp+4Ch+var_24]
		push	eax
		call	_PiPnpRtlCacheObjectBaseKey@16 ; PiPnpRtlCacheObjectBaseKey(x,x,x,x)
		jmp	short loc_804E92
; 

loc_804E89:				; CODE XREF: PiPnpRtlCmActionCallback+64j
		sub	eax, 1
		jz	loc_804F24

loc_804E92:				; CODE XREF: PiPnpRtlCmActionCallback+C4j
					; PiPnpRtlCmActionCallback+D9j	...
		mov	ecx, [esp+48h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_804EA8:				; CODE XREF: PiPnpRtlCmActionCallback+6Cj
		mov	eax, [esi]
		test	eax, eax
		js	short loc_804ECB
		mov	eax, [esi+18h]
		push	dword ptr [eax]
		mov	eax, [esi+10h]
		push	dword ptr [esi+14h]
		push	dword ptr [eax]

loc_804EBB:				; CODE XREF: PiPnpRtlCmActionCallback+127j
		push	dword ptr [esi+0Ch]
		push	ecx
		mov	ecx, [ebp+arg_8]
		call	_PiDmObjectUpdateCachedCmProperty@28 ; PiDmObjectUpdateCachedCmProperty(x,x,x,x,x,x,x)

loc_804EC7:				; CODE XREF: PiPnpRtlCmActionCallback+122j
					; PiPnpRtlCmActionCallback+2DBj ...
		mov	edi, ebx
		jmp	short loc_804E92
; 

loc_804ECB:				; CODE XREF: PiPnpRtlCmActionCallback+FEj
		cmp	eax, 0C0000225h
		jnz	short loc_804EC7
		push	ebx
		push	ebx
		push	ebx
		jmp	short loc_804EBB
; 

loc_804ED7:				; CODE XREF: PiPnpRtlCmActionCallback+39j
		sub	eax, 0Eh
		jz	loc_91AAF0
		sub	eax, 1
		jz	loc_91A9D0
		sub	eax, 1
		jz	loc_805019
		sub	eax, 1
		jnz	short loc_804E92
		cmp	[ebp+arg_10], 1
		jnz	short loc_804E92
		test	dword ptr [esi+28h], 10000h
		jnz	short loc_804E92
		mov	ecx, esi
		call	PiPnpRtlGetFilteredDeviceInterfaceList

loc_804F0D:				; CODE XREF: PiPnpRtlCmActionCallback+289j
					; PiPnpRtlCmActionCallback+115966j
		cmp	eax, 0C0000016h
		jz	loc_91A719

loc_804F18:				; CODE XREF: PiPnpRtlCmActionCallback+92j
					; PiPnpRtlCmActionCallback+9Dj	...
		mov	[esi], eax

loc_804F1A:				; CODE XREF: PiPnpRtlCmActionCallback+2E1j
					; PiPnpRtlCmActionCallback+115D76j
		mov	edi, 0C0000120h
		jmp	loc_804E92
; 

loc_804F24:				; CODE XREF: PiPnpRtlCmActionCallback+DEj
		xor	ebx, ebx
		cmp	[ebp+arg_10], 1
		jnz	loc_805172
		test	dword ptr [esi+1Ch], 20000h
		mov	edi, ebx
		jnz	loc_80514E
		mov	eax, [esi+18h]
		mov	[esp+48h+var_2C], ebx
		mov	[esp+48h+var_30], ebx
		test	eax, eax
		jz	loc_805055
		push	47706E50h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+48h+var_30], edi
		test	edi, edi
		jz	loc_805055

loc_804F6D:				; CODE XREF: PiPnpRtlCmActionCallback+2B6j
		mov	eax, [esi+18h]
		mov	[esp+48h+var_39+1], eax
		mov	eax, [ebp+arg_8]
		mov	byte ptr [esp+48h+var_39], 1
		sub	eax, 1
		jnz	loc_91A60C
		mov	edx, [esi+0Ch]
		lea	eax, [esp+0Fh]
		push	eax
		call	__CmIsDeviceRegPropWritable@12 ; _CmIsDeviceRegPropWritable(x,x,x)
		test	eax, eax
		js	short loc_804FA0
		cmp	byte ptr [esp+48h+var_39], bl
		jz	loc_91A631

loc_804FA0:				; CODE XREF: PiPnpRtlCmActionCallback+1E6j
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+48h+var_39+1]
		push	ebx
		push	eax
		push	edi
		lea	eax, [esp+54h+var_2C]
		push	eax
		push	edx
		push	dword ptr [esi+8]
		mov	edx, [esp+60h+var_34]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)

loc_804FBF:				; CODE XREF: PiPnpRtlCmActionCallback+1158AFj
		mov	edi, eax
		test	edi, edi
		js	short loc_80503C
		mov	eax, [esp+48h+var_2C]
		cmp	eax, [esi+10h]
		jnz	short loc_80503C
		mov	eax, [esp+48h+var_39+1]
		cmp	eax, [esi+18h]
		jnz	short loc_80503C
		push	eax		; size_t
		push	dword ptr [esi+14h] ; void *
		mov	eax, [esp+50h+var_30]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_80503C

loc_804FEC:				; CODE XREF: PiPnpRtlCmActionCallback+299j
					; PiPnpRtlCmActionCallback+2A1j ...
		mov	[esi], edi
		mov	edi, 0C0000120h

loc_804FF3:				; CODE XREF: PiPnpRtlCmActionCallback+2A5j
		mov	eax, [esp+48h+var_30]
		test	eax, eax
		jz	short loc_805006
		push	47706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_805006:				; CODE XREF: PiPnpRtlCmActionCallback+24Bj
		test	edi, edi
		jz	loc_80514E

loc_80500E:				; CODE XREF: PiPnpRtlCmActionCallback+1158CDj
		js	loc_804E92
		jmp	loc_805159
; 

loc_805019:				; CODE XREF: PiPnpRtlCmActionCallback+13Ej
		cmp	[ebp+arg_10], 1
		jnz	loc_804E92
		test	dword ptr [esi+24h], 10000h
		jnz	loc_804E92
		mov	ecx, esi
		call	PiPnpRtlGetFilteredDeviceList
		jmp	loc_804F0D
; 

loc_80503C:				; CODE XREF: PiPnpRtlCmActionCallback+215j
					; PiPnpRtlCmActionCallback+21Ej ...
		cmp	edi, 0C0000225h
		jnz	short loc_805049
		cmp	[esi+18h], ebx
		jz	short loc_804FEC

loc_805049:				; CODE XREF: PiPnpRtlCmActionCallback+294j
		cmp	edi, 0C0000022h
		jz	short loc_804FEC

loc_805051:				; CODE XREF: PiPnpRtlCmActionCallback+115861j
		mov	edi, ebx
		jmp	short loc_804FF3
; 

loc_805055:				; CODE XREF: PiPnpRtlCmActionCallback+19Ej
					; PiPnpRtlCmActionCallback+1B9j
		mov	edi, ebx
		cmp	[esi+18h], ebx
		jnz	loc_80514E
		mov	edi, [esp+48h+var_30]
		jmp	loc_804F6D
; 

loc_805069:				; CODE XREF: PiPnpRtlCmActionCallback+49j
		cmp	[ebp+arg_10], 1
		jnz	loc_805128
		mov	ecx, [ebp+arg_8]
		xor	ebx, ebx
		push	ebx
		call	_CmMapCmObjectTypeToPnpObjectType
		mov	ecx, eax
		call	PiDmAddCacheReferenceForObject
		mov	[esi], eax
		test	eax, eax
		jns	loc_804EC7
		jmp	loc_804F1A
; 

loc_805094:				; CODE XREF: PiPnpRtlCmActionCallback+3Fj
		xor	ebx, ebx
		cmp	[ebp+arg_10], 1
		jz	loc_804EC7
		cmp	[ebp+arg_8], 5
		jnz	loc_91A966
		cmp	[esi], ebx
		jl	loc_804EC7
		lea	eax, [esp+48h+var_34]
		mov	[esp+48h+var_34], ebx
		push	eax
		push	5
		mov	edi, ebx
		mov	byte ptr [esp+50h+var_39], bl
		pop	ecx
		mov	[esp+4Ch+var_39+1], edi
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		test	eax, eax
		js	short loc_805105
		mov	edx, [esi+0Ch]
		lea	eax, [esp+48h+var_39+1]
		xor	ecx, ecx
		push	eax
		inc	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	edi, [esp+48h+var_39+1]
		test	eax, eax
		js	short loc_805105
		mov	edx, [esp+48h+var_34]
		lea	eax, [esp+48h+var_39]
		push	eax
		push	edi
		push	4
		pop	ecx
		call	_PiDmListAddObject@16 ;	PiDmListAddObject(x,x,x,x)
		cmp	byte ptr [esp+48h+var_39], bl
		jz	loc_91A956

loc_805105:				; CODE XREF: PiPnpRtlCmActionCallback+321j
					; PiPnpRtlCmActionCallback+339j ...
		cmp	[esp+48h+var_34], ebx
		jz	short loc_805114
		mov	ecx, [esp+48h+var_34]

loc_80510F:				; CODE XREF: PiPnpRtlCmActionCallback+115C1Dj
		call	PiDmObjectRelease

loc_805114:				; CODE XREF: PiPnpRtlCmActionCallback+35Bj
					; PiPnpRtlCmActionCallback+115C13j
		test	edi, edi
		jz	loc_804EC7
		mov	ecx, edi
		call	PiDmObjectRelease
		jmp	loc_804EC7
; 

loc_805128:				; CODE XREF: PiPnpRtlCmActionCallback+2BFj
		xor	eax, eax
		cmp	[esi], eax
		jl	short loc_805137
		cmp	[esi+10h], al
		jnz	loc_91A8FA

loc_805137:				; CODE XREF: PiPnpRtlCmActionCallback+37Ej
		push	ecx
		mov	ecx, [ebp+arg_8]
		call	_CmMapCmObjectTypeToPnpObjectType
		mov	ecx, eax
		call	PiDmRemoveCacheReferenceForObject

loc_805147:				; CODE XREF: PiPnpRtlCmActionCallback+115B68j
					; PiPnpRtlCmActionCallback+115BA3j
		xor	ebx, ebx
		jmp	loc_804EC7
; 

loc_80514E:				; CODE XREF: PiPnpRtlCmActionCallback+18Bj
					; PiPnpRtlCmActionCallback+25Aj ...
		lea	eax, [esi+8]
		cmp	[eax], ebx
		jz	loc_91A662

loc_805159:				; CODE XREF: PiPnpRtlCmActionCallback+266j
		cmp	[ebp+arg_8], 1
		jnz	loc_804E92
		cmp	dword ptr [esi+0Ch], 9
		jnz	loc_804E92
		jmp	loc_91A680
; 

loc_805172:				; CODE XREF: PiPnpRtlCmActionCallback+17Cj
		cmp	[esi], ebx
		jl	loc_804E92
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	ecx
		mov	ecx, [ebp+arg_8]
		call	_PiDmObjectUpdateCachedCmProperty@28 ; PiDmObjectUpdateCachedCmProperty(x,x,x,x,x,x,x)
		cmp	[ebp+arg_8], 1
		jnz	loc_804EC7
		cmp	dword ptr [esi+0Ch], 9
		jnz	loc_804EC7
		jmp	loc_91A6C5
; 

loc_8051A8:				; CODE XREF: PiPnpRtlCmActionCallback+5Bj
		cmp	[ebp+arg_10], 1
		jnz	loc_804E92
		test	dword ptr [esi+1Ch], 10000h
		jnz	loc_804E92
		jmp	loc_91A6FD
PiPnpRtlCmActionCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpConstructNameWithStatus proc	near	; CODE XREF: CmQueryLayeredKey+C9p
					; CmpTraceSecurityChanging+3Fp	...

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008CA20F SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		and	[esp+1Ch+var_18], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+28h+var_10]
		mov	[esp+28h+var_14], edx
		stosd
		mov	ebx, ecx
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		or	edi, 0FFFFFFFFh
		mov	word ptr [esp+28h+var_10+2], di
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	[esp+28h+var_19], al
		test	al, al
		jz	loc_8CA20F

loc_805213:				; CODE XREF: CmpConstructNameWithStatus+C5057j
		mov	edx, ebx
		lea	ecx, [esp+28h+var_10]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_805262
		cmp	[esp+28h+var_19], 0
		jz	short loc_805290
		xor	edx, edx
		lea	ecx, [esp+28h+var_10]
		call	CmpIsKeyStackDeleted
		test	al, al
		jnz	short loc_805290
		cmp	[ebx+14h], edi
		jz	loc_8CA220

loc_805243:				; CODE XREF: CmpConstructNameWithStatus+C5069j
		lea	edx, [esp+28h+var_18]
		lea	ecx, [esp+28h+var_10]
		call	CmpConstructNameFromKeyNodes

loc_805250:				; CODE XREF: CmpConstructNameWithStatus+D7j
		mov	esi, eax
		test	esi, esi
		js	short loc_805262
		mov	ecx, [esp+28h+var_14]
		xor	esi, esi
		mov	eax, [esp+28h+var_18]
		mov	[ecx], eax

loc_805262:				; CODE XREF: CmpConstructNameWithStatus+5Ej
					; CmpConstructNameWithStatus+90j
		mov	ecx, [esp+28h+var_4]
		test	ecx, ecx
		jnz	short loc_80529D

loc_80526A:				; CODE XREF: CmpConstructNameWithStatus+DEj
		cmp	[esp+28h+var_19], 0
		jz	short loc_805287
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_805287:				; CODE XREF: CmpConstructNameWithStatus+ABj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_805290:				; CODE XREF: CmpConstructNameWithStatus+65j
					; CmpConstructNameWithStatus+74j ...
		lea	edx, [esp+28h+var_18]
		mov	ecx, ebx
		call	CmpConstructNameFromKcbNameBlocks
		jmp	short loc_805250
; 

loc_80529D:				; CODE XREF: CmpConstructNameWithStatus+A4j
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_80526A
CmpConstructNameWithStatus endp


;  S U B	R O U T	I N E 


; __stdcall CmpStartKcbStackForTopLayerKcb(x, x)
_CmpStartKcbStackForTopLayerKcb@8 proc near ; CODE XREF: CmQueryLayeredKey+85p
					; CmDeleteLayeredKey(x,x,x)+96p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	dx, [edi+22h]
		call	CmpStartKcbStack
		mov	esi, eax
		test	esi, esi
		js	short loc_8052C5
		mov	edx, edi
		mov	ecx, ebx
		call	_CmpPopulateKcbStack@8 ; CmpPopulateKcbStack(x,x)

loc_8052C5:				; CODE XREF: CmpStartKcbStackForTopLayerKcb(x,x)+16j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_CmpStartKcbStackForTopLayerKcb@8 endp

; 
		align 10h
; Exported entry 252. CmCallbackGetKeyObjectIDEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CmCallbackGetKeyObjectIDEx
CmCallbackGetKeyObjectIDEx proc	near

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0091ABB4 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		and	[esp+38h+var_34], 0
		push	esi
		push	edi
		mov	esi, [ebp+arg_C]
		lea	edi, [esp+40h+var_1C]
		mov	edx, [ebp+arg_8]
		push	6
		pop	ecx
		rep stosd
		lea	edi, [esp+40h+var_2C]
		mov	[esp+40h+var_30], esi
		stosd
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [esp+40h+var_2C+2], ax
		test	ebx, ebx
		jz	loc_91ABBB
		cmp	dword ptr [ebx], 6B793032h
		jnz	loc_91ABBB
		cmp	[ebp+arg_0], 0
		jz	loc_91ABBB
		cmp	[ebp+arg_10], 0
		jnz	loc_91ABBB
		mov	ebx, [ebx+8]
		test	edx, edx
		jnz	loc_91ABB4

loc_805349:				; CODE XREF: CmCallbackGetKeyObjectIDEx+1158E6j
		test	esi, esi
		jz	loc_8053DA
		test	bl, 1
		jnz	loc_91ABBB
		lea	ecx, [esp+40h+var_1C]
		call	CmpAttachToRegistryProcess
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edx, ebx
		lea	ecx, [esp+40h+var_2C]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8053AC
		lea	ecx, [esp+40h+var_2C]
		call	_CmpLockKcbStackShared@4 ; CmpLockKcbStackShared(x)
		cmp	dword ptr [ebx+28h], 0
		jz	short loc_8053DE
		lea	edx, [esp+40h+var_34]
		mov	ecx, ebx
		call	CmpConstructNameWithStatus
		test	eax, eax
		js	short loc_8053DE
		mov	ecx, [esp+40h+var_30]
		xor	esi, esi
		mov	eax, [esp+40h+var_34]
		mov	[ecx], eax

loc_8053A3:				; CODE XREF: CmCallbackGetKeyObjectIDEx+113j
		lea	ecx, [esp+40h+var_2C]
		call	CmpUnlockKcbStack

loc_8053AC:				; CODE XREF: CmCallbackGetKeyObjectIDEx+A7j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		lea	ecx, [esp+40h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_8053BC:				; CODE XREF: CmCallbackGetKeyObjectIDEx+10Cj
					; CmCallbackGetKeyObjectIDEx+1158F0j
		mov	ecx, [esp+40h+var_20]
		test	ecx, ecx
		jnz	short loc_8053E5

loc_8053C4:				; CODE XREF: CmCallbackGetKeyObjectIDEx+11Aj
		mov	ecx, [esp+40h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8053DA:				; CODE XREF: CmCallbackGetKeyObjectIDEx+7Bj
		xor	esi, esi
		jmp	short loc_8053BC
; 

loc_8053DE:				; CODE XREF: CmCallbackGetKeyObjectIDEx+B6j
					; CmCallbackGetKeyObjectIDEx+C5j
		mov	esi, 0C000009Ah
		jmp	short loc_8053A3
; 

loc_8053E5:				; CODE XREF: CmCallbackGetKeyObjectIDEx+F2j
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_8053C4
CmCallbackGetKeyObjectIDEx endp

; 
		align 10h

CmpDelayCloseWorker:			; DATA XREF: CmpInitializeDelayedCloseTable()+13o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+78h], eax
		cmp	dword ptr [ebp+8], 0
		push	ebx
		push	esi
		push	edi
		jnz	loc_91ABC5
		xor	bl, bl

loc_805415:				; CODE XREF: PAGE:0091ABC7j
		xor	eax, eax
		mov	[esp+0Fh], bl
		mov	ecx, 6
		mov	dword ptr [esp+1Ch], 0
		lea	edi, [esp+28h]
		mov	dword ptr [esp+20h], 0
		rep stosd
		lea	ecx, [esp+28h]
		call	CmpAttachToRegistryProcess
		lea	ecx, [esp+1Ch]
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, offset _CmpDelayCloseWorkItemActive

loc_805452:				; CODE XREF: PAGE:00805582j
		test	bl, bl
		jnz	short loc_805460
		mov	eax, 2
		xchg	eax, [ecx]
		lea	ecx, [ecx+0]

loc_805460:				; CODE XREF: PAGE:00805454j
					; PAGE:00805563j
		xor	esi, esi
		mov	ecx, offset _CmpDelayedCloseTableLock
		mov	[esp+18h], esi
		call	ExAcquireFastMutex
		lea	edi, [esp+44h]

loc_805474:				; CODE XREF: PAGE:0080561Cj
		mov	eax, _CmpDelayedCloseElements
		cmp	eax, _CmpDelayedCloseSize
		ja	loc_8055BA
		test	bl, bl
		jnz	loc_91ABCC

loc_80548D:				; CODE XREF: PAGE:00805622j
					; PAGE:0091ABCEj
		mov	ecx, offset _CmpDelayedCloseTableLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		xor	ebx, ebx
		mov	[esp+10h], ebx
		test	esi, esi
		jz	loc_80555C
		lea	edi, [esp+4Ch]
		lea	esp, [esp+0]

loc_8054B0:				; CODE XREF: PAGE:00805556j
		mov	eax, [edi]
		mov	ecx, [edi-0Ch]
		push	eax
		call	CmpLockHashEntryExclusive
		cmp	ebx, esi
		jnb	loc_805541
		mov	ecx, esi
		lea	ebx, [edi-8]
		sub	ecx, [esp+10h]
		mov	[esp+14h], ecx

loc_8054D0:				; CODE XREF: PAGE:00805537j
		mov	eax, [ebx+8]
		cmp	eax, [edi]
		jnz	short loc_80552D
		mov	eax, [ebx-4]
		cmp	eax, [edi-0Ch]
		jnz	short loc_80552D
		cmp	byte ptr [ebx+4], 0
		jnz	short loc_80552D
		mov	esi, [ebx]
		xor	edx, edx
		lea	ecx, [esi+18h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+1Ch], eax
		xor	esi, esi
		mov	ecx, [ebx]
		mov	eax, ecx
		mov	edx, [ecx+6Ch]
		test	edx, edx
		jnz	loc_805627

loc_80550B:				; CODE XREF: PAGE:0080562Ej
					; PAGE:0091AC13j
		lea	edx, [esp+1Ch]
		mov	ecx, eax
		call	CmpCleanUpKcbCacheWithLock
		mov	ecx, [ebx]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		test	esi, esi
		jnz	loc_91AC18

loc_805525:				; CODE XREF: PAGE:0091AC1Fj
		mov	ecx, [esp+14h]
		mov	byte ptr [ebx+4], 1

loc_80552D:				; CODE XREF: PAGE:008054D5j
					; PAGE:008054DDj ...
		add	ebx, 10h
		sub	ecx, 1
		mov	[esp+14h], ecx
		jnz	short loc_8054D0
		mov	esi, [esp+18h]
		mov	ebx, [esp+10h]

loc_805541:				; CODE XREF: PAGE:008054BDj
		mov	eax, [edi]
		mov	ecx, [edi-0Ch]
		push	eax
		call	_CmpUnlockHashEntry@8 ;	CmpUnlockHashEntry(x,x)
		inc	ebx
		add	edi, 10h
		mov	[esp+10h], ebx
		cmp	ebx, esi
		jb	loc_8054B0

loc_80555C:				; CODE XREF: PAGE:0080549Fj
		mov	bl, [esp+0Fh]
		cmp	esi, 4
		jz	loc_805460
		test	bl, bl
		jnz	short loc_805588
		xor	ecx, ecx
		mov	eax, 2
		mov	edx, offset _CmpDelayCloseWorkItemActive
		lock cmpxchg [edx], ecx
		mov	ecx, edx
		cmp	eax, 2
		jnz	loc_805452

loc_805588:				; CODE XREF: PAGE:0080556Bj
		xor	dl, dl
		lea	ecx, [esp+1Ch]
		call	CmpDrainDelayDerefContext
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		lea	ecx, [esp+28h]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [esp+84h]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_8055BA:				; CODE XREF: PAGE:0080547Fj
					; PAGE:0091ABD4j
		mov	ecx, dword_6CE044
		cmp	dword ptr [ecx], offset	_CmpDelayedLRUListHead
		lea	edx, [ecx-78h]
		jnz	short loc_805639
		mov	ebx, [ecx+4]
		cmp	[ebx], ecx
		jnz	short loc_805639
		mov	dword_6CE044, ebx
		lea	ecx, [edi+4]
		mov	dword ptr [ebx], offset	_CmpDelayedLRUListHead
		dec	eax
		add	ds:dword_A94398, 0FFFFFFFFh
		mov	bl, [esp+0Fh]
		adc	ds:dword_A9439C, 0FFFFFFFFh
		inc	esi
		mov	_CmpDelayedCloseElements, eax
		mov	eax, [edx+10h]
		mov	[edi-4], eax
		mov	[edi], edx
		mov	byte ptr [ecx],	0
		mov	eax, [edx+8]
		mov	[edi+8], eax
		add	edi, 10h
		or	byte ptr [edx+20h], 4
		mov	[edx+78h], ecx
		mov	[esp+18h], esi
		cmp	esi, 4
		jb	loc_805474
		jmp	loc_80548D
; 

loc_805627:				; CODE XREF: PAGE:00805505j
		mov	edx, [edx+0Ch]
		mov	eax, ecx
		test	edx, edx
		jz	loc_80550B
		jmp	loc_91ABD9
; 

loc_805639:				; CODE XREF: PAGE:008055C9j
					; PAGE:008055D0j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1456. MmProbeAndLockProcessPages

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmProbeAndLockProcessPages
MmProbeAndLockProcessPages proc	near	; CODE XREF: CcAsyncReadPrefetch+6Ep

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	2Ch
		push	offset dword_6A54B8
		call	__SEH_prolog4_GS
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_3C], edx
		mov	ebx, [ebp+arg_4]
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		xor	esi, esi
		mov	[ebp+var_38], esi
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jz	short loc_805674
		xor	edi, edi
		inc	edi

loc_805674:				; CODE XREF: MmProbeAndLockProcessPages+29j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	ebx, eax
		jz	short loc_80569A
		xor	esi, esi
		inc	esi
		mov	[ebp+var_38], esi
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	KiStackAttachProcess
		mov	edx, [ebp+var_3C]

loc_80569A:				; CODE XREF: MmProbeAndLockProcessPages+3Cj
		and	[ebp+ms_exc.disabled], 0
		push	edi
		push	[ebp+arg_8]
		push	edx
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_8056C6
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
MmProbeAndLockProcessPages endp


;  S U B	R O U T	I N E 


sub_8056C6	proc near		; CODE XREF: MmProbeAndLockProcessPages+69p
					; PAGE:0091AC27j
		test	esi, esi
		jz	short locret_8056D4
		xor	edx, edx
		lea	ecx, [ebp-34h]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

locret_8056D4:				; CODE XREF: sub_8056C6+2j
		retn
sub_8056C6	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpUnlockHashEntry(x, x)
_CmpUnlockHashEntry@8 proc near		; CODE XREF: CmpDrainDelayDerefContext+CFE1Ap
					; PAGE:00805547p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_0]
		mov	esi, ecx
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		imul	ecx, eax, 0Ch
		xor	edx, edx
		add	ecx, [esi+434h]
		and	dword ptr [ecx+4], 0
		call	ExReleasePushLockEx
		or	eax, 0FFFFFFFFh
		lock xadd [esi+9D8h], eax
		jz	short loc_80570C

loc_805707:				; CODE XREF: CmpUnlockHashEntry(x,x)+3Dj
		pop	esi
		pop	ebp
		retn	4
; 

loc_80570C:				; CODE XREF: CmpUnlockHashEntry(x,x)+2Fj
		mov	ecx, esi
		call	_CmpDeleteHive@4 ; CmpDeleteHive(x)
		jmp	short loc_805707
_CmpUnlockHashEntry@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpDereferenceKeyControlBlockWithLock proc near	; CODE XREF: CmpDrainDelayDerefContext+71p
					; PAGE:00855027p ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 0091AC2C SIZE 000000A0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, edx
		or	ebx, 0FFFFFFFFh
		mov	[esp+0Ch+var_4], eax
		push	edi
		mov	edi, ebx
		mov	ecx, [esi+10h]
		lock xadd [esi], edi
		dec	edi
		cmp	edi, 2
		jz	loc_91AC2C

loc_805740:				; CODE XREF: CmpDereferenceKeyControlBlockWithLock+115539j
		test	edi, edi
		jnz	short loc_8057B6
		test	dword ptr [esi+68h], 40000h
		jnz	loc_91AC54
		mov	ecx, [esi+4]
		mov	edx, ecx
		and	dl, 20h
		and	ecx, 20000h
		cmp	[ebp+arg_0], 0
		setz	al
		neg	ecx
		sbb	cl, cl
		not	cl
		and	cl, al
		neg	dl
		sbb	dl, dl
		not	dl
		and	dl, cl
		cmp	_CmpHoldLazyFlush, edi
		jz	short loc_805798
		movzx	eax, word ptr [esi+6Ah]
		test	al, 10h
		setz	cl
		test	byte ptr [esi+4], 8
		setz	al
		and	cl, al
		neg	cl
		sbb	cl, cl
		not	cl
		and	dl, cl

loc_805798:				; CODE XREF: CmpDereferenceKeyControlBlockWithLock+66j
		mov	ecx, esi
		test	dl, dl
		jnz	short loc_8057BF
		mov	edx, [esp+10h+var_4]
		call	CmpCleanUpKcbCacheWithLock
		mov	eax, large fs:124h
		cmp	[esi+1Ch], eax
		jnz	loc_91ACB3

loc_8057B6:				; CODE XREF: CmpDereferenceKeyControlBlockWithLock+2Cj
					; CmpDereferenceKeyControlBlockWithLock+AEj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_8057BF:				; CODE XREF: CmpDereferenceKeyControlBlockWithLock+86j
		call	_CmpAddToDelayedClose@4	; CmpAddToDelayedClose(x)
		jmp	short loc_8057B6
CmpDereferenceKeyControlBlockWithLock endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCleanUpKcbCacheWithLock proc	near	; CODE XREF: CmpCleanUpKCBCacheTable(x)+98p
					; PAGE:00805511p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0091ACCC SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+14h+var_C], edx
		push	edi
		mov	[esp+18h+var_8], 0
		cmp	dword ptr [esi], 0
		jnz	loc_805953
		cmp	ds:_CmpTraceRoutine, 0
		jnz	loc_91ACCC

loc_805802:				; CODE XREF: CmpCleanUpKcbCacheWithLock+115507j
		movzx	eax, word ptr [esi+6Ah]
		test	al, 40h
		setz	cl
		test	byte ptr [esi+4], 8
		setnz	al
		test	cl, al
		jz	short loc_80582E
		mov	ecx, [esi+38h]
		call	_CmpDelayDerefKeyControlBlock@8	; CmpDelayDerefKeyControlBlock(x,x)
		mov	eax, 0FFF7h
		mov	dword ptr [esi+38h], 0
		and	[esi+4], ax

loc_80582E:				; CODE XREF: CmpCleanUpKcbCacheWithLock+44j
		mov	ebx, [esi+28h]
		xor	edx, edx
		lea	eax, [ebx+4]
		mov	[esp+18h+var_4], eax
		mov	eax, [eax]
		mov	ecx, eax
		shr	ecx, 9
		xor	ecx, eax
		imul	eax, ecx, 18AA3h
		mov	ecx, _CmpNameCacheTable
		mov	edi, eax
		shr	edi, 9
		xor	edi, eax
		and	edi, 7FFh
		shl	edi, 3
		lea	ecx, [edi+ecx]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebx]
		mov	eax, ecx
		shr	eax, 1
		and	ecx, 1
		lea	eax, ds:0FFFFFFFEh[eax*2]
		or	eax, ecx
		mov	[ebx], eax
		cmp	eax, 2
		jnb	short loc_8058B1
		mov	ecx, _CmpNameCacheTable
		add	ecx, 4
		add	ecx, edi
		jz	short loc_8058A5
		lea	ecx, [ecx+0]

loc_805890:				; CODE XREF: CmpCleanUpKcbCacheWithLock+198j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_8058A5
		cmp	eax, [esp+18h+var_4]
		jnz	loc_805963
		mov	eax, [eax+4]
		mov	[ecx], eax

loc_8058A5:				; CODE XREF: CmpCleanUpKcbCacheWithLock+BBj
					; CmpCleanUpKcbCacheWithLock+C4j ...
		mov	edx, 624E4D43h
		mov	ecx, ebx
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_8058B1:				; CODE XREF: CmpCleanUpKcbCacheWithLock+AEj
		mov	ecx, _CmpNameCacheTable
		xor	edx, edx
		lea	ecx, [edi+ecx]
		call	ExReleasePushLockEx
		test	byte ptr [esi+4], 4
		jnz	loc_91ACDC

loc_8058CB:				; CODE XREF: CmpCleanUpKcbCacheWithLock+11551Aj
		mov	eax, [esi+6Ch]
		test	eax, eax
		jnz	loc_8059A5

loc_8058D6:				; CODE XREF: CmpCleanUpKcbCacheWithLock+205j
		test	dword ptr [esi+4], 20000h
		lea	edi, [esi+8]
		mov	ebx, [esi+24h]
		jnz	loc_805973
		mov	eax, [edi]
		mov	ecx, eax
		mov	edx, [esi+10h]
		shr	ecx, 9
		xor	ecx, eax
		imul	eax, ecx, 18AA3h
		mov	ecx, eax
		shr	ecx, 9
		xor	ecx, eax
		mov	eax, [edx+438h]
		dec	eax
		and	ecx, eax
		mov	eax, [edx+434h]
		lea	ecx, [ecx+ecx*2]
		lea	ecx, [ecx+2]
		lea	ecx, [eax+ecx*4]
		test	ecx, ecx
		jz	short loc_80592F
		mov	edi, edi

loc_805920:				; CODE XREF: CmpCleanUpKcbCacheWithLock+18Fj
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_80592F
		cmp	eax, edi
		jnz	short loc_80595A
		mov	eax, [eax+4]
		mov	[ecx], eax

loc_80592F:				; CODE XREF: CmpCleanUpKcbCacheWithLock+14Cj
					; CmpCleanUpKcbCacheWithLock+154j ...
		or	dword ptr [esi+4], 80000h
		mov	eax, [esp+18h+var_8]
		mov	esi, [esp+18h+var_C]
		test	eax, eax
		jnz	loc_8059DA

loc_805946:				; CODE XREF: CmpCleanUpKcbCacheWithLock+213j
		test	ebx, ebx
		jz	short loc_805953
		mov	edx, esi
		mov	ecx, ebx
		call	_CmpDelayDerefKeyControlBlock@8	; CmpDelayDerefKeyControlBlock(x,x)

loc_805953:				; CODE XREF: CmpCleanUpKcbCacheWithLock+1Fj
					; CmpCleanUpKcbCacheWithLock+178j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_80595A:				; CODE XREF: CmpCleanUpKcbCacheWithLock+158j
		lea	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_805920
		jmp	short loc_80592F
; 

loc_805963:				; CODE XREF: CmpCleanUpKcbCacheWithLock+CAj
		lea	ecx, [eax+4]
		test	ecx, ecx
		jnz	loc_805890
		jmp	loc_8058A5
; 

loc_805973:				; CODE XREF: CmpCleanUpKcbCacheWithLock+113j
		mov	ecx, esi
		call	CmpLockDeletedHashEntryExclusiveByKcb
		mov	eax, [esi+8]
		mov	edi, [esi+10h]
		mov	ecx, edi
		push	eax
		call	_CmpGetDeletedHashIndexInHive@8	; CmpGetDeletedHashIndexInHive(x,x)
		lea	ecx, [esi+8]
		lea	edx, [eax+eax*2]
		mov	eax, [edi+43Ch]
		lea	edx, [eax+edx*4]
		call	_CmpRemoveKeyHashFromTableEntry@8 ; CmpRemoveKeyHashFromTableEntry(x,x)
		mov	ecx, esi
		call	_CmpUnlockDeletedHashEntryByKcb@4 ; CmpUnlockDeletedHashEntryByKcb(x)
		jmp	short loc_80592F
; 

loc_8059A5:				; CODE XREF: CmpCleanUpKcbCacheWithLock+100j
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jz	short loc_8059C6
		mov	edx, [eax]
		mov	ecx, [ecx+8]
		mov	[esp+18h+var_8], ecx
		cmp	[edx+4], eax
		jnz	short loc_8059E8
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_8059E8
		mov	[ecx], edx
		mov	[edx+4], ecx

loc_8059C6:				; CODE XREF: CmpCleanUpKcbCacheWithLock+1DAj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [esi+6Ch], 0
		jmp	loc_8058D6
; 

loc_8059DA:				; CODE XREF: CmpCleanUpKcbCacheWithLock+170j
		mov	edx, esi
		mov	ecx, eax
		call	_CmpDelayDerefKeyControlBlock@8	; CmpDelayDerefKeyControlBlock(x,x)
		jmp	loc_805946
; 

loc_8059E8:				; CODE XREF: CmpCleanUpKcbCacheWithLock+1E8j
					; CmpCleanUpKcbCacheWithLock+1EFj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
CmpCleanUpKcbCacheWithLock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDelayDerefKeyControlBlock(x, x)
_CmpDelayDerefKeyControlBlock@8	proc near
					; CODE XREF: CmpRemoveLayerLinkForDiscardedKcb(x,x)+20p
					; CmpCleanUpKcbCachedSymlink(x,x)+23p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+14h+var_4], edx
		push	edi
		mov	eax, [esi]
		mov	edi, [esi+10h]
		cmp	eax, 1
		jbe	short loc_805A49
		mov	edi, edi

loc_805A10:				; CODE XREF: CmpDelayDerefKeyControlBlock(x,x)+53j
		lea	edx, [eax-1]
		mov	[esp+18h+var_8], eax
		cmp	edx, 2
		jnz	short loc_805A32
		test	dword ptr [esi+68h], 40000h
		jz	short loc_805A32
		cmp	byte ptr [edi+6DCh], 1
		jnz	short loc_805A32
		mov	bl, 1
		jmp	short loc_805A34
; 

loc_805A32:				; CODE XREF: CmpDelayDerefKeyControlBlock(x,x)+2Aj
					; CmpDelayDerefKeyControlBlock(x,x)+33j ...
		xor	bl, bl

loc_805A34:				; CODE XREF: CmpDelayDerefKeyControlBlock(x,x)+40j
		mov	ecx, edx
		lock cmpxchg [esi], ecx
		cmp	eax, [esp+18h+var_8]
		jz	short loc_805A52
		cmp	eax, 1
		ja	short loc_805A10
		mov	edx, [esp+18h+var_4]

loc_805A49:				; CODE XREF: CmpDelayDerefKeyControlBlock(x,x)+1Cj
		lea	eax, [esi+78h]
		cmp	[eax], eax
		jnz	short loc_805A8B
		jmp	short loc_805A68
; 

loc_805A52:				; CODE XREF: CmpDelayDerefKeyControlBlock(x,x)+4Ej
		cmp	eax, edx
		jb	short loc_805A99
		test	bl, bl
		jz	short loc_805A84
		mov	ecx, edi
		call	CmpDoQueueLateUnloadWorker
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_805A68:				; CODE XREF: CmpDelayDerefKeyControlBlock(x,x)+60j
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jz	short loc_805A76
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_805A76:				; CODE XREF: CmpDelayDerefKeyControlBlock(x,x)+7Dj
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edx+4], eax
		or	byte ptr [esi+20h], 1

loc_805A84:				; CODE XREF: CmpDelayDerefKeyControlBlock(x,x)+68j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_805A8B:				; CODE XREF: CmpDelayDerefKeyControlBlock(x,x)+5Ej
		push	0
		push	1
		push	esi
		push	34h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_805A99:				; CODE XREF: CmpDelayDerefKeyControlBlock(x,x)+64j
		push	0
		push	0
		push	esi
		push	25h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_CmpDelayDerefKeyControlBlock@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLockHashEntryExclusive proc near	; CODE XREF: PAGE:008054B6p

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0091ACEF SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	edi, ecx
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		imul	esi, eax, 0Ch
		xor	edx, edx
		add	esi, [edi+434h]
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, edi
		mov	[esi+4], eax
		call	_CmpReferenceHive@4 ; CmpReferenceHive(x)
		test	al, al
		jz	loc_91ACEF
		pop	edi
		pop	esi
		pop	ebp
		retn	4
CmpLockHashEntryExclusive endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1870. PsQueryProcessAttributesByToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsQueryProcessAttributesByToken(x, x, x)
		public _PsQueryProcessAttributesByToken@12
_PsQueryProcessAttributesByToken@12 proc near
					; CODE XREF: PopEtGetProcessSidAndPackageIdentity(x,x,x)+32p
					; EtwpQueryTokenPackageInfo(x,x,x)+29p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_805B0A
		push	offset _PspSysAppIdClaim
		push	[ebp+arg_0]
		call	SeSecurityAttributePresent
		mov	[esi], al

loc_805B0A:				; CODE XREF: PsQueryProcessAttributesByToken(x,x,x)+Bj
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jnz	short loc_805B16

loc_805B11:				; CODE XREF: PsQueryProcessAttributesByToken(x,x,x)+37j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_805B16:				; CODE XREF: PsQueryProcessAttributesByToken(x,x,x)+21j
		push	(offset	loc_A405DF+1)
		push	[ebp+arg_0]
		call	SeSecurityAttributePresent
		mov	[esi], al
		jmp	short loc_805B11
_PsQueryProcessAttributesByToken@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetCmHiveFromVirtualPath(x, x)
_CmpGetCmHiveFromVirtualPath@8 proc near
					; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+53p
					; CmpVirtualPathPresent(x)+2Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		lea	edx, [ebp+var_8]
		call	_CmpGetVirtualizationIDFromFullVirtualPath@8 ; CmpGetVirtualizationIDFromFullVirtualPath(x,x)
		test	eax, eax
		js	short loc_805B51
		mov	edx, esi
		lea	ecx, [ebp+var_8]
		call	CmpGetMappingHiveForString

loc_805B51:				; CODE XREF: CmpGetCmHiveFromVirtualPath(x,x)+1Dj
		pop	esi
		leave
		retn
_CmpGetCmHiveFromVirtualPath@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetMappingHiveForString proc	near	; CODE XREF: CmpGetVirtualStoreRoot(x,x,x,x)+3Ap
					; CmpGetCmHiveFromVirtualPath(x,x)+24p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)
		mov	ecx, offset _CmpSIDMappingLock
		mov	esi, eax
		call	ExAcquireFastMutex
		mov	ecx, _CmSIDMappingCacheHit
		test	ecx, ecx
		js	short loc_805BCA
		cmp	ecx, _CmpSIDToHiveMappingCount
		jge	short loc_805BCA
		mov	edi, _CmpSIDToHiveMapping
		mov	edx, [ebp+var_4]
		shl	ecx, 4
		add	edi, ecx
		cmp	[edi+8], esi
		jnz	short loc_805BCD
		mov	ax, [edi]
		cmp	ax, [edx]
		jnz	short loc_805BCD
		push	ebx
		mov	ecx, edi
		call	CmpCompareUnicodeString
		test	eax, eax
		jnz	short loc_805BCA
		mov	ecx, [ebp+var_10]
		mov	eax, [edi+0Ch]
		mov	[ecx], eax

loc_805BB9:				; CODE XREF: CmpGetMappingHiveForString+C7j
					; CmpGetMappingHiveForString+D9j
		mov	ecx, offset _CmpSIDMappingLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_805BCA:				; CODE XREF: CmpGetMappingHiveForString+2Cj
					; CmpGetMappingHiveForString+34j ...
		mov	edx, [ebp+var_4]

loc_805BCD:				; CODE XREF: CmpGetMappingHiveForString+47j
					; CmpGetMappingHiveForString+4Fj
		mov	ecx, _CmpSIDToHiveMappingCount
		mov	edi, ebx
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	short loc_805C28
		mov	ecx, _CmpSIDToHiveMapping
		mov	eax, [ebp+var_8]
		mov	[ebp+var_C], ecx

loc_805BE8:				; CODE XREF: CmpLockHashEntryExclusive+115269j
		cmp	[ecx+8], esi
		jnz	loc_91ACFF
		mov	ax, [ecx]
		cmp	ax, [edx]
		jnz	short loc_805C20
		push	ebx
		call	CmpCompareUnicodeString
		test	eax, eax
		jnz	short loc_805C1D
		mov	eax, _CmpSIDToHiveMapping
		mov	ecx, edi
		add	ecx, ecx
		mov	_CmSIDMappingCacheHit, edi
		mov	eax, [eax+ecx*8+0Ch]
		mov	ecx, [ebp+var_10]
		mov	[ecx], eax
		jmp	short loc_805BB9
; 

loc_805C1D:				; CODE XREF: CmpGetMappingHiveForString+ADj
		mov	ecx, [ebp+var_C]

loc_805C20:				; CODE XREF: CmpGetMappingHiveForString+A3j
		mov	eax, [ebp+var_8]
		jmp	loc_91ACFF
; 

loc_805C28:				; CODE XREF: CmpGetMappingHiveForString+86j
					; CmpLockHashEntryExclusive+115260j
		mov	ebx, 0C0000225h
		jmp	short loc_805BB9
CmpGetMappingHiveForString endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCompareUnicodeString	proc near	; CODE XREF: CmpGetSymbolicLinkTarget+81Bp
					; CmpGetSymbolicLinkTarget+B0Cp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 0091AD16 SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [edx+4]
		mov	[ebp+var_8], eax
		movzx	eax, word ptr [ecx]
		push	ebx
		mov	ebx, [ecx+4]
		shr	ax, 1
		push	esi
		push	edi
		movzx	edi, ax
		movzx	eax, word ptr [edx]
		shr	ax, 1
		movzx	esi, ax
		test	di, di
		jz	short loc_805C93
		jmp	short loc_805C60
; 
		align 10h

loc_805C60:				; CODE XREF: CmpCompareUnicodeString+2Bj
					; CmpCompareUnicodeString+61j
		test	si, si
		jz	short loc_805C93
		mov	eax, [ebp+var_8]
		movzx	ecx, word ptr [ebx]
		add	ebx, 2
		mov	[ebp+var_4], ecx
		movzx	edx, word ptr [eax]
		add	eax, 2
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], eax
		cmp	cx, dx
		jnz	short loc_805CA4

loc_805C82:				; CODE XREF: CmpCompareUnicodeString+A3j
		add	edi, 0FFFFh
		add	esi, 0FFFFh
		test	di, di
		jnz	short loc_805C60

loc_805C93:				; CODE XREF: CmpCompareUnicodeString+29j
					; CmpCompareUnicodeString+33j
		movzx	ecx, si
		movzx	eax, di
		sub	eax, ecx

loc_805C9B:				; CODE XREF: CmpCompareUnicodeString+A7j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_805CA4:				; CODE XREF: CmpCompareUnicodeString+50j
		test	[ebp+arg_0], 1
		jnz	short loc_805CC1
		cmp	ecx, 61h
		jb	short loc_805CC1
		cmp	ecx, 7Ah
		ja	loc_91AD16
		add	ecx, 0FFE0h

loc_805CBE:				; CODE XREF: CmpCompareUnicodeString+1150F1j
		mov	[ebp+var_4], ecx

loc_805CC1:				; CODE XREF: CmpCompareUnicodeString+78j
					; CmpCompareUnicodeString+7Dj
		test	[ebp+arg_0], 2
		jz	loc_91AD26

loc_805CCB:				; CODE XREF: CmpCompareUnicodeString+1150FAj
					; CmpCompareUnicodeString+115113j ...
		movzx	eax, dx
		movzx	ecx, cx
		sub	ecx, eax
		jz	short loc_805C82
		mov	eax, ecx
		jmp	short loc_805C9B
CmpCompareUnicodeString	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpHashUnicodeComponent(x)
_CmpHashUnicodeComponent@4 proc	near	; CODE XREF: CmDeleteLayeredKey(x,x,x)+301p
					; CmpDoBuildVirtualStack(x,x,x,x,x)+1C0p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx]
		sub	esp, 8
		push	esi
		push	edi
		mov	edi, [ecx+4]
		xor	esi, esi
		movzx	ecx, ax
		test	ax, ax
		jz	short loc_805D1D
		dec	cx
		shr	cx, 1
		inc	cx
		push	ebx
		movzx	ebx, cx

loc_805D04:				; CODE XREF: CmpHashUnicodeComponent(x)+3Aj
		movzx	eax, word ptr [edi]
		cmp	eax, 61h
		jnb	short loc_805D25

loc_805D0C:				; CODE XREF: CmpHashUnicodeComponent(x)+50j
					; CmpHashUnicodeComponent(x)+5Cj
		imul	esi, 25h
		add	edi, 2
		movzx	eax, ax
		add	esi, eax
		sub	ebx, 1
		jnz	short loc_805D04
		pop	ebx

loc_805D1D:				; CODE XREF: CmpHashUnicodeComponent(x)+17j
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_805D25:				; CODE XREF: CmpHashUnicodeComponent(x)+2Aj
		cmp	eax, 7Ah
		ja	short loc_805D32
		add	eax, 0FFFFFFE0h
		movzx	eax, ax
		jmp	short loc_805D0C
; 

loc_805D32:				; CODE XREF: CmpHashUnicodeComponent(x)+48j
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		movzx	eax, ax
		jmp	short loc_805D0C
_CmpHashUnicodeComponent@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetVirtualizationIDFromFullVirtualPath(x, x)
_CmpGetVirtualizationIDFromFullVirtualPath@8 proc near
					; CODE XREF: CmpGetCmHiveFromVirtualPath(x,x)+16p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx]
		push	ebx
		push	esi
		mov	esi, [ecx+4]
		mov	ecx, 3
		push	edi
		mov	[edx], eax
		xor	edi, edi
		mov	[edx+4], esi
		mov	[ebp+var_4], ecx
		movzx	eax, ax

loc_805D60:				; CODE XREF: CmpGetVirtualizationIDFromFullVirtualPath(x,x)+43j
		cmp	word ptr [esi],	5Ch
		movzx	eax, ax
		jz	short loc_805D87

loc_805D69:				; CODE XREF: CmpGetVirtualizationIDFromFullVirtualPath(x,x)+4Dj
		movzx	eax, word ptr [edx]
		inc	edi
		movzx	ecx, di
		add	esi, 2
		add	ecx, ecx
		mov	[edx+4], esi
		mov	ebx, eax
		cmp	ecx, eax
		jnb	short loc_805DD5
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jnz	short loc_805D60
		jmp	short loc_805D91
; 

loc_805D87:				; CODE XREF: CmpGetVirtualizationIDFromFullVirtualPath(x,x)+27j
		sub	ecx, 1
		mov	[ebp+var_4], ecx
		jnz	short loc_805D69
		mov	ebx, eax

loc_805D91:				; CODE XREF: CmpGetVirtualizationIDFromFullVirtualPath(x,x)+45j
		lea	eax, [edi+edi]
		add	esi, 2
		sub	ebx, eax
		mov	[edx+4], esi
		sub	ebx, 2
		xor	edi, edi
		movzx	eax, bx
		xor	ecx, ecx
		mov	[edx], edi
		mov	ebx, 0C000000Dh
		mov	edi, eax
		test	edi, edi
		jz	short loc_805DCC
		xor	eax, eax

loc_805DB5:				; CODE XREF: CmpGetVirtualizationIDFromFullVirtualPath(x,x)+86j
		cmp	word ptr [esi+eax], 5Ch
		jz	short loc_805DCA
		add	word ptr [edx],	2
		inc	ecx
		lea	eax, [ecx+ecx]
		cmp	eax, edi
		jb	short loc_805DB5
		jmp	short loc_805DCC
; 

loc_805DCA:				; CODE XREF: CmpGetVirtualizationIDFromFullVirtualPath(x,x)+7Aj
		xor	ebx, ebx

loc_805DCC:				; CODE XREF: CmpGetVirtualizationIDFromFullVirtualPath(x,x)+71j
					; CmpGetVirtualizationIDFromFullVirtualPath(x,x)+88j
		mov	eax, ebx

loc_805DCE:				; CODE XREF: CmpGetVirtualizationIDFromFullVirtualPath(x,x)+9Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_805DD5:				; CODE XREF: CmpGetVirtualizationIDFromFullVirtualPath(x,x)+3Cj
		mov	eax, 0C000000Dh
		jmp	short loc_805DCE
_CmpGetVirtualizationIDFromFullVirtualPath@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpVEExecuteParseLogic proc near	; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+807p

var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0091AD53 SIZE 00000052 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		cmp	_CmpVEEnabled, 0
		push	ebx
		push	esi
		push	edi
		mov	[esp+38h+var_24], edx
		mov	esi, ecx
		jz	short loc_805E66
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+14h], 10h
		jnz	short loc_805E66
		cmp	word ptr [esi+22h], 0
		jnz	short loc_805E66
		mov	edi, [esi+10h]
		cmp	edi, ds:_CmpMasterHive
		jz	short loc_805E66
		xor	eax, eax
		mov	[esp+38h+var_1C], esi
		mov	[esp+38h+var_20], eax
		mov	[esp+38h+var_18], eax
		mov	[esp+38h+var_14], eax
		mov	word ptr [esp+38h+var_20+2], ax
		xor	ebx, ebx

loc_805E31:				; CODE XREF: CmpVEExecuteParseLogic+98j
		movsx	ecx, bx
		cmp	bx, 2
		jge	loc_91AD53
		mov	ecx, [esp+ecx*4+38h+var_1C]

loc_805E42:				; CODE XREF: CmpVEExecuteParseLogic+114F7Aj
		xor	edx, edx
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		cmp	eax, 1
		jz	short loc_805E7A
		cmp	dword ptr [ecx+14h], 0FFFFFFFFh
		jz	short loc_805E74
		test	byte ptr [edi+980h], 10h
		jnz	short loc_805E7A
		test	dword ptr [esi+68h], 2000000h
		jnz	short loc_805E7A

loc_805E66:				; CODE XREF: CmpVEExecuteParseLogic+1Bj
					; CmpVEExecuteParseLogic+24j ...
		mov	eax, 0C0000271h

loc_805E6B:				; CODE XREF: CmpVEExecuteParseLogic+114FC0j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_805E74:				; CODE XREF: CmpVEExecuteParseLogic+72j
		dec	ebx
		test	bx, bx
		jns	short loc_805E31

loc_805E7A:				; CODE XREF: CmpVEExecuteParseLogic+6Cj
					; CmpVEExecuteParseLogic+7Bj ...
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		mov	[esp+38h+var_29], dl
		mov	[esp+38h+var_10], eax
		mov	[esp+38h+var_C], eax
		lea	edi, [ebx+0Ch]
		mov	[esp+38h+var_8], eax
		mov	[esp+38h+var_4], eax
		test	edi, edi
		jz	short loc_805EA4
		mov	eax, [edi]
		test	al, 1
		jnz	loc_805F62

loc_805EA4:				; CODE XREF: CmpVEExecuteParseLogic+B8j
		cmp	[ebp+arg_8], dl
		jz	short loc_805E66
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	loc_91AD5F

loc_805EB4:				; CODE XREF: CmpVEExecuteParseLogic+114F9Fj
		mov	ecx, [eax]
		mov	[esp+38h+var_28], 0
		test	ecx, ecx
		jnz	loc_805F50
		mov	eax, [eax+8]

loc_805EC9:				; CODE XREF: CmpVEExecuteParseLogic+172j
		test	ecx, ecx
		jnz	short loc_805EE1
		lea	ecx, [esp+38h+var_28]
		push	ecx
		push	18h
		push	eax
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		cmp	[esp+38h+var_28], 0
		jnz	short loc_805F57

loc_805EE1:				; CODE XREF: CmpVEExecuteParseLogic+EBj
		mov	al, 1

loc_805EE3:				; CODE XREF: CmpVEExecuteParseLogic+179j
		mov	[esp+38h+var_2A], al
		test	edi, edi
		jz	short loc_805EFA
		mov	ecx, [edi]
		test	al, al
		jz	short loc_805F5B
		or	ecx, 3

loc_805EF4:				; CODE XREF: CmpVEExecuteParseLogic+180j
		mov	[esp+38h+var_2A], al
		mov	[edi], ecx

loc_805EFA:				; CODE XREF: CmpVEExecuteParseLogic+109j
		cmp	[esp+38h+var_29], 0
		jnz	loc_91AD84

loc_805F05:				; CODE XREF: CmpVEExecuteParseLogic+114FB2j
		test	al, al
		jnz	loc_805E66

loc_805F0D:				; CODE XREF: CmpVEExecuteParseLogic+18Aj
		test	byte ptr [ebx],	8
		jnz	loc_805E66
		test	byte ptr [ebx+60h], 1
		jnz	short loc_805F28
		lea	ecx, [ebx+64h]
		call	CmpAttachToRegistryProcess
		or	dword ptr [ebx+60h], 1

loc_805F28:				; CODE XREF: CmpVEExecuteParseLogic+13Aj
		test	dword ptr [esi+68h], 2000000h
		mov	ecx, esi
		mov	edx, [esp+38h+var_24]
		jnz	loc_91AD97
		push	[ebp+arg_C]
		push	[ebp+arg_4]
		push	ebx
		call	_CmpVEExecuteRealStoreParseLogic@20 ; CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_805F50:				; CODE XREF: CmpVEExecuteParseLogic+E0j
		mov	eax, ecx
		jmp	loc_805EC9
; 

loc_805F57:				; CODE XREF: CmpVEExecuteParseLogic+FFj
		xor	al, al
		jmp	short loc_805EE3
; 

loc_805F5B:				; CODE XREF: CmpVEExecuteParseLogic+10Fj
		or	ecx, 5
		xor	al, al
		jmp	short loc_805EF4
; 

loc_805F62:				; CODE XREF: CmpVEExecuteParseLogic+BEj
		test	al, 2
		jnz	loc_805E66
		jmp	short loc_805F0D
CmpVEExecuteParseLogic endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVEExecuteRealStoreParseLogic(x, x, x, x,	x)
_CmpVEExecuteRealStoreParseLogic@20 proc near ;	CODE XREF: CmpVEExecuteParseLogic+162p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_6		= dword	ptr -6
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_18], edx
		xor	ecx, ecx
		mov	[ebp+var_14], esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_24], ecx
		mov	word ptr [ebp+var_24], ax
		mov	ebx, ecx
		push	ecx
		lea	eax, [ebp+var_20]
		mov	[ebp+var_28], ecx
		or	[ebp+var_28], 0FFFFFFFFh
		mov	edi, ecx
		push	eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	byte ptr [ebp+var_6], cl
		mov	[ebp+var_C], ecx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	edx, edx
		mov	ecx, esi
		call	_CmpIsKeyDeleted@8 ; CmpIsKeyDeleted(x,x)
		test	al, al
		jnz	short loc_806035
		mov	ecx, [esi+10h]
		xor	edx, edx
		push	edi
		call	CmpBlockHiveWrites
		mov	esi, eax
		test	esi, esi
		js	loc_8060B6
		mov	esi, [ebp+var_14]
		lea	eax, [ebp+var_C]
		mov	edx, [ebp+var_18]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_10]
		mov	ebx, [esi+10h]
		push	eax
		push	edi
		push	edi
		call	_CmpFindPathByNameEx@24	; CmpFindPathByNameEx(x,x,x,x,x,x)
		mov	byte ptr [ebp+var_6+1],	al
		test	al, al
		jz	short loc_806027
		mov	esi, [ebp+var_C]
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_10]
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jnz	short loc_80600F
		mov	esi, 0C000009Ah
		jmp	loc_8060B6
; 

loc_80600F:				; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+97j
		test	dword ptr [edi+34h], 200000h
		jnz	loc_8060B1
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	esi, [ebp+var_14]

loc_806027:				; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+83j
		mov	ecx, [esi+10h]
		xor	edx, edx
		push	0
		call	CmpUnblockHiveWrites
		jmp	short loc_806038
; 

loc_806035:				; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+4Dj
		mov	byte ptr [ebp+var_6+1],	bl

loc_806038:				; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+C7j
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+arg_8]
		mov	ecx, esi
		call	_CmRealKCBToVirtualPath@16 ; CmRealKCBToVirtualPath(x,x,x,x)
		mov	esi, eax
		xor	ebx, ebx
		xor	edi, edi
		test	esi, esi
		js	short loc_8060B6
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_6]
		push	eax
		lea	edx, [ebp+var_20]
		xor	ecx, ecx
		or	dword ptr [esi], 8
		call	_CmpVirtualBranchIsReplicated@12 ; CmpVirtualBranchIsReplicated(x,x,x)
		test	al, al
		jz	short loc_80609E

loc_80606B:				; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+13Fj
		mov	esi, [ebp+arg_4]
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_80607D
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_80607D:				; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+107j
		mov	eax, [ebp+var_20]
		mov	[esi], eax
		mov	eax, [ebp+var_1C]
		mov	[esi+4], eax
		lea	eax, [ebp+var_20]
		push	0
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ebx, ebx
		mov	esi, 104h
		xor	edi, edi
		jmp	short loc_8060B6
; 

loc_80609E:				; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+FDj
		test	byte ptr [esi],	1
		jz	short loc_8060AD
		cmp	byte ptr [ebp+var_6+1],	bl
		jnz	short loc_8060AD
		cmp	byte ptr [ebp+var_6], bl
		jnz	short loc_80606B

loc_8060AD:				; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+135j
					; CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+13Aj
		xor	ebx, ebx
		xor	edi, edi

loc_8060B1:				; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+AAj
		mov	esi, 0C0000271h

loc_8060B6:				; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+5Ej
					; CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+9Ej ...
		cmp	[ebp+var_1C], 0
		jz	short loc_8060C6
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8060C6:				; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+14Ej
		test	edi, edi
		jz	short loc_8060D5
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [ebp+var_C]
		push	eax
		call	dword ptr [eax+8]

loc_8060D5:				; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+15Cj
		test	ebx, ebx
		jz	short loc_8060E4
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	CmpUnblockHiveWrites

loc_8060E4:				; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+16Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_CmpVEExecuteRealStoreParseLogic@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpIsKeyDeleted(x, x)
_CmpIsKeyDeleted@8 proc	near		; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+46p
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+4D1p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], eax
		push	edi
		mov	[ebp+var_C], eax
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_8], eax
		mov	edi, edx
		mov	dx, [esi+22h]
		mov	[ebp+var_4], eax
		or	eax, 0FFFFFFFFh
		mov	word ptr [ebp+var_10+2], ax
		call	CmpStartKcbStack
		test	eax, eax
		js	short loc_80612E
		mov	edx, esi
		lea	ecx, [ebp+var_10]
		call	_CmpPopulateKcbStack@8 ; CmpPopulateKcbStack(x,x)

loc_80612E:				; CODE XREF: CmpIsKeyDeleted(x,x)+32j
		mov	edx, edi
		lea	ecx, [ebp+var_10]
		call	CmpIsKeyStackDeleted
		mov	ecx, [ebp+var_4]
		mov	bl, al
		test	ecx, ecx
		jnz	short loc_80614A

loc_806141:				; CODE XREF: CmpIsKeyDeleted(x,x)+5Fj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_80614A:				; CODE XREF: CmpIsKeyDeleted(x,x)+4Fj
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_806141
_CmpIsKeyDeleted@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpUnblockHiveWrites proc near		; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+C2p
					; CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+173p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0091ADA5 SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		test	esi, esi
		jz	loc_91ADA5
		or	edi, 0FFFFFFFFh
		lea	ebx, [esi+24h]
		mov	eax, edi
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_806191

loc_806178:				; CODE XREF: CmpUnblockHiveWrites+46j
		mov	ecx, ebx
		call	KeAbPostRelease

loc_80617F:				; CODE XREF: CmpUnblockHiveWrites+114CA9j
		lock xadd [esi+9D8h], edi
		dec	edi
		jz	short loc_80619A

loc_80618A:				; CODE XREF: CmpUnblockHiveWrites+4Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_806191:				; CODE XREF: CmpUnblockHiveWrites+24j
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_806178
; 

loc_80619A:				; CODE XREF: CmpUnblockHiveWrites+36j
		mov	ecx, esi
		call	_CmpDeleteHive@4 ; CmpDeleteHive(x)
		jmp	short loc_80618A
CmpUnblockHiveWrites endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpBlockHiveWrites proc	near		; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+55p
					; IopMountVolume+13CBFBp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0091AE0A SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		xor	ecx, ecx
		call	CmpGetNextHive
		mov	esi, eax
		test	esi, esi
		jz	short loc_8061D7
		mov	ebx, [ebp+arg_0]

loc_8061C2:				; CODE XREF: CmpBlockHiveWrites+31j
		cmp	edi, esi
		jz	short loc_8061E2
		test	edi, edi
		jz	short loc_8061E2

loc_8061CA:				; CODE XREF: CmpBlockHiveWrites+60j
		mov	ecx, esi
		call	CmpGetNextHive
		mov	esi, eax
		test	esi, esi
		jnz	short loc_8061C2

loc_8061D7:				; CODE XREF: CmpBlockHiveWrites+19j
		test	edi, edi
		jz	short loc_806213
		mov	eax, 0C0000034h
		jmp	short loc_806215
; 

loc_8061E2:				; CODE XREF: CmpBlockHiveWrites+20j
					; CmpBlockHiveWrites+24j
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jnz	loc_91AE0A

loc_8061ED:				; CODE XREF: CmpBlockHiveWrites+114C70j
					; CmpBlockHiveWrites+114C82j
		mov	ecx, esi
		call	_CmpReferenceHive@4 ; CmpReferenceHive(x)
		test	ebx, ebx
		jnz	short loc_80621C

loc_8061F8:				; CODE XREF: CmpBlockHiveWrites+7Aj
		lea	ecx, [esi+24h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx

loc_806202:				; CODE XREF: CmpBlockHiveWrites+114C7Cj
		cmp	edi, esi
		jnz	short loc_8061CA
		or	eax, 0FFFFFFFFh
		lock xadd [esi+9D8h], eax
		jz	short loc_806220

loc_806213:				; CODE XREF: CmpBlockHiveWrites+35j
					; CmpBlockHiveWrites+83j
		xor	eax, eax

loc_806215:				; CODE XREF: CmpBlockHiveWrites+3Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_80621C:				; CODE XREF: CmpBlockHiveWrites+52j
		mov	[ebx], esi
		jmp	short loc_8061F8
; 

loc_806220:				; CODE XREF: CmpBlockHiveWrites+6Dj
		mov	ecx, esi
		call	_CmpDeleteHive@4 ; CmpDeleteHive(x)
		jmp	short loc_806213
CmpBlockHiveWrites endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetNextHive	proc near		; CODE XREF: CmpDoFlushAll(x):loc_557F04p
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x):loc_74FC5Fp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0091AE2B SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], esi
		test	esi, esi
		jz	short loc_8062B0
		lea	ebx, [esi+420h]

loc_80624A:				; CODE XREF: CmpGetNextHive+85j
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		call	ExAcquirePushLockSharedEx
		mov	ebx, [ebx]
		cmp	ebx, offset _CmpHiveListHead
		jz	short loc_80628A

loc_806260:				; CODE XREF: CmpGetNextHive+114C05j
		mov	edx, [ebx+5B8h]
		lea	edi, [ebx-420h]
		test	edx, edx
		jz	loc_91AE2B

loc_806274:				; CODE XREF: CmpGetNextHive+8Bj
		lea	ecx, [edx+1]
		mov	eax, edx
		lea	esi, [edi+9D8h]
		lock cmpxchg [esi], ecx
		mov	esi, [ebp+var_4]
		cmp	eax, edx
		jnz	short loc_8062B7

loc_80628A:				; CODE XREF: CmpGetNextHive+2Ej
					; CmpGetNextHive+114C0Bj
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		call	ExReleasePushLockEx
		test	esi, esi
		jz	short loc_8062A7
		or	ecx, 0FFFFFFFFh
		lock xadd [esi+9D8h], ecx
		jz	short loc_8062C2

loc_8062A7:				; CODE XREF: CmpGetNextHive+68j
					; CmpGetNextHive+99j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8062B0:				; CODE XREF: CmpGetNextHive+12j
		mov	ebx, offset _CmpHiveListHead
		jmp	short loc_80624A
; 

loc_8062B7:				; CODE XREF: CmpGetNextHive+58j
		mov	edx, eax
		test	eax, eax
		jnz	short loc_806274
		jmp	loc_91AE2B
; 

loc_8062C2:				; CODE XREF: CmpGetNextHive+75j
		mov	ecx, esi
		call	_CmpDeleteHive@4 ; CmpDeleteHive(x)
		jmp	short loc_8062A7
CmpGetNextHive	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLockHashEntryExclusiveByKcb proc near ; CODE	XREF: CmpRemoveHiveFromNamespace(x,x,x)+12p
					; CmpDrainDelayDerefContext+4Ep ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+10h]
		mov	ecx, ebx
		push	dword ptr [eax+8]
		mov	[ebp+var_4], eax
		mov	esi, [ebx+434h]
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		imul	edi, eax, 0Ch
		mov	ecx, ebx
		mov	eax, [ebp+var_4]
		push	dword ptr [eax+8]
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		imul	ecx, eax, 0Ch
		xor	edx, edx
		add	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, ebx
		mov	[edi+esi+4], eax
		call	_CmpReferenceHive@4 ; CmpReferenceHive(x)
		test	al, al
		jz	loc_8F43DE
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CmpLockHashEntryExclusiveByKcb endp

; 
		align 4

;  S U B	R O U T	I N E 


CmpLockHashEntrySharedByKcb proc near	; CODE XREF: CmpPerformCompleteKcbCacheLookup+5DBp
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+4B2p ...

; FUNCTION CHUNK AT 0091AE40 SIZE 00000023 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+10h]
		mov	ecx, esi
		push	dword ptr [edi+8]
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		imul	ecx, eax, 0Ch
		xor	edx, edx
		add	ecx, [esi+434h]
		call	ExAcquirePushLockSharedEx
		mov	ecx, esi
		call	_CmpReferenceHive@4 ; CmpReferenceHive(x)
		test	al, al
		jz	loc_91AE40
		pop	edi
		pop	esi
		retn
CmpLockHashEntrySharedByKcb endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpBlockTwoHiveWrites proc near		; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+A0p
					; CmpVirtualPathPresent(x)+3Dp	...

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 0091AE63 SIZE 000000A2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	edi
		xor	edx, edx
		mov	[ebp+var_C], ebx
		mov	ecx, offset _CmpHiveListHeadLock
		mov	[ebp+var_1], 0
		mov	[ebp+var_2], 0
		xor	esi, esi
		call	ExAcquirePushLockSharedEx
		mov	edi, ds:_CmpHiveListHead
		cmp	edi, offset _CmpHiveListHead
		jz	short loc_8063B9
		jmp	short loc_8063A0
; 
		align 10h

loc_8063A0:				; CODE XREF: CmpBlockTwoHiveWrites+37j
					; CmpLockHashEntrySharedByKcb+114B30j
		lea	esi, [edi-420h]
		lea	ecx, [esi+430h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_91AE4E

loc_8063B9:				; CODE XREF: CmpBlockTwoHiveWrites+35j
					; CmpLockHashEntrySharedByKcb+114B36j
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		call	ExReleasePushLockEx
		test	esi, esi
		jz	short loc_80643E
		lea	esp, [esp+0]

loc_8063D0:				; CODE XREF: CmpBlockTwoHiveWrites+DCj
		mov	edi, [ebp+var_8]
		cmp	ebx, esi
		jz	short loc_806443
		cmp	edi, esi
		jz	short loc_806443

loc_8063DB:				; CODE XREF: CmpBlockTwoHiveWrites+10Dj
					; CmpBlockTwoHiveWrites+119j
		xor	edi, edi
		test	esi, esi
		jz	loc_91AE63
		lea	ebx, [esi+420h]

loc_8063EB:				; CODE XREF: CmpBlockTwoHiveWrites+114B08j
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		call	ExAcquirePushLockSharedEx
		mov	ebx, [ebx]
		cmp	ebx, offset _CmpHiveListHead
		jz	short loc_80641A

loc_806401:				; CODE XREF: CmpBlockTwoHiveWrites+114B17j
		lea	edi, [ebx-420h]
		lea	ecx, [edi+430h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_91AE6D

loc_80641A:				; CODE XREF: CmpBlockTwoHiveWrites+9Fj
					; CmpBlockTwoHiveWrites+114B1Dj
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		call	ExReleasePushLockEx
		test	esi, esi
		jz	short loc_806435
		lea	ecx, [esi+430h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_806435:				; CODE XREF: CmpBlockTwoHiveWrites+C8j
		mov	ebx, [ebp+var_C]
		mov	esi, edi
		test	edi, edi
		jnz	short loc_8063D0

loc_80643E:				; CODE XREF: CmpBlockTwoHiveWrites+67j
		mov	edi, [ebp+var_8]
		jmp	short loc_80648A
; 

loc_806443:				; CODE XREF: CmpBlockTwoHiveWrites+75j
					; CmpBlockTwoHiveWrites+79j
		cmp	[ebp+arg_0], 0
		jz	short loc_806450
		mov	ecx, esi
		call	_CmpReferenceHive@4 ; CmpReferenceHive(x)

loc_806450:				; CODE XREF: CmpBlockTwoHiveWrites+E7j
		lea	ecx, [esi+24h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		cmp	ebx, esi
		jnz	short loc_8064AF
		mov	al, [ebp+var_2]
		mov	cl, 1
		mov	[ebp+var_1], cl

loc_806466:				; CODE XREF: CmpBlockTwoHiveWrites+157j
		test	ebx, ebx
		jz	short loc_806473
		cmp	cl, 1
		jnz	loc_8063DB

loc_806473:				; CODE XREF: CmpBlockTwoHiveWrites+108j
		test	edi, edi
		jz	short loc_80647F
		cmp	al, 1
		jnz	loc_8063DB

loc_80647F:				; CODE XREF: CmpBlockTwoHiveWrites+115j
		lea	ecx, [esi+430h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_80648A:				; CODE XREF: CmpBlockTwoHiveWrites+E1j
		mov	cl, [ebp+var_1]
		test	ebx, ebx
		jz	short loc_806495
		test	cl, cl
		jz	short loc_8064B9

loc_806495:				; CODE XREF: CmpBlockTwoHiveWrites+12Fj
		test	edi, edi
		jz	short loc_8064A4
		mov	al, [ebp+var_2]
		test	al, al
		jz	loc_91AE82

loc_8064A4:				; CODE XREF: CmpBlockTwoHiveWrites+137j
		xor	eax, eax

loc_8064A6:				; CODE XREF: CmpBlockTwoHiveWrites+114BA0j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_8064AF:				; CODE XREF: CmpBlockTwoHiveWrites+FCj
		mov	cl, [ebp+var_1]
		mov	al, 1
		mov	[ebp+var_2], al
		jmp	short loc_806466
; 

loc_8064B9:				; CODE XREF: CmpBlockTwoHiveWrites+133j
		mov	al, [ebp+var_2]
		jmp	loc_91AE82
CmpBlockTwoHiveWrites endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpReferenceHive(x)
_CmpReferenceHive@4 proc near		; CODE XREF: CmpGetLastHive+29p
					; CmpDoQueueLateUnloadWorker+B9p ...
		mov	edi, edi
		push	esi
		lea	esi, [ecx+9D8h]
		mov	edx, [esi]
		test	edx, edx
		jz	short loc_8064E8

loc_8064D1:				; CODE XREF: CmpReferenceHive(x)+24j
		lea	ecx, [edx+1]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_8064E2
		mov	al, 1
		pop	esi
		retn
; 

loc_8064E2:				; CODE XREF: CmpReferenceHive(x)+1Aj
		mov	edx, eax
		test	eax, eax
		jnz	short loc_8064D1

loc_8064E8:				; CODE XREF: CmpReferenceHive(x)+Dj
		xor	al, al
		pop	esi
		retn
_CmpReferenceHive@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVirtualBranchIsReplicated(x, x, x)
_CmpVirtualBranchIsReplicated@12 proc near
					; CODE XREF: CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+F6p
					; CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+50p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_24], 0FFFFFFFFh
		xor	ecx, ecx
		mov	[ebp+var_20], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], 0
		mov	[ebp+var_8], 0
		mov	[ebp+var_14], ecx
		mov	[eax], cl
		push	edi
		mov	edi, edx
		test	esi, esi
		jnz	short loc_80655A
		lea	edx, [ebp+var_8]
		mov	ecx, edi
		call	_CmpGetCmHiveFromVirtualPath@8 ; CmpGetCmHiveFromVirtualPath(x,x)
		test	eax, eax
		js	short loc_80657B
		mov	ecx, ds:_CmpMasterHive
		mov	eax, [ebp+var_8]
		mov	[ebp+var_14], ecx
		jmp	short loc_806589
; 

loc_80655A:				; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+4Cj
		cmp	[edi], cx
		jnz	short loc_806586
		cmp	_CmpVEEnabled, cl
		jz	short loc_80657B
		test	dword ptr [esi+68h], 1000000h
		jz	short loc_80657B
		mov	al, 1
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_80657B:				; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+5Aj
					; CmpVirtualBranchIsReplicated(x,x,x)+75j ...
		xor	al, al
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_806586:				; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+6Dj
		mov	eax, [esi+10h]

loc_806589:				; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+68j
		push	1
		mov	edx, eax
		mov	[ebp+var_8], eax
		call	CmpBlockTwoHiveWrites
		test	eax, eax
		js	short loc_80657B
		lea	eax, [ebp+var_C]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	ecx, esi
		push	eax
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		call	_CmpFindPathByNameEx@24	; CmpFindPathByNameEx(x,x,x,x,x,x)
		mov	edi, [ebp+var_C]
		mov	bl, al
		test	edi, edi
		jnz	short loc_8065C0

loc_8065B9:				; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+DFj
		xor	bl, bl
		jmp	loc_806644
; 

loc_8065C0:				; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+C7j
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_10]
		mov	eax, [edi+4]
		push	edi
		call	eax
		test	eax, eax
		jz	short loc_8065B9
		test	bl, bl
		jz	short loc_8065ED
		cmp	_CmpVEEnabled, 0
		jz	short loc_8065E9
		mov	ecx, 100h
		test	[eax+2], cx
		jnz	short loc_80663A

loc_8065E9:				; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+ECj
		xor	bl, bl
		jmp	short loc_80663A
; 

loc_8065ED:				; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+E3j
		cmp	_CmpVEEnabled, 0
		jz	short loc_806605
		mov	ecx, 100h
		test	[eax+2], cx
		jz	short loc_806605
		mov	al, 1
		jmp	short loc_806607
; 

loc_806605:				; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+104j
					; CmpVirtualBranchIsReplicated(x,x,x)+10Fj
		xor	al, al

loc_806607:				; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+113j
		mov	ecx, [ebp+arg_0]
		mov	[ecx], al
		xor	ecx, ecx
		mov	ax, word ptr [ebp+var_1C]
		shr	ax, 1
		movzx	edx, ax
		xor	eax, eax
		cmp	ax, dx
		jnb	short loc_80663A
		mov	esi, [ebp+var_18]

loc_806622:				; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+140j
		movzx	eax, cx
		cmp	word ptr [esi+eax*2], 5Ch
		jz	short loc_806634
		inc	ecx
		cmp	cx, dx
		jb	short loc_806622
		jmp	short loc_80663A
; 

loc_806634:				; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+13Aj
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	0

loc_80663A:				; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+F7j
					; CmpVirtualBranchIsReplicated(x,x,x)+FBj ...
		lea	eax, [ebp+var_24]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax

loc_806644:				; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+CBj
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_14]
		call	CmpUnblockTwoHiveWrites
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_CmpVirtualBranchIsReplicated@12 endp


;  S U B	R O U T	I N E 


CmpUnblockTwoHiveWrites	proc near	; CODE XREF: CmpVirtualBranchIsReplicated(x,x,x)+15Ap
					; CmpVirtualPathPresent(x)+A3p

; FUNCTION CHUNK AT 0091AF05 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		or	esi, 0FFFFFFFFh
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jz	short loc_80667E
		lea	ecx, [ebx+24h]
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_8066BD

loc_806679:				; CODE XREF: CmpUnblockTwoHiveWrites+6Bj
		call	KeAbPostRelease

loc_80667E:				; CODE XREF: CmpUnblockTwoHiveWrites+Ej
		test	edi, edi
		jz	short loc_806696
		lea	ecx, [edi+24h]
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_8066C7

loc_806691:				; CODE XREF: CmpUnblockTwoHiveWrites+75j
		call	KeAbPostRelease

loc_806696:				; CODE XREF: CmpUnblockTwoHiveWrites+26j
		test	ebx, ebx
		jz	short loc_8066A6
		mov	eax, esi
		lock xadd [ebx+9D8h], eax
		jz	short loc_8066D1

loc_8066A6:				; CODE XREF: CmpUnblockTwoHiveWrites+3Ej
					; CmpUnblockTwoHiveWrites+7Ej
		test	edi, edi
		jz	short loc_8066B9
		lock xadd [edi+9D8h], esi
		dec	esi
		jz	loc_91AF05

loc_8066B9:				; CODE XREF: CmpUnblockTwoHiveWrites+4Ej
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8066BD:				; CODE XREF: CmpUnblockTwoHiveWrites+1Dj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [ebx+24h]
		jmp	short loc_806679
; 

loc_8066C7:				; CODE XREF: CmpUnblockTwoHiveWrites+35j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [edi+24h]
		jmp	short loc_806691
; 

loc_8066D1:				; CODE XREF: CmpUnblockTwoHiveWrites+4Aj
		mov	ecx, ebx
		call	_CmpDeleteHive@4 ; CmpDeleteHive(x)
		jmp	short loc_8066A6
CmpUnblockTwoHiveWrites	endp

; 
		align 10h
; Exported entry 1988. RtlCompareUnicodeStrings

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCompareUnicodeStrings(x,	x, x, x, x)
		public _RtlCompareUnicodeStrings@20
_RtlCompareUnicodeStrings@20 proc near	; CODE XREF: ApiSetpSearchForApiSet+B6p
					; EtwpAvlCompareKeyNames(x,x,x)+3Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		mov	cl, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		cmp	ebx, eax
		ja	short loc_8066FA
		mov	eax, ebx

loc_8066FA:				; CODE XREF: RtlCompareUnicodeStrings(x,x,x,x,x)+16j
		lea	edi, [esi+eax*2]
		cmp	esi, edi
		jnb	short loc_806723
		test	cl, cl
		jnz	short loc_806733
		mov	edx, [ebp+arg_8]
		sub	edx, esi
		lea	ebx, [ebx+0]

loc_806710:				; CODE XREF: RtlCompareUnicodeStrings(x,x,x,x,x)+41j
		movzx	eax, word ptr [esi]
		movzx	ecx, word ptr [edx+esi]
		cmp	ax, cx
		jnz	short loc_80672A
		add	esi, 2
		cmp	esi, edi
		jb	short loc_806710

loc_806723:				; CODE XREF: RtlCompareUnicodeStrings(x,x,x,x,x)+1Fj
		sub	ebx, [ebp+arg_C]
		mov	eax, ebx
		jmp	short loc_80672C
; 

loc_80672A:				; CODE XREF: RtlCompareUnicodeStrings(x,x,x,x,x)+3Aj
		sub	eax, ecx

loc_80672C:				; CODE XREF: RtlCompareUnicodeStrings(x,x,x,x,x)+48j
					; RtlCompareUnicodeStrings(x,x,x,x,x)+7Bj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
; 

loc_806733:				; CODE XREF: RtlCompareUnicodeStrings(x,x,x,x,x)+23j
		mov	eax, [ebp+arg_8]
		sub	eax, esi
		mov	[ebp+arg_0], eax
		jmp	short loc_806740
; 
		align 10h

loc_806740:				; CODE XREF: RtlCompareUnicodeStrings(x,x,x,x,x)+5Bj
					; RtlCompareUnicodeStrings(x,x,x,x,x)+74j
		movzx	edx, word ptr [eax+esi]
		movzx	ecx, word ptr [esi]
		mov	dword ptr [ebp+arg_10],	edx
		cmp	cx, dx
		jnz	short loc_80675D

loc_80674F:				; CODE XREF: RtlCompareUnicodeStrings(x,x,x,x,x)+ACj
		add	esi, 2
		cmp	esi, edi
		jb	short loc_806740
		sub	ebx, [ebp+arg_C]
		mov	eax, ebx
		jmp	short loc_80672C
; 

loc_80675D:				; CODE XREF: RtlCompareUnicodeStrings(x,x,x,x,x)+6Dj
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, dword ptr [ebp+arg_10]
		movzx	eax, ax
		mov	[ebp+arg_8], eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, [ebp+arg_8]
		movzx	eax, ax
		cmp	cx, ax
		jz	short loc_806789
		pop	edi
		movzx	ecx, cx
		sub	ecx, eax
		pop	esi
		mov	eax, ecx
		pop	ebx
		pop	ebp
		retn	14h
; 

loc_806789:				; CODE XREF: RtlCompareUnicodeStrings(x,x,x,x,x)+99j
		mov	eax, [ebp+arg_0]
		jmp	short loc_80674F
_RtlCompareUnicodeStrings@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmOpenDeviceRegKeyWorker proc near	; CODE XREF: _CmOpenDeviceRegKey+9Bp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0091AF0F SIZE 000000C1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_1C], edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_14], 0
		mov	[ebp+var_18], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_8], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_28], 0
		mov	[ebp+var_24], 0
		mov	[ebp+var_C], 0
		push	esi
		push	edi
		test	ebx, ebx
		jz	loc_91AFC6
		test	ebx, 0FFFFFCE8h
		jnz	loc_91AFC6
		mov	esi, 0F0h
		mov	[ebp+arg_0], esi
		test	ebx, 200h
		jnz	loc_806A04

loc_806804:				; CODE XREF: _CmOpenDeviceRegKeyWorker+27Cj
		push	52504E50h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_91AFB1
		jmp	short loc_806820
; 
		align 10h

loc_806820:				; CODE XREF: _CmOpenDeviceRegKeyWorker+8Bj
					; _CmOpenDeviceRegKeyWorker+269j
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_14]
		mov	ecx, [ebp+var_4]
		push	eax		; int
		mov	eax, esi
		shr	eax, 1
		push	eax		; int
		push	edi		; void *
		push	[ebp+arg_C]	; int
		push	[ebp+arg_4]	; int
		push	ebx		; int
		call	_CmGetDeviceRegKeyPath
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_8069BD
		test	esi, esi
		js	loc_806923
		test	ebx, 100h
		jnz	loc_91AF19
		push	edi
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_806923
		mov	si, word ptr [ebp+var_28]
		movzx	eax, si
		cmp	eax, [ebp+arg_0]
		jnb	loc_91AF0F
		cmp	si, 32h
		jbe	loc_91AF0F
		push	1
		lea	eax, [ebp+var_28]
		push	eax
		push	offset ?ObjectPathRootPrefix@?1??_CmOpenDeviceInterfaceRegKeyWorker@@9@9 ; `_CmOpenDeviceInterfaceRegKeyWorker'::`2'::ObjectPathRootPrefix
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_91AF0F
		lea	eax, [edi+32h]
		mov	[ebp+arg_0], eax
		mov	[ebp+var_24], eax
		mov	eax, 0FFCEh
		add	word ptr [ebp+var_28+2], ax
		add	si, ax
		push	1
		lea	eax, [ebp+var_28]
		mov	word ptr [ebp+var_28], si
		push	eax
		push	offset ?EnumKeyPrefix@?1??_CmOpenDeviceRegKeyWorker@@9@9 ; `_CmOpenDeviceRegKeyWorker'::`2'::EnumKeyPrefix
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_806966
		lea	eax, [edi+3Ch]
		mov	edx, 5
		mov	[ebp+arg_0], eax

loc_8068E0:				; CODE XREF: _CmOpenDeviceRegKeyWorker+1F3j
					; _CmOpenDeviceRegKeyWorker+28Cj
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_18]
		push	eax
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_806923
		mov	edx, [ebp+var_18]

loc_8068F5:				; CODE XREF: _CmOpenDeviceRegKeyWorker+1147B7j
		mov	eax, [ebp+var_4]
		mov	[ebp+arg_4], edx
		test	eax, eax
		jz	loc_806B36
		mov	ecx, [eax+74h]

loc_806906:				; CODE XREF: _CmOpenDeviceRegKeyWorker+3A8j
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_0]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_806988
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 2

loc_806923:				; CODE XREF: _CmOpenDeviceRegKeyWorker+BCj
					; _CmOpenDeviceRegKeyWorker+DCj ...
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	loc_806B13

loc_80692E:				; CODE XREF: _CmOpenDeviceRegKeyWorker+389j
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_91AFBB

loc_806939:				; CODE XREF: _CmOpenDeviceRegKeyWorker+114831j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	loc_806B1E

loc_806944:				; CODE XREF: _CmOpenDeviceRegKeyWorker+394j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_806B29

loc_80694F:				; CODE XREF: _CmOpenDeviceRegKeyWorker+3A1j
		test	edi, edi
		jz	short loc_80695B
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_80695B:				; CODE XREF: _CmOpenDeviceRegKeyWorker+1C1j
		mov	eax, esi

loc_80695D:				; CODE XREF: _CmOpenDeviceRegKeyWorker+11483Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_806966:				; CODE XREF: _CmOpenDeviceRegKeyWorker+13Fj
		push	1
		lea	eax, [ebp+var_28]
		push	eax
		push	(offset	loc_401017+1)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jnz	loc_806A11
		mov	edx, 4
		jmp	loc_8068E0
; 

loc_806988:				; CODE XREF: _CmOpenDeviceRegKeyWorker+188j
		cmp	eax, 0C000017Ch
		jz	loc_91AF4C
		cmp	eax, 0C0000034h
		jnz	loc_91AF56
		cmp	byte ptr [ebp+arg_C], 0
		movzx	eax, bl
		mov	[ebp+var_14], eax
		jnz	loc_806A2E
		cmp	eax, 10h
		jz	short loc_806A21

loc_8069B3:				; CODE XREF: _CmOpenDeviceRegKeyWorker+297j
					; _CmOpenDeviceRegKeyWorker+36Ej
		mov	esi, 0C0000034h
		jmp	loc_806923
; 

loc_8069BD:				; CODE XREF: _CmOpenDeviceRegKeyWorker+B4j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_14]
		mov	ecx, 2
		mul	ecx
		lea	ecx, [ebp+arg_0]
		xor	edi, edi
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_806923
		mov	esi, [ebp+arg_0]
		push	52504E50h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_806820
		jmp	loc_91AFB1
; 

loc_806A04:				; CODE XREF: _CmOpenDeviceRegKeyWorker+6Ej
		mov	esi, 168h
		mov	[ebp+arg_0], esi
		jmp	loc_806804
; 

loc_806A11:				; CODE XREF: _CmOpenDeviceRegKeyWorker+1E8j
		lea	eax, [edi+56h]
		mov	edx, 0Eh
		mov	[ebp+arg_0], eax
		jmp	loc_8068E0
; 

loc_806A21:				; CODE XREF: _CmOpenDeviceRegKeyWorker+221j
		test	ebx, 0F00h
		jnz	short loc_8069B3
		jmp	loc_91AF5D
; 

loc_806A2E:				; CODE XREF: _CmOpenDeviceRegKeyWorker+218j
		cmp	eax, 10h
		jz	loc_91AF67

loc_806A37:				; CODE XREF: _CmOpenDeviceRegKeyWorker+1147E3j
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		mov	ecx, [ebp+var_4]
		push	0
		push	eax
		push	0
		push	1
		push	0
		push	10h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_806923

loc_806A5A:				; CODE XREF: _CmOpenDeviceRegKeyWorker+1147DDj
		lea	eax, [ebp+var_C]
		mov	edx, ebx
		mov	ebx, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		call	_CmGetDeviceRegKeySecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_806923
		cmp	[ebp+var_C], 0
		jz	loc_91AF78
		mov	ecx, 0E0006h

loc_806A83:				; CODE XREF: _CmOpenDeviceRegKeyWorker+1147EBj
		cmp	[ebp+var_14], 13h
		mov	[ebp+var_18], ecx
		jnz	loc_91AF80
		mov	edx, 1

loc_806A95:				; CODE XREF: _CmOpenDeviceRegKeyWorker+1147F2j
		mov	[ebp+arg_C], edx
		test	ebx, ebx
		jz	loc_91AF87
		mov	edx, [ebx+74h]
		mov	[ebp+var_1C], edx
		mov	edx, [ebp+arg_C]

loc_806AA9:				; CODE XREF: _CmOpenDeviceRegKeyWorker+1147FEj
		push	[ebp+arg_14]
		lea	eax, [ebp+var_8]
		push	eax
		mov	eax, [ebp+var_C]
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_1C]
		push	edx
		push	[ebp+arg_0]
		mov	edx, [ebp+arg_4]
		call	__SysCtxRegCreateTree@36 ; _SysCtxRegCreateTree(x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jz	loc_91AF93
		test	eax, eax
		js	short loc_806B3D
		mov	eax, [ebp+var_18]
		cmp	eax, [ebp+arg_8]
		jz	loc_91AF9D
		test	ebx, ebx
		jz	short loc_806B44
		mov	ecx, [ebx+74h]

loc_806AE7:				; CODE XREF: _CmOpenDeviceRegKeyWorker+3B6j
		push	[ebp+arg_10]
		mov	edx, [ebp+var_8]
		push	[ebp+arg_8]
		push	0
		push	0
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jz	loc_8069B3
		test	eax, eax
		jns	loc_806923
		mov	esi, eax
		jmp	loc_806923
; 

loc_806B13:				; CODE XREF: _CmOpenDeviceRegKeyWorker+198j
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_80692E
; 

loc_806B1E:				; CODE XREF: _CmOpenDeviceRegKeyWorker+1AEj
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_806944
; 

loc_806B29:				; CODE XREF: _CmOpenDeviceRegKeyWorker+1B9j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_80694F
; 

loc_806B36:				; CODE XREF: _CmOpenDeviceRegKeyWorker+16Dj
		xor	ecx, ecx
		jmp	loc_806906
; 

loc_806B3D:				; CODE XREF: _CmOpenDeviceRegKeyWorker+342j
		mov	esi, eax
		jmp	loc_806923
; 

loc_806B44:				; CODE XREF: _CmOpenDeviceRegKeyWorker+352j
		xor	ecx, ecx
		jmp	short loc_806AE7
_CmOpenDeviceRegKeyWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpQueryKeyData(x, x, x, x,	x, x)
_CmpQueryKeyData@24 proc near		; CODE XREF: CmQueryKey+27Dp
					; CmQueryKey+11184Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		or	[ebp+var_8], 0FFFFFFFFh
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		push	4
		pop	edx
		cmp	edi, edx
		jnz	short loc_806B7F
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	CmpQueryKeyDataFromCache
		mov	edi, eax

loc_806B77:				; CODE XREF: CmpQueryKeyData(x,x,x,x,x,x)+6Fj
					; CmpQueryKeyData(x,x,x,x,x,x)+76j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn	10h
; 

loc_806B7F:				; CODE XREF: CmpQueryKeyData(x,x,x,x,x,x)+1Aj
		mov	eax, [esi+14h]
		lea	edx, [ebp+var_8]
		mov	ecx, [esi+10h]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		test	eax, eax
		jz	short loc_806BB9
		push	[ebp+arg_C]
		mov	ecx, [esi+10h]
		mov	edx, eax
		push	esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		call	CmpQueryKeyDataFromNode
		mov	edi, eax
		lea	ecx, [ebp+var_8]
		mov	eax, [esi+10h]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		jmp	short loc_806B77
; 

loc_806BB9:				; CODE XREF: CmpQueryKeyData(x,x,x,x,x,x)+48j
		mov	edi, 0C000009Ah
		jmp	short loc_806B77
_CmpQueryKeyData@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmGetVisibleMaxNameLenAndClassLen proc near ; CODE XREF: CmpQueryKeyDataFromCache+92p
					; CmpQueryKeyDataFromNode+1A7p

var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0091AFD0 SIZE 0000009A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		or	[esp+14h+var_8], 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[esp+1Ch+var_C], eax
		mov	[esp+1Ch+var_4], eax
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[edi], eax
		test	esi, esi
		jnz	short loc_806C0C

loc_806BE9:				; CODE XREF: CmGetVisibleMaxNameLenAndClassLen+4Ej
		test	edx, edx
		jnz	short loc_806C10

loc_806BED:				; CODE XREF: CmGetVisibleMaxNameLenAndClassLen+58j
					; CmGetVisibleMaxNameLenAndClassLen+5Fj
		test	ecx, ecx
		jz	short loc_806C01
		cmp	[ebp+arg_0], 0
		movzx	eax, word ptr [ecx+60h]
		mov	[edi], eax
		jnz	loc_91AFD0

loc_806C01:				; CODE XREF: CmGetVisibleMaxNameLenAndClassLen+2Fj
					; CmGetVisibleMaxNameLenAndClassLen+114428j
		xor	eax, eax

loc_806C03:				; CODE XREF: CmGetVisibleMaxNameLenAndClassLen+1144A5j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_806C0C:				; CODE XREF: CmGetVisibleMaxNameLenAndClassLen+27j
		mov	[esi], eax
		jmp	short loc_806BE9
; 

loc_806C10:				; CODE XREF: CmGetVisibleMaxNameLenAndClassLen+2Bj
		movzx	eax, word ptr [edx+34h]
		mov	[edi], eax
		test	esi, esi
		jz	short loc_806BED
		mov	eax, [edx+38h]
		mov	[esi], eax
		jmp	short loc_806BED
CmGetVisibleMaxNameLenAndClassLen endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmGetVisibleMaxValueNameLenAndDataLen proc near	; CODE XREF: CmpQueryKeyDataFromCache+AEp
					; CmpQueryKeyDataFromNode+1C4p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0091B06A SIZE 000000CE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		or	[ebp+var_8], 0FFFFFFFFh
		or	[ebp+var_10], 0FFFFFFFFh
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_4]
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		mov	[ecx], edi
		mov	[ebp+var_C], edi
		mov	[ebx], edi
		test	edx, edx
		jnz	short loc_806C6E

loc_806C4D:				; CODE XREF: CmGetVisibleMaxValueNameLenAndDataLen+56j
		test	esi, esi
		jz	short loc_806C65
		movzx	eax, word ptr [esi+62h]
		mov	[ecx], eax
		mov	eax, [esi+64h]
		mov	[ebx], eax
		cmp	[ebp+arg_0], edi
		jnz	loc_91B06A

loc_806C65:				; CODE XREF: CmGetVisibleMaxValueNameLenAndDataLen+2Dj
					; CmGetVisibleMaxValueNameLenAndDataLen+114450j ...
		xor	eax, eax

loc_806C67:				; CODE XREF: CmGetVisibleMaxValueNameLenAndDataLen+114511j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_806C6E:				; CODE XREF: CmGetVisibleMaxValueNameLenAndDataLen+29j
		mov	eax, [edx+3Ch]
		mov	[ecx], eax
		mov	eax, [edx+40h]
		mov	[ebx], eax
		jmp	short loc_806C4D
CmGetVisibleMaxValueNameLenAndDataLen endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpQueryKeyDataFromCache proc near	; CODE XREF: CmpQueryKeyData(x,x,x,x,x,x)+28p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0091B138 SIZE 00000080 BYTES
; FUNCTION CHUNK AT 0091B1CE SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A54D8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, ecx
		mov	[ebp+var_38], 0FFFFFFFFh
		mov	[ebp+var_34], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_24], 0
		mov	[ebp+var_28], 0
		mov	eax, [esi+28h]
		test	eax, eax
		jz	loc_91B138
		movzx	ecx, word ptr [eax+0Ch]
		test	byte ptr [eax],	1
		jz	loc_91B142
		lea	eax, [ecx+ecx]
		movzx	eax, ax

loc_806CF8:				; CODE XREF: CmpQueryKeyDataFromCache+1144C4j
		mov	[ebp+var_1C], eax
		cmp	edx, 4
		jnz	loc_91B149
		push	0
		lea	eax, [ebp+var_20]
		push	eax
		mov	edi, [ebp+arg_C]
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	CmGetVisibleMaxNameLenAndClassLen
		mov	ebx, eax
		test	ebx, ebx
		js	loc_806DCF
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	CmGetVisibleMaxValueNameLenAndDataLen
		mov	ebx, eax
		test	ebx, ebx
		js	loc_806DCF
		mov	[ebp+var_4], 0
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 28h
		cmp	[ebp+arg_4], 28h
		jb	loc_91B153
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	CmGetKeyLastWriteTime
		mov	edi, [ebp+arg_0]
		mov	[edi], eax
		mov	[edi+4], edx
		mov	dword ptr [edi+8], 0
		mov	eax, [ebp+var_1C]
		movzx	eax, ax
		mov	[edi+20h], eax
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	loc_91B15A

loc_806D84:				; CODE XREF: CmpQueryKeyDataFromCache+1144E2j
					; CmpQueryKeyDataFromCache+1144EAj
		mov	eax, [esi+30h]

loc_806D87:				; CODE XREF: CmpQueryKeyDataFromCache+1144F6j
		mov	[edi+14h], eax
		mov	eax, [ebp+var_20]
		mov	[edi+10h], eax
		mov	eax, [ebp+var_24]
		mov	[edi+18h], eax
		mov	eax, [ebp+var_28]
		mov	[edi+1Ch], eax
		mov	ecx, [esi+4]
		test	cl, 40h
		jnz	loc_91B17B
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	loc_91B17B
		test	cl, 1
		jnz	short loc_806DE5
		test	cl, 2
		jnz	short loc_806DEE
		mov	eax, [esi+3Ch]
		test	cl, 4
		jnz	short loc_806DF7

loc_806DC5:				; CODE XREF: CmpQueryKeyDataFromCache+179j
		mov	[edi+0Ch], eax

loc_806DC8:				; CODE XREF: CmpQueryKeyDataFromCache+16Cj
					; CmpQueryKeyDataFromCache+175j ...
		mov	[ebp+var_4], 0FFFFFFFEh

loc_806DCF:				; CODE XREF: CmpQueryKeyDataFromCache+9Bj
					; CmpQueryKeyDataFromCache+B7j	...
		mov	eax, ebx

loc_806DD1:				; CODE XREF: CmpQueryKeyDataFromCache+1144BDj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_806DE5:				; CODE XREF: CmpQueryKeyDataFromCache+136j
		mov	dword ptr [edi+0Ch], 0
		jmp	short loc_806DC8
; 

loc_806DEE:				; CODE XREF: CmpQueryKeyDataFromCache+13Bj
		mov	dword ptr [edi+0Ch], 1
		jmp	short loc_806DC8
; 

loc_806DF7:				; CODE XREF: CmpQueryKeyDataFromCache+143j
		mov	eax, [eax]
		jmp	short loc_806DC5
CmpQueryKeyDataFromCache endp

; 
		align 10h
; Exported entry 2095. RtlFindUnicodeSubstring

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlFindUnicodeSubstring
RtlFindUnicodeSubstring	proc near	; CODE XREF: CmpTraceSecurityChanging+58p
					; PiDrvDbRegisterNode+9E234p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 0091B1D6 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		sub	esp, 10h
		movzx	edx, word ptr [eax]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		movzx	ecx, word ptr [edi]
		cmp	cx, dx
		jb	short loc_806E9B
		mov	edi, [edi+4]
		mov	esi, edx
		mov	ebx, ecx
		sub	ebx, esi
		add	ebx, edi
		cmp	[ebp+arg_8], 0
		mov	[ebp+var_C], ebx
		jz	loc_91B1D6
		mov	eax, [eax+4]
		mov	[ebp+var_10], eax
		lea	edx, [esi+eax]
		mov	[ebp+arg_4], edx
		cmp	edi, ebx
		ja	short loc_806E9B
		mov	ecx, edi
		sub	ecx, eax
		mov	[ebp+arg_0], ecx

loc_806E4B:				; CODE XREF: RtlFindUnicodeSubstring+99j
		mov	dword ptr [ebp+arg_8], eax
		cmp	eax, edx
		jnb	short loc_806E89

loc_806E52:				; CODE XREF: RtlFindUnicodeSubstring+AFj
		movzx	esi, word ptr [ecx+eax]
		movzx	ebx, word ptr [eax]
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], ebx
		cmp	si, bx
		jz	short loc_806EA7
		mov	ecx, ebx
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, [ebp+var_8]
		mov	si, ax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	edx, [ebp+arg_4]
		cmp	ax, si
		mov	eax, dword ptr [ebp+arg_8]
		jz	short loc_806EA4

loc_806E81:				; CODE XREF: RtlFindUnicodeSubstring+B1j
		mov	ebx, [ebp+var_C]
		cmp	eax, edx
		mov	ecx, [ebp+arg_0]

loc_806E89:				; CODE XREF: RtlFindUnicodeSubstring+50j
		jz	short loc_806EB3
		mov	eax, [ebp+var_10]
		add	edi, 2
		add	ecx, 2
		mov	[ebp+arg_0], ecx
		cmp	edi, ebx
		jbe	short loc_806E4B

loc_806E9B:				; CODE XREF: RtlFindUnicodeSubstring+1Aj
					; RtlFindUnicodeSubstring+42j ...
		xor	eax, eax

loc_806E9D:				; CODE XREF: RtlFindUnicodeSubstring+B5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_806EA4:				; CODE XREF: RtlFindUnicodeSubstring+7Fj
		mov	ecx, [ebp+arg_0]

loc_806EA7:				; CODE XREF: RtlFindUnicodeSubstring+62j
		add	eax, 2
		mov	dword ptr [ebp+arg_8], eax
		cmp	eax, edx
		jb	short loc_806E52
		jmp	short loc_806E81
; 

loc_806EB3:				; CODE XREF: RtlFindUnicodeSubstring:loc_806E89j
					; RtlFindUnicodeSubstring+1143F1j
		mov	eax, edi
		jmp	short loc_806E9D
RtlFindUnicodeSubstring	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCompareCompressedName(x,	x, x, x)
_CmpCompareCompressedName@16 proc near	; CODE XREF: CmpDoCompareKeyName(x,x,x,x)+5Bp
					; CmpDoCompareKeyName(x,x,x,x)+7Fp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ax, [ecx]
		sub	esp, 8
		shr	ax, 1
		push	ebx
		mov	ebx, [ecx+4]
		push	esi
		movzx	esi, word ptr [ebp+arg_0]
		push	edi
		movzx	edi, ax
		test	di, di
		jz	short loc_806F0E

loc_806EE0:				; CODE XREF: CmpCompareCompressedName(x,x,x,x)+4Cj
		test	si, si
		jz	short loc_806F0E
		movzx	ecx, word ptr [ebx]
		add	ebx, 2
		movzx	eax, byte ptr [edx]
		inc	edx
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx
		cmp	cx, ax
		jnz	short loc_806F1F

loc_806EFD:				; CODE XREF: CmpCompareCompressedName(x,x,x,x)+92j
		add	edi, 0FFFFh
		add	esi, 0FFFFh
		test	di, di
		jnz	short loc_806EE0

loc_806F0E:				; CODE XREF: CmpCompareCompressedName(x,x,x,x)+1Ej
					; CmpCompareCompressedName(x,x,x,x)+23j
		movzx	eax, di
		pop	edi
		movzx	ecx, si
		pop	esi
		sub	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_806F1F:				; CODE XREF: CmpCompareCompressedName(x,x,x,x)+3Bj
		mov	edx, [ebp+arg_4]
		test	dl, 1
		jnz	short loc_806F3A
		cmp	ecx, 61h
		jb	short loc_806F3A
		cmp	ecx, 7Ah
		ja	short loc_806F6C
		add	ecx, 0FFE0h

loc_806F37:				; CODE XREF: CmpCompareCompressedName(x,x,x,x)+BAj
		mov	[ebp+arg_0], ecx

loc_806F3A:				; CODE XREF: CmpCompareCompressedName(x,x,x,x)+65j
					; CmpCompareCompressedName(x,x,x,x)+6Aj
		test	dl, 2
		jnz	short loc_806F45
		cmp	ax, 61h
		jnb	short loc_806F5F

loc_806F45:				; CODE XREF: CmpCompareCompressedName(x,x,x,x)+7Dj
					; CmpCompareCompressedName(x,x,x,x)+AAj ...
		movzx	eax, ax
		movzx	ecx, cx
		sub	ecx, eax
		jnz	short loc_806F54
		mov	edx, [ebp+var_8]
		jmp	short loc_806EFD
; 

loc_806F54:				; CODE XREF: CmpCompareCompressedName(x,x,x,x)+8Dj
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_806F5F:				; CODE XREF: CmpCompareCompressedName(x,x,x,x)+83j
		cmp	ax, 7Ah
		ja	short loc_806F7C
		add	eax, 0FFE0h
		jmp	short loc_806F45
; 

loc_806F6C:				; CODE XREF: CmpCompareCompressedName(x,x,x,x)+6Fj
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	edx, [ebp+arg_4]
		movzx	ecx, ax
		mov	eax, [ebp+var_4]
		jmp	short loc_806F37
; 

loc_806F7C:				; CODE XREF: CmpCompareCompressedName(x,x,x,x)+A3j
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, [ebp+arg_0]
		movzx	eax, ax
		jmp	short loc_806F45
_CmpCompareCompressedName@16 endp

; 
		align 10h
; Exported entry 244. CcUnpinData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcUnpinData(x)
		public _CcUnpinData@4
_CcUnpinData@4	proc near		; CODE XREF: CcUnpinData(x)+41p
					; sub_78A093+1539E9p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		test	bl, 1
		jz	short loc_806FB8
		and	ebx, 0FFFFFFFEh
		mov	dl, 1

loc_806FA7:				; CODE XREF: CcUnpinData(x)+34j
		push	0
		mov	ecx, ebx
		call	CcUnpinFileDataEx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_806FB8:				; CODE XREF: CcUnpinData(x)+10j
		mov	eax, 2FAh
		cmp	[ebx], ax
		jz	short loc_806FC6
		xor	dl, dl
		jmp	short loc_806FA7
; 

loc_806FC6:				; CODE XREF: CcUnpinData(x)+30j
		mov	eax, [ebx+10h]
		lea	esi, [ebx+10h]
		test	eax, eax
		jz	short loc_806FE0

loc_806FD0:				; CODE XREF: CcUnpinData(x)+4Ej
		push	eax
		call	_CcUnpinData@4	; CcUnpinData(x)
		mov	eax, [esi+4]
		lea	esi, [esi+4]
		test	eax, eax
		jnz	short loc_806FD0

loc_806FE0:				; CODE XREF: CcUnpinData(x)+3Ej
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_CcUnpinData@4	endp

; 
		dd 4 dup(0CCCCCCCCh)
; 
; Exported entry 1569. NtQuerySecurityAttributesToken

		public NtQuerySecurityAttributesToken
NtQuerySecurityAttributesToken:		; DATA XREF: .text:00580E14o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5538
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	dword ptr [ebp-28h], 0
		mov	byte ptr [ebp-1Ah], 0

loc_807040:				; DATA XREF: FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+418o
					; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8FFo ...
		mov	dword ptr [ebp-24h], 0
		mov	dword ptr [ebp-34h], 0
		mov	byte ptr [ebp-1Bh], 0
		mov	eax, large fs:124h
		mov	cl, [eax+15Ah]
		mov	[ebp-19h], cl
		mov	[ebp-2Ch], cl
		mov	ecx, [ebp+18h]
		mov	ebx, [ebp+14h]
		test	ecx, ecx
		jz	loc_80722C

loc_807072:				; CODE XREF: PAGE:0080723Cj
		test	ebx, ebx
		jz	loc_91B206

loc_80707A:				; CODE XREF: PAGE:00807236j
		cmp	byte ptr [ebp-19h], 0
		jz	loc_91B238
		mov	dword ptr [ebp-4], 0
		test	ecx, ecx
		jz	loc_807226
		mov	eax, ebx
		test	bl, 3
		jnz	loc_807257
		lea	edx, [ecx-1]
		add	edx, ebx
		cmp	ebx, edx
		ja	loc_807252
		cmp	edx, ds:_MmUserProbeAddress
		jnb	loc_807252
		and	edx, 0FFFFF000h
		add	edx, 1000h

loc_8070C3:				; CODE XREF: PAGE:008070D3j
		mov	cl, [eax]
		mov	[eax], cl
		and	eax, 0FFFFF000h
		add	eax, 1000h
		cmp	eax, edx
		jnz	short loc_8070C3

loc_8070D5:				; CODE XREF: PAGE:00807227j
		mov	ebx, [ebp+1Ch]
		mov	ecx, ebx
		test	bl, 3
		jnz	loc_807257
		lea	edx, [ebx+3]
		cmp	ebx, edx
		ja	loc_807252
		cmp	edx, ds:_MmUserProbeAddress
		jnb	loc_807252
		and	edx, 0FFFFF000h
		add	edx, 1000h

loc_807106:				; CODE XREF: PAGE:00807118j
		mov	al, [ecx]
		mov	[ecx], al
		and	ecx, 0FFFFF000h
		add	ecx, 1000h
		cmp	ecx, edx
		jnz	short loc_807106
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_807121:				; CODE XREF: PAGE:0091B23Bj
		lea	eax, [ebp-28h]
		push	eax
		mov	esi, [ebp-2Ch]
		push	esi
		mov	edx, [ebp+10h]
		mov	ecx, [ebp+0Ch]
		call	SepCaptureUnicodeStringArray
		mov	edi, eax
		mov	[ebp-20h], edi
		test	edi, edi
		js	loc_91B20E
		lea	eax, [ebp-34h]
		push	eax
		lea	eax, [ebp-1Bh]
		push	eax
		lea	eax, [ebp-24h]
		push	eax
		push	esi
		mov	edx, 8
		mov	ecx, [ebp+8]
		call	SepReferenceTokenByHandle
		mov	edi, eax
		mov	[ebp-20h], edi
		test	edi, edi
		js	loc_91B20E
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	esi, [ebp-24h]
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	al, 1
		mov	[ebp-1Ah], al
		mov	[ebp+1Fh], al
		cmp	byte ptr [ebp-19h], 0
		jz	loc_91B26E
		mov	dword ptr [ebp-4], 1
		push	ebx
		push	dword ptr [ebp+18h]
		push	dword ptr [ebp+14h]
		push	0
		mov	eax, [ebp+10h]
		push	eax
		push	dword ptr [ebp-28h]
		mov	ecx, esi
		call	SepInternalQuerySecurityAttributesTokenEx
		mov	edi, eax
		mov	[ebp-20h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_8071C0:				; CODE XREF: PAGE:0091B211j
					; PAGE:0091B28Aj
		mov	bl, [ebp-1Ah]
		mov	al, [ebp-19h]

loc_8071C6:				; CODE XREF: PAGE:0091B269j
		cmp	al, 1
		jnz	short loc_8071D9
		mov	eax, [ebp-28h]
		test	eax, eax
		jz	short loc_8071D9
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8071D9:				; CODE XREF: PAGE:008071C8j
					; PAGE:008071CFj
		test	bl, bl
		jz	short loc_807205
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		nop
		add	word ptr [ecx+13Ch], 1
		jnz	short loc_8071FF
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	short loc_807241

loc_8071FF:				; CODE XREF: PAGE:008071F5j
					; PAGE:00807249j ...
		mov	esi, [ebp-24h]
		mov	edi, [ebp-20h]

loc_807205:				; CODE XREF: PAGE:008071DBj
		test	esi, esi
		jz	short loc_807210
		mov	ecx, esi
		call	ObfDereferenceObject

loc_807210:				; CODE XREF: PAGE:00807207j
		mov	eax, edi

loc_807212:				; CODE XREF: PAGE:0091B233j
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_807226:				; CODE XREF: PAGE:0080708Dj
		nop
		jmp	loc_8070D5
; 

loc_80722C:				; CODE XREF: PAGE:0080706Cj
		test	ebx, ebx
		jnz	loc_91B206
		test	ecx, ecx
		jz	loc_80707A
		jmp	loc_807072
; 

loc_807241:				; CODE XREF: PAGE:008071FDj
		cmp	word ptr [ecx+13Eh], 0
		jnz	short loc_8071FF
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_8071FF
; 

loc_807252:				; CODE XREF: PAGE:008070A5j
					; PAGE:008070B1j ...
		call	_ExRaiseAccessViolation@0 ; ExRaiseAccessViolation()

loc_807257:				; CODE XREF: PAGE:00807098j
					; PAGE:008070DDj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 2283. RtlPrefixUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlPrefixUnicodeString(x, x, x)
		public _RtlPrefixUnicodeString@12
_RtlPrefixUnicodeString@12 proc	near	; CODE XREF: SepPotentialGlobalTableAttribute+20p
					; PopFxBuildDripsBlockingDeviceList(x,x,x)+45Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		push	ebx
		mov	bl, [ebp+arg_8]
		movzx	ecx, word ptr [eax]
		push	esi
		mov	esi, [eax+4]
		movzx	eax, word ptr [edx]
		push	edi
		cmp	eax, ecx
		jb	short loc_8072D4
		add	ecx, esi
		mov	[ebp+arg_0], ecx
		cmp	esi, ecx
		jnb	short loc_8072B7
		test	bl, bl
		jz	short loc_8072DD
		mov	eax, [edx+4]
		sub	eax, esi
		mov	dword ptr [ebp+arg_8], eax

loc_8072A3:				; CODE XREF: RtlPrefixUnicodeString(x,x,x)+45j
		movzx	ebx, word ptr [esi]
		movzx	ecx, word ptr [eax+esi]
		cmp	bx, cx
		jnz	short loc_8072C0

loc_8072AF:				; CODE XREF: RtlPrefixUnicodeString(x,x,x)+6Bj
		add	esi, 2
		cmp	esi, [ebp+arg_0]
		jb	short loc_8072A3

loc_8072B7:				; CODE XREF: RtlPrefixUnicodeString(x,x,x)+25j
					; RtlPrefixUnicodeString(x,x,x)+82j
		mov	al, 1

loc_8072B9:				; CODE XREF: RtlPrefixUnicodeString(x,x,x)+66j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_8072C0:				; CODE XREF: RtlPrefixUnicodeString(x,x,x)+3Dj
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, ebx
		mov	di, ax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		cmp	ax, di
		jz	short loc_8072D8

loc_8072D4:				; CODE XREF: RtlPrefixUnicodeString(x,x,x)+1Cj
					; RtlPrefixUnicodeString(x,x,x)+79j
		xor	al, al
		jmp	short loc_8072B9
; 

loc_8072D8:				; CODE XREF: RtlPrefixUnicodeString(x,x,x)+62j
		mov	eax, dword ptr [ebp+arg_8]
		jmp	short loc_8072AF
; 

loc_8072DD:				; CODE XREF: RtlPrefixUnicodeString(x,x,x)+29j
		mov	edx, [edx+4]
		sub	edx, esi

loc_8072E2:				; CODE XREF: RtlPrefixUnicodeString(x,x,x)+80j
		mov	ax, [esi]
		cmp	ax, [edx+esi]
		jnz	short loc_8072D4
		add	esi, 2
		cmp	esi, ecx
		jb	short loc_8072E2
		jmp	short loc_8072B7
_RtlPrefixUnicodeString@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpRpFileKeyUpdate proc	near		; CODE XREF: PfFileInfoNotify+38Bp
					; PfFileInfoNotify+5D1p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0091B28F SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_8], 0
		mov	edi, edx
		mov	[ebp+var_4], ebx
		xor	esi, esi
		mov	[ebp+var_14], 0
		mov	[ebp+var_C], esi
		test	byte ptr [ebx+60h], 1
		mov	eax, [edi+8]
		mov	[ebp+var_10], eax
		jz	loc_91B28F
		lea	eax, [ebx+50h]
		mov	ecx, eax
		mov	[ebp+var_30], eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_91B28F
		cmp	[ebp+arg_0], esi
		jz	loc_807561
		push	4B466650h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_91B299
		lea	edx, [ebp+var_C]
		mov	ecx, ebx
		call	_PfpRpIsRehashNeeded@8 ; PfpRpIsRehashNeeded(x,x)
		test	eax, eax
		jnz	loc_80764B

loc_80737E:				; CODE XREF: PfpRpFileKeyUpdate+363j
					; PfpRpFileKeyUpdate+36Cj
		mov	ebx, [edi+0Ch]
		movzx	ecx, word ptr [edi+12h]
		mov	edi, 4CB2Fh
		lea	eax, [ebx+ecx*2]
		cmp	ebx, eax
		jnb	short loc_8073B8
		mov	esi, eax

loc_807393:				; CODE XREF: PfpRpFileKeyUpdate+B4j
		movzx	eax, word ptr [ebx]
		push	eax
		call	_RtlUpcaseUnicodeChar@4	; RtlUpcaseUnicodeChar(x)
		imul	edx, edi, 25h
		add	ebx, 2
		movzx	ecx, al
		movzx	edi, ax
		shr	edi, 8
		add	edx, ecx
		imul	eax, edx, 25h
		add	edi, eax
		cmp	ebx, esi
		jb	short loc_807393
		xor	esi, esi

loc_8073B8:				; CODE XREF: PfpRpFileKeyUpdate+8Fj
		test	edi, edi
		jz	loc_91B2A3
		mov	ebx, [ebp+var_4]

loc_8073C3:				; CODE XREF: PfpRpFileKeyUpdate+263j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		add	ebx, 1Ch
		xor	edx, edx
		mov	ecx, ebx
		mov	[ebp+var_18], ebx
		call	ExAcquirePushLockExclusiveEx
		cmp	[ebp+arg_0], 0
		jz	loc_807568
		mov	eax, [ebp+var_4]
		mov	eax, [eax+4]
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		and	ecx, 1Fh
		or	eax, 0FFFFFFFFh
		mov	edx, eax
		shl	edx, cl
		mov	ecx, edx
		mov	[ebp+var_28], edx
		and	ecx, [ebp+var_10]
		mov	edx, ecx
		mov	[ebp+var_2C], ecx
		shr	edx, 18h
		mov	[ebp+var_24], edx
		mov	edx, ecx
		shr	edx, 10h
		mov	[ebp+var_20], edx
		mov	edx, ecx
		shr	edx, 8
		mov	[ebp+var_1C], edx
		mov	edx, [ebp+arg_0]
		shr	edx, 5
		mov	[ebp+arg_0], edx
		test	edx, edx
		jz	short loc_807480
		movzx	ecx, cl
		add	ecx, offset unk_B15DCB
		imul	edx, ecx, 25h
		mov	ecx, [ebp+var_1C]
		movzx	ecx, cl
		add	edx, ecx
		mov	ecx, [ebp+var_20]
		imul	edx, 25h
		movzx	ecx, cl
		add	edx, ecx
		imul	ecx, edx, 25h
		mov	edx, [ebp+arg_0]
		dec	edx
		add	ecx, [ebp+var_24]
		and	edx, ecx
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx+8]
		lea	edx, [ecx+edx*4]

loc_807463:				; CODE XREF: PfpRpFileKeyUpdate+176j
		mov	edx, [edx]
		test	edx, 1
		jnz	short loc_807480
		mov	ecx, [edx+4]
		and	ecx, [ebp+var_28]
		cmp	[ebp+var_2C], ecx
		jnz	short loc_807463
		mov	[edx+8], edi
		jmp	loc_807514
; 

loc_807480:				; CODE XREF: PfpRpFileKeyUpdate+12Dj
					; PfpRpFileKeyUpdate+16Bj
		mov	eax, [ebp+var_8]
		lea	edx, [ebp+var_14]
		mov	ecx, [ebp+var_10]
		mov	dword ptr [eax], 0
		push	[ebp+var_C]
		mov	[eax+8], edi
		mov	edi, [ebp+var_4]
		mov	[eax+4], ecx
		mov	ecx, edi
		call	PfpRpRehashIfNeeded
		test	eax, eax
		jz	loc_91B2AD
		mov	ecx, [edi+4]
		mov	eax, ecx
		and	ecx, 1Fh
		shr	eax, 5
		mov	[ebp+arg_0], eax
		or	eax, 0FFFFFFFFh
		mov	ebx, eax
		shl	ebx, cl
		mov	ecx, [ebp+var_8]
		and	ebx, [ecx+4]
		mov	ecx, ebx
		movzx	edx, bl
		shr	ecx, 8
		add	edx, offset unk_B15DCB
		movzx	edi, cl
		imul	ecx, edx, 25h
		add	edi, ecx
		mov	ecx, ebx
		shr	ecx, 10h
		movzx	edx, cl
		imul	ecx, edi, 25h
		mov	edi, [ebp+var_8]
		shr	ebx, 18h
		mov	[ebp+var_8], 0
		add	edx, ecx
		imul	ecx, edx, 25h
		mov	edx, [ebp+arg_0]
		dec	edx
		add	ebx, ecx
		and	edx, ebx
		mov	ebx, [ebp+var_4]
		mov	ecx, [ebx+8]
		lea	edx, [ecx+edx*4]
		mov	ecx, [edx]
		mov	[edi], ecx
		mov	[edx], edi
		inc	dword ptr [ebx]

loc_807511:				; CODE XREF: PfpRpFileKeyUpdate+273j
					; PfpRpFileKeyUpdate+2D8j
		mov	ebx, [ebp+var_18]

loc_807514:				; CODE XREF: PfpRpFileKeyUpdate+17Bj
		xor	edi, edi

loc_807516:				; CODE XREF: PfpRpFileKeyUpdate+113FB5j
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_807637

loc_807524:				; CODE XREF: PfpRpFileKeyUpdate+33Ej
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_807530:				; CODE XREF: PfpRpFileKeyUpdate+113F9Ej
					; PfpRpFileKeyUpdate+113FA8j
		mov	ecx, [ebp+var_30]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jnz	loc_80762A

loc_807543:				; CODE XREF: PfpRpFileKeyUpdate+332j
		test	esi, esi
		jnz	loc_807610

loc_80754B:				; CODE XREF: PfpRpFileKeyUpdate+322j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	loc_807671

loc_807556:				; CODE XREF: PfpRpFileKeyUpdate+379j
		mov	eax, edi

loc_807558:				; CODE XREF: PfpRpFileKeyUpdate+113F94j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_807561:				; CODE XREF: PfpRpFileKeyUpdate+4Dj
		xor	edi, edi
		jmp	loc_8073C3
; 

loc_807568:				; CODE XREF: PfpRpFileKeyUpdate+E4j
		mov	ebx, [ebp+var_4]
		or	eax, 0FFFFFFFFh
		mov	edi, edi

loc_807570:				; CODE XREF: PfpRpFileKeyUpdate+304j
		cmp	dword ptr [ebx], 0
		jz	short loc_807511
		mov	ebx, [ebx+4]
		mov	edx, eax
		mov	ecx, ebx
		shr	ebx, 5
		and	ecx, 1Fh
		shl	edx, cl
		mov	ecx, edx
		mov	[ebp+var_C], edx
		and	ecx, [ebp+var_10]
		mov	[ebp+arg_0], ecx
		movzx	edx, cl
		shr	ecx, 8
		add	edx, offset unk_B15DCB
		movzx	edi, cl
		imul	ecx, edx, 25h
		add	edi, ecx
		mov	ecx, [ebp+arg_0]
		shr	ecx, 10h
		movzx	edx, cl
		imul	ecx, edi, 25h
		mov	edi, [ebp+arg_0]
		shr	edi, 18h
		add	edx, ecx
		imul	ecx, edx, 25h
		lea	edx, [ebx-1]
		mov	ebx, [ebp+arg_0]
		add	edi, ecx
		mov	ecx, [ebp+var_4]
		and	edx, edi
		mov	ecx, [ecx+8]
		lea	edi, [ecx+edx*4]
		lea	ecx, [ecx+0]

loc_8075D0:				; CODE XREF: PfpRpFileKeyUpdate+2EAj
		mov	edx, [edi]
		test	edx, 1
		jnz	loc_807511
		mov	ecx, [edx+4]
		and	ecx, [ebp+var_C]
		cmp	ecx, ebx
		jz	short loc_8075EC
		mov	edi, edx
		jmp	short loc_8075D0
; 

loc_8075EC:				; CODE XREF: PfpRpFileKeyUpdate+2E6j
		mov	ebx, [ebp+var_4]
		mov	ecx, [edx]
		mov	[edi], ecx
		dec	dword ptr [ebx]
		or	dword ptr [edx], 80000002h
		cmp	[ebx+0Ch], edx
		jz	short loc_807643

loc_807600:				; CODE XREF: PfpRpFileKeyUpdate+349j
		mov	[edx], esi
		mov	esi, edx
		jmp	loc_807570
; 
		align 10h

loc_807610:				; CODE XREF: PfpRpFileKeyUpdate+245j
					; PfpRpFileKeyUpdate+328j
		mov	eax, esi
		test	esi, esi
		jz	short loc_807618
		mov	esi, [esi]

loc_807618:				; CODE XREF: PfpRpFileKeyUpdate+314j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	loc_80754B
		jmp	short loc_807610
; 

loc_80762A:				; CODE XREF: PfpRpFileKeyUpdate+23Dj
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_807543
; 

loc_807637:				; CODE XREF: PfpRpFileKeyUpdate+21Ej
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_807524
; 

loc_807643:				; CODE XREF: PfpRpFileKeyUpdate+2FEj
		lea	ecx, [ebx+10h]
		mov	[ebx+0Ch], ecx
		jmp	short loc_807600
; 

loc_80764B:				; CODE XREF: PfpRpFileKeyUpdate+78j
		mov	eax, [ebp+var_C]
		push	48466650h
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jnz	loc_80737E
		mov	[ebp+var_C], esi
		jmp	loc_80737E
; 

loc_807671:				; CODE XREF: PfpRpFileKeyUpdate+250j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_807556
PfpRpFileKeyUpdate endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpComputeComponentHashes proc near	; CODE XREF: CmpGetSymbolicLinkTarget+838p
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+42Bp ...

var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0091B2BA SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, [ecx]
		push	ebx
		mov	ebx, [ecx+4]
		mov	ecx, eax
		push	esi
		mov	[ebp+var_8], eax
		mov	esi, edx
		mov	[ebp+var_34], eax
		movzx	eax, ax
		mov	[ebp+var_24], esi
		mov	edx, eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_1], 0
		push	edi
		mov	edi, ebx
		mov	[ebp+var_10], edi
		test	ax, ax
		jz	loc_807921
		xor	eax, eax
		mov	si, cx
		test	dx, dx
		jz	loc_8077EA
		mov	bx, word ptr [ebp+var_2C+2]
		mov	edx, 0FFFEh

loc_8076D1:				; CODE XREF: CmpComputeComponentHashes+81j
		cmp	ax, 20h
		jge	loc_8077E7
		cmp	word ptr [edi],	5Ch
		jz	short loc_807703
		add	edi, 2
		add	si, dx
		add	bx, dx
		mov	[ebp+var_10], edi
		mov	word ptr [ebp+var_2C], si
		mov	word ptr [ebp+var_2C+2], bx

loc_8076F5:				; CODE XREF: CmpComputeComponentHashes+162j
		test	si, si
		jz	loc_8077E7
		mov	ecx, [ebp+var_2C]
		jmp	short loc_8076D1
; 

loc_807703:				; CODE XREF: CmpComputeComponentHashes+5Fj
		mov	edx, [ebp+var_8]
		inc	eax
		sub	edx, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], edx
		mov	word ptr [ebp+var_34], dx
		mov	word ptr [ebp+var_34+2], dx
		cmp	ax, 8
		jg	loc_80789A

loc_807721:				; CODE XREF: CmpComputeComponentHashes+21Ej
					; CmpComputeComponentHashes+237j
		mov	edx, [ebp+var_34]
		cwde
		dec	eax
		mov	[ebp+var_18], eax
		cmp	eax, 8
		jnb	loc_8078BC
		mov	ecx, [ebp+arg_0]
		mov	edi, [ebp+arg_0]
		mov	[ecx+eax*8+20h], edx
		mov	ecx, [ebp+var_C]
		mov	[edi+eax*8+24h], ecx

loc_807743:				; CODE XREF: CmpComputeComponentHashes+253j
		mov	ecx, [ebp+var_8]
		mov	edi, [ebp+var_10]
		movzx	eax, cx
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		test	ax, ax
		jz	short loc_807796
		mov	edi, [ebp+var_C]
		dec	ax
		shr	ax, 1
		inc	ax
		movzx	edx, ax
		mov	[ebp+var_1C], edx

loc_807766:				; CODE XREF: CmpComputeComponentHashes+111j
		movzx	eax, word ptr [edi]
		cmp	eax, 61h
		jb	short loc_80777D
		cmp	eax, 7Ah
		ja	loc_80787F
		add	eax, 0FFFFFFE0h

loc_80777A:				; CODE XREF: CmpComputeComponentHashes+20Cj
		movzx	eax, ax

loc_80777D:				; CODE XREF: CmpComputeComponentHashes+ECj
		imul	ecx, 25h
		add	edi, 2
		movzx	eax, ax
		add	ecx, eax
		sub	edx, 1
		mov	[ebp+var_8], ecx
		mov	[ebp+var_1C], edx
		jnz	short loc_807766
		mov	edi, [ebp+var_10]

loc_807796:				; CODE XREF: CmpComputeComponentHashes+D4j
		mov	edx, [ebp+var_18]
		mov	eax, [ebp+arg_0]
		cmp	edx, 8
		jnb	loc_8078D8
		mov	[eax+edx*4], ecx

loc_8077A8:				; CODE XREF: CmpComputeComponentHashes+25Fj
		test	si, si
		jz	short loc_8077CE
		mov	eax, 0FFFEh

loc_8077B2:				; CODE XREF: CmpComputeComponentHashes+141j
		cmp	word ptr [edi],	5Ch
		jnz	short loc_8077C3
		add	edi, 2
		add	bx, ax
		add	si, ax
		jnz	short loc_8077B2

loc_8077C3:				; CODE XREF: CmpComputeComponentHashes+136j
		mov	word ptr [ebp+var_2C], si
		mov	word ptr [ebp+var_2C+2], bx
		mov	[ebp+var_10], edi

loc_8077CE:				; CODE XREF: CmpComputeComponentHashes+12Bj
		mov	eax, [ebp+var_2C]
		mov	edx, 0FFFEh
		mov	[ebp+var_8], eax
		mov	[ebp+var_34], eax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_C], edi
		jmp	loc_8076F5
; 

loc_8077E7:				; CODE XREF: CmpComputeComponentHashes+55j
					; CmpComputeComponentHashes+78j
		mov	ebx, [ebp+var_C]

loc_8077EA:				; CODE XREF: CmpComputeComponentHashes+42j
		movzx	edi, ax
		test	si, si
		jnz	loc_91B2BA
		mov	esi, [ebp+arg_0]
		inc	eax
		mov	[ebp+var_14], eax
		cmp	ax, 8
		jg	loc_8078E4

loc_807807:				; CODE XREF: CmpComputeComponentHashes+268j
					; CmpComputeComponentHashes+277j
		movsx	ecx, di
		mov	[ebp+var_1C], ecx
		cmp	ecx, 8
		jnb	loc_807902
		mov	eax, [ebp+var_8]
		mov	[esi+ecx*8+20h], eax
		mov	[esi+ecx*8+24h], ebx

loc_807821:				; CODE XREF: CmpComputeComponentHashes+290j
		mov	ax, word ptr [ebp+var_34]
		xor	esi, esi
		test	ax, ax
		jz	short loc_80785C
		dec	ax
		shr	ax, 1
		inc	ax
		movzx	edi, ax

loc_807836:				; CODE XREF: CmpComputeComponentHashes+1D7j
		movzx	eax, word ptr [ebx]
		cmp	eax, 61h
		jb	short loc_807849
		cmp	eax, 7Ah
		ja	short loc_807891
		add	eax, 0FFFFFFE0h

loc_807846:				; CODE XREF: CmpComputeComponentHashes+218j
		movzx	eax, ax

loc_807849:				; CODE XREF: CmpComputeComponentHashes+1BCj
		imul	esi, 25h
		add	ebx, 2
		movzx	eax, ax
		add	esi, eax
		sub	edi, 1
		jnz	short loc_807836
		mov	ecx, [ebp+var_1C]

loc_80785C:				; CODE XREF: CmpComputeComponentHashes+1AAj
		mov	eax, [ebp+arg_0]
		cmp	ecx, 8
		jnb	loc_807915
		mov	[eax+ecx*4], esi

loc_80786B:				; CODE XREF: CmpComputeComponentHashes+29Cj
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_14]
		mov	[ecx], ax
		xor	eax, eax

loc_807876:				; CODE XREF: CmpComputeComponentHashes+22Ej
					; CmpComputeComponentHashes+27Dj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_80787F:				; CODE XREF: CmpComputeComponentHashes+F1j
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_1C]
		jmp	loc_80777A
; 

loc_807891:				; CODE XREF: CmpComputeComponentHashes+1C1j
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		jmp	short loc_807846
; 

loc_80789A:				; CODE XREF: CmpComputeComponentHashes+9Bj
		cmp	[ebp+var_1], 0
		jnz	loc_807721
		mov	ecx, [ebp+arg_0]
		call	_CmpExpandPathInfo@4 ; CmpExpandPathInfo(x)
		test	eax, eax
		js	short loc_807876
		mov	eax, [ebp+var_14]
		mov	[ebp+var_1], 1
		jmp	loc_807721
; 

loc_8078BC:				; CODE XREF: CmpComputeComponentHashes+ACj
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_18]
		mov	edi, [ebp+var_18]
		mov	eax, [eax+60h]
		mov	[eax+ecx*8+20h], edx
		mov	ecx, [ebp+var_C]
		mov	[eax+edi*8+24h], ecx
		jmp	loc_807743
; 

loc_8078D8:				; CODE XREF: CmpComputeComponentHashes+11Fj
		mov	eax, [eax+60h]
		mov	[eax+edx*4-20h], ecx
		jmp	loc_8077A8
; 

loc_8078E4:				; CODE XREF: CmpComputeComponentHashes+181j
		cmp	[ebp+var_1], 0
		jnz	loc_807807
		mov	ecx, esi
		call	_CmpExpandPathInfo@4 ; CmpExpandPathInfo(x)
		test	eax, eax
		jns	loc_807807
		jmp	loc_807876
; 

loc_807902:				; CODE XREF: CmpComputeComponentHashes+190j
		mov	eax, [esi+60h]
		mov	edx, [ebp+var_8]
		mov	[eax+ecx*8+20h], edx
		mov	[eax+ecx*8+24h], ebx
		jmp	loc_807821
; 

loc_807915:				; CODE XREF: CmpComputeComponentHashes+1E2j
		mov	eax, [eax+60h]
		mov	[eax+ecx*4-20h], esi
		jmp	loc_80786B
; 

loc_807921:				; CODE XREF: CmpComputeComponentHashes+34j
		xor	eax, eax
		pop	edi
		mov	[esi], ax
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
CmpComputeComponentHashes endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1987. RtlCompareUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCompareUnicodeString(x, x, x)
		public _RtlCompareUnicodeString@12
_RtlCompareUnicodeString@12 proc near	; CODE XREF: FsRtlCompareNodeAndKey+40p
					; KsepCacheHwIdEqual(x,x)+15p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	dl, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [eax+4]
		push	edi
		movzx	edi, word ptr [eax]
		movzx	eax, word ptr [ecx]
		shr	edi, 1
		shr	eax, 1
		mov	[ebp+var_4], edi
		mov	[ebp+arg_4], eax
		cmp	edi, eax
		ja	short loc_80796B
		mov	eax, edi

loc_80796B:				; CODE XREF: RtlCompareUnicodeString(x,x,x)+27j
		lea	ebx, [esi+eax*2]
		cmp	esi, ebx
		jnb	short loc_807996
		test	dl, dl
		jz	short loc_8079CD
		mov	eax, [ecx+4]
		sub	eax, esi
		mov	[ebp+arg_0], eax
		mov	edi, edi

loc_807980:				; CODE XREF: RtlCompareUnicodeString(x,x,x)+51j
		movzx	ecx, word ptr [esi]
		movzx	edi, word ptr [eax+esi]
		cmp	cx, di
		jnz	short loc_80799D

loc_80798C:				; CODE XREF: RtlCompareUnicodeString(x,x,x)+8Bj
		add	esi, 2
		cmp	esi, ebx
		jb	short loc_807980
		mov	edi, [ebp+var_4]

loc_807996:				; CODE XREF: RtlCompareUnicodeString(x,x,x)+30j
					; RtlCompareUnicodeString(x,x,x)+A5j
		sub	edi, [ebp+arg_4]
		mov	eax, edi
		jmp	short loc_8079BF
; 

loc_80799D:				; CODE XREF: RtlCompareUnicodeString(x,x,x)+4Aj
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		movzx	eax, ax
		mov	ecx, edi
		mov	dword ptr [ebp+arg_8], eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		movzx	ecx, ax
		mov	eax, dword ptr [ebp+arg_8]
		cmp	ax, cx
		jz	short loc_8079C8
		movzx	eax, ax

loc_8079BD:				; CODE XREF: RtlCompareUnicodeString(x,x,x)+9Cj
		sub	eax, ecx

loc_8079BF:				; CODE XREF: RtlCompareUnicodeString(x,x,x)+5Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8079C8:				; CODE XREF: RtlCompareUnicodeString(x,x,x)+78j
		mov	eax, [ebp+arg_0]
		jmp	short loc_80798C
; 

loc_8079CD:				; CODE XREF: RtlCompareUnicodeString(x,x,x)+34j
		mov	edx, [ecx+4]
		sub	edx, esi

loc_8079D2:				; CODE XREF: RtlCompareUnicodeString(x,x,x)+A3j
		movzx	eax, word ptr [esi]
		movzx	ecx, word ptr [edx+esi]
		cmp	ax, cx
		jnz	short loc_8079BD
		add	esi, 2
		cmp	esi, ebx
		jb	short loc_8079D2
		jmp	short loc_807996
_RtlCompareUnicodeString@12 endp

; 
		align 10h
; Exported entry 2062. RtlEqualUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlEqualUnicodeString(x, x,	x)
		public _RtlEqualUnicodeString@12
_RtlEqualUnicodeString@12 proc near	; CODE XREF: AuthzBasepEqualUnicodeString+1Ap
					; .text:005136A1p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	dl, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		movzx	ecx, word ptr [ebx]
		movzx	eax, word ptr [edi]
		cmp	eax, ecx
		jz	short loc_807A14

loc_807A0B:				; CODE XREF: RtlEqualUnicodeString(x,x,x)+77j
					; RtlEqualUnicodeString(x,x,x)+96j
		pop	edi
		pop	esi
		xor	al, al
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_807A14:				; CODE XREF: RtlEqualUnicodeString(x,x,x)+19j
		mov	edi, [edi+4]
		mov	ebx, [ebx+4]
		lea	esi, [eax+edi]
		mov	[ebp+arg_0], esi
		cmp	eax, 4
		jb	short loc_807A3B

loc_807A25:				; CODE XREF: RtlEqualUnicodeString(x,x,x)+49j
		mov	ecx, [edi]
		cmp	ecx, [ebx]
		jnz	short loc_807A3B
		sub	eax, 4
		jz	short loc_807A73
		add	edi, 4
		add	ebx, 4
		cmp	eax, 4
		jnb	short loc_807A25

loc_807A3B:				; CODE XREF: RtlEqualUnicodeString(x,x,x)+33j
					; RtlEqualUnicodeString(x,x,x)+39j
		cmp	edi, esi
		jnb	short loc_807A73
		test	dl, dl
		jz	short loc_807A80
		sub	ebx, edi

loc_807A45:				; CODE XREF: RtlEqualUnicodeString(x,x,x)+81j
		movzx	eax, word ptr [edi]
		movzx	ecx, word ptr [ebx+edi]
		mov	dword ptr [ebp+arg_8], eax
		cmp	ax, cx
		jz	short loc_807A6C
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, dword ptr [ebp+arg_8]
		mov	si, ax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		cmp	ax, si
		jnz	short loc_807A0B
		mov	esi, [ebp+arg_0]

loc_807A6C:				; CODE XREF: RtlEqualUnicodeString(x,x,x)+62j
		add	edi, 2
		cmp	edi, esi
		jb	short loc_807A45

loc_807A73:				; CODE XREF: RtlEqualUnicodeString(x,x,x)+3Ej
					; RtlEqualUnicodeString(x,x,x)+4Dj ...
		pop	edi
		pop	esi
		mov	al, 1
		pop	ebx
		pop	ebp
		retn	0Ch
; 
		align 10h

loc_807A80:				; CODE XREF: RtlEqualUnicodeString(x,x,x)+51j
					; RtlEqualUnicodeString(x,x,x)+A2j
		mov	ax, [edi]
		cmp	ax, [ebx]
		jnz	short loc_807A0B
		add	edi, 2
		add	ebx, 2
		cmp	edi, esi
		jnb	short loc_807A73
		jmp	short loc_807A80
_RtlEqualUnicodeString@12 endp

; 
		align 10h
; Exported entry 2390. RtlUpcaseUnicodeChar

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUpcaseUnicodeChar(x)
		public _RtlUpcaseUnicodeChar@4
_RtlUpcaseUnicodeChar@4	proc near	; CODE XREF: AuthzBasepUnicodeStringFromOperandValue+DAp
					; _towupper+8p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	ax, 61h
		jb	short loc_807AB7
		cmp	ax, 7Ah
		ja	short loc_807ABE
		add	eax, 0FFFFFFE0h

loc_807AB7:				; CODE XREF: RtlUpcaseUnicodeChar(x)+Cj
		movzx	eax, ax

loc_807ABA:				; CODE XREF: RtlUpcaseUnicodeChar(x)+5Fj
		pop	ebp
		retn	4
; 

loc_807ABE:				; CODE XREF: RtlUpcaseUnicodeChar(x)+12j
		push	edi
		mov	edi, ds:_Nls844UnicodeUpcaseTable
		test	edi, edi
		jz	short loc_807B01
		mov	ecx, 0C0h
		cmp	ax, cx
		jb	short loc_807B01
		push	esi
		movzx	esi, ax
		mov	ecx, esi
		shr	ecx, 8
		movzx	edx, word ptr [edi+ecx*2]
		mov	ecx, esi
		shr	ecx, 4
		and	esi, 0Fh
		and	ecx, 0Fh
		add	edx, ecx
		movzx	ecx, word ptr [edi+edx*2]
		add	ecx, esi
		pop	esi
		mov	cx, [edi+ecx*2]
		add	cx, ax
		movzx	eax, cx

loc_807AFE:				; CODE XREF: RtlUpcaseUnicodeChar(x)+64j
		pop	edi
		jmp	short loc_807ABA
; 

loc_807B01:				; CODE XREF: RtlUpcaseUnicodeChar(x)+27j
					; RtlUpcaseUnicodeChar(x)+31j
		movzx	eax, ax
		jmp	short loc_807AFE
_RtlUpcaseUnicodeChar@4	endp

; 
		align 10h

SepCaptureUnicodeStringArray:		; CODE XREF: SepCaptureTokenSecurityAttributesInformation+3D9p
					; PAGE:0080712Fp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5560
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	esi, edx
		mov	dword ptr [ebp-20h], 0
		mov	eax, [ebp+0Ch]
		mov	dword ptr [eax], 0
		test	ecx, ecx
		jz	loc_807CFF

loc_807B5F:				; CODE XREF: PAGE:00807D05j
		test	esi, esi
		jz	loc_807D21
		test	ecx, ecx
		jz	loc_807D0B
		mov	ebx, [ebp+8]
		test	bl, bl
		jz	loc_807D28
		lea	eax, [ebp-20h]
		push	eax
		push	ebx
		call	SeCaptureUnicodeStringStructures
		test	eax, eax
		js	loc_807CEB
		mov	eax, esi
		mov	ecx, 8
		mul	ecx
		test	edx, edx
		jb	short loc_807BA8
		ja	loc_91B36A
		cmp	eax, 0FFFFFFFFh
		ja	loc_91B36A

loc_807BA8:				; CODE XREF: PAGE:00807B97j
		lea	ecx, [eax+1]
		and	ecx, 0FFFFFFFEh
		cmp	ecx, eax
		jb	loc_91B2C4
		xor	edx, edx
		mov	edi, [ebp-20h]
		mov	[ebp-24h], edi

loc_807BBE:				; CODE XREF: PAGE:00807BD6j
		mov	[ebp-2Ch], ecx
		cmp	edx, esi
		jnb	short loc_807BD8
		movzx	eax, word ptr [edi+edx*8]
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_91B2DD
		mov	ecx, eax
		inc	edx
		jmp	short loc_807BBE
; 

loc_807BD8:				; CODE XREF: PAGE:00807BC3j
		push	74416553h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp-48h], ebx
		test	ebx, ebx
		jz	loc_91B2F6
		lea	edi, ds:0[esi*8]
		push	edi
		push	dword ptr [ebp-24h]
		push	ebx
		call	_memcpy
		add	esp, 0Ch
		lea	ecx, [edi+1]
		add	ecx, ebx
		and	ecx, 0FFFFFFFEh
		mov	[ebp-1Ch], ecx
		mov	[ebp-40h], ecx
		mov	dword ptr [ebp-4], 0
		xor	edi, edi

loc_807C1D:				; CODE XREF: PAGE:00807CC2j
		mov	[ebp-44h], edi
		cmp	edi, esi
		jnb	loc_807CC7
		mov	eax, [ebp-24h]
		lea	edx, [eax+edi*8]
		mov	[ebp-3Ch], edx
		movzx	eax, word ptr [edx]
		mov	[ebp-30h], eax
		movzx	ecx, ax
		mov	[ebp-34h], ecx
		movzx	ecx, cx
		mov	[ebp-38h], ecx
		test	ax, ax
		mov	ecx, [ebp-1Ch]
		jz	loc_91B321
		mov	eax, [edx+4]
		mov	[ebp-28h], eax
		test	al, 1
		jnz	loc_807D2C
		mov	eax, [ebp-30h]
		movzx	eax, ax
		add	eax, [ebp-28h]
		mov	[ebp-30h], eax
		mov	ecx, ds:_MmUserProbeAddress
		mov	[ebp-38h], ecx
		cmp	eax, ecx
		mov	ecx, [ebp-1Ch]
		ja	loc_91B313
		mov	eax, [ebp-34h]
		movzx	eax, ax
		mov	ecx, [ebp-30h]
		cmp	ecx, [ebp-28h]
		mov	ecx, [ebp-1Ch]
		jb	loc_91B313

loc_807C92:				; CODE XREF: PAGE:0091B31Cj
					; PAGE:0091B324j
		movzx	eax, ax
		push	eax
		mov	eax, [edx+4]
		push	eax
		push	ecx
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp-1Ch]
		mov	[ebx+edi*8+4], ecx
		mov	ax, [ebx+edi*8]
		mov	[ebx+edi*8+2], ax
		mov	eax, [ebp-3Ch]
		movzx	eax, word ptr [eax]
		add	ecx, eax
		mov	[ebp-1Ch], ecx
		mov	[ebp-40h], ecx
		inc	edi
		jmp	loc_807C1D
; 

loc_807CC7:				; CODE XREF: PAGE:00807C22j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp+8]
		cmp	al, 1
		jnz	short loc_807CE4
		mov	eax, [ebp-24h]
		test	eax, eax
		jz	short loc_807CE4
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_807CE4:				; CODE XREF: PAGE:00807CD3j
					; PAGE:00807CDAj
		mov	eax, [ebp+0Ch]
		mov	[eax], ebx
		xor	eax, eax

loc_807CEB:				; CODE XREF: PAGE:00807B86j
					; PAGE:00807D26j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_807CFF:				; CODE XREF: PAGE:00807B59j
		test	esi, esi
		jnz	short loc_807D21
		test	ecx, ecx
		jnz	loc_807B5F

loc_807D0B:				; CODE XREF: PAGE:00807B69j
					; PAGE:00807D2Aj
		xor	eax, eax
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_807D21:				; CODE XREF: PAGE:00807B61j
					; PAGE:00807D01j
		mov	eax, 0C000000Dh
		jmp	short loc_807CEB
; 

loc_807D28:				; CODE XREF: PAGE:00807B74j
		mov	[eax], ecx
		jmp	short loc_807D0B
; 

loc_807D2C:				; CODE XREF: PAGE:00807C57j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeCaptureUnicodeStringStructures proc near ; CODE XREF:	PAGE:00807B7Fp

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0091B388 SIZE 0000003D BYTES
; FUNCTION CHUNK AT 0091B3ED SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5580
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, edx
		mov	ebx, ecx
		xor	edx, edx
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		test	ebx, ebx
		jz	loc_91B388

loc_807D88:				; CODE XREF: SeCaptureUnicodeStringStructures+11364Ej
		test	esi, esi
		jz	loc_91B39B
		test	ebx, ebx
		jz	loc_91B394
		cmp	byte ptr [ebp+arg_0], dl
		jz	loc_91B3A5
		mov	eax, esi
		mov	ecx, 8
		mul	ecx
		mov	edi, eax
		test	edx, edx
		jb	short loc_807DBF
		ja	loc_91B3AE
		cmp	edi, 0FFFFFFFFh
		ja	loc_91B3AE

loc_807DBF:				; CODE XREF: SeCaptureUnicodeStringStructures+6Ej
		xor	eax, eax

loc_807DC1:				; CODE XREF: SeCaptureUnicodeStringStructures+113676j
		mov	[ebp+arg_0], eax
		mov	[ebp+var_20], edi
		test	eax, eax
		js	loc_91B3ED
		push	73556553h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_28], edx
		test	edx, edx
		jz	loc_91B3BB
		mov	[ebp+var_4], 0
		test	edi, edi
		jz	short loc_807E0A
		test	bl, 3
		jnz	short loc_807E52
		lea	eax, [edi+ebx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_807E57
		cmp	eax, ebx
		jb	short loc_807E57

loc_807E0A:				; CODE XREF: SeCaptureUnicodeStringStructures+B2j
					; SeCaptureUnicodeStringStructures+11Aj
		xor	ecx, ecx

loc_807E0C:				; CODE XREF: SeCaptureUnicodeStringStructures+E5j
		mov	[ebp+var_1C], ecx
		cmp	ecx, esi
		jnb	short loc_807E27
		mov	eax, [ebx+ecx*8]
		mov	[edx+ecx*8], eax
		mov	eax, [ebx+ecx*8+4]
		mov	[edx+ecx*8+4], eax
		mov	ecx, [ebp+var_1C]
		inc	ecx
		jmp	short loc_807E0C
; 

loc_807E27:				; CODE XREF: SeCaptureUnicodeStringStructures+D1j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+arg_0]

loc_807E31:				; CODE XREF: sub_91B3D5+13j
		test	eax, eax
		js	loc_91B3EF
		mov	ecx, [ebp+arg_4]
		mov	[ecx], edx

loc_807E3E:				; CODE XREF: SeCaptureUnicodeStringStructures+1136B1j
					; SeCaptureUnicodeStringStructures+1136C2j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_807E52:				; CODE XREF: SeCaptureUnicodeStringStructures+B7j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_807E57:				; CODE XREF: SeCaptureUnicodeStringStructures+C4j
					; SeCaptureUnicodeStringStructures+C8j
		mov	byte ptr [ecx],	0
		jmp	short loc_807E0A
SeCaptureUnicodeStringStructures endp


;  S U B	R O U T	I N E 


; __stdcall CmpKeyNodeNeedsAccessBitUpdate(x, x)
_CmpKeyNodeNeedsAccessBitUpdate@8 proc near ; CODE XREF: CmpGetKeyNodeForKcb:loc_74DB02p
					; CmEnumerateKey+17Bp
		test	dword ptr [ecx+64h], 8001h
		jnz	short loc_807E6F
		mov	al, _CmpAccessBitForPhase
		test	[edx+0Ch], al
		jz	short loc_807E72

loc_807E6F:				; CODE XREF: CmpKeyNodeNeedsAccessBitUpdate(x,x)+7j
		xor	al, al
		retn
; 

loc_807E72:				; CODE XREF: CmpKeyNodeNeedsAccessBitUpdate(x,x)+11j
		mov	al, 1
		retn
_CmpKeyNodeNeedsAccessBitUpdate@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpQueryKeyDataFromNode	proc near	; CODE XREF: CmpEnumerateLayeredKey+1FEp
					; CmpQueryKeyData(x,x,x,x,x,x)+5Dp ...

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0091B407 SIZE 0000000A BYTES
; FUNCTION CHUNK AT 0091B426 SIZE 00000018 BYTES
; FUNCTION CHUNK AT 0091B459 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A55A0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 60h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, edx
		mov	ebx, ecx
		mov	[ebp+var_28], ebx
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_3C], 0FFFFFFFFh
		xor	eax, eax
		mov	word ptr [ebp+var_38], ax
		push	30h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_70]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_807FAD
		push	[ebp+arg_14]
		mov	edx, esi
		mov	ecx, [ebp+arg_10]
		call	CmGetKeyLastWriteTime
		mov	ebx, eax
		mov	[ebp+var_4], edi
		movzx	eax, word ptr [esi+48h]
		test	byte ptr [esi+2], 20h
		jz	short loc_807F0F
		add	eax, eax
		movzx	eax, ax

loc_807F0F:				; CODE XREF: CmpQueryKeyDataFromNode+88j
		movzx	ecx, ax
		lea	eax, [ecx+10h]
		mov	[ebp+arg_10], eax
		mov	eax, [ebp+arg_C]
		mov	edi, [ebp+arg_10]
		mov	[eax], edi
		mov	eax, [ebp+arg_8]
		cmp	eax, 10h
		mov	edi, [ebp+arg_4]
		jb	loc_8080B3
		mov	[edi], ebx
		mov	[edi+4], edx
		mov	dword ptr [edi+8], 0
		mov	[edi+0Ch], ecx
		lea	edx, [eax-10h]
		test	byte ptr [esi+2], 20h
		jz	loc_91B459
		movzx	eax, word ptr [esi+48h]
		mov	[ebp+var_24], 0
		shr	edx, 1
		cmp	edx, eax
		jb	short loc_807F5E
		mov	edx, eax

loc_807F5E:				; CODE XREF: CmpQueryKeyDataFromNode+DAj
		xor	eax, eax

loc_807F60:				; CODE XREF: CmpQueryKeyDataFromNode+F2j
		mov	[ebp+var_24], eax
		cmp	eax, edx
		jnb	short loc_807F74
		movzx	ecx, byte ptr [eax+esi+4Ch]
		mov	[edi+eax*2+10h], cx
		inc	eax
		jmp	short loc_807F60
; 

loc_807F74:				; CODE XREF: CmpQueryKeyDataFromNode+E5j
					; CmpQueryKeyDataFromNode+1135F0j
		mov	eax, [ebp+arg_10]
		cmp	[ebp+arg_8], eax
		jb	loc_8080A9
		xor	edi, edi

loc_807F82:				; CODE XREF: CmpQueryKeyDataFromNode+22Ej
					; CmpQueryKeyDataFromNode+238j
		mov	[ebp+var_20], edi

loc_807F85:				; CODE XREF: CmpQueryKeyDataFromNode+177j
					; sub_91B485+9j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_807F8C:				; CODE XREF: CmpQueryKeyDataFromNode+1B0j
					; CmpQueryKeyDataFromNode+1CDj	...
		mov	ebx, [ebp+var_1C]

loc_807F8F:				; CODE XREF: CmpQueryKeyDataFromNode+224j
		test	ebx, ebx
		jnz	loc_8080D5

loc_807F97:				; CODE XREF: CmpQueryKeyDataFromNode+262j
		mov	eax, edi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_807FAD:				; CODE XREF: CmpQueryKeyDataFromNode+68j
		sub	eax, 1
		jnz	short loc_807FF9
		push	[ebp+arg_14]
		mov	edx, esi
		mov	ecx, [ebp+arg_10]
		call	CmGetKeyLastWriteTime
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], edi
		cmp	[esi+4Ah], di
		ja	loc_91B426

loc_807FD2:				; CODE XREF: CmpQueryKeyDataFromNode+1135B9j
		mov	[ebp+var_4], 1
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		movzx	eax, word ptr [esi+4Ah]
		push	eax		; size_t
		push	edi		; void *
		mov	edx, esi
		lea	ecx, [ebp+var_70]
		call	CmpPopulateKeyNodeInformation
		mov	edi, eax

loc_807FF4:				; CODE XREF: sub_91B44E+6j
		mov	[ebp+var_20], edi
		jmp	short loc_807F85
; 

loc_807FF9:				; CODE XREF: CmpQueryKeyDataFromNode+130j
		sub	eax, 1
		jnz	loc_91B407
		mov	ebx, [ebp+arg_14]
		push	ebx
		mov	edx, esi
		mov	ecx, [ebp+arg_10]
		call	CmGetKeyLastWriteTime
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], edi
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		push	ebx
		mov	edx, esi
		mov	ecx, [ebp+arg_10]
		call	CmGetVisibleMaxNameLenAndClassLen
		mov	edi, eax
		test	edi, edi
		js	loc_807F8C
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	ebx
		mov	edx, esi
		mov	ecx, [ebp+arg_10]
		call	CmGetVisibleMaxValueNameLenAndDataLen
		mov	edi, eax
		test	edi, edi
		js	loc_807F8C
		push	ebx
		mov	edx, esi
		mov	ecx, [ebp+arg_10]
		call	CmGetVisibleSubkeyCount
		mov	[ebp+var_5C], eax
		push	ebx
		mov	edx, esi
		mov	ecx, [ebp+arg_10]
		call	CmGetVisibleValueCount
		mov	[ebp+var_50], eax
		cmp	word ptr [esi+4Ah], 0
		ja	short loc_8080BD
		mov	ebx, [ebp+var_1C]

loc_808079:				; CODE XREF: CmpQueryKeyDataFromNode+253j
		mov	[ebp+var_4], 2
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		movzx	eax, word ptr [esi+4Ah]
		push	eax
		mov	edx, ebx
		lea	ecx, [ebp+var_70]
		call	_CmpPopulateKeyFullInformation@24 ; CmpPopulateKeyFullInformation(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_20], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_807F8F
; 

loc_8080A9:				; CODE XREF: CmpQueryKeyDataFromNode+FAj
		mov	edi, 80000005h
		jmp	loc_807F82
; 

loc_8080B3:				; CODE XREF: CmpQueryKeyDataFromNode+A9j
		mov	edi, 0C0000023h
		jmp	loc_807F82
; 

loc_8080BD:				; CODE XREF: CmpQueryKeyDataFromNode+1F4j
		mov	eax, [esi+30h]
		lea	ecx, [ebp+var_3C]
		push	ecx
		push	eax
		mov	eax, [ebp+var_28]
		push	eax
		mov	eax, [eax+4]
		call	eax
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		jmp	short loc_808079
; 

loc_8080D5:				; CODE XREF: CmpQueryKeyDataFromNode+111j
		lea	eax, [ebp+var_3C]
		push	eax
		mov	eax, [ebp+var_28]
		push	eax
		mov	eax, [eax+8]
		call	eax
		jmp	loc_807F97
CmpQueryKeyDataFromNode	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmGetKeyLastWriteTime proc near		; CODE XREF: CmpQueryKeyDataFromCache+DCp
					; CmpQueryKeyDataFromNode+76p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0091B493 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		push	esi
		push	edi
		test	edx, edx
		jz	short loc_80810D
		mov	esi, [edx+4]
		mov	edi, [edx+8]
		test	ecx, ecx
		jnz	short loc_808113

loc_808103:				; CODE XREF: CmGetKeyLastWriteTime+2Fj
					; CmGetKeyLastWriteTime+1133E2j
		mov	edx, edi
		mov	eax, esi
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_80810D:				; CODE XREF: CmGetKeyLastWriteTime+Fj
		mov	esi, [ecx+58h]
		mov	edi, [ecx+5Ch]

loc_808113:				; CODE XREF: CmGetKeyLastWriteTime+19j
		cmp	[ebp+arg_0], 0
		jz	short loc_808103
		jmp	loc_91B493
CmGetKeyLastWriteTime endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpWalkOneLevel	proc near		; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+1F6p
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+A9Ep

var_8C		= dword	ptr -8Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= byte ptr  24h
arg_1F		= byte ptr  27h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 0091B4CF SIZE 00000168 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ecx
		mov	[ebp+var_4C], 0
		push	ebx
		mov	[ebp+var_C], eax
		xor	ecx, ecx
		push	esi
		mov	ax, [eax+22h]
		mov	esi, [ebp+arg_14]
		dec	ax
		push	edi
		movzx	edi, ax
		mov	[ebp+var_48], 0
		mov	[ebp+var_8], edx
		mov	[ebp+var_34], 0
		mov	[ebp+var_4C], 0FFFFFFFFh
		mov	word ptr [ebp+var_48], cx
		mov	[ebp+var_24], 0FFFFFFFFh
		mov	[ebp+var_10], ecx
		mov	[ebp+var_3C], esi
		test	di, di
		jns	loc_8087E0

loc_808177:				; CODE XREF: CmpWalkOneLevel+779j
		mov	eax, [ebp+arg_4]
		or	ecx, 0FFFFFFFFh
		xor	ebx, ebx
		mov	[eax+2], cx

loc_808183:				; CODE XREF: CmpWalkOneLevel+71Aj
		movzx	eax, bx
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_C]
		cmp	bx, [eax+22h]
		jg	loc_80821B

loc_808196:				; CODE XREF: CmpWalkOneLevel+F5j
		mov	eax, [ebp+var_8]
		movsx	ecx, bx
		cmp	bx, 2
		jge	loc_91B4DB
		mov	edi, [eax+ecx*4+4]

loc_8081AA:				; CODE XREF: CmpWalkOneLevel+1133C2j
		mov	edi, [edi+10h]
		mov	ecx, edi
		push	esi
		mov	[ebp+arg_14], edi
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		xor	edx, edx
		lea	ecx, [eax+eax*2]
		mov	eax, [edi+434h]
		lea	edi, [eax+ecx*4]
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+4], eax
		mov	edi, [ebp+arg_14]
		mov	edx, [edi+9D8h]
		lea	eax, [edi+9D8h]
		mov	[ebp+var_40], eax
		test	edx, edx
		jz	loc_91B4E7

loc_8081F0:				; CODE XREF: CmpWalkOneLevel+6B2j
		mov	edi, [ebp+var_40]
		lea	ecx, [edx+1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	edi, [ebp+arg_14]
		cmp	eax, edx
		jnz	loc_8087CE
		movzx	eax, bx
		inc	ebx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_C]
		cmp	bx, [eax+22h]
		jle	loc_808196

loc_80821B:				; CODE XREF: CmpWalkOneLevel+70j
		mov	ebx, [ebp+var_8]
		xor	edx, edx
		xor	edi, edi
		movzx	eax, word ptr [ebx+2]
		mov	ecx, eax
		cmp	dx, ax
		jg	short loc_808261
		mov	esi, ebx
		nop

loc_808230:				; CODE XREF: CmpWalkOneLevel+137j
		movsx	ebx, di
		cmp	di, 2
		jge	loc_91B4F4
		mov	ebx, [esi+ebx*4+4]

loc_808241:				; CODE XREF: CmpWalkOneLevel+1133DBj
		lea	ecx, [ebx+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [ebx+1Ch]
		movzx	eax, word ptr [esi+2]
		inc	edi
		cmp	di, ax
		jle	short loc_808230
		mov	esi, [ebp+var_3C]
		mov	ecx, eax
		mov	ebx, [ebp+var_8]

loc_808261:				; CODE XREF: CmpWalkOneLevel+10Bj
		mov	[ebp+var_30], 0
		movzx	edi, cx
		test	cx, cx
		js	loc_808855
		jmp	short loc_808280
; 
		align 10h

loc_808280:				; CODE XREF: CmpWalkOneLevel+154j
					; CmpWalkOneLevel+72Fj
		movsx	ecx, di
		cmp	di, 2
		jge	loc_91B500
		mov	ecx, [ebx+ecx*4+4]

loc_808291:				; CODE XREF: CmpWalkOneLevel+1133E7j
		xor	edx, edx
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		cmp	eax, 1
		jz	loc_808855
		cmp	dword ptr [ecx+14h], 0FFFFFFFFh
		jz	loc_80884B
		mov	edi, [ebp+arg_18]
		test	edi, edi
		jnz	loc_8088C7

loc_8082B6:				; CODE XREF: CmpWalkOneLevel+7C2j
		mov	ecx, [ebp+var_C]
		mov	edx, [ecx+80h]
		test	edx, edx
		jnz	loc_91B546

loc_8082C7:				; CODE XREF: CmpWalkOneLevel+11343Ej
		test	dword ptr [ecx+68h], 20000h
		jnz	loc_91B563
		mov	edi, [ebp+arg_20]
		test	byte ptr [edi+60h], 1
		jnz	short loc_8082FD
		mov	ecx, dword_6CDE84
		lea	eax, [edi+64h]
		xor	edx, edx
		push	eax
		test	ecx, ecx
		jz	loc_91B56D

loc_8082F1:				; CODE XREF: CmpWalkOneLevel+11345Aj
		call	KiStackAttachProcess
		or	dword ptr [edi+60h], 1
		mov	ecx, [ebp+var_C]

loc_8082FD:				; CODE XREF: CmpWalkOneLevel+1BBj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_80887B
		xor	edx, edx

loc_80830A:				; CODE XREF: CmpWalkOneLevel+764j
		mov	[ebp+var_2C], edx
		cmp	dx, [ecx+22h]
		jg	loc_91B5D2
		mov	edi, [ebp+var_C]
		lea	ebx, [ebx+0]

loc_808320:				; CODE XREF: CmpWalkOneLevel+7A2j
		movsx	ecx, dx
		mov	[ebp+var_40], ecx
		cmp	dx, 2
		jge	loc_91B57F
		mov	ebx, [ebx+ecx*4+4]

loc_808334:				; CODE XREF: CmpWalkOneLevel+113466j
		mov	ecx, [ebx+14h]
		mov	[ebp+var_14], ebx
		cmp	ecx, 0FFFFFFFFh
		jz	loc_808873
		mov	eax, [ebx+10h]
		lea	edx, [ebp+var_4C]
		push	edx
		push	ecx
		push	eax
		mov	eax, [eax+4]
		call	eax
		mov	edi, eax
		mov	eax, [ebx+10h]
		test	dword ptr [eax+64h], 8001h
		jnz	short loc_80836E
		mov	cl, _CmpAccessBitForPhase
		test	[edi+0Ch], cl
		jz	loc_8088E7

loc_80836E:				; CODE XREF: CmpWalkOneLevel+23Dj
					; CmpWalkOneLevel+826j
		mov	eax, [ebx+10h]
		mov	ebx, 0C0000034h
		mov	[ebp+arg_18], eax
		or	eax, 0FFFFFFFFh
		mov	ecx, [ebp+arg_18]
		mov	[ebp+var_3C], eax
		xor	eax, eax
		mov	[ebp+arg_14], ebx
		mov	[ebp+var_54], 0FFFFFFFFh
		mov	[ebp+var_50], 0
		mov	[ebp+var_18], 0
		mov	[ebp+var_44], 0
		mov	[ebp+var_30], eax
		cmp	[ecx+98h], eax
		jbe	loc_8084B8
		add	edi, 1Ch
		mov	[ebp+var_38], edi
		jmp	short loc_8083C0
; 
		align 10h

loc_8083C0:				; CODE XREF: CmpWalkOneLevel+298j
					; CmpWalkOneLevel+392j
		cmp	dword ptr [edi-8], 0
		jz	loc_8084A2
		mov	eax, [edi]
		lea	ecx, [ebp+var_54]
		push	ecx
		push	eax
		mov	eax, [ebp+arg_18]
		push	eax
		mov	eax, [eax+4]
		call	eax
		mov	ecx, eax
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	loc_91B5A3
		mov	eax, 6972h
		cmp	[ecx], ax
		jz	loc_808770
		mov	edi, [ebp+arg_18]

loc_8083F8:				; CODE XREF: CmpWalkOneLevel+699j
		mov	eax, 686Ch
		cmp	[ecx], ax
		jnz	loc_808621
		mov	edx, [ebp+arg_C]
		mov	eax, [edx]
		mov	edi, [edx+4]
		xor	edx, edx
		mov	[ebp+var_1C], eax
		movzx	ebx, ax
		mov	[ebp+arg_14], edx
		test	ax, ax
		jz	short loc_808455
		dec	bx
		shr	bx, 1
		inc	bx
		movzx	ebx, bx

loc_808428:				; CODE XREF: CmpWalkOneLevel+330j
		movzx	eax, word ptr [edi]
		cmp	eax, 61h
		jb	short loc_80843F
		cmp	eax, 7Ah
		ja	loc_808727
		add	eax, 0FFFFFFE0h

loc_80843C:				; CODE XREF: CmpWalkOneLevel+611j
		movzx	eax, ax

loc_80843F:				; CODE XREF: CmpWalkOneLevel+30Ej
		imul	edx, 25h
		add	edi, 2
		movzx	eax, ax
		add	edx, eax
		mov	[ebp+arg_14], edx
		sub	ebx, 1
		jnz	short loc_808428
		mov	ecx, [ebp+var_28]

loc_808455:				; CODE XREF: CmpWalkOneLevel+2FCj
		xor	eax, eax
		mov	[ebp+var_18], 0FFFFFFFFh
		xor	edi, edi
		cmp	ax, [ecx+2]
		jnb	short loc_808484
		jmp	short loc_808470
; 
		align 10h

loc_808470:				; CODE XREF: CmpWalkOneLevel+346j
					; CmpWalkOneLevel+362j
		movzx	ebx, di
		cmp	edx, [ecx+ebx*8+8]
		jz	loc_808736

loc_80847D:				; CODE XREF: CmpWalkOneLevel+113471j
		inc	edi
		cmp	di, [ecx+2]
		jb	short loc_808470

loc_808484:				; CODE XREF: CmpWalkOneLevel+344j
		mov	edi, [ebp+arg_18]
		mov	ebx, 0C0000034h
		mov	[ebp+arg_14], ebx

loc_80848F:				; CODE XREF: CmpWalkOneLevel+52Ej
		lea	eax, [ebp+var_54]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	edi, [ebp+var_38]

loc_80849C:				; CODE XREF: CmpWalkOneLevel+67Ej
		mov	ecx, [ebp+arg_18]
		mov	eax, [ebp+var_30]

loc_8084A2:				; CODE XREF: CmpWalkOneLevel+2A4j
		inc	eax
		add	edi, 4
		mov	[ebp+var_30], eax
		mov	[ebp+var_38], edi
		cmp	eax, [ecx+98h]
		jb	loc_8083C0

loc_8084B8:				; CODE XREF: CmpWalkOneLevel+28Cj
					; CmpWalkOneLevel+546j	...
		mov	ecx, [ebp+var_14]
		mov	eax, [ecx+10h]
		lea	ecx, [ebp+var_4C]
		push	ecx
		push	eax
		mov	eax, [eax+8]
		call	eax
		cmp	ebx, 0C0000034h
		jnz	loc_80866B
		or	eax, 0FFFFFFFFh

loc_8084D7:				; CODE XREF: CmpWalkOneLevel+559j
		mov	ebx, [ebp+var_14]
		mov	edi, [ebp+var_C]

loc_8084DD:				; CODE XREF: CmpWalkOneLevel+756j
		cmp	word ptr [edi+22h], 0
		jnz	loc_808685
		cmp	[ebp+arg_1C], 0
		jnz	loc_808685
		mov	ecx, [ebp+arg_20]
		mov	[ebp+arg_14], 0C0000034h
		mov	al, [ecx+92h]
		cmp	al, 4
		jnb	short loc_80852C
		movzx	eax, al
		mov	dword ptr [ecx+eax*8+94h], 0C0000034h
		movzx	eax, byte ptr [ecx+92h]
		mov	dword ptr [ecx+eax*8+98h], 50600h
		inc	byte ptr [ecx+92h]

loc_80852C:				; CODE XREF: CmpWalkOneLevel+3E4j
					; CmpWalkOneLevel+602j	...
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		xor	edi, edi
		cmp	ax, [ecx+2]
		jg	short loc_808594
		lea	esp, [esp+0]

loc_808540:				; CODE XREF: CmpWalkOneLevel+472j
		movsx	ebx, di
		cmp	di, 2
		jge	loc_91B5DA
		mov	ebx, [ecx+ebx*4+4]

loc_808551:				; CODE XREF: CmpWalkOneLevel+1134C1j
		test	dword ptr [ebx+4], 80000h
		jnz	loc_91B5E6
		mov	[ebp+arg_1F], 0

loc_808562:				; CODE XREF: CmpWalkOneLevel+1134CAj
		mov	eax, large fs:124h
		lea	ecx, [ebx+1Ch]
		cmp	[ecx], eax
		jz	loc_91B5EF
		lock dec dword ptr [ecx]

loc_808576:				; CODE XREF: CmpWalkOneLevel+1134D6j
		lea	ecx, [ebx+18h]
		xor	edx, edx
		call	ExReleasePushLockEx
		cmp	[ebp+arg_1F], 0
		jnz	loc_91B5FB

loc_80858A:				; CODE XREF: CmpWalkOneLevel+1134E2j
					; CmpWalkOneLevel+1134EFj
		mov	ecx, [ebp+var_8]
		inc	edi
		cmp	di, [ecx+2]
		jle	short loc_808540

loc_808594:				; CODE XREF: CmpWalkOneLevel+417j
		mov	edx, [ebp+var_20]
		cmp	dx, word ptr [ebp+var_24]
		jg	short loc_80860A
		movsx	eax, dx
		lea	edi, ds:0FFFFFFF8h[eax*4]
		jmp	short loc_8085B0
; 
		align 10h

loc_8085B0:				; CODE XREF: CmpWalkOneLevel+487j
					; CmpWalkOneLevel+4E8j
		cmp	dx, 2
		jge	loc_91B614
		mov	ebx, [edi+ecx+0Ch]

loc_8085BE:				; CODE XREF: CmpWalkOneLevel+1134FAj
		mov	ebx, [ebx+10h]
		mov	ecx, ebx
		push	esi
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		xor	edx, edx
		lea	ecx, [eax+eax*2]
		mov	eax, [ebx+434h]
		mov	dword ptr [eax+ecx*4+4], 0
		lea	ecx, [eax+ecx*4]
		call	ExReleasePushLockEx
		or	ecx, 0FFFFFFFFh
		mov	eax, ecx
		lock xadd [ebx+9D8h], eax
		jz	loc_91B61F

loc_8085F7:				; CODE XREF: CmpWalkOneLevel+113506j
		mov	edx, [ebp+var_20]
		add	edi, 4
		mov	ecx, [ebp+var_8]
		inc	edx
		mov	[ebp+var_20], edx
		cmp	dx, word ptr [ebp+var_24]
		jle	short loc_8085B0

loc_80860A:				; CODE XREF: CmpWalkOneLevel+47Bj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_91B62B

loc_808615:				; CODE XREF: CmpWalkOneLevel+113512j
		mov	eax, [ebp+arg_14]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_808621:				; CODE XREF: CmpWalkOneLevel+2E0j
		lea	eax, [ebp+var_44]
		mov	edx, ecx
		push	eax
		lea	eax, [ebp+var_18]
		mov	ecx, edi
		push	eax
		push	0
		push	[ebp+arg_C]
		call	_CmpFindSubKeyInLeafWithStatus@24 ; CmpFindSubKeyInLeafWithStatus(x,x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+arg_14], ebx
		test	ebx, ebx
		jns	short loc_808648
		cmp	ebx, 0C0000034h
		jnz	short loc_80865C

loc_808648:				; CODE XREF: CmpWalkOneLevel+51Ej
		mov	eax, [ebp+var_18]

loc_80864B:				; CODE XREF: CmpWalkOneLevel+64Bj
		cmp	eax, 0FFFFFFFFh
		jz	loc_80848F
		mov	[ebp+var_3C], eax
		xor	ebx, ebx

loc_808659:				; CODE XREF: CmpWalkOneLevel+11347Ej
		mov	[ebp+arg_14], ebx

loc_80865C:				; CODE XREF: CmpWalkOneLevel+526j
		lea	eax, [ebp+var_54]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	loc_8084B8
; 

loc_80866B:				; CODE XREF: CmpWalkOneLevel+3AEj
		test	ebx, ebx
		js	loc_91B5C7
		mov	eax, [ebp+var_3C]
		cmp	eax, 0FFFFFFFFh
		jz	loc_8084D7
		mov	edi, [ebp+var_C]
		mov	ebx, [ebp+var_14]

loc_808685:				; CODE XREF: CmpWalkOneLevel+3C2j
					; CmpWalkOneLevel+3CCj
		lea	ecx, [ebp+var_34]
		mov	edx, eax
		push	ecx
		mov	ecx, [ebx+10h]
		push	esi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	0
		push	[ebp+var_10]
		push	ebx
		call	CmpCreateKeyControlBlock
		mov	ebx, eax
		mov	[ebp+arg_14], ebx
		test	ebx, ebx
		js	loc_91B5BC
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_80883F

loc_8086B8:				; CODE XREF: CmpWalkOneLevel+726j
		mov	eax, [ebp+arg_4]
		mov	ebx, [ebp+var_34]
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_40]
		inc	word ptr [eax+2]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_34], 0
		cmp	dx, 2
		jge	loc_91B5B0
		mov	[eax+ecx*4+4], ebx

loc_8086E0:				; CODE XREF: CmpWalkOneLevel+113497j
		movzx	eax, word ptr [edi+22h]
		mov	ecx, eax
		cmp	dx, ax
		jnz	loc_8088A4

loc_8086EF:				; CODE XREF: CmpWalkOneLevel+79Aj
		inc	edx
		mov	[ebp+var_2C], edx
		cmp	dx, cx
		jle	loc_8088BF

loc_8086FC:				; CODE XREF: CmpWalkOneLevel+1134B5j
		mov	al, [ebp+arg_1C]
		test	al, al
		jnz	loc_8087C4

loc_808707:				; CODE XREF: CmpWalkOneLevel+6A9j
		mov	eax, [ebp+arg_8]
		setnz	cl
		mov	[ebp+var_10], 0
		mov	[eax], cl
		mov	eax, [ebp+arg_0]
		mov	[ebp+arg_14], 0
		mov	[eax], ebx
		jmp	loc_80852C
; 

loc_808727:				; CODE XREF: CmpWalkOneLevel+313j
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	edx, [ebp+arg_14]
		jmp	loc_80843C
; 

loc_808736:				; CODE XREF: CmpWalkOneLevel+357j
		mov	eax, [ecx+ebx*8+4]
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_18]
		push	eax
		push	0
		call	_CmpDoCompareKeyName@16	; CmpDoCompareKeyName(x,x,x,x)
		cmp	eax, 2
		jz	loc_91B596
		test	eax, eax
		jnz	loc_91B58B
		mov	eax, [ebp+var_28]
		mov	edi, [ebp+arg_18]
		mov	eax, [eax+ebx*8+4]
		xor	ebx, ebx
		mov	[ebp+var_18], eax
		mov	[ebp+arg_14], ebx
		jmp	loc_80864B
; 

loc_808770:				; CODE XREF: CmpWalkOneLevel+2CFj
		lea	eax, [ebp+var_18]
		mov	edx, ecx
		mov	ecx, [ebp+arg_18]
		push	eax
		push	0
		push	[ebp+arg_C]
		call	_CmpFindSubKeyInRoot@20	; CmpFindSubKeyInRoot(x,x,x,x,x)
		test	eax, eax
		js	loc_91B596
		lea	eax, [ebp+var_54]
		push	eax
		mov	eax, [ebp+arg_18]
		push	eax
		mov	eax, [eax+8]
		call	eax
		mov	eax, [ebp+var_18]
		cmp	eax, 0FFFFFFFFh
		jz	loc_80849C
		mov	edi, [ebp+arg_18]
		lea	ecx, [ebp+var_54]
		push	ecx
		push	eax
		push	edi
		mov	eax, [edi+4]
		call	eax
		mov	ecx, eax
		mov	[ebp+var_28], eax
		test	ecx, ecx
		jnz	loc_8083F8
		jmp	loc_91B5A3
; 

loc_8087C4:				; CODE XREF: CmpWalkOneLevel+5E1j
		dec	[ebp+var_24]
		test	al, al
		jmp	loc_808707
; 

loc_8087CE:				; CODE XREF: CmpWalkOneLevel+E1j
		mov	edx, eax
		test	eax, eax
		jnz	loc_8081F0
		jmp	loc_91B4E7
; 
		align 10h

loc_8087E0:				; CODE XREF: CmpWalkOneLevel+51j
					; CmpWalkOneLevel+77Fj
		movsx	ebx, di
		cmp	di, 2
		jge	loc_91B4CF
		mov	ebx, [edx+ebx*4+4]

loc_8087F1:				; CODE XREF: CmpWalkOneLevel+1133B6j
		mov	ecx, [ebx+10h]
		push	esi
		call	CmpLockHashEntryShared
		push	[ebp+arg_C]
		mov	eax, [ebx+10h]
		mov	edx, ebx
		push	esi
		mov	ecx, eax
		mov	[ebp+arg_14], eax
		call	CmpFindKcbInHashEntryByName
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_808889
		mov	ecx, eax
		call	CmpReferenceKeyControlBlockLockNotHeld
		mov	ecx, [ebx+10h]
		push	esi
		call	_CmpUnlockHashEntry@8 ;	CmpUnlockHashEntry(x,x)
		mov	ebx, [ebp+var_10]
		mov	edx, ebx
		mov	ecx, [ebp+arg_4]
		call	_CmpPopulateKcbStack@8 ; CmpPopulateKcbStack(x,x)
		mov	ax, [ebx+22h]
		inc	ax
		movzx	ebx, ax
		jmp	loc_808183
; 

loc_80883F:				; CODE XREF: CmpWalkOneLevel+592j
		mov	ecx, eax
		call	CmpDereferenceKeyControlBlockUnsafe
		jmp	loc_8086B8
; 

loc_80884B:				; CODE XREF: CmpWalkOneLevel+185j
		dec	edi
		test	di, di
		jns	loc_808280

loc_808855:				; CODE XREF: CmpWalkOneLevel+14Ej
					; CmpWalkOneLevel+17Bj	...
		mov	edx, 50200h

loc_80885A:				; CODE XREF: CmpWalkOneLevel+113436j
					; CmpWalkOneLevel+113448j
		mov	[ebp+arg_14], 0C0000034h
		push	0C0000034h

loc_808866:				; CODE XREF: CmpWalkOneLevel+1134A2j
					; CmpWalkOneLevel+1134ADj
		mov	ecx, [ebp+arg_20]
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_80852C
; 

loc_808873:				; CODE XREF: CmpWalkOneLevel+21Dj
		or	eax, 0FFFFFFFFh
		jmp	loc_8084DD
; 

loc_80887B:				; CODE XREF: CmpWalkOneLevel+1E2j
		mov	ax, [eax+22h]
		inc	ax
		movzx	edx, ax
		jmp	loc_80830A
; 

loc_808889:				; CODE XREF: CmpWalkOneLevel+6F2j
		mov	ecx, [ebp+arg_14]
		push	esi
		call	_CmpUnlockHashEntry@8 ;	CmpUnlockHashEntry(x,x)
		mov	edx, [ebp+var_8]
		dec	edi
		test	di, di
		js	loc_808177
		jmp	loc_8087E0
; 

loc_8088A4:				; CODE XREF: CmpWalkOneLevel+5C9j
		mov	ecx, [ebp+var_14]
		push	esi
		mov	ecx, [ecx+10h]
		call	_CmpUnlockHashEntry@8 ;	CmpUnlockHashEntry(x,x)
		inc	[ebp+var_20]
		movzx	ecx, word ptr [edi+22h]
		mov	edx, [ebp+var_2C]
		jmp	loc_8086EF
; 

loc_8088BF:				; CODE XREF: CmpWalkOneLevel+5D6j
		mov	ebx, [ebp+var_8]
		jmp	loc_808320
; 

loc_8088C7:				; CODE XREF: CmpWalkOneLevel+190j
		mov	ebx, [ebx+4]
		lea	edx, [ebp+var_30]
		push	10h
		lea	ecx, [ebx+70h]
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jnz	loc_91B50C

loc_8088DF:				; CODE XREF: CmpWalkOneLevel+11340Aj
					; CmpWalkOneLevel+113421j
		mov	ebx, [ebp+var_8]
		jmp	loc_8082B6
; 

loc_8088E7:				; CODE XREF: CmpWalkOneLevel+248j
		lea	ecx, [ebp+var_4C]
		push	ecx
		push	eax
		mov	eax, [eax+8]
		call	eax
		mov	ecx, [ebx+10h]
		xor	edx, edx
		add	ecx, 24h
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebx+10h]
		lea	edx, [ebp+var_4C]
		mov	eax, [ebx+14h]
		push	edx
		push	eax
		mov	eax, [ecx+4]
		push	ecx
		call	eax
		mov	ecx, [ebx+10h]
		mov	edi, eax
		mov	eax, [ebx+14h]
		mov	edx, edi
		push	eax
		call	_CmpUpdateKeyNodeAccessBits@12 ; CmpUpdateKeyNodeAccessBits(x,x,x)
		mov	ebx, [ebx+10h]
		xor	edx, edx
		add	ebx, 24h
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_80893C
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_80893C:				; CODE XREF: CmpWalkOneLevel+813j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ebx, [ebp+var_14]
		jmp	loc_80836E
CmpWalkOneLevel	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCreateKeyControlBlock proc near	; CODE XREF: CmpWalkOneLevel+57Bp
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+10A7p ...

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 0091B637 SIZE 0000011C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1C], 0
		xor	eax, eax
		mov	[ebp+var_18], 0
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], edi
		test	byte ptr [edi+64h], 20h
		mov	[ebp+var_1C], 0FFFFFFFFh
		mov	word ptr [ebp+var_18], ax
		jnz	loc_808E1F

loc_808988:				; CODE XREF: CmpCreateKeyControlBlock+4DBj
		mov	esi, [ebp+arg_14]
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 0
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		lea	ecx, [eax+eax*2]
		mov	eax, [edi+434h]
		mov	edi, [eax+ecx*4+8]
		mov	ecx, [ebp+arg_0]
		test	edi, edi
		jnz	loc_808DA4

loc_8089B9:				; CODE XREF: CmpCreateKeyControlBlock+461j
					; CmpCreateKeyControlBlock+534j
		test	ebx, ebx
		jnz	loc_808E89
		xor	edi, edi
		mov	eax, ecx
		test	ecx, ecx
		jz	short loc_8089F7
		lea	esp, [esp+0]

loc_8089D0:				; CODE XREF: CmpCreateKeyControlBlock+A5j
		test	dword ptr [eax+68h], 40000h
		jnz	loc_808D92

loc_8089DD:				; CODE XREF: CmpCreateKeyControlBlock+447j
		mov	ecx, [eax+28h]
		test	byte ptr [ecx],	1
		movzx	edx, word ptr [ecx+0Ch]
		jz	short loc_8089EB
		add	edx, edx

loc_8089EB:				; CODE XREF: CmpCreateKeyControlBlock+97j
		mov	eax, [eax+24h]
		add	edi, 2
		add	edi, edx

loc_8089F3:				; CODE XREF: CmpCreateKeyControlBlock+44Fj
		test	eax, eax
		jnz	short loc_8089D0

loc_8089F7:				; CODE XREF: CmpCreateKeyControlBlock+77j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		add	eax, 2
		add	eax, edi
		cmp	eax, 0FFFFh
		ja	loc_91B667
		mov	[ebp+var_10], offset _CmPerfCounters
		mov	esi, [ebp+var_10]
		jmp	short loc_808A20
; 
		align 10h

loc_808A20:				; CODE XREF: CmpCreateKeyControlBlock+C7j
					; CmpCreateKeyControlBlock+F2j	...
		mov	edi, ds:_CmPerfCounters
		mov	ebx, edi
		mov	edx, ds:dword_A94394
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_10], edx
		adc	ecx, 0
		mov	eax, edi
		nop
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		jnz	short loc_808A20
		cmp	edx, [ebp+var_10]
		jnz	short loc_808A20
		inc	dword_6F9D8C
		mov	ecx, offset _CmpKcbLookaside
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, [ebp+arg_14]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_808DC0

loc_808A67:				; CODE XREF: CmpCreateKeyControlBlock+49Aj
		mov	[ebp+var_10], offset dword_A943B0
		mov	esi, [ebp+var_10]

loc_808A71:				; CODE XREF: CmpCreateKeyControlBlock+143j
					; CmpCreateKeyControlBlock+148j
		mov	edi, ds:dword_A943B0
		mov	ebx, edi
		mov	edx, ds:dword_A943B4
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_10], edx
		adc	ecx, 0
		mov	eax, edi
		nop
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		jnz	short loc_808A71
		cmp	edx, [ebp+var_10]
		jnz	short loc_808A71
		mov	ebx, [ebp+var_C]
		push	0B0h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	esi, [ebp+arg_14]
		add	esp, 0Ch
		test	ebx, ebx
		jz	loc_91B6B0
		lea	eax, [ebx+40h]
		mov	[eax+4], eax
		lea	edi, [ebx+18h]
		mov	[eax], eax
		lea	edx, [ebp+arg_10]
		mov	eax, [ebp+var_8]
		mov	dword ptr [ebx+48h], 0
		mov	dword ptr [ebx+4Ch], 0
		mov	dword ptr [ebx+50h], 0
		mov	dword ptr [ebx+54h], 0
		mov	[ebx+10h], eax
		mov	eax, [ebp+var_14]
		mov	[ebx+14h], eax
		lea	eax, [ebx+70h]
		mov	dword ptr [ebx], 1
		mov	[ebx+8], esi
		mov	dword ptr [edi], 0
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+78h]
		push	ecx
		mov	ecx, [ebp+arg_C]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	dword ptr [ebx+80h], 0
		mov	dword ptr [ebx+84h], 0
		mov	dword ptr [ebx+88h], 0
		mov	dword ptr [ebx+8Ch], 0
		mov	dword ptr [ebx+90h], 0
		mov	dword ptr [ebx+94h], 0
		mov	dword ptr [ebx+98h], 0FFFFFFFFh
		mov	dword ptr [ebx+9Ch], 0
		call	CmpGetNameControlBlock
		mov	[ebx+28h], eax
		test	eax, eax
		jz	loc_91B6B7
		mov	ecx, [ebx+14h]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_808DF5
		mov	eax, [ebx+10h]
		lea	edx, [ebp+var_1C]
		push	edx
		push	ecx
		push	eax
		mov	eax, [eax+4]
		call	eax
		mov	esi, eax
		mov	eax, [ebx+10h]
		test	dword ptr [eax+64h], 8001h
		jnz	short loc_808BA8
		mov	cl, _CmpAccessBitForPhase
		test	[esi+0Ch], cl
		jz	loc_808EA2

loc_808BA8:				; CODE XREF: CmpCreateKeyControlBlock+247j
					; CmpCreateKeyControlBlock+5A8j
		mov	al, [esi+0Dh]
		xor	edx, edx
		and	al, 3
		mov	[ebx+21h], al
		mov	ecx, [esi+28h]
		mov	eax, [esi+24h]
		mov	[ebx+34h], ecx
		mov	[ebx+30h], eax
		movzx	eax, word ptr [esi+2]
		mov	[ebx+6Ah], ax
		mov	eax, [esi+18h]
		add	eax, [esi+14h]
		mov	[ebx+3Ch], eax
		mov	eax, [esi+4]
		mov	[ebx+58h], eax
		mov	eax, [esi+8]
		mov	[ebx+5Ch], eax
		movzx	eax, word ptr [esi+34h]
		mov	[ebx+60h], ax
		movzx	eax, word ptr [esi+3Ch]
		mov	[ebx+62h], ax
		mov	eax, [esi+40h]
		mov	[ebx+64h], eax
		movzx	eax, word ptr [esi+36h]
		xor	eax, [ebx+68h]
		and	eax, 0Fh
		xor	[ebx+68h], eax
		mov	eax, [ebx+68h]
		movzx	ecx, word ptr [esi+36h]
		xor	ecx, eax
		and	ecx, 0F0h
		xor	ecx, eax
		mov	[ebx+68h], ecx
		mov	ecx, edi
		mov	al, [esi+37h]
		push	1
		mov	[ebx+69h], al
		call	KeAbPreAcquire
		lock bts dword ptr [edi], 0
		jb	loc_91B6BE
		test	eax, eax
		jz	short loc_808C34
		or	byte ptr [eax+0Eh], 1

loc_808C34:				; CODE XREF: CmpCreateKeyControlBlock+2DEj
		mov	eax, large fs:124h
		mov	[ebx+1Ch], eax

loc_808C3D:				; CODE XREF: CmpCreateKeyControlBlock+112D70j
					; CmpCreateKeyControlBlock+112D7Fj
		mov	edi, [esi+2Ch]
		mov	[ebp+var_10], 0
		mov	byte ptr [ebp+arg_C+3],	1
		cmp	edi, 0FFFFFFFFh
		jz	loc_808F47
		mov	esi, [ebx+10h]
		xor	edx, edx
		lea	eax, [esi+484h]
		mov	ecx, eax
		mov	[ebp+arg_14], eax
		call	ExAcquirePushLockSharedEx
		lea	eax, [ebp+var_10]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	_CmpFindSecurityCellCacheIndex@12 ; CmpFindSecurityCellCacheIndex(x,x,x)
		test	al, al
		jz	loc_91B6D4
		mov	edx, [esi+4CCh]
		mov	eax, [ebp+var_10]
		mov	eax, [edx+eax*8+4]

loc_808C8B:				; CODE XREF: CmpCreateKeyControlBlock+112D8Aj
		mov	[ebx+2Ch], eax
		xor	edx, edx
		mov	ecx, [ebp+arg_14]
		call	ExReleasePushLockEx
		cmp	byte ptr [ebp+arg_C+3],	0
		jz	loc_91B6DF

loc_808CA2:				; CODE XREF: CmpCreateKeyControlBlock+5FEj
		test	dword ptr [ebx+4], 80000h
		jnz	loc_91B6FD
		mov	byte ptr [ebp+arg_C+3],	0

loc_808CB3:				; CODE XREF: CmpCreateKeyControlBlock+112DB1j
		mov	eax, large fs:124h
		lea	ecx, [ebx+1Ch]
		cmp	[ecx], eax
		jnz	loc_808F65
		mov	dword ptr [ebx+1Ch], 0

loc_808CCB:				; CODE XREF: CmpCreateKeyControlBlock+618j
		xor	edx, edx
		lea	ecx, [ebx+18h]
		call	ExReleasePushLockEx
		cmp	byte ptr [ebp+arg_C+3],	0
		jnz	loc_91B706

loc_808CDF:				; CODE XREF: CmpCreateKeyControlBlock+112DBDj
					; CmpCreateKeyControlBlock+112DCAj
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		mov	eax, [eax+8]
		call	eax
		mov	ecx, [ebp+arg_0]

loc_808CEF:				; CODE XREF: CmpCreateKeyControlBlock+4BFj
					; CmpCreateKeyControlBlock+4CAj
		test	ecx, ecx
		jz	loc_808F53
		mov	eax, 1
		lock xadd [ecx], eax
		inc	eax
		jz	loc_91B728
		cmp	eax, 1
		jz	loc_91B736
		test	dword ptr [ebx+68h], 40000h
		mov	[ebx+24h], ecx
		jnz	loc_808E36
		mov	eax, [ecx+4]
		add	eax, 200000h
		xor	eax, [ebx+4]
		and	eax, 7FE00000h
		xor	eax, [ebx+4]

loc_808D33:				; CODE XREF: CmpCreateKeyControlBlock+4F4j
					; CmpCreateKeyControlBlock+610j
		mov	edi, [ebp+arg_4]
		mov	[ebx+4], eax
		test	edi, edi
		jnz	loc_808EFD

loc_808D41:				; CODE XREF: CmpCreateKeyControlBlock+5E2j
		mov	eax, [ebx+8]
		lea	edi, [ebx+8]
		mov	esi, [ebx+10h]
		mov	ecx, esi
		push	eax
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		lea	ecx, [eax+eax*2]
		mov	eax, [esi+434h]
		lea	ecx, [eax+ecx*4]
		mov	eax, [ecx+8]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_8]
		mov	[ecx+8], edi
		cmp	byte ptr [eax+6DCh], 1
		jz	short loc_808DB9

loc_808D73:				; CODE XREF: CmpCreateKeyControlBlock+46Ej
		cmp	ds:_CmpTraceRoutine, 0
		jnz	loc_91B745

loc_808D80:				; CODE XREF: CmpCreateKeyControlBlock+112DFEj
		mov	eax, [ebp+arg_18]
		xor	esi, esi
		mov	[eax], ebx

loc_808D87:				; CODE XREF: CmpCreateKeyControlBlock+112CECj
					; CmpCreateKeyControlBlock+112D1Ej ...
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_808D92:				; CODE XREF: CmpCreateKeyControlBlock+87j
		mov	ecx, [eax+24h]
		test	ecx, ecx
		jz	loc_8089DD
		mov	eax, ecx
		jmp	loc_8089F3
; 

loc_808DA4:				; CODE XREF: CmpCreateKeyControlBlock+63j
					; CmpCreateKeyControlBlock+467j
		cmp	[edi], esi
		jz	loc_808E49

loc_808DAC:				; CODE XREF: CmpCreateKeyControlBlock+502j
					; CmpCreateKeyControlBlock+112D12j
		mov	edi, [edi+4]
		test	edi, edi
		jz	loc_8089B9
		jmp	short loc_808DA4
; 

loc_808DB9:				; CODE XREF: CmpCreateKeyControlBlock+421j
		or	word ptr [ebx+4], 20h
		jmp	short loc_808D73
; 

loc_808DC0:				; CODE XREF: CmpCreateKeyControlBlock+111j
		mov	eax, dword_6F9DA0
		inc	dword_6F9D90
		push	offset _CmpKcbLookaside
		push	eax
		mov	eax, dword_6F9DA4
		push	eax
		mov	eax, dword_6F9D9C
		push	eax
		call	dword_6F9DA8
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jnz	loc_808A67
		jmp	loc_91B6B0
; 

loc_808DF5:				; CODE XREF: CmpCreateKeyControlBlock+227j
		mov	ecx, [ebp+arg_0]
		mov	al, [ecx+21h]
		cmp	al, 1
		jz	loc_91B71F
		cmp	al, 3
		jz	loc_91B71F

loc_808E0B:				; CODE XREF: CmpCreateKeyControlBlock+112DD3j
		test	[ebp+arg_8], 1
		jz	loc_808CEF
		or	word ptr [ebx+6Ah], 4
		jmp	loc_808CEF
; 

loc_808E1F:				; CODE XREF: CmpCreateKeyControlBlock+32j
		mov	eax, large fs:124h
		cmp	[edi+9ACh], eax
		jz	loc_808988
		jmp	loc_91B637
; 

loc_808E36:				; CODE XREF: CmpCreateKeyControlBlock+3CAj
		mov	eax, [ebx+4]
		xor	eax, [ecx+4]
		and	eax, 7FE00000h
		xor	eax, [ebx+4]
		jmp	loc_808D33
; 

loc_808E49:				; CODE XREF: CmpCreateKeyControlBlock+456j
		lea	eax, [edi-8]
		mov	[ebp+var_10], eax
		cmp	[eax+24h], ecx
		jnz	loc_808DAC
		mov	eax, [eax+28h]
		push	2
		test	byte ptr [eax],	1
		lea	edx, [eax+0Eh]
		movzx	ecx, word ptr [eax+0Ch]
		jz	loc_91B641
		push	ecx
		mov	ecx, [ebp+arg_C]
		call	_CmpCompareCompressedName@16 ; CmpCompareCompressedName(x,x,x,x)
		test	eax, eax
		jnz	loc_91B65F

loc_808E7E:				; CODE XREF: CmpCreateKeyControlBlock+112D09j
		mov	ebx, [ebp+var_10]
		mov	ecx, [ebp+arg_0]
		jmp	loc_8089B9
; 

loc_808E89:				; CODE XREF: CmpCreateKeyControlBlock+6Bj
		mov	ecx, ebx
		call	CmpReferenceKeyControlBlockLockNotHeld
		mov	eax, [ebp+arg_18]
		xor	esi, esi
		pop	edi
		mov	[eax], ebx
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_808EA2:				; CODE XREF: CmpCreateKeyControlBlock+252j
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		mov	eax, [eax+8]
		call	eax
		mov	ecx, [ebx+10h]
		xor	edx, edx
		add	ecx, 24h
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebx+10h]
		lea	edx, [ebp+var_1C]
		mov	eax, [ebx+14h]
		push	edx
		push	eax
		mov	eax, [ecx+4]
		push	ecx
		call	eax
		mov	ecx, [ebx+10h]
		mov	esi, eax
		mov	eax, [ebx+14h]
		mov	edx, esi
		push	eax
		call	_CmpUpdateKeyNodeAccessBits@12 ; CmpUpdateKeyNodeAccessBits(x,x,x)
		mov	ecx, [ebx+10h]
		xor	edx, edx
		add	ecx, 24h
		mov	eax, 11h
		mov	[ebp+arg_C], ecx
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	short loc_808F3D

loc_808EF3:				; CODE XREF: CmpCreateKeyControlBlock+5F5j
		call	KeAbPostRelease
		jmp	loc_808BA8
; 

loc_808EFD:				; CODE XREF: CmpCreateKeyControlBlock+3EBj
		lea	ecx, [edi+18h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, ebx
		mov	[edi+1Ch], eax
		call	CmpTryToLockKcbExclusive
		mov	edx, ebx
		mov	ecx, edi
		call	_CmpCreateLayerLink@8 ;	CmpCreateLayerLink(x,x)
		mov	ecx, ebx
		mov	esi, eax
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	ecx, edi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		test	esi, esi
		jns	loc_808D41
		jmp	loc_91B66C
; 

loc_808F3D:				; CODE XREF: CmpCreateKeyControlBlock+5A1j
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+arg_C]
		jmp	short loc_808EF3
; 

loc_808F47:				; CODE XREF: CmpCreateKeyControlBlock+2FEj
		mov	dword ptr [ebx+2Ch], 0
		jmp	loc_808CA2
; 

loc_808F53:				; CODE XREF: CmpCreateKeyControlBlock+3A1j
		mov	eax, [ebx+4]
		and	eax, 803FFFFFh
		or	eax, 200000h
		jmp	loc_808D33
; 

loc_808F65:				; CODE XREF: CmpCreateKeyControlBlock+36Ej
		lock dec dword ptr [ecx]
		jmp	loc_808CCB
CmpCreateKeyControlBlock endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetNameControlBlock proc near	; CODE XREF: CmpCreateKeyControlBlock+211p
					; CmRenameKey(x,x,x,x)+A73p

var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 0091B753 SIZE 000000FA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], ebx
		push	esi
		push	edi
		test	edx, edx
		jz	loc_91B753
		mov	esi, [edx]

loc_808F8A:				; CODE XREF: CmpGetNameControlBlock+1127EAj
		movzx	edx, word ptr [ebx]
		mov	edi, 0
		movzx	ecx, dx
		mov	ax, cx
		mov	[ebp+var_C], esi
		shr	ax, 1
		mov	ebx, ecx
		shr	ebx, 1
		movzx	eax, ax
		mov	[ebp+var_1], 1
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], eax
		jz	short loc_808FDE
		mov	eax, [ebp+var_8]
		mov	ecx, 0FFh
		mov	esi, [eax+4]
		lea	esp, [esp+0]

loc_808FC0:				; CODE XREF: CmpGetNameControlBlock+69j
		movzx	eax, word ptr [esi+edi*2]
		cmp	eax, 61h
		jnb	loc_8090F3

loc_808FCD:				; CODE XREF: CmpGetNameControlBlock+18Ej
					; CmpGetNameControlBlock+1FAj
		cmp	ax, cx
		ja	loc_91B75F

loc_808FD6:				; CODE XREF: CmpGetNameControlBlock+1127F9j
		inc	edi
		cmp	edi, ebx
		jb	short loc_808FC0
		mov	esi, [ebp+var_C]

loc_808FDE:				; CODE XREF: CmpGetNameControlBlock+3Fj
		mov	ebx, esi
		xor	edx, edx
		shr	ebx, 9
		xor	ebx, esi
		imul	eax, ebx, 18AA3h
		mov	edi, eax
		shr	edi, 9
		mov	ecx, edi
		xor	ecx, eax
		and	ecx, 7FFh
		shl	ecx, 3
		mov	[ebp+var_28], ecx
		add	ecx, _CmpNameCacheTable
		call	ExAcquirePushLockExclusiveEx
		imul	eax, ebx, 2A3h
		xor	eax, edi
		and	eax, 7FFh
		lea	ecx, ds:0[eax*8]
		mov	eax, _CmpNameCacheTable
		mov	[ebp+var_24], ecx
		mov	edi, [ecx+eax+4]
		test	edi, edi
		jz	short loc_809043

loc_809031:				; CODE XREF: CmpGetNameControlBlock+D1j
		lea	ebx, [edi-4]
		cmp	esi, [edi]
		jz	loc_80910C

loc_80903C:				; CODE XREF: CmpGetNameControlBlock+1A4j
					; CmpGetNameControlBlock+1CEj ...
		mov	edi, [edi+4]
		test	edi, edi
		jnz	short loc_809031

loc_809043:				; CODE XREF: CmpGetNameControlBlock+BFj
		mov	eax, [ebp+var_10]
		mov	ecx, 1
		movzx	edi, ax
		push	624E4D43h
		mov	[ebp+var_18], edi
		lea	edx, [edi+0Eh]
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_20], ebx
		test	ebx, ebx
		jz	loc_91B7E2
		lea	eax, [edi+0Eh]
		push	eax		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebx]
		add	esp, 0Ch
		cmp	[ebp+var_1], 0
		jz	loc_91B7FF
		or	eax, 1
		xor	edi, edi
		mov	[ebx], eax
		cmp	[ebp+var_18], edi
		jbe	short loc_8090B0
		mov	esi, [ebp+var_18]

loc_809095:				; CODE XREF: CmpGetNameControlBlock+13Bj
		mov	eax, [ebp+var_8]
		mov	eax, [eax+4]
		movzx	eax, word ptr [eax+edi*2]
		cmp	eax, 61h
		jnb	short loc_809103

loc_8090A4:				; CODE XREF: CmpGetNameControlBlock+19Aj
					; CmpGetNameControlBlock+206j
		mov	[ebx+edi+0Eh], al
		inc	edi
		cmp	edi, esi
		jb	short loc_809095

loc_8090AD:				; CODE XREF: CmpGetNameControlBlock+1128D8j
		mov	esi, [ebp+var_C]

loc_8090B0:				; CODE XREF: CmpGetNameControlBlock+120j
					; CmpGetNameControlBlock+112896j
		mov	eax, [ebx]
		lea	edx, [ebx+4]
		mov	ecx, [ebp+var_24]
		and	eax, 1
		or	eax, 2
		mov	[edx], esi
		add	ecx, _CmpNameCacheTable
		mov	[ebx], eax
		mov	eax, [ebp+var_10]
		mov	[ebx+0Ch], ax
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		mov	[ecx+4], edx

loc_8090D8:				; CODE XREF: CmpGetNameControlBlock+1E6j
					; CmpGetNameControlBlock+20Dj
		mov	ecx, [ebp+var_28]
		xor	edx, edx
		add	ecx, _CmpNameCacheTable
		call	ExReleasePushLockEx
		mov	eax, ebx

loc_8090EA:				; CODE XREF: CmpGetNameControlBlock+11288Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_8090F3:				; CODE XREF: CmpGetNameControlBlock+57j
		cmp	eax, 7Ah
		ja	short loc_809158
		add	eax, 0FFFFFFE0h
		movzx	eax, ax
		jmp	loc_808FCD
; 

loc_809103:				; CODE XREF: CmpGetNameControlBlock+132j
		cmp	eax, 7Ah
		ja	short loc_80916F
		sub	al, 20h
		jmp	short loc_8090A4
; 

loc_80910C:				; CODE XREF: CmpGetNameControlBlock+C6j
		movzx	eax, word ptr [ebx+0Ch]
		cmp	word ptr [ebp+var_10], ax
		jnz	loc_80903C
		mov	ecx, [ebx]
		lea	edx, [ebx+0Eh]
		mov	[ebp+var_20], ecx
		test	cl, 1
		jz	loc_91B76E
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_8]
		movzx	eax, ax
		push	2
		push	eax
		call	_CmpCompareCompressedName@16 ; CmpCompareCompressedName(x,x,x,x)
		test	eax, eax
		jnz	loc_80903C
		mov	ecx, [ebp+var_20]

loc_809147:				; CODE XREF: CmpGetNameControlBlock+112816j
					; CmpGetNameControlBlock+11286Dj
		mov	eax, ecx
		and	eax, 0FFFFFFFEh
		cmp	eax, 0FFFFFFFEh
		jz	short loc_80917B
		lea	eax, [ecx+2]
		mov	[ebx], eax
		jmp	short loc_8090D8
; 

loc_809158:				; CODE XREF: CmpGetNameControlBlock+186j
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	edx, [ebp+var_18]
		mov	ecx, 0FFh
		movzx	eax, ax
		jmp	loc_808FCD
; 

loc_80916F:				; CODE XREF: CmpGetNameControlBlock+196j
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		jmp	loc_8090A4
; 

loc_80917B:				; CODE XREF: CmpGetNameControlBlock+1DFj
		xor	ebx, ebx
		jmp	loc_8090D8
CmpGetNameControlBlock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLockTwoKcbsShared(x, x)
_CmpLockTwoKcbsShared@8	proc near	; CODE XREF: CmQueryMultipleValueKey+A1p
					; NtNotifyChangeMultipleKeys+4B2p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jnz	short loc_8091B1
		test	edi, edi
		jz	short loc_8091AD
		lea	ecx, [edi+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [edi+1Ch]

loc_8091AD:				; CODE XREF: CmpLockTwoKcbsShared(x,x)+1Bj
					; CmpLockTwoKcbsShared(x,x)+66j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_8091B1:				; CODE XREF: CmpLockTwoKcbsShared(x,x)+17j
		test	edi, edi
		jz	short loc_8091DA
		cmp	esi, edi
		jz	short loc_8091DA
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	CmpGetCorrectKcbLockOrder
		mov	esi, [ebp+var_4]
		xor	edx, edx
		lea	ecx, [esi+18h]
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [esi+1Ch]
		mov	esi, [ebp+var_8]

loc_8091DA:				; CODE XREF: CmpLockTwoKcbsShared(x,x)+31j
					; CmpLockTwoKcbsShared(x,x)+35j
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [esi+1Ch]
		jmp	short loc_8091AD
_CmpLockTwoKcbsShared@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFindSubKeyByNumberEx	proc near	; CODE XREF: CmEnumerateKey+14Fp
					; CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+100p ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 0091B84D SIZE 00000243 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_34], 0FFFFFFFFh
		push	esi
		push	edi
		mov	[ebp+var_C], eax
		mov	esi, ecx
		mov	[ebp+var_30], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [esi+4]
		push	edx
		push	esi
		call	eax
		mov	edi, eax
		test	edi, edi
		jz	loc_91B84D
		mov	eax, [ebp+arg_4]
		mov	ebx, [ebp+arg_18]
		mov	dword ptr [eax], 0FFFFFFFFh
		test	ebx, ebx
		jnz	short loc_809278

loc_809237:				; CODE XREF: CmpFindSubKeyByNumberEx+8Ej
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	short loc_809280

loc_80923E:				; CODE XREF: CmpFindSubKeyByNumberEx+98j
		push	eax
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, esi
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		mov	edx, eax
		xor	ecx, ecx
		mov	[ebp+var_C], edx

loc_809252:				; CODE XREF: CmpFindSubKeyByNumberEx:loc_91B9CFj
					; CmpFindSubKeyByNumberEx+11287Dj
		test	ebx, ebx
		jnz	short loc_80928F

loc_809256:				; CODE XREF: CmpFindSubKeyByNumberEx+A7j
		test	ecx, ecx
		jnz	loc_91BA80

loc_80925E:				; CODE XREF: CmpFindSubKeyByNumberEx+E5j
					; CmpFindSubKeyByNumberEx+11289Bj
		test	edi, edi
		jz	short loc_8092D7
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [esi+8]
		push	esi
		call	eax
		mov	eax, [ebp+var_C]

loc_80926F:				; CODE XREF: CmpFindSubKeyByNumberEx+E9j
					; CmpFindSubKeyByNumberEx+112662j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_809278:				; CODE XREF: CmpFindSubKeyByNumberEx+45j
		mov	dword ptr [ebx], 0
		jmp	short loc_809237
; 

loc_809280:				; CODE XREF: CmpFindSubKeyByNumberEx+4Cj
		add	ecx, 70h
		mov	[ebp+var_2C], ecx
		cmp	[ecx], ecx
		jz	short loc_80923E
		jmp	loc_91B857
; 

loc_80928F:				; CODE XREF: CmpFindSubKeyByNumberEx+64j
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_809256
		test	ecx, ecx
		jnz	short loc_8092D3
		test	edi, edi
		jz	short loc_8092B2
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [esi+8]
		push	esi
		call	eax
		mov	eax, [ebp+arg_4]
		xor	edi, edi
		mov	eax, [eax]

loc_8092B2:				; CODE XREF: CmpFindSubKeyByNumberEx+AFj
		mov	edx, [ebp+arg_C]
		lea	ecx, [ebp+var_10]
		push	ecx
		mov	ecx, [ebp+arg_8]
		push	eax
		push	esi
		call	CmpFindSubkeyInHashByChildCell
		mov	ecx, [ebp+var_10]
		mov	edx, eax
		mov	[ebp+var_C], edx
		test	edx, edx
		js	loc_91BA72

loc_8092D3:				; CODE XREF: CmpFindSubKeyByNumberEx+ABj
					; CmpFindSubKeyByNumberEx+11288Bj
		mov	[ebx], ecx
		jmp	short loc_80925E
; 

loc_8092D7:				; CODE XREF: CmpFindSubKeyByNumberEx+70j
					; CmpFindSubKeyByNumberEx+112768j
		mov	eax, edx
		jmp	short loc_80926F
CmpFindSubKeyByNumberEx	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindSubKeyByNumber(x, x,	x, x)
_CmpFindSubKeyByNumber@16 proc near	; CODE XREF: CmDeleteLayeredKey(x,x,x)+285p
					; CmDeleteLayeredKey(x,x,x)+34Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	dword ptr [eax], 0FFFFFFFFh
		mov	esi, ecx
		mov	eax, [edx+14h]
		mov	[ebp+var_8], 0FFFFFFFFh
		mov	[ebp+var_4], 0
		push	edi
		cmp	ebx, eax
		jnb	short loc_80934A
		mov	eax, [edx+1Ch]

loc_809311:				; CODE XREF: CmpFindSubKeyByNumber(x,x,x,x)+7Dj
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		mov	eax, [esi+4]
		push	esi
		call	eax
		mov	edi, eax
		test	edi, edi
		jz	short loc_80935F
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	CmpDoFindSubKeyByNumber
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		test	edi, edi
		jz	short loc_80933F
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, [esi+8]
		push	esi
		call	ecx

loc_80933F:				; CODE XREF: CmpFindSubKeyByNumber(x,x,x,x)+53j
					; CmpFindSubKeyByNumber(x,x,x,x)+71j ...
		xor	eax, eax

loc_809341:				; CODE XREF: CmpFindSubKeyByNumber(x,x,x,x)+84j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_80934A:				; CODE XREF: CmpFindSubKeyByNumber(x,x,x,x)+2Cj
		cmp	dword ptr [esi+98h], 1
		jbe	short loc_80933F
		sub	ebx, eax
		cmp	ebx, [edx+18h]
		jnb	short loc_80933F
		mov	eax, [edx+20h]
		jmp	short loc_809311
; 

loc_80935F:				; CODE XREF: CmpFindSubKeyByNumber(x,x,x,x)+40j
		mov	eax, 0C000009Ah
		jmp	short loc_809341
_CmpFindSubKeyByNumber@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpUnlockTwoKcbs proc near		; CODE XREF: CmQueryMultipleValueKey+31Fp
					; NtNotifyChangeMultipleKeys+591p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0091BA90 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	[ebp+var_8], 0
		mov	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		test	ecx, ecx
		jnz	short loc_8093C5
		test	esi, esi
		jz	short loc_8093C0
		test	dword ptr [esi+4], 80000h
		push	ebx
		jnz	short loc_8093EF
		xor	bl, bl

loc_80939D:				; CODE XREF: CmpUnlockTwoKcbs+81j
		mov	eax, large fs:124h
		lea	ecx, [esi+1Ch]
		cmp	[ecx], eax
		jz	short loc_8093F3
		lock dec dword ptr [ecx]

loc_8093AD:				; CODE XREF: CmpUnlockTwoKcbs+8Aj
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExReleasePushLockEx
		test	bl, bl
		pop	ebx
		jnz	loc_91BA90

loc_8093C0:				; CODE XREF: CmpUnlockTwoKcbs+1Fj
					; CmpUnlockTwoKcbs+112727j ...
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8093C5:				; CODE XREF: CmpUnlockTwoKcbs+1Bj
		test	esi, esi
		jz	short loc_8093E5
		cmp	ecx, esi
		jz	short loc_8093E5
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	CmpGetCorrectKcbLockOrder
		mov	ecx, [ebp+var_4]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	ecx, [ebp+var_8]

loc_8093E5:				; CODE XREF: CmpUnlockTwoKcbs+57j
					; CmpUnlockTwoKcbs+5Bj
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8093EF:				; CODE XREF: CmpUnlockTwoKcbs+29j
		mov	bl, 1
		jmp	short loc_80939D
; 

loc_8093F3:				; CODE XREF: CmpUnlockTwoKcbs+38j
		mov	dword ptr [esi+1Ch], 0
		jmp	short loc_8093AD
CmpUnlockTwoKcbs endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpPerformKeyBodyDeletionCheck proc near
					; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+102p
					; CmpDoQueryKeyName+FDp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0091BAA9 SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], 0
		mov	esi, edx
		mov	eax, [edi+1Ch]
		mov	ecx, [edi+8]
		test	al, 9
		jnz	loc_91BAE0
		test	esi, esi
		jnz	short loc_80942F

loc_809426:				; CODE XREF: CmpPerformKeyBodyDeletionCheck+40j
					; CmpPerformKeyBodyDeletionCheck+1126C6j ...
		xor	eax, eax

loc_809428:				; CODE XREF: CmpPerformKeyBodyDeletionCheck+1126F3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_80942F:				; CODE XREF: CmpPerformKeyBodyDeletionCheck+24j
		lea	ebx, [ecx+70h]
		push	10h
		lea	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jz	short loc_809426
		jmp	loc_91BAA9
CmpPerformKeyBodyDeletionCheck endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtEnumerateKey	proc near		; CODE XREF: AdtpObjsInitialize+169p
					; AdtpObjsInitialize+1A6p ...

var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= byte ptr -94h
var_93		= byte ptr -93h
var_92		= byte ptr -92h
var_91		= byte ptr -91h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0091BAF8 SIZE 000000AB BYTES
; FUNCTION CHUNK AT 0091BBD1 SIZE 00000019 BYTES
; FUNCTION CHUNK AT 0091BC18 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A55D8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0E0h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, [ebp+arg_0]
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_A4], eax
		mov	ebx, [ebp+arg_14]
		mov	[ebp+var_EC], 0
		push	4Ch		; size_t
		push	0		; int
		lea	eax, [ebp+var_90]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		xor	edi, edi
		mov	[ebp+var_98], edi
		mov	[ebp+var_A8], edi
		cmp	ds:_CmpTraceRoutine, eax
		jnz	loc_91BAF8

loc_8094EB:				; CODE XREF: NtEnumerateKey+1126B5j
		mov	[ebp+var_92], 0
		mov	[ebp+var_93], 0
		xor	eax, eax
		mov	[ebp+var_E8], eax
		mov	[ebp+var_E4], eax
		mov	[ebp+var_E0], eax
		mov	[ebp+var_DC], eax
		mov	[ebp+var_D8], eax
		mov	[ebp+var_D4], eax
		mov	[ebp+var_D0], eax
		mov	[ebp+var_CC], eax
		mov	[ebp+var_C8], eax
		mov	[ebp+var_9C], eax
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_B4], eax
		mov	[ebp+var_B8], eax
		mov	[ebp+var_AC], edi
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_94], al
		test	al, al
		jz	loc_91BB0A
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	loc_8097E1

loc_809573:				; CODE XREF: NtEnumerateKey+394j
					; NtEnumerateKey+1126C7j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_91], al
		mov	byte ptr [ebp+var_BC], al
		push	0
		lea	eax, [ebp+var_9C]
		push	eax
		push	[ebp+var_BC]
		push	ecx
		mov	edx, 8
		mov	ecx, esi
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_809727
		cmp	ds:_CmpTraceRoutine, edi
		jnz	loc_91BB7A

loc_8095BD:				; CODE XREF: NtEnumerateKey+112732j
					; NtEnumerateKey+112747j
		cmp	[ebp+var_91], 1
		jnz	loc_8097EF
		mov	[ebp+var_4], edi
		push	4
		mov	edi, [ebp+arg_10]
		push	edi
		mov	esi, [ebp+var_A4]
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_91BB9C

loc_8095EE:				; CODE XREF: NtEnumerateKey+11274Ej
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_8095F9:				; CODE XREF: NtEnumerateKey+3A8j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	[ebp+var_93], 1
		cmp	_CmpCallBackCount, 0
		jz	short loc_80967B
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_80967B
		mov	ecx, [ebp+var_9C]
		mov	[ebp+var_E8], ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_E4], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_E0], eax
		mov	[ebp+var_DC], esi
		mov	[ebp+var_D8], edi
		mov	[ebp+var_D4], ebx
		lea	eax, [ebp+var_B8]
		push	eax
		push	ecx
		push	14h
		push	1
		push	0
		lea	edx, [ebp+var_E8]
		mov	ecx, 5
		call	CmpCallCallBacksEx
		mov	esi, eax
		test	esi, esi
		js	loc_91BBD1
		mov	[ebp+var_92], 1

loc_80967B:				; CODE XREF: NtEnumerateKey+1BCj
					; NtEnumerateKey+1CAj
		lea	eax, [ebp+var_AC]
		push	eax
		push	8
		mov	dl, [ebp+var_91]
		lea	ecx, [ebp+var_9C]
		call	_CmKeyBodyRemapToVirtualForEnum@16 ; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_809721
		push	0		; char
		movsx	eax, [ebp+var_91]
		push	eax		; int
		push	edi		; size_t
		mov	edx, [ebp+var_A4]
		lea	ecx, [ebp+var_90]
		call	CmpBounceContextStart
		mov	esi, eax
		test	esi, esi
		js	short loc_809721
		lea	eax, [ebp+var_A0]
		push	eax
		push	edi
		push	[ebp+var_8C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		mov	edx, [ebp+var_AC]
		mov	ecx, [ebp+var_9C]
		call	CmEnumerateKey
		mov	esi, eax
		test	esi, esi
		js	loc_8097C4

loc_8096F0:				; CODE XREF: NtEnumerateKey+37Aj
					; NtEnumerateKey+38Cj
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_A0]
		mov	[ebx], eax
		cmp	esi, 0C0000023h
		jz	short loc_80971A
		cmp	edi, eax
		jb	short loc_80970D
		mov	edi, eax

loc_80970D:				; CODE XREF: NtEnumerateKey+2B9j
		mov	edx, edi
		lea	ecx, [ebp+var_90]
		call	_CmpBounceContextCopyDataToCallerBuffer@8 ; CmpBounceContextCopyDataToCallerBuffer(x,x)

loc_80971A:				; CODE XREF: NtEnumerateKey+2B5j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_809721:				; CODE XREF: NtEnumerateKey+249j
					; NtEnumerateKey+26Fj ...
		mov	edi, [ebp+var_98]

loc_809727:				; CODE XREF: NtEnumerateKey+15Bj
					; NtEnumerateKey+1126BFj ...
		mov	ecx, [ebp+var_AC]
		test	ecx, ecx
		jnz	loc_91BC18

loc_809735:				; CODE XREF: NtEnumerateKey+1127CDj
		cmp	[ebp+var_92], 0
		jz	short loc_809761
		lea	eax, [ebp+var_B8]
		push	eax
		push	0
		lea	eax, [ebp+var_E8]
		push	eax
		push	esi
		mov	edx, [ebp+var_9C]
		mov	ecx, 14h
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		mov	esi, eax

loc_809761:				; CODE XREF: NtEnumerateKey+2ECj
		cmp	[ebp+var_93], 0
		jz	short loc_80976F
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_80976F:				; CODE XREF: NtEnumerateKey+318j
		mov	ecx, [ebp+var_9C]
		test	ecx, ecx
		jz	short loc_80977E
		call	ObfDereferenceObject

loc_80977E:				; CODE XREF: NtEnumerateKey+327j
		lea	ecx, [ebp+var_90]
		call	_CmpBounceContextCleanup@4 ; CmpBounceContextCleanup(x)
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jnz	loc_91BC22

loc_809796:				; CODE XREF: NtEnumerateKey+1127E1j
		cmp	[ebp+var_94], 0
		jz	short loc_8097A4
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_8097A4:				; CODE XREF: NtEnumerateKey+34Dj
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_8097C4:				; CODE XREF: NtEnumerateKey+29Aj
		cmp	esi, 80000005h
		jz	loc_8096F0
		cmp	esi, 0C0000023h
		jnz	loc_809721
		jmp	loc_8096F0
; 

loc_8097E1:				; CODE XREF: NtEnumerateKey+11Dj
		cmp	eax, 1
		jz	loc_809573
		jmp	loc_91BB14
; 

loc_8097EF:				; CODE XREF: NtEnumerateKey+174j
		mov	edi, [ebp+arg_10]
		mov	esi, [ebp+var_A4]
		jmp	loc_8095F9
NtEnumerateKey	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmEnumerateKey	proc near		; CODE XREF: NtEnumerateKey+291p

var_6C		= dword	ptr -6Ch
var_62		= byte ptr -62h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4E		= byte ptr -4Eh
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0091BC36 SIZE 00000088 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	[esp+58h+var_2C], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_10]
		push	esi
		mov	[esp+5Ch+var_30], eax
		mov	esi, ecx
		xor	eax, eax
		mov	[esp+5Ch+var_28], ebx
		mov	[esp+5Ch+var_34], eax
		lea	ecx, [esp+5Ch+var_24]
		push	edi
		mov	[esp+60h+var_4C], 0
		mov	[esp+60h+var_1C], eax
		mov	[esp+60h+var_18], eax
		mov	[esp+60h+var_14], eax
		mov	[esp+60h+var_10], eax
		mov	[esp+60h+var_C], eax
		mov	[esp+60h+var_8], eax
		mov	[esp+60h+var_24], eax
		mov	[esp+60h+var_20], eax
		mov	[esp+60h+var_40], eax
		mov	[esp+60h+var_38], 0FFFFFFFFh
		mov	word ptr [esp+60h+var_34], ax
		mov	[esp+60h+var_48], eax
		mov	[esp+60h+var_3C], eax
		mov	[esp+60h+var_44], eax
		mov	[esp+60h+var_4D], al
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		lea	ecx, [esp+60h+var_1C]
		call	CmpAttachToRegistryProcess
		mov	eax, [esi+8]
		cmp	word ptr [eax+22h], 0
		jnz	loc_809A4E
		cmp	dword ptr [esi+20h], 0
		jnz	loc_809A90
		cmp	dword ptr [esi+24h], 0
		jnz	loc_809A90
		call	_CmpLockRegistry@0 ; CmpLockRegistry()

loc_8098B7:				; CODE XREF: CmEnumerateKey+295j
		mov	edi, [esi+8]
		mov	[esp+60h+var_4D], 1
		test	ebx, ebx
		jnz	loc_91BC40
		xor	eax, eax

loc_8098C9:				; CODE XREF: CmEnumerateKey+112443j
		mov	edx, edi
		mov	[esp+60h+var_44], eax
		mov	ecx, eax
		call	_CmpLockTwoKcbsShared@8	; CmpLockTwoKcbsShared(x,x)
		xor	edx, edx
		mov	ecx, esi
		call	CmpPerformKeyBodyDeletionCheck
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8099BD
		cmp	dword ptr [esi+20h], 0
		jnz	loc_809A9A
		cmp	dword ptr [esi+24h], 0
		jnz	loc_809A9A

loc_8098FD:				; CODE XREF: CmEnumerateKey+2BEj
		mov	esi, [esp+60h+var_28]
		test	esi, esi
		jnz	loc_91BC48
		cmp	_CmpVEEnabled, 0
		jz	short loc_80991F
		test	dword ptr [edi+68h], 1000000h
		jnz	loc_91BC5D

loc_80991F:				; CODE XREF: CmEnumerateKey+110j
		mov	eax, [esp+60h+var_48]
		mov	esi, [edi+10h]
		mov	edx, [edi+14h]
		test	eax, eax
		jnz	loc_809AC9
		xor	ecx, ecx
		xor	ebx, ebx
		mov	[esp+60h+var_40], ecx

loc_809939:				; CODE XREF: CmEnumerateKey+2D5j
		push	ecx
		lea	ecx, [esp+64h+var_24]
		push	ecx
		push	eax
		push	ebx
		push	[esp+70h+var_40]
		lea	eax, [esp+74h+var_4C]
		mov	ecx, esi
		push	eax
		push	[ebp+arg_0]
		call	CmpFindSubKeyByNumberEx
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8099BD

loc_80995A:				; CODE XREF: CmEnumerateKey+1124ADj
		mov	ebx, [esp+60h+var_4C]
		cmp	ebx, 0FFFFFFFFh
		jz	loc_809A0C
		lea	eax, [esp+60h+var_38]
		push	eax
		mov	eax, [esi+4]
		push	ebx
		push	esi
		call	eax
		mov	edx, eax
		mov	[esp+6Ch+var_58], eax
		mov	ecx, esi
		call	_CmpKeyNodeNeedsAccessBitUpdate@8 ; CmpKeyNodeNeedsAccessBitUpdate(x,x)
		test	al, al
		jnz	loc_809A13

loc_809988:				; CODE XREF: CmEnumerateKey+249j
		push	[esp+6Ch+var_54]
		mov	edx, [esp+70h+var_58]
		mov	ecx, esi
		push	[esp+70h+var_48]
		push	[esp+74h+var_3C]
		push	[ebp+arg_C]
		push	[esp+7Ch+var_38]
		push	[ebp+arg_4]
		call	CmpQueryKeyDataFromNode
		mov	ebx, eax
		cmp	[esp+6Ch+var_58], 0
		jz	short loc_8099BD
		lea	eax, [esp+6Ch+var_44]
		push	eax
		mov	eax, [esi+8]
		push	esi
		call	eax

loc_8099BD:				; CODE XREF: CmEnumerateKey+E3j
					; CmEnumerateKey+158j ...
		mov	ecx, [esp+74h+var_58]
		mov	edx, edi
		call	CmpUnlockTwoKcbs
		mov	eax, [esp+24h]
		test	eax, eax
		jnz	loc_91BCB2

loc_8099D4:				; CODE XREF: CmEnumerateKey+288j
					; CmEnumerateKey+1124B9j
		xor	dl, dl
		lea	ecx, [esp+74h+var_38]
		call	CmpDrainDelayDerefContext
		cmp	byte ptr [esp+13h], 0
		jz	short loc_8099EB
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_8099EB:				; CODE XREF: CmEnumerateKey+1E4j
		xor	edx, edx
		lea	ecx, [esp+74h+var_30]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [esp+74h+var_18]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_809A0C:				; CODE XREF: CmEnumerateKey+161j
		mov	ebx, 8000001Ah
		jmp	short loc_8099BD
; 

loc_809A13:				; CODE XREF: CmEnumerateKey+182j
		lea	eax, [esp+6Ch+var_44]
		push	eax
		mov	eax, [esi+8]
		push	esi
		call	eax
		lea	ecx, [esi+24h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lea	eax, [esp+74h+var_4C]
		push	eax
		mov	eax, [esi+4]
		push	ebx
		push	esi
		call	eax
		push	ebx
		mov	edx, eax
		mov	[esp+84h+var_6C], eax
		mov	ecx, esi
		call	_CmpUpdateKeyNodeAccessBits@12 ; CmpUpdateKeyNodeAccessBits(x,x,x)
		mov	ecx, esi
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		jmp	loc_809988
; 

loc_809A4E:				; CODE XREF: CmEnumerateKey+98j
		xor	edi, edi

loc_809A50:				; CODE XREF: CmEnumerateKey+28Ej
		cmp	edi, 0Ah
		ja	loc_91BC36
		mov	byte ptr [esp+60h+var_4C], 1

loc_809A5E:				; CODE XREF: CmEnumerateKey+11243Bj
		push	[esp+60h+var_4C]
		mov	edx, [ebp+arg_0]
		lea	eax, [esp+64h+var_44]
		push	eax
		push	[esp+68h+var_30]
		mov	ecx, esi
		push	[ebp+arg_C]
		push	[esp+70h+var_2C]
		push	[ebp+arg_4]
		call	CmpEnumerateLayeredKey
		mov	ebx, eax
		inc	edi
		cmp	ebx, 0C000022Dh
		jnz	loc_8099D4
		jmp	short loc_809A50
; 

loc_809A90:				; CODE XREF: CmEnumerateKey+A2j
					; CmEnumerateKey+ACj
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		jmp	loc_8098B7
; 

loc_809A9A:				; CODE XREF: CmEnumerateKey+EDj
					; CmEnumerateKey+F7j
		lea	edx, [esp+60h+var_48]
		mov	ecx, esi
		call	CmpTransSearchAddTransFromKeyBody
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8099BD
		mov	edx, [esp+60h+var_48]
		mov	ecx, esi
		call	CmpPerformKeyBodyDeletionCheck
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_8098FD
		jmp	loc_8099BD
; 

loc_809AC9:				; CODE XREF: CmEnumerateKey+12Bj
		mov	ebx, [esp+60h+var_44]
		lea	ecx, [esp+60h+var_3C]
		mov	[esp+60h+var_40], edi
		jmp	loc_809939
CmEnumerateKey	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCheckLexicographicalOrder proc near	; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+104p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0091BCBE SIZE 000000A9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_1C], 0FFFFFFFFh
		push	eax
		push	[ebp+arg_0]
		mov	esi, ecx
		mov	[ebp+var_18], 0
		push	esi
		mov	edi, edx
		mov	[ebp+var_24], 0FFFFFFFFh
		mov	[ebp+var_20], 0
		mov	eax, [esi+4]
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], 0
		call	eax
		mov	ecx, [esi+4]
		mov	ebx, eax
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		push	esi
		call	ecx
		mov	edi, eax
		test	ebx, ebx
		jz	short loc_809BBA
		test	edi, edi
		jz	short loc_809BBA
		mov	ax, [edi+2]
		lea	ecx, [edi+4Ch]
		and	ax, 20h
		lea	edx, [ebx+4Ch]
		test	byte ptr [ebx+2], 20h
		movzx	eax, ax
		jz	loc_91BCF0
		test	ax, ax
		jz	loc_91BCBE
		movzx	eax, word ptr [ebx+48h]
		push	eax
		push	edx
		movzx	edx, word ptr [edi+48h]
		call	CmpCompareTwoCompressedNames
		test	eax, eax
		jns	short loc_809BB1

loc_809B82:				; CODE XREF: CmpCheckLexicographicalOrder+1121FEj
					; CmpCheckLexicographicalOrder+112237j	...
		mov	[ebp+arg_0], 0

loc_809B89:				; CODE XREF: CmpCheckLexicographicalOrder+D8j
					; CmpCheckLexicographicalOrder+E1j ...
		test	ebx, ebx
		jz	short loc_809B97
		lea	eax, [ebp+var_1C]
		push	eax
		mov	eax, [esi+8]
		push	esi
		call	eax

loc_809B97:				; CODE XREF: CmpCheckLexicographicalOrder+ABj
		test	edi, edi
		jz	short loc_809BA5
		mov	ecx, [esi+8]
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	ecx

loc_809BA5:				; CODE XREF: CmpCheckLexicographicalOrder+B9j
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_809BB1:				; CODE XREF: CmpCheckLexicographicalOrder+A0j
		mov	[ebp+arg_0], 0C000014Ch
		jmp	short loc_809B89
; 

loc_809BBA:				; CODE XREF: CmpCheckLexicographicalOrder+65j
					; CmpCheckLexicographicalOrder+69j
		mov	[ebp+arg_0], 0C000009Ah
		jmp	short loc_809B89
CmpCheckLexicographicalOrder endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCompareTwoCompressedNames proc near	; CODE XREF: CmpDoCompareKeyName(x,x,x,x)+50p
					; CmpCheckLexicographicalOrder+99p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch

; FUNCTION CHUNK AT 0091BD67 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		movzx	esi, [ebp+arg_4]
		mov	ebx, ecx
		push	edi
		movzx	edi, dx
		test	di, di
		jz	short loc_809C16

loc_809BE7:				; CODE XREF: CmpCompareTwoCompressedNames+44j
		test	si, si
		jz	short loc_809C16
		mov	ecx, [ebp+arg_0]
		movzx	edx, byte ptr [ebx]
		inc	ebx
		mov	dword ptr [ebp+arg_4], edx
		movzx	eax, byte ptr [ecx]
		inc	ecx
		mov	[ebp+var_4], eax
		mov	[ebp+arg_0], ecx
		cmp	dx, ax
		jnz	short loc_809C20

loc_809C05:				; CODE XREF: CmpCompareTwoCompressedNames+63j
		add	edi, 0FFFFh
		add	esi, 0FFFFh
		test	di, di
		jnz	short loc_809BE7

loc_809C16:				; CODE XREF: CmpCompareTwoCompressedNames+15j
					; CmpCompareTwoCompressedNames+1Aj
		movzx	ecx, si
		movzx	eax, di
		sub	eax, ecx
		jmp	short loc_809C37
; 

loc_809C20:				; CODE XREF: CmpCompareTwoCompressedNames+33j
		cmp	edx, 61h
		jnb	short loc_809C4D

loc_809C25:				; CODE XREF: CmpCompareTwoCompressedNames+8Fj
		cmp	ax, 61h
		jnb	short loc_809C40

loc_809C2B:				; CODE XREF: CmpCompareTwoCompressedNames+7Bj
					; CmpCompareTwoCompressedNames+9Ej
		movzx	eax, ax
		movzx	ecx, dx
		sub	ecx, eax
		jz	short loc_809C05
		mov	eax, ecx

loc_809C37:				; CODE XREF: CmpCompareTwoCompressedNames+4Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_809C40:				; CODE XREF: CmpCompareTwoCompressedNames+59j
		cmp	ax, 7Ah
		ja	short loc_809C61
		add	eax, 0FFE0h
		jmp	short loc_809C2B
; 

loc_809C4D:				; CODE XREF: CmpCompareTwoCompressedNames+53j
		cmp	edx, 7Ah
		ja	loc_91BD67
		add	edx, 0FFE0h

loc_809C5C:				; CODE XREF: CmpCompareTwoCompressedNames+1121A4j
		mov	dword ptr [ebp+arg_4], edx
		jmp	short loc_809C25
; 

loc_809C61:				; CODE XREF: CmpCompareTwoCompressedNames+74j
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	edx, dword ptr [ebp+arg_4]
		movzx	eax, ax
		jmp	short loc_809C2B
CmpCompareTwoCompressedNames endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtEnumerateValueKey proc near		; CODE XREF: AdtpObjsInitialize+2E6p
					; AdtpObjsInitialize+31Bp
					; DATA XREF: ...

var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B1		= byte ptr -0B1h
var_B0		= dword	ptr -0B0h
var_AB		= byte ptr -0ABh
var_AA		= byte ptr -0AAh
var_A9		= byte ptr -0A9h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0091BD79 SIZE 000000AA BYTES
; FUNCTION CHUNK AT 0091BE51 SIZE 0000005B BYTES
; FUNCTION CHUNK AT 0091BEDA SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5600
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0F8h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, [ebp+arg_0]
		mov	ebx, [ebp+arg_C]
		mov	ecx, [ebp+arg_14]
		mov	[ebp+var_C8], ecx
		mov	[ebp+var_108], 0
		xor	eax, eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		push	4Ch		; size_t
		push	eax		; int
		lea	eax, [ebp+var_A8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		xor	edi, edi
		mov	[ebp+var_B8], edi
		mov	[ebp+var_BC], edi
		cmp	ds:_CmpTraceRoutine, eax
		jnz	loc_91BD79

loc_809D1E:				; CODE XREF: NtEnumerateValueKey+112116j
		mov	[ebp+var_AA], 0
		mov	[ebp+var_AB], 0
		xor	eax, eax
		mov	[ebp+var_104], eax
		mov	[ebp+var_100], eax
		mov	[ebp+var_FC], eax
		mov	[ebp+var_F8], eax
		mov	[ebp+var_F4], eax
		mov	[ebp+var_F0], eax
		mov	[ebp+var_EC], eax
		mov	[ebp+var_E8], eax
		mov	[ebp+var_E4], eax
		mov	[ebp+var_B0], eax
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_D0], eax
		mov	[ebp+var_D4], eax
		mov	[ebp+var_C0], edi
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_B1], al
		test	al, al
		jz	loc_91BD8B
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_809DAB
		cmp	eax, 1
		jnz	loc_80A04D

loc_809DAB:				; CODE XREF: NtEnumerateValueKey+130j
					; NtEnumerateValueKey+3E0j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_A9], al
		mov	byte ptr [ebp+var_D8], al
		push	0
		lea	eax, [ebp+var_B0]
		push	eax
		push	[ebp+var_D8]
		push	ecx
		mov	edx, 1
		mov	ecx, esi
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_809F85
		cmp	ds:_CmpTraceRoutine, edi
		jnz	loc_91BDF2

loc_809DF5:				; CODE XREF: NtEnumerateValueKey+11218Aj
					; NtEnumerateValueKey+11219Fj
		cmp	[ebp+var_A9], 1
		jnz	loc_80A03F
		mov	[ebp+var_4], edi
		mov	edi, [ebp+arg_10]
		test	edi, edi
		jz	short loc_809E2E
		test	bl, 3
		jnz	loc_80A05B
		lea	eax, [ebx+edi]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_91BE14
		cmp	eax, ebx
		jb	loc_91BE14

loc_809E2E:				; CODE XREF: NtEnumerateValueKey+19Aj
					; NtEnumerateValueKey+1121A7j
		mov	esi, [ebp+var_C8]
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_91BE1C

loc_809E43:				; CODE XREF: NtEnumerateValueKey+1121AEj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_809E4E:				; CODE XREF: NtEnumerateValueKey+3D8j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	[ebp+var_AB], 1
		cmp	_CmpCallBackCount, 0
		jz	short loc_809ED0
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_809ED0
		mov	ecx, [ebp+var_B0]
		mov	[ebp+var_104], ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_100], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_FC], eax
		mov	[ebp+var_F8], ebx
		mov	[ebp+var_F4], edi
		mov	[ebp+var_F0], esi
		lea	eax, [ebp+var_D4]
		push	eax
		push	ecx
		push	15h
		push	1
		push	0
		lea	edx, [ebp+var_104]
		mov	ecx, 6
		call	CmpCallCallBacksEx
		mov	esi, eax
		test	esi, esi
		js	loc_91BE51
		mov	[ebp+var_AA], 1

loc_809ED0:				; CODE XREF: NtEnumerateValueKey+1F1j
					; NtEnumerateValueKey+1FFj
		lea	eax, [ebp+var_C0]
		push	eax
		push	1
		mov	dl, [ebp+var_A9]
		lea	ecx, [ebp+var_B0]
		call	_CmKeyBodyRemapToVirtualForEnum@16 ; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_809F7F
		push	1		; char
		movsx	eax, [ebp+var_A9]
		push	eax		; int
		push	edi		; size_t
		mov	edx, ebx
		lea	ecx, [ebp+var_A8]
		call	CmpBounceContextStart
		mov	esi, eax
		test	esi, esi
		js	short loc_809F7F
		cmp	[ebp+var_C0], 0
		jnz	loc_91BE6A
		lea	eax, [ebp+var_C4]
		push	eax
		push	edi
		push	[ebp+var_A4]
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_B0]
		call	CmEnumerateValueKey
		mov	esi, eax

loc_809F40:				; CODE XREF: NtEnumerateValueKey+112237j
		test	esi, esi
		js	loc_80A022

loc_809F48:				; CODE XREF: NtEnumerateValueKey+3B8j
					; NtEnumerateValueKey+3CAj
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_C4]
		mov	ecx, [ebp+var_C8]
		mov	[ecx], eax
		cmp	esi, 0C0000023h
		jz	short loc_809F78
		cmp	edi, eax
		jb	short loc_809F6B
		mov	edi, eax

loc_809F6B:				; CODE XREF: NtEnumerateValueKey+2F7j
		mov	edx, edi
		lea	ecx, [ebp+var_A8]
		call	_CmpBounceContextCopyDataToCallerBuffer@8 ; CmpBounceContextCopyDataToCallerBuffer(x,x)

loc_809F78:				; CODE XREF: NtEnumerateValueKey+2F3j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_809F7F:				; CODE XREF: NtEnumerateValueKey+27Ej
					; NtEnumerateValueKey+2A0j ...
		mov	edi, [ebp+var_B8]

loc_809F85:				; CODE XREF: NtEnumerateValueKey+173j
					; NtEnumerateValueKey+112120j ...
		mov	ecx, [ebp+var_C0]
		test	ecx, ecx
		jnz	loc_91BEDA

loc_809F93:				; CODE XREF: NtEnumerateValueKey+11226Fj
		cmp	[ebp+var_AA], 0
		jz	short loc_809FBF
		lea	eax, [ebp+var_D4]
		push	eax
		push	0
		lea	eax, [ebp+var_104]
		push	eax
		push	esi
		mov	edx, [ebp+var_B0]
		mov	ecx, 15h
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		mov	esi, eax

loc_809FBF:				; CODE XREF: NtEnumerateValueKey+32Aj
		cmp	[ebp+var_AB], 0
		jz	short loc_809FCD
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_809FCD:				; CODE XREF: NtEnumerateValueKey+356j
		mov	ecx, [ebp+var_B0]
		test	ecx, ecx
		jz	short loc_809FDC
		call	ObfDereferenceObject

loc_809FDC:				; CODE XREF: NtEnumerateValueKey+365j
		lea	ecx, [ebp+var_A8]
		call	_CmpBounceContextCleanup@4 ; CmpBounceContextCleanup(x)
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jnz	loc_91BEE4

loc_809FF4:				; CODE XREF: NtEnumerateValueKey+112283j
		cmp	[ebp+var_B1], 0
		jz	short loc_80A002
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_80A002:				; CODE XREF: NtEnumerateValueKey+38Bj
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_80A022:				; CODE XREF: NtEnumerateValueKey+2D2j
		cmp	esi, 80000005h
		jz	loc_809F48
		cmp	esi, 0C0000023h
		jnz	loc_809F7F
		jmp	loc_809F48
; 

loc_80A03F:				; CODE XREF: NtEnumerateValueKey+18Cj
		mov	edi, [ebp+arg_10]
		mov	esi, [ebp+var_C8]
		jmp	loc_809E4E
; 

loc_80A04D:				; CODE XREF: NtEnumerateValueKey+135j
		cmp	eax, 2
		jz	loc_809DAB
		jmp	loc_91BD95
; 

loc_80A05B:				; CODE XREF: NtEnumerateValueKey+19Fj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
NtEnumerateValueKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmEnumerateValueKey proc near		; CODE XREF: NtEnumerateValueKey+2C9p

var_6A		= byte ptr -6Ah
var_69		= byte ptr -69h
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0091BEF8 SIZE 000000B2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[esp+48h+var_30], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_C]
		xor	edx, edx
		mov	[esp+48h+var_34], eax
		xor	eax, eax
		push	esi
		push	edi
		mov	[esp+50h+var_20], eax
		mov	edi, ecx
		mov	ecx, dword_6CDE84
		mov	[esp+50h+var_28], eax
		mov	[esp+50h+var_1C], eax
		mov	[esp+50h+var_18], eax
		mov	[esp+50h+var_14], eax
		mov	[esp+50h+var_10], eax
		mov	[esp+50h+var_C], eax
		mov	[esp+50h+var_8], eax
		mov	[esp+50h+var_3C], eax
		mov	word ptr [esp+50h+var_20], ax
		mov	word ptr [esp+50h+var_28], ax
		lea	eax, [esp+50h+var_1C]
		mov	[esp+50h+var_38], ebx
		mov	[esp+50h+var_24], 0FFFFFFFFh
		mov	[esp+50h+var_2C], 0FFFFFFFFh
		push	eax
		test	ecx, ecx
		jz	loc_91BEF8

loc_80A0E4:				; CODE XREF: CmEnumerateValueKey+111EA5j
		call	KiStackAttachProcess
		cmp	ds:_CmpPuntBoot, 0
		jnz	short loc_80A11A
		mov	ecx, large fs:124h
		xor	dl, dl
		call	_PsBoostThreadIo@8 ; PsBoostThreadIo(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _CmpRegistryLock
		call	ExAcquireResourceSharedLite

loc_80A11A:				; CODE XREF: CmEnumerateValueKey+90j
		mov	esi, [edi+8]
		cmp	word ptr [esi+22h], 0
		jnz	loc_91BF0A
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lea	ebx, [esi+1Ch]
		lock inc dword ptr [ebx]
		xor	edx, edx
		mov	ecx, edi
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_91BF28
		xor	eax, eax

loc_80A14B:				; CODE XREF: CmEnumerateValueKey+111EDEj
		mov	[esp+50h+var_40], eax
		test	eax, eax
		js	loc_80A1EE
		cmp	dword ptr [edi+20h], 0
		jnz	loc_91BF43
		cmp	dword ptr [edi+24h], 0
		jnz	loc_91BF43

loc_80A16B:				; CODE XREF: CmEnumerateValueKey+111F15j
					; CmEnumerateValueKey+111F2Cj
		mov	eax, 30h

loc_80A170:				; CODE XREF: CmEnumerateValueKey+111F26j
		mov	edi, [esp+50h+var_38]
		cmp	edi, [eax+esi]
		jnb	loc_80A269
		mov	ecx, [esi+10h]
		lea	edx, [esp+50h+var_24]
		mov	eax, [eax+esi+4]
		push	edx
		push	eax
		mov	eax, [ecx+4]
		push	ecx
		call	eax
		mov	ecx, [esi+10h]
		mov	[esp+5Ch+var_44], eax
		mov	ebx, [eax+edi*4]
		lea	eax, [esp+5Ch+var_38]
		push	eax
		push	ebx
		push	ecx
		mov	ecx, [ecx+4]
		call	ecx
		push	[esp+68h+var_4C] ; int
		mov	edi, eax
		mov	edx, ebx
		push	[ebp+arg_8]	; size_t
		mov	ecx, esi
		push	[esp+70h+var_48] ; int
		push	[ebp+arg_0]	; int
		push	edi		; size_t
		call	CmpQueryKeyValueData
		mov	[esp+68h+var_58], eax
		test	edi, edi
		jz	short loc_80A1D6
		mov	eax, [esi+10h]
		lea	ecx, [esp+68h+var_44]
		push	ecx
		push	eax
		mov	eax, [eax+8]
		call	eax

loc_80A1D6:				; CODE XREF: CmEnumerateValueKey+166j
		cmp	[esp+70h+var_58], 0
		jz	short loc_80A1EB
		mov	eax, [esi+10h]
		lea	ecx, [esp+70h+var_44]
		push	ecx
		push	eax
		mov	eax, [eax+8]
		call	eax

loc_80A1EB:				; CODE XREF: CmEnumerateValueKey+17Bj
		lea	ebx, [esi+1Ch]

loc_80A1EE:				; CODE XREF: CmEnumerateValueKey+F1j
					; CmEnumerateValueKey+111EF4j
		mov	edi, [esp+78h+var_68]

loc_80A1F2:				; CODE XREF: CmEnumerateValueKey+20Ej
					; CmEnumerateValueKey+111F09j
		test	dword ptr [esi+4], 80000h
		jnz	short loc_80A270
		mov	[esp+78h+var_69], 0

loc_80A200:				; CODE XREF: CmEnumerateValueKey+215j
		mov	eax, large fs:124h
		cmp	[ebx], eax
		jz	short loc_80A277
		lock dec dword ptr [ebx]

loc_80A20D:				; CODE XREF: CmEnumerateValueKey+21Ej
		xor	edx, edx
		lea	ecx, [esi+18h]
		call	ExReleasePushLockEx
		cmp	[esp+78h+var_69], 0
		jnz	loc_91BF91

loc_80A222:				; CODE XREF: CmEnumerateValueKey+111EC3j
					; CmEnumerateValueKey+111F38j ...
		cmp	ds:_CmpPuntBoot, 0
		jnz	short loc_80A248
		mov	ecx, offset _CmpRegistryLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, large fs:124h
		mov	dl, 1
		call	_PsBoostThreadIo@8 ; PsBoostThreadIo(x,x)

loc_80A248:				; CODE XREF: CmEnumerateValueKey+1C9j
		xor	edx, edx
		lea	ecx, [esp+78h+var_44]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [esp+78h+var_2C]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_80A269:				; CODE XREF: CmEnumerateValueKey+117j
		mov	edi, 8000001Ah
		jmp	short loc_80A1F2
; 

loc_80A270:				; CODE XREF: CmEnumerateValueKey+199j
		mov	[esp+78h+var_69], 1
		jmp	short loc_80A200
; 

loc_80A277:				; CODE XREF: CmEnumerateValueKey+1A8j
		mov	dword ptr [esi+1Ch], 0
		jmp	short loc_80A20D
CmEnumerateValueKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpDoFindSubKeyByNumber	proc near	; CODE XREF: CmpFindSubKeyByNumber(x,x,x,x)+47p
					; CmpCheckRegistry2(x,x,x,x,x,x,x,x)+166p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0091BFAA SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		movzx	eax, word ptr [edx]
		push	ebx
		push	esi
		mov	esi, 6972h
		mov	[ebp+var_C], edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], 0FFFFFFFFh
		cmp	ax, si
		mov	[ebp+var_10], 0
		mov	esi, [ebp+arg_0]
		mov	ecx, eax
		jz	short loc_80A2D5

loc_80A2B0:				; CODE XREF: CmpDoFindSubKeyByNumber+AFj
		mov	eax, 666Ch
		cmp	cx, ax
		jz	short loc_80A2C8
		mov	eax, 686Ch
		cmp	cx, ax
		jnz	loc_91BFBF

loc_80A2C8:				; CODE XREF: CmpDoFindSubKeyByNumber+38j
		mov	eax, [edx+esi*8+4]

loc_80A2CC:				; CODE XREF: CmpDoFindSubKeyByNumber+EBj
					; CmpDoFindSubKeyByNumber+111D3Aj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_80A2D5:				; CODE XREF: CmpDoFindSubKeyByNumber+2Ej
		xor	eax, eax
		mov	[ebp+var_8], 0
		cmp	ax, [edx+2]
		jnb	loc_91BFBF
		lea	ebx, [edx+4]
		jmp	short loc_80A2F0
; 
		align 10h

loc_80A2F0:				; CODE XREF: CmpDoFindSubKeyByNumber+6Bj
					; CmpDoFindSubKeyByNumber+AAj
		mov	eax, [ebx]
		lea	ecx, [ebp+var_14]
		push	ecx
		push	eax
		mov	eax, [edi+4]
		push	edi
		call	eax
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_80A368
		movzx	eax, word ptr [ecx+2]
		cmp	esi, eax
		jb	short loc_80A334
		sub	esi, eax
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	edx, [ebp+var_C]
		add	ebx, 4
		mov	ecx, [ebp+var_8]
		inc	ecx
		mov	[ebp+var_8], ecx
		movzx	eax, word ptr [edx+2]
		cmp	ecx, eax
		jb	short loc_80A2F0
		movzx	ecx, word ptr [edx]
		jmp	loc_80A2B0
; 

loc_80A334:				; CODE XREF: CmpDoFindSubKeyByNumber+89j
		movzx	eax, word ptr [ecx]
		mov	edx, 666Ch
		cmp	ax, dx
		jz	short loc_80A34F
		mov	edx, 686Ch
		cmp	ax, dx
		jnz	loc_91BFAA

loc_80A34F:				; CODE XREF: CmpDoFindSubKeyByNumber+BFj
		mov	esi, [ecx+esi*8+4]
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_80A368:				; CODE XREF: CmpDoFindSubKeyByNumber+81j
		or	eax, 0FFFFFFFFh
		jmp	loc_80A2CC
CmpDoFindSubKeyByNumber	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCheckLeaf	proc near		; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+11A3p
					; CmpCheckKey(x,x,x,x,x,x,x)+12E0p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0091BFC9 SIZE 000000DC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1C], 0
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_18], edx
		mov	edx, 686Ch
		mov	word ptr [ebp+var_1C], ax
		mov	[ebp+var_20], 0
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_10], edi
		mov	[ebp+var_28], 0
		mov	[ebp+var_24], 0
		mov	[ebp+var_5], 0
		mov	[ebp+var_20], 0FFFFFFFFh
		cmp	ax, dx
		jnz	loc_80A4F1

loc_80A3C4:				; CODE XREF: CmpCheckLeaf+189j
		xor	esi, esi
		xor	eax, eax
		mov	[ebp+var_14], esi
		cmp	ax, [ecx+2]
		jnb	loc_80A4BA
		lea	ebx, [ecx+8]
		mov	[ebp+var_C], ebx
		jmp	short loc_80A3E0
; 
		align 10h

loc_80A3E0:				; CODE XREF: CmpCheckLeaf+6Bj
					; CmpCheckLeaf+13Ej
		mov	edx, [ebx-4]
		mov	ecx, edi
		push	0
		call	_HvIsCellAllocated@12 ;	HvIsCellAllocated(x,x,x)
		test	al, al
		jz	loc_80A49B
		mov	eax, [ebx-4]
		lea	ecx, [ebp+var_20]
		push	ecx
		push	eax
		mov	eax, [edi+4]
		push	edi
		call	eax
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_91C088
		mov	eax, 0FFFFFFFCh
		sub	eax, [ecx-4]
		cmp	eax, 4Ch
		jb	loc_91C046
		movzx	edx, word ptr [ecx+48h]
		add	eax, 0FFFFFFB4h
		mov	ebx, edx
		cmp	ebx, eax
		ja	loc_91C043
		mov	ax, [ecx+2]
		lea	edi, [ecx+4Ch]
		mov	ecx, [ebp+arg_0]
		and	ax, 20h
		mov	word ptr [ebp+var_28+2], dx
		mov	word ptr [ebp+var_28], dx
		mov	edx, 686Ch
		mov	[ebp+var_24], edi
		movzx	eax, ax
		cmp	[ecx], dx
		jnz	loc_80A4DB
		test	ax, ax
		jz	loc_91BFC9
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_80A480

loc_80A467:				; CODE XREF: CmpCheckLeaf+10Ej
		mov	al, [edi]
		movzx	ecx, al
		cmp	al, 61h
		jnb	short loc_80A4C5
		mov	eax, ecx

loc_80A472:				; CODE XREF: CmpCheckLeaf+15Fj
					; CmpCheckLeaf+169j
		imul	esi, 25h
		inc	edi
		movzx	eax, ax
		add	esi, eax
		sub	ebx, 1
		jnz	short loc_80A467

loc_80A480:				; CODE XREF: CmpCheckLeaf+F5j
					; CmpCheckLeaf+17Fj
		mov	ebx, [ebp+var_C]
		cmp	[ebx], esi
		jnz	loc_91BFE3
		mov	edi, [ebp+var_10]

loc_80A48E:				; CODE XREF: CmpCheckLeaf+111CCEj
		lea	eax, [ebp+var_20]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	esi, [ebp+var_14]

loc_80A49B:				; CODE XREF: CmpCheckLeaf+7Ej
					; CmpCheckLeaf+111CE0j
		mov	eax, [ebp+arg_0]
		inc	esi
		add	ebx, 8
		mov	[ebp+var_14], esi
		mov	[ebp+var_C], ebx
		movzx	eax, word ptr [eax+2]
		cmp	esi, eax
		jb	loc_80A3E0
		cmp	[ebp+var_5], 0
		jnz	short loc_80A501

loc_80A4BA:				; CODE XREF: CmpCheckLeaf+5Fj
					; CmpCheckLeaf+18Fj
		xor	eax, eax

loc_80A4BC:				; CODE XREF: CmpCheckLeaf+196j
					; CmpCheckLeaf+111D13j	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_80A4C5:				; CODE XREF: CmpCheckLeaf+FEj
		cmp	al, 7Ah
		ja	short loc_80A4D1
		lea	eax, [ecx-20h]
		movzx	eax, ax
		jmp	short loc_80A472
; 

loc_80A4D1:				; CODE XREF: CmpCheckLeaf+157j
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		movzx	eax, ax
		jmp	short loc_80A472
; 

loc_80A4DB:				; CODE XREF: CmpCheckLeaf+E2j
		test	ax, ax
		jz	loc_91BFD6
		mov	edx, ebx
		mov	ecx, edi	; void *
		call	_CmpGenerateFastLeafHintForCompressedString@8 ;	CmpGenerateFastLeafHintForCompressedString(x,x)

loc_80A4ED:				; CODE XREF: CmpCheckLeaf+111C61j
					; CmpCheckLeaf+111C6Ej
		mov	esi, eax
		jmp	short loc_80A480
; 

loc_80A4F1:				; CODE XREF: CmpCheckLeaf+4Ej
		mov	edx, 666Ch
		cmp	ax, dx
		jz	loc_80A3C4
		jmp	short loc_80A4BA
; 

loc_80A501:				; CODE XREF: CmpCheckLeaf+148j
		mov	eax, 8000002Ah
		jmp	short loc_80A4BC
CmpCheckLeaf	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCheckRegistry2(x, x, x, x, x, x,	x, x)
_CmpCheckRegistry2@32 proc near		; CODE XREF: CmCheckRegistry(x,x,x)+158p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	al, al
		mov	[ebp+var_10], 0
		push	edi
		mov	[ebp+var_1], al
		mov	ebx, ecx
		xor	eax, eax
		mov	[ebp+var_14], 0
		push	73634D43h
		push	eax
		mov	word ptr [ebp+var_10], ax
		mov	eax, [ebx+0Ch]
		push	2800h
		mov	[ebp+var_C], edx
		mov	[ebp+var_14], 0FFFFFFFFh
		call	eax
		mov	ecx, [ebp+arg_10]
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		jnz	short loc_80A577
		push	eax
		push	0C000009Ah
		push	0Dh
		call	SetFailureLocation
		mov	eax, 0C000009Ah
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_80A577:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+4Aj
		test	ecx, ecx
		jz	short loc_80A581
		mov	[ecx+0D4h], edx

loc_80A581:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+69j
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		mov	[edx], eax
		mov	esi, edx
		mov	eax, [ebp+arg_14]
		mov	dword ptr [edx+4], 0FFFFFFFFh
		mov	dword ptr [edx+8], 0FFFFFFFFh
		mov	dword ptr [edx+0Ch], 0
		mov	byte ptr [edx+10h], 0
		mov	[ebp+arg_0], edi
		mov	[eax], edi
		jmp	short loc_80A5B0
; 
		align 10h

loc_80A5B0:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+9Bj
					; CmpCheckRegistry2(x,x,x,x,x,x,x,x)+1DAj
		cmp	byte ptr [esi+10h], 0
		jnz	short loc_80A62B
		mov	eax, [eax]
		mov	byte ptr [esi+10h], 1
		cmp	eax, 0FFFFFFFFh
		jnb	short loc_80A5C7
		mov	edx, [ebp+arg_14]
		inc	eax
		mov	[edx], eax

loc_80A5C7:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+AFj
		mov	eax, [esi+4]
		mov	edx, [ebp+var_C]
		push	ecx
		push	[ebp+arg_C]
		mov	ecx, ebx
		push	[ebp+arg_8]
		push	eax
		mov	eax, [esi]
		push	eax
		call	_CmpCheckKey@28	; CmpCheckKey(x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 8000002Ah
		jnz	short loc_80A5EF
		mov	[ebp+var_1], 1
		jmp	short loc_80A5F7
; 

loc_80A5EF:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+D7j
		test	edi, edi
		js	loc_80A70F

loc_80A5F7:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+DDj
		test	[ebp+var_C], 100000h
		mov	edi, [ebp+arg_0]
		jz	short loc_80A62B
		test	edi, edi
		jle	short loc_80A62B
		mov	edx, [esi-0Ch]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_80A626
		mov	eax, [esi]
		mov	ecx, ebx
		push	eax
		call	CmpCheckLexicographicalOrder
		mov	edi, eax
		test	edi, edi
		js	loc_80A6EF
		mov	edi, [ebp+arg_0]

loc_80A626:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+FDj
		mov	eax, [esi]
		mov	[esi-0Ch], eax

loc_80A62B:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+A4j
					; CmpCheckRegistry2(x,x,x,x,x,x,x,x)+F1j ...
		mov	eax, [esi]
		lea	ecx, [ebp+var_14]
		push	ecx
		push	eax
		mov	eax, [ebx+4]
		push	ebx
		call	eax
		test	eax, eax
		jz	loc_80A81E
		mov	ecx, [esi+0Ch]
		mov	[ebp+arg_0], ecx
		cmp	ecx, [eax+14h]
		jnb	short loc_80A6C7
		mov	eax, [eax+1Ch]
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		mov	eax, [ebx+4]
		push	ebx
		mov	[ebp+var_1C], 0FFFFFFFFh
		mov	[ebp+var_18], 0
		call	eax
		test	eax, eax
		jz	loc_80A7D2
		push	[ebp+arg_0]
		mov	edx, eax
		mov	ecx, ebx
		call	CmpDoFindSubKeyByNumber
		mov	[ebp+arg_0], eax
		mov	ecx, [ebx+8]
		lea	eax, [ebp+var_1C]
		push	eax
		push	ebx
		call	ecx
		mov	eax, [ebp+arg_0]
		cmp	eax, 0FFFFFFFFh
		jz	loc_80A7CB
		inc	dword ptr [esi+0Ch]
		add	esi, 14h
		cmp	edi, 1FFh
		jz	loc_80A7BF
		mov	[esi], eax
		mov	eax, [esi-14h]
		mov	[esi+4], eax
		mov	eax, 1
		mov	dword ptr [esi+8], 0FFFFFFFFh
		mov	dword ptr [esi+0Ch], 0
		mov	byte ptr [esi+10h], 0
		jmp	short loc_80A6CD
; 

loc_80A6C7:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+139j
		sub	esi, 14h
		or	eax, 0FFFFFFFFh

loc_80A6CD:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+1B5j
		add	edi, eax
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, [ebx+8]
		push	ebx
		mov	[ebp+arg_0], edi
		call	eax
		test	edi, edi
		js	loc_80A7F6
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+arg_14]
		jmp	loc_80A5B0
; 

loc_80A6EF:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+10Dj
		xor	edx, edx
		cmp	edi, 0C000014Ch
		jnz	short loc_80A707
		mov	esi, [ebp+var_C]
		lea	eax, [edx+30h]
		and	esi, 20000h
		jmp	short loc_80A74E
; 

loc_80A707:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+1E7j
		push	25h
		push	edi
		jmp	loc_80A828
; 

loc_80A70F:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+E1j
		cmp	edi, 0C000014Ch
		jnz	loc_80A832
		mov	esi, [ebp+var_C]
		and	esi, 20000h
		jz	short loc_80A72A
		xor	edx, edx
		jmp	short loc_80A749
; 

loc_80A72A:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+214j
		cmp	ds:_CmpSelfHeal, 0
		jz	short loc_80A73A
		mov	edx, 1
		jmp	short loc_80A749
; 

loc_80A73A:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+221j
		test	byte ptr _CmpBootType, 6
		mov	edx, 0
		setnz	dl

loc_80A749:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+218j
					; CmpCheckRegistry2(x,x,x,x,x,x,x,x)+228j
		mov	eax, 10h

loc_80A74E:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+1F5j
		mov	ecx, [ebp+arg_10]
		push	eax
		push	edi
		push	0Dh
		call	SetFailureLocation
		test	esi, esi
		jnz	short loc_80A7BB
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80A770
		test	byte ptr _CmpBootType, 6
		jz	short loc_80A7BB

loc_80A770:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+255j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_80A7BB
		mov	esi, [ebp+var_8]
		lea	eax, [eax+eax*4]
		mov	ecx, ebx
		lea	edx, [esi+eax*4]
		mov	eax, [edx]
		mov	edx, [edx+4]
		push	eax
		call	_CmpRemoveSubKeyCellNoCellRef@12 ; CmpRemoveSubKeyCellNoCellRef(x,x,x)
		test	al, al
		jnz	short loc_80A7AA
		mov	ecx, [ebp+arg_10]
		mov	edi, 0C000014Ch
		push	20h
		push	edi
		push	0Dh
		xor	edx, edx
		call	SetFailureLocation
		jmp	loc_80A835
; 

loc_80A7AA:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+27Fj
		mov	eax, [ebx+20h]
		mov	edi, 0C000022Dh
		or	dword ptr [eax+0FF8h], 4
		jmp	short loc_80A835
; 

loc_80A7BB:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+24Cj
					; CmpCheckRegistry2(x,x,x,x,x,x,x,x)+25Ej ...
		push	18h
		jmp	short loc_80A820
; 

loc_80A7BF:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+190j
		mov	edi, 0C000014Ch
		mov	eax, 60h
		jmp	short loc_80A7DC
; 

loc_80A7CB:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+17Ej
		mov	eax, 58h
		jmp	short loc_80A7D7
; 

loc_80A7D2:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+159j
		mov	eax, 50h

loc_80A7D7:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+2C0j
		mov	edi, 0C000009Ah

loc_80A7DC:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+2B9j
		mov	ecx, [ebp+arg_10]
		xor	edx, edx
		push	eax
		push	edi
		push	0Dh
		call	SetFailureLocation
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, [ebx+8]
		push	ebx
		call	eax
		jmp	short loc_80A832
; 

loc_80A7F6:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+1CEj
		test	[ebp+var_C], 20000h
		jnz	short loc_80A80E
		mov	ecx, ebx
		call	_CmpCheckAndFixSecurityCellsRefcount@4 ; CmpCheckAndFixSecurityCellsRefcount(x)
		test	al, al
		jnz	short loc_80A80E
		push	70h
		jmp	short loc_80A820
; 

loc_80A80E:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+2EDj
					; CmpCheckRegistry2(x,x,x,x,x,x,x,x)+2F8j
		movzx	edi, [ebp+var_1]
		neg	edi
		sbb	edi, edi
		and	edi, 8000002Ah
		jmp	short loc_80A832
; 

loc_80A81E:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+12Aj
		push	40h

loc_80A820:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+2ADj
					; CmpCheckRegistry2(x,x,x,x,x,x,x,x)+2FCj
		mov	edi, 0C000014Ch
		xor	edx, edx
		push	edi

loc_80A828:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+1FAj
		mov	ecx, [ebp+arg_10]
		push	0Dh
		call	SetFailureLocation

loc_80A832:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+205j
					; CmpCheckRegistry2(x,x,x,x,x,x,x,x)+2E4j ...
		mov	esi, [ebp+var_8]

loc_80A835:				; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+295j
					; CmpCheckRegistry2(x,x,x,x,x,x,x,x)+2A9j
		mov	eax, [ebx+10h]
		push	2800h
		push	esi
		call	eax
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_CmpCheckRegistry2@32 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtResetWriteWatch proc near		; DATA XREF: .text:00580D4Co

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0091C0A5 SIZE 000000CC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		mov	ecx, [ebp+arg_8]
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[esp+3Ch+var_1C], eax
		mov	[esp+3Ch+var_18], eax
		mov	[esp+3Ch+var_14], eax
		mov	[esp+3Ch+var_10], eax
		mov	[esp+3Ch+var_C], eax
		mov	[esp+3Ch+var_8], eax
		mov	eax, ds:_MmHighestUserAddress
		mov	[esp+3Ch+var_20], esi
		mov	[esp+3Ch+var_24], ecx
		mov	[esp+3Ch+var_30], 0
		push	edi
		cmp	ebx, eax
		ja	loc_91C0A5
		sub	eax, ebx
		inc	eax
		cmp	eax, ecx
		jb	loc_91C167
		test	ecx, ecx
		jz	loc_91C167
		lea	eax, [ebx-1]
		add	eax, ecx
		mov	[esp+40h+var_28], eax
		mov	eax, large fs:124h
		mov	edi, [eax+80h]
		cmp	esi, 0FFFFFFFFh
		jnz	loc_91C0AF
		mov	[esp+40h+var_30], edi
		xor	esi, esi

loc_80A8E0:				; CODE XREF: NtResetWriteWatch+1118A1j
					; NtResetWriteWatch+1118BAj
		lea	eax, [esp+40h+var_2C]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	MiObtainReferencedVadEx
		mov	edi, eax
		test	edi, edi
		jz	loc_91C10F
		mov	eax, [edi+1Ch]
		and	eax, 300000h
		cmp	eax, 300000h
		jz	short loc_80A93C

loc_80A907:				; CODE XREF: NtResetWriteWatch+FDj
					; NtResetWriteWatch+1118D1j
		mov	ebx, 0C00000EFh

loc_80A90C:				; CODE XREF: NtResetWriteWatch+11Bj
					; NtResetWriteWatch+1118E6j
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad

loc_80A913:				; CODE XREF: NtResetWriteWatch+1118C4j
		test	esi, esi
		jnz	loc_91C13B

loc_80A91B:				; CODE XREF: NtResetWriteWatch+1118F6j
		cmp	[esp+40h+var_20], 0FFFFFFFFh
		jnz	loc_91C14B

loc_80A926:				; CODE XREF: NtResetWriteWatch+111909j
					; NtResetWriteWatch+111912j
		mov	eax, ebx

loc_80A928:				; CODE XREF: NtResetWriteWatch+11185Aj
					; NtResetWriteWatch+11191Cj
		mov	ecx, [esp+40h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_80A93C:				; CODE XREF: NtResetWriteWatch+B5j
		mov	eax, [edi+10h]
		mov	edx, [esp+40h+var_28]
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	edx, eax
		ja	short loc_80A907
		mov	ecx, edi
		call	_MiGetVadMandatoryPageSize@4 ; MiGetVadMandatoryPageSize(x)
		cmp	eax, 1
		ja	loc_91C119

loc_80A95F:				; CODE XREF: NtResetWriteWatch+1118DBj
		push	1
		push	edi
		mov	ecx, ebx
		call	MiMoveDirtyBitsToPfns
		xor	ebx, ebx
		jmp	short loc_80A90C
NtResetWriteWatch endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtReleaseMutant	proc near		; DATA XREF: .text:00580D90o

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0091C171 SIZE 0000002C BYTES
; FUNCTION CHUNK AT 0091C1D8 SIZE 0000001B BYTES
; FUNCTION CHUNK AT 0091C20E SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5628
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_24], 0
		mov	[ebp+var_24], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_34], al
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jnz	loc_91C171

loc_80A9D0:				; CODE XREF: NtReleaseMutant+111803j
					; NtReleaseMutant+111828j
		mov	eax, ds:_ExMutantObjectType
		mov	[ebp+var_20], 0
		push	0
		lea	ecx, [ebp+var_20]
		push	ecx
		push	[ebp+var_34]
		push	eax
		push	0
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+arg_4], esi
		test	esi, esi
		js	short loc_80AA46
		mov	[ebp+var_4], 1
		push	0
		push	0
		push	1
		mov	edi, [ebp+var_20]
		push	edi
		call	KeReleaseMutant
		mov	[ebp+var_24], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_80AA19:				; CODE XREF: NtReleaseMutant+DCj
		test	esi, esi
		js	short loc_80AA25
		test	ebx, ebx
		jnz	loc_91C1D8

loc_80AA25:				; CODE XREF: NtReleaseMutant+ABj
					; NtReleaseMutant+11187Ej ...
		test	edi, edi
		jz	short loc_80AA30
		mov	ecx, edi
		call	ObfDereferenceObject

loc_80AA30:				; CODE XREF: NtReleaseMutant+B7j
		mov	eax, esi

loc_80AA32:				; CODE XREF: sub_91C1AD+Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_80AA46:				; CODE XREF: NtReleaseMutant+87j
		mov	eax, [ebp+var_24]
		mov	edi, [ebp+var_20]
		jmp	short loc_80AA19
NtReleaseMutant	endp


;  S U B	R O U T	I N E 


sub_80AA4E	proc near		; DATA XREF: .text:006A5648o

; FUNCTION CHUNK AT 0091C1BF SIZE 00000019 BYTES

		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		mov	[ebp-28h], eax
		cmp	dword ptr [ebp-28h], 0C0000046h
		jnz	loc_91C1BF

loc_80AA68:				; CODE XREF: sub_80AA4E+111778j
		mov	dword ptr [ebp-2Ch], 1

loc_80AA6F:				; CODE XREF: sub_80AA4E+111785j
		mov	eax, [ebp-2Ch]
		retn
sub_80AA4E	endp


;  S U B	R O U T	I N E 


sub_80AA73	proc near		; DATA XREF: .text:006A564Co
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-38h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
sub_80AA73	endp ; sp =  4

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQueryKey	proc near		; CODE XREF: IopLoadDriver+80p
					; IopLoadDriver+DBp ...

var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= byte ptr -98h
var_97		= byte ptr -97h
var_96		= byte ptr -96h
var_95		= byte ptr -95h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0091C215 SIZE 0000009D BYTES
; FUNCTION CHUNK AT 0091C2D0 SIZE 00000042 BYTES
; FUNCTION CHUNK AT 0091C348 SIZE 00000021 BYTES
; FUNCTION CHUNK AT 0091C39A SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5660
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0FCh
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_20], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_D0], ebx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_A0], eax
		mov	edi, [ebp+arg_10]
		mov	[ebp+var_9C], edi
		mov	[ebp+var_E4], 0
		mov	[ebp+var_E0], 0
		mov	[ebp+var_108], 0
		mov	[ebp+var_BC], 0
		push	4Ch		; size_t
		push	0		; int
		lea	eax, [ebp+var_94]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_B8], eax
		cmp	ds:_CmpTraceRoutine, eax
		jnz	loc_91C215

loc_80AB5D:				; CODE XREF: NtQueryKey+111782j
		mov	[ebp+var_96], 0
		mov	[ebp+var_97], 0
		mov	[ebp+var_A8], 0
		xor	eax, eax
		mov	[ebp+var_104], eax
		mov	[ebp+var_100], eax
		mov	[ebp+var_FC], eax
		mov	[ebp+var_F8], eax
		mov	[ebp+var_F4], eax
		mov	[ebp+var_F0], eax
		mov	[ebp+var_EC], eax
		mov	[ebp+var_E8], eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_C0], eax
		mov	[ebp+var_C4], eax
		mov	[ebp+var_B4], 0
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_98], al
		mov	esi, [ebp+arg_4]
		test	al, al
		jz	loc_91C227
		test	esi, esi
		jz	short loc_80ABE6
		cmp	esi, 3
		jnz	loc_80AEB4

loc_80ABE6:				; CODE XREF: NtQueryKey+13Bj
					; NtQueryKey+417j ...
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_95], al
		mov	byte ptr [ebp+var_CC], al
		cmp	al, 1
		jnz	loc_80AF03
		mov	[ebp+var_4], 0
		push	4
		mov	ebx, [ebp+arg_C]
		push	ebx
		push	[ebp+var_A0]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_91C2AB

loc_80AC2D:				; CODE XREF: NtQueryKey+11180Dj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_80AC38:				; CODE XREF: NtQueryKey+466j
		cmp	esi, 3
		jnz	loc_80AE93

loc_80AC41:				; CODE XREF: NtQueryKey+3F6j
		xor	ecx, ecx

loc_80AC43:				; CODE XREF: NtQueryKey+401j
		mov	[ebp+var_AC], ecx
		mov	eax, ds:_CmKeyObjectType
		mov	[ebp+var_A4], 0
		lea	edx, [ebp+var_E4]
		push	edx
		lea	edx, [ebp+var_A4]
		push	edx
		push	[ebp+var_CC]
		push	eax
		push	ecx
		push	[ebp+var_D0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_A4]
		mov	[ebp+var_A8], eax
		test	edi, edi
		js	loc_80ADF6
		mov	edi, eax
		cmp	dword ptr [edi], 6B793032h
		jnz	loc_80AF41
		cmp	ds:_CmpTraceRoutine, 0
		jnz	loc_91C2D0

loc_80ACAA:				; CODE XREF: NtQueryKey+111839j
		cmp	esi, 3
		jnz	loc_80AEA6

loc_80ACB3:				; CODE XREF: NtQueryKey+40Fj
		cmp	[ebp+var_E0], 0
		jz	loc_91C2DE

loc_80ACC0:				; CODE XREF: NtQueryKey+409j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	[ebp+var_97], 1
		cmp	_CmpCallBackCount, 0
		jz	short loc_80AD42
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_80AD42
		mov	[ebp+var_104], edi
		mov	[ebp+var_100], esi
		mov	eax, [ebp+var_A0]
		mov	[ebp+var_FC], eax
		mov	[ebp+var_F8], ebx
		mov	eax, [ebp+var_9C]
		mov	[ebp+var_F4], eax
		lea	eax, [ebp+var_C4]
		push	eax
		push	edi
		push	16h
		push	1
		push	0
		lea	edx, [ebp+var_104]
		mov	ecx, 7
		call	CmpCallCallBacksEx
		mov	edi, eax
		test	edi, edi
		js	loc_91C2E8
		mov	[ebp+var_96], 1
		mov	edi, [ebp+var_A4]

loc_80AD42:				; CODE XREF: NtQueryKey+233j
					; NtQueryKey+241j
		cmp	esi, 7
		jz	loc_80AF0B
		lea	eax, [ebp+var_B4]
		push	eax
		push	[ebp+var_AC]
		mov	dl, [ebp+var_95]
		lea	ecx, [ebp+var_A8]
		call	_CmKeyBodyRemapToVirtualForEnum@16 ; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_80ADF6
		push	2		; char
		movsx	eax, [ebp+var_95]
		push	eax		; int
		push	ebx		; size_t
		mov	edx, [ebp+var_A0]
		lea	ecx, [ebp+var_94]
		call	CmpBounceContextStart
		mov	edi, eax
		test	edi, edi
		js	short loc_80ADF6
		lea	eax, [ebp+var_BC]
		push	eax
		push	ebx
		push	[ebp+var_90]
		push	esi
		mov	edx, [ebp+var_B4]
		mov	ecx, [ebp+var_A8]
		call	CmQueryKey
		mov	edi, eax
		test	edi, edi
		js	loc_80AEE6

loc_80ADBF:				; CODE XREF: NtQueryKey+44Cj
					; NtQueryKey+458j
		mov	[ebp+var_4], 3
		mov	eax, [ebp+var_BC]
		mov	ecx, [ebp+var_9C]
		mov	[ecx], eax
		cmp	edi, 0C0000023h
		jz	short loc_80ADEF
		cmp	ebx, eax
		jb	short loc_80ADE2
		mov	ebx, eax

loc_80ADE2:				; CODE XREF: NtQueryKey+33Ej
		mov	edx, ebx
		lea	ecx, [ebp+var_94]
		call	_CmpBounceContextCopyDataToCallerBuffer@8 ; CmpBounceContextCopyDataToCallerBuffer(x,x)

loc_80ADEF:				; CODE XREF: NtQueryKey+33Aj
		mov	[ebp+var_4], 0FFFFFFFEh

loc_80ADF6:				; CODE XREF: NtQueryKey+1E9j
					; NtQueryKey+2CDj ...
		mov	ecx, [ebp+var_B4]
		test	ecx, ecx
		jnz	loc_91C39A

loc_80AE04:				; CODE XREF: NtQueryKey+1118FFj
		cmp	[ebp+var_96], 0
		jz	short loc_80AE30
		lea	eax, [ebp+var_C4]
		push	eax
		push	0
		lea	eax, [ebp+var_104]
		push	eax
		push	edi
		mov	edx, [ebp+var_A8]
		mov	ecx, 16h
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		mov	edi, eax

loc_80AE30:				; CODE XREF: NtQueryKey+36Bj
		cmp	[ebp+var_97], 0
		jz	short loc_80AE3E
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_80AE3E:				; CODE XREF: NtQueryKey+397j
		mov	ecx, [ebp+var_A8]
		test	ecx, ecx
		jz	short loc_80AE4D
		call	ObfDereferenceObject

loc_80AE4D:				; CODE XREF: NtQueryKey+3A6j
		lea	ecx, [ebp+var_94]
		call	_CmpBounceContextCleanup@4 ; CmpBounceContextCleanup(x)
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jnz	loc_91C3A4

loc_80AE65:				; CODE XREF: NtQueryKey+111916j
		cmp	[ebp+var_98], 0
		jz	short loc_80AE73
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_80AE73:				; CODE XREF: NtQueryKey+3CCj
		mov	eax, edi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_20]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_80AE93:				; CODE XREF: NtQueryKey+19Bj
		cmp	esi, 7
		jz	loc_80AC41
		mov	ecx, 1
		jmp	loc_80AC43
; 

loc_80AEA6:				; CODE XREF: NtQueryKey+20Dj
		cmp	esi, 7
		jnz	loc_80ACC0
		jmp	loc_80ACB3
; 

loc_80AEB4:				; CODE XREF: NtQueryKey+140j
		cmp	esi, 4
		jz	loc_80ABE6
		cmp	esi, 7
		jz	loc_80ABE6
		cmp	esi, 2
		jz	loc_80ABE6
		cmp	esi, 8
		jz	loc_80ABE6
		cmp	esi, 5
		jz	loc_80ABE6
		jmp	loc_91C231
; 

loc_80AEE6:				; CODE XREF: NtQueryKey+319j
		cmp	edi, 80000005h
		jz	loc_80ADBF
		cmp	edi, 0C0000023h
		jz	loc_80ADBF
		jmp	loc_80ADF6
; 

loc_80AF03:				; CODE XREF: NtQueryKey+160j
		mov	ebx, [ebp+arg_C]
		jmp	loc_80AC38
; 

loc_80AF0B:				; CODE XREF: NtQueryKey+2A5j
		mov	[ebp+var_4], 2
		mov	eax, [ebp+var_9C]
		mov	dword ptr [eax], 4
		cmp	ebx, 4
		jb	loc_91C2FB
		movzx	eax, word ptr [edi+1Eh]
		mov	ecx, [ebp+var_A0]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	edi, edi
		jmp	loc_80ADF6
; 

loc_80AF41:				; CODE XREF: NtQueryKey+1F7j
		cmp	esi, 4
		jnz	loc_91C348
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_9C]
		mov	dword ptr [eax], 28h
		cmp	ebx, 28h
		jb	loc_91C352
		mov	ecx, 0Ah
		xor	eax, eax
		mov	edx, [ebp+var_A0]
		mov	edi, edx
		rep stosd
		mov	eax, [ebp+var_A4]
		mov	eax, [eax+8]
		mov	eax, [eax+30h]
		mov	[edx+14h], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	edi, edi
		jmp	loc_80ADF6
NtQueryKey	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmQueryKey	proc near		; CODE XREF: NtQueryKey+310p

var_E8		= dword	ptr -0E8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0091C3BB SIZE 000000E1 BYTES
; FUNCTION CHUNK AT 0091C4D8 SIZE 0000003F BYTES
; FUNCTION CHUNK AT 0091C52A SIZE 000000DB BYTES
; FUNCTION CHUNK AT 0091C634 SIZE 0000011A BYTES
; FUNCTION CHUNK AT 0091C76C SIZE 0000000C BYTES
; FUNCTION CHUNK AT 0091C796 SIZE 000000A5 BYTES
; FUNCTION CHUNK AT 0091C859 SIZE 0000002D BYTES
; FUNCTION CHUNK AT 0091C8A4 SIZE 00000095 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A56A0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0D8h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, edx
		mov	[ebp+var_98], esi
		mov	ebx, ecx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_84], esi
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_70], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_78], eax
		mov	[ebp+var_6C], 0C0000001h
		mov	[ebp+var_8C], 0
		mov	[ebp+var_7C], 0
		mov	[ebp+var_A8], 0
		mov	[ebp+var_A4], 0
		xor	eax, eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_A0], eax
		mov	[ebp+var_9C], eax
		lea	ecx, [ebp+var_A0]
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		lea	ecx, [ebp+var_34]
		call	CmpAttachToRegistryProcess
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edi, [ebx+8]
		mov	[ebp+var_74], edi
		mov	[ebp+var_94], edi
		cmp	word ptr [edi+22h], 0
		jnz	loc_80B27F
		cmp	dword ptr [ebx+20h], 0
		jnz	loc_91C3BB
		cmp	dword ptr [ebx+24h], 0
		jnz	loc_91C3BB

loc_80B089:				; CODE XREF: CmQueryKey+111478j
		test	esi, esi
		jnz	loc_91C432

loc_80B091:				; CODE XREF: CmQueryKey+11149Ej
		mov	ecx, [ebx+8]
		test	esi, esi
		jnz	loc_91C443
		call	_CmpLockKcbShared@4 ; CmpLockKcbShared(x)

loc_80B0A1:				; CODE XREF: CmQueryKey+1114ADj
		mov	[ebp+var_4], 0
		mov	edi, [ebp+arg_0]
		cmp	edi, 3
		jnz	loc_80B1DA
		mov	eax, [ebx+8]
		mov	[ebp+var_88], eax
		mov	edx, [ebp+var_7C]
		mov	ecx, ebx
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_91C452
		xor	edi, edi

loc_80B0D1:				; CODE XREF: CmQueryKey+1114CAj
		mov	[ebp+var_6C], edi
		mov	eax, [ebp+var_88]
		cmp	dword ptr [eax+28h], 0
		jz	loc_91C48F
		cmp	_CmpVEEnabled, 0
		jz	short loc_80B0FA
		test	dword ptr [eax+68h], 1000000h
		jnz	loc_91C46F

loc_80B0FA:				; CODE XREF: CmQueryKey+14Bj
		mov	[ebp+var_90], 0
		mov	[ebp+var_90], 0
		lea	edx, [ebp+var_90]
		mov	ecx, eax
		call	CmpConstructNameWithStatus
		mov	eax, [ebp+var_90]

loc_80B121:				; CODE XREF: CmQueryKey+1114EAj
		mov	[ebp+var_8C], eax

loc_80B127:				; CODE XREF: CmQueryKey+1114DEj
		cmp	[ebp+var_8C], 0
		jz	loc_91C48F
		mov	eax, [ebp+var_8C]
		movzx	eax, word ptr [eax]
		lea	ecx, [eax+4]
		mov	[ebp+var_4], 1
		mov	edx, [ebp+var_78]
		mov	[edx], ecx
		mov	ecx, [ebp+arg_8]
		cmp	ecx, 4
		jb	loc_80B23B
		mov	edx, [ebp+var_70]
		mov	[edx], eax
		add	ecx, 0FFFFFFFCh
		cmp	ecx, eax
		jb	loc_80B22C

loc_80B168:				; CODE XREF: CmQueryKey+296j
		push	eax		; size_t
		mov	eax, [ebp+var_8C]
		mov	eax, [eax+4]
		push	eax		; void *
		lea	eax, [edx+4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_80B17F:				; CODE XREF: CmQueryKey+2A3j
		mov	[ebp+var_4], 0

loc_80B186:				; CODE XREF: CmQueryKey+287j
					; sub_91C4AF+24j ...
		mov	edx, [ebp+var_70]

loc_80B189:				; CODE XREF: CmQueryKey+379j
		test	edi, edi
		js	short loc_80B1AE

loc_80B18D:				; CODE XREF: CmQueryKey+2DAj
		test	esi, esi
		jnz	loc_91C65A
		cmp	_CmpVEEnabled, 0
		jz	short loc_80B1AE
		mov	ecx, [ebx+8]
		test	dword ptr [ecx+68h], 1000000h
		jnz	loc_91C8A4

loc_80B1AE:				; CODE XREF: CmQueryKey+1EBj
					; CmQueryKey+1FCj ...
		mov	[ebp+var_4], 0FFFFFFFEh
		call	sub_80B31E

loc_80B1BA:				; CODE XREF: CmQueryKey+11148Dj
		mov	eax, edi

loc_80B1BC:				; CODE XREF: CmQueryKey+306j
					; CmQueryKey+11145Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_80B1DA:				; CODE XREF: CmQueryKey+10Ej
		test	esi, esi
		jnz	loc_91C4D8

loc_80B1E2:				; CODE XREF: CmQueryKey+111544j
		mov	edx, [ebp+var_7C]
		mov	ecx, ebx
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_91C4EA
		cmp	edi, 5
		jz	loc_80B2AB
		cmp	edi, 6
		jz	loc_91C52A
		mov	edx, [ebp+var_78]
		cmp	edi, 8
		jz	short loc_80B248
		push	[ebp+var_7C]
		push	edx
		push	[ebp+arg_8]
		push	[ebp+var_70]
		mov	edx, edi
		mov	ecx, [ebp+var_74]
		call	_CmpQueryKeyData@24 ; CmpQueryKeyData(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_6C], edi
		jmp	loc_80B186
; 

loc_80B22C:				; CODE XREF: CmQueryKey+1C2j
		mov	eax, ecx
		mov	edi, 80000005h
		mov	[ebp+var_6C], edi
		jmp	loc_80B168
; 

loc_80B23B:				; CODE XREF: CmQueryKey+1B2j
		mov	edi, 0C0000023h
		mov	[ebp+var_6C], edi
		jmp	loc_80B17F
; 

loc_80B248:				; CODE XREF: CmQueryKey+26Cj
		mov	dword ptr [edx], 4
		cmp	[ebp+arg_8], 4
		jb	loc_91C645
		mov	ecx, [ebp+var_74]
		mov	eax, [ecx+10h]
		mov	edx, [ebp+var_70]
		mov	ecx, [edx]
		test	byte ptr [eax+980h], 1
		jnz	loc_91C652
		or	ecx, 1

loc_80B273:				; CODE XREF: CmQueryKey+1116B5j
		mov	[edx], ecx
		xor	edi, edi
		mov	[ebp+var_6C], edi
		jmp	loc_80B18D
; 

loc_80B27F:				; CODE XREF: CmQueryKey+CFj
		mov	edx, [ebp+var_78]
		push	edx
		push	[ebp+arg_8]
		push	[ebp+var_70]
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	CmQueryLayeredKey
		mov	esi, eax
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, esi
		jmp	loc_80B1BC
; 

loc_80B2AB:				; CODE XREF: CmQueryKey+257j
		mov	[ebp+var_4], 2
		mov	eax, [ebp+var_78]
		mov	dword ptr [eax], 0Ch
		cmp	[ebp+arg_8], 0Ch
		jb	loc_91C50A
		mov	edx, [ebp+var_7C]
		mov	edi, [ebp+var_74]
		mov	ecx, edi
		call	CmGetKeyFlags
		mov	edx, [ebp+var_70]
		mov	[edx], eax
		mov	dword ptr [edx+4], 0
		xor	ecx, ecx
		cmp	[edi+14h], ecx
		jge	short loc_80B2F1
		mov	dword ptr [edx+4], 1
		mov	ecx, 1

loc_80B2F1:				; CODE XREF: CmQueryKey+343j
		mov	eax, [edi+68h]
		test	eax, 100000h
		jz	short loc_80B304
		or	ecx, 2
		mov	[edx+4], ecx
		mov	eax, [edi+68h]

loc_80B304:				; CODE XREF: CmQueryKey+359j
		shr	eax, 4
		and	eax, 0Fh
		mov	[edx+8], eax
		xor	edi, edi

loc_80B30F:				; CODE XREF: CmQueryKey+111572j
		mov	[ebp+var_6C], edi
		mov	[ebp+var_4], 0
		jmp	loc_80B189
CmQueryKey	endp


;  S U B	R O U T	I N E 


sub_80B31E	proc near		; CODE XREF: CmQueryKey+215p
					; PAGE:0091C979j

; FUNCTION CHUNK AT 0091C97E SIZE 00000021 BYTES

		test	esi, esi
		jnz	loc_91C97E
		mov	ecx, [ebx+8]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)

loc_80B32E:				; CODE XREF: sub_80B31E+11166Bj
		xor	dl, dl
		lea	ecx, [ebp-0A0h]
		call	CmpDrainDelayDerefContext
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		lea	ecx, [ebp-34h]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		cmp	dword ptr [ebp-0A4h], 0
		jnz	loc_91C98E
		mov	ecx, [ebp-8Ch]
		test	ecx, ecx
		jz	short locret_80B36B
		mov	edx, 624E4D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

locret_80B36B:				; CODE XREF: sub_80B31E+41j
					; sub_80B31E+11167Cj
		retn
sub_80B31E	endp


;  S U B	R O U T	I N E 


; __stdcall CmpDetachFromRegistryProcess(x)
_CmpDetachFromRegistryProcess@4	proc near
					; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+19Ap
					; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+227p	...
		xor	edx, edx
		jmp	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
_CmpDetachFromRegistryProcess@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


CmpAttachToRegistryProcess proc	near	; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+18Bp
					; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+218p	...

; FUNCTION CHUNK AT 0091C99F SIZE 00000012 BYTES

		mov	eax, ecx
		xor	edx, edx
		mov	ecx, dword_6CDE84
		push	eax
		test	ecx, ecx
		jz	loc_91C99F

loc_80B393:				; CODE XREF: CmpAttachToRegistryProcess+11162Cj
		call	KiStackAttachProcess
		retn
CmpAttachToRegistryProcess endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpIsKeyDeletedForKeyBody proc near	; CODE XREF: CmQueryLayeredKey+B6p
					; CmQueryLayeredKey+128p ...

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0091C9B1 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	byte ptr [ecx+1Ch], 9
		mov	eax, [ecx+8]
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_4], 0
		jnz	short loc_80B40D
		test	esi, esi
		jnz	short loc_80B3C6

loc_80B3BE:				; CODE XREF: CmpIsKeyDeletedForKeyBody+37j
					; CmpIsKeyDeletedForKeyBody+111623j
		xor	al, al

loc_80B3C0:				; CODE XREF: CmpIsKeyDeletedForKeyBody+6Fj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_80B3C6:				; CODE XREF: CmpIsKeyDeletedForKeyBody+1Cj
		lea	edi, [eax+70h]
		push	10h
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jz	short loc_80B3BE
		lea	esp, [esp+0]

loc_80B3E0:				; CODE XREF: CmpIsKeyDeletedForKeyBody+63j
		mov	ecx, [eax+24h]
		cmp	ecx, 2
		jz	loc_91C9B1
		cmp	ecx, 0Bh
		jz	loc_91C9B1
		push	10h
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jnz	short loc_80B3E0
		pop	edi
		xor	al, al
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_80B40D:				; CODE XREF: CmpIsKeyDeletedForKeyBody+18j
					; CmpIsKeyDeletedForKeyBody+11161Dj
		mov	al, 1
		jmp	short loc_80B3C0
CmpIsKeyDeletedForKeyBody endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpBounceContextCopyDataToCallerBuffer(x, x)
_CmpBounceContextCopyDataToCallerBuffer@8 proc near ; CODE XREF: PAGE:007C76D7p
					; NtEnumerateKey+2C5p ...
		mov	eax, [ecx+4]
		push	esi
		mov	esi, [ecx]
		cmp	esi, eax
		jz	short loc_80B435
		push	edx		; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_80B435:				; CODE XREF: CmpBounceContextCopyDataToCallerBuffer(x,x)+8j
		pop	esi
		retn
_CmpBounceContextCopyDataToCallerBuffer@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpConstructName(x)
_CmpConstructName@4 proc near		; CODE XREF: CmpDoQueryKeyName+124p
					; PAGE:0074BA9Fp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		lea	edx, [ebp+var_4]
		mov	[ebp+var_4], 0
		call	CmpConstructNameWithStatus
		mov	eax, [ebp+var_4]
		mov	esp, ebp
		pop	ebp
		retn
_CmpConstructName@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvIsCellAllocated(x, x, x)
_HvIsCellAllocated@12 proc near		; CODE XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+43p
					; CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+EFp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], 0
		xor	eax, eax
		mov	[ebp+var_8], 0
		mov	ebx, edx
		mov	[ebp+var_C], 0FFFFFFFFh
		mov	word ptr [ebp+var_8], ax
		test	byte ptr [edi+50h], 1
		jnz	loc_80B59A
		push	esi
		mov	esi, ebx
		mov	eax, ebx
		shr	esi, 1Fh
		and	eax, 7FFFFFFFh
		imul	ecx, esi, 19Ch
		cmp	eax, [ecx+edi+0C8h]
		jnb	loc_80B5A6
		test	bl, 7
		jnz	loc_80B5A6
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_80B4F4
		test	esi, esi
		jnz	short loc_80B4F4
		mov	eax, [eax+4]
		mov	ecx, ebx
		shr	ecx, 3
		mov	edx, ecx
		mov	[ebp+var_4], ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jz	loc_80B5A6
		push	1
		push	[ebp+var_4]
		push	[ebp+arg_0]
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)

loc_80B4F4:				; CODE XREF: HvIsCellAllocated(x,x,x)+61j
					; HvIsCellAllocated(x,x,x)+65j
		imul	eax, esi, 19Ch
		shl	esi, 1Fh
		add	esi, ebx
		cmp	esi, [eax+edi+0C8h]
		jnb	loc_80B5A6
		mov	edx, [eax+edi+0CCh]
		mov	esi, ebx
		mov	eax, ebx
		shr	esi, 15h
		shr	eax, 0Ch
		and	esi, 3FFh
		and	eax, 1FFh
		lea	ecx, [eax+eax*2]
		mov	eax, [edx+esi*4]
		lea	esi, [eax+ecx*4]
		test	esi, esi
		jz	short loc_80B5A6
		test	byte ptr [esi+4], 2
		jnz	short loc_80B5A6
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, [edi+4]
		push	ebx
		push	edi
		call	eax
		test	eax, eax
		jz	short loc_80B5A2
		add	eax, 0FFFFFFFCh
		jz	short loc_80B5A2
		mov	esi, [esi+4]
		mov	edx, eax
		mov	eax, [eax]
		and	esi, 0FFFFFFF0h
		mov	ecx, eax
		sub	edx, esi
		neg	ecx
		test	eax, eax
		jns	short loc_80B59E
		lea	eax, [ecx-8]
		cmp	eax, 0FFFF8h
		ja	short loc_80B59E
		mov	esi, [esi+8]
		lea	eax, [esi-20h]
		cmp	ecx, eax
		ja	short loc_80B59E
		lea	eax, [ecx+edx]
		cmp	eax, esi
		ja	short loc_80B59E
		cmp	edx, 20h
		jb	short loc_80B59E
		mov	bl, 1

loc_80B585:				; CODE XREF: HvIsCellAllocated(x,x,x)+140j
		mov	ecx, [edi+8]
		lea	eax, [ebp+var_C]
		push	eax
		push	edi
		call	ecx
		mov	al, bl

loc_80B591:				; CODE XREF: HvIsCellAllocated(x,x,x)+144j
					; HvIsCellAllocated(x,x,x)+148j
		pop	esi

loc_80B592:				; CODE XREF: HvIsCellAllocated(x,x,x)+13Cj
		pop	edi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_80B59A:				; CODE XREF: HvIsCellAllocated(x,x,x)+2Dj
		mov	al, 1
		jmp	short loc_80B592
; 

loc_80B59E:				; CODE XREF: HvIsCellAllocated(x,x,x)+101j
					; HvIsCellAllocated(x,x,x)+10Bj ...
		xor	bl, bl
		jmp	short loc_80B585
; 

loc_80B5A2:				; CODE XREF: HvIsCellAllocated(x,x,x)+E8j
					; HvIsCellAllocated(x,x,x)+EDj
		mov	al, 1
		jmp	short loc_80B591
; 

loc_80B5A6:				; CODE XREF: HvIsCellAllocated(x,x,x)+4Dj
					; HvIsCellAllocated(x,x,x)+56j	...
		xor	al, al
		jmp	short loc_80B591
_HvIsCellAllocated@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCheckValueList(x, x, x, x, x, x,	x, x, x, x)
_CmpCheckValueList@40 proc near		; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+CECp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		xor	eax, eax
		mov	[ebp+var_1], dl
		push	ebx
		push	esi
		mov	esi, [ebp+arg_14]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], eax
		xor	cl, cl
		mov	[ebp+var_28], 0FFFFFFFFh
		mov	[ebp+var_24], eax
		mov	[ebp+var_30], 0FFFFFFFFh
		mov	[ebp+var_2C], eax
		mov	[ebp+var_50], 0FFFFFFFFh
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], 0FFFFFFFFh
		mov	[ebp+var_44], eax
		mov	[ebp+var_38], 0FFFFFFFFh
		mov	[ebp+var_34], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	byte ptr [ebp+arg_14+3], cl
		test	esi, esi
		jz	short loc_80B628
		mov	ecx, [ebp+arg_0]
		mov	[esi+0E8h], ecx
		mov	dword ptr [esi+0ECh], 0FFFFFFFFh
		mov	[esi+0F0h], eax
		mov	[esi+0F4h], eax

loc_80B628:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+57j
		mov	ecx, [ebp+arg_18]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_1C]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_80C0DA
		lea	ecx, [ecx+0]

loc_80B640:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+86Fj
		mov	ebx, [ebp+arg_0]
		lea	eax, [ebx+eax*4]
		mov	ebx, [eax]
		mov	[ebp+var_20], eax
		mov	[ebp+var_C], ebx
		test	dl, dl
		jz	short loc_80B65B
		cmp	ecx, 1
		jnz	loc_80BE24

loc_80B65B:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+A0j
		cmp	ebx, 0FFFFFFFFh
		jz	loc_80BD2C
		push	[ebp+arg_10]
		mov	edx, ebx
		mov	ecx, edi
		call	_HvIsCellAllocated@12 ;	HvIsCellAllocated(x,x,x)
		test	al, al
		jz	loc_80BD0B
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [edi+4]
		push	ebx
		push	edi
		call	eax
		mov	ebx, eax
		mov	[ebp+var_10], ebx
		test	ebx, ebx
		jz	loc_80C006
		mov	eax, 0FFFFFFFCh
		sub	eax, [ebx-4]
		cmp	eax, 14h
		jb	loc_80BCCB
		mov	ecx, 6B76h
		cmp	[ebx], cx
		jnz	loc_80BCC4
		movzx	edx, word ptr [ebx+2]
		lea	ecx, [edx+14h]
		cmp	ecx, 14h
		jb	loc_80BCBD
		cmp	ecx, eax
		ja	loc_80BCBD
		movzx	ecx, word ptr [ebx+10h]
		test	cl, 1
		jz	short loc_80B6E4
		mov	eax, 3FFFh
		cmp	dx, ax
		jbe	short loc_80B6FB
		push	92h
		jmp	loc_80BCD0
; 

loc_80B6E4:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+11Ej
		test	dl, 1
		jnz	loc_80BCB6
		mov	eax, 7FFFh
		cmp	dx, ax
		ja	loc_80BCAF

loc_80B6FB:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+128j
		mov	eax, [edi+20h]
		test	byte ptr [eax+90h], 2
		jnz	loc_80B798
		test	cl, 2
		jz	loc_80B798
		mov	byte ptr [ebp+arg_14+3], 1
		test	esi, esi
		jz	short loc_80B734
		mov	eax, [ebp+var_8]
		mov	[esi+0ECh], eax
		mov	eax, [ebp+var_C]
		mov	[esi+0F0h], eax
		mov	[esi+0F4h], ebx

loc_80B734:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+16Aj
		test	[ebp+arg_C], 20000h
		jnz	loc_80BE8A
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80B757
		test	byte ptr _CmpBootType, 6
		jz	loc_80BE8A

loc_80B757:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+198j
		push	98h
		push	0C000014Ch
		push	0Fh
		mov	edx, 1
		mov	ecx, esi
		call	SetFailureLocation
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		push	0
		push	0
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_80BE5C
		mov	eax, 0FFFDh
		and	[ebx+10h], ax
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4

loc_80B798:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+155j
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+15Ej
		cmp	[ebp+var_1], 0
		jz	short loc_80B7F2
		movzx	edx, word ptr [ebx+10h]
		lea	ecx, [ebx+14h]
		movzx	eax, word ptr [ebx+2]
		mov	[ebp+var_18], edx
		push	0
		test	dl, 1
		jz	short loc_80B7C2
		mov	edx, ecx
		mov	ecx, offset _CmSymbolicLinkValueName
		push	eax
		call	_CmpCompareCompressedName@16 ; CmpCompareCompressedName(x,x,x,x)
		jmp	short loc_80B7DA
; 

loc_80B7C2:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+201j
		mov	[ebp+var_3C], ecx
		lea	edx, [ebp+var_40]
		mov	ecx, offset _CmSymbolicLinkValueName
		mov	word ptr [ebp+var_40], ax
		mov	word ptr [ebp+var_40+2], ax
		call	CmpCompareUnicodeString

loc_80B7DA:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+210j
		test	eax, eax
		jnz	loc_80BEC0
		cmp	dword ptr [ebx+0Ch], 6
		jz	short loc_80B7F2
		test	byte ptr [ebp+var_18], 2
		jz	loc_80BEB9

loc_80B7F2:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+1ECj
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+236j
		movzx	eax, word ptr [ebx+10h]
		movzx	edx, word ptr [ebx+2]
		mov	[ebp+var_1C], eax
		and	eax, 1
		mov	[ebp+var_18], eax
		lea	eax, [edx+edx]
		movzx	eax, ax
		mov	ecx, eax
		jnz	short loc_80B80F
		mov	ecx, edx

loc_80B80F:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+25Bj
		movzx	eax, ax
		mov	[ebp+var_14], eax
		movzx	eax, cx
		mov	ecx, [ebp+arg_18]
		cmp	[ecx], eax
		jnb	short loc_80B835
		cmp	word ptr [ebp+var_18], 0
		jz	short loc_80B82E
		mov	eax, [ebp+var_14]
		movzx	eax, ax
		jmp	short loc_80B830
; 

loc_80B82E:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+274j
		mov	eax, edx

loc_80B830:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+27Cj
		movzx	eax, ax
		mov	[ecx], eax

loc_80B835:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+26Dj
		cmp	[ebp+var_1], 0
		mov	ebx, [ebx+4]
		jz	short loc_80B853
		test	bl, 1
		jnz	loc_80BF12
		cmp	ebx, 0FFFFh
		ja	loc_80BF0B

loc_80B853:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+28Cj
		test	byte ptr [ebp+var_1C], 2
		jz	short loc_80B8AF
		test	ebx, ebx
		jnz	short loc_80B865
		mov	eax, [ebp+var_10]
		cmp	[eax+0Ch], ebx
		jz	short loc_80B8BE

loc_80B865:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+2ABj
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+324j
		push	0E0h

loc_80B86A:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+4EFj
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+6FAj
		push	0C000014Ch
		push	0Fh
		mov	edx, 1
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	loc_80BCFF
		mov	eax, [ebp+var_8]
		mov	[esi+0ECh], eax
		mov	eax, [ebp+var_C]
		mov	[esi+0F0h], eax
		mov	eax, [ebp+var_10]
		mov	[esi+0F4h], eax
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	loc_80BD58
; 

loc_80B8AF:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+2A7j
		cmp	ebx, 80000000h
		jnb	loc_80BC6A
		mov	eax, [ebp+var_10]

loc_80B8BE:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+2B3j
		mov	eax, [eax+8]
		xor	ecx, ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_18], eax
		test	ebx, ebx
		jnz	loc_80BA26
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_80B865

loc_80B8D6:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+49Aj
		cmp	dword ptr [edi+9Ch], 4
		jb	loc_80BC12
		cmp	ebx, 3FD8h
		jbe	loc_80BC12
		mov	eax, 0FFFFFFFCh
		sub	eax, [ecx-4]
		cmp	eax, 8
		jb	loc_80BBCB
		mov	eax, 6264h
		cmp	[ecx], ax
		jnz	loc_80BBCB
		cmp	word ptr [ecx+2], 0
		jz	loc_80BBCB
		mov	edx, [ecx+4]
		cmp	edx, 0FFFFFFFFh
		jz	loc_80BBCB
		push	[ebp+arg_10]
		mov	ecx, edi
		call	_HvIsCellAllocated@12 ;	HvIsCellAllocated(x,x,x)
		test	al, al
		jz	loc_80BB7B
		mov	eax, [ebp+var_14]
		lea	ecx, [ebp+var_38]
		push	ecx
		mov	eax, [eax+4]
		push	eax
		mov	eax, [edi+4]
		push	edi
		call	eax
		mov	ecx, eax
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jz	loc_80BFAF
		mov	eax, [ebp+var_14]
		movzx	eax, word ptr [eax+2]
		mov	[ebp+var_1C], eax
		lea	edx, ds:0[eax*4]
		cmp	edx, 4
		jb	loc_80BB21
		mov	eax, 0FFFFFFFCh
		sub	eax, [ecx-4]
		cmp	edx, eax
		ja	loc_80BB21
		lea	ecx, [ebx+3FD7h]
		mov	eax, (offset loc_A0643E+1)
		mul	ecx
		mov	eax, [ebp+var_1C]
		sub	ecx, edx
		shr	ecx, 1
		add	ecx, edx
		shr	ecx, 0Dh
		cmp	eax, ecx
		jnz	loc_80BB1A
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_80BA01

loc_80B9A6:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+44Fj
		mov	edx, [ebp+var_18]
		mov	ecx, edi
		push	[ebp+arg_10]
		mov	edx, [edx+ebx*4]
		call	_HvIsCellAllocated@12 ;	HvIsCellAllocated(x,x,x)
		test	al, al
		jz	loc_80BAE7
		mov	eax, [ebp+var_18]
		lea	ecx, [ebp+var_48]
		push	ecx
		mov	eax, [eax+ebx*4]
		push	eax
		mov	eax, [edi+4]
		push	edi
		call	eax
		test	eax, eax
		jz	loc_80BF48
		mov	ecx, 0FFFFFFFCh
		sub	ecx, [eax-4]
		cmp	ecx, 3FD8h
		jb	loc_80BAA4
		lea	eax, [ebp+var_48]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, [ebp+var_14]
		inc	ebx
		movzx	eax, word ptr [eax+2]
		cmp	ebx, eax
		jb	short loc_80B9A6

loc_80BA01:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+3F4j
		lea	eax, [ebp+var_38]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax

loc_80BA0B:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+664j
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+674j
		cmp	[ebp+var_14], 0
		jz	short loc_80BA1B
		lea	eax, [ebp+var_30]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax

loc_80BA1B:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+45Fj
		mov	eax, [ebp+var_10]
		mov	ebx, [eax+4]
		jmp	loc_80BC75
; 

loc_80BA26:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+31Bj
		push	[ebp+arg_10]
		mov	edx, eax
		mov	ecx, edi
		call	_HvIsCellAllocated@12 ;	HvIsCellAllocated(x,x,x)
		test	al, al
		jz	short loc_80BA9A
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_18]
		mov	eax, [edi+4]
		push	edi
		call	eax
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jnz	loc_80B8D6
		push	100h
		push	0C000009Ah
		push	0Fh
		xor	edx, edx
		mov	[ebp+arg_4], 0C000009Ah
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	short loc_80BA82
		mov	eax, [ebp+var_8]
		mov	[esi+0ECh], eax
		mov	eax, [ebp+var_18]
		mov	[esi+0F0h], eax

loc_80BA82:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+4BEj
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	ebx, [ebp+arg_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_80BA9A:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+484j
		push	0F0h
		jmp	loc_80B86A
; 

loc_80BAA4:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+435j
		push	180h
		push	0C000014Ch
		push	0Fh
		mov	edx, 1
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	short loc_80BADB
		mov	eax, [ebp+var_18]
		mov	[esi+0ECh], ebx
		mov	eax, [eax+ebx*4]
		mov	[esi+0F0h], eax
		mov	eax, [ebp+var_14]
		mov	[esi+0F4h], eax

loc_80BADB:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+50Ej
		lea	eax, [ebp+var_48]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	short loc_80BB58
; 

loc_80BAE7:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+408j
		push	160h
		push	0C000014Ch
		push	0Fh
		mov	edx, 1
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	short loc_80BB58
		mov	eax, [ebp+var_18]
		mov	[esi+0ECh], ebx
		mov	eax, [eax+ebx*4]
		mov	[esi+0F0h], eax
		mov	eax, [ebp+var_14]
		jmp	short loc_80BB52
; 

loc_80BB1A:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+3EAj
		push	150h
		jmp	short loc_80BB26
; 

loc_80BB21:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+3B9j
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+3C9j
		push	140h

loc_80BB26:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+56Fj
		push	0C000014Ch
		push	0Fh
		mov	edx, 1
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	short loc_80BB58
		mov	eax, [ebp+var_8]
		mov	[esi+0ECh], eax
		mov	eax, [ebp+var_C]
		mov	[esi+0F0h], eax
		mov	eax, [ebp+var_10]

loc_80BB52:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+568j
		mov	[esi+0F4h], eax

loc_80BB58:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+535j
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+551j ...
		lea	eax, [ebp+var_38]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax

loc_80BB62:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+694j
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+6B5j
		lea	eax, [ebp+var_30]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	loc_80BD58
; 

loc_80BB7B:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+381j
		push	120h
		push	0C000014Ch
		push	0Fh
		mov	edx, 1
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	short loc_80BBB2
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_8]
		mov	[esi+0ECh], eax
		mov	eax, [ecx+4]
		mov	[esi+0F0h], eax
		mov	[esi+0F4h], ecx

loc_80BBB2:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+5E5j
		lea	eax, [ebp+var_30]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	loc_80BD58
; 

loc_80BBCB:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+34Aj
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+358j ...
		push	110h
		push	0C000014Ch
		push	0Fh
		mov	edx, 1
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	short loc_80BBF9
		mov	eax, [ebp+var_8]
		mov	[esi+0ECh], eax
		mov	eax, [ebp+var_18]
		mov	[esi+0F0h], eax

loc_80BBF9:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+635j
		lea	eax, [ebp+var_30]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	loc_80BD58
; 

loc_80BC12:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+32Dj
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+339j
		test	ebx, ebx
		jz	loc_80BA0B
		mov	eax, 0FFFFFFFCh
		sub	eax, [ecx-4]
		cmp	ebx, eax
		jbe	loc_80BA0B
		push	190h
		push	0C000014Ch
		push	0Fh
		mov	edx, 1
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	loc_80BB62
		mov	eax, [ebp+var_8]
		mov	[esi+0ECh], eax
		mov	eax, [ebp+var_C]
		mov	[esi+0F0h], eax
		mov	eax, [ebp+var_10]
		mov	[esi+0F4h], eax
		jmp	loc_80BB62
; 

loc_80BC6A:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+305j
		lea	eax, [ebx-80000000h]
		cmp	eax, 4
		ja	short loc_80BCA5

loc_80BC75:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+471j
		cmp	ebx, 80000000h
		jb	short loc_80BC83
		add	ebx, 80000000h

loc_80BC83:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+6CBj
		mov	eax, [ebp+arg_1C]
		cmp	[eax], ebx
		jnb	short loc_80BC8C
		mov	[eax], ebx

loc_80BC8C:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+6D8j
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, [ebp+var_8]
		mov	cl, byte ptr [ebp+arg_14+3]
		inc	eax
		mov	[ebp+var_8], eax
		jmp	loc_80BE10
; 

loc_80BCA5:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+6C3j
		push	1A0h
		jmp	loc_80B86A
; 

loc_80BCAF:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+145j
		push	96h
		jmp	short loc_80BCD0
; 

loc_80BCB6:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+137j
		push	94h
		jmp	short loc_80BCD0
; 

loc_80BCBD:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+109j
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+111j
		push	90h
		jmp	short loc_80BCD0
; 

loc_80BCC4:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+F9j
		push	88h
		jmp	short loc_80BCD0
; 

loc_80BCCB:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+EBj
		push	80h

loc_80BCD0:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+12Fj
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+704j ...
		push	0C000014Ch
		push	0Fh
		mov	edx, 1
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	short loc_80BCFF
		mov	eax, [ebp+var_8]
		mov	[esi+0ECh], eax
		mov	eax, [ebp+var_C]
		mov	[esi+0F0h], eax
		mov	[esi+0F4h], ebx

loc_80BCFF:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+2CFj
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+735j
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	short loc_80BD58
; 

loc_80BD0B:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+C2j
		push	60h
		push	0C000014Ch
		push	0Fh
		mov	edx, 1
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	short loc_80BD58
		mov	[esi+0F0h], ebx
		jmp	short loc_80BD4F
; 

loc_80BD2C:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+AEj
		push	50h
		push	0C000014Ch
		push	0Fh
		mov	edx, 1
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	short loc_80BD58
		mov	dword ptr [esi+0F0h], 0FFFFFFFFh

loc_80BD4F:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+77Aj
		mov	eax, [ebp+var_8]
		mov	[esi+0ECh], eax

loc_80BD58:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+2FAj
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+5C6j ...
		test	[ebp+arg_C], 20000h
		jnz	loc_80C0B8
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80BD7B
		test	byte ptr _CmpBootType, 6
		jz	loc_80C0B8

loc_80BD7B:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+7BCj
		push	0
		push	0C000014Ch
		push	0Fh
		mov	edx, 1
		mov	ecx, esi
		call	SetFailureLocation
		lea	eax, [ebp+var_50]
		push	eax
		push	[ebp+arg_8]
		mov	eax, [edi+4]
		push	edi
		call	eax
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_80C096
		mov	edx, [ebp+arg_8]
		mov	ecx, edi
		push	0
		push	0
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_80C066
		mov	edx, [ebx+28h]
		mov	ecx, edi
		push	0
		push	0
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_80C05F
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_20]
		dec	eax
		dec	dword ptr [ebx+24h]
		mov	[ebp+arg_4], eax
		sub	eax, [ebp+var_8]
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [ecx+4]
		push	eax		; void *
		push	ecx		; void *
		call	_memmove
		mov	eax, [edi+20h]
		add	esp, 0Ch
		or	dword ptr [eax+0FF8h], 4
		lea	eax, [ebp+var_50]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, [ebp+var_8]
		mov	cl, 1
		mov	byte ptr [ebp+arg_14+3], cl

loc_80BE10:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+6F0j
		cmp	eax, [ebp+arg_4]
		jnb	loc_80C047
		mov	ecx, [ebp+arg_4]
		mov	dl, [ebp+var_1]
		jmp	loc_80B640
; 

loc_80BE24:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+A5j
		push	40h
		mov	ebx, 0C000014Ch
		xor	edx, edx
		push	ebx
		push	0Fh
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	loc_80C0AD
		mov	eax, [ebp+var_8]
		mov	[esi+0ECh], eax
		mov	eax, [ebp+var_C]
		mov	[esi+0F0h], eax
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_80BE5C:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+1CFj
		push	9Ah
		mov	ebx, 0C000017Dh
		mov	edx, 1
		push	ebx
		push	0Fh
		mov	ecx, esi
		call	SetFailureLocation
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_80BE8A:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+18Bj
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+1A1j
		push	9Ch
		push	0C000014Ch
		push	0Fh
		xor	edx, edx
		mov	ecx, esi
		call	SetFailureLocation
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	ebx, 0C000014Ch
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_80BEB9:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+23Cj
		push	0B0h
		jmp	short loc_80BEC5
; 

loc_80BEC0:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+22Cj
		push	0A0h

loc_80BEC5:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+90Ej
		push	0C000014Ch
		push	0Fh
		xor	edx, edx
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	short loc_80BEF1
		mov	eax, [ebp+var_8]
		mov	[esi+0ECh], eax
		mov	eax, [ebp+var_C]
		mov	[esi+0F0h], eax
		mov	[esi+0F4h], ebx

loc_80BEF1:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+927j
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+979j ...
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	ebx, 0C000014Ch
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_80BF0B:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+29Dj
		push	0D0h
		jmp	short loc_80BF17
; 

loc_80BF12:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+291j
		push	0C0h

loc_80BF17:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+960j
		push	0C000014Ch
		push	0Fh
		xor	edx, edx
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	short loc_80BEF1
		mov	eax, [ebp+var_8]
		mov	[esi+0ECh], eax
		mov	eax, [ebp+var_C]
		mov	[esi+0F0h], eax
		mov	eax, [ebp+var_10]
		mov	[esi+0F4h], eax
		jmp	short loc_80BEF1
; 

loc_80BF48:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+421j
		push	170h
		push	0C000009Ah
		push	0Fh
		xor	edx, edx
		mov	[ebp+arg_4], 0C000009Ah
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	short loc_80BF83
		mov	eax, [ebp+var_18]
		mov	[esi+0ECh], ebx
		mov	eax, [eax+ebx*4]
		mov	[esi+0F0h], eax
		mov	eax, [ebp+var_14]
		mov	[esi+0F4h], eax

loc_80BF83:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+9B6j
		lea	eax, [ebp+var_38]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		lea	eax, [ebp+var_30]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	ebx, [ebp+arg_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_80BFAF:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+39Fj
		push	130h
		push	0C000009Ah
		push	0Fh
		xor	edx, edx
		mov	[ebp+arg_4], 0C000009Ah
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	short loc_80BFE4
		mov	eax, [ebp+var_8]
		mov	[esi+0ECh], eax
		mov	eax, [ebp+var_14]
		mov	eax, [eax+4]
		mov	[esi+0F0h], eax

loc_80BFE4:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+A1Dj
		lea	eax, [ebp+var_30]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	ebx, [ebp+arg_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_80C006:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+DAj
		push	70h
		push	0C000009Ah
		push	0Fh
		xor	edx, edx
		mov	[ebp+arg_4], 0C000009Ah
		mov	ecx, esi
		call	SetFailureLocation
		test	esi, esi
		jz	loc_80C0A8
		mov	eax, [ebp+var_8]
		mov	ebx, [ebp+arg_4]
		mov	[esi+0ECh], eax
		mov	eax, [ebp+var_C]
		mov	[esi+0F0h], eax
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_80C047:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+863j
		test	cl, cl
		jz	loc_80C0DA
		mov	ebx, 8000002Ah
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_80C05F:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+81Dj
		mov	eax, 28h
		jmp	short loc_80C06B
; 

loc_80C066:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+807j
		mov	eax, 18h

loc_80C06B:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+AB4j
		push	eax
		push	0C000017Dh
		push	0Fh
		xor	edx, edx
		mov	ecx, esi
		call	SetFailureLocation
		lea	eax, [ebp+var_50]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	ebx, 0C000017Dh
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_80C096:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+7F1j
		push	10h
		push	0C000009Ah
		push	0Fh
		xor	edx, edx
		mov	ecx, esi
		call	SetFailureLocation

loc_80C0A8:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+A71j
		mov	ebx, 0C000009Ah

loc_80C0AD:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+889j
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_80C0B8:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+7AFj
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+7C5j
		push	30h
		push	0C000014Ch
		push	0Fh
		xor	edx, edx
		mov	ecx, esi
		call	SetFailureLocation
		mov	ebx, 0C000014Ch
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_80C0DA:				; CODE XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+87j
					; CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+A99j
		pop	edi
		xor	ebx, ebx
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
_CmpCheckValueList@40 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetValueData	proc near		; CODE XREF: CmpGetSymbolicLinkTarget+62Cp
					; CmpGetSymbolicLinkTarget+ABCp ...

var_4C		= dword	ptr -4Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0091C9C8 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		sub	esp, 28h
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, ecx
		mov	byte ptr [eax],	0
		mov	dword ptr [ebx], 0
		mov	ecx, [edi+4]
		cmp	ecx, 80000000h
		jnb	short loc_80C160

loc_80C11A:				; CODE XREF: CmpGetValueData+76j
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		cmp	dword ptr [edi+4], 80000000h
		jnb	short loc_80C168
		cmp	dword ptr [esi+9Ch], 4
		jb	short loc_80C13E
		lea	eax, [ecx-3FD9h]
		cmp	eax, 7FFFC026h
		jbe	short loc_80C18A

loc_80C13E:				; CODE XREF: CmpGetValueData+3Fj
		push	[ebp+arg_10]
		mov	eax, [edi+8]
		push	eax
		mov	eax, [esi+4]
		push	esi
		call	eax
		mov	[ebx], eax
		test	eax, eax
		jz	loc_91C9E6
		mov	al, 1

loc_80C157:				; CODE XREF: CmpGetValueData+1108F8j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_80C160:				; CODE XREF: CmpGetValueData+28j
		add	ecx, 80000000h
		jmp	short loc_80C11A
; 

loc_80C168:				; CODE XREF: CmpGetValueData+36j
		push	[ebp+arg_10]
		mov	eax, [esi+4]
		push	edx
		push	esi
		call	eax
		test	eax, eax
		jz	loc_91C9E6
		lea	eax, [edi+8]
		mov	[ebx], eax
		mov	al, 1
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_80C18A:				; CODE XREF: CmpGetValueData+4Cj
		mov	eax, [edi+8]
		lea	ecx, [ebp+var_24]
		push	ecx
		push	eax
		mov	eax, [esi+4]
		push	esi
		mov	[ebp+var_24], 0FFFFFFFFh
		mov	[ebp+var_20], 0
		mov	[ebp+arg_8], 0
		mov	[ebp+var_14], 0FFFFFFFFh
		mov	[ebp+var_10], 0
		mov	[ebp+var_1C], 0FFFFFFFFh
		mov	[ebp+var_18], 0
		mov	byte ptr [ebp+arg_10+3], 1
		call	eax
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	loc_91C9E6
		mov	eax, [eax+4]
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		mov	eax, [esi+4]
		push	esi
		call	eax
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_91C9C8
		mov	edi, [edi+4]
		push	64764D43h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+arg_8], eax
		test	eax, eax
		jz	loc_91C9D1
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		xor	edx, edx
		mov	[ebp+arg_0], eax
		cmp	dx, [ecx+2]
		jnb	short loc_80C281
		lea	esp, [esp+0]

loc_80C220:				; CODE XREF: CmpGetValueData+18Fj
		mov	ecx, [ebp+var_8]
		movzx	eax, ax
		mov	[ebp+var_C], eax
		mov	eax, [ecx+eax*4]
		lea	ecx, [ebp+var_14]
		push	ecx
		push	eax
		mov	eax, [esi+4]
		push	esi
		call	eax
		test	eax, eax
		jz	loc_91C9D1
		cmp	edi, 3FD8h
		jbe	short loc_80C2B5
		mov	ecx, 3FD8h

loc_80C24C:				; CODE XREF: CmpGetValueData+1C7j
		push	ecx		; size_t
		push	eax		; void *
		imul	eax, [ebp+var_C], 3FD8h
		add	eax, [ebp+arg_8]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_14]
		sub	edi, 3FD8h
		push	eax
		mov	eax, [esi+8]
		push	esi
		call	eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	ax, [ecx+2]
		jb	short loc_80C220

loc_80C281:				; CODE XREF: CmpGetValueData+12Aj
					; CmpGetValueData+1108E5j
		lea	eax, [ebp+var_1C]
		push	eax
		mov	eax, [esi+8]
		push	esi
		call	eax

loc_80C28B:				; CODE XREF: CmpGetValueData+1108DCj
		lea	eax, [ebp+var_24]
		push	eax
		mov	eax, [esi+8]
		push	esi
		call	eax
		cmp	byte ptr [ebp+arg_10+3], 0
		mov	eax, [ebp+arg_8]
		jz	loc_91C9DA
		mov	[ebx], eax
		mov	eax, [ebp+arg_C]
		pop	edi
		pop	esi
		pop	ebx
		mov	byte ptr [eax],	1
		mov	al, 1
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_80C2B5:				; CODE XREF: CmpGetValueData+155j
		mov	ecx, edi
		jmp	short loc_80C24C
CmpGetValueData	endp

; 
		align 10h
; Exported entry 2480. SeOpenObjectAuditAlarmWithTransaction

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeOpenObjectAuditAlarmWithTransaction
SeOpenObjectAuditAlarmWithTransaction proc near	; CODE XREF: ObCheckObjectAccess+D1p
					; SeOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x)+28p ...

var_4C		= byte ptr -4Ch
var_4B		= byte ptr -4Bh
var_4A		= dword	ptr -4Ah
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_1C		= byte ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 0091C9ED SIZE 000004AA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		cmp	[ebp+arg_1C], 0
		push	ebx
		push	esi
		push	edi
		mov	byte ptr [esp+58h+var_4A], 0
		mov	byte ptr [esp+58h+var_4A+1], 0
		mov	[esp+58h+var_1C], 0
		mov	[esp+58h+var_30], 0
		mov	[esp+58h+var_44], 0
		mov	[esp+58h+var_3C], 0
		mov	[esp+58h+var_38], 0
		mov	[esp+58h+var_28], 3E7h
		jz	loc_80C420
		mov	ebx, [ebp+arg_10]
		mov	edi, [ebx+1Ch]
		lea	edx, [ebx+1Ch]
		mov	[esp+58h+var_4A+2], edx
		mov	esi, [ebx+30h]
		mov	[esp+58h+var_2C], esi
		test	edi, edi
		jnz	short loc_80C32D
		mov	edi, [ebx+24h]

loc_80C32D:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+68j
		cmp	[ebp+arg_C], 0
		jz	loc_80C3EE
		mov	ecx, [ebp+arg_18]
		movzx	ebx, cl
		neg	ebx
		mov	[esp+58h+var_28], 77h
		sbb	ebx, ebx
		and	ebx, 3
		test	cl, cl
		setz	dl
		mov	[esp+58h+var_40], edx
		test	cl, cl
		jz	loc_80C44B

loc_80C35D:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+18Ej
		xor	eax, eax
		mov	[esp+58h+var_10], eax
		mov	[esp+58h+var_C], eax
		mov	[esp+58h+var_8], eax
		mov	[esp+58h+var_4], eax
		mov	eax, dword_6BE548
		test	eax, eax
		jz	short loc_80C393
		test	eax, ebx
		jnz	loc_91CB1F
		xor	al, al
		cmp	dword_6BE588, 0
		mov	[esp+58h+var_4B], al
		jnz	loc_91C9ED

loc_80C393:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+B6j
					; SeOpenObjectAuditAlarmWithTransaction+198j
		mov	ebx, [esp+58h+var_40]

loc_80C397:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110938j
					; SeOpenObjectAuditAlarmWithTransaction+110946j ...
		mov	esi, [esp+58h+var_4A+2]

loc_80C39B:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110999j
		mov	eax, [ebp+arg_10]
		mov	byte ptr [esp+58h+var_18], bl
		mov	edx, [eax+30h]
		mov	eax, [eax+18h]
		and	eax, 2000000h
		jnz	short loc_80C429

loc_80C3AF:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+16Ej
		test	eax, eax
		setnz	bl
		dec	bl
		and	bl, cl
		xor	al, al
		lea	ebx, [ebx+0]

loc_80C3C0:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+112j
		movzx	ecx, al
		cmp	dword ptr [edx+ecx*4+40h], 0
		jl	loc_91CC5E
		inc	al
		cmp	al, 20h
		jb	short loc_80C3C0
		xor	al, al

loc_80C3D6:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1109AFj
		cmp	byte ptr [esp+58h+var_4A], 0
		mov	esi, [esp+58h+var_2C]
		mov	[esi+0C0h], al
		jnz	short loc_80C463
		mov	ebx, [ebp+arg_10]
		mov	edx, [esp+58h+var_4A+2]

loc_80C3EE:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+71j
		mov	eax, [ebp+arg_18]
		test	al, al
		jz	short loc_80C400
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_80C400
		cmp	dword ptr [ecx], 0
		ja	short loc_80C433

loc_80C400:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+133j
					; SeOpenObjectAuditAlarmWithTransaction+139j ...
		cmp	byte ptr [esp+58h+var_4A+1], 0
		jnz	short loc_80C463
		xor	al, al

loc_80C409:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1A8j
		mov	[ebx+9], al
		test	al, al
		jnz	loc_91CC7D
		cmp	[esi+0C0h], al
		jnz	loc_91CC7D

loc_80C420:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+4Cj
					; SeOpenObjectAuditAlarmWithTransaction+110BC6j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_80C429:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+EDj
		mov	byte ptr [esp+58h+var_18], 1
		jmp	loc_80C3AF
; 

loc_80C433:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+13Ej
		lea	edi, [esp+58h+var_28]
		push	edi
		push	edx
		push	0
		mov	dl, al
		call	SepAdtAuditPrivilegeUseWithContext
		test	al, al
		jz	short loc_80C400
		jmp	loc_91CC74
; 

loc_80C44B:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+97j
		or	ebx, 30h
		jmp	loc_80C35D
; 

loc_80C453:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110846j
					; SeOpenObjectAuditAlarmWithTransaction+11085Aj
		mov	ecx, [ebp+arg_18]
		test	al, al
		jz	loc_80C393
		jmp	loc_91CB1F
; 

loc_80C463:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+125j
					; SeOpenObjectAuditAlarmWithTransaction+145j ...
		mov	ebx, [ebp+arg_10]
		mov	al, 1
		jmp	short loc_80C409
SeOpenObjectAuditAlarmWithTransaction endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCheckKey(x, x, x, x, x, x, x)
_CmpCheckKey@28	proc near		; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+CAp

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		push	ebx
		mov	ebx, [ebp+arg_10]
		xor	al, al
		mov	[ebp+var_C], edx
		mov	[ebp+var_44], 0FFFFFFFFh
		mov	[ebp+var_40], 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], 0
		mov	[ebp+var_5C], 0FFFFFFFFh
		mov	[ebp+var_58], 0
		mov	[ebp+var_3C], 0FFFFFFFFh
		mov	[ebp+var_38], 0
		mov	[ebp+var_34], 0FFFFFFFFh
		mov	[ebp+var_30], 0
		mov	[ebp+var_64], 0FFFFFFFFh
		mov	[ebp+var_60], 0
		mov	[ebp+var_5], al
		mov	[ebp+var_14], 0
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	short loc_80C50E
		mov	[ebx+0D8h], esi
		mov	dword ptr [ebx+0DCh], 0
		mov	dword ptr [ebx+0E0h], 0
		mov	dword ptr [ebx+0E4h], 0FFFFFFFFh

loc_80C50E:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+78j
		push	[ebp+arg_C]
		mov	edx, esi
		call	_HvIsCellAllocated@12 ;	HvIsCellAllocated(x,x,x)
		test	al, al
		jnz	short loc_80C53C
		push	0
		push	0C000014Ch
		push	0Eh
		xor	edx, edx
		mov	ecx, ebx
		call	SetFailureLocation
		mov	eax, 0C000014Ch
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_80C53C:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+AAj
		lea	eax, [ebp+var_5C]
		push	eax
		mov	eax, [edi+4]
		push	esi
		push	edi
		call	eax
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		jnz	short loc_80C570
		push	10h
		push	0C000009Ah
		push	0Eh
		xor	edx, edx
		mov	ecx, ebx
		call	SetFailureLocation
		mov	eax, 0C000009Ah
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_80C570:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+DEj
		test	ebx, ebx
		jz	short loc_80C57A
		mov	[ebx+0DCh], esi

loc_80C57A:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+102j
		mov	ecx, 0FFFFFFFCh
		sub	ecx, [esi-4]
		lea	eax, [ecx-4Ch]
		cmp	eax, 410h
		ja	loc_80DADA
		movzx	eax, word ptr [esi+48h]
		mov	edx, eax
		lea	ebx, [edx+4Ch]
		mov	[ebp+var_28], ebx
		cmp	ebx, 4Ch
		mov	ebx, [ebp+arg_10]
		jb	loc_80DAD6
		test	ax, ax
		jz	loc_80DAD6
		cmp	[ebp+var_28], ecx
		ja	loc_80DAD6
		test	byte ptr [esi+2], 20h
		jz	loc_80C66D
		mov	ecx, 100h
		cmp	ax, cx
		jbe	short loc_80C5D5
		push	35h
		jmp	loc_80DADC
; 

loc_80C5D5:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+15Cj
		cmp	byte ptr [esi+4Ch], 0
		jnz	short loc_80C5E2
		push	40h
		jmp	loc_80DADC
; 

loc_80C5E2:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+169j
		xor	eax, eax
		test	edx, edx
		jz	short loc_80C5F4

loc_80C5E8:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+182j
		cmp	byte ptr [esi+eax+4Ch],	5Ch
		jz	short loc_80C663
		inc	eax
		cmp	eax, edx
		jb	short loc_80C5E8

loc_80C5F4:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+176j
					; CmpCheckKey(x,x,x,x,x,x,x)+22Ej ...
		mov	eax, 6B6Eh
		cmp	[esi], ax
		jz	loc_80C6D6
		test	[ebp+var_C], 20000h
		mov	esi, 0C000014Ch
		mov	[ebp+var_5], 1
		jnz	loc_80C754
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80C62E
		test	byte ptr _CmpBootType, 6
		jz	loc_80C754

loc_80C62E:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1AFj
		push	70h
		push	0C000014Ch
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_80C6C1
		mov	esi, 0C000017Dh
		push	80h
		push	esi
		jmp	loc_80DAE6
; 

loc_80C663:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+17Dj
		push	500h
		jmp	loc_80DADC
; 

loc_80C66D:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+14Ej
		mov	ecx, 200h
		cmp	ax, cx
		jbe	short loc_80C67E
		push	45h
		jmp	loc_80DADC
; 

loc_80C67E:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+205j
		test	al, 1
		jz	short loc_80C689
		push	50h
		jmp	loc_80DADC
; 

loc_80C689:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+210j
		cmp	word ptr [esi+4Ch], 0
		lea	eax, [esi+4Ch]
		jnz	short loc_80C69A
		push	60h
		jmp	loc_80DADC
; 

loc_80C69A:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+221j
		xor	ecx, ecx
		shr	edx, 1
		jz	loc_80C5F4

loc_80C6A4:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+240j
		cmp	word ptr [eax],	5Ch
		jz	short loc_80C6B7
		inc	ecx
		add	eax, 2
		cmp	ecx, edx
		jb	short loc_80C6A4
		jmp	loc_80C5F4
; 

loc_80C6B7:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+238j
		push	510h
		jmp	loc_80DADC
; 

loc_80C6C1:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1E1j
		mov	esi, [ebp+var_10]
		mov	eax, 6B6Eh
		mov	[esi], ax
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4

loc_80C6D6:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+18Cj
		mov	eax, [edi+20h]
		test	byte ptr [eax+90h], 2
		jnz	loc_80C779
		test	byte ptr [esi+0Dh], 3
		jz	loc_80C779
		test	[ebp+var_C], 20000h
		mov	esi, 0C000014Ch
		mov	[ebp+var_5], 1
		jnz	loc_80C820
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80C71C
		test	byte ptr _CmpBootType, 6
		jz	loc_80C820

loc_80C71C:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+29Dj
		push	92h
		push	0C000014Ch
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_80C768
		mov	esi, 0C000017Dh
		push	96h
		push	esi
		jmp	loc_80DAE6
; 

loc_80C754:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1A2j
					; CmpCheckKey(x,x,x,x,x,x,x)+1B8j
		push	90h
		push	0C000014Ch
		mov	edx, 1
		jmp	loc_80DAE8
; 

loc_80C768:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+2D2j
		mov	esi, [ebp+var_10]
		and	byte ptr [esi+0Dh], 0FCh
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4

loc_80C779:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+270j
					; CmpCheckKey(x,x,x,x,x,x,x)+27Aj
		mov	eax, [ebp+arg_4]
		cmp	eax, 0FFFFFFFFh
		jz	loc_80C8E9
		lea	ecx, [ebp+var_3C]
		push	ecx
		push	eax
		mov	eax, [edi+4]
		push	edi
		call	eax
		mov	al, [eax+0Dh]
		and	al, 3
		cmp	al, 3
		jnz	loc_80C8DA
		mov	al, [esi+0Dh]
		and	al, 3
		cmp	al, 3
		jz	loc_80C8DA
		cmp	al, 1
		jz	loc_80C8DA
		lea	eax, [ebp+var_3C]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		test	[ebp+var_C], 20000h
		mov	esi, 0C000014Ch
		mov	[ebp+var_5], 1
		jnz	loc_80C8D0
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80C7E8
		test	byte ptr _CmpBootType, 6
		jz	loc_80C8D0

loc_80C7E8:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+369j
		push	98h
		push	0C000014Ch
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_80C82A
		mov	esi, 0C000017Dh
		push	9Ah
		push	esi
		jmp	loc_80DAE6
; 

loc_80C820:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+290j
					; CmpCheckKey(x,x,x,x,x,x,x)+2A6j
		push	94h
		jmp	loc_80DAE1
; 

loc_80C82A:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+39Ej
		mov	esi, [ebp+var_10]
		or	byte ptr [esi+0Dh], 3

loc_80C831:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+4F5j
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4

loc_80C83B:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+474j
					; CmpCheckKey(x,x,x,x,x,x,x)+47Ej ...
		mov	eax, [esi+24h]
		movzx	edx, word ptr [esi+4Ah]
		mov	ecx, [esi+30h]
		mov	[ebp+var_20], eax
		mov	eax, [esi+28h]
		mov	[ebp+var_28], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+arg_10], edx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_2C], eax
		test	edx, edx
		jz	loc_80CAF1
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_80C9D8
		test	[ebp+var_C], 20000h
		mov	esi, 0C000014Ch
		mov	[ebp+var_5], 1
		jnz	loc_80C9CE
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80C897
		test	byte ptr _CmpBootType, 6
		jz	loc_80C9CE

loc_80C897:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+418j
		push	9Bh
		push	0C000014Ch
		push	0Eh
		xor	edx, edx
		mov	ecx, ebx
		call	SetFailureLocation
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	loc_80C974
		mov	esi, 0C000017Dh
		push	9Fh
		push	esi
		jmp	loc_80DAE6
; 

loc_80C8D0:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+35Cj
					; CmpCheckKey(x,x,x,x,x,x,x)+372j
		push	9Ch
		jmp	loc_80DAE1
; 

loc_80C8DA:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+327j
					; CmpCheckKey(x,x,x,x,x,x,x)+334j ...
		lea	eax, [ebp+var_3C]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	loc_80C83B
; 

loc_80C8E9:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+30Fj
		mov	al, [esi+0Dh]
		and	al, 3
		jz	loc_80C83B
		cmp	al, 2
		jz	loc_80C83B
		test	[ebp+var_C], 20000h
		mov	esi, 0C000014Ch
		mov	[ebp+var_5], 1
		jnz	short loc_80C96A
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80C920
		test	byte ptr _CmpBootType, 6
		jz	short loc_80C96A

loc_80C920:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+4A5j
		push	1E4h
		push	0C000014Ch
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_80C958
		mov	esi, 0C000017Dh
		push	1E8h
		push	esi
		jmp	loc_80DAE6
; 

loc_80C958:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+4D6j
		mov	esi, [ebp+var_10]
		mov	al, [esi+0Dh]
		and	al, 0FEh
		or	al, 2
		mov	[esi+0Dh], al
		jmp	loc_80C831
; 

loc_80C96A:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+49Cj
					; CmpCheckKey(x,x,x,x,x,x,x)+4AEj
		push	1ECh
		jmp	loc_80DAE1
; 

loc_80C974:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+44Aj
		mov	esi, [ebp+var_10]
		xor	eax, eax
		mov	[ebp+arg_10], 0
		mov	[esi+4Ah], ax

loc_80C984:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+63Aj
					; CmpCheckKey(x,x,x,x,x,x,x)+65Dj ...
		cmp	[ebp+var_2C], 0FFFFFFFFh
		jz	loc_80CB7E
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_C]
		cmp	eax, 0FFFFFFFFh
		jz	loc_80CE9A
		test	ecx, 20000h
		jnz	loc_80CC8A
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80C9BF
		test	byte ptr _CmpBootType, 6
		jz	loc_80CC8A

loc_80C9BF:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+540j
		cmp	byte ptr [ebp+arg_8], 0
		jnz	loc_80CB9C
		jmp	loc_80CC8A
; 

loc_80C9CE:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+40Bj
					; CmpCheckKey(x,x,x,x,x,x,x)+421j
		push	9Dh
		jmp	loc_80DAE1
; 

loc_80C9D8:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+3F5j
		mov	al, [esi+0Dh]
		and	al, 3
		cmp	al, 1
		jnz	short loc_80CA54
		push	9Eh

loc_80C9E6:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+633j
		push	0C000014Ch
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation

loc_80C9F9:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+5F2j
		test	[ebp+var_C], 20000h
		jnz	loc_80CAD2
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80CA1C
		test	byte ptr _CmpBootType, 6
		jz	loc_80CAD2

loc_80CA1C:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+59Dj
		push	0A0h
		push	0C000014Ch
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_80CAAF
		mov	esi, 0C000017Dh
		push	0B0h
		push	esi
		jmp	loc_80DAE6
; 

loc_80CA54:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+56Fj
		push	[ebp+arg_C]
		mov	edx, ecx
		mov	ecx, edi
		call	_HvIsCellAllocated@12 ;	HvIsCellAllocated(x,x,x)
		test	al, al
		jz	short loc_80C9F9
		lea	eax, [ebp+var_64]
		push	eax
		push	[ebp+var_24]
		mov	eax, [edi+4]
		push	edi
		call	eax
		mov	edx, eax
		test	edx, edx
		jnz	short loc_80CA87
		mov	esi, 0C000009Ah
		push	0D0h
		push	esi
		jmp	loc_80DAE6
; 

loc_80CA87:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+605j
		mov	ecx, [edi+8]
		mov	eax, 0FFFFFFFCh
		sub	eax, [edx-4]
		cmp	[ebp+arg_10], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	edi
		jbe	short loc_80CAA8
		call	ecx
		push	0E0h
		jmp	loc_80C9E6
; 

loc_80CAA8:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+62Aj
		call	ecx
		jmp	loc_80C984
; 

loc_80CAAF:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+5D2j
		xor	eax, eax
		mov	dword ptr [esi+30h], 0FFFFFFFFh
		mov	[esi+4Ah], ax
		mov	[ebp+arg_10], eax
		mov	eax, [edi+20h]
		mov	[ebp+var_5], 1
		or	dword ptr [eax+0FF8h], 4
		jmp	loc_80C984
; 

loc_80CAD2:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+590j
					; CmpCheckKey(x,x,x,x,x,x,x)+5A6j
		push	0C0h
		push	0C000014Ch
		push	0Eh
		xor	edx, edx
		mov	ecx, ebx
		call	SetFailureLocation
		mov	esi, 0C000014Ch
		jmp	loc_80DAF1
; 

loc_80CAF1:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+3ECj
		cmp	ecx, 0FFFFFFFFh
		jz	loc_80C984
		test	[ebp+var_C], 20000h
		mov	esi, 0C000014Ch
		mov	[ebp+var_5], 1
		jnz	short loc_80CB74
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80CB1E
		test	byte ptr _CmpBootType, 6
		jz	short loc_80CB74

loc_80CB1E:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+6A3j
		push	0E8h
		push	0C000014Ch
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_80CB5B
		mov	esi, 0C000017Dh
		mov	edx, 1
		push	0ECh
		push	esi
		jmp	loc_80DAE8
; 

loc_80CB5B:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+6D4j
		mov	esi, [ebp+var_10]
		mov	dword ptr [esi+30h], 0FFFFFFFFh
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4
		jmp	loc_80C984
; 

loc_80CB74:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+69Aj
					; CmpCheckKey(x,x,x,x,x,x,x)+6ACj
		push	0E4h
		jmp	loc_80DAE1
; 

loc_80CB7E:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+518j
		push	100h

loc_80CB83:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+B08j
		push	0C000014Ch
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+arg_4]

loc_80CB9C:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+553j
		test	ecx, 20000h
		jnz	loc_80DAAA
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80CBBE
		test	byte ptr _CmpBootType, 6
		jz	loc_80DAAA

loc_80CBBE:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+73Fj
		mov	[ebp+var_4C], 0FFFFFFFFh
		mov	[ebp+var_48], 0
		mov	[ebp+var_54], 0FFFFFFFFh
		mov	[ebp+var_50], 0
		cmp	eax, 0FFFFFFFFh
		jz	loc_80DA8E
		lea	ecx, [ebp+var_4C]
		push	ecx
		push	eax
		mov	eax, [edi+4]
		push	edi
		call	eax
		mov	esi, eax
		mov	[ebp+var_2C], esi
		test	esi, esi
		jz	loc_80DA76
		mov	eax, [esi+2Ch]
		lea	ecx, [ebp+var_54]
		push	ecx
		push	eax
		mov	eax, [edi+4]
		push	edi
		call	eax
		mov	[ebp+arg_8], eax
		test	eax, eax
		jz	loc_80DA54
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	loc_80DA28
		mov	edx, [esi+2Ch]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	loc_80D9F9
		mov	eax, [esi+2Ch]
		mov	edx, edi
		mov	ecx, [ebp+arg_8]
		push	1
		push	eax
		call	_CmpKeySecurityIncrementReferenceCount@16 ; CmpKeySecurityIncrementReferenceCount(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_80D9F1
		mov	eax, [ebp+var_2C]
		mov	esi, [ebp+var_10]
		mov	eax, [eax+2Ch]
		mov	[esi+2Ch], eax
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4
		lea	eax, [ebp+var_54]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		lea	eax, [ebp+var_4C]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_5], 1

loc_80CC8A:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+533j
					; CmpCheckKey(x,x,x,x,x,x,x)+549j ...
		cmp	eax, 0FFFFFFFFh
		jz	loc_80CE9A
		cmp	[esi+10h], eax
		jz	short loc_80CD04
		mov	[ebp+var_5], 1
		mov	esi, 0C000014Ch
		test	ecx, 20000h
		jnz	loc_80CF98
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80CCC3
		test	byte ptr _CmpBootType, 6
		jz	loc_80CF98

loc_80CCC3:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+844j
		push	140h
		push	0C000014Ch
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	loc_80CF7D
		mov	esi, [ebp+var_10]
		mov	edx, [ebp+arg_4]
		mov	[esi+10h], edx
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4
		mov	eax, edx

loc_80CD04:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+826j
		lea	ecx, [ebp+var_3C]
		push	ecx
		push	eax
		mov	eax, [edi+4]
		push	edi
		call	eax
		mov	ecx, eax
		mov	[ebp+arg_8], ecx
		test	ecx, ecx
		jz	loc_80D027
		test	byte ptr [esi+2], 20h
		movzx	eax, word ptr [esi+48h]
		jz	short loc_80CD2B
		add	eax, eax
		movzx	eax, ax

loc_80CD2B:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+8B4j
		cmp	[ecx+34h], ax
		jnb	short loc_80CDAE
		test	[ebp+var_C], 20000h
		mov	esi, 0C000014Ch
		mov	[ebp+var_5], 1
		jnz	loc_80CFCA
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80CD5D
		test	byte ptr _CmpBootType, 6
		jz	loc_80CFCA

loc_80CD5D:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+8DEj
		push	174h
		push	0C000014Ch
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	loc_80CFA2
		mov	esi, [ebp+var_10]
		test	byte ptr [esi+2], 20h
		movzx	eax, word ptr [esi+48h]
		jz	short loc_80CD9B
		add	eax, eax
		movzx	eax, ax

loc_80CD9B:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+924j
		mov	ecx, [ebp+arg_8]
		mov	[ecx+34h], ax
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4
		jmp	short loc_80CDB1
; 

loc_80CDAE:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+8BFj
		mov	ecx, [ebp+arg_8]

loc_80CDB1:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+93Cj
		mov	eax, [ebp+arg_10]
		cmp	[ecx+38h], eax
		jnb	short loc_80CE27
		test	[ebp+var_C], 20000h
		mov	esi, 0C000014Ch
		mov	[ebp+var_5], 1
		jnz	loc_80CFFB
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80CDE5
		test	byte ptr _CmpBootType, 6
		jz	loc_80CFFB

loc_80CDE5:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+966j
		push	17Ah
		push	0C000014Ch
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	loc_80CFEE
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+arg_10]
		mov	esi, [ebp+var_10]
		mov	[eax+38h], edx
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4

loc_80CE27:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+947j
		lea	eax, [ebp+var_3C]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		test	byte ptr [esi+2], 0Eh
		jz	loc_80CF17
		test	[ebp+var_C], 20000h
		mov	esi, 0C000014Ch
		mov	[ebp+var_5], 1
		jnz	loc_80D01D
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80CE67
		test	byte ptr _CmpBootType, 6
		jz	loc_80D01D

loc_80CE67:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+9E8j
		push	180h
		push	0C000014Ch
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	loc_80D002
		mov	eax, 0FFF1h
		jmp	short loc_80CF06
; 

loc_80CE9A:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+527j
					; CmpCheckKey(x,x,x,x,x,x,x)+81Dj
		movzx	eax, word ptr [esi+2]
		test	al, 50h
		jnz	loc_80D9E7
		test	al, 2
		jz	short loc_80CF17
		mov	[ebp+var_5], 1
		mov	esi, 0C000014Ch
		test	ecx, 20000h
		jnz	loc_80D05D
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80CED5
		test	byte ptr _CmpBootType, 6
		jz	loc_80D05D

loc_80CED5:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+A56j
		push	1C0h
		push	0C000014Ch
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	loc_80D042
		mov	eax, 0FFFDh

loc_80CF06:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+A28j
		mov	esi, [ebp+var_10]
		and	[esi+2], ax
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4

loc_80CF17:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+9C5j
					; CmpCheckKey(x,x,x,x,x,x,x)+A38j
		mov	edx, [esi+2Ch]
		lea	eax, [ebp+arg_8]
		push	eax
		mov	ecx, edi
		mov	[ebp+arg_8], 0
		mov	[ebp+var_24], 0
		call	_CmpFindSecurityCellCacheIndex@12 ; CmpFindSecurityCellCacheIndex(x,x,x)
		test	al, al
		jz	short loc_80CF73
		mov	ecx, [edi+4CCh]
		mov	edx, 1
		mov	eax, [ebp+arg_8]
		mov	eax, [ecx+eax*8+4]
		lea	ecx, [ebp+var_24]
		push	ecx
		mov	[ebp+arg_8], eax
		mov	ecx, [eax+14h]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_80CF67
		mov	edx, [ebp+arg_8]
		mov	eax, [ebp+var_24]
		mov	[edx+14h], eax

loc_80CF67:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+AECj
		cmp	ecx, 0C0000225h
		jnz	loc_80D067

loc_80CF73:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+AC5j
		push	1F0h
		jmp	loc_80CB83
; 

loc_80CF7D:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+879j
		push	150h
		mov	esi, 0C000017Dh
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80CF98:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+837j
					; CmpCheckKey(x,x,x,x,x,x,x)+84Dj
		push	160h
		jmp	loc_80DA98
; 

loc_80CFA2:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+913j
		push	176h
		mov	esi, 0C000017Dh
		mov	edx, 1
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		lea	eax, [ebp+var_3C]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	loc_80DAC4
; 

loc_80CFCA:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+8D1j
					; CmpCheckKey(x,x,x,x,x,x,x)+8E7j
		push	172h

loc_80CFCF:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+B90j
		push	0C000014Ch

loc_80CFD4:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+B89j
		push	0Eh
		xor	edx, edx
		mov	ecx, ebx
		call	SetFailureLocation
		lea	eax, [ebp+var_3C]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	loc_80DAC4
; 

loc_80CFEE:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+99Bj
		mov	esi, 0C000017Dh
		push	17Ch
		push	esi
		jmp	short loc_80CFD4
; 

loc_80CFFB:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+959j
					; CmpCheckKey(x,x,x,x,x,x,x)+96Fj
		push	178h
		jmp	short loc_80CFCF
; 

loc_80D002:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+A1Dj
		push	190h
		mov	esi, 0C000017Dh
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D01D:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+9DBj
					; CmpCheckKey(x,x,x,x,x,x,x)+9F1j
		push	1A0h
		jmp	loc_80DA98
; 

loc_80D027:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+8A6j
		push	170h
		mov	esi, 0C000009Ah
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D042:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+A8Bj
		push	1D0h
		mov	esi, 0C000017Dh
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D05D:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+A49j
					; CmpCheckKey(x,x,x,x,x,x,x)+A5Fj
		push	1E0h
		jmp	loc_80DA98
; 

loc_80D067:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+AFDj
		test	ecx, ecx
		jns	short loc_80D089
		push	1F4h
		mov	esi, 0C000014Ch
		mov	edx, 1
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D089:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+BF9j
		test	byte ptr [esi+2], 40h
		jnz	loc_80D3CE
		cmp	[ebp+var_20], 0
		jbe	loc_80D180
		mov	al, [esi+0Dh]
		and	al, 3
		cmp	al, 1
		jnz	short loc_80D0B0
		push	1F8h
		jmp	loc_80D199
; 

loc_80D0B0:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+C34j
		push	[ebp+arg_C]
		mov	edx, [ebp+var_28]
		mov	ecx, edi
		call	_HvIsCellAllocated@12 ;	HvIsCellAllocated(x,x,x)
		test	al, al
		jnz	short loc_80D0CB
		push	200h
		jmp	loc_80D199
; 

loc_80D0CB:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+C4Fj
		lea	eax, [ebp+var_54]
		mov	[ebp+var_54], 0FFFFFFFFh
		push	eax
		push	[ebp+var_28]
		mov	eax, [edi+4]
		push	edi
		mov	[ebp+var_50], 0
		call	eax
		mov	ecx, eax
		mov	[ebp+arg_4], ecx
		test	ecx, ecx
		jnz	short loc_80D10A
		push	210h
		mov	esi, 0C000009Ah
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D10A:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+C7Dj
		mov	eax, [ebp+var_20]
		mov	edx, 4
		mul	edx
		mov	[ebp+arg_8], eax
		test	edx, edx
		ja	loc_80D230
		jb	short loc_80D12A
		cmp	eax, 0FFFFFFFFh
		ja	loc_80D230

loc_80D12A:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+CAFj
		mov	eax, 0FFFFFFFCh
		sub	eax, [ecx-4]
		cmp	[ebp+arg_8], eax
		ja	loc_80D230
		mov	dl, [esi+2]
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_18]
		shr	dl, 4
		push	eax
		push	ebx
		push	[ebp+arg_C]
		and	dl, 1
		push	[ebp+var_C]
		push	[ebp+arg_0]
		push	[ebp+var_20]
		push	ecx
		mov	ecx, edi
		call	_CmpCheckValueList@40 ;	CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_54]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		cmp	esi, 8000002Ah
		jnz	loc_80D204
		mov	[ebp+var_5], 1

loc_80D17D:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+D96j
		mov	esi, [ebp+var_10]

loc_80D180:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+C27j
					; CmpCheckKey(x,x,x,x,x,x,x)+D8Fj
		cmp	dword ptr [esi+24h], 0
		jnz	loc_80D283
		cmp	dword ptr [esi+28h], 0FFFFFFFFh
		jz	loc_80D275
		push	260h

loc_80D199:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+C3Bj
					; CmpCheckKey(x,x,x,x,x,x,x)+C56j ...
		mov	esi, 0C000014Ch
		push	esi

loc_80D19F:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+DBBj
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		test	[ebp+var_C], 20000h
		jnz	loc_80D25F
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80D1D0
		test	byte ptr _CmpBootType, 6
		jz	loc_80D25F

loc_80D1D0:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+D51j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	short loc_80D244
		mov	esi, [ebp+var_10]
		mov	[ebp+var_5], 1
		mov	dword ptr [esi+24h], 0
		mov	dword ptr [esi+28h], 0FFFFFFFFh
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4
		jmp	loc_80D180
; 

loc_80D204:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+D03j
		test	esi, esi
		jns	loc_80D17D
		cmp	esi, 0C000014Ch
		jnz	loc_80DAC4
		test	ebx, ebx
		jz	short loc_80D225
		mov	eax, [ebp+arg_4]
		mov	[ebx+0DCh], eax

loc_80D225:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+DAAj
		push	230h
		push	esi
		jmp	loc_80D19F
; 

loc_80D230:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+CA9j
					; CmpCheckKey(x,x,x,x,x,x,x)+CB4j ...
		lea	eax, [ebp+var_54]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		push	220h
		jmp	loc_80D199
; 

loc_80D244:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+D6Ej
		push	240h
		mov	esi, 0C000017Dh
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D25F:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+D44j
					; CmpCheckKey(x,x,x,x,x,x,x)+D5Aj
		push	250h
		push	esi
		xor	edx, edx
		mov	ecx, ebx
		push	0Eh
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D275:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+D1Ej
		mov	[ebp+var_18], 0
		mov	[ebp+var_1C], 0

loc_80D283:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+D14j
		mov	eax, [esi+3Ch]
		cmp	eax, [ebp+var_18]
		jnb	short loc_80D2F5
		test	[ebp+var_C], 20000h
		mov	esi, 0C000014Ch
		mov	[ebp+var_5], 1
		jnz	loc_80D352
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80D2B7
		test	byte ptr _CmpBootType, 6
		jz	loc_80D352

loc_80D2B7:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+E38j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_80D2E2
		push	264h
		mov	esi, 0C000017Dh
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D2E2:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+E55j
		mov	esi, [ebp+var_10]
		mov	eax, [ebp+var_18]
		mov	[esi+3Ch], eax
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4

loc_80D2F5:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+E19j
		mov	ecx, [ebp+var_C]
		mov	eax, [esi+40h]
		and	ecx, 20000h
		mov	[ebp+arg_8], ecx
		cmp	eax, [ebp+var_1C]
		jnb	short loc_80D37E
		mov	[ebp+var_5], 1
		mov	esi, 0C000014Ch
		test	ecx, ecx
		jnz	short loc_80D374
		cmp	ds:_CmpSelfHeal, cl
		jnz	short loc_80D327
		test	byte ptr _CmpBootType, 6
		jz	short loc_80D374

loc_80D327:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+EACj
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_80D35C
		push	268h
		mov	esi, 0C000017Dh
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D352:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+E2Bj
					; CmpCheckKey(x,x,x,x,x,x,x)+E41j
		push	262h
		jmp	loc_80DA98
; 

loc_80D35C:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+EC5j
		mov	esi, [ebp+var_10]
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+arg_8]
		mov	[esi+40h], eax
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4
		jmp	short loc_80D381
; 

loc_80D374:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+EA4j
					; CmpCheckKey(x,x,x,x,x,x,x)+EB5j
		push	266h
		jmp	loc_80DA98
; 

loc_80D37E:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+E97j
		mov	[ebp+arg_8], ecx

loc_80D381:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+F02j
		test	ecx, ecx
		jnz	loc_80D44D
		mov	eax, [esi+3Ch]
		cmp	eax, [ebp+var_18]
		jz	short loc_80D3A6
		mov	edx, [ebp+arg_0]
		push	ecx
		mov	ecx, edi
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	short loc_80D3A6
		mov	eax, [ebp+var_18]
		mov	[esi+3Ch], eax

loc_80D3A6:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+F1Fj
					; CmpCheckKey(x,x,x,x,x,x,x)+F2Ej
		mov	eax, [esi+40h]
		cmp	eax, [ebp+var_1C]
		jz	loc_80D44D
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	loc_80D44D
		mov	eax, [ebp+var_1C]
		mov	[esi+40h], eax
		jmp	short loc_80D44D
; 

loc_80D3CE:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+C1Dj
		mov	eax, [ebp+var_C]
		mov	esi, 0C000014Ch
		and	eax, 20000h
		mov	[ebp+var_5], 1
		mov	[ebp+arg_8], eax
		jnz	loc_80D9DD
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80D3FE
		test	byte ptr _CmpBootType, 6
		jz	loc_80D9DD

loc_80D3FE:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+F7Fj
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_80D429
		push	28Ch
		mov	esi, 0C000017Dh
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D429:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+F9Cj
		mov	eax, [ebp+var_10]
		mov	ecx, 0FFBFh
		and	[eax+2], cx
		mov	dword ptr [eax+24h], 0
		mov	dword ptr [eax+28h], 0FFFFFFFFh
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4

loc_80D44D:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+F13j
					; CmpCheckKey(x,x,x,x,x,x,x)+F3Cj ...
		lea	eax, [ebp+var_5C]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	[ebp+arg_0]
		mov	eax, [edi+4]
		push	edi
		call	eax
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		jnz	short loc_80D488
		push	2B0h
		mov	esi, 0C000009Ah
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D488:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+FFBj
		test	ebx, ebx
		jz	short loc_80D492
		mov	[ebx+0DCh], esi

loc_80D492:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+101Aj
		cmp	[ebp+arg_0], 0
		jge	short loc_80D4AC
		cmp	dword ptr [esi+14h], 0
		jz	loc_80D63A
		push	2C0h
		jmp	loc_80DA93
; 

loc_80D4AC:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1026j
		cmp	dword ptr [esi+14h], 0
		jbe	loc_80D63A
		mov	al, [esi+0Dh]
		and	al, 3
		cmp	al, 1
		jnz	short loc_80D4CE
		mov	esi, 0C000014Ch
		mov	eax, 2C8h
		jmp	loc_80D89D
; 

loc_80D4CE:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+104Dj
		push	[ebp+arg_C]
		mov	edx, [esi+1Ch]
		mov	ecx, edi
		call	_HvIsCellAllocated@12 ;	HvIsCellAllocated(x,x,x)
		test	al, al
		jnz	short loc_80D4EE
		mov	esi, 0C000014Ch
		mov	eax, 2D0h
		jmp	loc_80D89D
; 

loc_80D4EE:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+106Dj
		mov	eax, [esi+1Ch]
		lea	ecx, [ebp+var_34]
		push	ecx
		push	eax
		mov	eax, [edi+4]
		push	edi
		call	eax
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jnz	short loc_80D515
		mov	esi, 0C000009Ah
		push	2E0h
		push	esi
		jmp	loc_80DAE6
; 

loc_80D515:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1093j
		mov	edx, 0FFFFFFFCh
		sub	edx, [ecx-4]
		cmp	edx, 8
		jb	loc_80D882
		movzx	eax, word ptr [ecx+2]
		mov	[ebp+arg_10], eax
		movzx	eax, ax
		mov	[ebp+arg_4], eax
		call	_CmpGetIndexElementSize@4 ; CmpGetIndexElementSize(x)
		imul	eax, [ebp+arg_4]
		add	eax, 4
		cmp	eax, 4
		jb	loc_80D882
		mov	ecx, [ebp+var_14]
		call	_CmpGetIndexElementSize@4 ; CmpGetIndexElementSize(x)
		imul	eax, [ebp+arg_4]
		add	eax, 4
		cmp	eax, edx
		ja	loc_80D882
		cmp	word ptr [ebp+arg_10], 0
		jnz	short loc_80D57F
		lea	eax, [ebp+var_34]
		mov	esi, 0C000014Ch
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, 310h
		jmp	loc_80D896
; 

loc_80D57F:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+10F4j
		mov	edx, [ebp+var_14]
		test	ebx, ebx
		jz	short loc_80D58C
		mov	[ebx+0E0h], edx

loc_80D58C:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1114j
		movzx	eax, word ptr [edx]
		mov	ecx, 6972h
		mov	[ebp+arg_4], 696Ch
		mov	[ebp+arg_10], 666Ch
		mov	[ebp+var_2C], 686Ch
		mov	[ebp+var_28], ecx
		cmp	ax, word ptr [ebp+arg_4]
		jz	short loc_80D5DC
		cmp	ax, word ptr [ebp+arg_10]
		jz	short loc_80D5DC
		cmp	ax, word ptr [ebp+var_2C]
		jz	short loc_80D5DC
		cmp	ax, cx
		jz	short loc_80D5DC
		lea	eax, [ebp+var_34]
		mov	esi, 0C000014Ch
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, 3E0h
		jmp	loc_80D896
; 

loc_80D5DC:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1140j
					; CmpCheckKey(x,x,x,x,x,x,x)+1146j ...
		movzx	ecx, word ptr [edx+2]
		cmp	ax, word ptr [ebp+var_28]
		jz	loc_80D66F
		cmp	ecx, [esi+14h]
		jz	short loc_80D608
		lea	eax, [ebp+var_34]
		mov	esi, 0C000014Ch
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, 330h
		jmp	loc_80D896
; 

loc_80D608:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+117Dj
		mov	eax, [esi+1Ch]
		mov	ecx, edi
		push	ebx
		push	eax
		push	edx
		mov	edx, [ebp+var_C]
		call	CmpCheckLeaf
		mov	esi, eax
		cmp	esi, 8000002Ah
		jnz	short loc_80D655
		mov	[ebp+var_5], 1

loc_80D626:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+11E7j
		mov	esi, [ebp+var_10]

loc_80D629:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1335j
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	[ebp+var_14], 0

loc_80D63A:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+102Cj
					; CmpCheckKey(x,x,x,x,x,x,x)+1040j ...
		cmp	dword ptr [esi+20h], 0FFFFFFFFh
		jnz	loc_80D93E
		cmp	dword ptr [esi+18h], 0
		jnz	loc_80D93E
		xor	cl, cl
		jmp	loc_80D940
; 

loc_80D655:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+11B0j
		test	esi, esi
		jns	short loc_80D626
		cmp	esi, 0C000014Ch
		jnz	loc_80DAC4
		mov	eax, 340h
		jmp	loc_80D89D
; 

loc_80D66F:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1174j
		xor	eax, eax
		xor	edx, edx
		mov	[ebp+arg_10], eax
		mov	[ebp+var_24], edx
		mov	[ebp+arg_4], eax
		cmp	ax, cx
		jnb	loc_80D7A2
		mov	esi, [ebp+var_14]
		add	esi, 4
		mov	[ebp+arg_4], esi
		mov	edi, edi

loc_80D690:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1326j
		test	ebx, ebx
		jz	short loc_80D69A
		mov	[ebx+0E4h], edx

loc_80D69A:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1222j
		push	[ebp+arg_C]
		mov	edx, [esi]
		mov	ecx, edi
		call	_HvIsCellAllocated@12 ;	HvIsCellAllocated(x,x,x)
		test	al, al
		jz	loc_80D86C
		mov	eax, [esi]
		lea	ecx, [ebp+var_44]
		push	ecx
		push	eax
		mov	eax, [edi+4]
		push	edi
		call	eax
		mov	edx, eax
		mov	[ebp+var_20], edx
		test	edx, edx
		jz	loc_80D851
		mov	esi, 0FFFFFFFCh
		sub	esi, [edx-4]
		cmp	esi, 8
		jb	loc_80D831
		movzx	eax, word ptr [edx+2]
		mov	ecx, edx
		mov	[ebp+var_2C], eax
		movzx	eax, ax
		mov	[ebp+var_28], eax
		call	_CmpGetIndexElementSize@4 ; CmpGetIndexElementSize(x)
		imul	eax, [ebp+var_28]
		add	eax, 4
		cmp	eax, 4
		jb	loc_80D831
		mov	ecx, edx
		call	_CmpGetIndexElementSize@4 ; CmpGetIndexElementSize(x)
		imul	eax, [ebp+var_28]
		add	eax, 4
		cmp	eax, esi
		ja	loc_80D831
		cmp	word ptr [ebp+var_2C], 0
		jz	loc_80D811
		movzx	eax, word ptr [edx]
		mov	ecx, 696Ch
		cmp	ax, cx
		jz	short loc_80D743
		mov	ecx, 666Ch
		cmp	ax, cx
		jz	short loc_80D743
		mov	ecx, 686Ch
		cmp	ax, cx
		jnz	loc_80D7C4

loc_80D743:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+12B9j
					; CmpCheckKey(x,x,x,x,x,x,x)+12C3j
		mov	eax, [ebp+arg_4]
		mov	ecx, edi
		push	ebx
		mov	eax, [eax]
		push	eax
		push	edx
		mov	edx, [ebp+var_C]
		call	CmpCheckLeaf
		mov	esi, eax
		cmp	esi, 8000002Ah
		jnz	short loc_80D765
		mov	[ebp+var_5], 1
		jmp	short loc_80D769
; 

loc_80D765:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+12EDj
		test	esi, esi
		js	short loc_80D7E7

loc_80D769:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+12F3j
		mov	eax, [ebp+var_20]
		movzx	eax, word ptr [eax+2]
		add	[ebp+arg_10], eax
		lea	eax, [ebp+var_44]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, [ebp+var_14]
		mov	edx, [ebp+var_24]
		mov	esi, [ebp+arg_4]
		inc	edx
		add	esi, 4
		mov	[ebp+var_24], edx
		movzx	eax, word ptr [eax+2]
		mov	[ebp+arg_4], esi
		cmp	edx, eax
		jb	loc_80D690
		mov	esi, [ebp+var_10]
		mov	eax, [ebp+arg_10]

loc_80D7A2:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+120Fj
		cmp	[esi+14h], eax
		jz	loc_80D629
		lea	eax, [ebp+var_34]
		mov	esi, 0C000014Ch
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, 3C0h
		jmp	loc_80D896
; 

loc_80D7C4:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+12CDj
		lea	eax, [ebp+var_44]
		mov	esi, 0C000014Ch
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, 3B0h
		jmp	loc_80D896
; 

loc_80D7E7:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+12F7j
		cmp	esi, 0C000014Ch
		jnz	loc_80DAC4
		lea	eax, [ebp+var_44]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, 3B8h
		jmp	loc_80D896
; 

loc_80D811:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+12A8j
		lea	eax, [ebp+var_44]
		mov	esi, 0C000014Ch
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, 390h
		jmp	short loc_80D896
; 

loc_80D831:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1263j
					; CmpCheckKey(x,x,x,x,x,x,x)+1287j ...
		lea	eax, [ebp+var_44]
		mov	esi, 0C000014Ch
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, 370h
		jmp	short loc_80D896
; 

loc_80D851:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1252j
		push	360h
		mov	esi, 0C000009Ah
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D86C:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1238j
		lea	eax, [ebp+var_34]
		mov	esi, 0C000014Ch
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, 350h
		jmp	short loc_80D896
; 

loc_80D882:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+10B0j
					; CmpCheckKey(x,x,x,x,x,x,x)+10D2j ...
		lea	eax, [ebp+var_34]
		mov	esi, 0C000014Ch
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, 2F0h

loc_80D896:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+110Aj
					; CmpCheckKey(x,x,x,x,x,x,x)+1167j ...
		mov	[ebp+var_14], 0

loc_80D89D:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1059j
					; CmpCheckKey(x,x,x,x,x,x,x)+1079j ...
		push	eax
		push	esi
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		cmp	[ebp+arg_8], 0
		jnz	short loc_80D928
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_80D8C5
		test	byte ptr _CmpBootType, 6
		jz	short loc_80D928

loc_80D8C5:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+144Aj
		push	3F0h
		push	esi
		push	0Eh
		mov	edx, 1
		mov	ecx, ebx
		call	SetFailureLocation
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_80D904
		push	400h
		mov	esi, 0C000017Dh
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D904:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1477j
		mov	esi, [ebp+var_10]
		mov	[ebp+var_5], 1
		mov	dword ptr [esi+14h], 0
		mov	dword ptr [esi+1Ch], 0FFFFFFFFh
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4
		jmp	loc_80D63A
; 

loc_80D928:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1441j
					; CmpCheckKey(x,x,x,x,x,x,x)+1453j
		push	410h
		push	esi
		xor	edx, edx
		mov	ecx, ebx
		push	0Eh
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D93E:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+11CEj
					; CmpCheckKey(x,x,x,x,x,x,x)+11D8j
		mov	cl, 1

loc_80D940:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+11E0j
		mov	edx, [ebp+var_C]
		test	edx, 40000h
		jz	short loc_80D959
		test	cl, cl
		jz	short loc_80D959
		push	410h
		jmp	loc_80DA93
; 

loc_80D959:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+14D9j
					; CmpCheckKey(x,x,x,x,x,x,x)+14DDj
		mov	eax, edx
		shr	eax, 1
		and	al, 1
		test	dl, 0Dh
		jz	short loc_80D96A
		test	cl, cl
		jz	short loc_80D96A
		mov	al, 1

loc_80D96A:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+14F2j
					; CmpCheckKey(x,x,x,x,x,x,x)+14F6j
		test	dl, 8
		jz	short loc_80D978
		cmp	dword ptr [edi+9Ch], 4
		jb	short loc_80D97C

loc_80D978:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+14FDj
		test	al, al
		jz	short loc_80D9CA

loc_80D97C:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1506j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	0
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_80D9A7
		push	420h
		mov	esi, 0C000017Dh
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	loc_80DAC4
; 

loc_80D9A7:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+151Aj
		test	byte ptr [ebp+var_C], 4
		mov	dword ptr [esi+18h], 0
		jz	short loc_80D9C4
		cmp	dword ptr [edi+9Ch], 4
		jb	short loc_80D9C4
		mov	eax, 0BAADF00Dh
		jmp	short loc_80D9C7
; 

loc_80D9C4:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1542j
					; CmpCheckKey(x,x,x,x,x,x,x)+154Bj
		or	eax, 0FFFFFFFFh

loc_80D9C7:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1552j
		mov	[esi+20h], eax

loc_80D9CA:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+150Aj
		movzx	esi, [ebp+var_5]
		neg	esi
		sbb	esi, esi
		and	esi, 8000002Ah
		jmp	loc_80DAC4
; 

loc_80D9DD:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+F72j
					; CmpCheckKey(x,x,x,x,x,x,x)+F88j
		push	288h
		jmp	loc_80DA98
; 

loc_80D9E7:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+A30j
		push	1B0h
		jmp	loc_80DA93
; 

loc_80D9F1:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+7E0j
		push	124h
		push	esi
		jmp	short loc_80DA33
; 

loc_80D9F9:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+7C6j
		push	120h
		mov	esi, 0C000017Dh
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		lea	eax, [ebp+var_54]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		lea	eax, [ebp+var_4C]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	loc_80DAC4
; 

loc_80DA28:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+7B2j
		mov	esi, 0C000017Dh
		push	11Ch
		push	esi

loc_80DA33:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1587j
		push	0Eh
		xor	edx, edx
		mov	ecx, ebx
		call	SetFailureLocation
		lea	eax, [ebp+var_54]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		lea	eax, [ebp+var_4C]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	short loc_80DAC4
; 

loc_80DA54:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+79Ej
		push	118h
		mov	esi, 0C000009Ah
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		lea	eax, [ebp+var_4C]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	short loc_80DAC4
; 

loc_80DA76:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+785j
		push	114h
		mov	esi, 0C000009Ah
		xor	edx, edx
		push	esi
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation
		jmp	short loc_80DAC4
; 

loc_80DA8E:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+76Dj
		push	110h

loc_80DA93:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1037j
					; CmpCheckKey(x,x,x,x,x,x,x)+14E4j ...
		mov	esi, 0C000014Ch

loc_80DA98:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+B2Dj
					; CmpCheckKey(x,x,x,x,x,x,x)+BB2j ...
		push	0C000014Ch
		xor	edx, edx
		mov	ecx, ebx
		push	0Eh
		call	SetFailureLocation
		jmp	short loc_80DAC4
; 

loc_80DAAA:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+732j
					; CmpCheckKey(x,x,x,x,x,x,x)+748j
		push	130h
		push	0C000014Ch
		push	0Eh
		xor	edx, edx
		mov	ecx, ebx
		call	SetFailureLocation
		mov	esi, 0C000014Ch

loc_80DAC4:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+B23j
					; CmpCheckKey(x,x,x,x,x,x,x)+B55j ...
		cmp	[ebp+var_14], 0
		jz	short loc_80DAF1
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	short loc_80DAF1
; 

loc_80DAD6:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+132j
					; CmpCheckKey(x,x,x,x,x,x,x)+13Bj ...
		push	30h
		jmp	short loc_80DADC
; 

loc_80DADA:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+11Aj
		push	20h

loc_80DADC:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+160j
					; CmpCheckKey(x,x,x,x,x,x,x)+16Dj ...
		mov	esi, 0C000014Ch

loc_80DAE1:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+3B5j
					; CmpCheckKey(x,x,x,x,x,x,x)+465j ...
		push	0C000014Ch

loc_80DAE6:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1EEj
					; CmpCheckKey(x,x,x,x,x,x,x)+2DFj ...
		xor	edx, edx

loc_80DAE8:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+2F3j
					; CmpCheckKey(x,x,x,x,x,x,x)+6E6j
		push	0Eh
		mov	ecx, ebx
		call	SetFailureLocation

loc_80DAF1:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+67Cj
					; CmpCheckKey(x,x,x,x,x,x,x)+1658j ...
		cmp	[ebp+var_10], 0
		jz	short loc_80DB01
		lea	eax, [ebp+var_5C]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax

loc_80DB01:				; CODE XREF: CmpCheckKey(x,x,x,x,x,x,x)+1685j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_CmpCheckKey@28	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCheckOpenAccessOnKeyBody(x, x, x, x, x, x, x, x,	x)
_CmpCheckOpenAccessOnKeyBody@36	proc near
					; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+12E2p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_5], 0
		push	esi
		mov	esi, edx
		mov	[ebp+var_10], ebx
		mov	edx, [ebp+arg_10]
		mov	ecx, esi
		push	edi
		lea	eax, [ebx+4]
		mov	[ebp+var_24], esi
		push	eax
		call	_CmpGetSecurityCacheEntryForKcbStack@12	; CmpGetSecurityCacheEntryForKcbStack(x,x,x)
		cmp	[ebp+arg_C], 0
		mov	esi, [ebp+arg_4]
		jz	short loc_80DB62
		mov	dl, byte ptr [ebp+arg_8]
		add	eax, 18h
		push	1
		push	eax
		mov	ecx, esi
		call	_CmpSetAccessStateForBackupRestore@16 ;	CmpSetAccessStateForBackupRestore(x,x,x,x)
		test	eax, eax
		jns	short loc_80DB62

loc_80DB54:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+167j
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+17Dj
		mov	eax, [ebp+arg_18]
		mov	dword ptr [eax], 0C0000022h
		jmp	loc_80DF97
; 

loc_80DB62:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+2Ej
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+42j
		mov	edi, [ebx+8]
		xor	ecx, ecx
		mov	eax, [esi+18h]
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_44], ecx
		mov	word ptr [ebp+var_44+2], dx
		mov	edx, [edi+10h]
		mov	[ebp+var_1C], edi
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ecx
		test	dword ptr [edx+64h], 100000h
		mov	[ebp+var_38], ecx
		jnz	short loc_80DB93
		xor	ebx, ebx
		jmp	loc_80DC6C
; 

loc_80DB93:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+7Aj
		test	eax, 0D0026h
		jnz	short loc_80DBA1
		xor	ebx, ebx
		jmp	loc_80DC6C
; 

loc_80DBA1:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+88j
		test	eax, 0D0002h
		jz	short loc_80DBB2

loc_80DBA8:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+13Aj
		mov	ebx, 0C0000022h
		jmp	loc_80DC6C
; 

loc_80DBB2:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+96j
		test	dword ptr [edx+980h], 2000h
		jnz	short loc_80DBC8
		mov	ebx, 0C0000022h
		jmp	loc_80DC6C
; 

loc_80DBC8:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+ACj
		cmp	[edi+21h], cl
		jz	short loc_80DBD7
		mov	ebx, 0C0000022h
		jmp	loc_80DC6C
; 

loc_80DBD7:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+BBj
		mov	edx, edi
		lea	ecx, [ebp+var_44]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_80DC69
		mov	cx, [edi+22h]
		dec	cx
		movzx	esi, cx
		test	si, si
		js	short loc_80DC69
		mov	ecx, [ebp+var_38]
		mov	[ebp+var_C], ecx
		nop

loc_80DC00:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+146j
		movsx	eax, si
		cmp	si, 2
		jl	short loc_80DC0F
		mov	edi, [ecx+eax*4-8]
		jmp	short loc_80DC13
; 

loc_80DC0F:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+F7j
		mov	edi, [ebp+eax*4+var_40]

loc_80DC13:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+FDj
		xor	edx, edx
		mov	word ptr [ebp+var_44+2], si
		lea	ecx, [ebp+var_44]
		call	CmpIsKeyStackDeleted
		test	al, al
		jnz	short loc_80DC58
		mov	eax, [edi+10h]
		test	dword ptr [eax+64h], 100000h
		jz	short loc_80DC62
		mov	edi, [ebp+var_1C]
		mov	eax, [edi+10h]
		test	dword ptr [eax+980h], 2000h
		jz	short loc_80DC58
		cmp	byte ptr [edi+21h], 0
		mov	ecx, [ebp+var_C]
		jnz	loc_80DBA8
		dec	esi
		test	si, si
		js	short loc_80DC6C
		jmp	short loc_80DC00
; 

loc_80DC58:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+113j
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+131j
		mov	ecx, [ebp+var_C]
		mov	ebx, 0C0000022h
		jmp	short loc_80DC6C
; 

loc_80DC62:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+11Fj
		mov	ecx, [ebp+var_C]
		xor	ebx, ebx
		jmp	short loc_80DC6C
; 

loc_80DC69:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+D5j
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+E7j
		mov	ecx, [ebp+var_38]

loc_80DC6C:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+7Ej
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+8Cj ...
		test	ecx, ecx
		jz	short loc_80DC75
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_80DC75:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+15Ej
		test	ebx, ebx
		js	loc_80DB54
		mov	ebx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	eax, [ebx+3Ch]
		mov	ecx, [edx+18h]
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_80DB54
		cmp	[ebp+arg_C], 0
		jz	short loc_80DCBD
		cmp	dword ptr [edx+10h], 0
		jnz	short loc_80DCBD

loc_80DC9F:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+1B7j
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+417j ...
		mov	eax, [ebp+arg_18]
		mov	dl, 1
		mov	ecx, [ebp+arg_14]
		mov	dword ptr [eax], 0
		mov	al, [ebp+var_5]
		mov	[ecx], al
		mov	al, dl
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_80DCBD:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+187j
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+18Dj
		test	ecx, ecx
		jnz	short loc_80DCC9
		test	dword ptr [ebx], 1000h
		jnz	short loc_80DC9F

loc_80DCC9:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+1AFj
		mov	ebx, [ebp+var_10]
		xor	esi, esi
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_34], esi
		mov	[ebp+var_1C], 0
		mov	[ebp+var_14], 0
		test	byte ptr [ebx+1Ch], 9
		mov	edi, [ebx+8]
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	word ptr [ebp+var_34+2], ax
		mov	[ebp+var_18], esi
		jnz	loc_80DF11
		cmp	[ebp+arg_10], esi
		jz	short loc_80DD45
		push	10h
		lea	edx, [ebp+var_18]
		lea	ecx, [edi+70h]
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jz	short loc_80DD45

loc_80DD12:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+21Ej
		mov	ecx, [eax+24h]
		cmp	ecx, 2
		jz	short loc_80DD32
		cmp	ecx, 0Bh
		jz	short loc_80DD32
		push	10h
		lea	edx, [ebp+var_18]
		lea	ecx, [edi+70h]
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jnz	short loc_80DD12
		jmp	short loc_80DD45
; 

loc_80DD32:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+208j
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+20Dj
		mov	edx, [ebp+arg_10]
		mov	ecx, [eax+1Ch]
		call	CmEqualTrans
		test	al, al
		jnz	loc_80DF11

loc_80DD45:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+1EFj
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+200j ...
		mov	edi, [ebx+8]
		xor	ebx, ebx
		movzx	eax, word ptr [edi+22h]
		mov	edx, eax
		mov	ecx, eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_20], edx
		movzx	eax, cx
		cmp	dx, 2
		jl	short loc_80DDAE
		movsx	ecx, dx
		mov	eax, edx
		movzx	eax, ax
		sub	ecx, 1
		jz	short loc_80DDAE
		lea	eax, ds:0[ecx*4]
		push	35364D43h
		mov	edx, eax
		mov	[ebp+var_18], eax
		lea	ecx, [ebx+1]
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_80DD99
		mov	[ebp+var_C], 0C000009Ah
		jmp	loc_80DF18
; 

loc_80DD99:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+27Bj
		push	[ebp+var_18]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		movzx	eax, word ptr [edi+22h]
		add	esp, 0Ch
		mov	edx, [ebp+var_20]

loc_80DDAE:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+24Fj
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+25Cj
		movzx	eax, ax
		mov	word ptr [ebp+var_34], dx
		mov	[ebp+var_28], ebx
		mov	word ptr [ebp+var_34+2], ax
		test	ax, ax
		jnz	short loc_80DDC6
		mov	[ebp+var_30], edi
		jmp	short loc_80DDE4
; 

loc_80DDC6:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+2AFj
		mov	esi, [edi+6Ch]
		mov	edx, eax
		test	esi, esi
		jz	short loc_80DDE4
		nop

loc_80DDD0:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+2D2j
		mov	eax, [esi+8]
		lea	ecx, [ebp+var_34]
		push	eax
		call	_CmpSetKcbAtLayerHeight@12 ; CmpSetKcbAtLayerHeight(x,x,x)
		mov	esi, [esi+0Ch]
		dec	edx
		test	esi, esi
		jnz	short loc_80DDD0

loc_80DDE4:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+2B4j
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+2BDj
		mov	edx, [ebp+arg_10]
		lea	ecx, [ebp+var_34]
		push	0
		mov	[ebp+var_C], 0
		call	_CmpGetSecurityCacheEntryForKcbStack@12	; CmpGetSecurityCacheEntryForKcbStack(x,x,x)
		mov	ebx, [ebp+arg_4]
		mov	ecx, large fs:124h
		lea	edi, [eax+18h]
		lea	esi, [ebx+1Ch]
		dec	word ptr [ecx+13Ch]
		nop
		mov	eax, [esi+8]
		push	1
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		cmp	dword ptr [esi], 0
		jz	short loc_80DE3E
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [esi]
		push	1
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite

loc_80DE3E:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+311j
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+arg_8]
		mov	eax, ds:_CmKeyObjectType
		add	eax, 34h
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, [ebx+14h]
		push	eax
		mov	eax, [ebx+10h]
		push	eax
		push	1
		push	esi
		push	edi
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	bl, al
		mov	eax, [ebp+var_14]
		mov	byte ptr [ebp+var_18], bl
		test	eax, eax
		jz	short loc_80DE84
		push	eax
		push	[ebp+arg_4]
		call	SeAppendPrivileges
		push	[ebp+var_14]
		call	_SeFreePrivileges@4 ; SeFreePrivileges(x)

loc_80DE84:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+361j
		mov	ecx, [ebp+arg_4]
		test	bl, bl
		jz	short loc_80DE9B
		mov	eax, [ebp+var_1C]
		or	[ecx+14h], eax
		or	eax, 2000000h
		not	eax
		and	[ecx+10h], eax

loc_80DE9B:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+379j
		mov	edx, [ebp+var_10]
		or	word ptr [edx+1Ch], 2
		cmp	[ebp+arg_10], 0
		jz	short loc_80DEB6
		lea	eax, [ecx+0Ah]
		push	eax
		mov	eax, [ebp+arg_10]
		add	eax, 2Ch
		push	eax
		jmp	short loc_80DEC2
; 

loc_80DEB6:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+397j
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_80DEE0
		lea	eax, [ecx+0Ah]
		push	eax
		push	0

loc_80DEC2:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+3A4j
		push	[ebp+arg_8]
		mov	eax, ds:_CmKeyObjectType
		push	[ebp+var_18]
		add	eax, 8
		push	0
		push	ecx
		push	edi
		push	0
		push	edx
		push	eax
		call	SeOpenObjectAuditAlarmWithTransaction
		mov	edx, [ebp+var_10]

loc_80DEE0:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+3AAj
		mov	eax, 0FFFDh
		and	[edx+1Ch], ax
		mov	ecx, [esi+8]
		mov	ecx, [ecx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_80DF0C
		mov	ecx, [ecx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_80DF0C:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+3EDj
		mov	esi, [ebp+var_28]
		jmp	short loc_80DF1A
; 

loc_80DF11:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+1E6j
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+22Fj
		mov	[ebp+var_C], 0C000017Ch

loc_80DF18:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+284j
		xor	bl, bl

loc_80DF1A:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+3FFj
		test	esi, esi
		jz	short loc_80DF25
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_80DF25:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+40Cj
		test	bl, bl
		jnz	loc_80DC9F
		cmp	[ebp+arg_C], bl
		jnz	short loc_80DF8E
		push	[ebp+var_C]
		mov	ebx, [ebp+arg_4]
		push	[ebp+arg_0]
		mov	esi, [ebp+arg_10]
		mov	edx, esi
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_10]
		push	ebx
		call	_CmpVEPerformOpenAccessCheck@24	; CmpVEPerformOpenAccessCheck(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_80DC9F
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 1
		jnz	short loc_80DF8E
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		mov	ecx, eax
		call	_CmpDoesProcessBelongToServiceSession@4	; CmpDoesProcessBelongToServiceSession(x)
		test	al, al
		jnz	short loc_80DF8E
		test	dword ptr [ebx+10h], 0D0026h
		jz	short loc_80DF8E
		mov	ecx, [ebp+var_24]
		mov	edx, esi
		call	_CmpCheckKeyOwnerForPca@8 ; CmpCheckKeyOwnerForPca(x,x)
		test	al, al
		jz	short loc_80DF8E
		mov	[ebp+var_5], 1

loc_80DF8E:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+420j
					; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+451j ...
		mov	ecx, [ebp+arg_18]
		mov	dword ptr [ecx], 0C0000022h

loc_80DF97:				; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+4Dj
		xor	dl, dl
		mov	ecx, [ebp+arg_14]
		mov	al, [ebp+var_5]
		pop	edi
		pop	esi
		mov	[ecx], al
		mov	al, dl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_CmpCheckOpenAccessOnKeyBody@36	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmpQueryKeyValueData(size_t,int,int,size_t,int)
CmpQueryKeyValueData proc near		; CODE XREF: CmEnumerateValueKey+15Bp
					; CmQueryValueKey+3E8p	...

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= dword	ptr -1Dh
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0091CE97 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 0091CEBF SIZE 0000000D BYTES
; FUNCTION CHUNK AT 0091CEE1 SIZE 0000001D BYTES
; FUNCTION CHUNK AT 0091CF13 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5720
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_30], edx
		mov	eax, ecx
		mov	[ebp+var_34], eax
		mov	[ebp+var_28], 0
		mov	byte ptr [ebp+var_1D], 0
		mov	[ebp+var_5C], 0FFFFFFFFh
		mov	[ebp+var_58], 0
		mov	eax, [eax+10h]
		mov	[ebp+var_54], eax
		mov	edi, [ebp+arg_8]
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_2C], esi
		movzx	eax, word ptr [esi+2]
		test	byte ptr [esi+10h], 1
		jz	loc_80E296
		add	eax, eax
		movzx	ecx, ax

loc_80E028:				; CODE XREF: CmpQueryKeyValueData+2E8j
		mov	eax, [ebp+arg_4]
		cmp	eax, 2
		jnz	loc_80E11F
		mov	edx, [esi+4]
		cmp	edx, 80000000h
		lea	ecx, [edx-80000000h]
		jnb	short loc_80E047
		mov	ecx, edx

loc_80E047:				; CODE XREF: CmpQueryKeyValueData+93j
		mov	[ebp+arg_8], ecx
		lea	ebx, [ecx+0Ch]
		xor	eax, eax
		mov	[ebp+arg_0], eax
		mov	[ebp+var_4], 2
		mov	eax, [ebp+arg_10]
		mov	[eax], ebx
		mov	ebx, [ebp+arg_C]
		cmp	ebx, 0Ch
		jb	loc_80E32A
		mov	dword ptr [edi], 0
		mov	eax, [esi+0Ch]
		mov	[edi+4], eax
		mov	[edi+8], ecx
		lea	eax, [ebx-0Ch]
		mov	ebx, ecx
		cmp	eax, ecx
		jb	loc_80E1E3

loc_80E086:				; CODE XREF: CmpQueryKeyValueData+240j
		test	ecx, ecx
		jz	short loc_80E0D2
		cmp	edx, 80000000h
		jnb	loc_80E117
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_1D]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+arg_8]
		push	eax
		push	esi
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_34]
		mov	ecx, [ecx+10h]
		call	CmpGetValueData
		test	al, al
		jz	loc_91CF1D

loc_80E0BD:				; CODE XREF: CmpQueryKeyValueData+16Dj
					; CmpQueryKeyValueData+10EF78j
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_80E0D2
		push	ebx		; size_t
		push	ecx		; void *
		lea	eax, [edi+0Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_80E0D2:				; CODE XREF: CmpQueryKeyValueData+D8j
					; CmpQueryKeyValueData+112j
		mov	ebx, [ebp+arg_0]

loc_80E0D5:				; CODE XREF: CmpQueryKeyValueData+382j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_80E0DC:				; CODE XREF: CmpQueryKeyValueData+2D5j
					; CmpQueryKeyValueData+352j ...
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_80E101
		lea	eax, [esi+8]
		cmp	ecx, eax
		jz	short loc_80E101
		cmp	byte ptr [ebp+var_1D], 1
		jz	loc_80E337
		lea	eax, [ebp+var_5C]
		push	eax
		mov	ecx, [ebp+var_54]
		push	ecx
		mov	ecx, [ecx+8]
		call	ecx

loc_80E101:				; CODE XREF: CmpQueryKeyValueData+131j
					; CmpQueryKeyValueData+138j ...
		mov	eax, ebx
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_80E117:				; CODE XREF: CmpQueryKeyValueData+E0j
		lea	eax, [esi+8]
		mov	[ebp+var_28], eax
		jmp	short loc_80E0BD
; 

loc_80E11F:				; CODE XREF: CmpQueryKeyValueData+7Ej
		cmp	eax, 4		; switch 5 cases
		ja	loc_91CF13	; default
		jmp	ds:off_80E450[eax*4] ; switch jump

loc_80E12F:				; DATA XREF: PAGE:off_80E450o
		mov	edx, [esi+4]	; case 0x1
		mov	[ebp+var_44], edx
		cmp	edx, 80000000h
		jnb	loc_80E29D
		mov	ebx, edx

loc_80E143:				; CODE XREF: CmpQueryKeyValueData+2F3j
		mov	[ebp+arg_0], ebx
		mov	[ebp+arg_8], ebx
		movzx	edx, cx
		lea	ecx, [ebx+14h]
		add	ecx, edx
		mov	[ebp+var_38], ecx
		mov	[ebp+arg_4], 0
		test	ebx, ebx
		jz	short loc_80E17E
		sub	ecx, ebx
		cmp	eax, 3
		jz	loc_80E364
		lea	eax, [ecx+3]
		and	eax, 0FFFFFFFCh

loc_80E170:				; CODE XREF: CmpQueryKeyValueData+3BAj
		mov	[ebp+arg_4], eax
		cmp	eax, ecx
		ja	loc_80E28A
		mov	ecx, [ebp+var_38]

loc_80E17E:				; CODE XREF: CmpQueryKeyValueData+1ADj
					; CmpQueryKeyValueData+2E1j
		xor	ebx, ebx
		mov	[ebp+var_4], 1
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		mov	ecx, [ebp+arg_C]
		cmp	ecx, 14h
		jb	loc_80E350
		mov	[edi], ebx
		mov	eax, [esi+0Ch]
		mov	[edi+4], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+0Ch], eax
		mov	[edi+10h], edx
		add	ecx, 0FFFFFFECh
		cmp	ecx, edx
		jb	loc_80E441

loc_80E1B4:				; CODE XREF: CmpQueryKeyValueData+49Bj
		test	byte ptr [esi+10h], 1
		jz	short loc_80E1F5
		movzx	eax, word ptr [esi+2]
		mov	[ebp+var_3C], 0
		shr	edx, 1
		cmp	edx, eax
		jb	short loc_80E1CD
		mov	edx, eax

loc_80E1CD:				; CODE XREF: CmpQueryKeyValueData+219j
		xor	eax, eax

loc_80E1CF:				; CODE XREF: CmpQueryKeyValueData+231j
		mov	[ebp+var_3C], eax
		cmp	eax, edx
		jnb	short loc_80E206
		movzx	ecx, byte ptr [eax+esi+14h]
		mov	[edi+eax*2+14h], cx
		inc	eax
		jmp	short loc_80E1CF
; 

loc_80E1E3:				; CODE XREF: CmpQueryKeyValueData+D0j
		mov	ebx, eax
		mov	eax, 80000005h
		mov	[ebp+arg_0], eax
		mov	[ebp+var_24], eax
		jmp	loc_80E086
; 

loc_80E1F5:				; CODE XREF: CmpQueryKeyValueData+208j
		push	edx		; size_t
		lea	eax, [esi+14h]
		push	eax		; void *
		lea	eax, [edi+14h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_80E206:				; CODE XREF: CmpQueryKeyValueData+224j
		cmp	[ebp+arg_0], 0
		jbe	loc_80E344
		cmp	[ebp+var_44], 80000000h
		jnb	loc_80E2A8
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_1D]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+arg_8]
		push	eax
		push	esi
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_34]
		mov	ecx, [ecx+10h]
		call	CmpGetValueData
		test	al, al
		jz	loc_91CEBF

loc_80E244:				; CODE XREF: CmpQueryKeyValueData+10EF17j
		mov	eax, [ebp+arg_8]
		mov	[ebp+arg_0], eax

loc_80E24A:				; CODE XREF: CmpQueryKeyValueData+2FEj
		mov	edx, [ebp+arg_4]
		mov	[edi+8], edx
		mov	eax, [ebp+arg_C]
		sub	eax, edx
		cmp	[ebp+arg_C], edx
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax
		mov	eax, [ebp+arg_0]
		cmp	ecx, eax
		jb	loc_80E31B

loc_80E269:				; CODE XREF: CmpQueryKeyValueData+375j
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_80E27E
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [edx+edi]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_80E27E:				; CODE XREF: CmpQueryKeyValueData+2BEj
					; CmpQueryKeyValueData+39Bj
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_80E0DC
; 

loc_80E28A:				; CODE XREF: CmpQueryKeyValueData+1C5j
		sub	eax, ecx
		mov	ecx, [ebp+var_38]
		add	ecx, eax
		jmp	loc_80E17E
; 

loc_80E296:				; CODE XREF: CmpQueryKeyValueData+6Dj
		mov	ecx, eax
		jmp	loc_80E028
; 

loc_80E29D:				; CODE XREF: CmpQueryKeyValueData+18Bj
		lea	ebx, [edx-80000000h]
		jmp	loc_80E143
; 

loc_80E2A8:				; CODE XREF: CmpQueryKeyValueData+267j
		lea	eax, [esi+8]
		mov	[ebp+var_28], eax
		jmp	short loc_80E24A
; 

loc_80E2B0:				; CODE XREF: CmpQueryKeyValueData+178j
					; DATA XREF: PAGE:off_80E450o
		movzx	edx, cx		; case 0x0
		lea	ecx, [edx+0Ch]
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		mov	ecx, [ebp+arg_C]
		cmp	ecx, 0Ch
		jb	short loc_80E307
		mov	[edi], ebx
		mov	eax, [esi+0Ch]
		mov	[edi+4], eax
		mov	[edi+8], edx
		add	ecx, 0FFFFFFF4h
		cmp	ecx, edx
		jb	loc_80E40A

loc_80E2DE:				; CODE XREF: CmpQueryKeyValueData+464j
		lea	ecx, [esi+14h]
		add	edi, 0Ch
		test	byte ptr [esi+10h], 1
		jz	loc_91CE97
		movzx	eax, word ptr [esi+2]
		push	eax
		push	ecx
		mov	ecx, edi
		call	_CmpCopyCompressedName@16 ; CmpCopyCompressedName(x,x,x,x)

loc_80E2FB:				; CODE XREF: CmpQueryKeyValueData+406j
					; CmpQueryKeyValueData+420j ...
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_80E0DC
; 

loc_80E307:				; CODE XREF: CmpQueryKeyValueData+316j
		mov	ebx, 0C0000023h
		mov	[ebp+var_24], ebx
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_80E0DC
; 

loc_80E31B:				; CODE XREF: CmpQueryKeyValueData+2B3j
		mov	eax, ecx
		mov	ebx, 80000005h
		mov	[ebp+var_24], ebx
		jmp	loc_80E269
; 

loc_80E32A:				; CODE XREF: CmpQueryKeyValueData+B4j
		mov	ebx, 0C0000023h
		mov	[ebp+var_24], ebx
		jmp	loc_80E0D5
; 

loc_80E337:				; CODE XREF: CmpQueryKeyValueData+13Ej
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_80E101
; 

loc_80E344:				; CODE XREF: CmpQueryKeyValueData+25Aj
		mov	dword ptr [edi+8], 0FFFFFFFFh
		jmp	loc_80E27E
; 

loc_80E350:				; CODE XREF: CmpQueryKeyValueData+1E2j
		mov	ebx, 0C0000023h
		mov	[ebp+var_24], ebx
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_80E0DC
; 

loc_80E364:				; CODE XREF: CmpQueryKeyValueData+1B4j
		lea	eax, [ecx+7]
		and	eax, 0FFFFFFF8h
		jmp	loc_80E170
; 

loc_80E36F:				; CODE XREF: CmpQueryKeyValueData+178j
					; DATA XREF: PAGE:off_80E450o
		mov	eax, [esi+4]	; case 0x4
		mov	[ebp+arg_0], eax
		cmp	eax, 80000000h
		lea	edx, [eax-80000000h]
		jb	short loc_80E3F2

loc_80E382:				; CODE XREF: CmpQueryKeyValueData+444j
		mov	[ebp+arg_8], edx
		lea	ecx, [edx+8]
		xor	ebx, ebx
		mov	[ebp+var_4], 3
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		mov	ecx, [ebp+arg_C]
		cmp	ecx, 8
		jb	short loc_80E3F6
		mov	eax, [esi+0Ch]
		mov	[edi], eax
		mov	[edi+4], edx
		add	ecx, 0FFFFFFF8h
		mov	[ebp+arg_C], edx
		cmp	ecx, edx
		jb	loc_91CEE1

loc_80E3B4:				; CODE XREF: CmpQueryKeyValueData+10EF3Cj
		test	edx, edx
		jz	loc_80E2FB
		cmp	[ebp+arg_0], 80000000h
		jb	short loc_80E419
		lea	eax, [esi+8]
		mov	[ebp+var_28], eax

loc_80E3CB:				; CODE XREF: CmpQueryKeyValueData+48Aj
					; CmpQueryKeyValueData+10EF49j
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	loc_80E2FB
		push	[ebp+arg_C]	; size_t
		push	ecx		; void *
		lea	eax, [edi+8]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_80E0DC
; 

loc_80E3F2:				; CODE XREF: CmpQueryKeyValueData+3D0j
		mov	edx, eax
		jmp	short loc_80E382
; 

loc_80E3F6:				; CODE XREF: CmpQueryKeyValueData+3ECj
		mov	ebx, 0C0000023h
		mov	[ebp+var_24], ebx
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_80E0DC
; 

loc_80E40A:				; CODE XREF: CmpQueryKeyValueData+328j
		mov	edx, ecx
		mov	ebx, 80000005h
		mov	[ebp+var_24], ebx
		jmp	loc_80E2DE
; 

loc_80E419:				; CODE XREF: CmpQueryKeyValueData+413j
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_1D]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+arg_8]
		push	eax
		push	esi
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_34]
		mov	ecx, [ecx+10h]
		call	CmpGetValueData
		test	al, al
		jnz	short loc_80E3CB
		jmp	loc_91CEF1
; 

loc_80E441:				; CODE XREF: CmpQueryKeyValueData+1FEj
		mov	edx, ecx
		mov	ebx, 80000005h
		mov	[ebp+var_24], ebx
		jmp	loc_80E1B4
CmpQueryKeyValueData endp

; 
off_80E450	dd offset loc_80E2B0	; DATA XREF: CmpQueryKeyValueData+178r
		dd offset loc_80E12F	; jump table for switch	statement
		dd offset loc_91CF13
		dd offset loc_80E12F
		dd offset loc_80E36F
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtReadVirtualMemory(x, x, x, x, x)
_NtReadVirtualMemory@20	proc near	; DATA XREF: .text:00580DACo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	10h
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	MiReadWriteVirtualMemory
		pop	ebp
		retn	14h
_NtReadVirtualMemory@20	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReadWriteVirtualMemory proc near	; CODE XREF: NtWriteVirtualMemory(x,x,x,x,x)+16p
					; NtReadVirtualMemory(x,x,x,x,x)+16p

var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0091CF55 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 0091CF7E SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5760
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	ebx, edx
		mov	[ebp+var_28], ebx
		mov	edx, ecx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_1C], 0
		mov	eax, large fs:124h
		mov	[ebp+var_34], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		mov	ecx, [ebp+arg_4]
		test	al, al
		jz	loc_91CF7E
		lea	edx, [ebx+ecx]
		cmp	edx, ebx
		jb	loc_80E5F9
		mov	esi, ds:_MmHighestUserAddress
		inc	esi
		cmp	edx, esi
		ja	loc_80E5F9
		mov	edx, [ebp+arg_0]
		lea	eax, [edx+ecx]
		cmp	eax, edx
		jb	loc_80E5F9
		cmp	eax, esi
		ja	loc_80E5F9
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_80E54B
		mov	[ebp+var_4], 0
		mov	edx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_91CF55

loc_80E540:				; CODE XREF: MiReadWriteVirtualMemory+10EAC7j
		mov	eax, [edx]
		mov	[edx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_80E54B:				; CODE XREF: MiReadWriteVirtualMemory+98j
		mov	edx, [ebp+var_2C]

loc_80E54E:				; CODE XREF: MiReadWriteVirtualMemory+10EAF1j
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		xor	edi, edi
		mov	[ebp+arg_8], edi
		test	ecx, ecx
		jz	short loc_80E5CF
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	6D566D4Dh
		push	[ebp+var_24]
		mov	eax, ds:_PsProcessType
		push	eax
		push	[ebp+arg_C]
		push	edx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+arg_8], edi
		test	edi, edi
		js	short loc_80E5CF
		mov	eax, [ebp+var_34]
		mov	eax, [eax+80h]
		mov	[ebp+var_34], eax
		mov	ebx, [ebp+arg_C]
		lea	ecx, [ebp+var_20]
		push	ecx
		mov	ecx, [ebp+var_24]
		push	ecx
		push	[ebp+arg_4]
		cmp	ebx, 10h
		jnz	short loc_80E612
		push	[ebp+arg_0]
		push	eax
		push	[ebp+var_28]
		push	[ebp+var_1C]
		call	MmCopyVirtualMemory
		mov	edi, eax
		mov	[ebp+arg_8], edi

loc_80E5B4:				; CODE XREF: MiReadWriteVirtualMemory+196j
		mov	edx, ebx
		mov	ecx, [ebp+var_1C]
		call	PsIsProcessLoggingEnabled
		mov	ebx, [ebp+var_20]
		test	eax, eax
		jnz	short loc_80E628

loc_80E5C5:				; CODE XREF: MiReadWriteVirtualMemory+1ADj
		mov	edx, 6D566D4Dh
		call	ObfDereferenceObjectWithTag

loc_80E5CF:				; CODE XREF: MiReadWriteVirtualMemory+CAj
					; MiReadWriteVirtualMemory+EFj
		test	esi, esi
		jz	short loc_80E5E3
		mov	[ebp+var_4], 1
		mov	[esi], ebx
		mov	[ebp+var_4], 0FFFFFFFEh

loc_80E5E3:				; CODE XREF: MiReadWriteVirtualMemory+141j
					; sub_91CF8C+Dj
		mov	eax, edi

loc_80E5E5:				; CODE XREF: sub_91CF6C+Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_80E5F9:				; CODE XREF: MiReadWriteVirtualMemory+68j
					; MiReadWriteVirtualMemory+77j	...
		mov	eax, 0C0000005h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_80E612:				; CODE XREF: MiReadWriteVirtualMemory+10Ej
		push	[ebp+var_28]
		push	[ebp+var_1C]
		push	[ebp+arg_0]
		push	eax
		call	MmCopyVirtualMemory
		mov	edi, eax
		mov	[ebp+arg_8], eax
		jmp	short loc_80E5B4
; 

loc_80E628:				; CODE XREF: MiReadWriteVirtualMemory+133j
		push	ebx
		push	[ebp+var_28]
		push	[ebp+arg_C]
		push	ecx
		mov	edx, [ebp+var_34]
		mov	ecx, edi
		call	EtwTiLogReadWriteVm
		mov	ecx, [ebp+var_1C]
		jmp	short loc_80E5C5
MiReadWriteVirtualMemory endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpConstructNameFromKeyNodes proc near	; CODE XREF: CmpConstructNameWithStatus+87p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0091CF9E SIZE 000000D4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		mov	[ebp+var_20], 0
		mov	[ebp+var_30], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		or	eax, 0FFFFFFFFh
		mov	word ptr [ebp+var_30+2], ax
		mov	[ebp+var_20], eax
		xor	eax, eax
		push	ebx
		mov	[ebp+var_1C], 0
		mov	word ptr [ebp+var_1C], ax
		movzx	eax, word ptr [ecx+2]
		mov	[ebp+var_18], edx
		push	esi
		push	edi
		movsx	edi, ax
		lfence	eax
		cmp	ax, 2
		jge	loc_91CF9E
		mov	edi, [ecx+edi*4+4]

loc_80E692:				; CODE XREF: CmpConstructNameFromKeyNodes+10E965j
		movzx	esi, word ptr [edi+22h]
		xor	ebx, ebx
		mov	[ebp+var_4], edi
		cmp	si, 2
		jge	loc_91CFAA

loc_80E6A5:				; CODE XREF: CmpConstructNameFromKeyNodes+10E970j
					; CmpConstructNameFromKeyNodes+10E9ABj
		mov	eax, ebx
		mov	word ptr [ebp+var_30], si
		mov	[ebp+var_8], eax
		mov	[ebp+var_24], eax
		xor	esi, esi
		mov	ecx, edi
		jmp	short loc_80E6C0
; 
		align 10h

loc_80E6C0:				; CODE XREF: CmpConstructNameFromKeyNodes+75j
					; CmpConstructNameFromKeyNodes+A5j
		test	dword ptr [ecx+68h], 40000h
		jnz	loc_80E860

loc_80E6CD:				; CODE XREF: CmpConstructNameFromKeyNodes+225j
		mov	eax, [ecx+28h]
		test	byte ptr [eax],	1
		movzx	edx, word ptr [eax+0Ch]
		jz	short loc_80E6DB
		add	edx, edx

loc_80E6DB:				; CODE XREF: CmpConstructNameFromKeyNodes+97j
		mov	ecx, [ecx+24h]
		add	esi, 2
		add	esi, edx

loc_80E6E3:				; CODE XREF: CmpConstructNameFromKeyNodes+22Dj
		test	ecx, ecx
		jnz	short loc_80E6C0
		cmp	esi, 0FFFFh
		ja	loc_91CFF0
		lea	ebx, [esi+8]
		mov	ecx, 1
		push	624E4D43h
		mov	edx, ebx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	loc_91CFFA
		push	ebx		; size_t
		mov	ebx, eax
		push	0		; int
		push	ebx		; void *
		call	_memset
		lea	eax, [ebx+8]
		add	esp, 0Ch
		mov	[ebx+4], eax
		movzx	eax, si
		mov	[ebx], ax
		mov	[ebx+2], ax
		shr	ax, 1
		movzx	edx, ax
		jmp	short loc_80E740
; 
		align 10h

loc_80E740:				; CODE XREF: CmpConstructNameFromKeyNodes+F8j
					; CmpConstructNameFromKeyNodes+1F1j
		test	dword ptr [edi+68h], 40000h
		jnz	loc_80E84E

loc_80E74D:				; CODE XREF: CmpConstructNameFromKeyNodes+213j
		mov	eax, [edi+28h]
		test	byte ptr [eax],	1
		movzx	ecx, word ptr [eax+0Ch]
		jz	loc_91D004
		mov	esi, ecx

loc_80E75F:				; CODE XREF: CmpConstructNameFromKeyNodes+10E9CAj
		movzx	eax, word ptr [edi+22h]
		sub	edx, esi
		mov	[ebp+var_14], edx
		mov	ecx, eax
		mov	word ptr [ebp+var_30+2], ax
		test	ax, ax
		jnz	loc_91D00F
		mov	[ebp+var_2C], edi

loc_80E77A:				; CODE XREF: CmpConstructNameFromKeyNodes+10E9D8j
					; CmpConstructNameFromKeyNodes+10E9FCj
		movzx	eax, ax
		xor	ebx, ebx
		test	ax, ax
		js	short loc_80E7AE
		mov	edi, [ebp+var_8]
		jmp	short loc_80E790
; 
		align 10h

loc_80E790:				; CODE XREF: CmpConstructNameFromKeyNodes+147j
					; CmpConstructNameFromKeyNodes+10EA0Ej
		movsx	ecx, ax
		cmp	ax, 2
		jge	loc_91D041
		mov	ebx, [ebp+ecx*4+var_2C]

loc_80E7A1:				; CODE XREF: CmpConstructNameFromKeyNodes+10EA05j
		cmp	dword ptr [ebx+14h], 0FFFFFFFFh
		jz	loc_91D04A

loc_80E7AB:				; CODE XREF: CmpConstructNameFromKeyNodes+10EA14j
		mov	edi, [ebp+var_4]

loc_80E7AE:				; CODE XREF: CmpConstructNameFromKeyNodes+142j
		mov	ecx, [ebx+10h]
		lea	edx, [ebp+var_20]
		mov	eax, [ebx+14h]
		push	edx
		push	eax
		mov	eax, [ecx+4]
		push	ecx
		call	eax
		mov	ecx, [ebp+var_14]
		movzx	edx, cx
		mov	ecx, [ebp+var_C]
		test	byte ptr [eax+2], 20h
		mov	[ebp+var_10], eax
		movzx	esi, si
		mov	ecx, [ecx+4]
		lea	edx, [ecx+edx*2]
		jz	loc_91D059
		xor	eax, eax
		test	esi, esi
		jz	short loc_80E801
		mov	edi, [ebp+var_10]
		jmp	short loc_80E7F0
; 
		align 10h

loc_80E7F0:				; CODE XREF: CmpConstructNameFromKeyNodes+1A7j
					; CmpConstructNameFromKeyNodes+1BCj
		movzx	ecx, byte ptr [edi+eax+4Ch]
		mov	[edx+eax*2], cx
		inc	eax
		cmp	eax, esi
		jb	short loc_80E7F0
		mov	edi, [ebp+var_4]

loc_80E801:				; CODE XREF: CmpConstructNameFromKeyNodes+1A2j
					; CmpConstructNameFromKeyNodes+10EA2Dj
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_20]
		push	ecx
		push	eax
		mov	eax, [eax+8]
		call	eax
		mov	ebx, [ebp+var_C]
		mov	esi, 5Ch
		mov	edx, [ebp+var_14]
		add	edx, 0FFFFh
		movzx	ecx, dx
		mov	eax, [ebx+4]
		mov	[eax+ecx*2], si
		mov	edi, [edi+24h]
		mov	[ebp+var_4], edi

loc_80E82F:				; CODE XREF: CmpConstructNameFromKeyNodes+21Ej
		test	edi, edi
		jnz	loc_80E740
		mov	eax, [ebp+var_18]
		xor	esi, esi
		mov	[eax], ebx

loc_80E83E:				; CODE XREF: CmpConstructNameFromKeyNodes+10E998j
					; CmpConstructNameFromKeyNodes+10E9B5j	...
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_80E872

loc_80E845:				; CODE XREF: CmpConstructNameFromKeyNodes+239j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_80E84E:				; CODE XREF: CmpConstructNameFromKeyNodes+107j
		mov	eax, [edi+24h]
		test	eax, eax
		jz	loc_80E74D
		mov	edi, eax
		mov	[ebp+var_4], eax
		jmp	short loc_80E82F
; 

loc_80E860:				; CODE XREF: CmpConstructNameFromKeyNodes+87j
		mov	eax, [ecx+24h]
		test	eax, eax
		jz	loc_80E6CD
		mov	ecx, eax
		jmp	loc_80E6E3
; 

loc_80E872:				; CODE XREF: CmpConstructNameFromKeyNodes+203j
		mov	ecx, eax
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_80E845
CmpConstructNameFromKeyNodes endp

; 
		align 10h
; Exported entry 1389. MmCopyVirtualMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmCopyVirtualMemory
MmCopyVirtualMemory proc near		; CODE XREF: PsQueryProcessCommandLine+17Ap
					; MiReadWriteVirtualMemory+11Ap ...

var_35C		= dword	ptr -35Ch
var_34C		= dword	ptr -34Ch
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_338		= dword	ptr -338h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_320		= dword	ptr -320h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_30E		= byte ptr -30Eh
var_30D		= byte ptr -30Dh
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2EA		= byte ptr -2EAh
var_2E9		= byte ptr -2E9h
var_2E8		= dword	ptr -2E8h
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2CD		= byte ptr -2CDh
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 0091D072 SIZE 000004E8 BYTES
; FUNCTION CHUNK AT 0091D57B SIZE 0000005E BYTES
; FUNCTION CHUNK AT 0091D612 SIZE 00000058 BYTES
; FUNCTION CHUNK AT 0091D70A SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5788
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 33Ch
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_20], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_300], esi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_324], edi
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_30C], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_318], eax
		mov	ebx, [ebp+arg_10]
		mov	[ebp+var_2F8], ebx
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_320], eax
		xor	eax, eax
		mov	[ebp+var_23C], eax
		mov	[ebp+var_238], eax
		mov	[ebp+var_234], eax
		mov	[ebp+var_230], eax
		mov	[ebp+var_22C], eax
		mov	[ebp+var_228], eax
		push	58h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_294]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_31C], 0
		test	ebx, ebx
		jz	loc_80EE2B
		mov	eax, [ebp+var_320]
		mov	dword ptr [eax], 0
		mov	[ebp+var_328], 0
		mov	[ebp+var_308], edi
		mov	eax, [ebp+var_318]
		mov	[ebp+var_314], eax
		mov	edx, ebx
		mov	[ebp+var_2DC], edx
		lea	eax, [ebp+var_294]
		mov	[ebp+var_34C], eax
		mov	eax, large fs:124h
		mov	[ebp+var_338], eax
		mov	[ebp+var_2F0], 0
		mov	[ebp+var_304], 0
		mov	[ebp+var_330], 0
		mov	[ebp+var_32C], 0
		xor	eax, eax
		cmp	[esi+148h], eax
		setz	al

loc_80E9B6:				; CODE XREF: MmCopyVirtualMemory+10E7F8j
		lea	ecx, [eax+eax]
		xor	ecx, eax
		and	ecx, 2
		xor	eax, ecx
		mov	[ebp+var_2CC], eax
		mov	edi, ebx
		sub	edi, edx
		mov	[ebp+var_2D8], edi
		mov	ecx, [ebp+var_324]
		add	ecx, edi
		mov	[ebp+var_2E4], ecx
		xor	ecx, ecx
		mov	[ebp+var_2C4], ecx
		mov	[ebp+var_2C0], ecx
		mov	[ebp+var_2BC], ecx
		mov	[ebp+var_2B8], ecx
		mov	[ebp+var_2B4], ecx
		mov	[ebp+var_2B0], ecx
		mov	ebx, large fs:124h
		mov	esi, [ebx+80h]
		mov	ecx, [ebp+var_300]
		cmp	esi, ecx
		jz	short loc_80EA3B
		lea	eax, [ebp+var_2C4]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		mov	eax, [ebp+var_2CC]
		mov	edx, [ebp+var_2DC]
		mov	ecx, [ebp+var_300]

loc_80EA3B:				; CODE XREF: MmCopyVirtualMemory+199j
		mov	[ebp+var_2F4], 0
		mov	[ebp+var_2FC], 0
		mov	ecx, [ecx+24Ch]
		cmp	dword ptr [ecx+70h], 0
		jnz	loc_91D07D
		mov	[ebp+var_2F4], edx

loc_80EA65:				; CODE XREF: MmCopyVirtualMemory+10EA70j
		cmp	esi, [ebp+var_300]
		jz	short loc_80EA80
		xor	edx, edx
		lea	ecx, [ebp+var_2C4]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, [ebp+var_2CC]

loc_80EA80:				; CODE XREF: MmCopyVirtualMemory+1EBj
		mov	esi, [ebp+var_2FC]
		shl	esi, 2
		and	eax, 0FFFFFFF3h
		or	esi, eax
		mov	eax, [ebp+var_318]
		add	eax, edi
		mov	[ebp+var_2D8], eax
		xor	eax, eax
		mov	[ebp+var_2AC], eax
		mov	[ebp+var_2A8], eax
		mov	[ebp+var_2A4], eax
		mov	[ebp+var_2A0], eax
		mov	[ebp+var_29C], eax
		mov	[ebp+var_298], eax
		mov	eax, large fs:124h
		mov	[ebp+var_2E4], eax
		mov	edi, [eax+80h]
		mov	eax, [ebp+var_30C]
		cmp	edi, eax
		jnz	loc_80EF02

loc_80EAE2:				; CODE XREF: MmCopyVirtualMemory+692j
		xor	ebx, ebx
		mov	[ebp+var_2D4], ebx
		xor	eax, eax
		mov	[ebp+var_2CC], eax
		mov	edx, [ebp+var_30C]
		mov	ecx, [edx+24Ch]
		cmp	[ecx+70h], eax
		jnz	loc_91D2F5
		mov	ebx, [ebp+var_2DC]
		mov	[ebp+var_2FC], ebx

loc_80EB13:				; CODE XREF: MmCopyVirtualMemory+10EC82j
		cmp	edi, edx
		jnz	loc_80EF17

loc_80EB1B:				; CODE XREF: MmCopyVirtualMemory+6AAj
		shl	eax, 4
		and	esi, 0FFFFFFCFh
		or	eax, esi
		mov	[ebp+var_2D4], eax
		test	al, 0C0h
		setz	dl
		test	al, 0Ch
		setz	cl
		test	dl, cl
		jnz	short loc_80EB40
		and	eax, 0FFFFFFFDh
		mov	[ebp+var_2D4], eax

loc_80EB40:				; CODE XREF: MmCopyVirtualMemory+2B5j
		mov	[ebp+var_2CC], eax
		mov	[ebp+var_2CC], eax
		mov	edx, [ebp+var_2DC]
		mov	edi, edx
		mov	[ebp+var_2D8], edi
		mov	ecx, [ebp+var_2F4]
		cmp	ecx, edx
		jb	loc_91D507

loc_80EB68:				; CODE XREF: MmCopyVirtualMemory+10EC8Fj
		cmp	ebx, edi
		jb	loc_91D514

loc_80EB70:				; CODE XREF: MmCopyVirtualMemory+10EC9Cj
		mov	ecx, [ebp+var_2F0]
		mov	[ebp+var_2C8], ecx
		lea	esp, [esp+0]

loc_80EB80:				; CODE XREF: MmCopyVirtualMemory+78Ej
		cmp	edi, 200h
		jnb	loc_80EE86

loc_80EB8C:				; CODE XREF: MmCopyVirtualMemory+608j
		and	eax, 0FFFFFFFDh
		mov	[ebp+var_2CC], eax
		mov	[ebp+var_2D4], eax
		mov	esi, [ebp+var_328]
		test	esi, esi
		jnz	loc_91D521
		cmp	edi, 200h
		ja	loc_80EE9B
		lea	ecx, [ebp+var_224]
		mov	[ebp+var_304], ecx

loc_80EBC1:				; CODE XREF: MmCopyVirtualMemory:loc_80EEE5j
					; MmCopyVirtualMemory+10ECA9j
		mov	esi, edi

loc_80EBC3:				; CODE XREF: MmCopyVirtualMemory+66Bj
					; MmCopyVirtualMemory+10ECA3j
		mov	ebx, eax
		mov	[ebp+var_2E8], ebx
		mov	[ebp+var_2E0], esi

loc_80EBD1:				; CODE XREF: MmCopyVirtualMemory+57Dj
		test	edi, edi
		jz	loc_80EE02
		cmp	edi, esi
		jb	loc_80F025

loc_80EBE1:				; CODE XREF: MmCopyVirtualMemory+7ADj
		lea	eax, [ebp+var_23C]
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+var_300]
		call	KiStackAttachProcess
		mov	edx, [ebp+var_324]
		mov	eax, [ebp+var_308]
		cmp	byte ptr [ebp+arg_14], 0
		jz	short loc_80EC3D
		cmp	eax, edx
		jnz	short loc_80EC3D
		mov	[ebp+var_4], 0
		mov	eax, [ebp+var_2F8]
		add	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_91D552
		cmp	eax, edx
		jb	loc_91D552

loc_80EC30:				; CODE XREF: MmCopyVirtualMemory+10ECD5j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_308]

loc_80EC3D:				; CODE XREF: MmCopyVirtualMemory+385j
					; MmCopyVirtualMemory+389j
		mov	edx, ebx
		and	edx, 2
		mov	[ebp+var_2E4], edx
		mov	[ebp+var_344], edx
		jnz	loc_80EF2F

loc_80EC54:				; CODE XREF: MmCopyVirtualMemory+700j
		mov	ebx, [ebp+var_338]
		add	ebx, 58h
		mov	[ebp+var_340], ebx
		bts	dword ptr [ebx], 5
		setb	[ebp+var_30E]
		mov	[ebp+var_4], 1
		test	edx, edx
		jnz	loc_80EF85
		mov	eax, [ebp+var_2E8]
		test	al, 40h
		jnz	loc_91D59E
		and	eax, 0Ch
		cmp	eax, 8
		jz	loc_91D59E
		cmp	eax, 4
		jz	loc_91D57B
		push	esi		; size_t
		push	[ebp+var_308]	; void *
		push	[ebp+var_304]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+var_2C8]
		mov	edx, [ebp+var_2E4]

loc_80ECC1:				; CODE XREF: MmCopyVirtualMemory+722j
					; MmCopyVirtualMemory+10ED3Bj
		mov	[ebp+var_4], 0FFFFFFFEh

loc_80ECC8:				; CODE XREF: MmCopyVirtualMemory+80Bj
		cmp	[ebp+var_30E], 0
		jnz	short loc_80ECD5
		btr	dword ptr [ebx], 5

loc_80ECD5:				; CODE XREF: MmCopyVirtualMemory+44Fj
		test	ecx, ecx
		js	loc_80EE4B
		test	edx, edx
		jnz	loc_80EFA7
		mov	ebx, [ebp+var_304]

loc_80ECEB:				; CODE XREF: MmCopyVirtualMemory+744j
		xor	edx, edx
		lea	ecx, [ebp+var_23C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		lea	eax, [ebp+var_23C]
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+var_30C]
		call	KiStackAttachProcess
		mov	eax, [ebp+var_308]
		cmp	byte ptr [ebp+arg_14], 0
		jz	short loc_80ED52
		cmp	eax, [ebp+var_324]
		jnz	short loc_80ED52
		mov	[ebp+var_4], 2
		mov	eax, [ebp+var_2F8]
		mov	edx, [ebp+var_318]
		add	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_91D5D1
		cmp	eax, edx
		jb	loc_91D5D1

loc_80ED4B:				; CODE XREF: MmCopyVirtualMemory+10ED54j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_80ED52:				; CODE XREF: MmCopyVirtualMemory+496j
					; MmCopyVirtualMemory+49Ej
		mov	[ebp+var_4], 3
		mov	eax, [ebp+var_2E8]
		test	al, al
		js	loc_91D62F
		and	eax, 30h
		cmp	eax, 20h
		jz	loc_91D62F
		cmp	eax, 10h
		jz	loc_91D612
		push	esi		; size_t
		push	ebx		; void *
		push	[ebp+var_314]	; void *
		call	_memcpy
		add	esp, 0Ch
		xor	ebx, ebx
		mov	[ebp+var_2F0], ebx
		mov	[ebp+var_31C], esi

loc_80ED9A:				; CODE XREF: MmCopyVirtualMemory+10EDC6j
		mov	[ebp+var_2C8], ebx
		cmp	ebx, 0C0000005h
		jz	loc_91D64B
		test	ebx, ebx
		js	loc_80F090
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	edx, edx
		lea	ecx, [ebp+var_23C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		cmp	[ebp+var_2E4], 0
		jnz	loc_80EFCF

loc_80EDD5:				; CODE XREF: MmCopyVirtualMemory+75Bj
		sub	edi, esi
		mov	[ebp+var_2D8], edi
		mov	edx, [ebp+var_2DC]
		sub	edx, esi
		mov	[ebp+var_2DC], edx
		add	[ebp+var_308], esi
		add	[ebp+var_314], esi
		mov	ebx, [ebp+var_2E8]
		jmp	loc_80EBD1
; 

loc_80EE02:				; CODE XREF: MmCopyVirtualMemory+353j
		test	edx, edx
		mov	eax, [ebp+var_2CC]
		jnz	loc_91D072
		cmp	[ebp+var_328], 0
		jnz	loc_80EEF0

loc_80EE1D:				; CODE XREF: MmCopyVirtualMemory+67Dj
		mov	eax, [ebp+var_320]
		mov	ecx, [ebp+var_2F8]
		mov	[eax], ecx

loc_80EE2B:				; CODE XREF: MmCopyVirtualMemory+B5j
		xor	eax, eax

loc_80EE2D:				; CODE XREF: MmCopyVirtualMemory+604j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_20]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_80EE4B:				; CODE XREF: MmCopyVirtualMemory+457j
		test	edx, edx
		jnz	loc_80EFE0
		mov	ecx, [ebp+var_2F8]
		sub	ecx, edi
		mov	eax, [ebp+var_320]
		mov	[eax], ecx
		mov	ebx, 8000000Dh

loc_80EE68:				; CODE XREF: MmCopyVirtualMemory+817j
		xor	edx, edx
		lea	ecx, [ebp+var_23C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		cmp	[ebp+var_328], 0
		jnz	loc_80F013

loc_80EE82:				; CODE XREF: MmCopyVirtualMemory+7A0j
		mov	eax, ebx
		jmp	short loc_80EE2D
; 

loc_80EE86:				; CODE XREF: MmCopyVirtualMemory+306j
		test	al, 2
		jz	loc_80EB8C
		mov	esi, 0E000h
		cmp	[ebp+var_2F8], esi
		jmp	short loc_80EEE5
; 

loc_80EE9B:				; CODE XREF: MmCopyVirtualMemory+32Fj
		mov	esi, 10000h
		cmp	edx, esi
		ja	short loc_80EEB0
		mov	esi, edx
		jmp	short loc_80EEB0
; 
		align 10h

loc_80EEB0:				; CODE XREF: MmCopyVirtualMemory+622j
					; MmCopyVirtualMemory+626j ...
		push	0
		push	100h
		mov	edx, 77526D4Dh
		mov	ecx, esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_304], eax
		test	eax, eax
		jz	loc_91D52E
		mov	[ebp+var_328], esi

loc_80EED7:				; CODE XREF: MmCopyVirtualMemory+10ECCDj
		mov	eax, [ebp+var_2CC]
		mov	edx, [ebp+var_2DC]
		cmp	edi, esi

loc_80EEE5:				; CODE XREF: MmCopyVirtualMemory+619j
		jbe	loc_80EBC1
		jmp	loc_80EBC3
; 

loc_80EEF0:				; CODE XREF: MmCopyVirtualMemory+597j
		push	0
		push	[ebp+var_304]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_80EE1D
; 

loc_80EF02:				; CODE XREF: MmCopyVirtualMemory+25Cj
		lea	ecx, [ebp+var_2AC]
		push	ecx
		xor	edx, edx
		mov	ecx, eax
		call	KiStackAttachProcess
		jmp	loc_80EAE2
; 

loc_80EF17:				; CODE XREF: MmCopyVirtualMemory+295j
		xor	edx, edx
		lea	ecx, [ebp+var_2AC]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, [ebp+var_2CC]
		jmp	loc_80EB1B
; 

loc_80EF2F:				; CODE XREF: MmCopyVirtualMemory+3CEj
		mov	[ebp+var_294], 0
		mov	ecx, eax
		and	ecx, 0FFFh
		lea	eax, [esi+0FFFh]
		add	eax, ecx
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[ebp+var_290], ax
		xor	eax, eax
		mov	[ebp+var_28E], ax
		mov	eax, [ebp+var_308]
		and	eax, 0FFFFF000h
		mov	[ebp+var_284], eax
		mov	[ebp+var_27C], ecx
		mov	[ebp+var_280], esi
		jmp	loc_80EC54
; 

loc_80EF85:				; CODE XREF: MmCopyVirtualMemory+3F7j
		push	0
		push	[ebp+arg_14]
		lea	eax, [ebp+var_294]
		push	eax
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	ecx, [ebp+var_2C8]
		mov	edx, [ebp+var_2E4]
		jmp	loc_80ECC1
; 

loc_80EFA7:				; CODE XREF: MmCopyVirtualMemory+45Fj
		push	0C0000020h
		push	0
		push	0
		push	1
		push	0
		lea	eax, [ebp+var_294]
		push	eax
		call	MmMapLockedPagesSpecifyCache
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_80ECEB
		jmp	loc_91D5C0
; 

loc_80EFCF:				; CODE XREF: MmCopyVirtualMemory+54Fj
		lea	eax, [ebp+var_294]
		push	eax
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		jmp	loc_80EDD5
; 

loc_80EFE0:				; CODE XREF: MmCopyVirtualMemory+5CDj
					; MmCopyVirtualMemory+10ED4Cj
		mov	eax, [ebp+var_2CC]
		and	eax, 0FFFFFFFDh
		mov	[ebp+var_2CC], eax
		mov	[ebp+var_2D4], eax
		xor	edx, edx
		lea	ecx, [ebp+var_23C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_80F002:				; CODE XREF: sub_91D680+5Aj
		mov	eax, [ebp+var_2CC]
		mov	edx, [ebp+var_2DC]
		jmp	loc_80EB80
; 

loc_80F013:				; CODE XREF: MmCopyVirtualMemory+5FCj
		push	0
		push	[ebp+var_304]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_80EE82
; 

loc_80F025:				; CODE XREF: MmCopyVirtualMemory+35Bj
		mov	esi, edi
		mov	[ebp+var_2E0], esi
		jmp	loc_80EBE1
; 

loc_80F032:				; DATA XREF: .text:006A57A8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-33Ch], eax
		mov	eax, 1
		retn
; 

loc_80F045:				; DATA XREF: .text:006A57ACo
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-33Ch]
		mov	[ebp-2C8h], ecx
		mov	[ebp-2F0h], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-2E0h]
		mov	edi, [ebp-2D8h]
		mov	eax, [ebp-2D4h]
		mov	[ebp-2CCh], eax
		mov	ebx, [ebp-340h]
		mov	edx, [ebp-344h]
		mov	[ebp-2E4h], edx
		jmp	loc_80ECC8
; 

loc_80F090:				; CODE XREF: MmCopyVirtualMemory+52Ej
					; sub_91D56D+9j ...
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_80EE68
MmCopyVirtualMemory endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmQueryValueKey(int,size_t,int,__int16,int)
CmQueryValueKey	proc near		; CODE XREF: NtQueryValueKey+423p
					; NtQueryValueKey+1064B1p

var_C6		= byte ptr -0C6h
var_C5		= byte ptr -0C5h
var_C0		= dword	ptr -0C0h
var_B4		= dword	ptr -0B4h
var_AA		= word ptr -0AAh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= word ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0091D71A SIZE 0000010C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+8Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+98h+var_50], edx
		mov	esi, ecx
		mov	[esp+98h+var_60], esi
		mov	eax, [ebp+arg_0]
		mov	[esp+98h+var_20], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+98h+var_24], eax
		xor	eax, eax
		xor	ebx, ebx
		mov	[esp+98h+var_1C], eax
		mov	[esp+98h+var_18], eax
		mov	[esp+98h+var_14], eax
		mov	[esp+98h+var_10], eax
		mov	[esp+98h+var_C], eax
		mov	[esp+98h+var_8], eax
		mov	[esp+98h+var_74], eax
		or	eax, 0FFFFFFFFh
		mov	[esp+98h+var_70], ebx
		mov	word ptr [esp+98h+var_70+2], ax
		or	eax, eax
		mov	[esp+98h+var_80], eax
		xor	eax, eax
		mov	[esp+98h+var_38], ebx
		mov	ecx, dword_6CDE84
		xor	edx, edx
		mov	word ptr [esp+98h+var_38], ax
		lea	eax, [esp+98h+var_1C]
		mov	[esp+98h+var_84], ebx
		mov	[esp+98h+var_6C], ebx
		mov	[esp+98h+var_68], ebx
		mov	[esp+98h+var_64], ebx
		mov	[esp+98h+var_54], ebx
		mov	[esp+98h+var_3C], 0FFFFFFFFh
		push	eax
		test	ecx, ecx
		jz	loc_91D71A
		call	KiStackAttachProcess

loc_80F159:				; CODE XREF: CmQueryValueKey+10E694j
		cmp	ds:_CmpPuntBoot, bl
		jnz	short loc_80F191
		mov	ecx, large fs:124h
		xor	dl, dl
		call	_PsBoostThreadIo@8 ; PsBoostThreadIo(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _CmpRegistryLock
		call	ExAcquireResourceSharedLite
		mov	eax, [esp+98h+var_64]
		mov	[esp+98h+var_84], eax

loc_80F191:				; CODE XREF: CmQueryValueKey+BFj
		mov	esi, [esi+8]
		xor	ebx, ebx
		mov	[esp+98h+var_58], esi
		movzx	eax, word ptr [esi+22h]
		mov	edi, eax
		mov	ecx, eax
		cmp	di, 2
		jge	loc_91D739

loc_80F1AC:				; CODE XREF: CmQueryValueKey+10E69Fj
					; CmQueryValueKey+10E6E8j
		movzx	ecx, ax
		mov	eax, ebx
		mov	[esp+98h+var_5C], ecx
		mov	word ptr [esp+98h+var_70], di
		mov	[esp+98h+var_84], eax
		mov	[esp+98h+var_64], eax
		mov	word ptr [esp+98h+var_70+2], cx
		test	cx, cx
		jnz	loc_80F615
		mov	[esp+98h+var_6C], esi

loc_80F1D4:				; CODE XREF: CmQueryValueKey+57Dj
					; CmQueryValueKey+5A9j
		mov	ebx, [esp+98h+var_60]
		cmp	dword ptr [ebx+20h], 0
		jnz	loc_80F657
		cmp	dword ptr [ebx+24h], 0
		jnz	loc_80F657

loc_80F1EC:				; CODE XREF: CmQueryValueKey+5F7j
		xor	eax, eax
		xor	edi, edi
		cmp	ax, cx
		jg	short loc_80F23A
		mov	eax, [esp+98h+var_84]
		lea	ebx, [esp+98h+var_6C]
		add	eax, 0FFFFFFF8h
		mov	[esp+98h+var_88], eax

loc_80F204:				; CODE XREF: CmQueryValueKey+190j
		cmp	di, 2
		jge	short loc_80F20C
		mov	eax, ebx

loc_80F20C:				; CODE XREF: CmQueryValueKey+168j
		mov	esi, [eax]
		xor	edx, edx
		lea	ecx, [esi+18h]
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [esi+1Ch]
		mov	eax, [esp+98h+var_88]
		inc	edi
		add	eax, 4
		add	ebx, 4
		mov	[esp+98h+var_88], eax
		cmp	di, word ptr [esp+98h+var_5C]
		jle	short loc_80F204
		mov	esi, [esp+98h+var_58]
		mov	ebx, [esp+98h+var_60]

loc_80F23A:				; CODE XREF: CmQueryValueKey+153j
		mov	eax, [ebx+1Ch]
		mov	ecx, [ebx+8]
		mov	[esp+98h+var_88], 0
		test	al, 9
		jnz	loc_80F6DE
		mov	edi, [esp+98h+var_74]
		test	edi, edi
		jnz	loc_80F69C

loc_80F25C:				; CODE XREF: CmQueryValueKey+614j
					; CmQueryValueKey+67Aj	...
		movzx	ecx, word ptr [esi+22h]
		test	cx, cx
		js	loc_80F5CB
		lea	esp, [esp+0]

loc_80F270:				; CODE XREF: CmQueryValueKey+5B2j
		movzx	eax, cx
		mov	[esp+98h+var_28], eax
		movsx	eax, cx
		cmp	cx, 2
		jge	loc_91D7D2
		mov	ecx, [esp+eax*4+98h+var_6C]

loc_80F288:				; CODE XREF: CmQueryValueKey+10E73Aj
		mov	edx, ebx
		mov	[esp+98h+var_7C], ecx
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		cmp	eax, 1
		jz	loc_80F5C0
		cmp	dword ptr [ecx+14h], 0FFFFFFFFh
		jz	loc_80F5AD
		test	edi, edi
		jnz	loc_80F6B9

loc_80F2AE:				; CODE XREF: CmQueryValueKey+61Fj
		mov	esi, 30h

loc_80F2B3:				; CODE XREF: CmQueryValueKey+62Aj
		mov	edi, [ecx+10h]
		xor	ebx, ebx
		xor	eax, eax
		mov	[esp+98h+var_40], ebx
		mov	word ptr [esp+98h+var_40], ax
		mov	eax, [ecx+esi]
		mov	[esp+98h+var_58], edi
		mov	[esp+98h+var_88], ebx
		mov	[esp+98h+var_44], 0FFFFFFFFh
		mov	[esp+98h+var_78], eax
		test	eax, eax
		jz	short loc_80F2FF
		mov	eax, [ecx+esi+4]
		lea	ecx, [esp+98h+var_44]
		push	ecx
		push	eax
		mov	eax, [edi+4]
		push	edi
		call	eax
		mov	ebx, eax
		mov	[esp+0A4h+var_94], eax
		mov	eax, [esp+0A4h+var_88]
		mov	eax, [eax+esi]
		mov	[esp+0A4h+var_84], eax

loc_80F2FF:				; CODE XREF: CmQueryValueKey+23Cj
		xor	ecx, ecx
		mov	[esp+0A4h+var_58], 0
		mov	[esp+0A4h+var_54], 0
		mov	[esp+0A4h+var_58], 0FFFFFFFFh
		mov	word ptr [esp+0A4h+var_54], cx
		test	eax, eax
		jz	loc_80F3E6
		xor	esi, esi
		mov	[esp+0A4h+var_8C], esi
		test	eax, eax
		jz	loc_80F3E6

loc_80F334:				; CODE XREF: CmQueryValueKey+340j
		mov	eax, [ebx+esi*4]
		lea	ecx, [esp+0A4h+var_58]
		push	ecx
		push	eax
		mov	eax, [edi+4]
		push	edi
		call	eax
		test	byte ptr [eax+10h], 1
		lea	edx, [eax+14h]
		movzx	ebx, word ptr [eax+2]
		jz	loc_80F5D5
		mov	ax, [ebp+arg_C]
		mov	esi, ebx
		mov	ecx, [ebp+arg_10]
		shr	ax, 1
		movzx	edi, ax
		test	di, di
		jz	short loc_80F399

loc_80F368:				; CODE XREF: CmQueryValueKey+2F7j
		test	si, si
		jz	short loc_80F399
		movzx	eax, byte ptr [edx]
		inc	edx
		movzx	ebx, word ptr [ecx]
		add	ecx, 2
		mov	[esp+0B0h+var_48], ecx
		mov	[esp+0B0h+var_4C], eax
		mov	[esp+0B0h+var_44], edx
		cmp	bx, ax
		jnz	short loc_80F3A3

loc_80F388:				; CODE XREF: CmQueryValueKey+4E9j
		add	edi, 0FFFFh
		add	esi, 0FFFFh
		test	di, di
		jnz	short loc_80F368

loc_80F399:				; CODE XREF: CmQueryValueKey+2C6j
					; CmQueryValueKey+2CBj
		movzx	eax, si
		movzx	ebx, di
		sub	ebx, eax
		jmp	short loc_80F3BC
; 

loc_80F3A3:				; CODE XREF: CmQueryValueKey+2E6j
		cmp	ebx, 61h
		jnb	short loc_80F3F4

loc_80F3A8:				; CODE XREF: CmQueryValueKey+363j
					; CmQueryValueKey+561j
		cmp	ax, 61h
		jnb	short loc_80F405

loc_80F3AE:				; CODE XREF: CmQueryValueKey+374j
					; CmQueryValueKey+570j
		movzx	eax, ax
		movzx	ebx, bx
		sub	ebx, eax
		jz	loc_80F581

loc_80F3BC:				; CODE XREF: CmQueryValueKey+301j
		mov	esi, [esp+0B0h+var_98]
		mov	edi, [esp+0B0h+var_70]

loc_80F3C4:				; CODE XREF: CmQueryValueKey+54Ej
		mov	ecx, [edi+8]
		lea	eax, [esp+0B0h+var_64]
		push	eax
		push	edi
		call	ecx
		test	ebx, ebx
		jz	short loc_80F416
		mov	ebx, [esp+0B8h+var_A8]
		inc	esi
		mov	[esp+0B8h+var_A0], esi
		cmp	esi, [esp+0B8h+var_98]
		jb	loc_80F334

loc_80F3E6:				; CODE XREF: CmQueryValueKey+280j
					; CmQueryValueKey+28Ej
		mov	ecx, [esp+0B8h+var_A8]
		or	eax, 0FFFFFFFFh
		mov	ebx, 0C0000034h
		jmp	short loc_80F41F
; 

loc_80F3F4:				; CODE XREF: CmQueryValueKey+306j
		cmp	ebx, 7Ah
		ja	loc_80F5F3
		add	ebx, 0FFE0h
		jmp	short loc_80F3A8
; 

loc_80F405:				; CODE XREF: CmQueryValueKey+30Cj
		cmp	ax, 7Ah
		ja	loc_80F606
		add	eax, 0FFE0h
		jmp	short loc_80F3AE
; 

loc_80F416:				; CODE XREF: CmQueryValueKey+331j
		mov	ecx, [esp+0B8h+var_A8]
		xor	ebx, ebx
		mov	eax, [ecx+esi*4]

loc_80F41F:				; CODE XREF: CmQueryValueKey+352j
		mov	[esp+0B8h+var_A0], eax
		test	ecx, ecx
		jz	short loc_80F432
		lea	eax, [esp+0B8h+var_64]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax

loc_80F432:				; CODE XREF: CmQueryValueKey+385j
		test	ebx, ebx
		js	loc_80F58E
		mov	edi, [esp+0C0h+var_A4]
		mov	eax, [edi+10h]
		mov	[esp+0C0h+var_7C], eax

loc_80F445:				; CODE XREF: CmQueryValueKey+526j
		mov	ebx, [esp+0C0h+var_A8]
		cmp	ebx, 0FFFFFFFFh
		jz	loc_80F5CB
		lea	ecx, [esp+0C0h+var_64]
		push	ecx
		push	ebx
		push	eax
		mov	eax, [eax+4]
		call	eax
		mov	esi, eax
		mov	eax, [esp+0CCh+var_88]
		test	dword ptr [eax+64h], 80000h
		jnz	loc_80F6CF

loc_80F471:				; CODE XREF: CmQueryValueKey+633j
		push	[esp+0CCh+var_58] ; int
		mov	edx, ebx
		mov	ecx, edi
		push	[ebp+arg_4]	; size_t
		push	[esp+0D4h+var_54] ; int
		push	[esp+0D8h+var_84] ; int
		push	esi		; size_t
		call	CmpQueryKeyValueData
		xor	ebx, ebx
		test	eax, eax
		setns	bl
		dec	ebx
		and	ebx, eax
		mov	eax, [esp+0CCh+var_88]

loc_80F49B:				; CODE XREF: CmQueryValueKey+10E744j
		test	esi, esi
		jz	short loc_80F4AA
		lea	ecx, [esp+0CCh+var_70]
		push	ecx
		push	eax
		mov	eax, [eax+8]
		call	eax

loc_80F4AA:				; CODE XREF: CmQueryValueKey+3FDj
					; CmQueryValueKey+4F4j	...
		xor	eax, eax
		xor	esi, esi
		cmp	ax, word ptr [esp+0D4h+var_98]
		jg	loc_91D76C
		mov	eax, [esp+0D4h+var_C0]
		lea	edi, [esp+0D4h+var_A8]
		add	eax, 0FFFFFFF8h
		mov	[esp+0D4h+var_B4], eax

loc_80F4C8:				; CODE XREF: CmQueryValueKey+485j
		cmp	si, 2
		jge	short loc_80F4D0
		mov	eax, edi

loc_80F4D0:				; CODE XREF: CmQueryValueKey+42Cj
		mov	ecx, [eax]
		mov	[esp+0D4h+var_8C], ecx
		test	dword ptr [ecx+4], 80000h
		jnz	loc_91D7E9
		mov	[esp+0D4h+var_C5], 0

loc_80F4E8:				; CODE XREF: CmQueryValueKey+10E74Ej
		mov	eax, large fs:124h
		lea	edx, [ecx+1Ch]
		cmp	[edx], eax
		jz	loc_91D7F3
		lock dec dword ptr [edx]

loc_80F4FC:				; CODE XREF: CmQueryValueKey+10E75Aj
		add	ecx, 18h
		xor	edx, edx
		call	ExReleasePushLockEx
		cmp	[esp+0D4h+var_C5], 0
		jnz	loc_91D7FF

loc_80F511:				; CODE XREF: CmQueryValueKey+10E76Aj
					; CmQueryValueKey+10E775j
		mov	eax, [esp+0D4h+var_B4]
		inc	esi
		add	eax, 4
		add	edi, 4
		mov	[esp+0D4h+var_B4], eax
		cmp	si, [esp+0D4h+var_AA]
		jle	short loc_80F4C8
		mov	esi, [esp+0D4h+var_A0]

loc_80F52B:				; CODE XREF: CmQueryValueKey+10E6D0j
		cmp	ds:_CmpPuntBoot, 0
		jnz	short loc_80F555
		mov	ecx, offset _CmpRegistryLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, large fs:124h
		mov	dl, 1
		call	_PsBoostThreadIo@8 ; PsBoostThreadIo(x,x)
		mov	esi, [esp+0D4h+var_A0]

loc_80F555:				; CODE XREF: CmQueryValueKey+492j
		xor	edx, edx
		lea	ecx, [esp+0D4h+var_58]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		test	esi, esi
		jnz	loc_91D81A

loc_80F568:				; CODE XREF: CmQueryValueKey+10E781j
		mov	ecx, [esp+0D4h+var_40]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_80F581:				; CODE XREF: CmQueryValueKey+316j
		mov	ecx, [esp+0B0h+var_48]
		mov	edx, [esp+0B0h+var_44]
		jmp	loc_80F388
; 

loc_80F58E:				; CODE XREF: CmQueryValueKey+394j
		cmp	ebx, 0C0000034h
		jnz	loc_80F4AA
		mov	ebx, [esp+0C0h+var_88]
		mov	edx, ebx
		mov	ecx, [esp+0C0h+var_A4]
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		test	eax, eax
		jnz	short loc_80F5C0

loc_80F5AD:				; CODE XREF: CmQueryValueKey+200j
		mov	eax, [esp+0C0h+var_50]
		dec	eax
		movzx	eax, ax
		mov	ecx, eax
		test	ax, ax
		jns	loc_80F64E

loc_80F5C0:				; CODE XREF: CmQueryValueKey+1F6j
					; CmQueryValueKey+50Bj
		mov	edi, [esp+0C0h+var_A4]
		xor	eax, eax
		jmp	loc_80F445
; 

loc_80F5CB:				; CODE XREF: CmQueryValueKey+1C3j
					; CmQueryValueKey+3ACj
		mov	ebx, 0C0000034h
		jmp	loc_80F4AA
; 

loc_80F5D5:				; CODE XREF: CmQueryValueKey+2AEj
		push	1
		mov	eax, ebx
		shr	eax, 1
		push	eax
		movzx	eax, [ebp+arg_C]
		push	edx
		shr	eax, 1
		push	eax
		push	[ebp+arg_10]
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		mov	ebx, eax
		jmp	loc_80F3C4
; 

loc_80F5F3:				; CODE XREF: CmQueryValueKey+357j
		mov	ecx, ebx
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		movzx	ebx, ax
		mov	eax, [esp+0B0h+var_4C]
		jmp	loc_80F3A8
; 

loc_80F606:				; CODE XREF: CmQueryValueKey+369j
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		movzx	eax, ax
		jmp	loc_80F3AE
; 

loc_80F615:				; CODE XREF: CmQueryValueKey+12Aj
		mov	edi, [esi+6Ch]
		movzx	edx, cx
		test	edi, edi
		jz	loc_80F1D4

loc_80F623:				; CODE XREF: CmQueryValueKey+596j
		mov	eax, [edi+8]
		lea	ecx, [esp+98h+var_70]
		push	eax
		call	_CmpSetKcbAtLayerHeight@12 ; CmpSetKcbAtLayerHeight(x,x,x)
		mov	edi, [edi+0Ch]
		dec	edx
		test	edi, edi
		jnz	short loc_80F623
		movzx	ecx, word ptr [esp+98h+var_70+2]
		mov	eax, [esp+98h+var_64]
		mov	[esp+98h+var_84], eax
		mov	[esp+98h+var_5C], ecx
		jmp	loc_80F1D4
; 

loc_80F64E:				; CODE XREF: CmQueryValueKey+51Aj
		mov	edi, [esp+0C0h+var_9C]
		jmp	loc_80F270
; 

loc_80F657:				; CODE XREF: CmQueryValueKey+13Cj
					; CmQueryValueKey+146j
		lea	ecx, [esp+98h+var_70]
		call	_CmpLockKcbStackShared@4 ; CmpLockKcbStackShared(x)
		xor	edx, edx
		mov	ecx, ebx
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_91D78D
		lea	ecx, [esp+98h+var_70]
		call	CmpUnlockKcbStack
		lea	edx, [esp+98h+var_74]
		mov	ecx, ebx
		call	CmpTransSearchAddTransFromKeyBody
		mov	ebx, eax
		test	ebx, ebx
		js	loc_91D76C
		mov	ebx, [esp+98h+var_60]
		mov	ecx, [esp+98h+var_5C]
		jmp	loc_80F1EC
; 

loc_80F69C:				; CODE XREF: CmQueryValueKey+1B6j
		lea	edi, [ecx+70h]
		push	10h
		lea	edx, [esp+9Ch+var_88]
		mov	ecx, edi
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jnz	short loc_80F6F0
		mov	edi, [esp+98h+var_74]
		jmp	loc_80F25C
; 

loc_80F6B9:				; CODE XREF: CmQueryValueKey+208j
		cmp	[ecx+9Ch], edi
		jnz	loc_80F2AE
		mov	esi, 94h
		jmp	loc_80F2B3
; 

loc_80F6CF:				; CODE XREF: CmQueryValueKey+3CBj
		test	byte ptr [esi+10h], 2
		jz	loc_80F471
		jmp	loc_91D7DF
; 

loc_80F6DE:				; CODE XREF: CmQueryValueKey+1AAj
					; CmQueryValueKey+10E723j
		test	al, 1
		jnz	loc_91D7C8
		mov	ebx, 0C000017Ch
		jmp	loc_80F4AA
; 

loc_80F6F0:				; CODE XREF: CmQueryValueKey+60Ej
					; CmQueryValueKey+674j
		mov	ecx, [eax+24h]
		cmp	ecx, 2
		jz	loc_91D7AA
		cmp	ecx, 0Bh
		jz	loc_91D7AA
		push	10h
		lea	edx, [esp+9Ch+var_88]
		mov	ecx, edi
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jnz	short loc_80F6F0
		mov	edi, [esp+98h+var_74]
		jmp	loc_80F25C
CmQueryValueKey	endp

; 
		align 10h

; __stdcall HvpGetCellPaged(x, x, x)
_HvpGetCellPaged@12:			; DATA XREF: HvHiveStartFileBacked+AAo
					; HvHiveStartMemoryBacked+D0o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+0Ch]
		cmp	ecx, 0FFFFFFFFh
		jz	loc_80F7D6
		cmp	ds:_HvShutdownComplete,	1
		jnz	short loc_80F740
		xor	eax, eax
		pop	ebp
		retn	0Ch
; 

loc_80F740:				; CODE XREF: PAGE:0080F738j
		push	ebx
		mov	ebx, [ebp+10h]
		mov	eax, ecx
		shr	eax, 1Fh
		mov	edx, ecx
		push	esi
		mov	esi, ecx
		shr	edx, 0Ch
		push	edi
		mov	edi, ecx
		shr	esi, 15h
		imul	ecx, eax, 19Ch
		and	esi, 3FFh
		mov	eax, [ebp+8]
		and	edx, 1FFh
		and	edi, 0FFFh
		mov	eax, [ecx+eax+0CCh]
		lea	ecx, [edx+edx*2]
		mov	edx, large fs:124h
		mov	eax, [eax+esi*4]
		lea	eax, [eax+ecx*4]
		mov	ecx, [eax+4]
		or	word ptr [ebx+4], 1
		and	ecx, 0FFFFFFF0h
		mov	esi, [eax]
		movzx	eax, byte ptr [edx+308h]
		add	esi, ecx
		mov	ecx, [edx+2F4h]
		mov	byte ptr [edx+308h], 2
		lea	ecx, [eax+ecx*4]
		mov	eax, [esi+edi]
		mov	al, cl
		shr	ecx, 2
		and	al, 3
		mov	[edx+2F4h], ecx
		mov	[edx+308h], al
		mov	eax, [ebp+0Ch]
		mov	[ebx], eax
		lea	eax, [edi+4]
		pop	edi
		add	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_80F7D6:				; CODE XREF: PAGE:0080F72Bj
		push	0FFFFFFFFh
		push	dword ptr [ebp+8]
		push	1
		push	32h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpReleaseCellPaged proc near		; DATA XREF: HvHiveStartFileBacked+B1o
					; HvHiveStartMemoryBacked+D7o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0091D826 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, [eax]
		mov	edx, ebx
		shr	edx, 1Fh
		imul	ecx, edx, 19Ch
		shl	edx, 1Fh
		add	edx, ebx
		cmp	edx, [ecx+esi+0C8h]
		jnb	loc_91D826
		mov	esi, [ecx+esi+0CCh]
		mov	ecx, ebx
		push	edi
		shr	ecx, 0Ch
		mov	edi, ebx
		shr	edi, 15h
		and	ecx, 1FFh
		and	edi, 3FFh
		lea	edx, [ecx+ecx*2]
		mov	ecx, [esi+edi*4]
		pop	edi
		lea	ecx, [ecx+edx*4]
		test	ecx, ecx
		jz	short loc_80F859
		xor	ecx, ecx
		pop	esi
		mov	[eax+4], ecx
		mov	dword ptr [eax], 0FFFFFFFFh
		pop	ebx
		pop	ebp
		retn	8
; 

loc_80F859:				; CODE XREF: HvpReleaseCellPaged+56j
		mov	esi, [ebp+arg_0]
		jmp	loc_91D826
HvpReleaseCellPaged endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpLockRegistry()
_CmpLockRegistry@0 proc	near		; CODE XREF: CmpRecheckHiveVolumePolicy(x)+7p
					; CmpRecheckHiveVolumePolicy(x)+64p ...
		mov	edi, edi
		push	ecx
		cmp	ds:_CmpPuntBoot, 0
		jnz	short loc_80F8A4
		mov	ecx, large fs:124h
		xor	dl, dl
		call	_PsBoostThreadIo@8 ; PsBoostThreadIo(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _CmpRegistryLock
		call	ExAcquireResourceSharedLite

loc_80F8A4:				; CODE XREF: CmpLockRegistry()+Aj
		pop	ecx
		retn
_CmpLockRegistry@0 endp

; 
		align 10h
; Exported entry 2475. SeLockSubjectContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeLockSubjectContext(x)
		public _SeLockSubjectContext@4
_SeLockSubjectContext@4	proc near	; CODE XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+5Ap
					; SeAccessCheckWithHintWithAdminlessChecks+133p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		push	1
		mov	eax, [esi+8]
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		cmp	dword ptr [esi], 0
		jnz	short loc_80F8DF

loc_80F8DA:				; CODE XREF: SeLockSubjectContext(x)+4Aj
		pop	esi
		pop	ebp
		retn	4
; 

loc_80F8DF:				; CODE XREF: SeLockSubjectContext(x)+28j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [esi]
		push	1
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		jmp	short loc_80F8DA
_SeLockSubjectContext@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpUnlockRegistry()
_CmpUnlockRegistry@0 proc near		; CODE XREF: CmpTryToRundownHive+B3p
					; CmpTryToRundownHive+11Ap ...
		mov	edi, edi
		push	ecx
		cmp	ds:_CmpPuntBoot, 0
		jnz	short loc_80F929
		mov	ecx, offset _CmpRegistryLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, large fs:124h
		mov	dl, 1
		call	_PsBoostThreadIo@8 ; PsBoostThreadIo(x,x)

loc_80F929:				; CODE XREF: CmpUnlockRegistry()+Aj
		pop	ecx
		retn
_CmpUnlockRegistry@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpIncrementHandleCountEx proc near	; CODE XREF: ObInheritObjectHandle+59p
					; ObCaptureObjectStateForDuplication+FCp ...

var_66		= byte ptr -66h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_4E		= byte ptr -4Eh
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0091D83E SIZE 000000E6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+54h+var_30], ecx
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	[esp+5Ch+var_48], eax
		mov	eax, [ebp+arg_10]
		push	edi
		lea	edi, [ecx-18h]
		mov	[esp+60h+var_4C], eax
		xor	eax, eax
		mov	[esp+60h+var_24], ecx
		mov	ebx, edi
		mov	[esp+60h+var_1C], eax
		shr	ebx, 8
		mov	[esp+60h+var_18], eax
		mov	[esp+60h+var_14], eax
		mov	[esp+60h+var_10], eax
		mov	[esp+60h+var_C], eax
		mov	[esp+60h+var_8], eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		movzx	ecx, bl
		xor	ecx, eax
		mov	[esp+60h+var_28], edx
		movzx	eax, byte ptr [edi+0Ch]
		xor	ecx, eax
		test	[ebp+arg_C], 400h
		mov	esi, ds:_ObTypeIndexTable[ecx*4]
		mov	[esp+60h+var_20], esi
		jnz	loc_80FD5B
		mov	eax, [ebp+arg_8]
		mov	[esp+60h+var_4D], al

loc_80F9B9:				; CODE XREF: ObpIncrementHandleCountEx+430j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [edi+8]
		xor	edx, edx
		mov	ecx, eax
		mov	[esp+60h+var_2C], eax
		call	ExAcquirePushLockExclusiveEx
		mov	dl, [edi+0Fh]
		mov	al, [edi+0Eh]
		mov	dh, dl
		and	dh, 1
		mov	[esp+60h+var_38], 0
		mov	[esp+60h+var_41], dh
		test	al, 8
		jz	loc_80FD54
		movzx	eax, al
		mov	ecx, edi
		and	eax, 0Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax

loc_80FA07:				; CODE XREF: ObpIncrementHandleCountEx+426j
		mov	[esp+60h+var_34], ecx
		test	dh, dh
		jz	short loc_80FA8D
		and	dl, 0FEh
		mov	[edi+0Fh], dl
		test	ecx, ecx
		jz	loc_80FDC5
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		mov	ecx, [esp+60h+var_4C]
		mov	[esp+60h+var_3C], edx
		mov	[esp+60h+var_40], eax
		test	ecx, ecx
		jnz	loc_80FC8B
		mov	ecx, [edi+14h]
		test	ecx, ecx
		jnz	loc_80FC82

loc_80FA41:				; CODE XREF: ObpIncrementHandleCountEx+355j
					; ObpIncrementHandleCountEx+3CBj ...
		mov	ecx, [esp+60h+var_48]
		cmp	ecx, ds:_PsInitialSystemProcess
		jz	loc_80FC78
		mov	ebx, [ecx+188h]
		test	edx, edx
		jz	short loc_80FA73
		push	edx
		push	1
		xor	edx, edx
		mov	ecx, ebx
		call	@PspChargeQuota@16 ; PspChargeQuota(x,x,x,x)
		test	eax, eax
		js	loc_91D848
		mov	eax, [esp+60h+var_40]

loc_80FA73:				; CODE XREF: ObpIncrementHandleCountEx+129j
		test	eax, eax
		jnz	loc_80FB58

loc_80FA7B:				; CODE XREF: ObpIncrementHandleCountEx+236j
		lock inc dword ptr [ebx+200h]

loc_80FA82:				; CODE XREF: ObpIncrementHandleCountEx+34Dj
					; ObpIncrementHandleCountEx+10DF1Aj ...
		mov	[edi+10h], ebx
		test	ebx, ebx
		jz	loc_91D86A

loc_80FA8D:				; CODE XREF: ObpIncrementHandleCountEx+DDj
		mov	dl, [edi+0Fh]
		mov	eax, [ebp+arg_C]
		and	dl, 8
		mov	[esp+60h+var_4C], 0
		test	al, 20h
		jnz	loc_80FE10
		test	dl, dl
		jnz	loc_80FDFA

loc_80FAAE:				; CODE XREF: ObpIncrementHandleCountEx+4D5j
					; ObpIncrementHandleCountEx+53Aj
		cmp	[esp+60h+var_4D], 0
		jz	short loc_80FABF
		test	byte ptr [edi+0Fh], 4
		jnz	loc_91D898

loc_80FABF:				; CODE XREF: ObpIncrementHandleCountEx+183j
		cmp	[esp+60h+var_41], 0
		lea	ebx, [edi+4]
		jz	short loc_80FB3E

loc_80FAC9:				; CODE XREF: ObpIncrementHandleCountEx+211j
					; ObpIncrementHandleCountEx+217j ...
		test	byte ptr [esi+2Ah], 10h
		mov	[esp+60h+var_3C], 0
		jnz	loc_80FB71

loc_80FADB:				; CODE XREF: ObpIncrementHandleCountEx+257j
		lock inc dword ptr [ebx]
		cmp	dword ptr [esi+5Ch], 0
		jnz	loc_80FBC9

loc_80FAE8:				; CODE XREF: ObpIncrementHandleCountEx+313j
		test	byte ptr [esi+2Ah], 10h
		jnz	loc_80FB92

loc_80FAF2:				; CODE XREF: ObpIncrementHandleCountEx+294j
					; ObpIncrementHandleCountEx+47Ej
		xor	edx, edx
		lea	ecx, [edi+8]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[esp+60h+var_30], 0
		jnz	short loc_80FB12
		test	byte ptr [edi+0Eh], 1
		jnz	loc_80FE6F

loc_80FB12:				; CODE XREF: ObpIncrementHandleCountEx+1D6j
					; ObpIncrementHandleCountEx+542j ...
		mov	eax, 1
		lock xadd [esi+1Ch], eax
		inc	eax
		cmp	eax, [esi+24h]
		ja	loc_80FDB3

loc_80FB26:				; CODE XREF: ObpIncrementHandleCountEx+343j
					; ObpIncrementHandleCountEx+486j ...
		mov	ecx, [esp+60h+var_4]
		mov	eax, [esp+60h+var_4C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_80FB3E:				; CODE XREF: ObpIncrementHandleCountEx+197j
		cmp	dword ptr [ebx], 0
		jnz	short loc_80FAC9
		test	byte ptr [esi+2Ah], 10h
		jz	short loc_80FAC9
		cmp	dword ptr [esi+5Ch], 0
		jnz	loc_80FAC9
		jmp	loc_91D8AC
; 

loc_80FB58:				; CODE XREF: ObpIncrementHandleCountEx+145j
		push	eax
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	@PspChargeQuota@16 ; PspChargeQuota(x,x,x,x)
		test	eax, eax
		jns	loc_80FA7B
		jmp	loc_91D84F
; 

loc_80FB71:				; CODE XREF: ObpIncrementHandleCountEx+1A5j
		mov	edx, [esp+60h+var_48]
		lea	eax, [esp+60h+var_3C]
		push	eax
		mov	ecx, edi
		call	ObpLockHandleDataBaseEntry
		mov	[esp+60h+var_4C], eax
		test	eax, eax
		jns	loc_80FADB
		jmp	loc_91D8BE
; 

loc_80FB92:				; CODE XREF: ObpIncrementHandleCountEx+1BCj
		movzx	eax, byte ptr [edi+0Eh]
		mov	edx, edi
		and	eax, 7
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	edx, eax
		test	byte ptr [edi+0Fh], 40h
		jz	loc_80FD65
		dec	byte ptr [edx+7]
		mov	eax, [edx+4]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 0FFFFFFh
		xor	ecx, eax
		mov	[edx+4], ecx
		jmp	loc_80FAF2
; 

loc_80FBC9:				; CODE XREF: ObpIncrementHandleCountEx+1B2j
		xor	edx, edx
		lea	ecx, [edi+8]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, large fs:124h
		mov	ecx, [esp+60h+var_48]
		mov	[esp+60h+var_4D], 0
		mov	[esp+60h+var_40], 0
		mov	eax, [eax+80h]
		cmp	ecx, eax
		mov	eax, [esp+60h+var_30]
		jnz	loc_80FD00

loc_80FC01:				; CODE XREF: ObpIncrementHandleCountEx+3D3j
					; ObpIncrementHandleCountEx+406j
		push	[esp+60h+var_3C]
		push	[esp+64h+var_28]
		push	[esp+68h+var_24]
		push	ecx
		push	[ebp+arg_8]
		push	eax
		mov	eax, [esi+5Ch]
		call	eax
		cmp	byte ptr [esp+13h], 0
		mov	[esp+78h+var_64], eax
		jnz	loc_80FD3B

loc_80FC26:				; CODE XREF: ObpIncrementHandleCountEx+41Fj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [edi+8]
		call	ExAcquirePushLockExclusiveEx
		cmp	[esp+78h+var_64], 0
		jge	loc_80FAE8
		test	byte ptr [esi+2Ah], 10h
		jz	short loc_80FC5A
		mov	edx, [esp+78h+var_60]
		mov	ecx, edi
		call	_ObpUnlockHandleDatabaseEntry@8	; ObpUnlockHandleDatabaseEntry(x,x)

loc_80FC5A:				; CODE XREF: ObpIncrementHandleCountEx+31Dj
		lock dec dword ptr [ebx]
		xor	edx, edx
		lea	ecx, [edi+8]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, edi
		call	ObpDeleteNameCheck
		jmp	loc_80FB26
; 

loc_80FC78:				; CODE XREF: ObpIncrementHandleCountEx+11Bj
		mov	ebx, 1
		jmp	loc_80FA82
; 

loc_80FC82:				; CODE XREF: ObpIncrementHandleCountEx+10Bj
		and	ecx, 0FFFFFFF8h
		jz	loc_80FA41

loc_80FC8B:				; CODE XREF: ObpIncrementHandleCountEx+100j
		lea	edx, [esp+60h+var_38]
		call	_SeComputeQuotaInformationSize@8 ; SeComputeQuotaInformationSize(x,x)
		mov	[esp+60h+var_4C], eax
		test	eax, eax
		js	loc_91D8BE
		mov	eax, [esp+60h+var_38]
		test	eax, eax
		jz	loc_80FDF1
		mov	ecx, [esp+60h+var_48]
		cmp	ecx, ds:_PsInitialSystemProcess
		jz	loc_80FDBB
		mov	ebx, [ecx+188h]
		xor	edx, edx
		push	eax
		push	1
		mov	ecx, ebx
		call	@PspChargeQuota@16 ; PspChargeQuota(x,x,x,x)
		test	eax, eax
		js	loc_91D837
		lock inc dword ptr [ebx+200h]

loc_80FCDD:				; CODE XREF: HvpReleaseCellPaged+10E049j
		mov	eax, [esp+60h+var_38]

loc_80FCE1:				; CODE XREF: ObpIncrementHandleCountEx+490j
		mov	ecx, [esp+60h+var_34]
		mov	[ecx+0Ch], ebx
		test	ebx, ebx
		jz	loc_91D83E

loc_80FCF0:				; CODE XREF: ObpIncrementHandleCountEx+4C5j
		mov	edx, [esp+60h+var_3C]
		mov	[ecx+8], eax
		mov	eax, [esp+60h+var_40]
		jmp	loc_80FA41
; 

loc_80FD00:				; CODE XREF: ObpIncrementHandleCountEx+2CBj
		cmp	eax, 3
		jz	loc_80FC01
		push	ecx
		mov	[esp+64h+var_4D], 1
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		push	eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	ecx, [esp+60h+var_48]
		xor	edx, edx
		mov	[esp+60h+var_40], eax
		lea	eax, [esp+60h+var_1C]
		push	eax
		call	KiStackAttachProcess
		mov	eax, [esp+60h+var_30]
		mov	ecx, [esp+60h+var_48]
		jmp	loc_80FC01
; 

loc_80FD3B:				; CODE XREF: ObpIncrementHandleCountEx+2F0j
		xor	edx, edx
		lea	ecx, [esp+78h+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		push	[esp+78h+var_58]
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		jmp	loc_80FC26
; 

loc_80FD54:				; CODE XREF: ObpIncrementHandleCountEx+C0j
		xor	ecx, ecx
		jmp	loc_80FA07
; 

loc_80FD5B:				; CODE XREF: ObpIncrementHandleCountEx+7Cj
		mov	[esp+60h+var_4D], 1
		jmp	loc_80F9B9
; 

loc_80FD65:				; CODE XREF: ObpIncrementHandleCountEx+278j
		mov	eax, [edx]
		xor	ebx, ebx
		xor	edx, edx
		mov	ecx, [eax]
		add	eax, 4
		test	ecx, ecx
		jz	short loc_80FD98
		mov	esi, [esp+60h+var_48]

loc_80FD78:				; CODE XREF: ObpIncrementHandleCountEx+452j
		cmp	[eax], esi
		jz	short loc_80FD86

loc_80FD7C:				; CODE XREF: ObpIncrementHandleCountEx+462j
		add	eax, 8
		sub	ecx, 1
		jnz	short loc_80FD78
		jmp	short loc_80FD94
; 

loc_80FD86:				; CODE XREF: ObpIncrementHandleCountEx+44Aj
		test	edx, edx
		jnz	short loc_80FD8C
		mov	edx, eax

loc_80FD8C:				; CODE XREF: ObpIncrementHandleCountEx+458j
		cmp	byte ptr [eax+7], 0FFh
		mov	ebx, eax
		jnb	short loc_80FD7C

loc_80FD94:				; CODE XREF: ObpIncrementHandleCountEx+454j
		mov	esi, [esp+60h+var_20]

loc_80FD98:				; CODE XREF: ObpIncrementHandleCountEx+442j
		mov	eax, [edx+4]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 0FFFFFFh
		xor	ecx, eax
		mov	[edx+4], ecx
		dec	byte ptr [ebx+7]
		jmp	loc_80FAF2
; 

loc_80FDB3:				; CODE XREF: ObpIncrementHandleCountEx+1F0j
		mov	[esi+24h], eax
		jmp	loc_80FB26
; 

loc_80FDBB:				; CODE XREF: ObpIncrementHandleCountEx+386j
		mov	ebx, 1
		jmp	loc_80FCE1
; 

loc_80FDC5:				; CODE XREF: ObpIncrementHandleCountEx+E7j
		movzx	eax, byte ptr ds:_ObHeaderCookie
		movzx	ecx, bl
		xor	ecx, eax
		movzx	eax, byte ptr [edi+0Ch]
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	edx, [eax+50h]
		mov	eax, [eax+54h]
		mov	[esp+60h+var_3C], edx
		mov	[esp+60h+var_40], eax
		jmp	loc_80FA41
; 

loc_80FDF1:				; CODE XREF: ObpIncrementHandleCountEx+376j
		mov	ecx, [esp+60h+var_34]
		jmp	loc_80FCF0
; 

loc_80FDFA:				; CODE XREF: ObpIncrementHandleCountEx+178j
		mov	ecx, edi
		call	_OBJECT_HEADER_TO_PROCESS_INFO@4 ; OBJECT_HEADER_TO_PROCESS_INFO(x)
		mov	eax, [eax]
		test	eax, eax
		jz	loc_80FAAE
		jmp	loc_91D898
; 

loc_80FE10:				; CODE XREF: ObpIncrementHandleCountEx+170j
		test	dl, dl
		setnz	cl
		test	al, 2
		setz	al
		test	cl, al
		jz	loc_91D8A2
		test	dl, dl
		jz	short loc_80FE33
		mov	ecx, edi
		call	_OBJECT_HEADER_TO_PROCESS_INFO@4 ; OBJECT_HEADER_TO_PROCESS_INFO(x)
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_80FE3D

loc_80FE33:				; CODE XREF: ObpIncrementHandleCountEx+4F4j
		cmp	dword ptr [edi+4], 0
		jnz	loc_91D898

loc_80FE3D:				; CODE XREF: ObpIncrementHandleCountEx+501j
		test	dl, dl
		jz	short loc_80FE52
		mov	ecx, edi
		call	_OBJECT_HEADER_TO_PROCESS_INFO@4 ; OBJECT_HEADER_TO_PROCESS_INFO(x)
		mov	eax, [eax]
		test	eax, eax
		jnz	loc_91D88E

loc_80FE52:				; CODE XREF: ObpIncrementHandleCountEx+50Fj
					; ObpIncrementHandleCountEx+10DF62j
		movzx	eax, byte ptr [edi+0Eh]
		and	eax, 1Fh
		movzx	ecx, _ObpInfoMaskToOffset[eax]
		mov	eax, edi
		sub	eax, ecx
		mov	ecx, [esp+60h+var_48]
		mov	[eax], ecx
		jmp	loc_80FAAE
; 

loc_80FE6F:				; CODE XREF: ObpIncrementHandleCountEx+1DCj
		add	edi, 0FFFFFFF0h
		jz	loc_80FB12
		jmp	loc_91D8D3
ObpIncrementHandleCountEx endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2523. SeUnlockSubjectContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeUnlockSubjectContext(x)
		public _SeUnlockSubjectContext@4
_SeUnlockSubjectContext@4 proc near	; CODE XREF: IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)+108p
					; SeAccessCheckWithHintWithAdminlessChecks+466p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+8]
		mov	ecx, [ecx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esi]
		test	ecx, ecx
		jnz	short loc_80FEB4

loc_80FEAF:				; CODE XREF: SeUnlockSubjectContext(x)+31j
		pop	esi
		pop	ebp
		retn	4
; 

loc_80FEB4:				; CODE XREF: SeUnlockSubjectContext(x)+1Dj
		mov	ecx, [ecx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	short loc_80FEAF
_SeUnlockSubjectContext@4 endp

; 
		align 10h

; __stdcall ObCloseHandleTableEntry(x, x, x, x,	x, x)
_ObCloseHandleTableEntry@24:		; CODE XREF: ExSweepHandleTable+A0p
					; ObpCloseHandle+6Ep ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+68h], eax
		mov	eax, [ebp+8]
		push	ebx
		push	esi
		mov	esi, [ebp+0Ch]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	[esp+20h], eax
		xor	eax, eax
		mov	[esp+38h], esi
		mov	[esp+44h], eax
		mov	[esp+48h], eax
		mov	edx, [edi]
		and	edx, 0FFFFFFF8h
		mov	[esp+4Ch], eax
		mov	[esp+50h], eax
		mov	[esp+54h], eax
		mov	[esp+58h], eax
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, al
		mov	[esp+3Ch], eax
		movzx	eax, byte ptr [edx+0Ch]
		xor	ecx, eax
		mov	[esp+40h], edx
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	byte ptr [esp+12h], 0
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		lea	ecx, [edx+18h]
		mov	[esp+1Ch], eax
		mov	[esp+18h], ecx
		mov	edx, [eax+74h]
		test	edx, edx
		jz	loc_80FFEE
		mov	eax, large fs:124h
		mov	ecx, [esp+20h]
		cmp	[eax+80h], ecx
		jz	short loc_80FF89
		lea	eax, [esp+44h]
		xor	edx, edx
		push	eax
		call	KiStackAttachProcess
		mov	edx, [esp+1Ch]
		mov	ecx, [esp+20h]
		mov	byte ptr [esp+12h], 1
		mov	edx, [edx+74h]

loc_80FF89:				; CODE XREF: PAGE:0080FF6Bj
		push	dword ptr [ebp+10h]
		push	esi
		push	dword ptr [esp+20h]
		push	ecx
		call	edx
		test	al, al
		jnz	short loc_80FFEE
		mov	eax, 1
		lock xadd [edi], eax
		lea	ecx, [ebx+20h]
		mov	dword ptr [esp+28h], 0
		xor	edx, edx
		lea	eax, [esp+28h]
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	short loc_80FFBE
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_80FFBE:				; CODE XREF: PAGE:0080FFB7j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	byte ptr [esp+12h], 0
		jz	short loc_80FFD5
		xor	edx, edx
		lea	ecx, [esp+44h]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_80FFD5:				; CODE XREF: PAGE:0080FFC8j
					; PAGE:0081007Ej ...
		mov	eax, 0C0000235h
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+68h]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_80FFEE:				; CODE XREF: PAGE:0080FF55j
					; PAGE:0080FF96j
		mov	eax, [edi]
		mov	ecx, [edi+4]
		and	eax, 6
		mov	[esp+14h], eax
		test	ecx, 4000000h

loc_810000:				; DATA XREF: KeQuerySpeculationControlInformation(x,x,x)+274o
		jz	short loc_810009
		or	eax, 8
		mov	[esp+14h], eax

loc_810009:				; CODE XREF: PAGE:loc_810000j
		test	ecx, 2000000h
		jz	short loc_810018
		or	eax, 1
		mov	[esp+14h], eax

loc_810018:				; CODE XREF: PAGE:0081000Fj
		test	al, 1
		jz	loc_8100CD
		cmp	byte ptr [ebp+14h], 0
		jnz	loc_8100CD
		cmp	byte ptr [ebp+10h], 0
		jz	loc_8103E5
		mov	eax, 1
		lock xadd [edi], eax
		lea	ecx, [ebx+20h]
		mov	dword ptr [esp+2Ch], 0
		xor	edx, edx
		lea	eax, [esp+2Ch]
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	short loc_81005A
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_81005A:				; CODE XREF: PAGE:00810053j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	byte ptr [esp+12h], 0
		jz	short loc_810071
		xor	edx, edx
		lea	ecx, [esp+44h]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_810071:				; CODE XREF: PAGE:00810064j
		mov	eax, large fs:124h
		cmp	byte ptr [eax+16Ah], 1
		jz	loc_80FFD5
		test	_NtGlobalFlag, 400000h
		jnz	short loc_8100AF
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	dword ptr [eax+190h], 0
		jnz	short loc_8100AF
		cmp	dword ptr [ebx+54h], 0
		jz	loc_80FFD5

loc_8100AF:				; CODE XREF: PAGE:0081008Ej
					; PAGE:008100A3j
		push	0C0000235h
		call	_KeRaiseUserException@4	; KeRaiseUserException(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+68h]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_8100CD:				; CODE XREF: PAGE:0081001Aj
					; PAGE:00810024j
		test	byte ptr ds:dword_70EFD0, 40h
		jz	short loc_8100FC
		mov	eax, [esp+20h]
		mov	edx, esi
		cmp	eax, ds:_PsInitialSystemProcess
		jnz	short loc_8100EA
		or	edx, 80000000h

loc_8100EA:				; CODE XREF: PAGE:008100E2j
		push	dword ptr [esp+1Ch]
		mov	ecx, 1121h
		push	dword ptr [esp+1Ch]
		call	_EtwpTraceHandle@16 ; EtwpTraceHandle(x,x,x,x)

loc_8100FC:				; CODE XREF: PAGE:008100D4j
		cmp	byte ptr [ebp+14h], 0
		jnz	loc_8101EE
		cmp	dword ptr [ebx+54h], 0
		jz	short loc_81011D
		mov	edx, large fs:124h
		mov	ecx, ebx
		push	2
		push	esi
		call	_ExpUpdateDebugInfo@16 ; ExpUpdateDebugInfo(x,x,x,x)

loc_81011D:				; CODE XREF: PAGE:0081010Aj
		mov	eax, [edi+4]
		lea	ecx, [ebx+20h]
		shr	eax, 1Bh
		xor	edx, edx
		mov	[esp+1Ch], eax
		lea	eax, [esp+30h]
		mov	dword ptr [edi], 0
		mov	dword ptr [esp+30h], 0
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	short loc_81014A
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_81014A:				; CODE XREF: PAGE:00810143j
		cmp	dword ptr [ebx+4], 0
		jz	short loc_81016D
		mov	edx, esi
		mov	ecx, ebx
		and	edx, 0FFFFFFFCh
		call	_ExpGetHandleExtraInfo@8 ; ExpGetHandleExtraInfo(x,x)
		test	eax, eax
		jz	short loc_81016D
		mov	dword ptr [eax], 0
		mov	dword ptr [eax+4], 0

loc_81016D:				; CODE XREF: PAGE:0081014Ej
					; PAGE:0081015Ej
		mov	dword ptr [edi+4], 0
		mov	al, [ebx+1Ch]
		and	al, 1
		mov	[esp+13h], al
		jnz	short loc_810189
		movzx	esi, large byte	ptr fs:51h
		jmp	short loc_81018B
; 

loc_810189:				; CODE XREF: PAGE:0081017Dj
		xor	esi, esi

loc_81018B:				; CODE XREF: PAGE:00810187j
		inc	esi
		xor	edx, edx
		shl	esi, 6
		add	esi, ebx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		cmp	byte ptr [esp+13h], 0
		jz	short loc_8101B8
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_8101B0
		mov	[eax+4], edi
		mov	[esi+8], edi
		jmp	short loc_8101C8
; 

loc_8101B0:				; CODE XREF: PAGE:008101A6j
		mov	[esi+4], edi
		mov	[esi+8], edi
		jmp	short loc_8101C8
; 

loc_8101B8:				; CODE XREF: PAGE:0081019Fj
		mov	eax, [esi+4]
		mov	[edi+4], eax
		test	eax, eax
		jnz	short loc_8101C5
		mov	[esi+8], edi

loc_8101C5:				; CODE XREF: PAGE:008101C0j
		mov	[esi+4], edi

loc_8101C8:				; CODE XREF: PAGE:008101AEj
					; PAGE:008101B6j
		dec	dword ptr [esi+0Ch]
		or	edi, 0FFFFFFFFh
		mov	eax, edi
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8101E1
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8101E1:				; CODE XREF: PAGE:008101D8j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, [esp+1Ch]
		jmp	short loc_81021A
; 

loc_8101EE:				; CODE XREF: PAGE:00810100j
		mov	esi, [edi+4]
		lea	ecx, [ebx+20h]
		shr	esi, 1Bh
		lea	eax, [esp+34h]
		mov	dword ptr [edi], 0
		xor	edx, edx
		mov	dword ptr [esp+34h], 0
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	short loc_810217
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_810217:				; CODE XREF: PAGE:00810210j
		or	edi, 0FFFFFFFFh

loc_81021A:				; CODE XREF: PAGE:008101ECj
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	byte ptr [esp+14h], 4
		jz	short loc_810239
		mov	eax, [esp+38h]
		push	1
		and	eax, 0FFFFFFFCh
		push	eax
		push	dword ptr [esp+20h]
		call	_SeCloseObjectAuditAlarm@12 ; SeCloseObjectAuditAlarm(x,x,x)

loc_810239:				; CODE XREF: PAGE:00810224j
		mov	ebx, [esp+40h]
		xor	eax, eax
		mov	[esp+5Ch], eax
		mov	[esp+60h], eax
		mov	[esp+64h], eax
		mov	[esp+68h], eax
		mov	[esp+6Ch], eax
		mov	[esp+70h], eax
		mov	eax, [esp+3Ch]
		movzx	ecx, al
		movzx	eax, byte ptr [ebx+0Ch]
		xor	ecx, eax
		mov	dword ptr [esp+24h], 0
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	[esp+14h], eax
		test	byte ptr [eax+2Ah], 10h
		jnz	short loc_810299
		test	byte ptr [ebx+0Fh], 8
		jnz	short loc_810299
		lock xadd [ebx+4], edi
		dec	edi
		inc	edi
		mov	[esp+18h], edi
		jmp	short loc_81030B
; 

loc_810299:				; CODE XREF: PAGE:00810284j
					; PAGE:0081028Aj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [ebx+8]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebx+4]
		lea	eax, [ebx+4]
		mov	[esp+18h], ecx
		lock xadd [eax], edi
		dec	edi
		jnz	short loc_8102E0
		test	byte ptr [ebx+0Fh], 8
		jz	short loc_8102E0
		movzx	eax, byte ptr [ebx+0Eh]
		mov	ecx, ebx
		and	eax, 1Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		mov	dword ptr [ecx], 0

loc_8102E0:				; CODE XREF: PAGE:008102C0j
					; PAGE:008102C6j
		mov	edi, [esp+14h]
		test	byte ptr [edi+2Ah], 10h
		jz	short loc_8102FA
		mov	edx, [esp+20h]
		lea	eax, [esp+24h]
		push	eax
		mov	ecx, ebx
		call	ObpReleaseHandleInfo

loc_8102FA:				; CODE XREF: PAGE:008102E8j
		xor	edx, edx
		lea	ecx, [ebx+8]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, edi

loc_81030B:				; CODE XREF: PAGE:00810297j
		mov	ecx, [eax+60h]
		test	ecx, ecx
		jz	short loc_810390
		mov	eax, large fs:124h
		mov	edi, [esp+20h]
		mov	byte ptr [esp+13h], 0
		mov	dword ptr [esp+1Ch], 0
		cmp	[eax+80h], edi
		jz	short loc_81035D
		push	edi
		mov	byte ptr [esp+17h], 1
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		push	eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	[esp+1Ch], eax
		xor	edx, edx
		lea	eax, [esp+5Ch]
		mov	ecx, edi
		push	eax
		call	KiStackAttachProcess
		mov	edi, [esp+14h]
		mov	ecx, [edi+60h]
		jmp	short loc_810361
; 

loc_81035D:				; CODE XREF: PAGE:0081032Fj
		mov	edi, [esp+14h]

loc_810361:				; CODE XREF: PAGE:0081035Bj
		push	dword ptr [esp+18h]
		lea	eax, [ebx+18h]
		push	dword ptr [esp+28h]
		push	eax
		push	dword ptr [esp+2Ch]
		call	ecx
		cmp	byte ptr [esp+13h], 0
		jz	short loc_810394
		xor	edx, edx
		lea	ecx, [esp+5Ch]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		push	dword ptr [esp+1Ch]
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		jmp	short loc_810394
; 

loc_810390:				; CODE XREF: PAGE:00810310j
		mov	edi, [esp+14h]

loc_810394:				; CODE XREF: PAGE:00810378j
					; PAGE:0081038Ej
		cmp	dword ptr [esp+18h], 1
		jnz	short loc_8103A2
		mov	ecx, ebx
		call	ObpDeleteNameCheck

loc_8103A2:				; CODE XREF: PAGE:00810399j
		lock dec dword ptr [edi+1Ch]
		cmp	byte ptr [esp+12h], 0
		jz	short loc_8103B8
		xor	edx, edx
		lea	ecx, [esp+44h]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_8103B8:				; CODE XREF: PAGE:008103ABj
		test	esi, esi
		jz	short loc_8103C2
		neg	esi
		lock xadd [ebx], esi

loc_8103C2:				; CODE XREF: PAGE:008103BAj
		mov	edx, 6E48624Fh
		lea	ecx, [ebx+18h]
		call	ObfDereferenceObjectWithTag
		mov	ecx, [esp+74h]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_8103E5:				; CODE XREF: PAGE:0081002Ej
		push	0
		push	0
		push	0
		push	esi
		push	93h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpLookupObjectName(x, x, x, x, x, x, x, x,	x, x, x, x, x)
_ObpLookupObjectName@52	proc near	; CODE XREF: ObReferenceObjectByNameEx+112p
					; ObOpenObjectByNameEx+1C2p ...

var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_BA		= byte ptr -0BAh
var_B9		= byte ptr -0B9h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9B		= byte ptr -9Bh
var_9A		= byte ptr -9Ah
var_99		= byte ptr -99h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0BCh
		xor	eax, eax
		mov	[esp+0BCh+var_94], edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_20]
		mov	ebx, ecx
		mov	word ptr [esp+0C4h+var_4C+2], ax
		mov	[esp+0C4h+var_38], eax
		mov	[esp+0C4h+var_34], eax
		mov	[esp+0C4h+var_20], eax
		mov	[esp+0C4h+var_1C], eax
		mov	[esp+0C4h+var_C], eax
		mov	[esp+0C4h+var_8], eax
		mov	[esp+0C4h+var_A0], eax
		mov	[esp+0C4h+var_B0], eax
		mov	[esp+0C4h+var_AC], eax
		mov	[esp+0C4h+var_9A], al
		mov	[esp+0C4h+var_9B], al
		mov	[esi], eax
		mov	[esi+4], eax
		mov	[esi+12h], ax
		mov	eax, [ebp+arg_24]
		mov	[esp+0C4h+var_7C], ebx
		mov	[esp+0C4h+var_A8], 0
		mov	[esp+0C4h+var_3C], 40h
		mov	dword ptr [esi+14h], 0FFFF1234h
		push	edi
		test	eax, eax
		jz	short loc_810493
		mov	dword ptr [eax], 0

loc_810493:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+8Bj
		mov	eax, [ebp+arg_28]
		xor	esi, esi
		mov	[esp+0C8h+var_B8], 0
		mov	[esp+0C8h+var_5C], 0
		mov	[esp+0C8h+var_99], 1
		mov	dword ptr [eax], 0
		mov	eax, 0Ch
		mov	word ptr [esp+0C8h+var_4C], ax
		mov	eax, [ebp+arg_18]
		mov	[esp+0C8h+var_A4], 0
		mov	[esp+0C8h+var_B4], esi
		mov	[esp+0C8h+var_48], 0FFFFFFFFh
		mov	[esp+0C8h+var_44], eax
		cmp	_ObpCaseInsensitive, esi
		jz	short loc_81050A
		mov	eax, [ebp+arg_4]
		test	byte ptr [eax+2Ah], 1
		jz	short loc_81050A
		mov	eax, large fs:124h
		mov	eax, [eax+2FCh]
		test	eax, 80000h
		jnz	short loc_81050A
		mov	eax, [ebp+arg_0]
		or	eax, 40h
		jmp	short loc_81050D
; 

loc_81050A:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+E4j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+EDj ...
		mov	eax, [ebp+arg_0]

loc_81050D:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+108j
		mov	edx, [ebp+arg_8]
		mov	cl, 1
		mov	[esp+0C8h+var_80], eax
		test	eax, 400h
		jnz	short loc_81051F
		mov	cl, dl

loc_81051F:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+11Bj
		mov	esi, [ebp+arg_14]
		mov	edi, [ebp+arg_1C]
		mov	byte ptr [esp+0C8h+var_50], cl
		mov	byte ptr [esp+0C8h+var_74], cl
		test	esi, esi
		jnz	loc_81061E
		xor	edx, edx
		mov	[esp+0C8h+var_9B], 1
		xor	bl, bl
		mov	[esp+0C8h+var_30], edx
		mov	[esp+0C8h+var_2C], edx
		lea	eax, [edi+1Ch]
		mov	[esp+0C8h+var_28], edx
		mov	[esp+0C8h+var_24], edx
		mov	[esp+0C8h+var_8C], edx
		mov	[esp+0C8h+var_88], edx
		mov	[esp+0C8h+var_58], edx
		test	cl, cl
		jz	loc_8105F9
		test	eax, eax
		jnz	short loc_81059A
		lea	esi, [esp+0C8h+var_30]
		mov	eax, esi
		push	eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		jmp	short loc_81059C
; 

loc_81059A:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+173j
		mov	esi, eax

loc_81059C:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+198j
		lea	eax, [esp+0C8h+var_58]
		push	eax
		lea	eax, [esp+0CCh+var_88]
		push	eax
		push	[esp+0D0h+var_50]
		mov	eax, ds:_SeMediumDaclSd
		push	offset _RtlpRestrictedMapping
		push	0
		push	0
		push	20000h
		push	0
		push	esi
		push	8
		push	eax
		call	_SeAccessCheckWithHint@44 ; SeAccessCheckWithHint(x,x,x,x,x,x,x,x,x,x,x)
		cmp	al, 1
		jnz	short loc_8105FB
		call	_KeIsCetCapable@0 ; KeIsCetCapable()
		test	al, al
		jz	short loc_8105F9
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_8105E1
		mov	eax, [esi+8]

loc_8105E1:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1DCj
		lea	ecx, [esp+0C8h+var_8C]
		push	ecx
		push	1Dh
		push	eax
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		test	eax, eax
		js	short loc_8105FB
		cmp	[esp+0C8h+var_8C], 0
		jnz	short loc_8105FB

loc_8105F9:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+16Bj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1D6j
		mov	bl, 1

loc_8105FB:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1CDj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1F0j ...
		lea	eax, [esp+0C8h+var_30]
		cmp	esi, eax
		jnz	short loc_81060C
		push	esi
		call	SeReleaseSubjectContext

loc_81060C:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+204j
		mov	esi, [ebp+arg_14]
		cmp	bl, 1
		mov	ebx, [esp+0C8h+var_7C]
		mov	edx, [ebp+arg_8]
		setnz	[esp+0C8h+var_9A]

loc_81061E:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+12Fj
		test	ebx, ebx
		jz	loc_81078C
		lea	eax, [esp+0C8h+var_38]
		mov	ecx, ebx
		push	eax
		push	0
		lea	eax, [esp+0D0h+var_A8]
		push	eax
		push	746C6644h
		push	edx
		push	0
		xor	edx, edx
		call	ObpReferenceObjectByHandleWithTag
		mov	[esp+0C8h+var_B8], eax
		test	eax, eax
		js	loc_8106DD
		mov	eax, [esp+0C8h+var_34]
		test	eax, eax
		jz	short loc_81068F
		mov	edx, [esp+0C8h+var_48]
		mov	ecx, [edi+18h]
		and	edx, eax
		mov	eax, ecx
		mov	[esp+0C8h+var_48], edx
		and	eax, edx
		cmp	eax, ecx
		jz	short loc_81068F
		mov	ecx, [esp+0C8h+var_A8]
		call	ObfDereferenceObject
		mov	eax, 0C0000022h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_81068F:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+25Bj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+276j
		mov	ecx, [esp+0C8h+var_94]
		mov	esi, [esp+0C8h+var_A8]
		cmp	word ptr [ecx],	0
		jz	short loc_8106E6
		mov	eax, [ecx+4]
		cmp	word ptr [eax],	5Ch
		jnz	loc_81074B
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, ds:_IoFileObjectType
		jz	short loc_81074B
		mov	ecx, esi
		call	ObfDereferenceObject

loc_8106D8:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+394j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+3A1j
		mov	eax, 0C000003Bh

loc_8106DD:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+24Cj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+40Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_8106E6:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+29Bj
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		cmp	eax, _ObpDirectoryObjectType
		jnz	short loc_810747
		mov	edx, [ebp+arg_8]
		push	edx
		push	[ebp+arg_4]
		push	0
		push	esi
		call	ObReferenceObjectByPointer
		mov	ecx, [esp+0C8h+var_A8]
		mov	[esp+0C8h+var_B8], eax
		test	eax, eax
		js	short loc_81072C
		mov	[esp+0C8h+var_A4], ecx

loc_81072C:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+326j
		call	ObfDereferenceObject
		mov	edx, [ebp+arg_28]
		mov	eax, [esp+0C8h+var_A4]
		mov	[edx], eax
		mov	eax, [esp+0C8h+var_B8]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_810747:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+30Bj
		mov	ecx, [esp+0C8h+var_94]

loc_81074B:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+2A4j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+2CFj
		mov	eax, [ecx]
		mov	[esp+0C8h+var_B0], eax
		mov	eax, [ecx+4]
		mov	[esp+0C8h+var_AC], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+0C8h+var_14], ecx
		add	eax, 8
		lea	ecx, [esp+0C8h+var_20]
		mov	[esp+0C8h+var_A4], esi
		mov	[esp+0C8h+var_18], eax
		mov	[esp+0C8h+var_10], ebx
		call	SeSetLearningModeObjectInformation
		mov	edi, [esp+0C8h+var_A4]
		jmp	loc_810B10
; 

loc_81078C:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+220j
		mov	edi, [esp+0C8h+var_94]
		cmp	word ptr [edi],	0
		jz	loc_8106D8
		mov	eax, [edi+4]
		cmp	word ptr [eax],	5Ch
		jnz	loc_8106D8
		lea	eax, [esp+0C8h+var_90]
		mov	[esp+0C8h+var_90], 0
		push	eax
		mov	eax, ds:_PsObjectDirectorySiloContextSlot
		push	eax
		push	[ebp+arg_18]
		call	PsGetPermanentSiloContext
		test	eax, eax
		mov	eax, _ObpRootDirectoryObject
		js	short loc_8107CF
		mov	eax, [esp+0C8h+var_90]

loc_8107CF:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+3C9j
		mov	[esp+0C8h+var_A8], eax
		test	eax, eax
		jz	short loc_8107E2
		mov	ecx, eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [esp+0C8h+var_A8]

loc_8107E2:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+3D5j
		cmp	word ptr [edi],	2
		jnz	short loc_810856
		test	eax, eax
		jnz	short loc_810823
		test	esi, esi
		jnz	short loc_8107FE
		mov	eax, 0C000000Dh
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_8107FE:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+3EEj
		mov	edx, [ebp+arg_8]
		push	edx
		push	[ebp+arg_4]
		push	0
		push	esi
		call	ObReferenceObjectByPointer
		test	eax, eax
		js	loc_8106DD
		mov	edx, [ebp+arg_28]
		mov	[edx], esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_810823:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+3EAj
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		push	edx
		push	ecx
		push	0
		push	eax
		call	ObReferenceObjectByPointer
		mov	ecx, [esp+0C8h+var_A8]
		mov	[esp+0C8h+var_B8], eax
		test	eax, eax
		js	short loc_810844
		mov	eax, [ebp+arg_28]
		mov	[eax], ecx

loc_810844:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+43Dj
		call	ObfDereferenceObject
		mov	eax, [esp+0C8h+var_B8]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_810856:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+3E6j
		mov	esi, [ebp+arg_4]
		lea	ecx, [esp+0C8h+var_20]
		mov	[esp+0C8h+var_14], edi
		mov	[esp+0C8h+var_10], 0
		lea	eax, [esi+8]
		mov	[esp+0C8h+var_18], eax
		call	SeSetLearningModeObjectInformation
		jmp	short loc_810886
; 

loc_810883:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+11C6j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+11D8j
		mov	esi, [ebp+arg_4]

loc_810886:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+481j
		mov	ecx, [edi+4]
		test	cl, 7
		jnz	loc_810AF8
		mov	ebx, [esp+0C8h+var_80]
		movzx	edx, word ptr [edi]
		shr	ebx, 0Bh
		and	bl, 1
		cmp	edx, 8
		jb	loc_810A6E
		mov	eax, [ecx]
		cmp	eax, ds:_ObpDosDevicesShortNamePrefix
		jnz	loc_810A6E
		mov	eax, [ecx+4]
		cmp	eax, ds:off_A40164
		jnz	loc_810A6E
		cmp	esi, ds:_IoFileObjectType
		jnz	short loc_8108D6
		mov	ecx, edi
		call	_ObpUseSystemDeviceMap@4 ; ObpUseSystemDeviceMap(x)
		or	bl, al

loc_8108D6:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+4CBj
		xor	al, al
		mov	[esp+0C8h+var_A0], 0
		mov	[esp+0C8h+var_B9], al
		xor	edi, edi
		mov	eax, large fs:124h
		mov	[esp+0C8h+var_88], eax
		mov	eax, [eax+150h]
		push	eax
		mov	[esp+0CCh+var_84], eax
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		mov	esi, eax
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		cmp	esi, eax
		jz	short loc_810913
		mov	cl, 1
		mov	[esp+0C8h+var_B9], cl
		jmp	short loc_810917
; 

loc_810913:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+509j
		mov	cl, [esp+0C8h+var_B9]

loc_810917:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+511j
		mov	esi, [esp+0C8h+var_88]
		mov	eax, [esi+2FCh]
		test	al, 8
		jz	short loc_81099D
		test	bl, bl
		jnz	short loc_81099D
		test	cl, cl
		jnz	loc_8109BF
		push	0
		lea	eax, [esp+0CCh+var_4]
		mov	edx, 1
		push	eax
		lea	eax, [esp+7Eh]
		mov	ecx, esi
		push	eax
		lea	eax, [esp+83h]
		push	eax
		call	_PsReferenceImpersonationTokenEx@24 ; PsReferenceImpersonationTokenEx(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8109A5
		cmp	dword ptr [edi+18h], 3E7h
		mov	ecx, [edi+1Ch]
		jnz	short loc_810971
		test	ecx, ecx
		jnz	short loc_810971
		mov	[esp+0C8h+var_B9], 1
		jmp	short loc_8109BF
; 

loc_810971:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+564j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+568j
		lea	edx, [esp+0C8h+var_70]
		mov	[esp+0C8h+var_70], 0
		mov	ecx, edi
		call	SeGetTokenDeviceMap
		test	eax, eax
		js	short loc_8109A5
		mov	esi, [esp+0C8h+var_70]
		mov	[esp+0C8h+var_A0], esi
		test	esi, esi
		jz	short loc_8109A9
		lock inc dword ptr [esi+0Ch]
		jmp	loc_810A28
; 

loc_81099D:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+523j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+527j
		test	cl, cl
		jnz	short loc_8109BF
		mov	esi, edi
		jmp	short loc_8109A9
; 

loc_8109A5:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+558j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+586j
		mov	esi, [esp+0C8h+var_A0]

loc_8109A9:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+592j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+5A3j
		mov	eax, [esp+0C8h+var_84]
		cmp	dword ptr [eax+198h], 0
		jnz	short loc_8109BF
		call	ObSetCurrentProcessDeviceMap
		test	eax, eax
		js	short loc_810A28

loc_8109BF:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+52Bj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+56Fj ...
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		lea	ebx, [esi+70h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		cmp	[esp+0C8h+var_B9], 0
		jz	short loc_8109EB
		mov	esi, [esi]
		jmp	short loc_8109F5
; 

loc_8109EB:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+5E5j
		mov	eax, [esp+0C8h+var_84]
		mov	esi, [eax+198h]

loc_8109F5:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+5E9j
		mov	[esp+0C8h+var_A0], esi
		test	esi, esi
		jz	short loc_810A01
		lock inc dword ptr [esi+0Ch]

loc_810A01:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+5FBj
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		mov	eax, large fs:124h
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_810A28
		nop
		add	eax, 70h
		cmp	[eax], eax
		jz	short loc_810A28
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_810A28:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+598j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+5BDj ...
		test	edi, edi
		jz	short loc_810A33
		mov	ecx, edi
		call	ObfDereferenceObject

loc_810A33:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+62Aj
		test	esi, esi
		jz	loc_810AF4
		cmp	dword ptr [esi], 0
		jz	loc_810AF4
		mov	ecx, [esp+0C8h+var_94]
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[esp+0C8h+var_B0], eax
		add	ecx, 8
		mov	eax, 0FFF8h
		mov	[esp+0C8h+var_AC], ecx
		add	word ptr [esp+0C8h+var_B0], ax
		add	word ptr [esp+0C8h+var_B0+2], ax
		mov	edi, [esi]
		jmp	loc_810B09
; 

loc_810A6E:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+4A2j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+4B0j ...
		cmp	edx, 6
		jnz	loc_810AF8
		mov	eax, [ecx]
		cmp	eax, dword ptr ds:_ObpDosDevicesShortNameRoot
		jnz	short loc_810AF8
		cmp	word ptr [ecx+4], 3Fh
		jnz	short loc_810AF8
		mov	cl, bl
		call	ObpReferenceDeviceMap
		mov	esi, eax
		mov	[esp+0C8h+var_A0], esi
		test	esi, esi
		jz	short loc_810AF8
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_810AF8
		mov	edx, [ebp+arg_8]
		push	edx
		push	[ebp+arg_4]
		push	0
		push	ecx
		call	ObReferenceObjectByPointer
		mov	[esp+0C8h+var_B8], eax
		test	eax, eax
		js	short loc_810AD2
		mov	edx, [ebp+arg_24]
		test	edx, edx
		jz	short loc_810ACB
		mov	eax, [esp+0C8h+var_48]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_810ACB
		mov	[edx], eax

loc_810ACB:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+6BBj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+6C7j
		mov	edx, [ebp+arg_28]
		mov	eax, [esi]
		mov	[edx], eax

loc_810AD2:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+6B4j
		mov	ecx, esi
		call	ObfDereferenceDeviceMap
		mov	ecx, [esp+0C8h+var_A8]
		call	ObfDereferenceObject
		call	SeClearLearningModeObjectInformation
		mov	eax, [esp+0C8h+var_B8]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_810AF4:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+635j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+63Ej
		mov	edi, [esp+0C8h+var_94]

loc_810AF8:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+48Cj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+671j ...
		mov	ecx, [edi]
		mov	eax, [edi+4]
		mov	edi, [esp+0C8h+var_A8]
		mov	[esp+0C8h+var_B0], ecx
		mov	[esp+0C8h+var_AC], eax

loc_810B09:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+669j
		mov	[esp+0C8h+var_A4], edi
		lea	ecx, [ecx+0]

loc_810B10:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+387j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+E78j ...
		movzx	ecx, byte ptr [edi-0Ch]
		lea	eax, [edi-18h]
		mov	ebx, eax
		mov	[esp+0C8h+var_7C], eax
		shr	ebx, 8
		movzx	eax, bl
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	esi, [eax+68h]
		test	esi, esi
		jnz	loc_8112D7
		cmp	eax, _ObpDirectoryObjectType
		jnz	loc_81176A
		cmp	word ptr [esp+0C8h+var_B0], 0
		mov	esi, edi
		mov	[esp+0C8h+var_84], esi
		mov	edx, 0FFFEh
		jz	short loc_810B78
		mov	eax, [esp+0C8h+var_AC]
		cmp	word ptr [eax],	5Ch
		jnz	short loc_810B78
		add	[esp+0C8h+var_AC], 2
		add	word ptr [esp+0C8h+var_B0], dx
		add	word ptr [esp+0C8h+var_B0+2], dx

loc_810B78:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+75Dj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+767j
		mov	ecx, [esp+0C8h+var_B0]
		mov	eax, [esp+0C8h+var_AC]
		mov	[esp+0C8h+var_64], ecx
		mov	[esp+0C8h+var_60], eax
		test	cx, cx
		jz	short loc_810BA6
		lea	ecx, [ecx+0]

loc_810B90:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+7A4j
		mov	eax, [esp+0C8h+var_AC]
		cmp	word ptr [eax],	5Ch
		jz	short loc_810BA6
		add	[esp+0C8h+var_AC], 2
		add	word ptr [esp+0C8h+var_B0], dx
		jnz	short loc_810B90

loc_810BA6:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+78Bj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+798j
		sub	ecx, [esp+0C8h+var_B0]
		movzx	eax, cx
		sub	word ptr [esp+0C8h+var_B0+2], ax
		mov	word ptr [esp+0C8h+var_64], cx
		test	ax, ax
		jz	loc_811760
		cmp	byte ptr [esp+0C8h+var_50], 0
		jz	short loc_810C14
		mov	eax, [ebp+arg_1C]
		test	byte ptr [eax+0Ch], 1
		jnz	short loc_810C14
		lea	ecx, [esp+0C8h+var_5C]
		push	ecx
		push	[esp+0CCh+var_74]
		push	ecx
		push	eax
		mov	ecx, edi
		call	_ObpCheckTraverseAccess@24 ; ObpCheckTraverseAccess(x,x,x,x,x,x)
		mov	[esp+0C8h+var_99], al
		test	al, al
		jnz	short loc_810C14
		mov	edx, [esp+0C8h+var_5C]
		test	edx, edx
		js	short loc_810BFB
		mov	edx, 0C0000034h
		mov	[esp+0C8h+var_5C], edx

loc_810BFB:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+7F0j
		cmp	word ptr [esp+0C8h+var_B0], 0
		jnz	loc_811756
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	loc_811756
		jmp	short loc_810C1F
; 

loc_810C14:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+7C5j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+7CEj ...
		cmp	word ptr [esp+0C8h+var_B0], 0
		jnz	short loc_810C8A
		mov	eax, [ebp+arg_14]

loc_810C1F:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+812j
		mov	ebx, [ebp+arg_20]
		lea	ecx, [esi+94h]
		test	eax, eax
		mov	eax, large fs:124h
		jz	short loc_810C5E
		mov	dword ptr [ebx+14h], 0AAAA1234h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, esi
		mov	dword ptr [ebx+14h], 0CCCC1234h
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	word ptr [ebx+12h], 101h
		jmp	short loc_810C88
; 

loc_810C5E:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+830j
		mov	dword ptr [ebx+14h], 0BBBB1234h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	ecx, esi
		mov	dword ptr [ebx+14h], 0DDDD1234h
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	word ptr [ebx+12h], 1

loc_810C88:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+85Cj
		mov	[ebx], esi

loc_810C8A:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+81Aj
		movzx	edi, word ptr [esp+0C8h+var_64]
		mov	eax, [esp+0C8h+var_80]
		mov	ecx, [esp+0C8h+var_60]
		and	eax, 40h
		mov	[esp+0C8h+var_78], esi
		xor	esi, esi
		mov	[esp+0C8h+var_40], edi
		shr	edi, 1
		mov	[esp+0C8h+var_7C], eax
		jz	short loc_810CED
		nop

loc_810CB0:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+8EBj
		movzx	eax, word ptr [ecx]
		dec	edi
		add	ecx, 2
		mov	edx, eax
		mov	[esp+0C8h+var_88], ecx
		mov	ebx, eax
		mov	ecx, esi
		lea	esi, [esi+esi*2]
		shr	ecx, 1
		add	esi, ecx
		cmp	edx, 61h
		jb	short loc_810CE3
		cmp	edx, 7Ah
		jbe	short loc_810CE0
		mov	ecx, ebx
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		movzx	eax, ax
		add	esi, eax
		jmp	short loc_810CE5
; 

loc_810CE0:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+8D0j
		add	esi, 0FFFFFFE0h

loc_810CE3:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+8CBj
		add	esi, edx

loc_810CE5:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+8DEj
		mov	ecx, [esp+0C8h+var_88]
		test	edi, edi
		jnz	short loc_810CB0

loc_810CED:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+8ADj
		mov	edi, [ebp+arg_20]
		mov	eax, 0BACF914Dh
		mul	esi
		mov	eax, esi
		mov	ecx, esi
		sub	eax, edx
		mov	[edi+0Ch], esi
		mov	esi, [esp+0C8h+var_84]
		shr	eax, 1
		add	eax, edx
		mov	dl, [edi+12h]
		shr	eax, 5
		imul	eax, 25h
		mov	[esp+0C8h+var_B9], dl
		sub	ecx, eax
		movzx	eax, cx
		mov	[edi+10h], cx
		lea	ebx, [esi+eax*4]
		mov	[esp+0C8h+var_68], ebx
		test	dl, dl
		jnz	short loc_810D61
		mov	eax, large fs:124h
		mov	dword ptr [edi+14h], 0BBBB1234h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+94h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	ecx, esi
		mov	dword ptr [edi+14h], 0DDDD1234h
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	[edi], esi
		mov	word ptr [edi+12h], 1

loc_810D61:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+927j
		mov	esi, [ebx]
		mov	[esp+0C8h+var_8C], esi
		test	esi, esi
		jz	loc_810F54
		mov	eax, [edi+0Ch]
		mov	[esp+0C8h+var_90], eax

loc_810D76:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+B4Ej
		cmp	[esi+8], eax
		jnz	loc_810F42
		mov	edx, [esi+4]
		mov	ecx, [esp+0C8h+var_40]
		sub	edx, 18h
		movzx	eax, byte ptr [edx+0Eh]
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	edx, eax
		movzx	eax, word ptr [edx+4]
		cmp	ecx, eax
		jnz	loc_810F3E
		mov	edi, [esp+0C8h+var_60]
		mov	edx, [edx+8]
		lea	ebx, [edi+ecx]
		mov	[esp+0C8h+var_6C], ebx
		cmp	ecx, 4
		jb	short loc_810DDA
		jmp	short loc_810DC0
; 
		align 10h

loc_810DC0:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+9BBj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+9D8j
		mov	eax, [edi]
		cmp	eax, [edx]
		jnz	short loc_810DDA
		sub	ecx, 4
		jz	loc_810ED7
		add	edi, 4
		add	edx, 4
		cmp	ecx, 4
		jnb	short loc_810DC0

loc_810DDA:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+9B9j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+9C4j
		cmp	edi, ebx
		jnb	loc_810ED7
		cmp	[esp+0C8h+var_7C], 0
		jz	loc_810F26
		sub	edx, edi
		mov	eax, ebx
		mov	[esp+0C8h+var_88], edx

loc_810DF5:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+ACDj
		movzx	esi, word ptr [edi]
		movzx	ebx, word ptr [edx+edi]
		cmp	si, bx
		jz	loc_810EC8
		cmp	esi, 61h
		jb	short loc_810E61
		cmp	esi, 7Ah
		ja	short loc_810E17
		lea	eax, [esi-20h]
		movzx	eax, ax
		jmp	short loc_810E63
; 

loc_810E17:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+A0Dj
		mov	ecx, ds:_Nls844UnicodeUpcaseTable
		mov	[esp+0C8h+var_70], ecx
		test	ecx, ecx
		jz	short loc_810E61
		mov	eax, 0C0h
		cmp	si, ax
		jb	short loc_810E61
		mov	edx, esi
		mov	eax, esi
		shr	eax, 8
		movzx	ecx, word ptr [ecx+eax*2]
		mov	eax, edx
		shr	eax, 4
		and	edx, 0Fh
		and	eax, 0Fh
		add	ecx, eax
		mov	eax, [esp+0C8h+var_70]
		movzx	eax, word ptr [eax+ecx*2]
		mov	ecx, [esp+0C8h+var_70]
		add	eax, edx
		mov	ax, [ecx+eax*2]
		add	ax, si
		movzx	eax, ax
		jmp	short loc_810E63
; 

loc_810E61:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+A08j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+A23j ...
		mov	eax, esi

loc_810E63:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+A15j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+A5Fj
		mov	[esp+0C8h+var_98], eax
		cmp	ebx, 61h
		jb	short loc_810EB7
		cmp	ebx, 7Ah
		ja	short loc_810E79
		lea	eax, [ebx-20h]
		movzx	eax, ax
		jmp	short loc_810EB9
; 

loc_810E79:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+A6Fj
		mov	esi, ds:_Nls844UnicodeUpcaseTable
		test	esi, esi
		jz	short loc_810EB7
		mov	eax, 0C0h
		cmp	bx, ax
		jb	short loc_810EB7
		mov	edx, ebx
		mov	eax, ebx
		shr	eax, 8
		movzx	ecx, word ptr [esi+eax*2]
		mov	eax, edx
		shr	eax, 4
		and	edx, 0Fh
		and	eax, 0Fh
		add	ecx, eax
		movzx	eax, word ptr [esi+ecx*2]
		add	eax, edx
		mov	ax, [esi+eax*2]
		add	ax, bx
		movzx	eax, ax
		jmp	short loc_810EB9
; 

loc_810EB7:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+A6Aj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+A81j ...
		mov	eax, ebx

loc_810EB9:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+A77j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+AB5j
		cmp	word ptr [esp+0C8h+var_98], ax
		jnz	short loc_810F3A
		mov	edx, [esp+0C8h+var_88]
		mov	eax, [esp+0C8h+var_6C]

loc_810EC8:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+9FFj
		add	edi, 2
		cmp	edi, eax
		jb	loc_810DF5
		mov	esi, [esp+0C8h+var_8C]

loc_810ED7:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+9C9j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+9DCj ...
		mov	edi, [esi+4]
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		cmp	[esp+0C8h+var_B9], 0
		jnz	loc_811016
		mov	ecx, [esp+0C8h+var_84]
		xor	edx, edx
		lea	ecx, [ecx+94h]
		call	ExReleasePushLockEx
		mov	ebx, [ebp+arg_20]
		mov	ecx, [ebx]
		mov	dword ptr [ebx+14h], 0EEEE1234h
		call	ObfDereferenceObject
		mov	dword ptr [ebx], 0
		mov	word ptr [ebx+12h], 0
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	esi, esi
		jmp	loc_81101D
; 

loc_810F26:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+9E7j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+B36j
		mov	ax, [edi]
		cmp	ax, [edx]
		jnz	short loc_810F3E
		add	edi, 2
		add	edx, 2
		cmp	edi, ebx
		jb	short loc_810F26
		jmp	short loc_810ED7
; 

loc_810F3A:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+ABEj
		mov	esi, [esp+0C8h+var_8C]

loc_810F3E:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+9A2j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+B2Cj
		mov	eax, [esp+0C8h+var_90]

loc_810F42:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+979j
		mov	[esp+0C8h+var_68], esi
		mov	esi, [esi]
		mov	[esp+0C8h+var_8C], esi
		test	esi, esi
		jnz	loc_810D76

loc_810F54:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+969j
		cmp	[esp+0C8h+var_B9], 0
		jnz	short loc_810F8E
		mov	ecx, [esp+0C8h+var_84]
		xor	edx, edx
		lea	ecx, [ecx+94h]
		call	ExReleasePushLockEx
		mov	ebx, [ebp+arg_20]
		mov	ecx, [ebx]
		mov	dword ptr [ebx+14h], 0EEEE1234h
		call	ObfDereferenceObject
		mov	dword ptr [ebx], 0
		mov	word ptr [ebx+12h], 0
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_810F8E:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+B59j
		xor	edi, edi

loc_810F90:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+C31j
		cmp	[esp+0C8h+var_9B], 0
		jz	loc_81125B
		mov	esi, [esp+0C8h+var_78]
		nop

loc_810FA0:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+E55j
		mov	eax, [esi+0A8h]
		xor	ebx, ebx
		mov	[esp+0C8h+var_98], ebx
		test	al, 4
		jnz	loc_81103C
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Eh]
		nop
		lea	esi, [eax+70h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	ecx, [esp+0C8h+var_78]
		mov	eax, [ecx+98h]
		test	eax, eax
		jz	short loc_810FE9
		mov	ebx, [eax+4]
		mov	[esp+0C8h+var_98], ebx

loc_810FE9:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+BE0j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	eax, large fs:124h
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_811010
		nop
		add	eax, 70h
		cmp	[eax], eax
		jz	short loc_811010
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_811010:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+C01j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+C09j
		mov	esi, [esp+0C8h+var_78]
		jmp	short loc_811054
; 

loc_811016:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+AE6j
		mov	esi, [esp+0C8h+var_68]
		mov	ebx, [ebp+arg_20]

loc_81101D:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+B21j
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jz	short loc_811029
		call	ObfDereferenceObject

loc_811029:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+C22j
		mov	[ebx+4], edi
		mov	[ebx+8], esi
		test	edi, edi
		jz	loc_810F90
		jmp	loc_81125B
; 

loc_81103C:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+BAEj
		test	al, 10h
		jz	short loc_81104A
		cmp	[esp+0C8h+var_9A], bl
		jz	loc_811249

loc_81104A:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+C3Ej
		mov	ebx, [esi+9Ch]
		mov	[esp+0C8h+var_98], ebx

loc_811054:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+C14j
		test	ebx, ebx
		jz	loc_811249
		mov	edi, [ebp+arg_20]
		mov	cl, [edi+12h]
		mov	[esp+0C8h+var_B9], cl
		test	cl, cl
		jz	short loc_811091
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, edi
		mov	ecx, esi
		call	_ObpUnlockDirectory@8 ;	ObpUnlockDirectory(x,x)
		mov	edx, ebx
		mov	ecx, edi
		call	_ObpLockDirectoryShared@8 ; ObpLockDirectoryShared(x,x)
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	cl, [edi+12h]
		mov	[esp+0C8h+var_B9], cl

loc_811091:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+C68j
		movzx	eax, word ptr [edi+10h]
		lea	esi, [ebx+eax*4]
		mov	[esp+0C8h+var_68], esi
		test	cl, cl
		jnz	short loc_8110D8
		mov	eax, large fs:124h
		mov	dword ptr [edi+14h], 0BBBB1234h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [ebx+94h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	ecx, ebx
		mov	dword ptr [edi+14h], 0DDDD1234h
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	[edi], ebx
		mov	word ptr [edi+12h], 1

loc_8110D8:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+C9Ej
		mov	edi, [esi]
		mov	[esp+0C8h+var_90], edi
		test	edi, edi
		jz	loc_811212
		mov	eax, [ebp+arg_20]
		mov	eax, [eax+0Ch]
		mov	[esp+0C8h+var_8C], eax

loc_8110F0:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+E08j
		cmp	[edi+8], eax
		jnz	loc_8111FC
		mov	ecx, [edi+4]
		mov	edx, [esp+0C8h+var_40]
		sub	ecx, 18h
		movzx	eax, byte ptr [ecx+0Eh]
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		movzx	eax, word ptr [ecx+4]
		cmp	edx, eax
		jnz	loc_8111F8
		mov	esi, [esp+0C8h+var_60]
		mov	ebx, [ecx+8]
		lea	ecx, [esi+edx]
		mov	[esp+0C8h+var_58], ecx
		cmp	edx, 4
		jb	short loc_81114B

loc_811135:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+D49j
		mov	eax, [esi]
		cmp	eax, [ebx]
		jnz	short loc_81114B
		sub	edx, 4
		jz	short loc_811193
		add	esi, 4
		add	ebx, 4
		cmp	edx, 4
		jnb	short loc_811135

loc_81114B:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+D33j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+D39j
		cmp	esi, ecx
		jnb	short loc_811193
		cmp	[esp+0C8h+var_7C], 0
		jz	loc_8111E0
		sub	ebx, esi
		lea	esp, [esp+0]

loc_811160:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+D8Dj
		movzx	eax, word ptr [esi]
		movzx	ecx, word ptr [ebx+esi]
		mov	[esp+0C8h+var_88], eax
		cmp	ax, cx
		jz	short loc_811186
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, [esp+0C8h+var_88]
		mov	di, ax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		cmp	ax, di
		jnz	short loc_8111F4

loc_811186:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+D6Ej
		add	esi, 2
		cmp	esi, [esp+0C8h+var_58]
		jb	short loc_811160
		mov	edi, [esp+0C8h+var_90]

loc_811193:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+D3Ej
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+D4Dj ...
		mov	edi, [edi+4]
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		cmp	[esp+0C8h+var_B9], 0
		mov	ebx, [esp+0C8h+var_98]
		jnz	loc_81122D
		lea	ecx, [ebx+94h]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	esi, [ebp+arg_20]
		mov	ecx, [esi]
		mov	dword ptr [esi+14h], 0EEEE1234h
		call	ObfDereferenceObject
		mov	dword ptr [esi], 0
		mov	word ptr [esi+12h], 0
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	esi, esi
		jmp	short loc_811231
; 
		align 10h

loc_8111E0:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+D54j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+DF0j
		mov	ax, [esi]
		cmp	ax, [ebx]
		jnz	short loc_8111F8
		add	esi, 2
		add	ebx, 2
		cmp	esi, ecx
		jb	short loc_8111E0
		jmp	short loc_811193
; 

loc_8111F4:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+D84j
		mov	edi, [esp+0C8h+var_90]

loc_8111F8:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+D1Cj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+DE6j
		mov	eax, [esp+0C8h+var_8C]

loc_8111FC:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+CF3j
		mov	[esp+0C8h+var_68], edi
		mov	edi, [edi]
		mov	[esp+0C8h+var_90], edi
		test	edi, edi
		jnz	loc_8110F0
		mov	ebx, [esp+0C8h+var_98]

loc_811212:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+CE0j
		cmp	[esp+0C8h+var_B9], 0
		jnz	short loc_811223
		mov	edx, [ebp+arg_20]
		mov	ecx, ebx
		call	_ObpUnlockDirectory@8 ;	ObpUnlockDirectory(x,x)

loc_811223:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+E17j
		mov	esi, ebx
		xor	edi, edi
		mov	[esp+0C8h+var_78], esi
		jmp	short loc_811253
; 

loc_81122D:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+DA6j
		mov	esi, [esp+0C8h+var_68]

loc_811231:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+DDDj
		mov	eax, [ebp+arg_20]
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_811243
		call	ObfDereferenceObject
		mov	eax, [ebp+arg_20]

loc_811243:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+E39j
		mov	[eax+4], edi
		mov	[eax+8], esi

loc_811249:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+C44j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+C56j
		mov	esi, ebx
		mov	[esp+0C8h+var_78], esi
		test	edi, edi
		jnz	short loc_81125B

loc_811253:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+E2Bj
		test	ebx, ebx
		jnz	loc_810FA0

loc_81125B:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+B95j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+C37j ...
		cmp	[esp+0C8h+var_99], 0
		mov	[esp+0C8h+var_A4], edi
		jz	loc_8115DD
		test	edi, edi
		jz	loc_8115E5
		cmp	word ptr [esp+0C8h+var_B0], 0
		jnz	loc_810B10
		lea	eax, [edi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [edi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		mov	eax, [eax+68h]
		test	eax, eax
		jz	short loc_8112B9
		cmp	eax, offset ObpParseSymbolicLinkEx
		jz	loc_810B10
		cmp	[ebp+arg_14], 0
		jz	loc_810B10

loc_8112B9:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+EA2j
		mov	edx, [ebp+arg_8]
		push	edx
		push	[ebp+arg_4]
		push	0
		push	edi
		call	ObReferenceObjectByPointer
		mov	esi, [esp+0C8h+var_B4]
		mov	edx, eax
		mov	[esp+0C8h+var_B8], edx
		jmp	loc_811783
; 

loc_8112D7:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+73Aj
		cmp	esi, offset ObpParseSymbolicLinkEx
		jz	short loc_81133E
		cmp	[ebp+arg_14], 0
		jnz	loc_81176A
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edi, [ebp+arg_20]
		cmp	byte ptr [edi+12h], 0
		jz	short loc_811327
		mov	ecx, [edi]
		xor	edx, edx
		add	ecx, 94h
		call	ExReleasePushLockEx
		mov	ecx, [edi]
		mov	dword ptr [edi+14h], 0EEEE1234h
		call	ObfDereferenceObject
		mov	dword ptr [edi], 0
		mov	word ptr [edi+12h], 0
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_811327:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+EF7j
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	short loc_81133A
		call	ObfDereferenceObject
		mov	dword ptr [edi+4], 0

loc_81133A:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+F2Cj
		mov	edi, [esp+0C8h+var_A4]

loc_81133E:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+EDDj
		mov	eax, [esp+0C8h+var_7C]
		mov	edx, [esp+0C8h+var_94]
		movzx	ecx, byte ptr [eax+0Ch]
		movzx	eax, bl
		mov	ebx, [ebp+arg_1C]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		test	byte ptr [eax+2Bh], 1
		lea	eax, [esp+0C8h+var_A4]
		push	eax
		jz	short loc_811392
		lea	eax, [esp+0CCh+var_4C]
		push	eax
		push	[ebp+arg_10]
		lea	eax, [esp+0D4h+var_B0]
		push	[ebp+arg_C]
		push	eax
		push	edx
		push	[esp+0E0h+var_80]
		push	[esp+0E4h+var_74]
		push	ebx
		push	[ebp+arg_4]
		push	edi
		call	esi
		jmp	short loc_8113AD
; 

loc_811392:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+F6Bj
		push	[ebp+arg_10]
		lea	eax, [esp+0D0h+var_B0]
		push	[ebp+arg_C]
		push	eax
		push	edx
		push	[esp+0DCh+var_80]
		push	[esp+0E0h+var_74]
		push	ebx
		push	[ebp+arg_4]
		push	edi
		call	esi

loc_8113AD:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+F90j
		mov	edx, eax
		mov	[esp+0F0h+var_E0], edx
		cmp	esi, offset ObpParseSymbolicLinkEx
		jz	short loc_8113CB
		mov	ecx, [esp+0F0h+var_A4]
		lea	ecx, [ecx+18h]
		call	ObfDereferenceObject
		mov	edx, [esp+0F0h+var_E0]

loc_8113CB:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+FB9j
		test	edx, edx
		js	loc_8117A2
		mov	esi, [esp+0F0h+var_CC]
		cmp	edx, 104h
		jz	short loc_8113EB
		cmp	edx, 368h
		jz	short loc_8113EB
		mov	[esp+0F0h+var_DC], esi

loc_8113EB:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+FDDj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+FE5j
		mov	ecx, [ebx+18h]
		mov	eax, ecx
		and	eax, [esp+0F0h+var_70]
		cmp	eax, ecx
		jnz	loc_81179A
		cmp	edx, 104h
		jz	short loc_81141B
		cmp	edx, 368h
		jz	short loc_81141B
		cmp	edx, 118h
		jnz	loc_811774

loc_81141B:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1005j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+100Dj
		test	[esp+0F0h+var_A8], 1000h
		jz	short loc_811431
		cmp	edx, 368h
		jnz	loc_811789

loc_811431:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1023j
		sub	[esp+0F0h+var_64], 1
		jz	loc_811601
		mov	edi, [esp+34h]
		cmp	word ptr [edi],	0
		jz	loc_811760
		mov	ecx, [esp+0F0h+var_D0]
		call	ObfDereferenceObject
		mov	eax, [edi+4]
		mov	ecx, [esp+0F0h+var_E0]
		mov	[esp+0F0h+var_D0], 0
		movzx	eax, word ptr [eax]
		cmp	ecx, 118h
		jnz	short loc_81148B
		cmp	eax, 5Ch
		jz	loc_811760
		mov	eax, [esp+0F0h+var_CC]
		mov	[esp+0F0h+var_D0], eax
		mov	[esp+0F0h+var_DC], 0
		jmp	short loc_8114D6
; 

loc_81148B:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+106Ej
		cmp	eax, 5Ch
		jnz	loc_811760
		cmp	ecx, 368h
		jnz	short loc_8114A4
		mov	ecx, _ObpRootDirectoryObject
		jmp	short loc_8114CD
; 

loc_8114A4:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+109Aj
		lea	eax, [esp+0F0h+var_94]
		mov	[esp+0F0h+var_94], 0
		push	eax
		mov	eax, ds:_PsObjectDirectorySiloContextSlot
		push	eax
		push	[ebp+arg_18]
		call	PsGetPermanentSiloContext
		mov	ecx, _ObpRootDirectoryObject
		test	eax, eax
		js	short loc_8114CD
		mov	ecx, [esp+0F0h+var_94]

loc_8114CD:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+10A2j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+10C7j
		mov	[esp+0F0h+var_D0], ecx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_8114D6:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1089j
		mov	ebx, [esp+0F0h+var_C8]
		test	ebx, ebx
		jz	loc_8115AF
		mov	edx, [ebx+0Ch]
		lea	edi, [ebx+0Ch]
		cmp	edx, 1
		jz	short loc_81150A
		lea	ecx, [ecx+0]

loc_8114F0:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1108j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		mov	esi, eax
		cmp	esi, edx
		jz	loc_81159B
		mov	edx, esi
		cmp	esi, 1
		jnz	short loc_8114F0

loc_81150A:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+10EBj
		mov	ecx, [ebx+34h]
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Eh]
		nop
		lea	ebx, [eax+70h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		or	esi, 0FFFFFFFFh
		lock xadd [edi], esi
		dec	esi
		inc	esi
		xor	edx, edx
		mov	ecx, ebx
		cmp	esi, 1
		jnz	short loc_81158A
		mov	esi, [esp+0F0h+var_C8]
		mov	eax, [esi]
		mov	[eax+98h], edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [esi+34h]
		test	ecx, ecx
		jz	short loc_81156D
		mov	edx, 6D44624Fh
		call	ObfDereferenceObjectWithTag

loc_81156D:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1161j
		mov	eax, [esi+8]
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	ecx, [esi]
		call	ObfDereferenceObject
		push	6D44624Fh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8115A3
; 

loc_81158A:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+113Dj
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_81159B:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+10FDj
		test	esi, esi
		jle	loc_811793

loc_8115A3:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1188j
		mov	edi, [esp+34h]
		mov	[esp+0F0h+var_C8], 0

loc_8115AF:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+10DCj
		mov	esi, [ebp+arg_20]
		cmp	byte ptr [esi+12h], 0
		jz	short loc_8115C1
		mov	ecx, [esi]
		mov	edx, esi
		call	_ObpUnlockDirectory@8 ;	ObpUnlockDirectory(x,x)

loc_8115C1:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+11B6j
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	loc_810883
		call	ObfDereferenceObject
		mov	dword ptr [esi+4], 0
		jmp	loc_810883
; 

loc_8115DD:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+E64j
		test	edi, edi
		jnz	loc_811752

loc_8115E5:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+E6Cj
		cmp	word ptr [esp+0C8h+var_B0], 0
		jz	short loc_8115FA
		mov	[esp+0C8h+var_B8], 0C000003Ah
		jmp	loc_8117A2
; 

loc_8115FA:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+11EBj
		mov	esi, [ebp+arg_14]
		test	esi, esi
		jnz	short loc_81160E

loc_811601:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1039j
		mov	[esp+0C8h+var_B8], 0C0000034h
		jmp	loc_8117A2
; 

loc_81160E:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+11FFj
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		cmp	ecx, _ObpDirectoryObjectType
		lea	ecx, [esp+0C8h+var_B8]
		mov	edi, [ebp+arg_1C]
		mov	ebx, [esp+0C8h+var_84]
		setz	al
		push	ecx
		push	[esp+0CCh+var_74]
		lea	ecx, [esp+0D0h+var_64]
		push	0
		push	ecx
		push	edi
		lea	eax, ds:4[eax*4]
		push	eax
		push	ebx
		call	ObCheckCreateObjectAccess
		test	al, al
		jnz	short loc_811662
		cmp	[esp+0C8h+var_B8], 0
		mov	esi, [esp+0C8h+var_B4]
		jl	loc_8117A6
		mov	[esp+0C8h+var_B8], 0C0000034h
		jmp	loc_8117A6
; 

loc_811662:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1244j
		mov	edi, [ebx+0ACh]
		add	esi, 0FFFFFFE8h
		cmp	edi, 0FFFFFFFFh
		jz	short loc_8116C0
		mov	eax, [ebp+arg_4]
		cmp	eax, ds:_MmSectionObjectType
		jz	short loc_811683
		cmp	eax, _ObpSymbolicLinkObjectType
		jnz	short loc_8116C0

loc_811683:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1279j
		call	_PsGetCurrentProcessSessionId@0	; PsGetCurrentProcessSessionId()
		cmp	edi, eax
		jz	short loc_8116C0
		push	[esp+0C8h+var_74]
		mov	eax, ds:dword_A94A2C
		push	eax
		mov	eax, ds:_SeCreateGlobalPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_8116C0
		mov	edx, [esp+0C8h+var_80]
		lea	ecx, [esp+0C8h+var_64]
		shr	edx, 6
		and	dl, 1
		call	_ObpIsUnsecureName@8 ; ObpIsUnsecureName(x,x)
		test	al, al
		jz	loc_81179A

loc_8116C0:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+126Ej
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1281j	...
		movzx	ebx, word ptr [esp+0C8h+var_64]
		push	6D4E624Fh
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_811748
		push	[ebp+arg_20]
		mov	edx, [ebp+arg_14]
		mov	ecx, [esp+0CCh+var_84]
		call	_ObpInsertDirectoryEntry@12 ; ObpInsertDirectoryEntry(x,x,x)
		test	al, al
		jz	short loc_811740
		push	ebx		; size_t
		push	[esp+0CCh+var_60] ; void *
		push	edi		; void *
		call	_memcpy
		movzx	eax, byte ptr [esi+0Eh]
		add	esp, 0Ch
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	esi, eax
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_811718
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_811718:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+130Ej
		mov	ax, word ptr [esp+0C8h+var_64]
		mov	[esi+4], ax
		mov	[esi+6], ax
		mov	eax, [ebp+arg_14]
		mov	[esi+8], edi
		mov	esi, [esp+0C8h+var_B4]
		mov	[esp+0C8h+var_A4], eax
		mov	[esp+0C8h+var_B8], 0
		jmp	loc_8117F0
; 

loc_811740:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+12E9j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_811748:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+12D6j
		mov	[esp+0C8h+var_B8], 0C000009Ah
		jmp	short loc_8117A2
; 

loc_811752:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+11DFj
		mov	edx, [esp+0C8h+var_5C]

loc_811756:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+801j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+80Cj
		mov	esi, [esp+0C8h+var_B4]
		mov	[esp+0C8h+var_B8], edx
		jmp	short loc_811783
; 

loc_811760:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+7BAj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1047j	...
		mov	[esp+0C8h+var_B8], 0C0000033h
		jmp	short loc_8117A2
; 

loc_81176A:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+746j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+EE3j
		mov	[esp+0C8h+var_B8], 0C0000024h
		jmp	short loc_8117A2
; 

loc_811774:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1015j
		test	esi, esi
		jnz	short loc_811781
		mov	edx, 0C0000034h
		mov	[esp+0F0h+var_E0], edx

loc_811781:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1376j
		xor	esi, esi

loc_811783:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+ED2j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+135Ej
		test	edx, edx
		js	short loc_8117A6
		jmp	short loc_8117F0
; 

loc_811789:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+102Bj
		mov	[esp+0F0h+var_E0], 0C000050Bh
		jmp	short loc_8117A2
; 

loc_811793:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+119Dj
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_81179A:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+FF9j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+12BAj
		mov	[esp+0F0h+var_E0], 0C0000022h

loc_8117A2:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+FCDj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+11F5j	...
		mov	esi, [esp+0F0h+var_DC]

loc_8117A6:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+124Fj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+125Dj	...
		mov	ebx, [ebp+arg_20]
		cmp	byte ptr [ebx+12h], 0
		jz	short loc_8117DD
		mov	ecx, [ebx]
		xor	edx, edx
		add	ecx, 94h
		call	ExReleasePushLockEx
		mov	ecx, [ebx]
		mov	dword ptr [ebx+14h], 0EEEE1234h
		call	ObfDereferenceObject
		mov	dword ptr [ebx], 0
		mov	word ptr [ebx+12h], 0
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_8117DD:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+13ADj
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jz	short loc_8117F0
		call	ObfDereferenceObject
		mov	dword ptr [ebx+4], 0

loc_8117F0:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+133Bj
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1387j	...
		mov	eax, [esp+0F0h+var_C8]
		test	eax, eax
		jz	short loc_8117FF
		mov	ecx, eax
		call	ObfDereferenceDeviceMap

loc_8117FF:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+13F6j
		mov	ecx, [esp+0F0h+var_D0]
		test	ecx, ecx
		jz	short loc_81180C
		call	ObfDereferenceObject

loc_81180C:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1405j
		test	esi, esi
		jz	short loc_811817
		mov	ecx, esi
		call	ObfDereferenceObject

loc_811817:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+140Ej
		call	SeClearLearningModeObjectInformation
		mov	ecx, [esp+0F0h+var_E0]
		test	ecx, ecx
		js	short loc_81184D
		mov	edx, [ebp+arg_24]
		test	edx, edx
		jz	short loc_811839
		mov	eax, [esp+0F0h+var_70]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_811839
		mov	[edx], eax

loc_811839:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1429j
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1435j
		mov	edx, [ebp+arg_28]
		mov	eax, [esp+0F0h+var_CC]
		mov	[edx], eax
		mov	eax, ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_81184D:				; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1422j
		mov	eax, [ebp+arg_28]
		pop	edi
		pop	esi
		pop	ebx
		mov	dword ptr [eax], 0
		mov	eax, ecx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
_ObpLookupObjectName@52	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmPostCallbackNotificationEx(x, x, x, x, x,	x)
_CmPostCallbackNotificationEx@24 proc near ; CODE XREF:	CmUnloadKey+322p
					; NtDeleteKey+1EAp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		cmp	_CmpCallBackCount, 0
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jz	short loc_8118F3
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_8118F3
		mov	eax, [ebp+arg_C]
		cmp	[eax], eax
		jz	short loc_8118F3
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_24]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_1C], ecx
		lea	ecx, [ebp+var_24]
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+arg_8]
		push	eax
		mov	[ebp+var_4], ecx
		lea	eax, [ebp+var_8]
		neg	ecx
		mov	[ebp+var_14], 0
		push	esi
		push	edi
		sbb	ecx, ecx
		mov	[ebp+var_10], 0
		and	ecx, eax
		mov	[ebp+var_C], 0
		push	0
		push	ecx
		mov	ecx, edi
		mov	[ebp+var_24], esi
		call	CmpCallCallBacksEx
		mov	eax, [ebp+var_18]

loc_8118EB:				; CODE XREF: CmPostCallbackNotificationEx(x,x,x,x,x,x)+86j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_8118F3:				; CODE XREF: CmPostCallbackNotificationEx(x,x,x,x,x,x)+15j
					; CmPostCallbackNotificationEx(x,x,x,x,x,x)+23j ...
		mov	eax, [ebp+arg_0]
		jmp	short loc_8118EB
_CmPostCallbackNotificationEx@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpPerformCompleteKcbCacheLookup proc near ; CODE XREF:	CmpGetSymbolicLinkTarget+87Bp
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+734p

var_66		= byte ptr -66h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_52		= byte ptr -52h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0091D924 SIZE 000002F2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		push	ebx
		mov	eax, ecx
		mov	[esp+58h+var_44], edx
		push	esi
		push	edi
		mov	[esp+60h+var_14], eax
		mov	esi, eax
		mov	[esp+60h+var_40], eax
		mov	[esp+60h+var_30], 0

loc_811926:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+44Dj
		mov	ebx, [esi+10h]
		xor	edx, edx
		mov	[esp+60h+var_34], ebx
		mov	eax, 1
		mov	[esp+60h+var_48], edx
		mov	[esp+60h+var_51], dl
		lock xadd [esi], eax
		inc	eax
		jz	loc_91DBCB
		cmp	eax, 1
		jz	loc_91DBE2
		mov	eax, [esp+60h+var_44]
		mov	edi, esi
		mov	ecx, eax
		mov	esi, [esi+8]
		mov	[esp+60h+var_50], edi
		mov	[esp+60h+var_38], eax
		cmp	eax, [ebp+arg_0]
		jnb	loc_811A75
		lea	edx, ds:0FFFFFFE0h[eax*4]
		mov	[esp+60h+var_28], edx
		jmp	short loc_811980
; 
		align 10h

loc_811980:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+77j
					; CmpPerformCompleteKcbCacheLookup+332j
		mov	eax, [ebp+arg_4]
		cmp	ecx, 8
		jnb	loc_811EFE

loc_81198C:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+601j
		lea	eax, [eax+ecx*8]
		add	eax, 20h
		mov	[esp+60h+var_2C], eax
		mov	eax, [ebp+arg_4]
		cmp	ecx, 8
		jnb	loc_811F06
		mov	eax, [eax+edx+20h]

loc_8119A6:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+60Cj
		imul	esi, 25h
		mov	ecx, ebx
		add	esi, eax
		push	esi
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		xor	edx, edx
		lea	ecx, [eax+eax*2]
		mov	eax, [ebx+434h]
		lea	ecx, [eax+ecx*4]
		call	ExAcquirePushLockSharedEx
		mov	edx, [ebx+9D8h]
		test	edx, edx
		jz	loc_91DB4C

loc_8119D4:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+647j
		lea	ecx, [edx+1]
		mov	eax, edx
		lea	edi, [ebx+9D8h]
		lock cmpxchg [edi], ecx
		mov	edi, [esp+60h+var_50]
		cmp	eax, edx
		jnz	loc_811F43
		push	esi
		mov	ecx, ebx
		mov	[esp+64h+var_10], 0
		mov	[esp+64h+var_C], 0
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		lea	ecx, [eax+eax*2]
		mov	eax, [ebx+434h]
		mov	eax, [eax+ecx*4+8]
		mov	[esp+60h+var_4C], eax
		test	eax, eax
		jz	short loc_811A33
		lea	esp, [esp+0]

loc_811A20:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+131j
		cmp	[eax], esi
		jz	loc_811AC2

loc_811A28:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+1CCj
					; CmpPerformCompleteKcbCacheLookup+10C03Fj
		mov	eax, [eax+4]
		mov	[esp+60h+var_4C], eax
		test	eax, eax
		jnz	short loc_811A20

loc_811A33:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+11Aj
					; CmpPerformCompleteKcbCacheLookup+26Ej
		mov	edi, [esp+60h+var_34]
		mov	ecx, edi
		push	esi
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		xor	edx, edx
		lea	ecx, [eax+eax*2]
		mov	eax, [edi+434h]
		mov	dword ptr [eax+ecx*4+4], 0
		lea	ecx, [eax+ecx*4]
		call	ExReleasePushLockEx
		or	eax, 0FFFFFFFFh
		lea	ecx, [edi+9D8h]
		lock xadd [ecx], eax
		jz	loc_91D98E

loc_811A6D:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C095j
		mov	edi, [esp+60h+var_50]

loc_811A71:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+328j
		mov	edx, [esp+60h+var_48]

loc_811A75:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+66j
					; CmpPerformCompleteKcbCacheLookup+30Fj
		mov	ebx, [esp+60h+var_40]
		cmp	ebx, [esp+60h+var_14]
		jnz	loc_811D52

loc_811A83:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+45Aj
		mov	esi, [esp+60h+var_30]
		movsx	eax, dx
		add	esi, edx
		add	[esp+60h+var_44], eax
		test	dword ptr [edi+68h], 20000h
		mov	[esp+60h+var_30], esi
		jnz	loc_811C3E

loc_811AA1:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+5F9j
		mov	eax, [ebp+arg_C]
		mov	cl, [esp+60h+var_51]
		mov	[eax], edi
		mov	eax, [ebp+arg_10]
		mov	[eax], cl
		mov	eax, [ebp+arg_14]
		mov	[eax], si
		xor	esi, esi

loc_811AB7:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C2B9j
					; CmpPerformCompleteKcbCacheLookup+10C2C6j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_811AC2:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+122j
		lea	ebx, [eax-8]
		mov	[esp+60h+var_3C], ebx
		cmp	[ebx+24h], edi
		jnz	loc_811A28
		mov	edi, [ebx+28h]
		test	byte ptr [edi],	1
		lea	edx, [edi+0Eh]
		jz	loc_811F73
		mov	eax, [esp+60h+var_2C]
		movzx	edi, word ptr [edi+0Ch]
		mov	ecx, [eax+4]
		mov	ax, [eax]
		shr	ax, 1
		movzx	ebx, ax
		test	bx, bx
		jz	short loc_811B58
		lea	ebx, [ebx+0]

loc_811B00:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+256j
		test	di, di
		jz	short loc_811B58
		movzx	eax, word ptr [ecx]
		add	ecx, 2
		mov	[esp+60h+var_1C], ecx
		movzx	ecx, byte ptr [edx]
		inc	edx
		mov	[esp+60h+var_24], ecx
		mov	[esp+60h+var_20], edx
		cmp	ax, cx
		jz	short loc_811B41
		cmp	eax, 61h
		jb	short loc_811B33
		cmp	eax, 7Ah
		ja	loc_91D924
		add	eax, 0FFE0h

loc_811B33:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+223j
					; CmpPerformCompleteKcbCacheLookup+10C032j
		movzx	ecx, cx
		movzx	edx, ax
		sub	edx, ecx
		jnz	short loc_811B60
		mov	edx, [esp+60h+var_20]

loc_811B41:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+21Ej
		add	ebx, 0FFFFh
		add	edi, 0FFFFh
		test	bx, bx
		jz	short loc_811B58
		mov	ecx, [esp+60h+var_1C]
		jmp	short loc_811B00
; 

loc_811B58:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+1F8j
					; CmpPerformCompleteKcbCacheLookup+203j ...
		movzx	eax, di
		movzx	edx, bx
		sub	edx, eax

loc_811B60:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+23Bj
		test	edx, edx
		jnz	loc_91D937
		mov	ebx, [esp+60h+var_3C]

loc_811B6C:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+696j
		test	ebx, ebx
		jz	loc_811A33
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	loc_811D65
		mov	edi, edi

loc_811B80:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+668j
		lea	edx, [ecx+1]
		test	edx, edx
		jz	loc_91DB30
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jnz	loc_811F64

loc_811B99:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+5BCj
					; CmpPerformCompleteKcbCacheLookup+10C070j ...
		mov	eax, [ebp+arg_0]
		mov	ecx, [esp+60h+var_38]
		dec	eax
		cmp	ecx, eax
		jz	loc_811C37
		mov	edi, [esp+60h+var_34]
		mov	ecx, edi
		push	esi
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		xor	edx, edx
		lea	ecx, [eax+eax*2]
		mov	eax, [edi+434h]
		mov	dword ptr [eax+ecx*4+4], 0
		lea	ecx, [eax+ecx*4]
		call	ExReleasePushLockEx
		or	eax, 0FFFFFFFFh
		lea	ecx, [edi+9D8h]
		lock xadd [ecx], eax
		jz	loc_91D982

loc_811BE3:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C089j
		mov	ecx, [esp+60h+var_38]

loc_811BE7:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+33Cj
		mov	edx, [esp+60h+var_50]
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		dec	eax
		jz	loc_91DB59
		mov	edx, [esp+60h+var_48]
		mov	edi, ebx
		inc	edx
		mov	[esp+60h+var_50], edi
		test	dword ptr [ebx+68h], 100000h
		mov	[esp+60h+var_48], edx
		jnz	loc_811A75
		mov	edx, [esp+60h+var_28]
		inc	ecx
		add	edx, 4
		mov	[esp+60h+var_38], ecx
		mov	[esp+60h+var_28], edx
		cmp	ecx, [ebp+arg_0]
		jnb	loc_811A71
		mov	ebx, [esp+60h+var_34]
		jmp	loc_811980
; 

loc_811C37:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+2A3j
		mov	[esp+60h+var_51], 1
		jmp	short loc_811BE7
; 

loc_811C3E:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+19Bj
		lea	ebx, [edi+18h]
		xor	edx, edx
		mov	ecx, ebx
		mov	[esp+60h+var_20], ebx
		call	ExAcquirePushLockSharedEx
		add	edi, 1Ch
		mov	[esp+60h+var_1C], edi
		lock inc dword ptr [edi]
		mov	edx, [esp+60h+var_50]
		test	dword ptr [edx+68h], 20000h
		jz	loc_91DBD9
		mov	esi, [edx+38h]
		mov	eax, 1
		mov	[esp+60h+var_40], esi
		lock xadd [esi], eax
		inc	eax
		jz	loc_91DBCB
		cmp	eax, 1
		jz	loc_91DBE2
		mov	ecx, [esi+10h]
		test	byte ptr [ecx+64h], 20h
		jnz	loc_91D99A

loc_811C96:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C0A6j
		test	dword ptr [esi+4], 40000h
		jnz	loc_91DB80
		mov	esi, [edx+4]
		mov	eax, large fs:124h
		and	esi, 80000h
		cmp	[edi], eax
		jz	loc_91DA24
		lock dec dword ptr [edi]

loc_811CBD:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C12Aj
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		test	esi, esi
		mov	esi, [esp+60h+var_50]
		jnz	loc_91DA2F

loc_811CD2:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C136j
					; CmpPerformCompleteKcbCacheLookup+10C143j
		cmp	[esp+60h+var_51], 0
		jnz	loc_811EC7

loc_811CDD:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+5CEj
		lea	ecx, [esp+60h+var_8]
		mov	[esp+60h+var_8], 0
		mov	[esp+60h+var_4], 0
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		mov	eax, [esi]
		mov	ecx, [esi+10h]
		mov	[esp+60h+var_28], ecx
		cmp	eax, 1
		jbe	loc_91DA64

loc_811D08:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+659j
		lea	edx, [eax-1]
		mov	esi, eax
		cmp	edx, 2
		jz	loc_811F11

loc_811D16:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+61Cj
					; CmpPerformCompleteKcbCacheLookup+10C14Fj
		xor	bl, bl

loc_811D18:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C157j
		mov	edi, [esp+60h+var_50]
		mov	ecx, edx
		lock cmpxchg [edi], ecx
		mov	edi, [esp+60h+var_1C]
		cmp	eax, esi
		jnz	loc_811F52
		cmp	eax, edx
		jb	loc_91DB6F
		test	bl, bl
		jnz	loc_91DB1B

loc_811D3E:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C216j
					; CmpPerformCompleteKcbCacheLookup+10C224j
		cmp	[esp+60h+var_51], 0
		jnz	loc_811ED3
		mov	esi, [esp+60h+var_40]
		jmp	loc_811926
; 

loc_811D52:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+17Dj
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		dec	eax
		jnz	loc_811A83
		jmp	loc_91DB59
; 

loc_811D65:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+278j
					; CmpPerformCompleteKcbCacheLookup+66Ej
		lea	edi, [ebx+18h]
		xor	edx, edx
		mov	ecx, edi
		mov	[esp+60h+var_20], edi
		call	ExAcquirePushLockSharedEx
		lea	ecx, [ebx+1Ch]
		mov	[esp+60h+var_1C], ecx
		lock inc dword ptr [ecx]
		test	dword ptr [ebx+4], 80000h
		jnz	loc_91DB3E
		mov	eax, 1
		lock xadd [ebx], eax
		inc	eax
		jz	loc_91DB30
		test	byte ptr [ebx+20h], 2
		jz	loc_811E8D
		push	0
		xor	edx, edx
		mov	ecx, offset _CmpDelayedCloseTableLock
		call	KeAbPreAcquire
		mov	cl, 1
		mov	edi, eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		mov	eax, offset _CmpDelayedCloseTableLock
		lock btr dword ptr [eax], 0
		jnb	loc_811F27

loc_811DD0:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+630j
		test	edi, edi
		jz	short loc_811DD8
		or	byte ptr [edi+0Eh], 1

loc_811DD8:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+4D2j
		mov	eax, large fs:124h
		mov	dword_6CE024, eax
		movzx	eax, bl
		mov	ebx, [esp+60h+var_4C]
		mov	dword_6CE03C, eax
		mov	al, [ebx+18h]
		test	al, 2
		jz	short loc_811E4A
		lea	ecx, [ebx+70h]
		test	al, 4
		jnz	loc_91D944
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	loc_91DB29
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_91DB29
		dec	_CmpDelayedCloseElements
		mov	[eax], edx
		mov	[edx+4], eax
		add	ds:dword_A94398, 0FFFFFFFFh
		adc	ds:dword_A9439C, 0FFFFFFFFh

loc_811E30:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C04Dj
		mov	[ecx+4], ecx
		lea	eax, [esp+60h+var_18]
		mov	[ecx], ecx
		xor	ecx, ecx
		mov	[esp+60h+var_18], 0
		lock or	[eax], ecx
		and	byte ptr [ebx+18h], 0FDh

loc_811E4A:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+4F4j
		mov	bl, byte ptr dword_6CE03C
		mov	ecx, 1
		mov	dword_6CE024, 0
		xor	eax, eax
		mov	edi, offset _CmpDelayedCloseTableLock
		lock cmpxchg [edi], ecx
		test	eax, eax
		jnz	loc_811F35

loc_811E72:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+63Ej
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [esp+60h+var_1C]
		mov	edi, [esp+60h+var_20]
		mov	ebx, [esp+60h+var_3C]

loc_811E8D:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+4A0j
		test	dword ptr [ebx+4], 80000h
		jnz	loc_91D952
		xor	bl, bl

loc_811E9C:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C054j
		mov	eax, large fs:124h
		cmp	[ecx], eax
		jz	loc_91D959
		lock dec dword ptr [ecx]

loc_811EAD:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C064j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		test	bl, bl
		mov	ebx, [esp+60h+var_3C]
		jz	loc_811B99
		jmp	loc_91D969
; 

loc_811EC7:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+3D7j
		mov	ecx, esi
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)
		jmp	loc_811CDD
; 

loc_811ED3:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+443j
		mov	ebx, [esp+60h+var_40]
		mov	ecx, ebx
		mov	edi, ebx
		call	CmpLockHashEntrySharedByKcb
		lea	ecx, [ebx+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [ebx+1Ch]
		mov	esi, [esp+60h+var_30]

loc_811EF2:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C2DDj
		mov	ecx, edi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		jmp	loc_811AA1
; 

loc_811EFE:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+86j
		mov	eax, [eax+60h]
		jmp	loc_81198C
; 

loc_811F06:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+9Cj
		mov	eax, [eax+60h]
		mov	eax, [eax+edx]
		jmp	loc_8119A6
; 

loc_811F11:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+410j
		mov	ebx, [esp+60h+var_50]
		test	dword ptr [ebx+68h], 40000h
		jz	loc_811D16
		jmp	loc_91DA48
; 

loc_811F27:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+4CAj
		mov	edx, edi
		mov	ecx, eax
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		jmp	loc_811DD0
; 

loc_811F35:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+56Cj
		mov	edx, eax
		mov	ecx, edi
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)
		jmp	loc_811E72
; 

loc_811F43:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+E9j
		mov	edx, eax
		test	eax, eax
		jnz	loc_8119D4
		jmp	loc_91DB4C
; 

loc_811F52:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+428j
		mov	ecx, [esp+60h+var_28]
		cmp	eax, 1
		ja	loc_811D08
		jmp	loc_91DA5C
; 

loc_811F64:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+293j
		mov	ecx, eax
		test	eax, eax
		jnz	loc_811B80
		jmp	loc_811D65
; 

loc_811F73:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+1DBj
		movzx	eax, word ptr [edi+0Ch]
		mov	ecx, [esp+60h+var_2C]
		mov	[esp+60h+var_C], edx
		lea	edx, [esp+60h+var_10]
		push	2
		mov	word ptr [esp+64h+var_10], ax
		mov	word ptr [esp+64h+var_10+2], ax
		call	CmpCompareUnicodeString
		test	eax, eax
		jz	loc_811B6C
		jmp	loc_91D937
CmpPerformCompleteKcbCacheLookup endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCallCallBacksEx proc	near		; CODE XREF: CmUnloadKey+2ACp
					; NtDeleteKey+111p ...

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0091DC16 SIZE 00000057 BYTES
; FUNCTION CHUNK AT 0091DCA2 SIZE 0000020A BYTES
; FUNCTION CHUNK AT 0091DECC SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A57C8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 78h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, edx
		mov	[ebp+var_50], esi
		mov	ebx, ecx
		mov	[ebp+var_24], ebx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_5C], esi
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_58], eax
		mov	[ebp+var_28], 0
		xor	eax, eax
		mov	[ebp+var_88], eax
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_19], al
		mov	ecx, large fs:124h
		mov	[ebp+var_34], ecx
		mov	al, byte ptr [ebp+arg_4]
		mov	byte ptr [ebp+arg_C+3],	al
		cmp	al, 1
		jnz	loc_8122CD
		mov	eax, [ecx+358h]
		test	eax, eax
		jnz	loc_8125AD
		mov	edi, offset _CallbackListHead

loc_812059:				; CODE XREF: CmpCallCallBacksEx+600j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpCallbackListLock
		call	ExAcquirePushLockSharedEx

loc_812073:				; CODE XREF: CmpCallCallBacksEx+E5j
					; CmpCallCallBacksEx+3D4j
		mov	edi, [edi]
		mov	[ebp+var_38], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_1A], 1
		cmp	edi, offset _CallbackListHead
		jz	loc_812167
		lea	ecx, [edi+8]
		mov	[ebp+var_44], ecx
		mov	eax, [ecx]
		test	eax, eax
		js	short loc_812073
		lock inc dword ptr [ecx]
		xor	edx, edx
		mov	ecx, offset _CmpCallbackListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		nop
		add	word ptr [ecx+13Ch], 1
		jz	loc_91DBF2

loc_8120BC:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C2F8j
					; CmpPerformCompleteKcbCacheLookup+10C306j ...
		xor	al, al
		mov	[ebp+var_1A], al
		mov	[ebp+var_1B], al
		mov	ecx, offset _CmpCallbackContextSList
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edx, eax
		mov	[ebp+var_48], edx
		test	edx, edx
		jz	loc_81291A
		mov	[ebp+var_4C], edx

loc_8120DE:				; CODE XREF: CmpCallCallBacksEx+980j
		test	edx, edx
		jz	loc_91DC16
		mov	[edx+0Ch], edi
		mov	dword ptr [edx+10h], 0
		lea	ecx, [edx+8]
		mov	eax, [ebp+var_34]
		mov	eax, [eax+358h]
		mov	[ecx], eax
		mov	eax, [ebp+var_34]
		mov	[eax+358h], ecx
		mov	eax, [ebp+arg_10]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_91DF02
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[eax+4], edx
		add	edi, 10h
		cmp	ebx, 30h
		ja	loc_812300
		movzx	eax, ds:byte_8129A4[ebx]
		jmp	ds:off_81296C[eax*4]

loc_812139:				; DATA XREF: PAGE:00812994o
		mov	eax, [esi+4]
		mov	[ebp+var_44], eax
		mov	[ebp+var_30], 0
		test	eax, eax
		jz	short loc_81215D
		cmp	dword ptr [eax], 6B793032h
		jnz	short loc_81215D
		add	eax, 28h
		cmp	[eax], eax
		jnz	loc_8126E2

loc_81215D:				; CODE XREF: CmpCallCallBacksEx+198j
					; CmpCallCallBacksEx+1A0j
		xor	edi, edi
		mov	[esi+30h], edi
		jmp	loc_812300
; 

loc_812167:				; CODE XREF: CmpCallCallBacksEx+D5j
		mov	ebx, [ebp+var_28]
		mov	al, byte ptr [ebp+arg_C+3]

loc_81216D:				; CODE XREF: CmpCallCallBacksEx+10BCACj
		mov	edi, [ebp+var_24]

loc_812170:				; CODE XREF: CmpCallCallBacksEx+10BD66j
		cmp	[ebp+var_1A], 0
		jz	short loc_81219E
		xor	edx, edx
		mov	ecx, offset _CmpCallbackListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		nop
		add	word ptr [ecx+13Ch], 1
		jz	loc_91DD26

loc_812198:				; CODE XREF: CmpCallCallBacksEx+10BD7Cj
					; CmpCallCallBacksEx+10BD8Aj ...
		mov	ebx, [ebp+var_28]
		mov	al, byte ptr [ebp+arg_C+3]

loc_81219E:				; CODE XREF: CmpCallCallBacksEx+1C4j
		mov	edx, [ebp+arg_0]

loc_8121A1:				; CODE XREF: CmpCallCallBacksEx+323j
		test	al, al
		jz	short loc_8121C8
		mov	ecx, [ebp+var_20]

loc_8121A8:				; CODE XREF: CmpCallCallBacksEx+235j
		cmp	[ebp+var_19], 1
		jz	loc_91DF09

loc_8121B2:				; CODE XREF: CmpCallCallBacksEx+10BF5Bj
					; CmpCallCallBacksEx+10BF66j ...
		mov	eax, ebx
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8121C8:				; CODE XREF: CmpCallCallBacksEx+1F3j
		cmp	[ebp+var_19], 1
		jz	loc_91DD4A
		mov	[ebp+var_20], esi
		mov	[ebp+var_3C], edx
		mov	edx, edi
		mov	[ebp+arg_8], edx
		mov	ecx, esi
		nop

loc_8121E0:				; CODE XREF: CmpCallCallBacksEx+318j
					; CmpCallCallBacksEx+10BE1Bj ...
		mov	eax, [ebp+arg_10]
		cmp	[eax], eax
		jz	short loc_8121A8
		mov	esi, [eax+4]
		mov	[ebp+var_60], esi
		mov	ecx, [esi+4]
		cmp	[esi], eax
		jnz	loc_91DF02
		cmp	[ecx], esi
		jnz	loc_91DF02
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	edi, [esi+0Ch]
		mov	[ebp+var_48], edi
		mov	eax, [esi+10h]
		mov	ecx, [ebp+var_20]
		mov	[ecx+10h], eax
		cmp	edx, 30h
		ja	short loc_81222E
		movzx	eax, ds:byte_812A04[edx]
		jmp	ds:off_8129D8[eax*4]

loc_812227:				; DATA XREF: PAGE:008129F0o
		mov	dword ptr [ecx+14h], 0

loc_81222E:				; CODE XREF: CmpCallCallBacksEx+267j
					; CmpCallCallBacksEx+270j ...
		cmp	[ebp+arg_0], 0
		jnz	loc_8123C5

loc_812238:				; CODE XREF: CmpCallCallBacksEx+419j
		mov	eax, ecx

loc_81223A:				; CODE XREF: CmpCallCallBacksEx+422j
		mov	[ebp+var_4], 1
		push	eax
		push	edx
		mov	eax, [edi+18h]
		push	eax
		mov	eax, [edi+1Ch]
		call	eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_812256:				; CODE XREF: sub_91DEAC+1Bj
		mov	ecx, [ebp+var_34]
		mov	eax, [ecx+358h]
		test	eax, eax
		jz	short loc_81226B
		mov	eax, [eax]
		mov	[ecx+358h], eax

loc_81226B:				; CODE XREF: CmpCallCallBacksEx+2B1j
		mov	ecx, ds:_KeNumberProcessors
		imul	ecx, _CmpCallBackCount
		cmp	ecx, 40h
		ja	loc_91DECC

loc_812281:				; CODE XREF: CmpCallCallBacksEx+10BF21j
		movzx	eax, word ptr dword_6CE36C
		cmp	eax, ecx
		jnb	loc_81295B
		mov	edx, esi
		mov	ecx, offset _CmpCallbackContextSList
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_81229C:				; CODE XREF: CmpCallCallBacksEx+9B3j
		or	eax, 0FFFFFFFFh
		lock xadd [edi+8], eax
		dec	eax
		cmp	eax, 80000000h
		jz	loc_91DED6

loc_8122B0:				; CODE XREF: CmpCallCallBacksEx+10BF3Bj
					; CmpCallCallBacksEx+10BF4Dj
		mov	ecx, [ebp+var_20]
		cmp	[ebp+var_28], 0C0000503h
		jz	loc_812950

loc_8122C0:				; CODE XREF: CmpCallCallBacksEx+9A6j
		xor	ebx, ebx
		mov	[ebp+var_28], ebx
		mov	edx, [ebp+arg_8]
		jmp	loc_8121E0
; 

loc_8122CD:				; CODE XREF: CmpCallCallBacksEx+90j
		mov	ebx, [ebp+var_28]
		mov	edi, [ebp+var_24]
		jmp	loc_8121A1
; 

loc_8122D8:				; CODE XREF: CmpCallCallBacksEx+182j
					; DATA XREF: PAGE:00812988o
		mov	eax, [esi]
		mov	[ebp+var_44], eax
		mov	[ebp+var_30], 0
		test	eax, eax
		jz	short loc_8122FB
		cmp	dword ptr [eax], 6B793032h
		jnz	short loc_8122FB
		add	eax, 28h
		cmp	[eax], eax
		jnz	loc_81275B

loc_8122FB:				; CODE XREF: CmpCallCallBacksEx+336j
					; CmpCallCallBacksEx+33Ej ...
		xor	edi, edi

loc_8122FD:				; CODE XREF: CmpCallCallBacksEx+81Cj
		mov	[esi+1Ch], edi

loc_812300:				; CODE XREF: CmpCallCallBacksEx+175j
					; CmpCallCallBacksEx+182j ...
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_2C]
		test	eax, eax
		jnz	loc_8123B6

loc_81230E:				; CODE XREF: CmpCallCallBacksEx+40Aj
		mov	eax, esi

loc_812310:				; CODE XREF: CmpCallCallBacksEx+410j
		mov	[ebp+var_4], 0
		push	eax
		push	ebx
		mov	eax, [ecx+18h]
		push	eax
		mov	eax, [ecx+1Ch]
		call	eax
		mov	ebx, eax
		mov	[ebp+var_28], ebx
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [ebp+var_48]

loc_812331:				; CODE XREF: sub_91DC6D+30j
		mov	edi, [ebp+var_24]
		cmp	edi, 0Eh
		jz	loc_8123F8
		test	ebx, ebx
		js	loc_91DCA2

loc_812345:				; CODE XREF: CmpCallCallBacksEx+44Fj
		mov	ebx, edi
		cmp	ebx, 30h
		ja	short loc_812367
		movzx	eax, ds:byte_812A60[ebx]
		jmp	ds:off_812A38[eax*4]

loc_81235A:				; DATA XREF: PAGE:00812A3Co
		mov	eax, [esi+18h]
		mov	[ecx+10h], eax
		mov	dword ptr [esi+18h], 0

loc_812367:				; CODE XREF: CmpCallCallBacksEx+39Aj
					; CmpCallCallBacksEx+3A3j ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpCallbackListLock
		call	ExAcquirePushLockSharedEx
		mov	edi, [ebp+var_2C]
		jmp	loc_812073
; 

loc_812389:				; CODE XREF: CmpCallCallBacksEx+270j
					; DATA XREF: PAGE:008129ECo
		mov	eax, [ecx]
		mov	[ebp+arg_4], 0
		test	eax, eax
		jz	short loc_8123AC
		cmp	dword ptr [eax], 6B793032h
		jnz	short loc_8123AC
		add	eax, 28h
		mov	[ebp+arg_C], eax
		cmp	[eax], eax
		jnz	loc_812663

loc_8123AC:				; CODE XREF: CmpCallCallBacksEx+3E4j
					; CmpCallCallBacksEx+3ECj
		xor	ebx, ebx
		mov	[ecx+14h], ebx
		jmp	loc_81222E
; 

loc_8123B6:				; CODE XREF: CmpCallCallBacksEx+358j
		test	byte ptr [ecx+0Ch], 1
		jz	loc_81230E
		jmp	loc_812310
; 

loc_8123C5:				; CODE XREF: CmpCallCallBacksEx+282j
		test	byte ptr [edi+0Ch], 1
		jz	loc_812238
		mov	eax, [ebp+var_3C]
		jmp	loc_81223A
; 

loc_8123D7:				; CODE XREF: CmpCallCallBacksEx+3A3j
					; DATA XREF: PAGE:00812A50o
		mov	eax, [esi+2Ch]
		mov	[ecx+10h], eax
		mov	dword ptr [esi+2Ch], 0
		jmp	short loc_812367
; 

loc_8123E6:				; CODE XREF: CmpCallCallBacksEx+3A3j
					; DATA XREF: PAGE:off_812A38o
		mov	eax, [esi+4]
		mov	[ecx+10h], eax
		mov	dword ptr [esi+4], 0
		jmp	loc_812367
; 

loc_8123F8:				; CODE XREF: CmpCallCallBacksEx+387j
		mov	[ebp+var_28], 0
		jmp	loc_812345
; 

loc_812404:				; CODE XREF: CmpCallCallBacksEx+182j
					; DATA XREF: PAGE:0081298Co
		mov	eax, [esi]
		mov	[ebp+var_44], eax
		mov	[ebp+var_30], 0
		test	eax, eax
		jz	short loc_812427
		cmp	dword ptr [eax], 6B793032h
		jnz	short loc_812427
		add	eax, 28h
		cmp	[eax], eax
		jnz	loc_8127EF

loc_812427:				; CODE XREF: CmpCallCallBacksEx+462j
					; CmpCallCallBacksEx+46Aj
		xor	edi, edi
		mov	[esi+8], edi
		jmp	loc_812300
; 

loc_812431:				; CODE XREF: CmpCallCallBacksEx+3A3j
					; DATA XREF: PAGE:00812A48o
		mov	eax, [esi+14h]
		mov	[ecx+10h], eax
		mov	dword ptr [esi+14h], 0
		jmp	loc_812367
; 

loc_812443:				; CODE XREF: CmpCallCallBacksEx+182j
					; DATA XREF: PAGE:00812984o
		mov	eax, [esi]
		mov	[ebp+var_44], eax
		mov	[ebp+var_30], 0
		test	eax, eax
		jz	short loc_812466
		cmp	dword ptr [eax], 6B793032h
		jnz	short loc_812466
		add	eax, 28h
		cmp	[eax], eax
		jnz	loc_812886

loc_812466:				; CODE XREF: CmpCallCallBacksEx+4A1j
					; CmpCallCallBacksEx+4A9j
		xor	edi, edi
		mov	[esi+18h], edi
		jmp	loc_812300
; 

loc_812470:				; CODE XREF: CmpCallCallBacksEx+182j
					; DATA XREF: PAGE:00812980o
		mov	eax, [esi]
		mov	[ebp+var_44], eax
		mov	[ebp+var_30], 0
		test	eax, eax
		jz	loc_8122FB
		cmp	dword ptr [eax], 6B793032h
		jnz	loc_8122FB
		add	eax, 28h
		cmp	[eax], eax
		jz	loc_8122FB
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+var_44]
		add	ecx, 28h
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	loc_81287E
		mov	edx, [edi]
		mov	[ebp+var_44], edx
		mov	edx, [edi+4]
		mov	edi, [ebp+var_44]

loc_8124D0:				; CODE XREF: CmpCallCallBacksEx+55Bj
		mov	ebx, [eax+10h]
		mov	[ebp+var_40], ebx
		mov	ebx, [eax+14h]
		mov	[ebp+var_44], ebx
		cmp	[ebp+var_40], edi
		mov	ebx, [ebp+var_24]
		jnz	short loc_8124ED
		cmp	[ebp+var_44], edx
		jz	loc_8127B1

loc_8124ED:				; CODE XREF: CmpCallCallBacksEx+532j
		cmp	[ebp+var_44], edx
		jg	short loc_812501
		jl	loc_81287E
		cmp	[ebp+var_40], edi
		jb	loc_81287E

loc_812501:				; CODE XREF: CmpCallCallBacksEx+540j
		mov	eax, [eax]
		cmp	eax, ecx
		jz	loc_81287E
		jmp	short loc_8124D0
; 

loc_81250D:				; CODE XREF: CmpCallCallBacksEx+182j
					; DATA XREF: PAGE:0081297Co
		mov	eax, [esi]
		mov	[ebp+var_44], eax
		mov	[ebp+var_30], 0
		test	eax, eax
		jz	loc_8122FB
		cmp	dword ptr [eax], 6B793032h
		jnz	loc_8122FB
		add	eax, 28h
		cmp	[eax], eax
		jz	loc_8122FB
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+var_44]
		add	ecx, 28h
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	loc_81287E
		mov	edx, [edi]
		mov	[ebp+var_44], edx
		mov	edx, [edi+4]
		mov	edi, [ebp+var_44]
		lea	ecx, [ecx+0]

loc_812570:				; CODE XREF: CmpCallCallBacksEx+5FBj
		mov	ebx, [eax+10h]
		mov	[ebp+var_44], ebx
		mov	ebx, [eax+14h]
		mov	[ebp+var_40], ebx
		cmp	[ebp+var_44], edi
		mov	ebx, [ebp+var_24]
		jnz	short loc_81258D
		cmp	[ebp+var_40], edx
		jz	loc_8127B1

loc_81258D:				; CODE XREF: CmpCallCallBacksEx+5D2j
		cmp	[ebp+var_40], edx
		jg	short loc_8125A1
		jl	loc_81287E
		cmp	[ebp+var_44], edi
		jb	loc_81287E

loc_8125A1:				; CODE XREF: CmpCallCallBacksEx+5E0j
		mov	eax, [eax]
		cmp	eax, ecx
		jz	loc_81287E
		jmp	short loc_812570
; 

loc_8125AD:				; CODE XREF: CmpCallCallBacksEx+9Ej
		mov	edi, [eax+4]
		jmp	loc_812059
; 

loc_8125B5:				; CODE XREF: CmpCallCallBacksEx+182j
					; DATA XREF: PAGE:00812970o
		mov	ecx, [esi]
		mov	edx, edi
		call	CmpGetCallbackObjectContext
		mov	[esi+1Ch], eax
		jmp	loc_812300
; 

loc_8125C6:				; CODE XREF: CmpCallCallBacksEx+182j
					; DATA XREF: PAGE:00812978o
		mov	edx, edi
		mov	ecx, [esi]
		call	CmpGetCallbackObjectContext
		mov	[esi+14h], eax
		jmp	loc_812300
; 

loc_8125D7:				; CODE XREF: CmpCallCallBacksEx+3A3j
					; DATA XREF: PAGE:00812A44o
		mov	eax, [esi+10h]
		mov	[ecx+10h], eax
		mov	dword ptr [esi+10h], 0
		jmp	loc_812367
; 

loc_8125E9:				; CODE XREF: CmpCallCallBacksEx+182j
					; DATA XREF: PAGE:00812974o
		mov	ecx, [esi]
		mov	edx, edi
		call	CmpGetCallbackObjectContext
		mov	[esi+0Ch], eax
		jmp	loc_812300
; 

loc_8125FA:				; CODE XREF: CmpCallCallBacksEx+3A3j
					; DATA XREF: PAGE:00812A40o
		mov	eax, [esi+8]
		mov	[ecx+10h], eax
		mov	dword ptr [esi+8], 0
		jmp	loc_812367
; 

loc_81260C:				; CODE XREF: CmpCallCallBacksEx+182j
					; DATA XREF: PAGE:00812998o
		mov	ecx, [esi]
		mov	edx, edi
		call	CmpGetCallbackObjectContext
		mov	[esi+24h], eax
		jmp	loc_812300
; 

loc_81261D:				; CODE XREF: CmpCallCallBacksEx+3A3j
					; DATA XREF: PAGE:00812A54o
		mov	eax, [esi+20h]
		mov	[ecx+10h], eax
		mov	dword ptr [esi+20h], 0
		jmp	loc_812367
; 

loc_81262F:				; CODE XREF: CmpCallCallBacksEx+182j
					; DATA XREF: PAGE:off_81296Co
		mov	ecx, [esi]
		mov	edx, edi
		call	CmpGetCallbackObjectContext
		mov	[esi+8], eax
		jmp	loc_812300
; 

loc_812640:				; CODE XREF: CmpCallCallBacksEx+182j
					; DATA XREF: PAGE:0081299Co
		mov	ecx, [esi]
		mov	edx, edi
		call	CmpGetCallbackObjectContext
		mov	[esi+10h], eax
		jmp	loc_812300
; 

loc_812651:				; CODE XREF: CmpCallCallBacksEx+3A3j
					; DATA XREF: PAGE:00812A58o
		mov	eax, [esi+0Ch]
		mov	[ecx+10h], eax
		mov	dword ptr [esi+0Ch], 0
		jmp	loc_812367
; 

loc_812663:				; CODE XREF: CmpCallCallBacksEx+3F6j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+arg_C]
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	short loc_8126B9
		mov	edx, [edi+10h]
		mov	[ebp+var_4C], edx
		mov	edx, [edi+14h]
		mov	[ebp+arg_C], edx

loc_812692:				; CODE XREF: CmpCallCallBacksEx+707j
		mov	ebx, [eax+10h]
		mov	edx, [eax+14h]
		cmp	ebx, [ebp+var_4C]
		jnz	short loc_8126A7
		cmp	edx, [ebp+arg_C]
		jnz	short loc_8126A7
		mov	ebx, [eax+20h]
		jmp	short loc_8126BC
; 

loc_8126A7:				; CODE XREF: CmpCallCallBacksEx+6EBj
					; CmpCallCallBacksEx+6F0j
		cmp	edx, [ebp+arg_C]
		jg	short loc_8126B3
		jl	short loc_8126B9
		cmp	ebx, [ebp+var_4C]
		jb	short loc_8126B9

loc_8126B3:				; CODE XREF: CmpCallCallBacksEx+6FAj
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	short loc_812692

loc_8126B9:				; CODE XREF: CmpCallCallBacksEx+6D4j
					; CmpCallCallBacksEx+6FCj ...
		mov	ebx, [ebp+arg_4]

loc_8126BC:				; CODE XREF: CmpCallCallBacksEx+6F5j
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+var_20]
		mov	[ecx+14h], ebx
		jmp	loc_81222E
; 

loc_8126E2:				; CODE XREF: CmpCallCallBacksEx+1A7j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+var_44]
		add	ecx, 28h
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	loc_8127E7
		mov	edx, [edi]
		mov	[ebp+var_44], edx
		mov	edx, [edi+4]
		mov	edi, [ebp+var_44]

loc_812717:				; CODE XREF: CmpCallCallBacksEx+831j
		mov	ebx, [eax+10h]
		mov	[ebp+var_40], ebx
		mov	ebx, [eax+14h]
		mov	[ebp+var_44], ebx
		cmp	[ebp+var_40], edi
		mov	ebx, [ebp+var_24]
		jnz	loc_8127D1
		cmp	[ebp+var_44], edx
		jnz	loc_8127D1
		mov	edi, [eax+20h]

loc_81273B:				; CODE XREF: CmpCallCallBacksEx+83Aj
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	[esi+30h], edi
		jmp	loc_812300
; 

loc_81275B:				; CODE XREF: CmpCallCallBacksEx+345j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+var_44]
		add	ecx, 28h
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	loc_81287E
		mov	edx, [edi]
		mov	[ebp+var_44], edx
		mov	edx, [edi+4]
		mov	edi, [ebp+var_44]

loc_812790:				; CODE XREF: CmpCallCallBacksEx+8C8j
		mov	ebx, [eax+10h]
		mov	[ebp+var_40], ebx
		mov	ebx, [eax+14h]
		mov	[ebp+var_44], ebx
		cmp	[ebp+var_40], edi
		mov	ebx, [ebp+var_24]
		jnz	loc_812868
		cmp	[ebp+var_44], edx
		jnz	loc_812868

loc_8127B1:				; CODE XREF: CmpCallCallBacksEx+537j
					; CmpCallCallBacksEx+5D7j
		mov	edi, [eax+20h]

loc_8127B4:				; CODE XREF: CmpCallCallBacksEx+8D1j
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_8122FD
; 

loc_8127D1:				; CODE XREF: CmpCallCallBacksEx+779j
					; CmpCallCallBacksEx+782j
		cmp	[ebp+var_44], edx
		jg	short loc_8127DD
		jl	short loc_8127E7
		cmp	[ebp+var_40], edi
		jb	short loc_8127E7

loc_8127DD:				; CODE XREF: CmpCallCallBacksEx+824j
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	loc_812717

loc_8127E7:				; CODE XREF: CmpCallCallBacksEx+756j
					; CmpCallCallBacksEx+826j ...
		mov	edi, [ebp+var_30]
		jmp	loc_81273B
; 

loc_8127EF:				; CODE XREF: CmpCallCallBacksEx+471j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+var_44]
		add	ecx, 28h
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	loc_812912
		mov	edx, [edi]
		mov	[ebp+var_44], edx
		mov	edx, [edi+4]
		mov	edi, [ebp+var_44]

loc_812824:				; CODE XREF: CmpCallCallBacksEx+95Cj
		mov	ebx, [eax+10h]
		mov	[ebp+var_40], ebx
		mov	ebx, [eax+14h]
		mov	[ebp+var_44], ebx
		cmp	[ebp+var_40], edi
		mov	ebx, [ebp+var_24]
		jnz	loc_8128FC
		cmp	[ebp+var_44], edx
		jnz	loc_8128FC
		mov	edi, [eax+20h]

loc_812848:				; CODE XREF: CmpCallCallBacksEx+965j
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	[esi+8], edi
		jmp	loc_812300
; 

loc_812868:				; CODE XREF: CmpCallCallBacksEx+7F2j
					; CmpCallCallBacksEx+7FBj
		cmp	[ebp+var_44], edx
		jg	short loc_812874
		jl	short loc_81287E
		cmp	[ebp+var_40], edi
		jb	short loc_81287E

loc_812874:				; CODE XREF: CmpCallCallBacksEx+8BBj
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	loc_812790

loc_81287E:				; CODE XREF: CmpCallCallBacksEx+50Fj
					; CmpCallCallBacksEx+542j ...
		mov	edi, [ebp+var_30]
		jmp	loc_8127B4
; 

loc_812886:				; CODE XREF: CmpCallCallBacksEx+4B0j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+var_44]
		add	ecx, 28h
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	loc_81294B
		mov	edx, [edi]
		mov	[ebp+var_44], edx
		mov	edx, [edi+4]
		mov	edi, [ebp+var_44]
		jmp	short loc_8128C0
; 
		align 10h

loc_8128C0:				; CODE XREF: CmpCallCallBacksEx+90Bj
					; CmpCallCallBacksEx+995j
		mov	ebx, [eax+10h]
		mov	[ebp+var_40], ebx
		mov	ebx, [eax+14h]
		mov	[ebp+var_44], ebx
		cmp	[ebp+var_40], edi
		mov	ebx, [ebp+var_24]
		jnz	short loc_812935
		cmp	[ebp+var_44], edx
		jnz	short loc_812935
		mov	edi, [eax+20h]

loc_8128DC:				; CODE XREF: CmpCallCallBacksEx+99Ej
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	[esi+18h], edi
		jmp	loc_812300
; 

loc_8128FC:				; CODE XREF: CmpCallCallBacksEx+886j
					; CmpCallCallBacksEx+88Fj
		cmp	[ebp+var_44], edx
		jg	short loc_812908
		jl	short loc_812912
		cmp	[ebp+var_40], edi
		jb	short loc_812912

loc_812908:				; CODE XREF: CmpCallCallBacksEx+94Fj
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	loc_812824

loc_812912:				; CODE XREF: CmpCallCallBacksEx+863j
					; CmpCallCallBacksEx+951j ...
		mov	edi, [ebp+var_30]
		jmp	loc_812848
; 

loc_81291A:				; CODE XREF: CmpCallCallBacksEx+125j
		push	69634D43h
		push	14h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_48], edx
		mov	[ebp+var_4C], eax
		jmp	loc_8120DE
; 

loc_812935:				; CODE XREF: CmpCallCallBacksEx+922j
					; CmpCallCallBacksEx+927j
		cmp	[ebp+var_44], edx
		jg	short loc_812941
		jl	short loc_81294B
		cmp	[ebp+var_40], edi
		jb	short loc_81294B

loc_812941:				; CODE XREF: CmpCallCallBacksEx+988j
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	loc_8128C0

loc_81294B:				; CODE XREF: CmpCallCallBacksEx+8FAj
					; CmpCallCallBacksEx+98Aj ...
		mov	edi, [ebp+var_30]
		jmp	short loc_8128DC
; 

loc_812950:				; CODE XREF: CmpCallCallBacksEx+30Aj
		mov	eax, [ecx+0Ch]
		mov	[ecx+4], eax
		jmp	loc_8122C0
; 

loc_81295B:				; CODE XREF: CmpCallCallBacksEx+2DAj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_81229C
CmpCallCallBacksEx endp

; 
		retn
; 
		retn
; 
		align 4
off_81296C	dd offset loc_81262F	; DATA XREF: CmpCallCallBacksEx+182r
		dd offset loc_8125B5
		dd offset loc_8125E9
		dd offset loc_8125C6
		dd offset loc_81250D
		dd offset loc_812470
		dd offset loc_812443
		dd offset loc_8122D8
		dd offset loc_812404
		dd offset loc_91DC61
		dd offset loc_812139
		dd offset loc_81260C
		dd offset loc_812640
		dd offset loc_812300
byte_8129A4	db 0			; DATA XREF: CmpCallCallBacksEx+17Br
		db 1, 2, 3
		dd 6050402h, 0D0D0107h,	3080D0Dh, 2 dup(3030303h), 90A0903h
		dd 300090Ah, 302030Bh, 30C0303h, 0C030C0Dh, 3030C03h, 498D03h
off_8129D8	dd offset loc_91DDEB	; DATA XREF: CmpCallCallBacksEx+270r
		dd offset loc_91DE1B
		dd offset loc_91DE03
		dd offset loc_91DE33
		dd offset loc_91DE4B
		dd offset loc_812389
		dd offset loc_812227
		dd offset loc_91DE63
		dd offset loc_91DE7C
		dd offset loc_91DE94
		dd offset loc_81222E
byte_812A04	db 0			; DATA XREF: CmpCallCallBacksEx+269r
		db 1, 2, 3
		dd 4010102h, 0A0A0101h,	5000A0Ah, 2 dup(5050505h), 6070605h
		dd 5000607h, 5020508h, 5090503h, 905090Ah, 3050905h, 498D05h
off_812A38	dd offset loc_8123E6	; DATA XREF: CmpCallCallBacksEx+3A3r
		dd offset loc_81235A
		dd offset loc_8125FA
		dd offset loc_8125D7
		dd offset loc_812431
		dd offset loc_91DD1B
		dd offset loc_8123D7
		dd offset loc_81261D
		dd offset loc_812651
		dd offset loc_812367
byte_812A60	db 0			; DATA XREF: CmpCallCallBacksEx+39Cr
		db 1, 2, 3
		dd 4010102h, 9090101h, 5000909h, 2 dup(5050505h), 5060505h
		dd 5000506h, 5020507h, 5080503h, 8050809h, 3050805h, 0CCCCCC05h
		dd 3 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmQueryPfnList	proc near		; CODE XREF: PfpPfnPrioRequest+83p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0091DF26 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		mov	ebx, ecx
		mov	[esp+8+var_4], eax
		push	esi
		mov	esi, edx
		shl	ebx, 4
		push	edi
		mov	edx, eax
		mov	ecx, offset _MiSystemPartition
		add	ebx, esi
		call	_MiLockDynamicMemoryShared@8 ; MiLockDynamicMemoryShared(x,x)
		cmp	esi, ebx
		jnb	short loc_812B01
		nop

loc_812AD0:				; CODE XREF: MmQueryPfnList+5Fj
		mov	edi, [esi+8]
		mov	ecx, edi
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jz	loc_91DF26
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, ds:0[edi*8]
		sub	ecx, edi
		mov	edx, esi
		lea	ecx, [eax+ecx*4]
		call	_MiIdentifyPfnWrapper@8	; MiIdentifyPfnWrapper(x,x)
		add	esi, 10h
		cmp	esi, ebx
		jb	short loc_812AD0

loc_812B01:				; CODE XREF: MmQueryPfnList+2Dj
		xor	esi, esi

loc_812B03:				; CODE XREF: MmQueryPfnList+10B48Fj
		mov	edx, [esp+10h+var_4]
		mov	ecx, offset _MiSystemPartition
		call	_MiUnlockDynamicMemoryShared@8 ; MiUnlockDynamicMemoryShared(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
MmQueryPfnList	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpGetProcessInformation proc near	; CODE XREF: PAGE:0077E9ABp
					; PAGE:0077EC1Bp

var_544		= dword	ptr -544h
var_524		= dword	ptr -524h
var_520		= dword	ptr -520h
var_4DC		= dword	ptr -4DCh
var_4D4		= byte ptr -4D4h
var_4D3		= byte ptr -4D3h
var_4D2		= byte ptr -4D2h
var_4D1		= byte ptr -4D1h
var_4B8		= dword	ptr -4B8h
var_4B4		= dword	ptr -4B4h
var_4B0		= dword	ptr -4B0h
var_4AC		= dword	ptr -4ACh
var_4A8		= dword	ptr -4A8h
var_4A0		= dword	ptr -4A0h
var_49C		= dword	ptr -49Ch
var_498		= dword	ptr -498h
var_48C		= dword	ptr -48Ch
var_470		= dword	ptr -470h
var_444		= dword	ptr -444h
var_438		= dword	ptr -438h
var_434		= dword	ptr -434h
var_430		= dword	ptr -430h
var_42C		= dword	ptr -42Ch
var_428		= dword	ptr -428h
var_424		= dword	ptr -424h
var_420		= dword	ptr -420h
var_41C		= dword	ptr -41Ch
var_418		= dword	ptr -418h
var_414		= dword	ptr -414h
var_410		= dword	ptr -410h
var_40C		= dword	ptr -40Ch
var_408		= dword	ptr -408h
var_404		= dword	ptr -404h
var_400		= dword	ptr -400h
var_3FC		= dword	ptr -3FCh
var_3F4		= dword	ptr -3F4h
var_3F0		= dword	ptr -3F0h
var_3EC		= dword	ptr -3ECh
var_3E0		= dword	ptr -3E0h
var_3DC		= dword	ptr -3DCh
var_3D6		= byte ptr -3D6h
var_3D5		= byte ptr -3D5h
var_3D4		= dword	ptr -3D4h
var_3D0		= dword	ptr -3D0h
var_3CC		= dword	ptr -3CCh
var_3C8		= dword	ptr -3C8h
var_3C4		= dword	ptr -3C4h
var_3C0		= dword	ptr -3C0h
var_3BC		= dword	ptr -3BCh
var_3B5		= byte ptr -3B5h
var_3B4		= dword	ptr -3B4h
var_3B0		= dword	ptr -3B0h
var_3AC		= dword	ptr -3ACh
var_3A8		= dword	ptr -3A8h
var_3A4		= dword	ptr -3A4h
var_1F4		= dword	ptr -1F4h
var_1AC		= dword	ptr -1ACh
var_AC		= dword	ptr -0ACh
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0091DF34 SIZE 0000004A BYTES
; FUNCTION CHUNK AT 0091DFDE SIZE 00000080 BYTES
; FUNCTION CHUNK AT 0091E0CA SIZE 0000001E BYTES
; FUNCTION CHUNK AT 0091E2AA SIZE 00000054 BYTES
; FUNCTION CHUNK AT 0091E44E SIZE 0000000D BYTES
; FUNCTION CHUNK AT 0091E4BB SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A57F0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 534h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_20], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_40C], edx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_430], eax
		mov	[ebp+var_41C], edx
		mov	[ebp+var_42C], ecx
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_3E0], esi
		mov	[ebp+var_3F0], 82h
		push	1B0h		; size_t
		push	0		; int
		lea	eax, [ebp+var_3A4]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_3F4], 0
		mov	[ebp+var_400], 0
		mov	[ebp+var_3EC], 0FEh
		mov	[ebp+var_3C4], 0
		push	68h		; size_t
		push	0		; int
		lea	eax, [ebp+var_544]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_3A8], 0
		mov	[ebp+var_3D5], 0
		mov	[ebp+var_3BC], 0
		mov	ecx, 8
		xor	eax, eax
		lea	edi, [ebp+var_4DC]
		rep stosd
		mov	[ebp+var_3CC], eax
		push	44h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_1F4]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	short loc_812C26
		mov	dword ptr [esi], 0

loc_812C26:				; CODE XREF: ExpGetProcessInformation+FEj
		cmp	[ebp+var_430], 5
		setnz	al
		mov	[ebp+var_49C], eax
		movzx	eax, al
		add	eax, 2
		shl	eax, 5
		mov	[ebp+var_404], eax
		mov	eax, [ebp+var_42C]
		mov	[ebp+var_3DC], eax
		cmp	[ebp+var_40C], 220h
		jb	loc_813BF1

loc_812C61:				; CODE XREF: ExpGetProcessInformation+10DDj
		mov	[ebp+var_3B5], 0
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		cmp	[ebp+arg_8], 94h
		jz	loc_813D39

loc_812C81:				; CODE XREF: ExpGetProcessInformation+1222j
		mov	cl, bl
		call	_ExIsRestrictedCaller@4	; ExIsRestrictedCaller(x)
		test	eax, eax
		jnz	loc_813D77

loc_812C90:				; CODE XREF: ExpGetProcessInformation+125Ej
		mov	[ebp+var_3B0], 0
		mov	[ebp+var_3FC], 0
		mov	cl, 1
		call	_KeFlushProcessWriteBuffers@4 ;	KeFlushProcessWriteBuffers(x)
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		mov	[ebp+var_470], eax
		mov	[ebp+var_4], 0
		mov	edi, ds:_PsIdleProcess

loc_812CC3:				; CODE XREF: ExpGetProcessInformation+FCAj
		mov	[ebp+var_3C4], edi
		mov	[ebp+var_3AC], edi

loc_812CCF:				; CODE XREF: ExpGetProcessInformation+C40j
		mov	ecx, offset _PspActiveProcessLock
		test	edi, edi
		jz	loc_813AEF
		test	byte ptr [edi+0FCh], 4
		jnz	loc_813842

loc_812CE9:				; CODE XREF: ExpGetProcessInformation+D26j
					; ExpGetProcessInformation+D3Fj ...
		cmp	[ebp+arg_4], 0
		jnz	loc_91DF3E

loc_812CF3:				; CODE XREF: ExpGetProcessInformation+10B42Aj
		mov	ecx, edi
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		mov	[ebp+var_4A0], eax
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	loc_91DF4F

loc_812D0B:				; CODE XREF: ExpGetProcessInformation+10B437j
		mov	edx, [ebp+var_470]
		mov	ecx, edi
		call	_PsIsProcessInSilo@8 ; PsIsProcessInSilo(x,x)
		test	al, al
		jz	loc_81362F
		mov	ecx, [ebp+var_3CC]
		mov	eax, [ebp+var_42C]
		add	eax, ecx
		mov	[ebp+var_3DC], eax
		mov	[ebp+var_3D4], 220h
		lea	esi, [ecx+220h]
		cmp	esi, ecx
		jb	loc_91DF5C
		mov	[ebp+var_3CC], esi
		xor	ebx, ebx

loc_812D54:				; CODE XREF: ExpGetProcessInformation+10B44Ej
		mov	[ebp+var_3B0], ebx
		test	ebx, ebx
		js	loc_91DF73
		push	68h		; size_t
		push	0		; int
		lea	eax, [ebp+var_544]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	esi, [ebp+var_41C]
		ja	loc_813784
		lea	eax, [ebp+var_544]
		push	eax
		push	[ebp+var_49C]
		mov	edx, edi
		mov	ecx, [ebp+var_3DC]
		call	ExpCopyProcessInfo
		mov	ebx, eax
		mov	[ebp+var_3B0], ebx
		test	ebx, ebx
		js	loc_91DF73
		mov	[ebp+var_4], 1
		mov	ecx, [ebp+var_3DC]
		mov	dword ptr [ecx+4], 0
		mov	dword ptr [ecx], 0
		mov	eax, [ebp+var_4A0]
		mov	[ecx+50h], eax
		mov	dword ptr [ecx+3Ch], 0
		xor	eax, eax
		mov	[ecx+38h], eax
		cmp	edi, ds:_PsIdleProcess
		jz	loc_813B5E

loc_812DE6:				; CODE XREF: ExpGetProcessInformation+1044j
		mov	[ebp+var_4], eax

loc_812DE9:				; CODE XREF: sub_91DFB7+22j
		test	ebx, ebx
		js	loc_91DF73

loc_812DF1:				; CODE XREF: ExpGetProcessInformation+C75j
		mov	eax, [ebp+var_3DC]
		add	eax, 0B8h
		mov	[ebp+var_3C0], eax
		mov	[ebp+var_3D0], eax
		cmp	edi, ds:_PsIdleProcess
		jz	loc_813AAB
		mov	[ebp+var_410], 0
		xor	edi, edi
		mov	[ebp+var_410], edi
		mov	esi, large fs:124h
		mov	[ebp+var_4B8], esi
		mov	ebx, [ebp+var_3C4]
		mov	[ebp+var_3AC], ebx
		xor	eax, eax
		mov	[ebp+var_3B4], eax
		dec	word ptr [esi+13Ch]
		nop
		lea	ecx, [ebx+0E0h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lea	ecx, [ebx+1D0h]
		mov	eax, [ecx]

loc_812E64:				; CODE XREF: ExpGetProcessInformation+10B4CCj
		mov	[ebp+var_3C8], eax
		cmp	eax, ecx
		jz	short loc_812E98
		lea	edi, [eax-2E4h]
		mov	[ebp+var_410], edi
		mov	edx, 6E457350h
		mov	ecx, edi
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	loc_91DFDE
		mov	[ebp+var_3B4], 1

loc_812E98:				; CODE XREF: ExpGetProcessInformation+34Cj
		add	ebx, 0E0h
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	loc_813CB9

loc_812EB2:				; CODE XREF: ExpGetProcessInformation+11A0j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		cmp	[ebp+var_3B4], 0
		jz	loc_813CFD

loc_812ECD:				; CODE XREF: ExpGetProcessInformation+11E5j
		mov	ebx, [ebp+var_3B0]
		mov	eax, [ebp+var_3D0]
		mov	[ebp+var_3C0], eax

loc_812EDF:				; CODE XREF: ExpGetProcessInformation+674j
					; ExpGetProcessInformation+D71j ...
		mov	[ebp+var_3BC], edi
		test	edi, edi
		jz	loc_8131C0
		mov	eax, [edi+4]
		mov	[ebp+var_4AC], eax
		test	al, al
		jnz	loc_81309D
		mov	esi, [ebp+var_404]
		add	esi, [ebp+var_3CC]
		cmp	esi, [ebp+var_3CC]
		jb	loc_91DFF8
		mov	[ebp+var_3CC], esi
		xor	ebx, ebx

loc_812F1E:				; CODE XREF: ExpGetProcessInformation+10B4EAj
		mov	[ebp+var_3B0], ebx
		test	ebx, ebx
		js	loc_91E00F
		mov	eax, [ebp+var_404]
		add	[ebp+var_3D4], eax
		cmp	esi, [ebp+var_41C]
		ja	loc_813199
		lea	edx, [ebp+var_4DC]
		mov	ecx, edi
		call	KeQueryValuesThread
		mov	cl, [ebp+var_4D4]
		cmp	cl, 4
		jz	loc_91E01A
		mov	[ebp+var_4], 2
		mov	eax, [ebp+var_4DC]
		mov	esi, [ebp+var_3C0]
		mov	[esi+18h], eax
		movzx	eax, cl
		mov	[esi+34h], eax
		movzx	eax, [ebp+var_4D3]
		mov	[esi+38h], eax
		movsx	eax, [ebp+var_4D2]
		mov	[esi+28h], eax
		movsx	eax, [ebp+var_4D1]
		mov	[esi+2Ch], eax
		mov	eax, ds:_KeMaximumIncrement
		mul	dword ptr [edi+194h]
		mov	[esi], eax
		mov	[esi+4], edx
		mov	eax, ds:_KeMaximumIncrement
		mul	dword ptr [edi+1C0h]
		mov	[esi+8], eax
		mov	[esi+0Ch], edx
		mov	eax, [edi+280h]
		mov	ecx, [edi+284h]
		mov	[esi+10h], eax
		mov	[esi+14h], ecx
		mov	eax, [edi+8Ch]
		mov	[esi+30h], eax
		mov	eax, [edi+2ACh]
		mov	ecx, [edi+2B0h]
		mov	[esi+20h], eax
		mov	[esi+24h], ecx
		test	dword ptr [edi+58h], 400h
		jnz	loc_8131B5
		mov	eax, [edi+304h]
		test	al, 8
		jnz	loc_813772
		mov	eax, [ebp+var_3BC]
		mov	ecx, [eax+298h]
		mov	[ebp+var_444], 0
		xor	edx, edx
		lea	eax, [ebp+var_444]
		lock or	[eax], edx
		mov	eax, [edi+304h]
		test	al, 8
		jnz	loc_813772

loc_813032:				; CODE XREF: ExpGetProcessInformation+C54j
		mov	eax, [ebp+var_3C4]
		mov	[ebp+var_3AC], eax
		mov	ebx, [ebp+var_3B0]
		mov	edi, [ebp+var_3BC]
		mov	esi, [ebp+var_3D0]

loc_813050:				; CODE XREF: ExpGetProcessInformation+69Bj
		mov	[ebp+var_434], ecx
		cmp	[ebp+var_3B5], 0
		jnz	loc_813D4D

loc_813063:				; CODE XREF: ExpGetProcessInformation+1233j
		mov	[esi+1Ch], ecx

loc_813066:				; CODE XREF: ExpGetProcessInformation+1240j
		cmp	[ebp+var_430], 5
		jnz	loc_8137BC

loc_813073:				; CODE XREF: ExpGetProcessInformation+D06j
		mov	eax, [ebp+var_3DC]
		inc	dword ptr [eax+4]
		mov	[ebp+var_4], 0

loc_813083:				; CODE XREF: sub_91E097+2Ej
		test	ebx, ebx
		js	loc_91E00F
		add	esi, [ebp+var_404]
		mov	[ebp+var_3C0], esi
		mov	[ebp+var_3D0], esi

loc_81309D:				; CODE XREF: ExpGetProcessInformation+3D8j
					; ExpGetProcessInformation+68Aj ...
		mov	eax, [ebp+var_3AC]
		cmp	eax, ds:_PsIdleProcess
		jz	loc_813875
		mov	[ebp+var_420], 0
		xor	edi, edi
		mov	[ebp+var_420], edi
		mov	esi, large fs:124h
		mov	[ebp+var_4B0], esi
		mov	ebx, [ebp+var_3C4]
		mov	[ebp+var_3AC], ebx
		xor	eax, eax
		mov	[ebp+var_3B4], eax
		dec	word ptr [esi+13Ch]
		nop
		lea	ecx, [ebx+0E0h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_3BC]
		mov	eax, [eax+2E4h]

loc_813103:				; CODE XREF: ExpGetProcessInformation+126Bj
		mov	[ebp+var_3C8], eax
		lea	ecx, [ebx+1D0h]
		cmp	eax, ecx
		jz	short loc_81313D
		lea	edi, [eax-2E4h]
		mov	[ebp+var_420], edi
		mov	edx, 6E457350h
		mov	ecx, edi
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	loc_813D83
		mov	[ebp+var_3B4], 1

loc_81313D:				; CODE XREF: ExpGetProcessInformation+5F1j
		add	ebx, 0E0h
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	loc_8138A2

loc_813157:				; CODE XREF: ExpGetProcessInformation+D89j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	edx, 6E457350h
		mov	ecx, [ebp+var_3BC]
		call	ObfDereferenceObjectWithTag
		cmp	[ebp+var_3B4], 0
		jz	loc_813765

loc_813182:				; CODE XREF: ExpGetProcessInformation+C4Dj
		mov	ebx, [ebp+var_3B0]
		mov	eax, [ebp+var_3D0]
		mov	[ebp+var_3C0], eax
		jmp	loc_812EDF
; 

loc_813199:				; CODE XREF: ExpGetProcessInformation+41Ej
		mov	[ebp+var_3A8], 0C0000004h
		cmp	[ebp+var_3E0], 0
		jnz	loc_81309D
		jmp	loc_813B14
; 

loc_8131B5:				; CODE XREF: ExpGetProcessInformation+4CFj
		mov	ecx, [edi+2DCh]
		jmp	loc_813050
; 

loc_8131C0:				; CODE XREF: ExpGetProcessInformation+3C7j
		mov	eax, [ebp+var_3C0]
		mov	ecx, eax
		mov	[ebp+var_3B4], ecx
		mov	[ebp+var_408], ecx
		add	eax, 168h
		mov	[ebp+var_3C0], eax
		mov	[ebp+var_3D0], eax
		cmp	[ebp+var_3A8], 0
		jl	loc_813779
		mov	ebx, [ebp+var_3AC]
		push	ebx
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		push	offset _PspSysAppIdClaim
		push	esi
		call	SeSecurityAttributePresent
		mov	[ebp+var_3D5], al
		lea	ecx, [ebx+12Ch]
		mov	edx, esi
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	[ebp+var_4], 3
		mov	eax, [ebp+var_3B4]
		mov	dword ptr [eax+34h], 0
		mov	dword ptr [eax+38h], 0
		mov	dword ptr [eax+150h], 0
		mov	eax, [ebx+418h]
		shl	eax, 0Ch
		mov	ebx, [ebp+var_408]
		mov	[ebx+154h], eax
		mov	eax, [ebp+var_524]
		mov	[ebx+28h], eax
		mov	eax, [ebp+var_520]
		mov	[ebx+2Ch], eax
		mov	dword ptr [ebx+30h], 0
		cmp	[ebp+var_3D5], 0
		jnz	loc_813896

loc_81327E:				; CODE XREF: ExpGetProcessInformation+D7Dj
		mov	edx, [ebp+var_3C4]
		mov	[ebp+var_3C8], edx
		mov	esi, [edx+3D0h]
		mov	ecx, 0Ah
		mov	edi, ebx
		test	esi, esi
		jz	loc_813B69
		rep movsd

loc_8132A1:				; CODE XREF: ExpGetProcessInformation+104Dj
		test	dword ptr [edx+3A8h], 1000h
		jnz	loc_813B72
		mov	ecx, edx
		call	_SmIsCompressionProcess@4 ; SmIsCompressionProcess(x)
		test	eax, eax
		jnz	loc_813B92
		mov	eax, dword_6CDE84
		test	eax, eax
		jz	short loc_8132D1
		cmp	edx, eax
		jz	loc_813B80

loc_8132D1:				; CODE XREF: ExpGetProcessInformation+7A7j
		xor	cl, cl

loc_8132D3:				; CODE XREF: ExpGetProcessInformation+1062j
		mov	[ebp+var_3D6], cl
		mov	eax, [ebx+30h]
		test	cl, cl
		jnz	loc_813B87
		and	eax, 0FFFFFFE1h

loc_8132E7:				; CODE XREF: ExpGetProcessInformation+105Bj
					; ExpGetProcessInformation+106Dj ...
		mov	[ebx+30h], eax
		mov	eax, [edx+3E8h]
		mov	ecx, [edx+3ECh]
		mov	[ebx+160h], eax
		mov	[ebx+164h], ecx
		lea	edx, [ebp+var_3A4]
		mov	ecx, [ebp+var_3C8]
		call	_PsQueryProcessEnergyValues@8 ;	PsQueryProcessEnergyValues(x,x)
		lea	edi, [ebx+40h]
		mov	ecx, 44h
		lea	esi, [ebp+var_3A4]
		rep movsd
		mov	eax, [ebp+var_3C8]
		cmp	dword ptr [eax+158h], 0
		mov	ecx, [ebp+var_3B4]
		jnz	loc_81382B
		mov	dword ptr [ecx+158h], 0

loc_813346:				; CODE XREF: ExpGetProcessInformation+D1Dj
		mov	esi, [ebp+var_3C4]
		mov	[ebp+var_3AC], esi
		cmp	dword ptr [esi+0ACh], 0
		jnz	loc_91E0DF
		cmp	ds:_KeHeteroSystem, 0
		jnz	loc_91E0CA

loc_81336C:				; CODE XREF: ExpGetProcessInformation+10B5B9j
					; ExpGetProcessInformation+10B5C3j
		mov	[ebp+var_4], 0
		mov	ebx, [ebp+var_3B0]

loc_813379:				; CODE XREF: sub_91E121+22j
		test	ebx, ebx
		js	loc_91DF73
		mov	eax, [ebp+var_408]
		mov	[ebp+var_3B4], eax
		mov	edi, [ebp+var_3BC]
		mov	eax, [ebp+var_3D0]
		mov	[ebp+var_3C0], eax

loc_81339F:				; CODE XREF: ExpGetProcessInformation+C5Fj
		cmp	[ebp+arg_8], 94h
		jz	loc_8138AE

loc_8133AC:				; CODE XREF: ExpGetProcessInformation+EDEj
					; ExpGetProcessInformation+F86j ...
		cmp	esi, ds:_PsIdleProcess
		jz	loc_8135FC
		cmp	esi, ds:_PsInitialSystemProcess
		jz	loc_813B4A
		mov	ecx, esi
		call	_SmIsCompressionProcess@4 ; SmIsCompressionProcess(x)
		test	eax, eax
		jnz	loc_813B54
		mov	eax, 0C0000225h
		cmp	dword ptr [esi+3D4h], 0
		jnz	loc_91E2AA

loc_8133E5:				; CODE XREF: ExpGetProcessInformation+10B792j
		mov	ebx, [esi+1C0h]
		test	ebx, ebx
		jz	short loc_813448
		movzx	eax, word ptr [ebx+2]
		add	eax, 8
		push	6E497350h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_3C8], eax
		test	eax, eax
		jz	loc_91E2C7
		mov	ecx, [ebx]
		mov	edx, [ebx+4]
		mov	[eax], ecx
		mov	[eax+4], edx
		test	edx, edx
		jz	short loc_813440
		lea	ecx, [eax+8]
		mov	[eax+4], ecx
		movzx	eax, word ptr [ebx+2]
		push	eax		; size_t
		mov	eax, [ebx+4]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_3C8]

loc_813440:				; CODE XREF: ExpGetProcessInformation+900j
		mov	[ebp+var_3FC], eax
		xor	eax, eax

loc_813448:				; CODE XREF: ExpGetProcessInformation+8CDj
					; ExpGetProcessInformation+10B7A2j ...
		mov	[ebp+var_3B0], eax
		test	eax, eax
		js	loc_91E2D1
		mov	edx, [ebp+var_3FC]

loc_81345C:				; CODE XREF: ExpGetProcessInformation+102Fj
					; ExpGetProcessInformation+1039j ...
		mov	[ebp+var_414], edx
		movzx	ebx, word ptr [edx]
		mov	[ebp+var_3C8], ebx
		mov	[ebp+var_3F4], ebx
		mov	esi, [ebp+var_3C0]
		mov	eax, esi
		mov	[ebp+var_3B4], eax
		mov	[ebp+var_428], eax
		mov	[ebp+var_400], ebx
		mov	eax, [edx+4]
		mov	[ebp+var_3C0], eax
		mov	ecx, eax
		mov	[ebp+var_418], ecx
		cmp	[ebp+arg_8], 94h
		jz	short loc_8134EC
		test	ebx, ebx
		jz	short loc_8134EC
		mov	eax, ebx
		shr	eax, 1
		lea	ecx, [ecx+eax*2]
		mov	[ebp+var_418], ecx

loc_8134B6:				; CODE XREF: ExpGetProcessInformation+9A8j
		cmp	ecx, [edx+4]
		jz	short loc_8134D3
		sub	ecx, 2
		mov	[ebp+var_418], ecx
		cmp	word ptr [ecx],	5Ch
		jnz	short loc_8134B6
		add	ecx, 2
		mov	[ebp+var_418], ecx

loc_8134D3:				; CODE XREF: ExpGetProcessInformation+999j
		mov	eax, ecx
		sub	eax, [ebp+var_3C0]
		and	eax, 0FFFFFFFEh
		sub	ebx, eax
		mov	[ebp+var_3C8], ebx
		mov	[ebp+var_400], ebx

loc_8134EC:				; CODE XREF: ExpGetProcessInformation+983j
					; ExpGetProcessInformation+987j
		lea	eax, [ebx+9]
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_3C0], eax
		mov	[ebp+var_3F4], eax
		mov	edx, [ebp+var_3CC]
		lea	ebx, [eax+edx]
		mov	[ebp+var_498], ebx
		cmp	ebx, edx
		jb	loc_91E2DC
		mov	[ebp+var_3CC], ebx
		xor	ebx, ebx
		mov	edx, [ebp+var_498]

loc_813523:				; CODE XREF: ExpGetProcessInformation+10B7CEj
		mov	[ebp+var_3B0], ebx
		test	ebx, ebx
		js	loc_91E00F
		add	[ebp+var_3D4], eax
		cmp	edx, [ebp+var_41C]
		ja	loc_8137A0
		mov	[ebp+var_4], 7
		mov	eax, [ebp+var_3C8]
		test	eax, eax
		jz	loc_91E2F3
		push	eax		; size_t
		push	ecx		; void *
		mov	eax, [ebp+var_3B4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_3C8]
		shr	eax, 1
		mov	ecx, [ebp+var_3B4]
		lea	ecx, [ecx+eax*2]
		mov	[ebp+var_428], ecx

loc_813580:				; CODE XREF: ExpGetProcessInformation+10B7D9j
		xor	eax, eax
		mov	[ecx], ax
		add	ecx, 2
		mov	[ebp+var_3B4], ecx
		mov	[ebp+var_428], ecx
		mov	[ebp+var_4], eax

loc_813597:				; CODE XREF: sub_91E337+46j
		test	ebx, ebx
		js	loc_91E00F

loc_81359F:				; CODE XREF: ExpGetProcessInformation+C91j
		mov	eax, [ebp+var_3FC]
		test	eax, eax
		jz	short loc_8135BB
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_3FC], 0

loc_8135BB:				; CODE XREF: ExpGetProcessInformation+A87j
		cmp	[ebp+var_3A8], 0
		jl	short loc_813629
		mov	[ebp+var_4], 8
		mov	eax, [ebp+var_3B4]
		sub	eax, esi
		sub	eax, 2
		mov	ecx, [ebp+var_3DC]
		mov	[ecx+38h], ax
		mov	eax, [ebp+var_3C0]
		mov	[ecx+3Ah], ax
		mov	[ecx+3Ch], esi
		mov	[ebp+var_4], 0

loc_8135F4:				; CODE XREF: sub_91E3BB+28j
		test	ebx, ebx
		js	loc_91E00F

loc_8135FC:				; CODE XREF: ExpGetProcessInformation+892j
		cmp	[ebp+var_3A8], 0
		jl	short loc_813629
		mov	[ebp+var_4], 9
		mov	ecx, [ebp+var_3D4]
		mov	eax, [ebp+var_3DC]
		mov	[eax], ecx
		mov	[ebp+var_4], 0

loc_813621:				; CODE XREF: sub_91E421+28j
		test	ebx, ebx
		js	loc_91E00F

loc_813629:				; CODE XREF: ExpGetProcessInformation+AA2j
					; ExpGetProcessInformation+AE3j
		mov	edi, [ebp+var_3AC]

loc_81362F:				; CODE XREF: ExpGetProcessInformation+1FAj
					; ExpGetProcessInformation+10B431j
		mov	ecx, offset _PspActiveProcessLock

loc_813634:				; CODE XREF: ExpGetProcessInformation+D4Aj
		cmp	edi, ds:_PsIdleProcess
		jz	loc_813AC4

loc_813640:				; CODE XREF: ExpGetProcessInformation+FA6j
		mov	esi, edi
		mov	[ebp+var_48C], esi
		mov	[ebp+var_438], 0

loc_813652:				; CODE XREF: ExpGetProcessInformation+1214j
					; ExpGetProcessInformation+127Fj
		mov	[ebp+var_424], 0
		xor	edi, edi
		mov	[ebp+var_3AC], edi
		mov	[ebp+var_424], edi
		mov	ebx, large fs:124h
		mov	[ebp+var_4A8], ebx
		xor	eax, eax
		mov	[ebp+var_3B4], eax
		dec	word ptr [ebx+13Eh]
		nop
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		test	esi, esi
		jz	loc_813ACB
		mov	eax, [esi+0E8h]

loc_81369C:				; CODE XREF: ExpGetProcessInformation+FB0j
					; ExpGetProcessInformation+10B936j
		mov	[ebp+var_3C8], eax
		cmp	eax, offset _PsActiveProcessHead
		jz	short loc_8136D9
		lea	edi, [eax-0E8h]
		mov	[ebp+var_3AC], edi
		mov	[ebp+var_424], edi
		mov	edx, 6E457350h
		mov	ecx, edi
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	loc_91E44E
		mov	[ebp+var_3B4], 1

loc_8136D9:				; CODE XREF: ExpGetProcessInformation+B87j
		xor	ecx, ecx
		mov	eax, 11h
		mov	edx, offset _PspActiveProcessLock
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	loc_813CA8

loc_8136F2:				; CODE XREF: ExpGetProcessInformation+1194j
		mov	ecx, edx
		call	KeAbPostRelease
		nop
		add	word ptr [ebx+13Eh], 1
		jnz	short loc_813710
		nop
		lea	eax, [ebx+70h]
		cmp	[eax], eax
		jnz	loc_813D90

loc_813710:				; CODE XREF: ExpGetProcessInformation+BE2j
					; ExpGetProcessInformation+1275j
		test	esi, esi
		jz	short loc_813720
		mov	edx, 6E457350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_813720:				; CODE XREF: ExpGetProcessInformation+BF2j
		cmp	[ebp+var_3B4], 0
		jz	loc_813AD5

loc_81372D:				; CODE XREF: ExpGetProcessInformation+FC3j
		mov	esi, edi
		mov	[ebp+var_48C], esi
		test	edi, edi
		jz	loc_813AE8
		test	dword ptr [edi+0FCh], 4000000h
		jz	loc_813D9A
		cmp	[ebp+var_3B5], 0
		jnz	loc_813D0A

loc_81375A:				; CODE XREF: ExpGetProcessInformation+1252j
		mov	[ebp+var_3C4], edi
		jmp	loc_812CCF
; 

loc_813765:				; CODE XREF: ExpGetProcessInformation+65Cj
		xor	edi, edi
		mov	[ebp+var_420], edi
		jmp	loc_813182
; 

loc_813772:				; CODE XREF: ExpGetProcessInformation+4DDj
					; ExpGetProcessInformation+50Cj
		xor	ecx, ecx
		jmp	loc_813032
; 

loc_813779:				; CODE XREF: ExpGetProcessInformation+6CCj
		mov	esi, [ebp+var_3AC]
		jmp	loc_81339F
; 

loc_813784:				; CODE XREF: ExpGetProcessInformation+25Bj
		mov	[ebp+var_3A8], 0C0000004h
		cmp	[ebp+var_3E0], 0
		jnz	loc_812DF1
		jmp	loc_813B0E
; 

loc_8137A0:				; CODE XREF: ExpGetProcessInformation+A1Dj
		mov	[ebp+var_3A8], 0C0000004h
		cmp	[ebp+var_3E0], 0
		jnz	loc_81359F
		jmp	loc_813B14
; 

loc_8137BC:				; CODE XREF: ExpGetProcessInformation+54Dj
		cmp	[ebp+var_3B5], 0
		jnz	loc_91E033
		mov	eax, [edi+28h]
		mov	[esi+40h], eax
		mov	eax, [edi+24h]
		mov	[esi+44h], eax
		mov	eax, [ebp+var_3C4]
		mov	[ebp+var_3AC], eax
		mov	ebx, [ebp+var_3B0]
		mov	edi, [ebp+var_3BC]
		mov	esi, [ebp+var_3D0]

loc_8137F3:				; CODE XREF: ExpGetProcessInformation+10B521j
		mov	eax, [edi+2DCh]
		mov	[ebp+var_434], eax
		jnz	loc_91E046

loc_813805:				; CODE XREF: ExpGetProcessInformation+10B52Cj
		mov	[esi+48h], eax

loc_813808:				; CODE XREF: ExpGetProcessInformation+10B539j
		mov	eax, [edi+0A8h]
		mov	[esi+4Ch], eax
		mov	dword ptr [esi+50h], 0
		mov	dword ptr [esi+54h], 0
		mov	dword ptr [esi+58h], 0
		jmp	loc_813073
; 

loc_81382B:				; CODE XREF: ExpGetProcessInformation+816j
		mov	eax, [eax+158h]
		mov	eax, [eax+2D4h]
		mov	[ecx+158h], eax
		jmp	loc_813346
; 

loc_813842:				; CODE XREF: ExpGetProcessInformation+1C3j
		cmp	dword ptr [edi+4], 0
		jz	loc_812CE9
		cmp	dword ptr [edi+1D8h], 0
		mov	edi, [ebp+var_3C4]
		mov	[ebp+var_3AC], edi
		jnz	loc_812CE9
		lea	eax, [edi+2Ch]
		cmp	[eax], eax
		jz	loc_813634
		jmp	loc_812CE9
; 

loc_813875:				; CODE XREF: ExpGetProcessInformation+589j
		mov	edi, [edi+1D4h]
		add	eax, 2Ch
		cmp	edi, eax
		jz	loc_813ABD

loc_813886:				; CODE XREF: ExpGetProcessInformation+F92j
		add	edi, 0FFFFFE2Ch
		call	KeSynchronizeWithDynamicProcessors
		jmp	loc_812EDF
; 

loc_813896:				; CODE XREF: ExpGetProcessInformation+758j
		mov	dword ptr [ebx+30h], 1
		jmp	loc_81327E
; 

loc_8138A2:				; CODE XREF: ExpGetProcessInformation+631j
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_813157
; 

loc_8138AE:				; CODE XREF: ExpGetProcessInformation+886j
		push	esi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	ebx, eax
		mov	[ebp+var_4B4], ebx
		lea	eax, [ebp+var_400]
		push	eax
		push	44h
		lea	edx, [ebp+var_1F4]
		mov	ecx, ebx
		call	_SeQueryUserSidToken@16	; SeQueryUserSidToken(x,x,x,x)
		mov	[ebp+var_3EC], 0FEh
		mov	[ebp+var_3F0], 82h
		push	0
		lea	eax, [ebp+var_3F0]
		push	eax
		lea	eax, [ebp+var_AC]
		push	eax
		lea	eax, [ebp+var_3EC]
		push	eax
		lea	eax, [ebp+var_1AC]
		push	eax
		push	ebx
		call	_RtlQueryPackageIdentity@24 ; RtlQueryPackageIdentity(x,x,x,x,x,x)
		mov	[ebp+var_3B0], eax
		test	eax, eax
		jns	short loc_813928
		mov	[ebp+var_3EC], 0
		mov	[ebp+var_3F0], 0

loc_813928:				; CODE XREF: ExpGetProcessInformation+DF2j
		lea	ecx, [esi+12Ch]
		mov	edx, ebx
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	eax, [ebp+var_400]
		add	eax, 7
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_3C8], eax
		mov	[ebp+var_3F4], eax
		lea	ecx, [ebp+var_3CC]
		push	ecx
		mov	edx, eax
		mov	ecx, [ebp+var_3CC]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_3B0], ebx
		test	ebx, ebx
		js	loc_91E00F
		mov	eax, [ebp+var_3C8]
		add	[ebp+var_3D4], eax
		mov	eax, [ebp+var_3CC]
		cmp	eax, [ebp+var_40C]
		ja	loc_813BD5
		mov	[ebp+var_4], 4
		mov	ecx, [ebp+var_3B4]
		mov	dword ptr [ecx+34h], 168h
		push	[ebp+var_400]	; size_t
		lea	eax, [ebp+var_1F4]
		push	eax		; void *
		mov	ecx, [ebp+var_3C0]
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0
		mov	eax, [ebp+var_3C0]
		mov	edx, [ebp+var_3C8]

loc_8139D2:				; CODE XREF: sub_91E181+40j
		test	ebx, ebx
		js	loc_91E00F
		add	eax, edx
		mov	[ebp+var_3C0], eax
		mov	[ebp+var_3D0], eax

loc_8139E8:				; CODE XREF: ExpGetProcessInformation+10C6j
		mov	eax, [ebp+var_3EC]
		test	eax, eax
		jnz	loc_813C08

loc_8139F6:				; CODE XREF: ExpGetProcessInformation+1183j
					; ExpGetProcessInformation+11B6j
		mov	eax, [ebp+var_3F0]
		test	eax, eax
		jz	loc_8133AC
		mov	[ebp+var_3F4], eax
		lea	ecx, [ebp+var_3CC]
		push	ecx
		mov	edx, eax
		mov	ecx, [ebp+var_3CC]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_3B0], ebx
		test	ebx, ebx
		js	loc_91E00F
		mov	ecx, [ebp+var_3F0]
		add	[ebp+var_3D4], ecx
		mov	eax, [ebp+var_3CC]
		cmp	eax, [ebp+var_40C]
		ja	loc_813CE1
		mov	[ebp+var_4], 6
		mov	ecx, [ebp+var_3C0]
		mov	eax, ecx
		mov	edx, [ebp+var_3B4]
		sub	eax, edx
		mov	[edx+150h], eax
		push	[ebp+var_3F0]	; size_t
		lea	eax, [ebp+var_AC]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0
		mov	eax, [ebp+var_3C0]

loc_813A8C:				; CODE XREF: PAGE:0091E2A5j
		test	ebx, ebx
		js	loc_91E00F
		add	eax, [ebp+var_3F0]
		mov	[ebp+var_3C0], eax
		mov	[ebp+var_3D0], eax
		jmp	loc_8133AC
; 

loc_813AAB:				; CODE XREF: ExpGetProcessInformation+2EEj
		lea	eax, [edi+2Ch]
		mov	edi, [eax]
		cmp	edi, eax
		jnz	loc_813886
		jmp	loc_91DFF1
; 

loc_813ABD:				; CODE XREF: ExpGetProcessInformation+D60j
		xor	edi, edi
		jmp	loc_812EDF
; 

loc_813AC4:				; CODE XREF: ExpGetProcessInformation+B1Aj
					; ExpGetProcessInformation+10B424j
		xor	edi, edi
		jmp	loc_813640
; 

loc_813ACB:				; CODE XREF: ExpGetProcessInformation+B70j
		mov	eax, _PsActiveProcessHead
		jmp	loc_81369C
; 

loc_813AD5:				; CODE XREF: ExpGetProcessInformation+C07j
		xor	edi, edi
		mov	[ebp+var_3AC], edi
		mov	[ebp+var_424], edi
		jmp	loc_81372D
; 

loc_813AE8:				; CODE XREF: ExpGetProcessInformation+C17j
		xor	edi, edi
		jmp	loc_812CC3
; 

loc_813AEF:				; CODE XREF: ExpGetProcessInformation+1B6j
		cmp	[ebp+var_3A8], 0
		jge	loc_813BA0

loc_813AFC:				; CODE XREF: ExpGetProcessInformation+1088j
					; ExpGetProcessInformation+10AAj
		mov	esi, [ebp+var_3E0]
		test	esi, esi
		jz	short loc_813B0E
		mov	eax, [ebp+var_3CC]
		mov	[esi], eax

loc_813B0E:				; CODE XREF: ExpGetProcessInformation+C7Bj
					; ExpGetProcessInformation+FE4j ...
		mov	edi, [ebp+var_3BC]

loc_813B14:				; CODE XREF: ExpGetProcessInformation+690j
					; ExpGetProcessInformation+C97j ...
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_3AC]
		call	sub_813DA4
		mov	eax, [ebp+var_3A8]

loc_813B2C:				; CODE XREF: ExpGetProcessInformation+1228j
					; ExpGetProcessInformation+10B419j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_20]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_813B4A:				; CODE XREF: ExpGetProcessInformation+89Ej
		mov	edx, offset _ExpSystemProcessName
		jmp	loc_81345C
; 

loc_813B54:				; CODE XREF: ExpGetProcessInformation+8ADj
		mov	edx, offset _ExpCompressionProcessName
		jmp	loc_81345C
; 

loc_813B5E:				; CODE XREF: ExpGetProcessInformation+2C0j
		mov	[ecx+4Ch], eax
		mov	[ecx+50h], eax
		jmp	loc_812DE6
; 

loc_813B69:				; CODE XREF: ExpGetProcessInformation+779j
		xor	eax, eax
		rep stosd
		jmp	loc_8132A1
; 

loc_813B72:				; CODE XREF: ExpGetProcessInformation+78Bj
		mov	eax, [ebx+30h]
		and	eax, 0FFFFFFE3h
		or	eax, 2
		jmp	loc_8132E7
; 

loc_813B80:				; CODE XREF: ExpGetProcessInformation+7ABj
		mov	cl, 1
		jmp	loc_8132D3
; 

loc_813B87:				; CODE XREF: ExpGetProcessInformation+7BEj
		and	eax, 0FFFFFFE9h
		or	eax, 8
		jmp	loc_8132E7
; 

loc_813B92:				; CODE XREF: ExpGetProcessInformation+79Aj
		mov	eax, [ebx+30h]
		and	eax, 0FFFFFFE7h
		or	eax, 6
		jmp	loc_8132E7
; 

loc_813BA0:				; CODE XREF: ExpGetProcessInformation+FD6j
		mov	eax, [ebp+var_3DC]
		test	eax, eax
		jz	loc_813AFC
		mov	[ebp+var_4], 0Ah
		mov	dword ptr [eax], 0
		mov	[ebp+var_4], 0

loc_813BC2:				; CODE XREF: sub_91E494+22j
		mov	eax, [ebp+var_3B0]
		test	eax, eax
		jns	loc_813AFC
		jmp	loc_91E4BB
; 

loc_813BD5:				; CODE XREF: ExpGetProcessInformation+E69j
		mov	[ebp+var_3A8], 0C0000004h
		cmp	[ebp+var_3E0], 0
		jnz	loc_8139E8
		jmp	loc_813B14
; 

loc_813BF1:				; CODE XREF: ExpGetProcessInformation+13Bj
		mov	[ebp+var_3A8], 0C0000004h
		test	esi, esi
		jnz	loc_812C61
		jmp	loc_91DF34
; 

loc_813C08:				; CODE XREF: ExpGetProcessInformation+ED0j
		mov	[ebp+var_3F4], eax
		lea	ecx, [ebp+var_3CC]
		push	ecx
		mov	edx, eax
		mov	ecx, [ebp+var_3CC]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_3B0], ebx
		test	ebx, ebx
		js	loc_91E00F
		mov	ecx, [ebp+var_3EC]
		add	[ebp+var_3D4], ecx
		mov	eax, [ebp+var_3CC]
		cmp	eax, [ebp+var_40C]
		ja	short loc_813CC5
		mov	[ebp+var_4], 5
		mov	ecx, [ebp+var_3C0]
		mov	eax, ecx
		mov	edx, [ebp+var_3B4]
		sub	eax, edx
		mov	[edx+38h], eax
		push	[ebp+var_3EC]	; size_t
		lea	eax, [ebp+var_1AC]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0
		mov	eax, [ebp+var_3C0]

loc_813C89:				; CODE XREF: sub_91E1FF+3Aj
		test	ebx, ebx
		js	loc_91E00F
		add	eax, [ebp+var_3EC]
		mov	[ebp+var_3C0], eax
		mov	[ebp+var_3D0], eax
		jmp	loc_8139F6
; 

loc_813CA8:				; CODE XREF: ExpGetProcessInformation+BCCj
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, offset _PspActiveProcessLock
		jmp	loc_8136F2
; 

loc_813CB9:				; CODE XREF: ExpGetProcessInformation+38Cj
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_812EB2
; 

loc_813CC5:				; CODE XREF: ExpGetProcessInformation+112Aj
		mov	[ebp+var_3A8], 0C0000004h
		cmp	[ebp+var_3E0], 0
		jnz	loc_8139F6
		jmp	loc_813B14
; 

loc_813CE1:				; CODE XREF: ExpGetProcessInformation+F26j
		mov	[ebp+var_3A8], 0C0000004h
		cmp	[ebp+var_3E0], 0
		jnz	loc_8133AC
		jmp	loc_813B14
; 

loc_813CFD:				; CODE XREF: ExpGetProcessInformation+3A7j
		xor	edi, edi
		mov	[ebp+var_410], edi
		jmp	loc_812ECD
; 

loc_813D0A:				; CODE XREF: ExpGetProcessInformation+C34j
		lea	eax, [ebp+var_438]
		push	eax
		push	1
		mov	eax, ds:_PsProcessType
		push	eax
		push	400h
		push	0
		push	200h
		push	edi
		call	ObOpenObjectByPointer
		test	eax, eax
		jns	short loc_813D65
		mov	ecx, offset _PspActiveProcessLock
		jmp	loc_813652
; 

loc_813D39:				; CODE XREF: ExpGetProcessInformation+15Bj
		mov	cl, bl
		call	ExCheckFullProcessInformationAccess
		test	eax, eax
		jns	loc_812C81
		jmp	loc_813B2C
; 

loc_813D4D:				; CODE XREF: ExpGetProcessInformation+53Dj
		cmp	ecx, ds:_MmHighestUserAddress
		jbe	loc_813063
		mov	dword ptr [esi+1Ch], 0
		jmp	loc_813066
; 

loc_813D65:				; CODE XREF: ExpGetProcessInformation+120Dj
		push	0
		push	[ebp+var_438]
		call	ObCloseHandle
		jmp	loc_81375A
; 

loc_813D77:				; CODE XREF: ExpGetProcessInformation+16Aj
		mov	[ebp+var_3B5], 1
		jmp	loc_812C90
; 

loc_813D83:				; CODE XREF: ExpGetProcessInformation+60Dj
		mov	eax, [ebp+var_3C8]
		mov	eax, [eax]
		jmp	loc_813103
; 

loc_813D90:				; CODE XREF: ExpGetProcessInformation+BEAj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_813710
; 

loc_813D9A:				; CODE XREF: ExpGetProcessInformation+C27j
		mov	ecx, offset _PspActiveProcessLock
		jmp	loc_813652
ExpGetProcessInformation endp


;  S U B	R O U T	I N E 


sub_813DA4	proc near		; CODE XREF: ExpGetProcessInformation+1001p
					; sub_91E4C6+Cj

; FUNCTION CHUNK AT 0091E4D7 SIZE 0000004D BYTES

		test	eax, eax
		jnz	loc_91E4D7

loc_813DAC:				; CODE XREF: sub_813DA4+10A739j
					; sub_813DA4+10A74Bj
		test	edi, edi
		jnz	loc_91E4F4

loc_813DB4:				; CODE XREF: sub_813DA4+10A75Cj
					; sub_813DA4+10A76Ej
		mov	eax, [ebp-3FCh]
		test	eax, eax
		jnz	loc_91E517

locret_813DC2:				; CODE XREF: sub_813DA4+10A77Bj
		retn
sub_813DA4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpUnlockKcb(x)
_CmpUnlockKcb@4	proc near		; CODE XREF: CmpRemoveHiveFromNamespace(x,x,x)+81p
					; CmpRemoveHiveFromNamespace(x,x,x)+88p ...
		mov	eax, large fs:124h
		push	esi
		mov	esi, ecx
		push	edi
		lea	ecx, [esi+1Ch]
		mov	edi, [esi+4]
		and	edi, 80000h
		cmp	[ecx], eax
		jz	short loc_813DFE
		lock dec dword ptr [ecx]
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExReleasePushLockEx
		test	edi, edi
		jnz	short loc_813E13

loc_813DFB:				; CODE XREF: CmpUnlockKcb(x)+41j
					; CmpUnlockKcb(x)+4Aj
		pop	edi
		pop	esi
		retn
; 

loc_813DFE:				; CODE XREF: CmpUnlockKcb(x)+18j
		lea	ecx, [esi+18h]
		mov	dword ptr [esi+1Ch], 0
		xor	edx, edx
		call	ExReleasePushLockEx
		test	edi, edi
		jz	short loc_813DFB

loc_813E13:				; CODE XREF: CmpUnlockKcb(x)+29j
		test	dword ptr [esi+4], 80000h
		jz	short loc_813DFB
		pop	edi
		mov	ecx, esi
		pop	esi
		jmp	CmpFreeKeyControlBlock
_CmpUnlockKcb@4	endp

; 
		align 10h
; Exported entry 1637. ObReferenceObjectByHandle

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObReferenceObjectByHandle(x, x, x, x, x, x)
		public _ObReferenceObjectByHandle@24
_ObReferenceObjectByHandle@24 proc near	; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+237p
					; .text:0044700Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	746C6644h
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		pop	ebp
		retn	18h
_ObReferenceObjectByHandle@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpReferenceObjectByHandleWithTag proc near
					; CODE XREF: VrpHandleIoctlCreateNamespaceNode+A7p
					; VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+162p	...

var_30		= dword	ptr -30h
var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0091E524 SIZE 00000189 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	esi, ecx
		mov	ecx, [ebp+arg_14]
		mov	[esp+30h+var_14], edx
		mov	[esp+30h+var_8], 0
		mov	ebx, [edi+80h]
		mov	[esp+30h+var_4], 0
		mov	[esp+30h+var_10], ebx
		mov	dword ptr [eax], 0
		mov	[esp+30h+var_1D], 0
		test	ecx, ecx
		jnz	loc_814220

loc_813EAE:				; CODE XREF: ObpReferenceObjectByHandleWithTag+3CDj
		test	esi, esi
		js	loc_81404F
		test	_MmVerifierData, 100h
		jnz	loc_91E5A5

loc_813EC6:				; CODE XREF: ObpReferenceObjectByHandleWithTag+10A749j
					; ObpReferenceObjectByHandleWithTag+10A756j
		dec	word ptr [edi+13Ch]
		nop
		cmp	ebx, [edi+150h]
		jnz	loc_8142E9
		mov	eax, [ebx+0FCh]
		test	eax, 4000000h
		jz	loc_91E6A3
		mov	eax, [ebx+18Ch]

loc_813EF1:				; CODE XREF: ObpReferenceObjectByHandleWithTag+495j
		mov	[esp+30h+var_1C], eax
		test	eax, eax
		jz	loc_91E6A3
		cmp	eax, _ObpKernelHandleTable
		jz	loc_8142E2

loc_813F09:				; CODE XREF: ObpReferenceObjectByHandleWithTag+35Fj
		test	esi, 7FCh
		jz	loc_8142DA
		push	esi
		mov	ecx, eax
		call	ExpLookupHandleTableEntry
		mov	ebx, eax
		mov	[esp+30h+var_18], ebx
		test	ebx, ebx
		jz	loc_8142DA
		mov	ecx, [esp+30h+var_1C]
		lea	eax, [esp+30h+var_8]
		push	eax
		mov	edx, ebx
		call	_ExFastReferenceHandleTableEntry@12 ; ExFastReferenceHandleTableEntry(x,x,x)
		test	eax, eax
		jnz	loc_8140E4
		mov	ebx, [esp+30h+var_8]
		and	ebx, 0FFFFFFF8h

loc_813F4A:				; CODE XREF: ObpReferenceObjectByHandleWithTag+2F9j
					; ObpReferenceObjectByHandleWithTag+304j ...
		cmp	ds:_ObpTraceFlags, 0
		jnz	loc_91E5EA

loc_813F57:				; CODE XREF: ObpReferenceObjectByHandleWithTag+10A798j
		mov	edx, [ebp+arg_0]
		mov	eax, ebx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [ebx+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		test	edx, edx
		jz	loc_8140B7
		movzx	eax, byte ptr [edx+14h]
		cmp	eax, ecx
		jnz	loc_8140B7

loc_813F85:				; CODE XREF: ObpReferenceObjectByHandleWithTag+274j
		mov	ecx, [esp+30h+var_4]
		mov	edx, ecx
		and	edx, 1FFFFFFh
		cmp	[ebp+arg_4], 0
		jz	short loc_813FAC
		mov	eax, edx
		not	eax
		test	[esp+30h+var_14], eax
		jnz	loc_814291
		mov	al, [ebx+0Eh]
		test	al, 40h
		jnz	short loc_814021

loc_813FAC:				; CODE XREF: ObpReferenceObjectByHandleWithTag+135j
					; ObpReferenceObjectByHandleWithTag+1EAj
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jnz	loc_814169
		mov	eax, [esp+30h+var_8]
		and	eax, 6
		test	ecx, 4000000h
		jnz	loc_814281

loc_813FCA:				; CODE XREF: ObpReferenceObjectByHandleWithTag+424j
		test	ecx, 2000000h
		jnz	loc_814271

loc_813FD6:				; CODE XREF: ObpReferenceObjectByHandleWithTag+414j
		test	al, 4
		jnz	loc_91E607

loc_813FDE:				; CODE XREF: ObpReferenceObjectByHandleWithTag+333j
		mov	[esp+30h+var_1E], 0

loc_813FE3:				; CODE XREF: ObpReferenceObjectByHandleWithTag+10A7ACj
		cmp	[ebp+arg_14], 0
		mov	eax, [esp+30h+var_1C]
		jnz	loc_814232

loc_813FF1:				; CODE XREF: ObpReferenceObjectByHandleWithTag+3D6j
					; ObpReferenceObjectByHandleWithTag+10A7CFj
		cmp	[esp+30h+var_1E], 0
		jnz	loc_91E634

loc_813FFC:				; CODE XREF: ObpReferenceObjectByHandleWithTag+10A7DAj
					; ObpReferenceObjectByHandleWithTag+10A7F1j
		cmp	[esp+30h+var_1D], 0
		lea	eax, [ebx+18h]
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		jnz	loc_8142FA

loc_81400F:				; CODE XREF: ObpReferenceObjectByHandleWithTag+4A9j
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		xor	eax, eax

loc_814018:				; CODE XREF: ObpReferenceObjectByHandleWithTag+455j
					; ObpReferenceObjectByHandleWithTag+10A6D3j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_814021:				; CODE XREF: ObpReferenceObjectByHandleWithTag+14Aj
		movzx	eax, al
		mov	ecx, ebx
		and	eax, 7Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		mov	eax, [ecx]
		cmp	byte ptr [eax+0Ch], 0
		jz	short loc_814046
		mov	eax, [eax+8]
		cmp	eax, 1
		jz	loc_91E5FD

loc_814046:				; CODE XREF: ObpReferenceObjectByHandleWithTag+1D8j
		mov	ecx, [esp+30h+var_4]
		jmp	loc_813FAC
; 

loc_81404F:				; CODE XREF: ObpReferenceObjectByHandleWithTag+50j
		cmp	esi, 0FFFFFFFFh
		jz	loc_8141C4
		cmp	esi, 0FFFFFFFEh
		jnz	loc_81419E
		mov	ecx, [ebp+arg_0]
		cmp	ecx, ds:_PsThreadType
		jnz	loc_81430E

loc_814070:				; CODE XREF: ObpReferenceObjectByHandleWithTag+4B0j
		test	edx, 0FFE00000h
		jnz	loc_91E55B

loc_81407C:				; CODE XREF: ObpReferenceObjectByHandleWithTag+10A701j
		mov	ecx, [ebp+arg_10]
		lea	esi, [edi-18h]
		test	ecx, ecx
		jnz	loc_91E566

loc_81408A:				; CODE XREF: ObpReferenceObjectByHandleWithTag+10A713j
		cmp	ds:_ObpTraceFlags, 0
		jnz	loc_91E578

loc_814097:				; CODE XREF: ObpReferenceObjectByHandleWithTag+10A729j
		mov	ecx, 1
		lock xadd [esi], ecx
		inc	ecx
		cmp	ecx, 1
		jle	loc_91E58E
		mov	[eax], edi
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_8140B7:				; CODE XREF: ObpReferenceObjectByHandleWithTag+113j
					; ObpReferenceObjectByHandleWithTag+11Fj
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		test	eax, eax
		jz	loc_91E661
		cmp	eax, ds:_MmBadPointer
		jz	loc_91E661
		test	edx, edx
		jz	loc_813F85
		mov	esi, 0C0000024h
		jmp	loc_814296
; 

loc_8140E4:				; CODE XREF: ObpReferenceObjectByHandleWithTag+DDj
		jg	loc_814241
		lea	ebx, [ebx+0]

loc_8140F0:				; CODE XREF: ObpReferenceObjectByHandleWithTag+2A6j
					; ObpReferenceObjectByHandleWithTag+4D0j
		mov	edx, [ebx]
		test	dl, 1
		jz	loc_8142D6
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jnz	short loc_8140F0
		mov	ecx, [esp+30h+var_18]
		mov	ebx, [ebx]
		and	ebx, 0FFFFFFF8h
		mov	eax, [ecx]
		mov	[esp+30h+var_8], eax
		mov	eax, [ecx+4]
		mov	[esp+30h+var_4], eax
		call	_ExSlowReplenishHandleTableEntry@4 ; ExSlowReplenishHandleTableEntry(x)
		inc	eax
		mov	ecx, eax
		lock xadd [ebx], ecx
		test	ecx, ecx
		jle	loc_91E5D8
		mov	ecx, [esp+30h+var_18]
		mov	eax, 1
		lock xadd [ecx], eax
		mov	ecx, [esp+30h+var_1C]
		lea	eax, [esp+30h+var_C]
		add	ecx, 20h
		mov	[esp+30h+var_C], 0
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	loc_813F4A
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_813F4A
; 

loc_814169:				; CODE XREF: ObpReferenceObjectByHandleWithTag+151j
		mov	[eax+4], edx
		mov	edx, [esp+30h+var_8]
		and	edx, 6
		test	ecx, 4000000h
		jnz	loc_814289

loc_81417F:				; CODE XREF: ObpReferenceObjectByHandleWithTag+42Cj
		test	ecx, 2000000h
		jnz	loc_814279

loc_81418B:				; CODE XREF: ObpReferenceObjectByHandleWithTag+41Cj
		and	edx, 7
		mov	[eax], edx
		test	dl, 4
		jz	loc_813FDE
		jmp	loc_91E607
; 

loc_81419E:				; CODE XREF: ObpReferenceObjectByHandleWithTag+1FBj
		cmp	[ebp+arg_4], 0
		jnz	loc_91E59B
		mov	eax, _ObpKernelHandleTable
		xor	esi, 80000000h
		dec	word ptr [edi+13Ch]
		mov	[esp+30h+var_1C], eax
		nop
		jmp	loc_813F09
; 

loc_8141C4:				; CODE XREF: ObpReferenceObjectByHandleWithTag+1F2j
		mov	ecx, [ebp+arg_0]
		cmp	ecx, ds:_PsProcessType
		jnz	loc_8142BA

loc_8141D3:				; CODE XREF: ObpReferenceObjectByHandleWithTag+45Cj
		mov	esi, [edi+80h]
		test	edx, 0FFE00000h
		jnz	loc_91E524

loc_8141E5:				; CODE XREF: ObpReferenceObjectByHandleWithTag+10A6C8j
		mov	ecx, [ebp+arg_10]
		lea	edi, [esi-18h]
		test	ecx, ecx
		jnz	loc_8142C4

loc_8141F3:				; CODE XREF: ObpReferenceObjectByHandleWithTag+471j
		cmp	ds:_ObpTraceFlags, 0
		jnz	loc_91E538

loc_814200:				; CODE XREF: ObpReferenceObjectByHandleWithTag+10A6E9j
		mov	ecx, 1
		lock xadd [edi], ecx
		inc	ecx
		cmp	ecx, 1
		jle	loc_91E54E
		mov	[eax], esi
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_814220:				; CODE XREF: ObpReferenceObjectByHandleWithTag+48j
		mov	dword ptr [ecx], 0
		mov	dword ptr [ecx+4], 0
		jmp	loc_813EAE
; 

loc_814232:				; CODE XREF: ObpReferenceObjectByHandleWithTag+18Bj
		cmp	dword ptr [eax+4], 0
		jz	loc_813FF1
		jmp	loc_91E611
; 

loc_814241:				; CODE XREF: ObpReferenceObjectByHandleWithTag:loc_8140E4j
		mov	ebx, [esp+30h+var_8]
		mov	ecx, eax
		and	ebx, 0FFFFFFF8h
		lock xadd [ebx], ecx
		test	ecx, ecx
		jle	loc_91E5BB
		mov	ecx, [esp+30h+var_18]
		lea	edx, [esp+30h+var_8]
		push	eax
		call	ExFastReplenishHandleTableEntry
		test	eax, eax
		jz	loc_813F4A
		jmp	loc_91E5CD
; 

loc_814271:				; CODE XREF: ObpReferenceObjectByHandleWithTag+170j
		or	eax, 1
		jmp	loc_813FD6
; 

loc_814279:				; CODE XREF: ObpReferenceObjectByHandleWithTag+325j
		or	edx, 1
		jmp	loc_81418B
; 

loc_814281:				; CODE XREF: ObpReferenceObjectByHandleWithTag+164j
		or	eax, 8
		jmp	loc_813FCA
; 

loc_814289:				; CODE XREF: ObpReferenceObjectByHandleWithTag+319j
		or	edx, 8
		jmp	loc_81417F
; 

loc_814291:				; CODE XREF: ObpReferenceObjectByHandleWithTag+13Fj
		mov	esi, 0C0000022h

loc_814296:				; CODE XREF: ObpReferenceObjectByHandleWithTag+27Fj
					; ObpReferenceObjectByHandleWithTag+10A7A2j ...
		mov	edx, [ebp+arg_8]
		lea	ecx, [ebx+18h]
		call	ObfDereferenceObjectWithTag

loc_8142A1:				; CODE XREF: ObpReferenceObjectByHandleWithTag+487j
		cmp	[esp+30h+var_1D], 0
		jnz	loc_91E68F

loc_8142AC:				; CODE XREF: ObpReferenceObjectByHandleWithTag+10A83Ej
					; ObpReferenceObjectByHandleWithTag+10A848j
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, esi
		jmp	loc_814018
; 

loc_8142BA:				; CODE XREF: ObpReferenceObjectByHandleWithTag+36Dj
		test	ecx, ecx
		jz	loc_8141D3
		jmp	short loc_814316
; 

loc_8142C4:				; CODE XREF: ObpReferenceObjectByHandleWithTag+38Dj
		mov	dword ptr [ecx+4], 1FFFFFh
		mov	dword ptr [ecx], 0
		jmp	loc_8141F3
; 

loc_8142D6:				; CODE XREF: ObpReferenceObjectByHandleWithTag+295j
		test	edx, edx
		jnz	short loc_814324

loc_8142DA:				; CODE XREF: ObpReferenceObjectByHandleWithTag+AFj
					; ObpReferenceObjectByHandleWithTag+C5j
		test	esi, esi
		jnz	loc_91E671

loc_8142E2:				; CODE XREF: ObpReferenceObjectByHandleWithTag+A3j
					; ObpReferenceObjectByHandleWithTag+10A82Aj
		mov	esi, 0C0000008h
		jmp	short loc_8142A1
; 

loc_8142E9:				; CODE XREF: ObpReferenceObjectByHandleWithTag+74j
		mov	ecx, ebx
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		mov	[esp+30h+var_1D], 1
		jmp	loc_813EF1
; 

loc_8142FA:				; CODE XREF: ObpReferenceObjectByHandleWithTag+1A9j
		mov	ecx, [esp+30h+var_10]
		add	ecx, 0F0h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_81400F
; 

loc_81430E:				; CODE XREF: ObpReferenceObjectByHandleWithTag+20Aj
		test	ecx, ecx
		jz	loc_814070

loc_814316:				; CODE XREF: ObpReferenceObjectByHandleWithTag+462j
		pop	edi
		pop	esi
		mov	eax, 0C0000024h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_814324:				; CODE XREF: ObpReferenceObjectByHandleWithTag+478j
		mov	ecx, [esp+30h+var_1C]
		push	edx
		mov	edx, ebx
		call	_ExpBlockOnLockedHandleEntry@12	; ExpBlockOnLockedHandleEntry(x,x,x)
		jmp	loc_8140F0
ObpReferenceObjectByHandleWithTag endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpLookupHandleTableEntry proc near	; CODE XREF: ExSweepHandleTable+54p
					; ObWaitForMultipleObjects+177p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0091E6AD SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, [ecx]
		and	eax, 0FFFFFFFCh
		cmp	eax, edx
		jnb	short loc_814386
		push	esi
		mov	esi, [ecx+8]
		mov	ecx, esi
		and	ecx, 3
		sub	ecx, 0
		jz	short loc_81437E
		sub	ecx, 1
		jnz	loc_91E6AD
		mov	ecx, eax
		shr	ecx, 0Bh
		and	eax, 7FFh
		mov	ecx, [esi+ecx*4-1]

loc_814376:				; CODE XREF: ExpLookupHandleTableEntry+10A389j
		lea	eax, [ecx+eax*2]
		pop	esi
		pop	ebp
		retn	4
; 

loc_81437E:				; CODE XREF: ExpLookupHandleTableEntry+1Dj
		lea	eax, [esi+eax*2]
		pop	esi
		pop	ebp
		retn	4
; 

loc_814386:				; CODE XREF: ExpLookupHandleTableEntry+Fj
		xor	eax, eax
		pop	ebp
		retn	4
ExpLookupHandleTableEntry endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpLockKcbStackShared(x)
_CmpLockKcbStackShared@4 proc near	; CODE XREF: CmQueryLayeredKey+97p
					; CmpEnumerateLayeredKey+11Fp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		xor	esi, esi
		cmp	ax, [edi+2]
		jg	short loc_8143C4
		push	ebx

loc_8143A1:				; CODE XREF: CmpLockKcbStackShared(x)+31j
		movsx	ebx, si
		cmp	si, 2
		jge	short loc_8143C7
		mov	ebx, [edi+ebx*4+4]

loc_8143AE:				; CODE XREF: CmpLockKcbStackShared(x)+3Ej
		lea	ecx, [ebx+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [ebx+1Ch]
		inc	esi
		cmp	si, [edi+2]
		jle	short loc_8143A1
		pop	ebx

loc_8143C4:				; CODE XREF: CmpLockKcbStackShared(x)+Ej
		pop	edi
		pop	esi
		retn
; 

loc_8143C7:				; CODE XREF: CmpLockKcbStackShared(x)+18j
		mov	eax, [edi+0Ch]
		mov	ebx, [eax+ebx*4-8]
		jmp	short loc_8143AE
_CmpLockKcbStackShared@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpUnlockKcbStack proc near		; CODE XREF: CmQueryLayeredKey+15Dp
					; CmDeleteLayeredKey(x,x,x)+12Bp ...

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 0091E6CE SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		xor	esi, esi
		cmp	ax, [edi+2]
		jg	short loc_81442B
		push	ebx

loc_8143E5:				; CODE XREF: CmpUnlockKcbStack+58j
		movsx	ebx, si
		cmp	si, 2
		jge	short loc_81443A
		mov	ebx, [edi+ebx*4+4]

loc_8143F2:				; CODE XREF: CmpUnlockKcbStack+71j
		test	dword ptr [ebx+4], 80000h
		jnz	short loc_814443
		mov	[ebp+var_1], 0

loc_8143FF:				; CODE XREF: CmpUnlockKcbStack+77j
		mov	eax, large fs:124h
		lea	ecx, [ebx+1Ch]
		cmp	[ecx], eax
		jz	short loc_814431
		lock dec dword ptr [ecx]

loc_81440F:				; CODE XREF: CmpUnlockKcbStack+68j
		lea	ecx, [ebx+18h]
		xor	edx, edx
		call	ExReleasePushLockEx
		cmp	[ebp+var_1], 0
		jnz	loc_91E6CE

loc_814423:				; CODE XREF: CmpUnlockKcbStack+10A305j
					; CmpUnlockKcbStack+10A312j
		inc	esi
		cmp	si, [edi+2]
		jle	short loc_8143E5
		pop	ebx

loc_81442B:				; CODE XREF: CmpUnlockKcbStack+12j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_814431:				; CODE XREF: CmpUnlockKcbStack+3Aj
		mov	dword ptr [ebx+1Ch], 0
		jmp	short loc_81440F
; 

loc_81443A:				; CODE XREF: CmpUnlockKcbStack+1Cj
		mov	eax, [edi+0Ch]
		mov	ebx, [eax+ebx*4-8]
		jmp	short loc_8143F2
; 

loc_814443:				; CODE XREF: CmpUnlockKcbStack+29j
		mov	[ebp+var_1], 1
		jmp	short loc_8143FF
CmpUnlockKcbStack endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoParseKey(x, x,	x, x, x, x, x, x, x)
_CmpDoParseKey@36 proc near		; CODE XREF: CmpParseKey+23Cp

var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C1		= byte ptr -0C1h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A3		= byte ptr -0A3h
var_A2		= byte ptr -0A2h
var_A1		= dword	ptr -0A1h
var_99		= dword	ptr -99h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= byte ptr -8Ch
var_8B		= byte ptr -8Bh
var_8A		= dword	ptr -8Ah
var_84		= dword	ptr -84h
var_7E		= byte ptr -7Eh
var_7D		= dword	ptr -7Dh
var_76		= byte ptr -76h
var_75		= byte ptr -75h
var_74		= dword	ptr -74h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 138h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+arg_18]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_A8], ecx
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_134], eax
		xor	eax, eax
		mov	[ebp+var_F8], ebx
		mov	word ptr [ebp+var_F8], ax
		mov	byte ptr [ebp+var_7D], al
		mov	eax, [ecx]
		push	esi
		mov	[ebp+var_D8], eax
		mov	eax, [ecx+4]
		push	edi
		mov	edi, [ebp+arg_10]
		mov	[ebp+var_C8], ecx
		lea	ecx, [ebp+var_EC]
		mov	[ebp+var_B0], edx
		mov	[ebp+var_100], 0
		mov	[ebp+var_84], 0
		mov	[ebp+var_F4], 0
		mov	[ebp+var_F0], 0
		mov	byte ptr [ebp+var_99], 0
		mov	[ebp+var_EC], 0
		mov	[ebp+var_E8], 0
		mov	[ebp+var_A3], 0
		mov	byte ptr [ebp+var_8A+1], 0
		mov	[ebp+var_CC], 0
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_E4], ebx
		mov	byte ptr [ebp+var_A1], bl
		mov	[ebp+var_8A+2],	ebx
		mov	[ebp+var_75], bl
		mov	[ebp+var_C1], bl
		mov	byte ptr [ebp+var_8A], bl
		mov	[ebp+var_A2], bl
		mov	[ebp+var_7E], bl
		mov	[ebp+var_8B], bl
		mov	[ebp+var_94], ebx
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_E0], ebx
		mov	[ebp+var_FC], 0FFFFFFFFh
		mov	[ebp+var_D4], eax
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		xor	eax, eax
		mov	[ebp+var_8C], bl
		push	64h		; size_t
		push	eax		; int
		mov	[ebp+var_DC], eax
		lea	eax, [ebp+var_74]
		push	eax		; void *
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		mov	[edi+60h], eax
		or	ecx, 0FFFFFFFFh
		mov	[edi+64h], eax
		mov	[edi+68h], eax
		mov	[edi+6Ch], eax
		mov	[edi+70h], eax
		mov	[ebp+var_130], eax
		mov	[ebp+var_120], eax
		mov	[ebp+var_110], eax
		mov	[edi+74h], eax
		mov	[ebp+var_12C], eax
		mov	[ebp+var_128], eax
		mov	[ebp+var_124], eax
		mov	word ptr [ebp+var_130+2], cx
		mov	[ebp+var_11C], eax
		mov	[ebp+var_118], eax
		mov	[ebp+var_114], eax
		mov	word ptr [ebp+var_120+2], cx
		mov	[ebp+var_10C], eax
		mov	[ebp+var_108], eax
		mov	[ebp+var_104], eax
		mov	word ptr [ebp+var_110+2], cx
		mov	[edi+78h], eax
		push	38h		; size_t
		push	eax		; int
		lea	eax, [edi+7Ch]
		push	eax		; void *
		call	_memset
		mov	edx, [edi+38h]
		add	esp, 0Ch
		mov	ecx, edi
		call	_CmpRecordParseCachedSymlinkKcb@8 ; CmpRecordParseCachedSymlinkKcb(x,x)
		test	[ebp+arg_4], 100h
		jz	short loc_81462B
		or	dword ptr [edi], 200h

loc_81462B:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1D3j
		mov	edx, [edi+38h]
		mov	esi, [edi+30h]
		mov	ecx, [ebp+var_A8]
		mov	[ebp+var_99+1],	edx
		mov	[edi+38h], ebx
		test	esi, esi
		jz	short loc_814670
		mov	eax, [ecx+20h]
		test	eax, eax
		jz	short loc_81466C
		cmp	esi, eax
		jz	short loc_81466C
		push	0C0190002h
		mov	edx, 100h
		mov	[ebp+var_7D+1],	0C0190002h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164C2
; 

loc_81466C:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1F9j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1FDj
		test	esi, esi
		jnz	short loc_814684

loc_814670:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1F2j
		mov	edx, [ecx+24h]
		mov	esi, [ecx+20h]
		mov	[ebp+var_90], edx
		mov	edx, [ebp+var_99+1]
		jmp	short loc_81468A
; 

loc_814684:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+21Ej
		mov	[ebp+var_90], ebx

loc_81468A:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+232j
		movzx	eax, word ptr [ecx+1Eh]
		mov	[edi+10h], eax
		mov	eax, ds:_CmpRegistryRootObject
		mov	ecx, [ecx+8]
		cmp	ecx, [eax+8]
		jz	short loc_8146BD
		test	edx, edx
		jz	short loc_8146BD
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, [ebp+var_99+1]
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		mov	[ebp+var_99+1],	ebx
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_8146BD:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+24Cj
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+250j
		mov	edx, [ebp+var_99+1]
		mov	byte ptr [ebp+var_8A+1], bl
		test	edx, edx
		jz	loc_8149D1
		test	dword ptr [edi], 400h
		jz	short loc_8146E0
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		jmp	short loc_8146E5
; 

loc_8146E0:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+287j
		call	_CmpLockRegistry@0 ; CmpLockRegistry()

loc_8146E5:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+28Ej
		mov	ecx, [ebp+var_99+1]
		lea	edx, [ebp+var_99]
		mov	byte ptr [ebp+var_8A+1], 1
		call	CmpGetCachedFullKCBName
		mov	[ebp+var_D0], eax
		test	eax, eax
		jz	loc_8149B3
		cmp	byte ptr [ebp+var_99], bl
		jnz	loc_8149B3
		push	1
		push	[ebp+var_B8]
		push	eax
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_8149B3
		mov	eax, [ebp+var_D0]
		mov	ebx, [ebp+var_B8]
		movzx	edx, word ptr [eax]
		mov	eax, [ebx+4]
		mov	ecx, edx
		shr	ecx, 1
		lea	eax, [eax+ecx*2]
		mov	cx, [ebx]
		mov	bx, [ebx+2]
		sub	cx, dx
		sub	bx, dx
		mov	[ebp+var_A1+1],	eax
		mov	[ebp+var_C0], ebx
		mov	dx, bx
		mov	[ebp+var_D4], eax
		mov	ebx, 0
		mov	[ebp+var_BC], ecx
		mov	word ptr [ebp+var_D8], cx
		mov	word ptr [ebp+var_D8+2], dx
		test	cx, cx
		jbe	short loc_8147BD
		mov	[ebp+var_D0], 0FFFEh

loc_814790:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+357j
		cmp	word ptr [eax],	5Ch
		jnz	short loc_8147A9
		add	dx, word ptr [ebp+var_D0]
		add	eax, 2
		add	cx, word ptr [ebp+var_D0]
		jnz	short loc_814790

loc_8147A9:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+344j
		mov	[ebp+var_D4], eax
		mov	word ptr [ebp+var_D8], cx
		mov	word ptr [ebp+var_D8+2], dx

loc_8147BD:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+334j
		mov	eax, [ebp+var_99+1]
		mov	edx, [eax+4]
		shr	edx, 15h
		and	edx, 3FFh
		dec	edx
		test	byte ptr [edi],	1
		mov	[ebp+var_D0], edx
		jz	loc_81486B
		test	cx, cx
		jnz	loc_81486B
		mov	eax, [eax+28h]
		movzx	ecx, word ptr [eax+0Ch]
		test	byte ptr [eax],	1
		mov	eax, ecx
		jz	short loc_814825
		add	eax, eax
		sub	[ebp+var_A1+1],	eax
		mov	eax, [ebp+var_A1+1]
		mov	[ebp+var_D4], eax
		mov	eax, [ebp+var_BC]
		lea	eax, [eax+ecx*2]
		mov	word ptr [ebp+var_D8], ax
		mov	eax, [ebp+var_C0]
		lea	eax, [eax+ecx*2]
		jmp	short loc_814853
; 

loc_814825:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+3A4j
		mov	ecx, eax
		and	eax, 0FFFFFFFEh
		sub	[ebp+var_A1+1],	eax
		mov	eax, [ebp+var_A1+1]
		mov	[ebp+var_D4], eax
		mov	eax, [ebp+var_BC]
		add	eax, ecx
		mov	word ptr [ebp+var_D8], ax
		mov	eax, [ebp+var_C0]
		add	eax, ecx

loc_814853:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+3D3j
		dec	edx
		mov	word ptr [ebp+var_D8+2], ax
		mov	[ebp+var_94], 1
		mov	[ebp+var_D0], edx

loc_81486B:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+389j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+392j
		lea	eax, [ebp+var_74]
		push	eax
		lea	edx, [ebp+var_B4]
		lea	ecx, [ebp+var_D8]
		call	CmpComputeComponentHashes
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_814899
		push	eax
		mov	edx, 200h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164C2
; 

loc_814899:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+435j
		mov	eax, [ebp+var_B4]
		movsx	ecx, ax
		mov	eax, [ebp+var_D0]
		add	eax, ecx
		cmp	eax, 20h
		jbe	short loc_8148CC
		push	0C000000Dh
		mov	edx, 300h
		mov	[ebp+var_7D+1],	0C000000Dh
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164C2
; 

loc_8148CC:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+45Dj
		lea	edx, [ebp+var_74]
		call	_CmpValidateComponents@8 ; CmpValidateComponents(x,x)
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_8148ED
		push	eax
		mov	edx, 400h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164C2
; 

loc_8148ED:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+489j
		mov	eax, [ebp+var_94]
		cmp	ax, word ptr [ebp+var_B4]
		jnz	short loc_81490E
		mov	ecx, [ebp+var_99+1]
		call	CmpLockHashEntrySharedByKcb
		mov	[ebp+var_8B], 1

loc_81490E:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+4AAj
		mov	ecx, [ebp+var_99+1]
		call	_CmpLockKcbShared@4 ; CmpLockKcbShared(x)
		mov	ecx, [ebp+var_99+1]
		xor	edx, edx
		call	_CmpIsKeyDeleted@8 ; CmpIsKeyDeleted(x,x)
		test	al, al
		mov	eax, [ebp+var_99+1]
		jnz	short loc_81494B
		test	dword ptr [eax+4], 40000h
		jnz	short loc_81494B
		mov	ecx, eax
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	edx, [ebp+var_99+1]
		jmp	loc_8149D1
; 

loc_81494B:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+4DEj
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+4E7j
		mov	ecx, eax
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		cmp	[ebp+var_8B], bl
		jz	short loc_814965
		mov	ecx, [ebp+var_99+1]
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)

loc_814965:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+508j
		mov	ecx, [ebp+var_99+1]
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		mov	ecx, [ebp+var_C8]
		mov	[ebp+var_99+1],	ebx
		mov	[ebp+var_94], ebx
		mov	eax, [ecx]
		mov	[ebp+var_D8], eax
		mov	eax, [ecx+4]
		lea	ecx, [ebp+var_74]
		mov	[ebp+var_D4], eax
		call	_CmpCleanupPathInfo@4 ;	CmpCleanupPathInfo(x)
		push	64h		; size_t
		lea	eax, [ebp+var_74]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_8B], bl
		jmp	short loc_8149CF
; 

loc_8149B3:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+2B5j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+2C1j ...
		mov	ecx, [ebp+var_99+1]
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		mov	[ebp+var_99+1],	ebx
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	byte ptr [ebp+var_8A+1], bl

loc_8149CF:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+561j
		xor	edx, edx

loc_8149D1:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+27Bj
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+4F6j
		mov	al, [ebp+var_8B]
		mov	byte ptr [ebp+var_99], al
		test	edx, edx
		jnz	short loc_814A50
		mov	ecx, [ebp+var_A8]
		lea	eax, [ebp+var_74]
		push	eax
		lea	edx, [ebp+var_B4]
		mov	ecx, [ecx+8]
		mov	[ebp+var_A1+1],	ecx
		lea	ecx, [ebp+var_D8]
		call	CmpComputeComponentHashes
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_814A1E
		push	eax
		mov	edx, 500h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164AE
; 

loc_814A1E:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+5BAj
		mov	eax, [ebp+var_B4]
		lea	edx, [ebp+var_74]
		movsx	ecx, ax
		call	_CmpValidateComponents@8 ; CmpValidateComponents(x,x)
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_814A48
		push	eax
		mov	edx, 600h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164AE
; 

loc_814A48:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+5E4j
		mov	edx, [ebp+var_A1+1]
		jmp	short loc_814A56
; 

loc_814A50:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+58Fj
		mov	[ebp+var_A1+1],	edx

loc_814A56:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+5FEj
		mov	ecx, edi
		call	_CmpRecordParseStartingKcb@8 ; CmpRecordParseStartingKcb(x,x)
		mov	eax, [ebp+var_94]
		movzx	ecx, ax
		mov	eax, [ebp+var_B4]
		cwde
		mov	[ebp+var_C0], eax
		mov	eax, [edx+4]
		shr	eax, 15h
		and	eax, 3FFh
		mov	[ebp+var_C8], ecx
		sub	eax, ecx
		add	eax, [ebp+var_C0]
		cmp	eax, 200h
		jbe	short loc_814AB0
		push	0C000000Dh
		mov	edx, 700h
		mov	[ebp+var_7D+1],	0C000000Dh
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164AE
; 

loc_814AB0:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+641j
		cmp	byte ptr [ebp+var_8A+1], 0
		jnz	short loc_814AE0
		test	dword ptr [edi], 400h
		jz	short loc_814AC8
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		jmp	short loc_814ACD
; 

loc_814AC8:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+66Fj
		call	_CmpLockRegistry@0 ; CmpLockRegistry()

loc_814ACD:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+676j
		mov	edx, [ebp+var_A1+1]
		mov	ecx, [ebp+var_C8]
		mov	byte ptr [ebp+var_8A+1], 1

loc_814AE0:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+667j
		mov	eax, [ebp+var_A8]
		mov	eax, [eax+1Ch]
		test	al, 9
		jz	short loc_814B15
		and	al, 1
		mov	edx, 800h
		movzx	eax, al
		mov	ecx, edi
		neg	eax
		sbb	eax, eax
		and	eax, 2A9h
		add	eax, 0C000017Ch
		push	eax
		mov	[ebp+var_7D+1],	eax
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164AE
; 

loc_814B15:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+69Bj
		mov	ebx, [ebp+var_94]
		cmp	bx, word ptr [ebp+var_B4]
		jnz	short loc_814B5F
		mov	ecx, edx
		call	CmpReferenceKeyControlBlockUnsafe
		mov	ecx, [ebp+var_A1+1]
		mov	ebx, ecx
		mov	[ebp+var_AC], ebx
		cmp	ecx, [ebp+var_99+1]
		jnz	short loc_814B53
		mov	al, byte ptr [ebp+var_99]
		mov	[ebp+var_8B], 0
		mov	byte ptr [ebp+var_7D], al
		jmp	short loc_814BBE
; 

loc_814B53:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+6EFj
		call	CmpLockHashEntrySharedByKcb
		mov	al, 1
		mov	byte ptr [ebp+var_7D], al
		jmp	short loc_814BBE
; 

loc_814B5F:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+6D2j
		lea	eax, [ebp+var_100]
		mov	edx, ecx
		mov	ecx, [ebp+var_A1+1]
		push	eax
		lea	eax, [ebp+var_7D]
		push	eax
		lea	eax, [ebp+var_AC]
		push	eax
		push	edi
		lea	eax, [ebp+var_74]
		push	eax
		push	[ebp+var_C0]
		call	CmpPerformCompleteKcbCacheLookup
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		js	loc_81648E
		cmp	eax, 103h
		jz	loc_81648E
		mov	eax, [ebp+var_100]
		mov	ecx, edi
		add	ebx, eax
		cwde
		mov	[ebp+var_94], ebx
		mov	ebx, [ebp+var_AC]
		mov	edx, ebx
		push	eax
		call	_CmpRecordParseKcbCacheResult@12 ; CmpRecordParseKcbCacheResult(x,x,x)

loc_814BBE:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+701j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+70Dj
		mov	eax, [ebp+var_94]
		cmp	ax, word ptr [ebp+var_B4]
		jnz	short loc_814BDD
		test	byte ptr [edi],	1
		jnz	short loc_814BDD
		mov	ecx, ebx
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)
		mov	byte ptr [ebp+var_7D], 0

loc_814BDD:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+77Bj
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+780j
		mov	ecx, ebx
		call	_CmpLockKcbShared@4 ; CmpLockKcbShared(x)
		mov	eax, [ebp+var_94]
		cmp	ax, word ptr [ebp+var_B4]
		jge	short loc_814C2D
		movsx	edx, ax
		lea	ecx, [ebp+var_74]
		call	_CmpGetComponentNameAtIndex@8 ;	CmpGetComponentNameAtIndex(x,x)
		mov	ecx, eax
		mov	eax, [ecx+4]
		mov	[ebp+var_F0], eax
		mov	ecx, [ecx+4]
		sub	ecx, [ebp+var_D4]
		mov	eax, [ebp+var_D8]
		and	ecx, 0FFFFFFFEh
		sub	eax, ecx
		mov	word ptr [ebp+var_F4], ax
		mov	word ptr [ebp+var_F4+2], ax
		jmp	short loc_814C3B
; 

loc_814C2D:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+7A1j
		push	0
		lea	eax, [ebp+var_F4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_814C3B:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+7DBj
		mov	eax, [ebp+var_B0]
		lea	edx, [ebp+var_F4]
		add	eax, 1Ch
		mov	ecx, ebx
		push	eax
		push	[ebp+arg_0]
		push	[ebp+var_B8]
		push	edi
		call	CmpVEExecuteParseLogic
		mov	ecx, ebx
		mov	[ebp+var_7D+1],	eax
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	eax, [ebp+var_7D+1]
		cmp	eax, 0C0000271h
		jz	short loc_814C82
		push	eax
		mov	edx, 9C0h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164A1
; 

loc_814C82:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+81Ej
		mov	edx, [ebx+10h]
		mov	ecx, [edi+2Ch]
		call	_CmpOKToFollowLink@8 ; CmpOKToFollowLink(x,x)
		test	al, al
		jnz	short loc_814CAE
		push	0C0000022h
		mov	edx, 0A00h
		mov	[ebp+var_7D+1],	0C0000022h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164A1
; 

loc_814CAE:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+83Fj
		mov	edx, [ebp+var_90]
		test	esi, esi
		jnz	short loc_814CBC
		test	edx, edx
		jz	short loc_814D25

loc_814CBC:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+866j
		mov	eax, [ebx+10h]
		cmp	eax, ds:_CmpMasterHive
		jnz	short loc_814CDA
		xor	esi, esi
		mov	[ebp+var_A2], 1
		xor	ecx, ecx
		mov	[ebp+var_90], ecx
		jmp	short loc_814D2B
; 

loc_814CDA:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+875j
		test	esi, esi
		jnz	short loc_814CE2
		test	edx, edx
		jz	short loc_814D25

loc_814CE2:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+88Cj
		cmp	word ptr [ebx+22h], 0
		jz	short loc_814D25
		mov	ecx, 8
		call	_CmpLogUnsupportedOperation@4 ;	CmpLogUnsupportedOperation(x)
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_814D08
		xor	esi, esi
		xor	ecx, ecx
		mov	[ebp+var_90], ecx
		jmp	short loc_814D2B
; 

loc_814D08:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+8AAj
		push	0C0190005h
		mov	edx, 0B00h
		mov	[ebp+var_7D+1],	0C0190005h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164A1
; 

loc_814D25:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+86Aj
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+890j ...
		mov	ecx, [ebp+var_90]

loc_814D2B:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+888j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+8B6j
		call	_CmpTransSilentIgnore@0	; CmpTransSilentIgnore()
		test	al, al
		jnz	loc_814DB9
		test	esi, esi
		jnz	short loc_814D40
		test	ecx, ecx
		jz	short loc_814DB9

loc_814D40:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+8EAj
		lea	eax, [ebp+var_84]
		mov	edx, ecx
		mov	ecx, [ebx+10h]
		push	eax
		push	0
		push	esi
		call	_CmpTransSearchAddTransFromHive@20 ; CmpTransSearchAddTransFromHive(x,x,x,x,x)
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_814DB9
		cmp	byte ptr [ebp+var_7D], 0
		jz	short loc_814D6C
		mov	ecx, ebx
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)
		mov	byte ptr [ebp+var_7D], 0

loc_814D6C:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+90Fj
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	edx, [ebp+var_90]
		lea	eax, [ebp+var_84]
		mov	ecx, [ebx+10h]
		push	eax
		push	1
		push	esi
		call	_CmpTransSearchAddTransFromHive@20 ; CmpTransSearchAddTransFromHive(x,x,x,x,x)
		mov	[ebp+var_7D+1],	eax
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	eax, [ebp+var_7D+1]
		mov	byte ptr [ebp+var_8A+1], 1
		test	eax, eax
		js	short loc_814DA7
		mov	eax, 0C000022Dh
		mov	[ebp+var_7D+1],	eax

loc_814DA7:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+94Dj
		push	eax
		mov	edx, 0C00h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164A1
; 

loc_814DB9:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+8E2j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+8EEj ...
		mov	dx, [ebx+22h]
		lea	ecx, [ebp+var_130]
		call	CmpStartKcbStack
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_814DE1
		push	eax
		mov	edx, 0D00h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164A1
; 

loc_814DE1:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+97Dj
		mov	dx, [ebx+22h]
		lea	ecx, [ebp+var_120]
		call	CmpStartKcbStack
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_814E09
		push	eax
		mov	edx, 0E00h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164A1
; 

loc_814E09:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+9A5j
		lea	esi, [ebp+var_130]
		mov	edx, ebx
		lea	eax, [ebp+var_120]
		mov	[ebp+var_A1+1],	esi
		mov	ecx, esi
		mov	[ebp+var_BC], eax
		call	_CmpPopulateKcbStack@8 ; CmpPopulateKcbStack(x,x)
		mov	eax, [ebp+var_94]
		cmp	ax, word ptr [ebp+var_B4]
		jge	loc_81518F
		lea	ecx, [ecx+0]

loc_814E40:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+BC1j
		mov	ecx, esi
		call	_CmpLockKcbStackShared@4 ; CmpLockKcbStackShared(x)
		mov	edx, [ebp+var_84]
		mov	ecx, esi
		call	CmpIsKeyStackDeleted
		test	al, al
		jnz	loc_8150F1
		mov	ecx, esi
		call	_CmpIsKeyStackSymlink@4	; CmpIsKeyStackSymlink(x)
		mov	ecx, esi
		test	al, al
		jnz	loc_815077
		call	CmpUnlockKcbStack
		mov	eax, [ebp+var_94]
		lea	ecx, [ebp+var_74]
		movsx	edx, ax
		mov	[ebp+var_90], edx
		call	_CmpGetComponentNameAtIndex@8 ;	CmpGetComponentNameAtIndex(x,x)
		lea	ecx, [ebp+var_74]
		mov	[ebp+var_C8], eax
		call	_CmpGetComponentHashAtIndex@8 ;	CmpGetComponentHashAtIndex(x,x)
		mov	ecx, eax
		imul	eax, [ebx+8], 25h
		add	eax, ecx
		test	byte ptr [edi],	1
		jz	short loc_814EBA
		mov	edx, [ebp+var_C0]
		dec	edx
		mov	byte ptr [ebp+var_D0], 1
		cmp	[ebp+var_90], edx
		jz	short loc_814EC1

loc_814EBA:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+A52j
		mov	byte ptr [ebp+var_D0], 0

loc_814EC1:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+A68j
		push	edi
		push	[ebp+var_D0]
		mov	edx, esi
		push	[ebp+var_84]
		push	eax
		push	ecx
		push	[ebp+var_C8]
		lea	eax, [ebp+var_A1]
		mov	ecx, ebx
		push	eax
		push	[ebp+var_BC]
		lea	eax, [ebp+var_E4]
		push	eax
		call	CmpWalkOneLevel
		mov	[ebp+var_7D+1],	eax
		cmp	eax, 0C0000034h
		jnz	loc_814FA3
		cmp	_CmpLoadingSystemHivesActive, 0
		jz	loc_815065
		mov	eax, _CmpMountThread
		cmp	eax, large fs:124h
		mov	ebx, [ebp+var_AC]
		jz	loc_815062
		mov	eax, [ebx+10h]
		cmp	eax, ds:_CmpMasterHive
		jnz	loc_815062
		mov	eax, [ebx+4]
		mov	esi, [ebp+var_90]
		and	eax, 7FE00000h
		cmp	eax, (offset loc_5FFFFF+1)
		jnz	short loc_814F73
		cmp	word ptr [ebp+var_94], 0
		jle	short loc_814F73
		lea	edx, [esi-1]
		lea	ecx, [ebp+var_74]
		call	_CmpGetComponentNameAtIndex@8 ;	CmpGetComponentNameAtIndex(x,x)
		mov	ecx, eax
		lea	eax, [edi+54h]
		push	eax
		push	ecx
		call	CmpWaitForHiveMount
		test	al, al
		jnz	loc_81501C

loc_814F73:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+AF8j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+B02j
		mov	eax, [ebx+4]
		and	eax, 7FE00000h
		cmp	eax, 400000h
		jnz	short loc_814FA0
		mov	edx, esi
		lea	ecx, [ebp+var_74]
		call	_CmpGetComponentNameAtIndex@8 ;	CmpGetComponentNameAtIndex(x,x)
		mov	ecx, eax
		lea	eax, [edi+54h]
		push	eax
		push	ecx
		call	CmpWaitForHiveMount
		test	al, al
		jnz	loc_81503F

loc_814FA0:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+B30j
		mov	eax, [ebp+var_7D+1]

loc_814FA3:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+AABj
		test	eax, eax
		js	loc_815065
		mov	edx, [ebp+var_E4]
		mov	ecx, edi
		call	_CmpRecordParseWalkResult@8 ; CmpRecordParseWalkResult(x,x)
		mov	ecx, ebx
		call	CmpDereferenceKeyControlBlockUnsafe
		mov	al, byte ptr [ebp+var_A1]
		mov	ebx, [ebp+var_E4]
		mov	ecx, [ebp+var_A1+1]
		mov	esi, [ebp+var_BC]
		mov	byte ptr [ebp+var_7D], al
		mov	eax, [ebp+var_94]
		inc	eax
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_E4], 0
		mov	byte ptr [ebp+var_A1], 0
		mov	[ebp+var_A1+1],	esi
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_94], eax
		cmp	ax, word ptr [ebp+var_B4]
		jl	loc_814E40
		jmp	loc_815195
; 

loc_81501C:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+B1Dj
		or	dword ptr [edi], 100h
		mov	edx, 1400h
		push	103h
		mov	ecx, edi
		mov	[ebp+var_7D+1],	103h
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164A1
; 

loc_81503F:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+B4Aj
		or	dword ptr [edi], 100h
		mov	edx, 1500h
		push	103h
		mov	ecx, edi
		mov	[ebp+var_7D+1],	103h
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164A1
; 

loc_815062:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+AD0j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+ADFj
		mov	eax, [ebp+var_7D+1]

loc_815065:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+AB8j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+B55j
		push	eax
		mov	edx, 1580h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164A1
; 

loc_815077:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+A17j
		lea	eax, [edi+38h]
		push	eax
		push	[ebp+var_B8]
		lea	eax, [ebp+var_EC]
		push	eax
		push	edi
		push	[ebp+var_84]
		lea	edx, [ebp+var_74]
		push	[ebp+var_B4]
		push	[ebp+var_94]
		call	CmpGetSymbolicLinkTarget
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_8150BC
		push	eax
		mov	edx, 1200h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164A1
; 

loc_8150BC:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+C58j
		and	dword ptr [edi], 0FFFFFFF7h
		cmp	dword ptr [edi+2Ch], 0
		jnz	short loc_8150D4
		mov	eax, [ebx+10h]
		test	byte ptr [eax+980h], 1
		jz	short loc_8150D4
		mov	[edi+2Ch], eax

loc_8150D4:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+C73j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+C7Fj
		push	104h
		mov	edx, 1300h
		mov	[ebp+var_7D+1],	104h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_8164A1
; 

loc_8150F1:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+A06j
		cmp	_CmpLoadingSystemHivesActive, 0
		jz	short loc_815172
		mov	eax, _CmpMountThread
		cmp	eax, large fs:124h
		mov	ebx, [ebp+var_AC]
		jz	short loc_815172
		mov	eax, [ebx+10h]
		cmp	eax, ds:_CmpMasterHive
		jnz	short loc_815172
		mov	eax, [ebx+4]
		and	eax, 7FE00000h
		cmp	eax, (offset loc_5FFFFF+1)
		jnz	short loc_815172
		mov	eax, [ebp+var_94]
		test	ax, ax
		jle	short loc_815172
		movsx	edx, ax
		lea	ecx, [ebp+var_74]
		dec	edx
		call	_CmpGetComponentNameAtIndex@8 ;	CmpGetComponentNameAtIndex(x,x)
		mov	ecx, eax
		lea	eax, [edi+54h]
		push	eax
		push	ecx
		call	CmpWaitForHiveMount
		test	al, al
		jz	short loc_815172
		or	dword ptr [edi], 100h
		mov	edx, 0F00h
		push	103h
		mov	ecx, edi
		mov	[ebp+var_7D+1],	103h
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_816448
; 

loc_815172:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+CA8j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+CBCj ...
		push	0C0000034h
		mov	edx, 1000h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_816448
; 

loc_81518F:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+9E7j
		lea	ecx, [ebp+var_120]

loc_815195:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+BC7j
		lea	eax, [ebx+24h]
		mov	[ebp+var_8A+2],	ecx
		mov	[ebp+var_90], eax
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_8151BB
		mov	edx, eax
		call	_CmpPopulateKcbStack@8 ; CmpPopulateKcbStack(x,x)
		mov	ecx, [ebp+var_90]
		mov	eax, [ecx]
		jmp	short loc_8151C5
; 

loc_8151BB:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+D58j
		mov	[ebp+var_8A+2],	0

loc_8151C5:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+D69j
		mov	ecx, [ebp+var_A8]
		mov	ecx, [ecx+8]
		cmp	eax, ecx
		jz	short loc_8151DF
		cmp	ebx, ecx
		jz	short loc_8151DF
		call	_CmpLockKcbShared@4 ; CmpLockKcbShared(x)
		mov	[ebp+var_7E], 1

loc_8151DF:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+D80j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+D84j
		mov	eax, [ebp+var_8A+2]
		test	eax, eax
		jz	short loc_8151F8
		mov	ecx, eax
		call	_CmpLockKcbStackShared@4 ; CmpLockKcbStackShared(x)
		mov	eax, [ebp+var_8A+2]
		test	eax, eax

loc_8151F8:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+D97j
		setnz	al
		mov	ecx, esi
		mov	[ebp+var_76], al
		mov	[ebp+var_75], al
		call	_CmpLockKcbStackShared@4 ; CmpLockKcbStackShared(x)
		mov	ecx, [ebp+var_A8]
		xor	edx, edx
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jz	short loc_815250
		mov	eax, [ebp+var_A8]
		mov	edx, 1700h
		mov	ecx, edi
		mov	al, [eax+1Ch]
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 2A9h
		add	eax, 0C000017Ch
		push	eax
		mov	[ebp+var_7D+1],	eax
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_815250:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+DC7j
		dec	[ebp+var_94]
		lea	eax, [ebx+68h]
		test	dword ptr [eax], 20000h
		mov	[ebp+var_BC], eax
		jz	short loc_81528A
		push	0C0000034h
		mov	edx, 1800h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_81528A:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+E15j
		mov	edx, [ebp+var_84]
		mov	ecx, esi
		call	_CmRmIsKcbStackVisible@8 ; CmRmIsKcbStackVisible(x,x)
		test	al, al
		jnz	short loc_8152BE
		push	0C0000034h
		mov	edx, 1900h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_8152BE:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+E49j
		mov	eax, [edi]
		mov	ecx, esi
		test	al, 2
		jz	loc_81577A
		call	CmpUnlockKcbStack
		mov	ecx, [ebp+var_8A+2]
		call	CmpUnlockKcbStack
		cmp	[ebp+var_7E], 0
		jz	short loc_8152EE
		mov	eax, [ebp+var_A8]
		mov	ecx, [eax+8]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)

loc_8152EE:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+E8Ej
		mov	ecx, [edi+24h]
		push	0
		call	CmpTryToLockHashEntryExclusive
		cmp	[ebp+var_7E], 0
		mov	[ebp+var_A3], al
		jz	short loc_815312
		mov	eax, [ebp+var_A8]
		mov	ecx, [eax+8]
		call	_CmpLockKcbShared@4 ; CmpLockKcbShared(x)

loc_815312:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+EB2j
		mov	ecx, [ebp+var_8A+2]
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		mov	ecx, esi
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		mov	eax, [ebp+var_94]
		lea	ecx, [ebp+var_74]
		movsx	edx, ax
		call	_CmpGetComponentNameAtIndex@8 ;	CmpGetComponentNameAtIndex(x,x)
		lea	ecx, [ebp+var_74]
		mov	[ebp+var_C0], eax
		call	_CmpGetComponentHashAtIndex@8 ;	CmpGetComponentHashAtIndex(x,x)
		mov	ecx, [ebp+var_A8]
		xor	edx, edx
		mov	esi, eax
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jz	short loc_81538D
		mov	eax, [ebp+var_A8]
		mov	edx, 1A00h
		mov	ecx, edi
		mov	al, [eax+1Ch]
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 2A9h
		add	eax, 0C000017Ch
		push	eax
		mov	[ebp+var_7D+1],	eax
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_81538D:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+F04j
		mov	edx, [ebp+var_84]
		mov	ecx, [ebp+var_8A+2]
		call	CmpIsKeyStackDeleted
		test	al, al
		jz	short loc_8153C5
		push	0C0000034h
		mov	edx, 1B00h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_8153C5:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+F50j
		mov	edx, [ebp+var_84]
		mov	ecx, [ebp+var_A1+1]
		call	CmpIsKeyStackDeleted
		test	al, al
		jnz	short loc_8153FD
		push	0C0000022h
		mov	edx, 1C00h
		mov	[ebp+var_7D+1],	0C0000022h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_8153FD:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+F88j
		mov	eax, [ebp+var_90]
		mov	ecx, [eax]
		mov	eax, [ecx+10h]
		cmp	eax, ds:_CmpMasterHive
		jz	short loc_815433
		push	0C0000022h
		mov	edx, 1D00h
		mov	[ebp+var_7D+1],	0C0000022h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_815433:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+FBEj
		test	dword ptr [ecx+68h], 20000h
		jz	short loc_81545F
		push	0C0000034h
		mov	edx, 1E00h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_81545F:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+FEAj
		test	byte ptr [edi+60h], 1
		jnz	short loc_815471
		lea	ecx, [edi+64h]
		call	CmpAttachToRegistryProcess
		or	dword ptr [edi+60h], 1

loc_815471:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1013j
		mov	edx, [edi+20h]
		lea	eax, [edi+20h]
		mov	ecx, [edi+24h]
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_8154B1
		mov	edx, [ebp+var_B0]
		push	eax
		push	edi
		push	[ebp+var_C0]
		call	CmpCreateHiveRootCell
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_8154D5
		push	eax
		mov	edx, 1E80h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_8154B1:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+102Dj
		call	_CmpUpdateHiveRootCellFlags@8 ;	CmpUpdateHiveRootCellFlags(x,x)
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_8154D5
		push	eax
		mov	edx, 1F00h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_8154D5:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1047j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+106Bj
		or	word ptr [ebx+6Ah], 2
		lea	eax, [ebp+var_E0]
		mov	ecx, [edi+24h]
		or	edx, 0FFFFFFFFh
		push	eax
		mov	eax, [edi+34h]
		push	0
		push	esi
		push	[ebp+var_C0]
		push	1
		push	eax
		push	ebx
		call	CmpCreateKeyControlBlock
		mov	[ebp+var_7D+1],	eax
		mov	ecx, 0FFFDh
		mov	eax, [ebp+var_BC]
		mov	ax, [eax+2]
		and	ax, cx
		mov	[ebx+6Ah], ax
		mov	eax, [ebp+var_7D+1]
		test	eax, eax
		jns	short loc_815534
		push	eax
		mov	edx, 2000h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_815534:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+10CAj
		mov	esi, ebx
		mov	ebx, [ebp+var_E0]
		mov	ecx, esi
		call	CmpDereferenceKeyControlBlockUnsafe
		mov	ecx, esi
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)
		mov	edx, ebx
		mov	byte ptr [ebp+var_7D], 0
		lea	ecx, [ebp+var_110]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_81557A
		push	eax
		mov	edx, 2100h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_81557A:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1110j
		or	word ptr [esi+6Ah], 2
		lea	ecx, [ebp+var_110]
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_8A]
		push	eax
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_C1], 1
		push	eax
		lea	eax, [ebp+var_110]
		mov	ecx, 0FFFDh
		and	[esi+6Ah], cx
		mov	ecx, ebx
		push	eax
		push	1
		push	[ebp+var_84]
		push	edi
		call	CmpCreateKeyBody
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_8155E1
		push	eax
		mov	edx, 2180h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_81643D
; 

loc_8155E1:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1177j
		mov	ecx, [esi+10h]
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	ecx, [ebx+10h]
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		mov	ecx, [ebx+10h]
		mov	edx, [edi+20h]
		push	0
		mov	eax, [ecx+34h]
		mov	[ebp+var_C8], eax
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_815638
		push	0C000017Dh
		mov	edx, 2200h
		mov	[ebp+var_7D+1],	0C000017Dh
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)

loc_815623:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1217j
		mov	ecx, [ebx+10h]
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		mov	ecx, [esi+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		jmp	loc_81643D
; 

loc_815638:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+11B9j
		push	[ebp+var_84]
		mov	edx, [ebp+var_A1+1]
		mov	ecx, [ebp+var_8A+2]
		push	1
		push	0
		push	0Ah
		push	edi
		push	[ebp+var_C0]
		push	[ebp+var_B0]
		call	_CmpCreateChild@36 ; CmpCreateChild(x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		js	short loc_815623
		mov	eax, [edi+20h]
		lea	edx, [ebp+var_FC]
		push	1
		mov	ecx, ebx
		mov	[ebx+14h], eax
		call	CmpGetKeyNodeForKcb
		mov	ecx, [esi+14h]
		mov	edx, eax
		push	0
		push	0
		mov	[eax+10h], ecx
		mov	ecx, ebx
		add	dword ptr [ebx+0A8h], 1
		adc	dword ptr [ebx+0ACh], 0
		call	_CmpRebuildKcbCacheFromNode@16 ; CmpRebuildKcbCacheFromNode(x,x,x,x)
		lea	edx, [ebp+var_FC]
		mov	ecx, ebx
		call	_CmpReleaseKeyNodeForKcb@8 ; CmpReleaseKeyNodeForKcb(x,x)
		cmp	[ebp+var_C8], 0
		jnz	short loc_8156BD
		mov	ecx, [ebx+10h]
		call	_HvResetDirtyData@4 ; HvResetDirtyData(x)

loc_8156BD:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1263j
		mov	ecx, [ebx+10h]
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		mov	ecx, [esi+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		or	word ptr [esi+4], 8
		mov	ecx, ebx
		call	CmpReferenceKeyControlBlockUnsafe
		mov	[esi+38h], ebx
		mov	ecx, [edi+24h]
		push	0
		call	_CmpUnlockHashEntry@8 ;	CmpUnlockHashEntry(x,x)
		mov	al, [ebp+var_76]
		mov	esi, [ebp+var_A1+1]
		mov	dword ptr [edi+1Ch], 1
		mov	[ebp+var_75], al

loc_8156F9:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+14D2j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1AF3j ...
		cmp	dword ptr [edi+1Ch], 1
		mov	ecx, [ebp+var_CC]
		jz	loc_8163EA
		lea	eax, [ebp+var_7D+1]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_8C]
		push	eax
		mov	eax, [edi+14h]
		push	[ebp+var_84]
		shr	eax, 2
		and	al, 1
		movzx	eax, al
		push	eax
		push	[ebp+arg_0]
		push	[ebp+var_B0]
		push	edi
		call	_CmpCheckOpenAccessOnKeyBody@36	; CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)
		test	al, al
		jnz	loc_8163F5
		cmp	[ebp+var_8C], al
		jz	short loc_815766
		test	byte ptr [edi+60h], 1
		jnz	short loc_815759
		lea	ecx, [edi+64h]
		call	CmpAttachToRegistryProcess
		or	dword ptr [edi+60h], 1

loc_815759:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+12FBj
		mov	ecx, ebx
		call	_CmpConstructName@4 ; CmpConstructName(x)
		mov	[ebp+var_DC], eax

loc_815766:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+12F5j
		push	[ebp+var_7D+1]
		mov	edx, 3CE0h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_81642D
; 

loc_81577A:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+E74j
		test	al, 20h
		jz	loc_815927
		call	CmpUnlockKcbStack
		mov	ecx, [ebp+var_8A+2]
		call	CmpUnlockKcbStack
		mov	ecx, [ebp+var_8A+2]
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		mov	ecx, esi
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		mov	edx, [ebp+var_84]
		mov	ecx, [ebp+var_8A+2]
		call	CmpIsKeyStackDeleted
		test	al, al
		jz	short loc_8157DC
		push	0C0000034h
		mov	edx, 2300h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_8157DC:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1367j
		mov	eax, [ebp+var_90]
		mov	eax, [eax]
		test	dword ptr [eax+68h], 20000h
		jz	short loc_815810
		push	0C0000034h
		mov	edx, 2400h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_815810:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+139Bj
		mov	eax, [ebp+var_94]
		lea	ecx, [ebp+var_74]
		movsx	edx, ax
		call	_CmpGetComponentNameAtIndex@8 ;	CmpGetComponentNameAtIndex(x,x)
		mov	edx, [edi+14h]
		mov	ecx, edx
		mov	[ebp+var_C8], eax
		and	edx, 2
		lea	eax, [ebp+var_7D+1]
		shr	ecx, 2
		push	eax
		push	[ebp+var_84]
		mov	eax, [ebp+arg_0]
		and	cl, 1
		movzx	ecx, cl
		push	ecx
		shl	edx, 4
		push	edx
		mov	edx, [ebp+var_8A+2]
		push	eax
		push	[ebp+var_B0]
		push	edi
		call	CmpCheckCreateAccessOnKcbStack
		test	al, al
		jnz	short loc_81587B
		push	[ebp+var_7D+1]
		mov	edx, 2500h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_81587B:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+140Fj
		lea	edx, [ebp+var_EC]
		mov	ecx, ebx
		call	_CmpCleanUpKcbCachedSymlink@8 ;	CmpCleanUpKcbCachedSymlink(x,x)
		or	word ptr [ebx+6Ah], 40h
		mov	ecx, ebx
		mov	dl, byte ptr [ebp+arg_0]
		mov	dword ptr [ebx+34h], 0FFFFFFFFh
		mov	eax, [edi+28h]
		mov	[ebx+30h], eax
		lea	eax, [ebp+var_8A]
		push	eax
		lea	eax, [ebp+var_CC]
		push	eax
		push	esi
		push	1
		push	[ebp+var_84]
		push	edi
		call	CmpCreateKeyBody
		mov	cl, [ebp+var_76]
		mov	[ebp+var_7D+1],	eax
		mov	[ebp+var_75], cl
		test	eax, eax
		js	loc_816448
		mov	edx, [ebp+var_84]
		mov	ecx, esi
		call	CmpIsKeyStackDeleted
		test	al, al
		jz	short loc_81591C
		push	[ebp+var_84]
		mov	ecx, [ebp+var_8A+2]
		mov	edx, esi
		push	0
		push	0
		push	40h
		push	edi
		push	[ebp+var_C8]
		push	[ebp+var_B0]
		call	_CmpCreateChild@36 ; CmpCreateChild(x,x,x,x,x,x,x,x,x)
		mov	cl, [ebp+var_76]
		mov	[ebp+var_7D+1],	eax
		mov	[ebp+var_75], cl
		test	eax, eax
		js	loc_816448
		mov	dword ptr [edi+1Ch], 1

loc_81591C:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+148Cj
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_8156F9
; 

loc_815927:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+132Cj
		mov	edx, [ebp+var_84]
		call	CmpIsKeyStackDeleted
		test	al, al
		jz	loc_81618C
		cmp	[ebp+var_A2], 0
		jz	short loc_815966
		push	0C000000Dh
		mov	edx, 2600h
		mov	[ebp+var_7D+1],	0C000000Dh
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_815966:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+14F1j
		mov	edx, [ebp+var_84]
		mov	ecx, [ebp+var_8A+2]
		call	CmpIsKeyStackDeleted
		test	al, al
		jnz	loc_816169
		mov	edx, [ebp+var_84]
		mov	ecx, [ebp+var_8A+2]
		call	_CmRmIsKcbStackVisible@8 ; CmRmIsKcbStackVisible(x,x)
		test	al, al
		jz	loc_816169
		mov	eax, [ebp+var_90]
		mov	eax, [eax]
		test	dword ptr [eax+68h], 20000h
		jz	short loc_8159CC
		push	0C0000034h
		mov	edx, 2800h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_8159CC:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1557j
		test	byte ptr [edi],	1
		jnz	loc_815A79
		cmp	_CmpLoadingSystemHivesActive, 0
		jz	short loc_815A56
		mov	eax, _CmpMountThread
		cmp	eax, large fs:124h
		mov	ebx, [ebp+var_AC]
		jz	short loc_815A56
		mov	eax, [ebx+10h]
		cmp	eax, ds:_CmpMasterHive
		jnz	short loc_815A56
		mov	eax, [ebx+4]
		and	eax, 7FE00000h
		cmp	eax, (offset loc_5FFFFF+1)
		jnz	short loc_815A56
		mov	eax, [ebp+var_94]
		lea	ecx, [ebp+var_74]
		movsx	edx, ax
		call	_CmpGetComponentNameAtIndex@8 ;	CmpGetComponentNameAtIndex(x,x)
		lea	ecx, [edi+54h]
		push	ecx
		push	ecx
		mov	ecx, eax
		call	CmpWaitForHiveMount
		test	al, al
		jz	short loc_815A56
		or	dword ptr [edi], 100h
		mov	edx, 2900h
		push	103h
		mov	ecx, edi
		mov	[ebp+var_7D+1],	103h
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_815A56:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+158Cj
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+15A0j ...
		push	0C0000034h
		mov	edx, 2A00h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_815A79:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+157Fj
		lea	eax, [ebx+10h]
		mov	[ebp+var_C8], eax
		mov	eax, [eax]
		cmp	eax, ds:_CmpMasterHive
		jnz	loc_815B3A
		cmp	ds:_CmpNoMasterCreates,	0
		jz	loc_815B3A
		mov	eax, _CmpMountThread
		cmp	eax, large fs:124h
		mov	ebx, [ebp+var_AC]
		jz	loc_815B3A
		cmp	_CmpLoadingSystemHivesActive, 0
		jz	short loc_815B17
		mov	eax, [ebx+4]
		and	eax, 7FE00000h
		cmp	eax, (offset loc_5FFFFF+1)
		jnz	short loc_815B17
		mov	eax, [ebp+var_94]
		lea	ecx, [ebp+var_74]
		movsx	edx, ax
		call	_CmpGetComponentNameAtIndex@8 ;	CmpGetComponentNameAtIndex(x,x)
		lea	ecx, [edi+54h]
		push	ecx
		push	ecx
		mov	ecx, eax
		call	CmpWaitForHiveMount
		test	al, al
		jz	short loc_815B17
		or	dword ptr [edi], 100h
		mov	edx, 2B00h
		push	103h
		mov	ecx, edi
		mov	[ebp+var_7D+1],	103h
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_815B17:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+166Cj
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+167Bj ...
		push	0C000000Dh
		mov	edx, 2C00h
		mov	[ebp+var_7D+1],	0C000000Dh
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_815B3A:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+163Aj
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1647j ...
		mov	eax, [ebp+var_94]
		lea	ecx, [ebp+var_74]
		movsx	edx, ax
		call	_CmpGetComponentNameAtIndex@8 ;	CmpGetComponentNameAtIndex(x,x)
		push	[ebp+var_B8]
		mov	edx, esi
		mov	[ebp+var_E0], eax
		push	edi
		push	eax
		push	1
		push	[ebp+var_8A+2]
		mov	ecx, ebx
		call	_CmpDoWritethroughReparse@28 ; CmpDoWritethroughReparse(x,x,x,x,x,x,x)
		mov	[ebp+var_7D+1],	eax
		cmp	eax, 0C0000271h
		jz	short loc_815B8C
		push	eax
		mov	edx, 2C80h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_815B8C:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1722j
		test	byte ptr [edi+60h], 1
		jnz	short loc_815B9E
		lea	ecx, [edi+64h]
		call	CmpAttachToRegistryProcess
		or	dword ptr [edi+60h], 1

loc_815B9E:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1740j
		mov	eax, [ebp+var_90]
		mov	eax, [eax]
		cmp	dword ptr [eax+14h], 0FFFFFFFFh
		jnz	loc_815CBA
		mov	ecx, [edi+14h]
		lea	eax, [ebp+var_7D+1]
		mov	edx, [ebp+var_8A+2]
		push	eax
		push	[ebp+var_84]
		mov	eax, ecx
		and	ecx, 2
		shr	eax, 2
		and	al, 1
		shl	ecx, 4
		movzx	eax, al
		push	eax
		push	ecx
		push	[ebp+arg_0]
		push	[ebp+var_B0]
		push	edi
		call	CmpCheckCreateAccessOnKcbStack
		test	al, al
		jnz	short loc_815C56
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 1
		jnz	short loc_815C36
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		mov	ecx, eax
		call	_CmpDoesProcessBelongToServiceSession@4	; CmpDoesProcessBelongToServiceSession(x)
		test	al, al
		jnz	short loc_815C36
		mov	edx, [ebp+var_84]
		mov	ecx, [ebp+var_8A+2]
		call	_CmpCheckKeyOwnerForPca@8 ; CmpCheckKeyOwnerForPca(x,x)
		test	al, al
		jz	short loc_815C36
		mov	eax, [ebp+var_90]
		mov	[ebp+var_8C], 1
		mov	ecx, [eax]
		call	_CmpConstructName@4 ; CmpConstructName(x)
		mov	[ebp+var_DC], eax

loc_815C36:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+17A5j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+17B5j ...
		push	[ebp+var_7D+1]
		mov	edx, 2D00h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	ebx, [ebp+var_AC]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_815C56:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1796j
		mov	ecx, esi
		call	CmpUnlockKcbStack
		mov	ecx, [ebp+var_8A+2]
		call	CmpUnlockKcbStack
		cmp	[ebp+var_7E], 0
		jz	short loc_815C80
		mov	eax, [ebp+var_A8]
		mov	ecx, [eax+8]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	[ebp+var_7E], 0

loc_815C80:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+181Cj
		mov	ecx, [ebp+var_8A+2]
		xor	dl, dl
		push	1
		call	_CmpPromoteKey@12 ; CmpPromoteKey(x,x,x)
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_815CD7
		cmp	eax, 0C000017Ch
		jnz	short loc_815CA5
		mov	eax, 0C0000034h
		mov	[ebp+var_7D+1],	eax

loc_815CA5:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+184Bj
		push	eax
		mov	edx, 2E00h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	cl, [ebp+var_76]
		jmp	loc_816456
; 

loc_815CBA:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+175Aj
		mov	ecx, esi
		call	CmpUnlockKcbStack
		mov	ecx, [ebp+var_8A+2]
		call	CmpUnlockKcbStack
		mov	ecx, [ebp+var_8A+2]
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)

loc_815CD7:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1844j
		mov	ecx, esi
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		mov	edx, [ebp+var_84]
		mov	ecx, esi
		call	_CmRmIsKcbStackVisible@8 ; CmRmIsKcbStackVisible(x,x)
		test	al, al
		jnz	short loc_815D10
		push	0C0000034h
		mov	edx, 2F00h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+var_75], 1
		jmp	loc_816448
; 

loc_815D10:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+189Dj
		mov	edx, [ebp+var_84]
		mov	ecx, esi
		call	CmpIsKeyStackDeleted
		test	al, al
		jz	loc_815F69
		mov	edx, [ebp+var_84]
		mov	ecx, [ebp+var_8A+2]
		call	CmpIsKeyStackDeleted
		test	al, al
		jnz	loc_815F48
		mov	edx, [ebp+var_84]
		mov	ecx, [ebp+var_8A+2]
		call	_CmRmIsKcbStackVisible@8 ; CmRmIsKcbStackVisible(x,x)
		test	al, al
		jz	loc_815F48
		mov	eax, [ebp+var_90]
		mov	ecx, [eax]
		test	dword ptr [ecx+68h], 20000h
		jz	short loc_815D89
		push	0C0000034h
		mov	edx, 3100h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+var_75], 1
		jmp	loc_816448
; 

loc_815D89:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1916j
		push	[ebp+var_B8]
		mov	eax, [edi+14h]
		mov	edx, ebx
		push	edi
		push	[ebp+var_84]
		and	eax, 2
		shl	eax, 4
		push	eax
		push	[ebp+arg_0]
		push	[ebp+var_B0]
		push	[ebp+var_E0]
		call	_CmpVEExecuteCreateLogic@36 ; CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_7D+1],	eax
		cmp	eax, 0C0000055h
		jnz	short loc_815DE7
		or	dword ptr [edi], 400h
		mov	edx, 3180h
		push	0C000022Dh
		mov	ecx, edi
		mov	[ebp+var_7D+1],	0C000022Dh
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+var_75], 1
		jmp	loc_816448
; 

loc_815DE7:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+196Ej
		cmp	eax, 0C0000271h
		jz	short loc_815E04
		push	eax
		mov	edx, 31C0h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+var_75], 1
		jmp	loc_816448
; 

loc_815E04:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+199Cj
		mov	ecx, [edi+14h]
		lea	eax, [ebp+var_7D+1]
		mov	edx, [ebp+var_8A+2]
		push	eax
		push	[ebp+var_84]
		mov	eax, ecx
		and	ecx, 2
		shr	eax, 2
		and	al, 1
		shl	ecx, 4
		movzx	eax, al
		push	eax
		push	ecx
		push	[ebp+arg_0]
		push	[ebp+var_B0]
		push	edi
		call	CmpCheckCreateAccessOnKcbStack
		test	al, al
		jnz	short loc_815EA8
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 1
		jnz	short loc_815E8A
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		mov	ecx, eax
		call	_CmpDoesProcessBelongToServiceSession@4	; CmpDoesProcessBelongToServiceSession(x)
		test	al, al
		jnz	short loc_815E8A
		mov	edx, [ebp+var_84]
		mov	ecx, [ebp+var_8A+2]
		call	_CmpCheckKeyOwnerForPca@8 ; CmpCheckKeyOwnerForPca(x,x)
		test	al, al
		jz	short loc_815E8A
		mov	eax, [ebp+var_90]
		mov	[ebp+var_8C], 1
		mov	ecx, [eax]
		call	_CmpConstructName@4 ; CmpConstructName(x)
		mov	[ebp+var_DC], eax

loc_815E8A:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+19F9j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1A09j ...
		push	[ebp+var_7D+1]
		mov	edx, 3200h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	ebx, [ebp+var_AC]
		mov	[ebp+var_75], 1
		jmp	loc_816448
; 

loc_815EA8:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+19EAj
		mov	dl, byte ptr [ebp+arg_0]
		lea	eax, [ebp+var_8A]
		push	eax
		lea	eax, [ebp+var_CC]
		mov	ecx, ebx
		push	eax
		push	esi
		push	1
		push	[ebp+var_84]
		push	edi
		call	CmpCreateKeyBody
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_815EE7
		push	eax
		mov	edx, 3280h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+var_75], 1
		jmp	loc_816448
; 

loc_815EE7:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1A7Fj
		push	[ebp+var_84]
		mov	ax, [edi+14h]
		mov	edx, esi
		mov	ecx, [ebp+var_8A+2]
		and	ax, 2
		push	0
		push	0
		shl	ax, 3
		movzx	eax, ax
		push	eax
		push	edi
		push	[ebp+var_E0]
		push	[ebp+var_B0]
		call	_CmpCreateChild@36 ; CmpCreateChild(x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_815F38
		push	eax
		mov	edx, 32C0h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+var_75], 1
		jmp	loc_816448
; 

loc_815F38:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1AD0j
		mov	dword ptr [edi+1Ch], 1

loc_815F3F:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1CFDj
		mov	[ebp+var_75], 1
		jmp	loc_8156F9
; 

loc_815F48:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+18E8j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1901j
		push	0C0000034h
		mov	edx, 3000h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+var_75], 1
		jmp	loc_816448
; 

loc_815F69:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+18CFj
		mov	ecx, esi
		call	_CmpIsKeyStackSymlink@4	; CmpIsKeyStackSymlink(x)
		test	al, al
		jz	loc_816058
		test	dword ptr [edi], 200h
		jnz	loc_816058
		test	byte ptr [edi+14h], 2
		jz	short loc_815FAB
		push	0C0000035h
		mov	edx, 3300h
		mov	[ebp+var_7D+1],	0C0000035h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+var_75], 1
		jmp	loc_816448
; 

loc_815FAB:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1B38j
		mov	ecx, [ebp+var_8A+2]
		call	CmpUnlockKcbStack
		cmp	[ebp+var_7E], 0
		jz	short loc_815FCE
		mov	eax, [ebp+var_A8]
		mov	ecx, [eax+8]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	[ebp+var_7E], 0

loc_815FCE:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1B6Aj
		cmp	byte ptr [ebp+var_7D], 0
		jz	short loc_815FDF
		mov	ecx, ebx
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)
		mov	byte ptr [ebp+var_7D], 0

loc_815FDF:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1B82j
		lea	eax, [edi+38h]
		mov	ecx, esi
		push	eax
		push	[ebp+var_B8]
		lea	eax, [ebp+var_EC]
		push	eax
		push	edi
		push	[ebp+var_84]
		lea	edx, [ebp+var_74]
		push	0
		push	0
		call	CmpGetSymbolicLinkTarget
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_81601E
		push	eax
		mov	edx, 3400h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_816465
; 

loc_81601E:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1BBAj
		and	dword ptr [edi], 0FFFFFFF7h
		cmp	dword ptr [edi+2Ch], 0
		jnz	short loc_81603B
		mov	eax, [ebp+var_C8]
		mov	eax, [eax]
		test	byte ptr [eax+980h], 1
		jz	short loc_81603B
		mov	[edi+2Ch], eax

loc_81603B:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1BD5j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1BE6j
		push	104h
		mov	edx, 3480h
		mov	[ebp+var_7D+1],	104h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_816465
; 

loc_816058:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1B22j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1B2Ej
		mov	eax, [ebp+var_BC]
		test	dword ptr [eax], 20000h
		jz	short loc_816087
		push	0C0000034h
		mov	edx, 3500h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+var_75], 1
		jmp	loc_816448
; 

loc_816087:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1C14j
		test	byte ptr [edi+14h], 2
		jz	short loc_8160AE
		push	0C0000035h
		mov	edx, 3600h
		mov	[ebp+var_7D+1],	0C0000035h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+var_75], 1
		jmp	loc_816448
; 

loc_8160AE:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1C3Bj
		push	[ebp+var_B8]
		mov	edx, esi
		mov	ecx, ebx
		push	edi
		push	0
		push	0
		push	[ebp+var_8A+2]
		call	_CmpDoWritethroughReparse@28 ; CmpDoWritethroughReparse(x,x,x,x,x,x,x)
		mov	[ebp+var_7D+1],	eax
		cmp	eax, 0C0000271h
		jz	short loc_8160E8
		push	eax
		mov	edx, 3640h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+var_75], 1
		jmp	loc_816448
; 

loc_8160E8:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1C80j
		mov	eax, [ebp+var_B0]
		mov	edx, edi
		add	eax, 1Ch
		mov	ecx, ebx
		push	eax
		push	[ebp+arg_0]
		push	[ebp+var_B8]
		push	1
		call	CmpVEExecuteOpenLogic
		mov	[ebp+var_7D+1],	eax
		cmp	eax, 0C0000271h
		jz	short loc_816126
		push	eax
		mov	edx, 3680h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+var_75], 1
		jmp	loc_816448
; 

loc_816126:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1CBEj
		mov	dl, byte ptr [ebp+arg_0]
		lea	eax, [ebp+var_8A]
		push	eax
		lea	eax, [ebp+var_CC]
		mov	ecx, ebx
		push	eax
		push	esi
		push	1
		push	[ebp+var_84]
		push	edi
		call	CmpCreateKeyBody
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	loc_815F3F
		push	eax
		mov	edx, 36C0h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	[ebp+var_75], 1
		jmp	loc_816448
; 

loc_816169:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1529j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1542j
		push	0C0000034h
		mov	edx, 2700h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_81618C:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+14E4j
		mov	ecx, esi
		call	_CmpIsKeyStackSymlink@4	; CmpIsKeyStackSymlink(x)
		test	al, al
		jz	loc_81628E
		test	dword ptr [edi], 200h
		jnz	loc_81628E
		test	byte ptr [edi+14h], 2
		jz	short loc_8161D0
		push	0C0000035h
		mov	edx, 3700h
		mov	[ebp+var_7D+1],	0C0000035h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_8161D0:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1D5Bj
		mov	eax, [ebp+var_8A+2]
		test	eax, eax
		jz	short loc_8161E9
		mov	ecx, eax
		call	CmpUnlockKcbStack
		mov	eax, [ebp+var_8A+2]
		test	eax, eax

loc_8161E9:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1D88j
		setnz	al
		dec	al
		and	[ebp+var_75], al
		cmp	[ebp+var_7E], 0
		jz	short loc_816209
		mov	eax, [ebp+var_A8]
		mov	ecx, [eax+8]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	[ebp+var_7E], 0

loc_816209:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1DA5j
		cmp	byte ptr [ebp+var_7D], 0
		jz	short loc_81621A
		mov	ecx, ebx
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)
		mov	byte ptr [ebp+var_7D], 0

loc_81621A:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1DBDj
		lea	eax, [edi+38h]
		mov	ecx, esi
		push	eax
		push	[ebp+var_B8]
		lea	eax, [ebp+var_EC]
		push	eax
		push	edi
		push	[ebp+var_84]
		lea	edx, [ebp+var_74]
		push	0
		push	0
		call	CmpGetSymbolicLinkTarget
		mov	[ebp+var_7D+1],	eax
		test	eax, eax
		jns	short loc_816259
		push	eax
		mov	edx, 3800h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_816453
; 

loc_816259:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1DF5j
		and	dword ptr [edi], 0FFFFFFF7h
		cmp	dword ptr [edi+2Ch], 0
		jnz	short loc_816271
		mov	eax, [ebx+10h]
		test	byte ptr [eax+980h], 1
		jz	short loc_816271
		mov	[edi+2Ch], eax

loc_816271:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1E10j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1E1Cj
		push	104h
		mov	edx, 3900h
		mov	[ebp+var_7D+1],	104h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_816453
; 

loc_81628E:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1D45j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1D51j
		cmp	[ebp+var_A2], 0
		jz	short loc_8162BA
		push	0C000000Dh
		mov	edx, 3A00h
		mov	[ebp+var_7D+1],	0C000000Dh
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_8162BA:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1E45j
		mov	eax, [ebp+var_BC]
		test	dword ptr [eax], 20000h
		jz	short loc_8162EB
		push	0C0000034h
		mov	edx, 3B00h
		mov	[ebp+var_7D+1],	0C0000034h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_8162EB:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1E76j
		test	byte ptr [edi+14h], 2
		jz	short loc_816314
		push	0C0000035h
		mov	edx, 3C00h
		mov	[ebp+var_7D+1],	0C0000035h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_816314:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1E9Fj
		push	[ebp+var_B8]
		mov	edx, esi
		mov	ecx, ebx
		push	edi
		push	0
		push	0
		push	[ebp+var_8A+2]
		call	_CmpDoWritethroughReparse@28 ; CmpDoWritethroughReparse(x,x,x,x,x,x,x)
		mov	[ebp+var_7D+1],	eax
		cmp	eax, 0C0000271h
		jz	short loc_816350
		push	eax
		mov	edx, 3C40h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_816350:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1EE6j
		mov	eax, [ebp+var_B0]
		mov	edx, edi
		add	eax, 1Ch
		mov	ecx, ebx
		push	eax
		push	[ebp+arg_0]
		push	[ebp+var_B8]
		push	0
		call	CmpVEExecuteOpenLogic
		mov	[ebp+var_7D+1],	eax
		cmp	eax, 0C0000271h
		jz	short loc_816390
		push	eax
		mov	edx, 3C80h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	loc_816448
; 

loc_816390:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1F26j
		mov	dl, byte ptr [ebp+arg_0]
		lea	eax, [ebp+var_8A]
		push	eax
		lea	eax, [ebp+var_CC]
		mov	ecx, ebx
		push	eax
		push	esi
		push	0
		push	[ebp+var_84]
		push	edi
		call	CmpCreateKeyBody
		mov	ecx, eax
		mov	al, [ebp+var_76]
		mov	[ebp+var_7D+1],	ecx
		mov	[ebp+var_75], al
		test	ecx, ecx
		jns	loc_8156F9
		cmp	ecx, 0C000017Ch
		jnz	short loc_8163D5
		mov	ecx, 0C0000034h
		mov	[ebp+var_7D+1],	ecx

loc_8163D5:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1F7Bj
		push	ecx
		mov	edx, 3CC0h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	al, [ebp+var_76]
		mov	[ebp+var_75], al
		jmp	short loc_816448
; 

loc_8163EA:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+12B3j
		mov	eax, [ecx+8]
		mov	ax, [eax+22h]
		mov	[ecx+4], ax

loc_8163F5:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+12E9j
		mov	ecx, [ebp+var_134]
		mov	eax, [ebp+var_CC]
		mov	[ebp+var_CC], 0
		mov	[ecx], eax
		cmp	dword ptr [edi+1Ch], 0
		jnz	short loc_81641A
		mov	dword ptr [edi+1Ch], 2

loc_81641A:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1FC1j
		movzx	eax, byte ptr [ebp+var_8A]
		neg	eax
		sbb	eax, eax
		and	eax, 40000016h
		mov	[ebp+var_7D+1],	eax

loc_81642D:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1325j
		cmp	[ebp+var_C1], 0
		mov	[ebp+var_A3], 0
		jz	short loc_816448

loc_81643D:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+118Cj
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+11E3j
		lea	ecx, [ebp+var_110]
		call	CmpUnlockKcbStack

loc_816448:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+D1Dj
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+D3Aj ...
		mov	ecx, [ebp+var_A1+1]
		call	CmpUnlockKcbStack

loc_816453:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1E04j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1E39j
		mov	cl, [ebp+var_75]

loc_816456:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1865j
		test	cl, cl
		jz	short loc_816465
		mov	ecx, [ebp+var_8A+2]
		call	CmpUnlockKcbStack

loc_816465:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1BC9j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1C03j ...
		cmp	[ebp+var_7E], 0
		jz	short loc_816479
		mov	eax, [ebp+var_A8]
		mov	ecx, [eax+8]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)

loc_816479:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+2019j
		cmp	[ebp+var_A3], 0
		jz	short loc_8164A1
		mov	ecx, [edi+24h]
		push	0
		call	_CmpUnlockHashEntry@8 ;	CmpUnlockHashEntry(x,x)
		jmp	short loc_8164A1
; 

loc_81648E:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+73Ej
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+749j
		push	eax
		mov	edx, 980h
		mov	ecx, edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	ebx, [ebp+var_AC]

loc_8164A1:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+82Dj
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+859j ...
		cmp	byte ptr [ebp+var_7D], 0
		jz	short loc_8164AE
		mov	ecx, ebx
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)

loc_8164AE:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+5C9j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+5F3j ...
		cmp	[ebp+var_8B], 0
		jz	short loc_8164C2
		mov	ecx, [ebp+var_99+1]
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)

loc_8164C2:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+217j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+444j ...
		lea	ecx, [ebp+var_130]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		lea	ecx, [ebp+var_120]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		lea	ecx, [ebp+var_110]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		mov	esi, [ebp+var_E4]
		test	esi, esi
		jz	short loc_8164F8
		mov	ecx, ebx
		call	CmpDereferenceKeyControlBlockUnsafe
		mov	ecx, esi
		jmp	short loc_8164FE
; 

loc_8164F8:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+209Bj
		test	ebx, ebx
		jz	short loc_816503
		mov	ecx, ebx

loc_8164FE:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+20A6j
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)

loc_816503:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+20AAj
		mov	eax, [ebp+var_99+1]
		test	eax, eax
		jz	short loc_816514
		mov	ecx, eax
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)

loc_816514:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+20BBj
		mov	eax, [edi+40h]
		test	eax, eax
		jz	short loc_816538
		test	al, 2
		jz	short loc_816538
		mov	edx, [edi+48h]
		lea	eax, [ebp+var_EC]
		push	ecx
		push	eax
		mov	ecx, offset _CmpSyncKcbCacheForHive@16 ; CmpSyncKcbCacheForHive(x,x,x,x)
		call	_CmpSearchKeyControlBlockTree@16 ; CmpSearchKeyControlBlockTree(x,x,x,x)
		and	dword ptr [edi+40h], 0FFFFFFFDh

loc_816538:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+20C9j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+20CDj
		xor	dl, dl
		lea	ecx, [ebp+var_EC]
		call	CmpDrainDelayDerefContext
		cmp	byte ptr [ebp+var_8A+1], 0
		jz	short loc_816553
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_816553:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+20FCj
		cmp	[ebp+var_8C], 0
		mov	ebx, [ebp+var_DC]
		jz	short loc_816578
		test	ebx, ebx
		jz	short loc_816588
		call	CmpCheckExeOwnerForPca
		test	al, al
		jz	short loc_816578
		mov	edx, ebx
		mov	ecx, edi
		call	CmpPublishEventForPcaResolver

loc_816578:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+2110j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+211Dj
		test	ebx, ebx
		jz	short loc_816588
		mov	edx, 624E4D43h
		mov	ecx, ebx
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_816588:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+2114j
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+212Aj
		test	byte ptr [edi+60h], 1
		jz	short loc_816596
		lea	ecx, [edi+64h]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)

loc_816596:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+213Cj
		mov	ecx, [ebp+var_CC]
		test	ecx, ecx
		jz	short loc_8165A5
		call	ObfDereferenceObject

loc_8165A5:				; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+214Ej
		lea	ecx, [ebp+var_74]
		call	_CmpCleanupPathInfo@4 ;	CmpCleanupPathInfo(x)
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_7D+1]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_CmpDoParseKey@36 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpCleanupKcbStack(x)
_CmpCleanupKcbStack@4 proc near		; CODE XREF: CmQueryLayeredKey+165p
					; CmDeleteLayeredKey(x,x,x)+1DEp ...
		mov	ecx, [ecx+0Ch]
		test	ecx, ecx
		jnz	_CmpFreePool@4	; CmpFreePool(x)
		retn
_CmpCleanupKcbStack@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpStartKcbStack proc near		; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+195p
					; CmpStartKcbStackForTopLayerKcb(x,x)+Dp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0091E6E7 SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	di, dx
		xor	ebx, ebx
		mov	esi, ecx
		cmp	di, 2
		jge	loc_91E6E7

loc_8165FA:				; CODE XREF: CmpStartKcbStack+10810Dj
					; CmpStartKcbStack+108148j
		or	eax, 0FFFFFFFFh
		mov	[esi+0Ch], ebx
		mov	[esi+2], ax
		xor	eax, eax
		mov	[esi], di

loc_816609:				; CODE XREF: CmpStartKcbStack+108135j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
CmpStartKcbStack endp


;  S U B	R O U T	I N E 


ExMapHandleToPointer proc near		; CODE XREF: .text:00511771p
					; PspProcessDelete+180p ...

; FUNCTION CHUNK AT 0091E72D SIZE 0000000F BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		test	edx, 7FCh
		jz	short loc_816652
		push	edx
		call	ExpLookupHandleTableEntry
		mov	esi, eax
		test	esi, esi
		jz	short loc_816652
		jmp	short loc_816630
; 
		align 10h

loc_816630:				; CODE XREF: ExMapHandleToPointer+1Bj
					; ExMapHandleToPointer+32j ...
		mov	edx, [esi]
		test	dl, 1
		jz	short loc_81664A
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_816630
		mov	eax, esi

loc_816646:				; CODE XREF: ExMapHandleToPointer+44j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_81664A:				; CODE XREF: ExMapHandleToPointer+25j
		test	edx, edx
		jnz	loc_91E72D

loc_816652:				; CODE XREF: ExMapHandleToPointer+Dj
					; ExMapHandleToPointer+19j
		xor	eax, eax
		jmp	short loc_816646
ExMapHandleToPointer endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpPopulateKcbStack(x, x)
_CmpPopulateKcbStack@8 proc near	; CODE XREF: CmpStartKcbStackForTopLayerKcb(x,x)+1Cp
					; CmpIsKeyDeleted(x,x)+39p ...
		mov	ax, [edx+22h]
		push	esi
		mov	esi, ecx
		mov	[esi+2], ax
		movzx	eax, word ptr [edx+22h]
		test	ax, ax
		jnz	short loc_816679
		mov	[esi+4], edx
		pop	esi
		retn
; 

loc_816679:				; CODE XREF: CmpPopulateKcbStack(x,x)+12j
		push	ebx
		push	edi
		mov	edi, [edx+6Ch]
		mov	ebx, eax
		test	edi, edi
		jz	short loc_816699

loc_816684:				; CODE XREF: CmpPopulateKcbStack(x,x)+37j
		mov	eax, [edi+8]
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	_CmpSetKcbAtLayerHeight@12 ; CmpSetKcbAtLayerHeight(x,x,x)
		mov	edi, [edi+0Ch]
		dec	ebx
		test	edi, edi
		jnz	short loc_816684

loc_816699:				; CODE XREF: CmpPopulateKcbStack(x,x)+22j
		pop	edi
		pop	ebx
		pop	esi
		retn
_CmpPopulateKcbStack@8 endp

; 
		align 10h

; __stdcall ObpCreateHandle(x, x, x, x,	x, x, x, x, x, x, x)
_ObpCreateHandle@44:			; CODE XREF: ObOpenObjectByNameEx+2BBp
					; ObOpenObjectByPointer+15Cp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-8], eax
		mov	eax, [ebp+1Ch]
		mov	[ebp-44h], eax
		mov	eax, [ebp+24h]
		mov	[ebp-0ACh], eax
		mov	eax, [ebp+28h]
		mov	[ebp-90h], eax
		mov	eax, [ebp+20h]
		mov	dword ptr [ebp-9Ch], 0
		push	ebx
		mov	[ebp-9Ch], eax
		mov	eax, large fs:124h
		push	esi
		mov	esi, edx
		mov	[ebp-84h], ecx
		mov	edx, [ebp+14h]
		mov	dword ptr [ebp-34h], 0
		mov	dword ptr [ebp-78h], 0
		mov	dword ptr [ebp-74h], 0
		mov	ecx, [eax+80h]
		mov	[ebp-28h], esi
		mov	dword ptr [ebp-54h], 0
		mov	dword ptr [ebp-0A0h], 0
		mov	byte ptr [ebp-2Dh], 0
		mov	dword ptr [ebp-6Ch], 0
		mov	byte ptr [ebp-39h], 0
		mov	[ebp-58h], ecx
		push	edi
		mov	edi, [ebp+0Ch]
		mov	[ebp-24h], edi
		test	edx, 200h
		jz	short loc_816753
		mov	ecx, ds:_PsInitialSystemProcess
		mov	eax, _ObpKernelHandleTable
		mov	[ebp-58h], ecx
		jmp	short loc_816793
; 

loc_816753:				; CODE XREF: PAGE:00816741j
		mov	eax, large fs:124h
		cmp	byte ptr [eax+16Ah], 1
		jnz	short loc_816781
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		mov	[ebp-40h], eax
		test	eax, eax
		jnz	short loc_816778
		mov	esi, 0C000010Ah
		jmp	loc_81794A
; 

loc_816778:				; CODE XREF: PAGE:0081676Cj
		mov	edx, [ebp+14h]
		mov	byte ptr [ebp-39h], 1
		jmp	short loc_816796
; 

loc_816781:				; CODE XREF: PAGE:00816760j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+18Ch]

loc_816793:				; CODE XREF: PAGE:00816751j
		mov	[ebp-40h], eax

loc_816796:				; CODE XREF: PAGE:0081677Fj
		cmp	eax, _ObpKernelHandleTable
		setz	al
		mov	[ebp-1Dh], al
		test	edi, edi
		jz	loc_816E38
		test	al, al
		jz	short loc_8167B8
		cmp	dword ptr [edi+18h], 0
		jz	loc_816E38

loc_8167B8:				; CODE XREF: PAGE:008167ACj
		add	esi, 0FFFFFFE8h
		mov	dword ptr [ebp-60h], 0
		mov	eax, esi
		mov	[ebp-38h], esi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	ebx, ds:_ObTypeIndexTable[ecx*4]
		mov	[ebp-50h], ebx
		test	edx, 400h
		jz	short loc_8167F4
		mov	byte ptr [ebp-2Ch], 1
		jmp	short loc_8167FA
; 

loc_8167F4:				; CODE XREF: PAGE:008167ECj
		mov	eax, [ebp+18h]
		mov	[ebp-2Ch], al

loc_8167FA:				; CODE XREF: PAGE:008167F2j
		mov	eax, [ebp-84h]
		cmp	eax, 1
		jz	loc_8169F3
		cmp	eax, 2
		jz	loc_8169F3
		xor	eax, eax
		lea	esi, [edi+10h]
		mov	[ebp-1Ch], eax
		mov	[ebp-18h], eax
		mov	[ebp-14h], eax
		mov	[ebp-10h], eax
		mov	[ebp-0Ch], eax
		mov	eax, [esi]
		test	eax, 2000000h
		jz	short loc_81683B
		and	eax, 0FDFFFFFFh
		or	eax, 10000000h
		mov	[esi], eax

loc_81683B:				; CODE XREF: PAGE:0081682Dj
		test	eax, 0F0000000h
		jz	short loc_81684E
		lea	eax, [ebx+34h]
		push	eax
		push	esi
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	eax, [esi]

loc_81684E:				; CODE XREF: PAGE:00816840j
		test	eax, 1000000h
		jz	short loc_8168BE
		mov	eax, ds:_SeSecurityPrivilege
		add	edi, 1Ch
		push	dword ptr [ebp-2Ch]
		mov	[ebp-14h], eax
		mov	eax, ds:dword_A94A3C
		mov	[ebp-10h], eax
		lea	eax, [ebp-1Ch]
		push	edi
		push	eax
		mov	dword ptr [ebp-1Ch], 1
		mov	dword ptr [ebp-18h], 1
		mov	dword ptr [ebp-0Ch], 0
		call	_SePrivilegeCheck@12 ; SePrivilegeCheck(x,x,x)
		test	al, al
		lea	eax, [ebp-1Ch]
		jnz	short loc_8168A7
		push	0
		push	eax
		mov	edx, edi
		xor	ecx, ecx
		call	_SePrivilegedServiceAuditAlarm@16 ; SePrivilegedServiceAuditAlarm(x,x,x,x)
		mov	esi, 0C0000061h
		jmp	loc_817936
; 

loc_8168A7:				; CODE XREF: PAGE:0081688Fj
		mov	edi, [ebp-24h]
		and	dword ptr [esi], 0FEFFFFFFh
		push	eax
		push	edi
		or	dword ptr [edi+14h], 1000000h
		call	SeAppendPrivileges

loc_8168BE:				; CODE XREF: PAGE:00816853j
		mov	eax, [esi]
		or	[edi+14h], eax
		mov	ecx, [ebp-38h]
		mov	dword ptr [esi], 0
		mov	eax, [ebx+44h]
		or	eax, 1000000h
		and	[edi+14h], eax
		lea	edi, [ecx+14h]
		mov	edx, [edi]
		test	dl, 7
		jz	short loc_8168F7

loc_8168E1:				; CODE XREF: PAGE:008168F2j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_8168F4
		mov	edx, eax
		test	al, 7
		jnz	short loc_8168E1

loc_8168F4:				; CODE XREF: PAGE:008168ECj
		mov	ecx, [ebp-38h]

loc_8168F7:				; CODE XREF: PAGE:008168DFj
		mov	esi, edx
		and	edx, 7
		and	esi, 0FFFFFFF8h
		cmp	edx, 1
		ja	loc_8169C1
		test	esi, esi
		jz	loc_8169C1
		cmp	edx, 1
		jnz	short loc_81692E
		mov	ecx, 7
		lea	eax, [esi-0Ch]
		lock xadd [eax], ecx
		test	ecx, ecx
		jg	short loc_816987
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_816987
; 

loc_81692E:				; CODE XREF: PAGE:00816913j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ebx, [ecx+8]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	esi, [edi]
		mov	ecx, 8
		and	esi, 0FFFFFFF8h
		lea	eax, [esi-0Ch]
		lock xadd [eax], ecx
		test	ecx, ecx
		jg	short loc_816964
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_816964:				; CODE XREF: PAGE:0081695Bj
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_81697B
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_81697B:				; CODE XREF: PAGE:00816972j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_816987:				; CODE XREF: PAGE:00816923j
					; PAGE:0081692Cj
		mov	ecx, [edi]
		mov	eax, ecx
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		ja	short loc_8169B9

loc_816996:				; CODE XREF: PAGE:008169B7j
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	esi, eax
		jnz	short loc_8169B9
		lea	edx, [ecx+7]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_8169C1
		mov	ecx, eax
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		jbe	short loc_816996

loc_8169B9:				; CODE XREF: PAGE:00816994j
					; PAGE:0081699Dj
		push	7
		push	esi
		call	ObDereferenceSecurityDescriptor

loc_8169C1:				; CODE XREF: PAGE:00816902j
					; PAGE:0081690Aj ...
		mov	edi, [ebp-24h]
		mov	edx, edi
		push	esi
		mov	eax, [edi+14h]
		lea	ecx, [edi+1Ch]
		push	eax
		call	_SeComputeCreatorDeniedRights@16 ; SeComputeCreatorDeniedRights(x,x,x,x)
		not	eax
		and	[edi+14h], eax
		test	esi, esi
		jz	loc_816E30
		push	1
		push	esi
		call	ObDereferenceSecurityDescriptor
		mov	eax, [edi+14h]
		mov	esi, [ebp-28h]
		jmp	loc_816E85
; 

loc_8169F3:				; CODE XREF: PAGE:00816803j
					; PAGE:0081680Cj
		mov	dword ptr [ebp-94h], 0
		mov	dword ptr [ebp-88h], 0
		mov	dword ptr [ebp-5Ch], 0
		mov	dword ptr [ebp-7Ch], 0
		cmp	dword ptr [ebx+6Ch], offset SeDefaultObjectMethod
		jnz	loc_816B5A
		mov	edx, [esi+14h]
		add	esi, 14h
		test	dl, 7
		jz	short loc_816A43
		lea	ecx, [ecx+0]

loc_816A30:				; CODE XREF: PAGE:00816A41j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jz	short loc_816A43
		mov	edx, eax
		test	al, 7
		jnz	short loc_816A30

loc_816A43:				; CODE XREF: PAGE:00816A2Bj
					; PAGE:00816A3Bj
		mov	edi, edx
		and	edx, 7
		and	edi, 0FFFFFFF8h
		cmp	edx, 1
		ja	loc_816B13
		test	edi, edi
		jz	loc_816B13
		cmp	edx, 1
		jnz	short loc_816A7A
		mov	ecx, 7
		lea	eax, [edi-0Ch]
		lock xadd [eax], ecx
		test	ecx, ecx
		jg	short loc_816AD9
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_816AD9
; 

loc_816A7A:				; CODE XREF: PAGE:00816A5Fj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, [ebp-38h]
		xor	edx, edx
		add	ebx, 8
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	edi, [esi]
		mov	ecx, 8
		and	edi, 0FFFFFFF8h
		lea	eax, [edi-0Ch]
		lock xadd [eax], ecx
		test	ecx, ecx
		jg	short loc_816AB3
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_816AB3:				; CODE XREF: PAGE:00816AAAj
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_816ACA
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_816ACA:				; CODE XREF: PAGE:00816AC1j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ebx, [ebp-50h]

loc_816AD9:				; CODE XREF: PAGE:00816A6Fj
					; PAGE:00816A78j
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		ja	short loc_816B0B

loc_816AE8:				; CODE XREF: PAGE:00816B09j
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	edi, eax
		jnz	short loc_816B0B
		lea	edx, [ecx+7]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jz	short loc_816B13
		mov	ecx, eax
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		jbe	short loc_816AE8

loc_816B0B:				; CODE XREF: PAGE:00816AE6j
					; PAGE:00816AEFj
		push	7
		push	edi
		call	ObDereferenceSecurityDescriptor

loc_816B13:				; CODE XREF: PAGE:00816A4Ej
					; PAGE:00816A56j ...
		mov	byte ptr [ebp-1Eh], 0
		test	edi, edi
		jnz	short loc_816B32
		test	byte ptr [ebx+2Ah], 8
		mov	eax, [ebp-38h]
		jnz	loc_81795F
		test	byte ptr [eax+0Eh], 2
		jnz	loc_81795F

loc_816B32:				; CODE XREF: PAGE:00816B19j
		xor	esi, esi

loc_816B34:				; CODE XREF: PAGE:00816C12j
					; PAGE:00816C26j
		test	edi, edi
		jnz	loc_816C34
		mov	edi, [ebp-24h]
		mov	[ebp-60h], esi
		mov	esi, [ebp-28h]
		mov	eax, [edi+10h]
		or	[edi+14h], eax
		mov	eax, [edi+14h]
		mov	dword ptr [edi+10h], 0
		jmp	loc_816E85
; 

loc_816B5A:				; CODE XREF: PAGE:00816A1Cj
		mov	eax, _ObpDefaultSecurityDescriptorLength
		push	7153624Fh
		push	eax
		push	1
		mov	dword ptr [ebp-7Ch], 1BFh
		mov	[ebp-5Ch], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_816B89
		mov	esi, 0C000009Ah
		mov	[ebp-60h], esi
		jmp	loc_816DD8
; 

loc_816B89:				; CODE XREF: PAGE:00816B7Aj
		push	dword ptr [ebp-2Ch]
		mov	ecx, [ebx+6Ch]
		lea	eax, [ebx+34h]
		push	eax
		mov	eax, [ebx+4Ch]
		lea	edx, [esi+14h]
		push	eax
		push	edx
		lea	eax, [ebp-5Ch]
		push	eax
		push	edi
		lea	eax, [ebp-7Ch]
		push	eax
		push	1
		push	dword ptr [ebp-28h]
		call	ecx
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_816C0C
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp-5Ch]
		push	7153624Fh
		push	eax
		push	1
		mov	_ObpDefaultSecurityDescriptorLength, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_816BE5
		mov	esi, 0C000009Ah
		mov	[ebp-60h], esi
		jmp	loc_816DD8
; 

loc_816BE5:				; CODE XREF: PAGE:00816BD6j
		push	dword ptr [ebp-2Ch]
		mov	ecx, [ebx+6Ch]
		lea	eax, [ebx+34h]
		push	eax
		mov	eax, [ebx+4Ch]
		push	eax
		mov	eax, [ebp-38h]
		add	eax, 14h
		push	eax
		lea	eax, [ebp-5Ch]
		push	eax
		push	edi
		lea	eax, [ebp-7Ch]
		push	eax
		push	1
		push	dword ptr [ebp-28h]
		call	ecx
		mov	esi, eax

loc_816C0C:				; CODE XREF: PAGE:00816BB3j
		mov	byte ptr [ebp-1Eh], 1
		test	esi, esi
		jns	loc_816B34
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	byte ptr [ebp-1Eh], 0
		test	esi, esi
		jns	loc_816B34
		mov	[ebp-60h], esi
		jmp	loc_816DD8
; 

loc_816C34:				; CODE XREF: PAGE:00816B36j
		mov	eax, large fs:124h
		mov	esi, [ebp-24h]
		add	esi, 1Ch
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [esi+8]
		push	1
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		cmp	dword ptr [esi], 0
		jz	short loc_816C76
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [esi]
		push	1
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite

loc_816C76:				; CODE XREF: PAGE:00816C59j
		mov	ecx, [ebp-24h]
		lea	eax, [ebp-60h]
		push	eax
		lea	eax, [ebp-94h]
		push	eax
		push	dword ptr [ebp-2Ch]
		lea	eax, [ebx+34h]
		push	eax
		lea	eax, [ebp-88h]
		push	eax
		mov	eax, [ecx+14h]
		push	eax
		mov	eax, [ecx+10h]
		push	eax
		push	1
		push	esi
		push	edi
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp-88h]
		mov	[ebp-48h], al
		test	ecx, ecx
		jz	short loc_816CC8
		mov	eax, [ebp-24h]
		push	ecx
		push	eax
		call	SeAppendPrivileges
		push	dword ptr [ebp-88h]
		call	_SeFreePrivileges@4 ; SeFreePrivileges(x)
		mov	al, [ebp-48h]

loc_816CC8:				; CODE XREF: PAGE:00816CAEj
		mov	ecx, [ebp-24h]
		test	al, al
		jz	short loc_816CE2
		mov	eax, [ebp-94h]
		or	[ecx+14h], eax
		or	eax, 2000000h
		not	eax
		and	[ecx+10h], eax

loc_816CE2:				; CODE XREF: PAGE:00816CCDj
		cmp	byte ptr [ebp-2Ch], 0
		jz	short loc_816D06
		lea	eax, [ecx+0Ah]
		push	eax
		push	0
		push	dword ptr [ebp-2Ch]
		lea	eax, [ebx+8]
		push	dword ptr [ebp-48h]
		push	0
		push	ecx
		push	edi
		push	0
		push	dword ptr [ebp-28h]
		push	eax
		call	SeOpenObjectAuditAlarmWithTransaction

loc_816D06:				; CODE XREF: PAGE:00816CE6j
		mov	ecx, [esi+8]
		mov	ecx, [ecx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_816D29
		mov	ecx, [ecx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_816D29:				; CODE XREF: PAGE:00816D1Aj
		cmp	byte ptr [ebp-1Eh], 0
		jz	short loc_816D3C
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_816DCF
; 

loc_816D3C:				; CODE XREF: PAGE:00816D2Dj
		add	edi, 0FFFFFFF0h
		mov	edx, [edi+4]
		lea	ebx, [edi+4]
		lea	ecx, [edx-1]
		test	ecx, ecx
		jle	short loc_816D63
		lea	esp, [esp+0]

loc_816D50:				; CODE XREF: PAGE:00816D61j
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		mov	ecx, eax
		cmp	ecx, edx
		jz	short loc_816DCF
		mov	edx, ecx
		dec	ecx
		test	ecx, ecx
		jg	short loc_816D50

loc_816D63:				; CODE XREF: PAGE:00816D4Aj
		jz	short loc_816D6C
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_816D6C:				; CODE XREF: PAGE:loc_816D63j
		movzx	eax, byte ptr [edi+8]
		lea	ebx, _ObsSecurityDescriptorCache[eax*8]
		mov	eax, large fs:124h
		lea	esi, [ebx+4]
		mov	[ebp-4Ch], eax
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		or	ecx, 0FFFFFFFFh
		lea	eax, [edi+4]
		lock xadd [eax], ecx
		dec	ecx
		test	ecx, ecx
		jg	short loc_816DAC
		jz	short loc_816DEB
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_816DAC:				; CODE XREF: PAGE:00816DA1j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_816DC0
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_816DC0:				; CODE XREF: PAGE:00816DB7j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp-4Ch]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)

loc_816DCF:				; CODE XREF: PAGE:00816D37j
					; PAGE:00816D5Aj ...
		cmp	byte ptr [ebp-48h], 0
		jnz	short loc_816E2D
		mov	esi, [ebp-60h]

loc_816DD8:				; CODE XREF: PAGE:00816B84j
					; PAGE:00816BE0j ...
		test	esi, esi
		js	loc_817936
		mov	edi, [ebp-24h]
		mov	esi, [ebp-28h]
		jmp	loc_816E88
; 

loc_816DEB:				; CODE XREF: PAGE:00816DA3j
		mov	eax, [esi]
		cmp	eax, edi
		jz	short loc_816DF9

loc_816DF1:				; CODE XREF: PAGE:00816DF7j
		mov	esi, eax
		mov	eax, [esi]
		cmp	eax, edi
		jnz	short loc_816DF1

loc_816DF9:				; CODE XREF: PAGE:00816DEFj
		mov	eax, [edi]
		mov	[esi], eax
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_816E11
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_816E11:				; CODE XREF: PAGE:00816E08j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp-4Ch]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		push	6353624Fh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_816DCF
; 

loc_816E2D:				; CODE XREF: PAGE:00816DD3j
		mov	edi, [ebp-24h]

loc_816E30:				; CODE XREF: PAGE:008169DAj
		mov	eax, [edi+14h]
		mov	esi, [ebp-28h]
		jmp	short loc_816E85
; 

loc_816E38:				; CODE XREF: PAGE:008167A4j
					; PAGE:008167B2j
		mov	eax, [ebp+8]
		test	eax, 2000000h
		jz	short loc_816E4F
		and	eax, 0FDFFFFFFh
		or	eax, 10000000h
		mov	[ebp+8], eax

loc_816E4F:				; CODE XREF: PAGE:00816E40j
		test	eax, 0F0000000h
		jz	short loc_816E85
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		add	eax, 34h
		push	eax
		lea	eax, [ebp+8]
		push	eax
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	eax, [ebp+8]

loc_816E85:				; CODE XREF: PAGE:008169EEj
					; PAGE:00816B55j ...
		mov	[ebp-34h], eax

loc_816E88:				; CODE XREF: PAGE:00816DE6j
		mov	ecx, [ebp-44h]
		xor	eax, eax
		mov	[ebp-64h], eax
		test	ecx, ecx
		jz	short loc_816E9A
		mov	eax, [ecx+18h]
		mov	[ebp-64h], eax

loc_816E9A:				; CODE XREF: PAGE:00816E92j
		mov	ebx, [ebp+18h]
		lea	edx, [ebp-34h]
		mov	ecx, [ebp-84h]
		push	eax
		push	dword ptr [ebp+14h]
		push	ebx
		push	esi
		push	dword ptr [ebp-58h]
		call	ObpIncrementHandleCountEx
		mov	esi, eax
		test	esi, esi
		js	loc_817936
		test	edi, edi
		jz	short loc_816F11
		mov	eax, [ebp-44h]
		test	eax, eax
		jz	short loc_816F02
		lea	ecx, [ebp-54h]
		push	ecx
		mov	ecx, [ebp-58h]
		push	eax
		push	ebx
		mov	ebx, [ebp-28h]
		lea	eax, [ebp-34h]
		push	edi
		push	eax
		mov	edx, ebx
		call	ObpInsertOrLocateNamedObject
		mov	esi, eax
		test	esi, esi
		js	loc_817936
		mov	esi, [ebp-54h]
		cmp	esi, ebx
		jnz	short loc_816EF9
		xor	esi, esi
		mov	[ebp-54h], esi
		jmp	short loc_816F05
; 

loc_816EF9:				; CODE XREF: PAGE:00816EF0j
		mov	[ebp-28h], esi
		mov	byte ptr [ebp-2Dh], 1
		jmp	short loc_816F05
; 

loc_816F02:				; CODE XREF: PAGE:00816EC7j
		mov	esi, [ebp-54h]

loc_816F05:				; CODE XREF: PAGE:00816EF7j
					; PAGE:00816F00j
		cmp	byte ptr [edi+0Ah], 0
		jz	short loc_816F14
		or	dword ptr [ebp+14h], 4
		jmp	short loc_816F14
; 

loc_816F11:				; CODE XREF: PAGE:00816EC0j
		mov	esi, [ebp-54h]

loc_816F14:				; CODE XREF: PAGE:00816F09j
					; PAGE:00816F0Fj
		mov	ebx, [ebp-28h]
		movzx	ecx, byte ptr [ebx-0Ch]
		lea	eax, [ebx-18h]
		shr	eax, 8
		mov	[ebp-50h], eax
		movzx	eax, al
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	ecx, [ebp-34h]
		mov	[ebp-48h], eax
		mov	eax, [eax+44h]
		or	eax, 1000000h
		and	ecx, eax
		mov	[ebp-2Ch], ecx
		mov	[ebp-34h], ecx
		test	edi, edi
		jz	loc_817118
		mov	edx, [ebx-4]
		lea	edi, [ebx-4]
		test	dl, 7
		jz	short loc_816F75

loc_816F62:				; CODE XREF: PAGE:00816F73j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_816F75
		mov	edx, eax
		test	al, 7
		jnz	short loc_816F62

loc_816F75:				; CODE XREF: PAGE:00816F60j
					; PAGE:00816F6Dj
		mov	esi, edx
		and	edx, 7
		and	esi, 0FFFFFFF8h
		cmp	edx, 1
		ja	loc_81703F
		test	esi, esi
		jz	loc_81703F
		cmp	edx, 1
		jnz	short loc_816FAC
		lea	eax, [esi-0Ch]
		mov	ecx, 7
		lock xadd [eax], ecx
		test	ecx, ecx
		jg	short loc_817005
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_817005
; 

loc_816FAC:				; CODE XREF: PAGE:00816F91j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		add	ebx, 0FFFFFFF0h
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	esi, [edi]
		mov	ecx, 8
		and	esi, 0FFFFFFF8h
		lea	eax, [esi-0Ch]
		lock xadd [eax], ecx
		test	ecx, ecx
		jg	short loc_816FE2
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_816FE2:				; CODE XREF: PAGE:00816FD9j
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_816FF9
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_816FF9:				; CODE XREF: PAGE:00816FF0j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_817005:				; CODE XREF: PAGE:00816FA1j
					; PAGE:00816FAAj
		mov	ecx, [edi]
		mov	eax, ecx
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		ja	short loc_817037

loc_817014:				; CODE XREF: PAGE:00817035j
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	esi, eax
		jnz	short loc_817037
		lea	edx, [ecx+7]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_81703F
		mov	ecx, eax
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		jbe	short loc_817014

loc_817037:				; CODE XREF: PAGE:00817012j
					; PAGE:0081701Bj
		push	7
		push	esi
		call	ObDereferenceSecurityDescriptor

loc_81703F:				; CODE XREF: PAGE:00816F80j
					; PAGE:00816F88j ...
		mov	edi, [ebp-24h]
		mov	edx, edi
		push	esi
		push	dword ptr [ebp-34h]
		lea	ecx, [edi+1Ch]
		call	_SeComputeCreatorDeniedRights@16 ; SeComputeCreatorDeniedRights(x,x,x,x)
		mov	[ebp-70h], eax
		test	esi, esi
		jz	loc_8170F6
		lea	edi, [esi-10h]
		mov	edx, [edi+4]
		lea	ebx, [edi+4]
		lea	ecx, [edx-1]
		test	ecx, ecx
		jle	short loc_817083
		jmp	short loc_817070
; 
		align 10h

loc_817070:				; CODE XREF: PAGE:0081706Bj
					; PAGE:00817081j
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		mov	ecx, eax
		cmp	ecx, edx
		jz	short loc_8170F3
		mov	edx, ecx
		dec	ecx
		test	ecx, ecx
		jg	short loc_817070

loc_817083:				; CODE XREF: PAGE:00817069j
		jz	short loc_81708C
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_81708C:				; CODE XREF: PAGE:loc_817083j
		movzx	eax, byte ptr [edi+8]
		lea	ebx, _ObsSecurityDescriptorCache[eax*8]
		mov	eax, large fs:124h
		lea	esi, [ebx+4]
		mov	[ebp-4Ch], eax
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		or	ecx, 0FFFFFFFFh
		lea	eax, [edi+4]
		lock xadd [eax], ecx
		dec	ecx
		test	ecx, ecx
		jg	short loc_8170D0
		jz	loc_817288
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8170D0:				; CODE XREF: PAGE:008170C1j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8170E4
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8170E4:				; CODE XREF: PAGE:008170DBj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp-4Ch]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)

loc_8170F3:				; CODE XREF: PAGE:0081707Aj
					; PAGE:008172CAj
		mov	edi, [ebp-24h]

loc_8170F6:				; CODE XREF: PAGE:00817055j
		mov	esi, [ebp-70h]
		mov	ecx, [ebp-34h]
		not	esi
		mov	eax, [edi+30h]
		and	ecx, esi
		mov	esi, [ebp-54h]
		mov	[ebp-34h], ecx
		mov	[edi+14h], ecx
		mov	eax, [eax+18h]
		mov	[ebp-2Ch], ecx
		mov	[ebp-0A0h], eax

loc_817118:				; CODE XREF: PAGE:00816F51j
		mov	eax, [ebp+10h]
		mov	ebx, [ebp-28h]
		test	eax, eax
		jz	short loc_817132
		push	ecx
		mov	edx, eax
		mov	ecx, ebx
		call	ObReferenceObjectExWithTag
		mov	ecx, [ebp-34h]
		mov	[ebp-2Ch], ecx

loc_817132:				; CODE XREF: PAGE:00817120j
		test	esi, esi
		jz	short loc_817143
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	ecx, [ebp-34h]
		mov	[ebp-2Ch], ecx

loc_817143:				; CODE XREF: PAGE:00817134j
		cmp	dword ptr [ebp-44h], 0
		mov	esi, [ebp-48h]
		jz	short loc_817167
		cmp	byte ptr [ebp-2Dh], 0
		jnz	short loc_817167
		cmp	esi, _ObpSymbolicLinkObjectType
		jnz	short loc_817167
		mov	ecx, ebx
		call	ObpCreateSymbolicLinkName
		mov	ecx, [ebp-34h]
		mov	[ebp-2Ch], ecx

loc_817167:				; CODE XREF: PAGE:0081714Aj
					; PAGE:00817150j ...
		lea	eax, [ebp-78h]
		mov	[ebp-74h], eax
		mov	[ebp-78h], eax
		test	byte ptr [esi+2Ah], 40h
		jz	loc_8172E7
		lea	eax, [esi+88h]
		cmp	[eax], eax
		jz	loc_8172E7
		mov	eax, [ebp-50h]
		mov	edi, ecx
		movzx	ecx, byte ptr [ebx-0Ch]
		xor	edx, edx
		movzx	eax, al
		xor	ecx, eax
		mov	dword ptr [ebp-0D0h], 0
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	dword ptr [ebp-0B4h], 0
		mov	dword ptr [ebp-0B0h], 0
		lea	eax, [ebp-0BCh]
		mov	ecx, ds:_ObTypeIndexTable[ecx*4]
		mov	ebx, [ecx+48h]
		mov	[ebp-0C0h], eax
		and	ebx, edi
		movzx	eax, byte ptr [ebp-1Dh]
		mov	[ebp-0B4h], edx
		mov	[ebp-0B0h], edx
		and	edx, 0FFFFFFFEh
		or	edx, eax
		mov	dword ptr [ebp-0D4h], 1
		mov	eax, [ebp-28h]
		mov	[ebp-0CCh], eax
		mov	eax, [ebp-2Ch]
		mov	[ebp-0B8h], eax
		mov	[ebp-0BCh], eax
		lea	eax, [ebp-78h]
		mov	[ebp-0D0h], edx
		lea	edx, [ebp-0D4h]
		push	eax
		mov	dword ptr [ebp-0C4h], 0
		mov	[ebp-0C8h], ecx
		call	ObpCallPreOperationCallbacks
		mov	esi, eax
		mov	al, [ebp-1Dh]
		test	esi, esi
		js	short loc_817251
		test	al, al
		jnz	short loc_81724D
		mov	eax, [ebp-0BCh]
		or	eax, ebx
		and	edi, eax
		mov	al, [ebp-1Dh]

loc_81724D:				; CODE XREF: PAGE:0081723Ej
		test	esi, esi
		jns	short loc_8172CF

loc_817251:				; CODE XREF: PAGE:0081723Aj
		mov	edi, [ebp-28h]
		mov	ecx, [ebp-58h]
		lea	ebx, [edi-18h]
		mov	edx, ebx
		call	_ObpDecrementHandleCount@8 ; ObpDecrementHandleCount(x,x)
		mov	edx, [ebp+10h]
		test	edx, edx
		jz	loc_817936
		cmp	edx, 1
		jbe	short loc_81727C
		mov	eax, 1
		sub	eax, edx
		lock xadd [ebx], eax

loc_81727C:				; CODE XREF: PAGE:0081726Fj
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	loc_817936
; 

loc_817288:				; CODE XREF: PAGE:008170C3j
		mov	eax, [esi]
		cmp	eax, edi
		jz	short loc_817298
		mov	edi, edi

loc_817290:				; CODE XREF: PAGE:00817296j
		mov	esi, eax
		mov	eax, [esi]
		cmp	eax, edi
		jnz	short loc_817290

loc_817298:				; CODE XREF: PAGE:0081728Cj
		mov	eax, [edi]
		mov	[esi], eax
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8172B0
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8172B0:				; CODE XREF: PAGE:008172A7j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp-4Ch]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		push	6353624Fh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8170F3
; 

loc_8172CF:				; CODE XREF: PAGE:0081724Fj
		test	al, al
		jnz	short loc_8172E4
		mov	eax, [ebp-24h]
		mov	ecx, edi
		mov	[ebp-34h], ecx
		test	eax, eax
		jz	short loc_8172E7
		mov	[eax+14h], edi
		jmp	short loc_8172E7
; 

loc_8172E4:				; CODE XREF: PAGE:008172D1j
		mov	ecx, [ebp-34h]

loc_8172E7:				; CODE XREF: PAGE:00817174j
					; PAGE:00817182j ...
		mov	eax, [ebp-28h]
		and	ecx, 1FFFFFFh
		mov	edx, [ebp+14h]
		add	eax, 0FFFFFFE8h
		mov	ebx, edx
		and	eax, 0FFFFFFF9h
		and	ebx, 6
		or	ebx, eax
		test	dl, 8
		jz	short loc_81730B
		or	ecx, 4000000h

loc_81730B:				; CODE XREF: PAGE:00817303j
		test	dl, 1
		jz	short loc_817316
		or	ecx, 2000000h

loc_817316:				; CODE XREF: PAGE:0081730Ej
		mov	eax, large fs:124h
		or	ebx, 1
		mov	[ebp-2Ch], ecx
		mov	[ebp-80h], ebx
		mov	[ebp-44h], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp-40h]
		xor	edi, edi
		mov	[ebp-38h], edi
		mov	al, [ecx+1Ch]
		test	al, 4
		jnz	loc_8174C8
		test	al, 1
		jnz	short loc_817351
		movzx	ebx, large byte	ptr fs:51h
		jmp	short loc_817353
; 

loc_817351:				; CODE XREF: PAGE:00817345j
		xor	ebx, ebx

loc_817353:				; CODE XREF: PAGE:0081734Fj
		mov	edx, ds:_ExpFreeListCount
		mov	[ebp-4Ch], ebx
		mov	[ebp-70h], edx
		nop

loc_817360:				; CODE XREF: PAGE:0081744Ej
		mov	eax, [ecx]
		mov	edi, ebx
		xor	ecx, ecx
		mov	[ebp-0A8h], eax
		mov	[ebp-98h], ecx

loc_817372:				; CODE XREF: PAGE:008173EEj
		lea	esi, [edi+1]
		shl	esi, 6
		add	esi, [ebp-40h]
		cmp	dword ptr [esi+4], 0
		jz	short loc_8173D8
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, [esi+4]
		test	ebx, ebx
		jz	short loc_8173AC
		mov	eax, [ebx+4]
		mov	[esi+4], eax
		test	eax, eax
		jnz	short loc_81739E
		mov	[esi+8], eax

loc_81739E:				; CODE XREF: PAGE:00817399j
		inc	dword ptr [esi+0Ch]
		mov	eax, [esi+0Ch]
		cmp	eax, [esi+10h]
		jle	short loc_8173AC
		mov	[esi+10h], eax

loc_8173AC:				; CODE XREF: PAGE:0081738Fj
					; PAGE:008173A7j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8173C0
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8173C0:				; CODE XREF: PAGE:008173B7j
		mov	ecx, esi
		call	KeAbPostRelease
		test	ebx, ebx
		jnz	loc_817453
		mov	ecx, [ebp-98h]
		mov	edx, [ebp-70h]

loc_8173D8:				; CODE XREF: PAGE:0081737Fj
		lea	eax, [edi+1]
		inc	ecx
		mov	edi, eax
		mov	[ebp-98h], ecx
		sub	edi, edx
		neg	edi
		sbb	edi, edi
		and	edi, eax
		cmp	ecx, edx
		jb	short loc_817372
		mov	eax, [ebp-40h]
		xor	edx, edx
		mov	esi, [ebp-4Ch]
		mov	bl, 1
		inc	esi
		shl	esi, 6
		lea	edi, [eax+24h]
		add	esi, eax
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp-40h]
		mov	eax, [ebp-0A8h]
		cmp	eax, [ecx]
		jnz	short loc_817420
		mov	edx, esi
		call	ExpAllocateHandleTableEntrySlow
		mov	bl, al

loc_817420:				; CODE XREF: PAGE:00817415j
		or	edx, 0FFFFFFFFh
		lock xadd [edi], edx
		and	dl, 6
		cmp	dl, 2
		jnz	short loc_817436
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_817436:				; CODE XREF: PAGE:0081742Dj
		mov	ecx, edi
		call	KeAbPostRelease
		test	bl, bl
		jz	loc_8174C6
		mov	edx, [ebp-70h]
		mov	ebx, [ebp-4Ch]
		mov	ecx, [ebp-40h]
		jmp	loc_817360
; 

loc_817453:				; CODE XREF: PAGE:008173C9j
		mov	eax, ebx
		mov	ecx, ebx
		and	eax, 0FFFFF000h
		sub	ecx, eax
		sar	ecx, 3
		cmp	dword ptr [ebp-0A0h], 0
		mov	eax, [eax+4]
		lea	edi, [eax+ecx*4]
		mov	[ebp-38h], edi
		jnz	short loc_817479
		cmp	dword ptr [ebp+20h], 0
		jz	short loc_8174A1

loc_817479:				; CODE XREF: PAGE:00817471j
		mov	esi, [ebp-40h]
		lea	eax, [ebp-0A0h]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	_ExpSetHandleExtraInfo@12 ; ExpSetHandleExtraInfo(x,x,x)
		test	eax, eax
		jz	short loc_8174A1
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	ExpFreeHandleTableEntry
		xor	edi, edi
		mov	[ebp-38h], edi
		jmp	short loc_8174C8
; 

loc_8174A1:				; CODE XREF: PAGE:00817477j
					; PAGE:0081748Ej
		mov	eax, [ebp-40h]
		mov	esi, [ebp-44h]
		cmp	dword ptr [eax+54h], 0
		jz	short loc_8174B9
		push	1
		push	edi
		mov	edx, esi
		mov	ecx, eax
		call	_ExpUpdateDebugInfo@16 ; ExpUpdateDebugInfo(x,x,x,x)

loc_8174B9:				; CODE XREF: PAGE:008174ABj
		mov	eax, [ebp-2Ch]
		mov	[ebx+4], eax
		mov	eax, [ebp-80h]
		mov	[ebx], eax
		jmp	short loc_8174CB
; 

loc_8174C6:				; CODE XREF: PAGE:0081743Fj
		xor	edi, edi

loc_8174C8:				; CODE XREF: PAGE:0081733Dj
					; PAGE:0081749Fj
		mov	esi, [ebp-44h]

loc_8174CB:				; CODE XREF: PAGE:008174C4j
		mov	ecx, esi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		test	edi, edi
		jnz	short loc_817517
		mov	edi, [ebp-28h]
		mov	ecx, [ebp-58h]
		lea	ebx, [edi-18h]
		mov	edx, ebx
		call	_ObpDecrementHandleCount@8 ; ObpDecrementHandleCount(x,x)
		mov	edx, [ebp+10h]
		test	edx, edx
		jz	short loc_817504
		cmp	edx, 1
		jbe	short loc_8174FD
		mov	eax, 1
		sub	eax, edx
		lock xadd [ebx], eax

loc_8174FD:				; CODE XREF: PAGE:008174F0j
		mov	ecx, edi
		call	ObfDereferenceObject

loc_817504:				; CODE XREF: PAGE:008174EBj
		mov	al, [ebp-1Dh]
		mov	esi, 0C000009Ah
		mov	ebx, [ebp-90h]
		jmp	loc_817903
; 

loc_817517:				; CODE XREF: PAGE:008174D4j
		mov	edx, [ebp-24h]
		test	edx, edx
		jz	loc_8178C8
		mov	esi, [ebp-28h]
		xor	edi, edi
		mov	al, [esi-0Ah]
		test	al, 20h
		jz	loc_817644
		movzx	eax, al
		lea	ecx, [esi-18h]
		and	eax, 3Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		jz	loc_817644
		mov	eax, [ecx]
		test	eax, eax
		jnz	loc_81764F
		cmp	[ebp-64h], edi
		jz	short loc_8175D2
		push	eax
		lea	edx, [ebp-64h]

loc_81755D:				; CODE XREF: PAGE:0081763Fj
		lea	ecx, [esi-18h]
		call	_ObpSetObjectAuditInfo@12 ; ObpSetObjectAuditInfo(x,x,x)

loc_817565:				; CODE XREF: PAGE:00817630j
		mov	edx, [ebp-24h]

loc_817568:				; CODE XREF: PAGE:008175FDj
					; PAGE:00817649j ...
		mov	ecx, [ebp-38h]
		xor	esi, esi
		mov	ebx, [edx+30h]
		mov	[ebp-8Ch], ecx
		mov	byte ptr [ebp-1Eh], 0
		mov	[ebp-68h], esi
		test	edi, edi
		jnz	short loc_81758B
		mov	edi, [ebx+30h]
		test	edi, edi
		jnz	short loc_81758B
		mov	edi, [edx+2Ch]

loc_81758B:				; CODE XREF: PAGE:0081757Fj
					; PAGE:00817586j
		mov	al, [edx+9]
		test	al, al
		jz	loc_81765A
		cmp	byte ptr [edx+60h], 0
		jz	loc_817656
		mov	eax, [ebx]
		mov	ecx, offset _SeSubsystemName
		mov	edi, [ebp-38h]
		push	1
		push	eax
		mov	eax, [edx+14h]
		push	eax
		mov	eax, [edx+28h]
		push	eax
		mov	eax, [edx+24h]
		push	eax
		mov	eax, [edx+1Ch]
		push	eax
		lea	eax, [edx+64h]
		add	edx, 6Ch
		push	edi
		push	eax
		call	SepAdtPrivilegeObjectAuditAlarm
		mov	edx, [ebp-24h]
		jmp	loc_81775F
; 

loc_8175D2:				; CODE XREF: PAGE:00817557j
		mov	eax, [ebp-50h]
		movzx	ecx, byte ptr [esi-0Ch]
		movzx	eax, al
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		cmp	eax, ds:_IoFileObjectType
		jnz	short loc_817603
		mov	eax, [esi+4]
		test	byte ptr [eax+20h], 10h
		jnz	loc_817568

loc_817603:				; CODE XREF: PAGE:008175F4j
		mov	eax, [edx+30h]
		mov	byte ptr [ebp-50h], 0
		test	eax, eax
		jz	short loc_81761B
		mov	eax, [eax+30h]
		test	eax, eax
		jz	short loc_81761B
		mov	byte ptr [ebp-50h], 1
		jmp	short loc_81761D
; 

loc_81761B:				; CODE XREF: PAGE:0081760Cj
					; PAGE:00817613j
		xor	eax, eax

loc_81761D:				; CODE XREF: PAGE:00817619j
		lea	ecx, [ebp-6Ch]
		mov	edx, 20h
		push	ecx
		push	eax
		mov	ecx, esi
		call	ObpAllocateAndQuerySecurityDescriptorInfo
		test	eax, eax
		js	loc_817565
		mov	edi, [ebp-6Ch]
		lea	edx, [ebp-6Ch]
		push	dword ptr [ebp-50h]
		jmp	loc_81755D
; 

loc_817644:				; CODE XREF: PAGE:0081752Cj
					; PAGE:00817544j
		mov	eax, [ebp-64h]
		test	eax, eax
		jz	loc_817568

loc_81764F:				; CODE XREF: PAGE:0081754Ej
		mov	edi, eax
		jmp	loc_817568
; 

loc_817656:				; CODE XREF: PAGE:0081759Aj
		test	al, al
		jnz	short loc_817667

loc_81765A:				; CODE XREF: PAGE:00817590j
		cmp	byte ptr [ebx+0C0h], 0
		jz	loc_81775C

loc_817667:				; CODE XREF: PAGE:00817658j
		push	2
		push	200h
		push	0
		lea	eax, [ebp-68h]
		push	eax
		push	0FFFFFFFFh
		push	ecx
		push	0FFFFFFFFh
		call	_ZwDuplicateObject@28 ;	ZwDuplicateObject(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8176A5
		push	0
		lea	eax, [ebp-0A4h]
		mov	[ebp-0A4h], esi
		push	eax
		push	0
		push	0
		push	0
		push	dword ptr [ebp-68h]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp-0A4h]

loc_8176A5:				; CODE XREF: PAGE:00817680j
		mov	edx, [ebp-24h]
		mov	ecx, esi
		push	0
		add	edx, 6Ch
		push	1
		call	_SepAdtClassifyObjectIntoSubCategory@16	; SepAdtClassifyObjectIntoSubCategory(x,x,x,x)
		movzx	eax, ax
		mov	[ebp-80h], eax
		test	esi, esi
		jz	short loc_8176C7
		mov	ecx, esi
		call	ObfDereferenceObject

loc_8176C7:				; CODE XREF: PAGE:008176BEj
		mov	eax, [ebp-68h]
		test	eax, eax
		jz	short loc_8176DB
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	dword ptr [ebp-68h], 0

loc_8176DB:				; CODE XREF: PAGE:008176CCj
		mov	eax, [ebp-24h]
		push	eax
		lea	esi, [eax+64h]
		lea	eax, [ebx+1Ch]
		push	eax
		push	0
		push	0
		push	0
		push	2
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		mov	ecx, [ebp-24h]
		mov	edx, offset _SeSubsystemName
		push	eax
		mov	eax, [ebx]
		push	1
		push	eax
		mov	eax, [ecx+14h]
		push	eax
		mov	eax, [ecx+18h]
		push	eax
		mov	eax, [ecx+24h]
		push	eax
		mov	eax, [ecx+1Ch]
		push	eax
		push	edi
		push	esi
		lea	edi, [ecx+6Ch]
		mov	ecx, [ebp-80h]
		push	edi
		lea	eax, [ebp-8Ch]
		push	eax
		call	_SepAdtOpenObjectAuditAlarm@76 ; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp-1Eh], al
		mov	eax, [ebp-24h]
		push	eax
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		push	eax
		mov	eax, [ebp-24h]
		push	1
		mov	ecx, [eax+14h]
		mov	edx, [eax+18h]
		push	ecx
		mov	ecx, [ebp-80h]
		push	edx
		mov	edx, [eax+24h]
		mov	eax, [eax+1Ch]
		push	edx
		push	eax
		push	esi
		push	edi
		lea	eax, [ebp-8Ch]
		push	eax
		call	_SepAdtStagingEvent@48 ; SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edx, [ebp-24h]

loc_81775C:				; CODE XREF: PAGE:00817661j
		mov	edi, [ebp-38h]

loc_81775F:				; CODE XREF: PAGE:008175CDj
		mov	al, [ebp-1Eh]
		mov	ebx, [ebp-84h]
		mov	[edx+0Ah], al
		test	ebx, ebx
		jnz	short loc_8177AB
		mov	eax, [edx+30h]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_8177AB
		cmp	[ecx], ebx
		jbe	short loc_8177AB
		mov	eax, large fs:124h
		cmp	[eax+15Ah], bl
		jz	short loc_8177AB
		mov	eax, [edx+14h]
		push	1
		push	ecx
		push	eax
		mov	eax, [edx+28h]
		mov	ecx, offset _SeSubsystemName
		push	eax
		mov	eax, [edx+24h]
		push	eax
		mov	eax, [edx+1Ch]
		xor	edx, edx
		push	eax
		push	edi
		push	ebx
		call	SepAdtPrivilegeObjectAuditAlarm

loc_8177AB:				; CODE XREF: PAGE:0081776Dj
					; PAGE:00817776j ...
		mov	eax, [ebp-6Ch]
		test	eax, eax
		jz	short loc_8177BA
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8177BA:				; CODE XREF: PAGE:008177B0j
		test	ebx, ebx
		jnz	loc_8178C8
		mov	eax, [ebp-48h]
		cmp	eax, ds:_CmKeyObjectType
		jz	short loc_8177D9
		cmp	eax, ds:_IoFileObjectType
		jnz	loc_8178C8

loc_8177D9:				; CODE XREF: PAGE:008177CBj
		mov	eax, [ebp-24h]
		mov	esi, [eax+1Ch]
		test	esi, esi
		jz	loc_8178C8
		mov	edi, [eax+24h]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		cmp	edi, esi
		jnb	short loc_81781A
		mov	eax, [edi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [esi+30h]
		jmp	short loc_817834
; 

loc_81781A:				; CODE XREF: PAGE:008177FCj
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [edi+30h]

loc_817834:				; CODE XREF: PAGE:00817818j
		push	1
		push	eax
		call	ExAcquireResourceSharedLite
		test	dword ptr [esi+0B0h], 4000h
		jz	short loc_8178AB
		cmp	dword ptr [esi+0ACh], 2
		jl	short loc_8178AB
		mov	eax, [esi+94h]
		mov	eax, [eax]
		push	eax
		mov	eax, [edi+94h]
		mov	eax, [eax]
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_8178AB
		mov	ecx, [ebp-28h]
		lea	ecx, [ecx-18h]
		call	_OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO@4 ; OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO(x)
		test	eax, eax
		jz	short loc_8178AB
		mov	eax, _SeConstrainedImpersonationCapabilitySid
		lea	ecx, [edi+1ECh]
		push	0
		push	0
		push	1
		push	0
		push	eax
		xor	edx, edx
		call	SepSidInTokenSidHash
		test	al, al
		jz	short loc_8178AB
		mov	ecx, [esi+0C0h]
		mov	edx, [ebp-28h]
		add	ecx, 48h
		call	_ObHandleRevocationBlockAddObject@8 ; ObHandleRevocationBlockAddObject(x,x)

loc_8178AB:				; CODE XREF: PAGE:00817846j
					; PAGE:0081784Fj ...
		mov	ecx, [edi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edi, [ebp-38h]

loc_8178C8:				; CODE XREF: PAGE:0081751Cj
					; PAGE:008177BCj ...
		cmp	dword ptr [ebp+10h], 0
		jz	short loc_8178DD
		mov	ecx, [ebp-0ACh]
		test	ecx, ecx
		jz	short loc_8178DD
		mov	eax, [ebp-28h]
		mov	[ecx], eax

loc_8178DD:				; CODE XREF: PAGE:008178CCj
					; PAGE:008178D6j
		movzx	esi, byte ptr [ebp-2Dh]
		mov	al, [ebp-1Dh]
		neg	esi
		sbb	esi, esi
		and	esi, 40000000h
		test	al, al
		jz	short loc_8178F8
		or	edi, 80000000h

loc_8178F8:				; CODE XREF: PAGE:008178F0j
		mov	ebx, [ebp-90h]
		mov	[ebx], edi
		mov	edi, [ebp-28h]

loc_817903:				; CODE XREF: PAGE:00817512j
		lea	ecx, [ebp-78h]
		cmp	[ebp-78h], ecx
		jz	short loc_817919
		push	ecx
		push	dword ptr [ebp-34h]
		mov	dl, al
		mov	ecx, edi
		push	esi
		call	_ObpPostInterceptHandleCreate@20 ; ObpPostInterceptHandleCreate(x,x,x,x,x)

loc_817919:				; CODE XREF: PAGE:00817909j
		test	byte ptr ds:dword_70EFD0, 40h
		jz	short loc_817936
		test	esi, esi
		js	short loc_817936
		push	dword ptr [ebp-48h]
		mov	edx, [ebx]
		mov	ecx, 1120h
		push	edi
		call	_EtwpTraceHandle@16 ; EtwpTraceHandle(x,x,x,x)

loc_817936:				; CODE XREF: PAGE:008168A2j
					; PAGE:00816DDAj ...
		cmp	byte ptr [ebp-39h], 0
		jz	short loc_81794A
		mov	ecx, [ebp-58h]
		lea	ecx, [ecx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_81794A:				; CODE XREF: PAGE:00816773j
					; PAGE:0081793Aj
		mov	ecx, [ebp-8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_81795F:				; CODE XREF: PAGE:00816B22j
					; PAGE:00816B2Cj
		push	0
		push	1
		push	ebx
		push	eax
		push	189h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 0CCh
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1503. NtClose

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtClose
NtClose		proc near		; CODE XREF: SepRmCallLsa+1CDp
					; _RtlpMuiRegLoadInstalledFromKey+CFp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= dword	ptr -2
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0091E73C SIZE 000000DC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:124h
		test	_MmVerifierData, 100h
		push	ebx
		push	esi
		mov	bl, [eax+15Ah]
		mov	esi, [ebp+arg_0]
		push	edi
		mov	byte ptr [ebp+var_10], bl
		jnz	loc_91E73C

loc_8179AD:				; CODE XREF: NtClose+106DBEj
					; NtClose+106DCFj ...
		mov	edi, large fs:124h
		mov	dl, bl
		mov	byte ptr [ebp+var_2], 0
		mov	ecx, esi
		mov	byte ptr [ebp+var_2+1],	0
		xor	bh, bh
		mov	eax, [edi+80h]
		mov	[ebp+var_C], eax
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jnz	short loc_817A3D
		mov	eax, large fs:124h
		cmp	byte ptr [eax+16Ah], 1
		mov	eax, [ebp+var_C]
		mov	[ebp+var_8], eax
		jz	loc_817A7D
		mov	edx, [eax+18Ch]
		mov	[ebp+arg_0], edx
		cmp	edx, _ObpKernelHandleTable
		jz	loc_817AA1

loc_817A02:				; CODE XREF: NtClose+D4j NtClose+10Fj
		dec	word ptr [edi+13Ch]
		nop
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	ExMapHandleToPointer
		test	eax, eax
		jz	short loc_817A56
		mov	edi, [ebp+var_8]
		mov	edx, eax
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+var_10]
		push	esi
		push	edi
		call	_ObCloseHandleTableEntry@24 ; ObCloseHandleTableEntry(x,x,x,x,x,x)
		mov	esi, eax

loc_817A2E:				; CODE XREF: NtClose+FBj
		test	bh, bh
		jnz	short loc_817A94

loc_817A32:				; CODE XREF: NtClose+11Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_817A3D:				; CODE XREF: NtClose+52j
		mov	edx, _ObpKernelHandleTable
		xor	esi, 80000000h
		mov	eax, ds:_PsInitialSystemProcess
		mov	[ebp+arg_0], edx
		mov	[ebp+var_8], eax
		jmp	short loc_817A02
; 

loc_817A56:				; CODE XREF: NtClose+96j
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		test	esi, esi
		jg	short loc_817AB1
		cmp	esi, 0FFFFFFFAh
		jl	short loc_817AB1

loc_817A66:				; CODE XREF: NtClose+179j
					; NtClose+106E29j ...
		add	esi, 6
		mov	eax, 5
		cmp	eax, esi
		sbb	esi, esi
		and	esi, 0C0000008h

loc_817A78:				; CODE XREF: NtClose+106E12j
					; NtClose+106E1Cj
		mov	edi, [ebp+var_8]
		jmp	short loc_817A2E
; 

loc_817A7D:				; CODE XREF: NtClose+67j
		mov	ecx, eax
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		mov	edx, eax
		mov	[ebp+arg_0], edx
		test	edx, edx
		jz	short loc_817AA1
		mov	bh, 1
		jmp	loc_817A02
; 

loc_817A94:				; CODE XREF: NtClose+B0j
		lea	ecx, [edi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_817A32
; 

loc_817AA1:				; CODE XREF: NtClose+7Cj NtClose+10Bj
		mov	esi, 0C0000008h
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_817AB1:				; CODE XREF: NtClose+DFj NtClose+E4j
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_2+1]
		push	eax
		lea	edx, [ebp+var_2]
		call	ExQueryHandleExceptionsPermanency
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+1Ch], 10h
		jnz	loc_91E75F

loc_817ACD:				; CODE XREF: NtClose+106DE3j
					; NtClose+106DF8j
		test	bl, bl
		jz	loc_91E7A1
		test	_NtGlobalFlag, 400000h
		jnz	loc_91E77D
		mov	ecx, [ebp+var_C]
		cmp	dword ptr [ecx+190h], 0
		jnz	loc_91E77D
		cmp	dword ptr [eax+54h], 0
		jz	loc_817A66
		jmp	loc_91E77D
NtClose		endp

; 
		align 10h
; Exported entry 1638. ObReferenceObjectByHandleWithTag

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObReferenceObjectByHandleWithTag(x,	x, x, x, x, x, x)
		public _ObReferenceObjectByHandleWithTag@28
_ObReferenceObjectByHandleWithTag@28 proc near ; CODE XREF: PopCreatePowerThread(x,x)+5Ep
					; NtGetWriteWatch+164D96p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	ObpReferenceObjectByHandleWithTag
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_ObReferenceObjectByHandleWithTag@28 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpLockKcbShared(x)
_CmpLockKcbShared@4 proc near		; CODE XREF: CmpDoQueryKeyName+EEp
					; NtFlushKey(x)+157p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	edx, edx
		lea	ecx, [esi+18h]
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [esi+1Ch]
		pop	esi
		retn
_CmpLockKcbShared@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmObReferenceObjectByHandle(x, x, x, x, x, x)
_CmObReferenceObjectByHandle@24	proc near ; CODE XREF: NtDeleteKey+BAp
					; CmLoadDifferencingKey+847p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		lea	ebx, [ebp+var_C]
		push	edi
		mov	edi, ds:_CmKeyObjectType
		mov	eax, esi
		neg	eax
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], 0
		sbb	eax, eax
		mov	[ebp+var_4], 0
		and	eax, ebx
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	edi
		push	edx
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_817BD6
		cmp	dword ptr [ecx], 6B793032h
		jnz	short loc_817BDE
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		test	esi, esi
		jnz	short loc_817BC9

loc_817BBE:				; CODE XREF: CmObReferenceObjectByHandle(x,x,x,x,x,x)+74j
		xor	eax, eax

loc_817BC0:				; CODE XREF: CmObReferenceObjectByHandle(x,x,x,x,x,x)+7Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_817BC9:				; CODE XREF: CmObReferenceObjectByHandle(x,x,x,x,x,x)+5Cj
		mov	eax, [ebp+var_C]
		mov	[esi], eax
		mov	eax, [ebp+var_8]
		mov	[esi+4], eax
		jmp	short loc_817BBE
; 

loc_817BD6:				; CODE XREF: CmObReferenceObjectByHandle(x,x,x,x,x,x)+4Bj
					; CmObReferenceObjectByHandle(x,x,x,x,x,x)+83j
		test	ecx, ecx
		jnz	short loc_817BE5

loc_817BDA:				; CODE XREF: CmObReferenceObjectByHandle(x,x,x,x,x,x)+8Aj
		mov	eax, edi
		jmp	short loc_817BC0
; 

loc_817BDE:				; CODE XREF: CmObReferenceObjectByHandle(x,x,x,x,x,x)+53j
		mov	edi, 0C0000008h
		jmp	short loc_817BD6
; 

loc_817BE5:				; CODE XREF: CmObReferenceObjectByHandle(x,x,x,x,x,x)+78j
		call	ObfDereferenceObject
		jmp	short loc_817BDA
_CmObReferenceObjectByHandle@24	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpIsKeyStackDeleted proc near		; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+2A3p
					; CmpGetSymbolicLinkTarget+A17p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], 0
		mov	ebx, edx
		movzx	esi, word ptr [edi+2]
		test	si, si
		js	short loc_817C42
		lea	ecx, [ecx+0]

loc_817C10:				; CODE XREF: CmpIsKeyStackDeleted+50j
		movsx	ecx, si
		cmp	si, 2
		jge	short loc_817C5F
		mov	ecx, [edi+ecx*4+4]

loc_817C1D:				; CODE XREF: CmpIsKeyStackDeleted+76j
		xor	edx, edx
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		cmp	eax, 1
		jz	short loc_817C42
		cmp	dword ptr [ecx+14h], 0FFFFFFFFh
		jz	short loc_817C3C
		test	ebx, ebx
		jnz	short loc_817C46

loc_817C33:				; CODE XREF: CmpIsKeyStackDeleted+68j
					; NtClose+106E7Cj ...
		xor	al, al

loc_817C35:				; CODE XREF: CmpIsKeyStackDeleted+54j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_817C3C:				; CODE XREF: CmpIsKeyStackDeleted+3Dj
		dec	esi
		test	si, si
		jns	short loc_817C10

loc_817C42:				; CODE XREF: CmpIsKeyStackDeleted+1Bj
					; CmpIsKeyStackDeleted+37j ...
		mov	al, 1
		jmp	short loc_817C35
; 

loc_817C46:				; CODE XREF: CmpIsKeyStackDeleted+41j
		mov	esi, [edi+4]
		lea	edx, [ebp+var_4]
		push	10h
		lea	ecx, [esi+70h]
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jz	short loc_817C33
		jmp	loc_91E7DE
; 

loc_817C5F:				; CODE XREF: CmpIsKeyStackDeleted+27j
		mov	eax, [edi+0Ch]
		mov	ecx, [eax+ecx*4-8]
		jmp	short loc_817C1D
CmpIsKeyStackDeleted endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpIsKeyStackSymlink(x)
_CmpIsKeyStackSymlink@4	proc near	; CODE XREF: CmQueryLayeredKey+177C99p
					; CmSetValueKey(x,x,x,x,x,x,x)+3D2p ...

var_4		= dword	ptr -4

		mov	edx, ecx
		push	esi
		movzx	eax, word ptr [edx+2]
		test	ax, ax
		js	short loc_817CA3
		lea	esp, [esp+0]

loc_817C80:				; CODE XREF: CmpIsKeyStackSymlink(x)+31j
		movsx	esi, ax
		cmp	ax, 2
		jge	short loc_817CA7
		mov	ecx, [edx+esi*4+4]

loc_817C8D:				; CODE XREF: CmpIsKeyStackSymlink(x)+3Ej
		cmp	dword ptr [ecx+14h], 0FFFFFFFFh
		jz	short loc_817C9D
		mov	eax, [ecx+68h]
		shr	eax, 14h
		and	al, 1
		pop	esi
		retn
; 

loc_817C9D:				; CODE XREF: CmpIsKeyStackSymlink(x)+21j
		dec	eax
		test	ax, ax
		jns	short loc_817C80

loc_817CA3:				; CODE XREF: CmpIsKeyStackSymlink(x)+Aj
		xor	al, al
		pop	esi
		retn
; 

loc_817CA7:				; CODE XREF: CmpIsKeyStackSymlink(x)+17j
		mov	ecx, [edx+0Ch]
		mov	ecx, [ecx+esi*4-8]
		jmp	short loc_817C8D
_CmpIsKeyStackSymlink@4	endp

; 

; __stdcall CmpDereferenceKeyControlBlock(x)
_CmpDereferenceKeyControlBlock@4:	; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+36Ap
					; CmpLateUnloadHiveWorker+D7p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	edx, ecx
		mov	dword ptr [esp+1Ch], 0
		push	edi
		lea	ecx, [esp+20h]
		mov	[esp+14h], edx
		mov	dword ptr [esp+24h], 0
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		mov	eax, [edx]
		mov	ecx, [edx+10h]
		mov	[esp+18h], ecx
		cmp	eax, 1
		jbe	short loc_817D29
		jmp	short loc_817CF0
; 
		align 10h

loc_817CF0:				; CODE XREF: PAGE:00817CEBj
					; PAGE:00817D27j
		lea	esi, [eax-1]
		mov	edi, eax
		cmp	esi, 2
		jnz	short loc_817D10
		test	dword ptr [edx+68h], 40000h
		jz	short loc_817D10
		cmp	byte ptr [ecx+6DCh], 1
		jnz	short loc_817D10
		mov	bl, 1
		jmp	short loc_817D12
; 

loc_817D10:				; CODE XREF: PAGE:00817CF8j
					; PAGE:00817D01j ...
		xor	bl, bl

loc_817D12:				; CODE XREF: PAGE:00817D0Ej
		mov	ecx, esi
		lock cmpxchg [edx], ecx
		cmp	eax, edi
		jz	loc_817DA1
		mov	ecx, [esp+18h]
		cmp	eax, 1
		ja	short loc_817CF0

loc_817D29:				; CODE XREF: PAGE:00817CE9j
		mov	ecx, [edx+10h]
		mov	esi, [edx+8]
		push	esi
		mov	[esp+1Ch], ecx
		mov	ebx, [ecx+434h]
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		mov	ecx, [esp+18h]
		lea	eax, [eax+eax*2]
		lea	edi, [ebx+eax*4]
		mov	eax, [esp+14h]
		mov	eax, [eax+8]
		push	eax
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		xor	edx, edx
		lea	eax, [eax+eax*2]
		lea	ecx, [ebx+eax*4]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+4], eax
		mov	edi, [esp+18h]
		mov	edx, [edi+9D8h]
		lea	ebx, [edi+9D8h]
		mov	[esp+1Ch], ebx
		test	edx, edx
		jz	loc_8180D3

loc_817D88:				; CODE XREF: PAGE:00817D9Fj
		lea	ecx, [edx+1]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		cmp	eax, edx
		jz	short loc_817DC1
		mov	edx, eax
		test	eax, eax
		jz	loc_8180D3
		jmp	short loc_817D88
; 

loc_817DA1:				; CODE XREF: PAGE:00817D1Aj
		cmp	eax, esi
		jb	loc_8180E4
		test	bl, bl
		jz	loc_8180CC
		mov	ecx, [esp+18h]
		call	CmpDoQueueLateUnloadWorker
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_817DC1:				; CODE XREF: PAGE:00817D93j
		mov	ebx, [esp+14h]
		xor	edx, edx
		lea	ecx, [ebx+18h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[ebx+1Ch], eax
		mov	eax, [ebx+6Ch]
		mov	dword ptr [esp+14h], 0
		test	eax, eax
		jz	short loc_817E2A
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	short loc_817E2A
		mov	eax, [eax+8]
		mov	ecx, ebx
		mov	[esp+14h], eax
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	ecx, [esp+14h]
		xor	edx, edx
		lea	ecx, [ecx+18h]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esp+14h]
		xor	edx, edx
		mov	eax, large fs:124h
		mov	[ecx+1Ch], eax
		lea	ecx, [ebx+18h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[ebx+1Ch], eax

loc_817E2A:				; CODE XREF: PAGE:00817DE5j
					; PAGE:00817DECj
		mov	ecx, [ebx+10h]
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		dec	eax
		cmp	eax, 2
		jnz	short loc_817E5E
		test	dword ptr [ebx+68h], 40000h
		jz	loc_818037
		cmp	byte ptr [ecx+6DCh], 1
		jnz	loc_818037
		call	CmpDoQueueLateUnloadWorker
		jmp	loc_818037
; 

loc_817E5E:				; CODE XREF: PAGE:00817E38j
		test	eax, eax
		jnz	loc_818037
		test	dword ptr [ebx+68h], 40000h
		jz	short loc_817ED4
		mov	edi, [ebx+10h]
		lea	edx, [esp+20h]
		mov	ecx, ebx
		call	CmpCleanUpKcbCacheWithLock
		mov	eax, large fs:124h
		or	dword ptr [edi+64h], 80h
		mov	[edi+9B0h], eax
		mov	eax, 1
		lock xadd [edi+9DCh], eax
		inc	eax
		dec	eax
		and	eax, 7Fh
		mov	dword ptr [edi+eax*4+9E0h], 1Fh
		test	byte ptr [edi+64h], 20h
		jnz	loc_818037
		or	eax, 0FFFFFFFFh
		lock xadd [edi+9D8h], eax
		jnz	loc_818037
		mov	ecx, edi
		call	_CmpDeleteHive@4 ; CmpDeleteHive(x)
		jmp	loc_818037
; 

loc_817ED4:				; CODE XREF: PAGE:00817E6Dj
		mov	eax, [ebx+4]
		mov	ecx, eax
		shr	eax, 11h
		and	cl, 20h
		not	al
		and	al, 1
		neg	cl
		sbb	cl, cl
		not	cl
		and	cl, al
		cmp	_CmpHoldLazyFlush, 0
		jz	short loc_817F07
		test	dword ptr [ebx+68h], 100000h
		jnz	short loc_817F07
		test	byte ptr [ebx+4], 8
		jz	loc_818011

loc_817F07:				; CODE XREF: PAGE:00817EF2j
					; PAGE:00817EFBj
		test	cl, cl
		jz	loc_818011
		push	0
		xor	edx, edx
		mov	byte ptr [esp+16h], 0
		mov	ecx, offset _CmpDelayedCloseTableLock
		call	KeAbPreAcquire
		mov	cl, 1
		mov	edi, eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, al
		mov	eax, offset _CmpDelayedCloseTableLock
		mov	[esp+13h], cl
		lock btr dword ptr [eax], 0
		jb	short loc_817F4B
		mov	edx, edi
		mov	ecx, eax
		call	_ExpAcquireFastMutexContended@8	; ExpAcquireFastMutexContended(x,x)
		mov	cl, [esp+13h]

loc_817F4B:				; CODE XREF: PAGE:00817F3Cj
		test	edi, edi
		jz	short loc_817F53
		or	byte ptr [edi+0Eh], 1

loc_817F53:				; CODE XREF: PAGE:00817F4Dj
		mov	eax, large fs:124h
		mov	dword_6CE024, eax
		movzx	eax, cl
		mov	dword_6CE03C, eax
		lea	eax, [ebx+78h]
		cmp	[eax], eax
		jnz	loc_8180F2
		mov	ecx, _CmpDelayedLRUListHead
		cmp	dword ptr [ecx+4], offset _CmpDelayedLRUListHead
		jz	short loc_817F87
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_817F87:				; CODE XREF: PAGE:00817F7Ej
		mov	[eax], ecx
		mov	dword ptr [eax+4], offset _CmpDelayedLRUListHead
		mov	[ecx+4], eax
		mov	_CmpDelayedLRUListHead,	eax
		mov	eax, _CmpDelayedCloseElements
		or	byte ptr [ebx+20h], 2
		inc	eax
		add	ds:dword_A94398, 1
		mov	_CmpDelayedCloseElements, eax
		adc	ds:dword_A9439C, 0
		cmp	eax, _CmpDelayedCloseSize
		jbe	short loc_817FC2
		mov	byte ptr [esp+12h], 1

loc_817FC2:				; CODE XREF: PAGE:00817FBBj
		mov	al, byte ptr dword_6CE03C
		mov	ecx, 1
		mov	[esp+13h], al
		mov	edi, offset _CmpDelayedCloseTableLock
		mov	dword_6CE024, 0
		xor	eax, eax
		lock cmpxchg [edi], ecx
		test	eax, eax
		jz	short loc_817FF2
		mov	edx, eax
		mov	ecx, edi
		call	_ExpReleaseFastMutexContended@8	; ExpReleaseFastMutexContended(x,x)

loc_817FF2:				; CODE XREF: PAGE:00817FE7j
		mov	cl, [esp+13h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	KeAbPostRelease
		cmp	byte ptr [esp+12h], 1
		jnz	short loc_818037
		call	_CmpArmDelayedCloseTimer@0 ; CmpArmDelayedCloseTimer()
		jmp	short loc_818037
; 

loc_818011:				; CODE XREF: PAGE:00817F01j
					; PAGE:00817F09j
		lea	edx, [esp+20h]
		mov	ecx, ebx
		call	CmpCleanUpKcbCacheWithLock
		mov	eax, large fs:124h
		cmp	[ebx+1Ch], eax
		jz	short loc_818037
		test	dword ptr [ebx+4], 80000h
		jz	short loc_818037
		mov	ecx, ebx
		call	CmpFreeKeyControlBlock

loc_818037:				; CODE XREF: PAGE:00817E41j
					; PAGE:00817E4Ej ...
		mov	edi, [ebx+4]
		lea	ecx, [ebx+1Ch]
		mov	eax, large fs:124h
		and	edi, 80000h
		cmp	[ecx], eax
		jnz	short loc_818056
		mov	dword ptr [ebx+1Ch], 0
		jmp	short loc_818059
; 

loc_818056:				; CODE XREF: PAGE:0081804Bj
		lock dec dword ptr [ecx]

loc_818059:				; CODE XREF: PAGE:00818054j
		xor	edx, edx
		lea	ecx, [ebx+18h]
		call	ExReleasePushLockEx
		test	edi, edi
		jz	short loc_818077
		test	dword ptr [ebx+4], 80000h
		jz	short loc_818077
		mov	ecx, ebx
		call	CmpFreeKeyControlBlock

loc_818077:				; CODE XREF: PAGE:00818065j
					; PAGE:0081806Ej
		mov	eax, [esp+14h]
		test	eax, eax
		jz	short loc_818086
		mov	ecx, eax
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)

loc_818086:				; CODE XREF: PAGE:0081807Dj
		mov	ebx, [esp+18h]
		mov	ecx, ebx
		push	esi
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		xor	edx, edx
		lea	ecx, [eax+eax*2]
		mov	eax, [ebx+434h]
		mov	dword ptr [eax+ecx*4+4], 0
		lea	ecx, [eax+ecx*4]
		call	ExReleasePushLockEx
		mov	ecx, [esp+1Ch]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		jnz	short loc_8180C1
		mov	ecx, ebx
		call	_CmpDeleteHive@4 ; CmpDeleteHive(x)

loc_8180C1:				; CODE XREF: PAGE:008180B8j
		xor	dl, dl
		lea	ecx, [esp+20h]
		call	CmpDrainDelayDerefContext

loc_8180CC:				; CODE XREF: PAGE:00817DABj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8180D3:				; CODE XREF: PAGE:00817D82j
					; PAGE:00817D99j
		mov	ebx, [esp+14h]
		push	ebx
		push	8
		push	edi
		push	17h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8180E4:				; CODE XREF: PAGE:00817DA3j
		push	0
		push	0
		push	edx
		push	25h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8180F2:				; CODE XREF: PAGE:00817F6Bj
		push	0
		push	0
		push	ebx
		push	34h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 4 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpParseKey	proc near		; DATA XREF: CmpCreateObjectTypes()+8Eo

var_A8		= dword	ptr -0A8h
var_96		= byte ptr -96h
var_95		= byte ptr -95h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 0091E818 SIZE 0000011B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		mov	ecx, [ebp+arg_18]
		push	ebx
		push	esi
		push	edi
		mov	eax, [ecx]
		mov	esi, [ecx+4]
		push	4Ch		; size_t
		mov	[esp+0ACh+var_94], eax
		lea	eax, [esp+0ACh+var_50]
		push	0		; int
		push	eax		; void *
		mov	[esp+0B4h+var_64], 0
		mov	[esp+0B4h+var_60], 0
		mov	[esp+0B4h+var_95], 0
		mov	[esp+0B4h+var_90], esi
		mov	[esp+0B4h+var_8C], 0
		mov	[esp+0B4h+var_68], 0
		call	_memset
		mov	ebx, [ebp+arg_1C]
		xor	eax, eax
		mov	edi, [ebp+arg_0]
		add	esp, 0Ch
		mov	[esp+0A8h+var_80], eax
		mov	[esp+0A8h+var_7C], eax
		mov	[esp+0A8h+var_78], eax
		mov	[esp+0A8h+var_74], eax
		mov	[esp+0A8h+var_70], eax
		mov	[esp+0A8h+var_5C], eax
		lea	eax, [esp+0A8h+var_88]
		mov	[esp+0A8h+var_84], eax
		mov	[esp+0A8h+var_88], eax
		mov	eax, [ebp+arg_28]
		mov	dword ptr [eax], 0
		mov	eax, [ebp+arg_4]
		cmp	eax, ds:_CmKeyObjectType
		jnz	loc_91E818
		cmp	edi, ds:_CmpRegistryRootObject
		jz	loc_818415

loc_8181B7:				; CODE XREF: CmpParseKey+316j
		mov	cx, word ptr [esp+0A8h+var_94]
		test	cx, cx
		jz	short loc_8181EA

loc_8181C1:				; CODE XREF: CmpParseKey+3A6j
		movzx	eax, cx
		shr	eax, 1
		cmp	word ptr [esi+eax*2-2],	5Ch
		jz	loc_8184A9
		test	cx, cx
		jz	short loc_8181EA
		mov	ax, word ptr [esp+0A8h+var_94+2]
		lea	esp, [esp+0]

loc_8181E0:				; CODE XREF: CmpParseKey+33Aj
		cmp	word ptr [esi],	5Ch
		jz	loc_81842B

loc_8181EA:				; CODE XREF: CmpParseKey+AFj
					; CmpParseKey+C5j ...
		test	ebx, ebx
		jz	loc_91E822

loc_8181F2:				; CODE XREF: CmpParseKey+106769j
		mov	ecx, [ebp+arg_24]
		lea	edx, [esp+0A8h+var_94]
		mov	eax, [edi+34h]
		and	eax, [ecx+4]
		mov	ecx, edi
		mov	[esp+0A8h+var_6C], eax
		mov	[ebx+3Ch], eax
		call	_CmpDoesParseEnterRegistryA@8 ;	CmpDoesParseEnterRegistryA(x,x)
		test	al, al
		jnz	loc_8184C1

loc_818215:				; CODE XREF: CmpParseKey+3B4j
		test	dword ptr [ebx], 800h
		jnz	loc_8184CF

loc_818221:				; CODE XREF: CmpParseKey+3CCj
		test	byte ptr [edi+1Ch], 10h
		jnz	loc_8184E7

loc_81822B:				; CODE XREF: CmpParseKey+3DBj
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		cmp	_CmpCallBackCount, 0
		jz	loc_818320
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	loc_818320
		mov	ecx, [ebp+arg_8]
		mov	[esp+0A8h+var_18], 1
		mov	eax, [ebx+18h]
		mov	[esp+0A8h+var_10], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+0A8h+var_C], eax
		lea	eax, [esp+0A8h+var_94]
		mov	[esp+0A8h+var_14], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+0A8h+var_8], al
		mov	eax, [ebx+14h]
		mov	[esp+0A8h+var_44], eax
		mov	eax, [ebp+arg_14]
		mov	[esp+0A8h+var_50], eax
		mov	eax, ds:_CmKeyObjectType
		mov	[esp+0A8h+var_48], eax
		mov	eax, [ecx+10h]
		mov	[esp+0A8h+var_34], eax
		mov	eax, [ebp+arg_28]
		mov	[esp+0A8h+var_4C], edi
		mov	[esp+0A8h+var_28], eax
		mov	eax, [ebx+30h]
		test	al, 1
		jnz	loc_818551

loc_8182BD:				; CODE XREF: CmpParseKey+443j
		mov	[esp+0A8h+var_1C], eax
		lea	edx, [esp+0A8h+var_50]
		lea	eax, [esp+0A8h+var_50]
		mov	[esp+0A8h+var_80], eax
		mov	eax, [ebx+3Ch]
		mov	[esp+0A8h+var_7C], eax
		lea	eax, [ebx+58h]
		mov	[esp+0A8h+var_74], eax
		test	byte ptr [ebx],	1
		jnz	loc_818465
		lea	eax, [esp+0A8h+var_88]
		mov	ecx, 1Ch
		push	eax
		push	edi
		push	1Dh

loc_8182F4:				; CODE XREF: CmpParseKey+394j
		push	1
		lea	eax, [esp+0B8h+var_80]
		push	eax
		call	CmpCallCallBacksEx
		mov	esi, eax
		test	esi, esi
		js	loc_91E892
		mov	edi, [esp+0A8h+var_4C]
		mov	eax, [esp+0A8h+var_7C]
		mov	[ebx+3Ch], eax
		mov	[esp+0A8h+var_95], 1
		lea	ebx, [ebx+0]

loc_818320:				; CODE XREF: CmpParseKey+127j
					; CmpParseKey+139j ...
		mov	eax, [esp+0A8h+var_94]
		mov	ecx, edi
		mov	edx, [ebp+arg_8]
		mov	[esp+0A8h+var_64], eax
		mov	eax, [esp+0A8h+var_90]
		mov	[esp+0A8h+var_60], eax
		lea	eax, [esp+0A8h+var_8C]
		push	eax
		push	[ebp+arg_20]
		lea	eax, [esp+0B0h+var_64]
		push	ebx
		push	eax
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	_CmpDoParseKey@36 ; CmpDoParseKey(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_818506
		cmp	esi, 0C000022Dh
		jz	loc_818530

loc_81836B:				; CODE XREF: CmpParseKey+1067EAj
		mov	eax, [ebp+arg_24]
		mov	edi, [edi+34h]
		mov	edx, [ebp+arg_28]
		and	edi, [eax+4]
		test	esi, esi
		js	short loc_818389
		mov	eax, [esp+0A8h+var_8C]
		mov	[edx], eax
		mov	[esp+0A8h+var_8C], 0

loc_818389:				; CODE XREF: CmpParseKey+269j
		cmp	[esp+0A8h+var_95], 0
		jz	short loc_8183E5
		mov	eax, [ebp+arg_8]
		mov	edx, [edx]
		mov	eax, [eax+14h]
		mov	[esp+0A8h+var_30], eax
		lea	eax, [esp+0A8h+var_88]
		mov	ecx, [ebx]
		push	eax
		not	ecx
		lea	eax, [esp+0ACh+var_80]
		push	eax
		and	ecx, 1
		lea	eax, [esp+0B0h+var_50]
		push	eax
		push	esi
		lea	ecx, ds:1Bh[ecx*2]
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8183D5
		mov	eax, [ebp+arg_8]
		mov	ecx, [esp+0A8h+var_30]
		cmp	ecx, [eax+14h]
		jnz	loc_91E8FF

loc_8183D5:				; CODE XREF: CmpParseKey+2B3j
					; CmpParseKey+106800j
		mov	eax, [ebp+arg_28]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_8183E5
		mov	eax, [esp+0A8h+var_7C]
		mov	[ecx+34h], eax

loc_8183E5:				; CODE XREF: CmpParseKey+27Ej
					; CmpParseKey+2CCj ...
		cmp	esi, 368h
		jz	loc_8184F0
		cmp	esi, 104h
		jz	short loc_818455

loc_8183F9:				; CODE XREF: CmpParseKey+353j
					; CmpParseKey+3F1j ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_8183FE:				; CODE XREF: CmpParseKey+106773j
					; CmpParseKey+10677Dj
		mov	edi, [esp+0A8h+var_68]
		test	edi, edi
		jnz	loc_91E91E

loc_81840A:				; CODE XREF: CmpParseKey+10681Ej
		mov	eax, esi

loc_81840C:				; CODE XREF: CmpParseKey+10670Dj
					; CmpParseKey+106735j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_818415:				; CODE XREF: CmpParseKey+A1j
		mov	eax, [ebp+arg_24]
		mov	ecx, [eax+8]
		call	CmpGetRegistryNamespaceRootForSilo
		mov	esi, [esp+0A8h+var_90]
		mov	edi, eax
		jmp	loc_8181B7
; 

loc_81842B:				; CODE XREF: CmpParseKey+D4j
		mov	edx, 0FFFEh
		add	esi, 2
		add	cx, dx
		mov	[esp+0A8h+var_90], esi
		add	ax, dx
		mov	word ptr [esp+0A8h+var_94], cx
		mov	word ptr [esp+0A8h+var_94+2], ax
		test	cx, cx
		jnz	loc_8181E0
		jmp	loc_8181EA
; 

loc_818455:				; CODE XREF: CmpParseKey+2E7j
		mov	[ebx+3Ch], edi
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		mov	ecx, [ebp+arg_24]
		mov	[ecx+8], eax
		jmp	short loc_8183F9
; 

loc_818465:				; CODE XREF: CmpParseKey+1D1j
		movzx	eax, word ptr [ebx+4]
		mov	word ptr [esp+0A8h+var_58], ax
		mov	word ptr [esp+0A8h+var_58+2], ax
		mov	eax, [ebx+8]
		mov	[esp+0A8h+var_54], eax
		lea	eax, [ebx+1Ch]
		mov	[esp+0A8h+var_2C], eax
		lea	eax, [esp+0A8h+var_58]
		mov	[esp+0A8h+var_40], eax
		mov	eax, [ecx+2Ch]
		mov	ecx, 1Ah
		mov	[esp+0A8h+var_3C], eax
		mov	eax, [ebp+arg_20]
		mov	[esp+0A8h+var_38], eax
		lea	eax, [esp+0A8h+var_88]
		push	eax
		push	edi
		push	1Bh
		jmp	loc_8182F4
; 

loc_8184A9:				; CODE XREF: CmpParseKey+BCj
		mov	eax, 0FFFEh
		add	cx, ax
		mov	word ptr [esp+0A8h+var_94], cx
		jnz	loc_8181C1
		jmp	loc_8181EA
; 

loc_8184C1:				; CODE XREF: CmpParseKey+FFj
		test	byte ptr [ebx],	40h
		jnz	loc_818215
		jmp	loc_91E87E
; 

loc_8184CF:				; CODE XREF: CmpParseKey+10Bj
		lea	edx, [esp+0A8h+var_94]
		mov	ecx, edi
		call	_CmpDoesParseEnterRegistryA@8 ;	CmpDoesParseEnterRegistryA(x,x)
		test	al, al
		jnz	loc_818221
		jmp	loc_91E888
; 

loc_8184E7:				; CODE XREF: CmpParseKey+115j
		or	dword ptr [ebx+14h], 10h
		jmp	loc_81822B
; 

loc_8184F0:				; CODE XREF: CmpParseKey+2DBj
					; CmpParseKey+10679Cj
		mov	eax, [ebp+arg_24]
		mov	dword ptr [ebx+2Ch], 0
		mov	dword ptr [eax+8], 0
		jmp	loc_8183F9
; 

loc_818506:				; CODE XREF: CmpParseKey+249j
		mov	eax, [ebx+54h]
		mov	ecx, eax
		push	0
		shl	ecx, 4
		push	0
		sub	ecx, eax
		push	0
		push	0
		lea	eax, dword_6B1670[ecx*8]
		push	eax
		call	KeWaitForSingleObject
		and	dword ptr [ebx], 0FFFFFEFFh
		jmp	loc_818320
; 

loc_818530:				; CODE XREF: CmpParseKey+255j
		mov	esi, [esp+0A8h+var_70]
		cmp	esi, 40h
		jnb	loc_91E8F5
		test	byte ptr [ebx+40h], 4
		jnz	loc_91E8CD

loc_818547:				; CODE XREF: CmpParseKey+1067E0j
		inc	esi
		mov	[esp+0A8h+var_70], esi
		jmp	loc_818320
; 

loc_818551:				; CODE XREF: CmpParseKey+1A7j
		xor	eax, eax
		jmp	loc_8182BD
CmpParseKey	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpDoesParseEnterRegistryA(x, x)
_CmpDoesParseEnterRegistryA@8 proc near	; CODE XREF: CmpParseKey+F8p
					; CmpParseKey+3C5p
		mov	eax, ds:_CmpRegistryRootObject
		mov	ecx, [ecx+8]
		cmp	ecx, [eax+8]
		jz	short loc_818570

loc_81856D:				; CODE XREF: CmpDoesParseEnterRegistryA(x,x)+16j
					; CmpDoesParseEnterRegistryA(x,x)+26j ...
		xor	al, al
		retn
; 

loc_818570:				; CODE XREF: CmpDoesParseEnterRegistryA(x,x)+Bj
		movzx	ecx, word ptr [edx]
		test	cx, cx
		jz	short loc_81856D
		mov	edx, [edx+4]
		movzx	eax, word ptr [edx]
		cmp	eax, 41h
		jz	short loc_818588
		cmp	eax, 61h
		jnz	short loc_81856D

loc_818588:				; CODE XREF: CmpDoesParseEnterRegistryA(x,x)+21j
		cmp	ecx, 2
		jbe	short loc_818594
		cmp	word ptr [edx+2], 5Ch
		jnz	short loc_81856D

loc_818594:				; CODE XREF: CmpDoesParseEnterRegistryA(x,x)+2Bj
		mov	al, 1
		retn
_CmpDoesParseEnterRegistryA@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtQueryValueKey(int,int,size_t,int,int,int)
NtQueryValueKey	proc near		; CODE XREF: ExpWatchProductTypeWork+104p
					; ExpWatchProductTypeWork+11E644p ...

var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E1		= byte ptr -0E1h
var_E0		= dword	ptr -0E0h
var_DC		= word ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D3		= byte ptr -0D3h
var_D2		= byte ptr -0D2h
var_D1		= byte ptr -0D1h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0091E933 SIZE 00000156 BYTES
; FUNCTION CHUNK AT 0091EAF3 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5888
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 140h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_F0], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_F4], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_FC], eax
		mov	dword ptr [ebp+var_DC],	0
		mov	[ebp+var_D8], 0
		mov	[ebp+var_150], 0
		push	4Ch		; size_t
		push	0		; int
		lea	eax, [ebp+var_D0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_EC], eax
		mov	[ebp+var_104], eax
		cmp	ds:_CmpTraceRoutine, eax
		jnz	loc_91E933

loc_81865C:				; CODE XREF: NtQueryValueKey+1063A0j
		mov	[ebp+var_D2], 0
		mov	[ebp+var_D3], 0
		mov	[ebp+var_E8], 0
		mov	[ebp+var_F8], 0
		push	0
		lea	eax, [ebp+var_DC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	edi, edi
		mov	[ebp+var_E0], edi
		xor	eax, eax
		mov	[ebp+var_14C], eax
		mov	[ebp+var_148], eax
		mov	[ebp+var_144], eax
		mov	[ebp+var_140], eax
		mov	[ebp+var_13C], eax
		mov	[ebp+var_138], eax
		mov	[ebp+var_134], eax
		mov	[ebp+var_130], eax
		mov	[ebp+var_12C], eax
		lea	eax, [ebp+var_114]
		mov	[ebp+var_110], eax
		mov	[ebp+var_114], eax
		mov	[ebp+var_108], edi
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_E1], al
		mov	ebx, [ebp+arg_8]
		test	al, al
		jz	loc_91E945
		test	ebx, ebx
		jz	short loc_818707
		cmp	ebx, 2
		jnz	loc_818B07

loc_818707:				; CODE XREF: NtQueryValueKey+15Cj
					; NtQueryValueKey+56Aj	...
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_D1], al
		mov	byte ptr [ebp+var_120],	al
		push	0
		lea	eax, [ebp+var_E8]
		push	eax
		push	[ebp+var_120]
		push	ecx
		mov	edx, 1
		mov	ecx, esi
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_100], esi
		test	esi, esi
		js	loc_818B6A
		cmp	ds:_CmpTraceRoutine, edi
		jnz	loc_91E9B8

loc_818757:				; CODE XREF: NtQueryValueKey+106420j
					; NtQueryValueKey+106435j
		mov	[ebp+var_4], edi
		cmp	[ebp+var_D1], 1
		jnz	loc_818AD3
		mov	[ebp+var_11C], 0
		mov	[ebp+var_118], 0
		mov	ecx, ds:_MmUserProbeAddress
		mov	eax, [ebp+var_F0]
		cmp	eax, ecx
		jnb	loc_91E9DA

loc_81878F:				; CODE XREF: NtQueryValueKey+10643Cj
		nop
		mov	ecx, [eax]
		mov	[ebp+var_11C], ecx
		mov	edx, [eax+4]
		mov	[ebp+var_118], edx
		mov	eax, [ebp+var_11C]
		mov	dword ptr [ebp+var_DC],	eax
		mov	[ebp+var_D8], edx
		movzx	eax, cx
		test	ax, ax
		jz	short loc_8187DC
		test	dl, 1
		jnz	loc_818B75
		add	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_91E9E1
		cmp	eax, edx
		jb	loc_91E9E1

loc_8187DC:				; CODE XREF: NtQueryValueKey+219j
					; NtQueryValueKey+106444j
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_81880A
		mov	edx, [ebp+var_F4]
		test	dl, 3
		jnz	loc_818B7A
		add	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_91E9E9
		cmp	eax, edx
		jb	loc_91E9E9

loc_81880A:				; CODE XREF: NtQueryValueKey+241j
					; NtQueryValueKey+10644Cj
		mov	ecx, [ebp+var_FC]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_91E9F1

loc_81881D:				; CODE XREF: NtQueryValueKey+106453j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ebx, [ebp+var_D8]

loc_818827:				; CODE XREF: NtQueryValueKey+54Aj
		mov	si, [ebp+var_DC]
		mov	[ebp-0DAh], si
		movsx	ecx, [ebp+var_D1]
		mov	edx, ebx
		call	_CmpDoesBufferRequireCapturing@8 ; CmpDoesBufferRequireCapturing(x,x)
		test	al, al
		jz	loc_818AFC
		test	si, si
		jz	loc_818AEF
		cmp	si, 40h
		ja	loc_818B27
		lea	edi, [ebp+var_60]
		mov	[ebp+var_E0], edi

loc_818867:				; CODE XREF: NtQueryValueKey+5B1j
		test	edi, edi
		jz	short loc_818880
		movzx	eax, si
		push	eax		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	si, [ebp+var_DC]

loc_818880:				; CODE XREF: NtQueryValueKey+2C9j
					; NtQueryValueKey+557j
		mov	ebx, edi
		mov	[ebp+var_D8], ebx

loc_818888:				; CODE XREF: NtQueryValueKey+562j
		test	byte ptr [ebp+var_DC], 1
		jnz	loc_91EA08

loc_818895:				; CODE XREF: NtQueryValueKey+106479j
		test	si, si
		jz	short loc_8188AD
		movzx	esi, si
		mov	eax, esi
		shr	eax, 1
		cmp	word ptr [ebx+eax*2-2],	0
		jz	loc_91EA0F

loc_8188AD:				; CODE XREF: NtQueryValueKey+2F8j
		mov	[ebp+var_4], 0FFFFFFFEh
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	[ebp+var_D3], 1
		cmp	_CmpCallBackCount, 0
		jz	loc_818B62
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		mov	ebx, [ebp+arg_10]
		test	eax, eax
		jnz	short loc_81894C
		mov	ecx, [ebp+var_E8]
		mov	[ebp+var_14C], ecx
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_148], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_144], eax
		mov	eax, [ebp+var_F4]
		mov	[ebp+var_140], eax
		mov	[ebp+var_13C], ebx
		mov	eax, [ebp+var_FC]
		mov	[ebp+var_138], eax
		lea	eax, [ebp+var_114]
		push	eax
		push	ecx
		push	17h
		push	1
		push	0
		lea	edx, [ebp+var_14C]
		mov	ecx, 8
		call	CmpCallCallBacksEx
		mov	esi, eax
		test	esi, esi
		js	loc_91EA1E
		mov	[ebp+var_D2], 1

loc_81894C:				; CODE XREF: NtQueryValueKey+33Cj
					; NtQueryValueKey+5C5j
		lea	eax, [ebp+var_108]
		push	eax
		push	1
		mov	dl, [ebp+var_D1]
		lea	ecx, [ebp+var_E8]
		call	_CmKeyBodyRemapToVirtualForEnum@16 ; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_818A07
		push	3		; char
		movsx	eax, [ebp+var_D1]
		push	eax		; int
		push	ebx		; size_t
		mov	edx, [ebp+var_F4]
		lea	ecx, [ebp+var_D0]
		call	CmpBounceContextStart
		mov	esi, eax
		test	esi, esi
		js	short loc_818A07
		mov	ecx, [ebp+var_108]
		test	ecx, ecx
		jnz	loc_91EA34

loc_8189A0:				; CODE XREF: NtQueryValueKey+1064E4j
		push	[ebp+var_D8]	; int
		push	dword ptr [ebp+var_DC] ; __int16
		lea	eax, [ebp+var_F8]
		push	eax		; int
		push	ebx		; size_t
		push	[ebp+var_CC]	; int
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+var_E8]
		call	CmQueryValueKey
		mov	esi, eax
		test	esi, esi
		js	loc_818AB6

loc_8189D2:				; CODE XREF: NtQueryValueKey+51Cj
					; NtQueryValueKey+52Ej	...
		mov	[ebp+var_4], 1
		mov	edx, [ebp+var_F8]
		mov	eax, [ebp+var_FC]
		mov	[eax], edx
		cmp	esi, 0C0000023h
		jz	short loc_818A00
		cmp	edx, ebx
		jb	short loc_8189F5
		mov	edx, ebx

loc_8189F5:				; CODE XREF: NtQueryValueKey+451j
		lea	ecx, [ebp+var_D0]
		call	_CmpBounceContextCopyDataToCallerBuffer@8 ; CmpBounceContextCopyDataToCallerBuffer(x,x)

loc_818A00:				; CODE XREF: NtQueryValueKey+44Dj
					; NtQueryValueKey+106463j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_818A07:				; CODE XREF: NtQueryValueKey+3CAj
					; NtQueryValueKey+3F0j	...
		mov	ebx, [ebp+arg_8]

loc_818A0A:				; CODE XREF: NtQueryValueKey+5D0j
					; NtQueryValueKey+1063AAj ...
		mov	ecx, [ebp+var_108]
		test	ecx, ecx
		jnz	loc_91EAF3

loc_818A18:				; CODE XREF: NtQueryValueKey+106558j
		cmp	[ebp+var_D2], 0
		jz	short loc_818A44
		lea	eax, [ebp+var_114]
		push	eax
		push	0
		lea	eax, [ebp+var_14C]
		push	eax
		push	esi
		mov	edx, [ebp+var_E8]
		mov	ecx, 17h
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		mov	esi, eax

loc_818A44:				; CODE XREF: NtQueryValueKey+47Fj
		cmp	[ebp+var_D3], 0
		jz	short loc_818A52
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_818A52:				; CODE XREF: NtQueryValueKey+4ABj
		mov	ecx, [ebp+var_E8]
		test	ecx, ecx
		jz	short loc_818A61
		call	ObfDereferenceObject

loc_818A61:				; CODE XREF: NtQueryValueKey+4BAj
		lea	ecx, [ebp+var_D0]
		call	_CmpBounceContextCleanup@4 ; CmpBounceContextCleanup(x)
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jnz	loc_91EAFD

loc_818A79:				; CODE XREF: NtQueryValueKey+106574j
		test	edi, edi
		jz	short loc_818A88
		lea	eax, [ebp+var_60]
		cmp	edi, eax
		jnz	loc_818B56

loc_818A88:				; CODE XREF: NtQueryValueKey+4DBj
					; NtQueryValueKey+5BDj
		cmp	[ebp+var_E1], 0
		jz	short loc_818A96
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_818A96:				; CODE XREF: NtQueryValueKey+4EFj
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_818AB6:				; CODE XREF: NtQueryValueKey+42Cj
		cmp	esi, 80000005h
		jz	loc_8189D2
		cmp	esi, 0C0000023h
		jnz	loc_818A07
		jmp	loc_8189D2
; 

loc_818AD3:				; CODE XREF: NtQueryValueKey+1C1j
		mov	ebx, [ebp+var_F0]
		mov	eax, [ebx]
		mov	dword ptr [ebp+var_DC],	eax
		mov	ebx, [ebx+4]
		mov	[ebp+var_D8], ebx
		jmp	loc_818827
; 

loc_818AEF:				; CODE XREF: NtQueryValueKey+2AEj
		xor	edi, edi
		mov	[ebp+var_E0], edi
		jmp	loc_818880
; 

loc_818AFC:				; CODE XREF: NtQueryValueKey+2A5j
		mov	edi, [ebp+var_E0]
		jmp	loc_818888
; 

loc_818B07:				; CODE XREF: NtQueryValueKey+161j
		cmp	ebx, 1
		jz	loc_818707
		cmp	ebx, 3
		jz	loc_818707
		cmp	ebx, 4
		jz	loc_818707
		jmp	loc_91E94F
; 

loc_818B27:				; CODE XREF: NtQueryValueKey+2B8j
		push	6E764D43h
		movzx	edx, si
		call	_CmpAllocateTransientPoolWithQuotaTag@12 ; CmpAllocateTransientPoolWithQuotaTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_E0], edi
		test	edi, edi
		jz	loc_91E9F8
		mov	ebx, [ebp+var_D8]
		mov	si, [ebp+var_DC]
		jmp	loc_818867
; 

loc_818B56:				; CODE XREF: NtQueryValueKey+4E2j
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	loc_818A88
; 

loc_818B62:				; CODE XREF: NtQueryValueKey+327j
		mov	ebx, [ebp+arg_10]
		jmp	loc_81894C
; 

loc_818B6A:				; CODE XREF: NtQueryValueKey+1A5j
		mov	edi, [ebp+var_E0]
		jmp	loc_818A0A
; 

loc_818B75:				; CODE XREF: NtQueryValueKey+21Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_818B7A:				; CODE XREF: NtQueryValueKey+24Cj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
NtQueryValueKey	endp


;  S U B	R O U T	I N E 


; __stdcall CmpReleaseShutdownRundown(x)
_CmpReleaseShutdownRundown@4 proc near	; CODE XREF: CmpTryToRundownHive+37p
					; CmpTryToRundownHive+17653Ap ...
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_CmpReleaseShutdownRundown@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpBounceContextCleanup(x)
_CmpBounceContextCleanup@4 proc	near	; CODE XREF: PAGE:007C777Ep
					; NtEnumerateKey+334p ...
		mov	edx, [ecx+4]
		test	edx, edx
		jz	short locret_818BE9
		cmp	edx, [ecx]
		jz	short locret_818BE9
		lea	eax, [ecx+9]
		cmp	edx, eax
		jz	short locret_818BE9
		test	byte ptr [ecx+8], 1
		jz	short loc_818BEA
		mov	ax, word_6FA284
		inc	dword_6FA294
		cmp	ax, word_6FA288
		jnb	short loc_818BD7
		mov	ecx, offset _CmpBounceBufferLookaside
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
; 

loc_818BD7:				; CODE XREF: CmpBounceContextCleanup(x)+2Bj
		inc	dword_6FA298
		push	offset _CmpBounceBufferLookaside
		push	edx
		call	dword_6FA2AC

locret_818BE9:				; CODE XREF: CmpBounceContextCleanup(x)+5j
					; CmpBounceContextCleanup(x)+9j ...
		retn
; 

loc_818BEA:				; CODE XREF: CmpBounceContextCleanup(x)+16j
		mov	ecx, edx
		jmp	_CmpFreePool@4	; CmpFreePool(x)
_CmpBounceContextCleanup@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


CmpAcquireShutdownRundown proc near	; CODE XREF: CmpTryToRundownHive+3Fp
					; CmUnloadKey+DAp ...

; FUNCTION CHUNK AT 008CA232 SIZE 00000011 BYTES

		mov	eax, large fs:124h
		push	ebx
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	bl, al
		test	bl, bl
		jz	loc_8CA232

loc_818C23:				; CODE XREF: CmpAcquireShutdownRundown+B163Ej
		mov	al, bl
		pop	ebx
		retn
CmpAcquireShutdownRundown endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmpBounceContextStart(size_t,int,char)
CmpBounceContextStart proc near		; CODE XREF: PAGE:007C765Dp
					; NtEnumerateKey+266p ...

var_6A		= byte ptr -6Ah
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 0091EB19 SIZE 000000D5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	[ebx], edi
		test	esi, esi
		jz	loc_818CF0
		cmp	dword_6CDE84, 0
		jz	short loc_818C97
		cmp	[ebp+arg_4], 0
		jz	short loc_818CE0

loc_818C69:				; CODE XREF: CmpBounceContextStart+BBj
		cmp	dword_6B2348, 5
		jbe	short loc_818C83
		mov	eax, dword_6B2350
		and	eax, 4
		or	eax, 0
		jnz	loc_91EB19

loc_818C83:				; CODE XREF: CmpBounceContextStart+40j
					; CmpBounceContextStart+105EF8j ...
		cmp	esi, 40h
		ja	short loc_818CB0
		lea	edi, [ebx+9]

loc_818C8B:				; CODE XREF: CmpBounceContextStart+D9j
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_818C97:				; CODE XREF: CmpBounceContextStart+31j
					; CmpBounceContextStart+AEj ...
		mov	[ebx+4], edi

loc_818C9A:				; CODE XREF: CmpBounceContextStart+C7j
		xor	eax, eax

loc_818C9C:				; CODE XREF: CmpBounceContextStart+105FB9j
		mov	ecx, [esp+78h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_818CB0:				; CODE XREF: CmpBounceContextStart+56j
		cmp	esi, 1000h
		ja	short loc_818CF9
		inc	dword_6FA28C
		mov	ecx, offset _CmpBounceBufferLookaside
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_818D10

loc_818CCE:				; CODE XREF: CmpBounceContextStart+107j
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		or	byte ptr [ebx+8], 1
		jmp	short loc_818C97
; 

loc_818CE0:				; CODE XREF: CmpBounceContextStart+37j
		mov	ecx, edi
		call	_CmpIsBufferGloballyVisible@4 ;	CmpIsBufferGloballyVisible(x)
		test	al, al
		jnz	short loc_818C97
		jmp	loc_818C69
; 

loc_818CF0:				; CODE XREF: CmpBounceContextStart+24j
		mov	dword ptr [ebx+4], 0
		jmp	short loc_818C9A
; 

loc_818CF9:				; CODE XREF: CmpBounceContextStart+86j
					; CmpBounceContextStart+109j
		push	42424D43h
		mov	edx, esi
		call	_CmpAllocateTransientPoolWithQuotaTag@12 ; CmpAllocateTransientPoolWithQuotaTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_818C8B
		jmp	loc_91EBE4
; 

loc_818D10:				; CODE XREF: CmpBounceContextStart+9Cj
		mov	eax, dword_6FA2A0
		inc	dword_6FA290
		push	offset _CmpBounceBufferLookaside
		push	eax
		mov	eax, dword_6FA2A4
		push	eax
		mov	eax, dword_6FA29C
		push	eax
		call	dword_6FA2A8
		mov	edi, eax
		test	edi, edi
		jnz	short loc_818CCE
		jmp	short loc_818CF9
CmpBounceContextStart endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmKeyBodyRemapToVirtualForEnum(x, x, x, x)
_CmKeyBodyRemapToVirtualForEnum@16 proc	near ; CODE XREF: PAGE:007C7632p
					; NtEnumerateKey+240p ...

var_25C		= byte ptr -25Ch
var_25B		= byte ptr -25Bh
var_25A		= byte ptr -25Ah
var_259		= byte ptr -259h
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_20C		= dword	ptr -20Ch
var_1E8		= dword	ptr -1E8h
var_1DC		= dword	ptr -1DCh
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_19C		= dword	ptr -19Ch
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_D0		= dword	ptr -0D0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 25Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+25Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		lea	eax, [esp+260h+var_148]
		push	esi
		push	edi
		push	74h		; size_t
		mov	esi, ecx
		mov	[esp+26Ch+var_25A], dl
		push	0		; int
		push	eax		; void *
		mov	[esp+274h+var_238], esi
		mov	[esp+274h+var_24C], ebx
		mov	[esp+274h+var_254], 0
		mov	[esp+274h+var_250], 0
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+268h+var_D0]
		push	0C4h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+268h+var_254]
		push	0
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, [esi]
		xor	eax, eax
		xor	edi, edi
		mov	[esp+268h+var_160], eax
		push	0B4h		; size_t
		mov	[esp+26Ch+var_15C], eax
		mov	[esp+26Ch+var_158], eax
		mov	[esp+26Ch+var_154], eax
		mov	[esp+26Ch+var_150], eax
		mov	[esp+26Ch+var_14C], eax
		lea	eax, [esp+26Ch+var_218]
		push	edi		; int
		push	eax		; void *
		mov	[esp+274h+var_234], esi
		mov	[esp+274h+var_258], edi
		call	_memset
		add	esp, 0Ch
		mov	[esp+268h+var_1DC], 0FFFFFFFFh
		lea	eax, [esp+268h+var_1C0]
		mov	[esp+268h+var_1BC], eax
		mov	[esp+268h+var_1C0], eax
		lea	eax, [esp+268h+var_19C]
		push	38h		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		mov	[esp+274h+var_25C], 0
		mov	[ebx], eax
		add	esp, 0Ch
		mov	ebx, [esi+8]
		mov	[esp+268h+var_25B], 0
		mov	[esp+268h+var_248], eax
		mov	[esp+268h+var_244], eax
		mov	[esp+268h+var_240], eax
		mov	[esp+268h+var_23C], eax
		mov	[esp+268h+var_259], al
		cmp	[ebx+22h], ax
		jnz	loc_8190B2
		test	byte ptr [esi+1Ch], 10h
		jnz	loc_8190B2
		mov	ecx, ebx
		call	KCBIsVirtualizable
		test	al, al
		jz	short loc_818E80
		mov	[esp+268h+var_25C], 1
		jmp	short loc_818E9F
; 

loc_818E80:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+137j
		cmp	_CmpVEEnabled, 0
		jz	loc_8190B2
		test	dword ptr [ebx+68h], 1000000h
		jz	loc_8190B2
		mov	[esp+268h+var_25B], 1

loc_818E9F:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+13Ej
		lea	eax, [esp+268h+var_248]
		push	eax
		call	SeCaptureSubjectContext
		mov	cl, [esp+268h+var_25A]
		lea	eax, [esp+268h+var_20C]
		push	eax
		lea	edx, [esp+26Ch+var_248]
		call	CmpIsSystemEntity
		test	al, al
		jz	short loc_818ED0
		lea	eax, [esp+268h+var_248]
		xor	esi, esi
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_8190B4
; 

loc_818ED0:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+17Dj
		cmp	[esp+268h+var_25C], 0
		jz	short loc_818EF3
		mov	ecx, ebx
		call	CmpHasKcbBeenMirrored
		test	al, al
		jnz	short loc_818EF3
		lea	eax, [esp+268h+var_248]
		xor	esi, esi
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_8190B4
; 

loc_818EF3:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+195j
					; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+1A0j
		lea	ecx, [esp+268h+var_160]
		call	CmpAttachToRegistryProcess
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, ebx
		call	_CmpLockKcbShared@4 ; CmpLockKcbShared(x)
		cmp	[esp+268h+var_25C], 0
		jz	loc_81901C
		xor	edx, edx
		mov	ecx, esi
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_819031
		lea	eax, [esp+268h+var_254]
		mov	ecx, ebx
		push	eax
		lea	eax, [esp+26Ch+var_248]
		push	eax
		call	_CmpReparseToVirtualPath@16 ; CmpReparseToVirtualPath(x,x,x,x)
		test	al, al
		jz	loc_81902F

loc_818F42:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+2E9j
		mov	ecx, ebx
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ebx, [esp+268h+var_238]
		mov	edi, [ebp+arg_0]
		mov	[esp+268h+var_218], 8
		mov	eax, [ebx]
		mov	eax, [eax+20h]
		mov	[esp+268h+var_1E8], eax
		test	edi, edi
		jnz	short loc_818F75
		mov	[esp+268h+var_218], 1008h

loc_818F75:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+22Bj
		mov	eax, ds:_CmKeyObjectType
		lea	edx, [esp+268h+var_148]
		add	eax, 34h
		lea	ecx, [esp+268h+var_248]
		push	eax		; int
		push	edi		; int
		lea	eax, [esp+270h+var_D0]
		push	eax		; void *
		call	_SeCreateAccessStateFromSubjectContext@20 ; SeCreateAccessStateFromSubjectContext(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_81909A
		mov	al, [esp+268h+var_25A]
		lea	edx, [esp+268h+var_148]
		dec	al
		mov	[esp+268h+var_259], 1
		movsx	eax, al
		neg	eax
		mov	[esp+268h+var_230], 18h
		mov	[esp+268h+var_22C], 0
		sbb	eax, eax
		mov	[esp+268h+var_220], 0
		and	eax, 0FFFFFC00h
		mov	[esp+268h+var_21C], 0
		add	eax, 640h
		mov	[esp+268h+var_224], eax
		lea	eax, [esp+268h+var_254]
		mov	[esp+268h+var_228], eax
		lea	eax, [esp+268h+var_258]
		push	eax
		lea	eax, [esp+26Ch+var_218]
		push	eax
		push	0
		push	ecx
		push	edi
		lea	ecx, [esp+27Ch+var_230]
		call	_CmObReferenceObjectByName@28 ;	CmObReferenceObjectByName(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_81903A
		cmp	[esp+268h+var_25B], 0
		mov	edi, [esp+268h+var_258]
		jz	short loc_81905B
		xor	esi, esi
		jmp	short loc_81905B
; 

loc_81901C:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+1D0j
		lea	edx, [esp+268h+var_254]
		mov	ecx, ebx
		call	_CmVirtualKCBToRealPath@8 ; CmVirtualKCBToRealPath(x,x)
		test	eax, eax
		jns	loc_818F42

loc_81902F:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+1FCj
		xor	esi, esi

loc_819031:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+1E3j
		mov	ecx, ebx
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		jmp	short loc_819056
; 

loc_81903A:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+2CBj
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edi, [esp+268h+var_258]
		mov	eax, [edi+8]
		cmp	word ptr [eax+22h], 0
		jz	short loc_81906F
		cmp	[esp+268h+var_25B], 0
		jz	short loc_819056
		xor	esi, esi

loc_819056:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+2F8j
					; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+312j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_81905B:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+2D6j
					; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+2DAj
		test	edi, edi
		jz	short loc_819066
		mov	ecx, edi
		call	ObfDereferenceObject

loc_819066:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+31Dj
		cmp	[esp+268h+var_259], 0
		jz	short loc_81909A
		jmp	short loc_81908D
; 

loc_81906F:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+30Bj
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		cmp	[esp+268h+var_25C], 0
		mov	ecx, [esp+268h+var_24C]
		jz	short loc_819083
		mov	[ecx], edi
		jmp	short loc_81908B
; 

loc_819083:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+33Dj
		mov	eax, [esp+268h+var_234]
		mov	[ebx], edi
		mov	[ecx], eax

loc_81908B:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+341j
		xor	esi, esi

loc_81908D:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+32Dj
		lea	eax, [esp+268h+var_148]
		push	eax
		call	SeDeleteAccessState

loc_81909A:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+25Bj
					; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+32Bj
		lea	ecx, [esp+268h+var_160]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		lea	eax, [esp+268h+var_248]
		push	eax
		call	SeReleaseSubjectContext
		jmp	short loc_8190B4
; 

loc_8190B2:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+11Ej
					; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+128j	...
		xor	esi, esi

loc_8190B4:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+18Bj
					; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+1AEj	...
		mov	eax, [esp+268h+var_250]
		test	eax, eax
		jz	short loc_8190C4
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8190C4:				; CODE XREF: CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+37Aj
		xor	dl, dl
		lea	ecx, [esp+268h+var_218]
		call	CmpCleanupParseContext
		mov	ecx, [esp+268h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_CmKeyBodyRemapToVirtualForEnum@16 endp

; 
		align 10h

CmpCleanupParseContext:			; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+459p
					; CmUnloadKey+36Dp ...
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		mov	ecx, [esi+38h]
		test	ecx, ecx
		jnz	loc_91EBEE

loc_819104:				; CODE XREF: PAGE:0091EC01j
					; PAGE:0091EC0Cj
		mov	eax, [esi+58h]
		add	esi, 58h
		cmp	[eax+4], esi
		jnz	short loc_819143
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_819143
		mov	[esi], ecx
		mov	[ecx+4], esi
		cmp	eax, esi
		jnz	short loc_819123

loc_81911F:				; CODE XREF: PAGE:0081913Fj
		pop	esi
		pop	ebx
		pop	ecx
		retn
; 

loc_819123:				; CODE XREF: PAGE:0081911Dj
					; PAGE:00819141j
		mov	ecx, eax
		call	_CmpFreeExtraParameter@4 ; CmpFreeExtraParameter(x)
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_819143
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_819143
		mov	[esi], ecx
		mov	[ecx+4], esi
		cmp	eax, esi
		jz	short loc_81911F
		jmp	short loc_819123
; 

loc_819143:				; CODE XREF: PAGE:0081910Dj
					; PAGE:00819114j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpIsKcbInsideVirtualizedHive(x)
_CmpIsKcbInsideVirtualizedHive@4 proc near ; CODE XREF:	KCBIsVirtualizable+12p
					; KCBNeedsVirtualImage+12p
		mov	eax, [ecx+10h]
		mov	eax, [eax+980h]
		shr	eax, 4
		and	al, 1
		retn
_CmpIsKcbInsideVirtualizedHive@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpDoesBufferRequireCapturing(x, x)
_CmpDoesBufferRequireCapturing@8 proc near ; CODE XREF:	PAGE:0073215Fp
					; PAGE:007321F5p ...
		test	ecx, ecx
		jz	short loc_819167

loc_819164:				; CODE XREF: CmpDoesBufferRequireCapturing(x,x)+19j
		mov	al, 1
		retn
; 

loc_819167:				; CODE XREF: CmpDoesBufferRequireCapturing(x,x)+2j
		cmp	dword_6CDE84, 0
		jz	short loc_81917B
		mov	ecx, edx
		call	_CmpIsBufferGloballyVisible@4 ;	CmpIsBufferGloballyVisible(x)
		test	al, al
		jz	short loc_819164

loc_81917B:				; CODE XREF: CmpDoesBufferRequireCapturing(x,x)+Ej
		xor	al, al
		retn
_CmpDoesBufferRequireCapturing@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmPostCallbackNotification(x, x, x,	x, x)
_CmPostCallbackNotification@20 proc near ; CODE	XREF: CmpDoQueryKeyName+208p
					; PAGE:007C73E6p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		pop	ebp
		retn	0Ch
_CmPostCallbackNotification@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCallCallBacks(x,	x, x, x, x, x)
_CmpCallCallBacks@24 proc near		; CODE XREF: CmpDoQueryKeyName+AFp
					; PAGE:007C75F2p ...

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	1
		push	0
		call	CmpCallCallBacksEx
		pop	ebp
		retn	10h
_CmpCallCallBacks@24 endp

; 
		align 10h

CmOpenKey:				; CODE XREF: NtOpenKey(x,x,x)+13p
					; ExpWatchProductTypeWork+A7p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A58B0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 134h
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		mov	[ebp-20h], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	edi, edx
		mov	eax, ecx
		mov	[ebp-110h], eax
		mov	[ebp-134h], eax
		mov	ebx, [ebp+8]
		mov	[ebp-118h], ebx
		xor	esi, esi
		mov	[ebp-114h], esi
		mov	[ebp-108h], esi
		mov	[ebp-104h], esi
		mov	byte ptr [ebp-0FDh], 0
		mov	[ebp-10Ch], esi
		mov	[ebp-140h], esi
		xor	eax, eax
		mov	[ebp-44h], eax
		mov	[ebp-40h], eax
		mov	[ebp-3Ch], eax
		mov	[ebp-38h], eax
		mov	[ebp-34h], eax
		mov	[ebp-30h], eax
		mov	[ebp-2Ch], eax
		mov	[ebp-28h], eax
		mov	[ebp-120h], eax
		cmp	ds:_CmpTraceRoutine, eax
		jnz	loc_91EC11

loc_819267:				; CODE XREF: PAGE:0091EC1Ej
		push	0B4h
		push	0
		lea	eax, [ebp-0FCh]
		push	eax
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebp-0C0h], 0FFFFFFFFh
		xor	eax, eax
		mov	[ebp-0A4h], eax
		mov	[ebp-0A0h], eax
		lea	eax, [ebp-0A4h]
		mov	[ebp-0A0h], eax
		mov	[ebp-0A4h], eax
		push	38h
		push	0
		lea	eax, [ebp-80h]
		push	eax
		call	_memset
		add	esp, 0Ch
		mov	eax, edi
		and	eax, 300h
		mov	[ebp-0E4h], eax
		and	edi, 0FFFFFCFFh
		mov	[ebp-130h], edi
		call	CmpAcquireShutdownRundown
		test	al, al
		jz	loc_91EC23
		mov	eax, [ebp+0Ch]
		and	eax, 1Ch
		cmp	eax, [ebp+0Ch]
		jnz	loc_91EC49
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-138h], al
		mov	[ebp-4], esi
		cmp	al, 1
		jnz	loc_81946D
		mov	ecx, [ebp-110h]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		jnb	loc_91EC58

loc_81931D:				; CODE XREF: PAGE:0091EC5Aj
		mov	dword ptr [ecx], 0
		mov	ecx, ebx
		test	bl, 3
		jnz	loc_819486
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_91EC5F

loc_81933B:				; CODE XREF: PAGE:0091EC61j
		nop
		mov	al, [ecx]
		mov	edx, [ebx+8]
		mov	dword ptr [ebp-128h], 0
		mov	dword ptr [ebp-124h], 0
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_91EC66

loc_819362:				; CODE XREF: PAGE:0091EC68j
		nop
		mov	ecx, [edx]
		mov	[ebp-128h], ecx
		mov	edx, [edx+4]
		mov	[ebp-124h], edx
		mov	eax, [ebp-128h]
		mov	[ebp-108h], eax
		mov	[ebp-104h], edx
		movzx	eax, cx
		test	ax, ax
		jz	short loc_8193AF
		test	dl, 1
		jnz	loc_81948B
		add	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_91EC6D
		cmp	eax, edx
		jb	loc_91EC6D

loc_8193AF:				; CODE XREF: PAGE:0081938Cj
					; PAGE:00819481j ...
		mov	ecx, [ebx+4]
		mov	[ebp-10Ch], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_8193BF:				; CODE XREF: PAGE:0091ECC5j
		test	esi, esi
		js	short loc_81942E
		cmp	ds:_CmpTraceRoutine, 0
		jnz	loc_91ECCA

loc_8193D0:				; CODE XREF: PAGE:0091ECCCj
					; PAGE:0091ED12j ...
		mov	eax, [ebp+10h]
		mov	[ebp-0CCh], eax
		mov	eax, [ebp+0Ch]
		mov	[ebp-0E8h], eax
		lea	eax, [ebp-114h]
		push	eax
		lea	eax, [ebp-0FCh]
		push	eax
		push	edi
		push	0
		push	dword ptr [ebp-138h]
		mov	eax, ds:_CmKeyObjectType
		push	eax
		push	ebx
		call	_ObOpenObjectByName@28 ; ObOpenObjectByName(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_81942E
		mov	byte ptr [ebp-0FDh], 1
		mov	dword ptr [ebp-4], 1
		mov	eax, [ebp-114h]
		mov	ecx, [ebp-110h]
		mov	[ecx], eax

loc_819427:				; CODE XREF: PAGE:0091ED54j
					; PAGE:0091ED65j
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_81942E:				; CODE XREF: PAGE:008193C1j
					; PAGE:00819409j
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jnz	loc_91ED6A

loc_81943B:				; CODE XREF: PAGE:0091ED82j
		xor	dl, dl
		lea	ecx, [ebp-0FCh]
		call	CmpCleanupParseContext
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		mov	eax, esi

loc_81944F:				; CODE XREF: PAGE:0091EC44j
					; PAGE:0091EC53j
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-20h]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81946D:				; CODE XREF: PAGE:00819303j
		mov	ecx, [ebx+8]
		mov	eax, [ecx]
		mov	[ebp-108h], eax
		mov	eax, [ecx+4]
		mov	[ebp-104h], eax
		jmp	loc_8193AF
; 

loc_819486:				; CODE XREF: PAGE:00819328j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_81948B:				; CODE XREF: PAGE:00819391j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1630. ObOpenObjectByName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObOpenObjectByName(x, x, x,	x, x, x, x)
		public _ObOpenObjectByName@28
_ObOpenObjectByName@28 proc near	; CODE XREF: PAGE:007BCBEBp
					; PAGE:00819400p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_18]
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ObOpenObjectByNameEx
		pop	ebp
		retn	1Ch
_ObOpenObjectByName@28 endp

; 
		align 10h
; Exported entry 2441. SeCaptureSubjectContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeCaptureSubjectContext
SeCaptureSubjectContext	proc near	; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+120p
					; SeReportSecurityEventWithSubCategory+F1p ...

var_8		= dword	ptr -8
var_2		= dword	ptr -2
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0091ED87 SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	eax, large fs:124h
		mov	ecx, large fs:124h
		mov	byte ptr [ebp+var_2], 0
		mov	byte ptr [ebp+var_2+1],	0
		push	ebx
		mov	ebx, [eax+80h]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	eax, [ebx+0E4h]
		mov	[esi+0Ch], eax
		test	ecx, ecx
		jz	loc_91ED87
		push	0
		lea	eax, [esi+4]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_2+1]
		push	eax
		lea	eax, [ebp+var_2]
		push	eax
		call	_PsReferenceImpersonationTokenEx@24 ; PsReferenceImpersonationTokenEx(x,x,x,x,x,x)

loc_81951F:				; CODE XREF: SeCaptureSubjectContext+1058B9j
		lea	ecx, [ebx+12Ch]
		mov	[esi], eax
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_81954B

loc_819532:				; CODE XREF: SeCaptureSubjectContext+CDj
		mov	[esi+8], edi
		cmp	ds:_SeTokenLeakTracking, 0
		jnz	loc_91ED8E

loc_819542:				; CODE XREF: SeCaptureSubjectContext+1058E0j
					; SeCaptureSubjectContext+1058FCj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_81954B:				; CODE XREF: SeCaptureSubjectContext+60j
		mov	eax, large fs:124h
		mov	[ebp+var_8], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [ebx+0E0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		call	ExAcquirePushLockSharedEx
		lea	ecx, [ebx+12Ch]
		call	@ObFastReferenceObjectLocked@4 ; ObFastReferenceObjectLocked(x)
		mov	ebx, [ebp+arg_0]
		mov	edi, eax
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	short loc_81959F

loc_81958E:				; CODE XREF: SeCaptureSubjectContext+D6j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	short loc_819532
; 

loc_81959F:				; CODE XREF: SeCaptureSubjectContext+BCj
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_81958E
SeCaptureSubjectContext	endp

; 
		align 10h
; Exported entry 2500. SeReleaseSubjectContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeReleaseSubjectContext
SeReleaseSubjectContext	proc near	; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+2CAp
					; ExCpuSetResourceManagerAccessCheck(x)+82p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008195FF SIZE 0000000B BYTES
; FUNCTION CHUNK AT 0091EDD8 SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_SeTokenLeakTracking, 0
		push	esi
		mov	esi, [ebp+arg_0]
		jnz	loc_91EDD8

loc_8195C6:				; CODE XREF: SeReleaseSubjectContext+53j
					; SeReleaseSubjectContext+10586Cj ...
		mov	eax, large fs:124h
		mov	edx, [esi+8]
		mov	ecx, [eax+80h]
		add	ecx, 12Ch
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	ecx, [esi]
		mov	dword ptr [esi+8], 0
		test	ecx, ecx
		jnz	short loc_8195F8

loc_8195ED:				; CODE XREF: SeReleaseSubjectContext+4Dj
		mov	dword ptr [esi], 0
		pop	esi
		pop	ebp
		retn	4
; 

loc_8195F8:				; CODE XREF: SeReleaseSubjectContext+3Bj
		call	ObfDereferenceObject
		jmp	short loc_8195ED
SeReleaseSubjectContext	endp

; 
; START	OF FUNCTION CHUNK FOR SeReleaseSubjectContext

loc_8195FF:				; CODE XREF: SeReleaseSubjectContext+10582Dj
					; SeReleaseSubjectContext+10584Aj ...
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_8195C6
		jmp	loc_91EE06
; END OF FUNCTION CHUNK	FOR SeReleaseSubjectContext
; 
		align 10h
; Exported entry 1631. ObOpenObjectByNameEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObOpenObjectByNameEx
ObOpenObjectByNameEx proc near		; CODE XREF: IoRevokeHandlesForProcess(x,x)+D2p
					; IoQueryInformationByName+1F0p ...

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 00819CD5 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 0091EE28 SIZE 0000014C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		xor	eax, eax
		mov	[esp+5Ch+var_34], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[esp+60h+var_1C], eax
		mov	[esp+60h+var_18], eax
		mov	[esp+60h+var_14], eax
		mov	[esp+60h+var_10], eax
		mov	[esp+60h+var_C], eax
		mov	[esp+60h+var_8], eax
		mov	[esp+60h+var_4], eax
		mov	[esp+60h+var_50], eax
		mov	eax, [ebp+arg_1C]
		mov	[esp+60h+var_30], 0
		mov	[esp+60h+var_54], 0
		mov	[esp+60h+var_44], 0
		mov	[esp+60h+var_40], 0
		mov	dword ptr [eax], 0
		push	esi
		push	edi
		test	ebx, ebx
		jz	loc_91EF6A
		cmp	[ebp+arg_4], 0
		jz	loc_91EF6A
		mov	eax, large fs:20h
		mov	[esp+68h+var_58], eax
		mov	edi, [eax+5E0h]
		mov	ecx, edi
		inc	dword ptr [edi+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_819B7E
		mov	edi, [esp+68h+var_58]

loc_8196AE:				; CODE XREF: ObOpenObjectByNameEx+58Dj
					; ObOpenObjectByNameEx+5AFj
		mov	eax, [edi+3CCh]
		mov	[esi], eax
		lea	eax, [esi+74h]
		push	1
		push	eax
		lea	eax, [esp+70h+var_34]
		push	eax
		mov	eax, [ebp+arg_8]
		mov	dl, al
		push	ebx
		mov	cl, al
		call	ObpCaptureObjectCreateInformation
		mov	edi, eax
		test	edi, edi
		js	loc_91EE32
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jnz	loc_819787
		mov	eax, [ebp+arg_4]
		add	eax, 34h
		mov	[esp+78h+var_48], eax
		mov	eax, large fs:124h
		mov	ebx, large fs:124h
		mov	[esp+78h+var_38], edi
		mov	ecx, [eax+80h]
		mov	[esp+78h+var_58], ecx
		mov	eax, [ecx+0E4h]
		mov	[esp+78h+var_30], eax
		test	ebx, ebx
		jz	loc_91EE7C
		mov	eax, [ebx+2FCh]
		test	al, 8
		jnz	loc_8199D7
		xor	ebx, ebx
		mov	[esp+78h+var_68], ebx

loc_81972E:				; CODE XREF: ObOpenObjectByNameEx+449j
		mov	[esp+78h+var_3C], ebx

loc_819732:				; CODE XREF: ObOpenObjectByNameEx+105876j
		lea	eax, [ecx+12Ch]
		mov	ecx, eax
		mov	[esp+78h+var_4C], eax
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_819C6C
		mov	ecx, [esp+78h+var_68]

loc_819751:				; CODE XREF: ObOpenObjectByNameEx+6B5j
		cmp	ds:_SeTokenLeakTracking, 0
		mov	[esp+78h+var_34], ebx
		jnz	loc_91EE96

loc_819762:				; CODE XREF: ObOpenObjectByNameEx+1058A3j
					; ObOpenObjectByNameEx+1058BDj	...
		push	[esp+78h+var_48] ; int
		lea	eax, [esi+0A0h]
		mov	edx, esi	; void *
		push	[ebp+arg_10]	; int
		lea	ecx, [esp+80h+var_3C] ;	int
		push	eax		; void *
		call	_SepCreateAccessStateFromSubjectContext@20 ; SepCreateAccessStateFromSubjectContext(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8198F1
		mov	edi, esi

loc_819787:				; CODE XREF: ObOpenObjectByNameEx+CDj
		mov	ebx, [esi+8Ch]
		test	ebx, ebx
		jnz	loc_819B26
		mov	ebx, [edi+2Ch]

loc_819798:				; CODE XREF: ObOpenObjectByNameEx+519j
		test	ebx, ebx
		jnz	loc_819B2E

loc_8197A0:				; CODE XREF: ObOpenObjectByNameEx+530j
					; ObOpenObjectByNameEx+53Dj ...
		lea	ecx, [esp+78h+var_64]
		push	ecx
		lea	ecx, [esp+7Ch+var_54]
		push	ecx
		mov	ecx, [esi+78h]
		lea	eax, [esi+164h]
		push	eax
		mov	eax, [esi+90h]
		lea	edx, [esp+84h+var_44]
		push	edi
		push	[ebp+arg_18]
		push	0
		push	eax
		push	[ebp+arg_14]
		mov	eax, [esi+74h]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	eax
		call	_ObpLookupObjectName@52	; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8198F1
		cmp	byte ptr [esi+176h], 0
		jnz	loc_819A93

loc_8197EE:				; CODE XREF: ObOpenObjectByNameEx+4B7j
					; ObOpenObjectByNameEx+4FDj
		mov	ecx, [esi+168h]
		test	ecx, ecx
		jnz	loc_819B12

loc_8197FC:				; CODE XREF: ObOpenObjectByNameEx+511j
		mov	edx, [esp+78h+var_64]
		add	edx, 0FFFFFFE8h
		mov	[esp+78h+var_58], edx
		test	byte ptr [edx+0Fh], 1
		jz	loc_8199C0
		mov	eax, [edx+10h]
		mov	[esp+78h+var_5C], 0
		test	eax, eax
		jz	short loc_81985E
		mov	ecx, [eax+18h]
		test	ecx, ecx
		jnz	loc_91EEE3
		mov	edx, eax

loc_81982D:				; CODE XREF: ObOpenObjectByNameEx+1058F1j
		mov	eax, large fs:20h
		mov	[esp+78h+var_48], eax
		mov	ecx, [eax+5C0h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	loc_819BF8

loc_81984E:				; CODE XREF: ObOpenObjectByNameEx+600j
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_819853:				; CODE XREF: ObOpenObjectByNameEx+60Fj
		mov	edx, [esp+78h+var_58]
		mov	dword ptr [edx+10h], 0

loc_81985E:				; CODE XREF: ObOpenObjectByNameEx+20Ej
					; ObOpenObjectByNameEx+3B8j
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edx+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	eax, [eax+30h]
		test	[esi+74h], eax
		jnz	loc_91EF06
		lea	eax, [esp+78h+var_44]
		mov	[esp+78h+var_20], eax
		lea	ecx, [esp+78h+var_2C]
		mov	eax, [ebp+arg_4]
		add	eax, 8
		mov	[esp+78h+var_24], eax
		mov	eax, [esi+78h]
		mov	[esp+78h+var_1C], eax
		call	SeSetLearningModeObjectInformation
		mov	edx, [esp+78h+var_64]
		lea	eax, [esp+78h+var_50]
		mov	ecx, [esp+78h+var_5C]
		push	eax
		mov	eax, [esi+74h]
		push	0
		push	[esp+80h+var_54]
		push	0
		push	[ebp+arg_8]
		push	eax
		push	0
		push	edi
		push	0
		call	_ObpCreateHandle@44 ; ObpCreateHandle(x,x,x,x,x,x,x,x,x,x,x)
		mov	[esp+9Ch+var_6C], eax
		test	eax, eax
		js	loc_819C24
		mov	ecx, [ebp+arg_1C]
		mov	eax, [esp+9Ch+var_74]
		mov	[ecx], eax

loc_8198E5:				; CODE XREF: ObOpenObjectByNameEx+621j
					; ObOpenObjectByNameEx+105904j
		mov	edx, [esp+9Ch+var_84]
		test	edx, edx
		jnz	loc_819A5E

loc_8198F1:				; CODE XREF: ObOpenObjectByNameEx+16Fj
					; ObOpenObjectByNameEx+1CBj ...
		cmp	edi, esi
		jnz	short loc_81993C
		mov	ecx, edi
		call	SepDeleteAccessState
		cmp	ds:_SeTokenLeakTracking, 0
		jnz	loc_91EF19

loc_819909:				; CODE XREF: ObOpenObjectByNameEx+6CAj
					; ObOpenObjectByNameEx+10594Ej	...
		mov	eax, large fs:124h
		mov	edx, [edi+24h]
		mov	ecx, [eax+80h]
		add	ecx, 12Ch
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	ecx, [edi+1Ch]
		mov	dword ptr [edi+24h], 0
		test	ecx, ecx
		jnz	loc_8199CD

loc_819935:				; CODE XREF: ObOpenObjectByNameEx+3C2j
		mov	dword ptr [edi+1Ch], 0

loc_81993C:				; CODE XREF: ObOpenObjectByNameEx+2E3j
		mov	ecx, [esi+8Ch]
		test	ecx, ecx
		jnz	loc_819B62

loc_81994A:				; CODE XREF: ObOpenObjectByNameEx+569j
		mov	edx, [esp+9Ch+var_64]
		test	edx, edx
		jz	short loc_819981
		mov	eax, 0F8h
		cmp	word ptr [esp+9Ch+var_68+2], ax
		jnz	short loc_8199B6
		mov	edi, large fs:20h
		mov	ecx, [edi+5C8h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	loc_819C36

loc_81997C:				; CODE XREF: ObOpenObjectByNameEx+63Aj
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_819981:				; CODE XREF: ObOpenObjectByNameEx+340j
					; ObOpenObjectByNameEx+3AEj ...
		call	SeClearLearningModeObjectInformation
		mov	edx, large fs:20h
		mov	ecx, [edx+5E0h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	loc_819BCA

loc_8199A4:				; CODE XREF: ObOpenObjectByNameEx+5CEj
		mov	edx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	eax, ebx

loc_8199AD:				; CODE XREF: ObOpenObjectByNameEx+10581Dj
					; ObOpenObjectByNameEx+105867j	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_8199B6:				; CODE XREF: ObOpenObjectByNameEx+34Cj
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_819981
; 

loc_8199C0:				; CODE XREF: ObOpenObjectByNameEx+1FBj
		mov	[esp+78h+var_5C], 1
		jmp	loc_81985E
; 

loc_8199CD:				; CODE XREF: ObOpenObjectByNameEx+31Fj
		call	ObfDereferenceObject
		jmp	loc_819935
; 

loc_8199D7:				; CODE XREF: ObOpenObjectByNameEx+112j
		mov	eax, large fs:124h
		mov	[esp+78h+var_4C], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [ebx+2F0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[esp+78h+var_5C], eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebx+2FCh]
		test	al, 8
		jz	loc_91EE8B
		mov	eax, [ebx+2C8h]
		and	eax, 0FFFFFFF8h
		mov	ecx, eax
		mov	[esp+78h+var_68], eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebx+2C8h]
		mov	ebx, [esp+78h+var_68]
		and	eax, 3
		mov	[esp+78h+var_38], eax

loc_819A2F:				; CODE XREF: ObOpenObjectByNameEx+105881j
		mov	ecx, [esp+78h+var_5C]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	loc_819C5E

loc_819A47:				; CODE XREF: ObOpenObjectByNameEx+657j
		call	KeAbPostRelease
		mov	ecx, [esp+78h+var_4C]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, [esp+78h+var_58]
		jmp	loc_81972E
; 

loc_819A5E:				; CODE XREF: ObOpenObjectByNameEx+2DBj
		movzx	eax, byte ptr [edx+0Eh]
		mov	ecx, edx
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+0Ch], eax
		dec	eax
		jnz	short loc_819A86
		mov	ecx, edx
		call	ObpDeleteNameCheck
		mov	edx, [esp+9Ch+var_84]

loc_819A86:				; CODE XREF: ObOpenObjectByNameEx+469j
		lea	ecx, [edx+18h]
		call	ObfDereferenceObject
		jmp	loc_8198F1
; 

loc_819A93:				; CODE XREF: ObOpenObjectByNameEx+1D8j
		mov	eax, [esi+168h]
		sub	eax, 18h
		mov	[esp+78h+var_60], eax
		lea	ecx, [eax+18h]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [esp+78h+var_60]
		movzx	eax, byte ptr [ecx+0Eh]
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		lock inc dword ptr [ecx+0Ch]
		cmp	byte ptr [esi+176h], 0
		jz	loc_8197EE
		mov	ecx, [esi+164h]
		xor	edx, edx
		lea	ecx, [ecx+94h]
		call	ExReleasePushLockEx
		mov	ecx, [esi+164h]
		mov	dword ptr [esi+178h], 0EEEE1234h
		call	ObfDereferenceObject
		mov	dword ptr [esi+164h], 0
		mov	word ptr [esi+176h], 0
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_8197EE
; 

loc_819B12:				; CODE XREF: ObOpenObjectByNameEx+1E6j
		call	ObfDereferenceObject
		mov	dword ptr [esi+168h], 0
		jmp	loc_8197FC
; 

loc_819B26:				; CODE XREF: ObOpenObjectByNameEx+17Fj
		mov	[edi+2Ch], ebx
		jmp	loc_819798
; 

loc_819B2E:				; CODE XREF: ObOpenObjectByNameEx+18Aj
		push	ebx
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jz	loc_91EED9
		test	byte ptr [ebx+2], 10h
		jz	loc_8197A0
		test	dword ptr [edi+14h], 1000000h
		jnz	loc_8197A0
		mov	ecx, ebx
		call	SeObjectCreateSaclAccessBits
		or	[edi+10h], eax
		jmp	loc_8197A0
; 

loc_819B62:				; CODE XREF: ObOpenObjectByNameEx+334j
		movzx	eax, byte ptr [esi+7Ch]
		push	1
		push	eax
		push	ecx
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	dword ptr [esi+8Ch], 0
		jmp	loc_81994A
; 

loc_819B7E:				; CODE XREF: ObOpenObjectByNameEx+94j
		inc	dword ptr [edi+10h]
		mov	edi, [esp+68h+var_58]
		mov	eax, [edi+5E4h]
		mov	ecx, eax
		mov	[esp+68h+var_48], eax
		inc	dword ptr [eax+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_8196AE
		mov	ecx, [esp+68h+var_48]
		mov	eax, [ecx+20h]
		inc	dword ptr [ecx+10h]
		push	eax
		mov	eax, [ecx+24h]
		push	eax
		mov	eax, [ecx+1Ch]
		push	eax
		mov	eax, [ecx+28h]
		call	eax
		mov	esi, eax
		test	esi, esi
		jnz	loc_8196AE
		jmp	loc_91EE28
; 

loc_819BCA:				; CODE XREF: ObOpenObjectByNameEx+38Ej
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5E4h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	loc_8199A4
		mov	eax, [ecx+2Ch]
		inc	dword ptr [ecx+18h]
		push	esi
		call	eax
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_819BF8:				; CODE XREF: ObOpenObjectByNameEx+238j
		mov	eax, [esp+78h+var_48]
		inc	dword ptr [ecx+18h]
		mov	ecx, [eax+5C4h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	loc_81984E
		mov	eax, [ecx+2Ch]
		inc	dword ptr [ecx+18h]
		push	edx
		call	eax
		jmp	loc_819853
; 

loc_819C24:				; CODE XREF: ObOpenObjectByNameEx+2C6j
		push	[esp+9Ch+var_88]
		call	_ObDereferenceObject@4 ; ObDereferenceObject(x)
		mov	ebx, [esp+9Ch+var_6C]
		jmp	loc_8198E5
; 

loc_819C36:				; CODE XREF: ObOpenObjectByNameEx+366j
		inc	dword ptr [ecx+18h]
		mov	ecx, [edi+5CCh]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	loc_81997C
		mov	eax, [ecx+2Ch]
		inc	dword ptr [ecx+18h]
		push	edx
		call	eax
		jmp	loc_819981
; 

loc_819C5E:				; CODE XREF: ObOpenObjectByNameEx+431j
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [esp+78h+var_5C]
		jmp	loc_819A47
; 

loc_819C6C:				; CODE XREF: ObOpenObjectByNameEx+137j
		mov	eax, large fs:124h
		mov	[esp+78h+var_5C], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [esp+78h+var_58]
		xor	edx, edx
		add	eax, 0E0h
		mov	ecx, eax
		mov	[esp+78h+var_58], eax
		call	ExAcquirePushLockSharedEx
		mov	ecx, [esp+78h+var_4C]
		call	@ObFastReferenceObjectLocked@4 ; ObFastReferenceObjectLocked(x)
		mov	ecx, [esp+78h+var_58]
		mov	ebx, eax
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	short loc_819CCA

loc_819CB3:				; CODE XREF: ObOpenObjectByNameEx+6C3j
		call	KeAbPostRelease
		mov	ecx, [esp+78h+var_5C]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, [esp+78h+var_3C]
		jmp	loc_819751
; 

loc_819CCA:				; CODE XREF: ObOpenObjectByNameEx+6A1j
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [esp+78h+var_58]
		jmp	short loc_819CB3
ObOpenObjectByNameEx endp

; 
; START	OF FUNCTION CHUNK FOR ObOpenObjectByNameEx

loc_819CD5:				; CODE XREF: ObOpenObjectByNameEx+10590Ej
					; ObOpenObjectByNameEx+10592Bj	...
		mov	eax, [edi+1Ch]
		test	eax, eax
		jz	loc_819909
		jmp	loc_91EF47
; END OF FUNCTION CHUNK	FOR ObOpenObjectByNameEx
; 
		align 10h

ObpCaptureObjectCreateInformation:	; CODE XREF: ObReferenceObjectByNameEx+82p
					; ObOpenObjectByNameEx+B9p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A58D8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 40h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	[ebp-19h], dl
		mov	ebx, ecx
		mov	edi, [ebp+10h]
		mov	dword ptr [ebp-38h], 0
		xor	eax, eax
		mov	esi, [ebp+0Ch]
		mov	[esi], eax
		mov	[esi+4], eax
		push	2Ch
		push	eax
		push	edi
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp+8]
		test	eax, eax
		jz	loc_819E1B
		mov	[edi+8], bl
		mov	dword ptr [ebp-4], 0
		test	bl, bl
		jz	short loc_819D95
		mov	ecx, large fs:124h
		mov	[ebp-4Ch], ecx
		mov	cl, [ecx+15Ah]
		mov	[ebp+0Fh], cl
		test	cl, cl
		jz	short loc_819D95
		mov	ecx, eax
		test	al, 3
		jnz	loc_819EF5
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		jnb	loc_91EF74

loc_819D92:				; CODE XREF: PAGE:0091EF76j
		nop
		mov	cl, [ecx]

loc_819D95:				; CODE XREF: PAGE:00819D61j
					; PAGE:00819D78j
		cmp	dword ptr [eax], 18h
		jnz	loc_91EF7B
		mov	ecx, [eax+4]
		mov	[edi+4], ecx
		mov	ecx, [eax+0Ch]
		mov	[ebp-40h], ecx
		nop
		cmp	byte ptr [ebp-19h], 0
		jz	short loc_819DBA
		and	ecx, 0FFFFFDFFh
		mov	[ebp-40h], ecx

loc_819DBA:				; CODE XREF: PAGE:00819DAFj
		test	ecx, 0FFFEE00Dh
		jnz	loc_91EF7B
		mov	[edi], ecx
		mov	ecx, [eax+8]
		mov	[ebp-2Ch], ecx
		mov	[ebp-30h], ecx
		mov	edx, [eax+10h]
		mov	[ebp-34h], edx
		mov	ecx, [eax+14h]
		mov	[ebp-28h], ecx
		mov	[ebp-24h], ecx
		nop
		test	ecx, ecx
		jnz	short loc_819E3C

loc_819DE5:				; CODE XREF: PAGE:00819E92j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	edx, edx
		jnz	loc_819EB9

loc_819DF4:				; CODE XREF: PAGE:00819EE7j
		test	ecx, ecx
		jnz	loc_819E97

loc_819DFC:				; CODE XREF: PAGE:00819EAEj
		mov	eax, [ebp-2Ch]
		test	eax, eax
		jz	short loc_819E31
		push	dword ptr [ebp+14h]
		push	esi
		mov	edx, eax
		mov	cl, bl
		call	ObpCaptureObjectName
		mov	[ebp-20h], eax
		test	eax, eax
		js	loc_91EFFD

loc_819E1B:				; CODE XREF: PAGE:00819D4Fj
					; PAGE:00819E35j
		xor	eax, eax

loc_819E1D:				; CODE XREF: PAGE:0091F002j
					; PAGE:0091F01Fj
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_819E31:				; CODE XREF: PAGE:00819E01j
		cmp	dword ptr [edi+4], 0
		jz	short loc_819E1B
		jmp	loc_91EFB3
; 

loc_819E3C:				; CODE XREF: PAGE:00819DE3j
		test	bl, bl
		jz	short loc_819E81
		mov	eax, large fs:124h
		mov	[ebp-50h], eax
		mov	al, [eax+15Ah]
		mov	[ebp+0Bh], al
		test	al, al
		jz	short loc_819E72
		mov	eax, [ebp-24h]
		test	al, 3
		jnz	loc_819EF5
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_91EF8F

loc_819E6F:				; CODE XREF: PAGE:0091EF91j
		nop
		mov	al, [eax]

loc_819E72:				; CODE XREF: PAGE:00819E54j
		mov	ecx, [ebp-24h]
		mov	eax, [ebp-30h]
		mov	[ebp-28h], ecx
		mov	edx, [ebp-34h]
		mov	[ebp-2Ch], eax

loc_819E81:				; CODE XREF: PAGE:00819E3Ej
		mov	eax, [ecx]
		mov	[edi+20h], eax
		mov	eax, [ecx+4]
		mov	[edi+24h], eax
		mov	eax, [ecx+8]
		mov	[edi+28h], eax
		jmp	loc_819DE5
; 

loc_819E97:				; CODE XREF: PAGE:00819DF6j
		lea	eax, [edi+20h]
		mov	dword ptr [eax], 0Ch
		mov	[edi+1Ch], eax
		mov	al, [edi+28h]
		cmp	al, 1
		jnz	short loc_819EEC

loc_819EAA:				; CODE XREF: PAGE:00819EEEj
		cmp	dword ptr [edi+24h], 3
		jbe	loc_819DFC
		jmp	loc_91EFA9
; 

loc_819EB9:				; CODE XREF: PAGE:00819DEEj
		lea	eax, [edi+18h]
		push	eax
		push	1
		push	1
		push	ebx
		push	edx
		call	SeCaptureSecurityDescriptor
		mov	[ebp-20h], eax
		test	eax, eax
		js	loc_91EF96
		lea	edx, [ebp-38h]
		mov	ecx, [edi+18h]
		call	_SeComputeQuotaInformationSize@8 ; SeComputeQuotaInformationSize(x,x)
		mov	eax, [ebp-38h]
		mov	[edi+14h], eax
		mov	ecx, [ebp-28h]
		jmp	loc_819DF4
; 

loc_819EEC:				; CODE XREF: PAGE:00819EA8j
		test	al, al
		jz	short loc_819EAA
		jmp	loc_91EF9F
; 

loc_819EF5:				; CODE XREF: PAGE:00819D7Ej
					; PAGE:00819E5Bj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dw 0CCCCh
		align 10h

ObpCaptureObjectName:			; CODE XREF: PAGE:00819E0Bp
					; ObReferenceObjectByName+A8p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A58F8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	dword ptr [ebp-44h], 0
		mov	dword ptr [ebp-40h], 0
		mov	dword ptr [ebp-2Ch], 0
		mov	eax, [ebp+8]
		mov	dword ptr [eax+4], 0
		xor	esi, esi
		mov	[eax], esi
		mov	[ebp-20h], esi
		mov	[ebp-24h], esi
		mov	[ebp-4], esi
		test	cl, cl
		jz	loc_81A0A1
		mov	eax, large fs:124h
		mov	[ebp-3Ch], eax
		mov	al, [eax+15Ah]
		mov	[ebp-1Ah], al
		test	al, al
		jz	loc_81A0A1
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_91F024

loc_819F90:				; CODE XREF: PAGE:0091F026j
		nop
		mov	eax, [edx]
		mov	[ebp-44h], eax
		mov	ecx, [edx+4]
		mov	[ebp-28h], ecx
		mov	[ebp-40h], ecx
		movzx	eax, ax
		test	ax, ax
		jz	short loc_819FC8
		test	cl, 1
		jnz	loc_81A102
		add	eax, ecx
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	loc_91F02B
		cmp	eax, ecx
		jb	loc_91F02B

loc_819FC8:				; CODE XREF: PAGE:00819FA5j
					; PAGE:0091F02Ej
		mov	eax, [ebp-44h]
		mov	edi, [ebp-28h]

loc_819FCE:				; CODE XREF: PAGE:0081A0ACj
		test	ax, ax
		jz	loc_81A083
		movzx	ebx, ax
		mov	[ebp-2Ch], ebx
		test	bl, 1
		jnz	loc_91F046
		cmp	ebx, 0FFFEh
		jz	loc_91F046
		mov	dword ptr [ebp-28h], 0
		lea	eax, [ebx+2]
		mov	[ebp-30h], eax
		cmp	eax, ebx
		jb	loc_91F033
		mov	[ebp-28h], eax
		cmp	eax, 0F8h
		ja	loc_81A0B1
		cmp	dword ptr [ebp+0Ch], 0
		jz	loc_81A0B1
		mov	eax, 0F8h
		mov	[ebp-30h], eax
		mov	[ebp-28h], eax
		mov	ebx, large fs:20h
		mov	edi, [ebx+5C8h]
		inc	dword ptr [edi+0Ch]
		mov	ecx, edi
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_81A0C2

loc_81A047:				; CODE XREF: PAGE:0081A0D9j
					; PAGE:0081A0F7j
		mov	eax, [ebx+3CCh]
		mov	[esi], eax

loc_81A04F:				; CODE XREF: PAGE:0081A0FDj
		mov	edi, [ebp-40h]
		mov	ebx, [ebp-2Ch]

loc_81A055:				; CODE XREF: PAGE:0081A0C0j
		mov	ecx, [ebp+8]
		mov	[ecx], bx
		mov	eax, [ebp-30h]
		mov	[ecx+2], ax
		mov	[ecx+4], esi
		mov	[ebp-24h], esi
		test	esi, esi
		jz	loc_91F03A
		push	ebx
		push	edi
		push	esi
		call	_memcpy
		add	esp, 0Ch
		shr	ebx, 1
		xor	eax, eax
		mov	[esi+ebx*2], ax

loc_81A083:				; CODE XREF: PAGE:00819FD1j
					; PAGE:0091F041j ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_81A0A1:				; CODE XREF: PAGE:00819F63j
					; PAGE:00819F7Dj
		mov	eax, [edx]
		mov	[ebp-44h], eax
		mov	edi, [edx+4]
		mov	[ebp-40h], edi
		jmp	loc_819FCE
; 

loc_81A0B1:				; CODE XREF: PAGE:0081A00Fj
					; PAGE:0081A019j
		push	6D4E624Fh
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		jmp	short loc_81A055
; 

loc_81A0C2:				; CODE XREF: PAGE:0081A045j
		inc	dword ptr [edi+10h]
		mov	edi, [ebx+5CCh]
		inc	dword ptr [edi+0Ch]
		mov	ecx, edi
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_81A047
		inc	dword ptr [edi+10h]
		mov	eax, [edi+20h]
		push	eax
		mov	eax, [edi+24h]
		push	eax
		mov	eax, [edi+1Ch]
		push	eax
		mov	eax, [edi+28h]
		call	eax
		mov	esi, eax
		test	esi, esi
		jnz	loc_81A047
		jmp	loc_81A04F
; 

loc_81A102:				; CODE XREF: PAGE:00819FAAj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReferenceImpersonationTokenEx(x, x, x, x,	x, x)
_PsReferenceImpersonationTokenEx@24 proc near ;	CODE XREF: SepReferenceTokenByHandle+F8p
					; CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+10Fp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	eax, [esi+2FCh]
		test	al, 8
		jnz	short loc_81A132
		xor	eax, eax

loc_81A12A:				; CODE XREF: PsReferenceImpersonationTokenEx(x,x,x,x,x,x)+CEj
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_81A132:				; CODE XREF: PsReferenceImpersonationTokenEx(x,x,x,x,x,x)+16j
		mov	eax, [esi+150h]
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		push	edi
		mov	[ebp+var_C], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esi+2F0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+2FCh]
		test	al, 8
		jz	loc_81A20B
		test	bl, 1
		jnz	short loc_81A1F0

loc_81A172:				; CODE XREF: PsReferenceImpersonationTokenEx(x,x,x,x,x,x)+E8j
		mov	ecx, [esi+2FCh]
		mov	edi, [esi+2C8h]
		shr	ecx, 8
		and	edi, 0FFFFFFF8h
		and	cl, 1

loc_81A187:				; CODE XREF: PsReferenceImpersonationTokenEx(x,x,x,x,x,x)+F0j
		mov	eax, [ebp+arg_0]
		mov	[eax], cl
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [esi+2C8h]
		mov	eax, [ebp+arg_8]
		and	ecx, 3
		mov	[eax], ecx
		mov	ecx, [esi+2C8h]
		mov	eax, [ebp+arg_4]
		shr	ecx, 2
		and	cl, 1
		mov	[eax], cl
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jnz	short loc_81A1E3

loc_81A1B9:				; CODE XREF: PsReferenceImpersonationTokenEx(x,x,x,x,x,x)+DEj
					; PsReferenceImpersonationTokenEx(x,x,x,x,x,x)+FDj
		mov	esi, [ebp+var_8]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_81A202

loc_81A1CC:				; CODE XREF: PsReferenceImpersonationTokenEx(x,x,x,x,x,x)+F9j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_C]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, edi
		pop	edi
		jmp	loc_81A12A
; 

loc_81A1E3:				; CODE XREF: PsReferenceImpersonationTokenEx(x,x,x,x,x,x)+A7j
		mov	eax, [ebp+var_4]
		mov	al, [eax+3A6h]
		mov	[ecx], al
		jmp	short loc_81A1B9
; 

loc_81A1F0:				; CODE XREF: PsReferenceImpersonationTokenEx(x,x,x,x,x,x)+60j
		mov	edi, [esi+368h]
		test	edi, edi
		jz	loc_81A172
		xor	cl, cl
		jmp	short loc_81A187
; 

loc_81A202:				; CODE XREF: PsReferenceImpersonationTokenEx(x,x,x,x,x,x)+BAj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_81A1CC
; 

loc_81A20B:				; CODE XREF: PsReferenceImpersonationTokenEx(x,x,x,x,x,x)+57j
		xor	edi, edi
		jmp	short loc_81A1B9
_PsReferenceImpersonationTokenEx@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpIsSystemEntity proc near		; CODE XREF: sub_5009EC+1Dp
					; SilentFailAccessCheck+21p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0091F09D SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		xor	eax, eax
		push	ebx
		xor	bh, bh
		mov	[esp+1Ch+var_10], eax
		push	esi
		mov	[esp+20h+var_C], eax
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_4], eax
		cmp	_CmpVEEnabled, al
		jz	short loc_81A2AD
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_81A246
		mov	eax, [esi]
		test	al, 1
		jnz	short loc_81A2B7

loc_81A246:				; CODE XREF: CmpIsSystemEntity+2Ej
		test	cl, cl
		jz	short loc_81A2AD
		test	edx, edx
		jz	loc_91F09D

loc_81A252:				; CODE XREF: CmpIsSystemEntity+104EAAj
		mov	eax, [edx]
		mov	[esp+20h+var_14], 0
		test	eax, eax
		jnz	short loc_81A29E
		mov	ecx, [edx+8]

loc_81A263:				; CODE XREF: CmpIsSystemEntity+90j
		test	eax, eax
		jnz	short loc_81A27B
		lea	eax, [esp+20h+var_14]
		push	eax
		push	18h
		push	ecx
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		cmp	[esp+20h+var_14], 0
		jnz	short loc_81A2A2

loc_81A27B:				; CODE XREF: CmpIsSystemEntity+55j
		mov	bl, 1

loc_81A27D:				; CODE XREF: CmpIsSystemEntity+94j
		test	esi, esi
		jz	short loc_81A28C
		mov	eax, [esi]
		test	bl, bl
		jz	short loc_81A2A6
		or	eax, 3

loc_81A28A:				; CODE XREF: CmpIsSystemEntity+9Bj
		mov	[esi], eax

loc_81A28C:				; CODE XREF: CmpIsSystemEntity+6Fj
		test	bh, bh
		jnz	loc_91F0BF

loc_81A294:				; CODE XREF: CmpIsSystemEntity+104EB9j
		mov	al, bl
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_81A29E:				; CODE XREF: CmpIsSystemEntity+4Ej
		mov	ecx, eax
		jmp	short loc_81A263
; 

loc_81A2A2:				; CODE XREF: CmpIsSystemEntity+69j
		xor	bl, bl
		jmp	short loc_81A27D
; 

loc_81A2A6:				; CODE XREF: CmpIsSystemEntity+75j
		or	eax, 5
		xor	bl, bl
		jmp	short loc_81A28A
; 

loc_81A2AD:				; CODE XREF: CmpIsSystemEntity+27j
					; CmpIsSystemEntity+38j
		mov	al, 1
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_81A2B7:				; CODE XREF: CmpIsSystemEntity+34j
		shr	eax, 1
		pop	esi
		and	al, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
CmpIsSystemEntity endp

; 
		align 10h
; Exported entry 2487. SeQueryInformationToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeQueryInformationToken(x, x, x)
		public _SeQueryInformationToken@12
_SeQueryInformationToken@12 proc near	; CODE XREF: RtlpQueryLowBoxId+52p
					; RtlpQueryLowBoxId+165A62p ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		xor	eax, eax
		mov	[esp+54h+var_50], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[esp+5Ch+var_24], 0
		mov	[esp+5Ch+var_18], eax
		mov	[esp+5Ch+var_14], eax
		mov	[esp+5Ch+var_10], eax
		mov	[esp+5Ch+var_C], eax
		mov	[esp+5Ch+var_8], eax
		mov	[esp+5Ch+var_4], eax
		push	edi
		cmp	esi, 18h
		jz	loc_81B0FD
		lea	eax, [esi-1]
		cmp	eax, 2Fh
		ja	loc_81B029
		movzx	eax, ds:byte_81B214[eax]
		jmp	ds:off_81B1A8[eax*4]

loc_81A32E:				; DATA XREF: PAGE:off_81B1A8o
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		push	1
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	eax, [esi+94h]
		push	20206553h
		mov	eax, [eax]
		movzx	eax, byte ptr [eax+1]
		lea	ebx, ds:10h[eax*4]
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_81A38B

loc_81A370:				; CODE XREF: SeQueryInformationToken(x,x,x)+201j
					; SeQueryInformationToken(x,x,x)+3BCj ...
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_81A37D:				; CODE XREF: SeQueryInformationToken(x,x,x)+7C1j
					; SeQueryInformationToken(x,x,x)+800j ...
		mov	eax, 0C000009Ah
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81A38B:				; CODE XREF: SeQueryInformationToken(x,x,x)+9Ej
		lea	eax, [esp+60h+var_54]
		push	eax		; int
		push	eax		; int
		lea	eax, [edi+8]
		push	eax		; void *
		mov	eax, [esi+94h]
		push	edi		; int
		push	ebx		; int
		push	eax		; int
		push	1		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)

loc_81A3A5:				; CODE XREF: SeQueryInformationToken(x,x,x)+210j
					; SeQueryInformationToken(x,x,x)+475j ...
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81A3C2:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1ACo
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+arg_0]
		push	1
		mov	eax, [edi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	edx, [edi+7Ch]
		lea	esi, ds:0FFFFFFFCh[edx*8]
		cmp	edx, 1
		jbe	short loc_81A40B
		mov	ecx, [edi+94h]
		add	ecx, 8
		dec	edx

loc_81A3F7:				; CODE XREF: SeQueryInformationToken(x,x,x)+139j
		mov	eax, [ecx]
		lea	ecx, [ecx+8]
		movzx	eax, byte ptr [eax+1]
		lea	esi, [esi+eax*4]
		add	esi, 8
		sub	edx, 1
		jnz	short loc_81A3F7

loc_81A40B:				; CODE XREF: SeQueryInformationToken(x,x,x)+11Bj
		push	20206553h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_81A439

loc_81A41E:				; CODE XREF: SeQueryInformationToken(x,x,x)+62Dj
					; SeQueryInformationToken(x,x,x)+AD9j ...
		mov	ecx, [edi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, 0C000009Ah
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81A439:				; CODE XREF: SeQueryInformationToken(x,x,x)+14Cj
		mov	eax, [edi+7Ch]
		dec	eax
		mov	[ebx], eax
		lea	eax, [esp+60h+var_54]
		mov	ecx, [edi+7Ch]
		push	eax		; int
		push	eax		; int
		lea	eax, ds:0FFFFFFFCh[ecx*8]
		add	eax, ebx
		push	eax		; void *
		lea	eax, [ebx+4]
		push	eax		; int
		mov	eax, [edi+94h]
		push	esi		; int
		add	eax, 8
		push	eax		; int
		lea	eax, [ecx-1]
		push	eax		; int

loc_81A465:				; CODE XREF: SeQueryInformationToken(x,x,x)+B0Aj
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)

loc_81A46A:				; CODE XREF: SeQueryInformationToken(x,x,x)+651j
		mov	ecx, [edi+30h]

loc_81A46D:				; CODE XREF: SeQueryInformationToken(x,x,x)+CE9j
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81A487:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1B0o
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		push	1
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, esi
		call	_SepTokenPrivilegeCount@4 ; SepTokenPrivilegeCount(x)
		cmp	eax, 1
		jbe	short loc_81A4BB
		lea	eax, [eax+eax*2]
		lea	eax, ds:4[eax*4]
		jmp	short loc_81A4C0
; 

loc_81A4BB:				; CODE XREF: SeQueryInformationToken(x,x,x)+1DDj
		mov	eax, 10h

loc_81A4C0:				; CODE XREF: SeQueryInformationToken(x,x,x)+1E9j
		push	20206553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_81A370
		mov	edx, edi
		mov	ecx, esi
		call	_SepConvertTokenPrivileges@8 ; SepConvertTokenPrivileges(x,x)
		jmp	loc_81A3A5
; 

loc_81A4E5:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1D4o
		mov	eax, large fs:124h
		xor	ebx, ebx
		mov	[esp+60h+var_4C], ebx
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		push	1
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, esi
		call	_SepTokenPrivilegeCount@4 ; SepTokenPrivilegeCount(x)
		mov	[esp+60h+var_2C], eax
		lea	eax, [eax+eax*2]
		shl	eax, 2
		mov	[esp+60h+var_40], eax
		mov	eax, [esi+7Ch]
		mov	[esp+60h+var_28], eax
		lea	ecx, ds:0[eax*8]
		mov	edi, ecx
		mov	[esp+60h+var_44], ecx
		xor	ecx, ecx
		mov	[esp+60h+var_50], edi
		cmp	eax, 2
		jb	short loc_81A58C
		mov	edx, [esi+94h]
		dec	eax
		mov	edi, eax
		jmp	short loc_81A550
; 
		align 10h

loc_81A550:				; CODE XREF: SeQueryInformationToken(x,x,x)+274j
					; SeQueryInformationToken(x,x,x)+2AEj
		mov	eax, [edx+ecx*8]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	ebx, eax
		mov	eax, [edx+ecx*8+8]
		add	ecx, 2
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	[esp+60h+var_4C], eax
		cmp	ecx, edi
		jb	short loc_81A550
		mov	edi, [esp+60h+var_50]
		cmp	ecx, [esp+60h+var_28]
		jb	short loc_81A5A0
		jmp	short loc_81A5B5
; 

loc_81A58C:				; CODE XREF: SeQueryInformationToken(x,x,x)+269j
		test	eax, eax
		jz	short loc_81A5B5
		mov	edx, [esi+94h]
		jmp	short loc_81A5A0
; 
		align 10h

loc_81A5A0:				; CODE XREF: SeQueryInformationToken(x,x,x)+2B8j
					; SeQueryInformationToken(x,x,x)+2C6j
		mov	eax, [edx+ecx*8]
		movzx	eax, byte ptr [eax+1]
		lea	edi, ds:0Bh[eax*4]
		and	edi, 0FFFFFFFCh
		add	edi, [esp+60h+var_44]

loc_81A5B5:				; CODE XREF: SeQueryInformationToken(x,x,x)+2BAj
					; SeQueryInformationToken(x,x,x)+2BEj
		mov	eax, [esp+60h+var_4C]
		add	eax, ebx
		mov	[esp+60h+var_54], 0
		add	edi, eax
		mov	[esp+60h+var_48], 0
		mov	eax, [esi+80h]
		mov	[esp+60h+var_50], edi
		mov	[esp+60h+var_28], eax
		lea	ecx, ds:0[eax*8]
		mov	[esp+60h+var_4C], ecx
		mov	ebx, ecx
		xor	ecx, ecx
		cmp	eax, 2
		jb	short loc_81A63E
		mov	edx, [esi+98h]
		dec	eax
		mov	edi, eax
		jmp	short loc_81A600
; 
		align 10h

loc_81A600:				; CODE XREF: SeQueryInformationToken(x,x,x)+328j
					; SeQueryInformationToken(x,x,x)+360j
		mov	eax, [edx+ecx*8]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	[esp+60h+var_54], eax
		mov	eax, [edx+ecx*8+8]
		add	ecx, 2
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	[esp+60h+var_48], eax
		cmp	ecx, edi
		jb	short loc_81A600
		mov	edi, [esp+60h+var_50]
		cmp	ecx, [esp+60h+var_28]
		jb	short loc_81A650
		jmp	short loc_81A665
; 

loc_81A63E:				; CODE XREF: SeQueryInformationToken(x,x,x)+31Dj
		test	eax, eax
		jz	short loc_81A665
		mov	edx, [esi+98h]
		jmp	short loc_81A650
; 
		align 10h

loc_81A650:				; CODE XREF: SeQueryInformationToken(x,x,x)+36Aj
					; SeQueryInformationToken(x,x,x)+378j
		mov	eax, [edx+ecx*8]
		movzx	eax, byte ptr [eax+1]
		lea	ebx, ds:0Bh[eax*4]
		and	ebx, 0FFFFFFFCh
		add	ebx, [esp+60h+var_4C]

loc_81A665:				; CODE XREF: SeQueryInformationToken(x,x,x)+36Cj
					; SeQueryInformationToken(x,x,x)+370j
		mov	eax, [esp+60h+var_54]
		add	eax, [esp+60h+var_48]
		mov	ecx, [esp+60h+var_40]
		add	ebx, eax
		add	ecx, 2Ch
		push	20206553h
		lea	eax, [ebx+edi]
		add	eax, ecx
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_81A370
		mov	eax, [esi+18h]
		lea	ecx, [edi+2Ch]
		mov	edx, [esp+60h+var_50]
		mov	[edi+24h], eax
		mov	eax, [esi+1Ch]
		mov	[edi+28h], eax
		mov	[edi+4], edx
		mov	eax, [esi+7Ch]
		mov	[edi], eax
		mov	[edi+8], ecx
		mov	[edi+10h], ebx
		mov	eax, [esi+80h]
		mov	[edi+0Ch], eax
		cmp	dword ptr [esi+80h], 0
		jz	short loc_81A6CF
		lea	eax, [edx+3]
		and	eax, 0FFFFFFFCh
		add	eax, ecx
		jmp	short loc_81A6D1
; 

loc_81A6CF:				; CODE XREF: SeQueryInformationToken(x,x,x)+3F3j
		xor	eax, eax

loc_81A6D1:				; CODE XREF: SeQueryInformationToken(x,x,x)+3FDj
		mov	[edi+14h], eax
		mov	eax, [esp+60h+var_40]
		mov	[edi+1Ch], eax
		mov	eax, [esp+60h+var_2C]
		mov	[edi+18h], eax
		lea	eax, [ecx+ebx]
		add	eax, edx
		sub	edx, [esp+60h+var_44]
		mov	[edi+20h], eax
		lea	eax, [esp+60h+var_54]
		push	eax		; int
		push	eax		; int
		mov	eax, [esp+68h+var_44]
		add	eax, ecx
		push	eax		; void *
		mov	eax, [esi+94h]
		push	ecx		; int
		push	edx		; int
		push	eax		; int
		mov	eax, [esi+7Ch]
		push	eax		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)
		cmp	dword ptr [edi+0Ch], 0
		jbe	short loc_81A73B
		mov	ecx, [edi+14h]
		lea	eax, [esp+60h+var_54]
		mov	edx, [esp+60h+var_4C]
		sub	ebx, edx
		push	eax		; int
		push	eax		; int
		lea	eax, [edx+ecx]
		push	eax		; void *
		mov	eax, [esi+98h]
		push	ecx		; int
		push	ebx		; int
		push	eax		; int
		mov	eax, [esi+80h]
		push	eax		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)

loc_81A73B:				; CODE XREF: SeQueryInformationToken(x,x,x)+441j
		mov	edx, [edi+20h]
		mov	ecx, esi
		call	_SepConvertTokenPrivilegesToLuidAndAttributes@8	; SepConvertTokenPrivilegesToLuidAndAttributes(x,x)
		jmp	loc_81A3A5
; 

loc_81A74A:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1E4o
		mov	eax, large fs:124h
		mov	[esp+60h+var_28], 0
		mov	[esp+60h+var_2C], 0
		mov	[esp+60h+var_30], 0
		dec	word ptr [eax+13Ch]
		mov	[esp+60h+var_34], 0
		mov	[esp+60h+var_38], 0
		mov	[esp+60h+var_3C], 0
		mov	[esp+60h+var_48], 0
		mov	[esp+60h+var_44], 0
		mov	[esp+60h+var_40], 0
		nop
		mov	esi, [ebp+arg_0]
		push	1
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		lea	eax, [esp+60h+var_40]
		xor	dl, dl
		push	eax
		lea	eax, [esp+64h+var_44]
		mov	ecx, esi
		push	eax
		lea	eax, [esp+68h+var_48]
		push	eax
		lea	eax, [esp+6Ch+var_3C]
		push	eax
		lea	eax, [esp+70h+var_38]
		push	eax
		lea	eax, [esp+74h+var_34]
		push	eax
		lea	eax, [esp+78h+var_30]
		push	eax
		lea	eax, [esp+7Ch+var_2C]
		push	eax
		lea	eax, [esp+80h+var_28]
		push	eax
		lea	eax, [esp+84h+var_24]
		push	eax
		push	0
		call	_SepGetTokenAccessInformationBufferSize@52 ; SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)
		push	20206553h
		mov	ebx, eax
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_81A370
		push	0
		push	0
		push	[esp+68h+var_40]
		mov	edx, edi
		mov	ecx, esi
		push	[esp+6Ch+var_44]
		push	[esp+70h+var_48]
		push	[esp+74h+var_3C]
		push	[esp+78h+var_38]
		push	[esp+7Ch+var_34]
		push	[esp+80h+var_30]
		push	[esp+84h+var_2C]
		push	[esp+88h+var_28]
		push	[esp+8Ch+var_24]
		push	ebx
		call	_SepCopyTokenAccessInformation@60 ; SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_81A3A5
; 

loc_81A83F:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1B4o
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		push	1
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [esi+90h]
		mov	eax, [esi+94h]
		push	20206553h
		mov	eax, [eax+ecx*8]
		movzx	eax, byte ptr [eax+1]
		lea	ebx, ds:0Ch[eax*4]
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_81A370
		lea	edx, [edi+4]
		mov	[edi], edx
		mov	ecx, [esi+90h]
		mov	eax, [esi+94h]
		mov	eax, [eax+ecx*8]
		push	eax		; void *
		push	edx		; void *
		lea	eax, [ebx-4]
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		jmp	loc_81A3A5
; 

loc_81A8B0:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1F0o
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+arg_0]
		push	1
		mov	eax, [edi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	esi, [edi+1E0h]
		test	esi, esi
		jz	short loc_81A8E3
		movzx	eax, byte ptr [esi+1]
		lea	eax, ds:0Ch[eax*4]
		jmp	short loc_81A8E8
; 

loc_81A8E3:				; CODE XREF: SeQueryInformationToken(x,x,x)+604j
		mov	eax, 4

loc_81A8E8:				; CODE XREF: SeQueryInformationToken(x,x,x)+611j
		push	20206553h
		push	eax
		push	1
		mov	[esp+6Ch+var_24], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_81A41E
		test	esi, esi
		jz	short loc_81A91F
		mov	eax, [edi+1E0h]

loc_81A90D:				; CODE XREF: SeQueryInformationToken(x,x,x)+D4Fj
		push	eax		; void *
		mov	eax, [esp+64h+var_24]
		lea	esi, [ebx+4]
		push	esi		; void *
		add	eax, 0FFFFFFFCh
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)

loc_81A91F:				; CODE XREF: SeQueryInformationToken(x,x,x)+635j
					; SeQueryInformationToken(x,x,x)+D43j
		mov	[ebx], esi
		jmp	loc_81A46A
; 

loc_81A926:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1E8o
		mov	eax, large fs:124h
		mov	[esp+60h+var_20], 0
		mov	[esp+60h+var_1C], 0
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		push	1
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		lea	edx, [esp+60h+var_20]
		mov	ecx, esi
		call	_SepCopyTokenIntegrity@8 ; SepCopyTokenIntegrity(x,x)
		mov	edi, [esp+60h+var_20]
		push	edi
		call	_RtlSubAuthorityCountSid@4 ; RtlSubAuthorityCountSid(x)
		mov	al, [eax]
		test	al, al
		jnz	short loc_81A971
		xor	ecx, ecx
		jmp	short loc_81A97E
; 

loc_81A971:				; CODE XREF: SeQueryInformationToken(x,x,x)+69Bj
		movzx	eax, al
		dec	eax
		push	eax
		push	edi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	ecx, [eax]

loc_81A97E:				; CODE XREF: SeQueryInformationToken(x,x,x)+69Fj
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81A99B:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1B8o
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		push	1
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	eax, [esi+9Ch]
		push	20206553h
		movzx	eax, byte ptr [eax+1]
		lea	ebx, ds:0Ch[eax*4]
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_81A370
		lea	ecx, [edi+4]
		mov	[edi], ecx
		mov	eax, [esi+9Ch]
		push	eax		; void *
		push	ecx		; void *
		lea	eax, [ebx-4]
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		jmp	loc_81A3A5
; 

loc_81A9FA:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1BCo
		mov	eax, large fs:124h
		mov	[esp+60h+var_50], 4
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		push	1
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	eax, [esi+0A4h]
		test	eax, eax
		jz	short loc_81AA31
		movzx	eax, word ptr [eax+2]
		add	eax, 4
		jmp	short loc_81AA35
; 

loc_81AA31:				; CODE XREF: SeQueryInformationToken(x,x,x)+756j
		mov	eax, [esp+60h+var_50]

loc_81AA35:				; CODE XREF: SeQueryInformationToken(x,x,x)+75Fj
		push	20206553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_81A370
		cmp	dword ptr [esi+0A4h], 0
		lea	edx, [edi+4]
		jz	short loc_81AA74
		mov	[edi], edx
		mov	ecx, [esi+0A4h]
		movzx	eax, word ptr [ecx+2]
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_81A3A5
; 

loc_81AA74:				; CODE XREF: SeQueryInformationToken(x,x,x)+786j
		mov	dword ptr [edi], 0
		jmp	loc_81A3A5
; 

loc_81AA7F:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1C0o
		push	20206553h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_81A37D
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		mov	[edx], ecx
		mov	ecx, [eax+4]
		mov	[edx+4], ecx
		mov	ecx, [eax+8]
		mov	[edx+8], ecx
		mov	eax, [eax+0Ch]
		mov	[edx+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[eax], edx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81AAC0:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1C4o
		push	20206553h
		push	4
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_81A37D
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+0A8h]
		mov	[eax], ecx
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81AAF1:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1D8o
		push	20206553h
		push	4
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_81A37D
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+0C0h]
		mov	eax, [ecx+18h]
		test	al, 4
		jz	short loc_81AB2F
		mov	eax, [ebp+arg_8]
		mov	dword ptr [edx], 3
		mov	[eax], edx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81AB2F:				; CODE XREF: SeQueryInformationToken(x,x,x)+847j
		test	al, 2
		mov	eax, 0
		setnz	al
		inc	eax
		mov	[edx], eax
		mov	eax, [ebp+arg_8]
		mov	[eax], edx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81AB4C:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1DCo
		push	20206553h
		push	4
		push	1
		xor	bl, bl
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+60h+var_4C], eax
		test	eax, eax
		jz	loc_81A37D
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		mov	edi, [ebp+arg_0]
		push	1
		mov	eax, [edi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [edi+40h]
		mov	eax, [edi+44h]
		and	ecx, 20160684h
		and	eax, 11h
		or	ecx, eax
		jz	short loc_81AB9A
		mov	bl, 1

loc_81AB9A:				; CODE XREF: SeQueryInformationToken(x,x,x)+8C6j
		mov	eax, [edi+7Ch]
		xor	esi, esi
		mov	[esp+60h+var_24], eax
		test	eax, eax
		jz	short loc_81ABC3

loc_81ABA7:				; CODE XREF: SeQueryInformationToken(x,x,x)+8F1j
		test	bl, bl
		jnz	short loc_81ABC3
		mov	eax, [edi+94h]
		lea	eax, [eax+esi*8]
		push	eax
		call	_RtlIsElevatedRid@4 ; RtlIsElevatedRid(x)
		inc	esi
		mov	bl, al
		cmp	esi, [esp+60h+var_24]
		jb	short loc_81ABA7

loc_81ABC3:				; CODE XREF: SeQueryInformationToken(x,x,x)+8D5j
					; SeQueryInformationToken(x,x,x)+8D9j
		mov	ecx, [edi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esp+60h+var_4C]
		movzx	eax, bl
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81ABE9:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1C8o
		mov	esi, [ebp+arg_0]
		cmp	dword ptr [esi+0A8h], 2
		jnz	loc_81B029
		push	20206553h
		push	4
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_81A37D
		mov	ecx, [esi+0ACh]
		mov	[eax], ecx
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81AC27:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1CCo
		push	20206553h
		push	38h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_81A37D
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+10h]
		mov	[esi], eax
		mov	eax, [edi+14h]
		mov	[esi+4], eax
		mov	eax, [edi+18h]
		mov	[esi+8], eax
		mov	eax, [edi+1Ch]
		mov	[esi+0Ch], eax
		mov	eax, [edi+0A8h]
		mov	[esi+18h], eax
		mov	eax, [edi+0ACh]
		mov	[esi+1Ch], eax
		mov	eax, [edi+28h]
		mov	[esi+10h], eax
		mov	eax, [edi+2Ch]
		mov	[esi+14h], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [edi+30h]
		push	1
		push	eax
		call	ExAcquireResourceSharedLite
		mov	eax, [edi+88h]
		mov	[esi+20h], eax
		mov	eax, [edi+9Ch]
		mov	ecx, [edi+88h]
		movzx	eax, byte ptr [eax+1]
		shl	eax, 2
		sub	ecx, eax
		mov	eax, [edi+0A4h]
		sub	ecx, 8
		test	eax, eax
		jz	short loc_81ACC1
		movzx	eax, word ptr [eax+2]
		sub	ecx, eax

loc_81ACC1:				; CODE XREF: SeQueryInformationToken(x,x,x)+9E9j
		mov	[esi+24h], ecx
		mov	ecx, edi
		mov	eax, [edi+8Ch]
		mov	[esi+24h], eax
		mov	eax, [edi+7Ch]
		dec	eax
		mov	[esi+28h], eax
		call	_SepTokenPrivilegeCount@4 ; SepTokenPrivilegeCount(x)
		mov	[esi+2Ch], eax
		mov	eax, [edi+34h]
		mov	[esi+30h], eax
		mov	eax, [edi+38h]
		mov	[esi+34h], eax

loc_81ACEA:				; CODE XREF: SeQueryInformationToken(x,x,x)+DDAj
					; SeQueryInformationToken(x,x,x)+DE9j
		mov	ecx, [edi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81AD07:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1D0o
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		call	_SeQuerySessionIdToken@8 ; SeQuerySessionIdToken(x,x)
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81AD1D:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1F4o
		mov	eax, large fs:124h
		xor	edi, edi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		push	1
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	eax, [esi+274h]
		test	eax, eax
		jz	loc_81A3A5
		mov	edi, [eax+14h]
		jmp	loc_81A3A5
; 

loc_81AD51:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1ECo
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+arg_0]
		push	1
		mov	eax, [edi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	edx, [edi+1E8h]
		lea	esi, ds:0Ch[edx*8]
		test	edx, edx
		jz	short loc_81AD98
		mov	ecx, [edi+1E4h]

loc_81AD84:				; CODE XREF: SeQueryInformationToken(x,x,x)+AC6j
		mov	eax, [ecx]
		lea	ecx, [ecx+8]
		movzx	eax, byte ptr [eax+1]
		lea	esi, [esi+eax*4]
		add	esi, 8
		sub	edx, 1
		jnz	short loc_81AD84

loc_81AD98:				; CODE XREF: SeQueryInformationToken(x,x,x)+AACj
		push	20206553h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_81A41E
		mov	eax, [edi+1E8h]
		mov	[ebx], eax
		lea	eax, [esp+60h+var_54]
		mov	ecx, [edi+1E8h]
		push	eax
		push	eax
		lea	eax, ds:0Ch[ecx*8]
		add	eax, ebx
		push	eax
		lea	eax, [ebx+4]
		push	eax
		mov	eax, [edi+1E4h]
		push	esi
		push	eax
		push	ecx
		jmp	loc_81A465
; 

loc_81ADDF:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1F8o
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 0
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, [ebp+arg_0]
		push	1
		mov	eax, [ebx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	eax, [ebx+27Ch]
		test	eax, eax
		jz	short loc_81AE49
		mov	edi, [eax+120h]
		test	edi, edi
		jnz	short loc_81AE1D
		cmp	esi, 21h
		jz	short loc_81AE49

loc_81AE1D:				; CODE XREF: SeQueryInformationToken(x,x,x)+B46j
		mov	eax, [eax+124h]
		test	eax, eax
		jnz	short loc_81AE2C
		cmp	esi, 22h
		jz	short loc_81AE49

loc_81AE2C:				; CODE XREF: SeQueryInformationToken(x,x,x)+B55j
		cmp	esi, 21h
		jz	short loc_81AE33
		mov	edi, eax

loc_81AE33:				; CODE XREF: SeQueryInformationToken(x,x,x)+B5Fj
		lea	eax, [esp+60h+var_50]
		xor	edx, edx
		push	eax
		push	0
		mov	ecx, edi
		call	AuthzBasepQueryClaimAttributesToken
		mov	eax, [esp+60h+var_50]
		jmp	short loc_81AE72
; 

loc_81AE49:				; CODE XREF: SeQueryInformationToken(x,x,x)+B3Cj
					; SeQueryInformationToken(x,x,x)+B4Bj ...
		lea	ecx, [esp+60h+var_14]
		mov	[esp+60h+var_C], 0
		mov	[esp+60h+var_10], ecx
		lea	edi, [esp+60h+var_18]
		mov	[esp+60h+var_14], ecx
		mov	eax, 0Ch
		lea	ecx, [esp+60h+var_8]
		mov	[esp+60h+var_4], ecx
		mov	[esp+60h+var_8], ecx

loc_81AE72:				; CODE XREF: SeQueryInformationToken(x,x,x)+B77j
		push	20206553h
		push	eax
		push	1
		mov	[esp+6Ch+var_24], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_81AEA4
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, 0C000009Ah
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81AEA4:				; CODE XREF: SeQueryInformationToken(x,x,x)+BB7j
		lea	eax, [esp+60h+var_50]
		mov	edx, esi
		push	eax
		push	[esp+64h+var_24]
		mov	ecx, edi
		call	AuthzBasepQueryClaimAttributesToken
		mov	ecx, [ebx+30h]
		mov	edi, eax
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		jns	short loc_81AEDC
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81AEDC:				; CODE XREF: SeQueryInformationToken(x,x,x)+BF7j
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81AEEC:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B1FCo
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, [ebp+arg_0]
		push	1
		mov	eax, [ebx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebx+27Ch]
		test	ecx, ecx
		jz	short loc_81AF21
		mov	edi, [ecx]
		test	edi, edi
		jz	short loc_81AF21
		lea	esi, ds:4[edi*8]
		jmp	short loc_81AF26
; 

loc_81AF21:				; CODE XREF: SeQueryInformationToken(x,x,x)+C40j
					; SeQueryInformationToken(x,x,x)+C46j
		xor	edi, edi
		lea	esi, [edi+0Ch]

loc_81AF26:				; CODE XREF: SeQueryInformationToken(x,x,x)+C4Fj
		test	edi, edi
		jz	short loc_81AF44
		mov	ecx, [ecx+4]
		mov	edx, edi
		nop

loc_81AF30:				; CODE XREF: SeQueryInformationToken(x,x,x)+C72j
		mov	eax, [ecx]
		lea	ecx, [ecx+8]
		movzx	eax, byte ptr [eax+1]
		lea	esi, [esi+eax*4]
		add	esi, 8
		sub	edx, 1
		jnz	short loc_81AF30

loc_81AF44:				; CODE XREF: SeQueryInformationToken(x,x,x)+C58j
		push	20206553h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_81AF75
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, 0C000009Ah
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81AF75:				; CODE XREF: SeQueryInformationToken(x,x,x)+C85j
		mov	dword ptr [ebx+4], 0
		mov	dword ptr [ebx+8], 0
		mov	[ebx], edi
		test	edi, edi
		jz	short loc_81AFB3
		mov	ecx, [ebp+arg_0]
		lea	eax, [esp+60h+var_54]
		push	eax		; int
		push	eax		; int
		lea	eax, ds:4[edi*8]
		mov	ecx, [ecx+27Ch]
		add	eax, ebx
		push	eax		; void *
		lea	eax, [ebx+4]
		push	eax		; int
		mov	eax, [ecx+4]
		push	esi		; int
		push	eax		; int
		mov	eax, [ecx]
		push	eax		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)

loc_81AFB3:				; CODE XREF: SeQueryInformationToken(x,x,x)+CB7j
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+30h]
		jmp	loc_81A46D
; 

loc_81AFBE:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B200o
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+arg_0]
		push	1
		mov	eax, [edi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	esi, [edi+280h]
		test	esi, esi
		jz	short loc_81AFF1
		movzx	eax, byte ptr [esi+1]
		lea	eax, ds:0Ch[eax*4]
		jmp	short loc_81AFF6
; 

loc_81AFF1:				; CODE XREF: SeQueryInformationToken(x,x,x)+D12j
		mov	eax, 4

loc_81AFF6:				; CODE XREF: SeQueryInformationToken(x,x,x)+D1Fj
		push	20206553h
		push	eax
		push	1
		mov	[esp+6Ch+var_24], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_81A41E
		test	esi, esi
		jz	loc_81A91F
		mov	eax, [edi+280h]
		jmp	loc_81A90D
; 

loc_81B024:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B20Co
		call	_Feature_PPLEnforcement__private_ReportDeviceUsage@0 ; Feature_PPLEnforcement__private_ReportDeviceUsage()

loc_81B029:				; CODE XREF: SeQueryInformationToken(x,x,x)+4Aj
					; SeQueryInformationToken(x,x,x)+57j ...
		mov	eax, 0C0000003h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81B037:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B204o
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+arg_0]
		push	1
		mov	eax, [edi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [edi+298h]
		mov	eax, 8
		test	ecx, ecx
		jz	short loc_81B069
		movzx	eax, word ptr [ecx+16h]
		add	eax, 8

loc_81B069:				; CODE XREF: SeQueryInformationToken(x,x,x)+D90j
		push	20206553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_81A41E
		cmp	dword ptr [edi+298h], 0
		jz	short loc_81B0AF
		lea	edx, [esi+8]
		mov	byte ptr [esi+4], 1
		mov	[esi], edx
		mov	ecx, [edi+298h]
		movzx	eax, word ptr [ecx+16h]
		push	eax		; size_t
		mov	eax, [ecx+18h]
		push	eax		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_81ACEA
; 

loc_81B0AF:				; CODE XREF: SeQueryInformationToken(x,x,x)+DB7j
		mov	byte ptr [esi+4], 0
		mov	dword ptr [esi], 0
		jmp	loc_81ACEA
; 

loc_81B0BE:				; CODE XREF: SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: PAGE:0081B208o
		mov	ecx, [ebp+arg_0]
		test	dword ptr [ecx+0B0h], 4000h
		jz	short loc_81B0EB
		call	SepCanTokenMatchAllPackageSid
		test	al, al
		jnz	short loc_81B0EB
		mov	eax, [ebp+arg_8]
		mov	ecx, 1
		mov	[eax], ecx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81B0EB:				; CODE XREF: SeQueryInformationToken(x,x,x)+DFBj
					; SeQueryInformationToken(x,x,x)+E04j
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		mov	[eax], ecx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81B0FD:				; CODE XREF: SeQueryInformationToken(x,x,x)+3Ej
					; SeQueryInformationToken(x,x,x)+57j
					; DATA XREF: ...
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+0B0h]
		cmp	esi, 17h
		jnz	short loc_81B121
		mov	eax, [ebp+arg_8]
		shr	ecx, 9
		and	ecx, 1
		mov	[eax], ecx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81B121:				; CODE XREF: SeQueryInformationToken(x,x,x)+E39j
		cmp	esi, 18h
		jnz	short loc_81B13C
		mov	eax, [ebp+arg_8]
		shr	ecx, 0Ah
		and	ecx, 1
		mov	[eax], ecx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81B13C:				; CODE XREF: SeQueryInformationToken(x,x,x)+E54j
		cmp	esi, 1Ah
		jnz	short loc_81B157
		mov	eax, [ebp+arg_8]
		shr	ecx, 0Ch
		and	ecx, 1
		mov	[eax], ecx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81B157:				; CODE XREF: SeQueryInformationToken(x,x,x)+E6Fj
		cmp	esi, 1Dh
		jnz	short loc_81B172
		mov	eax, [ebp+arg_8]
		shr	ecx, 0Eh
		and	ecx, 1
		mov	[eax], ecx
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81B172:				; CODE XREF: SeQueryInformationToken(x,x,x)+E8Aj
		cmp	esi, 15h
		jnz	short loc_81B190
		mov	eax, [ebp+arg_8]
		test	ecx, 810h
		setnz	cl
		mov	[eax], cl
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_81B190:				; CODE XREF: SeQueryInformationToken(x,x,x)+EA5j
		mov	eax, [ebp+arg_8]
		shr	ecx, 10h
		pop	edi
		and	ecx, 1
		pop	esi
		mov	[eax], ecx
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_SeQueryInformationToken@12 endp

; 
		align 4
off_81B1A8	dd offset loc_81A32E	; DATA XREF: SeQueryInformationToken(x,x,x)+57r
		dd offset loc_81A3C2
		dd offset loc_81A487
		dd offset loc_81A83F
		dd offset loc_81A99B
		dd offset loc_81A9FA
		dd offset loc_81AA7F
		dd offset loc_81AAC0
		dd offset loc_81ABE9
		dd offset loc_81AC27
		dd offset loc_81AD07
		dd offset loc_81A4E5
		dd offset loc_81AAF1
		dd offset loc_81AB4C
		dd offset loc_81B0FD
		dd offset loc_81A74A
		dd offset loc_81A926
		dd offset loc_81AD51
		dd offset loc_81A8B0
		dd offset loc_81AD1D
		dd offset loc_81ADDF
		dd offset loc_81AEEC
		dd offset loc_81AFBE
		dd offset loc_81B037
		dd offset loc_81B0BE
		dd offset loc_81B024
		dd offset loc_81B029
byte_81B214	db 0			; DATA XREF: SeQueryInformationToken(x,x,x)+50r
		db 1, 2, 3
		dd 7060504h, 0A1A0908h,	1A1A1A0Bh, 0D1A0C1Ah, 0E0E0F0Eh
		dd 1A1A0E10h, 1312110Eh, 1A1A1414h, 1A1A1A15h, 171A0E16h
		dd 191A181Ah, 3	dup(0CCCCCCCCh)
; Exported entry 1592. NtSetInformationThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtSetInformationThread
NtSetInformationThread proc near	; DATA XREF: .text:00580CB8o

var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_104		= dword	ptr -104h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_55		= byte ptr -55h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_3E		= byte ptr -3Eh
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0081BE89 SIZE 0000000B BYTES
; FUNCTION CHUNK AT 0091F0CE SIZE 0000000F BYTES
; FUNCTION CHUNK AT 0091F105 SIZE 0000002B BYTES
; FUNCTION CHUNK AT 0091F158 SIZE 00000053 BYTES
; FUNCTION CHUNK AT 0091F1D3 SIZE 0000000A BYTES
; FUNCTION CHUNK AT 0091F205 SIZE 00000067 BYTES
; FUNCTION CHUNK AT 0091F294 SIZE 00000014 BYTES
; FUNCTION CHUNK AT 0091F2D0 SIZE 0000002A BYTES
; FUNCTION CHUNK AT 0091F322 SIZE 0000007C BYTES
; FUNCTION CHUNK AT 0091F3C6 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 0091F3F5 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 0091F45B SIZE 0000005C BYTES
; FUNCTION CHUNK AT 0091F4DF SIZE 0000004F BYTES
; FUNCTION CHUNK AT 0091F556 SIZE 0000004C BYTES
; FUNCTION CHUNK AT 0091F5F2 SIZE 000000D7 BYTES
; FUNCTION CHUNK AT 0091F6F1 SIZE 0000007E BYTES
; FUNCTION CHUNK AT 0091F795 SIZE 00000013 BYTES
; FUNCTION CHUNK AT 0091F7D0 SIZE 0000010E BYTES
; FUNCTION CHUNK AT 0091F906 SIZE 0000006F BYTES
; FUNCTION CHUNK AT 0091F99D SIZE 00000071 BYTES
; FUNCTION CHUNK AT 0091FA56 SIZE 00000071 BYTES
; FUNCTION CHUNK AT 0091FAEF SIZE 00000019 BYTES
; FUNCTION CHUNK AT 0091FB30 SIZE 0000000D BYTES
; FUNCTION CHUNK AT 0091FB85 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 0091FBB0 SIZE 000000BA BYTES
; FUNCTION CHUNK AT 0091FC92 SIZE 0000006C BYTES
; FUNCTION CHUNK AT 0091FD26 SIZE 000000EF BYTES
; FUNCTION CHUNK AT 0091FE3D SIZE 0000001B BYTES
; FUNCTION CHUNK AT 0091FEA8 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5918
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 164h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	edi, [ebp+arg_0]
		mov	esi, [ebp+arg_8]
		mov	ebx, [ebp+arg_C]
		mov	[ebp+var_2C], 0
		xor	eax, eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_A0], eax
		mov	[ebp+var_9C], eax
		mov	[ebp+var_78], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_80], eax
		mov	[ebp+var_90], eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_98], eax
		mov	[ebp+var_94], eax
		mov	eax, large fs:124h
		mov	[ebp+var_34], eax
		mov	dl, [eax+15Ah]
		mov	[ebp+var_35], dl
		mov	byte ptr [ebp+var_30], dl
		test	dl, dl
		jz	loc_81BA11
		mov	[ebp+var_4], 0
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 27h
		jl	loc_81B4CF
		cmp	ecx, 30h
		jge	loc_81B4CF

loc_81B324:				; CODE XREF: NtSetInformationThread+287j
					; NtSetInformationThread+293j ...
		mov	eax, 3

loc_81B329:				; CODE XREF: NtSetInformationThread+103E80j
		test	ebx, ebx
		jz	short loc_81B351
		test	eax, esi
		jnz	loc_81BE89
		lea	eax, [ebx+esi]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	loc_91F0D5
		cmp	eax, esi
		jb	loc_91F0D5

loc_81B34E:				; CODE XREF: NtSetInformationThread+103E88j
		mov	dl, [ebp+var_35]

loc_81B351:				; CODE XREF: NtSetInformationThread+DBj
		mov	[ebp+var_4], 0FFFFFFFEh

loc_81B358:				; CODE XREF: NtSetInformationThread+7C4j
		cmp	ecx, 2Ch
		jnz	loc_81B465
		cmp	edi, 0FFFFFFFEh
		jnz	loc_91FE0B
		cmp	ebx, 8
		jnz	loc_81BDAB
		mov	[ebp+var_4], 1Bh
		mov	eax, [esi]
		mov	[ebp+var_98], eax
		mov	eax, [esi+4]
		mov	[ebp+var_94], eax
		mov	[ebp+var_4], edi
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	400h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_81B627
		mov	[ebp+var_88], 0
		mov	[ebp+var_138], 0
		mov	[ebp+var_134], 0
		lea	edx, [ebp+var_98]
		lea	ecx, [ebp+var_138]
		lea	esi, [ebx-4]

loc_81B3E4:				; CODE XREF: NtSetInformationThread+1A7j
		mov	eax, [edx]
		cmp	eax, [ecx]
		jnz	loc_81B62E
		add	edx, 4
		add	ecx, 4
		sub	esi, 4
		jnb	short loc_81B3E4

loc_81B3F9:				; CODE XREF: NtSetInformationThread+3F8j
		xor	eax, eax

loc_81B3FB:				; CODE XREF: NtSetInformationThread+403j
		test	eax, eax
		jz	loc_81B4F7
		lea	edx, [ebp+var_88]
		lea	ecx, [ebp+var_98]
		call	_PspThreadFromTicket@8 ; PspThreadFromTicket(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_81B438
		mov	ecx, [ebp+var_34]
		call	PspRevertContainerImpersonation
		mov	ecx, [ebp+var_88]
		call	PsImpersonateContainerOfThread
		mov	ecx, [ebp+var_88]
		call	ObfDereferenceObject

loc_81B438:				; CODE XREF: NtSetInformationThread+1C8j
					; NtSetInformationThread+2AFj
		mov	edx, 79517350h
		mov	ecx, [ebp+var_2C]
		call	ObfDereferenceObjectWithTag
		mov	eax, edi

loc_81B447:				; CODE XREF: NtSetInformationThread+25Ej
					; NtSetInformationThread+27Aj ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_81B465:				; CODE XREF: NtSetInformationThread+10Bj
		cmp	ecx, 5
		jnz	loc_81B504
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 7
		mov	esi, [esi]
		mov	[ebp+var_154], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	80h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_81B447
		push	esi
		mov	edi, [ebp+var_2C]
		push	edi
		call	PsAssignImpersonationToken

loc_81B4BA:				; CODE XREF: NtSetInformationThread+1047B9j
		mov	esi, eax
		mov	ecx, edi

loc_81B4BE:				; CODE XREF: NtSetInformationThread+104A08j
					; NtSetInformationThread+104A15j ...
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_81B447
; 

loc_81B4CF:				; CODE XREF: NtSetInformationThread+C5j
					; NtSetInformationThread+CEj
		cmp	ecx, 7
		jge	short loc_81B4DD
		cmp	ecx, 5
		jge	loc_81B324

loc_81B4DD:				; CODE XREF: NtSetInformationThread+282j
		lea	eax, [ecx-2]
		cmp	eax, 2Fh
		ja	loc_81B324
		movzx	eax, ds:byte_81BEA0[eax]
		jmp	ds:off_81BE94[eax*4]
; 

loc_81B4F7:				; CODE XREF: NtSetInformationThread+1ADj
		mov	ecx, [ebp+var_34]
		call	PspRevertContainerImpersonation
		jmp	loc_81B438
; 

loc_81B504:				; CODE XREF: NtSetInformationThread+218j
		add	ecx, 0FFFFFFFEh
		cmp	ecx, 30h
		ja	loc_91FEA8
		movzx	eax, ds:byte_81BF4C[ecx]
		jmp	ds:off_81BED0[eax*4]

loc_81B51E:				; DATA XREF: PAGE:0081BF04o
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 0Fh
		mov	esi, [esi]
		mov	[ebp+var_170], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		call	_MmGetDefaultPagePriority@0 ; MmGetDefaultPagePriority()
		cmp	esi, eax
		ja	loc_91FE0B
		call	_MmGetMinWsPagePriority@0 ; MmGetMinWsPagePriority()
		cmp	esi, eax
		jb	loc_91FE0B
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	20h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		mov	edx, esi
		mov	ecx, [ebp+var_2C]
		call	PsSetPagePriorityThread
		mov	edx, 79517350h
		mov	ecx, [ebp+var_2C]
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_81B447
; 

loc_81B599:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BED4o
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 2
		mov	ebx, [esi]
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	400h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp+var_3C], eax
		test	eax, eax
		js	loc_81B447
		mov	esi, [ebp+var_2C]
		mov	edx, [esi+150h]
		cmp	ebx, 2
		jg	loc_81BA19
		cmp	ebx, 0FFFFFFFEh
		jl	loc_81BA19

loc_81B5FA:				; CODE XREF: NtSetInformationThread+7CCj
					; NtSetInformationThread+7D5j ...
		mov	eax, [edx+158h]
		mov	[ebp+var_50], eax
		test	eax, eax
		jnz	loc_81B6D5

loc_81B60B:				; CODE XREF: NtSetInformationThread+48Cj
					; NtSetInformationThread+103F42j
		mov	eax, [ebp+var_5C]

loc_81B60E:				; CODE XREF: NtSetInformationThread+103F4Dj
		push	eax
		mov	esi, [ebp+var_2C]
		push	esi
		call	KeSetBasePriorityThread

loc_81B618:				; CODE XREF: NtSetInformationThread+103F56j
		mov	edi, [ebp+var_3C]

loc_81B61B:				; CODE XREF: NtSetInformationThread+103F36j
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_81B627:				; CODE XREF: NtSetInformationThread+161j
					; NtSetInformationThread+104701j
		mov	eax, edi
		jmp	loc_81B447
; 

loc_81B62E:				; CODE XREF: NtSetInformationThread+198j
		cmp	al, [ecx]
		jnz	short loc_81B64E
		mov	al, [edx+1]
		cmp	al, [ecx+1]
		jnz	short loc_81B64E
		mov	al, [edx+2]
		cmp	al, [ecx+2]
		jnz	short loc_81B64E
		mov	al, [edx+3]
		cmp	al, [ecx+3]
		jz	loc_81B3F9

loc_81B64E:				; CODE XREF: NtSetInformationThread+3E0j
					; NtSetInformationThread+3E8j ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_81B3FB
; 

loc_81B658:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF08o
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 3
		mov	esi, [esi]
		mov	[ebp+var_5C], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		lea	eax, [esi-1]
		cmp	eax, 1Eh
		ja	loc_91FE0B
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	400h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_81B447
		mov	edi, [ebp+var_2C]
		mov	eax, [edi+150h]
		cmp	esi, 10h
		jge	loc_81BBAE

loc_81B6BB:				; CODE XREF: NtSetInformationThread+965j
					; NtSetInformationThread+981j
		push	esi
		push	edi
		call	KeSetActualBasePriorityThread

loc_81B6C2:				; CODE XREF: NtSetInformationThread+103F88j
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, ebx
		jmp	loc_81B447
; 

loc_81B6D5:				; CODE XREF: NtSetInformationThread+3B5j
		test	byte ptr [eax+18Ch], 20h
		jz	loc_81B60B
		jmp	loc_91F18B
; 

loc_81B6E7:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BEE4o
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 0Ah
		mov	ebx, [esi]
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	20h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp+var_30], eax
		mov	[ebp+var_3C], eax
		test	eax, eax
		js	loc_81B447
		mov	edx, 79517350h
		mov	edi, [ebp+var_2C]
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		cmp	edi, [ebp+var_34]
		jnz	loc_91FE0B
		mov	edi, [edi+150h]
		mov	[ebp+var_34], edi
		push	0

loc_81B750:				; CODE XREF: NtSetInformationThread+51Fj
		push	edi
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	esi, eax
		mov	[ebp+var_2C], esi
		test	esi, esi
		jz	short loc_81B7AA
		lea	ecx, [esi+2ECh]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_81B771

loc_81B76E:				; CODE XREF: NtSetInformationThread+558j
		push	esi
		jmp	short loc_81B750
; 

loc_81B771:				; CODE XREF: NtSetInformationThread+51Cj
		mov	eax, [esi+0A8h]
		test	eax, eax
		jz	short loc_81B79D
		mov	[ebp+var_4], 0Bh
		cmp	ebx, 40h
		jnb	loc_81B9D0
		mov	dword ptr [eax+ebx*4+0E10h], 0

loc_81B796:				; CODE XREF: NtSetInformationThread+786j
					; NtSetInformationThread+79Aj ...
		mov	[ebp+var_4], 0FFFFFFFEh

loc_81B79D:				; CODE XREF: NtSetInformationThread+529j
					; sub_91F40F+1Fj
		lea	ecx, [esi+2ECh]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_81B76E
; 

loc_81B7AA:				; CODE XREF: NtSetInformationThread+50Dj
		mov	eax, [ebp+var_30]
		jmp	loc_81B447
; 

loc_81B7B2:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF00o
		cmp	ebx, 4
		jnz	loc_91F4F2

loc_81B7BB:				; CODE XREF: NtSetInformationThread+1042AEj
		mov	[ebp+var_4], 0Dh
		mov	esi, [esi]
		mov	[ebp+var_164], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	bl, bl

loc_81B7D3:				; CODE XREF: NtSetInformationThread+1042D9j
		cmp	esi, 4
		jnb	loc_91FE0B
		cmp	esi, 3
		jnb	loc_91F556

loc_81B7E5:				; CODE XREF: NtSetInformationThread+104329j
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	20h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		mov	edi, [ebp+var_2C]
		cmp	bl, 1
		jz	loc_91F57E

loc_81B815:				; CODE XREF: NtSetInformationThread+10433Cj
					; NtSetInformationThread+10434Dj
		mov	edx, esi
		mov	ecx, edi
		call	PsSetIoPriorityThread
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_81B447
; 

loc_81B831:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF24o
		mov	[ebp+var_3E], 0
		mov	[ebp+var_44], 0
		mov	[ebp+var_84], 0
		mov	[ebp+var_3C], 0
		mov	[ebp+var_3D], 0
		mov	[ebp+var_4], 17h
		cmp	ebx, 8
		jnz	loc_91FAEF
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	400h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_3C], edi
		test	edi, edi
		js	loc_91FB8D
		mov	[ebp+var_3E], 1
		cmp	[ebp+var_35], 0
		jz	loc_81BBDC
		mov	[ebp+var_4], 18h
		mov	[ebp+var_A8], 0
		mov	[ebp+var_A4], 0
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_91FAF9

loc_81B8C3:				; CODE XREF: NtSetInformationThread+1048ABj
		nop
		mov	eax, [esi]
		mov	[ebp+var_A8], eax
		mov	edx, [esi+4]
		mov	[ebp+var_54], edx
		mov	[ebp+var_A4], edx
		mov	ecx, [ebp+var_A8]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_90], ecx
		mov	[ebp+var_8C], edx
		movzx	eax, ax
		test	ax, ax
		jz	short loc_81B916
		test	dl, 1
		jnz	loc_81BE8E
		add	eax, edx
		mov	esi, ds:_MmUserProbeAddress
		cmp	eax, esi
		ja	loc_91FB00
		cmp	eax, edx
		jb	loc_91FB00

loc_81B916:				; CODE XREF: NtSetInformationThread+6A3j
					; NtSetInformationThread+1048B3j
		mov	[ebp+var_4], 17h
		mov	edi, [ebp+var_3C]
		mov	esi, [ebp+var_54]

loc_81B923:				; CODE XREF: NtSetInformationThread+9A0j
		test	cl, 1
		jnz	loc_91FB85
		mov	eax, ecx
		shr	eax, 10h
		cmp	cx, ax
		ja	loc_91FB85
		movzx	eax, cx
		mov	[ebp+var_54], eax
		push	6D4E6854h
		add	eax, 8
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_44], ebx
		test	ebx, ebx
		jz	loc_91FB30
		lea	eax, [ebx+8]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_30]
		mov	[ebx], ax
		mov	[ebx+2], ax
		mov	[ebp+var_4], 19h
		push	[ebp+var_54]	; size_t
		push	esi		; void *
		mov	eax, [ebx+4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 17h
		mov	edx, [ebp+var_34]
		mov	esi, [ebp+var_2C]
		mov	ecx, esi
		call	_PspLockThreadSecurityExclusive@8 ; PspLockThreadSecurityExclusive(x,x)
		mov	[ebp+var_3D], 1
		mov	eax, [esi+394h]
		mov	[ebp+var_84], eax
		mov	[esi+394h], ebx
		xor	ebx, ebx
		mov	[ebp+var_44], ebx
		mov	ecx, esi
		call	EtwTraceThreadSetName

loc_81B9BD:				; CODE XREF: NtSetInformationThread+1048E8j
					; NtSetInformationThread+104940j
		mov	[ebp+var_4], 0FFFFFFFEh
		call	sub_81BE47
		mov	eax, edi
		jmp	loc_81B447
; 

loc_81B9D0:				; CODE XREF: NtSetInformationThread+535j
		cmp	ebx, 440h
		jnb	loc_81B796
		mov	eax, [eax+0F94h]
		mov	[ebp+var_150], eax
		test	eax, eax
		jz	loc_81B796
		lea	eax, [eax+ebx*4]
		add	eax, 0FFFFFF00h
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_91F3F5

loc_81BA06:				; CODE XREF: NtSetInformationThread+1041A7j
		mov	dword ptr [eax], 0
		jmp	loc_81B796
; 

loc_81BA11:				; CODE XREF: NtSetInformationThread+B2j
		mov	ecx, [ebp+arg_4]
		jmp	loc_81B358
; 

loc_81BA19:				; CODE XREF: NtSetInformationThread+39Bj
					; NtSetInformationThread+3A4j
		cmp	ebx, 10h
		jz	loc_81B5FA
		cmp	ebx, 0FFFFFFF0h
		jz	loc_81B5FA
		jmp	loc_91F158
; 

loc_81BA30:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:off_81BED0o
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 1
		mov	esi, [esi]
		mov	[ebp+var_15C], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		lea	eax, [esi-1]
		cmp	eax, 1Eh
		ja	loc_91FE0B
		mov	ebx, [ebp+var_30]
		cmp	esi, 10h
		jge	loc_91F105

loc_81BA67:				; CODE XREF: NtSetInformationThread+103ED0j
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	ebx
		mov	eax, ds:_PsThreadType
		push	eax
		push	400h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		push	esi
		mov	esi, [ebp+var_2C]
		push	esi
		call	KeSetPriorityThread
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_81B447
; 

loc_81BAA9:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BED8o
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 5
		mov	esi, [esi]
		mov	[ebp+var_28], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		test	esi, esi
		jz	loc_91FE0B
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	400h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		mov	edi, [ebp+var_2C]
		mov	ebx, [edi+150h]
		lea	ecx, [ebx+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_91F29E
		push	esi
		push	edi
		call	_KeSetLegacyAffinityThread@8 ; KeSetLegacyAffinityThread(x,x)
		test	eax, eax
		jz	loc_91F294
		xor	esi, esi

loc_81BB21:				; CODE XREF: NtSetInformationThread+104049j
		lea	ecx, [ebx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_81BB2C:				; CODE XREF: NtSetInformationThread+104053j
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_81BB38:				; CODE XREF: NtSetInformationThread+1049EDj
		mov	eax, esi
		jmp	loc_81B447
; 

loc_81BB3F:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BEECo
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 9
		mov	esi, [esi]
		mov	[ebp+var_158], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	400h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_81B447
		test	esi, esi
		jz	loc_91F3C6
		lea	edx, [ebx-3]

loc_81BB92:				; CODE XREF: NtSetInformationThread+104178j
		mov	ecx, [ebp+var_2C]
		call	_KeSetDisableBoostThread@8 ; KeSetDisableBoostThread(x,x)
		mov	edx, 79517350h
		mov	ecx, [ebp+var_2C]
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_81B447
; 

loc_81BBAE:				; CODE XREF: NtSetInformationThread+465j
		cmp	byte ptr [eax+1BBh], 4
		jz	loc_81B6BB
		push	[ebp+var_30]
		mov	eax, ds:dword_A949F4
		push	eax
		mov	eax, ds:_SeIncreaseBasePriorityPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	loc_81B6BB
		jmp	loc_91F1D3
; 

loc_81BBDC:				; CODE XREF: NtSetInformationThread+645j
		mov	ecx, [esi]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_90], ecx
		mov	esi, [esi+4]
		mov	[ebp+var_8C], esi
		jmp	loc_81B923
; 

loc_81BBF5:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF44o
		cmp	edi, 0FFFFFFFEh
		jnz	loc_91FC15
		test	dl, dl
		jnz	loc_91FC15
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 1Fh
		mov	eax, [esi]
		mov	[ebp+var_174], eax
		mov	[ebp+var_4], edi
		cmp	eax, 2
		jnb	loc_91FE0B
		mov	ecx, large fs:124h
		shl	eax, 0Bh
		xor	eax, [ecx+300h]
		and	eax, 800h
		xor	[ecx+300h], eax
		call	_KeUpdateThreadCpuSets@4 ; KeUpdateThreadCpuSets(x)
		xor	eax, eax
		jmp	loc_81B447
; 

loc_81BC51:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF10o
		cmp	ebx, 0Ch
		jnz	loc_81BDAB
		mov	[ebp+var_4], 6
		mov	eax, [esi]
		mov	[ebp+var_28], eax
		mov	eax, [esi+4]
		mov	[ebp+var_24], eax
		mov	eax, [esi+8]
		mov	[ebp+var_20], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	dl, 1
		lea	ecx, [ebp+var_28]
		call	_KeVerifyGroupAffinity@8 ; KeVerifyGroupAffinity(x,x)
		test	al, al
		jz	loc_91FE0B
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	20h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		mov	eax, [ebp+var_2C]
		mov	ebx, [eax+150h]
		mov	edx, [ebp+var_34]
		mov	ecx, ebx
		call	_PspLockProcessShared@8	; PspLockProcessShared(x,x)
		mov	eax, [ebx+158h]
		mov	[ebp+var_50], eax
		mov	esi, eax
		test	esi, esi
		jz	short loc_81BCE9
		push	1
		lea	eax, [esi+20h]
		push	eax
		call	ExAcquireResourceSharedLite
		test	byte ptr [esi+18Ch], 10h
		jnz	loc_91F2D0

loc_81BCE9:				; CODE XREF: NtSetInformationThread+A7Fj
					; NtSetInformationThread+104095j
		lea	edx, [ebp+var_28]
		mov	edi, [ebp+var_2C]
		mov	ecx, edi
		call	_KeSetAffinityThread@8 ; KeSetAffinityThread(x,x)
		mov	[ebp+var_4C], 0

loc_81BCFD:				; CODE XREF: NtSetInformationThread+1040A5j
		test	esi, esi
		jz	short loc_81BD09
		lea	ecx, [esi+20h]
		call	ExReleaseResourceLite

loc_81BD09:				; CODE XREF: NtSetInformationThread+AAFj
		mov	edx, [ebp+var_34]
		mov	ecx, ebx
		call	_PspUnlockProcessShared@8 ; PspUnlockProcessShared(x,x)
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp+var_4C]
		jmp	loc_81B447
; 

loc_81BD27:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BEF8o
		cmp	ebx, 4
		jnz	short loc_81BDAB
		mov	[ebp+var_4], 0Ch
		mov	esi, [esi]
		mov	[ebp+var_160], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ebx, [ebp+var_30]
		push	ebx
		mov	eax, ds:dword_A94A14
		push	eax
		mov	eax, ds:_SeDebugPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_91F126
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	ebx
		mov	eax, ds:_PsThreadType
		push	eax
		push	20h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		mov	ecx, [ebp+var_2C]
		lea	eax, [ecx+2FCh]
		test	esi, esi
		jz	loc_91F4AA
		mov	edx, 20h
		lock or	[eax], edx

loc_81BD9A:				; CODE XREF: NtSetInformationThread+104262j
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_81B447
; 

loc_81BDAB:				; CODE XREF: NtSetInformationThread+11Dj
					; NtSetInformationThread+221j ...
		mov	eax, 0C0000004h
		jmp	loc_81B447
; 

loc_81BDB5:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF40o
		cmp	ebx, 0Ch
		jnz	short loc_81BDAB
		mov	[ebp+var_4], 1Eh
		mov	eax, [esi]
		mov	ecx, [esi+4]
		mov	edx, [esi+8]
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	eax, 1
		jnz	loc_91FE0B
		test	ecx, 0FFFFFFFEh
		jnz	loc_91FE0B
		mov	eax, ecx
		not	eax
		test	eax, edx
		jnz	loc_91FE0B
		test	cl, 1
		jz	loc_91FE51
		test	dl, 1
		jz	loc_91FE47
		lea	esi, [ebx-0Bh]

loc_81BE06:				; CODE XREF: NtSetInformationThread+104BFCj
					; NtSetInformationThread+104C03j
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	20h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		push	esi
		mov	esi, [ebp+var_2C]
		push	esi
		call	PspSetThreadPpmPolicy
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_81B447
NtSetInformationThread endp


;  S U B	R O U T	I N E 


sub_81BE47	proc near		; CODE XREF: NtSetInformationThread+774p
					; sub_91FB95+6j

; FUNCTION CHUNK AT 0091FBA0 SIZE 00000010 BYTES

		cmp	byte ptr [ebp-3Dh], 0
		jz	short loc_81BE58
		mov	edx, [ebp-34h]
		mov	ecx, [ebp-2Ch]
		call	PspUnlockThreadSecurityExclusive

loc_81BE58:				; CODE XREF: sub_81BE47+4j
		cmp	byte ptr [ebp-3Eh], 0
		jz	short loc_81BE6B
		mov	edx, 79517350h
		mov	ecx, [ebp-2Ch]
		call	ObfDereferenceObjectWithTag

loc_81BE6B:				; CODE XREF: sub_81BE47+15j
		mov	eax, [ebp-84h]
		test	eax, eax
		jz	short loc_81BE80
		push	6D4E6854h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_81BE80:				; CODE XREF: sub_81BE47+2Cj
		test	ebx, ebx
		jnz	loc_91FBA0

locret_81BE88:				; CODE XREF: sub_81BE47+103D64j
		retn
sub_81BE47	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_81BE89:				; CODE XREF: NtSetInformationThread+DFj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_81BE8E:				; CODE XREF: NtSetInformationThread+6A8j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		nop
; END OF FUNCTION CHUNK	FOR NtSetInformationThread
; 
off_81BE94	dd offset loc_81B324	; DATA XREF: NtSetInformationThread+2A0r
		dd offset loc_91F0CE
		dd offset loc_81B324
byte_81BEA0	db 0			; DATA XREF: NtSetInformationThread+299r
		db 2, 0, 2
		dd 2020102h, 3 dup(2020202h), 2000200h,	2020202h, 2010200h
		dd 2 dup(2020200h), 2020202h, 202h
off_81BED0	dd offset loc_81BA30	; DATA XREF: NtSetInformationThread+2C7r
		dd offset loc_81B599
		dd offset loc_81BAA9
		dd offset loc_91F205
		dd offset loc_91FE0B
		dd offset loc_81B6E7
		dd offset loc_91F322
		dd offset loc_81BB3F
		dd offset loc_91F4E8
		dd offset loc_91F45B
		dd offset loc_81BD27
		dd offset loc_91F4DF
		dd offset loc_81B7B2
		dd offset loc_81B51E
		dd offset loc_81B658
		dd offset loc_91F7D0
		dd offset loc_81BC51
		dd offset loc_91F5F2
		dd offset loc_91F6F1
		dd offset loc_91F80B
		dd offset loc_91F906
		dd offset loc_81B831
		dd offset loc_91F99D
		dd offset loc_91FA56
		dd offset loc_91FBB0
		dd offset loc_91FC92
		dd offset loc_91FD26
		dd offset loc_91FE3D
		dd offset loc_81BDB5
		dd offset loc_81BBF5
		dd offset loc_91FEA8
byte_81BF4C	db 0			; DATA XREF: NtSetInformationThread+2C0r
		db 1, 2, 1Eh
		dd 41E031Eh, 61E1E05h, 91E0807h, 1E1E0B0Ah, 0E0D1E0Ch
		dd 0F1E1E1Eh, 12111E10h, 1E141E13h, 1E1E1615h, 1E1E1817h
		dd 1C1B1A19h, 0CCCCCC1Dh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtOpenKeyEx(x, x, x, x)
_NtOpenKeyEx@16	proc near		; DATA XREF: .text:00580F40o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	CmOpenKey
		pop	ebp
		retn	10h
_NtOpenKeyEx@16	endp ; sp = -0Ch

; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 1561. NtQueryInformationFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtQueryInformationFile(int,int,int,size_t,int)
		public _NtQueryInformationFile@20
_NtQueryInformationFile@20 proc	near	; CODE XREF: PfpFileCheckAttributesForPrefetch+27p
					; PfSnGetPrefetchInstructions+13Dp ...

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= byte ptr -28h
var_27		= byte ptr -27h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_1F		= byte ptr -1Fh
var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0081C485 SIZE 00000231 BYTES
; FUNCTION CHUNK AT 0081C6E1 SIZE 000000ED BYTES
; FUNCTION CHUNK AT 0081C7ED SIZE 00000066 BYTES
; FUNCTION CHUNK AT 0081C896 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5B20
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 84h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_24], 0
		xor	eax, eax
		mov	[ebp+var_90], eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_88], eax
		mov	[ebp+var_84], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_1F], al
		mov	[ebp+var_2A], al
		mov	eax, large fs:124h
		mov	[ebp+var_74], eax
		mov	cl, [eax+15Ah]
		mov	[ebp+var_1D], cl
		mov	byte ptr [ebp+var_40], cl
		mov	ebx, [ebp+arg_10]
		push	ebx
		mov	eax, [ebp+arg_C]
		push	eax
		mov	eax, [ebp+arg_8]
		push	eax
		mov	edi, [ebp+arg_4]
		push	edi
		call	IopValidateQueryInformationParameters
		test	eax, eax
		js	loc_81C896
		cmp	[ebp+var_1D], 0
		jnz	short loc_81C064
		cmp	ebx, 4Bh
		jnz	short loc_81C064
		mov	ebx, 47h
		mov	[ebp+arg_10], ebx
		mov	[ebp+var_2A], 1

loc_81C064:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+A1j
					; NtQueryInformationFile(x,x,x,x,x)+A6j
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_40]
		mov	edx, ds:_IopQueryOperationAccess[ebx*4]
		mov	ecx, [ebp+arg_0]
		call	IopReferenceFileObject
		mov	esi, eax
		mov	[ebp+var_34], esi
		test	esi, esi
		js	loc_81C116
		cmp	ebx, 8
		jnz	loc_81C12C
		call	_IopUpdateOtherOperationCount@0	; IopUpdateOtherOperationCount()
		cmp	[ebp+arg_C], 4
		jnb	short loc_81C0C2
		mov	esi, 0C0000004h
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObject
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_81C0C2:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+EDj
		mov	[ebp+var_25], 1
		mov	[ebp+var_4], 0
		mov	eax, [ebp+var_50]
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		mov	[ebp+var_25], 0
		mov	dword ptr [edi], 0
		mov	dword ptr [edi+4], 4
		jmp	short loc_81C107
; 

loc_81C0E8:				; DATA XREF: .text:006A5B34o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-60h], eax
		mov	eax, 1
		retn
; 

loc_81C0F8:				; DATA XREF: .text:006A5B38o
		mov	esp, [ebp-18h]
		cmp	byte ptr [ebp-25h], 0
		mov	esi, [ebp-60h]
		jnz	short loc_81C107
		mov	esi, [ebp-34h]

loc_81C107:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+136j
					; NtQueryInformationFile(x,x,x,x,x)+152j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObject

loc_81C116:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+D5j
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_81C12C:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+DEj
		mov	edi, [ebp+var_24]
		test	dword ptr [edi+2Ch], 800h
		jnz	short loc_81C140
		push	edi
		call	IoGetRelatedDeviceObject
		jmp	short loc_81C149
; 

loc_81C140:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+186j
		mov	eax, [edi+4]
		push	eax
		call	_IoGetAttachedDevice@4 ; IoGetAttachedDevice(x)

loc_81C149:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+18Ej
		mov	[ebp+arg_0], eax
		mov	eax, [eax+8]
		mov	eax, [eax+28h]
		mov	[ebp+var_44], eax
		cmp	ebx, 33h
		jnz	loc_81C21F
		mov	byte ptr [ebp-26h], 1
		cmp	[ebp+arg_C], 1
		jnb	short loc_81C18A
		mov	esi, 0C0000004h
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_81C18A:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+1B6j
		mov	[ebp+var_4], 1
		mov	eax, [edi+4]
		mov	al, [eax+20h]
		shr	al, 4
		and	al, 1
		mov	ecx, [ebp+arg_8]
		mov	[ecx], al
		mov	byte ptr [ebp-26h], 0
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 0
		mov	dword ptr [eax+4], 1
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_81C1D9:				; DATA XREF: .text:006A5B40o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-64h], eax
		mov	eax, 1
		retn
; 

loc_81C1E9:				; DATA XREF: .text:006A5B44o
		mov	esp, [ebp-18h]
		cmp	byte ptr [ebp-26h], 0
		mov	esi, [ebp-64h]
		jnz	short loc_81C1F8
		mov	esi, [ebp-34h]

loc_81C1F8:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+243j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-24h]

loc_81C202:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+315j
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_81C21F:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+1A8j
		cmp	ebx, 3Ah
		jnz	short loc_81C255
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		push	ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, [edi+4]
		call	IopGetFileVolumeNameInformation
		mov	esi, eax
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_81C255:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+272j
		mov	eax, [edi+2Ch]
		test	al, 2
		jz	loc_81C491
		shr	eax, 2
		and	al, 1
		mov	byte ptr [ebp+var_30], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		mov	edi, [ebp+var_24]
		lea	ecx, [edi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	[ebp+var_27], 0
		mov	edx, 1
		lea	ecx, [edi+44h]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	short loc_81C2AA
		test	eax, eax
		jz	short loc_81C29F
		or	byte ptr [eax+0Eh], 1

loc_81C29F:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+2E9j
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	esi, esi
		jmp	short loc_81C2BE
; 

loc_81C2AA:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+2E5j
		lea	ecx, [ebp+var_27]
		push	ecx
		push	eax
		push	[ebp+var_30]
		mov	dl, [ebp+var_1D]
		mov	ecx, edi
		call	IopWaitAndAcquireFileObjectLock
		mov	esi, eax

loc_81C2BE:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+2F8j
		mov	[ebp+var_34], esi
		cmp	[ebp+var_27], 0
		jnz	loc_81C202
		cmp	ebx, 0Eh
		jnz	loc_81C364
		mov	[ebp+var_28], 1
		cmp	[ebp+arg_C], 8
		jnb	short loc_81C2E5
		mov	esi, 0C0000004h
		jmp	short loc_81C340
; 

loc_81C2E5:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+32Cj
		mov	[ebp+var_4], 2
		mov	eax, [edi+38h]
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		mov	eax, [edi+3Ch]
		mov	[ecx+4], eax
		mov	[ebp+var_28], 0
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 0
		mov	dword ptr [eax+4], 8
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_81C340
; 

loc_81C317:				; DATA XREF: .text:006A5B4Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-68h], eax
		mov	eax, 1
		retn
; 

loc_81C327:				; DATA XREF: .text:006A5B50o
		mov	esp, [ebp-18h]
		cmp	byte ptr [ebp-28h], 0
		mov	esi, [ebp-68h]
		jnz	short loc_81C336
		mov	esi, [ebp-34h]

loc_81C336:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+381j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-24h]

loc_81C340:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+333j
					; NtQueryInformationFile(x,x,x,x,x)+365j ...
		mov	ecx, edi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_81C364:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+31Ej
		mov	eax, [ebp+var_44]
		test	eax, eax
		jz	loc_81C48D
		mov	edx, [eax+10h]
		mov	[ebp+var_30], edx
		mov	[ebp+var_38], edx
		mov	eax, [eax+14h]
		mov	[ebp+var_44], eax
		cmp	ebx, 4
		jnz	short loc_81C387
		test	edx, edx
		jnz	short loc_81C398

loc_81C387:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+3D1j
		cmp	ebx, 5
		jnz	loc_81C48D
		test	eax, eax
		jz	loc_81C48D

loc_81C398:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+3D5j
		mov	[ebp+var_4C], 0
		mov	[ebp+var_48], 0
		mov	[ebp+var_1E], 0
		mov	[ebp+var_29], 0
		mov	[ebp+var_4], 3
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_81C3C8
		call	_VfFastIoSnapState@0 ; VfFastIoSnapState()
		mov	edx, [ebp+var_30]
		jmp	short loc_81C3CA
; 

loc_81C3C8:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+40Cj
		xor	eax, eax

loc_81C3CA:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+416j
		mov	[ebp+var_3C], eax
		mov	[ebp+var_6C], eax
		mov	[ebp+var_4], 4
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	ecx
		push	1
		push	edi
		cmp	ebx, 4
		jnz	short loc_81C3EF
		call	edx
		jmp	short loc_81C3F2
; 

loc_81C3EF:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+439j
		call	[ebp+var_44]

loc_81C3F2:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+43Dj
		mov	[ebp+var_1E], al
		mov	[ebp+var_4], 3
		mov	ecx, [ebp+var_3C]
		mov	edx, [ebp+var_30]
		call	sub_81C441
		mov	dl, [ebp+var_1E]
		test	dl, dl
		jz	short loc_81C423
		mov	esi, [ebp+var_4C]
		mov	[ebp+var_34], esi
		mov	[ebp+var_29], 1
		mov	ecx, [ebp+arg_4]
		mov	[ecx], esi
		mov	eax, [ebp+var_48]
		mov	[ecx+4], eax

loc_81C423:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+45Cj
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_81C485
_NtQueryInformationFile@20 endp


;  S U B	R O U T	I N E 


sub_81C42C	proc near		; DATA XREF: .text:006A5B68o
		mov	ebx, [ebp+18h]
		mov	esi, [ebp-34h]
		mov	edi, [ebp-24h]
		mov	edx, [ebp-38h]
		mov	ecx, [ebp-6Ch]
		mov	al, [ebp-40h]
		mov	[ebp-1Dh], al
sub_81C42C	endp


;  S U B	R O U T	I N E 


sub_81C441	proc near		; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+452p
		test	ecx, ecx
		jz	short locret_81C44A
		call	_VfFastIoCheckState@8 ;	VfFastIoCheckState(x,x)

locret_81C44A:				; CODE XREF: sub_81C441+2j
		retn
sub_81C441	endp


;  S U B	R O U T	I N E 


sub_81C44B	proc near		; DATA XREF: .text:006A5B58o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-70h], eax
		mov	eax, 1
		retn
sub_81C44B	endp


;  S U B	R O U T	I N E 


sub_81C45B	proc near		; DATA XREF: .text:006A5B5Co
		mov	esp, [ebp-18h]
		cmp	byte ptr [ebp-29h], 0
		jnz	short loc_81C46C
		mov	esi, [ebp-70h]
		mov	[ebp-34h], esi
		jmp	short loc_81C46F
; 

loc_81C46C:				; CODE XREF: sub_81C45B+7j
		mov	esi, [ebp-34h]

loc_81C46F:				; CODE XREF: sub_81C45B+Fj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp+18h]
		mov	edi, [ebp-24h]
		mov	al, [ebp-40h]
		mov	[ebp-1Dh], al
		mov	dl, [ebp-1Eh]
sub_81C45B	endp

; START	OF FUNCTION CHUNK FOR _NtQueryInformationFile@20

loc_81C485:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+47Aj
		test	dl, dl
		jnz	loc_81C340

loc_81C48D:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+3B9j
					; NtQueryInformationFile(x,x,x,x,x)+3DAj ...
		mov	al, 1
		jmp	short loc_81C4A3
; 

loc_81C491:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+2AAj
		push	0
		push	1
		lea	eax, [ebp+var_90]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	al, al

loc_81C4A3:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+4DFj
		mov	byte ptr [ebp+var_30], al
		mov	ecx, edi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		mov	eax, [ebp+4]
		push	eax
		push	0
		mov	eax, [ebp+arg_0]
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp+var_38], esi
		test	esi, esi
		jnz	short loc_81C4DD
		xor	edx, edx
		mov	ecx, [ebp+var_24]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		mov	eax, 0C000009Ah
		jmp	loc_81C896
; 

loc_81C4DD:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+517j
		mov	eax, [ebp+var_24]
		mov	[ebp+arg_10], eax
		mov	[esi+64h], eax
		mov	ecx, [ebp+var_74]
		mov	[esi+50h], ecx
		mov	cl, [ebp+var_1D]
		mov	[esi+20h], cl
		cmp	byte ptr [ebp+var_30], 0
		jz	short loc_81C503
		or	byte ptr [esi+27h], 2
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		jmp	short loc_81C525
; 

loc_81C503:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+546j
		cmp	cl, 1
		jnz	short loc_81C515
		push	0
		call	_KeSetKernelStackSwapEnable@4 ;	KeSetKernelStackSwapEnable(x)
		mov	[ebp+var_1F], al
		mov	eax, [ebp+arg_10]

loc_81C515:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+556j
		mov	dword ptr [esi+8], 4
		lea	ecx, [ebp+var_5C]
		lea	edx, [ebp+var_90]

loc_81C525:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+551j
		mov	[esi+2Ch], edx
		mov	[esi+28h], ecx
		mov	dword ptr [esi+30h], 0
		mov	edi, [esi+60h]
		mov	byte ptr [edi-24h], 5
		mov	[edi-0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+3Ch], eax
		mov	dword ptr [esi+0Ch], 0
		mov	dword ptr [esi+4], 0
		mov	[ebp+var_4], 5
		mov	edx, [ebp+arg_C]
		call	sub_4FA154
		mov	[esi+0Ch], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	_IopDisableBufferedIoInit, 0
		jnz	short loc_81C580
		push	[ebp+arg_C]	; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_81C580:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+5C0j
		or	dword ptr [esi+8], 870h
		mov	eax, [ebp+arg_C]
		mov	[edi-20h], eax
		mov	[edi-1Ch], ebx
		cmp	[ebp+var_2A], 0
		jz	short loc_81C59A
		or	byte ptr [edi-22h], 1

loc_81C59A:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+5E4j
		mov	ecx, esi
		call	IopQueueThreadIrp
		call	_IopUpdateOtherOperationCount@0	; IopUpdateOtherOperationCount()
		mov	byte ptr [ebp+arg_8+3],	0
		xor	edi, edi
		cmp	ebx, 10h
		jnz	short loc_81C5CC
		mov	edx, [esi+0Ch]
		mov	ebx, [ebp+arg_10]
		mov	ecx, ebx
		call	_IopGetModeInformation@4 ; IopGetModeInformation(x)
		mov	[edx], eax
		mov	dword ptr [esi+1Ch], 4
		jmp	loc_81C743
; 

loc_81C5CC:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+5FFj
		cmp	ebx, 11h
		jnz	short loc_81C5EB
		mov	ecx, [esi+0Ch]
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+5Ch]
		mov	[ecx], eax
		mov	dword ptr [esi+1Ch], 4
		mov	ebx, [ebp+arg_10]
		jmp	loc_81C743
; 

loc_81C5EB:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+61Fj
		cmp	ebx, 29h
		jnz	short loc_81C63C
		mov	edx, [esi+0Ch]
		mov	[edx], edi
		mov	ebx, [ebp+arg_10]
		mov	ecx, [ebx+2Ch]
		xor	eax, eax
		test	ecx, 4000000h
		jz	short loc_81C613
		mov	dword ptr [edx], 2
		mov	eax, 2
		mov	ecx, [ebx+2Ch]

loc_81C613:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+653j
		test	ecx, 8000000h
		jz	short loc_81C623
		or	eax, 4
		mov	[edx], eax
		mov	ecx, [ebx+2Ch]

loc_81C623:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+669j
		test	ecx, 2000000h
		jz	short loc_81C630
		or	eax, 1
		mov	[edx], eax

loc_81C630:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+679j
		mov	dword ptr [esi+1Ch], 4
		jmp	loc_81C743
; 

loc_81C63C:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+63Ej
		cmp	ebx, 2Bh
		jnz	short loc_81C66C
		mov	edx, [esi+0Ch]
		mov	ebx, [ebp+arg_10]
		mov	ecx, [ebx+7Ch]
		test	ecx, ecx
		jz	short loc_81C65A
		mov	ecx, [ecx+28h]
		call	_IOP_INT_TO_EXT_PRIORITY@4 ; IOP_INT_TO_EXT_PRIORITY(x)
		mov	[edx], eax
		jmp	short loc_81C660
; 

loc_81C65A:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+69Cj
		mov	dword ptr [edx], 2

loc_81C660:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+6A8j
		mov	dword ptr [esi+1Ch], 4
		jmp	loc_81C743
; 

loc_81C66C:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+68Fj
		cmp	ebx, 2Fh
		jnz	short loc_81C6E9
		mov	edx, [esi+0Ch]
		mov	[ebp+var_3C], edi
		lea	eax, [ebp+var_3C]
		push	eax
		push	[ebp+arg_C]
		mov	ebx, [ebp+arg_10]
		mov	ecx, ebx
		call	_IopQueryProcessIdsUsingFile@16	; IopQueryProcessIdsUsingFile(x,x,x,x)
		mov	edi, eax
		mov	al, 1
		mov	byte ptr [ebp+arg_8+3],	al
		mov	byte ptr [ebp+arg_C+3],	al
		cmp	edi, 0C0000004h
		jnz	short loc_81C6E1
		mov	[ebp+var_4], 6
		mov	eax, [ebp+var_3C]
		mov	ecx, [ebp+arg_4]
		mov	[ecx+4], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_81C739
; END OF FUNCTION CHUNK	FOR _NtQueryInformationFile@20

;  S U B	R O U T	I N E 


sub_81C6B6	proc near		; DATA XREF: .text:006A5B7Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-78h], eax
		mov	eax, 1
		retn
sub_81C6B6	endp


;  S U B	R O U T	I N E 


sub_81C6C6	proc near		; DATA XREF: .text:006A5B80o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-78h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-38h]
		mov	ebx, [ebp-24h]
		mov	[ebp+18h], ebx
		mov	dl, [ebp+17h]
		jmp	short loc_81C73C
sub_81C6C6	endp

; 
; START	OF FUNCTION CHUNK FOR _NtQueryInformationFile@20

loc_81C6E1:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+6E8j
		mov	eax, [ebp+var_3C]
		mov	[esi+1Ch], eax
		jmp	short loc_81C739
; 

loc_81C6E9:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+6BFj
		cmp	ebx, 35h
		jnz	short loc_81C70E
		mov	edx, [esi+0Ch]
		mov	ebx, [ebp+arg_10]
		mov	ecx, ebx
		call	_IopGetNumaNodeInformation@8 ; IopGetNumaNodeInformation(x,x)
		mov	edi, eax
		mov	byte ptr [ebp+arg_8+3],	1
		test	edi, edi
		js	short loc_81C739
		mov	dword ptr [esi+1Ch], 2
		jmp	short loc_81C739
; 

loc_81C70E:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+73Cj
		cmp	ebx, 12h
		mov	ebx, [ebp+arg_10]
		jnz	short loc_81C739
		mov	edx, [esi+0Ch]
		mov	eax, [ebp+var_50]
		mov	[edx+4Ch], eax
		mov	ecx, ebx
		call	_IopGetModeInformation@4 ; IopGetModeInformation(x)
		mov	[edx+58h], eax
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+5Ch]
		mov	[edx+5Ch], eax
		mov	dword ptr [esi+1Ch], 0Ch

loc_81C739:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+701j
					; NtQueryInformationFile(x,x,x,x,x)+737j ...
		mov	dl, byte ptr [ebp+arg_8+3]

loc_81C73C:				; CODE XREF: sub_81C6C6+19j
		mov	eax, [ebp+arg_0]
		test	dl, dl
		jz	short loc_81C748

loc_81C743:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+617j
					; NtQueryInformationFile(x,x,x,x,x)+636j ...
		mov	[esi+18h], edi
		jmp	short loc_81C759
; 

loc_81C748:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+791j
		push	2
		push	ebx
		push	[ebp+var_30]
		mov	edx, esi
		mov	ecx, eax
		call	IopCallDriverReference
		mov	edi, eax

loc_81C759:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+796j
		cmp	edi, 103h
		jnz	loc_81C7ED
		cmp	byte ptr [ebp+var_30], 0
		jz	short loc_81C780
		push	[ebp+var_40]
		mov	edx, ebx
		mov	ecx, esi
		call	_IopWaitForSynchronousIo@12 ; IopWaitForSynchronousIo(x,x,x)
		mov	edi, eax
		mov	ecx, ebx
		jmp	loc_81C83D
; 

loc_81C780:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+7B9j
		push	0
		push	0
		push	[ebp+var_40]
		push	0
		lea	eax, [ebp+var_90]
		push	eax
		call	KeWaitForSingleObject
		cmp	eax, 101h
		jz	short loc_81C7A3
		cmp	eax, 0C0h
		jnz	short loc_81C7B0

loc_81C7A3:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+7EAj
		mov	edx, esi
		lea	ecx, [ebp+var_90]
		call	_IopCancelAlertedRequest@8 ; IopCancelAlertedRequest(x,x)

loc_81C7B0:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+7F1j
		mov	edi, [ebp+var_5C]
		mov	[ebp+var_4], 7
		mov	ecx, [ebp+arg_4]
		mov	[ecx], edi
		mov	eax, [ebp+var_58]
		mov	[ecx+4], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_81C842
; END OF FUNCTION CHUNK	FOR _NtQueryInformationFile@20

;  S U B	R O U T	I N E 


sub_81C7CE	proc near		; DATA XREF: .text:006A5B88o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-7Ch], eax
		mov	eax, 1
		retn
sub_81C7CE	endp


;  S U B	R O U T	I N E 


sub_81C7DE	proc near		; DATA XREF: .text:006A5B8Co
		mov	esp, [ebp-18h]
		mov	edi, [ebp-7Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_81C842
sub_81C7DE	endp

; 
; START	OF FUNCTION CHUNK FOR _NtQueryInformationFile@20

loc_81C7ED:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+7AFj
		mov	[ebp+var_38], 0
		mov	bh, byte ptr [ebp+var_30]
		test	bh, bh
		jnz	short loc_81C802
		mov	dword ptr [esi+2Ch], 0

loc_81C802:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+849j
		mov	eax, [ebp+arg_4]
		mov	[esi+28h], eax
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_94]
		push	eax
		lea	ecx, [esi+40h]
		push	ecx
		call	_IopCompleteRequest@20 ; IopCompleteRequest(x,x,x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bh, bh
		jz	short loc_81C842
		mov	ecx, [ebp+arg_10]

loc_81C83D:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+7CBj
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_81C842:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+81Cj
					; sub_81C7DE+Dj ...
		cmp	[ebp+var_1F], 0
		jz	short loc_81C84F
		push	1
		call	_KeSetKernelStackSwapEnable@4 ;	KeSetKernelStackSwapEnable(x)

loc_81C84F:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+896j
		mov	eax, edi
		jmp	short loc_81C896
; END OF FUNCTION CHUNK	FOR _NtQueryInformationFile@20

;  S U B	R O U T	I N E 


sub_81C853	proc near		; DATA XREF: .text:006A5B70o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-80h], eax
		mov	eax, 1
		retn
sub_81C853	endp


;  S U B	R O U T	I N E 


sub_81C863	proc near		; DATA XREF: .text:006A5B74o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-24h]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	0
		push	0
		mov	edx, [ebp-38h]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		cmp	byte ptr [ebp-1Fh], 0
		jz	short loc_81C88C
		push	1
		call	_KeSetKernelStackSwapEnable@4 ;	KeSetKernelStackSwapEnable(x)

loc_81C88C:				; CODE XREF: sub_81C863+20j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-80h]
sub_81C863	endp

; START	OF FUNCTION CHUNK FOR _NtQueryInformationFile@20

loc_81C896:				; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+97j
					; NtQueryInformationFile(x,x,x,x,x)+528j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; END OF FUNCTION CHUNK	FOR _NtQueryInformationFile@20
; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopValidateQueryInformationParameters proc near	; CODE XREF: IoQueryInformationByName+8Bp
					; NtQueryInformationFile(x,x,x,x,x)+90p

var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0091FF02 SIZE 0000000A BYTES
; FUNCTION CHUNK AT 0091FF2E SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5B90
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		test	cl, cl
		jz	loc_81C96B
		mov	eax, [ebp+arg_C]
		cmp	eax, 4Ch
		jnb	loc_91FF2E
		mov	al, ds:_IopQueryOperationLength[eax]
		test	al, al
		jz	loc_91FF2E
		movzx	eax, al
		mov	edx, [ebp+arg_8]
		cmp	edx, eax
		jb	loc_91FF02
		mov	[ebp+var_4], 0
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_81C981

loc_81C928:				; CODE XREF: IopValidateQueryInformationParameters+D3j
		mov	eax, [ecx]
		mov	[ecx], eax
		test	edx, edx
		jz	short loc_81C98F
		mov	eax, [ebp+arg_4]
		test	al, 3
		jnz	short loc_81C98A
		dec	edx
		add	edx, eax
		cmp	eax, edx
		ja	short loc_81C985
		cmp	edx, ds:_MmUserProbeAddress
		jnb	short loc_81C985
		and	edx, 0FFFFF000h
		add	edx, 1000h

loc_81C952:				; CODE XREF: IopValidateQueryInformationParameters+B2j
		mov	cl, [eax]
		mov	[eax], cl
		and	eax, 0FFFFF000h
		add	eax, 1000h
		cmp	eax, edx
		jnz	short loc_81C952

loc_81C964:				; CODE XREF: IopValidateQueryInformationParameters+E0j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_81C96B:				; CODE XREF: IopValidateQueryInformationParameters+37j
		xor	eax, eax

loc_81C96D:				; CODE XREF: IopValidateQueryInformationParameters+103657j
					; sub_91FF1C+Dj ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_81C981:				; CODE XREF: IopValidateQueryInformationParameters+76j
		mov	ecx, eax
		jmp	short loc_81C928
; 

loc_81C985:				; CODE XREF: IopValidateQueryInformationParameters+8Cj
					; IopValidateQueryInformationParameters+94j
		call	_ExRaiseAccessViolation@0 ; ExRaiseAccessViolation()

loc_81C98A:				; CODE XREF: IopValidateQueryInformationParameters+85j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_81C98F:				; CODE XREF: IopValidateQueryInformationParameters+7Ej
		nop
		jmp	short loc_81C964
IopValidateQueryInformationParameters endp

; 
		align 10h

; __stdcall IopDeleteFile(x)
_IopDeleteFile@4:			; DATA XREF: IoCreateObjectTypes+272o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+8]
		mov	[esp+1Ch], eax
		mov	[esp+20h], eax
		mov	[esp+24h], eax
		mov	[esp+28h], eax
		mov	eax, [esi+4]
		mov	[esp+14h], ebx
		mov	[esp+18h], ebx
		push	edi
		test	eax, eax
		jz	loc_81CB74
		mov	edi, [esi+2Ch]
		test	edi, 800h
		jnz	short loc_81C9EE
		push	esi
		call	IoGetRelatedDeviceObject
		mov	edi, [esi+2Ch]
		jmp	short loc_81C9F4
; 

loc_81C9EE:				; CODE XREF: PAGE:0081C9E1j
		push	eax
		call	_IoGetAttachedDevice@4 ; IoGetAttachedDevice(x)

loc_81C9F4:				; CODE XREF: PAGE:0081C9ECj
		mov	[esp+10h], eax
		test	edi, 240000h
		jnz	short loc_81CA0C
		push	1
		push	1
		push	esi
		push	0
		call	_IopCloseFile@16 ; IopCloseFile(x,x,x,x)

loc_81CA0C:				; CODE XREF: PAGE:0081C9FEj
		push	0
		push	1
		lea	eax, [esp+28h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, esi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		mov	eax, [esp+10h]
		mov	ecx, eax
		mov	dl, [eax+30h]
		call	IopAllocateIrpMustSucceed
		mov	edi, eax
		lea	eax, [esp+18h]
		mov	ecx, [edi+60h]
		mov	byte ptr [ecx-24h], 2
		mov	[ecx-0Ch], esi
		mov	ecx, edi
		mov	[edi+28h], eax
		lea	eax, [esp+20h]
		mov	[edi+2Ch], eax
		mov	eax, large fs:124h
		mov	[edi+64h], esi
		mov	[edi+50h], eax
		mov	[edi+0Ch], ebx
		mov	dword ptr [edi+8], 404h
		call	IopQueueThreadIrp
		mov	eax, [esi+8]
		mov	[esp+14h], eax
		test	eax, eax
		jz	short loc_81CA97
		test	dword ptr [esi+2Ch], 800h
		jnz	short loc_81CA97
		mov	dl, 1
		mov	ecx, eax
		call	IopDecrementVpbRefCount
		mov	ebx, [esp+14h]
		mov	ebx, [ebx+8]
		test	ebx, ebx
		jz	short loc_81CA97
		mov	dl, 1
		mov	ecx, ebx
		call	IopIncrementDeviceObjectRefCount

loc_81CA97:				; CODE XREF: PAGE:0081CA6Fj
					; PAGE:0081CA78j ...
		mov	ecx, [esi+4]
		test	dword ptr [ecx+1Ch], 400h
		jz	short loc_81CAB1
		mov	dl, 1
		call	IopDecrementDeviceObjectRefCount
		mov	byte ptr [esp+0Fh], 1
		jmp	short loc_81CAB6
; 

loc_81CAB1:				; CODE XREF: PAGE:0081CAA1j
		mov	byte ptr [esp+0Fh], 0

loc_81CAB6:				; CODE XREF: PAGE:0081CAAFj
		mov	ecx, [esp+10h]
		mov	edx, edi
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_81CADA
		push	0
		push	0
		push	0
		push	0
		lea	eax, [esp+30h]
		push	eax
		call	KeWaitForSingleObject

loc_81CADA:				; CODE XREF: PAGE:0081CAC6j
		mov	eax, large fs:124h
		mov	ecx, edi
		mov	[edi+50h], eax
		call	IopDequeueIrpFromThread
		push	edi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		cmp	word ptr [esi+30h], 0
		jz	short loc_81CB02
		mov	eax, [esi+34h]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_81CB02:				; CODE XREF: PAGE:0081CAF5j
		mov	ecx, [esi+6Ch]
		test	ecx, ecx
		jz	short loc_81CB22
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	short loc_81CB8A
		mov	ecx, [ecx]
		call	ObfDereferenceObject
		mov	eax, [esi+6Ch]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_81CB22:				; CODE XREF: PAGE:0081CB07j
		cmp	dword ptr [esi+7Ch], 0
		jz	short loc_81CB2F
		mov	ecx, esi
		call	_FsRtlPTeardownPerFileObjectContexts@4 ; FsRtlPTeardownPerFileObjectContexts(x)

loc_81CB2F:				; CODE XREF: PAGE:0081CB26j
		cmp	byte ptr [esp+0Fh], 0
		jnz	short loc_81CB50
		mov	ecx, esi
		call	_ObIsObjectDeletionInline@4 ; ObIsObjectDeletionInline(x)
		mov	ecx, [esi+4]
		test	al, al
		setz	al
		xor	dl, dl
		movzx	eax, al
		push	eax
		call	IopDecrementDeviceObjectRef

loc_81CB50:				; CODE XREF: PAGE:0081CB34j
		test	ebx, ebx
		jz	short loc_81CB74
		cmp	dword ptr [esp+14h], 0
		jz	short loc_81CB74
		mov	ecx, esi
		call	_ObIsObjectDeletionInline@4 ; ObIsObjectDeletionInline(x)
		test	al, al
		mov	ecx, ebx
		setz	al
		xor	dl, dl
		movzx	eax, al
		push	eax
		call	IopDecrementDeviceObjectRef

loc_81CB74:				; CODE XREF: PAGE:0081C9D2j
					; PAGE:0081CB52j ...
		cmp	dword ptr [esi+7Ch], 0
		jz	short loc_81CB81
		mov	ecx, esi
		call	IopDeleteFileObjectExtension

loc_81CB81:				; CODE XREF: PAGE:0081CB78j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_81CB8A:				; CODE XREF: PAGE:0081CB0Ej
		push	eax
		push	80h
		push	ecx
		push	esi
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCloseFile(x, x, x, x)
_IopCloseFile@16 proc near		; CODE XREF: IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+CD9p
					; PAGE:0081CA07p ...

var_36		= byte ptr -36h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		push	esi
		xor	esi, esi
		mov	[esp+34h+var_10], eax
		cmp	[ebp+arg_8], 1
		push	edi
		mov	[esp+38h+var_C], eax
		mov	[esp+38h+var_8], eax
		mov	[esp+38h+var_4], eax
		mov	[esp+38h+var_24], ebx
		mov	[esp+38h+var_20], eax
		jnz	loc_81CF4E
		mov	edi, [ebp+arg_4]
		cmp	[edi+7Ch], eax
		jz	short loc_81CBFC
		push	esi
		lea	edx, [eax+2]
		mov	ecx, edi
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		mov	ebx, eax
		lea	edx, [esi+4]
		push	esi
		mov	ecx, edi
		mov	[esp+3Ch+var_24], ebx
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		mov	esi, eax

loc_81CBFC:				; CODE XREF: IopCloseFile(x,x,x,x)+3Cj
		cmp	[ebp+arg_C], 1
		jz	loc_81CDD5
		cmp	dword ptr [edi+6Ch], 0
		mov	esi, [ebp+arg_0]
		jnz	short loc_81CC13
		test	ebx, ebx
		jz	short loc_81CC1D

loc_81CC13:				; CODE XREF: IopCloseFile(x,x,x,x)+6Dj
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	IopCleanupProcessResources

loc_81CC1D:				; CODE XREF: IopCloseFile(x,x,x,x)+71j
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	IopSetLockOperationProcess
		test	eax, eax
		js	loc_81CF4E
		mov	ebx, [edi+2Ch]
		mov	[esp+38h+var_18], 0
		mov	[esp+38h+var_14], 0
		test	ebx, 800h
		jnz	short loc_81CC5C
		push	edi
		call	IoGetRelatedDeviceObject
		mov	ebx, [edi+2Ch]
		mov	esi, eax
		mov	[esp+38h+var_24], esi
		jmp	short loc_81CC6B
; 

loc_81CC5C:				; CODE XREF: IopCloseFile(x,x,x,x)+A9j
		mov	eax, [edi+4]
		push	eax
		call	_IoGetAttachedDevice@4 ; IoGetAttachedDevice(x)
		mov	esi, eax
		mov	[esp+38h+var_24], eax

loc_81CC6B:				; CODE XREF: IopCloseFile(x,x,x,x)+BAj
		mov	eax, [esi+8]
		mov	eax, [eax+28h]
		mov	[esp+38h+var_1C], eax
		test	bl, 2
		jz	short loc_81CCE0
		mov	eax, large fs:124h
		push	eax
		call	_PsIsThreadTerminating@4 ; PsIsThreadTerminating(x)
		test	al, al
		jnz	short loc_81CCE0
		mov	[esp+38h+var_20], 1

loc_81CC92:				; CODE XREF: IopCloseFile(x,x,x,x)+12Dj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		xor	edx, edx
		lea	ecx, [edi+4Ch]
		call	KeAbPreAcquire
		mov	ecx, 1
		lea	edx, [edi+44h]
		xchg	ecx, [edx]
		test	ecx, ecx
		jz	short loc_81CCD1
		lea	ecx, [esp+12h]
		xor	dl, dl
		push	ecx
		push	eax
		push	0
		mov	ecx, edi
		call	IopWaitAndAcquireFileObjectLock
		test	eax, eax
		jnz	short loc_81CC92
		jmp	short loc_81CCE0
; 

loc_81CCD1:				; CODE XREF: IopCloseFile(x,x,x,x)+118j
		test	eax, eax
		jz	short loc_81CCD9
		or	byte ptr [eax+0Eh], 1

loc_81CCD9:				; CODE XREF: IopCloseFile(x,x,x,x)+133j
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_81CCE0:				; CODE XREF: IopCloseFile(x,x,x,x)+D8j
					; IopCloseFile(x,x,x,x)+E8j ...
		mov	ebx, [esp+38h+var_1C]
		test	ebx, ebx
		jz	short loc_81CD36
		mov	ebx, [ebx+20h]
		test	ebx, ebx
		jz	short loc_81CD36
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_81CD01
		call	_VfFastIoSnapState@0 ; VfFastIoSnapState()
		mov	esi, eax
		jmp	short loc_81CD03
; 

loc_81CD01:				; CODE XREF: IopCloseFile(x,x,x,x)+156j
		xor	esi, esi

loc_81CD03:				; CODE XREF: IopCloseFile(x,x,x,x)+15Fj
		push	[esp+38h+var_24]
		lea	eax, [esp+3Ch+var_18]
		push	eax
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		push	eax
		push	edi
		call	ebx
		mov	[esp+48h+var_36], al
		test	esi, esi
		jz	short loc_81CD2A
		mov	edx, ebx
		mov	ecx, esi
		call	_VfFastIoCheckState@8 ;	VfFastIoCheckState(x,x)
		mov	al, [esp+48h+var_36]

loc_81CD2A:				; CODE XREF: IopCloseFile(x,x,x,x)+17Bj
		test	al, al
		jnz	loc_81CDBA
		mov	esi, [esp+48h+var_34]

loc_81CD36:				; CODE XREF: IopCloseFile(x,x,x,x)+146j
					; IopCloseFile(x,x,x,x)+14Dj
		push	0
		push	1
		lea	eax, [esp+50h+var_20]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	dl, [esi+30h]
		mov	ecx, esi
		call	IopAllocateIrpMustSucceed
		mov	ecx, large fs:124h
		mov	esi, eax
		lea	eax, [esp+48h+var_20]
		mov	[esi+50h], ecx
		lea	ecx, [esi+18h]
		mov	[esi+2Ch], eax
		mov	eax, [esi+60h]
		mov	[esi+28h], ecx
		mov	ecx, edi
		mov	[esi+64h], edi
		mov	byte ptr [esi+20h], 0
		mov	dword ptr [esi+8], 1004h
		mov	dword ptr [esi+30h], 0
		mov	word ptr [eax-24h], 311h
		mov	[eax-0Ch], edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, esi
		call	IopQueueThreadIrp
		mov	ecx, [esp+48h+var_34]
		mov	edx, esi
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_81CDBA
		push	0
		push	0
		push	0
		push	6
		lea	eax, [esp+58h+var_20]
		push	eax
		call	KeWaitForSingleObject

loc_81CDBA:				; CODE XREF: IopCloseFile(x,x,x,x)+18Cj
					; IopCloseFile(x,x,x,x)+206j
		cmp	[esp+48h+var_30], 1
		jnz	loc_81CF4E
		mov	ecx, edi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_81CDD5:				; CODE XREF: IopCloseFile(x,x,x,x)+60j
		mov	ebx, [edi+2Ch]
		test	ebx, 800h
		jnz	short loc_81CDEB
		push	edi
		call	IoGetRelatedDeviceObject
		mov	ebx, [edi+2Ch]
		jmp	short loc_81CDF4
; 

loc_81CDEB:				; CODE XREF: IopCloseFile(x,x,x,x)+23Ej
		mov	eax, [edi+4]
		push	eax
		call	_IoGetAttachedDevice@4 ; IoGetAttachedDevice(x)

loc_81CDF4:				; CODE XREF: IopCloseFile(x,x,x,x)+249j
		or	ebx, 40000h
		mov	[esp+38h+var_1C], eax
		cmp	[ebp+arg_0], 0
		mov	[edi+2Ch], ebx
		jz	short loc_81CE6E
		test	bl, 2
		jz	short loc_81CE6E
		mov	[esp+38h+var_20], 1
		jmp	short loc_81CE20
; 
		align 10h

loc_81CE20:				; CODE XREF: IopCloseFile(x,x,x,x)+274j
					; IopCloseFile(x,x,x,x)+2BBj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		xor	edx, edx
		lea	ecx, [edi+4Ch]
		call	KeAbPreAcquire
		mov	ecx, 1
		lea	edx, [edi+44h]
		xchg	ecx, [edx]
		test	ecx, ecx
		jz	short loc_81CE5F
		lea	ecx, [esp+13h]
		xor	dl, dl
		push	ecx
		push	eax
		push	0
		mov	ecx, edi
		call	IopWaitAndAcquireFileObjectLock
		test	eax, eax
		jnz	short loc_81CE20
		jmp	short loc_81CE6E
; 

loc_81CE5F:				; CODE XREF: IopCloseFile(x,x,x,x)+2A6j
		test	eax, eax
		jz	short loc_81CE67
		or	byte ptr [eax+0Eh], 1

loc_81CE67:				; CODE XREF: IopCloseFile(x,x,x,x)+2C1j
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_81CE6E:				; CODE XREF: IopCloseFile(x,x,x,x)+265j
					; IopCloseFile(x,x,x,x)+26Aj ...
		test	esi, esi
		jz	short loc_81CE7B
		mov	edx, esi
		mov	ecx, edi
		call	_IopFreeBandwidthContract@8 ; IopFreeBandwidthContract(x,x)

loc_81CE7B:				; CODE XREF: IopCloseFile(x,x,x,x)+2D0j
		push	0
		push	1
		lea	eax, [esp+40h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, edi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		mov	ebx, [esp+38h+var_1C]
		mov	ecx, ebx
		mov	dl, [ebx+30h]
		call	IopAllocateIrpMustSucceed
		mov	ecx, large fs:124h
		mov	esi, eax
		lea	eax, [esp+38h+var_10]
		mov	[esi+50h], ecx
		lea	ecx, [esi+18h]
		mov	[esi+2Ch], eax
		mov	eax, [esi+60h]
		mov	[esi+28h], ecx
		mov	ecx, esi
		mov	[esi+64h], edi
		mov	byte ptr [esi+20h], 0
		mov	dword ptr [esi+30h], 0
		mov	dword ptr [esi+8], 404h
		mov	byte ptr [eax-24h], 12h
		mov	[eax-0Ch], edi
		call	IopQueueThreadIrp
		call	_IopUpdateOtherOperationCount@0	; IopUpdateOtherOperationCount()
		mov	edx, esi
		mov	ecx, ebx
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_81CF04
		push	0
		push	0
		push	0
		push	6
		lea	eax, [esp+48h+var_10]
		push	eax
		call	KeWaitForSingleObject

loc_81CF04:				; CODE XREF: IopCloseFile(x,x,x,x)+350j
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	[esi+50h], eax
		call	IopDequeueIrpFromThread
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		cmp	[esp+38h+var_20], 0
		jz	short loc_81CF28
		mov	ecx, edi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_81CF28:				; CODE XREF: IopCloseFile(x,x,x,x)+37Fj
		cmp	dword ptr [edi+6Ch], 0
		mov	eax, [esp+38h+var_24]
		jnz	short loc_81CF36
		test	eax, eax
		jz	short loc_81CF41

loc_81CF36:				; CODE XREF: IopCloseFile(x,x,x,x)+390j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	eax
		call	IopCleanupProcessResources

loc_81CF41:				; CODE XREF: IopCloseFile(x,x,x,x)+394j
		cmp	dword ptr [edi+7Ch], 0
		jz	short loc_81CF4E
		mov	ecx, edi
		call	_IopCloseFileObjectExtension@4 ; IopCloseFileObjectExtension(x)

loc_81CF4E:				; CODE XREF: IopCloseFile(x,x,x,x)+30j
					; IopCloseFile(x,x,x,x)+8Aj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_IopCloseFile@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ObIsObjectDeletionInline(x)
_ObIsObjectDeletionInline@4 proc near	; CODE XREF: PAGE:0081CB38p
					; PAGE:0081CB5Dp
		mov	al, [ecx-9]
		shr	al, 7
		retn
_ObIsObjectDeletionInline@4 endp

; 
		align 10h

; __stdcall IopXxxControlFile(x, x, x, x, x, x,	x, x, x, x, x)
_IopXxxControlFile@44:			; CODE XREF: NtDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)+25p
					; NtFsControlFile(x,x,x,x,x,x,x,x,x,x)+25p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5BB0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 94h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	[ebp-70h], edx
		mov	edi, ecx
		mov	dword ptr [ebp-2Ch], 0
		mov	dword ptr [ebp-30h], 0
		mov	dword ptr [ebp-78h], 0
		mov	dword ptr [ebp-74h], 0
		mov	dword ptr [ebp-4Ch], 0
		mov	dword ptr [ebp-48h], 0
		xor	eax, eax
		mov	[ebp-0A4h], eax
		mov	[ebp-0A0h], eax
		mov	[ebp-9Ch], eax
		mov	[ebp-98h], eax
		mov	eax, [ebp+14h]
		mov	ebx, eax
		and	ebx, 3
		mov	[ebp-3Ch], ebx
		mov	[ebp-60h], ebx
		mov	esi, large fs:124h
		mov	[ebp-6Ch], esi
		mov	dl, [esi+15Ah]
		mov	[ebp-1Dh], dl
		mov	[ebp-5Ch], dl
		test	dl, dl
		jz	loc_81D130
		cmp	byte ptr [ebp+28h], 0
		jnz	short loc_81D062
		mov	ecx, eax
		call	_IopIsStandardFsctlIoControlCode@4 ; IopIsStandardFsctlIoControlCode(x)
		test	al, al
		jnz	short loc_81D062
		mov	edx, [esi+80h]
		mov	eax, [edx+4D0h]
		mov	bl, al
		and	al, 4
		and	bl, 2
		jnz	short loc_81D047
		test	al, al
		jz	short loc_81D05C

loc_81D047:				; CODE XREF: PAGE:0081D041j
		xor	ecx, ecx
		test	bl, bl
		setnz	cl
		inc	ecx
		call	_EtwTimLogProhibitFsctlSystemCalls@8 ; EtwTimLogProhibitFsctlSystemCalls(x,x)
		test	bl, bl
		jnz	loc_81D1AB

loc_81D05C:				; CODE XREF: PAGE:0081D045j
		mov	dl, [ebp-1Dh]
		mov	ebx, [ebp-3Ch]

loc_81D062:				; CODE XREF: PAGE:0081D021j
					; PAGE:0081D02Cj
		test	dl, dl
		jz	loc_81D130
		mov	dword ptr [ebp-4], 0
		mov	ecx, [ebp+10h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_81D07F
		mov	ecx, eax

loc_81D07F:				; CODE XREF: PAGE:0081D07Bj
		mov	eax, [ecx]
		mov	[ecx], eax
		test	ebx, ebx
		jnz	short loc_81D0A6
		mov	eax, [ebp+20h]
		test	eax, eax
		jz	short loc_81D09F
		push	1
		mov	esi, [ebp+24h]
		mov	[ebp-38h], esi
		push	esi
		push	eax
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		jmp	short loc_81D0AC
; 

loc_81D09F:				; CODE XREF: PAGE:0081D08Cj
		xor	esi, esi
		mov	[ebp+24h], esi
		jmp	short loc_81D0A9
; 

loc_81D0A6:				; CODE XREF: PAGE:0081D085j
		mov	esi, [ebp+24h]

loc_81D0A9:				; CODE XREF: PAGE:0081D0A4j
		mov	[ebp-38h], esi

loc_81D0AC:				; CODE XREF: PAGE:0081D09Dj
		cmp	ebx, 3
		jz	short loc_81D0F0
		mov	edx, [ebp+18h]
		test	edx, edx
		jz	short loc_81D0DF
		mov	ebx, [ebp+1Ch]
		mov	[ebp-24h], ebx
		test	ebx, ebx
		jz	short loc_81D0F6
		lea	eax, [edx+ebx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_81D0D3
		cmp	eax, edx
		jnb	short loc_81D0F6

loc_81D0D3:				; CODE XREF: PAGE:0081D0CDj
		mov	byte ptr [ecx],	0
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_81D13C
; 

loc_81D0DF:				; CODE XREF: PAGE:0081D0B6j
		xor	ebx, ebx
		mov	[ebp+1Ch], ebx
		mov	[ebp-24h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_81D13C
; 

loc_81D0F0:				; CODE XREF: PAGE:0081D0AFj
		mov	ebx, [ebp+1Ch]
		mov	[ebp-24h], ebx

loc_81D0F6:				; CODE XREF: PAGE:0081D0C0j
					; PAGE:0081D0D1j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_81D13C
; 

loc_81D0FF:				; DATA XREF: .text:006A5BC4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-7Ch], eax
		mov	eax, 1
		retn
; 

loc_81D10F:				; DATA XREF: .text:006A5BC8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-7Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_81D130:				; CODE XREF: PAGE:0081D017j
					; PAGE:0081D064j
		mov	eax, [ebp+24h]
		mov	[ebp-38h], eax
		mov	eax, [ebp+1Ch]
		mov	[ebp-24h], eax

loc_81D13C:				; CODE XREF: PAGE:0081D0DDj
					; PAGE:0081D0EEj ...
		lea	eax, [ebp-78h]
		push	eax
		lea	eax, [ebp-2Ch]
		push	eax
		mov	ebx, [ebp-5Ch]
		push	ebx
		xor	edx, edx
		mov	ecx, edi
		call	IopReferenceFileObject
		mov	edi, eax
		test	edi, edi
		js	loc_81D37B
		mov	esi, [ebp-2Ch]
		cmp	dword ptr [esi+6Ch], 0
		jz	short loc_81D18A
		cmp	dword ptr [ebp+8], 0
		jz	short loc_81D18A
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, 0C000000Dh
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_81D18A:				; CODE XREF: PAGE:0081D162j
					; PAGE:0081D168j
		cmp	byte ptr [ebp-1Dh], 0
		jz	short loc_81D1C4
		mov	ecx, [ebp+14h]
		shr	ecx, 0Eh
		and	ecx, 3
		jz	short loc_81D1C4
		mov	eax, [ebp-74h]
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_81D1C4
		mov	ecx, esi
		call	ObfDereferenceObject

loc_81D1AB:				; CODE XREF: PAGE:0081D056j
		mov	eax, 0C0000022h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_81D1C4:				; CODE XREF: PAGE:0081D18Ej
					; PAGE:0081D199j ...
		mov	ecx, [ebp+14h]
		cmp	ecx, 94264h
		jz	short loc_81D1D7
		cmp	ecx, 98268h
		jnz	short loc_81D1EA

loc_81D1D7:				; CODE XREF: PAGE:0081D1CDj
		mov	edx, ecx
		mov	ecx, esi
		call	IopCopyOffloadCapable
		mov	edi, eax
		test	edi, edi
		js	loc_81D374

loc_81D1EA:				; CODE XREF: PAGE:0081D1D5j
		mov	ecx, [ebp-70h]
		test	ecx, ecx
		jz	short loc_81D225
		mov	eax, ds:_ExEventObjectType
		mov	dword ptr [ebp-50h], 0
		push	0
		lea	edx, [ebp-50h]
		push	edx
		push	ebx
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	ebx, [ebp-50h]
		mov	[ebp-30h], ebx
		test	edi, edi
		js	loc_81D374
		push	ebx
		call	_KeResetEvent@4	; KeResetEvent(x)
		jmp	short loc_81D228
; 

loc_81D225:				; CODE XREF: PAGE:0081D1EFj
		mov	ebx, [ebp-30h]

loc_81D228:				; CODE XREF: PAGE:0081D223j
		mov	dword ptr [ebp-58h], 0
		mov	byte ptr [ebp-1Eh], 0
		xor	al, al
		mov	[ebp-25h], al
		mov	[ebp-26h], al
		cmp	[ebp-1Dh], al
		jz	loc_81D391
		mov	ecx, [ebp+14h]
		mov	eax, [ebp-24h]
		cmp	ecx, 900A4h
		jnz	short loc_81D257
		cmp	eax, 4
		jnb	short loc_81D26C

loc_81D257:				; CODE XREF: PAGE:0081D250j
		cmp	ecx, 9040Ch
		jnz	loc_81D391
		cmp	eax, 24h
		jb	loc_81D391

loc_81D26C:				; CODE XREF: PAGE:0081D255j
		lea	eax, [ebp-0A4h]
		push	eax
		push	dword ptr [ebp-6Ch]
		call	_IoThreadToProcess@4 ; IoThreadToProcess(x)
		push	eax
		push	dword ptr [ebp-6Ch]
		call	SeCaptureSubjectContextEx
		push	dword ptr [ebp-5Ch]
		lea	eax, [ebp-0A4h]
		push	eax
		call	RtlIsSandboxedToken
		mov	[ebp-1Eh], al
		mov	[ebp-41h], al
		lea	eax, [ebp-0A4h]
		push	eax
		call	SeReleaseSubjectContext
		cmp	byte ptr [ebp-1Eh], 0
		jz	loc_81D391
		mov	dword ptr [ebp-64h], 0
		mov	dword ptr [ebp-4], 1
		mov	ecx, [ebp+18h]
		cmp	dword ptr [ebp+14h], 9040Ch
		jnz	short loc_81D2DB
		mov	eax, [ecx+20h]
		mov	[ebp-64h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-24h]
		jmp	short loc_81D336
; 

loc_81D2DB:				; CODE XREF: PAGE:0081D2C7j
		mov	eax, [ecx]
		mov	[ebp-64h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-24h]
		jmp	short loc_81D336
; 

loc_81D2EC:				; DATA XREF: .text:006A5BD0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-80h], eax
		mov	eax, 1
		retn
; 

loc_81D2FC:				; DATA XREF: .text:006A5BD4o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-80h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, [ebp+24h]
		mov	[ebp-38h], edx
		mov	ecx, [ebp+1Ch]
		mov	[ebp-24h], ecx
		mov	esi, [ebp-2Ch]
		mov	ebx, [ebp-30h]
		mov	eax, [ebp-60h]
		mov	[ebp-3Ch], eax
		mov	eax, [ebp-64h]
		mov	dl, [ebp-41h]
		mov	[ebp-1Eh], dl
		mov	dl, [ebp-26h]
		mov	[ebp-25h], dl
		mov	dl, [ebp-5Ch]
		mov	[ebp-1Dh], dl

loc_81D336:				; CODE XREF: PAGE:0081D2D9j
					; PAGE:0081D2EAj
		mov	edx, [ebp-38h]
		test	edi, edi
		js	short loc_81D369
		cmp	eax, 0A0000003h
		jnz	short loc_81D365
		mov	byte ptr [ebp-25h], 1
		lea	eax, [ebp+1Ch]
		push	eax
		lea	eax, [ebp-58h]
		push	eax
		push	edx
		push	ecx
		mov	edx, [ebp+18h]
		mov	ecx, [ebp+14h]
		call	_IopValidateJunctionTarget@24 ;	IopValidateJunctionTarget(x,x,x,x,x,x)
		mov	edi, eax
		mov	eax, [ebp+1Ch]
		mov	[ebp-24h], eax

loc_81D365:				; CODE XREF: PAGE:0081D342j
		test	edi, edi
		jns	short loc_81D391

loc_81D369:				; CODE XREF: PAGE:0081D33Bj
		test	ebx, ebx
		jz	short loc_81D374
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_81D374:				; CODE XREF: PAGE:0081D1E4j
					; PAGE:0081D217j ...
		mov	ecx, esi
		call	ObfDereferenceObject

loc_81D37B:				; CODE XREF: PAGE:0081D155j
		mov	eax, edi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_81D391:				; CODE XREF: PAGE:0081D23Ej
					; PAGE:0081D25Dj ...
		lea	eax, [esi+2Ch]
		mov	[ebp-60h], eax
		mov	eax, [eax]
		test	al, 2
		jz	loc_81D457
		shr	eax, 2
		and	al, 1
		mov	[ebp-40h], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		mov	esi, [ebp-2Ch]
		lea	ecx, [esi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		xor	bl, bl
		mov	[ebp-31h], bl
		mov	edx, 1
		lea	ecx, [esi+44h]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	short loc_81D3EC
		test	eax, eax
		jz	short loc_81D3E1
		or	byte ptr [eax+0Eh], 1

loc_81D3E1:				; CODE XREF: PAGE:0081D3DBj
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	edi, edi
		jmp	short loc_81D403
; 

loc_81D3EC:				; CODE XREF: PAGE:0081D3D7j
		lea	ecx, [ebp-31h]
		push	ecx
		push	eax
		push	dword ptr [ebp-40h]
		mov	dl, [ebp-1Dh]
		mov	ecx, esi
		call	IopWaitAndAcquireFileObjectLock
		mov	edi, eax
		mov	bl, [ebp-31h]

loc_81D403:				; CODE XREF: PAGE:0081D3EAj
		test	bl, bl
		jz	short loc_81D43F
		mov	ecx, [ebp-30h]
		test	ecx, ecx
		jz	short loc_81D413
		call	ObfDereferenceObject

loc_81D413:				; CODE XREF: PAGE:0081D40Cj
		mov	eax, [ebp-58h]
		test	eax, eax
		jz	short loc_81D422
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_81D422:				; CODE XREF: PAGE:0081D418j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_81D43F:				; CODE XREF: PAGE:0081D405j
		mov	dl, 1
		mov	[ebp-40h], dl
		mov	eax, [ebp-60h]
		mov	eax, [eax]
		mov	ecx, [ebp+24h]
		mov	[ebp-38h], ecx
		mov	edi, [ebp+1Ch]
		mov	ebx, [ebp-30h]
		jmp	short loc_81D45F
; 

loc_81D457:				; CODE XREF: PAGE:0081D39Bj
		xor	cl, cl
		mov	[ebp-40h], cl
		mov	edi, [ebp-24h]

loc_81D45F:				; CODE XREF: PAGE:0081D455j
		test	eax, 800h
		jnz	short loc_81D46E
		push	esi
		call	IoGetRelatedDeviceObject
		jmp	short loc_81D477
; 

loc_81D46E:				; CODE XREF: PAGE:0081D464j
		mov	eax, [esi+4]
		push	eax
		call	_IoGetAttachedDevice@4 ; IoGetAttachedDevice(x)

loc_81D477:				; CODE XREF: PAGE:0081D46Cj
		mov	[ebp-24h], eax
		cmp	byte ptr [ebp+28h], 0
		jz	loc_81D70B
		cmp	byte ptr [ebp-1Eh], 0
		jnz	loc_81D70B
		mov	eax, [eax+8]
		mov	eax, [eax+28h]
		test	eax, eax
		jz	loc_81D70B
		mov	eax, [eax+28h]
		mov	[ebp-88h], eax
		test	eax, eax
		jz	loc_81D70B
		cmp	byte ptr [ebp-1Dh], 0
		jz	short loc_81D4FC
		mov	edx, [ebp+20h]
		test	edx, edx
		jz	short loc_81D4FC
		mov	dword ptr [ebp-4], 2
		mov	eax, [ebp-3Ch]
		cmp	eax, 1
		jnz	short loc_81D4E5
		mov	eax, [ebp-38h]
		test	eax, eax
		jz	short loc_81D4F5
		add	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_81D4E0
		cmp	eax, edx
		jnb	short loc_81D4F5

loc_81D4E0:				; CODE XREF: PAGE:0081D4DAj
		mov	byte ptr [ecx],	0
		jmp	short loc_81D4F5
; 

loc_81D4E5:				; CODE XREF: PAGE:0081D4C7j
		cmp	eax, 2
		jnz	short loc_81D4F5
		push	1
		push	dword ptr [ebp-38h]
		push	edx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_81D4F5:				; CODE XREF: PAGE:0081D4CEj
					; PAGE:0081D4DEj ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_81D4FC:				; CODE XREF: PAGE:0081D4B1j
					; PAGE:0081D4B8j
		cmp	dword ptr [ebp+14h], 90020h
		jnz	short loc_81D50D
		mov	eax, 0FFDF02DCh
		lock inc dword ptr [eax]

loc_81D50D:				; CODE XREF: PAGE:0081D503j
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_81D577
		call	_VfFastIoSnapState@0 ; VfFastIoSnapState()
		jmp	short loc_81D579
; 

loc_81D51D:				; DATA XREF: .text:006A5BDCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-84h], eax
		mov	eax, 1
		retn
; 

loc_81D530:				; DATA XREF: .text:006A5BE0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-2Ch]
		cmp	byte ptr [ebp-40h], 0
		jz	short loc_81D543
		mov	ecx, esi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_81D543:				; CODE XREF: PAGE:0081D53Aj
		mov	ecx, [ebp-30h]
		test	ecx, ecx
		jz	short loc_81D54F
		call	ObfDereferenceObject

loc_81D54F:				; CODE XREF: PAGE:0081D548j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-84h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_81D577:				; CODE XREF: PAGE:0081D514j
		xor	eax, eax

loc_81D579:				; CODE XREF: PAGE:0081D51Bj
		mov	[ebp-50h], eax
		mov	edx, [ebp-24h]
		push	edx
		lea	eax, [ebp-4Ch]
		push	eax
		push	dword ptr [ebp+14h]
		push	dword ptr [ebp-38h]
		push	dword ptr [ebp+20h]
		push	edi
		push	dword ptr [ebp+18h]
		push	1
		push	esi
		mov	edi, [ebp-88h]
		call	edi
		mov	[ebp-26h], al
		mov	eax, [ebp-50h]
		test	eax, eax
		jz	short loc_81D5AF
		mov	edx, edi
		mov	ecx, eax
		call	_VfFastIoCheckState@8 ;	VfFastIoCheckState(x,x)

loc_81D5AF:				; CODE XREF: PAGE:0081D5A4j
		cmp	byte ptr [ebp-26h], 0
		jz	loc_81D70B
		xor	edi, edi
		mov	[ebp-68h], edi
		mov	[ebp-54h], edi
		mov	byte ptr [ebp-32h], 0
		mov	dword ptr [ebp-4], 3
		mov	ecx, [ebp-4Ch]
		mov	edx, [ebp+10h]
		mov	[edx], ecx
		mov	eax, [ebp-48h]
		mov	[edx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_81D619
; 

loc_81D5E3:				; DATA XREF: .text:006A5BE8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-8Ch], eax
		mov	eax, 1
		retn
; 

loc_81D5F6:				; DATA XREF: .text:006A5BECo
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-8Ch]
		mov	[ebp-4Ch], ecx
		mov	dword ptr [ebp-48h], 0
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-2Ch]
		mov	ebx, [ebp-30h]
		mov	edi, [ebp-68h]

loc_81D619:				; CODE XREF: PAGE:0081D5E1j
		cmp	dword ptr [esi+6Ch], 0
		jz	short loc_81D65C
		test	dword ptr [esi+2Ch], 2000000h
		jz	short loc_81D636
		mov	eax, ecx
		and	eax, 0C0000000h
		cmp	eax, 80000000h
		jnz	short loc_81D65C

loc_81D636:				; CODE XREF: PAGE:0081D626j
		mov	eax, ecx
		and	eax, 0C0000000h
		cmp	eax, 0C0000000h
		jz	short loc_81D65C
		lea	eax, [ebp-54h]
		push	eax
		lea	eax, [ebp-68h]
		push	eax
		lea	edx, [ebp-32h]
		mov	ecx, esi
		call	_IopIncrementCompletionContextUsageCountAndReadData@16 ; IopIncrementCompletionContextUsageCountAndReadData(x,x,x,x)
		mov	ecx, [ebp-4Ch]
		mov	edi, [ebp-68h]

loc_81D65C:				; CODE XREF: PAGE:0081D61Dj
					; PAGE:0081D634j ...
		cmp	dword ptr [ebp-70h], 0
		jz	short loc_81D691
		test	dword ptr [esi+2Ch], 8000000h
		jz	short loc_81D67D
		test	edi, edi
		jz	short loc_81D687
		and	ecx, 0C0000000h
		cmp	ecx, 80000000h
		jnz	short loc_81D687

loc_81D67D:				; CODE XREF: PAGE:0081D669j
		push	0
		push	0
		push	ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_81D687:				; CODE XREF: PAGE:0081D66Dj
					; PAGE:0081D67Bj
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	ecx, [ebp-4Ch]

loc_81D691:				; CODE XREF: PAGE:0081D660j
		cmp	byte ptr [ebp-40h], 0
		jz	short loc_81D6A1
		mov	ecx, esi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)
		mov	ecx, [ebp-4Ch]

loc_81D6A1:				; CODE XREF: PAGE:0081D695j
		test	edi, edi
		jz	short loc_81D6E0
		mov	eax, [ebp+0Ch]
		test	eax, eax
		jz	short loc_81D6E0
		push	1
		push	dword ptr [ebp-48h]
		push	ecx
		push	eax
		push	dword ptr [ebp-54h]
		push	edi
		call	_IoSetIoCompletion@24 ;	IoSetIoCompletion(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_81D6CA
		mov	eax, 0C000009Ah
		mov	[ebp-4Ch], eax
		jmp	short loc_81D6CD
; 

loc_81D6CA:				; CODE XREF: PAGE:0081D6BEj
		mov	eax, [ebp-4Ch]

loc_81D6CD:				; CODE XREF: PAGE:0081D6C8j
		and	eax, 0C0000000h
		cmp	eax, 80000000h
		jnz	short loc_81D6E0
		mov	dword ptr [ebp-4Ch], 103h

loc_81D6E0:				; CODE XREF: PAGE:0081D6A3j
					; PAGE:0081D6AAj ...
		cmp	byte ptr [ebp-32h], 0
		jz	short loc_81D6ED
		mov	ecx, esi
		call	_IopDecrementCompletionContextUsageCount@4 ; IopDecrementCompletionContextUsageCount(x)

loc_81D6ED:				; CODE XREF: PAGE:0081D6E4j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, [ebp-4Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_81D70B:				; CODE XREF: PAGE:0081D47Ej
					; PAGE:0081D488j ...
		mov	ecx, esi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		mov	eax, [ebp+4]
		push	eax
		mov	al, [ebp-40h]
		xor	al, 1
		movzx	eax, al
		push	eax
		mov	eax, [ebp-24h]
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp-54h], esi
		test	esi, esi
		jnz	short loc_81D767
		mov	edx, [ebp-30h]
		mov	ecx, [ebp-2Ch]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		mov	eax, [ebp-58h]
		test	eax, eax
		jz	short loc_81D74E
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_81D74E:				; CODE XREF: PAGE:0081D745j
		mov	eax, 0C000009Ah
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_81D767:				; CODE XREF: PAGE:0081D733j
		mov	edx, [ebp-2Ch]
		mov	[esi+64h], edx
		mov	eax, [ebp-6Ch]
		mov	[esi+50h], eax
		mov	dword ptr [esi+54h], 0
		mov	al, [ebp-1Dh]
		mov	[esi+20h], al
		mov	byte ptr [esi+21h], 0
		mov	byte ptr [esi+24h], 0
		mov	dword ptr [esi+38h], 0
		mov	eax, [ebp-30h]
		mov	[esi+2Ch], eax
		mov	eax, [ebp+10h]
		mov	[esi+28h], eax
		mov	eax, [ebp+8]
		mov	[esi+30h], eax
		mov	eax, [ebp+0Ch]
		mov	[esi+34h], eax
		mov	ecx, [esi+60h]
		sub	ecx, 24h
		mov	[ebp+10h], ecx
		xor	eax, eax
		cmp	[ebp+28h], al
		setnz	al
		add	eax, 0Dh
		mov	[ecx], eax
		mov	[ecx+18h], edx
		mov	edi, [ebp+24h]
		mov	[ecx+4], edi
		mov	ebx, [ebp+1Ch]
		mov	[ecx+8], ebx
		mov	eax, [ebp+14h]
		mov	[ecx+0Ch], eax
		xor	eax, eax
		cmp	[ebp+28h], al
		setnz	al
		lea	eax, ds:200h[eax*4]
		mov	[ebp+1Ch], eax
		mov	dword ptr [esi+4], 0
		mov	dword ptr [esi+0Ch], 0
		mov	edx, [ebp-24h]
		test	dword ptr [edx+1Ch], 80000h
		jz	short loc_81D80E
		cmp	byte ptr [ebp-1Eh], 0
		jnz	short loc_81D80E
		mov	edx, 3
		mov	[ebp-3Ch], edx
		jmp	short loc_81D811
; 

loc_81D80E:				; CODE XREF: PAGE:0081D7FCj
					; PAGE:0081D802j
		mov	edx, [ebp-3Ch]

loc_81D811:				; CODE XREF: PAGE:0081D80Cj
		jmp	ds:off_81DAC0[edx*4]

loc_81D818:				; DATA XREF: PAGE:off_81DAC0o
		mov	dword ptr [ecx+10h], 0
		mov	dword ptr [ebp-4], 4
		test	ebx, ebx
		jnz	short loc_81D836
		test	edi, edi
		jnz	short loc_81D836
		mov	[esi+8], edi
		mov	[esi+3Ch], edi
		jmp	short loc_81D87F
; 

loc_81D836:				; CODE XREF: PAGE:0081D828j
					; PAGE:0081D82Cj
		mov	eax, [ebp-58h]
		test	eax, eax
		jz	short loc_81D842
		mov	[esi+0Ch], eax
		jmp	short loc_81D867
; 

loc_81D842:				; CODE XREF: PAGE:0081D83Bj
		cmp	ebx, edi
		mov	edx, ebx
		ja	short loc_81D84A
		mov	edx, edi

loc_81D84A:				; CODE XREF: PAGE:0081D846j
		mov	ecx, [ebp+1Ch]
		call	sub_4F0630
		mov	[esi+0Ch], eax
		mov	ecx, [ebp+18h]
		test	ecx, ecx
		jz	short loc_81D867
		push	ebx
		push	ecx
		push	eax
		call	_memcpy
		add	esp, 0Ch

loc_81D867:				; CODE XREF: PAGE:0081D840j
					; PAGE:0081D85Aj
		mov	dword ptr [esi+8], 30h
		mov	eax, [ebp+20h]
		mov	[esi+3Ch], eax
		test	edi, edi
		jz	short loc_81D87F
		mov	dword ptr [esi+8], 70h

loc_81D87F:				; CODE XREF: PAGE:0081D834j
					; PAGE:0081D876j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	_IopDisableBufferedIoInit, 0
		jnz	loc_81D9F7
		cmp	ebx, edi
		jnb	loc_81D9F7
		sub	edi, ebx
		push	edi
		push	0
		mov	eax, [esi+0Ch]
		add	eax, ebx
		push	eax
		call	_memset
		add	esp, 0Ch
		jmp	loc_81D9F7
; 

loc_81D8B3:				; DATA XREF: .text:006A5BF4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-90h], eax
		mov	eax, 1
		retn
; 

loc_81D8C6:				; DATA XREF: .text:006A5BF8o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-2Ch]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	0
		push	dword ptr [ebp-30h]
		mov	edx, [ebp-54h]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-90h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_81D904:				; CODE XREF: PAGE:loc_81D811j
					; DATA XREF: PAGE:0081DAC4o ...
		mov	dword ptr [esi+8], 0
		mov	dword ptr [ecx+10h], 0
		mov	dword ptr [ebp-4], 5
		test	ebx, ebx
		jz	short loc_81D944
		cmp	dword ptr [ebp+18h], 0
		jz	short loc_81D944
		mov	edx, ebx
		mov	ecx, eax
		call	sub_4F0630
		mov	[esi+0Ch], eax
		push	ebx
		mov	ecx, [ebp+18h]
		push	ecx
		push	eax
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [esi+8], 30h

loc_81D944:				; CODE XREF: PAGE:0081D91Bj
					; PAGE:0081D921j
		test	edi, edi
		jz	short loc_81D987
		push	esi
		push	1
		push	0
		push	edi
		push	dword ptr [ebp+20h]
		call	IoAllocateMdl
		mov	ecx, eax
		mov	[esi+4], ecx
		test	ecx, ecx
		jz	loc_81DAB5
		mov	edi, [ebp+10h]
		mov	eax, [edi]
		push	eax
		push	dword ptr [ebp-24h]
		xor	eax, eax
		cmp	dword ptr [ebp-3Ch], 1
		setnz	al
		push	eax
		mov	dl, [ebp-1Dh]
		call	sub_4F0820
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_81D9FA
; 

loc_81D987:				; CODE XREF: PAGE:0081D946j
		mov	edi, [ebp+10h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_81D9FA
; 

loc_81D993:				; DATA XREF: .text:006A5C00o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-94h], eax
		mov	eax, 1
		retn
; 

loc_81D9A6:				; DATA XREF: .text:006A5C04o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-2Ch]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	0
		push	dword ptr [ebp-30h]
		mov	edx, [ebp-54h]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-94h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_81D9E4:				; CODE XREF: PAGE:loc_81D811j
					; DATA XREF: PAGE:0081DACCo
		mov	dword ptr [esi+8], 0
		mov	eax, [ebp+20h]
		mov	[esi+3Ch], eax
		mov	eax, [ebp+18h]
		mov	[ecx+10h], eax

loc_81D9F7:				; CODE XREF: PAGE:0081D88Dj
					; PAGE:0081D895j ...
		mov	edi, [ebp+10h]

loc_81D9FA:				; CODE XREF: PAGE:0081D985j
					; PAGE:0081D991j
		mov	eax, [ebp-74h]
		mov	cl, al
		and	cl, 2
		add	cl, cl
		and	al, 1
		or	cl, al
		or	[edi+2], cl
		mov	dl, [ebp+28h]
		test	dl, dl
		jnz	short loc_81DA19
		or	dword ptr [esi+8], 800h

loc_81DA19:				; CODE XREF: PAGE:0081DA10j
		mov	ecx, [ebp+14h]
		cmp	ecx, 90020h
		jnz	short loc_81DA2C
		mov	eax, 0FFDF02DCh
		lock inc dword ptr [eax]

loc_81DA2C:				; CODE XREF: PAGE:0081DA22j
		cmp	byte ptr [ebp-1Eh], 0
		jz	short loc_81DA83
		cmp	byte ptr [ebp-25h], 0
		jnz	short loc_81DA83
		mov	eax, [esi+0Ch]
		cmp	ecx, 9040Ch
		jnz	short loc_81DA46
		add	eax, 20h

loc_81DA46:				; CODE XREF: PAGE:0081DA41j
		cmp	dword ptr [eax], 0A0000003h
		jnz	short loc_81DA83
		mov	eax, [ebp-60h]
		mov	eax, [eax]
		shr	eax, 1
		and	al, 1
		movzx	eax, al
		push	eax
		push	0
		push	dword ptr [ebp-30h]
		mov	edx, esi
		mov	ecx, [ebp-2Ch]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		mov	eax, 0C000000Dh
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_81DA83:				; CODE XREF: PAGE:0081DA30j
					; PAGE:0081DA36j ...
		push	2
		push	dword ptr [ebp-40h]
		push	dword ptr [ebp-5Ch]
		test	dl, dl
		setz	al
		movzx	eax, al
		push	eax
		push	dword ptr [ebp-2Ch]
		mov	edx, esi
		mov	ecx, [ebp-24h]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_81DAB5:				; CODE XREF: PAGE:0081D95Dj
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		nop
; 
off_81DAC0	dd offset loc_81D818	; DATA XREF: PAGE:loc_81D811r
		dd offset loc_81D904
		dd offset loc_81D904
		dd offset loc_81D9E4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCreateKeyBody proc near		; CODE XREF: CmpStartSiloRegistryNamespace(x)+C1p
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+116Dp ...

var_3E		= byte ptr -3Eh
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0091FF38 SIZE 00000192 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[esp+3Ch+var_20], edx
		push	edi
		mov	[esp+40h+var_28], ebx
		xor	esi, esi
		mov	[esp+40h+var_24], 0
		mov	eax, 1
		mov	[esp+40h+var_14], 0
		lock xadd [ebx], eax
		inc	eax
		jz	loc_91FF38
		cmp	eax, 1
		jz	loc_91FF46
		mov	eax, [ebp+arg_4]
		mov	byte ptr [esp+40h+var_30+3], 1
		test	eax, eax
		jnz	loc_81DDC1

loc_81DB23:				; CODE XREF: CmpCreateKeyBody+30Cj
					; CmpCreateKeyBody+1024A6j
		xor	eax, eax
		mov	[esp+40h+var_8], esi
		mov	word ptr [esp+40h+var_2C], ax
		mov	eax, ds:_CmKeyObjectType
		mov	[esp+40h+var_C], eax
		mov	eax, large fs:20h
		mov	[esp+40h+var_1C], eax
		mov	byte ptr [esp+40h+var_2C], 1
		mov	[esp+40h+var_4], esi
		mov	eax, [eax+5C0h]
		mov	ecx, eax
		mov	[esp+40h+var_18], esi
		mov	[esp+40h+var_10], eax
		inc	dword ptr [eax+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_81DD5C

loc_81DB6C:				; CODE XREF: CmpCreateKeyBody+2ADj
					; CmpCreateKeyBody+2CFj
		mov	eax, [esp+40h+var_1C]
		push	0
		push	edi
		mov	eax, [eax+3CCh]
		mov	[edi], eax
		lea	eax, [esp+48h+var_8]
		push	eax
		mov	eax, [esp+4Ch+var_20]
		mov	dl, al
		push	0
		mov	cl, al
		call	ObpCaptureObjectCreateInformation
		mov	ebx, eax
		test	ebx, ebx
		js	loc_91FF85
		mov	ebx, [esp+50h+var_1C]
		mov	eax, [edi]
		test	[ebx+30h], eax
		jnz	loc_91FFDA
		test	al, 10h
		jnz	loc_91FFE1

loc_81DBB0:				; CODE XREF: CmpCreateKeyBody+102528j
		mov	eax, [ebx+50h]
		mov	ecx, [ebx+54h]
		mov	dl, byte ptr [esp+50h+var_30]
		mov	[edi+0Ch], eax
		lea	eax, [esp+50h+var_3C]
		push	eax
		lea	eax, [esp+54h+var_28]
		mov	[edi+10h], ecx
		push	eax
		push	38h
		lea	eax, [esp+5Ch+var_18]
		mov	ecx, edi
		push	eax
		push	ebx
		call	_ObpAllocateObject@28 ;	ObpAllocateObject(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_920003
		cmp	ds:_ObpTraceFlags, esi
		mov	esi, [esp+50h+var_28]
		jnz	loc_920073

loc_81DBF3:				; CODE XREF: CmpCreateKeyBody+1025BAj
		add	esi, 18h

loc_81DBF6:				; CODE XREF: CmpCreateKeyBody+1024F5j
					; CmpCreateKeyBody+102505j ...
		mov	edi, ebx
		test	ebx, ebx
		js	loc_92008F
		push	38h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edi, [ebp+arg_0]
		add	esp, 0Ch
		mov	ebx, [esp+50h+var_38]
		mov	ax, [edi+10h]
		mov	[esi+1Eh], ax
		mov	[esi+8], ebx
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		mov	[esi+10h], eax
		xor	eax, eax
		mov	[esi+4], ax
		mov	dword ptr [esi+34h], 0FFFFFFFFh
		test	dword ptr [ebx+68h], 400000h
		jnz	loc_81DDB4
		mov	dword ptr [esi], 6B793032h

loc_81DC47:				; CODE XREF: CmpCreateKeyBody+2ECj
		cmp	[ebp+arg_4], 0
		jnz	loc_81DDE7

loc_81DC51:				; CODE XREF: CmpCreateKeyBody+32Bj
		lea	eax, [esi+28h]
		mov	[eax+4], eax
		mov	[eax], eax
		test	byte ptr [edi+14h], 10h
		jnz	loc_81DDAA

loc_81DC63:				; CODE XREF: CmpCreateKeyBody+2DFj
		mov	ecx, [ebx+68h]
		test	ecx, 400000h
		jnz	short loc_81DCC1
		lea	ebx, [esi+14h]

loc_81DC71:				; CODE XREF: CmpCreateKeyBody+24Dj
					; CmpCreateKeyBody+281j
		mov	[ebx+4], ebx
		mov	edi, 48h
		mov	[ebx], ebx
		jmp	short loc_81DC80
; 
		align 10h

loc_81DC80:				; CODE XREF: CmpCreateKeyBody+1ABj
					; CmpCreateKeyBody+1C7j
		mov	edx, [esi+8]
		mov	ecx, esi
		add	edx, edi
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_81DCBA
		add	edi, 4
		cmp	edi, 58h
		jb	short loc_81DC80
		cmp	[ebp+arg_8], 0
		mov	edi, [esi+8]
		jz	short loc_81DCFA
		mov	ecx, [edi+44h]
		lea	eax, [edi+40h]
		cmp	[ecx], eax
		jnz	loc_9200B4
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		mov	[eax+4], ebx

loc_81DCBA:				; CODE XREF: CmpCreateKeyBody+1BFj
		mov	ebx, [esp+50h+var_38]
		mov	ecx, [ebx+68h]

loc_81DCC1:				; CODE XREF: CmpCreateKeyBody+19Cj
		mov	eax, [ebp+arg_10]
		shr	ecx, 16h
		and	cl, 1
		mov	[esp+50h+var_3D], 0
		xor	edi, edi
		mov	[eax], esi
		mov	eax, [ebp+arg_14]
		mov	[eax], cl

loc_81DCD8:				; CODE XREF: CmpCreateKeyBody+1025D1j
					; CmpCreateKeyBody+1025DFj
		mov	eax, [esp+50h+var_34]
		test	eax, eax
		jnz	loc_9200BB

loc_81DCE4:				; CODE XREF: CmpCreateKeyBody+1025F5j
		cmp	[esp+50h+var_3D], 0
		jnz	loc_91FF63

loc_81DCEF:				; CODE XREF: CmpCreateKeyBody+10249Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_81DCFA:				; CODE XREF: CmpCreateKeyBody+1D0j
		lea	edx, [edi+18h]
		mov	ecx, 1
		mov	eax, 11h
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	short loc_81DD22
		mov	eax, large fs:124h
		mov	[edi+1Ch], eax
		mov	[ebp+arg_8], 1
		jmp	loc_81DC71
; 

loc_81DD22:				; CODE XREF: CmpCreateKeyBody+23Ej
		mov	ecx, [esi+8]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	edi, [esi+8]
		xor	edx, edx
		lea	ecx, [edi+18h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_C]
		mov	[edi+1Ch], eax
		mov	[ebp+arg_8], 1
		call	CmpIsKeyStackDeleted
		test	al, al
		jz	loc_81DC71
		jmp	loc_9200A6
; 

loc_81DD5C:				; CODE XREF: CmpCreateKeyBody+96j
		mov	eax, [esp+40h+var_10]
		inc	dword ptr [eax+10h]
		mov	eax, [esp+40h+var_1C]
		mov	ecx, [eax+5C4h]
		mov	[esp+40h+var_10], ecx
		inc	dword ptr [ecx+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_81DB6C
		mov	ecx, [esp+40h+var_10]
		mov	eax, [ecx+20h]
		inc	dword ptr [ecx+10h]
		push	eax
		mov	eax, [ecx+24h]
		push	eax
		mov	eax, [ecx+1Ch]
		push	eax
		mov	eax, [ecx+28h]
		call	eax
		mov	edi, eax
		test	edi, edi
		jnz	loc_81DB6C
		jmp	loc_91FF7B
; 

loc_81DDAA:				; CODE XREF: CmpCreateKeyBody+18Dj
		or	word ptr [esi+1Ch], 10h
		jmp	loc_81DC63
; 

loc_81DDB4:				; CODE XREF: CmpCreateKeyBody+16Bj
		mov	eax, [ebx+30h]
		mov	[esi], eax
		mov	[edi+28h], eax
		jmp	loc_81DC47
; 

loc_81DDC1:				; CODE XREF: CmpCreateKeyBody+4Dj
		mov	ecx, [eax+1Ch]
		test	ecx, ecx
		jz	loc_91FF6F
		mov	eax, ecx
		push	eax
		mov	[esp+44h+var_24], eax
		call	_CmpTransReferenceTransaction@4	; CmpTransReferenceTransaction(x)
		mov	edi, eax
		test	edi, edi
		jns	loc_81DB23
		jmp	loc_91FF55
; 

loc_81DDE7:				; CODE XREF: CmpCreateKeyBody+17Bj
		mov	eax, [esp+50h+var_34]
		mov	[esi+20h], eax
		xor	eax, eax
		mov	[esp+50h+var_34], eax
		mov	eax, [esp+50h+var_24]
		mov	[esi+24h], eax
		jmp	loc_81DC51
CmpCreateKeyBody endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpNewSecurityObject proc near		; CODE XREF: SeAssignSecurityEx2(x,x,x,x,x,x,x,x,x,x)+37p
					; SeAssignSecurity(x,x,x,x,x,x,x)+49p ...

var_1D8		= dword	ptr -1D8h
var_1D1		= byte ptr -1D1h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C6		= byte ptr -1C6h
var_1C5		= byte ptr -1C5h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= byte ptr -1B8h
var_1B3		= dword	ptr -1B3h
var_1AC		= byte ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= byte ptr -194h
var_193		= byte ptr -193h
var_192		= byte ptr -192h
var_191		= byte ptr -191h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= byte ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_165		= dword	ptr -165h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_151		= dword	ptr -151h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= word ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= word ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_60		= dword	ptr -60h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 009200CA SIZE 0000076A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1DCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1DCh+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+1DCh+var_11C], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+1DCh+var_13C], eax
		mov	eax, [ebp+arg_18]
		mov	[esp+1DCh+var_180], eax
		mov	eax, [ebp+arg_1C]
		push	ebx
		mov	ebx, [ebp+arg_14]
		mov	[esp+1E0h+var_124], eax
		xor	eax, eax
		push	esi
		mov	[esp+1E4h+var_18C], ecx
		xor	ecx, ecx
		test	[ebp+arg_10], 2000h
		mov	[esp+1E4h+var_118], eax
		mov	[esp+1E4h+var_114], eax
		mov	[esp+1E4h+var_110], eax
		mov	[esp+1E4h+var_10C], eax
		mov	[esp+1E4h+var_108], eax
		mov	[esp+1E4h+var_1BC], eax
		mov	[esp+1E4h+var_1D8], eax
		mov	[esp+1E4h+var_1C6], al
		mov	byte ptr [esp+1E4h+var_190+2], al
		mov	byte ptr [esp+1E4h+var_190+1], al
		mov	[esp+1E4h+var_140], eax
		mov	[esp+1E4h+var_1CC], eax
		mov	[esp+1E4h+var_138], eax
		mov	[esp+1E4h+var_1C5], al
		mov	byte ptr [esp+1E4h+var_1B3+1], al
		mov	byte ptr [esp+1E4h+var_1B3], al
		mov	byte ptr [esp+1E4h+var_151], al
		mov	byte ptr [esp+1E4h+var_165], al
		mov	byte ptr [esp+1E4h+var_1B3+2], al
		mov	[esp+1E4h+var_192], al
		mov	byte ptr [esp+1E4h+var_190], al
		mov	[esp+1E4h+var_F4], eax
		mov	[esp+1E4h+var_F0], eax
		mov	[esp+1E4h+var_EC], eax
		mov	[esp+1E4h+var_E8], eax
		mov	[esp+1E4h+var_E4], eax
		mov	[esp+1E4h+var_134], eax
		mov	[esp+1E4h+var_14C], eax
		mov	[esp+1E4h+var_1D0], eax
		mov	[esp+1E4h+var_1A0], eax
		mov	[esp+1E4h+var_165+1], eax
		mov	[esp+1E4h+var_170], eax
		mov	[esp+1E4h+var_178], eax
		mov	[esp+1E4h+var_151+1], eax
		mov	[esp+1E4h+var_128], eax
		mov	[esp+1E4h+var_17C], eax
		lea	eax, [esp+1E4h+var_E0]
		push	edi
		mov	edi, edx
		mov	[esp+1E8h+var_1C4], edx
		mov	[esp+1E8h+var_198], ebx
		mov	byte ptr [esp+1E8h+var_160], 1
		mov	[esp+1E8h+var_12C], eax
		mov	[esp+1E8h+var_16C], ecx
		mov	[esp+1E8h+var_1D1], cl
		mov	[esp+1E8h+var_158], ecx
		mov	[esp+1E8h+var_194], 1
		mov	[esp+1E8h+var_130], ecx
		mov	byte ptr [esp+1E8h+var_190+3], cl
		jnz	short loc_81DF70
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+1E8h+var_160], al

loc_81DF70:				; CODE XREF: RtlpNewSecurityObject+15Bj
		test	edi, edi
		jnz	loc_81EDEB
		lea	edi, [esp+1E8h+var_118]
		mov	[esp+1E8h+var_193], cl
		mov	byte ptr [esp+1E8h+var_118], 1
		mov	[esp+1E8h+var_1C4], edi

loc_81DF8F:				; CODE XREF: RtlpNewSecurityObject+FF0j
		movzx	eax, word ptr [edi+2]
		test	al, al
		js	loc_9200CA
		xor	dl, dl

loc_81DF9D:				; CODE XREF: RtlpNewSecurityObject+1022CCj
		mov	byte ptr [esp+1E8h+var_1A4], dl
		test	al, 40h
		jnz	loc_9200D1
		mov	[esp+1E8h+var_191], cl

loc_81DFAD:				; CODE XREF: RtlpNewSecurityObject+1022D6j
		test	ebx, ebx
		jz	loc_9200DB

loc_81DFB5:				; CODE XREF: RtlpNewSecurityObject+1022E3j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [ebx+8]
		push	1
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	edx, [ebx]
		test	edx, edx
		jnz	loc_81F209

loc_81DFDB:				; CODE XREF: RtlpNewSecurityObject+1428j
		mov	edx, [ebx+8]
		mov	esi, edx

loc_81DFE0:				; CODE XREF: RtlpNewSecurityObject+143Bj
		mov	ecx, [edx+90h]
		mov	eax, [edx+94h]
		mov	edi, [edx+9Ch]
		mov	ebx, [edx+0A4h]
		mov	eax, [eax+ecx*8]
		mov	ecx, [esi+90h]
		mov	[esp+1E8h+var_170], eax
		mov	eax, [esi+94h]
		mov	esi, [esi+9Ch]
		mov	eax, [eax+ecx*8]
		mov	ecx, edx
		mov	[esp+1E8h+var_188], eax
		call	_SepLocateTokenIntegrity@4 ; SepLocateTokenIntegrity(x)
		test	eax, eax
		jz	loc_9200E8
		mov	eax, [eax]

loc_81E029:				; CODE XREF: RtlpNewSecurityObject+1022EDj
		mov	ecx, [esp+1E8h+var_198]
		mov	[esp+1E8h+var_1D0], eax
		call	_SepLocateTokenTrustLevel@4 ; SepLocateTokenTrustLevel(x)
		mov	[esp+1E8h+var_148], eax
		test	eax, eax
		jnz	loc_81F2A3
		mov	dword ptr [esp+1E8h+var_1B8], eax

loc_81E049:				; CODE XREF: RtlpNewSecurityObject+14B2j
		test	edi, edi
		jz	loc_9200F2
		movzx	eax, byte ptr [edi+1]
		lea	eax, ds:8[eax*4]
		mov	dword ptr [esp+1E8h+var_1AC], eax

loc_81E060:				; CODE XREF: RtlpNewSecurityObject+1022FAj
		test	esi, esi
		jz	loc_9200FF
		movzx	eax, byte ptr [esi+1]
		lea	eax, ds:20h[eax*4]
		mov	[esp+1E8h+var_174], eax

loc_81E077:				; CODE XREF: RtlpNewSecurityObject+102307j
		test	ebx, ebx
		jz	loc_92010C
		movzx	edx, word ptr [ebx+2]

loc_81E083:				; CODE XREF: RtlpNewSecurityObject+10230Ej
		mov	eax, [esp+1E8h+var_170]
		push	64536553h
		movzx	ecx, byte ptr [eax+1]
		mov	eax, [esp+1ECh+var_188]
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		mov	eax, [esp+1ECh+var_1D0]
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		lea	eax, [edx+ecx*4]
		add	eax, dword ptr [esp+1ECh+var_1AC]
		add	eax, dword ptr [esp+1ECh+var_1B8]
		add	eax, [esp+1ECh+var_174]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[esp+1E8h+var_134], edx
		test	edx, edx
		jz	loc_920821
		mov	ecx, [esp+1E8h+var_170]
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		mov	eax, [esp+1F4h+var_170]
		add	esp, 0Ch
		mov	ecx, [esp+1E8h+var_134]
		add	ecx, 8
		movzx	eax, byte ptr [eax+1]
		lea	edx, [ecx+eax*4]
		mov	ecx, [esp+1E8h+var_1D0]
		mov	[esp+1E8h+var_14C], edx
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		mov	eax, [esp+1F4h+var_1D0]
		add	esp, 0Ch
		mov	ecx, [esp+1E8h+var_14C]
		add	ecx, 8
		movzx	edx, byte ptr [eax+1]
		lea	edx, [ecx+edx*4]
		mov	ecx, [esp+1E8h+var_148]
		mov	[esp+1E8h+var_1A0], edx
		test	ecx, ecx
		jnz	loc_81F26B
		mov	[esp+1E8h+var_1D0], ecx

loc_81E14B:				; CODE XREF: RtlpNewSecurityObject+149Ej
		test	edi, edi
		jz	loc_920113
		movzx	eax, byte ptr [edi+1]
		mov	[esp+1E8h+var_1B3+3], edx
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	edi		; void *
		push	edx		; void *
		call	_memcpy
		mov	edx, [esp+1F4h+var_1A0]
		add	esp, 0Ch
		movzx	eax, byte ptr [edi+1]
		lea	edx, [edx+eax*4]
		add	edx, 8
		mov	[esp+1E8h+var_1A0], edx

loc_81E17F:				; CODE XREF: RtlpNewSecurityObject+102319j
		mov	edi, [esp+1E8h+var_188]
		movzx	eax, byte ptr [edi+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	edi		; void *
		push	edx		; void *
		call	_memcpy
		mov	ecx, [esp+1F4h+var_1A0]
		add	esp, 0Ch
		movzx	edi, byte ptr [edi+1]
		add	ecx, 8
		lea	edi, [ecx+edi*4]
		mov	[esp+1E8h+var_170], edi
		test	esi, esi
		jz	loc_92011E
		movzx	eax, byte ptr [esi+1]
		mov	[esp+1E8h+var_165+1], edi
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		movzx	eax, byte ptr [esi+1]
		add	esp, 0Ch
		lea	edi, [edi+eax*4]
		add	edi, 8
		mov	[esp+1E8h+var_170], edi

loc_81E1DE:				; CODE XREF: RtlpNewSecurityObject+102329j
		test	ebx, ebx
		jz	loc_92012E
		movzx	eax, word ptr [ebx+2]
		push	eax		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_81E1F5:				; CODE XREF: RtlpNewSecurityObject+102336j
		mov	ebx, [esp+1E8h+var_198]
		mov	ecx, [ebx+8]
		mov	ecx, [ecx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebx]
		test	ecx, ecx
		jnz	loc_81F240

loc_81E213:				; CODE XREF: RtlpNewSecurityObject+144Dj
		mov	edi, [esp+1E8h+var_1C4]
		mov	ecx, [esp+1E8h+var_1B3+3]

loc_81E21B:				; CODE XREF: RtlpNewSecurityObject+1022DDj
		movzx	edx, word ptr [edi+2]
		mov	ebx, [edi+4]
		mov	esi, edx
		test	si, si
		js	loc_81EEA1

loc_81E22D:				; CODE XREF: RtlpNewSecurityObject+10AAj
		mov	[esp+1E8h+var_1A8], ebx
		test	ebx, ebx
		jnz	loc_81F345
		test	byte ptr [ebp+arg_10], 20h
		jnz	loc_92013B
		cmp	byte ptr [esp+1E8h+var_1A4], bl
		jnz	loc_81F389
		mov	ebx, [esp+1E8h+var_134]

loc_81E254:				; CODE XREF: RtlpNewSecurityObject+158Dj
		mov	[esp+1E8h+var_1A8], ebx
		test	ebx, ebx
		jz	loc_92017A

loc_81E260:				; CODE XREF: RtlpNewSecurityObject+154Aj
					; RtlpNewSecurityObject+10236Aj
		mov	ebx, [edi+8]
		test	si, si
		js	loc_81EEAF

loc_81E26C:				; CODE XREF: RtlpNewSecurityObject+10B8j
		mov	[esp+1E8h+var_19C], ebx
		test	ebx, ebx
		jnz	short loc_81E296
		test	byte ptr [ebp+arg_10], 40h
		jnz	loc_920184
		cmp	byte ptr [esp+1E8h+var_1A4], bl
		jnz	loc_81F392
		mov	ebx, ecx
		mov	[esp+1E8h+var_19C], ecx

loc_81E28E:				; CODE XREF: RtlpNewSecurityObject+159Dj
					; RtlpNewSecurityObject+1023B0j
		test	ebx, ebx
		jz	loc_9201B5

loc_81E296:				; CODE XREF: RtlpNewSecurityObject+472j
		mov	ecx, [ebp+arg_10]
		mov	eax, ecx
		and	eax, 4
		mov	dword ptr [esp+1E8h+var_184], eax
		jnz	loc_9201BF
		mov	[esp+1E8h+var_1B8], 0

loc_81E2AD:				; CODE XREF: RtlpNewSecurityObject+1023C4j
		and	ecx, 2
		mov	[esp+1E8h+var_1C0], ecx
		setnz	al
		mov	byte ptr [esp+1E8h+var_174], al
		mov	eax, edx
		and	eax, 10h
		mov	ecx, eax
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 4
		test	dl, 20h
		jnz	loc_9201C9
		mov	dword ptr [esp+1E8h+var_1AC], 0

loc_81E2DA:				; CODE XREF: RtlpNewSecurityObject+1023D1j
		mov	edi, edx
		shr	edi, 1
		and	edi, 400h
		test	edx, 2000h
		jnz	loc_9201D6
		xor	edx, edx

loc_81E2F2:				; CODE XREF: RtlpNewSecurityObject+1023DBj
		test	ax, ax
		jnz	loc_81F2D1
		mov	[esp+1E8h+var_1B3+3], 0

loc_81E303:				; CODE XREF: RtlpNewSecurityObject+14EEj
					; RtlpNewSecurityObject+1023E7j
		mov	ebx, [esp+1E8h+var_18C]
		test	ebx, ebx
		jnz	loc_81EF36

loc_81E30F:				; CODE XREF: RtlpNewSecurityObject+113Ej
		xor	ebx, ebx

loc_81E311:				; CODE XREF: RtlpNewSecurityObject+114Aj
					; RtlpNewSecurityObject+115Cj
		or	edi, ecx
		or	edi, edx
		or	edi, dword ptr [esp+1E8h+var_1AC]
		jnz	loc_81EFE1
		test	ebx, ebx
		jnz	loc_81EFE1
		mov	ebx, [esp+1E8h+var_1C0]
		mov	eax, ebx
		neg	eax
		mov	[esp+1E8h+var_1BC], edi
		sbb	eax, eax
		and	eax, 400h
		mov	[esp+1E8h+var_178], eax

loc_81E33E:				; CODE XREF: RtlpNewSecurityObject+129Cj
		mov	edi, [esp+1E8h+var_1C4]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 800h
		movzx	ecx, word ptr [edi+2]
		add	ebx, 8000h
		mov	al, cl
		mov	[esp+1E8h+var_1C0], ebx
		and	al, 30h
		mov	edx, ecx
		cmp	al, 30h
		jz	loc_920233

loc_81E368:				; CODE XREF: RtlpNewSecurityObject+15FFj
					; RtlpNewSecurityObject+102476j
		cmp	dword ptr [esp+1E8h+var_184], 0
		jnz	loc_92027B
		mov	[esp+1E8h+var_1AC], 0

loc_81E378:				; CODE XREF: RtlpNewSecurityObject+102480j
		movzx	ebx, word ptr [edi+2]
		mov	eax, ebx
		mov	esi, ebx
		and	eax, 10h
		mov	ecx, eax
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 4
		test	bl, 20h
		jnz	loc_920285
		xor	edx, edx

loc_81E397:				; CODE XREF: RtlpNewSecurityObject+10248Aj
		shr	ebx, 1
		and	ebx, 400h
		test	ax, ax
		jnz	loc_81F2F3
		mov	[esp+1E8h+var_188], 0

loc_81E3B0:				; CODE XREF: RtlpNewSecurityObject+150Cj
					; RtlpNewSecurityObject+102496j
		mov	edi, [esp+1E8h+var_18C]
		test	edi, edi
		jnz	loc_81EF61

loc_81E3BC:				; CODE XREF: RtlpNewSecurityObject+1169j
		xor	edi, edi

loc_81E3BE:				; CODE XREF: RtlpNewSecurityObject+1175j
					; RtlpNewSecurityObject+1187j
		or	ebx, ecx
		or	ebx, edx
		jnz	loc_81F0A1
		test	edi, edi
		jnz	loc_81F0A1
		mov	[esp+1E8h+var_1D8], edi
		mov	[esp+1E8h+var_144], 8000000Bh

loc_81E3DF:				; CODE XREF: RtlpNewSecurityObject+1366j
		mov	ebx, [esp+1E8h+var_1C4]
		movzx	ecx, word ptr [ebx+2]
		mov	al, cl
		mov	edx, ecx
		and	al, 30h
		cmp	al, 30h
		jz	loc_9202D0

loc_81E3F5:				; CODE XREF: RtlpNewSecurityObject+1620j
					; RtlpNewSecurityObject+1024DDj ...
		mov	edi, [esp+1E8h+var_1D0]
		mov	[esp+1E8h+var_1B3+3], 0

loc_81E401:				; CODE XREF: RtlpNewSecurityObject+62Ej
		movzx	eax, word ptr [ebx+2]
		mov	ecx, eax
		test	al, 10h
		jnz	loc_81F2B7
		xor	ecx, ecx

loc_81E411:				; CODE XREF: RtlpNewSecurityObject+14BDj
					; RtlpNewSecurityObject+14CCj
		lea	eax, [esp+1E8h+var_1B3+3]
		push	eax
		push	14h
		push	ecx
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_81F46B

loc_81E428:				; CODE XREF: RtlpNewSecurityObject+1670j
					; RtlpNewSecurityObject+1688j
		inc	[esp+1E8h+var_1B3+3]
		test	esi, esi
		jnz	short loc_81E401
		test	[ebp+arg_10], 800h
		jnz	loc_920308

loc_81E43D:				; CODE XREF: RtlpNewSecurityObject+10258Aj
		mov	edi, [esp+1E8h+var_1D8]
		mov	[esp+1E8h+var_130], edi

loc_81E448:				; CODE XREF: RtlpNewSecurityObject+102645j
		movzx	eax, word ptr [ebx+2]
		mov	ecx, eax
		test	al, 10h
		jnz	loc_81F311
		xor	edi, edi

loc_81E458:				; CODE XREF: RtlpNewSecurityObject+1517j
					; RtlpNewSecurityObject+1526j
		mov	[esp+1E8h+var_15C], 0
		mov	[esp+1E8h+var_104], 0
		mov	[esp+1E8h+var_100], 100h
		mov	[esp+1E8h+var_174], 0

loc_81E480:				; CODE XREF: RtlpNewSecurityObject+69Dj
		lea	eax, [esp+1E8h+var_174]
		push	eax
		push	15h
		push	edi
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_920451

loc_81E497:				; CODE XREF: RtlpNewSecurityObject+10267Bj
					; RtlpNewSecurityObject+1026B8j
		inc	[esp+1E8h+var_174]
		test	esi, esi
		jnz	short loc_81E480
		mov	esi, [esp+1E8h+var_15C]

loc_81E4A6:				; CODE XREF: RtlpNewSecurityObject+1026C3j
		test	esi, esi
		js	loc_920379
		mov	eax, [ebp+arg_10]
		mov	esi, eax
		shr	esi, 8
		and	esi, 1
		test	eax, 200h
		jnz	loc_81F263

loc_81E4C4:				; CODE XREF: RtlpNewSecurityObject+1466j
		test	eax, 400h
		jnz	loc_81F463

loc_81E4CF:				; CODE XREF: RtlpNewSecurityObject+1666j
		mov	ebx, [esp+1E8h+var_1C4]
		test	esi, esi
		jz	loc_81ECC5
		xor	edi, edi

loc_81E4DD:				; CODE XREF: RtlpNewSecurityObject+EEAj
		mov	cl, [esp+1E8h+var_1D1]

loc_81E4E1:				; CODE XREF: RtlpNewSecurityObject+F0Dj
					; RtlpNewSecurityObject+1026DDj
		test	cl, 8
		jnz	loc_81F524

loc_81E4EA:				; CODE XREF: RtlpNewSecurityObject+1738j
		test	esi, esi
		jz	loc_81ED64

loc_81E4F2:				; CODE XREF: RtlpNewSecurityObject+1457j
		test	edi, edi
		jnz	loc_81ED83
		cmp	[esp+1E8h+var_198], edi
		jz	loc_9204F2
		mov	eax, [esp+1E8h+var_14C]
		mov	[esp+1E8h+var_17C], eax
		mov	[esp+1E8h+var_1D1], 0

loc_81E514:				; CODE XREF: RtlpNewSecurityObject+F87j
		test	eax, eax
		jz	loc_81EDB5
		push	78h		; size_t
		lea	eax, [esp+1ECh+var_D8]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [esp+1F4h+var_17C]
		xor	eax, eax
		movzx	ebx, [esp+1F4h+var_1D1]
		add	esp, 0Ch
		mov	[esp+1E8h+var_E0], 800002h
		mov	[esp+1E8h+var_DC], eax
		mov	[esp+1E8h+var_FC], eax
		mov	[esp+1E8h+var_F8], 1000h
		cmp	ecx, ds:_MmUserProbeAddress
		jbe	loc_81F514
		mov	al, [ecx]
		and	al, 0Fh
		cmp	al, 1
		jnz	loc_81F514
		cmp	byte ptr [ecx+1], 0Fh
		ja	loc_81F514
		mov	eax, [ecx+2]
		lea	edx, [esp+1E8h+var_FC]
		add	ecx, 2
		mov	edi, 2
		cmp	eax, [edx]
		jnz	short loc_81E5A1
		add	ecx, 4
		mov	edi, 0FFFFFFFEh
		add	edx, 4

loc_81E5A1:				; CODE XREF: RtlpNewSecurityObject+794j
		mov	al, [ecx]
		cmp	al, [edx]
		jnz	loc_81F50A
		mov	al, [ecx+1]
		cmp	al, [edx+1]
		jnz	loc_81F50A
		cmp	edi, 0FFFFFFFEh
		jz	short loc_81E5D4
		mov	al, [ecx+2]
		cmp	al, [edx+2]
		jnz	loc_81F50A
		mov	al, [ecx+3]
		cmp	al, [edx+3]
		jnz	loc_81F50A

loc_81E5D4:				; CODE XREF: RtlpNewSecurityObject+7BAj
		xor	eax, eax

loc_81E5D6:				; CODE XREF: RtlpNewSecurityObject+170Fj
		test	eax, eax
		jnz	loc_920502
		test	ebx, 0FFFFFFE0h
		jnz	loc_920512
		test	esi, 0FFFFFFF8h
		jnz	loc_920522
		lea	eax, [esp+1E8h+var_E0]
		push	eax
		call	RtlValidAcl
		xor	ebx, ebx
		test	al, al
		jz	loc_920532
		mov	cx, word ptr [esp+1E8h+var_DC]
		lea	edx, [esp+1E8h+var_D8]
		mov	di, word ptr [esp+1E8h+var_E0+2]
		xor	eax, eax
		cmp	ax, cx
		jb	loc_920540

loc_81E62F:				; CODE XREF: RtlpNewSecurityObject+10276Aj
		mov	ebx, [esp+1E8h+var_17C]
		movzx	eax, di
		lea	edi, [esp+1E8h+var_E0]
		add	edi, eax
		cmp	edi, edx
		movzx	eax, byte ptr [ebx+1]
		sbb	ecx, ecx
		add	ax, 4
		not	ecx
		shl	ax, 2
		and	ecx, edx
		movzx	edx, ax
		test	ecx, ecx
		jz	loc_92057F
		lea	eax, [ecx+edx]
		cmp	eax, edi
		ja	loc_92057F
		mov	al, [esp+1E8h+var_1D1]
		mov	[ecx+1], al
		mov	byte ptr [ecx],	11h
		mov	[ecx+2], dx
		mov	[ecx+4], esi
		movzx	eax, byte ptr [ebx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		lea	eax, [ecx+8]
		push	ebx		; void *
		push	eax		; void *
		call	_memmove
		inc	word ptr [esp+1F4h+var_DC]
		add	esp, 0Ch
		mov	byte ptr [esp+1E8h+var_E0], 2
		xor	esi, esi

loc_81E6A5:				; CODE XREF: RtlpNewSecurityObject+102784j
		test	esi, esi
		js	loc_920379
		mov	ebx, [esp+1E8h+var_1C4]
		lea	eax, [esp+1E8h+var_E0]

loc_81E6B8:				; CODE XREF: RtlpNewSecurityObject+FBEj
		test	[ebp+arg_10], 700h
		jz	loc_81ED18
		mov	edi, 4

loc_81E6CA:				; CODE XREF: RtlpNewSecurityObject+F5Fj
					; RtlpNewSecurityObject+145Ej
		mov	edx, [esp+1E8h+var_18C]
		test	edx, edx
		jnz	loc_81EF8C

loc_81E6D6:				; CODE XREF: RtlpNewSecurityObject+1194j
		xor	esi, esi

loc_81E6D8:				; CODE XREF: RtlpNewSecurityObject+11A0j
					; RtlpNewSecurityObject+11AFj
		mov	[esp+1E8h+var_1D0], esi
		test	edi, edi
		jz	loc_81EBF1

loc_81E6E4:				; CODE XREF: RtlpNewSecurityObject+DF3j
		mov	eax, 0C8h
		mov	[esp+1E8h+var_15C], 0
		mov	dword ptr [esp+1E8h+var_1B8], eax

loc_81E6F8:				; CODE XREF: RtlpNewSecurityObject+1027BDj
		push	63416553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9207E9
		lea	eax, [esp+1E8h+var_178]
		mov	edx, [esp+1E8h+var_12C]
		push	eax		; int
		lea	eax, [esp+1ECh+var_165]
		mov	ecx, esi
		push	eax		; int
		push	ebx		; void *
		lea	eax, [esp+1F4h+var_1B8]
		push	eax		; int
		push	[ebp+arg_8]	; int
		push	[esp+1FCh+var_13C] ; int
		push	3		; int
		push	[esp+204h+var_180] ; int
		push	[esp+208h+var_165+1] ; int
		push	[esp+20Ch+var_1A0] ; int
		push	[esp+210h+var_19C] ; int
		push	[esp+214h+var_1A8] ; int
		push	0		; char
		push	1		; int
		push	[ebp+arg_C]	; int
		push	edi		; int
		call	RtlpInheritAcl2
		mov	esi, eax
		test	esi, esi
		js	loc_81F171
		cmp	dword ptr [esp+1E8h+var_1B8], 0
		jz	loc_9205C2

loc_81E773:				; CODE XREF: RtlpNewSecurityObject+1381j
					; RtlpNewSecurityObject+1027AFj ...
		cmp	esi, 8000000Bh
		jz	loc_81EBF9
		test	esi, esi
		js	loc_920379

loc_81E787:				; CODE XREF: RtlpNewSecurityObject+E08j
		mov	ecx, [esp+1E8h+var_1BC]
		lea	eax, [esp+1E8h+var_140]
		push	eax		; void *
		lea	eax, [esp+1ECh+var_16C]
		mov	edx, ebx
		push	eax		; int
		mov	eax, [esp+1F0h+var_1D8]
		push	eax		; int
		push	[esp+1F4h+var_130] ; void *
		push	eax		; int
		push	eax		; int
		call	RtlpCombineAcls
		mov	edi, [esp+1E8h+var_1C0]
		mov	esi, eax
		test	edi, 2000h
		jnz	loc_9205D1
		xor	eax, eax

loc_81E7C4:				; CODE XREF: RtlpNewSecurityObject+1027D6j
		mov	ecx, [esp+1E8h+var_140]
		or	ecx, eax
		mov	[esp+1E8h+var_15C], ecx
		test	ebx, ebx
		jz	short loc_81E7E9
		cmp	ebx, [esp+1E8h+var_12C]
		jz	short loc_81E7E9
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_81E7E9:				; CODE XREF: RtlpNewSecurityObject+9D6j
					; RtlpNewSecurityObject+9DFj
		test	esi, esi
		js	loc_920379
		mov	esi, [esp+1E8h+var_16C]
		test	esi, esi
		jz	loc_81EDDB
		cmp	[esp+1E8h+var_1C6], 0
		jnz	loc_81F425

loc_81E808:				; CODE XREF: RtlpNewSecurityObject+162Bj
					; RtlpNewSecurityObject+1639j
		mov	ecx, [esp+1E8h+var_178]
		mov	ebx, esi
		mov	[esp+1E8h+var_1BC], ebx
		mov	byte ptr [esp+1E8h+var_190+1], 1
		test	cl, 8
		jnz	loc_9205DB
		mov	edx, 10h

loc_81E825:				; CODE XREF: RtlpNewSecurityObject+1027E0j
		mov	eax, ecx
		and	eax, 400h
		add	eax, eax
		test	ecx, 1000h
		jnz	loc_9205E5
		xor	ecx, ecx

loc_81E83C:				; CODE XREF: RtlpNewSecurityObject+1027EAj
		or	eax, ecx
		or	eax, edx
		or	edi, eax
		mov	[esp+1E8h+var_1C0], edi

loc_81E846:				; CODE XREF: RtlpNewSecurityObject+FDFj
		mov	ecx, [ebp+arg_10]
		mov	eax, ecx
		and	eax, 8
		mov	[esp+1E8h+var_140], eax
		jnz	short loc_81E8AA
		push	0
		push	11h
		push	ebx
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		test	eax, eax
		jz	loc_81EDC3
		add	eax, 8

loc_81E86C:				; CODE XREF: RtlpNewSecurityObject+FC7j
		test	eax, eax
		jz	loc_81EDCC
		cmp	[esp+1E8h+var_198], 0
		jz	loc_9205EF
		lea	ecx, [esp+1E8h+var_194]
		mov	edx, eax
		push	ecx
		mov	ecx, [esp+1ECh+var_14C]
		call	RtlSidDominates
		mov	esi, eax
		test	esi, esi
		js	loc_920379
		cmp	[esp+1E8h+var_194], 0
		mov	ecx, [ebp+arg_10]
		jz	loc_9205FF

loc_81E8AA:				; CODE XREF: RtlpNewSecurityObject+A55j
					; RtlpNewSecurityObject+FCFj ...
		cmp	dword ptr [esp+1E8h+var_184], 0
		jnz	loc_920609
		mov	[esp+1E8h+var_184], 0

loc_81E8BA:				; CODE XREF: RtlpNewSecurityObject+10280Ej
		mov	edx, [esp+1E8h+var_1C4]
		mov	ebx, ecx
		and	ebx, 1
		mov	byte ptr [esp+1E8h+var_151+1], bl
		movzx	eax, word ptr [edx+2]
		mov	edi, eax
		test	al, 4
		jnz	loc_81EEBD
		xor	esi, esi

loc_81E8DA:				; CODE XREF: RtlpNewSecurityObject+10C3j
					; RtlpNewSecurityObject+10D2j
		mov	ecx, [esp+1E8h+var_18C]
		mov	dword ptr [esp+1E8h+var_1B8], esi
		test	ecx, ecx
		jnz	loc_81EFB4

loc_81E8EA:				; CODE XREF: RtlpNewSecurityObject+11BCj
					; RtlpNewSecurityObject+11D4j
		xor	eax, eax

loc_81E8EC:				; CODE XREF: RtlpNewSecurityObject+11DCj
					; RtlpNewSecurityObject+10281Aj
		mov	[esp+1E8h+var_1D0], eax
		and	edi, 140Ch
		jnz	loc_81EC0D
		test	eax, eax
		jnz	loc_81EC0D
		mov	[esp+1E8h+var_1CC], edi

loc_81E908:				; CODE XREF: RtlpNewSecurityObject+13F5j
		mov	edi, [esp+1E8h+var_1C0]
		test	ebx, ebx
		jnz	loc_81F1FA

loc_81E914:				; CODE XREF: RtlpNewSecurityObject+1404j
		movzx	ecx, word ptr [edx+2]
		mov	al, cl
		mov	edx, ecx
		and	al, 0Ch
		cmp	al, 0Ch
		jz	loc_81F493
		mov	eax, [esp+1E8h+var_170]
		test	eax, eax
		jz	short loc_81E939
		or	edi, 4

loc_81E931:				; CODE XREF: RtlpNewSecurityObject+16C2j
		mov	[esp+1E8h+var_1CC], eax

loc_81E935:				; CODE XREF: RtlpNewSecurityObject+EC0j
		mov	[esp+1E8h+var_1C0], edi

loc_81E939:				; CODE XREF: RtlpNewSecurityObject+B2Cj
		mov	edx, [ebp+arg_10]
		test	edx, 1000h
		jnz	short loc_81E94F
		cmp	[esp+1E8h+var_193], 0
		jnz	loc_81EDF5

loc_81E94F:				; CODE XREF: RtlpNewSecurityObject+B42j
					; RtlpNewSecurityObject+FFBj ...
		test	ebx, ebx
		mov	ebx, [esp+1E8h+var_1CC]
		jnz	loc_81F18C

loc_81E95B:				; CODE XREF: RtlpNewSecurityObject+138Ej
					; RtlpNewSecurityObject+10284Dj
		mov	ecx, [esp+1E8h+var_15C]
		test	ecx, ecx
		jz	loc_81EDD4
		mov	eax, ecx
		and	eax, 1B0h
		cmp	eax, ecx
		jnz	loc_81EDD4
		xor	al, al

loc_81E97B:				; CODE XREF: RtlpNewSecurityObject+FD6j
		cmp	byte ptr [esp+1E8h+var_160], 1
		jnz	short loc_81E9BC
		cmp	byte ptr [esp+1E8h+var_1B3], 0
		mov	esi, [esp+1E8h+var_140]
		jnz	loc_81F4C7

loc_81E997:				; CODE XREF: RtlpNewSecurityObject+16C9j
					; RtlpNewSecurityObject+16D1j ...
		cmp	[esp+1E8h+var_192], 0
		jnz	loc_9206F6
		mov	esi, [esp+1E8h+var_198]

loc_81E9A6:				; CODE XREF: RtlpNewSecurityObject+1028FCj
					; RtlpNewSecurityObject+10299Bj
		cmp	byte ptr [esp+1E8h+var_1B3+1], 0
		jnz	loc_81F34F

loc_81E9B1:				; CODE XREF: RtlpNewSecurityObject+1552j
					; RtlpNewSecurityObject+1569j
		cmp	byte ptr [esp+1E8h+var_1B3+2], 0
		jnz	loc_81EED7

loc_81E9BC:				; CODE XREF: RtlpNewSecurityObject+B83j
					; RtlpNewSecurityObject+10DCj ...
		mov	eax, [esp+1E8h+var_1A8]
		movzx	eax, byte ptr [eax+1]
		lea	ecx, ds:8[eax*4]
		mov	eax, [esp+1E8h+var_19C]
		mov	[esp+1E8h+var_151+1], ecx
		test	eax, eax
		jz	loc_9207A0
		movzx	eax, byte ptr [eax+1]
		lea	esi, ds:8[eax*4]

loc_81E9E9:				; CODE XREF: RtlpNewSecurityObject+1029A2j
		mov	ebx, edi
		mov	[esp+1E8h+var_16C], esi
		and	ebx, 10h
		jz	loc_81EDE4
		mov	eax, [esp+1E8h+var_1BC]
		test	eax, eax
		jz	loc_81EDE4
		movzx	edx, word ptr [eax+2]
		add	edx, 3
		and	edx, 0FFFFFFFCh

loc_81EA0E:				; CODE XREF: RtlpNewSecurityObject+FE6j
		mov	eax, edi
		mov	dword ptr [esp+1E8h+var_184], edx
		and	eax, 4
		mov	[esp+1E8h+var_120], eax
		jz	loc_81F4F3
		mov	eax, [esp+1E8h+var_1CC]
		test	eax, eax
		jz	loc_81F4F3
		movzx	edi, word ptr [eax+2]
		add	edi, 3
		and	edi, 0FFFFFFFCh

loc_81EA3A:				; CODE XREF: RtlpNewSecurityObject+16F5j
		lea	eax, [edi+edx]
		add	ecx, 14h
		add	eax, esi
		push	64536553h
		add	eax, ecx
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+1E8h+var_1A4], ecx
		test	ecx, ecx
		jz	loc_9207A7
		xor	eax, eax
		lea	esi, [ecx+14h]
		mov	[ecx], eax
		mov	[ecx+4], eax
		mov	[ecx+8], eax
		mov	[ecx+0Ch], eax
		mov	[ecx+10h], eax
		mov	eax, [esp+1E8h+var_1C0]
		or	[ecx+2], ax
		mov	byte ptr [ecx],	1
		test	ebx, ebx
		jz	short loc_81EACB
		mov	ebx, [esp+1E8h+var_1BC]
		test	ebx, ebx
		jz	short loc_81EACB
		movzx	eax, word ptr [ebx+2]
		push	eax		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	[esp+1E8h+var_1C6], 0
		jnz	short loc_81EAAA
		mov	edx, [esp+1E8h+var_180]
		mov	ecx, esi
		call	_RtlpApplyAclToObject@8	; RtlpApplyAclToObject(x,x)

loc_81EAAA:				; CODE XREF: RtlpNewSecurityObject+C9Dj
		mov	eax, [esp+1E8h+var_1A4]
		mov	dword ptr [eax+0Ch], 14h
		movzx	ecx, word ptr [ebx+2]
		mov	ebx, dword ptr [esp+1E8h+var_184]
		cmp	ebx, ecx
		ja	loc_9207B9

loc_81EAC5:				; CODE XREF: RtlpNewSecurityObject+1029CCj
		mov	ecx, [esp+1E8h+var_1A4]
		add	esi, ebx

loc_81EACB:				; CODE XREF: RtlpNewSecurityObject+C7Fj
					; RtlpNewSecurityObject+C87j
		cmp	[esp+1E8h+var_120], 0
		jz	loc_81F501
		mov	edx, [esp+1E8h+var_1CC]
		test	edx, edx
		jz	loc_81F4FA
		movzx	eax, word ptr [edx+2]
		push	eax		; size_t
		push	edx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	[esp+1E8h+var_1C5], 0
		jnz	short loc_81EB06
		mov	edx, [esp+1E8h+var_180]
		mov	ecx, esi
		call	_RtlpApplyAclToObject@8	; RtlpApplyAclToObject(x,x)

loc_81EB06:				; CODE XREF: RtlpNewSecurityObject+CF9j
		mov	ebx, [esp+1E8h+var_1A4]
		mov	eax, esi
		sub	eax, ebx
		mov	[ebx+10h], eax
		mov	eax, [esp+1E8h+var_1CC]
		movzx	ecx, word ptr [eax+2]
		cmp	edi, ecx
		ja	loc_9207D1

loc_81EB21:				; CODE XREF: RtlpNewSecurityObject+1029E4j
		add	esi, edi

loc_81EB23:				; CODE XREF: RtlpNewSecurityObject+1705j
		mov	edi, [esp+1E8h+var_151+1]
		push	edi		; size_t
		push	[esp+1ECh+var_1A8] ; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, esi
		add	esp, 0Ch
		sub	eax, ebx
		add	esi, edi
		mov	[ebx+4], eax
		mov	eax, [esp+1E8h+var_19C]
		test	eax, eax
		jz	short loc_81EB5C
		push	[esp+1E8h+var_16C] ; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		sub	esi, ebx
		mov	[ebx+8], esi

loc_81EB5C:				; CODE XREF: RtlpNewSecurityObject+D47j
		mov	edi, [esp+1E8h+var_1D8]
		xor	esi, esi

loc_81EB62:				; CODE XREF: RtlpNewSecurityObject+157Aj
					; RtlpNewSecurityObject+171Fj ...
		mov	eax, [esp+1E8h+var_158]
		test	eax, eax
		jnz	loc_81F1D8

loc_81EB71:				; CODE XREF: RtlpNewSecurityObject+13E0j
		cmp	byte ptr [esp+1E8h+var_190], 0
		jnz	loc_81F3A2

loc_81EB7C:				; CODE XREF: RtlpNewSecurityObject+15ABj
					; RtlpNewSecurityObject+102A0Fj
		mov	eax, [esp+1E8h+var_134]
		test	eax, eax
		jz	short loc_81EB8F
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_81EB8F:				; CODE XREF: RtlpNewSecurityObject+D85j
		cmp	byte ptr [esp+1E8h+var_190+1], 0
		jz	loc_81EDA5

loc_81EB9A:				; CODE XREF: RtlpNewSecurityObject+FB0j
		mov	eax, [esp+1E8h+var_1BC]
		test	eax, eax
		jz	short loc_81EBAA
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_81EBAA:				; CODE XREF: RtlpNewSecurityObject+DA0j
					; RtlpNewSecurityObject+FAAj
		cmp	byte ptr [esp+1E8h+var_190+2], 0
		jnz	loc_81F43E

loc_81EBB5:				; CODE XREF: RtlpNewSecurityObject+1640j
					; RtlpNewSecurityObject+164Ej
		mov	eax, [esp+1E8h+var_130]
		test	eax, eax
		jnz	loc_81F453

loc_81EBC4:				; CODE XREF: RtlpNewSecurityObject+1658j
					; RtlpNewSecurityObject+102A1Cj
		cmp	[esp+1E8h+var_1C5], 0
		jnz	loc_81ED8C

loc_81EBCF:				; CODE XREF: RtlpNewSecurityObject+F92j
					; RtlpNewSecurityObject+FA0j
		mov	eax, [esp+1E8h+var_11C]
		mov	[eax], ebx
		mov	eax, esi

loc_81EBDA:				; CODE XREF: RtlpNewSecurityObject+102A2Fj
		mov	ecx, [esp+1E8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_81EBF1:				; CODE XREF: RtlpNewSecurityObject+8DEj
		test	esi, esi
		jnz	loc_81E6E4

loc_81EBF9:				; CODE XREF: RtlpNewSecurityObject+979j
		mov	ebx, [esp+1E8h+var_12C]
		mov	[esp+1E8h+var_178], 0
		jmp	loc_81E787
; 

loc_81EC0D:				; CODE XREF: RtlpNewSecurityObject+AF6j
					; RtlpNewSecurityObject+AFEj
		mov	eax, 0C8h
		mov	[esp+1E8h+var_16C], 0
		mov	dword ptr [esp+1E8h+var_1AC], eax
		mov	edi, edi

loc_81EC20:				; CODE XREF: RtlpNewSecurityObject+13D3j
		push	63416553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+1E8h+var_1CC], eax
		test	eax, eax
		jz	loc_9207E9
		lea	ecx, [esp+1E8h+var_178]
		mov	edx, esi
		push	ecx		; int
		lea	ecx, [esp+1ECh+var_1B3+2]
		push	ecx		; int
		push	eax		; void *
		lea	eax, [esp+1F4h+var_1AC]
		mov	ecx, [esp+1F4h+var_1D0]
		push	eax		; int
		push	[ebp+arg_8]	; int
		push	[esp+1FCh+var_13C] ; int
		push	1		; int
		push	[esp+204h+var_180] ; int
		push	[esp+208h+var_165+1] ; int
		push	[esp+20Ch+var_1A0] ; int
		push	[esp+210h+var_19C] ; int
		push	[esp+214h+var_1A8] ; int
		push	dword ptr [esp+218h+var_184] ; char
		push	[esp+21Ch+var_151+1] ; int
		push	[ebp+arg_C]	; int
		push	edi		; int
		call	RtlpInheritAcl2
		mov	esi, eax
		test	esi, esi
		js	loc_81F199
		cmp	dword ptr [esp+1E8h+var_1AC], 0
		jz	loc_81F4DC

loc_81ECA1:				; CODE XREF: RtlpNewSecurityObject+13B3j
					; RtlpNewSecurityObject+13C5j ...
		test	esi, esi
		js	loc_81F1E5
		mov	eax, [esp+1E8h+var_178]
		mov	edi, [esp+1E8h+var_1C0]
		and	eax, 1408h
		or	eax, 4
		mov	[esp+1E8h+var_1C5], 1
		or	edi, eax
		jmp	loc_81E935
; 

loc_81ECC5:				; CODE XREF: RtlpNewSecurityObject+6D5j
		movzx	eax, word ptr [ebx+2]
		mov	ecx, eax
		test	al, 10h
		jnz	loc_81F32B
		xor	ecx, ecx

loc_81ECD5:				; CODE XREF: RtlpNewSecurityObject+1531j
					; RtlpNewSecurityObject+1540j
		push	0
		push	11h
		push	ecx
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		mov	edi, eax
		mov	[esp+1E8h+var_128], edi
		test	edi, edi
		jz	loc_81E4DD
		mov	cl, [edi+1]
		lea	eax, [edi+8]
		mov	esi, [edi+4]
		mov	[esp+1E8h+var_17C], eax
		mov	[esp+1E8h+var_1D1], cl
		cmp	cl, 8
		jz	loc_9204C8
		test	cl, 10h
		jz	loc_81E4E1
		jmp	loc_9204C8
; 

loc_81ED18:				; CODE XREF: RtlpNewSecurityObject+8BFj
		cmp	[esp+1E8h+var_128], 0
		jnz	short loc_81ED2A
		test	eax, eax
		jnz	loc_81F25C

loc_81ED2A:				; CODE XREF: RtlpNewSecurityObject+F20j
		movzx	ecx, word ptr [ebx+2]
		mov	eax, ecx
		shr	eax, 2
		and	eax, 4
		test	cl, 20h
		jnz	loc_920589
		xor	edx, edx

loc_81ED41:				; CODE XREF: RtlpNewSecurityObject+10278Ej
		mov	edi, ecx
		shr	edi, 1
		and	edi, 400h
		test	ecx, 2000h
		jnz	loc_920593
		xor	ecx, ecx

loc_81ED59:				; CODE XREF: RtlpNewSecurityObject+102798j
		or	edi, eax
		or	edi, ecx
		or	edi, edx
		jmp	loc_81E6CA
; 

loc_81ED64:				; CODE XREF: RtlpNewSecurityObject+6ECj
		mov	eax, [esp+1E8h+var_14C]
		test	eax, eax
		jz	short loc_81ED83
		push	0
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		cmp	dword ptr [eax], 2000h
		jb	loc_81F252

loc_81ED83:				; CODE XREF: RtlpNewSecurityObject+6F4j
					; RtlpNewSecurityObject+F6Dj
		mov	eax, [esp+1E8h+var_17C]
		jmp	loc_81E514
; 

loc_81ED8C:				; CODE XREF: RtlpNewSecurityObject+DC9j
		mov	eax, [esp+1E8h+var_1CC]
		test	eax, eax
		jz	loc_81EBCF
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_81EBCF
; 

loc_81EDA5:				; CODE XREF: RtlpNewSecurityObject+D94j
		cmp	[esp+1E8h+var_1C6], 0
		jz	loc_81EBAA
		jmp	loc_81EB9A
; 

loc_81EDB5:				; CODE XREF: RtlpNewSecurityObject+716j
		xor	eax, eax
		mov	[esp+1E8h+var_12C], eax
		jmp	loc_81E6B8
; 

loc_81EDC3:				; CODE XREF: RtlpNewSecurityObject+A63j
		mov	eax, [esp+1E8h+var_17C]
		jmp	loc_81E86C
; 

loc_81EDCC:				; CODE XREF: RtlpNewSecurityObject+A6Ej
		mov	ecx, [ebp+arg_10]
		jmp	loc_81E8AA
; 

loc_81EDD4:				; CODE XREF: RtlpNewSecurityObject+B64j
					; RtlpNewSecurityObject+B73j
		mov	al, 1
		jmp	loc_81E97B
; 

loc_81EDDB:				; CODE XREF: RtlpNewSecurityObject+9F7j
		mov	ebx, [esp+1E8h+var_1BC]
		jmp	loc_81E846
; 

loc_81EDE4:				; CODE XREF: RtlpNewSecurityObject+BF2j
					; RtlpNewSecurityObject+BFEj
		xor	edx, edx
		jmp	loc_81EA0E
; 

loc_81EDEB:				; CODE XREF: RtlpNewSecurityObject+172j
		mov	[esp+1E8h+var_193], 1
		jmp	loc_81DF8F
; 

loc_81EDF5:				; CODE XREF: RtlpNewSecurityObject+B49j
		mov	eax, [esp+1E8h+var_198]
		test	eax, eax
		jz	loc_81E94F
		mov	ecx, [esp+1E8h+var_18C]
		test	ecx, ecx
		jz	loc_81E94F
		push	[esp+1E8h+var_124]
		mov	[esp+1ECh+var_120], 0
		push	[esp+1ECh+var_180]
		mov	dword ptr [esp+1F0h+var_184], 0
		push	eax
		mov	eax, edx
		xor	edx, edx
		or	eax, 1
		push	eax
		push	[ebp+arg_C]
		lea	eax, [esp+1FCh+var_158]
		push	[ebp+arg_8]
		push	[esp+200h+var_13C]
		push	eax
		call	RtlpNewSecurityObject
		mov	esi, eax
		test	esi, esi
		js	loc_920379
		mov	eax, [esp+1E8h+var_158]
		movzx	eax, word ptr [eax+2]
		test	al, 4
		jz	loc_92062D
		test	ax, ax
		mov	eax, [esp+1E8h+var_158]
		jns	loc_92063B
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	loc_920634
		mov	edx, eax
		add	edx, ecx

loc_81EE8A:				; CODE XREF: RtlpNewSecurityObject+10282Fj
					; RtlpNewSecurityObject+102836j ...
		mov	cl, 10h
		call	RtlpOwnerAcesPresent
		test	al, al
		jnz	loc_81F543

loc_81EE99:				; CODE XREF: RtlpNewSecurityObject+1778j
		mov	edx, [ebp+arg_10]
		jmp	loc_81E94F
; 

loc_81EEA1:				; CODE XREF: RtlpNewSecurityObject+427j
		lea	eax, [ebx+edi]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax
		jmp	loc_81E22D
; 

loc_81EEAF:				; CODE XREF: RtlpNewSecurityObject+466j
		lea	eax, [ebx+edi]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax
		jmp	loc_81E26C
; 

loc_81EEBD:				; CODE XREF: RtlpNewSecurityObject+AD2j
		mov	esi, [edx+10h]
		test	di, di
		jns	loc_81E8DA
		lea	eax, [esi+edx]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jmp	loc_81E8DA
; 

loc_81EED7:				; CODE XREF: RtlpNewSecurityObject+BB6j
		cmp	byte ptr [esp+1E8h+var_1A4], 0
		jz	loc_81E9BC
		mov	dl, [esp+1E8h+var_191]
		lea	eax, [esp+1E8h+var_190]
		push	eax		; int
		lea	eax, [esp+1ECh+var_138]
		mov	ecx, ebx
		push	eax		; void *
		push	[esp+1F0h+var_1A0] ; void *
		call	_RtlpCreateServerAcl@20	; RtlpCreateServerAcl(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_920379
		cmp	[esp+1E8h+var_1C5], 0
		jz	short loc_81EF1B
		test	ebx, ebx
		jz	short loc_81EF1B
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_81EF1B:				; CODE XREF: RtlpNewSecurityObject+110Dj
					; RtlpNewSecurityObject+1111j
		mov	eax, [esp+1E8h+var_138]
		mov	[esp+1E8h+var_1CC], eax
		mov	[esp+1E8h+var_138], 0
		jmp	loc_81E9BC
; 

loc_81EF36:				; CODE XREF: RtlpNewSecurityObject+509j
		movzx	eax, word ptr [ebx+2]
		mov	esi, eax
		test	al, 10h
		jz	loc_81E30F
		mov	ebx, [ebx+0Ch]
		test	si, si
		jns	loc_81E311
		mov	eax, [esp+1E8h+var_18C]
		add	eax, ebx
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax
		jmp	loc_81E311
; 

loc_81EF61:				; CODE XREF: RtlpNewSecurityObject+5B6j
		movzx	eax, word ptr [edi+2]
		mov	esi, eax
		test	al, 10h
		jz	loc_81E3BC
		mov	edi, [edi+0Ch]
		test	si, si
		jns	loc_81E3BE
		mov	eax, [esp+1E8h+var_18C]
		add	eax, edi
		neg	edi
		sbb	edi, edi
		and	edi, eax
		jmp	loc_81E3BE
; 

loc_81EF8C:				; CODE XREF: RtlpNewSecurityObject+8D0j
		movzx	eax, word ptr [edx+2]
		mov	ecx, eax
		test	al, 10h
		jz	loc_81E6D6
		mov	esi, [edx+0Ch]
		test	cx, cx
		jns	loc_81E6D8
		lea	eax, [esi+edx]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jmp	loc_81E6D8
; 

loc_81EFB4:				; CODE XREF: RtlpNewSecurityObject+AE4j
		movzx	eax, word ptr [ecx+2]
		mov	ecx, eax
		test	al, 4
		jz	loc_81E8EA
		test	cx, cx
		jns	loc_920613
		mov	ecx, [esp+1E8h+var_18C]
		mov	eax, [ecx+10h]
		test	eax, eax
		jz	loc_81E8EA
		add	eax, ecx
		jmp	loc_81E8EC
; 

loc_81EFE1:				; CODE XREF: RtlpNewSecurityObject+519j
					; RtlpNewSecurityObject+521j
		mov	eax, 0C8h
		mov	dword ptr [esp+1E8h+var_1AC], 0
		mov	[esp+1E8h+var_188], eax

loc_81EFF2:				; CODE XREF: RtlpNewSecurityObject+102402j
		push	63416553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+1E8h+var_1BC], eax
		test	eax, eax
		jz	loc_9207F9
		lea	ecx, [esp+1E8h+var_178]
		mov	edx, [esp+1E8h+var_1B3+3]
		push	ecx		; int
		lea	ecx, [esp+1ECh+var_1B3]
		push	ecx		; int
		push	eax		; void *
		lea	eax, [esp+1F4h+var_188]
		mov	ecx, ebx
		push	eax		; int
		push	[ebp+arg_8]	; int
		push	[esp+1FCh+var_13C] ; int
		push	2		; int
		push	[esp+204h+var_180] ; int
		push	[esp+208h+var_165+1] ; int
		push	[esp+20Ch+var_1A0] ; int
		push	[esp+210h+var_19C] ; int
		push	[esp+214h+var_1A8] ; int
		push	dword ptr [esp+218h+var_1B8] ; char
		push	[esp+21Ch+var_174] ; int
		push	[ebp+arg_C]	; int
		push	edi		; int
		call	RtlpInheritAcl2
		mov	esi, eax
		test	esi, esi
		jns	loc_81F3B6
		push	0
		push	[esp+1ECh+var_1BC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esp+1E8h+var_1BC], 0
		cmp	esi, 0C0000023h
		jz	loc_9201EC

loc_81F084:				; CODE XREF: RtlpNewSecurityObject+15BBj
					; RtlpNewSecurityObject+1023F8j ...
		test	esi, esi
		jns	loc_81F3C6
		cmp	esi, 8000000Bh
		jnz	loc_920379
		mov	ebx, [esp+1E8h+var_1C0]
		jmp	loc_81E33E
; 

loc_81F0A1:				; CODE XREF: RtlpNewSecurityObject+5C2j
					; RtlpNewSecurityObject+5CAj
		mov	eax, 0C8h
		mov	dword ptr [esp+1E8h+var_1B8], 0
		mov	[esp+1E8h+var_148], eax

loc_81F0B5:				; CODE XREF: RtlpNewSecurityObject+1024B4j
		push	63416553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+1E8h+var_1D8], eax
		test	eax, eax
		jz	loc_9207E9
		lea	ecx, [esp+1E8h+var_151+1]
		mov	edx, [esp+1E8h+var_188]
		push	ecx		; int
		lea	ecx, [esp+1ECh+var_151]
		push	ecx		; int
		push	eax		; void *
		lea	eax, [esp+1F4h+var_148]
		mov	ecx, edi
		push	eax		; int
		push	[ebp+arg_8]	; int
		push	[esp+1FCh+var_13C] ; int
		push	2		; int
		push	[esp+204h+var_180] ; int
		push	[esp+208h+var_165+1] ; int
		push	[esp+20Ch+var_1A0] ; int
		push	[esp+210h+var_19C] ; int
		push	[esp+214h+var_1A8] ; int
		push	dword ptr [esp+218h+var_1AC] ; char
		push	[esp+21Ch+var_174] ; int
		push	[ebp+arg_C]	; int
		push	ebx		; int
		call	RtlpInheritAcl2
		mov	esi, eax
		test	esi, esi
		jns	loc_81F404
		mov	eax, [esp+1E8h+var_1D8]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esp+1E8h+var_1D8], 0
		cmp	esi, 0C0000023h
		jz	loc_92029B

loc_81F151:				; CODE XREF: RtlpNewSecurityObject+160Cj
					; RtlpNewSecurityObject+1024A7j ...
		mov	[esp+1E8h+var_144], esi
		test	esi, esi
		jns	loc_81F417
		cmp	esi, 8000000Bh
		jz	loc_81E3DF
		jmp	loc_920379
; 

loc_81F171:				; CODE XREF: RtlpNewSecurityObject+962j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx
		cmp	esi, 0C0000023h
		jnz	loc_81E773
		jmp	loc_92059D
; 

loc_81F18C:				; CODE XREF: RtlpNewSecurityObject+B55j
		test	ebx, ebx
		jnz	loc_81E95B
		jmp	loc_920643
; 

loc_81F199:				; CODE XREF: RtlpNewSecurityObject+E90j
		mov	eax, [esp+1E8h+var_1CC]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esp+1E8h+var_1CC], 0
		cmp	esi, 0C0000023h
		jnz	loc_81ECA1
		mov	eax, [esp+1E8h+var_16C]
		inc	eax
		mov	[esp+1E8h+var_16C], eax
		cmp	eax, 2
		jnb	loc_81ECA1
		mov	eax, dword ptr [esp+1E8h+var_1AC]
		mov	esi, dword ptr [esp+1E8h+var_1B8]
		jmp	loc_81EC20
; 

loc_81F1D8:				; CODE XREF: RtlpNewSecurityObject+D6Bj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_81EB71
; 

loc_81F1E5:				; CODE XREF: RtlpNewSecurityObject+EA3j
		cmp	esi, 8000000Bh
		jnz	loc_920379
		mov	edx, [esp+1E8h+var_1C4]
		jmp	loc_81E908
; 

loc_81F1FA:				; CODE XREF: RtlpNewSecurityObject+B0Ej
		or	edi, 400h
		mov	[esp+1E8h+var_1C0], edi
		jmp	loc_81E914
; 

loc_81F209:				; CODE XREF: RtlpNewSecurityObject+1D5j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [ebx]
		push	1
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	edx, [ebx]
		test	edx, edx
		jz	loc_81DFDB
		cmp	dword ptr [ebx+4], 1
		jz	loc_81F37F

loc_81F238:				; CODE XREF: RtlpNewSecurityObject+1584j
		mov	esi, [ebx+8]
		jmp	loc_81DFE0
; 

loc_81F240:				; CODE XREF: RtlpNewSecurityObject+40Dj
		mov	ecx, [ecx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_81E213
; 

loc_81F252:				; CODE XREF: RtlpNewSecurityObject+F7Dj
		mov	esi, 1
		jmp	loc_81E4F2
; 

loc_81F25C:				; CODE XREF: RtlpNewSecurityObject+F24j
		xor	edi, edi
		jmp	loc_81E6CA
; 

loc_81F263:				; CODE XREF: RtlpNewSecurityObject+6BEj
		or	esi, 2
		jmp	loc_81E4C4
; 

loc_81F26B:				; CODE XREF: RtlpNewSecurityObject+341j
		movzx	eax, byte ptr [ecx+1]
		mov	[esp+1E8h+var_1D0], edx
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		mov	eax, [esp+1F4h+var_148]
		add	esp, 0Ch
		mov	edx, [esp+1E8h+var_1A0]
		movzx	eax, byte ptr [eax+1]
		lea	edx, [edx+eax*4]
		add	edx, 8
		mov	[esp+1E8h+var_1A0], edx
		jmp	loc_81E14B
; 

loc_81F2A3:				; CODE XREF: RtlpNewSecurityObject+23Fj
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:8[eax*4]
		mov	dword ptr [esp+1E8h+var_1B8], eax
		jmp	loc_81E049
; 

loc_81F2B7:				; CODE XREF: RtlpNewSecurityObject+609j
		test	cx, cx
		mov	ecx, [ebx+0Ch]
		jns	loc_81E411
		lea	eax, [ecx+ebx]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		jmp	loc_81E411
; 

loc_81F2D1:				; CODE XREF: RtlpNewSecurityObject+4F5j
		test	si, si
		mov	esi, [esp+1E8h+var_1C4]
		jns	loc_9201E0
		mov	ebx, [esi+0Ch]
		lea	eax, [ebx+esi]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax
		mov	[esp+1E8h+var_1B3+3], ebx
		jmp	loc_81E303
; 

loc_81F2F3:				; CODE XREF: RtlpNewSecurityObject+5A2j
		test	si, si
		jns	loc_92028F
		mov	esi, [edi+0Ch]
		lea	eax, [esi+edi]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	[esp+1E8h+var_188], esi
		jmp	loc_81E3B0
; 

loc_81F311:				; CODE XREF: RtlpNewSecurityObject+650j
		mov	edi, [ebx+0Ch]
		test	cx, cx
		jns	loc_81E458
		lea	eax, [edi+ebx]
		neg	edi
		sbb	edi, edi
		and	edi, eax
		jmp	loc_81E458
; 

loc_81F32B:				; CODE XREF: RtlpNewSecurityObject+ECDj
		test	cx, cx
		mov	ecx, [ebx+0Ch]
		jns	loc_81ECD5
		lea	eax, [ecx+ebx]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		jmp	loc_81ECD5
; 

loc_81F345:				; CODE XREF: RtlpNewSecurityObject+433j
		mov	byte ptr [esp+1E8h+var_1B3+1], 1
		jmp	loc_81E260
; 

loc_81F34F:				; CODE XREF: RtlpNewSecurityObject+BABj
		test	dl, 10h
		jnz	loc_81E9B1
		push	[esp+1E8h+var_1A4]
		mov	edx, [esp+1ECh+var_1A8]
		mov	ecx, esi
		call	_SepValidOwnerSubjectContext@12	; SepValidOwnerSubjectContext(x,x,x)
		test	al, al
		jnz	loc_81E9B1
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C000005Ah
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_81F37F:				; CODE XREF: RtlpNewSecurityObject+1432j
		mov	byte ptr [esp+1E8h+var_1A4], 1
		jmp	loc_81F238
; 

loc_81F389:				; CODE XREF: RtlpNewSecurityObject+447j
		mov	ebx, [esp+1E8h+var_1A0]
		jmp	loc_81E254
; 

loc_81F392:				; CODE XREF: RtlpNewSecurityObject+482j
		mov	ebx, [esp+1E8h+var_165+1]

loc_81F399:				; CODE XREF: RtlpNewSecurityObject+10239Ej
		mov	[esp+1E8h+var_19C], ebx
		jmp	loc_81E28E
; 

loc_81F3A2:				; CODE XREF: RtlpNewSecurityObject+D76j
		mov	eax, [esp+1E8h+var_138]
		test	eax, eax
		jz	loc_81EB7C
		jmp	loc_920807
; 

loc_81F3B6:				; CODE XREF: RtlpNewSecurityObject+125Fj
		cmp	[esp+1E8h+var_188], 0
		jnz	loc_81F084
		jmp	loc_920207
; 

loc_81F3C6:				; CODE XREF: RtlpNewSecurityObject+1286j
		mov	eax, [esp+1E8h+var_178]
		mov	[esp+1E8h+var_1C6], 1
		test	al, 8
		jnz	loc_92021F
		mov	ecx, 8010h

loc_81F3DC:				; CODE XREF: RtlpNewSecurityObject+102424j
		mov	ebx, eax
		and	ebx, 400h
		add	ebx, ebx
		test	eax, 1000h
		jnz	loc_920229
		xor	eax, eax

loc_81F3F3:				; CODE XREF: RtlpNewSecurityObject+10242Ej
		mov	edi, [esp+1E8h+var_1C4]
		or	ebx, eax
		or	ebx, ecx
		mov	[esp+1E8h+var_1C0], ebx
		jmp	loc_81E368
; 

loc_81F404:				; CODE XREF: RtlpNewSecurityObject+132Bj
		cmp	[esp+1E8h+var_148], 0
		jnz	loc_81F151
		jmp	loc_9202B9
; 

loc_81F417:				; CODE XREF: RtlpNewSecurityObject+135Aj
		mov	ebx, [esp+1E8h+var_1C4]
		mov	byte ptr [esp+1E8h+var_190+2], 1
		jmp	loc_81E3F5
; 

loc_81F425:				; CODE XREF: RtlpNewSecurityObject+A02j
		mov	eax, [esp+1E8h+var_1BC]
		test	eax, eax
		jz	loc_81E808
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_81E808
; 

loc_81F43E:				; CODE XREF: RtlpNewSecurityObject+DAFj
		test	edi, edi
		jz	loc_81EBB5
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_81EBB5
; 

loc_81F453:				; CODE XREF: RtlpNewSecurityObject+DBEj
		cmp	byte ptr [esp+1E8h+var_190+3], 0
		jz	loc_81EBC4
		jmp	loc_920814
; 

loc_81F463:				; CODE XREF: RtlpNewSecurityObject+6C9j
		or	esi, 4
		jmp	loc_81E4CF
; 

loc_81F46B:				; CODE XREF: RtlpNewSecurityObject+622j
		lea	edx, [esi+8]
		test	edx, edx
		jz	loc_81E428
		lea	eax, [esp+1E8h+var_144]
		push	eax
		push	ecx
		mov	ecx, edi
		call	_RtlpValidTrustSubjectContext@16 ; RtlpValidTrustSubjectContext(x,x,x,x)
		test	al, al
		jnz	loc_81E428
		jmp	loc_920481
; 

loc_81F493:				; CODE XREF: RtlpNewSecurityObject+B20j
		test	cl, 4
		jz	loc_92061F
		mov	esi, [esp+1E8h+var_1C4]
		mov	eax, [esi+10h]
		test	dx, dx
		jns	short loc_81F4B2
		test	eax, eax
		jz	loc_920626
		add	eax, esi

loc_81F4B2:				; CODE XREF: RtlpNewSecurityObject+16A6j
					; RtlpNewSecurityObject+102821j ...
		and	ecx, 1000h
		mov	byte ptr [esp+1E8h+var_1B3+2], 1
		or	ecx, 4
		or	edi, ecx
		jmp	loc_81E931
; 

loc_81F4C7:				; CODE XREF: RtlpNewSecurityObject+B91j
		test	esi, esi
		jnz	loc_81E997
		test	al, al
		jz	loc_81E997
		jmp	loc_920652
; 

loc_81F4DC:				; CODE XREF: RtlpNewSecurityObject+E9Bj
		mov	eax, [esp+1E8h+var_1CC]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[esp+1E8h+var_1CC], eax
		jmp	loc_81ECA1
; 

loc_81F4F3:				; CODE XREF: RtlpNewSecurityObject+C1Ej
					; RtlpNewSecurityObject+C2Aj
		xor	edi, edi
		jmp	loc_81EA3A
; 

loc_81F4FA:				; CODE XREF: RtlpNewSecurityObject+CDFj
		mov	dword ptr [ecx+10h], 0

loc_81F501:				; CODE XREF: RtlpNewSecurityObject+CD3j
		mov	ebx, [esp+1E8h+var_1A4]
		jmp	loc_81EB23
; 

loc_81F50A:				; CODE XREF: RtlpNewSecurityObject+7A5j
					; RtlpNewSecurityObject+7B1j ...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_81E5D6
; 

loc_81F514:				; CODE XREF: RtlpNewSecurityObject+764j
					; RtlpNewSecurityObject+770j ...
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C0000078h
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_81F524:				; CODE XREF: RtlpNewSecurityObject+6E4j
		push	0
		push	[esp+1ECh+var_14C]
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		cmp	dword ptr [eax], 2000h
		jnb	loc_81E4EA
		jmp	loc_9204E2
; 

loc_81F543:				; CODE XREF: RtlpNewSecurityObject+1093j
		lea	eax, [esp+1E8h+var_184]
		push	eax
		lea	eax, [esp+1ECh+var_120]
		push	eax
		push	[esp+1F0h+var_160]
		push	[esp+1F4h+var_180]
		push	0
		push	0
		push	40000h
		push	0
		push	[esp+208h+var_198]
		push	[esp+20Ch+var_158]
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		test	al, al
		jnz	loc_81EE99
		jmp	loc_920481
RtlpNewSecurityObject endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpAllocateObject(x, x, x, x, x, x,	x)
_ObpAllocateObject@28 proc near		; CODE XREF: CmpCreateKeyBody+104p
					; IopAllocRealFileObject+E6p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], dl
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, [esi]
		and	ecx, 20h
		mov	eax, ecx
		mov	[ebp+var_1C], ecx
		neg	eax
		mov	ebx, ecx
		mov	ecx, edi
		sbb	eax, eax
		and	eax, 8
		neg	ebx
		mov	[ebp+var_18], eax
		sbb	bl, bl
		and	bl, 10h
		call	_SeAuditHeaderRequired@4 ; SeAuditHeaderRequired(x)
		mov	[ebp+var_1], al
		test	al, al
		jz	short loc_81F5D1
		or	bl, 20h

loc_81F5D1:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+3Cj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	eax, ds:_PsInitialSystemProcess
		jz	short loc_81F60E
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	eax, ds:_PsIdleProcess
		jz	short loc_81F60E
		cmp	ds:_PsInitialSystemProcess, 0
		jz	short loc_81F60E
		mov	[ebp+var_10], 10h
		or	bl, 8
		jmp	short loc_81F615
; 

loc_81F60E:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+53j
					; ObpAllocateObject(x,x,x,x,x,x,x)+67j	...
		mov	[ebp+var_10], 0

loc_81F615:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+7Cj
		mov	cl, [edi+2Ah]
		mov	al, cl
		and	al, 10h
		mov	[ebp+var_2], al
		jz	short loc_81F624
		or	bl, 4

loc_81F624:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+8Fj
		mov	edx, [ebp+arg_4]
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 8
		cmp	word ptr [edx],	0
		jz	short loc_81F656
		test	cl, 2
		jz	short loc_81F64A
		pop	edi
		pop	esi
		mov	eax, 0C0000033h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_81F64A:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+AAj
		mov	[ebp+var_14], 10h
		or	bl, 2
		jmp	short loc_81F65D
; 

loc_81F656:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+A5j
		mov	[ebp+var_14], 0

loc_81F65D:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+C4j
		mov	dl, cl
		sar	dl, 7
		and	dl, 38h
		and	cl, 20h
		mov	byte ptr [ebp+arg_0+3],	dl
		mov	[ebp+var_3], cl
		jz	short loc_81F673
		or	bl, 1

loc_81F673:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+DEj
		movzx	edx, cl
		mov	ecx, [ebp+arg_10]
		neg	edx
		sbb	edx, edx
		and	edx, 10h
		test	ecx, ecx
		jz	short loc_81F6A2
		cmp	byte ptr [ecx],	0
		jnz	short loc_81F68F
		cmp	byte ptr [ecx+1], 0
		jz	short loc_81F6A2

loc_81F68F:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+F7j
		or	bl, 40h
		mov	[ebp+var_8], 8
		mov	[ebp+var_C], 18h
		jmp	short loc_81F6B0
; 

loc_81F6A2:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+F2j
					; ObpAllocateObject(x,x,x,x,x,x,x)+FDj
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], 0

loc_81F6B0:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+110j
		xor	ecx, ecx
		cmp	[ebp+var_1], cl
		setnz	cl
		lea	ecx, ds:18h[ecx*8]
		add	ecx, edx
		mov	edx, [ebp+arg_8]
		add	ecx, eax
		movzx	eax, byte ptr [ebp+arg_0+3]
		add	ecx, [ebp+var_18]
		add	ecx, [ebp+var_10]
		add	ecx, [ebp+var_14]
		add	ecx, [ebp+var_8]
		add	eax, ecx
		mov	[ebp+var_18], ecx
		add	eax, [ebp+var_C]
		add	edx, eax
		cmp	edx, eax
		jnb	short loc_81F6F2
		pop	edi
		pop	esi
		mov	eax, 0C000000Dh
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_81F6F2:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+152j
		mov	eax, [edi+84h]
		mov	ecx, [edi+4Ch]
		push	eax
		push	edx
		or	ecx, 400h
		push	ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_81F71D
		pop	edi
		pop	esi
		mov	eax, 0C000009Ah
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_81F71D:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+17Dj
		cmp	byte ptr [ebp+arg_0+3],	0
		mov	ecx, [ebp+var_18]
		jz	short loc_81F73B
		mov	al, dl
		add	al, cl
		neg	al
		and	al, 3Fh
		jz	short loc_81F73B
		movzx	eax, al
		add	edx, eax
		or	bl, 80h
		mov	[edx-4], eax

loc_81F73B:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+194j
					; ObpAllocateObject(x,x,x,x,x,x,x)+19Ej
		cmp	[ebp+var_8], 0
		jz	short loc_81F769
		lea	eax, [ecx+edx]
		xor	ecx, ecx
		add	eax, [ebp+arg_8]
		mov	[edx], eax
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		mov	[eax+0Ch], ecx
		mov	[eax+10h], ecx
		mov	[eax+14h], ecx
		mov	eax, [ebp+arg_10]
		mov	ecx, [edx]
		add	edx, 8
		mov	al, [eax]
		mov	[ecx+0Ch], al

loc_81F769:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+1AFj
		cmp	[ebp+var_1], 0
		jz	short loc_81F77F
		mov	dword ptr [edx], 0
		mov	dword ptr [edx+4], 0
		add	edx, 8

loc_81F77F:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+1DDj
		cmp	[ebp+var_1C], 0
		jz	short loc_81F78E
		mov	dword ptr [edx], 0
		add	edx, 8

loc_81F78E:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+1F3j
		cmp	[ebp+var_10], 0
		jz	short loc_81F7AF
		mov	eax, [esi+0Ch]
		mov	[edx], eax
		mov	eax, [esi+10h]
		mov	[edx+4], eax
		mov	eax, [esi+14h]
		mov	[edx+8], eax
		mov	dword ptr [edx+0Ch], 0
		add	edx, 10h

loc_81F7AF:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+202j
		mov	ch, [ebp+var_2]
		test	ch, ch
		jz	short loc_81F7CA
		and	dword ptr [edx+4], 0FF000000h
		mov	dword ptr [edx], 0
		mov	byte ptr [edx+7], 0
		add	edx, 8

loc_81F7CA:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+224j
		cmp	[ebp+var_14], 0
		jz	short loc_81F7F1
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		mov	[edx+4], eax
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+4]
		mov	[edx+8], eax
		mov	dword ptr [edx], 0
		mov	dword ptr [edx+0Ch], 0
		add	edx, 10h

loc_81F7F1:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+23Ej
		cmp	[ebp+var_3], 0
		jz	short loc_81F81A
		xor	eax, eax
		mov	[edx+0Ch], ax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+0E4h]
		mov	[edx+8], eax
		mov	[edx+4], edx
		mov	[edx], edx
		add	edx, 10h

loc_81F81A:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+265j
		mov	[edx+0Eh], bl
		mov	cl, 1
		mov	byte ptr [edx+0Dh], 0
		mov	byte ptr [edx+0Fh], 1
		test	ch, ch
		jz	short loc_81F831
		mov	byte ptr [edx+0Fh], 41h
		mov	cl, 41h

loc_81F831:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+299j
		mov	eax, edx
		mov	dword ptr [edx], 1
		shr	eax, 8
		mov	dword ptr [edx+4], 0
		mov	dword ptr [edx+8], 0
		xor	al, [edi+14h]
		xor	al, byte ptr ds:_ObHeaderCookie
		cmp	[ebp+var_4], 0
		mov	[edx+0Ch], al
		jnz	short loc_81F870
		or	cl, 2
		mov	[edx+0Fh], cl
		test	dword ptr [esi], 10000h
		jz	short loc_81F870
		or	cl, 4
		mov	[edx+0Fh], cl

loc_81F870:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+2CAj
					; ObpAllocateObject(x,x,x,x,x,x,x)+2D8j
		mov	eax, [esi]
		test	al, 10h
		jz	short loc_81F87E
		or	cl, 10h
		mov	[edx+0Fh], cl
		mov	eax, [esi]

loc_81F87E:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+2E4j
		test	al, 20h
		jz	short loc_81F888
		or	cl, 8
		mov	[edx+0Fh], cl

loc_81F888:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+2F0j
		mov	[edx+10h], esi
		mov	eax, 1
		mov	dword ptr [edx+14h], 0
		lock xadd [edi+18h], eax
		inc	eax
		cmp	eax, [edi+20h]
		jbe	short loc_81F8A5
		mov	[edi+20h], eax

loc_81F8A5:				; CODE XREF: ObpAllocateObject(x,x,x,x,x,x,x)+310j
		mov	eax, [ebp+arg_C]
		pop	edi
		pop	esi
		pop	ebx
		mov	[eax], edx
		xor	eax, eax
		mov	esp, ebp
		pop	ebp
		retn	14h
_ObpAllocateObject@28 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpRemoveObjectRoutine proc near	; CODE XREF: ObfDereferenceObject+88p
					; ObfDereferenceObjectWithTag+9Bp ...

var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00920834 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1], dl
		mov	eax, esi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi+0Ch]
		lea	ebx, [esi+18h]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		push	edi
		mov	edi, ds:_ObTypeIndexTable[ecx*4]
		cmp	edi, _ObpTypeObjectType
		jz	loc_920834
		mov	eax, [esi+14h]
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_81F92A

loc_81F907:				; CODE XREF: ObpRemoveObjectRoutine+85j
		mov	eax, [edi+64h]
		test	eax, eax
		jz	short loc_81F91C
		test	dl, dl
		jnz	short loc_81F919
		or	byte ptr [esi+0Fh], 80h
		mov	eax, [edi+64h]

loc_81F919:				; CODE XREF: ObpRemoveObjectRoutine+50j
		push	ebx
		call	eax

loc_81F91C:				; CODE XREF: ObpRemoveObjectRoutine+4Cj
		mov	ecx, esi
		call	ObpFreeObject
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_81F92A:				; CODE XREF: ObpRemoveObjectRoutine+45j
		push	0
		push	0
		push	0
		lea	eax, [ebp+var_8]
		push	eax
		mov	eax, [edi+6Ch]
		push	0
		push	0
		push	0
		push	2
		push	ebx
		call	eax
		mov	dl, [ebp+var_1]
		jmp	short loc_81F907
ObpRemoveObjectRoutine endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpFreeObject	proc near		; CODE XREF: ObpRemoveObjectRoutine+5Ep

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00920850 SIZE 0000011E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	[ebp+var_24], esi
		mov	al, [esi+0Eh]
		test	al, 1
		jnz	loc_920845
		mov	[ebp+var_4], 0

loc_81F972:				; CODE XREF: ObpRemoveObjectRoutine+100F8Bj
		movzx	edx, al
		test	al, 2
		jnz	loc_81FB63
		mov	[ebp+var_C], 0

loc_81F984:				; CODE XREF: ObpFreeObject+226j
		test	al, 4
		jnz	loc_81FADF
		mov	[ebp+var_8], 0

loc_81F993:				; CODE XREF: ObpFreeObject+1A2j
		test	al, 8
		jz	loc_81FBAB
		mov	ecx, edx
		mov	edi, esi
		and	ecx, 0Fh
		movzx	ecx, _ObpInfoMaskToOffset[ecx]
		sub	edi, ecx

loc_81F9AB:				; CODE XREF: ObpFreeObject+25Dj
		test	al, 20h
		jnz	loc_920850
		mov	[ebp+var_10], 0

loc_81F9BA:				; CODE XREF: ObpFreeObject+100F11j
		movzx	ecx, al
		mov	edx, esi
		movzx	ecx, _ObpInfoMaskToOffset[ecx]
		sub	edx, ecx
		mov	[ebp+var_18], edx
		test	al, al
		js	loc_81FB9A

loc_81F9D3:				; CODE XREF: ObpFreeObject+256j
		movzx	eax, byte ptr [esi+0Ch]
		mov	ebx, esi
		shr	ebx, 8
		movzx	ecx, bl
		xor	ecx, eax
		mov	[ebp+var_28], ebx
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, [ebp+var_4]
		mov	ecx, ds:_ObTypeIndexTable[ecx*4]
		mov	[ebp+var_14], ecx
		test	eax, eax
		jnz	loc_920866

loc_81FA02:				; CODE XREF: ObpFreeObject+100F18j
					; ObpFreeObject+100F6Dj
		lock dec dword ptr [ecx+18h]
		test	byte ptr [esi+0Fh], 1
		mov	edx, [esi+10h]
		jnz	loc_81FAF7
		test	edx, edx
		jz	short loc_81FA6F
		test	edi, edi
		jz	loc_81FBB2
		mov	eax, [edi+0Ch]
		mov	edx, [edi]
		mov	ecx, [edi+4]
		mov	[ebp+var_20], edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	loc_81FB32

loc_81FA38:				; CODE XREF: ObpFreeObject+1E8j
					; ObpFreeObject+20Ej ...
		mov	edi, [esi+10h]
		cmp	edi, 1
		jz	short loc_81FA68
		test	edx, edx
		jz	short loc_81FA53
		push	edx
		push	1
		xor	edx, edx
		mov	ecx, edi
		call	PspReturnQuota
		mov	ecx, [ebp+var_4]

loc_81FA53:				; CODE XREF: ObpFreeObject+F2j
		test	ecx, ecx
		jnz	short loc_81FAB9

loc_81FA57:				; CODE XREF: ObpFreeObject+175j
		or	eax, 0FFFFFFFFh
		lock xadd [edi+200h], eax
		jz	loc_9208C9

loc_81FA68:				; CODE XREF: ObpFreeObject+EEj
					; ObpFreeObject+1DDj ...
		mov	dword ptr [esi+10h], 0

loc_81FA6F:				; CODE XREF: ObpFreeObject+C5j
					; ObpFreeObject+1A9j
		mov	edi, [ebp+var_8]
		test	edi, edi
		jnz	short loc_81FAC7

loc_81FA76:				; CODE XREF: ObpFreeObject+17Bj
					; ObpFreeObject+18Dj
		mov	edi, [ebp+var_C]
		test	edi, edi
		jnz	loc_81FB7B

loc_81FA81:				; CODE XREF: ObpFreeObject+230j
					; ObpFreeObject+245j
		mov	edi, [ebp+var_10]
		test	edi, edi
		jnz	loc_920947

loc_81FA8C:				; CODE XREF: ObpFreeObject+100FFBj
					; ObpFreeObject+10100Fj
		xor	bl, byte ptr ds:_ObHeaderCookie
		mov	eax, [ebp+var_14]
		xor	bl, 1
		mov	[esi+0Ch], bl
		pop	edi
		pop	esi
		pop	ebx
		test	eax, eax
		jz	loc_920964
		mov	eax, [eax+84h]

loc_81FAAC:				; CODE XREF: ObpFreeObject+101019j
		push	eax
		push	[ebp+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_81FAB9:				; CODE XREF: ObpFreeObject+105j
		push	ecx
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	PspReturnQuota
		jmp	short loc_81FA57
; 

loc_81FAC7:				; CODE XREF: ObpFreeObject+124j
		test	byte ptr [esi+0Fh], 40h
		jnz	short loc_81FA76
		mov	eax, [edi]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [edi], 0
		jmp	short loc_81FA76
; 

loc_81FADF:				; CODE XREF: ObpFreeObject+36j
		mov	ecx, edx
		mov	ebx, esi
		and	ecx, 7
		movzx	ecx, _ObpInfoMaskToOffset[ecx]
		sub	ebx, ecx
		mov	[ebp+var_8], ebx
		jmp	loc_81F993
; 

loc_81FAF7:				; CODE XREF: ObpFreeObject+BDj
		test	edx, edx
		jz	loc_81FA6F
		mov	ecx, [edx+18h]
		test	ecx, ecx
		jnz	loc_81FBE8

loc_81FB0A:				; CODE XREF: ObpFreeObject+2B2j
		mov	edi, large fs:20h
		mov	ecx, [edi+5C0h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	loc_81FBC0

loc_81FB28:				; CODE XREF: ObpFreeObject+284j
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		jmp	loc_81FA68
; 

loc_81FB32:				; CODE XREF: ObpFreeObject+E2j
		mov	edi, [edi+8]
		cmp	eax, 1
		jz	loc_81FA38
		test	edi, edi
		jz	short loc_81FB51
		push	edi
		push	1
		xor	edx, edx
		mov	ecx, eax
		call	PspReturnQuota
		mov	eax, [ebp+var_1C]

loc_81FB51:				; CODE XREF: ObpFreeObject+1F0j
		mov	ecx, eax
		call	PspDereferenceQuotaBlock
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_4]
		jmp	loc_81FA38
; 

loc_81FB63:				; CODE XREF: ObpFreeObject+27j
		mov	ecx, edx
		mov	ebx, esi
		and	ecx, 3
		movzx	ecx, _ObpInfoMaskToOffset[ecx]
		sub	ebx, ecx
		mov	[ebp+var_C], ebx
		jmp	loc_81F984
; 

loc_81FB7B:				; CODE XREF: ObpFreeObject+12Bj
		mov	eax, [edi+8]
		test	eax, eax
		jz	loc_81FA81
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [edi+8], 0
		jmp	loc_81FA81
; 

loc_81FB9A:				; CODE XREF: ObpFreeObject+7Dj
		mov	eax, 4
		sub	eax, [edx]
		add	edx, eax
		mov	[ebp+var_18], edx
		jmp	loc_81F9D3
; 

loc_81FBAB:				; CODE XREF: ObpFreeObject+45j
		xor	edi, edi
		jmp	loc_81F9AB
; 

loc_81FBB2:				; CODE XREF: ObpFreeObject+C9j
		mov	edx, [ecx+50h]
		mov	ecx, [ecx+54h]
		mov	[ebp+var_4], ecx
		jmp	loc_81FA38
; 

loc_81FBC0:				; CODE XREF: ObpFreeObject+1D2j
		inc	dword ptr [ecx+18h]
		mov	ecx, [edi+5C4h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	loc_81FB28
		mov	eax, [ecx+2Ch]
		inc	dword ptr [ecx+18h]
		push	edx
		call	eax
		jmp	loc_81FA68
; 

loc_81FBE8:				; CODE XREF: ObpFreeObject+1B4j
		movzx	eax, byte ptr [edx+8]
		push	1
		push	eax
		push	ecx
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	eax, [esi+10h]
		mov	dword ptr [eax+18h], 0
		mov	edx, [esi+10h]
		jmp	loc_81FB0A
ObpFreeObject	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpDeleteKeyObject proc	near		; DATA XREF: CmpCreateObjectTypes()+87o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092096E SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		xor	eax, eax
		lea	ecx, [esp+2Ch+var_18]
		push	ebx
		push	esi
		mov	[esp+34h+var_10], eax
		xor	bl, bl
		mov	[esp+34h+var_C], eax
		mov	[esp+34h+var_8], eax
		mov	[esp+34h+var_4], eax
		mov	[esp+34h+var_18], eax
		mov	[esp+34h+var_14], eax
		lea	eax, [esp+34h+var_20]
		push	edi
		mov	[esp+38h+var_1C], eax
		mov	[esp+38h+var_20], eax
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+1Ch], 4
		jnz	loc_81FD39
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		cmp	_CmpCallBackCount, 0
		jz	short loc_81FCA9
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_81FCA9
		lea	eax, [esp+38h+var_20]
		mov	[esp+38h+var_10], esi
		push	eax
		push	esi
		push	19h
		push	1
		push	0
		lea	edx, [esp+4Ch+var_10]
		mov	ecx, 0Eh
		call	CmpCallCallBacksEx
		cmp	dword ptr [esi], 6B793032h
		jnz	short loc_81FCA9
		lea	eax, [esi+28h]
		cmp	[eax], eax
		jnz	loc_81FD42

loc_81FCA9:				; CODE XREF: CmpDeleteKeyObject+58j
					; CmpDeleteKeyObject+66j ...
		mov	ecx, [esi+20h]
		test	ecx, ecx
		jnz	loc_81FDA6

loc_81FCB4:				; CODE XREF: CmpDeleteKeyObject+19Ej
		lea	eax, [esp+38h+var_28]
		mov	[esp+38h+var_24], eax
		mov	[esp+38h+var_28], eax
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edi, [esi+8]
		mov	eax, [esi]
		test	edi, edi
		jz	short loc_81FD0A
		cmp	eax, 6B793032h
		jnz	loc_81FD91
		cmp	dword ptr [esi+0Ch], 0
		jnz	loc_81FD70

loc_81FCE3:				; CODE XREF: CmpDeleteKeyObject+17Cj
		xor	dl, dl
		mov	ecx, esi
		call	DelistKeyBodyFromKCB
		mov	ecx, [edi+10h]
		cmp	byte ptr [ecx+6DCh], 1
		jz	short loc_81FD55

loc_81FCF8:				; CODE XREF: CmpDeleteKeyObject+151j
		mov	ecx, [esi+30h]
		test	ecx, ecx
		jnz	loc_92096E

loc_81FD03:				; CODE XREF: CmpDeleteKeyObject+18Bj
					; CmpDeleteKeyObject+100D74j ...
		mov	ecx, edi
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)

loc_81FD0A:				; CODE XREF: CmpDeleteKeyObject+BCj
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		lea	ecx, [esp+38h+var_28]
		call	_CmpSignalDeferredPosts@4 ; CmpSignalDeferredPosts(x)
		lea	eax, [esp+38h+var_20]
		xor	edx, edx
		push	eax
		push	0
		lea	eax, [esp+40h+var_10]
		push	eax
		push	0
		lea	ecx, [edx+19h]
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		test	bl, bl
		jnz	short loc_81FD63

loc_81FD34:				; CODE XREF: CmpDeleteKeyObject+157j
					; CmpDeleteKeyObject+15Ej
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_81FD39:				; CODE XREF: CmpDeleteKeyObject+46j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_81FD42:				; CODE XREF: CmpDeleteKeyObject+93j
		mov	ecx, esi
		call	CmpFireCleanupNotifications
		mov	ecx, esi
		call	CmpFreeCallbackObjectContexts
		jmp	loc_81FCA9
; 

loc_81FD55:				; CODE XREF: CmpDeleteKeyObject+E6j
		mov	edx, 10h
		mov	bl, 1
		call	_CmpLogUnload@8	; CmpLogUnload(x,x)
		jmp	short loc_81FCF8
; 

loc_81FD63:				; CODE XREF: CmpDeleteKeyObject+122j
		cmp	byte ptr [esi-9], 0
		jge	short loc_81FD34
		call	_CmpWaitForLateUnloadWorker@0 ;	CmpWaitForLateUnloadWorker()
		jmp	short loc_81FD34
; 

loc_81FD70:				; CODE XREF: CmpDeleteKeyObject+CDj
		mov	ecx, edi
		call	_CmpLockKcbExclusive@4 ; CmpLockKcbExclusive(x)
		lea	eax, [esp+38h+var_28]
		xor	dl, dl
		push	eax
		mov	ecx, esi
		call	CmpFlushNotify
		mov	ecx, edi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		jmp	loc_81FCE3
; 

loc_81FD91:				; CODE XREF: CmpDeleteKeyObject+C3j
		mov	ecx, [edi+10h]
		cmp	byte ptr [ecx+6DCh], 1
		jnz	loc_81FD03
		jmp	loc_920989
; 

loc_81FDA6:				; CODE XREF: CmpDeleteKeyObject+9Ej
		and	ecx, 0FFFFFFFEh
		call	ObfDereferenceObject
		jmp	loc_81FCB4
CmpDeleteKeyObject endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpSignalDeferredPosts(x)
_CmpSignalDeferredPosts@4 proc near	; CODE XREF: CmpPerformUnloadKey+27Ap
					; CmpSetKeySecurity(x,x,x,x,x,x)+309p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx

loc_81FDC6:				; CODE XREF: CmpSignalDeferredPosts(x)+4Aj
		mov	eax, [esi]
		cmp	eax, esi
		jnz	short loc_81FDCF
		pop	edi
		pop	esi
		retn
; 

loc_81FDCF:				; CODE XREF: CmpSignalDeferredPosts(x)+Aj
		cmp	[eax+4], esi
		jnz	short loc_81FE28
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_81FE28
		mov	[esi], ecx
		lea	edi, [eax-8]
		mov	[ecx+4], esi
		cmp	word ptr [edi+1Ch], 3
		mov	ecx, [edi+20h]
		jz	short loc_81FE0C
		mov	eax, [ecx]

loc_81FDEF:				; CODE XREF: CmpSignalDeferredPosts(x)+66j
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [edi+20h]
		mov	ecx, [ecx]
		call	ObfDereferenceObject

loc_81FE03:				; CODE XREF: CmpSignalDeferredPosts(x)+64j
		mov	ecx, edi
		call	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)
		jmp	short loc_81FDC6
; 

loc_81FE0C:				; CODE XREF: CmpSignalDeferredPosts(x)+2Bj
		mov	edx, [ecx+4]
		test	edx, edx
		jz	short loc_81FE20
		mov	eax, [ecx+8]
		push	eax
		push	edx
		call	ExQueueWorkItem
		mov	ecx, [edi+20h]

loc_81FE20:				; CODE XREF: CmpSignalDeferredPosts(x)+51j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_81FE03
		jmp	short loc_81FDEF
; 

loc_81FE28:				; CODE XREF: CmpSignalDeferredPosts(x)+12j
					; CmpSignalDeferredPosts(x)+19j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CmpSignalDeferredPosts@4 endp


DelistKeyBodyFromKCB:			; CODE XREF: CmpDeleteKeyObject+D7p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	bh, dl
		mov	edi, ecx
		xor	bl, bl
		jmp	short loc_81FE40
; 
		align 10h

loc_81FE40:				; CODE XREF: PAGE:0081FE3Bj
					; PAGE:009209B2j
		mov	esi, 48h

loc_81FE45:				; CODE XREF: PAGE:0081FE70j
		cmp	esi, 58h
		jnb	short loc_81FE72
		mov	edx, [edi+8]
		xor	ecx, ecx
		add	edx, esi
		mov	eax, edi
		lock cmpxchg [edx], ecx
		cmp	eax, edi
		jz	short loc_81FEA9
		cmp	eax, 1
		jz	loc_92099A
		cmp	eax, 2
		jz	loc_92099A
		add	esi, 4
		jmp	short loc_81FE45
; 

loc_81FE72:				; CODE XREF: PAGE:0081FE48j
		test	bh, bh
		jnz	short loc_81FE92
		test	bl, bl
		jnz	short loc_81FE92
		mov	esi, [edi+8]
		xor	edx, edx
		lea	ecx, [esi+18h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	bl, 1
		mov	[esi+1Ch], eax

loc_81FE92:				; CODE XREF: PAGE:0081FE74j
					; PAGE:0081FE78j
		mov	edx, [edi+14h]
		lea	eax, [edi+14h]
		cmp	[edx+4], eax
		jnz	short loc_81FEEF
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_81FEEF
		mov	[ecx], edx
		mov	[edx+4], ecx

loc_81FEA9:				; CODE XREF: PAGE:0081FE59j
		test	bl, bl
		jnz	short loc_81FEB1

loc_81FEAD:				; CODE XREF: PAGE:0081FEDFj
					; PAGE:009209BEj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_81FEB1:				; CODE XREF: PAGE:0081FEABj
		mov	esi, [edi+8]
		test	dword ptr [esi+4], 80000h
		jnz	short loc_81FEEB
		xor	bl, bl

loc_81FEBF:				; CODE XREF: PAGE:0081FEEDj
		mov	eax, large fs:124h
		lea	ecx, [esi+1Ch]
		cmp	[ecx], eax
		jnz	short loc_81FEE6
		mov	dword ptr [esi+1Ch], 0

loc_81FED3:				; CODE XREF: PAGE:0081FEE9j
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExReleasePushLockEx
		test	bl, bl
		jz	short loc_81FEAD
		jmp	loc_9209B7
; 

loc_81FEE6:				; CODE XREF: PAGE:0081FECAj
		lock dec dword ptr [ecx]
		jmp	short loc_81FED3
; 

loc_81FEEB:				; CODE XREF: PAGE:0081FEBBj
		mov	bl, 1
		jmp	short loc_81FEBF
; 

loc_81FEEF:				; CODE XREF: PAGE:0081FE9Bj
					; PAGE:0081FEA2j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopParseDevice(x, x, x, x, x, x, x,	x, x, x, x)
_IopParseDevice@44 proc	near		; CODE XREF: IopParseFile(x,x,x,x,x,x,x,x,x,x,x)+52p
					; DATA XREF: IoCreateObjectTypes+D1o

var_B8		= dword	ptr -0B8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_19		= dword	ptr -19h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 00821602 SIZE 0000001B BYTES
; FUNCTION CHUNK AT 0082165D SIZE 0000017B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5C08
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 98h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_19+1],	esp
		mov	[ebp+var_58], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_64], 0
		mov	[ebp+var_60], 0
		xor	eax, eax
		mov	[ebp+var_A0], eax
		mov	[ebp+var_9C], eax
		mov	[ebp+var_98], eax
		mov	[ebp+var_94], eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_21], al
		mov	[ebp+var_74], eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+arg_4]
		cmp	eax, ds:_IoFileObjectType
		jnz	loc_8217AD
		mov	eax, large fs:124h
		mov	[ebp+var_4C], eax
		mov	byte ptr [ebp+arg_4+3],	4
		push	offset ??_C@_19DDLLJDOO@?$AAF?$AAi?$AAl?$AAe@NNGAKEGL@
		lea	eax, [ebp+var_7C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+arg_28]
		mov	dword ptr [eax], 0
		mov	[ebp+var_48], 0
		mov	ebx, [ebp+arg_1C]
		test	ebx, ebx
		jz	loc_8217AD

loc_81FFD1:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1181j
		mov	ecx, 90h
		cmp	word ptr [ebx],	8
		jnz	loc_8217AD
		cmp	[ebx+2], cx
		jnz	loc_8217AD
		mov	eax, [ebp+arg_0]
		mov	edi, eax
		mov	[ebp+var_28], eax
		cmp	dword ptr [ebx+10h], 1
		jz	loc_821791
		test	byte ptr [ebx+5Ch], 10h
		jz	loc_8200C4
		mov	eax, [eax+2Ch]
		cmp	dword ptr [ebx+0Ch], 0A0000003h
		jnz	short loc_82005F
		cmp	eax, 7
		jz	loc_8200C4
		cmp	eax, 2
		jz	loc_8200C4
		cmp	eax, 24h
		jz	loc_8200C4
		cmp	eax, 1Fh
		jz	loc_8200C4
		cmp	eax, 11h
		jz	loc_8200C4

loc_82003F:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1A8j
		mov	dword ptr [ebx+8], 0C0000278h
		mov	eax, 0C0000278h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_82005F:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+110j
		cmp	eax, 7
		jz	short loc_82007C
		cmp	eax, 2
		jz	short loc_82007C
		cmp	eax, 24h
		jz	short loc_82007C
		cmp	eax, 1Fh
		jz	short loc_82007C
		cmp	eax, 11h
		jz	short loc_82007C
		xor	dl, dl
		jmp	short loc_82007E
; 

loc_82007C:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+162j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+167j ...
		mov	dl, 1

loc_82007E:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+17Aj
					; DATA XREF: FsRtlHeatInit(x,x,x)+76o ...
		cmp	eax, 14h
		jz	short loc_8200A0
		cmp	eax, 10h
		jz	short loc_8200A0
		cmp	eax, 28h
		jz	short loc_8200A0
		cmp	eax, 6
		jz	short loc_8200A0
		cmp	eax, 36h
		jz	short loc_8200A0
		cmp	eax, 35h
		jz	short loc_8200A0
		xor	al, al
		jmp	short loc_8200A2
; 

loc_8200A0:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+181j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+186j ...
		mov	al, 1

loc_8200A2:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+19Ej
		test	dl, dl
		jnz	short loc_8200AA
		test	al, al
		jz	short loc_82003F

loc_8200AA:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1A4j
		mov	eax, [ebx+68h]
		push	eax
		mov	cl, [ebx+5Ch]
		and	cl, 8
		call	IopSymlinkEnforceEnabledTypes
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_82176E

loc_8200C4:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+100j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+115j ...
		mov	eax, [ebx+14h]
		test	eax, eax
		jz	short loc_8200D1
		mov	edi, [eax+4]
		mov	[ebp+var_28], edi

loc_8200D1:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1C9j
		cmp	dword ptr [edi+2Ch], 7
		jnz	short loc_820100
		mov	eax, edi
		mov	ecx, edi
		jmp	short loc_8200E0
; 
		align 10h

loc_8200E0:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1DBj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1EDj
		cmp	dword ptr [eax+24h], 0
		jnz	short loc_8200EF
		mov	eax, [eax+10h]
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_8200E0

loc_8200EF:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1E4j
		test	ecx, ecx
		jz	short loc_820100
		cmp	ecx, edi
		jz	short loc_820100
		or	dword ptr [ebx+5Ch], 2
		mov	edi, ecx
		mov	[ebp+var_28], edi

loc_820100:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1D5j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1F1j ...
		mov	edx, edi
		mov	ecx, ebx
		call	IopCheckDeviceAndDriver
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_82176E
		mov	eax, [edi+0B0h]
		test	dword ptr [eax+10h], 400h
		jz	short loc_820174
		cmp	dword ptr [ebx+14h], 0
		jnz	short loc_820174
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		push	eax
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		mov	esi, eax
		call	_PsGetCurrentProcessSessionId@0	; PsGetCurrentProcessSessionId()
		cmp	esi, eax
		jnz	short loc_820151
		cmp	_IopSessionZeroAccessCheckEnabled, 0
		jz	short loc_820174
		test	dword ptr [ebx+28h], 40000h
		jnz	short loc_820174

loc_820151:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+23Dj
		mov	ecx, edi
		call	IopGetDevicePDO
		mov	esi, eax
		test	esi, esi
		jz	short loc_820174
		mov	ecx, esi
		call	_IopCheckSessionDeviceAccess@4 ; IopCheckSessionDeviceAccess(x)
		mov	ecx, esi
		test	al, al
		jz	loc_821086
		call	ObfDereferenceObject

loc_820174:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+221j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+227j ...
		mov	esi, [ebp+arg_8]
		lea	edi, [esi+10h]
		mov	eax, ds:_IoFileObjectType
		add	eax, 34h
		push	eax
		push	edi
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	eax, ds:_IoFileObjectType
		add	eax, 34h
		push	eax
		lea	eax, [esi+18h]
		push	eax
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	eax, ds:_IoFileObjectType
		add	eax, 34h
		push	eax
		push	esi
		call	_SeSetAccessStateGenericMapping@8 ; SeSetAccessStateGenericMapping(x,x)
		mov	esi, [edi]
		mov	[ebp+var_34], esi
		cmp	byte ptr [ebp+arg_C], 0
		jnz	short loc_8201C2
		test	byte ptr [ebx+38h], 1
		mov	byte ptr [ebp+var_88], 0
		jz	short loc_8201C9

loc_8201C2:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+2B3j
		mov	byte ptr [ebp+var_88], 1

loc_8201C9:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+2C0j
		lea	edx, [ebx+28h]
		mov	eax, [ebx+3Ch]
		push	eax
		push	[ebp+var_88]
		mov	ecx, [ebp+arg_8]
		call	IopCheckBackupRestorePrivilege
		mov	cl, [ebx+54h]
		test	cl, cl
		jz	short loc_8201EE
		mov	eax, [ebp+arg_18]
		cmp	word ptr [eax],	0
		jz	short loc_8201FC

loc_8201EE:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+2E3j
		mov	edx, [ebp+arg_8]
		test	dword ptr [edx+0Ch], 100h
		jz	short loc_820205
		jmp	short loc_8201FF
; 

loc_8201FC:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+2ECj
		mov	edx, [ebp+arg_8]

loc_8201FF:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+2FAj
		or	esi, [edx+14h]
		mov	[ebp+var_34], esi

loc_820205:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+2F8j
		mov	eax, [ebx+14h]
		test	eax, eax
		jz	short loc_820228
		test	dword ptr [eax+2Ch], 400000h
		jz	short loc_820228
		mov	esi, [ebp+arg_18]
		cmp	word ptr [esi],	0
		mov	esi, [ebp+var_34]
		jnz	short loc_820228
		mov	ch, 1
		mov	[ebp+var_21], ch
		jmp	short loc_82022B
; 

loc_820228:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+30Aj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+313j ...
		mov	ch, [ebp+var_21]

loc_82022B:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+326j
		cmp	byte ptr [ebp+arg_C], 0
		jnz	short loc_82023B
		test	byte ptr [ebx+38h], 1
		jz	loc_820505

loc_82023B:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+32Fj
		test	eax, eax
		jz	short loc_820247
		test	ch, ch
		jz	loc_820505

loc_820247:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+33Dj
		test	cl, cl
		jnz	loc_820505
		and	byte ptr [ebp+arg_4+3],	0DFh
		mov	eax, [ebp+arg_18]
		cmp	word ptr [eax],	0
		jnz	loc_8203BA
		mov	eax, [ebp+var_28]
		test	dword ptr [eax+20h], 40001h
		jz	short loc_8202A7
		test	esi, 0FFEDFF7Fh
		jz	short loc_8202A7
		call	_RtlGetActiveConsoleId@0 ; RtlGetActiveConsoleId()
		mov	esi, eax
		call	_PsGetCurrentProcessSessionId@0	; PsGetCurrentProcessSessionId()
		cmp	esi, eax
		jz	short loc_8202A7
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		push	eax
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		mov	esi, eax
		call	_PsGetCurrentProcessSessionId@0	; PsGetCurrentProcessSessionId()
		cmp	esi, eax
		jz	short loc_8202A7
		call	_IopAllowRemoteDASD@0 ;	IopAllowRemoteDASD()
		test	al, al
		mov	byte ptr [ebp+var_19], 1
		jz	short loc_8202AB

loc_8202A7:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+36Aj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+372j ...
		mov	byte ptr [ebp+var_19], 0

loc_8202AB:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+3A5j
		mov	[ebp+var_38], 0
		mov	eax, [ebp+var_4C]
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _IopSecurityResource
		call	ExAcquireResourceSharedLite
		mov	esi, [ebp+arg_8]
		add	esi, 1Ch
		push	esi
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)
		mov	al, byte ptr [ebp+arg_4+3]
		or	al, 20h
		mov	byte ptr [ebp+arg_4+3],	al
		cmp	byte ptr [ebp+var_19], 0
		jz	short loc_820336
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_8202EF
		mov	eax, [ebp+arg_8]
		mov	eax, [eax+24h]

loc_8202EF:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+3E7j
		push	eax
		call	SeTokenIsAdmin
		test	al, al
		mov	al, byte ptr [ebp+arg_4+3]
		jnz	short loc_820336
		and	al, 0FEh
		mov	byte ptr [ebp+arg_4+3],	al
		mov	[ebp+var_20], 0C0000022h

loc_820308:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+498j
		mov	edx, [ebp+arg_8]

loc_82030B:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+4B5j
		lea	ecx, [edx+0Ah]
		push	ecx
		push	1
		and	al, 1
		movzx	eax, al
		push	eax
		push	0
		push	edx
		mov	edi, [ebp+var_28]
		mov	eax, [edi+98h]
		push	eax
		push	[ebp+arg_14]
		push	edi
		lea	eax, [ebp+var_7C]
		push	eax
		call	_SeOpenObjectAuditAlarm@36 ; SeOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x)
		jmp	loc_8204BE
; 

loc_820336:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+3E1j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+3FAj
		lea	ecx, [ebp+var_20]
		push	ecx
		lea	ecx, [ebp+var_58]
		push	ecx
		push	1
		mov	ecx, ds:_IoFileObjectType
		add	ecx, 34h
		push	ecx
		lea	ecx, [ebp+var_38]
		push	ecx
		push	0
		push	[ebp+var_34]
		shr	al, 5
		and	al, 1
		movzx	eax, al
		push	eax
		push	esi
		mov	eax, [ebp+var_28]
		mov	eax, [eax+98h]
		push	eax
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	cl, al
		mov	al, byte ptr [ebp+arg_4+3]
		xor	cl, al
		and	cl, 1
		xor	al, cl
		mov	byte ptr [ebp+arg_4+3],	al
		mov	ecx, [ebp+var_38]
		test	ecx, ecx
		jz	short loc_820396
		push	ecx
		push	[ebp+arg_8]
		call	SeAppendPrivileges
		push	[ebp+var_38]
		call	_SeFreePrivileges@4 ; SeFreePrivileges(x)
		mov	al, byte ptr [ebp+arg_4+3]

loc_820396:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+480j
		test	al, 1
		jz	loc_820308
		mov	ecx, [ebp+var_58]
		mov	edx, [ebp+arg_8]
		or	[edx+14h], ecx
		or	ecx, 2000000h
		not	ecx
		and	[edi], ecx
		mov	byte ptr [ebx+54h], 1
		jmp	loc_82030B
; 

loc_8203BA:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+35Aj
		lea	esi, [edx+1Ch]
		push	esi
		mov	dl, byte ptr [ebp+arg_C]
		mov	edi, [ebp+var_28]
		mov	ecx, edi
		call	_IopDoFullTraverseCheck@12 ; IopDoFullTraverseCheck(x,x,x)
		test	al, al
		jz	short loc_820408
		push	0
		push	[ebp+var_4C]
		lea	eax, [ebp+var_7C]
		push	eax
		push	[ebp+arg_14]
		lea	eax, [ebp+var_58]
		push	eax
		push	[ebp+var_38]
		push	1
		mov	eax, [ebp+var_34]
		or	eax, 20h
		push	eax
		push	[ebp+arg_8]
		xor	edx, edx
		mov	ecx, edi
		call	_IopCreateSecurityCheck@44 ; IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)
		mov	cl, al
		mov	al, byte ptr [ebp+arg_4+3]
		xor	cl, al
		and	cl, 1
		xor	al, cl
		jmp	loc_8204DA
; 

loc_820408:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+4CDj
		mov	eax, [ebp+arg_8]
		test	byte ptr [eax+0Ch], 1
		jnz	loc_8204D5
		mov	eax, [ebp+var_4C]
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _IopSecurityResource
		call	ExAcquireResourceSharedLite
		push	ecx
		push	20h
		mov	edx, [ebp+arg_8]
		mov	ecx, [edi+98h]
		call	_SeFastTraverseCheck@16	; SeFastTraverseCheck(x,x,x,x)
		mov	cl, al
		mov	al, byte ptr [ebp+arg_4+3]
		xor	cl, al
		and	cl, 1
		xor	al, cl
		mov	byte ptr [ebp+arg_4+3],	al
		test	al, 1
		jnz	short loc_8204BE
		mov	[ebp+var_38], 0
		push	esi
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)
		mov	al, byte ptr [ebp+arg_4+3]
		or	al, 20h
		mov	byte ptr [ebp+arg_4+3],	al
		lea	ecx, [ebp+var_20]
		push	ecx
		lea	ecx, [ebp+var_58]
		push	ecx
		push	1
		mov	ecx, ds:_IoFileObjectType
		add	ecx, 34h
		push	ecx
		lea	ecx, [ebp+var_38]
		push	ecx
		push	0
		push	20h
		shr	al, 5
		and	al, 1
		movzx	eax, al
		push	eax
		push	esi
		mov	eax, [edi+98h]
		push	eax
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	cl, al
		mov	al, byte ptr [ebp+arg_4+3]
		xor	cl, al
		and	cl, 1
		xor	al, cl
		mov	byte ptr [ebp+arg_4+3],	al
		mov	eax, [ebp+var_38]
		test	eax, eax
		jz	short loc_8204BE
		push	eax
		push	[ebp+arg_8]
		call	SeAppendPrivileges
		push	[ebp+var_38]
		call	_SeFreePrivileges@4 ; SeFreePrivileges(x)

loc_8204BE:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+431j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+54Ej ...
		mov	ecx, offset _IopSecurityResource
		call	ExReleaseResourceLite
		mov	ecx, [ebp+var_4C]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	al, byte ptr [ebp+arg_4+3]
		jmp	short loc_8204DD
; 

loc_8204D5:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+50Fj
		mov	al, byte ptr [ebp+arg_4+3]
		or	al, 1

loc_8204DA:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+503j
		mov	byte ptr [ebp+arg_4+3],	al

loc_8204DD:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+5D3j
		test	al, 20h
		jz	short loc_8204EA
		push	esi
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		mov	al, byte ptr [ebp+arg_4+3]

loc_8204EA:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+5DFj
		test	al, 1
		jz	loc_8210C1
		mov	esi, [ebp+var_34]

loc_8204F5:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+608j
		cmp	byte ptr [ebx+55h], 0
		jnz	short loc_82050A
		cmp	byte ptr [ebx+56h], 0
		jnz	short loc_82050A
		xor	cl, cl
		jmp	short loc_82050C
; 

loc_820505:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+335j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+341j ...
		mov	al, byte ptr [ebp+arg_4+3]
		jmp	short loc_8204F5
; 

loc_82050A:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+5F9j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+5FFj
		mov	cl, 40h

loc_82050C:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+603j
		and	al, 0BFh
		or	al, cl
		mov	ecx, [ebp+arg_18]
		movzx	edx, word ptr [ecx]
		test	dx, dx
		jnz	short loc_820533
		cmp	dword ptr [ebx+14h], 0
		jnz	short loc_820533
		test	esi, 0FEE1FF7Fh
		jnz	short loc_820533
		test	al, 40h
		jnz	short loc_820533
		or	al, 8
		xor	ecx, ecx
		jmp	short loc_820538
; 

loc_820533:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+619j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+61Fj ...
		and	al, 0F7h
		mov	ecx, [ebx+14h]

loc_820538:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+631j
		mov	byte ptr [ebp+arg_4+3],	al
		xor	edi, edi
		mov	[ebp+var_3C], edi
		test	ecx, ecx
		jz	loc_8205F0
		test	dword ptr [ecx+2Ch], 800h
		jnz	loc_8205F0
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_30], esi
		mov	ecx, [ecx+8]
		test	ecx, ecx
		jz	short loc_8205D2
		mov	edi, ecx
		mov	[ebp+var_3C], edi
		mov	ecx, [ebp+var_28]
		test	dword ptr [ecx+20h], 100h
		jz	short loc_8205C6
		mov	eax, [ecx+0B0h]
		test	dword ptr [eax+10h], 800h
		jnz	short loc_8205C6
		cmp	byte ptr [ebp+arg_C], 0
		jnz	short loc_82058E
		test	byte ptr [ebx+38h], 1
		jz	short loc_8205C6

loc_82058E:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+686j
		cmp	[ebp+var_21], 0
		jnz	short loc_8205C6
		mov	[ebp+var_38], 0
		push	0
		push	[ebp+var_4C]
		lea	eax, [ebp+var_7C]
		push	eax
		push	[ebp+arg_14]
		lea	eax, [ebp+var_58]
		push	eax
		push	0
		mov	eax, [ebx+3Ch]
		push	eax
		push	[ebp+var_34]
		push	[ebp+arg_8]
		mov	edx, ecx
		call	_IopCreateSecurityCheck@44 ; IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)
		test	al, al
		jz	loc_8210C1

loc_8205C6:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+671j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+680j ...
		mov	dl, 1
		mov	ecx, edi
		call	IopIncrementVpbRefCount
		mov	al, byte ptr [ebp+arg_4+3]

loc_8205D2:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+660j
		test	byte ptr [ebx+5Ch], 1
		jz	loc_8206B3
		test	edi, edi
		jz	short loc_8205E6
		mov	esi, [edi+8]
		mov	[ebp+var_30], esi

loc_8205E6:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+6DEj
		or	al, 2
		mov	byte ptr [ebp+arg_4+3],	al
		jmp	loc_8206B3
; 

loc_8205F0:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+642j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+64Fj
		mov	esi, [ebp+var_28]
		mov	[ebp+var_30], esi
		mov	ebx, esi
		cmp	[ebx+24h], edi
		mov	ebx, [ebp+arg_1C]
		jz	loc_820695
		test	al, 8
		jnz	loc_820695
		test	dword ptr [esi+20h], 100h
		jz	short loc_82066F
		mov	eax, [esi+0B0h]
		test	dword ptr [eax+10h], 800h
		jnz	short loc_82066F
		cmp	byte ptr [ebp+arg_C], 0
		jnz	short loc_820630
		test	byte ptr [ebx+38h], 1
		jz	short loc_82066F

loc_820630:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+728j
		test	ecx, ecx
		jnz	short loc_820639
		test	dx, dx
		jz	short loc_82066F

loc_820639:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+732j
		cmp	[ebp+var_21], 0
		jnz	short loc_82066F
		mov	[ebp+var_38], edi
		push	0
		push	[ebp+var_4C]
		lea	eax, [ebp+var_7C]
		push	eax
		push	[ebp+arg_14]
		lea	eax, [ebp+var_58]
		push	eax
		push	0
		mov	eax, [ebx+3Ch]
		push	eax
		push	[ebp+var_34]
		push	[ebp+arg_8]
		mov	edx, esi
		mov	ecx, esi
		call	_IopCreateSecurityCheck@44 ; IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)
		test	al, al
		jz	loc_8210C4

loc_82066F:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+713j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+722j ...
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+arg_18]
		mov	edx, esi
		mov	ecx, ebx
		call	IopCheckVpbMounted
		mov	edi, eax
		mov	[ebp+var_3C], eax
		test	edi, edi
		jz	loc_8210FF
		mov	esi, [edi+8]
		mov	[ebp+var_30], esi
		mov	al, byte ptr [ebp+arg_4+3]

loc_820695:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+6FEj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+706j
		test	byte ptr [ebx+5Ch], 1
		jz	short loc_8206A2
		or	al, 2
		mov	byte ptr [ebp+arg_4+3],	al
		jmp	short loc_8206B3
; 

loc_8206A2:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+799j
		cmp	dword ptr [esi+10h], 0
		jz	short loc_8206B3
		push	esi
		call	_IoGetAttachedDevice@4 ; IoGetAttachedDevice(x)
		mov	esi, eax
		mov	[ebp+var_30], esi

loc_8206B3:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+6D6j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+6EBj ...
		mov	ecx, [ebp+var_28]
		mov	eax, [ecx+20h]
		test	eax, 40001h
		jz	short loc_8206F7
		test	dword ptr [ecx+1Ch], 600100h
		jnz	short loc_8206F7
		test	eax, 100h
		jnz	short loc_8206F7
		mov	ecx, [ebp+arg_8]
		lea	ecx, [ecx+1Ch]
		call	_IopIsSecurityContextAppContainer@4 ; IopIsSecurityContextAppContainer(x)
		test	al, al
		jz	short loc_8206F7
		test	edi, edi
		jz	loc_8210C1
		mov	eax, [edi+8]
		test	dword ptr [eax+1Ch], 20000h
		jz	loc_8210B6

loc_8206F7:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+7BEj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+7C7j ...
		mov	al, byte ptr [ebp+arg_4+3]
		test	al, 2
		jz	short loc_820722
		push	[ebp+arg_18]
		shr	al, 3
		and	al, 1
		movzx	eax, al
		push	eax
		mov	edx, ebx
		lea	ecx, [ebp+var_30]
		call	IopCheckTopDeviceHint
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_8210E8
		mov	esi, [ebp+var_30]

loc_820722:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+7FCj
		mov	eax, [ebx+5Ch]
		test	al, 10h
		jz	short loc_82072F
		and	eax, 0FFFFFFEFh
		mov	[ebx+5Ch], eax

loc_82072F:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+827j
		test	dword ptr [esi+20h], 100h
		jnz	short loc_82074F
		cmp	_IopRequireDeviceAccessCheck, 0
		jz	short loc_8207A5
		mov	ecx, [ebp+var_28]
		test	dword ptr [ecx+20h], 100000h
		jz	short loc_8207A5
		jmp	short loc_820752
; 

loc_82074F:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+836j
		mov	ecx, [ebp+var_28]

loc_820752:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+84Dj
		cmp	byte ptr [ebp+arg_C], 0
		jnz	short loc_82075E
		test	byte ptr [ebx+38h], 1
		jz	short loc_8207A5

loc_82075E:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+856j
		cmp	dword ptr [ebx+14h], 0
		jnz	short loc_82076D
		mov	eax, [ebp+arg_18]
		cmp	word ptr [eax],	0
		jz	short loc_8207A5

loc_82076D:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+862j
		cmp	[ebp+var_21], 0
		jnz	short loc_8207A5
		mov	[ebp+var_38], 0
		push	1
		push	[ebp+var_4C]
		lea	eax, [ebp+var_7C]
		push	eax
		push	[ebp+arg_14]
		lea	eax, [ebp+var_58]
		push	eax
		push	0
		mov	eax, [ebx+3Ch]
		push	eax
		push	[ebp+var_34]
		push	[ebp+arg_8]
		mov	edx, esi
		call	_IopCreateSecurityCheck@44 ; IopCreateSecurityCheck(x,x,x,x,x,x,x,x,x,x,x)
		test	al, al
		jz	loc_821116

loc_8207A5:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+83Fj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+84Bj ...
		mov	eax, [ebp+4]
		push	eax
		push	0
		mov	eax, [ebp+var_30]
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp+var_54], esi
		test	esi, esi
		jz	loc_821773
		mov	eax, [ebp+var_4C]
		mov	[esi+50h], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+20h], al
		mov	dword ptr [esi+8], 884h
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_A0], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_9C], eax
		mov	eax, [ebp+var_34]
		mov	[ebp+var_98], eax
		mov	eax, [ebx+28h]
		mov	[ebp+var_94], eax
		mov	edx, [esi+60h]
		sub	edx, 24h
		mov	[ebp+var_68], edx
		mov	byte ptr [edx+3], 0
		mov	eax, [ebx+4Ch]
		test	eax, eax
		jnz	short loc_82082B
		mov	[edx], al
		mov	eax, [ebx+34h]
		mov	[edx+10h], eax
		mov	al, [ebx+38h]
		mov	[edx+2], al
		test	byte ptr [ebp+arg_10], 40h
		jnz	short loc_82083D
		or	al, 80h
		mov	[edx+2], al
		jmp	short loc_82083D
; 

loc_82082B:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+90Ej
		cmp	eax, 1
		jnz	short loc_820834
		mov	[edx], al
		jmp	short loc_820837
; 

loc_820834:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+92Ej
		mov	byte ptr [edx],	13h

loc_820837:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+932j
		mov	eax, [ebx+50h]
		mov	[edx+10h], eax

loc_82083D:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+922j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+929j
		mov	eax, [ebx+20h]
		mov	[esi+30h], eax
		mov	eax, [ebx+24h]
		mov	[esi+34h], eax
		mov	eax, [ebx+30h]
		mov	[esi+0Ch], eax
		mov	ecx, [ebx+3Ch]
		shl	ecx, 18h
		mov	eax, [ebx+28h]
		and	eax, 0FFFFFFh
		or	ecx, eax
		mov	[edx+8], ecx
		movzx	eax, word ptr [ebx+2Ch]
		mov	[edx+0Ch], ax
		movzx	eax, word ptr [ebx+2Eh]
		mov	[edx+0Eh], ax
		lea	eax, [ebp+var_A0]
		mov	[edx+4], eax
		mov	eax, [ebx+68h]
		mov	[esi+3Ch], eax
		lea	eax, [ebp+var_64]
		mov	[esi+28h], eax
		mov	dword ptr [esi+4], 0
		mov	byte ptr [esi+21h], 0
		mov	byte ptr [esi+24h], 0
		mov	dword ptr [esi+2Ch], 0
		mov	dword ptr [esi+38h], 0
		mov	dword ptr [esi+54h], 0
		cmp	byte ptr [ebx+55h], 0
		jnz	short loc_8208E1
		push	[ebp+var_34]
		push	0
		push	[ebp+arg_24]
		push	ebx
		push	[ebp+arg_C]
		push	[ebp+arg_10]
		push	[ebp+var_28]
		mov	edx, [ebp+var_30]
		lea	ecx, [ebp+var_48]
		call	IopAllocRealFileObject
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_821146
		mov	edi, [ebp+var_48]
		jmp	loc_820A3F
; 

loc_8208E1:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+9AFj
		mov	esi, [ebx+58h]
		push	0A0h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [esi+18h]
		mov	[ebp+var_48], edi
		mov	eax, ds:_IoFileObjectType
		mov	al, [eax+14h]
		mov	ecx, esi
		shr	ecx, 8
		xor	cl, al
		xor	cl, byte ptr ds:_ObHeaderCookie
		mov	[esi+0Ch], cl
		mov	dword ptr [esi], 1
		test	byte ptr [ebp+arg_10], 40h
		jnz	short loc_820925
		or	dword ptr [edi+2Ch], 20000h

loc_820925:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+A1Cj
		mov	dword ptr [edi], 800005h
		mov	eax, [ebx+14h]
		mov	[edi+20h], eax
		mov	esi, [ebp+var_28]
		mov	[edi+4], esi
		test	byte ptr [ebx+5Ch], 20h
		jz	short loc_820981
		cmp	byte ptr [ebp+arg_C], 0
		jz	short loc_820981
		mov	ecx, [ebp+var_30]
		test	dword ptr [ecx+1Ch], 40000h
		jnz	short loc_82096B
		mov	eax, [ecx+2Ch]
		cmp	eax, 8
		jz	short loc_82096B
		cmp	eax, 3
		jz	short loc_82096B
		cmp	eax, 20h
		jz	short loc_82096B
		cmp	eax, 14h
		jz	short loc_82096B
		cmp	eax, 35h
		jnz	short loc_820981

loc_82096B:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+A4Dj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+A55j ...
		push	edi
		push	[ebp+var_34]
		mov	edx, ebx
		call	IopRetrieveTransactionParameters
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_821194

loc_820981:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+A3Bj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+A41j ...
		mov	esi, [ebp+arg_24]
		mov	eax, [esi+8]
		push	eax
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	short loc_8209B0
		mov	eax, [edi+20h]
		test	eax, eax
		jz	loc_820A3C
		push	eax
		call	_IoGetSilo@4	; IoGetSilo(x)
		push	eax
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jnz	loc_820A3C

loc_8209B0:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+A8Fj
		mov	[ebp+var_6C], 0
		mov	edx, [edi+20h]
		test	edx, edx
		jz	short loc_8209D4
		mov	ecx, [esi+8]
		call	_PsIsServerSilo@4 ; PsIsServerSilo(x)
		test	al, al
		jz	short loc_8209D4
		push	edx
		call	_IoGetSilo@4	; IoGetSilo(x)
		mov	esi, eax
		jmp	short loc_8209D7
; 

loc_8209D4:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+ABCj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+AC8j
		mov	esi, [esi+8]

loc_8209D7:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+AD2j
		push	esi
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jnz	short loc_820A3C
		push	esi
		call	PsAcquireSiloHardReference
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_8211D1
		push	0		; int
		lea	eax, [ebp+var_6C]
		push	eax		; int
		push	1		; char
		push	0Ch		; size_t
		mov	edx, 7
		mov	ecx, edi
		call	IopGetSetSpecificExtension
		mov	[ebp+var_20], eax
		test	eax, eax
		jns	short loc_820A20
		push	esi
		call	_PsReleaseSiloHardReference@4 ;	PsReleaseSiloHardReference(x)
		mov	eax, [ebp+var_20]
		test	eax, eax
		js	loc_8211D1

loc_820A20:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+B0Dj
		mov	eax, [ebp+var_6C]
		mov	dword ptr [eax], 0Ch
		mov	[eax+8], esi
		or	dword ptr [eax+4], 1
		mov	edx, 70536F49h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag

loc_820A3C:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+A96j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+AAAj ...
		mov	esi, [ebp+var_54]

loc_820A3F:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+9DCj
		test	byte ptr [ebp+arg_4+3],	8
		jz	short loc_820A4C
		or	dword ptr [edi+2Ch], 800h

loc_820A4C:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+B43j
		mov	ecx, [ebx+88h]
		mov	eax, [ebx+8Ch]
		mov	[ebp+var_80], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_820A6C
		mov	edx, 20h
		jmp	short loc_820A79
; 

loc_820A6C:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+B63j
		and	ecx, 2
		or	ecx, 0
		jz	short loc_820A82
		mov	edx, 40h

loc_820A79:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+B6Aj
		push	1
		mov	ecx, edi
		call	IopSetFileObjectExtensionFlag

loc_820A82:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+B72j
		mov	[esi+64h], edi
		mov	eax, [ebp+var_68]
		mov	[eax+18h], edi
		mov	eax, [ebp+arg_18]
		movzx	eax, word ptr [eax]
		test	ax, ax
		jz	short loc_820AD9
		cmp	eax, 38h
		jnb	short loc_820AA2
		mov	eax, 38h
		jmp	short loc_820ABA
; 

loc_820AA2:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+B99j
		cmp	eax, 78h
		jnb	short loc_820AAE
		mov	eax, 78h
		jmp	short loc_820ABA
; 

loc_820AAE:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+BA5j
		mov	ecx, 0F8h
		cmp	ax, cx
		jnb	short loc_820ABA
		mov	eax, ecx

loc_820ABA:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+BA0j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+BACj ...
		mov	[edi+32h], ax
		push	6D4E6F49h
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+34h], eax
		test	eax, eax
		jz	loc_8211DE

loc_820AD9:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+B94j
		lea	eax, [edi+30h]
		mov	[ebp+var_6C], eax
		push	[ebp+arg_18]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		cmp	byte ptr [ebx+55h], 0
		jz	loc_820BD6
		mov	byte ptr [ebp+var_19], 0
		lea	eax, [ebp+var_19]
		push	eax
		push	[ebp+var_68]
		push	esi
		mov	edx, [ebp+var_30]
		mov	ecx, ebx
		call	_IopQueryInformation@20	; IopQueryInformation(x,x,x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_821271
		cmp	byte ptr [ebp+var_19], 0
		jnz	loc_821271
		push	0
		push	[ebp+arg_18]
		lea	eax, [edi+30h]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_820BA2
		mov	eax, [edi+34h]
		test	eax, eax
		jz	short loc_820B49
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		lea	eax, [edi+30h]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_820B49:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+C34j
		mov	eax, [ebp+arg_18]
		movzx	eax, word ptr [eax]
		test	ax, ax
		jz	short loc_820BA2
		cmp	eax, 38h
		jnb	short loc_820B60
		mov	eax, 38h
		jmp	short loc_820B78
; 

loc_820B60:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+C57j
		cmp	eax, 78h
		jnb	short loc_820B6C
		mov	eax, 78h
		jmp	short loc_820B78
; 

loc_820B6C:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+C63j
		mov	ecx, 0F8h
		cmp	ax, cx
		jnb	short loc_820B78
		mov	eax, ecx

loc_820B78:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+C5Ej
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+C6Aj ...
		mov	[edi+32h], ax
		push	6D4E6F49h
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+34h], eax
		test	eax, eax
		jz	loc_82122D
		push	[ebp+arg_18]
		push	[ebp+var_6C]
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)

loc_820BA2:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+C2Dj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+C52j
		push	[ebp+var_34]
		push	1
		push	[ebp+arg_24]
		push	ebx
		push	[ebp+arg_C]
		push	[ebp+arg_10]
		push	[ebp+var_28]
		mov	edx, [ebp+var_30]
		lea	ecx, [ebp+var_48]
		call	IopAllocRealFileObject
		mov	[ebp+var_20], eax
		mov	edi, [ebp+var_48]
		test	eax, eax
		js	loc_8212A2
		mov	eax, [ebp+var_68]
		mov	[eax+18h], edi
		mov	[esi+64h], edi

loc_820BD6:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+BECj
		cmp	dword ptr [ebx+4Ch], 0
		jnz	short loc_820C4F
		mov	[ebp+var_54], 0
		lea	eax, [ebp+var_54]
		push	eax
		push	esi
		call	_FsRtlGetEcpListFromIrp@8 ; FsRtlGetEcpListFromIrp(x,x)
		mov	[ebp+var_20], eax
		mov	ecx, [ebp+var_54]
		test	ecx, ecx
		jz	short loc_820C4F
		lea	edx, [ebp+var_5C]
		call	_IopSymlinkGetECP@8 ; IopSymlinkGetECP(x,x)
		cmp	eax, 0C0000225h
		jz	short loc_820C4F
		mov	ecx, [ebp+var_5C]
		call	_IopSymlinkGetMostRecentlyUsedName@4 ; IopSymlinkGetMostRecentlyUsedName(x)
		mov	edx, eax
		cmp	word ptr [edx+4], 0
		jnz	short loc_820C4F
		movzx	ecx, word ptr [edx+2]
		push	ecx
		mov	eax, [ebp+arg_14]
		mov	cx, [eax]
		mov	eax, [ebp+arg_18]
		sub	cx, [eax]
		movzx	ecx, cx
		push	ecx
		push	[ebp+arg_14]
		movzx	eax, word ptr [edx]
		push	eax
		mov	ecx, esi
		call	IopSymlinkUpdateECP
		mov	[ebp+var_20], eax
		test	eax, eax
		jns	short loc_820C4F
		mov	[esi+18h], eax
		mov	dword ptr [esi+1Ch], 0
		and	byte ptr [ebp+arg_4+3],	0FBh

loc_820C4F:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+CDAj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+CF5j ...
		lea	eax, [edi+5Ch]
		mov	[ebp+var_34], eax
		push	0
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[ebx+4], edi
		mov	al, byte ptr [ebp+arg_4+3]
		test	al, 4
		jz	short loc_820C84
		mov	ecx, esi
		call	IopQueueThreadIrp
		mov	edx, esi
		mov	ecx, [ebp+var_30]
		call	IoCallDriverWithTracing
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		mov	al, byte ptr [ebp+arg_4+3]
		jmp	short loc_820C87
; 

loc_820C84:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+D67j
		mov	ecx, [ebp+var_20]

loc_820C87:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+D82j
		cmp	ecx, 103h
		jnz	loc_820D3A
		mov	ecx, large fs:124h
		test	dword ptr [ecx+58h], 400h
		jz	short loc_820CA7
		and	al, 7Fh
		jmp	short loc_820CA9
; 

loc_820CA7:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+DA1j
		or	al, 80h

loc_820CA9:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+DA5j
		mov	byte ptr [ebp+arg_4+3],	al
		shr	al, 7
		mov	[ebp+var_80], eax
		push	0
		push	eax
		push	0
		push	0
		mov	edi, [ebp+var_34]
		push	edi
		call	KeWaitForSingleObject
		mov	[ebp+var_20], eax
		cmp	eax, 101h
		jnz	short loc_820D31
		lea	esp, [esp+0]

loc_820CD0:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+E1Bj
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_29], al
		mov	ecx, large fs:124h
		push	ecx
		call	_PsIsThreadTerminating@4 ; PsIsThreadTerminating(x)
		test	al, al
		jnz	short loc_820D1F
		push	edi
		call	_KeReadStateSemaphore@4	; KeReadStateSemaphore(x)
		test	eax, eax
		jnz	short loc_820CFB
		cmp	[esi+24h], al
		jnz	short loc_820D1F

loc_820CFB:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+DF4j
		mov	cl, [ebp+var_29]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	0
		push	[ebp+var_80]
		push	0
		push	0
		push	edi
		call	KeWaitForSingleObject
		mov	[ebp+var_20], eax
		cmp	eax, 101h
		jz	short loc_820CD0
		jmp	short loc_820D31
; 

loc_820D1F:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+DEAj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+DF9j
		mov	cl, [ebp+var_29]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, esi
		mov	ecx, edi
		call	_IopCancelAlertedRequest@8 ; IopCancelAlertedRequest(x,x)

loc_820D31:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+DCAj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+E1Dj
		mov	eax, [ebp+var_64]
		mov	[ebp+var_20], eax
		mov	edi, [ebp+var_48]

loc_820D3A:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+D8Dj
		lea	eax, [ebp+var_50]
		push	eax
		push	esi
		call	_FsRtlGetEcpListFromIrp@8 ; FsRtlGetEcpListFromIrp(x,x)
		mov	[ebp+var_20], eax
		mov	eax, [ebx+38h]
		and	eax, 8
		mov	[ebp+var_80], eax
		setnz	al
		mov	[ebp+var_29], al
		mov	byte ptr [ebp+var_19], al
		cmp	dword ptr [esi+18h], 104h
		jnz	loc_820ED2
		mov	eax, [esi+54h]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_50]
		test	eax, eax
		jz	short loc_820D84
		lea	edx, [ebp+var_5C]
		mov	ecx, eax
		call	_IopSymlinkGetECP@8 ; IopSymlinkGetECP(x,x)
		cmp	eax, 0C0000225h
		jnz	short loc_820DCC

loc_820D84:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+E71j
		mov	edx, [ebp+arg_14]
		mov	ax, [edx]
		mov	ecx, [ebp+arg_18]
		sub	ax, [ecx]
		movzx	eax, ax
		lea	ecx, [ebp+var_5C]
		push	ecx
		push	eax
		push	edx
		mov	edx, edi
		mov	ecx, esi
		call	IopSymlinkCreateECP
		mov	[ebp+var_20], eax
		mov	ecx, [ebp+var_50]
		test	eax, eax
		jns	short loc_820DBB
		mov	dword ptr [esi+1Ch], 0
		mov	eax, [ebp+var_20]
		mov	[esi+18h], eax
		jmp	short loc_820DCF
; 

loc_820DBB:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+EAAj
		test	ecx, ecx
		jnz	short loc_820DCF
		lea	eax, [ebp+var_50]
		push	eax
		push	esi
		call	_FsRtlGetEcpListFromIrp@8 ; FsRtlGetEcpListFromIrp(x,x)
		mov	[ebp+var_20], eax

loc_820DCC:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+E82j
		mov	ecx, [ebp+var_50]

loc_820DCF:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+EB9j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+EBDj
		mov	al, [ebp+var_29]
		mov	byte ptr [ebp+var_19], al
		cmp	dword ptr [esi+18h], 104h
		jnz	loc_820ED2
		mov	dl, al
		mov	byte ptr [ebp+var_19], dl
		mov	byte ptr [ebp+var_70], dl
		cmp	[ebp+var_80], 0
		jz	short loc_820E0B
		mov	byte ptr [ebp+var_19], al
		mov	byte ptr [ebp+var_70], al
		test	ecx, ecx
		jz	short loc_820E0B
		push	[ebp+var_44]
		mov	edx, [esi+1Ch]
		call	_IopCheckAndUpdateStopOnSymlinkEcp@12 ;	IopCheckAndUpdateStopOnSymlinkEcp(x,x,x)
		mov	byte ptr [ebp+var_19], al
		mov	byte ptr [ebp+var_70], al

loc_820E0B:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+EEEj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+EF8j
		push	[ebp+var_70]
		push	[ebp+var_44]
		mov	edx, edi
		mov	ecx, esi
		call	IopSymlinkProcessReparse
		mov	eax, [esi+1Ch]
		cmp	eax, 0A0000003h
		jz	short loc_820E36
		cmp	eax, 0A000000Ch
		jz	short loc_820E36
		cmp	eax, 0A0000019h
		jnz	loc_820ED2

loc_820E36:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+F22j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+F29j
		cmp	dword ptr [esi+18h], 0
		jl	short loc_820EBA
		mov	eax, [ebp+var_44]
		movzx	edx, word ptr [eax+6]
		test	dx, dx
		setnz	cl
		dec	cl
		and	cl, 10h
		mov	al, byte ptr [ebp+arg_4+3]
		and	al, 0EFh
		or	al, cl
		mov	byte ptr [ebp+arg_4+3],	al
		mov	ecx, edx
		mov	edx, [ebp+arg_18]
		mov	edx, [edx+4]
		sub	edx, ecx
		mov	ecx, [ebp+arg_18]
		movzx	ecx, word ptr [ecx]
		test	al, 10h
		jnz	short loc_820E73
		cmp	word ptr [edx+ecx], 3Ah
		jnz	short loc_820EBA

loc_820E73:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+F6Aj
		mov	eax, [ebx+28h]
		mov	edx, [ebp+var_44]
		test	al, 41h
		jnz	short loc_820EBD
		mov	ecx, [ebp+var_68]
		cmp	byte ptr [ecx],	0
		jnz	short loc_820EBD
		mov	ecx, [edx]
		cmp	ecx, 0A0000003h
		jz	short loc_820EB2
		cmp	ecx, 0A000000Ch
		jnz	short loc_820EBD
		cmp	dword ptr [edx+10h], 0
		jl	short loc_820EB2
		cmp	ecx, ecx
		jnz	short loc_820EBD
		test	dword ptr [edx+10h], 40000000h
		jz	short loc_820EBD
		or	eax, 40h
		mov	[ebx+28h], eax
		jmp	short loc_820EBD
; 

loc_820EB2:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+F8Dj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+F9Bj
		or	eax, 1
		mov	[ebx+28h], eax
		jmp	short loc_820EBD
; 

loc_820EBA:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+F3Aj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+F71j
		mov	edx, [ebp+var_44]

loc_820EBD:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+F7Bj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+F83j ...
		cmp	byte ptr [ebp+var_19], 0
		jnz	short loc_820ED2
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_44], 0

loc_820ED2:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+E60j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+EDCj ...
		cmp	dword ptr [esi+18h], 0
		jnz	short loc_820F08
		cmp	dword ptr [ebx+4Ch], 0
		jnz	short loc_820F08
		push	[ebp+arg_14]
		mov	edx, [ebp+var_50]
		mov	ecx, edi
		call	IopSymlinkPropagateToExtensionIfNeeded
		mov	[ebp+var_20], eax
		test	eax, eax
		jns	short loc_820F08
		push	edi
		push	[ebp+var_30]
		call	_IoCancelFileOpen@8 ; IoCancelFileOpen(x,x)
		mov	dword ptr [esi+1Ch], 0
		mov	eax, [ebp+var_20]
		mov	[esi+18h], eax

loc_820F08:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+FD6j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+FDCj ...
		mov	eax, [ebp+var_50]
		test	eax, eax
		jz	short loc_820F12
		mov	[ebx+68h], eax

loc_820F12:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+100Dj
		mov	ecx, [esi+18h]
		mov	[ebp+var_64], ecx
		mov	eax, [esi+1Ch]
		mov	[ebp+var_60], eax
		mov	[ebp+var_20], ecx
		mov	dword ptr [edi+60h], 1
		test	byte ptr [ebp+arg_4+3],	4
		jz	short loc_820F3B
		mov	eax, [ebp+var_4C]
		mov	[esi+50h], eax
		mov	ecx, esi
		call	IopDequeueIrpFromThread

loc_820F3B:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+102Cj
		mov	eax, [esi+8]
		and	eax, 30h
		cmp	al, 30h
		jnz	short loc_820F50
		push	0
		mov	eax, [esi+0Ch]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_820F50:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1043j
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		mov	eax, [ebp+var_60]
		mov	[ebx+0Ch], eax
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		js	loc_821712
		cmp	ecx, 104h
		jnz	loc_82144A
		test	eax, eax
		jz	short loc_820F97
		cmp	eax, 2
		jz	short loc_820F97
		cmp	eax, 0A0000003h
		jz	short loc_820F91
		cmp	eax, 0A000000Ch
		jz	short loc_820F91
		cmp	eax, 0A0000019h
		jnz	short loc_821006

loc_820F91:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1081j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1088j
		cmp	byte ptr [ebp+var_19], 0
		jnz	short loc_821006

loc_820F97:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1075j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+107Aj
		lea	esi, [edi+30h]
		movzx	eax, word ptr [esi]
		mov	ecx, [ebp+arg_14]
		cmp	[ecx+2], ax
		jnb	short loc_820FE0
		push	63466F49h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_80], eax
		test	eax, eax
		jz	loc_8212F6
		mov	ecx, [ebp+arg_14]
		mov	ecx, [ecx+4]
		test	ecx, ecx
		jz	short loc_820FD3
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_80]

loc_820FD3:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+10C6j
		mov	ecx, [ebp+arg_14]
		mov	[ecx+4], eax
		mov	ax, [esi]
		mov	[ecx+2], ax

loc_820FE0:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+10A4j
		push	esi
		push	ecx
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	eax, [ebp+var_60]
		cmp	eax, 0A0000003h
		jz	short loc_820FFF
		cmp	eax, 0A000000Ch
		jz	short loc_820FFF
		cmp	eax, 0A0000019h
		jnz	short loc_821006

loc_820FFF:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+10EFj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+10F6j
		mov	dword ptr [ebx+14h], 0

loc_821006:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+108Fj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1095j ...
		cmp	word ptr [edi+30h], 0
		jz	short loc_82101E
		push	0
		mov	eax, [edi+34h]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[edi+30h], ax

loc_82101E:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+110Bj
		mov	dword ptr [edi+4], 0
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	dword ptr [ebx+4], 0
		push	0
		xor	dl, dl
		mov	esi, [ebp+var_28]
		mov	ecx, esi
		call	IopDecrementDeviceObjectRef
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jz	short loc_82104F
		mov	ecx, eax
		call	IopDereferenceVpbAndFree

loc_82104F:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1146j
		mov	ecx, [ebp+var_60]
		cmp	ecx, 1
		jnz	loc_82132F
		mov	esi, [ebp+var_8C]
		inc	esi
		mov	[ebp+var_8C], esi
		cmp	esi, 20h
		ja	loc_821316
		mov	eax, [ebp+arg_28]
		mov	dword ptr [eax], 0
		mov	[ebp+var_48], 0
		jmp	loc_81FFD1
; 

loc_821086:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+269j
		call	ObfDereferenceObject
		push	0
		xor	dl, dl
		mov	ecx, edi
		call	IopDecrementDeviceObjectRef
		mov	dword ptr [ebx+8], 0C0000022h
		mov	eax, 0C0000022h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_8210B6:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+7F1j
		test	edi, edi
		jz	short loc_8210C1
		mov	ecx, edi
		call	IopDereferenceVpbAndFree

loc_8210C1:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+5ECj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+6C0j ...
		mov	esi, [ebp+var_28]

loc_8210C4:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+769j
		push	0
		xor	dl, dl
		mov	ecx, esi
		call	IopDecrementDeviceObjectRef
		mov	eax, 0C0000022h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_8210E8:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+819j
		test	edi, edi
		jz	short loc_8210F3
		mov	ecx, edi
		call	IopDereferenceVpbAndFree

loc_8210F3:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+11EAj
		push	0
		xor	dl, dl
		mov	ecx, [ebp+var_28]
		call	IopDecrementDeviceObjectRef

loc_8210FF:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+786j
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_821116:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+89Fj
		push	0
		xor	dl, dl
		mov	ecx, [ebp+var_28]
		call	IopDecrementDeviceObjectRef
		test	edi, edi
		jz	short loc_82112D
		mov	ecx, edi
		call	IopDereferenceVpbAndFree

loc_82112D:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1224j
		mov	eax, 0C0000022h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_821146:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+9D3j
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		push	0
		xor	dl, dl
		mov	ecx, [ebp+var_28]
		call	IopDecrementDeviceObjectRef
		test	edi, edi
		jz	short loc_821163
		mov	ecx, edi
		call	IopDereferenceVpbAndFree

loc_821163:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+125Aj
		mov	ecx, [ebp+var_48]
		test	ecx, ecx
		jz	loc_82176B
		mov	dword ptr [ecx+4], 0
		call	ObfDereferenceObject
		mov	eax, [ebp+var_20]
		mov	[ebx+8], eax
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_821194:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+A7Bj
		push	[ebp+var_54]
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		mov	ecx, esi

loc_82119E:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+12DCj
		xor	dl, dl
		push	0
		call	IopDecrementDeviceObjectRef
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	loc_82176B
		call	IopDereferenceVpbAndFree
		mov	eax, [ebp+var_20]
		mov	[ebx+8], eax
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_8211D1:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+AECj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+B1Aj
		push	[ebp+var_54]
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		mov	ecx, [ebp+var_28]
		jmp	short loc_82119E
; 

loc_8211DE:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+BD3j
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		push	0
		xor	dl, dl
		mov	ecx, [ebp+var_28]
		call	IopDecrementDeviceObjectRef
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_8211FC
		call	IopDereferenceVpbAndFree

loc_8211FC:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+12F5j
		mov	dword ptr [edi+4], 0
		cmp	byte ptr [ebx+55h], 0
		jnz	loc_82178A
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, 0C000009Ah
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_82122D:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+C91j
		cmp	dword ptr [edi+7Ch], 0
		jz	short loc_82123A
		mov	ecx, edi
		call	IopDeleteFileObjectExtension

loc_82123A:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1331j
		push	0
		xor	dl, dl
		mov	ecx, [ebp+var_28]
		call	IopDecrementDeviceObjectRef
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_821252
		call	IopDereferenceVpbAndFree

loc_821252:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+134Bj
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		mov	eax, 0C000009Ah
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_821271:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+C0Dj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+C17j
		mov	ecx, [esi+18h]
		mov	[ebx+8], ecx
		mov	eax, [esi+1Ch]
		mov	[ebx+0Ch], eax
		cmp	ecx, 104h
		jnz	short loc_8212A2
		mov	eax, [esi+54h]
		test	eax, eax
		jz	short loc_8212A2
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [esi+54h], 0
		mov	dword ptr [ebx+14h], 0

loc_8212A2:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+CC7j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1383j ...
		cmp	word ptr [edi+30h], 0
		jz	short loc_8212B4
		push	0
		mov	eax, [edi+34h]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8212B4:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+13A7j
		cmp	dword ptr [edi+7Ch], 0
		jz	short loc_8212C1
		mov	ecx, edi
		call	IopDeleteFileObjectExtension

loc_8212C1:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+13B8j
		push	0
		xor	dl, dl
		mov	ecx, [ebp+var_28]
		call	IopDecrementDeviceObjectRef
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_8212D9
		call	IopDereferenceVpbAndFree

loc_8212D9:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+13D2j
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_8212F6:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+10B8j
		mov	dword ptr [ebx+8], 0C000009Ah
		mov	eax, 0C000009Ah
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_821316:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+116Bj
		mov	eax, 0C0000001h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_82132F:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1155j
		mov	dword ptr [ebx+14h], 0
		cmp	ecx, 0A0000003h
		jz	short loc_82134E
		cmp	ecx, 0A000000Ch
		jz	short loc_82134E
		cmp	ecx, 0A0000019h
		jnz	short loc_821388

loc_82134E:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+143Cj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1444j
		mov	eax, [ebx+5Ch]
		or	eax, 10h
		mov	[ebx+5Ch], eax
		mov	edx, [esi+2Ch]
		cmp	edx, 7
		jz	short loc_821377
		cmp	edx, 2
		jz	short loc_821377
		cmp	edx, 24h
		jz	short loc_821377
		cmp	edx, 1Fh
		jz	short loc_821377
		cmp	edx, 11h
		jz	short loc_821377
		xor	dl, dl
		jmp	short loc_821379
; 

loc_821377:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+145Dj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1462j ...
		mov	dl, 1

loc_821379:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1475j
		test	dl, dl
		jz	short loc_821382
		or	eax, 8
		jmp	short loc_821385
; 

loc_821382:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+147Bj
		and	eax, 0FFFFFFF7h

loc_821385:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1480j
		mov	[ebx+5Ch], eax

loc_821388:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+144Cj
		cmp	byte ptr [ebx+54h], 0
		jnz	loc_8217C6
		mov	eax, [esi+0B0h]
		test	dword ptr [eax+10h], 800h
		jnz	short loc_8213B8
		mov	edx, [ebp+arg_8]
		mov	eax, [edx+18h]
		mov	[edx+10h], eax
		mov	dword ptr [edx+14h], 0
		and	dword ptr [edx+0Ch], 0FFFFFEFFh

loc_8213B8:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+149Fj
		cmp	ecx, 0A0000003h
		jz	short loc_8213D0
		cmp	ecx, 0A000000Ch
		jz	short loc_8213D0
		cmp	ecx, 0A0000019h
		jnz	short loc_821404

loc_8213D0:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+14BEj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+14C6j
		cmp	byte ptr [ebp+var_19], 0
		jz	short loc_8213FC
		mov	eax, [ebp+var_44]
		mov	[ebx+0Ch], eax
		mov	dword ptr [ebx+8], 8000002Dh
		mov	eax, 8000002Dh
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_8213FC:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+14D4j
		cmp	ecx, 0A0000019h
		jz	short loc_821422

loc_821404:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+14CEj
		cmp	ecx, 2
		jz	short loc_821422
		mov	eax, 104h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_821422:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1502j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1507j
		mov	ebx, [ebp+arg_24]
		mov	eax, [ebx+8]
		push	eax
		call	_PsGetParentSilo@4 ; PsGetParentSilo(x)
		mov	[ebx+8], eax
		mov	eax, 368h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_82144A:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+106Dj
		push	edi
		call	IoGetRelatedDeviceObject
		mov	esi, eax
		mov	[ebp+arg_C], esi
		cmp	[ebp+var_30], esi
		jz	short loc_82147D
		mov	ecx, [edi+8]
		mov	eax, [ebp+var_3C]
		cmp	ecx, eax
		jz	short loc_82147D
		test	ecx, ecx
		jz	short loc_821472
		mov	dl, 1
		call	IopIncrementVpbRefCount
		mov	eax, [ebp+var_3C]

loc_821472:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1566j
		test	eax, eax
		jz	short loc_82147D
		mov	ecx, eax
		call	IopDereferenceVpbAndFree

loc_82147D:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1558j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1562j ...
		test	byte ptr [ebp+arg_4+3],	40h
		jnz	short loc_8214E7
		mov	eax, [ebp+arg_28]
		mov	[eax], edi
		mov	dword ptr [ebx+10h], 0BEAA0251h
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [edi+20h]
		test	eax, eax
		jz	short loc_8214A6
		test	dword ptr [eax+2Ch], 400000h
		jz	short loc_8214CD

loc_8214A6:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+159Bj
		cmp	word ptr [edi+30h], 0
		jnz	short loc_8214CD
		mov	eax, [esi+2Ch]
		add	eax, 0FFFFFFFDh
		cmp	eax, 1Dh
		ja	short loc_8214CD
		movzx	eax, ds:byte_8217E0[eax]
		jmp	ds:off_8217D8[eax*4]

loc_8214C6:				; DATA XREF: PAGE:off_8217D8o
		or	dword ptr [edi+2Ch], 400000h

loc_8214CD:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+15A4j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+15ABj ...
		mov	eax, [ebp+var_64]
		mov	[ebx+8], eax
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_8214E7:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1581j
		cmp	byte ptr [ebx+55h], 0
		jz	loc_8216E6
		cmp	byte ptr [ebx+80h], 0
		jz	short loc_821514
		lea	ecx, [ebx+7Ch]
		push	ecx
		mov	eax, [ebx+48h]
		push	eax
		mov	eax, [ecx]
		push	eax
		mov	eax, [ebx+78h]
		push	eax
		push	edi
		call	_IoQueryFileInformation@20 ; IoQueryFileInformation(x,x,x,x,x)
		jmp	loc_8216E3
; 

loc_821514:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+15F8j
		xor	al, al
		mov	byte ptr [ebp+arg_8+3],	al
		mov	[ebp+var_3D], al
		mov	eax, [esi+8]
		mov	eax, [eax+28h]
		cmp	byte ptr [ebx+57h], 0
		jnz	loc_82165D
		mov	[ebp+var_5C], 0
		test	eax, eax
		jz	short loc_82153C
		mov	esi, [eax+10h]
		jmp	short loc_82153E
; 

loc_82153C:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1635j
		xor	esi, esi

loc_82153E:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+163Aj
		mov	[ebp+arg_14], esi
		mov	[ebp+var_4], 0
		test	esi, esi
		jz	short loc_821593
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_82155C
		call	_VfFastIoSnapState@0 ; VfFastIoSnapState()
		jmp	short loc_82155E
; 

loc_82155C:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1653j
		xor	eax, eax

loc_82155E:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+165Aj
		mov	[ebp+arg_18], eax
		mov	[ebp+var_A4], eax
		mov	[ebp+var_4], 1
		push	[ebp+arg_C]
		lea	eax, [ebp+var_64]
		push	eax
		mov	eax, [ebx+40h]
		push	eax
		push	1
		push	edi
		call	esi
		mov	byte ptr [ebp+arg_8+3],	al
		mov	[ebp+var_3D], al
		mov	[ebp+var_4], 0
		mov	ecx, [ebp+arg_18]
		call	sub_8215F6

loc_821593:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+164Aj
		cmp	byte ptr [ebp+arg_8+3],	0
		jnz	short loc_82160B
		mov	edx, 28h
		mov	ecx, 200h
		call	IopVerifierExAllocatePool
		mov	esi, eax
		mov	[ebp+var_5C], esi
		test	esi, esi
		jz	short loc_821602
		lea	eax, [ebp+var_74]
		push	eax
		push	esi
		push	28h
		push	4
		push	edi
		call	_IoQueryFileInformation@20 ; IoQueryFileInformation(x,x,x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		js	short loc_8215D7
		push	[ebp+var_74]	; size_t
		push	esi		; void *
		mov	eax, [ebx+40h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_8215D7:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+16C5j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_821611
_IopParseDevice@44 endp


;  S U B	R O U T	I N E 


sub_8215E1	proc near		; DATA XREF: .text:006A5C2Co
		mov	edi, [ebp-48h]
		mov	ecx, [ebp-0A4h]
		mov	al, [ebp-3Dh]
		mov	[ebp+13h], al
		mov	esi, [ebp+1Ch]
		mov	ebx, [ebp+24h]
sub_8215E1	endp


;  S U B	R O U T	I N E 


sub_8215F6	proc near		; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+168Ep
		test	ecx, ecx
		jz	short locret_821601
		mov	edx, esi
		call	_VfFastIoCheckState@8 ;	VfFastIoCheckState(x,x)

locret_821601:				; CODE XREF: sub_8215F6+2j
		retn
sub_8215F6	endp

; 
; START	OF FUNCTION CHUNK FOR _IopParseDevice@44

loc_821602:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+16AFj
		mov	[ebp+var_20], 0C000009Ah
		jmp	short loc_821611
; 

loc_82160B:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1697j
		mov	eax, [ebp+var_64]
		mov	[ebp+var_20], eax

loc_821611:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+16DFj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1709j
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_8216E6
; END OF FUNCTION CHUNK	FOR _IopParseDevice@44

;  S U B	R O U T	I N E 


sub_82161D	proc near		; DATA XREF: .text:006A5C1Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A8h], eax
		mov	eax, 1
		retn
sub_82161D	endp


;  S U B	R O U T	I N E 


sub_821630	proc near		; DATA XREF: .text:006A5C20o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-5Ch]
		test	eax, eax
		jz	short loc_821642
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_821642:				; CODE XREF: sub_821630+8j
		mov	eax, [ebp-0A8h]
		mov	[ebp-20h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-48h]
		mov	ebx, [ebp+24h]
		jmp	loc_8216E6
sub_821630	endp

; 
; START	OF FUNCTION CHUNK FOR _IopParseDevice@44

loc_82165D:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1626j
		test	eax, eax
		jz	short loc_8216AC
		cmp	dword ptr [eax], 38h
		jbe	short loc_8216AC
		mov	eax, [eax+38h]
		mov	[ebp+arg_14], eax
		test	eax, eax
		jz	short loc_8216AC
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_821683
		call	_VfFastIoSnapState@0 ; VfFastIoSnapState()
		mov	[ebp+arg_18], eax
		jmp	short loc_82168A
; 

loc_821683:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1777j
		mov	[ebp+arg_18], 0

loc_82168A:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1781j
		push	esi
		lea	eax, [ebp+var_64]
		push	eax
		mov	eax, [ebx+44h]
		push	eax
		push	1
		push	edi
		mov	esi, [ebp+arg_14]
		call	esi
		mov	byte ptr [ebp+arg_8+3],	al
		mov	ecx, [ebp+arg_18]
		test	ecx, ecx
		jz	short loc_8216AF
		mov	edx, esi
		call	_VfFastIoCheckState@8 ;	VfFastIoCheckState(x,x)

loc_8216AC:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+175Fj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1764j ...
		mov	al, byte ptr [ebp+arg_8+3]

loc_8216AF:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+17A3j
		test	al, al
		jnz	short loc_8216E6
		lea	eax, [ebp+var_74]
		push	eax
		mov	eax, [ebx+44h]
		push	eax
		push	38h
		push	22h
		push	edi
		call	_IoQueryFileInformation@20 ; IoQueryFileInformation(x,x,x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jns	short loc_8216E6
		cmp	eax, 0C000000Dh
		jz	short loc_8216DA
		cmp	eax, 0C0000002h
		jnz	short loc_8216E6

loc_8216DA:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+17D1j
		mov	edx, ebx
		mov	ecx, edi
		call	IopGetNetworkOpenInformation

loc_8216E3:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+160Fj
		mov	[ebp+var_20], eax

loc_8216E6:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+15EBj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1718j ...
		mov	dword ptr [ebx+10h], 0BEAA0251h
		push	1
		push	1
		push	edi
		push	0
		call	_IopCloseFile@16 ; IopCloseFile(x,x,x,x)
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	dword ptr [ebx+4], 0
		mov	eax, [ebp+var_20]
		mov	[ebx+8], eax
		jmp	loc_8217B2
; 

loc_821712:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1061j
		test	dword ptr [edi+2Ch], 200000h
		jz	short loc_821724
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	short loc_821764
; 

loc_821724:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1819j
		cmp	word ptr [edi+30h], 0
		jz	short loc_82173C
		push	0
		mov	eax, [edi+34h]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[edi+30h], ax

loc_82173C:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1829j
		mov	dword ptr [edi+4], 0
		mov	ecx, edi
		call	ObfDereferenceObject
		push	0
		xor	dl, dl
		mov	ecx, [ebp+var_28]
		call	IopDecrementDeviceObjectRef
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jz	short loc_821764
		mov	ecx, eax
		call	IopDereferenceVpbAndFree

loc_821764:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1822j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+185Bj
		mov	dword ptr [ebx+4], 0

loc_82176B:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1268j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+12ACj
		mov	eax, [ebp+var_20]

loc_82176E:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1BEj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+20Ej
		mov	[ebx+8], eax
		jmp	short loc_8217B2
; 

loc_821773:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+8BFj
		push	0
		xor	dl, dl
		mov	ecx, [ebp+var_28]
		call	IopDecrementDeviceObjectRef
		test	edi, edi
		jz	short loc_82178A
		mov	ecx, edi
		call	IopDereferenceVpbAndFree

loc_82178A:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1307j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1881j
		mov	eax, 0C000009Ah
		jmp	short loc_8217B2
; 

loc_821791:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+F6j
		mov	dword ptr [ebx+10h], 0BEAA0251h
		mov	[ebx+14h], eax
		mov	dword ptr [ebx+8], 0
		mov	ecx, eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	eax, eax
		jmp	short loc_8217B2
; 

loc_8217AD:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+95j
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+CBj ...
		mov	eax, 0C0000024h

loc_8217B2:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+180Dj
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1871j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
; 

loc_8217C6:				; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+148Cj
		push	ecx
		push	[ebp+arg_14]
		push	[ebp+var_30]
		push	esi
		push	0F9h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; END OF FUNCTION CHUNK	FOR _IopParseDevice@44
; 
off_8217D8	dd offset loc_8214C6	; DATA XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+15BFr
		dd offset loc_8214CD
byte_8217E0	db 0			; DATA XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+15B8r
		db 3 dup(1)
		dd 1000001h, 5 dup(1010101h), 0CCCC0001h, 4 dup(0CCCCCCCCh)
; Exported entry 2251. RtlMapGenericMask

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlMapGenericMask(x, x)
		public _RtlMapGenericMask@8
_RtlMapGenericMask@8 proc near		; CODE XREF: SepCreateAccessStateFromSubjectContext(x,x,x,x,x)+126p
					; AlpcpCheckConnectionSecurity+12Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		mov	eax, [edx]
		test	eax, eax
		js	short loc_821843

loc_821822:				; CODE XREF: RtlMapGenericMask(x,x)+3Bj
		test	eax, 40000000h
		jnz	short loc_821852

loc_821829:				; CODE XREF: RtlMapGenericMask(x,x)+4Bj
		test	eax, 20000000h
		jnz	short loc_82185D

loc_821830:				; CODE XREF: RtlMapGenericMask(x,x)+56j
		test	eax, 10000000h
		jnz	short loc_82184D

loc_821837:				; CODE XREF: RtlMapGenericMask(x,x)+40j
		and	eax, 0FFFFFFFh
		mov	[edx], eax
		pop	esi
		pop	ebp
		retn	8
; 

loc_821843:				; CODE XREF: RtlMapGenericMask(x,x)+10j
		mov	ecx, [esi]
		or	ecx, eax
		mov	[edx], ecx
		mov	eax, ecx
		jmp	short loc_821822
; 

loc_82184D:				; CODE XREF: RtlMapGenericMask(x,x)+25j
		or	eax, [esi+0Ch]
		jmp	short loc_821837
; 

loc_821852:				; CODE XREF: RtlMapGenericMask(x,x)+17j
		mov	ecx, [esi+4]
		or	ecx, eax
		mov	[edx], ecx
		mov	eax, ecx
		jmp	short loc_821829
; 

loc_82185D:				; CODE XREF: RtlMapGenericMask(x,x)+1Ej
		mov	ecx, [esi+8]
		or	ecx, eax
		mov	[edx], ecx
		mov	eax, ecx
		jmp	short loc_821830
_RtlMapGenericMask@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCheckBackupRestorePrivilege proc near
					; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+2D9p

var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009209CE SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1A], 0
		xor	cl, cl
		mov	esi, edx
		mov	[ebp+var_19], cl
		mov	eax, [edi+0Ch]
		test	eax, 100h
		jnz	loc_821947
		test	dword ptr [esi], 4000h
		jz	loc_821947
		push	ebx
		mov	ebx, [edi+10h]
		or	eax, 100h
		mov	[edi+0Ch], eax
		test	ebx, 2000000h
		jnz	loc_9209CE

loc_8218C3:				; CODE XREF: IopCheckBackupRestorePrivilege+FF164j
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		cmp	eax, 1
		jnz	loc_8219F1

loc_8218D2:				; CODE XREF: IopCheckBackupRestorePrivilege+184j
					; IopCheckBackupRestorePrivilege+18Dj
		mov	eax, ebx
		and	eax, 11200A9h
		mov	[ebp+var_20], eax
		jz	short loc_82192E
		mov	eax, ds:_SeBackupPrivilege
		mov	[ebp+var_10], eax
		mov	eax, ds:dword_A949E4
		mov	[ebp+var_18], 1
		mov	[ebp+var_14], 1
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], 0
		test	dl, dl
		jz	short loc_821959
		mov	eax, [edi+1Ch]
		test	eax, eax
		jnz	loc_8219E2
		mov	eax, [edi+24h]

loc_821915:				; CODE XREF: IopCheckBackupRestorePrivilege+176j
		push	edx
		push	1
		push	1
		lea	edx, [ebp+var_10]
		mov	ecx, eax
		call	_SepPrivilegeCheck@20 ;	SepPrivilegeCheck(x,x,x,x,x)
		test	al, al
		jnz	short loc_821959

loc_821928:				; CODE XREF: IopCheckBackupRestorePrivilege+10Ej
		mov	edx, [ebp+arg_0]
		mov	cl, [ebp+var_19]

loc_82192E:				; CODE XREF: IopCheckBackupRestorePrivilege+6Cj
					; IopCheckBackupRestorePrivilege+17Cj ...
		and	ebx, 11F0116h
		jnz	short loc_821980
		test	cl, cl
		jnz	short loc_821980

loc_82193A:				; CODE XREF: IopCheckBackupRestorePrivilege+145j
		cmp	[ebp+var_1A], 0
		jnz	short loc_821946
		and	dword ptr [esi], 0FFFFBFFFh

loc_821946:				; CODE XREF: IopCheckBackupRestorePrivilege+CEj
		pop	ebx

loc_821947:				; CODE XREF: IopCheckBackupRestorePrivilege+29j
					; IopCheckBackupRestorePrivilege+35j
		pop	edi
		pop	esi
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_821959:				; CODE XREF: IopCheckBackupRestorePrivilege+95j
					; IopCheckBackupRestorePrivilege+B6j
		lea	eax, [ebp+var_18]
		mov	[ebp+var_1A], 1
		push	eax
		push	edi
		call	SeAppendPrivileges
		mov	eax, [ebp+var_20]
		and	ebx, 0FEEDFF56h
		or	[edi+14h], eax
		and	dword ptr [edi+10h], 0FEEDFF56h
		or	dword ptr [edi+0Ch], 2
		jmp	short loc_821928
; 

loc_821980:				; CODE XREF: IopCheckBackupRestorePrivilege+C4j
					; IopCheckBackupRestorePrivilege+C8j
		mov	eax, ds:_SeRestorePrivilege
		mov	[ebp+var_10], eax
		mov	eax, ds:dword_A949DC
		mov	[ebp+var_C], eax
		lea	eax, [edi+1Ch]
		push	edx
		push	eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], 1
		push	eax
		mov	[ebp+var_14], 1
		mov	[ebp+var_8], 0
		call	_SePrivilegeCheck@12 ; SePrivilegeCheck(x,x,x)
		test	al, al
		jz	short loc_82193A
		lea	eax, [ebp+var_18]
		push	eax
		push	edi
		call	SeAppendPrivileges
		or	[edi+14h], ebx
		and	dword ptr [edi+10h], 0FEE0FEE9h
		or	dword ptr [edi+0Ch], 4
		mov	ecx, [ebp+var_4]
		pop	ebx
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_8219E2:				; CODE XREF: IopCheckBackupRestorePrivilege+9Cj
		cmp	dword ptr [edi+20h], 2
		jge	loc_821915
		jmp	loc_82192E
; 

loc_8219F1:				; CODE XREF: IopCheckBackupRestorePrivilege+5Cj
		cmp	eax, 3
		jz	loc_8218D2
		cmp	eax, 5
		jz	loc_8218D2
		mov	cl, 1
		jmp	loc_82192E
IopCheckBackupRestorePrivilege endp

; 
		align 10h
; Exported entry 2504. SeSetAccessStateGenericMapping

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeSetAccessStateGenericMapping(x, x)
		public _SeSetAccessStateGenericMapping@8
_SeSetAccessStateGenericMapping@8 proc near
					; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+2A5p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	edx, [eax+30h]
		mov	eax, [ecx]
		mov	[edx+4], eax
		mov	eax, [ecx+4]
		mov	[edx+8], eax
		mov	eax, [ecx+8]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+0Ch]
		mov	[edx+10h], eax
		pop	ebp
		retn	8
_SeSetAccessStateGenericMapping@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSynchronousServiceTail(x, x, x, x, x, x,	x)
_IopSynchronousServiceTail@28 proc near	; CODE XREF: IopQueueCopyWrite(x)+22p
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+561p ...

var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	[ebp+arg_C], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	[ebp+var_20], ecx
		push	edi
		mov	ecx, [ebx+6Ch]
		mov	edi, edx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_30], ecx
		jnz	loc_821B07
		cmp	dword ptr [edi+30h], 0
		jnz	loc_821B07
		cmp	dword ptr [edi+34h], 0
		jz	short loc_821A9C
		cmp	dword ptr [edi+2Ch], 0
		jnz	short loc_821A9C
		test	ecx, ecx
		jz	short loc_821A9C
		mov	edx, ebx
		mov	ecx, edi
		call	IopQueueIrpToFileObject
		test	al, al
		jz	short loc_821B11
		jmp	short loc_821B18
; 

loc_821A9C:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+41j
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+47j	...
		test	byte ptr [edi+8], 10h
		jnz	short loc_821B11
		test	ecx, ecx
		jnz	short loc_821B11
		cmp	[ebx+7Ch], ecx
		jz	short loc_821B11
		push	ecx
		lea	edx, [ecx+2]
		mov	ecx, ebx
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_821B11
		lea	esp, [esp+0]

loc_821AC0:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+B9j
		mov	eax, [edi+28h]
		cmp	eax, [esi]
		jb	short loc_821AF4
		add	eax, 8
		cmp	eax, [esi+4]
		ja	short loc_821AF4
		mov	ecx, large fs:124h
		mov	eax, [esi+10h]
		mov	ebx, [ebp+var_24]
		mov	[ebp+var_1C], ebx
		cmp	eax, [ecx+80h]
		jnz	short loc_821AF4
		mov	edx, ebx
		mov	ecx, edi
		call	IopQueueIrpToFileObject
		test	al, al
		jnz	short loc_821AFD

loc_821AF4:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+85j
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+8Dj	...
		mov	esi, [esi+14h]
		test	esi, esi
		jnz	short loc_821AC0
		jmp	short loc_821B11
; 

loc_821AFD:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+B2j
		mov	eax, [esi+0Ch]
		sub	eax, [esi]
		add	[edi+28h], eax
		jmp	short loc_821B18
; 

loc_821B07:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+2Dj
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+37j
		test	byte ptr [ebx+2Ch], 2
		jz	short loc_821B11
		or	byte ptr [edi+27h], 2

loc_821B11:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+58j
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+60j	...
		mov	ecx, edi
		call	IopQueueThreadIrp

loc_821B18:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+5Aj
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+C5j
		lea	eax, [ebx+7Ch]
		mov	[ebp+var_28], eax
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_821B66
		test	byte ptr [eax],	4
		jz	short loc_821B66
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		call	_PsIsProcessAppContainer@4 ; PsIsProcessAppContainer(x)
		test	al, al
		jz	short loc_821B60
		xor	dl, dl
		mov	[ebp+var_20], 0C0000910h
		mov	ecx, edi
		mov	dword ptr [edi+18h], 0C0000910h
		call	IofCompleteRequest
		mov	esi, [ebp+var_24]
		mov	bh, [ebp+arg_C]
		jmp	loc_821D79
; 

loc_821B60:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+FCj
		mov	ebx, [ebp+var_24]
		mov	[ebp+var_1C], ebx

loc_821B66:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+E2j
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+E7j
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jz	short loc_821BAE
		cmp	esi, 1
		jz	short loc_821BAE
		cmp	_IoCountOperations, 1
		jnz	loc_821C1D
		mov	eax, large fs:124h
		mov	ecx, 1
		mov	eax, [eax+150h]
		add	eax, 200h
		lock add [eax],	ecx
		jnb	short loc_821B9F
		lock adc dword ptr [eax+4], 0

loc_821B9F:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+158j
		inc	large dword ptr	fs:624h
		mov	ebx, [ebp+var_24]
		mov	[ebp+var_1C], ebx
		jmp	short loc_821C1D
; 

loc_821BAE:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+12Bj
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+130j
		mov	eax, [ebp+var_20]
		mov	eax, [eax+2Ch]
		cmp	eax, 8
		jz	short loc_821BC8
		sub	eax, 7
		jz	short loc_821BC8
		sub	eax, 2
		jz	short loc_821BC8
		sub	eax, 1Bh
		jnz	short loc_821BDC

loc_821BC8:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+177j
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+17Cj ...
		mov	edx, large fs:124h
		mov	ecx, edi
		call	IoSetDiskIoAttributionFromThread
		mov	ebx, [ebp+var_24]
		mov	[ebp+var_1C], ebx

loc_821BDC:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+186j
		test	esi, esi
		jnz	short loc_821C18
		cmp	_IoCountOperations, 1
		jnz	short loc_821C1D
		mov	eax, large fs:124h
		mov	ecx, 1
		mov	eax, [eax+150h]
		add	eax, 1F0h
		lock add [eax],	ecx
		jnb	short loc_821C09
		lock adc dword ptr [eax+4], 0

loc_821C09:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+1C2j
		inc	large dword ptr	fs:61Ch
		mov	ebx, [ebp+var_24]
		mov	[ebp+var_1C], ebx
		jmp	short loc_821C1D
; 

loc_821C18:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+19Ej
		call	_IopUpdateWriteOperationCount@0	; IopUpdateWriteOperationCount()

loc_821C1D:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+139j
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+16Cj ...
		cmp	[ebp+arg_C], 0
		mov	[ebp+var_2C], ebx
		jnz	short loc_821C2D
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_821C2D:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+1E4j
		mov	edx, [ebp+var_28]
		mov	edx, [edx]
		test	edx, edx
		jz	short loc_821C51
		cmp	dword ptr [edx+28h], 0
		jz	short loc_821C51
		mov	eax, [edi+8]
		and	eax, 0FFF1FFFFh
		mov	[edi+8], eax
		mov	edx, [edx+28h]
		shl	edx, 11h
		or	edx, eax
		jmp	short loc_821CAE
; 

loc_821C51:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+1F4j
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+1FAj
		mov	ebx, large fs:124h
		mov	eax, [ebx+150h]
		mov	ecx, [ebx+2FCh]
		shr	ecx, 9
		and	ecx, 7
		mov	edx, [eax+0FCh]
		and	edx, 100000h
		neg	edx
		sbb	edx, edx
		not	edx
		and	edx, ecx
		cmp	edx, 2
		jnb	short loc_821C9A
		cmp	ebx, large fs:124h
		jnz	short loc_821C9A
		cmp	dword ptr [ebx+32Ch], 0
		jz	short loc_821C9A
		mov	edx, 2

loc_821C9A:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+241j
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+24Aj ...
		mov	eax, [edi+8]
		inc	edx
		and	eax, 0FFF1FFFFh
		shl	edx, 11h
		or	edx, eax
		mov	eax, [ebp+var_24]
		mov	[ebp+var_1C], eax

loc_821CAE:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+20Fj
		push	edi
		mov	[edi+8], edx
		call	_IoGetIoPriorityHint@4 ; IoGetIoPriorityHint(x)
		cmp	byte ptr [edi+20h], 0
		jnz	short loc_821CF3
		cmp	eax, 2
		jge	short loc_821D10
		mov	ecx, [edi+50h]
		test	ecx, ecx
		jz	short loc_821CDB
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_821CF3
		test	byte ptr [ecx+300h], 80h
		jnz	short loc_821CF3

loc_821CDB:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+287j
		mov	eax, [edi+8]
		inc	_IoKernelIssuedIoBoostedCount
		and	eax, 0FFF1FFFFh
		or	eax, 60000h
		mov	[edi+8], eax
		jmp	short loc_821D10
; 

loc_821CF3:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+27Bj
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+290j ...
		cmp	eax, 2
		jge	short loc_821D10
		sub	esi, 0
		jz	short loc_821D0A
		sub	esi, 1
		jnz	short loc_821D10
		inc	_IoLowPriorityWriteOperationCount
		jmp	short loc_821D10
; 

loc_821D0A:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+2BBj
		inc	_IoLowPriorityReadOperationCount

loc_821D10:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+280j
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+2B1j ...
		cmp	byte ptr [edi+27h], 0
		jl	short loc_821D5A
		mov	edx, [edi+68h]
		test	edx, edx
		jz	short loc_821D5A
		test	byte ptr [edx],	2
		jz	short loc_821D5A
		mov	eax, [edx+10h]
		mov	[ebp+var_18], eax
		mov	eax, [edx+14h]
		mov	[ebp+var_14], eax
		mov	eax, [edx+18h]
		mov	[ebp+var_10], eax
		mov	eax, [edx+1Ch]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_IoSetActivityIdThread@4 ; IoSetActivityIdThread(x)
		mov	ecx, [ebp+var_20]
		mov	edx, edi
		mov	esi, eax
		call	IofCallDriver
		push	esi
		mov	[ebp+var_20], eax
		call	_IoSetActivityIdThread@4 ; IoSetActivityIdThread(x)
		jmp	short loc_821D67
; 

loc_821D5A:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+2D4j
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+2DBj ...
		mov	ecx, [ebp+var_20]
		mov	edx, edi
		call	IofCallDriver
		mov	[ebp+var_20], eax

loc_821D67:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+318j
		mov	bh, [ebp+arg_C]
		test	bh, bh
		jnz	short loc_821D76
		push	[ebp+var_2C]
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)

loc_821D76:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+32Cj
		mov	esi, [ebp+var_1C]

loc_821D79:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+11Bj
		cmp	[ebp+arg_4], 0
		mov	ecx, [ebp+var_20]
		jz	short loc_821DBF
		cmp	ecx, 103h
		jz	short loc_821DBF
		mov	cl, 1
		mov	[ebp+var_1C], 0
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	bl, al
		lea	ecx, [edi+40h]
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		push	ecx
		call	_IopCompleteRequest@20 ; IopCompleteRequest(x,x,x,x,x)
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_20]

loc_821DBF:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+340j
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+348j
		test	bh, bh
		jz	short loc_821E23
		cmp	ecx, 103h
		jnz	short loc_821E04
		mov	dl, [ebp+arg_8]
		lea	eax, [esi+5Ch]
		push	eax
		mov	eax, [esi+2Ch]
		mov	ecx, edi
		shr	eax, 2
		and	al, 1
		movzx	eax, al
		push	eax
		call	_IopWaitForSynchronousIoEvent@16 ; IopWaitForSynchronousIoEvent(x,x,x,x)
		mov	ebx, [esi+1Ch]
		mov	ecx, esi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_821E04:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+389j
		mov	ebx, [ebp+var_20]
		mov	ecx, esi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_821E23:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+381j
		cmp	[ebp+var_30], 0
		mov	eax, ecx
		jz	short loc_821E3E
		and	eax, 0C0000000h
		cmp	eax, 80000000h
		mov	eax, 103h
		jz	short loc_821E3E
		mov	eax, ecx

loc_821E3E:				; CODE XREF: IopSynchronousServiceTail(x,x,x,x,x,x,x)+3E9j
					; IopSynchronousServiceTail(x,x,x,x,x,x,x)+3FAj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
_IopSynchronousServiceTail@28 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAllocRealFileObject proc near	; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+9C9p
					; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+CBAp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 009209D9 SIZE 0000013C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, [ebp+arg_4]
		mov	[esp+3Ch+var_C], eax
		xor	eax, eax
		mov	word ptr [esp+3Ch+var_38], ax
		mov	eax, ds:_IoFileObjectType
		mov	[esp+3Ch+var_24], eax
		mov	eax, large fs:20h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+44h+var_30], ecx
		mov	ebx, [eax+5C0h]
		mov	ecx, ebx
		push	edi
		mov	[esp+48h+var_34], edx
		mov	[esp+48h+var_18], 18h
		inc	dword ptr [ebx+0Ch]
		mov	[esp+48h+var_14], esi
		mov	[esp+48h+var_10], esi
		mov	[esp+48h+var_8], esi
		mov	[esp+48h+var_4], esi
		mov	byte ptr [esp+48h+var_38], 1
		mov	[esp+48h+var_20], esi
		mov	[esp+48h+var_1C], esi
		mov	[esp+48h+var_28], esi
		mov	[esp+48h+var_2C], eax
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8221B1
		mov	ebx, [esp+48h+var_2C]

loc_821EE0:				; CODE XREF: IopAllocRealFileObject+36Ej
					; IopAllocRealFileObject+390j
		mov	eax, [ebx+3CCh]
		xor	cl, cl
		mov	dl, [ebp+arg_8]
		push	0
		mov	[edi], eax
		lea	eax, [esp+4Ch+var_20]
		push	edi
		push	eax
		lea	eax, [esp+54h+var_18]
		push	eax
		call	ObpCaptureObjectCreateInformation
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9209F7
		mov	ebx, [esp+58h+var_34]
		mov	eax, [edi]
		test	[ebx+30h], eax
		jnz	loc_920A5A
		test	al, 10h
		jnz	loc_920A61

loc_821F20:				; CODE XREF: IopAllocRealFileObject+FEC16j
		mov	eax, [ebx+50h]
		mov	ecx, [ebx+54h]
		mov	dl, [ebp+arg_8]
		mov	[edi+0Ch], eax
		lea	eax, [esp+58h+var_48]
		push	eax
		lea	eax, [esp+5Ch+var_38]
		mov	[edi+10h], ecx
		push	eax
		push	80h
		lea	eax, [esp+64h+var_30]
		mov	ecx, edi
		push	eax
		push	ebx
		call	_ObpAllocateObject@28 ;	ObpAllocateObject(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_920A81
		cmp	ds:_ObpTraceFlags, esi
		mov	esi, [esp+58h+var_38]
		jnz	loc_920AED

loc_821F65:				; CODE XREF: IopAllocRealFileObject+FECA4j
		add	esi, 18h
		mov	[esp+58h+var_48], ebx
		mov	eax, ebx

loc_821F6E:				; CODE XREF: IopAllocRealFileObject+FEBF5j
					; IopAllocRealFileObject+FEC88j
		test	ebx, ebx
		js	loc_9209DE
		push	80h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edi, [ebp+arg_C]
		add	esp, 0Ch
		cmp	[ebp+arg_14], 0
		jnz	loc_8220C5
		test	byte ptr [edi+5Ch], 47h
		mov	ebx, [ebp+arg_10]
		jnz	loc_82218B
		mov	eax, [ebx+8]
		push	eax
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	loc_82218B
		mov	eax, [edi+14h]
		test	eax, eax
		jnz	loc_822177

loc_821FBC:				; CODE XREF: IopAllocRealFileObject+325j
		mov	ebx, [esp+58h+var_48]

loc_821FC0:				; CODE XREF: IopAllocRealFileObject+33Dj
		test	ebx, ebx
		js	short loc_82200B
		mov	al, [ebp+arg_8]
		test	al, al
		jz	short loc_821FF6
		test	byte ptr [edi+5Ch], 20h
		jz	short loc_821FF6
		mov	edx, [esp+58h+var_44]
		test	dword ptr [edx+1Ch], 40000h
		jz	loc_822136

loc_821FE2:				; CODE XREF: IopAllocRealFileObject+2DCj
					; IopAllocRealFileObject+2E5j ...
		mov	ecx, [esp+58h+var_44]
		mov	edx, edi
		push	esi
		push	[ebp+arg_18]
		call	IopRetrieveTransactionParameters
		mov	ebx, eax
		mov	al, [ebp+arg_8]

loc_821FF6:				; CODE XREF: IopAllocRealFileObject+169j
					; IopAllocRealFileObject+16Fj ...
		test	ebx, ebx
		js	short loc_82200B
		test	al, al
		jz	short loc_82200B
		test	dword ptr [edi+28h], 20000h
		jnz	loc_82210E

loc_82200B:				; CODE XREF: IopAllocRealFileObject+162j
					; IopAllocRealFileObject+198j ...
		mov	ecx, [esp+58h+var_40]
		mov	[ecx], esi
		cmp	byte ptr [edi+56h], 0
		jnz	short loc_82208F
		cmp	byte ptr [edi+55h], 0
		jnz	short loc_82208F
		test	byte ptr [edi+28h], 30h
		jz	short loc_822036
		mov	eax, [esi+2Ch]
		or	eax, 2
		mov	[esi+2Ch], eax
		test	byte ptr [edi+28h], 10h
		jnz	loc_82212B

loc_822036:				; CODE XREF: IopAllocRealFileObject+1C1j
					; IopAllocRealFileObject+2D1j
		test	byte ptr [esi+2Ch], 2
		jz	short loc_82205E
		push	0
		push	1
		lea	eax, [esi+4Ch]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	dword ptr [esi+40h], 0
		mov	dword ptr [esi+38h], 0
		mov	dword ptr [esi+3Ch], 0

loc_82205E:				; CODE XREF: IopAllocRealFileObject+1DAj
		mov	eax, [edi+28h]
		test	al, 8
		jnz	loc_8221FB

loc_822069:				; CODE XREF: IopAllocRealFileObject+3A2j
		test	al, 2
		jnz	loc_822207

loc_822071:				; CODE XREF: IopAllocRealFileObject+3AEj
		test	al, 4
		jnz	loc_82216B

loc_822079:				; CODE XREF: IopAllocRealFileObject+312j
		test	eax, 800h
		jnz	loc_8221A2

loc_822084:				; CODE XREF: IopAllocRealFileObject+34Cj
		test	eax, 20000h
		jnz	loc_82211F

loc_82208F:				; CODE XREF: IopAllocRealFileObject+1B5j
					; IopAllocRealFileObject+1BBj ...
		test	byte ptr [ebp+arg_4], 40h
		jz	loc_920B09

loc_822099:				; CODE XREF: IopAllocRealFileObject+FECB0j
		mov	dword ptr [esi], (offset loc_800004+1)
		mov	eax, [edi+14h]
		mov	[esi+20h], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+4], eax
		mov	eax, ebx
		mov	dword ptr [esi+70h], 0
		add	esi, 74h
		mov	[esi+4], esi
		mov	[esi], esi

loc_8220BC:				; CODE XREF: IopAllocRealFileObject+FEB82j
					; IopAllocRealFileObject+FEB92j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_8220C5:				; CODE XREF: IopAllocRealFileObject+12Dj
		mov	ebx, [esp+58h+var_40]
		mov	eax, [ebx]
		mov	eax, [eax+0Ch]
		mov	[esi+0Ch], eax
		mov	eax, [ebx]
		mov	eax, [eax+10h]
		mov	[esi+10h], eax
		mov	eax, [ebx]
		movzx	eax, word ptr [eax+30h]
		mov	[esi+30h], ax
		mov	eax, [ebx]
		movzx	eax, word ptr [eax+32h]
		mov	[esi+32h], ax
		mov	eax, [ebx]
		mov	eax, [eax+34h]
		mov	[esi+34h], eax
		mov	eax, [ebx]
		mov	ebx, [esp+58h+var_48]
		mov	eax, [eax+7Ch]
		test	eax, eax
		jz	loc_82200B
		mov	[esi+7Ch], eax
		jmp	loc_82200B
; 

loc_82210E:				; CODE XREF: IopAllocRealFileObject+1A5j
		mov	edx, [edi+14h]
		mov	ecx, esi
		call	_IopCheckInitiatorHint@8 ; IopCheckInitiatorHint(x,x)
		mov	ebx, eax
		jmp	loc_82200B
; 

loc_82211F:				; CODE XREF: IopAllocRealFileObject+229j
		or	dword ptr [esi+2Ch], 2000000h
		jmp	loc_82208F
; 

loc_82212B:				; CODE XREF: IopAllocRealFileObject+1D0j
		or	eax, 4
		mov	[esi+2Ch], eax
		jmp	loc_822036
; 

loc_822136:				; CODE XREF: IopAllocRealFileObject+17Cj
		mov	ecx, [edx+2Ch]
		cmp	ecx, 8
		jz	loc_821FE2
		cmp	ecx, 14h
		jz	loc_821FE2
		cmp	ecx, 3
		jz	loc_821FE2
		cmp	ecx, 20h
		jz	loc_821FE2
		cmp	ecx, 35h
		jnz	loc_821FF6
		jmp	loc_821FE2
; 

loc_82216B:				; CODE XREF: IopAllocRealFileObject+213j
		or	dword ptr [esi+2Ch], 20h
		mov	eax, [edi+28h]
		jmp	loc_822079
; 

loc_822177:				; CODE XREF: IopAllocRealFileObject+156j
		push	eax
		call	_IoGetSilo@4	; IoGetSilo(x)
		push	eax
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jnz	loc_821FBC

loc_82218B:				; CODE XREF: IopAllocRealFileObject+13Aj
					; IopAllocRealFileObject+14Bj
		push	[ebp+arg_18]
		mov	edx, [esp+5Ch+var_44]
		mov	ecx, esi
		push	ebx
		push	edi
		call	IopAllocateFoExtensionsOnCreate
		mov	ebx, eax
		jmp	loc_821FC0
; 

loc_8221A2:				; CODE XREF: IopAllocRealFileObject+21Ej
		or	dword ptr [esi+2Ch], 100000h
		mov	eax, [edi+28h]
		jmp	loc_822084
; 

loc_8221B1:				; CODE XREF: IopAllocRealFileObject+76j
		inc	dword ptr [ebx+10h]
		mov	ebx, [esp+48h+var_2C]
		mov	ecx, [ebx+5C4h]
		mov	[esp+48h+var_2C], ecx
		inc	dword ptr [ecx+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_821EE0
		mov	ecx, [esp+48h+var_2C]
		mov	eax, [ecx+20h]
		inc	dword ptr [ecx+10h]
		push	eax
		mov	eax, [ecx+24h]
		push	eax
		mov	eax, [ecx+1Ch]
		push	eax
		mov	eax, [ecx+28h]
		call	eax
		mov	edi, eax
		test	edi, edi
		jnz	loc_821EE0
		jmp	loc_9209D9
; 

loc_8221FB:				; CODE XREF: IopAllocRealFileObject+203j
		or	dword ptr [esi+2Ch], 8
		mov	eax, [edi+28h]
		jmp	loc_822069
; 

loc_822207:				; CODE XREF: IopAllocRealFileObject+20Bj
		or	dword ptr [esi+2Ch], 10h
		mov	eax, [edi+28h]
		jmp	loc_822071
IopAllocRealFileObject endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSymlinkPropagateToExtensionIfNeeded proc near
					; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+FE6p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00920B15 SIZE 00000096 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		xor	edi, edi
		mov	[ebp+var_4], edi
		mov	ebx, ecx
		test	eax, eax
		jz	short loc_822249
		lea	edx, [ebp+var_4]
		mov	ecx, eax
		call	_IopSymlinkRemoveECP@8 ; IopSymlinkRemoveECP(x,x)
		mov	edi, [ebp+var_4]
		test	edi, edi
		jnz	short loc_82228D

loc_822249:				; CODE XREF: IopSymlinkPropagateToExtensionIfNeeded+16j
		mov	ecx, [ebx+20h]
		test	ecx, ecx
		jnz	short loc_822261
		xor	esi, esi
		test	edi, edi
		jnz	short loc_82227E

loc_822256:				; CODE XREF: IopSymlinkPropagateToExtensionIfNeeded+5Cj
					; IopSymlinkPropagateToExtensionIfNeeded+6Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_822261:				; CODE XREF: IopSymlinkPropagateToExtensionIfNeeded+2Ej
		push	0
		mov	edx, 5
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	loc_920B15

loc_822278:				; CODE XREF: IopSymlinkPropagateToExtensionIfNeeded+71j
		xor	esi, esi

loc_82227A:				; CODE XREF: IopSymlinkPropagateToExtensionIfNeeded+80j
					; IopSymlinkPropagateToExtensionIfNeeded+FE913j ...
		test	edi, edi
		jz	short loc_822256

loc_82227E:				; CODE XREF: IopSymlinkPropagateToExtensionIfNeeded+34j
		mov	ecx, edi
		call	_IopSymlinkFreeRelatedMountPointChain@4	; IopSymlinkFreeRelatedMountPointChain(x)
		push	edi
		call	_FsRtlFreeExtraCreateParameter@4 ; FsRtlFreeExtraCreateParameter(x)
		jmp	short loc_822256
; 

loc_82228D:				; CODE XREF: IopSymlinkPropagateToExtensionIfNeeded+27j
		test	byte ptr [edi+2], 1
		jz	short loc_822278

loc_822293:				; CODE XREF: IopSymlinkPropagateToExtensionIfNeeded+FE986j
		mov	edx, edi
		mov	ecx, ebx
		call	_IopSymlinkSetFoExtension@8 ; IopSymlinkSetFoExtension(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_82227A
		mov	ecx, edi
		call	_IopSymlinkFreeRelatedMountPointChain@4	; IopSymlinkFreeRelatedMountPointChain(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
IopSymlinkPropagateToExtensionIfNeeded endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepTokenDeleteMethod proc near		; DATA XREF: SepTokenInitialization()+6Fo

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00920BAB SIZE 00000059 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_SeTokenLeakTracking, 0
		push	esi
		mov	esi, [ebp+arg_0]
		jnz	loc_920BAB

loc_8222D6:				; CODE XREF: SepTokenDeleteMethod+FE8FAj
					; SepTokenDeleteMethod+FE908j
		cmp	dword ptr [esi+27Ch], 0
		jnz	loc_920BCD

loc_8222E3:				; CODE XREF: SepTokenDeleteMethod+FE914j
		cmp	_SepTokenSidSharingEnabled, 0
		jnz	loc_920BD9

loc_8222F0:				; CODE XREF: SepTokenDeleteMethod+FE920j
		test	byte ptr [esi+0B0h], 20h
		jnz	short loc_82232E
		mov	edx, [esi+274h]
		test	edx, edx
		jnz	loc_8223CC

loc_822307:				; CODE XREF: SepTokenDeleteMethod+114j
		mov	edx, [esi+278h]
		test	edx, edx
		jnz	loc_8223EC

loc_822315:				; CODE XREF: SepTokenDeleteMethod+137j
		mov	edx, [esi+298h]
		test	edx, edx
		jnz	loc_920BE5

loc_822323:				; CODE XREF: SepTokenDeleteMethod+FE930j
		mov	ecx, [esi+0C0h]
		call	_SepDeReferenceLogonSessionDirect@4 ; SepDeReferenceLogonSessionDirect(x)

loc_82232E:				; CODE XREF: SepTokenDeleteMethod+37j
		mov	ecx, [esi+29Ch]
		test	ecx, ecx
		jnz	loc_8223C2

loc_82233C:				; CODE XREF: SepTokenDeleteMethod+107j
		mov	ecx, [esi+284h]
		test	ecx, ecx
		jnz	loc_8223FC

loc_82234A:				; CODE XREF: SepTokenDeleteMethod+141j
		cmp	byte ptr [esi+77h], 2
		jz	loc_920BF5

loc_822354:				; CODE XREF: SepTokenDeleteMethod+FE93Fj
		mov	dl, 1
		mov	ecx, esi
		call	_SepRefDerefLuidToIndexEntryIfNecessary@8 ; SepRefDerefLuidToIndexEntryIfNecessary(x,x)
		mov	ecx, [esi+1DCh]
		call	AuthzBasepFreeSecurityAttributesList
		mov	eax, [esi+1DCh]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+0A0h]
		test	eax, eax
		jz	short loc_822388
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_822388:				; CODE XREF: SepTokenDeleteMethod+BEj
		cmp	dword ptr [esi+1E4h], 0
		jnz	short loc_8223E3

loc_822391:				; CODE XREF: SepTokenDeleteMethod+12Aj
		mov	eax, [esi+1E0h]
		test	eax, eax
		jnz	short loc_8223D9

loc_82239B:				; CODE XREF: SepTokenDeleteMethod+121j
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_8223B3
		push	eax
		call	ExDeleteResourceLite
		mov	eax, [esi+30h]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8223B3:				; CODE XREF: SepTokenDeleteMethod+E0j
		mov	eax, [esi+280h]
		pop	esi
		test	eax, eax
		jnz	short loc_822406

loc_8223BE:				; CODE XREF: SepTokenDeleteMethod+14Ej
		pop	ebp
		retn	4
; 

loc_8223C2:				; CODE XREF: SepTokenDeleteMethod+76j
		call	ObfDereferenceObject
		jmp	loc_82233C
; 

loc_8223CC:				; CODE XREF: SepTokenDeleteMethod+41j
		mov	ecx, [esi+78h]
		call	SepDereferenceLowBoxNumberEntry
		jmp	loc_822307
; 

loc_8223D9:				; CODE XREF: SepTokenDeleteMethod+D9j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_82239B
; 

loc_8223E3:				; CODE XREF: SepTokenDeleteMethod+CFj
		mov	ecx, esi
		call	SepFreeTokenCapabilities
		jmp	short loc_822391
; 

loc_8223EC:				; CODE XREF: SepTokenDeleteMethod+4Fj
		mov	ecx, [esi+0C0h]
		call	SepDereferenceCachedHandlesEntry
		jmp	loc_822315
; 

loc_8223FC:				; CODE XREF: SepTokenDeleteMethod+84j
		call	ObfDereferenceObject
		jmp	loc_82234A
; 

loc_822406:				; CODE XREF: SepTokenDeleteMethod+FCj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8223BE
SepTokenDeleteMethod endp

; 
		dd 4 dup(0CCCCCCCCh)
; 
; Exported entry 652. FsRtlRemoveExtraCreateParameter

; __stdcall FsRtlRemoveExtraCreateParameter(x, x, x, x)
		public _FsRtlRemoveExtraCreateParameter@16
_FsRtlRemoveExtraCreateParameter@16:	; CODE XREF: FsRtlCheckOplockEx2+152p
					; IopSymlinkRemoveECP(x,x)+9p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+10h]
		push	ebx
		mov	ebx, [ebp+8]
		add	ebx, 8
		mov	dword ptr [ebp+8], 0C0000225h
		push	edi
		mov	dword ptr [eax], 0
		mov	edi, [ebx]
		cmp	edi, ebx
		jz	short loc_82246E
		push	esi

loc_822444:				; CODE XREF: PAGE:0082246Bj
		mov	eax, [ebp+0Ch]
		lea	edx, [edi+8]
		mov	esi, 0Ch
		nop

loc_822450:				; CODE XREF: PAGE:0082245Fj
		mov	ecx, [edx]
		cmp	ecx, [eax]
		jnz	short loc_822477
		add	edx, 4
		add	eax, 4
		sub	esi, 4
		jnb	short loc_822450

loc_822461:				; CODE XREF: PAGE:00822491j
		xor	eax, eax

loc_822463:				; CODE XREF: PAGE:00822498j
		test	eax, eax
		jz	short loc_82249A
		mov	edi, [edi]
		cmp	edi, ebx
		jnz	short loc_822444

loc_82246D:				; CODE XREF: PAGE:008224D2j
		pop	esi

loc_82246E:				; CODE XREF: PAGE:00822441j
		mov	eax, [ebp+8]
		pop	edi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_822477:				; CODE XREF: PAGE:00822454j
		cmp	cl, [eax]
		jnz	short loc_822493
		mov	cl, [edx+1]
		cmp	cl, [eax+1]
		jnz	short loc_822493
		mov	cl, [edx+2]
		cmp	cl, [eax+2]
		jnz	short loc_822493
		mov	cl, [edx+3]
		cmp	cl, [eax+3]
		jz	short loc_822461

loc_822493:				; CODE XREF: PAGE:00822479j
					; PAGE:00822481j ...
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_822463
; 

loc_82249A:				; CODE XREF: PAGE:00822465j
		or	dword ptr [edi+1Ch], 4
		mov	eax, [edi]
		mov	dword ptr [ebp+8], 0
		cmp	[eax+4], edi
		jnz	short loc_8224E6
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_8224E6
		mov	[ecx], eax
		mov	[eax+4], ecx
		lea	eax, [edi+2Ch]
		mov	ecx, [ebp+10h]
		mov	dword ptr [edi+4], 0
		mov	dword ptr [edi], 0
		mov	[ecx], eax
		mov	ecx, [ebp+14h]
		test	ecx, ecx
		jz	short loc_82246D
		mov	eax, [edi+20h]
		pop	esi
		sub	eax, 34h
		pop	edi
		mov	[ecx], eax
		mov	eax, [ebp+8]
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_8224E6:				; CODE XREF: PAGE:008224AAj
					; PAGE:008224B1j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		dd 4 dup(0CCCCCCCCh)
; Exported entry 517. FsRtlFindExtraCreateParameter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlFindExtraCreateParameter(x, x,	x, x)
		public _FsRtlFindExtraCreateParameter@16
_FsRtlFindExtraCreateParameter@16 proc near ; CODE XREF: IopSymlinkGetECP(x,x)+9p
					; FsRtlCheckOplockEx2+118p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	edi
		test	ebx, ebx
		jz	short loc_822514
		mov	dword ptr [ebx], 0

loc_822514:				; CODE XREF: FsRtlFindExtraCreateParameter(x,x,x,x)+Cj
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	short loc_82256A

loc_82251B:				; CODE XREF: FsRtlFindExtraCreateParameter(x,x,x,x)+70j
		mov	eax, [ebp+arg_0]
		add	eax, 8
		mov	[ebp+arg_8], eax
		mov	edi, [eax]
		cmp	edi, eax
		jz	loc_8225BA
		push	esi
		nop

loc_822530:				; CODE XREF: FsRtlFindExtraCreateParameter(x,x,x,x)+5Cj
		mov	eax, [ebp+arg_4]
		lea	edx, [edi+8]
		mov	esi, 0Ch
		jmp	short loc_822540
; 
		align 10h

loc_822540:				; CODE XREF: FsRtlFindExtraCreateParameter(x,x,x,x)+3Bj
					; FsRtlFindExtraCreateParameter(x,x,x,x)+4Fj
		mov	ecx, [edx]
		cmp	ecx, [eax]
		jnz	short loc_822597
		add	edx, 4
		add	eax, 4
		sub	esi, 4
		jnb	short loc_822540

loc_822551:				; CODE XREF: FsRtlFindExtraCreateParameter(x,x,x,x)+B1j
		xor	eax, eax

loc_822553:				; CODE XREF: FsRtlFindExtraCreateParameter(x,x,x,x)+B8j
		test	eax, eax
		jz	short loc_822572
		mov	edi, [edi]
		cmp	edi, [ebp+arg_8]
		jnz	short loc_822530
		pop	esi
		pop	edi
		mov	eax, 0C0000225h
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_82256A:				; CODE XREF: FsRtlFindExtraCreateParameter(x,x,x,x)+19j
		mov	dword ptr [eax], 0
		jmp	short loc_82251B
; 

loc_822572:				; CODE XREF: FsRtlFindExtraCreateParameter(x,x,x,x)+55j
		or	dword ptr [edi+1Ch], 4
		test	ebx, ebx
		jz	short loc_82257F
		lea	ecx, [edi+2Ch]
		mov	[ebx], ecx

loc_82257F:				; CODE XREF: FsRtlFindExtraCreateParameter(x,x,x,x)+78j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_82258E
		mov	ecx, [edi+20h]
		sub	ecx, 34h
		mov	[eax], ecx

loc_82258E:				; CODE XREF: FsRtlFindExtraCreateParameter(x,x,x,x)+84j
		pop	esi
		pop	edi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_822597:				; CODE XREF: FsRtlFindExtraCreateParameter(x,x,x,x)+44j
		cmp	cl, [eax]
		jnz	short loc_8225B3
		mov	cl, [edx+1]
		cmp	cl, [eax+1]
		jnz	short loc_8225B3
		mov	cl, [edx+2]
		cmp	cl, [eax+2]
		jnz	short loc_8225B3
		mov	cl, [edx+3]
		cmp	cl, [eax+3]
		jz	short loc_822551

loc_8225B3:				; CODE XREF: FsRtlFindExtraCreateParameter(x,x,x,x)+99j
					; FsRtlFindExtraCreateParameter(x,x,x,x)+A1j ...
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_822553
; 

loc_8225BA:				; CODE XREF: FsRtlFindExtraCreateParameter(x,x,x,x)+28j
		pop	edi
		mov	eax, 0C0000225h
		pop	ebx
		pop	ebp
		retn	10h
_FsRtlFindExtraCreateParameter@16 endp

; 
		align 10h
; Exported entry 2483. SePrivilegeCheck

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SePrivilegeCheck(x,	x, x)
		public _SePrivilegeCheck@12
_SePrivilegeCheck@12 proc near		; CODE XREF: SeSinglePrivilegeCheckEx(x,x,x,x)+37p
					; PspSinglePrivCheck(x,x,x,x)+5Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_8]
		test	dl, dl
		jz	short loc_82260C
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_822602
		mov	ecx, [eax+8]

loc_8225E8:				; CODE XREF: SePrivilegeCheck(x,x,x)+36j
		mov	[ebp+arg_8], edx
		mov	edx, [ebp+arg_0]
		mov	eax, [edx+4]
		mov	[ebp+arg_4], eax
		mov	eax, [edx]
		mov	[ebp+arg_0], eax
		add	edx, 8
		pop	ebp
		jmp	_SepPrivilegeCheck@20 ;	SepPrivilegeCheck(x,x,x,x,x)
; 

loc_822602:				; CODE XREF: SePrivilegeCheck(x,x,x)+13j
		cmp	dword ptr [eax+4], 2
		jge	short loc_8225E8
		xor	al, al
		jmp	short loc_82260E
; 

loc_82260C:				; CODE XREF: SePrivilegeCheck(x,x,x)+Aj
		mov	al, 1

loc_82260E:				; CODE XREF: SePrivilegeCheck(x,x,x)+3Aj
		pop	ebp
		retn	0Ch
_SePrivilegeCheck@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopRetrieveTransactionParameters proc near
					; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+A71p
					; IopAllocRealFileObject+18Cp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00920C04 SIZE 00000043 BYTES
; FUNCTION CHUNK AT 00920C88 SIZE 000000A4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5C70
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, edx
		mov	[ebp+var_34], esi
		mov	ebx, ecx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_28], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_2C], 0
		mov	[ebp+var_4], 0
		lea	eax, [ebp+var_20]
		push	eax
		call	ds:__imp__TmCurrentTransaction@4 ; TmCurrentTransaction(x)
		mov	edi, eax
		mov	[ebp+var_1C], edi
		cmp	edi, 0C00000BBh
		jz	short loc_8226CB
		test	edi, edi
		js	short loc_8226D2

loc_822696:				; CODE XREF: IopRetrieveTransactionParameters+B0j
		cmp	[ebp+var_20], 0
		jnz	loc_920C04

loc_8226A0:				; CODE XREF: IopRetrieveTransactionParameters+FE615j
					; IopRetrieveTransactionParameters+FE622j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_8226A7:				; CODE XREF: sub_920C57+2Cj
		test	edi, edi
		js	short loc_8226B5
		cmp	[ebp+var_20], 0
		jnz	loc_920C88

loc_8226B5:				; CODE XREF: IopRetrieveTransactionParameters+89j
					; IopRetrieveTransactionParameters+FE6DFj ...
		mov	eax, edi

loc_8226B7:				; CODE XREF: IopRetrieveTransactionParameters+B9j
					; sub_920C57+1Aj ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_8226CB:				; CODE XREF: IopRetrieveTransactionParameters+70j
		xor	edi, edi
		mov	[ebp+var_1C], edi
		jmp	short loc_822696
; 

loc_8226D2:				; CODE XREF: IopRetrieveTransactionParameters+74j
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_8226B7
IopRetrieveTransactionParameters endp

; 
		align 10h
; Exported entry 2512. SeSinglePrivilegeCheck

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeSinglePrivilegeCheck
SeSinglePrivilegeCheck proc near	; CODE XREF: ExCpuSetResourceManagerAccessCheck(x)+35p
					; .text:005225F3p ...

var_32		= dword	ptr -32h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00920D2C SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		push	esi
		mov	esi, large fs:124h
		mov	ecx, large fs:124h
		mov	[esp+3Ch+var_28], 0
		mov	byte ptr [esp+3Ch+var_32+1], 0
		mov	esi, [esi+80h]
		mov	byte ptr [esp+3Ch+var_32], 0
		push	edi
		mov	eax, [esi+0E4h]
		mov	[esp+40h+var_20], eax
		test	ecx, ecx
		jz	loc_920D2C
		push	0
		lea	eax, [esp+44h+var_28]
		xor	edx, edx
		push	eax
		lea	eax, [esp+48h+var_32]
		push	eax
		lea	eax, [esp+4Ch+var_32+1]
		push	eax
		call	_PsReferenceImpersonationTokenEx@24 ; PsReferenceImpersonationTokenEx(x,x,x,x,x,x)
		mov	ebx, eax

loc_82274B:				; CODE XREF: SeSinglePrivilegeCheck+FE64Ej
		lea	ecx, [esi+12Ch]
		mov	[esp+40h+var_2C], ebx
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_82287F

loc_822764:				; CODE XREF: SeSinglePrivilegeCheck+1F1j
		cmp	ds:_SeTokenLeakTracking, 0
		mov	[esp+40h+var_24], edi
		jnz	loc_920D33

loc_822775:				; CODE XREF: SeSinglePrivilegeCheck+FE670j
					; SeSinglePrivilegeCheck+FE68Aj ...
		mov	eax, [ebp+arg_0]
		mov	[esp+40h+var_10], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+40h+var_C], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+40h+var_18], 1
		mov	[esp+40h+var_14], 1
		mov	[esp+40h+var_8], 0
		test	al, al
		jz	short loc_8227FE
		test	ebx, ebx
		jnz	short loc_822805
		mov	ecx, edi

loc_8227A8:				; CODE XREF: SeSinglePrivilegeCheck+132j
		push	eax
		push	1
		push	1
		lea	edx, [esp+4Ch+var_10]
		call	_SepPrivilegeCheck@20 ;	SepPrivilegeCheck(x,x,x,x,x)

loc_8227B6:				; CODE XREF: SeSinglePrivilegeCheck+201j
		mov	byte ptr [esp+40h+var_32+2], al
		mov	byte ptr [esp+40h+var_32], al
		test	ebx, ebx
		jnz	short loc_822814
		mov	eax, edi

loc_8227C4:				; CODE XREF: SeSinglePrivilegeCheck+136j
		mov	eax, [eax+94h]
		mov	esi, [eax]
		mov	eax, _SeLocalSystemSid
		push	esi
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_822818

loc_8227DC:				; CODE XREF: SeSinglePrivilegeCheck+123j
					; SeSinglePrivilegeCheck+182j ...
		lea	eax, [esp+40h+var_2C]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [esp+40h+var_4]
		mov	al, byte ptr [esp+40h+var_32]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8227FE:				; CODE XREF: SeSinglePrivilegeCheck+C0j
		mov	byte ptr [esp+40h+var_32], 1
		jmp	short loc_8227DC
; 

loc_822805:				; CODE XREF: SeSinglePrivilegeCheck+C4j
		cmp	[esp+40h+var_28], 2
		jl	loc_8228DF
		mov	ecx, ebx
		jmp	short loc_8227A8
; 

loc_822814:				; CODE XREF: SeSinglePrivilegeCheck+E0j
		mov	eax, ebx
		jmp	short loc_8227C4
; 

loc_822818:				; CODE XREF: SeSinglePrivilegeCheck+FAj
		mov	eax, ds:_SeExports
		push	esi
		mov	[esp+44h+var_1C], eax
		mov	eax, [eax+12Ch]
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_822867
		mov	eax, [esp+40h+var_1C]
		push	esi
		mov	eax, [eax+128h]
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_822867

loc_822847:				; CODE XREF: SeSinglePrivilegeCheck+19Dj
		push	[esp+40h+var_32+2]
		lea	eax, [esp+44h+var_18]
		mov	edx, offset _SeSubsystemName
		push	eax
		push	edi
		push	ebx
		push	0
		lea	ecx, [esp+54h+var_2C]
		call	SepAdtPrivilegedServiceAuditAlarm
		jmp	loc_8227DC
; 

loc_822867:				; CODE XREF: SeSinglePrivilegeCheck+150j
					; SeSinglePrivilegeCheck+165j
		lea	edx, [esp+40h+var_18]
		mov	ecx, 1
		call	SepFilterPrivilegeAudits
		test	al, al
		jz	loc_8227DC
		jmp	short loc_822847
; 

loc_82287F:				; CODE XREF: SeSinglePrivilegeCheck+7Ej
		mov	eax, large fs:124h
		mov	[esp+40h+var_32+2], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	ebx, [esi+0E0h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		lea	ecx, [esi+12Ch]
		call	@ObFastReferenceObjectLocked@4 ; ObFastReferenceObjectLocked(x)
		mov	edi, eax
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	short loc_8228D6

loc_8228BD:				; CODE XREF: SeSinglePrivilegeCheck+1FDj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [esp+40h+var_32+2]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ebx, [esp+40h+var_2C]
		jmp	loc_822764
; 

loc_8228D6:				; CODE XREF: SeSinglePrivilegeCheck+1DBj
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_8228BD
; 

loc_8228DF:				; CODE XREF: SeSinglePrivilegeCheck+12Aj
		xor	al, al
		jmp	loc_8227B6
SeSinglePrivilegeCheck endp

; 
		align 10h

; __stdcall PsOpenProcess(x, x,	x, x, x, x)
_PsOpenProcess@24:			; CODE XREF: NtAlpcOpenSenderProcess+147p
					; NtOpenProcess(x,x,x,x)+27p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5C90
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 220h
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		mov	[ebp-1Ch], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	[ebp-1FCh], edx
		mov	esi, ecx
		mov	[ebp-224h], esi
		mov	ebx, [ebp+0Ch]
		push	74h
		push	0
		lea	eax, [ebp-118h]
		push	eax
		call	_memset
		add	esp, 0Ch
		push	0C4h
		push	0
		lea	eax, [ebp-1E0h]
		push	eax
		call	_memset
		add	esp, 0Ch
		xor	edx, edx
		mov	[ebp-1F8h], edx
		xor	ecx, ecx
		mov	[ebp-1F4h], ecx
		mov	[ebp-208h], ecx
		mov	[ebp-1ECh], ecx
		mov	[ebp-200h], ecx
		mov	[ebp-1F0h], ecx
		mov	dword ptr [ebp-20Ch], 0FFFFFFFFh
		cmp	[ebp+10h], cl
		jz	loc_822A91
		mov	[ebp-4], ecx
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_8229B0
		mov	ecx, eax

loc_8229B0:				; CODE XREF: PAGE:008229ACj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+8]
		mov	edx, ecx
		test	cl, 3
		jnz	loc_822E7C
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_8229CD
		mov	edx, eax

loc_8229CD:				; CODE XREF: PAGE:008229C9j
		nop
		mov	al, [edx]
		cmp	dword ptr [ecx+8], 0
		setnz	ah
		mov	[ebp-1E1h], ah
		mov	[ebp-1E2h], ah
		mov	edi, [ecx+0Ch]
		and	edi, 1DF2h
		mov	[ebp-210h], edi
		test	ebx, ebx
		jz	short loc_822A46
		mov	ecx, ebx
		test	bl, 3
		jnz	loc_822E81
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_822A0C
		mov	ecx, eax

loc_822A0C:				; CODE XREF: PAGE:00822A08j
		nop
		mov	al, [ecx]
		mov	edx, [ebx]
		mov	[ebp-1F8h], edx
		mov	ecx, [ebx+4]
		mov	[ebp-1F4h], ecx
		mov	al, 1
		mov	[ebp-1E3h], al
		mov	edi, [ebp-210h]
		mov	bl, [ebp-1E2h]
		mov	[ebp-1E1h], bl
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_822AD5
; 

loc_822A46:				; CODE XREF: PAGE:008229F4j
		xor	al, al
		mov	[ebp-1E3h], al
		mov	ecx, [ebp-1F4h]
		mov	edx, [ebp-1F8h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_822AD5
; 

loc_822A63:				; DATA XREF: .text:006A5CA4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-214h], eax
		mov	eax, 1
		retn
; 

loc_822A76:				; DATA XREF: .text:006A5CA8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-214h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-200h]
		jmp	loc_822DF2
; 

loc_822A91:				; CODE XREF: PAGE:0082299Aj
		mov	eax, [ebp+8]
		cmp	[eax+8], ecx
		setnz	byte ptr [ebp-1E1h]
		mov	eax, [ebp+14h]
		movsx	edi, al
		neg	edi
		sbb	edi, edi
		and	edi, 0FFFEFE00h
		add	edi, 11FF2h
		mov	eax, [ebp+8]
		and	edi, [eax+0Ch]
		test	ebx, ebx
		jz	short loc_822AD3
		mov	edx, [ebx]
		mov	[ebp-1F8h], edx
		mov	ecx, [ebx+4]
		mov	[ebp-1F4h], ecx
		mov	al, 1
		jmp	short loc_822AD5
; 

loc_822AD3:				; CODE XREF: PAGE:00822ABCj
		xor	al, al

loc_822AD5:				; CODE XREF: PAGE:00822A41j
					; PAGE:00822A61j ...
		mov	bl, [ebp-1E1h]
		test	bl, bl
		jnz	loc_822E70
		test	al, al
		jz	loc_822E70
		test	ecx, ecx
		jz	short loc_822B20
		lea	eax, [ebp-1ECh]
		push	eax
		lea	eax, [ebp-1F0h]
		push	eax
		lea	eax, [ebp-1F8h]
		push	eax
		call	PsLookupProcessThreadByCid
		mov	esi, eax
		test	esi, esi
		js	loc_822E75
		mov	ecx, [ebp-1ECh]
		call	ObfDereferenceObject
		jmp	short loc_822B37
; 

loc_822B20:				; CODE XREF: PAGE:00822AEDj
		lea	eax, [ebp-1F0h]
		push	eax
		push	edx
		call	PsLookupProcessByProcessId
		mov	esi, eax
		test	esi, esi
		js	loc_822E75

loc_822B37:				; CODE XREF: PAGE:00822B1Ej
		mov	eax, [ebp-1F0h]
		mov	eax, [eax+0E4h]
		mov	[ebp-20Ch], eax
		xor	ebx, ebx
		mov	eax, ds:_PsProcessType
		add	eax, 34h
		push	eax
		push	dword ptr [ebp-1FCh]
		lea	eax, [ebp-1E0h]
		push	eax
		lea	eax, [ebp-118h]
		push	eax
		call	SeCreateAccessState
		mov	esi, eax
		test	esi, esi
		js	loc_822E75
		mov	eax, edi
		and	eax, 400h
		mov	[ebp-1F4h], eax
		mov	ecx, 1
		mov	[ebp-1ECh], ecx
		mov	[ebp-200h], ecx

loc_822B95:				; CODE XREF: PAGE:00822C7Cj
		test	eax, eax
		jz	short loc_822BA6
		test	ebx, ebx
		jnz	short loc_822BA6
		mov	byte ptr [ebp-204h], 1
		jmp	short loc_822BAF
; 

loc_822BA6:				; CODE XREF: PAGE:00822B97j
					; PAGE:00822B9Bj
		mov	eax, [ebp+14h]
		mov	[ebp-204h], al

loc_822BAF:				; CODE XREF: PAGE:00822BA4j
		push	dword ptr [ebp-204h]
		mov	eax, ds:dword_A94A14
		push	eax
		mov	eax, ds:_SeDebugPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	short loc_822BF3
		mov	eax, [ebp-108h]
		test	eax, 2000000h
		jz	short loc_822BE3
		or	dword ptr [ebp-104h], 1FFFFFh
		jmp	short loc_822BE9
; 

loc_822BE3:				; CODE XREF: PAGE:00822BD5j
		or	[ebp-104h], eax

loc_822BE9:				; CODE XREF: PAGE:00822BE1j
		mov	dword ptr [ebp-108h], 0

loc_822BF3:				; CODE XREF: PAGE:00822BC8j
		lea	eax, [ebp-208h]
		push	eax
		push	dword ptr [ebp+14h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	0
		lea	eax, [ebp-118h]
		push	eax
		push	edi
		push	dword ptr [ebp-1F0h]
		call	ObOpenObjectByPointer
		mov	esi, eax
		test	esi, esi
		jns	short loc_822C89
		cmp	dword ptr [ebp-1F4h], 0
		jz	loc_822DEC
		cmp	esi, 0C0000022h
		jnz	loc_822DEC
		test	ebx, ebx
		jnz	loc_822DEC
		mov	ebx, 1
		lea	eax, [ebp-118h]
		push	eax
		call	SeDeleteAccessState
		mov	eax, ds:_PsProcessType
		add	eax, 34h
		push	eax
		push	dword ptr [ebp-1FCh]
		lea	eax, [ebp-1E0h]
		push	eax
		lea	eax, [ebp-118h]
		push	eax
		call	SeCreateAccessState
		mov	esi, eax
		test	esi, esi
		mov	eax, [ebp-1F4h]
		jns	loc_822B95
		xor	edi, edi
		jmp	loc_822DF2
; 

loc_822C89:				; CODE XREF: PAGE:00822C1Cj
		test	ebx, ebx
		jz	loc_822DD0
		cmp	dword_6B1F50, 5
		jbe	loc_822DD0
		push	4000h
		push	0
		mov	ecx, offset dword_6B1F50
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_822DD0
		push	dword ptr [ebp-1F0h]
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	[ebp-218h], eax
		lea	eax, [ebp-218h]
		mov	[ebp-80h], eax
		mov	dword ptr [ebp-7Ch], 0
		mov	dword ptr [ebp-78h], 4
		mov	dword ptr [ebp-74h], 0
		mov	eax, [ebp-1FCh]
		mov	[ebp-21Ch], eax
		lea	eax, [ebp-21Ch]
		mov	[ebp-70h], eax
		mov	dword ptr [ebp-6Ch], 0
		mov	dword ptr [ebp-68h], 4
		mov	dword ptr [ebp-64h], 0
		mov	[ebp-220h], edi
		lea	eax, [ebp-220h]
		mov	[ebp-60h], eax
		mov	dword ptr [ebp-5Ch], 0
		mov	dword ptr [ebp-58h], 4
		mov	dword ptr [ebp-54h], 0
		mov	al, [ebp+10h]
		mov	[ebp-1E4h], al
		lea	eax, [ebp-1E4h]
		mov	[ebp-50h], eax
		mov	dword ptr [ebp-4Ch], 0
		mov	dword ptr [ebp-48h], 1
		mov	dword ptr [ebp-44h], 0
		mov	eax, [ebp+14h]
		mov	[ebp-1E5h], al
		lea	eax, [ebp-1E5h]
		mov	[ebp-40h], eax
		mov	dword ptr [ebp-3Ch], 0
		mov	dword ptr [ebp-38h], 1
		mov	dword ptr [ebp-34h], 0
		mov	dword ptr [ebp-230h], 1000000h
		mov	dword ptr [ebp-22Ch], 0
		lea	eax, [ebp-230h]
		mov	[ebp-30h], eax
		mov	dword ptr [ebp-2Ch], 0
		mov	dword ptr [ebp-28h], 8
		mov	dword ptr [ebp-24h], 0
		lea	eax, [ebp-0A0h]
		push	eax
		push	8
		push	0
		push	0
		push	offset loc_4229EC
		push	offset dword_6B1F50
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_822DD0:				; CODE XREF: PAGE:00822C8Bj
					; PAGE:00822C98j ...
		mov	dword ptr [ebp-4], 1
		mov	eax, [ebp-208h]
		mov	ecx, [ebp-224h]
		mov	[ecx], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_822DEC:				; CODE XREF: PAGE:00822C25j
					; PAGE:00822C31j ...
		mov	edi, [ebp-1ECh]

loc_822DF2:				; CODE XREF: PAGE:00822A8Cj
					; PAGE:00822C84j ...
		push	esi
		mov	edx, [ebp-1FCh]
		mov	ecx, [ebp-20Ch]
		call	_PspLogAuditOpenProcessEvent@12	; PspLogAuditOpenProcessEvent(x,x,x)
		test	edi, edi
		jz	short loc_822E14
		lea	eax, [ebp-118h]
		push	eax
		call	SeDeleteAccessState

loc_822E14:				; CODE XREF: PAGE:00822E06j
		mov	eax, [ebp-1F0h]
		test	eax, eax
		jz	short loc_822E25
		mov	ecx, eax
		call	ObfDereferenceObject

loc_822E25:				; CODE XREF: PAGE:00822E1Cj
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-1Ch]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_822E45:				; DATA XREF: .text:006A5CB0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-228h], eax
		mov	eax, 1
		retn
; 

loc_822E58:				; DATA XREF: .text:006A5CB4o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-228h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-200h]
		jmp	short loc_822DF2
; 

loc_822E70:				; CODE XREF: PAGE:00822ADDj
					; PAGE:00822AE5j
		mov	esi, 0C0000030h

loc_822E75:				; CODE XREF: PAGE:00822B0Dj
					; PAGE:00822B31j ...
		xor	edi, edi
		jmp	loc_822DF2
; 

loc_822E7C:				; CODE XREF: PAGE:008229BCj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_822E81:				; CODE XREF: PAGE:008229FBj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dw 0CCCCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspLogAuditOpenProcessEvent(x, x, x)
_PspLogAuditOpenProcessEvent@12	proc near ; CODE XREF: PAGE:00822DFFp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, dword_6BC5D4
		push	3
		push	0
		push	offset _KERNEL_AUDIT_API_OPENPROCESS
		push	eax
		mov	eax, _EtwApiCallsProvRegHandle
		push	eax
		mov	[ebp+var_38], ecx
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], 4
		mov	[ebp+var_28], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 4
		mov	[ebp+var_18], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], 0
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_PspLogAuditOpenProcessEvent@12	endp

; 
		align 10h
; Exported entry 2459. SeDeleteAccessState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeDeleteAccessState
SeDeleteAccessState proc near		; CODE XREF: SepCreateTokenEx+890p
					; CmpDoBuildVirtualStack(x,x,x,x,x)+439p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00822F88 SIZE 0000000C BYTES
; FUNCTION CHUNK AT 00920D76 SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	SepDeleteAccessState
		cmp	ds:_SeTokenLeakTracking, 0
		jnz	loc_920D76

loc_822F4D:				; CODE XREF: SeDeleteAccessState+5Dj
					; SeDeleteAccessState+FDE8Bj ...
		mov	eax, large fs:124h
		mov	edx, [esi+24h]
		mov	ecx, [eax+80h]
		add	ecx, 12Ch
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	ecx, [esi+1Ch]
		mov	dword ptr [esi+24h], 0
		test	ecx, ecx
		jnz	short loc_822F81

loc_822F75:				; CODE XREF: SeDeleteAccessState+56j
		mov	dword ptr [esi+1Ch], 0
		pop	esi
		pop	ebp
		retn	4
; 

loc_822F81:				; CODE XREF: SeDeleteAccessState+43j
		call	ObfDereferenceObject
		jmp	short loc_822F75
SeDeleteAccessState endp

; 
; START	OF FUNCTION CHUNK FOR SeDeleteAccessState

loc_822F88:				; CODE XREF: SeDeleteAccessState+FDE4Bj
					; SeDeleteAccessState+FDE68j ...
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_822F4D
		jmp	loc_920DA4
; END OF FUNCTION CHUNK	FOR SeDeleteAccessState
; 
		align 10h
; Exported entry 2452. SeCreateAccessState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SeCreateAccessState(void *,void	*,int,int)
		public SeCreateAccessState
SeCreateAccessState proc near		; CODE XREF: SepCreateTokenEx+868p
					; SeSubProcessToken+2E6p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= dword	ptr -2
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00920DC7 SIZE 00000052 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, large fs:124h
		mov	ecx, large fs:124h
		mov	[ebp+var_14], 0
		mov	byte ptr [ebp+var_2], 0
		mov	byte ptr [ebp+var_2+1],	0
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+80h]
		mov	eax, [edi+0E4h]
		mov	[ebp+var_C], eax
		test	ecx, ecx
		jz	loc_920DC7
		push	0
		lea	eax, [ebp+var_14]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_2+1]
		push	eax
		lea	eax, [ebp+var_2]
		push	eax
		call	_PsReferenceImpersonationTokenEx@24 ; PsReferenceImpersonationTokenEx(x,x,x,x,x,x)
		mov	[ebp+var_18], eax

loc_822FF6:				; CODE XREF: SeCreateAccessState+FDE2Ej
		lea	ebx, [edi+12Ch]
		mov	ecx, ebx
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_823036

loc_823009:				; CODE XREF: SeCreateAccessState+DEj
		cmp	ds:_SeTokenLeakTracking, 0
		mov	[ebp+var_10], esi
		jnz	loc_920DD3

loc_823019:				; CODE XREF: SeCreateAccessState+FDE53j
					; SeCreateAccessState+FDE6Dj ...
		push	[ebp+arg_C]	; int
		mov	edx, [ebp+arg_0] ; void	*
		lea	ecx, [ebp+var_18] ; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; void *
		call	_SepCreateAccessStateFromSubjectContext@20 ; SepCreateAccessStateFromSubjectContext(x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_823036:				; CODE XREF: SeCreateAccessState+67j
		mov	eax, large fs:124h
		mov	[ebp+var_8], eax
		dec	word ptr [eax+13Ch]
		nop
		add	edi, 0E0h
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	ecx, ebx
		call	@ObFastReferenceObjectLocked@4 ; ObFastReferenceObjectLocked(x)
		mov	esi, eax
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_823080

loc_82306F:				; CODE XREF: SeCreateAccessState+E7j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	short loc_823009
; 

loc_823080:				; CODE XREF: SeCreateAccessState+CDj
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_82306F
SeCreateAccessState endp

; 
		align 10h
; Exported entry 1632. ObOpenObjectByPointer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObOpenObjectByPointer
ObOpenObjectByPointer proc near		; CODE XREF: VrpPostEnumerateKey(x,x)+290p
					; CmLoadDifferencingKey+61Bp ...

var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_D0		= dword	ptr -0D0h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008233B0 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 00920E19 SIZE 000000DD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 16Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+16Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [esp+170h+var_D0]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_18]
		push	0C4h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[esp+184h+var_15C], edi
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+178h+var_148]
		push	74h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [edi], 0
		mov	edi, [ebp+arg_10]
		push	6E48624Fh
		push	[ebp+arg_14]
		push	edi
		push	0
		push	ebx
		call	ObReferenceObjectByPointerWithTag
		test	eax, eax
		js	loc_823248
		test	edi, edi
		jz	loc_82325F

loc_82310E:				; CODE XREF: ObOpenObjectByPointer+1EEj
		mov	eax, [ebp+arg_4]
		test	[edi+30h], eax
		jnz	loc_920EDA
		test	byte ptr [ebx-9], 1
		jnz	loc_823324

loc_823124:				; CODE XREF: ObOpenObjectByPointer+298j
		test	esi, esi
		jnz	loc_8231D2
		mov	eax, large fs:124h
		mov	esi, large fs:124h
		mov	[esp+178h+var_154], 0
		mov	ecx, [eax+80h]
		mov	[esp+178h+var_168], ecx
		mov	eax, [ecx+0E4h]
		mov	[esp+178h+var_14C], eax
		test	esi, esi
		jz	loc_920E19
		mov	eax, [esi+2FCh]
		test	al, 8
		jnz	loc_82328A
		xor	esi, esi
		mov	[esp+178h+var_16C], esi

loc_823171:				; CODE XREF: ObOpenObjectByPointer+27Ej
		mov	[esp+178h+var_158], esi

loc_823175:				; CODE XREF: ObOpenObjectByPointer+FDD93j
		lea	eax, [ecx+12Ch]
		mov	ecx, eax
		mov	[esp+178h+var_160], eax
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_823333
		mov	ecx, [esp+178h+var_16C]

loc_823194:				; CODE XREF: ObOpenObjectByPointer+2FEj
		cmp	ds:_SeTokenLeakTracking, 0
		mov	[esp+178h+var_150], esi
		jnz	loc_920E33

loc_8231A5:				; CODE XREF: ObOpenObjectByPointer+FDDC0j
					; ObOpenObjectByPointer+FDDDAj	...
		lea	eax, [edi+34h]
		push	eax		; int
		push	[ebp+arg_C]	; int
		lea	eax, [esp+180h+var_D0]
		push	eax		; void *
		lea	edx, [esp+184h+var_148]	; void *
		lea	ecx, [esp+184h+var_158]	; int
		call	_SepCreateAccessStateFromSubjectContext@20 ; SepCreateAccessStateFromSubjectContext(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_920E76
		mov	eax, [ebp+arg_4]
		lea	esi, [esp+178h+var_148]

loc_8231D2:				; CODE XREF: ObOpenObjectByPointer+96j
		push	[esp+178h+var_15C]
		mov	edx, ebx
		mov	ecx, 1
		push	0
		push	0
		push	0
		push	[ebp+arg_14]
		push	eax
		push	0
		push	esi
		push	0
		call	_ObpCreateHandle@44 ; ObpCreateHandle(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_823313

loc_8231FB:				; CODE XREF: ObOpenObjectByPointer+28Fj
		lea	eax, [esp+19Ch+var_16C]
		cmp	esi, eax
		jnz	short loc_823246
		mov	ecx, esi
		call	SepDeleteAccessState
		cmp	ds:_SeTokenLeakTracking, 0
		jnz	loc_920E89

loc_823217:				; CODE XREF: ObOpenObjectByPointer+325j
					; ObOpenObjectByPointer+FDE3Ej	...
		mov	eax, large fs:124h
		mov	edx, [esi+24h]
		mov	ecx, [eax+80h]
		add	ecx, 12Ch
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	ecx, [esi+1Ch]
		mov	dword ptr [esi+24h], 0
		test	ecx, ecx
		jnz	short loc_823283

loc_82323F:				; CODE XREF: ObOpenObjectByPointer+1F8j
		mov	dword ptr [esi+1Ch], 0

loc_823246:				; CODE XREF: ObOpenObjectByPointer+171j
		mov	eax, edi

loc_823248:				; CODE XREF: ObOpenObjectByPointer+70j
					; ObOpenObjectByPointer+FDDF4j	...
		mov	ecx, [esp+19Ch+var_28]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_82325F:				; CODE XREF: ObOpenObjectByPointer+78j
		lea	eax, [ebx-18h]
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [ebx-0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	edi, ds:_ObTypeIndexTable[ecx*4]
		jmp	loc_82310E
; 

loc_823283:				; CODE XREF: ObOpenObjectByPointer+1ADj
		call	ObfDereferenceObject
		jmp	short loc_82323F
; 

loc_82328A:				; CODE XREF: ObOpenObjectByPointer+D5j
		mov	eax, large fs:124h
		mov	[esp+178h+var_160], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esi+2F0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[esp+178h+var_164], eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+2FCh]
		test	al, 8
		jz	loc_920E28
		mov	eax, [esi+2C8h]
		and	eax, 0FFFFFFF8h
		mov	ecx, eax
		mov	[esp+178h+var_16C], eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [esi+2C8h]
		mov	esi, [esp+178h+var_16C]
		and	eax, 3
		mov	[esp+178h+var_154], eax

loc_8232E2:				; CODE XREF: ObOpenObjectByPointer+FDD9Ej
		mov	edx, [esp+178h+var_164]
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	loc_823393

loc_8232FA:				; CODE XREF: ObOpenObjectByPointer+30Ej
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, [esp+178h+var_160]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, [esp+178h+var_168]
		jmp	loc_823171
; 

loc_823313:				; CODE XREF: ObOpenObjectByPointer+165j
		mov	edx, 6E48624Fh
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		jmp	loc_8231FB
; 

loc_823324:				; CODE XREF: ObOpenObjectByPointer+8Ej
		cmp	dword ptr [ebx-8], 0
		jz	loc_823124
		jmp	loc_920EDA
; 

loc_823333:				; CODE XREF: ObOpenObjectByPointer+FAj
		mov	eax, large fs:124h
		mov	[esp+178h+var_164], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [esp+178h+var_168]
		xor	edx, edx
		add	eax, 0E0h
		mov	ecx, eax
		mov	[esp+178h+var_168], eax
		call	ExAcquirePushLockSharedEx
		mov	ecx, [esp+178h+var_160]
		call	@ObFastReferenceObjectLocked@4 ; ObFastReferenceObjectLocked(x)
		mov	edx, [esp+178h+var_168]
		mov	esi, eax
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	short loc_8233A3

loc_82337A:				; CODE XREF: ObOpenObjectByPointer+31Ej
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, [esp+178h+var_164]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, [esp+178h+var_158]
		jmp	loc_823194
; 

loc_823393:				; CODE XREF: ObOpenObjectByPointer+264j
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, [esp+178h+var_164]
		jmp	loc_8232FA
; 

loc_8233A3:				; CODE XREF: ObOpenObjectByPointer+2E8j
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, [esp+178h+var_168]
		jmp	short loc_82337A
ObOpenObjectByPointer endp

; 
; START	OF FUNCTION CHUNK FOR ObOpenObjectByPointer

loc_8233B0:				; CODE XREF: ObOpenObjectByPointer+FDDFEj
					; ObOpenObjectByPointer+FDE1Bj	...
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	loc_823217
		jmp	loc_920EB7
; END OF FUNCTION CHUNK	FOR ObOpenObjectByPointer
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1539. NtOpenProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtOpenProcess(x, x,	x, x)
		public _NtOpenProcess@16
_NtOpenProcess@16 proc near		; CODE XREF: PfpSourceGetPrefetchSupport+B2p
					; DATA XREF: .text:00580F28o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_4], al
		push	[ebp+var_4]
		push	[ebp+var_4]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_PsOpenProcess@24 ; PsOpenProcess(x,x,x,x,x,x)
		leave
		retn	10h
_NtOpenProcess@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAlertThreadByThreadId	proc near	; DATA XREF: .text:00581268o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00920EF6 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, large fs:124h
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_0]
		mov	[ebp+var_4], 0
		call	_PsLookupThreadByThreadId@8 ; PsLookupThreadByThreadId(x,x)
		test	eax, eax
		js	short loc_82344C
		push	edi
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		mov	eax, [edi+150h]
		cmp	eax, [esi+150h]
		jnz	loc_920EF6
		call	KeAlertThreadByThreadId
		mov	ecx, edi
		call	ObfDereferenceObject
		xor	eax, eax

loc_82344B:				; CODE XREF: NtAlertThreadByThreadId+FDB00j
		pop	edi

loc_82344C:				; CODE XREF: NtAlertThreadByThreadId+23j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
NtAlertThreadByThreadId	endp

; 
		align 10h
; Exported entry 1864. PsLookupProcessByProcessId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsLookupProcessByProcessId
PsLookupProcessByProcessId proc	near	; CODE XREF: EtwpPsProvTraceProcess+191p
					; PfpCopyEvent+12Bp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00920F05 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		dec	word ptr [esi+13Eh]
		nop
		mov	ecx, [ebp+arg_0]
		mov	dl, 3
		call	PspReferenceCidTableEntry
		mov	edi, eax
		test	edi, edi
		jz	short loc_8234AC
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		test	dword ptr [edi+0FCh], 4000000h
		mov	ebx, eax
		jz	loc_920F05
		mov	edx, ebx
		mov	ecx, edi
		call	_PsIsProcessInSilo@8 ; PsIsProcessInSilo(x,x)
		test	al, al
		jz	short loc_8234FA

loc_8234AC:				; CODE XREF: PsLookupProcessByProcessId+26j
					; PsLookupProcessByProcessId+98j ...
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_8234BF
		nop
		add	esi, 70h
		cmp	[esi], esi
		jnz	short loc_8234DA

loc_8234BF:				; CODE XREF: PsLookupProcessByProcessId+55j
					; PsLookupProcessByProcessId+7Fj
		test	edi, edi
		jz	short loc_8234D3
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		xor	eax, eax

loc_8234CA:				; CODE XREF: PsLookupProcessByProcessId+78j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_8234D3:				; CODE XREF: PsLookupProcessByProcessId+61j
		mov	eax, 0C000000Bh
		jmp	short loc_8234CA
; 

loc_8234DA:				; CODE XREF: PsLookupProcessByProcessId+5Dj
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_8234BF
; 

loc_8234E1:				; CODE XREF: PsLookupProcessByProcessId+FDABEj
					; PsLookupProcessByProcessId+FDAC9j
		test	dword ptr [edi+0FCh], 4000000h
		jz	short loc_8234FA
		mov	edx, ebx
		mov	ecx, edi
		call	_PsIsProcessInSilo@8 ; PsIsProcessInSilo(x,x)
		test	al, al
		jnz	short loc_8234AC

loc_8234FA:				; CODE XREF: PsLookupProcessByProcessId+4Aj
					; PsLookupProcessByProcessId+8Bj
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		xor	edi, edi
		jmp	short loc_8234AC
PsLookupProcessByProcessId endp

; 
		align 10h
; Exported entry 1866. PsLookupThreadByThreadId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsLookupThreadByThreadId(x,	x)
		public _PsLookupThreadByThreadId@8
_PsLookupThreadByThreadId@8 proc near	; CODE XREF: PsOpenThread+1D7p
					; PsLookupProcessThreadByCid+18p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		dec	word ptr [edi+13Eh]
		nop
		mov	ecx, [ebp+arg_0]
		mov	dl, 6
		call	PspReferenceCidTableEntry
		mov	esi, eax
		test	esi, esi
		jz	short loc_82358B
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		test	byte ptr [esi+2FCh], 2
		mov	ebx, eax
		jnz	short loc_823571
		lea	ecx, [esi+2F0h]
		mov	[ebp+var_4], 0
		xor	edx, edx
		lea	eax, [ebp+var_4]
		lock or	[eax], edx
		mov	eax, [ecx]
		test	al, 1
		jz	short loc_823568
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)

loc_823568:				; CODE XREF: PsLookupThreadByThreadId(x,x)+51j
		test	byte ptr [esi+2FCh], 2
		jz	short loc_823582

loc_823571:				; CODE XREF: PsLookupThreadByThreadId(x,x)+36j
		mov	ecx, [esi+150h]
		mov	edx, ebx
		call	_PsIsProcessInSilo@8 ; PsIsProcessInSilo(x,x)
		test	al, al
		jnz	short loc_82358B

loc_823582:				; CODE XREF: PsLookupThreadByThreadId(x,x)+5Fj
		mov	ecx, esi
		call	ObfDereferenceObject
		xor	esi, esi

loc_82358B:				; CODE XREF: PsLookupThreadByThreadId(x,x)+26j
					; PsLookupThreadByThreadId(x,x)+70j
		nop
		add	word ptr [edi+13Eh], 1
		jnz	short loc_8235A3
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jz	short loc_8235A3
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_8235A3:				; CODE XREF: PsLookupThreadByThreadId(x,x)+84j
					; PsLookupThreadByThreadId(x,x)+8Cj
		test	esi, esi
		jz	short loc_8235B7
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_8235B7:				; CODE XREF: PsLookupThreadByThreadId(x,x)+95j
		pop	edi
		pop	esi
		mov	eax, 0C000000Bh
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_PsLookupThreadByThreadId@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspThreadFromTicket(x, x)
_PspThreadFromTicket@8 proc near	; CODE XREF: NtSetInformationThread+1BFp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		xor	eax, ds:_PspWorkOnBehalfEncodingKey
		xor	ecx, ds:dword_A9451C
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		dec	word ptr [ebx+13Eh]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_18], eax
		nop
		mov	ecx, ds:_PspCidTable
		mov	[ebp+var_18], 0
		mov	[ebp+var_14], 0
		test	eax, 7FCh
		jz	loc_82374C
		push	eax
		call	ExpLookupHandleTableEntry
		mov	edi, eax
		test	edi, edi
		jz	loc_82374C
		mov	ecx, ds:_PspCidTable
		lea	eax, [ebp+var_18]
		push	eax
		mov	edx, edi
		call	_ExFastReferenceHandleTableEntry@12 ; ExFastReferenceHandleTableEntry(x,x,x)
		test	eax, eax
		js	short loc_82365F
		mov	esi, [ebp+var_18]
		and	esi, 0FFFFFFF8h
		mov	al, [esi]
		and	al, 7Fh
		cmp	al, 6
		jz	loc_8236F7
		jmp	loc_823745
; 

loc_82365F:				; CODE XREF: PspThreadFromTicket(x,x)+76j
		cmp	eax, 0FFFFFFFFh
		jnz	loc_8236F5
		mov	ecx, ds:_PspCidTable
		mov	edx, edi
		call	_ExLockHandleTableEntry@8 ; ExLockHandleTableEntry(x,x)
		test	al, al
		jz	loc_82374C
		mov	esi, [edi]
		and	esi, 0FFFFFFF8h
		mov	al, [esi]
		and	al, 7Fh
		cmp	al, 6
		jnz	short loc_8236C7
		mov	eax, [esi+2FCh]
		and	al, 3
		cmp	al, 2
		jnz	short loc_82369F
		mov	ecx, edi
		call	_ExSlowReplenishHandleTableEntry@4 ; ExSlowReplenishHandleTableEntry(x)
		jmp	short loc_8236A1
; 

loc_82369F:				; CODE XREF: PspThreadFromTicket(x,x)+C4j
		xor	eax, eax

loc_8236A1:				; CODE XREF: PspThreadFromTicket(x,x)+CDj
		lea	edx, [eax+1]
		lea	ecx, [esi-18h]
		call	_ObpSafeInterlockedAddNoFence@8	; ObpSafeInterlockedAddNoFence(x,x)
		test	al, al
		jz	short loc_8236BC
		push	746C6644h
		call	ObpTraceObjectReferenceIfActive
		jmp	short loc_8236C9
; 

loc_8236BC:				; CODE XREF: PspThreadFromTicket(x,x)+DEj
		mov	eax, [edi+4]
		and	eax, 7FFFFFFh
		mov	[edi+4], eax

loc_8236C7:				; CODE XREF: PspThreadFromTicket(x,x)+B8j
		xor	esi, esi

loc_8236C9:				; CODE XREF: PspThreadFromTicket(x,x)+EAj
		mov	ecx, ds:_PspCidTable
		mov	eax, 1
		lock xadd [edi], eax
		add	ecx, 20h
		mov	[ebp+var_4], 0
		xor	edx, edx
		lea	eax, [ebp+var_4]
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	short loc_8236F7
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	short loc_8236F7
; 

loc_8236F5:				; CODE XREF: PspThreadFromTicket(x,x)+92j
		xor	esi, esi

loc_8236F7:				; CODE XREF: PspThreadFromTicket(x,x)+84j
					; PspThreadFromTicket(x,x)+11Cj ...
		test	esi, esi
		jz	short loc_82374E
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		test	byte ptr [esi+2FCh], 2
		mov	edi, eax
		jnz	short loc_823734
		lea	ecx, [esi+2F0h]
		mov	[ebp+var_8], 0
		xor	edx, edx
		lea	eax, [ebp+var_8]
		lock or	[eax], edx
		mov	eax, [ecx]
		test	al, 1
		jz	short loc_82372B
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)

loc_82372B:				; CODE XREF: PspThreadFromTicket(x,x)+154j
		test	byte ptr [esi+2FCh], 2
		jz	short loc_823745

loc_823734:				; CODE XREF: PspThreadFromTicket(x,x)+139j
		mov	ecx, [esi+150h]
		mov	edx, edi
		call	_PsIsProcessInSilo@8 ; PsIsProcessInSilo(x,x)
		test	al, al
		jnz	short loc_82374E

loc_823745:				; CODE XREF: PspThreadFromTicket(x,x)+8Aj
					; PspThreadFromTicket(x,x)+162j
		mov	ecx, esi
		call	ObfDereferenceObject

loc_82374C:				; CODE XREF: PspThreadFromTicket(x,x)+4Dj
					; PspThreadFromTicket(x,x)+5Dj	...
		xor	esi, esi

loc_82374E:				; CODE XREF: PspThreadFromTicket(x,x)+129j
					; PspThreadFromTicket(x,x)+173j
		nop
		add	word ptr [ebx+13Eh], 1
		jnz	short loc_823766
		nop
		lea	eax, [ebx+70h]
		cmp	[eax], eax
		jz	short loc_823766
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_823766:				; CODE XREF: PspThreadFromTicket(x,x)+187j
					; PspThreadFromTicket(x,x)+18Fj
		test	esi, esi
		jz	short loc_823796
		mov	eax, [ebp+var_C]
		mov	[eax], esi
		mov	eax, [ebp+var_10]
		cmp	[esi+280h], eax
		jnz	short loc_823783
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_823783:				; CODE XREF: PspThreadFromTicket(x,x)+1A8j
		mov	ecx, esi
		call	ObfDereferenceObject
		pop	edi
		pop	esi
		mov	eax, 0C0000225h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_823796:				; CODE XREF: PspThreadFromTicket(x,x)+198j
		pop	edi
		pop	esi
		mov	eax, 0C000000Bh
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PspThreadFromTicket@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspReferenceCidTableEntry proc near	; CODE XREF: PsLookupProcessByProcessId+1Dp
					; PsLookupThreadByThreadId(x,x)+1Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00920F2E SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ds:_PspCidTable
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], 0
		push	ebx
		mov	bl, dl
		push	esi
		push	edi
		test	ecx, 7FCh
		jz	loc_8238BC
		push	ecx
		mov	ecx, eax
		call	ExpLookupHandleTableEntry
		mov	edi, eax
		test	edi, edi
		jz	loc_8238BC
		mov	ecx, ds:_PspCidTable
		lea	eax, [ebp+var_C]
		push	eax
		mov	edx, edi
		call	_ExFastReferenceHandleTableEntry@12 ; ExFastReferenceHandleTableEntry(x,x,x)
		test	eax, eax
		js	short loc_82381E
		mov	esi, [ebp+var_C]
		and	esi, 0FFFFFFF8h
		mov	al, [esi]
		and	al, 7Fh
		cmp	al, bl
		jnz	loc_8238B5

loc_823815:				; CODE XREF: PspReferenceCidTableEntry+F1j
					; PspReferenceCidTableEntry+FD780j
		mov	eax, esi

loc_823817:				; CODE XREF: PspReferenceCidTableEntry+10Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_82381E:				; CODE XREF: PspReferenceCidTableEntry+51j
		cmp	eax, 0FFFFFFFFh
		jnz	loc_920F2E
		mov	ecx, ds:_PspCidTable
		mov	edx, edi
		call	_ExLockHandleTableEntry@8 ; ExLockHandleTableEntry(x,x)
		test	al, al
		jz	loc_8238BC
		mov	esi, [edi]
		and	esi, 0FFFFFFF8h
		mov	al, [esi]
		and	al, 7Fh
		cmp	al, bl
		jnz	loc_8238E4
		cmp	bl, 3
		jz	short loc_8238C3
		mov	eax, [esi+2FCh]
		and	al, 3
		cmp	al, 2

loc_82385C:				; CODE XREF: PspReferenceCidTableEntry+123j
		jnz	short loc_8238D5
		mov	ecx, edi
		call	_ExSlowReplenishHandleTableEntry@4 ; ExSlowReplenishHandleTableEntry(x)

loc_823865:				; CODE XREF: PspReferenceCidTableEntry+127j
		lea	edx, [eax+1]
		lea	ecx, [esi-18h]
		call	_ObpSafeInterlockedAddNoFence@8	; ObpSafeInterlockedAddNoFence(x,x)
		test	al, al
		jz	short loc_8238D9
		push	746C6644h
		call	ObpTraceObjectReferenceIfActive

loc_82387E:				; CODE XREF: PspReferenceCidTableEntry+136j
		mov	ecx, ds:_PspCidTable
		mov	eax, 1
		lock xadd [edi], eax
		add	ecx, 20h
		mov	[ebp+var_4], 0
		xor	edx, edx
		lea	eax, [ebp+var_4]
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	loc_823815
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8238B5:				; CODE XREF: PspReferenceCidTableEntry+5Fj
		mov	ecx, esi
		call	ObfDereferenceObject

loc_8238BC:				; CODE XREF: PspReferenceCidTableEntry+26j
					; PspReferenceCidTableEntry+38j ...
		xor	eax, eax
		jmp	loc_823817
; 

loc_8238C3:				; CODE XREF: PspReferenceCidTableEntry+A0j
		mov	eax, [esi+0FCh]
		and	eax, 400000Ch
		cmp	eax, 4000000h
		jmp	short loc_82385C
; 

loc_8238D5:				; CODE XREF: PspReferenceCidTableEntry:loc_82385Cj
		xor	eax, eax
		jmp	short loc_823865
; 

loc_8238D9:				; CODE XREF: PspReferenceCidTableEntry+C2j
		mov	eax, [edi+4]
		and	eax, 7FFFFFFh
		mov	[edi+4], eax

loc_8238E4:				; CODE XREF: PspReferenceCidTableEntry+97j
		xor	esi, esi
		jmp	short loc_82387E
PspReferenceCidTableEntry endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpIsDuplicateAce proc	near		; CODE XREF: RtlpGenerateInheritedAce+13Ap
					; RtlpGenerateInheritedAce+1DEp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00920F35 SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], esi
		mov	al, [ebx]
		cmp	al, 8
		ja	loc_823A15
		cmp	al, 4
		jz	loc_823A15
		mov	cl, [ebx+1]
		test	cl, 10h
		jz	loc_823A15
		mov	eax, [ebx+4]
		mov	dl, cl
		mov	[ebp+var_4], eax
		mov	ch, cl
		mov	eax, [ebp+var_10]
		and	dl, 2
		push	edi
		and	ch, 1
		and	cl, 8
		xor	edi, edi
		add	esi, 8
		movzx	eax, word ptr [eax+4]
		dec	eax
		test	eax, eax
		jle	loc_8239DA
		mov	eax, [ebp+var_4]
		movzx	edx, dl
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	[ebp+var_4], edx
		movzx	edx, ch
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	[ebp+var_C], edx
		xor	edx, edx
		test	cl, cl
		setnz	dl
		dec	edx
		and	edx, eax
		mov	[ebp+var_8], edx

loc_823970:				; CODE XREF: RtlpIsDuplicateAce+E8j
		mov	al, [esi]
		cmp	al, 8
		ja	short loc_8239C7
		cmp	al, 4
		jz	short loc_8239C7
		mov	ah, [esi+1]
		test	ah, 10h
		jz	short loc_8239C7
		mov	cl, [ebx]
		cmp	al, 5
		jnb	loc_920F35
		cmp	cl, 5
		jnb	loc_920F5A

loc_823995:				; CODE XREF: RtlpIsDuplicateAce+FD673j
		movzx	edx, cl
		movzx	ecx, al
		mov	al, ds:_RtlBaseAceType[edx]
		cmp	al, ds:_RtlBaseAceType[ecx]
		jnz	short loc_8239C7
		cmp	ds:_RtlIsSystemAceType[edx], 0
		jnz	loc_920F68

loc_8239B6:				; CODE XREF: RtlpIsDuplicateAce+FD685j
		lea	eax, [esi+8]
		push	eax
		lea	eax, [ebx+8]
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_8239E3

loc_8239C7:				; CODE XREF: RtlpIsDuplicateAce+84j
					; RtlpIsDuplicateAce+88j ...
		movzx	eax, word ptr [esi+2]
		inc	edi
		add	esi, eax
		mov	eax, [ebp+var_10]
		movzx	eax, word ptr [eax+4]
		dec	eax
		cmp	edi, eax
		jl	short loc_823970

loc_8239DA:				; CODE XREF: RtlpIsDuplicateAce+52j
		xor	al, al
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8239E3:				; CODE XREF: RtlpIsDuplicateAce+D5j
					; RtlpIsDuplicateAce+FD665j
		mov	cl, [esi+1]
		mov	eax, [esi+4]
		not	eax
		test	cl, 2
		jnz	short loc_823A1D

loc_8239F0:				; CODE XREF: RtlpIsDuplicateAce+130j
		test	cl, 1
		jnz	short loc_823A22

loc_8239F5:				; CODE XREF: RtlpIsDuplicateAce+135j
		mov	edx, [ebp+var_8]
		test	cl, 8
		jnz	short loc_823A02
		and	edx, eax
		mov	[ebp+var_8], edx

loc_823A02:				; CODE XREF: RtlpIsDuplicateAce+10Bj
		mov	eax, edx
		or	eax, [ebp+var_C]
		or	eax, [ebp+var_4]
		jnz	short loc_8239C7
		pop	edi
		pop	esi
		mov	al, 1
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_823A15:				; CODE XREF: RtlpIsDuplicateAce+15j
					; RtlpIsDuplicateAce+1Dj ...
		pop	esi
		xor	al, al
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_823A1D:				; CODE XREF: RtlpIsDuplicateAce+FEj
		and	[ebp+var_4], eax
		jmp	short loc_8239F0
; 

loc_823A22:				; CODE XREF: RtlpIsDuplicateAce+103j
		and	[ebp+var_C], eax
		jmp	short loc_8239F5
RtlpIsDuplicateAce endp

; 
		align 10h
; Exported entry 1541. NtOpenProcessTokenEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtOpenProcessTokenEx
NtOpenProcessTokenEx proc near		; CODE XREF: NtOpenProcessToken(x,x,x)+10p
					; RtlpSysVolTakeOwnership(x)+3Cp
					; DATA XREF: ...

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5CF8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_1C], 0
		mov	[ebp+var_20], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_28], al
		movsx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 0FFFEFE00h
		add	esi, 11FF2h
		and	esi, [ebp+arg_8]
		test	al, al
		jz	loc_823B21
		mov	[ebp+var_4], 0
		mov	ebx, [ebp+arg_C]
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	short loc_823B26

loc_823AB5:				; CODE XREF: NtOpenProcessTokenEx+F8j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_823AC0:				; CODE XREF: NtOpenProcessTokenEx+F4j
		lea	edx, [ebp+var_1C]
		mov	ecx, [ebp+arg_0]
		call	_PsOpenTokenOfProcess@8	; PsOpenTokenOfProcess(x,x)
		test	eax, eax
		js	short loc_823B0D
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_28]
		mov	eax, ds:_SeTokenObjectType
		push	eax
		push	[ebp+arg_4]
		push	0
		push	esi
		mov	esi, [ebp+var_1C]
		push	esi
		call	ObOpenObjectByPointer
		mov	edi, eax
		mov	ecx, esi
		call	ObfDereferenceObject
		test	edi, edi
		js	short loc_823B0B
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_20]
		mov	[ebx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_823B0B:				; CODE XREF: NtOpenProcessTokenEx+C6j
		mov	eax, edi

loc_823B0D:				; CODE XREF: NtOpenProcessTokenEx+9Dj
					; sub_920F8A+Dj ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_823B21:				; CODE XREF: NtOpenProcessTokenEx+6Aj
		mov	ebx, [ebp+arg_C]
		jmp	short loc_823AC0
; 

loc_823B26:				; CODE XREF: NtOpenProcessTokenEx+83j
		mov	ecx, eax
		jmp	short loc_823AB5
NtOpenProcessTokenEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsOpenTokenOfProcess(x, x)
_PsOpenTokenOfProcess@8	proc near	; CODE XREF: NtOpenProcessTokenEx+96p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	al, [eax+15Ah]
		push	0
		mov	byte ptr [ebp+var_8], al
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, ds:_PsProcessType
		push	65537350h
		push	[ebp+var_8]
		mov	[ebp+var_C], edx
		push	eax
		push	1000h
		push	ecx
		mov	[ebp+var_4], 0
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_823BA0
		mov	edi, [ebp+var_4]
		lea	ebx, [edi+12Ch]
		mov	ecx, ebx
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_823BA7

loc_823B8D:				; CODE XREF: PsOpenTokenOfProcess(x,x)+C6j
		mov	eax, [ebp+var_C]
		mov	edx, 65537350h
		mov	ecx, edi
		mov	[eax], esi
		call	ObfDereferenceObjectWithTag
		xor	eax, eax

loc_823BA0:				; CODE XREF: PsOpenTokenOfProcess(x,x)+45j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_823BA7:				; CODE XREF: PsOpenTokenOfProcess(x,x)+5Bj
		mov	eax, large fs:124h
		mov	[ebp+var_8], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+var_4]
		xor	edx, edx
		lea	ecx, [edi+0E0h]
		call	ExAcquirePushLockSharedEx
		mov	ecx, ebx
		call	@ObFastReferenceObjectLocked@4 ; ObFastReferenceObjectLocked(x)
		mov	esi, eax
		lea	ebx, [edi+0E0h]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	short loc_823BF8

loc_823BE7:				; CODE XREF: PsOpenTokenOfProcess(x,x)+CFj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	short loc_823B8D
; 

loc_823BF8:				; CODE XREF: PsOpenTokenOfProcess(x,x)+B5j
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_823BE7
_PsOpenTokenOfProcess@8	endp

; 
		align 10h
; Exported entry 1606. NtWriteFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtWriteFile(x, x, x, x, x, x, x, x,	x)
		public _NtWriteFile@36
_NtWriteFile@36	proc near		; CODE XREF: SmKmIssueFileIo(_SMKM_FILE_INFO *,_SMKM_ISSUE_IO_PARAMS *,_LARGE_INTEGER *,void (*)(void *,_IO_STATUS_BLOCK *,ulong),void *):loc_673F13p
					; NTFastDOSIO(x,x)+207p
					; DATA XREF: ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	[esp+10h+var_C], 0
		mov	dl, [eax+15Ah]
		lea	eax, [esp+10h+var_8]
		push	eax
		lea	eax, [esp+14h+var_C]
		mov	[esp+14h+var_8], 0
		push	eax
		mov	[esp+18h+var_4], 0
		call	ObReferenceFileObjectForWrite
		test	eax, eax
		js	short loc_823C9C
		mov	esi, [esp+10h+var_C]
		mov	ecx, esi
		call	IopFileObjectRevoked
		test	al, al
		jz	short loc_823C78
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, 0C0000910h
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_823C78:				; CODE XREF: NtWriteFile(x,x,x,x,x,x,x,x,x)+53j
		push	ecx
		push	[esp+14h+var_4]
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_IopWriteFile@44 ; IopWriteFile(x,x,x,x,x,x,x,x,x,x,x)

loc_823C9C:				; CODE XREF: NtWriteFile(x,x,x,x,x,x,x,x,x)+44j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	24h
_NtWriteFile@36	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObReferenceFileObjectForWrite proc near	; CODE XREF: NtCopyFileChunk(x,x,x,x,x,x,x,x,x,x)+183p
					; NtWriteFile(x,x,x,x,x,x,x,x,x)+3Dp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00920FBE SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	[ebp+var_C], ecx
		mov	al, dl
		mov	[ebp+var_1], al
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], 0
		mov	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	edi, [ebp+arg_4]
		test	ecx, ecx
		js	loc_823E10
		mov	eax, [esi+80h]
		mov	ebx, [eax+18Ch]
		mov	eax, [eax+0FCh]
		mov	[ebp+var_10], ebx
		test	eax, 4000000h
		jz	loc_823E4C

loc_823D0A:				; CODE XREF: ObReferenceFileObjectForWrite+180j
		dec	word ptr [esi+13Ch]
		nop
		lea	eax, [ebp+var_8]
		mov	edx, ecx
		push	eax
		lea	eax, [ebp+var_1C]
		mov	ecx, ebx
		push	eax
		call	ObpReferenceObjectByHandle
		mov	ebx, eax
		mov	[ebp+var_14], ebx
		nop
		add	word ptr [esi+13Ch], 1
		jnz	short loc_823D3F
		nop
		lea	ecx, [esi+70h]
		cmp	[ecx], ecx
		jnz	loc_823E5A

loc_823D3F:				; CODE XREF: ObReferenceFileObjectForWrite+81j
					; ObReferenceFileObjectForWrite+1B2j ...
		test	ebx, ebx
		jz	loc_823E3A
		mov	ebx, [ebp+var_8]
		mov	edx, 1
		push	746C6644h
		mov	ecx, ebx
		call	ObpTraceObjectReferenceIfActive
		lea	esi, [ebx+18h]
		lea	eax, [esi-18h]
		mov	[ebp+arg_4], esi
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, ds:_IoFileObjectType
		jnz	loc_921004
		mov	esi, [esi+2Ch]
		mov	ecx, [ebp+var_18]
		mov	eax, ecx
		mov	edx, [ebp+var_1C]
		and	eax, 1FFFFFFh
		shr	esi, 5
		and	edx, 6
		not	esi
		mov	[edi+4], eax
		and	esi, 4
		or	esi, 2
		test	ecx, 4000000h
		jnz	loc_920FBE

loc_823DB9:				; CODE XREF: ObReferenceFileObjectForWrite+FD311j
		test	ecx, 2000000h
		jnz	short loc_823E35

loc_823DC1:				; CODE XREF: ObReferenceFileObjectForWrite+188j
		and	edx, 7
		mov	[edi], edx
		test	eax, esi
		jz	loc_920FFA
		mov	al, [ebp+var_1]
		test	al, al
		jz	short loc_823DF4
		mov	ecx, ebx
		call	_OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO@4 ; OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO(x)
		test	eax, eax
		jz	short loc_823DF1
		mov	eax, [eax+8]
		cmp	eax, 1
		jz	loc_920FC6
		mov	edx, [edi]
		mov	ebx, [ebp+var_8]

loc_823DF1:				; CODE XREF: ObReferenceFileObjectForWrite+12Ej
		mov	al, [ebp+var_1]

loc_823DF4:				; CODE XREF: ObReferenceFileObjectForWrite+123j
		test	dl, 4
		jnz	loc_920FD0

loc_823DFD:				; CODE XREF: ObReferenceFileObjectForWrite+FD322j
					; ObReferenceFileObjectForWrite+FD33Aj
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[eax], ecx
		xor	eax, eax

loc_823E07:				; CODE XREF: ObReferenceFileObjectForWrite+19Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_823E10:				; CODE XREF: ObReferenceFileObjectForWrite+34j
		test	al, al
		jnz	short loc_823E4C
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_823E4C
		cmp	ecx, 0FFFFFFFEh
		jz	short loc_823E4C
		mov	ebx, _ObpKernelHandleTable
		xor	ecx, 80000000h
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], ebx
		jmp	loc_823D0A
; 

loc_823E35:				; CODE XREF: ObReferenceFileObjectForWrite+10Fj
		or	edx, 1
		jmp	short loc_823DC1
; 

loc_823E3A:				; CODE XREF: ObReferenceFileObjectForWrite+91j
		mov	edi, 0C0000008h

loc_823E3F:				; CODE XREF: ObReferenceFileObjectForWrite+FD35Fj
		mov	ecx, [ebp+arg_0]
		mov	eax, edi
		mov	dword ptr [ecx], 0
		jmp	short loc_823E07
; 

loc_823E4C:				; CODE XREF: ObReferenceFileObjectForWrite+54j
					; ObReferenceFileObjectForWrite+162j ...
		pop	edi
		pop	esi
		mov	eax, 0C0000008h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_823E5A:				; CODE XREF: ObReferenceFileObjectForWrite+89j
		cmp	word ptr [esi+13Eh], 0
		jnz	loc_823D3F
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_823D3F
ObReferenceFileObjectForWrite endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpReferenceObjectByHandle proc	near	; CODE XREF: ObReferenceFileObjectForWrite+6Ep

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00921014 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		test	edi, 7FCh
		jz	loc_823F5C
		push	edi
		call	ExpLookupHandleTableEntry
		mov	esi, eax
		test	esi, esi
		jz	loc_823F5C
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		call	_ExFastReferenceHandleTableEntry@12 ; ExFastReferenceHandleTableEntry(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_823ED4
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		mov	eax, [ebp+arg_4]
		and	ecx, 0FFFFFFF8h
		mov	[eax], ecx

loc_823EC9:				; CODE XREF: ObpReferenceObjectByHandle+78j
					; ObpReferenceObjectByHandle+D1j ...
		mov	eax, esi

loc_823ECB:				; CODE XREF: ObpReferenceObjectByHandle+E6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_823ED4:				; CODE XREF: ObpReferenceObjectByHandle+3Aj
		jle	short loc_823EFF
		mov	ebx, [ebp+arg_0]
		mov	edx, eax
		mov	edi, [ebp+arg_4]
		mov	ecx, [ebx]
		and	ecx, 0FFFFFFF8h
		mov	[edi], ecx
		call	ObpIncrPointerCountEx
		push	[ebp+var_4]
		mov	edx, ebx
		mov	ecx, esi
		call	ExFastReplenishHandleTableEntry
		test	eax, eax
		jz	short loc_823EC9
		jmp	loc_921014
; 

loc_823EFF:				; CODE XREF: ObpReferenceObjectByHandle:loc_823ED4j
		mov	edx, esi
		mov	ecx, ebx
		call	_ExLockHandleTableEntry@8 ; ExLockHandleTableEntry(x,x)
		test	al, al
		jz	short loc_823F5C
		mov	eax, [esi]
		mov	edi, [ebp+arg_4]
		and	eax, 0FFFFFFF8h
		mov	ecx, [ebp+arg_0]
		mov	[edi], eax
		mov	eax, [esi]
		mov	[ecx], eax
		mov	eax, [esi+4]
		mov	[ecx+4], eax
		mov	ecx, esi
		call	_ExSlowReplenishHandleTableEntry@4 ; ExSlowReplenishHandleTableEntry(x)
		mov	ecx, [edi]
		lea	edx, [eax+1]
		call	ObpIncrPointerCountEx
		mov	eax, 1
		lock xadd [esi], eax
		lea	ecx, [ebx+20h]
		mov	[ebp+arg_0], 0
		xor	edx, edx
		lea	eax, [ebp+arg_0]
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	loc_823EC9
		jmp	loc_921021
; 

loc_823F5C:				; CODE XREF: ObpReferenceObjectByHandle+13j
					; ObpReferenceObjectByHandle+23j ...
		test	edi, edi
		jnz	loc_92102D

loc_823F64:				; CODE XREF: ObpReferenceObjectByHandle+FD1C4j
		xor	eax, eax
		jmp	loc_823ECB
ObpReferenceObjectByHandle endp

; 
		align 10h
; Exported entry 2455. SeCreateClientSecurityEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeCreateClientSecurityEx
SeCreateClientSecurityEx proc near	; CODE XREF: AlpcpGetEffectiveTokenMessage+57p
					; AlpcpImpersonateMessage:loc_82F095p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_6		= dword	ptr -6
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00921049 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	byte ptr [ebp+var_6], 0
		mov	[ebp+var_18], 0
		mov	byte ptr [ebp+var_1], 0
		mov	byte ptr [ebp+var_14], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], eax
		push	edi
		cmp	esi, eax
		jz	loc_82405E
		mov	ebx, [esi+150h]

loc_823FAF:				; CODE XREF: SeCreateClientSecurityEx+F4j
		lea	eax, [ebp+var_1]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_18]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_6]
		push	eax
		lea	eax, [ebp-2]
		push	eax
		call	_PsReferenceImpersonationTokenEx@24 ; PsReferenceImpersonationTokenEx(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_824057
		lea	ecx, [ebx+12Ch]
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_824072

loc_823FE7:				; CODE XREF: SeCreateClientSecurityEx+14Cj
		mov	al, [ebx+3A6h]
		mov	ebx, 1
		mov	byte ptr [ebp+var_6], 0
		mov	byte ptr [ebp+var_1], al

loc_823FF9:				; CODE XREF: SeCreateClientSecurityEx+ECj
		mov	ecx, [edi+280h]
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	edx, [ebp+var_1]
		call	_SepReconcileTrustSidWithProcessProtection@16 ;	SepReconcileTrustSidWithProcessProtection(x,x,x,x)
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	[ebp+var_10]
		push	[ebp+var_14]
		push	esi
		push	1
		push	[ebp+var_18]
		push	[ebp+var_6]
		push	ebx
		push	[ebp+arg_8]
		call	SepCreateClientSecurityEx
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_824069
		mov	eax, [ebp+arg_C]
		cmp	byte ptr [eax+8], 0
		jz	short loc_824069
		mov	ecx, [esi+150h]
		cmp	ecx, ds:_PsInitialSystemProcess
		jz	short loc_8240C1

loc_82404C:				; CODE XREF: SeCreateClientSecurityEx+100j
					; SeCreateClientSecurityEx+160j
		mov	eax, ebx

loc_82404E:				; CODE XREF: SeCreateClientSecurityEx+FD0F2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_824057:				; CODE XREF: SeCreateClientSecurityEx+5Cj
		mov	ebx, 2
		jmp	short loc_823FF9
; 

loc_82405E:				; CODE XREF: SeCreateClientSecurityEx+33j
		mov	ebx, [eax+80h]
		jmp	loc_823FAF
; 

loc_824069:				; CODE XREF: SeCreateClientSecurityEx+C3j
					; SeCreateClientSecurityEx+CCj
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	short loc_82404C
; 

loc_824072:				; CODE XREF: SeCreateClientSecurityEx+71j
		mov	eax, [ebp+var_C]
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [ebx+0E0h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lea	ecx, [ebx+12Ch]
		call	@ObFastReferenceObjectLocked@4 ; ObFastReferenceObjectLocked(x)
		mov	edi, eax
		lea	edx, [ebx+0E0h]
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	short loc_8240DB

loc_8240AD:				; CODE XREF: SeCreateClientSecurityEx+178j
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_C]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	loc_823FE7
; 

loc_8240C1:				; CODE XREF: SeCreateClientSecurityEx+DAj
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		mov	esi, eax
		push	esi
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jnz	loc_82404C
		jmp	loc_921049
; 

loc_8240DB:				; CODE XREF: SeCreateClientSecurityEx+13Bj
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	edx, [ebx+0E0h]
		jmp	short loc_8240AD
SeCreateClientSecurityEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepCreateClientSecurityEx proc near	; CODE XREF: SeCreateClientSecurityFromSubjectContextEx(x,x,x,x)+97p
					; SeCreateClientSecurityFromSubjectContext+50p	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 00921067 SIZE 000000C0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[esp+20h+var_14], ecx
		xor	cl, cl
		mov	[esp+20h+var_C], 0
		mov	[esp+20h+var_10], 0
		mov	al, [edi+8]
		cmp	al, 1
		jnz	loc_8241C7

loc_824121:				; CODE XREF: SepCreateClientSecurityEx+D9j
		mov	eax, [edi+4]
		cmp	eax, 3
		ja	loc_8242EF
		cmp	[ebp+arg_4], 2
		mov	bl, [ebp+arg_0]
		jz	short loc_824182
		mov	esi, [ebp+arg_20]
		mov	al, [edi+9]
		mov	[esi+11h], al

loc_82413F:				; CODE XREF: SepCreateClientSecurityEx+CFj
		cmp	byte ptr [edi+8], 0
		jz	loc_8241D4
		mov	byte ptr [esi+10h], 1
		test	bl, bl
		jnz	loc_921116

loc_824155:				; CODE XREF: SepCreateClientSecurityEx+119j
					; SepCreateClientSecurityEx+FD032j
		mov	ecx, [esp+20h+var_14]
		mov	dword ptr [esi], 0Ch
		mov	eax, [edi+4]
		mov	[esi+4], eax
		mov	al, [edi+8]
		mov	[esi+8], al
		mov	al, [edi+9]
		mov	[esi+0Ch], ecx
		mov	[esi+9], al
		xor	eax, eax
		mov	[esi+12h], bl

loc_824179:				; CODE XREF: SepCreateClientSecurityEx+1ACj
					; SepCreateClientSecurityEx+1C9j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_824182:				; CODE XREF: SepCreateClientSecurityEx+44j
		mov	edx, [ebp+arg_C]
		cmp	eax, edx
		mov	al, [ebp+arg_10]
		jg	loc_824218

loc_824190:				; CODE XREF: SepCreateClientSecurityEx+132j
		test	edx, edx
		jz	loc_824227
		cmp	edx, 1
		jz	loc_824227
		test	bl, bl
		jnz	loc_921071

loc_8241A9:				; CODE XREF: SepCreateClientSecurityEx+FCF8Aj
		cmp	[ebp+arg_8], 0
		jnz	short loc_824214
		cmp	byte ptr [edi+9], 0
		jnz	short loc_824214
		xor	al, al

loc_8241B7:				; CODE XREF: SepCreateClientSecurityEx+126j
		mov	esi, [ebp+arg_20]
		mov	[esi+11h], al
		test	cl, cl
		jz	loc_82413F
		jmp	short loc_824232
; 

loc_8241C7:				; CODE XREF: SepCreateClientSecurityEx+2Bj
		test	al, al
		jz	loc_824121
		jmp	loc_921067
; 

loc_8241D4:				; CODE XREF: SepCreateClientSecurityEx+53j
		mov	byte ptr [esi+10h], 0
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_92109E
		lea	eax, [esp+20h+var_C]
		push	eax
		push	[ebp+arg_1C]
		push	[ebp+arg_18]

loc_8241F0:				; CODE XREF: SepCreateClientSecurityEx+FD01Aj
		mov	edx, [edi+4]
		push	ecx
		mov	ecx, [esp+30h+var_14]
		call	SeCopyClientToken

loc_8241FD:				; CODE XREF: SepCreateClientSecurityEx+FD00Cj
		mov	ecx, eax
		mov	eax, [esp+20h+var_C]
		mov	[esp+20h+var_14], eax
		test	ecx, ecx
		jns	loc_824155
		jmp	loc_92110F
; 

loc_824214:				; CODE XREF: SepCreateClientSecurityEx+BDj
					; SepCreateClientSecurityEx+C3j
		mov	al, 1
		jmp	short loc_8241B7
; 

loc_824218:				; CODE XREF: SepCreateClientSecurityEx+9Aj
		test	al, al
		jz	loc_8242EF
		mov	cl, 1
		jmp	loc_824190
; 

loc_824227:				; CODE XREF: SepCreateClientSecurityEx+A2j
					; SepCreateClientSecurityEx+ABj ...
		test	al, al
		jz	loc_8242EF
		mov	esi, [ebp+arg_20]

loc_824232:				; CODE XREF: SepCreateClientSecurityEx+D5j
		mov	eax, [esp+20h+var_14]
		test	dword ptr [eax+0B0h], 4000h
		jnz	loc_92107F
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	loc_92108E
		mov	ecx, large fs:124h
		cmp	eax, ecx
		jz	loc_921083
		mov	eax, [eax+150h]

loc_824266:				; CODE XREF: SepCreateClientSecurityEx+FCF99j
		push	eax
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	[esp+20h+var_8], eax
		test	dword ptr [eax+0B0h], 4000h
		jnz	short loc_82427E
		xor	eax, eax

loc_82427E:				; CODE XREF: SepCreateClientSecurityEx+18Aj
		lea	edx, [esp+20h+var_10]
		mov	ecx, eax
		call	_SepGetAnonymousToken@8	; SepGetAnonymousToken(x,x)
		mov	ecx, [esp+20h+var_8]
		mov	[esp+20h+var_C], eax
		call	ObfDereferenceObject
		mov	eax, [esp+20h+var_C]

loc_82429A:				; CODE XREF: SepCreateClientSecurityEx+FCFA9j
		test	eax, eax
		js	loc_824179
		mov	ecx, [esp+20h+var_10]
		xor	edx, edx
		push	0
		push	0
		push	0
		push	0
		push	0
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_824179
		mov	ecx, [esp+20h+var_10]
		mov	dword ptr [esi], 0Ch
		mov	dword ptr [esi+4], 0
		mov	byte ptr [esi+8], 0
		mov	al, [edi+9]
		mov	byte ptr [esi+10h], 0
		mov	[esi+0Ch], ecx
		mov	[esi+9], al
		xor	eax, eax
		mov	[esi+12h], bl
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_8242EF:				; CODE XREF: SepCreateClientSecurityEx+37j
					; SepCreateClientSecurityEx+12Aj ...
		pop	edi
		pop	esi
		mov	eax, 0C00000A5h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
SepCreateClientSecurityEx endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 2454. SeCreateClientSecurity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeCreateClientSecurity(x, x, x, x)
		public _SeCreateClientSecurity@16
_SeCreateClientSecurity@16 proc	near	; CODE XREF: AlpcpCreateSecurityContext+64p
					; AlpcpCreateClientPort+313p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_6		= dword	ptr -6
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	ebx, large fs:124h
		mov	byte ptr [ebp+var_6], 0
		mov	[ebp+var_14], 0
		mov	byte ptr [ebp+var_1], 0
		mov	byte ptr [ebp+var_10], 0
		mov	[ebp+var_C], 0
		push	esi
		push	edi
		cmp	ecx, ebx
		jz	loc_8243E1
		mov	edi, [ecx+150h]

loc_82434D:				; CODE XREF: SeCreateClientSecurity(x,x,x,x)+D7j
		lea	eax, [ebp+var_1]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_6]
		push	eax
		lea	eax, [ebp-2]
		push	eax
		call	_PsReferenceImpersonationTokenEx@24 ; PsReferenceImpersonationTokenEx(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_8243F5
		lea	ecx, [edi+12Ch]
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8243FC

loc_82437F:				; CODE XREF: SeCreateClientSecurity(x,x,x,x)+132j
		mov	al, [edi+3A6h]
		mov	ebx, 1
		mov	byte ptr [ebp+var_6], 0
		mov	byte ptr [ebp+var_1], al

loc_824391:				; CODE XREF: SeCreateClientSecurity(x,x,x,x)+EAj
		mov	ecx, [esi+280h]
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	edx, [ebp+var_1]
		call	_SepReconcileTrustSidWithProcessProtection@16 ;	SepReconcileTrustSidWithProcessProtection(x,x,x,x)
		push	[ebp+arg_C]
		mov	edi, [ebp+arg_4]
		mov	ecx, esi
		push	[ebp+var_C]
		mov	edx, edi
		push	[ebp+var_10]
		push	0
		push	0
		push	[ebp+var_14]
		push	[ebp+var_6]
		push	ebx
		push	[ebp+arg_8]
		call	SepCreateClientSecurityEx
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8243EC
		cmp	byte ptr [edi+8], 0
		jz	short loc_8243EC

loc_8243D6:				; CODE XREF: SeCreateClientSecurity(x,x,x,x)+E3j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_8243E1:				; CODE XREF: SeCreateClientSecurity(x,x,x,x)+31j
		mov	edi, [ebx+80h]
		jmp	loc_82434D
; 

loc_8243EC:				; CODE XREF: SeCreateClientSecurity(x,x,x,x)+BEj
					; SeCreateClientSecurity(x,x,x,x)+C4j
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_8243D6
; 

loc_8243F5:				; CODE XREF: SeCreateClientSecurity(x,x,x,x)+58j
		mov	ebx, 2
		jmp	short loc_824391
; 

loc_8243FC:				; CODE XREF: SeCreateClientSecurity(x,x,x,x)+6Dj
		dec	word ptr [ebx+13Ch]
		nop
		lea	ecx, [edi+0E0h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lea	ecx, [edi+12Ch]
		call	@ObFastReferenceObjectLocked@4 ; ObFastReferenceObjectLocked(x)
		mov	esi, eax
		lea	edx, [edi+0E0h]
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	short loc_824447

loc_824434:				; CODE XREF: SeCreateClientSecurity(x,x,x,x)+144j
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	loc_82437F
; 

loc_824447:				; CODE XREF: SeCreateClientSecurity(x,x,x,x)+122j
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	edx, [edi+0E0h]
		jmp	short loc_824434
_SeCreateClientSecurity@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsReferenceEffectiveToken proc near	; CODE XREF: RtlpQueryLowBoxId+36p
					; SepDesktopAppxSubProcessToken(x,x,x,x,x)+29Cp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00921127 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edx
		cmp	edi, esi
		jnz	loc_921127
		mov	ecx, [esi+80h]

loc_824485:				; CODE XREF: PsReferenceEffectiveToken+FCCCDj
		mov	eax, [edi+2FCh]
		mov	ebx, [ebp+arg_8]
		mov	[ebp+var_4], ecx
		test	al, 8
		jnz	short loc_8244D8

loc_824495:				; CODE XREF: PsReferenceEffectiveToken+18Ej
		lea	eax, [ecx+12Ch]
		mov	ecx, eax
		mov	[ebp+arg_4], eax
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_824597

loc_8244AF:				; CODE XREF: PsReferenceEffectiveToken+17Cj
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+arg_0]
		mov	dword ptr [ecx], 1
		mov	byte ptr [eax],	0
		test	ebx, ebx
		jz	short loc_8244CD
		mov	eax, [ebp+var_4]
		mov	al, [eax+3A6h]
		mov	[ebx], al

loc_8244CD:				; CODE XREF: PsReferenceEffectiveToken+60j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8244D8:				; CODE XREF: PsReferenceEffectiveToken+33j
		mov	eax, [edi+150h]
		mov	[ebp+var_10], eax
		mov	eax, large fs:124h
		mov	[ebp+var_14], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [edi+2F0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [edi+2FCh]
		test	al, 8
		jz	loc_921132
		mov	eax, [edi+2C8h]
		and	eax, 0FFFFFFF8h
		mov	ecx, eax
		mov	[ebp+arg_8], eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [edi+2C8h]
		mov	eax, [ebp+arg_4]
		and	ecx, 3
		mov	[eax], ecx
		mov	eax, [edi+2C8h]
		mov	ecx, [ebp+arg_0]
		mov	edi, [ebp+arg_8]
		shr	eax, 2
		and	al, 1
		mov	[ecx], al
		test	ebx, ebx
		jz	short loc_824555
		mov	eax, [ebp+var_10]
		mov	al, [eax+3A6h]
		mov	[ebx], al

loc_824555:				; CODE XREF: PsReferenceEffectiveToken+E8j
					; PsReferenceEffectiveToken+FCCD4j
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	short loc_82458D

loc_824568:				; CODE XREF: PsReferenceEffectiveToken+135j
		call	KeAbPostRelease
		mov	ecx, [ebp+var_14]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		test	edi, edi
		jz	short loc_8245EB
		mov	ecx, [ebp+var_C]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	dword ptr [ecx], 2
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_82458D:				; CODE XREF: PsReferenceEffectiveToken+106j
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+var_8]
		jmp	short loc_824568
; 

loc_824597:				; CODE XREF: PsReferenceEffectiveToken+49j
		dec	word ptr [esi+13Ch]
		nop
		mov	eax, [ebp+var_4]
		xor	edx, edx
		add	eax, 0E0h
		mov	ecx, eax
		mov	[ebp+arg_8], eax
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+arg_4]
		call	@ObFastReferenceObjectLocked@4 ; ObFastReferenceObjectLocked(x)
		mov	ecx, [ebp+arg_8]
		mov	edi, eax
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	short loc_8245E1

loc_8245D0:				; CODE XREF: PsReferenceEffectiveToken+189j
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	loc_8244AF
; 

loc_8245E1:				; CODE XREF: PsReferenceEffectiveToken+16Ej
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+arg_8]
		jmp	short loc_8245D0
; 

loc_8245EB:				; CODE XREF: PsReferenceEffectiveToken+117j
		mov	ecx, [ebp+var_4]
		jmp	loc_824495
PsReferenceEffectiveToken endp

; 
		align 10h
; Exported entry 2003. RtlCopySidAndAttributesArray

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlCopySidAndAttributesArray(int,int,int,int,void *,int,int)
		public _RtlCopySidAndAttributesArray@28
_RtlCopySidAndAttributesArray@28 proc near ; CODE XREF:	SepCreateTokenEx+74Ap
					; SepCreateTokenEx+774p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		xor	edi, edi
		cmp	[ebp+arg_0], edi
		jbe	short loc_82467B
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_4]
		mov	edx, ecx
		sub	edx, eax
		mov	[ebp+arg_C], edx
		lea	ebx, [eax+4]

loc_824622:				; CODE XREF: RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)+79j
		mov	eax, [ecx+edi*8]
		movzx	eax, byte ptr [eax+1]
		lea	ecx, ds:8[eax*4]
		mov	eax, [ebp+arg_8]
		mov	[ebp+arg_10], ecx
		cmp	ecx, eax
		ja	short loc_824691
		sub	eax, ecx
		mov	[ebx-4], esi
		mov	[ebp+arg_8], eax
		mov	eax, [edx+ebx]
		mov	edx, [ebp+arg_4]
		mov	[ebx], eax
		mov	edx, [edx+edi*8]
		movzx	eax, byte ptr [edx+1]
		lea	eax, ds:8[eax*4]
		cmp	eax, ecx
		ja	short loc_82466A
		push	eax		; size_t
		push	edx		; void *
		push	esi		; void *
		call	_memmove
		mov	ecx, [ebp+arg_10]
		add	esp, 0Ch

loc_82466A:				; CODE XREF: RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)+5Aj
		mov	edx, [ebp+arg_C]
		add	esi, ecx
		mov	ecx, [ebp+arg_4]
		inc	edi
		add	ebx, 8
		cmp	edi, [ebp+arg_0]
		jb	short loc_824622

loc_82467B:				; CODE XREF: RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)+10j
		mov	eax, [ebp+arg_14]
		mov	ecx, [ebp+arg_8]
		pop	edi
		mov	[eax], esi
		mov	eax, [ebp+arg_18]
		pop	esi
		pop	ebx
		mov	[eax], ecx
		xor	eax, eax
		pop	ebp
		retn	1Ch
; 

loc_824691:				; CODE XREF: RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)+38j
		pop	edi
		pop	esi
		mov	eax, 0C0000023h
		pop	ebx
		pop	ebp
		retn	1Ch
_RtlCopySidAndAttributesArray@28 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1574. NtReadFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtReadFile(x, x, x,	x, x, x, x, x, x)
		public _NtReadFile@36
_NtReadFile@36	proc near		; CODE XREF: SmKmIssueFileIo(_SMKM_FILE_INFO *,_SMKM_ISSUE_IO_PARAMS *,_LARGE_INTEGER *,void (*)(void *,_IO_STATUS_BLOCK *,ulong),void *)+2Ap
					; PfSnGetPrefetchInstructions+197p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		mov	edx, 1
		mov	ecx, [ebp+arg_0]
		push	0
		mov	[ebp+var_4], 0
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_8], al
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_8]
		call	IopReferenceFileObject
		test	eax, eax
		js	short loc_82470C
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		push	0
		push	0
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_IopReadFile@44	; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)

loc_82470C:				; CODE XREF: NtReadFile(x,x,x,x,x,x,x,x,x)+36j
		mov	esp, ebp
		pop	ebp
		retn	24h
_NtReadFile@36	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryVirtualMemory(x, x, x, x, x,	x)
_NtQueryVirtualMemory@24 proc near	; DATA XREF: .text:00580DE0o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	2
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	MmQueryVirtualMemory
		pop	ebp
		retn	18h
_NtQueryVirtualMemory@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmQueryVirtualMemory proc near		; CODE XREF: SMKM_STORE<SM_TRAITS>::SmStCheckResident(void *,ulong)+4Bp
					; PfpVirtualQuery+9Fp ...

var_E8		= dword	ptr -0E8h
var_DC		= dword	ptr -0DCh
var_A8		= dword	ptr -0A8h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00921139 SIZE 0000003C BYTES
; FUNCTION CHUNK AT 0092119D SIZE 0000007A BYTES
; FUNCTION CHUNK AT 0092123F SIZE 0000005C BYTES
; FUNCTION CHUNK AT 009212B7 SIZE 00000023 BYTES
; FUNCTION CHUNK AT 009212E8 SIZE 0000003A BYTES
; FUNCTION CHUNK AT 00921330 SIZE 00000015 BYTES
; FUNCTION CHUNK AT 00921377 SIZE 0000009C BYTES
; FUNCTION CHUNK AT 009214B8 SIZE 00000144 BYTES
; FUNCTION CHUNK AT 0092162E SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5D20
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_20], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	edi, edx
		mov	[ebp+var_4C], edi
		mov	esi, ecx
		mov	[ebp+var_44], esi
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_50], eax
		mov	[ebp+var_60], 0
		mov	[ebp+var_70], 0
		mov	[ebp+var_74], 0
		xor	eax, eax
		mov	[ebp+var_A0], eax
		mov	[ebp+var_9C], eax
		mov	[ebp+var_98], eax
		mov	[ebp+var_94], eax
		mov	[ebp+var_90], eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_88], eax
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_68], eax
		mov	ebx, [ebp+arg_0]
		cmp	ebx, 6
		jnz	loc_824B68

loc_824815:				; CODE XREF: MmQueryVirtualMemory+421j
					; DATA XREF: PAGE:off_8251E8o
		cmp	[ebp+arg_8], 0Ch ; case	0x6
		jb	loc_921143

loc_82481F:				; CODE XREF: MmQueryVirtualMemory+421j
					; MmQueryVirtualMemory+42Cj ...
		mov	ecx, large fs:124h ; case 0x2
		mov	[ebp+var_58], ecx
		mov	al, [ecx+15Ah]
		mov	[ebp+var_45], al
		mov	byte ptr [ebp+var_A8], al
		cmp	[ebp+var_3C], 40h
		jnb	loc_824F1C

loc_824842:				; CODE XREF: MmQueryVirtualMemory+7CEj
					; MmQueryVirtualMemory+7E4j
		mov	ecx, [ebp+arg_10]
		mov	[ebp+var_6C], ecx

loc_824848:				; CODE XREF: MmQueryVirtualMemory+9E5j
		test	al, al
		jz	short loc_824872
		mov	[ebp+var_4], 0
		push	4
		push	[ebp+arg_8]
		push	[ebp+var_40]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	edx, [ebp+var_50]
		test	edx, edx
		jnz	loc_824E02

loc_82486B:				; CODE XREF: MmQueryVirtualMemory+6C5j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_824872:				; CODE XREF: MmQueryVirtualMemory+FAj
		mov	eax, ds:_MmHighestUserAddress
		mov	[ebp+var_78], eax
		cmp	edi, eax
		ja	loc_825145
		mov	eax, edi
		and	eax, 0FFFFF000h
		mov	[ebp+var_54], eax
		cmp	ebx, 0Ah
		jz	loc_92119D

loc_824895:				; CODE XREF: MmQueryVirtualMemory+FCAC2j
		cmp	esi, 0FFFFFFFFh
		jnz	loc_824BC1
		mov	edi, [ebp+var_58]
		mov	eax, [edi+80h]
		mov	[ebp+var_44], eax
		mov	[ebp+var_70], eax

loc_8248AD:				; CODE XREF: MmQueryVirtualMemory+4C2j
		cmp	ebx, 0Bh
		jz	loc_92125F
		cmp	ebx, 4
		jz	loc_824F4F
		cmp	ebx, 1
		jz	loc_8251A5
		cmp	ebx, 5
		jz	loc_9212E8
		cmp	esi, 0FFFFFFFFh
		jnz	loc_824C17
		lea	ebx, [ebx+0]

loc_8248E0:				; CODE XREF: MmQueryVirtualMemory+4D5j
					; MmQueryVirtualMemory+FCC50j ...
		mov	edx, [ebp+var_44]
		mov	ecx, edi
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	edx, [ebp+var_44]
		test	byte ptr [edx+0FCh], 20h
		jnz	loc_82514F
		xor	edi, edi
		xor	esi, esi
		cmp	[edx+358h], esi
		jz	loc_824F8A
		mov	edi, [edx+350h]
		mov	esi, [ebp+var_4C]
		shr	esi, 0Ch

loc_824916:				; CODE XREF: MmQueryVirtualMemory+1EBj
					; MmQueryVirtualMemory+1F9j
		test	edi, edi
		jz	loc_824F8A
		mov	eax, [edi+0Ch]
		cmp	esi, eax
		jb	short loc_82493D
		cmp	esi, [edi+10h]
		jbe	short loc_82494B
		cmp	esi, eax
		jb	short loc_82493D
		mov	eax, [edi+4]
		test	eax, eax
		jz	loc_824F8A
		mov	edi, eax
		jmp	short loc_824916
; 

loc_82493D:				; CODE XREF: MmQueryVirtualMemory+1D3j
					; MmQueryVirtualMemory+1DCj
		mov	eax, [edi]
		test	eax, eax
		jz	loc_824F8A
		mov	edi, eax
		jmp	short loc_824916
; 

loc_82494B:				; CODE XREF: MmQueryVirtualMemory+1D8j
		mov	eax, [ebp+var_3C]
		or	eax, 2
		mov	[ebp+var_3C], eax

loc_824954:				; CODE XREF: MmQueryVirtualMemory+83Dj
		test	al, 2
		jz	loc_824F92
		mov	ecx, edi
		call	_MiReferenceVad@4 ; MiReferenceVad(x)
		mov	eax, [ebp+var_58]
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, eax
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	edx, edi
		mov	ecx, [ebp+var_58]
		call	_MiLockVadShared@8 ; MiLockVadShared(x,x)
		mov	ecx, [ebp+var_58]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, edi
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		cmp	eax, 1
		jz	loc_921377
		cmp	esi, [edi+0Ch]
		jb	loc_921635
		cmp	esi, [edi+10h]
		ja	loc_921635
		mov	[ebp+var_94], 0
		mov	[ebp+var_90], 0
		mov	[ebp+var_8C], 0
		mov	esi, [ebp+var_54]
		mov	[ebp+var_A0], esi
		mov	eax, [edi+0Ch]
		shl	eax, 0Ch
		mov	[ebp+var_9C], eax
		call	MI_GET_GRAPHICS_PROTECTION_FROM_VAD
		mov	ecx, eax
		mov	eax, [edi+1Ch]
		shr	eax, 7
		and	eax, 1Fh
		or	ecx, ds:_MmProtectToValue[eax*4]
		mov	[ebp+var_98], ecx
		mov	eax, [edi+1Ch]
		test	eax, 100000h
		jnz	loc_824E9F
		and	al, 70h
		cmp	al, 20h
		jnz	loc_824B87
		mov	[ebp+var_88], 1000000h
		cmp	ebx, 7
		jz	loc_9213C6

loc_824A24:				; CODE XREF: MmQueryVirtualMemory+466j
					; MmQueryVirtualMemory+7C1j ...
		cmp	ebx, 2
		jz	loc_824EE2

loc_824A2D:				; CODE XREF: MmQueryVirtualMemory+787j
					; MmQueryVirtualMemory+7ACj ...
		cmp	ebx, 3
		jz	loc_824CB7
		cmp	ebx, 7
		jz	loc_824CB7
		cmp	ebx, 6
		jnz	loc_824C2A
		xor	ebx, ebx
		mov	[ebp+var_84], ebx
		mov	esi, ebx
		mov	[ebp+var_80], esi
		mov	eax, ebx
		mov	[ebp+var_4C], eax
		mov	[ebp+var_7C], eax
		mov	eax, [edi+1Ch]
		test	eax, 100000h
		jnz	loc_824B02
		and	al, 70h
		cmp	al, 20h
		jnz	loc_824B02
		mov	eax, [edi+2Ch]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_68], eax
		mov	ecx, [edi+0Ch]
		shl	ecx, 0Ch
		mov	[ebp+var_54], ecx
		mov	[ebp+var_84], ecx
		lea	esi, [eax+10h]
		or	eax, 0FFFFFFFFh
		or	edx, eax
		nop
		or	ebx, eax
		or	ecx, eax
		lock cmpxchg8b qword ptr [esi]
		mov	esi, eax
		mov	[ebp+var_A8], edx
		mov	[ebp+var_80], esi
		mov	ecx, [ebp+var_68]
		movzx	edx, byte ptr [ecx+0Bh]
		shr	edx, 2
		and	edx, 3FFFFFFCh
		mov	ecx, [ebp+var_4C]
		and	ecx, 0FFFFFFC3h
		or	edx, ecx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_7C], edx
		mov	eax, [edi+1Ch]
		and	eax, 0F80h
		cmp	eax, 80h
		jz	loc_82517C

loc_824ADB:				; CODE XREF: MmQueryVirtualMemory+A35j
		mov	ecx, [edi+10h]
		sub	ecx, [edi+0Ch]
		inc	ecx
		test	esi, 0FFFh
		jnz	loc_9213F0
		xor	ebx, ebx

loc_824AF0:				; CODE XREF: MmQueryVirtualMemory+FCCA5j
		mov	eax, esi
		shr	eax, 0Ch
		add	eax, ebx
		mov	ebx, [ebp+var_54]
		cmp	ecx, eax
		jb	loc_9213FA

loc_824B02:				; CODE XREF: MmQueryVirtualMemory+315j
					; MmQueryVirtualMemory+31Fj ...
		mov	ecx, edi
		call	MiUnlockAndDereferenceVadShared
		mov	eax, [ebp+var_3C]
		test	al, 1
		jnz	loc_8250FA

loc_824B14:				; CODE XREF: MmQueryVirtualMemory+9C3j
		mov	[ebp+var_60], 0Ch
		mov	[ebp+var_4], 8
		mov	edx, [ebp+var_40]
		mov	[edx], ebx
		mov	[edx+4], esi
		mov	ecx, [ebp+var_4C]
		mov	[edx+8], ecx
		or	eax, 2
		mov	[ebp+var_3C], eax
		mov	ecx, [ebp+var_50]
		test	ecx, ecx
		jnz	loc_921408

loc_824B41:				; CODE XREF: MmQueryVirtualMemory+556j
					; MmQueryVirtualMemory+562j ...
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	eax, eax

loc_824B4A:				; CODE XREF: MmQueryVirtualMemory+4A3j
					; MmQueryVirtualMemory+5F7j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_20]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_824B68:				; CODE XREF: MmQueryVirtualMemory+BFj
		cmp	ebx, 0Bh	; switch 12 cases
		ja	loc_921164	; default
		jmp	ds:off_8251E8[ebx*4] ; switch jump

loc_824B78:				; DATA XREF: PAGE:off_8251E8o
		cmp	[ebp+arg_8], 10h ; case	0x3
		jnb	loc_82481F	; case 0x2
		jmp	loc_921143
; 

loc_824B87:				; CODE XREF: MmQueryVirtualMemory+2BBj
		mov	[ebp+var_88], 40000h
		cmp	ebx, 3
		jnz	loc_824F0E
		cmp	[ebp+arg_8], 1Ch
		jb	loc_824F0E

loc_824BA4:				; CODE XREF: MmQueryVirtualMemory+7C7j
		mov	eax, [edi+2Ch]
		mov	eax, [eax]
		cmp	dword ptr [eax+20h], 0
		jz	loc_825118
		cmp	ebx, 7
		jnz	loc_824A24
		jmp	loc_9213DA
; 

loc_824BC1:				; CODE XREF: MmQueryVirtualMemory+148j
		mov	ecx, 1000h
		test	[ebp+var_6C], 40000000h
		jnz	loc_92123F

loc_824BD3:				; CODE XREF: MmQueryVirtualMemory+FCAF4j
		push	0
		lea	eax, [ebp+var_70]
		push	eax
		push	6D566D4Dh
		push	[ebp+var_A8]
		mov	eax, ds:_PsProcessType
		push	eax
		push	ecx
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_824B4A
		mov	eax, [ebp+var_70]
		mov	[ebp+var_44], eax
		test	dword ptr [eax+3A8h], 1000h
		jnz	loc_921249
		mov	edi, [ebp+var_58]
		jmp	loc_8248AD
; 

loc_824C17:				; CODE XREF: MmQueryVirtualMemory+184j
		lea	ecx, [ebp+var_38]
		push	ecx
		push	eax
		call	KeStackAttachProcess
		or	[ebp+var_3C], 1
		jmp	loc_8248E0
; 

loc_824C2A:				; CODE XREF: MmQueryVirtualMemory+2F2j
		test	ebx, ebx
		jnz	loc_824E1A

loc_824C32:				; CODE XREF: MmQueryVirtualMemory+6CDj
					; MmQueryVirtualMemory+6DCj
		push	edi
		push	[ebp+var_68]
		mov	edx, esi
		lea	ecx, [ebp+var_A0]
		call	_MiQueryAddressSpan@16 ; MiQueryAddressSpan(x,x,x,x)
		sub	eax, [ebp+var_A0]
		mov	[ebp+var_94], eax

loc_824C4F:				; CODE XREF: MmQueryVirtualMemory+6D6j
		mov	ecx, edi
		call	MiUnlockAndDereferenceVadShared
		mov	eax, [ebp+var_3C]
		test	al, 1
		jz	short loc_824C76
		lea	eax, [ebp+var_38]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_44]
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp+var_3C]

loc_824C76:				; CODE XREF: MmQueryVirtualMemory+50Bj
		test	ebx, ebx
		jnz	loc_824E31

loc_824C7E:				; CODE XREF: MmQueryVirtualMemory+6E4j
					; MmQueryVirtualMemory+6EDj
		and	eax, 0FFFFFFFDh
		mov	[ebp+var_3C], eax
		mov	[ebp+var_4], 9
		mov	ecx, 7
		lea	esi, [ebp+var_A0]
		mov	edi, [ebp+var_40]
		rep movsd

loc_824C9B:				; CODE XREF: MmQueryVirtualMemory+8FBj
		or	eax, 2
		mov	[ebp+var_3C], eax
		mov	ecx, [ebp+var_50]
		test	ecx, ecx
		jz	loc_824B41
		mov	dword ptr [ecx], 1Ch
		jmp	loc_824B41
; 

loc_824CB7:				; CODE XREF: MmQueryVirtualMemory+2E0j
					; MmQueryVirtualMemory+2E9j
		mov	[ebp+var_68], 0
		mov	eax, [edi+10h]
		sub	eax, [edi+0Ch]
		inc	eax
		shl	eax, 0Ch
		mov	[ebp+var_74], eax
		mov	ecx, [edi+20h]
		and	ecx, 7FFFFFFFh
		mov	[ebp+var_5C], ecx
		cmp	ecx, 0FFFFDh
		jnb	loc_9214B8

loc_824CE3:				; CODE XREF: MmQueryVirtualMemory+FCD6Fj
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	esi, eax
		xor	ecx, ecx
		mov	eax, [edi+1Ch]
		test	eax, 100000h
		jnz	loc_8250C8
		mov	eax, [edi+2Ch]
		test	eax, eax
		jz	short loc_824D0E
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_824D0E
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	esi, eax

loc_824D0E:				; CODE XREF: MmQueryVirtualMemory+5AFj
					; MmQueryVirtualMemory+5B5j ...
		xor	eax, eax

loc_824D10:				; CODE XREF: MmQueryVirtualMemory+9A5j
					; MmQueryVirtualMemory+FCDB5j
		test	eax, eax
		js	loc_921519
		movzx	eax, word ptr [esi]
		mov	[ebp+var_54], eax

loc_824D1E:				; CODE XREF: MmQueryVirtualMemory+FCDD0j
		test	ecx, ecx
		jnz	loc_921525

loc_824D26:				; CODE XREF: MmQueryVirtualMemory+FCDDAj
		mov	esi, [edi+1Ch]
		shr	esi, 0Ch
		and	esi, 3Fh
		mov	ecx, edi
		call	MiUnlockAndDereferenceVadShared
		mov	edx, [ebp+var_3C]
		test	dl, 1
		jnz	loc_82506B

loc_824D42:				; CODE XREF: MmQueryVirtualMemory+934j
		mov	eax, [ebp+var_68]
		test	eax, eax
		js	loc_824B4A
		mov	ecx, [ebp+var_5C]
		shl	ecx, 0Ch
		mov	[ebp+var_5C], ecx
		and	edx, 0FFFFFFFDh
		mov	[ebp+var_3C], edx
		mov	[ebp+var_4], 7
		mov	eax, [ebp+var_9C]
		mov	ebx, [ebp+var_40]
		mov	[ebx], eax
		mov	eax, [ebp+var_98]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_74]
		mov	[ebx+0Ch], eax
		cmp	[ebp+arg_0], 7
		jz	loc_92152F
		mov	eax, [ebp+var_88]

loc_824D8D:				; CODE XREF: MmQueryVirtualMemory+FCE97j
		mov	[ebx+8], eax
		mov	eax, 10h
		mov	[ebp+var_60], eax
		mov	edi, [ebp+arg_8]
		cmp	edi, 14h
		jb	short loc_824DAB
		mov	[ebx+10h], ecx
		mov	eax, 14h
		mov	[ebp+var_60], eax

loc_824DAB:				; CODE XREF: MmQueryVirtualMemory+64Ej
		cmp	edi, 18h
		jb	short loc_824DC1
		mov	eax, [ebp+var_54]
		movzx	eax, ax
		mov	[ebx+14h], eax
		mov	eax, 18h
		mov	[ebp+var_60], eax

loc_824DC1:				; CODE XREF: MmQueryVirtualMemory+65Ej
		cmp	edi, 1Ch
		jb	short loc_824DDD
		test	esi, esi
		jnz	loc_9215EC
		mov	dword ptr [ebx+18h], 0FFFFFFFFh

loc_824DD5:				; CODE XREF: MmQueryVirtualMemory+FCEA0j
		mov	eax, 1Ch
		mov	[ebp+var_60], eax

loc_824DDD:				; CODE XREF: MmQueryVirtualMemory+674j
		or	edx, 2
		mov	[ebp+var_3C], edx
		mov	ecx, [ebp+var_50]
		test	ecx, ecx
		jz	loc_824B41
		jmp	loc_9215F5
; 

loc_824DF3:				; CODE XREF: MmQueryVirtualMemory+421j
					; DATA XREF: PAGE:off_8251E8o
		cmp	[ebp+arg_8], 1Ch ; case	0x0
		jnb	loc_82481F	; case 0x2
		jmp	loc_921143	; struct _exception *
; 

loc_824E02:				; CODE XREF: MmQueryVirtualMemory+115j
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_92116E

loc_824E11:				; CODE XREF: MmQueryVirtualMemory+FCA20j
		mov	eax, [ecx]
		mov	[ecx], eax
		jmp	loc_82486B
; 

loc_824E1A:				; CODE XREF: MmQueryVirtualMemory+4DCj
		cmp	ebx, 8
		jz	loc_824C32
		cmp	ebx, 0Ah
		jnz	loc_824C4F
		jmp	loc_824C32
; 

loc_824E31:				; CODE XREF: MmQueryVirtualMemory+528j
		cmp	ebx, 8
		jz	loc_824C7E
		cmp	ebx, 0Ah
		jz	loc_824C7E
		mov	ebx, [ebp+var_5C]
		test	ebx, ebx
		jz	loc_8250BE
		cmp	ebx, 1
		jz	loc_825061
		mov	[ebp+var_60], 0
		push	[ebp+var_A8]
		lea	eax, [ebp+var_60]
		push	eax
		push	[ebp+arg_8]
		mov	edx, [ebp+var_40]
		mov	ecx, ebx
		call	ObQueryNameStringMode
		mov	esi, eax
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_50]
		test	ecx, ecx
		jz	short loc_824E98
		mov	[ebp+var_4], 0Ah
		mov	eax, [ebp+var_60]
		mov	[ecx], eax

loc_824E91:				; CODE XREF: sub_921478+9j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_824E98:				; CODE XREF: MmQueryVirtualMemory+733j
		mov	eax, esi
		jmp	loc_824B4A
; 

loc_824E9F:				; CODE XREF: MmQueryVirtualMemory+2B1j
		mov	[ebp+var_88], 20000h
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		test	eax, eax
		mov	eax, [ebp+var_3C]
		jnz	loc_9213A5

loc_824EB9:				; CODE XREF: MmQueryVirtualMemory+FCC5Bj
		mov	ecx, [edi+20h]
		and	ecx, 7FFFFFFFh
		cmp	ecx, 0FFFFDh
		jz	loc_9213B0

loc_824ECE:				; CODE XREF: MmQueryVirtualMemory+FCC66j
		mov	ecx, [edi+1Ch]
		and	cl, 70h
		cmp	cl, 10h
		jnz	loc_824A2D
		jmp	loc_9213BB
; 

loc_824EE2:				; CODE XREF: MmQueryVirtualMemory+2D7j
		mov	eax, [edi+2Ch]
		mov	ecx, [eax]
		mov	eax, [ecx+20h]
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_5C], eax
		jz	short loc_824EFA
		call	MiReferenceControlAreaFile
		mov	[ebp+var_5C], eax

loc_824EFA:				; CODE XREF: MmQueryVirtualMemory+7A0j
		test	eax, eax
		jnz	loc_824A2D
		mov	[ebp+var_5C], 1
		jmp	loc_824A2D
; 

loc_824F0E:				; CODE XREF: MmQueryVirtualMemory+444j
					; MmQueryVirtualMemory+44Ej
		cmp	ebx, 7
		jnz	loc_824A24
		jmp	loc_824BA4
; 

loc_824F1C:				; CODE XREF: MmQueryVirtualMemory+ECj
		test	al, al
		jz	loc_824842
		call	_MiIsUserQueryVmCallerTrusted@4	; MiIsUserQueryVmCallerTrusted(x)
		test	eax, eax
		jz	loc_825127
		mov	al, [ebp+var_45]
		jmp	loc_824842
; 

loc_824F39:				; CODE XREF: MmQueryVirtualMemory+421j
					; DATA XREF: PAGE:off_8251E8o
		cmp	[ebp+arg_8], 8	; case 0x4

loc_824F3D:				; CODE XREF: MmQueryVirtualMemory+A50j
		jb	loc_921143

loc_824F43:				; CODE XREF: MmQueryVirtualMemory+FCA0Fj
		mov	[ebp+var_3C], 40h
		jmp	loc_82481F	; case 0x2
; 

loc_824F4F:				; CODE XREF: MmQueryVirtualMemory+169j
		mov	ebx, [ebp+arg_8]
		push	ebx
		push	[ebp+var_40]
		mov	edx, [ebp+var_6C]
		mov	ecx, eax
		call	_MiGetWorkingSetInfoList@16 ; MiGetWorkingSetInfoList(x,x,x,x)
		mov	edi, eax
		cmp	esi, 0FFFFFFFFh
		jnz	loc_82518A

loc_824F6B:				; CODE XREF: MmQueryVirtualMemory+A47j
		test	edi, edi
		js	loc_8251C8
		mov	[ebp+var_4], 3

loc_824F7A:				; CODE XREF: MmQueryVirtualMemory+FCB46j
		mov	ecx, [ebp+var_50]
		test	ecx, ecx
		jz	loc_824B41
		jmp	loc_92162E
; 

loc_824F8A:				; CODE XREF: MmQueryVirtualMemory+1B4j
					; MmQueryVirtualMemory+1C8j ...
		mov	eax, [ebp+var_3C]
		jmp	loc_824954
; 

loc_824F92:				; CODE XREF: MmQueryVirtualMemory+206j
		test	edi, edi
		jz	loc_921330
		mov	ecx, [edi+0Ch]
		cmp	ecx, esi
		jnb	loc_825050
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	loc_825089
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_824FC0

loc_824FB6:				; CODE XREF: MmQueryVirtualMemory+86Ej
		mov	ecx, edx
		mov	eax, [edx]
		mov	edx, eax
		test	eax, eax
		jnz	short loc_824FB6

loc_824FC0:				; CODE XREF: MmQueryVirtualMemory+864j
		mov	edx, [ebp+var_44]

loc_824FC3:				; CODE XREF: MmQueryVirtualMemory+93Fj
					; MmQueryVirtualMemory+947j ...
		mov	esi, [ebp+var_4C]
		mov	eax, esi
		and	eax, 0FFFFF000h
		test	ecx, ecx
		jz	loc_82513A
		mov	edi, [ecx+0Ch]

loc_824FD8:				; CODE XREF: MmQueryVirtualMemory+90Cj
		shl	edi, 0Ch
		sub	edi, eax

loc_824FDD:				; CODE XREF: MmQueryVirtualMemory+9F0j
					; MmQueryVirtualMemory+FCBF0j
		mov	ecx, [ebp+var_58]
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	eax, [ebp+var_3C]
		test	al, 1
		jz	short loc_825005
		lea	eax, [ebp+var_38]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_44]
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp+var_3C]

loc_825005:				; CODE XREF: MmQueryVirtualMemory+89Aj
		test	ebx, ebx
		jnz	loc_8250AC

loc_82500D:				; CODE XREF: MmQueryVirtualMemory+95Fj
					; MmQueryVirtualMemory+968j
		and	eax, 0FFFFFFFDh
		mov	[ebp+var_3C], eax
		mov	[ebp+var_4], 6
		mov	ecx, [ebp+var_40]
		mov	dword ptr [ecx+4], 0
		mov	dword ptr [ecx+8], 0
		and	esi, 0FFFFF000h
		mov	[ecx], esi
		mov	[ecx+0Ch], edi
		mov	dword ptr [ecx+10h], 10000h
		mov	dword ptr [ecx+14h], 1
		mov	dword ptr [ecx+18h], 0
		jmp	loc_824C9B
; 

loc_825050:				; CODE XREF: MmQueryVirtualMemory+84Fj
		mov	esi, [ebp+var_4C]
		mov	eax, esi
		and	eax, 0FFFFF000h
		mov	edi, ecx
		jmp	loc_824FD8
; 

loc_825061:				; CODE XREF: MmQueryVirtualMemory+701j
		mov	eax, 0C0000098h
		jmp	loc_824B4A
; 

loc_82506B:				; CODE XREF: MmQueryVirtualMemory+5ECj
		lea	eax, [ebp+var_38]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_44]
		call	ObfDereferenceObjectWithTag
		mov	edx, [ebp+var_3C]
		jmp	loc_824D42
; 

loc_825089:				; CODE XREF: MmQueryVirtualMemory+85Aj
		mov	ecx, [edi+8]
		and	ecx, 0FFFFFFFCh
		jz	loc_824FC3

loc_825095:				; CODE XREF: MmQueryVirtualMemory+955j
		cmp	[ecx], edi
		jz	loc_824FC3
		mov	edi, ecx
		mov	ecx, [ecx+8]
		and	ecx, 0FFFFFFFCh
		jnz	short loc_825095
		jmp	loc_824FC3
; 

loc_8250AC:				; CODE XREF: MmQueryVirtualMemory+8B7j
		cmp	ebx, 8
		jz	loc_82500D
		cmp	ebx, 0Ah
		jz	loc_82500D

loc_8250BE:				; CODE XREF: MmQueryVirtualMemory+6F8j
		mov	eax, 0C0000141h
		jmp	loc_824B4A
; 

loc_8250C8:				; CODE XREF: MmQueryVirtualMemory+5A4j
		mov	ecx, eax
		and	ecx, 70h
		cmp	cl, 30h
		jz	loc_9214C4
		test	eax, 400000h
		jnz	loc_9214D2
		and	eax, 0C0000h
		cmp	eax, 80000h
		jnb	loc_9214D2

loc_8250F1:				; CODE XREF: MmQueryVirtualMemory+FCD7Dj
		xor	eax, eax
		xor	ecx, ecx
		jmp	loc_824D10
; 

loc_8250FA:				; CODE XREF: MmQueryVirtualMemory+3BEj
		lea	eax, [ebp+var_38]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_44]
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp+var_3C]
		jmp	loc_824B14
; 

loc_825118:				; CODE XREF: MmQueryVirtualMemory+45Dj
		mov	[ebp+var_88], 8000000h
		jmp	loc_824A24
; 

loc_825127:				; CODE XREF: MmQueryVirtualMemory+7DBj
		mov	eax, [ebp+arg_10]
		or	eax, 40000000h
		mov	[ebp+var_6C], eax
		mov	al, [ebp+var_45]
		jmp	loc_824848
; 

loc_82513A:				; CODE XREF: MmQueryVirtualMemory+87Fj
		mov	edi, [ebp+var_78]
		sub	edi, eax
		inc	edi
		jmp	loc_824FDD
; 

loc_825145:				; CODE XREF: MmQueryVirtualMemory+12Cj
					; MmQueryVirtualMemory+FCA8Ej ...
		mov	eax, 0C000000Dh
		jmp	loc_824B4A
; 

loc_82514F:				; CODE XREF: MmQueryVirtualMemory+1A4j
		mov	ecx, edi
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		test	byte ptr [ebp+var_3C], 1
		jz	short loc_825172
		lea	eax, [ebp+var_38]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_44]
		call	ObfDereferenceObjectWithTag

loc_825172:				; CODE XREF: MmQueryVirtualMemory+A0Aj
		mov	eax, 0C000010Ah
		jmp	loc_824B4A
; 

loc_82517C:				; CODE XREF: MmQueryVirtualMemory+385j
		or	edx, 2
		mov	[ebp+var_4C], edx
		mov	[ebp+var_7C], edx
		jmp	loc_824ADB
; 

loc_82518A:				; CODE XREF: MmQueryVirtualMemory+815j
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_44]
		call	ObfDereferenceObjectWithTag
		jmp	loc_824F6B
; 

loc_82519C:				; CODE XREF: MmQueryVirtualMemory+421j
					; DATA XREF: PAGE:off_8251E8o
		cmp	[ebp+arg_8], 4	; case 0x1
		jmp	loc_824F3D
; 

loc_8251A5:				; CODE XREF: MmQueryVirtualMemory+172j
		lea	ecx, [ebp+var_74]
		push	ecx
		push	[ebp+arg_8]
		push	[ebp+var_40]
		mov	edx, [ebp+var_6C]
		mov	ecx, eax
		call	MiGetWorkingSetInfo
		mov	edi, eax
		cmp	esi, 0FFFFFFFFh
		jnz	loc_9212B7

loc_8251C4:				; CODE XREF: MmQueryVirtualMemory+FCB74j
		test	edi, edi
		jns	short loc_8251CF

loc_8251C8:				; CODE XREF: MmQueryVirtualMemory+81Dj
					; MmQueryVirtualMemory+FCB39j
		mov	eax, edi
		jmp	loc_824B4A
; 

loc_8251CF:				; CODE XREF: MmQueryVirtualMemory+A76j
		mov	[ebp+var_4], 4
		mov	ecx, [ebp+var_50]
		test	ecx, ecx
		jz	loc_824B41
		jmp	loc_9212C9
MmQueryVirtualMemory endp

; 
		align 4
off_8251E8	dd offset loc_824DF3	; DATA XREF: MmQueryVirtualMemory+421r
		dd offset loc_82519C	; jump table for switch	statement
		dd offset loc_82481F
		dd offset loc_824B78
		dd offset loc_824F39
		dd offset loc_92114D
		dd offset loc_824815
		dd offset loc_921139
		dd offset loc_824DF3
		dd offset loc_921164
		dd offset loc_921164
		dd offset loc_921159
		align 10h
; Exported entry 1565. NtQueryInformationToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryInformationToken(x, x, x, x,	x)
		public _NtQueryInformationToken@20
_NtQueryInformationToken@20 proc near	; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+ABp
					; RtlGetAppContainerNamedObjectPath(x,x,x,x)+F4p ...

var_1F4		= dword	ptr -1F4h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_130		= dword	ptr -130h
var_104		= dword	ptr -104h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A5DB8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 1D4h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_20], 0
		mov	[ebp+var_38], 0
		mov	[ebp+var_7C], 0
		mov	[ebp+var_74], 0
		mov	[ebp+var_104], 0
		mov	[ebp+var_44], 0
		mov	[ebp+var_9C], 0
		mov	[ebp+var_98], 0
		mov	[ebp+var_30], 0
		mov	[ebp+var_40], 0
		xor	eax, eax
		mov	[ebp+var_1E4], eax
		mov	[ebp+var_1E0], eax
		mov	[ebp+var_1DC], eax
		mov	[ebp+var_94], eax
		mov	[ebp+var_90], eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_88], eax
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], eax
		mov	byte ptr [ebp+var_28], al
		mov	[ebp+var_24], eax
		mov	eax, large fs:124h
		mov	cl, [eax+15Ah]
		mov	[ebp+var_31], cl
		mov	byte ptr [ebp+var_2C], cl
		test	cl, cl
		jz	short loc_825365
		mov	[ebp+var_4], 0
		push	4
		mov	ebx, [ebp+arg_C]
		push	ebx
		mov	edi, [ebp+arg_8]
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	esi, [ebp+arg_10]
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_82531E
		mov	ecx, eax

loc_82531E:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+FAj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	cl, [ebp+var_31]
		jmp	short loc_82536E
; 

loc_82532E:				; DATA XREF: .text:006A5DCCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1BCh], eax
		mov	eax, 1
		retn
; 

loc_825341:				; DATA XREF: .text:006A5DD0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1BCh]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825365:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+D6j
		mov	esi, [ebp+arg_10]
		mov	ebx, [ebp+arg_C]
		mov	edi, [ebp+arg_8]

loc_82536E:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+10Cj
		mov	eax, [ebp+arg_4]
		dec	eax
		cmp	eax, 2Fh	; switch 48 cases
		ja	loc_826059	; default
		jmp	ds:off_82818C[eax*4] ; switch jump

loc_825382:				; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x0
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+94h]
		mov	eax, [eax]
		movzx	eax, byte ptr [eax+1]
		lea	edx, ds:10h[eax*4]
		mov	[ebp+var_4], 1
		mov	[esi], edx
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, edx
		jnb	short loc_825411

loc_8253E3:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+362j
					; NtQueryInformationToken(x,x,x,x,x)+4EEj ...
		mov	ecx, [ecx+30h]

loc_8253E6:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+7E1j
					; NtQueryInformationToken(x,x,x,x,x)+A3Aj
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_8253F0:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+B67j
					; NtQueryInformationToken(x,x,x,x,x)+C52j ...
		mov	ecx, [ebp+var_20]

loc_8253F3:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+E69j
					; NtQueryInformationToken(x,x,x,x,x)+14C5j ...
		call	ObfDereferenceObject

loc_8253F8:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15E5j
					; NtQueryInformationToken(x,x,x,x,x)+2ED4j
		mov	eax, 0C0000023h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825411:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1C1j
		mov	[ebp+var_4], 2
		lea	eax, [edi+8]
		lea	esi, [ebp+var_30]
		push	esi		; int
		push	esi		; int
		push	eax		; void *
		push	edi		; int
		push	edx		; int
		mov	eax, [ecx+94h]

loc_825429:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2374j
		push	eax		; int

loc_82542A:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+261Fj
		push	1		; int

loc_82542C:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2963j
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)

loc_825431:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+80Fj
					; NtQueryInformationToken(x,x,x,x,x)+930j ...
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ebx, [ebp+var_20]

loc_82543B:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1360j
					; NtQueryInformationToken(x,x,x,x,x)+1509j ...
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_825448:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1105j
					; NtQueryInformationToken(x,x,x,x,x)+1A5Fj
		mov	ecx, ebx

loc_82544A:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+A8Bj
					; NtQueryInformationToken(x,x,x,x,x)+B94j ...
		call	ObfDereferenceObject

loc_82544F:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2EF7j
		xor	eax, eax
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825465:				; DATA XREF: .text:006A5DE4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1C0h], eax
		mov	eax, 1
		retn
; 

loc_825478:				; DATA XREF: .text:006A5DE8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1C0h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8254B3:				; DATA XREF: .text:006A5DD8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A0h], eax
		mov	eax, 1
		retn
; 

loc_8254C6:				; DATA XREF: .text:006A5DDCo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0A0h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825501:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x1
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+7Ch]
		lea	edx, ds:0FFFFFFFCh[eax*8]
		cmp	eax, 1
		jbe	short loc_825570
		mov	ecx, [ecx+94h]
		add	ecx, 8
		lea	edi, [eax-1]

loc_825556:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+348j
		mov	eax, [ecx]
		movzx	eax, byte ptr [eax+1]
		lea	edx, [edx+eax*4]
		add	edx, 8
		lea	ecx, [ecx+8]
		sub	edi, 1
		jnz	short loc_825556
		mov	edi, [ebp+arg_8]
		mov	ecx, [ebp+var_20]

loc_825570:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+328j
		mov	[ebp+var_4], 3
		mov	[esi], edx
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, edx
		jb	loc_8253E3
		mov	[ebp+var_4], 4
		mov	eax, [ecx+7Ch]
		dec	eax
		mov	[edi], eax
		mov	ecx, [ecx+7Ch]
		lea	eax, ds:0FFFFFFFCh[ecx*8]
		add	eax, edi
		lea	esi, [ebp+var_30]
		push	esi		; int
		push	esi		; int
		push	eax		; void *
		lea	eax, [edi+4]
		push	eax		; int
		push	edx		; int
		mov	ebx, [ebp+var_20]
		mov	eax, [ebx+94h]
		add	eax, 8
		push	eax		; int
		lea	eax, [ecx-1]
		push	eax		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, ebx
		call	ObfDereferenceObject
		xor	eax, eax
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8255F3:				; DATA XREF: .text:006A5DFCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A4h], eax
		mov	eax, 1
		retn
; 

loc_825606:				; DATA XREF: .text:006A5E00o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0A4h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825641:				; DATA XREF: .text:006A5DF0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A8h], eax
		mov	eax, 1
		retn
; 

loc_825654:				; DATA XREF: .text:006A5DF4o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0A8h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82568F:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0xA
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+80h]
		lea	edx, ds:4[eax*8]
		test	eax, eax
		jz	short loc_8256FC
		mov	ecx, [ecx+98h]
		mov	edi, eax

loc_8256E2:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+4D4j
		mov	eax, [ecx]
		movzx	eax, byte ptr [eax+1]
		lea	edx, [edx+eax*4]
		add	edx, 8
		lea	ecx, [ecx+8]
		sub	edi, 1
		jnz	short loc_8256E2
		mov	edi, [ebp+arg_8]
		mov	ecx, [ebp+var_20]

loc_8256FC:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+4B8j
		mov	[ebp+var_4], 5
		mov	[esi], edx
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, edx
		jb	loc_8253E3
		mov	[ebp+var_4], 6
		mov	eax, [ecx+80h]
		mov	[edi], eax
		mov	ecx, [ecx+80h]
		lea	eax, ds:4[ecx*8]
		add	eax, edi
		lea	esi, [ebp+var_30]
		push	esi		; int
		push	esi		; int
		push	eax		; void *
		lea	eax, [edi+4]
		push	eax		; int
		push	edx		; int
		mov	ebx, [ebp+var_20]
		mov	eax, [ebx+98h]
		push	eax		; int
		push	ecx		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, ebx
		call	ObfDereferenceObject
		xor	eax, eax
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82577E:				; DATA XREF: .text:006A5E14o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0ACh], eax
		mov	eax, 1
		retn
; 

loc_825791:				; DATA XREF: .text:006A5E18o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0ACh]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8257CC:				; DATA XREF: .text:006A5E08o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B0h], eax
		mov	eax, 1
		retn
; 

loc_8257DF:				; DATA XREF: .text:006A5E0Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0B0h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82581A:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x2
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	eax, [ebp+var_20]
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+var_20]
		call	_SepTokenPrivilegeCount@4 ; SepTokenPrivilegeCount(x)
		cmp	eax, 1
		jbe	short loc_82586A
		lea	eax, [eax+eax*2]
		lea	eax, ds:4[eax*4]
		jmp	short loc_82586F
; 

loc_82586A:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+63Cj
		mov	eax, 10h

loc_82586F:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+648j
		mov	[ebp+var_4], 7
		mov	[esi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, eax
		jnb	short loc_8258B3
		mov	ebx, [ebp+var_20]
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, 0C0000023h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8258B3:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+661j
		mov	[ebp+var_4], 8
		mov	edx, edi
		mov	ebx, [ebp+var_20]
		mov	ecx, ebx
		call	_SepConvertTokenPrivileges@8 ; SepConvertTokenPrivileges(x,x)
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, ebx
		call	ObfDereferenceObject
		xor	eax, eax
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8258F7:				; DATA XREF: .text:006A5E2Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B4h], eax
		mov	eax, 1
		retn
; 

loc_82590A:				; DATA XREF: .text:006A5E30o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0B4h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825945:				; DATA XREF: .text:006A5E20o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B8h], eax
		mov	eax, 1
		retn
; 

loc_825958:				; DATA XREF: .text:006A5E24o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0B8h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825993:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x3
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	edx, [ebp+var_20]
		mov	ecx, [edx+90h]
		mov	eax, [edx+94h]
		mov	eax, [eax+ecx*8]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:0Ch[eax*4]
		mov	[ebp+arg_0], eax
		mov	[ebp+var_4], 9
		mov	[esi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, eax
		jnb	short loc_825A06

loc_8259FE:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1286j
					; NtQueryInformationToken(x,x,x,x,x)+25E5j ...
		mov	ecx, [edx+30h]
		jmp	loc_8253E6
; 

loc_825A06:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+7DCj
		lea	esi, [edi+4]
		mov	[ebp+var_4], 0Ah
		mov	[edi], esi
		mov	ecx, [edx+90h]
		mov	eax, [edx+94h]
		mov	eax, [eax+ecx*8]
		push	eax		; void *
		push	esi		; void *
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFFCh
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		jmp	loc_825431
; 

loc_825A34:				; DATA XREF: .text:006A5E44o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0BCh], eax
		mov	eax, 1
		retn
; 

loc_825A47:				; DATA XREF: .text:006A5E48o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0BCh]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825A82:				; DATA XREF: .text:006A5E38o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C0h], eax
		mov	eax, 1
		retn
; 

loc_825A95:				; DATA XREF: .text:006A5E3Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0C0h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825AD0:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x4
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+9Ch]
		movzx	eax, byte ptr [eax+1]
		lea	edx, ds:0Ch[eax*4]
		mov	[ebp+var_4], 0Bh
		mov	[esi], edx
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, edx
		jb	loc_8253E3
		lea	esi, [edi+4]
		mov	[ebp+var_4], 0Ch
		mov	[edi], esi
		mov	eax, [ecx+9Ch]
		push	eax		; void *
		push	esi		; void *
		lea	eax, [edx-4]
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		jmp	loc_825431
; 

loc_825B55:				; DATA XREF: .text:006A5E5Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C4h], eax
		mov	eax, 1
		retn
; 

loc_825B68:				; DATA XREF: .text:006A5E60o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0C4h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825BA3:				; DATA XREF: .text:006A5E50o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C8h], eax
		mov	eax, 1
		retn
; 

loc_825BB6:				; DATA XREF: .text:006A5E54o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0C8h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825BF1:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x5
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	eax, [ebp+var_20]
		mov	ecx, [eax+0A4h]
		test	ecx, ecx
		jz	short loc_825C3E
		movzx	ecx, word ptr [ecx+2]
		add	ecx, 4
		jmp	short loc_825C43
; 

loc_825C3E:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+A13j
		mov	ecx, 4

loc_825C43:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+A1Cj
		mov	[ebp+var_4], 0Dh
		mov	[esi], ecx
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, ecx
		jnb	short loc_825C5F

loc_825C57:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2A78j
					; NtQueryInformationToken(x,x,x,x,x)+2DA5j
		mov	ecx, [eax+30h]
		jmp	loc_8253E6
; 

loc_825C5F:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+A35j
		lea	edx, [edi+4]
		mov	[ebp+var_4], 0Eh
		cmp	dword ptr [eax+0A4h], 0
		jz	short loc_825C8E
		mov	[edi], edx
		mov	ecx, [eax+0A4h]
		movzx	eax, word ptr [ecx+2]
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_20]
		jmp	short loc_825C94
; 

loc_825C8E:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+A50j
		mov	dword ptr [edi], 0

loc_825C94:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+A6Cj
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [eax+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_20]
		jmp	loc_82544A
; 

loc_825CB0:				; DATA XREF: .text:006A5E74o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0CCh], eax
		mov	eax, 1
		retn
; 

loc_825CC3:				; DATA XREF: .text:006A5E78o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0CCh]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825CFE:				; DATA XREF: .text:006A5E68o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D0h], eax
		mov	eax, 1
		retn
; 

loc_825D11:				; DATA XREF: .text:006A5E6Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0D0h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825D4C:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x6
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 10h
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		mov	[ebp+var_4], 0Fh
		mov	dword ptr [esi], 10h
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 10h
		jb	loc_8253F0
		mov	[ebp+var_4], 10h
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		mov	[edi+4], eax
		mov	eax, [ecx+8]
		mov	[edi+8], eax
		mov	eax, [ecx+0Ch]
		mov	[edi+0Ch], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82544A
; 

loc_825DB9:				; DATA XREF: .text:006A5E8Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D4h], eax
		mov	eax, 1
		retn
; 

loc_825DCC:				; DATA XREF: .text:006A5E90o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0D4h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825DF8:				; DATA XREF: .text:006A5E80o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D8h], eax
		mov	eax, 1
		retn
; 

loc_825E0B:				; DATA XREF: .text:006A5E84o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0D8h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825E37:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x7
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		mov	[ebp+var_4], 11h
		mov	dword ptr [esi], 4
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 4
		jb	loc_8253F0
		mov	[ebp+var_4], 12h
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+0A8h]
		mov	[edi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82544A
; 

loc_825E96:				; DATA XREF: .text:006A5EA4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0DCh], eax
		mov	eax, 1
		retn
; 

loc_825EA9:				; DATA XREF: .text:006A5EA8o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0DCh]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825ED5:				; DATA XREF: .text:006A5E98o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E0h], eax
		mov	eax, 1
		retn
; 

loc_825EE8:				; DATA XREF: .text:006A5E9Co
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0E0h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825F14:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x11
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		mov	[ebp+var_4], 13h
		mov	dword ptr [esi], 4
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 4
		jb	loc_8253F0
		mov	[ebp+var_4], 14h
		mov	esi, [ebp+var_20]
		mov	eax, [esi+0C0h]
		mov	eax, [eax+18h]
		test	al, 4
		jz	short loc_825F8F
		call	SeIsSModeAdminlessEnabled
		xor	ecx, ecx
		test	al, al
		setz	cl
		lea	ecx, ds:1[ecx*2]
		mov	[edi], ecx
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, esi
		jmp	loc_82544A
; 

loc_825F8F:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+D4Aj
		test	al, 2
		mov	eax, 0
		setnz	al
		inc	eax
		mov	[edi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, esi
		jmp	loc_82544A
; 

loc_825FAA:				; DATA XREF: .text:006A5EBCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E4h], eax
		mov	eax, 1
		retn
; 

loc_825FBD:				; DATA XREF: .text:006A5EC0o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0E4h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_825FE9:				; DATA XREF: .text:006A5EB0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E8h], eax
		mov	eax, 1
		retn
; 

loc_825FFC:				; DATA XREF: .text:006A5EB4o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0E8h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826028:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x8
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	short loc_82605E
		mov	ecx, [ebp+var_20]
		cmp	dword ptr [ecx+0A8h], 2
		jz	short loc_826072
		call	ObfDereferenceObject

loc_826059:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+155j
					; NtQueryInformationToken(x,x,x,x,x)+15Bj ...
		mov	eax, 0C0000003h	; default

loc_82605E:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+180j
					; NtQueryInformationToken(x,x,x,x,x)+2FFj ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826072:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+E32j
		mov	[ebp+var_4], 15h
		mov	dword ptr [esi], 4
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 4
		jb	loc_8253F3
		mov	[ebp+var_4], 16h
		mov	eax, [ecx+0ACh]
		mov	[edi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82544A
; 

loc_8260AA:				; DATA XREF: .text:006A5ED4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0ECh], eax
		mov	eax, 1
		retn
; 

loc_8260BD:				; DATA XREF: .text:006A5ED8o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0ECh]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8260E9:				; DATA XREF: .text:006A5EC8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0F0h], eax
		mov	eax, 1
		retn
; 

loc_8260FC:				; DATA XREF: .text:006A5ECCo
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0F0h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826128:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x9
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		mov	[ebp+var_4], 17h
		mov	dword ptr [esi], 38h
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 38h
		jb	loc_8253F0
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	esi, [ebp+var_20]
		push	1
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	[ebp+var_4], 18h
		mov	[ebp+var_58], 0
		mov	eax, [esi+10h]
		mov	[edi], eax
		mov	eax, [esi+14h]
		mov	[edi+4], eax
		mov	eax, [esi+18h]
		mov	ecx, [esi+1Ch]
		mov	[edi+8], eax
		mov	[edi+0Ch], ecx
		mov	eax, [esi+28h]
		mov	ecx, [esi+2Ch]
		mov	[edi+10h], eax
		mov	[edi+14h], ecx
		mov	eax, [esi+0A8h]
		mov	[edi+18h], eax
		mov	eax, [esi+0ACh]
		mov	[edi+1Ch], eax
		mov	eax, [esi+88h]
		mov	[edi+20h], eax
		mov	eax, [esi+9Ch]
		movzx	eax, byte ptr [eax+1]
		shl	eax, 2
		mov	ecx, [esi+88h]
		sub	ecx, eax
		sub	ecx, 8
		mov	[ebp+var_58], ecx
		mov	eax, [esi+0A4h]
		test	eax, eax
		jz	short loc_8261F6
		movzx	eax, word ptr [eax+2]
		sub	ecx, eax
		mov	[ebp+var_58], ecx

loc_8261F6:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+FCBj
		mov	[edi+24h], ecx
		mov	eax, [esi+7Ch]
		dec	eax
		mov	[edi+28h], eax
		mov	ecx, esi
		call	_SepTokenPrivilegeCount@4 ; SepTokenPrivilegeCount(x)
		mov	[edi+2Ch], eax
		mov	eax, [esi+34h]
		mov	ecx, [esi+38h]
		mov	[edi+30h], eax
		mov	[edi+34h], ecx
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		jmp	loc_82544A
; 

loc_826231:				; DATA XREF: .text:006A5EECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0F4h], eax
		mov	eax, 1
		retn
; 

loc_826244:				; DATA XREF: .text:006A5EF0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0F4h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82627F:				; DATA XREF: .text:006A5EE0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0F8h], eax
		mov	eax, 1
		retn
; 

loc_826292:				; DATA XREF: .text:006A5EE4o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0F8h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8262BE:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0xB
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		mov	[ebp+var_4], 19h
		mov	dword ptr [esi], 4
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 4
		jb	loc_8253F0
		lea	eax, [ebp+var_40]
		push	eax
		mov	ebx, [ebp+var_20]
		push	ebx
		call	_SeQuerySessionIdToken@8 ; SeQuerySessionIdToken(x,x)
		mov	[ebp+var_4], 1Ah
		mov	eax, [ebp+var_40]
		mov	[edi], eax
		mov	dword ptr [esi], 4
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_825448
; 

loc_82632A:				; DATA XREF: .text:006A5F04o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0FCh], eax
		mov	eax, 1
		retn
; 

loc_82633D:				; DATA XREF: .text:006A5F08o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0FCh]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826369:				; DATA XREF: .text:006A5EF8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-100h], eax
		mov	eax, 1
		retn
; 

loc_82637C:				; DATA XREF: .text:006A5EFCo
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-100h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8263A8:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0xC
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	eax, [ebp+var_20]
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+var_20]
		call	_SepTokenPrivilegeCount@4 ; SepTokenPrivilegeCount(x)
		mov	[ebp+var_48], eax
		lea	eax, [eax+eax*2]
		shl	eax, 2
		mov	[ebp+var_40], eax
		mov	edx, [ebp+var_20]
		mov	ecx, [edx+7Ch]
		mov	[ebp+arg_4], ecx
		lea	eax, ds:0[ecx*8]
		mov	[ebp+var_44], eax
		mov	[ebp+arg_0], eax
		test	ecx, ecx
		jz	short loc_82643B
		mov	ecx, [edx+94h]
		mov	edi, [ebp+arg_4]
		jmp	short loc_826420
; 
		align 10h

loc_826420:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+11F6j
					; NtQueryInformationToken(x,x,x,x,x)+1219j
		mov	eax, [ecx]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	[ebp+arg_0], eax
		lea	ecx, [ecx+8]
		sub	edi, 1
		jnz	short loc_826420

loc_82643B:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+11EBj
		mov	eax, [edx+80h]
		lea	ecx, ds:0[eax*8]
		mov	[ebp+var_3C], ecx
		mov	[ebp+arg_4], ecx
		test	eax, eax
		mov	edi, [ebp+arg_8]
		jz	short loc_826487
		mov	ebx, [edx+98h]
		mov	esi, eax
		lea	ecx, [ecx+0]

loc_826460:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+125Aj
		mov	eax, [ebx]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	ecx, eax
		mov	eax, ecx
		lea	ebx, [ebx+8]
		sub	esi, 1
		jnz	short loc_826460
		mov	[ebp+arg_4], ecx
		mov	esi, [ebp+arg_10]
		mov	ebx, [ebp+arg_C]
		jmp	short loc_826489
; 

loc_826487:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1233j
		mov	eax, ecx

loc_826489:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1265j
		add	eax, [ebp+var_40]
		mov	ecx, [ebp+arg_0]
		add	ecx, 2Ch
		add	eax, ecx
		mov	[ebp+var_4], 1Bh
		mov	[esi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, eax
		jb	loc_8259FE
		mov	[ebp+var_4], 1Ch
		mov	eax, [edx+18h]
		mov	ecx, [edx+1Ch]
		mov	[edi+24h], eax
		mov	[edi+28h], ecx
		mov	ecx, [ebp+arg_0]
		mov	[edi+4], ecx
		mov	eax, [edx+7Ch]
		mov	[edi], eax
		lea	eax, [edi+2Ch]
		mov	[edi+8], eax
		mov	esi, [ebp+arg_4]
		mov	[edi+10h], esi
		mov	eax, [edx+80h]
		mov	[edi+0Ch], eax
		lea	eax, [edi+2Ch]
		cmp	dword ptr [edx+80h], 0
		jz	short loc_8264F8
		lea	ebx, [ecx+3]
		and	ebx, 0FFFFFFFCh
		add	ebx, eax
		mov	[edi+14h], ebx
		jmp	short loc_826505
; 

loc_8264F8:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+12C9j
		mov	dword ptr [edi+14h], 0
		mov	ebx, [ebp+var_104]

loc_826505:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+12D6j
		mov	edx, [ebp+var_40]
		mov	[edi+1Ch], edx
		mov	edx, [ebp+var_48]
		mov	[edi+18h], edx
		lea	edx, [eax+esi]
		add	edx, ecx
		mov	[ebp+arg_0], edx
		mov	[edi+20h], edx
		lea	edx, [ebp+var_30]
		push	edx		; int
		push	edx		; int
		add	eax, [ebp+var_44]
		push	eax		; void *
		lea	eax, [edi+2Ch]
		push	eax		; int
		sub	ecx, [ebp+var_44]
		push	ecx		; int
		mov	edx, [ebp+var_20]
		mov	eax, [edx+94h]
		push	eax		; int
		mov	eax, [edx+7Ch]
		push	eax		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_3C]
		lea	eax, [ebx+ecx]
		test	ebx, ebx
		jz	short loc_82656C
		lea	edx, [ebp+var_30]
		push	edx		; int
		push	edx		; int
		push	eax		; void *
		push	ebx		; int
		sub	esi, ecx
		push	esi		; int
		mov	ebx, [ebp+var_20]
		mov	eax, [ebx+98h]
		push	eax		; int
		mov	eax, [ebx+80h]
		push	eax		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)
		jmp	short loc_82656F
; 

loc_82656C:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1328j
		mov	ebx, [ebp+var_20]

loc_82656F:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+134Aj
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_SepConvertTokenPrivilegesToLuidAndAttributes@8	; SepConvertTokenPrivilegesToLuidAndAttributes(x,x)
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82543B
; 

loc_826585:				; DATA XREF: .text:006A5F1Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-108h], eax
		mov	eax, 1
		retn
; 

loc_826598:				; DATA XREF: .text:006A5F20o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-108h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8265D3:				; DATA XREF: .text:006A5F10o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-10Ch], eax
		mov	eax, 1
		retn
; 

loc_8265E6:				; DATA XREF: .text:006A5F14o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-10Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826621:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		mov	[ebp+var_78], 0	; case 0x15
		mov	[ebp+var_70], 0
		mov	[ebp+var_6C], 0
		mov	[ebp+var_68], 0
		mov	[ebp+var_64], 0
		mov	[ebp+var_60], 0
		mov	[ebp+var_5C], 0
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	eax, [ebp+var_20]
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_64]
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		lea	eax, [ebp+var_6C]
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		lea	eax, [ebp+var_78]
		push	eax
		lea	eax, [ebp+var_7C]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		push	[ebp+var_24]
		mov	dl, byte ptr [ebp+var_28]
		mov	ecx, [ebp+var_20]
		call	_SepGetTokenAccessInformationBufferSize@52 ; SepGetTokenAccessInformationBufferSize(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_4], 1Dh
		mov	[esi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, eax
		jnb	short loc_8266EA

loc_8266D3:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+234Bj
		mov	ebx, [ebp+var_20]
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, ebx
		jmp	loc_8253F3
; 

loc_8266EA:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+14B1j
		mov	[ebp+var_4], 1Eh
		push	[ebp+var_24]
		push	[ebp+var_28]
		push	[ebp+var_5C]
		push	[ebp+var_60]
		push	[ebp+var_64]
		push	[ebp+var_68]
		push	[ebp+var_6C]
		push	[ebp+var_70]
		push	[ebp+var_74]
		push	[ebp+var_78]
		push	[ebp+var_7C]
		push	[ebp+var_44]
		push	ebx
		mov	edx, edi
		mov	ebx, [ebp+var_20]
		mov	ecx, ebx
		call	_SepCopyTokenAccessInformation@60 ; SepCopyTokenAccessInformation(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82543B
; 

loc_82672E:				; DATA XREF: .text:006A5F34o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-110h], eax
		mov	eax, 1
		retn
; 

loc_826741:				; DATA XREF: .text:006A5F38o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-110h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82677C:				; DATA XREF: .text:006A5F28o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-114h], eax
		mov	eax, 1
		retn
; 

loc_82678F:				; DATA XREF: .text:006A5F2Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-114h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8267CA:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0xE
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		mov	[ebp+var_4], 1Fh
		mov	dword ptr [esi], 4
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 4
		jb	loc_8253F8
		mov	[ebp+var_4], 20h
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+0B0h]
		shr	eax, 6
		and	eax, 1
		mov	[edi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82544A
; 

loc_82682F:				; DATA XREF: .text:006A5F4Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-118h], eax
		mov	eax, 1
		retn
; 

loc_826842:				; DATA XREF: .text:006A5F50o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-118h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82686E:				; DATA XREF: .text:006A5F40o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-11Ch], eax
		mov	eax, 1
		retn
; 

loc_826881:				; DATA XREF: .text:006A5F44o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-11Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8268A5:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		push	[ebp+var_2C]	; case 0xF
		mov	eax, ds:dword_A94A3C
		push	eax
		mov	eax, ds:_SeSecurityPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_8268D6
		mov	eax, 0C0000061h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8268D6:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+169Bj
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		mov	[ebp+var_4], 21h
		mov	dword ptr [esi], 1Fh
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 1Fh
		jb	loc_8253F0
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	ebx, [ebp+var_20]
		push	1
		mov	eax, [ebx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	[ebp+var_4], 22h
		lea	esi, [ebx+58h]
		mov	ecx, 7
		rep movsd
		movsw
		movsb
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82543B
; 

loc_82694A:				; DATA XREF: .text:006A5F64o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-120h], eax
		mov	eax, 1
		retn
; 

loc_82695D:				; DATA XREF: .text:006A5F68o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-120h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826998:				; DATA XREF: .text:006A5F58o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-124h], eax
		mov	eax, 1
		retn
; 

loc_8269AB:				; DATA XREF: .text:006A5F5Co
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-124h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8269D7:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x10
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		mov	[ebp+var_4], 23h
		mov	dword ptr [esi], 8
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 8
		jb	loc_8253F0
		mov	[ebp+var_4], 24h
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+0C4h]
		mov	[edi], eax
		mov	eax, [ecx+0C8h]
		mov	[edi+4], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82544A
; 

loc_826A3F:				; DATA XREF: .text:006A5F7Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-128h], eax
		mov	eax, 1
		retn
; 

loc_826A52:				; DATA XREF: .text:006A5F80o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-128h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826A7E:				; DATA XREF: .text:006A5F70o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-12Ch], eax
		mov	eax, 1
		retn
; 

loc_826A91:				; DATA XREF: .text:006A5F74o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-12Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826ABD:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		mov	[ebp+var_4C], 0	; case 0x12
		mov	[ebp+var_3C], 0
		mov	[ebp+var_50], 0
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		mov	[ebp+var_4], 25h
		mov	dword ptr [esi], 4
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 4
		jz	short loc_826B30
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject

loc_826B17:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1BE9j
		mov	eax, 0C0000004h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826B30:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+18EDj
		push	[ebp+var_2C]
		mov	eax, ds:dword_A949B4
		push	eax
		mov	eax, ds:_SeTcbPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		add	esi, 2
		call	SeIsSModeAdminlessEnabled
		test	al, al
		jz	short loc_826B95
		mov	[ebp+var_48], 0
		lea	ecx, [ebp+var_48]
		call	_SepGetStackTraceHash@4	; SepGetStackTraceHash(x)
		push	1
		push	0
		mov	dl, 1
		mov	ecx, [ebp+var_48]
		call	_EtwTraceAdminlessAccessFailure@16 ; EtwTraceAdminlessAccessFailure(x,x,x,x)
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject
		mov	eax, 0C000005Fh
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826B95:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1935j
		mov	ebx, [ebp+var_20]
		mov	edx, [ebx+0C0h]
		lea	eax, [ebp+var_4C]
		push	eax
		lea	ecx, [edx+0Ch]
		mov	edx, [edx+58h]
		call	_SepReferenceLogonSessionSilo@12 ; SepReferenceLogonSessionSilo(x,x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jns	short loc_826BD2
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826BD2:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1992j
		mov	[ebp+var_1D8], 18h
		mov	[ebp+var_1D4], 0
		xor	eax, eax
		cmp	[ebp+var_31], al
		setnz	al
		dec	eax
		and	eax, 200h
		mov	[ebp+var_1CC], eax
		mov	[ebp+var_1D0], 0
		mov	[ebp+var_1C8], 0
		mov	[ebp+var_1C4], 0
		lea	eax, [ebp+var_50]
		push	eax		; int
		push	0		; int
		push	0		; int
		push	1		; size_t
		push	esi		; int
		push	0		; char
		lea	edx, [ebp+var_1D8]
		mov	esi, [ebp+var_4C]
		mov	ecx, [esi+20h]
		call	_SepDuplicateToken@32 ;	SepDuplicateToken(x,x,x,x,x,x,x,x)
		mov	[ebp+arg_0], eax
		mov	ecx, esi
		call	_SepDeReferenceLogonSessionDirect@4 ; SepDeReferenceLogonSessionDirect(x)
		mov	esi, [ebp+arg_0]
		test	esi, esi
		js	loc_8279EE
		lea	eax, [ebp+var_3C]
		push	eax
		push	0
		push	0
		push	0F01FFh
		push	0
		push	[ebp+var_50]
		call	_ObInsertObject@24 ; ObInsertObject(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8279EE
		mov	[ebp+var_4], 26h
		mov	eax, [ebp+var_3C]
		mov	[edi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_825448
; 

loc_826C84:				; DATA XREF: .text:006A5F94o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-130h], eax
		mov	eax, 1
		retn
; 

loc_826C97:				; DATA XREF: .text:006A5F98o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		push	dword ptr [ebp-3Ch]
		call	NtClose
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_130]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826CCB:				; DATA XREF: .text:006A5F88o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-134h], eax
		mov	eax, 1
		retn
; 

loc_826CDE:				; DATA XREF: .text:006A5F8Co
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-134h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826D0A:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x14
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		mov	[ebp+var_4], 27h
		mov	dword ptr [esi], 1
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 1
		jb	loc_8253F0
		mov	[ebp+var_4], 28h
		mov	ecx, [ebp+var_20]
		test	dword ptr [ecx+0B0h], 810h
		setnz	al
		mov	[edi], al
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82544A
; 

loc_826D70:				; DATA XREF: .text:006A5FACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-138h], eax
		mov	eax, 1
		retn
; 

loc_826D83:				; DATA XREF: .text:006A5FB0o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-138h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826DAF:				; DATA XREF: .text:006A5FA0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-13Ch], eax
		mov	eax, 1
		retn
; 

loc_826DC2:				; DATA XREF: .text:006A5FA4o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-13Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826DEE:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		mov	byte ptr [ebp+arg_8+3],	0 ; case 0x13
		mov	[ebp+var_4], 29h
		mov	dword ptr [esi], 4
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 4
		jnz	loc_826B17
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		lea	edx, [ebx+4]
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	edx, [ebp+var_20]
		mov	ecx, [edx+40h]
		and	ecx, 20160684h
		mov	eax, [edx+44h]
		and	eax, 11h
		or	ecx, eax
		mov	bl, 1
		jnz	short loc_826E5F
		mov	bl, byte ptr [ebp+arg_8+3]

loc_826E5F:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1C3Aj
		xor	esi, esi
		mov	eax, [edx+7Ch]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_826E8E
		jmp	short loc_826E70
; 
		align 10h

loc_826E70:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1C4Bj
					; NtQueryInformationToken(x,x,x,x,x)+1C6Cj
		test	bl, bl
		jnz	short loc_826E8E
		mov	eax, [edx+94h]
		lea	eax, [eax+esi*8]
		push	eax
		call	_RtlIsElevatedRid@4 ; RtlIsElevatedRid(x)
		mov	bl, al
		inc	esi
		cmp	esi, [ebp+arg_0]
		mov	edx, [ebp+var_20]
		jb	short loc_826E70

loc_826E8E:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1C49j
					; NtQueryInformationToken(x,x,x,x,x)+1C52j
		mov	ecx, [edx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	[ebp+var_4], 2Ah
		movzx	eax, bl
		mov	[edi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [ebp+var_20]
		jmp	loc_82544A
; 

loc_826EB6:				; DATA XREF: .text:006A5FC4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-140h], eax
		mov	eax, 1
		retn
; 

loc_826EC9:				; DATA XREF: .text:006A5FC8o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-140h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826EF5:				; DATA XREF: .text:006A5FB8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-144h], eax
		mov	eax, 1
		retn
; 

loc_826F08:				; DATA XREF: .text:006A5FBCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-144h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_826F2C:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x16
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		mov	[ebp+var_4], 2Bh
		mov	dword ptr [esi], 4
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 4
		jb	loc_8253F0
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_20]
		cmp	eax, 17h
		jnz	short loc_826F83
		mov	eax, [ecx+0B0h]
		shr	eax, 9
		jmp	short loc_826FC0
; 

loc_826F83:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1D56j
		cmp	eax, 18h
		jnz	short loc_826F93
		mov	eax, [ecx+0B0h]
		shr	eax, 0Ah
		jmp	short loc_826FC0
; 

loc_826F93:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1D66j
		cmp	eax, 1Ah
		jnz	short loc_826FA3
		mov	eax, [ecx+0B0h]
		shr	eax, 0Ch
		jmp	short loc_826FC0
; 

loc_826FA3:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1D76j
		cmp	eax, 28h
		mov	eax, [ecx+0B0h]
		jnz	short loc_826FBD
		test	al, 18h
		jnz	short loc_826FB6
		xor	eax, eax
		jmp	short loc_826FC3
; 

loc_826FB6:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1D90j
		mov	eax, 1
		jmp	short loc_826FC3
; 

loc_826FBD:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1D8Cj
		shr	eax, 10h

loc_826FC0:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1D61j
					; NtQueryInformationToken(x,x,x,x,x)+1D71j ...
		and	eax, 1

loc_826FC3:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1D94j
					; NtQueryInformationToken(x,x,x,x,x)+1D9Bj
		mov	[ebp+var_4], 2Ch
		mov	[edi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82544A
; 

loc_826FD8:				; DATA XREF: .text:006A5FDCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-148h], eax
		mov	eax, 1
		retn
; 

loc_826FEB:				; DATA XREF: .text:006A5FE0o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-148h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827017:				; DATA XREF: .text:006A5FD0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-14Ch], eax
		mov	eax, 1
		retn
; 

loc_82702A:				; DATA XREF: .text:006A5FD4o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-14Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827056:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x1C
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		mov	[ebp+var_4], 2Dh
		mov	dword ptr [esi], 4
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [ebp+var_20]
		cmp	ebx, 4
		jb	loc_8253F3
		mov	eax, [ecx+0B0h]
		and	eax, 4000h
		mov	[ebp+var_4], 2Eh
		xor	edx, edx
		test	eax, eax
		setnz	dl
		mov	[edi], edx
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82544A
; 

loc_8270C1:				; DATA XREF: .text:006A5FF4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-150h], eax
		mov	eax, 1
		retn
; 

loc_8270D4:				; DATA XREF: .text:006A5FF8o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-150h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827100:				; DATA XREF: .text:006A5FE8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-154h], eax
		mov	eax, 1
		retn
; 

loc_827113:				; DATA XREF: .text:006A5FECo
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-154h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82713F:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x1F
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		mov	[ebp+var_4], 2Fh
		mov	dword ptr [esi], 4
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 4
		jb	loc_8253F0
		xor	ebx, ebx
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	esi, [ebp+var_20]
		push	1
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	eax, [esi+274h]
		test	eax, eax
		jz	short loc_8271A2
		mov	ebx, [eax+14h]

loc_8271A2:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1F7Dj
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	[ebp+var_4], 30h
		mov	[edi], ebx
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, esi
		jmp	loc_82544A
; 

loc_8271C6:				; DATA XREF: .text:006A600Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-158h], eax
		mov	eax, 1
		retn
; 

loc_8271D9:				; DATA XREF: .text:006A6010o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-158h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827205:				; DATA XREF: .text:006A6000o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-15Ch], eax
		mov	eax, 1
		retn
; 

loc_827218:				; DATA XREF: .text:006A6004o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-15Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827244:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x1E
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+var_20]
		mov	edx, [ecx+1E0h]
		test	edx, edx
		jnz	short loc_82728D
		lea	eax, [edx+4]
		jmp	short loc_827298
; 

loc_82728D:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2066j
		movzx	eax, byte ptr [edx+1]
		lea	eax, ds:0Ch[eax*4]

loc_827298:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+206Bj
		mov	[ebp+arg_0], eax
		mov	[ebp+var_4], 31h
		mov	[esi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, eax
		jb	loc_8253E3
		test	edx, edx
		jz	short loc_8272BA
		lea	edx, [edi+4]

loc_8272BA:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2095j
		mov	[ebp+var_4], 32h
		mov	[edi], edx
		test	edx, edx
		jz	short loc_8272DE
		mov	eax, [ecx+1E0h]
		push	eax		; void *
		push	edx		; void *
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFFCh
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		mov	ecx, [ebp+var_20]

loc_8272DE:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+20A5j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [ecx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_20]
		jmp	loc_82544A
; 

loc_8272FA:				; DATA XREF: .text:006A6024o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-160h], eax
		mov	eax, 1
		retn
; 

loc_82730D:				; DATA XREF: .text:006A6028o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-160h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827348:				; DATA XREF: .text:006A6018o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-164h], eax
		mov	eax, 1
		retn
; 

loc_82735B:				; DATA XREF: .text:006A601Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-164h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827396:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x1D
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+1E8h]
		lea	edx, ds:4[eax*8]
		test	eax, eax
		jz	short loc_82740A
		mov	ecx, [ecx+1E4h]
		mov	edi, eax
		lea	esp, [esp+0]

loc_8273F0:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+21E2j
		mov	eax, [ecx]
		movzx	eax, byte ptr [eax+1]
		lea	edx, [edx+eax*4]
		add	edx, 8
		lea	ecx, [ecx+8]
		sub	edi, 1
		jnz	short loc_8273F0
		mov	edi, [ebp+arg_8]
		mov	ecx, [ebp+var_20]

loc_82740A:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+21BFj
		mov	[ebp+var_4], 33h
		mov	[esi], edx
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, edx
		jb	loc_8253E3
		mov	[ebp+var_4], 34h
		mov	eax, [ecx+1E8h]
		mov	[edi], eax
		mov	ecx, [ecx+1E8h]
		lea	eax, ds:4[ecx*8]
		add	eax, edi
		lea	esi, [ebp+var_30]
		push	esi		; int
		push	esi		; int
		push	eax		; void *
		lea	eax, [edi+4]
		push	eax		; int
		push	edx		; int
		mov	ebx, [ebp+var_20]
		mov	eax, [ebx+1E4h]
		push	eax		; int
		push	ecx		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82543B
; 

loc_827467:				; DATA XREF: .text:006A603Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-168h], eax
		mov	eax, 1
		retn
; 

loc_82747A:				; DATA XREF: .text:006A6040o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-168h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8274B5:				; DATA XREF: .text:006A6030o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-16Ch], eax
		mov	eax, 1
		retn
; 

loc_8274C8:				; DATA XREF: .text:006A6034o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-16Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827503:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x18
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	eax, [ebp+var_20]
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		lea	edx, [ebp+var_9C]
		mov	ecx, [ebp+var_20]
		call	_SepCopyTokenIntegrity@8 ; SepCopyTokenIntegrity(x,x)
		mov	ecx, [ebp+var_9C]
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:10h[eax*4]
		mov	[ebp+var_4], 35h
		mov	[esi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, eax
		jb	loc_8266D3
		mov	[ebp+var_4], 36h
		lea	eax, [edi+8]
		lea	edx, [ebp+var_30]
		push	edx
		push	edx
		push	eax
		push	edi
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax
		lea	eax, [ebp+var_9C]
		jmp	loc_825429
; 

loc_827599:				; DATA XREF: .text:006A6054o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-170h], eax
		mov	eax, 1
		retn
; 

loc_8275AC:				; DATA XREF: .text:006A6058o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-170h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8275E7:				; DATA XREF: .text:006A6048o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-174h], eax
		mov	eax, 1
		retn
; 

loc_8275FA:				; DATA XREF: .text:006A604Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-174h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827635:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x1A
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		mov	[ebp+var_4], 37h
		mov	dword ptr [esi], 4
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 4
		jb	loc_8253F0
		mov	[ebp+var_4], 38h
		mov	edx, edi
		mov	ecx, [ebp+var_20]
		call	_SeQueryMandatoryPolicyToken@8 ; SeQueryMandatoryPolicyToken(x,x)
		mov	esi, eax
		mov	[ebp+var_54], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		call	ObfDereferenceObject
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8276AE:				; DATA XREF: .text:006A606Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-178h], eax
		mov	eax, 1
		retn
; 

loc_8276C1:				; DATA XREF: .text:006A6070o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-178h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8276ED:				; DATA XREF: .text:006A6060o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-17Ch], eax
		mov	eax, 1
		retn
; 

loc_827700:				; DATA XREF: .text:006A6064o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-17Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82772C:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x1B
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		xor	ecx, ecx
		mov	edx, [ebp+var_20]
		mov	eax, [edx+7Ch]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_82779A
		mov	eax, [edx+94h]
		mov	[ebp+arg_8], eax
		lea	edx, [eax+4]
		mov	edi, edi

loc_827780:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2575j
		mov	eax, [edx]
		and	eax, 0C0000000h
		cmp	eax, 0C0000000h
		jz	short loc_8277CE
		inc	ecx
		add	edx, 8
		cmp	ecx, [ebp+arg_0]
		jb	short loc_827780
		mov	edx, [ebp+var_20]

loc_82779A:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2550j
		xor	eax, eax

loc_82779C:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+25B7j
		test	eax, eax
		jnz	short loc_8277D9
		mov	ecx, [edx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject
		mov	eax, 0C0000225h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8277CE:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+256Cj
		mov	eax, [ebp+arg_8]
		mov	eax, [eax+ecx*8]
		mov	edx, [ebp+var_20]
		jmp	short loc_82779C
; 

loc_8277D9:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+257Ej
		shl	ecx, 3
		mov	[ebp+arg_0], ecx
		mov	eax, [edx+94h]
		mov	eax, [ecx+eax]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:14h[eax*4]
		mov	[ebp+var_4], 39h
		mov	[esi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, eax
		jb	loc_8259FE
		mov	[ebp+var_4], 3Ah
		mov	dword ptr [edi], 1
		lea	ecx, [edi+0Ch]
		mov	eax, [edx+94h]
		mov	edx, [ebp+arg_0]
		add	edx, eax
		lea	eax, [ebp+var_30]
		push	eax
		push	eax
		push	ecx
		lea	eax, [edi+4]
		push	eax
		mov	eax, [edx]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:8[eax*4]
		push	eax
		push	edx
		jmp	loc_82542A
; 

loc_827844:				; DATA XREF: .text:006A6084o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-180h], eax
		mov	eax, 1
		retn
; 

loc_827857:				; DATA XREF: .text:006A6088o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-180h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827892:				; DATA XREF: .text:006A6078o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-184h], eax
		mov	eax, 1
		retn
; 

loc_8278A5:				; DATA XREF: .text:006A607Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-184h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8278E0:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x20
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+var_20]
		mov	edx, [ecx+27Ch]
		test	edx, edx
		jz	short loc_82796F
		mov	eax, [edx+120h]
		mov	[ebp+arg_0], eax
		test	eax, eax
		mov	eax, [ebp+arg_4]
		jnz	short loc_827939
		cmp	eax, 21h
		jz	short loc_82796F

loc_827939:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2712j
		mov	edx, [edx+124h]
		test	edx, edx
		jnz	short loc_827948
		cmp	eax, 22h
		jz	short loc_82796F

loc_827948:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2721j
		cmp	eax, 21h
		jnz	short loc_827952
		mov	ecx, [ebp+arg_0]
		jmp	short loc_827957
; 

loc_827952:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+272Bj
		mov	ecx, edx
		mov	[ebp+arg_0], ecx

loc_827957:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2730j
		lea	eax, [ebp+var_38]
		push	eax
		push	0
		xor	edx, edx
		call	AuthzBasepQueryClaimAttributesToken
		mov	edx, [ebp+var_38]
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+arg_0]
		jmp	short loc_8279A5
; 

loc_82796F:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2702j
					; NtQueryInformationToken(x,x,x,x,x)+2717j ...
		mov	edx, 0Ch
		lea	eax, [ebp+var_90]
		mov	[ebp+var_8C], eax
		mov	[ebp+var_90], eax
		mov	[ebp+var_88], 0
		lea	eax, [ebp+var_84]
		mov	[ebp+var_80], eax
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_94]

loc_8279A5:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+274Dj
		mov	[ebp+var_4], 3Bh
		mov	[esi], edx
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, edx
		jb	loc_8253E3
		mov	[ebp+var_4], 3Ch
		lea	ecx, [ebp+var_38]
		push	ecx
		push	ebx
		mov	edx, edi
		mov	ecx, eax
		call	AuthzBasepQueryClaimAttributesToken

loc_8279D2:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2A9Aj
		mov	esi, eax
		mov	[ebp+var_54], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ebx, [ebp+var_20]

loc_8279E1:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2CF0j
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_8279EE:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+1A25j
					; NtQueryInformationToken(x,x,x,x,x)+1A46j
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827A0B:				; DATA XREF: .text:006A609Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-188h], eax
		mov	eax, 1
		retn
; 

loc_827A1E:				; DATA XREF: .text:006A60A0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-188h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827A59:				; DATA XREF: .text:006A6090o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-18Ch], eax
		mov	eax, 1
		retn
; 

loc_827A6C:				; DATA XREF: .text:006A6094o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-18Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827AA7:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x24
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+27Ch]
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	short loc_827B00
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_827B00
		lea	edx, ds:4[eax*8]
		jmp	short loc_827B08
; 

loc_827B00:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+28CCj
					; NtQueryInformationToken(x,x,x,x,x)+28D5j
		xor	eax, eax
		mov	[ebp+arg_0], eax
		lea	edx, [eax+0Ch]

loc_827B08:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+28DEj
		test	eax, eax
		jz	short loc_827B31
		mov	ecx, [ebp+arg_4]
		mov	ecx, [ecx+4]
		mov	edi, eax

loc_827B14:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2906j
		mov	eax, [ecx]
		movzx	eax, byte ptr [eax+1]
		lea	edx, [edx+eax*4]
		add	edx, 8
		lea	ecx, [ecx+8]
		sub	edi, 1
		jnz	short loc_827B14
		mov	edi, [ebp+arg_8]
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_20]

loc_827B31:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+28EAj
		mov	[ebp+var_4], 3Dh
		mov	[esi], edx
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, edx
		jb	loc_8253E3
		mov	[ebp+var_4], 3Eh
		xor	esi, esi
		mov	[edi+4], esi
		mov	[edi+8], esi
		mov	[edi], eax
		test	eax, eax
		jz	loc_825431
		lea	eax, ds:4[eax*8]
		add	eax, edi
		lea	esi, [ebp+var_30]
		push	esi
		push	esi
		push	eax
		lea	eax, [edi+4]
		push	eax
		push	edx
		mov	eax, [ecx+27Ch]
		mov	eax, [eax+4]
		push	eax
		push	[ebp+arg_0]
		jmp	loc_82542C
; 

loc_827B88:				; DATA XREF: .text:006A60B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-190h], eax
		mov	eax, 1
		retn
; 

loc_827B9B:				; DATA XREF: .text:006A60B8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-190h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827BD6:				; DATA XREF: .text:006A60A8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-194h], eax
		mov	eax, 1
		retn
; 

loc_827BE9:				; DATA XREF: .text:006A60ACo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-194h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827C24:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x26
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	eax, [ebp+var_20]
		mov	ecx, [eax+1DCh]
		test	ecx, ecx
		jnz	short loc_827C6F
		mov	ecx, 0Ch
		jmp	short loc_827C86
; 

loc_827C6F:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2A46j
		lea	eax, [ebp+var_38]
		push	eax		; int
		push	0		; size_t
		push	0		; size_t
		push	0		; int
		xor	edx, edx
		call	AuthzBasepQuerySecurityAttributesToken
		mov	ecx, [ebp+var_38]
		mov	eax, [ebp+var_20]

loc_827C86:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2A4Dj
		mov	[ebp+var_4], 3Fh
		mov	[esi], ecx
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, ecx
		jb	loc_825C57
		mov	[ebp+var_4], 40h
		lea	ecx, [ebp+var_38]
		push	ecx		; int
		push	ebx		; size_t
		push	edi		; size_t
		push	0		; int
		xor	edx, edx
		mov	ecx, [eax+1DCh]
		call	AuthzBasepQuerySecurityAttributesToken
		jmp	loc_8279D2
; 

loc_827CBF:				; DATA XREF: .text:006A60CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-198h], eax
		mov	eax, 1
		retn
; 

loc_827CD2:				; DATA XREF: .text:006A60D0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-198h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827D0D:				; DATA XREF: .text:006A60C0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-19Ch], eax
		mov	eax, 1
		retn
; 

loc_827D20:				; DATA XREF: .text:006A60C4o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-19Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827D5B:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x28
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	edx, [ebp+var_20]
		cmp	byte ptr [ebp+var_28], 0
		mov	ecx, [ebp+var_24]
		jnz	short loc_827DA4
		mov	ecx, [edx+280h]

loc_827DA4:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2B7Cj
		test	ecx, ecx
		jnz	short loc_827DAD
		lea	eax, [ecx+4]
		jmp	short loc_827DB8
; 

loc_827DAD:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2B86j
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:0Ch[eax*4]

loc_827DB8:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2B8Bj
		mov	[ebp+arg_0], eax
		mov	[ebp+var_4], 41h
		mov	[esi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, eax
		jb	loc_8259FE
		test	ecx, ecx
		jz	short loc_827DDA
		lea	ecx, [edi+4]

loc_827DDA:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2BB5j
		mov	[ebp+var_4], 42h
		mov	[edi], ecx
		test	ecx, ecx
		jz	loc_825431
		cmp	byte ptr [ebp+var_28], 0
		mov	eax, [ebp+var_24]
		jnz	short loc_827DFA
		mov	eax, [edx+280h]

loc_827DFA:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2BD2j
		push	eax		; void *
		push	ecx		; void *
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFFCh
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		jmp	loc_825431
; 

loc_827E0D:				; DATA XREF: .text:006A60E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1A0h], eax
		mov	eax, 1
		retn
; 

loc_827E20:				; DATA XREF: .text:006A60E8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1A0h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827E5B:				; DATA XREF: .text:006A60D8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1A4h], eax
		mov	eax, 1
		retn
; 

loc_827E6E:				; DATA XREF: .text:006A60DCo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1A4h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827EA9:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		call	_Feature_PPLEnforcement__private_ReportDeviceUsage@0 ; case 0x2F
		jmp	loc_826059	; default
; 

loc_827EB3:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x2A
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	eax, [ebp+var_20]
		mov	eax, [eax+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	[ebp+var_4], 45h
		push	esi		; int
		push	ebx		; size_t
		push	edi		; size_t
		push	1		; int
		push	0		; int
		push	0		; int
		mov	ebx, [ebp+var_20]
		mov	ecx, ebx
		call	SepInternalQuerySecurityAttributesTokenEx
		mov	esi, eax
		mov	[ebp+var_54], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_8279E1
; 

loc_827F15:				; DATA XREF: .text:006A6108o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1A8h], eax
		mov	eax, 1
		retn
; 

loc_827F28:				; DATA XREF: .text:006A610Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1A8h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_827F63:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		lea	eax, [ebp+var_24] ; case 0x2B
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_2C]
		mov	edx, 8
		mov	ecx, [ebp+arg_0]
		call	SepReferenceTokenByHandle
		test	eax, eax
		js	loc_82605E
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	ecx, 8
		mov	eax, [ebp+var_20]
		mov	edx, [eax+298h]
		test	edx, edx
		jz	short loc_827FB3
		movzx	ecx, word ptr [edx+16h]
		add	ecx, 8

loc_827FB3:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2D8Aj
		mov	[ebp+var_4], 46h
		mov	[esi], ecx
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, ecx
		jb	loc_825C57
		mov	[ebp+var_4], 47h
		mov	ebx, [ebp+var_20]
		cmp	dword ptr [ebx+298h], 0
		jz	short loc_82802B
		mov	byte ptr [edi+4], 1
		lea	esi, [edi+8]
		mov	[edi], esi
		call	_Feature_2543631672__private_IsEnabledDeviceUsage@0 ; Feature_2543631672__private_IsEnabledDeviceUsage()
		mov	ecx, [ebx+298h]
		test	eax, eax
		movzx	eax, word ptr [ecx+16h]
		push	eax		; size_t
		mov	eax, [ecx+18h]
		push	eax		; void *
		jz	short loc_828014
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82543B	; void *
; 

loc_828014:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2DDDj
		mov	eax, [edi]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82543B
; 

loc_82802B:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+2DBCj
		mov	byte ptr [edi+4], 0
		mov	dword ptr [edi], 0
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82543B
; 

loc_828041:				; DATA XREF: .text:006A6120o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1ACh], eax
		mov	eax, 1
		retn
; 

loc_828054:				; DATA XREF: .text:006A6124o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1ACh]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82808F:				; DATA XREF: .text:006A6114o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1B0h], eax
		mov	eax, 1
		retn
; 

loc_8280A2:				; DATA XREF: .text:006A6118o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1B0h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8280DD:				; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+15Bj
					; DATA XREF: PAGE:off_82818Co
		mov	[ebp+var_4], 48h ; case	0x2E
		mov	dword ptr [esi], 4
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	ebx, 4
		jb	loc_8253F8
		mov	[ebp+var_4], 49h
		mov	dl, cl
		mov	ecx, [ebp+arg_0]
		call	RtlIsSandboxedTokenHandle
		movzx	eax, al
		mov	[edi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82544F
_NtQueryInformationToken@20 endp


;  S U B	R O U T	I N E 


sub_82811C	proc near		; DATA XREF: .text:006A6138o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1B4h], eax
		mov	eax, 1
		retn
sub_82811C	endp


;  S U B	R O U T	I N E 


sub_82812F	proc near		; DATA XREF: .text:006A613Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1B4h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
sub_82812F	endp ; sp =  4

; 

loc_828153:				; DATA XREF: .text:006A612Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1B8h], eax
		mov	eax, 1
		retn
; 

loc_828166:				; DATA XREF: .text:006A6130o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1B8h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 
		align 4
off_82818C	dd offset loc_825382	; DATA XREF: NtQueryInformationToken(x,x,x,x,x)+15Br
		dd offset loc_825501	; jump table for switch	statement
		dd offset loc_82581A
		dd offset loc_825993
		dd offset loc_825AD0
		dd offset loc_825BF1
		dd offset loc_825D4C
		dd offset loc_825E37
		dd offset loc_826028
		dd offset loc_826128
		dd offset loc_82568F
		dd offset loc_8262BE
		dd offset loc_8263A8
		dd offset loc_826059
		dd offset loc_8267CA
		dd offset loc_8268A5
		dd offset loc_8269D7
		dd offset loc_825F14
		dd offset loc_826ABD
		dd offset loc_826DEE
		dd offset loc_826D0A
		dd offset loc_826621
		dd offset loc_826F2C
		dd offset loc_826F2C
		dd offset loc_827503
		dd offset loc_826F2C
		dd offset loc_827635
		dd offset loc_82772C
		dd offset loc_827056
		dd offset loc_827396
		dd offset loc_827244
		dd offset loc_82713F
		dd offset loc_8278E0
		dd offset loc_8278E0
		dd offset loc_826059
		dd offset loc_826059
		dd offset loc_827AA7
		dd offset loc_826059
		dd offset loc_827C24
		dd offset loc_826F2C
		dd offset loc_827D5B
		dd offset loc_826F2C
		dd offset loc_827EB3
		dd offset loc_827F63
		dd offset loc_826059
		dd offset loc_826059
		dd offset loc_8280DD
		dd offset loc_827EA9
		dd 5 dup(0CCCCCCCCh)
; 
; Exported entry 1741. ProbeForWrite

; __stdcall ProbeForWrite(x, x,	x)
		public _ProbeForWrite@12
_ProbeForWrite@12:			; CODE XREF: NtGetWriteWatch+176p
					; KiDispatchException+50Ap ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+0Ch]
		test	edx, edx
		jz	short loc_8282A8
		mov	ecx, [ebp+10h]
		mov	eax, [ebp+8]
		dec	ecx
		test	ecx, eax
		jnz	short loc_8282B0
		dec	edx
		add	edx, eax
		cmp	edx, ds:_MmUserProbeAddress
		jnb	short loc_8282AB
		cmp	eax, edx
		ja	short loc_8282AB
		and	edx, 0FFFFF000h
		add	edx, 1000h

loc_828292:				; CODE XREF: PAGE:008282A2j
		mov	cl, [eax]
		mov	[eax], cl
		and	eax, 0FFFFF000h
		add	eax, 1000h
		cmp	eax, edx
		jnz	short loc_828292

loc_8282A4:				; CODE XREF: PAGE:008282A9j
		pop	ebp
		retn	0Ch
; 

loc_8282A8:				; CODE XREF: PAGE:0082826Aj
		nop
		jmp	short loc_8282A4
; 

loc_8282AB:				; CODE XREF: PAGE:00828280j
					; PAGE:00828284j
		call	_ExRaiseAccessViolation@0 ; ExRaiseAccessViolation()

loc_8282B0:				; CODE XREF: PAGE:00828275j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 


; __stdcall IopFreeMiniCompletionPacket(x)
_IopFreeMiniCompletionPacket@4 proc near ; CODE	XREF: IoRemoveIoCompletion+D3p
					; IoFreeMiniCompletionPacket(x)+Cp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+8], 4
		jnz	short loc_8282EB
		mov	ecx, [esi+1Ch]
		test	ecx, ecx
		jz	short loc_8282DB
		mov	eax, [esi+20h]
		push	eax
		push	esi
		call	ecx

loc_8282D9:				; CODE XREF: IopFreeMiniCompletionPacket(x)+1Fj
		pop	esi
		retn
; 

loc_8282DB:				; CODE XREF: IopFreeMiniCompletionPacket(x)+10j
		cmp	byte ptr [esi+24h], 0
		jz	short loc_8282D9
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
; 

loc_8282EB:				; CODE XREF: IopFreeMiniCompletionPacket(x)+9j
		mov	ecx, large fs:20h
		push	edi
		mov	edi, [ecx+5D8h]
		mov	ax, [edi+4]
		inc	dword ptr [edi+14h]
		cmp	ax, [edi+8]
		jnb	short loc_828317

loc_828306:				; CODE XREF: IopFreeMiniCompletionPacket(x)+6Bj
		cmp	byte ptr [esi+8], 3
		jz	short loc_82833B

loc_82830C:				; CODE XREF: IopFreeMiniCompletionPacket(x)+82j
		mov	ecx, edi
		mov	edx, esi
		pop	edi
		pop	esi
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
; 

loc_828317:				; CODE XREF: IopFreeMiniCompletionPacket(x)+44j
		inc	dword ptr [edi+18h]
		mov	edi, [ecx+5DCh]
		mov	ax, [edi+4]
		inc	dword ptr [edi+14h]
		cmp	ax, [edi+8]
		jb	short loc_828306
		inc	dword ptr [edi+18h]
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
; 

loc_82833B:				; CODE XREF: IopFreeMiniCompletionPacket(x)+4Aj
		mov	ecx, esi
		call	ExReturnPoolQuota
		jmp	short loc_82830C
_IopFreeMiniCompletionPacket@4 endp

; 
		align 10h
; Exported entry 1605. NtWaitForSingleObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtWaitForSingleObject
NtWaitForSingleObject proc near		; CODE XREF: SepRmCallLsa+1C2p
					; PfSnPrefetchFileMetadata+119CC6p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A61B0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_28], 0
		mov	[ebp+var_24], 0
		mov	eax, large fs:124h
		mov	cl, [eax+15Ah]
		mov	byte ptr [ebp+var_20], cl
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_8283D7
		test	cl, cl
		jz	short loc_8283D7
		mov	[ebp+var_4], 0
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	short loc_8283FC

loc_8283BE:				; CODE XREF: NtWaitForSingleObject+AEj
		nop
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+arg_8], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_8283D7:				; CODE XREF: NtWaitForSingleObject+57j
					; NtWaitForSingleObject+5Bj
		push	eax
		push	[ebp+arg_4]
		mov	eax, [ebp+var_20]
		push	eax
		push	eax
		push	[ebp+arg_0]
		call	ObWaitForSingleObject

loc_8283E8:				; CODE XREF: sub_921658+Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8283FC:				; CODE XREF: NtWaitForSingleObject+6Cj
		mov	eax, ecx
		jmp	short loc_8283BE
NtWaitForSingleObject endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1650. ObWaitForSingleObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObWaitForSingleObject
ObWaitForSingleObject proc near		; CODE XREF: NtWaitForSingleObject+93p

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0092166A SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A61D0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_1C], 0
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	7457624Fh
		push	[ebp+arg_4]
		push	0
		push	100000h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8284D3
		mov	edi, [ebp+var_1C]
		lea	eax, [edi-18h]
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edi-0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	ecx, ds:_ObTypeIndexTable[ecx*4]
		mov	[ebp+arg_4], ecx
		mov	ebx, edi
		mov	eax, [ecx+10h]
		test	al, 1
		jnz	short loc_8284E9
		test	eax, eax
		js	short loc_8284A3

loc_8284A1:				; CODE XREF: ObWaitForSingleObject+F4j
		add	eax, ebx

loc_8284A3:				; CODE XREF: ObWaitForSingleObject+8Fj
					; ObWaitForSingleObject+FAj ...
		mov	[ebp+var_4], 0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	6
		push	eax
		call	KeWaitForSingleObject
		mov	esi, eax
		mov	[ebp+var_24], esi
		mov	[ebp+var_4], 0FFFFFFFEh

loc_8284C7:				; CODE XREF: sub_92168F+13j
		mov	edx, 7457624Fh
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_8284D3:				; CODE XREF: ObWaitForSingleObject+5Dj
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8284E9:				; CODE XREF: ObWaitForSingleObject+8Bj
		test	al, 2
		jz	short loc_828506
		movzx	esi, word ptr [ecx+7Ch]
		mov	edx, [ecx+78h]
		mov	ecx, edx
		and	ecx, [esi+ebx]
		cmp	ecx, edx
		jz	loc_92166A
		add	eax, 0FFFFFFFDh
		jmp	short loc_8284A1
; 

loc_828506:				; CODE XREF: ObWaitForSingleObject+DBj
		mov	eax, [eax+ebx-1]
		jmp	short loc_8284A3
ObWaitForSingleObject endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtRemoveIoCompletionEx proc near	; DATA XREF: .text:00580D80o

var_94		= dword	ptr -94h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 009216EF SIZE 0000002C BYTES
; FUNCTION CHUNK AT 00921743 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A61F0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_94], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_78], eax
		mov	esi, [ebp+arg_8]
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_80], edi
		push	40h		; size_t
		push	0		; int
		lea	eax, [ebp+var_5C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_88], 0
		mov	[ebp+var_84], 0
		mov	[ebp+var_70], 0
		test	esi, esi
		jz	loc_921743
		cmp	esi, 0FFFFFFFh
		ja	loc_921743
		mov	[ebp+var_68], 0
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_74], bl
		test	bl, bl
		jnz	loc_82866E
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_6C], eax
		test	eax, eax
		jz	loc_8286C6

loc_8285CE:				; CODE XREF: NtRemoveIoCompletionEx+1BCj
		cmp	esi, 10h
		ja	loc_9216EF

loc_8285D7:				; CODE XREF: NtRemoveIoCompletionEx+F91F9j
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_64], eax

loc_8285DD:				; CODE XREF: NtRemoveIoCompletionEx+F91F0j
		mov	eax, ds:_IoCompletionObjectType
		mov	[ebp+var_7C], 0
		push	0
		lea	ecx, [ebp+var_7C]
		push	ecx
		push	[ebp+var_74]
		push	eax
		push	2
		push	[ebp+var_94]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_82862C
		push	[ebp+arg_14]
		push	[ebp+var_6C]
		push	[ebp+var_74]
		lea	eax, [ebp+var_70]
		push	eax
		push	esi
		push	[ebp+var_64]
		mov	edx, [ebp+var_78]
		mov	ecx, [ebp+var_7C]
		call	IoRemoveIoCompletion
		mov	edi, eax
		mov	ecx, [ebp+var_7C]
		call	ObfDereferenceObject

loc_82862C:				; CODE XREF: NtRemoveIoCompletionEx+F4j
		lea	ecx, [ebp+var_5C]
		mov	eax, [ebp+var_64]
		cmp	eax, ecx
		jnz	loc_92170E

loc_82863A:				; CODE XREF: NtRemoveIoCompletionEx+F9206j
		test	edi, edi
		js	short loc_82864E
		test	bl, bl
		jnz	loc_8286D1
		mov	eax, [ebp+var_70]
		mov	ecx, [ebp+var_80]
		mov	[ecx], eax

loc_82864E:				; CODE XREF: NtRemoveIoCompletionEx+12Cj
					; NtRemoveIoCompletionEx+1D7j ...
		mov	eax, edi

loc_828650:				; CODE XREF: sub_9216DA+10j
					; NtRemoveIoCompletionEx+F9238j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_82866E:				; CODE XREF: NtRemoveIoCompletionEx+AAj
		mov	[ebp+var_4], 0
		push	4
		mov	eax, esi
		shl	eax, 4
		push	eax
		push	[ebp+var_78]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	short loc_8286EC

loc_828690:				; CODE XREF: NtRemoveIoCompletionEx+1DEj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_8286BF
		lea	eax, [ebp+var_88]
		mov	[ebp+var_68], eax
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_8286F0

loc_8286AD:				; CODE XREF: NtRemoveIoCompletionEx+1E2j
		nop
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[ebp+var_88], eax
		mov	[ebp+var_84], ecx

loc_8286BF:				; CODE XREF: NtRemoveIoCompletionEx+189j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_8286C6:				; CODE XREF: NtRemoveIoCompletionEx+B8j
		mov	eax, [ebp+var_68]
		mov	[ebp+var_6C], eax
		jmp	loc_8285CE
; 

loc_8286D1:				; CODE XREF: NtRemoveIoCompletionEx+130j
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_70]
		mov	ecx, [ebp+var_80]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82864E
; 

loc_8286EC:				; CODE XREF: NtRemoveIoCompletionEx+17Ej
		mov	ecx, eax
		jmp	short loc_828690
; 

loc_8286F0:				; CODE XREF: NtRemoveIoCompletionEx+19Bj
		mov	ecx, eax
		jmp	short loc_8286AD
NtRemoveIoCompletionEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapViewOfDataSection proc near	; CODE XREF: MiMapViewOfSection+32Dp

var_76		= byte ptr -76h
var_75		= byte ptr -75h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 0092174D SIZE 0000029F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	[esp+84h+var_8], 0
		push	edi
		mov	edi, ecx
		mov	[esp+88h+var_4], 0
		mov	[esp+88h+var_2C], edi
		test	byte ptr [esi+28h], 2
		mov	[esp+88h+var_18], 0
		jnz	loc_921782
		call	_MiAweControlArea@4 ; MiAweControlArea(x)
		test	eax, eax
		jnz	loc_921782
		mov	ebx, [esi+3Ch]
		mov	[esp+88h+var_28], eax
		mov	eax, [edi]
		mov	[esp+88h+var_50], eax
		mov	eax, [esi+14h]
		mov	ecx, eax
		mov	[esp+88h+var_74], ebx
		and	ecx, 2000h
		jnz	loc_828F61

loc_82876A:				; CODE XREF: MiMapViewOfDataSection+865j
		mov	edx, eax
		and	edx, 40000000h
		test	eax, 20000000h
		jnz	loc_92174D
		test	edx, edx
		jnz	loc_92179B

loc_828785:				; CODE XREF: MiMapViewOfDataSection:loc_92177Cj
					; MiMapViewOfDataSection+F90A5j ...
		mov	eax, [esi+8]
		cmp	eax, 200000h
		jnb	loc_9217B6

loc_828793:				; CODE XREF: MiMapViewOfDataSection+F90BAj
		test	ecx, ecx
		jnz	loc_828F70

loc_82879B:				; CODE XREF: MiMapViewOfDataSection+87Aj
					; MiMapViewOfDataSection+889j
		mov	eax, large fs:124h
		xor	ebx, ebx
		mov	[esp+88h+var_70], eax
		mov	ecx, edi
		mov	eax, [esp+88h+var_74]
		mov	[esp+88h+var_58], ebx
		mov	[esp+88h+var_14], ebx
		mov	[esp+88h+var_20], ebx
		mov	eax, [eax+24Ch]
		add	eax, 18h
		mov	[esp+88h+var_4C], eax
		call	MiCheckPurgeAndUpMapCount
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	edx, ecx
		mov	eax, [eax+4]
		mov	edi, eax
		shrd	edx, edi, 0Ch
		mov	[esp+88h+var_5C], edi
		mov	edi, [esi+0Ch]
		shr	[esp+88h+var_5C], 0Ch
		mov	[esp+88h+var_60], edx
		xor	edx, edx
		add	edi, ecx
		adc	edx, eax
		shrd	edi, edx, 0Ch
		mov	[esp+88h+var_40], edi
		mov	edi, [esp+88h+var_2C]
		mov	ecx, edi
		sar	edx, 0Ch
		mov	[esp+88h+var_44], edx
		call	_MiGetControlAreaPtes@4	; MiGetControlAreaPtes(x)
		mov	ecx, edx
		mov	[esp+88h+var_34], eax
		mov	edx, [esp+88h+var_5C]
		mov	[esp+88h+var_1C], ecx
		cmp	edx, ecx
		jb	loc_82908C
		ja	loc_9217CA
		mov	ecx, [esp+88h+var_60]
		cmp	ecx, eax
		jnb	loc_9217CA

loc_828833:				; CODE XREF: MiMapViewOfDataSection+990j
		mov	[esp+88h+var_75], bl
		cmp	[edi+20h], ebx
		jnz	loc_828C92
		mov	[esp+88h+var_8], ecx
		lea	ecx, [edi+50h]
		mov	[esp+88h+var_4], edx
		lea	edx, [esp+88h+var_8]
		call	_MiLocatePagefileSubsection@8 ;	MiLocatePagefileSubsection(x,x)
		cmp	[ebp+arg_10], 18h
		mov	[esp+88h+var_64], eax
		jz	loc_828D76

loc_82886B:				; CODE XREF: MiMapViewOfDataSection+5A9j
					; MiMapViewOfDataSection+679j ...
		mov	ax, [eax+10h]
		xor	ecx, ecx
		shr	ax, 6
		movzx	eax, ax
		cdq
		mov	edx, [esp+88h+var_64]
		or	ecx, [edx+14h]
		sub	[esp+88h+var_60], ecx
		mov	edx, [esp+88h+var_40]
		sbb	[esp+88h+var_5C], eax
		sub	edx, ecx
		mov	ecx, [esp+88h+var_44]
		sbb	ecx, eax
		mov	[esp+88h+var_40], edx
		cmp	[esp+88h+var_75], 1
		mov	[esp+88h+var_44], ecx
		jz	loc_828DF9

loc_8288A7:				; CODE XREF: MiMapViewOfDataSection+708j
		push	ecx
		mov	ecx, [esp+8Ch+var_64]
		push	edx
		mov	edx, 8
		call	MiAddViewsForSection
		mov	[esp+88h+var_6C], eax
		mov	[esp+88h+var_48], eax
		test	eax, eax
		js	loc_82905D
		mov	eax, [esp+88h+var_64]
		mov	ecx, [esp+88h+var_60]
		mov	eax, [eax+4]
		lea	eax, [eax+ecx*8]
		mov	[esp+88h+var_24], eax
		cmp	[edi+20h], ebx
		jnz	short loc_8288E9
		mov	edx, [ebp+arg_14]
		test	edx, edx
		jnz	loc_828D96

loc_8288E9:				; CODE XREF: MiMapViewOfDataSection+1DCj
					; MiMapViewOfDataSection+6A3j ...
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		mov	[esp+88h+var_38], edx
		mov	eax, [eax+0Ch]
		shl	eax, 0Ch
		mov	[esp+88h+var_34], eax
		call	_MmGetCurrentProcessorColor@0 ;	MmGetCurrentProcessorColor()
		or	eax, 80000000h
		mov	ecx, 4Ch
		push	eax
		push	edx
		push	40h
		mov	edx, 20646156h
		call	ExAllocatePoolMm
		mov	ebx, eax
		mov	[esp+88h+var_10], ebx
		test	ebx, ebx
		jz	loc_9217DE
		mov	ecx, [ebx+28h]
		mov	eax, [esp+88h+var_24]
		and	ecx, 0FBFFFFFFh
		mov	[ebx+30h], eax
		mov	eax, [esp+88h+var_64]
		mov	[ebx+2Ch], eax
		mov	eax, [ebp+arg_C]
		dec	eax
		mov	dword ptr [ebx+8], 0FFFFFFFEh
		neg	eax
		sbb	eax, eax
		and	eax, 0FC000000h
		add	eax, 4000000h
		or	ecx, eax
		mov	eax, [ebp+arg_10]
		shl	eax, 7
		xor	eax, [ebx+1Ch]
		and	eax, 0F80h
		mov	[ebx+28h], ecx
		xor	[ebx+1Ch], eax
		mov	eax, [esi+20h]
		mov	ecx, [ebx+1Ch]
		shl	eax, 0Ch
		xor	eax, ecx
		and	eax, 3F000h
		xor	eax, ecx
		mov	[ebx+1Ch], eax
		cmp	dword ptr [esi+20h], 0
		jnz	loc_9217E8

loc_82898C:				; CODE XREF: MiMapViewOfDataSection+F90F9j
		cmp	dword ptr [edi+20h], 0
		jnz	loc_828C75

loc_828996:				; CODE XREF: MiMapViewOfDataSection+57Cj
					; MiMapViewOfDataSection+58Dj
		mov	dword ptr [ebx+18h], 0
		lea	eax, [ebx+18h]
		mov	[esp+88h+var_C], eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		shrd	ecx, eax, 10h
		mov	eax, [ebx+28h]
		and	ecx, 0FFFFFFh
		and	eax, 0FF000000h
		or	eax, ecx
		mov	[ebx+28h], eax
		test	dword ptr [esi+28h], 4000000h
		jnz	loc_9217FE

loc_8289D0:				; CODE XREF: MiMapViewOfDataSection+F910Fj
		mov	eax, [ebp+arg_8]
		mov	eax, [eax+14h]
		test	al, 3
		jnz	loc_829066
		xor	eax, eax

loc_8289E0:				; CODE XREF: MiMapViewOfDataSection+978j
		mov	edx, [esp+88h+var_74]
		mov	ecx, [esp+88h+var_70]
		mov	[ebx+48h], eax
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		mov	eax, [esp+88h+var_74]
		test	byte ptr [eax+0FCh], 20h
		jnz	loc_92181C
		test	byte ptr [esi+30h], 1
		jnz	loc_828E26
		mov	eax, [esp+88h+var_34]
		test	eax, eax
		jnz	loc_921826
		mov	eax, [esi+8]
		xor	edx, edx
		mov	ecx, [esi+14h]
		mov	[esp+88h+var_68], eax
		mov	eax, [esi+0Ch]
		mov	[esp+88h+var_34], eax
		mov	eax, [esi+4]
		mov	[esp+88h+var_3C], eax
		mov	eax, [esi]
		mov	[esp+88h+var_6C], eax
		mov	eax, large fs:124h
		mov	[esp+88h+var_38], edx
		mov	[esp+88h+var_54], edx
		mov	[esp+88h+var_30], 0
		mov	edx, [eax+80h]
		mov	eax, [edx+24Ch]
		add	eax, 18h
		mov	[esp+88h+var_1C], eax
		test	ecx, 100000h
		jnz	loc_828DD3
		test	dword ptr [edx+0FCh], 200000h
		jnz	loc_828DD3
		mov	edx, [esp+88h+var_34]
		lea	ecx, [esp+88h+var_30]
		push	ecx
		lea	ecx, [esp+8Ch+var_54]
		push	ecx
		push	[ebp+arg_10]
		mov	ecx, eax
		push	[esp+94h+var_3C]
		push	[esp+98h+var_6C]
		push	0
		push	[esp+0A0h+var_68]
		call	MiFindEmptyAddressRange

loc_828AA2:				; CODE XREF: MiMapViewOfDataSection+6F4j
		cmp	[esp+88h+var_30], 1
		mov	[esp+88h+var_6C], eax
		jnz	short loc_828ABF
		cmp	[esp+88h+var_68], 10000h
		jnz	short loc_828ABF
		mov	edx, [esp+88h+var_1C]
		mov	[esp+88h+var_38], edx

loc_828ABF:				; CODE XREF: MiMapViewOfDataSection+3ABj
					; MiMapViewOfDataSection+3B5j
		mov	[esp+88h+var_48], eax
		test	eax, eax
		js	loc_829008
		mov	edx, [esi+0Ch]
		mov	ecx, [esp+88h+var_54]
		dec	edx
		add	edx, ecx
		mov	[esp+88h+var_68], ecx
		mov	[esp+88h+var_3C], edx

loc_828ADD:				; CODE XREF: MiMapViewOfDataSection+76Cj
		mov	edx, ecx
		mov	ecx, [esp+88h+var_3C]
		shr	edx, 0Ch
		shr	ecx, 0Ch
		mov	[ebx+0Ch], edx
		mov	[ebx+10h], ecx
		test	dword ptr [esi+14h], 2000h
		mov	[esp+88h+var_1C], edx
		mov	[esp+88h+var_34], ecx
		jnz	loc_828E88

loc_828B04:				; CODE XREF: MiMapViewOfDataSection+85Cj
		mov	eax, [ebp+arg_10]
		and	eax, 5
		cmp	al, 5
		jz	loc_828E71

loc_828B12:				; CODE XREF: MiMapViewOfDataSection+783j
		sub	ecx, edx
		xor	eax, eax
		add	ecx, [esp+88h+var_60]
		adc	eax, [esp+88h+var_5C]
		push	eax
		push	ecx
		mov	ecx, [esp+90h+var_64]
		call	_MiComputeContiguousSubsectionPte@12 ; MiComputeContiguousSubsectionPte(x,x,x)
		mov	[ebx+34h], eax
		test	dword ptr [esi+14h], 400000h
		jnz	loc_828D43
		mov	eax, [ebp+arg_8]
		test	dword ptr [eax+20h], 4000h
		jnz	loc_828D43

loc_828B49:				; CODE XREF: MiMapViewOfDataSection+65Fj
		test	dword ptr [esi+14h], 20000000h
		jnz	loc_92189B

loc_828B56:				; CODE XREF: MiMapViewOfDataSection+F91BAj
		cmp	dword ptr [edi+20h], 0
		jnz	short loc_828B7D
		mov	edx, [esp+88h+var_74]
		mov	ecx, edi
		push	0
		call	MiInsertSharedCommitNode
		mov	[esp+88h+var_6C], eax
		test	eax, eax
		js	loc_9218C6
		mov	[esp+88h+var_20], 1

loc_828B7D:				; CODE XREF: MiMapViewOfDataSection+45Aj
		mov	eax, [esp+88h+var_28]
		test	eax, eax
		jnz	loc_82901A

loc_828B89:				; CODE XREF: MiMapViewOfDataSection+92Aj
		mov	edx, [esp+88h+var_74]
		push	ecx
		mov	ecx, ebx
		call	MiInsertVadCharges
		mov	[esp+88h+var_6C], eax
		test	eax, eax
		js	loc_9218C6
		cmp	dword ptr [edi+20h], 0
		mov	ecx, [esp+88h+var_4C]
		jnz	short loc_828BB5
		cmp	dword ptr [edi+1Ch], 0
		jl	loc_9218F8

loc_828BB5:				; CODE XREF: MiMapViewOfDataSection+4A9j
					; MiMapViewOfDataSection+F920Ej
		mov	eax, [esp+88h+var_58]
		test	eax, eax
		jnz	loc_921913
		mov	ecx, [esp+88h+var_70]
		mov	edx, ebx
		call	_MiLockVad@8	; MiLockVad(x,x)

loc_828BCC:				; CODE XREF: MiMapViewOfDataSection+F9229j
		mov	ecx, ebx
		call	MiGetWsAndInsertVad
		cmp	dword ptr [edi+20h], 0
		jnz	short loc_828BE7
		mov	ecx, [esp+88h+var_50]
		cmp	dword ptr [ecx+24h], 0
		jz	loc_828D6A

loc_828BE7:				; CODE XREF: MiMapViewOfDataSection+4D7j
					; MiMapViewOfDataSection+671j
		mov	eax, [esp+88h+var_38]
		test	eax, eax
		jz	short loc_828BFD
		mov	edx, [esp+88h+var_34]
		mov	ecx, [esp+88h+var_1C]
		push	eax
		call	MiAdvanceVadHint

loc_828BFD:				; CODE XREF: MiMapViewOfDataSection+4EDj
		mov	eax, [ebp+arg_10]
		cmp	eax, 4
		jnz	short loc_828C6E

loc_828C05:				; CODE XREF: MiMapViewOfDataSection+573j
		cmp	dword ptr [edi+20h], 0
		jnz	loc_828E1D

loc_828C0F:				; CODE XREF: MiMapViewOfDataSection+571j
					; MiMapViewOfDataSection+721j
		test	ds:_PerfGlobalGroupMask, 8000h
		jnz	loc_92192E

loc_828C1F:				; CODE XREF: MiMapViewOfDataSection+F923Dj
		xor	edi, edi
		and	eax, 2
		mov	[ebp+arg_10], eax
		jnz	loc_828CAE

loc_828C2D:				; CODE XREF: MiMapViewOfDataSection+5B5j
		cmp	[esi+38h], edi
		jnz	loc_828CBB
		mov	esi, [esp+88h+var_58]
		test	esi, esi
		jnz	loc_921989
		mov	ecx, [esp+88h+var_70]
		mov	edx, ebx
		call	MiUnlockVad
		mov	edx, [esp+88h+var_74]
		mov	ecx, [esp+88h+var_70]
		call	UNLOCK_ADDRESS_SPACE

loc_828C5A:				; CODE XREF: MiMapViewOfDataSection+F92C2j
		mov	ecx, [ebp+arg_0]
		mov	eax, [esp+88h+var_68]
		mov	[ecx], eax
		mov	eax, edi

loc_828C65:				; CODE XREF: MiMapViewOfDataSection+F9087j
					; MiMapViewOfDataSection+F90C5j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_828C6E:				; CODE XREF: MiMapViewOfDataSection+503j
		cmp	eax, 6
		jnz	short loc_828C0F
		jmp	short loc_828C05
; 

loc_828C75:				; CODE XREF: MiMapViewOfDataSection+290j
		test	dword ptr [esi+14h], 20002000h
		jnz	loc_828996
		mov	eax, [ebx+28h]
		or	eax, 2000000h
		mov	[ebx+28h], eax
		jmp	loc_828996
; 

loc_828C92:				; CODE XREF: MiMapViewOfDataSection+13Aj
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		mov	eax, [ecx+4]
		push	eax
		mov	eax, [ecx]
		mov	ecx, edi
		push	eax
		call	_MiLocateSubsectionNode@16 ; MiLocateSubsectionNode(x,x,x,x)
		mov	[esp+88h+var_64], eax
		jmp	loc_82886B
; 

loc_828CAE:				; CODE XREF: MiMapViewOfDataSection+527j
		call	_MiIsProcessCfgEnabled@0 ; MiIsProcessCfgEnabled()
		test	eax, eax
		jz	loc_828C2D

loc_828CBB:				; CODE XREF: MiMapViewOfDataSection+530j
		mov	edx, [esp+88h+var_74]
		mov	ecx, [esp+88h+var_70]
		call	UNLOCK_ADDRESS_SPACE_UNORDERED
		mov	ecx, ebx
		call	_MiReferenceVad@4 ; MiReferenceVad(x)
		cmp	[ebp+arg_10], edi
		jnz	loc_829035

loc_828CD8:				; CODE XREF: MiMapViewOfDataSection+93Cj
					; MiMapViewOfDataSection+952j
		cmp	dword ptr [esi+38h], 0
		jz	short loc_828D1C
		mov	eax, [esi+34h]
		cmp	eax, 2
		jnz	loc_828E0D

loc_828CEA:				; CODE XREF: MiMapViewOfDataSection+712j
					; MiMapViewOfDataSection+F9245j ...
		mov	edx, [esp+88h+var_68]
		lea	ecx, [esp+88h+var_18]
		push	ecx
		push	0
		push	eax
		mov	eax, [esi+0Ch]
		mov	ecx, ebx
		push	eax
		call	_MiSecureVad@24	; MiSecureVad(x,x,x,x,x,x)
		test	eax, eax
		js	loc_921959
		mov	ecx, [esp+88h+var_74]
		mov	eax, [esi+38h]
		xor	ecx, [esp+88h+var_18]
		xor	ecx, dword_6D061C
		mov	[eax], ecx

loc_828D1C:				; CODE XREF: MiMapViewOfDataSection+5DCj
		mov	esi, [esp+88h+var_58]
		mov	ecx, ebx
		test	esi, esi
		jnz	loc_921982
		call	MiUnlockAndDereferenceVad
		mov	ecx, [ebp+arg_0]
		mov	eax, [esp+88h+var_68]
		mov	[ecx], eax
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_828D43:				; CODE XREF: MiMapViewOfDataSection+433j
					; MiMapViewOfDataSection+443j
		mov	edx, [esp+88h+var_68]
		mov	ecx, ebx
		push	0
		push	80000000h
		push	[esp+90h+var_3C]
		call	MiAddSecureEntry
		mov	[esp+88h+var_14], eax
		test	eax, eax
		jnz	loc_828B49
		jmp	loc_921894
; 

loc_828D6A:				; CODE XREF: MiMapViewOfDataSection+4E1j
		mov	eax, [esp+88h+var_68]
		mov	[ecx+24h], eax
		jmp	loc_828BE7
; 

loc_828D76:				; CODE XREF: MiMapViewOfDataSection+165j
		cmp	[ebp+arg_14], ebx
		jnz	loc_82886B
		test	dword ptr [edi+1Ch], 1000h
		jz	loc_82886B
		mov	[esp+88h+var_75], 1
		jmp	loc_82886B
; 

loc_828D96:				; CODE XREF: MiMapViewOfDataSection+1E3j
		mov	ecx, edi
		call	_MiGetCommittedPages@4 ; MiGetCommittedPages(x)
		xor	ecx, ecx
		cmp	ecx, [esp+88h+var_1C]
		ja	loc_8288E9
		jb	short loc_828DB5
		cmp	eax, [esp+88h+var_34]
		jnb	loc_8288E9

loc_828DB5:				; CODE XREF: MiMapViewOfDataSection+6A9j
		test	edx, 0FFFh
		jnz	loc_9217D4
		xor	eax, eax

loc_828DC3:				; CODE XREF: MiMapViewOfDataSection+F90D9j
		mov	ecx, edx
		shr	ecx, 0Ch
		add	ecx, eax
		mov	[esp+88h+var_28], ecx
		jmp	loc_8288E9
; 

loc_828DD3:				; CODE XREF: MiMapViewOfDataSection+366j
					; MiMapViewOfDataSection+376j
		mov	edx, [esp+88h+var_34]
		lea	ecx, [esp+88h+var_54]
		push	ecx
		push	[ebp+arg_10]
		mov	ecx, eax
		push	[esp+90h+var_3C]
		push	[esp+94h+var_6C]
		push	0
		push	[esp+9Ch+var_68]
		call	MiFindEmptyAddressRangeDown
		jmp	loc_828AA2
; 

loc_828DF9:				; CODE XREF: MiMapViewOfDataSection+1A1j
		mov	edx, 1
		xor	ecx, ecx
		mov	[esp+88h+var_40], edx
		mov	[esp+88h+var_44], ecx
		jmp	loc_8288A7
; 

loc_828E0D:				; CODE XREF: MiMapViewOfDataSection+5E4j
		cmp	eax, 80000001h
		jz	loc_828CEA
		jmp	loc_921942
; 

loc_828E1D:				; CODE XREF: MiMapViewOfDataSection+509j
		lock inc dword ptr [edi+34h]
		jmp	loc_828C0F
; 

loc_828E26:				; CODE XREF: MiMapViewOfDataSection+305j
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]

loc_828E2B:				; CODE XREF: MiMapViewOfDataSection+F912Dj
		mov	edx, [esi+0Ch]
		dec	edx
		mov	[esp+88h+var_68], ecx
		add	edx, ecx
		mov	[esp+88h+var_54], ecx
		test	dword ptr [esi+28h], 4000000h
		mov	[esp+88h+var_3C], edx
		jnz	loc_921832
		mov	eax, [esi+4]
		sub	edx, ecx
		push	eax
		mov	eax, [esi]
		inc	edx
		push	eax
		push	edx
		mov	edx, ecx
		mov	ecx, [esp+94h+var_74]
		call	MiIsVaRangeAvailable
		test	eax, eax
		jz	loc_828F94

loc_828E68:				; CODE XREF: MiMapViewOfDataSection+F9147j
		mov	ecx, [esp+88h+var_68]
		jmp	loc_828ADD
; 

loc_828E71:				; CODE XREF: MiMapViewOfDataSection+40Cj
		mov	eax, [ebx+10h]
		sub	eax, [ebx+0Ch]
		inc	eax
		xor	eax, [ebx+20h]
		and	eax, 7FFFFFFFh
		xor	[ebx+20h], eax
		jmp	loc_828B12
; 

loc_828E88:				; CODE XREF: MiMapViewOfDataSection+3FEj
		mov	eax, [esp+88h+var_70]
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6CF3C8
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esp+88h+var_50]
		mov	ecx, [eax+18h]
		mov	[esp+88h+var_6C], ecx
		test	ecx, ecx
		jnz	loc_829012
		push	ecx
		push	40h
		mov	edx, 78436D4Dh
		mov	ecx, 10h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[esp+88h+var_6C], eax
		test	eax, eax
		jz	loc_921856
		mov	edi, [esp+88h+var_50]
		mov	dword ptr [eax+8], 1
		add	edi, 10h
		or	eax, 0FFFFFFFFh
		or	edx, eax
		nop
		or	ebx, eax
		or	ecx, eax
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [esp+88h+var_6C]
		mov	ebx, [esp+88h+var_10]
		mov	edi, [esp+88h+var_2C]
		mov	[ecx], eax
		mov	eax, [esp+88h+var_50]
		mov	[ecx+4], edx
		mov	[eax+18h], ecx

loc_828F05:				; CODE XREF: MiMapViewOfDataSection+915j
		mov	eax, [ebp+arg_8]
		mov	edx, [eax+18h]
		mov	eax, [eax+1Ch]
		mov	[esp+88h+var_2C], eax
		mov	eax, [ecx+4]
		cmp	eax, [esp+88h+var_2C]
		ja	short loc_828F29
		jb	loc_921886
		cmp	[ecx], edx
		jb	loc_921886

loc_828F29:				; CODE XREF: MiMapViewOfDataSection+819j
					; MiMapViewOfDataSection+F918Fj
		or	eax, 0FFFFFFFFh
		mov	ecx, offset dword_6CF3C8
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_82907D

loc_828F3F:				; CODE XREF: MiMapViewOfDataSection+987j
		call	KeAbPostRelease
		mov	ecx, [esp+88h+var_70]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [esp+88h+var_6C]
		mov	edx, [esp+88h+var_1C]
		mov	ecx, [esp+88h+var_34]
		mov	[ebx+44h], eax
		jmp	loc_828B04
; 

loc_828F61:				; CODE XREF: MiMapViewOfDataSection+64j
		cmp	dword ptr [edi+20h], 0
		jnz	loc_82876A
		jmp	loc_921782
; 

loc_828F70:				; CODE XREF: MiMapViewOfDataSection+95j
		mov	ecx, [ebp+arg_4]
		cmp	dword ptr [ecx+4], 100h
		jb	loc_82879B
		ja	loc_9217C0
		cmp	dword ptr [ecx], 0
		jb	loc_82879B
		jmp	loc_9217C0
; 

loc_828F94:				; CODE XREF: MiMapViewOfDataSection+762j
		mov	esi, 0C0000018h
		mov	eax, ecx

loc_828F9B:				; CODE XREF: MiMapViewOfDataSection+910j
					; MiMapViewOfDataSection+F9121j
		mov	ecx, [esp+88h+var_70]
		mov	edx, eax
		call	UNLOCK_ADDRESS_SPACE
		cmp	[esp+88h+var_20], 1
		jz	loc_9218E6

loc_828FB1:				; CODE XREF: MiMapViewOfDataSection+F90E3j
					; MiMapViewOfDataSection+F9117j ...
		push	[esp+88h+var_44]
		mov	ecx, [esp+8Ch+var_64]
		push	[esp+8Ch+var_40]
		call	_MiRemoveViewsFromSectionWithPfn@16 ; MiRemoveViewsFromSectionWithPfn(x,x,x,x)

loc_828FC2:				; CODE XREF: MiMapViewOfDataSection+961j
					; MiMapViewOfDataSection+F90CFj
		mov	ecx, edi
		call	_MiDereferenceControlArea@4 ; MiDereferenceControlArea(x)
		test	ebx, ebx
		jz	short loc_828FF1
		cmp	dword ptr [ebx+44h], 0
		jl	loc_9219C7

loc_828FD7:				; CODE XREF: MiMapViewOfDataSection+F92D0j
		mov	ecx, [ebx+48h]
		test	ecx, ecx
		jnz	loc_9219D5

loc_828FE2:				; CODE XREF: MiMapViewOfDataSection+F92DAj
		mov	ecx, ebx
		call	MiFreePlaceholderStorage
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_828FF1:				; CODE XREF: MiMapViewOfDataSection+8CBj
		mov	eax, [esp+88h+var_14]
		test	eax, eax
		jnz	loc_9219DF

loc_828FFD:				; CODE XREF: MiMapViewOfDataSection+F92E7j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_829008:				; CODE XREF: MiMapViewOfDataSection+3C5j
		mov	esi, [esp+88h+var_6C]

loc_82900C:				; CODE XREF: MiMapViewOfDataSection+F9151j
					; MiMapViewOfDataSection+F91D0j ...
		mov	eax, [esp+88h+var_74]
		jmp	short loc_828F9B
; 

loc_829012:				; CODE XREF: MiMapViewOfDataSection+7ADj
		inc	dword ptr [ecx+8]
		jmp	loc_828F05
; 

loc_82901A:				; CODE XREF: MiMapViewOfDataSection+483j
		mov	edx, [esp+88h+var_24]
		mov	ecx, [esp+88h+var_64]
		push	eax
		call	MiChargeSegmentCommit
		test	eax, eax
		jnz	loc_828B89
		jmp	loc_9218BF
; 

loc_829035:				; CODE XREF: MiMapViewOfDataSection+5D2j
		call	_MiIsProcessCfgEnabled@0 ; MiIsProcessCfgEnabled()
		test	eax, eax
		jz	loc_828CD8
		push	[ebp+arg_18]
		xor	edx, edx
		mov	ecx, ebx
		call	MiCommitVadCfgBits
		mov	edi, eax
		test	edi, edi
		jns	loc_828CD8
		jmp	loc_92195B
; 

loc_82905D:				; CODE XREF: MiMapViewOfDataSection+1C1j
		mov	esi, [esp+88h+var_6C]
		jmp	loc_828FC2
; 

loc_829066:				; CODE XREF: MiMapViewOfDataSection+2D8j
		and	eax, 0FFFFFFFCh
		mov	ecx, eax
		mov	[esp+88h+var_1C], eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [esp+88h+var_1C]
		jmp	loc_8289E0
; 

loc_82907D:				; CODE XREF: MiMapViewOfDataSection+839j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset dword_6CF3C8
		jmp	loc_828F3F
; 

loc_82908C:				; CODE XREF: MiMapViewOfDataSection+11Bj
		mov	ecx, [esp+88h+var_60]
		jmp	loc_828833
MiMapViewOfDataSection endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmCleanProcessAddressSpace proc	near	; CODE XREF: PspRundownSingleProcess(x,x)+1A4p

var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009219EC SIZE 0000009C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		mov	esi, ecx
		mov	[ebp+var_4], esi
		stosd
		stosd
		stosd
		call	MiCleanEmbryonicProcess
		cmp	eax, 1
		jz	loc_8292B4
		lea	eax, [esi+240h]
		push	0
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_28]
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ebx, large fs:124h
		mov	edx, esi
		mov	ecx, ebx
		call	MiBeginProcessClean
		mov	[ebp+var_18], eax
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ecx, [esi+24Ch]
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], ecx

loc_829101:				; CODE XREF: MmCleanProcessAddressSpace+F8984j
					; MmCleanProcessAddressSpace+F8994j
		mov	edx, esi
		mov	[ebp+var_8], 0
		mov	ecx, ebx
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	edx, [ebp+var_4]
		xor	esi, esi
		mov	eax, [edx+350h]
		test	eax, eax
		jz	short loc_829128

loc_829120:				; CODE XREF: MmCleanProcessAddressSpace+86j
		mov	esi, eax
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_829120

loc_829128:				; CODE XREF: MmCleanProcessAddressSpace+7Ej
		test	esi, esi
		jz	loc_829201
		mov	ecx, esi
		call	_MiReferenceVad@4 ; MiReferenceVad(x)

loc_829137:				; CODE XREF: MmCleanProcessAddressSpace+12Aj
		mov	eax, [esi+4]
		mov	edi, esi
		mov	ecx, esi
		test	eax, eax
		jz	loc_8291CF
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_82915A
		mov	edi, edi

loc_829150:				; CODE XREF: MmCleanProcessAddressSpace+B8j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_829150

loc_82915A:				; CODE XREF: MmCleanProcessAddressSpace+ACj
					; MmCleanProcessAddressSpace+135j ...
		test	esi, esi
		jz	short loc_829165
		mov	ecx, esi
		call	_MiReferenceVad@4 ; MiReferenceVad(x)

loc_829165:				; CODE XREF: MmCleanProcessAddressSpace+BCj
		mov	ecx, ebx
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	edx, edi
		mov	ecx, ebx
		call	_MiLockVad@8	; MiLockVad(x,x)
		mov	ecx, edi
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		cmp	eax, 1
		jz	loc_9219EC
		xor	edx, edx
		test	dword ptr [edi+1Ch], 100000h
		push	0
		jnz	short loc_8291EE
		call	MiUnmapVad

loc_829197:				; CODE XREF: MmCleanProcessAddressSpace+153j
					; MmCleanProcessAddressSpace+F895Fj
		mov	edi, [ebp+var_4]
		mov	ecx, ebx
		mov	edx, edi
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)
		test	esi, esi
		jz	short loc_8291F5
		mov	edx, esi
		mov	ecx, ebx
		call	_MiLockVad@8	; MiLockVad(x,x)
		mov	ecx, esi
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		mov	edx, esi
		mov	ecx, ebx
		test	eax, eax
		jnz	loc_921A04
		call	MiUnlockVad
		mov	edx, edi
		jmp	loc_829137
; 

loc_8291CF:				; CODE XREF: MmCleanProcessAddressSpace+A0j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	short loc_82915A

loc_8291D7:				; CODE XREF: MmCleanProcessAddressSpace+147j
		cmp	[esi], ecx
		jz	loc_82915A
		mov	ecx, esi
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_8291D7
		jmp	loc_82915A
; 

loc_8291EE:				; CODE XREF: MmCleanProcessAddressSpace+F0j
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)
		jmp	short loc_829197
; 

loc_8291F5:				; CODE XREF: MmCleanProcessAddressSpace+105j
		cmp	[ebp+var_8], 0
		jnz	loc_921A29
		mov	edx, edi

loc_829201:				; CODE XREF: MmCleanProcessAddressSpace+8Aj
		mov	edi, [ebp+var_C]
		lea	eax, [ebp+var_28]
		mov	[edi+78h], eax
		or	eax, 0FFFFFFFFh
		lock xadd [edi+68h], eax
		jnz	loc_921A39
		xor	esi, esi

loc_82921A:				; CODE XREF: MmCleanProcessAddressSpace+F899Ej
		mov	ecx, ebx
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		cmp	esi, 1
		jz	loc_921A43

loc_82922A:				; CODE XREF: MmCleanProcessAddressSpace+F89B4j
		mov	ecx, [ebp+var_10]
		mov	al, [ecx+63h]
		and	al, 60h
		cmp	al, 60h
		jz	loc_921A59

loc_82923A:				; CODE XREF: MmCleanProcessAddressSpace+F89BEj
		call	ExFreeSvmAsid
		call	_MiCleanCfg@0	; MiCleanCfg()
		mov	edi, [ebp+var_4]
		mov	ecx, ebx
		mov	edx, edi
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		mov	ecx, [ebp+var_C]
		mov	dword ptr [ecx+78h], 0
		mov	eax, [edi+24Ch]
		mov	ecx, [eax+9Ch]
		test	ecx, ecx
		jnz	loc_921A63

loc_82926E:				; CODE XREF: MmCleanProcessAddressSpace+F89CAj
					; MmCleanProcessAddressSpace+F89E3j
		xor	edx, edx
		mov	ecx, edi
		call	MiDeleteCloneZombies
		mov	ecx, edi
		call	_MiCleanWorkingSet@4 ; MiCleanWorkingSet(x)
		mov	edx, edi
		mov	ecx, ebx
		mov	esi, eax
		call	UNLOCK_ADDRESS_SPACE
		push	esi
		mov	ecx, edi
		call	_PsReturnProcessQuota@12 ; PsReturnProcessQuota(x,x,x)
		mov	edx, esi
		mov	esi, [ebp+var_14]
		mov	ecx, esi
		call	_MiReturnResident@8 ; MiReturnResident(x,x)
		test	dword ptr [edi+0FCh], 10000h
		jz	short loc_8292AE
		call	_MiDereferenceSession@0	; MiDereferenceSession()

loc_8292AE:				; CODE XREF: MmCleanProcessAddressSpace+207j
		cmp	[ebp+var_18], 0
		jnz	short loc_8292BB

loc_8292B4:				; CODE XREF: MmCleanProcessAddressSpace+21j
					; MmCleanProcessAddressSpace+222j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8292BB:				; CODE XREF: MmCleanProcessAddressSpace+212j
		mov	ecx, esi
		call	MiContractWsSwapPageFile
		jmp	short loc_8292B4
MmCleanProcessAddressSpace endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAdvanceVadHint proc near		; CODE XREF: MiMapViewOfImageSection+73Dp
					; MiReserveUserMemory+2B5p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00921A88 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		shr	edx, 4
		shr	ecx, 4
		movzx	edx, dx
		mov	eax, [edi+4]
		sub	eax, dword_6D2E88
		shl	eax, 3
		movzx	esi, cx
		cmp	edx, eax
		jb	short loc_82935E
		mov	ecx, [edi]
		add	ecx, eax
		cmp	esi, ecx
		jnb	short loc_82935E
		push	ebx
		xor	ebx, ebx
		mov	[ebp+arg_0], ebx
		cmp	esi, eax
		jb	loc_921A88

loc_82930C:				; CODE XREF: MiAdvanceVadHint+F87C2j
		cmp	edx, ecx
		jnb	loc_921A97

loc_829314:				; CODE XREF: MiAdvanceVadHint+F87D2j
		sub	edx, eax
		sub	esi, eax
		mov	ecx, edx
		sub	ecx, esi
		lea	ecx, [ecx+1]
		jnz	short loc_829374
		test	ebx, ebx
		jnz	short loc_829374

loc_829325:				; CODE XREF: MiAdvanceVadHint+A7j
		inc	edx
		mov	[edi+8], edx

loc_829329:				; CODE XREF: MiAdvanceVadHint+AAj
		mov	ebx, [edi+10h]
		cmp	ebx, edx
		jnb	short loc_829364
		mov	eax, [edi+0Ch]
		add	eax, ebx
		cmp	eax, esi
		jbe	short loc_829364
		mov	eax, [ebp+arg_0]
		mov	esi, 1

loc_829341:				; CODE XREF: MiAdvanceVadHint+A0j
		mov	[edi+10h], edx

loc_829344:				; CODE XREF: MiAdvanceVadHint+A2j
		cmp	ecx, 1
		jbe	short loc_82935D
		test	eax, eax
		jnz	short loc_82935D
		test	esi, esi
		jz	short loc_82935A
		mov	eax, [edi+0Ch]
		cmp	ecx, eax
		jb	short loc_82935A
		mov	ecx, eax

loc_82935A:				; CODE XREF: MiAdvanceVadHint+7Fj
					; MiAdvanceVadHint+86j
		mov	[edi+0Ch], ecx

loc_82935D:				; CODE XREF: MiAdvanceVadHint+77j
					; MiAdvanceVadHint+7Bj	...
		pop	ebx

loc_82935E:				; CODE XREF: MiAdvanceVadHint+24j
					; MiAdvanceVadHint+2Cj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_829364:				; CODE XREF: MiAdvanceVadHint+5Ej
					; MiAdvanceVadHint+67j
		cmp	ecx, 1
		jbe	short loc_82935D
		mov	eax, [ebp+arg_0]
		xor	esi, esi
		test	eax, eax
		jz	short loc_829341
		jmp	short loc_829344
; 

loc_829374:				; CODE XREF: MiAdvanceVadHint+4Fj
					; MiAdvanceVadHint+53j
		cmp	esi, [edi+8]
		jz	short loc_829325
		inc	edx
		jmp	short loc_829329
MiAdvanceVadHint endp

; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 1534. NtMapViewOfSection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtMapViewOfSection
NtMapViewOfSection proc	near		; DATA XREF: .text:00580F88o

var_94		= dword	ptr -94h
var_88		= dword	ptr -88h
var_64		= byte ptr -64h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 00921AA7 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6218
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 84h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		push	58h		; size_t
		push	0		; int
		lea	eax, [ebp+var_94]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jnz	loc_921AA7

loc_829400:				; CODE XREF: NtMapViewOfSection+F871Aj
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_C+3],	al
		mov	byte ptr [ebp+var_1C], al
		lea	eax, [ebp+var_3C]
		push	eax
		push	[ebp+var_1C]
		push	esi
		push	[ebp+arg_24]
		mov	edi, [ebp+arg_14]
		push	edi
		mov	ebx, [ebp+arg_18]
		push	ebx
		push	[ebp+arg_8]
		push	0
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		call	MiMapViewOfSectionCommon
		test	eax, eax
		js	loc_829546
		push	esi
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+var_38]
		push	[ebp+var_3C]
		push	[ebp+var_24]
		mov	edx, [ebp+var_28]
		lea	ecx, [ebp+var_94]
		call	MiMapParametersInitialize
		mov	esi, eax
		test	esi, esi
		js	loc_829514
		push	0
		push	[ebp+arg_1C]
		lea	eax, [ebp+var_34]
		push	eax
		push	[ebp+arg_10]
		lea	eax, [ebp+var_3C]
		push	eax
		lea	edx, [ebp+var_94]
		mov	ecx, [ebp+var_28]
		call	MiMapViewOfSection
		mov	esi, eax
		mov	[ebp+arg_14], esi
		test	esi, esi
		js	loc_829514
		test	[ebp+var_64], 4
		jnz	short loc_829501

loc_829496:				; CODE XREF: NtMapViewOfSection+182j
		mov	eax, [ebp+var_28]
		test	byte ptr [eax+20h], 20h
		jnz	short loc_8294A9
		test	byte ptr [ebp+var_2C], 2
		jnz	loc_82952A

loc_8294A9:				; CODE XREF: NtMapViewOfSection+10Dj
					; NtMapViewOfSection+1B1j
		mov	[ebp+var_4], 0
		mov	eax, [ebp+var_88]
		mov	[ebx], eax
		mov	eax, [ebp+var_3C]
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		test	edi, edi
		jz	short loc_8294CF
		mov	eax, [ebp+var_34]
		mov	[edi], eax
		mov	eax, [ebp+var_30]
		mov	[edi+4], eax

loc_8294CF:				; CODE XREF: NtMapViewOfSection+132j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_8294D6:				; CODE XREF: NtMapViewOfSection+190j
					; NtMapViewOfSection+198j ...
		mov	ecx, [ebp+var_28]
		call	ObfDereferenceObject
		mov	edx, 77566D4Dh
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi

loc_8294ED:				; CODE XREF: NtMapViewOfSection+F8725j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_829501:				; CODE XREF: NtMapViewOfSection+104j
		sub	esp, 10h
		push	[ebp+var_3C]
		mov	edx, [ebp+var_28]
		mov	ecx, [ebp+var_24]
		call	DbgkMapViewOfSection
		jmp	short loc_829496
; 

loc_829514:				; CODE XREF: NtMapViewOfSection+CFj
					; NtMapViewOfSection+FAj
		cmp	[ebp+var_3C], 0
		jz	short loc_829522
		inc	dword_6D3108
		jmp	short loc_8294D6
; 

loc_829522:				; CODE XREF: NtMapViewOfSection+188j
		inc	dword_6D3104
		jmp	short loc_8294D6
; 

loc_82952A:				; CODE XREF: NtMapViewOfSection+113j
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+var_38]
		push	[ebp+var_3C]
		mov	dl, byte ptr [ebp+arg_C+3]
		mov	ecx, [ebp+var_24]
		call	EtwTiLogMapExecView
		jmp	loc_8294A9
; 

loc_829546:				; CODE XREF: NtMapViewOfSection+A7j
		inc	dword_6D3104
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
NtMapViewOfSection endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapViewOfSectionCommon proc near	; CODE XREF: MiMapViewOfSectionExCommon+9Ep
					; NtMapViewOfSection+A0p

var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 00921AD2 SIZE 00000035 BYTES
; FUNCTION CHUNK AT 00921B41 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6238
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	ebx, edx
		mov	[ebp+var_20], ebx
		mov	edx, ecx
		xor	eax, eax
		mov	esi, [ebp+arg_1C]
		mov	[esi], eax
		mov	[esi+4], eax
		mov	[esi+8], eax
		mov	[esi+0Ch], eax
		mov	[esi+14h], eax
		mov	[esi+18h], eax
		mov	[esi+1Ch], eax
		mov	ecx, [ebp+arg_10]
		and	ecx, 0BFFFFFFFh
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		mov	[esi+10h], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_921AD2
		and	eax, 7
		mov	[esi+10h], eax
		lea	edi, [esi+18h]
		cmp	[ebp+arg_0], 0
		jnz	loc_82971B
		push	0
		push	edi
		push	77566D4Dh
		mov	ebx, [ebp+arg_18]
		push	ebx
		mov	eax, ds:_PsProcessType
		push	eax
		push	8
		push	edx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_8296EF
		mov	ecx, ds:_MmSectionObjectType
		mov	eax, [esi+10h]
		mov	eax, ds:_MmMakeSectionAccess[eax*4]
		mov	[ebp+arg_18], 0
		push	0
		lea	edx, [ebp+arg_18]
		push	edx
		push	ebx
		push	ecx
		push	eax
		push	[ebp+var_20]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+arg_10], eax
		mov	edx, [ebp+arg_18]
		mov	[esi+14h], edx
		test	eax, eax
		js	loc_829728

loc_82963D:				; CODE XREF: MiMapViewOfSectionCommon+1C3j
		mov	[ebp+var_4], 0
		mov	ecx, [ebp+arg_4]
		test	bl, bl
		jz	loc_829713
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_921ADC

loc_82965E:				; CODE XREF: MiMapViewOfSectionCommon+F857Ej
		mov	eax, [edx]
		mov	[edx], eax
		mov	edx, [ebp+arg_8]
		mov	edi, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_921AE3

loc_829674:				; CODE XREF: MiMapViewOfSectionCommon+F8585j
		mov	eax, [edi]
		mov	[edi], eax

loc_829678:				; CODE XREF: MiMapViewOfSectionCommon+1B6j
		mov	eax, [ecx]
		mov	[esi], eax
		mov	eax, [edx]
		mov	[esi+4], eax
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_829703
		test	bl, bl
		jz	short loc_8296AC
		test	cl, 3
		jnz	loc_82974B
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_921AEA

loc_8296A2:				; CODE XREF: MiMapViewOfSectionCommon+F858Dj
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+4]
		mov	[ecx+4], al

loc_8296AC:				; CODE XREF: MiMapViewOfSectionCommon+12Aj
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[esi+8], eax
		mov	[esi+0Ch], ecx

loc_8296B7:				; CODE XREF: MiMapViewOfSectionCommon+1B1j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [esi]
		mov	eax, ds:_MmHighestUserAddress
		cmp	ecx, eax
		ja	loc_921AF2
		mov	edx, [esi+4]
		sub	eax, ecx
		inc	eax
		cmp	edx, eax
		ja	loc_921AF9
		add	edx, ecx
		or	eax, 0FFFFFFFFh
		mov	ecx, [ebp+arg_14]
		shr	eax, cl
		cmp	edx, eax
		ja	loc_921B00
		xor	eax, eax

loc_8296EF:				; CODE XREF: MiMapViewOfSectionCommon+9Ej
					; MiMapViewOfSectionCommon+F8577j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_829703:				; CODE XREF: MiMapViewOfSectionCommon+126j
		mov	dword ptr [esi+8], 0
		mov	dword ptr [esi+0Ch], 0
		jmp	short loc_8296B7
; 

loc_829713:				; CODE XREF: MiMapViewOfSectionCommon+E9j
		mov	edx, [ebp+arg_8]
		jmp	loc_829678
; 

loc_82971B:				; CODE XREF: MiMapViewOfSectionCommon+7Cj
		mov	[edi], edx
		mov	[esi+14h], ebx
		mov	ebx, [ebp+arg_18]
		jmp	loc_82963D
; 

loc_829728:				; CODE XREF: MiMapViewOfSectionCommon+D7j
		mov	edx, 77566D4Dh
		mov	ecx, [edi]
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_82974B:				; CODE XREF: MiMapViewOfSectionCommon+12Fj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

; __stdcall MiSectionClose(x, x, x, x)
_MiSectionClose@16:			; DATA XREF: MiSectionInitialization+99o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		push	0
		call	MiRemoveSharedCommitNode
		pop	ebp
		retn	10h
MiMapViewOfSectionCommon endp ;	sp = -3Ch

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSectionOpen(x, x,	x, x, x, x)
_MiSectionOpen@24 proc near		; DATA XREF: MiSectionInitialization+92o

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_C]
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	edx, [ebp+arg_8]
		mov	ecx, eax
		push	0
		call	MiInsertSharedCommitNode
		pop	ebp
		retn	18h
_MiSectionOpen@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInsertSharedCommitNode proc near	; CODE XREF: MiDeletePartialVad+DD3D2p
					; MmLinkJobProcess+150p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00921B63 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	_MiIncludeSharedCommit@4 ; MiIncludeSharedCommit(x)
		test	eax, eax
		jz	loc_82991F
		test	byte ptr [edi+1Ch], 20h
		jnz	loc_82991F
		xor	eax, eax
		test	bl, 1
		jnz	loc_8299B8
		test	byte ptr [ebx+3A8h], 10h
		mov	ecx, ebx
		mov	[esp+30h+var_24], ecx
		jnz	loc_82991F
		mov	[esp+30h+var_14], eax
		mov	[esp+30h+var_18], 28h

loc_8297E3:				; CODE XREF: MiInsertSharedCommitNode+23Fj
		mov	esi, [edi]
		mov	edx, [ebp+arg_0]
		and	edx, 1
		mov	[esp+30h+var_8], esi
		mov	[esp+30h+var_4], edx
		lea	eax, [esi+30h]
		mov	[esp+30h+var_10], eax
		mov	eax, large fs:124h
		mov	[esp+30h+var_1C], eax
		jnz	short loc_82981F
		dec	word ptr [eax+13Eh]
		nop
		add	ecx, 41Ch
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esp+30h+var_1C]

loc_82981F:				; CODE XREF: MiInsertSharedCommitNode+74j
		mov	ecx, [ebp+arg_0]
		and	ecx, 2
		mov	[esp+30h+var_C], ecx
		jnz	short loc_82983D
		dec	word ptr [eax+13Eh]
		nop
		lea	ecx, [esi+1Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx

loc_82983D:				; CODE XREF: MiInsertSharedCommitNode+99j
		mov	esi, [esi+30h]
		mov	byte ptr [esp+30h+var_20], 0
		test	esi, esi
		jnz	loc_8299E0

loc_82984D:				; CODE XREF: MiInsertSharedCommitNode+270j
					; MiInsertSharedCommitNode+27Aj
		call	_MmGetCurrentProcessorColor@0 ;	MmGetCurrentProcessorColor()
		mov	ecx, [esp+30h+var_18]
		or	eax, 80000000h
		push	eax
		push	0
		push	100h
		mov	edx, 6E53694Dh
		call	ExAllocatePoolMm
		mov	edx, eax
		mov	[esp+30h+var_18], edx
		test	edx, edx
		jz	loc_921B63
		mov	ecx, edi
		mov	dword ptr [edx+10h], 1
		mov	dword ptr [edx+14h], 0
		mov	[edx+0Ch], ebx
		call	_MiGetCommittedPages@4 ; MiGetCommittedPages(x)
		mov	ecx, [esp+30h+var_24]
		mov	ebx, eax
		test	ecx, ecx
		jz	loc_829A0F
		add	ecx, 420h
		mov	[edx+20h], edi
		mov	eax, [ecx+4]
		mov	[esp+30h+var_14], eax
		cmp	[eax], ecx
		lea	eax, [edx+18h]
		jnz	loc_921B6D
		mov	edx, [esp+30h+var_14]
		mov	[eax+4], edx
		mov	[eax], ecx
		mov	[edx], eax
		mov	edx, [esp+30h+var_18]
		mov	[ecx+4], eax
		mov	eax, [esp+30h+var_24]
		add	eax, 418h

loc_8298D7:				; CODE XREF: MiInsertSharedCommitNode+288j
		lock xadd [eax], ebx
		push	edx
		push	[esp+34h+var_20]
		push	esi
		push	[esp+3Ch+var_10]
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		mov	ebx, [esp+30h+var_24]
		test	ebx, ebx
		jz	short loc_82992B
		test	byte ptr [ebx+3A8h], 8
		jz	short loc_82992B
		mov	edx, [ebx+158h]
		mov	ecx, edi
		or	edx, 1
		push	3
		call	MiInsertSharedCommitNode
		mov	[esp+30h+var_14], eax
		test	eax, eax
		js	loc_921B74

loc_829919:				; CODE XREF: MiInsertSharedCommitNode+F83F4j
		mov	ebx, [esp+30h+var_14]
		jmp	short loc_82992D
; 

loc_82991F:				; CODE XREF: MiInsertSharedCommitNode+19j
					; MiInsertSharedCommitNode+23j	...
		xor	eax, eax
		jmp	short loc_8299A0
; 

loc_829923:				; CODE XREF: MiInsertSharedCommitNode:loc_8299F0j
		add	dword ptr [esi+10h], 1
		adc	dword ptr [esi+14h], 0

loc_82992B:				; CODE XREF: MiInsertSharedCommitNode+160j
					; MiInsertSharedCommitNode+169j
		xor	ebx, ebx

loc_82992D:				; CODE XREF: MiInsertSharedCommitNode+18Dj
					; MiInsertSharedCommitNode+F83D8j
		or	eax, 0FFFFFFFFh
		cmp	[esp+30h+var_C], 0
		jnz	loc_8299D4
		mov	esi, [esp+30h+var_8]
		add	esi, 1Ch
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_829A1D

loc_829950:				; CODE XREF: MiInsertSharedCommitNode+294j
		mov	ecx, esi
		call	KeAbPostRelease
		nop
		mov	edi, [esp+30h+var_1C]
		add	word ptr [edi+13Eh], 1
		jz	loc_921B89

loc_82996A:				; CODE XREF: MiInsertSharedCommitNode+F83FFj
					; MiInsertSharedCommitNode+F840Aj
		or	eax, 0FFFFFFFFh

loc_82996D:				; CODE XREF: MiInsertSharedCommitNode+248j
		cmp	[esp+30h+var_4], 0
		jnz	short loc_82999E
		mov	esi, [esp+30h+var_24]
		add	esi, 41Ch
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_829A29

loc_82998C:				; CODE XREF: MiInsertSharedCommitNode+2A0j
		mov	ecx, esi
		call	KeAbPostRelease
		nop
		add	word ptr [edi+13Eh], 1
		jz	short loc_8299A9

loc_82999E:				; CODE XREF: MiInsertSharedCommitNode+1E2j
					; MiInsertSharedCommitNode+21Fj ...
		mov	eax, ebx

loc_8299A0:				; CODE XREF: MiInsertSharedCommitNode+191j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_8299A9:				; CODE XREF: MiInsertSharedCommitNode+20Cj
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jz	short loc_82999E
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_82999E
; 

loc_8299B8:				; CODE XREF: MiInsertSharedCommitNode+2Ej
		mov	esi, ebx
		mov	[esp+30h+var_18], 18h
		and	esi, 0FFFFFFFEh
		xor	ecx, ecx
		mov	[esp+30h+var_14], esi
		mov	[esp+30h+var_24], ecx
		jmp	loc_8297E3
; 

loc_8299D4:				; CODE XREF: MiInsertSharedCommitNode+1A5j
		mov	edi, [esp+30h+var_1C]
		jmp	short loc_82996D
; 
		align 10h

loc_8299E0:				; CODE XREF: MiInsertSharedCommitNode+B7j
					; MiInsertSharedCommitNode+25Ej
		cmp	ebx, [esi+0Ch]
		jbe	short loc_8299F0
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_829A05

loc_8299EC:				; CODE XREF: MiInsertSharedCommitNode+26Aj
		mov	esi, eax
		jmp	short loc_8299E0
; 

loc_8299F0:				; CODE XREF: MiInsertSharedCommitNode+253j
		jnb	loc_829923
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_8299EC
		mov	byte ptr [esp+30h+var_20], al
		jmp	loc_82984D
; 

loc_829A05:				; CODE XREF: MiInsertSharedCommitNode+25Aj
		mov	byte ptr [esp+30h+var_20], 1
		jmp	loc_82984D
; 

loc_829A0F:				; CODE XREF: MiInsertSharedCommitNode+10Bj
		mov	eax, [esp+30h+var_14]
		add	eax, 31Ch
		jmp	loc_8298D7
; 

loc_829A1D:				; CODE XREF: MiInsertSharedCommitNode+1BAj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_829950
; 

loc_829A29:				; CODE XREF: MiInsertSharedCommitNode+1F6j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_82998C
MiInsertSharedCommitNode endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRemoveSharedCommitNode proc near	; CODE XREF: MiDeleteVad(x,x,x)+108Ep
					; MiDeletePartialVad+DD405p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00921B9F SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		test	bl, 1
		jnz	loc_829C37
		mov	[esp+28h+var_10], edx
		call	_MiIncludeSharedCommit@4 ; MiIncludeSharedCommit(x)
		test	eax, eax
		jz	loc_829B04
		test	byte ptr [edi+1Ch], 20h
		jnz	loc_829B04
		test	byte ptr [ebx+3A8h], 10h
		jnz	loc_829B04
		mov	[esp+28h+var_C], 0

loc_829A8B:				; CODE XREF: MiRemoveSharedCommitNode+206j
		mov	eax, large fs:124h
		mov	ecx, [edi]
		mov	[esp+28h+var_18], ecx
		mov	ecx, [ebp+arg_0]
		mov	esi, ecx
		and	esi, 1
		mov	[esp+28h+var_14], eax
		mov	[esp+28h+var_4], esi
		jnz	short loc_829AC5
		dec	word ptr [eax+13Eh]
		nop
		lea	ecx, [edx+41Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esp+28h+var_14]
		mov	ecx, [ebp+arg_0]

loc_829AC5:				; CODE XREF: MiRemoveSharedCommitNode+67j
		and	ecx, 2
		mov	[esp+28h+var_8], ecx
		jnz	short loc_829AE4
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, [esp+28h+var_18]
		xor	edx, edx
		add	ecx, 1Ch
		call	ExAcquirePushLockExclusiveEx

loc_829AE4:				; CODE XREF: MiRemoveSharedCommitNode+8Cj
		mov	edx, [esp+28h+var_18]
		add	edx, 30h
		mov	esi, [edx]
		test	esi, esi
		jz	short loc_829B14

loc_829AF1:				; CODE XREF: MiRemoveSharedCommitNode+D2j
		cmp	ebx, [esi+0Ch]
		ja	short loc_829B0D
		jnb	short loc_829B14
		mov	esi, [esi]
		jmp	short loc_829B10
; 

loc_829AFC:				; CODE XREF: MiRemoveSharedCommitNode+161j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_829B04:				; CODE XREF: MiRemoveSharedCommitNode+26j
					; MiRemoveSharedCommitNode+30j	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_829B0D:				; CODE XREF: MiRemoveSharedCommitNode+B4j
		mov	esi, [esi+4]

loc_829B10:				; CODE XREF: MiRemoveSharedCommitNode+BAj
		test	esi, esi
		jnz	short loc_829AF1

loc_829B14:				; CODE XREF: MiRemoveSharedCommitNode+AFj
					; MiRemoveSharedCommitNode+B6j
		add	dword ptr [esi+10h], 0FFFFFFFFh
		mov	ecx, [esi+10h]
		adc	dword ptr [esi+14h], 0FFFFFFFFh
		or	ecx, [esi+14h]
		jz	loc_829BAC
		xor	esi, esi

loc_829B2A:				; CODE XREF: MiRemoveSharedCommitNode+1B7j
					; MiRemoveSharedCommitNode+1C4j ...
		or	eax, 0FFFFFFFFh
		cmp	[esp+28h+var_8], 0
		jnz	loc_829C4B
		mov	edi, [esp+28h+var_18]
		add	edi, 1Ch
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_829C66

loc_829B4D:				; CODE XREF: MiRemoveSharedCommitNode+22Dj
		mov	ecx, edi
		call	KeAbPostRelease
		nop
		mov	ebx, [esp+28h+var_14]
		add	word ptr [ebx+13Eh], 1
		jz	loc_921BA6

loc_829B67:				; CODE XREF: MiRemoveSharedCommitNode+F816Cj
					; MiRemoveSharedCommitNode+F8177j
		or	eax, 0FFFFFFFFh

loc_829B6A:				; CODE XREF: MiRemoveSharedCommitNode+20Fj
		cmp	[esp+28h+var_4], 0
		jnz	short loc_829B9F
		mov	edi, [esp+28h+var_10]
		add	edi, 41Ch
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_829C72

loc_829B89:				; CODE XREF: MiRemoveSharedCommitNode+239j
		mov	ecx, edi
		call	KeAbPostRelease
		nop
		add	word ptr [ebx+13Eh], 1
		jz	loc_829C21

loc_829B9F:				; CODE XREF: MiRemoveSharedCommitNode+12Fj
					; MiRemoveSharedCommitNode+1E7j ...
		test	esi, esi
		jnz	loc_829AFC
		jmp	loc_829B04
; 

loc_829BAC:				; CODE XREF: MiRemoveSharedCommitNode+E2j
		push	esi
		push	edx
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	ecx, edi
		call	_MiGetCommittedPages@4 ; MiGetCommittedPages(x)
		mov	ebx, [esp+30h+var_18]
		mov	edx, eax
		neg	edx
		test	ebx, ebx
		jz	loc_829C54
		lea	ecx, [ebx+418h]
		lock xadd [ecx], edx
		mov	edx, [esi+18h]
		lea	ecx, [esi+18h]
		cmp	[edx+4], ecx
		jnz	loc_921B9F
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_921B9F
		test	byte ptr [ebp+arg_0], 4
		mov	[eax], edx
		mov	[edx+4], eax
		jnz	loc_829B2A
		test	byte ptr [ebx+3A8h], 8
		jz	loc_829B2A
		mov	edx, [ebx+158h]
		mov	ecx, edi
		or	edx, 1
		push	3
		call	MiRemoveSharedCommitNode
		jmp	loc_829B2A
; 

loc_829C21:				; CODE XREF: MiRemoveSharedCommitNode+159j
		nop
		lea	eax, [ebx+70h]
		cmp	[eax], eax
		jz	loc_829B9F
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_829B9F
; 

loc_829C37:				; CODE XREF: MiRemoveSharedCommitNode+15j
		mov	eax, ebx
		and	eax, 0FFFFFFFEh
		xor	edx, edx
		mov	[esp+28h+var_C], eax
		mov	[esp+28h+var_10], edx
		jmp	loc_829A8B
; 

loc_829C4B:				; CODE XREF: MiRemoveSharedCommitNode+F2j
		mov	ebx, [esp+28h+var_14]
		jmp	loc_829B6A
; 

loc_829C54:				; CODE XREF: MiRemoveSharedCommitNode+184j
		mov	eax, [esp+30h+var_14]
		add	eax, 31Ch
		lock xadd [eax], edx
		jmp	loc_829B2A
; 

loc_829C66:				; CODE XREF: MiRemoveSharedCommitNode+107j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_829B4D
; 

loc_829C72:				; CODE XREF: MiRemoveSharedCommitNode+143j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_829B89
MiRemoveSharedCommitNode endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapParametersInitialize proc near	; CODE XREF: MmMapViewOfSection+3Ap
					; MiMapViewOfSectionExCommon+FCp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00921BBC SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ecx, edx
		push	edi
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		push	58h		; size_t
		push	0		; int
		push	esi		; void *
		mov	edi, eax
		call	_memset
		mov	ecx, large fs:124h
		add	esp, 0Ch
		mov	eax, [ebp+arg_0]
		mov	ebx, [ebp+arg_C]
		mov	ecx, [ecx+80h]
		mov	[esi+3Ch], eax
		mov	eax, large fs:124h
		mov	[esi+40h], ecx
		mov	ecx, ebx
		and	ecx, 7Fh
		mov	al, [eax+15Ah]
		mov	[esi+44h], al
		movzx	eax, ds:_KeNumberNodes
		mov	[esi+20h], ecx
		cmp	ecx, eax
		ja	loc_921BBC
		mov	eax, ebx
		and	eax, 0FFFFFF80h
		cmp	[ebp+arg_4], 0
		mov	[esi+14h], eax
		mov	eax, [ebp+arg_10]
		mov	[esi+18h], eax
		jnz	short loc_829D54

loc_829CF3:				; CODE XREF: MiMapParametersInitialize+D8j
		mov	eax, [ebp+arg_8]
		mov	[esi+0Ch], eax
		test	byte ptr [edi+1Ch], 20h
		jnz	short loc_829D05
		test	byte ptr [esi+30h], 1
		jnz	short loc_829D5A

loc_829D05:				; CODE XREF: MiMapParametersInitialize+7Dj
		mov	ecx, [ebp+arg_14]
		mov	edx, ds:_MmHighestUserAddress
		mov	eax, edx
		test	ecx, ecx
		jnz	loc_921BC6

loc_829D18:				; CODE XREF: MiMapParametersInitialize+F7F4Dj
					; MiMapParametersInitialize+F7F55j
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+1CCh]
		lea	eax, [ecx-1]
		cmp	edx, eax
		ja	short loc_829D68

loc_829D28:				; CODE XREF: MiMapParametersInitialize+E6j
					; MiMapParametersInitialize+EBj
		mov	[esi+4], edx
		mov	dword ptr [esi+8], 10000h
		test	dword ptr [edi+1Ch], 420h
		jnz	short loc_829D4B
		test	ebx, 20000000h
		jnz	short loc_829D6D
		test	ebx, 40000000h
		jnz	short loc_829D76

loc_829D4B:				; CODE XREF: MiMapParametersInitialize+B9j
					; MiMapParametersInitialize+F4j ...
		xor	eax, eax

loc_829D4D:				; CODE XREF: MiMapParametersInitialize+F7F41j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
; 

loc_829D54:				; CODE XREF: MiMapParametersInitialize+71j
		or	dword ptr [esi+30h], 1
		jmp	short loc_829CF3
; 

loc_829D5A:				; CODE XREF: MiMapParametersInitialize+83j
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	MiGetUserReservationHighestAddress
		mov	edx, eax
		jmp	short loc_829D28
; 

loc_829D68:				; CODE XREF: MiMapParametersInitialize+A6j
		lea	edx, [ecx-1]
		jmp	short loc_829D28
; 

loc_829D6D:				; CODE XREF: MiMapParametersInitialize+C1j
		mov	dword ptr [esi+8], 200000h
		jmp	short loc_829D4B
; 

loc_829D76:				; CODE XREF: MiMapParametersInitialize+C9j
		mov	dword ptr [esi+8], 1000h
		jmp	short loc_829D4B
MiMapParametersInitialize endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSectionDelete	proc near		; DATA XREF: MiSectionInitialization+A0o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00921BDA SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		movzx	edi, word ptr [esi+22h]
		and	edi, 1
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		cmp	dword ptr [esi+0Ch], 0
		mov	ebx, eax
		jnz	loc_921BDA

loc_829DA5:				; CODE XREF: MiSectionDelete+F7EABj
		mov	ecx, [esi+14h]
		test	cl, 3
		jz	short loc_829DB5
		and	ecx, 0FFFFFFFCh
		call	ObfDereferenceObject

loc_829DB5:				; CODE XREF: MiSectionDelete+2Bj
		test	dword ptr [esi+20h], 8000000h
		mov	edx, [ebx+1Ch]
		setnz	cl
		test	dl, 20h
		setz	al
		test	cl, al
		jnz	short loc_829DF4

loc_829DCC:				; CODE XREF: MiSectionDelete+78j
					; MiSectionDelete+81j
		test	edx, 4000000h
		jnz	short loc_829E03

loc_829DD4:				; CODE XREF: MiSectionDelete+9Ej
		test	dword ptr ds:byte_70EFC4, 400001h
		jnz	loc_921C30

loc_829DE4:				; CODE XREF: MiSectionDelete+F7EB4j
					; MiSectionDelete+F7EC3j
		mov	edx, edi
		mov	ecx, ebx
		call	_MiDereferenceControlAreaBySection@8 ; MiDereferenceControlAreaBySection(x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_829DF4:				; CODE XREF: MiSectionDelete+4Aj
		cmp	dword ptr [ebx+20h], 0
		jz	short loc_829DCC
		lock dec dword ptr [ebx+34h]
		mov	edx, [ebx+1Ch]
		jmp	short loc_829DCC
; 

loc_829E03:				; CODE XREF: MiSectionDelete+52j
		mov	edx, [esi+24h]
		shr	edx, 0Ch
		and	edx, 7FFFFh
		cmp	edx, 7FFFFh
		jz	short loc_829E20

loc_829E17:				; CODE XREF: MiSectionDelete+A3j
		mov	ecx, ebx
		call	_MiDereferencePerSessionProtos@8 ; MiDereferencePerSessionProtos(x,x)
		jmp	short loc_829DD4
; 

loc_829E20:				; CODE XREF: MiSectionDelete+95j
		or	edx, 0FFFFFFFFh
		jmp	short loc_829E17
MiSectionDelete	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiReturnImageBase(x)
_MiReturnImageBase@4 proc near		; CODE XREF: MiCheckControlArea+A0p
					; MiCheckControlArea+19Ap ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi]
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_829E38

loc_829E34:				; CODE XREF: MiReturnImageBase(x)+83j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_829E38:				; CODE XREF: MiReturnImageBase(x)+Cj
		cmp	byte ptr [edi+8], 1
		jz	short loc_829EA5
		mov	edx, 7800h
		sub	edx, [edi+4]
		sub	edx, esi
		shl	edx, 10h
		call	_MiZeroCfgSystemWideBitmap@8 ; MiZeroCfgSystemWideBitmap(x,x)
		mov	ebx, large fs:124h
		dec	word ptr [ebx+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6CF4C8
		call	ExAcquirePushLockExclusiveEx
		push	dword ptr [edi+4]
		push	esi
		push	offset dword_6CF4CC
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		or	eax, 0FFFFFFFFh
		mov	esi, offset unk_6CF4C8
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_829E9C

loc_829E8B:				; CODE XREF: MiReturnImageBase(x)+7Dj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, ebx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
; 

loc_829E9C:				; CODE XREF: MiReturnImageBase(x)+63j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_829E8B
; 

loc_829EA5:				; CODE XREF: MiReturnImageBase(x)+16j
		cmp	byte ptr [edi+9], 1
		jnz	short loc_829E34
		mov	edx, [edi+4]
		shl	esi, 10h
		shl	edx, 10h
		add	esi, dword_6D07D0
		pop	edi
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	_MiReturnSystemImageAddress@8 ;	MiReturnSystemImageAddress(x,x)
_MiReturnImageBase@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1515. NtCreateSection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtCreateSection
NtCreateSection	proc near		; CODE XREF: PfpFileBuildReadSupport+133p
					; PfSnGetSectionObject+1B4p
					; DATA XREF: ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 00921C48 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	edx, [ebp+arg_14]
		sub	esp, 10h
		xor	eax, eax
		xor	ecx, ecx
		push	esi
		push	edi
		lea	edi, [esp+18h+var_10]
		mov	esi, ecx
		stosd
		stosd
		stosd
		stosd
		mov	eax, edx
		and	eax, 1Fh
		jnz	loc_921C48

loc_829EF3:				; CODE XREF: NtCreateSection+F7D9Dj
		push	1
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	esi
		push	[ebp+arg_18]
		push	edx
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	MiCreateSectionCommon
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	1Ch
NtCreateSection	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCaptureSectionCreateExtendedParameters proc near
					; CODE XREF: MmCreateSectionEx(x,x,x,x,x,x,x,x,x,x,x)+27p
					; MiCreateSectionCommon+153p

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00921C6C SIZE 000000E9 BYTES

		push	20h
		push	offset dword_6A6258
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	esi, ecx
		and	[ebp+var_24], 0
		xor	eax, eax
		mov	ebx, [ebp+arg_4]
		mov	edi, ebx
		stosd
		stosd
		stosd
		stosd
		test	edx, edx
		jnz	loc_921C6C
		mov	eax, esi
		neg	eax
		sbb	eax, eax
		and	eax, 0C000000Dh

loc_829F4B:				; CODE XREF: MiCaptureSectionCreateExtendedParameters+F7D5Dj
					; MiCaptureSectionCreateExtendedParameters+F7D75j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
MiCaptureSectionCreateExtendedParameters endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateSectionCommon proc near		; CODE XREF: NtCreateSection+40p
					; NtCreateSectionEx(x,x,x,x,x,x,x,x,x)+22p

var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 00921D7A SIZE 00000023 BYTES
; FUNCTION CHUNK AT 00921DBF SIZE 0000001E BYTES
; FUNCTION CHUNK AT 00921DF5 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6278
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 38h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_2C], edx
		mov	edx, ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_1C], 0
		mov	[ebp+var_20], 0
		xor	eax, eax
		lea	edi, [ebp+var_48]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_38], 0
		mov	[ebp+var_34], 0
		xor	ecx, ecx
		mov	edi, [ebp+arg_C]
		mov	eax, edi
		and	eax, 3000000h
		cmp	eax, 3000000h
		jz	loc_82A1D1
		mov	eax, edi
		and	eax, 1100000h
		cmp	eax, 1100000h
		jz	loc_921D7A

loc_829FEB:				; CODE XREF: MiCreateSectionCommon+F7E1Fj
		mov	eax, edi
		and	eax, 2100000h
		jnz	loc_921D84

loc_829FF8:				; CODE XREF: MiCreateSectionCommon+F7E26j
		xor	ecx, ecx

loc_829FFA:				; CODE XREF: MiCreateSectionCommon+F7E31j
		test	edi, 2083FFFFh
		jnz	loc_82A1D1
		test	edi, 0F100000h
		jz	loc_82A1D1
		test	edi, 3100000h
		jnz	loc_82A1C0

loc_82A01E:				; CODE XREF: MiCreateSectionCommon+26Bj
		mov	eax, edi
		and	eax, 0C000000h
		cmp	eax, 0C000000h
		jz	loc_82A1D1
		mov	eax, edi
		and	eax, 80080000h
		cmp	eax, 80080000h
		jz	loc_82A1D1
		mov	esi, [ebp+arg_8]
		test	esi, 701h
		jnz	loc_921DF5
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+arg_8], bl
		test	bl, bl
		jz	loc_82A1D8
		test	ecx, ecx
		jnz	loc_82A1D1
		mov	[ebp+var_4], ecx
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_921D96

loc_82A082:				; CODE XREF: MiCreateSectionCommon+F7E38j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	loc_82A1FC

loc_82A091:				; CODE XREF: MiCreateSectionCommon+2B5j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_82A098:				; CODE XREF: MiCreateSectionCommon+27Dj
					; MiCreateSectionCommon+28Ej
		cmp	[ebp+arg_1C], 0
		jz	loc_921DBF
		mov	byte ptr [ebp+arg_4], 0

loc_82A0A6:				; CODE XREF: MiCreateSectionCommon+F7E62j
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_18]
		mov	ecx, [ebp+arg_14]
		call	MiCaptureSectionCreateExtendedParameters
		test	eax, eax
		js	loc_82A1AC
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+arg_C], eax
		cmp	bl, 1
		jnz	loc_82A1F3
		mov	cl, [eax+3A5h]
		mov	byte ptr [ebp+arg_4+3],	cl
		push	eax
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	ebx, eax
		mov	eax, [ebp+arg_C]
		mov	cl, byte ptr [ebp+arg_4+3]

loc_82A0EF:				; CODE XREF: MiCreateSectionCommon+297j
		mov	byte ptr [ebp+var_28], cl
		mov	ecx, eax
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+arg_4], eax
		lea	esp, [esp+0]

loc_82A100:				; CODE XREF: MiCreateSectionCommon+F7E78j
		lea	ecx, [ebp+var_48]
		push	ecx
		push	eax
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_10]
		push	[ebp+var_28]
		push	ebx
		push	0
		push	edi
		push	esi
		push	[ebp+var_34]
		push	[ebp+var_38]
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_1C]
		call	MiCreateSection
		mov	[ebp+arg_C], eax
		cmp	eax, 0C0000054h
		jz	loc_921DC7
		test	ebx, ebx
		jz	short loc_82A142
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, [ebp+arg_C]

loc_82A142:				; CODE XREF: MiCreateSectionCommon+1D6j
		test	eax, eax
		js	short loc_82A1AC
		mov	ebx, [ebp+var_1C]
		mov	ecx, ebx
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_82A175
		cmp	dword ptr [edi+20h], 0
		jz	short loc_82A175
		mov	ecx, edi
		call	MiReferenceControlAreaFile
		mov	esi, eax
		mov	ecx, esi
		call	_CcZeroEndOfLastPage@4 ; CcZeroEndOfLastPage(x)
		mov	edx, esi
		mov	ecx, edi
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)

loc_82A175:				; CODE XREF: MiCreateSectionCommon+1F4j
					; MiCreateSectionCommon+1FAj
		lea	eax, [ebp+var_20]
		push	eax
		push	0
		push	0
		push	0
		push	[ebp+var_2C]
		xor	edx, edx
		mov	ecx, ebx
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+arg_4], ecx
		test	ecx, ecx
		js	short loc_82A1AA
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_20]
		mov	edx, [ebp+var_30]
		mov	[edx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_82A1AA:				; CODE XREF: MiCreateSectionCommon+232j
					; sub_921DE3+Dj
		mov	eax, ecx

loc_82A1AC:				; CODE XREF: MiCreateSectionCommon+15Aj
					; MiCreateSectionCommon+1E4j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_82A1C0:				; CODE XREF: MiCreateSectionCommon+B8j
		mov	esi, 0CC440000h
		test	eax, eax
		jnz	short loc_82A21A

loc_82A1C9:				; CODE XREF: MiCreateSectionCommon+2BFj
		test	esi, edi
		jz	loc_82A01E

loc_82A1D1:				; CODE XREF: MiCreateSectionCommon+73j
					; MiCreateSectionCommon+A0j ...
		mov	eax, 0C00000F4h
		jmp	short loc_82A1AC
; 

loc_82A1D8:				; CODE XREF: MiCreateSectionCommon+102j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_82A098
		mov	eax, [ecx]
		mov	[ebp+var_38], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_34], eax
		jmp	loc_82A098
; 

loc_82A1F3:				; CODE XREF: MiCreateSectionCommon+172j
		xor	ebx, ebx
		xor	cl, cl
		jmp	loc_82A0EF
; 

loc_82A1FC:				; CODE XREF: MiCreateSectionCommon+12Bj
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_82A221

loc_82A207:				; CODE XREF: MiCreateSectionCommon+2C3j
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	[ebp+var_38], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_34], eax
		jmp	loc_82A091
; 

loc_82A21A:				; CODE XREF: MiCreateSectionCommon+267j
		mov	esi, 0CC040000h
		jmp	short loc_82A1C9
; 

loc_82A221:				; CODE XREF: MiCreateSectionCommon+2A5j
		mov	edx, eax
		jmp	short loc_82A207
MiCreateSectionCommon endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateImageOrDataSection proc	near	; CODE XREF: MiCreateSection+83p

var_78		= dword	ptr -78h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00921DFF SIZE 00000194 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		push	ebx
		push	esi
		push	edi
		push	50h		; size_t
		lea	eax, [ebp+var_78]
		mov	[ebp+var_8], 0
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_18], esi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_20], 1
		cmp	byte ptr [esi+7Ch], 0
		jnz	loc_921DFF
		mov	ecx, [esi+8]
		test	ecx, 80000h
		jnz	loc_921DFF
		mov	ebx, [esi+20h]
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jnz	loc_82A3ED
		test	ecx, ecx
		js	loc_921DFF
		mov	eax, [esi+18h]
		lea	edi, [ebp+var_14]
		mov	ecx, [esi+1Ch]
		and	eax, 7
		push	ebx
		push	edi
		mov	[ebp+var_14], ebx
		mov	edx, ds:_MmMakeFileAccess[eax*4]
		mov	al, [esi+2Ch]
		mov	byte ptr [ebp+var_1C], al
		push	[ebp+var_1C]
		mov	eax, ds:_IoFileObjectType
		push	eax
		push	edx
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, [ebp+var_14]
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], ebx
		test	eax, eax
		js	loc_82A477
		cmp	dword ptr [ebx+14h], 0
		mov	edi, 1
		jz	loc_921E89
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_82A2E2:				; CODE XREF: MiCreateImageOrDataSection+2CDj
		mov	[esi+24h], ebx
		mov	[ebp+var_5C], 2
		test	ebx, ebx
		jz	loc_921E95
		mov	[ebp+var_58], ebx

loc_82A2F7:				; CODE XREF: MiCreateImageOrDataSection+F7C6Cj
		test	dword ptr [esi+8], 1000000h
		mov	[ebp+var_10], 0
		jz	short loc_82A342
		test	dword ptr [esi], 400h
		jz	short loc_82A31E
		mov	ecx, ebx
		call	_IoAllowExecution@4 ; IoAllowExecution(x)
		test	al, al
		jz	loc_921EA1

loc_82A31E:				; CODE XREF: MiCreateImageOrDataSection+DDj
		mov	ecx, ebx
		call	CcWaitForUninitializeCacheMap
		mov	ecx, [esi]
		test	ecx, 400h
		jz	short loc_82A33B
		mov	dl, [esi+10h]
		test	dl, 10h
		jnz	loc_82A557

loc_82A33B:				; CODE XREF: MiCreateImageOrDataSection+FDj
					; MiCreateImageOrDataSection+33Aj
		mov	[ebp+var_20], 2

loc_82A342:				; CODE XREF: MiCreateImageOrDataSection+D5j
		mov	edi, large fs:124h
		mov	[ebp+var_1C], edi
		dec	word ptr [edi+13Ch]
		nop

loc_82A354:				; CODE XREF: MiCreateImageOrDataSection+34Fj
		mov	ecx, esi
		call	MiCallCreateSectionFilters
		mov	[ebp+var_4], eax
		test	eax, eax
		js	loc_921F7F
		test	byte ptr [esi],	1
		jnz	short loc_82A37D
		call	_IoGetTopLevelIrp@0 ; IoGetTopLevelIrp()
		push	1
		mov	[esi+78h], eax
		call	_IoSetTopLevelIrp@4 ; IoSetTopLevelIrp(x)
		or	dword ptr [esi], 2

loc_82A37D:				; CODE XREF: MiCreateImageOrDataSection+139j
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_78]
		call	MiReferenceControlArea
		mov	[ebp+var_4], eax
		test	eax, eax
		js	loc_82A56F
		mov	eax, [ebp+var_8]
		mov	[esi+28h], eax
		test	byte ptr [eax+1Ch], 2
		jnz	loc_82A47E
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, esi
		call	MiShareExistingControlArea
		mov	[ebp+var_4], eax
		test	eax, eax
		js	loc_921F6B
		mov	edi, 1

loc_82A3C4:				; CODE XREF: MiCreateImageOrDataSection+249j
					; MiCreateImageOrDataSection+2AFj ...
		cmp	eax, 0C0000476h
		jz	loc_921EBE

loc_82A3CF:				; CODE XREF: MiCreateImageOrDataSection+F7CA7j
					; MiCreateImageOrDataSection+F7CB0j ...
		mov	esi, [ebp+var_4]

loc_82A3D2:				; CODE XREF: MiCreateImageOrDataSection+F7CD0j
		test	edi, edi
		jz	short loc_82A3E9

loc_82A3D6:				; CODE XREF: MiCreateImageOrDataSection+F7C60j
					; MiCreateImageOrDataSection+F7C7Dj ...
		mov	edx, edi
		mov	ecx, ebx
		call	@ObDereferenceObjectEx@8 ; ObDereferenceObjectEx(x,x)
		mov	eax, [ebp+var_4]

loc_82A3E2:				; CODE XREF: MiCreateImageOrDataSection+1BBj
					; MiCreateImageOrDataSection+F7BD4j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_82A3E9:				; CODE XREF: MiCreateImageOrDataSection+1A4j
		mov	eax, esi
		jmp	short loc_82A3E2
; 

loc_82A3ED:				; CODE XREF: MiCreateImageOrDataSection+4Fj
		and	ecx, 1000000h
		jnz	loc_921E09

loc_82A3F9:				; CODE XREF: MiCreateImageOrDataSection+F7BE4j
		mov	eax, [ebx+14h]
		test	eax, eax
		jz	loc_921E24
		mov	edx, [esi+4]
		test	edx, edx
		jnz	loc_921E2E

loc_82A40F:				; CODE XREF: MiCreateImageOrDataSection+F7C05j
					; MiCreateImageOrDataSection+F7C12j
		test	ecx, ecx
		jnz	loc_921E47

loc_82A417:				; CODE XREF: MiCreateImageOrDataSection+F7C1Aj
		mov	eax, [eax]
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], 0C0000001h
		test	eax, eax
		jz	loc_82A4E4
		mov	ecx, esi
		call	MiReferenceExistingControlArea
		mov	[ebp+var_4], eax
		test	eax, eax
		js	loc_82A4E4
		mov	ecx, [esi]
		or	ecx, 4
		test	dword ptr [esi+8], 1000000h
		mov	[esi], ecx
		mov	edx, [ebx+14h]
		jnz	loc_921E4F
		mov	edx, [edx]
		mov	ebx, [esi+64h]
		mov	edi, [esi+60h]
		mov	[ebp+var_1C], ebx
		mov	[esi+4Ch], ebx
		mov	ebx, [ebp+var_C]
		mov	[ebp+var_8], edx
		mov	[esi+48h], edi
		test	cl, 1
		jz	loc_921E59

loc_82A474:				; CODE XREF: MiCreateImageOrDataSection+F7C2Cj
					; MiCreateImageOrDataSection+F7C54j
		mov	[esi+28h], edx

loc_82A477:				; CODE XREF: MiCreateImageOrDataSection+96j
		xor	edi, edi
		jmp	loc_82A3C4
; 

loc_82A47E:				; CODE XREF: MiCreateImageOrDataSection+170j
		lea	edx, [ebp+var_10]
		mov	ecx, esi
		call	_MiCreateNewSection@8 ;	MiCreateNewSection(x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		mov	eax, [ebp+var_10]
		js	short loc_82A508
		mov	eax, [eax]
		mov	[esi+28h], eax
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		lea	esi, [eax+348h]

loc_82A4A2:				; CODE XREF: MiCreateImageOrDataSection+28Dj
					; MiCreateImageOrDataSection+292j
		mov	edi, [esi]
		mov	ebx, edi
		mov	edx, [esi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_10], edx
		adc	ecx, 0
		mov	eax, edi
		nop
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		jnz	short loc_82A4A2
		cmp	edx, [ebp+var_10]
		jnz	short loc_82A4A2
		mov	esi, [ebp+var_18]
		xor	eax, eax
		mov	ebx, [ebp+var_C]
		mov	edi, [ebp+var_1C]
		mov	[ebp+var_10], eax

loc_82A4D2:				; CODE XREF: MiCreateImageOrDataSection+322j
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, [ebp+var_4]
		mov	edi, [ebp+var_10]
		jmp	loc_82A3C4
; 

loc_82A4E4:				; CODE XREF: MiCreateImageOrDataSection+1F5j
					; MiCreateImageOrDataSection+207j
		push	ecx
		mov	edx, 2
		mov	ecx, ebx
		call	ObReferenceObjectExWithTag
		cmp	[ebp+var_4], 0C0000476h
		mov	edi, 2
		jnz	loc_82A2E2
		jmp	loc_921EBE
; 

loc_82A508:				; CODE XREF: MiCreateImageOrDataSection+260j
		test	eax, eax
		jnz	loc_921F16

loc_82A510:				; CODE XREF: MiCreateImageOrDataSection+F7CEEj
		mov	eax, [esi+8]
		mov	ecx, ebx
		mov	edx, [ebp+var_8]
		push	eax
		call	_MiZeroSectionObjectPointer@12 ; MiZeroSectionObjectPointer(x,x,x)
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_78]
		cmp	[ebp+var_8], eax
		jnz	loc_921F23
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		lea	ecx, [ecx+20h]
		call	@ObFastReplaceObject@8 ; ObFastReplaceObject(x,x)
		mov	ebx, eax

loc_82A543:				; CODE XREF: MiCreateImageOrDataSection+F7D36j
		mov	ecx, [ebp+var_24]
		call	_MiReleaseControlAreaWaiters@4 ; MiReleaseControlAreaWaiters(x)
		mov	[ebp+var_10], 1
		jmp	loc_82A4D2
; 

loc_82A557:				; CODE XREF: MiCreateImageOrDataSection+105j
		mov	al, dl
		or	ecx, 10h
		and	al, 30h
		mov	[esi], ecx
		cmp	al, 30h
		jz	short loc_82A58A

loc_82A564:				; CODE XREF: MiCreateImageOrDataSection+362j
		and	dl, 0Fh
		mov	[esi+10h], dl
		jmp	loc_82A33B
; 

loc_82A56F:				; CODE XREF: MiCreateImageOrDataSection+160j
		cmp	eax, 0C000060Bh
		jz	loc_921F05
		cmp	eax, 0C0000476h
		jnz	loc_82A354
		jmp	loc_921EB2
; 

loc_82A58A:				; CODE XREF: MiCreateImageOrDataSection+332j
		or	ecx, 1000h
		mov	[esi], ecx
		jmp	short loc_82A564
MiCreateImageOrDataSection endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateSection	proc near		; CODE XREF: MiCreateSystemSection+30p
					; MmCreateSectionEx(x,x,x,x,x,x,x,x,x,x,x)+A0p	...

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

; FUNCTION CHUNK AT 00921F93 SIZE 00000096 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A4h
		push	ebx
		push	esi
		push	edi
		push	88h		; size_t
		xor	esi, esi
		mov	[esp+0B4h+var_8C], ecx
		lea	eax, [esp+0B4h+var_88]
		mov	ebx, edx
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esp+0B0h+var_88]
		mov	edx, ebx
		push	[ebp+arg_2C]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	MiInitializeCreateSectionPacket
		mov	edi, eax
		test	edi, edi
		js	loc_82A6FA
		jmp	short loc_82A610
; 
		align 10h

loc_82A610:				; CODE XREF: MiCreateSection+65j
					; MiCreateSection+F7A57j
		or	[esp+0B0h+var_88], esi
		cmp	[esp+0B0h+var_6C], 0
		jz	loc_82A710

loc_82A61F:				; CODE XREF: MiCreateSection+175j
		lea	ecx, [esp+0B0h+var_88]
		call	MiCreateImageOrDataSection
		mov	edi, eax
		cmp	edi, 0C0000054h
		jz	loc_921F93
		cmp	edi, 0C0000476h
		jz	loc_921F93

loc_82A642:				; CODE XREF: MiCreateSection+186j
		test	edi, edi
		js	loc_82A6FA
		lea	ecx, [esp+0B0h+var_88]
		call	MiFinishCreateSection
		mov	edi, eax
		test	edi, edi
		js	loc_82A6FA
		mov	eax, [esp+0B0h+var_60]
		mov	ecx, [esp+0B0h+var_30]
		mov	[esp+0B0h+var_98], eax
		mov	[esp+0B0h+var_9C], ecx
		mov	esi, [eax]
		or	eax, 0FFFFFFFFh
		add	esi, 10h
		or	edx, eax
		nop
		or	ebx, eax
		or	ecx, eax
		lock cmpxchg8b qword ptr [esi]
		test	byte ptr [esp+0B0h+var_88], 9
		mov	esi, [esp+0B0h+var_98]
		setz	bl
		test	dword ptr [esi+1Ch], 8000h
		setnz	cl
		test	bl, cl
		mov	ebx, [esp+0B0h+var_9C]
		jz	short loc_82A6D6
		mov	ecx, eax

loc_82A6A3:				; CODE XREF: MiCreateSection+13Dj
					; MiCreateSection+142j
		mov	eax, [ebx+18h]
		mov	[esp+0B0h+var_98], eax
		mov	eax, [ebx+1Ch]
		mov	[esp+0B0h+var_94], eax
		mov	[ebx+18h], ecx
		mov	ecx, ebx
		mov	[ebx+1Ch], edx
		lea	edx, [esp+0B0h+var_98]
		mov	eax, [esp+0B0h+var_88]
		and	eax, 1
		push	eax
		call	MmExtendSection
		mov	edi, eax
		test	edi, edi
		js	loc_922002
		jmp	short loc_82A6E4
; 

loc_82A6D6:				; CODE XREF: MiCreateSection+FFj
		cmp	[ebx+1Ch], edx
		jb	short loc_82A6E4
		mov	ecx, eax
		ja	short loc_82A6A3
		cmp	[ebx+18h], ecx
		ja	short loc_82A6A3

loc_82A6E4:				; CODE XREF: MiCreateSection+134j
					; MiCreateSection+139j
		mov	eax, [esp+0B0h+var_8C]
		mov	[eax], ebx
		test	dword ptr ds:byte_70EFC4, 400001h
		jnz	loc_92200E

loc_82A6FA:				; CODE XREF: MiCreateSection+5Fj
					; MiCreateSection+A4j ...
		mov	ecx, [esp+0B0h+var_14]
		test	ecx, ecx
		jnz	short loc_82A72B

loc_82A705:				; CODE XREF: MiCreateSection+190j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	30h
; 

loc_82A710:				; CODE XREF: MiCreateSection+79j
		cmp	[esp+0B0h+var_68], 0
		jnz	loc_82A61F
		lea	ecx, [esp+0B0h+var_88]
		call	_MiCreatePagingFileMap@4 ; MiCreatePagingFileMap(x)
		mov	edi, eax
		jmp	loc_82A642
; 

loc_82A72B:				; CODE XREF: MiCreateSection+163j
		call	PsDereferencePartition
		jmp	short loc_82A705
MiCreateSection	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeCreateSectionPacket	proc near ; CODE XREF: MiCreateSection+56p
					; MiCreateSection+F7A48p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

; FUNCTION CHUNK AT 00922029 SIZE 00000066 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, ecx
		push	edi
		test	bl, 7Fh
		jnz	loc_922085
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_10]
		mov	[esi+60h], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+64h], eax
		mov	eax, [ebp+arg_14]
		mov	[esi+68h], eax
		mov	eax, [ebp+arg_28]
		mov	[esi+6Ch], eax
		mov	eax, [ebp+arg_24]
		mov	[esi+2Ch], al
		mov	al, byte ptr [ebp+arg_18]
		mov	[esi+4], edx
		mov	edx, [ebp+arg_8]
		mov	[esi+0Ch], ebx
		mov	[esi+14h], edx
		mov	[esi+10h], al
		test	cl, 1
		jnz	loc_82A8B9

loc_82A792:				; CODE XREF: MiInitializeCreateSectionPacket+17Fj
		test	cl, 2
		jnz	loc_82A893

loc_82A79B:				; CODE XREF: MiInitializeCreateSectionPacket+159j
		mov	eax, [esi+54h]
		mov	edi, [ebp+arg_1C]
		xor	eax, edx
		mov	edx, [ebp+arg_20]
		and	eax, 0FFFh
		xor	[esi+54h], eax
		mov	eax, ebx
		and	eax, 1100000h
		mov	[esi+20h], edx
		mov	[esi+1Ch], edi
		cmp	eax, 1100000h
		jz	loc_922033

loc_82A7C6:				; CODE XREF: MiInitializeCreateSectionPacket+F78FFj
		test	ebx, 100000h
		jnz	loc_82A92A
		test	ebx, 2000000h
		jnz	loc_82A991

loc_82A7DE:				; CODE XREF: MiInitializeCreateSectionPacket+212j
					; MiInitializeCreateSectionPacket+24Cj
		mov	[ebp+arg_18], 0
		test	ebx, 40000h
		jnz	loc_82A8C4

loc_82A7F1:				; CODE XREF: MiInitializeCreateSectionPacket+1D9j
		test	ebx, 1000000h
		jnz	short loc_82A85B
		test	ebx, 10000000h
		jnz	loc_92206F
		test	ebx, 40000000h
		jnz	loc_82A91E

loc_82A811:				; CODE XREF: MiInitializeCreateSectionPacket+14Cj
					; MiInitializeCreateSectionPacket+174j	...
		mov	ecx, [esi+14h]
		mov	[esi+8], ebx
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		mov	[esi+18h], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_92207B
		mov	ecx, [ebp+arg_2C]
		test	ecx, ecx
		jz	short loc_82A852
		mov	al, [ecx]
		mov	[esi+7Ch], al
		mov	eax, [ecx+4]
		mov	[esi+80h], eax
		movzx	eax, ds:_KeNumberNodes
		mov	ecx, [ecx+8]
		cmp	ecx, eax
		ja	loc_922085
		mov	[esi+70h], ecx

loc_82A852:				; CODE XREF: MiInitializeCreateSectionPacket+EDj
		xor	eax, eax

loc_82A854:				; CODE XREF: MiInitializeCreateSectionPacket+1AFj
					; MiInitializeCreateSectionPacket+F78EEj ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	30h
; 

loc_82A85B:				; CODE XREF: MiInitializeCreateSectionPacket+B7j
		test	cl, 8
		jnz	loc_92204C

loc_82A864:				; CODE XREF: MiInitializeCreateSectionPacket+F7912j
		mov	eax, ebx
		and	eax, 11000000h
		cmp	eax, 11000000h
		jz	short loc_82A8A4
		or	dword ptr [esi], 400h
		mov	eax, [esi]
		test	al, 20h
		jnz	loc_82A957

loc_82A882:				; CODE XREF: MiInitializeCreateSectionPacket+21Ej
		test	ds:_MiFlags, 100000h
		jz	short loc_82A811
		jmp	loc_922063
; 

loc_82A893:				; CODE XREF: MiInitializeCreateSectionPacket+55j
		or	dword ptr [esi], 1
		test	cl, 4
		jz	loc_82A79B
		jmp	loc_922029
; 

loc_82A8A4:				; CODE XREF: MiInitializeCreateSectionPacket+130j
		cmp	dword ptr [esi+14h], 2
		jnz	loc_92207B
		and	ebx, 0EFFFFFFFh
		jmp	loc_82A811
; 

loc_82A8B9:				; CODE XREF: MiInitializeCreateSectionPacket+4Cj
		or	dword ptr [esi], 800h
		jmp	loc_82A792
; 

loc_82A8C4:				; CODE XREF: MiInitializeCreateSectionPacket+ABj
		test	edi, edi
		jz	loc_922085
		test	edx, edx
		jnz	loc_922085
		push	ecx
		lea	eax, [ebp+arg_18]
		mov	edx, 2
		push	eax
		push	70434D4Dh
		push	[ebp+arg_24]
		mov	ecx, edi
		call	_PsReferencePartitionByHandle@24 ; PsReferencePartitionByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_82A854
		mov	ecx, [ebp+arg_18]
		cmp	dword ptr [ecx], offset	_MiSystemPartition
		jnz	loc_922044
		call	PsDereferencePartition

loc_82A909:				; CODE XREF: MiInitializeCreateSectionPacket+F7907j
		mov	ecx, [ebp+arg_10]
		and	ebx, 0FFFBFFFFh
		mov	dword ptr [esi+1Ch], 0
		jmp	loc_82A7F1
; 

loc_82A91E:				; CODE XREF: MiInitializeCreateSectionPacket+CBj
		or	dword ptr [esi+14h], 400h
		jmp	loc_82A811
; 

loc_82A92A:				; CODE XREF: MiInitializeCreateSectionPacket+8Cj
		mov	eax, [esi]
		test	ebx, 200000h
		jnz	short loc_82A969

loc_82A934:				; CODE XREF: MiInitializeCreateSectionPacket+232j
		or	eax, 20h
		and	ebx, 0FFEFFFFFh
		mov	[esi], eax
		test	ebx, 400000h
		jnz	short loc_82A974
		mov	al, 1

loc_82A949:				; CODE XREF: MiInitializeCreateSectionPacket+26Aj
		or	ebx, 1000000h
		mov	[esi+10h], al
		jmp	loc_82A7DE
; 

loc_82A957:				; CODE XREF: MiInitializeCreateSectionPacket+13Cj
		test	byte ptr ds:_MiFlags+2,	1
		jz	loc_82A882
		jmp	loc_922057
; 

loc_82A969:				; CODE XREF: MiInitializeCreateSectionPacket+1F2j
		and	ebx, 0FFDFFFFFh
		or	eax, 40h
		jmp	short loc_82A934
; 

loc_82A974:				; CODE XREF: MiInitializeCreateSectionPacket+205j
		or	eax, 100h
		and	ebx, 0FFBFFFFFh
		mov	[esi], eax
		or	ebx, 1000000h
		mov	al, 0Ch
		mov	[esi+10h], al
		jmp	loc_82A7DE
; 

loc_82A991:				; CODE XREF: MiInitializeCreateSectionPacket+98j
		or	dword ptr [esi], 10h
		test	ebx, 400000h
		jz	short loc_82A9AC
		and	ebx, 0FFBFFFFFh
		mov	al, 0Ch

loc_82A9A4:				; CODE XREF: MiInitializeCreateSectionPacket+26Ej
		and	ebx, 0FDFFFFFFh
		jmp	short loc_82A949
; 

loc_82A9AC:				; CODE XREF: MiInitializeCreateSectionPacket+25Aj
		mov	al, 4
		jmp	short loc_82A9A4
MiInitializeCreateSectionPacket	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFinishCreateSection proc near		; CODE XREF: MiCreateSection+AEp

var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 0092208F SIZE 0000016E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_14], 0
		push	esi
		push	edi
		mov	[ebp+var_8], 0
		mov	edi, [ebx+28h]
		mov	[ebp+var_10], edi
		mov	eax, [edi]
		mov	[ebp+var_C], eax
		mov	eax, [ebx+54h]
		mov	[ebx+44h], edi
		and	eax, 7FFFFFFFh
		mov	edx, [edi+1Ch]
		and	edx, 0FFF7FFFFh
		mov	[ebx+54h], eax
		test	dword ptr [ebx+8], 1000000h
		mov	[ebx+50h], edx
		jnz	loc_82AB13

loc_82A9FD:				; CODE XREF: MiFinishCreateSection+175j
					; MiFinishCreateSection+181j ...
		mov	eax, [edi+1Ch]
		test	eax, 4000000h
		jnz	loc_82ABBA
		cmp	dword ptr [ebx+20h], 0
		jnz	short loc_82AA25
		test	byte ptr [ebx+14h], 44h
		setnz	cl
		test	al, 20h
		setz	al
		test	cl, al
		jnz	loc_82AB44

loc_82AA25:				; CODE XREF: MiFinishCreateSection+5Fj
					; MiFinishCreateSection+198j ...
		mov	ecx, [ebx+24h]
		mov	[ebp+var_1], 0
		test	ecx, ecx
		jz	short loc_82AA42
		mov	eax, [ecx+4]
		test	byte ptr [eax+20h], 10h
		jnz	loc_82ABE0
		call	ObfDereferenceObject

loc_82AA42:				; CODE XREF: MiFinishCreateSection+7Ej
					; MiFinishCreateSection+234j
		test	byte ptr [edi+1Ch], 20h
		mov	esi, 50h
		jnz	short loc_82AA66
		cmp	dword ptr [edi+20h], 0
		jz	short loc_82AA66
		imul	esi, [edi+0A8h], 54h
		mov	[ebp+var_C], 0
		add	esi, 5Ch
		jmp	short loc_82AA8A
; 

loc_82AA66:				; CODE XREF: MiFinishCreateSection+9Bj
					; MiFinishCreateSection+A1j
		mov	eax, [ebp+var_C]
		mov	eax, [eax+4]
		lea	eax, ds:28h[eax*8]
		mov	[ebp+var_C], eax
		lea	eax, [edi+50h]
		lea	esp, [esp+0]

loc_82AA80:				; CODE XREF: MiFinishCreateSection+D8j
		mov	eax, [eax+8]
		add	esi, 28h
		test	eax, eax
		jnz	short loc_82AA80

loc_82AA8A:				; CODE XREF: MiFinishCreateSection+B4j
		mov	cl, [ebx+2Ch]
		lea	edi, [ebp+var_8]
		mov	eax, [ebx+4]
		mov	edx, ds:_MmSectionObjectType
		push	0
		push	edi
		push	esi
		push	[ebp+var_C]
		push	28h
		push	ecx
		push	ecx
		push	eax
		call	ObCreateObjectEx
		mov	edi, [ebp+var_10]
		mov	esi, eax
		mov	[ebp+var_18], esi
		test	esi, esi
		js	loc_82AB8E
		cmp	[ebp+var_1], 1
		lea	esi, [ebx+30h]
		mov	eax, [ebp+var_8]
		mov	ecx, 0Ah
		mov	edi, eax
		rep movsd
		lea	esi, [eax+0Ch]
		mov	dword ptr [esi], 0
		jz	loc_82ABE9

loc_82AADC:				; CODE XREF: MiFinishCreateSection+24Ej
		test	byte ptr [ebx],	1
		jnz	short loc_82AB06
		or	dword ptr [eax+20h], 10000h
		mov	ecx, [ebx+8]
		mov	edx, [eax+20h]
		test	ecx, 400000h
		jnz	loc_82AB7D

loc_82AAFA:				; CODE XREF: MiFinishCreateSection+1D9j
		test	ecx, 200000h
		jnz	loc_9220C3

loc_82AB06:				; CODE XREF: MiFinishCreateSection+12Fj
					; MiFinishCreateSection+F7837j
		mov	[ebx+58h], eax
		mov	eax, [ebp+var_18]

loc_82AB0C:				; CODE XREF: MiFinishCreateSection+F76F6j
					; MiFinishCreateSection+F773Cj	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_82AB13:				; CODE XREF: MiFinishCreateSection+47j
		mov	esi, [ebx]
		mov	ecx, edx
		test	esi, 400h
		jz	short loc_82AB72

loc_82AB1F:				; CODE XREF: MiFinishCreateSection+1CBj
		cmp	byte ptr [ebx+10h], 1
		mov	edx, ecx
		ja	loc_82A9FD
		test	esi, 80000h
		jnz	loc_82A9FD
		or	eax, 80000000h
		mov	[ebx+54h], eax
		jmp	loc_82A9FD
; 

loc_82AB44:				; CODE XREF: MiFinishCreateSection+6Fj
		cmp	dword ptr [edi+20h], 0
		jz	loc_82AA25
		or	edx, 8000000h
		lea	esi, [edi+34h]
		mov	[ebx+50h], edx
		lock inc dword ptr [esi]
		mov	ecx, [ebx+24h]
		call	_ObCheckActiveHandles@4	; ObCheckActiveHandles(x)
		test	al, al
		jnz	loc_82AA25
		jmp	loc_92208F
; 

loc_82AB72:				; CODE XREF: MiFinishCreateSection+16Dj
		or	ecx, 80000h
		mov	[ebx+50h], ecx
		jmp	short loc_82AB1F
; 

loc_82AB7D:				; CODE XREF: MiFinishCreateSection+144j
		or	edx, 4000h
		mov	[eax+20h], edx
		mov	ecx, [ebx+8]
		jmp	loc_82AAFA
; 

loc_82AB8E:				; CODE XREF: MiFinishCreateSection+104j
		test	dword ptr [ebx+50h], 8000000h
		jnz	short loc_82AC03
		test	dword ptr [edi+1Ch], 4000000h
		jnz	loc_9220AB

loc_82ABA4:				; CODE XREF: MiFinishCreateSection+257j
					; MiFinishCreateSection+F770Ej
		cmp	[ebp+var_1], 1
		jz	short loc_82AC09

loc_82ABAA:				; CODE XREF: MiFinishCreateSection+261j
		mov	ecx, ebx
		call	MiDereferenceFailedControlArea
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_82ABBA:				; CODE XREF: MiFinishCreateSection+55j
		mov	edx, [ebx+6Ch]
		mov	ecx, edi
		call	MiCreatePerSessionProtos
		mov	esi, eax
		test	esi, esi
		js	short loc_82AC09
		mov	eax, [ebx+6Ch]
		shl	eax, 0Ch
		xor	eax, [ebx+54h]
		and	eax, 7FFFF000h
		xor	[ebx+54h], eax
		jmp	loc_82AA25
; 

loc_82ABE0:				; CODE XREF: MiFinishCreateSection+87j
		mov	[ebp+var_1], 1
		jmp	loc_82AA42
; 

loc_82ABE9:				; CODE XREF: MiFinishCreateSection+126j
		mov	ecx, [ebp+var_10]
		mov	edx, [ebx+24h]
		mov	[eax+14h], edx
		test	byte ptr [ecx+1Ch], 20h
		jnz	short loc_82AC13
		or	edx, 2

loc_82ABFB:				; CODE XREF: MiFinishCreateSection+266j
		mov	[eax+14h], edx
		jmp	loc_82AADC
; 

loc_82AC03:				; CODE XREF: MiFinishCreateSection+1E5j
		lock dec dword ptr [edi+34h]
		jmp	short loc_82ABA4
; 

loc_82AC09:				; CODE XREF: MiFinishCreateSection+1F8j
					; MiFinishCreateSection+218j
		mov	ecx, [ebx+24h]
		call	ObfDereferenceObject
		jmp	short loc_82ABAA
; 

loc_82AC13:				; CODE XREF: MiFinishCreateSection+246j
		or	edx, 1
		jmp	short loc_82ABFB
MiFinishCreateSection endp

; 
		align 10h
; Exported entry 1512. NtCreateEvent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtCreateEvent
NtCreateEvent	proc near		; CODE XREF: PfSnPrefetchMetadata+66p
					; PfSnPopulateReadList+C3p ...

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 009221FD SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A62A0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 0
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_28], bl
		test	bl, bl
		jz	loc_82AD2D
		mov	[ebp+var_4], 0
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_9221FD

loc_82AC93:				; CODE XREF: NtCreateEvent+F75DFj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_82AC9E:				; CODE XREF: NtCreateEvent+110j
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	short loc_82ACAE
		cmp	esi, 1
		jnz	loc_82AD3C

loc_82ACAE:				; CODE XREF: NtCreateEvent+83j
		mov	edx, ds:_ExEventObjectType
		push	0
		lea	eax, [ebp+var_20]
		push	eax
		push	0
		push	0
		push	10h
		push	ecx
		push	[ebp+var_28]
		push	[ebp+arg_8]
		mov	cl, bl
		call	ObCreateObjectEx
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_82AD17
		push	[ebp+arg_10]
		push	esi
		mov	esi, [ebp+var_20]
		push	esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_1C]
		push	eax
		push	0
		push	0
		push	0
		push	[ebp+arg_4]
		xor	edx, edx
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		js	short loc_82AD17
		test	bl, bl
		jz	short loc_82AD35
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_1C]
		mov	[edi], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_82AD17:				; CODE XREF: NtCreateEvent+B2j
					; NtCreateEvent+DEj ...
		mov	eax, ecx

loc_82AD19:				; CODE XREF: sub_922214+Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82AD2D:				; CODE XREF: NtCreateEvent+54j
		mov	edi, [ebp+arg_0]
		jmp	loc_82AC9E
; 

loc_82AD35:				; CODE XREF: NtCreateEvent+E2j
		mov	eax, [ebp+var_1C]
		mov	[edi], eax
		jmp	short loc_82AD17
; 

loc_82AD3C:				; CODE XREF: NtCreateEvent+88j
		mov	eax, 0C000000Dh
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
NtCreateEvent	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SepDuplicateToken(char,int,size_t,int,int,int)
_SepDuplicateToken@32 proc near		; CODE XREF: SepGetAnonymousToken(x,x)+40p
					; SepLinkLogonSessions+F7p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_18], edx
		cmp	[ebp+arg_4], 2
		mov	esi, ecx
		mov	[ebp+var_20], esi
		mov	[ebp+var_4], 0
		mov	[ebp+var_C], 0
		mov	[ebp+var_10], edi
		jnz	short loc_82ADA6
		mov	eax, [ebp+arg_8]
		cmp	eax, 3
		jg	short loc_82AD98
		test	eax, eax
		jns	short loc_82ADA6

loc_82AD98:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+32j
		mov	eax, 0C00000A5h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_82ADA6:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+2Aj
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+36j
		push	74416553h
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_24], ebx
		test	ebx, ebx
		jz	short loc_82ADFB
		lea	eax, [ebx+4]
		mov	[ebx], edi
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+10h]
		mov	[ebx+0Ch], edi
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	ds:_SeTokenLeakTracking, edi
		jz	short loc_82AE09
		push	74416553h
		push	9Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_10], edi
		test	edi, edi
		jnz	short loc_82AE09
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_82ADFB:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+5Bj
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+CFj
		mov	eax, 0C000009Ah
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_82AE09:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+78j
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+92j
		push	6C546553h
		push	38h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_82AE47
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	ds:_SeTokenLeakTracking, 0
		jz	short loc_82ADFB
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C000009Ah
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_82AE47:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+BFj
		mov	edx, [esi+84h]
		lea	eax, [ebp+var_C]
		push	eax
		mov	ecx, 2A0h
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	[ebp+var_14], eax
		push	0
		test	eax, eax
		jns	short loc_82AE92
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_8]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	ds:_SeTokenLeakTracking, 0
		jz	short loc_82AE86
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_82AE86:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+11Cj
		mov	eax, [ebp+var_14]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_82AE92:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+102j
		mov	ecx, [esi+88h]
		lea	eax, [ebp+var_4]
		mov	edx, ds:_SeTokenObjectType
		push	eax
		mov	eax, [ebp+var_C]
		push	eax
		push	ecx
		push	eax
		mov	eax, [ebp+arg_C]
		push	ecx
		push	eax
		push	[ebp+var_18]
		mov	cl, al
		call	ObCreateObjectEx
		mov	esi, eax
		test	esi, esi
		jns	short loc_82AEEC
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_8]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	ds:_SeTokenLeakTracking, 0
		jz	short loc_82AEE1
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_82AEE1:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+177j
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_82AEEC:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+15Bj
		mov	eax, [ebp+var_4]
		mov	esi, offset _ExpLuid
		mov	[ebp+var_1C], eax
		mov	eax, _ExpLuid
		mov	edi, dword_6B5B94
		mov	edx, edi
		mov	ebx, ds:_ExpLuidIncrement
		mov	ecx, ds:dword_40AA94
		add	ebx, eax
		mov	[ebp+arg_C], eax
		adc	ecx, edi
		mov	[ebp+var_18], esi
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	esi, eax
		mov	ecx, edx
		mov	eax, [ebp+arg_C]
		cmp	eax, esi
		jnz	short loc_82AF30
		cmp	edi, ecx
		jz	short loc_82AF5E
		mov	edi, edi

loc_82AF30:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+1C8j
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+1F8j ...
		mov	eax, esi
		mov	[ebp+arg_C], esi
		add	esi, ds:_ExpLuidIncrement
		mov	edx, ecx
		mov	edi, ecx
		adc	ecx, ds:dword_40AA94
		nop
		mov	ebx, esi
		mov	esi, [ebp+var_18]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, eax
		mov	ecx, edx
		mov	eax, [ebp+arg_C]
		cmp	eax, esi
		jnz	short loc_82AF30
		cmp	edi, ecx
		jnz	short loc_82AF30

loc_82AF5E:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+1CCj
		mov	ecx, [ebp+var_1C]
		mov	[ecx+14h], edi
		mov	edi, [ebp+var_4]
		mov	[ecx+10h], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_C], edi
		mov	byte ptr [edi+0B4h], 0
		mov	[edi+0A8h], eax
		mov	eax, [ebp+arg_8]
		mov	[edi+0ACh], eax
		mov	eax, [ebp+var_8]
		push	eax
		mov	[edi+30h], eax
		call	ExInitializeResourceLite
		mov	ebx, [ebp+var_20]
		mov	eax, [ebx+18h]
		mov	[edi+18h], eax
		mov	eax, [ebx+1Ch]
		mov	[edi+1Ch], eax
		mov	eax, [ebx]
		mov	[edi], eax
		mov	eax, [ebx+4]
		mov	[edi+4], eax
		mov	eax, [ebx+8]
		mov	[edi+8], eax
		mov	eax, [ebx+0Ch]
		mov	[edi+0Ch], eax
		mov	dword ptr [edi+8Ch], 0
		mov	eax, [ebx+20h]
		mov	[edi+20h], eax
		mov	eax, [ebx+24h]
		mov	[edi+24h], eax
		mov	eax, [ebx+28h]
		mov	[edi+28h], eax
		mov	eax, [ebx+2Ch]
		mov	[edi+2Ch], eax
		mov	eax, [ebx+0C4h]
		mov	[edi+0C4h], eax
		mov	eax, [ebx+0C8h]
		mov	[edi+0C8h], eax
		mov	eax, [ebp+var_10]
		mov	dword ptr [edi+288h], 0
		mov	dword ptr [edi+28Ch], 0
		mov	dword ptr [edi+27Ch], 0
		mov	[edi+294h], eax
		mov	dword ptr [edi+78h], 0
		mov	dword ptr [edi+29Ch], 0
		cmp	ds:_SeTokenLeakTracking, 0
		jz	short loc_82B067
		push	0
		push	1Eh
		add	eax, 1Ch
		push	eax
		call	RtlWalkFrameChain
		mov	esi, eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_82B067
		mov	eax, [edi+294h]
		mov	ecx, 1Eh
		add	eax, 1Ch
		sub	ecx, esi
		push	1
		push	ecx
		lea	eax, [eax+esi*4]
		push	eax
		call	RtlWalkFrameChain

loc_82B067:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+2D0j
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+2E9j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [ebx+30h]
		push	1
		push	eax
		call	ExAcquireResourceSharedLite
		mov	esi, [ebp+var_4]
		mov	eax, [ebx+34h]
		lea	ecx, [esi+80h]
		mov	[ebp+var_10], ecx
		mov	[esi+34h], eax
		mov	eax, [ebx+38h]
		mov	[esi+38h], eax
		mov	eax, [ebx+88h]
		mov	[esi+88h], eax
		mov	eax, [ebx+90h]
		mov	[esi+90h], eax
		mov	eax, [ebx+80h]
		mov	[ecx], eax
		mov	eax, [ebx+84h]
		mov	[esi+84h], eax
		mov	eax, [ebx+0B0h]
		and	eax, 0FFFFFBDFh
		mov	[esi+0B0h], eax
		mov	eax, [ebx+78h]
		mov	[ebp+arg_4], eax
		cmp	[edi+78h], eax
		jz	short loc_82B10B
		mov	[edi+78h], eax
		cmp	ds:_SeTokenDoesNotTrackSessionObject, 0
		jnz	short loc_82B10B
		mov	ecx, [edi+29Ch]
		test	ecx, ecx
		jz	short loc_82B0FE
		call	ObfDereferenceObject
		mov	eax, [ebp+arg_4]

loc_82B0FE:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+394j
		mov	ecx, eax
		call	MmGetSessionObjectById
		mov	[edi+29Ch], eax

loc_82B10B:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+37Ej
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+38Aj
		mov	eax, [ebx+78h]
		mov	ecx, 8
		mov	[edi+78h], eax
		lea	edi, [esi+58h]
		lea	esi, [ebx+58h]
		rep movsd
		mov	esi, [ebp+var_4]
		mov	eax, [ebx+0B8h]
		push	88h		; size_t
		push	0		; int
		mov	[esi+0B8h], eax
		mov	eax, [ebx+0BCh]
		mov	[esi+0BCh], eax
		mov	eax, [ebx+40h]
		mov	[esi+40h], eax
		mov	eax, [ebx+44h]
		mov	[esi+44h], eax
		mov	eax, [ebx+48h]
		mov	[esi+48h], eax
		mov	eax, [ebx+4Ch]
		mov	[esi+4Ch], eax
		mov	eax, [ebx+50h]
		mov	[esi+50h], eax
		mov	eax, [ebx+54h]
		mov	[esi+54h], eax
		mov	eax, [ebp+var_24]
		mov	[esi+1DCh], eax
		lea	eax, [esi+1E4h]
		mov	dword ptr [esi+274h], 0
		mov	dword ptr [esi+278h], 0
		mov	dword ptr [esi+298h], 0
		mov	dword ptr [eax], 0
		mov	[ebp+var_20], eax
		lea	eax, [esi+1E8h]
		mov	dword ptr [esi+1E0h], 0
		mov	[ebp+var_18], eax
		mov	dword ptr [eax], 0
		lea	eax, [esi+1ECh]
		push	eax		; void *
		mov	[ebp+var_1C], eax
		call	_memset
		mov	dword ptr [esi+0A0h], 0
		add	esp, 0Ch
		mov	dword ptr [esi+280h], 0
		mov	dword ptr [esi+284h], 0
		mov	dword ptr [esi+290h], 0
		cmp	byte ptr [esi+77h], 2
		jnz	short loc_82B1FD
		mov	dl, 1
		lea	ecx, [esi+58h]
		call	_SepModifyTokenPolicyCounter@8 ; SepModifyTokenPolicyCounter(x,x)

loc_82B1FD:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+491j
		test	byte ptr [ebx+0B0h], 20h
		jnz	short loc_82B22D
		mov	ecx, [ebx+0C0h]
		mov	eax, 1
		mov	[esi+0C0h], ecx
		lock xadd [ecx+14h], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_82B229
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_82B229:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+4C0j
		xor	edi, edi
		jmp	short loc_82B25A
; 

loc_82B22D:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+4A4j
		lea	edx, [esi+0C0h]
		lea	ecx, [ebx+18h]
		call	_SepReferenceLogonSession@8 ; SepReferenceLogonSession(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_82B25A
		or	dword ptr [esi+0B0h], 20h
		mov	dword ptr [esi+0C0h], 0
		test	edi, edi
		js	loc_82B2EE

loc_82B25A:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+4CBj
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+4DFj
		mov	eax, [ebx+290h]
		test	eax, eax
		jz	short loc_82B271
		mov	ecx, eax
		call	_SepReferenceLuidToIndexEntry@4	; SepReferenceLuidToIndexEntry(x)
		mov	eax, [ebx+290h]

loc_82B271:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+502j
		mov	[esi+290h], eax
		mov	ecx, [ebx+1DCh]
		cmp	dword ptr [ecx], 0
		jz	short loc_82B296
		push	[ebp+arg_10]
		mov	edx, [esi+1DCh]
		call	AuthzBasepDuplicateSecurityAttributes
		mov	edi, eax
		test	edi, edi
		js	short loc_82B2EE

loc_82B296:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+520j
		mov	eax, [ebx+84h]
		push	eax		; size_t
		lea	eax, [ebx+2A0h]
		push	eax		; void *
		lea	eax, [esi+2A0h]
		push	eax		; void *
		call	_memcpy
		mov	ecx, esi
		lea	edx, [esi+94h]
		add	esp, 0Ch
		mov	[ebp+arg_4], edx
		sub	ecx, ebx
		cmp	_SepTokenSidSharingEnabled, 0
		jz	short loc_82B30D
		mov	eax, [ebx+94h]
		add	eax, ecx
		mov	[ebp+arg_8], ecx
		mov	[edx], eax
		mov	ecx, ebx
		mov	edx, esi
		call	_SepDuplicateTokenUserAndGroups@8 ; SepDuplicateTokenUserAndGroups(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_82B330
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 0

loc_82B2EE:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+4F4j
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+534j ...
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_82B2FB:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+7DFj
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_82B30D:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+567j
		mov	eax, [ebx+7Ch]
		mov	[esi+7Ch], eax
		mov	eax, [ebx+94h]
		add	eax, ecx
		mov	[edx], eax
		mov	edx, [esi+7Ch]
		test	edx, edx
		jz	short loc_82B333

loc_82B324:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+5CCj
		add	[eax], ecx
		lea	eax, [eax+8]
		sub	edx, 1
		jnz	short loc_82B324
		jmp	short loc_82B333
; 

loc_82B330:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+583j
		mov	ecx, [ebp+arg_8]

loc_82B333:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+5C2j
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+5CEj
		mov	eax, [ebx+98h]
		lea	edx, [esi+98h]
		mov	[ebp+var_24], edx
		mov	[edx], eax
		test	eax, eax
		jz	short loc_82B35F
		add	eax, ecx
		mov	[edx], eax
		mov	edx, [ebp+var_10]
		mov	edx, [edx]
		test	edx, edx
		jz	short loc_82B35F

loc_82B355:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+5FDj
		add	[eax], ecx
		lea	eax, [eax+8]
		sub	edx, 1
		jnz	short loc_82B355

loc_82B35F:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+5E6j
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+5F3j
		mov	eax, [ebx+9Ch]
		movzx	eax, byte ptr [eax+1]
		lea	ecx, ds:8[eax*4]
		mov	eax, [ebx+0A4h]
		mov	[ebp+arg_8], ecx
		test	eax, eax
		jz	short loc_82B386
		movzx	eax, word ptr [eax+2]
		add	ecx, eax
		mov	[ebp+arg_8], ecx

loc_82B386:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+61Bj
		push	64546553h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+arg_10], ecx
		mov	[esi+0A0h], ecx
		test	ecx, ecx
		jnz	short loc_82B3C4
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, 0C000009Ah
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_82B3C4:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+640j
		push	[ebp+arg_8]	; size_t
		mov	eax, [ebx+0A0h]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_10]
		add	esp, 0Ch
		sub	ecx, [ebx+0A0h]
		mov	eax, [ebx+0A4h]
		mov	[esi+0A4h], eax
		test	eax, eax
		jz	short loc_82B3F8
		add	eax, ecx
		mov	[esi+0A4h], eax

loc_82B3F8:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+68Ej
		mov	eax, [ebx+9Ch]
		add	eax, ecx
		mov	[esi+9Ch], eax
		mov	eax, [ebx+1E8h]
		test	eax, eax
		jz	short loc_82B427
		mov	edx, [ebx+1E0h]
		mov	ecx, esi
		push	eax
		mov	eax, [ebx+1E4h]
		push	eax
		call	SepSetTokenCapabilities
		mov	edi, eax

loc_82B427:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+6AEj
		test	edi, edi
		js	loc_82B2EE
		mov	edx, [ebx+1E0h]
		test	edx, edx
		jz	short loc_82B442
		mov	ecx, esi
		call	_SepSetTokenPackage@8 ;	SepSetTokenPackage(x,x)
		mov	edi, eax

loc_82B442:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+6D7j
		test	edi, edi
		js	loc_82B2EE
		mov	ecx, [ebx+274h]
		mov	edx, 1
		test	ecx, ecx
		jz	short loc_82B478
		mov	eax, edx
		lock xadd [ecx+0Ch], eax
		inc	eax
		cmp	eax, edx
		jg	short loc_82B46C
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_82B46C:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+703j
		mov	eax, [ebx+274h]
		mov	[esi+274h], eax

loc_82B478:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+6F7j
		mov	ecx, [ebx+278h]
		test	ecx, ecx
		jz	short loc_82B4A2
		mov	eax, edx
		lock xadd [ecx+0Ch], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_82B496
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_82B496:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+72Dj
		mov	eax, [ebx+278h]
		mov	[esi+278h], eax

loc_82B4A2:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+720j
		mov	ecx, [ebx+298h]
		test	ecx, ecx
		jz	short loc_82B4CC
		mov	eax, edx
		lock xadd [ecx+0Ch], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_82B4C0
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_82B4C0:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+757j
		mov	eax, [ebx+298h]
		mov	[esi+298h], eax

loc_82B4CC:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+74Aj
		cmp	dword ptr [ebx+27Ch], 0
		jz	short loc_82B4E8
		mov	edx, esi
		mov	ecx, ebx
		call	_SepDuplicateTokenClaims@8 ; SepDuplicateTokenClaims(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_82B2EE

loc_82B4E8:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+773j
		mov	ecx, [ebx+280h]
		xor	edi, edi
		mov	[ebp+arg_8], edi
		mov	[ebp+var_14], edi
		test	ecx, ecx
		jz	short loc_82B50B
		lea	edx, [ebp+var_14]
		call	_SepDuplicateSid@8 ; SepDuplicateSid(x,x)
		mov	edi, eax
		mov	[ebp+arg_8], edi
		test	edi, edi
		js	short loc_82B530

loc_82B50B:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+798j
		mov	eax, [esi+280h]
		test	eax, eax
		jz	short loc_82B527
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [esi+280h], 0

loc_82B527:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+7B3j
		mov	eax, [ebp+var_14]
		mov	[esi+280h], eax

loc_82B530:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+7A9j
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		js	loc_82B2FB
		cmp	ds:_SeTokenLeakTracking, 0
		mov	edi, [ebp+arg_C]
		jz	loc_82B5F6
		mov	eax, large fs:124h
		mov	ecx, [edi+294h]
		mov	eax, [eax+2ACh]
		mov	[ecx], eax
		mov	eax, large fs:124h
		mov	ecx, [edi+294h]
		mov	eax, [eax+2B0h]
		mov	[ecx+4], eax
		mov	eax, [edi+294h]
		mov	dword ptr [eax+18h], 0Dh
		mov	eax, [edi+294h]
		mov	dword ptr [eax+94h], 0
		mov	eax, [edi+294h]
		mov	dword ptr [eax+98h], 0
		mov	eax, large fs:124h
		mov	ecx, [edi+294h]
		mov	esi, [ebp+var_4]
		mov	edx, [eax+80h]
		mov	eax, [edx+1ACh]
		mov	[ecx+8], eax
		mov	eax, [edx+1B0h]
		mov	[ecx+0Ch], eax
		mov	eax, [edx+1B4h]
		mov	[ecx+10h], eax
		mov	ax, [edx+1B8h]
		mov	[ecx+14h], ax
		mov	al, [edx+1BAh]
		mov	[ecx+16h], al
		mov	ecx, esi
		call	_SepAddTokenLogonSession@4 ; SepAddTokenLogonSession(x)

loc_82B5F6:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+7EFj
		cmp	[ebp+arg_0], 0
		jz	short loc_82B603
		mov	ecx, esi
		call	SepMakeTokenEffectiveOnly

loc_82B603:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+89Aj
		lea	eax, [esi+0CCh]
		push	eax		; void *
		mov	eax, [esi+7Ch]
		push	eax		; int
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		push	eax		; int
		call	RtlSidHashInitialize
		lea	eax, [esi+154h]
		push	eax		; void *
		mov	eax, [ebp+var_10]
		mov	eax, [eax]
		push	eax		; int
		mov	eax, [ebp+var_24]
		mov	eax, [eax]
		push	eax		; int
		call	RtlSidHashInitialize
		mov	eax, [ebp+var_20]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_82B649
		mov	eax, [ebp+var_18]
		push	[ebp+var_1C]	; void *
		mov	eax, [eax]
		push	eax		; int
		push	ecx		; int
		call	RtlSidHashInitialize

loc_82B649:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+8D8j
		cmp	ds:_SeTokenLeakTracking, 0
		jz	short loc_82B6CA
		cmp	_SepTokenLeakMethodWatch, 0Dh
		jnz	short loc_82B6CA
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+0E4h]
		cmp	eax, _SepTokenLeakProcessCid
		jnz	short loc_82B6C7
		mov	ecx, 1
		lock xadd _SepTokenLeakMethodCount, ecx
		inc	ecx
		mov	eax, [edi+294h]
		mov	[eax+94h], ecx
		mov	eax, [edi+294h]
		mov	eax, [eax+94h]
		cmp	eax, _SepTokenLeakBreakCount
		jl	short loc_82B6C7
		mov	esi, [ebp+var_4]
		push	esi
		push	eax
		push	offset ??_C@_0BL@PEIKBMNL@?6Token?5number?50x?$CFx?5?$DN?50x?$CFp?6@NNGAKEGL@ ;	"\nToken number	0x%x = 0x%p\n"
		call	_DbgPrint
		add	esp, 0Ch
		int	3		; Trap to Debugger
		mov	eax, [ebp+arg_14]
		mov	[eax], esi
		mov	eax, [ebp+arg_8]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_82B6C7:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+913j
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+941j
		mov	esi, [ebp+var_4]

loc_82B6CA:				; CODE XREF: SepDuplicateToken(x,x,x,x,x,x,x,x)+8F0j
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+8F9j
		mov	eax, [ebp+arg_14]
		pop	edi
		mov	[eax], esi
		mov	eax, [ebp+arg_8]
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_SepDuplicateToken@32 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObCreateObjectEx proc near		; CODE XREF: TtmiCreateEventQueue(x,x)+58p
					; VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+51p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 0092223E SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, large fs:20h
		push	ebx
		push	esi
		mov	[esp+1Ch+var_10], ecx
		mov	ebx, [eax+5C0h]
		mov	ecx, ebx
		push	edi
		mov	edi, edx
		mov	[esp+20h+var_8], 0
		mov	[esp+20h+var_4], 0
		inc	dword ptr [ebx+0Ch]
		mov	[esp+20h+var_C], 0
		mov	[esp+20h+var_14], eax
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_82B843
		mov	ebx, [esp+20h+var_14]

loc_82B734:				; CODE XREF: ObCreateObjectEx+180j
					; ObCreateObjectEx+1A2j
		mov	eax, [ebx+3CCh]
		mov	bl, [ebp+arg_4]
		mov	cl, byte ptr [esp+20h+var_10]
		mov	dl, bl
		push	0
		mov	[esi], eax
		lea	eax, [esp+24h+var_8]
		push	esi
		push	eax
		push	[ebp+arg_0]
		call	ObpCaptureObjectCreateInformation
		mov	[esp+30h+var_24], eax
		test	eax, eax
		js	loc_922248
		mov	eax, [esi]
		test	[edi+30h], eax
		jnz	loc_922294
		test	al, 10h
		jnz	short loc_82B7CE

loc_82B770:				; CODE XREF: ObCreateObjectEx+105j
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jnz	short loc_82B77A
		mov	eax, [edi+50h]

loc_82B77A:				; CODE XREF: ObCreateObjectEx+95j
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jnz	short loc_82B784
		mov	ecx, [edi+54h]

loc_82B784:				; CODE XREF: ObCreateObjectEx+9Fj
		push	[ebp+arg_1C]
		mov	[esi+0Ch], eax
		mov	dl, bl
		lea	eax, [esp+34h+var_1C]
		mov	[esi+10h], ecx
		push	eax
		push	[ebp+arg_C]
		lea	eax, [esp+3Ch+var_18]
		mov	ecx, esi
		push	eax
		push	edi
		call	_ObpAllocateObject@28 ;	ObpAllocateObject(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_82B7EC
		cmp	ds:_ObpTraceFlags, 0
		mov	esi, [esp+30h+var_1C]
		jnz	loc_92229E

loc_82B7BB:				; CODE XREF: ObCreateObjectEx+F6BD5j
		mov	eax, [ebp+arg_18]
		lea	ecx, [esi+18h]
		mov	[eax], ecx
		mov	eax, edi

loc_82B7C5:				; CODE XREF: ObCreateObjectEx+F6B63j
					; ObCreateObjectEx+F6BAFj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_82B7CE:				; CODE XREF: ObCreateObjectEx+8Ej
		push	[esp+30h+var_20]
		mov	eax, ds:dword_A94A34
		push	eax
		mov	eax, ds:_SeCreatePermanentPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_82B770
		mov	edi, 0C0000061h

loc_82B7EC:				; CODE XREF: ObCreateObjectEx+C8j
					; ObCreateObjectEx+F6BB9j
		cmp	[esp+30h+var_14], 0
		jz	short loc_82B7FC
		lea	ecx, [esp+30h+var_18]
		call	ObpFreeObjectNameBuffer

loc_82B7FC:				; CODE XREF: ObCreateObjectEx+111j
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_82B817
		movzx	eax, byte ptr [esi+8]
		push	1
		push	eax
		push	ecx
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	dword ptr [esi+18h], 0

loc_82B817:				; CODE XREF: ObCreateObjectEx+121j
		mov	edx, large fs:20h
		mov	ecx, [edx+5C0h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	short loc_82B88D

loc_82B831:				; CODE XREF: ObCreateObjectEx+1C1j
		mov	edx, esi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_82B843:				; CODE XREF: ObCreateObjectEx+4Aj
		inc	dword ptr [ebx+10h]
		mov	ebx, [esp+20h+var_14]
		mov	ecx, [ebx+5C4h]
		mov	[esp+20h+var_14], ecx
		inc	dword ptr [ecx+0Ch]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_82B734
		mov	ecx, [esp+20h+var_14]
		mov	eax, [ecx+20h]
		inc	dword ptr [ecx+10h]
		push	eax
		mov	eax, [ecx+24h]
		push	eax
		mov	eax, [ecx+1Ch]
		push	eax
		mov	eax, [ecx+28h]
		call	eax
		mov	esi, eax
		test	esi, esi
		jnz	loc_82B734
		jmp	loc_92223E
; 

loc_82B88D:				; CODE XREF: ObCreateObjectEx+14Fj
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5C4h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_82B831
		mov	eax, [ecx+2Ch]
		inc	dword ptr [ecx+18h]
		push	esi
		call	eax
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
ObCreateObjectEx endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObInsertObjectEx(x,	x, x, x, x, x, x)
_ObInsertObjectEx@28 proc near		; CODE XREF: NtCreateTimer+ECp
					; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+45Ep ...

var_1E4		= dword	ptr -1E4h
var_1C0		= dword	ptr -1C0h
var_1B5		= byte ptr -1B5h
var_1B4		= dword	ptr -1B4h
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_191		= byte ptr -191h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_D0		= dword	ptr -0D0h
var_28		= dword	ptr -28h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 19Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+19Ch+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		mov	[esp+1A8h+var_16C], eax
		mov	esi, ecx
		mov	eax, [ebp+arg_10]
		mov	edi, edx
		push	0C4h		; size_t
		mov	[esp+1ACh+var_170], eax
		lea	eax, [esp+1ACh+var_D0]
		push	0		; int
		push	eax		; void *
		mov	[esp+1B4h+var_17C], esi
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+1A8h+var_148]
		push	74h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ebx, [esi-8]
		lea	eax, [esi-18h]
		mov	[esp+1B4h+var_15C], eax
		xor	edx, edx
		shr	eax, 8
		add	esp, 0Ch
		movzx	ecx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	ecx, eax
		mov	[esp+1A8h+var_180], edx
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		lea	ecx, [esi-18h]
		mov	[esp+1A8h+var_19C], eax
		mov	al, [ecx+0Eh]
		test	al, 2
		jz	short loc_82B972
		movzx	eax, al
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		jz	short loc_82B96F
		lea	edx, [ecx+4]
		mov	[esp+1A8h+var_180], edx

loc_82B96F:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+A6j
		lea	ecx, [esi-18h]

loc_82B972:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+95j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[esp+1A8h+var_191], al
		mov	byte ptr [esp+1A8h+var_168], al
		mov	eax, [esp+1A8h+var_19C]
		test	byte ptr [eax+2Ah], 8
		jnz	loc_82BA73
		test	edx, edx
		jnz	loc_82BA73
		cmp	[ebx+18h], edx
		jnz	loc_82BA73
		mov	eax, [esp+1A8h+var_170]
		mov	[ecx+10h], edx
		test	eax, eax
		jz	short loc_82B9D6
		push	eax
		push	[esp+1ACh+var_16C]
		mov	[eax], edx
		xor	ecx, ecx
		mov	eax, [ebx]
		push	edx
		push	edx
		push	[esp+1B8h+var_168]
		push	eax
		mov	eax, [ebp+arg_4]
		inc	eax
		push	eax
		push	edx
		push	[ebp+arg_0]
		mov	edx, esi
		call	_ObpCreateHandle@44 ; ObpCreateHandle(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		jmp	short loc_82B9D8
; 

loc_82B9D6:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+EEj
		xor	edi, edi

loc_82B9D8:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+114j
		mov	edx, [ebx+18h]
		test	edx, edx
		jz	short loc_82B9F3
		movzx	ecx, byte ptr [ebx+8]
		push	1
		push	ecx
		push	edx
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	dword ptr [ebx+18h], 0

loc_82B9F3:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+11Dj
		mov	edx, large fs:20h
		mov	ecx, [edx+5C0h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_82BA4C
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5C4h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_82BA4C
		mov	eax, [ecx+2Ch]
		inc	dword ptr [ecx+18h]
		push	ebx
		call	eax
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+1A0h+var_8]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82BA4C:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+14Bj
					; ObInsertObjectEx(x,x,x,x,x,x,x)+161j
		mov	edx, ebx
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+19Ch+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82BA73:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+CEj
					; ObInsertObjectEx(x,x,x,x,x,x,x)+D6j ...
		test	edi, edi
		jnz	loc_82BC3F
		mov	eax, large fs:124h
		lea	edi, [esp+1A8h+var_148]
		mov	esi, large fs:124h
		mov	[esp+1A8h+var_18C], esi
		mov	[esp+1A8h+var_154], 0
		mov	ecx, [eax+80h]
		mov	[esp+1A8h+var_190], ecx
		mov	eax, [ecx+0E4h]
		mov	[esp+1A8h+var_14C], eax
		test	esi, esi
		jz	loc_82BB48
		mov	eax, [esi+2FCh]
		test	al, 8
		jnz	short loc_82BAC5
		xor	esi, esi
		jmp	loc_82BB48
; 

loc_82BAC5:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+1FCj
		mov	eax, large fs:124h
		mov	[esp+1A8h+var_198], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esi+2F0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[esp+1A8h+var_178], eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+2FCh]
		test	al, 8
		jz	short loc_82BB17
		mov	esi, [esi+2C8h]
		and	esi, 0FFFFFFF8h
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [esp+1A8h+var_18C]
		mov	eax, [ecx+2C8h]
		and	eax, 3
		mov	[esp+1A8h+var_154], eax
		jmp	short loc_82BB19
; 

loc_82BB17:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+232j
		xor	esi, esi

loc_82BB19:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+255j
		mov	ecx, [esp+1A8h+var_178]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_82BB36
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [esp+1A8h+var_178]

loc_82BB36:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+26Bj
		call	KeAbPostRelease
		mov	ecx, [esp+1A8h+var_198]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, [esp+1A8h+var_190]

loc_82BB48:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+1EEj
					; ObInsertObjectEx(x,x,x,x,x,x,x)+200j
		lea	ecx, [ecx+12Ch]
		mov	[esp+1A8h+var_158], esi
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_82BBC4
		mov	eax, large fs:124h
		mov	[esp+1A8h+var_198], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [esp+1A8h+var_190]
		xor	edx, edx
		add	esi, 0E0h
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	ecx, [esp+1A8h+var_190]
		lea	ecx, [ecx+12Ch]
		call	@ObFastReferenceObjectLocked@4 ; ObFastReferenceObjectLocked(x)
		mov	[esp+1A8h+var_18C], eax
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_82BBAC
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_82BBAC:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+2E3j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [esp+1A8h+var_198]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	esi, [esp+1A8h+var_158]
		mov	ecx, [esp+1A8h+var_18C]

loc_82BBC4:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+29Bj
		cmp	ds:_SeTokenLeakTracking, 0
		mov	[esp+1A8h+var_150], ecx
		jz	short loc_82BC07
		test	ecx, ecx
		jz	short loc_82BBEC
		mov	eax, [ecx+294h]
		add	eax, 98h
		lock inc dword ptr [eax]
		cmp	ecx, _SepTokenLeakToken
		jnz	short loc_82BBEC
		int	3		; Trap to Debugger

loc_82BBEC:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+313j
					; ObInsertObjectEx(x,x,x,x,x,x,x)+329j
		test	esi, esi
		jz	short loc_82BC07
		mov	eax, [esi+294h]
		add	eax, 98h
		lock inc dword ptr [eax]
		cmp	esi, _SepTokenLeakToken
		jnz	short loc_82BC07
		int	3		; Trap to Debugger

loc_82BC07:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+30Fj
					; ObInsertObjectEx(x,x,x,x,x,x,x)+32Ej	...
		mov	eax, [esp+1A8h+var_19C]
		lea	edx, [esp+1A8h+var_148]	; void *
		add	eax, 34h
		lea	ecx, [esp+1A8h+var_158]	; int
		push	eax		; int
		push	[ebp+arg_0]	; int
		lea	eax, [esp+1B0h+var_D0]
		push	eax		; void *
		call	_SepCreateAccessStateFromSubjectContext@20 ; SepCreateAccessStateFromSubjectContext(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_82BC3B
		mov	ecx, [esp+1A8h+var_17C]
		call	ObfDereferenceObject
		jmp	loc_82C012
; 

loc_82BC3B:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+36Bj
		mov	esi, [esp+1A8h+var_17C]

loc_82BC3F:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+1B5j
		mov	eax, [ebx+18h]
		mov	[esp+1A8h+var_198], eax
		mov	[edi+2Ch], eax
		test	eax, eax
		jz	short loc_82BC76
		push	eax
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jz	loc_82BD8F
		mov	ecx, [esp+1A8h+var_198]
		test	byte ptr [ecx+2], 10h
		jz	short loc_82BC76
		test	dword ptr [edi+14h], 1000000h
		jnz	short loc_82BC76
		call	SeObjectCreateSaclAccessBits
		or	[edi+10h], eax

loc_82BC76:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+38Bj
					; ObInsertObjectEx(x,x,x,x,x,x,x)+3A3j	...
		mov	eax, [esp+1A8h+var_180]
		mov	ecx, [esp+1A8h+var_19C]
		test	eax, eax
		jnz	loc_82BE4D
		test	byte ptr [ecx+2Ah], 8
		jnz	short loc_82BC95
		cmp	[ebx+18h], eax
		jz	loc_82BE4D

loc_82BC95:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+3CAj
		mov	eax, [ebp+arg_8]
		mov	edx, [edi+2Ch]
		and	eax, 1
		shl	eax, 4
		mov	[ebp+arg_8], eax
		lea	eax, [esp+1A8h+var_164]
		push	eax
		lea	eax, [esp+1ACh+var_174]
		mov	[esp+1ACh+var_164], 0
		push	eax
		push	0
		mov	[esp+1B4h+var_174], 0
		mov	[esp+1B4h+var_184], 0
		mov	[esp+1B4h+var_188], 0
		mov	[esp+1B4h+var_160], 0
		mov	[esp+1B4h+var_164], 8
		call	SeComputeAutoInheritByObjectTypeEx
		mov	[esp+1A8h+var_190], eax
		test	eax, eax
		js	short loc_82BD55
		mov	ecx, [esp+1A8h+var_174]
		or	ecx, [ebp+arg_8]
		mov	eax, [esp+1A8h+var_19C]
		cmp	eax, _ObpDirectoryObjectType
		mov	edx, [esp+1A8h+var_188]
		setz	al
		mov	byte ptr [esp+1A8h+var_198], al
		test	edx, edx
		jnz	short loc_82BD10
		mov	edx, [edi+2Ch]

loc_82BD10:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+44Bj
		mov	eax, [esp+1A8h+var_19C]
		push	ecx
		add	eax, 34h
		push	eax
		mov	[esp+1B0h+var_18C], eax
		lea	eax, [edi+1Ch]
		push	eax
		lea	eax, [esp+1B4h+var_164]
		push	eax
		push	ecx
		push	[esp+1BCh+var_198]
		lea	eax, [esp+1C0h+var_184]
		xor	ecx, ecx
		push	0
		push	eax
		call	_SeAssignSecurityEx2@40	; SeAssignSecurityEx2(x,x,x,x,x,x,x,x,x,x)
		mov	[esp+1A8h+var_190], eax
		test	eax, eax
		mov	eax, [esp+1A8h+var_188]
		jns	loc_82BDCA
		test	eax, eax
		jz	short loc_82BD55
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_82BD55:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+42Bj
					; ObInsertObjectEx(x,x,x,x,x,x,x)+48Bj	...
		mov	ecx, esi
		call	ObfDereferenceObject
		lea	eax, [esp+1A8h+var_148]
		cmp	edi, eax
		jnz	short loc_82BD74
		mov	ecx, edi
		call	SepDeleteAccessState
		lea	eax, [edi+1Ch]
		push	eax
		call	SeReleaseSubjectContext

loc_82BD74:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+4A2j
		mov	eax, [esp+1A8h+var_190]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+19Ch+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82BD8F:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+395j
		mov	ecx, esi
		call	ObfDereferenceObject
		lea	eax, [esp+1A8h+var_148]
		cmp	edi, eax
		jnz	short loc_82BDAE
		mov	ecx, edi
		call	SepDeleteAccessState
		lea	eax, [edi+1Ch]
		push	eax
		call	SeReleaseSubjectContext

loc_82BDAE:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+4DCj
		mov	eax, 0C0000079h
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [esp+19Ch+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82BDCA:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+483j
		test	eax, eax
		jz	short loc_82BDD6
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_82BDD6:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+50Cj
		mov	eax, [esp+1A8h+var_19C]
		mov	ecx, [eax+6Ch]
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+1A8h+var_198], al
		push	[esp+1A8h+var_198]
		push	[esp+1ACh+var_18C]
		push	1
		push	0
		push	0
		push	[esp+1BCh+var_184]
		push	0
		push	3
		push	esi
		call	ecx
		mov	[esp+1CCh+var_1B4], eax
		test	eax, eax
		jns	short loc_82BE1D
		lea	eax, [esp+1CCh+var_1A8]
		push	eax
		call	_SeDeassignSecurity@4 ;	SeDeassignSecurity(x)
		jmp	loc_82BD55
; 

loc_82BE1D:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+54Cj
		mov	al, [ebx+8]
		mov	ecx, [ebx+18h]
		test	al, al
		jz	short loc_82BE2B
		cmp	al, 1
		jnz	short loc_82BE37

loc_82BE2B:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+565j
		test	ecx, ecx
		jz	short loc_82BE37
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_82BE37:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+569j
					; ObInsertObjectEx(x,x,x,x,x,x,x)+56Dj
		mov	eax, [esp+1CCh+var_1A4]
		mov	ecx, [esp+1CCh+var_1C0]
		mov	dword ptr [ebx+18h], 0
		mov	dword ptr [edi+2Ch], 0

loc_82BE4D:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+3C0j
					; ObInsertObjectEx(x,x,x,x,x,x,x)+3CFj
		mov	edx, [esp+38h]
		mov	dword ptr [esi-8], 0
		test	edx, edx
		jz	short loc_82BE9C
		push	edx
		push	[esp+1D0h+var_190]
		neg	eax
		mov	dword ptr [edx], 0
		push	0
		sbb	eax, eax
		mov	edx, esi
		and	eax, ebx
		xor	ecx, ecx
		push	eax
		push	[esp+1DCh+var_18C]
		mov	eax, [ebx]
		push	eax
		mov	eax, [ebp+arg_4]
		inc	eax
		push	eax
		push	edi
		push	0
		call	_ObpCreateHandle@44 ; ObpCreateHandle(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, esi
		mov	[esp+1F0h+var_1E4], eax
		call	ObfDereferenceObject
		mov	esi, [esp+1F0h+var_1E4]
		jmp	loc_82BF23
; 

loc_82BE9C:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+59Aj
		lea	eax, [esp+1CCh+var_16C]
		cmp	edi, eax
		jz	short loc_82BED0
		test	dword ptr [ebx], 400h
		mov	dl, 1
		jnz	short loc_82BEB2
		mov	dl, [esp+1CCh+var_1B5]

loc_82BEB2:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+5ECj
		push	esi
		push	ecx
		mov	ecx, edi
		call	ObpAdjustCreatorAccessState
		mov	[esp+1CCh+var_1C0], eax
		test	eax, eax
		jns	short loc_82BED0
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	esi, [esp+1CCh+var_1C0]
		jmp	short loc_82BF23
; 

loc_82BED0:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+5E2j
					; ObInsertObjectEx(x,x,x,x,x,x,x)+601j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi-10h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, [esp+1CCh+var_180]
		push	0
		mov	edx, [eax+80h]
		call	ObpChargeQuotaForObject
		xor	edx, edx
		mov	[esp+1CCh+var_1C0], eax
		lea	ecx, [esi-10h]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	esi, [esp+1CCh+var_1C0]
		test	esi, esi
		jns	short loc_82BF23
		mov	ecx, [esp+1CCh+var_1A0]
		call	ObfDereferenceObject

loc_82BF23:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+5D7j
					; ObInsertObjectEx(x,x,x,x,x,x,x)+60Ej	...
		mov	ecx, [ebx+18h]
		test	ecx, ecx
		jz	short loc_82BF3E
		movzx	eax, byte ptr [ebx+8]
		push	1
		push	eax
		push	ecx
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	dword ptr [ebx+18h], 0

loc_82BF3E:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+668j
		mov	edx, large fs:20h
		mov	ecx, [edx+5C0h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_82BF79
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5C4h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_82BF79
		mov	eax, [ecx+2Ch]
		inc	dword ptr [ecx+18h]
		push	ebx
		call	eax
		jmp	short loc_82BF80
; 

loc_82BF79:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+696j
					; ObInsertObjectEx(x,x,x,x,x,x,x)+6ACj
		mov	edx, ebx
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_82BF80:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+6B7j
		lea	eax, [esp+1CCh+var_16C]
		cmp	edi, eax
		jnz	loc_82C012
		mov	ecx, edi
		call	SepDeleteAccessState
		cmp	ds:_SeTokenLeakTracking, 0
		jz	short loc_82BFDE
		mov	eax, [edi+24h]
		test	eax, eax
		jz	short loc_82BFBD
		mov	eax, [eax+294h]
		add	eax, 98h
		lock dec dword ptr [eax]
		mov	eax, [edi+24h]
		cmp	eax, _SepTokenLeakToken
		jnz	short loc_82BFBD
		int	3		; Trap to Debugger

loc_82BFBD:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+6E1j
					; ObInsertObjectEx(x,x,x,x,x,x,x)+6FAj
		mov	eax, [edi+1Ch]
		test	eax, eax
		jz	short loc_82BFDE
		mov	eax, [eax+294h]
		add	eax, 98h
		lock dec dword ptr [eax]
		mov	eax, [edi+1Ch]
		cmp	eax, _SepTokenLeakToken
		jnz	short loc_82BFDE
		int	3		; Trap to Debugger

loc_82BFDE:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+6DAj
					; ObInsertObjectEx(x,x,x,x,x,x,x)+702j	...
		mov	eax, large fs:124h
		mov	edx, [edi+24h]
		mov	ecx, [eax+80h]
		add	ecx, 12Ch
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	ecx, [edi+1Ch]
		mov	dword ptr [edi+24h], 0
		test	ecx, ecx
		jz	short loc_82C00B
		call	ObfDereferenceObject

loc_82C00B:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+744j
		mov	dword ptr [edi+1Ch], 0

loc_82C012:				; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+376j
					; ObInsertObjectEx(x,x,x,x,x,x,x)+6C6j
		mov	ecx, [esp+1CCh+var_28]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
_ObInsertObjectEx@28 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeDefaultObjectMethod proc near		; DATA XREF: ObDuplicateObject+40Bo
					; PAGE:00816A15o ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 009222BA SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		cmp	eax, 3		; switch 4 cases
		ja	loc_9222D2	; default
		jmp	ds:off_82C204[eax*4] ; switch jump

loc_82C04B:				; DATA XREF: PAGE:off_82C204o
		mov	esi, [ebp+arg_C] ; case	0x3
		mov	[ebp+arg_8], 0
		test	esi, esi
		jz	loc_82C1C2
		push	8
		lea	eax, [ebp+arg_8]
		push	eax
		push	esi
		call	ObLogSecurityDescriptor
		mov	edi, eax
		test	edi, edi
		js	short loc_82C0D0
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_82C0C9
		add	ecx, 7
		mov	[eax-4], ecx
		jmp	short loc_82C0D0
; 

loc_82C089:				; CODE XREF: SeDefaultObjectMethod+14j
					; DATA XREF: PAGE:off_82C204o
		mov	eax, [ebp+arg_14] ; case 0x2
		mov	esi, [eax]
		mov	edi, esi
		and	esi, 0FFFFFFF8h
		mov	dword ptr [eax], 0
		sub	esi, 10h
		and	edi, 7
		mov	edx, [esi+4]
		lea	ebx, [esi+4]
		inc	edi
		mov	ecx, edx
		sub	ecx, edi
		test	ecx, ecx
		jle	short loc_82C110
		mov	edi, edi

loc_82C0B0:				; CODE XREF: SeDefaultObjectMethod+187j
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		mov	ecx, eax
		cmp	ecx, edx
		jnz	loc_82C1B1

loc_82C0C0:				; CODE XREF: SeDefaultObjectMethod+1C6j
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	24h
; 

loc_82C0C9:				; CODE XREF: SeDefaultObjectMethod+4Fj
		mov	dword ptr [eax-4], 0

loc_82C0D0:				; CODE XREF: SeDefaultObjectMethod+3Dj
					; SeDefaultObjectMethod+57j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	24h
; 

loc_82C0D9:				; CODE XREF: SeDefaultObjectMethod+14j
					; DATA XREF: PAGE:off_82C204o
		mov	edx, [ebp+arg_8] ; case	0x1
		push	ecx
		push	[ebp+arg_10]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_C]
		call	_ObQuerySecurityDescriptorInfo@20 ; ObQuerySecurityDescriptorInfo(x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	24h
; 

loc_82C0F2:				; CODE XREF: SeDefaultObjectMethod+14j
					; DATA XREF: PAGE:off_82C204o
		push	[ebp+arg_1C]	; case 0x0
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		call	ObSetSecurityDescriptorInfo
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	24h
; 

loc_82C110:				; CODE XREF: SeDefaultObjectMethod+7Cj
					; SeDefaultObjectMethod+18Dj
		jnz	loc_9222BA

loc_82C116:				; CODE XREF: SeDefaultObjectMethod+F6291j
		movzx	eax, byte ptr [esi+8]
		lea	ecx, _ObsSecurityDescriptorCache[eax*8]
		lea	eax, [ecx+4]
		mov	[ebp+arg_C], ecx
		mov	[ebp+arg_0], eax
		mov	eax, large fs:124h
		mov	[ebp+arg_8], eax
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, edi
		neg	eax
		lock xadd [ebx], eax
		sub	eax, edi
		test	eax, eax
		jg	loc_82C1D7
		jnz	loc_9222C6
		mov	edx, [ebp+arg_0]
		mov	ecx, [edx]
		cmp	ecx, esi
		jz	short loc_82C171

loc_82C163:				; CODE XREF: SeDefaultObjectMethod+13Cj
		mov	eax, [ecx]
		mov	[ebp+arg_0], ecx
		mov	ecx, eax
		cmp	eax, esi
		jnz	short loc_82C163
		mov	edx, [ebp+arg_0]

loc_82C171:				; CODE XREF: SeDefaultObjectMethod+131j
		mov	eax, [esi]
		mov	edi, [ebp+arg_C]
		mov	[edx], eax
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_82C1A8

loc_82C185:				; CODE XREF: SeDefaultObjectMethod+17Fj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+arg_8]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		push	6353624Fh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	24h
; 

loc_82C1A8:				; CODE XREF: SeDefaultObjectMethod+153j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_82C185
; 

loc_82C1B1:				; CODE XREF: SeDefaultObjectMethod+8Aj
		mov	edx, ecx
		sub	ecx, edi
		test	ecx, ecx
		jg	loc_82C0B0
		jmp	loc_82C110
; 

loc_82C1C2:				; CODE XREF: SeDefaultObjectMethod+27j
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		mov	dword ptr [eax-4], 0
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	24h
; 

loc_82C1D7:				; CODE XREF: SeDefaultObjectMethod+11Ej
					; SeDefaultObjectMethod+F629Dj
		mov	edi, [ebp+arg_C]
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_82C1FB

loc_82C1E7:				; CODE XREF: SeDefaultObjectMethod+1D2j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+arg_8]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	loc_82C0C0
; 

loc_82C1FB:				; CODE XREF: SeDefaultObjectMethod+1B5j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_82C1E7
SeDefaultObjectMethod endp

; 
off_82C204	dd offset loc_82C0F2	; DATA XREF: SeDefaultObjectMethod+14r
		dd offset loc_82C0D9	; jump table for switch	statement
		dd offset loc_82C089
		dd offset loc_82C04B
		align 10h
; Exported entry 1628. ObLogSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObLogSecurityDescriptor
ObLogSecurityDescriptor	proc near	; CODE XREF: ExpWnfCreateNameInstance+ABp
					; ObAssignObjectSecurityDescriptor(x,x,x)+1Cp ...

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_0]
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	ecx, eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_0]
		mov	esi, ecx
		and	esi, 0FFFFFFFCh
		mov	[ebp+var_10], ecx
		xor	ecx, ecx
		mov	edi, eax
		lea	edx, [esi+eax]
		add	esi, 7
		shr	esi, 3
		cmp	edx, eax
		sbb	edx, edx
		not	edx
		and	edx, esi
		jbe	short loc_82C26D
		lea	esp, [esp+0]

loc_82C260:				; CODE XREF: ObLogSecurityDescriptor+4Bj
		xor	ebx, [edi]
		lea	edi, [edi+8]
		inc	ecx
		rol	ebx, 3
		cmp	ecx, edx
		jb	short loc_82C260

loc_82C26D:				; CODE XREF: ObLogSecurityDescriptor+37j
		mov	ecx, large fs:124h
		movzx	eax, bl
		mov	[ebp+var_8], 0
		mov	[ebp+var_4], ecx
		dec	word ptr [ecx+13Ch]
		lea	eax, _ObsSecurityDescriptorCache[eax*8]
		mov	[ebp+var_C], eax
		lea	esi, [eax+4]
		nop
		mov	ecx, eax

loc_82C298:				; CODE XREF: ObLogSecurityDescriptor+F0j
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		nop

loc_82C2A0:				; CODE XREF: ObLogSecurityDescriptor+1C3j
		mov	edi, [esi]
		test	edi, edi
		jz	short loc_82C2B5

loc_82C2A6:				; CODE XREF: ObLogSecurityDescriptor+93j
		cmp	[edi+8], ebx
		jz	short loc_82C312
		ja	short loc_82C2B5

loc_82C2AD:				; CODE XREF: ObLogSecurityDescriptor+F8j
					; ObLogSecurityDescriptor+15Ej
		mov	esi, edi
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_82C2A6

loc_82C2B5:				; CODE XREF: ObLogSecurityDescriptor+84j
					; ObLogSecurityDescriptor+8Bj
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	loc_82C3D5
		mov	edi, [ebp+var_C]
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jnz	loc_82C437

loc_82C2D7:				; CODE XREF: ObLogSecurityDescriptor+21Ej
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		push	[ebp+arg_8]
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+arg_0]
		push	ebx
		call	_ObpCreateCacheEntry@16	; ObpCreateCacheEntry(x,x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_9222E5
		mov	eax, [ebp+var_4]
		lea	esi, [edi+4]
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, edi
		jmp	short loc_82C298
; 

loc_82C312:				; CODE XREF: ObLogSecurityDescriptor+89j
		mov	eax, [ebp+var_10]
		cmp	[edi+0Ch], eax
		jnz	short loc_82C2AD
		mov	ecx, [ebp+arg_0]
		lea	edx, [edi+10h]
		mov	esi, eax
		sub	esi, 4
		jb	short loc_82C338

loc_82C327:				; CODE XREF: ObLogSecurityDescriptor+116j
		mov	eax, [ecx]
		cmp	eax, [edx]
		jnz	short loc_82C33D
		add	ecx, 4
		add	edx, 4
		sub	esi, 4
		jnb	short loc_82C327

loc_82C338:				; CODE XREF: ObLogSecurityDescriptor+105j
		cmp	esi, 0FFFFFFFCh
		jz	short loc_82C37A

loc_82C33D:				; CODE XREF: ObLogSecurityDescriptor+10Bj
		mov	al, [ecx]
		cmp	al, [edx]
		jnz	loc_82C44C
		cmp	esi, 0FFFFFFFDh
		jz	short loc_82C37A
		mov	al, [ecx+1]
		cmp	al, [edx+1]
		jnz	loc_82C44C
		cmp	esi, 0FFFFFFFEh
		jz	short loc_82C37A
		mov	al, [ecx+2]
		cmp	al, [edx+2]
		jnz	loc_82C44C
		cmp	esi, 0FFFFFFFFh
		jz	short loc_82C37A
		mov	al, [ecx+3]
		cmp	al, [edx+3]
		jnz	loc_82C44C

loc_82C37A:				; CODE XREF: ObLogSecurityDescriptor+11Bj
					; ObLogSecurityDescriptor+12Aj	...
		xor	eax, eax

loc_82C37C:				; CODE XREF: ObLogSecurityDescriptor+231j
		test	eax, eax
		jnz	loc_82C2AD
		mov	ecx, [ebp+arg_8]
		lea	eax, [edi+4]
		lock xadd [eax], ecx
		test	ecx, ecx
		jg	short loc_82C399
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_82C399:				; CODE XREF: ObLogSecurityDescriptor+170j
		mov	ebx, [ebp+var_C]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	short loc_82C418

loc_82C3AC:				; CODE XREF: ObLogSecurityDescriptor+1FFj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, [ebp+arg_4]
		lea	ecx, [edi+10h]
		mov	[eax], ecx
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_82C421

loc_82C3CA:				; CODE XREF: ObLogSecurityDescriptor+1F6j
		xor	eax, eax

loc_82C3CC:				; CODE XREF: SeDefaultObjectMethod+F62BAj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_82C3D5:				; CODE XREF: ObLogSecurityDescriptor+9Aj
		mov	[eax], edi
		mov	ecx, eax
		mov	eax, edi
		lock cmpxchg [esi], ecx
		mov	esi, eax
		cmp	esi, edi
		jnz	loc_82C2A0
		mov	esi, [ebp+var_C]
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jnz	short loc_82C443

loc_82C3FC:				; CODE XREF: ObLogSecurityDescriptor+22Aj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_8]
		add	ecx, 10h
		mov	[eax], ecx
		jmp	short loc_82C3CA
; 

loc_82C418:				; CODE XREF: ObLogSecurityDescriptor+18Aj
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_82C3AC
; 

loc_82C421:				; CODE XREF: ObLogSecurityDescriptor+1A8j
		push	6353624Fh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_82C437:				; CODE XREF: ObLogSecurityDescriptor+B1j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_82C2D7
; 

loc_82C443:				; CODE XREF: ObLogSecurityDescriptor+1DAj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_82C3FC
; 

loc_82C44C:				; CODE XREF: ObLogSecurityDescriptor+121j
					; ObLogSecurityDescriptor+132j	...
		sbb	eax, eax
		or	eax, 1
		jmp	loc_82C37C
ObLogSecurityDescriptor	endp

; 
		align 10h
; Exported entry 2238. RtlLengthSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLengthSecurityDescriptor(x)
		public _RtlLengthSecurityDescriptor@4
_RtlLengthSecurityDescriptor@4 proc near
					; CODE XREF: AdtpBuildAccessReasonAuditString(x,x,x,x,x,x,x,x,x)+131p
					; ExpWnfLookupPermanentName+F1p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		movzx	ebx, word ptr [esi+2]
		mov	ecx, [esi+4]
		mov	edi, ebx
		test	di, di
		jns	short loc_82C482
		lea	eax, [ecx+esi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_82C482:				; CODE XREF: RtlLengthSecurityDescriptor(x)+17j
		mov	eax, 14h
		test	ecx, ecx
		jz	short loc_82C49C
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	eax, 14h

loc_82C49C:				; CODE XREF: RtlLengthSecurityDescriptor(x)+29j
		mov	edx, [esi+8]
		test	di, di
		jns	short loc_82C4AD
		lea	ecx, [edx+esi]
		neg	edx
		sbb	edx, edx
		and	edx, ecx

loc_82C4AD:				; CODE XREF: RtlLengthSecurityDescriptor(x)+42j
		test	edx, edx
		jz	short loc_82C4C1
		movzx	ecx, byte ptr [edx+1]
		lea	ecx, ds:0Bh[ecx*4]
		and	ecx, 0FFFFFFFCh
		add	eax, ecx

loc_82C4C1:				; CODE XREF: RtlLengthSecurityDescriptor(x)+4Fj
		test	bl, 4
		jz	short loc_82C4E7
		mov	edx, [esi+10h]
		test	di, di
		jns	short loc_82C4D7
		lea	ecx, [edx+esi]
		neg	edx
		sbb	edx, edx
		and	edx, ecx

loc_82C4D7:				; CODE XREF: RtlLengthSecurityDescriptor(x)+6Cj
		test	edx, edx
		jz	short loc_82C4E7
		movzx	ecx, word ptr [edx+2]
		add	ecx, 3
		and	ecx, 0FFFFFFFCh
		add	eax, ecx

loc_82C4E7:				; CODE XREF: RtlLengthSecurityDescriptor(x)+64j
					; RtlLengthSecurityDescriptor(x)+79j
		test	bl, 10h
		jz	short loc_82C50D
		mov	edx, [esi+0Ch]
		test	di, di
		jns	short loc_82C4FD
		lea	ecx, [edx+esi]
		neg	edx
		sbb	edx, edx
		and	edx, ecx

loc_82C4FD:				; CODE XREF: RtlLengthSecurityDescriptor(x)+92j
		test	edx, edx
		jz	short loc_82C50D
		movzx	ecx, word ptr [edx+2]
		add	ecx, 3
		and	ecx, 0FFFFFFFCh
		add	eax, ecx

loc_82C50D:				; CODE XREF: RtlLengthSecurityDescriptor(x)+8Aj
					; RtlLengthSecurityDescriptor(x)+9Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_RtlLengthSecurityDescriptor@4 endp

; 
		align 10h
; Exported entry 2402. RtlValidSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlValidSecurityDescriptor(x)
		public _RtlValidSecurityDescriptor@4
_RtlValidSecurityDescriptor@4 proc near	; CODE XREF: AdtpIsSDValidSelfRelative(x,x)+1Cp
					; ObOpenObjectByNameEx+51Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		cmp	byte ptr [esi],	1
		jnz	loc_82C5BA
		movzx	ebx, word ptr [esi+2]
		mov	ecx, [esi+4]
		mov	edi, ebx
		test	di, di
		jns	short loc_82C54B
		lea	eax, [ecx+esi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_82C54B:				; CODE XREF: RtlValidSecurityDescriptor(x)+20j
		test	ecx, ecx
		jnz	short loc_82C5BE

loc_82C54F:				; CODE XREF: RtlValidSecurityDescriptor(x)+A6j
		mov	ecx, [esi+8]
		test	di, di
		jns	short loc_82C560
		lea	eax, [ecx+esi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_82C560:				; CODE XREF: RtlValidSecurityDescriptor(x)+35j
		test	ecx, ecx
		jnz	short loc_82C5CA

loc_82C564:				; CODE XREF: RtlValidSecurityDescriptor(x)+B2j
		test	bl, 4
		jz	short loc_82C588
		mov	eax, [esi+10h]
		test	di, di
		jns	short loc_82C57A
		lea	ecx, [eax+esi]
		neg	eax
		sbb	eax, eax
		and	eax, ecx

loc_82C57A:				; CODE XREF: RtlValidSecurityDescriptor(x)+4Fj
		test	eax, eax
		jz	short loc_82C588
		push	eax
		call	RtlValidAcl
		test	al, al
		jz	short loc_82C5BA

loc_82C588:				; CODE XREF: RtlValidSecurityDescriptor(x)+47j
					; RtlValidSecurityDescriptor(x)+5Cj
		movzx	eax, word ptr [esi+2]
		mov	ecx, eax
		test	al, 10h
		jnz	short loc_82C59B

loc_82C592:				; CODE XREF: RtlValidSecurityDescriptor(x)+8Ej
					; RtlValidSecurityDescriptor(x)+98j
		mov	al, 1

loc_82C594:				; CODE XREF: RtlValidSecurityDescriptor(x)+9Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_82C59B:				; CODE XREF: RtlValidSecurityDescriptor(x)+70j
		test	cx, cx
		mov	ecx, [esi+0Ch]
		jns	short loc_82C5AC
		lea	eax, [ecx+esi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_82C5AC:				; CODE XREF: RtlValidSecurityDescriptor(x)+81j
		test	ecx, ecx
		jz	short loc_82C592
		push	ecx
		call	RtlValidAcl
		test	al, al
		jnz	short loc_82C592

loc_82C5BA:				; CODE XREF: RtlValidSecurityDescriptor(x)+Ej
					; RtlValidSecurityDescriptor(x)+66j ...
		xor	al, al
		jmp	short loc_82C594
; 

loc_82C5BE:				; CODE XREF: RtlValidSecurityDescriptor(x)+2Dj
		push	ecx
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jnz	short loc_82C54F
		jmp	short loc_82C5BA
; 

loc_82C5CA:				; CODE XREF: RtlValidSecurityDescriptor(x)+42j
		push	ecx
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jnz	short loc_82C564
		jmp	short loc_82C5BA
_RtlValidSecurityDescriptor@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2499. SeReleaseSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeReleaseSecurityDescriptor(x, x, x)
		public _SeReleaseSecurityDescriptor@12
_SeReleaseSecurityDescriptor@12	proc near
					; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+72Ap
					; AlpcpConnectPort+230p ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [ebp+arg_4]
		test	al, al
		jz	short loc_82C600

loc_82C5E8:				; CODE XREF: SeReleaseSecurityDescriptor(x,x,x)+2Aj
		cmp	al, 1
		jnz	short loc_82C5FC

loc_82C5EC:				; CODE XREF: SeReleaseSecurityDescriptor(x,x,x)+28j
		cmp	[ebp+arg_0], 0
		jz	short loc_82C5FC
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_82C5FC:				; CODE XREF: SeReleaseSecurityDescriptor(x,x,x)+Ej
					; SeReleaseSecurityDescriptor(x,x,x)+14j
		pop	ebp
		retn	0Ch
; 

loc_82C600:				; CODE XREF: SeReleaseSecurityDescriptor(x,x,x)+Aj
		cmp	[ebp+arg_8], 1
		jz	short loc_82C5EC
		jmp	short loc_82C5E8
_SeReleaseSecurityDescriptor@12	endp

; 
		align 10h
; Exported entry 2440. SeCaptureSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SeCaptureSecurityDescriptor(size_t,char,int,int,int)
		public SeCaptureSecurityDescriptor
SeCaptureSecurityDescriptor proc near	; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+36Ep
					; AlpcpConnectPort+246p ...

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_88		= dword	ptr -88h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 009222EF SIZE 0000001F BYTES
; FUNCTION CHUNK AT 00922330 SIZE 0000002B BYTES
; FUNCTION CHUNK AT 0092237D SIZE 0000001A BYTES
; FUNCTION CHUNK AT 009223B9 SIZE 00000024 BYTES
; FUNCTION CHUNK AT 009223FF SIZE 0000001A BYTES
; FUNCTION CHUNK AT 00922441 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6370
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0A0h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		xor	eax, eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_64], eax
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_54], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_48], ebx
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	loc_9222EF
		mov	al, [ebp+arg_4]
		test	al, al
		jz	loc_82CBBB

loc_82C68F:				; CODE XREF: SeCaptureSecurityDescriptor+5B6j
		mov	[ebp+var_4], ebx
		mov	ecx, edx
		test	dl, 3
		jnz	loc_82CE3C
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_922307

loc_82C6AA:				; CODE XREF: SeCaptureSecurityDescriptor+F5CF9j
		nop
		mov	al, [ecx]
		mov	ecx, [edx]
		mov	[ebp+var_B0], ecx
		mov	esi, [edx+4]
		mov	[ebp+var_AC], esi
		mov	edi, [edx+8]
		mov	[ebp+var_A8], edi
		mov	eax, [edx+0Ch]
		mov	[ebp+arg_C], eax
		mov	[ebp+var_A4], eax
		mov	ebx, [edx+10h]
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_64]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+var_44]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_58]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+var_48]
		mov	[ebp+var_2C], eax

loc_82C6FB:				; CODE XREF: SeCaptureSecurityDescriptor+5EBj
		cmp	cl, 1
		jnz	loc_922330
		mov	[ebp+var_4], 1
		mov	byte ptr [ebp+var_40], cl
		mov	eax, ecx
		shr	eax, 8
		mov	byte ptr [ebp+var_40+1], al
		shr	ecx, 10h
		mov	eax, ecx
		and	eax, 7FFFh
		mov	word ptr [ebp+var_40+2], ax
		test	cx, cx
		js	loc_82CB8C
		mov	eax, [edx+4]

loc_82C730:				; CODE XREF: SeCaptureSecurityDescriptor+587j
					; SeCaptureSecurityDescriptor+762j
		mov	[ebp+var_20], eax
		mov	[ebp+var_3C], eax
		test	cx, cx
		js	loc_82CB9C
		mov	edi, [edx+8]

loc_82C742:				; CODE XREF: SeCaptureSecurityDescriptor+596j
					; SeCaptureSecurityDescriptor+75Bj
		mov	[ebp+var_28], edi
		mov	[ebp+var_38], edi
		test	cl, 10h
		jnz	loc_82CC0F
		xor	eax, eax

loc_82C753:				; CODE XREF: SeCaptureSecurityDescriptor+615j
					; SeCaptureSecurityDescriptor+754j ...
		mov	[ebp+arg_C], eax
		mov	[ebp+var_34], eax
		test	cl, 4
		jz	loc_82CD97
		test	cx, cx
		js	loc_82CBAB
		mov	esi, [edx+10h]

loc_82C76E:				; CODE XREF: SeCaptureSecurityDescriptor+5A6j
					; SeCaptureSecurityDescriptor+789j ...
		mov	[ebp+var_1C], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	eax, eax
		mov	[ebp+arg_0], eax
		mov	[ebp+var_5C], eax
		xor	edx, edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_68], eax
		xor	ebx, ebx
		mov	[ebp+var_70], eax
		mov	eax, [ebp+var_40+2]
		mov	ecx, eax
		and	ecx, 10h
		mov	[ebp+var_88], ecx
		jnz	loc_82CC2A

loc_82C7A7:				; CODE XREF: SeCaptureSecurityDescriptor+61Fj
		xor	ecx, ecx
		mov	[ebp+arg_C], ecx
		mov	[ebp+var_34], ecx
		mov	dl, [ebp+arg_4]

loc_82C7B2:				; CODE XREF: SeCaptureSecurityDescriptor+6E2j
		and	eax, 4
		mov	[ebp+var_6C], eax
		jz	loc_82CD7E
		test	esi, esi
		jz	loc_82CD7E
		test	dl, dl
		jz	loc_82CC00
		mov	[ebp+var_4], 3
		add	esi, 2
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_92237D

loc_82C7E5:				; CODE XREF: SeCaptureSecurityDescriptor+F5D6Fj
		nop
		mov	ax, [esi]
		movzx	edx, ax
		mov	[ebp+var_4C], edx
		mov	[ebp+var_60], edx
		test	edx, edx
		jz	loc_92238C
		test	byte ptr [ebp+var_30], 3
		jnz	loc_82CE46
		mov	esi, [ebp+var_30]
		mov	[ebp+var_1C], esi
		lea	eax, [esi+edx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_922384
		cmp	eax, esi
		jb	loc_922384

loc_82C823:				; CODE XREF: SeCaptureSecurityDescriptor+F5D77j
					; SeCaptureSecurityDescriptor+F5D82j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_34]
		mov	[ebp+arg_C], eax
		mov	edi, [ebp+var_38]
		mov	[ebp+var_28], edi
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_5C]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_64]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+var_44]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_58]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+var_48]
		mov	[ebp+var_2C], eax

loc_82C85A:				; CODE XREF: SeCaptureSecurityDescriptor+5FAj
		lea	ebx, [edx+3]
		and	ebx, 0FFFFFFFCh
		cmp	ebx, 0FFFFh
		ja	loc_9223B9
		cmp	ebx, 8
		jb	loc_9223B9

loc_82C875:				; CODE XREF: SeCaptureSecurityDescriptor+776j
		mov	edx, [ebp+var_20]
		mov	cl, [ebp+arg_4]
		test	edx, edx
		jz	loc_82C926
		test	cl, cl
		jz	loc_82CD9E
		mov	[ebp+var_4], 4
		inc	edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_9223C3

loc_82C8A0:				; CODE XREF: SeCaptureSecurityDescriptor+F5DB5j
		nop
		mov	al, [edx]
		movzx	edx, al
		mov	[ebp+var_50], edx
		mov	[ebp+var_64], edx
		lea	eax, ds:8[edx*4]
		mov	[ebp+var_24], eax
		mov	[ebp+var_44], eax
		test	eax, eax
		jz	loc_9223D2
		test	byte ptr [ebp+var_3C], 3
		jnz	loc_82CE4B
		mov	edx, [ebp+var_3C]
		mov	[ebp+var_20], edx
		add	eax, edx
		mov	esi, ds:_MmUserProbeAddress
		cmp	eax, esi
		ja	loc_9223CA
		cmp	eax, edx
		jb	loc_9223CA

loc_82C8E9:				; CODE XREF: SeCaptureSecurityDescriptor+F5DBDj
					; SeCaptureSecurityDescriptor+F5DC8j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [ebp+var_30]
		mov	[ebp+var_1C], esi
		mov	eax, [ebp+var_34]
		mov	[ebp+arg_C], eax
		mov	edi, [ebp+var_38]
		mov	[ebp+var_28], edi
		mov	eax, [ebp+var_5C]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_60]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_58]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+var_48]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_24]

loc_82C91D:				; CODE XREF: SeCaptureSecurityDescriptor+7B1j
		add	eax, 3
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_70], eax

loc_82C926:				; CODE XREF: SeCaptureSecurityDescriptor+26Dj
		test	edi, edi
		jz	loc_82CB77
		test	cl, cl
		jz	loc_82CDC6
		mov	[ebp+var_4], 5
		inc	edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_9223FF

loc_82C94B:				; CODE XREF: SeCaptureSecurityDescriptor+F5DF1j
		nop
		mov	al, [edi]
		movzx	edx, al
		mov	[ebp+var_54], edx
		mov	[ebp+var_58], edx
		lea	eax, ds:8[edx*4]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_48], eax
		test	eax, eax
		jz	loc_92240E
		test	byte ptr [ebp+var_38], 3
		jnz	loc_82CE58
		mov	edi, [ebp+var_38]
		mov	[ebp+var_28], edi
		add	eax, edi
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_922406
		cmp	eax, edi
		jb	loc_922406

loc_82C994:				; CODE XREF: SeCaptureSecurityDescriptor+F5DF9j
					; SeCaptureSecurityDescriptor+F5E04j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [ebp+var_30]
		mov	[ebp+var_1C], esi
		mov	eax, [ebp+var_34]
		mov	[ebp+arg_C], eax
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_5C]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_60]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_64]
		mov	[ebp+var_50], eax
		mov	ecx, [ebp+var_44]
		mov	[ebp+var_24], ecx
		mov	eax, [ebp+var_2C]

loc_82C9C8:				; CODE XREF: SeCaptureSecurityDescriptor+7D6j
		add	eax, 3
		and	eax, 0FFFFFFFCh

loc_82C9CE:				; CODE XREF: SeCaptureSecurityDescriptor+569j
		add	eax, [ebp+var_70]
		add	eax, ebx
		mov	ecx, [ebp+var_68]
		add	ecx, 14h
		add	eax, ecx
		mov	[ebp+var_58], eax
		push	63536553h
		push	eax
		push	[ebp+arg_8]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+arg_8], edi
		test	edi, edi
		jz	loc_922441
		push	[ebp+var_58]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp+var_40]
		mov	[edi], eax
		mov	eax, [ebp+var_20]
		mov	[edi+4], eax
		mov	eax, [ebp+var_28]
		mov	[edi+8], eax
		mov	eax, [ebp+arg_C]
		mov	[edi+0Ch], eax
		mov	[edi+10h], esi
		lea	esi, [edi+14h]
		mov	ecx, 8000h
		or	[edi+2], cx
		cmp	word ptr [ebp+var_88], 0
		jnz	loc_82CCFD

loc_82CA3B:				; CODE XREF: SeCaptureSecurityDescriptor+6EFj
		mov	dword ptr [edi+0Ch], 0

loc_82CA42:				; CODE XREF: SeCaptureSecurityDescriptor+74Cj
		cmp	word ptr [ebp+var_6C], 0
		jz	loc_82CD8B
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	loc_82CD8B
		mov	[ebp+var_4], 7
		push	[ebp+var_4C]	; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	[ebp+arg_4], 0
		jz	short loc_82CA9F
		mov	ecx, [ebp+var_4C]
		cmp	ecx, 8
		jb	loc_82CE1B
		movzx	eax, word ptr [esi+2]
		cmp	ecx, eax
		jnz	loc_82CE1B
		push	esi
		call	RtlValidAcl
		test	al, al
		jz	loc_82CE1B

loc_82CA9F:				; CODE XREF: SeCaptureSecurityDescriptor+467j
		mov	eax, esi
		sub	eax, edi
		mov	[edi+10h], eax
		mov	[esi+2], bx
		add	esi, ebx

loc_82CAAC:				; CODE XREF: SeCaptureSecurityDescriptor+782j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	loc_82CB82
		mov	[ebp+var_4], 8
		push	[ebp+var_24]	; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+var_50]
		mov	[esi+1], cl
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	bl, [ebp+arg_4]
		test	bl, bl
		jz	short loc_82CB00
		cmp	esi, ds:_MmUserProbeAddress
		jbe	loc_82CDFA
		mov	al, [esi]
		and	al, 0Fh
		cmp	cl, 0Fh
		ja	loc_82CDFA
		cmp	al, 1
		jnz	loc_82CDFA

loc_82CB00:				; CODE XREF: SeCaptureSecurityDescriptor+4CDj
		mov	eax, esi
		sub	eax, edi
		add	esi, [ebp+var_70]

loc_82CB07:				; CODE XREF: SeCaptureSecurityDescriptor+577j
		mov	[edi+4], eax
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_82CB7E
		mov	[ebp+var_4], 9
		push	[ebp+var_2C]	; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+var_54]
		mov	[esi+1], cl
		mov	[ebp+var_4], 0FFFFFFFEh
		test	bl, bl
		jz	short loc_82CB57
		cmp	esi, ds:_MmUserProbeAddress
		jbe	loc_82CDFA
		mov	al, [esi]
		and	al, 0Fh
		cmp	cl, 0Fh
		ja	loc_82CDFA
		cmp	al, 1
		jnz	loc_82CDFA

loc_82CB57:				; CODE XREF: SeCaptureSecurityDescriptor+524j
		sub	esi, edi

loc_82CB59:				; CODE XREF: SeCaptureSecurityDescriptor+570j
		mov	[edi+8], esi
		mov	eax, [ebp+arg_10]
		mov	[eax], edi
		xor	eax, eax

loc_82CB63:				; CODE XREF: SeCaptureSecurityDescriptor+F5CE6j
					; SeCaptureSecurityDescriptor+F5CF2j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82CB77:				; CODE XREF: SeCaptureSecurityDescriptor+318j
		xor	eax, eax
		jmp	loc_82C9CE
; 

loc_82CB7E:				; CODE XREF: SeCaptureSecurityDescriptor+4FFj
		xor	esi, esi
		jmp	short loc_82CB59
; 

loc_82CB82:				; CODE XREF: SeCaptureSecurityDescriptor+4A1j
		xor	eax, eax
		mov	bl, [ebp+arg_4]
		jmp	loc_82CB07
; 

loc_82CB8C:				; CODE XREF: SeCaptureSecurityDescriptor+117j
		test	esi, esi
		jz	loc_82CD70
		lea	eax, [esi+edx]
		jmp	loc_82C730
; 

loc_82CB9C:				; CODE XREF: SeCaptureSecurityDescriptor+129j
		test	edi, edi
		jz	loc_82CD69
		add	edi, edx
		jmp	loc_82C742
; 

loc_82CBAB:				; CODE XREF: SeCaptureSecurityDescriptor+155j
		test	ebx, ebx
		jz	loc_92233A
		lea	esi, [ebx+edx]
		jmp	loc_82C76E
; 

loc_82CBBB:				; CODE XREF: SeCaptureSecurityDescriptor+79j
		cmp	byte ptr [ebp+arg_C], bl
		jz	loc_9222FB
		test	al, al
		jnz	loc_82C68F
		mov	ecx, [edx]
		mov	[ebp+var_B0], ecx
		mov	esi, [edx+4]
		mov	[ebp+var_AC], esi
		mov	edi, [edx+8]
		mov	[ebp+var_A8], edi
		mov	eax, [edx+0Ch]
		mov	[ebp+arg_C], eax
		mov	[ebp+var_A4], eax
		mov	ebx, [edx+10h]
		mov	[ebp+var_A0], ebx
		jmp	loc_82C6FB
; 

loc_82CC00:				; CODE XREF: SeCaptureSecurityDescriptor+1B8j
		movzx	edx, word ptr [esi+2]
		mov	[ebp+var_4C], edx
		mov	[ebp+var_60], edx
		jmp	loc_82C85A
; 

loc_82CC0F:				; CODE XREF: SeCaptureSecurityDescriptor+13Bj
		test	cx, cx
		jns	loc_82CD61
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	loc_82CD77
		add	eax, edx
		jmp	loc_82C753
; 

loc_82CC2A:				; CODE XREF: SeCaptureSecurityDescriptor+191j
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	loc_82C7A7
		mov	dl, [ebp+arg_4]
		test	dl, dl
		jz	loc_82CDEB
		mov	[ebp+var_4], 2
		add	ecx, 2
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_922341

loc_82CC57:				; CODE XREF: SeCaptureSecurityDescriptor+F5D33j
		nop
		mov	ax, [ecx]
		movzx	ecx, ax
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_5C], ecx
		test	ecx, ecx
		jz	loc_922350
		test	byte ptr [ebp+var_34], 3
		jnz	loc_82CE41
		mov	ecx, [ebp+var_34]
		mov	[ebp+arg_C], ecx
		mov	eax, [ebp+arg_0]
		add	eax, ecx
		mov	esi, ds:_MmUserProbeAddress
		cmp	eax, esi
		ja	loc_922348
		cmp	eax, ecx
		jb	loc_922348

loc_82CC97:				; CODE XREF: SeCaptureSecurityDescriptor+F5D3Bj
		mov	ecx, [ebp+arg_0]

loc_82CC9A:				; CODE XREF: SeCaptureSecurityDescriptor+F5D46j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [ebp+var_30]
		mov	[ebp+var_1C], esi
		mov	edi, [ebp+var_38]
		mov	[ebp+var_28], edi
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_40+2]
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+var_60]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_64]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+var_44]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_58]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+var_48]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_6C]

loc_82CCDA:				; CODE XREF: SeCaptureSecurityDescriptor+7E5j
		add	ecx, 3
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_68], ecx
		cmp	ecx, 0FFFFh
		ja	loc_9223B9
		cmp	ecx, 8
		jnb	loc_82C7B2
		jmp	loc_9223B9
; 

loc_82CCFD:				; CODE XREF: SeCaptureSecurityDescriptor+425j
		test	eax, eax
		jz	loc_82CA3B
		mov	[ebp+var_4], 6
		push	[ebp+arg_0]	; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	[ebp+arg_4], 0
		jz	short loc_82CD4C
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 8
		jb	loc_82CE1B
		movzx	eax, word ptr [esi+2]
		cmp	ecx, eax
		jnz	loc_82CE1B
		push	esi
		call	RtlValidAcl
		test	al, al
		jz	loc_82CE1B

loc_82CD4C:				; CODE XREF: SeCaptureSecurityDescriptor+714j
		mov	dword ptr [edi+0Ch], 14h
		mov	eax, [ebp+var_68]
		mov	[esi+2], ax
		add	esi, eax
		jmp	loc_82CA42
; 

loc_82CD61:				; CODE XREF: SeCaptureSecurityDescriptor+602j
		mov	eax, [edx+0Ch]
		jmp	loc_82C753
; 

loc_82CD69:				; CODE XREF: SeCaptureSecurityDescriptor+58Ej
		xor	edi, edi
		jmp	loc_82C742
; 

loc_82CD70:				; CODE XREF: SeCaptureSecurityDescriptor+57Ej
		xor	eax, eax
		jmp	loc_82C730
; 

loc_82CD77:				; CODE XREF: SeCaptureSecurityDescriptor+60Dj
		xor	eax, eax
		jmp	loc_82C753
; 

loc_82CD7E:				; CODE XREF: SeCaptureSecurityDescriptor+1A8j
					; SeCaptureSecurityDescriptor+1B0j
		xor	esi, esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_30], esi
		jmp	loc_82C875
; 

loc_82CD8B:				; CODE XREF: SeCaptureSecurityDescriptor+437j
					; SeCaptureSecurityDescriptor+442j
		mov	dword ptr [edi+10h], 0
		jmp	loc_82CAAC
; 

loc_82CD97:				; CODE XREF: SeCaptureSecurityDescriptor+14Cj
		xor	esi, esi
		jmp	loc_82C76E
; 

loc_82CD9E:				; CODE XREF: SeCaptureSecurityDescriptor+275j
		movzx	edx, byte ptr [edx+1]
		mov	[ebp+var_50], edx
		mov	[ebp+var_64], edx
		cmp	edx, 3FFFFFF7h
		ja	loc_82CE50
		lea	eax, ds:8[edx*4]

loc_82CDBB:				; CODE XREF: SeCaptureSecurityDescriptor+843j
		mov	[ebp+var_44], eax
		mov	[ebp+var_24], eax
		jmp	loc_82C91D
; 

loc_82CDC6:				; CODE XREF: SeCaptureSecurityDescriptor+320j
		movzx	edx, byte ptr [edi+1]
		mov	[ebp+var_54], edx
		cmp	edx, 3FFFFFF7h
		ja	loc_82CE5D
		lea	eax, ds:8[edx*4]

loc_82CDE0:				; CODE XREF: SeCaptureSecurityDescriptor+850j
		mov	[ebp+var_48], eax
		mov	[ebp+var_2C], eax
		jmp	loc_82C9C8
; 

loc_82CDEB:				; CODE XREF: SeCaptureSecurityDescriptor+62Aj
		movzx	ecx, word ptr [ecx+2]
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_5C], ecx
		jmp	loc_82CCDA
; 

loc_82CDFA:				; CODE XREF: SeCaptureSecurityDescriptor+4D5j
					; SeCaptureSecurityDescriptor+4E2j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C0000078h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82CE1B:				; CODE XREF: SeCaptureSecurityDescriptor+46Fj
					; SeCaptureSecurityDescriptor+47Bj ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C0000077h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82CE3C:				; CODE XREF: SeCaptureSecurityDescriptor+87j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_82CE41:				; CODE XREF: SeCaptureSecurityDescriptor+660j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_82CE46:				; CODE XREF: SeCaptureSecurityDescriptor+1EEj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_82CE4B:				; CODE XREF: SeCaptureSecurityDescriptor+2B5j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_82CE50:				; CODE XREF: SeCaptureSecurityDescriptor+79Ej
		or	eax, 0FFFFFFFFh
		jmp	loc_82CDBB
; 

loc_82CE58:				; CODE XREF: SeCaptureSecurityDescriptor+360j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_82CE5D:				; CODE XREF: SeCaptureSecurityDescriptor+7C3j
		or	eax, 0FFFFFFFFh
		jmp	loc_82CDE0
SeCaptureSecurityDescriptor endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepCreateImpersonationTokenDacl	proc near ; CODE XREF: NtOpenThreadTokenEx+1B5p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092253B SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [edx+94h]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_14], edx
		test	dword ptr [edx+0B0h], 4000h
		mov	ebx, ecx
		mov	eax, [eax]
		push	edi
		mov	[ebp+var_C], 0
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], eax
		jnz	loc_82D036

loc_82CEA7:				; CODE XREF: SepCreateImpersonationTokenDacl+1CFj
		test	dword ptr [ebx+0B0h], 4000h
		mov	eax, [ebx+94h]
		mov	edi, [eax]
		mov	[ebp+var_10], edi
		jnz	loc_82CFE4
		xor	edx, edx

loc_82CEC4:				; CODE XREF: SepCreateImpersonationTokenDacl+17Dj
		mov	eax, ds:_SeRestrictedSid
		movzx	ecx, byte ptr [eax+1]
		mov	eax, ds:_SeAliasAdminsSid
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		mov	eax, _SeLocalSystemSid
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		movzx	eax, byte ptr [edi+1]
		add	ecx, eax
		mov	eax, [ebp+var_8]
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		lea	edi, ds:58h[ecx*4]
		test	edx, edx
		jnz	loc_82CFF2

loc_82CF01:				; CODE XREF: SepCreateImpersonationTokenDacl+18Cj
		test	esi, esi
		jnz	loc_82D044

loc_82CF09:				; CODE XREF: SepCreateImpersonationTokenDacl+1E2j
					; SepCreateImpersonationTokenDacl+214j
		push	20206553h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_92253B
		cmp	edi, 8
		jb	short loc_82CF47
		cmp	edi, 0FFFCh
		ja	short loc_82CF47
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	word ptr [esi],	2
		xor	eax, eax
		mov	[esi+2], di
		mov	[esi+4], eax

loc_82CF47:				; CODE XREF: SepCreateImpersonationTokenDacl+B3j
					; SepCreateImpersonationTokenDacl+BBj
		push	0
		push	[ebp+var_8]
		mov	edx, 2
		mov	ecx, esi
		push	0F01FFh
		push	0
		call	RtlpAddKnownAce
		push	0
		push	[ebp+var_10]
		mov	edx, 2
		mov	ecx, esi
		push	0F01FFh
		push	0
		call	RtlpAddKnownAce
		mov	eax, ds:_SeAliasAdminsSid
		mov	edx, 2
		push	0
		push	eax
		push	0F01FFh
		push	0
		mov	ecx, esi
		call	RtlpAddKnownAce
		mov	eax, _SeLocalSystemSid
		mov	edx, 2
		push	0
		push	eax
		push	0F01FFh
		push	0
		mov	ecx, esi
		call	RtlpAddKnownAce
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_82D001

loc_82CFB4:				; CODE XREF: SepCreateImpersonationTokenDacl+1A7j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	loc_82D057

loc_82CFBF:				; CODE XREF: SepCreateImpersonationTokenDacl+1FDj
		mov	eax, [ebp+var_14]
		cmp	dword ptr [eax+98h], 0
		jnz	short loc_82D019
		cmp	dword ptr [ebx+98h], 0
		jnz	short loc_82D019

loc_82CFD4:				; CODE XREF: SepCreateImpersonationTokenDacl+1C4j
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	eax, eax

loc_82CFDB:				; CODE XREF: SepCreateImpersonationTokenDacl+F56D9j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_82CFE4:				; CODE XREF: SepCreateImpersonationTokenDacl+4Cj
		mov	edx, [ebx+1E0h]
		mov	[ebp+var_C], edx
		jmp	loc_82CEC4
; 

loc_82CFF2:				; CODE XREF: SepCreateImpersonationTokenDacl+8Bj
		movzx	eax, byte ptr [edx+1]
		lea	edi, [edi+eax*4]
		add	edi, 10h
		jmp	loc_82CF01
; 

loc_82D001:				; CODE XREF: SepCreateImpersonationTokenDacl+142j
		push	0
		push	eax
		push	0F01FFh
		push	0
		mov	edx, 2
		mov	ecx, esi
		call	RtlpAddKnownAce
		jmp	short loc_82CFB4
; 

loc_82D019:				; CODE XREF: SepCreateImpersonationTokenDacl+159j
					; SepCreateImpersonationTokenDacl+162j
		mov	eax, ds:_SeRestrictedSid
		mov	edx, 2
		push	0
		push	eax
		push	0F01FFh
		push	0
		mov	ecx, esi
		call	RtlpAddKnownAce
		jmp	short loc_82CFD4
; 

loc_82D036:				; CODE XREF: SepCreateImpersonationTokenDacl+31j
		mov	esi, [edx+1E0h]
		mov	[ebp+var_4], esi
		jmp	loc_82CEA7
; 

loc_82D044:				; CODE XREF: SepCreateImpersonationTokenDacl+93j
		test	edx, edx
		jnz	short loc_82D072

loc_82D048:				; CODE XREF: SepCreateImpersonationTokenDacl+20Bj
		movzx	eax, byte ptr [esi+1]
		lea	edi, [edi+eax*4]
		add	edi, 10h
		jmp	loc_82CF09
; 

loc_82D057:				; CODE XREF: SepCreateImpersonationTokenDacl+149j
		push	0
		push	eax
		push	0F01FFh
		push	0
		mov	edx, 2
		mov	ecx, esi
		call	RtlpAddKnownAce
		jmp	loc_82CFBF
; 

loc_82D072:				; CODE XREF: SepCreateImpersonationTokenDacl+1D6j
		push	edx
		push	esi
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_82D048
		mov	[ebp+var_4], 0
		jmp	loc_82CF09
SepCreateImpersonationTokenDacl	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpAddKnownAce	proc near		; CODE XREF: RtlAddAccessAllowedAce(x,x,x,x)+15p
					; sub_785212+11BEp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 0092254E SIZE 00000039 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	esi, ecx
		cmp	edi, ds:_MmUserProbeAddress
		jbe	loc_82D194
		test	edi, edi
		jz	loc_82D194
		mov	al, [edi]
		and	al, 0Fh
		cmp	al, 1
		jnz	loc_82D194
		cmp	byte ptr [edi+1], 0Fh
		ja	loc_82D194
		push	ebx
		mov	bl, [esi]
		cmp	bl, 4
		ja	loc_92257D
		cmp	edx, 4
		ja	loc_92257D
		cmp	bl, dl
		ja	short loc_82D0E1
		mov	bl, dl

loc_82D0E1:				; CODE XREF: RtlpAddKnownAce+4Dj
		mov	eax, [ebp+arg_0]
		mov	bh, [ebp+arg_C]
		and	eax, 0FFFFFFE0h
		jnz	loc_92254E

loc_82D0F0:				; CODE XREF: RtlpAddKnownAce+F54D3j
		push	esi
		call	RtlValidAcl
		test	al, al
		jz	loc_922573
		movzx	ecx, word ptr [esi+4]
		lea	eax, [esi+8]
		xor	edx, edx
		mov	dword ptr [ebp+arg_C], ecx
		test	ecx, ecx
		jz	short loc_82D12E
		movzx	ecx, word ptr [esi+2]
		add	ecx, esi
		mov	[ebp+arg_8], ecx

loc_82D117:				; CODE XREF: RtlpAddKnownAce+9Cj
		cmp	eax, ecx
		jnb	loc_922573
		movzx	ecx, word ptr [eax+2]
		inc	edx
		add	eax, ecx
		mov	ecx, [ebp+arg_8]
		cmp	edx, dword ptr [ebp+arg_C]
		jb	short loc_82D117

loc_82D12E:				; CODE XREF: RtlpAddKnownAce+7Cj
		movzx	ecx, word ptr [esi+2]
		add	ecx, esi
		cmp	ecx, eax
		mov	dword ptr [ebp+arg_C], ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax
		movzx	eax, byte ptr [edi+1]
		add	ax, 4
		shl	ax, 2
		movzx	edx, ax
		test	ecx, ecx
		jz	short loc_82D19F
		lea	eax, [ecx+edx]
		cmp	eax, dword ptr [ebp+arg_C]
		ja	short loc_82D19F
		mov	eax, [ebp+arg_0]
		mov	[ecx+1], al
		mov	eax, [ebp+arg_4]
		mov	[ecx+4], eax
		mov	[ecx], bh
		mov	[ecx+2], dx
		movzx	eax, byte ptr [edi+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		lea	eax, [ecx+8]
		push	edi		; void *
		push	eax		; void *
		call	_memmove
		inc	word ptr [esi+4]
		add	esp, 0Ch
		mov	[esi], bl
		xor	eax, eax

loc_82D18D:				; CODE XREF: RtlpAddKnownAce+114j
					; RtlpAddKnownAce+F54DEj ...
		pop	ebx
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_82D194:				; CODE XREF: RtlpAddKnownAce+12j
					; RtlpAddKnownAce+1Aj ...
		pop	edi
		mov	eax, 0C0000078h
		pop	esi
		pop	ebp
		retn	10h
; 

loc_82D19F:				; CODE XREF: RtlpAddKnownAce+C0j
					; RtlpAddKnownAce+C8j
		mov	eax, 0C0000099h
		jmp	short loc_82D18D
RtlpAddKnownAce	endp

; 
		align 10h
; Exported entry 2400. RtlValidAcl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlValidAcl
RtlValidAcl	proc near		; CODE XREF: RtlValidRelativeSecurityDescriptor(x,x,x)+E1p
					; RtlValidRelativeSecurityDescriptor(x,x,x)+134p ...

var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00922587 SIZE 00000085 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	al, [edi]
		sub	al, 2
		cmp	al, 2
		ja	loc_82D2F6
		lea	eax, [edi+3]
		lea	ecx, [edi+2]
		and	eax, 0FFFFFFFEh
		cmp	eax, ecx
		jnz	loc_82D2F6
		cmp	word ptr [ecx],	8
		jb	loc_82D2F6
		xor	eax, eax
		mov	[ebp+var_4], 0
		lea	esi, [edi+8]
		cmp	ax, [edi+4]
		jnb	loc_82D293
		lea	esp, [esp+0]

loc_82D200:				; CODE XREF: RtlValidAcl+DDj
		movzx	edx, word ptr [ecx]
		lea	eax, [esi+4]
		add	edx, edi
		cmp	eax, edx
		jnb	loc_82D2F6
		lea	eax, [esi+3]
		lea	ebx, [esi+2]
		and	eax, 0FFFFFFFEh
		cmp	eax, ebx
		jnz	loc_82D2F6
		movzx	eax, word ptr [ebx]
		movzx	ecx, ax
		mov	[ebp+arg_0], eax
		lea	eax, [ecx+esi]
		cmp	eax, edx
		ja	loc_82D2F6
		mov	dl, [esi]
		cmp	dl, 3
		ja	short loc_82D29E

loc_82D23C:				; CODE XREF: RtlValidAcl+FFj
					; RtlValidAcl+104j ...
		lea	eax, [ecx+3]
		and	eax, 0FFFFFFFCh
		cmp	eax, ecx
		jnz	loc_82D2F6
		cmp	word ptr [ebp+arg_0], 10h
		jb	loc_82D2F6
		cmp	byte ptr [esi+8], 1
		jnz	loc_82D2F6
		mov	al, [esi+9]
		cmp	al, 0Fh
		ja	loc_82D2F6
		movzx	eax, al
		lea	eax, ds:10h[eax*4]
		cmp	ecx, eax
		jb	short loc_82D2F6

loc_82D278:				; CODE XREF: RtlValidAcl+144j
					; RtlValidAcl+F53FDj ...
		movzx	eax, word ptr [ebx]
		mov	ecx, [ebp+var_4]
		add	esi, eax
		movzx	eax, word ptr [edi+4]
		inc	ecx
		mov	[ebp+var_4], ecx
		cmp	ecx, eax
		lea	ecx, [edi+2]
		jb	loc_82D200

loc_82D293:				; CODE XREF: RtlValidAcl+43j
		mov	al, 1

loc_82D295:				; CODE XREF: RtlValidAcl+148j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_82D29E:				; CODE XREF: RtlValidAcl+8Aj
		cmp	dl, 0Ah
		jbe	short loc_82D2FA

loc_82D2A3:				; CODE XREF: RtlValidAcl+153j
		cmp	dl, 0Eh
		jbe	loc_922587

loc_82D2AC:				; CODE XREF: RtlValidAcl+F53DAj
		cmp	dl, 11h
		jz	short loc_82D23C
		cmp	dl, 14h
		jz	short loc_82D23C
		cmp	dl, 13h
		jz	short loc_82D23C
		cmp	dl, 4
		jz	loc_922595
		cmp	dl, 8
		jbe	loc_9225B2

loc_82D2CD:				; CODE XREF: RtlValidAcl+F5405j
		cmp	dl, 0Ch
		jbe	loc_9225BD

loc_82D2D6:				; CODE XREF: RtlValidAcl+F5410j
		mov	al, dl
		sub	al, 0Fh
		cmp	al, 1
		jbe	loc_9225C6
		cmp	dl, 12h
		jnz	loc_9225E3
		mov	ecx, esi
		call	_RtlpValidAttributeAce@4 ; RtlpValidAttributeAce(x)
		test	al, al
		jnz	short loc_82D278

loc_82D2F6:				; CODE XREF: RtlValidAcl+12j
					; RtlValidAcl+23j ...
		xor	al, al
		jmp	short loc_82D295
; 

loc_82D2FA:				; CODE XREF: RtlValidAcl+F1j
		cmp	dl, 9
		jnb	loc_82D23C
		jmp	short loc_82D2A3
RtlValidAcl	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2522. SeTokenType

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeTokenType(x)
		public _SeTokenType@4
_SeTokenType@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0A8h]
		pop	ebp
		retn	4
_SeTokenType@4	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1544. NtOpenThreadToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtOpenThreadToken(x, x, x, x)
		public _NtOpenThreadToken@16
_NtOpenThreadToken@16 proc near		; DATA XREF: .text:00580F00o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	NtOpenThreadTokenEx
		pop	ebp
		retn	10h
_NtOpenThreadToken@16 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1545. NtOpenThreadTokenEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public NtOpenThreadTokenEx
NtOpenThreadTokenEx proc near		; CODE XREF: NtOpenThreadToken(x,x,x,x)+13p
					; DATA XREF: .text:00580EFCo

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_3C		= byte ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0092260C SIZE 00000007 BYTES
; FUNCTION CHUNK AT 00922635 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6418
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 70h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_24], 0
		mov	[ebp+var_1A], 0
		mov	[ebp+var_3C], 0
		mov	[ebp+var_30], 0
		xor	eax, eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_1B], al
		mov	[ebp+var_38], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_19], al
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_44], al
		movsx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 0FFFEFE00h
		add	esi, 11FF2h
		and	esi, [ebp+arg_C]
		test	al, al
		jz	short loc_82D422
		mov	[ebp+var_4], 0
		mov	ecx, [ebp+arg_10]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		jnb	loc_92260C

loc_82D417:				; CODE XREF: NtOpenThreadTokenEx+F52BEj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_82D422:				; CODE XREF: NtOpenThreadTokenEx+ADj
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_C], al
		mov	eax, ds:_PsThreadType
		mov	[ebp+var_20], 0
		push	0
		lea	ecx, [ebp+var_20]
		push	ecx
		push	[ebp+arg_C]
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_82D487
		push	0
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_1A]
		push	eax
		xor	edx, edx
		mov	ebx, [ebp+var_20]
		mov	ecx, ebx
		call	_PsReferenceImpersonationTokenEx@24 ; PsReferenceImpersonationTokenEx(x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jnz	short loc_82D49B
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, 0C000007Ch

loc_82D487:				; CODE XREF: NtOpenThreadTokenEx+106j
					; NtOpenThreadTokenEx+2F2j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82D49B:				; CODE XREF: NtOpenThreadTokenEx+129j
		cmp	[ebp+var_30], 0
		jle	loc_922635
		mov	al, byte ptr [ebp+arg_8]
		test	al, al
		jz	short loc_82D4C8
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_54]
		push	ecx
		push	eax
		call	_PsDisableImpersonation@8 ; PsDisableImpersonation(x,x)
		mov	[ebp+var_1B], al
		mov	ecx, [ebp+var_28]
		mov	ebx, [ebp+var_20]
		mov	al, byte ptr [ebp+arg_8]

loc_82D4C8:				; CODE XREF: NtOpenThreadTokenEx+15Aj
		cmp	[ebp+var_1A], 0
		jz	loc_82D647
		test	al, al
		jz	loc_82D668
		mov	eax, [ebp+var_54]
		test	eax, eax
		jz	short loc_82D4EE
		mov	eax, [eax+280h]
		mov	[ebp+var_34], eax
		mov	[ebp+var_19], 1

loc_82D4EE:				; CODE XREF: NtOpenThreadTokenEx+18Fj
					; NtOpenThreadTokenEx+326j
		mov	ebx, [ebx+150h]
		push	ebx
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	edi, eax
		lea	eax, [ebp+var_2C]
		push	eax
		mov	edx, edi
		mov	ecx, [ebp+var_28]
		call	SepCreateImpersonationTokenDacl
		mov	[ebp+arg_8], eax
		lea	ecx, [ebx+12Ch]
		mov	edx, edi
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	ebx, [ebp+arg_8]
		mov	edi, [ebp+var_2C]
		test	ebx, ebx
		js	loc_82D5CF
		test	edi, edi
		jz	short loc_82D549
		mov	byte ptr [ebp+var_68], 1
		cmp	word ptr [ebp+var_68+2], 0
		jl	short loc_82D549
		mov	[ebp+var_58], edi
		mov	eax, [ebp+var_68+2]
		and	eax, 0FFF7h
		or	eax, 4
		mov	word ptr [ebp+var_68+2], ax

loc_82D549:				; CODE XREF: NtOpenThreadTokenEx+1DAj
					; NtOpenThreadTokenEx+1E5j
		mov	[ebp+var_80], 18h
		mov	[ebp+var_7C], 0
		mov	[ebp+var_74], esi
		mov	[ebp+var_78], 0
		test	edi, edi
		jz	loc_92264B
		lea	eax, [ebp+var_68]
		mov	[ebp+var_70], eax

loc_82D56F:				; CODE XREF: NtOpenThreadTokenEx+F5302j
		mov	[ebp+var_6C], 0
		lea	eax, [ebp+var_24]
		push	eax		; int
		push	0		; int
		push	0		; int
		push	[ebp+var_30]	; size_t
		push	2		; int
		push	dword ptr [ebp+var_3C] ; char
		lea	edx, [ebp+var_80]
		mov	ecx, [ebp+var_28]
		call	_SepDuplicateToken@32 ;	SepDuplicateToken(x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_82D5CF
		cmp	[ebp+var_19], 0
		jz	short loc_82D5AA
		mov	edx, [ebp+var_34]
		mov	ecx, [ebp+var_24]
		call	_SepSetTokenTrust@8 ; SepSetTokenTrust(x,x)
		mov	ebx, eax

loc_82D5AA:				; CODE XREF: NtOpenThreadTokenEx+24Bj
		test	ebx, ebx
		js	short loc_82D5CF
		mov	ecx, [ebp+var_24]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		lea	eax, [ebp+var_38]
		push	eax
		push	0
		push	0
		push	0
		push	[ebp+arg_4]
		xor	edx, edx
		mov	ecx, [ebp+var_24]
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)

loc_82D5CD:				; CODE XREF: NtOpenThreadTokenEx+313j
		mov	ebx, eax

loc_82D5CF:				; CODE XREF: NtOpenThreadTokenEx+1D2j
					; NtOpenThreadTokenEx+245j ...
		test	edi, edi
		jz	short loc_82D5DB
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_82D5DB:				; CODE XREF: NtOpenThreadTokenEx+281j
		cmp	[ebp+var_1B], 0
		jz	short loc_82D5F1
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_54]
		push	ecx
		push	eax
		call	PsRestoreImpersonation

loc_82D5F1:				; CODE XREF: NtOpenThreadTokenEx+28Fj
		mov	esi, [ebp+var_20]
		test	ebx, ebx
		js	short loc_82D60B
		cmp	[ebp+var_1A], 0
		jz	short loc_82D60B
		push	[ebp+var_24]
		mov	edx, [ebp+var_28]
		mov	ecx, esi
		call	PsSwapImpersonationToken

loc_82D60B:				; CODE XREF: NtOpenThreadTokenEx+2A6j
					; NtOpenThreadTokenEx+2ACj
		mov	ecx, [ebp+var_28]
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jz	short loc_82D61F
		call	ObfDereferenceObject

loc_82D61F:				; CODE XREF: NtOpenThreadTokenEx+2C8j
		mov	ecx, esi
		call	ObfDereferenceObject
		test	ebx, ebx
		js	short loc_82D640
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_38]
		mov	ecx, [ebp+arg_10]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_82D640:				; CODE XREF: NtOpenThreadTokenEx+2D8j
		mov	eax, ebx
		jmp	loc_82D487
; 

loc_82D647:				; CODE XREF: NtOpenThreadTokenEx+17Cj
		lea	eax, [ebp+var_38]
		push	eax
		push	[ebp+var_44]
		mov	eax, ds:_SeTokenObjectType
		push	eax
		push	[ebp+arg_4]
		push	0
		push	esi
		push	ecx
		call	ObOpenObjectByPointer
		mov	edi, [ebp+var_2C]
		jmp	loc_82D5CD
; 

loc_82D668:				; CODE XREF: NtOpenThreadTokenEx+184j
		mov	ecx, [ebx+368h]
		test	ecx, ecx
		jnz	short loc_82D67B

loc_82D672:				; CODE XREF: NtOpenThreadTokenEx+334j
		setnz	[ebp+var_19]
		jmp	loc_82D4EE
; 

loc_82D67B:				; CODE XREF: NtOpenThreadTokenEx+320j
		mov	eax, [ecx+280h]
		mov	[ebp+var_34], eax
		jmp	short loc_82D672
NtOpenThreadTokenEx endp

; 
		align 10h
; Exported entry 1761. PsDisableImpersonation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsDisableImpersonation(x, x)
		public _PsDisableImpersonation@8
_PsDisableImpersonation@8 proc near	; CODE XREF: NtOpenThreadTokenEx+167p
					; CmpStartCLFSLog+D1p ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+2FCh]
		mov	[ebp+var_1], 0
		push	edi
		lea	edi, [esi+2FCh]
		test	al, 8
		jz	loc_82D744
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edx, eax
		mov	[ebp+arg_0], eax
		call	_PspLockThreadSecurityExclusive@8 ; PspLockThreadSecurityExclusive(x,x)
		lock btr dword ptr [edi], 3
		mov	ebx, [ebp+arg_4]
		jnb	short loc_82D70D
		mov	eax, [esi+2C8h]
		and	eax, 3
		mov	[ebp+var_1], 1
		mov	[ebx+8], eax
		mov	eax, [esi+2C8h]
		shr	eax, 2
		and	al, 1
		mov	[ebx+5], al
		mov	eax, [edi]
		shr	eax, 8
		and	al, 1
		mov	[ebx+4], al
		mov	eax, [esi+368h]
		test	eax, eax
		jnz	short loc_82D728
		mov	eax, [esi+2C8h]
		and	eax, 0FFFFFFF8h
		mov	[ebx], eax

loc_82D70D:				; CODE XREF: PsDisableImpersonation(x,x)+3Ej
					; PsDisableImpersonation(x,x)+B2j
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	PspUnlockThreadSecurityExclusive
		cmp	[ebp+var_1], 0
		jz	short loc_82D747
		mov	al, 1

loc_82D71F:				; CODE XREF: PsDisableImpersonation(x,x)+CCj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_82D728:				; CODE XREF: PsDisableImpersonation(x,x)+70j
		mov	[ebx], eax
		mov	ecx, [esi+2C8h]
		and	ecx, 0FFFFFFF8h
		mov	dword ptr [esi+368h], 0
		call	ObfDereferenceObject
		jmp	short loc_82D70D
; 

loc_82D744:				; CODE XREF: PsDisableImpersonation(x,x)+1Ej
		mov	ebx, [ebp+arg_4]

loc_82D747:				; CODE XREF: PsDisableImpersonation(x,x)+8Bj
		mov	dword ptr [ebx+8], 0
		xor	al, al
		mov	word ptr [ebx+4], 0
		mov	dword ptr [ebx], 0
		jmp	short loc_82D71F
_PsDisableImpersonation@8 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1889. PsRestoreImpersonation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsRestoreImpersonation
PsRestoreImpersonation proc near	; CODE XREF: NtOpenThreadTokenEx+29Cp
					; CmpStartCLFSLog+754FEp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00922679 SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	edx, large fs:124h
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	[ebp+var_10], 0
		mov	edi, [ebx]
		mov	[ebp+var_14], 0
		mov	[ebp+var_8], 0
		mov	[ebp+var_1], 0
		mov	[ebp+var_C], edx
		test	edi, edi
		jz	loc_922679
		mov	ecx, edi
		call	_SeQueryTokenTrustLink@4 ; SeQueryTokenTrustLink(x)
		test	eax, eax
		jnz	loc_82D847

loc_82D7BA:				; CODE XREF: PsRestoreImpersonation+EDj
		movzx	esi, byte ptr [ebx+5]
		mov	eax, [ebx+8]
		neg	esi
		sbb	esi, esi
		and	eax, 3
		and	esi, 4
		and	edi, 0FFFFFFF8h
		or	esi, eax
		or	esi, edi

loc_82D7D2:				; CODE XREF: PsRestoreImpersonation+F4F0Bj
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	_PspLockThreadSecurityExclusive@8 ; PspLockThreadSecurityExclusive(x,x)
		mov	eax, [edi+2FCh]
		lea	ecx, [edi+2FCh]
		test	al, 8
		jnz	loc_922680

loc_82D7F0:				; CODE XREF: PsRestoreImpersonation+F4F25j
		cmp	dword ptr [ebx], 0
		jz	short loc_82D862
		mov	eax, [ebp+var_8]
		mov	[edi+2C8h], esi
		mov	[edi+368h], eax
		cmp	byte ptr [ebx+4], 0
		jz	short loc_82D83D
		mov	eax, 100h
		lock or	[ecx], eax

loc_82D812:				; CODE XREF: PsRestoreImpersonation+D5j
		mov	eax, 8
		lock or	[ecx], eax

loc_82D81A:				; CODE XREF: PsRestoreImpersonation+FBj
		mov	bl, [ebp+var_1]

loc_82D81D:				; CODE XREF: PsRestoreImpersonation+F9j
		mov	esi, [ebp+var_C]
		mov	ecx, edi
		mov	edx, esi
		call	PspUnlockThreadSecurityExclusive
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jnz	loc_92269A

loc_82D834:				; CODE XREF: PsRestoreImpersonation+F4F3Fj
					; PsRestoreImpersonation+F4F4Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_82D83D:				; CODE XREF: PsRestoreImpersonation+98j
		mov	eax, 0FFFFFEFFh
		lock and [ecx],	eax
		jmp	short loc_82D812
; 

loc_82D847:				; CODE XREF: PsRestoreImpersonation+44j
		call	_SeQueryTokenTrustLink@4 ; SeQueryTokenTrustLink(x)
		mov	edi, eax
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebx]
		mov	edx, [ebp+var_C]
		mov	[ebp+var_8], eax
		jmp	loc_82D7BA
; 

loc_82D862:				; CODE XREF: PsRestoreImpersonation+83j
		lock btr dword ptr [ecx], 3
		mov	bl, 1
		jb	short loc_82D81D
		jmp	short loc_82D81A
PsRestoreImpersonation endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1564. NtQueryInformationThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtQueryInformationThread(int,int,int,size_t,int)
		public NtQueryInformationThread
NtQueryInformationThread proc near	; DATA XREF: .text:00580E60o

var_190		= dword	ptr -190h
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_10C		= dword	ptr -10Ch
var_F0		= dword	ptr -0F0h
var_D4		= dword	ptr -0D4h
var_B0		= dword	ptr -0B0h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_27		= byte ptr -27h
var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0082E1B8 SIZE 0000000D BYTES
; FUNCTION CHUNK AT 009226C3 SIZE 0000000F BYTES
; FUNCTION CHUNK AT 0092276B SIZE 0000001D BYTES
; FUNCTION CHUNK AT 009227AA SIZE 0000004A BYTES
; FUNCTION CHUNK AT 00922804 SIZE 00000008 BYTES
; FUNCTION CHUNK AT 0092282E SIZE 00000069 BYTES
; FUNCTION CHUNK AT 009228B9 SIZE 00000015 BYTES
; FUNCTION CHUNK AT 009228F6 SIZE 0000006E BYTES
; FUNCTION CHUNK AT 009229B4 SIZE 00000055 BYTES
; FUNCTION CHUNK AT 00922A59 SIZE 0000005C BYTES
; FUNCTION CHUNK AT 00922ADB SIZE 0000003C BYTES
; FUNCTION CHUNK AT 00922B3F SIZE 0000003D BYTES
; FUNCTION CHUNK AT 00922BA7 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 00922BE0 SIZE 00000087 BYTES
; FUNCTION CHUNK AT 00922C8F SIZE 00000099 BYTES
; FUNCTION CHUNK AT 00922D53 SIZE 0000005E BYTES
; FUNCTION CHUNK AT 00922DCD SIZE 00000076 BYTES
; FUNCTION CHUNK AT 00922E6C SIZE 00000025 BYTES
; FUNCTION CHUNK AT 00922EAD SIZE 00000072 BYTES
; FUNCTION CHUNK AT 00922F47 SIZE 0000009C BYTES
; FUNCTION CHUNK AT 0092303E SIZE 00000057 BYTES
; FUNCTION CHUNK AT 009230B1 SIZE 0000006F BYTES
; FUNCTION CHUNK AT 0092313C SIZE 000000B7 BYTES
; FUNCTION CHUNK AT 0092323B SIZE 00000104 BYTES
; FUNCTION CHUNK AT 00923352 SIZE 00000064 BYTES
; FUNCTION CHUNK AT 009233D2 SIZE 00000017 BYTES
; FUNCTION CHUNK AT 00923411 SIZE 0000000D BYTES
; FUNCTION CHUNK AT 00923469 SIZE 0000000B BYTES
; FUNCTION CHUNK AT 00923482 SIZE 00000067 BYTES
; FUNCTION CHUNK AT 00923511 SIZE 00000015 BYTES
; FUNCTION CHUNK AT 0092356E SIZE 0000005A BYTES
; FUNCTION CHUNK AT 009235DB SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6440
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 180h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_B0], 0
		xor	eax, eax
		mov	[ebp+var_12C], eax
		mov	[ebp+var_128], eax
		mov	[ebp+var_124], eax
		mov	[ebp+var_120], eax
		mov	[ebp+var_11C], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_14C], eax
		mov	[ebp+var_148], eax
		mov	[ebp+var_144], eax
		mov	[ebp+var_140], eax
		mov	[ebp+var_13C], eax
		mov	[ebp+var_138], eax
		mov	[ebp+var_134], eax
		mov	[ebp+var_130], eax
		mov	esi, large fs:124h
		mov	[ebp+var_10C], esi
		mov	[ebp+var_4C], esi
		mov	cl, [esi+15Ah]
		mov	[ebp+var_27], cl
		mov	byte ptr [ebp+var_20], cl
		test	cl, cl
		jz	loc_82DDA9
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_C]
		cmp	ecx, 4
		jb	loc_82E075

loc_82D963:				; CODE XREF: NtQueryInformationThread+7F8j
		mov	eax, 4

loc_82D968:				; CODE XREF: NtQueryInformationThread+803j
		mov	[ebp+var_40], eax
		mov	ebx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_82D994
		dec	eax
		test	eax, ebx
		jnz	loc_82E1B8
		lea	eax, [ebx+ecx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	loc_9226C3
		cmp	eax, ebx
		jb	loc_9226C3

loc_82D994:				; CODE XREF: NtQueryInformationThread+F0j
					; NtQueryInformationThread+F4E46j
		mov	edi, [ebp+arg_10]
		test	edi, edi
		jnz	loc_82DD5C

loc_82D99F:				; CODE XREF: NtQueryInformationThread+4EFj
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	cl, [ebp+var_27]

loc_82D9A9:				; CODE XREF: NtQueryInformationThread+532j
		cmp	edx, 2Dh	; switch 46 cases
		ja	loc_9235DB	; default
		jmp	ds:off_82E1C8[edx*4] ; switch jump

loc_82D9B9:				; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 10h ; case	0x17
		jnz	loc_9235BE
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 0FFFFFFFEh
		jnz	loc_922B3F
		mov	[ebp+var_1C], esi
		xor	eax, eax
		mov	[ebp+arg_C], eax

loc_82D9D7:				; CODE XREF: NtQueryInformationThread+F52ECj
		lea	eax, [ebp+var_58]
		push	eax
		push	esi
		call	KeQueryTotalCycleTimeThread
		mov	[ebp+var_4], 0Eh
		mov	[ebx], eax
		mov	[ebx+4], edx
		mov	eax, [ebp+var_58]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_54]
		mov	[ebx+0Ch], eax
		test	edi, edi
		jnz	loc_922B71

loc_82DA01:				; CODE XREF: NtQueryInformationThread+F52F7j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ebx, [ebp+arg_C]

loc_82DA0B:				; CODE XREF: sub_922B8F+13j
		cmp	[ebp+arg_0], 0FFFFFFFEh
		jnz	loc_922BA7

loc_82DA15:				; CODE XREF: NtQueryInformationThread+7F0j
					; NtQueryInformationThread+F5333j
		mov	eax, ebx
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82DA2B:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0x19
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_82DA88
		mov	ecx, [ebp+var_1C]
		movsx	esi, byte ptr [ecx+15Bh]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	[ebp+var_4], 2

loc_82DA75:				; CODE XREF: NtQueryInformationThread+673j
					; NtQueryInformationThread+F5184j
		mov	[ebx], esi

loc_82DA77:				; CODE XREF: NtQueryInformationThread+F569Aj
		test	edi, edi
		jnz	loc_82DEF8

loc_82DA7F:				; CODE XREF: NtQueryInformationThread+2D9j
					; NtQueryInformationThread+2E5j ...
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	eax, eax

loc_82DA88:				; CODE XREF: NtQueryInformationThread+1D8j
					; NtQueryInformationThread+249j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82DA9C:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 20h ; case	0x1
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_82DA88
		mov	eax, ds:_KeMaximumIncrement
		mov	esi, [ebp+var_1C]
		mul	dword ptr [esi+194h]
		mov	[ebp+var_15C], eax
		mov	[ebp+var_158], edx
		mov	eax, ds:_KeMaximumIncrement
		mul	dword ptr [esi+1C0h]
		mov	[ebp+var_154], eax
		mov	[ebp+var_150], edx
		mov	eax, [esi+280h]
		mov	[ebp+var_16C], eax
		mov	eax, [esi+284h]
		mov	[ebp+var_168], eax
		cmp	byte ptr [esi+4], 0
		jnz	loc_92276B
		mov	[ebp+var_164], 0
		mov	[ebp+var_160], 0

loc_82DB32:				; CODE XREF: NtQueryInformationThread+F4F03j
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	[ebp+var_4], 4
		mov	ecx, 8
		lea	esi, [ebp+var_16C]
		mov	edi, ebx
		rep movsd
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	loc_82DA7F
		mov	dword ptr [eax], 20h
		jmp	loc_82DA7F
; 

loc_82DB6A:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 1Ch ; case	0x0
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_82DA88
		mov	esi, [ebp+var_1C]
		cmp	byte ptr [esi+4], 0
		jnz	loc_82E088
		mov	[ebp+var_188], 103h

loc_82DBB4:				; CODE XREF: NtQueryInformationThread+814j
		mov	eax, [esi+0A8h]
		mov	[ebp+var_184], eax
		mov	eax, [esi+2ACh]
		mov	[ebp+var_180], eax
		mov	eax, [esi+2B0h]
		mov	[ebp+var_17C], eax
		mov	eax, [esi+154h]
		mov	[ebp+var_178], eax
		movsx	eax, byte ptr [esi+87h]
		mov	[ebp+var_174], eax
		mov	ecx, esi
		call	_KeQueryBasePriorityThread@4 ; KeQueryBasePriorityThread(x)
		mov	[ebp+var_170], eax
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	[ebp+var_4], 1
		mov	ecx, 7
		lea	esi, [ebp+var_188]
		mov	edi, ebx
		rep movsd
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	loc_82DA7F
		mov	dword ptr [eax], 1Ch
		jmp	loc_82DA7F
; 

loc_82DC36:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0x18
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_82DA88
		mov	[ebp+var_4], 0Fh
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+2FCh]
		shr	eax, 0Ch

loc_82DC7E:				; CODE XREF: NtQueryInformationThread+4D7j
		and	eax, 7

loc_82DC81:				; CODE XREF: NtQueryInformationThread+F5D39j
		mov	[ebx], eax

loc_82DC83:				; CODE XREF: NtQueryInformationThread+487j
					; NtQueryInformationThread+F5B64j
		test	edi, edi
		jnz	loc_82E109

loc_82DC8B:				; CODE XREF: NtQueryInformationThread+88Fj
		mov	[ebp+var_4], 0FFFFFFFEh

loc_82DC92:				; CODE XREF: NtQueryInformationThread+F4F87j
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82DCB2:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0x2A
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_82DA88
		mov	[ebp+var_4], 1Eh
		mov	ecx, [ebp+var_1C]
		test	dword ptr [ecx+2FCh], 40000h
		jnz	loc_9233DE
		mov	dword ptr [ebx], 0
		jmp	loc_82DC83
; 

loc_82DD0C:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0x16
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_82DA88
		mov	[ebp+var_4], 0Dh
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+2FCh]
		shr	eax, 9
		jmp	loc_82DC7E
; 

loc_82DD5C:				; CODE XREF: NtQueryInformationThread+119j
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_9226CB

loc_82DD6B:				; CODE XREF: NtQueryInformationThread+F4E4Dj
		mov	eax, [ecx]
		mov	[ecx], eax
		jmp	loc_82D99F
; 

loc_82DD74:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0xC
		jnz	loc_9235BE
		mov	eax, [esi+150h]
		cmp	dword ptr [eax+1D8h], 1
		jz	loc_9228B9
		xor	eax, eax

loc_82DD93:				; CODE XREF: NtQueryInformationThread+F503Ej
		mov	[ebp+var_4], 7

loc_82DD9A:				; CODE XREF: NtQueryInformationThread+884j
		mov	[ebx], eax
		test	edi, edi
		jz	loc_82DA7F
		jmp	loc_9228C3
; 

loc_82DDA9:				; CODE XREF: NtQueryInformationThread+CBj
		mov	ebx, [ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	edi, [ebp+arg_10]
		jmp	loc_82D9A9
; 

loc_82DDB7:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		mov	[ebp+var_50], 0	; case 0x2C
		cmp	[ebp+arg_C], 10h
		jnz	loc_9235BE
		cmp	[ebp+arg_0], 0FFFFFFFEh
		jnz	loc_922DE8
		xor	eax, eax
		lea	edi, [ebp+var_74]
		stosd
		stosd
		stosd
		stosd
		lea	edx, [ebp+var_50]
		mov	ecx, esi
		call	_PsGetWorkOnBehalfThread@8 ; PsGetWorkOnBehalfThread(x,x)
		mov	ecx, eax
		lea	edx, [ebp+var_74]
		test	ecx, ecx
		jnz	loc_82E099
		mov	ecx, esi
		call	_PsEncodeThreadWorkOnBehalfTicket@8 ; PsEncodeThreadWorkOnBehalfTicket(x,x)
		or	[ebp+var_6C], 1

loc_82DDFD:				; CODE XREF: NtQueryInformationThread+822j
					; NtQueryInformationThread+F5C96j
		mov	[ebp+var_4], 22h
		mov	eax, [ebp+var_74]
		mov	[ebx], eax
		mov	eax, [ebp+var_70]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_6C]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_68]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	loc_82DA7F
		jmp	loc_92351B
; 

loc_82DE2B:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0x9
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	40h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_82DE8A
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+2DCh]
		mov	[ebp+arg_C], eax
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	[ebp+var_4], 5
		mov	eax, [ebp+arg_C]
		mov	[ebx], eax
		test	edi, edi
		jnz	loc_82DF03

loc_82DE83:				; CODE XREF: NtQueryInformationThread+689j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_82DE8A:				; CODE XREF: NtQueryInformationThread+5D7j
					; NtQueryInformationThread+912j ...
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82DEA0:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0x14
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_82DA88
		mov	eax, [ebp+var_1C]
		mov	esi, [eax+2FCh]
		and	esi, 1
		mov	edx, 79517350h
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObjectWithTag
		mov	[ebp+var_4], 0Bh
		jmp	loc_82DA75
; 

loc_82DEF8:				; CODE XREF: NtQueryInformationThread+1F9j
		mov	dword ptr [edi], 4
		jmp	loc_82DA7F
; 

loc_82DF03:				; CODE XREF: NtQueryInformationThread+5FDj
		mov	dword ptr [edi], 4
		jmp	loc_82DE83
; 

loc_82DF0E:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0x23
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		js	loc_82DA88
		mov	[ebp+var_4], 18h
		mov	esi, [ebp+var_1C]
		mov	ecx, [esi+5Ch]
		shr	ecx, 0Eh
		and	ecx, 1
		movsx	eax, byte ptr [esi+18Ch]
		add	ecx, eax
		mov	[ebx], ecx
		test	edi, edi
		jz	short loc_82DF6C
		mov	dword ptr [edi], 4

loc_82DF6C:				; CODE XREF: NtQueryInformationThread+6E4j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	edi, [ebp+arg_C]

loc_82DF76:				; CODE XREF: sub_92301E+1Bj
					; NtQueryInformationThread+F5ABAj
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82DF98:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		mov	[ebp+var_25], 0	; case 0x26
		mov	[ebp+var_24], 0
		mov	[ebp+var_26], 0
		mov	[ebp+var_4], 1Fh
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		js	loc_923469
		mov	[ebp+var_25], 1
		mov	edx, esi
		mov	ecx, [ebp+var_1C]
		call	_PspLockThreadSecurityShared@8 ; PspLockThreadSecurityShared(x,x)
		mov	[ebp+var_26], 1
		mov	ecx, [ebp+var_1C]
		mov	edx, [ecx+394h]
		test	edx, edx
		jnz	loc_82E114
		mov	[ebp+var_44], offset ??_C@_11LOCGONAA@@NNGAKEGL@
		xor	eax, eax

loc_82E006:				; CODE XREF: NtQueryInformationThread+89Dj
		mov	[ebp+var_48], eax
		movzx	eax, ax
		mov	[ebp+arg_0], eax
		lea	edx, [eax+8]
		mov	[ebp+var_F0], edx
		mov	[ebp+var_4], 20h
		cmp	edx, [ebp+arg_C]
		ja	loc_923411
		lea	esi, [ebx+8]
		push	eax		; size_t
		push	[ebp+var_44]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_48]
		mov	[ebx], ax
		mov	[ebx+2], ax
		mov	[ebx+4], esi
		mov	esi, [ebp+var_10C]
		mov	ecx, [ebp+var_1C]
		mov	ebx, [ebp+var_24]
		mov	edx, [ebp+var_F0]

loc_82E057:				; CODE XREF: NtQueryInformationThread+F5B99j
		test	edi, edi
		jz	short loc_82E05D
		mov	[edi], edx

loc_82E05D:				; CODE XREF: NtQueryInformationThread+7D9j
		mov	[ebp+var_4], 1Fh

loc_82E064:				; CODE XREF: NtQueryInformationThread+F5BEFj
		mov	[ebp+var_4], 0FFFFFFFEh
		call	sub_82E197
		jmp	loc_82DA15
; 

loc_82E075:				; CODE XREF: NtQueryInformationThread+DDj
		cmp	edx, 26h
		jz	loc_82D963
		mov	eax, 1
		jmp	loc_82D968
; 

loc_82E088:				; CODE XREF: NtQueryInformationThread+324j
		push	esi
		call	PsGetThreadExitStatus
		mov	[ebp+var_188], eax
		jmp	loc_82DBB4
; 

loc_82E099:				; CODE XREF: NtQueryInformationThread+56Cj
		call	_PsEncodeThreadWorkOnBehalfTicket@8 ; PsEncodeThreadWorkOnBehalfTicket(x,x)
		cmp	[ebp+var_50], 0
		jz	loc_82DDFD
		jmp	loc_923511
; 

loc_82E0AD:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0x10
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	40h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_82DA88
		mov	ecx, [ebp+var_1C]
		lea	eax, [ecx+2CCh]
		xor	edx, edx
		cmp	[eax], eax
		setnz	dl
		mov	[ebp+arg_C], edx
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	[ebp+var_4], 9
		mov	eax, [ebp+arg_C]
		jmp	loc_82DD9A
; 

loc_82E109:				; CODE XREF: NtQueryInformationThread+405j
		mov	dword ptr [edi], 4
		jmp	loc_82DC8B
; 

loc_82E114:				; CODE XREF: NtQueryInformationThread+777j
		mov	eax, [edx+4]
		mov	[ebp+var_44], eax
		movzx	eax, word ptr [edx]
		jmp	loc_82E006
; 

loc_82E122:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 0Ch ; case	0x1E
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_82DA88
		lea	edx, [ebp+var_3C]
		mov	ecx, [ebp+var_1C]
		call	KeQueryAffinityThread
		mov	[ebp+var_4], 3
		mov	eax, [ebp+var_3C]
		mov	[ebx], eax
		mov	eax, [ebp+var_38]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_34]
		mov	[ebx+8], eax
		test	edi, edi
		jnz	short loc_82E1BD

loc_82E17E:				; CODE XREF: NtQueryInformationThread+943j
					; sub_92275D+9j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	edx, 79517350h
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObjectWithTag
		jmp	loc_82DE8A
NtQueryInformationThread endp


;  S U B	R O U T	I N E 


sub_82E197	proc near		; CODE XREF: NtQueryInformationThread+7EBp
					; sub_923474+9j
		cmp	byte ptr [ebp-26h], 0
		jz	short loc_82E1A4
		mov	edx, esi
		call	_PspUnlockThreadSecurityShared@8 ; PspUnlockThreadSecurityShared(x,x)

loc_82E1A4:				; CODE XREF: sub_82E197+4j
		cmp	byte ptr [ebp-25h], 0
		jz	short locret_82E1B7
		mov	edx, 79517350h
		mov	ecx, [ebp-1Ch]
		call	ObfDereferenceObjectWithTag

locret_82E1B7:				; CODE XREF: sub_82E197+11j
		retn
sub_82E197	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_82E1B8:				; CODE XREF: NtQueryInformationThread+F5j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_82E1BD:				; CODE XREF: NtQueryInformationThread+8FCj
		mov	dword ptr [edi], 0Ch
		jmp	short loc_82E17E
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread
; 
		align 4
off_82E1C8	dd offset loc_82DB6A	; DATA XREF: NtQueryInformationThread+132r
		dd offset loc_82DA9C	; jump table for switch	statement
		dd offset loc_9235DB
		dd offset loc_9235DB
		dd offset loc_9235DB
		dd offset loc_9235DB
		dd offset loc_9227AA
		dd offset loc_9235DB
		dd offset loc_9235DB
		dd offset loc_82DE2B
		dd offset loc_9235DB
		dd offset loc_92282E
		dd offset loc_82DD74
		dd offset loc_9235DB
		dd offset loc_9228F6
		dd offset loc_9235DB
		dd offset loc_82E0AD
		dd offset loc_922A59
		dd offset loc_9229B4
		dd offset loc_9235DB
		dd offset loc_82DEA0
		dd offset loc_922AEC
		dd offset loc_82DD0C
		dd offset loc_82D9B9
		dd offset loc_82DC36
		dd offset loc_82DA2B
		dd offset loc_922BE0
		dd offset loc_9235DB
		dd offset loc_9235DB
		dd offset loc_922F47
		dd offset loc_82E122
		dd offset loc_9235DB
		dd offset loc_922DF2
		dd offset loc_922EB9
		dd offset loc_922F84
		dd offset loc_82DF0E
		dd offset loc_92303E
		dd offset loc_9230BD
		dd offset loc_82DF98
		dd offset loc_92314A
		dd offset loc_92323B
		dd offset loc_923352
		dd offset loc_82DCB2
		dd offset loc_923482
		dd offset loc_82DDB7
		dd offset loc_92356E

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpReferenceConnectedPort proc near	; CODE XREF: AlpcpPortQueryServerSessionInfo+17p
					; AlpcpPortQueryConnectedSidInfo+72p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009235E5 SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		mov	eax, [ebx+0F4h]
		and	al, 6
		cmp	al, 2
		jz	loc_9235E5
		push	edi
		mov	edi, [ebx+8]
		test	edi, edi
		jz	short loc_82E2F2
		lea	eax, [edi-4]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebx+0F4h]
		and	eax, 6
		cmp	eax, 4
		jz	short loc_82E2FB
		cmp	eax, 6
		jnz	short loc_82E2D8
		mov	esi, [edi+8]

loc_82E2C9:				; CODE XREF: AlpcpReferenceConnectedPort+7Ej
		test	esi, esi
		jz	short loc_82E2D8
		mov	ecx, esi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		test	al, al
		jz	short loc_82E309

loc_82E2D8:				; CODE XREF: AlpcpReferenceConnectedPort+44j
					; AlpcpReferenceConnectedPort+4Bj ...
		mov	edi, [ebp+var_4]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_82E300

loc_82E2EB:				; CODE XREF: AlpcpReferenceConnectedPort+87j
		mov	ecx, edi
		call	KeAbPostRelease

loc_82E2F2:				; CODE XREF: AlpcpReferenceConnectedPort+22j
		mov	eax, esi
		pop	edi

loc_82E2F5:				; CODE XREF: AlpcpReferenceConnectedPort+F536Cj
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_82E2FB:				; CODE XREF: AlpcpReferenceConnectedPort+3Fj
		mov	esi, [edi+4]
		jmp	short loc_82E2C9
; 

loc_82E300:				; CODE XREF: AlpcpReferenceConnectedPort+69j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_82E2EB
; 

loc_82E309:				; CODE XREF: AlpcpReferenceConnectedPort+56j
		xor	esi, esi
		jmp	short loc_82E2D8
AlpcpReferenceConnectedPort endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	AlpcpCaptureMessageData(void *)
@AlpcpCaptureMessageData@12 proc near	; CODE XREF: AlpcpSetupMessageDataForDeferredCopy(x,x,x,x,x,x)+3Fp
					; AlpcpReplyLegacySynchronousRequest(x,x,x)+209p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_AlpcpAvailableBufferSize@4 ; AlpcpAvailableBufferSize(x)
		mov	ebx, eax
		cmp	edi, ebx
		ja	short loc_82E380
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_82E342
		push	edi		; size_t
		push	eax		; void *
		lea	eax, [esi+98h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_82E342:				; CODE XREF: AlpcpCaptureMessageData(x,x,x)+1Fj
		mov	eax, [esi+78h]
		test	eax, eax
		jz	loc_82E46D
		push	42456C41h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esi+1Ch]
		mov	dword ptr [esi+78h], 0
		test	ecx, ecx
		jz	short loc_82E36E
		mov	edx, [esi+7Ch]
		call	_AlpcpReleasePagedPoolQuota@8 ;	AlpcpReleasePagedPoolQuota(x,x)

loc_82E36E:				; CODE XREF: AlpcpCaptureMessageData(x,x,x)+54j
		pop	edi
		mov	dword ptr [esi+7Ch], 0
		xor	eax, eax
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_82E380:				; CODE XREF: AlpcpCaptureMessageData(x,x,x)+18j
		cmp	edi, 0FFD7h
		jbe	short loc_82E396
		pop	edi
		pop	esi
		mov	eax, 80000005h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_82E396:				; CODE XREF: AlpcpCaptureMessageData(x,x,x)+76j
		mov	eax, [esi+7Ch]
		mov	[ebp+var_4], eax
		add	eax, ebx
		cmp	edi, eax
		jbe	loc_82E443
		mov	eax, [esi+78h]
		test	eax, eax
		jz	short loc_82E3BF
		push	42456C41h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [esi+7Ch], 0

loc_82E3BF:				; CODE XREF: AlpcpCaptureMessageData(x,x,x)+9Bj
		mov	eax, edi
		sub	eax, ebx
		push	42456C41h
		push	eax
		push	1
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [esi+1Ch]
		mov	[esi+78h], eax
		test	eax, eax
		jnz	short loc_82E3F7
		test	ecx, ecx
		jz	short loc_82E3E9
		mov	edx, [ebp+var_4]
		call	_AlpcpReleasePagedPoolQuota@8 ;	AlpcpReleasePagedPoolQuota(x,x)

loc_82E3E9:				; CODE XREF: AlpcpCaptureMessageData(x,x,x)+CFj
		pop	edi
		pop	esi
		mov	eax, 0C000009Ah
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_82E3F7:				; CODE XREF: AlpcpCaptureMessageData(x,x,x)+CBj
		mov	edx, [ebp+var_8]
		mov	[esi+7Ch], edx
		test	ecx, ecx
		jz	short loc_82E443
		sub	edx, [ebp+var_4]
		call	_AlpcpChargePagedPoolQuota@8 ; AlpcpChargePagedPoolQuota(x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jns	short loc_82E443
		mov	ecx, [esi+78h]
		push	42456C41h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [ebp+var_4]
		mov	ecx, [esi+1Ch]
		mov	dword ptr [esi+78h], 0
		mov	dword ptr [esi+7Ch], 0
		call	_AlpcpReleasePagedPoolQuota@8 ;	AlpcpReleasePagedPoolQuota(x,x)
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_82E443:				; CODE XREF: AlpcpCaptureMessageData(x,x,x)+90j
					; AlpcpCaptureMessageData(x,x,x)+EFj ...
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_82E46D
		push	ebx		; size_t
		push	eax		; void *
		lea	eax, [esi+98h]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		sub	edi, ebx
		add	eax, ebx
		push	edi		; size_t
		push	eax		; void *
		mov	eax, [esi+78h]
		push	eax		; void *
		call	_memcpy
		add	esp, 18h

loc_82E46D:				; CODE XREF: AlpcpCaptureMessageData(x,x,x)+37j
					; AlpcpCaptureMessageData(x,x,x)+138j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
@AlpcpCaptureMessageData@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2472. SeImpersonateClientEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeImpersonateClientEx(x, x)
		public _SeImpersonateClientEx@8
_SeImpersonateClientEx@8 proc near	; CODE XREF: EtwpCreateLogFile+18Fp
					; PAGE:007CC4F6p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		cmp	byte ptr [ecx+10h], 0
		jz	short loc_82E4B4
		mov	al, [ecx+11h]

loc_82E48F:				; CODE XREF: SeImpersonateClientEx(x,x)+39j
		mov	byte ptr [ebp+arg_0], al
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_82E49F
		mov	eax, large fs:124h

loc_82E49F:				; CODE XREF: SeImpersonateClientEx(x,x)+19j
		push	dword ptr [ecx+4]
		push	[ebp+arg_0]
		push	1
		push	dword ptr [ecx+0Ch]
		push	eax
		call	PsImpersonateClient
		pop	ebp
		retn	8
; 

loc_82E4B4:				; CODE XREF: SeImpersonateClientEx(x,x)+Cj
		mov	al, [ecx+9]
		jmp	short loc_82E48F
_SeImpersonateClientEx@8 endp

; 
		align 10h
; Exported entry 1745. PsAssignImpersonationToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsAssignImpersonationToken
PsAssignImpersonationToken proc	near	; CODE XREF: NtSetInformationThread+265p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009235F1 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_4]
		mov	eax, large fs:124h
		push	esi
		push	edi
		test	ecx, ecx
		jnz	short loc_82E4EE
		push	2
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+arg_0]
		call	PsImpersonateClient
		xor	esi, esi

loc_82E4E4:				; CODE XREF: PsAssignImpersonationToken+86j
		mov	eax, esi

loc_82E4E6:				; CODE XREF: PsAssignImpersonationToken+57j
					; PsAssignImpersonationToken+F513Dj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_82E4EE:				; CODE XREF: PsAssignImpersonationToken+13j
		mov	al, [eax+15Ah]
		lea	edx, [ebp+var_4]
		push	0
		push	edx
		mov	byte ptr [ebp+arg_4], al
		push	[ebp+arg_4]
		mov	eax, ds:_SeTokenObjectType
		push	eax
		push	4
		push	ecx
		mov	[ebp+var_4], 0
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_82E4E6
		mov	edi, [ebp+var_4]
		cmp	dword ptr [edi+0A8h], 2
		jnz	loc_9235F1
		mov	eax, [edi+0ACh]
		push	eax
		push	0
		push	0
		push	edi
		push	[ebp+arg_0]
		call	PsImpersonateClient
		mov	ecx, edi
		mov	esi, eax
		call	ObfDereferenceObject
		jmp	short loc_82E4E4
PsAssignImpersonationToken endp

; 
		align 10h
; Exported entry 1838. PsImpersonateClient

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsImpersonateClient
PsImpersonateClient proc near		; CODE XREF: CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)+169p
					; EtwpCreateLogFile+1B2p ...

var_12		= byte ptr -12h
var_11		= dword	ptr -11h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00923602 SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	[esp+18h+var_4], 0
		mov	[esp+18h+var_12], 0
		mov	byte ptr [esp+18h+var_11], 0
		mov	[esp+18h+var_11+1], 0
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, [edi+150h]
		test	ebx, ebx
		jnz	loc_82E616
		mov	eax, [edi+2FCh]
		lea	esi, [edi+2FCh]
		mov	[esp+20h+var_8], ebx
		test	al, 8
		jz	short loc_82E60B
		mov	eax, large fs:124h
		mov	ecx, edi
		mov	edx, eax
		mov	[esp+20h+var_C], eax
		call	_PspLockThreadSecurityExclusive@8 ; PspLockThreadSecurityExclusive(x,x)
		mov	eax, [esi]
		test	al, 8
		jz	short loc_82E5DE
		mov	eax, [edi+368h]
		mov	ebx, [edi+2C8h]
		mov	[esp+20h+var_8], eax
		and	ebx, 0FFFFFFF8h
		mov	dword ptr [edi+368h], 0
		mov	eax, 0FFFFFFF7h
		lock and [esi],	eax

loc_82E5DE:				; CODE XREF: PsImpersonateClient+67j
					; PsImpersonateClient+189j ...
		mov	edx, [esp+20h+var_C]
		mov	ecx, edi
		call	PspUnlockThreadSecurityExclusive
		mov	edx, [esp+20h+var_C]
		mov	ecx, edi
		call	PspWriteTebImpersonationInfo
		test	ebx, ebx
		jz	short loc_82E5FF
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_82E5FF:				; CODE XREF: PsImpersonateClient+A6j
		mov	eax, [esp+20h+var_8]
		test	eax, eax
		jnz	loc_82E729

loc_82E60B:				; CODE XREF: PsImpersonateClient+4Ej
					; PsImpersonateClient+1E0j
		xor	eax, eax

loc_82E60D:				; CODE XREF: PsImpersonateClient+F50C3j
					; PsImpersonateClient+F50DBj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_82E616:				; CODE XREF: PsImpersonateClient+36j
		push	esi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	[esp+20h+var_C], eax
		test	eax, eax
		jz	loc_923630
		lea	ecx, [esp+20h+var_11]
		mov	edx, ebx
		push	ecx
		mov	ecx, [ebp+arg_10]
		mov	[esp+24h+var_8], ecx
		push	ecx
		mov	ecx, eax
		call	_SeTokenCanImpersonate@16 ; SeTokenCanImpersonate(x,x,x,x)
		test	eax, eax
		js	loc_82E74D
		cmp	byte ptr [esp+20h+var_11], 0
		jnz	loc_82E6EB

loc_82E651:				; CODE XREF: PsImpersonateClient+1D4j
					; PsImpersonateClient+23Dj ...
		mov	edx, [esp+20h+var_C]
		lea	ecx, [esi+12Ch]
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		cmp	[esp+20h+var_12], 0
		jnz	short loc_82E66E

loc_82E667:				; CODE XREF: PsImpersonateClient+F50E7j
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_82E66E:				; CODE XREF: PsImpersonateClient+115j
		movzx	esi, [ebp+arg_C]
		and	ebx, 0FFFFFFF8h
		mov	ecx, [esp+20h+var_8]
		and	esi, 1
		mov	eax, large fs:124h
		and	ecx, 3
		shl	esi, 2
		mov	edx, eax
		or	esi, ebx
		mov	[esp+20h+var_C], eax
		or	esi, ecx
		mov	ecx, edi
		call	_PspLockThreadSecurityExclusive@8 ; PspLockThreadSecurityExclusive(x,x)
		mov	eax, [edi+2FCh]
		lea	ecx, [edi+2FCh]
		test	al, 8
		jnz	loc_82E735
		xor	ebx, ebx
		mov	eax, 8
		mov	[esp+20h+var_8], ebx
		lock or	[ecx], eax

loc_82E6BB:				; CODE XREF: PsImpersonateClient+1F8j
		cmp	[ebp+arg_8], 0
		mov	eax, [esp+20h+var_11+1]
		mov	[edi+2C8h], esi
		mov	[edi+368h], eax
		jz	short loc_82E6DE
		mov	eax, 100h
		lock or	[ecx], eax
		jmp	loc_82E5DE
; 

loc_82E6DE:				; CODE XREF: PsImpersonateClient+17Fj
		mov	eax, 0FFFFFEFFh
		lock and [ecx],	eax
		jmp	loc_82E5DE
; 

loc_82E6EB:				; CODE XREF: PsImpersonateClient+FBj
		mov	ecx, [esp+20h+var_C]
		lea	eax, [esp+20h+var_11+1]
		push	eax
		call	_SeQueryTokenTrustSid@4	; SeQueryTokenTrustSid(x)
		mov	edx, [ebp+arg_10]
		push	eax
		push	1
		push	ecx
		mov	ecx, ebx
		call	SeCopyClientToken
		mov	[esp+20h+var_4], eax
		test	eax, eax
		js	loc_923618
		cmp	[ebp+arg_8], 0
		jz	short loc_82E792
		mov	ecx, [esp+20h+var_11+1]
		mov	edx, ebx
		call	_SeSetTokenTrustLink@8 ; SeSetTokenTrustLink(x,x)
		jmp	loc_82E651
; 

loc_82E729:				; CODE XREF: PsImpersonateClient+B5j
		mov	ecx, eax
		call	ObfDereferenceObject
		jmp	loc_82E60B
; 

loc_82E735:				; CODE XREF: PsImpersonateClient+157j
		mov	ebx, [edi+2C8h]
		mov	eax, [edi+368h]
		and	ebx, 0FFFFFFF8h
		mov	[esp+20h+var_8], eax
		jmp	loc_82E6BB
; 

loc_82E74D:				; CODE XREF: PsImpersonateClient+F0j
		cmp	dword ptr [ebx+0A8h], 2
		mov	edx, 1
		mov	[esp+20h+var_8], edx
		jnz	short loc_82E769
		mov	eax, [ebx+0ACh]
		cmp	eax, edx
		jl	short loc_82E7A8

loc_82E769:				; CODE XREF: PsImpersonateClient+20Dj
					; PsImpersonateClient+25Ej
		lea	eax, [esp+20h+var_4]
		push	eax
		push	0
		push	0
		push	ecx
		mov	ecx, ebx
		call	SeCopyClientToken
		mov	ebx, eax
		test	ebx, ebx
		js	loc_923602
		mov	ebx, [esp+20h+var_4]
		mov	[esp+20h+var_12], 1
		jmp	loc_82E651
; 

loc_82E792:				; CODE XREF: PsImpersonateClient+1C7j
		mov	ebx, [esp+20h+var_11+1]
		mov	[esp+20h+var_11+1], 0
		mov	[esp+20h+var_12], 1
		jmp	loc_82E651
; 

loc_82E7A8:				; CODE XREF: PsImpersonateClient+217j
		mov	edx, eax
		mov	[esp+20h+var_8], eax
		jmp	short loc_82E769
PsImpersonateClient endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspWriteTebImpersonationInfo proc near	; CODE XREF: PsImpersonateClient+9Fp
					; PsRestoreImpersonation+F4F49p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092363C SIZE 00000014 BYTES
; FUNCTION CHUNK AT 00923671 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6600
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	edi, edx
		mov	[ebp+var_3C], edi
		mov	esi, ecx
		mov	[ebp+var_44], esi
		xor	eax, eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	ebx, [esi+0A8h]
		mov	[ebp+var_40], ebx
		test	ebx, ebx
		jz	loc_82E8B0
		test	dword ptr [esi+58h], 400h
		jnz	loc_82E8B0
		mov	ecx, [esi+150h]
		cmp	[edi+80h], ecx
		jnz	loc_92363C
		mov	[ebp+var_35], al

loc_82E839:				; CODE XREF: PspWriteTebImpersonationInfo+F4E9Bj
		cmp	esi, edi
		jnz	loc_82E8CE
		jmp	short loc_82E850
; 
		align 10h

loc_82E850:				; CODE XREF: PspWriteTebImpersonationInfo+91j
					; PspWriteTebImpersonationInfo+F0j ...
		mov	ecx, [esi+2FCh]
		and	ecx, 8
		mov	[ebp+var_4], 0
		setnz	dl
		mov	[ebp+var_36], dl
		xor	eax, eax
		test	ecx, ecx
		setnz	al
		mov	[ebx+0F9Ch], eax
		mov	dword ptr [ebx+0FC4h], 0
		mov	[ebp+var_4], 0FFFFFFFEh

loc_82E884:				; CODE XREF: sub_923656+16j
		mov	[ebp+var_48], 0
		xor	ecx, ecx
		lea	eax, [ebp+var_48]
		lock or	[eax], ecx
		mov	eax, [esi+2FCh]
		shr	eax, 3
		and	al, 1
		cmp	dl, al
		jnz	short loc_82E850
		cmp	esi, edi
		jnz	short loc_82E8E3

loc_82E8A6:				; CODE XREF: PspWriteTebImpersonationInfo+131j
					; PspWriteTebImpersonationInfo+13Ej
		cmp	[ebp+var_35], 0
		jnz	loc_923671

loc_82E8B0:				; CODE XREF: PspWriteTebImpersonationInfo+61j
					; PspWriteTebImpersonationInfo+6Ej ...
		xor	eax, eax
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_82E8CE:				; CODE XREF: PspWriteTebImpersonationInfo+8Bj
		lea	ecx, [esi+2ECh]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	loc_82E850
		jmp	short loc_82E8A6
; 

loc_82E8E3:				; CODE XREF: PspWriteTebImpersonationInfo+F4j
		lea	ecx, [esi+2ECh]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_82E8A6
PspWriteTebImpersonationInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeTokenCanImpersonate(x, x,	x, x)
_SeTokenCanImpersonate@16 proc near	; CODE XREF: PsImpersonateClient+E9p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		cmp	[ebp+arg_0], 2
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_18], 0
		mov	esi, ecx
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_C], 0
		mov	[ebp+var_3], 0
		mov	byte ptr [ebp-2], 0
		mov	byte ptr [ebp+var_1], 0
		mov	[ebp+var_8], 0
		mov	byte ptr [ebx],	0
		jge	short loc_82E945

loc_82E93A:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+6Ej
					; SeTokenCanImpersonate(x,x,x,x)+91j ...
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_82E945:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+48j
		cmp	dword ptr [edi+18h], 3E6h
		jnz	short loc_82E99E
		cmp	dword ptr [edi+1Ch], 0
		jnz	short loc_82E99E
		test	dword ptr [esi+0B0h], 4000h
		jz	short loc_82E93A
		test	dword ptr [edi+0B0h], 4000h
		jz	short loc_82E990
		mov	edi, [edi+1E0h]
		mov	esi, [esi+1E0h]
		push	edi
		push	esi
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_82E93A
		mov	edx, edi
		mov	ecx, esi
		call	_RtlIsParentOfChildAppContainer@8 ; RtlIsParentOfChildAppContainer(x,x)
		test	al, al
		jnz	short loc_82E93A

loc_82E990:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+7Aj
		mov	eax, 0C0000061h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_82E99E:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+5Cj
					; SeTokenCanImpersonate(x,x,x,x)+62j
		mov	edx, [edi+280h]
		lea	eax, [ebp-2]
		mov	ecx, [esi+280h]
		push	eax
		call	_RtlSidDominatesForTrust@12 ; RtlSidDominatesForTrust(x,x,x)
		test	eax, eax
		js	loc_82EB76
		cmp	byte ptr [ebp-2], 0
		jnz	short loc_82E9C4
		mov	byte ptr [ebx],	1

loc_82E9C4:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+CFj
		mov	eax, [esi+48h]
		and	eax, [esi+40h]
		and	eax, 20000000h
		or	eax, 0
		jnz	loc_82E93A
		mov	edx, edi
		mov	ecx, esi
		call	_SepAcquireOrderedReadLocks@8 ;	SepAcquireOrderedReadLocks(x,x)
		lea	edx, [ebp+var_18]
		mov	ecx, esi
		call	_SepCopyTokenIntegrity@8 ; SepCopyTokenIntegrity(x,x)
		lea	edx, [ebp+var_10]
		mov	ecx, edi
		call	_SepCopyTokenIntegrity@8 ; SepCopyTokenIntegrity(x,x)
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_3]
		mov	ecx, [ebp+var_18]
		push	eax
		call	RtlSidDominates
		mov	ebx, eax
		test	ebx, ebx
		js	loc_82EB5A
		cmp	[ebp+var_3], 0
		jz	loc_82EB55
		mov	edx, edi
		mov	ecx, esi
		call	SepIsImpersonationAllowedDueToCapability
		test	al, al
		jz	short loc_82EA2C

loc_82EA25:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+150j
		xor	ebx, ebx
		jmp	loc_82EB5A
; 

loc_82EA2C:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+133j
		mov	eax, [esi+18h]
		cmp	eax, [edi+0C4h]
		jnz	short loc_82EA42
		mov	eax, [esi+1Ch]
		cmp	eax, [edi+0C8h]
		jz	short loc_82EA25

loc_82EA42:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+145j
		mov	eax, [edi+94h]
		mov	eax, [eax]
		push	eax
		mov	eax, [esi+94h]
		mov	eax, [eax]
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	loc_82EB55
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlQueryElevationFlags@4 ; RtlQueryElevationFlags(x)
		test	eax, eax
		js	short loc_82EADB
		test	byte ptr [ebp+var_8], 1
		jz	short loc_82EADB
		lea	edx, [ebp-1]
		mov	ecx, edi
		call	_SeTokenIsElevated@8 ; SeTokenIsElevated(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_82EB5A
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_82EAB8
		lea	edx, [ebp+var_1]
		mov	ecx, esi
		call	_SeTokenIsElevated@8 ; SeTokenIsElevated(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_82EB5A
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_82EAB8
		mov	eax, [esi+0C0h]
		test	byte ptr [eax+18h], 4
		jnz	loc_82EB55

loc_82EAB8:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+19Cj
					; SeTokenCanImpersonate(x,x,x,x)+1B6j
		mov	eax, [esi+0C0h]
		test	byte ptr [eax+18h], 4
		jz	short loc_82EADB
		mov	eax, [edi+0C0h]
		test	byte ptr [eax+18h], 4
		jnz	short loc_82EADB
		mov	edx, edi
		mov	ecx, esi
		call	_SepLogUnmatchedSessionFlagImpersonationAttempt@8 ; SepLogUnmatchedSessionFlagImpersonationAttempt(x,x)
		jmp	short loc_82EB55
; 

loc_82EADB:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+17Cj
					; SeTokenCanImpersonate(x,x,x,x)+182j ...
		xor	ebx, ebx
		test	dword ptr [esi+0B0h], 4000h
		jz	short loc_82EB21
		test	dword ptr [edi+0B0h], 4000h
		jz	short loc_82EB55
		mov	eax, [edi+1E0h]
		mov	ecx, [esi+1E0h]
		push	eax
		push	ecx
		mov	[ebp+arg_4], eax
		mov	[ebp+arg_0], ecx
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_82EB21
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_RtlIsParentOfChildAppContainer@8 ; RtlIsParentOfChildAppContainer(x,x)
		test	al, al
		jz	short loc_82EB55

loc_82EB21:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+1F7j
					; SeTokenCanImpersonate(x,x,x,x)+220j
		push	esi
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		test	al, al
		jz	short loc_82EB49
		push	edi
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		test	al, al
		jz	short loc_82EB55
		push	esi
		call	_SeTokenIsWriteRestricted@4 ; SeTokenIsWriteRestricted(x)
		test	al, al
		jnz	short loc_82EB49
		push	edi
		call	_SeTokenIsWriteRestricted@4 ; SeTokenIsWriteRestricted(x)
		test	al, al
		jnz	short loc_82EB55

loc_82EB49:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+239j
					; SeTokenCanImpersonate(x,x,x,x)+24Dj
		mov	eax, [edi+78h]
		cmp	[esi+78h], eax
		jz	short loc_82EB5A
		test	eax, eax
		jnz	short loc_82EB5A

loc_82EB55:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+122j
					; SeTokenCanImpersonate(x,x,x,x)+16Bj ...
		mov	ebx, 0C0000061h

loc_82EB5A:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+118j
					; SeTokenCanImpersonate(x,x,x,x)+137j ...
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [edi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, ebx

loc_82EB76:				; CODE XREF: SeTokenCanImpersonate(x,x,x,x)+C5j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_SeTokenCanImpersonate@16 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1876. PsReferencePrimaryToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReferencePrimaryToken(x)
		public _PsReferencePrimaryToken@4
_PsReferencePrimaryToken@4 proc	near	; CODE XREF: SepReferenceTokenByHandle+130p
					; RtlpQueryLowBoxId+165A53p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [esi+12Ch]
		mov	ecx, edi
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		test	eax, eax
		jz	short loc_82EBB1

loc_82EBAB:				; CODE XREF: PsReferencePrimaryToken(x)+6Aj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_82EBB1:				; CODE XREF: PsReferencePrimaryToken(x)+19j
		push	ebx
		mov	ebx, large fs:124h
		dec	word ptr [ebx+13Ch]
		nop
		add	esi, 0E0h
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	ecx, edi
		call	@ObFastReferenceObjectLocked@4 ; ObFastReferenceObjectLocked(x)
		mov	edi, eax
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_82EBFC

loc_82EBE9:				; CODE XREF: PsReferencePrimaryToken(x)+73j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, edi
		pop	ebx
		jmp	short loc_82EBAB
; 

loc_82EBFC:				; CODE XREF: PsReferencePrimaryToken(x)+57j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_82EBE9
_PsReferencePrimaryToken@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


AlpcpUnlockBlob	proc near		; CODE XREF: AlpcpCreateSectionView(x,x,x,x,x)+37p
					; AlpcpCreateSectionView(x,x,x,x,x)+6Dp ...

; FUNCTION CHUNK AT 00923680 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	dl, [esi-10h]
		test	dl, 1
		jz	short loc_82EC4B
		movsx	eax, word ptr [esi-0Eh]
		mov	ecx, 10000h
		sub	ecx, eax
		and	dl, 0FEh
		xor	eax, eax
		mov	[esi-10h], dl
		mov	[esi-0Eh], ax
		test	ecx, ecx
		jle	short loc_82EC4B
		neg	ecx
		lea	eax, [esi-0Ch]
		mov	edx, ecx
		lock xadd [eax], edx
		add	edx, ecx
		test	edx, edx
		jle	short loc_82EC65

loc_82EC4B:				; CODE XREF: AlpcpUnlockBlob+Dj
					; AlpcpUnlockBlob+28j
		add	esi, 0FFFFFFFCh
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		mov	ecx, esi
		cmp	al, 2
		jz	short loc_82ECD7

loc_82EC5D:				; CODE XREF: AlpcpUnlockBlob+CEj
		pop	edi
		pop	esi
		pop	ebx
		jmp	KeAbPostRelease
; 

loc_82EC65:				; CODE XREF: AlpcpUnlockBlob+39j
		jnz	loc_92368F
		movzx	eax, byte ptr [esi-0Fh]
		lea	edi, [esi-18h]
		push	esi
		mov	ebx, ds:_AlpcpRegisteredTypes[eax*4]
		mov	eax, [ebx+14h]
		call	eax
		lea	ecx, [esi-4]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_82ED03

loc_82EC8F:				; CODE XREF: AlpcpUnlockBlob+FBj
		call	KeAbPostRelease
		mov	eax, [ebx+1Ch]
		push	esi
		call	eax
		test	eax, eax
		js	short loc_82ECD3
		test	byte ptr [edi+8], 2
		jz	short loc_82ECE3
		mov	eax, [ebx+8]
		lea	ecx, [eax+eax*2]
		shl	ecx, 6
		add	ecx, offset _AlpcpLookasides
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	short loc_82ECCA
		mov	edx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
; 

loc_82ECCA:				; CODE XREF: AlpcpUnlockBlob+AEj
		mov	eax, [ecx+2Ch]
		inc	dword ptr [ecx+18h]
		push	edi
		call	eax

loc_82ECD3:				; CODE XREF: AlpcpUnlockBlob+8Cj
					; AlpcpUnlockBlob+F4A7Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_82ECD7:				; CODE XREF: AlpcpUnlockBlob+4Bj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, esi
		jmp	loc_82EC5D
; 

loc_82ECE3:				; CODE XREF: AlpcpUnlockBlob+92j
		cmp	dword ptr [ebx+20h], 0
		jbe	loc_923680
		mov	eax, [ebx+8]
		push	edi
		lea	eax, [eax+eax*2]
		shl	eax, 6
		mov	eax, dword_6FB02C[eax]
		call	eax
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_82ED03:				; CODE XREF: AlpcpUnlockBlob+7Dj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi-4]
		jmp	short loc_82EC8F
AlpcpUnlockBlob	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall AlpcpIsImpersonationAllowed(x, x)
_AlpcpIsImpersonationAllowed@8 proc near ; CODE	XREF: AlpcpImpersonateMessage+3Cp
		mov	eax, [edx+14h]
		and	eax, 7
		cmp	al, 3
		jnz	short loc_82ED45
		mov	eax, 4000h
		test	[edx+84h], ax
		jnz	short loc_82ED45
		mov	edx, [edx+8]
		cmp	edx, ecx
		jz	short loc_82ED41
		mov	eax, [ecx+0F4h]
		and	eax, 6
		cmp	al, 6
		jnz	short loc_82ED45
		mov	eax, [ecx+8]
		cmp	edx, [eax]
		jnz	short loc_82ED45

loc_82ED41:				; CODE XREF: AlpcpIsImpersonationAllowed(x,x)+1Dj
		xor	eax, eax
		inc	eax
		retn
; 

loc_82ED45:				; CODE XREF: AlpcpIsImpersonationAllowed(x,x)+8j
					; AlpcpIsImpersonationAllowed(x,x)+16j	...
		xor	eax, eax
		retn
_AlpcpIsImpersonationAllowed@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAlpcImpersonateClientOfPort proc near	; CODE XREF: NtImpersonateClientOfPort(x,x)+Dp
					; DATA XREF: .text:00581210o

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009236A4 SIZE 0000000D BYTES
; FUNCTION CHUNK AT 009236D9 SIZE 000000A8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6620
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_2C], 0
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	[ebp+var_28], 0
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 0
		mov	[ebp+var_34], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_38], al
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_9236D9
		mov	[ebp+var_4], 0
		mov	ecx, large fs:124h
		mov	cl, [ecx+15Ah]
		test	cl, cl
		jz	short loc_82EE03
		mov	ecx, eax
		test	al, 3
		jnz	loc_82EF14
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		jnb	loc_92369D

loc_82EE00:				; CODE XREF: AlpcpUnlockBlob+F4A8Fj
		nop
		mov	cl, [ecx]

loc_82EE03:				; CODE XREF: NtAlpcImpersonateClientOfPort+96j
		mov	esi, [eax+10h]
		mov	[ebp+var_28], esi
		mov	eax, [eax+14h]
		mov	[ebp+arg_4], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		test	esi, esi
		jz	loc_9236A4

loc_82EE21:				; CODE XREF: NtAlpcImpersonateClientOfPort+F4992j
		mov	ecx, [ebp+arg_8]
		mov	ebx, ecx
		shr	ebx, 2
		cmp	ebx, 3
		ja	loc_9236A4
		mov	eax, ecx
		and	eax, 1
		mov	[ebp+var_34], eax
		lea	eax, ds:0[ebx*4]
		or	eax, 2
		test	eax, ecx
		jnz	loc_9236E7
		mov	[ebp+arg_8], 0

loc_82EE53:				; CODE XREF: NtAlpcImpersonateClientOfPort+F499Ej
		mov	eax, ds:_AlpcPortObjectType
		mov	[ebp+var_1C], 0
		push	0
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_38]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+var_1C]
		test	eax, eax
		js	loc_82EF22
		test	esi, esi
		jz	loc_9236F3
		lea	eax, [ebp+var_2C]
		push	eax
		push	ecx
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		call	AlpcpLookupMessage
		mov	esi, eax
		test	esi, esi
		js	short loc_82EEC2
		push	ebx
		push	[ebp+arg_8]
		push	[ebp+var_34]
		mov	ebx, [ebp+var_2C]
		mov	edx, ebx
		mov	ecx, edi
		call	AlpcpImpersonateMessage
		mov	esi, eax
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	short loc_82EF19

loc_82EEBB:				; CODE XREF: NtAlpcImpersonateClientOfPort+1D0j
		mov	ecx, ebx
		call	AlpcpUnlockBlob

loc_82EEC2:				; CODE XREF: NtAlpcImpersonateClientOfPort+14Bj
					; NtAlpcImpersonateClientOfPort+1D4j ...
		xor	ecx, ecx

loc_82EEC4:				; CODE XREF: sub_9236C1+13j
					; NtAlpcImpersonateClientOfPort+F49BAj	...
		test	ecx, ecx
		jnz	short loc_82EF26

loc_82EEC8:				; CODE XREF: NtAlpcImpersonateClientOfPort+1DBj
		test	edi, edi
		jz	short loc_82EED3
		mov	ecx, edi
		call	ObfDereferenceObject

loc_82EED3:				; CODE XREF: NtAlpcImpersonateClientOfPort+17Aj
		mov	ecx, large fs:124h
		nop
		add	word ptr [ecx+13Ch], 1
		jnz	short loc_82EEED
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jnz	short loc_82EF03

loc_82EEED:				; CODE XREF: NtAlpcImpersonateClientOfPort+193j
					; NtAlpcImpersonateClientOfPort+1BBj ...
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_82EF03:				; CODE XREF: NtAlpcImpersonateClientOfPort+19Bj
		cmp	word ptr [ecx+13Eh], 0
		jnz	short loc_82EEED
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_82EEED
; 

loc_82EF14:				; CODE XREF: NtAlpcImpersonateClientOfPort+9Cj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_82EF19:				; CODE XREF: NtAlpcImpersonateClientOfPort+169j
		mov	ecx, ebx
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	short loc_82EEBB
; 

loc_82EF22:				; CODE XREF: NtAlpcImpersonateClientOfPort+128j
		mov	esi, eax
		jmp	short loc_82EEC2
; 

loc_82EF26:				; CODE XREF: NtAlpcImpersonateClientOfPort+176j
		call	ObfDereferenceObject
		jmp	short loc_82EEC8
NtAlpcImpersonateClientOfPort endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpImpersonateMessage	proc near	; CODE XREF: NtAlpcImpersonateClientOfPort+15Bp

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00923781 SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	3Ch		; size_t
		lea	eax, [ebp+var_40]
		mov	edi, edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_48], 0
		xor	ebx, ebx
		mov	edx, edi
		mov	ecx, esi
		mov	[ebp+var_44], ebx
		call	_AlpcpIsImpersonationAllowed@8 ; AlpcpIsImpersonationAllowed(x,x)
		test	eax, eax
		jz	loc_82F0A9
		mov	esi, [edi+48h]
		test	esi, esi
		jnz	loc_82F05D
		call	AlpcpReferenceConnectedPort
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_82F0A9
		test	dword ptr [ebx+98h], 10000h
		jz	loc_923790
		test	dword ptr [ebx+0F4h], 400h
		jz	loc_82F087
		mov	eax, [edi+10h]
		test	eax, eax
		jz	loc_82F09F
		cmp	[ebp+arg_4], esi
		jnz	loc_92379A

loc_82EFC7:				; CODE XREF: AlpcpImpersonateMessage+F4873j
		cmp	[ebp+arg_0], 0
		lea	edx, [ebp+var_40]
		push	edx
		push	0
		lea	ecx, [ebx+9Ch]
		push	ecx
		push	eax
		jnz	loc_82F095
		call	_SeCreateClientSecurity@16 ; SeCreateClientSecurity(x,x,x,x)

loc_82EFE4:				; CODE XREF: AlpcpImpersonateMessage+16Aj
		mov	esi, eax
		test	esi, esi
		js	short loc_82F023
		lea	ecx, [ebp+var_40]
		mov	[ebp+var_48], 1

loc_82EFF4:				; CODE XREF: AlpcpImpersonateMessage+152j
					; AlpcpImpersonateMessage+15Aj
		mov	[ebp+var_44], ecx
		cmp	[ebp+arg_4], 0
		lea	edi, [ebp+var_88]
		mov	eax, [ebp+var_44]
		mov	ecx, 0Fh
		mov	esi, eax
		rep movsd
		jnz	loc_9237B3

loc_82F013:				; CODE XREF: AlpcpImpersonateMessage+F489Bj
		push	0
		lea	eax, [ebp+var_88]
		push	eax
		call	_SeImpersonateClientEx@8 ; SeImpersonateClientEx(x,x)
		mov	esi, eax

loc_82F023:				; CODE XREF: AlpcpImpersonateMessage+B8j
					; AlpcpImpersonateMessage+174j	...
		test	ebx, ebx
		jz	short loc_82F02E
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_82F02E:				; CODE XREF: AlpcpImpersonateMessage+F5j
		cmp	[ebp+var_48], 0
		jz	short loc_82F048
		mov	eax, [ebp+var_44]
		mov	ecx, [eax+0Ch]
		cmp	dword ptr [ecx+0A8h], 1
		jnz	short loc_82F08F

loc_82F043:				; CODE XREF: AlpcpImpersonateMessage+161j
		call	ObfDereferenceObject

loc_82F048:				; CODE XREF: AlpcpImpersonateMessage+102j
					; AlpcpImpersonateMessage+163j	...
		mov	eax, esi

loc_82F04A:				; CODE XREF: AlpcpImpersonateMessage+F485Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_82F05D:				; CODE XREF: AlpcpImpersonateMessage+4Ej
		lea	ecx, [esi-4]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+4Ch]
		mov	ecx, esi
		test	al, 1
		jnz	loc_923781
		or	eax, 2
		mov	[esi+4Ch], eax
		call	_AlpcpUnlockCommunicationInfoExclusive@4 ; AlpcpUnlockCommunicationInfoExclusive(x)
		lea	ecx, [esi+10h]
		jmp	loc_82EFF4
; 

loc_82F087:				; CODE XREF: AlpcpImpersonateMessage+7Dj
		lea	ecx, [ebx+20h]
		jmp	loc_82EFF4
; 

loc_82F08F:				; CODE XREF: AlpcpImpersonateMessage+111j
		test	ecx, ecx
		jnz	short loc_82F043
		jmp	short loc_82F048
; 

loc_82F095:				; CODE XREF: AlpcpImpersonateMessage+A9j
		call	SeCreateClientSecurityEx
		jmp	loc_82EFE4
; 

loc_82F09F:				; CODE XREF: AlpcpImpersonateMessage+88j
		mov	esi, 0C0000022h
		jmp	loc_82F023
; 

loc_82F0A9:				; CODE XREF: AlpcpImpersonateMessage+43j
					; AlpcpImpersonateMessage+5Dj
		mov	esi, 0C0000022h
		jmp	short loc_82F048
AlpcpImpersonateMessage	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpCallPreOperationCallbacks proc near	; CODE XREF: ObpPreInterceptHandleDuplicate(x,x,x,x,x,x)+81p
					; PAGE:0081722Ep

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009237D0 SIZE 000000BE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		xor	eax, eax
		mov	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	ebx, edx
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		lea	eax, [esi+88h]
		mov	[ebp+var_C], eax
		mov	eax, large fs:124h
		push	edi
		xor	edi, edi
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebx+8]
		mov	edx, 6243624Fh
		call	ObfReferenceObjectWithTag
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [esi+80h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	ExAcquirePushLockSharedEx
		lea	ecx, [esi+88h]
		mov	esi, [ecx]
		cmp	esi, ecx
		jz	loc_82F1D7

loc_82F133:				; CODE XREF: ObpCallPreOperationCallbacks+121j
		test	byte ptr [esi+0Ch], 1
		jz	loc_82F1CD
		mov	eax, [esi+8]
		test	[ebx], eax
		jz	loc_82F1CD
		lea	ecx, [esi+20h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_82F1CA
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	eax, large fs:124h
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_82F17B
		nop
		add	eax, 70h
		cmp	[eax], eax
		jnz	loc_82F230

loc_82F17B:				; CODE XREF: ObpCallPreOperationCallbacks+BDj
					; ObpCallPreOperationCallbacks+185j
		test	edi, edi
		jnz	loc_9237D0

loc_82F183:				; CODE XREF: ObpCallPreOperationCallbacks+F4729j
		cmp	dword ptr [esi+1Ch], 0
		jnz	loc_9237DE

loc_82F18D:				; CODE XREF: ObpCallPreOperationCallbacks+F4763j
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_82F1B2
		mov	eax, [esi+10h]
		push	ebx
		mov	eax, [eax+4]
		push	eax
		call	ecx
		cmp	dword ptr [esi+1Ch], 0
		jnz	loc_923818
		lea	edi, [esi+20h]

loc_82F1AB:				; CODE XREF: ObpCallPreOperationCallbacks+F4771j
		mov	dword ptr [ebx+10h], 0

loc_82F1B2:				; CODE XREF: ObpCallPreOperationCallbacks+E2j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx

loc_82F1CA:				; CODE XREF: ObpCallPreOperationCallbacks+A2j
		mov	ecx, [ebp+var_C]

loc_82F1CD:				; CODE XREF: ObpCallPreOperationCallbacks+87j
					; ObpCallPreOperationCallbacks+92j
		mov	esi, [esi]
		cmp	esi, ecx
		jnz	loc_82F133

loc_82F1D7:				; CODE XREF: ObpCallPreOperationCallbacks+7Dj
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	eax, large fs:124h
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_82F1FA
		nop
		add	eax, 70h
		cmp	[eax], eax
		jnz	short loc_82F229

loc_82F1FA:				; CODE XREF: ObpCallPreOperationCallbacks+140j
					; ObpCallPreOperationCallbacks+17Ej
		test	edi, edi
		jz	short loc_82F205
		mov	ecx, edi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_82F205:				; CODE XREF: ObpCallPreOperationCallbacks+14Cj
		mov	eax, [ebp+arg_0]
		cmp	[eax], eax
		jnz	short loc_82F21E
		mov	ecx, [ebx+8]
		mov	edx, 6243624Fh
		call	ObfDereferenceObjectWithTag
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_82F21E:				; CODE XREF: ObpCallPreOperationCallbacks+15Aj
		xor	eax, eax

loc_82F220:				; CODE XREF: ObpCallPreOperationCallbacks+F47D9j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_82F229:				; CODE XREF: ObpCallPreOperationCallbacks+148j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_82F1FA
; 

loc_82F230:				; CODE XREF: ObpCallPreOperationCallbacks+C5j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_82F17B
ObpCallPreOperationCallbacks endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpExposeHandleAttribute proc	near	; CODE XREF: sub_8CA260+17p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092388E SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6640
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 40h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, edx
		mov	[ebp+var_38], esi
		mov	ebx, [esi+50h]
		test	ebx, ebx
		jnz	short loc_82F297
		xor	eax, eax

loc_82F283:				; CODE XREF: AlpcpExposeHandleAttribute+102j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_82F297:				; CODE XREF: AlpcpExposeHandleAttribute+3Fj
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_2C], al
		mov	[ebp+var_3C], ebx
		xor	edi, edi
		mov	[ebp+var_24], edi
		xor	edx, edx
		mov	[ebp+var_28], edx
		mov	eax, [ecx+0F4h]
		and	al, 6
		cmp	al, 2
		jz	loc_82F347

loc_82F2C3:				; CODE XREF: AlpcpExposeHandleAttribute+11Ej
		mov	edx, [ecx+98h]
		test	edx, 80000h
		jz	loc_92389A
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebx+4]
		mov	[ebp+var_20], edi
		test	edx, 2000000h
		jz	short loc_82F36A
		mov	eax, 40000h
		mov	[ebp+var_4C], eax
		mov	[ebp+var_44], edi
		mov	edi, 1
		mov	[ebp+var_24], edi
		mov	edx, [ebp+var_20]

loc_82F302:				; CODE XREF: AlpcpExposeHandleAttribute+177j
		mov	[ebp+var_20], 0
		mov	[ebp+var_4], 0
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [ebp+var_48]
		mov	[ecx+4], eax
		mov	[ecx+8], edx
		mov	eax, [ebp+var_40]
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+arg_4]
		or	dword ptr [eax], 10000000h
		mov	[ebp+var_4], 0FFFFFFFEh

loc_82F334:				; CODE XREF: AlpcpExposeHandleAttribute+19Bj
					; AlpcpExposeHandleAttribute+F4655j ...
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jnz	short loc_82F363

loc_82F33B:				; CODE XREF: AlpcpExposeHandleAttribute+128j
		test	edi, edi
		jz	short loc_82F3BC

loc_82F33F:				; CODE XREF: AlpcpExposeHandleAttribute+18Fj
		mov	eax, [ebp+var_20]
		jmp	loc_82F283
; 

loc_82F347:				; CODE XREF: AlpcpExposeHandleAttribute+7Dj
		mov	ecx, [esi+0Ch]
		call	AlpcpReferenceConnectedPort
		mov	edx, eax
		mov	[ebp+var_28], edx
		test	edx, edx
		jz	loc_92388E
		mov	ecx, edx
		jmp	loc_82F2C3
; 

loc_82F363:				; CODE XREF: AlpcpExposeHandleAttribute+F9j
		call	ObfDereferenceObject
		jmp	short loc_82F33B
; 

loc_82F36A:				; CODE XREF: AlpcpExposeHandleAttribute+AAj
		cmp	edi, 1
		ja	loc_9238A6
		mov	eax, [ecx+0C0h]
		and	eax, [ebx]
		jz	loc_9238B2
		mov	edx, [ecx+0Ch]
		test	dl, 1
		jnz	short loc_82F3D4

loc_82F389:				; CODE XREF: AlpcpExposeHandleAttribute+196j
		test	edx, edx
		jz	loc_9238BE
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_2C]
		lea	ecx, [ebx+8]
		call	ObCompleteObjectDuplication
		mov	[ebp+var_20], eax
		test	eax, eax
		js	short loc_82F3D8
		mov	edx, [ebp+var_44]
		mov	eax, [ebp+var_4C]
		mov	edi, [ebp+var_24]
		jmp	loc_82F302
; 

loc_82F3BC:				; CODE XREF: AlpcpExposeHandleAttribute+FDj
		mov	edx, 1
		mov	ecx, ebx
		call	AlpcpDereferenceBlobEx
		mov	dword ptr [esi+50h], 0
		jmp	loc_82F33F
; 

loc_82F3D4:				; CODE XREF: AlpcpExposeHandleAttribute+147j
		xor	edx, edx
		jmp	short loc_82F389
; 

loc_82F3D8:				; CODE XREF: AlpcpExposeHandleAttribute+16Cj
					; AlpcpExposeHandleAttribute+F466Dj ...
		mov	edi, [ebp+var_24]
		jmp	loc_82F334
AlpcpExposeHandleAttribute endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpExposeTokenAttribute proc near	; CODE XREF: AlpcpExposeAttributes+9Ap

var_84		= dword	ptr -84h
var_78		= dword	ptr -78h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6660
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 78h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, edx
		mov	ebx, ecx
		push	3Ch		; size_t
		push	0		; int
		lea	eax, [ebp+var_84]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	edi, edi
		mov	[ebp+var_20], edi
		test	byte ptr [esi+14h], 80h
		jnz	loc_82F51F
		mov	eax, [esi+48h]
		test	eax, eax
		jnz	loc_82F574
		mov	ecx, [esi+0Ch]
		mov	eax, [ebx+0F4h]
		and	al, 6
		cmp	al, 2
		jnz	loc_82F51F
		test	ecx, ecx
		jz	loc_82F51F
		mov	edx, [ecx+0F4h]
		mov	eax, edx
		and	al, 6
		cmp	al, 4
		jnz	loc_82F51F
		test	edx, 400h
		jnz	loc_82F533
		mov	edi, [ecx+2Ch]
		test	edi, edi
		jz	loc_82F51F
		mov	[ebp+var_20], edi
		xor	eax, eax

loc_82F48F:				; CODE XREF: AlpcpExposeTokenAttribute+172j
		mov	[ebp+var_19], 0
		test	eax, eax
		js	loc_82F51F

loc_82F49B:				; CODE XREF: AlpcpExposeTokenAttribute+182j
					; AlpcpExposeTokenAttribute+1A4j
		mov	eax, [edi+18h]
		mov	[ebp+var_40], eax
		mov	eax, [edi+1Ch]
		mov	[ebp+var_3C], eax
		mov	eax, [edi+10h]
		mov	[ebp+var_48], eax
		mov	eax, [edi+14h]
		mov	[ebp+var_44], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+var_20]
		push	1
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	edi, [esi+34h]
		mov	ebx, [esi+38h]
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[ebp+var_19], 0
		jnz	short loc_82F567

loc_82F4E8:				; CODE XREF: AlpcpExposeTokenAttribute+18Fj
		mov	[ebp+var_4], 0
		mov	eax, [ebp+var_48]
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [ebp+var_44]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_40]
		mov	[ecx+8], eax
		mov	eax, [ebp+var_3C]
		mov	[ecx+0Ch], eax
		mov	[ecx+10h], edi
		mov	[ecx+14h], ebx
		mov	eax, [ebp+arg_4]
		or	dword ptr [eax], 8000000h

loc_82F518:				; CODE XREF: sub_923915+3j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_82F51F:				; CODE XREF: AlpcpExposeTokenAttribute+55j
					; AlpcpExposeTokenAttribute+73j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_82F533:				; CODE XREF: AlpcpExposeTokenAttribute+99j
		mov	edx, [esi+10h]
		test	edx, edx
		jz	short loc_82F51F
		lea	eax, [ebp+var_84]
		push	eax
		push	0
		lea	eax, [ecx+9Ch]
		push	eax
		push	edx
		call	SeCreateClientSecurityEx
		test	eax, eax
		js	loc_82F48F
		mov	edi, [ebp+var_78]
		mov	[ebp+var_20], edi
		mov	[ebp+var_19], 1
		jmp	loc_82F49B
; 

loc_82F567:				; CODE XREF: AlpcpExposeTokenAttribute+106j
		mov	ecx, [ebp+var_78]
		call	ObfDereferenceObject
		jmp	loc_82F4E8
; 

loc_82F574:				; CODE XREF: AlpcpExposeTokenAttribute+60j
		cmp	dword ptr [eax+14h], 1
		jl	short loc_82F51F
		mov	edi, [eax+1Ch]
		mov	[ebp+var_20], edi
		mov	[ebp+var_19], 0
		jmp	loc_82F49B
AlpcpExposeTokenAttribute endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAlpcSendWaitReceivePort proc near	; CODE XREF: .text:005EDB9Ap
					; DATA XREF: .text:005811F8o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 0092391D SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	[ebp+var_24], 0
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_20], 0
		mov	[ebp+var_1C], 0
		mov	[ebp+var_18], 0
		mov	[ebp+var_14], 0
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], 0
		nop
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		mov	esi, [ebp+arg_4]
		push	0
		push	ecx
		mov	al, [eax+15Ah]
		and	esi, 0FFFF0000h
		mov	byte ptr [ebp+arg_4], al
		push	[ebp+arg_4]
		mov	eax, ds:_AlpcPortObjectType
		push	eax
		push	1
		push	[ebp+arg_0]
		mov	[ebp+var_4], 0
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_82F6D8
		push	edi
		mov	edi, [ebp+var_4]
		test	esi, 40000h
		jnz	loc_82F73C

loc_82F62B:				; CODE XREF: NtAlpcSendWaitReceivePort+1B3j
		test	esi, 20000h
		jnz	short loc_82F686
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_28], edi
		mov	[ebp+var_10], esi
		test	edx, edx
		jnz	loc_82F6FB

loc_82F644:				; CODE XREF: NtAlpcSendWaitReceivePort+1A4j
		mov	edx, [ebp+arg_10]
		test	edx, edx
		jz	short loc_82F65E
		push	[ebp+arg_1C]
		lea	ecx, [ebp+var_28]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		call	AlpcpReceiveMessage
		mov	ebx, eax

loc_82F65E:				; CODE XREF: NtAlpcSendWaitReceivePort+B9j
		lea	eax, [ebp+var_10]
		btr	dword ptr [eax], 2
		setb	al
		test	al, al
		jz	short loc_82F6D0
		push	0
		xor	dl, dl
		lea	ecx, [ebp+var_28]
		call	AlpcpSignal
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jz	short loc_82F6D0
		call	ObfDereferenceObject
		jmp	short loc_82F6D0
; 

loc_82F686:				; CODE XREF: NtAlpcSendWaitReceivePort+A1j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_92391D
		test	esi, 10000h
		jnz	loc_923927
		test	esi, 1000000h
		jnz	loc_923931
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	loc_92393B
		push	[ebp+arg_4]
		mov	edx, esi
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	ecx
		push	[ebp+arg_C]
		mov	ecx, edi
		push	eax
		call	_AlpcpProcessSynchronousRequest@36 ; AlpcpProcessSynchronousRequest(x,x,x,x,x,x,x,x,x)
		mov	ebx, eax

loc_82F6D0:				; CODE XREF: NtAlpcSendWaitReceivePort+DAj
					; NtAlpcSendWaitReceivePort+EDj ...
		mov	ecx, edi
		call	ObfDereferenceObject
		pop	edi

loc_82F6D8:				; CODE XREF: NtAlpcSendWaitReceivePort+85j
		mov	eax, large fs:124h
		nop
		add	word ptr [eax+13Ch], 1
		jnz	short loc_82F6F1
		nop
		lea	ecx, [eax+70h]
		cmp	[ecx], ecx
		jnz	short loc_82F748

loc_82F6F1:				; CODE XREF: NtAlpcSendWaitReceivePort+157j
					; NtAlpcSendWaitReceivePort+1C0j ...
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_82F6FB:				; CODE XREF: NtAlpcSendWaitReceivePort+AEj
		test	esi, 1000000h
		jnz	loc_923945
		push	[ebp+arg_4]
		or	esi, 4
		mov	[ebp+var_18], 0
		push	[ebp+arg_C]
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_10], esi
		mov	[ebp+var_1C], 0
		mov	[ebp+var_14], 0
		call	@AlpcpSendMessage@16 ; AlpcpSendMessage(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_82F644
		jmp	short loc_82F6D0
; 

loc_82F73C:				; CODE XREF: NtAlpcSendWaitReceivePort+95j
		mov	ecx, edi
		call	AlpcpTrackPortReferences
		jmp	loc_82F62B
; 

loc_82F748:				; CODE XREF: NtAlpcSendWaitReceivePort+15Fj
		cmp	word ptr [eax+13Eh], 0
		jnz	short loc_82F6F1
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	short loc_82F6F1
NtAlpcSendWaitReceivePort endp

; 
		align 10h

; __stdcall AlpcpProcessSynchronousRequest(x, x, x, x, x, x, x,	x, x)
_AlpcpProcessSynchronousRequest@36:	; CODE XREF: LpcSendWaitReceivePort(x,x,x,x,x,x)+2Fp
					; NtRequestWaitReplyPort+8Ep ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6680
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 7Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	[ebp-3Ch], edx
		mov	edx, ecx
		mov	[ebp-28h], edx
		mov	dword ptr [ebp-2Ch], 0
		mov	dword ptr [ebp-88h], 0
		mov	dword ptr [ebp-84h], 0
		mov	dword ptr [ebp-80h], 0
		mov	dword ptr [ebp-7Ch], 0
		mov	dword ptr [ebp-78h], 0
		mov	dword ptr [ebp-70h], 0
		mov	dword ptr [ebp-6Ch], 0
		mov	dword ptr [ebp-54h], 0
		mov	dword ptr [ebp-50h], 0
		xor	edi, edi
		mov	[ebp-2Ch], edi
		mov	dword ptr [ebp-30h], 0FFFFFFFFh
		cmp	byte ptr [ebp+20h], 0
		jz	loc_82F992
		mov	[ebp-4], edi
		mov	ecx, [ebp+1Ch]
		test	ecx, ecx
		jz	short loc_82F826
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_82F814
		mov	ecx, eax

loc_82F814:				; CODE XREF: PAGE:0082F810j
		nop
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[ebp-54h], eax
		mov	[ebp-50h], ecx
		lea	eax, [ebp-54h]
		mov	[ebp+1Ch], eax

loc_82F826:				; CODE XREF: PAGE:0082F807j
		mov	ecx, [ebp+10h]
		test	cl, 3
		jnz	loc_82FDB6
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_82F83E
		mov	byte ptr [eax],	0

loc_82F83E:				; CODE XREF: PAGE:0082F839j
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+14h]
		mov	[ecx+14h], al
		mov	ecx, [ebp+14h]
		test	ecx, ecx
		jz	short loc_82F873
		mov	esi, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_82F85C
		mov	esi, eax

loc_82F85C:				; CODE XREF: PAGE:0082F858j
		nop
		mov	eax, [esi]
		mov	[ebp-30h], eax
		mov	esi, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_82F86F
		mov	esi, eax

loc_82F86F:				; CODE XREF: PAGE:0082F86Bj
		mov	eax, [esi]
		mov	[esi], eax

loc_82F873:				; CODE XREF: PAGE:0082F84Dj
		mov	ebx, [ebp+18h]
		test	ebx, ebx
		jz	loc_82F955
		mov	byte ptr [ebp-20h], 1
		mov	edi, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_82F88F
		mov	edi, eax

loc_82F88F:				; CODE XREF: PAGE:0082F88Bj
		nop
		mov	edi, [edi]
		mov	dword ptr [ebp-24h], 0
		mov	ecx, 8
		mov	[ebp-24h], ecx
		test	edi, edi
		jns	short loc_82F8AD
		mov	ecx, 14h
		mov	[ebp-24h], ecx

loc_82F8AD:				; CODE XREF: PAGE:0082F8A3j
		test	edi, 40000000h
		jz	short loc_82F8BB
		add	ecx, 10h
		mov	[ebp-24h], ecx

loc_82F8BB:				; CODE XREF: PAGE:0082F8B3j
		test	edi, 20000000h
		jz	short loc_82F8C9
		add	ecx, 14h
		mov	[ebp-24h], ecx

loc_82F8C9:				; CODE XREF: PAGE:0082F8C1j
		test	edi, 10000000h
		jz	short loc_82F8D7
		add	ecx, 10h
		mov	[ebp-24h], ecx

loc_82F8D7:				; CODE XREF: PAGE:0082F8CFj
		test	edi, 8000000h
		jz	short loc_82F8E5
		add	ecx, 18h
		mov	[ebp-24h], ecx

loc_82F8E5:				; CODE XREF: PAGE:0082F8DDj
		test	edi, 4000000h
		jz	short loc_82F8F3
		add	ecx, 4
		mov	[ebp-24h], ecx

loc_82F8F3:				; CODE XREF: PAGE:0082F8EBj
		test	edi, 2000000h
		jz	short loc_82F901
		add	ecx, 8
		mov	[ebp-24h], ecx

loc_82F901:				; CODE XREF: PAGE:0082F8F9j
		cmp	ecx, 1000h
		jnb	short loc_82F93D
		test	bl, 3
		jnz	loc_82FDBB
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_82F91E
		mov	byte ptr [eax],	0

loc_82F91E:				; CODE XREF: PAGE:0082F919j
		mov	al, [ebx]
		mov	[ebx], al
		cmp	ecx, 4
		jbe	short loc_82F949
		dec	ecx
		and	ecx, 0FFFFFFFCh
		mov	al, [ecx+ebx]
		mov	[ecx+ebx], al
		mov	[ebp-2Ch], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_82F9AA
; 

loc_82F93D:				; CODE XREF: PAGE:0082F907j
		push	4
		push	ecx
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	edx, [ebp-28h]

loc_82F949:				; CODE XREF: PAGE:0082F925j
		mov	[ebp-2Ch], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_82F9AA
; 

loc_82F955:				; CODE XREF: PAGE:0082F878j
		mov	edi, [ebp-2Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_82F9AA
; 

loc_82F961:				; DATA XREF: .text:006A6694o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		mov	eax, 1
		retn
; 

loc_82F971:				; DATA XREF: .text:006A6698o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-40h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_82F992:				; CODE XREF: PAGE:0082F7F9j
		mov	ecx, [ebp+14h]
		test	ecx, ecx
		jz	short loc_82F99E
		mov	eax, [ecx]
		mov	[ebp-30h], eax

loc_82F99E:				; CODE XREF: PAGE:0082F997j
		mov	ebx, [ebp+18h]
		test	ebx, ebx
		jz	short loc_82F9AA
		mov	edi, [ebx]
		mov	[ebp-2Ch], edi

loc_82F9AA:				; CODE XREF: PAGE:0082F93Bj
					; PAGE:0082F953j ...
		mov	ecx, [edx+0F4h]
		mov	eax, ecx
		and	eax, 6
		cmp	al, 6
		jnz	loc_82FA51
		mov	esi, [edx+8]
		mov	[ebp-44h], esi
		lea	eax, [esi-4]
		mov	[ebp-34h], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		mov	esi, [esi]
		mov	[ebp+18h], esi
		mov	[ebp-38h], esi
		test	esi, esi
		jz	short loc_82FA14
		mov	ecx, esi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		test	al, al
		jz	short loc_82FA14
		xor	edx, edx
		mov	eax, 11h
		mov	ecx, [ebp-34h]
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_82FA04
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp-34h]

loc_82FA04:				; CODE XREF: PAGE:0082F9FAj
		call	KeAbPostRelease
		mov	edx, [ebp-28h]
		mov	ecx, [edx+0F4h]
		jmp	short loc_82FA59
; 

loc_82FA14:				; CODE XREF: PAGE:0082F9DCj
					; PAGE:0082F9E7j
		mov	esi, [ebp-44h]
		add	esi, 0FFFFFFFCh
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_82FA31
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_82FA31:				; CODE XREF: PAGE:0082FA28j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, 0C0000037h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_82FA51:				; CODE XREF: PAGE:0082F9B7j
		mov	esi, edx
		mov	[ebp+18h], edx
		mov	[ebp-38h], edx

loc_82FA59:				; CODE XREF: PAGE:0082FA12j
		mov	[ebp-8Ch], edx
		mov	eax, [ebp-3Ch]
		mov	[ebp-74h], eax
		mov	eax, [ebp+20h]
		push	eax
		test	ecx, 1000h
		jnz	short loc_82FA84
		push	dword ptr [ebp+0Ch]
		mov	edx, [ebp+8]
		lea	ecx, [ebp-8Ch]
		call	@AlpcpSendMessage@16 ; AlpcpSendMessage(x,x,x,x)
		jmp	short loc_82FA95
; 

loc_82FA84:				; CODE XREF: PAGE:0082FA6Fj
		push	dword ptr [ebp+8]
		lea	edx, [ebp-8Ch]
		mov	ecx, [ebp-28h]
		call	_AlpcpSendLegacySynchronousRequest@16 ;	AlpcpSendLegacySynchronousRequest(x,x,x,x)

loc_82FA95:				; CODE XREF: PAGE:0082FA82j
		mov	[ebp+20h], eax
		test	eax, eax
		js	loc_82FB7A
		mov	eax, [ebp-3Ch]
		test	eax, 100000h
		jz	short loc_82FAAE
		mov	dl, 1
		jmp	short loc_82FACC
; 

loc_82FAAE:				; CODE XREF: PAGE:0082FAA8j
		test	eax, 2000000h
		jz	short loc_82FABD
		test	al, 2
		jz	short loc_82FABD
		xor	dl, dl
		jmp	short loc_82FACC
; 

loc_82FABD:				; CODE XREF: PAGE:0082FAB3j
					; PAGE:0082FAB7j
		mov	eax, large fs:124h
		mov	edi, [ebp-2Ch]
		mov	dl, [eax+15Ah]

loc_82FACC:				; CODE XREF: PAGE:0082FAACj
					; PAGE:0082FABBj
		mov	dword ptr [ebp-34h], 0
		mov	[ebp-8Ch], esi
		push	dword ptr [ebp+1Ch]
		push	edi
		lea	eax, [ebp-34h]
		push	eax
		lea	ecx, [ebp-8Ch]
		call	@AlpcpReceiveSynchronousReply@20 ; AlpcpReceiveSynchronousReply(x,x,x,x,x)
		mov	[ebp+20h], eax
		test	eax, eax
		jnz	loc_82FB7A
		mov	esi, [ebp-34h]
		movzx	eax, word ptr [esi+80h]
		add	eax, 18h
		mov	[ebp+0Ch], eax
		cmp	dword ptr [ebp+14h], 0
		jz	loc_82FBD3
		cmp	eax, [ebp-30h]
		jbe	loc_82FBD3
		xor	eax, eax
		mov	[ebp-68h], eax
		mov	[ebp-64h], eax
		mov	[ebp-60h], eax
		mov	[ebp-5Ch], eax
		mov	[ebp-58h], eax
		lea	eax, [ebp-68h]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp+18h]
		call	_AlpcpReturnMessageOnInsufficientBuffer@12 ; AlpcpReturnMessageOnInsufficientBuffer(x,x,x)
		mov	[ebp+20h], eax
		cmp	eax, 0C0000023h
		jnz	short loc_82FBC2
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_82FB53
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_82FB53:				; CODE XREF: PAGE:0082FB4Aj
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	dword ptr [ebp-4], 1
		mov	eax, [ebp+14h]
		mov	ecx, [ebp+0Ch]
		mov	[eax], ecx
		push	ebx
		push	edi
		lea	edx, [ebp-68h]
		call	_AlpcpExposeCapturedContextAttribute@16	; AlpcpExposeCapturedContextAttribute(x,x,x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_82FB7A:				; CODE XREF: PAGE:0082FA9Aj
					; PAGE:0082FAF1j ...
		mov	ebx, [ebp+20h]

loc_82FB7D:				; CODE XREF: PAGE:0082FD80j
					; PAGE:0082FDA4j
		mov	ecx, [ebp+18h]

loc_82FB80:				; CODE XREF: PAGE:0082FBC0j
		cmp	ecx, [ebp-28h]
		jz	short loc_82FB8A
		call	ObfDereferenceObject

loc_82FB8A:				; CODE XREF: PAGE:0082FB83j
		mov	eax, ebx
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_82FBA0:				; DATA XREF: .text:006A66A0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		mov	eax, 1
		retn
; 

loc_82FBB0:				; DATA XREF: .text:006A66A4o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-48h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-38h]
		jmp	short loc_82FB80
; 

loc_82FBC2:				; CODE XREF: PAGE:0082FB41j
		push	10000h
		mov	edx, esi
		mov	ecx, [ebp+18h]
		call	@AlpcpCancelMessage@12 ; AlpcpCancelMessage(x,x,x)
		jmp	short loc_82FB7A
; 

loc_82FBD3:				; CODE XREF: PAGE:0082FB0Bj
					; PAGE:0082FB14j
		mov	dword ptr [ebp-4], 2
		mov	eax, [esi+80h]
		mov	ecx, [ebp+10h]
		mov	[ecx], eax
		mov	eax, [esi+84h]
		mov	[ecx+4], eax
		mov	eax, [esi+88h]
		mov	[ecx+8], eax
		mov	eax, [esi+8Ch]
		mov	[ecx+0Ch], eax
		mov	eax, [esi+90h]
		mov	[ecx+10h], eax
		mov	eax, [esi+94h]
		mov	[ecx+14h], eax
		mov	eax, [ebp-28h]
		test	dword ptr [eax+98h], 1000h
		jz	short loc_82FC2A
		mov	eax, 0FFFFC00Fh
		and	[ecx+4], ax

loc_82FC2A:				; CODE XREF: PAGE:0082FC1Fj
		lea	edx, [ecx+18h]
		mov	[ebp-44h], edx
		mov	ecx, esi
		cmp	dword ptr [esi+60h], 0
		jz	short loc_82FC3F
		call	AlpcpGetDataFromUserVaSafe
		jmp	short loc_82FC8E
; 

loc_82FC3F:				; CODE XREF: PAGE:0082FC36j
		call	_AlpcpAvailableBufferSize@4 ; AlpcpAvailableBufferSize(x)
		mov	[ebp+8], eax
		movzx	eax, word ptr [esi+80h]
		mov	[ebp+10h], eax
		mov	ecx, [ebp+8]
		cmp	eax, ecx
		ja	short loc_82FC63
		push	eax
		lea	eax, [esi+98h]
		push	eax
		push	edx
		jmp	short loc_82FC86
; 

loc_82FC63:				; CODE XREF: PAGE:0082FC56j
		push	ecx
		lea	eax, [esi+98h]
		push	eax
		push	edx
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+10h]
		sub	eax, [ebp+8]
		push	eax
		mov	eax, [esi+78h]
		push	eax
		mov	eax, [ebp-44h]
		add	eax, [ebp+8]
		push	eax

loc_82FC86:				; CODE XREF: PAGE:0082FC61j
		call	_memcpy
		add	esp, 0Ch

loc_82FC8E:				; CODE XREF: PAGE:0082FC3Dj
		mov	eax, [ebp+14h]
		test	eax, eax
		jz	short loc_82FC9A
		mov	ecx, [ebp+0Ch]
		mov	[eax], ecx

loc_82FC9A:				; CODE XREF: PAGE:0082FC93j
		test	ebx, ebx
		jz	short loc_82FCA9
		push	ebx
		push	edi
		push	esi
		mov	ecx, [ebp-28h]
		call	AlpcpExposeAttributes

loc_82FCA9:				; CODE XREF: PAGE:0082FC9Cj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp+20h]
		jmp	short loc_82FCDB
; 

loc_82FCB5:				; DATA XREF: .text:006A66ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		mov	eax, 1
		retn
; 

loc_82FCC5:				; DATA XREF: .text:006A66B0o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-4Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-34h]
		mov	eax, [ebp-38h]
		mov	[ebp+18h], eax

loc_82FCDB:				; CODE XREF: PAGE:0082FCB3j
		test	dword ptr [esi+14h], 200h
		jz	short loc_82FD25
		cmp	dword ptr [esi+34h], 0
		jnz	short loc_82FD25
		mov	eax, [ebp-28h]
		test	dword ptr [eax+0F4h], 2000h
		jz	short loc_82FD25
		mov	edx, esi
		lea	ecx, [eax+100h]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	short loc_82FD25
		inc	word ptr [esi-0Eh]
		push	esi
		call	AlpcMessageCleanupProcedure
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_82FD35
		mov	ecx, esi
		call	_AlpcpEnterFreeEventMessageLog@4 ; AlpcpEnterFreeEventMessageLog(x)

loc_82FD25:				; CODE XREF: PAGE:0082FCE2j
					; PAGE:0082FCE8j ...
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_82FD35
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_82FD35:				; CODE XREF: PAGE:0082FD1Cj
					; PAGE:0082FD2Cj
		xor	edx, edx
		lea	edi, [esi-18h]
		mov	cl, [edi+8]
		test	cl, 1
		jz	short loc_82FD59
		movsx	eax, word ptr [edi+0Ah]
		mov	edx, 10000h
		sub	edx, eax
		and	cl, 0FEh
		mov	[edi+8], cl
		xor	eax, eax
		mov	[edi+0Ah], ax

loc_82FD59:				; CODE XREF: PAGE:0082FD40j
		test	edx, edx
		jle	short loc_82FD7E
		neg	edx
		mov	ecx, edx
		lea	eax, [edi+0Ch]
		lock xadd [eax], ecx
		add	ecx, edx
		test	ecx, ecx
		jg	short loc_82FD7E
		jnz	short loc_82FDA9
		mov	edx, 1
		mov	ecx, esi
		call	@AlpcpDestroyBlob@8 ; AlpcpDestroyBlob(x,x)
		xor	esi, esi

loc_82FD7E:				; CODE XREF: PAGE:0082FD5Bj
					; PAGE:0082FD6Cj
		test	esi, esi
		jz	loc_82FB7D
		add	edi, 14h
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_82FD9D
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_82FD9D:				; CODE XREF: PAGE:0082FD94j
		mov	ecx, edi
		call	KeAbPostRelease
		jmp	loc_82FB7D
; 

loc_82FDA9:				; CODE XREF: PAGE:0082FD6Ej
		push	ecx
		push	28h
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_82FDB6:				; CODE XREF: PAGE:0082F82Cj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_82FDBB:				; CODE XREF: PAGE:0082F90Cj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dd 4 dup(0CCCCCCCCh)
; 

; __fastcall AlpcpReceiveSynchronousReply(x, x,	x, x, x)
@AlpcpReceiveSynchronousReply@20:	; CODE XREF: AlpcpProcessConnectionRequest+130p
					; AlpcpReceiveLegacyConnectionReply+2Ap ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx]
		push	1
		push	dword ptr [ebp+10h]
		mov	[ebp-4], eax
		add	eax, 2B4h
		push	edx
		push	11h
		mov	edx, eax
		mov	[ebp-0Ch], edi
		mov	[ebp-8], eax
		call	AlpcpSignalAndWait
		mov	ecx, [ebp-4]
		mov	ebx, eax
		xor	esi, esi
		add	ecx, 314h
		xchg	esi, [ecx]
		test	esi, esi
		jnz	short loc_82FE33
		test	ebx, ebx
		jz	short loc_82FE25
		mov	ecx, [ebp-8]
		lea	edx, [esi+11h]
		push	esi
		push	esi
		push	esi
		call	_AlpcpWaitForSingleObject@20 ; AlpcpWaitForSingleObject(x,x,x,x,x)

loc_82FE25:				; CODE XREF: PAGE:0082FE15j
		mov	eax, 0C0000701h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_82FE33:				; CODE XREF: PAGE:0082FE11j
		lea	ecx, [esi-4]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi-10h], 1
		lea	eax, [esi-0Ch]
		mov	ecx, 10000h
		lock xadd [eax], ecx
		add	ecx, 10000h
		test	ecx, ecx
		jle	loc_83000F
		mov	eax, [esi+14h]
		test	eax, 800h
		jz	short loc_82FE6D
		and	eax, 0FFFFF7FFh
		mov	[esi+14h], eax

loc_82FE6D:				; CODE XREF: PAGE:0082FE63j
		dec	word ptr [esi-0Eh]
		mov	ecx, [esi+14h]
		mov	eax, ecx
		and	eax, 7
		cmp	al, 5
		jz	short loc_82FE90
		mov	eax, [ebp-4]
		cmp	[esi+10h], eax
		jnz	short loc_82FEF7
		test	ebx, ebx
		jnz	short loc_82FEA2
		mov	ebx, 0C0000701h
		jmp	short loc_82FEA2
; 

loc_82FE90:				; CODE XREF: PAGE:0082FE7Bj
		and	ecx, 0FFFFFFF8h
		mov	[esi+14h], ecx
		test	ebx, ebx
		jz	short loc_82FEF3
		mov	eax, [ebp-4]
		cmp	[esi+10h], eax
		jnz	short loc_82FEDB

loc_82FEA2:				; CODE XREF: PAGE:0082FE87j
					; PAGE:0082FE8Ej
		mov	dword ptr [esi+10h], 0
		dec	word ptr [esi-0Eh]
		test	byte ptr [esi+14h], 80h
		jnz	short loc_82FEC9
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	@AlpcpCancelMessage@12 ; AlpcpCancelMessage(x,x,x)
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_82FEC9:				; CODE XREF: PAGE:0082FEB1j
		mov	ecx, esi
		call	_AlpcpUnlockMessage@4 ;	AlpcpUnlockMessage(x)
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_82FEDB:				; CODE XREF: PAGE:0082FEA0j
		mov	ecx, [ebp-8]
		mov	edx, 11h
		push	0
		push	0
		push	0
		call	_AlpcpWaitForSingleObject@20 ; AlpcpWaitForSingleObject(x,x,x,x,x)
		mov	ecx, [esi+14h]
		xor	ebx, ebx

loc_82FEF3:				; CODE XREF: PAGE:0082FE98j
		test	cl, cl
		jns	short loc_82FF0C

loc_82FEF7:				; CODE XREF: PAGE:0082FE83j
		mov	ecx, esi
		call	_AlpcpUnlockMessage@4 ;	AlpcpUnlockMessage(x)
		mov	eax, 0C0000701h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_82FF0C:				; CODE XREF: PAGE:0082FEF5j
		test	ecx, 200h
		jz	short loc_82FF4C
		mov	eax, [esi+48h]
		neg	eax
		sbb	eax, eax
		and	eax, 80000000h
		cmp	dword ptr [esi+4Ch], 0
		jz	short loc_82FF2B
		or	eax, 40000000h

loc_82FF2B:				; CODE XREF: PAGE:0082FF24j
		cmp	dword ptr [esi+50h], 0
		jz	short loc_82FF36
		or	eax, 10000000h

loc_82FF36:				; CODE XREF: PAGE:0082FF2Fj
		test	[ebp+0Ch], eax
		jnz	short loc_82FF4C
		mov	eax, 0FFFFDFFFh
		and	[esi+84h], ax
		jmp	loc_82FFEF
; 

loc_82FF4C:				; CODE XREF: PAGE:0082FF12j
					; PAGE:0082FF39j
		mov	eax, 2000h
		add	edi, 0D0h
		or	[esi+84h], ax
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp-0Ch]
		mov	ecx, [eax+0F4h]
		test	cl, 40h
		jz	short loc_82FFAD
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_82FF8C
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_82FF8C:				; CODE XREF: PAGE:0082FF83j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp-0Ch]
		mov	edx, esi
		push	0
		call	@AlpcpCancelMessage@12 ; AlpcpCancelMessage(x,x,x)
		mov	eax, 0C0000700h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_82FFAD:				; CODE XREF: PAGE:0082FF73j
		test	dword ptr [eax+98h], 1000h
		jz	short loc_82FFC4
		test	cl, 20h
		jz	short loc_82FFC4
		cmp	dword ptr [esi+10h], 0
		jnz	short loc_82FFD1

loc_82FFC4:				; CODE XREF: PAGE:0082FFB7j
					; PAGE:0082FFBCj
		inc	word ptr [esi-0Eh]
		mov	edx, esi
		mov	ecx, eax
		call	_AlpcpInsertMessagePendingQueue@8 ; AlpcpInsertMessagePendingQueue(x,x)

loc_82FFD1:				; CODE XREF: PAGE:0082FFC2j
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_82FFE8
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_82FFE8:				; CODE XREF: PAGE:0082FFDFj
		mov	ecx, edi
		call	KeAbPostRelease

loc_82FFEF:				; CODE XREF: PAGE:0082FF47j
		cmp	_AlpcpLogEnabled, 0
		jz	short loc_82FFFF
		mov	ecx, esi
		call	_AlpcpLogReceiveMessage@4 ; AlpcpLogReceiveMessage(x)

loc_82FFFF:				; CODE XREF: PAGE:0082FFF6j
		mov	eax, [ebp+8]
		pop	edi
		mov	[eax], esi
		mov	eax, ebx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_83000F:				; CODE XREF: PAGE:0082FE55j
		push	ecx
		push	26h
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 0CCCCCCCCh
; 

; __fastcall AlpcpDispatchReplyToWaitingThread(x)
@AlpcpDispatchReplyToWaitingThread@4:	; CODE XREF: AlpcpDispatchMessage(x)+12p
					; PAGE:00830DEFp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	edx, ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [edx+4]
		mov	eax, [edx]
		mov	dword ptr [edx+10h], 0
		mov	dword ptr [edx+0Ch], 0
		mov	dword ptr [edx+14h], 0
		mov	ecx, [edi+0Ch]
		mov	esi, [edi+14h]
		mov	[ebp-1Ch], eax
		mov	eax, [edx+18h]
		mov	ebx, [ecx+0F4h]
		mov	[ebp-10h], eax
		mov	eax, [edi+10h]
		mov	[ebp-18h], eax
		movzx	eax, word ptr [edx+1Ch]
		shr	ebx, 1
		mov	[ebp-14h], edx
		mov	[ebp-4], ecx
		mov	[ebp-20h], esi
		cmp	eax, [ecx+0A8h]
		jbe	short loc_83009C
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_830089
		mov	ecx, edi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_830089:				; CODE XREF: PAGE:00830080j
		mov	ecx, edi
		call	AlpcpUnlockBlob
		mov	eax, 0C0000023h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_83009C:				; CODE XREF: PAGE:00830077j
		mov	[ebp-8], esi
		or	esi, 0FFFFFFFFh
		mov	dword ptr [edi+0Ch], 0
		mov	dword ptr [edi+6Ch], 0
		cmp	word ptr [edx+1Eh], 0Bh
		jnz	short loc_8300F8
		lea	eax, [ecx+0D0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp-0Ch], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp-4]
		mov	ecx, [ebp-0Ch]
		and	dword ptr [eax+0F4h], 0FFFFFFF7h
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8300EA
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-0Ch]

loc_8300EA:				; CODE XREF: PAGE:008300E0j
		call	KeAbPostRelease
		mov	eax, [edi+14h]
		mov	edx, [ebp-14h]
		mov	[ebp-8], eax

loc_8300F8:				; CODE XREF: PAGE:008300B5j
		mov	eax, large fs:124h
		mov	[ebp-0Ch], eax
		movzx	eax, word ptr [edx+1Ch]
		mov	[edi+82h], ax
		movzx	eax, word ptr [edx+1Ch]
		sub	ax, 18h
		test	dword ptr [ebp-10h], 10000h
		mov	[edi+80h], ax
		movzx	ecx, word ptr [edx+1Eh]
		mov	[edi+84h], cx
		movzx	eax, word ptr [edx+20h]
		mov	edx, [ebp-0Ch]
		mov	[edi+86h], ax
		mov	eax, [edx+2ACh]
		mov	[edi+88h], eax
		mov	eax, [edx+2B0h]
		mov	[edi+8Ch], eax
		mov	eax, ecx
		jz	short loc_830169
		and	eax, 0FFFFDFFFh
		movzx	ecx, ax
		mov	eax, [ebp-8]
		or	eax, 200h
		jmp	short loc_830179
; 

loc_830169:				; CODE XREF: PAGE:00830155j
		or	eax, 2000h
		movzx	ecx, ax
		mov	eax, [ebp-8]
		and	eax, 0FFFFFDFFh

loc_830179:				; CODE XREF: PAGE:00830167j
		mov	edx, [ebp-1Ch]
		mov	[edi+14h], eax
		mov	[edi+84h], cx
		push	ecx
		mov	ecx, edi
		call	_AlpcpSetOwnerPortMessage@12 ; AlpcpSetOwnerPortMessage(x,x,x)
		mov	eax, [ebp-10h]
		and	eax, 20000h
		mov	[ebp-8], eax
		jz	short loc_8301B2
		mov	eax, [ebp-0Ch]
		mov	ecx, edi
		add	eax, 314h
		xchg	ecx, [eax]
		or	dword ptr [edi+14h], 800h
		inc	word ptr [edi-0Eh]

loc_8301B2:				; CODE XREF: PAGE:00830199j
		or	dword ptr [edi+14h], 100h
		mov	ecx, [edi+8]
		mov	eax, [edi+14h]
		mov	[ebp-1Ch], ecx
		test	ecx, ecx
		jz	short loc_830217
		lea	ecx, [ecx+70h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp-1Ch]
		dec	dword ptr [edx+10Ch]
		and	dword ptr [edi+14h], 0FFFFFFF8h
		mov	dword ptr [edi+8], 0
		mov	ecx, [edi+4]
		mov	eax, [edi]
		mov	[ecx], eax
		mov	ecx, [edi]
		mov	eax, [edi+4]
		mov	[ecx+4], eax
		mov	eax, esi
		lea	esi, [edx+70h]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_830209
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_830209:				; CODE XREF: PAGE:00830200j
		mov	ecx, esi
		call	KeAbPostRelease
		dec	word ptr [edi-0Eh]
		mov	eax, [edi+14h]

loc_830217:				; CODE XREF: PAGE:008301C4j
		mov	esi, [ebp-4]
		and	eax, 0FFFFFFFDh
		or	eax, 5
		mov	[edi+14h], eax
		mov	eax, 1
		lock xadd [esi+0E8h], eax
		inc	eax
		and	ebx, 3
		mov	[edi+18h], eax
		mov	eax, [edi+14h]
		shl	ebx, 3
		and	eax, 0FFFFFF87h
		or	ebx, eax
		mov	[edi+14h], ebx
		shr	ebx, 3
		and	ebx, 0Fh
		sub	ebx, 1
		jz	short loc_83025B
		mov	eax, [esi+1Ch]
		sub	ebx, 1
		mov	[edi+40h], eax
		jmp	short loc_830298
; 

loc_83025B:				; CODE XREF: PAGE:0083024Ej
		mov	esi, [esi+8]
		xor	edx, edx
		lea	ebx, [esi-4]
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_830274
		mov	eax, [eax+1Ch]

loc_830274:				; CODE XREF: PAGE:0083026Fj
		mov	[edi+40h], eax
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_83028E
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_83028E:				; CODE XREF: PAGE:00830285j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	esi, [ebp-4]

loc_830298:				; CODE XREF: PAGE:00830259j
		cmp	dword ptr [edi+60h], 0
		jz	short loc_8302AC
		mov	ecx, edi
		call	_AlpcpCaptureMessageDataSafe@4 ; AlpcpCaptureMessageDataSafe(x)
		mov	dword ptr [edi+60h], 0

loc_8302AC:				; CODE XREF: PAGE:0083029Cj
		lea	ebx, [esi+0D0h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		cmp	dword ptr [edi+4Ch], 0
		jz	short loc_8302CA
		mov	edx, edi
		mov	ecx, esi
		call	AlpcpExposeViewAttributeInSenderContext

loc_8302CA:				; CODE XREF: PAGE:008302BFj
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_8302E1
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8302E1:				; CODE XREF: PAGE:008302D8j
		mov	ecx, ebx
		call	KeAbPostRelease
		cmp	_AlpcpLogEnabled, 0
		jz	short loc_8302F8
		mov	ecx, edi
		call	_AlpcpLogSendMessage@4 ; AlpcpLogSendMessage(x)

loc_8302F8:				; CODE XREF: PAGE:008302EFj
		cmp	dword ptr [ebp-8], 0
		jz	short loc_830339
		cmp	_AlpcpLogEnabled, 0
		mov	eax, [ebp-0Ch]
		mov	ecx, [ebp-18h]
		mov	[edi+10h], eax
		mov	eax, [ebp-14h]
		mov	[eax+0Ch], ecx
		jz	short loc_83031D
		mov	ecx, edi
		call	_AlpcpLogWaitForReply@4	; AlpcpLogWaitForReply(x)

loc_83031D:				; CODE XREF: PAGE:00830314j
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_83032D
		mov	ecx, edi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_83032D:				; CODE XREF: PAGE:00830324j
		mov	ecx, edi
		call	AlpcpUnlockBlob
		jmp	loc_830462
; 

loc_830339:				; CODE XREF: PAGE:008302FCj
		dec	word ptr [edi-0Eh]
		lea	esi, [edi-18h]
		mov	dword ptr [edi+10h], 0
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_830357
		mov	ecx, edi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_830357:				; CODE XREF: PAGE:0083034Ej
		mov	cl, [edi-10h]
		test	cl, 1
		jz	loc_830418
		movsx	eax, word ptr [edi-0Eh]
		mov	edx, 10000h
		sub	edx, eax
		and	cl, 0FEh
		xor	eax, eax
		mov	[edi-10h], cl
		mov	[edi-0Eh], ax
		test	edx, edx
		jle	loc_830418
		neg	edx
		lea	eax, [edi-0Ch]
		mov	ecx, edx
		lock xadd [eax], ecx
		add	ecx, edx
		test	ecx, ecx
		jg	loc_830418
		jnz	loc_83047B
		movzx	eax, byte ptr [esi+9]
		push	edi
		mov	ebx, ds:_AlpcpRegisteredTypes[eax*4]
		mov	eax, [ebx+14h]
		call	eax
		lea	ecx, [edi-4]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8303C6
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [edi-4]

loc_8303C6:				; CODE XREF: PAGE:008303BCj
		call	KeAbPostRelease
		mov	eax, [ebx+1Ch]
		push	edi
		call	eax
		test	eax, eax
		js	short loc_830436
		test	byte ptr [esi+8], 2
		jz	short loc_8303F2
		mov	eax, [ebx+8]
		push	esi
		lea	eax, [eax+eax*2]
		shl	eax, 6
		add	eax, offset _AlpcpLookasides
		push	eax
		call	_ExFreeToPagedLookasideList@8 ;	ExFreeToPagedLookasideList(x,x)
		jmp	short loc_830436
; 

loc_8303F2:				; CODE XREF: PAGE:008303D9j
		cmp	dword ptr [ebx+20h], 0
		jbe	short loc_83040C
		mov	eax, [ebx+8]
		push	esi
		lea	eax, [eax+eax*2]
		shl	eax, 6
		mov	eax, dword_6FB02C[eax]
		call	eax
		jmp	short loc_830436
; 

loc_83040C:				; CODE XREF: PAGE:008303F6j
		mov	eax, [ebx+4]
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_830436
; 

loc_830418:				; CODE XREF: PAGE:0083035Dj
					; PAGE:0083037Cj ...
		add	edi, 0FFFFFFFCh
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_83042F
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_83042F:				; CODE XREF: PAGE:00830426j
		mov	ecx, edi
		call	KeAbPostRelease

loc_830436:				; CODE XREF: PAGE:008303D3j
					; PAGE:008303F0j ...
		test	byte ptr [ebp-10h], 4
		jz	short loc_830447
		mov	eax, [ebp-14h]
		mov	ecx, [ebp-18h]
		mov	[eax+0Ch], ecx
		jmp	short loc_83045F
; 

loc_830447:				; CODE XREF: PAGE:0083043Aj
		push	2
		push	ecx
		mov	ecx, [ebp-18h]
		mov	edx, 1
		push	1
		add	ecx, 2B4h
		call	KeReleaseSemaphoreEx

loc_83045F:				; CODE XREF: PAGE:00830445j
		mov	esi, [ebp-4]

loc_830462:				; CODE XREF: PAGE:00830334j
		test	dword ptr [ebp-20h], 1000h
		jz	short loc_830472
		mov	ecx, esi
		call	ObfDereferenceObject

loc_830472:				; CODE XREF: PAGE:00830469j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_83047B:				; CODE XREF: PAGE:00830397j
		push	ecx
		push	28h
		push	edi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 2 dup(0CCCCCCCCh)
; 

; __fastcall AlpcpSendMessage(x, x, x, x)
@AlpcpSendMessage@16:			; CODE XREF: ExpWorkerFactoryStartDeferredWork(x,x)+C4p
					; LpcRequestPort(x,x)+43p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A66B8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 70h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	esi, edx
		mov	[ebp-34h], esi
		mov	[ebp-40h], ecx
		mov	dword ptr [ebp-24h], 0
		xor	eax, eax
		mov	[ebp-80h], eax
		mov	[ebp-7Ch], eax
		mov	[ebp-78h], eax
		mov	[ebp-74h], eax
		mov	[ebp-70h], eax
		mov	[ebp-6Ch], eax
		mov	[ebp-68h], eax
		mov	[ebp-64h], eax
		mov	[ebp-60h], eax
		mov	[ebp-5Ch], eax
		mov	edx, [ecx]
		mov	[ebp-20h], edx
		mov	ebx, [ecx+18h]
		mov	[ebp-28h], ebx
		mov	eax, [edx+0F4h]
		test	al, 10h
		jz	short loc_830522
		mov	eax, 0C0000041h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_830522:				; CODE XREF: PAGE:00830507j
		test	al, 8
		jz	short loc_83053F
		mov	eax, 0C0000707h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_83053F:				; CODE XREF: PAGE:00830524j
		test	al, 20h
		jz	short loc_830568
		test	dword ptr [edx+98h], 1000h
		jnz	short loc_830568
		mov	eax, 0C0000037h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_830568:				; CODE XREF: PAGE:00830541j
					; PAGE:0083054Dj
		cmp	byte ptr [ebp+0Ch], 0
		jz	loc_830692
		mov	dword ptr [ebp-4], 0
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_830586
		mov	ecx, eax

loc_830586:				; CODE XREF: PAGE:00830582j
		mov	esi, [ecx]
		mov	[ebp-58h], esi
		mov	eax, [ecx+4]
		mov	[ebp-54h], eax
		mov	eax, [ecx+8]
		mov	[ebp-2Ch], eax
		mov	[ebp-50h], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp-30h], eax
		mov	[ebp-4Ch], eax
		mov	edi, [ecx+10h]
		mov	[ebp-48h], edi
		mov	eax, [ecx+14h]
		mov	[ebp-44h], eax
		nop
		test	dword ptr [edx+98h], 1000h
		jnz	short loc_8305C5
		test	bl, 2
		jnz	short loc_8305C5
		xor	cl, cl
		jmp	short loc_8305C7
; 

loc_8305C5:				; CODE XREF: PAGE:008305BAj
					; PAGE:008305BFj
		mov	cl, 1

loc_8305C7:				; CODE XREF: PAGE:008305C3j
		lea	eax, [esi+18h]
		mov	si, [ebp-58h]
		cmp	si, ax
		jnb	short loc_830641
		movzx	eax, word ptr [ebp-56h]
		test	cl, cl
		movzx	ecx, si
		jz	short loc_8305EB
		add	ecx, 18h
		cmp	ecx, eax
		ja	short loc_830641
		mov	[ebp-56h], cx
		jmp	short loc_8305F2
; 

loc_8305EB:				; CODE XREF: PAGE:008305DCj
		add	ecx, 18h
		cmp	ecx, eax
		jnz	short loc_830641

loc_8305F2:				; CODE XREF: PAGE:008305E9j
		mov	eax, 7FFFh
		and	[ebp-54h], ax
		cmp	word ptr [ebp-52h], 0
		jz	short loc_83062F
		lea	edx, [ebp-58h]
		mov	ecx, [ebp-34h]
		call	_AlpcpValidateDataInformation@8	; AlpcpValidateDataInformation(x,x)
		test	eax, eax
		jns	short loc_83062C
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_83062C:				; CODE XREF: PAGE:0083060Fj
		mov	edx, [ebp-20h]

loc_83062F:				; CODE XREF: PAGE:00830600j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [edx+98h]
		jmp	loc_8306ED
; 

loc_830641:				; CODE XREF: PAGE:008305D1j
					; PAGE:008305E3j ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_830648:				; CODE XREF: PAGE:0083071Ej
					; PAGE:0083073Fj ...
		mov	eax, 0C000000Dh
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_830661:				; DATA XREF: .text:006A66CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		mov	eax, 1
		retn
; 

loc_830671:				; DATA XREF: .text:006A66D0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-38h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_830692:				; CODE XREF: PAGE:0083056Cj
		mov	eax, [esi]
		mov	[ebp-58h], eax
		mov	eax, [esi+4]
		mov	[ebp-54h], eax
		mov	eax, [esi+8]
		mov	[ebp-50h], eax
		mov	eax, [esi+0Ch]
		mov	[ebp-4Ch], eax
		mov	eax, [esi+10h]
		mov	[ebp-48h], eax
		mov	eax, [esi+14h]
		mov	[ebp-44h], eax
		mov	esi, [edx+98h]
		test	esi, 1000h
		jnz	short loc_8306CC
		test	bl, 2
		jnz	short loc_8306CC
		xor	dl, dl
		jmp	short loc_8306CE
; 

loc_8306CC:				; CODE XREF: PAGE:008306C1j
					; PAGE:008306C6j
		mov	dl, 1

loc_8306CE:				; CODE XREF: PAGE:008306CAj
		lea	ecx, [ebp-58h]
		call	_AlpcpValidateMessage@8	; AlpcpValidateMessage(x,x)
		test	eax, eax
		js	loc_830E0D
		mov	edi, [ebp-48h]
		mov	eax, [ebp-4Ch]
		mov	[ebp-30h], eax
		mov	eax, [ebp-50h]
		mov	[ebp-2Ch], eax

loc_8306ED:				; CODE XREF: PAGE:0083063Cj
		test	esi, 1000h
		jnz	short loc_8306FE
		test	bl, 2
		jnz	short loc_8306FE
		xor	al, al
		jmp	short loc_830700
; 

loc_8306FE:				; CODE XREF: PAGE:008306F3j
					; PAGE:008306F8j
		mov	al, 1

loc_830700:				; CODE XREF: PAGE:008306FCj
		movzx	ecx, byte ptr [ebp-54h]
		mov	esi, ecx
		mov	edx, [ebp-54h]
		and	edx, 0FF00h
		test	al, al
		jz	loc_830813
		test	bl, 1
		jz	short loc_83072E
		test	edi, edi
		jz	loc_830648
		xor	edx, edx
		lea	ecx, [edx+2]
		jmp	loc_8307CF
; 

loc_83072E:				; CODE XREF: PAGE:0083071Aj
		mov	eax, esi
		test	ebx, 10000h
		jz	short loc_830778
		test	eax, eax
		jz	short loc_830771
		cmp	eax, 3
		jb	loc_830648
		cmp	eax, 6
		jbe	short loc_830753
		cmp	eax, 0Dh
		jnz	loc_830648

loc_830753:				; CODE XREF: PAGE:00830748j
		test	bl, 2
		jnz	short loc_8307CD
		mov	eax, 0C000000Dh
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_830771:				; CODE XREF: PAGE:0083073Aj
		mov	ecx, 3
		jmp	short loc_8307CD
; 

loc_830778:				; CODE XREF: PAGE:00830736j
		test	eax, eax
		jz	short loc_8307C8
		cmp	eax, 1
		jz	short loc_8307AB
		add	eax, 0FFFFFFF9h
		cmp	eax, 2
		ja	loc_830648
		test	bl, 2
		jnz	short loc_8307CD
		mov	eax, 0C000000Dh
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_8307AB:				; CODE XREF: PAGE:0083077Fj
		test	edi, edi
		jnz	short loc_8307CF
		mov	eax, 0C000000Dh
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_8307C8:				; CODE XREF: PAGE:0083077Aj
		mov	ecx, 1

loc_8307CD:				; CODE XREF: PAGE:00830756j
					; PAGE:00830776j ...
		xor	edi, edi

loc_8307CF:				; CODE XREF: PAGE:00830729j
					; PAGE:008307ADj
		mov	[ebp-48h], edi
		cmp	byte ptr [ebp+0Ch], 0
		jnz	short loc_8307DF
		mov	dword ptr [ebp-44h], 0

loc_8307DF:				; CODE XREF: PAGE:008307D6j
					; PAGE:0083084Aj ...
		and	edx, 0EFFFh
		or	edx, ecx
		mov	[ebp-54h], dx
		movzx	eax, word ptr [ebp-56h]
		mov	ecx, [ebp-20h]
		cmp	eax, [ecx+0A8h]
		jbe	short loc_83086F
		mov	eax, 0C000002Fh
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_830813:				; CODE XREF: PAGE:00830711j
		cmp	ecx, 7
		jnz	short loc_83081E
		cmp	byte ptr [ebp+0Ch], 0
		jz	short loc_830848

loc_83081E:				; CODE XREF: PAGE:00830816j
		test	edi, edi
		jz	short loc_830837
		js	short loc_830837
		mov	eax, ebx
		and	eax, 10000h
		neg	eax
		sbb	eax, eax
		neg	eax
		inc	eax
		movzx	ecx, ax
		jmp	short loc_830848
; 

loc_830837:				; CODE XREF: PAGE:00830820j
					; PAGE:00830822j
		mov	ecx, ebx
		and	ecx, 10000h
		or	ecx, 8000h
		shr	ecx, 0Fh

loc_830848:				; CODE XREF: PAGE:0083081Cj
					; PAGE:00830835j
		test	edi, edi
		jnz	short loc_8307DF
		cmp	[ebp-2Ch], edi
		jnz	short loc_830856
		cmp	[ebp-30h], edi
		jz	short loc_8307DF

loc_830856:				; CODE XREF: PAGE:0083084Fj
		mov	eax, 0C0000702h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_83086F:				; CODE XREF: PAGE:008307F8j
		test	ebx, 20000h
		jz	short loc_8308A2
		mov	eax, large fs:124h
		test	byte ptr [eax+300h], 20h
		jz	short loc_83089F
		mov	eax, 0C0000001h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_83089F:				; CODE XREF: PAGE:00830884j
		mov	edi, [ebp-48h]

loc_8308A2:				; CODE XREF: PAGE:00830875j
		test	edi, edi
		jnz	loc_8309C4
		inc	dword_6FB00C
		mov	ecx, offset _AlpcpLookasides
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jnz	short loc_8308E4
		inc	dword_6FB010
		mov	eax, dword_6FB020
		push	eax
		mov	eax, dword_6FB024
		push	eax
		mov	eax, dword_6FB01C
		push	eax
		call	dword_6FB028
		test	eax, eax
		jz	loc_8309A9

loc_8308E4:				; CODE XREF: PAGE:008308BCj
		xor	ecx, ecx
		mov	[eax+8], ecx
		mov	[eax+0Ch], ecx
		mov	[eax+10h], ecx
		mov	[eax+14h], ecx
		mov	byte ptr [eax+9], 2
		mov	[eax+4], eax
		mov	[eax], eax
		or	byte ptr [eax+8], 2
		mov	dword ptr [eax+0Ch], 1
		lea	ebx, [eax+18h]
		test	ebx, ebx
		jz	loc_8309A9
		lea	ecx, [ebx-4]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [ebx-10h], 1
		mov	ecx, 10000h
		lea	eax, [ebx-0Ch]
		lock xadd [eax], ecx
		add	ecx, 10000h
		test	ecx, ecx
		jle	loc_830E21
		mov	esi, [ebx+90h]
		push	98h
		push	0
		push	ebx
		call	_memset
		add	esp, 0Ch
		mov	eax, 18h
		mov	[ebx+82h], ax
		dec	word ptr [ebx-0Eh]
		and	esi, 7FFFFFFFh
		mov	[ebx+90h], esi
		jmp	short loc_830970
; 
		align 10h

loc_830970:				; CODE XREF: PAGE:0083096Bj
					; PAGE:0083097Ej
		mov	eax, 1
		lock xadd ds:_AlpcpNextCallbackId, eax
		inc	eax
		jz	short loc_830970
		mov	[ebx+94h], eax
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_830996
		mov	ecx, ebx
		call	_AlpcpEnterAllocationEventMessageLog@4 ; AlpcpEnterAllocationEventMessageLog(x)

loc_830996:				; CODE XREF: PAGE:0083098Dj
		mov	eax, 18h
		mov	[ebx+82h], ax
		xor	esi, esi
		jmp	loc_830BB5
; 

loc_8309A9:				; CODE XREF: PAGE:008308DEj
					; PAGE:0083090Bj
		mov	esi, 0C000009Ah
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_8309C4:				; CODE XREF: PAGE:008308A4j
		or	ebx, 10h
		mov	[ebp-28h], ebx
		lea	eax, [ebp-24h]
		push	eax
		push	ecx
		push	dword ptr [ebp-44h]
		mov	edx, edi
		call	AlpcpLookupMessage
		mov	esi, eax
		mov	ebx, [ebp-24h]
		test	esi, esi
		js	loc_830C27
		mov	eax, [ebx+14h]
		mov	[ebp-3Ch], eax
		test	al, al
		js	loc_830BB1
		mov	ecx, [ebx+0Ch]
		mov	[ebp-30h], ecx
		test	ecx, ecx
		jz	loc_830AA1
		mov	ecx, [ebx+8]
		mov	[ebp-2Ch], ecx
		mov	ecx, eax
		and	ecx, 7
		mov	edx, [ebp-20h]
		cmp	[ebp-2Ch], edx
		jz	loc_830B42
		test	ecx, ecx
		jnz	loc_830B24
		mov	eax, [ebp-30h]
		mov	eax, [eax+8]
		mov	[ebp-2Ch], eax
		lea	ecx, [eax-4]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp-30h]
		mov	eax, [ecx+0F4h]
		shr	eax, 1
		and	eax, 3
		sub	eax, 1
		jz	short loc_830A67
		sub	eax, 1
		jnz	short loc_830A67
		mov	eax, [ebp-2Ch]
		mov	ecx, [ebp-20h]
		cmp	[eax], ecx
		jz	short loc_830A61
		cmp	[eax+4], ecx
		jz	short loc_830A61
		mov	byte ptr [ebp-19h], 0
		jmp	short loc_830A74
; 

loc_830A61:				; CODE XREF: PAGE:00830A54j
					; PAGE:00830A59j
		mov	byte ptr [ebp-19h], 1
		jmp	short loc_830A74
; 

loc_830A67:				; CODE XREF: PAGE:00830A45j
					; PAGE:00830A4Aj
		mov	eax, [ebp-2Ch]
		mov	ecx, [ebp-20h]
		cmp	[eax+8], ecx
		setz	byte ptr [ebp-19h]

loc_830A74:				; CODE XREF: PAGE:00830A5Fj
					; PAGE:00830A65j
		lea	ecx, [eax-4]
		mov	[ebp-30h], ecx
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_830A92
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp-30h]

loc_830A92:				; CODE XREF: PAGE:00830A88j
		call	KeAbPostRelease
		cmp	byte ptr [ebp-19h], 0
		jz	loc_830B52

loc_830AA1:				; CODE XREF: PAGE:008309FCj
					; PAGE:00830B4Cj
		cmp	dword ptr [ebx+10h], 0
		jz	loc_830BB1
		cmp	dword ptr [ebx+1Ch], 0
		jnz	loc_830BB1
		test	dword ptr [ebp-28h], 30000h
		jnz	loc_830BB1
		mov	edx, 198h
		cmp	dword ptr [ebx+78h], 0
		jz	short loc_830AD6
		mov	edx, [ebx+7Ch]
		add	edx, 198h

loc_830AD6:				; CODE XREF: PAGE:00830ACBj
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		call	_AlpcpChargePagedPoolQuota@8 ; AlpcpChargePagedPoolQuota(x,x)
		mov	edi, eax
		mov	[ebp-3Ch], edi
		test	edi, edi
		jns	loc_830B82
		mov	esi, [ebp-24h]
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_830B07
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_830B07:				; CODE XREF: PAGE:00830AFEj
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	eax, edi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_830B24:				; CODE XREF: PAGE:00830A1Bj
		mov	eax, [edx+0F4h]
		and	eax, 6
		cmp	al, 6
		jnz	short loc_830B52
		mov	eax, [edx+8]
		test	eax, eax
		jz	short loc_830B52
		mov	edx, [ebp-2Ch]
		cmp	[eax], edx
		jnz	short loc_830B52
		mov	eax, [ebp-3Ch]

loc_830B42:				; CODE XREF: PAGE:00830A13j
		cmp	ecx, 3
		jnz	short loc_830B52
		test	eax, 2000h
		jz	loc_830AA1

loc_830B52:				; CODE XREF: PAGE:00830A9Bj
					; PAGE:00830B2Fj ...
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_830B62
		mov	ecx, ebx
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_830B62:				; CODE XREF: PAGE:00830B59j
		mov	ecx, ebx
		call	AlpcpUnlockBlob
		mov	eax, 0C0000022h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_830B82:				; CODE XREF: PAGE:00830AEEj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebx+1Ch], eax
		mov	ecx, large fs:124h
		mov	edx, 63706C41h
		mov	ecx, [ecx+80h]
		call	ObfReferenceObjectWithTag
		mov	edi, [ebp-48h]
		mov	ebx, [ebp-24h]
		mov	esi, [ebp-3Ch]

loc_830BB1:				; CODE XREF: PAGE:008309EEj
					; PAGE:00830AA5j ...
		test	esi, esi
		js	short loc_830C27

loc_830BB5:				; CODE XREF: PAGE:008309A4j
		mov	dword ptr [ebp-24h], 0
		mov	edx, [ebp+8]
		test	edx, edx
		jz	short loc_830BDC
		lea	eax, [ebp-80h]
		mov	[ebp-24h], eax
		push	eax
		push	ebx
		push	edx
		mov	edx, [ebp-28h]
		mov	ecx, [ebp-20h]
		call	AlpcpCaptureAttributes
		mov	esi, eax
		mov	edx, [ebp+8]

loc_830BDC:				; CODE XREF: PAGE:00830BC1j
		test	edi, edi
		jz	short loc_830C3D
		mov	eax, [ebx+14h]
		mov	ecx, eax
		shr	ecx, 7
		test	eax, 200h
		jnz	short loc_830BF4
		test	cl, 1
		jz	short loc_830C3D

loc_830BF4:				; CODE XREF: PAGE:00830BEDj
		and	cl, 1
		movzx	esi, cl
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000703h
		test	edx, edx
		jz	short loc_830C10
		mov	ecx, [ebp-24h]
		call	AlpcpReleaseAttributes

loc_830C10:				; CODE XREF: PAGE:00830C06j
		lea	ecx, [ebx+38h]
		call	AlpcpReleaseAttributes
		push	10000h
		mov	edx, ebx
		mov	ecx, [ebp-20h]
		call	@AlpcpCancelMessage@12 ; AlpcpCancelMessage(x,x,x)

loc_830C27:				; CODE XREF: PAGE:008309E0j
					; PAGE:00830BB3j
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_830C3D:				; CODE XREF: PAGE:00830BDEj
					; PAGE:00830BF2j
		test	esi, esi
		jns	short loc_830C6E

loc_830C41:				; CODE XREF: PAGE:00830D85j
					; PAGE:00830DA6j
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_830C51
		mov	ecx, ebx
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_830C51:				; CODE XREF: PAGE:00830C48j
		mov	ecx, ebx
		call	AlpcpUnlockBlob
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_830C6E:				; CODE XREF: PAGE:00830C3Fj
		test	edi, edi
		jz	short loc_830CCB
		mov	ecx, [ebx+70h]
		test	ecx, ecx
		jz	short loc_830CB0
		mov	eax, [ebx+90h]
		mov	esi, ecx
		and	esi, 7
		and	ecx, 0FFFFFFF8h
		push	0
		push	1
		push	0FFFFFFFFh
		push	eax
		lea	eax, [esi-7]
		neg	eax
		sbb	eax, eax
		and	eax, esi
		push	eax
		xor	edx, edx
		cmp	esi, 7
		setnz	dl
		dec	edx
		and	edx, 2
		call	_PspChargeProcessWakeCounter@28	; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)
		mov	dword ptr [ebx+70h], 0

loc_830CB0:				; CODE XREF: PAGE:00830C77j
		mov	ecx, [ebx+74h]
		test	ecx, ecx
		jz	short loc_830CCB
		mov	eax, [ebx+90h]
		push	eax
		push	ecx
		call	_PsReleaseProcessWakeCounter@8 ; PsReleaseProcessWakeCounter(x,x)
		mov	dword ptr [ebx+74h], 0

loc_830CCB:				; CODE XREF: PAGE:00830C70j
					; PAGE:00830CB5j
		xor	eax, eax
		test	edi, edi
		jz	short loc_830D47
		js	short loc_830D47
		mov	eax, [ebx+54h]
		mov	[ebp+8], eax
		mov	dword ptr [ebx+54h], 0
		mov	ecx, [ebx+48h]
		test	ecx, ecx
		jz	short loc_830CF8
		mov	edx, 1
		call	AlpcpDereferenceBlobEx
		mov	dword ptr [ebx+48h], 0

loc_830CF8:				; CODE XREF: PAGE:00830CE5j
		mov	ecx, [ebx+4Ch]
		test	ecx, ecx
		jz	short loc_830D0B
		call	_AlpcpReleaseViewAttribute@4 ; AlpcpReleaseViewAttribute(x)
		mov	dword ptr [ebx+4Ch], 0

loc_830D0B:				; CODE XREF: PAGE:00830CFDj
		mov	ecx, [ebx+50h]
		test	ecx, ecx
		jz	short loc_830D23
		mov	edx, 1
		call	AlpcpDereferenceBlobEx
		mov	dword ptr [ebx+50h], 0

loc_830D23:				; CODE XREF: PAGE:00830D10j
		mov	ecx, [ebx+54h]
		test	cl, 1
		jz	short loc_830D44
		cmp	ecx, 4
		jb	short loc_830D3D
		test	cl, 2
		jz	short loc_830D3D
		and	ecx, 0FFFFFFFCh
		call	ObfDereferenceObject

loc_830D3D:				; CODE XREF: PAGE:00830D2Ej
					; PAGE:00830D33j
		mov	dword ptr [ebx+54h], 0

loc_830D44:				; CODE XREF: PAGE:00830D29j
		mov	eax, [ebp+8]

loc_830D47:				; CODE XREF: PAGE:00830CCFj
					; PAGE:00830CD1j
		mov	edx, [ebp-24h]
		test	edx, edx
		jz	short loc_830D5A
		lea	edi, [ebx+38h]
		mov	ecx, 0Ah
		mov	esi, edx
		rep movsd

loc_830D5A:				; CODE XREF: PAGE:00830D4Cj
		test	eax, eax
		jz	short loc_830D61
		mov	[ebx+54h], eax

loc_830D61:				; CODE XREF: PAGE:00830D5Cj
		xor	esi, esi
		mov	ecx, [ebp-34h]
		add	ecx, 18h
		mov	dx, [ebp-58h]
		cmp	byte ptr [ebp+0Ch], 0
		jz	short loc_830D8A
		movzx	eax, dx
		add	eax, ecx
		cmp	eax, ds:_MmUserProbeAddress
		jbe	short loc_830D8A
		mov	esi, 0C0000005h
		jmp	loc_830C41
; 

loc_830D8A:				; CODE XREF: PAGE:00830D71j
					; PAGE:00830D7Ej
		mov	[ebx+60h], ecx
		movzx	edx, dx
		mov	ecx, ebx
		call	_AlpcpAvailableBufferSize@4 ; AlpcpAvailableBufferSize(x)
		cmp	edx, eax
		jbe	short loc_830DA4
		push	0
		call	@AlpcpCaptureMessageData@12 ; AlpcpCaptureMessageData(x,x,x)
		mov	esi, eax

loc_830DA4:				; CODE XREF: PAGE:00830D99j
		test	esi, esi
		js	loc_830C41
		mov	ecx, [ebp-40h]
		mov	[ecx+4], ebx
		movzx	eax, word ptr [ebp-56h]
		mov	[ecx+1Ch], ax
		movzx	eax, word ptr [ebp-54h]
		mov	[ecx+1Eh], ax
		movzx	eax, word ptr [ebp-52h]
		mov	[ecx+20h], ax
		cmp	dword ptr [ebx+0Ch], 0
		jnz	short loc_830DE9
		call	@AlpcpDispatchNewMessage@4 ; AlpcpDispatchNewMessage(x)
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_830DE9:				; CODE XREF: PAGE:00830DCEj
		cmp	dword ptr [ebx+10h], 0
		jz	short loc_830E08
		call	@AlpcpDispatchReplyToWaitingThread@4 ; AlpcpDispatchReplyToWaitingThread(x)
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_830E08:				; CODE XREF: PAGE:00830DEDj
		call	_AlpcpDispatchReplyToPort@4 ; AlpcpDispatchReplyToPort(x)

loc_830E0D:				; CODE XREF: PAGE:008306D8j
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_830E21:				; CODE XREF: PAGE:00830933j
		push	ecx
		push	26h
		push	ebx
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcpDispatchNewMessage(x)
@AlpcpDispatchNewMessage@4 proc	near	; CODE XREF: AlpcpDispatchMessage(x):loc_79A7CAp
					; PAGE:00830DD0p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax]
		mov	edx, [eax+18h]
		mov	esi, [eax+4]
		mov	dword ptr [eax+10h], 0
		mov	dword ptr [eax+0Ch], 0
		mov	dword ptr [eax+14h], 0
		mov	ebx, [ecx+8]
		mov	[ebp+var_8], eax
		mov	eax, large fs:124h
		mov	edi, [ecx+0F4h]
		mov	[ebp+var_C], ecx
		lea	ecx, [ebx-4]
		mov	[ebp+var_10], edx
		xor	edx, edx
		shr	edi, 1
		mov	[ebp+var_4], ebx
		and	edi, 3
		mov	[ebp+var_14], eax
		call	ExAcquirePushLockSharedEx
		sub	edi, 1
		jz	short loc_830E9D
		sub	edi, 1
		jz	short loc_830E96
		mov	edi, [ebx+8]
		jmp	short loc_830E9F
; 

loc_830E96:				; CODE XREF: AlpcpDispatchNewMessage(x)+5Fj
		mov	edi, [ebx]
		mov	ebx, [ebx+4]
		jmp	short loc_830EA1
; 

loc_830E9D:				; CODE XREF: AlpcpDispatchNewMessage(x)+5Aj
		mov	edi, [ebx]

loc_830E9F:				; CODE XREF: AlpcpDispatchNewMessage(x)+64j
		mov	ebx, edi

loc_830EA1:				; CODE XREF: AlpcpDispatchNewMessage(x)+6Bj
		test	edi, edi
		jz	short loc_830EB5
		mov	ecx, edi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_830EB5:				; CODE XREF: AlpcpDispatchNewMessage(x)+73j
		test	ebx, ebx
		jz	short loc_830EC9
		mov	ecx, ebx
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	ebx, eax

loc_830EC9:				; CODE XREF: AlpcpDispatchNewMessage(x)+87j
		test	edi, edi
		jz	loc_831132
		test	ebx, ebx
		jz	loc_831132
		lea	ecx, [edi+0D0h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		cmp	ebx, edi
		jz	short loc_830EF7
		lea	ecx, [ebx+0D0h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx

loc_830EF7:				; CODE XREF: AlpcpDispatchNewMessage(x)+B8j
		test	byte ptr [edi+0F4h], 20h
		jnz	short loc_830F21
		test	byte ptr [ebx+0F4h], 20h
		jnz	short loc_830F21
		mov	eax, [ebp+var_C]
		test	byte ptr [eax+0F4h], 20h
		jz	short loc_830F31
		test	dword ptr [eax+98h], 1000h
		jnz	short loc_830F31

loc_830F21:				; CODE XREF: AlpcpDispatchNewMessage(x)+CEj
					; AlpcpDispatchNewMessage(x)+D7j
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	ebx
		call	@AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo@12 ; AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x,x,x)
		jmp	loc_83116E
; 

loc_830F31:				; CODE XREF: AlpcpDispatchNewMessage(x)+E3j
					; AlpcpDispatchNewMessage(x)+EFj
		mov	edx, [ebp+var_8]
		mov	eax, [edx]
		test	dword ptr [eax+98h], 800000h
		jz	short loc_830F9F
		mov	eax, [edx+4]
		test	dword ptr [eax+14h], 200h
		jnz	short loc_830F9F
		mov	eax, [edi+0Ch]
		test	al, 1
		jnz	short loc_830F9F
		test	eax, eax
		jz	short loc_830F9F
		push	eax
		call	_PsGetProcessJob@4 ; PsGetProcessJob(x)
		test	eax, eax
		jz	short loc_830F9C
		mov	ecx, eax
		call	_PsGetJobEffectiveFreezeCount@4	; PsGetJobEffectiveFreezeCount(x)
		test	eax, eax
		jz	short loc_830F9C
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	ebx
		call	@AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo@12 ; AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x,x,x)
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_830F89
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_830F89:				; CODE XREF: AlpcpDispatchNewMessage(x)+150j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	eax, 0C0000036h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_830F9C:				; CODE XREF: AlpcpDispatchNewMessage(x)+131j
					; AlpcpDispatchNewMessage(x)+13Cj
		mov	edx, [ebp+var_8]

loc_830F9F:				; CODE XREF: AlpcpDispatchNewMessage(x)+110j
					; AlpcpDispatchNewMessage(x)+11Cj ...
		test	dword ptr [edi+98h], 20000h
		jnz	short loc_830FD9
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	ebx
		call	@AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo@12 ; AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x,x,x)
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_830FC6
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_830FC6:				; CODE XREF: AlpcpDispatchNewMessage(x)+18Dj
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	eax, 0C0000707h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_830FD9:				; CODE XREF: AlpcpDispatchNewMessage(x)+179j
		movzx	eax, word ptr [edx+1Ch]
		cmp	eax, [edi+0A8h]
		jbe	short loc_831013
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	ebx
		call	@AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo@12 ; AlpcpUnlockAndDereferenceTargetPortsAndCommunicationInfo(x,x,x)
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_831000
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_831000:				; CODE XREF: AlpcpDispatchNewMessage(x)+1C7j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	eax, 0C0000023h
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_831013:				; CODE XREF: AlpcpDispatchNewMessage(x)+1B3j
		mov	dword ptr [esi+6Ch], 0
		movzx	eax, word ptr [edx+1Ch]
		mov	[esi+82h], ax
		movzx	eax, word ptr [edx+1Ch]
		sub	ax, 18h
		test	[ebp+var_10], 10000h
		mov	[esi+80h], ax
		movzx	ecx, word ptr [edx+1Eh]
		mov	[esi+84h], cx
		movzx	eax, word ptr [edx+20h]
		mov	edx, [ebp+var_14]
		mov	[esi+86h], ax
		mov	eax, [edx+2ACh]
		mov	[esi+88h], eax
		mov	eax, [edx+2B0h]
		mov	[esi+8Ch], eax
		mov	eax, [esi+14h]
		jz	short loc_83107E
		and	ecx, 0FFFFDFFFh
		or	eax, 200h
		jmp	short loc_831089
; 

loc_83107E:				; CODE XREF: AlpcpDispatchNewMessage(x)+23Fj
		or	ecx, 2000h
		and	eax, 0FFFFFDFFh

loc_831089:				; CODE XREF: AlpcpDispatchNewMessage(x)+24Cj
		mov	edx, [ebp+var_C]
		movzx	ecx, cx
		mov	[esi+14h], eax
		mov	[esi+84h], cx
		push	ecx
		mov	ecx, esi
		call	_AlpcpSetOwnerPortMessage@12 ; AlpcpSetOwnerPortMessage(x,x,x)
		mov	eax, 1
		lock xadd [ebx+0E8h], eax
		inc	eax
		mov	ecx, [ebp+var_4]
		mov	[esi+18h], eax
		mov	eax, [ebx+1Ch]
		mov	[esi+40h], eax
		mov	[esi+64h], ecx
		mov	eax, [ecx]
		mov	[esi+68h], eax
		cmp	ebx, edi
		jz	short loc_8310F0
		lea	ecx, [ebx+0D0h]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_8310E8
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	ecx, [ebx+0D0h]

loc_8310E8:				; CODE XREF: AlpcpDispatchNewMessage(x)+2ABj
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]

loc_8310F0:				; CODE XREF: AlpcpDispatchNewMessage(x)+295j
		test	[ebp+var_10], 20000h
		jz	short loc_831112
		mov	eax, [ebp+var_14]
		and	dword ptr [esi+14h], 0FFFFFEFFh
		add	word ptr [esi-0Eh], 2
		mov	[esi+10h], eax
		add	eax, 314h
		xchg	esi, [eax]

loc_831112:				; CODE XREF: AlpcpDispatchNewMessage(x)+2C7j
		mov	eax, [ebp+var_8]
		mov	[eax+8], ecx
		mov	ecx, eax
		mov	[eax+10h], edi
		call	AlpcpCompleteDispatchMessage
		mov	ecx, ebx
		call	ObfDereferenceObject
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_831132:				; CODE XREF: AlpcpDispatchNewMessage(x)+9Bj
					; AlpcpDispatchNewMessage(x)+A3j
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		add	ecx, 0FFFFFFFCh
		mov	eax, 11h
		mov	[ebp+var_14], ecx
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_831153
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+var_14]

loc_831153:				; CODE XREF: AlpcpDispatchNewMessage(x)+319j
		call	KeAbPostRelease
		test	edi, edi
		jz	short loc_831163
		mov	ecx, edi
		call	ObfDereferenceObject

loc_831163:				; CODE XREF: AlpcpDispatchNewMessage(x)+32Aj
		test	ebx, ebx
		jz	short loc_83116E
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_83116E:				; CODE XREF: AlpcpDispatchNewMessage(x)+FCj
					; AlpcpDispatchNewMessage(x)+335j
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_83117E
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_83117E:				; CODE XREF: AlpcpDispatchNewMessage(x)+345j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		pop	edi
		pop	esi
		mov	eax, 0C0000037h
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
@AlpcpDispatchNewMessage@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCompleteDispatchMessage proc near	; CODE XREF: AlpcpDispatchConnectionRequest+121p
					; AlpcpDispatchReplyToPort(x)+291p ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00831C74 SIZE 000002BC BYTES
; FUNCTION CHUNK AT 00831F3A SIZE 00000009 BYTES
; FUNCTION CHUNK AT 0092394F SIZE 000001D8 BYTES
; FUNCTION CHUNK AT 00923B49 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+40h+var_31], 0
		mov	ecx, [edi+18h]
		mov	edx, ecx
		mov	eax, [edi+8]
		and	edx, 20000h
		mov	ebx, [edi+10h]
		mov	esi, [edi+4]
		mov	[esp+40h+var_20], eax
		mov	eax, ecx
		and	eax, 4
		mov	[esp+40h+var_2C], edx
		mov	[esp+40h+var_28], eax
		and	ecx, (offset loc_7FFFFF+1)
		mov	eax, [edi]
		mov	eax, [eax+98h]
		test	eax, 400000h
		jnz	loc_831AD6
		test	eax, 200000h
		jnz	loc_92394F
		mov	[esp+40h+var_30], 0

loc_831206:				; CODE XREF: AlpcpCompleteDispatchMessage+93Ej
					; AlpcpCompleteDispatchMessage+F27B7j
		test	edx, edx
		jz	loc_831433

loc_83120E:				; CODE XREF: AlpcpCompleteDispatchMessage+295j
		mov	[esp+40h+var_24], 1

loc_831216:				; CODE XREF: AlpcpCompleteDispatchMessage+29Fj
		test	dword ptr [esi+14h], 200h
		jnz	short loc_831293
		mov	ecx, [ebx+0Ch]
		mov	eax, ecx
		and	al, 1
		movzx	edx, al
		neg	edx
		sbb	edx, edx
		not	edx
		and	edx, ecx
		mov	[esp+40h+var_14], edx
		jz	short loc_831293
		mov	ecx, [esp+40h+var_24]
		mov	eax, [esp+40h+var_30]
		test	ecx, ecx
		jz	loc_8319D5

loc_831247:				; CODE XREF: AlpcpCompleteDispatchMessage+837j
					; AlpcpCompleteDispatchMessage+84Aj
		mov	ecx, 1
		sub	eax, 0
		jnz	loc_831AE3
		mov	eax, ds:_AlpcpWakePolicyDefault
		test	al, cl
		jz	short loc_83126B
		mov	ecx, 3
		test	al, 2
		jnz	loc_923966

loc_83126B:				; CODE XREF: AlpcpCompleteDispatchMessage+BCj
					; AlpcpCompleteDispatchMessage+946j ...
		mov	eax, [esi+90h]
		push	eax
		push	2
		push	ecx
		push	edx
		call	_PsChargeProcessWakeCounter@16 ; PsChargeProcessWakeCounter(x,x,x,x)
		mov	edx, [esp+40h+var_14]
		mov	ecx, [esp+40h+var_24]
		mov	[esi+70h], eax

loc_831286:				; CODE XREF: AlpcpCompleteDispatchMessage+844j
		cmp	ds:_KeHeteroSystem, 0
		jnz	loc_923970

loc_831293:				; CODE XREF: AlpcpCompleteDispatchMessage+7Dj
					; AlpcpCompleteDispatchMessage+95j ...
		test	byte ptr [edi+18h], 8
		jnz	loc_8318F5
		lea	eax, [ebx+8Ch]
		cmp	[eax], eax
		jnz	loc_831762

loc_8312AB:				; CODE XREF: AlpcpCompleteDispatchMessage+96Dj
		cmp	dword ptr [ebx+10h], 0
		jz	loc_8315B0
		mov	[esp+40h+var_32], 1
		mov	[esp+40h+var_14], 0

loc_8312C2:				; CODE XREF: AlpcpCompleteDispatchMessage+425j
		mov	eax, [ebx+0D4h]
		mov	[esp+40h+var_30], eax
		test	eax, eax
		jnz	loc_831444

loc_8312D4:				; CODE XREF: AlpcpCompleteDispatchMessage+2AEj
					; AlpcpCompleteDispatchMessage+300j ...
		cmp	dword ptr [esi+60h], 0
		jz	short loc_8312E8
		mov	ecx, esi
		call	_AlpcpCaptureMessageDataSafe@4 ; AlpcpCaptureMessageDataSafe(x)
		mov	dword ptr [esi+60h], 0

loc_8312E8:				; CODE XREF: AlpcpCompleteDispatchMessage+138j
		cmp	dword ptr [esi+4Ch], 0
		jnz	loc_8318E7

loc_8312F2:				; CODE XREF: AlpcpCompleteDispatchMessage+750j
		inc	word ptr [esi-0Eh]
		lea	ecx, [ebx+5Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+14h]
		mov	[esi+8], ebx
		and	eax, 0FFFFFF87h
		mov	ecx, [ebx+0F4h]
		and	ecx, 6
		shl	ecx, 2
		or	ecx, eax
		and	ecx, 0FFFFFFF9h
		or	ecx, 1
		mov	[esi+14h], ecx
		lea	ecx, [ebx+60h]
		mov	eax, [ecx+4]
		mov	[esi+4], eax
		mov	[esi], ecx
		mov	eax, [ecx+4]
		mov	[eax], esi
		or	eax, 0FFFFFFFFh
		inc	dword ptr [ebx+104h]
		mov	[ecx+4], esi
		lea	ecx, [ebx+5Ch]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_831A74

loc_83134D:				; CODE XREF: AlpcpCompleteDispatchMessage+577j
					; AlpcpCompleteDispatchMessage+585j ...
		call	KeAbPostRelease

loc_831352:				; CODE XREF: AlpcpCompleteDispatchMessage+9D8j
					; AlpcpCompleteDispatchMessage+F2903j
		cmp	_AlpcpLogEnabled, 0
		jnz	loc_923AA8

loc_83135F:				; CODE XREF: AlpcpCompleteDispatchMessage+F290Fj
		cmp	[esp+40h+var_31], 0
		jnz	loc_83158E

loc_83136A:				; CODE XREF: AlpcpCompleteDispatchMessage+3F5j
					; AlpcpCompleteDispatchMessage+F291Bj
		cmp	_AlpcpLogEnabled, 0
		jnz	loc_8315A0

loc_831377:				; CODE XREF: AlpcpCompleteDispatchMessage+405j
					; AlpcpCompleteDispatchMessage+F2927j
		and	dword ptr [esi+14h], 0FFFF7FFFh
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	loc_923ACC

loc_83138B:				; CODE XREF: AlpcpCompleteDispatchMessage+F2933j
		mov	dl, [esi-10h]
		test	dl, 1
		jz	short loc_8313C3
		movsx	eax, word ptr [esi-0Eh]
		mov	ecx, 10000h
		sub	ecx, eax
		and	dl, 0FEh
		xor	eax, eax
		mov	[esi-10h], dl
		mov	[esi-0Eh], ax
		test	ecx, ecx
		jle	short loc_8313C3
		neg	ecx
		lea	eax, [esi-0Ch]
		mov	edx, ecx
		lock xadd [eax], edx
		add	edx, ecx
		test	edx, edx
		jle	loc_831B7D

loc_8313C3:				; CODE XREF: AlpcpCompleteDispatchMessage+1F1j
					; AlpcpCompleteDispatchMessage+20Cj
		add	esi, 0FFFFFFFCh
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_831A68

loc_8313D7:				; CODE XREF: AlpcpCompleteDispatchMessage+8CFj
		mov	ecx, esi
		call	KeAbPostRelease

loc_8313DE:				; CODE XREF: AlpcpCompleteDispatchMessage+9EFj
		mov	esi, [esp+40h+var_20]
		xor	edx, edx
		add	esi, 0FFFFFFFCh
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	loc_831A50

loc_8313F9:				; CODE XREF: AlpcpCompleteDispatchMessage+8B7j
		mov	ecx, esi
		call	KeAbPostRelease
		cmp	[esp+40h+var_14], 0
		jnz	loc_8315CA
		cmp	[esp+40h+var_32], 0
		jz	loc_8319FB
		cmp	[esp+40h+var_2C], 0
		jz	loc_831735

loc_831421:				; CODE XREF: AlpcpCompleteDispatchMessage+59Aj
		mov	al, [esp+40h+var_31]
		mov	byte ptr [edi+22h], 1
		mov	[edi+23h], al

loc_83142C:				; CODE XREF: AlpcpCompleteDispatchMessage+484j
					; AlpcpCompleteDispatchMessage+5BDj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_831433:				; CODE XREF: AlpcpCompleteDispatchMessage+68j
		test	ecx, ecx
		jnz	loc_83120E
		mov	[esp+40h+var_24], ecx
		jmp	loc_831216
; 

loc_831444:				; CODE XREF: AlpcpCompleteDispatchMessage+12Ej
		test	dword ptr [ebx+0F4h], 10000h
		jz	loc_8312D4
		lea	ecx, [esi+38h]
		mov	[esp+40h+var_8], 0
		mov	[esp+40h+var_4], 0
		call	sub_8339C2
		mov	[esp+40h+var_24], eax
		add	ecx, 20h
		push	8		; size_t
		lea	eax, [esp+44h+var_8]
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_83148F
		or	[esp+40h+var_24], 2000000h

loc_83148F:				; CODE XREF: AlpcpCompleteDispatchMessage+2E5j
		mov	ecx, [esp+40h+var_30]
		mov	eax, [ecx+50h]
		mov	[esp+40h+var_1C], eax
		not	eax
		test	[esp+40h+var_24], eax
		jnz	loc_8312D4
		movzx	eax, word ptr [esi+84h]
		and	eax, 0FFFF00FFh
		cmp	eax, 5
		mov	eax, [esp+40h+var_1C]
		jz	loc_831B44

loc_8314BF:				; CODE XREF: AlpcpCompleteDispatchMessage+9A9j
		movzx	edx, word ptr [esi+82h]
		mov	[esp+40h+var_24], edx
		test	eax, eax
		jz	loc_923A3E
		movzx	edx, word ptr [esi+82h]
		lea	eax, [esi+80h]
		add	edx, eax
		mov	eax, 4
		and	edx, 3
		sub	eax, edx
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	eax, [ecx+54h]
		mov	[esp+40h+var_1C], edx
		add	eax, edx
		mov	edx, [esp+40h+var_24]
		add	edx, eax
		mov	[esp+40h+var_24], edx

loc_831504:				; CODE XREF: AlpcpCompleteDispatchMessage+F28A6j
		mov	ecx, ebx
		call	AlpcpAllocateCompletionBuffer
		mov	[esp+40h+var_18], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_8312D4
		mov	ecx, [esp+40h+var_30]
		mov	edx, [ecx+3Ch]
		mov	ecx, [esi+80h]
		add	edx, eax
		mov	[esp+40h+var_10], edx
		mov	[edx], ecx
		mov	eax, [esi+84h]
		mov	[edx+4], eax
		mov	eax, [esi+88h]
		mov	[edx+8], eax
		mov	eax, [esi+8Ch]
		mov	[edx+0Ch], eax
		mov	eax, [esi+90h]
		mov	[edx+10h], eax
		mov	eax, [esi+94h]
		mov	[edx+14h], eax
		test	dword ptr [ebx+98h], 1000h
		jnz	loc_923A4B

loc_83156A:				; CODE XREF: AlpcpCompleteDispatchMessage+F28B4j
		movzx	eax, word ptr [esi+82h]
		add	edx, 18h
		cmp	dword ptr [esi+60h], 0
		mov	ecx, esi
		mov	[esp+40h+var_C], eax
		jnz	loc_831629
		call	@AlpcpReadMessageData@8	; AlpcpReadMessageData(x,x)
		jmp	loc_83162E
; 

loc_83158E:				; CODE XREF: AlpcpCompleteDispatchMessage+1C4j
		cmp	_AlpcpLogEnabled, 0
		jz	loc_83136A
		jmp	loc_923AB4
; 

loc_8315A0:				; CODE XREF: AlpcpCompleteDispatchMessage+1D1j
		cmp	[esp+40h+var_2C], 0
		jz	loc_831377
		jmp	loc_923AC0
; 

loc_8315B0:				; CODE XREF: AlpcpCompleteDispatchMessage+10Fj
		mov	ecx, [ebx+0F4h]
		shr	ecx, 9
		and	ecx, 1
		mov	[esp+40h+var_32], 0
		mov	[esp+40h+var_14], ecx
		jmp	loc_8312C2
; 

loc_8315CA:				; CODE XREF: AlpcpCompleteDispatchMessage+265j
		lea	esi, [ebx+0D0h]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	loc_831A5C

loc_8315E4:				; CODE XREF: AlpcpCompleteDispatchMessage+8C3j
		mov	ecx, esi
		call	KeAbPostRelease
		cmp	[esp+40h+var_28], 0
		jnz	loc_83172A
		cmp	[esp+40h+var_2C], 0
		jnz	loc_83172A
		push	0
		push	ecx
		mov	ecx, [ebx+94h]
		mov	edx, 1
		push	1
		call	KeReleaseSemaphoreEx

loc_831616:				; CODE XREF: AlpcpCompleteDispatchMessage+888j
					; AlpcpCompleteDispatchMessage+89Fj
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	dword ptr [edi+10h], 0
		jmp	loc_83142C
; 

loc_831629:				; CODE XREF: AlpcpCompleteDispatchMessage+3DEj
		call	AlpcpGetDataFromUserVaSafe

loc_83162E:				; CODE XREF: AlpcpCompleteDispatchMessage+3E9j
		mov	ecx, [esp+40h+var_30]
		mov	edx, [ecx+50h]
		test	edx, edx
		jz	short loc_83165B
		mov	eax, [esp+40h+var_10]
		add	eax, [esp+40h+var_C]
		add	eax, [esp+40h+var_1C]
		push	eax
		mov	[eax], edx
		mov	dword ptr [eax+4], 0
		mov	eax, [ecx+50h]
		mov	ecx, ebx
		push	eax
		push	esi
		call	AlpcpExposeAttributes

loc_83165B:				; CODE XREF: AlpcpCompleteDispatchMessage+497j
		mov	edx, [esp+40h+var_18]
		mov	ecx, ebx
		call	AlpcpInsertCompletionListEntry
		mov	[esp+40h+var_C], eax
		test	eax, eax
		jz	loc_923A59
		mov	edx, [esp+40h+var_30]
		mov	eax, [esi+90h]
		mov	[esp+40h+var_31], 1
		mov	ecx, [edx+28h]
		mov	[ecx+48h], eax
		mov	ecx, [edx+28h]
		mov	eax, [esi+94h]
		mov	[ecx+4Ch], eax
		mov	eax, [esp+40h+var_C]
		and	eax, 2
		cmp	[esp+40h+var_32], 0
		jz	short loc_8316A9
		test	eax, eax
		jz	loc_831A98

loc_8316A9:				; CODE XREF: AlpcpCompleteDispatchMessage+4FFj
					; AlpcpCompleteDispatchMessage+91Bj ...
		test	dword ptr [esi+14h], 200h
		jnz	loc_831B54
		inc	word ptr [esi-0Eh]
		lea	ecx, [ebx+70h]
		mov	eax, 2000h
		xor	edx, edx
		or	[esi+84h], ax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+14h]
		mov	[esi+8], ebx
		and	eax, 0FFFFFF87h
		mov	ecx, [ebx+0F4h]
		and	ecx, 6
		shl	ecx, 2
		or	ecx, eax
		and	ecx, 0FFFFFFFBh
		or	ecx, 3
		mov	[esi+14h], ecx
		lea	ecx, [ebx+74h]
		mov	eax, [ecx+4]
		mov	[esi+4], eax
		mov	[esi], ecx
		mov	eax, [ecx+4]
		mov	[eax], esi
		or	eax, 0FFFFFFFFh
		inc	dword ptr [ebx+10Ch]
		mov	[ecx+4], esi
		lea	ecx, [ebx+70h]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	loc_83134D
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [ebx+70h]
		jmp	loc_83134D
; 

loc_83172A:				; CODE XREF: AlpcpCompleteDispatchMessage+450j
					; AlpcpCompleteDispatchMessage+45Bj
		mov	byte ptr [edi+22h], 0
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_831735:				; CODE XREF: AlpcpCompleteDispatchMessage+27Bj
		cmp	[esp+40h+var_28], 0
		jnz	loc_831421
		mov	dl, [esp+40h+var_31]
		mov	ecx, ebx
		push	0
		push	1
		call	_AlpcpQueueIoCompletionPort@16 ; AlpcpQueueIoCompletionPort(x,x,x,x)
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	dword ptr [edi+10h], 0
		jmp	loc_83142C
; 

loc_831762:				; CODE XREF: AlpcpCompleteDispatchMessage+105j
		lea	ecx, [ebx+88h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebx+8Ch]
		lea	eax, [ebx+8Ch]
		mov	[esp+40h+var_14], ecx
		cmp	ecx, eax
		jz	loc_831AF1
		cmp	dword ptr [esi+60h], 0
		lea	eax, [ecx-31Ch]
		mov	[esp+40h+var_30], eax
		jz	short loc_8317A5
		mov	ecx, esi
		call	_AlpcpCaptureMessageDataSafe@4 ; AlpcpCaptureMessageDataSafe(x)
		mov	dword ptr [esi+60h], 0

loc_8317A5:				; CODE XREF: AlpcpCompleteDispatchMessage+5F5j
		cmp	dword ptr [esi+4Ch], 0
		jnz	loc_831A81

loc_8317AF:				; CODE XREF: AlpcpCompleteDispatchMessage+8EAj
		test	dword ptr [esi+14h], 200h
		jz	loc_8319B7
		lea	ecx, [esi+38h]
		call	sub_8339C2
		mov	ecx, [esp+40h+var_30]
		test	[ecx+318h], eax
		jnz	loc_8319B7
		mov	eax, 0FFFFDFFFh
		and	[esi+84h], ax

loc_8317E0:				; CODE XREF: AlpcpCompleteDispatchMessage+830j
		inc	word ptr [esi-0Eh]
		mov	eax, [esp+40h+var_30]
		or	dword ptr [esi+14h], 2000h
		cmp	_AlpcpLogEnabled, 0
		mov	[eax+318h], esi
		jnz	loc_923A1F

loc_831802:				; CODE XREF: AlpcpCompleteDispatchMessage+F2886j
		mov	eax, [esp+40h+var_14]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_923A37
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_923A37
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	dword ptr [eax], 0
		and	dword ptr [esi+14h], 0FFFF7FFFh
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	loc_923A2B

loc_83183B:				; CODE XREF: AlpcpCompleteDispatchMessage+F2892j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	esi, [esp+40h+var_20]
		xor	edx, edx
		add	esi, 0FFFFFFFCh
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	loc_831A44

loc_83185D:				; CODE XREF: AlpcpCompleteDispatchMessage+8ABj
		mov	ecx, esi
		call	KeAbPostRelease
		or	eax, 0FFFFFFFFh
		lea	esi, [ebx+88h]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_831B12

loc_83187B:				; CODE XREF: AlpcpCompleteDispatchMessage+979j
		mov	ecx, esi
		call	KeAbPostRelease
		lea	esi, [ebx+0D0h]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	loc_8319EF

loc_83189C:				; CODE XREF: AlpcpCompleteDispatchMessage+856j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	ObfDereferenceObject
		cmp	[esp+40h+var_2C], 0
		mov	dword ptr [edi+10h], 0
		jnz	loc_8319A9
		cmp	[esp+40h+var_28], 0
		jnz	loc_8319A9
		push	2
		push	ecx
		mov	ecx, [esp+48h+var_30]
		mov	edx, 1
		push	1
		lea	ecx, [ecx+2B4h]
		call	KeReleaseSemaphoreEx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8318E7:				; CODE XREF: AlpcpCompleteDispatchMessage+14Cj
		mov	edx, esi
		mov	ecx, ebx
		call	AlpcpExposeViewAttributeInSenderContext
		jmp	loc_8312F2
; 

loc_8318F5:				; CODE XREF: AlpcpCompleteDispatchMessage+F7j
		cmp	dword ptr [esi+60h], 0
		jz	short loc_831909
		mov	ecx, esi
		call	_AlpcpCaptureMessageDataSafe@4 ; AlpcpCaptureMessageDataSafe(x)
		mov	dword ptr [esi+60h], 0

loc_831909:				; CODE XREF: AlpcpCompleteDispatchMessage+759j
		cmp	dword ptr [esi+4Ch], 0
		jnz	loc_831B2A

loc_831913:				; CODE XREF: AlpcpCompleteDispatchMessage+993j
		inc	word ptr [esi-0Eh]
		mov	edx, esi
		mov	ecx, ebx
		call	_AlpcpInsertMessageDirectQueue@8 ; AlpcpInsertMessageDirectQueue(x,x)
		mov	eax, [esi+54h]
		mov	[edi+14h], eax
		and	dword ptr [esi+14h], 0FFFF7FFFh
		mov	dword ptr [esi+54h], 0
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	loc_9239D7

loc_831941:				; CODE XREF: AlpcpCompleteDispatchMessage+F283Ej
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	esi, [esp+40h+var_20]
		xor	edx, edx
		add	esi, 0FFFFFFFCh
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	loc_831B1E

loc_831963:				; CODE XREF: AlpcpCompleteDispatchMessage+985j
		mov	ecx, esi
		call	KeAbPostRelease
		lea	esi, [ebx+0D0h]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	loc_831B38

loc_831984:				; CODE XREF: AlpcpCompleteDispatchMessage+99Fj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	ObfDereferenceObject
		cmp	[esp+40h+var_28], 0
		mov	dword ptr [edi+10h], 0
		jnz	loc_83142C
		jmp	loc_9239E3
; 

loc_8319A9:				; CODE XREF: AlpcpCompleteDispatchMessage+716j
					; AlpcpCompleteDispatchMessage+721j
		mov	eax, [esp+40h+var_30]
		mov	[edi+0Ch], eax
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8319B7:				; CODE XREF: AlpcpCompleteDispatchMessage+616j
					; AlpcpCompleteDispatchMessage+62Ej
		mov	eax, 2000h
		mov	edx, esi
		or	[esi+84h], ax
		mov	ecx, ebx
		inc	word ptr [esi-0Eh]
		call	_AlpcpInsertMessagePendingQueue@8 ; AlpcpInsertMessagePendingQueue(x,x)
		jmp	loc_8317E0
; 

loc_8319D5:				; CODE XREF: AlpcpCompleteDispatchMessage+A1j
		test	eax, eax
		jnz	loc_831247
		test	byte ptr ds:_AlpcpWakePolicyDefault, 1
		jnz	loc_831286
		jmp	loc_831247
; 

loc_8319EF:				; CODE XREF: AlpcpCompleteDispatchMessage+6F6j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_83189C
; 

loc_8319FB:				; CODE XREF: AlpcpCompleteDispatchMessage+270j
		mov	eax, [ebx+0D8h]
		lea	esi, [ebx+0D0h]
		mov	[esp+40h+var_C], eax
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_831A8F

loc_831A1B:				; CODE XREF: AlpcpCompleteDispatchMessage+8F6j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [esp+40h+var_C]
		test	ecx, ecx
		jz	loc_831616
		mov	eax, [edi+18h]
		push	eax
		mov	eax, [ebx+0DCh]
		push	eax
		push	ecx
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)
		jmp	loc_831616
; 

loc_831A44:				; CODE XREF: AlpcpCompleteDispatchMessage+6B7j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_83185D
; 

loc_831A50:				; CODE XREF: AlpcpCompleteDispatchMessage+253j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_8313F9
; 

loc_831A5C:				; CODE XREF: AlpcpCompleteDispatchMessage+43Ej
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_8315E4
; 

loc_831A68:				; CODE XREF: AlpcpCompleteDispatchMessage+231j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8313D7
; 

loc_831A74:				; CODE XREF: AlpcpCompleteDispatchMessage+1A7j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [ebx+5Ch]
		jmp	loc_83134D
; 

loc_831A81:				; CODE XREF: AlpcpCompleteDispatchMessage+609j
		mov	edx, esi
		mov	ecx, ebx
		call	AlpcpExposeViewAttributeInSenderContext
		jmp	loc_8317AF
; 

loc_831A8F:				; CODE XREF: AlpcpCompleteDispatchMessage+879j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_831A1B
; 

loc_831A98:				; CODE XREF: AlpcpCompleteDispatchMessage+503j
		mov	ecx, [edx+28h]
		mov	eax, [ecx+40h]
		mov	ecx, [ecx+44h]
		mov	eax, [ebx+18h]
		shr	ecx, 10h
		mov	eax, [eax+8]
		mov	[esp+40h+var_24], eax
		xor	eax, eax
		add	[esp+40h+var_24], ecx
		mov	ecx, [edx+4Ch]
		adc	eax, eax
		test	eax, eax
		jb	loc_8316A9
		ja	loc_923A7F
		cmp	[esp+40h+var_24], ecx
		jb	loc_8316A9
		jmp	loc_923A7F
; 

loc_831AD6:				; CODE XREF: AlpcpCompleteDispatchMessage+4Dj
		mov	[esp+40h+var_30], 2
		jmp	loc_831206
; 

loc_831AE3:				; CODE XREF: AlpcpCompleteDispatchMessage+AFj
		sub	eax, 1
		jnz	loc_83126B
		jmp	loc_92395C
; 

loc_831AF1:				; CODE XREF: AlpcpCompleteDispatchMessage+5E1j
		or	eax, 0FFFFFFFFh
		lea	ecx, [ebx+88h]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	loc_831B94

loc_831B08:				; CODE XREF: AlpcpCompleteDispatchMessage+9FFj
		call	KeAbPostRelease
		jmp	loc_8312AB
; 

loc_831B12:				; CODE XREF: AlpcpCompleteDispatchMessage+6D5j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_83187B
; 

loc_831B1E:				; CODE XREF: AlpcpCompleteDispatchMessage+7BDj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_831963
; 

loc_831B2A:				; CODE XREF: AlpcpCompleteDispatchMessage+76Dj
		mov	edx, esi
		mov	ecx, ebx
		call	AlpcpExposeViewAttributeInSenderContext
		jmp	loc_831913
; 

loc_831B38:				; CODE XREF: AlpcpCompleteDispatchMessage+7DEj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_831984
; 

loc_831B44:				; CODE XREF: AlpcpCompleteDispatchMessage+319j
		test	eax, 20000000h
		jnz	loc_8314BF
		jmp	loc_8312D4
; 

loc_831B54:				; CODE XREF: AlpcpCompleteDispatchMessage+510j
		movzx	edx, word ptr [esi+84h]
		lea	ecx, [esi+38h]
		call	sub_8339C2
		test	eax, eax
		jnz	loc_923A89
		and	edx, 0FFFFDFFFh
		mov	[esi+84h], dx
		jmp	loc_831352
; 

loc_831B7D:				; CODE XREF: AlpcpCompleteDispatchMessage+21Dj
		jnz	loc_923AD8
		mov	edx, 1
		mov	ecx, esi
		call	@AlpcpDestroyBlob@8 ; AlpcpDestroyBlob(x,x)
		jmp	loc_8313DE
; 

loc_831B94:				; CODE XREF: AlpcpCompleteDispatchMessage+962j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [ebx+88h]
		jmp	loc_831B08
AlpcpCompleteDispatchMessage endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall AlpcpSetOwnerPortMessage(x,	x, x)
_AlpcpSetOwnerPortMessage@12 proc near	; CODE XREF: AlpcpDispatchConnectionRequest+110p
					; AlpcpReplyLegacySynchronousRequest(x,x,x)+354p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		or	dword ptr [edi+14h], 1000h
		mov	[edi+0Ch], esi
		pop	edi
		pop	esi
		retn	4
_AlpcpSetOwnerPortMessage@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCaptureAttributes proc near	; CODE XREF: PAGE:0079A550p
					; AlpcpFormatConnectionRequest+51p ...

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_20		= byte ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00831F30 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A66D8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], ecx
		xor	eax, eax
		mov	edi, [ebp+arg_8]
		mov	[edi], eax
		mov	[edi+4], eax
		mov	[edi+8], eax
		mov	[edi+0Ch], eax
		mov	[edi+10h], eax
		mov	[edi+14h], eax
		mov	[edi+18h], eax
		mov	[edi+1Ch], eax
		mov	[edi+20h], eax
		mov	[edi+24h], eax
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx+38h]
		mov	[edi], eax
		mov	eax, [ecx+3Ch]
		mov	[edi+4], eax
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	loc_831E2E
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	loc_831F30
		mov	[ebp+var_4], 0
		mov	[ebp+var_20], 0
		mov	esi, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_923AE6
AlpcpCaptureAttributes endp

; START	OF FUNCTION CHUNK FOR AlpcpCompleteDispatchMessage

loc_831C74:				; CODE XREF: AlpcpCompleteDispatchMessage+F2948j
		nop
		mov	esi, [esi]
		mov	[ebp+var_24], 0
		mov	eax, 8
		mov	[ebp+var_24], eax
		test	esi, esi
		js	loc_831E48

loc_831C8E:				; CODE XREF: AlpcpCompleteDispatchMessage+CB0j
		test	esi, 40000000h
		jz	short loc_831C9C
		add	eax, 10h
		mov	[ebp+var_24], eax

loc_831C9C:				; CODE XREF: AlpcpCompleteDispatchMessage+AF4j
		test	esi, 20000000h
		jz	short loc_831CAA
		add	eax, 14h
		mov	[ebp+var_24], eax

loc_831CAA:				; CODE XREF: AlpcpCompleteDispatchMessage+B02j
		test	esi, 10000000h
		jz	short loc_831CB8
		add	eax, 10h
		mov	[ebp+var_24], eax

loc_831CB8:				; CODE XREF: AlpcpCompleteDispatchMessage+B10j
		test	esi, 8000000h
		jz	short loc_831CC6
		add	eax, 18h
		mov	[ebp+var_24], eax

loc_831CC6:				; CODE XREF: AlpcpCompleteDispatchMessage+B1Ej
		test	esi, 4000000h
		jz	short loc_831CD4
		add	eax, 4
		mov	[ebp+var_24], eax

loc_831CD4:				; CODE XREF: AlpcpCompleteDispatchMessage+B2Cj
		test	esi, 2000000h
		jz	short loc_831CE2
		add	eax, 8
		mov	[ebp+var_24], eax

loc_831CE2:				; CODE XREF: AlpcpCompleteDispatchMessage+B3Aj
		test	esi, 0A0000000h
		jz	loc_831EB6
		mov	byte ptr [ebp+var_20], 1
		test	eax, eax
		jz	loc_923AF5
		cmp	eax, 1000h
		jnb	loc_923AF5
		test	bl, 3
		jnz	loc_831F3E
		mov	ecx, ds:_MmUserProbeAddress
		cmp	ebx, ecx
		jnb	loc_923AED

loc_831D1C:				; CODE XREF: AlpcpCompleteDispatchMessage+F2950j
		mov	cl, [ebx]
		mov	[ebx], cl
		cmp	eax, 4
		jbe	short loc_831D31
		lea	ecx, [eax-1]
		and	ecx, 0FFFFFFFCh
		mov	al, [ecx+ebx]
		mov	[ecx+ebx], al

loc_831D31:				; CODE XREF: AlpcpCompleteDispatchMessage+B83j
					; AlpcpCompleteDispatchMessage+D38j ...
		mov	[ebp-34h], esi
		mov	ebx, [ebx+4]
		mov	[ebp+var_38], ebx
		mov	[ebp+var_4], 0FFFFFFFEh

loc_831D41:				; CODE XREF: AlpcpCaptureAttributes+365j
		mov	eax, esi
		not	eax
		test	eax, ebx
		jnz	loc_923B49
		xor	eax, eax
		mov	[ebp+arg_8], eax
		test	ebx, ebx
		js	loc_831E55

loc_831D5A:				; CODE XREF: AlpcpCompleteDispatchMessage+CD4j
		test	ebx, 40000000h
		jnz	loc_831E8C

loc_831D66:				; CODE XREF: AlpcpCompleteDispatchMessage+D0Ej
		test	ebx, 20000000h
		jz	short loc_831DA7
		mov	eax, esi
		and	eax, 0C0000000h
		mov	ecx, eax
		sar	ecx, 1Fh
		and	ecx, 0Ch
		add	ecx, 8
		test	eax, 40000000h
		jz	short loc_831D8A
		add	ecx, 10h

loc_831D8A:				; CODE XREF: AlpcpCompleteDispatchMessage+BE5j
		push	edi
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		lea	edx, [ecx+edx]
		mov	ecx, [ebp+var_28]
		call	AlpcpCaptureContextAttribute
		mov	[ebp+arg_8], eax
		test	eax, eax
		js	loc_831E7A

loc_831DA7:				; CODE XREF: AlpcpCompleteDispatchMessage+BCCj
		test	ebx, 10000000h
		jnz	loc_831F08

loc_831DB3:				; CODE XREF: AlpcpCompleteDispatchMessage+D85j
		test	ebx, 4000000h
		jnz	loc_831EDD

loc_831DBF:				; CODE XREF: AlpcpCompleteDispatchMessage+D5Dj
		test	ebx, 2000000h
		jz	loc_831E86
		mov	[ebp+arg_8], 0
		mov	[ebp+var_40], 0
		mov	[ebp+var_3C], 0
		mov	esi, large fs:124h
		lea	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_PsGetWorkOnBehalfThread@8 ; PsGetWorkOnBehalfThread(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_831E44
		push	esi
		call	_IoThreadToProcess@4 ; IoThreadToProcess(x)
		cmp	[eax+430h], ebx
		jnz	short loc_831E0E
		call	_PoEnergyEstimationEnabled@0 ; PoEnergyEstimationEnabled()
		test	al, al
		jz	short loc_831E18

loc_831E0E:				; CODE XREF: AlpcpCompleteDispatchMessage+C63j
		mov	ecx, esi

loc_831E10:				; CODE XREF: AlpcpCompleteDispatchMessage+CA6j
		lea	edx, [ebp+var_40]
		call	_PsEncodeThreadWorkOnBehalfTicket@8 ; PsEncodeThreadWorkOnBehalfTicket(x,x)

loc_831E18:				; CODE XREF: AlpcpCompleteDispatchMessage+C6Cj
		cmp	[ebp+arg_8], 0
		jnz	loc_923B53

loc_831E22:				; CODE XREF: AlpcpCompleteDispatchMessage+F29BAj
		mov	eax, [ebp+var_40]
		mov	[edi+20h], eax
		mov	eax, [ebp+var_3C]
		mov	[edi+24h], eax

loc_831E2E:				; CODE XREF: AlpcpCaptureAttributes+70j
		xor	eax, eax

loc_831E30:				; CODE XREF: AlpcpCompleteDispatchMessage+CE4j
					; AlpcpCompleteDispatchMessage+CE8j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_831E44:				; CODE XREF: AlpcpCompleteDispatchMessage+C55j
		mov	ecx, ebx
		jmp	short loc_831E10
; 

loc_831E48:				; CODE XREF: AlpcpCompleteDispatchMessage+AE8j
		mov	eax, 14h
		mov	[ebp+var_24], eax
		jmp	loc_831C8E
; 

loc_831E55:				; CODE XREF: AlpcpCompleteDispatchMessage+BB4j
		push	edi
		mov	edx, 80000000h
		mov	ecx, esi
		call	_AlpcpGetMessageAttributeOffset@8 ; AlpcpGetMessageAttributeOffset(x,x)
		add	eax, [ebp+arg_0]
		mov	edx, eax
		mov	ecx, [ebp+var_28]
		call	AlpcpCaptureSecurityAttribute
		mov	[ebp+arg_8], eax
		test	eax, eax
		jns	loc_831D5A

loc_831E7A:				; CODE XREF: AlpcpCompleteDispatchMessage+C01j
					; AlpcpCompleteDispatchMessage+CEAj ...
		mov	ecx, edi
		call	AlpcpReleaseAttributes
		mov	eax, [ebp+arg_8]
		jmp	short loc_831E30
; 

loc_831E86:				; CODE XREF: AlpcpCompleteDispatchMessage+C25j
		test	eax, eax
		jns	short loc_831E30
		jmp	short loc_831E7A
; 

loc_831E8C:				; CODE XREF: AlpcpCompleteDispatchMessage+BC0j
		push	edi
		push	[ebp+arg_4]
		mov	edx, 40000000h
		mov	ecx, esi
		call	_AlpcpGetMessageAttributeOffset@8 ; AlpcpGetMessageAttributeOffset(x,x)
		add	eax, [ebp+arg_0]
		mov	edx, eax
		mov	ecx, [ebp+var_28]
		call	AlpcpCaptureViewAttribute
		mov	[ebp+arg_8], eax
		test	eax, eax
		jns	loc_831D66
		jmp	short loc_831E7A
; 

loc_831EB6:				; CODE XREF: AlpcpCompleteDispatchMessage+B48j
		mov	edx, ebx
		mov	ecx, ebx
		and	ecx, 3
		cmp	eax, 10000h
		jnb	loc_923B03
		test	ecx, ecx
		jnz	short loc_831F3E
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	short loc_831F3A

loc_831ED5:				; CODE XREF: AlpcpCompleteDispatchMessage+D9Cj
		nop
		mov	al, [edx]
		jmp	loc_831D31
; 

loc_831EDD:				; CODE XREF: AlpcpCompleteDispatchMessage+C19j
		push	ebx
		push	[ebp+var_30]
		push	edi
		mov	edx, 4000000h
		mov	ecx, esi
		call	_AlpcpGetMessageAttributeOffset@8 ; AlpcpGetMessageAttributeOffset(x,x)
		add	eax, [ebp+arg_0]
		mov	ecx, eax
		call	AlpcpCaptureDirectAttribute
		mov	[ebp+arg_8], eax
		test	eax, eax
		jns	loc_831DBF
		jmp	loc_831E7A
; 

loc_831F08:				; CODE XREF: AlpcpCompleteDispatchMessage+C0Dj
		mov	edx, 10000000h
		mov	ecx, esi
		call	_AlpcpGetMessageAttributeOffset@8 ; AlpcpGetMessageAttributeOffset(x,x)
		add	eax, [ebp+arg_0]
		mov	edx, edi
		mov	ecx, eax
		call	AlpcpCaptureHandleAttribute
		mov	[ebp+arg_8], eax
		test	eax, eax
		jns	loc_831DB3
		jmp	loc_831E7A
; END OF FUNCTION CHUNK	FOR AlpcpCompleteDispatchMessage
; 
; START	OF FUNCTION CHUNK FOR AlpcpCaptureAttributes

loc_831F30:				; CODE XREF: AlpcpCaptureAttributes+84j
		mov	esi, [ebx]
		mov	ebx, [ebx+4]
		jmp	loc_831D41
; END OF FUNCTION CHUNK	FOR AlpcpCaptureAttributes
; 
; START	OF FUNCTION CHUNK FOR AlpcpCompleteDispatchMessage

loc_831F3A:				; CODE XREF: AlpcpCompleteDispatchMessage+D33j
		mov	edx, eax
		jmp	short loc_831ED5
; 

loc_831F3E:				; CODE XREF: AlpcpCompleteDispatchMessage+B68j
					; AlpcpCompleteDispatchMessage+D2Aj ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; END OF FUNCTION CHUNK	FOR AlpcpCompleteDispatchMessage
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpCaptureContextAttribute proc near	; CODE XREF: AlpcpCompleteDispatchMessage+BF7p

var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A66F8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_4], 0
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+90h]
		mov	[edx+0Ch], eax
		mov	eax, [esi+94h]
		mov	[edx+10h], eax
		mov	dword ptr [edx+8], 0
		mov	eax, [ecx+1Ch]
		mov	[edx], eax
		mov	edx, [edx+4]
		mov	[ebp+var_20], edx
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ecx+0F4h]
		and	al, 6
		cmp	al, 4
		mov	eax, [ebp+arg_4]
		jnz	short loc_831FE1
		mov	[eax], edx

loc_831FCB:				; CODE XREF: AlpcpCaptureContextAttribute+94j
		xor	eax, eax

loc_831FCD:				; CODE XREF: sub_923B6F+Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_831FE1:				; CODE XREF: AlpcpCaptureContextAttribute+77j
		mov	[eax+4], edx
		jmp	short loc_831FCB
AlpcpCaptureContextAttribute endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpLookupMessage proc	near		; CODE XREF: PAGE:0079A182p
					; NtAlpcQueryInformationMessage+A9p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00923B81 SIZE 00000162 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_18], ecx
		test	edi, edi
		js	loc_832192
		test	edi, 0FC000000h
		jnz	loc_923BB8
		mov	edx, ds:_AlpcMessageTable

loc_83201A:				; CODE XREF: AlpcpLookupMessage+F1BDEj
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	loc_832218
		mov	eax, large fs:124h
		mov	esi, edi
		and	esi, 3FFFFFFh
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_20], al
		test	esi, 7FCh
		jz	loc_83220B
		push	esi
		mov	ecx, edx
		call	ExpLookupHandleTableEntry
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	loc_83220B
		lea	ecx, [ecx+0]

loc_832060:				; CODE XREF: AlpcpLookupMessage+86j
					; AlpcpLookupMessage+F1BF7j
		mov	ebx, [edx]
		test	bl, 1
		jz	loc_923BD3
		lea	ecx, [ebx-1]
		mov	eax, ebx
		lock cmpxchg [edx], ecx
		cmp	eax, ebx
		jnz	short loc_832060
		mov	esi, [edx]
		and	esi, 0FFFFFFF8h
		cmp	[esi+90h], edi
		jnz	loc_923BEC
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	short loc_83209C
		cmp	[esi+94h], ebx
		jnz	loc_832222

loc_83209C:				; CODE XREF: AlpcpLookupMessage+9Ej
		mov	eax, [esi-0Ch]
		test	eax, eax
		jle	loc_923C35

loc_8320A7:				; CODE XREF: AlpcpLookupMessage+F1C3Aj
		mov	edx, eax
		lea	ecx, [eax+1]
		lea	ebx, [esi-0Ch]
		lock cmpxchg [ebx], ecx
		mov	ebx, [ebp+arg_0]
		cmp	eax, edx
		jnz	loc_923C28
		add	eax, 1
		jz	loc_923CB0
		lea	ecx, [esi-4]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [esi-10h], 1
		lea	ecx, [esi-0Ch]
		mov	eax, 10000h
		lock xadd [ecx], eax
		add	eax, 10000h
		test	eax, eax
		jle	loc_923C44
		dec	word ptr [esi-0Eh]
		mov	eax, 1
		mov	ecx, [ebp+var_8]
		lock xadd [ecx], eax
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_14]
		add	ecx, 20h
		mov	[ebp+var_14], 0
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], edx
		jnz	loc_923C51

loc_83211B:				; CODE XREF: AlpcpLookupMessage+F1C68j
		cmp	[esi+90h], edi
		jnz	loc_923C5D
		test	ebx, ebx
		jz	short loc_832137
		cmp	[esi+94h], ebx
		jnz	loc_923C5D

loc_832137:				; CODE XREF: AlpcpLookupMessage+139j
		cmp	dword ptr [esi+0Ch], 0
		jz	short loc_832165

loc_83213D:				; CODE XREF: AlpcpLookupMessage+179j
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jz	short loc_832170
		mov	eax, [esi+64h]
		cmp	eax, [ecx+8]
		jz	short loc_832155
		cmp	[esi+68h], ecx
		jnz	loc_923C8F

loc_832155:				; CODE XREF: AlpcpLookupMessage+15Aj
					; AlpcpLookupMessage+19Bj ...
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		xor	eax, eax

loc_83215C:				; CODE XREF: AlpcpLookupMessage+22Dj
					; AlpcpLookupMessage+F1BB9j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_832165:				; CODE XREF: AlpcpLookupMessage+14Bj
		cmp	dword ptr [esi+8], 0
		jnz	short loc_83213D
		jmp	loc_923C68
; 

loc_832170:				; CODE XREF: AlpcpLookupMessage+152j
		mov	eax, [esi+8]
		test	eax, eax
		jz	loc_923C84
		mov	ecx, large fs:124h
		mov	eax, [eax+0Ch]
		cmp	eax, [ecx+80h]
		jz	short loc_832155
		jmp	loc_923C84
; 

loc_832192:				; CODE XREF: AlpcpLookupMessage+12j
		test	ecx, ecx
		jz	loc_832218
		mov	ecx, [ecx+8]
		test	ecx, ecx
		jz	loc_923BAE
		and	edi, 7FFFFFFFh
		add	ecx, 14h
		push	offset _AlpcReserveType
		mov	edx, edi
		call	AlpcReferenceBlobByHandle
		mov	edi, eax
		test	edi, edi
		jz	loc_923BAE
		mov	esi, [edi+0Ch]
		mov	ecx, esi
		call	AlpcpLockForCachedReferenceBlob
		mov	edx, 1
		lea	ecx, [edi+14h]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	loc_923B81
		and	dword ptr [esi+90h], 7FFFFFFFh
		mov	edi, edi

loc_8321F0:				; CODE XREF: AlpcpLookupMessage+20Ej
		mov	eax, 1
		lock xadd ds:_AlpcpNextCallbackId, eax
		inc	eax
		jz	short loc_8321F0
		mov	[esi+94h], eax
		jmp	loc_832155
; 

loc_83220B:				; CODE XREF: AlpcpLookupMessage+52j
					; AlpcpLookupMessage+67j ...
		push	[ebp+var_20]
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	ExHandleLogBadReference

loc_832218:				; CODE XREF: AlpcpLookupMessage+2Fj
					; AlpcpLookupMessage+1A4j ...
		mov	eax, 0C0000702h
		jmp	loc_83215C
; 

loc_832222:				; CODE XREF: AlpcpLookupMessage+A6j
		mov	eax, 1
		lock xadd [edx], eax
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_10]
		add	ecx, 20h
		mov	[ebp+var_10], 0
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	short loc_832218
		jmp	loc_923C1C
AlpcpLookupMessage endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspChargeProcessWakeCounter(x, x, x, x, x, x, x)
_PspChargeProcessWakeCounter@28	proc near ; CODE XREF: PsReleaseProcessWakeCounter(x,x)+2Ep
					; PsChargeProcessWakeCounter(x,x,x,x)+23p ...

var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= byte ptr -20h
var_1F		= byte ptr -1Fh
var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		mov	eax, edx
		mov	[esp+2Ch+var_10], 1
		mov	[esp+2Ch+var_18], eax
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[esp+30h+var_1F], 0
		and	eax, 2
		mov	[esp+30h+var_20], 0
		mov	[esp+30h+var_1C], eax
		mov	eax, [ebp+arg_0]
		setnz	bh
		mov	[esp+30h+var_14], eax
		mov	eax, large fs:124h
		mov	[esp+30h+var_1D], 0
		mov	[esp+30h+var_1E], 0
		mov	[esp+30h+var_4], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+0E0h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+158h]
		mov	bl, bh
		mov	[esp+30h+var_C], eax
		mov	[esp+30h+var_21], bl
		test	eax, eax
		jz	loc_832384
		mov	ecx, [eax+310h]
		mov	[esp+30h+var_21], bl
		test	ecx, 1000h
		jz	loc_832384
		cmp	[ebp+arg_C], 0
		mov	eax, large fs:124h
		mov	edx, [esp+30h+var_1C]
		mov	eax, [eax+80h]
		mov	[esp+30h+var_8], eax
		jz	short loc_832340
		test	edx, edx
		jz	short loc_832315
		test	ecx, 800000h
		jz	short loc_832315
		mov	[esp+30h+var_21], bh
		cmp	[ebp+arg_8], edi
		jg	loc_83242F

loc_832315:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+AEj
					; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+B6j
		mov	ecx, [esp+30h+var_18]
		test	cl, 1
		jz	short loc_832344
		push	[ebp+arg_0]
		mov	edx, [esp+34h+var_C]
		mov	ecx, eax
		mov	[esp+34h+var_21], bh
		call	_PspCheckConditionalWakeCharge@12 ; PspCheckConditionalWakeCharge(x,x,x)
		test	al, al
		jz	loc_83242F
		mov	eax, [esp+30h+var_8]
		mov	edx, [esp+30h+var_1C]

loc_832340:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+AAj
		mov	ecx, [esp+30h+var_18]

loc_832344:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+CCj
		test	byte ptr [eax+0F8h], 40h
		jnz	short loc_832376
		test	edx, edx
		jz	short loc_832376
		mov	eax, ecx
		mov	[esp+30h+var_14], 7
		sar	eax, 1Fh
		mov	bl, bh
		and	eax, 2
		mov	[esp+30h+var_21], bl
		add	eax, 5
		mov	[esp+30h+var_10], eax
		mov	al, 1
		mov	[esp+30h+var_1F], al
		jmp	short loc_832388
; 

loc_832376:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+FBj
					; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+FFj
		xor	bl, bl
		mov	al, 1
		mov	[esp+30h+var_21], bl
		mov	[esp+30h+var_1F], al
		jmp	short loc_832388
; 

loc_832384:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+76j
					; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+8Cj
		mov	al, [esp+30h+var_1F]

loc_832388:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+124j
					; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+132j
		cmp	[ebp+arg_C], 0
		jz	short loc_8323A4
		test	al, al
		jnz	short loc_8323A4
		mov	eax, [esi+460h]
		or	eax, [esi+464h]
		jz	loc_83242F

loc_8323A4:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+13Cj
					; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+140j
		test	bl, bl
		jnz	short loc_8323B6
		mov	ecx, [ebp+arg_0]
		add	ecx, 11Ah
		lea	ecx, [esi+ecx*4]
		jmp	short loc_8323C4
; 

loc_8323B6:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+156j
		lea	ecx, [esi+48Ch]
		mov	[esp+30h+var_14], 7

loc_8323C4:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+164j
		mov	edx, [ebp+arg_8]
		mov	eax, edx
		lock xadd [ecx], eax
		lea	edi, [eax+edx]
		mov	edx, edi
		test	edi, edi
		jns	short loc_8323DC
		and	edi, 7FFFFFFFh

loc_8323DC:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+184j
		shr	edx, 1Fh
		mov	[esp+30h+var_1D], 1
		mov	bh, dl
		test	bl, bl
		jnz	short loc_832433
		mov	eax, [esi+460h]
		or	eax, [esi+464h]
		jz	short loc_832433
		mov	ecx, [ebp+arg_0]
		mov	eax, 1
		shl	eax, cl
		cmp	[ebp+arg_8], 0
		jle	short loc_832423
		test	[esi+484h], eax
		jz	short loc_83241A
		cmp	edi, 1

loc_832413:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+1DDj
		mov	[esp+30h+var_20], 1
		jz	short loc_83241F

loc_83241A:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+1BEj
					; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+1D9j
		mov	[esp+30h+var_20], 0

loc_83241F:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+1C8j
		mov	bh, dl
		jmp	short loc_832433
; 

loc_832423:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+1B6j
		test	[esi+488h], eax
		jz	short loc_83241A
		test	edi, edi
		jmp	short loc_832413
; 

loc_83242F:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+BFj
					; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+E2j ...
		mov	bh, [esp+30h+var_1E]

loc_832433:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+198j
					; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+1A6j ...
		xor	edx, edx
		lea	ecx, [esi+0E0h]
		mov	eax, 11h
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_832454
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	ecx, [esi+0E0h]

loc_832454:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+1F7j
		call	KeAbPostRelease
		mov	ecx, [esp+30h+var_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		cmp	[esp+30h+var_20], 0
		jz	short loc_83249C
		push	0
		push	0
		push	0
		push	0
		push	0
		push	0
		lea	eax, [esi+460h]
		push	eax
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		test	ds:dword_70EFD0, 400h
		jz	short loc_83249C
		cmp	edi, 1
		jnz	short loc_83249C
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_EtwTraceWakeEvent@8 ; EtwTraceWakeEvent(x,x)

loc_83249C:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+217j
					; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+23Bj ...
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_8324A5
		mov	[eax], edi

loc_8324A5:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+251j
		mov	ecx, [ebp+arg_4]
		test	bh, bh
		jnz	short loc_8324BD
		cmp	[esp+30h+var_1F], 0
		jnz	short loc_8324BD
		mov	eax, [ebp+arg_8]
		cdq
		mov	edi, eax
		mov	ebx, edx
		jmp	short loc_8324DE
; 

loc_8324BD:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+25Aj
					; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+261j
		mov	eax, [ebp+arg_8]
		push	ecx
		mov	ecx, [esp+34h+var_C]
		push	esi
		push	[esp+38h+var_10]
		cdq
		mov	ebx, edx
		mov	edi, eax
		push	ebx
		push	edi
		push	[ebp+arg_0]
		xor	edx, edx
		call	PspChargeJobWakeCounter
		mov	ecx, [ebp+arg_4]

loc_8324DE:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+26Bj
		cmp	[esp+30h+var_1D], 0
		jz	short loc_832538
		test	ds:dword_70EFD0, 2000h
		jz	short loc_832506
		cmp	[esp+30h+var_21], 0
		jnz	short loc_832506
		mov	edx, [ebp+arg_0]
		push	ecx
		push	esi
		push	ebx
		push	edi
		mov	ecx, esi
		call	_EtwTraceWakeCounter@24	; EtwTraceWakeCounter(x,x,x,x,x,x)

loc_832506:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+29Fj
					; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+2A6j
		cmp	[ebp+arg_C], 0
		jz	short loc_832538
		cmp	[ebp+arg_8], 0
		jle	short loc_83252D
		mov	edx, 6B577350h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	eax, [esp+30h+var_14]
		or	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_83252D:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+2C0j
		push	6B577350h
		push	esi
		call	ObDereferenceObjectDeferDeleteWithTag

loc_832538:				; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+293j
					; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+2BAj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_PspChargeProcessWakeCounter@28	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpCaptureMessageDataSafe(x)
_AlpcpCaptureMessageDataSafe@4 proc near ; CODE	XREF: PAGE:008302A0p
					; AlpcpCompleteDispatchMessage+13Cp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6718
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, ecx
		mov	[ebp+var_28], esi
		mov	[ebp+var_4], 0
		mov	ebx, [esi+60h]
		movzx	edi, word ptr [esi+80h]
		call	_AlpcpAvailableBufferSize@4 ; AlpcpAvailableBufferSize(x)
		mov	ecx, eax
		mov	[ebp+var_1C], ecx
		cmp	edi, ecx
		ja	short loc_8325F6
		test	ebx, ebx
		jz	short loc_8325BE
		push	edi		; size_t
		push	ebx		; void *
		lea	eax, [esi+98h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_8325BE:				; CODE XREF: AlpcpCaptureMessageDataSafe(x)+5Bj
		mov	eax, [esi+78h]
		test	eax, eax
		jz	loc_832727
		push	42456C41h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [esi+78h], 0
		mov	ecx, [esi+1Ch]
		test	ecx, ecx
		jz	short loc_8325EA
		mov	edx, [esi+7Ch]
		call	_AlpcpReleasePagedPoolQuota@8 ;	AlpcpReleasePagedPoolQuota(x,x)

loc_8325EA:				; CODE XREF: AlpcpCaptureMessageDataSafe(x)+90j
		mov	dword ptr [esi+7Ch], 0
		jmp	loc_832727
; 

loc_8325F6:				; CODE XREF: AlpcpCaptureMessageDataSafe(x)+57j
		cmp	edi, 0FFD7h
		ja	loc_832727
		mov	eax, [esi+7Ch]
		mov	[ebp+var_20], eax
		add	eax, ecx
		cmp	edi, eax
		jbe	loc_8326A6
		mov	eax, [esi+78h]
		test	eax, eax
		jz	short loc_83262E
		push	42456C41h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [esi+7Ch], 0
		mov	ecx, [ebp+var_1C]

loc_83262E:				; CODE XREF: AlpcpCaptureMessageDataSafe(x)+C7j
		mov	eax, edi
		sub	eax, ecx
		mov	[ebp+var_24], eax
		push	42456C41h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+78h], eax
		mov	ecx, [esi+1Ch]
		test	eax, eax
		jnz	short loc_832661
		test	ecx, ecx
		jz	loc_832727
		mov	edx, [ebp+var_20]
		call	_AlpcpReleasePagedPoolQuota@8 ;	AlpcpReleasePagedPoolQuota(x,x)
		jmp	loc_832727
; 

loc_832661:				; CODE XREF: AlpcpCaptureMessageDataSafe(x)+FAj
		mov	edx, [ebp+var_24]
		mov	[esi+7Ch], edx
		test	ecx, ecx
		jz	short loc_8326A3
		sub	edx, [ebp+var_20]
		call	_AlpcpChargePagedPoolQuota@8 ; AlpcpChargePagedPoolQuota(x,x)
		test	eax, eax
		jns	short loc_8326A3
		push	42456C41h
		mov	eax, [esi+78h]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [esi+78h], 0
		mov	dword ptr [esi+7Ch], 0
		mov	edx, [ebp+var_20]
		mov	ecx, [esi+1Ch]
		call	_AlpcpReleasePagedPoolQuota@8 ;	AlpcpReleasePagedPoolQuota(x,x)
		jmp	loc_832727
; 

loc_8326A3:				; CODE XREF: AlpcpCaptureMessageDataSafe(x)+119j
					; AlpcpCaptureMessageDataSafe(x)+125j
		mov	ecx, [ebp+var_1C]

loc_8326A6:				; CODE XREF: AlpcpCaptureMessageDataSafe(x)+BCj
		test	ebx, ebx
		jz	short loc_832727
		push	ecx		; size_t
		push	ebx		; void *
		lea	eax, [esi+98h]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_1C]
		sub	edi, eax
		push	edi		; size_t
		add	eax, ebx
		push	eax		; int
		mov	eax, [esi+78h]
		push	eax		; void *
		call	_memcpy
		jmp	short loc_832724
; 

loc_8326CC:				; DATA XREF: .text:006A672Co
		mov	eax, 1
		retn
; 

loc_8326D2:				; DATA XREF: .text:006A6730o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-28h]
		mov	ecx, esi
		call	_AlpcpAvailableBufferSize@4 ; AlpcpAvailableBufferSize(x)
		mov	edi, eax
		movzx	eax, word ptr [esi+80h]
		cmp	eax, edi
		ja	short loc_832700
		push	eax
		push	0
		lea	eax, [esi+98h]
		push	eax
		call	_memset
		add	esp, 0Ch
		jmp	short loc_832727
; 

loc_832700:				; CODE XREF: AlpcpCaptureMessageDataSafe(x)+19Aj
		push	edi
		push	0
		lea	eax, [esi+98h]
		push	eax
		call	_memset
		movzx	eax, word ptr [esi+80h]
		sub	eax, edi
		push	eax
		push	0
		mov	eax, [esi+78h]
		push	eax
		call	_memset

loc_832724:				; CODE XREF: AlpcpCaptureMessageDataSafe(x)+17Aj
		add	esp, 18h

loc_832727:				; CODE XREF: AlpcpCaptureMessageDataSafe(x)+73j
					; AlpcpCaptureMessageDataSafe(x)+A1j ...
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_AlpcpCaptureMessageDataSafe@4 endp

; 

AlpcpReceiveMessage:			; CODE XREF: NtAlpcSendWaitReceivePort+C7p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6738
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 68h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	[ebp-50h], edx
		mov	[ebp-3Ch], ecx
		mov	dword ptr [ebp-30h], 0
		mov	dword ptr [ebp-28h], 0
		mov	dword ptr [ebp-2Ch], 0
		mov	eax, large fs:124h
		mov	[ebp-40h], eax
		mov	esi, [ecx+18h]
		mov	eax, [ecx]
		mov	[ebp-44h], eax
		mov	[ebp-5Ch], eax
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-19h], al
		mov	dword ptr [ebp-64h], 0
		mov	dword ptr [ebp-60h], 0
		mov	dword ptr [ebp-2Ch], 0FFFFFFFFh
		mov	dword ptr [ebp-38h], 0
		mov	dword ptr [ebp-34h], 0
		test	al, al
		jz	loc_832AC0
		mov	dword ptr [ebp-4], 0
		mov	ecx, [ebp+10h]
		test	ecx, ecx
		jnz	loc_832B61

loc_8327F0:				; CODE XREF: PAGE:00832B7Cj
		test	dl, 3
		jnz	loc_832BB0
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_923CE3

loc_832806:				; CODE XREF: PAGE:00923CE6j
		mov	al, [edx]
		mov	[edx], al
		mov	al, [edx+14h]
		mov	[edx+14h], al
		and	esi, 1000000h
		jnz	loc_832AAF

loc_83281C:				; CODE XREF: PAGE:00832ABBj
		mov	edx, [ebp+0Ch]
		test	edx, edx
		jz	loc_923D13
		mov	byte ptr [ebp-20h], 1
		mov	ebx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	loc_923CEB

loc_83283A:				; CODE XREF: PAGE:00923CEDj
		nop
		mov	ebx, [ebx]
		mov	dword ptr [ebp-24h], 0
		mov	eax, 8
		mov	[ebp-24h], eax
		test	ebx, ebx
		jns	short loc_832858
		mov	eax, 14h
		mov	[ebp-24h], eax

loc_832858:				; CODE XREF: PAGE:0083284Ej
		test	ebx, 40000000h
		jz	short loc_832866
		add	eax, 10h
		mov	[ebp-24h], eax

loc_832866:				; CODE XREF: PAGE:0083285Ej
		test	ebx, 20000000h
		jz	short loc_832874
		add	eax, 14h
		mov	[ebp-24h], eax

loc_832874:				; CODE XREF: PAGE:0083286Cj
		test	ebx, 10000000h
		jz	short loc_832882
		add	eax, 10h
		mov	[ebp-24h], eax

loc_832882:				; CODE XREF: PAGE:0083287Aj
		test	ebx, 8000000h
		jz	short loc_832890
		add	eax, 18h
		mov	[ebp-24h], eax

loc_832890:				; CODE XREF: PAGE:00832888j
		test	ebx, 4000000h
		jnz	loc_923CF2

loc_83289C:				; CODE XREF: PAGE:00923CF8j
		test	ebx, 2000000h
		jz	short loc_8328AA
		add	eax, 8
		mov	[ebp-24h], eax

loc_8328AA:				; CODE XREF: PAGE:008328A2j
		cmp	eax, 1000h
		jnb	loc_923D05
		test	dl, 3
		jnz	loc_832BB0
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		jnb	loc_923CFD

loc_8328CC:				; CODE XREF: PAGE:00923D00j
		mov	cl, [edx]
		mov	[edx], cl
		cmp	eax, 4
		jbe	short loc_8328E1
		lea	ecx, [eax-1]
		and	ecx, 0FFFFFFFCh
		mov	al, [ecx+edx]
		mov	[ecx+edx], al

loc_8328E1:				; CODE XREF: PAGE:008328D3j
					; PAGE:00923D0Ej ...
		mov	[ebp-28h], ebx
		mov	edi, [ebp+8]
		test	edi, edi
		jz	short loc_832916
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_923D1A

loc_8328FA:				; CODE XREF: PAGE:00923D1Cj
		nop
		mov	eax, [ecx]
		mov	[ebp-2Ch], eax
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_923D21

loc_83290F:				; CODE XREF: PAGE:00923D23j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ebx, [ebp-28h]

loc_832916:				; CODE XREF: PAGE:008328E9j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-3Ch]

loc_832920:				; CODE XREF: PAGE:00832AF2j
		mov	dl, [ebp-19h]

loc_832923:				; CODE XREF: PAGE:00832AFAj
		push	ebx
		lea	eax, [ebp-30h]
		push	eax
		test	esi, esi
		jnz	loc_832A9F
		push	dword ptr [ebp+10h]
		call	@AlpcpReceiveMessagePort@20 ; AlpcpReceiveMessagePort(x,x,x,x,x)

loc_832938:				; CODE XREF: PAGE:00832AAAj
		mov	[ebp-3Ch], eax
		test	eax, eax
		jnz	loc_832A6B
		mov	dword ptr [ebp-4], 1
		mov	esi, [ebp-30h]
		mov	ax, [esi+80h]
		add	ax, 18h
		movzx	eax, ax
		mov	[ebp-4Ch], eax
		test	edi, edi
		jz	short loc_83296B
		cmp	eax, [ebp-2Ch]
		ja	loc_832AFF

loc_83296B:				; CODE XREF: PAGE:00832960j
		mov	eax, [ebp-40h]
		mov	[esi+6Ch], eax
		mov	eax, [esi+80h]
		mov	ecx, [ebp-50h]
		mov	[ecx], eax
		mov	eax, [esi+84h]
		mov	[ecx+4], eax
		mov	eax, [esi+88h]
		mov	[ecx+8], eax
		mov	eax, [esi+8Ch]
		mov	[ecx+0Ch], eax
		mov	eax, [esi+90h]
		mov	[ecx+10h], eax
		mov	eax, [esi+94h]
		mov	[ecx+14h], eax
		mov	edi, [ebp-44h]
		test	dword ptr [edi+98h], 1000h
		jnz	loc_923D4A

loc_8329BC:				; CODE XREF: PAGE:00923D53j
		lea	edx, [ecx+18h]
		mov	ecx, esi
		cmp	dword ptr [esi+60h], 0
		jz	loc_832A7F
		call	AlpcpGetDataFromUserVaSafe

loc_8329D0:				; CODE XREF: PAGE:00832A84j
		mov	eax, [ebp+0Ch]
		test	eax, eax
		jz	short loc_8329E1
		push	eax
		push	ebx
		push	esi
		mov	ecx, edi
		call	AlpcpExposeAttributes

loc_8329E1:				; CODE XREF: PAGE:008329D5j
					; PAGE:00832B24j ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-3Ch]

loc_8329EB:				; CODE XREF: PAGE:00923D7Ej
		cmp	ebx, 0C0000023h
		jz	short loc_8329FC
		cmp	[esi+24h], edi
		jz	loc_832B81

loc_8329FC:				; CODE XREF: PAGE:008329F1j
					; PAGE:00832B8Fj
		test	ebx, ebx
		js	loc_832B44

loc_832A04:				; CODE XREF: PAGE:00832B4Aj
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	loc_923D9D

loc_832A11:				; CODE XREF: PAGE:00923DA4j
		xor	ecx, ecx
		lea	edi, [esi-18h]
		mov	dl, [edi+8]
		test	dl, 1
		jz	short loc_832A35
		movsx	eax, word ptr [edi+0Ah]
		mov	ecx, 10000h
		sub	ecx, eax
		and	dl, 0FEh
		mov	[edi+8], dl
		xor	eax, eax
		mov	[edi+0Ah], ax

loc_832A35:				; CODE XREF: PAGE:00832A1Cj
		test	ecx, ecx
		jle	short loc_832A4A
		neg	ecx
		mov	edx, ecx
		lea	eax, [edi+0Ch]
		lock xadd [eax], edx
		add	edx, ecx
		test	edx, edx
		jle	short loc_832A89

loc_832A4A:				; CODE XREF: PAGE:00832A37j
					; PAGE:00832A9Dj
		test	esi, esi
		jz	short loc_832A69
		add	edi, 14h
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_832B55

loc_832A62:				; CODE XREF: PAGE:00832B5Cj
		mov	ecx, edi
		call	KeAbPostRelease

loc_832A69:				; CODE XREF: PAGE:00832A4Cj
					; PAGE:00923D98j
		mov	eax, ebx

loc_832A6B:				; CODE XREF: PAGE:0083293Dj
					; PAGE:00923D45j
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_832A7F:				; CODE XREF: PAGE:008329C5j
		call	@AlpcpReadMessageData@8	; AlpcpReadMessageData(x,x)
		jmp	loc_8329D0
; 

loc_832A89:				; CODE XREF: PAGE:00832A48j
		jnz	loc_923DA9
		mov	edx, 1
		mov	ecx, esi
		call	@AlpcpDestroyBlob@8 ; AlpcpDestroyBlob(x,x)
		xor	esi, esi
		jmp	short loc_832A4A
; 

loc_832A9F:				; CODE XREF: PAGE:0083292Aj
		push	dword ptr [ebp-34h]
		mov	edx, [ebp-38h]
		call	@AlpcpReceiveDirectMessagePort@20 ; AlpcpReceiveDirectMessagePort(x,x,x,x,x)
		jmp	loc_832938
; 

loc_832AAF:				; CODE XREF: PAGE:00832816j
		mov	eax, [edx+10h]
		mov	[ebp-38h], eax
		mov	eax, [edx+14h]
		mov	[ebp-34h], eax
		jmp	loc_83281C
; 

loc_832AC0:				; CODE XREF: PAGE:008327D8j
		and	esi, 1000000h
		jnz	loc_832B94

loc_832ACC:				; CODE XREF: PAGE:00832BA0j
		mov	edx, [ebp+0Ch]
		test	edx, edx
		jz	loc_832BA5
		mov	ebx, [edx]

loc_832AD9:				; CODE XREF: PAGE:00832BA7j
		mov	[ebp-28h], ebx
		mov	edi, [ebp+8]
		test	edi, edi
		jz	short loc_832AE8
		mov	eax, [edi]
		mov	[ebp-2Ch], eax

loc_832AE8:				; CODE XREF: PAGE:00832AE1j
		mov	eax, [ebp-40h]
		test	dword ptr [eax+58h], 400h
		jz	loc_832920
		mov	dl, 1
		jmp	loc_832923
; 

loc_832AFF:				; CODE XREF: PAGE:00832965j
		xor	eax, eax
		lea	edi, [ebp-78h]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp-78h]
		push	eax
		mov	edx, esi
		mov	edi, [ebp-44h]
		mov	ecx, edi
		call	_AlpcpReturnMessageOnInsufficientBuffer@12 ; AlpcpReturnMessageOnInsufficientBuffer(x,x,x)
		mov	[ebp-3Ch], eax
		mov	[ebp-58h], eax
		cmp	eax, 0C0000023h
		jnz	loc_8329E1
		mov	eax, [ebp+8]
		mov	ecx, [ebp-4Ch]
		mov	[eax], ecx
		mov	eax, [ebp+0Ch]
		push	eax
		push	ebx
		lea	edx, [ebp-78h]
		call	_AlpcpExposeCapturedContextAttribute@16	; AlpcpExposeCapturedContextAttribute(x,x,x,x)
		jmp	loc_8329E1
; 

loc_832B44:				; CODE XREF: PAGE:008329FEj
		cmp	ebx, 0C0000023h
		jz	loc_832A04
		jmp	loc_923D83
; 

loc_832B55:				; CODE XREF: PAGE:00832A5Cj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_832A62
; 

loc_832B61:				; CODE XREF: PAGE:008327EAj
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_832BAC

loc_832B6A:				; CODE XREF: PAGE:00832BAEj
		nop
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[ebp-64h], eax
		mov	[ebp-60h], ecx
		lea	eax, [ebp-64h]
		mov	[ebp+10h], eax
		jmp	loc_8327F0
; 

loc_832B81:				; CODE XREF: PAGE:008329F6j
		mov	dword ptr [esi+24h], 0
		mov	dword ptr [esi+20h], 0
		jmp	loc_8329FC
; 

loc_832B94:				; CODE XREF: PAGE:00832AC6j
		mov	eax, [edx+10h]
		mov	[ebp-38h], eax
		mov	eax, [edx+14h]
		mov	[ebp-34h], eax
		jmp	loc_832ACC
; 

loc_832BA5:				; CODE XREF: PAGE:00832AD1j
		xor	ebx, ebx
		jmp	loc_832AD9
; 

loc_832BAC:				; CODE XREF: PAGE:00832B68j
		mov	ecx, eax
		jmp	short loc_832B6A
; 

loc_832BB0:				; CODE XREF: PAGE:008327F3j
					; PAGE:008328B8j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcMessageCleanupProcedure proc near	; CODE XREF: PAGE:0082FD10p
					; DATA XREF: .text:00403C44o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00923DB7 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		or	dword ptr [esi+90h], 80000000h
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_832BEF
		test	dword ptr [esi+14h], 1000h
		jz	short loc_832BE8
		call	ObfDereferenceObject

loc_832BE8:				; CODE XREF: AlpcMessageCleanupProcedure+21j
		mov	dword ptr [esi+0Ch], 0

loc_832BEF:				; CODE XREF: AlpcMessageCleanupProcedure+18j
		mov	ecx, [esi+48h]
		test	ecx, ecx
		jnz	short loc_832C2E

loc_832BF6:				; CODE XREF: AlpcMessageCleanupProcedure+7Fj
		mov	ecx, [esi+4Ch]
		test	ecx, ecx
		jnz	short loc_832C69

loc_832BFD:				; CODE XREF: AlpcMessageCleanupProcedure+B5j
		mov	ecx, [esi+50h]
		test	ecx, ecx
		jnz	loc_923DB7

loc_832C08:				; CODE XREF: AlpcMessageCleanupProcedure+F1208j
		mov	ecx, [esi+54h]
		test	cl, 1
		jnz	short loc_832C8D

loc_832C10:				; CODE XREF: AlpcMessageCleanupProcedure+E6j
		mov	ecx, [esi+70h]
		test	ecx, ecx
		jnz	short loc_832C77

loc_832C17:				; CODE XREF: AlpcMessageCleanupProcedure+CBj
		mov	ecx, [esi+74h]
		test	ecx, ecx
		jnz	loc_923DCD

loc_832C22:				; CODE XREF: AlpcMessageCleanupProcedure+F1221j
		mov	eax, [esi+34h]
		test	eax, eax
		jnz	short loc_832C41

loc_832C29:				; CODE XREF: AlpcMessageCleanupProcedure+A7j
		pop	esi
		pop	ebp
		retn	4
; 

loc_832C2E:				; CODE XREF: AlpcMessageCleanupProcedure+34j
		mov	edx, 1
		call	AlpcpDereferenceBlobEx
		mov	dword ptr [esi+48h], 0
		jmp	short loc_832BF6
; 

loc_832C41:				; CODE XREF: AlpcMessageCleanupProcedure+67j
		xor	ecx, ecx
		mov	dword ptr [esi+80h], 180000h
		mov	dword ptr [esi+64h], 0
		add	eax, 14h
		mov	dword ptr [esi+68h], 0
		mov	dword ptr [esi+14h], 0
		xchg	ecx, [eax]
		jmp	short loc_832C29
; 

loc_832C69:				; CODE XREF: AlpcMessageCleanupProcedure+3Bj
		call	_AlpcpReleaseViewAttribute@4 ; AlpcpReleaseViewAttribute(x)
		mov	dword ptr [esi+4Ch], 0
		jmp	short loc_832BFD
; 

loc_832C77:				; CODE XREF: AlpcMessageCleanupProcedure+55j
		mov	eax, [esi+90h]
		push	eax
		push	ecx
		call	_PsReleaseProcessWakeCounter@8 ; PsReleaseProcessWakeCounter(x,x)
		mov	dword ptr [esi+70h], 0
		jmp	short loc_832C17
; 

loc_832C8D:				; CODE XREF: AlpcMessageCleanupProcedure+4Ej
		cmp	ecx, 4
		jb	short loc_832C9F
		test	cl, 2
		jz	short loc_832C9F
		and	ecx, 0FFFFFFFCh
		call	ObfDereferenceObject

loc_832C9F:				; CODE XREF: AlpcMessageCleanupProcedure+D0j
					; AlpcMessageCleanupProcedure+D5j
		mov	dword ptr [esi+54h], 0
		jmp	loc_832C10
AlpcMessageCleanupProcedure endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcMessageDestroyProcedure proc near	; DATA XREF: .text:00403C4Co

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00923DE6 SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_AlpcpMessageLogEnabled, 0
		push	esi
		mov	esi, [ebp+arg_0]
		jnz	loc_923DE6

loc_832CC6:				; CODE XREF: AlpcMessageDestroyProcedure+F113Dj
		mov	ecx, [esi+34h]
		test	ecx, ecx
		jnz	short loc_832CEF
		mov	ecx, [esi+1Ch]
		test	ecx, ecx
		jnz	short loc_832D03

loc_832CD4:				; CODE XREF: AlpcMessageDestroyProcedure+89j
					; AlpcMessageDestroyProcedure+99j
		mov	eax, [esi+78h]
		test	eax, eax
		jnz	short loc_832CE2

loc_832CDB:				; CODE XREF: AlpcMessageDestroyProcedure+3Dj
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
; 

loc_832CE2:				; CODE XREF: AlpcMessageDestroyProcedure+29j
		push	42456C41h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_832CDB
; 

loc_832CEF:				; CODE XREF: AlpcMessageDestroyProcedure+1Bj
		mov	edx, 1
		call	AlpcpDereferenceBlobEx
		mov	eax, 0C0000001h
		pop	esi
		pop	ebp
		retn	4
; 

loc_832D03:				; CODE XREF: AlpcMessageDestroyProcedure+22j
		cmp	dword ptr [esi+78h], 0
		mov	edx, 198h
		jz	short loc_832D17
		mov	edx, [esi+7Ch]
		add	edx, 198h

loc_832D17:				; CODE XREF: AlpcMessageDestroyProcedure+5Cj
		test	dword ptr [esi+14h], 400h
		jnz	short loc_832D3B
		call	_AlpcpReleasePagedPoolQuota@8 ;	AlpcpReleasePagedPoolQuota(x,x)
		mov	ecx, [esi+1Ch]
		mov	edx, 63706C41h
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [esi+1Ch], 0
		jmp	short loc_832CD4
; 

loc_832D3B:				; CODE XREF: AlpcMessageDestroyProcedure+6Ej
		push	0
		call	PsReturnSharedPoolQuota
		mov	dword ptr [esi+1Ch], 0
		jmp	short loc_832CD4
AlpcMessageDestroyProcedure endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpExposeWorkOnBehalfAttribute proc near ; CODE XREF:	AlpcpExposeAttributes+BEp

Source2		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6760
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+Source2], 0
		mov	[ebp+var_1C], 0
		test	byte ptr [edx+14h], 80h
		jnz	short loc_832DF0
		mov	esi, [edx+0Ch]
		mov	eax, [ecx+0F4h]
		and	al, 6
		cmp	al, 2
		jnz	short loc_832DF0
		test	esi, esi
		jz	short loc_832DF0
		mov	eax, [esi+0F4h]
		and	al, 6
		cmp	al, 4
		jnz	short loc_832DF0
		mov	[ebp+var_4], 0
		add	edx, 58h
		mov	eax, [edx]
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		push	8		; Length
		lea	eax, [ebp+Source2]
		push	eax		; Source2
		push	edx		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 8
		jz	short loc_832DE9
		mov	eax, [ebp+arg_4]
		or	dword ptr [eax], 2000000h

loc_832DE9:				; CODE XREF: AlpcpExposeWorkOnBehalfAttribute+8Ej
					; sub_923DF8+3j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_832DF0:				; CODE XREF: AlpcpExposeWorkOnBehalfAttribute+47j
					; AlpcpExposeWorkOnBehalfAttribute+56j	...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
AlpcpExposeWorkOnBehalfAttribute endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcpReceiveMessagePort(x,	x, x, x, x)
@AlpcpReceiveMessagePort@20 proc near	; CODE XREF: AlpcpReceiveLegacyMessage+10Cp
					; PAGE:00832933p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx]
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], eax

loc_832E2F:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+24Ej
					; AlpcpReceiveMessagePort(x,x,x,x,x)+2A4j ...
		lea	eax, [edi+0D0h]
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		xor	eax, eax

loc_832E40:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+C4j
					; AlpcpReceiveMessagePort(x,x,x,x,x)+15Ej
		mov	[ebp+var_4], eax
		jmp	short loc_832E50
; 
		align 10h

loc_832E50:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+33j
		mov	ecx, [edi+0F4h]
		test	cl, 40h
		jnz	loc_8333C9
		test	cl, 10h
		jnz	loc_8333C2
		lea	ecx, [edi+5Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, edi
		call	_AlpcpQueryHeadLargeQueue@4 ; AlpcpQueryHeadLargeQueue(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_832F73
		mov	ecx, edi
		call	_AlpcpQueryHeadMainQueue@4 ; AlpcpQueryHeadMainQueue(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_832F73
		mov	ecx, edi
		call	_AlpcpQueryHeadCanceledQueue@4 ; AlpcpQueryHeadCanceledQueue(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_832ED9
		mov	ecx, ebx
		call	AlpcpTryLockForCachedReferenceBlob
		test	al, al
		jnz	loc_833167

loc_832EB0:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+176j
		mov	ecx, edi
		call	_AlpcpUnlockIncomingQueue@4 ; AlpcpUnlockIncomingQueue(x)
		cmp	[ebp+var_4], 0
		jz	loc_832F5B
		mov	ecx, edi
		call	_AlpcpUnlockPortExclusive@4 ; AlpcpUnlockPortExclusive(x)
		mov	ecx, edi
		call	_AlpcpLockPortExclusive@4 ; AlpcpLockPortExclusive(x)
		mov	eax, 1
		jmp	loc_832E40
; 

loc_832ED9:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+8Fj
		mov	eax, [edi+0D4h]
		test	eax, eax
		jz	short loc_832EFE
		mov	eax, [eax+28h]
		mov	ecx, [eax+40h]
		mov	eax, [eax+44h]
		and	ecx, 0FFFFFFh
		cmp	ecx, 0FFFFFFh
		jnz	loc_8331C6

loc_832EFE:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+D1j
		mov	ecx, edi
		call	_AlpcpUnlockIncomingQueue@4 ; AlpcpUnlockIncomingQueue(x)
		cmp	dword ptr [edi+10h], 0
		jnz	loc_8332B6
		test	dword ptr [edi+0F4h], 200h
		jnz	loc_833063
		cmp	dword ptr [edi+0D8h], 0
		jnz	loc_8332A9
		mov	ebx, [ebp+var_8]
		test	byte ptr [ebx+300h], 20h
		jnz	loc_8332B6
		cmp	[ebp+var_4], 0
		jnz	short loc_832FB0
		mov	ecx, 1
		lea	edx, [edi+0D0h]
		mov	eax, 11h
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jz	short loc_832F69

loc_832F5B:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+ABj
		mov	ecx, edi
		call	_AlpcpUnlockPortShared@4 ; AlpcpUnlockPortShared(x)
		mov	ecx, edi
		call	_AlpcpLockPortExclusive@4 ; AlpcpLockPortExclusive(x)

loc_832F69:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+149j
		mov	eax, 1
		jmp	loc_832E40
; 

loc_832F73:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+6Dj
					; AlpcpReceiveMessagePort(x,x,x,x,x)+7Ej
		mov	ecx, ebx
		call	AlpcpTryLockForCachedReferenceBlob
		test	al, al
		jnz	loc_8332C3
		cmp	dword ptr [ebx+34h], 0
		jnz	loc_832EB0
		mov	ecx, ebx
		call	AlpcpReferenceBlob
		mov	ecx, edi
		call	_AlpcpUnlockIncomingQueue@4 ; AlpcpUnlockIncomingQueue(x)
		cmp	[ebp+var_4], 0
		mov	ecx, edi
		jz	loc_8330B9
		call	_AlpcpUnlockPortExclusive@4 ; AlpcpUnlockPortExclusive(x)
		jmp	loc_8330BE
; 

loc_832FB0:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+130j
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		mov	[ebx+318h], eax
		lea	ebx, [edi+88h]
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [edi+90h]
		lea	eax, [edi+8Ch]
		mov	ecx, [ebp+var_8]
		add	ecx, 31Ch
		cmp	[edx], eax
		jnz	loc_8332A2
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		mov	eax, esi
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_833002
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_833002:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+1E9j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, edi
		call	_AlpcpUnlockPortExclusive@4 ; AlpcpUnlockPortExclusive(x)
		cmp	_AlpcpLogEnabled, 0
		jz	short loc_833020
		mov	ecx, edi
		call	_AlpcpLogWaitForNewMessage@4 ; AlpcpLogWaitForNewMessage(x)

loc_833020:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+207j
		push	[ebp+arg_0]
		mov	edx, [ebp+var_8]
		push	[ebp+var_C]
		add	edx, 2B4h
		push	ecx
		mov	ecx, [ebp+var_10]
		call	@AlpcpCompleteDeferSignalRequestAndWait@20 ; AlpcpCompleteDeferSignalRequestAndWait(x,x,x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	loc_8331DA
		mov	eax, [ebp+var_8]
		mov	ebx, [eax+318h]
		mov	dword ptr [eax+318h], 0
		test	ebx, ebx
		jnz	loc_83328B
		jmp	loc_832E2F
; 

loc_833063:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+109j
		test	dword ptr [edi+98h], 1000h
		jz	loc_8332B6
		cmp	[ebp+var_4], 0
		mov	ecx, edi
		jz	short loc_833082
		call	_AlpcpUnlockPortExclusive@4 ; AlpcpUnlockPortExclusive(x)
		jmp	short loc_833087
; 

loc_833082:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+269j
		call	_AlpcpUnlockPortShared@4 ; AlpcpUnlockPortShared(x)

loc_833087:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+270j
		cmp	_AlpcpLogEnabled, 0
		jz	short loc_833097
		mov	ecx, edi
		call	_AlpcpLogWaitForNewMessage@4 ; AlpcpLogWaitForNewMessage(x)

loc_833097:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+27Ej
		push	[ebp+arg_0]
		mov	edx, [edi+94h]
		push	[ebp+var_C]
		push	ecx
		mov	ecx, [ebp+var_10]
		call	@AlpcpCompleteDeferSignalRequestAndWait@20 ; AlpcpCompleteDeferSignalRequestAndWait(x,x,x,x,x)
		test	eax, eax
		jnz	loc_8333EB
		jmp	loc_832E2F
; 

loc_8330B9:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+190j
		call	_AlpcpUnlockPortShared@4 ; AlpcpUnlockPortShared(x)

loc_8330BE:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+19Bj
		mov	ecx, ebx
		call	AlpcpLockForCachedReferenceBlob
		dec	word ptr [ebx-0Eh]
		lea	ecx, [edi+0D0h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [edi+0F4h]
		mov	[ebp+var_4], 0
		test	al, 50h
		jnz	short loc_833144
		xor	edx, edx
		lea	ecx, [edi+5Ch]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, edi
		call	_AlpcpQueryHeadLargeQueue@4 ; AlpcpQueryHeadLargeQueue(x)
		test	eax, eax
		jnz	short loc_83310B
		mov	ecx, edi
		call	_AlpcpQueryHeadMainQueue@4 ; AlpcpQueryHeadMainQueue(x)
		cmp	ebx, eax
		jz	loc_8332C3

loc_83310B:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+2EAj
		mov	ecx, edi
		call	_AlpcpQueryHeadLargeQueue@4 ; AlpcpQueryHeadLargeQueue(x)
		cmp	ebx, eax
		jz	loc_8332C3
		mov	ecx, edi
		call	_AlpcpUnlockIncomingQueue@4 ; AlpcpUnlockIncomingQueue(x)
		mov	ecx, edi
		call	_AlpcpUnlockPortShared@4 ; AlpcpUnlockPortShared(x)
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_833138
		mov	ecx, ebx
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_833138:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+31Fj
		mov	ecx, ebx
		call	AlpcpUnlockBlob
		jmp	loc_832E2F
; 

loc_833144:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+2D5j
		mov	ecx, edi
		call	_AlpcpUnlockPortShared@4 ; AlpcpUnlockPortShared(x)
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_83315B
		mov	ecx, ebx
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_83315B:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+342j
		mov	ecx, ebx
		call	AlpcpUnlockBlob
		jmp	loc_832E2F
; 

loc_833167:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+9Aj
		and	dword ptr [ebx+14h], 0FFFEFFFFh
		mov	ecx, [ebx+30h]
		mov	eax, [ebx+2Ch]
		mov	[ecx], eax
		mov	ecx, [ebx+2Ch]
		mov	eax, [ebx+30h]
		mov	[ecx+4], eax
		mov	ecx, edi
		dec	dword ptr [edi+114h]
		call	_AlpcpUnlockIncomingQueue@4 ; AlpcpUnlockIncomingQueue(x)
		cmp	[ebp+var_4], 0
		mov	ecx, edi
		jz	short loc_8331AD
		call	_AlpcpUnlockPortExclusive@4 ; AlpcpUnlockPortExclusive(x)
		mov	eax, [ebp+arg_4]
		dec	word ptr [ebx-0Eh]
		pop	edi
		pop	esi
		mov	[eax], ebx
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8331AD:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+382j
		call	_AlpcpUnlockPortShared@4 ; AlpcpUnlockPortShared(x)
		mov	eax, [ebp+arg_4]
		dec	word ptr [ebx-0Eh]
		pop	edi
		pop	esi
		mov	[eax], ebx
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8331C6:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+E8j
		mov	ecx, edi
		call	_AlpcpUnlockIncomingQueue@4 ; AlpcpUnlockIncomingQueue(x)
		mov	eax, [ebp+var_4]
		mov	esi, 40000030h
		jmp	loc_8333CE
; 

loc_8331DA:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+22Dj
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebp+var_8]
		mov	ecx, [esi+31Ch]
		lea	eax, [esi+31Ch]
		test	ecx, ecx
		jz	short loc_833246
		mov	dword ptr [esi+318h], 0
		mov	edx, [eax+4]
		cmp	[ecx+4], eax
		jnz	loc_8332A2
		cmp	[edx], eax
		jnz	loc_8332A2
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	dword ptr [eax], 0
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_833233
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_833233:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+41Aj
		mov	ecx, ebx
		call	KeAbPostRelease

loc_83323A:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+479j
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_833246:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+3E4j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_83325A
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_83325A:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+441j
		mov	ecx, ebx
		call	KeAbPostRelease
		push	0
		push	0
		push	0
		mov	edx, 10h
		lea	ecx, [esi+2B4h]
		call	_AlpcpWaitForSingleObject@20 ; AlpcpWaitForSingleObject(x,x,x,x,x)
		mov	ebx, [esi+318h]
		mov	dword ptr [esi+318h], 0
		test	ebx, ebx
		jz	short loc_83323A

loc_83328B:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+248j
		mov	ecx, ebx
		call	AlpcpLockForCachedReferenceBlob
		dec	word ptr [ebx-0Eh]
		and	dword ptr [ebx+14h], 0FFFFDFFFh
		jmp	loc_8333A2
; 

loc_8332A2:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+1CFj
					; AlpcpReceiveMessagePort(x,x,x,x,x)+3F6j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8332A9:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+116j
		mov	eax, [ebp+var_4]
		mov	esi, 102h
		jmp	loc_8333CE
; 

loc_8332B6:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+F9j
					; AlpcpReceiveMessagePort(x,x,x,x,x)+126j ...
		mov	eax, [ebp+var_4]
		mov	esi, 0C0000001h
		jmp	loc_8333CE
; 

loc_8332C3:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+16Cj
					; AlpcpReceiveMessagePort(x,x,x,x,x)+2F5j ...
		mov	eax, [ebx+14h]
		and	eax, 7
		sub	eax, 1
		jz	short loc_8332D6
		dec	dword ptr [edi+108h]
		jmp	short loc_8332DC
; 

loc_8332D6:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+4BCj
		dec	dword ptr [edi+104h]

loc_8332DC:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+4C4j
		and	dword ptr [ebx+14h], 0FFFFFFF8h
		mov	dword ptr [ebx+8], 0
		mov	ecx, [ebx+4]
		mov	eax, [ebx]
		mov	[ecx], eax
		mov	ecx, [ebx]
		mov	eax, [ebx+4]
		mov	[ecx+4], eax
		test	dword ptr [ebx+14h], 200h
		jz	short loc_83331E
		lea	ecx, [ebx+38h]
		call	sub_8339C2
		test	[ebp+arg_8], eax
		jnz	short loc_83331E
		mov	eax, 0FFFFDFFFh
		and	[ebx+84h], ax
		dec	word ptr [ebx-0Eh]
		jmp	short loc_833387
; 

loc_83331E:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+4EDj
					; AlpcpReceiveMessagePort(x,x,x,x,x)+4FAj
		mov	eax, 2000h
		lea	esi, [edi+70h]
		or	[ebx+84h], ax
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebx+14h]
		mov	[ebx+8], edi
		and	eax, 0FFFFFF83h
		mov	ecx, [edi+0F4h]
		and	ecx, 6
		shl	ecx, 2
		or	ecx, eax
		or	ecx, 3
		mov	[ebx+14h], ecx
		lea	ecx, [edi+74h]
		mov	eax, [ecx+4]
		mov	[ebx+4], eax
		mov	[ebx], ecx
		mov	eax, [ecx+4]
		mov	[eax], ebx
		or	eax, 0FFFFFFFFh
		inc	dword ptr [edi+10Ch]
		mov	[ecx+4], ebx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_833380
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_833380:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+567j
		mov	ecx, esi
		call	KeAbPostRelease

loc_833387:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+50Cj
		mov	ecx, edi
		call	_AlpcpUnlockIncomingQueue@4 ; AlpcpUnlockIncomingQueue(x)
		cmp	[ebp+var_4], 0
		mov	ecx, edi
		jz	short loc_83339D
		call	_AlpcpUnlockPortExclusive@4 ; AlpcpUnlockPortExclusive(x)
		jmp	short loc_8333A2
; 

loc_83339D:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+584j
		call	_AlpcpUnlockPortShared@4 ; AlpcpUnlockPortShared(x)

loc_8333A2:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+48Dj
					; AlpcpReceiveMessagePort(x,x,x,x,x)+58Bj
		cmp	_AlpcpLogEnabled, 0
		jz	short loc_8333B2
		mov	ecx, ebx
		call	_AlpcpLogReceiveMessage@4 ; AlpcpLogReceiveMessage(x)

loc_8333B2:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+599j
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	esi
		mov	[eax], ebx
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8333C2:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+52j
		mov	esi, 0C0000041h
		jmp	short loc_8333CE
; 

loc_8333C9:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+49j
		mov	esi, 0C0000700h

loc_8333CE:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+3C5j
					; AlpcpReceiveMessagePort(x,x,x,x,x)+4A1j ...
		mov	ecx, edi
		test	eax, eax
		jz	short loc_8333E4
		call	_AlpcpUnlockPortExclusive@4 ; AlpcpUnlockPortExclusive(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8333E4:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+5C2j
		call	_AlpcpUnlockPortShared@4 ; AlpcpUnlockPortShared(x)
		mov	eax, esi

loc_8333EB:				; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+29Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
@AlpcpReceiveMessagePort@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall AlpcpQueryHeadLargeQueue(x)
_AlpcpQueryHeadLargeQueue@4 proc near	; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+64p
					; AlpcpReceiveMessagePort(x,x,x,x,x)+2E3p ...
		mov	eax, [ecx+68h]
		add	ecx, 68h
		cmp	eax, ecx
		jnz	short loc_83340D

loc_83340A:				; CODE XREF: AlpcpQueryHeadLargeQueue(x)+11j
		xor	eax, eax

locret_83340C:				; CODE XREF: AlpcpQueryHeadLargeQueue(x)+Fj
		retn
; 

loc_83340D:				; CODE XREF: AlpcpQueryHeadLargeQueue(x)+8j
		test	eax, eax
		jnz	short locret_83340C
		jmp	short loc_83340A
_AlpcpQueryHeadLargeQueue@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall AlpcpQueryHeadMainQueue(x)
_AlpcpQueryHeadMainQueue@4 proc	near	; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+75p
					; AlpcpReceiveMessagePort(x,x,x,x,x)+2EEp
		add	ecx, 60h
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	short loc_833422
		test	eax, eax
		jz	short loc_833422
		retn
; 

loc_833422:				; CODE XREF: AlpcpQueryHeadMainQueue(x)+7j
					; AlpcpQueryHeadMainQueue(x)+Bj
		xor	eax, eax
		retn
_AlpcpQueryHeadMainQueue@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


AlpcpTryLockForCachedReferenceBlob proc	near ; CODE XREF: AlpcpCancelMessagesByRequestor+F5p
					; AlpcpReceiveMessagePort(x,x,x,x,x)+93p ...

; FUNCTION CHUNK AT 00923E00 SIZE 00000021 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		push	1
		lea	edi, [esi-4]
		mov	ecx, edi
		call	KeAbPreAcquire
		lock bts dword ptr [edi], 0
		jb	loc_923E0D
		test	eax, eax
		jnz	short loc_833477

loc_833454:				; CODE XREF: AlpcpTryLockForCachedReferenceBlob+4Bj
		or	byte ptr [esi-10h], 1
		lea	ecx, [esi-0Ch]
		mov	eax, 10000h
		lock xadd [ecx], eax
		add	eax, 10000h
		test	eax, eax
		jle	loc_923E00
		mov	al, 1

loc_833473:				; CODE XREF: AlpcpTryLockForCachedReferenceBlob+F09ECj
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_833477:				; CODE XREF: AlpcpTryLockForCachedReferenceBlob+22j
		or	byte ptr [eax+0Eh], 1
		jmp	short loc_833454
AlpcpTryLockForCachedReferenceBlob endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsQueryProcessEnergyValues(x, x)
_PsQueryProcessEnergyValues@8 proc near	; CODE XREF: PspFoldProcessAccountingIntoJob(x,x,x)+1D3p
					; PopEtProcessEnumSnapshotCallback(x,x)+84p ...

var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	1B0h		; size_t
		mov	ebx, edx
		mov	esi, ecx
		push	0		; int
		push	ebx		; void *
		mov	[ebp+var_C], ebx
		mov	[ebp+var_18], esi
		call	_memset
		add	esp, 0Ch
		call	_PoEnergyEstimationEnabled@0 ; PoEnergyEstimationEnabled()
		test	al, al
		jz	loc_83386F
		cmp	esi, ds:_PsIdleProcess
		jz	loc_83386F
		mov	edx, [esi+3E0h]
		mov	esi, 0FFDF0324h
		mov	[ebp+var_8], edx
		mov	eax, [edx+40h]
		mov	ecx, [edx+44h]
		mov	[ebx+40h], eax
		mov	[ebx+44h], ecx
		mov	eax, [edx+48h]
		mov	ecx, [edx+4Ch]
		mov	[ebx+48h], eax
		mov	[ebx+4Ch], ecx
		mov	eax, [edx+50h]
		mov	ecx, [edx+54h]
		mov	[ebx+50h], eax
		mov	[ebx+54h], ecx
		mov	eax, [edx+58h]
		mov	ecx, [edx+5Ch]
		mov	[ebx+58h], eax
		mov	[ebx+5Ch], ecx
		mov	eax, [edx+60h]
		mov	ecx, [edx+64h]
		mov	edx, 0FFDF0320h
		mov	[ebx+60h], eax
		mov	eax, 0FFDF0328h
		mov	[ebx+64h], ecx
		mov	esi, [esi]
		mov	edx, [edx]
		mov	eax, [eax]
		mov	ecx, ds:0FFDF0004h
		mov	[ebp+var_14], ecx
		cmp	esi, eax
		jz	short loc_833546
		mov	eax, 0FFDF0324h
		mov	edi, 0FFDF0320h
		mov	ebx, 0FFDF0328h

loc_833534:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+BEj
		pause
		mov	esi, [eax]
		mov	edx, [edi]
		mov	ecx, [ebx]
		cmp	esi, ecx
		jnz	short loc_833534
		mov	ebx, [ebp+var_C]
		mov	ecx, [ebp+var_14]

loc_833546:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+A3j
		mov	eax, edx
		shl	esi, 8
		mul	ecx
		imul	esi, ecx
		mov	edi, eax
		shrd	edi, edx, 18h
		add	edi, esi
		call	_KeQueryTimelineBitmapTime@0 ; KeQueryTimelineBitmapTime()
		mov	[ebp+var_14], eax
		lea	edx, [ebx+110h]
		mov	eax, [ebp+var_8]
		mov	esi, 0Eh
		sub	eax, ebx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_4], eax
		mov	ebx, eax
		jmp	short loc_833580
; 
		align 10h

loc_833580:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+F8j
					; PsQueryProcessEnergyValues(x,x)+113j
		mov	ecx, [ebx+edx]
		lea	edx, [edx+8]
		mov	[edx-8], ecx
		mov	eax, [ebx+edx-4]
		mov	[edx-4], eax
		sub	esi, 1
		jnz	short loc_833580
		mov	ebx, [ebp+var_C]
		mov	[ebp+var_10], 3
		lea	esi, [ebx+68h]

loc_8335A2:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+1A6j
		mov	edx, [ebp+var_4]
		xor	ecx, ecx
		mov	eax, [esi+edx]
		mov	edx, [esi+edx+4]
		mov	[esi], eax
		mov	[esi+4], edx
		test	edx, edx
		jns	short loc_8335ED
		mov	eax, [ebp+var_4]
		and	edx, 7FFFFFFFh
		mov	[esi+4], edx
		mov	eax, [esi+eax]
		cmp	edi, eax
		jbe	short loc_8335ED
		mov	ecx, edi
		mov	[esi], edi
		sub	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_8335E2
		mov	eax, ecx
		not	eax
		cmp	eax, edx
		jb	short loc_8335E2
		lea	eax, [ecx+edx]
		jmp	short loc_8335E5
; 

loc_8335E2:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+153j
					; PsQueryProcessEnergyValues(x,x)+15Bj
		or	eax, 0FFFFFFFFh

loc_8335E5:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+160j
		and	eax, 7FFFFFFFh
		mov	[esi+4], eax

loc_8335ED:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+135j
					; PsQueryProcessEnergyValues(x,x)+148j
		lea	eax, [ebx+68h]
		cmp	esi, eax
		jnz	short loc_8335FB
		mov	eax, 130h
		jmp	short loc_833607
; 

loc_8335FB:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+172j
		lea	eax, [ebx+70h]
		cmp	esi, eax
		jnz	short loc_83361F
		mov	eax, 138h

loc_833607:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+179j
		add	eax, ebx
		jz	short loc_83361F
		test	ecx, ecx
		jz	short loc_83361F
		mov	edx, [ebp+var_14]
		shr	ecx, 0Ch
		push	edx
		sub	edx, ecx
		mov	ecx, eax
		call	_RtlTimelineBitmapUpdateRange@12 ; RtlTimelineBitmapUpdateRange(x,x,x)

loc_83361F:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+180j
					; PsQueryProcessEnergyValues(x,x)+189j	...
		add	esi, 8
		sub	[ebp+var_10], 1
		jnz	loc_8335A2
		lea	esi, [ebx+180h]
		mov	[ebp+var_10], 5
		lea	esp, [esp+0]

loc_833640:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+25Bj
		mov	edx, [ebp+var_4]
		xor	ecx, ecx
		mov	eax, [esi+edx]
		mov	edx, [esi+edx+4]
		mov	[esi], eax
		mov	[esi+4], edx
		test	edx, edx
		jns	short loc_83368B
		mov	eax, [ebp+var_4]
		and	edx, 7FFFFFFFh
		mov	[esi+4], edx
		mov	eax, [esi+eax]
		cmp	edi, eax
		jbe	short loc_83368B
		mov	ecx, edi
		mov	[esi], edi
		sub	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jnb	short loc_833680
		mov	eax, ecx
		not	eax
		cmp	eax, edx
		jb	short loc_833680
		lea	eax, [ecx+edx]
		jmp	short loc_833683
; 

loc_833680:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+1F1j
					; PsQueryProcessEnergyValues(x,x)+1F9j
		or	eax, 0FFFFFFFFh

loc_833683:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+1FEj
		and	eax, 7FFFFFFFh
		mov	[esi+4], eax

loc_83368B:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+1D3j
					; PsQueryProcessEnergyValues(x,x)+1E6j
		lea	eax, [ebx+188h]
		cmp	esi, eax
		jnz	short loc_83369C
		mov	eax, 160h
		jmp	short loc_8336BC
; 

loc_83369C:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+213j
		lea	eax, [ebx+190h]
		cmp	esi, eax
		jnz	short loc_8336AD
		mov	eax, 168h
		jmp	short loc_8336BC
; 

loc_8336AD:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+224j
		lea	eax, [ebx+198h]
		cmp	esi, eax
		jnz	short loc_8336D4
		mov	eax, 170h

loc_8336BC:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+21Aj
					; PsQueryProcessEnergyValues(x,x)+22Bj
		add	eax, ebx
		jz	short loc_8336D4
		test	ecx, ecx
		jz	short loc_8336D4
		mov	edx, [ebp+var_14]
		shr	ecx, 0Ch
		push	edx
		sub	edx, ecx
		mov	ecx, eax
		call	_RtlTimelineBitmapUpdateRange@12 ; RtlTimelineBitmapUpdateRange(x,x,x)

loc_8336D4:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+235j
					; PsQueryProcessEnergyValues(x,x)+23Ej	...
		add	esi, 8
		sub	[ebp+var_10], 1
		jnz	loc_833640
		mov	esi, [ebp+var_8]
		mov	eax, [esi+80h]
		mov	[ebx+80h], eax
		mov	eax, [esi+84h]
		mov	[ebx+84h], eax
		mov	eax, [esi+88h]
		mov	[ebx+88h], eax
		mov	eax, [esi+1A8h]
		mov	[ebx+1A8h], eax
		mov	eax, [esi+1ACh]
		mov	[ebx+1ACh], eax
		mov	eax, large fs:124h
		mov	[ebp+var_20], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [ebp+var_18]
		xor	edx, edx
		add	eax, 398h
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_8]
		mov	ecx, 10h
		mov	edi, ebx
		rep movsd
		lea	edi, [ebx+90h]
		mov	ecx, 10h
		lea	esi, [eax+90h]
		rep movsd
		lea	esi, [eax+0D0h]
		mov	ecx, 10h
		lea	edi, [ebx+0D0h]
		rep movsd
		mov	ecx, [ebp+var_18]
		add	ecx, 1D0h
		mov	[ebp+var_10], ecx
		mov	eax, [ecx]
		mov	[ebp+var_14], eax
		cmp	eax, ecx
		jz	loc_833846

loc_833790:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+3C0j
		mov	edi, [eax+0A4h]
		mov	ebx, [ebp+var_1C]
		mov	edx, [edi+0C0h]
		mov	eax, [edi+0C4h]
		mov	ecx, [ebx]
		cmp	edx, ecx
		jbe	short loc_8337CD
		mov	esi, edx
		mov	[ebx], edx
		sub	esi, ecx
		cmp	esi, 20h
		jnb	short loc_8337C4
		mov	edx, [ebx+4]
		mov	ecx, esi
		shl	edx, cl
		or	eax, edx
		mov	[ebx+4], eax
		jmp	short loc_8337D9
; 

loc_8337C4:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+334j
		xor	edx, edx
		or	eax, edx
		mov	[ebx+4], eax
		jmp	short loc_8337D9
; 

loc_8337CD:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+329j
		sub	ecx, edx
		cmp	ecx, 20h
		jnb	short loc_8337D9
		shl	eax, cl
		or	[ebx+4], eax

loc_8337D9:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+342j
					; PsQueryProcessEnergyValues(x,x)+34Bj	...
		mov	eax, [ebp+var_C]
		lea	esi, [edi+80h]
		mov	ebx, edi
		mov	[ebp+var_18], 4
		sub	ebx, eax
		lea	ecx, [ecx+0]

loc_8337F0:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+3B3j
		mov	edi, 2

loc_8337F5:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+3ADj
		mov	ecx, [ebx+eax]
		mov	edx, [ebx+eax+4]
		add	[eax], ecx
		adc	[eax+4], edx
		mov	ecx, [esi-40h]
		mov	edx, [esi-3Ch]
		add	[eax+90h], ecx
		adc	[eax+94h], edx
		mov	ecx, [esi]
		mov	edx, [esi+4]
		add	[eax+0D0h], ecx
		adc	[eax+0D4h], edx
		add	eax, 8
		add	esi, 8
		sub	edi, 1
		jnz	short loc_8337F5
		sub	[ebp+var_18], 1
		jnz	short loc_8337F0
		mov	eax, [ebp+var_14]
		mov	eax, [eax]
		mov	[ebp+var_14], eax
		cmp	eax, [ebp+var_10]
		jnz	loc_833790

loc_833846:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+30Aj
		mov	esi, [ebp+var_4]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_833860
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_833860:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+3D7j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_20]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)

loc_83386F:				; CODE XREF: PsQueryProcessEnergyValues(x,x)+2Cj
					; PsQueryProcessEnergyValues(x,x)+38j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PsQueryProcessEnergyValues@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpExposeAttributes proc near		; CODE XREF: AlpcpProcessConnectionRequest+18Cp
					; PAGE:0082FCA4p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[esp+0Ch+var_4], ecx
		push	edi
		mov	edi, [ebp+arg_8]
		mov	dword ptr [edi+4], 0
		lea	ebx, [edi+4]
		test	esi, esi
		jns	short loc_8338BF
		mov	edx, 80000000h
		mov	ecx, esi
		call	_AlpcpGetMessageAttributeOffset@8 ; AlpcpGetMessageAttributeOffset(x,x)
		mov	edx, eax
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+48h], 0
		jnz	loc_83394C

loc_8338BF:				; CODE XREF: AlpcpExposeAttributes+22j
					; AlpcpExposeAttributes+E3j
		test	esi, 40000000h
		jnz	sub_8CA243

loc_8338CB:				; CODE XREF: sub_8CA243+18j
		test	esi, 20000000h
		jz	short loc_8338EF
		push	ebx
		mov	edx, 20000000h
		mov	ecx, esi
		call	_AlpcpGetMessageAttributeOffset@8 ; AlpcpGetMessageAttributeOffset(x,x)
		mov	edx, [ebp+arg_0]
		add	eax, edi
		mov	ecx, [esp+14h+var_4]
		push	eax
		call	@AlpcpExposeContextAttribute@16	; AlpcpExposeContextAttribute(x,x,x,x)

loc_8338EF:				; CODE XREF: AlpcpExposeAttributes+51j
		test	esi, 10000000h
		jnz	sub_8CA260

loc_8338FB:				; CODE XREF: sub_8CA260+1Cj
		test	esi, 8000000h
		jz	short loc_83391F
		push	ebx
		mov	edx, 8000000h
		mov	ecx, esi
		call	_AlpcpGetMessageAttributeOffset@8 ; AlpcpGetMessageAttributeOffset(x,x)
		mov	edx, [ebp+arg_0]
		add	eax, edi
		mov	ecx, [esp+14h+var_4]
		push	eax
		call	AlpcpExposeTokenAttribute

loc_83391F:				; CODE XREF: AlpcpExposeAttributes+81j
		test	esi, 2000000h
		jz	short loc_833943
		push	ebx
		mov	edx, 2000000h
		mov	ecx, esi
		call	_AlpcpGetMessageAttributeOffset@8 ; AlpcpGetMessageAttributeOffset(x,x)
		mov	edx, [ebp+arg_0]
		add	eax, edi
		mov	ecx, [esp+14h+var_4]
		push	eax
		call	AlpcpExposeWorkOnBehalfAttribute

loc_833943:				; CODE XREF: AlpcpExposeAttributes+A5j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_83394C:				; CODE XREF: AlpcpExposeAttributes+39j
		mov	dword ptr [edx+edi], 0
		mov	ecx, [eax+48h]
		mov	eax, [ecx+4]
		mov	[edx+edi+8], eax
		or	dword ptr [ebx], 80000000h
		jmp	loc_8338BF
AlpcpExposeAttributes endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall AlpcpGetMessageAttributeOffset(x, x)
_AlpcpGetMessageAttributeOffset@8 proc near
					; CODE XREF: AlpcpExposeCapturedContextAttribute(x,x,x,x)+27p
					; AlpcpCompleteDispatchMessage+CBDp ...
		imul	edx, -2
		and	edx, ecx
		mov	eax, edx
		sar	eax, 1Fh
		and	eax, 0Ch
		add	eax, 8
		test	edx, 40000000h
		jnz	short loc_8339B3

loc_833988:				; CODE XREF: AlpcpGetMessageAttributeOffset(x,x)+46j
		test	edx, 20000000h
		jnz	short loc_8339A9

loc_833990:				; CODE XREF: AlpcpGetMessageAttributeOffset(x,x)+3Cj
		test	edx, 10000000h
		jnz	short loc_8339B8

loc_833998:				; CODE XREF: AlpcpGetMessageAttributeOffset(x,x)+4Bj
		test	edx, 8000000h
		jnz	short loc_8339AE

loc_8339A0:				; CODE XREF: AlpcpGetMessageAttributeOffset(x,x)+41j
		test	edx, 2000000h
		jnz	short loc_8339BD
		retn
; 

loc_8339A9:				; CODE XREF: AlpcpGetMessageAttributeOffset(x,x)+1Ej
		add	eax, 14h
		jmp	short loc_833990
; 

loc_8339AE:				; CODE XREF: AlpcpGetMessageAttributeOffset(x,x)+2Ej
		add	eax, 18h
		jmp	short loc_8339A0
; 

loc_8339B3:				; CODE XREF: AlpcpGetMessageAttributeOffset(x,x)+16j
		add	eax, 10h
		jmp	short loc_833988
; 

loc_8339B8:				; CODE XREF: AlpcpGetMessageAttributeOffset(x,x)+26j
		add	eax, 10h
		jmp	short loc_833998
; 

loc_8339BD:				; CODE XREF: AlpcpGetMessageAttributeOffset(x,x)+36j
		add	eax, 8
		retn
_AlpcpGetMessageAttributeOffset@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


sub_8339C2	proc near		; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+160p
					; AlpcpCompleteDispatchMessage+2C7p ...
		mov	eax, [ecx+10h]
		neg	eax
		sbb	eax, eax
		and	eax, 80000000h
		cmp	dword ptr [ecx+14h], 0
		jnz	short loc_8339DB

loc_8339D4:				; CODE XREF: sub_8339C2+1Ej
		cmp	dword ptr [ecx+18h], 0
		jnz	short loc_8339E2
		retn
; 

loc_8339DB:				; CODE XREF: sub_8339C2+10j
		or	eax, 40000000h
		jmp	short loc_8339D4
; 

loc_8339E2:				; CODE XREF: sub_8339C2+16j
		or	eax, 10000000h
		retn
sub_8339C2	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcpExposeContextAttribute(x, x, x, x)
@AlpcpExposeContextAttribute@16	proc near
					; CODE XREF: AlpcpReturnMessageOnInsufficientBuffer(x,x,x)+B5p
					; AlpcpExposeAttributes+6Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[edx+20h], ecx
		jz	short loc_833A50
		cmp	[edx+24h], ecx
		jz	short loc_833A50
		mov	eax, [edx+40h]

loc_8339FA:				; CODE XREF: AlpcpExposeContextAttribute(x,x,x,x)+6Bj
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[esi], eax
		cmp	[edx+20h], ecx
		jz	short loc_833A55
		cmp	[edx+24h], ecx
		jz	short loc_833A55
		mov	eax, [edx+18h]

loc_833A0D:				; CODE XREF: AlpcpExposeContextAttribute(x,x,x,x)+70j
		mov	[esi+8], eax
		mov	eax, [ecx+0F4h]
		and	al, 6
		cmp	al, 4
		jz	short loc_833A4B
		mov	eax, [edx+3Ch]

loc_833A1F:				; CODE XREF: AlpcpExposeContextAttribute(x,x,x,x)+66j
		mov	[esi+4], eax
		mov	eax, [edx+90h]
		mov	[esi+0Ch], eax
		mov	eax, [edx+94h]
		mov	[esi+10h], eax
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_833A46
		cmp	dword ptr [esi], 0
		jz	short loc_833A46
		or	dword ptr [eax], 20000000h

loc_833A46:				; CODE XREF: AlpcpExposeContextAttribute(x,x,x,x)+51j
					; AlpcpExposeContextAttribute(x,x,x,x)+56j
		pop	esi
		pop	ebp
		retn	8
; 

loc_833A4B:				; CODE XREF: AlpcpExposeContextAttribute(x,x,x,x)+32j
		mov	eax, [edx+38h]
		jmp	short loc_833A1F
; 

loc_833A50:				; CODE XREF: AlpcpExposeContextAttribute(x,x,x,x)+8j
					; AlpcpExposeContextAttribute(x,x,x,x)+Dj
		mov	eax, [edx+44h]
		jmp	short loc_8339FA
; 

loc_833A55:				; CODE XREF: AlpcpExposeContextAttribute(x,x,x,x)+1Bj
					; AlpcpExposeContextAttribute(x,x,x,x)+20j
		mov	eax, [edx+28h]
		jmp	short loc_833A0D
@AlpcpExposeContextAttribute@16	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpInsertCompletionListEntry proc near ; CODE	XREF: AlpcpCompleteDispatchMessage+4C1p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00923E21 SIZE 000001CC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ecx
		mov	[ebp+var_20], edx
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+0D4h]
		mov	[ebp+var_8], eax
		mov	[ebp+var_30], ebx
		mov	[ebp+var_24], 0
		mov	esi, [ebx+30h]
		mov	edi, [ebx+28h]
		shr	esi, 2
		mov	[ebp+var_28], edi
		test	esi, esi
		jz	loc_833B79
		add	edi, 40h
		mov	[ebp+var_C], edi
		lea	ecx, [ecx+0]

loc_833AA0:				; CODE XREF: AlpcpInsertCompletionListEntry+F0588j
		mov	ecx, [eax+0D4h]
		xor	edx, edx
		add	ecx, 0Ch
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [edi]
		mov	eax, edx
		mov	edi, [edi+4]
		and	eax, 0FFFFFFh
		mov	[ebp+var_2C], eax
		mov	ecx, edx
		mov	eax, edi
		mov	[ebp+var_4], edx
		shrd	ecx, eax, 18h
		mov	eax, [ebp+var_2C]
		and	ecx, 0FFFFFFh
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], 0
		cmp	eax, 0FFFFFFh
		jnz	loc_923E41
		cmp	ecx, eax
		jnz	loc_923E41
		mov	eax, [ebx+2Ch]
		xor	ebx, ebx
		mov	ecx, [ebp+var_20]
		mov	[eax], ecx
		mov	ecx, edi
		and	ecx, 0FFFF0000h
		mov	eax, edx
		mov	[ebp+var_2C], ecx
		mov	edx, edi
		nop
		mov	edi, [ebp+var_C]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+var_8]
		mov	edi, [ecx+0D4h]
		add	edi, 0Ch
		cmp	eax, [ebp+var_4]
		jnz	loc_923E21
		cmp	edx, [ebp+var_18]
		jnz	loc_923E21
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_833B64

loc_833B3C:				; CODE XREF: AlpcpInsertCompletionListEntry+10Bj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, [ebp+var_28]
		lock inc dword ptr [eax+80h]
		cmp	[ebp+var_2C], 10000h
		ja	short loc_833B58
		jb	short loc_833B6D

loc_833B58:				; CODE XREF: AlpcpInsertCompletionListEntry+F4j
					; AlpcpInsertCompletionListEntry+F0506j
		mov	eax, 1

loc_833B5D:				; CODE XREF: AlpcpInsertCompletionListEntry+11Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_833B64:				; CODE XREF: AlpcpInsertCompletionListEntry+DAj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_833B3C
; 

loc_833B6D:				; CODE XREF: AlpcpInsertCompletionListEntry+F6j
		pop	edi
		pop	esi
		mov	eax, 3
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_833B79:				; CODE XREF: AlpcpInsertCompletionListEntry+31j
					; AlpcpInsertCompletionListEntry+F0498j ...
		xor	eax, eax
		jmp	short loc_833B5D
AlpcpInsertCompletionListEntry endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpAllocateCompletionBuffer proc near	; CODE XREF: AlpcpCompleteDispatchMessage+366p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00923FED SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+0D4h]
		lea	ebx, [edx+3Fh]
		shr	ebx, 6
		mov	[ebp+var_4], 0
		mov	eax, [edi+44h]
		mov	ecx, [edi+34h]
		shr	eax, 5
		mov	[ebp+var_8], ecx
		lea	edx, [ecx+eax*4]
		mov	eax, [edi+30h]
		shr	eax, 2
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_833C20
		lea	ecx, [ecx+0]

loc_833BC0:				; CODE XREF: AlpcpAllocateCompletionBuffer+9Aj
		mov	esi, [edi+48h]
		cmp	esi, [edi+44h]
		jnb	short loc_833C1C
		and	esi, 0FFFFFFE0h

loc_833BCB:				; CODE XREF: AlpcpAllocateCompletionBuffer+9Ej
		mov	eax, esi
		shr	eax, 5
		push	ebx
		lea	eax, [ecx+eax*4]
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	AlpcpAllocateFromBitmap
		cmp	eax, 0FFFFFFFEh
		jz	short loc_833C08
		cmp	eax, 0FFFFFFFFh
		jz	loc_923FED
		add	eax, esi

loc_833BEE:				; CODE XREF: AlpcpAllocateCompletionBuffer+92j
					; AlpcpAllocateCompletionBuffer+F0484j
		cmp	eax, 0FFFFFFFFh
		jz	short loc_833C20
		cmp	eax, 0FFFFFFFEh
		jz	short loc_833C20
		lea	ecx, [eax+ebx]
		shl	eax, 6
		mov	[edi+48h], ecx

loc_833C01:				; CODE XREF: AlpcpAllocateCompletionBuffer+A3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_833C08:				; CODE XREF: AlpcpAllocateCompletionBuffer+61j
					; AlpcpAllocateCompletionBuffer+F048Aj
		mov	ecx, [ebp+var_4]
		inc	ecx
		mov	[ebp+var_4], ecx
		cmp	ecx, [ebp+var_10]
		jnb	short loc_833BEE
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_14]
		jmp	short loc_833BC0
; 

loc_833C1C:				; CODE XREF: AlpcpAllocateCompletionBuffer+46j
		xor	esi, esi
		jmp	short loc_833BCB
; 

loc_833C20:				; CODE XREF: AlpcpAllocateCompletionBuffer+3Bj
					; AlpcpAllocateCompletionBuffer+71j ...
		or	eax, 0FFFFFFFFh
		jmp	short loc_833C01
AlpcpAllocateCompletionBuffer endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpAllocateFromBitmap	proc near	; CODE XREF: AlpcpAllocateCompletionBuffer+59p
					; AlpcpAllocateCompletionBuffer+F047Cp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092400F SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	eax, edx
		mov	[ebp+var_C], ecx
		mov	ebx, ecx
		mov	[ebp+var_10], eax
		push	edi
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_18], ebx
		xor	esi, esi
		cmp	ebx, eax
		jz	loc_924061
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_8], esi
		jmp	short loc_833C60
; 
		align 10h

loc_833C60:				; CODE XREF: AlpcpAllocateFromBitmap+2Bj
					; AlpcpAllocateFromBitmap+5Ej
		mov	eax, [ecx]
		xor	ecx, ecx

loc_833C64:				; CODE XREF: AlpcpAllocateFromBitmap+4Cj
		test	al, 1
		jnz	loc_833D00
		cmp	edi, 0FFFFFFFFh
		jz	short loc_833C95

loc_833C71:				; CODE XREF: AlpcpAllocateFromBitmap+70j
		inc	esi
		cmp	esi, edx
		jz	short loc_833CA2

loc_833C76:				; CODE XREF: AlpcpAllocateFromBitmap+D5j
		inc	ecx
		shr	eax, 1
		cmp	ecx, 20h
		jb	short loc_833C64
		mov	ecx, [ebp+var_C]
		add	[ebp+var_8], 4
		add	ecx, 4
		mov	[ebp+var_C], ecx
		cmp	ecx, [ebp+var_10]
		jnz	short loc_833C60
		jmp	loc_924061
; 

loc_833C95:				; CODE XREF: AlpcpAllocateFromBitmap+3Fj
		mov	edi, [ebp+var_8]
		sar	edi, 2
		shl	edi, 5
		add	edi, ecx
		jmp	short loc_833C71
; 

loc_833CA2:				; CODE XREF: AlpcpAllocateFromBitmap+44j
		mov	eax, edi
		shr	eax, 5
		lea	eax, [ebx+eax*4]
		mov	ebx, 1
		mov	[ebp+var_4], eax
		mov	eax, edi
		and	eax, 1Fh
		ja	short loc_833D0A
		mov	eax, [ebp+var_4]

loc_833CBC:				; CODE XREF: AlpcpAllocateFromBitmap+133j
		cmp	esi, 20h
		jnb	loc_92400F

loc_833CC5:				; CODE XREF: AlpcpAllocateFromBitmap+F041Dj
		test	esi, esi
		jz	short loc_833CF5
		mov	eax, [eax]
		mov	ecx, esi
		shl	ebx, cl
		dec	ebx
		mov	[ebp+var_10], eax
		test	eax, ebx
		jnz	loc_833D75
		jmp	short loc_833CE0
; 
		align 10h

loc_833CE0:				; CODE XREF: AlpcpAllocateFromBitmap+ABj
					; AlpcpAllocateFromBitmap+13Fj
		mov	edx, [ebp+var_4]
		mov	ecx, eax
		or	ecx, ebx
		lock cmpxchg [edx], ecx
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		cmp	ecx, [ebp+var_10]
		jnz	short loc_833D68

loc_833CF5:				; CODE XREF: AlpcpAllocateFromBitmap+97j
		mov	eax, edi

loc_833CF7:				; CODE XREF: AlpcpAllocateFromBitmap+F0434j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_833D00:				; CODE XREF: AlpcpAllocateFromBitmap+36j
		or	edi, 0FFFFFFFFh
		xor	esi, esi
		jmp	loc_833C76
; 

loc_833D0A:				; CODE XREF: AlpcpAllocateFromBitmap+87j
		mov	ecx, 20h
		sub	ecx, eax
		mov	[ebp+var_10], ecx
		cmp	esi, ecx
		jnb	short loc_833D1D
		mov	ecx, esi
		mov	[ebp+var_10], esi

loc_833D1D:				; CODE XREF: AlpcpAllocateFromBitmap+E6j
		mov	[ebp+var_8], ebx
		shl	[ebp+var_8], cl
		mov	ecx, eax
		mov	eax, [ebp+var_4]
		dec	[ebp+var_8]
		shl	[ebp+var_8], cl
		mov	ecx, [eax]
		mov	eax, [ebp+var_8]
		mov	[ebp+var_C], ecx
		test	ecx, eax
		jnz	short loc_833D7D
		lea	ebx, [ebx+0]

loc_833D40:				; CODE XREF: AlpcpAllocateFromBitmap+168j
		mov	edx, [ebp+var_4]
		or	ecx, eax
		mov	eax, [ebp+var_C]
		lock cmpxchg [edx], ecx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_14], eax
		cmp	eax, [ebp+var_C]
		jnz	short loc_833D8B
		mov	eax, [ebp+var_4]
		sub	esi, [ebp+var_10]
		add	eax, 4
		mov	[ebp+var_4], eax
		jmp	loc_833CBC
; 

loc_833D68:				; CODE XREF: AlpcpAllocateFromBitmap+C3j
		mov	[ebp+var_10], ecx
		mov	eax, ecx
		test	ecx, ebx
		jz	loc_833CE0

loc_833D75:				; CODE XREF: AlpcpAllocateFromBitmap+A5j
					; AlpcpAllocateFromBitmap+F03E6j ...
		sub	edx, esi
		jnz	loc_924052

loc_833D7D:				; CODE XREF: AlpcpAllocateFromBitmap+108j
					; AlpcpAllocateFromBitmap+166j	...
		pop	edi
		pop	esi
		mov	eax, 0FFFFFFFEh
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_833D8B:				; CODE XREF: AlpcpAllocateFromBitmap+125j
		mov	ecx, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]
		test	[ebp+var_14], eax
		jnz	short loc_833D7D
		jmp	short loc_833D40
AlpcpAllocateFromBitmap	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpGetDataFromUserVaSafe proc	near	; CODE XREF: AlpcpProcessConnectionRequest+26Fp
					; AlpcpReceiveLegacyConnectionReply:loc_7B0FEFp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	10h
		push	offset dword_6A6780
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		and	[ebp+ms_exc.disabled], 0
		movzx	eax, word ptr [ecx+80h]
		push	eax		; size_t
		push	dword ptr [ecx+60h] ; void *
		push	edx		; void *
		call	_memcpy

loc_833DC1:				; CODE XREF: sub_92406D+18j
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
AlpcpGetDataFromUserVaSafe endp

; 
		align 4

;  S U B	R O U T	I N E 


FsRtlpOplockUpperLowerCompatible proc near
					; CODE XREF: FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)+24Ap
					; LdrpGetResourceFileName+363p	...

; FUNCTION CHUNK AT 0092408A SIZE 00000038 BYTES

		xor	eax, eax
		inc	eax
		and	ecx, 1701Eh
		jz	short locret_833E19
		cmp	ecx, 10000h
		jz	short locret_833E19
		push	esi
		push	edi
		test	edx, edx
		jz	short loc_833E23
		mov	esi, 1000h
		cmp	edx, esi
		jz	loc_9240AC
		mov	edi, 3000h
		cmp	edx, edi
		jz	short loc_833E1A
		cmp	edx, 5000h
		jz	loc_92408A

loc_833E17:				; CODE XREF: FsRtlpOplockUpperLowerCompatible+40j
					; FsRtlpOplockUpperLowerCompatible+49j	...
		pop	edi
		pop	esi

locret_833E19:				; CODE XREF: FsRtlpOplockUpperLowerCompatible+9j
					; FsRtlpOplockUpperLowerCompatible+11j
		retn
; 

loc_833E1A:				; CODE XREF: FsRtlpOplockUpperLowerCompatible+2Dj
		cmp	ecx, edi
		jz	short loc_833E17
		jmp	loc_9240AC
; 

loc_833E23:				; CODE XREF: FsRtlpOplockUpperLowerCompatible+17j
					; FsRtlpOplockUpperLowerCompatible+F02B4j ...
		xor	al, al
		jmp	short loc_833E17
FsRtlpOplockUpperLowerCompatible endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpOplockFsctrlInternal proc	near	; CODE XREF: FsRtlOplockFsctrlEx(x,x,x,x)+16p
					; FsRtlOplockFsctrl(x,x,x)+15p	...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00834142 SIZE 00000015 BYTES
; FUNCTION CHUNK AT 009240C2 SIZE 00000049 BYTES
; FUNCTION CHUNK AT 00924136 SIZE 0000006F BYTES
; FUNCTION CHUNK AT 009241F5 SIZE 00000180 BYTES
; FUNCTION CHUNK AT 00924396 SIZE 00000117 BYTES
; FUNCTION CHUNK AT 009244D4 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A67C0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	ebx, edx
		mov	[ebp+var_20], ecx
		xor	edi, edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_1C], edi
		mov	esi, [ebx+60h]
		cmp	byte ptr [esi],	0
		jz	loc_834009
		mov	edi, 2
		mov	eax, [esi+0Ch]
		cmp	eax, 90240h
		jnz	loc_8340C5
		mov	edi, [ebx+0Ch]
		mov	[ebp+var_28], edi
		cmp	dword ptr [esi+8], 0Ch
		jb	loc_9244D4
		cmp	dword ptr [esi+4], 18h
		jb	loc_9244D4
		cmp	word ptr [edi],	1
		ja	sub_9241DB
		mov	eax, [edi+8]
		test	al, 1
		jz	loc_924396
		mov	eax, [edi+4]
		mov	[ebp+var_38], eax
		mov	edi, eax
		and	edi, 1
		jz	loc_9241F5
		mov	[ebp+var_2C], 1000h

loc_833ED5:				; CODE XREF: FsRtlpOplockFsctrlInternal+F03CCj
		mov	edx, eax
		and	edx, 4
		mov	[ebp+var_30], edx
		jnz	loc_924201
		xor	edx, edx

loc_833EE5:				; CODE XREF: FsRtlpOplockFsctrlInternal+F03D6j
		and	eax, 2
		mov	[ebp+var_34], eax
		jz	loc_92420B
		mov	eax, 2000h

loc_833EF6:				; CODE XREF: FsRtlpOplockFsctrlInternal+F03DDj
		or	eax, edx
		or	eax, [ebp+var_2C]
		cmp	eax, 3000h
		jnz	loc_924212

loc_833F06:				; CODE XREF: FsRtlpOplockFsctrlInternal+F03FCj
		cmp	[ebp+arg_0], 0
		jnz	loc_834142
		push	ebx
		call	_IoIsOperationSynchronous@4 ; IoIsOperationSynchronous(x)
		test	al, al
		jnz	loc_834142
		mov	eax, [esi+18h]
		test	dword ptr [eax+2Ch], 4000h
		jnz	loc_834142
		mov	[ebp+var_4], 1
		test	edi, edi
		jz	loc_92432F
		mov	edi, 1000h

loc_833F42:				; CODE XREF: FsRtlpOplockFsctrlInternal+F0501j
		cmp	[ebp+var_30], 0
		jnz	loc_924336
		xor	edx, edx

loc_833F4E:				; CODE XREF: FsRtlpOplockFsctrlInternal+F050Bj
		cmp	[ebp+var_34], 0
		jz	loc_924340
		mov	eax, 2000h

loc_833F5D:				; CODE XREF: FsRtlpOplockFsctrlInternal+F0512j
		or	eax, edx
		or	eax, edi
		test	eax, 2000h
		jz	loc_924347
		push	6F725346h
		push	24h
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_1C], edi
		mov	ecx, 9
		xor	eax, eax
		rep stosd
		mov	eax, [ebp+var_28]
		mov	ecx, [eax+4]
		mov	eax, [ebp+var_1C]

loc_833F91:				; CODE XREF: FsRtlpOplockFsctrlInternal+F051Cj
		test	eax, eax
		jz	loc_924351
		lea	eax, [ebp+var_1C]
		mov	[ebp+arg_0], eax

loc_833F9F:				; CODE XREF: FsRtlpOplockFsctrlInternal+F0528j
		test	cl, 1
		jz	loc_92435D
		mov	edi, 1000h

loc_833FAD:				; CODE XREF: FsRtlpOplockFsctrlInternal+F052Fj
		test	cl, 4
		jnz	loc_924364
		xor	edx, edx

loc_833FB8:				; CODE XREF: FsRtlpOplockFsctrlInternal+F0539j
		test	cl, 2
		jz	loc_92436E
		mov	eax, 2000h

loc_833FC6:				; CODE XREF: FsRtlpOplockFsctrlInternal+F0540j
		push	[ebp+arg_8]
		push	0
		push	1
		push	[ebp+arg_0]
		or	eax, edx
		or	eax, edi
		push	eax
		push	ebx
		mov	edx, esi
		mov	esi, [ebp+var_20]
		mov	ecx, esi
		call	_FsRtlpRequestShareableOplock@32 ; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_24], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		call	sub_834122

loc_833FF3:				; CODE XREF: FsRtlpOplockFsctrlInternal+1ECj
					; FsRtlpOplockFsctrlInternal+1FCj ...
		mov	eax, edi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_834009:				; CODE XREF: FsRtlpOplockFsctrlInternal+45j
		mov	eax, [esi+8]
		test	eax, 100000h
		jnz	loc_9240C2
		test	eax, 10000h
		jz	short loc_833FF3
		mov	ecx, ebx
		call	FsRtlpAttachOplockKey
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		jnz	short loc_833FF3
		mov	edi, [ebp+var_20]
		mov	eax, [edi]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_8340B6

loc_83403A:				; CODE XREF: FsRtlpOplockFsctrlInternal+290j
		mov	[ebp+arg_4], eax
		mov	[ebp+var_4], 0
		mov	ecx, [eax+4Ch]
		call	ExAcquireFastMutexUnsafe
		push	0
		push	0
		push	0
		push	30000000h
		push	ebx
		push	edi
		call	_FsRtlCheckOplockEx@24 ; FsRtlCheckOplockEx(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		jnz	short loc_8340A2
		push	6F725346h
		push	24h
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_1C], edi
		mov	ecx, 9
		xor	eax, eax
		rep stosd
		push	[ebp+arg_8]
		push	eax
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	10000h
		push	0
		mov	edx, esi
		mov	ecx, [ebp+var_20]
		call	_FsRtlpRequestShareableOplock@32 ; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_24], edi

loc_8340A2:				; CODE XREF: FsRtlpOplockFsctrlInternal+235j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [ebp+arg_0]
		call	sub_83412E
		jmp	loc_833FF3
; 

loc_8340B6:				; CODE XREF: FsRtlpOplockFsctrlInternal+208j
		call	FsRtlpAllocateOplock
		mov	[ebp+arg_0], eax
		mov	[edi], eax
		jmp	loc_83403A
; 

loc_8340C5:				; CODE XREF: FsRtlpOplockFsctrlInternal+58j
		sub	eax, 90000h
		cmp	eax, 5Ch
		ja	sub_9241DB
		movzx	eax, ds:byte_83417C[eax]
		jmp	ds:off_834158[eax*4]

loc_8340E1:				; CODE XREF: sub_92412C+5j
					; DATA XREF: PAGE:00834160o
		add	edi, edi

loc_8340E3:				; CODE XREF: FsRtlpOplockFsctrlInternal+2AAj
					; DATA XREF: PAGE:off_834158o
		cmp	[ebp+arg_0], 1
		jnz	short loc_834142
		push	ebx
		call	_IoIsOperationSynchronous@4 ; IoIsOperationSynchronous(x)
		test	al, al
		jnz	short loc_834142
		test	byte ptr [ebx+8], 40h
		jnz	short loc_834142
		mov	eax, [esi+18h]
		test	dword ptr [eax+2Ch], 4000h
		jnz	short loc_834142
		push	[ebp+arg_8]
		or	edi, 40h
		push	edi
		push	0
		push	1
		push	ebx
		mov	edx, esi
		mov	ecx, [ebp+var_20]
		call	_FsRtlpRequestExclusiveOplock@28 ; FsRtlpRequestExclusiveOplock(x,x,x,x,x,x,x)
		mov	edi, eax
		jmp	loc_833FF3
FsRtlpOplockFsctrlInternal endp


;  S U B	R O U T	I N E 


sub_834122	proc near		; CODE XREF: FsRtlpOplockFsctrlInternal+1BEp
					; sub_924375+6j

; FUNCTION CHUNK AT 00924380 SIZE 00000016 BYTES

		mov	edx, [ebp-1Ch]
		test	edx, edx
		jnz	loc_924380

locret_83412D:				; CODE XREF: sub_834122+F026Fj
		retn
sub_834122	endp


;  S U B	R O U T	I N E 


sub_83412E	proc near		; CODE XREF: FsRtlpOplockFsctrlInternal+27Cp
					; sub_92410B+6j

; FUNCTION CHUNK AT 00924116 SIZE 00000016 BYTES

		mov	edx, [ebp-1Ch]
		test	edx, edx
		jnz	loc_924116

loc_834139:				; CODE XREF: sub_83412E+EFFF9j
		mov	ecx, [esi+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		retn
sub_83412E	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlpOplockFsctrlInternal

loc_834142:				; CODE XREF: FsRtlpOplockFsctrlInternal+DAj
					; FsRtlpOplockFsctrlInternal+E8j ...
		mov	dword ptr [ebx+18h], 0C00000E2h
		mov	dl, 1
		mov	ecx, ebx
		call	IofCompleteRequest
		jmp	loc_924136
; END OF FUNCTION CHUNK	FOR FsRtlpOplockFsctrlInternal
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_9. PRESS KEYPAD "+" TO EXPAND]
off_834158	dd offset loc_8340E3	; DATA XREF: FsRtlpOplockFsctrlInternal+2AAr
		dd offset loc_924140
		dd offset loc_8340E1
		dd offset loc_92418F
		dd offset sub_9241BB
		dd offset sub_9241CC
		dd offset sub_9241A5
		dd offset sub_92412C
		dd offset sub_9241DB
byte_83417C	db 0			; DATA XREF: FsRtlpOplockFsctrlInternal+2A3r
		db 3 dup(8)
		dd 8080801h, 8080802h, 8080803h, 8080804h, 8080805h, 0Eh dup(8080808h)
		dd 8080806h, 2 dup(8080808h), 0CCCCCC07h, 0CCCCCCCCh
; 

; __stdcall EtwpAddUmRegEntry(x, x, x, x, x, x)
_EtwpAddUmRegEntry@24:			; CODE XREF: EtwpRegisterUMGuid+165p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	0
		lea	eax, [ebp-4]
		mov	[ebp-8], edx
		mov	edx, ds:_EtwpRegistrationObjectType
		mov	ebx, ecx
		push	eax
		push	0
		push	0
		push	3Ch
		push	ecx
		push	1
		lea	eax, [ebp-24h]
		mov	dword ptr [ebp-0Ch], 0
		push	eax
		xor	cl, cl
		mov	dword ptr [ebp-4], 0
		mov	dword ptr [ebp-24h], 18h
		mov	dword ptr [ebp-20h], 0
		mov	dword ptr [ebp-18h], 40h
		mov	dword ptr [ebp-1Ch], 0
		mov	dword ptr [ebp-14h], 0
		mov	dword ptr [ebp-10h], 0
		call	ObCreateObjectEx
		mov	esi, eax
		test	esi, esi
		js	loc_83430C
		push	3Ch
		push	0
		push	dword ptr [ebp-4]
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		mov	edx, 52777445h
		mov	esi, [eax+80h]
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	edi, [ebp-4]
		mov	eax, 2
		mov	[edi+28h], esi
		lea	esi, [edi+32h]
		lock or	[esi], ax
		cmp	[ebp-8], eax
		jz	loc_834317

loc_834294:				; CODE XREF: PAGE:00834320j
		mov	ax, [ebp+8]
		mov	ecx, ebx
		mov	[edi+30h], ax
		mov	eax, [ebp+0Ch]
		mov	[edi+2Ch], eax
		call	EtwpReferenceGuidEntry
		mov	[edi+10h], ebx
		add	ebx, 24h
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	short loc_834325
		mov	[edi], eax
		mov	[edi+4], ebx
		mov	[eax+4], edi
		lea	eax, [edi+8]
		mov	[ebx], edi
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, 80h
		lock or	[esi], ax
		mov	eax, ds:_EtwpRegistrationObjectType
		push	0
		push	eax
		push	0
		push	edi
		call	ObReferenceObjectByPointer
		push	dword ptr [ebp+14h]
		lea	eax, [ebp-0Ch]
		xor	edx, edx
		push	eax
		push	0
		push	1
		push	804h
		mov	ecx, edi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+10h]
		mov	[eax], edi
		test	esi, esi
		js	short loc_83430C
		mov	ecx, edi
		call	ObfDereferenceObject

loc_83430C:				; CODE XREF: PAGE:0083424Cj
					; PAGE:00834303j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_834317:				; CODE XREF: PAGE:0083428Ej
		mov	eax, 8
		lock or	[esi], ax
		jmp	loc_834294
; 

loc_834325:				; CODE XREF: PAGE:008342B4j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 1601. NtTraceControl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtTraceControl(int,void	*,int,void *,int,int)
		public _NtTraceControl@24
_NtTraceControl@24 proc	near		; CODE XREF: PerfDiagpProxyWorker+9Dp
					; PerfDiagpSaveActiveDCLLogFileName+8Dp ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A67F8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 48h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		xor	edi, edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		call	_EtwpGetCurrentSiloState@0 ; EtwpGetCurrentSiloState()
		mov	[ebp+var_24], eax
		xor	al, al
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_2C], al
		test	bl, bl
		mov	ebx, [ebp+arg_0]
		jz	loc_834428
		test	ebx, ebx
		jns	short loc_8343B7
		mov	[ebp+var_19], 1
		and	ebx, 7FFFFFFFh
		mov	[ebp+arg_0], ebx
		jmp	short loc_8343BA
; 

loc_8343B7:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+66j
		mov	[ebp+var_19], al

loc_8343BA:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+75j
		mov	[ebp+var_4], edi
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_8343E1
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_8343E8
		lea	edx, [eax+ecx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_8343DC
		cmp	edx, eax
		jnb	short loc_8343E8

loc_8343DC:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+96j
		mov	byte ptr [ecx],	0
		jmp	short loc_8343E8
; 

loc_8343E1:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+82j
		mov	[ebp+arg_8], 0

loc_8343E8:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+89j
					; NtTraceControl(x,x,x,x,x,x)+9Aj ...
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_8343FC
		push	1
		push	[ebp+arg_10]
		push	eax
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		jmp	short loc_834403
; 

loc_8343FC:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+ADj
		mov	[ebp+arg_10], 0

loc_834403:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+BAj
		mov	edx, [ebp+arg_14]
		test	edx, edx
		jz	short loc_83447D
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_834417
		mov	ecx, eax

loc_834417:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+D3j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	al, [ebp+var_19]
		mov	byte ptr [ebp+var_2C], al

loc_834428:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+5Ej
		cmp	ebx, 1Bh
		jz	loc_8344F2
		cmp	ebx, 0Eh
		jz	loc_8344F2
		cmp	ebx, 0Ch
		jz	loc_8344F2
		mov	ebx, [ebp+arg_8]
		mov	esi, [ebp+arg_10]
		test	ebx, ebx
		jnz	short loc_834455
		test	esi, esi
		jz	loc_8344F8

loc_834455:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+10Bj
		cmp	ebx, esi
		mov	eax, ebx
		ja	short loc_83445D
		mov	eax, esi

loc_83445D:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+119j
		push	50777445h
		push	eax
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	edi, eax
		mov	[ebp+var_28], edi
		test	edi, edi
		jnz	short loc_8344AC
		mov	esi, 0C0000017h
		jmp	loc_834C4B
; 

loc_83447D:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+C8j
		mov	esi, 0C000000Dh
		mov	[ebp+var_3C], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_834C4B
; 

loc_834491:				; DATA XREF: .text:006A680Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		mov	eax, 1
		retn
; 

loc_8344A1:				; DATA XREF: .text:006A6810o
		mov	esi, [ebp-38h]
		mov	[ebp-3Ch], esi
		jmp	loc_834C3E
; 

loc_8344AC:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+131j
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_8344FB
		mov	[ebp+var_4], 1
		push	ebx		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_8344F8
; 

loc_8344DA:				; DATA XREF: .text:006A6818o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		mov	eax, 1
		retn
; 

loc_8344EA:				; DATA XREF: .text:006A681Co
		mov	esi, [ebp-40h]
		jmp	loc_834C3E
; 

loc_8344F2:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+EBj
					; NtTraceControl(x,x,x,x,x,x)+F4j ...
		mov	esi, [ebp+arg_10]
		mov	ebx, [ebp+arg_8]

loc_8344F8:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+10Fj
					; NtTraceControl(x,x,x,x,x,x)+198j
		mov	ecx, [ebp+arg_4]

loc_8344FB:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+17Dj
		mov	eax, [ebp+arg_0]
		dec	eax
		mov	[ebp+arg_4], eax
		cmp	eax, 2Ah	; switch 43 cases
		ja	loc_834BA0	; default
		jmp	ds:off_834C70[eax*4] ; switch jump

loc_834512:				; DATA XREF: PAGE:off_834C70o
		push	esi		; case 0x0
		mov	edx, ebx
		mov	ecx, edi
		call	_EtwpValidateUserModeLoggerInfo@12 ; EtwpValidateUserModeLoggerInfo(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_834BA5
		mov	eax, [ebp+arg_4]
		cmp	eax, 6		; switch 7 cases
		ja	loc_8345EA	; default
		jmp	ds:off_834D1C[eax*4] ; switch jump

loc_834539:				; DATA XREF: PAGE:off_834D1Co
		mov	esi, [edi+50h]	; case 0x0
		and	esi, 0FFFFFFFEh
		movzx	eax, [ebp+var_19]
		cdq
		or	esi, eax
		or	[edi+54h], edx
		mov	[edi+50h], esi
		mov	edx, edi
		mov	ecx, [ebp+var_24]
		call	_EtwpStartTrace@8 ; EtwpStartTrace(x,x)
		mov	esi, eax
		mov	[ebp+var_20], 0B0h
		jmp	loc_834BA5
; 

loc_834564:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1F2j
					; DATA XREF: PAGE:off_834D1Co
		push	0		; case 0x1
		mov	edx, edi
		mov	ecx, [ebp+var_24]
		call	EtwpStopTrace
		mov	esi, eax
		mov	[ebp+var_20], 0B0h
		jmp	loc_834BA5
; 

loc_83457E:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1F2j
					; DATA XREF: PAGE:off_834D1Co
		mov	edx, edi	; case 0x2
		mov	ecx, [ebp+var_24]
		call	_EtwpQueryTrace@8 ; EtwpQueryTrace(x,x)
		mov	esi, eax
		mov	[ebp+var_20], 0B0h
		jmp	loc_834BA5
; 

loc_834596:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1F2j
					; DATA XREF: PAGE:off_834D1Co
		mov	edx, edi	; case 0x3
		mov	ecx, [ebp+var_24]
		call	EtwpUpdateTrace
		mov	esi, eax
		mov	[ebp+var_20], 0B0h
		jmp	loc_834BA5
; 

loc_8345AE:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1F2j
					; DATA XREF: PAGE:off_834D1Co
		mov	edx, edi	; case 0x4
		mov	ecx, [ebp+var_24]
		call	EtwpFlushTrace
		mov	esi, eax
		mov	[ebp+var_20], 0B0h
		jmp	loc_834BA5
; 

loc_8345C6:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1F2j
					; DATA XREF: PAGE:off_834D1Co
		mov	edx, edi	; case 0x5
		mov	ecx, [ebp+var_24]
		call	_EtwpIncrementTraceFile@8 ; EtwpIncrementTraceFile(x,x)
		mov	esi, eax
		mov	[ebp+var_20], 0B0h
		jmp	loc_834BA5
; 

loc_8345DE:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1F2j
					; DATA XREF: PAGE:off_834D1Co
		mov	edx, edi	; case 0x6
		mov	ecx, [ebp+var_24]
		call	_EtwpTransitionToRealtime@8 ; EtwpTransitionToRealtime(x,x)
		mov	esi, eax

loc_8345EA:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1ECj
		mov	[ebp+var_20], 0B0h ; default
		jmp	loc_834BA5
; 

loc_8345F6:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 0A0h	; case 0xE
		jnz	loc_83478E
		lea	eax, [esi-0A0h]
		cmp	eax, 0FF60h
		ja	loc_83478E
		lea	eax, [ebp+var_20]
		push	eax		; int
		push	[ebp+var_2C]	; char
		push	esi		; int
		mov	edx, edi	; void *
		mov	ecx, [ebp+var_24] ; int
		call	EtwpRegisterUMGuid
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_83462C:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 8		; case 0x19
		jnz	loc_83478E
		mov	edx, edi
		mov	ecx, [ebp+var_24]
		call	EtwpTrackProviderBinary
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_834646:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		test	ebx, ebx	; case 0xF
		jnz	loc_83478E
		lea	eax, [esi-48h]
		cmp	eax, 0FFB8h
		ja	loc_83478E
		lea	eax, [ebp+var_20]
		push	eax		; int
		push	[ebp+var_2C]	; void *
		mov	edx, esi
		mov	ecx, edi
		call	EtwpReceiveNotification
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_834673:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 48h	; case 0x10
		jb	loc_83478E
		cmp	esi, 48h
		jnz	loc_83478E
		cmp	[edi+4], ebx
		jnz	loc_83478E
		cmp	dword ptr [edi], 3
		jnz	short loc_8346B6
		cmp	ebx, 78h
		jb	loc_83478E
		push	1
		mov	edx, edi
		mov	ecx, [ebp+var_24]
		call	EtwpEnableGuid
		mov	esi, eax
		mov	[ebp+var_20], 48h
		jmp	loc_834BA5
; 

loc_8346B6:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+351j
		push	1
		mov	edx, edi
		mov	ecx, [ebp+var_24]
		call	_EtwpNotifyGuid@12 ; EtwpNotifyGuid(x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], 48h
		jmp	loc_834BA5
; 

loc_8346D0:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 48h	; case 0x11
		jb	loc_83478E
		cmp	[edi+4], ebx
		jnz	loc_83478E
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		mov	[edi+24h], eax
		mov	ecx, edi
		call	_EtwpSendReplyDataBlock@4 ; EtwpSendReplyDataBlock(x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_8346F8:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 8		; case 0x12
		jnz	loc_83478E
		mov	[ebp+var_30], 0
		lea	eax, [ebp+var_30]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	EtwpReceiveReplyDataBlock
		mov	esi, eax
		mov	eax, [ebp+var_30]
		mov	[ebp+var_20], eax
		jmp	loc_834BA5
; 

loc_834722:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 60h	; case 0xA
		jnz	short loc_83478E
		cmp	esi, ebx
		jnz	short loc_83478E
		mov	ecx, edi
		call	EtwpRealtimeConnect
		mov	esi, eax
		mov	[ebp+var_20], ebx
		jmp	loc_834BA5
; 

loc_83473C:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 8		; case 0xD
		jnz	short loc_83478E
		test	esi, esi
		jnz	short loc_83478E
		mov	[ebp+var_4], 2
		mov	ecx, [ecx]
		mov	[ebp+var_54], ecx
		mov	[ebp+var_4], 0FFFFFFFEh
		call	_EtwpRealtimeDisconnectConsumerByHandle@4 ; EtwpRealtimeDisconnectConsumerByHandle(x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_834764:				; DATA XREF: .text:006A6824o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		mov	eax, 1
		retn
; 

loc_834774:				; DATA XREF: .text:006A6828o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-44h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-28h]
		jmp	loc_834BA5
; 

loc_834789:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	esi, 10h	; case 0xB
		jz	short loc_834798

loc_83478E:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+2BCj
					; NtTraceControl(x,x,x,x,x,x)+2CDj ...
		mov	esi, 0C000000Dh
		jmp	loc_834BA5
; 

loc_834798:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+44Cj
		xor	esi, esi
		mov	[ebp+var_4], 3
		mov	ecx, [ebp+arg_C]
		call	_EtwpCreateActivityId@4	; EtwpCreateActivityId(x)
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_834BA5
; 

loc_8347B5:				; DATA XREF: .text:006A6830o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		mov	eax, 1
		retn
; 

loc_8347C5:				; DATA XREF: .text:006A6834o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-48h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-28h]
		jmp	loc_834BA5
; 

loc_8347DA:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 30h	; case 0xC
		jnz	short loc_83478E
		test	esi, esi
		jnz	short loc_83478E
		mov	ecx, edi
		call	_WdiDispatchControl@4 ;	WdiDispatchControl(x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_8347F1:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		test	ebx, ebx	; case 0x13
		jnz	short loc_83478E
		test	esi, esi
		jnz	short loc_83478E
		call	_WdiUpdateSem@0	; WdiUpdateSem()
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_834805:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		mov	[ebp+var_20], esi ; case 0x14
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, edi
		mov	ecx, [ebp+var_24]
		call	_EtwpGetTraceGuidList@12 ; EtwpGetTraceGuidList(x,x,x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_83481D:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 10h	; case 0x15
		jnz	loc_83478E
		mov	[ebp+var_20], esi
		lea	eax, [ebp+var_20]
		push	eax		; int
		push	edi		; void *
		mov	edx, edi
		mov	ecx, [ebp+var_24]
		call	_EtwpGetTraceGuidInfo@16 ; EtwpGetTraceGuidInfo(x,x,x,x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_83483F:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		mov	[ebp+var_20], esi ; case 0x1F
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, edi
		mov	ecx, [ebp+var_24]
		call	_EtwpGetTraceGroupList@12 ; EtwpGetTraceGroupList(x,x,x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_834857:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 10h	; case 0x20
		jnz	loc_83478E
		mov	[ebp+var_20], esi
		lea	eax, [ebp+var_20]
		push	eax		; int
		push	edi		; void *
		mov	edx, edi
		mov	ecx, [ebp+var_24]
		call	_EtwpGetTraceGroupInfo@16 ; EtwpGetTraceGroupInfo(x,x,x,x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_834879:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 8		; case 0x21
		jnz	loc_83478E
		mov	[ebp+var_20], esi
		lea	eax, [ebp+var_20]
		push	eax		; int
		push	edi		; void *
		mov	edx, edi
		mov	ecx, [ebp+var_24]
		call	_EtwpGetDisallowList@16	; EtwpGetDisallowList(x,x,x,x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_83489B:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		mov	[ebp+var_20], esi ; case 0x16
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, edi
		mov	ecx, [ebp+var_24]
		call	_EtwpEnumerateTraceGuids@12 ; EtwpEnumerateTraceGuids(x,x,x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_8348B3:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		test	ebx, ebx	; case 0x17
		jnz	loc_83478E
		test	esi, esi
		jnz	loc_83478E
		mov	ecx, [ebp+var_24]
		call	_EtwpRegisterSecurityProvider@4	; EtwpRegisterSecurityProvider(x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_8348D2:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 4		; case 0x18
		jnz	loc_83478E
		cmp	esi, 10h
		jnz	loc_83478E
		mov	edx, [edi]
		push	edi
		mov	ecx, [ebp+var_24]
		call	_EtwpQueryReferenceTime@12 ; EtwpQueryReferenceTime(x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], 10h
		jmp	loc_834BA5
; 

loc_8348FD:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 4		; case 0x1A
		jnz	loc_83478E
		mov	[ebp+var_4], ebx
		mov	ecx, [ecx]
		mov	[ebp+var_58], ecx
		mov	[ebp+var_4], 0FFFFFFFEh
		test	ecx, ecx
		jz	loc_83478E
		mov	dl, [ebp+var_19]
		call	_EtwpAddNotificationEvent@8 ; EtwpAddNotificationEvent(x,x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_83492C:				; DATA XREF: .text:006A683Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		mov	eax, 1
		retn
; 

loc_83493C:				; DATA XREF: .text:006A6840o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-4Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-28h]
		jmp	loc_834BA5
; 

loc_834951:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 8		; case 0x1B
		jb	loc_83478E
		mov	edx, [edi+4]
		mov	eax, edx
		shl	eax, 4
		add	eax, 8
		cmp	eax, ebx
		jnz	loc_83478E
		mov	ecx, edx
		lea	eax, [edi+8]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		push	ecx
		push	edx
		mov	edx, [edi]
		mov	ecx, [ebp+var_24]
		call	_EtwpUpdateDisallowList@16 ; EtwpUpdateDisallowList(x,x,x,x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_83498B:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 18h	; case 0x1D
		jnz	loc_83478E
		lea	eax, [esi-78h]
		cmp	eax, 0FF88h
		ja	loc_83478E
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpSetProviderTraitsUm@12 ; EtwpSetProviderTraitsUm(x,x,x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_8349B6:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 10h	; case 0x1E
		jnz	loc_83478E
		test	esi, esi
		jnz	loc_83478E
		mov	ecx, edi
		call	_EtwpUseDescriptorTypeUm@4 ; EtwpUseDescriptorTypeUm(x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_8349D5:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 10h	; case 0x22
		jnz	loc_83478E
		test	esi, esi
		jnz	loc_83478E
		mov	ecx, edi
		call	_EtwpSetCompressionSettings@4 ;	EtwpSetCompressionSettings(x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_8349F4:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 8		; case 0x23
		jnz	loc_83478E
		cmp	esi, 10h
		jnz	loc_83478E
		mov	[ebp+var_20], esi
		mov	edx, edi
		mov	ecx, edi
		call	_EtwpGetCompressionSettings@8 ;	EtwpGetCompressionSettings(x,x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_834A19:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 0Ch	; case 0x24
		jb	loc_83478E
		movzx	edx, word ptr [edi+8]
		cmp	edx, 10h
		jbe	short loc_834A35
		mov	esi, 0C000000Dh
		jmp	loc_834BA5
; 

loc_834A35:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+6E9j
		mov	esi, [edi+4]
		test	esi, esi
		jz	short loc_834A4B
		cmp	esi, 5
		jnb	short loc_834A4B
		mov	esi, 0C000000Dh
		jmp	loc_834BA5
; 

loc_834A4B:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+6FAj
					; NtTraceControl(x,x,x,x,x,x)+6FFj
		test	dx, dx
		jnz	short loc_834A5D
		test	esi, esi
		jnz	loc_83478E
		test	dx, dx
		jz	short loc_834A6B

loc_834A5D:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+70Ej
		test	esi, esi
		jnz	short loc_834A6B
		mov	esi, 0C000000Dh
		jmp	loc_834BA5
; 

loc_834A6B:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+71Bj
					; NtTraceControl(x,x,x,x,x,x)+71Fj
		mov	eax, edx
		shl	eax, 4
		add	eax, 0Ch
		cmp	eax, ebx
		jnz	loc_83478E
		lea	eax, [edi+0Ch]
		mov	ecx, edx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		push	ecx
		push	edx
		mov	edx, esi
		mov	ecx, [edi]
		call	_EtwpUpdatePeriodicCaptureState@16 ; EtwpUpdatePeriodicCaptureState(x,x,x,x)
		mov	esi, eax
		jmp	loc_834BA5
; 

loc_834A98:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 8		; case 0x25
		jb	loc_83478E
		test	bl, 7
		jnz	loc_83478E
		cmp	esi, 2
		jb	loc_83478E
		shr	ebx, 3
		mov	[ebp+var_34], 0
		lea	eax, [ebp+var_34]
		push	eax
		mov	edx, ebx
		mov	ecx, edi
		call	_EtwpGetPrivateSessionTraceHandle@12 ; EtwpGetPrivateSessionTraceHandle(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_834BA5
		mov	[ebp+var_20], 2
		mov	ax, word ptr [ebp+var_34]
		mov	[edi], ax
		jmp	loc_834BA5
; 

loc_834AE7:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 2		; case 0x26
		jb	loc_83478E
		cmp	esi, 8
		jb	loc_83478E
		push	edi
		lea	eax, [edi+4]
		push	eax
		call	_EtwpGetCurrentSiloState@0 ; EtwpGetCurrentSiloState()
		mov	dx, [edi]
		mov	ecx, eax
		call	_EtwpRegisterPrivateSession@16 ; EtwpRegisterPrivateSession(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_834BA5
		mov	[ebp+var_20], 8
		jmp	loc_834BA5
; 

loc_834B23:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 4		; case 0x27
		jb	loc_83478E
		cmp	esi, 2
		jb	loc_83478E
		mov	edx, edi
		mov	ecx, [edi]
		call	_EtwpQuerySessionDemuxObject@8 ; EtwpQuerySessionDemuxObject(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_834BA5
		mov	[ebp+var_20], 2
		jmp	short loc_834BA5
; 

loc_834B4D:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	ebx, 8		; case 0x28
		jb	loc_83478E
		movzx	eax, byte ptr [edi+4]
		push	eax
		mov	edx, [edi]
		mov	ecx, [ebp+var_24]
		call	_EtwpSetProviderBinaryTracking@12 ; EtwpSetProviderBinaryTracking(x,x,x)
		mov	esi, eax
		jmp	short loc_834BA5
; 

loc_834B69:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	esi, 4		; case 0x29
		jb	loc_83478E
		mov	eax, [ebp+var_24]
		mov	eax, [eax+8]
		mov	[edi], eax
		mov	[ebp+var_20], 4
		xor	esi, esi
		jmp	short loc_834BA5
; 

loc_834B85:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: PAGE:off_834C70o
		cmp	esi, 4		; case 0x2A
		jb	loc_83478E
		mov	eax, ds:_EtwpMaxPmcCounter
		mov	[edi], eax
		mov	[ebp+var_20], 4
		xor	esi, esi
		jmp	short loc_834BA5
; 

loc_834BA0:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1C5j
					; NtTraceControl(x,x,x,x,x,x)+1CBj
					; DATA XREF: ...
		mov	esi, 0C0000010h	; default

loc_834BA5:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+1E0j
					; NtTraceControl(x,x,x,x,x,x)+21Fj ...
		mov	[ebp+var_4], 5
		test	esi, esi
		js	short loc_834BCE
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_834BC4
		push	eax		; size_t
		push	edi		; void *
		push	[ebp+arg_C]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_834BC4:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+875j
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+arg_14]
		mov	[ecx], eax
		jmp	short loc_834BD1
; 

loc_834BCE:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+86Ej
		mov	ecx, [ebp+arg_14]

loc_834BD1:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+88Cj
		mov	eax, [ebp+arg_0]
		cmp	esi, 0C0000023h
		jnz	short loc_834BF0
		cmp	eax, 10h
		jz	short loc_834C1D
		cmp	eax, 0Fh
		jz	short loc_834C1D
		cmp	eax, 15h
		jz	short loc_834C1D
		cmp	eax, 16h
		jz	short loc_834C1D

loc_834BF0:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+89Aj
		cmp	eax, 17h
		jz	short loc_834C1D
		cmp	eax, 13h
		jz	short loc_834C1D
		cmp	eax, 20h
		jz	short loc_834C1D
		cmp	eax, 21h
		jz	short loc_834C1D
		cmp	eax, 22h
		jz	short loc_834C1D
		cmp	eax, 24h
		jz	short loc_834C1D
		cmp	eax, 26h
		jz	short loc_834C1D
		cmp	eax, 27h
		jz	short loc_834C1D
		cmp	eax, 28h
		jnz	short loc_834C22

loc_834C1D:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+89Fj
					; NtTraceControl(x,x,x,x,x,x)+8A4j ...
		mov	eax, [ebp+var_20]
		mov	[ecx], eax

loc_834C22:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+8DBj
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_834C4B
; 

loc_834C2B:				; DATA XREF: .text:006A6848o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		mov	eax, 1
		retn
; 

loc_834C3B:				; DATA XREF: .text:006A684Co
		mov	esi, [ebp-50h]

loc_834C3E:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+167j
					; NtTraceControl(x,x,x,x,x,x)+1ADj
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-28h]

loc_834C4B:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+138j
					; NtTraceControl(x,x,x,x,x,x)+14Cj ...
		test	edi, edi
		jz	short loc_834C57
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_834C57:				; CODE XREF: NtTraceControl(x,x,x,x,x,x)+90Dj
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_NtTraceControl@24 endp

; 
		align 10h
off_834C70	dd offset loc_834512	; DATA XREF: NtTraceControl(x,x,x,x,x,x)+1CBr
		dd offset loc_834512	; jump table for switch	statement
		dd offset loc_834512
		dd offset loc_834512
		dd offset loc_834512
		dd offset loc_834512
		dd offset loc_834512
		dd offset loc_834BA0
		dd offset loc_834BA0
		dd offset loc_834BA0
		dd offset loc_834722
		dd offset loc_834789
		dd offset loc_8347DA
		dd offset loc_83473C
		dd offset loc_8345F6
		dd offset loc_834646
		dd offset loc_834673
		dd offset loc_8346D0
		dd offset loc_8346F8
		dd offset loc_8347F1
		dd offset loc_834805
		dd offset loc_83481D
		dd offset loc_83489B
		dd offset loc_8348B3
		dd offset loc_8348D2
		dd offset loc_83462C
		dd offset loc_8348FD
		dd offset loc_834951
		dd offset loc_834BA0
		dd offset loc_83498B
		dd offset loc_8349B6
		dd offset loc_83483F
		dd offset loc_834857
		dd offset loc_834879
		dd offset loc_8349D5
		dd offset loc_8349F4
		dd offset loc_834A19
		dd offset loc_834A98
		dd offset loc_834AE7
		dd offset loc_834B23
		dd offset loc_834B4D
		dd offset loc_834B69
		dd offset loc_834B85
off_834D1C	dd offset loc_834539	; DATA XREF: NtTraceControl(x,x,x,x,x,x)+1F2r
		dd offset loc_834564	; jump table for switch	statement
		dd offset loc_83457E
		dd offset loc_834596
		dd offset loc_8345AE
		dd offset loc_8345C6
		dd offset loc_8345DE
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall EtwpRegisterUMGuid(int,void *,int,char,int)
EtwpRegisterUMGuid proc	near		; CODE XREF: NtTraceControl(x,x,x,x,x,x)+2E0p

var_46		= byte ptr -46h
var_45		= dword	ptr -45h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_36		= byte ptr -36h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009244EE SIZE 00000145 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[esp+48h+var_28], 0
		push	10h		; size_t
		mov	esi, ecx
		mov	[esp+4Ch+var_20], edi
		push	offset _SecurityProviderGuid ; void *
		mov	eax, [edi+14h]
		mov	ebx, [edi+10h]
		push	edi		; void *
		mov	[esp+54h+var_2C], esi
		mov	[esp+54h+var_30], 0
		mov	byte ptr [esp+1Fh], 0
		mov	[esp+54h+var_18], ebx
		mov	[esp+54h+var_1C], eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_9244EE
		cmp	ebx, 3
		jnz	loc_835008

loc_834D9E:				; CODE XREF: EtwpRegisterUMGuid+2CBj
		xor	ebx, ebx

loc_834DA0:				; CODE XREF: EtwpRegisterUMGuid+2D6j
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	_EtwpFindGuidEntryByGuid@12 ; EtwpFindGuidEntryByGuid(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_83508D

loc_834DB4:				; CODE XREF: EtwpRegisterUMGuid+35Dj
		xor	eax, eax
		mov	ebx, [esi+2Ch]
		lea	edi, [esp+48h+var_10]
		mov	[esp+48h+var_2C], 0
		stosd
		mov	[esp+48h+var_24], 0
		stosd
		stosd
		stosd
		lea	eax, [esp+48h+var_10]
		push	eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		lea	eax, [esp+48h+var_2C]
		push	eax
		lea	eax, [esp+4Ch+var_24]
		push	eax
		push	1
		push	offset _EtwpGenericMapping
		push	0
		push	0
		push	800h
		push	0
		lea	eax, [esp+68h+var_10]
		push	eax
		push	ebx
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		lea	eax, [esp+48h+var_10]
		push	eax
		call	SeReleaseSubjectContext
		mov	edi, [esp+48h+var_2C]
		test	edi, edi
		js	loc_834FF6
		cmp	dword ptr [esi+168h], 0
		jnz	loc_924502

loc_834E39:				; CODE XREF: EtwpRegisterUMGuid+EF7F6j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, [ebp+arg_8]
		or	dl, 0FFh
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	[esi+170h], eax
		mov	dword ptr [ebx], 0A0h
		call	EtwpGetSchematizedFilterSize
		mov	ecx, 0A0h
		test	eax, eax
		jnz	loc_92453B

loc_834E80:				; CODE XREF: EtwpRegisterUMGuid+EF803j
		cmp	ecx, [ebp+arg_0]
		ja	loc_924548
		mov	ebx, [esp+48h+var_20]
		lea	eax, [esp+48h+var_28]
		mov	edx, [esp+48h+var_18]
		mov	ecx, esi
		push	eax
		lea	eax, [esp+4Ch+var_30]
		push	eax
		mov	eax, [ebx+20h]
		push	eax
		push	[esp+54h+var_1C]
		call	_EtwpAddUmRegEntry@24 ;	EtwpAddUmRegEntry(x,x,x,x,x,x)
		mov	edi, eax
		mov	[esp+58h+var_3C], edi
		test	edi, edi
		js	loc_834FB8
		cmp	[ebp+arg_4], 0
		mov	edi, [esp+58h+var_40]
		mov	[esp+58h+var_28], edi
		jnz	loc_924552

loc_834ECA:				; CODE XREF: EtwpRegisterUMGuid+EF81Ej
		mov	eax, [esp+20h]
		cdq
		mov	[ebx+18h], eax
		mov	[ebx+1Ch], edx
		cmp	dword ptr [esi+40h], 0
		jnz	loc_83502C

loc_834EDF:				; CODE XREF: EtwpRegisterUMGuid+304j
		mov	al, [edi+34h]
		mov	ecx, edi
		mov	dl, [edi+32h]
		mov	byte ptr [esp+58h+var_45+1], al
		lea	eax, [esp+58h+var_45+1]
		push	eax
		push	0
		shr	dl, 3
		push	0
		and	dl, 1
		call	EtwpApplyScopeFilters
		mov	ecx, [esi+168h]
		test	ecx, ecx
		jnz	loc_924563

loc_834F0D:				; CODE XREF: EtwpRegisterUMGuid+EF85Fj
		test	byte ptr [edi+32h], 8
		mov	al, byte ptr [esp+58h+var_45+1]
		jnz	loc_83501B
		and	[edi+34h], al
		mov	al, byte ptr [esp+58h+var_45]
		and	[edi+36h], al
		mov	cl, [edi+36h]

loc_834F28:				; CODE XREF: EtwpRegisterUMGuid+2E7j
		mov	al, [edi+34h]
		mov	byte ptr [esp+58h+var_45], al
		mov	byte ptr [esp+58h+var_45+1], al
		test	al, al
		jnz	loc_835049
		test	cl, cl
		jnz	loc_835049
		xor	eax, eax
		lea	edi, [ebx+70h]
		mov	ecx, 8
		rep stosd
		mov	edi, [esp+58h+var_28]
		mov	[ebx+98h], eax
		mov	[ebx+90h], eax
		mov	[ebx+94h], eax

loc_834F65:				; CODE XREF: EtwpRegisterUMGuid+348j
		mov	eax, [ebp+arg_8]
		mov	ecx, esi
		mov	dl, byte ptr [esp+58h+var_45]
		mov	dword ptr [eax], 0A0h
		call	EtwpGetSchematizedFilterSize
		test	eax, eax
		jnz	loc_9245A4

loc_834F81:				; CODE XREF: EtwpRegisterUMGuid+EF8A9j
		mov	[ebx+9Ch], eax
		mov	ecx, edi
		mov	eax, [ebp+arg_8]
		mov	eax, [eax]
		mov	[ebx+2Ch], eax
		call	EtwpTrackProviderRegistration
		mov	eax, dword_6BC30C
		push	offset _ETW_EVENT_PROVIDER_REGISTER
		push	eax
		mov	eax, _EtwpEventTracingProvRegHandle
		push	eax
		call	EtwEventEnabled
		test	al, al
		jnz	loc_9245EE

loc_834FB4:				; CODE XREF: EtwpRegisterUMGuid+EF8C0j
		mov	edi, [esp+58h+var_3C]

loc_834FB8:				; CODE XREF: EtwpRegisterUMGuid+172j
					; EtwpRegisterUMGuid+EF80Dj
		xor	edx, edx
		mov	dword ptr [esi+170h], 0
		lea	ecx, [esi+16Ch]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [esi+168h]
		test	eax, eax
		jnz	loc_924605

loc_834FE9:				; CODE XREF: EtwpRegisterUMGuid+EF8EEj
		mov	ecx, [esp+58h+var_40]
		test	ecx, ecx
		jz	short loc_834FF6
		call	ObfDereferenceObject

loc_834FF6:				; CODE XREF: EtwpRegisterUMGuid+E6j
					; EtwpRegisterUMGuid+2AFj
		mov	ecx, esi
		call	EtwpUnreferenceGuidEntry

loc_834FFD:				; CODE XREF: EtwpRegisterUMGuid+EF7BDj
		mov	eax, edi

loc_834FFF:				; CODE XREF: EtwpRegisterUMGuid+EF7B3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_835008:				; CODE XREF: EtwpRegisterUMGuid+58j
		cmp	ebx, 2
		jz	loc_834D9E
		mov	ebx, 1
		jmp	loc_834DA0
; 

loc_83501B:				; CODE XREF: EtwpRegisterUMGuid+1D5j
		mov	[edi+34h], al
		mov	al, byte ptr [esp+58h+var_45]
		mov	[edi+36h], al
		mov	cl, al
		jmp	loc_834F28
; 

loc_83502C:				; CODE XREF: EtwpRegisterUMGuid+199j
		mov	dl, [edi+32h]
		lea	eax, [edi+34h]
		push	eax
		push	1
		shr	dl, 3
		mov	ecx, esi
		push	0
		and	dl, 1
		call	EtwpUpdateEnableMask
		jmp	loc_834EDF
; 

loc_835049:				; CODE XREF: EtwpRegisterUMGuid+1F5j
					; EtwpRegisterUMGuid+1FDj
		lea	edx, [ebx+70h]
		mov	ecx, edi
		call	EtwpComputeRegEntryEnableInfo
		movzx	eax, byte ptr [esi+3Bh]
		and	eax, 1
		mov	byte ptr [esp+58h+var_28+3], 0
		mov	[ebx+98h], eax
		mov	ax, [esi+38h]
		mov	ecx, [esi+30h]
		mov	word ptr [esp+58h+var_28], ax
		mov	al, [esi+3Ah]
		mov	byte ptr [esp+58h+var_28+2], al
		mov	eax, [esp+58h+var_28]
		mov	[ebx+90h], eax
		mov	[ebx+94h], ecx
		jmp	loc_834F65
; 

loc_83508D:				; CODE XREF: EtwpRegisterUMGuid+6Ej
		mov	ecx, [esp+48h+var_2C]
		mov	edx, edi
		push	ebx
		call	_EtwpAddGuidEntry@12 ; EtwpAddGuidEntry(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_834DB4
		jmp	loc_9244F8
EtwpRegisterUMGuid endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpGetSchematizedFilterSize proc near	; CODE XREF: EtwpClearSessionAndUnreferenceEntry+1C5p
					; EtwpBuildNotificationPacket+18p ...

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00924633 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ecx+160h]
		push	esi
		xor	esi, esi
		mov	[ebp+var_1], dl
		test	ebx, ebx
		jnz	short loc_8350C6

loc_8350C0:				; CODE XREF: EtwpGetSchematizedFilterSize+3Cj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8350C6:				; CODE XREF: EtwpGetSchematizedFilterSize+16j
		push	edi
		xor	edx, edx
		lea	edi, [ecx+60h]
		mov	ch, [ebp+var_1]
		add	ebx, 2Ch

loc_8350D2:				; CODE XREF: EtwpGetSchematizedFilterSize+39j
		cmp	dword ptr [edi], 0
		jnz	short loc_8350E6

loc_8350D7:				; CODE XREF: EtwpGetSchematizedFilterSize+45j
					; EtwpGetSchematizedFilterSize+EF594j ...
		inc	edx
		add	edi, 20h
		add	ebx, 34h
		cmp	edx, 8
		jb	short loc_8350D2
		pop	edi
		jmp	short loc_8350C0
; 

loc_8350E6:				; CODE XREF: EtwpGetSchematizedFilterSize+2Dj
		mov	eax, [ebx]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_8350D7
		jmp	loc_924633
EtwpGetSchematizedFilterSize endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2453. SeCreateAccessStateEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SeCreateAccessStateEx(int,int,void *,void *,int,int)
		public _SeCreateAccessStateEx@24
_SeCreateAccessStateEx@24 proc near	; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+43Cp
					; ObReferenceObjectByNameEx+BEp ...

var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	SeCaptureSubjectContextEx
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+arg_8] ; void	*
		lea	ecx, [ebp+var_10] ; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	_SepCreateAccessStateFromSubjectContext@20 ; SepCreateAccessStateFromSubjectContext(x,x,x,x,x)
		pop	edi
		leave
		retn	18h
_SeCreateAccessStateEx@24 endp

; 
		align 10h
; Exported entry 2442. SeCaptureSubjectContextEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeCaptureSubjectContextEx
SeCaptureSubjectContextEx proc near	; CODE XREF: ExCpuSetResourceManagerAccessCheck(x)+50p
					; .text:00521E7Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00924655 SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [ebx+0E4h]
		mov	[esi+0Ch], eax
		test	edi, edi
		jz	short loc_835198
		mov	eax, [edi+2FCh]
		test	al, 8
		jnz	short loc_83519C
		xor	edi, edi

loc_83516A:				; CODE XREF: SeCaptureSubjectContextEx+5Aj
					; SeCaptureSubjectContextEx+CFj
		lea	ecx, [ebx+12Ch]
		mov	[esi], edi
		call	@ObFastReferenceObject@4 ; ObFastReferenceObject(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_835214

loc_835181:				; CODE XREF: SeCaptureSubjectContextEx+126j
		mov	[esi+8], edi
		cmp	ds:_SeTokenLeakTracking, 0
		jnz	loc_92465C

loc_835191:				; CODE XREF: SeCaptureSubjectContextEx+EF53Ej
					; SeCaptureSubjectContextEx+EF55Aj ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_835198:				; CODE XREF: SeCaptureSubjectContextEx+1Cj
		xor	edi, edi
		jmp	short loc_83516A
; 

loc_83519C:				; CODE XREF: SeCaptureSubjectContextEx+26j
		mov	eax, large fs:124h
		mov	[ebp+arg_0], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [edi+2F0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+arg_4], eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [edi+2FCh]
		test	al, 8
		jz	loc_924655
		mov	ecx, [edi+2C8h]
		and	ecx, 0FFFFFFF8h
		mov	[ebp+arg_8], ecx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [edi+2C8h]
		mov	edi, [ebp+arg_8]
		and	eax, 3
		mov	[esi+4], eax

loc_8351ED:				; CODE XREF: SeCaptureSubjectContextEx+EF517j
		mov	edx, [ebp+arg_4]
		xor	ecx, ecx
		mov	eax, 11h
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	short loc_83526B

loc_835200:				; CODE XREF: SeCaptureSubjectContextEx+135j
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, [ebp+arg_0]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	loc_83516A
; 

loc_835214:				; CODE XREF: SeCaptureSubjectContextEx+3Bj
		mov	eax, large fs:124h
		mov	[ebp+arg_8], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [ebx+0E0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+arg_4], eax
		call	ExAcquirePushLockSharedEx
		lea	ecx, [ebx+12Ch]
		call	@ObFastReferenceObjectLocked@4 ; ObFastReferenceObjectLocked(x)
		mov	ebx, [ebp+arg_4]
		mov	edi, eax
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	short loc_835277

loc_835257:				; CODE XREF: SeCaptureSubjectContextEx+13Ej
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+arg_8]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	loc_835181
; 

loc_83526B:				; CODE XREF: SeCaptureSubjectContextEx+BEj
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, [ebp+arg_4]
		jmp	short loc_835200
; 

loc_835277:				; CODE XREF: SeCaptureSubjectContextEx+115j
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_835257
SeCaptureSubjectContextEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpDeleteRegistrationObject proc near	; DATA XREF: EtwpInitializeRegistration()+8Fo

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009246A6 SIZE 000000D8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		push	ebx
		mov	ebx, [ebp+arg_0]
		test	byte ptr [ebx+32h], 4
		push	esi
		push	edi
		mov	eax, [ebx+10h]
		lea	edi, [ebx+32h]
		mov	esi, [ebx+14h]
		mov	[esp+68h+var_58], eax
		mov	[esp+68h+var_50], esi
		jnz	loc_83540D
		test	esi, esi
		jnz	loc_8353B9

loc_8352B4:				; CODE XREF: EtwpDeleteRegistrationObject+157j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	eax, [esp+68h+var_58]
		xor	edx, edx
		add	eax, 16Ch
		mov	ecx, eax
		mov	[esp+68h+var_4C], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esp+68h+var_58]
		mov	eax, large fs:124h
		mov	[ecx+170h], eax
		mov	edx, [ebx]
		cmp	[edx+4], ebx
		jnz	loc_835489
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	loc_835489
		mov	[eax], edx
		mov	[edx+4], eax
		lea	eax, [ebx+8]
		mov	edx, [eax]
		mov	[esp+68h+var_54], edx
		cmp	[edx+4], eax
		jnz	loc_835489
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_835489
		mov	eax, [esp+68h+var_54]
		mov	[edx], eax
		mov	[eax+4], edx
		xor	edx, edx
		mov	dword ptr [ecx+170h], 0
		mov	ecx, [esp+68h+var_4C]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	esi, esi
		jnz	loc_8353DC

loc_835342:				; CODE XREF: EtwpDeleteRegistrationObject+178j
					; EtwpDeleteRegistrationObject+1C3j
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	ax
		movzx	eax, word ptr [edi]
		test	al, 2
		jz	loc_835448
		mov	eax, 4
		lea	edi, [ebx+18h]
		mov	ebx, [esp+68h+var_58]
		mov	[esp+68h+var_54], eax

loc_835366:				; CODE XREF: EtwpDeleteRegistrationObject+FCj
		xor	esi, esi
		xchg	esi, [edi]
		test	esi, esi
		jnz	loc_9246A6

loc_835372:				; CODE XREF: EtwpDeleteRegistrationObject+EF490j
		add	edi, 4
		sub	eax, 1
		mov	[esp+68h+var_54], eax
		jnz	short loc_835366
		mov	ebx, [ebp+arg_0]
		mov	edx, ebx
		mov	ecx, [ebx+28h]
		call	_EtwpRundownNotifications@8 ; EtwpRundownNotifications(x,x)
		mov	ecx, [ebx+28h]
		mov	edx, 52777445h
		call	ObfDereferenceObjectWithTag
		mov	ecx, ebx
		call	_EtwpReleaseProviderTraitsReference@4 ;	EtwpReleaseProviderTraitsReference(x)
		mov	esi, [esp+68h+var_50]

loc_8353A3:				; CODE XREF: EtwpDeleteRegistrationObject+1F1j
		mov	ecx, [esp+68h+var_58]
		call	EtwpUnreferenceGuidEntry
		test	esi, esi
		jnz	short loc_8353FD
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_8353B9:				; CODE XREF: EtwpDeleteRegistrationObject+2Ej
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	ecx, [esi+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+170h], eax
		jmp	loc_8352B4
; 

loc_8353DC:				; CODE XREF: EtwpDeleteRegistrationObject+BCj
		lea	ecx, [esi+16Ch]
		mov	dword ptr [esi+170h], 0
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_835342
; 

loc_8353FD:				; CODE XREF: EtwpDeleteRegistrationObject+12Ej
		mov	ecx, esi
		call	EtwpUnreferenceGuidEntry
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_83540D:				; CODE XREF: EtwpDeleteRegistrationObject+26j
		xor	edx, edx
		mov	ecx, offset _EtwpReplyListLock
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebx]
		cmp	[ecx+4], ebx
		jnz	short loc_835489
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	short loc_835489
		mov	[eax], ecx
		mov	[ecx+4], eax
		or	eax, 0FFFFFFFFh
		mov	ecx, offset _EtwpReplyListLock
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_835476

loc_83543E:				; CODE XREF: EtwpDeleteRegistrationObject+200j
		call	KeAbPostRelease
		jmp	loc_835342
; 

loc_835448:				; CODE XREF: EtwpDeleteRegistrationObject+D0j
		test	al, 4
		jz	loc_924736
		mov	eax, [ebx+18h]
		mov	dl, 1
		mov	ecx, eax
		mov	[esp+68h+var_4C], eax
		call	_KeRundownQueueEx@8 ; KeRundownQueueEx(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_835482

loc_835466:				; CODE XREF: EtwpDeleteRegistrationObject+EF4B1j
		push	0
		push	[esp+6Ch+var_4C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8353A3
; 

loc_835476:				; CODE XREF: EtwpDeleteRegistrationObject+1BCj
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset _EtwpReplyListLock
		jmp	short loc_83543E
; 

loc_835482:				; CODE XREF: EtwpDeleteRegistrationObject+1E4j
		mov	edi, ebx
		jmp	loc_924715
; 

loc_835489:				; CODE XREF: EtwpDeleteRegistrationObject+64j
					; EtwpDeleteRegistrationObject+6Fj ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
EtwpDeleteRegistrationObject endp	; AL = character to display


EtwpUnreferenceGuidEntry:		; CODE XREF: .text:004474CAp
					; FsRtlInsertPerFileContext+125p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		or	ecx, 0FFFFFFFFh
		mov	[ebp-4], eax
		lock xadd [eax+10h], ecx
		dec	ecx
		mov	[ebp-8], ecx
		jz	short loc_8354B6
		test	ecx, ecx
		js	loc_924747

loc_8354B2:				; CODE XREF: PAGE:00835532j
		mov	eax, ecx
		leave
		retn
; 

loc_8354B6:				; CODE XREF: PAGE:008354A8j
		mov	ecx, [eax+1Ch]
		mov	edx, [eax+18h]
		push	ebx
		mov	ebx, [eax+20h]
		push	esi
		mov	esi, [eax+14h]
		push	edi
		mov	edi, [eax+164h]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	ebx, ecx
		add	edi, 1A8h
		xor	ebx, edx
		xor	edx, edx
		xor	ebx, esi
		and	ebx, 3Fh
		imul	eax, ebx, 1Ch
		add	edi, eax
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebp-4]
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_835540
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_835540
		mov	[eax], ecx
		mov	[ecx+4], eax
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_835537

loc_835519:				; CODE XREF: PAGE:0083553Ej
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	EtwpFreeGuidEntry
		mov	ecx, [ebp-8]
		pop	edi
		pop	esi
		pop	ebx
		jmp	loc_8354B2
; 

loc_835537:				; CODE XREF: PAGE:00835517j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_835519
; 

loc_835540:				; CODE XREF: PAGE:008354FEj
					; PAGE:00835505j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpFindGuidEntryByGuid(x, x, x)
_EtwpFindGuidEntryByGuid@12 proc near	; CODE XREF: .text:004473F5p
					; EtwpNotifyGuid(x,x,x)+12Ap ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, edx
		push	ebx
		push	esi
		mov	[ebp+var_4], eax
		mov	esi, [eax+0Ch]
		xor	esi, [eax+8]
		xor	esi, [eax+4]
		xor	esi, [eax]
		and	esi, 3Fh
		push	edi
		lea	eax, ds:0[esi*8]
		sub	eax, esi
		lea	ecx, [ecx+eax*4]
		mov	eax, [ebp+arg_0]
		lea	ecx, [ecx+190h]
		lea	ebx, [ecx+eax*8]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	esi, [ecx+18h]
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+arg_0], esi
		call	ExAcquirePushLockSharedEx
		mov	edi, [ebx]
		cmp	edi, ebx
		jz	short loc_8355E0
		jmp	short loc_8355B0
; 
		align 10h

loc_8355B0:				; CODE XREF: EtwpFindGuidEntryByGuid(x,x,x)+57j
					; EtwpFindGuidEntryByGuid(x,x,x)+8Bj
		mov	edx, [ebp+var_4]
		lea	eax, [edi+14h]
		mov	esi, 0Ch
		jmp	short loc_8355C0
; 
		align 10h

loc_8355C0:				; CODE XREF: EtwpFindGuidEntryByGuid(x,x,x)+6Bj
					; EtwpFindGuidEntryByGuid(x,x,x)+7Fj
		mov	ecx, [edx]
		cmp	ecx, [eax]
		jnz	short loc_835622
		add	edx, 4
		add	eax, 4
		sub	esi, 4
		jnb	short loc_8355C0

loc_8355D1:				; CODE XREF: EtwpFindGuidEntryByGuid(x,x,x)+ECj
		xor	eax, eax

loc_8355D3:				; CODE XREF: EtwpFindGuidEntryByGuid(x,x,x)+F3j
		test	eax, eax
		jz	short loc_8355E4

loc_8355D7:				; CODE XREF: EtwpFindGuidEntryByGuid(x,x,x)+9Dj
		mov	edi, [edi]
		cmp	edi, ebx
		jnz	short loc_8355B0
		mov	esi, [ebp+arg_0]

loc_8355E0:				; CODE XREF: EtwpFindGuidEntryByGuid(x,x,x)+55j
		xor	ebx, ebx
		jmp	short loc_8355F4
; 

loc_8355E4:				; CODE XREF: EtwpFindGuidEntryByGuid(x,x,x)+85j
		mov	ecx, edi
		call	EtwpReferenceGuidEntry
		test	al, al
		jz	short loc_8355D7
		mov	esi, [ebp+arg_0]
		mov	ebx, edi

loc_8355F4:				; CODE XREF: EtwpFindGuidEntryByGuid(x,x,x)+92j
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_83560B
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_83560B:				; CODE XREF: EtwpFindGuidEntryByGuid(x,x,x)+B2j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_835622:				; CODE XREF: EtwpFindGuidEntryByGuid(x,x,x)+74j
		cmp	cl, [eax]
		jnz	short loc_83563E
		mov	cl, [edx+1]
		cmp	cl, [eax+1]
		jnz	short loc_83563E
		mov	cl, [edx+2]
		cmp	cl, [eax+2]
		jnz	short loc_83563E
		mov	cl, [edx+3]
		cmp	cl, [eax+3]
		jz	short loc_8355D1

loc_83563E:				; CODE XREF: EtwpFindGuidEntryByGuid(x,x,x)+D4j
					; EtwpFindGuidEntryByGuid(x,x,x)+DCj ...
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_8355D3
_EtwpFindGuidEntryByGuid@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


EtwpReferenceGuidEntry proc near	; CODE XREF: FsRtlInsertPerFileContext+10Cp
					; EtwpGetNextGuidEntry(x,x,x)+73p ...
		mov	edi, edi
		push	esi
		push	edi
		lea	edi, [ecx+10h]
		mov	esi, [edi]
		test	esi, esi
		jz	short loc_835673

loc_835653:				; CODE XREF: EtwpReferenceGuidEntry+2Bj
		lea	edx, [esi+1]
		mov	eax, esi
		lock cmpxchg [edi], edx
		cmp	eax, esi
		jnz	short loc_83566D
		test	esi, esi
		js	loc_924759
		mov	al, 1

loc_83566A:				; CODE XREF: EtwpReferenceGuidEntry+2Fj
		pop	edi
		pop	esi
		retn
; 

loc_83566D:				; CODE XREF: EtwpReferenceGuidEntry+18j
		mov	esi, eax
		test	eax, eax
		jnz	short loc_835653

loc_835673:				; CODE XREF: EtwpReferenceGuidEntry+Bj
		xor	al, al
		jmp	short loc_83566A
EtwpReferenceGuidEntry endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpTrackProviderRegistration proc near	; CODE XREF: EtwpRegisterProvider+135p
					; EtwpRegisterUMGuid+251p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 0092477E SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		movzx	eax, word ptr [edi+32h]
		mov	ecx, [edi+10h]
		mov	bl, al
		not	bl
		mov	[ebp+var_8], ecx
		and	bl, 1
		mov	[ebp+var_1], bl
		mov	esi, [ecx+164h]
		mov	[ebp+var_10], esi
		test	al, 8
		jnz	short loc_835722
		lea	eax, [ecx+66h]
		mov	ebx, 1
		xor	esi, esi
		mov	[ebp+var_C], eax
		jmp	short loc_8356C0
; 
		align 10h

loc_8356C0:				; CODE XREF: EtwpTrackProviderRegistration+3Bj
					; EtwpTrackProviderRegistration+59j
		test	[edi+34h], bl
		jnz	short loc_8356E2

loc_8356C5:				; CODE XREF: EtwpTrackProviderRegistration+A0j
		test	[edi+36h], bl
		jnz	loc_92477E

loc_8356CE:				; CODE XREF: EtwpTrackProviderRegistration+EF14Cj
		add	esi, 20h
		rol	ebx, 1
		cmp	esi, 100h
		jb	short loc_8356C0

loc_8356DB:				; CODE XREF: EtwpTrackProviderRegistration+A6j
					; EtwpTrackProviderRegistration+B9j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8356E2:				; CODE XREF: EtwpTrackProviderRegistration+43j
		movzx	edx, word ptr [eax+esi]
		mov	ecx, [ebp+var_10]
		push	0
		call	EtwpAcquireLoggerContextByLoggerId
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_83571A
		test	byte ptr [edi+32h], 20h
		jnz	loc_92476B
		test	dword ptr [eax+258h], 2000000h
		jnz	loc_92476B

loc_835711:				; CODE XREF: EtwpDeleteRegistrationObject+EF4F9j
		xor	dl, dl
		mov	ecx, eax
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_83571A:				; CODE XREF: EtwpTrackProviderRegistration+75j
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		jmp	short loc_8356C5
; 

loc_835722:				; CODE XREF: EtwpTrackProviderRegistration+2Cj
		test	byte ptr [ecx+3Bh], 1
		jz	short loc_8356DB
		movzx	edx, word ptr [ecx+38h]
		mov	ecx, esi
		push	0
		call	EtwpAcquireLoggerContextByLoggerId
		mov	esi, eax
		test	esi, esi
		jz	short loc_8356DB
		push	edi
		mov	dl, bl
		mov	ecx, esi
		call	EtwpProviderArrivalCallback
		xor	dl, dl
		mov	ecx, esi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
EtwpTrackProviderRegistration endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpApplyScopeFilters proc near		; CODE XREF: EtwpUpdateRegEntryEnableMask+43p
					; EtwpRegisterUMGuid+1BAp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_3		= byte ptr  0Bh
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009247D1 SIZE 000000C8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		test	byte ptr [ecx+32h], 1
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1], dl
		mov	[ebp+var_C], ecx
		jnz	short loc_8357B5
		cmp	[ebp+arg_0], 0
		mov	edx, [ebp+arg_8]
		mov	byte ptr [edx],	0
		jnz	short loc_8357F9
		mov	eax, [ecx+10h]

loc_835786:				; CODE XREF: EtwpApplyScopeFilters+9Cj
		cmp	[ebp+arg_4], 0
		mov	[ebp+var_8], eax
		jnz	loc_9247D1

loc_835793:				; CODE XREF: EtwpApplyScopeFilters+EF07Aj
		xor	ebx, ebx
		lea	esi, [eax+68h]
		xor	edi, edi
		lea	ebx, [ebx+0]

loc_8357A0:				; CODE XREF: EtwpApplyScopeFilters+53j
		cmp	dword ptr [esi-8], 0
		jnz	short loc_8357BE

loc_8357A6:				; CODE XREF: EtwpApplyScopeFilters+97j
					; EtwpApplyScopeFilters+152j ...
		add	edi, 34h
		inc	ebx
		add	esi, 20h
		cmp	edi, 1A0h
		jb	short loc_8357A0

loc_8357B5:				; CODE XREF: EtwpApplyScopeFilters+15j
					; EtwpApplyScopeFilters+92j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8357BE:				; CODE XREF: EtwpApplyScopeFilters+44j
		cmp	[ebp+arg_4], 0
		jnz	loc_9247DF

loc_8357C8:				; CODE XREF: EtwpApplyScopeFilters+EF08Bj
		cmp	[ebp+var_1], 0
		jnz	loc_8358A1

loc_8357D2:				; CODE XREF: EtwpApplyScopeFilters+158j
		mov	eax, [eax+160h]
		mov	[ebp+arg_3], 1
		test	eax, eax
		jnz	short loc_8357FE

loc_8357E0:				; CODE XREF: EtwpApplyScopeFilters+136j
		movzx	ecx, byte ptr [edx]
		movzx	eax, bl
		bts	ecx, eax
		mov	[edx], cl

loc_8357EB:				; CODE XREF: EtwpApplyScopeFilters+10Fj
					; EtwpApplyScopeFilters+13Cj
		mov	ecx, [ebp+var_C]

loc_8357EE:				; CODE XREF: EtwpApplyScopeFilters+D1j
					; EtwpApplyScopeFilters+EF0DDj
		cmp	[ebp+var_1], 0
		jnz	short loc_8357B5
		mov	eax, [ebp+var_8]
		jmp	short loc_8357A6
; 

loc_8357F9:				; CODE XREF: EtwpApplyScopeFilters+21j
		mov	eax, [ecx+14h]
		jmp	short loc_835786
; 

loc_8357FE:				; CODE XREF: EtwpApplyScopeFilters+7Ej
		add	eax, edi
		mov	[ebp+var_18], eax
		mov	eax, [eax]
		mov	[ebp+var_14], eax
		and	eax, 80000004h
		cmp	eax, 80000004h
		jz	loc_9247F0
		mov	al, [ebp+arg_3]

loc_83581B:				; CODE XREF: EtwpApplyScopeFilters+EF0E3j
		and	[ebp+var_14], 80000008h
		cmp	[ebp+var_14], 80000008h
		jz	loc_92484F

loc_83582F:				; CODE XREF: EtwpApplyScopeFilters+EF103j
		test	al, al
		jz	short loc_8357EE
		mov	ecx, [ebp+var_8]
		mov	ecx, [ecx+160h]
		add	ecx, edi
		mov	[ebp+var_1C], ecx
		mov	ecx, [ecx]
		mov	[ebp+var_20], ecx
		and	ecx, 80000010h
		cmp	ecx, 80000010h
		jz	loc_924868
		mov	ecx, [ebp+var_20]
		and	ecx, 80000020h
		cmp	ecx, 80000020h
		jz	loc_924868

loc_83586D:				; CODE XREF: EtwpApplyScopeFilters+EF120j
		test	al, al
		jz	loc_8357EB
		mov	eax, [ebp+var_8]
		mov	ecx, [eax+160h]
		mov	eax, [ecx+edi]
		and	eax, 80008000h
		cmp	eax, 80008000h
		jz	loc_924885
		mov	al, [ebp+arg_3]

loc_835894:				; CODE XREF: EtwpApplyScopeFilters+EF134j
		test	al, al
		jnz	loc_8357E0
		jmp	loc_8357EB
; 

loc_8358A1:				; CODE XREF: EtwpApplyScopeFilters+6Cj
		mov	edx, [ebp+var_8]
		mov	ax, [esi-2]
		cmp	ax, [edx+38h]
		mov	edx, [ebp+arg_8]
		mov	eax, [ebp+var_8]
		jnz	loc_8357A6
		jmp	loc_8357D2
EtwpApplyScopeFilters endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall EtwpReleaseProviderTraitsReference(x)
_EtwpReleaseProviderTraitsReference@4 proc near
					; CODE XREF: EtwpSetProviderTraitsCommon+295p
					; EtwpDeleteRegistrationObject+11Ap ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ecx+38h]
		xchg	esi, [eax]
		test	esi, esi
		jnz	short loc_8358D4

loc_8358CE:				; CODE XREF: EtwpReleaseProviderTraitsReference(x)+3Ej
					; EtwpReleaseProviderTraitsReference(x)+48j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		retn
; 

loc_8358D4:				; CODE XREF: EtwpReleaseProviderTraitsReference(x)+Ej
		test	byte ptr [ecx+32h], 1
		jnz	short loc_835911
		mov	edi, offset _EtwpProviderTraitsUmMutex
		mov	ebx, offset _EtwpProviderTraitsUmTree

loc_8358E4:				; CODE XREF: EtwpReleaseProviderTraitsReference(x)+5Dj
		mov	ecx, edi
		call	ExAcquireFastMutex
		sub	dword ptr [esi+0Ch], 1
		jz	short loc_835908
		xor	esi, esi

loc_8358F3:				; CODE XREF: EtwpReleaseProviderTraitsReference(x)+51j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	esi, esi
		jz	short loc_8358CE
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8358CE
; 

loc_835908:				; CODE XREF: EtwpReleaseProviderTraitsReference(x)+31j
		push	esi
		push	ebx
		call	RtlRbRemoveNode
		jmp	short loc_8358F3
; 

loc_835911:				; CODE XREF: EtwpReleaseProviderTraitsReference(x)+1Aj
		mov	edi, offset _EtwpProviderTraitsKmMutex
		mov	ebx, offset _EtwpProviderTraitsKmTree
		jmp	short loc_8358E4
_EtwpReleaseProviderTraitsReference@4 endp

; 
		align 2

; __stdcall EtwpRundownNotifications(x,	x)
_EtwpRundownNotifications@8:		; CODE XREF: EtwpDeleteRegistrationObject+106p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ecx+19Ch]
		push	edi
		mov	edi, edx
		mov	[ebp-4], edi
		test	esi, esi
		jz	short loc_835973
		lea	eax, [ebp-0Ch]
		mov	[ebp-8], eax
		mov	[ebp-0Ch], eax
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	ebx, [esi+8]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		add	esi, 0Ch
		mov	edx, [esi]

loc_835957:				; CODE XREF: PAGE:008359ABj
					; PAGE:008359D7j
		cmp	edx, esi
		jnz	short loc_8359A4
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_835969:				; CODE XREF: PAGE:008359A2j
		mov	esi, [ebp-0Ch]
		lea	eax, [ebp-0Ch]
		cmp	esi, eax
		jnz	short loc_835978

loc_835973:				; CODE XREF: PAGE:00835936j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_835978:				; CODE XREF: PAGE:00835971j
		lea	eax, [ebp-0Ch]
		cmp	[esi+4], eax
		jnz	short loc_8359DC
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_8359DC
		mov	[ebp-0Ch], eax
		lea	ecx, [ebp-0Ch]
		mov	[eax+4], ecx
		mov	ecx, [esi+8]
		call	_EtwpUnreferenceDataBlock@4 ; EtwpUnreferenceDataBlock(x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_EtwpReleaseQueueEntry@8 ; EtwpReleaseQueueEntry(x,x)
		jmp	short loc_835969
; 

loc_8359A4:				; CODE XREF: PAGE:00835959j
		mov	eax, edx
		mov	edx, [edx]
		cmp	[eax+0Ch], edi
		jnz	short loc_835957
		cmp	[edx+4], eax
		jnz	short loc_8359DC
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_8359DC
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	ecx, [ebp-0Ch]
		mov	edi, [ebp-0Ch]
		cmp	[edi+4], ecx
		jnz	short loc_8359DC
		mov	[eax], edi
		mov	[eax+4], ecx
		mov	[edi+4], eax
		mov	edi, [ebp-4]
		mov	[ebp-0Ch], eax
		jmp	loc_835957
; 

loc_8359DC:				; CODE XREF: PAGE:0083597Ej
					; PAGE:00835985j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpAddRegEntryToGroup proc near	; CODE XREF: EtwpSetProviderTraitsCommon+288p

var_B4		= dword	ptr -0B4h
var_A6		= byte ptr -0A6h
var_A5		= dword	ptr -0A5h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00924899 SIZE 000003DF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0ACh+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+0B8h+var_80], eax
		mov	eax, [ebp+arg_8]
		mov	esi, edx
		mov	[esp+0B8h+var_88], eax
		push	2
		mov	eax, [edi+10h]
		mov	[esp+0BCh+var_98], edi
		mov	[esp+0BCh+var_A6], 0
		mov	[esp+0BCh+var_7C], 0
		mov	eax, [eax+164h]
		mov	ecx, eax
		mov	[esp+0BCh+var_8C], eax
		call	_EtwpFindGuidEntryByGuid@12 ; EtwpFindGuidEntryByGuid(x,x,x)
		mov	ebx, eax
		mov	[esp+0B8h+var_90], ebx
		test	ebx, ebx
		jz	loc_924899

loc_835A56:				; CODE XREF: EtwpAddRegEntryToGroup+EEEBEj
		mov	esi, [esp+0B8h+var_88]
		mov	eax, large fs:124h
		mov	dword ptr [esi], 78h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [ebx+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[ebx+170h], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [edi+10h]
		xor	edx, edx
		add	ecx, 16Ch
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		mov	eax, [edi+10h]
		mov	[eax+170h], ecx
		cmp	dword ptr [edi+14h], 0
		jnz	loc_835C83
		xor	eax, eax
		mov	esi, [ebx+2Ch]
		lea	edi, [esp+0B8h+var_78]
		mov	[esp+0B8h+var_94], 0
		stosd
		mov	[esp+0B8h+var_84], 0
		stosd
		stosd
		stosd
		lea	eax, [esp+0B8h+var_78]
		push	eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		lea	eax, [esp+0B8h+var_94]
		push	eax
		lea	eax, [esp+0BCh+var_84]
		push	eax
		push	1
		push	offset _EtwpGenericMapping
		push	0
		push	0
		push	1000h
		push	0
		lea	eax, [esp+0D8h+var_78]
		push	eax
		push	esi
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		lea	eax, [esp+0B8h+var_78]
		push	eax
		call	SeReleaseSubjectContext
		mov	esi, [esp+0B8h+var_94]
		mov	edi, [esp+0B8h+var_98]
		test	esi, esi
		js	loc_835C85
		mov	dl, [edi+34h]
		mov	ecx, [edi+10h]
		call	EtwpGetSchematizedFilterSize
		mov	esi, [esp+0B8h+var_88]
		mov	[esp+0B8h+var_84], eax
		test	eax, eax
		jnz	loc_9248BE

loc_835B56:				; CODE XREF: EtwpAddRegEntryToGroup+EEED3j
		test	byte ptr [edi+32h], 2
		jz	short loc_835B67
		mov	eax, [esi]
		cmp	eax, [ebp+arg_4]
		ja	loc_9248C8

loc_835B67:				; CODE XREF: EtwpAddRegEntryToGroup+16Aj
		mov	ecx, ebx
		call	EtwpReferenceGuidEntry
		lea	ecx, [ebx+24h]
		mov	[edi+14h], ebx
		mov	edx, [ecx]
		lea	eax, [edi+8]
		cmp	[edx+4], ecx
		jnz	loc_9248D2
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		mov	[ecx], eax
		cmp	dword ptr [ebx+40h], 0
		jz	loc_9248D9

loc_835B96:				; CODE XREF: EtwpAddRegEntryToGroup+EEEF7j
		mov	edi, [esp+0B8h+var_90]
		mov	esi, 8
		xor	ebx, ebx
		mov	[esp+0B8h+var_9C], esi
		add	edi, 66h
		jmp	short loc_835BB0
; 
		align 10h

loc_835BB0:				; CODE XREF: EtwpAddRegEntryToGroup+1B8j
					; EtwpAddRegEntryToGroup+1D5j
		cmp	dword ptr [edi-6], 0
		jnz	loc_835D13

loc_835BBA:				; CODE XREF: EtwpAddRegEntryToGroup+3DFj
					; EtwpAddRegEntryToGroup+EEF13j ...
		inc	ebx
		add	edi, 20h
		sub	esi, 1
		mov	[esp+0B8h+var_9C], esi
		jnz	short loc_835BB0
		mov	bl, [esp+0B8h+var_A6]
		lea	eax, [esp+0B8h+var_A5]
		mov	edi, [esp+0B8h+var_98]
		xor	dl, dl
		push	eax
		push	0
		push	2
		mov	ecx, edi
		mov	byte ptr [esp+0C4h+var_A5], bl
		call	EtwpApplyScopeFilters
		mov	al, byte ptr [esp+0B8h+var_A5]
		and	al, bl
		mov	ebx, [esp+0B8h+var_90]
		mov	[edi+35h], al
		mov	ecx, [ebx+168h]
		test	ecx, ecx
		jnz	loc_924925

loc_835C00:				; CODE XREF: EtwpAddRegEntryToGroup+EF04Aj
		test	al, al
		jz	loc_924A3F
		mov	edx, 8
		xor	esi, esi
		xor	ebx, ebx
		mov	[esp+0B8h+var_9C], edx

loc_835C15:				; CODE XREF: EtwpAddRegEntryToGroup+242j
		mov	eax, 1
		mov	ecx, esi
		shl	eax, cl
		test	[edi+35h], al
		jnz	loc_835DD4

loc_835C27:				; CODE XREF: EtwpAddRegEntryToGroup+43Cj
		inc	esi
		add	ebx, 20h
		sub	edx, 1
		mov	[esp+0B8h+var_9C], edx
		jnz	short loc_835C15
		mov	al, [edi+37h]
		mov	ebx, [esp+0B8h+var_90]
		test	al, al
		jnz	loc_924AD0

loc_835C43:				; CODE XREF: EtwpAddRegEntryToGroup+EF1CCj
		test	byte ptr [edi+32h], 1
		jnz	loc_835E31
		mov	edx, [esp+0B8h+var_80]
		mov	ecx, edi
		add	edx, 48h
		call	EtwpComputeRegEntryEnableInfo
		mov	esi, [esp+0B8h+var_88]
		mov	dword ptr [esi], 78h
		mov	dl, [edi+34h]
		mov	ecx, [edi+10h]
		call	EtwpGetSchematizedFilterSize
		test	eax, eax
		jnz	loc_924C20
		mov	eax, [esp+0B8h+var_80]
		mov	dword ptr [eax+74h], 0

loc_835C83:				; CODE XREF: EtwpAddRegEntryToGroup+C9j
					; EtwpAddRegEntryToGroup+4ADj ...
		xor	esi, esi

loc_835C85:				; CODE XREF: EtwpAddRegEntryToGroup+145j
					; EtwpAddRegEntryToGroup+EEEDDj
		mov	eax, [edi+10h]
		xor	edx, edx
		mov	dword ptr [eax+170h], 0
		mov	ecx, [edi+10h]
		add	ecx, 16Ch
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	edx, edx
		mov	dword ptr [ebx+170h], 0
		lea	ecx, [ebx+16Ch]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, ebx
		call	EtwpUnreferenceGuidEntry
		test	esi, esi
		js	short loc_835CFA
		mov	eax, dword_6BC30C
		push	offset _ETW_EVENT_GROUP_JOIN
		push	eax
		mov	eax, _EtwpEventTracingProvRegHandle
		push	eax
		call	EtwEventEnabled
		test	al, al
		jnz	loc_924C69

loc_835CFA:				; CODE XREF: EtwpAddRegEntryToGroup+2EAj
					; EtwpAddRegEntryToGroup+EEEC9j ...
		mov	ecx, [esp+0B8h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_835D13:				; CODE XREF: EtwpAddRegEntryToGroup+1C4j
		movzx	edx, word ptr [edi]
		mov	ecx, [esp+0B8h+var_8C]
		push	0
		call	EtwpAcquireLoggerContextByLoggerId
		mov	ecx, eax
		mov	eax, [esp+0B8h+var_98]
		mov	[esp+0B8h+var_A0], ecx
		mov	edx, [eax+10h]
		add	edx, 14h
		call	EtwpIsGuidAllowed
		test	al, al
		jz	loc_9248F8
		mov	eax, [esp+0B8h+var_A0]
		xor	edx, edx
		add	eax, 1F0h
		mov	ecx, eax
		mov	[esp+0B8h+var_94], eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [esp+0B8h+var_A0]
		mov	eax, [eax+234h]
		test	eax, eax
		jz	loc_924908
		push	eax
		mov	eax, [esp+0BCh+var_98]
		mov	ecx, [eax+10h]
		add	ecx, 14h
		call	_EtwpAccessCheckFromState@12 ; EtwpAccessCheckFromState(x,x,x)
		mov	[esp+0B8h+var_A5+1], eax

loc_835D7A:				; CODE XREF: EtwpAddRegEntryToGroup+EEF20j
		mov	ecx, [esp+0B8h+var_94]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	loc_835EA2

loc_835D92:				; CODE XREF: EtwpAddRegEntryToGroup+4BBj
		call	KeAbPostRelease
		cmp	[esp+0B8h+var_A5+1], 0
		jl	loc_924915
		mov	al, 1
		mov	ecx, ebx
		shl	al, cl
		mov	edx, 1
		mov	ecx, [esp+0B8h+var_A0]
		add	[esp+0B8h+var_A6], al
		mov	eax, [ecx+2E4h]
		mov	esi, [ecx]
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+esi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		mov	esi, [esp+0B8h+var_9C]
		jmp	loc_835BBA
; 

loc_835DD4:				; CODE XREF: EtwpAddRegEntryToGroup+231j
		mov	eax, [edi+14h]
		mov	ecx, [esp+0B8h+var_8C]
		push	0
		movzx	edx, word ptr [ebx+eax+66h]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	ecx, eax
		movzx	eax, word ptr [edi+32h]
		mov	[esp+0B8h+var_A5+1], ecx
		test	al, 20h
		jnz	loc_924A59
		test	dword ptr [ecx+258h], 2000000h
		jnz	loc_924A59

loc_835E09:				; CODE XREF: EtwpAddRegEntryToGroup+EF0DBj
		mov	eax, [ecx+2E4h]
		mov	edx, 1
		mov	edi, [ecx]
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+edi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		mov	edx, [esp+0B8h+var_9C]
		mov	edi, [esp+0B8h+var_98]
		jmp	loc_835C27
; 

loc_835E31:				; CODE XREF: EtwpAddRegEntryToGroup+257j
		mov	esi, [edi+2Ch]
		test	esi, esi
		jz	short loc_835E99
		xor	eax, eax
		lea	edi, [esp+0B8h+var_48]
		stosd
		lea	edx, [esp+0B8h+var_68]
		mov	ecx, 8
		xor	ebx, ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+0B8h+var_68]
		rep stosd
		mov	edi, [esp+0B8h+var_98]
		mov	ecx, edi
		call	EtwpComputeRegEntryEnableInfo
		mov	eax, [esp+0B8h+var_84]
		test	eax, eax
		jnz	loc_924BC1

loc_835E6C:				; CODE XREF: EtwpAddRegEntryToGroup+EF1E2j
					; EtwpAddRegEntryToGroup+EF21Ej
		mov	eax, [edi+28h]
		push	eax
		push	[esp+0BCh+var_7C]
		push	[esp+0C0h+var_4C]
		push	[esp+0C4h+var_50]
		push	[esp+0C8h+var_54]
		push	[esp+0CCh+var_58]
		push	[esp+0D0h+var_64]
		push	1
		push	offset _GUID_NULL
		call	esi
		test	ebx, ebx
		jnz	loc_924C13

loc_835E99:				; CODE XREF: EtwpAddRegEntryToGroup+446j
					; EtwpAddRegEntryToGroup+EF22Bj
		mov	ebx, [esp+0DCh+var_B4]
		jmp	loc_835C83
; 

loc_835EA2:				; CODE XREF: EtwpAddRegEntryToGroup+39Cj
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [esp+0B8h+var_94]
		jmp	loc_835D92
EtwpAddRegEntryToGroup endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpAcquireLoggerContextByLoggerId proc	near ; CODE XREF: EtwpAdjustSiloTraceBuffers(x)+26p
					; EtwpGetCompressionSettings(x,x)+26p ...

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00924C78 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	edi, [esi+8]
		jnb	loc_924C78
		mov	eax, [esi+18Ch]
		mov	eax, [eax+edi*4]

loc_835ECE:				; CODE XREF: EtwpAcquireLoggerContextByLoggerId+EEDCDj
		test	al, 1
		jnz	short loc_835F20
		mov	ecx, [esi+188h]
		mov	edx, 1
		mov	ecx, [ecx+edi*4]
		call	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
		test	al, al
		jz	short loc_835F20
		cmp	edi, [esi+8]
		jnb	short loc_835F42
		lfence	eax
		mov	eax, [esi+18Ch]
		mov	ebx, [eax+edi*4]

loc_835EFA:				; CODE XREF: EtwpAcquireLoggerContextByLoggerId+97j
		test	bl, 1
		jnz	loc_924C82
		mov	al, [ebp+arg_0]
		test	al, al
		jnz	short loc_835F29

loc_835F0A:				; CODE XREF: EtwpAcquireLoggerContextByLoggerId+90j
		cmp	dword ptr [ebx+0F8h], 0
		jz	loc_924C9A
		mov	eax, ebx

loc_835F19:				; CODE XREF: EtwpAcquireLoggerContextByLoggerId+EEDF5j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_835F20:				; CODE XREF: EtwpAcquireLoggerContextByLoggerId+20j
					; EtwpAcquireLoggerContextByLoggerId+37j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	4
; 

loc_835F29:				; CODE XREF: EtwpAcquireLoggerContextByLoggerId+58j
		push	0
		push	0
		push	0
		push	0
		lea	eax, [ebx+1D0h]
		push	eax
		call	KeWaitForSingleObject
		mov	al, [ebp+arg_0]
		jmp	short loc_835F0A
; 

loc_835F42:				; CODE XREF: EtwpAcquireLoggerContextByLoggerId+3Cj
		mov	ebx, 1
		jmp	short loc_835EFA
EtwpAcquireLoggerContextByLoggerId endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 623. FsRtlOplockFsctrlEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlOplockFsctrlEx(x, x, x, x)
		public _FsRtlOplockFsctrlEx@16
_FsRtlOplockFsctrlEx@16	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	7000h
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	FsRtlpOplockFsctrlInternal
		pop	ebp
		retn	10h
_FsRtlOplockFsctrlEx@16	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 622. FsRtlOplockFsctrl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlOplockFsctrl(x, x, x)
		public _FsRtlOplockFsctrl@12
_FsRtlOplockFsctrl@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	7000h
		push	0
		push	[ebp+arg_8]
		call	FsRtlpOplockFsctrlInternal
		pop	ebp
		retn	0Ch
_FsRtlOplockFsctrl@12 endp

; 
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1639. ObReferenceObjectByName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObReferenceObjectByName
ObReferenceObjectByName	proc near	; CODE XREF: IopGetDriverPathInformation(x,x,x)+4Fp
					; CmLoadDifferencingKey+5D7p ...

var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_168		= dword	ptr -168h
var_160		= dword	ptr -160h
var_150		= dword	ptr -150h
var_148		= dword	ptr -148h
var_D8		= dword	ptr -0D8h
var_D0		= dword	ptr -0D0h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 00924CAA SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 19Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+19Ch+var_4], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[esp+1A4h+var_188], eax
		mov	eax, [ebp+arg_18]
		push	edi
		mov	[esp+1A8h+var_184], eax
		mov	eax, [ebp+arg_1C]
		push	0C4h		; size_t
		mov	[esp+1ACh+var_180], eax
		lea	eax, [esp+1ACh+var_D0]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+1A8h+var_190], 0
		lea	eax, [esp+1A8h+var_148]
		mov	[esp+1A8h+var_18C], 0
		mov	[esp+1A8h+var_198], 0
		push	74h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [esp+1B4h+var_160]
		mov	ecx, 6
		add	esp, 0Ch
		rep stosd
		lea	edi, [esp+1A8h+var_17C]
		mov	ecx, 7
		rep stosd
		test	ebx, ebx
		jz	loc_924CAA
		push	1
		lea	eax, [esp+1ACh+var_190]
		mov	edx, ebx
		mov	ebx, [ebp+arg_14]
		mov	cl, bl
		push	eax
		call	ObpCaptureObjectName
		mov	[esp+1B0h+var_19C], eax
		test	eax, eax
		js	loc_83617B
		cmp	word ptr [esp+1B0h+var_198], 0
		jz	loc_924CAA
		mov	edi, [esp+1B0h+var_190]
		test	esi, esi
		jnz	short loc_8360A9
		mov	eax, large fs:124h
		lea	esi, [esp+1B0h+var_150]
		mov	edx, large fs:124h
		mov	ecx, [eax+80h]
		lea	eax, [edi+34h]
		push	eax		; int
		push	[ebp+arg_C]	; int
		lea	eax, [esp+1B8h+var_D8]
		push	eax		; void *
		mov	eax, esi
		push	eax		; void *
		push	ecx		; int
		push	edx		; int
		call	_SeCreateAccessStateEx@24 ; SeCreateAccessStateEx(x,x,x,x,x,x)
		mov	[esp+1B0h+var_19C], eax
		test	eax, eax
		js	loc_83616E

loc_8360A9:				; CODE XREF: ObReferenceObjectByName+CBj
		lea	eax, [esp+1B0h+var_1A0]
		push	eax
		push	0
		lea	eax, [esp+1B8h+var_168]
		push	eax
		push	esi
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	0
		push	0
		push	[esp+1CCh+var_18C]
		lea	edx, [esp+1D0h+var_198]
		xor	ecx, ecx
		push	ebx
		push	edi
		push	[ebp+arg_4]
		call	_ObpLookupObjectName@52	; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)
		lea	ecx, [esp+1B0h+var_168]
		mov	[esp+1B0h+var_19C], eax
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)
		cmp	[esp+1B0h+var_19C], 0
		mov	edi, [esp+1B0h+var_188]
		mov	dword ptr [edi], 0
		jl	short loc_836156
		mov	ecx, [esp+1B0h+var_1A0]
		lea	eax, [ecx-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [ecx-0Ch]
		lea	ecx, [esp+1B0h+var_184]
		xor	edx, eax
		mov	[esp+1B0h+var_174], 0
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		add	eax, 8
		mov	[esp+1B0h+var_17C], eax
		lea	eax, [esp+1B0h+var_198]
		mov	[esp+1B0h+var_178], eax
		call	SeSetLearningModeObjectInformation
		lea	eax, [esp+1B0h+var_19C]
		mov	edx, esi
		push	eax
		push	ebx
		push	ecx
		mov	ecx, [esp+1BCh+var_1A0]
		call	ObpCheckObjectReference
		test	al, al
		jz	short loc_836192
		mov	eax, [esp+1B0h+var_1A0]
		mov	[edi], eax

loc_836151:				; CODE XREF: ObReferenceObjectByName+1FBj
		call	SeClearLearningModeObjectInformation

loc_836156:				; CODE XREF: ObReferenceObjectByName+150j
		lea	eax, [esp+1B0h+var_150]
		cmp	esi, eax
		jnz	short loc_83616E
		mov	ecx, esi
		call	SepDeleteAccessState
		add	esi, 1Ch
		push	esi
		call	SeReleaseSubjectContext

loc_83616E:				; CODE XREF: ObReferenceObjectByName+103j
					; ObReferenceObjectByName+1BCj
		lea	ecx, [esp+1B0h+var_198]
		call	ObpFreeObjectNameBuffer
		mov	eax, [esp+1B0h+var_19C]

loc_83617B:				; CODE XREF: ObReferenceObjectByName+B3j
					; ObReferenceObjectByName+EED0Fj
		mov	ecx, [esp+1B0h+var_C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_836192:				; CODE XREF: ObReferenceObjectByName+1A9j
		push	[esp+1B0h+var_1A0]
		call	_ObDereferenceObject@4 ; ObDereferenceObject(x)
		jmp	short loc_836151
ObReferenceObjectByName	endp

; 
		align 2

;  S U B	R O U T	I N E 


ObpFreeObjectNameBuffer	proc near	; CODE XREF: ObReferenceObjectByNameEx+1D3p
					; ObCreateObjectEx+117p ...

; FUNCTION CHUNK AT 00924CB4 SIZE 00000009 BYTES

		mov	edx, [ecx+4]
		mov	eax, 0F8h
		cmp	[ecx+2], ax
		jnz	short loc_8361CD
		push	esi
		mov	esi, large fs:20h
		mov	ecx, [esi+5C8h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	short loc_8361D6

loc_8361C7:				; CODE XREF: ObpFreeObjectNameBuffer+4Cj
		pop	esi
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
; 

loc_8361CD:				; CODE XREF: ObpFreeObjectNameBuffer+Cj
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
; 

loc_8361D6:				; CODE XREF: ObpFreeObjectNameBuffer+27j
		inc	dword ptr [ecx+18h]
		mov	ecx, [esi+5CCh]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_8361C7
		jmp	loc_924CB4
ObpFreeObjectNameBuffer	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpInsertOrLocateNamedObject proc near	; CODE XREF: PAGE:00816EDCp

var_E0		= dword	ptr -0E0h
var_CE		= byte ptr -0CEh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_89		= dword	ptr -89h
var_84		= dword	ptr -84h
var_58		= dword	ptr -58h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00924CBD SIZE 0000009F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_A0], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		mov	[ebp+var_9C], eax
		lea	edi, [ebp+var_E0]
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_98], ecx
		mov	ecx, 6
		mov	[ebp+var_B0], eax
		xor	eax, eax
		push	74h		; size_t
		push	eax		; int
		rep stosd
		lea	eax, [ebp+var_84]
		mov	[ebp+var_90], ebx
		push	eax		; void *
		mov	[ebp+var_C8], esi
		mov	[ebp+var_C0], 0
		mov	byte ptr [ebp+var_89], 0
		mov	[ebp+var_89+1],	0
		call	_memset
		lea	edi, [ebx-18h]
		mov	dword ptr [esi], 0
		mov	al, [edi+0Eh]
		add	esp, 0Ch
		mov	[ebp+var_BC], 0
		mov	[ebp+var_C4], edi
		test	al, 2
		jz	loc_924CBD
		movzx	eax, al
		mov	esi, edi
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	esi, eax

loc_8362BB:				; CODE XREF: ObpInsertOrLocateNamedObject+EEABFj
		mov	bl, [edi+0Fh]
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		mov	cl, [edi+0Ch]
		mov	edx, edi
		shr	edx, 8
		xor	cl, dl
		mov	[ebp+var_B8], edx
		xor	cl, byte ptr ds:_ObHeaderCookie
		lea	edx, [ebp+var_89+1]
		push	edx
		push	0
		lea	edx, [ebp+var_E0]
		shr	bl, 1
		push	edx
		mov	edx, [ebp+var_9C]
		not	bl
		push	edx
		push	eax
		push	[ebp+var_90]
		mov	eax, [ebp+var_B0]
		lea	edx, [esi+4]
		and	bl, 1
		mov	eax, [eax+1Ch]
		push	eax
		push	0
		movzx	eax, bl
		push	eax
		movzx	eax, cl
		mov	ecx, [ebp+var_B0]
		mov	eax, ds:_ObTypeIndexTable[eax*4]
		push	eax
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		push	eax
		call	_ObpLookupObjectName@52	; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_836660
		mov	eax, [ebp+var_89+1]
		mov	ebx, [ebp+var_90]
		cmp	eax, ebx
		jnz	loc_83646F
		mov	ecx, [esi]
		mov	[ebp+var_A4], 0
		mov	byte ptr [ebp+var_AC], 0
		mov	[ebp+var_90], 0
		test	ecx, ecx
		jz	short loc_8363A9
		test	byte ptr [ecx+0A8h], 8
		jnz	loc_836538
		cmp	_ObpObjectSecurityInheritance, 0
		jnz	loc_836538

loc_836386:				; CODE XREF: ObpInsertOrLocateNamedObject+342j
		push	[ebp+arg_8]
		lea	eax, [ebp+var_AC]
		push	eax
		lea	edx, [ebp+var_A4]
		call	ObpGetObjectSecurity
		mov	[ebp+var_94], eax
		test	eax, eax
		js	loc_8366A5

loc_8363A9:				; CODE XREF: ObpInsertOrLocateNamedObject+16Aj
		mov	eax, [ebp+var_9C]
		mov	edx, eax
		mov	ecx, [esi]
		mov	byte ptr [ebp+var_A0], 0
		mov	[ebp+var_A8], edx
		test	ecx, ecx
		jz	short loc_8363DE
		test	byte ptr [ecx+0A8h], 8
		jnz	loc_836547
		cmp	_ObpObjectSecurityInheritance, 0
		jnz	loc_836547

loc_8363DE:				; CODE XREF: ObpInsertOrLocateNamedObject+1C2j
					; ObpInsertOrLocateNamedObject+34Cj ...
		cmp	dword ptr [edx+2Ch], 0
		mov	ecx, [ebp+var_90]
		jz	loc_836524

loc_8363EE:				; CODE XREF: ObpInsertOrLocateNamedObject+326j
					; ObpInsertOrLocateNamedObject+333j
		mov	al, [ebx-0Ch]
		xor	al, byte ptr [ebp+var_B8]
		xor	al, byte ptr ds:_ObHeaderCookie
		push	[ebp+var_A0]
		mov	esi, [ebp+var_A4]
		mov	edx, esi
		movzx	eax, al
		push	ecx
		mov	ecx, [ebp+var_A8]
		mov	eax, ds:_ObTypeIndexTable[eax*4]
		push	eax
		push	ebx
		call	ObpAssignSecurity
		mov	ebx, eax
		test	esi, esi
		jz	loc_836672
		push	[ebp+var_AC]
		push	esi
		call	_ObReleaseObjectSecurity@8 ; ObReleaseObjectSecurity(x,x)

loc_836439:				; CODE XREF: ObpInsertOrLocateNamedObject+4A0j
		test	ebx, ebx
		js	loc_83664A
		lea	ecx, [ebp+var_E0]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)

loc_83644C:				; CODE XREF: ObpInsertOrLocateNamedObject+319j
		mov	ecx, [ebp+var_C8]
		mov	eax, [ebp+var_89+1]
		mov	[ecx], eax

loc_83645A:				; CODE XREF: ObpInsertOrLocateNamedObject+46Dj
					; ObpInsertOrLocateNamedObject+EEB57j
		mov	eax, ebx

loc_83645C:				; CODE XREF: ObpInsertOrLocateNamedObject+EEB03j
					; ObpInsertOrLocateNamedObject+EEB47j
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_83646F:				; CODE XREF: ObpInsertOrLocateNamedObject+145j
		xor	esi, esi
		cmp	[ebp+var_CE], 0
		jz	short loc_836484
		lea	esi, [eax-18h]
		mov	ecx, esi
		call	_ObpReferenceNamedObject@4 ; ObpReferenceNamedObject(x)

loc_836484:				; CODE XREF: ObpInsertOrLocateNamedObject+278j
		lea	ecx, [ebp+var_E0]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)
		mov	edx, edi
		mov	edi, [ebp+var_98]
		mov	ecx, edi
		call	_ObpDecrementHandleCount@8 ; ObpDecrementHandleCount(x,x)
		mov	ebx, [ebp+var_B0]
		test	byte ptr [ebx],	80h
		jz	loc_8365B6
		mov	ecx, [ebp+var_9C]
		push	[ebp+var_A0]
		mov	edx, [ebp+var_89+1]
		mov	eax, [ecx+18h]
		mov	[ecx+10h], eax
		mov	dword ptr [ecx+14h], 0
		mov	eax, [ebx]
		push	eax
		push	[ebp+arg_8]
		push	ecx
		mov	ecx, 1
		call	ObpGrantAccess
		mov	[ebp+var_B8], eax
		test	eax, eax
		js	loc_8365E4
		mov	eax, [ebx]
		mov	ecx, 1
		mov	edx, [ebp+var_A0]
		push	0
		push	eax
		push	[ebp+arg_8]
		push	[ebp+var_89+1]
		push	edi
		call	ObpIncrementHandleCountEx
		mov	ebx, eax
		test	esi, esi
		jz	short loc_836517
		mov	ecx, esi
		call	_ObpDereferenceNamedObject@4 ; ObpDereferenceNamedObject(x)

loc_836517:				; CODE XREF: ObpInsertOrLocateNamedObject+30Ej
		test	ebx, ebx
		jns	loc_83644C
		jmp	loc_924D4C
; 

loc_836524:				; CODE XREF: ObpInsertOrLocateNamedObject+1E8j
		test	ecx, ecx
		jz	loc_8363EE
		mov	byte ptr [ebp+var_A0], 1
		jmp	loc_8363EE
; 

loc_836538:				; CODE XREF: ObpInsertOrLocateNamedObject+173j
					; ObpInsertOrLocateNamedObject+180j
		mov	[ebp+var_90], 3
		jmp	loc_836386
; 

loc_836547:				; CODE XREF: ObpInsertOrLocateNamedObject+1CBj
					; ObpInsertOrLocateNamedObject+1D8j
		mov	eax, [eax+2Ch]
		test	eax, eax
		jz	loc_8363DE
		lea	ecx, [ebp-0B1h]
		push	ecx
		lea	ecx, [ebp+var_BC]
		push	ecx
		lea	ecx, [ebp+var_89]
		push	ecx
		push	eax
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)
		mov	[ebp+var_94], eax
		test	eax, eax
		js	loc_924CC4
		mov	esi, [ebp+var_9C]
		lea	eax, [ebp+var_94]
		push	eax
		lea	eax, [ebp+var_C0]
		push	eax
		mov	eax, [esi+2Ch]
		push	eax
		call	_RtlGetControlSecurityDescriptor@12 ; RtlGetControlSecurityDescriptor(x,x,x)
		mov	[ebp+var_94], eax
		test	eax, eax
		js	loc_924D08
		cmp	[ebp+var_BC], 0
		jz	short loc_836613

loc_8365AF:				; CODE XREF: ObpInsertOrLocateNamedObject+41Dj
		mov	edx, esi
		jmp	loc_8363DE
; 

loc_8365B6:				; CODE XREF: ObpInsertOrLocateNamedObject+2A7j
		test	esi, esi
		jz	short loc_8365C1
		mov	ecx, esi
		call	_ObpDereferenceNamedObject@4 ; ObpDereferenceNamedObject(x)

loc_8365C1:				; CODE XREF: ObpInsertOrLocateNamedObject+3B8j
		mov	ecx, [ebp+var_89+1]
		call	ObfDereferenceObject
		mov	eax, 0C0000035h
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_8]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8365E4:				; CODE XREF: ObpInsertOrLocateNamedObject+2E5j
		test	esi, esi
		jz	short loc_8365EF
		mov	ecx, esi
		call	_ObpDereferenceNamedObject@4 ; ObpDereferenceNamedObject(x)

loc_8365EF:				; CODE XREF: ObpInsertOrLocateNamedObject+3E6j
		mov	ecx, [ebp+var_89+1]
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_B8]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_836613:				; CODE XREF: ObpInsertOrLocateNamedObject+3ADj
		test	[ebp+var_C0], 1000h
		jnz	short loc_8365AF
		mov	ecx, 1Dh
		lea	edi, [ebp+var_84]
		rep movsd
		mov	edi, [ebp+var_C4]
		lea	edx, [ebp+var_84]
		mov	[ebp+var_58], 0
		mov	[ebp+var_A8], edx
		jmp	loc_8363DE
; 

loc_83664A:				; CODE XREF: ObpInsertOrLocateNamedObject+23Bj
					; ObpInsertOrLocateNamedObject+474j ...
		lea	ecx, [ebp+var_E0]
		call	_ObpDeleteDirectoryEntry@4 ; ObpDeleteDirectoryEntry(x)
		lea	ecx, [ebp+var_E0]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)

loc_836660:				; CODE XREF: ObpInsertOrLocateNamedObject+131j
		mov	ecx, [ebp+var_98]
		mov	edx, edi
		call	_ObpDecrementHandleCount@8 ; ObpDecrementHandleCount(x,x)
		jmp	loc_83645A
; 

loc_836672:				; CODE XREF: ObpInsertOrLocateNamedObject+227j
		test	ebx, ebx
		js	short loc_83664A
		mov	esi, [ebp+var_B0]
		push	1
		movzx	eax, byte ptr [esi+8]
		push	eax
		mov	eax, [esi+18h]
		push	eax
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	edx, [ebp+var_9C]
		mov	dword ptr [esi+18h], 0
		mov	dword ptr [edx+2Ch], 0
		jmp	loc_836439
; 

loc_8366A5:				; CODE XREF: ObpInsertOrLocateNamedObject+1A3j
		mov	ebx, [ebp+var_94]
		jmp	short loc_83664A
ObpInsertOrLocateNamedObject endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfCheckCallerAccess(x, x)
_ExpWnfCheckCallerAccess@8 proc	near	; CODE XREF: NtDeleteWnfStateName+1C9p
					; NtDeleteWnfStateName+211p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+28h+var_10]
		stosd
		mov	esi, edx
		mov	ebx, ecx
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[esp+28h+var_14], edi
		mov	[esp+28h+var_18], edi
		test	esi, esi
		jz	short loc_83672A
		lea	eax, [esp+28h+var_10]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		lea	eax, [esp+28h+var_18]
		push	eax
		lea	eax, [esp+2Ch+var_14]
		push	eax
		push	1
		push	offset _ExpWnfNotificationMapping
		push	edi
		push	edi
		push	esi
		push	edi
		lea	eax, [esp+48h+var_10]
		push	eax
		push	ebx
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		lea	eax, [esp+28h+var_10]
		push	eax
		call	SeReleaseSubjectContext
		mov	eax, [esp+28h+var_18]

loc_836723:				; CODE XREF: ExpWnfCheckCallerAccess(x,x)+7Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_83672A:				; CODE XREF: ExpWnfCheckCallerAccess(x,x)+28j
		xor	eax, eax
		jmp	short loc_836723
_ExpWnfCheckCallerAccess@8 endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1996. RtlConvertSidToUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlConvertSidToUnicodeString
RtlConvertSidToUnicodeString proc near	; CODE XREF: OpenGlobalizationUserSettingsKey_ForMua+C4p
					; PiDqOpenUserObjectRegKey+D7p	...

var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 00924D5C SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 218h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		push	edi
		mov	[ebp+var_208], eax
		mov	[ebp+var_210], 0
		mov	[ebp+var_20C], 0
		call	_RtlValidSid@4	; RtlValidSid(x)
		cmp	al, 1
		jnz	loc_924DCB
		cmp	[edi], al
		jnz	loc_924DCB
		push	esi
		push	(offset	loc_8BEA85+1)
		lea	eax, [ebp+var_204]
		push	100h
		push	eax
		call	_wcscpy_s
		add	esp, 0Ch
		lea	esi, [ebp+var_1FC]
		cmp	byte ptr [edi+2], 0
		jnz	loc_924D5C
		cmp	byte ptr [edi+3], 0
		jnz	loc_924D5C
		movzx	ecx, byte ptr [edi+4]
		movzx	eax, byte ptr [edi+5]
		shl	ecx, 8
		add	ecx, eax
		movzx	eax, byte ptr [edi+6]
		shl	ecx, 8
		add	ecx, eax
		movzx	eax, byte ptr [edi+7]
		shl	ecx, 8
		add	ecx, eax
		mov	eax, esi
		push	eax
		push	0FCh
		push	0Ah
		push	ecx
		call	RtlIntegerToUnicode

loc_8367EF:				; CODE XREF: RtlConvertSidToUnicodeString+EE686j
		test	eax, eax
		js	short loc_836871
		push	ebx
		xor	bl, bl
		cmp	[edi+1], bl
		jbe	short loc_836851
		mov	ecx, 2Dh

loc_836800:				; CODE XREF: RtlConvertSidToUnicodeString+10Fj
		lea	eax, [ebp+var_8]
		cmp	esi, eax
		jnb	short loc_836817

loc_836807:				; CODE XREF: RtlConvertSidToUnicodeString+D5j
		cmp	word ptr [esi],	0
		jz	short loc_836817
		add	esi, 2
		lea	eax, [ebp+var_8]
		cmp	esi, eax
		jb	short loc_836807

loc_836817:				; CODE XREF: RtlConvertSidToUnicodeString+C5j
					; RtlConvertSidToUnicodeString+CBj
		mov	[esi], cx
		lea	eax, [ebp+var_204]
		add	esi, 2
		mov	ecx, esi
		sub	ecx, eax
		mov	eax, 100h
		push	esi
		sar	ecx, 1
		sub	eax, ecx
		push	eax
		movzx	eax, bl
		push	0Ah
		mov	eax, [edi+eax*4+8]
		push	eax
		call	RtlIntegerToUnicode
		test	eax, eax
		js	short loc_836870
		inc	bl
		mov	ecx, 2Dh
		cmp	bl, [edi+1]
		jb	short loc_836800

loc_836851:				; CODE XREF: RtlConvertSidToUnicodeString+B9j
		cmp	[ebp+arg_8], 0
		jz	short loc_836883
		mov	ecx, [ebp+var_208]
		lea	eax, [ebp+var_204]
		push	eax		; void *
		push	ecx		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	short loc_8368E8

loc_83686E:				; CODE XREF: RtlConvertSidToUnicodeString+1A6j
		xor	eax, eax

loc_836870:				; CODE XREF: RtlConvertSidToUnicodeString+103j
					; RtlConvertSidToUnicodeString+1ADj ...
		pop	ebx

loc_836871:				; CODE XREF: RtlConvertSidToUnicodeString+B1j
		pop	esi

loc_836872:				; CODE XREF: RtlConvertSidToUnicodeString+EE690j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_836883:				; CODE XREF: RtlConvertSidToUnicodeString+115j
		lea	eax, [ebp+var_8+2]
		cmp	esi, eax
		jnb	short loc_8368A0
		lea	ebx, [ebx+0]

loc_836890:				; CODE XREF: RtlConvertSidToUnicodeString+15Ej
		cmp	word ptr [esi],	0
		jz	short loc_8368A0
		add	esi, 2
		lea	eax, [ebp+var_8+2]
		cmp	esi, eax
		jb	short loc_836890

loc_8368A0:				; CODE XREF: RtlConvertSidToUnicodeString+148j
					; RtlConvertSidToUnicodeString+154j
		mov	ecx, [ebp+var_208]
		lea	eax, [ebp+var_204]
		sub	esi, eax
		and	esi, 0FFFFFFFEh
		movzx	eax, word ptr [ecx+2]
		cmp	esi, eax
		jnb	short loc_8368EF
		movzx	eax, si
		mov	word ptr [ebp+var_210],	ax
		add	eax, 2
		mov	word ptr [ebp+var_210+2], ax
		lea	eax, [ebp+var_204]
		mov	[ebp+var_20C], eax
		lea	eax, [ebp+var_210]
		push	eax
		push	ecx
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		jmp	short loc_83686E
; 

loc_8368E8:				; CODE XREF: RtlConvertSidToUnicodeString+12Cj
		mov	eax, 0C0000017h
		jmp	short loc_836870
; 

loc_8368EF:				; CODE XREF: RtlConvertSidToUnicodeString+177j
		mov	eax, 80000005h
		jmp	loc_836870
RtlConvertSidToUnicodeString endp

; 
		align 10h
; Exported entry 2182. RtlIntegerToUnicode

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlIntegerToUnicode
RtlIntegerToUnicode proc near		; CODE XREF: RtlConvertSidToUnicodeString+AAp
					; RtlConvertSidToUnicodeString+FCp

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00924DD5 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6870
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_1C], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_64], eax
		mov	ebx, [ebp+arg_4]
		cmp	ebx, 0Ah
		jnz	loc_836A10

loc_83694A:				; CODE XREF: RtlIntegerToUnicode+EE4EEj
		xor	eax, eax
		xor	edx, edx

loc_83694E:				; CODE XREF: RtlIntegerToUnicode+136j
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], eax
		lea	esi, [ebp-1Eh]
		mov	edi, [ebp+arg_0]
		lea	ebx, [ebx+0]

loc_836960:				; CODE XREF: RtlIntegerToUnicode+9Dj
		test	eax, eax
		jnz	loc_836A05
		cmp	ebx, 0Ah
		jnz	loc_836A6C
		mov	eax, 0CCCCCCCDh
		mul	edi
		mov	ecx, edx
		shr	ecx, 3
		mov	eax, edi
		xor	edx, edx
		mov	edi, ebx
		div	edi

loc_836985:				; CODE XREF: RtlIntegerToUnicode+174j
		mov	edi, ecx

loc_836987:				; CODE XREF: RtlIntegerToUnicode+10Bj
		sub	esi, 2
		mov	ax, ds:_RtlpIntegerWChars[edx*2]
		mov	[esi], ax
		test	edi, edi
		mov	eax, [ebp+var_68]
		mov	edx, [ebp+var_6C]
		jnz	short loc_836960
		lea	ebx, [ebp-1Eh]
		sub	ebx, esi
		sar	ebx, 1
		mov	edi, [ebp+arg_8]
		test	edi, edi
		js	loc_836A3B

loc_8369B1:				; CODE XREF: RtlIntegerToUnicode+13Fj
		mov	ecx, [ebp+var_64]

loc_8369B4:				; CODE XREF: RtlIntegerToUnicode+167j
		cmp	ebx, edi
		jg	loc_924DFD
		mov	[ebp+var_4], 0
		lea	eax, [ebx+ebx]
		push	eax		; size_t
		push	esi		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	ebx, edi
		jge	short loc_8369DE
		xor	eax, eax
		mov	edi, [ebp+var_64]
		mov	[edi+ebx*2], ax

loc_8369DE:				; CODE XREF: RtlIntegerToUnicode+D3j
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	eax, eax

loc_8369E7:				; CODE XREF: RtlIntegerToUnicode+EE4F8j
					; RtlIntegerToUnicode+EE502j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_1C]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_836A05:				; CODE XREF: RtlIntegerToUnicode+62j
		and	edx, edi
		mov	ecx, eax
		shr	edi, cl
		jmp	loc_836987
; 

loc_836A10:				; CODE XREF: RtlIntegerToUnicode+44j
		cmp	ebx, 10h
		ja	loc_924DF3
		movzx	eax, ds:byte_836A90[ebx]
		jmp	ds:off_836A7C[eax*4]

loc_836A27:				; DATA XREF: PAGE:00836A88o
		mov	eax, 4

loc_836A2C:				; CODE XREF: RtlIntegerToUnicode+EE4DAj
					; RtlIntegerToUnicode+EE4E4j
		mov	edx, 1
		mov	ecx, eax
		shl	edx, cl
		dec	edx
		jmp	loc_83694E
; 

loc_836A3B:				; CODE XREF: RtlIntegerToUnicode+ABj
		neg	edi
		cmp	edi, ebx
		jle	loc_8369B1
		sub	edi, ebx
		mov	edx, edi
		mov	ecx, edi
		mov	eax, 300030h
		mov	edi, [ebp+var_64]
		shr	ecx, 1
		rep stosd
		adc	ecx, ecx
		rep stosw
		mov	edi, ebx
		mov	ecx, [ebp+var_64]
		lea	ecx, [ecx+edx*2]
		mov	[ebp+var_64], ecx
		jmp	loc_8369B4
; 

loc_836A6C:				; CODE XREF: RtlIntegerToUnicode+6Bj
		mov	eax, edi
		xor	edx, edx
		div	ebx
		mov	ecx, eax
		jmp	loc_836985
RtlIntegerToUnicode endp

; 
		align 4
off_836A7C	dd offset loc_924DE9	; DATA XREF: RtlIntegerToUnicode+120r
		dd offset loc_924DDF
		dd offset loc_924DD5
		dd offset loc_836A27
		dd offset loc_924DF3
byte_836A90	db 0			; DATA XREF: RtlIntegerToUnicode+119r
		db 4, 1, 4
		dd 4040404h, 4040402h, 4040404h, 0CCCCCC03h, 3 dup(0CCCCCCCCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpSetSecurityObject proc near		; CODE XREF: SeSetSecurityDescriptorInfoEx2(x,x,x,x,x,x,x,x)+20p
					; SeSetSecurityDescriptorInfoEx(x,x,x,x,x,x,x)+24p ...

var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B5		= byte ptr -0B5h
var_B4		= byte ptr -0B4h
var_B3		= byte ptr -0B3h
var_B2		= byte ptr -0B2h
var_B1		= byte ptr -0B1h
var_B0		= byte ptr -0B0h
var_AF		= byte ptr -0AFh
var_AE		= byte ptr -0AEh
var_AD		= byte ptr -0ADh
var_AC		= byte ptr -0ACh
var_AB		= byte ptr -0ABh
var_AA		= byte ptr -0AAh
var_A9		= dword	ptr -0A9h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= word ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00924E29 SIZE 00000723 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0ECh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0ECh+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[esp+0F8h+var_E8], ebx
		mov	eax, [ebp+arg_C]
		mov	[esp+0F8h+var_48], eax
		mov	eax, [ebp+arg_14]
		mov	[esp+0F8h+var_9C], eax
		xor	eax, eax
		mov	edx, [ebp+arg_4]
		mov	esi, [ebp+arg_0]
		mov	[esp+0F8h+var_A9+1], eax
		lea	edi, [esp+0F8h+var_44]
		mov	[esp+0F8h+var_94], eax
		mov	[esp+0F8h+var_DC], eax
		mov	[esp+0F8h+var_8C], eax
		mov	[esp+0F8h+var_D8], eax
		mov	[esp+0F8h+var_90], eax
		mov	[esp+0F8h+var_C8], eax
		mov	[esp+0F8h+var_88], eax
		mov	[esp+0F8h+var_BC], eax
		mov	[esp+0F8h+var_84], eax
		mov	[esp+0F8h+var_A0], eax
		mov	byte ptr [esp+0F8h+var_80], al
		mov	byte ptr [esp+0F8h+var_5C], al
		mov	[esp+0F8h+var_B3], al
		mov	[esp+0F8h+var_C4], eax
		mov	[esp+0F8h+var_6C], eax
		stosd
		mov	[esp+0F8h+var_D4], esi
		mov	[esp+0F8h+var_D0], edx
		stosd
		mov	[esp+0F8h+var_B1], 0
		mov	[esp+0F8h+var_B2], 0
		mov	byte ptr [esp+0F8h+var_A9], 0
		stosd
		mov	[esp+0F8h+var_B0], 0
		mov	[esp+0F8h+var_AA], 0
		mov	[esp+0F8h+var_AF], 0
		stosd
		movzx	eax, word ptr [esi+2]
		mov	[esp+0F8h+var_AE], 0
		mov	ecx, eax
		mov	[esp+0F8h+var_AD], 0
		mov	[esp+0F8h+var_AC], 0
		mov	[esp+0F8h+var_AB], 0
		mov	[esp+0F8h+var_58], 0
		mov	[esp+0F8h+var_70], 0
		mov	[esp+0F8h+var_A4], 0
		mov	[esp+0F8h+var_74], 0
		mov	[esp+0F8h+var_EC], 8000h
		test	al, 10h
		jnz	loc_83718E
		mov	[esp+0F8h+var_E4], 0

loc_836BC0:				; CODE XREF: RtlpSetSecurityObject+6F8j
					; RtlpSetSecurityObject+A51j ...
		mov	ecx, [edx]
		movzx	eax, word ptr [ecx+2]
		mov	edx, eax
		test	al, 10h
		jz	loc_836FF4
		mov	esi, [ecx+0Ch]
		test	dx, dx
		jns	short loc_836BE1
		lea	eax, [esi+ecx]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_836BE1:				; CODE XREF: RtlpSetSecurityObject+126j
					; RtlpSetSecurityObject+546j
		cmp	[esp+0F8h+var_9C], 0
		jnz	short loc_836C42
		lea	eax, [esp+0F8h+var_44]
		push	eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	edx, [esp+0F8h+var_94]
		lea	eax, [esp+0F8h+var_44]
		mov	ecx, [esp+0F8h+var_D0]
		mov	[esp+0F8h+var_A9+1], edx
		mov	edx, [esp+0F8h+var_8C]
		mov	[esp+0F8h+var_DC], edx
		mov	edx, [esp+0F8h+var_90]
		mov	ecx, [ecx]
		mov	[esp+0F8h+var_D8], edx
		mov	edx, [esp+0F8h+var_88]
		mov	[esp+0F8h+var_C8], edx
		mov	edx, [esp+0F8h+var_84]
		mov	[esp+0F8h+var_9C], eax
		mov	[esp+0F8h+var_BC], edx

loc_836C42:				; CODE XREF: RtlpSetSecurityObject+136j
		mov	eax, ecx
		cmp	word ptr [eax+2], 0
		jge	loc_924E36
		mov	eax, [esp+0F8h+var_D4]
		movzx	eax, word ptr [eax+2]
		mov	edi, eax
		test	al, al
		js	loc_924E40
		mov	byte ptr [esp+0F8h+var_98], 0

loc_836C66:				; CODE XREF: RtlpSetSecurityObject+EE395j
		test	al, 40h
		jnz	loc_924E4A
		mov	[esp+0F8h+var_B4], 0

loc_836C73:				; CODE XREF: RtlpSetSecurityObject+EE39Fj
		mov	edx, ebx
		and	edx, 80h
		test	ebx, 100h
		jnz	loc_924E54
		mov	[esp+0F8h+var_B5], 0

loc_836C8C:				; CODE XREF: RtlpSetSecurityObject+EE3A9j
		test	ebx, 10000h
		jnz	loc_924E5E

loc_836C98:				; CODE XREF: RtlpSetSecurityObject+EE3D9j
					; RtlpSetSecurityObject+EE3E3j	...
		test	bl, 1
		jnz	loc_837328
		cmp	word ptr [ecx+2], 0
		jge	loc_924ECF
		mov	eax, [ecx+4]
		test	eax, eax
		jz	loc_925542
		lea	edi, [eax+ecx]

loc_836CBA:				; CODE XREF: RtlpSetSecurityObject+EE422j
		mov	[esp+0F8h+var_C0], edi
		test	edi, edi

loc_836CC0:				; CODE XREF: RtlpSetSecurityObject+8CAj
		jz	loc_925542

loc_836CC6:				; CODE XREF: RtlpSetSecurityObject+8B3j
		push	edi
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_925542
		test	bl, 2
		jnz	loc_83747E
		mov	eax, [esp+0F8h+var_D0]
		mov	eax, [eax]
		cmp	word ptr [eax+2], 0
		jge	loc_924EDE
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	loc_924EE6
		lea	edi, [ecx+eax]

loc_836CFC:				; CODE XREF: RtlpSetSecurityObject+9ECj
					; RtlpSetSecurityObject+EE431j
		mov	[esp+0F8h+var_CC], edi
		test	edi, edi
		jz	loc_924EE6
		push	edi
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_924EE6
		test	ebx, 1F8h
		jnz	loc_83700E
		mov	[esp+0F8h+var_A4], esi

loc_836D26:				; CODE XREF: RtlpSetSecurityObject+6D9j
		test	bl, 4
		jz	loc_8371BA
		mov	ebx, [esp+0F8h+var_D4]
		movzx	ecx, word ptr [ebx+2]
		mov	edx, ecx
		mov	eax, ecx
		and	eax, 4
		test	byte ptr [ebp+arg_8], 1
		jnz	loc_9252D6
		test	ax, ax
		jz	loc_925372
		test	dx, dx
		js	loc_836FE1
		mov	esi, [ebx+10h]

loc_836D5D:				; CODE XREF: RtlpSetSecurityObject+53Fj
					; RtlpSetSecurityObject+EE8C4j	...
		mov	edx, [esp+0F8h+var_EC]
		mov	eax, ecx
		and	eax, 1000h
		mov	[esp+0F8h+var_E8], esi
		or	eax, 4
		and	ecx, 500h
		or	edx, eax
		mov	[esp+0F8h+var_EC], edx
		cmp	ecx, 500h
		jz	loc_8372F3

loc_836D87:				; CODE XREF: RtlpSetSecurityObject+84Dj
					; RtlpSetSecurityObject+EE8BDj
		cmp	byte ptr [esp+0F8h+var_98], 0
		jnz	loc_925380

loc_836D92:				; CODE XREF: RtlpSetSecurityObject+738j
		mov	eax, [esp+0F8h+var_C0]
		movzx	eax, byte ptr [eax+1]
		lea	ecx, ds:8[eax*4]
		movzx	eax, byte ptr [edi+1]
		mov	[esp+0F8h+var_60], ecx
		lea	edx, ds:8[eax*4]
		mov	eax, [esp+0F8h+var_A4]
		mov	[esp+0F8h+var_64], edx
		test	eax, eax
		jz	loc_836FFB
		movzx	ebx, word ptr [eax+2]
		add	ebx, 3
		and	ebx, 0FFFFFFFCh

loc_836DD0:				; CODE XREF: RtlpSetSecurityObject+54Dj
		test	esi, esi
		jz	loc_92544F
		movzx	eax, word ptr [esi+2]
		add	eax, 3
		and	eax, 0FFFFFFFCh

loc_836DE2:				; CODE XREF: RtlpSetSecurityObject+EE9A1j
		mov	[esp+0F8h+var_A0], eax
		add	ecx, 14h
		add	eax, ebx
		add	eax, edx
		push	64536553h
		add	eax, ecx
		push	eax
		push	[esp+100h+var_48]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_925456
		mov	ecx, esi
		call	_RtlCreateSecurityDescriptorRelative@8 ; RtlCreateSecurityDescriptorRelative(x,x)
		cmp	[esp+0F8h+var_B3], 0
		lea	edi, [esi+14h]
		jnz	loc_925460

loc_836E20:				; CODE XREF: RtlpSetSecurityObject+EE9B8j
		mov	ax, [esi+2]
		mov	edx, 4000h
		or	ax, word ptr [esp+0F8h+var_EC]
		mov	[esi+2], ax
		movzx	ecx, ax
		mov	eax, [esp+0F8h+var_D4]
		test	[eax+2], dx
		jnz	loc_92546D

loc_836E43:				; CODE XREF: RtlpSetSecurityObject+EE9C9j
		mov	ecx, [esp+0F8h+var_A4]
		test	ecx, ecx
		jz	loc_837002
		movzx	eax, word ptr [ecx+2]
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		mov	edx, [ebp+arg_10]
		add	esp, 0Ch
		mov	ecx, edi
		call	_RtlpApplyAclToObject@8	; RtlpApplyAclToObject(x,x)
		mov	eax, [esp+0F8h+var_A4]
		mov	dword ptr [esi+0Ch], 14h
		movzx	ecx, word ptr [eax+2]
		cmp	ebx, ecx
		ja	loc_92547E

loc_836E7F:				; CODE XREF: RtlpSetSecurityObject+EE9E1j
		add	edi, ebx

loc_836E81:				; CODE XREF: RtlpSetSecurityObject+559j
		test	byte ptr [esp+0F8h+var_EC], 10h
		jnz	short loc_836E9E
		mov	eax, [esp+0F8h+var_D0]
		mov	ecx, 2830h
		mov	eax, [eax]
		mov	ax, [eax+2]
		and	ax, cx
		or	[esi+2], ax

loc_836E9E:				; CODE XREF: RtlpSetSecurityObject+3D6j
		mov	ebx, [esp+0F8h+var_E8]
		test	ebx, ebx
		jz	loc_925496
		movzx	eax, word ptr [ebx+2]
		push	eax		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		mov	edx, [ebp+arg_10]
		add	esp, 0Ch
		mov	ecx, edi
		call	_RtlpApplyAclToObject@8	; RtlpApplyAclToObject(x,x)
		mov	eax, edi
		sub	eax, esi
		mov	[esi+10h], eax
		movzx	ecx, word ptr [ebx+2]
		mov	ebx, [esp+0F8h+var_A0]
		cmp	ebx, ecx
		ja	loc_9254A2

loc_836EDA:				; CODE XREF: RtlpSetSecurityObject+EEA05j
		add	edi, ebx

loc_836EDC:				; CODE XREF: RtlpSetSecurityObject+EE9EDj
		test	byte ptr [esp+0F8h+var_EC], 4
		jz	loc_8371ED

loc_836EE7:				; CODE XREF: RtlpSetSecurityObject+75Bj
					; RtlpSetSecurityObject+7E8j
		mov	ebx, [esp+0F8h+var_60]
		push	ebx		; size_t
		push	[esp+0FCh+var_C0] ; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, edi
		add	esp, 0Ch
		sub	eax, esi
		add	edi, ebx
		cmp	[esp+0F8h+var_B2], 0
		mov	ebx, [esp+0F8h+var_D0]
		mov	[esi+4], eax
		jnz	short loc_836F1E
		mov	eax, [ebx]
		mov	ax, [eax+2]
		and	ax, 1
		or	[esi+2], ax

loc_836F1E:				; CODE XREF: RtlpSetSecurityObject+45Ej
		push	[esp+0F8h+var_64] ; size_t
		push	[esp+0FCh+var_CC] ; void *
		push	edi		; void *
		call	_memcpy
		sub	edi, esi
		add	esp, 0Ch
		cmp	[esp+0F8h+var_B1], 0
		mov	[esi+8], edi
		jnz	short loc_836F4C
		mov	eax, [ebx]
		mov	ax, [eax+2]
		and	ax, 2
		or	[esi+2], ax

loc_836F4C:				; CODE XREF: RtlpSetSecurityObject+48Cj
		mov	[ebx], esi
		xor	ebx, ebx

loc_836F50:				; CODE XREF: RtlpSetSecurityObject+791j
					; RtlpSetSecurityObject+EE977j	...
		cmp	[esp+0F8h+var_B0], 0
		jnz	loc_9254CF

loc_836F5B:				; CODE XREF: RtlpSetSecurityObject+EE528j
					; RtlpSetSecurityObject+EE897j	...
		mov	esi, [esp+0F8h+var_BC]

loc_836F5F:				; CODE XREF: RtlpSetSecurityObject+6B4j
					; RtlpSetSecurityObject+EE7E6j
		mov	edx, [esp+0F8h+var_D8]

loc_836F63:				; CODE XREF: RtlpSetSecurityObject+EE5C3j
		mov	eax, [esp+0F8h+var_DC]

loc_836F67:				; CODE XREF: RtlpSetSecurityObject+EE66Ej
		mov	edi, [esp+0F8h+var_C8]

loc_836F6B:				; CODE XREF: RtlpSetSecurityObject+EE748j
		mov	ecx, [esp+0F8h+var_A9+1]
		test	ecx, ecx
		jnz	loc_8372E3

loc_836F77:				; CODE XREF: RtlpSetSecurityObject+838j
					; RtlpSetSecurityObject+EEA42j
		test	edx, edx
		jnz	loc_8372A3

loc_836F7F:				; CODE XREF: RtlpSetSecurityObject+7F8j
					; RtlpSetSecurityObject+EEA53j
		test	eax, eax
		jnz	loc_8372B3

loc_836F87:				; CODE XREF: RtlpSetSecurityObject+808j
					; RtlpSetSecurityObject+EEA60j
		test	edi, edi
		jnz	loc_8372C3

loc_836F8F:				; CODE XREF: RtlpSetSecurityObject+818j
					; RtlpSetSecurityObject+EEA6Dj
		test	esi, esi
		jnz	loc_8372D3

loc_836F97:				; CODE XREF: RtlpSetSecurityObject+828j
					; RtlpSetSecurityObject+EEA7Aj
		mov	eax, [esp+0F8h+var_A4]
		test	eax, eax
		jz	short loc_836FAA
		cmp	[esp+0F8h+var_AA], 0
		jnz	loc_8371AD

loc_836FAA:				; CODE XREF: RtlpSetSecurityObject+4EDj
					; RtlpSetSecurityObject+705j
		cmp	byte ptr [esp+0F8h+var_A9], 0
		jnz	loc_92552F

loc_836FB5:				; CODE XREF: RtlpSetSecurityObject+EE38Bj
					; RtlpSetSecurityObject+EE43Bj	...
		lea	eax, [esp+0F8h+var_44]
		cmp	[esp+0F8h+var_9C], eax
		jnz	short loc_836FC8
		push	eax
		call	SeReleaseSubjectContext

loc_836FC8:				; CODE XREF: RtlpSetSecurityObject+510j
		mov	ecx, [esp+0F8h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_836FE1:				; CODE XREF: RtlpSetSecurityObject+2A4j
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	loc_925379
		lea	esi, [eax+ebx]
		jmp	loc_836D5D
; 

loc_836FF4:				; CODE XREF: RtlpSetSecurityObject+11Aj
		xor	esi, esi
		jmp	loc_836BE1
; 

loc_836FFB:				; CODE XREF: RtlpSetSecurityObject+310j
		xor	ebx, ebx
		jmp	loc_836DD0
; 

loc_837002:				; CODE XREF: RtlpSetSecurityObject+399j
		mov	dword ptr [esi+0Ch], 0
		jmp	loc_836E81
; 

loc_83700E:				; CODE XREF: RtlpSetSecurityObject+26Cj
		mov	eax, ebx
		and	eax, 10h
		mov	[esp+0F8h+var_68], eax
		jz	short loc_837076
		mov	[esp+0F8h+var_E0], 0

loc_837024:				; CODE XREF: RtlpSetSecurityObject+5C4j
		lea	eax, [esp+0F8h+var_E0]
		push	eax
		push	11h
		push	[esp+100h+var_E4]
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_837055
		test	dword ptr [edi+4], 0FFFFFFF8h
		lea	eax, [edi+8]
		mov	[esp+0F8h+var_A0], eax
		mov	al, [edi+1]
		mov	byte ptr [esp+0F8h+var_80], al
		jnz	loc_924EF0

loc_837055:				; CODE XREF: RtlpSetSecurityObject+588j
		push	[esp+0F8h+var_80]
		mov	edx, [esp+0FCh+var_A0]
		mov	ecx, [esp+0FCh+var_9C]
		call	SepValidLabelSubjectContext
		test	al, al
		jz	loc_924EF0
		inc	[esp+0F8h+var_E0]
		test	edi, edi
		jnz	short loc_837024

loc_837076:				; CODE XREF: RtlpSetSecurityObject+56Aj
		mov	ecx, [esp+0F8h+var_9C]
		call	_SepLocateTokenTrustLevel@4 ; SepLocateTokenTrustLevel(x)
		mov	edi, eax
		mov	eax, ebx
		and	eax, 80h
		mov	[esp+0F8h+var_A0], edi
		mov	[esp+0F8h+var_80], eax
		jnz	loc_837386

loc_837096:				; CODE XREF: RtlpSetSecurityObject+932j
		mov	ecx, ebx
		and	ecx, 100h
		mov	[esp+0F8h+var_E0], ecx
		jnz	loc_924F04

loc_8370A8:				; CODE XREF: RtlpSetSecurityObject+EE48Aj
		mov	edi, [ebp+arg_8]
		mov	eax, [esp+0F8h+var_D4]
		and	edi, 2
		test	bl, 8
		jnz	loc_8374A1
		mov	[esp+0F8h+var_A9+1], esi

loc_8370BF:				; CODE XREF: RtlpSetSecurityObject+A29j
					; RtlpSetSecurityObject+A37j ...
		test	bl, 20h
		jnz	loc_83743D
		mov	[esp+0F8h+var_D8], esi

loc_8370CC:				; CODE XREF: RtlpSetSecurityObject+9BBj
					; RtlpSetSecurityObject+9C9j ...
		test	bl, 40h
		mov	ebx, [esp+0F8h+var_D4]
		jnz	loc_925078
		mov	[esp+0F8h+var_DC], esi

loc_8370DD:				; CODE XREF: RtlpSetSecurityObject+EE659j
					; RtlpSetSecurityObject+EE695j	...
		cmp	[esp+0F8h+var_80], 0
		jnz	loc_8373E7
		mov	edx, [esp+0F8h+var_EC]
		mov	[esp+0F8h+var_C8], esi

loc_8370F0:				; CODE XREF: RtlpSetSecurityObject+969j
					; RtlpSetSecurityObject+979j ...
		test	ecx, ecx
		jnz	loc_9251FD
		mov	edi, [esp+0F8h+var_CC]
		mov	eax, esi

loc_8370FE:				; CODE XREF: RtlpSetSecurityObject+EE7DDj
		mov	[esp+0F8h+var_BC], eax

loc_837102:				; CODE XREF: RtlpSetSecurityObject+EE811j
					; RtlpSetSecurityObject+EE821j
		cmp	[esp+0F8h+var_68], 0
		jz	loc_83737F
		movzx	ecx, word ptr [ebx+2]
		mov	eax, ecx
		and	ecx, 0A00h
		and	eax, 2000h
		or	eax, 10h
		or	edx, eax
		mov	eax, [esp+0F8h+var_E4]
		mov	[esp+0F8h+var_EC], edx
		cmp	ecx, 0A00h
		jz	loc_83742E

loc_83713A:				; CODE XREF: RtlpSetSecurityObject+8D1j
					; RtlpSetSecurityObject+988j
		mov	esi, [esp+0F8h+var_BC]
		lea	ecx, [esp+0F8h+var_74]
		push	0		; void *
		push	ecx		; int
		mov	ecx, [esp+100h+var_A9+1]
		mov	edx, eax
		push	esi		; int
		push	[esp+104h+var_C8] ; void *
		push	[esp+108h+var_DC] ; int
		push	[esp+10Ch+var_D8] ; int
		call	RtlpCombineAcls
		mov	ebx, eax
		test	ebx, ebx
		js	loc_836F5F
		cmp	[esp+0F8h+var_A9+1], 0
		mov	eax, [esp+0F8h+var_74]
		mov	[esp+0F8h+var_A4], eax
		jz	loc_837302

loc_837180:				; CODE XREF: RtlpSetSecurityObject+854j
					; RtlpSetSecurityObject+85Fj ...
		mov	ebx, [esp+0F8h+var_E8]
		mov	[esp+0F8h+var_AA], 1
		jmp	loc_836D26
; 

loc_83718E:				; CODE XREF: RtlpSetSecurityObject+102j
		mov	eax, [esi+0Ch]
		test	cx, cx
		jns	loc_8374FD
		test	eax, eax
		jz	loc_924E29
		add	esi, eax
		mov	[esp+0F8h+var_E4], esi
		jmp	loc_836BC0
; 

loc_8371AD:				; CODE XREF: RtlpSetSecurityObject+4F4j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_836FAA
; 

loc_8371BA:				; CODE XREF: RtlpSetSecurityObject+279j
		mov	eax, [esp+0F8h+var_D0]
		mov	esi, [eax]
		movzx	eax, word ptr [esi+2]
		mov	ecx, eax
		test	al, 4
		jz	loc_925439
		test	cx, cx
		jns	loc_925447
		mov	eax, [esi+10h]
		test	eax, eax
		jz	loc_925440
		add	esi, eax

loc_8371E4:				; CODE XREF: RtlpSetSecurityObject+EE984j
					; RtlpSetSecurityObject+EE98Bj	...
		mov	[esp+0F8h+var_E8], esi
		jmp	loc_836D92
; 

loc_8371ED:				; CODE XREF: RtlpSetSecurityObject+431j
		mov	eax, [esp+0F8h+var_D0]
		mov	ecx, 140Ch
		mov	eax, [eax]
		mov	ax, [eax+2]
		and	ax, cx
		or	[esi+2], ax
		cmp	byte ptr [esp+0F8h+var_5C], 0
		jz	loc_836EE7
		push	1
		lea	eax, [esp+0FCh+var_7C]
		mov	[esp+0FCh+var_7C], 0
		push	eax
		lea	eax, [esp+100h+var_34]
		mov	[esp+100h+var_78], 300h
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_836F50
		mov	[esp+0F8h+var_2C], 4
		mov	[esp+0F8h+var_E0], 0
		lea	ebx, [ebx+0]

loc_837260:				; CODE XREF: RtlpSetSecurityObject+EEA1Aj
		movzx	eax, word ptr [esi+2]
		mov	ecx, eax
		test	al, 4
		jz	loc_837506
		test	cx, cx
		jns	loc_837514
		mov	eax, [esi+10h]
		test	eax, eax
		jz	loc_83750D
		lea	ecx, [eax+esi]

loc_837285:				; CODE XREF: RtlpSetSecurityObject+A58j
					; RtlpSetSecurityObject+A5Fj ...
		lea	eax, [esp+0F8h+var_E0]
		push	eax
		lea	edx, [esp+0FCh+var_34]
		call	RtlFindAceBySid
		test	eax, eax
		jz	loc_836EE7
		jmp	loc_9254BA
; 

loc_8372A3:				; CODE XREF: RtlpSetSecurityObject+4C9j
		cmp	[esp+0F8h+var_AE], 0
		jz	loc_836F7F
		jmp	loc_9254F7
; 

loc_8372B3:				; CODE XREF: RtlpSetSecurityObject+4D1j
		cmp	[esp+0F8h+var_AD], 0
		jz	loc_836F87
		jmp	loc_925508
; 

loc_8372C3:				; CODE XREF: RtlpSetSecurityObject+4D9j
		cmp	[esp+0F8h+var_AC], 0
		jz	loc_836F8F
		jmp	loc_925515
; 

loc_8372D3:				; CODE XREF: RtlpSetSecurityObject+4E1j
		cmp	[esp+0F8h+var_AB], 0
		jz	loc_836F97
		jmp	loc_925522
; 

loc_8372E3:				; CODE XREF: RtlpSetSecurityObject+4C1j
		cmp	[esp+0F8h+var_AF], 0
		jz	loc_836F77
		jmp	loc_9254E2
; 

loc_8372F3:				; CODE XREF: RtlpSetSecurityObject+2D1j
		or	edx, 400h
		mov	[esp+0F8h+var_EC], edx
		jmp	loc_836D87
; 

loc_837302:				; CODE XREF: RtlpSetSecurityObject+6CAj
		test	eax, eax
		jz	loc_837180
		cmp	word ptr [eax+4], 0
		jnz	loc_837180
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[esp+0F8h+var_A4], eax
		jmp	loc_837180
; 

loc_837328:				; CODE XREF: RtlpSetSecurityObject+1EBj
		mov	eax, ebx
		shr	eax, 2
		not	al
		and	eax, 0FFFFFF01h
		mov	[esp+0F8h+var_5C], eax
		test	di, di
		jns	loc_8374EC
		mov	ecx, [esp+0F8h+var_D4]
		mov	eax, [ecx+4]
		test	eax, eax
		jz	loc_924EC8
		lea	edi, [eax+ecx]

loc_837356:				; CODE XREF: RtlpSetSecurityObject+A43j
					; RtlpSetSecurityObject+EE41Aj
		test	byte ptr [ebp+arg_8], 8
		mov	[esp+0F8h+var_C0], edi
		mov	[esp+0F8h+var_B2], 1
		jnz	loc_836CC6
		push	[esp+0F8h+var_98]
		mov	ecx, [esp+0FCh+var_9C]
		mov	edx, edi
		call	_SepValidOwnerSubjectContext@12	; SepValidOwnerSubjectContext(x,x,x)
		test	al, al
		jmp	loc_836CC0
; 

loc_83737F:				; CODE XREF: RtlpSetSecurityObject+65Aj
		mov	eax, esi
		jmp	loc_83713A
; 

loc_837386:				; CODE XREF: RtlpSetSecurityObject+5E0j
		test	edi, edi
		jz	loc_924EFA
		mov	[esp+0F8h+var_E0], 0

loc_837396:				; CODE XREF: RtlpSetSecurityObject+92Cj
		lea	eax, [esp+0F8h+var_E0]
		push	eax
		push	14h
		push	[esp+100h+var_E4]
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8373D6
		test	dword ptr [edi+4], 0FF000000h
		jnz	loc_924EF0
		lea	eax, [esp+0F8h+var_58]
		push	eax
		push	ecx
		mov	ecx, [esp+100h+var_A0]
		lea	edx, [edi+8]
		call	_RtlpValidTrustSubjectContext@16 ; RtlpValidTrustSubjectContext(x,x,x,x)
		test	al, al
		jz	loc_924EFA

loc_8373D6:				; CODE XREF: RtlpSetSecurityObject+8FAj
		inc	[esp+0F8h+var_E0]
		test	edi, edi
		jnz	short loc_837396
		mov	edi, [esp+0F8h+var_A0]
		jmp	loc_837096
; 

loc_8373E7:				; CODE XREF: RtlpSetSecurityObject+632j
		movzx	edx, word ptr [ebx+2]
		test	edi, edi
		jnz	loc_925158
		mov	eax, [esp+0F8h+var_E4]
		mov	[esp+0F8h+var_C8], eax
		mov	eax, edx
		and	eax, 2000h
		and	edx, 0A00h
		or	eax, 10h
		or	[esp+0F8h+var_EC], eax
		cmp	edx, 0A00h
		mov	edx, [esp+0F8h+var_EC]
		jnz	loc_8370F0
		or	edx, 800h
		mov	[esp+0F8h+var_EC], edx
		jmp	loc_8370F0
; 

loc_83742E:				; CODE XREF: RtlpSetSecurityObject+684j
		or	edx, 800h
		mov	[esp+0F8h+var_EC], edx
		jmp	loc_83713A
; 

loc_83743D:				; CODE XREF: RtlpSetSecurityObject+612j
		movzx	edx, word ptr [eax+2]
		test	edi, edi
		jnz	loc_924FDD
		mov	eax, [esp+0F8h+var_E4]
		mov	[esp+0F8h+var_D8], eax
		mov	eax, edx
		and	eax, 2000h
		and	edx, 0A00h
		or	eax, 10h
		or	[esp+0F8h+var_EC], eax
		cmp	edx, 0A00h
		jnz	loc_8370CC
		or	[esp+0F8h+var_EC], 800h
		jmp	loc_8370CC
; 

loc_83747E:				; CODE XREF: RtlpSetSecurityObject+227j
		mov	ecx, [esp+0F8h+var_D4]
		cmp	word ptr [ecx+2], 0
		jge	short loc_8374F8
		mov	eax, [ecx+8]
		test	eax, eax
		jz	loc_924ED7
		lea	edi, [eax+ecx]

loc_837497:				; CODE XREF: RtlpSetSecurityObject+A4Bj
					; RtlpSetSecurityObject+EE429j
		mov	[esp+0F8h+var_B1], 1
		jmp	loc_836CFC
; 

loc_8374A1:				; CODE XREF: RtlpSetSecurityObject+605j
		movzx	edx, word ptr [eax+2]
		test	edi, edi
		jnz	loc_924F3F
		mov	ecx, [esp+0F8h+var_E4]
		mov	[esp+0F8h+var_EC], edx
		and	edx, 0A00h
		and	[esp+0F8h+var_EC], 2000h
		or	[esp+0F8h+var_EC], 8010h
		mov	[esp+0F8h+var_A9+1], ecx
		mov	ecx, [esp+0F8h+var_E0]
		cmp	edx, 0A00h
		jnz	loc_8370BF
		or	[esp+0F8h+var_EC], 800h
		jmp	loc_8370BF
; 

loc_8374EC:				; CODE XREF: RtlpSetSecurityObject+88Ej
		mov	eax, [esp+0F8h+var_D4]
		mov	edi, [eax+4]
		jmp	loc_837356
; 

loc_8374F8:				; CODE XREF: RtlpSetSecurityObject+9D7j
		mov	edi, [ecx+8]
		jmp	short loc_837497
; 

loc_8374FD:				; CODE XREF: RtlpSetSecurityObject+6E4j
		mov	[esp+0F8h+var_E4], eax
		jmp	loc_836BC0
; 

loc_837506:				; CODE XREF: RtlpSetSecurityObject+7B8j
		xor	ecx, ecx
		jmp	loc_837285
; 

loc_83750D:				; CODE XREF: RtlpSetSecurityObject+7CCj
		xor	ecx, ecx
		jmp	loc_837285
; 

loc_837514:				; CODE XREF: RtlpSetSecurityObject+7C1j
		mov	ecx, [esi+10h]
		jmp	loc_837285
RtlpSetSecurityObject endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2403. RtlValidSid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlValidSid(x)
		public _RtlValidSid@4
_RtlValidSid@4	proc near		; CODE XREF: AdtpPackageParameters+30Ep
					; SepValidateCAPID(x)+11p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		cmp	ecx, ds:_MmUserProbeAddress
		jbe	short loc_837548
		test	ecx, ecx
		jz	short loc_837548
		mov	al, [ecx]
		and	al, 0Fh
		cmp	al, 1
		jnz	short loc_837548
		cmp	byte ptr [ecx+1], 0Fh
		ja	short loc_837548

loc_837544:				; CODE XREF: RtlValidSid(x)+28j
		pop	ebp
		retn	4
; 

loc_837548:				; CODE XREF: RtlValidSid(x)+Ej
					; RtlValidSid(x)+12j ...
		xor	al, al
		jmp	short loc_837544
_RtlValidSid@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall RtlpApplyAclToObject(x, x)
_RtlpApplyAclToObject@8	proc near	; CODE XREF: ExpWnfSpecializeSecurityDescriptor(x)+3Dp
					; ExpWnfSpecializeSecurityDescriptor(x)+6Bp ...
		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		test	edi, edi
		jz	short loc_8375C6
		push	esi
		xor	ecx, ecx
		lea	eax, [edi+8]
		xor	esi, esi
		cmp	cx, [edi+4]
		jnb	short loc_8375C5
		lea	ebx, [ebx+0]

loc_837570:				; CODE XREF: RtlpApplyAclToObject(x,x)+73j
		mov	cl, [eax]
		cmp	cl, 8
		ja	short loc_8375C9

loc_837577:				; CODE XREF: RtlpApplyAclToObject(x,x)+7Cj
					; RtlpApplyAclToObject(x,x)+86j
		test	byte ptr [eax+1], 8
		jnz	short loc_8375B6
		mov	edx, [eax+4]
		test	edx, edx
		js	short loc_8375D8

loc_837584:				; CODE XREF: RtlpApplyAclToObject(x,x)+91j
		test	edx, 40000000h
		jnz	short loc_8375EF

loc_83758C:				; CODE XREF: RtlpApplyAclToObject(x,x)+A9j
		test	edx, 20000000h
		jnz	short loc_8375E3

loc_837594:				; CODE XREF: RtlpApplyAclToObject(x,x)+9Dj
		test	edx, 10000000h
		jz	short loc_83759F
		or	edx, [ebx+0Ch]

loc_83759F:				; CODE XREF: RtlpApplyAclToObject(x,x)+4Aj
		and	edx, 0FFFFFFFh
		mov	[eax+4], edx
		mov	cl, [eax]
		test	cl, cl
		jnz	short loc_8375FB

loc_8375AE:				; CODE XREF: RtlpApplyAclToObject(x,x)+AEj
					; RtlpApplyAclToObject(x,x)+B3j ...
		mov	ecx, [ebx+0Ch]

loc_8375B1:				; CODE XREF: RtlpApplyAclToObject(x,x)+D2j
		and	ecx, edx
		mov	[eax+4], ecx

loc_8375B6:				; CODE XREF: RtlpApplyAclToObject(x,x)+2Bj
					; RtlpApplyAclToObject(x,x)+84j
		movzx	ecx, word ptr [eax+2]
		inc	esi
		add	eax, ecx
		movzx	ecx, word ptr [edi+4]
		cmp	esi, ecx
		jb	short loc_837570

loc_8375C5:				; CODE XREF: RtlpApplyAclToObject(x,x)+18j
		pop	esi

loc_8375C6:				; CODE XREF: RtlpApplyAclToObject(x,x)+Aj
		pop	edi
		pop	ebx
		retn
; 

loc_8375C9:				; CODE XREF: RtlpApplyAclToObject(x,x)+25j
		cmp	cl, 0Ah
		jbe	short loc_837577
		sub	cl, 0Dh
		cmp	cl, 1
		ja	short loc_8375B6
		jmp	short loc_837577
; 

loc_8375D8:				; CODE XREF: RtlpApplyAclToObject(x,x)+32j
		mov	ecx, [ebx]
		or	ecx, edx
		mov	[eax+4], ecx
		mov	edx, ecx
		jmp	short loc_837584
; 

loc_8375E3:				; CODE XREF: RtlpApplyAclToObject(x,x)+42j
		mov	ecx, [ebx+8]
		or	ecx, edx
		mov	[eax+4], ecx
		mov	edx, ecx
		jmp	short loc_837594
; 

loc_8375EF:				; CODE XREF: RtlpApplyAclToObject(x,x)+3Aj
		mov	ecx, [ebx+4]
		or	ecx, edx
		mov	[eax+4], ecx
		mov	edx, ecx
		jmp	short loc_83758C
; 

loc_8375FB:				; CODE XREF: RtlpApplyAclToObject(x,x)+5Cj
		cmp	cl, 9
		jz	short loc_8375AE
		cmp	cl, 1
		jz	short loc_8375AE
		cmp	cl, 4
		jz	short loc_8375AE
		cmp	cl, 5
		jz	short loc_8375AE
		cmp	cl, 6
		jz	short loc_8375AE
		cmp	cl, 0Ah
		jz	short loc_8375AE
		mov	ecx, [ebx+0Ch]
		or	ecx, 1000000h
		jmp	short loc_8375B1
_RtlpApplyAclToObject@8	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2017. RtlCreateUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlCreateUnicodeString(int,void	*)
		public RtlCreateUnicodeString
RtlCreateUnicodeString proc near	; CODE XREF: EtwpCaptureString+B1p
					; EtwpStartLogger+B36p	...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008376C4 SIZE 00000004 BYTES

		push	10h
		push	offset dword_6A6890
		call	__SEH_prolog4
		mov	ecx, [ebp+arg_4]
		lea	edx, [ecx+2]
		xor	edi, edi

loc_83763E:				; CODE XREF: RtlCreateUnicodeString+1Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_83763E
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ecx+ecx]
		mov	[ebp+var_1C], eax
		lea	ebx, [eax+2]
		cmp	ebx, 0FFFEh
		ja	short loc_8376C4
		test	ebx, ebx
		jz	short loc_8376C4
		push	ebx
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	esi, [ebp+arg_0]
		mov	[esi+4], eax
		test	eax, eax
		jz	short loc_8376C4
		mov	[ebp+ms_exc.disabled], edi
		mov	[ebp+var_20], 1
		mov	[esi+2], bx
		push	ebx		; size_t
		push	[ebp+arg_4]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_1C]
		mov	[esi], ax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_20], 0
		call	sub_8376BA
		mov	al, 1

loc_8376A8:				; CODE XREF: RtlCreateUnicodeString+9Cj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
RtlCreateUnicodeString endp


;  S U B	R O U T	I N E 


sub_8376BA	proc near		; CODE XREF: RtlCreateUnicodeString+77p
					; sub_92554C+5j

; FUNCTION CHUNK AT 00925556 SIZE 0000000C BYTES

		cmp	[ebp-20h], edi
		jnz	loc_925556
		retn
sub_8376BA	endp

; 
; START	OF FUNCTION CHUNK FOR RtlCreateUnicodeString

loc_8376C4:				; CODE XREF: RtlCreateUnicodeString+32j
					; RtlCreateUnicodeString+36j ...
		xor	al, al
		jmp	short loc_8376A8
; END OF FUNCTION CHUNK	FOR RtlCreateUnicodeString
; 
		align 10h
; Exported entry 2045. RtlDuplicateUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlDuplicateUnicodeString
RtlDuplicateUnicodeString proc near	; CODE XREF: DrvDbGetObjectDatabaseNode+79p
					; MiResolveImageReferences+321p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00837842 SIZE 00000008 BYTES
; FUNCTION CHUNK AT 00925562 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A68B0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_1C], 0
		xor	edi, edi
		mov	[ebp+arg_0], edi
		xor	ecx, ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_28], 1
		test	esi, 0FFFFFFFCh
		jnz	loc_92556A
		cmp	[ebp+arg_8], ecx
		jz	loc_92556A
		mov	eax, esi
		and	eax, 2
		mov	[ebp+arg_0], eax
		and	esi, 1
		test	eax, eax
		jnz	loc_925562

loc_837748:				; CODE XREF: RtlDuplicateUnicodeString+EDE94j
		mov	eax, [ebp+arg_4]
		push	eax
		push	0
		call	_RtlValidateUnicodeString@8 ; RtlValidateUnicodeString(x,x)
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		js	loc_837846
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_83776A
		movzx	edi, word ptr [eax]

loc_83776A:				; CODE XREF: RtlDuplicateUnicodeString+95j
		movzx	eax, di
		test	esi, esi
		jz	short loc_83777F
		mov	ecx, 0FFFEh
		cmp	di, cx
		jz	loc_925577

loc_83777F:				; CODE XREF: RtlDuplicateUnicodeString+9Fj
		mov	ebx, eax
		test	esi, esi
		jz	loc_837826
		lea	eax, [ebx+2]
		movzx	eax, ax

loc_83778F:				; CODE XREF: RtlDuplicateUnicodeString+159j
		mov	[ebp+var_20], eax
		cmp	[ebp+arg_0], 0
		jnz	short loc_8377A1
		test	di, di
		jz	loc_83782E

loc_8377A1:				; CODE XREF: RtlDuplicateUnicodeString+C6j
		test	ax, ax
		jz	loc_837842
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	ecx, eax
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	loc_925584
		test	di, di
		jz	short loc_8377DC
		push	ebx		; size_t
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+4]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+arg_0]

loc_8377DC:				; CODE XREF: RtlDuplicateUnicodeString+F6j
		test	esi, esi
		jz	short loc_8377E8
		shr	ebx, 1
		xor	eax, eax
		mov	[ecx+ebx*2], ax

loc_8377E8:				; CODE XREF: RtlDuplicateUnicodeString+10Ej
					; RtlDuplicateUnicodeString+174j
		mov	edx, [ebp+var_20]

loc_8377EB:				; CODE XREF: RtlDuplicateUnicodeString+165j
		mov	eax, [ebp+arg_8]
		mov	[eax+2], dx
		mov	[eax], di
		mov	[eax+4], ecx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx

loc_8377FD:				; CODE XREF: RtlDuplicateUnicodeString+178j
					; RtlDuplicateUnicodeString+EDEA2j ...
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	[ebp+var_28], 0
		call	sub_837837
		mov	eax, ebx
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_837826:				; CODE XREF: RtlDuplicateUnicodeString+B3j
		movzx	eax, di
		jmp	loc_83778F
; 

loc_83782E:				; CODE XREF: RtlDuplicateUnicodeString+CBj
		xor	edx, edx
		mov	[ebp+var_20], edx
		xor	ecx, ecx
		jmp	short loc_8377EB
RtlDuplicateUnicodeString endp


;  S U B	R O U T	I N E 


sub_837837	proc near		; CODE XREF: RtlDuplicateUnicodeString+13Bp
					; sub_925591+6j

; FUNCTION CHUNK AT 0092559C SIZE 00000013 BYTES

		cmp	dword ptr [ebp-28h], 0
		jnz	loc_92559C

locret_837841:				; CODE XREF: sub_837837+EDD67j
					; sub_837837+EDD73j
		retn
sub_837837	endp

; 
; START	OF FUNCTION CHUNK FOR RtlDuplicateUnicodeString

loc_837842:				; CODE XREF: RtlDuplicateUnicodeString+D4j
		xor	ecx, ecx
		jmp	short loc_8377E8
; 

loc_837846:				; CODE XREF: RtlDuplicateUnicodeString+8Aj
					; RtlDuplicateUnicodeString+EDEAFj
		xor	ecx, ecx
		jmp	short loc_8377FD
; END OF FUNCTION CHUNK	FOR RtlDuplicateUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpAllocateStringRoutine(x)
_ExpAllocateStringRoutine@4 proc near	; CODE XREF: PnpDuplicateUnicodeString(x,x)+13p
					; RtlAnsiStringToUnicodeString+C3p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	67727453h
		push	[ebp+arg_0]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	4
_ExpAllocateStringRoutine@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlCreateSecurityDescriptorRelative(x, x)
_RtlCreateSecurityDescriptorRelative@8 proc near ; CODE	XREF: RtlpSetSecurityObject+35Dp
					; SeQuerySecurityDescriptorInfo+39Ap ...
		mov	edi, edi
		push	edi
		xor	eax, eax
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	byte ptr [ecx],	1
		pop	edi
		retn
_RtlCreateSecurityDescriptorRelative@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2508. SeSetSecurityDescriptorInfo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeSetSecurityDescriptorInfo(x, x, x, x, x, x)
		public _SeSetSecurityDescriptorInfo@24
_SeSetSecurityDescriptorInfo@24	proc near ; CODE XREF: ObSetSecurityDescriptorInfo+53p
					; IopSetDeviceSecurityDescriptor+79p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		xor	ecx, ecx
		cmp	[eax], ecx
		jz	short loc_8378A5
		mov	edx, [ebp+arg_4]
		push	ecx
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		mov	edx, [edx]
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	eax
		push	[ebp+arg_8]
		call	RtlpSetSecurityObject

loc_8378A1:				; CODE XREF: SeSetSecurityDescriptorInfo(x,x,x,x,x,x)+30j
		pop	ebp
		retn	18h
; 

loc_8378A5:				; CODE XREF: SeSetSecurityDescriptorInfo(x,x,x,x,x,x)+Cj
		mov	eax, 0C00000D7h
		jmp	short loc_8378A1
_SeSetSecurityDescriptorInfo@24	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1646. ObSetSecurityDescriptorInfo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObSetSecurityDescriptorInfo
ObSetSecurityDescriptorInfo proc near	; CODE XREF: WmipSecurityMethod+92p
					; SeDefaultObjectMethod+D4p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 009255AF SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		and	[ebp+var_8], esi
		dec	word ptr [eax+13Ch]
		lea	ebx, [edi-4]
		mov	[ebp+var_10], ebx
		nop
		lea	eax, [edi-10h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_14], eax
		call	ExAcquirePushLockExclusiveEx
		push	[ebp+arg_14]
		mov	ebx, [ebx]
		lea	eax, [ebp+var_4]
		push	[ebp+arg_10]
		and	ebx, 0FFFFFFF8h
		push	eax
		push	[ebp+arg_8]
		mov	[ebp+var_4], ebx
		push	[ebp+arg_4]
		push	edi
		call	_SeSetSecurityDescriptorInfo@24	; SeSetSecurityDescriptorInfo(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8379B2
		push	8
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_4]
		call	ObLogSecurityDescriptor
		mov	edi, eax
		test	edi, edi
		js	short loc_83796A
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_C]
		call	_SeComputeQuotaInformationSize@8 ; SeComputeQuotaInformationSize(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_83796A
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+arg_0]
		call	_ObAdjustSecurityQuota@8 ; ObAdjustSecurityQuota(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_83796A
		mov	eax, [ebp+var_8]
		mov	ecx, eax
		or	ecx, 7
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, [ebp+var_10]
		xchg	eax, [ecx]
		and	[ebp+var_8], esi
		test	ebx, ebx
		jz	short loc_83796A
		mov	esi, eax
		and	esi, 7
		inc	esi

loc_83796A:				; CODE XREF: ObSetSecurityDescriptorInfo+74j
					; ObSetSecurityDescriptorInfo+85j ...
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[ebp+var_8], 0
		jnz	loc_9255AF

loc_83798A:				; CODE XREF: ObSetSecurityDescriptorInfo+EDD07j
		test	ebx, ebx
		jz	short loc_837999
		test	esi, esi
		jz	short loc_837999
		push	esi
		push	ebx
		call	ObDereferenceSecurityDescriptor

loc_837999:				; CODE XREF: ObSetSecurityDescriptorInfo+DAj
					; ObSetSecurityDescriptorInfo+DEj
		cmp	[ebp+var_4], 0
		jz	short loc_8379A9
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8379A9:				; CODE XREF: ObSetSecurityDescriptorInfo+EBj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_8379B2:				; CODE XREF: ObSetSecurityDescriptorInfo+5Cj
		and	[ebp+var_4], esi
		jmp	short loc_83796A
ObSetSecurityDescriptorInfo endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObQuerySecurityDescriptorInfo(x, x,	x, x, x)
_ObQuerySecurityDescriptorInfo@20 proc near ; CODE XREF: WmipSecurityMethod+7Bp
					; WmipSecurityMethod+CEp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		add	ecx, 0FFFFFFE8h
		mov	esi, edx
		call	ObpReferenceSecurityDescriptor
		mov	edi, eax
		lea	eax, [ebp+var_4]
		push	eax		; void *
		push	[ebp+arg_4]	; int
		mov	[ebp+var_4], edi
		push	[ebp+arg_0]	; int
		push	esi		; int
		call	SeQuerySecurityDescriptorInfo
		mov	esi, eax
		test	edi, edi
		jz	short loc_8379ED
		push	1
		push	edi
		call	ObDereferenceSecurityDescriptor

loc_8379ED:				; CODE XREF: ObQuerySecurityDescriptorInfo(x,x,x,x,x)+2Bj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	0Ch
_ObQuerySecurityDescriptorInfo@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1644. ObReleaseObjectSecurity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObReleaseObjectSecurity(x, x)
		public _ObReleaseObjectSecurity@8
_ObReleaseObjectSecurity@8 proc	near	; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+24Bp
					; MiAllowImageMap(x,x,x,x)+13Ap ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_837A14
		cmp	[ebp+arg_4], 0
		jnz	short loc_837A18
		push	1
		push	eax
		call	ObDereferenceSecurityDescriptor

loc_837A14:				; CODE XREF: ObReleaseObjectSecurity(x,x)+Aj
					; ObReleaseObjectSecurity(x,x)+26j
		pop	ebp
		retn	8
; 

loc_837A18:				; CODE XREF: ObReleaseObjectSecurity(x,x)+10j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_837A14
_ObReleaseObjectSecurity@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAppendAceToTokenObjectAcl proc near	; CODE XREF: SepFinalizeTokenAcls(x)+Ep
					; SeCopyClientToken+A9p ...

var_44		= dword	ptr -44h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= dword	ptr -11h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009255BE SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		push	ebx
		push	edi
		lea	edi, [ebp+var_11+1]
		mov	[ebp+var_2C], edx
		stosd
		lea	edx, [ebp+var_18]
		push	0
		mov	[ebp+var_30], ecx
		mov	[ebp+var_18], 0
		stosd
		mov	byte ptr [ebp+var_11], 0
		mov	[ebp+var_28], 0
		mov	[ebp+var_20], 0
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_44]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_11]
		push	eax
		call	ObpGetObjectSecurity
		mov	ebx, [ebp+var_18]
		mov	edi, eax
		test	edi, edi
		js	short loc_837ACA
		test	ebx, ebx
		jz	short loc_837AE2
		movzx	eax, word ptr [ebx+2]
		test	al, 4
		jz	short loc_837ACA
		push	esi
		test	ax, ax
		jns	loc_9255BE
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	short loc_837AC9
		lea	esi, [eax+ebx]

loc_837AB2:				; CODE XREF: SepAppendAceToTokenObjectAcl+EDB91j
		mov	[ebp+var_24], esi
		test	esi, esi
		jz	short loc_837AC9
		mov	edx, [ebp+var_1C]
		mov	ecx, esi
		push	0
		call	RtlFindAceBySid
		test	eax, eax
		jz	short loc_837AF4

loc_837AC9:				; CODE XREF: SepAppendAceToTokenObjectAcl+7Dj
					; SepAppendAceToTokenObjectAcl+87j ...
		pop	esi

loc_837ACA:				; CODE XREF: SepAppendAceToTokenObjectAcl+60j
					; SepAppendAceToTokenObjectAcl+6Cj
		test	ebx, ebx
		jz	short loc_837AE0
		cmp	byte ptr [ebp+var_11], 0
		jnz	loc_9255D0
		push	1
		push	ebx
		call	ObDereferenceSecurityDescriptor

loc_837AE0:				; CODE XREF: SepAppendAceToTokenObjectAcl+9Cj
					; SepAppendAceToTokenObjectAcl+EDBA8j
		mov	eax, edi

loc_837AE2:				; CODE XREF: SepAppendAceToTokenObjectAcl+64j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_837AF4:				; CODE XREF: SepAppendAceToTokenObjectAcl+97j
		push	2
		push	0Ch
		lea	eax, [ebp+var_11+1]
		push	eax
		push	esi
		call	_RtlQueryInformationAcl@16 ; RtlQueryInformationAcl(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_837AC9
		push	1
		push	4
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	_RtlQueryInformationAcl@16 ; RtlQueryInformationAcl(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_837AC9
		push	[ebp+var_1C]
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	edi, [ebp+var_C]
		add	edi, 0Bh
		add	edi, eax
		push	63416553h
		and	edi, 0FFFFFFFCh
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_9255C6
		mov	esi, [ebp+var_20]
		push	esi		; int
		push	edi		; size_t
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_837BDC
		lea	eax, [ebp+var_28]
		push	eax
		push	0
		push	[ebp+var_24]
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_837BDC
		mov	eax, [ebp+var_C]
		add	eax, 0FFFFFFF8h
		push	eax
		push	[ebp+var_28]
		push	0
		push	esi
		push	[ebp+var_18]
		call	RtlAddAce
		mov	edi, eax
		test	edi, edi
		js	short loc_837BDC
		push	0
		push	[ebp+var_1C]
		mov	edx, esi
		mov	esi, [ebp+var_18]
		push	[ebp+var_2C]
		mov	ecx, esi
		push	0
		call	RtlpAddKnownAce
		mov	edi, eax
		test	edi, edi
		js	short loc_837BDC
		push	1
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_837BDC
		push	0
		push	esi
		push	1
		lea	eax, [ebp+var_44]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	edi, eax
		test	edi, edi
		js	short loc_837BDC
		lea	eax, [ebp+var_44]
		push	eax
		push	4
		push	[ebp+var_30]
		call	_ObSetSecurityObjectByPointer@12 ; ObSetSecurityObjectByPointer(x,x,x)
		mov	edi, eax

loc_837BDC:				; CODE XREF: SepAppendAceToTokenObjectAcl+126j
					; SepAppendAceToTokenObjectAcl+13Ej ...
		push	0
		push	[ebp+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_837AC9
SepAppendAceToTokenObjectAcl endp

; 
		align 10h
; Exported entry 1619. ObDereferenceSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObDereferenceSecurityDescriptor
ObDereferenceSecurityDescriptor	proc near ; CODE XREF: IopCompleteUnloadOrDelete+6Dp
					; ExpWnfDeleteNameInstance+19Cp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009255DD SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		add	edi, 0FFFFFFF0h
		mov	edx, [edi+4]
		lea	esi, [edi+4]
		mov	ecx, edx
		sub	ecx, ebx
		test	ecx, ecx
		jle	short loc_837C29

loc_837C10:				; CODE XREF: ObDereferenceSecurityDescriptor+DCj
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	ecx, eax
		cmp	ecx, edx
		jnz	loc_837CC6

loc_837C20:				; CODE XREF: ObDereferenceSecurityDescriptor+106j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_837C29:				; CODE XREF: ObDereferenceSecurityDescriptor+1Ej
					; ObDereferenceSecurityDescriptor+E2j
		jnz	loc_837D04

loc_837C2F:				; CODE XREF: ObDereferenceSecurityDescriptor+11Bj
		movzx	eax, byte ptr [edi+8]
		lea	ecx, _ObsSecurityDescriptorCache[eax*8]
		lea	eax, [ecx+4]
		mov	[ebp+arg_4], ecx
		mov	[ebp+arg_0], eax
		mov	eax, large fs:124h
		mov	[ebp+var_4], eax
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, ebx
		neg	eax
		lock xadd [esi], eax
		sub	eax, ebx
		test	eax, eax
		jg	short loc_837CD7
		jnz	loc_9255DD
		mov	edx, [ebp+arg_0]
		mov	ecx, [edx]
		cmp	ecx, edi
		jz	short loc_837C86

loc_837C78:				; CODE XREF: ObDereferenceSecurityDescriptor+91j
		mov	eax, [ecx]
		mov	[ebp+arg_0], ecx
		mov	ecx, eax
		cmp	eax, edi
		jnz	short loc_837C78
		mov	edx, [ebp+arg_0]

loc_837C86:				; CODE XREF: ObDereferenceSecurityDescriptor+86j
		mov	eax, [edi]
		mov	esi, [ebp+arg_4]
		mov	[edx], eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_837CBD

loc_837C9A:				; CODE XREF: ObDereferenceSecurityDescriptor+D4j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		push	6353624Fh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_837CBD:				; CODE XREF: ObDereferenceSecurityDescriptor+A8j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_837C9A
; 

loc_837CC6:				; CODE XREF: ObDereferenceSecurityDescriptor+2Aj
		mov	edx, ecx
		sub	ecx, ebx
		test	ecx, ecx
		jg	loc_837C10
		jmp	loc_837C29
; 

loc_837CD7:				; CODE XREF: ObDereferenceSecurityDescriptor+77j
					; ObDereferenceSecurityDescriptor+ED9F4j
		mov	esi, [ebp+arg_4]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_837CFB

loc_837CE7:				; CODE XREF: ObDereferenceSecurityDescriptor+112j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	loc_837C20
; 

loc_837CFB:				; CODE XREF: ObDereferenceSecurityDescriptor+F5j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_837CE7
; 

loc_837D04:				; CODE XREF: ObDereferenceSecurityDescriptor:loc_837C29j
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_837C2F
ObDereferenceSecurityDescriptor	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpGetObjectSecurity proc near		; CODE XREF: MiAllowImageMap(x,x,x,x)+109p
					; ObpCheckObjectReference+4Bp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009255E9 SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ecx
		push	ebx
		push	esi
		mov	[ebp+var_C], eax
		mov	ebx, edx
		lea	esi, [eax-18h]
		push	edi
		mov	eax, esi
		shr	eax, 8
		movzx	edi, al
		movzx	eax, byte ptr [esi+0Ch]
		xor	edi, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edi, eax
		mov	edi, ds:_ObTypeIndexTable[edi*4]
		mov	[ebp+var_10], edi
		cmp	dword ptr [edi+6Ch], offset SeDefaultObjectMethod
		jnz	short loc_837D72
		mov	ecx, esi
		call	ObpReferenceSecurityDescriptor
		mov	[ebx], eax
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	0
		cmp	dword ptr [ebx], 0
		jz	loc_9255E9

loc_837D67:				; CODE XREF: ObpGetObjectSecurity+ED8E5j
		xor	eax, eax

loc_837D69:				; CODE XREF: ObpGetObjectSecurity+C8j
					; ObpGetObjectSecurity+ED8FDj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_837D72:				; CODE XREF: ObpGetObjectSecurity+3Dj
		mov	eax, _ObpDefaultSecurityDescriptorLength
		push	7153624Fh
		push	eax
		push	1
		mov	[ebp+var_8], 1BFh
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jz	loc_925635
		push	[ebp+arg_4]
		mov	eax, [ebp+arg_0]
		lea	edx, [esi+14h]
		mov	byte ptr [eax],	1
		lea	eax, [edi+34h]
		mov	ecx, [edi+6Ch]
		push	eax
		mov	eax, [edi+4Ch]
		mov	edi, [ebp+var_C]
		push	eax
		push	edx
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, [ebx]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		push	edi
		call	ecx
		mov	[ebp+var_C], eax
		cmp	eax, 0C0000023h
		jz	short loc_837DDF

loc_837DCD:				; CODE XREF: ObpGetObjectSecurity+12Cj
		test	eax, eax
		js	loc_9255FA
		cmp	dword ptr [ebx], 0
		jnz	short loc_837D69
		jmp	loc_925612
; 

loc_837DDF:				; CODE XREF: ObpGetObjectSecurity+BBj
		mov	eax, [ebx]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_0]
		push	7153624Fh
		mov	byte ptr [eax],	0
		mov	eax, [ebp+var_4]
		push	eax
		push	1
		mov	_ObpDefaultSecurityDescriptorLength, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jz	loc_925635
		mov	eax, [ebp+arg_0]
		push	[ebp+arg_4]
		mov	byte ptr [eax],	1
		mov	eax, [ebp+var_10]
		mov	ecx, [eax+6Ch]
		lea	edx, [eax+34h]
		mov	eax, [eax+4Ch]
		push	edx
		push	eax
		lea	eax, [esi+14h]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, [ebx]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		push	edi
		call	ecx
		mov	[ebp+var_C], eax
		jmp	short loc_837DCD
ObpGetObjectSecurity endp

; 
		align 10h

;  S U B	R O U T	I N E 


ObpReferenceSecurityDescriptor proc near ; CODE	XREF: ObpAdjustCreatorAccessState+68p
					; ObQuerySecurityDescriptorInfo(x,x,x,x,x)+Dp ...

; FUNCTION CHUNK AT 0092563F SIZE 00000016 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		mov	edx, [ebx+14h]
		push	esi
		push	edi
		lea	edi, [ebx+14h]
		test	dl, 7
		jz	short loc_837E5F

loc_837E52:				; CODE XREF: ObpReferenceSecurityDescriptor+80j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_837EBC

loc_837E5F:				; CODE XREF: ObpReferenceSecurityDescriptor+10j
					; ObpReferenceSecurityDescriptor+82j
		mov	esi, edx
		and	edx, 7
		and	esi, 0FFFFFFF8h
		cmp	edx, 1
		jbe	short loc_837E72

loc_837E6C:				; CODE XREF: ObpReferenceSecurityDescriptor+34j
					; ObpReferenceSecurityDescriptor+75j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_837E72:				; CODE XREF: ObpReferenceSecurityDescriptor+2Aj
		test	esi, esi
		jz	short loc_837E6C
		cmp	edx, 1
		jnz	short loc_837ECE
		mov	ecx, 7
		lea	eax, [esi-0Ch]
		lock xadd [eax], ecx
		test	ecx, ecx
		jg	short loc_837E92
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_837E92:				; CODE XREF: ObpReferenceSecurityDescriptor+49j
					; ObpReferenceSecurityDescriptor+D9j
		mov	ecx, [edi]
		mov	eax, ecx
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		ja	short loc_837EC4

loc_837EA1:				; CODE XREF: ObpReferenceSecurityDescriptor+ED80Aj
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	esi, eax
		jnz	short loc_837EC4
		lea	edx, [ecx+7]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_837E6C
		jmp	loc_92563F
; 

loc_837EBC:				; CODE XREF: ObpReferenceSecurityDescriptor+1Dj
		mov	edx, eax
		test	al, 7
		jnz	short loc_837E52
		jmp	short loc_837E5F
; 

loc_837EC4:				; CODE XREF: ObpReferenceSecurityDescriptor+5Fj
					; ObpReferenceSecurityDescriptor+68j ...
		push	7
		push	esi
		call	ObDereferenceSecurityDescriptor
		jmp	short loc_837E6C
; 

loc_837ECE:				; CODE XREF: ObpReferenceSecurityDescriptor+39j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		add	ebx, 8
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	esi, [edi]
		mov	ecx, 8
		and	esi, 0FFFFFFF8h
		lea	eax, [esi-0Ch]
		lock xadd [eax], ecx
		test	ecx, ecx
		jle	short loc_837F1E

loc_837EFD:				; CODE XREF: ObpReferenceSecurityDescriptor+E5j
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jnz	short loc_837F27

loc_837F0D:				; CODE XREF: ObpReferenceSecurityDescriptor+EEj
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_837E92
; 

loc_837F1E:				; CODE XREF: ObpReferenceSecurityDescriptor+BBj
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_837EFD
; 

loc_837F27:				; CODE XREF: ObpReferenceSecurityDescriptor+CBj
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_837F0D
ObpReferenceSecurityDescriptor endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2291. RtlQueryInformationAcl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlQueryInformationAcl(x, x, x, x)
		public _RtlQueryInformationAcl@16
_RtlQueryInformationAcl@16 proc	near	; CODE XREF: SepAppendAceToTokenDefaultDacl+58p
					; SepAppendAceToTokenDefaultDacl+70p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		mov	cl, [esi]
		mov	al, cl
		sub	al, 2
		cmp	al, 2
		ja	short loc_837FBE
		mov	eax, [ebp+arg_C]
		sub	eax, 1
		jz	short loc_837F97
		sub	eax, 1
		jnz	short loc_837FA7
		cmp	[ebp+arg_8], 0Ch
		jb	short loc_837FB7
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		call	_RtlFirstFreeAce@8 ; RtlFirstFreeAce(x,x)
		test	al, al
		jz	short loc_837FBE
		mov	ecx, [ebp+arg_4]
		movzx	eax, word ptr [esi+4]
		mov	[ecx], eax
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_837FAE
		sub	eax, esi
		mov	[ecx+4], eax
		movzx	edi, word ptr [esi+2]
		sub	edi, eax

loc_837F8C:				; CODE XREF: RtlQueryInformationAcl(x,x,x,x)+7Fj
		mov	[ecx+8], edi

loc_837F8F:				; CODE XREF: RtlQueryInformationAcl(x,x,x,x)+6Fj
		xor	eax, eax

loc_837F91:				; CODE XREF: RtlQueryInformationAcl(x,x,x,x)+76j
					; RtlQueryInformationAcl(x,x,x,x)+86j ...
		pop	edi
		pop	esi
		leave
		retn	10h
; 

loc_837F97:				; CODE XREF: RtlQueryInformationAcl(x,x,x,x)+20j
		cmp	[ebp+arg_8], 4
		jb	short loc_837FB7
		mov	eax, [ebp+arg_4]
		movzx	ecx, cl
		mov	[eax], ecx
		jmp	short loc_837F8F
; 

loc_837FA7:				; CODE XREF: RtlQueryInformationAcl(x,x,x,x)+25j
		mov	eax, 0C0000003h
		jmp	short loc_837F91
; 

loc_837FAE:				; CODE XREF: RtlQueryInformationAcl(x,x,x,x)+49j
		movzx	eax, word ptr [esi+2]
		mov	[ecx+4], eax
		jmp	short loc_837F8C
; 

loc_837FB7:				; CODE XREF: RtlQueryInformationAcl(x,x,x,x)+2Bj
					; RtlQueryInformationAcl(x,x,x,x)+65j
		mov	eax, 0C0000023h
		jmp	short loc_837F91
; 

loc_837FBE:				; CODE XREF: RtlQueryInformationAcl(x,x,x,x)+18j
					; RtlQueryInformationAcl(x,x,x,x)+39j
		mov	eax, 0C000000Dh
		jmp	short loc_837F91
_RtlQueryInformationAcl@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpSecurityMethod proc near		; DATA XREF: CmpCreateObjectTypes()+95o

var_66		= byte ptr -66h
var_65		= byte ptr -65h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 00925655 SIZE 0000006A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	ecx, 8
		mov	[esp+6Ch+var_64], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+6Ch+var_58], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[esp+70h+var_48], eax
		mov	eax, [ebp+arg_1C]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	[esp+78h+var_4C], eax
		lea	edi, [esp+78h+var_28]
		xor	eax, eax
		mov	[esp+78h+var_50], esi
		rep stosd
		mov	[esp+78h+var_54], eax
		cmp	ds:_CmpTraceRoutine, eax
		jnz	loc_925655

loc_83802C:				; CODE XREF: CmpSecurityMethod+ED693j
		lea	eax, [esp+78h+var_60]
		mov	[esp+78h+var_65], 0
		mov	[esp+78h+var_5C], eax
		lea	edi, [esp+78h+var_44]
		mov	[esp+78h+var_60], eax
		mov	ecx, 7
		xor	eax, eax
		rep stosd
		cmp	ds:_CmpTraceRoutine, eax
		jnz	loc_925668

loc_838056:				; CODE XREF: CmpSecurityMethod+ED69Aj
					; CmpSecurityMethod+ED6A7j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		cmp	_CmpCallBackCount, 0
		mov	edi, [ebp+arg_4]
		jz	short loc_8380C3
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_8380C3
		cmp	edi, 1
		jnz	loc_83814D
		mov	eax, [esp+78h+var_64]
		lea	ecx, [edi+23h]
		mov	[esp+78h+var_40], eax
		mov	eax, [esp+78h+var_58]
		mov	[esp+78h+var_38], eax
		lea	eax, [edi+24h]

loc_838094:				; CODE XREF: CmpSecurityMethod+193j
		lea	edx, [esp+78h+var_60]
		mov	[esp+78h+var_3C], esi
		push	edx
		push	ebx
		push	eax
		push	1
		push	0
		lea	edx, [esp+8Ch+var_44]
		mov	[esp+8Ch+var_44], ebx
		call	CmpCallCallBacksEx
		mov	esi, eax
		test	esi, esi
		js	loc_92567C
		mov	esi, [esp+78h+var_50]
		mov	[esp+78h+var_65], 1

loc_8380C3:				; CODE XREF: CmpSecurityMethod+95j
					; CmpSecurityMethod+A3j ...
		cmp	edi, 1
		jnz	short loc_83812D
		mov	edx, [esp+78h+var_64]
		push	ecx
		push	[esp+7Ch+var_58]
		mov	ecx, ebx
		push	esi
		call	CmpQueryKeySecurity

loc_8380D9:				; CODE XREF: CmpSecurityMethod+17Bj
					; CmpSecurityMethod+1BFj
		mov	esi, eax
		test	esi, esi
		js	short loc_8380E1

loc_8380DF:				; CODE XREF: CmpSecurityMethod+1A7j
		xor	esi, esi

loc_8380E1:				; CODE XREF: CmpSecurityMethod+10Dj
		cmp	[esp+78h+var_65], 0
		jz	short loc_838104
		cmp	edi, 1
		jnz	short loc_838168
		lea	ecx, [edi+24h]

loc_8380F0:				; CODE XREF: CmpSecurityMethod+19Fj
		lea	eax, [esp+78h+var_60]
		mov	edx, ebx
		push	eax
		lea	eax, [esp+7Ch+var_44]
		push	eax
		push	esi
		call	_CmPostCallbackNotification@20 ; CmPostCallbackNotification(x,x,x,x,x)
		mov	esi, eax

loc_838104:				; CODE XREF: CmpSecurityMethod+116j
					; CmpSecurityMethod+19Aj ...
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, ds:_CmpTraceRoutine
		test	ecx, ecx
		jnz	loc_92569F

loc_838117:				; CODE XREF: CmpSecurityMethod+ED6EAj
		mov	ecx, [esp+78h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_83812D:				; CODE XREF: CmpSecurityMethod+F6j
		mov	eax, edi
		sub	eax, 0
		jnz	short loc_838174
		push	[esp+78h+var_4C]
		mov	edx, [esp+7Ch+var_64]
		mov	ecx, ebx
		push	[ebp+arg_18]
		push	[esp+80h+var_48]
		push	esi
		call	_CmpSetKeySecurity@24 ;	CmpSetKeySecurity(x,x,x,x,x,x)
		jmp	short loc_8380D9
; 

loc_83814D:				; CODE XREF: CmpSecurityMethod+A8j
		test	edi, edi
		jnz	loc_8380C3
		mov	eax, [esp+78h+var_64]
		lea	ecx, [edi+26h]
		mov	[esp+78h+var_40], eax
		lea	eax, [edi+27h]
		jmp	loc_838094
; 

loc_838168:				; CODE XREF: CmpSecurityMethod+11Bj
		test	edi, edi
		jnz	short loc_838104
		lea	ecx, [edi+27h]
		jmp	loc_8380F0
; 

loc_838174:				; CODE XREF: CmpSecurityMethod+162j
		sub	eax, 2
		jz	loc_8380DF
		sub	eax, 1
		jnz	loc_92568F
		mov	edx, esi
		mov	ecx, ebx
		call	CmpAssignKeySecurity
		jmp	loc_8380D9
CmpSecurityMethod endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpQueryKeySecurity proc near		; CODE XREF: CmpSecurityMethod+104p

var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_6		= byte ptr -6
var_5		= byte ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009256BF SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_14], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_24]
		mov	[ebp+var_C], 0
		stosd
		mov	ebx, ecx
		mov	[ebp+var_5], 0
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [ebp+var_24+2], ax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	[ebp+var_6], al
		test	al, al
		jz	loc_9256BF
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edi, [ebx+8]
		lea	ecx, [ebp+var_24]
		mov	[ebp+var_5], 1
		mov	dx, [edi+22h]
		call	CmpStartKcbStack
		mov	esi, eax
		test	esi, esi
		js	short loc_83827C
		mov	edx, edi
		lea	ecx, [ebp+var_24]
		call	_CmpPopulateKcbStack@8 ; CmpPopulateKcbStack(x,x)
		test	esi, esi
		js	short loc_83827C
		lea	ecx, [ebp+var_24]
		call	_CmpLockKcbStackShared@4 ; CmpLockKcbStackShared(x)
		xor	edx, edx
		mov	ecx, ebx
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	short loc_838274
		cmp	dword ptr [ebx+20h], 0
		jnz	loc_9256D5
		cmp	dword ptr [ebx+24h], 0
		jnz	loc_9256D5
		mov	edi, [ebp+var_C]

loc_838248:				; CODE XREF: CmpQueryKeySecurity+ED55Fj
		push	0
		mov	edx, edi
		lea	ecx, [ebp+var_24]
		call	_CmpGetSecurityCacheEntryForKcbStack@12	; CmpGetSecurityCacheEntryForKcbStack(x,x,x)
		add	eax, 18h
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_10]
		push	eax		; void *
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		push	[ebp+var_14]	; int
		call	SeQuerySecurityDescriptorInfo
		mov	esi, eax
		test	esi, esi
		js	short loc_838274
		xor	esi, esi

loc_838274:				; CODE XREF: CmpQueryKeySecurity+8Fj
					; CmpQueryKeySecurity+D0j ...
		lea	ecx, [ebp+var_24]
		call	CmpUnlockKcbStack

loc_83827C:				; CODE XREF: CmpQueryKeySecurity+6Aj
					; CmpQueryKeySecurity+78j ...
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jnz	short loc_8382B5

loc_838283:				; CODE XREF: CmpQueryKeySecurity+11Aj
		cmp	[ebp+var_5], 0
		jz	short loc_83828E
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_83828E:				; CODE XREF: CmpQueryKeySecurity+E7j
		cmp	[ebp+var_6], 0
		jz	short loc_8382AA
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_8382AA:				; CODE XREF: CmpQueryKeySecurity+F2j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8382B5:				; CODE XREF: CmpQueryKeySecurity+E1j
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_838283
CmpQueryKeySecurity endp

; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 2492. SeQuerySecurityDescriptorInfo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SeQuerySecurityDescriptorInfo(int,int,int,void *)
		public SeQuerySecurityDescriptorInfo
SeQuerySecurityDescriptorInfo proc near	; CODE XREF: IopGetSetSecurityObject+31Ap
					; ObQuerySecurityDescriptorInfo(x,x,x,x,x)+22p	...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00925704 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A68D0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_30], 0
		mov	[ebp+var_34], 0
		mov	[ebp+var_38], 0
		mov	[ebp+var_28], 0
		mov	[ebp+var_4], 0
		mov	ecx, [ebp+arg_8]
		mov	edx, [ecx]
		mov	[ebp+var_3C], edx
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		test	eax, eax
		jz	loc_83865C
		mov	edx, [eax]
		mov	[ebp+var_54], edx
		mov	ecx, [eax+4]
		mov	[ebp+var_50], ecx
		mov	ecx, [eax+8]
		mov	[ebp+var_4C], ecx
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_48], ecx
		mov	ecx, [eax+10h]
		mov	[ebp+var_44], ecx
		movzx	ecx, word ptr [eax+2]
		mov	[ebp+var_24], ecx
		movzx	esi, cx
		test	si, si
		jns	loc_92570B
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	loc_925704
		add	ecx, eax
		mov	[ebp+arg_C], ecx
		mov	ecx, [ebp+var_24]
		mov	edi, [ebp+arg_C]

loc_838383:				; CODE XREF: SeQuerySecurityDescriptorInfo+ED441j
		mov	[ebp+var_50], edi
		mov	edi, [eax+8]
		test	si, si
		jns	short loc_838398
		test	edi, edi
		jz	loc_925716
		add	edi, eax

loc_838398:				; CODE XREF: SeQuerySecurityDescriptorInfo+BCj
					; SeQuerySecurityDescriptorInfo+ED448j
		mov	[ebp+var_20], edi
		mov	[ebp+var_4C], edi
		test	cl, 4
		jz	loc_92571D
		mov	ebx, [eax+10h]
		test	si, si
		jns	short loc_8383BB
		lea	ecx, [eax+ebx]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, ecx
		mov	ecx, [ebp+var_24]

loc_8383BB:				; CODE XREF: SeQuerySecurityDescriptorInfo+DDj
					; SeQuerySecurityDescriptorInfo+ED44Fj
		mov	[ebp+var_44], ebx
		test	cl, 10h
		jnz	loc_8385CF
		xor	ecx, ecx

loc_8383C9:				; CODE XREF: SeQuerySecurityDescriptorInfo+305j
					; SeQuerySecurityDescriptorInfo+313j
		mov	[ebp+var_24], ecx
		mov	[ebp+var_48], ecx
		shr	edx, 10h
		and	edx, 7FFFh
		mov	word ptr [ebp+var_54+2], dx
		mov	esi, 14h
		mov	[ebp+var_1C], esi
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		mov	eax, ecx
		and	eax, 80h
		mov	edx, ecx
		and	edx, 100h
		test	ecx, 10000h
		jnz	loc_838695

loc_838404:				; CODE XREF: SeQuerySecurityDescriptorInfo+3E0j
					; SeQuerySecurityDescriptorInfo+ED469j
		test	cl, 1
		jz	short loc_83842A
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_83842A
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_30], eax
		lea	esi, [eax+3]
		and	esi, 0FFFFFFFCh
		add	esi, 14h
		mov	[ebp+var_1C], esi

loc_83842A:				; CODE XREF: SeQuerySecurityDescriptorInfo+137j
					; SeQuerySecurityDescriptorInfo+13Ej
		test	cl, 2
		jz	short loc_83844C
		test	edi, edi
		jz	short loc_83844C
		movzx	eax, byte ptr [edi+1]
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_34], eax
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	esi, eax
		mov	[ebp+var_1C], esi

loc_83844C:				; CODE XREF: SeQuerySecurityDescriptorInfo+15Dj
					; SeQuerySecurityDescriptorInfo+161j
		mov	al, byte ptr [ebp+var_54+2]
		test	cl, 4
		jz	short loc_83846E
		test	al, 4
		jz	short loc_83846E
		test	ebx, ebx
		jz	short loc_83846E
		movzx	edx, word ptr [ebx+2]
		add	edx, 3
		and	edx, 0FFFFFFFCh
		mov	[ebp+var_38], edx
		add	esi, edx
		mov	[ebp+var_1C], esi

loc_83846E:				; CODE XREF: SeQuerySecurityDescriptorInfo+182j
					; SeQuerySecurityDescriptorInfo+186j ...
		and	ecx, 1F8h
		jz	short loc_83847E
		test	al, 10h
		jnz	loc_8385E8

loc_83847E:				; CODE XREF: SeQuerySecurityDescriptorInfo+1A4j
					; SeQuerySecurityDescriptorInfo+31Dj ...
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		cmp	esi, [ebp+var_3C]
		ja	loc_83860C
		xor	eax, eax
		mov	edi, [ebp+arg_4]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_4]
		mov	byte ptr [edi],	1
		mov	ecx, 8000h
		mov	ax, [edi+2]
		or	ax, cx
		movzx	ecx, ax
		mov	[edi+2], ax
		lea	esi, [edi+17h]
		and	esi, 0FFFFFFFCh
		mov	[ebp+var_2C], esi
		mov	eax, [ebp+arg_0]
		mov	edx, [eax]
		mov	eax, ecx
		test	dl, 1
		jz	short loc_838507
		mov	[ebp+arg_4], eax
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	loc_92573E
		push	[ebp+var_30]	; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, esi
		sub	eax, edi
		mov	[edi+4], eax
		mov	eax, [ebp+var_54+2]
		and	eax, 1
		or	[edi+2], ax
		mov	eax, [ebp+var_30]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	esi, eax
		mov	[ebp+var_2C], esi
		mov	eax, [ebp+arg_0]
		mov	edx, [eax]
		movzx	eax, word ptr [edi+2]

loc_838507:				; CODE XREF: SeQuerySecurityDescriptorInfo+1F2j
					; SeQuerySecurityDescriptorInfo+ED471j
		movzx	ecx, ax
		mov	[ebp+arg_4], ecx
		test	dl, 2
		jz	short loc_838557
		movzx	ecx, ax
		mov	[ebp+arg_4], ecx
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_838557
		push	[ebp+var_34]	; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, esi
		sub	eax, edi
		mov	[edi+8], eax
		mov	eax, [ebp+var_54+2]
		and	eax, 2
		or	[edi+2], ax
		mov	eax, [ebp+var_34]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	esi, eax
		mov	[ebp+var_2C], esi
		mov	eax, [ebp+arg_0]
		mov	edx, [eax]
		movzx	eax, word ptr [edi+2]
		mov	[ebp+arg_4], eax

loc_838557:				; CODE XREF: SeQuerySecurityDescriptorInfo+240j
					; SeQuerySecurityDescriptorInfo+24Dj
		mov	ecx, [ebp+var_54+2]
		test	dl, 4
		jz	short loc_838596
		mov	eax, ecx
		and	eax, 140Ch
		or	eax, [ebp+arg_4]
		mov	[edi+2], ax
		mov	al, cl
		test	al, 4
		jz	short loc_838599
		test	ebx, ebx
		jz	short loc_838599
		movzx	eax, word ptr [ebx+2]
		push	eax		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, esi
		sub	eax, edi
		mov	[edi+10h], eax
		add	esi, [ebp+var_38]
		mov	[ebp+var_2C], esi
		mov	ecx, [ebp+var_54+2]

loc_838596:				; CODE XREF: SeQuerySecurityDescriptorInfo+28Dj
		mov	al, byte ptr [ebp+var_54+2]

loc_838599:				; CODE XREF: SeQuerySecurityDescriptorInfo+2A1j
					; SeQuerySecurityDescriptorInfo+2A5j
		mov	edx, [ebp+arg_0]
		test	dword ptr [edx], 1F8h
		jz	short loc_8385B2
		and	ecx, 2830h
		or	[edi+2], cx
		test	al, 10h
		jnz	short loc_83862C

loc_8385B2:				; CODE XREF: SeQuerySecurityDescriptorInfo+2D2j
					; SeQuerySecurityDescriptorInfo+361j ...
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	eax, eax

loc_8385BB:				; CODE XREF: sub_925756+Dj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_8385CF:				; CODE XREF: SeQuerySecurityDescriptorInfo+F1j
		mov	ecx, [eax+0Ch]
		test	si, si
		jns	loc_8383C9
		add	eax, ecx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		jmp	loc_8383C9
; 

loc_8385E8:				; CODE XREF: SeQuerySecurityDescriptorInfo+1A8j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	loc_83847E
		push	ecx
		lea	ecx, [ebp+var_28]
		push	ecx
		xor	edx, edx
		mov	ecx, eax
		call	RtlpFilterSacl
		add	esi, [ebp+var_28]
		mov	[ebp+var_1C], esi
		jmp	loc_83847E
; 

loc_83860C:				; CODE XREF: SeQuerySecurityDescriptorInfo+1B6j
					; SeQuerySecurityDescriptorInfo+395j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, 0C0000023h
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_83862C:				; CODE XREF: SeQuerySecurityDescriptorInfo+2E0j
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jz	loc_8385B2
		mov	eax, [edx]
		and	eax, 1F8h
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		mov	edx, esi
		call	RtlpFilterSacl
		mov	eax, esi
		sub	eax, edi
		mov	[edi+0Ch], eax
		add	esi, [ebp+var_28]
		mov	[ebp+var_2C], esi
		jmp	loc_8385B2
; 

loc_83865C:				; CODE XREF: SeQuerySecurityDescriptorInfo+67j
		mov	dword ptr [ecx], 14h
		cmp	edx, 14h
		jb	short loc_83860C
		mov	ecx, [ebp+arg_4]
		call	_RtlCreateSecurityDescriptorRelative@8 ; RtlCreateSecurityDescriptorRelative(x,x)
		mov	eax, 8000h
		or	[ecx+2], ax
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	eax, eax
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_838695:				; CODE XREF: SeQuerySecurityDescriptorInfo+12Ej
		or	ecx, 1FFh
		mov	edi, [ebp+arg_0]
		mov	[edi], ecx
		test	eax, eax
		mov	edi, [ebp+var_20]
		mov	eax, [ebp+arg_0]
		jz	loc_925724

loc_8386AE:				; CODE XREF: SeQuerySecurityDescriptorInfo+ED45Cj
		test	edx, edx
		jnz	loc_838404
		jmp	loc_925731
SeQuerySecurityDescriptorInfo endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpFilterSacl	proc near		; CODE XREF: SeQuerySecurityDescriptorInfo+32Cp
					; SeQuerySecurityDescriptorInfo+375p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00925768 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	eax, ecx
		push	esi
		push	edi
		push	8
		pop	ecx
		mov	esi, ecx
		mov	[ebp+var_8], edx
		movzx	ecx, word ptr [eax+4]
		lea	edx, [eax+8]
		mov	[ebp+var_4], eax
		mov	edi, edx
		mov	[ebp+var_C], edx
		test	ecx, ecx
		jz	short loc_838716

loc_8386E7:				; CODE XREF: RtlpFilterSacl+58j
		movzx	eax, byte ptr [edi]
		add	eax, 0FFFFFFFEh
		cmp	eax, 13h
		ja	short loc_83872C
		movzx	eax, ds:byte_83881C[eax]
		jmp	ds:off_838800[eax*4]

loc_838700:				; DATA XREF: PAGE:00838804o
		test	bl, 10h

loc_838703:				; CODE XREF: RtlpFilterSacl+73j
					; RtlpFilterSacl+138j ...
		jz	short loc_83870B

loc_838705:				; CODE XREF: RtlpFilterSacl+129j
		movzx	eax, word ptr [edi+2]
		add	esi, eax

loc_83870B:				; CODE XREF: RtlpFilterSacl:loc_838703j
					; RtlpFilterSacl+123j
		movzx	eax, word ptr [edi+2]
		add	edi, eax
		sub	ecx, 1
		jnz	short loc_8386E7

loc_838716:				; CODE XREF: RtlpFilterSacl+29j
		mov	eax, [ebp+arg_0]
		add	esi, 3
		and	esi, 0FFFFFFFCh
		cmp	[eax], esi
		jnb	short loc_838731
		mov	[eax], esi

loc_838725:				; CODE XREF: RtlpFilterSacl+A6j
					; RtlpFilterSacl+10Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_83872C:				; CODE XREF: RtlpFilterSacl+34j
					; RtlpFilterSacl+3Dj
					; DATA XREF: ...
		test	bl, 8
		jmp	short loc_838703
; 

loc_838731:				; CODE XREF: RtlpFilterSacl+65j
		mov	edi, [ebp+var_8]
		xor	esi, esi
		mov	ecx, [ebp+var_4]
		push	8
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		lea	ecx, [edi+8]
		mov	[edi+4], eax
		xor	eax, eax
		mov	[edi+4], ax
		pop	eax
		mov	[edi+2], ax
		xor	edi, edi
		mov	eax, [ebp+var_4]
		mov	[ebp+arg_4], ecx
		cmp	di, [eax+4]
		mov	edi, [ebp+var_8]
		jnb	short loc_838725

loc_838764:				; CODE XREF: RtlpFilterSacl+112j
		movzx	eax, byte ptr [edx]
		add	eax, 0FFFFFFFEh
		cmp	eax, 13h
		ja	loc_92578F
		movzx	eax, ds:byte_83884C[eax]
		jmp	ds:off_838830[eax*4]

loc_838781:				; DATA XREF: PAGE:00838834o
		mov	eax, ebx
		shr	eax, 4

loc_838786:				; CODE XREF: RtlpFilterSacl+119j
					; RtlpFilterSacl+133j ...
		and	al, 1

loc_838788:				; CODE XREF: RtlpFilterSacl+ED0DEj
		test	al, al
		jz	short loc_8387D7
		movzx	eax, word ptr [edx+2]
		push	eax		; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcpy
		mov	edx, [ebp+var_C]
		add	esp, 0Ch
		inc	word ptr [edi+4]
		mov	ax, [edx+2]
		add	[edi+2], ax
		movzx	ecx, word ptr [edx+2]
		add	[ebp+arg_4], ecx
		mov	eax, ecx
		mov	ecx, [ebp+arg_4]

loc_8387B6:				; CODE XREF: RtlpFilterSacl+11Fj
		movzx	eax, ax
		inc	esi
		add	edx, eax
		mov	eax, [ebp+var_4]
		mov	[ebp+var_C], edx
		movzx	eax, word ptr [eax+4]
		cmp	esi, eax
		jnb	loc_838725
		jmp	short loc_838764
; 

loc_8387D0:				; CODE XREF: RtlpFilterSacl+BEj
					; DATA XREF: PAGE:off_838830o
		mov	eax, ebx
		shr	eax, 3
		jmp	short loc_838786
; 

loc_8387D7:				; CODE XREF: RtlpFilterSacl+CEj
					; RtlpFilterSacl+ED0D6j
		movzx	eax, word ptr [edx+2]
		jmp	short loc_8387B6
; 

loc_8387DD:				; CODE XREF: RtlpFilterSacl+3Dj
					; DATA XREF: PAGE:00838810o
		test	bl, bl
		jns	loc_83870B
		jmp	loc_838705
; 

loc_8387EA:				; CODE XREF: RtlpFilterSacl+BEj
					; DATA XREF: PAGE:00838840o
		mov	eax, ebx
		shr	eax, 7
		jmp	short loc_838786
; 

loc_8387F1:				; CODE XREF: RtlpFilterSacl+3Dj
					; DATA XREF: PAGE:00838808o
		test	bl, 20h
		jmp	loc_838703
; 

loc_8387F9:				; CODE XREF: RtlpFilterSacl+BEj
					; DATA XREF: PAGE:00838838o
		mov	eax, ebx
		shr	eax, 5
		jmp	short loc_838786
RtlpFilterSacl	endp

; 
off_838800	dd offset loc_83872C	; DATA XREF: RtlpFilterSacl+3Dr
		dd offset loc_838700
		dd offset loc_8387F1
		dd offset loc_925768
		dd offset loc_8387DD
		dd offset loc_925770
		dd offset loc_83872C
byte_83881C	db 0			; DATA XREF: RtlpFilterSacl+36r
		align 2
		dw 606h
		dd 6000006h, 60606h, 1000000h, 5040302h
off_838830	dd offset loc_8387D0	; DATA XREF: RtlpFilterSacl+BEr
		dd offset loc_838781
		dd offset loc_8387F9
		dd offset loc_92577B
		dd offset loc_8387EA
		dd offset loc_925785
		dd offset loc_92578F
byte_83884C	db 0			; DATA XREF: RtlpFilterSacl+B7r
		align 2
		dw 606h
		dd 6000006h, 60606h, 1000000h, 5040302h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObAdjustSecurityQuota(x, x)
_ObAdjustSecurityQuota@8 proc near	; CODE XREF: ObSetSecurityDescriptorInfo+8Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		add	ecx, 0FFFFFFE8h
		push	ebx
		mov	ebx, edx
		cmp	dword ptr [ecx+10h], 1
		jz	short loc_8388CC
		push	edi
		call	_OBJECT_HEADER_TO_QUOTA_INFO@4 ; OBJECT_HEADER_TO_QUOTA_INFO(x)
		mov	ecx, large fs:124h
		mov	edi, eax
		push	0
		mov	ecx, [ecx+80h]
		call	PsChargeSharedPoolQuota
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_8388D0
		push	esi
		mov	esi, [edi+0Ch]
		test	esi, esi
		jz	short loc_8388BF
		cmp	esi, 1
		jz	short loc_8388BF
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_8388B5
		push	eax
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	PspReturnQuota

loc_8388B5:				; CODE XREF: ObAdjustSecurityQuota(x,x)+47j
		mov	ecx, esi
		call	PspDereferenceQuotaBlock
		mov	eax, [ebp+var_4]

loc_8388BF:				; CODE XREF: ObAdjustSecurityQuota(x,x)+3Bj
					; ObAdjustSecurityQuota(x,x)+40j
		mov	[edi+0Ch], eax
		xor	eax, eax
		mov	[edi+8], ebx
		pop	esi

loc_8388C8:				; CODE XREF: ObAdjustSecurityQuota(x,x)+75j
		pop	edi

loc_8388C9:				; CODE XREF: ObAdjustSecurityQuota(x,x)+6Ej
		pop	ebx
		leave
		retn
; 

loc_8388CC:				; CODE XREF: ObAdjustSecurityQuota(x,x)+10j
		xor	eax, eax
		jmp	short loc_8388C9
; 

loc_8388D0:				; CODE XREF: ObAdjustSecurityQuota(x,x)+33j
		mov	eax, 0C0000044h
		jmp	short loc_8388C8
_ObAdjustSecurityQuota@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQueryObject	proc near		; CODE XREF: IopLoadDriver+3F9p
					; IopQueryRegistryKeySystemPath+ADp
					; DATA XREF: ...

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 009257C1 SIZE 00000047 BYTES
; FUNCTION CHUNK AT 0092583E SIZE 000000A5 BYTES
; FUNCTION CHUNK AT 00925912 SIZE 0000000D BYTES
; FUNCTION CHUNK AT 00925996 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A68F0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 0A4h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_40], 0
		mov	[ebp+var_3C], 0
		push	38h		; size_t
		push	0		; int
		lea	eax, [ebp+var_AC]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_54], 0
		mov	[ebp+var_50], 0
		mov	[ebp+arg_4], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_30], al
		test	al, al
		jz	short loc_838994
		mov	[ebp+var_4], 0
		lea	eax, [esi-4]
		neg	eax
		sbb	eax, eax
		and	eax, 3
		inc	eax
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jnz	loc_838D91

loc_83898D:				; CODE XREF: NtQueryObject+4C1j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_838994:				; CODE XREF: NtQueryObject+82j
		cmp	esi, 3
		jz	loc_9257C1
		mov	[ebp+var_44], 0
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		push	[ebp+var_30]
		push	0
		push	0
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_58], edi
		mov	ebx, [ebp+var_44]
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_20], edi
		test	edi, edi
		js	loc_838B7D
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_4C], eax
		lea	edx, [ebx-18h]
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edx+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	ecx, [ebp+var_3C]

loc_8389FB:				; CODE XREF: NtQueryObject+ECEF7j
		mov	[ebp+var_34], eax
		mov	[ebp+arg_0], eax
		mov	[ebp+var_28], edx
		cmp	esi, 4		; switch 5 cases
		ja	loc_925996	; default
		jmp	ds:off_838DE8[esi*4] ; switch jump

loc_838A14:				; DATA XREF: PAGE:off_838DE8o
		cmp	[ebp+arg_C], 38h ; case	0x0
		jnz	loc_9257DC
		mov	[ebp+var_94], 0
		mov	[ebp+var_90], 0
		mov	[ebp+var_8C], 0
		mov	[ebp+var_88], 0
		mov	[ebp+var_84], 0
		mov	[ebp+var_80], 0
		mov	esi, [ebp+var_40]
		mov	[ebp+var_AC], esi
		mov	al, [edx+0Fh]
		test	al, 10h
		jnz	loc_838C33

loc_838A6B:				; CODE XREF: NtQueryObject+35Cj
		test	al, 8
		jnz	loc_9257ED

loc_838A73:				; CODE XREF: NtQueryObject+ECF16j
		mov	[ebp+var_A8], ecx
		mov	eax, [edx+4]
		mov	[ebp+var_A4], eax
		mov	eax, [edx]
		mov	[ebp+var_A0], eax
		mov	ecx, edx
		call	_OBJECT_HEADER_TO_QUOTA_INFO@4 ; OBJECT_HEADER_TO_QUOTA_INFO(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_838D65
		mov	eax, [ecx]
		mov	[ebp+var_9C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_98], eax

loc_838AAC:				; CODE XREF: NtQueryObject+499j
		mov	edi, [ebp+arg_0]
		cmp	edi, _ObpSymbolicLinkObjectType
		jz	loc_9257FB
		xor	eax, eax
		mov	[ebp+var_7C], eax

loc_838AC0:				; CODE XREF: NtQueryObject+ECF23j
		mov	[ebp+var_78], eax
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	esi, [ebp+var_28]
		lea	ecx, [esi+8]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	al, [esi+0Eh]
		test	al, 2
		jnz	loc_838C41

loc_838AE0:				; CODE XREF: NtQueryObject+375j
					; NtQueryObject+382j
		xor	edx, edx
		mov	eax, 11h
		lea	ecx, [esi+8]
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	loc_838DA6

loc_838AF7:				; CODE XREF: NtQueryObject+4CEj
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	eax, eax

loc_838B03:				; CODE XREF: NtQueryObject+422j
		mov	[ebp+var_88], eax
		movzx	eax, word ptr [edi+8]
		add	eax, 62h
		mov	[ebp+var_84], eax
		test	[ebp+var_4C], 20000h
		jz	short loc_838B2B
		add	esi, 14h
		cmp	dword ptr [esi], 0
		jnz	loc_838BC6

loc_838B2B:				; CODE XREF: NtQueryObject+23Dj
					; NtQueryObject+30Bj
		mov	eax, [ebp+var_54]
		mov	[ebp+var_80], eax
		mov	[ebp+var_4], 1
		mov	ecx, 0Eh
		lea	esi, [ebp+var_AC]
		mov	edi, [ebp+arg_8]
		rep movsd
		mov	[ebp+arg_4], 38h
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	edi, [ebp+var_58]

loc_838B59:				; CODE XREF: NtQueryObject+2CCj
					; NtQueryObject+2E4j ...
		mov	[ebp+var_4], 4
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jnz	loc_838D87

loc_838B6B:				; CODE XREF: NtQueryObject+4ACj
		mov	[ebp+var_4], 0FFFFFFFEh

loc_838B72:				; CODE XREF: sub_925981+10j
		test	ebx, ebx
		jz	short loc_838B7D
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_838B7D:				; CODE XREF: NtQueryObject+EBj
					; NtQueryObject+294j
		mov	eax, edi

loc_838B7F:				; CODE XREF: sub_9257AF+Dj
					; NtQueryObject+ECF08j	...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_838B93:				; CODE XREF: NtQueryObject+12Dj
					; DATA XREF: PAGE:off_838DE8o
		push	[ebp+var_30]	; case 0x1
		lea	eax, [ebp+arg_4]
		push	eax
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_8]
		mov	ecx, ebx
		call	ObQueryNameStringMode
		mov	edi, eax
		mov	[ebp+var_20], edi
		jmp	short loc_838B59
; 

loc_838BAE:				; CODE XREF: NtQueryObject+12Dj
					; DATA XREF: PAGE:off_838DE8o
		lea	ecx, [ebp+arg_4] ; case	0x2
		push	ecx
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_8]
		mov	ecx, eax
		call	ObQueryTypeInfo
		mov	edi, eax
		mov	[ebp+var_20], edi
		jmp	short loc_838B59
; 

loc_838BC6:				; CODE XREF: NtQueryObject+245j
		mov	[ebp+var_50], 0Fh
		mov	ecx, [edi+4Ch]
		lea	eax, [edi+34h]
		push	[ebp+var_30]
		push	eax
		push	ecx
		push	esi
		lea	eax, [ebp+var_54]
		push	eax
		push	0
		lea	eax, [ebp+var_50]
		push	eax
		push	1
		push	ebx
		mov	eax, [edi+6Ch]
		call	eax
		jmp	loc_838B2B
; 

loc_838BF0:				; CODE XREF: NtQueryObject+12Dj
					; DATA XREF: PAGE:off_838DE8o
		mov	[ebp+var_4], 3	; case 0x4
		mov	[ebp+arg_4], 2
		cmp	[ebp+arg_C], 2
		jb	loc_925912
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	0
		mov	ecx, [ebp+var_40]
		test	cl, 2
		jnz	loc_838DB3

loc_838C1A:				; CODE XREF: NtQueryObject+4D6j
		mov	byte ptr [eax+1], 0
		test	cl, 1
		jnz	loc_838D7E

loc_838C27:				; CODE XREF: NtQueryObject+4A2j
					; NtQueryObject+ECF83j	...
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_838B59
; 

loc_838C33:				; CODE XREF: NtQueryObject+185j
		or	esi, 10h
		mov	[ebp+var_AC], esi
		jmp	loc_838A6B
; 

loc_838C41:				; CODE XREF: NtQueryObject+1FAj
		movzx	eax, al
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		mov	ecx, esi
		sub	ecx, eax
		mov	[ebp+arg_0], ecx
		jz	loc_838AE0
		mov	eax, [ecx]
		mov	[ebp+arg_C], eax
		test	eax, eax
		jz	loc_838AE0
		mov	ecx, eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	ecx, ecx
		mov	eax, 11h
		lea	edx, [esi+8]
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	loc_838DC7

loc_838C86:				; CODE XREF: NtQueryObject+4F1j
		mov	ecx, edx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+arg_0]
		movzx	ecx, word ptr [ecx+4]
		add	ecx, 2
		mov	[ebp+var_28], ecx

loc_838C9F:				; CODE XREF: NtQueryObject+480j
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_48], eax
		test	eax, eax
		jz	short loc_838CFC
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	eax, [ebp+arg_C]
		add	eax, 0FFFFFFF0h
		mov	[ebp+arg_0], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+arg_C]
		add	ecx, 0FFFFFFE8h
		mov	al, [ecx+0Eh]
		test	al, 2
		jnz	short loc_838D07

loc_838CCD:				; CODE XREF: NtQueryObject+436j
					; NtQueryObject+43Cj
		xor	edx, edx
		mov	eax, 11h
		mov	ecx, [ebp+arg_0]
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	loc_838DD6

loc_838CE4:				; CODE XREF: NtQueryObject+4FEj
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_838CFC
		mov	ecx, eax
		call	ObfDereferenceObject

loc_838CFC:				; CODE XREF: NtQueryObject+3C7j
					; NtQueryObject+413j
		mov	eax, [ebp+var_28]
		add	eax, 0Ah
		jmp	loc_838B03
; 

loc_838D07:				; CODE XREF: NtQueryObject+3EBj
		movzx	eax, al
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		jz	short loc_838CCD
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_838CCD
		movzx	eax, word ptr [ecx+4]
		mov	ecx, [ebp+var_28]
		add	ecx, 2
		add	ecx, eax
		mov	[ebp+var_28], ecx
		mov	eax, edx
		mov	[ebp+arg_C], eax
		mov	ecx, eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	ecx, ecx
		mov	eax, 11h
		mov	edx, [ebp+arg_0]
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	short loc_838DBB

loc_838D4C:				; CODE XREF: NtQueryObject+4E5j
		mov	ecx, edx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_48]
		call	ObfDereferenceObject
		jmp	loc_838C9F
; 

loc_838D65:				; CODE XREF: NtQueryObject+1B5j
		mov	[ebp+var_9C], 0
		mov	[ebp+var_98], 0
		jmp	loc_838AAC
; 

loc_838D7E:				; CODE XREF: NtQueryObject+341j
		mov	byte ptr [eax+1], 1
		jmp	loc_838C27
; 

loc_838D87:				; CODE XREF: NtQueryObject+285j
		mov	eax, [ebp+arg_4]
		mov	[ecx], eax
		jmp	loc_838B6B
; 

loc_838D91:				; CODE XREF: NtQueryObject+A7j
		mov	ecx, eax
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		jnb	short loc_838DE3

loc_838D9D:				; CODE XREF: NtQueryObject+505j
		mov	eax, [ecx]
		mov	[ecx], eax
		jmp	loc_83898D
; 

loc_838DA6:				; CODE XREF: NtQueryObject+211j
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	ecx, [esi+8]
		jmp	loc_838AF7
; 

loc_838DB3:				; CODE XREF: NtQueryObject+334j
		mov	byte ptr [eax],	1
		jmp	loc_838C1A
; 

loc_838DBB:				; CODE XREF: NtQueryObject+46Aj
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, [ebp+arg_0]
		jmp	short loc_838D4C
; 

loc_838DC7:				; CODE XREF: NtQueryObject+3A0j
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	edx, [esi+8]
		jmp	loc_838C86
; 

loc_838DD6:				; CODE XREF: NtQueryObject+3FEj
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+arg_0]
		jmp	loc_838CE4
; 

loc_838DE3:				; CODE XREF: NtQueryObject+4BBj
		mov	ecx, edx
		jmp	short loc_838D9D
NtQueryObject	endp

; 
		align 4
off_838DE8	dd offset loc_838A14	; DATA XREF: NtQueryObject+12Dr
		dd offset loc_838B93	; jump table for switch	statement
		dd offset loc_838BAE
		dd offset loc_92583E
		dd offset loc_838BF0

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpChargeQuotaForObject	proc near	; CODE XREF: ObInsertObjectEx(x,x,x,x,x,x,x)+63Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009259A7 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], edx
		mov	ebx, ecx
		mov	[ebp+var_8], edi
		call	_OBJECT_HEADER_TO_QUOTA_INFO@4 ; OBJECT_HEADER_TO_QUOTA_INFO(x)
		mov	esi, eax
		mov	al, [ebx+0Fh]
		test	al, 1
		jz	short loc_838E89
		and	al, 0FEh
		mov	[ebx+0Fh], al
		test	esi, esi
		jz	short loc_838E92
		mov	ecx, [esi]
		mov	eax, [esi+4]
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_10], eax
		test	ecx, ecx
		jnz	short loc_838E46
		mov	ecx, [ebx+14h]
		test	ecx, ecx
		jz	short loc_838E72
		and	ecx, 0FFFFFFF8h
		jz	short loc_838E72

loc_838E46:				; CODE XREF: ObpChargeQuotaForObject+3Cj
		lea	edx, [ebp+var_8]
		call	_SeComputeQuotaInformationSize@8 ; SeComputeQuotaInformationSize(x,x)
		test	eax, eax
		js	short loc_838E8B
		mov	edi, [ebp+var_8]
		test	edi, edi
		jz	short loc_838E6C
		mov	ecx, [ebp+var_C]
		mov	edx, edi
		push	0
		call	PsChargeSharedPoolQuota
		mov	[esi+0Ch], eax
		test	eax, eax
		jz	short loc_838EB8

loc_838E6C:				; CODE XREF: ObpChargeQuotaForObject+5Bj
		mov	eax, [ebp+var_10]
		mov	[esi+8], edi

loc_838E72:				; CODE XREF: ObpChargeQuotaForObject+43j
					; ObpChargeQuotaForObject+48j
		mov	edx, [ebp+var_4]

loc_838E75:				; CODE XREF: ObpChargeQuotaForObject+BAj
		mov	ecx, [ebp+var_C]
		push	eax
		call	PsChargeSharedPoolQuota
		mov	[ebx+10h], eax
		test	eax, eax
		jz	loc_9259A7

loc_838E89:				; CODE XREF: ObpChargeQuotaForObject+21j
		xor	eax, eax

loc_838E8B:				; CODE XREF: ObpChargeQuotaForObject+54j
					; ObpChargeQuotaForObject+C1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_838E92:				; CODE XREF: ObpChargeQuotaForObject+2Aj
		mov	eax, ebx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [ebx+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	edx, [eax+50h]
		mov	eax, [eax+54h]
		jmp	short loc_838E75
; 

loc_838EB8:				; CODE XREF: ObpChargeQuotaForObject+6Ej
					; ObpChargeQuotaForObject+ECBADj ...
		mov	eax, 0C0000044h
		jmp	short loc_838E8B
ObpChargeQuotaForObject	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsChargeSharedPoolQuota	proc near	; CODE XREF: sub_759647+8E9p
					; RtlpAllocateAtom+44p	...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009259C8 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, edx
		cmp	ecx, ds:_PsInitialSystemProcess
		jz	short loc_838F17
		push	esi
		mov	esi, [ecx+188h]
		test	edi, edi
		jz	short loc_838EEB
		push	edi
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	@PspChargeQuota@16 ; PspChargeQuota(x,x,x,x)
		test	eax, eax
		js	short loc_838F1C

loc_838EEB:				; CODE XREF: PsChargeSharedPoolQuota+19j
		cmp	[ebp+arg_0], 0
		ja	short loc_838F00

loc_838EF1:				; CODE XREF: PsChargeSharedPoolQuota+50j
		lock inc dword ptr [esi+200h]
		mov	eax, esi

loc_838EFA:				; CODE XREF: PsChargeSharedPoolQuota+5Ej
		pop	esi

loc_838EFB:				; CODE XREF: PsChargeSharedPoolQuota+5Aj
		pop	edi
		pop	ebp
		retn	4
; 

loc_838F00:				; CODE XREF: PsChargeSharedPoolQuota+2Fj
		push	[ebp+arg_0]
		xor	edx, edx
		mov	ecx, esi
		push	0
		call	@PspChargeQuota@16 ; PspChargeQuota(x,x,x,x)
		test	eax, eax
		jns	short loc_838EF1
		jmp	loc_9259C8
; 

loc_838F17:				; CODE XREF: PsChargeSharedPoolQuota+Ej
		xor	eax, eax
		inc	eax
		jmp	short loc_838EFB
; 

loc_838F1C:				; CODE XREF: PsChargeSharedPoolQuota+29j
					; PsChargeSharedPoolQuota+ECB0Aj ...
		xor	eax, eax
		jmp	short loc_838EFA
PsChargeSharedPoolQuota	endp


;  S U B	R O U T	I N E 


; __stdcall SeComputeQuotaInformationSize(x, x)
_SeComputeQuotaInformationSize@8 proc near ; CODE XREF:	ObpIncrementHandleCountEx+35Fp
					; PAGE:00819ED9p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		mov	dword ptr [esi], 0
		cmp	byte ptr [ecx],	1
		jnz	short loc_838F90
		mov	edx, [ecx+8]
		push	ebx
		movzx	ebx, word ptr [ecx+2]
		push	edi
		mov	edi, ebx
		test	di, di
		jns	short loc_838F49
		lea	eax, [edx+ecx]
		neg	edx
		sbb	edx, edx
		and	edx, eax

loc_838F49:				; CODE XREF: SeComputeQuotaInformationSize(x,x)+1Ej
		test	bl, 4
		jz	short loc_838F8C
		mov	eax, [ecx+10h]
		test	di, di
		jns	short loc_838F5E
		add	ecx, eax
		neg	eax
		sbb	eax, eax
		and	eax, ecx

loc_838F5E:				; CODE XREF: SeComputeQuotaInformationSize(x,x)+34j
					; SeComputeQuotaInformationSize(x,x)+6Ej
		xor	ecx, ecx
		pop	edi
		pop	ebx
		test	edx, edx
		jz	short loc_838F76
		movzx	ecx, byte ptr [edx+1]
		lea	ecx, ds:0Bh[ecx*4]
		and	ecx, 0FFFFFFFCh
		mov	[esi], ecx

loc_838F76:				; CODE XREF: SeComputeQuotaInformationSize(x,x)+44j
		test	eax, eax
		jz	short loc_838F88
		movzx	eax, word ptr [eax+2]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	eax, ecx
		mov	[esi], eax

loc_838F88:				; CODE XREF: SeComputeQuotaInformationSize(x,x)+58j
		xor	eax, eax
		pop	esi
		retn
; 

loc_838F8C:				; CODE XREF: SeComputeQuotaInformationSize(x,x)+2Cj
		xor	eax, eax
		jmp	short loc_838F5E
; 

loc_838F90:				; CODE XREF: SeComputeQuotaInformationSize(x,x)+Ej
		mov	eax, 0C0000058h
		pop	esi
		retn
_SeComputeQuotaInformationSize@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObQueryNameStringMode proc near		; CODE XREF: IopGetRelatedFileName+68p
					; PspInitializeFullProcessImageName+85p ...

var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009259E1 SIZE 0000002F BYTES
; FUNCTION CHUNK AT 00925A4D SIZE 00000051 BYTES
; FUNCTION CHUNK AT 00925AD8 SIZE 000000C1 BYTES
; FUNCTION CHUNK AT 00925BB4 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6940
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	ebx, edx
		mov	[ebp+var_40], ebx
		mov	edx, ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_19], 1
		mov	[ebp+var_1A], 0
		mov	[ebp+var_3C], 0
		mov	[ebp+var_24], 0
		mov	[ebp+var_20], 0C0000001h
		lea	esi, [edx-18h]
		mov	[ebp+var_44], esi
		mov	eax, esi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	ecx, ds:_ObTypeIndexTable[ecx*4]
		mov	al, [esi+0Eh]
		test	al, 2
		jnz	loc_8393AE
		xor	edi, edi

loc_83902D:				; CODE XREF: ObQueryNameStringMode+41Fj
		mov	[ebp+var_2C], edi
		mov	eax, [ecx+70h]
		test	eax, eax
		jnz	loc_8393C4
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		mov	ecx, eax
		call	_OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO@4 ; OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO(x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx

loc_83904C:				; CODE XREF: ObQueryNameStringMode+ECA5Fj
		test	edi, edi
		jz	loc_839463
		mov	[ebp+var_4], 2
		mov	eax, [ebp+var_48]
		cmp	eax, ecx
		jz	loc_925A91
		cmp	eax, _ObpRootDirectoryObject
		jz	loc_925A91
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+8]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_2C]
		mov	edi, [eax]
		test	edi, edi
		jz	short loc_8390A0
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	[ebp+var_24], edi
		mov	eax, [ebp+var_2C]

loc_8390A0:				; CODE XREF: ObQueryNameStringMode+F1j
		movzx	eax, word ptr [eax+4]
		add	eax, 2
		mov	[ebp+var_34], eax
		mov	[ebp+var_28], eax
		xor	edx, edx
		mov	eax, 11h
		lea	ecx, [esi+8]
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	loc_8394D3

loc_8390C4:				; CODE XREF: ObQueryNameStringMode+53Bj
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_34]

loc_8390D1:				; CODE XREF: ObQueryNameStringMode+200j
		cmp	edi, [ebp+var_30]
		jz	loc_8391AB
		cmp	edi, _ObpRootDirectoryObject
		jz	loc_8391AB
		test	edi, edi
		jz	loc_8391AB
		test	byte ptr [edi+0A8h], 20h
		jnz	loc_8391AB
		lea	eax, [edi-18h]
		mov	[ebp+var_38], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+var_38]
		lea	eax, [edi+8]
		mov	[ebp+var_2C], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		mov	al, [edi+0Eh]
		test	al, 2
		jz	loc_925A4D
		movzx	eax, al
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	edi, eax
		mov	[ebp+var_38], edi
		jz	loc_925A4D
		mov	edi, [edi]
		test	edi, edi
		jz	loc_925A4D
		mov	eax, [ebp+var_38]
		movzx	ecx, word ptr [eax+4]
		mov	eax, [ebp+var_28]
		add	eax, 2
		add	eax, ecx
		mov	[ebp+var_34], eax
		mov	[ebp+var_28], eax
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	ecx, ecx
		mov	eax, 11h
		mov	edx, [ebp+var_2C]
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	loc_8394C4

loc_839181:				; CODE XREF: ObQueryNameStringMode+52Ej
		mov	ecx, edx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObject
		mov	[ebp+var_24], edi
		mov	eax, [ebp+var_34]
		cmp	eax, 0FFFFh
		jbe	loc_8390D1
		jmp	loc_925A81
; 

loc_8391AB:				; CODE XREF: ObQueryNameStringMode+134j
					; ObQueryNameStringMode+140j ...
		cmp	eax, 0FFFFh
		ja	loc_925A81

loc_8391B6:				; CODE XREF: ObQueryNameStringMode+ECAF9j
		lea	ecx, [eax+0Ah]
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_4], 3
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	[ebp+var_4], 2
		cmp	[ebp+arg_0], ecx
		jb	loc_83949E

loc_8391D8:				; CODE XREF: ObQueryNameStringMode+509j
					; ObQueryNameStringMode+ECAECj	...
		mov	[ebp+var_4], 0FFFFFFFEh
		call	sub_8394FB
		cmp	[ebp+var_19], 0
		jz	loc_8393DF
		mov	al, [esi+0Eh]
		test	al, 2
		jnz	loc_8394AE
		xor	edi, edi

loc_8391FB:				; CODE XREF: ObQueryNameStringMode+51Fj
		mov	[ebp+var_2C], edi
		test	edi, edi
		jz	loc_9259FC
		mov	eax, [ebp+var_3C]
		lea	edx, [ebx+8]
		mov	[ebp+var_4], 4
		lea	ecx, [eax-2]
		add	ecx, ebx
		mov	[ebp+var_38], ecx
		mov	[ebp+arg_8], ecx
		xor	eax, eax
		mov	[ecx], ax
		mov	eax, [ebp+var_48]
		cmp	eax, [ebp+var_30]
		jz	loc_925B76
		cmp	eax, _ObpRootDirectoryObject
		jz	loc_925B76
		movzx	eax, word ptr [edi+4]
		sub	ecx, eax
		mov	[ebp+arg_8], ecx
		cmp	ecx, edx
		jbe	loc_925AD8
		push	eax		; size_t
		mov	eax, [edi+8]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+8]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	edi, [edi]
		mov	[ebp+var_38], edi
		test	edi, edi
		jz	short loc_839285
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	[ebp+var_24], edi

loc_839285:				; CODE XREF: ObQueryNameStringMode+2D9j
		xor	edx, edx
		mov	eax, 11h
		lea	edi, [esi+8]
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	loc_8394EF

loc_83929C:				; CODE XREF: ObQueryNameStringMode+556j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edi, [ebp+arg_8]
		jmp	short loc_8392B0
; 
		align 10h

loc_8392B0:				; CODE XREF: ObQueryNameStringMode+30Bj
					; ObQueryNameStringMode+409j
		mov	ecx, [ebp+var_38]
		cmp	ecx, [ebp+var_30]
		jz	loc_8393E7
		cmp	ecx, _ObpRootDirectoryObject
		jz	loc_8393E7
		test	ecx, ecx
		jz	loc_8393E7
		test	byte ptr [ecx+0A8h], 20h
		jnz	loc_8393E7
		lea	eax, [edi-2]
		mov	edi, eax
		mov	[ebp+arg_8], eax
		mov	edx, 5Ch
		mov	[eax], dx
		add	ecx, 0FFFFFFE8h
		mov	[ebp+var_38], ecx
		mov	al, [ecx+0Eh]
		test	al, 2
		jz	loc_925AE1
		movzx	eax, al
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax

loc_83930D:				; CODE XREF: ObQueryNameStringMode+ECB43j
		mov	[ebp+var_34], ecx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [ebp+var_38]
		add	eax, 8
		mov	[ebp+var_2C], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_34]
		test	eax, eax
		jz	loc_925B17
		cmp	dword ptr [eax], 0
		jz	loc_925B17
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_34]
		mov	eax, [ecx]
		mov	[ebp+var_38], eax
		mov	ecx, eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebp+var_38]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_34]
		movzx	ecx, word ptr [eax+4]
		sub	edi, ecx
		mov	[ebp+arg_8], edi
		lea	edx, [ebx+8]
		cmp	edi, edx
		jbe	loc_925AE8
		push	ecx		; size_t
		mov	eax, [eax+8]
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	ecx, ecx
		mov	eax, 11h
		mov	edx, [ebp+var_2C]
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jnz	loc_8394E0

loc_83939D:				; CODE XREF: ObQueryNameStringMode+54Aj
		mov	ecx, edx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_8392B0
; 

loc_8393AE:				; CODE XREF: ObQueryNameStringMode+85j
		movzx	eax, al
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		mov	edi, esi
		sub	edi, eax
		jmp	loc_83902D
; 

loc_8393C4:				; CODE XREF: ObQueryNameStringMode+95j
		test	edi, edi
		jnz	loc_9259E1

loc_8393CC:				; CODE XREF: ObQueryNameStringMode+ECA46j
		xor	cl, cl

loc_8393CE:				; CODE XREF: ObQueryNameStringMode+ECA4Ej
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ebx
		push	ecx
		push	edx
		call	eax
		mov	[ebp+var_20], eax

loc_8393DF:				; CODE XREF: ObQueryNameStringMode+248j
					; sub_925A20+10j
		cmp	[ebp+var_20], 0
		jge	short loc_83943E
		jmp	short loc_83944C
; 

loc_8393E7:				; CODE XREF: ObQueryNameStringMode+316j
					; ObQueryNameStringMode+322j ...
		add	edi, 0FFFFFFFEh
		mov	[ebp+arg_8], edi
		mov	eax, 5Ch
		mov	[edi], ax
		mov	eax, ebx
		sub	eax, edi
		add	eax, [ebp+var_3C]
		movzx	ecx, ax
		mov	[ebp+var_58], ecx
		mov	[ebx+2], cx
		lea	eax, [ecx-2]
		mov	[ebx], ax
		lea	eax, [ebx+8]
		mov	[ebx+4], eax
		cmp	eax, edi
		jnz	loc_925B7E

loc_83941A:				; CODE XREF: ObQueryNameStringMode+ECB3Cj
					; ObQueryNameStringMode+ECB72j	...
		mov	[ebp+var_4], 0FFFFFFFEh

loc_839421:				; CODE XREF: sub_925B9F+10j
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jz	short loc_83942D
		call	ObfDereferenceObject

loc_83942D:				; CODE XREF: ObQueryNameStringMode+486j
		cmp	[ebp+var_1A], 0
		jnz	loc_925BB4
		mov	[ebp+var_20], 0

loc_83943E:				; CODE XREF: ObQueryNameStringMode+443j
					; ObQueryNameStringMode+4FCj
		mov	[ebp+var_4], 5

loc_839445:				; CODE XREF: sub_925BE5+9j
		mov	[ebp+var_4], 0FFFFFFFEh

loc_83944C:				; CODE XREF: ObQueryNameStringMode+445j
					; ObQueryNameStringMode+ECA6Bj
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_839463:				; CODE XREF: ObQueryNameStringMode+AEj
		mov	[ebp+var_4], 0
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 8
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	[ebp+arg_0], 8
		jb	loc_925A04
		mov	[ebp+var_4], 1
		xor	eax, eax
		mov	[ebx], eax
		mov	[ebx+4], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	[ebp+var_20], eax
		jmp	short loc_83943E
; 

loc_83949E:				; CODE XREF: ObQueryNameStringMode+232j
		mov	[ebp+var_20], 0C0000004h
		mov	[ebp+var_19], 0
		jmp	loc_8391D8
; 

loc_8394AE:				; CODE XREF: ObQueryNameStringMode+253j
		movzx	eax, al
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		mov	edi, esi
		sub	edi, eax
		jmp	loc_8391FB
; 

loc_8394C4:				; CODE XREF: ObQueryNameStringMode+1DBj
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, [ebp+var_2C]
		jmp	loc_839181
; 

loc_8394D3:				; CODE XREF: ObQueryNameStringMode+11Ej
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	ecx, [esi+8]
		jmp	loc_8390C4
; 

loc_8394E0:				; CODE XREF: ObQueryNameStringMode+3F7j
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, [ebp+var_2C]
		jmp	loc_83939D
; 

loc_8394EF:				; CODE XREF: ObQueryNameStringMode+2F6j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_83929C
ObQueryNameStringMode endp


;  S U B	R O U T	I N E 


sub_8394FB	proc near		; CODE XREF: ObQueryNameStringMode+23Fp
					; PAGE:00925AD3j
		mov	ecx, [ebp-24h]
		test	ecx, ecx
		jz	short locret_83950E
		call	ObfDereferenceObject
		mov	dword ptr [ebp-24h], 0

locret_83950E:				; CODE XREF: sub_8394FB+5j
		retn
sub_8394FB	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObQueryTypeInfo	proc near		; CODE XREF: NtQueryObject+2DAp
					; NtQueryObject+ECFE3p

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	14h
		push	offset dword_6A6998
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		mov	ebx, ecx
		mov	esi, 0C0000004h
		and	[ebp+ms_exc.disabled], 0
		movzx	ecx, word ptr [ebx+8]
		add	ecx, 5
		and	ecx, 0FFFFFFFCh
		add	ecx, 60h
		mov	eax, [ebp+arg_4]
		add	[eax], ecx
		mov	eax, [eax]
		cmp	[ebp+arg_0], eax
		jb	loc_8395E6
		mov	eax, [ebx+18h]
		mov	[edx+8], eax
		mov	eax, [ebx+1Ch]
		mov	[edx+0Ch], eax
		mov	eax, [ebx+20h]
		mov	[edx+20h], eax
		mov	eax, [ebx+24h]
		mov	[edx+24h], eax
		mov	eax, [ebx+30h]
		mov	[edx+38h], eax
		lea	esi, [ebx+34h]
		lea	edi, [edx+3Ch]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebx+44h]
		mov	[edx+4Ch], eax
		mov	al, [ebx+2Ah]
		shr	al, 3
		and	al, 1
		mov	[edx+50h], al
		mov	al, [ebx+2Ah]
		shr	al, 4
		and	al, 1
		mov	[edx+51h], al
		mov	eax, [ebx+4Ch]
		mov	[edx+54h], eax
		mov	eax, [ebx+50h]
		mov	[edx+58h], eax
		mov	eax, [ebx+54h]
		mov	[edx+5Ch], eax
		mov	al, [ebx+14h]
		mov	[edx+52h], al
		mov	byte ptr [edx+53h], 0
		lea	ecx, [edx+60h]
		mov	[edx+4], ecx
		mov	ax, [ebx+8]
		mov	[edx], ax
		mov	ax, [ebx+8]
		add	ax, 2
		mov	[edx+2], ax
		movzx	eax, word ptr [ebx+8]
		push	eax		; size_t
		push	dword ptr [ebx+0Ch] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		movzx	eax, word ptr [ebx+8]
		shr	eax, 1
		xor	edx, edx
		mov	ecx, [ebp+var_1C]
		mov	[ecx+eax*2+60h], dx
		xor	esi, esi

loc_8395E3:				; CODE XREF: sub_925C01+6j
		mov	[ebp+var_24], esi

loc_8395E6:				; CODE XREF: ObQueryTypeInfo+31j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
ObQueryTypeInfo	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1944. RtlAddAce

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlAddAce
RtlAddAce	proc near		; CODE XREF: SepAppendAceToTokenDefaultDacl+DEp
					; SepSetProcessTrustLabelAceForToken(x)+1C6p ...

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00925C0C SIZE 00000059 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		push	esi
		mov	[ebp+var_8], edi
		call	RtlValidAcl
		test	al, al
		jz	loc_925C2E
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_RtlFirstFreeAce@8 ; RtlFirstFreeAce(x,x)
		test	al, al
		jz	loc_925C2E
		mov	al, [esi]
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_1], al
		cmp	cl, al
		ja	loc_925C0C

loc_839648:				; CODE XREF: RtlAddAce+EC609j
		mov	eax, [ebp+arg_C]
		mov	edx, eax
		mov	ebx, [ebp+arg_10]
		mov	[ebp+arg_4], edi
		lea	esi, [eax+ebx]
		mov	[ebp+arg_10], esi
		cmp	eax, esi
		mov	esi, [ebp+arg_0]
		jnb	loc_925C38

loc_839664:				; CODE XREF: RtlAddAce+76j
		mov	al, [edx]
		cmp	al, 3
		ja	loc_925C14

loc_83966E:				; CODE XREF: RtlAddAce+EC619j
					; RtlAddAce:loc_925C28j
		movzx	eax, word ptr [edx+2]
		add	edx, eax
		inc	[ebp+arg_4]
		mov	eax, [ebp+arg_10]
		cmp	edx, eax
		jb	short loc_839664

loc_83967E:				; CODE XREF: RtlAddAce+EC635j
		cmp	edx, eax
		ja	loc_925C2E
		mov	edx, [ebp+var_8]
		test	edx, edx
		jz	short loc_8396F0
		movzx	ecx, word ptr [esi+2]
		lea	eax, [edx+ebx]
		add	ecx, esi
		cmp	eax, ecx
		ja	short loc_8396F0
		lea	ecx, [esi+8]
		cmp	[ebp+arg_8], edi
		ja	short loc_8396D5

loc_8396A2:				; CODE XREF: RtlAddAce+E0j
		sub	edx, ecx
		sub	edx, 1
		jns	short loc_8396E8

loc_8396A9:				; CODE XREF: RtlAddAce+EC65Aj
		test	ebx, ebx
		jz	short loc_8396C0
		mov	esi, [ebp+arg_C]
		sub	esi, ecx

loc_8396B2:				; CODE XREF: RtlAddAce+B5j
		mov	al, [esi+ecx]
		mov	[ecx], al
		inc	ecx
		sub	ebx, 1
		jnz	short loc_8396B2
		mov	esi, [ebp+arg_0]

loc_8396C0:				; CODE XREF: RtlAddAce+A5j
		mov	eax, [ebp+arg_4]
		add	[esi+4], ax
		mov	al, [ebp+var_1]
		mov	[esi], al
		xor	eax, eax

loc_8396CE:				; CODE XREF: RtlAddAce+EFj
					; RtlAddAce+EC62Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_8396D5:				; CODE XREF: RtlAddAce+9Aj
		movzx	eax, word ptr [esi+4]
		mov	esi, eax

loc_8396DB:				; CODE XREF: RtlAddAce+EC644j
		cmp	edi, esi
		jb	loc_925C40

loc_8396E3:				; CODE XREF: RtlAddAce+EC64Aj
		mov	esi, [ebp+arg_0]
		jmp	short loc_8396A2
; 

loc_8396E8:				; CODE XREF: RtlAddAce+A1j
		lea	edi, [ecx+ebx]
		jmp	loc_925C55
; 

loc_8396F0:				; CODE XREF: RtlAddAce+85j
					; RtlAddAce+92j
		mov	eax, 0C0000023h
		jmp	short loc_8396CE
RtlAddAce	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2096. RtlFirstFreeAce

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFirstFreeAce(x, x)
		public _RtlFirstFreeAce@8
_RtlFirstFreeAce@8 proc	near		; CODE XREF: RtlDeleteAce(x,x)+29p
					; RtlAddMandatoryAce+97p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		lea	ecx, [edx+8]
		xor	esi, esi
		mov	[edi], esi
		movzx	ebx, word ptr [edx+4]
		test	ebx, ebx
		jnz	short loc_83972E

loc_839719:				; CODE XREF: RtlFirstFreeAce(x,x)+4Dj
		movzx	eax, word ptr [edx+2]
		add	eax, edx
		cmp	ecx, eax
		ja	short loc_839725
		mov	[edi], ecx

loc_839725:				; CODE XREF: RtlFirstFreeAce(x,x)+25j
		mov	al, 1

loc_839727:				; CODE XREF: RtlFirstFreeAce(x,x)+51j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_83972E:				; CODE XREF: RtlFirstFreeAce(x,x)+1Bj
		movzx	eax, word ptr [edx+2]
		add	eax, edx
		mov	[ebp+arg_4], eax

loc_839737:				; CODE XREF: RtlFirstFreeAce(x,x)+4Bj
		cmp	ecx, eax
		jnb	short loc_83974B
		movzx	eax, word ptr [ecx+2]
		inc	esi
		add	ecx, eax
		mov	eax, [ebp+arg_4]
		cmp	esi, ebx
		jb	short loc_839737
		jmp	short loc_839719
; 

loc_83974B:				; CODE XREF: RtlFirstFreeAce(x,x)+3Dj
		xor	al, al
		jmp	short loc_839727
_RtlFirstFreeAce@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1647. ObSetSecurityObjectByPointer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObSetSecurityObjectByPointer(x, x, x)
		public _ObSetSecurityObjectByPointer@12
_ObSetSecurityObjectByPointer@12 proc near
					; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+233p
					; NtSetSecurityObject+11Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [edi-18h]
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edi-0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	ecx, ds:_ObTypeIndexTable[ecx*4]
		mov	byte ptr [ebp+arg_0], al
		push	[ebp+arg_0]
		mov	edx, [ecx+6Ch]
		lea	eax, [ecx+34h]
		push	eax
		push	dword ptr [ecx+4Ch]
		lea	eax, [edi-4]
		push	eax
		push	0
		push	[ebp+arg_8]
		lea	eax, [ebp+arg_4]
		push	eax
		push	0
		push	edi
		call	edx
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_ObSetSecurityObjectByPointer@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2332. RtlSetDaclSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlSetDaclSecurityDescriptor
RtlSetDaclSecurityDescriptor proc near	; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+1F3p
					; SepInitProcessAuditSd+86C84p	...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 00925C65 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	byte ptr [eax],	1
		jnz	short loc_839800
		movzx	ecx, word ptr [eax+2]
		test	cx, cx
		js	short loc_839807
		cmp	[ebp+arg_4], 0
		jz	loc_925C65
		and	dword ptr [eax+10h], 0
		or	ecx, 4
		mov	edx, [ebp+arg_8]
		movzx	ecx, cx
		test	edx, edx
		jz	short loc_8397EA
		mov	[eax+10h], edx

loc_8397EA:				; CODE XREF: RtlSetDaclSecurityDescriptor+2Fj
		and	ecx, 0FFF7h
		cmp	[ebp+arg_C], 0
		mov	[eax+2], cx
		jnz	short loc_83980E

loc_8397FA:				; CODE XREF: RtlSetDaclSecurityDescriptor+EC4B9j
		xor	eax, eax

loc_8397FC:				; CODE XREF: RtlSetDaclSecurityDescriptor+4Fj
					; RtlSetDaclSecurityDescriptor+56j
		pop	ebp
		retn	10h
; 

loc_839800:				; CODE XREF: RtlSetDaclSecurityDescriptor+Bj
		mov	eax, 0C0000058h
		jmp	short loc_8397FC
; 

loc_839807:				; CODE XREF: RtlSetDaclSecurityDescriptor+14j
		mov	eax, 0C0000079h
		jmp	short loc_8397FC
; 

loc_83980E:				; CODE XREF: RtlSetDaclSecurityDescriptor+42j
		or	ecx, 8
		jmp	loc_925C6B
RtlSetDaclSecurityDescriptor endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2015. RtlCreateSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCreateSecurityDescriptor(x, x)
		public _RtlCreateSecurityDescriptor@8
_RtlCreateSecurityDescriptor@8 proc near ; CODE	XREF: SepVerifyDesktopAppxImage(x,x,x,x)+70p
					; SepVerifyDesktopAppxImage(x,x,x,x)+C4p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 1
		jnz	short loc_83983E
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	edi
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	byte ptr [ecx],	1
		pop	edi

loc_83983A:				; CODE XREF: RtlCreateSecurityDescriptor(x,x)+27j
		pop	ebp
		retn	8
; 

loc_83983E:				; CODE XREF: RtlCreateSecurityDescriptor(x,x)+9j
		mov	eax, 0C0000058h
		jmp	short loc_83983A
_RtlCreateSecurityDescriptor@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2008. RtlCreateAcl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlCreateAcl(void *,size_t,int)
		public _RtlCreateAcl@12
_RtlCreateAcl@12 proc near		; CODE XREF: RtlCheckTokenMembershipEx(x,x,x,x)+166p
					; SepAppendAceToTokenDefaultDacl+B1p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	edi, 8
		jb	short loc_83989A
		push	ebx
		mov	ebx, [ebp+arg_8]
		cmp	ebx, 2
		jb	short loc_8398A1
		cmp	ebx, 4
		ja	short loc_8398A1
		cmp	edi, 0FFFCh
		ja	short loc_8398A1
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi], bl
		and	edi, 0FFFCh
		mov	byte ptr [esi+1], 0
		xor	eax, eax
		mov	[esi+2], di
		mov	[esi+4], eax
		pop	esi

loc_839894:				; CODE XREF: RtlCreateAcl(x,x,x)+5Cj
		pop	ebx

loc_839895:				; CODE XREF: RtlCreateAcl(x,x,x)+55j
		pop	edi
		pop	ebp
		retn	0Ch
; 

loc_83989A:				; CODE XREF: RtlCreateAcl(x,x,x)+Cj
		mov	eax, 0C0000023h
		jmp	short loc_839895
; 

loc_8398A1:				; CODE XREF: RtlCreateAcl(x,x,x)+15j
					; RtlCreateAcl(x,x,x)+1Aj ...
		mov	eax, 0C000000Dh
		jmp	short loc_839894
_RtlCreateAcl@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspDereferenceQuotaBlock proc near	; CODE XREF: PspProcessDelete+212p
					; PsReturnSharedPoolQuota+27p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00925C74 SIZE 00000077 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_8], ebx
		lock xadd [ebx+200h], eax
		jz	loc_925C74

loc_8398C6:				; CODE XREF: PspDereferenceQuotaBlock+EC43Ej
		pop	ebx
		leave
		retn
PspDereferenceQuotaBlock endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetVirtualizationID proc near	; CODE XREF: CmpGetVirtualStoreRoot(x,x,x,x)+27p
					; CmRealKCBToVirtualPath(x,x,x,x)+49p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00925CEB SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_50]
		push	44h		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	edi, edx
		mov	[ebp+var_58], ebx
		mov	esi, ecx
		mov	[ebp+var_54], ebx
		call	_memset
		mov	eax, [edi]
		add	esp, 0Ch
		mov	ecx, eax
		test	eax, eax
		jnz	loc_925CEB

loc_839906:				; CODE XREF: CmpGetVirtualizationID+EC42Bj
		mov	ecx, [edi+8]

loc_839909:				; CODE XREF: CmpGetVirtualizationID+EC425j
		push	ebx
		push	44h
		lea	edx, [ebp+var_50]
		call	_SeQueryUserSidToken@16	; SeQueryUserSidToken(x,x,x,x)
		push	1
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		call	RtlConvertSidToUnicodeString
		mov	edi, eax
		test	edi, edi
		js	short loc_83995F
		mov	ecx, [ebp+var_58]
		add	ecx, 14h
		mov	[esi+2], cx
		push	65564D43h
		movzx	ecx, cx
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+4], eax
		test	eax, eax
		jz	short loc_839979
		lea	eax, [ebp+var_58]
		push	eax
		push	esi
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		push	offset ??_C@_1BC@PGMOPNLK@?$AA_?$AAC?$AAl?$AAa?$AAs?$AAs?$AAe?$AAs@NNGAKEGL@ ; "_Classes"
		push	esi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)

loc_83995F:				; CODE XREF: CmpGetVirtualizationID+5Dj
					; CmpGetVirtualizationID+B4j
		lea	eax, [ebp+var_58]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_839979:				; CODE XREF: CmpGetVirtualizationID+7Ej
		mov	edi, 0C000009Ah
		jmp	short loc_83995F
CmpGetVirtualizationID endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2103. RtlFreeUTF8String
; Exported entry 2104. RtlFreeUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFreeUTF8String(x)
		public _RtlFreeUTF8String@4
_RtlFreeUTF8String@4 proc near		; CODE XREF: sub_4DD888+Ap
					; .text:005136BDp ...

arg_0		= dword	ptr  8

		mov	edi, edi	; RtlFreeUTF8String
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_8399A3
		push	eax
		call	_ExFreePool@4	; ExFreePool(x)
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0

loc_8399A3:				; CODE XREF: RtlFreeUTF8String(x)+Ej
		pop	esi
		pop	ebp
		retn	4
_RtlFreeUTF8String@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmRealKCBToVirtualPath(x, x, x, x)
_CmRealKCBToVirtualPath@16 proc	near	; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+182p
					; CmpVEExecuteRealStoreParseLogic(x,x,x,x,x)+D8p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		cmp	_CmpVEEnabled, bl
		jnz	short loc_8399D5
		mov	eax, 0C000000Dh
		jmp	loc_839B21
; 

loc_8399D5:				; CODE XREF: CmRealKCBToVirtualPath(x,x,x,x)+21j
		call	_CmpConstructName@4 ; CmpConstructName(x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_8399EB
		mov	eax, 0C000009Ah
		jmp	loc_839B21
; 

loc_8399EB:				; CODE XREF: CmRealKCBToVirtualPath(x,x,x,x)+37j
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_14]
		call	CmpGetVirtualizationID
		mov	esi, eax
		test	esi, esi
		js	loc_839B09
		mov	eax, [ebp+var_4]
		movzx	esi, word ptr [ebp+var_14]
		add	esi, 26h
		movzx	ecx, word ptr [eax]
		add	esi, ecx
		test	edi, edi
		jz	short loc_839A55
		mov	ecx, [edi+4]
		mov	eax, [edi]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	short loc_839A55
		test	ax, ax
		jz	short loc_839A55
		movzx	edx, word ptr [ecx]
		test	dx, dx
		jz	short loc_839A55
		cmp	edx, 5Ch
		jnz	short loc_839A46
		add	ecx, 2
		mov	[ebp+var_8], ecx
		mov	ecx, 0FFFEh
		add	ax, cx
		mov	word ptr [ebp+var_C], ax

loc_839A46:				; CODE XREF: CmRealKCBToVirtualPath(x,x,x,x)+8Aj
		test	ax, ax
		jz	short loc_839A55
		movzx	eax, ax
		add	esi, 2
		mov	bl, 1
		add	esi, eax

loc_839A55:				; CODE XREF: CmRealKCBToVirtualPath(x,x,x,x)+69j
					; CmRealKCBToVirtualPath(x,x,x,x)+78j ...
		push	624E4D43h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, [ebp+arg_4]
		mov	[edi+4], eax
		test	eax, eax
		jnz	short loc_839A76
		mov	esi, 0C000009Ah
		jmp	loc_839B09
; 

loc_839A76:				; CODE XREF: CmRealKCBToVirtualPath(x,x,x,x)+C2j
		push	offset ??_C@_1CA@DOEFBOAB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAU?$AAs?$AAe?$AAr?$AA?2@NNGAKEGL@ ; "\\Registry\\User\\"
		xor	eax, eax
		mov	[edi+2], si
		push	edi		; int
		mov	[edi], ax
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_839B03
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_839B03
		push	offset ??_C@_1BM@HHPHHPEN@?$AA?2?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAS?$AAt?$AAo?$AAr?$AAe@NNGAKEGL@ ; void *
		push	edi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_839B03
		mov	ecx, [ebp+var_4]
		push	12h
		pop	edx
		mov	eax, [ecx]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+4]
		add	eax, edx
		mov	[ebp+var_18], eax
		mov	ax, [ecx]
		sub	ax, dx
		mov	word ptr [ebp+var_1C], ax
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_839B03
		test	bl, bl
		jz	short loc_839B09
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		push	edi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_839B03
		lea	eax, [ebp+var_C]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_839B09

loc_839B03:				; CODE XREF: CmRealKCBToVirtualPath(x,x,x,x)+E6j
					; CmRealKCBToVirtualPath(x,x,x,x)+F6j ...
		push	edi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_839B09:				; CODE XREF: CmRealKCBToVirtualPath(x,x,x,x)+52j
					; CmRealKCBToVirtualPath(x,x,x,x)+C9j ...
		mov	ecx, [ebp+var_4]
		mov	edx, 624E4D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, esi

loc_839B21:				; CODE XREF: CmRealKCBToVirtualPath(x,x,x,x)+28j
					; CmRealKCBToVirtualPath(x,x,x,x)+3Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_CmRealKCBToVirtualPath@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpGetSidExtendedHeaderItem proc near	; CODE XREF: .text:005287D1p
					; EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+47Cp

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_49		= dword	ptr -49h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00925CFA SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, ecx
		push	edi
		push	44h		; size_t
		push	eax		; int
		mov	byte ptr [ebp+var_49], al
		mov	[ebp+var_54], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_49+1]
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_54]
		add	esp, 0Ch
		mov	[ebp+var_58], eax
		lea	edx, [ebp+var_50]
		push	0
		push	ecx
		lea	ecx, [ebp+var_49]
		push	ecx
		mov	ecx, eax
		call	PsReferenceEffectiveToken
		mov	edi, [ebp+var_50]
		mov	esi, eax
		push	2
		pop	eax
		cmp	edi, eax
		jz	short loc_839BFE

loc_839B85:				; CODE XREF: EtwpGetSidExtendedHeaderItem+D9j
					; EtwpGetSidExtendedHeaderItem+EC1F0j
		lea	eax, [ebp+var_5C]
		mov	ecx, esi
		push	eax
		push	44h
		lea	edx, [ebp+var_49+1]
		call	_SeQueryUserSidToken@16	; SeQueryUserSidToken(x,x,x,x)
		cmp	edi, 1
		jnz	short loc_839C08
		mov	eax, [ebp+var_58]
		mov	edx, esi
		mov	ecx, [eax+150h]
		add	ecx, 12Ch
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)

loc_839BB0:				; CODE XREF: EtwpGetSidExtendedHeaderItem+E2j
					; EtwpGetSidExtendedHeaderItem+EBj
		mov	eax, [ebp+var_5C]
		push	2
		pop	ecx
		push	eax		; size_t
		lea	edi, [eax+8]
		mov	[ebx+6], ax
		lea	eax, [ebp+var_49+1]
		mov	[ebx+2], cx
		push	eax		; void *
		lea	esi, [edi+7]
		xor	ecx, ecx
		lea	eax, [ebx+8]
		mov	[ebx+4], cx
		and	esi, 0FFFFFFF8h
		push	eax		; void *
		mov	[ebx], si
		call	_memcpy
		sub	esi, edi
		lea	eax, [ebx+edi]
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_4]
		add	esp, 18h
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_839BFE:				; CODE XREF: EtwpGetSidExtendedHeaderItem+5Bj
		cmp	[ebp+var_54], eax
		jge	short loc_839B85
		jmp	loc_925CFA
; 

loc_839C08:				; CODE XREF: EtwpGetSidExtendedHeaderItem+70j
		test	esi, esi
		jz	short loc_839BB0
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_839BB0
EtwpGetSidExtendedHeaderItem endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeQueryUserSidToken(x, x, x, x)
_SeQueryUserSidToken@16	proc near	; CODE XREF: EtwQueryProcessTelemetryInfo+BDp
					; PopEtGetProcessSidAndPackageIdentity(x,x,x)+4Ap ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		mov	[ebp+var_4], edx
		mov	edi, 0C0000023h
		nop
		mov	eax, [esi+30h]
		push	1
		push	eax
		call	ExAcquireResourceSharedLite
		mov	eax, [esi+94h]
		mov	ecx, [eax]
		movzx	eax, byte ptr [ecx+1]
		lea	ebx, ds:8[eax*4]
		cmp	[ebp+arg_0], ebx
		jb	short loc_839C73
		push	ebx		; size_t
		push	ecx		; void *
		push	[ebp+var_4]	; void *
		call	_memmove
		add	esp, 0Ch
		xor	edi, edi

loc_839C73:				; CODE XREF: SeQueryUserSidToken(x,x,x,x)+42j
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+arg_4]
		mov	eax, edi
		test	ecx, ecx
		jz	short loc_839C8B
		mov	[ecx], ebx

loc_839C8B:				; CODE XREF: SeQueryUserSidToken(x,x,x,x)+67j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_SeQueryUserSidToken@16	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1609. ObCheckCreateObjectAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObCheckCreateObjectAccess
ObCheckCreateObjectAccess proc near	; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+123Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 00925D1D SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	[ebp+arg_14]
		mov	[ebp+var_10], eax
		mov	byte ptr [ebp+var_C], al
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		lea	edx, [ebp+var_8]
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+var_C]
		push	eax
		call	ObpGetObjectSecurity
		test	eax, eax
		js	short loc_839D4A
		mov	ebx, [ebp+arg_8]
		lea	esi, [ebx+1Ch]
		push	esi
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)
		cmp	[ebp+var_8], 0
		jz	short loc_839D53
		push	[ebp+arg_18]
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+arg_14]
		mov	eax, [ebp+arg_0]
		add	eax, 34h
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	[ebp+arg_4]
		push	1
		push	esi
		push	[ebp+var_8]
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		cmp	[ebp+var_4], 0
		mov	byte ptr [ebp+arg_18+3], al
		jnz	loc_925D1D

loc_839D30:				; CODE XREF: ObCheckCreateObjectAccess+BDj
					; ObCheckCreateObjectAccess+EC094j
		push	esi
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		push	[ebp+var_C]
		push	[ebp+var_8]
		call	_ObReleaseObjectSecurity@8 ; ObReleaseObjectSecurity(x,x)
		mov	al, byte ptr [ebp+arg_18+3]

loc_839D44:				; CODE XREF: ObCheckCreateObjectAccess+B7j
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_839D4A:				; CODE XREF: ObCheckCreateObjectAccess+50j
		mov	ecx, [ebp+arg_18]
		mov	[ecx], eax
		xor	al, al
		jmp	short loc_839D44
; 

loc_839D53:				; CODE XREF: ObCheckCreateObjectAccess+62j
		mov	byte ptr [ebp+arg_18+3], 1
		jmp	short loc_839D30
ObCheckCreateObjectAccess endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeCaptureSid	proc near		; CODE XREF: SeAccessCheckByTypeWithAdminlessChecks+94Cp
					; AlpcpConnectPort+103p ...

var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00925D33 SIZE 00000031 BYTES
; FUNCTION CHUNK AT 00925D84 SIZE 0000000F BYTES

		push	1Ch
		push	offset dword_6A69B8
		call	__SEH_prolog4
		mov	[ebp+var_24], ecx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		test	dl, dl
		jz	loc_925D33

loc_839D76:				; CODE XREF: SeCaptureSid+EBFEAj
		mov	[ebp+ms_exc.disabled], ebx
		lea	eax, [ecx+1]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		jnb	loc_925D5D

loc_839D8A:				; CODE XREF: SeCaptureSid+EC005j
		nop
		mov	al, [eax]
		movzx	eax, al
		mov	[ebp+arg_C], eax
		mov	[ebp+var_2C], eax
		lea	esi, ds:8[eax*4]
		mov	[ebp+var_1C], esi
		test	esi, esi
		jz	short loc_839DB9
		test	cl, 3
		jnz	short loc_839E1D
		lea	edx, [esi+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_839E22
		cmp	edx, ecx
		jb	short loc_839E22

loc_839DB9:				; CODE XREF: SeCaptureSid+48j
					; SeCaptureSid+CAj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_839DC0:				; CODE XREF: SeCaptureSid+EC034j
		push	69536553h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, [ebp+arg_10]
		mov	[edi], eax
		test	eax, eax
		jz	short loc_839E26
		mov	[ebp+ms_exc.disabled], 1
		push	esi		; size_t
		push	[ebp+var_24]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [edi]
		mov	ecx, [ebp+arg_C]
		mov	[eax+1], cl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [edi]
		push	esi
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	sub_925D93

loc_839E09:				; CODE XREF: SeCaptureSid+EBFE3j
		xor	eax, eax

loc_839E0B:				; CODE XREF: SeCaptureSid+D1j
					; sub_925D72+Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_839E1D:				; CODE XREF: SeCaptureSid+4Dj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_839E22:				; CODE XREF: SeCaptureSid+59j
					; SeCaptureSid+5Dj
		mov	[eax], bl
		jmp	short loc_839DB9
; 

loc_839E26:				; CODE XREF: SeCaptureSid+7Aj
		mov	eax, 0C000009Ah
		jmp	short loc_839E0B
SeCaptureSid	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopQueryName(x, x, x, x, x,	x)
_IopQueryName@24 proc near		; DATA XREF: IoCreateObjectTypes+287o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]	; int
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		push	[ebp+arg_8]	; int
		push	0		; int
		call	IopQueryNameInternal
		pop	ebp
		retn	18h
_IopQueryName@24 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 917. IoQueryFileDosDeviceName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoQueryFileDosDeviceName(x,	x)
		public _IoQueryFileDosDeviceName@8
_IoQueryFileDosDeviceName@8 proc near	; CODE XREF: CcMmLogLostDelayedWriteError(x,x)+21p
					; PAGE:0083B715p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, 0C8h
		mov	ebx, 6E446F49h
		mov	[esp+10h+var_4], edi

loc_839E6C:				; CODE XREF: IoQueryFileDosDeviceName(x,x)+66j
		push	ebx
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_839EBA
		mov	ecx, [ebp+arg_0]
		lea	eax, [esp+10h+var_4]
		push	0		; int
		push	eax		; int
		push	edi		; void *
		push	esi		; int
		push	1		; int
		call	IopQueryNameInternal
		mov	edi, eax
		test	edi, edi
		jnz	short loc_839EA4
		mov	eax, [ebp+arg_4]
		mov	[eax], esi

loc_839E99:				; CODE XREF: IoQueryFileDosDeviceName(x,x)+60j
		mov	eax, edi

loc_839E9B:				; CODE XREF: IoQueryFileDosDeviceName(x,x)+6Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_839EA4:				; CODE XREF: IoQueryFileDosDeviceName(x,x)+40j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	edi, 80000005h
		jnz	short loc_839E99
		mov	edi, [esp+10h+var_4]
		jmp	short loc_839E6C
; 

loc_839EBA:				; CODE XREF: IoQueryFileDosDeviceName(x,x)+27j
		mov	eax, 0C000009Ah
		jmp	short loc_839E9B
_IoQueryFileDosDeviceName@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopQueryNameInternal(int,int,void *,int,int)
IopQueryNameInternal proc near		; CODE XREF: IopQueryName(x,x,x,x,x,x)+16p
					; IoQueryFileDosDeviceName(x,x)+37p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00925DD5 SIZE 00000059 BYTES
; FUNCTION CHUNK AT 00925E43 SIZE 0000000B BYTES
; FUNCTION CHUNK AT 00925E66 SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6A28
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, ecx
		mov	[ebp+var_38], esi
		mov	edi, [ebp+arg_8]
		mov	ecx, edi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], 0
		xor	ebx, ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_1D], bl
		mov	byte ptr [ebp+arg_8+3],	bl
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		cmp	edi, 8
		jb	loc_83A2BC

loc_839F33:				; CODE XREF: IopQueryNameInternal+3F1j
		mov	eax, [ebp+arg_10]
		cmp	al, 1
		jz	loc_83A1D7
		cmp	ecx, 8
		jb	loc_83A2C6
		mov	edx, [ebp+arg_4]

loc_839F4A:				; CODE XREF: IopQueryNameInternal+3F9j
		mov	[ebp+var_28], edx

loc_839F4D:				; CODE XREF: IopQueryNameInternal+325j
		mov	ecx, [esi+4]
		cmp	byte ptr [ebp+arg_0], 0
		jz	loc_83A136
		test	byte ptr [ecx+20h], 10h
		jnz	loc_925DDF
		push	edx
		push	ecx
		call	IoVolumeDeviceToDosName
		mov	esi, eax
		mov	edx, [ebp+var_28]
		movzx	eax, word ptr [edx]
		add	eax, 0Ah
		mov	[ebp+var_24], eax

loc_839F79:				; CODE XREF: IopQueryNameInternal+EBF34j
		mov	[ebp+var_30], eax
		test	esi, esi
		js	loc_925E09
		mov	cl, 1

loc_839F86:				; CODE XREF: IopQueryNameInternal+27Dj
		test	esi, esi
		js	loc_83A245
		test	cl, cl
		jz	loc_83A21E

loc_839F96:				; CODE XREF: IopQueryNameInternal+355j
					; IopQueryNameInternal+37Bj ...
		mov	edx, [ebp+arg_4]
		add	edx, 8
		mov	[ebp+var_34], edx
		cmp	byte ptr [ebp+arg_0], 0
		jz	loc_83A152
		test	cl, cl
		jz	loc_83A152
		mov	esi, [ebp+var_28]
		cmp	edi, eax
		jb	loc_925E1D
		movzx	ecx, word ptr [esi]

loc_839FBF:				; CODE XREF: IopQueryNameInternal+EBF59j
		push	ecx		; size_t
		mov	eax, [esi+4]
		push	eax		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_38]
		mov	eax, [eax+4]
		test	byte ptr [eax+20h], 10h
		jnz	short loc_839FE4
		push	0
		mov	eax, [esi+4]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_839FE4:				; CODE XREF: IopQueryNameInternal+107j
		mov	esi, [ebp+var_24]

loc_839FE7:				; CODE XREF: IopQueryNameInternal+2DBj
		mov	ecx, [ebp+arg_10]
		mov	edx, [ebp+var_34]

loc_839FED:				; CODE XREF: IopQueryNameInternal+28Bj
		mov	eax, [ebp+var_2C]

loc_839FF0:				; CODE XREF: IopQueryNameInternal+296j
					; IopQueryNameInternal+29Fj
		cmp	[ebp+var_1D], 0
		jnz	loc_925E43

loc_839FFA:				; CODE XREF: IopQueryNameInternal+EBF79j
		mov	byte ptr [ebp+arg_8+3],	0
		cmp	esi, edi
		ja	loc_83A256
		cmp	eax, 8
		jb	loc_83A256
		mov	[ebp+var_4], 1
		mov	eax, [ebp+arg_4]
		mov	[eax+4], edx
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_28]
		movzx	eax, word ptr [eax]
		add	edx, eax
		mov	[ebp+var_34], edx
		mov	al, byte ptr [ebp+arg_8+3]

loc_83A031:				; CODE XREF: IopQueryNameInternal+390j
		cmp	cl, 1
		jz	loc_83A1FA
		test	al, al
		jnz	loc_83A2AE
		add	edx, 0FFFFFFFCh
		mov	eax, [edx]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_4]
		sub	eax, edx
		add	edi, 0FFFFFFFEh
		add	edi, eax

loc_83A054:				; CODE XREF: IopQueryNameInternal+3E7j
					; IopQueryNameInternal+40Ej
		mov	[ebp+var_30], edx

loc_83A057:				; CODE XREF: IopQueryNameInternal+331j
					; IopQueryNameInternal+33Cj
		cmp	cl, 1
		jz	loc_83A1B0

loc_83A060:				; CODE XREF: IopQueryNameInternal+2E4j
		mov	eax, [ebp+var_38]
		test	byte ptr [eax+2Ch], 2
		jz	loc_83A1BD
		lea	ecx, [ebp+var_24]
		push	ecx
		push	edx
		push	9
		mov	edx, edi
		mov	ecx, eax
		call	IopGetFileInformation

loc_83A07D:				; CODE XREF: IopQueryNameInternal+302j
		mov	esi, eax
		and	eax, 0C0000000h
		cmp	eax, 0C0000000h
		jz	loc_83A283
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+var_30]
		cmp	eax, 4
		jb	loc_925E83

loc_83A09E:				; CODE XREF: IopQueryNameInternal+3D9j
					; IopQueryNameInternal+EBFBBj
		cmp	byte ptr [ebp+arg_8+3],	0
		jnz	loc_83A265
		lea	edx, [eax-4]
		mov	[ebp+arg_0], edx
		mov	eax, [ecx]
		cmp	edx, eax
		ja	loc_925E90

loc_83A0B8:				; CODE XREF: IopQueryNameInternal+EBFC5j
		sub	eax, [ebp+arg_4]
		mov	edi, [ebp+var_34]
		add	eax, edi
		mov	[ebp+var_24], eax
		lea	eax, [ecx+4]
		mov	[ebp+arg_8], eax
		cmp	word ptr [eax],	5Ch
		jnz	loc_925E9A
		mov	[ebp+var_4], 2
		mov	eax, [ebp+arg_10]
		cmp	al, 1
		jz	loc_83A230
		mov	eax, [ebp+var_28]
		mov	[ecx], eax

loc_83A0EA:				; CODE XREF: IopQueryNameInternal+370j
		add	edi, edx
		xor	eax, eax
		mov	[edi], ax
		mov	eax, [ebp+var_24]
		add	eax, 2
		mov	[ebp+var_24], eax
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_4]
		sub	edi, ecx
		lea	eax, [edi-8]
		mov	[ecx], ax
		lea	eax, [edi-6]
		mov	[ecx+2], ax
		mov	[ebp+var_4], 0FFFFFFFEh

loc_83A118:				; CODE XREF: IopQueryNameInternal+381j
					; IopQueryNameInternal+3AEj ...
		test	ebx, ebx
		jnz	loc_83A211

loc_83A120:				; CODE XREF: IopQueryNameInternal+349j
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_83A136:				; CODE XREF: IopQueryNameInternal+84j
					; IopQueryNameInternal+EBF3Fj
		push	0
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		call	ObQueryNameStringMode
		mov	esi, eax
		mov	eax, [ebp+var_24]
		mov	cl, byte ptr [ebp+arg_8+3]
		mov	[ebp+var_30], eax
		jmp	loc_839F86
; 

loc_83A152:				; CODE XREF: IopQueryNameInternal+D3j
					; IopQueryNameInternal+DBj
		mov	ecx, [ebp+arg_10]
		mov	esi, [ebp+var_30]
		cmp	cl, 1
		jnz	loc_839FED
		mov	eax, [ebp+var_2C]
		cmp	esi, edi
		ja	loc_839FF0
		cmp	eax, 8
		jb	loc_839FF0
		mov	[ebp+var_4], 0
		mov	ecx, [ebp+var_28]
		movzx	eax, word ptr [ecx]
		mov	edx, [ebp+arg_4]
		mov	[edx], ax
		movzx	eax, word ptr [ecx+2]
		mov	[edx+2], ax
		lea	eax, [esi-8]
		push	eax		; size_t
		lea	eax, [ecx+8]
		push	eax		; void *
		mov	edx, [ebp+var_34]
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_839FE7
; 

loc_83A1B0:				; CODE XREF: IopQueryNameInternal+18Aj
		cmp	byte ptr [ebp+arg_0], 0
		jnz	loc_83A060
		mov	eax, [ebp+var_38]

loc_83A1BD:				; CODE XREF: IopQueryNameInternal+197j
		push	1
		lea	esi, [ebp+var_24]
		push	esi
		push	edx
		push	ecx
		push	edi
		mov	edx, 9
		mov	ecx, eax
		call	IopQueryXxxInformation
		jmp	loc_83A07D
; 

loc_83A1D7:				; CODE XREF: IopQueryNameInternal+68j
		mov	edx, edi
		mov	ecx, 1
		call	IopVerifierExAllocatePool
		mov	ebx, eax
		mov	[ebp+var_3C], ebx
		test	ebx, ebx
		jz	loc_925DD5
		mov	edx, ebx
		mov	[ebp+var_28], ebx
		jmp	loc_839F4D
; 

loc_83A1FA:				; CODE XREF: IopQueryNameInternal+164j
		mov	edx, ebx
		mov	[ebp+var_30], edx
		test	al, al
		jnz	loc_83A057
		sub	edi, esi
		add	edi, 4
		jmp	loc_83A057
; 

loc_83A211:				; CODE XREF: IopQueryNameInternal+24Aj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_83A120
; 

loc_83A21E:				; CODE XREF: IopQueryNameInternal+C0j
		mov	edx, [ebp+var_28]
		cmp	word ptr [edx],	0
		jnz	loc_839F96
		jmp	loc_925E14
; 

loc_83A230:				; CODE XREF: IopQueryNameInternal+20Fj
		push	edx		; size_t
		push	[ebp+arg_8]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, [ebp+arg_0]
		jmp	loc_83A0EA
; 

loc_83A245:				; CODE XREF: IopQueryNameInternal+B8j
		cmp	esi, 0C0000004h
		jz	loc_839F96
		jmp	loc_83A118
; 

loc_83A256:				; CODE XREF: IopQueryNameInternal+130j
					; IopQueryNameInternal+139j
		mov	eax, [ebp+arg_C]
		mov	[eax], esi
		mov	al, 1
		mov	byte ptr [ebp+arg_8+3],	al
		jmp	loc_83A031
; 

loc_83A265:				; CODE XREF: IopQueryNameInternal+1D2j
		mov	eax, [ecx]
		mov	ecx, [ebp+arg_C]
		add	[ecx], eax
		cmp	[ebp+var_2C], 8
		sbb	esi, esi
		and	esi, 3FFFFFFFh
		add	esi, 80000005h
		jmp	loc_83A118
; 

loc_83A283:				; CODE XREF: IopQueryNameInternal+1B9j
		cmp	esi, 0C000000Dh
		jnz	short loc_83A2CE

loc_83A28B:				; CODE XREF: IopQueryNameInternal+404j
					; IopQueryNameInternal+EBF9Cj ...
		mov	[ebp+var_24], 4
		mov	ecx, [ebp+var_30]
		mov	dword ptr [ecx], 0
		mov	eax, 5Ch
		mov	[ecx+4], ax
		xor	esi, esi
		mov	eax, [ebp+var_24]
		jmp	loc_83A09E
; 

loc_83A2AE:				; CODE XREF: IopQueryNameInternal+16Cj
		cmp	[ebp+var_2C], 8
		jnb	short loc_83A2DB
		lea	edx, [ebp+var_50]
		jmp	loc_83A054
; 

loc_83A2BC:				; CODE XREF: IopQueryNameInternal+5Dj
		mov	edi, 8
		jmp	loc_839F33
; 

loc_83A2C6:				; CODE XREF: IopQueryNameInternal+71j
		lea	edx, [ebp+var_50]
		jmp	loc_839F4A
; 

loc_83A2CE:				; CODE XREF: IopQueryNameInternal+3B9j
		cmp	esi, 0C0000010h
		jz	short loc_83A28B
		jmp	loc_925E66
; 

loc_83A2DB:				; CODE XREF: IopQueryNameInternal+3E2j
		mov	edx, [ebp+arg_4]
		jmp	loc_83A054
IopQueryNameInternal endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetFileInformation proc near		; CODE XREF: IopGetRelatedFileName+E2p
					; IopGraftName(x,x,x)+247p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00925ECC SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		and	[esp+1Ch+var_18], 0
		xor	eax, eax
		and	[esp+1Ch+var_14], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+28h+var_10]
		mov	[esp+28h+var_1C], edx
		stosd
		mov	ebx, ecx
		stosd
		stosd
		stosd
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		push	0
		push	1
		lea	eax, [esp+30h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		call	IoGetRelatedDeviceObject
		push	dword ptr [ebp+4]
		mov	edi, eax
		push	0
		mov	ecx, edi
		mov	dl, [edi+30h]
		call	IopAllocateIrpExReturn
		mov	esi, eax
		test	esi, esi
		jz	loc_925ECC
		mov	eax, large fs:124h
		mov	ecx, [esi+60h]
		and	dword ptr [esi+30h], 0
		mov	[esi+50h], eax
		lea	eax, [esp+28h+var_10]
		mov	[esi+2Ch], eax
		lea	eax, [esp+28h+var_18]
		mov	[esi+28h], eax
		mov	eax, [ebp+arg_4]
		mov	dword ptr [esi+8], 1004h
		mov	[esi+64h], ebx
		mov	byte ptr [esi+20h], 0
		mov	byte ptr [ecx-24h], 5
		mov	[ecx-0Ch], ebx
		or	dword ptr [esi+8], 10h
		mov	[esi+0Ch], eax
		mov	eax, [esp+28h+var_1C]
		mov	[ecx-20h], eax
		mov	eax, [ebp+arg_0]
		mov	[ecx-1Ch], eax
		mov	ecx, esi
		call	IopQueueThreadIrp
		mov	edx, esi
		mov	ecx, edi
		call	IofCallDriver
		mov	edx, eax
		cmp	edx, 103h
		jnz	short loc_83A3B8
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+38h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	edx, [esp+28h+var_18]

loc_83A3B8:				; CODE XREF: IopGetFileInformation+BEj
		mov	ecx, [ebp+arg_8]
		mov	eax, [esp+28h+var_14]
		mov	[ecx], eax
		mov	eax, edx

loc_83A3C3:				; CODE XREF: IopGetFileInformation+EBBF4j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
IopGetFileInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtApphelpCacheControl proc near		; DATA XREF: .text:005811F0o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00925EDD SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		push	esi
		push	edi
		lea	edi, [esp+38h+var_10]
		mov	[esp+38h+var_20], ebx
		stosd
		mov	[esp+38h+var_1C], ebx
		mov	[esp+38h+var_18], ebx
		mov	[esp+38h+var_14], ebx
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		cmp	eax, 0Ch
		jge	loc_925F02
		mov	edi, eax
		mov	[esp+38h+var_24], ebx
		shl	edi, 2
		or	edi, 220003h
		mov	[esp+38h+var_28], ebx
		cmp	eax, 9
		jz	loc_925EDD
		cmp	eax, 0Bh
		ja	loc_925F02
		mov	ecx, 0C0000001h
		jmp	ds:off_83A4F0[eax*4]

loc_83A433:				; DATA XREF: PAGE:off_83A4F0o
					; PAGE:0083A508o
		mov	esi, 0C0000225h

loc_83A438:				; CODE XREF: NtApphelpCacheControl+D0j
					; NtApphelpCacheControl+D4j
		cmp	_g_AhcDeviceObject, ebx
		jz	short loc_83A4A2

loc_83A440:				; CODE XREF: NtApphelpCacheControl+117j
					; NtApphelpCacheControl+EBB27j
		push	ebx
		push	1
		lea	eax, [esp+40h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+38h+var_18]
		push	eax
		lea	eax, [esp+3Ch+var_10]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	0C4h
		push	[ebp+arg_4]
		push	_g_AhcDeviceObject
		push	edi
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_925EF8
		call	_PsGetCurrentThreadPreviousMode@0 ; PsGetCurrentThreadPreviousMode()
		mov	[esi+20h], al
		mov	edx, esi
		mov	ecx, _g_AhcDeviceObject
		call	IofCallDriver

loc_83A48D:				; CODE XREF: NtApphelpCacheControl+EBB19j
		mov	esi, eax

loc_83A48F:				; CODE XREF: NtApphelpCacheControl+E7j
					; NtApphelpCacheControl+104j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_83A49A:				; CODE XREF: NtApphelpCacheControl+60j
					; DATA XREF: PAGE:0083A500o ...
		mov	esi, ecx
		jmp	short loc_83A438
; 

loc_83A49E:				; CODE XREF: NtApphelpCacheControl+60j
					; DATA XREF: PAGE:0083A4F4o ...
		mov	esi, ebx
		jmp	short loc_83A438
; 

loc_83A4A2:				; CODE XREF: NtApphelpCacheControl+72j
		push	offset ??_C@_1CA@PEJJNCFJ@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAa?$AAh?$AAc?$AAa?$AAc?$AAh?$AAe@NNGAKEGL@
		lea	eax, [esp+3Ch+var_20]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_83A48F
		lea	eax, [esp+38h+var_28]
		push	eax
		lea	eax, [esp+3Ch+var_24]
		push	eax
		push	0C0000000h
		lea	eax, [esp+44h+var_20]
		push	eax
		call	IoGetDeviceObjectPointer
		test	eax, eax
		js	short loc_83A48F
		mov	ecx, [esp+38h+var_28]
		mov	edx, offset _g_AhcDeviceObject
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	loc_83A440
		jmp	loc_925EEA
NtApphelpCacheControl endp

; 
		align 10h
off_83A4F0	dd offset loc_83A433	; DATA XREF: NtApphelpCacheControl+60r
		dd offset loc_83A49E
		dd offset loc_83A49E
		dd offset loc_83A49E
		dd offset loc_83A49A
		dd offset loc_83A49A
		dd offset loc_83A433
		dd offset loc_83A49E
		dd offset loc_83A49A
		dd offset loc_925F02
		dd offset loc_83A49E
		dd offset loc_83A49A
		dd 4 dup(0CCCCCCCCh)
; Exported entry 1042. IoVolumeDeviceToDosName
; Exported entry 2407. RtlVolumeDeviceToDosName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoVolumeDeviceToDosName
IoVolumeDeviceToDosName	proc near	; CODE XREF: IopQueryNameInternal+96p
					; IopMountVolume+13C962p ...

var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_208		= dword	ptr -208h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00925F0C SIZE 000000CC BYTES

		mov	edi, edi	; IoVolumeDeviceToDosName
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 240h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+240h+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+240h+var_21C], eax
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [esp+248h+var_22C]
		mov	[esp+248h+var_234], 0
		stosd
		mov	[esp+248h+var_230], 0
		mov	[esp+248h+var_218], 0
		mov	[esp+248h+var_214], 0
		stosd
		mov	[esp+248h+var_23C], 0
		mov	[esp+248h+var_238], 0
		stosd
		stosd
		mov	eax, [esi+2Ch]
		cmp	eax, 7
		jnz	loc_925F0C

loc_83A59E:				; CODE XREF: IoVolumeDeviceToDosName+EB9DFj
					; IoVolumeDeviceToDosName+EB9E8j ...
		push	0
		push	0
		lea	eax, [esp+250h+var_22C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+248h+var_234]
		push	eax
		lea	eax, [esp+24Ch+var_22C]
		push	eax
		push	0
		push	200h
		lea	eax, [esp+258h+var_208]
		push	eax
		push	0
		push	0
		push	esi
		push	4D0008h
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	loc_925F9B
		mov	edx, eax
		mov	ecx, esi
		call	IofCallDriver
		cmp	eax, 103h
		jz	loc_925F31

loc_83A5ED:				; CODE XREF: IoVolumeDeviceToDosName+EBA17j
		test	eax, eax
		js	loc_83A756
		push	offset ??_C@_1DE@MJJBHHAG@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAM?$AAo?$AAu?$AAn?$AAt?$AAP?$AAo@NNGAKEGL@
		lea	eax, [esp+24Ch+var_218]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+248h+var_238]
		push	eax
		lea	eax, [esp+24Ch+var_23C]
		push	eax
		push	80h
		lea	eax, [esp+254h+var_218]
		push	eax
		call	IoGetDeviceObjectPointer
		test	eax, eax
		js	loc_83A756
		push	0
		push	0
		lea	eax, [esp+250h+var_22C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	esi, [esp+248h+var_238]
		lea	eax, [esp+248h+var_234]
		push	eax
		lea	eax, [esp+24Ch+var_22C]
		push	eax
		push	0
		push	8
		lea	eax, [esp+258h+var_210]
		push	eax
		push	200h
		lea	eax, [esp+260h+var_208]
		push	eax
		push	esi
		push	offset unk_6D0030
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	loc_925F92
		mov	edx, eax
		mov	ecx, esi
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_925F4C

loc_83A67E:				; CODE XREF: IoVolumeDeviceToDosName+EBA32j
		test	esi, esi
		jns	short loc_83A68E
		cmp	esi, 80000005h
		jnz	loc_925F67

loc_83A68E:				; CODE XREF: IoVolumeDeviceToDosName+150j
		mov	edi, [esp+248h+var_210]
		add	edi, 8
		cmp	edi, 0FFFFh
		ja	loc_925F77
		push	20643244h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_925F92
		push	0
		push	0
		lea	eax, [esp+250h+var_22C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+248h+var_234]
		push	eax
		lea	eax, [esp+24Ch+var_22C]
		push	eax
		push	0
		push	edi
		mov	edi, [esp+258h+var_238]
		lea	eax, [esp+258h+var_208]
		push	esi
		push	200h
		push	eax
		push	edi
		push	offset unk_6D0030
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	loc_925F8A
		mov	edx, eax
		mov	ecx, edi
		call	IofCallDriver
		mov	edi, eax
		cmp	edi, 103h
		jz	loc_925FA5

loc_83A70C:				; CODE XREF: IoVolumeDeviceToDosName+EBA8Bj
		test	edi, edi
		js	loc_925FC0
		movzx	ecx, word ptr [esi]
		mov	edi, [esp+248h+var_21C]
		sub	cx, 4
		lea	eax, [ecx+2]
		mov	[edi], cx
		mov	[edi+2], ax
		movzx	eax, cx
		push	eax		; size_t
		lea	eax, [esi+4]
		mov	[edi+4], esi
		push	eax		; void *
		push	esi		; void *
		call	_memmove
		movzx	ecx, word ptr [edi]
		xor	edx, edx
		mov	eax, [edi+4]
		add	esp, 0Ch
		shr	ecx, 1
		mov	[eax+ecx*2], dx
		mov	ecx, [esp+248h+var_23C]
		call	ObfDereferenceObject
		xor	eax, eax

loc_83A756:				; CODE XREF: IoVolumeDeviceToDosName+BFj
					; IoVolumeDeviceToDosName+EFj ...
		mov	ecx, [esp+248h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
IoVolumeDeviceToDosName	endp

; 
		dd 5 dup(0CCCCCCCCh)
; Exported entry 857. IoGetDeviceObjectPointer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoGetDeviceObjectPointer
IoGetDeviceObjectPointer proc near	; CODE XREF: IoVolumeDeviceNameToGuidPath+EDp
					; NtApphelpCacheControl+FDp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00925FD8 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		cmp	_IopCaseInsensitive, 0
		push	esi
		mov	[ebp+var_4], 0
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], 0
		mov	[ebp+var_24], 18h
		mov	[ebp+var_20], 0
		jz	loc_925FD8
		mov	eax, 240h

loc_83A7BE:				; CODE XREF: IoGetDeviceObjectPointer+EB85Dj
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_1C], eax
		mov	eax, large fs:124h
		mov	[ebp+var_14], 0
		mov	[ebp+var_10], 0
		dec	word ptr [eax+13Ch]
		nop
		push	40h
		push	3
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	eax
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_83A841
		mov	eax, ds:_IoFileObjectType
		lea	ecx, [ebp+arg_0]
		push	0
		push	ecx
		push	0
		push	eax
		push	0
		push	[ebp+var_4]
		mov	[ebp+arg_0], 0
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_83A839
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		push	ecx
		mov	[eax], ecx
		call	IoGetRelatedDeviceObject
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax

loc_83A839:				; CODE XREF: IoGetDeviceObjectPointer+A4j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_83A841:				; CODE XREF: IoGetDeviceObjectPointer+7Fj
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
IoGetDeviceObjectPointer endp

; 
		align 10h
		dd 4 dup(0CCCCCCCCh)
; 
; Exported entry 1532. NtLockFile

; __stdcall NtLockFile(x, x, x,	x, x, x, x, x, x, x)
		public _NtLockFile@40
_NtLockFile@40:				; DATA XREF: .text:00580FACo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6A80
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 54h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	dword ptr [ebp-20h], 0
		mov	dword ptr [ebp-24h], 0
		mov	dword ptr [ebp-54h], 0
		mov	dword ptr [ebp-50h], 0
		mov	dword ptr [ebp-5Ch], 0
		mov	dword ptr [ebp-58h], 0
		mov	dword ptr [ebp-64h], 0
		mov	dword ptr [ebp-60h], 0
		mov	eax, large fs:124h
		mov	[ebp-34h], eax
		mov	bl, [eax+15Ah]
		mov	[ebp-1Bh], bl
		mov	[ebp-38h], bl
		lea	eax, [ebp-64h]
		push	eax
		lea	eax, [ebp-20h]
		push	eax
		mov	edi, [ebp-38h]
		push	edi
		xor	edx, edx
		mov	ecx, [ebp+8]
		call	IopReferenceFileObject
		test	eax, eax
		js	loc_83ADD6
		test	bl, bl
		jz	loc_83AA10
		test	byte ptr [ebp-60h], 3
		jnz	short loc_83A92F
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	eax, 0C0000022h
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_83A92F:				; CODE XREF: PAGE:0083A90Cj
		mov	dword ptr [ebp-4], 0
		mov	ebx, [ebp+18h]
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_83A946
		mov	ecx, eax

loc_83A946:				; CODE XREF: PAGE:0083A942j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+1Ch]
		mov	edx, ecx
		test	cl, 3
		jnz	loc_83ADEA
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_83A963
		mov	edx, eax

loc_83A963:				; CODE XREF: PAGE:0083A95Fj
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	[ebp-54h], eax
		mov	eax, [ecx+4]
		mov	[ebp-50h], eax
		mov	ecx, [ebp+20h]
		mov	edx, ecx
		test	cl, 3
		jnz	loc_83ADEF
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_83A98A
		mov	edx, eax

loc_83A98A:				; CODE XREF: PAGE:0083A986j
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	[ebp-5Ch], eax
		mov	eax, [ecx+4]
		mov	[ebp-58h], eax
		mov	esi, [ebp-20h]
		cmp	dword ptr [esi+6Ch], 0
		jz	short loc_83A9CE
		cmp	dword ptr [ebp+10h], 0
		jz	short loc_83A9CE
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_83A9CE:				; CODE XREF: PAGE:0083A99Fj
					; PAGE:0083A9A5j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_83AA32
; 

loc_83A9D7:				; DATA XREF: .text:006A6A94o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		mov	eax, 1
		retn
; 

loc_83A9E7:				; DATA XREF: .text:006A6A98o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_83AA10:				; CODE XREF: PAGE:0083A902j
		mov	ecx, [ebp+1Ch]
		mov	eax, [ecx]
		mov	[ebp-54h], eax
		mov	eax, [ecx+4]
		mov	[ebp-50h], eax
		mov	ecx, [ebp+20h]
		mov	eax, [ecx]
		mov	[ebp-5Ch], eax
		mov	eax, [ecx+4]
		mov	[ebp-58h], eax
		mov	esi, [ebp-20h]
		mov	ebx, [ebp+18h]

loc_83AA32:				; CODE XREF: PAGE:0083A9D5j
		mov	byte ptr [esi+24h], 1
		push	0
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	edx, eax
		mov	ecx, esi
		call	IopSetLockOperationProcess
		test	eax, eax
		js	loc_83ADD6
		mov	ecx, [ebp+0Ch]
		test	ecx, ecx
		jz	short loc_83AA83
		mov	eax, ds:_ExEventObjectType
		mov	dword ptr [ebp-28h], 0
		push	0
		lea	edx, [ebp-28h]
		push	edx
		push	edi
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp-28h]
		mov	[ebp-24h], edi
		test	eax, eax
		js	short loc_83AA86
		push	edi
		call	_KeResetEvent@4	; KeResetEvent(x)
		jmp	short loc_83AA86
; 

loc_83AA83:				; CODE XREF: PAGE:0083AA53j
		mov	edi, [ebp-24h]

loc_83AA86:				; CODE XREF: PAGE:0083AA79j
					; PAGE:0083AA81j
		push	esi
		call	IoGetRelatedDeviceObject
		mov	[ebp+0Ch], eax
		mov	ecx, [eax+8]
		mov	eax, [ecx+28h]
		test	eax, eax
		jz	loc_83AC01
		mov	eax, [eax+18h]
		mov	[ebp+8], eax
		test	eax, eax
		jz	loc_83AC01
		mov	dword ptr [ebp-4Ch], 0
		mov	dword ptr [ebp-48h], 0
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_83AAC9
		call	_VfFastIoSnapState@0 ; VfFastIoSnapState()
		jmp	short loc_83AACB
; 

loc_83AAC9:				; CODE XREF: PAGE:0083AAC0j
		xor	eax, eax

loc_83AACB:				; CODE XREF: PAGE:0083AAC7j
		mov	[ebp+20h], eax
		mov	eax, [ebp-34h]
		mov	eax, [eax+80h]
		push	dword ptr [ebp+0Ch]
		lea	ecx, [ebp-4Ch]
		push	ecx
		push	dword ptr [ebp+2Ch]
		push	dword ptr [ebp+28h]
		push	dword ptr [ebp+24h]
		push	eax
		lea	eax, [ebp-5Ch]
		push	eax
		lea	eax, [ebp-54h]
		push	eax
		push	esi
		call	dword ptr [ebp+8]
		mov	[ebp+1Fh], al
		mov	eax, [ebp+20h]
		test	eax, eax
		jz	short loc_83AB08
		mov	edx, [ebp+8]
		mov	ecx, eax
		call	_VfFastIoCheckState@8 ;	VfFastIoCheckState(x,x)

loc_83AB08:				; CODE XREF: PAGE:0083AAFCj
		cmp	byte ptr [ebp+1Fh], 0
		jz	loc_83AC01
		mov	dword ptr [ebp-4], 1
		mov	eax, [ebp-4Ch]
		mov	[ebx], eax
		mov	eax, [ebp-48h]
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_83AB5A
; 

loc_83AB2D:				; DATA XREF: .text:006A6AA0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		mov	eax, 1
		retn
; 

loc_83AB3D:				; DATA XREF: .text:006A6AA4o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-40h]
		mov	[ebp-4Ch], eax
		mov	dword ptr [ebp-48h], 0
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-20h]
		mov	edi, [ebp-24h]

loc_83AB5A:				; CODE XREF: PAGE:0083AB2Bj
		test	edi, edi
		jz	short loc_83AB78
		test	dword ptr [esi+2Ch], 8000000h
		jnz	short loc_83AB71
		push	0
		push	0
		push	edi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_83AB71:				; CODE XREF: PAGE:0083AB65j
		mov	ecx, edi
		call	ObfDereferenceObject

loc_83AB78:				; CODE XREF: PAGE:0083AB5Cj
		cmp	dword ptr [esi+6Ch], 0
		jz	short loc_83ABE3
		mov	edi, [ebp+14h]
		test	edi, edi
		jz	short loc_83ABE3
		test	dword ptr [esi+2Ch], 2000000h
		jnz	short loc_83ABE3
		mov	dword ptr [ebp-2Ch], 0
		mov	dword ptr [ebp-30h], 0
		mov	byte ptr [ebp-19h], 0
		lea	eax, [ebp-30h]
		push	eax
		lea	eax, [ebp-2Ch]
		push	eax
		lea	edx, [ebp-19h]
		mov	ecx, esi
		call	_IopIncrementCompletionContextUsageCountAndReadData@16 ; IopIncrementCompletionContextUsageCountAndReadData(x,x,x,x)
		mov	eax, [ebp-2Ch]
		test	eax, eax
		jz	short loc_83ABD6
		push	1
		push	dword ptr [ebp-48h]
		push	dword ptr [ebp-4Ch]
		push	edi
		push	dword ptr [ebp-30h]
		push	eax
		call	_IoSetIoCompletion@24 ;	IoSetIoCompletion(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_83ABD6
		mov	dword ptr [ebp-4Ch], 0C000009Ah

loc_83ABD6:				; CODE XREF: PAGE:0083ABB7j
					; PAGE:0083ABCDj
		cmp	byte ptr [ebp-19h], 0
		jz	short loc_83ABE3
		mov	ecx, esi
		call	_IopDecrementCompletionContextUsageCount@4 ; IopDecrementCompletionContextUsageCount(x)

loc_83ABE3:				; CODE XREF: PAGE:0083AB7Cj
					; PAGE:0083AB83j ...
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, [ebp-4Ch]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_83AC01:				; CODE XREF: PAGE:0083AA97j
					; PAGE:0083AAA5j ...
		mov	eax, [esi+2Ch]
		test	al, 2
		jz	loc_83AC9F
		shr	eax, 2
		and	al, 1
		mov	[ebp+1Ch], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		mov	esi, [ebp-20h]
		lea	ecx, [esi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		xor	bl, bl
		mov	[ebp-1Ah], bl
		mov	edx, 1
		lea	ecx, [esi+44h]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	short loc_83AC57
		test	eax, eax
		jz	short loc_83AC4C
		or	byte ptr [eax+0Eh], 1

loc_83AC4C:				; CODE XREF: PAGE:0083AC46j
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	edi, edi
		jmp	short loc_83AC6E
; 

loc_83AC57:				; CODE XREF: PAGE:0083AC42j
		lea	ecx, [ebp-1Ah]
		push	ecx
		push	eax
		push	dword ptr [ebp+1Ch]
		mov	dl, [ebp-1Bh]
		mov	ecx, esi
		call	IopWaitAndAcquireFileObjectLock
		mov	edi, eax
		mov	bl, [ebp-1Ah]

loc_83AC6E:				; CODE XREF: PAGE:0083AC55j
		test	bl, bl
		jz	short loc_83AC9B
		mov	ecx, [ebp-24h]
		test	ecx, ecx
		jz	short loc_83AC7E
		call	ObfDereferenceObject

loc_83AC7E:				; CODE XREF: PAGE:0083AC77j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_83AC9B:				; CODE XREF: PAGE:0083AC70j
		mov	bl, 1
		jmp	short loc_83ACA1
; 

loc_83AC9F:				; CODE XREF: PAGE:0083AC06j
		xor	bl, bl

loc_83ACA1:				; CODE XREF: PAGE:0083AC9Dj
		mov	[ebp+1Ch], bl
		mov	ecx, esi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		mov	eax, [ebp+4]
		push	eax
		xor	bl, 1
		movzx	eax, bl
		push	eax
		mov	ebx, [ebp+0Ch]
		mov	dl, [ebx+30h]
		mov	ecx, ebx
		call	IopAllocateIrpExReturn
		mov	edi, eax
		mov	[ebp+20h], edi
		mov	ecx, [ebp-20h]
		test	edi, edi
		jnz	short loc_83ACF0
		mov	edx, [ebp-24h]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		mov	eax, 0C000009Ah
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_83ACF0:				; CODE XREF: PAGE:0083ACCDj
		mov	[edi+64h], ecx
		mov	eax, [ebp-34h]
		mov	[edi+50h], eax
		mov	al, [ebp-1Bh]
		mov	[edi+20h], al
		mov	eax, [ebp-24h]
		mov	[edi+2Ch], eax
		mov	eax, [ebp+18h]
		mov	[edi+28h], eax
		mov	eax, [ebp+10h]
		mov	[edi+30h], eax
		mov	eax, [ebp+14h]
		mov	[edi+34h], eax
		mov	esi, [edi+60h]
		mov	word ptr [esi-24h], 111h
		mov	[esi-0Ch], ecx
		mov	byte ptr [esi-22h], 0
		xor	al, al
		cmp	[ebp+28h], al
		jz	short loc_83AD34
		mov	byte ptr [esi-22h], 1
		mov	al, 1

loc_83AD34:				; CODE XREF: PAGE:0083AD2Cj
		cmp	byte ptr [ebp+2Ch], 0
		jz	short loc_83AD3F
		or	al, 2
		mov	[esi-22h], al

loc_83AD3F:				; CODE XREF: PAGE:0083AD38j
		mov	eax, [ebp+24h]
		mov	[esi-1Ch], eax
		mov	eax, [ebp-54h]
		mov	[esi-18h], eax
		mov	eax, [ebp-50h]
		mov	[esi-14h], eax
		mov	dword ptr [ebp-4], 2
		call	sub_565698
		mov	ecx, [ebp-5Ch]
		mov	[eax], ecx
		mov	ecx, [ebp-58h]
		mov	[eax+4], ecx
		mov	[edi+54h], eax
		mov	[esi-20h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	2
		push	dword ptr [ebp+1Ch]
		push	dword ptr [ebp-38h]
		push	0
		push	dword ptr [ebp-20h]
		mov	edx, edi
		mov	ecx, ebx
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_83AD9F:				; DATA XREF: .text:006A6AACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		mov	eax, 1
		retn
; 

loc_83ADAF:				; DATA XREF: .text:006A6AB0o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	0
		push	dword ptr [ebp-24h]
		mov	edx, [ebp+20h]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-44h]

loc_83ADD6:				; CODE XREF: PAGE:0083A8FAj
					; PAGE:0083AA48j
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_83ADEA:				; CODE XREF: PAGE:0083A952j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_83ADEF:				; CODE XREF: PAGE:0083A979j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1624. ObGetObjectType

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObGetObjectType(x)
		public _ObGetObjectType@4
_ObGetObjectType@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		lea	eax, [ecx-18h]
		movzx	ecx, byte ptr [ecx-0Ch]
		shr	eax, 8
		movzx	eax, al
		xor	eax, ecx
		movzx	ecx, byte ptr ds:_ObHeaderCookie
		xor	eax, ecx
		mov	eax, ds:_ObTypeIndexTable[eax*4]
		pop	ebp
		retn	4
_ObGetObjectType@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObQueryDeviceMapInformation proc near	; CODE XREF: PAGE:0083C5C2p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00925FE2 SIZE 00000045 BYTES
; FUNCTION CHUNK AT 00926049 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6B00
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_24], edx
		mov	esi, ecx
		mov	[ebp+var_48], 0
		mov	[ebp+var_44], 0
		mov	[ebp+var_40], 0
		mov	[ebp+var_3C], 0
		mov	[ebp+var_38], 0
		mov	[ebp+var_34], 0
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], 0
		mov	[ebp+var_19], 0
		mov	eax, [ebp+arg_0]
		test	eax, 0FFFFFFFEh
		jnz	loc_926049
		test	al, 1
		jnz	loc_925FE2
		mov	edi, 1

loc_83AEC1:				; CODE XREF: ObQueryDeviceMapInformation+EB1B4j
		test	esi, esi
		jz	short loc_83AED9
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	eax, esi
		jnz	loc_926049

loc_83AED9:				; CODE XREF: ObQueryDeviceMapInformation+93j
		xor	cl, cl
		call	ObpReferenceDeviceMap
		mov	[ebp+arg_0], eax
		test	esi, esi
		jz	loc_925FE9
		push	esi
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)

loc_83AEF8:				; CODE XREF: ObQueryDeviceMapInformation+EB1BEj
		mov	ebx, eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [ebx+70h]
		mov	[ebp+var_20], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	loc_925FF3
		mov	[ebp+var_19], 1

loc_83AF26:				; CODE XREF: ObQueryDeviceMapInformation+EB1D2j
		test	ecx, ecx
		jz	loc_926007
		mov	esi, ecx
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_83AF43
		mov	eax, [eax+98h]
		test	eax, eax
		jz	short loc_83AF43
		mov	esi, eax

loc_83AF43:				; CODE XREF: ObQueryDeviceMapInformation+105j
					; ObQueryDeviceMapInformation+10Fj
		mov	ebx, [ecx+10h]
		mov	[ebp+var_4C], ebx
		mov	edx, 1
		xor	eax, eax

loc_83AF50:				; CODE XREF: ObQueryDeviceMapInformation+149j
		mov	cl, [ecx+eax+14h]
		mov	byte ptr [ebp+eax+var_48], cl
		test	ebx, edx
		jnz	short loc_83AF70
		test	edi, edi
		jz	short loc_83AF70
		mov	cl, [esi+eax+14h]
		mov	byte ptr [ebp+eax+var_48], cl
		mov	ecx, [esi+10h]
		and	ecx, edx
		or	[ebp+var_4C], ecx

loc_83AF70:				; CODE XREF: ObQueryDeviceMapInformation+12Aj
					; ObQueryDeviceMapInformation+12Ej
		inc	eax
		add	edx, edx
		cmp	eax, 20h
		mov	ecx, [ebp+arg_0]
		jb	short loc_83AF50
		xor	edx, edx
		mov	ecx, [ebp+var_20]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	[ebp+var_19], 1
		jnz	short loc_83AF9F
		mov	ecx, [ebp+arg_0]
		call	ObfDereferenceDeviceMap

loc_83AF9F:				; CODE XREF: ObQueryDeviceMapInformation+165j
		mov	[ebp+var_4], 0
		mov	ecx, 9
		lea	esi, [ebp+var_4C]
		mov	edi, [ebp+var_24]
		rep movsd
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	eax, eax

loc_83AFBC:				; CODE XREF: ObQueryDeviceMapInformation+EB1F2j
					; sub_926037+Dj ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
ObQueryDeviceMapInformation endp

; 

ObfDereferenceDeviceMap:		; CODE XREF: ObDereferenceDeviceMap(x)+5Aj
					; ObSetCurrentProcessDeviceMap+E3p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	ebx, [esi+0Ch]
		mov	edx, [ebx]
		cmp	edx, 1
		jz	short loc_83B008

loc_83AFE5:				; CODE XREF: PAGE:0083B006j
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [ebx], ecx
		mov	edi, eax
		cmp	edi, edx
		jnz	short loc_83B001

loc_83AFF4:				; CODE XREF: PAGE:00926064j
		test	edi, edi
		jle	loc_83B08E

loc_83AFFC:				; CODE XREF: PAGE:0083B080j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_83B001:				; CODE XREF: PAGE:0083AFF2j
		mov	edx, edi
		cmp	edi, 1
		jnz	short loc_83AFE5

loc_83B008:				; CODE XREF: PAGE:0083AFE3j
		mov	ecx, [esi+34h]
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Eh]
		nop
		add	eax, 70h
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp-4], eax
		call	ExAcquirePushLockExclusiveEx
		or	edi, 0FFFFFFFFh
		lock xadd [ebx], edi
		dec	edi
		mov	ecx, [ebp-4]
		inc	edi
		xor	edx, edx
		cmp	edi, 1
		jnz	loc_926053
		mov	eax, [esi]
		and	[eax+98h], edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [esi+34h]
		mov	edi, 6D44624Fh
		test	ecx, ecx
		jnz	short loc_83B085

loc_83B06A:				; CODE XREF: PAGE:0083B08Cj
		push	dword ptr [esi+8]
		call	_ZwClose@4	; ZwClose(x)
		mov	ecx, [esi]
		call	ObfDereferenceObject
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_83AFFC
; 

loc_83B085:				; CODE XREF: PAGE:0083B068j
		mov	edx, edi
		call	ObfDereferenceObjectWithTag
		jmp	short loc_83B06A
; 

loc_83B08E:				; CODE XREF: PAGE:0083AFF6j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpReferenceDeviceMap proc near		; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+68Ap
					; ObQueryDeviceMapInformation+ABp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00926069 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+150h]
		xor	esi, esi
		push	ebx
		mov	[ebp+var_2], cl
		mov	[ebp+var_C], esi
		mov	[ebp+var_1], 0
		mov	[ebp+var_8], eax
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		mov	edi, eax
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		cmp	edi, eax
		jnz	loc_926069
		mov	cl, [ebp+var_1]

loc_83B0DE:				; CODE XREF: ObpReferenceDeviceMap+EAFCEj
		mov	edi, [ebp+var_8]
		mov	eax, [edi+2FCh]
		test	al, 8
		jnz	loc_83B16F

loc_83B0EF:				; CODE XREF: ObpReferenceDeviceMap+D3j
		test	cl, cl
		jnz	short loc_83B100

loc_83B0F3:				; CODE XREF: ObpReferenceDeviceMap+FEj
					; ObpReferenceDeviceMap+11Dj ...
		cmp	dword ptr [ebx+198h], 0
		jz	loc_926073

loc_83B100:				; CODE XREF: ObpReferenceDeviceMap+51j
					; ObpReferenceDeviceMap+DBj ...
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		lea	edi, [esi+70h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		cmp	[ebp+var_1], 0
		jnz	loc_83B1E8
		mov	esi, [ebx+198h]

loc_83B131:				; CODE XREF: ObpReferenceDeviceMap+14Aj
		test	esi, esi
		jz	short loc_83B139
		lock inc dword ptr [esi+0Ch]

loc_83B139:				; CODE XREF: ObpReferenceDeviceMap+93j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	eax, large fs:124h
		nop
		add	word ptr [eax+13Eh], 1
		jnz	short loc_83B15F
		nop
		add	eax, 70h
		cmp	[eax], eax
		jnz	loc_83B1EF

loc_83B15F:				; CODE XREF: ObpReferenceDeviceMap+B1j
					; ObpReferenceDeviceMap+132j ...
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jnz	short loc_83B1D4

loc_83B166:				; CODE XREF: ObpReferenceDeviceMap+139j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_83B16F:				; CODE XREF: ObpReferenceDeviceMap+49j
		cmp	[ebp+var_2], 0
		jnz	loc_83B0EF
		test	cl, cl
		jnz	short loc_83B100
		push	0
		lea	eax, [ebp+var_10]
		mov	edx, 1
		push	eax
		lea	eax, [ebp-3]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp-4]
		push	eax
		call	_PsReferenceImpersonationTokenEx@24 ; PsReferenceImpersonationTokenEx(x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	loc_83B0F3
		cmp	dword ptr [ecx+18h], 3E7h
		mov	edx, [ecx+1Ch]
		jz	short loc_83B1DB

loc_83B1B0:				; CODE XREF: ObpReferenceDeviceMap+13Dj
		lea	edx, [ebp+var_8]
		mov	[ebp+var_8], esi
		call	SeGetTokenDeviceMap
		test	eax, eax
		js	loc_83B0F3
		mov	esi, [ebp+var_8]
		test	esi, esi
		jz	loc_83B0F3
		lock inc dword ptr [esi+0Ch]
		jmp	short loc_83B15F
; 

loc_83B1D4:				; CODE XREF: ObpReferenceDeviceMap+C4j
		call	ObfDereferenceObject
		jmp	short loc_83B166
; 

loc_83B1DB:				; CODE XREF: ObpReferenceDeviceMap+10Ej
		test	edx, edx
		jnz	short loc_83B1B0
		mov	[ebp+var_1], 1
		jmp	loc_83B100
; 

loc_83B1E8:				; CODE XREF: ObpReferenceDeviceMap+85j
		mov	esi, [esi]
		jmp	loc_83B131
; 

loc_83B1EF:				; CODE XREF: ObpReferenceDeviceMap+B9j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_83B15F
ObpReferenceDeviceMap endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsQueryRuntimeProcess(x, x)
_PsQueryRuntimeProcess@8 proc near	; CODE XREF: VdmCheckPMCliTimeStamp()+3Ap
					; VdmSetPMCliTimeStamp(x)+38p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], eax
		nop
		lea	eax, [esi+398h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	ExAcquirePushLockSharedEx
		mov	edi, [esi+9Ch]
		mov	ebx, [esi+0A0h]
		add	esi, 1D0h
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_83B262
		jmp	short loc_83B250
; 
		align 10h

loc_83B250:				; CODE XREF: PsQueryRuntimeProcess(x,x)+4Bj
					; PsQueryRuntimeProcess(x,x)+60j
		add	edi, [eax-150h]
		add	ebx, [eax-124h]
		mov	eax, [eax]
		cmp	eax, esi
		jnz	short loc_83B250

loc_83B262:				; CODE XREF: PsQueryRuntimeProcess(x,x)+49j
		mov	esi, [ebp+var_4]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_83B292

loc_83B275:				; CODE XREF: PsQueryRuntimeProcess(x,x)+99j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, [ebp+var_C]
		mov	[eax], ebx
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_83B292:				; CODE XREF: PsQueryRuntimeProcess(x,x)+73j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_83B275
_PsQueryRuntimeProcess@8 endp

; 
		align 10h
; Exported entry 1562. NtQueryInformationProcess

; __stdcall NtQueryInformationProcess(x, x, x, x, x)
		public _NtQueryInformationProcess@20
_NtQueryInformationProcess@20:		; DATA XREF: .text:00580E68o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6B20
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 748h
		mov	eax, ___security_cookie
		xor	[ebp-8], eax
		xor	eax, ebp
		mov	[ebp-1Ch], eax
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp-10h]
		mov	large fs:0, eax
		mov	[ebp-18h], esp
		mov	ebx, [ebp+10h]
		mov	[ebp-644h], ebx
		mov	esi, [ebp+8]
		mov	[ebp-360h], esi
		mov	[ebp-3A0h], ebx
		mov	[ebp-384h], ebx
		mov	edi, [ebp+18h]
		mov	[ebp-380h], edi
		mov	[ebp-3C4h], edi
		xor	eax, eax
		mov	[ebp-68h], eax
		mov	[ebp-64h], eax
		mov	[ebp-60h], eax
		mov	[ebp-5Ch], eax
		mov	[ebp-58h], eax
		mov	[ebp-54h], eax
		mov	[ebp-370h], eax
		mov	[ebp-374h], eax
		mov	[ebp-3E4h], eax
		mov	[ebp-74h], eax
		mov	[ebp-70h], eax
		mov	[ebp-6Ch], eax
		mov	[ebp-3A4h], eax
		mov	[ebp-394h], eax
		mov	[ebp-5A0h], eax
		mov	[ebp-69Ch], eax
		push	30h
		push	eax
		lea	eax, [ebp-680h]
		push	eax
		call	_memset
		push	78h
		push	0
		lea	eax, [ebp-110h]
		push	eax
		call	_memset
		xor	eax, eax
		mov	[ebp-450h], eax
		mov	[ebp-44Ch], eax
		mov	[ebp-448h], eax
		mov	[ebp-444h], eax
		mov	[ebp-440h], eax
		mov	[ebp-43Ch], eax
		mov	[ebp-438h], eax
		mov	[ebp-434h], eax
		mov	[ebp-430h], eax
		mov	[ebp-42Ch], eax
		mov	[ebp-428h], eax
		mov	[ebp-424h], eax
		mov	[ebp-650h], eax
		mov	[ebp-64Ch], eax
		mov	[ebp-3D4h], eax
		mov	[ebp-50h], eax
		mov	[ebp-4Ch], eax
		mov	[ebp-48h], eax
		mov	[ebp-44h], eax
		mov	[ebp-40h], eax
		mov	[ebp-3Ch], eax
		mov	[ebp-38h], eax
		mov	[ebp-34h], eax
		mov	[ebp-30h], eax
		mov	[ebp-2Ch], eax
		mov	[ebp-36Ch], eax
		mov	[ebp-368h], eax
		mov	[ebp-3C0h], ax
		mov	[ebp-354h], eax
		mov	[ebp-458h], eax
		mov	[ebp-454h], eax
		mov	[ebp-3B8h], eax
		push	68h
		push	eax
		lea	eax, [ebp-708h]
		push	eax
		call	_memset
		push	40h
		push	0
		lea	eax, [ebp-640h]
		push	eax
		call	_memset
		add	esp, 30h
		mov	eax, large fs:124h
		mov	cl, [eax+15Ah]
		mov	[ebp-361h], cl
		mov	[ebp-358h], cl
		mov	eax, large fs:124h
		mov	[ebp-398h], eax
		test	cl, cl
		jz	loc_83B544
		mov	dword ptr [ebp-4], 0
		mov	edx, [ebp+0Ch]
		cmp	edx, 3Dh
		jz	short loc_83B4A4
		cmp	edx, 41h
		jnz	short loc_83B47A
		lea	eax, [edx-3Eh]
		jmp	short loc_83B4A6
; 

loc_83B47A:				; CODE XREF: PAGE:0083B473j
		cmp	edx, 46h
		jz	short loc_83B4A4
		cmp	edx, 4Ah
		jz	short loc_83B4A4
		cmp	edx, 5Ch
		jnz	short loc_83B48E
		lea	eax, [edx-55h]
		jmp	short loc_83B4A6
; 

loc_83B48E:				; CODE XREF: PAGE:0083B487j
		cmp	edx, 5Eh
		jnz	short loc_83B498
		lea	eax, [edx-57h]
		jmp	short loc_83B4A6
; 

loc_83B498:				; CODE XREF: PAGE:0083B491j
		lea	eax, [edx-57h]
		neg	eax
		sbb	eax, eax
		and	eax, 3
		jmp	short loc_83B4A6
; 

loc_83B4A4:				; CODE XREF: PAGE:0083B46Ej
					; PAGE:0083B47Dj ...
		xor	eax, eax

loc_83B4A6:				; CODE XREF: PAGE:0083B478j
					; PAGE:0083B48Cj ...
		mov	ecx, [ebp+14h]
		test	ecx, ecx
		jz	short loc_83B4D8
		test	eax, ebx
		jnz	loc_83FAEC
		lea	eax, [ebx+ecx]
		mov	edx, ds:_MmUserProbeAddress
		mov	[ebp-390h], edx
		cmp	eax, edx
		mov	edx, [ebp+0Ch]
		ja	short loc_83B4CF
		cmp	eax, ebx
		jnb	short loc_83B4D8

loc_83B4CF:				; CODE XREF: PAGE:0083B4C9j
		mov	eax, [ebp-390h]
		mov	byte ptr [eax],	0

loc_83B4D8:				; CODE XREF: PAGE:0083B4ABj
					; PAGE:0083B4CDj
		test	edi, edi
		jz	short loc_83B513
		mov	eax, edi
		mov	[ebp-390h], edi
		mov	esi, ds:_MmUserProbeAddress
		mov	[ebp-3D0h], esi
		cmp	edi, esi
		mov	esi, [ebp-360h]
		jb	short loc_83B506
		mov	eax, [ebp-3D0h]
		mov	[ebp-390h], eax

loc_83B506:				; CODE XREF: PAGE:0083B4F8j
		mov	eax, [eax]
		mov	edx, [ebp-390h]
		mov	[edx], eax
		mov	edx, [ebp+0Ch]

loc_83B513:				; CODE XREF: PAGE:0083B4DAj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_83B54A
; 

loc_83B51C:				; DATA XREF: .text:006A6B34o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4D8h], eax
		mov	eax, 1
		retn
; 

loc_83B52F:				; DATA XREF: .text:006A6B38o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4D8h]
		jmp	loc_83FACE
; 

loc_83B544:				; CODE XREF: PAGE:0083B45Bj
		mov	ecx, [ebp+14h]
		mov	edx, [ebp+0Ch]

loc_83B54A:				; CODE XREF: PAGE:0083B51Aj
		cmp	edx, 61h
		ja	loc_83FAC9
		movzx	eax, ds:byte_83FC00[edx]
		jmp	ds:off_83FAF4[eax*4]

loc_83B561:				; DATA XREF: PAGE:0083FB3Co
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	esi, [ebp+14h]
		cmp	esi, 8
		jnb	short loc_83B5A0
		lea	ebx, [ebp-650h]
		xor	edx, edx
		jmp	short loc_83B5A3
; 

loc_83B5A0:				; CODE XREF: PAGE:0083B594j
		lea	edx, [esi-8]

loc_83B5A3:				; CODE XREF: PAGE:0083B59Ej
		mov	eax, [ebp-384h]
		add	eax, 8
		cmp	esi, 8
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax
		mov	[ebp-384h], ecx
		mov	[ebp-370h], edx
		lea	eax, [ebp-370h]
		push	eax
		push	ecx
		mov	edx, ebx
		mov	ecx, [ebp-354h]
		call	PsQueryFullProcessImageName
		mov	ebx, eax
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		test	ebx, ebx
		js	short loc_83B5FA
		cmp	dword ptr [ebp-384h], 0
		jnz	short loc_83B5FA
		mov	ebx, 0C0000004h

loc_83B5FA:				; CODE XREF: PAGE:0083B5EAj
					; PAGE:0083B5F3j
		test	edi, edi
		jz	short loc_83B64D
		test	ebx, ebx
		jns	short loc_83B60A
		cmp	ebx, 0C0000004h
		jnz	short loc_83B64D

loc_83B60A:				; CODE XREF: PAGE:0083B600j
		mov	eax, [ebp-370h]
		add	eax, 8
		mov	dword ptr [ebp-4], 1
		mov	[edi], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, ebx
		jmp	loc_83FACE
; 

loc_83B62A:				; DATA XREF: .text:006A6B40o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-568h], eax
		mov	eax, 1
		retn
; 

loc_83B63D:				; DATA XREF: .text:006A6B44o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-568h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_83B64D:				; CODE XREF: PAGE:0083B5FCj
					; PAGE:0083B608j ...
		mov	eax, ebx
		jmp	loc_83FACE
; 

loc_83B654:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB6Co
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83B7DA
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+1A8h]
		mov	[ebp-370h], eax
		mov	[ebp-3A4h], eax
		test	eax, eax
		jz	short loc_83B6D5
		lea	eax, [ecx+0F0h]
		mov	[ebp-384h], eax
		mov	ecx, eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_83B6CE
		mov	ecx, [ebp-370h]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [ebp-384h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_83B6F0
; 

loc_83B6CE:				; CODE XREF: PAGE:0083B6B4j
		mov	esi, 0C000010Ah
		jmp	short loc_83B6F0
; 

loc_83B6D5:				; CODE XREF: PAGE:0083B69Dj
		lea	eax, [ebp-3A4h]
		push	eax
		push	ecx
		call	_PsReferenceProcessFilePointer@8 ; PsReferenceProcessFilePointer(x,x)
		mov	esi, eax
		mov	eax, [ebp-3A4h]
		mov	[ebp-370h], eax

loc_83B6F0:				; CODE XREF: PAGE:0083B6CCj
					; PAGE:0083B6D3j
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		test	esi, esi
		js	loc_83B7DA
		lea	eax, [ebp-368h]
		push	eax
		push	dword ptr [ebp-370h]
		call	_IoQueryFileDosDeviceName@8 ; IoQueryFileDosDeviceName(x,x)
		mov	esi, eax
		mov	[ebp-384h], esi
		mov	ecx, [ebp-370h]
		call	ObfDereferenceObject
		test	esi, esi
		js	loc_83B7DA
		mov	edx, [ebp-368h]
		movzx	eax, word ptr [edx+2]
		add	eax, 8
		mov	[ebp-3D0h], eax
		mov	dword ptr [ebp-4], 2
		cmp	eax, [ebp+14h]
		jbe	short loc_83B761
		mov	esi, 0C0000004h
		mov	[ebp-35Ch], esi
		jmp	short loc_83B79C
; 

loc_83B761:				; CODE XREF: PAGE:0083B752j
		movzx	eax, word ptr [edx]
		mov	[ebx], ax
		movzx	eax, word ptr [edx+2]
		mov	[ebx+2], ax
		movzx	eax, word ptr [edx+2]
		test	ax, ax
		jz	short loc_83B78B
		lea	esi, [ebx+8]
		push	eax
		mov	eax, [edx+4]
		push	eax
		push	esi
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_83B78D
; 

loc_83B78B:				; CODE XREF: PAGE:0083B776j
		xor	esi, esi

loc_83B78D:				; CODE XREF: PAGE:0083B789j
		mov	[ebx+4], esi
		mov	esi, [ebp-384h]
		mov	eax, [ebp-3D0h]

loc_83B79C:				; CODE XREF: PAGE:0083B75Fj
		test	edi, edi
		jz	short loc_83B7C6
		mov	[edi], eax
		jmp	short loc_83B7C6
; 

loc_83B7A4:				; DATA XREF: .text:006A6B4Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-584h], eax
		mov	eax, 1
		retn
; 

loc_83B7B7:				; DATA XREF: .text:006A6B50o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-584h]
		mov	[ebp-35Ch], esi

loc_83B7C6:				; CODE XREF: PAGE:0083B79Ej
					; PAGE:0083B7A2j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		push	dword ptr [ebp-368h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_83B7DA:				; CODE XREF: PAGE:0083B67Dj
					; PAGE:0083B702j ...
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83B7E1:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB18o
		push	dword ptr [ebp-358h]
		push	edi
		push	ecx
		push	ebx
		mov	ecx, esi
		call	_PspQueryWorkingSetWatch@24 ; PspQueryWorkingSetWatch(x,x,x,x,x,x)
		jmp	loc_83FACE
; 

loc_83B7F6:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:off_83FAF4o
		xor	eax, eax
		mov	[ebp-80h], eax
		mov	[ebp-7Ch], eax
		mov	[ebp-78h], eax
		mov	[ebp-379h], al
		cmp	ecx, 20h
		jnz	short loc_83B870
		mov	[ebp-368h], ebx
		mov	dword ptr [ebp-4], 3
		mov	[ebx], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_83B859
; 

loc_83B824:				; DATA XREF: .text:006A6B58o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-588h], eax
		mov	eax, 1
		retn
; 

loc_83B837:				; DATA XREF: .text:006A6B5Co
		mov	esp, [ebp-18h]
		mov	eax, [ebp-588h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-360h]
		mov	ebx, [ebp-3A0h]
		mov	edi, [ebp-3C4h]

loc_83B859:				; CODE XREF: PAGE:0083B822j
		test	eax, eax
		js	loc_83FACE
		add	ebx, 4
		mov	dword ptr [ebp-380h], 20h
		jmp	short loc_83B885
; 

loc_83B870:				; CODE XREF: PAGE:0083B80Aj
		cmp	ecx, 18h
		jnz	loc_83DAA9
		mov	[ebp-368h], eax
		mov	[ebp-380h], ecx

loc_83B885:				; CODE XREF: PAGE:0083B86Ej
		mov	[ebp-390h], ebx
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp-3A0h], ecx
		mov	[ebp-35Ch], ecx
		test	ecx, ecx
		js	loc_83CC1D
		mov	dword ptr [ebp-4], 4
		mov	esi, [ebp-354h]
		mov	eax, [esi+34Ch]
		mov	[ebx], eax
		mov	eax, [esi+17Ch]
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_83B92E
; 

loc_83B8ED:				; DATA XREF: .text:006A6B64o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-58Ch], eax
		mov	eax, 1
		retn
; 

loc_83B900:				; DATA XREF: .text:006A6B68o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-58Ch]
		mov	[ebp-3A0h], ecx
		mov	[ebp-35Ch], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-354h]
		mov	ebx, [ebp-390h]
		mov	edi, [ebp-3C4h]

loc_83B92E:				; CODE XREF: PAGE:0083B8EBj
		test	ecx, ecx
		jns	short loc_83B949
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp-3A0h]
		jmp	loc_83FACE
; 

loc_83B949:				; CODE XREF: PAGE:0083B930j
		mov	dword ptr [ebp-390h], 0
		call	_MmGetMinWsPagePriority@0 ; MmGetMinWsPagePriority()
		mov	[ebp-394h], eax
		lea	ecx, [eax-1]
		test	ecx, eax
		jz	short loc_83B973
		mov	eax, [ebp-398h]
		cmp	esi, [eax+150h]
		jnz	short loc_83B9C7

loc_83B973:				; CODE XREF: PAGE:0083B963j
		push	0
		lea	eax, [ebp-394h]
		push	eax
		lea	edx, [ebp-80h]
		mov	ecx, esi
		call	_KeQueryAffinityProcess@16 ; KeQueryAffinityProcess(x,x,x,x)
		mov	edx, [ebp-394h]
		lea	eax, [edx-1]
		test	eax, edx
		jnz	short loc_83B998
		bsf	ecx, edx
		jmp	short loc_83B9B8
; 

loc_83B998:				; CODE XREF: PAGE:0083B991j
		mov	eax, [ebp-398h]
		cmp	esi, [eax+150h]
		jnz	short loc_83B9C7
		movzx	ecx, word ptr [eax+158h]
		mov	eax, 1
		shl	eax, cl
		test	eax, edx
		jz	short loc_83B9C7

loc_83B9B8:				; CODE XREF: PAGE:0083B996j
		cmp	ecx, 1
		jz	short loc_83B9C7
		mov	eax, [ebp+ecx*4-78h]
		mov	[ebp-390h], eax

loc_83B9C7:				; CODE XREF: PAGE:0083B971j
					; PAGE:0083B9A4j ...
		cmp	dword ptr [ebp-368h], 0
		jz	short loc_83B9DF
		push	0
		lea	edx, [ebp-379h]
		mov	ecx, esi
		call	_PsQueryProcessAttributes@12 ; PsQueryProcessAttributes(x,x,x)

loc_83B9DF:				; CODE XREF: PAGE:0083B9CEj
		mov	dword ptr [ebp-4], 5
		mov	eax, [ebp-390h]
		mov	[ebx+8], eax
		movsx	eax, byte ptr [esi+68h]
		mov	[ebx+0Ch], eax
		mov	eax, [esi+0E4h]
		mov	[ebx+10h], eax
		mov	eax, [esi+170h]
		mov	[ebx+14h], eax
		mov	ebx, [ebp-368h]
		test	ebx, ebx
		jz	loc_83BAAB
		mov	dword ptr [ebx+1Ch], 0
		push	esi
		call	_PsIsProtectedProcess@4	; PsIsProtectedProcess(x)
		test	eax, eax
		jz	short loc_83BA2E
		mov	dword ptr [ebx+1Ch], 1

loc_83BA2E:				; CODE XREF: PAGE:0083BA25j
		lea	edx, [esi+0FCh]
		mov	eax, [edx]
		test	eax, 40000008h
		jz	short loc_83BA41
		or	dword ptr [ebx+1Ch], 4

loc_83BA41:				; CODE XREF: PAGE:0083BA3Bj
		mov	eax, [ebx+1Ch]
		mov	esi, [ebp-354h]
		mov	ecx, [esi+0F8h]
		shr	ecx, 4
		xor	ecx, eax
		and	ecx, 8
		xor	ecx, eax
		mov	[ebx+1Ch], ecx
		mov	eax, [esi+64h]
		shr	eax, 3
		and	eax, 1
		add	eax, [esi+98h]
		jz	short loc_83BA74
		or	ecx, 10h
		mov	[ebx+1Ch], ecx

loc_83BA74:				; CODE XREF: PAGE:0083BA6Cj
		mov	eax, [edx]
		shr	eax, 0Fh
		xor	eax, ecx
		and	eax, 20h
		xor	eax, ecx
		mov	[ebx+1Ch], eax
		cmp	byte ptr [ebp-379h], 0
		jz	short loc_83BA92
		or	eax, 40h
		mov	[ebx+1Ch], eax

loc_83BA92:				; CODE XREF: PAGE:0083BA8Aj
		cmp	dword ptr [esi+3D4h], 0
		jz	short loc_83BAA3
		or	eax, 100h
		mov	[ebx+1Ch], eax

loc_83BAA3:				; CODE XREF: PAGE:0083BA99j
		mov	ebx, [ebp-35Ch]
		jmp	short loc_83BAB1
; 

loc_83BAAB:				; CODE XREF: PAGE:0083BA10j
		mov	ebx, [ebp-3A0h]

loc_83BAB1:				; CODE XREF: PAGE:0083BAA9j
		test	edi, edi
		jz	short loc_83BABD
		mov	eax, [ebp-380h]
		mov	[edi], eax

loc_83BABD:				; CODE XREF: PAGE:0083BAB3j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, ebx
		jmp	loc_83FACE
; 

loc_83BAD7:				; DATA XREF: .text:006A6B70o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-590h], eax
		mov	eax, 1
		retn
; 

loc_83BAEA:				; DATA XREF: .text:006A6B74o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-590h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-354h]
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, ebx
		jmp	loc_83FACE
; 

loc_83BB13:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB10o
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	ecx, [ebp-354h]
		mov	esi, [ecx+1E0h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 6
		jmp	loc_83D7B7
; 

loc_83BB6B:				; DATA XREF: .text:006A6B7Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-594h], eax
		mov	eax, 1
		retn
; 

loc_83BB7E:				; DATA XREF: .text:006A6B80o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-594h]
		jmp	loc_83FACE
; 

loc_83BB93:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FAF8o
		push	dword ptr [ebp-358h]
		push	edi
		push	ecx
		push	ebx
		mov	ecx, esi
		call	PspQueryQuotaLimits
		jmp	loc_83FACE
; 

loc_83BBA8:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB14o
		push	dword ptr [ebp-358h]
		push	edi
		push	ecx
		mov	edx, ebx
		mov	ecx, esi
		call	_PspQueryPooledQuotaLimits@20 ;	PspQueryPooledQuotaLimits(x,x,x,x,x)
		jmp	loc_83FACE
; 

loc_83BBBE:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FAFCo
		cmp	ecx, 30h
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp-384h], eax
		test	eax, eax
		js	loc_83FACE
		lea	edx, [ebp-708h]
		mov	ecx, [ebp-354h]
		call	PsQueryStatisticsProcess
		mov	eax, [ebp-6E0h]
		mov	[ebp-680h], eax
		mov	eax, [ebp-6DCh]
		mov	[ebp-67Ch], eax
		mov	eax, [ebp-6D8h]
		mov	[ebp-678h], eax
		mov	eax, [ebp-6D4h]
		mov	[ebp-674h], eax
		mov	eax, [ebp-6D0h]
		mov	[ebp-670h], eax
		mov	eax, [ebp-6CCh]
		mov	[ebp-66Ch], eax
		mov	eax, [ebp-6C8h]
		mov	[ebp-668h], eax
		mov	eax, [ebp-6C4h]
		mov	[ebp-664h], eax
		mov	eax, [ebp-6C0h]
		mov	[ebp-660h], eax
		mov	eax, [ebp-6BCh]
		mov	[ebp-65Ch], eax
		mov	eax, [ebp-6B8h]
		mov	[ebp-658h], eax
		mov	eax, [ebp-6B4h]
		mov	[ebp-654h], eax
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 7
		mov	ecx, 0Ch
		lea	esi, [ebp-680h]
		mov	edi, ebx
		rep movsd
		mov	eax, [ebp-380h]
		test	eax, eax
		jz	short loc_83BCD1
		mov	dword ptr [eax], 30h

loc_83BCD1:				; CODE XREF: PAGE:0083BCC9j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-384h]
		jmp	loc_83FACE
; 

loc_83BCE3:				; DATA XREF: .text:006A6B88o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-59Ch], eax
		mov	eax, 1
		retn
; 

loc_83BCF6:				; DATA XREF: .text:006A6B8Co
		mov	esp, [ebp-18h]
		mov	eax, [ebp-59Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83FACE
; 

loc_83BD0B:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB00o
		cmp	ecx, 2Ch
		jz	short loc_83BD1E
		cmp	ecx, 30h
		jz	short loc_83BD1E
		cmp	ecx, 40h
		jnz	loc_83DAA9

loc_83BD1E:				; CODE XREF: PAGE:0083BD0Ej
					; PAGE:0083BD13j
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	dword ptr [ebp-634h], 0
		mov	dword ptr [ebp-630h], 0
		mov	dword ptr [ebp-62Ch], 0
		mov	dword ptr [ebp-628h], 0
		mov	dword ptr [ebp-624h], 0
		mov	dword ptr [ebp-620h], 0
		mov	dword ptr [ebp-610h], 0
		mov	dword ptr [ebp-60Ch], 0
		mov	esi, [ebp-354h]
		mov	eax, [esi+118h]
		mov	[ebp-640h], eax
		mov	eax, [esi+11Ch]
		mov	[ebp-63Ch], eax
		mov	eax, [esi+244h]
		mov	[ebp-638h], eax
		lea	eax, [ebp-68h]
		push	eax
		push	esi
		call	KeStackAttachProcess
		lea	eax, [ebp-5A0h]
		push	eax
		lea	eax, [ebp-3D4h]
		push	eax
		lea	eax, [ebp-36Ch]
		push	eax
		lea	eax, [ebp-610h]
		push	eax
		lea	edx, [ebp-630h]
		lea	ecx, [ebp-634h]
		call	_MmQueryWorkingSetInformation@24 ; MmQueryWorkingSetInformation(x,x,x,x,x,x)
		mov	[ebp-35Ch], eax
		lea	eax, [ebp-68h]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		lea	eax, [ebp-62Ch]
		push	eax
		lea	eax, [ebp-628h]
		push	eax
		mov	edx, 1
		mov	ecx, esi
		call	_PsQueryProcessQuotaCounters@16	; PsQueryProcessQuotaCounters(x,x,x,x)
		lea	eax, [ebp-624h]
		push	eax
		lea	eax, [ebp-620h]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	_PsQueryProcessQuotaCounters@16	; PsQueryProcessQuotaCounters(x,x,x,x)
		mov	eax, [esi+224h]
		shl	eax, 0Ch
		mov	[ebp-61Ch], eax
		mov	eax, [ebp-354h]
		mov	eax, [eax+228h]
		shl	eax, 0Ch
		mov	[ebp-618h], eax
		mov	eax, [ebp-354h]
		mov	ecx, [eax+418h]
		xor	eax, eax
		shld	eax, ecx, 0Ch
		shl	ecx, 0Ch
		mov	[ebp-608h], ecx
		mov	[ebp-604h], eax
		mov	eax, [ebp-61Ch]
		mov	[ebp-614h], eax
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp-35Ch]
		test	eax, eax
		js	loc_83FACE
		mov	dword ptr [ebp-4], 8
		mov	esi, [ebp+14h]
		push	esi
		lea	eax, [ebp-640h]
		push	eax
		push	ebx
		call	_memcpy
		add	esp, 0Ch
		test	edi, edi
		jz	loc_83D7C3
		mov	[edi], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	eax, eax
		jmp	loc_83FACE
; 

loc_83BEDE:				; DATA XREF: .text:006A6B94o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5A4h], eax
		mov	eax, 1
		retn
; 

loc_83BEF1:				; DATA XREF: .text:006A6B98o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-5A4h]
		jmp	loc_83FACE
; 

loc_83BF06:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB04o
		cmp	ecx, 20h
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp-36Ch], eax
		test	eax, eax
		js	loc_83FACE
		lea	edx, [ebp-3B8h]
		mov	esi, [ebp-354h]
		mov	ecx, esi
		call	_PsQueryRuntimeProcess@8 ; PsQueryRuntimeProcess(x,x)
		mov	dword ptr [ebp-4], 9
		mul	ds:_KeMaximumIncrement
		mov	[ebx+10h], eax
		mov	[ebx+14h], edx
		mov	eax, [ebp-3B8h]
		mul	ds:_KeMaximumIncrement
		mov	[ebx+18h], eax
		mov	[ebx+1Ch], edx
		mov	eax, [esi+100h]
		mov	[ebx], eax
		mov	eax, [esi+104h]
		mov	[ebx+4], eax
		mov	eax, [esi+388h]
		mov	ecx, [esi+38Ch]
		mov	[ebx+8], eax
		mov	[ebx+0Ch], ecx
		test	edi, edi
		jz	short loc_83BFA7
		mov	dword ptr [edi], 20h

loc_83BFA7:				; CODE XREF: PAGE:0083BF9Fj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-36Ch]
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_83FACE
; 

loc_83BFC7:				; DATA XREF: .text:006A6BA0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5A8h], eax
		mov	eax, 1
		retn
; 

loc_83BFDA:				; DATA XREF: .text:006A6BA4o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-5A8h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-354h]
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_83FACE
; 

loc_83C003:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBF0o
		cmp	ecx, 8
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83B7DA
		mov	dword ptr [ebp-4], 0Ah
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+3E8h]
		mov	[ebx], eax
		mov	eax, [ecx+3ECh]
		mov	[ebx+4], eax
		test	edi, edi
		jz	short loc_83C063
		mov	dword ptr [edi], 8

loc_83C063:				; CODE XREF: PAGE:0083C05Bj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83C07B:				; DATA XREF: .text:006A6BACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5ACh], eax
		mov	eax, 1
		retn
; 

loc_83C08E:				; DATA XREF: .text:006A6BB0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-5ACh]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83C0B5:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB08o
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	400h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	ecx, [ebp-354h]
		mov	esi, [ecx+190h]
		neg	esi
		sbb	esi, esi
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 0Bh
		jmp	loc_83D7B7
; 

loc_83C111:				; DATA XREF: .text:006A6BB8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5B0h], eax
		mov	eax, 1
		retn
; 

loc_83C124:				; DATA XREF: .text:006A6BBCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-5B0h]
		jmp	loc_83FACE
; 

loc_83C139:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB48o
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	400h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		lea	eax, [ebp-374h]
		push	eax
		mov	dl, [ebp-361h]
		mov	ecx, [ebp-354h]
		call	_DbgkOpenProcessDebugPort@12 ; DbgkOpenProcessDebugPort(x,x,x)
		mov	ecx, eax
		mov	[ebp-3D4h], ecx
		xor	eax, eax
		test	ecx, ecx
		sets	al
		dec	eax
		and	eax, [ebp-374h]
		mov	[ebp-36Ch], eax
		mov	[ebp-374h], eax
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 0Ch
		mov	eax, [ebp-36Ch]
		mov	[ebx], eax
		test	edi, edi
		jz	short loc_83C1D2
		mov	dword ptr [edi], 4

loc_83C1D2:				; CODE XREF: PAGE:0083C1CAj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3D4h]
		jmp	loc_83FACE
; 

loc_83C1E4:				; DATA XREF: .text:006A6BC4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5B4h], eax
		mov	eax, 1
		retn
; 

loc_83C1F7:				; DATA XREF: .text:006A6BC8o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-374h]
		test	eax, eax
		jz	short loc_83C210
		push	dword ptr [ebp-358h]
		push	eax
		call	ObCloseHandle

loc_83C210:				; CODE XREF: PAGE:0083C202j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-5B4h]
		jmp	loc_83FACE
; 

loc_83C222:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB4Co
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	400h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83B7DA
		mov	dword ptr [ebp-4], 0Dh
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+0FCh]
		shr	eax, 1
		not	eax
		and	eax, 1
		mov	[ebx], eax
		test	edi, edi
		jz	short loc_83C280
		mov	dword ptr [edi], 4

loc_83C280:				; CODE XREF: PAGE:0083C278j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83C298:				; DATA XREF: .text:006A6BD0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5B8h], eax
		mov	eax, 1
		retn
; 

loc_83C2AB:				; DATA XREF: .text:006A6BD4o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-5B8h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83C2D2:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB24o
		mov	dword ptr [ebp-38Ch], 0
		cmp	ecx, 4
		jz	short loc_83C2EA
		cmp	ecx, 8
		jnz	loc_83DAA9

loc_83C2EA:				; CODE XREF: PAGE:0083C2DFj
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		lea	edx, [ebp-38Ch]
		mov	ecx, [ebp-354h]
		call	_ObGetProcessHandleCount@8 ; ObGetProcessHandleCount(x,x)
		mov	[ebp-3B8h], eax
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 0Eh
		mov	eax, [ebp-3B8h]
		mov	[ebx], eax
		cmp	dword ptr [ebp+14h], 4
		jz	loc_83D7B9
		mov	eax, [ebp-38Ch]
		mov	[ebx+4], eax
		jmp	loc_83D7B9
; 

loc_83C365:				; DATA XREF: .text:006A6BDCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5BCh], eax
		mov	eax, 1
		retn
; 

loc_83C378:				; DATA XREF: .text:006A6BE0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-5BCh]
		jmp	loc_83FACE
; 

loc_83C38D:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB0Co
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	410h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		push	edi
		mov	esi, [ebp+14h]
		push	esi
		mov	edx, ebx
		mov	ecx, [ebp-354h]
		call	_PspQueryLdtInformation@16 ; PspQueryLdtInformation(x,x,x,x)

loc_83C3CC:				; CODE XREF: PAGE:0083F3F8j
		mov	esi, eax

loc_83C3CE:				; CODE XREF: PAGE:0083D340j
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83C3E5:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB20o
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	400h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp-36Ch], eax
		test	eax, eax
		js	loc_83FACE
		mov	ecx, [ebp-354h]
		movzx	esi, byte ptr [ecx+0FFh]
		and	esi, 1
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 0Fh

loc_83C442:				; CODE XREF: PAGE:0083C4E3j
		mov	[ebx], esi
		test	edi, edi
		jz	short loc_83C44E
		mov	dword ptr [edi], 4

loc_83C44E:				; CODE XREF: PAGE:0083C446j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-36Ch]
		jmp	loc_83FACE
; 

loc_83C460:				; DATA XREF: .text:006A6BE8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5C0h], eax
		mov	eax, 1
		retn
; 

loc_83C473:				; DATA XREF: .text:006A6BECo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-5C0h]
		jmp	loc_83FACE
; 

loc_83C488:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB2Co
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp-36Ch], eax
		test	eax, eax
		js	loc_83FACE
		mov	ecx, [ebp-354h]
		mov	esi, [ecx+64h]
		shr	esi, 1
		and	esi, 1
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 10h
		jmp	loc_83C442
; 

loc_83C4E8:				; DATA XREF: .text:006A6BF4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5C4h], eax
		mov	eax, 1
		retn
; 

loc_83C4FB:				; DATA XREF: .text:006A6BF8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-5C4h]
		jmp	loc_83FACE
; 

loc_83C510:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB30o
		cmp	ecx, 24h
		jb	loc_83DAA9
		cmp	ecx, 28h
		jnz	short loc_83C574
		mov	dword ptr [ebp-4], 11h
		mov	eax, [ebx+24h]
		mov	[ebp-38Ch], eax
		mov	[ebp-3CCh], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		test	eax, 0FFFFFFFEh
		jz	short loc_83C587
		mov	eax, 0C000000Dh
		jmp	loc_83FACE
; 

loc_83C54C:				; DATA XREF: .text:006A6C00o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5C8h], eax
		mov	eax, 1
		retn
; 

loc_83C55F:				; DATA XREF: .text:006A6C04o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-5C8h]
		jmp	loc_83FACE
; 

loc_83C574:				; CODE XREF: PAGE:0083C51Cj
		cmp	ecx, 24h
		jnz	loc_83DAA9
		mov	dword ptr [ebp-38Ch], 0

loc_83C587:				; CODE XREF: PAGE:0083C540j
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	400h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		push	dword ptr [ebp-38Ch]
		mov	edx, ebx
		mov	ecx, [ebp-354h]
		call	ObQueryDeviceMapInformation
		mov	ebx, eax
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		test	ebx, ebx
		js	loc_83B64D
		test	edi, edi
		jz	loc_83B64D
		mov	dword ptr [ebp-4], 12h
		mov	esi, [ebp+14h]
		mov	[edi], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, ebx
		jmp	loc_83FACE
; 

loc_83C603:				; DATA XREF: .text:006A6C0Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-47Ch], eax
		mov	eax, 1
		retn
; 

loc_83C616:				; DATA XREF: .text:006A6C10o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-47Ch]
		jmp	loc_83FACE
; 

loc_83C62B:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB34o
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	ecx, [ebp-354h]
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		mov	esi, eax
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 13h
		mov	[ebx], esi
		mov	eax, [ebp-380h]
		test	eax, eax
		jz	loc_83D7C3
		mov	dword ptr [eax], 4
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	eax, eax
		jmp	loc_83FACE
; 

loc_83C6A9:				; DATA XREF: .text:006A6C18o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-480h], eax
		mov	eax, 1
		retn
; 

loc_83C6BC:				; DATA XREF: .text:006A6C1Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-480h]
		jmp	loc_83FACE
; 

loc_83C6D1:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB1Co
		cmp	ecx, 2
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	ecx, [ebp-354h]
		mov	al, [ecx+1BBh]
		mov	[ebp-3BFh], al
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 14h
		mov	ax, [ebp-3C0h]
		mov	[ebx], ax
		test	edi, edi
		jz	loc_83D7C3
		mov	dword ptr [edi], 2
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	eax, eax
		jmp	loc_83FACE
; 

loc_83C750:				; DATA XREF: .text:006A6C24o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-484h], eax
		mov	eax, 1
		retn
; 

loc_83C763:				; DATA XREF: .text:006A6C28o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-484h]
		jmp	loc_83FACE
; 

loc_83C778:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB38o
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 15h
		mov	dword ptr [ebx], 0
		jmp	loc_83D7B9
; 

loc_83C7D0:				; DATA XREF: .text:006A6C30o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-488h], eax
		mov	eax, 1
		retn
; 

loc_83C7E3:				; DATA XREF: .text:006A6C34o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-488h]
		jmp	loc_83FACE
; 

loc_83C7F8:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB40o
		cmp	ecx, 4
		jnz	loc_83DAA9
		mov	dword ptr [ebp-4], 16h
		mov	dword ptr [ebx], 1
		jmp	loc_83D7B9
; 

loc_83C813:				; DATA XREF: .text:006A6C3Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48Ch], eax
		mov	eax, 1
		retn
; 

loc_83C826:				; DATA XREF: .text:006A6C40o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-48Ch]
		jmp	loc_83FACE
; 

loc_83C83B:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB44o
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	ecx, [ebp-354h]
		mov	esi, [ecx+0FCh]
		shr	esi, 0Dh
		and	esi, 1
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 17h
		jmp	loc_83D7B7
; 

loc_83C899:				; DATA XREF: .text:006A6C48o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-490h], eax
		mov	eax, 1
		retn
; 

loc_83C8AC:				; DATA XREF: .text:006A6C4Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-490h]
		jmp	loc_83FACE
; 

loc_83C8C1:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB50o
		cmp	ecx, 8
		jb	loc_83DAA9
		mov	cl, [ebp-361h]
		call	_ExIsRestrictedCaller@4	; ExIsRestrictedCaller(x)
		test	eax, eax
		jnz	loc_83F5C9
		mov	ecx, [ebp+14h]
		lea	ecx, [ecx-8]
		mov	eax, 0CCCCCCCDh
		mul	ecx
		shr	edx, 6
		mov	[ebp-38Ch], edx
		lea	eax, [ebx+8]
		mov	[ebp-370h], eax
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	400h
		mov	eax, [ebp-360h]
		push	eax
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp-374h], esi
		test	esi, esi
		js	loc_83FACE
		mov	edi, [ebp-354h]
		mov	ecx, edi
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		mov	[ebp-36Ch], eax
		test	eax, eax
		jz	loc_83CB39
		mov	ecx, eax
		call	_ExReferenceHandleDebugInfo@4 ;	ExReferenceHandleDebugInfo(x)
		mov	ecx, eax
		mov	[ebp-368h], ecx
		test	ecx, ecx
		jz	loc_83CB1A
		mov	dword ptr [ebp-4], 18h
		mov	dword ptr [ebx+4], 0
		mov	eax, [ecx+2Ch]
		xor	edx, edx
		div	dword ptr [ecx+4]
		mov	[ebp-3ECh], edx
		xor	eax, eax

loc_83C987:				; CODE XREF: PAGE:0083CA45j
					; PAGE:0083CA71j
		mov	[ebp-3E8h], eax
		cmp	eax, [ecx+4]
		jnb	loc_83CA76
		lea	eax, [edx+edx*4]
		shl	eax, 4
		lea	esi, [ecx+30h]
		add	esi, eax
		mov	ecx, 14h
		lea	edi, [ebp-758h]
		rep movsd
		mov	eax, [ebx]
		cmp	eax, [ebp-750h]
		jz	short loc_83C9BC
		test	eax, eax
		jnz	short loc_83CA24

loc_83C9BC:				; CODE XREF: PAGE:0083C9B6j
		mov	esi, [ebp-74Ch]
		test	esi, esi
		jz	short loc_83CA24
		inc	dword ptr [ebx+4]
		mov	edi, [ebp-38Ch]
		test	edi, edi
		jz	short loc_83CA4A
		dec	edi
		mov	[ebp-38Ch], edi
		mov	[ebp-6A0h], edi
		mov	ecx, [ebp-370h]
		mov	eax, [ebp-750h]
		mov	[ecx], eax
		mov	eax, [ebp-758h]
		mov	[ecx+4], eax
		mov	eax, [ebp-754h]
		mov	[ecx+8], eax
		mov	eax, ecx
		mov	[eax+0Ch], esi
		lea	edi, [eax+10h]
		mov	ecx, 10h
		lea	esi, [ebp-748h]
		rep movsd
		add	eax, 50h
		mov	[ebp-370h], eax
		mov	[ebp-684h], eax

loc_83CA24:				; CODE XREF: PAGE:0083C9BAj
					; PAGE:0083C9C4j
		mov	esi, [ebp-374h]

loc_83CA2A:				; CODE XREF: PAGE:0083CA5Bj
		test	edx, edx
		jnz	short loc_83CA5D
		mov	ecx, [ebp-368h]
		mov	edx, [ecx+4]
		dec	edx
		mov	[ebp-3ECh], edx
		mov	eax, [ebp-3E8h]
		inc	eax
		jmp	loc_83C987
; 

loc_83CA4A:				; CODE XREF: PAGE:0083C9D1j
		mov	esi, 0C0000004h
		mov	[ebp-374h], esi
		mov	[ebp-35Ch], esi
		jmp	short loc_83CA2A
; 

loc_83CA5D:				; CODE XREF: PAGE:0083CA2Cj
		dec	edx
		mov	[ebp-3ECh], edx
		mov	ecx, [ebp-368h]
		mov	eax, [ebp-3E8h]
		inc	eax
		jmp	loc_83C987
; 

loc_83CA76:				; CODE XREF: PAGE:0083C990j
		mov	edi, [ebp-380h]
		test	edi, edi
		jz	short loc_83CA8A
		mov	eax, [ebp-370h]
		sub	eax, ebx
		mov	[edi], eax

loc_83CA8A:				; CODE XREF: PAGE:0083CA7Ej
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, ecx
		mov	ecx, [ebp-36Ch]
		call	_ExDereferenceHandleDebugInfo@8	; ExDereferenceHandleDebugInfo(x,x)
		mov	edi, [ebp-354h]
		mov	ecx, edi
		call	_ObDereferenceProcessHandleTable@4 ; ObDereferenceProcessHandleTable(x)
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83CABE:				; DATA XREF: .text:006A6C54o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-494h], eax
		mov	eax, 1
		retn
; 

loc_83CAD1:				; DATA XREF: .text:006A6C58o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-494h]
		mov	[ebp-35Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-368h]
		mov	edx, ecx
		mov	ecx, [ebp-36Ch]
		call	_ExDereferenceHandleDebugInfo@8	; ExDereferenceHandleDebugInfo(x,x)
		mov	edi, [ebp-354h]
		mov	ecx, edi
		call	_ObDereferenceProcessHandleTable@4 ; ObDereferenceProcessHandleTable(x)
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83CB1A:				; CODE XREF: PAGE:0083C963j
		mov	esi, 0C000000Dh
		mov	ecx, edi
		call	_ObDereferenceProcessHandleTable@4 ; ObDereferenceProcessHandleTable(x)
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83CB39:				; CODE XREF: PAGE:0083C94Cj
					; PAGE:0083E564j ...
		mov	esi, 0C000010Ah
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83CB51:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB58o
		cmp	ecx, 4
		jnz	loc_83DAA9
		cmp	esi, 0FFFFFFFFh
		jz	short loc_83CB94
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	400h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	eax, [ebp-354h]
		jmp	short loc_83CB99
; 

loc_83CB94:				; CODE XREF: PAGE:0083CB5Dj
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()

loc_83CB99:				; CODE XREF: PAGE:0083CB92j
		mov	[ebp-38Ch], eax
		lea	edx, [ebp-3E4h]
		mov	ecx, eax
		call	_KeGetExecuteOptions@8 ; KeGetExecuteOptions(x,x)
		mov	ecx, eax
		mov	[ebp-36Ch], ecx
		cmp	esi, 0FFFFFFFFh
		jz	short loc_83CBCF
		mov	edx, 79517350h
		mov	ecx, [ebp-38Ch]
		call	ObfDereferenceObjectWithTag
		mov	ecx, [ebp-36Ch]

loc_83CBCF:				; CODE XREF: PAGE:0083CBB7j
		test	ecx, ecx
		js	short loc_83CC1D
		mov	dword ptr [ebp-4], 19h
		mov	eax, [ebp-3E4h]
		mov	[ebx], eax
		test	edi, edi
		jz	short loc_83CC16
		mov	dword ptr [edi], 4
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, ecx
		jmp	loc_83FACE
; 

loc_83CBFA:				; DATA XREF: .text:006A6C60o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-498h], eax
		mov	eax, 1
		retn
; 

loc_83CC0D:				; DATA XREF: .text:006A6C64o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-498h]

loc_83CC16:				; CODE XREF: PAGE:0083CBE4j
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_83CC1D:				; CODE XREF: PAGE:0083B8C0j
					; PAGE:0083CBD1j ...
		mov	eax, ecx
		jmp	loc_83FACE
; 

loc_83CC24:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB5Co
		mov	dword ptr [ebp-418h], 0
		mov	dword ptr [ebp-414h], 0
		cmp	ecx, 4
		jnz	loc_83DAA9
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_83CC53
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	[ebp-354h], eax
		jmp	short loc_83CC8C
; 

loc_83CC53:				; CODE XREF: PAGE:0083CC44j
		mov	eax, ds:_PsProcessType
		mov	dword ptr [ebp-3BCh], 0
		push	0
		lea	ecx, [ebp-3BCh]
		push	ecx
		push	dword ptr [ebp-358h]
		push	eax
		push	20h
		push	esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, eax
		mov	eax, [ebp-3BCh]
		mov	[ebp-354h], eax
		test	ecx, ecx
		js	short loc_83CC1D

loc_83CC8C:				; CODE XREF: PAGE:0083CC51j
		xor	ecx, ecx
		mov	[ebp-35Ch], ecx

loc_83CC94:				; CODE XREF: PAGE:0083CD95j
		mov	[ebp-368h], ecx
		lea	ecx, [eax+164h]
		mov	[ebp-384h], ecx
		mov	ecx, [ecx]
		test	ecx, ecx
		jz	short loc_83CD14
		mov	dword ptr [ebp-4], 1Ah
		mov	[ebx], ecx
		test	edi, edi
		jz	short loc_83CCBF
		mov	dword ptr [edi], 4

loc_83CCBF:				; CODE XREF: PAGE:0083CCB7j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_83CCFD
; 

loc_83CCC8:				; DATA XREF: .text:006A6C6Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-49Ch], eax
		mov	eax, 1
		retn
; 

loc_83CCDB:				; DATA XREF: .text:006A6C70o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-49Ch]
		mov	[ebp-368h], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-354h]
		mov	esi, [ebp-360h]

loc_83CCFD:				; CODE XREF: PAGE:0083CCC6j
		cmp	esi, 0FFFFFFFFh
		jz	short loc_83CD09
		mov	ecx, eax
		call	ObfDereferenceObject

loc_83CD09:				; CODE XREF: PAGE:0083CD00j
		mov	eax, [ebp-368h]
		jmp	loc_83FACE
; 

loc_83CD14:				; CODE XREF: PAGE:0083CCAAj
		lea	eax, [ebp-418h]
		push	eax
		call	_KeQuerySystemTimePrecise@4 ; KeQuerySystemTimePrecise(x)
		mov	edi, large fs:20h
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	esi, eax
		mov	[ebp-644h], edx
		mov	ecx, 1
		call	ExGenRandom
		mov	ecx, eax
		rdtsc
		xor	ecx, eax
		mov	edx, [edi+3CF8h]
		xor	edx, ecx
		mov	ecx, [edi+590h]
		xor	ecx, [edi+4B4h]
		xor	ecx, [edi+4A0h]
		xor	ecx, esi
		xor	ecx, [ebp-414h]
		xor	ecx, [ebp-418h]
		xor	ecx, edx
		xor	eax, eax
		mov	edx, [ebp-384h]
		lock cmpxchg [edx], ecx
		mov	eax, [ebp-354h]
		mov	ecx, [ebp-35Ch]
		mov	edi, [ebp-380h]
		mov	esi, [ebp-360h]
		jmp	loc_83CC94
; 

loc_83CD9A:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB60o
		cmp	ecx, 30h
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83B7DA
		mov	eax, [ebp-398h]
		mov	edx, [ebp-354h]
		cmp	edx, [eax+150h]
		jz	short loc_83CE54
		mov	dword ptr [ebp-3BCh], 1
		lea	eax, [edx+0F0h]
		mov	[ebp-36Ch], eax
		mov	ecx, eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_83CE18
		mov	esi, 0C000010Ah
		mov	dword ptr [ebp-368h], 0
		jmp	short loc_83CE73
; 

loc_83CE18:				; CODE XREF: PAGE:0083CE05j
		mov	eax, [ebp-354h]
		mov	eax, [eax+15Ch]
		mov	[ebp-368h], eax
		test	eax, eax
		jz	short loc_83CE42
		mov	ecx, eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [ebp-36Ch]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_83CE73
; 

loc_83CE42:				; CODE XREF: PAGE:0083CE2Cj
		mov	esi, 0C000000Dh
		mov	ecx, [ebp-36Ch]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_83CE73
; 

loc_83CE54:				; CODE XREF: PAGE:0083CDE4j
		mov	eax, [edx+15Ch]
		mov	[ebp-368h], eax
		test	eax, eax
		jnz	short loc_83CE69
		mov	esi, 0C000010Ah

loc_83CE69:				; CODE XREF: PAGE:0083CE62j
		mov	dword ptr [ebp-3BCh], 0

loc_83CE73:				; CODE XREF: PAGE:0083CE16j
					; PAGE:0083CE40j ...
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		test	esi, esi
		js	short loc_83CEEE
		push	ebx
		push	1
		mov	ebx, [ebp-368h]
		push	ebx
		call	_MmGetSectionInformation@12 ; MmGetSectionInformation(x,x,x)
		mov	esi, eax
		cmp	dword ptr [ebp-3BCh], 0
		jz	short loc_83CEA8
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_83CEA8:				; CODE XREF: PAGE:0083CE9Fj
		test	esi, esi
		js	short loc_83CEEE
		test	edi, edi
		jz	short loc_83CEEE
		mov	dword ptr [ebp-4], 1Bh
		mov	dword ptr [edi], 30h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83CECB:				; DATA XREF: .text:006A6C78o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4A0h], eax
		mov	eax, 1
		retn
; 

loc_83CEDE:				; DATA XREF: .text:006A6C7Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-4A0h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_83CEEE:				; CODE XREF: PAGE:0083CE85j
					; PAGE:0083CEAAj ...
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83CEF5:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB54o
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp-35Ch], esi
		test	esi, esi
		js	loc_83B7DA
		mov	dword ptr [ebp-4], 1Ch
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+0FCh]
		shr	eax, 1Bh
		and	eax, 7
		mov	[ebx], eax
		test	edi, edi
		jz	short loc_83CF58
		mov	dword ptr [edi], 4

loc_83CF58:				; CODE XREF: PAGE:0083CF50j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83CF70:				; DATA XREF: .text:006A6C84o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4A4h], eax
		mov	eax, 1
		retn
; 

loc_83CF83:				; DATA XREF: .text:006A6C88o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-4A4h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83CFAA:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB64o
		cmp	ecx, 10h
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83B7DA
		lea	eax, [ebp-458h]
		push	eax
		push	dword ptr [ebp-354h]
		call	_PsQueryTotalCycleTimeProcess@8	; PsQueryTotalCycleTimeProcess(x,x)
		mov	dword ptr [ebp-4], 1Dh
		mov	[ebx], eax
		mov	[ebx+4], edx
		mov	eax, [ebp-458h]
		mov	[ebx+8], eax
		mov	eax, [ebp-454h]
		mov	[ebx+0Ch], eax
		test	edi, edi
		jz	short loc_83D03A
		mov	dword ptr [edi], 10h
		jmp	short loc_83D03A
; 

loc_83D01E:				; DATA XREF: .text:006A6C90o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4A8h], eax
		mov	eax, 1
		retn
; 

loc_83D031:				; DATA XREF: .text:006A6C94o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-4A8h]

loc_83D03A:				; CODE XREF: PAGE:0083D014j
					; PAGE:0083D01Cj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83D058:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB68o
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83B7DA
		mov	dword ptr [ebp-4], 1Eh
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+0F8h]
		shr	eax, 0Ch
		and	eax, 7
		mov	[ebx], eax
		test	edi, edi
		jz	short loc_83D0B5
		mov	dword ptr [edi], 4

loc_83D0B5:				; CODE XREF: PAGE:0083D0ADj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83D0CD:				; DATA XREF: .text:006A6C9Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4ACh], eax
		mov	eax, 1
		retn
; 

loc_83D0E0:				; DATA XREF: .text:006A6CA0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-4ACh]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83D107:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBB4o
		cmp	ecx, 28h
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	dword ptr [ebp-438h], 0
		mov	dword ptr [ebp-434h], 0
		mov	dword ptr [ebp-430h], 0
		mov	dword ptr [ebp-42Ch], 0
		mov	eax, [ebp-354h]
		cmp	dword ptr [eax+158h], 0
		jnz	short loc_83D190
		mov	esi, 0C00001AEh
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83D190:				; CODE XREF: PAGE:0083D172j
		lea	eax, [ebp-68h]
		push	eax
		push	dword ptr [ebp-354h]
		call	KeStackAttachProcess
		push	0
		push	28h
		lea	eax, [ebp-50h]
		push	eax
		push	1Ch
		push	0
		call	_ZwQueryInformationJobObject@20	; ZwQueryInformationJobObject(x,x,x,x,x)
		push	0
		push	78h
		lea	eax, [ebp-110h]
		push	eax
		push	9
		push	0
		call	_ZwQueryInformationJobObject@20	; ZwQueryInformationJobObject(x,x,x,x,x)
		lea	eax, [ebp-68h]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		mov	eax, [ebp-50h]
		mov	[ebp-448h], eax
		mov	eax, [ebp-4Ch]
		mov	[ebp-444h], eax
		mov	eax, [ebp-48h]
		mov	[ebp-440h], eax
		mov	eax, [ebp-44h]
		mov	[ebp-43Ch], eax
		mov	eax, [ebp-40h]
		mov	[ebp-450h], eax
		mov	eax, [ebp-3Ch]
		mov	[ebp-44Ch], eax
		mov	ecx, [ebp-100h]
		test	ecx, 200000h
		jz	short loc_83D227
		mov	eax, [ebp-0A0h]
		mov	[ebp-430h], eax
		mov	dword ptr [ebp-42Ch], 0

loc_83D227:				; CODE XREF: PAGE:0083D20Fj
		test	ecx, 200h
		jz	short loc_83D245
		mov	eax, [ebp-0ACh]
		mov	[ebp-438h], eax
		mov	dword ptr [ebp-434h], 0

loc_83D245:				; CODE XREF: PAGE:0083D22Dj
		mov	dword ptr [ebp-4], 1Fh
		mov	ecx, 0Ah
		lea	esi, [ebp-450h]
		mov	edi, ebx
		rep movsd
		mov	eax, [ebp-380h]
		test	eax, eax
		jz	short loc_83D26B
		mov	dword ptr [eax], 28h

loc_83D26B:				; CODE XREF: PAGE:0083D263j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83D28B:				; DATA XREF: .text:006A6CA8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4B0h], eax
		mov	eax, 1
		retn
; 

loc_83D29E:				; DATA XREF: .text:006A6CACo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-4B0h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83D2C5:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB70o
		mov	dword ptr [ebp-3E0h], 0
		cmp	ecx, 4
		jnz	loc_83DAA9
		mov	dword ptr [ebp-4], 20h
		mov	edi, [ebx]
		mov	[ebp-688h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		mov	ebx, [ebp-358h]
		push	ebx
		mov	eax, ds:_PsProcessType
		push	eax
		push	400h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		push	0
		lea	eax, [ebp-3A4h]
		push	eax
		push	79517350h
		push	ebx
		mov	eax, ds:_IoFileObjectType
		push	eax
		push	100020h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83C3CE
		lea	eax, [ebp-3E0h]
		push	eax
		mov	esi, [ebp-354h]
		push	esi
		call	_PsReferenceProcessFilePointer@8 ; PsReferenceProcessFilePointer(x,x)
		mov	edi, eax
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	ecx, [ebp-3A4h]
		test	edi, edi
		js	loc_83DB61
		mov	ebx, [ecx+14h]
		mov	esi, [ebp-3E0h]
		mov	edi, [esi+14h]
		mov	eax, ebx
		sub	eax, edi
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000001h
		mov	[ebp-36Ch], eax
		call	ObfDereferenceObject
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	ecx, [ebp-36Ch]
		mov	edx, ecx
		cmp	ebx, edi
		jnz	short loc_83D3F4
		mov	eax, [ebp-380h]
		test	eax, eax
		jz	short loc_83D3F4
		mov	dword ptr [ebp-4], 21h
		mov	dword ptr [eax], 0
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, edx
		jmp	loc_83FACE
; 

loc_83D3D1:				; DATA XREF: .text:006A6CC0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4B4h], eax
		mov	eax, 1
		retn
; 

loc_83D3E4:				; DATA XREF: .text:006A6CC4o
		mov	esp, [ebp-18h]
		mov	edx, [ebp-4B4h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_83D3F4:				; CODE XREF: PAGE:0083D3AAj
					; PAGE:0083D3B4j
		mov	eax, edx
		jmp	loc_83FACE
; 

loc_83D3FB:				; DATA XREF: .text:006A6CB4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4B8h], eax
		mov	eax, 1
		retn
; 

loc_83D40E:				; DATA XREF: .text:006A6CB8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4B8h]
		jmp	loc_83FACE
; 

loc_83D423:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB74o
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	eax, [ebp-354h]
		mov	eax, [eax+0F8h]
		mov	[ebp-3CCh], eax
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp-3CCh]
		shr	eax, 13h
		and	eax, 1
		test	dword ptr [ebp-3CCh], 40000h
		jz	short loc_83D496
		or	eax, 2

loc_83D496:				; CODE XREF: PAGE:0083D491j
		mov	dword ptr [ebp-4], 22h
		mov	[ebx], eax
		jmp	loc_83D7B9
; 

loc_83D4A4:				; DATA XREF: .text:006A6CCCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4BCh], eax
		mov	eax, 1
		retn
; 

loc_83D4B7:				; DATA XREF: .text:006A6CD0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4BCh]
		jmp	loc_83FACE
; 

loc_83D4CC:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB28o
		cmp	ecx, 4
		jz	short loc_83D4DA
		cmp	ecx, 0Ch
		jnz	loc_83DAA9

loc_83D4DA:				; CODE XREF: PAGE:0083D4CFj
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp-36Ch], eax
		test	eax, eax
		js	loc_83FACE
		call	_MmGetMinWsPagePriority@0 ; MmGetMinWsPagePriority()
		mov	[ebp-394h], eax
		lea	ecx, [eax-1]
		test	ecx, eax
		jz	short loc_83D53B

loc_83D51F:				; CODE XREF: PAGE:0083D55Dj
		mov	esi, 0C000000Dh
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83D53B:				; CODE XREF: PAGE:0083D51Dj
		push	0
		lea	eax, [ebp-394h]
		push	eax
		lea	edx, [ebp-74h]
		mov	ecx, [ebp-354h]
		call	_KeQueryAffinityProcess@16 ; KeQueryAffinityProcess(x,x,x,x)
		mov	ecx, [ebp-394h]
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	short loc_83D51F
		bsf	ecx, ecx
		mov	eax, [ebp+ecx*4-6Ch]
		mov	dword ptr [ebp-4], 23h
		mov	esi, [ebp+14h]
		cmp	esi, 0Ch
		jnz	short loc_83D579
		mov	[ebx+4], cx

loc_83D579:				; CODE XREF: PAGE:0083D573j
		mov	[ebx], eax
		test	edi, edi
		jz	short loc_83D581
		mov	[edi], esi

loc_83D581:				; CODE XREF: PAGE:0083D57Dj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-36Ch]
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83D5A5:				; DATA XREF: .text:006A6CD8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4C0h], eax
		mov	eax, 1
		retn
; 

loc_83D5B8:				; DATA XREF: .text:006A6CDCo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-4C0h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83D5DF:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB7Co
		test	edi, edi
		jz	loc_83FA02
		test	cl, 1
		jnz	loc_83FA02
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		call	_MmGetMinWsPagePriority@0 ; MmGetMinWsPagePriority()
		mov	[ebp-394h], eax
		mov	dword ptr [ebp-4], 24h
		mov	ecx, [ebp-370h]
		mov	esi, [ebp+14h]
		jmp	short loc_83D640
; 
		align 10h

loc_83D640:				; CODE XREF: PAGE:0083D638j
					; PAGE:0083D66Dj
		bsf	eax, eax
		add	ecx, 2
		mov	[ebp-370h], ecx
		cmp	ecx, esi
		ja	short loc_83D65C
		mov	[ebx], ax
		add	ebx, 2
		mov	[ebp-68Ch], ebx

loc_83D65C:				; CODE XREF: PAGE:0083D64Ej
		lea	edx, [ebp-394h]
		btr	[edx], eax
		mov	eax, [ebp-394h]
		test	eax, eax
		jnz	short loc_83D640
		mov	[edi], ecx
		cmp	esi, ecx
		sbb	esi, esi
		and	esi, 0C0000023h
		jmp	short loc_83D699
; 

loc_83D67D:				; DATA XREF: .text:006A6CE4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4C4h], eax
		mov	eax, 1
		retn
; 

loc_83D690:				; DATA XREF: .text:006A6CE8o
		mov	esi, [ebp-4C4h]

loc_83D696:				; CODE XREF: PAGE:0083F3B4j
		mov	esp, [ebp-18h]

loc_83D699:				; CODE XREF: PAGE:0083D67Bj
					; PAGE:0083F396j
		mov	[ebp-35Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83D6BD:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB78o
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	eax, [ebp-354h]
		mov	eax, [eax+0FCh]
		mov	[ebp-3CCh], eax
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	ecx, [ebp-3CCh]
		and	ecx, 200000h
		mov	dword ptr [ebp-4], 25h
		xor	eax, eax
		test	ecx, ecx
		setnz	al
		mov	[ebx], eax
		jmp	loc_83D7B9
; 

loc_83D736:				; DATA XREF: .text:006A6CF0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4C8h], eax
		mov	eax, 1
		retn
; 

loc_83D749:				; DATA XREF: .text:006A6CF4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4C8h]
		jmp	loc_83FACE
; 

loc_83D75E:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB80o
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	eax, [ebp-354h]
		mov	esi, [eax+178h]
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	dword ptr [ebp-4], 26h

loc_83D7B7:				; CODE XREF: PAGE:0083BB66j
					; PAGE:0083C10Cj ...
		mov	[ebx], esi

loc_83D7B9:				; CODE XREF: PAGE:0083C351j
					; PAGE:0083C360j ...
		test	edi, edi
		jz	short loc_83D7C3
		mov	dword ptr [edi], 4

loc_83D7C3:				; CODE XREF: PAGE:0083BEC8j
					; PAGE:0083C68Fj ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	eax, eax
		jmp	loc_83FACE
; 

loc_83D7D1:				; DATA XREF: .text:006A6CFCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4CCh], eax
		mov	eax, 1
		retn
; 

loc_83D7E4:				; DATA XREF: .text:006A6D00o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4CCh]
		jmp	loc_83FACE
; 

loc_83D7F9:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB84o
		xor	eax, eax
		mov	[ebp-98h], eax
		mov	[ebp-94h], eax
		mov	[ebp-90h], eax
		mov	[ebp-8Ch], eax
		mov	[ebp-88h], eax
		mov	[ebp-84h], eax
		mov	[ebp-3F0h], eax
		mov	[ebp-3DCh], eax
		mov	[ebp-3D8h], eax
		mov	[ebp-378h], eax
		cmp	byte ptr [ebp-361h], 1
		jz	short loc_83D84A
		mov	eax, 0C0000001h
		jmp	loc_83FACE
; 

loc_83D84A:				; CODE XREF: PAGE:0083D83Ej
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	1
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp-35Ch], eax
		test	eax, eax
		js	loc_83FACE
		mov	esi, [ebp-354h]
		lea	ecx, [esi+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_83D8AC
		mov	esi, 0C000010Ah
		mov	edi, [ebp-354h]
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83D8AC:				; CODE XREF: PAGE:0083D88Cj
		lea	eax, [ebp-98h]
		push	eax
		push	esi
		call	KeStackAttachProcess
		mov	dword ptr [ebp-4], 27h
		mov	eax, [esi+17Ch]
		mov	eax, [eax+10h]
		mov	[ebp-39Ch], eax
		add	eax, 68h
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_83D8DE
		mov	eax, ecx

loc_83D8DE:				; CODE XREF: PAGE:0083D8DAj
		nop
		mov	eax, [eax]
		mov	[ebp-3F0h], eax
		mov	dword ptr [ebp-420h], 0
		mov	dword ptr [ebp-41Ch], 0
		mov	ecx, [ebp-39Ch]
		add	ecx, 70h
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_83D90F
		mov	ecx, eax

loc_83D90F:				; CODE XREF: PAGE:0083D90Bj
		nop
		mov	eax, [ecx]
		mov	[ebp-420h], eax
		mov	eax, [ecx+4]
		mov	[ebp-41Ch], eax
		mov	ecx, [ebp-420h]
		mov	[ebp-39Ch], ecx
		mov	[ebp-3DCh], ecx
		mov	[ebp-3D8h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-35Ch]
		mov	[ebp-374h], eax
		jmp	short loc_83D98F
; 

loc_83D94E:				; DATA XREF: .text:006A6D08o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4D0h], eax
		mov	eax, 1
		retn
; 

loc_83D961:				; DATA XREF: .text:006A6D0Co
		mov	esp, [ebp-18h]
		mov	eax, [ebp-4D0h]
		mov	[ebp-374h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-3DCh]
		mov	[ebp-39Ch], ecx
		mov	ebx, [ebp-3A0h]
		mov	edi, [ebp-3C4h]

loc_83D98F:				; CODE XREF: PAGE:0083D94Cj
		mov	esi, [ebp+14h]
		lea	eax, [ebp-98h]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		cmp	dword ptr [ebp-374h], 0
		jl	loc_83DA62
		mov	dword ptr [ebp-4], 28h
		mov	ecx, [ebp-39Ch]
		movzx	eax, cx
		add	eax, 6
		test	edi, edi
		jz	short loc_83D9C4
		mov	[edi], eax

loc_83D9C4:				; CODE XREF: PAGE:0083D9C0j
		cmp	esi, eax
		jnb	short loc_83D9DC
		mov	esi, 0C0000004h
		mov	[ebp-35Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_83DA2C
; 

loc_83D9DC:				; CODE XREF: PAGE:0083D9C6j
		mov	eax, [ebp-3F0h]
		mov	[ebx], eax
		mov	[ebx+4], cx
		mov	esi, [ebp-374h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_83DA2C
; 

loc_83D9F7:				; DATA XREF: .text:006A6D14o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4D4h], eax
		mov	eax, 1
		retn
; 

loc_83DA0A:				; DATA XREF: .text:006A6D18o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-4D4h]
		mov	[ebp-35Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-3DCh]
		mov	ebx, [ebp-3A0h]

loc_83DA2C:				; CODE XREF: PAGE:0083D9DAj
					; PAGE:0083D9F5j
		test	esi, esi
		js	short loc_83DA68
		test	cx, cx
		jz	short loc_83DA68
		lea	eax, [ebp-378h]
		push	eax
		push	1
		movzx	eax, cx
		push	eax
		lea	eax, [ebx+6]
		push	eax
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		push	eax
		push	dword ptr [ebp-3D8h]
		mov	edi, [ebp-354h]
		push	edi
		call	MmCopyVirtualMemory
		mov	esi, eax
		jmp	short loc_83DA6E
; 

loc_83DA62:				; CODE XREF: PAGE:0083D9A5j
		mov	esi, [ebp-374h]

loc_83DA68:				; CODE XREF: PAGE:0083DA2Ej
					; PAGE:0083DA33j
		mov	edi, [ebp-354h]

loc_83DA6E:				; CODE XREF: PAGE:0083DA60j
		lea	ecx, [edi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83DA8C:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB88o
		cmp	ecx, 8
		jnb	short loc_83DADB
		test	edi, edi
		jz	short loc_83DAA9
		mov	dword ptr [ebp-4], 29h

loc_83DA9C:				; CODE XREF: PAGE:0083F9D0j
		mov	dword ptr [edi], 8
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_83DAA9:				; CODE XREF: PAGE:0083B873j
					; PAGE:0083BB16j ...
		mov	eax, 0C0000004h
		jmp	loc_83FACE
; 

loc_83DAB3:				; DATA XREF: .text:006A6D20o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4DCh], eax
		mov	eax, 1
		retn
; 

loc_83DAC6:				; DATA XREF: .text:006A6D24o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4DCh]
		jmp	loc_83FACE
; 

loc_83DADB:				; CODE XREF: PAGE:0083DA8Fj
		mov	eax, ds:_PsProcessType
		mov	dword ptr [ebp-3C8h], 0
		push	0
		lea	ecx, [ebp-3C8h]
		push	ecx
		push	dword ptr [ebp-358h]
		push	eax
		push	400h
		push	esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	eax, [ebp-398h]
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp-3C8h]
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jnz	short loc_83DB37
		mov	edi, 0C000010Ah
		mov	esi, [ebp-3C8h]
		jmp	short loc_83DB54
; 

loc_83DB37:				; CODE XREF: PAGE:0083DB28j
		push	edi
		mov	esi, [ebp+14h]
		push	esi
		mov	edx, ebx
		mov	ecx, eax
		call	ExQueryProcessHandleInformation
		mov	edi, eax
		mov	esi, [ebp-3C8h]
		mov	ecx, esi
		call	_ObDereferenceProcessHandleTable@4 ; ObDereferenceProcessHandleTable(x)

loc_83DB54:				; CODE XREF: PAGE:0083DB35j
		mov	ecx, [ebp-398h]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, esi

loc_83DB61:				; CODE XREF: PAGE:0083D36Fj
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	loc_83FACE
; 

loc_83DB6D:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB8Co
		mov	dword ptr [ebp-3A8h], 0
		mov	byte ptr [ebp-37Ah], 0
		mov	byte ptr [ebp-37Bh], 0
		cmp	ecx, 8
		jnz	loc_83DAA9
		mov	dword ptr [ebp-4], 2Ah
		mov	edi, [ebx]
		mov	[ebp-698h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	esi, 0FFFFFFFFh
		jz	short loc_83DBD7
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_83DBE2
		jmp	loc_83FACE
; 

loc_83DBD7:				; CODE XREF: PAGE:0083DBA7j
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	[ebp-354h], eax

loc_83DBE2:				; CODE XREF: PAGE:0083DBD0j
		lea	eax, [edi-1]	; switch 16 cases
		cmp	eax, 0Fh
		ja	loc_83E4BF	; default
		jmp	ds:off_83FC64[eax*4] ; switch jump

loc_83DBF5:				; DATA XREF: PAGE:off_83FC64o
		mov	dword ptr [ebp-35Ch], 0	; case 0x1
		mov	dword ptr [ebp-4], 2Bh
		mov	dword ptr [ebx+4], 0
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+490h]
		test	al, 40h
		jnz	short loc_83DC2C
		mov	eax, [ebx+4]
		or	eax, 1
		mov	[ebx+4], eax
		mov	eax, [ecx+490h]

loc_83DC2C:				; CODE XREF: PAGE:0083DC1Bj
		test	al, 10h
		jz	short loc_83DC3F
		mov	eax, [ebx+4]
		or	eax, 2
		mov	[ebx+4], eax
		mov	eax, [ecx+490h]

loc_83DC3F:				; CODE XREF: PAGE:0083DC2Ej
		test	al, 20h
		jz	short loc_83DC52
		mov	eax, [ebx+4]
		or	eax, 4
		mov	[ebx+4], eax
		mov	eax, [ecx+490h]

loc_83DC52:				; CODE XREF: PAGE:0083DC41j
		test	al, 8

loc_83DC54:				; CODE XREF: PAGE:0083DDC5j
					; PAGE:0083E48Fj
		jz	short loc_83DC5F
		mov	eax, [ebx+4]
		or	eax, 8
		mov	[ebx+4], eax

loc_83DC5F:				; CODE XREF: PAGE:loc_83DC54j
					; PAGE:0083DE5Cj ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83DC6B:				; DATA XREF: .text:006A6D38o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4E0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83DC7E:				; DATA XREF: .text:006A6D3Co
		mov	esp, [ebp-18h]
		mov	eax, [ebp-4E0h]
		mov	[ebp-35Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83DC99:				; CODE XREF: PAGE:0083DBEEj
					; DATA XREF: PAGE:off_83FC64o
		mov	dword ptr [ebp-35Ch], 0	; case 0x3
		mov	ecx, [ebp-354h]
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jz	loc_83DD4C
		lea	ecx, [ebp-37Bh]
		push	ecx
		lea	edx, [ebp-37Ah]
		mov	ecx, eax
		call	ExQueryHandleExceptionsPermanency
		mov	dword ptr [ebp-4], 2Ch
		mov	dword ptr [ebx+4], 0
		cmp	byte ptr [ebp-37Ah], 0
		jz	short loc_83DCEA
		mov	eax, [ebx+4]
		or	eax, 1
		mov	[ebx+4], eax

loc_83DCEA:				; CODE XREF: PAGE:0083DCDFj
		cmp	byte ptr [ebp-37Bh], 0
		jz	short loc_83DD35
		mov	eax, [ebx+4]
		or	eax, 2
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		call	_ObDereferenceProcessHandleTable@4 ; ObDereferenceProcessHandleTable(x)
		jmp	loc_83E4C9
; 

loc_83DD13:				; DATA XREF: .text:006A6D44o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4E4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83DD26:				; DATA XREF: .text:006A6D48o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-4E4h]
		mov	[ebp-35Ch], eax

loc_83DD35:				; CODE XREF: PAGE:0083DCF1j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		call	_ObDereferenceProcessHandleTable@4 ; ObDereferenceProcessHandleTable(x)
		jmp	loc_83E4C9
; 

loc_83DD4C:				; CODE XREF: PAGE:0083DCB0j
		mov	dword ptr [ebp-35Ch], 0C000010Ah
		jmp	loc_83E4C9
; 

loc_83DD5B:				; CODE XREF: PAGE:0083DBEEj
					; DATA XREF: PAGE:off_83FC64o
		mov	dword ptr [ebp-35Ch], 0	; case 0x4
		mov	dword ptr [ebp-4], 2Dh
		mov	dword ptr [ebx+4], 0
		mov	eax, [ebp-354h]
		mov	eax, [eax+490h]
		test	eax, 1000h
		jz	short loc_83DD8E
		mov	eax, [ebx+4]
		or	eax, 1
		jmp	short loc_83DD9B
; 

loc_83DD8E:				; CODE XREF: PAGE:0083DD84j
		test	eax, 2000h
		jz	short loc_83DD9E
		mov	eax, [ebx+4]
		or	eax, 2

loc_83DD9B:				; CODE XREF: PAGE:0083DD8Cj
		mov	[ebx+4], eax

loc_83DD9E:				; CODE XREF: PAGE:0083DD93j
		mov	eax, [ebp-354h]
		mov	eax, [eax+4D0h]
		test	al, 2
		jz	short loc_83DDC3
		mov	eax, [ebx+4]
		or	eax, 4
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83DDC3:				; CODE XREF: PAGE:0083DDACj
		test	al, 4
		jmp	loc_83DC54
; 

loc_83DDCA:				; DATA XREF: .text:006A6D50o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4E8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83DDDD:				; DATA XREF: .text:006A6D54o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-4E8h]
		mov	[ebp-35Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83DDF8:				; CODE XREF: PAGE:0083DBEEj
					; DATA XREF: PAGE:off_83FC64o
		mov	dword ptr [ebp-35Ch], 0	; case 0x2
		mov	dword ptr [ebp-4], 2Eh
		mov	dword ptr [ebx+4], 0
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+490h]
		test	eax, 100h
		jz	short loc_83DE2B
		mov	eax, [ebx+4]
		or	eax, 1
		jmp	short loc_83DE38
; 

loc_83DE2B:				; CODE XREF: PAGE:0083DE21j
		test	eax, 800h
		jz	short loc_83DE3B
		mov	eax, [ebx+4]
		or	eax, 8

loc_83DE38:				; CODE XREF: PAGE:0083DE29j
		mov	[ebx+4], eax

loc_83DE3B:				; CODE XREF: PAGE:0083DE30j
		mov	eax, [ecx+490h]
		test	eax, 200h
		jz	short loc_83DE57
		mov	eax, [ebx+4]
		or	eax, 2
		mov	[ebx+4], eax
		mov	eax, [ecx+490h]

loc_83DE57:				; CODE XREF: PAGE:0083DE46j
		test	eax, 400h
		jz	loc_83DC5F
		mov	eax, [ebx+4]
		or	eax, 4
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83DE77:				; DATA XREF: .text:006A6D5Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4ECh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83DE8A:				; DATA XREF: .text:006A6D60o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-4ECh]
		mov	[ebp-35Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83DEA5:				; CODE XREF: PAGE:0083DBEEj
					; DATA XREF: PAGE:off_83FC64o
		mov	dword ptr [ebp-35Ch], 0	; case 0x6
		mov	dword ptr [ebp-4], 2Fh
		mov	dword ptr [ebx+4], 0
		mov	eax, [ebp-354h]
		test	byte ptr [eax+490h], 80h
		jz	loc_83DC5F

loc_83DED0:				; CODE XREF: PAGE:0083E3CFj
		mov	eax, [ebx+4]
		or	eax, 1
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83DEE5:				; DATA XREF: .text:006A6D68o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4F0h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83DEF8:				; DATA XREF: .text:006A6D6Co
		mov	esp, [ebp-18h]
		mov	eax, [ebp-4F0h]
		mov	[ebp-35Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83DF13:				; CODE XREF: PAGE:0083DBEEj
					; DATA XREF: PAGE:off_83FC64o
		mov	dword ptr [ebp-35Ch], 0	; case 0x7
		mov	dword ptr [ebp-4], 30h
		mov	dword ptr [ebx+4], 0
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+490h]
		test	al, 1
		jz	short loc_83DF4A
		mov	eax, [ebx+4]
		or	eax, 1
		mov	[ebx+4], eax
		mov	eax, [ecx+490h]

loc_83DF4A:				; CODE XREF: PAGE:0083DF39j
		test	al, 2
		jz	short loc_83DF5D
		mov	eax, [ebx+4]
		or	eax, 2
		mov	[ebx+4], eax
		mov	eax, [ecx+490h]

loc_83DF5D:				; CODE XREF: PAGE:0083DF4Cj
		test	al, 4
		jz	loc_83DC5F
		mov	eax, [ebx+4]
		or	eax, 4
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83DF7A:				; DATA XREF: .text:006A6D74o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4F4h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83DF8D:				; DATA XREF: .text:006A6D78o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-4F4h]
		mov	[ebp-35Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83DFA8:				; CODE XREF: PAGE:0083DBEEj
					; DATA XREF: PAGE:off_83FC64o
		mov	dword ptr [ebp-35Ch], 0	; case 0x8
		lea	eax, [ebp-3A8h]
		push	eax
		push	dword ptr [ebp-354h]
		call	_PsQueryProcessSignatureMitigationPolicy@8 ; PsQueryProcessSignatureMitigationPolicy(x,x)
		mov	dword ptr [ebp-4], 31h
		mov	eax, [ebp-3A8h]
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83DFE0:				; DATA XREF: .text:006A6D80o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4F8h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83DFF3:				; DATA XREF: .text:006A6D84o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-4F8h]
		mov	[ebp-35Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E00E:				; CODE XREF: PAGE:0083DBEEj
					; DATA XREF: PAGE:off_83FC64o
		mov	dword ptr [ebp-35Ch], 0	; case 0x9
		mov	dword ptr [ebp-4], 32h
		mov	dword ptr [ebx+4], 0
		mov	eax, [ebp-354h]
		mov	eax, [eax+490h]
		test	eax, 10000h
		jz	short loc_83E04E
		mov	eax, [ebx+4]
		or	eax, 1
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E04E:				; CODE XREF: PAGE:0083E037j
		test	eax, 20000h
		jz	loc_83DC5F
		mov	eax, [ebx+4]
		or	eax, 2
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E06E:				; DATA XREF: .text:006A6D8Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4FCh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83E081:				; DATA XREF: .text:006A6D90o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-4FCh]
		mov	[ebp-35Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E09C:				; CODE XREF: PAGE:0083DBEEj
					; DATA XREF: PAGE:off_83FC64o
		mov	dword ptr [ebp-35Ch], 0	; case 0xA
		mov	dword ptr [ebp-4], 33h
		mov	dword ptr [ebx+4], 0
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+490h]
		test	eax, 80000h
		jz	short loc_83E0CF
		mov	eax, [ebx+4]
		or	eax, 1
		jmp	short loc_83E0DC
; 

loc_83E0CF:				; CODE XREF: PAGE:0083E0C5j
		test	eax, 100000h
		jz	short loc_83E0DF
		mov	eax, [ebx+4]
		or	eax, 8

loc_83E0DC:				; CODE XREF: PAGE:0083E0CDj
		mov	[ebx+4], eax

loc_83E0DF:				; CODE XREF: PAGE:0083E0D4j
		mov	eax, [ecx+490h]
		test	eax, 200000h
		jz	short loc_83E0F4
		mov	eax, [ebx+4]
		or	eax, 2
		jmp	short loc_83E101
; 

loc_83E0F4:				; CODE XREF: PAGE:0083E0EAj
		test	eax, 400000h
		jz	short loc_83E104
		mov	eax, [ebx+4]
		or	eax, 10h

loc_83E101:				; CODE XREF: PAGE:0083E0F2j
		mov	[ebx+4], eax

loc_83E104:				; CODE XREF: PAGE:0083E0F9j
		test	dword ptr [ecx+490h], 40000h
		jz	loc_83DC5F
		mov	eax, [ebx+4]
		or	eax, 4
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E129:				; DATA XREF: .text:006A6D98o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-500h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83E13C:				; DATA XREF: .text:006A6D9Co
		mov	esp, [ebp-18h]
		mov	eax, [ebp-500h]
		mov	[ebp-35Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E157:				; CODE XREF: PAGE:0083DBEEj
					; DATA XREF: PAGE:off_83FC64o
		mov	dword ptr [ebp-35Ch], 0	; case 0xB
		mov	dword ptr [ebp-4], 34h
		mov	dword ptr [ebx+4], 0
		call	_PsGetWin32KFilterSet@0	; PsGetWin32KFilterSet()
		mov	ecx, [ebx+4]
		and	ecx, 0FFFFFFF0h
		and	eax, 0Fh
		or	ecx, eax
		mov	[ebx+4], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E18E:				; DATA XREF: .text:006A6DA4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-504h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83E1A1:				; DATA XREF: .text:006A6DA8o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-504h]
		mov	[ebp-35Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E1BC:				; CODE XREF: PAGE:0083DBEEj
					; DATA XREF: PAGE:off_83FC64o
		mov	dword ptr [ebp-35Ch], 0	; case 0xC
		mov	dword ptr [ebp-4], 35h
		mov	dword ptr [ebx+4], 0
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+494h]
		test	al, 1
		jz	short loc_83E1F3
		mov	eax, [ebx+4]
		or	eax, 1
		mov	[ebx+4], eax
		mov	eax, [ecx+494h]

loc_83E1F3:				; CODE XREF: PAGE:0083E1E2j
		test	al, 4
		jz	short loc_83E206
		mov	eax, [ebx+4]
		or	eax, 4
		mov	[ebx+4], eax
		mov	eax, [ecx+494h]

loc_83E206:				; CODE XREF: PAGE:0083E1F5j
		test	eax, 400h
		jz	short loc_83E21C
		mov	eax, [ebx+4]
		or	eax, 10h
		mov	[ebx+4], eax
		mov	eax, [ecx+494h]

loc_83E21C:				; CODE XREF: PAGE:0083E20Bj
		test	al, 10h
		jz	short loc_83E22F
		mov	eax, [ebx+4]
		or	eax, 40h
		mov	[ebx+4], eax
		mov	eax, [ecx+494h]

loc_83E22F:				; CODE XREF: PAGE:0083E21Ej
		test	al, 40h
		jz	short loc_83E244
		mov	eax, [ebx+4]
		or	eax, 100h
		mov	[ebx+4], eax
		mov	eax, [ecx+494h]

loc_83E244:				; CODE XREF: PAGE:0083E231j
		test	eax, 100h
		jz	short loc_83E25C
		mov	eax, [ebx+4]
		or	eax, 400h
		mov	[ebx+4], eax
		mov	eax, [ecx+494h]

loc_83E25C:				; CODE XREF: PAGE:0083E249j
		test	al, 2
		jz	short loc_83E26F
		mov	eax, [ebx+4]
		or	eax, 2
		mov	[ebx+4], eax
		mov	eax, [ecx+494h]

loc_83E26F:				; CODE XREF: PAGE:0083E25Ej
		test	al, 8
		jz	short loc_83E282
		mov	eax, [ebx+4]
		or	eax, 8
		mov	[ebx+4], eax
		mov	eax, [ecx+494h]

loc_83E282:				; CODE XREF: PAGE:0083E271j
		test	eax, 800h
		jz	short loc_83E298
		mov	eax, [ebx+4]
		or	eax, 20h
		mov	[ebx+4], eax
		mov	eax, [ecx+494h]

loc_83E298:				; CODE XREF: PAGE:0083E287j
		test	al, 20h
		jz	short loc_83E2AD
		mov	eax, [ebx+4]
		or	eax, 80h
		mov	[ebx+4], eax
		mov	eax, [ecx+494h]

loc_83E2AD:				; CODE XREF: PAGE:0083E29Aj
		test	al, al
		jns	short loc_83E2C2
		mov	eax, [ebx+4]
		or	eax, 200h
		mov	[ebx+4], eax
		mov	eax, [ecx+494h]

loc_83E2C2:				; CODE XREF: PAGE:0083E2AFj
		test	eax, 200h
		jz	loc_83DC5F
		mov	eax, [ebx+4]
		or	eax, 800h
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E2E4:				; DATA XREF: .text:006A6DB0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-508h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83E2F7:				; DATA XREF: .text:006A6DB4o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-508h]
		mov	[ebp-35Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E312:				; CODE XREF: PAGE:0083DBEEj
					; DATA XREF: PAGE:off_83FC64o
		mov	dword ptr [ebp-35Ch], 0	; case 0xD
		mov	ecx, [ebp-354h]
		call	PspGetNoChildProcessRestrictedPolicy
		mov	dword ptr [ebp-4], 36h
		mov	dword ptr [ebx+4], 0
		sub	eax, 1
		jz	short loc_83E366
		sub	eax, 1
		jz	short loc_83E35D
		sub	eax, 1
		jnz	loc_83DC5F
		mov	eax, [ebx+4]
		or	eax, 2
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E35D:				; CODE XREF: PAGE:0083E33Dj
		mov	eax, [ebx+4]
		or	eax, 4
		mov	[ebx+4], eax

loc_83E366:				; CODE XREF: PAGE:0083E338j
		mov	eax, [ebx+4]
		or	eax, 1
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E37B:				; DATA XREF: .text:006A6DBCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83E38E:				; DATA XREF: .text:006A6DC0o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-50Ch]
		mov	[ebp-35Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E3A9:				; CODE XREF: PAGE:0083DBEEj
					; DATA XREF: PAGE:off_83FC64o
		mov	dword ptr [ebp-35Ch], 0	; case 0x10
		mov	ecx, [ebp-354h]
		call	_PspGetRedirectionTrustPolicy@4	; PspGetRedirectionTrustPolicy(x)
		mov	dword ptr [ebp-4], 37h
		mov	dword ptr [ebx+4], 0
		sub	eax, 1
		jz	loc_83DED0
		sub	eax, 1
		jnz	loc_83DC5F
		mov	eax, [ebx+4]
		or	eax, 2
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E3F3:				; DATA XREF: .text:006A6DC8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-510h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83E406:				; DATA XREF: .text:006A6DCCo
		mov	esp, [ebp-18h]
		mov	eax, [ebp-510h]
		mov	[ebp-35Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83E4C9
; 

loc_83E421:				; CODE XREF: PAGE:0083DBEEj
					; DATA XREF: PAGE:off_83FC64o
		mov	dword ptr [ebp-35Ch], 0	; case 0xE
		mov	dword ptr [ebp-4], 38h
		mov	dword ptr [ebx+4], 0
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+490h]
		test	eax, 40000000h
		jz	short loc_83E45B
		mov	eax, [ebx+4]
		or	eax, 1
		mov	[ebx+4], eax
		mov	eax, [ecx+490h]

loc_83E45B:				; CODE XREF: PAGE:0083E44Aj
		test	eax, eax
		jns	short loc_83E468
		mov	eax, [ebx+4]
		or	eax, 2
		mov	[ebx+4], eax

loc_83E468:				; CODE XREF: PAGE:0083E45Dj
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+494h]
		test	eax, 1000h
		jz	short loc_83E48A
		mov	eax, [ebx+4]
		or	eax, 4
		mov	[ebx+4], eax
		mov	eax, [ecx+494h]

loc_83E48A:				; CODE XREF: PAGE:0083E479j
		test	eax, 2000h
		jmp	loc_83DC54
; 

loc_83E494:				; DATA XREF: .text:006A6DD4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-514h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83E4A7:				; DATA XREF: .text:006A6DD8o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-514h]
		mov	[ebp-35Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_83E4C9
; 

loc_83E4BF:				; CODE XREF: PAGE:0083DBE8j
					; PAGE:0083DBEEj
					; DATA XREF: ...
		mov	dword ptr [ebp-35Ch], 0C00000BBh ; default

loc_83E4C9:				; CODE XREF: PAGE:0083DC66j
					; PAGE:0083DC94j ...
		mov	eax, [ebp-360h]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_83E4E4
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag

loc_83E4E4:				; CODE XREF: PAGE:0083E4D2j
		mov	eax, [ebp-35Ch]
		jmp	loc_83FACE
; 

loc_83E4EF:				; DATA XREF: .text:006A6D2Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-518h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83E502:				; DATA XREF: .text:006A6D30o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-518h]
		jmp	loc_83FACE
; 

loc_83E517:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB90o
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	400h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp-35Ch], esi
		test	esi, esi
		js	loc_83B7DA
		mov	edi, [ebp-354h]
		mov	ecx, edi
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jz	loc_83CB39
		mov	ecx, eax
		call	_ExQueryHandleExceptions@4 ; ExQueryHandleExceptions(x)
		mov	dword ptr [ebp-4], 39h

loc_83E578:				; CODE XREF: PAGE:0083EC8Ej
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	[ebx], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, edi
		call	_ObDereferenceProcessHandleTable@4 ; ObDereferenceProcessHandleTable(x)
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83E5A2:				; DATA XREF: .text:006A6DE0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-51Ch], eax
		mov	eax, 1
		retn
; 

loc_83E5B5:				; DATA XREF: .text:006A6DE4o
		mov	esi, [ebp-51Ch]

loc_83E5BB:				; CODE XREF: PAGE:0083ECACj
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-354h]
		mov	ecx, edi
		call	_ObDereferenceProcessHandleTable@4 ; ObDereferenceProcessHandleTable(x)
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83E5E5:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB94o
		cmp	ecx, 8
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	400h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83B7DA
		mov	dword ptr [ebp-4], 3Ah
		mov	dl, 1
		mov	ecx, [ebp-354h]
		call	_PsGetKeepAliveCountProcess@8 ;	PsGetKeepAliveCountProcess(x,x)
		mov	[ebx], eax
		xor	dl, dl
		call	_PsGetKeepAliveCountProcess@8 ;	PsGetKeepAliveCountProcess(x,x)
		mov	[ebx+4], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83E655:				; DATA XREF: .text:006A6DECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-520h], eax
		mov	eax, 1
		retn
; 

loc_83E668:				; DATA XREF: .text:006A6DF0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-520h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83E68F:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB98o
		mov	dword ptr [ebp-3ACh], 0
		mov	dword ptr [ebp-388h], 0
		cmp	ecx, 4
		jb	loc_83DAA9
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-378h], al
		lea	eax, [ebp-388h]
		push	eax
		lea	eax, [ebp-3ACh]
		push	eax
		push	1
		push	dword ptr [ebp-378h]
		mov	edx, ecx
		mov	ecx, ebx
		call	ExLockUserBuffer
		test	eax, eax
		js	loc_83FACE
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	440h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83E7C6
		xor	eax, eax
		mov	[ebp-3FCh], eax
		mov	[ebp-3F8h], eax
		mov	[ebp-3F4h], eax
		mov	ebx, [ebp-354h]
		mov	ecx, ebx
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jz	short loc_83E77A
		mov	ecx, [ebp-3ACh]
		mov	[ebp-3FCh], ecx
		mov	esi, [ebp+14h]
		shr	esi, 2
		mov	[ebp-3F8h], esi
		mov	dword ptr [ebp-3F4h], 0
		push	0
		lea	ecx, [ebp-3FCh]
		push	ecx
		push	offset PspHandleTableWalker
		push	eax
		call	ExEnumHandleTable
		xor	esi, esi
		mov	ecx, ebx
		call	_ObDereferenceProcessHandleTable@4 ; ObDereferenceProcessHandleTable(x)
		jmp	short loc_83E77F
; 

loc_83E77A:				; CODE XREF: PAGE:0083E737j
		mov	esi, 0C000010Ah

loc_83E77F:				; CODE XREF: PAGE:0083E778j
		mov	edx, 79517350h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		test	edi, edi
		jz	short loc_83E7C6
		mov	dword ptr [ebp-4], 3Bh
		mov	eax, [ebp-3F4h]
		shl	eax, 2
		mov	[edi], eax
		jmp	short loc_83E7BF
; 

loc_83E7A3:				; DATA XREF: .text:006A6DF8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-524h], eax
		mov	eax, 1
		retn
; 

loc_83E7B6:				; DATA XREF: .text:006A6DFCo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-524h]

loc_83E7BF:				; CODE XREF: PAGE:0083E7A1j
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_83E7C6:				; CODE XREF: PAGE:0083E70Ej
					; PAGE:0083E78Dj
		mov	ecx, [ebp-388h]
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83E7D8:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBA0o
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		push	edi
		push	dword ptr [ebp-358h]
		mov	esi, [ebp+14h]
		push	esi
		push	ebx
		mov	esi, [ebp-354h]
		push	esi
		call	PsQueryProcessCommandLine
		mov	[ebp-378h], eax
		test	esi, esi
		jz	loc_83FACE
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp-378h]
		jmp	loc_83FACE
; 

loc_83E842:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBA4o
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		cmp	dword ptr [ebp+14h], 1
		jnb	short loc_83E882
		mov	eax, 0C0000004h
		mov	[ebp-388h], eax
		jmp	short loc_83E8DB
; 

loc_83E882:				; CODE XREF: PAGE:0083E873j
		mov	dword ptr [ebp-4], 3Ch
		mov	esi, [ebp-354h]
		push	esi
		call	_PsGetProcessProtection@4 ; PsGetProcessProtection(x)
		mov	[ebx], al
		test	edi, edi
		jz	short loc_83E8A1
		mov	dword ptr [edi], 1

loc_83E8A1:				; CODE XREF: PAGE:0083E899j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	eax, eax
		mov	[ebp-388h], eax
		jmp	short loc_83E8E1
; 

loc_83E8B2:				; DATA XREF: .text:006A6E04o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-528h], eax
		mov	eax, 1
		retn
; 

loc_83E8C5:				; DATA XREF: .text:006A6E08o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-528h]
		mov	[ebp-388h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_83E8DB:				; CODE XREF: PAGE:0083E880j
		mov	esi, [ebp-354h]

loc_83E8E1:				; CODE XREF: PAGE:0083E8B0j
		test	esi, esi
		jz	loc_83FACE
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp-388h]
		jmp	loc_83FACE
; 

loc_83E900:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FB9Co
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	400h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83B7DA
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+64h]
		shr	eax, 5
		and	eax, 1
		mov	dword ptr [ebp-4], 3Dh
		mov	[ebx], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83E968:				; DATA XREF: .text:006A6E10o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-52Ch], eax
		mov	eax, 1
		retn
; 

loc_83E97B:				; DATA XREF: .text:006A6E14o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-52Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83E9A2:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBA8o
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83B7DA
		push	edi
		push	dword ptr [ebp-358h]
		mov	esi, [ebp+14h]
		push	esi
		mov	edx, ebx
		mov	edi, [ebp-354h]
		mov	ecx, edi
		call	EtwQueryProcessTelemetryInfo
		mov	esi, eax
		test	edi, edi
		jz	loc_83B7DA
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83EA08:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBACo
		mov	dword ptr [ebp-3B0h], 0
		cmp	ecx, 14h
		jz	short loc_83EA21
		mov	esi, 0C0000004h
		jmp	loc_83EB6B
; 

loc_83EA21:				; CODE XREF: PAGE:0083EA15j
		mov	dword ptr [ebp-4], 3Eh
		mov	edi, [ebx]
		mov	[ebp-410h], edi
		mov	edx, [ebx+4]
		mov	[ebp-40Ch], edx
		mov	ecx, [ebx+8]
		mov	[ebp-408h], ecx
		mov	eax, [ebx+0Ch]
		mov	[ebp-404h], eax
		mov	eax, [ebx+10h]
		mov	[ebp-400h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	edi, 3
		jz	short loc_83EA6A
		mov	esi, 0C0000059h
		jmp	loc_83EB6B
; 

loc_83EA6A:				; CODE XREF: PAGE:0083EA5Ej
		test	edx, 0FFFFFFF8h
		jnz	loc_83EB41
		test	ecx, ecx
		jnz	loc_83EB41
		push	ecx
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83EB6B
		lea	eax, [ebp-400h]
		push	eax
		lea	eax, [ebp-404h]
		push	eax
		lea	eax, [ebp-408h]
		push	eax
		lea	edx, [ebp-3B0h]
		mov	ecx, [ebp-354h]
		call	MmQueryCommitReleaseState
		mov	ecx, [ebp-40Ch]
		mov	eax, ecx
		xor	eax, [ebp-3B0h]
		and	eax, 1
		xor	ecx, eax
		mov	edx, [ebp-408h]
		shl	edx, 0Ch
		mov	esi, [ebp-404h]
		shl	esi, 0Ch
		mov	edi, [ebp-400h]
		shl	edi, 0Ch
		mov	dword ptr [ebp-4], 3Fh
		mov	eax, [ebp-410h]
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ebx+8], edx
		mov	[ebx+0Ch], esi
		mov	[ebx+10h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		jmp	short loc_83EB6B
; 

loc_83EB26:				; DATA XREF: .text:006A6E28o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-530h], eax
		mov	eax, 1
		retn
; 

loc_83EB39:				; DATA XREF: .text:006A6E2Co
		mov	esi, [ebp-530h]
		jmp	short loc_83EB61
; 

loc_83EB41:				; CODE XREF: PAGE:0083EA70j
					; PAGE:0083EA78j
		mov	esi, 0C000000Dh
		jmp	short loc_83EB6B
; 

loc_83EB48:				; DATA XREF: .text:006A6E1Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-534h], eax
		mov	eax, 1
		retn
; 

loc_83EB5B:				; DATA XREF: .text:006A6E20o
		mov	esi, [ebp-534h]

loc_83EB61:				; CODE XREF: PAGE:0083EB3Fj
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_83EB6B:				; CODE XREF: PAGE:0083EA1Cj
					; PAGE:0083EA65j ...
		mov	ecx, [ebp-354h]
		test	ecx, ecx
		jz	loc_83B7DA
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83EB8A:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBB8o
		cmp	ecx, 1
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83B7DA
		mov	dword ptr [ebp-4], 40h
		mov	ecx, [ebp-354h]
		cmp	dword ptr [ecx+0F8h], 0
		setl	al
		mov	[ebx], al
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83EBF3:				; DATA XREF: .text:006A6E34o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-538h], eax
		mov	eax, 1
		retn
; 

loc_83EC06:				; DATA XREF: .text:006A6E38o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-538h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83EC2D:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBBCo
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp-35Ch], esi
		test	esi, esi
		js	loc_83B7DA
		mov	edi, [ebp-354h]
		mov	ecx, edi
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jz	loc_83CB39
		mov	ecx, eax
		call	_ExQueryRaiseUMExceptionOnInvalidHandleClose@4 ; ExQueryRaiseUMExceptionOnInvalidHandleClose(x)
		mov	dword ptr [ebp-4], 41h
		jmp	loc_83E578
; 

loc_83EC93:				; DATA XREF: .text:006A6E40o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-53Ch], eax
		mov	eax, 1
		retn
; 

loc_83ECA6:				; DATA XREF: .text:006A6E44o
		mov	esi, [ebp-53Ch]
		jmp	loc_83E5BB
; 

loc_83ECB1:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBB0o
		test	cl, 7
		jnz	loc_83DAA9
		cmp	ecx, 8
		ja	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp-378h], eax
		test	eax, eax
		js	loc_83FACE
		xor	ecx, ecx
		cmp	dword ptr [ebp+0Ch], 43h
		setz	cl
		push	ecx
		push	ecx
		lea	edx, [ebp-694h]
		mov	ecx, [ebp-354h]
		call	_KeQueryCpuSetsProcess@16 ; KeQueryCpuSetsProcess(x,x,x,x)
		mov	esi, eax
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		lea	ecx, ds:0[esi*8]
		mov	dword ptr [ebp-4], 42h
		mov	eax, [ebp-380h]
		test	eax, eax
		jz	short loc_83ED3E
		mov	[eax], ecx

loc_83ED3E:				; CODE XREF: PAGE:0083ED3Aj
		mov	esi, [ebp+14h]
		cmp	ecx, esi
		jb	short loc_83ED47
		mov	ecx, esi

loc_83ED47:				; CODE XREF: PAGE:0083ED43j
		push	ecx
		lea	eax, [ebp-694h]
		push	eax
		push	ebx
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-378h]
		jmp	loc_83FACE
; 

loc_83ED6A:				; DATA XREF: .text:006A6E4Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-540h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83ED7D:				; DATA XREF: .text:006A6E50o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-540h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83FACE
; 

loc_83ED92:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBC0o
		cmp	ecx, 3
		jnz	loc_83DAA9
		cmp	esi, 0FFFFFFFFh
		jz	short loc_83EDD5
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	400h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	eax, [ebp-354h]
		jmp	short loc_83EDE0
; 

loc_83EDD5:				; CODE XREF: PAGE:0083ED9Ej
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	[ebp-354h], eax

loc_83EDE0:				; CODE XREF: PAGE:0083EDD3j
		mov	ecx, eax
		call	PspGetNoChildProcessRestrictedPolicy
		mov	dword ptr [ebp-4], 43h
		xor	ecx, ecx
		mov	[ebx], cx
		mov	[ebx+2], cl
		sub	eax, 1
		jz	short loc_83EE0F
		sub	eax, 1
		jz	short loc_83EE0B
		sub	eax, 1
		jnz	short loc_83EE12
		mov	byte ptr [ebx+2], 1
		jmp	short loc_83EE12
; 

loc_83EE0B:				; CODE XREF: PAGE:0083EDFEj
		mov	byte ptr [ebx+1], 1

loc_83EE0F:				; CODE XREF: PAGE:0083EDF9j
		mov	byte ptr [ebx],	1

loc_83EE12:				; CODE XREF: PAGE:0083EE03j
					; PAGE:0083EE09j
		test	edi, edi
		jz	short loc_83EE1C
		mov	dword ptr [edi], 3

loc_83EE1C:				; CODE XREF: PAGE:0083EE14j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		jmp	short loc_83EE50
; 

loc_83EE27:				; DATA XREF: .text:006A6E58o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-544h], eax
		mov	eax, 1
		retn
; 

loc_83EE3A:				; DATA XREF: .text:006A6E5Co
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-544h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-360h]

loc_83EE50:				; CODE XREF: PAGE:0083EE25j
		cmp	esi, 0FFFFFFFFh
		jz	loc_83B64D
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	eax, ebx
		jmp	loc_83FACE
; 

loc_83EE70:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBC4o
		cmp	ecx, 1
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83B7DA
		mov	dword ptr [ebp-4], 44h
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+3A8h]
		shr	eax, 9
		and	al, 1
		mov	[ebx], al
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83EEDA:				; DATA XREF: .text:006A6E64o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-548h], eax
		mov	eax, 1
		retn
; 

loc_83EEED:				; DATA XREF: .text:006A6E68o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-548h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83EF14:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBC8o
		cmp	ecx, 4
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83B7DA
		mov	dword ptr [ebp-4], 45h
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+3D4h]
		neg	eax
		sbb	eax, eax
		and	eax, dword_6BEE0C
		mov	[ebx], eax
		test	edi, edi
		jz	short loc_83EF75
		mov	dword ptr [edi], 4

loc_83EF75:				; CODE XREF: PAGE:0083EF6Dj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83EF8D:				; DATA XREF: .text:006A6E70o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54Ch], eax
		mov	eax, 1
		retn
; 

loc_83EFA0:				; DATA XREF: .text:006A6E74o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-54Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83EFC7:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBCCo
		push	1B0h
		push	0
		lea	eax, [ebp-350h]
		push	eax
		call	_memset
		add	esp, 0Ch
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp-378h], eax
		test	eax, eax
		js	loc_83FACE
		lea	edx, [ebp-350h]
		mov	ecx, [ebp-354h]
		call	_PsQueryProcessEnergyValues@8 ;	PsQueryProcessEnergyValues(x,x)
		mov	dword ptr [ebp-4], 46h
		mov	esi, [ebp+14h]
		cmp	esi, 1B0h
		jbe	short loc_83F038
		mov	esi, 1B0h

loc_83F038:				; CODE XREF: PAGE:0083F031j
		push	esi
		lea	eax, [ebp-350h]
		push	eax
		push	ebx
		call	_memcpy
		add	esp, 0Ch
		test	edi, edi
		jz	short loc_83F053
		mov	dword ptr [edi], 1B0h

loc_83F053:				; CODE XREF: PAGE:0083F04Bj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-378h]
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83F077:				; DATA XREF: .text:006A6E7Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-550h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83F08A:				; DATA XREF: .text:006A6E80o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-550h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83F0B1:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBD0o
		xor	eax, eax
		mov	[ebp-28h], eax
		mov	[ebp-24h], eax
		mov	[ebp-20h], eax
		cmp	ecx, 0Ch
		jnz	loc_83DAA9
		mov	ecx, ds:_PspBamExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		mov	[ebp-378h], eax
		test	eax, eax
		jnz	short loc_83F0E4
		mov	eax, 0C0000002h
		jmp	loc_83FACE
; 

loc_83F0E4:				; CODE XREF: PAGE:0083F0D8j
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_83F189
		lea	eax, [ebp-28h]
		push	eax
		push	dword ptr [ebp-354h]
		mov	eax, [ebp-378h]
		mov	eax, [eax+8]
		call	eax
		mov	esi, eax
		test	esi, esi
		js	short loc_83F179
		mov	dword ptr [ebp-4], 47h
		mov	eax, [ebp-28h]
		mov	[ebx], eax
		mov	eax, [ebp-24h]
		mov	[ebx+4], eax
		mov	eax, [ebp-20h]
		mov	[ebx+8], eax
		test	edi, edi
		jz	short loc_83F14C
		mov	dword ptr [edi], 0Ch

loc_83F14C:				; CODE XREF: PAGE:0083F144j
		xor	esi, esi
		jmp	short loc_83F16C
; 

loc_83F150:				; DATA XREF: .text:006A6E88o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-554h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83F163:				; DATA XREF: .text:006A6E8Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-554h]

loc_83F16C:				; CODE XREF: PAGE:0083F14Ej
		mov	[ebp-35Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_83F179:				; CODE XREF: PAGE:0083F128j
		mov	edx, 79517350h
		mov	ecx, [ebp-354h]
		call	ObfDereferenceObjectWithTag

loc_83F189:				; CODE XREF: PAGE:0083F10Dj
		mov	ecx, ds:_PspBamExtensionHost
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83F19B:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBD4o
		cmp	ecx, 8
		jnz	loc_83DAA9
		cmp	esi, 0FFFFFFFFh
		jz	short loc_83F1DE
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	400h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	ecx, [ebp-354h]
		jmp	short loc_83F1EB
; 

loc_83F1DE:				; CODE XREF: PAGE:0083F1A7j
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	ecx, eax
		mov	[ebp-354h], ecx

loc_83F1EB:				; CODE XREF: PAGE:0083F1DCj
		mov	dword ptr [ebp-4], 48h
		mov	dword ptr [ebx], 0
		mov	edx, [ecx+490h]
		xor	eax, eax
		test	edx, 4000h
		jz	short loc_83F219
		mov	dword ptr [ebx], 1
		mov	edx, [ecx+490h]
		mov	eax, 1

loc_83F219:				; CODE XREF: PAGE:0083F206j
		test	edx, 8000h
		jz	short loc_83F226
		or	eax, 2
		mov	[ebx], eax

loc_83F226:				; CODE XREF: PAGE:0083F21Fj
		mov	eax, [ecx+438h]
		mov	[ebx+4], eax
		test	edi, edi
		jz	short loc_83F239
		mov	dword ptr [edi], 8

loc_83F239:				; CODE XREF: PAGE:0083F231j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		jmp	short loc_83F273
; 

loc_83F244:				; DATA XREF: .text:006A6E94o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-558h], eax
		mov	eax, 1
		retn
; 

loc_83F257:				; DATA XREF: .text:006A6E98o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-558h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	esi, [ebp-360h]

loc_83F273:				; CODE XREF: PAGE:0083F242j
		cmp	esi, 0FFFFFFFFh
		jz	loc_83B64D
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, ebx
		jmp	loc_83FACE
; 

loc_83F28D:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBD8o
		cmp	byte ptr [ebp-361h], 0
		jnz	loc_83F5C9
		cmp	ecx, 30h
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	0
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		push	ebx
		mov	esi, [ebp-354h]
		mov	edx, esi
		mov	ecx, [ebp-398h]
		call	PspAllocateAndQueryProcessNotificationChannel
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_83F2F0
		test	edi, edi
		jz	short loc_83F2F0
		mov	dword ptr [edi], 30h

loc_83F2F0:				; CODE XREF: PAGE:0083F2E4j
					; PAGE:0083F2E8j
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, ebx
		jmp	loc_83FACE
; 

loc_83F303:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBDCo
		push	90h
		push	0
		lea	eax, [ebp-1A0h]
		push	eax
		call	_memset
		add	esp, 0Ch
		mov	esi, [ebp+14h]
		cmp	esi, 8
		jb	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		mov	eax, [ebp-360h]
		push	eax
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		lea	edx, [ebp-1A0h]
		mov	ecx, [ebp-354h]
		call	_PoQueryProcessEnergyTrackingState@8 ; PoQueryProcessEnergyTrackingState(x,x)
		mov	dword ptr [ebp-4], 49h
		cmp	esi, 90h
		jb	short loc_83F37D
		mov	esi, 90h

loc_83F37D:				; CODE XREF: PAGE:0083F376j
		push	esi
		lea	eax, [ebp-1A0h]
		push	eax
		push	ebx
		call	_memcpy
		add	esp, 0Ch
		test	edi, edi
		jz	short loc_83F394
		mov	[edi], esi

loc_83F394:				; CODE XREF: PAGE:0083F390j
		xor	esi, esi
		jmp	loc_83D699
; 

loc_83F39B:				; DATA XREF: .text:006A6EA0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-55Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83F3AE:				; DATA XREF: .text:006A6EA4o
		mov	esi, [ebp-55Ch]
		jmp	loc_83D696
; 

loc_83F3B9:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBE0o
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		push	edi
		mov	esi, [ebp+14h]
		push	esi
		mov	edx, ebx
		mov	ecx, [ebp-354h]
		call	_EtwQueryProcessTelemetryCoverage@16 ; EtwQueryProcessTelemetryCoverage(x,x,x,x)
		jmp	loc_83C3CC
; 

loc_83F3FD:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBE4o
		cmp	edx, 57h
		jnz	short loc_83F40B
		cmp	ecx, 1
		jb	loc_83DAA9

loc_83F40B:				; CODE XREF: PAGE:0083F400j
		cmp	edx, 60h
		jnz	short loc_83F419
		cmp	ecx, 4
		jb	loc_83DAA9

loc_83F419:				; CODE XREF: PAGE:0083F40Ej
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_83B7DA
		mov	dword ptr [ebp-4], 4Ah
		mov	ecx, [ebp-354h]
		mov	eax, [ecx+0F8h]
		shr	eax, 18h
		and	al, 3
		mov	[ebx], al
		cmp	dword ptr [ebp+0Ch], 60h
		jnz	short loc_83F476
		mov	eax, [ecx+3A8h]
		shr	eax, 11h
		and	eax, 0Ch
		or	[ebx], eax

loc_83F476:				; CODE XREF: PAGE:0083F466j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83F48E:				; DATA XREF: .text:006A6EACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-560h], eax
		mov	eax, 1
		retn
; 

loc_83F4A1:				; DATA XREF: .text:006A6EB0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-560h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83F4C8:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBECo
		mov	dword ptr [ebp-3B4h], 0
		cmp	ecx, 4
		jnz	loc_83DAA9
		cmp	byte ptr [ebp-361h], 0
		jz	short loc_83F503
		mov	dword ptr [ebp-4], 4Bh
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_83F4F8
		mov	ecx, eax

loc_83F4F8:				; CODE XREF: PAGE:0083F4F4j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_83F503:				; CODE XREF: PAGE:0083F4E2j
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	ecx, eax
		cmp	esi, 0FFFFFFFFh
		jnz	loc_83F5C9
		mov	eax, [ebp-398h]
		cmp	ecx, [eax+150h]
		jnz	loc_83F5C9
		lea	eax, [ebp-3B4h]
		push	eax
		push	dword ptr [ebp-358h]
		mov	eax, ds:_MmSectionObjectType
		push	eax
		push	5
		push	0
		push	0
		mov	eax, [ecx+15Ch]
		push	eax
		call	ObOpenObjectByPointer
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_83F5C2
		mov	dword ptr [ebp-4], 4Ch
		mov	eax, [ebp-3B4h]
		mov	[ebx], eax
		test	edi, edi
		jz	short loc_83F5BB
		mov	dword ptr [edi], 4
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, ecx
		jmp	loc_83FACE
; 

loc_83F577:				; DATA XREF: .text:006A6EB8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-564h], eax
		mov	eax, 1
		retn
; 

loc_83F58A:				; DATA XREF: .text:006A6EBCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-564h]
		jmp	loc_83FACE
; 

loc_83F59F:				; DATA XREF: .text:006A6EC4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-598h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83F5B2:				; DATA XREF: .text:006A6EC8o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-598h]

loc_83F5BB:				; CODE XREF: PAGE:0083F561j
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_83F5C2:				; CODE XREF: PAGE:0083F54Ej
		mov	eax, ecx
		jmp	loc_83FACE
; 

loc_83F5C9:				; CODE XREF: PAGE:0083C8D7j
					; PAGE:0083F294j ...
		mov	eax, 0C0000022h
		jmp	loc_83FACE
; 

loc_83F5D3:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBE8o
		xor	eax, eax
		mov	[ebp-478h], eax
		mov	[ebp-474h], eax
		mov	[ebp-470h], eax
		mov	[ebp-46Ch], eax
		mov	[ebp-468h], eax
		mov	[ebp-464h], eax
		mov	[ebp-460h], eax
		mov	[ebp-45Ch], eax
		push	eax
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	dword ptr [ebp-5F0h], 0
		mov	dword ptr [ebp-5ECh], 0
		xor	eax, eax
		mov	[ebp-3B0h], eax
		mov	[ebp-5E8h], eax
		mov	[ebp-3ACh], eax
		mov	[ebp-5E4h], eax
		mov	[ebp-3A8h], eax
		mov	[ebp-5E0h], eax
		mov	[ebp-39Ch], eax
		mov	[ebp-5DCh], eax
		mov	[ebp-3B4h], eax
		mov	[ebp-5CCh], eax
		mov	edx, [ebp-398h]
		mov	esi, [ebp-354h]
		mov	ecx, esi
		call	_PspLockProcessShared@8	; PspLockProcessShared(x,x)
		mov	eax, [esi+410h]
		mov	edx, [esi+414h]
		mov	ecx, edx
		shr	ecx, 1Dh
		cmp	ecx, 3
		jz	short loc_83F6B1
		cmp	ecx, 4
		jnz	short loc_83F71D

loc_83F6B1:				; CODE XREF: PAGE:0083F6AAj
		mov	[ebp-3A8h], eax
		and	edx, 1FFFFFFFh
		mov	[ebp-39Ch], edx
		mov	[ebp-5E0h], eax
		mov	[ebp-5DCh], edx
		mov	eax, [esi+408h]
		mov	edx, [esi+40Ch]
		mov	[ebp-5F0h], eax
		mov	[ebp-5ECh], edx
		sub	eax, [esi+3F0h]
		mov	[ebp-3B0h], eax
		sbb	edx, [esi+3F4h]
		mov	[ebp-3ACh], edx
		mov	[ebp-5E8h], eax
		mov	[ebp-5E4h], edx
		cmp	ecx, 3
		jnz	short loc_83F71D
		xor	eax, eax
		or	eax, 200h
		mov	[ebp-3B4h], eax

loc_83F71D:				; CODE XREF: PAGE:0083F6AFj
					; PAGE:0083F70Ej
		movzx	ecx, byte ptr [esi+3A7h]
		mov	edx, [esi+3A8h]
		and	edx, 4
		shl	edx, 5
		mov	eax, ecx
		and	eax, 38h
		or	edx, eax
		add	edx, edx
		and	ecx, 7
		or	edx, ecx
		mov	eax, [ebp-3B4h]
		and	eax, 0FFFFFE00h
		or	edx, eax
		mov	[ebp-5D0h], edx
		mov	edx, [ebp-398h]
		mov	ecx, esi
		call	_PspUnlockProcessShared@8 ; PspUnlockProcessShared(x,x)
		lea	edx, [ebp-478h]
		mov	ecx, esi
		call	_PsGetProcessDeepFreezeStats@8 ; PsGetProcessDeepFreezeStats(x,x)
		mov	eax, [ebp-478h]
		mov	[ebp-600h], eax
		mov	eax, [ebp-474h]
		mov	[ebp-5FCh], eax
		mov	eax, [ebp-470h]
		mov	[ebp-5F8h], eax
		mov	ecx, [ebp-46Ch]
		mov	[ebp-5F4h], ecx
		mov	edx, [ebp-468h]
		mov	[ebp-5D8h], edx
		mov	edx, [ebp-464h]
		mov	[ebp-5D4h], edx
		mov	edx, [ebp-3B0h]
		or	edx, [ebp-3ACh]
		jnz	short loc_83F7F3
		mov	edx, [ebp-478h]
		sub	edx, [esi+3F0h]
		mov	edi, [ebp-474h]
		sbb	edi, [esi+3F4h]
		mov	[ebp-378h], edi
		mov	[ebp-5E8h], edx
		mov	edx, edi
		mov	[ebp-5E4h], edx
		mov	edi, [ebp-380h]

loc_83F7F3:				; CODE XREF: PAGE:0083F7BFj
		mov	edx, [ebp-3A8h]
		or	edx, [ebp-39Ch]
		jnz	short loc_83F825
		sub	eax, [esi+3F8h]
		sbb	ecx, [esi+3FCh]
		sub	eax, [ebp-468h]
		sbb	ecx, [ebp-464h]
		mov	[ebp-5E0h], eax
		mov	[ebp-5DCh], ecx

loc_83F825:				; CODE XREF: PAGE:0083F7FFj
		mov	dword ptr [ebp-4], 4Dh
		mov	esi, [ebp+14h]
		cmp	esi, 38h
		jb	short loc_83F839
		mov	esi, 38h

loc_83F839:				; CODE XREF: PAGE:0083F832j
		push	esi
		lea	eax, [ebp-600h]
		push	eax
		push	ebx
		call	_memcpy
		add	esp, 0Ch
		test	edi, edi
		jz	short loc_83F850
		mov	[edi], esi

loc_83F850:				; CODE XREF: PAGE:0083F84Cj
		xor	esi, esi
		mov	[ebp-35Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83F876:				; DATA XREF: .text:006A6ED0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-56Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83F889:				; DATA XREF: .text:006A6ED4o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-56Ch]
		mov	[ebp-35Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83F8B6:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBF4o
		cmp	ecx, 8
		jnz	loc_83DAA9
		push	0
		lea	eax, [ebp-354h]
		push	eax
		push	79517350h
		push	dword ptr [ebp-358h]
		mov	eax, ds:_PsProcessType
		push	eax
		push	1000h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_83FACE
		mov	eax, [ebp-354h]
		test	dword ptr [eax+0F8h], 8000h
		jnz	short loc_83F914
		mov	edx, 79517350h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C000007Ch
		jmp	loc_83FACE
; 

loc_83F914:				; CODE XREF: PAGE:0083F8FCj
		mov	dword ptr [ebp-570h], 0
		xor	edx, edx
		lea	ecx, [ebp-570h]
		lock or	[ecx], edx
		mov	dword ptr [ebp-4], 4Eh
		lea	esi, [eax+4A0h]
		xor	eax, eax
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp-644h]
		mov	[ecx], eax
		mov	[ecx+4], edx
		test	edi, edi
		jz	short loc_83F956
		mov	dword ptr [edi], 8

loc_83F956:				; CODE XREF: PAGE:0083F94Ej
		xor	esi, esi
		mov	[ebp-35Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83F97C:				; DATA XREF: .text:006A6EDCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-574h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83F98F:				; DATA XREF: .text:006A6EE0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-574h]
		mov	[ebp-35Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-354h]
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_83FACE
; 

loc_83F9BC:				; CODE XREF: PAGE:0083B55Aj
					; DATA XREF: PAGE:0083FBF8o
		cmp	ecx, 8
		jz	short loc_83F9FD
		test	edi, edi
		jz	loc_83DAA9
		mov	dword ptr [ebp-4], 4Fh
		jmp	loc_83DA9C
; 

loc_83F9D5:				; DATA XREF: .text:006A6EE8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-578h], eax
		mov	eax, 1
		retn
; 

loc_83F9E8:				; DATA XREF: .text:006A6EECo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-578h]
		jmp	loc_83FACE
; 

loc_83F9FD:				; CODE XREF: PAGE:0083F9BFj
		cmp	esi, 0FFFFFFFFh
		jz	short loc_83FA0C

loc_83FA02:				; CODE XREF: PAGE:0083D5E1j
					; PAGE:0083D5EAj
		mov	eax, 0C000000Dh
		jmp	loc_83FACE
; 

loc_83FA0C:				; CODE XREF: PAGE:0083FA00j
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		xor	ecx, ecx
		mov	eax, [eax+17Ch]
		test	eax, eax
		jz	short loc_83FA77
		mov	dword ptr [ebp-4], 50h
		test	byte ptr [eax+474h], 1
		jz	short loc_83FA37
		mov	dword ptr [ebp-428h], 1

loc_83FA37:				; CODE XREF: PAGE:0083FA2Bj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_83FA6F
; 

loc_83FA40:				; DATA XREF: .text:006A6EF4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-57Ch], eax
		mov	eax, 1
		retn
; 

loc_83FA53:				; DATA XREF: .text:006A6EF8o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-57Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-3A0h]
		mov	edi, [ebp-3C4h]

loc_83FA6F:				; CODE XREF: PAGE:0083FA3Ej
		test	ecx, ecx
		js	loc_83CC1D

loc_83FA77:				; CODE XREF: PAGE:0083FA1Bj
		mov	dword ptr [ebp-4], 51h
		mov	eax, [ebp-428h]
		mov	[ebx], eax
		mov	eax, [ebp-424h]
		mov	[ebx+4], eax
		test	edi, edi
		jz	short loc_83FA99
		mov	dword ptr [edi], 8

loc_83FA99:				; CODE XREF: PAGE:0083FA91j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, ecx
		jmp	short loc_83FACE
; 

loc_83FAA4:				; DATA XREF: .text:006A6F00o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-580h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_83FAB7:				; DATA XREF: .text:006A6F04o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-580h]
		jmp	short loc_83FACE
; 

loc_83FAC9:				; CODE XREF: PAGE:0083B54Dj
					; PAGE:0083B55Aj
					; DATA XREF: ...
		mov	eax, 0C0000003h

loc_83FACE:				; CODE XREF: PAGE:0083B53Fj
					; PAGE:0083B588j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp-1Ch]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_83FAEC:				; CODE XREF: PAGE:0083B4AFj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		lea	ecx, [ecx+0]
; 
off_83FAF4	dd offset loc_83B7F6	; DATA XREF: PAGE:0083B55Ar
		dd offset loc_83BB93
		dd offset loc_83BBBE
		dd offset loc_83BD0B
		dd offset loc_83BF06
		dd offset loc_83C0B5
		dd offset loc_83C38D
		dd offset loc_83BB13
		dd offset loc_83BBA8
		dd offset loc_83B7E1
		dd offset loc_83C6D1
		dd offset loc_83C3E5
		dd offset loc_83C2D2
		dd offset loc_83D4CC
		dd offset loc_83C488
		dd offset loc_83C510
		dd offset loc_83C62B
		dd offset loc_83C778
		dd offset loc_83B561
		dd offset loc_83C7F8
		dd offset loc_83C83B
		dd offset loc_83C139
		dd offset loc_83C222
		dd offset loc_83C8C1
		dd offset loc_83CEF5
		dd offset loc_83CB51
		dd offset loc_83CC24
		dd offset loc_83CD9A
		dd offset loc_83CFAA
		dd offset loc_83D058
		dd offset loc_83B654
		dd offset loc_83D2C5
		dd offset loc_83D423
		dd offset loc_83D6BD
		dd offset loc_83D5DF
		dd offset loc_83D75E
		dd offset loc_83D7F9
		dd offset loc_83DA8C
		dd offset loc_83DB6D
		dd offset loc_83E517
		dd offset loc_83E5E5
		dd offset loc_83E68F
		dd offset loc_83E900
		dd offset loc_83E7D8
		dd offset loc_83E842
		dd offset loc_83E9A2
		dd offset loc_83EA08
		dd offset loc_83ECB1
		dd offset loc_83D107
		dd offset loc_83EB8A
		dd offset loc_83EC2D
		dd offset loc_83ED92
		dd offset loc_83EE70
		dd offset loc_83EF14
		dd offset loc_83EFC7
		dd offset loc_83F0B1
		dd offset loc_83F19B
		dd offset loc_83F28D
		dd offset loc_83F303
		dd offset loc_83F3B9
		dd offset loc_83F3FD
		dd offset loc_83F5D3
		dd offset loc_83F4C8
		dd offset loc_83C003
		dd offset loc_83F8B6
		dd offset loc_83F9BC
		dd offset loc_83FAC9
byte_83FC00	db 0			; DATA XREF: PAGE:0083B553r
		db 1, 2, 3
		dd 5424204h, 42064242h,	9084207h, 0B0A4242h, 0F0E0D0Ch
		dd 12114210h, 16151413h, 42191817h, 1D1C1B1Ah, 1E094242h
		dd 2221201Fh, 25242342h, 28274226h, 2A294242h, 42422C2Bh
		dd 2F2F2E2Dh, 32313042h, 35343342h, 38423736h, 423A3942h
		dd 3C423B42h, 42423E3Dh, 4240423Fh, 0FF8B413Ch
off_83FC64	dd offset loc_83DBF5	; DATA XREF: PAGE:0083DBEEr
		dd offset loc_83DDF8	; jump table for switch	statement
		dd offset loc_83DC99
		dd offset loc_83DD5B
		dd offset loc_83E4BF
		dd offset loc_83DEA5
		dd offset loc_83DF13
		dd offset loc_83DFA8
		dd offset loc_83E00E
		dd offset loc_83E09C
		dd offset loc_83E157
		dd offset loc_83E1BC
		dd offset loc_83E312
		dd offset loc_83E421
		dd offset loc_83E4BF
		dd offset loc_83E3A9

;  S U B	R O U T	I N E 


PopGetLockConsoleTimeout proc near	; CODE XREF: PopConsoleSessionPassiveInput(x,x,x)+24p
					; PopGetDisplayTimeout(x)+10p
		mov	edi, edi
		push	ecx
		cmp	byte_6BFBB6, 0
		jnz	loc_9260CE

loc_83FCB4:				; CODE XREF: CmpInitializeLazyWriters+A150Cj
					; CmpInitializeLazyWriters+A1515j
		xor	eax, eax
		pop	ecx
		retn
PopGetLockConsoleTimeout endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopConsoleSessionPassiveInput(x, x,	x)
_PopConsoleSessionPassiveInput@12 proc near ; CODE XREF: PopSessionInputChange(x,x,x)+83p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ebx
		mov	esi, edx
		mov	edi, ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	byte ptr [ebp+var_8+1],	1
		mov	byte_6BFBC4, bl
		call	PopGetLockConsoleTimeout
		push	2
		pop	edx
		mov	ecx, edi
		mov	dword_6BFBB8, esi
		call	_PopSetSessionUserStatus@8 ; PopSetSessionUserStatus(x,x)
		mov	eax, [ebp+arg_0]
		lea	edx, [ebp+var_14]
		mov	ecx, dword_6BFBAC
		mov	[ebp+var_14], ecx
		mov	[eax+4], ecx
		mov	ecx, edi
		mov	[eax], ebx
		lea	eax, [ebp+var_C]
		push	eax
		call	_PopUpdateTimeouts@12 ;	PopUpdateTimeouts(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopConsoleSessionPassiveInput@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ExAcquireTimeRefreshLock(x)
_ExAcquireTimeRefreshLock@4 proc near	; CODE XREF: .text:00685214p
					; PoBroadcastSystemState+2A3p ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ecx
		push	offset _ExpTimeRefreshLock
		call	ExAcquireResourceExclusiveLite
		test	al, al
		jz	short loc_83FD38
		mov	al, 1
		retn
; 

loc_83FD38:				; CODE XREF: ExAcquireTimeRefreshLock(x)+1Bj
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	al, al
		retn
_ExAcquireTimeRefreshLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoRundownSystemTimer proc near		; CODE XREF: ExTraceTimerResolution+Fp

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009260EA SIZE 00000073 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	eax, ds:_KeTimeIncrement
		mov	[ebp+var_68], eax
		mov	eax, _ExpKernelRequestedTimerResolution
		mov	[ebp+var_7C], eax
		mov	eax, _ExpKernelResolutionCount
		mov	[ebp+var_78], eax
		mov	eax, ds:_KeMaximumIncrement
		mov	[ebp+var_74], eax
		mov	eax, ds:_KeMinimumIncrement
		mov	[ebp+var_70], eax
		mov	eax, ds:_KeNonHrTimeIncrement
		mov	[ebp+var_6C], eax
		jz	short loc_83FDB2
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_TIME_RESOLUTION_RUNDOWN
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_9260EA

loc_83FDAF:				; CODE XREF: PoRundownSystemTimer+E6418j
		pop	edi
		pop	esi
		pop	ebx

loc_83FDB2:				; CODE XREF: PoRundownSystemTimer+49j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
PoRundownSystemTimer endp


;  S U B	R O U T	I N E 


ExTraceTimerResolution proc near	; CODE XREF: PopDiagTraceControlCallback+46p

; FUNCTION CHUNK AT 0092615D SIZE 00000014 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		sub	esp, 10h
		call	PoRundownSystemTimer
		mov	esi, _ExpTimerResolutionListHead
		mov	edi, offset _ExpTimerResolutionListHead

loc_83FDDF:				; CODE XREF: ExTraceTimerResolution+E63ACj
		cmp	esi, edi
		jnz	loc_92615D
		mov	ecx, offset _ExpTimeRefreshLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ecx
		retn
ExTraceTimerResolution endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopLoggingInformation proc near		; CODE XREF: PopDiagTraceControlCallback+10Bp
					; NtPowerInformation+171F58p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00926171 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, _PowerStateDisableReasonListHead
		push	ebx
		push	esi
		push	edi
		push	4
		xor	edi, edi
		mov	[ebp+var_10], edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_C], eax
		pop	esi
		mov	[ebp+var_4], esi
		cmp	eax, offset _PowerStateDisableReasonListHead
		jz	loc_926171

loc_83FE29:				; CODE XREF: PopLoggingInformation+75j
		lea	eax, [ebp+var_4]
		inc	edi
		push	eax
		push	10h
		pop	edx
		mov	ecx, esi
		mov	[ebp+var_8], edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_83FEEA
		mov	esi, [ebp+var_C]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		mov	edx, [esi+14h]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_83FEEA
		mov	esi, [esi]
		cmp	esi, offset _PowerStateDisableReasonListHead
		mov	[ebp+var_C], esi
		mov	esi, [ebp+var_4]
		jnz	short loc_83FE29
		test	edi, edi
		jz	loc_926171

loc_83FE79:				; CODE XREF: PopLoggingInformation+E637Aj
		push	66756263h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_83FEF1
		mov	ecx, [ebp+var_10]
		xor	ebx, ebx
		mov	[ebp+var_10], ebx
		mov	[ecx], esi
		mov	ecx, [ebp+var_14]
		mov	[ecx], eax
		lea	ecx, [eax+4]
		mov	[eax], esi
		mov	[ebp+var_14], ecx
		test	edi, edi
		jz	loc_926179
		mov	edi, _PowerStateDisableReasonListHead
		cmp	edi, offset _PowerStateDisableReasonListHead
		jz	short loc_83FEEA
		mov	eax, [ebp+var_8]
		mov	ebx, ecx

loc_83FEBC:				; CODE XREF: PopLoggingInformation+EBj
		test	eax, eax
		jz	short loc_83FEE7
		mov	esi, [edi+14h]
		lea	eax, [edi+8]
		add	esi, 10h
		push	esi		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	edi, [edi]
		add	ebx, esi
		dec	eax
		mov	[ebp+var_8], eax
		cmp	edi, offset _PowerStateDisableReasonListHead
		jnz	short loc_83FEBC

loc_83FEE7:				; CODE XREF: PopLoggingInformation+C4j
		mov	ebx, [ebp+var_10]

loc_83FEEA:				; CODE XREF: PopLoggingInformation+45j
					; PopLoggingInformation+61j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_83FEF1:				; CODE XREF: PopLoggingInformation+8Ej
		mov	ebx, 0C000009Ah
		jmp	short loc_83FEEA
PopLoggingInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceDeviceVerboseRundown proc near ; CODE XREF:	PopDiagTraceFxRundown+7Cp

var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00926189 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 114h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_114], ebx
		mov	[ebp+var_110], ebx
		cmp	_PopDiagHandleRegistered, bl
		jz	loc_84017B
		push	offset _POP_ETW_EVENT_DEVICE_VERBOSE_RUNDOWN
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_84017B
		mov	ecx, [esi+20h]
		lea	edx, [ebp+var_EC]
		push	edi
		mov	edi, [esi+1Ch]
		mov	[ebp+var_EC], ebx
		mov	[ebp+var_E8], edi
		mov	ax, [edi+48h]
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_F0], eax
		mov	ax, [edi+14h]
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_F4], eax
		mov	ax, [edi+1Ch]
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_F8], eax
		call	PopPepGetDevicePlatformStateDependents
		mov	ecx, [ebp+var_E8]
		xor	edx, edx
		mov	eax, [ecx+8]
		mov	[ebp+var_100], eax
		mov	eax, [ecx+10h]
		lea	ecx, [esi+238h]
		mov	[ebp+var_FC], eax
		xor	eax, eax
		lock cmpxchg [ecx], edx
		mov	[ebp+var_104], eax
		cmp	[esi+30Ch], ebx
		jz	loc_926189
		lea	ebx, [esi+308h]

loc_83FFD5:				; CODE XREF: PopDiagTraceDeviceVerboseRundown+E62A8j
		movzx	edx, word ptr [ebx]
		xor	ecx, ecx
		mov	ax, dx
		mov	[ebp+var_E0], ecx
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_108], eax
		mov	eax, [esi+168h]
		mov	[ebp+var_10C], eax

loc_83FFFB:				; DATA XREF: CcGetVirtualAddress+440o
					; MiMapViewOfSection+145o ...
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_E4], eax
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_D4], eax
		mov	[ebp+var_D8], ecx
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_C8], ecx
		push	2
		pop	esi
		mov	[ebp+var_DC], 4
		mov	[ebp+var_CC], esi
		movzx	ecx, word ptr [edi+48h]
		mov	eax, [edi+4Ch]
		and	[ebp+var_C0], 0
		mov	[ebp+var_C4], eax
		mov	eax, ecx
		mov	[ebp+var_BC], eax
		xor	ecx, ecx
		mov	[ebp+var_B8], ecx
		lea	eax, [ebp+var_F4]
		mov	[ebp+var_B4], eax
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_AC], esi
		movzx	ecx, word ptr [edi+14h]
		mov	eax, [edi+18h]
		and	[ebp+var_A0], 0	; DATA XREF: PsBootPhaseComplete+17o
		mov	[ebp+var_A4], eax
		mov	eax, ecx
		mov	[ebp+var_9C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_F8]
		mov	[ebp+var_98], ecx
		mov	[ebp+var_94], eax
		mov	[ebp+var_90], ecx
		mov	[ebp+var_88], ecx
		mov	[ebp+var_8C], esi
		movzx	ecx, word ptr [edi+1Ch]
		mov	eax, [edi+20h]
		xor	edi, edi
		mov	[ebp+var_84], eax
		mov	eax, ecx
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_EC]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_FC]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_100]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_104]
		push	4
		pop	ecx
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_108]
		mov	[ebp+var_80], edi
		mov	[ebp+var_78], edi
		mov	[ebp+var_70], edi
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], edi
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], edi
		mov	eax, [ebx+4]
		mov	[ebp+var_24], eax
		mov	eax, edx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_10C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_E4]
		push	eax
		push	0Eh
		push	offset _PopDiagActivityId
		push	offset _POP_ETW_EVENT_DEVICE_VERBOSE_RUNDOWN
		push	dword_6C1D74
		mov	[ebp+var_20], edi
		push	_PopDiagHandle
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	edi

loc_84017B:				; CODE XREF: PopDiagTraceDeviceVerboseRundown+2Dj
					; PopDiagTraceDeviceVerboseRundown+4Bj
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTraceDeviceVerboseRundown endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxTraceDeviceRegistration proc near	; CODE XREF: PopDiagTraceFxRundown+75p
					; PopFxRegisterDevice+F5p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009261A5 SIZE 000001BA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	al, dl
		mov	[ebp+var_11], al
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_34], ebx
		test	al, al
		jz	short loc_8401E3
		mov	eax, offset _POP_ETW_EVENT_DEVICE_REGISTRATION_RUNDOWN

loc_8401B0:				; CODE XREF: PopFxTraceDeviceRegistration+72j
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_18], eax
		jz	short loc_8401D6
		push	eax
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_9261A5

loc_8401D6:				; CODE XREF: PopFxTraceDeviceRegistration+30j
					; PopFxTraceDeviceRegistration+E61D0j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8401E3:				; CODE XREF: PopFxTraceDeviceRegistration+1Fj
		mov	ecx, [ebx+1Ch]
		xor	edx, edx
		push	0
		push	dword ptr [ebx+23Ch]
		push	1
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		mov	eax, offset _POP_ETW_EVENT_DEVICE_REGISTRATION
		jmp	short loc_8401B0
PopFxTraceDeviceRegistration endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTracePlatformRoleRundown()
_PopDiagTracePlatformRoleRundown@0 proc	near ; CODE XREF: PopDiagTraceControlCallback+1C1p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_840261
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_PLATFORMROLE_RUNDOWN
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_84025E
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], offset _PopFirmwarePlatformRole
		push	eax
		push	1
		xor	ecx, ecx
		mov	[ebp+var_C], 4
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_84025E:				; CODE XREF: PopDiagTracePlatformRoleRundown()+39j
		pop	edi
		pop	esi
		pop	ebx

loc_840261:				; CODE XREF: PopDiagTracePlatformRoleRundown()+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTracePlatformRoleRundown@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopRundownThermalRequests()
_PopRundownThermalRequests@0 proc near	; CODE XREF: PopDiagTraceControlCallback+1C6p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ecx, offset _PopCoolingExtensionLock
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		mov	esi, _PopCoolingExtensionList
		jmp	short loc_84028F
; 

loc_840285:				; CODE XREF: PopRundownThermalRequests()+4Aj
		lea	ecx, [esi+10h]
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)

loc_84028D:				; CODE XREF: PopRundownThermalRequests()+2Dj
		mov	esi, [esi]

loc_84028F:				; CODE XREF: PopRundownThermalRequests()+15j
		cmp	esi, offset _PopCoolingExtensionList
		jz	short loc_8402D0
		cmp	byte ptr [esi+20h], 0
		jz	short loc_84028D
		lea	ecx, [esi+10h]
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		mov	edx, offset _POP_ETW_EVENT_COOLING_EXTENSION_RUNDOWN
		mov	ecx, esi
		call	PopDiagTraceCoolingExtension
		lea	ebx, [esi+8]
		mov	edi, [ebx]

loc_8402B6:				; CODE XREF: PopRundownThermalRequests()+60j
		cmp	edi, ebx
		jz	short loc_840285
		cmp	byte ptr [edi+0Ah], 0
		jz	short loc_8402CC
		mov	edx, offset _POP_ETW_EVENT_THERMAL_REQUEST_RUNDOWN
		mov	ecx, edi
		call	PopDiagTraceThermalRequest

loc_8402CC:				; CODE XREF: PopRundownThermalRequests()+50j
		mov	edi, [edi]
		jmp	short loc_8402B6
; 

loc_8402D0:				; CODE XREF: PopRundownThermalRequests()+27j
		mov	ecx, offset _PopCoolingExtensionLock
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)
_PopRundownThermalRequests@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopTraceStandbyConnectivityRundown proc	near ; CODE XREF: PopDiagTraceControlCallback+1D0p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092635F SIZE 00000039 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_840320
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_STANDBY_CONNECTIVITY_RUNDOWN
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_92635F

loc_84031D:				; CODE XREF: PopTraceStandbyConnectivityRundown+E60B5j
		pop	edi
		pop	esi
		pop	ebx

loc_840320:				; CODE XREF: PopTraceStandbyConnectivityRundown+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopTraceStandbyConnectivityRundown endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceDeviceComplianceRundown proc near ;	CODE XREF: PopDiagTraceControlCallback+1D5p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_840368
		push	edi
		mov	edi, offset _POP_ETW_EVENT_CS_COMPLIANCE_RUNDOWN
		push	edi
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jnz	sub_926398

loc_840367:				; CODE XREF: sub_926398+58j
		pop	edi

loc_840368:				; CODE XREF: PopDiagTraceDeviceComplianceRundown+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTraceDeviceComplianceRundown endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDynamicTickStatusRundown()
_PopDiagTraceDynamicTickStatusRundown@0	proc near
					; CODE XREF: PopDiagTraceControlCallback+1DFp

var_15		= dword	ptr -15h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_8403DC
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_DYNAMIC_TICK_STATUS_RUNDOWN
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_8403D9
		call	_KeGetDynamicTickDisableReason@0 ; KeGetDynamicTickDisableReason()
		mov	byte ptr [ebp+var_15], al
		xor	ecx, ecx
		lea	eax, [ebp+var_15]
		inc	ecx
		mov	[ebp+var_15+1],	eax
		xor	edx, edx
		lea	eax, [ebp+var_15+1]
		mov	[ebp+var_10], edx
		push	eax
		push	ecx
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_8403D9:				; CODE XREF: PopDiagTraceDynamicTickStatusRundown()+39j
		pop	edi
		pop	esi
		pop	ebx

loc_8403DC:				; CODE XREF: PopDiagTraceDynamicTickStatusRundown()+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceDynamicTickStatusRundown@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTracePowerStateEventRundown proc	near ; CODE XREF: PopDiagTraceControlCallback+210p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009263F5 SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_840424
		push	ebx
		mov	ebx, offset _POP_ETW_EVENT_POWER_STATE_RUNDOWN
		push	ebx
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_9263F5

loc_840423:				; CODE XREF: PopDiagTracePowerStateEventRundown+E6075j
		pop	ebx

loc_840424:				; CODE XREF: PopDiagTracePowerStateEventRundown+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTracePowerStateEventRundown endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceSystemIdleRundown proc near	; CODE XREF: PopDiagTraceControlCallback+258p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00926462 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_840472
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_SYSTEM_IDLE_RUNDOWN
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_926462

loc_84046F:				; CODE XREF: PopDiagTraceSystemIdleRundown+E6057j
		pop	edi
		pop	esi
		pop	ebx

loc_840472:				; CODE XREF: PopDiagTraceSystemIdleRundown+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTraceSystemIdleRundown endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSetInformationObject proc near	; DATA XREF: .text:00580CC4o

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092648C SIZE 00000034 BYTES

		push	54h
		push	offset dword_6A6F08
		call	__SEH_prolog4
		xor	eax, eax
		mov	word ptr [ebp+var_1C], ax
		mov	edi, 0C0000003h
		mov	eax, [ebp+arg_4]
		sub	eax, 4
		jnz	short loc_840510
		cmp	[ebp+arg_C], 2
		jnz	loc_9264AF
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4], al
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], ebx
		test	al, al
		jz	short loc_8404DA
		mov	ecx, [ebp+arg_8]
		lea	edx, [ecx+2]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	loc_9264B9
		cmp	edx, ecx
		jb	loc_9264B9

loc_8404DA:				; CODE XREF: NtSetInformationObject+3Fj
					; NtSetInformationObject+E603Dj
		mov	eax, [ebp+arg_8]
		mov	ax, [eax]
		mov	word ptr [ebp+var_1C], ax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	[ebp+arg_4]
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+arg_0]
		call	ObSetHandleAttributes
		mov	edi, eax

loc_8404FC:				; CODE XREF: NtSetInformationObject+9Ej
					; NtSetInformationObject+F4j ...
		mov	eax, edi

loc_8404FE:				; CODE XREF: NtSetInformationObject+E6036j
					; sub_9264D0+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_840510:				; CODE XREF: NtSetInformationObject+1Dj
		sub	eax, 1
		jz	loc_8405DB
		sub	eax, 1
		jnz	short loc_8404FC
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4], al
		push	[ebp+arg_4]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_92648C
		xor	ebx, ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	eax, _ObpDirectoryObjectType
		mov	[ebp+arg_C], ebx
		lea	ecx, [ebp+var_2C]
		push	ecx
		lea	ecx, [ebp+arg_C]
		push	ecx
		push	[ebp+arg_4]
		push	eax
		push	ebx
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8404FC
		call	_PsGetCurrentProcessSessionId@0	; PsGetCurrentProcessSessionId()
		mov	ecx, eax
		call	MmGetSessionObjectById
		mov	[ebp+arg_0], eax
		mov	esi, [ebp+arg_C]
		test	eax, eax
		jz	loc_9264A5
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		xor	eax, eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_38], 0FFFF1234h
		mov	edx, esi
		lea	ecx, [ebp+var_4C]
		call	_ObpLockDirectoryExclusive@8 ; ObpLockDirectoryExclusive(x,x)
		mov	ecx, [ebp+arg_0]
		cmp	[esi+0A4h], ebx
		jnz	loc_926496
		mov	[esi+0A4h], ecx

loc_8405C5:				; CODE XREF: NtSetInformationObject+E6022j
		lea	edx, [ebp+var_4C]

loc_8405C8:				; CODE XREF: NtSetInformationObject+1EAj
		mov	ecx, esi
		call	_ObpUnlockDirectory@8 ;	ObpUnlockDirectory(x,x)

loc_8405CF:				; CODE XREF: NtSetInformationObject+E602Cj
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	loc_8404FC
; 

loc_8405DB:				; CODE XREF: NtSetInformationObject+95j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4], al
		push	[ebp+arg_4]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_92648C
		xor	ebx, ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	eax, _ObpDirectoryObjectType
		mov	[ebp+var_20], ebx
		lea	ecx, [ebp+var_34]
		push	ecx
		lea	ecx, [ebp+var_20]
		push	ecx
		push	[ebp+arg_4]
		push	eax
		push	ebx
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8404FC
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		xor	eax, eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_50], 0FFFF1234h
		mov	esi, [ebp+var_20]
		mov	edx, esi
		lea	ecx, [ebp+var_64]
		call	_ObpLockDirectoryExclusive@8 ; ObpLockDirectoryExclusive(x,x)
		call	_PsGetCurrentProcessSessionId@0	; PsGetCurrentProcessSessionId()
		mov	[esi+0ACh], eax
		lea	edx, [ebp+var_64]
		jmp	loc_8405C8
NtSetInformationObject endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1645. ObSetHandleAttributes

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObSetHandleAttributes
ObSetHandleAttributes proc near		; CODE XREF: NtSetInformationObject+77p

var_2C		= byte ptr -2Ch
var_2B		= byte ptr -2Bh
var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 009264E2 SIZE 00000073 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		mov	dl, [ebp+arg_8]
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+38h+var_1C]
		mov	[esp+38h+var_2B], bl
		rep stosd
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	[esp+38h+var_2A], bl
		mov	edi, [eax+80h]
		mov	[esp+38h+var_28], edi
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jnz	loc_840786
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		test	al, al
		jnz	loc_9264E2
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	edi, [eax+18Ch]

loc_8406E4:				; CODE XREF: ObSetHandleAttributes+12Aj
					; ObSetHandleAttributes+141j ...
		mov	eax, large fs:124h
		mov	[esp+38h+var_20], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	edx, esi
		mov	ecx, edi
		call	ExMapHandleToPointer
		mov	esi, eax
		test	esi, esi
		jz	loc_926537
		mov	eax, [ebp+arg_4]
		mov	edx, [esi]
		and	edx, 0FFFFFFF8h
		mov	cl, [eax]
		mov	[esp+38h+var_29], cl
		test	cl, cl
		jnz	loc_926503

loc_84071F:				; CODE XREF: ObSetHandleAttributes+E5EC0j
		movzx	edx, cl
		neg	edx
		sbb	edx, edx
		and	edx, 2
		cmp	[eax+1], bl
		jz	short loc_840731
		or	edx, 1

loc_840731:				; CODE XREF: ObSetHandleAttributes+BAj
		push	3
		mov	ecx, esi
		call	ExSetHandleAttributes

loc_84073A:				; CODE XREF: ObSetHandleAttributes+E5EB3j
		xor	eax, eax
		inc	eax
		lock xadd [esi], eax
		lea	ecx, [edi+20h]
		mov	[esp+38h+var_24], ebx
		xor	edx, edx
		lea	eax, [esp+38h+var_24]
		lock or	[eax], edx
		cmp	[ecx], ebx
		jnz	short loc_8407C5

loc_840755:				; CODE XREF: ObSetHandleAttributes+15Aj
					; ObSetHandleAttributes+E5ECAj
		mov	ecx, [esp+38h+var_20]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[esp+38h+var_2B], 0
		jnz	short loc_8407B8

loc_840765:				; CODE XREF: ObSetHandleAttributes+151j
		cmp	[esp+38h+var_2A], 0
		jnz	loc_926541

loc_840770:				; CODE XREF: ObSetHandleAttributes+E5EDEj
		mov	eax, ebx

loc_840772:				; CODE XREF: ObSetHandleAttributes+E5E82j
		mov	ecx, [esp+38h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_840786:				; CODE XREF: ObSetHandleAttributes+4Dj
		mov	ecx, ds:_PsInitialSystemProcess
		xor	esi, 80000000h
		mov	edi, _ObpKernelHandleTable
		cmp	[esp+38h+var_28], ecx
		jz	loc_8406E4
		lea	eax, [esp+38h+var_1C]
		xor	edx, edx
		push	eax
		call	KiStackAttachProcess
		mov	[esp+38h+var_2B], 1
		jmp	loc_8406E4
; 

loc_8407B8:				; CODE XREF: ObSetHandleAttributes+F1j
		xor	edx, edx
		lea	ecx, [esp+38h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	short loc_840765
; 

loc_8407C5:				; CODE XREF: ObSetHandleAttributes+E1j
		xor	edx, edx
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	short loc_840755
ObSetHandleAttributes endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpLookupDirectoryEntryEx proc near	; CODE XREF: ObpDeleteNameCheck+162p
					; ObpCreateSymbolicLinkName+189p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00926555 SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [edx+4]
		push	esi
		push	edi
		movzx	edi, word ptr [edx]
		xor	esi, esi
		shr	eax, 6
		and	al, 1
		mov	[ebp+var_8], edx
		shr	edi, 1
		mov	[ebp+var_4], ecx
		mov	byte ptr [ebp+arg_0], al
		jz	short loc_840820

loc_8407F8:				; CODE XREF: ObpLookupDirectoryEntryEx+4Ej
		movzx	eax, word ptr [ebx]
		lea	ebx, [ebx+2]
		mov	ecx, esi
		mov	[ebp+var_C], eax
		shr	ecx, 1
		lea	esi, [esi+esi*2]
		mov	edx, eax
		dec	edi
		add	esi, ecx
		cmp	edx, 61h
		jb	short loc_84081A
		cmp	edx, 7Ah
		ja	short loc_840863
		add	esi, 0FFFFFFE0h

loc_84081A:				; CODE XREF: ObpLookupDirectoryEntryEx+40j
		add	esi, edx

loc_84081C:				; CODE XREF: ObpLookupDirectoryEntryEx+A0j
		test	edi, edi
		jnz	short loc_8407F8

loc_840820:				; CODE XREF: ObpLookupDirectoryEntryEx+26j
		mov	edi, [ebp+arg_C]
		mov	eax, 0BACF914Dh
		push	[ebp+arg_0]
		mul	esi
		mov	eax, esi
		mov	ecx, esi
		sub	eax, edx
		mov	[edi+0Ch], esi
		shr	eax, 1
		add	eax, edx
		mov	edx, [ebp+var_8]
		shr	eax, 5
		imul	eax, 25h
		push	edi
		sub	ecx, eax
		mov	[edi+10h], cx
		mov	ecx, [ebp+var_4]
		call	ObpLookupDirectoryUsingHash
		mov	esi, eax
		test	esi, esi
		jz	short loc_840872

loc_840858:				; CODE XREF: ObpLookupDirectoryEntryEx+A6j
					; ObpLookupDirectoryEntryEx+E5DD5j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_840863:				; CODE XREF: ObpLookupDirectoryEntryEx+45j
		mov	ecx, [ebp+var_C]
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		movzx	eax, ax
		add	esi, eax
		jmp	short loc_84081C
; 

loc_840872:				; CODE XREF: ObpLookupDirectoryEntryEx+86j
		cmp	[ebp+arg_4], 0
		jz	short loc_840858
		mov	eax, [ebp+var_4]
		jmp	loc_926555
ObpLookupDirectoryEntryEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpLookupDirectoryUsingHash proc near	; CODE XREF: ObpLookupDirectoryEntryEx+7Dp
					; ObpLookupDirectoryEntryEx+E5DC7p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009265B4 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_C], edx
		push	edi
		mov	[ebp+var_8], ecx
		movzx	eax, word ptr [esi+10h]
		mov	dl, [esi+12h]
		mov	[ebp+var_1], dl
		lea	ebx, [ecx+eax*4]
		test	dl, dl
		jz	loc_84092C

loc_8408A9:				; CODE XREF: ObpLookupDirectoryUsingHash+B5j
		mov	edi, [ebx]
		test	edi, edi
		jz	short loc_84091E
		mov	eax, [esi+0Ch]
		mov	esi, [ebp+var_C]
		mov	[ebp+var_10], eax

loc_8408B8:				; CODE XREF: ObpLookupDirectoryUsingHash+9Aj
		cmp	[edi+8], eax
		jnz	short loc_840914
		mov	ecx, [edi+4]
		push	[ebp+arg_4]
		sub	ecx, 18h
		movzx	eax, byte ptr [ecx+0Eh]
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		add	ecx, 4
		push	ecx
		push	esi
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_840911

loc_8408E4:				; CODE XREF: ObpLookupDirectoryUsingHash+9Cj
		mov	esi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_84091E
		mov	edi, [edi+4]
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		cmp	[ebp+var_1], 0
		jz	short loc_84093A

loc_8408FB:				; CODE XREF: ObpLookupDirectoryUsingHash+C6j
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_840948

loc_840902:				; CODE XREF: ObpLookupDirectoryUsingHash+CDj
		mov	[esi+4], edi
		mov	eax, edi
		mov	[esi+8], ebx

loc_84090A:				; CODE XREF: ObpLookupDirectoryUsingHash+AAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_840911:				; CODE XREF: ObpLookupDirectoryUsingHash+62j
		mov	eax, [ebp+var_10]

loc_840914:				; CODE XREF: ObpLookupDirectoryUsingHash+3Bj
		mov	ebx, edi
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_8408B8
		jmp	short loc_8408E4
; 

loc_84091E:				; CODE XREF: ObpLookupDirectoryUsingHash+2Dj
					; ObpLookupDirectoryUsingHash+69j
		cmp	[ebp+var_1], 0
		jz	loc_9265B4

loc_840928:				; CODE XREF: ObpLookupDirectoryUsingHash+E5D3Ej
		xor	eax, eax
		jmp	short loc_84090A
; 

loc_84092C:				; CODE XREF: ObpLookupDirectoryUsingHash+23j
		mov	edx, ecx
		mov	ecx, esi
		call	_ObpLockDirectoryShared@8 ; ObpLockDirectoryShared(x,x)
		jmp	loc_8408A9
; 

loc_84093A:				; CODE XREF: ObpLookupDirectoryUsingHash+79j
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_ObpUnlockDirectory@8 ;	ObpUnlockDirectory(x,x)
		xor	ebx, ebx
		jmp	short loc_8408FB
; 

loc_840948:				; CODE XREF: ObpLookupDirectoryUsingHash+80j
		call	ObfDereferenceObject
		jmp	short loc_840902
ObpLookupDirectoryUsingHash endp

; 
		align 10h

;  S U B	R O U T	I N E 


ObpRemovePendingDirectoryItem proc near	; CODE XREF: ObpDeleteNameCheck:loc_8CA13Cp

; FUNCTION CHUNK AT 009265C3 SIZE 0000001C BYTES

		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _ObpPendingObjectDirectoryListLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	esi, _ObpPendingObjectDirectoryList
		test	esi, esi
		jnz	loc_9265C3

loc_84097F:				; CODE XREF: ObpRemovePendingDirectoryItem+E5C7Dj
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	esi, esi
		jnz	loc_9265D2

loc_840995:				; CODE XREF: ObpRemovePendingDirectoryItem+E5C8Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
ObpRemovePendingDirectoryItem endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpMarkDirectoryObjectsTemporary proc near ; CODE XREF:	ObpDeleteNameCheck+181607p
					; ObpDeleteNameCheck+181619p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 009265DF SIZE 00000094 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_2C], 0FFFF1234h
		xor	ecx, ecx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_38], ecx
		xor	eax, eax
		mov	[ebp+var_34], ecx
		mov	edx, esi
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ecx
		lea	ecx, [ebp+var_40]
		push	edi
		mov	[ebp+var_30], eax
		call	_ObpLockDirectoryExclusive@8 ; ObpLockDirectoryExclusive(x,x)
		push	25h
		mov	ebx, esi
		pop	eax
		mov	[ebp+var_14], ebx
		mov	[ebp+var_18], eax

loc_8409DB:				; CODE XREF: ObpMarkDirectoryObjectsTemporary+54j
		mov	esi, [ebx]
		mov	[ebp+var_10], ebx
		test	esi, esi
		jnz	short loc_840A02

loc_8409E4:				; CODE XREF: ObpMarkDirectoryObjectsTemporary+FEj
		add	ebx, 4
		sub	eax, 1
		mov	[ebp+var_14], ebx
		mov	[ebp+var_18], eax
		jnz	short loc_8409DB
		mov	ecx, [ebp+var_1C]
		lea	edx, [ebp+var_40]
		call	_ObpUnlockDirectory@8 ;	ObpUnlockDirectory(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_840A02:				; CODE XREF: ObpMarkDirectoryObjectsTemporary+46j
		mov	ebx, [ebp+var_1C]

loc_840A05:				; CODE XREF: ObpMarkDirectoryObjectsTemporary+F2j
		mov	edx, [esi+4]
		mov	[ebp+var_1], 0
		mov	[ebp+var_8], edx
		lea	edi, [edx-18h]
		mov	al, [edi+0Eh]
		test	al, 2
		jz	loc_9265DF
		movzx	eax, al
		mov	ecx, edi
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		mov	[ebp+var_C], ecx

loc_840A31:				; CODE XREF: ObpMarkDirectoryObjectsTemporary+E5C47j
		mov	ecx, edx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [edi+8]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_28], eax
		call	ExAcquirePushLockExclusiveEx
		and	byte ptr [edi+0Fh], 0EFh
		cmp	dword ptr [edi+4], 0
		setz	al
		test	al, al
		jnz	loc_9265E8

loc_840A68:				; CODE XREF: ObpMarkDirectoryObjectsTemporary+E5C53j
		mov	edi, [ebp+var_8]

loc_840A6B:				; CODE XREF: ObpMarkDirectoryObjectsTemporary+E5CD2j
		mov	ecx, [ebp+var_28]
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, edi
		call	ObfDereferenceObject
		cmp	[ebp+var_1], 0
		jnz	short loc_840A8C
		mov	[ebp+var_10], esi
		mov	esi, [esi]

loc_840A8C:				; CODE XREF: ObpMarkDirectoryObjectsTemporary+E9j
		test	esi, esi
		jnz	loc_840A05
		mov	ebx, [ebp+var_14]
		mov	eax, [ebp+var_18]
		jmp	loc_8409E4
ObpMarkDirectoryObjectsTemporary endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtQueryDirectoryObject(int,void	*,int,char,int,int,int)
_NtQueryDirectoryObject@28 proc	near	; DATA XREF: .text:00580E94o

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A6F28
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 54h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_4C], 0
		mov	[ebp+var_48], 0
		mov	[ebp+var_5C], 0
		mov	[ebp+var_58], 0
		xor	eax, eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_50], 0FFFF1234h
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_3C], al
		test	al, al
		jz	loc_840BA9
		mov	[ebp+var_4], 0
		push	2
		mov	ebx, [ebp+arg_8]
		push	ebx
		push	[ebp+arg_4]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	edx, [ebp+arg_14]
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_840B3F
		mov	ecx, eax

loc_840B3F:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+9Bj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	esi, [ebp+arg_18]
		test	esi, esi
		jz	short loc_840B5B
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_840B57
		mov	ecx, eax

loc_840B57:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+B3j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_840B5B:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+A8j
		cmp	byte ptr [ebp+arg_10], 0
		jz	short loc_840B65
		xor	eax, eax
		jmp	short loc_840B67
; 

loc_840B65:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+BFj
		mov	eax, [edx]

loc_840B67:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+C3j
		mov	[ebp+var_40], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, eax
		jmp	short loc_840BBE
; 

loc_840B78:				; DATA XREF: .text:006A6F3Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		mov	eax, 1
		retn
; 

loc_840B88:				; DATA XREF: .text:006A6F40o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-44h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_840BA9:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+74j
		mov	ebx, [ebp+arg_8]
		cmp	byte ptr [ebp+arg_10], 0
		jz	short loc_840BB6
		xor	esi, esi
		jmp	short loc_840BBB
; 

loc_840BB6:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+110j
		mov	esi, [ebp+arg_14]
		mov	esi, [esi]

loc_840BBB:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+114j
		mov	[ebp+var_20], esi

loc_840BBE:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+D6j
		lea	eax, [ebx+10h]
		cmp	ebx, eax
		jbe	short loc_840BDE
		mov	eax, 0C000000Dh
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_840BDE:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+123j
		push	6D4E624Fh
		push	eax
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	[ebp+var_30], eax
		test	eax, eax
		jnz	short loc_840C0B
		mov	eax, 0C000009Ah
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_840C0B:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+150j
		push	ebx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, _ObpDirectoryObjectType
		mov	[ebp+var_2C], 0
		push	0
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	[ebp+var_3C]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_840C5D
		push	0
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_840C5D:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+19Bj
		mov	eax, [ebp+var_30]
		mov	[ebp+arg_10], eax
		mov	[ebp+var_28], 10h
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+arg_0], ebx
		mov	[ebp+var_24], 8000001Ah
		mov	edi, [ebp+var_2C]
		mov	edx, edi
		lea	ecx, [ebp+var_64]
		call	_ObpLockDirectoryShared@8 ; ObpLockDirectoryShared(x,x)
		xor	eax, eax
		mov	[ebp+var_38], eax
		jmp	short loc_840C90
; 
		align 10h

loc_840C90:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+1EBj
					; NtQueryDirectoryObject(x,x,x,x,x,x,x)+35Dj
		mov	ecx, [edi+eax*4]
		mov	[ebp+var_34], ecx
		test	ecx, ecx
		jz	loc_840DF6
		mov	edi, edi

loc_840CA0:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+34Aj
		mov	[ebp+var_3C], ebx
		mov	eax, ebx
		inc	ebx
		mov	[ebp+var_1C], ebx
		cmp	esi, eax
		jnz	loc_840DE3
		mov	esi, [ecx+4]
		mov	al, [esi-0Ah]
		test	al, 2
		jz	short loc_840CDD
		movzx	eax, al
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		lea	ecx, [esi-18h]
		sub	ecx, eax
		jz	short loc_840CDD
		mov	ebx, [ecx+4]
		mov	[ebp+var_4C], ebx
		mov	eax, [ecx+8]
		mov	[ebp+var_48], eax
		jmp	short loc_840CEB
; 

loc_840CDD:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+219j
					; NtQueryDirectoryObject(x,x,x,x,x,x,x)+22Dj
		push	0
		lea	eax, [ebp+var_4C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ebx, [ebp+var_4C]

loc_840CEB:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+23Bj
		lea	edx, [esi-18h]
		shr	edx, 8
		mov	[ebp+var_24], edx
		movzx	edx, dl
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		movzx	edi, word ptr [eax+8]
		movzx	ebx, bx
		call	_Feature_1148767544__private_IsEnabledDeviceUsage@0 ; Feature_1148767544__private_IsEnabledDeviceUsage()
		add	edi, 14h
		add	edi, [ebp+var_28]
		add	edi, ebx
		test	eax, eax
		jz	short loc_840D2E
		cmp	[ebp+var_28], edi
		ja	loc_840F0D

loc_840D2E:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+283j
		cmp	edi, [ebp+arg_8]
		ja	loc_840EDC
		movzx	eax, word ptr [ebp+var_4C]
		mov	ecx, [ebp+arg_10]
		mov	[ecx], ax
		mov	eax, [ebp+var_4C]
		add	eax, 2
		mov	[ecx+2], ax
		mov	eax, [ebp+var_48]
		mov	[ecx+4], eax
		mov	dl, byte ptr ds:_ObHeaderCookie
		movzx	ecx, dl
		mov	ebx, [ebp+var_24]
		movzx	eax, bl
		xor	ecx, eax
		movzx	eax, byte ptr [esi-0Ch]
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		movzx	eax, word ptr [eax+8]
		mov	ecx, [ebp+arg_10]
		mov	[ecx+8], ax
		movzx	ecx, dl
		movzx	eax, bl
		xor	ecx, eax
		movzx	eax, byte ptr [esi-0Ch]
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		movzx	eax, word ptr [eax+8]
		add	ax, 2
		mov	ecx, [ebp+arg_10]
		mov	[ecx+0Ah], ax
		movzx	ecx, dl
		movzx	eax, bl
		xor	ecx, eax
		movzx	eax, byte ptr [esi-0Ch]
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	eax, [eax+0Ch]
		mov	ecx, [ebp+arg_10]
		mov	[ecx+0Ch], eax
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_28], edi
		add	ecx, 10h
		mov	[ebp+arg_10], ecx
		mov	eax, [ebp+arg_0]
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	[ebp+arg_C], bl
		jnz	short loc_840E0C
		mov	esi, [ebp+var_20]
		inc	esi
		mov	[ebp+var_20], esi
		mov	ecx, [ebp+var_34]
		mov	ebx, [ebp+var_1C]

loc_840DE3:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+20Bj
		mov	ecx, [ecx]
		mov	[ebp+var_34], ecx
		test	ecx, ecx
		jnz	loc_840CA0
		mov	eax, [ebp+var_38]
		mov	edi, [ebp+var_2C]

loc_840DF6:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+1F8j
		inc	eax
		mov	[ebp+var_38], eax
		cmp	eax, 25h
		jb	loc_840C90
		mov	ebx, [ebp+var_24]
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+arg_0]

loc_840E0C:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+334j
		mov	esi, [ebp+var_1C]

loc_840E0F:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+468j
					; NtQueryDirectoryObject(x,x,x,x,x,x,x)+481j
		test	ebx, ebx
		js	loc_840E94
		xor	edx, edx
		mov	[ecx], edx
		mov	[ecx+4], edx
		mov	[ecx+8], edx
		mov	[ecx+0Ch], edx
		lea	edi, [ecx+10h]
		test	eax, eax
		jz	short loc_840E94
		mov	esi, [ebp+var_30]
		lea	ebx, [esi+0Ch]

loc_840E31:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+3ECj
		dec	eax
		mov	[ebp+arg_0], eax
		movzx	eax, word ptr [ebx-0Ch]
		push	eax		; size_t
		mov	eax, [ebx-8]
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, edi
		sub	eax, esi
		add	eax, [ebp+arg_4]
		mov	[ebx-8], eax
		movzx	eax, word ptr [ebx-0Ch]
		add	edi, eax
		xor	eax, eax
		mov	[edi], ax
		add	edi, 2
		movzx	eax, word ptr [ebx-4]
		push	eax		; size_t
		mov	eax, [ebx]
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 18h
		mov	eax, edi
		sub	eax, esi
		add	eax, [ebp+arg_4]
		mov	[ebx], eax
		movzx	eax, word ptr [ebx-4]
		add	edi, eax
		xor	eax, eax
		mov	[edi], ax
		add	edi, 2
		lea	ebx, [ebx+10h]
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_840E31
		mov	esi, [ebp+var_1C]
		mov	ebx, [ebp+var_24]

loc_840E94:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+371j
					; NtQueryDirectoryObject(x,x,x,x,x,x,x)+389j
		lea	edx, [ebp+var_64]
		mov	ecx, [ebp+var_2C]
		call	_ObpUnlockDirectory@8 ;	ObpUnlockDirectory(x,x)
		mov	[ebp+var_4], 1
		mov	edi, [ebp+var_28]
		mov	eax, [ebp+arg_8]
		cmp	edi, eax
		ja	short loc_840EB2
		mov	eax, edi

loc_840EB2:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+40Ej
		push	eax		; size_t
		push	[ebp+var_30]	; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+arg_18]
		test	eax, eax
		jz	short loc_840ECA
		mov	[eax], edi

loc_840ECA:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+426j
		test	ebx, ebx
		js	short loc_840ED3
		mov	eax, [ebp+arg_14]
		mov	[eax], esi

loc_840ED3:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+42Cj
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_840F39
; 

loc_840EDC:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+291j
		mov	al, [ebp+arg_C]
		test	al, al
		jz	short loc_840EE6
		mov	[ebp+var_28], edi

loc_840EE6:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+441j
		mov	esi, [ebp+var_3C]
		mov	[ebp+var_1C], esi
		movzx	ebx, al
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 0BFFFFF1Eh
		add	ebx, 105h
		mov	[ebp+var_24], ebx
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+arg_0]
		jmp	loc_840E0F
; 

loc_840F0D:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+288j
		mov	ebx, 105h
		mov	[ebp+var_24], ebx
		mov	esi, [ebp+var_3C]
		mov	[ebp+var_1C], esi
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+arg_0]
		jmp	loc_840E0F
; 

loc_840F26:				; DATA XREF: .text:006A6F48o
		mov	eax, 1
		retn
; 

loc_840F2C:				; DATA XREF: .text:006A6F4Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-24h]

loc_840F39:				; CODE XREF: NtQueryDirectoryObject(x,x,x,x,x,x,x)+43Aj
		mov	ecx, [ebp+var_2C]
		call	ObfDereferenceObject
		push	0
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, ebx
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_NtQueryDirectoryObject@28 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSessionInputChange(x, x,	x)
_PopSessionInputChange@12 proc near	; CODE XREF: NtPowerInformation+E7Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		mov	bh, [edx]
		mov	eax, offset ??_C@_06MAFFGDO@Active@NNGAKEGL@ ; "Active"
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [edx+4]
		test	bh, bh
		jnz	short loc_840F83
		mov	eax, offset ??_C@_07NPCGECPI@Passive@NNGAKEGL@ ; "Passive"

loc_840F83:				; CODE XREF: PopSessionInputChange(x,x,x)+1Aj
		cmp	_PopConsoleContext, esi
		jnz	short loc_840FF8
		mov	ecx, offset ??_C@_07PGLPGHFC@Console@NNGAKEGL@ ; "Console"
		cmp	esi, 0FFFFFFFFh
		jz	short loc_840FF8

loc_840F95:				; CODE XREF: PopSessionInputChange(x,x,x)+9Bj
		push	eax
		push	esi
		push	ecx
		push	offset ??_C@_0CN@DEKNCEJP@PopAdaptive?3?$DO?$DO?$DO?$DO?$DO?5?$CFs?5session?5?$CFu@NNGAKEGL@ ; "PopAdaptive:>>>>> %s session %u	input i"...
		push	3
		call	_PopPrintEx
		add	esp, 14h
		cmp	_PopConsoleContext, esi
		jnz	short loc_840FFF
		cmp	esi, 0FFFFFFFFh
		jz	short loc_840FFF
		mov	bl, 1

loc_840FB6:				; CODE XREF: PopSessionInputChange(x,x,x)+9Fj
		mov	ecx, offset _POP_ETW_ADPM_ACTIVE_INPUT
		test	bh, bh
		jnz	short loc_840FC4
		mov	ecx, offset _POP_ETW_ADPM_PASSIVE_INPUT

loc_840FC4:				; CODE XREF: PopSessionInputChange(x,x,x)+5Bj
		movzx	eax, bl
		mov	edx, esi
		push	eax
		call	_PopDiagTraceSessionState@12 ; PopDiagTraceSessionState(x,x,x)
		mov	cl, 1
		call	PopAcquireAdaptiveLock
		mov	ecx, esi
		test	bh, bh
		jnz	short loc_841003
		test	bl, bl
		jz	short loc_841013
		push	[ebp+arg_0]
		mov	edx, edi
		call	_PopConsoleSessionPassiveInput@12 ; PopConsoleSessionPassiveInput(x,x,x)

loc_840FEA:				; CODE XREF: PopSessionInputChange(x,x,x)+AFj
					; PopSessionInputChange(x,x,x)+CDj
		call	PopReleaseAdaptiveLock
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_840FF8:				; CODE XREF: PopSessionInputChange(x,x,x)+27j
					; PopSessionInputChange(x,x,x)+31j
		mov	ecx, offset ??_C@_06MHHFENDB@Remote@NNGAKEGL@ ;	"Remote"
		jmp	short loc_840F95
; 

loc_840FFF:				; CODE XREF: PopSessionInputChange(x,x,x)+4Bj
					; PopSessionInputChange(x,x,x)+50j
		xor	bl, bl
		jmp	short loc_840FB6
; 

loc_841003:				; CODE XREF: PopSessionInputChange(x,x,x)+78j
		test	bl, bl
		jz	short loc_841031
		push	[ebp+arg_0]
		mov	edx, edi
		call	_PopConsoleSessionActiveInput@12 ; PopConsoleSessionActiveInput(x,x,x)
		jmp	short loc_840FEA
; 

loc_841013:				; CODE XREF: PopSessionInputChange(x,x,x)+7Cj
		push	2
		pop	edx

loc_841016:				; CODE XREF: PopSessionInputChange(x,x,x)+D1j
		call	_PopSetSessionUserStatus@8 ; PopSetSessionUserStatus(x,x)
		mov	ecx, esi
		call	_PopGetDisplayTimeout@4	; PopGetDisplayTimeout(x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx+4], eax
		mov	eax, _PopInputTimeout
		mov	[ecx], eax
		jmp	short loc_840FEA
; 

loc_841031:				; CODE XREF: PopSessionInputChange(x,x,x)+A3j
		xor	edx, edx
		jmp	short loc_841016
_PopSessionInputChange@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopReleaseAdaptiveLock proc near	; CODE XREF: PopSessionInputChange(x,x,x):loc_840FEAp
					; PopSetDisplayStatus(x)+31p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= byte ptr -28h
var_27		= byte ptr -27h
var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00926673 SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		and	ds:_PopAdpmLockThread, eax
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_38]
		push	6
		pop	ecx
		rep stosd
		cmp	_PopLazyContext, al
		jnz	loc_926673

loc_84106E:				; CODE XREF: PopReleaseAdaptiveLock+E564Fj
		mov	ecx, offset _PopAdpmLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	byte ptr [ebp+var_38], 0
		jnz	loc_92668A

loc_84108E:				; CODE XREF: PopReleaseAdaptiveLock+E56A0j
					; PopReleaseAdaptiveLock+E56B1j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopReleaseAdaptiveLock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopAcquireAdaptiveLock proc near	; CODE XREF: PopSessionInputChange(x,x,x)+6Fp
					; PopSetDisplayStatus(x)+21p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009266EC SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	bl, cl
		lea	edi, [ebp+var_1C]
		push	6
		xor	eax, eax
		or	esi, 0FFFFFFFFh
		pop	ecx
		rep stosd
		test	bl, bl
		jz	loc_9266EC

loc_8410C8:				; CODE XREF: PopAcquireAdaptiveLock+E566Dj
					; PopAcquireAdaptiveLock+E5689j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PopAdpmLock
		call	ExAcquireResourceExclusiveLite
		mov	eax, large fs:124h
		mov	ds:_PopAdpmLockThread, eax
		test	bl, bl
		jz	loc_92672A

loc_8410F5:				; CODE XREF: PopAcquireAdaptiveLock+E56A7j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopAcquireAdaptiveLock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceSessionState(x,	x, x)
_PopDiagTraceSessionState@12 proc near	; CODE XREF: PopSessionInputChange(x,x,x)+68p
					; PopSetSessionUserStatus(x,x)+43p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	esi
		mov	[ebp+var_28], edx
		mov	esi, ecx
		jz	short loc_841173
		push	ebx
		mov	ebx, _PopDiagHandle
		push	edi
		mov	edi, dword_6C1D74
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_841171
		push	4
		pop	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		xor	edx, edx
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	esi
		push	edi
		push	ebx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_841171:				; CODE XREF: PopDiagTraceSessionState(x,x,x)+39j
		pop	edi
		pop	ebx

loc_841173:				; CODE XREF: PopDiagTraceSessionState(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceSessionState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceSessionStateCounted(x, x, x, x)
_PopDiagTraceSessionStateCounted@16 proc near ;	CODE XREF: PopEvaluateGlobalUserStatus+73p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		or	[ebp+var_3C], 0FFFFFFFFh
		cmp	_PopDiagHandleRegistered, 0
		mov	eax, _PopGlobalUserPresenceStateTransitions
		mov	[ebp+var_38], eax
		jz	short loc_84120D
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_ADPM_GLOBAL_INPUT_STATE
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_84120A
		lea	eax, [ebp+var_3C]
		xor	edx, edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_84120A:				; CODE XREF: PopDiagTraceSessionStateCounted(x,x,x,x)+45j
		pop	edi
		pop	esi
		pop	ebx

loc_84120D:				; CODE XREF: PopDiagTraceSessionStateCounted(x,x,x,x)+25j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopDiagTraceSessionStateCounted@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PopSetPowerSettingValueAcDc(int,SIZE_T	Length,void *)
_PopSetPowerSettingValueAcDc@12	proc near ; CODE XREF: PdcPoLowPower(x)+1Dp
					; PopScanIdleList(x,x,x)+28Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_0]	; void *
		mov	edi, edx
		xor	esi, esi
		push	edi		; Length
		push	esi		; int
		or	edx, 0FFFFFFFFh
		mov	ebx, ecx
		call	PopSetPowerSettingValue
		test	eax, eax
		js	short loc_841258

loc_84123B:				; CODE XREF: PopSetPowerSettingValueAcDc(x,x,x)+3Ej
		push	[ebp+arg_0]	; void *
		or	edx, 0FFFFFFFFh
		mov	ecx, ebx
		push	edi		; Length
		push	1		; int
		call	PopSetPowerSettingValue
		test	eax, eax
		js	short loc_84125C

loc_84124F:				; CODE XREF: PopSetPowerSettingValueAcDc(x,x,x)+42j
					; PopSetPowerSettingValueAcDc(x,x,x)+46j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_841258:				; CODE XREF: PopSetPowerSettingValueAcDc(x,x,x)+1Dj
		mov	esi, eax
		jmp	short loc_84123B
; 

loc_84125C:				; CODE XREF: PopSetPowerSettingValueAcDc(x,x,x)+31j
		test	esi, esi
		js	short loc_84124F
		mov	esi, eax
		jmp	short loc_84124F
_PopSetPowerSettingValueAcDc@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdateTimeouts(x, x, x)
_PopUpdateTimeouts@12 proc near		; CODE XREF: PopConsoleSessionPassiveInput(x,x,x)+53p
					; PopConsoleSessionActiveInput(x,x,x)+57p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		movzx	eax, byte ptr [edi+4]
		movzx	edx, byte ptr [edi+5]
		mov	ecx, [edi]
		push	eax
		call	_PopDiagTraceDisplayTimeout@12 ; PopDiagTraceDisplayTimeout(x,x,x)
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_841291
		mov	eax, [esi]
		mov	[ebp+arg_0], eax
		jmp	short loc_841295
; 

loc_841291:				; CODE XREF: PopUpdateTimeouts(x,x,x)+24j
		and	[ebp+arg_0], 0

loc_841295:				; CODE XREF: PopUpdateTimeouts(x,x,x)+2Bj
		mov	ebx, offset ??_C@_06BCNFPLAD@Zeroed@NNGAKEGL@ ;	"Zeroed"
		mov	eax, offset ??_C@_00CNPNBAHC@@NNGAKEGL@
		test	esi, esi
		jz	short loc_8412B1
		cmp	byte ptr [esi+5], 0
		jz	short loc_8412AD
		mov	ecx, ebx
		jmp	short loc_8412B6
; 

loc_8412AD:				; CODE XREF: PopUpdateTimeouts(x,x,x)+43j
		mov	ecx, eax
		jmp	short loc_8412B6
; 

loc_8412B1:				; CODE XREF: PopUpdateTimeouts(x,x,x)+3Dj
		mov	ecx, offset ??_C@_06FFEJIFDJ@?5NULL?5@NNGAKEGL@

loc_8412B6:				; CODE XREF: PopUpdateTimeouts(x,x,x)+47j
					; PopUpdateTimeouts(x,x,x)+4Bj
		mov	edx, offset ??_C@_08IMIDLJHM@Computed@NNGAKEGL@	; "Computed"
		test	esi, esi
		jz	short loc_8412C9
		cmp	byte ptr [esi+4], 0
		jz	short loc_8412CE
		mov	eax, edx
		jmp	short loc_8412CE
; 

loc_8412C9:				; CODE XREF: PopUpdateTimeouts(x,x,x)+59j
		mov	eax, offset ??_C@_04HIBGFPH@NULL@NNGAKEGL@ ; "NULL"

loc_8412CE:				; CODE XREF: PopUpdateTimeouts(x,x,x)+5Fj
					; PopUpdateTimeouts(x,x,x)+63j
		cmp	byte ptr [edi+5], 0
		jnz	short loc_8412D9
		mov	ebx, offset ??_C@_00CNPNBAHC@@NNGAKEGL@

loc_8412D9:				; CODE XREF: PopUpdateTimeouts(x,x,x)+6Ej
		cmp	byte ptr [edi+4], 0
		jnz	short loc_8412E4
		mov	edx, offset ??_C@_00CNPNBAHC@@NNGAKEGL@

loc_8412E4:				; CODE XREF: PopUpdateTimeouts(x,x,x)+79j
		push	[ebp+arg_0]
		push	ecx
		push	eax
		push	dword ptr [edi]
		push	ebx
		push	edx
		push	[ebp+var_4]
		push	offset ??_C@_0EK@LADGLMEH@PopAdaptive?3?5Console?5session?5?$CFu@NNGAKEGL@ ; "PopAdaptive: Console session %u timeout"...
		push	3
		call	_PopPrintEx
		mov	eax, [edi]
		add	esp, 24h
		mov	dword_6BFBAC, eax
		mov	eax, [edi+4]
		mov	dword_6BFBB0, eax
		test	esi, esi
		jz	short loc_841331
		mov	eax, [esi]
		mov	dword_6BFBA4, eax
		mov	eax, [esi+4]
		mov	dword_6BFBA8, eax
		movzx	eax, byte ptr [esi+4]
		movzx	edx, byte ptr [esi+5]
		mov	ecx, [esi]
		push	eax
		call	_PopDiagTraceInputTimeout@12 ; PopDiagTraceInputTimeout(x,x,x)

loc_841331:				; CODE XREF: PopUpdateTimeouts(x,x,x)+ACj
		cmp	byte ptr [edi+4], 0
		jz	short loc_841381
		mov	edi, ds:0FFDF0004h
		mov	ebx, 0FFDF0324h
		mov	[ebp+arg_0], edi
		mov	esi, [ebx]
		lea	edx, [ebx-4]
		mov	edx, [edx]
		lea	ecx, [ebx+4]
		mov	eax, [ecx]
		cmp	esi, eax
		jz	short loc_84136C
		lea	edi, [ebx-4]

loc_841358:				; CODE XREF: PopUpdateTimeouts(x,x,x)+103j
		pause
		mov	esi, [ebx]
		mov	edx, [edi]
		mov	ecx, [ecx]
		cmp	esi, ecx
		mov	ecx, 0FFDF0328h
		jnz	short loc_841358
		mov	edi, [ebp+arg_0]

loc_84136C:				; CODE XREF: PopUpdateTimeouts(x,x,x)+EFj
		mov	eax, edx
		shl	esi, 8
		mul	edi
		imul	esi, edi
		shrd	eax, edx, 18h
		add	eax, esi
		mov	dword_6BFBBC, eax

loc_841381:				; CODE XREF: PopUpdateTimeouts(x,x,x)+D1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopUpdateTimeouts@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceInputTimeout(x,	x, x)
_PopDiagTraceInputTimeout@12 proc near	; CODE XREF: PopUpdateTimeouts(x,x,x)+C8p
					; PopCheckConsoleTimeouts()+77p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], ecx
		jz	short loc_84140D
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_ADPM_INPUT_TIMEOUT
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_84140A
		lea	eax, [ebp+var_38]
		xor	edx, edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_84140A:				; CODE XREF: PopDiagTraceInputTimeout(x,x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx

loc_84140D:				; CODE XREF: PopDiagTraceInputTimeout(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceInputTimeout@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetSessionUserStatus(x, x)
_PopSetSessionUserStatus@8 proc	near	; CODE XREF: PopConsoleSessionPassiveInput(x,x,x)+34p
					; PopSessionInputChange(x,x,x):loc_841016p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	_PopConsoleContext, esi
		jnz	short loc_84143C
		cmp	esi, 0FFFFFFFFh
		jz	short loc_84143C
		mov	dword_6BFBC0, edi

loc_84143C:				; CODE XREF: PopSetSessionUserStatus(x,x)+13j
					; PopSetSessionUserStatus(x,x)+18j
		mov	ecx, edi
		mov	[ebp+var_4], edi
		call	_PopPrintUserActivityPresence@4	; PopPrintUserActivityPresence(x)
		push	eax
		push	esi
		push	offset ??_C@_0DK@LPHCJPDP@PopAdaptive?3?5Session?5?$CFu?5user?5pr@NNGAKEGL@
		push	3
		call	_PopPrintEx
		add	esp, 10h
		mov	edx, esi
		mov	ecx, offset _POP_ETW_ADPM_SESSION_INPUT_STATE
		push	edi
		call	_PopDiagTraceSessionState@12 ; PopDiagTraceSessionState(x,x,x)
		lea	eax, [ebp+var_4]
		mov	ebx, offset _GUID_SESSION_USER_PRESENCE
		push	eax		; void *
		push	4		; Length
		push	0		; int
		mov	edx, esi
		mov	ecx, ebx
		call	PopSetPowerSettingValue
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax		; void *
		push	4		; Length
		push	1		; int
		mov	ecx, ebx
		call	PopSetPowerSettingValue
		mov	edx, edi
		mov	ecx, esi
		call	_PopSetGlobalUserStatus@8 ; PopSetGlobalUserStatus(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopSetSessionUserStatus@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopSetGlobalUserStatus(x, x)
_PopSetGlobalUserStatus@8 proc near	; CODE XREF: PopSetSessionUserStatus(x,x)+73p
		mov	edi, edi
		push	ecx
		mov	eax, _PopMaximumConnectionSessions
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	eax, eax
		jz	short loc_8414D5
		cmp	esi, eax
		jnb	short loc_8414E3

loc_8414B0:				; CODE XREF: PopSetGlobalUserStatus(x,x)+4Ej
		cmp	_PopMaximumConnectionSessions, 0
		jz	short loc_8414D5
		mov	ecx, dword_6BFB84
		mov	edx, esi
		shr	edx, 3
		and	esi, 7
		movsx	eax, byte ptr [edx+ecx]
		test	edi, edi
		jz	short loc_8414DE
		btr	eax, esi

loc_8414D2:				; CODE XREF: PopSetGlobalUserStatus(x,x)+47j
		mov	[edx+ecx], al

loc_8414D5:				; CODE XREF: PopSetGlobalUserStatus(x,x)+10j
					; PopSetGlobalUserStatus(x,x)+1Dj
		call	PopEvaluateGlobalUserStatus
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_8414DE:				; CODE XREF: PopSetGlobalUserStatus(x,x)+33j
		bts	eax, esi
		jmp	short loc_8414D2
; 

loc_8414E3:				; CODE XREF: PopSetGlobalUserStatus(x,x)+14j
		call	PopExtendConnectionState
		jmp	short loc_8414B0
_PopSetGlobalUserStatus@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEvaluateGlobalUserStatus proc near	; CODE XREF: PopSetGlobalUserStatus(x,x):loc_8414D5p
					; PopUserPresentOverride(x):loc_9B9D70p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00926748 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		push	esi
		push	edi
		xor	edi, edi
		cmp	_PopUserPresentOverrideCount, edi
		jnz	loc_926748
		cmp	_PopMaximumConnectionSessions, edi
		jz	loc_926748
		push	offset _PopConnectionBitmap
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	esi, eax
		neg	esi
		sbb	esi, esi
		and	esi, 0FFFFFFFEh
		add	esi, 2

loc_841524:				; CODE XREF: PopEvaluateGlobalUserStatus+E5260j
		cmp	esi, _PopGlobalUserPresenceState
		jnz	short loc_841530

loc_84152C:				; CODE XREF: PopEvaluateGlobalUserStatus+D1j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_841530:				; CODE XREF: PopEvaluateGlobalUserStatus+40j
		mov	eax, _PopGlobalUserPresenceStateTransitions
		mov	ecx, esi
		inc	eax
		mov	[ebp+var_4], esi
		push	eax
		mov	_PopGlobalUserPresenceState, esi
		mov	_PopGlobalUserPresenceStateTransitions,	eax
		call	_PopPrintUserActivityPresence@4	; PopPrintUserActivityPresence(x)
		push	eax
		push	offset ??_C@_0EA@LNCIJMCD@PopAdaptive?3?5Global?5user?5presen@NNGAKEGL@	; "PopAdaptive:	Global user presence/activ"...
		push	3
		call	_PopPrintEx
		add	esp, 0Ch
		push	esi
		call	_PopDiagTraceSessionStateCounted@16 ; PopDiagTraceSessionStateCounted(x,x,x,x)
		lea	eax, [ebp+var_4]
		mov	ecx, offset _GUID_GLOBAL_USER_PRESENCE ; int
		push	eax		; void *
		push	4
		pop	edx
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		lea	eax, [ebp+var_58]
		push	44h		; size_t
		push	edi		; int
		push	eax		; void *
		test	esi, esi
		jnz	short loc_8415C0
		mov	[ebp+var_C], edi
		call	_memset
		mov	[ebp+var_54], edi

loc_841589:				; CODE XREF: PopEvaluateGlobalUserStatus+E4j
		add	esp, 0Ch
		mov	[ebp+var_58], 0Ch
		lea	ecx, [ebp+var_58]
		push	edi
		push	44h
		pop	edx
		call	PopUmpoSendPowerMessage
		mov	eax, _PopGlobalUserPresenceStateTransitions
		push	edi
		push	edi
		push	edi
		push	edi
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_C]
		push	8
		push	eax
		push	offset _WNF_PO_SLEEP_STUDY_USER_PRESENCE_CHANGED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		jmp	loc_84152C	; void *
; 

loc_8415C0:				; CODE XREF: PopEvaluateGlobalUserStatus+92j
		xor	esi, esi
		inc	esi
		mov	[ebp+var_C], esi
		call	_memset
		mov	[ebp+var_54], esi
		jmp	short loc_841589
PopEvaluateGlobalUserStatus endp


;  S U B	R O U T	I N E 


; __stdcall PopPrintUserActivityPresence(x)
_PopPrintUserActivityPresence@4	proc near ; CODE XREF: PopSetSessionUserStatus(x,x)+25p
					; PopEvaluateGlobalUserStatus+5Dp
		sub	ecx, 0
		jz	short loc_8415E5
		sub	ecx, 1
		jz	short loc_8415F1
		sub	ecx, 1
		jnz	short loc_8415EB
		mov	eax, offset ??_C@_1CE@KDFOPCHJ@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAU?$AAs?$AAe?$AAr?$AAI?$AAn?$AAa?$AAc?$AAt?$AAi@NNGAKEGL@
		retn
; 

loc_8415E5:				; CODE XREF: PopPrintUserActivityPresence(x)+3j
		mov	eax, offset ??_C@_1CC@GFDAHDL@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAU?$AAs?$AAe?$AAr?$AAP?$AAr?$AAe?$AAs?$AAe?$AAn@NNGAKEGL@ ; "P"
		retn
; 

loc_8415EB:				; CODE XREF: PopPrintUserActivityPresence(x)+Dj
		mov	eax, offset ??_C@_1BA@EOKOFGEP@?$AAI?$AAn?$AAv?$AAa?$AAl?$AAi?$AAd@NNGAKEGL@
		retn
; 

loc_8415F1:				; CODE XREF: PopPrintUserActivityPresence(x)+8j
		mov	eax, offset ??_C@_1CI@BEOFJHFK@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAU?$AAs?$AAe?$AAr?$AAN?$AAo?$AAt?$AAP?$AAr?$AAe@NNGAKEGL@
		retn
_PopPrintUserActivityPresence@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDisplayTimeout(x, x, x)
_PopDiagTraceDisplayTimeout@12 proc near ; CODE	XREF: PopUpdateTimeouts(x,x,x)+1Ap
					; PopCheckConsoleTimeouts()+ECp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], ecx
		jz	short loc_84167D
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_ADPM_DISPLAY_TIMEOUT
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_84167A
		lea	eax, [ebp+var_38]
		xor	edx, edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_84167A:				; CODE XREF: PopDiagTraceDisplayTimeout(x,x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx

loc_84167D:				; CODE XREF: PopDiagTraceDisplayTimeout(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceDisplayTimeout@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopIdleGlobalUserPresenceCallback(void *,int,int,int)
_PopIdleGlobalUserPresenceCallback@16 proc near
					; DATA XREF: PopIdleInitAoAcDozeS4Timer()+34o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	10h		; size_t
		push	offset _GUID_GLOBAL_USER_PRESENCE ; void *
		push	[ebp+arg_0]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_8416E8
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_8416E8
		cmp	[ebp+arg_8], 4
		jnz	short loc_8416E8
		mov	esi, [esi]
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		test	esi, esi
		jnz	short loc_8416E3
		push	2
		pop	ecx
		call	PopIdleCancelAoAcDozeS4Timer
		xor	eax, eax
		mov	dword_6C2710, eax
		mov	dword_6C2714, eax
		mov	dword_6C2778, eax
		mov	dword_6C277C, eax
		mov	dword_6C22D0, eax

loc_8416E3:				; CODE XREF: PopIdleGlobalUserPresenceCallback(x,x,x,x)+32j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_8416E8:				; CODE XREF: PopIdleGlobalUserPresenceCallback(x,x,x,x)+1Aj
					; PopIdleGlobalUserPresenceCallback(x,x,x,x)+21j ...
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	10h
_PopIdleGlobalUserPresenceCallback@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceControlCallback proc near	; DATA XREF: PopDiagInitialize()+Ao

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_10		= dword	ptr  18h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 0092674F SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		cmp	[ebp+arg_4], 2
		mov	[esp+40h+var_30], edi
		jz	short loc_841729

loc_841715:				; CODE XREF: PopDiagTraceControlCallback+279j
					; PopDiagTraceControlCallback+E507Ej ...
		mov	ecx, [esp+40h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_841729:				; CODE XREF: PopDiagTraceControlCallback+23j
		cmp	[ebp+arg_20], offset dword_6B23F8
		jz	loc_92674F
		call	ExTraceTimerResolution
		mov	edx, _PopFxSystemLatencyLimit
		mov	cl, 1
		call	PopDiagTraceSystemLatencyUpdate
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopPowerRequestObjectList
		mov	ebx, offset _PopPowerRequestObjectList
		jmp	short loc_84177A
; 

loc_84176F:				; CODE XREF: PopDiagTraceControlCallback+8Cj
		mov	edx, esi
		mov	cl, 1
		call	_PopDiagTracePowerRequestCreate@8 ; PopDiagTracePowerRequestCreate(x,x)
		mov	esi, [esi]

loc_84177A:				; CODE XREF: PopDiagTraceControlCallback+7Dj
		cmp	esi, ebx
		jnz	short loc_84176F
		cmp	dword_6C3884, edi
		jnz	loc_92677E

loc_84178A:				; CODE XREF: PopDiagTraceControlCallback+E5094j
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	eax, eax
		mov	[esp+40h+var_14], edi
		cmp	dword_6C2D0C, eax
		mov	[esp+40h+var_10], 4
		setz	al
		mov	[esp+40h+var_C], edi
		mov	[esp+40h+var_24], eax
		lea	eax, [esp+40h+var_24]
		mov	[esp+40h+var_18], eax
		lea	eax, [esp+40h+var_18]
		push	eax
		push	1
		push	edi
		push	offset _POP_ETW_EVENT_ACDC_STATE_RUNDOWN
		push	dword_6C1D74
		push	_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		call	_PopRundownPowerSettings@0 ; PopRundownPowerSettings()
		call	_PopThermalTraceRundownEvents@0	; PopThermalTraceRundownEvents()
		mov	[esp+40h+var_2C], edi
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		lea	edx, [esp+40h+var_30]
		lea	ecx, [esp+40h+var_2C]
		call	PopLoggingInformation
		mov	esi, eax
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	ebx, [esp+40h+var_2C]
		test	esi, esi
		js	short loc_841883
		mov	ecx, [ebx]
		lea	eax, [ebx+4]
		mov	[esp+40h+var_1C], ecx
		mov	[esp+40h+var_20], eax
		mov	[esp+40h+var_28], edi
		test	ecx, ecx
		jz	short loc_841883
		mov	eax, [esp+40h+var_30]
		add	eax, ebx
		mov	ebx, [esp+40h+var_20]
		mov	[esp+40h+var_30], eax

loc_841832:				; CODE XREF: PopDiagTraceControlCallback+18Dj
		cmp	ebx, eax
		jnb	short loc_84187F
		mov	esi, [ebx+0Ch]
		lea	eax, [esp+40h+var_18]
		push	eax
		push	1
		push	edi
		push	(offset	loc_407D2E+2)
		push	dword_6C1D74
		add	esi, 10h
		mov	[esp+54h+var_18], ebx
		push	_PopDiagHandle
		mov	[esp+58h+var_14], edi
		mov	[esp+58h+var_10], esi
		mov	[esp+58h+var_C], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [esp+40h+var_28]
		add	ebx, esi
		mov	eax, [esp+40h+var_30]
		inc	ecx
		mov	[esp+40h+var_28], ecx
		cmp	ecx, [esp+40h+var_1C]
		jb	short loc_841832

loc_84187F:				; CODE XREF: PopDiagTraceControlCallback+144j
		mov	ebx, [esp+40h+var_2C]

loc_841883:				; CODE XREF: PopDiagTraceControlCallback+11Dj
					; PopDiagTraceControlCallback+132j
		test	ebx, ebx
		jz	short loc_84188E
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84188E:				; CODE XREF: PopDiagTraceControlCallback+195j
		xor	ecx, ecx
		mov	edx, offset _PopDiagDeviceRundownRequests
		inc	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_8418AC
		push	1
		push	offset _PopDiagDeviceRundownWorkItem
		call	ExQueueWorkItem

loc_8418AC:				; CODE XREF: PopDiagTraceControlCallback+1AEj
		call	PopDiagTraceFxRundown
		call	_PopDiagTracePlatformRoleRundown@0 ; PopDiagTracePlatformRoleRundown()
		call	_PopRundownThermalRequests@0 ; PopRundownThermalRequests()
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		call	PopTraceStandbyConnectivityRundown
		call	PopDiagTraceDeviceComplianceRundown
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		call	_PopDiagTraceDynamicTickStatusRundown@0	; PopDiagTraceDynamicTickStatusRundown()
		call	PopDiagTraceDeepSleepConstraintRundown
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopPowerEventLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C040C, eax
		call	PopDiagTracePowerStateEventRundown
		cmp	dword_6C040C, edi
		jz	short loc_841913
		mov	dword_6C040C, edi

loc_841913:				; CODE XREF: PopDiagTraceControlCallback+21Bj
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopSystemIdleLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C00E4, eax
		call	PopDiagTraceSystemIdleRundown
		cmp	dword_6C00E4, edi
		jz	short loc_84195B
		mov	dword_6C00E4, edi

loc_84195B:				; CODE XREF: PopDiagTraceControlCallback+263j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_841715
PopDiagTraceControlCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSetThreadExecutionState proc near	; DATA XREF: .text:00580C64o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00926789 SIZE 00000057 BYTES

		push	20h
		push	offset dword_6A6F70
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_1C], ecx
		mov	eax, large fs:124h
		mov	dl, [eax+15Ah]
		test	dl, dl
		jz	loc_926789
		mov	esi, large fs:124h
		mov	[ebp+var_28], esi
		mov	ebx, [ebp+arg_0]
		test	ebx, 7FFFFFBCh
		jnz	loc_926793
		test	bl, 40h
		jnz	loc_92679D

loc_8419B8:				; CODE XREF: NtSetThreadExecutionState+E4E33j
		mov	[ebp+ms_exc.disabled], ecx
		mov	edi, [ebp+arg_4]
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jnb	loc_9267A6

loc_8419CD:				; CODE XREF: NtSetThreadExecutionState+E4E3Aj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ebx
		shr	eax, 1Fh
		xor	al, 1
		mov	[ebp+arg_0], eax
		mov	esi, [esi+2E0h]
		mov	[ebp+var_20], esi
		test	esi, esi
		jnz	short loc_841A2F
		test	al, al
		jnz	short loc_841A2F
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		push	1
		push	esi
		xor	ecx, ecx
		call	_PoCaptureReasonContext@24 ; PoCaptureReasonContext(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_841A5F
		mov	edi, [ebp+var_1C]
		push	edi
		xor	dl, dl
		lea	ecx, [ebp+var_20]
		call	_PopCreateUserPowerRequest@12 ;	PopCreateUserPowerRequest(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9267AD
		mov	esi, [ebp+var_20]
		mov	eax, [ebp+var_28]
		mov	[eax+2E0h], esi
		mov	edi, [ebp+arg_4]

loc_841A2F:				; CODE XREF: NtSetThreadExecutionState+7Fj
					; NtSetThreadExecutionState+83j
		lea	eax, [ebp+var_24]
		push	eax
		mov	edx, ebx
		mov	ecx, esi
		call	_PopGetLegacyPowerRequestFlags@12 ; PopGetLegacyPowerRequestFlags(x,x,x)
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_24]
		mov	[edi], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	byte ptr [ebp+arg_0], 0
		jnz	short loc_841A73
		push	eax
		mov	ecx, esi
		call	PopApplyLegacyPowerRequestFlags

loc_841A5D:				; CODE XREF: NtSetThreadExecutionState+115j
					; NtSetThreadExecutionState+163j ...
		xor	esi, esi

loc_841A5F:				; CODE XREF: NtSetThreadExecutionState+98j
					; NtSetThreadExecutionState+E4E20j ...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_841A73:				; CODE XREF: NtSetThreadExecutionState+E5j
		mov	ecx, [ebp+var_28]
		call	_PopDiagTraceSetThreadExecutionState@8 ; PopDiagTraceSetThreadExecutionState(x,x)
		test	bl, 1
		jnz	short loc_841AE5

loc_841A80:				; CODE XREF: NtSetThreadExecutionState+186j
		test	bl, 2
		jz	short loc_841A5D
		push	0
		push	3
		mov	ecx, large fs:124h
		push	0Ch
		pop	edx
		mov	ecx, [ecx+80h]
		call	_PoEnergyContextUpdateComponentPower@16	; PoEnergyContextUpdateComponentPower(x,x,x,x)
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		xor	bl, bl
		cmp	_PopPlatformAoAc, bl
		jnz	loc_9267C1

loc_841AB1:				; CODE XREF: NtSetThreadExecutionState+E4E59j
					; NtSetThreadExecutionState+E4E65j ...
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		call	SessionIsInteractive
		test	al, al
		jz	short loc_841A5D
		test	bl, bl
		jnz	short loc_841A5D
		push	8
		mov	cl, 1
		call	PopNotifyConsoleUserPresent
		jmp	loc_841A5D
; 

loc_841AE5:				; CODE XREF: NtSetThreadExecutionState+110j
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		call	_PopSystemRequiredSet@4	; PopSystemRequiredSet(x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		jmp	short loc_841A80
NtSetThreadExecutionState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopUnicodeStringDeepCopy proc near	; CODE XREF: PoGetRequester(x,x,x)+BDp
					; PopAvlFindOrMakeStatsForPowerRequest+C9p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00926813 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ebx
		mov	eax, 0FFFFh
		push	esi
		lea	esi, [ecx+4]
		movzx	ebx, word ptr [ebx]
		add	ebx, 2
		cmp	ebx, eax
		ja	short loc_841B75

loc_841B19:				; CODE XREF: PopUnicodeStringDeepCopy+86j
		push	edi
		mov	edi, esi
		cmp	dword ptr [edi], 0
		jnz	loc_926813

loc_841B25:				; CODE XREF: PopUnicodeStringDeepCopy+E4D29j
		push	[ebp+arg_4]
		push	ebx
		push	[ebp+arg_0]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+arg_4], eax
		mov	esi, edi
		test	eax, eax
		jz	short loc_841B7E
		mov	ecx, [edi]
		test	ecx, ecx
		jnz	loc_926824

loc_841B44:				; CODE XREF: PopUnicodeStringDeepCopy+E4D39j
		mov	ecx, [ebp+var_4]
		mov	[edi], eax
		xor	eax, eax
		mov	[ecx], ax
		mov	[ecx+2], bx

loc_841B52:				; CODE XREF: PopUnicodeStringDeepCopy+8Bj
					; PopUnicodeStringDeepCopy+E4D23j
		pop	edi

loc_841B53:				; CODE XREF: PopUnicodeStringDeepCopy+82j
		mov	edx, [ebp+var_8]
		call	_RtlUnicodeStringCopy@8	; RtlUnicodeStringCopy(x,x)
		test	eax, eax
		js	short loc_841B6F
		mov	ecx, [ebp+var_4]
		movzx	edx, word ptr [ecx]
		mov	ecx, [esi]
		shr	edx, 1
		xor	esi, esi
		mov	[ecx+edx*2], si

loc_841B6F:				; CODE XREF: PopUnicodeStringDeepCopy+67j
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_841B75:				; CODE XREF: PopUnicodeStringDeepCopy+21j
		cmp	dword ptr [esi], 0
		jnz	short loc_841B53
		mov	ebx, eax
		jmp	short loc_841B19
; 

loc_841B7E:				; CODE XREF: PopUnicodeStringDeepCopy+42j
		mov	ecx, [ebp+var_4]
		jmp	short loc_841B52
PopUnicodeStringDeepCopy endp

; 
		align 8
; Exported entry 1668. PoDeletePowerRequest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoDeletePowerRequest(x)
		public _PoDeletePowerRequest@4
_PoDeletePowerRequest@4	proc near	; CODE XREF: PoUnregisterSystemState(x)+Cj

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	_PopPowerRequestCleanUp@4 ; PopPowerRequestCleanUp(x)
		mov	ecx, [ebp+arg_0]
		call	ObfDereferenceObject
		pop	ecx
		pop	ebp
		retn	4
_PoDeletePowerRequest@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerRequestCreateInfo(x, x, x)
_PopPowerRequestCreateInfo@12 proc near	; CODE XREF: NtPowerInformation+9D9p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	esi, esi
		mov	bl, dl
		mov	[ebp+var_8], esi
		cmp	byte ptr [eax+15Ah], 0
		push	edi
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], esi
		jnz	short loc_841BD5
		mov	esi, [ebp+var_4]
		mov	edi, 0C00000BBh
		jmp	short loc_841C46
; 

loc_841BD5:				; CODE XREF: PopPowerRequestCreateInfo(x,x,x)+25j
		lea	eax, [ebp+var_4]
		mov	dl, 1
		push	eax
		push	esi
		push	1
		push	esi
		call	_PoCaptureReasonContext@24 ; PoCaptureReasonContext(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_841C46
		mov	esi, [ebp+var_4]
		lea	ecx, [ebp+var_C]
		push	esi
		mov	dl, bl
		call	_PopCreateUserPowerRequest@12 ;	PopCreateUserPowerRequest(x,x,x)
		mov	ebx, [ebp+var_C]
		mov	edi, eax
		test	edi, edi
		js	short loc_841C36
		xor	edi, edi
		mov	edx, 72506F50h
		mov	ecx, ebx
		mov	esi, edi
		call	ObfReferenceObjectWithTag
		lea	eax, [ebp+var_8]
		xor	edx, edx
		push	eax
		push	edi
		push	edi
		push	edi
		push	edi
		mov	ecx, ebx
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_841C36
		push	[ebp+var_8]
		mov	edx, [ebx+14h]
		mov	ecx, [ebx+8]
		call	PopNotifySessionUserPowerRequestCreated

loc_841C36:				; CODE XREF: PopPowerRequestCreateInfo(x,x,x)+5Bj
					; PopPowerRequestCreateInfo(x,x,x)+82j
		test	ebx, ebx
		jz	short loc_841C46
		mov	edx, 72506F50h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_841C46:				; CODE XREF: PopPowerRequestCreateInfo(x,x,x)+2Fj
					; PopPowerRequestCreateInfo(x,x,x)+44j	...
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_841C52
		mov	eax, [ebp+var_8]
		mov	[ecx], eax

loc_841C52:				; CODE XREF: PopPowerRequestCreateInfo(x,x,x)+A7j
		test	esi, esi
		jz	short loc_841C5D
		mov	ecx, esi
		call	_PoDestroyReasonContext@4 ; PoDestroyReasonContext(x)

loc_841C5D:				; CODE XREF: PopPowerRequestCreateInfo(x,x,x)+B0j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopPowerRequestCreateInfo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopNotifySessionUserPowerRequestCreated	proc near
					; CODE XREF: PopPowerRequestCreateInfo(x,x,x)+8Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00926834 SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		dec	word ptr [eax+13Ch]
		mov	edi, edx
		nop
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		and	[ebp+var_C], ebx
		mov	dword_6C3884, eax
		lea	eax, [ebp+var_C]
		push	eax
		push	offset _PopPowerRequestTable
		mov	[ebp+var_8], edi
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_841CC2
		mov	ecx, [esi]
		mov	eax, [ebp+arg_0]
		mov	ebx, [ecx+44h]
		mov	[ecx+48h], eax

loc_841CC2:				; CODE XREF: PopNotifySessionUserPowerRequestCreated+4Fj
		cmp	dword_6C3884, 0
		jz	short loc_841CD2
		and	dword_6C3884, 0

loc_841CD2:				; CODE XREF: PopNotifySessionUserPowerRequestCreated+63j
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	esi, esi
		jz	short loc_841CF4
		cmp	ds:_TtmpEnabled, 1
		jz	loc_926834

loc_841CF4:				; CODE XREF: PopNotifySessionUserPowerRequestCreated+7Fj
					; PopNotifySessionUserPowerRequestCreated+E4BF0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PopNotifySessionUserPowerRequestCreated	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopClosePowerRequestObject(x, x, x,	x)
_PopClosePowerRequestObject@16 proc near ; DATA	XREF: PopPowerRequestInit()+8Eo

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 1
		jnz	short loc_841D0F
		mov	ecx, [ebp+arg_4]
		call	_PopPowerRequestCleanUp@4 ; PopPowerRequestCleanUp(x)

loc_841D0F:				; CODE XREF: PopClosePowerRequestObject(x,x,x,x)+9j
		pop	ebp
		retn	10h
_PopClosePowerRequestObject@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopStatsMarkPowerRequestActive(x, x)
_PopStatsMarkPowerRequestActive@8 proc near
					; CODE XREF: PopUpdatePowerRequestProcessWakeCounter(x,x)+19p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_4], 3
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PowerReqestStatsLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6BF4B4, eax
		mov	ecx, [esi+64h]
		test	ecx, ecx
		jz	short loc_841D68
		push	1
		push	3
		pop	edx
		call	_PopGetStopWatchByRequestType@12 ; PopGetStopWatchByRequestType(x,x,x)
		test	eax, eax
		jz	short loc_841D68
		mov	ecx, eax
		call	_PoStartStopWatch@4 ; PoStartStopWatch(x)

loc_841D68:				; CODE XREF: PopStatsMarkPowerRequestActive(x,x)+3Dj
					; PopStatsMarkPowerRequestActive(x,x)+4Bj
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		mov	ecx, (offset loc_8BD95D+1)
		call	_PopLogPowerRequestAction@12 ; PopLogPowerRequestAction(x,x,x)
		cmp	dword_6BF4B4, 0
		jz	short loc_841D88
		and	dword_6BF4B4, 0

loc_841D88:				; CODE XREF: PopStatsMarkPowerRequestActive(x,x)+6Bj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		leave
		retn
_PopStatsMarkPowerRequestActive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopStatsMarkPowerRequestInactive(x,	x)
_PopStatsMarkPowerRequestInactive@8 proc near
					; CODE XREF: PopUpdatePowerRequestProcessWakeCounter(x,x)+3Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_4], 3
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PowerReqestStatsLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6BF4B4, eax
		mov	ecx, [esi+64h]
		test	ecx, ecx
		jz	short loc_841DEE
		push	0
		push	3
		pop	edx
		call	_PopGetStopWatchByRequestType@12 ; PopGetStopWatchByRequestType(x,x,x)
		test	eax, eax
		jz	short loc_841DEE
		mov	ecx, eax
		call	_PoPauseStopWatch@4 ; PoPauseStopWatch(x)

loc_841DEE:				; CODE XREF: PopStatsMarkPowerRequestInactive(x,x)+3Dj
					; PopStatsMarkPowerRequestInactive(x,x)+4Bj
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		mov	ecx, offset ??_C@_0BD@LCGDJIEH@PowerRequest?5Clear@NNGAKEGL@
		call	_PopLogPowerRequestAction@12 ; PopLogPowerRequestAction(x,x,x)
		cmp	dword_6BF4B4, 0
		jz	short loc_841E0E
		and	dword_6BF4B4, 0

loc_841E0E:				; CODE XREF: PopStatsMarkPowerRequestInactive(x,x)+6Bj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		leave
		retn
_PopStatsMarkPowerRequestInactive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCreateUserPowerRequest(x, x, x)
_PopCreateUserPowerRequest@12 proc near	; CODE XREF: NtSetThreadExecutionState+A3p
					; PopPowerRequestCreateInfo(x,x,x)+4Fp

var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		mov	bl, dl
		mov	[esp+18h+var_4], ecx
		xor	ecx, ecx
		mov	eax, [eax+80h]
		mov	[esp+18h+var_C], ecx
		mov	[esp+18h+var_D], cl
		mov	[esp+18h+var_8], eax
		push	esi
		push	edi
		test	bl, bl
		jz	short loc_841E6F
		push	ecx
		lea	edx, [esp+17h]
		mov	ecx, eax
		call	_PsQueryProcessAttributes@12 ; PsQueryProcessAttributes(x,x,x)
		cmp	[esp+20h+var_D], 0
		jz	short loc_841E6F
		mov	eax, 0C00000BBh
		jmp	loc_841F56
; 

loc_841E6F:				; CODE XREF: PopCreateUserPowerRequest(x,x,x)+30j
					; PopCreateUserPowerRequest(x,x,x)+43j
		mov	edi, [ebp+arg_0]
		lea	ecx, [esp+20h+var_C]
		mov	edx, edi
		call	PopCreatePowerRequestObject
		test	eax, eax
		js	loc_841F56
		mov	esi, [esp+20h+var_C]
		mov	[esi+5Ch], bl
		test	bl, bl
		jnz	short loc_841E97
		mov	eax, [esp+20h+var_8]
		mov	[esi+54h], eax

loc_841E97:				; CODE XREF: PopCreateUserPowerRequest(x,x,x)+6Ej
		call	_Feature_3401902395__private_IsEnabledDeviceUsage@0 ; Feature_3401902395__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	short loc_841EA5
		mov	eax, [edi+14h]
		jmp	short loc_841EAD
; 

loc_841EA5:				; CODE XREF: PopCreateUserPowerRequest(x,x,x)+7Ej
		mov	ecx, [edi+4]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_841EAD:				; CODE XREF: PopCreateUserPowerRequest(x,x,x)+83j
		test	bl, bl
		jz	short loc_841EBA
		mov	dword ptr [esi+0Ch], 8
		jmp	short loc_841ED1
; 

loc_841EBA:				; CODE XREF: PopCreateUserPowerRequest(x,x,x)+8Fj
		mov	ecx, eax
		call	SessionIsInteractive
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 21h
		add	eax, 1Eh
		mov	[esi+0Ch], eax

loc_841ED1:				; CODE XREF: PopCreateUserPowerRequest(x,x,x)+98j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopPowerRequestLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dl, bl
		mov	esi, [esp+20h+var_C]
		mov	ecx, esi
		mov	dword_6C3884, eax
		call	PopInsertPowerRequestObject
		cmp	_PopPowerRequestNotificationsEnabled, 0
		jz	short loc_841F1C
		cmp	dword ptr [esi+44h], 0
		jz	short loc_841F1C
		mov	ecx, [esi+14h]
		call	_PopUmpoSendPowerRequestCreate@4 ; PopUmpoSendPowerRequestCreate(x)

loc_841F1C:				; CODE XREF: PopCreateUserPowerRequest(x,x,x)+ECj
					; PopCreateUserPowerRequest(x,x,x)+F2j
		test	bl, bl
		jnz	short loc_841F27
		mov	ecx, esi
		call	_PopUmpoSendPowerRequestOverrideQuery@4	; PopUmpoSendPowerRequestOverrideQuery(x)

loc_841F27:				; CODE XREF: PopCreateUserPowerRequest(x,x,x)+FEj
		cmp	dword_6C3884, 0
		jz	short loc_841F37
		and	dword_6C3884, 0

loc_841F37:				; CODE XREF: PopCreateUserPowerRequest(x,x,x)+10Ej
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edx, esi
		xor	cl, cl
		call	_PopDiagTracePowerRequestCreate@8 ; PopDiagTracePowerRequestCreate(x,x)
		mov	eax, [esp+20h+var_4]
		mov	[eax], esi
		xor	eax, eax

loc_841F56:				; CODE XREF: PopCreateUserPowerRequest(x,x,x)+4Aj
					; PopCreateUserPowerRequest(x,x,x)+5Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_PopCreateUserPowerRequest@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcPoPowerRequestBlockingCallback(x)
_PdcPoPowerRequestBlockingCallback@4 proc near ; DATA XREF: PopPdcRegister+AEo

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	cl, [ebp+arg_0]
		call	_PopStatsNotifyPowerRequestBlocking@4 ;	PopStatsNotifyPowerRequestBlocking(x)
		pop	ebp
		retn	4
_PdcPoPowerRequestBlockingCallback@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopStatsNotifyPowerRequestBlocking(x)
_PopStatsNotifyPowerRequestBlocking@4 proc near
					; CODE XREF: PdcPoPowerRequestBlockingCallback(x)+8p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, large fs:124h
		push	ebx
		push	edi
		mov	bl, cl
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PowerReqestStatsLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6BF4B4, eax
		test	bl, bl
		jnz	short loc_841FF3
		mov	edi, offset _ExecutionRequiredStopWatchCollection
		mov	ecx, edi
		call	_PoIsArmedStopWatchCollection@4	; PoIsArmedStopWatchCollection(x)
		test	al, al
		jz	short loc_841FCC
		push	0
		xor	edx, edx
		mov	ecx, offset ??_C@_0BN@FFEOBLLB@Power?5Request?5Blocking?5Ended@NNGAKEGL@
		call	_PopLogPowerRequestAction@12 ; PopLogPowerRequestAction(x,x,x)
		mov	ecx, edi
		call	_PoUnarmStopWatchCollection@4 ;	PoUnarmStopWatchCollection(x)

loc_841FCC:				; CODE XREF: PopStatsNotifyPowerRequestBlocking(x)+43j
					; PopStatsNotifyPowerRequestBlocking(x)+99j
		cmp	dword_6BF4B4, 0
		jz	short loc_841FDC
		and	dword_6BF4B4, 0

loc_841FDC:				; CODE XREF: PopStatsNotifyPowerRequestBlocking(x)+61j
		xor	edx, edx
		mov	ecx, offset _PowerReqestStatsLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_841FF3:				; CODE XREF: PopStatsNotifyPowerRequestBlocking(x)+33j
		push	0
		xor	edx, edx
		mov	ecx, offset ??_C@_0BP@JDFINCKB@Power?5Request?5Blocking?5Started@NNGAKEGL@
		call	_PopLogPowerRequestAction@12 ; PopLogPowerRequestAction(x,x,x)
		mov	ecx, offset _ExecutionRequiredStopWatchCollection
		call	_PoArmStopWatchCollection@4 ; PoArmStopWatchCollection(x)
		jmp	short loc_841FCC
_PopStatsNotifyPowerRequestBlocking@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopCreatePowerRequestObject proc near	; CODE XREF: PopCreateUserPowerRequest(x,x,x)+58p
					; PopCreateKernelPowerRequest(x,x)+16p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092685B SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_14], ecx
		xor	ebx, ebx
		mov	[ebp+var_10], esi
		inc	ebx
		push	edi
		cmp	dword ptr [esi], 0
		jz	loc_8420F0
		mov	eax, large fs:124h
		mov	byte ptr [ebp+var_4], bl
		push	dword ptr [eax+80h]
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	[ebp+var_C], eax

loc_842044:				; CODE XREF: PopCreatePowerRequestObject+EAj
		and	[ebp+var_8], 0
		lock xadd _PopPowerRequestId, ebx
		inc	ebx
		mov	ecx, ebx
		call	_PopPowerRequestInsertElementNoLock@4 ;	PopPowerRequestInsertElementNoLock(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_92685B
		mov	eax, [esi+1Ch]
		xor	esi, esi
		mov	edx, ds:_PopPowerRequestObjectType
		push	20h
		pop	ecx
		push	esi
		add	eax, ecx
		mov	[ebp+var_20], ecx
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_2C], 18h
		push	ecx
		push	esi
		push	eax
		push	68h
		push	ecx
		push	[ebp+var_4]
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_28], esi
		push	eax
		xor	cl, cl
		mov	[ebp+var_24], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		call	ObCreateObjectEx
		mov	[ebp+var_4], eax
		test	eax, eax
		js	short loc_8420E3
		push	68h		; size_t
		push	esi		; int
		mov	esi, [ebp+var_8]
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		call	_PsGetCurrentProcessSessionId@0	; PsGetCurrentProcessSessionId()
		mov	[esi+8], eax
		mov	ecx, esi
		mov	eax, [ebp+var_C]
		mov	[esi+44h], eax
		mov	eax, [ebp+var_10]
		mov	[esi+40h], eax
		mov	[esi+14h], ebx
		mov	[edi+4], ebx
		mov	[edi], esi
		xor	edi, edi
		call	_PopStatsCreatePowerRequest@4 ;	PopStatsCreatePowerRequest(x)
		mov	eax, [ebp+var_14]
		mov	[eax], esi
		mov	eax, [ebp+var_4]

loc_8420E3:				; CODE XREF: PopCreatePowerRequestObject+97j
		test	edi, edi
		jnz	loc_926865

loc_8420EB:				; CODE XREF: PopCreatePowerRequestObject+E4852j
					; PopCreatePowerRequestObject+E4861j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8420F0:				; CODE XREF: PopCreatePowerRequestObject+19j
		and	[ebp+var_C], 0
		mov	byte ptr [ebp+var_4], 0
		jmp	loc_842044
PopCreatePowerRequestObject endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopStatsCreatePowerRequest(x)
_PopStatsCreatePowerRequest@4 proc near	; CODE XREF: PopCreatePowerRequestObject+C8p
		mov	edi, edi
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PowerReqestStatsLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	dword_6BF4B4, eax
		call	PopAvlFindOrMakeStatsForPowerRequest
		test	eax, eax
		jz	short loc_84213A
		lock inc dword ptr [eax]

loc_84213A:				; CODE XREF: PopStatsCreatePowerRequest(x)+37j
		push	0
		mov	edx, esi
		mov	[esi+64h], eax
		mov	ecx, offset ??_C@_0BE@GFOKILEK@Create?5PowerRequest@NNGAKEGL@
		call	_PopLogPowerRequestAction@12 ; PopLogPowerRequestAction(x,x,x)
		cmp	dword_6BF4B4, 0
		jz	short loc_84215B
		and	dword_6BF4B4, 0

loc_84215B:				; CODE XREF: PopStatsCreatePowerRequest(x)+54j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ecx
		retn
_PopStatsCreatePowerRequest@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopAvlFindOrMakeStatsForPowerRequest proc near
					; CODE XREF: PopStatsCreatePowerRequest(x)+30p

var_B9		= dword	ptr -0B9h
var_B4		= dword	ptr -0B4h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00926874 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	0B0h		; size_t
		lea	eax, [ebp+var_B9+1]
		mov	byte ptr [ebp+var_B9], 0
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		mov	esi, [edi+64h]
		add	esp, 0Ch
		test	esi, esi
		jnz	short loc_8421D4
		lea	edx, [ebp+var_B4]
		mov	ecx, edi
		call	_PopAvlGetPowerRequestKey@8 ; PopAvlGetPowerRequestKey(x,x)
		test	eax, eax
		js	short loc_8421D4
		lea	eax, [ebp+var_B9+1]
		mov	edi, offset _PowerRequestStatsDatabase
		push	eax
		push	edi
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8421EF

loc_8421D4:				; CODE XREF: PopAvlFindOrMakeStatsForPowerRequest+3Bj
					; PopAvlFindOrMakeStatsForPowerRequest+4Cj ...
		lea	ecx, [ebp+var_B4]
		call	_PopFreeUnicodeString@4	; PopFreeUnicodeString(x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8421EF:				; CODE XREF: PopAvlFindOrMakeStatsForPowerRequest+64j
		lea	eax, [ebp+var_B9]
		push	eax		; int
		push	0B0h		; size_t
		lea	eax, [ebp+var_B9+1]
		push	eax		; void *
		push	edi		; int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8421D4
		cmp	byte ptr [ebp+var_B9], 0
		jz	short loc_8421D4
		push	0B0h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esi+4]
		lea	edx, [ebp+var_B4]
		push	54515750h
		push	1
		call	PopUnicodeStringDeepCopy
		test	eax, eax
		jns	short loc_8421D4
		jmp	loc_926874
PopAvlFindOrMakeStatsForPowerRequest endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopAvlGetPowerRequestKey(x,	x)
_PopAvlGetPowerRequestKey@8 proc near	; CODE XREF: PopAvlFindOrMakeStatsForPowerRequest+45p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, [ecx+40h]
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		push	edi
		mov	edi, edx
		cmp	[esi], eax
		jnz	short loc_842281
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_84227A
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_84227A
		lea	edx, [eax+1Ch]
		jmp	short loc_8422C6
; 

loc_84227A:				; CODE XREF: PopAvlGetPowerRequestKey(x,x)+26j
					; PopAvlGetPowerRequestKey(x,x)+2Dj
		push	offset _UNIDENTIFIED_DRIVER ; "Unidentified Driver"
		jmp	short loc_8422BA
; 

loc_842281:				; CODE XREF: PopAvlGetPowerRequestKey(x,x)+1Fj
		call	_Feature_3401902395__private_IsEnabledDeviceUsage@0 ; Feature_3401902395__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	short loc_842291
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		jmp	short loc_842298
; 

loc_842291:				; CODE XREF: PopAvlGetPowerRequestKey(x,x)+42j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_8422B5

loc_842298:				; CODE XREF: PopAvlGetPowerRequestKey(x,x)+49j
		add	eax, 1ACh
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitString@8 ; RtlInitString(x,x)
		push	ecx
		push	ecx
		lea	edx, [ebp+var_8]
		mov	ecx, edi
		call	PopAnsiStringToUnicodeString
		jmp	short loc_8422D4
; 

loc_8422B5:				; CODE XREF: PopAvlGetPowerRequestKey(x,x)+50j
		push	offset _UNIDENTIFIED_PROCESS ; "Unidentified Process"

loc_8422BA:				; CODE XREF: PopAvlGetPowerRequestKey(x,x)+39j
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edx, [ebp+var_10]

loc_8422C6:				; CODE XREF: PopAvlGetPowerRequestKey(x,x)+32j
		push	54515750h
		push	1
		mov	ecx, edi
		call	PopUnicodeStringDeepCopy

loc_8422D4:				; CODE XREF: PopAvlGetPowerRequestKey(x,x)+6Dj
		pop	edi
		pop	esi
		leave
		retn
_PopAvlGetPowerRequestKey@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDeletePowerRequestObject(x)
_PopDeletePowerRequestObject@4 proc near ; DATA	XREF: PopPowerRequestInit()+95o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_PopPowerRequestCleanUp@4 ; PopPowerRequestCleanUp(x)
		pop	ebp
		retn	4
_PopDeletePowerRequestObject@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUmpoSendPowerRequestOverrideCleanup(x)
_PopUmpoSendPowerRequestOverrideCleanup@4 proc near
					; CODE XREF: PopPowerRequestCleanUp(x)+1E3p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	esi
		push	44h		; size_t
		lea	eax, [ebp+var_44]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esi+14h]
		lea	ecx, [ebp+var_44]
		add	esp, 0Ch
		mov	[ebp+var_44], 9
		mov	[ebp+var_40], eax
		push	0
		push	44h
		pop	edx
		call	PopUmpoSendPowerMessage
		pop	esi
		leave
		retn
_PopUmpoSendPowerRequestOverrideCleanup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTracePowerRequestCreate(x, x)
_PopDiagTracePowerRequestCreate@8 proc near ; CODE XREF: PopDiagTraceControlCallback+83p
					; PopCreateUserPowerRequest(x,x,x)+129p ...

var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_181		= byte ptr -181h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_30		= word ptr -30h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		mov	al, cl
		push	esi
		mov	esi, edx
		mov	[ebp+var_181], al
		push	edi
		mov	[ebp+var_188], esi
		mov	[ebp+var_1B4], ebx
		mov	[ebp+var_1CC], ebx
		mov	[ebp+var_1C8], ebx
		mov	[ebp+var_1B8], ebx
		mov	[ebp+var_198], ebx
		mov	[ebp+var_194], ebx
		cmp	_PopDiagHandleRegistered, bl
		jz	loc_8428B4
		test	al, al
		jnz	short loc_842387
		push	offset _POP_ETW_EVENT_CREATE_POWER_REQUEST
		jmp	short loc_84238C
; 

loc_842387:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+5Cj
		push	offset _POP_ETW_EVENT_POWER_REQUEST_RUNDOWN

loc_84238C:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+63j
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_8428B4
		mov	eax, [esi+40h]
		xor	edx, edx
		push	ebx
		mov	[ebp+var_18C], ebx
		mov	eax, [eax]
		mov	[ebp+var_190], eax
		lea	eax, [ebp+var_18C]
		mov	[ebp+var_19C], ebx
		mov	[ebp+var_1A0], ebx
		mov	[ebp+var_1A4], ebx
		mov	[ebp+var_1A8], ebx
		mov	[ebp+var_1AC], ebx
		mov	[ebp+var_1B0], ebx
		mov	[ebp+var_1C4], ebx
		mov	[ebp+var_1C0], ebx
		mov	[ebp+var_1BC], ebx
		mov	ecx, [esi+40h]
		push	eax
		call	_PoStoreRequester@16 ; PoStoreRequester(x,x,x,x)
		push	50455654h
		push	[ebp+var_18C]
		xor	ebx, ebx
		inc	ebx
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8428B4
		mov	ecx, [ebp+var_188]
		lea	eax, [ebp+var_18C]
		xor	esi, esi
		mov	edx, edi
		push	esi
		push	eax
		mov	ecx, [ecx+40h]
		call	_PoStoreRequester@16 ; PoStoreRequester(x,x,x,x)
		test	eax, eax
		js	loc_8428A9
		cmp	[ebp+var_190], esi
		jnz	short loc_842470
		mov	edx, [edi+8]
		mov	esi, [edi+0Ch]
		add	edx, edi
		push	ecx
		push	ecx
		lea	ecx, [ebp+var_1CC]
		add	esi, edi
		call	RtlUnicodeStringInitWorker
		push	ecx
		push	ecx
		mov	edx, esi
		lea	ecx, [ebp+var_198]
		call	RtlUnicodeStringInitWorker
		xor	esi, esi
		jmp	short loc_8424E2
; 

loc_842470:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+122j
		mov	eax, [edi+0Ch]
		mov	[ebp+var_19C], eax
		call	_Feature_3401902395__private_IsEnabledDeviceUsage@0 ; Feature_3401902395__private_IsEnabledDeviceUsage()
		test	eax, eax
		mov	eax, [ebp+var_188]
		jz	short loc_84248D
		mov	eax, [eax+8]
		jmp	short loc_842498
; 

loc_84248D:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+164j
		mov	ecx, [eax+40h]
		mov	ecx, [ecx+4]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)

loc_842498:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+169j
		push	ecx
		mov	[ebp+var_1A0], eax
		mov	edx, [edi+8]
		push	ecx
		add	edx, edi
		lea	ecx, [ebp+var_1CC]
		call	RtlUnicodeStringInitWorker
		cmp	[ebp+var_190], 2
		jnz	short loc_8424D5
		push	dword ptr [edi+10h] ; char
		lea	eax, [ebp+var_30]
		push	offset ??_C@_15KNBIKKIN@?$AA?$CF?$AAd@NNGAKEGL@	; wchar_t *
		push	2Ch		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		lea	eax, [ebp+var_30]
		push	eax
		jmp	short loc_8424D6
; 

loc_8424D5:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+195j
		push	esi

loc_8424D6:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+1B1j
		lea	eax, [ebp+var_198]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_8424E2:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+14Cj
		mov	edx, [ebp+var_188]
		cmp	[edx+40h], esi
		jnz	short loc_8424F3
		mov	[ebp+var_1A4], ebx

loc_8424F3:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+1C9j
		mov	eax, [edx+0Ch]
		test	al, 2
		jz	short loc_842503
		mov	[ebp+var_1A8], ebx
		mov	eax, [edx+0Ch]

loc_842503:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+1D6j
		test	al, 1
		jz	short loc_842510
		mov	[ebp+var_1AC], ebx
		mov	eax, [edx+0Ch]

loc_842510:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+1E3j
		test	al, 4
		jz	short loc_84251D
		mov	[ebp+var_1B0], ebx
		mov	eax, [edx+0Ch]

loc_84251D:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+1F0j
		test	al, 8
		jz	short loc_84252A
		mov	[ebp+var_1BC], ebx
		mov	eax, [edx+0Ch]

loc_84252A:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+1FDj
		test	al, 10h
		jz	short loc_842537
		mov	[ebp+var_1C0], ebx
		mov	eax, [edx+0Ch]

loc_842537:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+20Aj
		test	al, 20h
		jz	short loc_842541
		mov	[ebp+var_1C4], ebx

loc_842541:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+217j
		mov	cx, word ptr [ebp+var_1CC]
		mov	bx, word ptr [ebp+var_198]
		shr	cx, 1
		movzx	eax, cx
		mov	[ebp+var_1B4], eax
		shr	bx, 1
		movzx	eax, bx
		mov	[ebp+var_1B8], eax
		lea	eax, [ebp+var_188]
		mov	[ebp+var_180], eax
		lea	eax, [ebp+var_190]
		mov	[ebp+var_170], eax
		lea	eax, [ebp+var_19C]
		mov	[ebp+var_160], eax
		lea	eax, [ebp+var_1A0]
		mov	[ebp+var_150], eax
		lea	eax, [ebp+var_1A4]
		mov	[ebp+var_140], eax
		lea	eax, [ebp+var_1A8]
		mov	[ebp+var_130], eax
		lea	eax, [ebp+var_1AC]
		mov	[ebp+var_120], eax
		lea	eax, [ebp+var_1B0]
		mov	[ebp+var_110], eax
		lea	eax, [edx+1Ch]
		mov	[ebp+var_100], eax
		lea	eax, [edx+18h]
		mov	[ebp+var_F0], eax
		lea	eax, [edx+20h]
		mov	[ebp+var_E0], eax
		lea	eax, [ebp+var_1B4]
		mov	[ebp+var_D0], eax
		lea	eax, [ebp+var_1B8]
		mov	[ebp+var_17C], esi
		mov	[ebp+var_174], esi
		mov	[ebp+var_16C], esi
		mov	[ebp+var_164], esi
		mov	[ebp+var_15C], esi
		mov	[ebp+var_154], esi
		mov	[ebp+var_14C], esi
		mov	[ebp+var_144], esi
		mov	[ebp+var_13C], esi
		mov	[ebp+var_134], esi
		mov	[ebp+var_12C], esi
		mov	[ebp+var_124], esi
		mov	[ebp+var_11C], esi
		mov	[ebp+var_114], esi
		mov	[ebp+var_10C], esi
		mov	[ebp+var_104], esi
		mov	[ebp+var_FC], esi
		mov	[ebp+var_F4], esi
		mov	[ebp+var_EC], esi
		mov	[ebp+var_E4], esi
		mov	[ebp+var_DC], esi
		mov	[ebp+var_D4], esi
		mov	[ebp+var_CC], esi
		mov	[ebp+var_C4], esi
		mov	[ebp+var_BC], esi
		mov	[ebp+var_B4], esi
		mov	[ebp+var_178], 4
		mov	[ebp+var_168], 4
		mov	[ebp+var_158], 4
		mov	[ebp+var_148], 4
		mov	[ebp+var_138], 4
		mov	[ebp+var_128], 4
		mov	[ebp+var_118], 4
		mov	[ebp+var_108], 4
		mov	[ebp+var_F8], 4
		mov	[ebp+var_E8], 4
		mov	[ebp+var_D8], 4
		mov	[ebp+var_C8], 2
		mov	[ebp+var_C0], eax
		mov	[ebp+var_B8], 2
		push	0Dh
		pop	esi
		test	cx, cx
		jz	short loc_842748
		mov	eax, [ebp+var_1C8]
		and	[ebp+var_AC], 0
		mov	[ebp+var_B0], eax
		movzx	eax, cx
		add	eax, eax
		and	[ebp+var_A4], 0
		push	0Eh
		mov	[ebp+var_A8], eax
		pop	esi

loc_842748:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+3FCj
		test	bx, bx
		jz	short loc_84277E
		mov	eax, [ebp+var_194]
		mov	ecx, esi
		add	ecx, ecx
		and	[ebp+ecx*8+var_17C], 0
		mov	[ebp+ecx*8+var_180], eax
		movzx	eax, bx
		xor	ebx, ebx
		add	eax, eax
		mov	[ebp+ecx*8+var_174], ebx
		mov	[ebp+ecx*8+var_178], eax
		inc	esi
		jmp	short loc_842780
; 

loc_84277E:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+429j
		xor	ebx, ebx

loc_842780:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+45Aj
		mov	eax, esi
		lea	ecx, [ebp+var_1BC]
		add	eax, eax
		mov	[ebp+eax*8+var_180], ecx
		lea	ecx, [ebp+var_1C0]
		mov	[ebp+eax*8+var_17C], ebx
		mov	[ebp+eax*8+var_178], 4
		mov	[ebp+eax*8+var_174], ebx
		mov	[ebp+eax*8+var_170], ecx
		lea	ecx, [esi+2]
		mov	[ebp+eax*8+var_16C], ebx
		lea	esi, [ebp+var_1C4]
		mov	[ebp+eax*8+var_168], 4
		mov	[ebp+eax*8+var_164], ebx
		mov	eax, ecx
		add	eax, eax
		mov	[ebp+eax*8+var_180], esi
		lea	esi, [ecx+1]
		mov	[ebp+eax*8+var_17C], ebx
		mov	ecx, esi
		mov	[ebp+eax*8+var_178], 4
		add	ecx, ecx
		mov	[ebp+eax*8+var_174], ebx
		lea	eax, [edx+24h]
		mov	[ebp+ecx*8+var_180], eax
		lea	eax, [edx+28h]
		mov	[ebp+ecx*8+var_17C], ebx
		mov	[ebp+ecx*8+var_178], 4
		mov	[ebp+ecx*8+var_174], ebx
		lea	ecx, [esi+1]
		add	ecx, ecx
		mov	[ebp+ecx*8+var_180], eax
		lea	eax, [edx+2Ch]
		mov	[ebp+ecx*8+var_17C], ebx
		mov	[ebp+ecx*8+var_178], 4
		mov	[ebp+ecx*8+var_174], ebx
		lea	ecx, [esi+2]
		add	ecx, ecx
		add	esi, 3
		cmp	[ebp+var_181], 0
		mov	[ebp+ecx*8+var_180], eax
		lea	eax, [ebp+var_180]
		push	eax
		push	esi
		mov	[ebp+ecx*8+var_17C], ebx
		mov	[ebp+ecx*8+var_178], 4
		mov	[ebp+ecx*8+var_174], ebx
		push	ebx
		jz	short loc_842893
		push	offset _POP_ETW_EVENT_POWER_REQUEST_RUNDOWN
		jmp	short loc_842898
; 

loc_842893:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+568j
		push	offset _POP_ETW_EVENT_CREATE_POWER_REQUEST

loc_842898:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+56Fj
		push	dword_6C1D74
		push	_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_8428A9:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+116j
		push	50455654h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8428B4:				; CODE XREF: PopDiagTracePowerRequestCreate(x,x)+54j
					; PopDiagTracePowerRequestCreate(x,x)+7Dj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTracePowerRequestCreate@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopReleaseUmpoPushLock()
_PopReleaseUmpoPushLock@0 proc near	; CODE XREF: PopUmpoSendPowerMessage:loc_53FC87p
		xor	edx, edx
		mov	ecx, offset _PopUmpoPushLock
		call	ExReleasePushLockEx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopReleaseUmpoPushLock@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopAcquireUmpoPushLock(x)
_PopAcquireUmpoPushLock@4 proc near	; CODE XREF: PopUmpoSendPowerMessage+3Ap
					; PopUmpoProcessMessage+171169p
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		test	cl, cl
		mov	ecx, offset _PopUmpoPushLock
		jnz	ExAcquirePushLockExclusiveEx
		jmp	ExAcquirePushLockSharedEx
_PopAcquireUmpoPushLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPowerRequestActionInfo proc near	; CODE XREF: NtPowerInformation+855p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 00926888 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		push	ecx
		mov	[ebp+var_8], ecx
		mov	bl, [eax+15Ah]
		lea	eax, [ebp+var_8]
		push	eax
		push	72506F50h
		mov	byte ptr [ebp+var_C], bl
		push	[ebp+var_C]
		mov	byte ptr [ebp+var_1], cl
		push	ds:_PopPowerRequestObjectType
		push	ecx
		push	dword ptr [edi]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_842978
		mov	eax, [edi+4]
		sub	eax, 3
		jz	short loc_84297F
		sub	eax, 1
		jz	loc_926888

loc_84294E:				; CODE XREF: PopPowerRequestActionInfo+89j
					; PopPowerRequestActionInfo+9Fj ...
		cmp	byte ptr [edi+8], 0
		mov	ecx, [ebp+var_8]
		mov	edx, [edi+4]
		jz	short loc_8429A0
		cmp	byte ptr [ecx+5Ch], 0
		jnz	loc_92689B
		call	PoSetPowerRequestInternal

loc_842969:				; CODE XREF: PopPowerRequestActionInfo+B3j
					; PopPowerRequestActionInfo+BAj ...
		mov	esi, eax

loc_84296B:				; CODE XREF: PopPowerRequestActionInfo+99j
					; PopPowerRequestActionInfo+A6j ...
		mov	ecx, [ebp+var_8]
		mov	edx, 72506F50h
		call	ObfDereferenceObjectWithTag

loc_842978:				; CODE XREF: PopPowerRequestActionInfo+43j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84297F:				; CODE XREF: PopPowerRequestActionInfo+4Bj
		test	bl, bl
		jz	short loc_84294E
		lea	edx, [ebp+var_1]
		xor	ecx, ecx
		call	_SeIsAppContainerOrIdentifyLevelContext@8 ; SeIsAppContainerOrIdentifyLevelContext(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_84296B
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_84294E
		mov	esi, 0C0000022h
		jmp	short loc_84296B
; 

loc_8429A0:				; CODE XREF: PopPowerRequestActionInfo+60j
		cmp	byte ptr [ecx+5Ch], 0
		jnz	short loc_8429AD
		call	PoClearPowerRequestInternal
		jmp	short loc_842969
; 

loc_8429AD:				; CODE XREF: PopPowerRequestActionInfo+ACj
		call	_PopClearSpecialRequest@8 ; PopClearSpecialRequest(x,x)
		jmp	short loc_842969
PopPowerRequestActionInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSystemRequiredCallback(x, x, x)
_PopSystemRequiredCallback@12 proc near	; DATA XREF: .data:006B1474o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		inc	edx
		call	_PopHandleConvergedPowerRequestUpdate@8	; PopHandleConvergedPowerRequestUpdate(x,x)
		xor	eax, eax
		pop	ebp
		retn	0Ch
_PopSystemRequiredCallback@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopReleasePowerRequestPushLock()
_PopReleasePowerRequestPushLock@0 proc near ; CODE XREF: PoClearPowerRequestInternal+170p
					; PopPowerRequestCleanUp(x)+36p ...
		cmp	dword_6C3884, 0
		jz	short loc_8429DA
		and	dword_6C3884, 0

loc_8429DA:				; CODE XREF: PopReleasePowerRequestPushLock()+7j
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExReleasePushLockEx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopReleasePowerRequestPushLock@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopAcquirePowerRequestPushLock(x)
_PopAcquirePowerRequestPushLock@4 proc near ; CODE XREF: PoClearPowerRequestInternal+A2p
					; PopPowerRequestCleanUp(x)+2Bp ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		test	cl, cl
		mov	ecx, offset _PopPowerRequestLock
		jz	short loc_842A16
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C3884, eax
		retn
; 

loc_842A16:				; CODE XREF: PopAcquirePowerRequestPushLock(x)+17j
		jmp	ExAcquirePushLockSharedEx
_PopAcquirePowerRequestPushLock@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerRequestFindEntryById(x)
_PopPowerRequestFindEntryById@4	proc near
					; CODE XREF: PopProcessPowerRequestOverrideQueryResponse+4Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		push	eax
		push	offset _PopPowerRequestTable
		mov	[ebp+var_4], ecx
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		leave
		retn
_PopPowerRequestFindEntryById@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTracePowerRequestClose(x)
_PopDiagTracePowerRequestClose@4 proc near ; CODE XREF:	PopPowerRequestCleanUp(x)+D7p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_18], ecx
		jz	short loc_842A9F
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_CLOSE_POWER_REQUEST
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_842A9C
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_842A9C:				; CODE XREF: PopDiagTracePowerRequestClose(x)+3Cj
		pop	edi
		pop	esi
		pop	ebx

loc_842A9F:				; CODE XREF: PopDiagTracePowerRequestClose(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTracePowerRequestClose@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopStatsDeletePowerRequest(x)
_PopStatsDeletePowerRequest@4 proc near	; CODE XREF: PopPowerRequestCleanUp(x)+D0p
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PowerReqestStatsLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	edx, esi
		push	0
		mov	ecx, offset ??_C@_0BE@FGNJKCLK@Delete?5PowerRequest@NNGAKEGL@
		mov	dword_6BF4B4, eax
		call	_PopLogPowerRequestAction@12 ; PopLogPowerRequestAction(x,x,x)
		mov	ecx, esi
		call	_PopDereferencePowerRequestStats@4 ; PopDereferencePowerRequestStats(x)
		cmp	dword_6BF4B4, 0
		jz	short loc_842AFC
		and	dword_6BF4B4, 0

loc_842AFC:				; CODE XREF: PopStatsDeletePowerRequest(x)+47j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopStatsDeletePowerRequest@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDereferencePowerRequestStats(x)
_PopDereferencePowerRequestStats@4 proc	near ; CODE XREF: PopStatsDeletePowerRequest(x)+3Bp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+64h]
		test	esi, esi
		jz	short loc_842B39
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		dec	eax
		jnz	short loc_842B39
		mov	ecx, esi
		call	_PopPausePowerRequestStats@4 ; PopPausePowerRequestStats(x)
		mov	ecx, esi
		call	_PopIsDataAccruedByPowerRequestStats@4 ; PopIsDataAccruedByPowerRequestStats(x)
		test	al, al
		jz	short loc_842B41

loc_842B39:				; CODE XREF: PopDereferencePowerRequestStats(x)+Fj
					; PopDereferencePowerRequestStats(x)+19j ...
		and	dword ptr [edi+64h], 0
		pop	edi
		pop	esi
		leave
		retn
; 

loc_842B41:				; CODE XREF: PopDereferencePowerRequestStats(x)+2Bj
		mov	ecx, esi
		call	_PopAvlDeleteStatsForPowerRequest@4 ; PopAvlDeleteStatsForPowerRequest(x)
		jmp	short loc_842B39
_PopDereferencePowerRequestStats@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopLogPowerRequestAction(x,	x, x)
_PopLogPowerRequestAction@12 proc near	; CODE XREF: PopStatsMarkPowerRequestActive(x,x)+5Fp
					; PopStatsMarkPowerRequestInactive(x,x)+5Fp ...

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		mov	edi, offset ??_C@_11LOCGONAA@@NNGAKEGL@
		test	eax, eax
		jnz	loc_842C11
		xor	esi, esi

loc_842B77:				; CODE XREF: PopLogPowerRequestAction(x,x,x)+C9j
		test	edx, edx
		jz	short loc_842B88
		mov	eax, [edx+64h]
		mov	ebx, [edx+14h]
		test	eax, eax
		jz	short loc_842B88
		mov	edi, [eax+8]

loc_842B88:				; CODE XREF: PopLogPowerRequestAction(x,x,x)+2Fj
					; PopLogPowerRequestAction(x,x,x)+39j
		cmp	dword_6B23F8, 5
		jbe	short loc_842BFD
		mov	edx, ecx
		lea	ecx, [esp+80h+var_48]
		call	_tlgCreate1Sz_char
		mov	edx, edi
		lea	ecx, [esp+80h+var_38]
		call	_tlgCreate1Sz_wchar_t
		push	4
		pop	ecx
		lea	eax, [esp+80h+var_70]
		mov	[esp+80h+var_70], ebx
		mov	[esp+80h+var_28], eax
		xor	edx, edx
		lea	eax, [esp+80h+var_6C]
		mov	[esp+80h+var_24], edx
		mov	[esp+80h+var_18], eax
		lea	eax, [esp+80h+var_68]
		push	eax
		push	6
		push	edx
		push	edx
		push	offset loc_420E88
		push	offset dword_6B23F8
		mov	[esp+98h+var_20], ecx
		mov	[esp+98h+var_1C], edx
		mov	[esp+98h+var_6C], esi
		mov	[esp+98h+var_14], edx
		mov	[esp+98h+var_10], ecx
		mov	[esp+98h+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_842BFD:				; CODE XREF: PopLogPowerRequestAction(x,x,x)+45j
		mov	ecx, [esp+80h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_842C11:				; CODE XREF: PopLogPowerRequestAction(x,x,x)+25j
		mov	esi, [eax]
		jmp	loc_842B77
_PopLogPowerRequestAction@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerRequestDeleteEntryById(x)
_PopPowerRequestDeleteEntryById@4 proc near ; CODE XREF: PopPowerRequestCleanUp(x)+C4p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		push	esi
		push	eax
		mov	esi, offset _PopPowerRequestTable
		mov	[ebp+var_4], ecx
		push	esi
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		test	eax, eax
		jz	short loc_842C41
		push	eax
		push	esi
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)

loc_842C41:				; CODE XREF: PopPowerRequestDeleteEntryById(x)+20j
		pop	esi
		leave
		retn
_PopPowerRequestDeleteEntryById@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerRequestIsExecutionRequiredCapable(x)
_PopPowerRequestIsExecutionRequiredCapable@4 proc near
					; CODE XREF: PopPowerRequestCleanUp(x)+83p
					; PopHandleExecutionRequiredPowerRequestUpdate(x)+22p ...
		xor	edx, edx
		cmp	[ecx+54h], edx
		jz	short loc_842C54
		mov	eax, [ecx+40h]
		cmp	[eax], edx
		jz	short loc_842C54
		mov	dl, 1

loc_842C54:				; CODE XREF: PopPowerRequestIsExecutionRequiredCapable(x)+5j
					; PopPowerRequestIsExecutionRequiredCapable(x)+Cj
		mov	al, dl
		retn
_PopPowerRequestIsExecutionRequiredCapable@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerRequestInsertElementNoLock(x)
_PopPowerRequestInsertElementNoLock@4 proc near	; CODE XREF: PopCreatePowerRequestObject+45p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], edi
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PopPowerRequestLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		push	edi		; int
		mov	dword_6C3884, eax
		lea	eax, [ebp+var_8]
		push	8		; size_t
		push	eax		; void *
		push	offset _PopPowerRequestTable ; int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		mov	esi, eax
		cmp	dword_6C3884, edi
		jz	short loc_842CB2
		mov	dword_6C3884, edi

loc_842CB2:				; CODE XREF: PopPowerRequestInsertElementNoLock(x)+52j
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PopPowerRequestInsertElementNoLock@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopAnsiStringToUnicodeString proc near	; CODE XREF: PopAvlGetPowerRequestKey(x,x)+68p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009268A8 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		push	esi
		push	eax
		mov	[ebp+var_C], eax
		call	_RtlxAnsiStringToUnicodeSize@4 ; RtlxAnsiStringToUnicodeSize(x)
		mov	ecx, eax
		lea	esi, [ebx+4]
		mov	eax, 0FFFFh
		mov	[ebp+var_4], ecx
		cmp	ecx, eax
		ja	loc_9268A8

loc_842CF4:				; CODE XREF: PopAnsiStringToUnicodeString+E3BEEj
		push	edi
		mov	edi, esi
		cmp	dword ptr [edi], 0
		jnz	loc_9268BB

loc_842D00:				; CODE XREF: PopAnsiStringToUnicodeString+E3BFFj
		push	54515750h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_8], eax
		mov	esi, edi
		test	eax, eax
		jz	short loc_842D2E
		mov	ecx, [edi]
		test	ecx, ecx
		jnz	loc_9268CC

loc_842D20:				; CODE XREF: PopAnsiStringToUnicodeString+E3C0Fj
		mov	[edi], eax
		xor	eax, eax
		mov	[ebx], ax
		mov	eax, [ebp+var_4]
		mov	[ebx+2], ax

loc_842D2E:				; CODE XREF: PopAnsiStringToUnicodeString+4Cj
					; PopAnsiStringToUnicodeString+E3BF9j
		pop	edi

loc_842D2F:				; CODE XREF: PopAnsiStringToUnicodeString+E3BE3j
		push	0
		push	[ebp+var_C]
		push	ebx
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	short loc_842D4B
		movzx	edx, word ptr [ebx]
		mov	ecx, [esi]
		shr	edx, 1
		xor	esi, esi
		mov	[ecx+edx*2], si

loc_842D4B:				; CODE XREF: PopAnsiStringToUnicodeString+74j
		pop	esi
		pop	ebx
		leave
		retn	8
PopAnsiStringToUnicodeString endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopInsertPowerRequestObject proc near	; CODE XREF: PopCreateUserPowerRequest(x,x,x)+E0p
					; PopCreateKernelPowerRequest(x,x)+59p

; FUNCTION CHUNK AT 009268DC SIZE 00000026 BYTES

		test	dl, dl
		jnz	loc_9268DC
		mov	eax, dword_6C390C
		mov	edx, offset _PopPowerRequestObjectList
		cmp	[eax], edx
		jnz	short loc_842D7C
		inc	_PopPowerRequestObjectCount
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	dword_6C390C, ecx
		retn
; 

loc_842D7C:				; CODE XREF: PopInsertPowerRequestObject+14j
					; PopInsertPowerRequestObject+E3B96j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall PopProcessDisplayRequiredChange(x, x)
_PopProcessDisplayRequiredChange@8:	; CODE XREF: PopPowerRequestCleanUp(x)+1F1p
					; PoSetPowerRequestInternal+1C3p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		test	edx, edx
		jz	short loc_842D9B
		mov	eax, edx
		cdq
		push	edx
		push	eax
		push	0Ch
		pop	edx
		call	_PoEnergyContextUpdateComponentPower@16	; PoEnergyContextUpdateComponentPower(x,x,x,x)

loc_842D9B:				; CODE XREF: PopInsertPowerRequestObject+3Aj
		mov	esp, ebp
		pop	ebp
		retn
PopInsertPowerRequestObject endp ; sp =	 4

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopNotifySessionUserPowerRequestDeleted	proc near
					; CODE XREF: PopPowerRequestCleanUp(x)+1D8p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h

; FUNCTION CHUNK AT 00926902 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		cmp	ds:_TtmpEnabled, 1
		push	esi
		mov	esi, edx
		jz	short loc_842DC4

loc_842DB4:				; CODE XREF: PopNotifySessionUserPowerRequestDeleted+29j
		cmp	_PopPowerRequestNotificationsEnabled, 0
		jnz	loc_926902

loc_842DC1:				; CODE XREF: PopNotifySessionUserPowerRequestDeleted+E3B89j
		pop	esi
		leave
		retn
; 

loc_842DC4:				; CODE XREF: PopNotifySessionUserPowerRequestDeleted+12j
		call	_TtmNotifySessionPowerRequestDeleted@8 ; TtmNotifySessionPowerRequestDeleted(x,x)
		jmp	short loc_842DB4
PopNotifySessionUserPowerRequestDeleted	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopUpdatePowerRequestProcessWakeCounter(x, x)
_PopUpdatePowerRequestProcessWakeCounter@8 proc	near
					; CODE XREF: PopPowerRequestCleanUp(x)+8Ep
					; PopHandleExecutionRequiredPowerRequestUpdate(x):loc_7636EBp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	al, [esi+50h]
		test	dl, dl
		jz	short loc_842DF8
		test	al, al
		jnz	short loc_842E21
		cmp	dword_6D6FF8, 0
		jz	short loc_842E21
		call	_PopStatsMarkPowerRequestActive@8 ; PopStatsMarkPowerRequestActive(x,x)
		push	1
		call	dword_6D6FF8
		mov	byte ptr [esi+50h], 1
		pop	esi
		retn
; 

loc_842DF8:				; CODE XREF: PopUpdatePowerRequestProcessWakeCounter(x,x)+Aj
		test	al, al
		jz	short loc_842E0F
		push	0
		call	dword_6D6FF8
		mov	ecx, esi
		mov	byte ptr [esi+50h], 0
		call	_PopStatsMarkPowerRequestInactive@8 ; PopStatsMarkPowerRequestInactive(x,x)

loc_842E0F:				; CODE XREF: PopUpdatePowerRequestProcessWakeCounter(x,x)+2Ej
		mov	eax, [esi+58h]
		test	eax, eax
		jz	short loc_842E21
		push	esi
		push	eax
		call	_PsReleaseProcessWakeCounter@8 ; PsReleaseProcessWakeCounter(x,x)
		and	dword ptr [esi+58h], 0

loc_842E21:				; CODE XREF: PopUpdatePowerRequestProcessWakeCounter(x,x)+Ej
					; PopUpdatePowerRequestProcessWakeCounter(x,x)+17j ...
		pop	esi
		retn
_PopUpdatePowerRequestProcessWakeCounter@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopAvlDeleteStatsForPowerRequest(x)
_PopAvlDeleteStatsForPowerRequest@4 proc near
					; CODE XREF: PopDereferencePowerRequestStats(x)+37p
					; PopPublishAndPurgePowerRequestStats(x,x,x)+2C3p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi

loc_842E31:				; CODE XREF: PopAvlDeleteStatsForPowerRequest(x)+20j
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	_PopGetStopWatchByRequestType@12 ; PopGetStopWatchByRequestType(x,x,x)
		test	eax, eax
		jnz	short loc_842E69

loc_842E40:				; CODE XREF: PopAvlDeleteStatsForPowerRequest(x)+4Cj
		inc	esi
		cmp	esi, 4
		jb	short loc_842E31
		mov	eax, [edi+4]
		push	edi
		mov	[ebp+var_8], eax
		mov	eax, [edi+8]
		push	offset _PowerRequestStatsDatabase
		mov	[ebp+var_4], eax
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		lea	ecx, [ebp+var_8]
		call	_PopFreeUnicodeString@4	; PopFreeUnicodeString(x)
		pop	edi
		pop	esi
		leave
		retn
; 

loc_842E69:				; CODE XREF: PopAvlDeleteStatsForPowerRequest(x)+1Aj
		mov	ecx, eax
		call	_PoUninitializeStopWatch@4 ; PoUninitializeStopWatch(x)
		jmp	short loc_842E40
_PopAvlDeleteStatsForPowerRequest@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopPausePowerRequestStats(x)
_PopPausePowerRequestStats@4 proc near	; CODE XREF: PopDereferencePowerRequestStats(x)+1Dp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi

loc_842E7A:				; CODE XREF: PopPausePowerRequestStats(x)+1Dj
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	_PopGetStopWatchByRequestType@12 ; PopGetStopWatchByRequestType(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_842E94

loc_842E8B:				; CODE XREF: PopPausePowerRequestStats(x)+29j
					; PopPausePowerRequestStats(x)+30j
		inc	esi
		cmp	esi, 4
		jb	short loc_842E7A
		pop	edi
		pop	esi
		retn
; 

loc_842E94:				; CODE XREF: PopPausePowerRequestStats(x)+17j
		call	_PoIsRunningStopWatch@4	; PoIsRunningStopWatch(x)
		test	al, al
		jz	short loc_842E8B
		call	_PoPauseStopWatch@4 ; PoPauseStopWatch(x)
		jmp	short loc_842E8B
_PopPausePowerRequestStats@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIsDataAccruedByPowerRequestStats(x)
_PopIsDataAccruedByPowerRequestStats@4 proc near
					; CODE XREF: PopDereferencePowerRequestStats(x)+24p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	esi, ebx

loc_842EBA:				; CODE XREF: PopIsDataAccruedByPowerRequestStats(x)+28j
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_PopGetStopWatchByRequestType@12 ; PopGetStopWatchByRequestType(x,x,x)
		test	eax, eax
		jnz	short loc_842ED0

loc_842EC8:				; CODE XREF: PopIsDataAccruedByPowerRequestStats(x)+3Dj
					; PopIsDataAccruedByPowerRequestStats(x)+42j
		inc	esi
		cmp	esi, 4
		jb	short loc_842EBA
		jmp	short loc_842EEA
; 

loc_842ED0:				; CODE XREF: PopIsDataAccruedByPowerRequestStats(x)+22j
		push	ecx
		push	ebx
		lea	edx, [ebp+var_8]
		mov	ecx, eax
		call	PoQueryStopWatch
		cmp	[ebp+var_4], ebx
		ja	short loc_842EE8
		jb	short loc_842EC8
		cmp	[ebp+var_8], ebx
		jbe	short loc_842EC8

loc_842EE8:				; CODE XREF: PopIsDataAccruedByPowerRequestStats(x)+3Bj
		mov	bl, 1

loc_842EEA:				; CODE XREF: PopIsDataAccruedByPowerRequestStats(x)+2Aj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_PopIsDataAccruedByPowerRequestStats@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopGetStopWatchByRequestType(x, x, x)
_PopGetStopWatchByRequestType@12 proc near
					; CODE XREF: PopStatsMarkPowerRequestActive(x,x)+44p
					; PopStatsMarkPowerRequestInactive(x,x)+44p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, edx
		push	esi
		xor	esi, esi
		lea	edx, [eax-3]
		neg	edx
		sbb	edx, edx
		not	edx
		and	edx, offset _ExecutionRequiredStopWatchCollection
		jnz	short loc_842F14

loc_842F0D:				; CODE XREF: PopGetStopWatchByRequestType(x,x,x)+33j
					; PopGetStopWatchByRequestType(x,x,x)+3Cj ...
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_842F14:				; CODE XREF: PopGetStopWatchByRequestType(x,x,x)+19j
		imul	eax, 28h
		lea	esi, [ecx+10h]
		add	esi, eax
		mov	ecx, esi
		call	_CmpIsWriteQueueActive@4 ; CmpIsWriteQueueActive(x)
		test	al, al
		jnz	short loc_842F0D
		cmp	[ebp+arg_0], al
		jnz	short loc_842F30
		xor	esi, esi
		jmp	short loc_842F0D
; 

loc_842F30:				; CODE XREF: PopGetStopWatchByRequestType(x,x,x)+38j
		call	_PoInitializeStopWatch@8 ; PoInitializeStopWatch(x,x)
		jmp	short loc_842F0D
_PopGetStopWatchByRequestType@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopExecutionRequiredCallback(x, x, x)
_PopExecutionRequiredCallback@12 proc near ; DATA XREF:	.data:006B1484o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	3
		pop	edx
		call	_PopHandleConvergedPowerRequestUpdate@8	; PopHandleConvergedPowerRequestUpdate(x,x)
		xor	eax, eax
		pop	ebp
		retn	0Ch
_PopExecutionRequiredCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeIsAppContainerOrIdentifyLevelContext(x, x)
_SeIsAppContainerOrIdentifyLevelContext@8 proc near
					; CODE XREF: IopDoFullTraverseCheck(x,x,x)+23p
					; IopIsSecurityContextAppContainer(x)+Dp ...

var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+30h+var_14], edx
		lea	edi, [esp+30h+var_10]
		mov	byte ptr [edx],	1
		stosd
		xor	ebx, ebx
		mov	esi, ecx
		mov	[esp+30h+var_1C], ebx
		mov	[esp+30h+var_18], ebx
		mov	[esp+30h+var_1D], bl
		stosd
		stosd
		stosd
		test	esi, esi
		jnz	short loc_842FA7
		lea	eax, [esp+30h+var_10]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		lea	esi, [esp+30h+var_10]
		mov	[esp+30h+var_1D], 1

loc_842FA7:				; CODE XREF: SeIsAppContainerOrIdentifyLevelContext(x,x)+31j
		lea	eax, [esp+30h+var_1C]
		push	eax
		lea	eax, [esp+34h+var_18]
		push	eax
		push	1
		push	offset _SystemContextGenericMapping
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	esi
		push	ds:_SeNullDaclSd
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		test	al, al
		jz	short loc_842FD3
		mov	eax, [esp+30h+var_14]
		mov	[eax], bl

loc_842FD3:				; CODE XREF: SeIsAppContainerOrIdentifyLevelContext(x,x)+7Dj
		cmp	[esp+30h+var_1C], 0C0000022h
		jz	short loc_842FE1
		mov	ebx, [esp+30h+var_1C]

loc_842FE1:				; CODE XREF: SeIsAppContainerOrIdentifyLevelContext(x,x)+8Dj
		cmp	[esp+30h+var_1D], 0
		jz	short loc_842FEE
		push	esi
		call	SeReleaseSubjectContext

loc_842FEE:				; CODE XREF: SeIsAppContainerOrIdentifyLevelContext(x,x)+98j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_SeIsAppContainerOrIdentifyLevelContext@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspLocateInPEManifest proc near		; CODE XREF: PspSetupUserProcessAddressSpace+BBp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092692E SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	ecx, [ecx+160h]
		xor	eax, eax
		push	esi
		push	eax
		push	eax
		mov	[ebp+var_8], eax
		mov	esi, edx
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		mov	[ebp+var_10], 18h
		lea	eax, [esi+0B8h]
		mov	[ebp+var_C], 1
		push	eax
		push	30h
		push	3
		lea	eax, [ebp+var_10]
		push	eax
		push	ecx
		call	_LdrResSearchResource@32 ; LdrResSearchResource(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_84305A
		mov	eax, [ebp+var_4]
		or	byte ptr [esi+8], 20h
		mov	[esi+0BCh], eax
		mov	eax, [esi+7Ch]
		or	dword ptr [eax+8], 2000h

loc_843055:				; CODE XREF: PspLocateInPEManifest+67j
					; PspLocateInPEManifest+6Ej ...
		xor	eax, eax

loc_843057:				; CODE XREF: PspLocateInPEManifest+E3941j
		pop	esi
		leave
		retn
; 

loc_84305A:				; CODE XREF: PspLocateInPEManifest+44j
		cmp	eax, 0C000008Ah
		jz	short loc_843055
		cmp	eax, 0C0000089h
		jz	short loc_843055
		cmp	eax, 0C000008Bh
		jz	short loc_843055
		jmp	loc_92692E
PspLocateInPEManifest endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1349. LdrResSearchResource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrResSearchResource(x, x, x, x, x,	x, x, x)
		public _LdrResSearchResource@32
_LdrResSearchResource@32 proc near	; CODE XREF: PspLocateInPEManifest+3Dp
					; LdrResFindResource(x,x,x,x,x,x,x,x,x)+3Bp ...

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		push	50h
		push	offset dword_6A6FD8
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_5C], eax
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_10]
		mov	[ebp+var_4C], edx
		mov	edx, [ebp+arg_14]
		mov	[ebp+var_48], edx
		mov	ebx, [ebp+arg_18]
		mov	[ebp+var_44], ebx
		mov	esi, [ebp+arg_1C]
		mov	[ebp+var_40], esi
		xor	edi, edi
		mov	[ebp+var_38], edi
		test	eax, eax
		jz	loc_8433E7
		test	ecx, ecx
		jz	loc_8433E7
		test	ebx, ebx
		jz	short loc_8430C8
		test	esi, esi
		jz	loc_8433E7

loc_8430C8:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+44j
		mov	ebx, [ebp+arg_C]
		mov	edi, 0C00h
		test	ebx, edi
		jz	short loc_8430DE

loc_8430D4:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+86j
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+DDj ...
		mov	esi, 0C00000F2h
		jmp	loc_8433EC
; 

loc_8430DE:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+58j
		test	ebx, 0F00h
		jnz	short loc_8430EC
		or	ebx, 100h

loc_8430EC:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+6Aj
		test	ebx, 2000h
		jnz	short loc_8430FA
		or	ebx, 1000h

loc_8430FA:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+78j
		test	ebx, 0FFF00000h
		jnz	short loc_8430D4
		mov	esi, [ebp+arg_8]
		cmp	esi, 3
		jnb	short loc_84310F
		test	bl, 2
		jz	short loc_843114

loc_84310F:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+8Ej
		cmp	esi, 4
		jbe	short loc_84311E

loc_843114:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+93j
		mov	esi, 0C00000F1h
		jmp	loc_8433EC
; 

loc_84311E:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+98j
		mov	eax, ebx
		and	eax, 41h
		jz	short loc_843134
		cmp	esi, 4
		jz	short loc_843139
		mov	eax, 0C00000F1h
		jmp	loc_8433EE
; 

loc_843134:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+A9j
		cmp	esi, 4
		jnz	short loc_843147

loc_843139:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+AEj
		test	eax, eax
		jnz	short loc_843147
		mov	eax, 0C00000F2h
		jmp	loc_8433EE
; 

loc_843147:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+BDj
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+C1j
		test	ebx, 100h
		jz	short loc_84315C
		test	ebx, 0E00h

loc_843155:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+F0j
		jz	short loc_843174
		jmp	loc_8430D4
; 

loc_84315C:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+D3j
		mov	eax, ebx
		and	eax, edi
		test	ebx, 200h
		jz	short loc_84316C
		test	eax, eax
		jmp	short loc_843155
; 

loc_84316C:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+ECj
		cmp	eax, edi
		jz	loc_8430D4

loc_843174:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x):loc_843155j
		test	ebx, 8000h
		jz	short loc_84318B
		mov	eax, ebx
		not	eax
		test	eax, 810h
		jnz	loc_8430D4

loc_84318B:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+100j
		mov	eax, ebx
		mov	edi, 3000h
		and	eax, edi
		cmp	eax, edi
		jz	loc_8430D4
		mov	eax, ebx
		and	eax, 18h
		cmp	al, 18h
		jz	loc_8430D4
		xor	eax, eax
		mov	[ebp+var_30], eax
		test	ebx, 20000h
		jz	short loc_843200
		mov	[ebp+ms_exc.disabled], eax
		test	ebx, 400h
		jz	short loc_8431D6
		test	edx, edx
		jz	short loc_8431D6
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_8431D6
		mov	[ebp+var_30], eax
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		jmp	short loc_843203
; 

loc_8431D6:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+145j
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+149j ...
		mov	esi, 0C000000Dh

loc_8431DB:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+184j
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+1FDj
		mov	[ebp+var_3C], esi

loc_8431DE:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+246j
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+368j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_8433EC
; 

loc_8431EA:				; DATA XREF: .text:006A6FECo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_50], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8431F8:				; DATA XREF: .text:006A6FF0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_50]
		jmp	short loc_8431DB
; 

loc_843200:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+13Aj
		push	0FFFFFFFEh
		pop	edi

loc_843203:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+15Aj
		test	ebx, 80000h
		jz	short loc_84322A
		mov	[ebp+ms_exc.disabled], 1
		test	ebx, 300h
		jz	short loc_843253
		test	edx, edx
		jz	short loc_843253
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_843253
		mov	[ebp+var_30], eax
		mov	[ebp+ms_exc.disabled], edi

loc_84322A:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+18Fj
		mov	[ebp+ms_exc.disabled], 2
		mov	eax, esi
		shl	eax, 2
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [ebp+var_2C]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], edi
		push	3
		pop	eax
		cmp	esi, eax
		jbe	short loc_84327C
		mov	[ebp+arg_8], eax
		jmp	short loc_84327E
; 

loc_843253:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+19Ej
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+1A2j ...
		mov	esi, 0C000000Dh
		mov	[ebp+var_3C], esi
		mov	[ebp+ms_exc.disabled], edi
		jmp	loc_8433EC
; 

loc_843263:				; DATA XREF: .text:006A6FF8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_54], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_843271:				; DATA XREF: .text:006A6FFCo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_54]
		jmp	loc_8431DB
; 

loc_84327C:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+1D2j
		jnz	short loc_8432F1

loc_84327E:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+1D7j
		mov	ecx, [ebp+var_24] ; void *
		cmp	ecx, 10000h
		jb	short loc_8432C5
		mov	[ebp+ms_exc.disabled], eax
		xor	eax, eax
		cmp	[ecx], ax
		jz	short loc_84329E
		push	2
		pop	edx
		call	_DownLevelLanguageNameToLangID@8 ; DownLevelLanguageNameToLangID(x,x)
		movzx	eax, ax

loc_84329E:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+217j
		mov	[ebp+var_34], eax
		mov	[ebp+ms_exc.disabled], edi
		movzx	eax, ax
		mov	[ebp+var_24], eax
		jmp	short loc_8432F1
; 

loc_8432AC:				; DATA XREF: .text:006A7010o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_58], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8432BA:				; DATA XREF: .text:006A7014o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_58]
		jmp	loc_8431DE
; 

loc_8432C5:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+20Dj
		test	ecx, ecx
		jz	short loc_8432F1
		test	ecx, 3FFh
		jz	loc_8433E7
		cmp	ecx, 7Fh
		jz	loc_8433E7
		push	2
		push	0
		xor	edx, edx
		call	DownLevelLangIDToLanguageName
		test	eax, eax
		jz	loc_8433E7

loc_8432F1:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x):loc_84327Cj
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+230j ...
		mov	esi, ebx
		and	esi, 1000h
		test	ebx, 300h
		jz	short loc_843334
		mov	ecx, [ebp+var_5C]
		mov	eax, ecx
		mov	[ebp+var_38], eax
		test	ebx, 200h
		jz	short loc_84331C
		test	cl, 1
		jnz	short loc_84331C
		or	eax, 1
		mov	[ebp+var_38], eax

loc_84331C:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+295j
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+29Aj
		push	ecx
		push	ebx
		lea	edx, [ebp+var_30]
		mov	ecx, eax
		call	_LdrpResGetMappingSize@16 ; LdrpResGetMappingSize(x,x,x,x)
		test	eax, eax
		jns	short loc_843334
		test	esi, esi
		jnz	loc_8433EE

loc_843334:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+285j
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+2B0j
		push	[ebp+var_40]
		push	[ebp+var_44]
		push	[ebp+var_48]
		push	[ebp+var_4C]
		mov	edi, [ebp+arg_8]
		push	edi
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_38]
		call	LdrpResSearchResourceMappedFile
		mov	esi, eax
		cmp	esi, 0C000008Ah
		jnz	loc_8433EC
		cmp	[ebp+var_2C], 18h
		jz	loc_8433EC
		cmp	[ebp+var_2C], 10h
		jz	short loc_8433EC
		xor	eax, eax
		mov	[ebp+var_34], eax
		push	1000000h
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		mov	edx, 0F2EEh
		mov	ecx, [ebp+var_38]
		call	LdrLoadAlternateResourceModuleEx
		test	eax, eax
		js	short loc_8433EC
		and	[ebp+var_30], 0
		push	ecx
		push	ebx
		lea	edx, [ebp+var_30]
		mov	ecx, [ebp+var_34]
		call	_LdrpResGetMappingSize@16 ; LdrpResGetMappingSize(x,x,x,x)
		test	eax, eax
		js	short loc_8433EC
		push	[ebp+var_40]
		push	[ebp+var_44]
		push	[ebp+var_48]
		push	[ebp+var_4C]
		push	edi
		lea	eax, [ebp+var_2C]
		push	eax
		or	ebx, 1000000h
		push	ebx
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_34]
		call	LdrpResSearchResourceMappedFile
		mov	esi, eax
		jmp	short loc_8433EC
; 

loc_8433CE:				; DATA XREF: .text:006A7004o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_60], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8433DC:				; DATA XREF: .text:006A7008o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_60]
		jmp	loc_8431DE
; 

loc_8433E7:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+34j
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+3Cj ...
		mov	esi, 0C000000Dh

loc_8433EC:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+5Fj
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+9Fj ...
		mov	eax, esi

loc_8433EE:				; CODE XREF: LdrResSearchResource(x,x,x,x,x,x,x,x)+B5j
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+C8j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
_LdrResSearchResource@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrpResGetMappingSize(x, x,	x, x)
_LdrpResGetMappingSize@16 proc near	; CODE XREF: LdrpResSearchResourceMappedFile+B2BAEp
					; LdrResSearchResource(x,x,x,x,x,x,x,x)+2A9p ...

var_50		= dword	ptr -50h
var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	40h
		push	offset dword_6A7018
		call	__SEH_prolog4
		mov	ebx, edx
		mov	edx, ecx
		mov	[ebp+var_34], edx
		and	[ebp+var_20], 0
		push	7
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_50]
		rep stosd
		test	edx, edx
		jz	loc_843553
		test	ebx, ebx
		jz	loc_843553
		xor	ecx, ecx
		mov	[ebp+var_28], ecx
		test	[ebp+arg_0], 80000h
		jz	short loc_843446
		mov	esi, [ebx]
		jmp	loc_843540
; 

loc_843446:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+3Dj
		test	[ebp+arg_0], 20000h
		jz	short loc_843454
		mov	eax, [ebx]
		mov	[ebp+var_28], eax

loc_843454:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+4Dj
		and	[ebx], ecx
		xor	esi, esi
		xor	edi, edi
		mov	[ebp+var_19], cl
		test	[ebp+arg_0], 100h
		jz	short loc_84346F
		test	dl, 1
		jnz	short loc_84346F
		mov	[ebp+var_19], 1

loc_84346F:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+64j
					; LdrpResGetMappingSize(x,x,x,x)+69j
		mov	eax, edx
		and	eax, 0FFFFFFFCh
		mov	[ebp+arg_0], eax
		lea	ecx, [ebp+var_20]
		push	ecx
		push	0
		push	0
		push	eax
		push	1
		call	RtlImageNtHeaderEx
		test	eax, eax
		js	loc_843558
		and	[ebp+ms_exc.disabled], esi
		mov	edi, [ebp+var_20]
		movzx	ecx, word ptr [edi+18h]
		mov	edx, 10Bh
		cmp	cx, dx
		jz	short loc_8434AD
		mov	edx, 20Bh
		cmp	cx, dx
		jnz	short loc_8434B5

loc_8434AD:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+A1j
		mov	edi, [edi+50h]
		mov	[ebp+var_24], edi
		jmp	short loc_8434C2
; 

loc_8434B5:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+ABj
		xor	edi, edi
		mov	[ebp+var_24], edi
		mov	eax, 0C000007Bh
		mov	[ebp+var_30], eax

loc_8434C2:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+B3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	eax, eax
		js	loc_843558
		cmp	[ebp+var_19], 0
		jz	short loc_8434DB
		test	edi, edi
		jnz	short loc_843537

loc_8434DB:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+D5j
		mov	ecx, [ebp+var_34]
		call	_LdrpKrnGetDataTableEntry@4 ; LdrpKrnGetDataTableEntry(x)
		test	eax, eax
		jz	short loc_8434EA
		mov	esi, [eax+20h]

loc_8434EA:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+E5j
		test	esi, esi
		jz	short loc_843512
		xor	eax, eax
		jmp	short loc_84352D
; 

loc_8434F2:				; DATA XREF: .text:006A702Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_843500:				; DATA XREF: .text:006A7030o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_30], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_843558
; 

loc_843512:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+ECj
		push	0
		push	1Ch
		lea	eax, [ebp+var_50]
		push	eax
		push	3
		push	[ebp+arg_0]
		push	0FFFFFFFFh
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_84352D
		mov	esi, [ebp+var_44]

loc_84352D:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+F0j
					; LdrpResGetMappingSize(x,x,x,x)+128j
		test	esi, esi
		jnz	short loc_843539
		test	edi, edi
		jz	short loc_843539
		xor	eax, eax

loc_843537:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+D9j
		mov	esi, edi

loc_843539:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+12Fj
					; LdrpResGetMappingSize(x,x,x,x)+133j
		test	eax, eax
		js	short loc_843558
		mov	ecx, [ebp+var_28]

loc_843540:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+41j
		test	ecx, ecx
		jz	short loc_84354F
		cmp	ecx, esi
		jnb	short loc_84354F
		mov	eax, 0C000001Fh
		jmp	short loc_843558
; 

loc_84354F:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+142j
					; LdrpResGetMappingSize(x,x,x,x)+146j
		mov	[ebx], esi
		jmp	short loc_843558
; 

loc_843553:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+23j
					; LdrpResGetMappingSize(x,x,x,x)+2Bj
		mov	eax, 0C000000Dh

loc_843558:				; CODE XREF: LdrpResGetMappingSize(x,x,x,x)+89j
					; LdrpResGetMappingSize(x,x,x,x)+CBj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_LdrpResGetMappingSize@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpResSearchResourceInsideDirectory proc near
					; CODE XREF: LdrpResSearchResourceMappedFile+2ADp

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 0092693E SIZE 00000173 BYTES
; FUNCTION CHUNK AT 00926ACA SIZE 0000000A BYTES

		push	7Ch
		push	offset dword_6A7060
		call	__SEH_prolog4
		mov	ebx, ecx
		xor	esi, esi
		mov	[ebp+var_5C], esi
		mov	eax, esi
		mov	[ebp+var_70], eax
		mov	[ebp+var_3C], esi
		mov	[ebp+var_60], eax
		mov	[ebp+var_50], esi
		mov	[ebp+var_20], esi
		cmp	[ebp+arg_4], eax
		jz	loc_926ACA
		cmp	[ebp+arg_8], eax
		jz	loc_926ACA
		cmp	[ebp+arg_10], eax
		jz	loc_926ACA
		mov	edx, [ebp+arg_14]
		lea	eax, [edx-1]
		cmp	eax, 3
		ja	loc_926ACA
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_2C], eax
		test	eax, 8000h
		jnz	loc_926ACA
		mov	ecx, eax
		and	ecx, 1000h
		mov	[ebp+var_24], ecx
		setnz	al
		mov	byte ptr [ebp+var_64], al
		mov	eax, [ebp+var_2C]
		mov	edi, 8800h
		and	eax, edi
		test	ecx, ecx
		jz	short loc_8435F1
		cmp	[ebp+arg_0], esi
		jz	loc_926ACA

loc_8435F1:				; CODE XREF: LdrpResSearchResourceInsideDirectory+7Cj
		cmp	eax, edi
		jz	loc_926ACA
		test	ebx, ebx
		jz	loc_926ACA
		cmp	eax, edi
		jz	loc_926ACA
		mov	[ebp+var_58], edx
		mov	eax, [ebp+arg_4]
		mov	edi, eax
		mov	edx, esi
		mov	[ebp+var_28], edx
		mov	[ebp+var_48], esi
		cmp	[ebp+arg_28], edx
		jz	short loc_84362A
		mov	edx, [ebp+arg_28]
		xor	eax, eax
		mov	[edx], ax
		mov	edx, esi
		mov	eax, edi

loc_84362A:				; CODE XREF: LdrpResSearchResourceInsideDirectory+B2j
		mov	[ebp+ms_exc.disabled], esi
		mov	[ebp+var_68], 8

loc_843634:				; CODE XREF: LdrpResSearchResourceInsideDirectory+2AFj
		test	edi, edi
		jz	loc_843915
		mov	eax, [ebp+var_58]
		mov	ecx, eax
		dec	ecx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_80], ecx
		test	eax, eax
		mov	ecx, [ebp+var_24]
		jz	loc_9269F5
		mov	eax, [ebp+arg_10]
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_54], eax
		cmp	[ebp+var_58], 0
		jz	loc_84387C

loc_843668:				; CODE XREF: LdrpResSearchResourceInsideDirectory+316j
					; LdrpResSearchResourceInsideDirectory+34Dj ...
		test	ecx, ecx
		jz	short loc_843698
		lea	eax, [ebp+var_20]
		push	eax
		push	18h
		pop	edx
		mov	ecx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_843D34
		mov	ecx, ebx
		and	ecx, 0FFFFFFFCh
		add	ecx, [ebp+arg_0]
		lea	eax, [edi+18h]
		cmp	eax, ecx
		ja	loc_843D34
		mov	ecx, [ebp+var_24]

loc_843698:				; CODE XREF: LdrpResSearchResourceInsideDirectory+100j
		movzx	edx, word ptr [edi+0Ch]
		mov	[ebp+var_40], edx
		mov	[ebp+var_4C], edx
		test	edx, edx
		jnz	loc_843A79

loc_8436AA:				; CODE XREF: LdrpResSearchResourceInsideDirectory+511j
					; LdrpResSearchResourceInsideDirectory+562j
		lea	eax, [edi+10h]
		mov	[ebp+var_38], eax
		mov	[ebp+var_44], eax
		test	[ebp+var_3C], 0FFFF0000h
		jnz	loc_843D1F
		test	edx, edx
		jnz	loc_843AD1

loc_8436C8:				; CODE XREF: LdrpResSearchResourceInsideDirectory+58Fj
		movzx	edx, word ptr [edi+0Eh]
		mov	[ebp+var_40], edx
		mov	[ebp+var_4C], edx
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jz	short loc_843727
		mov	eax, edx
		mul	[ebp+var_68]
		push	edx
		push	eax
		lea	ecx, [ebp+var_50]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_843D34
		lea	eax, [ebp+var_20]
		push	eax
		mov	edi, [ebp+var_50]
		mov	edx, edi
		mov	ecx, [ebp+var_38]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_843D34
		mov	edx, [ebp+var_40]
		mov	[ebp+var_40], edx
		mov	ecx, ebx
		and	ecx, 0FFFFFFFCh
		add	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_38]
		add	eax, edi
		cmp	eax, ecx
		ja	loc_843D34

loc_843724:				; CODE XREF: LdrpResSearchResourceInsideDirectory+7B8j
		mov	ecx, [ebp+var_24]

loc_843727:				; CODE XREF: LdrpResSearchResourceInsideDirectory+16Dj
		test	edx, edx
		jz	loc_843D17
		mov	eax, [ebp+var_2C]

loc_843732:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E3486j
		cmp	[ebp+var_48], 0
		jnz	loc_8438CC

loc_84373C:				; CODE XREF: LdrpResSearchResourceInsideDirectory+364j
					; LdrpResSearchResourceInsideDirectory+E3465j
		mov	edi, esi
		mov	[ebp+var_34], edi
		mov	eax, [ebp+var_38]
		mov	[ebp+var_44], eax
		mov	ecx, [ebp+var_40]
		lea	eax, [eax+ecx*8]
		add	eax, 0FFFFFFF8h
		mov	[ebp+var_6C], eax

loc_843753:				; CODE XREF: LdrpResSearchResourceInsideDirectory+30Dj
		mov	eax, ecx
		mov	[ebp+var_4C], eax
		mov	[ebp+var_54], ecx

loc_84375B:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E341Ej
		mov	ecx, [ebp+var_24]
		mov	edx, [ebp+var_6C]
		cmp	[ebp+var_44], edx
		mov	edx, [ebp+var_28]
		ja	loc_8437FA
		mov	edx, [ebp+var_54]
		mov	[ebp+var_4C], edx
		sar	[ebp+var_4C], 1
		mov	edx, [ebp+var_28]
		jnz	loc_84381E
		cmp	[ebp+var_54], edi
		jz	short loc_8437FA
		lea	eax, [ebp+var_5C]
		push	eax
		push	[ebp+var_2C]
		push	[ebp+var_44]
		push	[ebp+arg_4]
		push	[ebp+var_3C]
		push	[ebp+arg_0]
		mov	ecx, ebx
		call	LdrpResCompareResourceNames
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	loc_926958
		mov	ecx, [ebp+var_24]
		cmp	[ebp+var_5C], edi
		jnz	loc_843B57
		mov	eax, [ebp+var_44]
		mov	edx, [eax+4]
		test	edx, edx
		jns	loc_843B5F

loc_8437C3:				; CODE XREF: LdrpResSearchResourceInsideDirectory+5B3j
		test	ecx, ecx
		jz	loc_92698D
		cmp	[ebp+var_48], edi
		jnz	loc_843D34
		lea	eax, [ebp+var_20]
		push	eax
		and	edx, 7FFFFFFFh
		mov	ecx, [ebp+arg_4]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_843D34
		mov	edi, [ebp+var_20]
		mov	[ebp+var_34], edi
		mov	edx, [ebp+var_28]

loc_8437F7:				; CODE XREF: LdrpResSearchResourceInsideDirectory+623j
		mov	ecx, [ebp+var_24]

loc_8437FA:				; CODE XREF: LdrpResSearchResourceInsideDirectory+1FDj
					; LdrpResSearchResourceInsideDirectory+218j ...
		mov	eax, [ebp+arg_4]

loc_8437FD:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E340Fj
					; LdrpResSearchResourceInsideDirectory+E3436j
		cmp	[ebp+var_48], 0
		jnz	loc_843AFE

loc_843807:				; CODE XREF: LdrpResSearchResourceInsideDirectory+596j
					; LdrpResSearchResourceInsideDirectory+E3474j
		mov	eax, [ebp+arg_10]
		add	eax, 4
		mov	[ebp+arg_10], eax
		mov	[ebp+var_8C], eax
		mov	eax, [ebp+arg_4]
		jmp	loc_843634
; 

loc_84381E:				; CODE XREF: LdrpResSearchResourceInsideDirectory+20Fj
		and	al, 1
		mov	[ebp+var_74], eax
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_44]
		lea	eax, [ecx+eax*8]
		mov	[ebp+var_54], eax
		jnz	short loc_843837
		add	eax, 0FFFFFFF8h
		mov	[ebp+var_54], eax

loc_843837:				; CODE XREF: LdrpResSearchResourceInsideDirectory+2C5j
		lea	ecx, [ebp+var_5C]
		push	ecx
		push	[ebp+var_2C]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+var_3C]
		push	[ebp+arg_0]
		mov	ecx, ebx
		call	LdrpResCompareResourceNames
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	loc_926958
		mov	eax, [ebp+var_5C]
		test	eax, eax
		mov	eax, [ebp+var_54]
		jz	loc_843B15
		js	loc_843B9C
		add	eax, 8
		mov	[ebp+var_44], eax

loc_843874:				; CODE XREF: LdrpResSearchResourceInsideDirectory+63Cj
		mov	ecx, [ebp+var_4C]
		jmp	loc_843753
; 

loc_84387C:				; CODE XREF: LdrpResSearchResourceInsideDirectory+F8j
		cmp	[ebp+arg_14], 3
		jnz	loc_843668
		mov	eax, edi
		mov	[ebp+var_48], eax
		mov	[ebp+var_84], eax
		mov	edx, [ebp+arg_18]
		test	edx, edx
		jz	loc_92693E
		movzx	eax, word ptr [edx]
		mov	[ebp+var_70], eax
		mov	[ebp+var_88], eax
		mov	eax, esi
		mov	[ebp+var_60], eax
		mov	[ebp+var_78], eax
		mov	eax, [ebp+var_2C]
		not	eax
		test	al, 4
		jz	loc_843668
		movzx	eax, word ptr [edx+4]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_54], eax
		jmp	loc_843668
; 

loc_8438CC:				; CODE XREF: LdrpResSearchResourceInsideDirectory+1CCj
		test	al, 20h
		jz	loc_84373C
		mov	edi, esi
		mov	[ebp+var_34], edi
		test	ecx, ecx
		jz	loc_926948
		lea	eax, [ebp+var_20]
		push	eax
		mov	eax, [ebp+var_38]
		mov	edx, [eax+4]
		mov	ecx, [ebp+arg_4]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_843D34
		mov	edx, [ebp+var_20]
		mov	eax, [ebp+arg_4]

loc_843901:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E33E9j
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		mov	ecx, [ebp+var_38]
		mov	ecx, [ecx]
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_54], ecx
		mov	ecx, [ebp+var_24]

loc_843915:				; CODE XREF: LdrpResSearchResourceInsideDirectory+CCj
					; LdrpResSearchResourceInsideDirectory+5A0j ...
		and	[ebp+var_2C], 2
		test	edx, edx
		jz	loc_843B28
		cmp	[ebp+var_2C], 0
		jnz	loc_843B28
		test	ecx, ecx
		jz	short loc_84394A
		cmp	edx, eax
		jbe	loc_9269FD
		mov	ecx, ebx
		and	ecx, 0FFFFFFFCh
		add	ecx, [ebp+arg_0]
		lea	eax, [edx+10h]
		cmp	eax, ecx
		ja	loc_9269FD

loc_84394A:				; CODE XREF: LdrpResSearchResourceInsideDirectory+3C3j
		mov	ecx, [ebp+arg_28]
		test	ecx, ecx
		jz	short loc_843957
		mov	eax, [ebp+var_3C]
		mov	[ecx], ax

loc_843957:				; CODE XREF: LdrpResSearchResourceInsideDirectory+3E5j
		mov	edi, ebx
		and	edi, 0FFFFFFFCh
		test	bl, 1
		jnz	loc_843BB1
		mov	edx, esi

loc_843967:				; CODE XREF: LdrpResSearchResourceInsideDirectory+7A8j
		mov	eax, [ebp+var_28]

loc_84396A:				; CODE XREF: LdrpResSearchResourceInsideDirectory+6D5j
		mov	ecx, [eax+4]
		mov	[ebp+arg_8], ecx
		cmp	[ebp+var_24], 0
		jz	loc_926A31
		lea	ecx, [ebp+var_20]
		push	ecx
		mov	ecx, [eax]
		call	_RtlULongPtrSub@12 ; RtlULongPtrSub(x,x,x)
		test	eax, eax
		js	loc_843D34
		mov	eax, [ebp+var_20]
		mov	[ebp+arg_10], eax
		mov	ecx, [ebp+arg_4]
		sub	ecx, ebx
		cmp	eax, ecx
		jb	loc_9269FD
		cmp	eax, [ebp+arg_0]
		ja	loc_9269FD
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	loc_9269FD
		cmp	ecx, [ebp+arg_0]
		ja	loc_9269FD
		add	eax, ecx
		cmp	eax, [ebp+arg_0]
		ja	loc_9269FD
		mov	eax, [ebp+arg_10]

loc_8439CB:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E34CCj
		mov	ecx, [ebp+arg_1C]
		test	ecx, ecx
		jz	short loc_843A15
		cmp	[ebp+var_24], 0
		jz	loc_926A3B
		lea	ecx, [ebp+var_20]
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_843D34
		cmp	[ebp+var_20], edi
		jb	loc_843D34
		mov	eax, edi
		and	eax, 0FFFFFFFCh
		add	eax, [ebp+arg_0]
		cmp	[ebp+var_20], eax
		ja	loc_843D34
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+arg_1C]

loc_843A11:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E34D8j
		add	eax, edi
		mov	[ecx], eax

loc_843A15:				; CODE XREF: LdrpResSearchResourceInsideDirectory+466j
		mov	eax, [ebp+arg_20]
		test	eax, eax
		jz	short loc_843A5B
		mov	edi, [ebp+arg_8]
		cmp	[ebp+var_24], 0
		jz	short loc_843A59
		test	ecx, ecx
		jz	short loc_843A59
		mov	eax, [ecx]
		mov	[ebp+arg_4], eax
		lea	ecx, [ebp+var_20]
		push	ecx
		mov	edx, edi
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_843D34
		and	ebx, 0FFFFFFFCh
		add	ebx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		add	eax, edi
		cmp	eax, ebx
		ja	loc_843D34
		mov	eax, [ebp+arg_20]

loc_843A59:				; CODE XREF: LdrpResSearchResourceInsideDirectory+4B9j
					; LdrpResSearchResourceInsideDirectory+4BDj
		mov	[eax], edi

loc_843A5B:				; CODE XREF: LdrpResSearchResourceInsideDirectory+4B0j
					; LdrpResSearchResourceInsideDirectory+5E8j ...
		mov	[ebp+var_1C], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi

loc_843A67:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E33F5j
					; LdrpResSearchResourceInsideDirectory+E3565j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	2Ch
; 

loc_843A79:				; CODE XREF: LdrpResSearchResourceInsideDirectory+13Aj
		test	ecx, ecx
		jz	loc_8436AA
		mov	eax, edx
		mul	[ebp+var_68]
		push	edx
		push	eax
		lea	ecx, [ebp+var_50]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_843D34
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, [ebp+var_50]
		add	edx, 10h
		mov	ecx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_843D34
		mov	ecx, ebx
		and	ecx, 0FFFFFFFCh
		add	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_50]
		add	eax, 10h
		add	eax, edi
		cmp	eax, ecx
		ja	loc_843D34
		mov	edx, [ebp+var_40]
		jmp	loc_8436AA
; 

loc_843AD1:				; CODE XREF: LdrpResSearchResourceInsideDirectory+158j
		cmp	[ebp+var_24], 0
		jz	short loc_843AF0
		lea	ecx, [ebp+var_20]
		push	ecx
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_843D34
		mov	eax, [ebp+var_38]
		mov	edx, [ebp+var_40]

loc_843AF0:				; CODE XREF: LdrpResSearchResourceInsideDirectory+56Bj
		lea	eax, [eax+edx*8]
		mov	[ebp+var_38], eax
		mov	[ebp+var_44], eax
		jmp	loc_8436C8
; 

loc_843AFE:				; CODE XREF: LdrpResSearchResourceInsideDirectory+297j
		test	edx, edx
		jnz	loc_843807
		test	byte ptr [ebp+var_2C], 4
		jnz	loc_843915
		jmp	loc_9269A5
; 

loc_843B15:				; CODE XREF: LdrpResSearchResourceInsideDirectory+2F8j
		mov	edx, [eax+4]
		mov	ecx, [ebp+var_24]
		test	edx, edx
		js	loc_8437C3
		jmp	loc_926964
; 

loc_843B28:				; CODE XREF: LdrpResSearchResourceInsideDirectory+3B1j
					; LdrpResSearchResourceInsideDirectory+3BBj
		test	edi, edi
		jnz	loc_926A47

loc_843B30:				; CODE XREF: LdrpResSearchResourceInsideDirectory+7B0j
					; LdrpResSearchResourceInsideDirectory+E34E1j
		mov	eax, [ebp+arg_14]
		sub	eax, [ebp+var_58]
		sub	eax, 1
		jz	short loc_843B92
		sub	eax, 1
		jz	loc_843D27
		sub	eax, 1
		jnz	loc_92693E
		mov	esi, 0C0000204h
		jmp	loc_843A5B
; 

loc_843B57:				; CODE XREF: LdrpResSearchResourceInsideDirectory+245j
		mov	edx, [ebp+var_28]
		jmp	loc_8437FA
; 

loc_843B5F:				; CODE XREF: LdrpResSearchResourceInsideDirectory+253j
					; LdrpResSearchResourceInsideDirectory+E33FFj
		test	ecx, ecx
		jz	loc_92696E
		cmp	[ebp+var_48], edi
		jz	loc_843D34
		lea	eax, [ebp+var_20]
		push	eax
		mov	ecx, [ebp+arg_4]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_843D34
		mov	edx, [ebp+var_20]
		mov	[ebp+var_28], edx
		mov	[ebp+var_30], edx
		jmp	loc_8437F7
; 

loc_843B92:				; CODE XREF: LdrpResSearchResourceInsideDirectory+5CFj
		mov	esi, 0C000008Ah
		jmp	loc_843A5B
; 

loc_843B9C:				; CODE XREF: LdrpResSearchResourceInsideDirectory+2FEj
		add	eax, 0FFFFFFF8h
		mov	[ebp+var_6C], eax
		cmp	byte ptr [ebp+var_74], 0
		jnz	loc_843874
		jmp	loc_92697E
; 

loc_843BB1:				; CODE XREF: LdrpResSearchResourceInsideDirectory+3F5j
		mov	ecx, [ebp+arg_8]
		movzx	eax, word ptr [ecx+18h]
		mov	edx, 10Bh
		cmp	ax, dx
		jnz	loc_926A05
		mov	ecx, [ecx+88h]

loc_843BCC:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E34ABj
		mov	[ebp+arg_10], ecx

loc_843BCF:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E34B5j
		test	ecx, ecx
		jz	loc_926A24
		cmp	[ebp+var_24], 0
		jz	short loc_843C0C
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, ecx
		mov	ecx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_843D34
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_20]
		call	_RtlULongPtrSub@12 ; RtlULongPtrSub(x,x,x)
		test	eax, eax
		js	loc_843D34
		mov	ecx, [ebp+arg_10]

loc_843C0C:				; CODE XREF: LdrpResSearchResourceInsideDirectory+671j
		mov	eax, ecx
		sub	eax, [ebp+arg_4]
		add	eax, edi
		mov	[ebp+arg_28], eax
		push	[ebp+var_64]
		push	ecx
		push	ecx
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_LdrpSectionTableFromVirtualAddress@24 ; LdrpSectionTableFromVirtualAddress(x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_9269FD
		mov	eax, [ebp+var_28]
		mov	edx, [eax]
		cmp	edx, [ecx+8]
		ja	short loc_843C44
		mov	edx, [ebp+arg_28]
		jmp	loc_84396A
; 

loc_843C44:				; CODE XREF: LdrpResSearchResourceInsideDirectory+6D0j
		mov	eax, [ecx+0Ch]
		mov	[ebp+arg_18], eax
		push	[ebp+var_64]
		push	edx
		push	ecx
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_LdrpSectionTableFromVirtualAddress@24 ; LdrpSectionTableFromVirtualAddress(x,x,x,x,x,x)
		test	eax, eax
		jz	loc_9269FD
		mov	eax, [eax+0Ch]
		mov	[ebp+arg_10], eax
		push	[ebp+var_64]
		push	eax
		push	ecx
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_LdrpSectionTableFromVirtualAddress@24 ; LdrpSectionTableFromVirtualAddress(x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+arg_8], ecx
		test	ecx, ecx
		jz	loc_843D3E
		cmp	[ebp+var_24], 0
		jz	short loc_843CC1
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, [ebp+arg_10]
		sub	edx, [ecx+0Ch]
		mov	ecx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_843D34
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, [ebp+arg_8]
		mov	edx, [edx+14h]
		mov	ecx, [ebp+var_20]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_843D34
		mov	ecx, [ebp+arg_8]

loc_843CC1:				; CODE XREF: LdrpResSearchResourceInsideDirectory+723j
		mov	eax, [ecx+14h]
		sub	eax, [ecx+0Ch]
		add	eax, [ebp+arg_10]
		add	eax, edi
		mov	[ebp+arg_10], eax

loc_843CCF:				; CODE XREF: LdrpResSearchResourceInsideDirectory+7D7j
		cmp	[ebp+var_24], 0
		jz	short loc_843D01
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, [ebp+arg_18]
		mov	ecx, [ecx+0Ch]
		call	_RtlULongPtrSub@12 ; RtlULongPtrSub(x,x,x)
		test	eax, eax
		js	short loc_843D34
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, [ebp+arg_10]
		sub	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_20]
		call	_RtlULongPtrSub@12 ; RtlULongPtrSub(x,x,x)
		test	eax, eax
		js	short loc_843D34
		mov	ecx, [ebp+arg_8]

loc_843D01:				; CODE XREF: LdrpResSearchResourceInsideDirectory+769j
		mov	eax, [ecx+0Ch]
		sub	eax, [ebp+arg_18]
		sub	eax, [ebp+arg_10]
		add	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_28]
		add	edx, eax
		jmp	loc_843967
; 

loc_843D17:				; CODE XREF: LdrpResSearchResourceInsideDirectory+1BFj
		mov	[ebp+var_34], esi
		jmp	loc_843B30
; 

loc_843D1F:				; CODE XREF: LdrpResSearchResourceInsideDirectory+150j
		mov	edx, [ebp+var_40]
		jmp	loc_843724
; 

loc_843D27:				; CODE XREF: LdrpResSearchResourceInsideDirectory+5D4j
		mov	esi, 0C000008Bh
		jmp	loc_843A5B
; 

loc_843D31:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E34FBj
					; LdrpResSearchResourceInsideDirectory+E3511j
		mov	[ebp+var_34], esi

loc_843D34:				; CODE XREF: LdrpResSearchResourceInsideDirectory+112j
					; LdrpResSearchResourceInsideDirectory+125j ...
		mov	esi, 0C000007Bh
		jmp	loc_843A5B
; 

loc_843D3E:				; CODE XREF: LdrpResSearchResourceInsideDirectory+719j
		mov	[ebp+arg_10], esi
		jmp	short loc_843CCF
LdrpResSearchResourceInsideDirectory endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpResCompareResourceNames proc near	; CODE XREF: LdrpResSearchResourceInsideDirectory+22Fp
					; LdrpResSearchResourceInsideDirectory+2E0p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00926AD4 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_10]
		push	ebx
		push	edi
		mov	[ebp+var_4], ecx
		xor	edi, edi
		mov	ecx, [ebp+arg_8]
		and	eax, 1000h
		mov	[ebp+arg_10], edi
		test	ecx, ecx
		jz	loc_926AFA
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jz	loc_926AFA
		mov	ebx, [ebx]
		mov	edx, 0FFFF0000h
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, edx
		jnz	short loc_843DA5
		test	ebx, ebx
		js	loc_926AED
		test	eax, eax
		jz	short loc_843D95
		test	ebx, edx
		jnz	loc_843E22

loc_843D95:				; CODE XREF: LdrpResCompareResourceNames+47j
		mov	ecx, [ebp+arg_14]
		sub	esi, ebx
		mov	[ecx], esi

loc_843D9C:				; CODE XREF: LdrpResCompareResourceNames+D9j
					; LdrpResCompareResourceNames+E3j ...
		mov	eax, edi
		pop	esi

loc_843D9F:				; CODE XREF: LdrpResCompareResourceNames+E2DBBj
		pop	edi
		pop	ebx
		leave
		retn	18h
; 

loc_843DA5:				; CODE XREF: LdrpResCompareResourceNames+3Bj
		test	ebx, ebx
		jns	loc_926AD4
		and	ebx, 7FFFFFFFh
		test	eax, eax
		jz	short loc_843E2C
		lea	eax, [ebp+arg_10]
		mov	edx, ebx
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_843E22
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+arg_8]
		and	ecx, 0FFFFFFFCh
		add	ecx, [ebp+arg_0]
		add	eax, ebx
		cmp	eax, ecx
		ja	short loc_843E22
		mov	ebx, [ebp+arg_10]
		mov	edx, 0FFFF0000h

loc_843DE0:				; CODE XREF: LdrpResCompareResourceNames+EAj
		lea	ecx, [ebx+2]
		test	ecx, edx
		jz	short loc_843E22
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	ecx		; wchar_t *
		push	esi		; wchar_t *
		call	_wcsncmp
		mov	ecx, eax
		add	esp, 0Ch
		test	ecx, ecx
		jnz	short loc_843E18
		lea	edx, [esi+2]

loc_843DFE:				; CODE XREF: LdrpResCompareResourceNames+C3j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, di
		jnz	short loc_843DFE
		movzx	eax, word ptr [ebx]
		sub	esi, edx
		sar	esi, 1
		cmp	esi, eax
		jnz	loc_926ADF

loc_843E18:				; CODE XREF: LdrpResCompareResourceNames+B5j
		mov	eax, [ebp+arg_14]
		mov	[eax], ecx
		jmp	loc_843D9C
; 

loc_843E22:				; CODE XREF: LdrpResCompareResourceNames+4Bj
					; LdrpResCompareResourceNames+80j ...
		mov	edi, 0C000007Bh
		jmp	loc_843D9C
; 

loc_843E2C:				; CODE XREF: LdrpResCompareResourceNames+71j
		add	ebx, ecx
		jmp	short loc_843DE0
LdrpResCompareResourceNames endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpResGetResourceDirectory proc near	; CODE XREF: LdrpResSearchResourceMappedFile+3A4p
					; LdrpResSearchResourceMappedFile+484p

var_13C		= dword	ptr -13Ch
var_100		= dword	ptr -100h
var_E0		= dword	ptr -0E0h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_BC		= dword	ptr -0BCh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00926B04 SIZE 00000040 BYTES
; FUNCTION CHUNK AT 00926B5D SIZE 0000000A BYTES
; FUNCTION CHUNK AT 00926B80 SIZE 0000000A BYTES

		push	12Ch
		push	offset dword_6A7080
		call	__SEH_prolog4
		mov	[ebp+var_3C], edx
		mov	eax, ecx
		mov	[ebp+var_2C], eax
		xor	ebx, ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_1D], 1
		mov	byte ptr [ebp+var_30], 1
		mov	[ebp+var_34], ebx
		test	eax, eax
		jz	loc_926B80
		cmp	[ebp+arg_4], ebx
		jz	loc_926B80
		cmp	[ebp+arg_8], ebx
		jz	loc_926B80
		test	al, 3
		jz	short loc_843E87
		and	ecx, 1
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_2C], eax
		xor	cl, 1
		mov	[ebp+var_30], ecx

loc_843E87:				; CODE XREF: LdrpResGetResourceDirectory+46j
		and	[ebp+arg_0], 1000h
		lea	ecx, [ebp+var_28]
		push	ecx
		push	ebx
		push	edx
		push	eax
		push	0
		pop	eax
		setz	al
		push	eax
		call	RtlImageNtHeaderEx
		test	eax, eax
		js	loc_843FA1
		mov	[ebp+ms_exc.disabled], ebx
		mov	edx, [ebp+var_28]
		lea	esi, [edx+18h]
		movzx	eax, word ptr [esi]
		mov	ecx, 10Bh
		cmp	ax, cx
		jnz	loc_926B04
		push	38h
		pop	ecx
		lea	edi, [ebp+var_13C]
		rep movsd
		mov	cl, [ebp+var_1D]

loc_843ED1:				; CODE XREF: LdrpResGetResourceDirectory+E2CEFj
		test	cl, cl
		mov	eax, [ebp+var_E0]
		jz	loc_926B24

loc_843EDF:				; CODE XREF: LdrpResGetResourceDirectory+E2CFAj
		cmp	eax, 2
		jbe	loc_843FBF
		test	cl, cl
		mov	edi, [ebp+var_CC]
		jz	loc_926B2F

loc_843EF6:				; CODE XREF: LdrpResGetResourceDirectory+E2D05j
		test	edi, edi
		jz	loc_843FBF
		mov	ecx, ds:_MmHighestUserAddress
		mov	esi, [ebp+var_2C]
		cmp	esi, ecx
		jnb	short loc_843F16
		lea	eax, [edi+esi]
		cmp	eax, ecx
		jnb	loc_84400C

loc_843F16:				; CODE XREF: LdrpResGetResourceDirectory+D9j
		cmp	byte ptr [ebp+var_30], 0
		jz	loc_843FD0

loc_843F20:				; CODE XREF: LdrpResGetResourceDirectory+1A6j
		lea	eax, [ebp+var_34]
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_84400C
		mov	edx, [ebp+var_34]

loc_843F38:				; CODE XREF: LdrpResGetResourceDirectory+1D7j
		mov	[ebp+var_38], edx
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		test	edx, edx
		jz	loc_926B5D
		cmp	[ebp+arg_0], 0
		jz	short loc_843F92
		cmp	edx, esi
		jbe	loc_926B3A
		and	esi, 0FFFFFFFCh
		add	esi, [ebp+var_3C]
		lea	eax, [edx+10h]
		cmp	eax, esi
		ja	loc_926B3A
		mov	[ebp+ms_exc.disabled], 1
		movzx	eax, word ptr [edx+0Ch]
		mov	[ebp+var_48], eax
		movzx	ecx, word ptr [edx+0Eh]
		mov	[ebp+var_4C], ecx
		mov	[ebp+ms_exc.disabled], edi
		test	ax, ax
		jz	short loc_843FB3

loc_843F85:				; CODE XREF: LdrpResGetResourceDirectory+186j
		add	ecx, eax
		lea	eax, [edx+ecx*8]
		cmp	eax, esi
		ja	loc_926B3A

loc_843F92:				; CODE XREF: LdrpResGetResourceDirectory+11Dj
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax

loc_843F9F:				; CODE XREF: LdrpResGetResourceDirectory+18Dj
					; LdrpResGetResourceDirectory+19Ej ...
		mov	eax, ebx

loc_843FA1:				; CODE XREF: LdrpResGetResourceDirectory+73j
					; LdrpResGetResourceDirectory+E2D55j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_843FB3:				; CODE XREF: LdrpResGetResourceDirectory+153j
		test	cx, cx
		jnz	short loc_843F85
		mov	ebx, 0C000008Ah
		jmp	short loc_843F9F
; 

loc_843FBF:				; CODE XREF: LdrpResGetResourceDirectory+B2j
					; LdrpResGetResourceDirectory+C8j ...
		mov	ebx, 0C0000089h

loc_843FC4:				; CODE XREF: LdrpResGetResourceDirectory+1E1j
					; sub_926B75+6j
		mov	[ebp+var_24], ebx

loc_843FC7:				; CODE XREF: sub_926B52+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_843F9F
; 

loc_843FD0:				; CODE XREF: LdrpResGetResourceDirectory+EAj
		cmp	edi, [ebp+var_100]
		jb	loc_843F20
		cmp	[ebp+arg_0], 0
		setnz	al
		movzx	eax, al
		push	eax
		push	edi
		push	ecx
		push	edx
		mov	edx, [ebp+var_3C]
		mov	ecx, esi
		call	_LdrpSectionTableFromVirtualAddress@24 ; LdrpSectionTableFromVirtualAddress(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_84400C
		cmp	[eax+10h], ebx
		jz	short loc_843FBF
		mov	edx, [eax+14h]
		sub	edx, [eax+0Ch]
		add	edx, edi
		add	edx, esi
		jmp	loc_843F38
; 

loc_84400C:				; CODE XREF: LdrpResGetResourceDirectory+E0j
					; LdrpResGetResourceDirectory+FFj ...
		mov	ebx, 0C000007Bh
		jmp	short loc_843FC4
LdrpResGetResourceDirectory endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrResFallbackLangList proc near	; CODE XREF: LdrpResSearchResourceMappedFile+3F3p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00926B8A SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ecx, ebx
		mov	[ebp+var_4], ecx
		test	esi, esi
		jz	loc_926B8A
		xor	eax, eax
		mov	[esi+204h], bl
		push	edi
		mov	[esi], ax
		mov	edx, ebx
		jmp	short loc_844093
; 

loc_844040:				; CODE XREF: LdrResFallbackLangList+97j
		mov	ax, ds:_PsMachineUILanguageId
		movzx	ecx, ax
		test	ax, ax
		jz	loc_926B94

loc_844052:				; CODE XREF: LdrResFallbackLangList+E2B85j
		push	5

loc_844054:				; CODE XREF: LdrResFallbackLangList+10Ej
		pop	edx

loc_844055:				; CODE XREF: LdrResFallbackLangList+F0j
		mov	[ebp+var_4], ecx

loc_844058:				; CODE XREF: LdrResFallbackLangList+131j
		mov	eax, 0EEEEh
		cmp	cx, ax
		jz	short loc_844090

loc_844062:				; CODE XREF: LdrResFallbackLangList+D9j
		movzx	eax, word ptr [esi]
		mov	edi, ebx
		mov	[ebp+var_10], eax
		movzx	eax, ax
		test	eax, eax
		jz	short loc_8440CA
		lea	ebx, [esi+4]
		mov	[ebp+var_C], ebx
		xor	ebx, ebx
		mov	esi, [ebp+var_C]

loc_84407C:				; CODE XREF: LdrResFallbackLangList+73j
		cmp	[esi], cx
		jz	short loc_844089
		inc	edi
		add	esi, 8
		cmp	edi, eax
		jb	short loc_84407C

loc_844089:				; CODE XREF: LdrResFallbackLangList+6Bj
		mov	esi, [ebp+arg_8]
		cmp	edi, eax
		jnb	short loc_8440CA

loc_844090:				; CODE XREF: LdrResFallbackLangList+4Cj
					; LdrResFallbackLangList+CCj
		mov	edx, [ebp+var_8]

loc_844093:				; CODE XREF: LdrResFallbackLangList+2Aj
		mov	eax, edx
		mov	edi, edx
		inc	edx
		mov	[ebp+var_8], edx
		sub	eax, ebx
		jz	loc_84414A
		sub	eax, 1
		jz	short loc_844127
		sub	eax, 1
		jz	short loc_844040
		sub	eax, 1
		jz	short loc_844112
		sub	eax, 1
		jz	short loc_8440F2
		sub	eax, 1
		jz	short loc_8440E2
		sub	eax, 1
		jz	short loc_844109

loc_8440C1:				; CODE XREF: LdrResFallbackLangList+BBj
					; LdrResFallbackLangList+153j
		pop	edi

loc_8440C2:				; CODE XREF: LdrResFallbackLangList+E2B7Bj
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_8440CA:				; CODE XREF: LdrResFallbackLangList+5Bj
					; LdrResFallbackLangList+7Aj
		cmp	word ptr [ebp+var_10], 40h
		jnb	short loc_8440C1
		mov	[esi+eax*8+4], cx
		movzx	eax, word ptr [esi]
		mov	[esi+eax*8+8], edx
		inc	word ptr [esi]
		jmp	short loc_844090
; 

loc_8440E2:				; CODE XREF: LdrResFallbackLangList+A6j
		mov	ecx, 409h
		push	8

loc_8440E9:				; CODE XREF: LdrResFallbackLangList+FCj
		mov	[ebp+var_4], ecx
		pop	edx
		jmp	loc_844062
; 

loc_8440F2:				; CODE XREF: LdrResFallbackLangList+A1j
		mov	eax, ds:_PsDefaultSystemLocaleId
		test	eax, eax
		movzx	eax, ax
		jz	short loc_844152

loc_8440FE:				; CODE XREF: LdrResFallbackLangList+143j
		push	7
		pop	edx

loc_844101:				; CODE XREF: LdrResFallbackLangList+13Cj
		movzx	ecx, ax
		jmp	loc_844055
; 

loc_844109:				; CODE XREF: LdrResFallbackLangList+ABj
		mov	ecx, 1234h
		push	9
		jmp	short loc_8440E9
; 

loc_844112:				; CODE XREF: LdrResFallbackLangList+9Cj
		mov	ax, ds:_PsInstallUILanguageId
		movzx	ecx, ax
		test	ax, ax
		jz	short loc_844159

loc_844120:				; CODE XREF: LdrResFallbackLangList+14Aj
		push	6
		jmp	loc_844054
; 

loc_844127:				; CODE XREF: LdrResFallbackLangList+92j
		test	[ebp+arg_4], 4
		jnz	short loc_844160
		test	[ebp+arg_0], 3FFh
		jnz	loc_926B9E
		mov	ecx, 0EEEEh
		mov	[ebp+var_4], ecx

loc_844142:				; CODE XREF: LdrResFallbackLangList+E2BB2j
		push	2
		pop	edx
		jmp	loc_844058
; 

loc_84414A:				; CODE XREF: LdrResFallbackLangList+89j
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		inc	edx
		jmp	short loc_844101
; 

loc_844152:				; CODE XREF: LdrResFallbackLangList+E8j
		mov	eax, 0EEEEh
		jmp	short loc_8440FE
; 

loc_844159:				; CODE XREF: LdrResFallbackLangList+10Aj
		mov	ecx, 0EEEEh
		jmp	short loc_844120
; 

loc_844160:				; CODE XREF: LdrResFallbackLangList+117j
		mov	byte ptr [esi+204h], 1
		jmp	loc_8440C1
LdrResFallbackLangList endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2087. RtlFindMessage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFindMessage(x, x, x, x, x)
		public _RtlFindMessage@20
_RtlFindMessage@20 proc	near		; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+207p
					; PiGetDefaultMessageString+6Dp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		xor	eax, eax
		mov	[ebp+var_14], 1
		push	ebx
		mov	ebx, [ebp+arg_10]
		lea	edx, [ebp+var_18]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_C]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	40h
		push	4
		mov	[ebp+var_C], esi
		call	_LdrpSearchResourceSection_U@20	; LdrpSearchResourceSection_U(x,x,x,x,x)
		test	eax, eax
		js	short loc_8441EA
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_24]
		mov	ecx, edi
		push	eax
		call	LdrpAccessResourceData
		test	eax, eax
		js	short loc_8441EA
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_24]
		push	ebx
		push	esi
		call	_RtlpFindMessageInTable@16 ; RtlpFindMessageInTable(x,x,x,x)

loc_8441EA:				; CODE XREF: RtlFindMessage(x,x,x,x,x)+53j
					; RtlFindMessage(x,x,x,x,x)+69j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_RtlFindMessage@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpAccessResourceData proc near	; CODE XREF: RtlFindMessage(x,x,x,x,x)+62p
					; LdrAccessResource(x,x,x,x)+11p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00926BCB SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		test	edi, edi
		jz	loc_926BCB
		test	esi, esi
		jz	loc_926BCB
		cmp	_PnPBootDriversInitialized, 1
		jnz	short loc_84425E
		lea	eax, [ebp+var_C]
		mov	ebx, edi
		push	eax
		push	2
		push	1
		push	edi
		and	ebx, 0FFFFFFFCh
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		test	eax, eax
		jz	short loc_844298
		cmp	esi, eax
		jnb	short loc_844274

loc_844247:				; CODE XREF: LdrpAccessResourceData+92j
					; LdrpAccessResourceData+98j
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		push	esi
		call	LdrpGetAlternateResourceModuleHandleEx
		test	eax, eax
		jz	short loc_84425E
		cmp	eax, 0FFFFFFFFh
		jz	short loc_84425E
		mov	edi, eax

loc_84425E:				; CODE XREF: LdrpAccessResourceData+2Ej
					; LdrpAccessResourceData+59j ...
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+arg_0]
		call	LdrpAccessResourceDataNoMultipleLanguage

loc_84426D:				; CODE XREF: LdrpAccessResourceData+87j
					; LdrpAccessResourceData+A1j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_844274:				; CODE XREF: LdrpAccessResourceData+49j
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	LdrpGetImageSize
		cmp	eax, 0C000007Bh
		jz	short loc_84426D
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_84425E
		cmp	esi, ebx
		jb	short loc_844247
		add	eax, ebx
		cmp	esi, eax
		jnb	short loc_844247
		jmp	short loc_84425E
; 

loc_844298:				; CODE XREF: LdrpAccessResourceData+45j
		mov	eax, 0C0000089h
		jmp	short loc_84426D
LdrpAccessResourceData endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrpAccessResourceDataNoMultipleLanguage proc near
					; CODE XREF: LdrpFindMessageInAlternateModule+21p
					; LdrpGetRcConfig+8Fp ...

var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00926BD5 SIZE 0000008B BYTES

		push	30h
		push	offset dword_6A70C8
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		mov	ebx, ecx
		and	[ebp+ms_exc.disabled], 0
		lea	eax, [ebp+var_38]
		push	eax
		push	2
		push	1
		push	ebx
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_926BD5
		and	[ebp+var_20], 0
		lea	edx, [ebp+var_20]
		mov	ecx, ebx
		call	LdrpGetImageSize
		mov	edi, eax
		mov	[ebp+var_40], edi
		mov	ecx, 0C000007Bh
		cmp	edi, ecx
		jz	loc_926BE6
		mov	esi, ebx
		and	esi, 0FFFFFFFCh
		mov	[ebp+var_2C], esi
		mov	edx, [ebp+var_1C]
		cmp	edx, esi
		jbe	loc_926BE6
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	loc_8443D4

loc_84430C:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+138j
		xor	eax, eax
		mov	[ebp+var_30], eax
		test	bl, 3
		jz	short loc_844322
		test	bl, 1
		jz	short loc_84431F
		inc	eax
		mov	[ebp+var_30], eax

loc_84431F:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+79j
		and	ebx, 0FFFFFFFCh

loc_844322:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+74j
		cmp	eax, 1
		jnz	loc_8443E3
		push	ebx
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_926BD5
		movzx	eax, word ptr [esi+18h]
		mov	ecx, 10Bh
		cmp	ax, cx
		jnz	loc_926BF4
		mov	ecx, [esi+88h]

loc_844353:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+E2964j
					; LdrpAccessResourceDataNoMultipleLanguage+E296Bj
		test	ecx, ecx
		jz	loc_926BD5
		mov	eax, ecx
		sub	eax, [ebp+var_24]
		add	eax, ebx
		mov	[ebp+var_28], eax
		push	ecx
		mov	ecx, esi
		call	RtlSectionTableFromVirtualAddress
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_926BD5
		mov	eax, [ebp+var_1C]
		mov	edx, [eax]
		cmp	edx, [ecx+8]
		ja	loc_926C10
		mov	edx, [ebp+var_28]

loc_844388:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+E29A7j
		mov	esi, [ebp+var_2C]

loc_84438B:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+148j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_8443AA
		mov	eax, [eax]
		sub	eax, edx
		lea	edx, [eax+ebx]
		mov	[ecx], edx
		cmp	edx, esi
		jbe	loc_926C4C
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_8443EA

loc_8443AA:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+F0j
					; LdrpAccessResourceDataNoMultipleLanguage+14Ej
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_8443B9
		mov	edx, [ebp+var_1C]
		mov	eax, [edx+4]
		mov	[ecx], eax

loc_8443B9:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+10Fj
					; sub_926C6E+9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edi

loc_8443C2:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+E2941j
					; LdrpAccessResourceDataNoMultipleLanguage+E294Fj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8443D4:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+66j
		add	eax, esi
		cmp	edx, eax
		jb	loc_84430C
		jmp	loc_926BE6
; 

loc_8443E3:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+85j
		xor	edx, edx
		mov	eax, [ebp+var_1C]
		jmp	short loc_84438B
; 

loc_8443EA:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+108j
		add	eax, esi
		cmp	edx, eax
		jb	short loc_8443AA
		jmp	loc_926C4C
LdrpAccessResourceDataNoMultipleLanguage endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrpSearchResourceSection_U(x, x, x, x, x)
_LdrpSearchResourceSection_U@20	proc near ; CODE XREF: LdrpGetRcConfig+79p
					; LdrpLoadResourceFromAlternativeModule+70p ...

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_82		= byte ptr -82h
var_81		= byte ptr -81h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_52		= dword	ptr -52h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	98h
		push	offset dword_6A7108
		call	__SEH_prolog4_GS
		mov	edi, edx
		mov	[ebp+var_4C], edi
		mov	edx, ecx
		mov	[ebp+var_52+2],	edx
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_44], esi
		and	[ebp+var_48], 0
		mov	[ebp+var_94], edi
		mov	byte ptr [ebp+var_80], 0
		mov	[ebp+var_39], 1
		mov	[ebp+var_2E], 1
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		cmp	ecx, 3
		jnb	short loc_84443E
		test	al, 2
		jz	loc_844B7F

loc_84443E:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+3Ej
		push	4
		pop	ebx
		cmp	ecx, ebx
		ja	loc_844B7F
		and	eax, 41h
		jz	short loc_844456
		cmp	ecx, ebx
		jnz	loc_844B7F

loc_844456:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+56j
		cmp	ecx, ebx
		jnz	short loc_84446E
		test	eax, eax
		jz	loc_844B7F
		cmp	ecx, ebx
		jnz	short loc_84446E
		push	3
		pop	eax
		mov	[ebp+var_68], eax
		jmp	short loc_844473
; 

loc_84446E:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+62j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+6Ej
		mov	eax, ecx
		mov	[ebp+var_68], ecx

loc_844473:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+76j
		mov	[ebp+var_70], eax
		xor	eax, eax
		mov	[ebp+var_78], eax
		xor	ebx, ebx
		mov	[ebp+var_38], ebx
		and	[ebp+ms_exc.disabled], eax
		test	edi, edi
		jz	loc_844B4F
		cmp	edi, 0FFFFFFFFh
		jz	loc_844B4F
		test	edx, edx
		jz	loc_844B4F
		cmp	edx, 0FFFFFFFFh
		jz	loc_844B4F
		test	esi, esi
		jz	loc_844B4F
		cmp	esi, 0FFFFFFFFh
		jz	loc_844B4F
		lea	eax, [ebp+var_90]
		push	eax
		push	2
		push	1
		push	edx
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	[ebp+var_5C], eax
		test	eax, eax
		jnz	short loc_8444DF
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000089h
		jmp	loc_844B84
; 

loc_8444DF:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+D6j
		mov	esi, eax
		mov	[ebp+var_58], esi
		mov	[ebp+var_48], 0EEEEh
		and	[ebp+var_7C], 0
		xor	eax, eax
		mov	[ebp+var_6C], eax
		mov	[ebp+var_74], eax
		and	[ebp+var_64], eax
		mov	edx, [ebp+arg_4]
		mov	eax, edx
		not	eax
		mov	[ebp+var_60], eax
		test	al, 10h
		jz	loc_8445AC
		mov	ecx, [ebp+var_68]
		lea	eax, [ecx-1]
		cmp	eax, 2
		ja	loc_8445AC
		mov	al, _PnPBootDriversInitialized
		cmp	al, 1
		jnz	loc_8445AC
		cmp	ecx, 3
		jnz	short loc_844533
		movzx	edi, word ptr [edi+8]
		jmp	short loc_844535
; 

loc_844533:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+135j
		xor	edi, edi

loc_844535:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+13Bj
		movzx	eax, di
		mov	[ebp+var_78], eax
		mov	[ebp+var_98], eax
		mov	eax, [ebp+var_4C]
		mov	eax, [eax]
		cmp	eax, 10h
		jz	short loc_84456B
		cmp	eax, 18h
		jz	short loc_84456B
		test	eax, 0FFFF0000h
		jz	short loc_844595
		push	offset ??_C@_17JCBKHJFJ@?$AAM?$AAU?$AAI@NNGAKEGL@ ; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_844595
		mov	edx, [ebp+arg_4]

loc_84456B:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+153j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+158j
		test	byte ptr [ebp+var_60], 8
		jz	short loc_844595
		test	di, di
		jz	short loc_84458A
		mov	eax, 400h
		cmp	di, ax
		jz	short loc_84458A
		mov	eax, 800h
		cmp	di, ax
		jnz	short loc_844595

loc_84458A:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+17Ej
					; LdrpSearchResourceSection_U(x,x,x,x,x)+188j
		or	edx, 10h
		mov	[ebp+arg_4], edx
		mov	edi, [ebp+var_4C]
		jmp	short loc_8445AC
; 

loc_844595:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+15Fj
					; LdrpSearchResourceSection_U(x,x,x,x,x)+170j ...
		push	ecx
		push	ecx
		mov	edi, [ebp+var_4C]
		mov	edx, edi
		mov	ecx, [ebp+var_52+2]
		call	_LdrIsResItemExist@16 ;	LdrIsResItemExist(x,x,x,x)
		mov	edx, [ebp+arg_4]
		or	edx, eax
		mov	[ebp+arg_4], edx

loc_8445AC:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+110j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+11Fj ...
		mov	cl, _PnPBootDriversInitialized
		cmp	cl, 1
		jnz	short loc_8445D1
		mov	eax, edx
		not	eax
		test	eax, 80000h
		jz	short loc_8445D1
		test	eax, 20000h
		jz	short loc_8445D1
		test	al, 10h
		jz	short loc_8445D1
		mov	al, cl
		jmp	short loc_8445D3
; 

loc_8445D1:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+1BFj
					; LdrpSearchResourceSection_U(x,x,x,x,x)+1CAj ...
		xor	al, al

loc_8445D3:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+1D9j
		mov	[ebp+var_2D], al
		test	cl, cl
		jz	short loc_8445E2
		test	edx, 2040000h
		jz	short loc_8445E9

loc_8445E2:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+1E2j
		xor	cl, cl
		mov	[ebp+var_2E], cl
		jmp	short loc_8445EC
; 

loc_8445E9:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+1EAj
		mov	cl, [ebp+var_2E]

loc_8445EC:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+1F1j
		test	al, al
		jnz	short loc_8445F4
		test	cl, cl
		jz	short loc_844615

loc_8445F4:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+1F8j
		mov	eax, [edi]
		mov	[ebp+var_2C], eax
		cmp	[ebp+var_68], 2
		jb	short loc_844604
		mov	eax, [edi+4]
		jmp	short loc_844606
; 

loc_844604:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+207j
		xor	eax, eax

loc_844606:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+20Cj
		mov	[ebp+var_28], eax
		cmp	[ebp+arg_0], 4
		jnz	short loc_844615
		mov	eax, [edi+0Ch]
		mov	[ebp+var_20], eax

loc_844615:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+1FCj
					; LdrpSearchResourceSection_U(x,x,x,x,x)+217j ...
		mov	edi, [ebp+var_70]
		test	esi, esi
		jz	loc_8446B6
		mov	eax, edi
		dec	edi
		mov	[ebp+var_70], edi
		mov	[ebp+var_A8], edi
		test	eax, eax
		jz	loc_8446B6
		test	edi, edi
		jnz	short loc_844678
		test	cl, cl
		jz	short loc_844667
		push	[ebp+var_44]
		or	edx, 1000000h
		push	edx
		push	[ebp+arg_0]
		lea	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_52+2]
		call	LdrpLoadResourceFromAlternativeModule
		mov	[ebp+var_34], eax
		test	eax, eax
		js	short loc_844667

loc_84465B:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+324j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+32Ej ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_844B84
; 

loc_844667:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+244j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+263j
		test	edi, edi
		jnz	short loc_844678
		cmp	[ebp+var_68], 3
		jnz	short loc_844678
		mov	eax, esi
		mov	[ebp+var_64], eax
		jmp	short loc_84467B
; 

loc_844678:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+240j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+273j ...
		mov	eax, [ebp+var_64]

loc_84467B:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+280j
		test	eax, eax
		jz	loc_84498E
		mov	eax, [ebp+var_94]
		movzx	esi, word ptr [eax+8]
		mov	[ebp+var_78], esi
		mov	[ebp+var_98], esi
		mov	ecx, esi
		and	ecx, 3FFh
		neg	cx
		sbb	cl, cl
		inc	cl
		mov	[ebp+var_80], ecx
		mov	[ebp+var_81], cl
		mov	edx, [ebp+arg_4]
		jmp	loc_844741
; 

loc_8446B6:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+224j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+238j
		mov	ecx, [ebp+var_6C]

loc_8446B9:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+61Bj
		mov	eax, edx
		and	eax, 2
		test	ecx, ecx
		jz	short loc_8446CF
		test	eax, eax
		jnz	short loc_8446CF
		mov	eax, [ebp+var_44]
		mov	[eax], ecx

loc_8446CB:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+2E6j
		xor	eax, eax
		jmp	short loc_844712
; 

loc_8446CF:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+2CAj
					; LdrpSearchResourceSection_U(x,x,x,x,x)+2CEj
		test	esi, esi
		jz	short loc_8446DE
		test	eax, eax
		jz	short loc_8446DE
		mov	eax, [ebp+var_44]
		mov	[eax], esi
		jmp	short loc_8446CB
; 

loc_8446DE:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+2DBj
					; LdrpSearchResourceSection_U(x,x,x,x,x)+2DFj ...
		mov	eax, [ebp+var_68]
		sub	eax, edi
		sub	eax, 1
		jz	short loc_84470D
		sub	eax, 1
		jz	short loc_844703
		sub	eax, 1
		jz	short loc_8446F9
		mov	eax, 0C000000Dh
		jmp	short loc_844712
; 

loc_8446F9:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+2FAj
		mov	eax, 0C0000204h
		mov	[ebp+var_34], eax
		jmp	short loc_844720
; 

loc_844703:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+2F5j
		mov	eax, 0C000008Bh
		jmp	loc_844B77
; 

loc_84470D:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+2F0j
		mov	eax, 0C000008Ah

loc_844712:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+2D7j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+301j
		mov	[ebp+var_34], eax
		cmp	eax, 0C0000204h
		jnz	loc_84465B

loc_844720:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+30Bj
		cmp	[ebp+var_64], 0
		jz	loc_84465B
		xor	eax, eax
		mov	[ebp+var_6C], eax
		mov	[ebp+var_74], eax
		cmp	[ebp+var_39], al
		jz	loc_844B48
		mov	ecx, [ebp+var_80]
		mov	esi, [ebp+var_78]

loc_844741:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+2BBj
		mov	edi, [ebp+var_7C]

loc_844744:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+57Bj
		mov	eax, edi
		inc	edi
		mov	[ebp+var_7C], edi
		sub	eax, 0
		jz	loc_844927
		sub	eax, 1
		jz	loc_8448CE
		sub	eax, 1
		jz	loc_84486C
		sub	eax, 1
		jz	loc_844823
		sub	eax, 1
		jz	short loc_8447CB
		sub	eax, 1
		jz	short loc_84478C
		sub	eax, 1
		jnz	loc_844B48
		or	edx, 20h
		mov	[ebp+arg_4], edx
		jmp	loc_84495E
; 

loc_84478C:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+380j
		mov	ecx, 409h
		mov	ebx, ecx
		mov	[ebp+var_38], ebx
		cmp	ds:_PsDefaultSystemLocaleId, ecx
		jz	loc_8448C2
		cmp	cx, ds:_PsInstallUILanguageId
		jz	loc_8448C2
		cmp	cx, ds:_PsMachineUILanguageId
		jz	loc_8448C2
		cmp	[ebp+var_2D], 0
		jz	loc_84495E
		mov	[ebp+var_24], ecx
		jmp	short loc_844801
; 

loc_8447CB:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+37Bj
		mov	eax, ds:_PsDefaultSystemLocaleId
		movzx	ecx, ax
		mov	ebx, ecx
		mov	[ebp+var_38], ebx
		cmp	cx, ds:_PsInstallUILanguageId
		jz	loc_8448C2
		cmp	cx, ds:_PsMachineUILanguageId
		jz	loc_8448C2
		cmp	[ebp+var_2D], 0
		jz	loc_84495E
		mov	eax, ecx
		mov	[ebp+var_24], eax

loc_844801:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+3D3j
		push	[ebp+var_44]
		push	edx
		push	[ebp+arg_0]
		lea	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_52+2]
		call	LdrpLoadResourceFromAlternativeModule
		mov	[ebp+var_34], eax
		test	eax, eax
		js	loc_84495B
		jmp	loc_84465B
; 

loc_844823:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+372j
		mov	cx, ds:_PsInstallUILanguageId
		cmp	cx, ds:_PsMachineUILanguageId
		jz	loc_8448C2
		cmp	[ebp+var_2D], 0
		jz	short loc_844860
		movzx	eax, cx
		mov	[ebp+var_24], eax
		push	[ebp+var_44]
		push	edx
		push	[ebp+arg_0]
		lea	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_52+2]
		call	LdrpLoadResourceFromAlternativeModule
		mov	[ebp+var_34], eax
		test	eax, eax
		jns	loc_84465B

loc_844860:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+445j
		movzx	ebx, ds:_PsInstallUILanguageId
		jmp	loc_844958
; 

loc_84486C:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+369j
		test	cl, cl
		jz	loc_844B48
		cmp	[ebp+var_2D], 0
		jz	short loc_8448B4
		mov	ax, ds:_PsMachineUILanguageId
		test	ax, ax
		jz	short loc_8448B4
		movzx	eax, ax
		mov	[ebp+var_24], eax
		push	[ebp+var_44]
		push	edx
		push	[ebp+arg_0]
		lea	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_52+2]
		call	LdrpLoadResourceFromAlternativeModule
		mov	[ebp+var_34], eax
		test	eax, eax
		jns	loc_84465B
		movzx	ebx, ds:_PsMachineUILanguageId
		jmp	loc_844958
; 

loc_8448B4:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+482j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+48Dj
		mov	ax, ds:_PsMachineUILanguageId
		test	ax, ax
		movzx	ebx, ax
		jnz	short loc_8448C6

loc_8448C2:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+3A6j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+3B3j ...
		movzx	ebx, word ptr [ebp+var_48]

loc_8448C6:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+4CAj
		mov	[ebp+var_38], ebx
		jmp	loc_84495E
; 

loc_8448CE:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+360j
		test	bx, bx
		jz	short loc_8448EB
		lea	edx, [ebp+var_38]
		mov	ecx, ebx
		call	LdrpGetParentLangId
		test	eax, eax
		jns	short loc_8448E8
		xor	ebx, ebx
		mov	[ebp+var_38], ebx
		jmp	short loc_8448EB
; 

loc_8448E8:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+4E9j
		mov	ebx, [ebp+var_38]

loc_8448EB:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+4DBj
					; LdrpSearchResourceSection_U(x,x,x,x,x)+4F0j
		cmp	[ebp+var_2D], 0
		jz	short loc_84491C
		test	bx, bx
		jz	short loc_84495B
		movzx	eax, bx
		mov	[ebp+var_24], eax
		push	[ebp+var_44]
		mov	eax, [ebp+arg_4]
		push	eax
		push	[ebp+arg_0]
		lea	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_52+2]
		call	LdrpLoadResourceFromAlternativeModule
		mov	[ebp+var_34], eax
		test	eax, eax
		jns	loc_84465B

loc_84491C:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+4F9j
		test	bx, bx
		jz	short loc_84495B
		dec	edi
		mov	[ebp+var_7C], edi
		jmp	short loc_84495B
; 

loc_844927:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+357j
		cmp	[ebp+var_2D], 0
		jz	short loc_844955
		test	si, si
		jz	short loc_844955
		movzx	eax, si
		mov	[ebp+var_24], eax
		push	[ebp+var_44]
		push	edx
		push	[ebp+arg_0]
		lea	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_52+2]
		call	LdrpLoadResourceFromAlternativeModule
		mov	[ebp+var_34], eax
		test	eax, eax
		jns	loc_84465B

loc_844955:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+535j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+53Aj
		movzx	ebx, si

loc_844958:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+471j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+4B9j
		mov	[ebp+var_38], ebx

loc_84495B:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+422j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+4FEj ...
		mov	edx, [ebp+arg_4]

loc_84495E:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+391j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+3CAj ...
		mov	eax, edx
		not	eax
		test	al, 20h
		jz	short loc_844976
		movzx	eax, bx
		cmp	eax, [ebp+var_48]
		jnz	short loc_844976
		mov	ecx, [ebp+var_80]
		jmp	loc_844744
; 

loc_844976:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+56Ej
					; LdrpSearchResourceSection_U(x,x,x,x,x)+576j
		movzx	eax, bx
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_4C], eax
		mov	[ebp+var_A0], eax
		mov	esi, [ebp+var_64]
		mov	[ebp+var_58], esi

loc_84498E:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+287j
		movzx	eax, word ptr [esi+0Ch]
		mov	[ebp+var_60], eax
		movzx	ecx, ax
		mov	[ebp+var_40], ecx
		lea	edi, [esi+10h]
		mov	[ebp+var_88], edi
		movzx	edx, ax
		mov	eax, [ebp+var_4C]
		test	dword ptr [eax], 0FFFF0000h
		mov	eax, [ebp+var_60]
		jnz	short loc_8449CC
		movzx	eax, ax
		lea	edi, [edi+eax*8]
		mov	[ebp+var_88], edi
		movzx	eax, word ptr [esi+0Eh]
		mov	ecx, eax
		mov	[ebp+var_40], ecx
		mov	edx, eax

loc_8449CC:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+5BDj
		test	dx, dx
		jnz	short loc_8449EB
		and	[ebp+var_58], 0
		xor	al, al
		mov	[ebp+var_39], al
		mov	[ebp+var_82], al
		mov	edx, [ebp+arg_4]
		mov	edi, [ebp+var_70]
		jmp	loc_8446DE
; 

loc_8449EB:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+5D9j
		cmp	[ebp+var_64], 0
		jz	short loc_844A16
		mov	eax, [ebp+arg_4]
		test	al, 20h
		jz	short loc_844A16
		xor	esi, esi
		mov	[ebp+var_58], esi
		mov	eax, [edi]
		mov	[ebp+var_48], eax
		mov	ecx, [edi+4]
		add	ecx, [ebp+var_5C]
		mov	[ebp+var_74], ecx
		mov	edx, [ebp+arg_4]
		mov	edi, [ebp+var_70]
		jmp	loc_8446B9
; 

loc_844A16:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+5F9j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+600j
		xor	esi, esi
		mov	[ebp+var_58], esi
		movzx	eax, dx
		dec	eax
		lea	eax, [edi+eax*8]
		mov	[ebp+var_8C], eax
		movzx	edx, dx

loc_844A2B:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+70Bj
		cmp	edi, eax
		ja	short loc_844A9B
		mov	ax, dx
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_60], eax
		test	ax, ax
		jz	loc_844B06
		and	cl, 1
		mov	[ebp+var_9C], ecx
		movzx	eax, ax
		mov	[ebp+var_90], eax
		lea	ecx, [edi+eax*8]
		mov	[ebp+var_40], ecx
		jnz	short loc_844A64
		add	ecx, 0FFFFFFF8h
		mov	[ebp+var_40], ecx

loc_844A64:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+666j
		mov	eax, [ebp+var_4C]
		mov	eax, [eax]
		mov	byte ptr [ebp+var_52+1], 0
		lea	edx, [ebp+var_52+1]
		push	edx		; int
		push	ecx		; int
		push	[ebp+var_5C]	; int
		push	eax		; wchar_t *
		call	_LdrpCompareResourceNamesWithValidation@24 ; LdrpCompareResourceNamesWithValidation(x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_844AB5
		mov	eax, [ebp+var_40]
		mov	eax, [eax+4]
		test	eax, eax
		js	loc_844B35
		xor	esi, esi
		mov	[ebp+var_58], esi

loc_844A92:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+739j
		add	eax, [ebp+var_5C]
		mov	[ebp+var_74], eax
		mov	[ebp+var_6C], eax

loc_844A9B:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+637j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+713j ...
		mov	edi, [ebp+var_4C]
		add	edi, 4
		mov	[ebp+var_4C], edi
		mov	[ebp+var_A0], edi
		mov	edx, [ebp+arg_4]
		mov	cl, [ebp+var_2E]
		jmp	loc_844615
; 

loc_844AB5:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+687j
		jns	short loc_844AE0
		mov	eax, [ebp+var_40]
		add	eax, 0FFFFFFF8h
		mov	[ebp+var_8C], eax
		cmp	byte ptr [ebp+var_9C], 0
		jz	short loc_844AD1
		mov	eax, [ebp+var_60]
		jmp	short loc_844AD8
; 

loc_844AD1:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+6D4j
		mov	eax, [ebp+var_90]
		dec	eax

loc_844AD8:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+6D9j
		movzx	ecx, ax
		movzx	eax, ax
		jmp	short loc_844AF2
; 

loc_844AE0:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x):loc_844AB5j
		mov	edi, [ebp+var_40]
		add	edi, 8
		mov	[ebp+var_88], edi
		mov	eax, [ebp+var_60]
		movzx	ecx, ax

loc_844AF2:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+6E8j
		movzx	eax, ax
		mov	[ebp+var_40], ecx
		movzx	edx, ax
		mov	eax, [ebp+var_8C]
		jmp	loc_844A2B
; 

loc_844B06:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+648j
		test	dx, dx
		jz	short loc_844A9B
		mov	eax, [ebp+var_4C]
		mov	eax, [eax]
		mov	byte ptr [ebp+var_52], 0
		lea	ecx, [ebp+var_52]
		push	ecx		; int
		push	edi		; int
		push	[ebp+var_5C]	; int
		push	eax		; wchar_t *
		call	_LdrpCompareResourceNamesWithValidation@24 ; LdrpCompareResourceNamesWithValidation(x,x,x,x,x,x)
		test	eax, eax
		jnz	loc_844A9B
		mov	eax, [edi+4]
		test	eax, eax
		jns	loc_844A92

loc_844B35:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+691j
		mov	esi, eax
		and	esi, 7FFFFFFFh
		add	esi, [ebp+var_5C]
		mov	[ebp+var_58], esi
		jmp	loc_844A9B
; 

loc_844B48:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+33Fj
					; LdrpSearchResourceSection_U(x,x,x,x,x)+385j ...
		mov	eax, 0C0000204h
		jmp	short loc_844B77
; 

loc_844B4F:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+8Fj
					; LdrpSearchResourceSection_U(x,x,x,x,x)+98j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		jmp	short loc_844B84
; 

loc_844B5D:				; DATA XREF: .text:006A711Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_A4], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_844B6E:				; DATA XREF: .text:006A7120o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_A4]

loc_844B77:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+312j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+757j
		mov	[ebp+var_34], eax
		jmp	loc_84465B
; 

loc_844B7F:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+42j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+4Dj ...
		mov	eax, 0C00000F1h

loc_844B84:				; CODE XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+E4j
					; LdrpSearchResourceSection_U(x,x,x,x,x)+26Cj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_LdrpSearchResourceSection_U@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrpSectionTableFromVirtualAddress(x, x, x,	x, x, x)
_LdrpSectionTableFromVirtualAddress@24 proc near
					; CODE XREF: LdrpResSearchResourceInsideDirectory+6B9p
					; LdrpResSearchResourceInsideDirectory+6EDp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		push	edi
		test	esi, esi
		jz	short loc_844BF8
		mov	ax, [esi+14h]
		lea	edx, [esi+18h]
		movzx	eax, ax
		add	edx, eax
		jz	short loc_844BF8
		movzx	esi, word ptr [esi+6]
		xor	edi, edi
		test	esi, esi
		jz	short loc_844BF8
		mov	bl, [ebp+arg_C]

loc_844BC8:				; CODE XREF: LdrpSectionTableFromVirtualAddress(x,x,x,x,x,x)+60j
		test	bl, bl
		jz	short loc_844BD9
		and	ecx, 0FFFFFFFCh
		lea	eax, [edx+28h]
		add	ecx, [ebp+var_4]
		cmp	eax, ecx
		ja	short loc_844BF8

loc_844BD9:				; CODE XREF: LdrpSectionTableFromVirtualAddress(x,x,x,x,x,x)+34j
		mov	ecx, [edx+0Ch]
		cmp	[ebp+arg_8], ecx
		jz	short loc_844BFC
		jbe	short loc_844BED
		mov	eax, [edx+10h]
		add	eax, ecx
		cmp	[ebp+arg_8], eax
		jb	short loc_844BFC

loc_844BED:				; CODE XREF: LdrpSectionTableFromVirtualAddress(x,x,x,x,x,x)+4Bj
		mov	ecx, [ebp+var_8]
		add	edx, 28h
		inc	edi
		cmp	edi, esi
		jl	short loc_844BC8

loc_844BF8:				; CODE XREF: LdrpSectionTableFromVirtualAddress(x,x,x,x,x,x)+15j
					; LdrpSectionTableFromVirtualAddress(x,x,x,x,x,x)+23j ...
		xor	eax, eax
		jmp	short loc_844BFE
; 

loc_844BFC:				; CODE XREF: LdrpSectionTableFromVirtualAddress(x,x,x,x,x,x)+49j
					; LdrpSectionTableFromVirtualAddress(x,x,x,x,x,x)+55j
		mov	eax, edx

loc_844BFE:				; CODE XREF: LdrpSectionTableFromVirtualAddress(x,x,x,x,x,x)+64j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_LdrpSectionTableFromVirtualAddress@24 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopFreeUnicodeString(x)
_PopFreeUnicodeString@4	proc near	; CODE XREF: PopAvlFindOrMakeStatsForPowerRequest+6Cp
					; PopAvlDeleteStatsForPowerRequest(x)+3Cp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_844C1E
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+4], 0

loc_844C1E:				; CODE XREF: PopFreeUnicodeString(x)+Aj
		xor	eax, eax
		mov	[esi], eax
		pop	esi
		retn
_PopFreeUnicodeString@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpInitLoggerContext proc near		; CODE XREF: EtwpStartLogger+412p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00926C7C SIZE 0000007F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		movzx	esi, word ptr [eax]
		mov	ebx, edx
		mov	[ebp+var_C], esi
		xor	edi, edi
		xor	esi, esi
		mov	[ebp+var_10], eax
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], esi
		test	ebx, 10000000h
		jz	loc_844E57

loc_844C52:				; CODE XREF: EtwpInitLoggerContext+24Cj
					; EtwpInitLoggerContext+25Aj
		mov	eax, [ebp+var_C]
		push	4C777445h
		lea	eax, [eax+esi*2]
		add	eax, 382h
		add	eax, edi
		push	eax
		push	204h
		mov	[ebp+var_C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_926C91
		push	[ebp+var_C]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		lea	edi, [esi+380h]
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_926C98

loc_844C9B:				; CODE XREF: EtwpInitLoggerContext+E207Cj
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	loc_844E92

loc_844CA6:				; CODE XREF: EtwpInitLoggerContext+27Ej
		mov	ecx, [ebp+var_10]
		movzx	eax, word ptr [ecx]
		push	eax		; size_t
		push	dword ptr [ecx+4] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [esi+5Ch]
		push	edi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, ebx
		mov	[esi+0Ch], ebx
		mov	ecx, 1000000h
		mov	dword ptr [esi+1Ch], 0FFFFh
		and	eax, ecx
		mov	dword ptr [esi+18h], 0C00D0000h
		neg	eax
		mov	dword ptr [esi+14h], 0C0120000h
		sbb	eax, eax
		and	eax, 0FFFFFE01h
		add	eax, 200h
		mov	[esi+0E0h], eax
		test	ebx, ebx
		js	loc_844E83

loc_844D00:				; CODE XREF: EtwpInitLoggerContext+263j
					; EtwpInitLoggerContext+E2089j
		cmp	ds:_EtwpFileSystemReady, 0
		push	4
		pop	ecx
		jz	short loc_844D15
		lea	eax, [esi+258h]
		lock or	[eax], ecx

loc_844D15:				; CODE XREF: EtwpInitLoggerContext+E6j
		mov	edi, 4000h
		test	ebx, 8000h
		jnz	loc_926CB2
		test	ebx, edi
		jnz	loc_926CC3

loc_844D2E:				; CODE XREF: EtwpInitLoggerContext+E209Aj
					; EtwpInitLoggerContext+E20A9j
		or	dword ptr [esi+370h], 0FFFFFFFFh
		mov	ecx, 1000h
		or	dword ptr [esi+374h], 0FFFFFFFFh
		mov	dword ptr [esi+0F8h], 1
		mov	eax, dword_6D3018
		mov	eax, [eax]
		mov	eax, [eax+0F48h]
		mul	ecx
		shrd	eax, edx, 14h
		cmp	eax, 200h
		jbe	loc_926CD2
		mov	ecx, 400h
		cmp	ecx, eax
		sbb	eax, eax
		and	eax, 0C000h
		add	eax, edi
		mov	[esi+4], eax

loc_844D7C:				; CODE XREF: EtwpInitLoggerContext+E20B5j
		mov	ecx, esi
		call	EtwpQueryUsedProcessorCount
		add	eax, eax
		mov	[esi+98h], eax
		test	ebx, 4000000h
		jnz	loc_926CDE

loc_844D97:				; CODE XREF: EtwpInitLoggerContext+E20D2j
		add	eax, 16h
		mov	[esi+0A4h], eax
		lea	eax, [esi+240h]
		push	eax
		call	_KeQuerySystemTimePrecise@4 ; KeQuerySystemTimePrecise(x)
		xor	ebx, ebx
		lea	eax, [esi+1D0h]
		push	ebx
		push	eax
		call	_KeInitializeMutex@8 ; KeInitializeMutex(x,x)
		mov	[esi+1F0h], ebx
		lea	eax, [esi+100h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+34h]
		mov	[esi+30h], eax
		mov	[eax], ebx
		lea	eax, [esi+3Ch]
		mov	[esi+38h], eax
		mov	[eax], ebx
		lea	eax, [esi+40h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+48h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+2C8h]
		mov	[eax+4], eax
		mov	[eax], eax
		xor	eax, eax
		push	ebx
		mov	[esi+2D4h], ax
		lea	eax, [esi+164h]
		push	ebx
		mov	[esi+2D8h], ebx
		push	eax
		mov	[esi+1F4h], ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		push	1
		lea	eax, [esi+174h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	1
		lea	eax, [esi+188h]
		push	eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	esi
		push	offset EtwpLoggerDpc
		lea	eax, [esi+1B0h]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	byte ptr [esi+1B1h], 3
		mov	eax, esi

loc_844E52:				; CODE XREF: EtwpInitLoggerContext+E206Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_844E57:				; CODE XREF: EtwpInitLoggerContext+28j
		push	0FFFFh
		call	KeQueryMaximumProcessorCountEx
		cmp	eax, 20h
		ja	loc_926C7C

loc_844E6A:				; CODE XREF: EtwpInitLoggerContext+E2060j
		test	ebx, 400h
		jz	loc_844C52
		mov	esi, eax
		shl	esi, 3
		mov	[ebp+var_8], esi
		jmp	loc_844C52
; 

loc_844E83:				; CODE XREF: EtwpInitLoggerContext+D6j
		mov	eax, ebx
		test	eax, ecx
		jz	loc_844D00
		jmp	loc_926CA5
; 

loc_844E92:				; CODE XREF: EtwpInitLoggerContext+7Cj
		mov	[esi+364h], edi
		add	edi, eax
		mov	[esi+368h], edi
		add	edi, eax
		jmp	loc_844CA6
EtwpInitLoggerContext endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateMutant(x, x, x, x)
_NtCreateMutant@16 proc	near		; DATA XREF: .text:0058113Co

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A7170
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_1C], 0
		mov	[ebp+var_20], 0
		xor	esi, esi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_28], bl
		test	bl, bl
		jz	short loc_844F59
		mov	[ebp+var_4], esi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jb	short loc_844F1B
		mov	ecx, eax

loc_844F1B:				; CODE XREF: NtCreateMutant(x,x,x,x)+67j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_844F5C
; 

loc_844F28:				; DATA XREF: .text:006A7184o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		mov	eax, 1
		retn
; 

loc_844F38:				; DATA XREF: .text:006A7188o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_844F59:				; CODE XREF: NtCreateMutant(x,x,x,x)+56j
		mov	edi, [ebp+arg_0]

loc_844F5C:				; CODE XREF: NtCreateMutant(x,x,x,x)+76j
		mov	edx, ds:_ExMutantObjectType
		push	0
		lea	eax, [ebp+var_20]
		push	eax
		push	0
		push	0
		push	20h
		push	ecx
		push	[ebp+var_28]
		push	[ebp+arg_8]
		mov	cl, bl
		call	ObCreateObjectEx
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_844FEF
		cmp	_ExpForceEnableMutantAutoboost,	0
		jz	short loc_844F90
		mov	esi, 1

loc_844F90:				; CODE XREF: NtCreateMutant(x,x,x,x)+D9j
		push	esi
		mov	dl, [ebp+arg_C]
		mov	ecx, [ebp+var_20]
		call	_KeInitializeMutantEx@12 ; KeInitializeMutantEx(x,x,x)
		lea	eax, [ebp+var_1C]
		push	eax
		push	0
		push	0
		push	0
		push	[ebp+arg_4]
		xor	edx, edx
		mov	ecx, [ebp+var_20]
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	ecx, eax
		mov	dword ptr [ebp+arg_C], ecx
		test	ecx, ecx
		js	short loc_844FEF
		test	bl, bl
		jz	short loc_844FEA
		mov	[ebp+var_4], 1
		mov	eax, [ebp+var_1C]
		mov	[edi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_844FEF
; 

loc_844FD5:				; DATA XREF: .text:006A7190o
		mov	eax, 1
		retn
; 

loc_844FDB:				; DATA XREF: .text:006A7194o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp+14h]
		jmp	short loc_844FEF
; 

loc_844FEA:				; CODE XREF: NtCreateMutant(x,x,x,x)+10Ej
		mov	eax, [ebp+var_1C]
		mov	[edi], eax

loc_844FEF:				; CODE XREF: NtCreateMutant(x,x,x,x)+D0j
					; NtCreateMutant(x,x,x,x)+10Aj	...
		mov	eax, ecx
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_NtCreateMutant@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PnpSetCustomTargetEvent(int,int,int,void *)
PnpSetCustomTargetEvent	proc near	; CODE XREF: IoReportTargetDeviceChangeAsynchronous+C0p
					; IoReportTargetDeviceChange(x,x)+DAp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00927220 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_C], esi
		test	edi, edi
		jnz	loc_927220

loc_845020:				; CODE XREF: PnpSetCustomTargetEvent+E2223j
		cmp	dword_6CC5E4, 0
		jnz	loc_92722E
		test	esi, esi
		jz	loc_927238
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]

loc_84503E:				; CODE XREF: PnpSetCustomTargetEvent+E2234j
		movzx	ecx, word ptr [eax+14h]
		mov	[ebp+var_4], eax
		add	ecx, 49h
		mov	eax, [ebp+arg_C]
		and	ecx, 0FFFFFFFCh
		movzx	eax, word ptr [eax+2]
		add	ecx, eax
		mov	[ebp+var_8], ecx
		lea	eax, [ecx+48h]
		mov	ecx, eax
		mov	[ebp+var_10], eax
		call	_PnpCreateDeviceEventEntry@4 ; PnpCreateDeviceEventEntry(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_92723F
		mov	edx, 56706E50h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+arg_4]
		mov	esi, offset _GUID_PNP_CUSTOM_NOTIFICATION
		mov	[ebx+14h], eax
		mov	eax, [ebp+arg_8]
		mov	[ebx+18h], eax
		mov	eax, [ebp+arg_0]
		mov	[ebx+10h], edi
		lea	edi, [ebx+48h]
		movsd
		movsd
		movsd
		movsd
		and	dword ptr [ebx+60h], 0
		mov	[ebx+5Ch], eax
		mov	eax, [ebp+var_8]
		mov	[ebx+64h], eax
		mov	eax, [ebp+var_C]
		mov	[ebx+68h], eax
		mov	eax, [ebp+var_4]
		mov	dword ptr [ebx+58h], 3
		mov	ecx, [eax+18h]
		test	ecx, ecx
		jz	short loc_8450CE
		movzx	eax, word ptr [eax+14h]
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [ebx+70h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_8450CE:				; CODE XREF: PnpSetCustomTargetEvent+B4j
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+var_10]
		movzx	eax, word ptr [edx+2]
		sub	ecx, eax
		add	ecx, ebx
		mov	[ebx+6Ch], ecx
		movzx	eax, word ptr [edx+2]
		push	eax		; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, ebx
		call	PnpInsertEventInQueue

loc_8450F5:				; CODE XREF: PnpSetCustomTargetEvent+E222Dj
					; PnpSetCustomTargetEvent+E223Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
PnpSetCustomTargetEvent	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiUEventProcessEventWorker(x)
_PiUEventProcessEventWorker@4 proc near	; DATA XREF: PAGE:00763C7Fo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	ebx, offset _PiUEventUsermodeEventQueueLock

loc_84510B:				; CODE XREF: PiUEventProcessEventWorker(x)+6Bj
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	edi, _PiUEventUsermodeEventQueue
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, edi
		call	_PiUEventProcessNotifyEventEntry@4 ; PiUEventProcessNotifyEventEntry(x)
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	ecx, _PiUEventUsermodeEventQueue
		mov	edx, offset _PiUEventUsermodeEventQueue
		cmp	[ecx+4], edx
		jnz	short loc_84517D
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_84517D
		mov	_PiUEventUsermodeEventQueue, eax
		mov	[eax+4], edx
		cmp	_PiUEventUsermodeEventQueue, edx
		jnz	short loc_845157
		xor	esi, esi
		inc	esi

loc_845157:				; CODE XREF: PiUEventProcessEventWorker(x)+56j
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, edi
		call	PiUEventDereferenceEventEntry
		test	esi, esi
		jz	short loc_84510B
		push	59706E50h
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_84517D:				; CODE XREF: PiUEventProcessEventWorker(x)+3Fj
					; PiUEventProcessEventWorker(x)+46j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PiUEventProcessEventWorker@4 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiUEventDequeuePendingEventWorker(x, x, x)
_PiUEventDequeuePendingEventWorker@12 proc near	; CODE XREF: PiUEventHandleGetEvent+AEp
					; PAGE:008F9A51p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		mov	edx, [esi]
		cmp	[edx+4], esi
		jnz	short loc_8451BE
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_8451BE
		cmp	[ebp+arg_0], 0
		mov	[eax], edx
		mov	[edx+4], eax
		jnz	short loc_8451A6
		dec	dword ptr [ecx+48h]

loc_8451A6:				; CODE XREF: PiUEventDequeuePendingEventWorker(x,x,x)+1Fj
		mov	ecx, [esi+10h]
		call	PiUEventDereferenceEventEntry
		push	59706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebp
		retn	4
; 

loc_8451BE:				; CODE XREF: PiUEventDequeuePendingEventWorker(x,x,x)+Dj
					; PiUEventDequeuePendingEventWorker(x,x,x)+14j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PiUEventDequeuePendingEventWorker@12 endp


;  S U B	R O U T	I N E 


PiUEventDereferenceEventEntry proc near	; CODE XREF: PiUEventProcessEventWorker(x)+64p
					; PiUEventDequeuePendingEventWorker(x,x,x)+27p	...

; FUNCTION CHUNK AT 00927249 SIZE 0000001A BYTES

		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [esi+8]
		call	ExAcquireFastMutex
		dec	dword ptr [esi+1Ch]
		cmp	byte ptr [esi+28h], 0
		mov	edi, [esi+1Ch]
		jnz	loc_927249

loc_8451E3:				; CODE XREF: PiUEventDereferenceEventEntry+E2088j
					; PiUEventDereferenceEventEntry+E209Aj
		mov	ecx, [esi+8]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	edi, edi
		jz	short loc_8451F5

loc_8451EF:				; CODE XREF: PiUEventDereferenceEventEntry+38j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_8451F5:				; CODE XREF: PiUEventDereferenceEventEntry+29j
		mov	ecx, esi
		call	_PiUEventFreeEventEntry@4 ; PiUEventFreeEventEntry(x)
		jmp	short loc_8451EF
PiUEventDereferenceEventEntry endp


;  S U B	R O U T	I N E 


; __stdcall PiUEventFreeEventEntry(x)
_PiUEventFreeEventEntry@4 proc near	; CODE XREF: PiUEventDereferenceEventEntry+33p
					; PAGE:008D5ABFp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 59706E50h
		mov	eax, [esi+0Ch]
		test	eax, eax
		jnz	short loc_845238

loc_845210:				; CODE XREF: PiUEventFreeEventEntry(x)+41j
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_84521E
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84521E:				; CODE XREF: PiUEventFreeEventEntry(x)+17j
		mov	eax, [esi+18h]
		test	eax, eax
		jnz	short loc_84522F

loc_845225:				; CODE XREF: PiUEventFreeEventEntry(x)+38j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
; 

loc_84522F:				; CODE XREF: PiUEventFreeEventEntry(x)+25j
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_845225
; 

loc_845238:				; CODE XREF: PiUEventFreeEventEntry(x)+10j
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_845210
_PiUEventFreeEventEntry@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PiUEventProcessNotifyEventEntry(x)
_PiUEventProcessNotifyEventEntry@4 proc	near ; CODE XREF: PiUEventProcessEventWorker(x)+25p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+3Ch]
		cmp	eax, 3
		jnz	short loc_845260

loc_84524F:				; CODE XREF: PiUEventProcessNotifyEventEntry(x)+26j
		call	PiUEventNotifyTargetDeviceChange

loc_845254:				; CODE XREF: PiUEventProcessNotifyEventEntry(x)+37j
					; PiUEventProcessNotifyEventEntry(x)+45j ...
		test	eax, eax
		js	short loc_845290

loc_845258:				; CODE XREF: PiUEventProcessNotifyEventEntry(x):loc_84527Bj
					; PiUEventProcessNotifyEventEntry(x)+3Ej
		mov	ecx, esi
		pop	esi
		jmp	PiUEventProcessBroadcastNotifications
; 

loc_845260:				; CODE XREF: PiUEventProcessNotifyEventEntry(x)+Bj
		cmp	eax, 2
		jz	short loc_845289
		cmp	eax, 1
		jz	short loc_84524F
		cmp	eax, 4
		jz	short loc_845282
		cmp	eax, 9
		jnz	short loc_84527B
		call	PiUEventNotifyDeviceInstancePropertyChange
		jmp	short loc_845254
; 

loc_84527B:				; CODE XREF: PiUEventProcessNotifyEventEntry(x)+30j
		jle	short loc_845258
		cmp	eax, 0Bh
		jg	short loc_845258

loc_845282:				; CODE XREF: PiUEventProcessNotifyEventEntry(x)+2Bj
		call	PiUEventNotifyDeviceInstanceChange
		jmp	short loc_845254
; 

loc_845289:				; CODE XREF: PiUEventProcessNotifyEventEntry(x)+21j
		call	_PiUEventNotifyDeviceInterfaceChange@4 ; PiUEventNotifyDeviceInterfaceChange(x)
		jmp	short loc_845254
; 

loc_845290:				; CODE XREF: PiUEventProcessNotifyEventEntry(x)+14j
		pop	esi
		retn
_PiUEventProcessNotifyEventEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUEventProcessBroadcastNotifications proc near
					; CODE XREF: PiUEventProcessNotifyEventEntry(x)+19j

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00927263 SIZE 0000022A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	ebx, ecx
		mov	[esp+28h+var_10], ecx
		mov	[esp+28h+var_14], ecx
		mov	[esp+28h+var_18], ecx
		mov	[esp+28h+var_8], ecx
		mov	[esp+28h+var_4], ecx
		mov	[esp+28h+var_1C], ecx
		cmp	_PiUEventBroadcastSubscriberPresent, cl
		jz	loc_84536B
		mov	eax, [edi+3Ch]
		sub	eax, ecx
		jz	loc_927449
		sub	eax, 1
		jz	loc_845457
		sub	eax, 1
		jz	loc_8453E3
		sub	eax, 1
		jnz	loc_845374
		lea	eax, [edi+54h]
		mov	edx, 0C8h
		lea	ecx, [esp+28h+var_10]
		mov	[esp+28h+var_C], eax
		push	ecx
		mov	ecx, eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_84536B
		mov	edx, [esp+28h+var_10]
		test	edx, edx
		jz	short loc_84536B
		lea	eax, [esp+28h+var_14]
		push	eax
		push	44h
		lea	edx, ds:2[edx*2]
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_84536B
		mov	ecx, [esp+28h+var_14]
		lea	eax, [esp+28h+var_14]
		push	eax
		push	3
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_84536B
		mov	eax, [esp+28h+var_14]
		and	eax, 0FFFFFFFCh
		push	10h		; size_t
		add	eax, 30h
		add	eax, edi
		push	offset _GUID_IO_VOLUME_NAME_CHANGE ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_92726D

loc_84536B:				; CODE XREF: PiUEventProcessBroadcastNotifications+32j
					; PiUEventProcessBroadcastNotifications+7Aj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_845374:				; CODE XREF: PiUEventProcessBroadcastNotifications+58j
		sub	eax, 1
		jnz	short loc_84536B
		mov	esi, 1B4h
		mov	ecx, esi
		call	_PiUEventAllocMem@4 ; PiUEventAllocMem(x)
		mov	ebx, eax
		mov	[esp+28h+var_10], ebx
		test	ebx, ebx
		jz	loc_927263
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+28h+var_18]
		xor	ecx, ecx
		lea	esi, [ebx+10h]
		lea	edx, [edi+50h]
		push	ecx
		push	eax
		push	4
		push	esi
		lea	eax, [esp+38h+var_1C]
		push	eax
		push	offset _DEVPKEY_Device_SessionId
		push	ecx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_8454F7

loc_8453D3:				; CODE XREF: PiUEventProcessBroadcastNotifications+270j
		xor	ebx, ebx
		or	dword ptr [esi], 0FFFFFFFFh

loc_8453D8:				; CODE XREF: PiUEventProcessBroadcastNotifications+26Aj
		mov	ecx, [esp+28h+var_10]

loc_8453DC:				; CODE XREF: PiUEventProcessBroadcastNotifications+241j
					; PiUEventProcessBroadcastNotifications+E203Cj	...
		call	_PiUEventQueueBroadcastEventEntry@4 ; PiUEventQueueBroadcastEventEntry(x)
		jmp	short loc_84536B
; 

loc_8453E3:				; CODE XREF: PiUEventProcessBroadcastNotifications+4Fj
		push	10h
		pop	esi
		push	esi		; size_t
		lea	eax, [edi+2Ch]
		push	offset _GUID_DEVICE_INTERFACE_ARRIVAL ;	void *
		push	eax		; void *
		mov	[esp+34h+var_C], eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8454D8

loc_845404:				; CODE XREF: PiUEventProcessBroadcastNotifications+25Aj
		push	esi		; size_t
		lea	eax, [edi+50h]
		push	offset _GUID_DEVINTERFACE_VOLUME ; void	*
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_9272D3
		push	esi		; size_t
		lea	eax, [edi+50h]
		push	offset _GUID_DEVINTERFACE_PARALLEL ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_92732A
		push	esi		; size_t
		lea	eax, [edi+50h]
		push	(offset	loc_407D9D+3) ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_84536B
		jmp	loc_92732A
; 

loc_845457:				; CODE XREF: PiUEventProcessBroadcastNotifications+46j
		push	10h
		pop	esi
		push	esi		; size_t
		lea	eax, [edi+2Ch]
		push	offset _GUID_DEVICE_ARRIVAL ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_927410

loc_845474:				; CODE XREF: PiUEventProcessBroadcastNotifications+E2192j
					; PiUEventProcessBroadcastNotifications+E21B2j
		mov	esi, 1B4h
		mov	ecx, esi
		call	_PiUEventAllocMem@4 ; PiUEventAllocMem(x)
		mov	ebx, eax
		mov	[esp+28h+var_C], ebx
		test	ebx, ebx
		jz	loc_927263
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+28h+var_18]
		xor	ecx, ecx
		lea	esi, [ebx+10h]
		lea	edx, [edi+50h]
		push	ecx
		push	eax
		push	4
		push	esi
		lea	eax, [esp+38h+var_1C]
		push	eax
		push	offset _DEVPKEY_Device_SessionId
		push	ecx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_845507

loc_8454CA:				; CODE XREF: PiUEventProcessBroadcastNotifications+27Cj
		xor	ebx, ebx
		or	dword ptr [esi], 0FFFFFFFFh

loc_8454CF:				; CODE XREF: PiUEventProcessBroadcastNotifications+27Aj
		mov	ecx, [esp+28h+var_C]
		jmp	loc_8453DC
; 

loc_8454D8:				; CODE XREF: PiUEventProcessBroadcastNotifications+16Cj
		push	esi		; size_t
		lea	eax, [edi+2Ch]
		push	(offset	loc_407DCD+3) ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_845404
		jmp	loc_84536B
; 

loc_8454F7:				; CODE XREF: PiUEventProcessBroadcastNotifications+13Bj
		cmp	[esp+28h+var_18], 4
		jz	loc_8453D8
		jmp	loc_8453D3
; 

loc_845507:				; CODE XREF: PiUEventProcessBroadcastNotifications+236j
		cmp	[esp+28h+var_18], 4
		jz	short loc_8454CF
		jmp	short loc_8454CA
PiUEventProcessBroadcastNotifications endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUEventNotifyTargetDeviceChange proc near
					; CODE XREF: PiUEventProcessNotifyEventEntry(x):loc_84524Fp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 0092748D SIZE 000000BE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_14], ecx
		push	10h		; size_t
		lea	edi, [ecx+2Ch]
		mov	[ebp+var_8], eax
		push	(offset	loc_4055E5+3) ;	void *
		push	edi		; void *
		mov	esi, eax
		mov	[ebp+var_1], al
		mov	ebx, eax
		mov	[ebp+var_2], al
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_845598
		push	10h		; size_t
		push	offset _GUID_TARGET_DEVICE_REMOVE_CANCELLED ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_845598
		push	10h		; size_t
		push	offset _GUID_DEVICE_REMOVE_PENDING ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_845598
		push	10h		; size_t
		push	offset _GUID_TARGET_DEVICE_REMOVE_COMPLETE ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_845598
		push	10h		; size_t
		push	offset _GUID_PNP_CUSTOM_NOTIFICATION ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_845667

loc_845598:				; CODE XREF: PiUEventNotifyTargetDeviceChange+32j
					; PiUEventNotifyTargetDeviceChange+46j	...
		mov	edi, [ebp+var_14]
		mov	eax, [edi+3Ch]
		sub	eax, 1
		jz	loc_92748D
		dec	eax
		sub	eax, 1
		jnz	loc_845667
		mov	[ebp+var_1], 1
		push	54h

loc_8455B7:				; CODE XREF: PiUEventNotifyTargetDeviceChange+E1F7Fj
		pop	eax
		add	eax, edi
		mov	[ebp+var_14], eax
		cmp	[edi+28h], bl
		jnz	loc_927494

loc_8455C6:				; CODE XREF: PiUEventNotifyTargetDeviceChange+E1FB8j
		mov	ecx, offset _PiUEventClientRegistrationListLock
		call	ExAcquireFastMutex
		mov	ecx, [ebp+var_14]
		call	_PiUEventHashStringIntoBucket@4	; PiUEventHashStringIntoBucket(x)
		lea	ecx, _PiUEventDevHandleClientList[eax*8]
		mov	eax, [ecx]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], eax
		cmp	eax, ecx
		jz	short loc_845645

loc_8455EB:				; CODE XREF: PiUEventNotifyTargetDeviceChange+133j
		cmp	[ebp+var_1], 0
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_C], eax
		mov	ecx, [ecx]
		mov	[ebp+var_10], ecx
		jz	short loc_845602
		cmp	byte ptr [eax+14h], 0
		jnz	short loc_84563D

loc_845602:				; CODE XREF: PiUEventNotifyTargetDeviceChange+EAj
		mov	eax, [eax+0Ch]
		push	dword ptr [eax+0Ch] ; wchar_t *
		push	[ebp+var_14]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_84563D
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	PiUEventApplyAdditionalFilters
		test	al, al
		jz	short loc_84563D
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	PiUEventNotifyClient
		mov	[ebp+var_8], eax
		test	eax, eax
		js	short loc_84563D
		test	esi, esi
		jnz	loc_9274CD

loc_84563D:				; CODE XREF: PiUEventNotifyTargetDeviceChange+F0j
					; PiUEventNotifyTargetDeviceChange+104j ...
		mov	eax, [ebp+var_10]
		cmp	eax, [ebp+var_18]
		jnz	short loc_8455EB

loc_845645:				; CODE XREF: PiUEventNotifyTargetDeviceChange+D9j
		test	esi, esi
		jnz	loc_9274ED

loc_84564D:				; CODE XREF: PiUEventNotifyTargetDeviceChange+E1FE0j
					; PiUEventNotifyTargetDeviceChange+E2026j
		mov	ecx, offset _PiUEventClientRegistrationListLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	esi, esi
		jnz	loc_92753B

loc_84565F:				; CODE XREF: PiUEventNotifyTargetDeviceChange+E2036j
		mov	eax, [ebp+var_8]

loc_845662:				; CODE XREF: PiUEventNotifyTargetDeviceChange+159j
					; PiUEventNotifyTargetDeviceChange+E1FA0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_845667:				; CODE XREF: PiUEventNotifyTargetDeviceChange+82j
					; PiUEventNotifyTargetDeviceChange+9Bj
		mov	eax, ebx
		jmp	short loc_845662
PiUEventNotifyTargetDeviceChange endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUEventNotifyClient proc near		; CODE XREF: PiUEventNotifyTargetDeviceChange+119p
					; PiUEventNotifyDeviceInterfaceChange(x)+79p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 0092754B SIZE 00000085 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		xor	ebx, ebx
		mov	[ebp+var_1], bl
		mov	ecx, [edi+8]
		call	ExAcquireFastMutex
		cmp	[edi+54h], bl
		jz	loc_927595
		xor	esi, esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		cmp	[edi+48h], esi
		ja	loc_92754B

loc_8456A3:				; CODE XREF: PiUEventNotifyClient+E1F13j
					; PiUEventNotifyClient+E1F20j ...
		mov	ecx, [edi+8]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	[ebp+var_1], bl
		jnz	short loc_845704
		push	59706E50h
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_84570B
		mov	ebx, [ebp+var_8]
		mov	ecx, ebx
		call	_PiUEventReferenceEventEntry@4 ; PiUEventReferenceEventEntry(x)
		mov	[esi+10h], ebx
		mov	ecx, [edi+8]
		call	ExAcquireFastMutex
		mov	edx, esi
		mov	ecx, edi
		call	_PiUEventQueuePendingEvent@8 ; PiUEventQueuePendingEvent(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_92759E

loc_8456EC:				; CODE XREF: PiUEventNotifyClient+E1F4Ej
		lea	eax, [esi+8]
		push	eax
		call	KeQuerySystemTime
		mov	ecx, [edi+8]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, edi
		call	_PiUEventNotifyClientPendingEvent@4 ; PiUEventNotifyClientPendingEvent(x)

loc_845704:				; CODE XREF: PiUEventNotifyClient+42j
					; PiUEventNotifyClient+A4j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_84570B:				; CODE XREF: PiUEventNotifyClient+56j
		mov	ebx, 0C000009Ah
		jmp	short loc_845704
PiUEventNotifyClient endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiUEventNotifyClientPendingEvent(x)
_PiUEventNotifyClientPendingEvent@4 proc near ;	CODE XREF: PiUEventHandleGetEvent+F9p
					; PiUEventNotifyClient+93p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+8]
		call	ExAcquireFastMutex
		mov	ecx, esi
		call	_PiUEventEstimateRequiredClientBufferSize@4 ; PiUEventEstimateRequiredClientBufferSize(x)
		mov	ecx, [esi+8]
		mov	[ebp+var_4], eax
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [esi+30h]
		push	eax
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		pop	esi
		leave
		retn
_PiUEventNotifyClientPendingEvent@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PiUEventQueuePendingEvent(x, x)
_PiUEventQueuePendingEvent@8 proc near	; CODE XREF: PiUEventNotifyClient+71p
					; PiUEventNotifyClient+E1F45p
		xor	eax, eax
		cmp	dword ptr [ecx+48h], 10000h
		jnb	short loc_845775
		push	esi
		lea	esi, [ecx+40h]
		push	edi
		mov	edi, [esi+4]
		cmp	[edi], esi
		jnz	short loc_84577B
		mov	[edx], esi
		mov	[edx+4], edi
		mov	[edi], edx
		mov	[esi+4], edx
		inc	dword ptr [ecx+48h]
		pop	edi
		pop	esi
		retn
; 

loc_845775:				; CODE XREF: PiUEventQueuePendingEvent(x,x)+9j
		mov	eax, 0C0000001h
		retn
; 

loc_84577B:				; CODE XREF: PiUEventQueuePendingEvent(x,x)+15j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PiUEventQueuePendingEvent@8 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall PiUEventReferenceEventEntry(x)
_PiUEventReferenceEventEntry@4 proc near ; CODE	XREF: PiUEventNotifyClient+5Dp
					; PAGE:008D5A73p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, [edi+8]
		call	ExAcquireFastMutex
		mov	esi, [edi+1Ch]
		mov	ecx, [edi+8]
		inc	esi
		mov	[edi+1Ch], esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		retn
_PiUEventReferenceEventEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUEventApplyAdditionalFilters proc near ; CODE	XREF: PiUEventNotifyTargetDeviceChange+10Bp
					; PiUEventNotifyDeviceInterfaceChange(x)+6Ap ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= dword	ptr -15h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009275D0 SIZE 0000009A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_20], edx
		xor	ecx, ecx
		inc	ecx
		mov	bl, cl
		mov	eax, [edi+3Ch]
		mov	byte ptr [ebp+var_15], bl
		sub	eax, ecx
		jz	short loc_8457D5
		sub	eax, ecx
		jz	short loc_84580A
		sub	eax, ecx
		jnz	short loc_84581B

loc_8457D5:				; CODE XREF: PiUEventApplyAdditionalFilters+27j
					; PiUEventApplyAdditionalFilters+7Aj ...
		lea	eax, [ebp+var_15]
		push	eax
		lea	esi, [edx+20h]
		push	esi
		push	0
		push	ecx
		lea	edx, [edi+50h]

loc_8457E3:				; CODE XREF: PiUEventApplyAdditionalFilters+75j
		mov	ecx, _PiPnpRtlCtx
		call	_PiPnpRtlApplyMandatoryFilters@24 ; PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)
		test	eax, eax
		js	loc_9275D0
		mov	bl, byte ptr [ebp+var_15]

loc_8457F9:				; CODE XREF: PiUEventApplyAdditionalFilters+8Bj
					; PiUEventApplyAdditionalFilters+E1E77j ...
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_84580A:				; CODE XREF: PiUEventApplyAdditionalFilters+2Bj
		lea	eax, [ebp+var_15]
		push	eax
		lea	esi, [edx+20h]
		push	esi
		push	0
		push	3
		lea	edx, [edi+60h]
		jmp	short loc_8457E3
; 

loc_84581B:				; CODE XREF: PiUEventApplyAdditionalFilters+2Fj
		sub	eax, 1
		jz	short loc_8457D5
		sub	eax, 5
		jz	short loc_8457D5
		sub	eax, 1
		jz	short loc_8457D5
		sub	eax, 1
		jz	short loc_8457D5
		jmp	short loc_8457F9
PiUEventApplyAdditionalFilters endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpInsertEventInQueue proc near		; CODE XREF: PnpSetDeviceInstanceStartedEventFromDeviceInstance+8Cp
					; PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance+8Cp ...

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 0092766A SIZE 0000000E BYTES
; FUNCTION CHUNK AT 0092768E SIZE 00000062 BYTES

		push	24h
		push	offset dword_6A7198
		call	__SEH_prolog4
		mov	[ebp+var_1C], ecx
		mov	esi, offset _GUID_NULL
		lea	edi, [ebp+var_34]
		movsd
		movsd
		movsd
		movsd
		and	[ebp+var_20], 0
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		call	_IoGetActivityIdThread@0 ; IoGetActivityIdThread()
		test	eax, eax
		jnz	loc_92766A
		call	_PnpIsSafeToExamineUserModeTeb@0 ; PnpIsSafeToExamineUserModeTeb()
		test	al, al
		jnz	loc_845936

loc_845870:				; CODE XREF: PnpInsertEventInQueue+12Cj
					; PnpInsertEventInQueue+E1E41j	...
		mov	edi, [ebp+var_1C]
		add	edi, 34h
		lea	esi, [ebp+var_34]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_1C]
		test	byte_6CD8BB, 8
		jnz	loc_92768E

loc_84588D:				; CODE XREF: PnpInsertEventInQueue+E1E85j
					; PnpInsertEventInQueue+E1EADj
		mov	ecx, ds:_PnpDeviceEventList
		lea	ecx, [ecx+24h]
		call	ExAcquireFastMutex
		mov	edi, offset _PnpNotificationInProgressLock
		mov	ecx, edi
		call	ExAcquireFastMutex
		cmp	ds:_PnpNotificationInProgress, 0
		jnz	short loc_8458DC
		push	4C706E50h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9276E4
		mov	ds:_PnpNotificationInProgress, 1
		push	offset _PnpEventQueueEmpty
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_8458DC:				; CODE XREF: PnpInsertEventInQueue+7Cj
					; PnpInsertEventInQueue+E1EB9j
		mov	eax, ds:_PnpDeviceEventList
		add	eax, 44h
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_845963
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, ds:_PnpDeviceEventList
		lea	ecx, [ecx+24h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	ebx, ebx
		jz	short loc_845923
		mov	dword ptr [ebx+8], offset PnpDeviceEventWorker
		mov	[ebx+0Ch], ebx
		and	dword ptr [ebx], 0
		push	1
		push	ebx
		call	ExQueueWorkItem

loc_845923:				; CODE XREF: PnpInsertEventInQueue+DAj
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_845936:				; CODE XREF: PnpInsertEventInQueue+38j
		and	[ebp+ms_exc.disabled], ebx
		cmp	large dword ptr	fs:18h,	0
		jz	short loc_845957
		mov	esi, large fs:18h
		add	esi, 0F50h
		lea	edi, [ebp+var_34]
		movsd
		movsd
		movsd
		movsd

loc_845957:				; CODE XREF: PnpInsertEventInQueue+10Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_845870
; 

loc_845963:				; CODE XREF: PnpInsertEventInQueue+B7j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PnpCreateDeviceEventEntry(x)
_PnpCreateDeviceEventEntry@4:		; CODE XREF: PnpSetDeviceInstanceStartedEventFromDeviceInstance+28p
					; PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance+28p ...
		mov	edi, edi
		push	esi
		push	edi
		push	4B706E50h
		mov	edi, ecx
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_845994
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [esi+24h], 1

loc_845994:				; CODE XREF: PnpInsertEventInQueue+14Dj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
PnpInsertEventInQueue endp ; sp	= -38h

; 
		align 10h
; Exported entry 2146. RtlHashUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlHashUnicodeString
RtlHashUnicodeString proc near		; CODE XREF: PiUEventHashStringIntoBucket(x)+29p
					; KsepCacheHwIdHash(x)+19p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009276F0 SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	dl, byte ptr [ebp+arg_4]
		push	esi
		test	ecx, ecx
		jz	loc_92772C
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	loc_92772C
		push	ebx
		mov	ebx, [ecx+4]
		push	edi
		mov	[esi], eax
		movzx	edi, word ptr [ecx]
		shr	edi, 1
		cmp	[ebp+arg_8], 1
		ja	loc_927722
		test	edi, edi
		jz	short loc_845A0C
		test	dl, dl
		jz	short loc_845A33
		nop

loc_8459E0:				; CODE XREF: RtlHashUnicodeString+67j
		movzx	ecx, word ptr [ebx]
		lea	ebx, [ebx+2]
		dec	edi
		mov	[ebp+arg_0], ecx
		cmp	ecx, 61h
		jb	short loc_8459F7
		cmp	ecx, 7Ah
		ja	short loc_845A17
		add	ecx, 0FFFFFFE0h

loc_8459F7:				; CODE XREF: RtlHashUnicodeString+4Dj
					; RtlHashUnicodeString+82j ...
		imul	eax, 1003Fh
		movzx	ecx, cx
		movzx	ecx, cx
		add	eax, ecx
		test	edi, edi
		jnz	short loc_8459E0
		mov	esi, [ebp+arg_C]

loc_845A0C:				; CODE XREF: RtlHashUnicodeString+39j
					; RtlHashUnicodeString+A6j
		mov	[esi], eax
		xor	eax, eax

loc_845A10:				; CODE XREF: RtlHashUnicodeString+E1D87j
		pop	edi
		pop	ebx

loc_845A12:				; CODE XREF: RtlHashUnicodeString+E1D91j
		pop	esi
		pop	ebp
		retn	10h
; 

loc_845A17:				; CODE XREF: RtlHashUnicodeString+52j
		mov	edx, ds:_Nls844UnicodeUpcaseTable
		mov	[ebp+arg_4], edx
		test	edx, edx
		jz	short loc_8459F7
		mov	esi, 0C0h
		cmp	cx, si
		jb	short loc_8459F7
		jmp	loc_9276F0
; 

loc_845A33:				; CODE XREF: RtlHashUnicodeString+3Dj
					; RtlHashUnicodeString+A4j
		movzx	ecx, word ptr [ebx]
		lea	ebx, [ebx+2]
		imul	eax, 1003Fh
		add	eax, ecx
		sub	edi, 1
		jnz	short loc_845A33
		jmp	short loc_845A0C
RtlHashUnicodeString endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDrvDbLoadNodeWorkerCallback proc near	; DATA XREF: PiDrvDbLoadNode+DFo

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00928C26 SIZE 000000C3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		mov	ecx, offset _KMPnPEvt_DriverDatabaseLoad_Start
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_14], 1
		mov	[esp+20h+var_10], eax
		lea	ebx, [edi+8]
		mov	[esp+20h+var_C], eax
		mov	edx, ebx
		mov	[esp+20h+var_4], ebx
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		mov	edx, ebx
		mov	ecx, offset _KMPnPEvt_DriverDatabaseLoaded_Start
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		lea	ecx, [esp+20h+var_8]
		xor	ebx, ebx
		push	ecx
		push	ebx
		lea	edx, [edi+18h]
		lea	ecx, [edi+10h]
		call	PiDrvDbLoadHive
		mov	esi, eax
		test	esi, esi
		js	loc_928CAD
		mov	edx, [esp+20h+var_8]
		lea	ebx, [edi+24h]
		push	ebx
		push	2000000h
		push	0
		push	offset ??_C@_1BO@JJFLMBDN@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAa?$AAb?$AAa?$AAs?$AAe@NNGAKEGL@ ; "DriverDatabase"
		xor	ecx, ecx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_928C90
		cmp	dword ptr [edi+108h], 0FFFFFFFFh
		jnz	short loc_845AE0
		cmp	dword ptr [edi+10Ch], 0
		jz	short loc_845B5A

loc_845AE0:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+8Dj
					; PiDrvDbLoadNodeWorkerCallback+152j ...
		lea	esi, [edi+118h]
		cmp	dword ptr [esi], 103h
		jz	loc_845BBF

loc_845AF2:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+E324Cj
		xor	ebx, ebx

loc_845AF4:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+1F5j
					; PiDrvDbLoadNodeWorkerCallback+E3243j
		push	[esp+20h+var_8]
		call	_ZwClose@4	; ZwClose(x)
		push	ebx
		push	dword ptr [edi+100h]
		call	_ZwResetEvent@8	; ZwResetEvent(x,x)
		mov	edx, [edi+100h]
		lea	ecx, [edi+10h]
		call	PiDrvDbUnloadHive
		mov	esi, eax
		cmp	esi, 103h
		jnz	loc_928C99
		mov	esi, ebx

loc_845B27:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+E327Fj
					; PiDrvDbLoadNodeWorkerCallback+E328Aj
		push	ebx
		push	ebx
		lea	eax, [edi+68h]
		mov	[edi+88h], esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	edi, [esp+20h+var_4]
		mov	ecx, offset _KMPnPEvt_DriverDatabaseLoad_Stop
		push	esi
		mov	edx, edi
		call	_PnpDiagnosticTraceObjectWithStatus@12 ; PnpDiagnosticTraceObjectWithStatus(x,x,x)
		test	esi, esi
		js	loc_928CD7

loc_845B51:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+E329Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_845B5A:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+96j
		mov	edx, [edi+0Ch]
		lea	eax, [esp+20h+var_10]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		push	4
		lea	eax, [esp+2Ch+var_C]
		push	eax
		lea	eax, [esp+30h+var_14]
		push	eax
		push	offset _DEVPKEY_DriverDatabase_UnloadTimeout
		push	0
		push	dword ptr [ebx]
		push	7
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	loc_928C26

loc_845B8E:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+E31E3j
					; PiDrvDbLoadNodeWorkerCallback+E31EEj
		mov	eax, 1D4C0h
		mov	[esp+20h+var_C], eax

loc_845B97:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+E31F8j
		cmp	eax, 0FFFFFFFFh
		jz	loc_845AE0
		mov	ecx, 2710h
		mul	ecx
		neg	eax
		mov	[edi+108h], eax
		adc	edx, 0
		neg	edx
		mov	[edi+10Ch], edx
		jmp	loc_845AE0
; 

loc_845BBF:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+A4j
		mov	edx, [edi+0Ch]
		lea	eax, [esp+20h+var_10]
		mov	ecx, _PiPnpRtlCtx
		lea	ebx, [edi+114h]
		push	0
		push	eax
		push	4
		push	ebx
		lea	eax, [esp+30h+var_14]
		push	eax
		push	offset _DEVPKEY_DriverDatabase_SetupOptions
		push	0
		push	dword ptr [edi+24h]
		push	7
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	loc_928C45

loc_845BF6:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+E3202j
					; PiDrvDbLoadNodeWorkerCallback+E3213j
		mov	dword ptr [ebx], 33h

loc_845BFC:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+E320Dj
		mov	edx, [edi+0Ch]
		lea	eax, [esp+20h+var_10]
		mov	ecx, _PiPnpRtlCtx
		xor	ebx, ebx
		push	ebx
		push	eax
		push	4
		push	esi
		lea	eax, [esp+30h+var_14]
		push	eax
		push	offset _DEVPKEY_DriverDatabase_SetupStatus
		push	ebx
		push	dword ptr [edi+24h]
		push	7
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_845C48
		cmp	[esp+20h+var_14], 18h
		jnz	short loc_845C48
		cmp	[esp+20h+var_10], 4
		jnz	short loc_845C48
		cmp	dword ptr [esi], 103h
		jnz	loc_845AF4
		jmp	loc_928C60
; 

loc_845C48:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+1DFj
					; PiDrvDbLoadNodeWorkerCallback+1E6j ...
		mov	dword ptr [esi], 103h
		jmp	loc_928C60
PiDrvDbLoadNodeWorkerCallback endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbUnloadNodeWorkerCallback(x)
_PiDrvDbUnloadNodeWorkerCallback@4 proc	near ; DATA XREF: PiDrvDbUnloadNodeDpcRoutine+2Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		call	PiDrvDbUnloadNodeReset
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		lea	edi, [esi+2Ch]
		push	edi
		call	ExAcquireResourceExclusiveLite
		cmp	byte ptr [esi+110h], 0
		jz	short loc_845CD8
		push	ebx
		lea	edx, [esi+8]
		mov	ecx, offset _KMPnPEvt_DriverDatabaseUnload_Start
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_845CA6
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [esi+24h], 0

loc_845CA6:				; CODE XREF: PiDrvDbUnloadNodeWorkerCallback(x)+46j
		lea	edx, [esi+8]
		mov	word ptr [esi+110h], 0
		mov	ecx, offset _KMPnPEvt_DriverDatabaseUnload_Pend
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		lea	eax, [esi+0F0h]
		and	dword ptr [eax], 0
		push	1
		push	eax
		mov	dword ptr [eax+8], offset _PiDrvDbUnloadNodeWaitWorkerCallback@4 ; PiDrvDbUnloadNodeWaitWorkerCallback(x)
		mov	[eax+0Ch], esi
		call	ExQueueWorkItem
		pop	ebx

loc_845CD8:				; CODE XREF: PiDrvDbUnloadNodeWorkerCallback(x)+31j
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_PiDrvDbUnloadNodeWorkerCallback@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDrvDbUnloadHive proc near		; CODE XREF: PiDrvDbLoadNodeWorkerCallback+CAp
					; PiDrvDbSetupNodeHive(x,x)+381p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00928CE9 SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		mov	[ebp+var_18], 18h
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 240h
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		test	edx, edx
		jz	loc_928CE9
		push	edx
		lea	eax, [ebp+var_18]
		push	eax
		call	_ZwUnloadKeyEx@8 ; ZwUnloadKeyEx(x,x)
		leave
		retn
PiDrvDbUnloadHive endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDrvDbLoadHive	proc near		; CODE XREF: PiDrvDbLoadNodeWorkerCallback+54p
					; PiDrvDbSetupNodeHive(x,x)+2E7p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	ebx, ebx
		push	18h
		pop	esi
		push	ebx
		push	ebx
		push	ebx
		mov	eax, 240h
		mov	[edi], ebx
		mov	[ebp+var_C], eax
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	ebx
		or	eax, 80h
		mov	[ebp+var_18], esi
		push	eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_14], ebx
		push	eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], ecx
		push	eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		call	_ZwLoadKeyEx@32	; ZwLoadKeyEx(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_845DA2
		lea	eax, [ebp+var_18]
		push	eax
		push	2000000h
		push	edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	sub_928CF5

loc_845DA2:				; CODE XREF: PiDrvDbLoadHive+5Dj
					; sub_928CF5+Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
PiDrvDbLoadHive	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmpDummyApc(x, x, x)
_CmpDummyApc@12	proc near		; DATA XREF: NtNotifyChangeMultipleKeys+372o
		retn	0Ch
_CmpDummyApc@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpCleanUpHigherLayerKcbCachesPreCallback(x, x)
_CmpCleanUpHigherLayerKcbCachesPreCallback@8 proc near
					; DATA XREF: CmpInvalidateAllHigherLayerKcbs(x,x,x,x)+1Bo
					; CmpPrepareToInvalidateAllHigherLayerKcbs(x,x,x)+2Eo ...
		xor	eax, eax
		inc	eax
		retn	8
_CmpCleanUpHigherLayerKcbCachesPreCallback@8 endp

; Exported entry 554. FsRtlInitializeOplock

;  S U B	R O U T	I N E 


; __stdcall PopPdcCallback(x)
		public _PopPdcCallback@4
_PopPdcCallback@4 proc near		; CODE XREF: PnprInitiateReplaceOperation()+281p
					; EtwpFreePmcData(x)+1Fp ...
		retn	4
_PopPdcCallback@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpTriageDumpRestoreState(x)
_DbgkpTriageDumpRestoreState@4 proc near ; DATA	XREF: DbgkpTriageDumpInitialize(x,x,x,x)+6Bo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [edx]
		mov	eax, [edx+8]
		mov	[edx+14h], eax
		mov	eax, [edx+0Ch]
		mov	[ecx+1060h], eax
		mov	ecx, [edx]
		mov	eax, [edx+10h]
		mov	[ecx+1064h], eax
		pop	ebp
		retn	4
_DbgkpTriageDumpRestoreState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpTriageDumpSaveState(x)
_DbgkpTriageDumpSaveState@4 proc near	; DATA XREF: DbgkpTriageDumpInitialize(x,x,x,x)+64o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [edx]
		mov	eax, [edx+14h]
		mov	[edx+8], eax
		mov	eax, [ecx+1060h]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+1064h]
		mov	[edx+10h], eax
		pop	ebp
		retn	4
_DbgkpTriageDumpSaveState@4 endp


;  S U B	R O U T	I N E 


; __stdcall EmFalseCallback(x, x, x, x,	x, x, x)
_EmFalseCallback@28 proc near		; DATA XREF: .text:00401B90o
		xor	eax, eax
		retn	1Ch
_EmFalseCallback@28 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall EmTrueCallback(x, x, x, x, x, x, x)
_EmTrueCallback@28 proc	near		; DATA XREF: .text:00401B84o
		push	2
		pop	eax
		retn	1Ch
_EmTrueCallback@28 endp


;  S U B	R O U T	I N E 


; __stdcall xHalAcpiGetMultiNode()
_xHalAcpiGetMultiNode@0	proc near	; DATA XREF: .data:006B1398o
		xor	eax, eax
		retn
_xHalAcpiGetMultiNode@0	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall xHalAddInterruptRemapping(x, x, x, x, x, x)
_xHalAddInterruptRemapping@24 proc near	; DATA XREF: .data:006B1310o
		xor	eax, eax
		retn	18h
_xHalAddInterruptRemapping@24 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall xHalAllocatePmcCounterSet(x, x, x, x)
_xHalAllocatePmcCounterSet@16 proc near	; CODE XREF: EtwpUpdatePmcCounters(x,x,x)+A9p
					; DATA XREF: .text:005810D0o ...
		mov	eax, 0C00000BBh
		retn	10h
_xHalAllocatePmcCounterSet@16 endp


;  S U B	R O U T	I N E 


; __stdcall xHalCollectPmcCounters(x, x)
_xHalCollectPmcCounters@8 proc near	; CODE XREF: EtwpReserveWithPmcCounters(x,x,x,x,x,x)+BAp
					; DATA XREF: .data:off_6B1334o
		retn	8
_xHalCollectPmcCounters@8 endp

; 
		align 2
; Exported entry 1387. MmConfigureGraphicsPtes

;  S U B	R O U T	I N E 


; __stdcall MmConfigureGraphicsPtes(x, x)
		public _MmConfigureGraphicsPtes@8
_MmConfigureGraphicsPtes@8 proc	near	; CODE XREF: PnprReplaceStart()+4Ap
					; DATA XREF: .text:005812D4o ...
		mov	eax, 0C00000BBh
		retn	8
_MmConfigureGraphicsPtes@8 endp


;  S U B	R O U T	I N E 


; __stdcall xHalSaveAndDisableHvEnlightenment()
_xHalSaveAndDisableHvEnlightenment@0 proc near ; CODE XREF: PopSaveHiberContext+B8FEp
					; PopHiberCheckResume+7095p ...
		retn	0
_xHalSaveAndDisableHvEnlightenment@0 endp

; 
		align 2
; Exported entry 1351. LpcReplyWaitReplyPort

;  S U B	R O U T	I N E 


; __stdcall LpcReplyWaitReplyPort(x, x,	x)
		public _LpcReplyWaitReplyPort@12
_LpcReplyWaitReplyPort@12 proc near	; CODE XREF: HvlpQueryApicIdAndNumaNode+29p
					; DATA XREF: .text:00581150o ...
		mov	eax, 0C00000BBh
		retn	0Ch
_LpcReplyWaitReplyPort@12 endp


;  S U B	R O U T	I N E 


; __stdcall xHalIommuMapDevice(x, x, x,	x)
_xHalIommuMapDevice@16 proc near	; DATA XREF: .data:006B319Co
		mov	eax, 0C0000002h
		retn	10h
_xHalIommuMapDevice@16 endp


;  S U B	R O U T	I N E 


; __stdcall NtSetHighWaitLowEventPair(x)
_NtSetHighWaitLowEventPair@4 proc near	; DATA XREF: .text:00580BA4o
					; .text:00580BA8o ...
		mov	eax, 0C0000002h
		retn	4
_NtSetHighWaitLowEventPair@4 endp


;  S U B	R O U T	I N E 


; __stdcall PsNotifyWriteToExecutableMemory(x, x)
_PsNotifyWriteToExecutableMemory@8 proc	near
					; CODE XREF: MiKernelWriteToExecutableMemory(x,x,x,x)+48p
					; DATA XREF: .data:006B1274o ...
		mov	eax, 0C0000002h
		retn
_PsNotifyWriteToExecutableMemory@8 endp


;  S U B	R O U T	I N E 


; __stdcall xHalQuerySystemInformation(x, x, x,	x)
_xHalQuerySystemInformation@16 proc near ; CODE	XREF: HvlStartBootLogicalProcessors+8A5DAp
					; BapdRecordFirmwareBootStats+BAp ...
		mov	eax, 0C0000148h
		retn	10h
_xHalQuerySystemInformation@16 endp


;  S U B	R O U T	I N E 


; __stdcall xHalRegisterBusHandler(x, x, x, x, x, x, x,	x)
_xHalRegisterBusHandler@32 proc	near	; DATA XREF: .data:006B1220o
		mov	eax, 0C00000BBh
		retn	20h
_xHalRegisterBusHandler@32 endp


;  S U B	R O U T	I N E 


; __stdcall xHalRemoveInterruptRemapping(x, x, x, x, x,	x)
_xHalRemoveInterruptRemapping@24 proc near ; DATA XREF:	.data:006B1314o
		retn	18h
_xHalRemoveInterruptRemapping@24 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall xHalSetSystemInformation(x,	x, x)
_xHalSetSystemInformation@12 proc near	; CODE XREF: KiSetIntervalWorker(x,x)+Cp
					; EtwSetPerformanceTraceInformation(x,x,x)+532p ...
		mov	eax, 0C0000148h
		retn	0Ch
_xHalSetSystemInformation@12 endp


;  S U B	R O U T	I N E 


; __stdcall xHalStartMirroring()
_xHalStartMirroring@0 proc near		; DATA XREF: .data:off_6B2C00o
		mov	eax, 0C00000BBh
		retn
_xHalStartMirroring@0 endp


;  S U B	R O U T	I N E 


; __stdcall xHalTimerQueryCycleCounter(x)
_xHalTimerQueryCycleCounter@4 proc near	; CODE XREF: TxtpAddCacheEntry+24D1p
					; AnFwpBackgroundUpdateTimer(x,x,x,x)+25p ...
		xor	eax, eax
		xor	edx, edx
		retn	4
_xHalTimerQueryCycleCounter@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; public: virtual long __thiscall NT_DISK::GetPnpProperty(void *, void * *)
?GetPnpProperty@NT_DISK@@UAEJPAXPAPAX@Z	proc near
		mov	eax, 0C0000002h
		retn	8
?GetPnpProperty@NT_DISK@@UAEJPAXPAPAX@Z	endp


;  S U B	R O U T	I N E 


; __stdcall IopCancelIrpsInCurrentThreadListDummyApc(x,	x, x, x, x)
_IopCancelIrpsInCurrentThreadListDummyApc@20 proc near
					; DATA XREF: IopCancelIrpsInThreadList(x,x)+84o
		retn	14h
_IopCancelIrpsInCurrentThreadListDummyApc@20 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopDmaOverrideConflict(x, x)
_IopDmaOverrideConflict@8 proc near	; DATA XREF: IopDmaInitialize()+3Ao
		xor	al, al
		retn	8
_IopDmaOverrideConflict@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDmaScoreRequirement(x)
_IopDmaScoreRequirement@4 proc near	; DATA XREF: IopDmaInitialize()+30o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+0Ch]
		sub	eax, [ecx+8]
		pop	ebp
		retn	4
_IopDmaScoreRequirement@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDmaUnpackRequirement(x, x, x, x,	x)
_IopDmaUnpackRequirement@20 proc near	; DATA XREF: IopIrqInitialize()+15o
					; IopDmaInitialize()+12o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	esi
		xor	esi, esi
		mov	eax, [edx+8]
		mov	[ecx], eax
		mov	[ecx+4], esi
		mov	eax, [edx+0Ch]
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		mov	eax, [ebp+arg_C]
		mov	[ecx+4], esi
		xor	ecx, ecx
		inc	ecx
		mov	[eax+4], esi
		mov	[eax], ecx
		mov	eax, [ebp+arg_10]
		mov	[eax+4], esi
		mov	[eax], ecx
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	14h
_IopDmaUnpackRequirement@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDmaUnpackResource(x, x, x)
_IopDmaUnpackResource@12 proc near	; DATA XREF: IopDmaInitialize()+26o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	eax, [eax+4]
		and	dword ptr [ecx+4], 0
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		and	dword ptr [eax+4], 0
		mov	dword ptr [eax], 1
		xor	eax, eax
		pop	ebp
		retn	0Ch
_IopDmaUnpackResource@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopIrqUnpackResource(x, x, x)
_IopIrqUnpackResource@12 proc near	; DATA XREF: IopIrqInitialize()+29o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	eax, [eax+8]
		and	dword ptr [ecx+4], 0
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		and	dword ptr [eax+4], 0
		mov	dword ptr [eax], 1
		xor	eax, eax
		pop	ebp
		retn	0Ch
_IopIrqUnpackResource@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopBusNumberUnpackResource(x, x, x)
_IopBusNumberUnpackResource@12 proc near ; DATA	XREF: IopBusNumberInitialize()+26o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	eax, [edx+4]
		and	dword ptr [ecx+4], 0
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		mov	eax, [edx+8]
		and	dword ptr [ecx+4], 0
		mov	[ecx], eax
		xor	eax, eax
		pop	ebp
		retn	0Ch
_IopBusNumberUnpackResource@12 endp


;  S U B	R O U T	I N E 


; __stdcall ArbPreprocessEntry(x, x)
_ArbPreprocessEntry@8 proc near		; DATA XREF: ArbInitializeArbiterInstance+135o
					; ArbInitializeArbiterInstance+1B3o ...
		xor	eax, eax
		retn	8
_ArbPreprocessEntry@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnprStartMirroring()
_PnprStartMirroring@0 proc near		; DATA XREF: PnprInitiateReplaceOperation()+11Ao
		mov	eax, _PnprContext
		or	dword ptr [eax+30h], 4
		mov	byte ptr [eax+9Ch], 0
		xor	eax, eax
		retn
_PnprStartMirroring@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopExecuteHwpDefaultSelect(x, x, x)
_IopExecuteHwpDefaultSelect@12 proc near
					; DATA XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+156o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		xor	eax, eax
		pop	ebp
		retn	0Ch
_IopExecuteHwpDefaultSelect@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorInvalidStateHandler(x)
_PopPowerAggregatorInvalidStateHandler@4 proc near ; DATA XREF:	PAGEDATA:00A934BCo
					; PAGEDATA:00A934F0o
		mov	eax, 0C000A003h
		retn	4
_PopPowerAggregatorInvalidStateHandler@4 endp


;  S U B	R O U T	I N E 


; __stdcall TtmpCalloutLiveDumpSecondaryCallback(x, x, x, x, x,	x, x, x)
_TtmpCalloutLiveDumpSecondaryCallback@32 proc near
					; DATA XREF: TtmpCalloutWatchdogCallback(x,x,x,x,x,x)+6Bo
		xor	eax, eax
		retn	20h
_TtmpCalloutLiveDumpSecondaryCallback@32 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspEnableProcessTimerVirtualization(x, x)
_PspEnableProcessTimerVirtualization@8 proc near ; DATA	XREF: sub_759647+89Bo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		add	eax, 64h
		lock bts dword ptr [eax], 4
		xor	eax, eax
		pop	ebp
		retn	8
_PspEnableProcessTimerVirtualization@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspGetPicoProcessContext(x)
_PspGetPicoProcessContext@4 proc near	; DATA XREF: PsRegisterPicoProvider(x,x)+62o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+3D4h]
		pop	ebp
		retn	4
_PspGetPicoProcessContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspGetPicoThreadContext(x)
_PspGetPicoThreadContext@4 proc	near	; DATA XREF: PsRegisterPicoProvider(x,x)+69o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+37Ch]
		pop	ebp
		retn	4
_PspGetPicoThreadContext@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlDecompressFragmentNS(x, x, x, x,	x, x, x, x)
_RtlDecompressFragmentNS@32 proc near	; DATA XREF: PAGE:00A40880o
					; PAGE:00A40884o
		mov	eax, 0C000025Fh
		retn	20h
_RtlDecompressFragmentNS@32 endp


;  S U B	R O U T	I N E 


; __stdcall RtlReserveChunkNS(x, x, x, x)
_RtlReserveChunkNS@16 proc near		; DATA XREF: PAGE:00A40858o
					; PAGE:00A4085Co ...
		mov	eax, 0C000025Fh
		retn	10h
_RtlReserveChunkNS@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSetRuntimeUpdatableSigningLevel(x)
_SepSetRuntimeUpdatableSigningLevel@4 proc near	; DATA XREF: .text:004037E4o

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [ebp+arg_0]
		mov	_SeILSigningPolicyRuntime, al
		pop	ebp
		retn	4
_SepSetRuntimeUpdatableSigningLevel@4 endp

; 
		align 2
; Exported entry 1510. NtCreateCrossVmEvent

;  S U B	R O U T	I N E 


; __stdcall NtCreateCrossVmEvent(x, x, x, x, x,	x)
		public _NtCreateCrossVmEvent@24
_NtCreateCrossVmEvent@24 proc near	; DATA XREF: .text:005812CCo
					; .text:005812D0o ...
		mov	eax, 0C00000BBh
		retn	18h
_NtCreateCrossVmEvent@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ArbpQueryConflictCallback(x, x)
_ArbpQueryConflictCallback@8 proc near	; DATA XREF: ArbQueryConflict(x,x)+89o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[eax], ecx
		xor	al, al
		pop	ebp
		retn	8
_ArbpQueryConflictCallback@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCloneProcessAddressSpace proc	near	; CODE XREF: MmInitializeProcessAddressSpace+2B5p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FAA1D SIZE 00000123 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_34], ecx
		push	6
		pop	ecx
		mov	esi, eax
		mov	[ebp+var_28], eax
		lea	edi, [ebp+var_20]
		mov	[ebp+var_30], eax
		rep stosd
		mov	edi, [ebp+var_34]
		mov	ebx, edx
		mov	[ebp+var_2C], eax
		xor	edx, edx
		mov	[ebp+var_40], eax
		inc	edx
		mov	eax, large fs:124h
		mov	ecx, edi
		mov	[ebp+var_48], edx
		mov	[ebp+var_38], esi
		mov	eax, [eax+80h]
		mov	[ebp+var_3C], eax
		call	_MiIsStoreProcess@4 ; MiIsStoreProcess(x)
		test	eax, eax
		jnz	loc_8FAA1D
		mov	ecx, ebx
		call	MiLockDownWorkingSet
		cmp	[ebp+var_3C], edi
		jz	short loc_846082
		lea	eax, [ebp+var_20]
		mov	[ebp+var_28], 1
		push	eax
		xor	edx, edx
		mov	ecx, edi
		call	KiStackAttachProcess

loc_846082:				; CODE XREF: MiCloneProcessAddressSpace+66j
		mov	edx, [edi+24Ch]
		mov	ecx, [ebp+arg_0]
		and	ecx, 1
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	eax, [edx+88h]
		or	eax, [edx+8Ch]
		jnz	loc_8FAA27

loc_8460A6:				; CODE XREF: MiCloneProcessAddressSpace+B4A23j
		push	0
		push	0FFFFFFFFh
		or	edx, 0FFFFFFFFh
		mov	ecx, edi
		call	MiLockVadRange
		mov	edi, eax
		mov	[ebp+var_44], edi
		test	edi, edi
		jz	loc_8FAA36
		lea	edx, [ebp+var_2C]
		mov	ecx, ebx
		call	MiCreateCloneChain
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		js	loc_8FAA45
		lea	edx, [ebp+var_30]
		mov	ecx, ebx
		call	MiAllocateChildVads
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		js	loc_8FAA45
		cmp	[ebp+var_4C], esi
		jz	short loc_846153
		mov	eax, [ebp+var_50]
		mov	ecx, ebx
		push	dword ptr [eax+8Ch]
		push	dword ptr [eax+88h]
		push	2
		pop	edx
		call	MiBuildNewCloneDescriptor
		mov	esi, eax
		mov	[ebp+var_38], esi
		test	esi, esi
		jz	loc_8FAA3D
		mov	eax, [esi+14h]
		shl	eax, 4
		push	eax		; size_t
		push	0		; int
		push	dword ptr [esi+0Ch] ; void *
		call	_memset
		mov	ecx, [esi+0Ch]
		mov	edx, 7FFFFFFh
		add	esp, 0Ch
		mov	eax, [ecx+8]
		and	eax, edx
		or	eax, 20000000h
		mov	[ecx+8], eax
		mov	ecx, [esi+0Ch]
		mov	eax, [ecx+18h]
		and	eax, edx
		or	eax, 8000000h
		mov	[ecx+18h], eax

loc_846153:				; CODE XREF: MiCloneProcessAddressSpace+ECj
		mov	ecx, [ebp+var_34]
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+arg_0]
		mov	edx, ebx
		push	esi
		push	[ebp+var_2C]
		call	MiCloneVads
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		js	loc_8FAA45
		mov	edx, [ebp+var_30]
		and	[ebp+var_2C], 0
		mov	[ebp+var_30], edx
		test	edx, edx
		jnz	loc_8FAAB5

loc_846187:				; CODE XREF: MiCloneProcessAddressSpace+B4B21j
					; MiCloneProcessAddressSpace+B4B2Bj
		xor	edi, edi
		mov	[ebp+var_24], edi

loc_84618C:				; CODE XREF: MiCloneProcessAddressSpace+B4B17j
		mov	ecx, [ebp+var_34]
		or	edx, 0FFFFFFFFh
		push	0
		push	[ebp+var_44]
		call	_MiUnlockVadRange@16 ; MiUnlockVadRange(x,x,x,x)
		cmp	[ebp+var_28], 0
		jz	short loc_8461B0
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		and	[ebp+var_28], 0

loc_8461B0:				; CODE XREF: MiCloneProcessAddressSpace+19Aj
		cmp	[ebp+var_3C], ebx
		jz	short loc_8461C9
		lea	eax, [ebp+var_20]
		mov	[ebp+var_28], 1
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	KiStackAttachProcess

loc_8461C9:				; CODE XREF: MiCloneProcessAddressSpace+1ADj
		call	_MiCreateForkWsles@0 ; MiCreateForkWsles()
		mov	esi, [ebp+var_38]
		test	esi, esi
		jz	short loc_846203
		mov	edx, [esi+14h]
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_846249
		mov	eax, [esi+0Ch]
		add	eax, 0Ch

loc_8461E4:				; CODE XREF: MiCloneProcessAddressSpace+1E6j
		add	ecx, [eax]
		lea	eax, [eax+10h]
		sub	edx, 1
		jnz	short loc_8461E4
		test	ecx, ecx
		jz	short loc_846249
		mov	[esi+18h], ecx
		mov	ecx, ebx
		push	edx
		mov	edx, esi
		call	MiInsertClone

loc_8461FF:				; CODE XREF: MiCloneProcessAddressSpace+24Cj
		and	[ebp+var_38], 0

loc_846203:				; CODE XREF: MiCloneProcessAddressSpace+1CDj
		test	edi, edi
		js	loc_8FAA55
		xor	edx, edx
		mov	ecx, ebx
		call	MiLockDownWorkingSet
		and	[ebp+var_48], 0
		cmp	[ebp+var_28], 0
		jz	short loc_84622C
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		and	[ebp+var_28], 0

loc_84622C:				; CODE XREF: MiCloneProcessAddressSpace+216j
		cmp	[ebp+var_40], 0
		jnz	loc_8FAB36

loc_846236:				; CODE XREF: MiCloneProcessAddressSpace+B4AAAj
		mov	eax, edi

loc_846238:				; CODE XREF: MiCloneProcessAddressSpace+B4A1Cj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_846249:				; CODE XREF: MiCloneProcessAddressSpace+1D6j
					; MiCloneProcessAddressSpace+1EAj
		mov	edx, esi
		mov	ecx, ebx
		call	_MiFreeCloneDescriptor@8 ; MiFreeCloneDescriptor(x,x)
		jmp	short loc_8461FF
MiCloneProcessAddressSpace endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateChildVads proc near		; CODE XREF: MiCloneProcessAddressSpace+D7p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FAB40 SIZE 00000163 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_38], edx
		and	[ebp+var_24], eax
		lea	edi, [ebp+var_1C]
		mov	esi, ecx
		xor	edx, edx
		push	6
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		xor	edi, edi
		mov	[ebp+var_20], esi
		mov	[ebp+var_30], edx
		mov	eax, [eax+80h]
		mov	eax, [eax+350h]
		jmp	short loc_84629D
; 

loc_846299:				; CODE XREF: MiAllocateChildVads+4Bj
		mov	edi, eax
		mov	eax, [eax]

loc_84629D:				; CODE XREF: MiAllocateChildVads+43j
		test	eax, eax
		jnz	short loc_846299
		test	edi, edi
		jz	loc_846437

loc_8462A9:				; CODE XREF: MiAllocateChildVads+1DAj
		mov	eax, [edi+4]
		mov	ebx, edi
		mov	[ebp+var_2C], ebx
		mov	ecx, edi
		test	eax, eax
		jnz	short loc_8462C7

loc_8462B7:				; CODE XREF: MiAllocateChildVads+71j
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		jz	short loc_8462D9
		cmp	[edi], ecx
		jz	short loc_8462D9
		mov	ecx, edi
		jmp	short loc_8462B7
; 

loc_8462C7:				; CODE XREF: MiAllocateChildVads+61j
		mov	edi, eax
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_8462D9

loc_8462CF:				; CODE XREF: MiAllocateChildVads+83j
		mov	eax, [ecx]
		mov	edi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_8462CF

loc_8462D9:				; CODE XREF: MiAllocateChildVads+69j
					; MiAllocateChildVads+6Dj ...
		mov	ecx, ebx
		call	_MiVadShouldBeForked@4 ; MiVadShouldBeForked(x)
		test	eax, eax
		jz	loc_8464B7
		mov	edx, [ebx+1Ch]
		mov	eax, edx
		and	eax, 100000h
		mov	[ebp+var_34], 6C646156h
		mov	ecx, eax
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 0FFFFFFDCh
		add	ecx, 4Ch
		mov	esi, ecx
		mov	[ebp+var_28], esi
		test	eax, eax
		jnz	loc_84644D
		mov	eax, edx
		mov	[ebp+var_28], esi
		and	al, 70h
		cmp	al, 20h
		jnz	short loc_84632C
		mov	[ebp+var_28], esi
		test	edx, 200000h
		jnz	loc_8464BF

loc_84632C:				; CODE XREF: MiAllocateChildVads+C7j
		mov	edx, [ebp+var_34]

loc_84632F:				; CODE XREF: MiAllocateChildVads+1FEj
					; MiAllocateChildVads+27Fj
		push	0
		push	40h
		mov	ecx, esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8FAC24
		push	[ebp+var_28]	; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		mov	ecx, [esi+1Ch]
		mov	edx, 100000h
		add	esp, 0Ch
		test	[ebx+1Ch], edx
		jnz	loc_846457
		mov	eax, [ebp+var_20]
		or	eax, 1
		mov	[esi+40h], eax

loc_84636B:				; CODE XREF: MiAllocateChildVads+206j
		xor	eax, eax
		and	ecx, 0FFFFFFFCh
		mov	[esi+1Ch], ecx
		mov	[esi+24h], eax
		mov	[esi+14h], eax
		mov	[esi+18h], eax
		mov	[esi+4], eax
		test	ecx, edx
		jnz	short loc_846397
		mov	eax, ecx
		and	al, 70h
		cmp	al, 20h
		jnz	short loc_846397
		test	ecx, 400000h
		jnz	loc_8FAB40

loc_846397:				; CODE XREF: MiAllocateChildVads+12Dj
					; MiAllocateChildVads+135j ...
		mov	ecx, ebx
		mov	dword ptr [esi+8], 0FFFFFFFEh
		call	_MiVadHasSharedCommit@4	; MiVadHasSharedCommit(x)
		test	eax, eax
		jz	short loc_8463C2
		mov	eax, [ebx+2Ch]
		mov	edx, [ebp+var_20]
		push	0
		mov	ecx, [eax]
		call	MiInsertSharedCommitNode
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8FAC0B

loc_8463C2:				; CODE XREF: MiAllocateChildVads+153j
		mov	ecx, esi
		call	_MiVadPureReserve@4 ; MiVadPureReserve(x)
		test	eax, eax
		jnz	loc_846475

loc_8463D1:				; CODE XREF: MiAllocateChildVads+22Ej
					; MiAllocateChildVads+23Fj
		mov	ecx, [ebp+var_2C]
		test	byte ptr [ecx+1Ch], 8
		jnz	loc_84649E

loc_8463DE:				; CODE XREF: MiAllocateChildVads+25Ej
		mov	edx, 80h
		call	_MiLocateVadEvent@8 ; MiLocateVadEvent(x,x)
		test	eax, eax
		jnz	loc_8FAB4E

loc_8463F0:				; CODE XREF: MiAllocateChildVads+B4929j
		mov	eax, [ecx+1Ch]
		mov	edx, 300000h
		and	eax, edx
		cmp	eax, edx
		jz	loc_8FAB82

loc_846402:				; CODE XREF: MiAllocateChildVads+B4964j
		call	_MiIsVadLargePrivate@4 ; MiIsVadLargePrivate(x)
		test	eax, eax
		jnz	loc_8FABBD
		mov	eax, [ecx+1Ch]
		and	al, 70h
		cmp	al, 20h
		jz	short loc_84645F

loc_846418:				; CODE XREF: MiAllocateChildVads+21Aj
					; MiAllocateChildVads+B4990j
		cmp	[ebp+var_24], 0
		jnz	loc_8FABE9

loc_846422:				; CODE XREF: MiAllocateChildVads+B49A3j
		mov	ecx, [ebp+var_30]
		mov	edx, esi
		mov	[esi], ecx
		mov	[ebp+var_30], edx

loc_84642C:				; CODE XREF: MiAllocateChildVads+266j
		test	edi, edi
		jnz	loc_8462A9
		mov	esi, [ebp+var_20]

loc_846437:				; CODE XREF: MiAllocateChildVads+4Fj
		mov	ecx, esi
		call	MiInsertChildVads

loc_84643E:				; CODE XREF: MiAllocateChildVads+B4A4Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_84644D:				; CODE XREF: MiAllocateChildVads+B8j
		mov	edx, 6C646156h
		jmp	loc_84632F
; 

loc_846457:				; CODE XREF: MiAllocateChildVads+108j
		and	ecx, 0FFFFFFF7h
		jmp	loc_84636B
; 

loc_84645F:				; CODE XREF: MiAllocateChildVads+1C2j
		push	ecx
		mov	ecx, [ebp+var_20]
		mov	edx, esi
		call	MiCloneImageVad
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_846418
		jmp	loc_8FAC29
; 

loc_846475:				; CODE XREF: MiAllocateChildVads+177j
		mov	eax, [esi+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jnb	loc_8463D1
		mov	ecx, esi
		call	MiCloneCaptureVadCommit
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_8463D1
		jmp	loc_8FAC17
; 

loc_84649E:				; CODE XREF: MiAllocateChildVads+184j
		mov	edx, esi
		call	_MiCloneNoChange@8 ; MiCloneNoChange(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8FAC29
		mov	ecx, [ebp+var_2C]
		jmp	loc_8463DE
; 

loc_8464B7:				; CODE XREF: MiAllocateChildVads+8Ej
		mov	edx, [ebp+var_30]
		jmp	loc_84642C
; 

loc_8464BF:				; CODE XREF: MiAllocateChildVads+D2j
		mov	ecx, [ebx+2Ch]
		mov	ecx, [ecx]
		call	_MiBytesForFixupVad@4 ;	MiBytesForFixupVad(x)
		mov	esi, eax
		mov	edx, 49646156h
		mov	[ebp+var_28], esi
		jmp	loc_84632F
MiAllocateChildVads endp


;  S U B	R O U T	I N E 


; __stdcall MiVadHasSharedCommit(x)
_MiVadHasSharedCommit@4	proc near	; CODE XREF: MiAllocateChildVads+14Cp
					; MiAllocateChildVads+B49C5p ...
		mov	edx, [ecx+1Ch]
		mov	eax, edx
		and	al, 70h
		cmp	al, 20h
		jz	short loc_846506
		test	edx, 100000h
		jz	short loc_8464EE

loc_8464EB:				; CODE XREF: MiVadHasSharedCommit(x)+1Aj
					; MiVadHasSharedCommit(x)+21j ...
		xor	eax, eax
		retn
; 

loc_8464EE:				; CODE XREF: MiVadHasSharedCommit(x)+11j
		cmp	dword ptr [ecx+44h], 0
		jl	short loc_8464EB
		mov	ecx, [ecx+2Ch]
		test	ecx, ecx
		jz	short loc_8464EB
		mov	ecx, [ecx]
		call	_MiIncludeSharedCommit@4 ; MiIncludeSharedCommit(x)
		test	eax, eax
		jz	short loc_8464EB

loc_846506:				; CODE XREF: MiVadHasSharedCommit(x)+9j
		xor	eax, eax
		inc	eax
		retn
_MiVadHasSharedCommit@4	endp


;  S U B	R O U T	I N E 


; __stdcall MiCloneNoChange(x, x)
_MiCloneNoChange@8 proc	near		; CODE XREF: MiAllocateChildVads+24Cp
		mov	edi, edi
		push	ecx
		mov	ecx, [ecx+24h]
		push	esi
		push	edi
		mov	edi, edx
		jmp	short loc_846557
; 

loc_846516:				; CODE XREF: MiCloneNoChange(x,x)+4Fj
		cmp	dword ptr [ecx+24h], 2
		jnz	short loc_846555
		mov	edx, [ecx+4]
		test	dl, dl
		js	short loc_846555
		mov	esi, edx
		and	esi, 4
		mov	eax, esi
		neg	eax
		sbb	eax, eax
		and	eax, 80000000h
		test	dl, 8
		jz	short loc_846544
		test	esi, esi
		jnz	short loc_846541
		test	dl, 3
		jnz	short loc_846555

loc_846541:				; CODE XREF: MiCloneNoChange(x,x)+30j
		or	eax, 1

loc_846544:				; CODE XREF: MiCloneNoChange(x,x)+2Cj
		test	edx, 100h
		jz	short loc_846551
		or	eax, 20000000h

loc_846551:				; CODE XREF: MiCloneNoChange(x,x)+40j
		test	eax, eax
		jnz	short loc_846561

loc_846555:				; CODE XREF: MiCloneNoChange(x,x)+10j
					; MiCloneNoChange(x,x)+17j ...
		mov	ecx, [ecx]

loc_846557:				; CODE XREF: MiCloneNoChange(x,x)+Aj
		test	ecx, ecx
		jnz	short loc_846516

loc_84655B:				; CODE XREF: MiCloneNoChange(x,x)+84j
		xor	eax, eax

loc_84655D:				; CODE XREF: MiCloneNoChange(x,x)+8Bj
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_846561:				; CODE XREF: MiCloneNoChange(x,x)+49j
		mov	ecx, edx
		shr	ecx, 5
		and	ecx, 1
		test	dl, 40h
		jz	short loc_846571
		or	ecx, 4

loc_846571:				; CODE XREF: MiCloneNoChange(x,x)+62j
		mov	edx, [edi+0Ch]
		push	ecx
		push	eax
		mov	eax, [edi+10h]
		mov	ecx, edi
		shl	eax, 0Ch
		or	eax, 0FFFh
		shl	edx, 0Ch
		push	eax
		call	MiAddSecureEntry
		test	eax, eax
		jnz	short loc_84655B
		mov	eax, 0C000009Ah
		jmp	short loc_84655D
_MiCloneNoChange@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiCopyForkedFixupVad(x, x)
_MiCopyForkedFixupVad@8	proc near	; CODE XREF: MiCloneImageVad+50p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [edx+2Ch]
		mov	ecx, [ecx]
		call	_MiBytesForFixupVad@4 ;	MiBytesForFixupVad(x)
		sub	eax, 4Ch
		push	eax		; size_t
		lea	eax, [edx+4Ch]
		push	eax		; void *
		lea	eax, [esi+4Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [esi+58h]
		mov	[esi+54h], eax
		pop	esi
		retn
_MiCopyForkedFixupVad@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiBuildNewCloneDescriptor proc near	; CODE XREF: MiCloneVads+E6p
					; MiCloneProcessAddressSpace+102p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FACA3 SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, edx
		push	ebx
		mov	[ebp+var_10], eax
		shl	eax, 4
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], eax
		lea	esi, [eax+10h]
		mov	[ebp+var_C], edi
		push	esi
		push	edi
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		test	eax, eax
		js	loc_8FACB2
		push	0
		push	40h
		push	30h
		mov	edx, 64436D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_18], ebx
		test	ebx, ebx
		jz	loc_8FACB9
		push	0
		push	112h
		mov	edx, 6C436D4Dh
		mov	ecx, esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	loc_8FACA3
		mov	edi, ecx
		xor	eax, eax
		mov	edx, 68436D4Dh
		stosd
		stosd
		stosd
		stosd
		xor	edi, edi
		push	edi
		push	40h
		push	10h
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_8FACC2
		mov	edi, [ebp+var_8]
		mov	edx, esi
		mov	ecx, edi
		call	MiLockPagedRange
		test	eax, eax
		jz	loc_8FACD7
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_4]
		mov	[eax+8], edi
		mov	[eax], edx
		mov	dword ptr [eax+4], 1
		and	dword ptr [ebx+18h], 0
		mov	[ebx+1Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[ebx+28h], eax
		mov	eax, [ebp+arg_4]
		mov	[ebx+0Ch], edi
		add	edi, 0FFFFFFF0h
		mov	[ebx+2Ch], eax
		add	ecx, edi
		mov	eax, [ebp+var_C]
		add	eax, 358h
		mov	[ebx+10h], ecx
		mov	[ebx+14h], edx
		mov	edi, eax
		mov	[ebx+20h], esi

loc_8466B3:				; CODE XREF: MiBuildNewCloneDescriptor+10Aj
					; MiBuildNewCloneDescriptor+10Fj
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+arg_4], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_8466B3
		cmp	edx, [ebp+arg_4]
		jnz	short loc_8466B3
		mov	eax, [ebp+var_4]
		mov	edi, [ebp+var_C]
		mov	[eax+0Ch], edi
		mov	eax, [ebp+var_18]

loc_8466E1:				; CODE XREF: MiBuildNewCloneDescriptor+B46F0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
MiBuildNewCloneDescriptor endp


;  S U B	R O U T	I N E 


MiLockPagedRange proc near		; CODE XREF: MiInsertNewCombineBlocks(x,x,x)+20p
					; MiBuildNewCloneDescriptor+97p

; FUNCTION CHUNK AT 008FACF0 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		mov	ebx, ecx
		test	edi, edi
		jz	short loc_846711

loc_8466F7:				; CODE XREF: MiLockPagedRange+27j
		lea	ecx, [esi+ebx]
		call	MiLockPagedAddress
		test	eax, eax
		jz	loc_8FACFE
		add	esi, 1000h
		cmp	esi, edi
		jb	short loc_8466F7

loc_846711:				; CODE XREF: MiLockPagedRange+Dj
		xor	eax, eax
		inc	eax

loc_846714:				; CODE XREF: MiLockPagedRange+B461Cj
		pop	edi
		pop	esi
		pop	ebx
		retn
MiLockPagedRange endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInsertChildVads proc near		; CODE XREF: MiAllocateChildVads+1E5p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FAD09 SIZE 000000A7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_24], ecx
		lea	edi, [ebp+var_1C]
		push	6
		pop	ecx
		xor	eax, eax
		mov	esi, edx
		rep stosd
		mov	ecx, [ebp+var_24]
		lea	eax, [ebp+var_1C]
		push	eax
		xor	edx, edx
		xor	ebx, ebx
		call	KiStackAttachProcess

loc_84674C:				; CODE XREF: MiInsertChildVads+CFj
		mov	[ebp+var_20], esi
		test	esi, esi
		jz	loc_8467F1
		lea	edi, [esi+1Ch]
		test	dword ptr [edi], 100000h
		jnz	short loc_846776
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	MiUpControlAreaRefs
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8FADA1

loc_846776:				; CODE XREF: MiInsertChildVads+48j
		mov	ecx, esi
		call	MiCommitPageTableRangesForVad
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8FAD90
		mov	edx, [ebp+var_24]
		push	ecx
		mov	ecx, esi
		call	MiInsertVadCharges
		mov	ecx, [edi]
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8FAD88
		mov	esi, [esi]
		mov	eax, ecx
		and	eax, 0C0000h
		cmp	eax, 40000h
		jz	loc_8FAD09

loc_8467B2:				; CODE XREF: MiInsertChildVads+B4608j
					; MiInsertChildVads+B4613j
		mov	eax, [edi]
		test	eax, 100000h
		jnz	short loc_8467EC
		mov	ecx, [ebp+var_20]
		mov	ecx, [ecx+48h]
		test	ecx, ecx
		jnz	short loc_84680C

loc_8467C5:				; CODE XREF: MiInsertChildVads+FBj
		test	eax, 100000h
		jnz	short loc_8467EC
		mov	edi, [ebp+var_20]
		cmp	dword ptr [edi+44h], 0
		jl	loc_8FAD30

loc_8467D9:				; CODE XREF: MiInsertChildVads+D7j
					; MiInsertChildVads+B466Bj
		mov	ecx, edi
		mov	dword ptr [edi+8], 0FFFFFFFEh
		call	MiGetWsAndInsertVad
		jmp	loc_84674C
; 

loc_8467EC:				; CODE XREF: MiInsertChildVads+A1j
					; MiInsertChildVads+B2j
		mov	edi, [ebp+var_20]
		jmp	short loc_8467D9
; 

loc_8467F1:				; CODE XREF: MiInsertChildVads+39j
					; MiInsertChildVads+B4693j
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_84680C:				; CODE XREF: MiInsertChildVads+ABj
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [edi]
		jmp	short loc_8467C5
MiInsertChildVads endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiUnlockNestedVad(x)
_MiUnlockNestedVad@4 proc near		; CODE XREF: MiDeleteVad(x,x,x)+100Bp
					; MiUpControlAreaRefs+109p ...
		mov	edi, edi
		push	esi
		lea	esi, [ecx+18h]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_846831

loc_846829:				; CODE XREF: MiUnlockNestedVad(x)+22j
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
; 

loc_846831:				; CODE XREF: MiUnlockNestedVad(x)+11j
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_846829
_MiUnlockNestedVad@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiLockNestedVad(x)
_MiLockNestedVad@4 proc	near		; CODE XREF: MiUpControlAreaRefs+71p
					; MiFreeVadRange+10AF73p ...
		add	ecx, 18h
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_MiLockNestedVad@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeCloneDescriptor(x, x)
_MiFreeCloneDescriptor@8 proc near	; CODE XREF: MiCloneVads+79Fp
					; MiCloneVads+98821p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	eax, edx
		mov	[ebp+var_C], ecx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_10], eax
		mov	edi, [eax+1Ch]
		mov	ebx, [eax+20h]
		mov	[ebp+var_8], edi
		mov	ecx, [edi+8]
		mov	[ebp+var_4], ecx
		test	ebx, ebx
		jz	short loc_846883
		mov	edi, ecx

loc_84686E:				; CODE XREF: MiFreeCloneDescriptor(x,x)+3Aj
		lea	ecx, [edi+esi]
		call	_MiUnlockPagedAddress@4	; MiUnlockPagedAddress(x)
		add	esi, 1000h
		cmp	esi, ebx
		jb	short loc_84686E
		mov	edi, [ebp+var_8]

loc_846883:				; CODE XREF: MiFreeCloneDescriptor(x,x)+26j
		push	ebx
		push	[ebp+var_C]
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		mov	ecx, [edi+0Ch]
		call	MiDecrementCloneHeaderCount
		xor	esi, esi
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiFreeCloneDescriptor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExQueryProcessHandleInformation	proc near ; CODE XREF: PAGE:0083DB40p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FADB0 SIZE 0000000C BYTES
; FUNCTION CHUNK AT 008FADDF SIZE 00000025 BYTES

		push	44h
		push	offset dword_6A45A0
		call	__SEH_prolog4_GS
		mov	[ebp+var_38], edx
		mov	[ebp+var_28], ecx
		and	[ebp+var_20], 0
		xor	eax, eax
		lea	edi, [ebp+var_54]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	edi, [edx+8]
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFF8h
		xor	edx, edx
		push	1Ch
		pop	ebx
		div	ebx
		mov	[ebp+var_34], eax
		and	[ebp+var_24], 0
		push	8
		pop	esi
		xor	eax, eax
		mov	[ebp+var_30], eax
		xor	edx, edx

loc_8468F5:				; CODE XREF: ExQueryProcessHandleInformation+E5j
		lea	eax, [ebp+var_20]
		push	eax
		call	_ExpGetNextHandleTableEntry@12 ; ExpGetNextHandleTableEntry(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_84699E
		mov	eax, [ebp+var_34]
		cmp	[ebp+var_24], eax
		jnb	loc_8FADDF
		mov	edx, ebx
		mov	ecx, [ebp+var_28]
		call	_ExLockHandleTableEntry@8 ; ExLockHandleTableEntry(x,x)
		test	al, al
		jz	short loc_846994
		lea	edx, [ebp+var_54]
		mov	ecx, ebx
		call	_ObQueryHandleEntryInformation@8 ; ObQueryHandleEntryInformation(x,x)
		xor	eax, eax
		inc	eax
		lock xadd [ebx], eax
		mov	ecx, [ebp+var_28]
		add	ecx, 20h
		and	[ebp+var_2C], 0
		xor	edx, edx
		lea	eax, [ebp+var_2C]
		lock or	[eax], edx
		cmp	[ecx], edx
		jnz	loc_8FADB0

loc_84694D:				; CODE XREF: ExQueryProcessHandleInformation+B4503j
		add	esi, 1Ch
		mov	[ebp+var_2C], esi
		mov	ecx, [ebp+var_24]
		inc	ecx
		mov	[ebp+var_24], ecx
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+var_20]
		mov	[edi], eax
		mov	eax, [ebp+var_54]
		mov	[edi+4], eax
		mov	eax, [ebp+var_50]
		mov	[edi+8], eax
		mov	eax, [ebp+var_4C]
		mov	[edi+0Ch], eax
		mov	eax, [ebp+var_48]
		mov	[edi+10h], eax
		mov	eax, [ebp+var_44]
		mov	[edi+14h], eax
		and	dword ptr [edi+18h], 0
		mov	eax, [ebp+var_38]
		mov	[eax], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		add	edi, 1Ch

loc_846994:				; CODE XREF: ExQueryProcessHandleInformation+6Cj
					; ExQueryProcessHandleInformation+B4532j ...
		mov	edx, ebx
		mov	ecx, [ebp+var_28]
		jmp	loc_8468F5
; 

loc_84699E:				; CODE XREF: ExQueryProcessHandleInformation+4Ej
		mov	eax, [ebp+var_30]

loc_8469A1:				; CODE XREF: sub_8FADCA+10j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_8469B8
		mov	[ebp+ms_exc.disabled], 1
		mov	[ecx], esi

loc_8469B1:				; CODE XREF: sub_8FAE12+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8469B8:				; CODE XREF: ExQueryProcessHandleInformation+F2j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
ExQueryProcessHandleInformation	endp


;  S U B	R O U T	I N E 


; __stdcall ObQueryHandleEntryInformation(x, x)
_ObQueryHandleEntryInformation@8 proc near ; CODE XREF:	ExQueryProcessHandleInformation+73p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		push	7
		pop	edx
		mov	esi, [edi]
		and	esi, 0FFFFFFF8h
		call	_ExGetHandleAttributes@8 ; ExGetHandleAttributes(x,x)
		movzx	eax, al
		mov	[ebx+10h], eax
		mov	eax, esi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		movzx	eax, byte ptr [eax+14h]
		mov	[ebx+0Ch], eax
		mov	eax, [esi]
		mov	[ebx+4], eax
		mov	eax, [esi+4]
		mov	[ebx], eax
		mov	eax, [edi+4]
		pop	edi
		and	eax, 1FFFFFFh
		pop	esi
		mov	[ebx+8], eax
		pop	ebx
		retn
_ObQueryHandleEntryInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQueryMutant	proc near		; DATA XREF: .text:00580E34o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008FAE1D SIZE 00000011 BYTES
; FUNCTION CHUNK AT 008FAE4E SIZE 0000000B BYTES
; FUNCTION CHUNK AT 008FAE65 SIZE 0000000D BYTES
; FUNCTION CHUNK AT 008FAE76 SIZE 00000024 BYTES

		push	1Ch
		push	offset dword_6A45C8
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], edx
		cmp	[ebp+arg_4], edx
		jz	short loc_846A47
		cmp	[ebp+arg_4], 1
		jnz	loc_8FAE90

loc_846A47:				; CODE XREF: NtQueryMutant+17j
		push	8
		pop	ebx
		mov	ecx, [ebp+arg_C]
		cmp	ecx, ebx
		jnz	loc_8FAE1D
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_C+3],	al
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jz	loc_8FAE4E
		mov	[ebp+ms_exc.disabled], edx
		push	4
		push	ecx
		mov	edi, [ebp+arg_8]
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jz	short loc_846A98
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8FAE27

loc_846A94:				; CODE XREF: NtQueryMutant+B4405j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_846A98:				; CODE XREF: NtQueryMutant+5Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	edx, edx

loc_846AA1:				; CODE XREF: NtQueryMutant+B4430j
		mov	eax, ds:_ExMutantObjectType
		mov	[ebp+var_1C], edx
		push	edx
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+arg_10], eax
		test	eax, eax
		js	short loc_846B05
		cmp	[ebp+arg_4], 0
		jz	short loc_846B1A
		lea	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_1C]
		call	_KeQueryOwnerMutant@8 ;	KeQueryOwnerMutant(x,x)
		cmp	byte ptr [ebp+arg_C+3],	0
		jz	loc_8FAE76
		mov	[ebp+ms_exc.disabled], 2
		mov	eax, [ebp+var_2C]
		mov	[edi], eax
		mov	eax, [ebp+var_28]
		mov	[edi+4], eax

loc_846AF0:				; CODE XREF: NtQueryMutant+131j
		test	esi, esi
		jz	short loc_846AF6
		mov	[esi], ebx

loc_846AF6:				; CODE XREF: NtQueryMutant+CEj
					; sub_8FAE5D+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_846AFD:				; CODE XREF: NtQueryMutant+B445Fj
					; NtQueryMutant+B4467j
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject

loc_846B05:				; CODE XREF: NtQueryMutant+9Dj
		mov	eax, [ebp+arg_10]

loc_846B08:				; CODE XREF: NtQueryMutant+B43FEj
					; sub_8FAE3C+Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_846B1A:				; CODE XREF: NtQueryMutant+A3j
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax+4]
		mov	[ebp+arg_4], ecx
		mov	dl, [eax+1Ch]
		and	dl, 1
		mov	ecx, large fs:124h
		mov	eax, [ebp+var_1C]
		cmp	[eax+18h], ecx
		setz	cl
		cmp	byte ptr [ebp+arg_C+3],	0
		jz	loc_8FAE65
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+arg_4]
		mov	[edi], eax
		mov	[edi+4], cl
		mov	[edi+5], dl
		jmp	short loc_846AF0
NtQueryMutant	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ObpUnlockHandleDatabaseEntry(x, x)
_ObpUnlockHandleDatabaseEntry@8	proc near ; CODE XREF: ObpIncrementHandleCountEx+325p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_OBJECT_HEADER_TO_HANDLE_INFO@4	; OBJECT_HEADER_TO_HANDLE_INFO(x)
		test	byte ptr [esi+0Fh], 40h
		jnz	short loc_846BAE
		mov	eax, [eax]
		xor	ecx, ecx
		mov	edx, [eax]
		add	eax, 4
		test	edx, edx
		jz	short loc_846B99

loc_846B78:				; CODE XREF: ObpUnlockHandleDatabaseEntry(x,x)+2Aj
		cmp	[eax], edi
		jz	short loc_846B86

loc_846B7C:				; CODE XREF: ObpUnlockHandleDatabaseEntry(x,x)+5Dj
		add	eax, 8
		sub	edx, 1
		jnz	short loc_846B78
		jmp	short loc_846B95
; 

loc_846B86:				; CODE XREF: ObpUnlockHandleDatabaseEntry(x,x)+22j
		mov	cl, [eax+7]
		cmp	cl, 0FFh
		jnb	short loc_846BB3
		dec	cl
		mov	[eax+7], cl
		xor	ecx, ecx

loc_846B95:				; CODE XREF: ObpUnlockHandleDatabaseEntry(x,x)+2Cj
		test	ecx, ecx
		jnz	short loc_846BB7

loc_846B99:				; CODE XREF: ObpUnlockHandleDatabaseEntry(x,x)+1Ej
					; ObpUnlockHandleDatabaseEntry(x,x)+59j ...
		cmp	byte ptr [eax+7], 0
		pop	edi
		pop	esi
		jnz	short locret_846BAD
		test	dword ptr [eax+4], 0FFFFFFh
		jnz	short locret_846BAD
		and	dword ptr [eax], 0

locret_846BAD:				; CODE XREF: ObpUnlockHandleDatabaseEntry(x,x)+47j
					; ObpUnlockHandleDatabaseEntry(x,x)+50j
		retn
; 

loc_846BAE:				; CODE XREF: ObpUnlockHandleDatabaseEntry(x,x)+11j
		dec	byte ptr [eax+7]
		jmp	short loc_846B99
; 

loc_846BB3:				; CODE XREF: ObpUnlockHandleDatabaseEntry(x,x)+34j
		mov	ecx, eax
		jmp	short loc_846B7C
; 

loc_846BB7:				; CODE XREF: ObpUnlockHandleDatabaseEntry(x,x)+3Fj
		dec	byte ptr [ecx+7]
		mov	eax, ecx
		jmp	short loc_846B99
_ObpUnlockHandleDatabaseEntry@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEnumerateTraceGuids(x, x, x)
_EtwpEnumerateTraceGuids@12 proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+567p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax]
		mov	edi, ecx
		mov	[ebp+var_4], edx
		xor	esi, esi
		push	24h
		xor	edx, edx
		mov	[ebp+var_8], edi
		pop	ecx
		div	ecx
		mov	ebx, esi
		xor	edx, edx
		mov	[ebp+var_C], eax
		jmp	short loc_846C2F
; 

loc_846BE8:				; CODE XREF: EtwpEnumerateTraceGuids(x,x,x)+7Dj
		inc	ebx
		cmp	ebx, 71C71C7h
		ja	loc_846CC5
		cmp	ebx, [ebp+var_C]
		ja	short loc_846C2D
		mov	edx, [ebp+var_4]
		lea	esi, [ecx+14h]
		mov	edi, edx
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ecx+30h]
		mov	edi, [ebp+var_8]
		mov	[edx+1Ch], eax
		movzx	eax, word ptr [ecx+38h]
		mov	[edx+14h], eax
		movzx	eax, byte ptr [ecx+3Ah]
		mov	[edx+18h], eax
		mov	al, [ecx+3Bh]
		and	al, 1
		mov	[edx+20h], al
		add	edx, 24h
		mov	[ebp+var_4], edx
		xor	esi, esi

loc_846C2D:				; CODE XREF: EtwpEnumerateTraceGuids(x,x,x)+3Aj
		mov	edx, ecx

loc_846C2F:				; CODE XREF: EtwpEnumerateTraceGuids(x,x,x)+28j
		push	esi
		mov	ecx, edi
		call	_EtwpGetNextGuidEntry@12 ; EtwpGetNextGuidEntry(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_846BE8
		cmp	edi, ds:_EtwpHostSiloState
		jnz	short loc_846C4C
		mov	eax, 7FFE0380h
		jmp	short loc_846C5A
; 

loc_846C4C:				; CODE XREF: EtwpEnumerateTraceGuids(x,x,x)+85j
		mov	eax, [edi+4]
		mov	eax, [eax+28Ch]
		add	eax, 226h

loc_846C5A:				; CODE XREF: EtwpEnumerateTraceGuids(x,x,x)+8Cj
		mov	edi, [ebp+var_4]
		mov	edx, esi
		add	edi, 1Ch
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], edi
		xor	ecx, ecx

loc_846C6A:				; CODE XREF: EtwpEnumerateTraceGuids(x,x,x)+103j
		movzx	esi, ds:byte_A41114[edx]
		mov	[ebp+var_10], esi
		cmp	[eax+esi*2], cl
		jz	short loc_846CBB
		inc	ebx
		cmp	ebx, 71C71C7h
		ja	short loc_846CC5
		cmp	ebx, [ebp+var_C]
		ja	short loc_846CBB
		mov	esi, ds:_EtwpUmglProviders[edx]
		add	edi, 0FFFFFFE4h
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_4]
		mov	esi, [ebp+var_10]
		movzx	eax, byte ptr [eax+esi*2]
		mov	[edi-8], eax
		mov	eax, [ebp+var_8]
		movzx	eax, byte ptr [eax+esi*2+1]
		mov	[edi], eax
		mov	eax, [ebp+var_8]
		mov	[edi-4], ecx
		mov	byte ptr [edi+4], 1
		add	edi, 24h
		mov	[ebp+var_4], edi

loc_846CBB:				; CODE XREF: EtwpEnumerateTraceGuids(x,x,x)+B9j
					; EtwpEnumerateTraceGuids(x,x,x)+C7j
		add	edx, 8
		cmp	edx, 50h
		jb	short loc_846C6A
		jmp	short loc_846CCA
; 

loc_846CC5:				; CODE XREF: EtwpEnumerateTraceGuids(x,x,x)+31j
					; EtwpEnumerateTraceGuids(x,x,x)+C2j
		mov	ecx, 80000005h

loc_846CCA:				; CODE XREF: EtwpEnumerateTraceGuids(x,x,x)+105j
		mov	edx, [ebp+arg_0]
		imul	eax, ebx, 24h
		mov	[edx], eax
		test	ecx, ecx
		js	short loc_846CE0
		cmp	ebx, [ebp+var_C]
		jbe	short loc_846CE0
		mov	ecx, 0C0000023h

loc_846CE0:				; CODE XREF: EtwpEnumerateTraceGuids(x,x,x)+116j
					; EtwpEnumerateTraceGuids(x,x,x)+11Bj
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	4
_EtwpEnumerateTraceGuids@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPnpRtlServiceFilterCallback proc near	; DATA XREF: PiPnpRtlGetFilteredDeviceList+ECo

var_88		= dword	ptr -88h
var_82		= byte ptr -82h
var_81		= byte ptr -81h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_C		= word ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008FAE9A SIZE 00000084 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+8Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[esp+98h+var_80], eax
		xor	eax, eax
		push	4Eh		; size_t
		push	eax		; int
		mov	[esp+0A0h+var_5C], eax
		lea	eax, [esp+0A0h+var_58]
		push	eax		; void *
		mov	[esp+0A4h+var_78], edi
		call	_memset
		xor	ecx, ecx
		add	esp, 0Ch
		mov	bl, cl
		mov	[esp+98h+var_74], ecx
		mov	[esp+98h+var_6C], ecx
		mov	[esp+98h+var_64], ecx
		mov	[esp+98h+var_60], ecx
		mov	[esp+98h+var_81], cl
		mov	[esp+98h+var_88], ecx
		mov	[esp+98h+var_70], ecx
		cmp	[esi+4], cl
		jnz	loc_8FAE9A
		mov	edi, [esp+98h+var_80]

loc_846D5D:				; CODE XREF: PiPnpRtlServiceFilterCallback+B41D6j
		mov	eax, [esi]
		test	eax, eax
		jz	loc_8FAF17
		push	2
		pop	edx
		cmp	[eax], dx
		jb	loc_8FAF17
		mov	eax, [eax+4]
		cmp	[eax], cx
		jz	loc_8FAF17
		mov	edi, [esi+8]

loc_846D82:				; CODE XREF: PiPnpRtlServiceFilterCallback+330j
		mov	eax, [esi+0Ch]
		mov	edx, [esp+98h+var_78]
		push	ecx
		mov	[esp+9Ch+var_88], eax
		lea	eax, [esp+9Ch+var_88]
		push	eax
		push	edi
		lea	eax, [esp+0A4h+var_74]
		push	eax
		push	5
		push	ecx
		mov	ecx, [esp+0B0h+var_80]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		push	2
		pop	edx
		test	eax, eax
		jnz	short loc_846DB2
		cmp	[esp+98h+var_88], edx
		jb	short loc_846DFA

loc_846DB2:				; CODE XREF: PiPnpRtlServiceFilterCallback+C0j
		cmp	eax, 0C0000023h
		jz	loc_846FDF

loc_846DBD:				; CODE XREF: PiPnpRtlServiceFilterCallback+B41EEj
		test	eax, eax
		jnz	short loc_846DF7
		mov	ecx, [esi+0Ch]
		xor	edx, edx
		mov	eax, [esi+8]
		shr	ecx, 1
		mov	[eax+ecx*2-2], dx
		lea	eax, [esp+98h+var_64]
		push	dword ptr [esi+8]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_846DF7
		push	1
		lea	eax, [esp+9Ch+var_64]
		push	eax
		push	dword ptr [esi]
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_8FAEDD

loc_846DF7:				; CODE XREF: PiPnpRtlServiceFilterCallback+D5j
					; PiPnpRtlServiceFilterCallback+F5j
		push	2
		pop	edx

loc_846DFA:				; CODE XREF: PiPnpRtlServiceFilterCallback+C6j
					; PiPnpRtlServiceFilterCallback+2F9j
		mov	edi, offset dword_4045C4
		xor	ecx, ecx
		mov	[esp+98h+var_7C], edi
		mov	[esp+98h+var_68], ecx

loc_846E09:				; CODE XREF: PiPnpRtlServiceFilterCallback+1F0j
		cmp	[edi], edx
		jnz	short loc_846E65
		cmp	word ptr [esp+98h+var_58], 0
		jnz	short loc_846E65
		mov	edx, [esp+98h+var_78]
		lea	eax, [esp+98h+var_88]
		push	ecx
		push	eax
		lea	eax, [esp+0A0h+var_58]
		mov	[esp+0A0h+var_88], 4Eh
		push	eax
		lea	eax, [esp+0A4h+var_74]
		push	eax
		push	9
		push	ecx
		mov	ecx, [esp+0B0h+var_80]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_846EE0
		cmp	[esp+98h+var_74], 1
		jnz	loc_846EE0
		cmp	[esp+98h+var_88], 2
		jb	loc_846EE0
		xor	eax, eax
		mov	[esp+98h+var_C], ax

loc_846E65:				; CODE XREF: PiPnpRtlServiceFilterCallback+121j
					; PiPnpRtlServiceFilterCallback+129j ...
		mov	ecx, [edi]
		mov	eax, [esi+0Ch]
		mov	edx, [esp+98h+var_78]
		mov	[esp+98h+var_88], eax
		cmp	ecx, 1
		jz	short loc_846E7B
		lea	edx, [esp+98h+var_58]

loc_846E7B:				; CODE XREF: PiPnpRtlServiceFilterCallback+18Bj
		xor	edi, edi
		push	edi
		lea	edi, [esp+9Ch+var_70]
		push	edi
		mov	edi, [esp+0A0h+var_7C]
		push	eax
		push	dword ptr [esi+8]
		lea	eax, [esp+0A8h+var_6C]
		push	eax
		push	dword ptr [edi-4]
		xor	eax, eax
		push	eax
		push	eax
		push	ecx
		mov	ecx, [esp+0BCh+var_80]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [esp+98h+var_70]
		mov	[esp+98h+var_88], ecx
		push	2
		pop	edx
		test	eax, eax
		jz	short loc_846F05

loc_846EB0:				; CODE XREF: PiPnpRtlServiceFilterCallback+21Dj
		cmp	eax, 0C0000023h
		jz	loc_846F9D

loc_846EBB:				; CODE XREF: PiPnpRtlServiceFilterCallback+B4221j
		test	eax, eax
		jns	short loc_846F0B

loc_846EBF:				; CODE XREF: PiPnpRtlServiceFilterCallback+229j
					; PiPnpRtlServiceFilterCallback+2AEj
		push	2
		pop	edx

loc_846EC2:				; CODE XREF: PiPnpRtlServiceFilterCallback+21Fj
					; PiPnpRtlServiceFilterCallback+2B5j
		mov	eax, [esp+98h+var_68]
		add	edi, 8
		add	eax, 8
		mov	[esp+98h+var_7C], edi
		mov	[esp+98h+var_68], eax
		push	0
		pop	ecx
		cmp	eax, 20h
		jb	loc_846E09

loc_846EE0:				; CODE XREF: PiPnpRtlServiceFilterCallback+155j
					; PiPnpRtlServiceFilterCallback+160j ...
		mov	edi, [esp+98h+var_80]

loc_846EE4:				; CODE XREF: PiPnpRtlServiceFilterCallback+B422Fj
		test	bl, bl
		jnz	loc_8FAEE3

loc_846EEC:				; CODE XREF: PiPnpRtlServiceFilterCallback+B41C4j
					; PiPnpRtlServiceFilterCallback+B41CEj	...
		mov	ecx, [esp+98h+var_4]
		mov	al, bl
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_846F05:				; CODE XREF: PiPnpRtlServiceFilterCallback+1C4j
		cmp	ecx, edx
		jnb	short loc_846EB0
		jmp	short loc_846EC2
; 

loc_846F0B:				; CODE XREF: PiPnpRtlServiceFilterCallback+1D3j
		cmp	[esp+98h+var_6C], 2012h
		jnz	short loc_846EBF
		mov	ecx, [esi+0Ch]
		cmp	ecx, 2
		jbe	short loc_846F2C
		mov	eax, [esi+8]
		shr	ecx, 1
		xor	edx, edx
		mov	[eax+ecx*2-2], dx
		mov	ecx, [esi+0Ch]

loc_846F2C:				; CODE XREF: PiPnpRtlServiceFilterCallback+231j
		cmp	ecx, 4
		jbe	short loc_846F3D
		mov	eax, [esi+8]
		shr	ecx, 1
		xor	edx, edx
		mov	[eax+ecx*2-4], dx

loc_846F3D:				; CODE XREF: PiPnpRtlServiceFilterCallback+245j
		mov	edi, [esi+8]
		jmp	short loc_846F59
; 

loc_846F42:				; CODE XREF: PiPnpRtlServiceFilterCallback+263j
					; PiPnpRtlServiceFilterCallback+2A0j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+98h+var_5C]
		jnz	short loc_846F42
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2

loc_846F59:				; CODE XREF: PiPnpRtlServiceFilterCallback+256j
		xor	eax, eax
		cmp	[edi], ax
		jz	short loc_846F8C
		push	edi
		lea	eax, [esp+9Ch+var_64]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_846F85
		push	1
		lea	eax, [esp+9Ch+var_64]
		push	eax
		push	dword ptr [esi]
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_8FAF10

loc_846F85:				; CODE XREF: PiPnpRtlServiceFilterCallback+283j
		mov	ecx, edi
		lea	edx, [ecx+2]
		jmp	short loc_846F42
; 

loc_846F8C:				; CODE XREF: PiPnpRtlServiceFilterCallback+274j
					; PiPnpRtlServiceFilterCallback+B4228j
		test	bl, bl
		jnz	loc_8FAEDF
		mov	edi, [esp+98h+var_7C]
		jmp	loc_846EBF
; 

loc_846F9D:				; CODE XREF: PiPnpRtlServiceFilterCallback+1CBj
		cmp	ecx, edx
		jb	loc_846EC2
		push	47706E50h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8FAF02
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_846FCC
		xor	eax, eax
		push	eax
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_846FCC:				; CODE XREF: PiPnpRtlServiceFilterCallback+2D7j
		mov	eax, [esp+98h+var_88]
		mov	[esi+8], edi
		mov	edi, [esp+98h+var_7C]
		mov	[esi+0Ch], eax
		jmp	loc_846E65
; 

loc_846FDF:				; CODE XREF: PiPnpRtlServiceFilterCallback+CDj
		cmp	[esp+98h+var_88], edx
		jb	loc_846DFA
		push	47706E50h
		push	[esp+9Ch+var_88]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8FAED3
		mov	eax, [esi+8]
		test	eax, eax
		jnz	loc_8FAEC5

loc_84700E:				; CODE XREF: PiPnpRtlServiceFilterCallback+B41E4j
		mov	eax, [esp+98h+var_88]
		xor	ecx, ecx
		mov	[esi+0Ch], eax
		mov	[esi+8], edi
		jmp	loc_846D82
PiPnpRtlServiceFilterCallback endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQuerySemaphore proc near		; DATA XREF: .text:00580E08o

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008FAF1E SIZE 0000000F BYTES
; FUNCTION CHUNK AT 008FAF4D SIZE 0000001F BYTES
; FUNCTION CHUNK AT 008FAF78 SIZE 0000001B BYTES

		push	18h
		push	offset dword_6A4600
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_28], al
		test	al, al
		jz	loc_8FAF4D
		and	[ebp+ms_exc.disabled], 0
		mov	ebx, [ebp+arg_8]
		test	bl, 3
		jnz	loc_847116
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8FAF1E

loc_847063:				; CODE XREF: NtQuerySemaphore+B3F01j
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+4]
		mov	[ebx+4], al
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jz	short loc_847087
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_8FAF26

loc_847083:				; CODE XREF: NtQuerySemaphore+B3F08j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_847087:				; CODE XREF: NtQuerySemaphore+52j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_84708E:				; CODE XREF: NtQuerySemaphore+B3F33j
		cmp	[ebp+arg_4], 0
		jnz	loc_8FAF58
		cmp	[ebp+arg_C], 8
		jnz	loc_8FAF62
		mov	eax, ds:_ExSemaphoreObjectType
		and	[ebp+var_20], 0
		push	0
		lea	ecx, [ebp+var_20]
		push	ecx
		push	[ebp+var_28]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+arg_8], eax
		test	eax, eax
		js	short loc_847101
		mov	ecx, [ebp+var_20]
		mov	edi, [ecx+4]
		mov	eax, [ecx+10h]
		mov	[ebp+arg_10], eax
		call	ObfDereferenceObject
		cmp	[ebp+var_19], 0
		jz	loc_8FAF78
		mov	[ebp+ms_exc.disabled], 1
		mov	[ebx], edi
		mov	eax, [ebp+arg_10]
		mov	[ebx+4], eax
		test	esi, esi
		jz	short loc_8470FA
		mov	dword ptr [esi], 8

loc_8470FA:				; CODE XREF: NtQuerySemaphore+D2j
					; sub_8FAF70+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_847101:				; CODE XREF: NtQuerySemaphore+A4j
					; NtQuerySemaphore+B3F62j ...
		mov	eax, [ebp+arg_8]

loc_847104:				; CODE XREF: sub_8FAF3B+Dj
					; NtQuerySemaphore+B3F3Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_847116:				; CODE XREF: NtQuerySemaphore+30j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger

; __stdcall NtSuspendProcess(x)
_NtSuspendProcess@4:			; DATA XREF: .text:00580C28o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		and	[ebp+ms_exc.disabled], 0
		push	esi
		push	edi
		mov	al, [eax+15Ah]
		mov	edi, 75537350h
		push	0
		mov	byte ptr [ebp+ms_exc.msEH_ptr],	al
		lea	eax, [ebp+ms_exc.disabled]
		push	eax
		push	edi
		push	[ebp+ms_exc.msEH_ptr]
		push	ds:_PsProcessType
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_847174
		push	[ebp+ms_exc.disabled]
		call	PsSuspendProcess
		mov	ecx, [ebp+ms_exc.disabled]
		mov	edx, edi
		mov	esi, eax
		call	ObfDereferenceObjectWithTag

loc_847174:				; CODE XREF: NtQuerySemaphore+13Ej
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
NtQuerySemaphore endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1920. PsSuspendProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsSuspendProcess
PsSuspendProcess proc near		; CODE XREF: NtQuerySemaphore+143p
					; PspFreezeProcessWorker(x,x)+51p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FAF93 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		dec	word ptr [ebx+13Ch]
		nop
		mov	edi, [ebp+arg_0]
		lea	ecx, [edi+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		cmp	al, 1
		jnz	short loc_8471FA
		push	0

loc_8471AD:				; CODE XREF: PsSuspendProcess+49j
		push	edi
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8471CD
		test	dword ptr [esi+58h], 200000h
		jnz	short loc_8471CA
		push	0
		push	esi
		call	PsSuspendThread

loc_8471CA:				; CODE XREF: PsSuspendProcess+3Ej
		push	esi
		jmp	short loc_8471AD
; 

loc_8471CD:				; CODE XREF: PsSuspendProcess+35j
		lea	ecx, [edi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		xor	esi, esi

loc_8471DA:				; CODE XREF: PsSuspendProcess+7Dj
		test	dword ptr [edi+3A8h], 80000h
		jnz	loc_8FAF93

loc_8471EA:				; CODE XREF: PsSuspendProcess+B3E1Dj
		mov	ecx, ebx
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_8471FA:				; CODE XREF: PsSuspendProcess+27j
		mov	esi, 0C000010Ah
		jmp	short loc_8471DA
PsSuspendProcess endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmProcessQueryStoreStats proc near	; CODE XREF: PfpPrivSourceEnum(x,x,x)+51Bp
					; EtwpLogMemInfoWs(x,x)+23Ep

var_60C		= dword	ptr -60Ch
var_608		= dword	ptr -608h
var_5FC		= dword	ptr -5FCh
var_5E8		= dword	ptr -5E8h
var_5DC		= dword	ptr -5DCh
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FAFA4 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 60Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+60Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	600h		; size_t
		mov	[esp+61Ch+var_60C], eax
		xor	edi, edi
		lea	eax, [esp+61Ch+var_608]
		mov	ebx, edx
		push	edi		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		lea	edx, [esp+618h+var_608]
		mov	ecx, esi
		call	_SmpProcessQueryStoreStats@8 ; SmpProcessQueryStoreStats(x,x)
		mov	edx, eax
		test	edx, edx
		jns	short loc_84726B

loc_847252:				; CODE XREF: SmProcessQueryStoreStats+86j
					; SmProcessQueryStoreStats+B3DABj
		mov	ecx, [esp+618h+var_4]
		mov	eax, edx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_84726B:				; CODE XREF: SmProcessQueryStoreStats+4Ej
		test	ebx, ebx
		jz	short loc_847282
		mov	[ebx], edi

loc_847271:				; CODE XREF: SmProcessQueryStoreStats+7Ej
		mov	eax, [esp+edi*8+618h+var_5DC]
		imul	eax, [esp+618h+var_5FC]
		add	[ebx], eax
		inc	edi
		cmp	edi, 8
		jb	short loc_847271

loc_847282:				; CODE XREF: SmProcessQueryStoreStats+6Bj
		mov	ecx, [esp+618h+var_60C]
		test	ecx, ecx
		jz	short loc_847252
		jmp	loc_8FAFA4
SmProcessQueryStoreStats endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpDeprioritizeOldPagesInWs proc near	; CODE XREF: PfSetSuperfetchInformation+14Ep

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008FAFB2 SIZE 00000014 BYTES

		push	24h
		push	offset dword_6A4628
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	esi, ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		push	0Ch
		pop	eax
		cmp	[esi+10h], eax
		jnz	loc_8FAFB2
		mov	[ebp+ms_exc.disabled], ebx
		test	dl, dl
		jz	short loc_8472E6
		mov	ecx, [esi+0Ch]
		test	cl, 3
		jnz	loc_84739C
		lea	edi, [ecx+0Ch]
		mov	edx, ds:_MmUserProbeAddress
		cmp	edi, edx
		ja	loc_8FAFBC
		cmp	edi, ecx
		jb	loc_8FAFBC

loc_8472E6:				; CODE XREF: PfpDeprioritizeOldPagesInWs+2Fj
					; PfpDeprioritizeOldPagesInWs+B3D31j
		push	eax		; size_t
		push	dword ptr [esi+0Ch] ; void *
		lea	eax, [ebp+var_34]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_34], 3
		jnz	loc_8473A1
		mov	edi, [ebp+var_2C]
		test	edi, 0FFFFFFC0h
		jnz	loc_8473A1
		mov	eax, edi
		and	eax, 0Fh
		mov	[ebp+var_24], eax
		cmp	eax, 8
		ja	short loc_8473A1
		shr	edi, 4
		and	edi, 3
		cmp	edi, 3
		jnb	short loc_8473A1
		cmp	eax, 8
		jnz	short loc_847337
		test	edi, edi
		jz	short loc_8473A1

loc_847337:				; CODE XREF: PfpDeprioritizeOldPagesInWs+A1j
		push	ebx
		lea	eax, [ebp+var_1C]
		push	eax
		push	73576650h
		push	[ebp+var_20]
		push	ds:_PsProcessType
		push	2000h
		push	[ebp+var_30]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_847379
		test	edi, edi
		jz	short loc_84736B
		xor	ebx, ebx
		inc	ebx
		cmp	edi, ebx
		jnz	short loc_84736B
		push	3
		pop	ebx

loc_84736B:				; CODE XREF: PfpDeprioritizeOldPagesInWs+CFj
					; PfpDeprioritizeOldPagesInWs+D6j
		push	ebx
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_1C]
		call	MmUpdateOldWorkingSetPages
		mov	esi, eax

loc_847379:				; CODE XREF: PfpDeprioritizeOldPagesInWs+CBj
					; PfpDeprioritizeOldPagesInWs+116j ...
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jz	short loc_84738A
		mov	edx, 73576650h
		call	ObfDereferenceObjectWithTag

loc_84738A:				; CODE XREF: PfpDeprioritizeOldPagesInWs+EEj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84739C:				; CODE XREF: PfpDeprioritizeOldPagesInWs+37j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_8473A1:				; CODE XREF: PfpDeprioritizeOldPagesInWs+71j
					; PfpDeprioritizeOldPagesInWs+80j ...
		mov	esi, 0C000000Dh
		jmp	short loc_847379
PfpDeprioritizeOldPagesInWs endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DbgkpSendErrorMessage proc near		; CODE XREF: DbgkForwardException+159p

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_79		= byte ptr -79h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_68		= dword	ptr -68h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FAFE6 SIZE 000000F1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	6Ch		; size_t
		mov	[ebp+var_8C], eax
		xor	ebx, ebx
		lea	eax, [ebp+var_78]
		mov	[ebp+var_A4], ecx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		mov	[ebp+var_88], ebx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_9C], ebx
		mov	edi, [eax+150h]
		push	edi
		mov	[ebp+var_79], bl
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], edi
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		mov	ebx, eax
		mov	ecx, ebx
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		test	byte ptr [edi+3A8h], 1
		lea	esi, [eax+238h]
		mov	[ebp+var_A8], esi
		jnz	loc_8FAFE6
		lea	eax, [ebp+var_78]
		push	eax
		push	1
		push	dword ptr [edi+15Ch]
		call	_MmGetSectionInformation@12 ; MmGetSectionInformation(x,x,x)
		push	ebx
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		mov	ecx, edi
		mov	edx, eax
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		cmp	eax, edx
		jz	short loc_847464
		cmp	[ebp+var_68], 1
		jz	short loc_847464
		call	DbgkpSuspendProcess
		mov	[ebp+var_79], al

loc_847464:				; CODE XREF: DbgkpSendErrorMessage+ACj
					; DbgkpSendErrorMessage+B2j
		call	_DbgkpStartSystemErrorHandler@0	; DbgkpStartSystemErrorHandler()
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8476A3
		mov	eax, ds:_DbgkErrorPortStartTimeout
		cmp	eax, 0FFFFFFFFh
		jnz	loc_8FAFF0
		xor	eax, eax

loc_847483:				; CODE XREF: DbgkpSendErrorMessage+B3C61j
		push	eax
		push	0
		push	1
		push	0
		push	dword ptr [esi+0Ch]
		call	KeWaitForSingleObject
		cmp	eax, 102h
		jz	loc_8FB0CD
		cmp	dword ptr [esi+4], 0
		jz	loc_8FB0CD
		cmp	eax, 101h
		jz	loc_8FB0C3
		cmp	eax, 0C0h
		jz	loc_8FB0C3
		mov	eax, [ebp+var_84]
		xor	ebx, ebx
		and	[ebp+var_94], ebx
		xor	edi, edi
		mov	[ebp+var_90], edi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+8]
		mov	edi, [ebp+var_80]
		cmp	edi, eax
		jz	loc_8FB00E
		mov	edi, [esi+4]
		mov	[ebp+var_90], edi
		test	edi, edi
		jz	loc_8FB018
		mov	edx, 50676244h
		mov	[ebp+var_94], eax
		mov	ecx, eax
		call	ObfReferenceObjectWithTag
		lock inc dword ptr [edi]

loc_847518:				; CODE XREF: DbgkpSendErrorMessage+B3C75j
		mov	edi, [ebp+var_80]

loc_84751B:				; CODE XREF: DbgkpSendErrorMessage+B3C6Bj
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jnz	loc_8476CA

loc_84752D:				; CODE XREF: DbgkpSendErrorMessage+329j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_84]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		test	ebx, ebx
		js	loc_8476A3
		mov	eax, [ebp+var_8C]
		xor	ecx, ecx
		mov	edx, [ebp+var_A4]
		mov	[eax+8], ecx
		lea	esi, [eax+20h]
		mov	[eax+0Ch], ecx
		mov	[eax+10h], ecx
		mov	[eax+14h], ecx
		mov	ecx, 0FFFF8007h
		mov	dword ptr [eax+4], 8
		mov	[eax+4], cx
		mov	ecx, esi	; void *
		mov	dword ptr [eax], offset	dword_A4008C
		mov	dword ptr [eax+18h], 7
		mov	dword ptr [eax+1Ch], 80010001h
		mov	[ebp+var_9C], esi
		call	_KeCopyExceptionRecord@8 ; KeCopyExceptionRecord(x,x)
		push	0Ch
		lea	edi, [esi+50h]
		pop	ecx
		lea	esi, [ebp+var_78]
		rep movsd
		mov	esi, [ebp+var_9C]
		mov	edi, [ebp+var_80]
		push	edi
		and	dword ptr [esi+80h], 0
		call	_PsIsProtectedProcess@4	; PsIsProtectedProcess(x)
		test	eax, eax
		jnz	loc_8FB022

loc_8475BE:				; CODE XREF: DbgkpSendErrorMessage+B3C84j
		mov	edx, [ebp+var_94]
		mov	cl, 1
		push	edi
		call	_PsTestProtectedProcessIncompatibility@12 ; PsTestProtectedProcessIncompatibility(x,x,x)
		movzx	esi, al
		lea	eax, [ebp+var_88]
		push	eax
		neg	esi
		lea	eax, [ebp+var_78]
		push	6Ch
		sbb	esi, esi
		push	eax
		and	esi, 0FFF01C01h
		push	10000000h
		add	esi, 1FFFFFh
		call	_AlpcInitializeMessageAttribute@16 ; AlpcInitializeMessageAttribute(x,x,x,x)
		mov	eax, 10000000h
		push	eax
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_78]
		push	eax
		call	_AlpcGetMessageAttribute@8 ; AlpcGetMessageAttribute(x,x)
		push	0
		and	dword ptr [eax], 0
		mov	[eax+0Ch], esi
		mov	dword ptr [eax+8], 4
		mov	dword ptr [eax+4], 0FFFFFFFEh
		mov	[ebp+var_88], 0A8h
		call	KeTestAlertThread
		mov	ecx, [ebp+var_84]
		mov	eax, [ecx+2FCh]
		test	al, 1
		jnz	loc_8FB031

loc_847641:				; CODE XREF: DbgkpSendErrorMessage+B3C8Ej
		mov	esi, [ebp+var_90]
		test	ebx, ebx
		js	loc_8FB0A6
		push	0
		push	0
		lea	eax, [ebp+var_88]
		push	eax
		mov	eax, [ebp+var_8C]
		lea	ecx, [ebp+var_78]
		push	eax
		push	ecx
		push	eax
		push	220000h
		push	dword ptr [esi+8]
		call	_ZwAlpcSendWaitReceivePort@32 ;	ZwAlpcSendWaitReceivePort(x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8FB0A0
		cmp	ebx, 101h
		jnz	short loc_8476D6
		mov	ebx, 0C000004Bh

loc_84768A:				; CODE XREF: DbgkpSendErrorMessage+348j
					; DbgkpSendErrorMessage+B3CB3j	...
		mov	ecx, [ebp+var_94]
		mov	edx, 50676244h
		call	ObfDereferenceObjectWithTag
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		jz	short loc_8476F7

loc_8476A3:				; CODE XREF: DbgkpSendErrorMessage+C5j
					; DbgkpSendErrorMessage+199j ...
		cmp	[ebp+var_79], 0
		jz	short loc_8476B7
		xor	dl, dl
		mov	ecx, edi
		call	PsThawProcess
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_8476B7:				; CODE XREF: DbgkpSendErrorMessage+2FFj
					; DbgkpSendErrorMessage+B3C43j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_8476CA:				; CODE XREF: DbgkpSendErrorMessage+17Fj
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	loc_84752D
; 

loc_8476D6:				; CODE XREF: DbgkpSendErrorMessage+2DBj
		mov	ebx, [ebp+var_8C]
		mov	eax, 2000h
		test	[ebx+4], ax
		jnz	loc_8FB03B

loc_8476EB:				; CODE XREF: DbgkpSendErrorMessage+B3CA8j
		mov	ebx, [ebx+1Ch]
		test	ebx, ebx
		js	short loc_84768A
		jmp	loc_8FB055
; 

loc_8476F7:				; CODE XREF: DbgkpSendErrorMessage+2F9j
		mov	ecx, esi
		call	@DbgkpDeleteErrorPort@4	; DbgkpDeleteErrorPort(x)
		jmp	short loc_8476A3
DbgkpSendErrorMessage endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpStartSystemErrorHandler()
_DbgkpStartSystemErrorHandler@0	proc near ; CODE XREF: DbgkpSendErrorMessage:loc_847464p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	4
		xor	ebx, ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	ebx
		push	1
		mov	edi, offset _WNF_WER_SERVICE_START
		mov	[ebp+var_20], ebx
		push	edi
		mov	[ebp+var_1C], ebx
		mov	esi, ebx
		mov	[ebp+var_24], ebx
		call	_ZwQueryWnfStateNameInformation@20 ; ZwQueryWnfStateNameInformation(x,x,x,x,x)
		test	eax, eax
		js	short loc_847750
		cmp	[ebp+var_24], ebx
		jz	short loc_847750
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	edi
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_847750
		inc	esi

loc_847750:				; CODE XREF: DbgkpStartSystemErrorHandler()+38j
					; DbgkpStartSystemErrorHandler()+3Dj ...
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edx, offset loc_405BA8 ; void *
		mov	ecx, [eax+1F0h]	; int
		lea	eax, [ebp+var_20]
		push	eax		; int
		push	dword ptr [ebp+4] ; int
		push	ebx		; int
		push	ebx		; int
		push	3		; int
		call	EtwpRegisterProvider
		test	eax, eax
		js	short loc_8477B2
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_1C]
		push	[ebp+var_20]
		call	EtwEventEnabled
		test	al, al
		jz	short loc_8477A7
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_1C]
		push	[ebp+var_20]
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8477A7
		inc	esi

loc_8477A7:				; CODE XREF: DbgkpStartSystemErrorHandler()+8Ej
					; DbgkpStartSystemErrorHandler()+A4j
		push	[ebp+var_1C]
		push	[ebp+var_20]
		call	EtwUnregister

loc_8477B2:				; CODE XREF: DbgkpStartSystemErrorHandler()+72j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		cmp	eax, esi
		pop	edi
		sbb	eax, eax
		xor	ecx, ebp
		and	eax, 3FFFFF80h
		pop	esi
		add	eax, 0C0000080h
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_DbgkpStartSystemErrorHandler@0	endp

; 
		align 2

;  S U B	R O U T	I N E 


DbgkpSuspendProcess proc near		; CODE XREF: DbgkpSendErrorMessage+B4p
					; DbgkpSendApiMessageLpc+B367Fp ...

; FUNCTION CHUNK AT 008FB0D7 SIZE 0000000B BYTES

		mov	edi, edi
		push	esi
		mov	esi, large fs:124h
		dec	word ptr [esi+13Ch]
		nop
		xor	dl, dl
		call	PsFreezeProcess
		test	al, al
		jz	loc_8FB0D7
		mov	al, 1
		pop	esi
		retn
DbgkpSuspendProcess endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1908. PsSetProcessFaultInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsSetProcessFaultInformation
PsSetProcessFaultInformation proc near	; CODE XREF: PAGE:007AA34Fp
					; DbgkForwardException+C6p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FB0E2 SIZE 000000B8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		test	byte ptr [esi],	1
		jz	short loc_847829
		push	4
		pop	edi
		lea	edx, [ebx+3A8h]
		mov	eax, [edx]

loc_84781B:				; CODE XREF: PsSetProcessFaultInformation+27j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_84781B
		test	al, 4
		jz	short loc_847867

loc_847829:				; CODE XREF: PsSetProcessFaultInformation+12j
					; PsSetProcessFaultInformation+AEj
		mov	eax, [esi]
		or	esi, 0FFFFFFFFh
		test	al, 2
		jnz	loc_8FB0E2
		lea	edi, [ebx+0E0h]

loc_84783C:				; CODE XREF: PsSetProcessFaultInformation+B397Dj
		test	al, 4
		jnz	short loc_8478AF
		mov	esi, [ebp+arg_4]

loc_847843:				; CODE XREF: PsSetProcessFaultInformation+111j
		test	al, 8
		jnz	loc_847912

loc_84784B:				; CODE XREF: PsSetProcessFaultInformation+15Aj
		mov	ecx, ds:_PspHwTraceExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jnz	loc_8FB17E

loc_84785E:				; CODE XREF: PsSetProcessFaultInformation+B3999j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	8
; 

loc_847867:				; CODE XREF: PsSetProcessFaultInformation+2Bj
		mov	eax, dword_6B2AE8
		cmp	eax, ds:0FFDF037Ch
		jnb	short loc_84789A
		cmp	dword_6B2AE4, 0
		jnz	short loc_847890
		mov	ecx, off_6B2AE0
		lea	edx, [ebp+arg_0]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B2AE4, eax

loc_847890:				; CODE XREF: PsSetProcessFaultInformation+7Fj
		push	offset off_6B2AE0
		call	_EtwTelemetryCoverageReport@4 ;	EtwTelemetryCoverageReport(x)

loc_84789A:				; CODE XREF: PsSetProcessFaultInformation+76j
		mov	ecx, ebx
		call	_PspRecordCrashedProcessIntoBlackbox@4 ; PspRecordCrashedProcessIntoBlackbox(x)
		mov	edx, edi
		mov	ecx, ebx
		call	PsSetProcessTelemetryAppState
		jmp	loc_847829
; 

loc_8478AF:				; CODE XREF: PsSetProcessFaultInformation+42j
		mov	eax, large fs:124h
		mov	[ebp+arg_0], eax
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	cl, [ebx+3A7h]
		mov	al, cl
		and	al, 38h
		cmp	al, 38h
		jnb	short loc_8478E6
		lea	eax, [ecx+8]
		xor	al, cl
		and	al, 38h
		xor	al, cl
		mov	[ebx+3A7h], al

loc_8478E6:				; CODE XREF: PsSetProcessFaultInformation+D9j
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8478F9
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8478F9:				; CODE XREF: PsSetProcessFaultInformation+F4j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+arg_0]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	esi, [ebp+arg_4]
		mov	eax, [esi]
		jmp	loc_847843
; 

loc_847912:				; CODE XREF: PsSetProcessFaultInformation+49j
		mov	eax, large fs:124h
		mov	[ebp+arg_4], eax
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [ebx+3A7h], 40h
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_847947
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_847947:				; CODE XREF: PsSetProcessFaultInformation+142j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+arg_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	loc_84784B
PsSetProcessFaultInformation endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspRecordCrashedProcessIntoBlackbox(x)
_PspRecordCrashedProcessIntoBlackbox@4 proc near
					; CODE XREF: PsSetProcessFaultInformation+A0p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		xor	eax, eax
		push	edi
		mov	edi, [ecx+1C0h]
		mov	ebx, eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		test	edi, edi
		jz	short loc_84798B
		cmp	[edi+4], eax
		jz	short loc_84798B
		movzx	eax, word ptr [edi]
		test	ax, ax
		jz	short loc_84798B
		lea	ebx, [eax+2]

loc_84798B:				; CODE XREF: PspRecordCrashedProcessIntoBlackbox(x)+1Dj
					; PspRecordCrashedProcessIntoBlackbox(x)+22j ...
		lea	eax, [ebx+8]
		push	62427350h
		push	eax
		push	1
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_847A02
		lea	eax, [ebx+8]
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [esi], 1
		lea	eax, [ebx+8]
		mov	[esi+4], eax
		test	ebx, ebx
		jz	short loc_8479D9
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		lea	eax, [esi+8]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch

loc_8479D9:				; CODE XREF: PspRecordCrashedProcessIntoBlackbox(x)+65j
		push	0
		push	0
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_18]
		push	14h
		push	eax
		push	5Eh
		mov	[ebp+var_C], 0Dh
		mov	[ebp+var_18], esi
		call	_ZwPowerInformation@20 ; ZwPowerInformation(x,x,x,x,x)
		push	62427350h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_847A02:				; CODE XREF: PspRecordCrashedProcessIntoBlackbox(x)+46j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PspRecordCrashedProcessIntoBlackbox@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetInstallerClassMappedPropertyFromRegValue(int,void *,int,int,int,int)
_CmGetInstallerClassMappedPropertyFromRegValue proc near
					; CODE XREF: _CmGetInstallerClassMappedProperty+119p
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+FBp

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= word ptr -1Dh
var_8		= word ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008FB19A SIZE 0000029D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_5C], edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_3C], eax
		mov	eax, [edi+10h]
		mov	[ebp+var_2C], eax
		mov	eax, offset off_A42C38
		mov	esi, [ebp+var_2C]
		mov	[ebp+var_38], ecx
		xor	ecx, ecx
		mov	[ebp+var_50], edx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_24], ecx
		mov	byte ptr [ebp+var_1D], cl
		mov	[ebp+var_54], ecx
		mov	[ebp+var_44], eax
		mov	[ebp+var_28], ecx

loc_847A69:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+84j
		mov	edx, [eax]
		mov	ebx, eax
		mov	[ebp+var_2C], ebx
		cmp	esi, [edx+10h]
		jz	short loc_847A90

loc_847A75:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B3798j
		add	ecx, 10h
		xor	ebx, ebx
		add	eax, 10h
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_44], eax
		cmp	ecx, 0D0h
		jb	short loc_847A69
		jmp	short loc_847AA4
; 

loc_847A90:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+6Bj
		push	10h		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8FB19A

loc_847AA4:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+86j
		mov	esi, [ebp+var_58]
		mov	edi, [ebp+var_5C]
		test	ebx, ebx
		jz	loc_8FB1A5
		mov	eax, [ebp+var_40]
		xor	ecx, ecx
		mov	edx, [ebp+var_34]
		mov	[eax], ecx
		mov	eax, [ebp+var_3C]
		mov	[eax], ecx
		test	edx, edx
		jz	loc_8FB1AF
		mov	ecx, [ebp+arg_10]
		mov	[ebp+var_28], ecx
		neg	ecx
		sbb	eax, eax
		and	eax, edx
		xor	ecx, ecx
		mov	[ebp+var_34], eax

loc_847ADA:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B37AAj
		test	edi, edi
		jnz	short loc_847AFE
		mov	edx, [ebp+var_50]
		lea	eax, [ebp+var_30]
		push	ecx
		push	eax
		push	ecx
		push	1
		push	ecx
		mov	ecx, [ebp+var_38]
		push	20h
		call	_CmOpenCommonClassRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_847B85

loc_847AFE:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+D4j
		mov	eax, [ebp+arg_4]
		mov	ebx, [eax+10h]
		cmp	ebx, 7
		jz	loc_8FB1B7

loc_847B0D:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B37CAj
		cmp	ebx, 8
		jz	loc_8FB1D7

loc_847B16:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B37E7j
		cmp	ebx, 9
		jz	loc_8FB1F4

loc_847B1F:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B3806j
		cmp	ebx, 0Ah
		jz	loc_847BB0

loc_847B28:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+1BCj
		cmp	ebx, 0Fh
		jz	loc_8FB213

loc_847B31:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B381Fj
		cmp	ebx, 2
		jz	loc_8FB298

loc_847B3A:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B3960j
					; _CmGetInstallerClassMappedPropertyFromRegValue+B397Aj
		mov	ebx, [ebp+var_2C]
		mov	eax, [ebp+var_28]
		mov	[ebp+var_24], eax
		mov	ecx, [ebx+8]
		test	edi, edi
		jnz	short loc_847B4D
		mov	edi, [ebp+var_30]

loc_847B4D:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+140j
		mov	edx, [ebp+var_38]
		mov	eax, [edx+108h]
		test	eax, eax
		jnz	short loc_847B5F
		mov	eax, offset _PnpRegQueryValueIndirect

loc_847B5F:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+150j
		lea	ebx, [ebp+var_1D]
		push	ebx
		lea	ebx, [ebp+var_24]
		push	ebx
		push	[ebp+var_34]
		lea	ebx, [ebp+var_48]
		push	ebx
		push	ecx
		push	edi
		push	edx
		call	eax ; _PnpRegQueryValueIndirect
		mov	ecx, eax
		mov	ebx, [ebp+var_2C]
		cmp	ecx, 0C0000034h
		jnz	short loc_847BFD

loc_847B80:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+1EEj
					; _CmGetInstallerClassMappedPropertyFromRegValue+1FBj ...
		mov	esi, 0C0000225h

loc_847B85:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+F0j
					; _CmGetInstallerClassMappedPropertyFromRegValue+22Cj ...
		cmp	[ebp+var_4C], 0
		jnz	loc_8FB42A

loc_847B8F:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B3A2Aj
		cmp	[ebp+var_30], 0
		jz	short loc_847B9D
		push	[ebp+var_30]
		call	_ZwClose@4	; ZwClose(x)

loc_847B9D:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+18Bj
					; _CmGetInstallerClassMappedPropertyFromRegValue+B37A2j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_847BB0:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+11Aj
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_NoUseClass ; void *
		push	[ebp+arg_4]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_847B28

loc_847BCA:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B37C1j
					; _CmGetInstallerClassMappedPropertyFromRegValue+B37E1j ...
		mov	ebx, [ebp+var_2C]
		mov	[ebp+var_24], 16h
		mov	edx, [ebx+8]
		test	edi, edi
		jnz	short loc_847BDE
		mov	edi, [ebp+var_30]

loc_847BDE:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+1D1j
		lea	eax, [ebp+var_24]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_1D+1]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		call	_RegRtlQueryValue
		cmp	eax, 0C0000034h
		jz	short loc_847B80
		jmp	loc_8FB232
; 

loc_847BFD:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+176j
		cmp	ecx, 0C000017Ch
		jz	loc_847B80
		mov	edx, 0C0000023h
		test	ecx, ecx
		jnz	loc_8FB41B

loc_847C16:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B3944j
					; _CmGetInstallerClassMappedPropertyFromRegValue+B3A15j
		mov	edi, [ebp+var_3C]
		mov	eax, [ebp+var_24]
		mov	[edi], eax
		mov	eax, [ebx+4]
		mov	ebx, [ebp+var_40]
		mov	[ebx], eax
		test	ecx, ecx
		jnz	short loc_847C3F
		cmp	[ebp+var_28], 0
		jz	short loc_847C3F

loc_847C30:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+239j
		cmp	byte ptr [ebp+var_1D], 0
		jz	loc_847B85
		jmp	loc_8FB351
; 

loc_847C3F:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+220j
					; _CmGetInstallerClassMappedPropertyFromRegValue+226j
		mov	esi, edx
		jmp	short loc_847C30
_CmGetInstallerClassMappedPropertyFromRegValue endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLogReserveVaFailed proc near		; CODE XREF: MiReserveUserMemory+461p

var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_A8		= dword	ptr -0A8h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FB437 SIZE 00000139 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0FCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_BC], ecx
		cmp	dword_6D35BC, 0
		lea	edi, [ebp+var_B8]
		stosd
		mov	ebx, edx
		stosd
		stosd
		stosd
		jz	short loc_847CA0
		mov	eax, large fs:124h
		mov	esi, 800h
		mov	edi, [eax+80h]
		lea	edx, [edi+3A8h]
		mov	eax, [edx]

loc_847C92:				; CODE XREF: MiLogReserveVaFailed+56j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_847C92
		test	eax, esi
		jz	short loc_847CB1

loc_847CA0:				; CODE XREF: MiLogReserveVaFailed+33j
					; MiLogReserveVaFailed+83j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_847CB1:				; CODE XREF: MiLogReserveVaFailed+5Aj
		lea	edx, [ebp+var_B8]
		mov	ecx, edi
		call	_EtwGetProcessAppSessionGuid@8 ; EtwGetProcessAppSessionGuid(x,x)
		mov	esi, dword_6D35BC
		cmp	dword ptr [esi], 5
		jbe	short loc_847CA0
		push	4000h
		push	0
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_847CA0
		jmp	loc_8FB437
MiLogReserveVaFailed endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiExpandVadBitMapDown proc near		; CODE XREF: MiExpandVadBitMap(x,x)+10Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FB570 SIZE 00000099 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	eax, [eax+80h]
		mov	esi, ecx
		push	edi
		mov	eax, [eax+24Ch]
		mov	ecx, [esi+4]
		mov	[ebp+var_8], eax
		mov	eax, ecx
		sub	eax, dword_6D2E88
		shl	eax, 3
		cmp	edx, eax
		jbe	loc_8FB570

loc_847D1C:				; CODE XREF: MiExpandVadBitMapDown+B38CDj
		xor	eax, eax

loc_847D1E:				; CODE XREF: MiExpandVadBitMapDown+B3924j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiExpandVadBitMapDown endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl PspSortHandleList(const void *,const void	*)
_PspSortHandleList proc	near		; DATA XREF: PspBuildCreateProcessContext(x,x,x,x)+1022o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [eax]
		mov	eax, [ebp+arg_4]
		mov	edx, [eax]
		xor	eax, eax
		cmp	esi, edx
		setnle	al
		xor	ecx, ecx
		cmp	esi, edx
		pop	esi
		setl	cl
		sub	eax, ecx
		pop	ebp
		retn
_PspSortHandleList endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ExReferenceHandleDebugInfo(x)
_ExReferenceHandleDebugInfo@4 proc near	; CODE XREF: PAGE:0083C954p
					; ExpUpdateDebugInfo(x,x,x,x)+12p
		mov	edi, edi
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [ebx+13Ch]
		nop
		lea	edi, [esi+24h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [esi+54h]
		test	esi, esi
		jnz	short loc_847D9B

loc_847D71:				; CODE XREF: ExReferenceHandleDebugInfo(x)+56j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_847D92

loc_847D7E:				; CODE XREF: ExReferenceHandleDebugInfo(x)+51j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_847D92:				; CODE XREF: ExReferenceHandleDebugInfo(x)+34j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_847D7E
; 

loc_847D9B:				; CODE XREF: ExReferenceHandleDebugInfo(x)+27j
		lock inc dword ptr [esi]
		jmp	short loc_847D71
_ExReferenceHandleDebugInfo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtResumeProcess(x)
_NtResumeProcess@4 proc	near		; DATA XREF: .text:00580D44o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		xor	ecx, ecx
		push	esi
		push	edi
		push	ecx
		mov	al, [eax+15Ah]
		mov	edi, 75537350h
		push	ecx
		mov	[esp+18h+var_8], ecx
		mov	edx, 800h
		lea	ecx, [esp+18h+var_8]
		mov	byte ptr [esp+18h+var_4], al
		mov	eax, ds:_PsProcessType
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	edi
		push	[esp+20h+var_4]
		push	eax
		call	ObpReferenceObjectByHandleWithTag
		mov	esi, eax
		test	esi, esi
		js	short loc_847E02
		push	[esp+10h+var_8]
		call	PsResumeProcess
		mov	ecx, [esp+10h+var_8]
		mov	edx, edi
		mov	esi, eax
		call	ObfDereferenceObjectWithTag

loc_847E02:				; CODE XREF: NtResumeProcess(x)+4Aj
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_NtResumeProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateProcessEx proc near		; CODE XREF: NtCreateProcess(x,x,x,x,x,x,x,x)+35p
					; DATA XREF: .text:00581124o

var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		push	10h
		push	offset dword_6A4668
		call	__SEH_prolog4
		cmp	[ebp+arg_C], 0
		jz	short loc_847E7E
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_20], al
		test	al, al
		jz	short loc_847E4C
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_847E85

loc_847E41:				; CODE XREF: NtCreateProcessEx+7Bj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_847E4C:				; CODE XREF: NtCreateProcessEx+23j
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+var_20]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	PspCreateProcess

loc_847E6C:				; CODE XREF: NtCreateProcessEx+77j
					; sub_8FB617+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_847E7E:				; CODE XREF: NtCreateProcessEx+10j
		mov	eax, 0C000000Dh
		jmp	short loc_847E6C
; 

loc_847E85:				; CODE XREF: NtCreateProcessEx+33j
		mov	ecx, eax
		jmp	short loc_847E41
NtCreateProcessEx endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspProcessRundownWorkerSingle(x)
_PspProcessRundownWorkerSingle@4 proc near ; DATA XREF:	PspInitPhase0+6BFo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		push	edi
		mov	edi, offset _PspRundownNeededCountCache

loc_847E99:				; CODE XREF: PspProcessRundownWorkerSingle(x)+4Dj
		xor	eax, eax
		inc	eax
		xchg	eax, [edi]

loc_847E9E:				; CODE XREF: PspProcessRundownWorkerSingle(x)+3Fj
		cmp	ds:_PspRundownProcessCache, 0
		jz	short loc_847ECB
		xor	esi, esi
		mov	eax, offset _PspRundownProcessCache
		xchg	esi, [eax]
		test	esi, esi
		jz	short loc_847ECB
		xor	dl, dl
		mov	ecx, esi
		call	_PspRundownSingleProcess@8 ; PspRundownSingleProcess(x,x)
		mov	edx, 77537350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	short loc_847E9E
; 

loc_847ECB:				; CODE XREF: PspProcessRundownWorkerSingle(x)+1Bj
					; PspProcessRundownWorkerSingle(x)+28j
		xor	eax, eax
		xor	ecx, ecx
		inc	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 1
		jnz	short loc_847E99
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_PspProcessRundownWorkerSingle@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMOpenDeviceInterfaceKey proc	near	; CODE XREF: PiCMHandleIoctl+E7p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008FB629 SIZE 00000061 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_30]
		push	9
		xor	eax, eax
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_C]
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		mov	[eax], ecx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_C], al
		lea	eax, [ebp+var_30]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureRegistryInputData
		mov	ebx, eax
		test	ebx, ebx
		js	loc_847FE1
		mov	edi, [ebp+var_24]
		test	edi, edi
		jz	loc_8FB66A
		cmp	[ebp+var_2C], 0
		jnz	loc_8FB66A
		cmp	[ebp+var_28], 4
		jnz	loc_8FB66A
		cmp	[ebp+var_14], 0
		jnz	loc_8FB66A
		cmp	[ebp+arg_0], 0
		jz	loc_8FB66A
		cmp	[ebp+arg_4], 10h
		jb	loc_8FB66A
		xor	ebx, ebx
		lea	eax, [ebp+var_4]
		push	ebx
		push	eax
		push	ebx
		push	[ebp+var_1C]
		mov	edx, edi
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	32h
		call	_CmOpenDeviceInterfaceRegKey
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_8FB629

loc_847F91:				; CODE XREF: PiCMOpenDeviceInterfaceKey+B3783j
		test	esi, esi
		js	short loc_847FA9
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_C]
		push	[ebp+var_1C]
		call	_PiCMDuplicateRegistryHandle@20	; PiCMDuplicateRegistryHandle(x,x,x,x,x)
		mov	esi, eax

loc_847FA9:				; CODE XREF: PiCMOpenDeviceInterfaceKey+B1j
					; PiCMOpenDeviceInterfaceKey+B374Bj ...
		push	[ebp+arg_C]
		mov	edi, [ebp+var_8]
		mov	ecx, esi
		push	[ebp+arg_4]
		mov	edx, edi
		push	[ebp+arg_0]
		push	[ebp+var_10]
		call	PiCMReturnHandleResultData
		cmp	[ebp+var_4], 0
		mov	ebx, eax
		jz	short loc_847FD1
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_847FD1:				; CODE XREF: PiCMOpenDeviceInterfaceKey+E5j
		test	ebx, ebx
		js	loc_8FB674
		test	esi, esi
		js	loc_8FB674

loc_847FE1:				; CODE XREF: PiCMOpenDeviceInterfaceKey+43j
					; PiCMOpenDeviceInterfaceKey+B3794j ...
		lea	ecx, [ebp+var_30]
		call	_PiCMReleaseObjectInputData@8 ;	PiCMReleaseObjectInputData(x,x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
PiCMOpenDeviceInterfaceKey endp


;  S U B	R O U T	I N E 


PspRundownProcess proc near		; CODE XREF: PspProcessClose+8Bp

; FUNCTION CHUNK AT 008FB68A SIZE 0000003B BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	edx, edx
		lea	ecx, [esi+0F0h]
		call	ExAcquireRundownProtectionEx
		test	al, al
		jz	short loc_848046
		push	edi
		mov	edx, 77537350h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	ecx, esi
		mov	edi, offset _PspRundownProcessCache
		xor	eax, eax
		lock cmpxchg [edi], ecx
		pop	edi
		test	eax, eax
		jnz	loc_8FB68A
		inc	eax
		lock xadd ds:_PspRundownNeededCountCache, eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_848046
		push	3
		push	offset _PspProcessRundownCacheWorkItem

loc_848041:				; CODE XREF: PspRundownProcess+B36CEj
		call	ExQueueWorkItem

loc_848046:				; CODE XREF: PspRundownProcess+14j
					; PspRundownProcess+46j ...
		pop	esi
		retn
PspRundownProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DbgkpSendApiMessageLpc proc near	; CODE XREF: DbgkForwardException+124p

var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_8		= dword	ptr -8
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008FB6C5 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 178h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	[ebp+arg_0], 0
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax+80h]
		mov	ebx, edx
		mov	edi, ecx
		mov	[ebp+var_174], esi
		jnz	loc_8FB6C5

loc_848080:				; CODE XREF: DbgkpSendApiMessageLpc+B3687j
		push	0
		lea	eax, [ebp+var_170]
		mov	dword ptr [edi+1Ch], 103h
		push	eax
		lea	eax, [ebp+var_16C]
		mov	[ebp+var_170], 160h
		push	eax
		push	edi
		push	20000h
		push	ebx
		call	_LpcSendWaitReceivePort@24 ; LpcSendWaitReceivePort(x,x,x,x,x,x)
		mov	ebx, eax
		cmp	ebx, 0C0h
		jz	short loc_8480E9
		test	ebx, ebx
		js	short loc_8480CC
		push	2Ah
		pop	ecx
		lea	esi, [ebp+var_16C]
		rep movsd
		mov	esi, [ebp+var_174]

loc_8480CC:				; CODE XREF: DbgkpSendApiMessageLpc+71j
					; DbgkpSendApiMessageLpc+A6j
		cmp	[ebp+arg_0], 0
		jnz	loc_8FB6D4

loc_8480D6:				; CODE XREF: DbgkpSendApiMessageLpc+B369Aj
		mov	ecx, [ebp+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_8480E9:				; CODE XREF: DbgkpSendApiMessageLpc+6Dj
		mov	ebx, 0C000004Bh
		jmp	short loc_8480CC
DbgkpSendApiMessageLpc endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMGetDeviceInterfaceAlias proc near	; CODE XREF: PiCMHandleIoctl+10Bp

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008FB6E7 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		and	[ebp+var_44], 0
		and	[ebp+var_40], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_30], eax
		push	9
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_2C], ebx
		lea	edi, [ebp+var_28]
		rep stosd
		mov	eax, [ebp+var_30]
		xor	ecx, ecx
		mov	[ebp+var_3C], ecx
		mov	edi, ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		mov	[eax], ecx
		lea	eax, [ebp+var_28]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureInterfaceAliasInputData
		mov	esi, eax
		test	esi, esi
		js	loc_848243
		cmp	[ebp+var_10], edi
		jz	loc_8FB71C
		cmp	[ebp+var_24], edi
		jnz	loc_8FB71C
		test	ebx, ebx
		jz	loc_8FB702
		mov	eax, [ebp+arg_4]
		cmp	eax, 14h
		jb	loc_8FB702
		add	eax, 0FFFFFFECh
		cmp	eax, 2
		sbb	ebx, ebx
		not	ebx
		and	ebx, eax
		jbe	loc_8FB6F1
		push	34706E50h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8FB6E7

loc_84819C:				; CODE XREF: PiCMGetDeviceInterfaceAlias+B35FCj
					; PiCMGetDeviceInterfaceAlias+B3603j
		test	esi, esi
		js	short loc_84820D
		cmp	ebx, 2
		jb	short loc_8481AA
		xor	eax, eax
		mov	[edi], ax

loc_8481AA:				; CODE XREF: PiCMGetDeviceInterfaceAlias+B3j
		push	[ebp+var_10]
		lea	eax, [ebp+var_3C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_84820D
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	IoGetDeviceInterfaceAlias
		mov	esi, eax
		test	esi, esi
		js	short loc_84820D
		movzx	ecx, word ptr [ebp+var_44]
		lea	eax, [ecx+2]
		shr	eax, 1
		mov	[ebp+var_34], eax
		add	eax, eax
		mov	[ebp+var_38], eax
		cmp	eax, ebx
		ja	loc_8FB6F8
		push	ecx		; size_t
		push	[ebp+var_40]	; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+var_38]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[eax+edi-2], cx

loc_848203:				; CODE XREF: PiCMGetDeviceInterfaceAlias+B360Dj
		push	0
		push	[ebp+var_40]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84820D:				; CODE XREF: PiCMGetDeviceInterfaceAlias+AEj
					; PiCMGetDeviceInterfaceAlias+CAj ...
		mov	ebx, [ebp+var_2C]

loc_848210:				; CODE XREF: PiCMGetDeviceInterfaceAlias+B3631j
		mov	edx, [ebp+var_34]
		add	edx, edx
		test	esi, esi
		js	loc_8FB709
		push	[ebp+var_30]	; int
		push	[ebp+arg_4]	; int
		push	ebx		; int
		push	[ebp+var_8]	; int
		push	edx		; size_t
		push	edi		; void *

loc_848229:				; CODE XREF: PiCMGetDeviceInterfaceAlias+B3627j
		push	0		; int
		mov	ecx, esi
		call	PiCMReturnBufferResultData
		mov	esi, eax
		test	edi, edi
		jz	short loc_848243
		push	34706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_848243:				; CODE XREF: PiCMGetDeviceInterfaceAlias+57j
					; PiCMGetDeviceInterfaceAlias+146j
		cmp	[ebp+var_10], 0
		jz	short loc_848262
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_848262
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_848262:				; CODE XREF: PiCMGetDeviceInterfaceAlias+157j
					; PiCMGetDeviceInterfaceAlias+166j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
PiCMGetDeviceInterfaceAlias endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 853. IoGetDeviceInterfaceAlias

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoGetDeviceInterfaceAlias
IoGetDeviceInterfaceAlias proc near	; CODE XREF: PiCMGetDeviceInterfaceAlias+D8p

var_94		= dword	ptr -94h
var_8D		= dword	ptr -8Dh
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FB726 SIZE 000000DF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+94h+var_4], eax
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	[esp+98h+var_94], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_8]
		mov	[esp+98h+var_74], eax
		xor	eax, eax
		mov	[esp+98h+var_6C], ecx
		mov	byte ptr [esp+98h+var_8D], dl
		mov	[esp+98h+var_78], edx
		mov	byte ptr [esp+98h+var_80], dl
		mov	[esp+98h+var_7C], edx
		mov	[esp+98h+var_70], edx
		mov	[esp+98h+var_8D+1], edx
		push	esi
		push	edi
		lea	edi, [esp+0A0h+var_68]
		stosd
		stosd
		stosd
		stosd
		mov	edi, edx
		test	ecx, ecx
		jz	loc_8FB7FB
		cmp	[ecx+4], edx
		jz	loc_8FB7FB
		cmp	[ecx], dx
		jz	loc_8FB7FB
		push	ecx
		lea	ecx, [esp+0A4h+var_8D+1]
		call	PnpUnicodeStringToWstr
		mov	esi, eax
		test	esi, esi
		js	loc_848551
		mov	edx, [esp+0A0h+var_8D+1]
		call	__CmValidateDeviceInterfaceName@8 ; _CmValidateDeviceInterfaceName(x,x)
		test	eax, eax
		js	loc_8FB726
		lea	eax, [esp+0A0h+var_68]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	edx, [esp+0A0h+var_8D+1]
		lea	eax, [esp+0A0h+var_8D]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [esp+0A4h+var_68]
		push	eax
		push	edi
		push	3
		call	_PiPnpRtlApplyMandatoryFilters@24 ; PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)
		mov	esi, eax
		lea	eax, [esp+0A0h+var_68]
		push	eax
		call	SeReleaseSubjectContext
		test	esi, esi
		js	loc_848551
		cmp	byte ptr [esp+0A0h+var_8D], bl
		jz	loc_8FB730
		push	ecx		; int
		mov	ecx, [esp+0A4h+var_94] ; int
		lea	edx, [esp+0A4h+var_58] ; void *
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_848551
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		push	20207050h
		mov	esi, 190h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+0A0h+var_94], ebx
		test	ebx, ebx
		jz	loc_8FB73A
		mov	edx, [esp+0A0h+var_8D+1]
		lea	eax, [esp+0A0h+var_70]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	esi
		push	ebx
		lea	eax, [esp+0B0h+var_7C]
		push	eax
		push	offset _DEVPKEY_Device_InstanceId
		push	ecx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_848522
		cmp	[esp+0A0h+var_7C], 12h
		jnz	loc_8FB744
		mov	esi, 20207050h
		mov	[esp+0A0h+var_88], 80h
		push	esi
		push	100h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8FB73A
		mov	edx, [esp+0A0h+var_8D+1]
		lea	eax, [esp+0A0h+var_88]
		push	eax
		push	80h
		push	edi
		call	_CmGetDeviceInterfaceReferenceString
		mov	ebx, eax
		cmp	ebx, 0C0000023h
		jz	loc_8FB74E

loc_848440:				; CODE XREF: IoGetDeviceInterfaceAlias+B350Ej
		mov	eax, 0C0000034h
		cmp	ebx, eax
		jz	loc_8FB78D

loc_84844D:				; CODE XREF: IoGetDeviceInterfaceAlias+B3520j
		mov	esi, ebx
		sub	esi, eax
		neg	esi
		sbb	esi, esi
		and	esi, ebx
		sub	ebx, eax
		neg	ebx
		sbb	ebx, ebx
		and	edi, ebx
		mov	ebx, edi
		test	esi, esi
		js	loc_84851E
		mov	edx, [esp+0A0h+var_8D+1]
		lea	eax, [esp+0A0h+var_80]
		push	eax
		call	__CmGetDeviceInterfacePathFormat@12 ; _CmGetDeviceInterfacePathFormat(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_84851E
		push	20207050h
		push	400h
		mov	esi, 200h
		push	1
		mov	[esp+0ACh+var_84], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+0A0h+var_88], edi
		test	edi, edi
		jz	loc_8FB79F
		lea	eax, [esp+0A0h+var_84]
		push	eax
		push	esi
		push	edi
		push	[esp+0ACh+var_80]
		lea	edx, [esp+0B0h+var_58]
		push	ebx
		push	[esp+0B4h+var_94]
		call	_CmGetDeviceInterfaceName
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_8FB7A9

loc_8484D0:				; CODE XREF: IoGetDeviceInterfaceAlias+B356Ej
		mov	edi, ebx
		test	esi, esi
		js	short loc_84851E
		push	[esp+0A0h+var_88]
		push	[esp+0A4h+var_74]
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_84851E
		mov	edx, [esp+0A0h+var_88]
		lea	eax, [esp+0A0h+var_78]
		push	0
		push	eax
		push	0
		push	20019h
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	30h
		call	_CmOpenDeviceInterfaceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_8FB7ED
		push	[esp+0A0h+var_78]
		call	_ZwClose@4	; ZwClose(x)

loc_84851C:				; CODE XREF: IoGetDeviceInterfaceAlias+B352Aj
					; IoGetDeviceInterfaceAlias+B357Cj
		mov	edi, ebx

loc_84851E:				; CODE XREF: IoGetDeviceInterfaceAlias+1E9j
					; IoGetDeviceInterfaceAlias+201j ...
		mov	ebx, [esp+0A0h+var_94]

loc_848522:				; CODE XREF: IoGetDeviceInterfaceAlias+16Fj
					; IoGetDeviceInterfaceAlias+B34C5j ...
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	edx, edx

loc_84853A:				; CODE XREF: IoGetDeviceInterfaceAlias+B3586j
		test	edi, edi
		jz	short loc_848545
		push	edx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_848545:				; CODE XREF: IoGetDeviceInterfaceAlias+2C2j
		test	ebx, ebx
		jz	short loc_848551
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_848551:				; CODE XREF: IoGetDeviceInterfaceAlias+84j
					; IoGetDeviceInterfaceAlias+E2j ...
		mov	edx, [esp+0A0h+var_6C]
		mov	ecx, [esp+0A0h+var_8D+1]
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		mov	ecx, [esp+0A0h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
IoGetDeviceInterfaceAlias endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDeviceInterfacePathFormat(x, x, x)
__CmGetDeviceInterfacePathFormat@12 proc near ;	CODE XREF: IoGetDeviceInterfaceAlias+1F8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		call	__CmValidateDeviceInterfaceName@8 ; _CmValidateDeviceInterfaceName(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8485D3
		push	edi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8485E4
		push	ebx
		lea	eax, [ebp+var_C]
		push	eax
		push	offset loc_401574
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_8485DC
		push	ebx
		lea	eax, [ebp+var_C]
		push	eax
		push	(offset	loc_40156B+1)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_8485E4
		mov	eax, [ebp+arg_0]
		mov	[eax], bl

loc_8485D3:				; CODE XREF: _CmGetDeviceInterfacePathFormat(x,x,x)+1Ej
					; _CmGetDeviceInterfacePathFormat(x,x,x)+6Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8485DC:				; CODE XREF: _CmGetDeviceInterfacePathFormat(x,x,x)+41j
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	1
		jmp	short loc_8485D3
; 

loc_8485E4:				; CODE XREF: _CmGetDeviceInterfacePathFormat(x,x,x)+2Ej
					; _CmGetDeviceInterfacePathFormat(x,x,x)+54j
		mov	esi, 0C0000033h
		jmp	short loc_8485D3
__CmGetDeviceInterfacePathFormat@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetDeviceInterfaceReferenceString proc near ; CODE XREF: IoGetDeviceInterfaceAlias+1B3p
					; IoGetDeviceInterfaceAlias+B3507p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FB805 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		call	__CmValidateDeviceInterfaceName@8 ; _CmValidateDeviceInterfaceName(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_84867C
		push	5Ch
		pop	ebx
		lea	ecx, [edi+8]
		push	ebx		; wchar_t
		push	ecx		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_8FB805
		lea	edi, [eax+2]
		movzx	eax, word ptr [edi]
		mov	edx, edi
		test	ax, ax
		jz	short loc_84863F
		mov	ecx, eax

loc_848627:				; CODE XREF: _CmGetDeviceInterfaceReferenceString+51j
		cmp	cx, bx
		jz	short loc_848685
		cmp	cx, 2Fh
		jz	short loc_848685
		add	edx, 2
		movzx	eax, word ptr [edx]
		mov	ecx, eax
		test	ax, ax
		jnz	short loc_848627

loc_84863F:				; CODE XREF: _CmGetDeviceInterfaceReferenceString+37j
					; _CmGetDeviceInterfaceReferenceString+9Ej
		test	esi, esi
		js	short loc_84867C
		mov	ecx, edi
		xor	esi, esi
		lea	edx, [ecx+2]

loc_84864A:				; CODE XREF: _CmGetDeviceInterfaceReferenceString+67j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_84864A
		mov	eax, [ebp+arg_8]
		sub	ecx, edx
		sar	ecx, 1
		inc	ecx
		test	eax, eax
		jz	short loc_848663
		mov	[eax], ecx

loc_848663:				; CODE XREF: _CmGetDeviceInterfaceReferenceString+73j
		mov	edx, [ebp+arg_4]
		cmp	ecx, edx
		ja	short loc_84868C
		mov	ecx, [ebp+arg_0]
		push	900h
		push	esi
		push	esi
		push	edi
		call	RtlStringCchCopyExW
		mov	esi, eax

loc_84867C:				; CODE XREF: _CmGetDeviceInterfaceReferenceString+13j
					; _CmGetDeviceInterfaceReferenceString+55j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_848685:				; CODE XREF: _CmGetDeviceInterfaceReferenceString+3Ej
					; _CmGetDeviceInterfaceReferenceString+44j
		mov	esi, 0C0000039h
		jmp	short loc_84863F
; 

loc_84868C:				; CODE XREF: _CmGetDeviceInterfaceReferenceString+7Cj
		mov	esi, 0C0000023h
		jmp	short loc_84867C
_CmGetDeviceInterfaceReferenceString endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMCaptureInterfaceAliasInputData proc	near ; CODE XREF: PiCMGetDeviceInterfaceAlias+4Ep

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FB80F SIZE 0000000F BYTES
; FUNCTION CHUNK AT 008FB832 SIZE 0000005F BYTES

		push	18h
		push	offset dword_6A4688
		call	__SEH_prolog4
		mov	esi, edx
		mov	edx, ecx
		and	[ebp+var_20], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		test	edx, edx
		jz	loc_8FB884
		test	esi, esi
		jz	loc_8FB884
		and	[ebp+ms_exc.disabled], ebx
		test	dl, 3
		jnz	loc_848784
		lea	ecx, [edx+esi]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	loc_8FB80F
		cmp	ecx, edx
		jb	loc_8FB80F

loc_8486F0:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+B317Ej
		cmp	esi, 24h
		jb	loc_8FB817
		push	9
		pop	ecx
		mov	esi, edx
		mov	eax, [ebp+arg_4]
		mov	edi, eax
		rep movsd
		cmp	dword ptr [eax], 24h
		jnz	loc_8FB817

loc_84870E:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+B31A1j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+arg_4]
		test	ebx, ebx
		js	loc_8FB85B
		lea	edi, [esi+18h]
		mov	eax, [edi]
		and	dword ptr [edi], 0
		test	eax, eax
		jz	loc_8FB83E
		mov	ecx, [esi+1Ch]
		cmp	ecx, 2
		jb	loc_8FB83A
		push	1
		push	[ebp+var_24]
		push	2
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	PiControlMakeUserModeCallersCopy
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_848789
		mov	[ebp+var_20], 1
		mov	edx, [esi+1Ch]
		shr	edx, 1
		mov	ecx, [edi]
		xor	eax, eax
		mov	[ecx+edx*2-2], ax

loc_848768:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+FCj
					; PiCMCaptureInterfaceAliasInputData+B31B2j ...
		test	ebx, ebx
		js	loc_8FB85B

loc_848770:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+B31EBj
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_848784:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+3Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_848789:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+BDj
		and	dword ptr [edi], 0
		and	dword ptr [esi+1Ch], 0
		jmp	short loc_848768
PiCMCaptureInterfaceAliasInputData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetInstallerClassMappedPropertyFromCoInstallers proc	near
					; CODE XREF: _CmGetInstallerClassMappedProperty+163p
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+22Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008FB891 SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], edx
		mov	[eax], esi
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		push	edi
		mov	[eax], esi
		test	ebx, ebx
		jz	short loc_848809
		mov	edi, [ebp+arg_C]
		mov	eax, edi
		neg	eax
		sbb	eax, eax
		and	ebx, eax

loc_8487C4:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromCoInstallers+79j
		lea	eax, [ebp+var_4]
		push	eax
		push	0Dh
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		test	eax, eax
		js	short loc_84880D
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+arg_8]
		push	eax
		push	ebx
		mov	ebx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		mov	edx, ebx
		mov	[ebp+arg_8], edi
		call	_RegRtlQueryValue
		mov	ecx, eax
		cmp	ecx, 0C0000034h
		jnz	loc_8FB891

loc_8487FB:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromCoInstallers+B3105j
		mov	esi, 0C0000225h

loc_848800:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromCoInstallers+7Dj
					; _CmGetInstallerClassMappedPropertyFromCoInstallers+B3119j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_848809:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromCoInstallers+25j
		mov	edi, esi
		jmp	short loc_8487C4
; 

loc_84880D:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromCoInstallers+40j
		mov	esi, eax
		jmp	short loc_848800
_CmGetInstallerClassMappedPropertyFromCoInstallers endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapLockedPagesInUserSpace proc near	; CODE XREF: MmMapLockedPagesSpecifyCache+19Cp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FB906 SIZE 000000C0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		mov	eax, ecx
		mov	ecx, 0FFFh
		push	esi
		push	edi
		mov	[ebp+var_38], eax
		test	[ebp+arg_4], ecx
		jnz	loc_8FB906
		mov	ebx, [eax+14h]
		lea	edi, [eax+1Ch]
		and	edx, ecx
		mov	[ebp+var_8], edi
		push	0
		add	edx, ecx
		mov	[ebp+var_10], edi
		push	40h
		add	ebx, edx
		mov	edx, 6C646156h
		push	28h
		shr	ebx, 0Ch
		pop	ecx
		mov	[ebp+var_14], ebx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_3C], esi
		test	esi, esi
		jz	loc_8FB92A
		mov	eax, [ebp+arg_8]
		and	dword ptr [esi+18h], 0
		sar	eax, 1Fh
		and	eax, 0FFFFFFFDh
		mov	dword ptr [esi+8], 0FFFFFFFEh
		add	eax, 4
		mov	ecx, eax
		mov	[ebp+var_20], eax
		mov	eax, [esi+1Ch]
		and	ecx, 1Fh
		shl	ecx, 7
		and	eax, 0FFFFF01Fh
		or	ecx, eax
		mov	eax, large fs:124h
		and	[ebp+var_1C], 0
		or	ecx, 8100010h
		mov	[esi+1Ch], ecx
		xor	ecx, ecx
		mov	[ebp+var_18], eax
		mov	eax, [eax+80h]
		mov	edx, eax
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_4], eax
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		mov	edx, [ebp+var_4]
		test	byte ptr [edx+0FCh], 20h
		jnz	loc_8FB931
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		call	MiGetUserReservationHighestAddress
		mov	edi, [ebp+arg_4]
		mov	ecx, eax
		mov	eax, ebx
		shl	eax, 0Ch
		mov	[ebp+var_28], eax
		test	edi, edi
		jnz	loc_8FB93B
		lea	edx, [ebp+arg_4]
		push	edx
		lea	edx, [ebp+var_1C]
		push	edx
		push	edi
		push	[ebp+var_20]
		xor	edx, edx
		push	ecx
		push	10000h
		push	eax
		push	ecx
		xor	ecx, ecx
		call	_MiSelectUserAddress@40	; MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		js	loc_848A62
		mov	edi, [ebp+arg_4]
		mov	ebx, [ebp+var_14]

loc_84891F:				; CODE XREF: MiMapLockedPagesInUserSpace+B3139j
		mov	ecx, [ebp+var_28]
		mov	eax, edi
		and	[ebp+arg_4], 0
		dec	ecx
		add	ecx, edi
		shr	eax, 0Ch
		mov	[ebp+var_34], ecx
		shr	ecx, 0Ch
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], ecx
		mov	[esi+0Ch], eax
		mov	[esi+10h], ecx
		test	ebx, ebx
		jz	short loc_8489A0
		mov	eax, [ebp+var_10]

loc_848947:				; CODE XREF: MiMapLockedPagesInUserSpace+18Cj
		mov	ebx, [eax]
		mov	ecx, ebx
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jz	loc_848A3A
		imul	eax, ebx, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	ecx, eax
		mov	[ebp+var_28], eax
		call	_MiLegitimatePageForDriversToMap@4 ; MiLegitimatePageForDriversToMap(x)
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		js	loc_848A62
		mov	ecx, [ebp+var_28]
		call	_MiDoubleLockMdlPage@4 ; MiDoubleLockMdlPage(x)
		test	eax, eax
		jz	loc_848A62

loc_848988:				; CODE XREF: MiMapLockedPagesInUserSpace+24Aj
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_24], eax
		add	eax, 4
		mov	[ebp+arg_4], ecx
		mov	[ebp+var_10], eax
		cmp	ecx, [ebp+var_14]
		jb	short loc_848947

loc_8489A0:				; CODE XREF: MiMapLockedPagesInUserSpace+130j
		mov	edx, [ebp+var_4]
		push	ecx
		mov	ecx, esi
		call	MiInsertVadCharges
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		js	loc_848A62
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_8489CB
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_30]
		push	eax
		call	MiAdvanceVadHint

loc_8489CB:				; CODE XREF: MiMapLockedPagesInUserSpace+1ABj
		mov	ecx, [ebp+var_18]
		mov	edx, esi
		call	_MiLockVad@8	; MiLockVad(x,x)
		push	[ebp+arg_8]
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		push	esi
		push	[ebp+var_14]
		push	[ebp+arg_0]
		push	0
		call	MiMapLockedPagesInUserSpaceHelper
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_18]
		call	UNLOCK_ADDRESS_SPACE_UNORDERED
		mov	ecx, esi
		call	_MiReferenceVad@4 ; MiReferenceVad(x)
		xor	eax, eax
		mov	edx, edi
		cmp	[ebp+var_20], 1
		mov	ecx, esi
		push	0
		setnz	al
		lea	eax, ds:2[eax*2]
		push	eax
		push	[ebp+var_34]
		call	MiAddSecureEntry
		mov	ecx, esi
		test	eax, eax
		jz	loc_8FB921
		call	MiUnlockAndDereferenceVad
		mov	eax, [ebp+var_38]
		add	edi, [eax+18h]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_848A3A:				; CODE XREF: MiMapLockedPagesInUserSpace+140j
		push	ecx
		push	0
		push	0
		push	[ebp+arg_0]
		mov	ecx, ebx
		push	1
		call	_MiSanitizePage@4 ; MiSanitizePage(x)
		xor	ecx, ecx
		mov	edx, eax
		inc	ecx
		call	MiReferenceIoPages
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jns	loc_848988

loc_848A62:				; CODE XREF: MiMapLockedPagesInUserSpace+101j
					; MiMapLockedPagesInUserSpace+160j ...
		mov	edx, [ebp+var_4]
		jmp	loc_8FB95B
MiMapLockedPagesInUserSpace endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpCreateUmReplyObject	proc near	; CODE XREF: EtwpNotifyGuid(x,x,x)+1ACp
					; EtwpEnableGuid+78Cp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FB9C6 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_10], edx
		push	71777445h
		push	2Ch
		push	200h
		mov	[ebp+var_C], ecx
		mov	[ebp+var_14], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], 40h
		mov	[ebp+var_24], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8FB9C6
		push	2Ch		; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		push	esi
		push	edi
		call	_KeInitializeQueue@8 ; KeInitializeQueue(x,x)
		mov	edx, ds:_EtwpRegistrationObjectType
		lea	eax, [ebp+var_8]
		push	esi
		push	eax
		push	esi
		push	esi
		push	3Ch
		push	ecx
		push	1
		lea	eax, [ebp+var_2C]
		xor	cl, cl
		push	eax
		call	ObCreateObjectEx
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8FB9E4
		push	3Ch		; size_t
		push	esi		; int
		mov	esi, [ebp+var_8]
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	ebx, [esi+32h]
		push	4
		pop	eax
		mov	[ebx], ax
		mov	[esi+18h], edi
		mov	edi, [ebp+var_C]
		mov	ecx, edi
		call	EtwpReferenceGuidEntry
		mov	[esi+10h], edi
		xor	edx, edx
		mov	edi, offset _EtwpReplyListLock
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, _EtwpReplyListHead
		mov	ecx, offset _EtwpReplyListHead
		cmp	[eax+4], ecx
		jnz	short loc_848B99
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		or	eax, 0FFFFFFFFh
		mov	_EtwpReplyListHead, esi
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_8FB9D0

loc_848B54:				; CODE XREF: EtwpCreateUmReplyObject+B2F68j
					; EtwpCreateUmReplyObject+B2F75j
		mov	ecx, edi
		call	KeAbPostRelease
		lea	eax, [esi+8]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, 80h
		lock or	[ebx], ax
		push	[ebp+var_10]
		lea	eax, [ebp+var_14]
		xor	edx, edx
		push	eax
		push	0
		push	1
		push	804h
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_848B90
		mov	eax, [ebp+arg_0]
		mov	[eax], esi

loc_848B90:				; CODE XREF: EtwpCreateUmReplyObject+11Fj
					; EtwpCreateUmReplyObject+B2F61j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_848B99:				; CODE XREF: EtwpCreateUmReplyObject+CBj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
EtwpCreateUmReplyObject	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpReceiveReplyDataBlock proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+3D0p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FB9F0 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		push	ds:dword_40FA04
		mov	eax, ecx
		mov	[ebp+var_C], edx
		mov	ecx, [ebp+arg_0]
		xor	ebx, ebx
		push	ds:_EtwpOneMs
		mov	[ebp+var_10], eax
		push	ebx
		mov	[ecx], ebx
		push	dword ptr [eax+4]
		mov	esi, [eax]
		call	__allmul
		push	ebx
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_1C], eax
		mov	eax, ds:_EtwpRegistrationObjectType
		push	ecx
		push	1
		push	eax
		push	4
		push	esi
		mov	[ebp+var_18], edx
		mov	[ebp+var_8], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_848C68
		mov	ebx, [ebp+var_8]
		test	byte ptr [ebx+32h], 4
		jz	loc_8FB9F0
		mov	eax, [ebx+18h]
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	1
		push	eax
		call	_KeRemoveQueue@12 ; KeRemoveQueue(x,x,x)
		mov	edi, eax
		cmp	edi, 102h
		jz	short loc_848C78
		cmp	edi, 0C0h
		jz	short loc_848C78
		mov	ebx, [edi+8]
		mov	eax, [ebx+4]
		cmp	eax, [ebp+var_C]
		ja	short loc_848C71
		push	eax		; size_t
		push	ebx		; void *
		push	[ebp+var_10]	; void *
		call	_memcpy
		mov	eax, [ebx+4]
		add	esp, 0Ch
		xor	esi, esi

loc_848C3E:				; CODE XREF: EtwpReceiveReplyDataBlock+D8j
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		or	eax, 0FFFFFFFFh
		lock xadd [ebx+8], eax
		dec	eax
		jnz	short loc_848C56
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_848C56:				; CODE XREF: EtwpReceiveReplyDataBlock+AEj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_8]

loc_848C61:				; CODE XREF: EtwpReceiveReplyDataBlock+DCj
					; EtwpReceiveReplyDataBlock+B2E57j
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_848C68:				; CODE XREF: EtwpReceiveReplyDataBlock+53j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_848C71:				; CODE XREF: EtwpReceiveReplyDataBlock+8Cj
		mov	esi, 0C0000023h
		jmp	short loc_848C3E
; 

loc_848C78:				; CODE XREF: EtwpReceiveReplyDataBlock+79j
					; EtwpReceiveReplyDataBlock+81j
		mov	esi, edi
		jmp	short loc_848C61
EtwpReceiveReplyDataBlock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSendReplyDataBlock(x)
_EtwpSendReplyDataBlock@4 proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+3ACp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax+18h]
		mov	edi, [eax+10h]
		mov	[ebp+var_8], eax
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	eax, ds:_EtwpRegistrationObjectType
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	0
		push	ecx
		push	1
		push	eax
		push	4
		push	esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_848CFA
		mov	ebx, [ebp+var_4]
		test	byte ptr [ebx+32h], 2
		jz	short loc_848D06
		cmp	edi, 4
		jnb	short loc_848D0D
		add	edi, 6
		lea	eax, [ebx+edi*4]
		xor	edi, edi
		xchg	edi, [eax]
		test	edi, edi
		jz	short loc_848D0D
		mov	ecx, [edi+10h]
		test	byte ptr [ecx+32h], 40h
		jnz	short loc_848D14
		mov	edx, [ebp+var_8]
		mov	ecx, [ecx+18h]
		call	EtwpQueueReply
		mov	esi, eax

loc_848CE9:				; CODE XREF: EtwpSendReplyDataBlock(x)+9Dj
		push	2
		pop	edx
		mov	ecx, edi
		call	_EtwpReleaseQueueEntry@8 ; EtwpReleaseQueueEntry(x,x)

loc_848CF3:				; CODE XREF: EtwpSendReplyDataBlock(x)+8Fj
					; EtwpSendReplyDataBlock(x)+96j
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_848CFA:				; CODE XREF: EtwpSendReplyDataBlock(x)+39j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_848D06:				; CODE XREF: EtwpSendReplyDataBlock(x)+42j
		mov	esi, 0C0000008h
		jmp	short loc_848CF3
; 

loc_848D0D:				; CODE XREF: EtwpSendReplyDataBlock(x)+47j
					; EtwpSendReplyDataBlock(x)+55j
		mov	esi, 0C000000Dh
		jmp	short loc_848CF3
; 

loc_848D14:				; CODE XREF: EtwpSendReplyDataBlock(x)+5Ej
		mov	esi, 0C0000301h
		jmp	short loc_848CE9
_EtwpSendReplyDataBlock@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpQueueReply	proc near		; CODE XREF: EtwpSendReplyDataBlock(x)+66p
					; EtwpDeleteRegistrationObject+EF47Bp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FB9FA SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		mov	eax, edx
		push	ebx
		push	esi
		mov	esi, ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, [eax+4]
		call	_EtwpAllocDataBlock@12 ; EtwpAllocDataBlock(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_848D77
		push	72777445h
		push	20h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_8FB9FA
		push	edi
		push	8
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		mov	ecx, [ebp+var_4]
		push	edx
		push	esi
		mov	[edx+8], ecx
		call	KeInsertQueue
		pop	edi

loc_848D71:				; CODE XREF: EtwpQueueReply+5Fj
					; EtwpQueueReply+B2CF3j ...
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_848D77:				; CODE XREF: EtwpQueueReply+20j
		lock inc dword ptr [esi+28h]
		jmp	short loc_848D71
EtwpQueueReply	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpRealtimeSaveState proc near		; CODE XREF: EtwpLogger(x)+3D1p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FBA22 SIZE 000000DF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_50]
		push	48h		; size_t
		push	edi		; int
		push	eax		; void *
		mov	ebx, ecx
		mov	[ebp+var_5C], edi
		mov	esi, 0C0000001h
		mov	[ebp+var_58], edi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_68], edi
		test	byte ptr [ebx+258h], 1
		mov	[ebp+var_64], edi
		jnz	loc_8FBA22

loc_848DC4:				; CODE XREF: EtwpRealtimeSaveState+B2D7Ej
		push	0Dh
		push	1
		lea	eax, [ebp-51h]
		mov	[ebp+var_51], 1
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	dword ptr [ebx+110h]
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)

loc_848DDF:				; CODE XREF: EtwpRealtimeSaveState+B2D5Aj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
EtwpRealtimeSaveState endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 261. CmUnRegisterCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CmUnRegisterCallback
CmUnRegisterCallback proc near		; CODE XREF: VrpDecrementSiloCount()+32p
					; EtwpRegTraceEnableCallback(x,x,x,x,x,x,x,x,x)+8Ep

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FBB01 SIZE 00000016 BYTES
; FUNCTION CHUNK AT 008FBB2A SIZE 00000116 BYTES
; FUNCTION CHUNK AT 008FBC53 SIZE 0000005D BYTES

		push	38h
		push	offset dword_6A46A8
		call	__SEH_prolog4
		mov	[ebp+var_24], 0C000000Dh
		xor	eax, eax
		lea	edi, [ebp+var_48]
		stosd
		stosd
		stosd
		xor	ebx, ebx
		mov	[ebp+var_2C], ebx
		call	_CmpLockCallbackListExclusive@0	; CmpLockCallbackListExclusive()
		mov	esi, offset _CallbackListHead

loc_848E20:				; CODE XREF: CmUnRegisterCallback+4Dj
					; CmUnRegisterCallback+55j ...
		push	ebx
		lea	edx, [ebp+var_2C]
		mov	ecx, esi
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		mov	edi, eax
		test	edi, edi
		mov	[ebp+var_28], edi
		jz	loc_848F11
		mov	ecx, 80000000h
		mov	eax, [edi+10h]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_848E20
		mov	eax, [edi+14h]
		cmp	eax, [ebp+arg_4]
		jnz	short loc_848E20
		mov	eax, [edi+8]
		mov	[ebp+var_20], eax
		cmp	eax, ebx
		jnz	loc_8FBB01
		mov	ecx, [edi]
		mov	eax, [edi+4]
		cmp	[ecx+4], edi
		jnz	loc_848F21
		cmp	[eax], edi
		jnz	loc_848F21
		mov	[eax], ecx
		mov	[ecx+4], eax
		call	_CmpUnlockCallbackList@0 ; CmpUnlockCallbackList()
		mov	[ebp+var_24], ebx

loc_848E7E:				; CODE XREF: CmUnRegisterCallback+11Ej
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_38], eax
		mov	[ebp+var_3C], eax
		mov	byte ptr [ebp+arg_4+3],	bl
		call	_CmpLockContextListExclusive@0 ; CmpLockContextListExclusive()
		lea	ecx, [edi+28h]
		mov	eax, [ecx]
		mov	[ebp+var_30], ecx
		cmp	eax, ecx
		jnz	loc_8FBB63

loc_848E9F:				; CODE XREF: CmUnRegisterCallback+B2DF6j
		call	_CmpUnlockContextList@0	; CmpUnlockContextList()

loc_848EA4:				; CODE XREF: CmUnRegisterCallback+B2E73j
		lea	eax, [ebp+var_3C]
		mov	esi, [ebp+var_3C]
		cmp	esi, eax
		jnz	loc_8FBBF9
		cmp	byte ptr [ebp+arg_4+3],	0
		jnz	loc_8FBC6E

loc_848EBC:				; CODE XREF: CmUnRegisterCallback+B2EB5j
		or	eax, 0FFFFFFFFh
		lock xadd _CmpCallBackCount, eax
		dec	eax
		jnz	short loc_848EE7
		mov	ecx, offset _CmpCallbackContextSList
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	esi, eax
		jmp	short loc_848EE3
; 

loc_848ED8:				; CODE XREF: CmUnRegisterCallback+EFj
		mov	ecx, esi
		mov	esi, [esi]
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_848EE3:				; CODE XREF: CmUnRegisterCallback+E0j
		test	esi, esi
		jnz	short loc_848ED8

loc_848EE7:				; CODE XREF: CmUnRegisterCallback+D2j
		mov	eax, [edi+24h]
		test	eax, eax
		jz	short loc_848EF5
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_848EF5:				; CODE XREF: CmUnRegisterCallback+F6j
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_848EFC:				; CODE XREF: CmUnRegisterCallback+129j
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_848F11:				; CODE XREF: CmUnRegisterCallback+3Cj
					; CmUnRegisterCallback+B2D68j
		cmp	[ebp+var_24], ebx
		jge	loc_848E7E
		call	_CmpUnlockCallbackList@0 ; CmpUnlockCallbackList()
		jmp	short loc_848EFC
; 

loc_848F21:				; CODE XREF: CmUnRegisterCallback+6Dj
					; CmUnRegisterCallback+75j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
CmUnRegisterCallback endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall CmpUnlockCallbackList()
_CmpUnlockCallbackList@0 proc near	; CODE XREF: CmUnRegisterCallback+80p
					; CmUnRegisterCallback+124p ...
		xor	edx, edx
		mov	ecx, offset _CmpCallbackListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_CmpUnlockCallbackList@0 endp


;  S U B	R O U T	I N E 


; __stdcall CmpLockCallbackListExclusive()
_CmpLockCallbackListExclusive@0	proc near ; CODE XREF: CmUnRegisterCallback+20p
					; CmUnRegisterCallback+B2D40p
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpCallbackListLock
		jmp	ExAcquirePushLockExclusiveEx
_CmpLockCallbackListExclusive@0	endp


;  S U B	R O U T	I N E 


; __stdcall CmpUnlockContextList()
_CmpUnlockContextList@0	proc near	; CODE XREF: CmUnRegisterCallback:loc_848E9Fp
					; CmUnRegisterCallback+B2E8Ap
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_CmpUnlockContextList@0	endp


;  S U B	R O U T	I N E 


; __stdcall CmpLockContextListExclusive()
_CmpLockContextListExclusive@0 proc near ; CODE	XREF: CmUnRegisterCallback+94p
					; CmUnRegisterCallback:loc_8FBC76p
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpContextListLock
		jmp	ExAcquirePushLockExclusiveEx
_CmpLockContextListExclusive@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtQueryIntervalProfile proc near	; DATA XREF: .text:00580E48o

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	0Ch
		push	offset dword_6A46C8
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		test	bl, bl
		jz	short loc_848FC1
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_848FF6

loc_848FB6:				; CODE XREF: NtQueryIntervalProfile+6Ej
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_848FC1:				; CODE XREF: NtQueryIntervalProfile+1Aj
		mov	ecx, [ebp+arg_0]
		call	_KeQueryIntervalProfile@4 ; KeQueryIntervalProfile(x)
		mov	ecx, eax
		test	bl, bl
		jz	short loc_848FFA
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx

loc_848FDB:				; CODE XREF: sub_8FBCD4+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_848FE2:				; CODE XREF: NtQueryIntervalProfile+75j
		xor	eax, eax

loc_848FE4:				; CODE XREF: sub_8FBCBE+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_848FF6:				; CODE XREF: NtQueryIntervalProfile+2Aj
		mov	ecx, eax
		jmp	short loc_848FB6
; 

loc_848FFA:				; CODE XREF: NtQueryIntervalProfile+43j
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		jmp	short loc_848FE2
NtQueryIntervalProfile endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryIntervalProfile(x)
_KeQueryIntervalProfile@4 proc near	; CODE XREF: NtQueryIntervalProfile+3Ap
					; KeSetIntervalProfile(x,x)+32p ...

var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		cmp	ecx, 1
		jz	short loc_849042
		lea	eax, [ebp+var_4]
		mov	[ebp+var_14], ecx
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	10h
		push	1
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_849049
		cmp	[ebp+var_10], 0
		jz	short loc_849049
		mov	eax, [ebp+var_C]

loc_84903F:				; CODE XREF: KeQueryIntervalProfile(x)+45j
					; KeQueryIntervalProfile(x)+49j
		pop	edi
		leave
		retn
; 

loc_849042:				; CODE XREF: KeQueryIntervalProfile(x)+19j
		mov	eax, _KiProfileAlignmentFixupInterval
		jmp	short loc_84903F
; 

loc_849049:				; CODE XREF: KeQueryIntervalProfile(x)+32j
					; KeQueryIntervalProfile(x)+38j
		xor	eax, eax
		jmp	short loc_84903F
_KeQueryIntervalProfile@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiUnmapLockedPagesInUserSpace proc near	; CODE XREF: MmUnmapLockedPages+113p

var_28		= dword	ptr -28h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 008FBCDC SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	[ebp+var_8], edx
		xor	edx, edx
		mov	eax, [eax+80h]
		inc	edx
		push	edi
		mov	[ebp+var_C], eax
		mov	edi, ecx
		lea	eax, [ebp+var_10]
		push	eax
		call	MiObtainReferencedVadEx
		mov	esi, eax
		test	esi, esi
		jz	short loc_8490D3
		mov	ecx, [esi+0Ch]
		mov	ebx, ecx
		mov	eax, [esi+1Ch]
		and	al, 70h
		shl	ebx, 0Ch
		cmp	al, 10h
		jnz	short loc_8490DA
		mov	eax, edi
		and	eax, 0FFFFF000h
		cmp	eax, ebx
		jnz	short loc_8490DA
		mov	eax, [esi+10h]
		sub	eax, ecx
		inc	eax
		cmp	[ebp+var_8], eax
		jnz	short loc_8490DA
		mov	ecx, esi
		call	_MiLocateOldestSecure@4	; MiLocateOldestSecure(x)
		test	eax, eax
		jz	loc_8FBCDC
		mov	edx, eax
		mov	ecx, esi
		call	MiRemoveSecureEntry
		test	byte ptr [esi+1Ch], 8
		jnz	loc_8FBCEC

loc_8490C8:				; CODE XREF: MiUnmapLockedPagesInUserSpace+B2CA8j
					; MiUnmapLockedPagesInUserSpace+B2CC8j
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)

loc_8490D3:				; CODE XREF: MiUnmapLockedPagesInUserSpace+2Fj
					; MiUnmapLockedPagesInUserSpace+93j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8490DA:				; CODE XREF: MiUnmapLockedPagesInUserSpace+40j
					; MiUnmapLockedPagesInUserSpace+4Bj ...
		mov	ecx, esi
		call	MiUnlockAndDereferenceVad
		jmp	short loc_8490D3
MiUnmapLockedPagesInUserSpace endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	DrvDbGetDriverPackageSignerScore(int,void *)
_DrvDbGetDriverPackageSignerScore@16 proc near
					; CODE XREF: DrvDbGetDriverPackageMappedProperty+2BCp
					; DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+18Bp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	eax		; int
		push	4		; int
		push	[ebp+arg_4]	; void *
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	offset _DEVPKEY_DriverPackage_SignerScore ; void *
		push	[ebp+arg_0]	; int
		call	DrvDbGetDriverPackageMappedProperty
		test	eax, eax
		js	short locret_84911D
		cmp	[ebp+var_4], 7
		jnz	short loc_849121
		cmp	[ebp+var_8], 4
		jnz	short loc_849121

locret_84911D:				; CODE XREF: DrvDbGetDriverPackageSignerScore(x,x,x,x)+2Bj
					; DrvDbGetDriverPackageSignerScore(x,x,x,x)+42j
		leave
		retn	8
; 

loc_849121:				; CODE XREF: DrvDbGetDriverPackageSignerScore(x,x,x,x)+31j
					; DrvDbGetDriverPackageSignerScore(x,x,x,x)+37j
		mov	eax, 0C0000001h
		jmp	short locret_84911D
_DrvDbGetDriverPackageSignerScore@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAcquireProcessActivityReference proc near ; DATA XREF: .text:00581290o

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FBD44 SIZE 00000007 BYTES
; FUNCTION CHUNK AT 008FBD6B SIZE 0000000A BYTES
; FUNCTION CHUNK AT 008FBD90 SIZE 0000000D BYTES

		push	1Ch
		push	offset dword_6A46F0
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_20], esi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_28], bl
		test	bl, bl
		jz	short loc_84916D
		mov	[ebp+ms_exc.disabled], esi
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_8FBD44

loc_849162:				; CODE XREF: NtAcquireProcessActivityReference+B2C1Ej
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_84916D:				; CODE XREF: NtAcquireProcessActivityReference+25j
		cmp	[ebp+arg_8], 0
		jnz	loc_8FBD6B
		mov	cl, bl
		call	_ExCpuSetResourceManagerAccessCheck@4 ;	ExCpuSetResourceManagerAccessCheck(x)
		test	eax, eax
		js	short loc_8491E4
		push	esi
		lea	eax, [ebp+var_20]
		push	eax
		push	63417350h
		push	[ebp+var_28]
		push	ds:_PsProcessType
		push	1000h
		push	[ebp+arg_4]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8491E4
		lea	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_20]
		call	_PspCreateActivityReference@8 ;	PspCreateActivityReference(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8491D5
		test	bl, bl
		jz	loc_8FBD90
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_8491CE:				; CODE XREF: sub_8FBD85+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8491D5:				; CODE XREF: NtAcquireProcessActivityReference+8Dj
					; NtAcquireProcessActivityReference+B2C70j
		mov	edx, 63417350h
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObjectWithTag
		mov	eax, esi

loc_8491E4:				; CODE XREF: NtAcquireProcessActivityReference+58j
					; NtAcquireProcessActivityReference+7Cj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
NtAcquireProcessActivityReference endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCreateActivityReference(x, x)
_PspCreateActivityReference@8 proc near	; CODE XREF: NtAcquireProcessActivityReference+84p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	al, [eax+15Ah]
		mov	ebx, ecx
		xor	ecx, ecx
		mov	byte ptr [esp+30h+var_1C], al
		push	ecx
		lea	eax, [esp+34h+var_20]
		mov	[esp+34h+var_20], ecx
		push	eax
		push	4
		push	ecx
		push	4
		push	ecx
		push	[esp+48h+var_1C]
		lea	eax, [esp+4Ch+var_18]
		mov	[esp+4Ch+var_14], ecx
		mov	edi, edx
		mov	[esp+4Ch+var_10], ecx
		mov	edx, ds:_PspActivityReferenceObjectType
		mov	[esp+4Ch+var_8], ecx
		mov	[esp+4Ch+var_4], ecx
		xor	cl, cl
		push	eax
		mov	[esp+50h+var_18], 18h
		mov	[esp+50h+var_C], 20h
		call	ObCreateObjectEx
		test	eax, eax
		js	short loc_849289
		mov	esi, [esp+30h+var_20]
		push	esi
		push	5
		push	0
		push	ebx
		call	_PsChargeProcessWakeCounter@16 ; PsChargeProcessWakeCounter(x,x,x,x)
		push	edi
		mov	[esi], eax
		xor	edx, edx
		xor	eax, eax
		mov	ecx, esi
		push	eax
		push	eax
		push	eax
		push	0F0000h
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)

loc_849289:				; CODE XREF: PspCreateActivityReference(x,x)+6Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PspCreateActivityReference@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1885. PsRemoveCreateThreadNotifyRoutine

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsRemoveCreateThreadNotifyRoutine
PsRemoveCreateThreadNotifyRoutine proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FBD9D SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_4], eax
		nop
		xor	ebx, ebx
		mov	edi, offset _PspCreateThreadNotifyRoutine

loc_8492B7:				; CODE XREF: PsRemoveCreateThreadNotifyRoutine+8Cj
		mov	ecx, edi
		call	ExReferenceCallBackBlock
		mov	esi, eax
		test	esi, esi
		jz	short loc_84931B
		mov	eax, [ebp+arg_0]
		cmp	[esi+4], eax
		jnz	short loc_849329
		push	esi
		xor	edx, edx
		mov	ecx, edi
		call	ExCompareExchangeCallBack
		test	al, al
		jz	short loc_849329
		cmp	dword ptr [esi+8], 0
		mov	eax, offset _PspCreateThreadNotifyRoutineNonSystemCount
		jnz	short loc_8492EA
		mov	eax, offset _PspCreateThreadNotifyRoutineCount

loc_8492EA:				; CODE XREF: PsRemoveCreateThreadNotifyRoutine+4Dj
		lock dec dword ptr [eax]
		lea	ecx, _PspCreateThreadNotifyRoutine[ebx*4]
		mov	edx, esi
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)
		mov	ecx, [ebp+var_4]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, esi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax

loc_849314:				; CODE XREF: PsRemoveCreateThreadNotifyRoutine+B2B14j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_84931B:				; CODE XREF: PsRemoveCreateThreadNotifyRoutine+2Cj
					; PsRemoveCreateThreadNotifyRoutine+9Cj
		inc	ebx
		add	edi, 4
		cmp	ebx, 40h
		jb	short loc_8492B7
		jmp	loc_8FBD9D
; 

loc_849329:				; CODE XREF: PsRemoveCreateThreadNotifyRoutine+34j
					; PsRemoveCreateThreadNotifyRoutine+42j
		mov	edx, esi
		mov	ecx, edi
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)
		jmp	short loc_84931B
PsRemoveCreateThreadNotifyRoutine endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1648. ObUnRegisterCallbacks

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObUnRegisterCallbacks(x)
		public _ObUnRegisterCallbacks@4
_ObUnRegisterCallbacks@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		xor	ebx, ebx
		cmp	ax, [esi+2]
		jnb	short loc_8493B0
		push	edi
		lea	edi, [esi+24h]

loc_849352:				; CODE XREF: ObUnRegisterCallbacks(x)+73j
		lea	ecx, [edi+0Ch]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, [edi]
		xor	edx, edx
		sub	ecx, 0FFFFFF80h
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [edi-14h]
		lea	edx, [edi-14h]
		cmp	[ecx+4], edx
		jnz	short loc_8493C1
		mov	eax, [edi-10h]
		cmp	[eax], edx
		jnz	short loc_8493C1
		mov	[eax], ecx
		xor	edx, edx
		mov	[ecx+4], eax
		mov	ecx, [edi]
		sub	ecx, 0FFFFFF80h
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		movzx	eax, word ptr [esi+2]
		inc	ebx
		add	edi, 24h
		cmp	ebx, eax
		jb	short loc_849352
		pop	edi

loc_8493B0:				; CODE XREF: ObUnRegisterCallbacks(x)+12j
		push	6C46624Fh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_8493C1:				; CODE XREF: ObUnRegisterCallbacks(x)+43j
					; ObUnRegisterCallbacks(x)+4Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ObUnRegisterCallbacks@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmInSwapVirtualAddresses proc near	; CODE XREF: SmPerformStoreSwapOperation+2Cp

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, dword_6BC304
		xor	eax, eax
		push	edi
		mov	edi, _EtwpMemoryProvRegHandle
		mov	ebx, ecx
		push	eax
		push	80h
		push	eax
		push	esi
		push	edi
		mov	[ebp+var_84], edx
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_70], eax
		mov	[ebp+var_80], 2
		call	EtwProviderEnabled
		test	al, al
		jnz	sub_8FBDAF

loc_84941D:				; CODE XREF: sub_8FBDAF+45j
		mov	esi, [ebp+var_84]
		mov	ecx, esi
		push	2
		call	MiProcessWsInSwapSupport
		xor	edi, edi
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ecx, eax
		call	MiContractWsSwapPageFile
		mov	esi, dword_6BC304
		push	edi
		push	80h
		push	edi
		mov	[ebp+var_70], edi
		mov	edi, _EtwpMemoryProvRegHandle
		push	esi
		push	edi
		call	EtwProviderEnabled
		test	al, al
		jnz	sub_8FBDF9

loc_849466:				; CODE XREF: sub_8FBDF9+45j
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
MmInSwapVirtualAddresses endp

; 
		align 2

;  S U B	R O U T	I N E 


EtwpAddReplyIndex proc near		; CODE XREF: EtwpQueueNotification+13Bp

; FUNCTION CHUNK AT 008FBE43 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		lea	edi, [ecx+18h]
		mov	edx, 0C0000001h
		xor	esi, esi

loc_84948B:				; CODE XREF: EtwpAddReplyIndex+B29D0j
		mov	ecx, ebx
		xor	eax, eax
		lock cmpxchg [edi], ecx
		test	eax, eax
		jnz	loc_8FBE43
		mov	[ebx+1Ah], si
		xor	edx, edx

loc_8494A1:				; CODE XREF: EtwpAddReplyIndex+B29D6j
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		retn
EtwpAddReplyIndex endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1886. PsRemoveLoadImageNotifyRoutine

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsRemoveLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine proc near ; CODE	XREF: EtwpCoverageSamplerStop(x)+E4p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FBE55 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_4], eax
		nop
		xor	ebx, ebx
		mov	edi, offset _PspLoadImageNotifyRoutine

loc_8494CE:				; CODE XREF: PsRemoveLoadImageNotifyRoutine+B29B9j
		mov	ecx, edi
		call	ExReferenceCallBackBlock
		mov	esi, eax
		test	esi, esi
		jz	loc_8FBE5E
		mov	eax, [ebp+arg_0]
		cmp	[esi+4], eax
		jnz	loc_8FBE55
		push	esi
		xor	edx, edx
		mov	ecx, edi
		call	ExCompareExchangeCallBack
		test	al, al
		jz	loc_8FBE55
		lock dec ds:_PspLoadImageNotifyRoutineCount
		lea	ecx, _PspLoadImageNotifyRoutine[ebx*4]
		mov	edx, esi
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)
		mov	ecx, [ebp+var_4]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, esi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax

loc_84952B:				; CODE XREF: PsRemoveLoadImageNotifyRoutine+B29CCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PsRemoveLoadImageNotifyRoutine endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtUnloadDriver(x)
_NtUnloadDriver@4 proc near		; DATA XREF: .text:00580BF0o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	dl, dl
		call	IopUnloadDriver
		pop	ebp
		retn	4
_NtUnloadDriver@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCloseActivityReference(x, x, x, x)
_PspCloseActivityReference@16 proc near	; DATA XREF: PspInitPhase0+5E8o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 1
		jnz	short loc_849561
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_849561
		push	eax
		push	ecx
		call	_PsReleaseProcessWakeCounter@8 ; PsReleaseProcessWakeCounter(x,x)

loc_849561:				; CODE XREF: PspCloseActivityReference(x,x,x,x)+9j
					; PspCloseActivityReference(x,x,x,x)+12j
		pop	ebp
		retn	10h
_PspCloseActivityReference@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CMFFreeFn(x, x)
_CMFFreeFn@8	proc near		; CODE XREF: XpressDecodeClose(x,x,x)+14p
					; DATA XREF: PiInitializeDDBCache()+2o	...

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_CMFFreeFn@8	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 503. FsRtlDeleteExtraCreateParameterLookasideList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlDeleteExtraCreateParameterLookasideList(x, x)
		public _FsRtlDeleteExtraCreateParameterLookasideList@8
_FsRtlDeleteExtraCreateParameterLookasideList@8	proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_4], 2
		push	[ebp+arg_0]
		jnz	short loc_849595
		call	_ExDeletePagedLookasideList@4 ;	ExDeletePagedLookasideList(x)

loc_849591:				; CODE XREF: FsRtlDeleteExtraCreateParameterLookasideList(x,x)+1Cj
		pop	ebp
		retn	8
; 

loc_849595:				; CODE XREF: FsRtlDeleteExtraCreateParameterLookasideList(x,x)+Cj
		call	_ExDeleteNPagedLookasideList@4 ; ExDeleteNPagedLookasideList(x)
		jmp	short loc_849591
_FsRtlDeleteExtraCreateParameterLookasideList@8	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2524. SeUnregisterImageVerificationCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeUnregisterImageVerificationCallback(x)
		public _SeUnregisterImageVerificationCallback@4
_SeUnregisterImageVerificationCallback@4 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		lock dec dword_6FBAD0
		pop	ebp
		jmp	ExUnregisterCallback
_SeUnregisterImageVerificationCallback@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtLoadDriver(x)
_NtLoadDriver@4	proc near		; DATA XREF: .text:00580FC0o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	IopLoadDriverImage
		pop	ebp
		retn	4
_NtLoadDriver@4	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 661. FsRtlSetDriverBacking

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlSetDriverBacking(x, x)
		public _FsRtlSetDriverBacking@8
_FsRtlSetDriverBacking@8 proc near	; CODE XREF: IoRegisterFileSystem+10p
					; IoRegisterFsRegistrationChangeMountAware+2Bp

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		test	[ebp+arg_4], 1
		jz	short loc_8495E6
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+2Ch]
		test	ecx, ecx
		jz	short loc_8495EA
		call	MmBackSystemImageWithPagefile

loc_8495E6:				; CODE XREF: FsRtlSetDriverBacking(x,x)+Bj
					; FsRtlSetDriverBacking(x,x)+25j
		pop	ebp
		retn	8
; 

loc_8495EA:				; CODE XREF: FsRtlSetDriverBacking(x,x)+15j
		mov	eax, 0C0000263h
		jmp	short loc_8495E6
_FsRtlSetDriverBacking@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


MmBackSystemImageWithPagefile proc near	; CODE XREF: FsRtlSetDriverBacking(x,x)+17p

; FUNCTION CHUNK AT 008FBE7D SIZE 0000001C BYTES

		mov	edi, edi
		push	ebx
		push	esi
		xor	edx, edx
		mov	esi, ecx
		push	edi
		inc	edx
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8FBE7D
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	ecx, ebx
		mov	edi, eax
		call	MiBackSystemImageWithPagefile
		mov	ecx, edi
		mov	esi, eax
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
MmBackSystemImageWithPagefile endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiBackSystemImageWithPagefile proc near	; CODE XREF: MmBackSystemImageWithPagefile+22p
					; MiBackSystemImageWithPagefile+88p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[esp+20h+var_8], edi
		mov	ebx, [esi+70h]
		mov	[esp+20h+var_4], edi
		test	bl, 0Ch
		jnz	loc_8496EA
		mov	edx, [esi+18h]
		mov	ecx, edx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jz	loc_8FBE8F
		mov	ecx, edx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	loc_8FBE8F
		cmp	[esi+3Ch], edi
		jnz	short loc_8496F3

loc_849676:				; CODE XREF: MiBackSystemImageWithPagefile+CEj
					; MiBackSystemImageWithPagefile+DDj ...
		mov	ebx, [esi+4Ch]
		xor	eax, eax
		inc	eax
		cmp	ebx, 0FFFFFFFEh
		jz	short loc_8496D3
		cmp	ebx, eax
		jz	short loc_8496D3
		test	bl, al
		jnz	loc_849717

loc_84968D:				; CODE XREF: MiBackSystemImageWithPagefile+FEj
		or	dword ptr [esi+70h], 8
		mov	eax, edi
		mov	[esp+20h+var_10], eax
		cmp	[ebx], edi
		jbe	short loc_8496D3
		lea	ecx, [ebx+4]
		mov	[esp+20h+var_C], ecx

loc_8496A2:				; CODE XREF: MiBackSystemImageWithPagefile+A9j
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_8496D3
		cmp	dword ptr [edx+4Ch], 1
		jz	short loc_8496C3
		mov	ecx, edx
		call	MiBackSystemImageWithPagefile
		mov	edi, eax
		test	edi, edi
		js	short loc_8496D3
		mov	eax, [esp+20h+var_10]
		mov	ecx, [esp+20h+var_C]

loc_8496C3:				; CODE XREF: MiBackSystemImageWithPagefile+84j
		inc	eax
		add	ecx, 4
		mov	[esp+20h+var_10], eax
		mov	[esp+20h+var_C], ecx
		cmp	eax, [ebx]
		jb	short loc_8496A2

loc_8496D3:				; CODE XREF: MiBackSystemImageWithPagefile+57j
					; MiBackSystemImageWithPagefile+5Bj ...
		mov	eax, [esi+70h]
		and	eax, 0FFFFFFF7h
		mov	[esi+70h], eax
		test	edi, edi
		js	short loc_8496E6
		or	eax, 4
		mov	[esi+70h], eax

loc_8496E6:				; CODE XREF: MiBackSystemImageWithPagefile+B6j
		mov	eax, edi
		jmp	short loc_8496EC
; 

loc_8496EA:				; CODE XREF: MiBackSystemImageWithPagefile+20j
		xor	eax, eax

loc_8496EC:				; CODE XREF: MiBackSystemImageWithPagefile+C0j
					; MmBackSystemImageWithPagefile+B28A2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8496F3:				; CODE XREF: MiBackSystemImageWithPagefile+4Cj
		test	bl, 2
		jnz	loc_849676
		mov	ecx, edx
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	loc_849676
		mov	ecx, esi
		call	_MiBackSingleImageWithPagefile@4 ; MiBackSingleImageWithPagefile(x)
		jmp	loc_849676
; 

loc_849717:				; CODE XREF: MiBackSystemImageWithPagefile+5Fj
		and	ebx, 0FFFFFFFEh
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_4], ebx
		lea	ebx, [esp+20h+var_8]
		jmp	loc_84968D
MiBackSystemImageWithPagefile endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiReturnSystemImageAddress(x, x)
_MiReturnSystemImageAddress@8 proc near	; CODE XREF: MiUnloadSystemImage+422p
					; MiReturnImageBase(x)+99j ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		xor	esi, esi
		inc	esi
		cmp	eax, esi
		jz	short loc_84974C
		mov	ecx, edi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	short loc_84974C
		xor	esi, esi

loc_84974C:				; CODE XREF: MiReturnSystemImageAddress(x,x)+10j
					; MiReturnSystemImageAddress(x,x)+1Cj
		shr	edx, 0Ch
		mov	ecx, edi
		push	edx
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	edx, eax
		mov	ecx, esi
		call	MiReleaseDriverPtes
		pop	edi
		pop	esi
		retn
_MiReturnSystemImageAddress@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReleaseDriverPtes proc near		; CODE XREF: MiUnloadSystemImage+4B1p
					; MiReturnSystemImageAddress(x,x)+2Fp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FBE99 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, edx
		push	ebx
		mov	[ebp+var_4], eax
		mov	ebx, ecx
		shl	eax, 9
		xor	ecx, ecx
		push	esi
		mov	[ebp+var_10], eax
		mov	eax, large fs:124h
		mov	[ebp+var_8], ecx
		mov	ecx, eax
		push	edi
		mov	[ebp+var_C], eax
		xor	edi, edi
		call	_MiLockDriverMappings@4	; MiLockDriverMappings(x)
		lea	eax, dword_6CF580[ebx*4]
		mov	esi, [eax]
		mov	[ebp+var_18], eax
		test	esi, esi
		jz	loc_8FBEAC
		mov	ecx, [ebp+var_4]

loc_8497AA:				; CODE XREF: MiReleaseDriverPtes+54j
		mov	edx, [esi+4]
		cmp	ecx, edx
		jnb	short loc_8497BC

loc_8497B1:				; CODE XREF: MiReleaseDriverPtes+75j
		mov	[ebp+var_8], esi
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_8497AA
		jmp	short loc_8497DB
; 

loc_8497BC:				; CODE XREF: MiReleaseDriverPtes+4Bj
		mov	eax, [esi+14h]
		and	al, 1
		movzx	edi, al
		mov	eax, [esi+8]
		neg	edi
		sbb	edi, edi
		and	edi, 0FFFFFFF1h
		add	edi, 10h
		imul	eax, edi
		lea	eax, [edx+eax*8]
		cmp	ecx, eax
		jnb	short loc_8497B1

loc_8497DB:				; CODE XREF: MiReleaseDriverPtes+56j
		test	esi, esi
		jz	loc_8FBEAC
		mov	eax, [ebp+arg_0]
		mov	ecx, edi
		dec	eax
		neg	ecx
		add	eax, edi
		xor	edx, edx
		and	eax, ecx
		div	edi
		xor	edx, edx
		mov	ecx, eax
		mov	eax, [ebp+var_4]
		sub	eax, [esi+4]
		sar	eax, 3
		div	edi
		push	ecx
		mov	edx, eax
		mov	[ebp+var_14], ecx
		lea	eax, [esi+8]
		mov	[ebp+var_4], edx
		push	edx
		push	eax
		call	_RtlAreBitsSet@12 ; RtlAreBitsSet(x,x,x)
		test	al, al
		jz	loc_8FBE99
		test	byte ptr [esi+14h], 2
		jnz	short loc_84984E
		push	[ebp+var_14]
		lea	eax, [esi+8]
		push	[ebp+var_4]
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		lea	eax, [esi+8]
		push	eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		test	eax, eax
		jz	short loc_84984E
		mov	ecx, [ebp+var_C]
		call	MiUnlockDriverMappings

loc_849847:				; CODE XREF: MiReleaseDriverPtes+128j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_84984E:				; CODE XREF: MiReleaseDriverPtes+BDj
					; MiReleaseDriverPtes+D9j
		mov	ecx, [esi+4]
		mov	edx, [esi+8]
		shl	ecx, 9
		neg	ebx
		push	0
		sbb	ebx, ebx
		imul	edx, edi
		add	ebx, 0Ch
		push	ebx
		shl	edx, 0Ch
		add	edx, ecx
		call	_MiReturnSystemVa@16 ; MiReturnSystemVa(x,x,x,x)
		mov	ecx, [ebp+var_8]
		mov	eax, [esi]
		test	ecx, ecx
		jnz	short loc_84987A
		mov	ecx, [ebp+var_18]

loc_84987A:				; CODE XREF: MiReleaseDriverPtes+111j
		mov	[ecx], eax
		mov	ecx, [ebp+var_C]
		call	MiUnlockDriverMappings
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_849847
MiReleaseDriverPtes endp


;  S U B	R O U T	I N E 


; __stdcall MiSelectSystemImageAddress(x, x)
_MiSelectSystemImageAddress@8 proc near	; CODE XREF: MiSelectImageBase+175p
					; MiGetSystemAddressForImage+170p
		mov	edi, edi
		push	ecx
		xor	eax, eax
		cmp	ecx, 2
		mov	ecx, edx
		setz	al
		push	eax
		call	MiReserveDriverPtes
		test	eax, eax
		jz	short loc_8498AA
		shl	eax, 9
		pop	ecx
		retn
; 

loc_8498AA:				; CODE XREF: MiSelectSystemImageAddress(x,x)+15j
		xor	eax, eax
		pop	ecx
		retn
_MiSelectSystemImageAddress@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReserveDriverPtes proc near		; CODE XREF: MiSelectSystemImageAddress(x,x)+Ep

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FBECD SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		lea	ebx, [ecx+0Fh]
		mov	[ebp+var_4], eax
		push	edi
		mov	ecx, eax
		shr	ebx, 4
		call	_MiLockDriverMappings@4	; MiLockDriverMappings(x)
		mov	eax, [ebp+arg_0]
		mov	esi, dword_6CF580[eax*4]

loc_8498D9:				; CODE XREF: MiReserveDriverPtes+6Cj
		test	esi, esi
		jz	short loc_84991C
		test	byte ptr [esi+14h], 1
		jnz	short loc_849918
		lea	eax, [esi+8]
		cmp	[eax], ebx
		jb	short loc_849918
		push	dword ptr [esi+10h]
		push	ebx
		push	eax
		call	RtlFindClearBitsAndSet
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jz	short loc_849918
		lea	eax, [ebx+edi]
		shl	edi, 7
		add	edi, [esi+4]
		mov	[esi+10h], eax

loc_849907:				; CODE XREF: MiReserveDriverPtes+CAj
		mov	ecx, [ebp+var_4]
		call	MiUnlockDriverMappings
		mov	eax, edi

loc_849911:				; CODE XREF: MiReserveDriverPtes+178j
					; MiReserveDriverPtes+B2648j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_849918:				; CODE XREF: MiReserveDriverPtes+33j
					; MiReserveDriverPtes+3Aj ...
		mov	esi, [esi]
		jmp	short loc_8498D9
; 

loc_84991C:				; CODE XREF: MiReserveDriverPtes+2Dj
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		and	eax, 3Fh
		xor	edi, edi
		mov	[ebp+var_24], eax
		mov	ecx, edi
		add	eax, ebx
		mov	[ebp+var_28], eax
		shl	eax, 4
		add	eax, 1FFh
		and	eax, 0FFFFFE00h
		mov	[ebp+var_8], eax
		shr	eax, 4
		mov	[ebp+var_20], eax
		shr	eax, 3
		mov	[ebp+var_1C], eax
		lea	esi, [eax+18h]
		cmp	_InitializationPhase, edi
		jz	loc_8FBEC5
		mov	eax, 100h

loc_849963:				; CODE XREF: MiReleaseDriverPtes+B2764j
		push	ecx
		push	eax
		mov	edx, 70446D4Dh
		mov	ecx, esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		jz	short loc_849907
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_8]
		neg	eax
		sbb	eax, eax
		shr	ecx, 9
		add	eax, 0Ch
		mov	edx, eax
		mov	[ebp+var_C], eax
		call	MiObtainSystemVa
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_8FBEE5
		mov	ecx, eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		cmp	[ebp+arg_0], 0
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		jnz	short loc_8499CA
		mov	eax, [ebp+var_8]
		push	[ebp+var_C]
		dec	eax
		push	1
		lea	edx, [ecx+eax*8]
		call	_MiMakeZeroedPageTables@16 ; MiMakeZeroedPageTables(x,x,x,x)
		test	eax, eax
		jz	loc_8FBECD

loc_8499CA:				; CODE XREF: MiReserveDriverPtes+101j
		push	[ebp+var_1C]	; size_t
		add	esi, 18h
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		mov	ecx, [ebp+var_20]
		add	eax, 8
		push	ebx
		mov	ebx, [ebp+var_24]
		push	ebx
		push	eax
		mov	[eax], ecx
		mov	[eax+4], esi
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+var_28]
		mov	esi, [ebp+var_14]
		mov	[ecx+14h], edi
		mov	[ecx+10h], eax
		mov	[ecx+4], esi
		mov	eax, dword_6CF580[edx*4]
		mov	[ecx], eax
		mov	dword_6CF580[edx*4], ecx
		mov	ecx, [ebp+var_4]
		call	MiUnlockDriverMappings
		shl	ebx, 7
		lea	eax, [esi+ebx]
		jmp	loc_849911
MiReserveDriverPtes endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiBackSingleImageWithPagefile(x)
_MiBackSingleImageWithPagefile@4 proc near ; CODE XREF:	MiBackSystemImageWithPagefile+E5p
					; MmLoadSystemImageEx(x,x,x,x,x,x)+447p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi

loc_849A3F:				; CODE XREF: MiBackSingleImageWithPagefile(x)+3Ej
		lea	eax, [ebp+var_8]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	8
		mov	ecx, edi
		call	MiSnapDriverRange
		mov	edx, [ebp+var_4]
		mov	esi, eax
		test	edx, edx
		jz	short loc_849A68
		push	4
		push	[ebp+var_8]
		mov	ecx, edi
		call	_MiMakeDriverPagesPrivate@16 ; MiMakeDriverPagesPrivate(x,x,x,x)

loc_849A68:				; CODE XREF: MiBackSingleImageWithPagefile(x)+2Ej
		test	esi, esi
		jnz	short loc_849A3F
		or	dword ptr [edi+70h], 2
		pop	edi
		pop	esi
		leave
		retn
_MiBackSingleImageWithPagefile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopOpenRegistryKey proc	near		; CODE XREF: IopReadDumpRegistry(x,x)+38p
					; SecureDump_ReadRegistry+2Cp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008FBEFB SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[ebp+var_20], 18h
		cmp	[ebp+arg_8], 0
		mov	[ebp+var_8], esi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], 240h
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		jnz	loc_8FBEFB
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+arg_4]
		push	ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)

loc_849AB6:				; CODE XREF: IopOpenRegistryKey+B249Cj
		pop	esi
		leave
		retn	0Ch
IopOpenRegistryKey endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLoadUnloadDriver(x)
_IopLoadUnloadDriver@4 proc near	; CODE XREF: IopLoadDriverImage+15Ap
					; IopCompleteUnloadOrDelete+D4277p
					; DATA XREF: ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		mov	[esp+18h+var_4], ebx
		mov	[esp+18h+var_8], ebx
		mov	eax, [edi+20h]
		test	eax, eax
		jnz	short loc_849B39
		push	ebx
		push	20019h
		push	dword ptr [edi+24h]
		xor	edx, edx
		lea	ecx, [esp+24h+var_8]
		call	IopOpenRegistryKey
		mov	esi, eax
		test	esi, esi
		js	short loc_849B22
		mov	ecx, [esp+18h+var_8]
		lea	eax, [esp+18h+var_4]
		push	eax
		push	ebx
		mov	dl, 1
		call	IopLoadDriver
		mov	esi, eax
		cmp	esi, 0C0000365h
		jz	short loc_849B41
		cmp	esi, 0C000038Eh
		jz	short loc_849B47

loc_849B1B:				; CODE XREF: IopLoadUnloadDriver(x)+89j
					; IopLoadUnloadDriver(x)+90j
		xor	cl, cl
		call	_IopCallDriverReinitializationRoutines@4 ; IopCallDriverReinitializationRoutines(x)

loc_849B22:				; CODE XREF: IopLoadUnloadDriver(x)+3Aj
					; IopLoadUnloadDriver(x)+83j
		push	ebx
		push	ebx
		lea	eax, [edi+10h]
		mov	[edi+28h], esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_849B39:				; CODE XREF: IopLoadUnloadDriver(x)+20j
		push	eax
		call	dword ptr [eax+34h]
		mov	esi, ebx
		jmp	short loc_849B22
; 

loc_849B41:				; CODE XREF: IopLoadUnloadDriver(x)+55j
		mov	esi, [esp+18h+var_4]
		jmp	short loc_849B1B
; 

loc_849B47:				; CODE XREF: IopLoadUnloadDriver(x)+5Dj
		mov	esi, 0C0000034h
		jmp	short loc_849B1B
_IopLoadUnloadDriver@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopCallDriverReinitializationRoutines(x)
_IopCallDriverReinitializationRoutines@4 proc near
					; CODE XREF: PnpCompleteSystemStartProcess()+21p
					; IopLoadUnloadDriver(x)+61p ...
		mov	edi, edi
		push	ebx
		mov	bl, cl
		xor	bh, bh
		test	bl, bl
		jnz	short loc_849B61
		cmp	_IopInitSystemCompletedEnoughForReInitRoutines,	bh
		jz	short loc_849B80

loc_849B61:				; CODE XREF: IopCallDriverReinitializationRoutines(x)+9j
		push	esi
		push	edi
		mov	edi, offset _IopDriverReinitializeQueueHead

loc_849B68:				; CODE XREF: IopCallDriverReinitializationRoutines(x)+80j
		mov	ecx, edi
		call	IopInterlockedRemoveHeadList
		mov	esi, eax
		test	esi, esi
		jnz	short loc_849B84

loc_849B75:				; CODE XREF: IopCallDriverReinitializationRoutines(x)+75j
		cmp	bl, 1
		jz	short loc_849BC5
		pop	edi
		pop	esi
		mov	al, bh
		pop	ebx
		retn
; 

loc_849B80:				; CODE XREF: IopCallDriverReinitializationRoutines(x)+11j
		xor	al, al
		pop	ebx
		retn
; 

loc_849B84:				; CODE XREF: IopCallDriverReinitializationRoutines(x)+25j
		mov	bh, 1

loc_849B86:				; CODE XREF: IopCallDriverReinitializationRoutines(x)+73j
		mov	eax, [esi+8]
		mov	eax, [eax+18h]
		inc	dword ptr [eax+8]
		mov	eax, [esi+8]
		and	dword ptr [eax+8], 0FFFFFFF7h
		mov	ecx, [esi+8]
		mov	eax, [ecx+18h]
		push	dword ptr [eax+8]
		push	dword ptr [esi+10h]
		push	ecx
		call	dword ptr [esi+0Ch]
		mov	ecx, [esi+8]
		call	ObfDereferenceObject
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, edi
		call	IopInterlockedRemoveHeadList
		mov	esi, eax
		test	esi, esi
		jnz	short loc_849B86
		jmp	short loc_849B75
; 

loc_849BC5:				; CODE XREF: IopCallDriverReinitializationRoutines(x)+2Aj
		mov	_IopInitSystemCompletedEnoughForReInitRoutines,	1
		xor	bl, bl
		jmp	short loc_849B68
_IopCallDriverReinitializationRoutines@4 endp


;  S U B	R O U T	I N E 


MiUseLargeDriverPage proc near		; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+2CAp
					; MiHandleBootImage+11Cp

; FUNCTION CHUNK AT 008FBF15 SIZE 0000001B BYTES

		test	ds:_MiFlags, 8000h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		jnz	short loc_849C06
		test	byte ptr ds:_MiFlags+2,	1
		jnz	short loc_849C06
		cmp	byte_6CF559, 1
		jz	short loc_849C0C
		mov	esi, dword_6CF560
		mov	ebx, offset dword_6CF560

loc_849BFE:				; CODE XREF: MiUseLargeDriverPage+B235Bj
		cmp	esi, ebx
		jnz	loc_8FBF15

loc_849C06:				; CODE XREF: MiUseLargeDriverPage+Fj
					; MiUseLargeDriverPage+18j
		xor	eax, eax

loc_849C08:				; CODE XREF: MiUseLargeDriverPage+3Fj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_849C0C:				; CODE XREF: MiUseLargeDriverPage+21j
					; MiUseLargeDriverPage+B2353j
		xor	eax, eax
		inc	eax
		jmp	short loc_849C08
MiUseLargeDriverPage endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeDriverInitialization(x)
_MiFreeDriverInitialization@4 proc near	; CODE XREF: IopLoadDriver+4F1p
					; MiLoadImportDll(x,x,x,x,x)+51p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, [ebx+18h]
		mov	ecx, edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	short loc_849C66

loc_849C35:				; CODE XREF: MiFreeDriverInitialization(x)+4Dj
					; MiFreeDriverInitialization(x)+5Aj ...
		lea	eax, [ebp+var_8]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	2
		mov	ecx, ebx
		call	MiSnapDriverRange
		mov	edx, [ebp+var_4]
		mov	esi, eax
		test	edx, edx
		jz	short loc_849C5D
		push	ecx
		push	[ebp+var_8]
		mov	ecx, ebx
		call	MiFreeInitializationCode

loc_849C5D:				; CODE XREF: MiFreeDriverInitialization(x)+3Ej
		test	esi, esi
		jnz	short loc_849C35

loc_849C61:				; CODE XREF: MiFreeDriverInitialization(x)+64j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_849C66:				; CODE XREF: MiFreeDriverInitialization(x)+21j
		cmp	edi, ds:_PsNtosImageBase
		jz	short loc_849C35
		cmp	edi, ds:_PsHalImageBase
		jz	short loc_849C35
		jmp	short loc_849C61
_MiFreeDriverInitialization@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFreeInitializationCode proc near	; CODE XREF: MiFreeDriverInitialization(x)+46p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FBF30 SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		lea	edi, [ebp+var_28]
		mov	edx, ecx
		mov	[ebp+var_8], esi
		push	6
		xor	eax, eax
		mov	[ebp+var_10], edx
		pop	ecx
		rep stosd
		mov	edi, [ebp+arg_0]
		lea	ebx, [edx+5Ch]
		sub	edi, [ebp+var_8]
		mov	ecx, ebx
		mov	eax, [edx+18h]
		add	edi, 8
		shl	esi, 9
		xor	edx, edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], esi
		sar	edi, 3
		call	_MiLockLoaderEntry@8 ; MiLockLoaderEntry(x,x)
		mov	ecx, [ebp+var_C]
		push	edi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, [ebp+var_8]
		sub	ecx, eax
		sar	ecx, 3
		push	ecx
		push	dword ptr [ebx+3Ch]
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		xor	edx, edx
		mov	ecx, ebx
		call	MiUnlockLoaderEntry
		mov	ecx, esi
		mov	[ebp+arg_0], offset _MiSystemPartition
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	loc_849D7E
		mov	ecx, [ebp+var_10]
		mov	ecx, [ecx+3Ch]
		test	ecx, ecx
		jz	short loc_849D7A
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	edx, eax
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	[ebp+arg_0], eax

loc_849D0D:				; CODE XREF: MiFreeInitializationCode+104j
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		push	eax
		inc	ecx
		push	ecx
		push	edi
		push	[ebp+var_8]
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	ecx, eax
		call	_MiDeleteSystemPagableVm@24 ; MiDeleteSystemPagableVm(x,x,x,x,x,x)

loc_849D25:				; CODE XREF: MiFreeInitializationCode+108j
					; MiFreeInitializationCode+148j
		mov	esi, [ebp+var_1C]
		test	esi, esi
		jnz	short loc_849D33

loc_849D2C:				; CODE XREF: MiFreeInitializationCode+100j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_849D33:				; CODE XREF: MiFreeInitializationCode+B2j
		sub	[ebx+18h], esi
		sub	[ebx+1Ch], esi
		mov	eax, [ebp+var_C]
		cmp	eax, ds:_PsNtosImageBase
		jz	loc_8FBF30
		cmp	eax, ds:_PsHalImageBase
		jz	loc_8FBF30
		mov	eax, esi
		mov	ecx, offset unk_6D362C
		neg	eax
		lock xadd [ecx], eax

loc_849D61:				; CODE XREF: MiFreeInitializationCode+B22BEj
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_MiReturnResident@8 ; MiReturnResident(x,x)
		sub	esi, [ebp+var_24]
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	MiReturnCommit
		jmp	short loc_849D2C
; 

loc_849D7A:				; CODE XREF: MiFreeInitializationCode+84j
		xor	edx, edx
		jmp	short loc_849D0D
; 

loc_849D7E:				; CODE XREF: MiFreeInitializationCode+76j
		test	edi, edi
		jz	short loc_849D25

loc_849D82:				; CODE XREF: MiFreeInitializationCode+14Ej
		mov	ecx, esi
		call	_MiVaToPfn@4	; MiVaToPfn(x)
		mov	edx, eax
		imul	ecx, edx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		cmp	word ptr [ecx+14h], 2
		jnz	short loc_849DC8
		and	eax, 1FFh
		mov	esi, 200h
		sub	esi, eax
		cmp	esi, edi
		jbe	short loc_849DAD
		mov	esi, edi

loc_849DAD:				; CODE XREF: MiFreeInitializationCode+131j
		push	esi
		call	MiFreeLargeInitializationCodePages
		mov	eax, esi
		shl	eax, 0Ch
		add	[ebp+var_4], eax
		sub	edi, esi
		mov	esi, [ebp+var_4]
		jz	loc_849D25
		jmp	short loc_849D82
; 

loc_849DC8:				; CODE XREF: MiFreeInitializationCode+121j
		call	_MiBadRefCount@4 ; MiBadRefCount(x)
		int	3		; Trap to Debugger
MiFreeInitializationCode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDisablePagingOfDriver(x)
_MiDisablePagingOfDriver@4 proc	near	; CODE XREF: MiHandleDriverNonPagedSections+5Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ebx
		push	edi
		mov	ecx, [ebx+18h]
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], esi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	short loc_849E31
		mov	edi, esi

loc_849DF4:				; CODE XREF: MiDisablePagingOfDriver(x)+61j
		lea	eax, [ebp+var_C]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	4
		mov	ecx, ebx
		call	MiSnapDriverRange
		mov	edx, [ebp+var_4]
		mov	esi, eax
		test	edx, edx
		jz	short loc_849E2D
		test	edi, edi
		jnz	short loc_849E36

loc_849E15:				; CODE XREF: MiDisablePagingOfDriver(x)+6Aj
					; MiDisablePagingOfDriver(x)+71j
		mov	ebx, [ebp+var_C]
		cmp	edx, ebx
		ja	short loc_849E2A
		mov	ecx, [ebp+var_8]
		push	2
		push	ebx
		call	_MiLockCode@16	; MiLockCode(x,x,x,x)
		lea	edi, [ebx+8]

loc_849E2A:				; CODE XREF: MiDisablePagingOfDriver(x)+4Cj
		mov	ebx, [ebp+var_8]

loc_849E2D:				; CODE XREF: MiDisablePagingOfDriver(x)+41j
		test	esi, esi
		jnz	short loc_849DF4

loc_849E31:				; CODE XREF: MiDisablePagingOfDriver(x)+22j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_849E36:				; CODE XREF: MiDisablePagingOfDriver(x)+45j
		cmp	edx, edi
		jnb	short loc_849E15
		mov	edx, edi
		mov	[ebp+var_4], edx
		jmp	short loc_849E15
_MiDisablePagingOfDriver@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSnapDriverRange proc near		; CODE XREF: MiBackSingleImageWithPagefile(x)+22p
					; MiFreeDriverInitialization(x)+32p ...

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008FBF3B SIZE 0000007A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_34], edx
		mov	edx, ecx
		mov	[ebp+var_2C], ebx
		mov	ecx, [ebp+arg_C]
		push	esi
		mov	[eax], ebx
		push	edi
		mov	[ecx], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	ebx, [edx+18h]
		push	ebx
		mov	[ebp+var_54], edx
		mov	[ebp+var_48], eax
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_3C], ebx
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	edx, eax
		mov	[ebp+var_5C], edx
		mov	eax, [edx+38h]
		mov	esi, eax
		mov	[ebp+var_58], eax
		mov	eax, 1000h
		mov	[ebp+var_38], esi
		cmp	esi, eax
		ja	loc_8FBF3B

loc_849EB2:				; CODE XREF: MiSnapDriverRange+B20FEj
		movzx	eax, word ptr [edx+6]
		mov	ecx, [ebp+var_34]
		mov	[ebp+var_44], eax
		cmp	ecx, eax
		ja	loc_84A06B
		movzx	edi, word ptr [edx+14h]
		imul	eax, 28h
		mov	[ebp+var_60], edi
		mov	[ebp+var_8], 40000000h
		add	eax, 18h
		add	eax, edi
		add	eax, edx
		sub	eax, ebx
		xor	ebx, ebx
		and	[ebp+var_30], ebx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_0]
		and	eax, 8
		mov	[ebp+var_50], eax

loc_849EF2:				; CODE XREF: MiSnapDriverRange+14Bj
		test	ecx, ecx
		jz	loc_84A020
		imul	eax, ecx, 28h
		add	eax, edi
		lea	edi, [edx-10h]
		add	edi, eax

loc_849F04:				; CODE XREF: MiSnapDriverRange+1E1j
		mov	ecx, [edi+10h]
		mov	eax, [edi+8]
		mov	[ebp+var_40], ecx
		cmp	ecx, eax
		jb	loc_84A08C

loc_849F15:				; CODE XREF: MiSnapDriverRange+24Dj
		cmp	[ebp+var_50], 0
		jnz	loc_84A094
		mov	eax, [ebp+arg_0]
		test	al, 1
		jnz	loc_849FF5
		test	al, 4
		jnz	loc_849FD5
		test	al, 10h
		jnz	loc_8FBF45
		test	al, 20h
		jnz	loc_8FBF53
		mov	eax, [edi]
		test	eax, eax
		jz	loc_84A0C5

loc_849F4C:				; CODE XREF: MiSnapDriverRange+288j
		mov	ecx, [ebp+var_54]
		mov	esi, [edi+24h]
		and	esi, 2000000h
		test	dword ptr [ecx+34h], 4000000h
		jnz	loc_84A07E

loc_849F65:				; CODE XREF: MiSnapDriverRange+1AEj
					; MiSnapDriverRange+1BCj ...
		test	esi, esi
		jnz	short loc_849F92
		mov	esi, [ebp+var_38]

loc_849F6C:				; CODE XREF: MiSnapDriverRange+B2114j
					; MiSnapDriverRange+B211Ej ...
		mov	eax, [ebp+var_30]

loc_849F6F:				; CODE XREF: MiSnapDriverRange+191j
		test	ebx, ebx
		jnz	loc_84A0A8

loc_849F77:				; CODE XREF: MiSnapDriverRange+18Fj
					; MiSnapDriverRange+292j
		mov	ecx, [ebp+var_34]
		inc	ecx
		mov	[ebp+var_34], ecx
		cmp	ecx, [ebp+var_44]
		ja	loc_84A028
		mov	edx, [ebp+var_5C]
		mov	edi, [ebp+var_60]
		jmp	loc_849EF2
; 

loc_849F92:				; CODE XREF: MiSnapDriverRange+125j
					; MiSnapDriverRange+B214Cj
		mov	edx, [edi+0Ch]
		test	ebx, ebx
		jz	short loc_84A003

loc_849F99:				; CODE XREF: MiSnapDriverRange+1D9j
		mov	esi, [ebp+var_38]
		lea	eax, [edx+esi]
		mov	edx, [ebp+var_40]
		add	eax, [ebp+var_3C]
		dec	edx
		add	edx, eax
		mov	eax, esi
		neg	eax
		and	edx, eax
		mov	ecx, edx
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	[ebp+var_30], eax
		test	edx, 0FFFh
		jnz	loc_8FBF93

loc_849FC4:				; CODE XREF: MiSnapDriverRange+B2155j
					; MiSnapDriverRange+B2167j
		sub	eax, 8
		mov	[ebp+var_30], eax

loc_849FCA:				; CODE XREF: MiSnapDriverRange+B2161j
		cmp	[ebp+var_58], 1000h
		jbe	short loc_849F77
		jmp	short loc_849F6F
; 

loc_849FD5:				; CODE XREF: MiSnapDriverRange+EAj
		mov	esi, [edi+24h]
		mov	ecx, edi
		and	esi, 0E0000000h
		call	MmImageSectionPagable
		neg	eax
		sbb	eax, eax
		inc	eax
		neg	esi
		sbb	esi, esi

loc_849FEE:				; CODE XREF: MiSnapDriverRange+245j
		and	esi, eax
		jmp	loc_849F65
; 

loc_849FF5:				; CODE XREF: MiSnapDriverRange+E2j
		mov	ecx, edi
		call	MmImageSectionPagable
		mov	esi, eax
		jmp	loc_849F65
; 

loc_84A003:				; CODE XREF: MiSnapDriverRange+155j
		mov	ecx, [ebp+var_3C]
		add	ecx, 0FFFh
		add	ecx, edx
		and	ecx, 0FFFFF000h
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ebx, eax
		jmp	loc_849F99
; 

loc_84A020:				; CODE XREF: MiSnapDriverRange+B2j
		lea	edi, [ebp+var_2C]
		jmp	loc_849F04
; 

loc_84A028:				; CODE XREF: MiSnapDriverRange+13Fj
		test	ebx, ebx
		jz	short loc_84A06B
		mov	ecx, [edi+10h]
		mov	eax, [edi+8]
		cmp	ecx, eax
		jb	loc_8FBFAE

loc_84A03A:				; CODE XREF: MiSnapDriverRange+B216Ej
		mov	eax, [edi+0Ch]
		dec	eax
		add	eax, esi
		neg	esi
		add	eax, [ebp+var_3C]
		add	ecx, eax
		and	ecx, esi
		add	ecx, 0FFFh
		and	ecx, 0FFFFF000h
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		sub	eax, 8
		cmp	ebx, eax
		ja	short loc_84A06B
		mov	ecx, [ebp+var_48]
		mov	[ecx], ebx
		mov	ecx, [ebp+var_4C]
		mov	[ecx], eax

loc_84A06B:				; CODE XREF: MiSnapDriverRange+7Cj
					; MiSnapDriverRange+1E8j ...
		xor	eax, eax

loc_84A06D:				; CODE XREF: MiSnapDriverRange+281j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_84A07E:				; CODE XREF: MiSnapDriverRange+11Dj
		sub	eax, 54494E49h
		neg	eax
		sbb	eax, eax
		jmp	loc_849FEE
; 

loc_84A08C:				; CODE XREF: MiSnapDriverRange+CDj
		mov	[ebp+var_40], eax
		jmp	loc_849F15
; 

loc_84A094:				; CODE XREF: MiSnapDriverRange+D7j
		mov	esi, [edi+24h]
		and	esi, 0E0000000h
		neg	esi
		sbb	esi, esi
		neg	esi
		jmp	loc_849F65
; 

loc_84A0A8:				; CODE XREF: MiSnapDriverRange+12Fj
		cmp	ebx, eax
		ja	short loc_84A0D2
		mov	ecx, [ebp+var_48]
		mov	[ecx], ebx
		mov	ecx, [ebp+var_4C]
		mov	[ecx], eax
		mov	ecx, [ebp+var_34]
		inc	ecx
		cmp	[ebp+var_44], ecx
		sbb	eax, eax
		not	eax
		and	eax, ecx
		jmp	short loc_84A06D
; 

loc_84A0C5:				; CODE XREF: MiSnapDriverRange+104j
		lea	ecx, [ebp+var_2C]
		cmp	edi, ecx
		jz	loc_849F4C
		jmp	short loc_84A06B
; 

loc_84A0D2:				; CODE XREF: MiSnapDriverRange+268j
		xor	ebx, ebx
		jmp	loc_849F77
MiSnapDriverRange endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiChargeSystemImageCommitment(x, x)
_MiChargeSystemImageCommitment@8 proc near ; CODE XREF:	MiMapSystemImage+3Dp
					; MiMapSystemImage+B12CDp ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	eax, [eax]
		mov	edx, [eax+4]
		test	edx, edx
		jz	short loc_84A104
		mov	ecx, offset _MiSystemPartition
		cmp	esi, 1
		jnz	short loc_84A10F
		push	0
		push	0
		call	MiAcquireNonPagedResources
		test	eax, eax
		js	short loc_84A108

loc_84A104:				; CODE XREF: MiChargeSystemImageCommitment(x,x)+11j
					; MiChargeSystemImageCommitment(x,x)+3Aj
		xor	eax, eax
		pop	esi
		retn
; 

loc_84A108:				; CODE XREF: MiChargeSystemImageCommitment(x,x)+28j
		mov	eax, 0C000009Ah
		pop	esi
		retn
; 

loc_84A10F:				; CODE XREF: MiChargeSystemImageCommitment(x,x)+1Bj
		call	_MiReleaseNonPagedResources@8 ;	MiReleaseNonPagedResources(x,x)
		jmp	short loc_84A104
_MiChargeSystemImageCommitment@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiImageSuitableForSystem(x,	x)
_MiImageSuitableForSystem@8 proc near	; CODE XREF: MiGetSystemAddressForImage+87p
					; MiGetSystemAddressForImage+B206Ep
		mov	eax, [ecx+38h]
		cmp	dword ptr [eax+10h], 0
		jz	short loc_84A134
		mov	dword ptr [edx], 1
		test	dword ptr [ecx+1Ch], 10000000h
		jz	short loc_84A137
		mov	eax, [ecx]
		mov	eax, [eax+18h]
		retn
; 

loc_84A134:				; CODE XREF: MiImageSuitableForSystem(x,x)+7j
		and	dword ptr [edx], 0

loc_84A137:				; CODE XREF: MiImageSuitableForSystem(x,x)+16j
		xor	eax, eax
		retn
_MiImageSuitableForSystem@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetSystemAddressForImage proc	near	; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+181p

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= word ptr -64h
var_62		= word ptr -62h
var_60		= word ptr -60h
var_5E		= word ptr -5Eh
var_5C		= word ptr -5Ch
var_5A		= word ptr -5Ah
var_58		= word ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FBFB5 SIZE 00000198 BYTES
; FUNCTION CHUNK AT 008FC163 SIZE 0000009D BYTES

		push	0BCh
		push	offset dword_6A4778
		call	__SEH_prolog4_GS
		mov	[ebp+var_B4], edx
		mov	esi, ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_BC], eax
		xor	ebx, ebx
		mov	[ebp+var_C0], ebx
		push	64h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_88]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_B0]
		rep stosd
		xor	edi, edi
		inc	edi
		mov	eax, [ebp+var_BC]
		mov	[eax], edi
		mov	ecx, esi
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	esi, eax
		mov	[ebp+var_B8], esi
		mov	ecx, [esi]
		mov	ecx, [ecx+4]
		shl	ecx, 0Ch
		call	_MiBytesToMapSystemImage@4 ; MiBytesToMapSystemImage(x)
		test	eax, eax
		jz	loc_84A33E
		shr	eax, 0Ch
		mov	[ebp+var_C8], eax
		lea	edx, [ebp+var_C0]
		mov	ecx, esi
		call	_MiImageSuitableForSystem@8 ; MiImageSuitableForSystem(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_84A1FA
		mov	eax, _PsLoadedModuleList
		mov	[ebp+var_C4], eax
		cmp	eax, offset _PsLoadedModuleList
		jz	short loc_84A1FA
		mov	edx, ecx

loc_84A1E0:				; CODE XREF: MiGetSystemAddressForImage+BEj
		mov	ecx, [eax+3Ch]
		test	ecx, ecx
		jnz	loc_84A26B

loc_84A1EB:				; CODE XREF: MiGetSystemAddressForImage+144j
		mov	eax, [eax]
		mov	[ebp+var_C4], eax
		cmp	eax, offset _PsLoadedModuleList
		jnz	short loc_84A1E0

loc_84A1FA:				; CODE XREF: MiGetSystemAddressForImage+90j
					; MiGetSystemAddressForImage+A2j
		mov	eax, ebx

loc_84A1FC:				; CODE XREF: MiGetSystemAddressForImage+1FFj
		test	esi, esi
		jz	loc_84A30A
		cmp	eax, edi
		mov	eax, [ebp+var_B4]
		jz	short loc_84A283
		test	al, 2
		jnz	short loc_84A283
		mov	edx, eax
		and	edx, edi
		jnz	loc_84A2EB

loc_84A21C:				; CODE XREF: MiGetSystemAddressForImage+1BAj
					; MiGetSystemAddressForImage+1CAj
		test	edx, edx
		jnz	short loc_84A23F
		mov	ecx, esi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, edi
		jz	loc_84A30A
		mov	ecx, esi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	loc_84A30A

loc_84A23F:				; CODE XREF: MiGetSystemAddressForImage+E4j
		test	ds:_MiFlags, 8000h
		jnz	loc_8FBFB5

loc_84A24F:				; CODE XREF: MiGetSystemAddressForImage+1ACj
					; MiGetSystemAddressForImage+B1E84j
		test	edx, edx
		jnz	loc_84A315

loc_84A257:				; CODE XREF: MiGetSystemAddressForImage+1EAj
		mov	eax, esi

loc_84A259:				; CODE XREF: MiGetSystemAddressForImage+206j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_84A26B:				; CODE XREF: MiGetSystemAddressForImage+ABj
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		cmp	edx, eax
		jz	loc_84A32F
		mov	eax, [ebp+var_C4]
		jmp	loc_84A1EB
; 

loc_84A283:				; CODE XREF: MiGetSystemAddressForImage+D2j
					; MiGetSystemAddressForImage+D6j ...
		and	eax, edi
		mov	[ebp+var_CC], eax
		inc	eax
		mov	[ebp+var_BC], eax
		cmp	[ebp+var_C0], ebx
		jz	loc_8FBFC9

loc_84A29E:				; CODE XREF: MiGetSystemAddressForImage+B207Aj
					; MiGetSystemAddressForImage+B208Dj
		mov	edx, [ebp+var_C8]
		mov	ecx, [ebp+var_BC]
		call	_MiSelectSystemImageAddress@8 ;	MiSelectSystemImageAddress(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_84A33E
		test	ds:_MiFlags, 8000h
		jnz	loc_8FC1CC

loc_84A2C9:				; CODE XREF: MiGetSystemAddressForImage+B209Dj
		mov	ebx, edi
		mov	edx, esi
		mov	ecx, [ebp+var_B8]
		call	MiAddPrivateFixupEntryForSystemImage
		test	eax, eax
		jz	loc_8FC1E5
		mov	edx, [ebp+var_CC]
		jmp	loc_84A24F
; 

loc_84A2EB:				; CODE XREF: MiGetSystemAddressForImage+DCj
		mov	ecx, esi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, edi
		jz	loc_84A21C
		mov	ecx, esi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	loc_84A21C

loc_84A30A:				; CODE XREF: MiGetSystemAddressForImage+C4j
					; MiGetSystemAddressForImage+EFj ...
		mov	eax, [ebp+var_B4]
		jmp	loc_84A283
; 

loc_84A315:				; CODE XREF: MiGetSystemAddressForImage+117j
		mov	edx, [ebp+var_B8]
		mov	ecx, esi
		call	MiSessionInsertImage
		test	eax, eax
		jns	loc_84A257
		jmp	loc_8FC1FA
; 

loc_84A32F:				; CODE XREF: MiGetSystemAddressForImage+138j
		mov	eax, [ebp+var_BC]
		mov	[eax], ebx
		mov	eax, edi
		jmp	loc_84A1FC
; 

loc_84A33E:				; CODE XREF: MiGetSystemAddressForImage+70j
					; MiGetSystemAddressForImage+179j ...
		xor	eax, eax
		jmp	loc_84A259
MiGetSystemAddressForImage endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiConstructLoaderEntry(void *,int,int,int)
MiConstructLoaderEntry proc near	; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+3C2p
					; MiInitializeLoadedModuleList(x)+77p

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008FC200 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		push	ebx
		push	esi
		push	edi
		push	50h		; size_t
		xor	esi, esi
		mov	[ebp+var_18], edx
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_C], ecx
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	edi, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [ebp+arg_C]
		mov	ebx, esi
		mov	edx, 54446D4Dh
		mov	[ebp+var_40], esi
		mov	[ebp+var_28], ebx
		movzx	ecx, word ptr [edi]
		push	esi
		add	ecx, 2
		mov	[eax], esi
		push	100h
		mov	[ebp+var_30], esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	loc_8FC200
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		mov	word ptr [ebp+var_40], ax
		push	ecx		; void *
		mov	word ptr [ebp+var_40+2], ax
		call	_memcpy
		movzx	eax, word ptr [edi]
		xor	edx, edx
		mov	ecx, [ebp+var_10]
		add	esp, 0Ch
		shr	eax, 1
		mov	[ecx+eax*2], dx
		mov	eax, [ebp+var_C]
		mov	eax, [eax+18h]
		push	eax
		mov	[ebp+var_8], eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	ecx, eax
		xor	edx, edx
		mov	eax, [ebp+arg_4]
		inc	edx
		mov	[ebp+var_44], eax
		and	eax, edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_2C], eax
		jnz	loc_84A8BD
		movzx	edi, word ptr [ecx+6]
		or	eax, 0FFFFFFFFh
		xor	edx, edx
		mov	[ebp+var_34], edi
		div	edi
		cmp	eax, 4
		jb	loc_8FC207

loc_84A409:				; CODE XREF: MiConstructLoaderEntry+57Aj
		mov	edi, esi
		mov	[ebp+arg_0], esi
		mov	[ebp+arg_4], edi
		mov	[ebp+var_24], esi
		mov	[ebp+var_38], 1Ch
		cmp	[ebp+var_2C], ebx
		jnz	loc_84A6EA

loc_84A424:				; CODE XREF: MiConstructLoaderEntry+3AEj
					; MiConstructLoaderEntry+443j
		mov	eax, [ecx+50h]
		mov	ecx, eax
		and	ecx, 0FFFh
		neg	ecx
		push	0
		sbb	ecx, ecx
		shr	eax, 0Ch
		neg	ecx
		add	ecx, eax
		test	cl, 1Fh
		pop	eax
		setnz	al
		shr	ecx, 5
		add	eax, 2
		add	eax, ecx
		shl	eax, 2
		mov	[ebp+var_4], eax
		add	eax, 9Eh
		cmp	eax, 9Eh
		jbe	loc_8FC20E
		test	edi, edi
		jnz	loc_84A8C5

loc_84A469:				; CODE XREF: MiConstructLoaderEntry+58Cj
		mov	ecx, [ebp+var_18]
		movzx	ecx, word ptr [ecx]
		add	ecx, 3
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_1C], ecx
		add	ecx, eax
		cmp	ecx, eax
		jbe	loc_8FC20E
		mov	eax, [ebp+var_34]
		test	eax, eax
		jz	short loc_84A496
		lea	eax, [ecx+eax*4]
		cmp	eax, ecx
		jbe	loc_8FC20E
		mov	ecx, eax

loc_84A496:				; CODE XREF: MiConstructLoaderEntry+141j
		push	esi
		push	40h
		mov	edx, 644C6D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_28], ebx
		test	ebx, ebx
		jz	loc_8FC215
		mov	eax, [ebp+var_C]
		mov	eax, [eax+3Ch]
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_84A4F4
		mov	ecx, eax
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		push	esi
		mov	eax, [eax]
		mov	eax, [eax+4]
		mov	ecx, eax
		and	ecx, 0FFFh
		neg	ecx
		sbb	ecx, ecx
		shr	eax, 0Ch
		neg	ecx
		add	ecx, eax
		mov	[ebp+var_30], ecx
		mov	edx, ecx
		mov	ecx, offset _MiSystemPartition
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jz	loc_8FC215

loc_84A4F4:				; CODE XREF: MiConstructLoaderEntry+175j
		mov	edx, [ebp+var_30]
		lea	eax, [ebx+9Ch]
		mov	[ebx+98h], eax
		add	eax, [ebp+var_4]
		cmp	[ebp+var_34], 0
		mov	[ebx+7Ch], edx
		mov	[ebx+94h], esi
		mov	[ebp+var_4], eax
		lea	edx, [eax+edi]
		mov	[ebx+90h], eax
		jz	short loc_84A52C
		mov	eax, [ebp+var_1C]
		add	eax, edx
		mov	[ebx+80h], eax

loc_84A52C:				; CODE XREF: MiConstructLoaderEntry+1D9j
		mov	esi, [ebp+var_C]
		mov	edi, ebx
		push	17h
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_20]
		push	5
		pop	eax
		cmp	[edi+40h], ax
		jb	short loc_84A54F
		cmp	[edi+44h], ax
		jb	short loc_84A54F
		or	dword ptr [ebx+34h], 8000000h

loc_84A54F:				; CODE XREF: MiConstructLoaderEntry+1FAj
					; MiConstructLoaderEntry+200j
		test	byte ptr [edi+5Eh], 80h
		jnz	loc_84A6DB

loc_84A559:				; CODE XREF: MiConstructLoaderEntry+399j
		mov	esi, [ebp+var_18]
		mov	[ebx+30h], edx
		mov	ax, [esi]
		mov	[ebx+2Ch], ax
		mov	ax, [esi]
		mov	[ebx+2Eh], ax
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		push	edx		; void *
		call	_memcpy
		movzx	ecx, word ptr [esi]
		xor	edx, edx
		mov	eax, [ebx+30h]
		xor	esi, esi
		shr	ecx, 1
		add	esp, 0Ch
		mov	[eax+ecx*2], dx
		mov	eax, [ebp+var_40]
		mov	[ebx+24h], eax
		mov	eax, [ebp+var_10]
		mov	[ebx+28h], eax
		mov	[ebx+14h], esi
		cmp	[ebp+var_2C], edx
		jnz	loc_84A78E

loc_84A5A5:				; CODE XREF: MiConstructLoaderEntry+49Aj
					; MiConstructLoaderEntry+4CBj ...
		mov	eax, [edi+28h]
		add	eax, [ebp+var_8]
		mov	[ebx+1Ch], eax
		mov	eax, [edi+58h]
		mov	[ebx+40h], eax
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_84A5FF
		mov	ecx, eax
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	dx, [ebx+3Ah]
		mov	esi, eax
		mov	eax, 0FFF0h
		and	dx, ax
		mov	ecx, [esi]
		mov	cl, [ecx+0Bh]
		shr	cl, 4
		movzx	ecx, cl
		or	cx, dx
		mov	[ebx+3Ah], cx
		and	ecx, 0FF8Fh
		mov	eax, [esi]
		mov	al, [eax+0Bh]
		shr	al, 1
		and	al, 7
		movzx	eax, al
		shl	ax, 4
		or	ax, cx
		mov	[ebx+3Ah], ax

loc_84A5FF:				; CODE XREF: MiConstructLoaderEntry+273j
		mov	eax, [edi+50h]
		mov	ecx, ebx
		mov	[ebx+54h], eax
		mov	eax, [edi+8]
		mov	[ebx+58h], eax
		call	_MiCaptureImageExceptionValues@4 ; MiCaptureImageExceptionValues(x)
		mov	ecx, ebx
		call	MiLockdownSections
		cmp	[ebp+var_14], 0
		jz	loc_84A6D0
		mov	eax, [esi]
		mov	eax, [eax+4]

loc_84A628:				; CODE XREF: MiConstructLoaderEntry+390j
		cmp	[ebp+var_2C], 0
		lea	edi, [ebx+5Ch]
		mov	[ebp+arg_0], eax
		jnz	short loc_84A657
		mov	edx, [ebp+var_8]
		mov	[edi+18h], eax
		mov	[edi+1Ch], eax
		mov	ecx, ds:_PsNtosImageBase
		cmp	edx, ecx
		jz	loc_84A8E2
		cmp	edx, ds:_PsHalImageBase
		jz	loc_84A8F0

loc_84A657:				; CODE XREF: MiConstructLoaderEntry+2ECj
					; MiConstructLoaderEntry+5A5j
		cmp	[ebp+arg_8], 0
		jz	loc_84A8D7

loc_84A661:				; CODE XREF: MiConstructLoaderEntry+597j
		test	ds:byte_7051AC,	1
		jnz	short loc_84A6E4
		test	byte ptr [ebp+var_44], 2
		jnz	short loc_84A6E4

loc_84A670:				; CODE XREF: MiConstructLoaderEntry+3A2j
		mov	ecx, ebx
		call	ExCovAddInfoToLoaderEntry
		xor	eax, eax
		mov	ecx, ebx
		lea	edx, [eax+1]
		call	_MiProcessLoaderEntry@8	; MiProcessLoaderEntry(x,x)
		cmp	[ebp+var_14], 0
		jz	short loc_84A6C2
		cmp	[ebp+var_2C], 0
		jnz	short loc_84A6C2
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		mov	eax, ecx
		mov	dword ptr [edi+10h], 0FFFFFFFEh
		or	eax, 3
		dec	ecx
		mov	[edi+8], eax
		mov	eax, [ebp+arg_0]
		shl	eax, 0Ch
		add	eax, ecx
		lea	ecx, [ebp+var_A0]
		mov	[edi+0Ch], eax
		push	3
		mov	[ebp+var_A0], esi
		call	MiManageSubsectionView

loc_84A6C2:				; CODE XREF: MiConstructLoaderEntry+341j
					; MiConstructLoaderEntry+347j
		mov	eax, [ebp+arg_C]
		mov	[eax], ebx
		xor	eax, eax

loc_84A6C9:				; CODE XREF: MiConstructLoaderEntry+B1EEAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_84A6D0:				; CODE XREF: MiConstructLoaderEntry+2D7j
		mov	eax, [ebx+20h]
		shr	eax, 0Ch
		jmp	loc_84A628
; 

loc_84A6DB:				; CODE XREF: MiConstructLoaderEntry+20Dj
		or	dword ptr [ebx+34h], 20h
		jmp	loc_84A559
; 

loc_84A6E4:				; CODE XREF: MiConstructLoaderEntry+322j
					; MiConstructLoaderEntry+328j
		or	dword ptr [edi+14h], 10h
		jmp	short loc_84A670
; 

loc_84A6EA:				; CODE XREF: MiConstructLoaderEntry+D8j
		cmp	dword ptr [ecx+74h], 6
		push	20h
		pop	edi
		mov	[ebp+arg_4], edi
		jbe	loc_84A424
		lea	edx, [ecx+0A8h]
		mov	eax, [edx]
		mov	[ebp+var_24], edx
		test	eax, eax
		jz	short loc_84A780
		mov	edx, [edx+4]
		test	edx, edx
		jz	short loc_84A780
		lea	edi, [edx+eax]
		mov	[ebp+var_4], edi
		cmp	edi, eax
		mov	edi, [ebp+arg_4]
		jbe	short loc_84A780
		mov	ebx, [ecx+50h]
		cmp	[ebp+var_4], ebx
		mov	[ebp+var_14], ebx
		mov	ebx, esi
		jnb	short loc_84A780
		add	eax, [ebp+var_8]
		lea	edi, [edx+20h]
		mov	[ebp+arg_0], eax
		mov	eax, edx
		xor	edx, edx
		mov	[ebp+arg_4], esi
		div	[ebp+var_38]
		mov	edx, [ebp+arg_0]
		test	eax, eax
		jz	short loc_84A777
		mov	esi, [ebp+var_14]
		mov	ecx, eax
		mov	[ebp+arg_4], eax

loc_84A74C:				; CODE XREF: MiConstructLoaderEntry+427j
		mov	eax, [edx+14h]
		test	eax, eax
		jz	short loc_84A765
		cmp	eax, esi
		jnb	short loc_84A765
		mov	ebx, [edx+10h]
		add	eax, ebx
		mov	[ebp+arg_0], ebx
		cmp	eax, esi
		jnb	short loc_84A765
		add	edi, ebx

loc_84A765:				; CODE XREF: MiConstructLoaderEntry+40Bj
					; MiConstructLoaderEntry+40Fj ...
		push	1Ch
		pop	eax
		add	edx, eax
		sub	ecx, 1
		jnz	short loc_84A74C
		mov	ebx, [ebp+var_28]
		xor	esi, esi
		mov	ecx, [ebp+var_20]

loc_84A777:				; CODE XREF: MiConstructLoaderEntry+3FCj
		imul	eax, [ebp+arg_4], var_1C
		add	edx, eax
		mov	[ebp+arg_0], edx

loc_84A780:				; CODE XREF: MiConstructLoaderEntry+3C1j
					; MiConstructLoaderEntry+3C8j ...
		add	edi, 3
		and	edi, 0FFFFFFFCh
		mov	[ebp+arg_4], edi
		jmp	loc_84A424
; 

loc_84A78E:				; CODE XREF: MiConstructLoaderEntry+259j
		or	dword ptr [ebx+34h], 20000000h
		mov	eax, 494Eh
		mov	ecx, [ebp+var_4]
		mov	[ebx+14h], ecx
		mov	[ecx], ax
		xor	eax, eax
		inc	eax
		mov	[ecx+2], ax
		mov	eax, [ebp+arg_4]
		mov	[ecx+4], eax
		mov	ax, [edi+4]
		mov	[ecx+8], ax
		mov	ax, [edi+16h]
		mov	[ecx+0Ah], ax
		mov	eax, [edi+8]
		mov	[ecx+0Ch], eax
		mov	eax, [edi+58h]
		mov	[ecx+10h], eax
		mov	eax, [edi+50h]
		mov	[ecx+14h], eax
		mov	eax, [ebp+var_8]
		mov	[ecx+18h], eax
		mov	eax, [ebp+arg_0]
		mov	[ecx+1Ch], esi
		test	eax, eax
		jz	loc_84A5A5
		mov	edx, [ebp+var_24]
		add	ecx, 20h
		mov	[ebp+var_10], ecx
		push	dword ptr [edx+4] ; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [ebp+var_24]
		add	esp, 0Ch
		xor	edx, edx
		mov	[ebp+arg_4], esi
		mov	eax, [eax+4]
		push	1Ch
		pop	ecx
		mov	[ebp+var_1C], eax
		div	ecx
		test	eax, eax
		jz	loc_84A5A5
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_4]
		add	ecx, 10h
		mov	ebx, [ebp+var_1C]
		add	eax, 34h
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_18], eax

loc_84A82C:				; CODE XREF: MiConstructLoaderEntry+569j
		mov	eax, [ecx+4]
		mov	edx, [ecx]
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], edx
		test	eax, eax
		jz	loc_84A8FC
		mov	ecx, [edi+50h]
		cmp	eax, ecx
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+arg_0]
		jnb	loc_84A8FC
		lea	edi, [edx+eax]
		mov	[ebp+var_30], edi
		cmp	edi, eax
		mov	edi, [ebp+var_20]
		jbe	loc_84A8FC
		mov	edi, [ebp+var_1C]
		cmp	[ebp+var_30], edi
		mov	edi, [ebp+var_20]
		jnb	loc_84A8FC
		add	eax, [ebp+var_8]
		push	edx		; size_t
		push	eax		; void *
		mov	eax, [ebp+var_10]
		add	eax, ebx
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		add	ebx, [ebp+var_C]

loc_84A889:				; CODE XREF: MiConstructLoaderEntry+5B9j
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+var_4]
		push	1Ch
		mov	[eax], edx
		pop	edx
		add	eax, edx
		add	ecx, edx
		mov	[ebp+var_18], eax
		xor	edx, edx
		mov	eax, [ebp+var_24]
		inc	[ebp+arg_4]
		mov	[ebp+arg_0], ecx
		mov	eax, [eax+4]
		div	[ebp+var_38]
		cmp	[ebp+arg_4], eax
		jb	loc_84A82C
		mov	ebx, [ebp+var_28]
		jmp	loc_84A5A5
; 

loc_84A8BD:				; CODE XREF: MiConstructLoaderEntry+A6j
		mov	[ebp+var_34], esi
		jmp	loc_84A409
; 

loc_84A8C5:				; CODE XREF: MiConstructLoaderEntry+11Dj
		lea	ecx, [eax+edi]
		cmp	ecx, eax
		jbe	loc_8FC20E
		mov	eax, ecx
		jmp	loc_84A469
; 

loc_84A8D7:				; CODE XREF: MiConstructLoaderEntry+315j
		xor	eax, eax
		inc	eax
		or	[edi+14h], eax
		jmp	loc_84A661
; 

loc_84A8E2:				; CODE XREF: MiConstructLoaderEntry+2FFj
					; MiConstructLoaderEntry+5ACj
		sub	eax, ds:_MxKernelFreedGapCharges

loc_84A8E8:				; CODE XREF: MiConstructLoaderEntry+5B4j
		mov	[edi+18h], eax
		jmp	loc_84A657
; 

loc_84A8F0:				; CODE XREF: MiConstructLoaderEntry+30Bj
		cmp	edx, ecx
		jz	short loc_84A8E2
		sub	eax, ds:_MxHalFreedGapCharges
		jmp	short loc_84A8E8
; 

loc_84A8FC:				; CODE XREF: MiConstructLoaderEntry+4F3j
					; MiConstructLoaderEntry+504j ...
		mov	[ebp+var_4], esi
		jmp	short loc_84A889
MiConstructLoaderEntry endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExCovAddInfoToLoaderEntry proc near	; CODE XREF: MiConstructLoaderEntry+32Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 008FC235 SIZE 00000159 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edi
		mov	[esi+48h], edi
		cmp	_ExCovMaxPagedPoolToUse, edi
		jz	short loc_84A932
		mov	ecx, [esi+18h]
		lea	edx, [ebp+var_8]
		call	ExpCovGetSectionInfo
		test	eax, eax
		jnz	loc_8FC235

loc_84A932:				; CODE XREF: ExCovAddInfoToLoaderEntry+1Bj
					; ExCovAddInfoToLoaderEntry+B1951j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
ExCovAddInfoToLoaderEntry endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpCovGetSectionInfo proc near		; CODE XREF: ExCovAddInfoToLoaderEntry+23p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FC38E SIZE 00000066 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		mov	esi, ecx
		push	edi
		push	esi
		mov	[ebp+var_4], eax
		and	dword ptr [eax], 0
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	short loc_84A97C
		movzx	ebx, word ptr [eax+14h]
		xor	ecx, ecx
		movzx	edi, word ptr [eax+6]
		add	ebx, eax
		lea	edx, [ebx+18h]
		test	edi, edi
		jz	short loc_84A97C

loc_84A968:				; CODE XREF: ExpCovGetSectionInfo+42j
		cmp	dword ptr [edx], 766F632Eh
		jz	loc_8FC38E
		inc	ecx
		add	edx, 28h
		cmp	ecx, edi
		jb	short loc_84A968

loc_84A97C:				; CODE XREF: ExpCovGetSectionInfo+1Bj
					; ExpCovGetSectionInfo+2Ej ...
		xor	eax, eax

loc_84A97E:				; CODE XREF: ExpCovGetSectionInfo+B1AA0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
ExpCovGetSectionInfo endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLockdownSections proc	near		; CODE XREF: MiConstructLoaderEntry+2CEp
					; MiInitializeLoadedModuleList(x)+83p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FC3F4 SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	edx, [ecx+18h]
		push	ebx
		push	esi
		lea	ebx, [ecx+5Ch]
		mov	[ebp+var_C], edx
		xor	esi, esi
		mov	[ebp+var_14], ebx
		test	byte ptr ds:_MiFlags+2,	1
		push	edi
		jnz	loc_8FC3F4

loc_84A9AA:				; CODE XREF: MiLockdownSections+B1A79j
					; MiLockdownSections+B1A82j
		mov	ecx, edx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jz	short loc_84A9C5
		mov	ecx, edx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	short loc_84A9C5
		or	esi, 1

loc_84A9C5:				; CODE XREF: MiLockdownSections+30j
					; MiLockdownSections+3Cj
		test	esi, esi
		jz	short loc_84AA33
		push	edx
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	edi, eax
		xor	edx, edx
		mov	ecx, ebx
		movzx	eax, word ptr [edi+14h]
		add	eax, edi
		mov	[ebp+var_8], eax
		call	_MiLockLoaderEntry@8 ; MiLockLoaderEntry(x,x)
		movzx	ecx, word ptr [edi+6]
		mov	eax, [ebx+3Ch]
		mov	[ebp+var_10], eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	short loc_84AA2A
		mov	edi, [ebp+var_8]
		mov	ebx, [ebp+var_C]
		add	edi, 3Ch

loc_84A9FD:				; CODE XREF: MiLockdownSections+A1j
		xor	eax, eax
		cmp	dword ptr [edi-24h], 766F632Eh
		jz	loc_8FC40B

loc_84AA0C:				; CODE XREF: MiLockdownSections+B1A90j
					; MiLockdownSections+B1A99j
		test	dword ptr [edi], 20000000h
		jnz	short loc_84AA38

loc_84AA14:				; CODE XREF: MiLockdownSections+B7j
		test	eax, esi
		jnz	loc_8FC422

loc_84AA1C:				; CODE XREF: MiLockdownSections+B1AD3j
		dec	ecx
		add	edi, 28h
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jg	short loc_84A9FD
		mov	ebx, [ebp+var_14]

loc_84AA2A:				; CODE XREF: MiLockdownSections+6Ej
		xor	edx, edx
		mov	ecx, ebx
		call	MiUnlockLoaderEntry

loc_84AA33:				; CODE XREF: MiLockdownSections+43j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84AA38:				; CODE XREF: MiLockdownSections+8Ej
		or	eax, 2
		jmp	short loc_84AA14
MiLockdownSections endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCaptureImageExceptionValues(x)
_MiCaptureImageExceptionValues@4 proc near ; CODE XREF:	MiConstructLoaderEntry+2C7p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, [edi+18h]
		push	eax
		mov	[ebp+var_4], eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	esi, [edi+98h]
		mov	ebx, eax
		mov	edx, [edi+20h]
		shr	edx, 0Ch
		push	esi
		lea	ecx, [esi+8]
		mov	[esi], edx
		mov	[esi+4], ecx
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		mov	eax, 400h
		test	[ebx+5Eh], ax
		jnz	short loc_84AAB7
		cmp	dword ptr [ebx+74h], 0Ah
		jbe	short loc_84AAB2
		mov	eax, [ebx+0C8h]
		push	0
		pop	edx
		add	eax, [ebp+var_4]
		jz	short loc_84AAC1
		cmp	[ebx+0CCh], edx
		jz	short loc_84AAC1
		cmp	dword ptr [eax], 48h
		jb	short loc_84AAC1
		mov	ecx, [eax+40h]
		test	ecx, ecx
		jz	short loc_84AAC1
		cmp	[eax+44h], edx
		jz	short loc_84AAC1
		mov	[edi+8], ecx
		mov	eax, [eax+44h]
		mov	[edi+0Ch], eax

loc_84AAB2:				; CODE XREF: MiCaptureImageExceptionValues(x)+42j
					; MiCaptureImageExceptionValues(x)+81j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84AAB7:				; CODE XREF: MiCaptureImageExceptionValues(x)+3Cj
		or	dword ptr [edi+8], 0FFFFFFFFh
		or	dword ptr [edi+0Ch], 0FFFFFFFFh
		jmp	short loc_84AAB2
; 

loc_84AAC1:				; CODE XREF: MiCaptureImageExceptionValues(x)+50j
					; MiCaptureImageExceptionValues(x)+58j	...
		mov	[edi+8], edx
		mov	[edi+0Ch], edx
		jmp	short loc_84AAB2
_MiCaptureImageExceptionValues@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCacheImageSymbols proc near		; CODE XREF: MiDriverLoadSucceeded+98p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	10h
		push	offset dword_6A4798
		call	__SEH_prolog4
		and	[ebp+var_1C], 0
		and	[ebp+ms_exc.disabled], 0
		lea	eax, [ebp+var_20]
		push	eax
		push	6
		push	1
		push	ecx
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	[ebp+var_1C], eax

loc_84AAEF:				; CODE XREF: sub_8FC460+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiCacheImageSymbols endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2373. RtlUnicodeStringToAnsiSize
; Exported entry 2415. RtlxUnicodeStringToAnsiSize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlxUnicodeStringToAnsiSize(x)
		public _RtlxUnicodeStringToAnsiSize@4
_RtlxUnicodeStringToAnsiSize@4 proc near ; CODE	XREF: DbgUnicodeStringToAnsiString+9p
					; ExpSystemErrorHandler(x,x,x,x,x)+24Ap ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi	; RtlUnicodeStringToAnsiSize
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_4], 0
		movzx	eax, word ptr [ecx]
		push	eax
		push	dword ptr [ecx+4]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUnicodeToMultiByteSize
		mov	eax, [ebp+var_4]
		inc	eax
		leave
		retn	4
_RtlxUnicodeStringToAnsiSize@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiResolveImageReferences proc near	; CODE XREF: MiResolveImageImports+76p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FC468 SIZE 000000FD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		push	3Ah
		mov	eax, ecx
		mov	[ebp+var_34], edx
		pop	ecx
		push	3Ch
		xor	edx, edx
		mov	[ebp+var_38], eax
		mov	edi, [eax+18h]
		mov	word ptr [ebp+var_58], cx
		pop	ecx
		mov	dword ptr [eax+4Ch], 0FFFFFFFEh
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	1
		push	edi
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], edx
		mov	word ptr [ebp+var_58+2], cx
		mov	[ebp+var_54], offset ??_C@_1DM@EOIDMIEH@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@
		mov	[ebp+var_C], edx
		mov	[ebp+var_18], edx
		mov	byte ptr [ebp+var_1], dl
		mov	[ebp+var_10], edi
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_20], ebx
		test	ebx, ebx
		jz	loc_84AD98
		xor	eax, eax
		lea	edx, [ebp+var_1C]
		mov	ecx, ebx
		mov	[ebp+var_2], al
		mov	[ebp+var_1C], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_28], eax
		call	_MiPrepareImportList@8 ; MiPrepareImportList(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8FC502
		cmp	dword ptr [ebx+0Ch], 0
		jz	loc_84AD68
		mov	eax, [ebp+var_1C]
		add	eax, 4
		mov	[ebp+var_30], eax

loc_84ABDF:				; CODE XREF: MiResolveImageReferences+22Ej
		cmp	dword ptr [ebx], 0
		jz	loc_84AD68
		mov	ebx, [ebx+0Ch]
		lea	eax, [ebp+var_60]
		and	[ebp+var_24], 0
		add	ebx, edi
		push	ebx
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_8FC502
		cmp	[ebp+var_3C], 0
		jz	loc_8FC4FD
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		push	[ebp+var_34]
		call	PsQueryCurrentApiSetSchema
		lea	edx, [ebp+var_40]
		mov	ecx, eax
		call	ApiSetResolveToHost
		mov	esi, eax
		test	esi, esi
		js	loc_8FC502
		cmp	byte ptr [ebp+var_1], 0
		jnz	loc_84AE2A
		mov	eax, [ebp+arg_0]
		and	[ebp+var_14], 0
		mov	[ebp+var_2C], eax

loc_84AC56:				; CODE XREF: MiResolveImageReferences+32Aj
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jnz	loc_84ADAA

loc_84AC61:				; CODE XREF: MiResolveImageReferences+288j
					; MiResolveImageReferences+2A0j
		mov	eax, [ebp+var_40]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_4C], eax

loc_84AC6D:				; CODE XREF: MiResolveImageReferences+2F1j
		mov	esi, _PsLoadedModuleList
		lea	eax, [ebp+var_50]
		mov	[ebp+var_24], eax
		mov	ebx, offset _PsLoadedModuleList

loc_84AC7E:				; CODE XREF: MiResolveImageReferences+167j
		cmp	esi, ebx
		jz	loc_84AE78
		push	1
		lea	eax, [esi+2Ch]
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_84AC9D
		mov	esi, [esi]
		jmp	short loc_84AC7E
; 

loc_84AC9D:				; CODE XREF: MiResolveImageReferences+163j
		mov	ebx, [esi+18h]
		test	ebx, ebx
		jz	loc_84AE78
		test	dword ptr [esi+34h], 1000h
		jnz	short loc_84ACDB
		mov	ecx, ebx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jz	loc_84AEDA
		mov	ecx, ebx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	loc_84AEDA
		cmp	dword ptr [esi+4Ch], 1
		jnz	loc_84ADA1

loc_84ACDB:				; CODE XREF: MiResolveImageReferences+17Bj
					; MiResolveImageReferences+271j ...
		test	ebx, ebx
		jz	loc_84AE78

loc_84ACE3:				; CODE XREF: MiResolveImageReferences+3A1j
		test	dword ptr [esi+34h], 1000h
		jnz	short loc_84AD00
		cmp	dword ptr [esi+4Ch], 1
		jz	short loc_84AD00
		mov	eax, [ebp+var_30]
		inc	[ebp+var_28]
		mov	[eax], esi
		add	eax, 4
		mov	[ebp+var_30], eax

loc_84AD00:				; CODE XREF: MiResolveImageReferences+1B6j
					; MiResolveImageReferences+1BCj
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_84AD42
		mov	ecx, [ecx+10h]
		add	edi, eax
		mov	eax, [ebp+var_10]
		add	ecx, eax

loc_84AD13:				; CODE XREF: MiResolveImageReferences+20Aj
		cmp	dword ptr [edi], 0
		mov	[ebp+var_2C], ecx
		jz	short loc_84AD40
		push	0
		push	ecx
		push	edi
		mov	edx, eax
		mov	ecx, ebx
		call	MiSnapThunk
		mov	esi, eax
		test	esi, esi
		js	loc_8FC558
		mov	ecx, [ebp+var_2C]
		add	edi, 4
		mov	eax, [ebp+var_10]
		add	ecx, 4
		jmp	short loc_84AD13
; 

loc_84AD40:				; CODE XREF: MiResolveImageReferences+1E5j
		mov	edi, eax

loc_84AD42:				; CODE XREF: MiResolveImageReferences+1D3j
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_2], 0
		jnz	loc_84AEEC

loc_84AD55:				; CODE XREF: MiResolveImageReferences+304j
					; MiResolveImageReferences+3C6j
		mov	ebx, [ebp+var_20]
		add	ebx, 14h
		mov	[ebp+var_20], ebx
		cmp	dword ptr [ebx+0Ch], 0
		jnz	loc_84ABDF

loc_84AD68:				; CODE XREF: MiResolveImageReferences+9Cj
					; MiResolveImageReferences+AEj
		mov	ecx, [ebp+var_1C]
		call	_MiCompressImportList@4	; MiCompressImportList(x)
		mov	ecx, edi
		mov	esi, eax
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jz	loc_84AE69
		mov	ecx, edi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	loc_84AE69
		mov	eax, [ebp+var_38]
		mov	[eax+4Ch], esi

loc_84AD98:				; CODE XREF: MiResolveImageReferences+6Dj
					; MiResolveImageReferences+33Fj
		xor	eax, eax

loc_84AD9A:				; CODE XREF: MiResolveImageReferences+B1A18j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_84ADA1:				; CODE XREF: MiResolveImageReferences+1A1j
		inc	word ptr [esi+38h]
		jmp	loc_84ACDB
; 

loc_84ADAA:				; CODE XREF: MiResolveImageReferences+127j
		push	8		; size_t
		push	offset ??_C@_08PBNAIBKE@ntoskrnl@NNGAKEGL@ ; "ntoskrnl"
		push	ebx		; char *
		call	__strnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_84AC61
		push	3		; size_t
		push	(offset	loc_8BC00C+2) ;	char *
		push	ebx		; char *
		call	__strnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_84AC61
		mov	ax, [esi]
		mov	edx, 54446D4Dh
		add	ax, word ptr [ebp+var_40]
		push	0
		movzx	ecx, ax
		push	100h
		mov	word ptr [ebp+var_50+2], ax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_4C], eax
		test	eax, eax
		jz	loc_8FC4FD
		xor	eax, eax
		mov	word ptr [ebp+var_50], ax
		lea	eax, [ebp+var_50]
		push	esi
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	[ebp+var_2], 1
		jmp	loc_84AC6D
; 

loc_84AE2A:				; CODE XREF: MiResolveImageReferences+112j
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	word ptr [ebp+var_48], 0
		jz	loc_84AD55
		lea	eax, [ebp+var_58]
		mov	[ebp+var_14], 80000000h
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		push	0
		call	RtlDuplicateUnicodeString
		mov	esi, eax
		test	esi, esi
		jns	loc_84AC56
		jmp	loc_8FC502
; 

loc_84AE69:				; CODE XREF: MiResolveImageReferences+248j
					; MiResolveImageReferences+258j
		mov	ecx, edi
		call	_MiSessionLookupImage@4	; MiSessionLookupImage(x)
		mov	[eax+30h], esi
		jmp	loc_84AD98
; 

loc_84AE78:				; CODE XREF: MiResolveImageReferences+14Cj
					; MiResolveImageReferences+16Ej ...
		mov	ebx, [ebp+var_2C]
		lea	eax, [ebp+var_48]
		push	eax
		lea	edx, [ebp+var_40]
		mov	ecx, ebx
		call	_MiFormFullImageName@12	; MiFormFullImageName(x,x,x)
		test	eax, eax
		jz	loc_8FC4FD
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_14]
		lea	ecx, [ebp+var_48]
		call	_MiLoadImportDll@20 ; MiLoadImportDll(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000018h
		jz	loc_8FC468

loc_84AEB5:				; CODE XREF: MiResolveImageReferences+B196Cj
		cmp	esi, 0C0000034h
		jz	short loc_84AEFF

loc_84AEBD:				; CODE XREF: MiResolveImageReferences+413j
					; MiResolveImageReferences+B194Aj ...
		push	0
		push	[ebp+var_44]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	loc_8FC502
		mov	esi, [ebp+var_C]
		mov	ebx, [esi+18h]
		jmp	loc_84ACE3
; 

loc_84AEDA:				; CODE XREF: MiResolveImageReferences+187j
					; MiResolveImageReferences+197j
		mov	ecx, ebx
		call	_MiSessionReferenceImage@4 ; MiSessionReferenceImage(x)
		neg	eax
		sbb	eax, eax
		and	ebx, eax
		jmp	loc_84ACDB
; 

loc_84AEEC:				; CODE XREF: MiResolveImageReferences+21Bj
		push	0
		push	[ebp+var_4C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_2], 0
		jmp	loc_84AD55
; 

loc_84AEFF:				; CODE XREF: MiResolveImageReferences+387j
		push	0
		push	[ebp+var_44]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [ebp+var_58]
		cmp	ebx, eax
		jz	loc_8FC4A5
		mov	ecx, eax

loc_84AF16:				; CODE XREF: MiResolveImageReferences+B197Ej
		lea	eax, [ebp+var_48]
		push	eax
		lea	edx, [ebp+var_40]
		call	_MiFormFullImageName@12	; MiFormFullImageName(x,x,x)
		test	eax, eax
		jz	loc_8FC4FD
		mov	ebx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		mov	edx, [ebp+arg_4]
		lea	ecx, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		call	_MiLoadImportDll@20 ; MiLoadImportDll(x,x,x,x,x)
		cmp	byte ptr [ebp+var_1], 0
		mov	esi, eax
		jz	loc_84AEBD
		jmp	loc_8FC4B7
MiResolveImageReferences endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSnapThunk	proc near		; CODE XREF: MiResolveImageReferences+1EFp
					; MiSnapThunk+245p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FC565 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	eax, [ebp+var_14]
		xor	ecx, ecx
		mov	[ebp+var_10], edi
		push	eax
		push	ecx
		push	1
		mov	ebx, edx
		mov	[ebp+var_2C], ecx
		push	edi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_14], ecx
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	loc_8FC577
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		mov	esi, [eax]
		test	esi, esi
		js	loc_84B1C7
		test	ecx, ecx
		jnz	short loc_84AFA9
		lea	ecx, [esi+ebx]

loc_84AFA9:				; CODE XREF: MiSnapThunk+52j
					; MiSnapThunk+277j
		mov	eax, [edx+24h]
		mov	ebx, [edx+20h]
		add	eax, edi
		movzx	esi, word ptr [ecx]
		add	ebx, edi
		mov	[ebp+var_C], eax
		add	ecx, 2
		mov	eax, [edx+18h]
		mov	[ebp+var_18], ebx
		mov	[ebp+arg_8], eax
		mov	[ebp+arg_0], ecx
		cmp	esi, eax
		jnb	loc_8FC565
		mov	eax, [ebx+esi*4]
		add	eax, edi

loc_84AFD5:				; CODE XREF: MiSnapThunk+A5j
		mov	bl, [ecx]
		cmp	bl, [eax]
		jnz	loc_84B0C4
		test	bl, bl
		jz	short loc_84AFF9
		mov	bl, [ecx+1]
		cmp	bl, [eax+1]
		jnz	loc_84B0C4
		add	ecx, 2
		add	eax, 2
		test	bl, bl
		jnz	short loc_84AFD5

loc_84AFF9:				; CODE XREF: MiSnapThunk+8Fj
		xor	eax, eax

loc_84AFFB:				; CODE XREF: MiSnapThunk+177j
		test	eax, eax
		jnz	short loc_84B033
		mov	eax, [ebp+var_C]
		movzx	eax, word ptr [eax+esi*2]

loc_84B006:				; CODE XREF: MiSnapThunk+159j
					; MiSnapThunk+287j
		movzx	ecx, ax
		cmp	ecx, [edx+14h]
		jnb	loc_8FC56D
		mov	eax, [edx+1Ch]
		lea	eax, [eax+ecx*4]
		mov	esi, [eax+edi]
		mov	eax, [ebp+arg_4]
		add	esi, edi
		mov	[eax], esi
		cmp	esi, edx
		ja	loc_84B0CE

loc_84B02A:				; CODE XREF: MiSnapThunk+183j
		xor	eax, eax

loc_84B02C:				; CODE XREF: MiSnapThunk+269j
					; MiSnapThunk+B1620j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_84B033:				; CODE XREF: MiSnapThunk+ABj
		mov	eax, [ebp+arg_8]

loc_84B036:				; CODE XREF: MiSnapThunk+B1616j
		xor	ebx, ebx
		test	eax, eax
		jz	loc_8FC577
		lea	esi, [eax-1]
		test	esi, esi
		js	loc_8FC577

loc_84B04B:				; CODE XREF: MiSnapThunk+145j
		mov	eax, [ebp+var_18]
		lea	ecx, [ebx+esi]
		sar	ecx, 1
		mov	eax, [eax+ecx*4]
		add	eax, edi
		mov	edi, [ebp+arg_0]

loc_84B05B:				; CODE XREF: MiSnapThunk+133j
		mov	dl, [edi]
		cmp	dl, [eax]
		mov	byte ptr [ebp+arg_8+3],	dl
		mov	edx, [ebp+var_8]
		jnz	short loc_84B0BD
		cmp	byte ptr [ebp+arg_8+3],	0
		jz	short loc_84B087
		mov	dl, [edi+1]
		cmp	dl, [eax+1]
		mov	byte ptr [ebp+arg_8+3],	dl
		mov	edx, [ebp+var_8]
		jnz	short loc_84B0BD
		add	edi, 2
		add	eax, 2
		cmp	byte ptr [ebp+arg_8+3],	0
		jnz	short loc_84B05B

loc_84B087:				; CODE XREF: MiSnapThunk+119j
		xor	eax, eax

loc_84B089:				; CODE XREF: MiSnapThunk+170j
		test	eax, eax
		js	short loc_84B0B0
		jle	short loc_84B099
		lea	ebx, [ecx+1]

loc_84B092:				; CODE XREF: MiSnapThunk+169j
		mov	edi, [ebp+var_10]
		cmp	esi, ebx
		jge	short loc_84B04B

loc_84B099:				; CODE XREF: MiSnapThunk+13Bj
		cmp	esi, ebx
		jl	loc_8FC577
		mov	eax, [ebp+var_C]
		mov	edi, [ebp+var_10]
		movzx	eax, word ptr [eax+ecx*2]
		jmp	loc_84B006
; 

loc_84B0B0:				; CODE XREF: MiSnapThunk+139j
		test	ecx, ecx
		jz	loc_8FC577
		lea	esi, [ecx-1]
		jmp	short loc_84B092
; 

loc_84B0BD:				; CODE XREF: MiSnapThunk+113j
					; MiSnapThunk+127j
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_84B089
; 

loc_84B0C4:				; CODE XREF: MiSnapThunk+87j
					; MiSnapThunk+97j
		sbb	eax, eax
		or	eax, 1
		jmp	loc_84AFFB
; 

loc_84B0CE:				; CODE XREF: MiSnapThunk+D2j
		mov	eax, [ebp+var_14]
		add	eax, edx
		cmp	esi, eax
		jnb	loc_84B02A
		push	2Eh		; int
		push	esi		; char *
		mov	[ebp+var_20], esi
		call	_strchr
		pop	ecx
		pop	ecx
		xor	ecx, ecx
		push	1
		lea	ebx, [ecx+1]
		sub	ebx, esi
		add	ebx, eax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_2C]
		mov	word ptr [ebp+var_24], bx
		push	eax
		mov	word ptr [ebp+var_24+2], bx
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	loc_8FC577
		mov	edi, _PsLoadedModuleList
		mov	[ebp+arg_0], 0C0000263h

loc_84B11D:				; CODE XREF: MiSnapThunk+270j
		cmp	edi, offset _PsLoadedModuleList
		jz	loc_84B1AF
		push	1
		lea	eax, [edi+2Ch]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlPrefixString@12 ; RtlPrefixString(x,x,x)
		test	al, al
		jz	loc_84B1C0
		movzx	ebx, bx
		add	ebx, esi
		mov	ecx, ebx
		lea	edx, [ecx+1]

loc_84B14A:				; CODE XREF: MiSnapThunk+1FDj
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_84B14A
		sub	ecx, edx
		mov	edx, 20206D4Dh
		push	0
		push	100h
		lea	eax, [ecx+1]
		lea	ecx, [eax+4]
		mov	[ebp+var_18], eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_84B1AF
		push	[ebp+var_18]	; size_t
		lea	ecx, [esi+2]
		push	ebx		; void *
		push	ecx		; void *
		call	_memcpy
		mov	edx, [ebp+var_1C]
		add	esp, 0Ch
		xor	eax, eax
		mov	[esi], ax
		and	[ebp+arg_8], eax
		lea	eax, [ebp+arg_8]
		mov	ecx, [edi+18h]
		push	esi
		push	eax
		push	eax
		call	MiSnapThunk
		push	0
		push	esi
		mov	[ebp+arg_0], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		mov	[eax], ecx

loc_84B1AF:				; CODE XREF: MiSnapThunk+1D1j
					; MiSnapThunk+21Fj
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [ebp+arg_0]
		jmp	loc_84B02C
; 

loc_84B1C0:				; CODE XREF: MiSnapThunk+1E8j
		mov	edi, [edi]
		jmp	loc_84B11D
; 

loc_84B1C7:				; CODE XREF: MiSnapThunk+4Aj
		test	ecx, ecx
		jnz	loc_84AFA9
		mov	ax, si
		sub	ax, [edx+10h]
		movzx	eax, ax
		jmp	loc_84B006
MiSnapThunk	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsQueryCurrentApiSetSchema proc	near	; CODE XREF: MiResolveImageReferences+F5p
					; ExIsMultiSessionSku+839C5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FC581 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_8FC581
		lea	edx, [ebp+var_8]
		lea	ecx, [ebp+var_4]
		call	_MmQueryApiSetSchema@8 ; MmQueryApiSetSchema(x,x)
		mov	eax, [ebp+var_4]
		mov	eax, [eax]
		leave
		retn
PsQueryCurrentApiSetSchema endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCompressImportList(x)
_MiCompressImportList@4	proc near	; CODE XREF: MiResolveImageReferences+237p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		xor	ecx, ecx
		mov	[ebp+var_8], edi
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_84B286
		lea	edx, [edi+4]
		mov	ebx, eax

loc_84B226:				; CODE XREF: MiCompressImportList(x)+33j
		mov	edi, [edx]
		mov	[ebp+var_4], edi
		test	edi, edi
		jz	short loc_84B235
		mov	esi, edi
		or	esi, 1
		inc	ecx

loc_84B235:				; CODE XREF: MiCompressImportList(x)+25j
		add	edx, 4
		sub	ebx, 1
		jnz	short loc_84B226
		mov	edi, [ebp+var_8]
		lea	ebx, [edi+4]
		test	ecx, ecx
		jz	short loc_84B286
		cmp	ecx, 1
		jz	short loc_84B277
		cmp	ecx, eax
		jz	short loc_84B28B
		call	_MiAllocateImportList@4	; MiAllocateImportList(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_84B28B
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_84B277
		lea	ecx, [esi+4]

loc_84B264:				; CODE XREF: MiCompressImportList(x)+6Dj
		mov	edx, [ebx]
		test	edx, edx
		jz	short loc_84B26F
		mov	[ecx], edx
		add	ecx, 4

loc_84B26F:				; CODE XREF: MiCompressImportList(x)+60j
		add	ebx, 4
		sub	eax, 1
		jnz	short loc_84B264

loc_84B277:				; CODE XREF: MiCompressImportList(x)+42j
					; MiCompressImportList(x)+57j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_84B281:				; CODE XREF: MiCompressImportList(x)+85j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84B286:				; CODE XREF: MiCompressImportList(x)+17j
					; MiCompressImportList(x)+3Dj
		push	0FFFFFFFEh
		pop	esi
		jmp	short loc_84B277
; 

loc_84B28B:				; CODE XREF: MiCompressImportList(x)+46j
					; MiCompressImportList(x)+51j
		mov	eax, edi
		jmp	short loc_84B281
_MiCompressImportList@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MiPrepareImportList(x, x)
_MiPrepareImportList@8 proc near	; CODE XREF: MiResolveImageReferences+89p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		xor	eax, eax
		mov	esi, eax
		mov	[edi], eax
		cmp	[ecx+0Ch], eax
		jz	short loc_84B2BD

loc_84B2A1:				; CODE XREF: MiPrepareImportList(x,x)+1Cj
		cmp	[ecx], eax
		jz	short loc_84B2AE
		add	ecx, 14h
		inc	esi
		cmp	[ecx+0Ch], eax
		jnz	short loc_84B2A1

loc_84B2AE:				; CODE XREF: MiPrepareImportList(x,x)+13j
		test	esi, esi
		jz	short loc_84B2BD
		mov	ecx, esi
		call	_MiAllocateImportList@4	; MiAllocateImportList(x)
		test	eax, eax
		jz	short loc_84B2C4

loc_84B2BD:				; CODE XREF: MiPrepareImportList(x,x)+Fj
					; MiPrepareImportList(x,x)+20j
		mov	[edi], eax
		xor	eax, eax

loc_84B2C1:				; CODE XREF: MiPrepareImportList(x,x)+39j
		pop	edi
		pop	esi
		retn
; 

loc_84B2C4:				; CODE XREF: MiPrepareImportList(x,x)+2Bj
		mov	eax, 0C000009Ah
		jmp	short loc_84B2C1
_MiPrepareImportList@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiAllocateImportList(x)
_MiAllocateImportList@4	proc near	; CODE XREF: MiCompressImportList(x)+48p
					; MiPrepareImportList(x,x)+24p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	esi, 3FFFFFFEh
		ja	short loc_84B2F9
		push	0
		lea	ecx, ds:4[esi*4]
		mov	edx, 54446D4Dh
		push	100h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jz	short loc_84B2F7
		mov	[eax], esi

loc_84B2F7:				; CODE XREF: MiAllocateImportList(x)+27j
		pop	esi
		retn
; 

loc_84B2F9:				; CODE XREF: MiAllocateImportList(x)+Bj
		xor	eax, eax
		pop	esi
		retn
_MiAllocateImportList@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapSystemImage proc near		; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+283p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 008FC58E SIZE 00000080 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		test	[ebp+arg_4], 1
		mov	edi, eax
		mov	esi, [edi]
		mov	ebx, [esi+4]
		jnz	short loc_84B380
		mov	ecx, [ebp+var_C]
		xor	esi, esi
		or	dword ptr [ebp+arg_4], 0FFFFFFFFh
		inc	esi
		mov	edx, esi
		mov	[ebp+var_8], esi
		call	_MiChargeSystemImageCommitment@8 ; MiChargeSystemImageCommitment(x,x)
		test	eax, eax
		js	short loc_84B379

loc_84B344:				; CODE XREF: MiMapSystemImage+DBj
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_18]
		push	esi
		push	dword ptr [ebp+arg_4]
		push	eax
		push	edi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	edx, ebx
		mov	ecx, eax
		call	MiAddMappedPtes
		mov	[ebp+var_10], eax
		test	eax, eax
		js	loc_8FC5C1
		cmp	[ebp+var_8], esi
		jnz	short loc_84B377
		mov	eax, offset unk_6CF598
		lock xadd [eax], ebx

loc_84B377:				; CODE XREF: MiMapSystemImage+6Ej
		xor	eax, eax

loc_84B379:				; CODE XREF: MiMapSystemImage+44j
					; MiMapSystemImage+EBj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_84B380:				; CODE XREF: MiMapSystemImage+2Cj
		mov	ecx, ebx
		shl	ecx, 0Ch
		call	_MiBytesToMapSystemImage@4 ; MiBytesToMapSystemImage(x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_84B3E4
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		test	dword ptr [edi+1Ch], 4000000h
		mov	dword ptr [ebp+arg_4], eax
		jnz	loc_8FC58E

loc_84B3B3:				; CODE XREF: MiMapSystemImage+B12A1j
		mov	eax, [ebp+var_4]
		xor	esi, esi
		mov	ecx, [ebp+var_10]
		inc	esi
		push	esi
		dec	eax
		push	esi
		add	ecx, eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, eax
		call	_MiMakeZeroedPageTables@16 ; MiMakeZeroedPageTables(x,x,x,x)
		test	eax, eax
		jnz	loc_84B344
		jmp	loc_8FC5A4
; 

loc_84B3E4:				; CODE XREF: MiMapSystemImage+91j
		mov	eax, 0C000001Fh
		jmp	short loc_84B379
MiMapSystemImage endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiResolveImageImports proc near		; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+461p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FC60E SIZE 000000F6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		xor	eax, eax
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		mov	esi, ecx
		lea	eax, [ebp+var_8]
		mov	[ebp+var_18], edx
		push	eax
		push	0Ch
		mov	ecx, [esi+18h]
		push	1
		push	ecx
		mov	[ebp+var_C], ecx
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		xor	edi, edi
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_8FC646
		mov	ebx, [ebp+var_8]
		test	ebx, ebx
		jz	loc_8FC646
		push	4
		push	ebx
		mov	edx, eax
		mov	ecx, esi
		call	_MiSetImageProtection@16 ; MiSetImageProtection(x,x,x,x)
		test	eax, eax
		jz	loc_8FC60E
		mov	[ebp+var_4], 1

loc_84B450:				; CODE XREF: MiResolveImageImports+B12BDj
		push	[ebp+var_18]
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		push	[ebp+arg_0]
		or	dword ptr [esi+34h], 1000h
		call	MiResolveImageReferences
		mov	ecx, [esi+3Ch]
		mov	[ebp+arg_0], eax
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		cmp	dword ptr [eax+58h], 0
		jz	short loc_84B492
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	loc_8FC6B6
		push	100h
		push	ebx
		mov	edx, eax
		mov	ecx, esi
		call	_MiSetImageProtection@16 ; MiSetImageProtection(x,x,x,x)

loc_84B492:				; CODE XREF: MiResolveImageImports+8Aj
					; MiResolveImageImports+B12D0j	...
		and	dword ptr [esi+34h], 0FFFFEFFFh
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		js	short loc_84B4A9

loc_84B4A0:				; CODE XREF: MiResolveImageImports+C3j
		mov	eax, ecx

loc_84B4A2:				; CODE XREF: MiResolveImageImports+B1255j
					; MiResolveImageImports+B12C5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_84B4A9:				; CODE XREF: MiResolveImageImports+B2j
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	1
		jmp	short loc_84B4A0
MiResolveImageImports endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiProcessLoadConfigForDriver(x, x)
_MiProcessLoadConfigForDriver@8	proc near ; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+472p
					; MiReloadBootLoadedDrivers(x)+5Bp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		call	ExGenRandom
		mov	edx, [esi+20h]
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [esi+18h]
		call	_LdrInitSecurityCookie@20 ; LdrInitSecurityCookie(x,x,x,x,x)
		xor	eax, eax
		pop	esi
		retn
_MiProcessLoadConfigForDriver@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrInitSecurityCookie(x, x,	x, x, x)
_LdrInitSecurityCookie@20 proc near	; CODE XREF: MiProcessLoadConfigForDriver(x,x)+15p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_LdrpFetchAddressOfSecurityCookie@16 ; LdrpFetchAddressOfSecurityCookie(x,x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_84B504
		cmp	dword ptr [eax], 5Ch
		jb	short loc_84B504
		test	dword ptr [eax+58h], 800h
		jnz	short loc_84B546

loc_84B504:				; CODE XREF: LdrInitSecurityCookie(x,x,x,x,x)+24j
					; LdrInitSecurityCookie(x,x,x,x,x)+29j
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_84B542
		mov	esi, [ecx]
		mov	ebx, 0BB40E64Eh
		mov	edi, 0BB40h
		cmp	esi, ebx
		jnz	short loc_84B53E

loc_84B51B:				; CODE XREF: LdrInitSecurityCookie(x,x,x,x,x)+70j
		rdtsc
		xor	eax, ecx
		xor	eax, [ebp+arg_4]
		cmp	esi, edi
		jz	short loc_84B54B

loc_84B526:				; CODE XREF: LdrInitSecurityCookie(x,x,x,x,x)+7Ej
		cmp	eax, ebx
		jz	short loc_84B550

loc_84B52A:				; CODE XREF: LdrInitSecurityCookie(x,x,x,x,x)+85j
		test	eax, eax
		jz	short loc_84B557
		cmp	eax, edi
		jz	short loc_84B557

loc_84B532:				; CODE XREF: LdrInitSecurityCookie(x,x,x,x,x)+8Cj
		mov	[ecx], eax
		xor	eax, eax
		inc	eax

loc_84B537:				; CODE XREF: LdrInitSecurityCookie(x,x,x,x,x)+74j
		pop	edi
		pop	esi
		pop	ebx

locret_84B53A:				; CODE XREF: LdrInitSecurityCookie(x,x,x,x,x)+79j
		leave
		retn	0Ch
; 

loc_84B53E:				; CODE XREF: LdrInitSecurityCookie(x,x,x,x,x)+49j
		cmp	esi, edi
		jz	short loc_84B51B

loc_84B542:				; CODE XREF: LdrInitSecurityCookie(x,x,x,x,x)+39j
		xor	eax, eax
		jmp	short loc_84B537
; 

loc_84B546:				; CODE XREF: LdrInitSecurityCookie(x,x,x,x,x)+32j
		xor	eax, eax
		inc	eax
		jmp	short locret_84B53A
; 

loc_84B54B:				; CODE XREF: LdrInitSecurityCookie(x,x,x,x,x)+54j
		movzx	eax, ax
		jmp	short loc_84B526
; 

loc_84B550:				; CODE XREF: LdrInitSecurityCookie(x,x,x,x,x)+58j
		mov	eax, 0BB40E64Fh
		jmp	short loc_84B52A
; 

loc_84B557:				; CODE XREF: LdrInitSecurityCookie(x,x,x,x,x)+5Cj
					; LdrInitSecurityCookie(x,x,x,x,x)+60j
		mov	eax, 0BB41h
		jmp	short loc_84B532
_LdrInitSecurityCookie@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrpFetchAddressOfSecurityCookie(x,	x, x, x)
_LdrpFetchAddressOfSecurityCookie@16 proc near
					; CODE XREF: LdrInitSecurityCookie(x,x,x,x,x)+18p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		push	eax
		push	ebx
		push	ebx
		mov	esi, ecx
		mov	edi, edx
		push	esi
		push	1
		call	RtlImageNtHeaderEx
		mov	ecx, esi
		call	LdrImageDirectoryEntryToLoadConfig
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		mov	[ecx], ebx
		test	edx, edx
		jz	short loc_84B5B4
		cmp	dword ptr [edx], 48h
		jb	short loc_84B5B4
		mov	ecx, [edx+3Ch]
		cmp	ecx, esi
		jbe	short loc_84B5B4
		lea	eax, [edi-4]
		add	eax, esi
		cmp	ecx, eax
		jnb	short loc_84B5B4
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_84B5AB
		mov	[eax], edx

loc_84B5AB:				; CODE XREF: LdrpFetchAddressOfSecurityCookie(x,x,x,x)+49j
		mov	eax, ecx

loc_84B5AD:				; CODE XREF: LdrpFetchAddressOfSecurityCookie(x,x,x,x)+65j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_84B5B4:				; CODE XREF: LdrpFetchAddressOfSecurityCookie(x,x,x,x)+2Dj
					; LdrpFetchAddressOfSecurityCookie(x,x,x,x)+32j ...
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_84B5C1
		test	edx, edx
		jnz	short loc_84B5C5

loc_84B5BF:				; CODE XREF: LdrpFetchAddressOfSecurityCookie(x,x,x,x)+6Aj
		mov	[eax], ebx

loc_84B5C1:				; CODE XREF: LdrpFetchAddressOfSecurityCookie(x,x,x,x)+5Bj
					; LdrpFetchAddressOfSecurityCookie(x,x,x,x)+6Ej
		xor	eax, eax
		jmp	short loc_84B5AD
; 

loc_84B5C5:				; CODE XREF: LdrpFetchAddressOfSecurityCookie(x,x,x,x)+5Fj
		cmp	dword ptr [edx], 4
		jb	short loc_84B5BF
		mov	[eax], edx
		jmp	short loc_84B5C1
_LdrpFetchAddressOfSecurityCookie@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrImageDirectoryEntryToLoadConfig proc	near
					; CODE XREF: LdrpFetchAddressOfSecurityCookie(x,x,x,x)+1Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FC704 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	ebx
		mov	esi, ecx
		mov	[ebp+var_4], ebx
		push	esi
		push	1
		mov	[ebp+var_8], ebx
		call	RtlImageNtHeaderEx
		test	esi, esi
		jz	short loc_84B63F
		lea	eax, [ebp+var_4]
		push	eax
		push	0Ah
		push	1
		push	esi
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	edx, eax
		cmp	esi, ds:_MmHighestUserAddress
		jb	loc_8FC704

loc_84B60F:				; CODE XREF: LdrImageDirectoryEntryToLoadConfig+B1144j
					; LdrImageDirectoryEntryToLoadConfig+B114Cj
		test	edx, edx
		jz	short loc_84B63F
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_84B63F
		cmp	eax, 40h
		jz	short loc_84B623
		cmp	eax, [edx]
		jnz	short loc_84B63F

loc_84B623:				; CODE XREF: LdrImageDirectoryEntryToLoadConfig+4Fj
		mov	eax, [ebp+var_8]
		mov	cx, [eax+4]
		call	_RtlWow64GetEquivalentMachineCHPE@4 ; RtlWow64GetEquivalentMachineCHPE(x)
		mov	ecx, 14Ch
		cmp	ax, cx
		jnz	short loc_84B63F
		mov	eax, edx

loc_84B63B:				; CODE XREF: LdrImageDirectoryEntryToLoadConfig+73j
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84B63F:				; CODE XREF: LdrImageDirectoryEntryToLoadConfig+23j
					; LdrImageDirectoryEntryToLoadConfig+43j ...
		xor	eax, eax
		jmp	short loc_84B63B
LdrImageDirectoryEntryToLoadConfig endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiHandleDriverNonPagedSections proc near ; CODE	XREF: MiSessionRemoveImage+D7p
					; MmLoadSystemImageEx(x,x,x,x,x,x)+502p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FC71F SIZE 000000E4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	eax, ecx
		xor	esi, esi
		mov	ecx, esi
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], ecx
		mov	ebx, edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_4], ecx
		mov	ecx, [eax+18h]
		push	edi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	loc_84B77D
		xor	edi, edi
		mov	[ebp+var_14], esi
		inc	edi
		cmp	[ebp+arg_0], edi
		jnz	loc_84B766
		test	ds:byte_7051AC,	1
		jnz	loc_84B713
		test	bl, 2
		jnz	short loc_84B713
		mov	edi, ebx
		and	edi, 1
		jnz	short loc_84B6A6
		mov	ecx, [ebp+var_8]
		call	_MiDisablePagingOfDriver@4 ; MiDisablePagingOfDriver(x)

loc_84B6A6:				; CODE XREF: MiHandleDriverNonPagedSections+58j
		xor	edi, 1
		inc	edi

loc_84B6AA:				; CODE XREF: MiHandleDriverNonPagedSections+129j
		mov	ebx, [ebp+var_8]
		mov	[ebp+var_20], esi

loc_84B6B0:				; CODE XREF: MiHandleDriverNonPagedSections+B119Ej
		mov	[ebp+var_C], esi

loc_84B6B3:				; CODE XREF: MiHandleDriverNonPagedSections+B11BAj
		lea	eax, [ebx+5Ch]

loc_84B6B6:				; CODE XREF: MiHandleDriverNonPagedSections+B118Fj
		mov	ecx, [ebx+18h]
		push	2
		mov	[ebp+var_24], ecx
		mov	ecx, eax
		pop	edx
		mov	[ebp+var_8], esi
		call	_MiLockLoaderEntry@8 ; MiLockLoaderEntry(x,x)
		mov	eax, [ebx+98h]
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_4], eax
		cmp	ecx, [eax]
		jz	short loc_84B6EE
		push	ecx
		push	1
		push	eax
		call	RtlFindSetBits
		mov	[ebp+var_1C], eax
		cmp	eax, 0FFFFFFFFh
		jnz	loc_8FC767

loc_84B6EE:				; CODE XREF: MiHandleDriverNonPagedSections+93j
					; MiHandleDriverNonPagedSections+B1126j
		mov	[ebp+var_8], 0C0000225h

loc_84B6F5:				; CODE XREF: MiHandleDriverNonPagedSections+B116Ej
		push	2
		pop	edx
		lea	ecx, [ebx+5Ch]
		call	MiUnlockLoaderEntry
		cmp	[ebp+var_8], esi
		jge	loc_8FC7B7

loc_84B709:				; CODE XREF: MiHandleDriverNonPagedSections+11Ej
					; MiHandleDriverNonPagedSections+B10DDj ...
		mov	eax, [ebp+var_14]

loc_84B70C:				; CODE XREF: MiHandleDriverNonPagedSections+13Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_84B713:				; CODE XREF: MiHandleDriverNonPagedSections+48j
					; MiHandleDriverNonPagedSections+51j
		not	ebx
		mov	[ebp+arg_0], esi
		and	ebx, 1
		inc	ebx

loc_84B71C:				; CODE XREF: MiHandleDriverNonPagedSections+137j
		mov	eax, esi

loc_84B71E:				; CODE XREF: MiHandleDriverNonPagedSections+120j
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_8]
		push	8
		call	MiSnapDriverRange
		mov	edi, [ebp+var_C]
		mov	[ebp+var_18], eax
		test	edi, edi
		jz	short loc_84B760
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_8FC71F
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		push	ebx
		push	[ebp+var_4]
		call	_MiLockCode@16	; MiLockCode(x,x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		js	short loc_84B778

loc_84B75D:				; CODE XREF: MiHandleDriverNonPagedSections+B10EEj
		mov	eax, [ebp+var_18]

loc_84B760:				; CODE XREF: MiHandleDriverNonPagedSections+F7j
		test	eax, eax
		jz	short loc_84B709
		jmp	short loc_84B71E
; 

loc_84B766:				; CODE XREF: MiHandleDriverNonPagedSections+3Bj
		test	ds:byte_7051AC,	1
		jz	loc_84B6AA
		jmp	loc_8FC737
; 

loc_84B778:				; CODE XREF: MiHandleDriverNonPagedSections+117j
		mov	[ebp+arg_0], edi
		jmp	short loc_84B71C
; 

loc_84B77D:				; CODE XREF: MiHandleDriverNonPagedSections+2Cj
					; MiHandleDriverNonPagedSections+B111Ej
		xor	eax, eax
		jmp	short loc_84B70C
MiHandleDriverNonPagedSections endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDriverLoadSucceeded proc near		; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+53Fp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 008FC803 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		xor	eax, eax
		cmp	[ebp+arg_C], 1
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_24]
		push	7
		pop	ecx
		rep stosd
		jnz	loc_84B8DA
		or	dword ptr [ebx+34h], 41004000h
		mov	ecx, edx
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	edi, eax
		mov	ecx, [edi]
		mov	byte ptr [ebp+var_20], 3
		mov	eax, [ebp+var_20]
		and	eax, 0FFF80FFFh
		movzx	edx, byte ptr [ecx+0Bh]
		movzx	ecx, byte ptr [ecx+0Bh]
		and	edx, 0Eh
		and	[ebp+var_18], 0
		and	ecx, 0FFFFF8F1h
		and	[ebp+var_10], 0
		shl	edx, 7
		or	edx, ecx
		mov	ecx, edi
		or	edx, 1
		shl	edx, 8
		or	edx, eax
		mov	eax, [ebx+20h]
		mov	[ebp+var_14], eax
		mov	eax, [ebx+18h]
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], eax
		call	MiReferenceControlAreaFile
		mov	ecx, [ebp+arg_0]
		mov	esi, eax
		push	esi
		lea	eax, [ebp+var_24]
		xor	edx, edx
		push	eax
		call	PsCallImageNotifyRoutines
		mov	edx, esi
		mov	ecx, edi
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		mov	ecx, [ebx+18h]
		call	MiCacheImageSymbols
		test	eax, eax
		jz	loc_84B8DA
		xor	eax, eax
		mov	edx, 6E4C6D4Dh
		push	eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	eax, 100h
		push	eax
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_84B8DA
		mov	edi, [ebp+arg_4]
		push	16h
		pop	eax
		cmp	[edi], ax
		jbe	loc_8FC803
		push	0Bh		; size_t
		push	offset ??_C@_1BI@OMNCDEIM@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@ ; wchar_t *
		push	dword ptr [edi+4] ; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8FC803
		mov	eax, [edi]
		mov	[ebp+var_8], eax
		mov	eax, [edi+4]
		add	eax, 16h
		mov	[ebp+var_4], eax
		mov	eax, 0FFEAh
		add	word ptr [ebp+var_8], ax
		lea	eax, [ebp+var_8]
		push	eax
		call	RtlGetNtSystemRoot
		add	eax, 4
		push	eax		; char
		push	offset ??_C@_1O@CJCOHIOA@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAZ@NNGAKEGL@	; wchar_t *
		push	100h		; int
		push	esi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h

loc_84B8AC:				; CODE XREF: MiDriverLoadSucceeded+B1097j
		test	eax, eax
		js	short loc_84B8D2
		push	esi
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebx+18h]
		push	ecx
		lea	ecx, [ebp+var_8]
		call	_DbgLoadImageSymbolsUnicode@12 ; DbgLoadImageSymbolsUnicode(x,x,x)
		cmp	eax, 1
		jnz	short loc_84B8D2
		or	dword ptr [ebx+34h], 100000h

loc_84B8D2:				; CODE XREF: MiDriverLoadSucceeded+12Cj
					; MiDriverLoadSucceeded+147j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84B8DA:				; CODE XREF: MiDriverLoadSucceeded+1Bj
					; MiDriverLoadSucceeded+9Fj ...
		mov	ecx, [ebx+3Ch]
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		cmp	dword ptr [eax+58h], 0
		jz	short loc_84B91C
		test	dword ptr [ebx+34h], 8000000h
		jz	short loc_84B91C

loc_84B8F1:				; CODE XREF: MiDriverLoadSucceeded+1A1j
		mov	edx, [ebx+18h]
		mov	ecx, edx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jz	short loc_84B913
		mov	ecx, edx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	short loc_84B913

loc_84B90C:				; CODE XREF: MiDriverLoadSucceeded+198j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_84B913:				; CODE XREF: MiDriverLoadSucceeded+17Cj
					; MiDriverLoadSucceeded+188j
		mov	ecx, ebx
		call	_MiSessionUpdateImageCharges@4 ; MiSessionUpdateImageCharges(x)
		jmp	short loc_84B90C
; 

loc_84B91C:				; CODE XREF: MiDriverLoadSucceeded+164j
					; MiDriverLoadSucceeded+16Dj
		mov	ecx, ebx
		call	MiProtectSystemImage
		jmp	short loc_84B8F1
MiDriverLoadSucceeded endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1427. MmLoadSystemImage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmLoadSystemImage(x, x, x, x, x, x)
		public _MmLoadSystemImage@24
_MmLoadSystemImage@24 proc near		; CODE XREF: PAGE:007B3A20p
					; IopLoadDriver+206p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_C], 7FFFFFFCh
		jnz	short loc_84B953
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_10]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_MmLoadSystemImageEx@24	; MmLoadSystemImageEx(x,x,x,x,x,x)

loc_84B94F:				; CODE XREF: MmLoadSystemImage(x,x,x,x,x,x)+2Ej
		pop	ebp
		retn	18h
; 

loc_84B953:				; CODE XREF: MmLoadSystemImage(x,x,x,x,x,x)+Cj
		mov	eax, 0C00000F2h
		jmp	short loc_84B94F
_MmLoadSystemImage@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmLoadSystemImageEx(x, x, x, x, x, x)
_MmLoadSystemImageEx@24	proc near	; CODE XREF: IopLoadCrashdumpDriver+45p
					; PAGE:007B3848p ...

var_B8		= byte ptr -0B8h
var_B7		= byte ptr -0B7h
var_B6		= byte ptr -0B6h
var_B5		= byte ptr -0B5h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0BCh
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi		; struct _exception *
		mov	esi, ecx
		mov	[esp+0C8h+var_7C], edx
		xor	ecx, ecx
		mov	[esp+0C8h+var_80], esi
		xor	edi, edi
		mov	[esp+0C8h+var_70], ecx
		inc	edi
		mov	[esp+0C8h+var_78], ecx
		mov	[esp+0C8h+var_74], ecx
		mov	[esp+0C8h+var_90], ecx
		mov	[esp+0C8h+var_8C], ecx
		mov	[esp+0C8h+var_68], ecx
		mov	[esp+0C8h+var_64], ecx
		mov	[esp+0C8h+var_9C], edi
		mov	[esp+0C8h+var_88], edi
		mov	[eax], ecx
		mov	byte ptr [esp+0C8h+var_84], cl
		mov	[esp+0C8h+var_6C], ecx
		mov	[esp+0C8h+var_B5], cl
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		cmp	byte ptr [eax+2A4h], 0
		jz	short loc_84B9D1
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		push	eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	[esp+0C8h+var_6C], eax
		mov	[esp+0C8h+var_B5], 1

loc_84B9D1:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+61j
		mov	ebx, [ebp+arg_4]
		mov	eax, ebx
		and	eax, 1
		mov	[esp+0C8h+var_A4], eax
		jz	short loc_84BA26
		test	bl, 2
		jz	short loc_84B9EE

loc_84B9E4:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+9Ej
					; MmLoadSystemImageEx(x,x,x,x,x,x)+CFj
		mov	esi, 0C00000F2h
		jmp	loc_84BF2B
; 

loc_84B9EE:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+88j
		mov	eax, ebx
		and	eax, 80000004h
		cmp	eax, 4
		jz	short loc_84B9E4
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+0FCh], 10000h
		jnz	short loc_84BA1C
		mov	esi, 0C0000017h
		jmp	loc_84BF2B
; 

loc_84BA1C:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+B6j
		mov	eax, [esp+0C8h+var_88]
		mov	[esp+0C8h+var_9C], eax
		jmp	short loc_84BA2B
; 

loc_84BA26:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+83j
		test	bl, 4
		jnz	short loc_84B9E4

loc_84BA2B:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+CAj
		mov	edx, [esp+0C8h+var_7C]
		lea	eax, [esp+0C8h+var_78]
		push	eax
		lea	eax, [esp+0CCh+var_68]
		mov	ecx, esi
		push	eax
		lea	eax, [esp+0D0h+var_90]
		push	eax
		push	[ebp+arg_0]
		call	MiGenerateSystemImageNames
		mov	esi, eax
		test	esi, esi
		js	loc_84BF2B
		xor	eax, eax
		mov	[esp+0C8h+var_B4], 1
		mov	[esp+0C8h+var_B8], 1
		mov	[esp+0C8h+var_A8], eax
		mov	[esp+0C8h+var_B0], eax
		mov	[esp+0C8h+var_B7], al
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	edx, [esp+0C8h+var_80]
		mov	[esp+0C8h+var_94], eax
		lea	eax, [esp+0C8h+var_B0]
		push	eax
		push	ebx
		push	ecx
		lea	ecx, [esp+0D4h+var_78]
		call	MiObtainSectionForDriver
		mov	edi, [esp+0C8h+var_B0]
		mov	esi, eax
		test	esi, esi
		js	loc_84BECD
		mov	ecx, [edi+3Ch]
		mov	[esp+0C8h+var_A0], ecx
		test	ecx, ecx
		jz	short loc_84BAB5
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	edx, eax
		mov	ecx, [edx]
		mov	eax, [ecx+4]
		mov	ecx, [esp+0C8h+var_A0]
		jmp	short loc_84BAB9
; 

loc_84BAB5:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+147j
		xor	edx, edx
		xor	eax, eax

loc_84BAB9:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+159j
		mov	[esp+0C8h+var_B0], eax
		mov	[esp+0C8h+var_AC], edx
		test	esi, esi
		jnz	loc_84BB61
		shl	eax, 0Ch
		mov	edx, ebx
		mov	[edi+20h], eax
		lea	eax, [esp+0C8h+var_88]
		push	eax
		mov	byte ptr [esp+0CCh+var_84], 1
		call	MiGetSystemAddressForImage
		mov	ebx, eax
		mov	[esp+0C8h+var_98], ebx
		test	ebx, ebx
		jnz	short loc_84BB04
		push	[esp+0C8h+var_A0]
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, 0C000009Ah
		jmp	loc_84BEFB
; 

loc_84BB04:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+18Ej
		mov	esi, [esp+0C8h+var_AC]
		mov	ecx, esi
		call	MiCheckPurgeAndUpMapCount
		mov	al, byte ptr [esp+0C8h+var_A4]
		mov	[edi+18h], ebx
		mov	[esp+0C8h+var_B7], al
		test	al, al
		jnz	short loc_84BB57
		call	_MmGetMinWsPagePriority@0 ; MmGetMinWsPagePriority()
		mov	[esp+0C8h+var_B4], eax
		test	eax, eax
		jnz	short loc_84BB35
		mov	esi, 0C000060Bh
		jmp	loc_84BED1
; 

loc_84BB35:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+1CFj
		cmp	eax, 2
		jnz	short loc_84BB57
		push	21h
		lea	ecx, [esi+50h]
		mov	edx, 88h
		call	MiReferenceActiveSubsection
		mov	esi, eax
		test	esi, esi
		jns	short loc_84BB57
		xor	eax, eax
		inc	eax
		jmp	loc_84BEBF
; 

loc_84BB57:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+1C2j
					; MmLoadSystemImageEx(x,x,x,x,x,x)+1DEj ...
		mov	eax, [esp+0C8h+var_88]
		mov	[esp+0C8h+var_9C], eax
		jmp	short loc_84BBD3
; 

loc_84BB61:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+169j
		cmp	[esp+0C8h+var_A4], 0
		mov	ebx, [edi+18h]
		mov	[esp+0C8h+var_98], ebx
		jz	short loc_84BB97
		mov	ecx, ebx
		call	MiSessionInsertImage
		mov	esi, eax
		test	esi, esi
		jns	short loc_84BB8A

loc_84BB7C:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+25Dj
					; MmLoadSystemImageEx(x,x,x,x,x,x)+273j
		mov	ecx, [esp+0C8h+var_94]
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		jmp	loc_84BF19
; 

loc_84BB8A:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+220j
		cmp	esi, 110h
		jz	short loc_84BB9F
		mov	[esp+0C8h+var_B7], 1

loc_84BB97:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+213j
		cmp	esi, 110h
		jnz	short loc_84BBCF

loc_84BB9F:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+236j
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		mov	eax, [ebp+arg_C]
		mov	[eax], ebx
		test	dword ptr [edi+34h], 4000000h
		jz	short loc_84BBB9
		mov	esi, 0C000019Dh
		jmp	short loc_84BB7C
; 

loc_84BBB9:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+256j
		mov	esi, [esp+0C8h+var_A4]
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFEF2h
		add	esi, 0C000010Eh
		jmp	short loc_84BB7C
; 

loc_84BBCF:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+243j
		inc	word ptr [edi+38h]

loc_84BBD3:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+205j
		push	[ebp+arg_4]
		mov	edx, ebx
		push	ecx
		mov	ecx, [esp+0D0h+var_A0]
		call	MiMapSystemImage
		mov	esi, eax
		test	esi, esi
		js	loc_84BECD
		cmp	[esp+0C8h+var_A4], 0
		mov	esi, [esp+0C8h+var_B0]
		jnz	short loc_84BC02
		mov	eax, esi
		mov	ecx, offset unk_6D362C
		lock xadd [ecx], eax

loc_84BC02:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+29Bj
		and	[esp+0C8h+var_B0], 0
		test	byte ptr [ebp+arg_4], 21h
		mov	[esp+0C8h+var_A8], 1
		jnz	short loc_84BC56
		mov	eax, [esp+0C8h+var_AC]
		mov	eax, [eax]
		cmp	ebx, [eax+18h]
		jnz	short loc_84BC56
		lea	ecx, [esp+0C8h+var_90]
		call	MiUseLargeDriverPage
		test	eax, eax
		jz	short loc_84BC56
		push	ecx		; int
		mov	ecx, [esp+0CCh+var_A0]
		mov	edx, esi
		push	ebx		; void *
		call	_MiMapSystemImageWithLargePage@16 ; MiMapSystemImageWithLargePage(x,x,x,x)
		mov	[esp+0C8h+var_B0], eax
		test	eax, eax
		jz	short loc_84BC56
		neg	esi
		mov	ecx, offset unk_6CF598
		lock xadd [ecx], esi
		mov	ebx, eax
		mov	[edi+18h], eax
		mov	[esp+0C8h+var_98], ebx

loc_84BC56:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+2B9j
					; MmLoadSystemImageEx(x,x,x,x,x,x)+2C4j ...
		xor	al, al
		cmp	byte ptr [esp+0C8h+var_84], 1
		mov	[esp+0C8h+var_B8], al
		mov	[esp+0C8h+var_B6], al
		jnz	loc_84BD43
		push	ebx
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_84BC81
		mov	esi, 0C0000221h
		jmp	loc_84BECD
; 

loc_84BC81:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+31Bj
		mov	eax, 14Ch
		cmp	[ebx+4], ax
		jnz	loc_84BD39
		add	eax, 0FFFFFFBFh
		cmp	[ebx+18h], ax
		jnz	loc_84BD39
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_84BD04
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		call	_MiValidateStrongCodeDriverImage@8 ; MiValidateStrongCodeDriverImage(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_84BD04
		push	5Ch		; size_t
		lea	eax, [esp+0CCh+var_60]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esp+0D4h+var_90]
		lea	edx, [esp+0D4h+var_60]
		mov	[esp+0D4h+var_34], eax
		add	esp, 0Ch
		mov	eax, [esp+0C8h+var_8C]
		mov	ecx, (offset loc_8BBE81+1)
		mov	[esp+0C8h+var_30], eax
		mov	eax, [ebx+58h]
		mov	[esp+0C8h+var_20], eax
		mov	eax, [ebx+8]
		mov	[esp+0C8h+var_8], eax
		call	_MiLogStrongCodeDriverLoadFailure@8 ; MiLogStrongCodeDriverLoadFailure(x,x)
		jmp	loc_84BEBB
; 

loc_84BD04:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+34Aj
					; MmLoadSystemImageEx(x,x,x,x,x,x)+35Aj
		mov	ebx, [esp+0C8h+var_9C]
		lea	eax, [esp+0C8h+var_70]
		push	eax		; int
		push	ebx		; int
		push	[ebp+arg_4]	; int
		lea	eax, [esp+0D4h+var_78]
		mov	ecx, edi
		push	eax		; void *
		lea	edx, [esp+0D8h+var_90]
		call	MiConstructLoaderEntry
		mov	esi, eax
		test	esi, esi
		js	loc_84BECD
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [esp+0C8h+var_70]
		jmp	short loc_84BD47
; 

loc_84BD39:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+330j
					; MmLoadSystemImageEx(x,x,x,x,x,x)+33Dj
		mov	esi, 0C0000130h
		jmp	loc_84BECD
; 

loc_84BD43:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+30Bj
		mov	ebx, [esp+0C8h+var_9C]

loc_84BD47:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+3DDj
		cmp	[esp+0C8h+var_B4], 2
		mov	[esp+0C8h+var_A8], 5
		jnz	short loc_84BD5D
		or	dword ptr [edi+70h], 80h

loc_84BD5D:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+3FAj
		cmp	[esp+0C8h+var_B0], 0
		jnz	short loc_84BDA6
		cmp	[esp+0C8h+var_A4], 0
		jnz	short loc_84BDA6
		test	ebx, ebx
		jz	short loc_84BD9F
		mov	ecx, [esp+0C8h+var_AC]
		call	MiReferenceControlAreaFile
		mov	esi, eax
		mov	edx, [esi+4]
		mov	ecx, edx
		call	_IoIsDeviceEjectable@4 ; IoIsDeviceEjectable(x)
		test	al, al
		jnz	short loc_84BD8E
		test	byte ptr [edx+20h], 11h
		jz	short loc_84BD90

loc_84BD8E:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+42Cj
		xor	ebx, ebx

loc_84BD90:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+432j
		mov	ecx, [esp+0C8h+var_AC]
		mov	edx, esi
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		test	ebx, ebx
		jnz	short loc_84BDA6

loc_84BD9F:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+413j
		mov	ecx, edi
		call	_MiBackSingleImageWithPagefile@4 ; MiBackSingleImageWithPagefile(x)

loc_84BDA6:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+408j
					; MmLoadSystemImageEx(x,x,x,x,x,x)+40Fj ...
		mov	edx, [esp+0C8h+var_7C]
		lea	eax, [esp+0C8h+var_B6]
		push	eax
		lea	eax, [esp+0CCh+var_90]
		mov	ecx, edi
		push	eax
		lea	eax, [esp+0D0h+var_68]
		push	eax
		call	MiResolveImageImports
		mov	esi, eax
		test	esi, esi
		js	loc_84BEC5
		mov	ecx, edi
		call	_MiProcessLoadConfigForDriver@8	; MiProcessLoadConfigForDriver(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_84BEC5
		mov	ecx, [esp+0C8h+var_AC]
		mov	ebx, [esp+0C8h+var_98]
		mov	eax, [ecx]
		mov	eax, [eax+24h]
		test	byte ptr [eax+1Eh], 40h
		jnz	short loc_84BE33
		mov	eax, [ecx+38h]
		mov	ecx, edi
		push	4
		push	4
		mov	eax, [eax+10h]
		mov	esi, [eax+20h]
		add	esi, ebx
		mov	edx, esi
		call	_MiSetImageProtection@16 ; MiSetImageProtection(x,x,x,x)
		mov	edx, [esp+0C8h+var_AC]
		mov	eax, [edx+38h]
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_84BE17
		mov	ecx, [ecx+14h]

loc_84BE17:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+4B8j
		mov	eax, ebx
		sub	eax, ecx
		mov	[esi], eax
		cmp	dword ptr [edx+58h], 0
		jz	short loc_84BE33
		push	100h
		push	4
		mov	edx, esi
		mov	ecx, edi
		call	_MiSetImageProtection@16 ; MiSetImageProtection(x,x,x,x)

loc_84BE33:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+492j
					; MmLoadSystemImageEx(x,x,x,x,x,x)+4C7j
		push	0
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	VfDriverLoadImage
		mov	ecx, edi
		call	_KseDriverLoadImage@4 ;	KseDriverLoadImage(x)
		mov	esi, eax
		mov	[esp+0C8h+var_A8], 17h
		test	esi, esi
		js	short loc_84BEC5
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	1
		call	MiHandleDriverNonPagedSections
		mov	esi, eax
		test	esi, esi
		js	short loc_84BEC5
		cmp	[esp+0C8h+var_B7], 1
		mov	[esp+0C8h+var_A8], 1Fh
		jnz	short loc_84BE81
		mov	ecx, ebx
		call	_MiSessionLookupImage@4	; MiSessionLookupImage(x)
		mov	byte ptr [eax+24h], 1

loc_84BE81:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+51Aj
		push	[esp+0C8h+var_84]
		mov	edx, [esp+0CCh+var_A0]
		lea	eax, [esp+0CCh+var_90]
		push	eax
		lea	eax, [esp+0D0h+var_78]
		mov	ecx, edi
		push	eax
		push	[esp+0D4h+var_80]
		call	MiDriverLoadSucceeded
		mov	ecx, [esp+0C8h+var_94]
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		mov	eax, [ebp+arg_8]
		xor	esi, esi
		mov	[eax], edi
		mov	eax, [ebp+arg_C]
		mov	[eax], ebx
		mov	al, [esp+0C8h+var_B6]
		mov	[esp+0C8h+var_B8], al

loc_84BEBB:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+3A5j
		mov	eax, [esp+0C8h+var_B4]

loc_84BEBF:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+1F8j
		test	esi, esi
		jns	short loc_84BF19
		jmp	short loc_84BED1
; 

loc_84BEC5:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+46Aj
					; MmLoadSystemImageEx(x,x,x,x,x,x)+47Bj ...
		mov	al, [esp+0C8h+var_B6]
		mov	[esp+0C8h+var_B8], al

loc_84BECD:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+138j
					; MmLoadSystemImageEx(x,x,x,x,x,x)+28Cj ...
		mov	eax, [esp+0C8h+var_B4]

loc_84BED1:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+1D6j
					; MmLoadSystemImageEx(x,x,x,x,x,x)+569j
		test	edi, edi
		jz	short loc_84BEFB
		mov	ebx, [esp+0C8h+var_A8]
		cmp	eax, 2
		jnz	short loc_84BEF2
		test	bl, 4
		jnz	short loc_84BEF2
		mov	ecx, [edi+3Ch]
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	ecx, eax
		call	_MiReturnCrossPartitionControlAreaCharges@4 ; MiReturnCrossPartitionControlAreaCharges(x)

loc_84BEF2:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+582j
					; MmLoadSystemImageEx(x,x,x,x,x,x)+587j
		mov	edx, ebx
		mov	ecx, edi
		call	MiUnloadSystemImage

loc_84BEFB:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+1A5j
					; MmLoadSystemImageEx(x,x,x,x,x,x)+579j
		mov	ecx, [esp+0C8h+var_94]
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		cmp	[esp+0C8h+var_B8], 0
		jnz	short loc_84BF19
		mov	ecx, [esp+0C8h+var_80]
		xor	edx, edx
		push	esi
		push	0
		call	_MiLogFailedDriverLoad@16 ; MiLogFailedDriverLoad(x,x,x,x)

loc_84BF19:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+22Bj
					; MmLoadSystemImageEx(x,x,x,x,x,x)+567j ...
		cmp	[esp+0C8h+var_7C], 0
		jz	short loc_84BF2B
		push	0
		push	[esp+0CCh+var_74]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84BF2B:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+8Fj
					; MmLoadSystemImageEx(x,x,x,x,x,x)+BDj	...
		cmp	[esp+0C8h+var_B5], 0
		jz	short loc_84BF3B
		push	[esp+0C8h+var_6C]
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)

loc_84BF3B:				; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+5D6j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_MmLoadSystemImageEx@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiObtainSectionForDriver proc near	; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+12Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FC81E SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_8]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_10], edx
		mov	edx, large fs:124h
		push	esi
		mov	[ebp+var_C], ebx
		mov	esi, [ebp+var_C]
		push	edi
		mov	[ebp+var_4], ecx
		mov	[eax], ebx
		mov	[ebp+var_8], edx

loc_84BF6E:				; CODE XREF: MiObtainSectionForDriver+9Aj
					; MiObtainSectionForDriver+A0j	...
		mov	edi, _PsLoadedModuleList
		cmp	edi, offset _PsLoadedModuleList
		jz	short loc_84BFA0

loc_84BF7C:				; CODE XREF: MiObtainSectionForDriver+55j
		push	1
		lea	eax, [edi+24h]
		push	eax
		push	ecx
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_84C010
		mov	edi, [edi]
		mov	ecx, [ebp+var_4]
		cmp	edi, offset _PsLoadedModuleList
		jnz	short loc_84BF7C
		mov	edx, [ebp+var_8]

loc_84BFA0:				; CODE XREF: MiObtainSectionForDriver+34j
		test	esi, esi
		jnz	short loc_84BFF3
		mov	ecx, edx
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+arg_4]
		xor	edx, edx
		call	MiCreateSectionForDriver
		mov	esi, eax
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		test	esi, esi
		js	short loc_84C046
		mov	esi, [ebp+var_C]
		mov	ecx, esi
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]
		mov	eax, [eax]
		mov	eax, [eax+24h]
		cmp	[eax+1Eh], bx
		jge	short loc_84BF6E
		cmp	dword ptr [eax+10h], 1
		jnz	short loc_84BF6E
		test	byte ptr [ebp+arg_4], 1
		jnz	short loc_84BF6E
		jmp	loc_8FC81E
; 

loc_84BFF3:				; CODE XREF: MiObtainSectionForDriver+5Cj
		mov	ecx, esi
		call	_MiAllocateTempLoaderEntry@4 ; MiAllocateTempLoaderEntry(x)
		test	eax, eax
		jz	loc_8FC825
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		xor	eax, eax

loc_84C009:				; CODE XREF: MiObtainSectionForDriver+F2j
					; MiObtainSectionForDriver+102j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_84C010:				; CODE XREF: MiObtainSectionForDriver+44j
		test	esi, esi
		jnz	short loc_84C04A

loc_84C014:				; CODE XREF: MiObtainSectionForDriver+10Aj
		mov	ecx, [edi+18h]
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jnz	short loc_84C03A

loc_84C021:				; CODE XREF: MiObtainSectionForDriver+F9j
		xor	ebx, ebx
		inc	ebx

loc_84C024:				; CODE XREF: MiObtainSectionForDriver+F7j
		test	byte ptr [ebp+arg_4], 1
		jz	short loc_84C041
		test	ebx, ebx

loc_84C02C:				; CODE XREF: MiObtainSectionForDriver+FEj
		jz	short loc_84C052
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		mov	eax, 110h
		jmp	short loc_84C009
; 

loc_84C03A:				; CODE XREF: MiObtainSectionForDriver+D9j
		cmp	eax, 1
		jnz	short loc_84C024
		jmp	short loc_84C021
; 

loc_84C041:				; CODE XREF: MiObtainSectionForDriver+E2j
		cmp	ebx, 1
		jmp	short loc_84C02C
; 

loc_84C046:				; CODE XREF: MiObtainSectionForDriver+7Fj
		mov	eax, esi
		jmp	short loc_84C009
; 

loc_84C04A:				; CODE XREF: MiObtainSectionForDriver+CCj
		push	esi
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)
		jmp	short loc_84C014
; 

loc_84C052:				; CODE XREF: MiObtainSectionForDriver:loc_84C02Cj
		mov	eax, 0C0000018h
		jmp	short loc_84C009
MiObtainSectionForDriver endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGenerateSystemImageNames proc	near	; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+E9p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008FC837 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	[ebp+var_4], edx
		mov	edx, ecx
		push	esi
		push	edi
		push	5Ch
		mov	edi, [edx+4]
		movzx	eax, word ptr [edx]
		pop	ebx
		cmp	[edi], bx
		jnz	loc_8FC841
		shr	eax, 1
		lea	eax, [edi+eax*2]
		mov	ecx, eax

loc_84C081:				; CODE XREF: MiGenerateSystemImageNames+33j
		lea	esi, [ecx-2]
		cmp	[esi], bx
		jz	short loc_84C094
		mov	ecx, esi
		cmp	ecx, edi
		jnz	short loc_84C081
		jmp	loc_8FC837
; 

loc_84C094:				; CODE XREF: MiGenerateSystemImageNames+2Dj
		mov	esi, [ebp+arg_4]
		sub	eax, ecx
		and	eax, 0FFFFFFFEh
		mov	[esi], ax

loc_84C09F:				; CODE XREF: MiGenerateSystemImageNames+B07F0j
		mov	ebx, [ebp+arg_8]
		mov	edi, [ebp+arg_C]
		mov	[esi+4], ecx
		mov	ax, [esi]
		mov	ecx, [ebp+var_4]
		mov	[esi+2], ax
		mov	eax, [edx]
		mov	[ebx], eax
		mov	eax, [edx+4]
		mov	[ebx+4], eax
		mov	ax, [esi]
		sub	[ebx], ax
		mov	ax, [ebx]
		mov	[ebx+2], ax
		mov	eax, [edx]
		mov	[edi], eax
		mov	eax, [edx+4]
		mov	[edi+4], eax
		test	ecx, ecx
		jnz	short loc_84C0EB

loc_84C0D7:				; CODE XREF: MiGenerateSystemImageNames+11Aj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	loc_84C179

loc_84C0E2:				; CODE XREF: MiGenerateSystemImageNames+129j
		xor	eax, eax

loc_84C0E4:				; CODE XREF: MiGenerateSystemImageNames+133j
					; MiGenerateSystemImageNames+B07E2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_84C0EB:				; CODE XREF: MiGenerateSystemImageNames+7Bj
		movzx	eax, word ptr [ebx]
		mov	[edi+2], ax
		mov	cx, [ecx]
		add	cx, ax
		movzx	ebx, cx
		mov	[ebp+arg_4], ebx
		mov	ebx, [ebp+arg_8]
		movzx	edx, cx
		cmp	cx, ax
		jb	short loc_84C188
		mov	[edi+2], cx
		mov	ax, [esi]
		add	ax, dx
		movzx	eax, ax
		cmp	ax, word ptr [ebp+arg_4]
		jb	short loc_84C188
		push	0
		mov	ecx, eax
		mov	[edi+2], ax
		push	100h
		mov	edx, 644C6D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[edi+4], eax
		test	eax, eax
		jz	short loc_84C188
		push	ebx
		xor	eax, eax
		push	edi
		mov	[edi], ax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	[ebp+var_4]
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	esi
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		movzx	ecx, word ptr [ebx]
		mov	eax, [edi+4]
		shr	ecx, 1
		lea	eax, [eax+ecx*2]
		mov	ecx, [ebp+var_4]
		mov	[esi+4], eax
		mov	ax, [ecx]
		add	[esi], ax
		mov	ax, [ecx]
		add	[esi+2], ax
		jmp	loc_84C0D7
; 

loc_84C179:				; CODE XREF: MiGenerateSystemImageNames+82j
		mov	eax, [ecx]
		mov	[esi], eax
		mov	eax, [ecx+4]
		mov	[esi+4], eax
		jmp	loc_84C0E2
; 

loc_84C188:				; CODE XREF: MiGenerateSystemImageNames+ADj
					; MiGenerateSystemImageNames+C0j ...
		mov	eax, 0C000009Ah
		jmp	loc_84C0E4
MiGenerateSystemImageNames endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KseShimDriverIoCallbacks proc near	; CODE XREF: IopLoadDriver+493p
					; IopInitializeBuiltinDriver(x,x,x,x,x,x)+2F3p

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FC84F SIZE 00000130 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	eax, [ebp+var_94]
		push	80h		; size_t
		push	0		; int
		push	eax		; void *
		mov	ebx, [edi+18h]
		call	_memset
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		xor	eax, eax
		mov	[ebp+var_14], ecx
		add	esp, 0Ch
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], eax
		mov	esi, ecx
		mov	dword ptr [ebp+var_8], ecx
		test	edx, edx
		jz	short loc_84C235
		cmp	dword_6D4A78, 2
		jnz	short loc_84C224
		test	byte ptr _KseEngine, 1
		jnz	short loc_84C224
		lea	ecx, [ebp+var_C]
		call	KsepStringDuplicateUnicode
		mov	esi, eax
		test	esi, esi
		js	short loc_84C21D
		lea	edx, [ebp+var_14]
		lea	ecx, [ebp+var_C]
		call	_KsepDriverPathTail@8 ;	KsepDriverPathTail(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_84C21D
		mov	ecx, [edi+0Ch]
		lea	edx, [ebp+var_94]
		call	KsepGetShimCallbacksForDriver
		mov	esi, eax
		test	esi, esi
		jns	loc_8FC84F

loc_84C21D:				; CODE XREF: KseShimDriverIoCallbacks+60j
					; KseShimDriverIoCallbacks+71j	...
		xor	ecx, ecx
		call	KsepPoolFreeNonPaged

loc_84C224:				; CODE XREF: KseShimDriverIoCallbacks+49j
					; KseShimDriverIoCallbacks+52j	...
		lea	ecx, [ebp+var_C]
		call	KsepStringFree
		mov	eax, esi

loc_84C22E:				; CODE XREF: KseShimDriverIoCallbacks+F2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4		; char
; 

loc_84C235:				; CODE XREF: KseShimDriverIoCallbacks+40j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryMessagesIndex, eax
		inc	eax
		and	eax, 3Fh
		mov	esi, offset ??_C@_0EA@FDFKMGIG@KSE?3?5Callback?5shimming?5?9?5missin@NNGAKEGL@ ; "KSE: Callback	shimming - missing driver"...
		test	_KsepDebugFlag,	1
		push	8
		mov	dword_6C7244[eax*8], ecx
		pop	ecx
		mov	word_6C7242[eax*8], cx
		mov	ecx, 94h
		mov	_KsepHistoryMessages[eax*8], cx
		jnz	loc_8FC970

loc_84C275:				; CODE XREF: KseShimDriverIoCallbacks+B07E8j
		push	esi
		push	0
		call	_KsepLogInfo
		pop	ecx
		pop	ecx
		mov	eax, 0C000000Dh
		jmp	short loc_84C22E
KseShimDriverIoCallbacks endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepGetShimCallbacksForDriver proc near	; CODE XREF: KseShimDriverIoCallbacks+7Cp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FC97F SIZE 0000038B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edx
		xor	esi, esi
		inc	edi
		mov	[ebp+var_10], esi
		mov	ebx, ecx
		push	7
		pop	ecx
		test	edx, edx
		jz	loc_8FC97F

loc_84C2A9:				; CODE XREF: KsepGetShimCallbacksForDriver+B072Ej
					; KsepGetShimCallbacksForDriver+B0748j
		push	80h		; size_t
		push	esi		; int
		push	edx		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_10]
		mov	edx, ebx
		mov	ecx, offset _KseEngine
		push	eax
		call	KsepIsModuleShimmed
		test	eax, eax
		jnz	loc_8FC9D3
		mov	esi, 0C0000225h

loc_84C2D5:				; CODE XREF: KsepGetShimCallbacksForDriver+B0A7Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn			; char
KsepGetShimCallbacksForDriver endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpPrepareDriverLoading	proc near	; CODE XREF: IopLoadDriver+244p
					; IopInitializeBuiltinDriver(x,x,x,x,x,x)+26Ap

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FCD0A SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_1C], 0
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_24], ecx
		and	dword ptr [ebx], 0
		push	eax
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8FCD0A
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		mov	edx, esi
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+arg_4]
		push	dword ptr [ecx+50h]
		mov	ecx, [ebp+var_24]
		push	[ebp+var_20]
		call	PpCheckInDriverDatabase
		mov	esi, eax
		cmp	esi, 0C000036Ch
		jz	short loc_84C396
		cmp	esi, 0C000036Bh
		jz	short loc_84C396

loc_84C34B:				; CODE XREF: PnpPrepareDriverLoading+C2j
		mov	ecx, [ebp+var_28]
		lea	eax, [ebp+var_1C]
		push	eax
		push	0
		mov	edx, offset ??_C@_1BC@JLNJLCPI@?$AAP?$AAn?$AAp?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@ ; "PnpFlags"
		call	IopGetRegistryValue
		test	eax, eax
		jns	short loc_84C375

loc_84C362:				; CODE XREF: PnpPrepareDriverLoading+B8j
		mov	eax, esi

loc_84C364:				; CODE XREF: PnpPrepareDriverLoading+B0A33j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_84C375:				; CODE XREF: PnpPrepareDriverLoading+84j
		mov	ecx, [ebp+var_1C]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_84C38C
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_84C38C
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	[ebx], eax

loc_84C38C:				; CODE XREF: PnpPrepareDriverLoading+A0j
					; PnpPrepareDriverLoading+A6j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_84C362
; 

loc_84C396:				; CODE XREF: PnpPrepareDriverLoading+65j
					; PnpPrepareDriverLoading+6Dj
		lea	ecx, [ebp+var_18]
		call	_PnpSetBlockedDriverEvent@4 ; PnpSetBlockedDriverEvent(x)
		jmp	short loc_84C34B
PnpPrepareDriverLoading	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpCheckInDriverDatabase	proc near	; CODE XREF: PnpPrepareDriverLoading+58p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008FCD14 SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		cmp	_InitIsWinPEMode, 0
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		jnz	loc_84C47A
		cmp	ds:_PpBootDDBInitialized, 0
		jz	loc_84C47A
		lea	eax, [ebp+var_8]
		push	eax
		call	IopBuildFullDriverPath
		mov	esi, eax
		mov	ebx, 0C000036Bh
		test	esi, esi
		js	loc_8FCD14
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiDDBLock
		call	ExAcquireResourceExclusiveLite
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_0]
		push	ecx
		lea	ecx, [ebp+var_8]
		call	PiLookupInDDBCache
		mov	esi, eax
		cmp	esi, 0C0000001h
		jnz	short loc_84C42B
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_8]
		push	[ebp+arg_4]
		call	PiLookupInDDB
		mov	esi, eax

loc_84C42B:				; CODE XREF: PpCheckInDriverDatabase+76j
		cmp	esi, 0C000036Ch
		jz	short loc_84C471

loc_84C433:				; CODE XREF: PpCheckInDriverDatabase+D4j
					; PpCheckInDriverDatabase+D8j
		mov	ecx, offset _PiDDBLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	edi
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84C452:				; CODE XREF: PpCheckInDriverDatabase+B097Bj
					; PpCheckInDriverDatabase+B09AEj
		cmp	esi, 0C000036Ch
		jz	loc_8FCD53
		cmp	esi, ebx
		jz	loc_8FCD53
		mov	esi, edi

loc_84C468:				; CODE XREF: PpCheckInDriverDatabase+B09BAj
					; PpCheckInDriverDatabase+B09C9j
		mov	eax, esi

loc_84C46A:				; CODE XREF: PpCheckInDriverDatabase+DCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_84C471:				; CODE XREF: PpCheckInDriverDatabase+91j
		cmp	[ebp+arg_8], edi
		jnz	short loc_84C433
		mov	esi, ebx
		jmp	short loc_84C433
; 

loc_84C47A:				; CODE XREF: PpCheckInDriverDatabase+1Aj
					; PpCheckInDriverDatabase+27j
		xor	eax, eax
		jmp	short loc_84C46A
PpCheckInDriverDatabase	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiLookupInDDBCache proc	near		; CODE XREF: PpCheckInDriverDatabase+69p

var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FCD6E SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	esi, ecx
		mov	[ebp+var_34], eax
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_30], edx
		lea	edi, [ebp+var_2C]
		mov	ds:dword_A944E4, eax
		rep stosd
		push	offset _PiDDBCacheTable
		mov	ebx, 0C0000001h
		call	_RtlIsGenericTableEmptyAvl@4 ; RtlIsGenericTableEmptyAvl(x)
		test	al, al
		jnz	short loc_84C521
		push	[ebp+var_30]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_84C521
		push	5Ch		; wchar_t
		push	dword ptr [esi+4] ; wchar_t *
		call	_wcsrchr
		pop	ecx
		pop	ecx
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8FCD6E
		add	ecx, 2

loc_84C4E7:				; CODE XREF: PiLookupInDDBCache+B08F3j
		mov	[ebp+var_20], ecx
		lea	edx, [ecx+2]
		xor	esi, esi

loc_84C4EF:				; CODE XREF: PiLookupInDDBCache+7Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_84C4EF
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ecx+ecx]
		mov	word ptr [ebp+var_24], ax
		mov	word ptr [ebp+var_24+2], ax
		mov	eax, [edi+8]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	offset _PiDDBCacheTable
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		test	eax, eax
		jnz	short loc_84C534

loc_84C521:				; CODE XREF: PiLookupInDDBCache+40j
					; PiLookupInDDBCache+4Ej ...
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_84C534:				; CODE XREF: PiLookupInDDBCache+A1j
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_84C575
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_84C575
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	edx, offset _PiDDBCacheList
		mov	ecx, ds:dword_A944EC
		cmp	[ecx], edx
		jnz	short loc_84C575
		mov	edi, [ebp+var_34]
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:dword_A944EC, eax
		mov	ebx, [eax+14h]
		test	edi, edi
		jz	short loc_84C521
		lea	esi, [eax+18h]
		movsd
		movsd
		movsd
		movsd
		jmp	short loc_84C521
; 

loc_84C575:				; CODE XREF: PiLookupInDDBCache+BBj
					; PiLookupInDDBCache+C2j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

IopBuildFullDriverPath:			; CODE XREF: PpCheckInDriverDatabase+31p
					; IopLoadDriver+189p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		push	18h
		pop	eax
		push	1Ah
		mov	word ptr [ebp+var_38], ax
		mov	ebx, edx
		pop	eax
		push	22h
		mov	word ptr [ebp+var_38+2], ax
		pop	eax
		push	24h
		mov	word ptr [ebp+var_40], ax
		pop	eax
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_34], offset ??_C@_1BK@DHFJHPDK@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2@NNGAKEGL@ ; "\\"
		mov	word ptr [ebp+var_40+2], ax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edx, [ebp+var_20]
		mov	[ebp+arg_0], esi
		mov	ecx, ebx
		call	IopQueryRegistryKeySystemPath
		mov	esi, eax
		test	esi, esi
		js	loc_84C728
		lea	eax, [ebp+arg_0]
		mov	edx, offset ??_C@_1BE@CMLCLKJK@?$AAI?$AAm?$AAa?$AAg?$AAe?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@ ; "ImagePath"
		push	eax
		push	100h
		mov	ecx, ebx
		call	IopGetRegistryValue
		mov	ebx, [ebp+arg_0]
		test	eax, eax
		js	loc_84C76E
		mov	eax, [ebx+0Ch]
		cmp	eax, 2
		jb	loc_84C76E
		cmp	eax, 0FFFFh
		ja	loc_8FCD76
		movzx	eax, ax
		mov	word ptr [ebp+var_10+2], ax
		add	eax, 0FFFFFFFEh
		mov	word ptr [ebp+var_10], ax
		mov	esi, [ebx+8]
		add	esi, ebx
		movzx	ecx, ax
		mov	[ebp+var_C], esi
		mov	[ebp+arg_0], ecx
		cmp	word ptr [esi],	5Ch
		jz	loc_84C73A
		mov	eax, [ebp+var_20]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_14], eax

loc_84C689:				; CODE XREF: PiLookupInDDBCache+2EBj
					; PiLookupInDDBCache+325j
		movzx	eax, word ptr [ebp+var_28]
		movzx	ecx, word ptr [ebp+var_30]
		add	ecx, eax
		movzx	eax, word ptr [ebp+var_18]
		add	ecx, eax
		movzx	eax, word ptr [ebp+var_10]
		add	eax, 2
		add	eax, ecx
		cmp	eax, 0FFFFh
		ja	loc_8FCD76
		xor	edx, edx
		movzx	eax, ax
		xor	ecx, ecx
		mov	[edi], dx
		mov	edx, eax
		mov	[edi+2], ax
		inc	ecx
		call	IopVerifierExAllocatePool
		mov	[edi+4], eax
		test	eax, eax
		jz	loc_8FCD80
		lea	eax, [ebp+var_18]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_84C71C
		lea	eax, [ebp+var_28]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_84C71C
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_84C71C
		lea	eax, [ebp+var_30]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_84C71C
		movzx	ecx, word ptr [edi]
		mov	eax, [edi+4]
		shr	ecx, 1
		xor	edx, edx
		mov	[eax+ecx*2], dx

loc_84C71C:				; CODE XREF: PiLookupInDDBCache+25Ej
					; PiLookupInDDBCache+26Ej ...
		test	ebx, ebx
		jz	short loc_84C728
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84C728:				; CODE XREF: PiLookupInDDBCache+19Cj
					; PiLookupInDDBCache+2A0j
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_84C73A:				; CODE XREF: PiLookupInDDBCache+1F9j
		push	1
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_84C7A8
		mov	eax, [ebp+var_20]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_14], eax
		lea	eax, [esi+18h]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFE8h
		mov	word ptr [ebp+var_10], ax
		jmp	loc_84C689
; 

loc_84C76E:				; CODE XREF: PiLookupInDDBCache+1BCj
					; PiLookupInDDBCache+1C8j
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_40]
		mov	[ebp+var_28], eax
		mov	eax, [ecx]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_24], offset ??_C@_1CE@GJFMKGAN@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA3?$AA2?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@NNGAKEGL@
		push	offset ??_C@_19GEHBKJLM@?$AA?4?$AAS?$AAY?$AAS@NNGAKEGL@

loc_84C79D:				; CODE XREF: PiLookupInDDBCache+32Fj
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_84C689
; 

loc_84C7A8:				; CODE XREF: PiLookupInDDBCache+2CDj
		push	0
		lea	eax, [ebp+var_18]
		jmp	short loc_84C79D
PiLookupInDDBCache endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopLoadDriver	proc near		; CODE XREF: IopLoadUnloadDriver(x)+48p
					; PipCallDriverAddDeviceQueryRoutine+16Cp ...

var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6D		= byte ptr -6Dh
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FCD8A SIZE 00000217 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_BC], eax
		push	esi
		push	edi
		mov	[eax], ebx
		mov	edi, ecx
		xor	eax, eax
		mov	[ebp+var_6D], dl
		mov	[ebp+var_60], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_88]
		mov	[ebp+var_64], edi
		push	eax
		push	ebx
		push	ebx
		push	ebx
		mov	esi, ebx
		mov	[ebp+var_A4], ebx
		push	edi
		mov	[ebp+var_88], ebx
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], esi
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_78], ebx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_B4], ebx
		call	NtQueryKey
		cmp	eax, 0C0000023h
		jnz	loc_8FCD8A

loc_84C840:				; CODE XREF: IopLoadDriver+B05DFj
		mov	ecx, [ebp+var_88]
		lea	eax, [ebp+var_AC]
		push	eax
		push	8
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_8FCD9F
		mov	edx, [ebp+var_AC]
		mov	ecx, 200h
		call	IopVerifierExAllocatePool
		mov	[ebp+var_A4], eax
		test	eax, eax
		jz	loc_8FCDA9
		lea	ecx, [ebp+var_88]
		push	ecx
		push	[ebp+var_88]
		push	eax
		push	ebx
		push	edi
		call	NtQueryKey
		mov	ebx, eax
		test	ebx, ebx
		js	loc_84CD62
		mov	esi, [ebp+var_A4]
		push	2
		pop	ebx
		movzx	ecx, word ptr [esi+0Ch]
		mov	word ptr [ebp+var_60], cx
		lea	eax, [ecx+8]
		lea	edx, [ebx+ecx]
		mov	word ptr [ebp+var_60+2], ax
		xor	ecx, ecx
		lea	eax, [esi+10h]
		inc	ecx
		mov	[ebp+var_5C], eax
		call	IopVerifierExAllocatePool
		mov	edi, eax
		mov	[ebp+var_68], edi
		test	edi, edi
		jz	loc_8FCF29
		mov	dx, word ptr [ebp+var_60]
		mov	ecx, [ebp+var_60]
		movzx	esi, dx
		add	ecx, ebx
		push	esi		; size_t
		push	[ebp+var_5C]	; void *
		mov	word ptr [ebp+var_6C], dx
		push	edi		; void *
		mov	word ptr [ebp+var_6C+2], cx
		call	_memcpy
		add	esp, 0Ch
		shr	esi, 1
		xor	eax, eax
		mov	[edi+esi*2], ax
		lea	eax, [ebp+var_60]
		push	offset ??_C@_19GEHBKJLM@?$AA?4?$AAS?$AAY?$AAS@NNGAKEGL@	; void *
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		xor	ecx, ecx
		lea	edx, [ebp+var_60]
		inc	ecx
		call	HeadlessKernelAddLogEntry
		lea	edx, [ebp+var_6C]
		mov	ecx, offset _KMPnPEvt_DriverLoad_Start
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		xor	esi, esi
		cmp	_InitSafeBootMode, esi
		jnz	loc_84CD53

loc_84C92D:				; CODE XREF: IopLoadDriver+5A7j
		mov	edi, [ebp+var_64]

loc_84C930:				; CODE XREF: IopLoadDriver+B0683j
					; IopLoadDriver+B0695j
		lea	eax, [ebp+var_60]
		mov	edx, edi
		push	eax
		lea	ecx, [ebp+var_6C]
		call	IopBuildFullDriverPath
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8FCE87
		lea	edx, [ebp+var_7C]
		mov	ecx, edi
		call	IopGetDriverNameFromKeyNode
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8FCF37
		mov	eax, _IopCaseInsensitive
		neg	eax
		mov	[ebp+var_D4], 18h
		push	1
		sbb	eax, eax
		mov	[ebp+var_D0], esi
		and	eax, 40h
		mov	[ebp+var_C4], esi
		add	eax, 210h
		mov	[ebp+var_C0], esi
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_7C]
		push	offset _IopDriverLoadResource
		mov	[ebp+var_CC], eax
		call	ExAcquireResourceExclusiveLite
		lea	eax, [ebp+var_80]
		push	eax
		lea	eax, [ebp+var_8C]
		push	eax
		push	esi
		push	esi
		push	esi
		lea	eax, [ebp+var_60]
		push	eax
		call	_MmLoadSystemImage@24 ;	MmLoadSystemImage(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_84CDB1
		push	[ebp+var_80]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	edx, edi
		movzx	ecx, word ptr [eax+44h]
		movzx	eax, word ptr [eax+46h]
		shl	ecx, 10h
		or	ecx, eax
		lea	eax, [ebp+var_B4]
		push	eax
		movzx	eax, [ebp+arg_0]
		push	eax
		push	[ebp+var_80]
		mov	[ebp+var_A8], ecx
		lea	ecx, [ebp+var_6C]
		call	PnpPrepareDriverLoading
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8FCEB9
		mov	eax, large fs:124h
		mov	edi, 0D0h
		mov	edx, ds:_IoDriverObjectType
		push	esi
		mov	cl, [eax+15Ah]
		lea	eax, [ebp+var_B0]
		push	eax
		push	esi
		push	esi
		push	edi
		push	ecx
		push	esi
		lea	eax, [ebp+var_D4]
		push	eax
		call	ObCreateObjectEx
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8FCEB9
		push	edi		; size_t
		push	esi		; int
		mov	esi, [ebp+var_B0]
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+0A8h]
		mov	[esi+18h], eax
		lea	edi, [esi+38h]
		mov	[eax], esi
		mov	eax, offset _IopInvalidDeviceRequest@8 ; IopInvalidDeviceRequest(x,x)
		push	1Ch
		pop	edx
		mov	ecx, edx
		mov	[ebp+var_B8], edx
		rep stosd
		push	4
		pop	eax
		mov	[esi], ax
		mov	eax, 0A8h
		mov	[esi+2], ax
		push	[ebp+var_80]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	edx, eax
		movzx	eax, word ptr [edx+44h]
		movzx	ecx, word ptr [edx+46h]
		shl	eax, 10h
		or	eax, ecx
		mov	ecx, [edx+28h]
		add	ecx, [ebp+var_80]
		mov	[ebp+var_A8], eax
		mov	eax, 2000h
		test	[edx+5Eh], ax
		jnz	short loc_84CAB1
		push	2
		pop	eax
		or	[esi+8], eax

loc_84CAB1:				; CODE XREF: IopLoadDriver+2F9j
		mov	[esi+2Ch], ecx
		xor	edi, edi
		mov	eax, [ebp+var_8C]
		mov	ecx, esi
		mov	[esi+14h], eax
		mov	eax, [ebp+var_80]
		mov	[esi+0Ch], eax
		mov	eax, [edx+50h]
		xor	edx, edx
		mov	[esi+10h], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	edi
		push	edi
		push	edi
		push	1
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	ecx, offset _IopDriverLoadResource
		mov	ebx, eax
		call	ExReleaseResourceLite
		test	ebx, ebx
		js	loc_84CE34
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_90]
		push	edi
		push	ecx
		mov	[ebp+var_90], edi
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_84], al
		push	[ebp+var_84]
		mov	eax, ds:_IoDriverObjectType
		push	eax
		push	edi
		push	[ebp+var_74]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		jnz	loc_8FCEC9
		push	[ebp+var_74]
		call	_ZwClose@4	; ZwClose(x)
		mov	esi, [ebp+var_90]
		mov	edi, 200h
		mov	ecx, edi
		mov	dword ptr [esi+24h], offset _CmRegistryMachineHardwareDescriptionSystemName
		movzx	edx, word ptr [ebp+var_7C+2]
		call	IopVerifierExAllocatePool
		mov	[esi+20h], eax
		test	eax, eax
		jz	short loc_84CB7D
		mov	ax, word ptr [ebp+var_7C+2]
		mov	[esi+1Eh], ax
		mov	ax, word ptr [ebp+var_7C]
		mov	[esi+1Ch], ax
		movzx	eax, word ptr [ebp+var_7C+2]
		push	eax		; size_t
		push	[ebp+var_78]	; void *
		push	dword ptr [esi+20h] ; void *
		call	_memcpy
		add	esp, 0Ch

loc_84CB7D:				; CODE XREF: IopLoadDriver+3A8j
		mov	ebx, 1000h
		mov	ecx, edi
		mov	edx, ebx
		call	IopVerifierExAllocatePool
		mov	edi, eax
		mov	[ebp+var_84], edi
		test	edi, edi
		jz	loc_8FCEDE
		lea	eax, [ebp+var_B8]
		push	eax
		push	ebx
		push	edi
		push	1
		push	[ebp+var_64]
		call	NtQueryObject
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8FCEF8
		mov	edi, [ebp+var_68]
		test	edi, edi
		jz	short loc_84CC01
		mov	bx, word ptr [ebp+var_6C+2]
		mov	ecx, 200h
		movzx	edx, bx
		call	IopVerifierExAllocatePool
		mov	ecx, [esi+18h]
		mov	[ecx+10h], eax
		mov	eax, [esi+18h]
		cmp	dword ptr [eax+10h], 0
		jz	short loc_84CC01
		mov	[eax+0Eh], bx
		mov	ecx, [esi+18h]
		mov	ax, word ptr [ebp+var_6C]
		mov	[ecx+0Ch], ax
		movzx	eax, bx
		push	eax		; size_t
		mov	eax, [esi+18h]
		push	edi		; void *
		push	dword ptr [eax+10h] ; void *
		call	_memcpy
		add	esp, 0Ch

loc_84CC01:				; CODE XREF: IopLoadDriver+40Dj
					; IopLoadDriver+42Dj
		test	byte ptr [ebp+var_B4], 1
		jnz	loc_8FCF12

loc_84CC0E:				; CODE XREF: IopLoadDriver+B0769j
		mov	edi, [ebp+var_84]
		mov	ecx, offset _KMPnPEvt_DriverInit_Start
		mov	edx, edi
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		mov	ecx, esi
		call	VfDifCaptureDriverEntry
		mov	edx, edi
		mov	ecx, esi
		call	_PnpCallDriverEntry@8 ;	PnpCallDriverEntry(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_84CC48
		mov	ecx, esi
		call	_VfDifCaptureIoCallbacks@4 ; VfDifCaptureIoCallbacks(x)
		lea	eax, [ebp+var_60]
		mov	ecx, esi
		push	eax
		call	KseShimDriverIoCallbacks

loc_84CC48:				; CODE XREF: IopLoadDriver+484j
		push	ebx
		mov	edx, edi
		mov	ecx, offset _KMPnPEvt_DriverInit_Stop
		call	_PnpDiagnosticTraceObjectWithStatus@12 ; PnpDiagnosticTraceObjectWithStatus(x,x,x)
		mov	eax, [ebp+var_BC]
		mov	[eax], ebx
		test	ebx, ebx
		js	loc_84CE43

loc_84CC65:				; CODE XREF: IopLoadDriver+698j
		push	1Ch
		lea	eax, [esi+38h]
		pop	ecx

loc_84CC6B:				; CODE XREF: IopLoadDriver+4CAj
		cmp	dword ptr [eax], 0
		jz	loc_8FCF1E

loc_84CC74:				; CODE XREF: IopLoadDriver+B0774j
		add	eax, 4
		sub	ecx, 1
		jnz	short loc_84CC6B
		push	ecx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		js	loc_84CE4D
		mov	dl, 1
		lea	ecx, [ebp+var_60]
		call	IopBootLog
		mov	esi, [esi+14h]
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	ecx, esi
		mov	edi, eax
		call	_MiFreeDriverInitialization@4 ;	MiFreeDriverInitialization(x)
		mov	ecx, edi
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		mov	ecx, [ebp+var_90]
		call	_IopReadyDeviceObjects@4 ; IopReadyDeviceObjects(x)
		add	ecx, 1Ch
		call	EtwTiLogDriverObjectLoad

loc_84CCC0:				; CODE XREF: IopLoadDriver+68Ej
					; IopLoadDriver+6AAj ...
		mov	esi, [ebp+var_68]
		test	ebx, ebx
		js	loc_84CD62

loc_84CCCB:				; CODE XREF: IopLoadDriver+5B8j
		push	2

loc_84CCCD:				; CODE XREF: IopLoadDriver+5C0j
		pop	eax
		xor	edx, edx
		mov	ecx, eax
		call	HeadlessKernelAddLogEntry
		test	ebx, ebx
		js	loc_84CD75

loc_84CCDF:				; CODE XREF: IopLoadDriver+5CBj
					; IopLoadDriver+B07ECj
		mov	edi, [ebp+var_64]

loc_84CCE2:				; CODE XREF: IopLoadDriver+5E1j
					; IopLoadDriver+5F6j ...
		mov	eax, [ebp+var_A4]
		test	eax, eax
		jz	short loc_84CCF4
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84CCF4:				; CODE XREF: IopLoadDriver+53Aj
		test	esi, esi
		jz	short loc_84CD18
		push	[ebp+var_A8]
		lea	eax, [ebp+var_7C]
		mov	ecx, offset _KMPnPEvt_DriverLoad_Stop
		push	eax
		push	ebx
		lea	edx, [ebp+var_6C]
		call	_PnpDiagnosticTraceDriverFullInfo@20 ; PnpDiagnosticTraceDriverFullInfo(x,x,x,x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84CD18:				; CODE XREF: IopLoadDriver+546j
		cmp	[ebp+var_78], 0
		jz	short loc_84CD28
		push	0
		push	[ebp+var_78]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84CD28:				; CODE XREF: IopLoadDriver+56Cj
		cmp	[ebp+var_5C], 0
		jz	short loc_84CD38
		push	0
		push	[ebp+var_5C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84CD38:				; CODE XREF: IopLoadDriver+57Cj
		push	0
		push	edi
		call	ObCloseHandle
		mov	eax, ebx

loc_84CD42:				; CODE XREF: IopLoadDriver+B06D2j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_84CD53:				; CODE XREF: IopLoadDriver+177j
		cmp	[ebp+var_6D], 0
		jz	loc_84C92D
		jmp	loc_8FCDB3
; 

loc_84CD62:				; CODE XREF: IopLoadDriver+E4j
					; IopLoadDriver+515j ...
		cmp	ebx, 0C000010Eh
		jz	loc_84CCCB

loc_84CD6E:				; CODE XREF: IopLoadDriver+B05EAj
					; IopLoadDriver+B05F4j	...
		push	3
		jmp	loc_84CCCD
; 

loc_84CD75:				; CODE XREF: IopLoadDriver+529j
		cmp	ebx, 0C000025Eh
		jz	loc_84CCDF
		and	[ebp+var_A0], 0
		mov	edi, [ebp+var_64]
		cmp	ebx, 0C000010Eh
		jz	loc_84CCE2
		xor	edx, edx
		mov	ecx, edi
		call	PnpDriverLoadingFailed
		cmp	ebx, 0C0000365h
		jz	loc_84CCE2
		jmp	loc_8FCF3F
; 

loc_84CDB1:				; CODE XREF: IopLoadDriver+20Fj
		cmp	ebx, 0C000010Eh
		jnz	short loc_84CE2A
		mov	esi, ds:_IoDriverObjectType
		lea	eax, [ebp+var_74]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		xor	edi, edi
		lea	eax, [ebp+var_D4]
		push	edi
		push	edi
		push	edi
		push	edi
		push	esi
		push	eax
		call	ObOpenObjectByNameEx
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8FCE8F
		mov	eax, ds:_IoDriverObjectType
		lea	ecx, [ebp+var_9C]
		push	edi
		push	ecx
		push	edi
		push	eax
		push	edi
		push	[ebp+var_74]
		mov	[ebp+var_9C], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[ebp+var_74]
		mov	ebx, eax
		call	_ZwClose@4	; ZwClose(x)
		test	ebx, ebx
		js	short loc_84CE2A
		mov	ecx, [ebp+var_9C]
		call	IopResurrectDriver
		mov	ecx, [ebp+var_9C]
		mov	ebx, eax
		call	ObfDereferenceObject

loc_84CE2A:				; CODE XREF: IopLoadDriver+607j
					; IopLoadDriver+660j ...
		mov	ecx, offset _IopDriverLoadResource
		call	ExReleaseResourceLite

loc_84CE34:				; CODE XREF: IopLoadDriver+33Bj
		xor	dl, dl
		lea	ecx, [ebp+var_60]
		call	IopBootLog
		jmp	loc_84CCC0
; 

loc_84CE43:				; CODE XREF: IopLoadDriver+4AFj
		mov	ebx, 0C0000365h
		jmp	loc_84CC65
; 

loc_84CE4D:				; CODE XREF: IopLoadDriver+4D5j
		push	esi
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	loc_84CCC0
IopLoadDriver	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopQueryRegistryKeySystemPath proc near	; CODE XREF: PiLookupInDDBCache+193p
					; PiDrvDbResolveKeyFilePaths(x)+33p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FCFA1 SIZE 000000F5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		push	ebx
		push	esi
		push	edi
		push	6
		xor	eax, eax
		mov	[ebp+var_10], edx
		mov	esi, ecx
		mov	[ebp+var_24], offset ??_C@_1O@GINMMDNN@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm@NNGAKEGL@
		pop	ecx
		push	0Ch
		lea	edi, [ebp+var_50]
		mov	[ebp+var_34], offset ??_C@_1BK@DHFJHPDK@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2@NNGAKEGL@ ; "\\"
		rep stosd
		pop	eax
		push	0Eh
		mov	word ptr [ebp+var_28], ax
		xor	ebx, ebx
		pop	eax
		push	18h
		mov	word ptr [ebp+var_28+2], ax
		pop	eax
		push	1Ah
		mov	word ptr [ebp+var_38], ax
		pop	eax
		push	1Ch
		mov	word ptr [ebp+var_38+2], ax
		pop	eax
		push	1Eh
		mov	word ptr [ebp+var_30], ax
		pop	eax
		push	ebx
		push	edx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		mov	word ptr [ebp+var_30+2], ax
		mov	[ebp+var_2C], offset ??_C@_1BO@DFBFEJHF@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAo?$AAr?$AAe?$AAs?$AA?2@NNGAKEGL@ ; "\\DriverStores\\"
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ecx, ecx
		mov	edi, 1000h
		mov	edx, edi
		inc	ecx
		call	IopVerifierExAllocatePool
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jz	loc_8FCFA1
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		push	ebx
		push	1
		push	esi
		call	NtQueryObject
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		js	loc_84D009
		movzx	edi, ds:_CmRegistryMachineName
		push	2
		pop	eax
		add	edi, eax
		cmp	[ebx], di
		jb	loc_8FD08C
		push	1
		push	ebx
		push	offset _CmRegistryMachineName
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_8FD08C
		mov	eax, [ebx+4]
		mov	ecx, edi
		shr	ecx, 1
		push	5Ch
		lea	edx, [eax+ecx*2]
		pop	eax
		cmp	[edx-2], ax
		jnz	loc_8FD08C
		mov	[ebp+var_1C], edx
		xor	eax, eax
		mov	cx, [ebx]
		sub	cx, di
		xor	edi, edi
		mov	word ptr [ebp+var_20+2], cx
		mov	word ptr [ebp+var_20], di
		cmp	ax, cx
		jnb	short loc_84CF9D
		push	2
		pop	ebx
		push	5Ch
		pop	esi

loc_84CF80:				; CODE XREF: IopQueryRegistryKeySystemPath+135j
		movzx	eax, di
		shr	eax, 1
		cmp	[edx+eax*2], si
		jz	short loc_84CF97
		add	di, bx
		mov	word ptr [ebp+var_20], di
		cmp	di, cx
		jb	short loc_84CF80

loc_84CF97:				; CODE XREF: IopQueryRegistryKeySystemPath+129j
		mov	esi, [ebp+var_8]
		mov	ebx, [ebp+var_C]

loc_84CF9D:				; CODE XREF: IopQueryRegistryKeySystemPath+118j
		push	1
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	loc_8FCFAB

loc_84CFB4:				; CODE XREF: IopQueryRegistryKeySystemPath+B020Dj
					; IopQueryRegistryKeySystemPath+B0218j
		cmp	word ptr [ebp+var_18], 0
		jnz	short loc_84CFF0
		push	1Ah
		pop	edi
		cmp	word ptr [ebp+var_18+2], di
		jnb	short loc_84CFE3
		cmp	[ebp+var_14], 0
		jnz	loc_8FD07D

loc_84CFCE:				; CODE XREF: IopQueryRegistryKeySystemPath+B0227j
		xor	ecx, ecx
		mov	word ptr [ebp+var_18+2], di
		mov	edx, edi
		inc	ecx
		call	IopVerifierExAllocatePool
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_84D021

loc_84CFE3:				; CODE XREF: IopQueryRegistryKeySystemPath+162j
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)

loc_84CFF0:				; CODE XREF: IopQueryRegistryKeySystemPath+159j
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_18]
		push	0
		mov	[ecx], eax
		mov	eax, [ebp+var_14]
		mov	[ecx+4], eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_84D009:				; CODE XREF: IopQueryRegistryKeySystemPath+B9j
					; IopQueryRegistryKeySystemPath+1C6j ...
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84D011:				; CODE XREF: IopQueryRegistryKeySystemPath+B0146j
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84D021:				; CODE XREF: IopQueryRegistryKeySystemPath+181j
					; IopQueryRegistryKeySystemPath+B017Aj
		mov	esi, 0C000009Ah
		jmp	short loc_84D009
IopQueryRegistryKeySystemPath endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetDriverNameFromKeyNode proc near	; CODE XREF: IopLoadDriver+19Dp
					; IopUnloadDriver+86p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FD096 SIZE 000000CC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_8]
		mov	ebx, edx
		push	eax
		mov	edi, ecx
		mov	[ebp+var_18], ebx
		xor	esi, esi
		mov	[ebp+var_14], edi
		push	40h
		mov	edx, offset ??_C@_1BG@OBMODCLN@?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@ ; "ObjectName"
		mov	[ebp+var_8], esi
		call	IopGetRegistryValue
		test	eax, eax
		jns	loc_8FD096
		lea	eax, [ebp+var_8]
		mov	[ebp+var_C], esi
		push	eax
		push	esi
		mov	edx, offset ??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@NNGAKEGL@
		mov	[ebp+var_20], esi
		mov	ecx, edi
		mov	[ebp+var_1C], esi
		call	IopGetRegistryValue
		test	eax, eax
		js	loc_8FD158
		mov	esi, [ebp+var_8]
		cmp	dword ptr [esi+0Ch], 0
		jz	loc_8FD150
		mov	eax, [esi+8]
		mov	[ebp+var_10], offset ??_C@_1BC@PAOLLJBM@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2@NNGAKEGL@
		mov	eax, [esi+eax]
		cmp	eax, 2
		jz	loc_84D17A
		mov	[ebp+var_8], 10h
		cmp	eax, 8
		jz	loc_84D17A

loc_84D0AF:				; CODE XREF: IopGetDriverNameFromKeyNode+160j
		mov	edx, 0A4h
		mov	ecx, 200h
		mov	[ebp+var_4], edx
		call	IopVerifierExAllocatePool
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8FD13C
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		push	ebx
		push	0
		push	edi
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 80000005h
		jz	loc_8FD0E7
		cmp	edi, 0C0000023h
		jz	loc_8FD0E7

loc_84D0F5:				; CODE XREF: IopGetDriverNameFromKeyNode+B00EEj
		test	edi, edi
		js	loc_8FD11B
		mov	edx, [ebx+0Ch]
		lea	eax, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_8FD125
		mov	eax, [ebp+var_C]
		mov	ecx, 200h
		movzx	edx, ax
		call	IopVerifierExAllocatePool
		mov	edi, [ebp+var_18]
		mov	[edi+4], eax
		test	eax, eax
		jz	loc_8FD134
		push	[ebp+var_10]	; void *
		xor	eax, eax
		mov	[edi], ax
		mov	eax, [ebp+var_C]
		push	edi		; int
		mov	[edi+2], ax
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	ax, [ebx+0Ch]
		mov	word ptr [ebp+var_20], ax
		mov	word ptr [ebp+var_20+2], ax
		lea	eax, [ebx+10h]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84D173:				; CODE XREF: IopGetDriverNameFromKeyNode+B00B3j
		xor	eax, eax

loc_84D175:				; CODE XREF: IopGetDriverNameFromKeyNode+B0123j
					; IopGetDriverNameFromKeyNode+B0135j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84D17A:				; CODE XREF: IopGetDriverNameFromKeyNode+71j
					; IopGetDriverNameFromKeyNode+81j
		mov	[ebp+var_10], offset ??_C@_1BK@GABKLNKA@?$AA?2?$AAF?$AAi?$AAl?$AAe?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2@NNGAKEGL@ ; "\\"
		mov	[ebp+var_8], 18h
		jmp	loc_84D0AF
IopGetDriverNameFromKeyNode endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetRegistryValue proc near		; CODE XREF: .text:00568321p
					; IopReadDumpRegistry(x,x)+4Ep	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FD162 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		lea	eax, [ebp+var_C]
		xor	edi, edi
		mov	ebx, ecx
		push	esi
		push	eax
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_84D22B
		lea	ecx, [esi+2]

loc_84D1B9:				; CODE XREF: IopGetRegistryValue+34j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, di
		jnz	short loc_84D1B9
		mov	eax, [ebp+arg_0]
		sub	esi, ecx
		sar	esi, 1
		lea	esi, ds:1Bh[esi*2]
		and	esi, 0FFFFFFFCh
		test	eax, eax
		jnz	short loc_84D232
		add	esi, 4

loc_84D1DC:				; CODE XREF: IopGetRegistryValue+ACj
		xor	ecx, ecx
		mov	edx, esi
		inc	ecx
		call	IopVerifierExAllocatePool
		mov	edi, eax
		test	edi, edi
		jz	loc_84D272
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	edi
		push	1
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_84D224
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	esi, 80000005h
		jz	short loc_84D23C
		cmp	esi, 0C0000023h
		jz	short loc_84D23C
		mov	eax, esi
		jmp	short loc_84D22B
; 

loc_84D224:				; CODE XREF: IopGetRegistryValue+78j
		mov	eax, [ebp+arg_4]
		mov	[eax], edi

loc_84D229:				; CODE XREF: IopGetRegistryValue+E2j
		xor	eax, eax

loc_84D22B:				; CODE XREF: IopGetRegistryValue+26j
					; IopGetRegistryValue+94j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_84D232:				; CODE XREF: IopGetRegistryValue+49j
		add	esi, 3
		add	esi, eax
		and	esi, 0FFFFFFFCh
		jmp	short loc_84D1DC
; 

loc_84D23C:				; CODE XREF: IopGetRegistryValue+88j
					; IopGetRegistryValue+90j
		mov	edx, [ebp+var_4]
		xor	ecx, ecx
		inc	ecx
		call	IopVerifierExAllocatePool
		mov	esi, eax
		test	esi, esi
		jz	short loc_84D272
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		lea	eax, [ebp+var_C]
		push	esi
		push	1
		push	eax
		push	ebx
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8FD162
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		jmp	short loc_84D229
; 

loc_84D272:				; CODE XREF: IopGetRegistryValue+5Cj
					; IopGetRegistryValue+BDj
		mov	eax, 0C000009Ah
		jmp	short loc_84D22B
IopGetRegistryValue endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiLookupInDDB	proc near		; CODE XREF: PpCheckInDriverDatabase+84p

var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FD171 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		mov	ebx, ds:_PpDDBPatchHandle
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_4], ecx
		stosd
		mov	ecx, ds:_PpDDBHandle
		mov	[ebp+var_8], edx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		stosd
		test	ecx, ecx
		jz	short loc_84D2EF

loc_84D2AD:				; CODE XREF: PiLookupInDDB+8Ej
		push	[ebp+arg_4]
		mov	edi, [ebp+var_8]
		push	[ebp+arg_0]
		mov	edx, [ebp+var_4]
		push	edi
		call	PiIsDriverBlocked
		mov	esi, eax
		test	esi, esi
		js	short loc_84D2D6
		cmp	ds:_PpDDBHandle, 0
		jz	short loc_84D30A

loc_84D2CE:				; CODE XREF: PiLookupInDDB+B7j
		test	ebx, ebx
		jnz	loc_8FD171

loc_84D2D6:				; CODE XREF: PiLookupInDDB+49j
					; PiLookupInDDB+89j ...
		cmp	[ebp+var_18], 0
		jnz	short loc_84D324

loc_84D2DC:				; CODE XREF: PiLookupInDDB+B2j
		cmp	[ebp+var_28], 0
		jnz	loc_8FD189

loc_84D2E6:				; CODE XREF: PiLookupInDDB+AFF17j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_84D2EF:				; CODE XREF: PiLookupInDDB+31j
		lea	eax, [ebp+var_18]
		xor	dl, dl
		push	eax
		mov	ecx, offset ??_C@_1EC@CMHHICB@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAA?$AAp?$AAp@LBKOJDO@ ; "\\SystemRoot\\AppPatch\\drvmain.sdb"
		call	PiInitializeDDB
		mov	esi, eax
		test	esi, esi
		js	short loc_84D2D6
		mov	ecx, [ebp+var_18]
		jmp	short loc_84D2AD
; 

loc_84D30A:				; CODE XREF: PiLookupInDDB+52j
		lea	eax, [ebp+var_28]
		mov	dl, 1
		push	eax
		mov	ecx, offset ??_C@_1EE@HOPNLEHB@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAA?$AAp?$AAp@LBKOJDO@ ;	"\\SystemRoot\\AppPatch\\drvpatch.sdb"
		call	PiInitializeDDB
		mov	esi, eax
		test	esi, esi
		jns	short loc_84D32E
		xor	esi, esi
		jmp	short loc_84D2D6
; 

loc_84D324:				; CODE XREF: PiLookupInDDB+60j
		lea	ecx, [ebp+var_18]
		call	_PiReleaseDDB@4	; PiReleaseDDB(x)
		jmp	short loc_84D2DC
; 

loc_84D32E:				; CODE XREF: PiLookupInDDB+A4j
		mov	ebx, [ebp+var_28]
		jmp	short loc_84D2CE
PiLookupInDDB	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiIsDriverBlocked proc near		; CODE XREF: PiLookupInDDB+40p
					; PiLookupInDDB+AFF03p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FD196 SIZE 00000169 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	ebx, ecx
		mov	[ebp+var_50], eax
		pop	ecx
		push	[ebp+arg_4]
		xor	eax, eax
		mov	[ebp+var_38], ebx
		and	[ebp+var_34], eax
		lea	edi, [ebp+var_30]
		rep stosd
		mov	esi, edx
		mov	edx, [ebp+arg_0]
		push	edx
		mov	[ebp+var_4C], edx
		push	ecx
		mov	edx, [esi+4]
		mov	ecx, ebx
		mov	[ebp+var_40], esi
		call	SdbGetDatabaseMatch
		mov	edi, eax
		test	edi, edi
		jnz	loc_8FD196
		xor	ebx, ebx

loc_84D387:				; CODE XREF: PiIsDriverBlocked+AFEFDj
					; PiIsDriverBlocked+AFF0Fj ...
		mov	edi, 0C000036Bh
		cmp	ebx, edi
		jz	loc_8FD27C
		cmp	ebx, 0C000036Ch
		jz	loc_8FD27C

loc_84D3A0:				; CODE XREF: PiIsDriverBlocked+AFF99j
		cmp	ebx, edi
		jz	short loc_84D3B0
		cmp	ebx, 0C000036Ch
		jz	short loc_84D3B0
		test	ebx, ebx
		jnz	short loc_84D3D4

loc_84D3B0:				; CODE XREF: PiIsDriverBlocked+6Ej
					; PiIsDriverBlocked+76j
		mov	edx, [ebp+var_4C]
		lea	eax, [ebp+var_30]
		push	eax
		push	ebx
		push	ecx
		mov	ecx, esi
		call	PiUpdateDriverDBCache
		cmp	ebx, edi
		jz	loc_8FD2D2
		cmp	ebx, 0C000036Ch
		jz	loc_8FD2D2

loc_84D3D4:				; CODE XREF: PiIsDriverBlocked+7Aj
					; PiIsDriverBlocked+AFFA3j ...
		mov	ecx, [ebp+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
PiIsDriverBlocked endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUpdateDriverDBCache proc near		; CODE XREF: PiIsDriverBlocked+87p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= word ptr -28h
var_26		= word ptr -26h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FD2FF SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, ecx
		push	edi
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_30]
		rep stosd
		push	edx
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	[ebp+var_34], eax
		test	eax, eax
		jz	loc_84D538
		mov	ds:dword_A944E4, 1
		push	5Ch		; wchar_t
		push	dword ptr [ebx+4] ; wchar_t *
		call	_wcsrchr
		pop	ecx
		pop	ecx
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8FD2FF
		add	ecx, 2

loc_84D440:				; CODE XREF: PiUpdateDriverDBCache+AFF1Aj
		mov	[ebp+var_24], ecx
		lea	edx, [ecx+2]
		xor	edi, edi

loc_84D448:				; CODE XREF: PiUpdateDriverDBCache+69j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_84D448
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ecx+ecx]
		mov	[ebp+var_28], ax
		mov	[ebp+var_26], ax
		lea	eax, [ebp+var_30]
		push	eax
		push	offset _PiDDBCacheTable
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		mov	edi, offset _PiDDBCacheList
		test	eax, eax
		jnz	loc_84D549
		push	offset _PiDDBCacheTable
		call	_RtlNumberGenericTableElementsAvl@4 ; RtlNumberGenericTableElementsAvl(x)
		cmp	eax, 100h
		jnb	loc_8FD307

loc_84D492:				; CODE XREF: PiUpdateDriverDBCache+176j
					; PiUpdateDriverDBCache+192j
		mov	eax, [ebp+arg_4]
		lea	edi, [ebp+var_18]
		movsd
		push	5Ch		; wchar_t
		push	dword ptr [ebx+4] ; wchar_t *
		movsd
		movsd
		movsd
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_34]
		mov	eax, [eax+8]
		mov	[ebp+var_20], eax
		call	_wcsrchr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jz	loc_8FD32E
		add	esi, 2

loc_84D4C1:				; CODE XREF: PiUpdateDriverDBCache+AFF49j
		mov	ecx, esi
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_84D4C8:				; CODE XREF: PiUpdateDriverDBCache+E9j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_84D4C8
		sub	ecx, edx
		sar	ecx, 1
		push	20207050h
		lea	eax, [ecx+ecx]
		mov	[ebp+var_26], ax
		mov	[ebp+var_28], ax
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	short loc_84D538
		movzx	ecx, [ebp+var_28]
		push	ecx		; size_t
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_30]
		push	ebx		; int
		push	28h		; size_t
		push	eax		; void *
		push	offset _PiDDBCacheTable	; int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		test	eax, eax
		jz	short loc_84D538
		mov	ecx, ds:dword_A944EC
		mov	edx, offset _PiDDBCacheList
		cmp	[ecx], edx
		jnz	short loc_84D57F
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:dword_A944EC, eax

loc_84D538:				; CODE XREF: PiUpdateDriverDBCache+2Fj
					; PiUpdateDriverDBCache+10Fj ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_84D549:				; CODE XREF: PiUpdateDriverDBCache+8Fj
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_84D57F
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_84D57F
		mov	[edx], ecx
		mov	[ecx+4], edx

loc_84D55C:				; CODE XREF: PiUpdateDriverDBCache+AFF41j
		test	eax, eax
		jz	loc_84D492
		mov	edi, [eax+0Ch]
		push	eax
		push	offset _PiDDBCacheTable
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_84D492
; 

loc_84D57F:				; CODE XREF: PiUpdateDriverDBCache+142j
					; PiUpdateDriverDBCache+166j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PiUpdateDriverDBCache endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbGetDatabaseMatch proc near		; CODE XREF: PiIsDriverBlocked+42p

var_C8		= dword	ptr -0C8h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= byte ptr -88h
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FD336 SIZE 000000AF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		lea	eax, [ebp+var_C8]
		push	edi
		push	34h		; size_t
		push	0		; int
		push	eax		; void *
		mov	edi, edx
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_8C]
		push	80h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		mov	[ebp+var_C8], 0Ah
		add	esp, 0Ch
		mov	[ebp+var_94], eax
		mov	[ebp+var_90], eax
		test	esi, esi
		jz	short loc_84D5F2
		mov	[ebp+var_C8], 1Ah

loc_84D5F2:				; CODE XREF: SdbGetDatabaseMatch+62j
		push	eax
		push	eax
		push	0FFFFFFFFh
		mov	edx, edi
		lea	ecx, [ebp+var_90]
		call	AslFileMappingCreate
		test	eax, eax
		js	short loc_84D680

loc_84D607:				; CODE XREF: SdbGetDatabaseMatch+117j
		mov	edx, [ebp+var_90]
		lea	ecx, [ebp+var_C8]
		sub	esp, 10h
		call	_SdbpCreateSearchDBContext@24 ;	SdbpCreateSearchDBContext(x,x,x,x,x,x)
		test	eax, eax
		jz	loc_8FD362
		mov	edx, [ebx+4]
		lea	eax, [ebp+var_8C]
		push	ecx		; int
		push	eax		; void *
		lea	eax, [ebp+var_C8]
		push	eax		; int
		push	ecx		; int
		mov	ecx, ebx
		call	SdbpSearchDB
		mov	edi, offset ??_C@_0BE@BEOLDIOM@SdbGetDatabaseMatch@NNGAKEGL@
		cmp	eax, 10h
		ja	loc_8FD380

loc_84D64B:				; CODE XREF: SdbGetDatabaseMatch+AFE14j
		test	eax, eax
		jnz	loc_8FD39D

loc_84D653:				; CODE XREF: SdbGetDatabaseMatch+AFDD9j
					; SdbGetDatabaseMatch+AFDF7j ...
		lea	ecx, [ebp+var_C8]
		call	_SdbpReleaseSearchDBContext@4 ;	SdbpReleaseSearchDBContext(x)
		mov	ecx, [ebp+var_90]
		call	AslFileMappingDelete
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_94]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_84D680:				; CODE XREF: SdbGetDatabaseMatch+81j
		test	esi, esi
		jz	loc_8FD343
		push	[ebp+arg_8]
		mov	edx, edi
		lea	ecx, [ebp+var_90]
		push	esi
		call	AslFileMappingCreateFromImageView
		test	eax, eax
		jns	loc_84D607
		jmp	loc_8FD336
SdbGetDatabaseMatch endp


;  S U B	R O U T	I N E 


AslFileMappingDelete proc near		; CODE XREF: SdbGetDatabaseMatch+E0p
					; AslFileMappingCreate+130p ...

; FUNCTION CHUNK AT 008FD3E5 SIZE 00000010 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	short loc_84D6E0
		lea	ecx, [esi+8]
		call	RtlFileMapFree
		mov	eax, [esi+2Ch]
		mov	edi, 74705041h
		test	eax, eax
		jnz	loc_8FD3E5

loc_84D6C9:				; CODE XREF: AslFileMappingDelete+AFD4Aj
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_84D6D9
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0

loc_84D6D9:				; CODE XREF: AslFileMappingDelete+27j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84D6E0:				; CODE XREF: AslFileMappingDelete+9j
		pop	edi
		pop	esi
		pop	ecx
		retn
AslFileMappingDelete endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpReleaseSearchDBContext(x)
_SdbpReleaseSearchDBContext@4 proc near	; CODE XREF: SdbGetDatabaseMatch+D5p
					; SdbpCheckKObject+115p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	loc_84D7F7
		mov	eax, [esi+0Ch]
		xor	ebx, ebx
		mov	edi, 74705041h
		test	eax, eax
		jz	short loc_84D712
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+0Ch], ebx

loc_84D712:				; CODE XREF: SdbpReleaseSearchDBContext(x)+22j
		mov	eax, [esi+20h]
		test	eax, eax
		jz	short loc_84D723
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+20h], ebx

loc_84D723:				; CODE XREF: SdbpReleaseSearchDBContext(x)+33j
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_84D79D
		mov	ecx, ebx
		mov	[esp+10h+var_4], ecx
		cmp	[eax], ebx
		jbe	short loc_84D78F

loc_84D734:				; CODE XREF: SdbpReleaseSearchDBContext(x)+A2j
		lea	edi, [eax+4]
		add	edi, ebx
		jz	short loc_84D779
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	short loc_84D74B
		call	_AslHashFree@4	; AslHashFree(x)
		and	dword ptr [edi+8], 0

loc_84D74B:				; CODE XREF: SdbpReleaseSearchDBContext(x)+5Cj
		mov	ecx, [edi+0Ch]
		test	ecx, ecx
		jz	short loc_84D75B
		call	_AslHashFree@4	; AslHashFree(x)
		and	dword ptr [edi+0Ch], 0

loc_84D75B:				; CODE XREF: SdbpReleaseSearchDBContext(x)+6Cj
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_84D775
		push	74705041h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi+10h], 0
		and	dword ptr [edi+14h], 0

loc_84D775:				; CODE XREF: SdbpReleaseSearchDBContext(x)+7Cj
		mov	ecx, [esp+10h+var_4]

loc_84D779:				; CODE XREF: SdbpReleaseSearchDBContext(x)+55j
		mov	eax, [esi+24h]
		inc	ecx
		add	ebx, 18h
		mov	[esp+10h+var_4], ecx
		cmp	ecx, [eax]
		jb	short loc_84D734
		xor	ebx, ebx
		mov	edi, 74705041h

loc_84D78F:				; CODE XREF: SdbpReleaseSearchDBContext(x)+4Ej
		test	eax, eax
		jz	short loc_84D79A
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84D79A:				; CODE XREF: SdbpReleaseSearchDBContext(x)+ADj
		mov	[esi+24h], ebx

loc_84D79D:				; CODE XREF: SdbpReleaseSearchDBContext(x)+44j
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_84D7AE
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+10h], ebx

loc_84D7AE:				; CODE XREF: SdbpReleaseSearchDBContext(x)+BEj
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_84D7BF
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+14h], ebx

loc_84D7BF:				; CODE XREF: SdbpReleaseSearchDBContext(x)+CFj
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_84D7D0
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+18h], ebx

loc_84D7D0:				; CODE XREF: SdbpReleaseSearchDBContext(x)+E0j
		mov	ecx, [esi+2Ch]
		test	ecx, ecx
		jz	short loc_84D7DF
		call	_SdbpFreeAppAttributes@4 ; SdbpFreeAppAttributes(x)
		mov	[esi+2Ch], ebx

loc_84D7DF:				; CODE XREF: SdbpReleaseSearchDBContext(x)+F1j
		call	_Feature_CompatBuildInVb__private_IsEnabledDeviceUsage@0 ; Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	short loc_84D7F7
		mov	ecx, [esi+30h]
		test	ecx, ecx
		jz	short loc_84D7F7
		call	_SdbpFreeAppAttributes@4 ; SdbpFreeAppAttributes(x)
		mov	[esi+30h], ebx

loc_84D7F7:				; CODE XREF: SdbpReleaseSearchDBContext(x)+10j
					; SdbpReleaseSearchDBContext(x)+102j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_SdbpReleaseSearchDBContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AslFileMappingCreate proc near		; CODE XREF: SdbGetDatabaseMatch+7Ap
					; SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+175p ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FD3F5 SIZE 00000129 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_28], edx
		mov	edx, ecx
		mov	[ebp+var_30], eax
		push	6
		pop	ecx
		lea	edi, [ebp+var_24]
		mov	[ebp+var_34], edx
		rep stosd
		mov	edi, [ebp+var_28]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		test	edi, edi
		jz	loc_8FD514
		cmp	[edi], ax
		jz	loc_8FD514
		test	edx, edx
		jz	loc_8FD514
		mov	[edx], eax
		lea	eax, [ebp+var_30]
		push	edi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ecx
		push	38h
		pop	edx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8FD3F5
		mov	edx, edi
		mov	ecx, ebx
		call	AslStringDuplicate
		mov	esi, eax
		test	esi, esi
		js	loc_8FD3FF
		mov	edx, [ebp+arg_0]
		lea	esi, [ebx+8]
		inc	edx
		neg	edx
		sbb	edx, edx
		and	edx, [ebp+arg_0]
		jnz	loc_8FD428
		lea	edx, [ebp+var_30]
		mov	ecx, esi
		call	_RtlFileMapInitializeByNtPath@8	; RtlFileMapInitializeByNtPath(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_84D91C
		lea	esi, [ebx+8]

loc_84D8A6:				; CODE XREF: AslFileMappingCreate+AFC3Bj
		push	5
		push	18h
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	dword ptr [esi]
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8FD409
		mov	edx, [ebp+arg_4]
		xor	ecx, ecx
		inc	ecx
		test	edx, edx
		jnz	loc_8FD493

loc_84D8D1:				; CODE XREF: AslFileMappingCreate+AFCA1j
		mov	eax, [ebp+var_1C]
		mov	[ebx+10h], eax
		mov	eax, [ebp+var_18]
		mov	[ebx+14h], eax
		mov	eax, [ebp+var_1C]
		test	edx, edx
		jnz	loc_8FD4A4
		or	eax, [ebp+var_18]
		jz	short loc_84D8F0
		push	2
		pop	ecx

loc_84D8F0:				; CODE XREF: AslFileMappingCreate+EDj
		mov	[ebx+28h], ecx

loc_84D8F3:				; CODE XREF: AslFileMappingCreate+AFCDAj
					; AslFileMappingCreate+AFD03j
		mov	eax, [ebp+var_34]
		mov	[eax], ebx
		xor	ebx, ebx
		xor	esi, esi

loc_84D8FC:				; CODE XREF: AslFileMappingCreate+127j
					; AslFileMappingCreate+AFC25j ...
		test	ebx, ebx
		jnz	short loc_84D92C

loc_84D900:				; CODE XREF: AslFileMappingCreate+135j
					; AslFileMappingCreate+AFBFCj
		cmp	[ebp+var_2C], edi
		jnz	loc_8FD506

loc_84D909:				; CODE XREF: AslFileMappingCreate+AFD11j
		mov	eax, esi

loc_84D90B:				; CODE XREF: AslFileMappingCreate+AFD1Bj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_84D91C:				; CODE XREF: AslFileMappingCreate+A3j
		mov	ecx, esi
		call	AslFileNotFound
		test	eax, eax
		jnz	short loc_84D8FC
		jmp	loc_8FD43E
; 

loc_84D92C:				; CODE XREF: AslFileMappingCreate+100j
		mov	ecx, ebx
		call	AslFileMappingDelete
		jmp	short loc_84D900
AslFileMappingCreate endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepGetShimsForDriver proc near		; CODE XREF: KseDriverLoadImage(x)+8Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008FD51E SIZE 00000122 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	eax, eax
		push	edi
		mov	edi, [ebp+arg_C]
		mov	ebx, ecx
		mov	[ebp+var_4], eax
		mov	ecx, offset _KseEngine
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	[esi], eax
		mov	[edi], eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_14], edx
		mov	edx, [ebp+arg_0]
		push	eax
		mov	[ebp+var_10], ebx
		call	KsepIsModuleShimmed
		test	eax, eax
		jnz	loc_8FD51E
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_4]
		mov	ecx, offset _KseEngine
		push	eax
		call	KsepEngineGetShimsFromRegistry
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	short loc_84D9AD
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		call	KsepDbGetDriverShims
		mov	esi, eax

loc_84D9AD:				; CODE XREF: KsepGetShimsForDriver+5Dj
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+var_8]
		test	esi, esi
		jns	loc_8FD532

loc_84D9BB:				; CODE XREF: KsepGetShimsForDriver+AFCA3j
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		mov	eax, [ebp+arg_C]
		mov	[eax], ebx

loc_84D9C5:				; CODE XREF: KsepGetShimsForDriver+AFC21j
					; KsepGetShimsForDriver+AFC29j	...
		test	esi, esi
		jns	loc_8FD5DE

loc_84D9CD:				; CODE XREF: KsepGetShimsForDriver+AFD05j
		mov	eax, esi

loc_84D9CF:				; CODE XREF: KsepGetShimsForDriver+AFBF7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
KsepGetShimsForDriver endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepDbGetDriverShims proc near		; CODE XREF: KsepGetShimsForDriver+70p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FD640 SIZE 000000DF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	[ebp+var_18], edx
		mov	eax, ecx
		xor	edx, edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_4], edx
		mov	ebx, edx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], edx
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], edi
		test	eax, eax
		jz	loc_8FD715
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_8FD715
		mov	ecx, [ebp+arg_8]
		mov	[eax], edx
		mov	[ecx], edx
		lea	ecx, [ebp+var_8]
		call	KseShimDatabaseOpen
		mov	esi, eax
		test	esi, esi
		js	short loc_84DA8D
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_4]
		mov	edx, offset _KsepMatchMachineInfo
		push	eax
		push	[ebp+arg_0]
		mov	ecx, [ecx]
		push	[ebp+var_18]
		push	[ebp+var_1C]
		call	KsepDbGetDriverShimsInternal
		mov	esi, eax
		test	esi, esi
		jns	short loc_84DA54
		cmp	esi, 0C0000225h
		jnz	short loc_84DA7A

loc_84DA54:				; CODE XREF: KsepDbGetDriverShims+74j
		mov	eax, [ebp+var_8]
		mov	ecx, [eax+28h]
		test	ecx, ecx
		jnz	loc_8FD640

loc_84DA62:				; CODE XREF: KsepDbGetDriverShims+AFCA4j
		mov	esi, [ebp+var_14]
		test	esi, esi
		jnz	loc_8FD68D
		test	edi, edi
		jnz	loc_8FD67F
		mov	esi, 0C0000225h

loc_84DA7A:				; CODE XREF: KsepDbGetDriverShims+7Cj
					; KsepDbGetDriverShims+AFC99j ...
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jnz	loc_8FD6FA

loc_84DA85:				; CODE XREF: KsepDbGetDriverShims+AFD2Cj
		test	ebx, ebx
		jnz	loc_8FD707

loc_84DA8D:				; CODE XREF: KsepDbGetDriverShims+4Ej
					; KsepDbGetDriverShims+AFD3Aj
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_84DA9B
		mov	ecx, eax
		call	KseShimDatabaseClose

loc_84DA9B:				; CODE XREF: KsepDbGetDriverShims+BCj
		mov	eax, esi

loc_84DA9D:				; CODE XREF: KsepDbGetDriverShims+AFD44j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
KsepDbGetDriverShims endp


;  S U B	R O U T	I N E 


KseShimDatabaseClose proc near		; CODE XREF: KsepDbGetDriverShims+C0p
					; KsepDbCacheReadDevice+96p ...

; FUNCTION CHUNK AT 008FD71F SIZE 00000056 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	edi, offset _KsepShimDbLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		cmp	esi, _KsepShimDbHandle
		jnz	loc_8FD71F

loc_84DACA:				; CODE XREF: KseShimDatabaseClose+AFCB4j
					; KseShimDatabaseClose+AFCCCj
		cmp	_KsepShimDbDuringBoot, 0
		jz	short loc_84DAF5
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_84DB47

loc_84DAE0:				; CODE XREF: KseShimDatabaseClose+AAj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		call	KseShimDatabaseBootRelease

loc_84DAF1:				; CODE XREF: KseShimDatabaseClose+A1j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_84DAF5:				; CODE XREF: KseShimDatabaseClose+2Dj
		cmp	_KsepShimDbHandle, 0
		jz	short loc_84DB2C
		mov	eax, _KsepShimDbRefCount
		test	eax, eax
		jz	short loc_84DB11
		dec	eax
		mov	_KsepShimDbRefCount, eax
		test	eax, eax
		jnz	short loc_84DB2C

loc_84DB11:				; CODE XREF: KseShimDatabaseClose+61j
		mov	ecx, offset _KsepShimDb
		call	_KsepSdbUnmapFromMemory@4 ; KsepSdbUnmapFromMemory(x)
		mov	ecx, offset unk_6C7488
		call	_KsepSdbUnmapFromMemory@4 ; KsepSdbUnmapFromMemory(x)
		and	_KsepShimDbHandle, 0

loc_84DB2C:				; CODE XREF: KseShimDatabaseClose+58j
					; KseShimDatabaseClose+6Bj
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_84DB50

loc_84DB39:				; CODE XREF: KseShimDatabaseClose+B3j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	short loc_84DAF1
; 

loc_84DB47:				; CODE XREF: KseShimDatabaseClose+3Aj
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_84DAE0
; 

loc_84DB50:				; CODE XREF: KseShimDatabaseClose+93j
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_84DB39
KseShimDatabaseClose endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepDbGetDriverShimsInternal proc near	; CODE XREF: KsepDbGetDriverShims+6Bp
					; KsepDbGetDriverShims+AFC80p

var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008FD775 SIZE 000001E4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		mov	esi, ecx
		xor	ecx, ecx
		push	edx		; int
		push	[ebp+arg_8]	; int
		stosd
		xor	edx, edx
		push	[ebp+arg_4]	; int
		mov	[ebp+var_C], ecx
		push	ecx		; int
		stosd
		mov	[ebp+var_14], ecx
		stosd
		mov	eax, [ebp+arg_10]
		mov	edi, ecx
		mov	[eax], ecx
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	ecx, esi
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+4] ; wchar_t *
		call	SdbGetDatabaseMatchEx
		test	eax, eax
		jnz	loc_8FD775

loc_84DBAD:				; CODE XREF: KsepDbGetDriverShimsInternal+AFC2Ej
					; KsepDbGetDriverShimsInternal+AFC48j
		mov	esi, 0C0000225h

loc_84DBB2:				; CODE XREF: KsepDbGetDriverShimsInternal+AFDFAj
		mov	eax, [ebp+arg_10]
		mov	ecx, edi
		mov	edx, [eax]
		call	KsepDbFreeDriverShims

loc_84DBBE:				; CODE XREF: KsepDbGetDriverShimsInternal+AFDEDj
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
KsepDbGetDriverShimsInternal endp

; 
		align 2

;  S U B	R O U T	I N E 


KsepDbFreeDriverShims proc near		; CODE XREF: KsepDbGetDriverShimsInternal+5Fp
					; KsepGetShimsForDriver+AFC33p	...

; FUNCTION CHUNK AT 008FD959 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jnz	loc_8FD959
		pop	edi
		pop	esi
		pop	ebx
		retn
KsepDbFreeDriverShims endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbGetDatabaseID proc near		; CODE XREF: SdbpValidateAndApplyCompatFlags+21p
					; SdbReadEntryInformation(x,x,x)+C7p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FD99B SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	eax, [esi+10h]
		test	al, 2
		jnz	short loc_84DC62
		push	7001h
		xor	edx, edx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_8FD99B
		push	9007h
		mov	edx, eax
		mov	ecx, esi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8FD9A7
		push	10h		; int
		lea	edi, [esi+14h]
		mov	edx, ebx
		push	edi		; void *
		mov	ecx, esi
		call	SdbReadBinaryTag
		test	eax, eax
		jz	loc_8FD9C5
		or	dword ptr [esi+10h], 2
		mov	eax, [esi+10h]
		mov	edx, [ebp+var_4]

loc_84DC4A:				; CODE XREF: SdbGetDatabaseID+7Dj
		test	al, 2
		jz	short loc_84DC67
		push	10h		; size_t
		push	edi		; void *
		push	edx		; void *
		call	_memmove
		xor	eax, eax
		add	esp, 0Ch
		inc	eax

loc_84DC5D:				; CODE XREF: SdbGetDatabaseID+81j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84DC62:				; CODE XREF: SdbGetDatabaseID+13j
		lea	edi, [esi+14h]
		jmp	short loc_84DC4A
; 

loc_84DC67:				; CODE XREF: SdbGetDatabaseID+64j
					; SdbGetDatabaseID+AFDD8j ...
		xor	eax, eax
		jmp	short loc_84DC5D
SdbGetDatabaseID endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AslStringDuplicate proc	near		; CODE XREF: AslFileMappingCreate+72p
					; AslFileMappingCreateFromImageView+46p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FD9E4 SIZE 0000008B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		xor	ecx, ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		mov	[eax], ecx
		push	esi
		test	ebx, ebx
		jz	loc_84DD1F
		lea	eax, [ebp+var_4]
		mov	edx, 7FFFFFFFh
		push	eax
		mov	ecx, ebx
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8FD9E4
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8FDA10
		mov	eax, [ebp+var_4]
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8FD9F1
		mov	edx, [ebp+var_8]
		push	edi
		push	ecx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8FDA1D
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		push	ebx
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		js	loc_8FDA40
		mov	eax, [ebp+var_C]
		mov	[eax], edi
		xor	edi, edi
		xor	esi, esi

loc_84DD10:				; CODE XREF: AslStringDuplicate+AFDEEj
		test	edi, edi
		jnz	loc_8FDA5F

loc_84DD18:				; CODE XREF: AslStringDuplicate+AFDCFj
					; AslStringDuplicate+AFDFEj
		pop	edi

loc_84DD19:				; CODE XREF: AslStringDuplicate+B5j
					; AslStringDuplicate+AFD9Fj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84DD1F:				; CODE XREF: AslStringDuplicate+1Dj
		mov	esi, ecx
		jmp	short loc_84DD19
AslStringDuplicate endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpFindFirstIndexedWildCardTag	proc near ; CODE XREF: SdbGetDatabaseMatchEx+6Cp
					; SdbpSearchDB+AF6DDp ...

var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_10		= dword	ptr -10h
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FDA6F SIZE 00000072 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 128h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, ecx
		push	esi
		push	edi
		lea	ecx, [ebp+var_11C]
		mov	[ebp+var_120], eax
		push	ecx
		mov	ecx, 600Bh
		xor	edi, edi
		push	ecx
		mov	ecx, eax
		mov	[ebp+var_124], edi
		mov	esi, edx
		mov	[ebp+var_11C], edi
		call	SdbGetIndex
		mov	[ebx], eax
		test	eax, eax
		mov	eax, 600Bh
		jz	loc_8FDA6F
		mov	esi, [ebp+arg_4]
		mov	[ebx+0Ch], ax
		mov	eax, [ebp+var_11C]
		push	104h		; size_t
		mov	[ebx+14h], eax
		lea	eax, [ebp+var_118]
		push	edi		; int
		push	eax		; void *
		mov	[ebx+20h], esi
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		lea	ecx, [ebp+var_118]
		add	esp, 0Ch
		stosd
		push	esi
		stosw
		call	AslStringUpcaseToMultiByteN
		test	eax, eax
		js	loc_8FDA92
		mov	edx, [ebx]
		lea	eax, [ebp+var_124]
		mov	ecx, [ebp+var_120]
		push	eax
		call	SdbpGetIndex
		mov	edi, eax
		test	edi, edi
		jz	loc_8FDAB0
		cmp	[ebp+var_124], 0
		ja	short loc_84DDF9

loc_84DDE6:				; CODE XREF: SdbpFindFirstIndexedWildCardTag+11Dj
					; SdbpFindFirstIndexedWildCardTag+AFD69j ...
		xor	eax, eax

loc_84DDE8:				; CODE XREF: SdbpFindFirstIndexedWildCardTag+16Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_84DDF9:				; CODE XREF: SdbpFindFirstIndexedWildCardTag+C0j
		mov	edx, [ebp+var_11C]
		and	edx, 2
		xor	esi, esi
		mov	[ebp+var_11C], edx

loc_84DE0A:				; CODE XREF: SdbpFindFirstIndexedWildCardTag+125j
		mov	ecx, [edi+4]
		mov	eax, [edi]
		push	ecx
		push	eax
		test	edx, edx
		jz	loc_8FDAD0
		lea	ecx, [ebp+var_10+1]
		call	_SdbpKeyToAnsiString@12	; SdbpKeyToAnsiString(x,x,x)
		mov	byte ptr [ebp+var_10], 2Ah

loc_84DE25:				; CODE XREF: SdbpFindFirstIndexedWildCardTag+AFDB8j
		lea	edx, [ebp+var_118]
		lea	ecx, [ebp+var_10]
		call	AslStringPatternMatchA
		test	eax, eax
		jnz	short loc_84DE4B

loc_84DE37:				; CODE XREF: SdbpFindFirstIndexedWildCardTag+144j
					; SdbpFindFirstIndexedWildCardTag+155j	...
		inc	esi
		add	edi, 0Ch
		cmp	esi, [ebp+var_124]
		jnb	short loc_84DDE6
		mov	edx, [ebp+var_11C]
		jmp	short loc_84DE0A
; 

loc_84DE4B:				; CODE XREF: SdbpFindFirstIndexedWildCardTag+111j
		mov	ecx, [edi+8]
		mov	edx, ecx
		movzx	eax, word ptr [ebx+0Ch]
		mov	[ebp+var_128], ecx
		mov	ecx, [ebp+var_120]
		push	eax
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_84DE37
		mov	ecx, [ebp+var_120]
		mov	edx, eax
		call	SdbGetStringTagPtr
		test	eax, eax
		jz	short loc_84DE37
		mov	edx, [ebx+20h]
		mov	ecx, eax
		call	AslStringPatternMatchW
		test	eax, eax
		jz	short loc_84DE37
		mov	eax, [ebp+var_128]
		mov	[ebx+10h], esi
		jmp	loc_84DDE8
SdbpFindFirstIndexedWildCardTag	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SdbGetDatabaseMatchEx(wchar_t *,int,int,int,int)
SdbGetDatabaseMatchEx proc near		; CODE XREF: KsepDbGetDriverShimsInternal+46p
					; KsepDbCacheReadDeviceInternal+2Bp

var_3C		= dword	ptr -3Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008FDAE1 SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_3C]
		push	0Ah
		xor	eax, eax
		mov	[ebp+var_8], ebx
		pop	ecx
		mov	ebx, [ebx+4]
		rep stosd
		test	edx, edx
		jnz	short loc_84DF19
		mov	edi, [ebp+arg_0]
		push	5Ch		; wchar_t
		push	edi		; wchar_t *
		mov	[ebp+var_C], 701Ch
		call	_wcsrchr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jz	loc_8FDAE1
		add	esi, 2

loc_84DEDA:				; CODE XREF: SdbGetDatabaseMatchEx+8Dj
					; SdbGetDatabaseMatchEx+AFC4Bj
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_3C]
		and	[ebp+arg_0], 0
		mov	ecx, ebx
		push	eax
		push	esi
		push	6001h
		call	SdbFindFirstStringIndexedTag

loc_84DEF2:				; CODE XREF: SdbGetDatabaseMatchEx+AFC5Aj
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_84DF27
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_3C]
		push	eax
		push	esi
		push	ecx
		mov	ecx, ebx
		call	SdbpFindFirstIndexedWildCardTag

loc_84DF09:				; CODE XREF: SdbGetDatabaseMatchEx+EDj
		mov	esi, eax
		test	esi, esi
		jnz	short loc_84DF5E

loc_84DF0F:				; CODE XREF: SdbGetDatabaseMatchEx+BFj
					; SdbGetDatabaseMatchEx+AFC7Cj	...
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_84DF19:				; CODE XREF: SdbGetDatabaseMatchEx+1Fj
		mov	esi, [ebp+arg_0]
		xor	edi, edi
		mov	[ebp+var_C], 701Ah
		jmp	short loc_84DEDA
; 

loc_84DF27:				; CODE XREF: SdbGetDatabaseMatchEx+5Fj
		push	[ebp+arg_10]
		mov	edx, eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ecx
		mov	ecx, [ebp+var_8]
		push	edi
		call	SdbpCheckKObject
		test	eax, eax
		jz	loc_8FDAE8
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+arg_0]
		push	eax
		push	[ebp+var_10]
		mov	edx, ebx
		call	SdbTagIDToTagRef
		test	eax, eax
		jnz	short loc_84DF0F
		jmp	loc_8FDAF7
; 

loc_84DF5E:				; CODE XREF: SdbGetDatabaseMatchEx+75j
		push	[ebp+arg_10]
		mov	edx, esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ecx
		mov	ecx, [ebp+var_8]
		push	edi
		call	SdbpCheckKObject
		test	eax, eax
		jnz	loc_8FDB03
		lea	edx, [ebp+var_3C]
		mov	ecx, ebx
		call	SdbpFindNextIndexedWildCardTag
		jmp	short loc_84DF09
SdbGetDatabaseMatchEx endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpGetIndex	proc near		; CODE XREF: SdbpFindFirstIndexedWildCardTag+AAp
					; SdbpFindNextIndexedWildCardTag+65p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FDB38 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	SdbGetTagFromTagID
		mov	ecx, 9801h
		cmp	ax, cx
		jnz	loc_8FDB38
		mov	edx, esi
		mov	ecx, edi
		call	SdbGetTagDataSize
		push	0Ch
		xor	edx, edx
		pop	ecx
		div	ecx
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		mov	[ecx], eax
		mov	ecx, edi
		call	SdbpGetMappedTagData

loc_84DFC4:				; CODE XREF: SdbpGetIndex+AFBCCj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
SdbpGetIndex	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbFindFirstStringIndexedTag proc near	; CODE XREF: SdbGetDatabaseMatchEx+55p
					; SdbpSearchDB+96p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FDB59 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_8], eax
		push	ecx
		push	edi
		mov	ecx, ebx
		call	SdbGetIndex
		mov	esi, [ebp+arg_8]
		mov	[esi], eax
		test	eax, eax
		jz	loc_8FDB59
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+var_4]
		mov	[esi+0Ch], di
		mov	[esi+20h], ecx
		mov	[esi+14h], edx
		call	_SdbMakeIndexKeyFromStringEx@8 ; SdbMakeIndexKeyFromStringEx(x,x)
		push	esi
		push	edx
		mov	[esi+1Ch], edx
		mov	ecx, ebx
		mov	edx, [esi]
		push	eax
		mov	[esi+18h], eax
		call	SdbpGetFirstIndexedRecord
		test	eax, eax
		jnz	short loc_84E02F

loc_84E026:				; CODE XREF: SdbFindFirstStringIndexedTag+AFBB3j
		xor	eax, eax

loc_84E028:				; CODE XREF: SdbFindFirstStringIndexedTag+6Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_84E02F:				; CODE XREF: SdbFindFirstStringIndexedTag+5Aj
		push	esi
		mov	edx, eax
		mov	ecx, ebx
		call	SdbpFindMatchingName
		jmp	short loc_84E028
SdbFindFirstStringIndexedTag endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpGetFirstIndexedRecord proc near	; CODE XREF: SdbFindFirstStringIndexedTag+53p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FDB82 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	SdbGetTagFromTagID
		mov	ecx, 9801h
		cmp	ax, cx
		jnz	loc_8FDB82
		mov	edx, esi
		mov	ecx, edi
		call	SdbGetTagDataSize
		push	0Ch
		xor	edx, edx
		pop	ecx
		div	ecx
		mov	edx, esi
		mov	ecx, edi
		mov	[ebp+var_4], eax
		call	SdbpGetMappedTagData
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_8FDB8F
		mov	edi, [ebp+arg_8]
		xor	esi, esi
		mov	edx, [ebp+var_4]
		mov	ecx, eax
		push	ebx
		test	byte ptr [edi+14h], 1
		lea	ebx, [edi+10h]
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		jnz	short loc_84E0B3
		call	_SdbpBinarySearchFirst@20 ; SdbpBinarySearchFirst(x,x,x,x,x)
		mov	edx, [ebp+var_8]

loc_84E0A6:				; CODE XREF: SdbpGetFirstIndexedRecord+8Fj
		test	eax, eax
		jnz	short loc_84E0CD

loc_84E0AA:				; CODE XREF: SdbpGetFirstIndexedRecord+98j
		mov	eax, esi
		pop	ebx

loc_84E0AD:				; CODE XREF: SdbpGetFirstIndexedRecord+AFB6Fj
		pop	edi
		pop	esi
		leave
		retn	0Ch
; 

loc_84E0B3:				; CODE XREF: SdbpGetFirstIndexedRecord+60j
		call	_SdbpBinarySearchUnique@20 ; SdbpBinarySearchUnique(x,x,x,x,x)
		test	eax, eax
		jnz	loc_8FDBB0

loc_84E0C0:				; CODE XREF: SdbpGetFirstIndexedRecord+AFB7Cj
		mov	edx, [ebp+var_8]
		mov	ecx, esi

loc_84E0C5:				; CODE XREF: SdbpGetFirstIndexedRecord+AFB8Cj
		mov	[edi+8], ecx
		mov	[edi+4], esi
		jmp	short loc_84E0A6
; 

loc_84E0CD:				; CODE XREF: SdbpGetFirstIndexedRecord+6Cj
		imul	eax, [ebx], 0Ch
		mov	esi, [eax+edx+8]
		jmp	short loc_84E0AA
SdbpGetFirstIndexedRecord endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbReadDWORDTag	proc near		; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+1AAp
					; InitOnceScanIndexes+FCp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FDBCD SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		mov	ebx, ecx
		mov	[ebp+arg_0], edi
		call	SdbGetTagFromTagID
		mov	ecx, 0F000h
		mov	edx, esi
		and	ax, cx
		mov	ecx, 4000h
		cmp	ax, cx
		mov	ecx, ebx
		jnz	loc_8FDBCD
		push	4		; int
		lea	eax, [ebp+arg_0]
		push	eax		; void *
		call	SdbpReadTagData
		test	eax, eax
		mov	eax, edi
		jz	short loc_84E11B
		mov	eax, [ebp+arg_0]

loc_84E11B:				; CODE XREF: SdbReadDWORDTag+40j
					; SdbReadDWORDTag+AFB1Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
SdbReadDWORDTag	endp


;  S U B	R O U T	I N E 


SdbpGetMappedTagData proc near		; CODE XREF: SdbpGetIndex+37p
					; SdbpGetFirstIndexedRecord+37p ...

; FUNCTION CHUNK AT 008FDBF7 SIZE 0000003B BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	SdbpGetTagHeadSize
		mov	ecx, [edi+0Ch]
		add	eax, esi
		cmp	eax, ecx
		jnb	loc_8FDBF7
		mov	esi, [edi+4]
		add	esi, eax
		jz	loc_8FDC14

loc_84E147:				; CODE XREF: SdbpGetMappedTagData+AFB0Bj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
SdbpGetMappedTagData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbFindNextTag	proc near		; CODE XREF: InitOnceScanIndexes+13Bp
					; KsepDbCacheReadDeviceInternal+9Dp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FDC32 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_0]
		push	edi
		mov	[ebp+var_8], esi
		xor	edi, edi
		call	SdbGetTagFromTagID
		push	[ebp+arg_0]
		movzx	eax, ax
		mov	[ebp+var_4], eax
		test	ax, ax
		jz	loc_8FDC32
		mov	edx, esi

loc_84E17B:				; CODE XREF: SdbFindNextTag+5Aj
		mov	ecx, ebx
		call	SdbGetNextChild
		mov	esi, eax
		test	esi, esi
		jz	short loc_84E199
		mov	edx, esi
		mov	ecx, ebx
		call	SdbGetTagFromTagID
		cmp	ax, word ptr [ebp+var_4]
		jnz	short loc_84E1A2
		mov	edi, esi

loc_84E199:				; CODE XREF: SdbFindNextTag+3Aj
		mov	eax, edi

loc_84E19B:				; CODE XREF: SdbFindNextTag+AFAFEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_84E1A2:				; CODE XREF: SdbFindNextTag+49j
		mov	edx, [ebp+var_8]
		push	esi
		jmp	short loc_84E17B
SdbFindNextTag	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbReadWORDTag	proc near		; CODE XREF: InitOnceScanIndexes+A6p
					; InitOnceScanIndexes+D3p ...

arg_0		= word ptr  8

; FUNCTION CHUNK AT 008FDC4F SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	di, [ebp+arg_0]
		mov	esi, edx
		movzx	eax, di
		mov	ebx, ecx
		mov	dword ptr [ebp+arg_0], eax
		call	SdbGetTagFromTagID
		mov	ecx, 0F000h
		mov	edx, esi
		and	ax, cx
		mov	ecx, 3000h
		cmp	ax, cx
		mov	ecx, ebx
		jnz	loc_8FDC4F
		push	2		; int
		lea	eax, [ebp+arg_0]
		push	eax		; void *
		call	SdbpReadTagData
		test	eax, eax
		mov	ax, di
		jz	short loc_84E1F3
		mov	ax, [ebp+arg_0]

loc_84E1F3:				; CODE XREF: SdbReadWORDTag+45j
					; SdbReadWORDTag+AFACDj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
SdbReadWORDTag	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SdbpReadTagData(void *,int)
SdbpReadTagData	proc near		; CODE XREF: SdbReadDWORDTag+37p
					; SdbReadWORDTag+3Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FDC7A SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		call	SdbGetTagDataSize
		mov	esi, eax
		cmp	esi, [ebp+arg_4]
		ja	loc_8FDC7A
		mov	edx, edi
		mov	ecx, ebx
		call	SdbpGetTagHeadSize
		push	esi		; size_t
		push	[ebp+arg_0]	; void *
		mov	ecx, ebx
		lea	edx, [edi+eax]
		call	SdbpReadMappedData
		test	eax, eax
		jz	loc_8FDC99
		xor	eax, eax
		inc	eax

loc_84E238:				; CODE XREF: SdbpReadTagData+AFABAj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
SdbpReadTagData	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

InitOnceScanIndexes proc near		; DATA XREF: SdbGetIndex+22o

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FDCB9 SIZE 000000A0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	loc_8FDCB9
		cmp	[ebp+arg_8], 0
		jz	loc_8FDCC5
		push	ebx
		push	edi
		push	0A00h		; size_t
		xor	edi, edi
		lea	eax, [esi+28h]
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_4], eax
		call	_memset
		add	esp, 0Ch
		xor	edx, edx
		mov	ecx, esi
		call	_SdbGetFirstChild@8 ; SdbGetFirstChild(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8FDCE5
		mov	edx, ebx
		mov	ecx, esi
		call	SdbGetTagFromTagID
		mov	ecx, 7802h
		cmp	ax, cx
		jnz	loc_8FDD16
		push	7803h
		mov	edx, ebx
		mov	[esi+0A38h], edi
		mov	ecx, esi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)

loc_84E2B3:				; CODE XREF: InitOnceScanIndexes+140j
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	loc_84E392
		cmp	dword ptr [esi+0A38h], 40h
		jz	loc_8FDD4D
		push	3802h
		mov	edx, eax
		mov	ecx, esi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_8FDD41
		push	edi
		mov	edx, eax
		mov	ecx, esi
		call	SdbReadWORDTag
		imul	ecx, [esi+0A38h], 28h
		mov	edx, [ebp+arg_4]
		push	3803h
		mov	[ecx+esi+2Ch], ax
		mov	ecx, esi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_8FDD35
		push	edi
		mov	edx, eax
		mov	ecx, esi
		call	SdbReadWORDTag
		imul	ecx, [esi+0A38h], 28h
		mov	edx, [ebp+arg_4]
		push	4016h
		mov	[ecx+esi+2Eh], ax
		mov	ecx, esi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_84E385
		push	edi
		mov	edx, eax
		mov	ecx, esi
		call	SdbReadDWORDTag
		imul	ecx, [esi+0A38h], 28h
		mov	[ecx+esi+48h], eax

loc_84E34C:				; CODE XREF: InitOnceScanIndexes+150j
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		push	9801h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		imul	ecx, [esi+0A38h], 28h
		test	eax, eax
		jz	loc_8FDCF1
		push	[ebp+arg_4]
		mov	[ecx+esi+28h], eax
		mov	edx, ebx
		inc	dword ptr [esi+0A38h]
		mov	ecx, esi
		call	SdbFindNextTag
		jmp	loc_84E2B3
; 

loc_84E385:				; CODE XREF: InitOnceScanIndexes+F5j
		imul	eax, [esi+0A38h], 28h
		mov	[eax+esi+48h], edi
		jmp	short loc_84E34C
; 

loc_84E392:				; CODE XREF: InitOnceScanIndexes+78j
		mov	eax, [ebp+arg_8]
		xor	edi, edi
		mov	ecx, [ebp+var_4]
		inc	edi
		mov	[eax], ecx

loc_84E39D:				; CODE XREF: InitOnceScanIndexes+AFAD1j
					; InitOnceScanIndexes+AFAF0j
		mov	eax, edi
		pop	edi
		pop	ebx

loc_84E3A1:				; CODE XREF: InitOnceScanIndexes+AFAA0j
		pop	esi
		leave
		retn	0Ch
InitOnceScanIndexes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbFindFirstTag(x, x, x)
_SdbFindFirstTag@12 proc near		; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+39p
					; SdbpCheckSdbCapability(x,x,x,x,x,x,x)+1Ap ...

var_4		= dword	ptr -4
arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_4], eax
		xor	edi, edi
		call	_SdbGetFirstChild@8 ; SdbGetFirstChild(x,x)

loc_84E3BD:				; CODE XREF: SdbFindFirstTag(x,x,x)+37j
		mov	esi, eax
		test	esi, esi
		jz	short loc_84E3E1
		mov	edx, esi
		mov	ecx, ebx
		call	SdbGetTagFromTagID
		cmp	ax, [ebp+arg_0]
		jz	short loc_84E3DF
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	esi
		call	SdbGetNextChild
		jmp	short loc_84E3BD
; 

loc_84E3DF:				; CODE XREF: SdbFindFirstTag(x,x,x)+2Aj
		mov	edi, esi

loc_84E3E1:				; CODE XREF: SdbFindFirstTag(x,x,x)+1Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SdbFindFirstTag@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbGetNextChild	proc near		; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+14Bp
					; SdbFindNextTag+31p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FDD59 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		test	edi, edi
		jz	short loc_84E435
		call	SdbGetTagFromTagID
		mov	ecx, 0F000h
		and	ax, cx
		mov	ecx, 7000h
		cmp	ax, cx
		jnz	loc_8FDD59
		mov	edx, edi
		mov	ecx, esi
		call	SdbpGetNextTagId
		mov	edi, eax

loc_84E41F:				; CODE XREF: SdbGetNextChild+4Ej
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	SdbpGetNextTagId
		cmp	eax, edi
		sbb	ecx, ecx
		and	eax, ecx

loc_84E42F:				; CODE XREF: SdbGetNextChild+AF98Aj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_84E435:				; CODE XREF: SdbGetNextChild+Dj
		mov	edi, [esi+0Ch]
		jmp	short loc_84E41F
SdbGetNextChild	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpGetTagHeadSize proc	near		; CODE XREF: SdbpGetMappedTagData+8p
					; SdbpReadTagData+20p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FDD79 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	2		; size_t
		push	eax		; void *
		call	SdbpReadMappedData
		test	eax, eax
		jz	loc_8FDD79
		mov	eax, [ebp+var_4]
		mov	ecx, 7000h
		and	eax, 0F000h
		cmp	ax, cx
		sbb	eax, eax
		and	eax, 0FFFFFFFCh
		add	eax, 6
		leave
		retn
SdbpGetTagHeadSize endp

; 
		align 2

;  S U B	R O U T	I N E 


SdbpGetNextTagId proc near		; CODE XREF: SdbGetNextChild+2Ep
					; SdbGetNextChild+3Ap ...

; FUNCTION CHUNK AT 008FDD93 SIZE 00000021 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	SdbGetTagFromTagID
		mov	ecx, 0F000h
		and	ax, cx
		mov	ecx, 7000h
		cmp	ax, cx
		jnz	short loc_84E4A3
		mov	edx, edi
		mov	ecx, esi
		call	SdbGetTagDataSize
		cmp	eax, 0FFFFFFFFh
		jz	loc_8FDD93

loc_84E4A3:				; CODE XREF: SdbpGetNextTagId+1Dj
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	SdbpGetTagHeadSize
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_84E4D1
		mov	edx, edi
		mov	ecx, esi
		call	SdbGetTagDataSize
		test	byte ptr [esi+0A28h], 1
		jnz	short loc_84E4C9
		inc	eax
		and	eax, 0FFFFFFFEh

loc_84E4C9:				; CODE XREF: SdbpGetNextTagId+51j
		add	eax, ebx
		add	eax, edi

loc_84E4CD:				; CODE XREF: SdbpGetNextTagId+62j
		pop	ebx

loc_84E4CE:				; CODE XREF: SdbpGetNextTagId+AF93Dj
		pop	edi
		pop	esi
		retn
; 

loc_84E4D1:				; CODE XREF: SdbpGetNextTagId+3Fj
		mov	eax, [esi+0Ch]
		jmp	short loc_84E4CD
SdbpGetNextTagId endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbGetTagDataSize proc near		; CODE XREF: SdbpGetIndex+22p
					; SdbpGetFirstIndexedRecord+24p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FDDB4 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	ebx, edx
		mov	edi, ecx
		mov	[ebp+var_8], esi
		call	SdbGetTagFromTagID
		and	eax, 0F000h
		cmp	eax, 3000h
		jz	short loc_84E563
		cmp	eax, 4000h
		jz	short loc_84E568
		cmp	eax, 6000h
		jz	short loc_84E568
		cmp	eax, 5000h
		jz	short loc_84E56C
		cmp	eax, 1000h
		jz	short loc_84E53B
		cmp	eax, 2000h
		jz	short loc_84E570
		push	4		; size_t
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], esi
		push	eax		; void *
		lea	edx, [ebx+2]
		mov	ecx, edi
		call	SdbpReadMappedData
		test	eax, eax
		jz	loc_8FDDB4

loc_84E538:				; CODE XREF: SdbGetTagDataSize+AF8F7j
		mov	esi, [ebp+var_4]

loc_84E53B:				; CODE XREF: SdbGetTagDataSize+3Ej
					; SdbGetTagDataSize+90j ...
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_8FDDD2
		mov	eax, [ebp+var_8]
		cmp	eax, [edi+0Ch]
		ja	loc_8FDDD2

loc_84E55C:				; CODE XREF: SdbGetTagDataSize+AF918j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84E563:				; CODE XREF: SdbGetTagDataSize+22j
		push	2

loc_84E565:				; CODE XREF: SdbGetTagDataSize+94j
					; SdbGetTagDataSize+98j
		pop	esi
		jmp	short loc_84E53B
; 

loc_84E568:				; CODE XREF: SdbGetTagDataSize+29j
					; SdbGetTagDataSize+30j
		push	4
		jmp	short loc_84E565
; 

loc_84E56C:				; CODE XREF: SdbGetTagDataSize+37j
		push	8
		jmp	short loc_84E565
; 

loc_84E570:				; CODE XREF: SdbGetTagDataSize+45j
		xor	esi, esi
		inc	esi
		jmp	short loc_84E53B
SdbGetTagDataSize endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbGetTagFromTagID proc	near		; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+292p
					; SdbpFindMatcher(x,x,x,x,x)+14p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FDDF3 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	2		; size_t
		push	eax		; void *
		call	SdbpReadMappedData
		test	eax, eax
		jz	loc_8FDDF3
		mov	ax, word ptr [ebp+var_4]
		leave
		retn
SdbGetTagFromTagID endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SdbpReadMappedData(void	*,size_t)
SdbpReadMappedData proc	near		; CODE XREF: SdbpReadTagData+2Ep
					; SdbpGetTagHeadSize+10p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FDE10 SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	ecx, [ebp+arg_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_8FDE10
		mov	eax, [edi+0Ch]
		cmp	eax, [ebp+var_4]
		jb	loc_8FDE2B
		mov	eax, [edi+4]
		push	[ebp+arg_4]	; size_t
		add	eax, esi
		push	eax		; void *
		push	[ebp+arg_0]	; void *
		call	_memcpy
		xor	eax, eax
		add	esp, 0Ch
		inc	eax

loc_84E5E1:				; CODE XREF: SdbpReadMappedData+AF8B1j
		pop	edi
		pop	esi
		leave
		retn	8
SdbpReadMappedData endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SdbGetFirstChild(x,	x)
_SdbGetFirstChild@8 proc near		; CODE XREF: SdbpMatchList(x,x,x,x,x,x,x,x)+3Ap
					; InitOnceScanIndexes+39p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_84E620
		call	SdbGetTagFromTagID
		mov	ecx, 0F000h
		and	ax, cx
		mov	ecx, 7000h
		cmp	ax, cx
		jnz	short loc_84E628
		mov	edx, esi
		mov	ecx, edi
		call	SdbpGetNextTagId
		lea	ecx, [esi+6]

loc_84E617:				; CODE XREF: SdbGetFirstChild(x,x)+3Ej
		cmp	ecx, eax
		sbb	eax, eax
		and	eax, ecx

loc_84E61D:				; CODE XREF: SdbGetFirstChild(x,x)+42j
		pop	edi
		pop	esi
		retn
; 

loc_84E620:				; CODE XREF: SdbGetFirstChild(x,x)+Aj
		mov	eax, [edi+0Ch]
		push	0Ch
		pop	ecx
		jmp	short loc_84E617
; 

loc_84E628:				; CODE XREF: SdbGetFirstChild(x,x)+21j
		xor	eax, eax
		jmp	short loc_84E61D
_SdbGetFirstChild@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbMakeIndexKeyFromStringEx(x, x)
_SdbMakeIndexKeyFromStringEx@8 proc near ; CODE	XREF: SdbFindFirstStringIndexedTag+41p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+48h+var_4], eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+50h+var_3C], ecx
		xor	esi, esi
		lea	eax, [edi+2]
		mov	[esp+50h+var_44], eax

loc_84E653:				; CODE XREF: SdbMakeIndexKeyFromStringEx(x,x)+30j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, si
		jnz	short loc_84E653
		sub	edi, [esp+50h+var_44]
		and	edx, 2
		sar	edi, 1
		mov	[esp+50h+var_38], esi
		mov	[esp+50h+var_34], esi
		mov	[esp+50h+var_30], esi
		mov	[esp+50h+var_2C], esi
		mov	[esp+50h+var_44], esi
		mov	[esp+50h+var_40], esi
		cmp	edi, 8
		jbe	short loc_84E68E
		test	edx, edx
		jz	short loc_84E68E
		lea	ecx, [ecx+edi*2]
		add	ecx, 0FFFFFFF0h

loc_84E68E:				; CODE XREF: SdbMakeIndexKeyFromStringEx(x,x)+56j
					; SdbMakeIndexKeyFromStringEx(x,x)+5Aj
		push	ecx
		lea	eax, [esp+54h+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	10h
		lea	eax, [esp+54h+var_14]
		mov	[esp+54h+var_2C], eax
		lea	eax, [esp+54h+var_38]
		pop	edi
		push	eax
		lea	eax, [esp+54h+var_30]
		mov	word ptr [esp+54h+var_30+2], di
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		lea	eax, [esp+50h+var_24]
		mov	word ptr [esp+50h+var_44+2], di
		mov	[esp+50h+var_40], eax
		lea	eax, [esp+50h+var_30]
		push	esi
		push	eax
		lea	eax, [esp+58h+var_44]
		push	eax
		call	RtlUpcaseUnicodeString
		test	eax, eax
		jns	short loc_84E6FC
		push	[esp+50h+var_3C]
		push	offset ??_C@_0CG@LALKBFHG@Failed?5to?5upcase?5unicode?5string@NNGAKEGL@
		push	4C7h
		push	offset ??_C@_0BM@OMOLFLGG@SdbMakeIndexKeyFromStringEx@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_84E6F6:				; CODE XREF: SdbMakeIndexKeyFromStringEx(x,x):loc_84E730j
		xor	eax, eax
		xor	edx, edx
		jmp	short loc_84E770
; 

loc_84E6FC:				; CODE XREF: SdbMakeIndexKeyFromStringEx(x,x)+ABj
		movzx	edi, word ptr [esp+50h+var_44]
		shr	edi, 1
		call	_Feature_CompatBuildInVb__private_IsEnabledDeviceUsage@0 ; Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	short loc_84E72D
		movzx	ecx, word ptr [esp+50h+var_44]
		mov	eax, esi
		shr	ecx, 1
		jz	short loc_84E72D
		mov	edx, [esp+50h+var_40]

loc_84E71B:				; CODE XREF: SdbMakeIndexKeyFromStringEx(x,x)+FFj
		cmp	edi, 8
		jnb	short loc_84E730
		cmp	byte ptr [edx+eax*2+1],	0
		jz	short loc_84E728
		inc	edi

loc_84E728:				; CODE XREF: SdbMakeIndexKeyFromStringEx(x,x)+F9j
		inc	eax
		cmp	eax, ecx
		jb	short loc_84E71B

loc_84E72D:				; CODE XREF: SdbMakeIndexKeyFromStringEx(x,x)+DEj
					; SdbMakeIndexKeyFromStringEx(x,x)+E9j
		cmp	edi, 8

loc_84E730:				; CODE XREF: SdbMakeIndexKeyFromStringEx(x,x)+F2j
		ja	short loc_84E6F6
		mov	[esp+50h+var_30], esi
		mov	edx, esi
		mov	[esp+50h+var_2C], edx
		test	edi, edi
		jz	short loc_84E76E
		lea	ecx, [esp+50h+var_2C+3]
		lea	edx, [esp+50h+var_24]

loc_84E748:				; CODE XREF: SdbMakeIndexKeyFromStringEx(x,x)+138j
		movzx	eax, word ptr [edx]
		lea	edx, [edx+2]
		mov	[ecx], al
		dec	ecx
		shr	eax, 8
		test	al, al
		jz	short loc_84E761
		cmp	esi, 7
		jnb	short loc_84E761
		mov	[ecx], al
		dec	ecx
		inc	esi

loc_84E761:				; CODE XREF: SdbMakeIndexKeyFromStringEx(x,x)+12Aj
					; SdbMakeIndexKeyFromStringEx(x,x)+12Fj
		inc	esi
		cmp	esi, edi
		jb	short loc_84E748
		mov	edx, [esp+50h+var_2C]
		mov	esi, [esp+50h+var_30]

loc_84E76E:				; CODE XREF: SdbMakeIndexKeyFromStringEx(x,x)+112j
		mov	eax, esi

loc_84E770:				; CODE XREF: SdbMakeIndexKeyFromStringEx(x,x)+CEj
		mov	ecx, [esp+50h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_SdbMakeIndexKeyFromStringEx@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SdbpSearchDB(int,int,void *,int)
SdbpSearchDB	proc near		; CODE XREF: SdbGetDatabaseMatch+B4p

var_48		= dword	ptr -48h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FDE50 SIZE 00000284 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	[ebp+var_18], ecx
		lea	edi, [ebp+var_48]
		pop	ecx
		xor	eax, eax
		mov	esi, edx
		rep stosd
		xor	edi, edi
		push	80h		; size_t
		push	edi		; int
		push	[ebp+arg_8]	; void *
		mov	ebx, edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], ebx
		mov	[ebp+var_14], edi
		call	_memset
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	edx, 7007h
		mov	ecx, esi
		mov	eax, [eax+14h]
		push	edi
		push	600Bh
		mov	[ebp+var_C], eax
		call	SdbGetIndex
		mov	[ebp+var_20], 10h
		test	eax, eax
		jnz	loc_8FDE50

loc_84E7E4:				; CODE XREF: SdbpSearchDB+AF729j
		push	edi
		push	6001h
		mov	edx, 7007h
		mov	ecx, esi
		call	SdbGetIndex
		mov	ecx, esi
		test	eax, eax
		jz	loc_8FDEB0
		lea	eax, [ebp+var_48]
		mov	[ebp+var_1C], 1
		push	eax
		push	[ebp+var_C]
		mov	edx, 7007h
		push	6001h
		call	SdbFindFirstStringIndexedTag

loc_84E81D:				; CODE XREF: SdbpSearchDB+AF784j
					; SdbpSearchDB+AF7CEj ...
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	loc_8FDF0B
		mov	eax, [ebp+arg_4]
		cmp	[eax+18h], edi
		jnz	loc_8FDF6D

loc_84E834:				; CODE XREF: SdbpSearchDB+AF8C1j
		push	edi
		push	600Bh
		mov	edx, 7007h
		mov	ecx, esi
		call	SdbGetIndex
		test	eax, eax
		jnz	loc_8FE048

loc_84E84E:				; CODE XREF: SdbpSearchDB+AF70Aj
					; SdbpSearchDB+AF769j ...
		cmp	ebx, 10h
		ja	short loc_84E865
		mov	eax, ebx
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	short loc_84E865

loc_84E85C:				; CODE XREF: SdbpSearchDB+AF94Dj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
; 

loc_84E865:				; CODE XREF: SdbpSearchDB+CFj
					; SdbpSearchDB+D8j ...
		mov	ebx, [ebp+var_20]
		jmp	loc_8FE0A8
SdbpSearchDB	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbGetIndex	proc near		; CODE XREF: SdbpFindFirstIndexedWildCardTag+42p
					; SdbFindFirstStringIndexedTag+1Fp ...

var_8		= dword	ptr -8
var_2		= word ptr -2
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FE0D4 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	esi, esi
		mov	[ebp+var_2], dx
		mov	[ebp+var_8], esi
		test	edi, edi
		jz	short loc_84E88B
		mov	[edi], esi

loc_84E88B:				; CODE XREF: SdbGetIndex+19j
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		push	offset InitOnceScanIndexes
		lea	eax, [ecx+0A2Ch]
		push	eax
		call	RtlRunOnceExecuteOnce
		test	eax, eax
		js	loc_8FE0D4
		mov	edx, [ebp+var_8]
		mov	eax, esi
		lea	ecx, [edx+4]

loc_84E8B1:				; CODE XREF: SdbGetIndex+58j
		movzx	ebx, word ptr [ecx]
		test	bx, bx
		jz	short loc_84E8E4
		cmp	bx, [ebp+var_2]
		jz	short loc_84E8CA

loc_84E8BF:				; CODE XREF: SdbGetIndex+64j
		inc	eax
		add	ecx, 28h
		cmp	eax, 40h
		jl	short loc_84E8B1
		jmp	short loc_84E8E4
; 

loc_84E8CA:				; CODE XREF: SdbGetIndex+4Fj
		mov	bx, [ebp+arg_0]
		cmp	[ecx+2], bx
		jnz	short loc_84E8BF
		imul	ecx, eax, 28h
		mov	esi, [ecx+edx]
		test	edi, edi
		jz	short loc_84E8E4
		mov	ecx, [ecx+edx+20h]
		mov	[edi], ecx

loc_84E8E4:				; CODE XREF: SdbGetIndex+49j
					; SdbGetIndex+5Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
SdbGetIndex	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpBinarySearchFirst(x, x,	x, x, x)
_SdbpBinarySearchFirst@20 proc near	; CODE XREF: SdbpGetFirstIndexedRecord+62p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, edx
		mov	[ebp+var_4], ecx
		push	ebx
		push	esi
		mov	[ebp+var_C], eax
		lea	esi, [eax-1]
		mov	eax, [ebp+arg_8]
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], edi
		or	dword ptr [eax], 0FFFFFFFFh
		test	esi, esi
		js	short loc_84E98D

loc_84E913:				; CODE XREF: SdbpBinarySearchFirst(x,x,x,x,x)+67j
		lea	eax, [esi+edi]
		cdq
		sub	eax, edx
		mov	ecx, eax
		sar	ecx, 1
		js	short loc_84E98D
		cmp	ecx, [ebp+var_C]
		jnb	short loc_84E98D
		mov	ebx, [ebp+var_4]
		imul	edx, ecx, 0Ch
		mov	eax, [edx+ebx]
		mov	[ebp+var_8], eax
		mov	eax, [edx+ebx+4]
		mov	ebx, [ebp+var_8]
		cmp	[ebp+arg_0], ebx
		mov	ebx, [ebp+var_10]
		jnz	short loc_84E988
		cmp	[ebp+arg_4], eax
		jz	short loc_84E965

loc_84E944:				; CODE XREF: SdbpBinarySearchFirst(x,x,x,x,x)+9Dj
		ja	short loc_84E950
		jb	short loc_84E960
		mov	eax, [ebp+var_8]
		cmp	[ebp+arg_0], eax
		jb	short loc_84E960

loc_84E950:				; CODE XREF: SdbpBinarySearchFirst(x,x,x,x,x):loc_84E944j
		lea	edi, [ecx+1]

loc_84E953:				; CODE XREF: SdbpBinarySearchFirst(x,x,x,x,x)+75j
		cmp	esi, edi
		jge	short loc_84E913

loc_84E957:				; CODE XREF: SdbpBinarySearchFirst(x,x,x,x,x)+98j
		mov	eax, ebx

loc_84E959:				; CODE XREF: SdbpBinarySearchFirst(x,x,x,x,x)+A1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_84E960:				; CODE XREF: SdbpBinarySearchFirst(x,x,x,x,x)+58j
					; SdbpBinarySearchFirst(x,x,x,x,x)+60j	...
		lea	esi, [ecx-1]
		jmp	short loc_84E953
; 

loc_84E965:				; CODE XREF: SdbpBinarySearchFirst(x,x,x,x,x)+54j
		test	ecx, ecx
		jz	short loc_84E97E
		mov	esi, [ebp+var_4]
		mov	eax, [edx+esi-0Ch]
		mov	edx, [edx+esi-8]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_84E97E
		cmp	edx, [ebp+arg_4]
		jz	short loc_84E960

loc_84E97E:				; CODE XREF: SdbpBinarySearchFirst(x,x,x,x,x)+79j
					; SdbpBinarySearchFirst(x,x,x,x,x)+89j
		mov	eax, [ebp+arg_8]
		xor	ebx, ebx
		inc	ebx
		mov	[eax], ecx
		jmp	short loc_84E957
; 

loc_84E988:				; CODE XREF: SdbpBinarySearchFirst(x,x,x,x,x)+4Fj
		cmp	[ebp+arg_4], eax
		jmp	short loc_84E944
; 

loc_84E98D:				; CODE XREF: SdbpBinarySearchFirst(x,x,x,x,x)+23j
					; SdbpBinarySearchFirst(x,x,x,x,x)+2Fj	...
		xor	eax, eax
		jmp	short loc_84E959
_SdbpBinarySearchFirst@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AslStringUpcaseToMultiByteN proc near	; CODE XREF: SdbpFindFirstIndexedWildCardTag+8Ep
					; SdbpFindNextIndexedWildCardTag+51p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FE0F3 SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_0]
		xor	ebx, ebx
		lea	eax, [ebp+var_14]
		push	eax
		mov	edi, ecx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	edx, word ptr [ebp+var_14+2]
		push	ecx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_8FE0F3
		mov	ax, word ptr [ebp+var_14+2]
		mov	word ptr [ebp+var_C+2],	ax
		xor	eax, eax
		mov	word ptr [ebp+var_C], ax
		lea	eax, [ebp+var_14]
		push	ebx
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUpcaseUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_8FE116
		push	ebx
		lea	eax, [ebp+var_C]
		mov	[ebp+var_18], edi
		push	eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_1C], 1000000h
		push	eax
		call	RtlUnicodeStringToAnsiString
		mov	esi, eax
		test	esi, esi
		js	loc_8FE123
		movzx	eax, word ptr [ebp+var_1C]
		mov	esi, ebx
		mov	[eax+edi], bl

loc_84EA1F:				; CODE XREF: AslStringUpcaseToMultiByteN+AF77Fj
					; AslStringUpcaseToMultiByteN+AF7ABj
		cmp	[ebp+var_8], ebx
		jz	short loc_84EA31
		push	74705041h
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84EA31:				; CODE XREF: AslStringUpcaseToMultiByteN+90j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
AslStringUpcaseToMultiByteN endp


;  S U B	R O U T	I N E 


; __stdcall AslAlloc(x,	x, x)
_AslAlloc@12	proc near		; CODE XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+84p
					; SdbpCreateSearchDBContext(x,x,x,x,x,x)+FAp ...
		mov	edi, edi
		push	esi
		push	edi
		push	74705041h
		mov	edi, edx
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_84EA5F
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_84EA5F:				; CODE XREF: AslAlloc(x,x,x)+17j
		pop	edi
		mov	eax, esi
		pop	esi
		retn	4
_AslAlloc@12	endp


;  S U B	R O U T	I N E 


KseShimDatabaseOpen proc near		; CODE XREF: KsepDbGetDriverShims+45p
					; KsepDbCacheReadDevice+4Fp ...

; FUNCTION CHUNK AT 008FE142 SIZE 0000005A BYTES

		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, ecx
		nop
		mov	ebx, offset _KsepShimDbLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		cmp	_KsepShimDbDuringBoot, 0
		mov	eax, _KsepShimDbHandle
		jz	short loc_84EAD6
		test	eax, eax
		jz	loc_8FE142
		inc	_KsepShimDbRefCount
		xor	esi, esi
		mov	[edi], eax
		lock inc dword_6C6F90

loc_84EAAE:				; CODE XREF: KseShimDatabaseOpen+BDj
					; KseShimDatabaseOpen+D0j ...
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		test	al, 2
		jnz	loc_8FE188

loc_84EABD:				; CODE XREF: KseShimDatabaseOpen+AF724j
					; KseShimDatabaseOpen+AF731j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_84EAD6:				; CODE XREF: KseShimDatabaseOpen+2Dj
		test	eax, eax
		jnz	short loc_84EB25
		mov	edx, offset _KsepShimDb
		mov	ecx, offset aSystemrootAp_1 ; "\\SystemRoot\\AppPatch\\drvmain.sdb"
		call	KsepSdbMapToMemory
		mov	esi, eax
		test	esi, esi
		js	loc_8FE174
		mov	edx, offset unk_6C7488
		mov	ecx, offset aSystemrootAppp ; "\\SystemRoot\\AppPatch\\drvpatch.sdb"
		call	KsepSdbMapToMemory
		test	eax, eax
		jns	loc_8FE14F

loc_84EB0A:				; CODE XREF: KseShimDatabaseOpen+AF6F4j
					; KseShimDatabaseOpen+AF709j
		inc	_KsepShimDbRefCount
		mov	eax, offset _KsepShimDb
		mov	_KsepShimDbHandle, eax
		mov	[edi], eax
		lock inc dword_6C6F94
		jmp	short loc_84EAAE
; 

loc_84EB25:				; CODE XREF: KseShimDatabaseOpen+72j
		inc	_KsepShimDbRefCount
		xor	esi, esi
		mov	[edi], eax
		lock inc dword_6C6F98
		jmp	loc_84EAAE
KseShimDatabaseOpen endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepRegistryQueryDriverShims proc near	; CODE XREF: KsepEngineGetShimsFromRegistry+3Fp

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FE19C SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, edx
		push	esi
		test	ecx, ecx
		jz	short loc_84EB8C
		test	ebx, ebx
		jz	short loc_84EB8C
		lea	eax, [ebp+var_4]
		mov	edx, ecx	; void *
		push	eax		; int
		mov	ecx, offset ??_C@_1JA@BBOFJBHB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		call	KsepRegistryOpenKey
		mov	esi, eax
		test	esi, esi
		jns	loc_8FE19C

loc_84EB6D:				; CODE XREF: KsepRegistryQueryDriverShims+AF67Aj
		cmp	esi, 0C0000034h
		jnz	short loc_84EB7A
		mov	esi, 0C0000225h

loc_84EB7A:				; CODE XREF: KsepRegistryQueryDriverShims+37j
		cmp	[ebp+var_4], 0
		jnz	loc_8FE1BB

loc_84EB84:				; CODE XREF: KsepRegistryQueryDriverShims+AF68Ej
		mov	eax, esi

loc_84EB86:				; CODE XREF: KsepRegistryQueryDriverShims+55j
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_84EB8C:				; CODE XREF: KsepRegistryQueryDriverShims+11j
					; KsepRegistryQueryDriverShims+15j
		mov	eax, 0C000000Dh
		jmp	short loc_84EB86
KsepRegistryQueryDriverShims endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KsepStringConcatenate(void *,int)
KsepStringConcatenate proc near		; CODE XREF: KsepLoadShimProvider(x)+41p
					; KsepRegistryOpenKey+4Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FE1CF SIZE 00000102 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		inc	esi
		mov	[ebp+var_8], ebx
		push	3
		pop	edx
		test	edi, edi
		jz	loc_8FE1CF

loc_84EBB6:				; CODE XREF: KsepStringConcatenate+AF673j
					; KsepStringConcatenate+AF694j
		test	ebx, ebx
		jz	loc_8FE22D

loc_84EBBE:				; CODE XREF: KsepStringConcatenate+AF6CEj
					; KsepStringConcatenate+AF6E5j
		cmp	[ebp+arg_0], 0
		jz	loc_8FE27E

loc_84EBC8:				; CODE XREF: KsepStringConcatenate+AF720j
					; KsepStringConcatenate+AF738j
		mov	ecx, ebx
		xor	eax, eax
		mov	[edi], eax
		xor	ebx, ebx
		mov	[edi+4], eax
		lea	edx, [ecx+2]

loc_84EBD6:				; CODE XREF: KsepStringConcatenate+4Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_84EBD6
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [ecx+ecx]
		mov	ecx, [ebp+arg_0]
		lea	edx, [ecx+2]

loc_84EBEE:				; CODE XREF: KsepStringConcatenate+63j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_84EBEE
		mov	ebx, [ebp+arg_4]
		sub	ecx, edx
		sar	ecx, 1
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 2
		lea	eax, [ecx+ecx]
		mov	[ebp+var_4], eax
		add	eax, ebx
		add	eax, esi
		mov	[ebp+var_C], eax
		lea	ecx, [eax+2]
		cmp	ecx, 0FFFFh
		ja	short loc_84EC98
		test	ecx, ecx
		jz	short loc_84EC98
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		test	eax, eax
		jz	short loc_84EC91
		push	esi		; size_t
		push	[ebp+var_8]	; void *
		mov	[edi+4], eax
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	[ebp+arg_4], 0
		jz	short loc_84EC50
		mov	eax, [edi+4]
		mov	ecx, esi
		shr	ecx, 1
		push	5Ch
		pop	edx
		mov	[eax+ecx*2], dx

loc_84EC50:				; CODE XREF: KsepStringConcatenate+ACj
		mov	eax, [edi+4]
		lea	ecx, [ebx+esi]
		push	[ebp+var_4]	; size_t
		shr	ecx, 1
		push	[ebp+arg_0]	; void *
		lea	eax, [eax+ecx*2]
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		mov	eax, [edi+4]
		add	esp, 0Ch
		shr	ecx, 1
		mov	[eax+ecx*2], dx
		lea	eax, [ebx+esi]
		add	eax, [ebp+var_4]
		mov	[edi], ax
		add	eax, 2
		mov	[edi+2], ax
		xor	eax, eax

loc_84EC8A:				; CODE XREF: KsepStringConcatenate+102j
					; KsepStringConcatenate+109j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_84EC91:				; CODE XREF: KsepStringConcatenate+96j
		mov	eax, 0C0000017h
		jmp	short loc_84EC8A
; 

loc_84EC98:				; CODE XREF: KsepStringConcatenate+89j
					; KsepStringConcatenate+8Dj
		mov	eax, 80000005h
		jmp	short loc_84EC8A
KsepStringConcatenate endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall KsepRegistryOpenKey(int,void *,int)
KsepRegistryOpenKey proc near		; CODE XREF: KsepRegistryQueryDriverShims+22p
					; KsepDbQueryRegistryDeviceData+42p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FE2D1 SIZE 000000A5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [esp+30h+var_18]
		xor	eax, eax
		mov	ebx, edx
		and	[esp+30h+var_1C], eax
		and	[esp+30h+var_24], eax
		mov	[esp+30h+var_20], eax
		push	6
		pop	ecx
		rep stosd
		push	4
		pop	ecx
		test	esi, esi
		jz	loc_8FE2D1

loc_84ECD4:				; CODE XREF: KsepRegistryOpenKey+AF67Ej
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_8FE323

loc_84ECDF:				; CODE XREF: KsepRegistryOpenKey+AF6B9j
					; KsepRegistryOpenKey+AF6D1j
		lea	ecx, [esp+30h+var_20]
		mov	edx, esi
		test	ebx, ebx
		jz	short loc_84ED4B
		push	1		; int
		push	ebx		; void *
		call	KsepStringConcatenate

loc_84ECF1:				; CODE XREF: KsepRegistryOpenKey+B0j
		mov	esi, eax
		test	esi, esi
		js	short loc_84ED37
		lea	eax, [esp+30h+var_20]
		mov	[esp+30h+var_18], 18h
		mov	[esp+30h+var_10], eax
		xor	ecx, ecx
		lea	eax, [esp+30h+var_18]
		mov	[esp+30h+var_14], ecx
		push	eax
		push	20019h
		lea	eax, [esp+38h+var_24]
		mov	[esp+38h+var_C], 240h
		push	eax
		mov	[esp+3Ch+var_8], ecx
		mov	[esp+3Ch+var_4], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_84ED52

loc_84ED37:				; CODE XREF: KsepRegistryOpenKey+55j
					; KsepRegistryOpenKey+BFj
		lea	ecx, [esp+30h+var_20]
		call	KsepStringFree
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_84ED4B:				; CODE XREF: KsepRegistryOpenKey+47j
		call	KsepStringDuplicate
		jmp	short loc_84ECF1
; 

loc_84ED52:				; CODE XREF: KsepRegistryOpenKey+95j
		mov	eax, [esp+30h+var_24]
		mov	[edi], eax
		lock inc dword_6C6FB8
		jmp	short loc_84ED37
KsepRegistryOpenKey endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseDriverLoadImage(x)
_KseDriverLoadImage@4 proc near		; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+4E8p
					; IopInitializeBuiltinDriver(x,x,x,x,x,x)+2BCp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	dword ptr [ebp+var_4], 0
		xor	eax, eax
		and	[ebp+var_8], 0
		and	dword ptr [ebp+var_C], eax
		and	[ebp+var_14], eax
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_18], eax
		push	esi
		push	edi
		test	ebx, ebx
		jz	loc_84EEFB
		mov	ecx, [ebx+18h]
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		xor	edi, edi
		inc	edi
		cmp	eax, edi
		jz	loc_84EEFB
		cmp	dword_6D4A78, 2
		jnz	loc_84EEFB
		test	byte ptr _KseEngine, 1
		jnz	loc_84EEFB
		lea	edx, [ebx+2Ch]
		lea	ecx, [ebp+var_10]
		call	KsepStringDuplicateUnicode
		mov	esi, eax
		test	esi, esi
		js	short loc_84EE21
		lea	edx, [ebx+24h]
		lea	ecx, [ebp+var_18]
		call	KsepStringDuplicateUnicode
		mov	esi, eax
		test	esi, esi
		js	short loc_84EE21
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	dword ptr [ebx+20h]
		lea	edx, [ebp+var_18]
		push	dword ptr [ebx+18h]
		lea	ecx, [ebp+var_10]
		call	KsepGetShimsForDriver
		mov	esi, eax
		test	esi, esi
		js	short loc_84EE21
		push	dword ptr [ebp+var_4]
		lea	edx, [ebp+var_10]
		mov	ecx, ebx
		push	[ebp+var_8]
		call	_KsepApplyShimsToDriver@16 ; KsepApplyShimsToDriver(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_84EE21
		push	dword ptr [ebp+var_4]
		mov	edx, [ebp+var_8]
		lea	ecx, [ebp+var_10]
		call	_KsepEvntLogShimsApplied@12 ; KsepEvntLogShimsApplied(x,x,x)
		test	esi, esi

loc_84EE21:				; CODE XREF: KseDriverLoadImage(x)+67j
					; KseDriverLoadImage(x)+78j ...
		jnz	short loc_84EE35
		or	dword_6D4A7C, 800h
		mov	eax, [ebx+18h]
		mov	dword_6D4AA4, eax

loc_84EE35:				; CODE XREF: KseDriverLoadImage(x):loc_84EE21j
		test	esi, esi
		jns	short loc_84EE9D
		cmp	esi, 0C000036Ch
		jnz	loc_84EEFB
		lock xadd _KsepHistoryMessagesIndex, edi
		inc	edi
		and	edi, 3Fh
		push	7
		pop	eax
		and	dword_6C7244[edi*8], 0
		test	_KsepDebugFlag,	1
		mov	word_6C7242[edi*8], ax
		mov	eax, 0BFh
		mov	_KsepHistoryMessages[edi*8], ax
		mov	edi, offset ??_C@_0CJ@NHCFFINH@KSE?3?5driver?5blocked?5from?5loadin@NNGAKEGL@
		jz	short loc_84EE8D
		push	dword ptr [ebp+var_C] ;	char
		push	edi		; char *
		push	4		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_84EE8D:				; CODE XREF: KseDriverLoadImage(x)+11Bj
		push	dword ptr [ebp+var_C]
		push	edi
		push	4
		call	_KsepLogInfo
		add	esp, 0Ch
		jmp	short loc_84EEFD
; 

loc_84EE9D:				; CODE XREF: KseDriverLoadImage(x)+D5j
		lock xadd _KsepHistoryMessagesIndex, edi
		inc	edi
		and	edi, 3Fh
		push	7
		pop	eax
		and	dword_6C7244[edi*8], 0
		test	_KsepDebugFlag,	1
		mov	word_6C7242[edi*8], ax
		mov	eax, 0C8h
		mov	_KsepHistoryMessages[edi*8], ax
		mov	edi, offset ??_C@_0CD@NGLBONJA@KSE?3?5Applied?5?$CFd?5shim?$CIs?$CJ?5to?5?$FL?$CFws@NNGAKEGL@
		jz	short loc_84EEE8
		push	dword ptr [ebp+var_C]
		push	dword ptr [ebp+var_4] ;	char
		push	edi		; char *
		push	4		; int
		call	_KsepDebugPrint
		add	esp, 10h

loc_84EEE8:				; CODE XREF: KseDriverLoadImage(x)+173j
		push	dword ptr [ebp+var_C]
		push	dword ptr [ebp+var_4]
		push	edi
		push	4
		call	_KsepLogInfo
		add	esp, 10h
		jmp	short loc_84EEFD
; 

loc_84EEFB:				; CODE XREF: KseDriverLoadImage(x)+25j
					; KseDriverLoadImage(x)+38j ...
		xor	esi, esi

loc_84EEFD:				; CODE XREF: KseDriverLoadImage(x)+139j
					; KseDriverLoadImage(x)+197j
		lea	ecx, [ebp+var_10]
		call	KsepStringFree
		lea	ecx, [ebp+var_18]
		call	KsepStringFree
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_KseDriverLoadImage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepEngineGetShimsFromRegistry proc near ; CODE	XREF: KsepGetShimsForDriver+50p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FE376 SIZE 0000011D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_C], 0
		and	[ebp+var_4], 0
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, edx
		test	byte ptr [ecx+8], 1
		push	edi
		mov	[ebp+var_8], ebx
		jnz	short loc_84EF8A
		mov	ecx, 800h
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_84EF91
		lea	ecx, [ebp+var_C]
		mov	edx, eax
		push	ecx
		push	ecx
		mov	ecx, [esi+4]
		call	KsepRegistryQueryDriverShims
		mov	esi, eax
		test	esi, esi
		jns	loc_8FE376

loc_84EF62:				; CODE XREF: KsepEngineGetShimsFromRegistry+AF552j
					; KsepEngineGetShimsFromRegistry+AF57Aj
		mov	ecx, [ebp+var_14]
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		test	esi, esi
		jns	short loc_84EF81

loc_84EF6E:				; CODE XREF: KsepEngineGetShimsFromRegistry+7Bj
					; KsepEngineGetShimsFromRegistry+82j
		mov	ecx, ebx
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0

loc_84EF81:				; CODE XREF: KsepEngineGetShimsFromRegistry+58j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_84EF8A:				; CODE XREF: KsepEngineGetShimsFromRegistry+22j
		mov	esi, 0C0000225h
		jmp	short loc_84EF6E
; 

loc_84EF91:				; CODE XREF: KsepEngineGetShimsFromRegistry+33j
		mov	esi, 0C0000017h
		jmp	short loc_84EF6E
KsepEngineGetShimsFromRegistry endp


;  S U B	R O U T	I N E 


KsepStringFree	proc near		; CODE XREF: KsepLoadShimProvider(x)+64p
					; KsepCacheHwIdFree(x)+10p ...

; FUNCTION CHUNK AT 008FE493 SIZE 00000053 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	loc_8FE493
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_84EFB8
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0

loc_84EFB8:				; CODE XREF: KsepStringFree+12j
					; KsepStringFree+AF534j
		pop	esi
		retn
KsepStringFree	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepStringDuplicateUnicode proc	near	; CODE XREF: KseShimDriverIoCallbacks+57p
					; KseDriverLoadImage(x)+5Ep ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FE4E6 SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		mov	esi, ecx
		test	edi, edi
		jz	loc_8FE4E6

loc_84EFD1:				; CODE XREF: KsepStringDuplicateUnicode+AF565j
					; KsepStringDuplicateUnicode+AF57Cj
		mov	[esi], ebx
		mov	[esi+4], ebx
		movzx	eax, word ptr [edi]
		mov	[ebp+var_4], eax
		lea	ecx, [eax+2]
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_84F021
		push	[ebp+var_4]	; size_t
		push	dword ptr [edi+4] ; void *
		push	ebx		; void *
		call	_memcpy
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		add	ecx, 2
		add	esp, 0Ch
		mov	eax, ecx
		movzx	ecx, cx
		shr	eax, 1
		mov	[ebx+eax*2-2], dx
		lea	eax, [ecx-2]
		mov	[esi], ax
		xor	eax, eax
		mov	[esi+4], ebx
		mov	[esi+2], cx

loc_84F01C:				; CODE XREF: KsepStringDuplicateUnicode+6Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84F021:				; CODE XREF: KsepStringDuplicateUnicode+2Ej
		mov	eax, 0C0000017h
		jmp	short loc_84F01C
KsepStringDuplicateUnicode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepIsModuleShimmed proc near		; CODE XREF: KsepGetShimCallbacksForDriver+3Dp
					; KsepGetShimsForDriver+34p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FE53B SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	eax, ecx
		xor	edi, edi
		mov	[ebp+var_4], eax
		test	ebx, ebx
		jz	short loc_84F0A5
		test	eax, eax
		jz	short loc_84F0A5
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_84F0A5
		mov	eax, large fs:124h
		mov	[esi], edi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D4A90
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+var_4]
		add	edx, 14h
		mov	eax, [edx]

loc_84F06D:				; CODE XREF: KsepIsModuleShimmed+AF51Aj
		cmp	eax, edx
		jnz	loc_8FE53B

loc_84F075:				; CODE XREF: KsepIsModuleShimmed+AF525j
		or	eax, 0FFFFFFFFh
		mov	esi, offset unk_6D4A90
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_84F09C

loc_84F087:				; CODE XREF: KsepIsModuleShimmed+7Bj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, edi

loc_84F095:				; CODE XREF: KsepIsModuleShimmed+7Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_84F09C:				; CODE XREF: KsepIsModuleShimmed+5Dj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_84F087
; 

loc_84F0A5:				; CODE XREF: KsepIsModuleShimmed+14j
					; KsepIsModuleShimmed+18j ...
		xor	eax, eax
		jmp	short loc_84F095
KsepIsModuleShimmed endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpBinarySearchUnique(x, x, x, x, x)
_SdbpBinarySearchUnique@20 proc	near	; CODE XREF: SdbpGetFirstIndexedRecord:loc_84E0B3p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, edx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		xor	esi, esi
		lea	edi, [eax-1]
		mov	[ebp+var_4], ecx
		or	eax, 0FFFFFFFFh
		mov	[ebx], eax
		test	edi, edi
		js	short loc_84F10E

loc_84F0CD:				; CODE XREF: SdbpBinarySearchUnique(x,x,x,x,x)+62j
		lea	eax, [edi+esi]
		cdq
		sub	eax, edx
		sar	eax, 1
		js	short loc_84F127
		cmp	eax, [ebp+var_8]
		jnb	short loc_84F127
		mov	edx, [ebp+var_4]
		mov	ebx, [ebp+var_4]
		imul	ecx, eax, 0Ch
		mov	edx, [ecx+edx]
		mov	ecx, [ecx+ebx+4]
		mov	ebx, [ebp+arg_8]
		cmp	[ebp+arg_4], ecx
		ja	short loc_84F107
		jb	short loc_84F122
		cmp	[ebp+arg_0], edx
		jbe	short loc_84F122

loc_84F0FB:				; CODE XREF: SdbpBinarySearchUnique(x,x,x,x,x)+7Bj
		cmp	[ebp+arg_4], ecx
		jb	short loc_84F10A
		ja	short loc_84F107
		cmp	[ebp+arg_0], edx
		jb	short loc_84F10A

loc_84F107:				; CODE XREF: SdbpBinarySearchUnique(x,x,x,x,x)+48j
					; SdbpBinarySearchUnique(x,x,x,x,x)+56j
		lea	esi, [eax+1]

loc_84F10A:				; CODE XREF: SdbpBinarySearchUnique(x,x,x,x,x)+54j
					; SdbpBinarySearchUnique(x,x,x,x,x)+5Bj
		cmp	edi, esi
		jge	short loc_84F0CD

loc_84F10E:				; CODE XREF: SdbpBinarySearchUnique(x,x,x,x,x)+21j
		xor	ecx, ecx
		sub	esi, edi
		inc	ecx
		cmp	esi, ecx
		jg	short loc_84F12B
		xor	ecx, ecx

loc_84F119:				; CODE XREF: SdbpBinarySearchUnique(x,x,x,x,x)+83j
		mov	eax, ecx

loc_84F11B:				; CODE XREF: SdbpBinarySearchUnique(x,x,x,x,x)+7Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_84F122:				; CODE XREF: SdbpBinarySearchUnique(x,x,x,x,x)+4Aj
					; SdbpBinarySearchUnique(x,x,x,x,x)+4Fj
		lea	edi, [eax-1]
		jmp	short loc_84F0FB
; 

loc_84F127:				; CODE XREF: SdbpBinarySearchUnique(x,x,x,x,x)+2Bj
					; SdbpBinarySearchUnique(x,x,x,x,x)+30j
		xor	eax, eax
		jmp	short loc_84F11B
; 

loc_84F12B:				; CODE XREF: SdbpBinarySearchUnique(x,x,x,x,x)+6Bj
		mov	[ebx], eax
		jmp	short loc_84F119
_SdbpBinarySearchUnique@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall KsepDriverPathTail(x, x)
_KsepDriverPathTail@8 proc near		; CODE XREF: KseShimDriverIoCallbacks+68p
		test	ecx, ecx
		jz	short loc_84F169
		test	edx, edx
		jz	short loc_84F169
		push	esi
		movzx	esi, word ptr [ecx]
		shr	esi, 1
		jz	short loc_84F155
		mov	eax, [ecx+4]
		lea	eax, [eax+esi*2]

loc_84F146:				; CODE XREF: KsepDriverPathTail(x,x)+23j
		cmp	word ptr [eax-2], 5Ch
		jz	short loc_84F15A
		sub	eax, 2
		sub	esi, 1
		jnz	short loc_84F146

loc_84F155:				; CODE XREF: KsepDriverPathTail(x,x)+Ej
					; KsepDriverPathTail(x,x)+2Cj
		mov	eax, [ecx+4]
		jmp	short loc_84F15E
; 

loc_84F15A:				; CODE XREF: KsepDriverPathTail(x,x)+1Bj
		test	eax, eax
		jz	short loc_84F155

loc_84F15E:				; CODE XREF: KsepDriverPathTail(x,x)+28j
		push	eax
		push	edx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		pop	esi
		retn
; 

loc_84F169:				; CODE XREF: KsepDriverPathTail(x,x)+2j
					; KsepDriverPathTail(x,x)+6j
		mov	eax, 0C000000Dh
		retn
_KsepDriverPathTail@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateSectionForDriver proc near	; CODE XREF: MiObtainSectionForDriver+71p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FE552 SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	esi, esi
		mov	byte_6CF558, 1
		mov	ebx, edx
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[eax], esi
		mov	[ebp+var_4], esi
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jnz	short loc_84F1E0
		cmp	_KdDebuggerEnabled, dl
		jnz	loc_8FE552

loc_84F1A9:				; CODE XREF: MiCreateSectionForDriver+AF3E9j
					; MiCreateSectionForDriver+AF3F8j ...
		push	esi
		push	5
		lea	eax, [ebp+var_10]
		mov	[ebp+var_28], 18h
		push	eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], esi
		push	eax
		push	20h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_1C], 240h
		push	eax
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_84F25B
		mov	ebx, [ebp+var_4]

loc_84F1E0:				; CODE XREF: MiCreateSectionForDriver+2Bj
		mov	edx, [ebp+arg_0]
		mov	ecx, edx
		and	ecx, 1
		mov	esi, ecx
		shl	esi, 15h
		add	esi, 100000h
		test	edx, edx
		js	short loc_84F276

loc_84F1F7:				; CODE XREF: MiCreateSectionForDriver+10Cj
		xor	eax, eax
		mov	[ebp+var_28], 18h
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_20], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		test	ecx, ecx
		jnz	short loc_84F262
		or	eax, 0FFFFFFFFh

loc_84F21A:				; CODE XREF: MiCreateSectionForDriver+104j
		push	ecx
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	ebx
		shr	edx, 1Bh
		lea	eax, [ebp+var_28]
		and	edx, 8
		lea	ecx, [ebp+var_8]
		push	edx
		push	esi
		sub	esp, 0Ch
		push	eax
		call	MiCreateSystemSection
		cmp	[ebp+var_4], 0
		mov	esi, eax
		jz	short loc_84F249
		push	0
		push	[ebp+var_4]
		call	ObCloseHandle

loc_84F249:				; CODE XREF: MiCreateSectionForDriver+CDj
		test	esi, esi
		js	loc_8FE585
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_8]
		mov	[ecx], eax
		xor	eax, eax

loc_84F25B:				; CODE XREF: MiCreateSectionForDriver+6Bj
					; MiCreateSectionForDriver+AF423j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_84F262:				; CODE XREF: MiCreateSectionForDriver+A5j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_84F21A
; 

loc_84F276:				; CODE XREF: MiCreateSectionForDriver+85j
		or	esi, 400000h
		jmp	loc_84F1F7
MiCreateSectionForDriver endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiAllocateTempLoaderEntry(x)
_MiAllocateTempLoaderEntry@4 proc near	; CODE XREF: MiObtainSectionForDriver+AFp
		mov	edi, edi
		push	esi
		push	0
		push	40h
		push	5Ch
		mov	esi, ecx
		mov	edx, 644C6D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jz	short loc_84F2B4
		xor	ecx, ecx
		mov	[eax+3Ch], esi
		inc	ecx
		mov	dword ptr [eax+34h], 1000000h
		mov	[eax+38h], cx
		mov	dword ptr [eax+4Ch], 0FFFFFFFEh

loc_84F2B4:				; CODE XREF: MiAllocateTempLoaderEntry(x)+18j
		pop	esi
		retn
_MiAllocateTempLoaderEntry@4 endp


;  S U B	R O U T	I N E 


SdbGetDatabaseEdition proc near		; CODE XREF: KsepSdbMapToMemory+1AEp
					; KsepSdbBootInitialize+44p

; FUNCTION CHUNK AT 008FE598 SIZE 0000001E BYTES

		mov	edi, edi
		push	esi
		push	edi
		push	7001h
		xor	edx, edx
		mov	edi, ecx
		xor	esi, esi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_8FE598
		push	4055h
		mov	edx, eax
		mov	ecx, edi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_84F2F0
		push	esi
		mov	edx, eax
		mov	ecx, edi
		call	SdbReadDWORDTag
		mov	esi, eax

loc_84F2F0:				; CODE XREF: SdbGetDatabaseEdition+2Cj
					; SdbGetDatabaseEdition+AF2FBj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
SdbGetDatabaseEdition endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KsepSdbUnmapFromMemory(x)
_KsepSdbUnmapFromMemory@4 proc near	; CODE XREF: KseShimDatabaseClose+72p
					; KseShimDatabaseClose+7Cp ...
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_84F30C
		call	SdbReleaseDatabase
		mov	[esi], edi

loc_84F30C:				; CODE XREF: KsepSdbUnmapFromMemory(x)+Dj
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_84F31C
		push	eax
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		mov	[esi+4], edi

loc_84F31C:				; CODE XREF: KsepSdbUnmapFromMemory(x)+1Bj
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	short loc_84F32B
		call	ObfDereferenceObject
		mov	[esi+10h], edi

loc_84F32B:				; CODE XREF: KsepSdbUnmapFromMemory(x)+2Bj
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_84F33B
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	[esi+0Ch], edi

loc_84F33B:				; CODE XREF: KsepSdbUnmapFromMemory(x)+3Aj
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_84F34B
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	[esi+8], edi

loc_84F34B:				; CODE XREF: KsepSdbUnmapFromMemory(x)+4Aj
		pop	edi
		pop	esi
		pop	ecx
		retn
_KsepSdbUnmapFromMemory@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepSdbMapToMemory proc	near		; CODE XREF: KseShimDatabaseOpen+7Ep
					; KseShimDatabaseOpen+97p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FE5B6 SIZE 000001A6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_1C], edx
		push	edi		; char
		push	ecx
		lea	eax, [ebp+var_24]
		mov	[ebp+var_24], esi
		mov	edi, esi
		mov	[ebp+var_20], esi
		push	eax
		mov	[ebp+var_2C], esi
		mov	ebx, esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_24]
		mov	[ebp+var_44], 18h
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_2C]
		push	5
		push	eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_40], esi
		push	eax
		push	80000000h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_38], 240h
		push	eax
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], esi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		xor	eax, eax
		test	esi, esi
		jns	short loc_84F440
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	2
		push	9
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 2AAh
		mov	dword_6C7024[eax*8], esi
		mov	_KsepHistoryErrors[eax*8], cx
		jnz	loc_8FE5B6

loc_84F3FD:				; CODE XREF: KsepSdbMapToMemory+AF274j
		push	offset ??_C@_0CJ@EBFFHOCD@KSE?3?5ZwOpenFile?5failed?5opening?5@NNGAKEGL@ ; "KSE: ZwOpenFile failed opening DB file!"...

loc_84F402:				; CODE XREF: KsepSdbMapToMemory+AF2C3j
		push	0		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx
		mov	edx, ebx

loc_84F40D:				; CODE XREF: KsepSdbMapToMemory+18Fj
					; KsepSdbMapToMemory+AF31Dj ...
		test	esi, esi
		jns	loc_84F4E4

loc_84F415:				; CODE XREF: KsepSdbMapToMemory+AF3D6j
		test	edi, edi
		jnz	loc_8FE72B

loc_84F41D:				; CODE XREF: KsepSdbMapToMemory+AF3E1j
		test	ebx, ebx
		jnz	loc_8FE736

loc_84F425:				; CODE XREF: KsepSdbMapToMemory+AF3EDj
		cmp	[ebp+var_8], 0
		jnz	loc_8FE742

loc_84F42F:				; CODE XREF: KsepSdbMapToMemory+AF3FAj
		cmp	[ebp+var_4], 0
		jnz	loc_8FE74F

loc_84F439:				; CODE XREF: KsepSdbMapToMemory+1B9j
					; KsepSdbMapToMemory+AF407j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn			; char
; 

loc_84F440:				; CODE XREF: KsepSdbMapToMemory+72j
		push	[ebp+var_4]
		mov	[ebp+var_40], eax
		push	8000000h
		push	2
		push	eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	4
		lea	eax, [ebp+var_8]
		mov	[ebp+var_44], 18h
		push	eax
		mov	[ebp+var_38], 240h
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8FE5C9
		mov	eax, ds:_MmSectionObjectType
		lea	ecx, [ebp+var_14]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		push	eax
		push	0F001Fh
		push	[ebp+var_8]
		mov	[ebp+var_14], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, [ebp+var_14]
		mov	esi, eax
		test	esi, esi
		js	loc_8FE618
		lea	eax, [ebp+var_18]
		xor	edi, edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_18], edi
		push	eax
		push	ebx
		call	_MmMapViewInSystemSpace@12 ; MmMapViewInSystemSpace(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8FE672
		mov	edi, [ebp+var_10]
		mov	ecx, edi
		mov	edx, [ebp+var_18]
		call	SdbInitDatabaseInMemory
		mov	edx, eax
		test	edx, edx
		jz	loc_8FE6CE
		xor	esi, esi
		jmp	loc_84F40D
; 

loc_84F4E4:				; CODE XREF: KsepSdbMapToMemory+BFj
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+var_4]
		mov	[ecx+8], eax
		mov	eax, [ebp+var_8]
		mov	[ecx+0Ch], eax
		mov	[ecx+10h], ebx
		mov	[ecx+4], edi
		mov	[ecx], edx
		mov	ecx, [edx+4]
		call	SdbGetDatabaseEdition
		mov	edx, [ebp+var_1C]
		mov	[edx+20h], eax
		jmp	loc_84F439
KsepSdbMapToMemory endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopBootLog	proc near		; CODE XREF: IopLoadDriver+4E0p
					; IopLoadDriver+689p ...

var_434		= dword	ptr -434h
var_430		= dword	ptr -430h
var_42C		= dword	ptr -42Ch
var_428		= dword	ptr -428h
var_424		= dword	ptr -424h
var_420		= dword	ptr -420h
var_41C		= dword	ptr -41Ch
var_418		= dword	ptr -418h
var_414		= dword	ptr -414h
var_410		= dword	ptr -410h
var_40C		= dword	ptr -40Ch
var_408		= dword	ptr -408h
var_208		= word ptr -208h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FE75C SIZE 000001AE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 434h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_410], 1000000h
		mov	[ebp+var_42C], eax
		mov	[ebp+var_428], eax
		mov	[ebp+var_434], eax
		mov	[ebp+var_430], eax
		mov	[ebp+var_424], eax
		mov	[ebp+var_420], eax
		mov	[ebp+var_41C], eax
		mov	[ebp+var_418], eax
		lea	eax, [ebp+var_408]
		push	ebx
		push	esi
		mov	[ebp+var_40C], eax
		mov	bl, dl
		mov	eax, ds:dword_A933A4
		mov	esi, ecx
		push	edi
		test	eax, eax
		jnz	loc_8FE75C

loc_84F57F:				; CODE XREF: IopBootLog+AF3F7j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
IopBootLog	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpCallDriverEntry(x, x)
_PnpCallDriverEntry@8 proc near		; CODE XREF: IopLoadDriver+47Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		push	5
		mov	esi, edx
		mov	[ebp+var_8], edi
		lea	edx, [ebp+var_C]
		pop	ecx
		call	_PnpEnableWatchdog@8 ; PnpEnableWatchdog(x,x)
		push	esi
		push	edi
		mov	ebx, eax
		call	dword ptr [edi+2Ch]
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_84F5D3
		mov	ecx, ebx
		call	PnpCancelWatchdog
		mov	ecx, ebx
		call	_PnpFreeWatchdog@4 ; PnpFreeWatchdog(x)

loc_84F5D3:				; CODE XREF: PnpCallDriverEntry(x,x)+35j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PnpCallDriverEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTiLogDriverObjectLoad proc near	; CODE XREF: IopLoadDriver+50Bp
					; IoCreateDriver+237p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FE90A SIZE 000000B8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_3C], 0
		push	ebx
		mov	ebx, _EtwThreatIntProvRegHandle
		push	esi
		push	edi
		mov	edi, dword_6BC124
		mov	esi, ecx
		push	offset _THREATINT_DRIVER_OBJECT_LOAD
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8FE90A

loc_84F615:				; CODE XREF: EtwTiLogDriverObjectLoad+AF342j
					; EtwTiLogDriverObjectLoad+AF3E3j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
EtwTiLogDriverObjectLoad endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopReadyDeviceObjects(x)
_IopReadyDeviceObjects@4 proc near	; CODE XREF: IopLoadDriver+503p
					; IopInitializeBuiltinDriver(x,x,x,x,x,x)+332p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+4]
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	esi
		xor	esi, esi
		lock or	[edx], esi
		or	dword ptr [ecx+8], 10h
		pop	esi
		jmp	short loc_84F64B
; 

loc_84F641:				; CODE XREF: IopReadyDeviceObjects(x)+29j
		and	dword ptr [eax+1Ch], 0FFFFFF7Fh
		mov	eax, [eax+0Ch]

loc_84F64B:				; CODE XREF: IopReadyDeviceObjects(x)+1Bj
		test	eax, eax
		jnz	short loc_84F641
		leave
		retn
_IopReadyDeviceObjects@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SdbReadBinaryTag(void *,int)
SdbReadBinaryTag proc near		; CODE XREF: SdbGetDatabaseID+4Bp
					; SdbpGetExeEntryFlags+4Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FE9C2 SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	SdbGetTagFromTagID
		mov	ecx, 0F000h
		mov	edx, esi
		and	ax, cx
		mov	ecx, 9000h
		cmp	ax, cx
		mov	ecx, edi
		jnz	loc_8FE9C2
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; void *
		call	SdbpReadTagData
		test	eax, eax
		jz	loc_8FE9E7
		xor	eax, eax
		inc	eax

loc_84F692:				; CODE XREF: SdbReadBinaryTag+AF3B0j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
SdbReadBinaryTag endp


;  S U B	R O U T	I N E 


SdbpValidateAndApplyCompatFlags	proc near ; CODE XREF: SdbpOpenDatabaseInMemory+5Ep
					; SdbOpenDatabaseEx(x,x,x,x)+175p

; FUNCTION CHUNK AT 008FEA07 SIZE 0000004B BYTES

		mov	edx, [edx]
		mov	eax, edx
		push	esi
		xor	esi, esi
		sub	eax, 1
		jz	loc_8FEA28
		sub	eax, 1
		jz	short loc_84F6CF
		sub	eax, 1
		jnz	loc_8FEA07

loc_84F6B6:				; CODE XREF: SdbpValidateAndApplyCompatFlags+3Ej
		lea	edx, [ecx+14h]
		call	SdbGetDatabaseID
		test	eax, eax
		jz	loc_8FEA34

loc_84F6C6:				; CODE XREF: SdbpValidateAndApplyCompatFlags+AF3B5j
		xor	esi, esi
		inc	esi

loc_84F6C9:				; CODE XREF: SdbpValidateAndApplyCompatFlags+AF38Bj
		mov	eax, esi
		pop	esi
		retn	4
; 

loc_84F6CF:				; CODE XREF: SdbpValidateAndApplyCompatFlags+13j
					; SdbpValidateAndApplyCompatFlags+AF397j
		or	dword ptr [ecx+0A28h], 2
		jmp	short loc_84F6B6
SdbpValidateAndApplyCompatFlags	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpOpenDatabaseInMemory proc near	; CODE XREF: SdbInitDatabaseInMemory+23p
					; SdbpOpenCompressedDatabase(x,x,x)+10Cp

var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FEA52 SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], ecx
		lea	edi, [ebp+var_10]
		mov	ebx, edx
		stosd
		mov	edx, 0A58h
		push	ecx
		stosd
		stosd
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8FEA52
		mov	eax, [ebp+var_4]
		xor	edx, edx
		and	dword ptr [esi+8], 0
		mov	ecx, esi
		or	dword ptr [esi+10h], 1
		and	dword ptr [esi], 0
		mov	[esi+4], eax
		lea	eax, [ebp+var_10]
		push	0Ch		; size_t
		push	eax		; void *
		mov	[esi+0Ch], ebx
		call	SdbpReadMappedData
		test	eax, eax
		jz	loc_8FEA6D
		push	ecx
		lea	edx, [ebp+var_10]
		mov	ecx, esi
		call	SdbpValidateAndApplyCompatFlags
		test	eax, eax
		jz	loc_8FEA86
		mov	eax, esi

loc_84F745:				; CODE XREF: SdbpOpenDatabaseInMemory+AF3BBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
SdbpOpenDatabaseInMemory endp


;  S U B	R O U T	I N E 


SdbCloseDatabaseRead proc near		; CODE XREF: SdbReleaseDatabase+5Cp
					; SdbInitDatabaseInMemory:loc_8FEB25p ...

; FUNCTION CHUNK AT 008FEA98 SIZE 00000072 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, 74705041h
		mov	eax, [esi+0A3Ch]
		test	eax, eax
		jnz	loc_8FEA98

loc_84F768:				; CODE XREF: SdbCloseDatabaseRead+AF350j
					; SdbCloseDatabaseRead+AF383j ...
		mov	eax, [esi+10h]
		test	al, 8
		jnz	loc_8FEAE5

loc_84F773:				; CODE XREF: SdbCloseDatabaseRead+AF39Bj
					; SdbCloseDatabaseRead+AF3A6j ...
		mov	ecx, [esi]
		call	AslFileMappingDelete
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
SdbCloseDatabaseRead endp

; 
		align 2

;  S U B	R O U T	I N E 


SdbInitDatabaseInMemory	proc near	; CODE XREF: KsepSdbMapToMemory+17Ep
					; PiInitializeDDB+10Fp	...

; FUNCTION CHUNK AT 008FEB0A SIZE 00000054 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		push	ecx
		mov	edx, 400h
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8FEB0A
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	SdbpOpenDatabaseInMemory
		mov	[ebx+4], eax
		test	eax, eax
		jz	loc_8FEB3C
		xor	eax, eax
		mov	dword ptr [ebx+28h], 2
		inc	eax
		lea	edi, [ebx+14h]
		mov	[ebx+0Ch], eax
		mov	ecx, ebx
		mov	[ebx+10h], eax
		mov	eax, [ebx+4]
		mov	[ebx+24h], eax
		mov	esi, [ebx+4]
		add	esi, 14h
		movsd
		movsd
		movsd
		movsd
		call	_SdbpInitializeMatchers@4 ; SdbpInitializeMatchers(x)
		mov	eax, ebx

loc_84F7E5:				; CODE XREF: SdbInitDatabaseInMemory+AF3B1j
		pop	edi
		pop	esi
		pop	ebx
		retn
SdbInitDatabaseInMemory	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall SdbpInitializeMatchers(x)
_SdbpInitializeMatchers@4 proc near	; CODE XREF: SdbInitDatabaseInMemory+58p
		lea	edx, [ecx+1B0h]
		xor	ecx, ecx

loc_84F7F2:				; CODE XREF: SdbpInitializeMatchers(x)+37j
		mov	eax, ds:dword_4045E0[ecx]
		mov	[edx-4], eax
		mov	eax, ds:off_4045E4[ecx]
		mov	[edx], eax
		lea	edx, [edx+10h]
		mov	eax, ds:dword_4045E8[ecx]
		mov	[edx-0Ch], eax
		mov	eax, ds:dword_4045EC[ecx]
		add	ecx, 10h
		mov	[edx-8], eax
		cmp	ecx, 170h
		jb	short loc_84F7F2
		retn
_SdbpInitializeMatchers@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbReleaseDatabase proc	near		; CODE XREF: KsepSdbUnmapFromMemory(x)+Fp
					; PiReleaseDDB(x)+Bp ...

var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008FEB5E SIZE 0000005E BYTES

		push	10h
		push	offset dword_6A47B8
		call	__SEH_prolog4
		mov	esi, ecx
		push	(offset	loc_8C21F3+1)
		push	53h
		mov	edi, offset ??_C@_0BD@JBPJCCEK@SdbReleaseDatabase@NNGAKEGL@
		push	edi
		push	3
		call	AslLogCallPrintf
		add	esp, 10h
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [esi+3FCh]
		cmp	dword ptr [esi+3F8h], 0
		jnz	loc_8FEB5E
		test	ecx, ecx
		jg	loc_8FEB98
		mov	ecx, esi
		call	SdbpCleanupLocalDatabaseSupport
		test	byte ptr [esi+58h], 2
		jnz	loc_8FEBAF

loc_84F879:				; CODE XREF: SdbReleaseDatabase+AF393j
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_84F885
		call	SdbCloseDatabaseRead

loc_84F885:				; CODE XREF: SdbReleaseDatabase+5Aj
					; SdbReleaseDatabase+94j
		mov	edx, [esi+1A4h]
		test	edx, edx
		jnz	short loc_84F8B1

loc_84F88F:				; CODE XREF: SdbReleaseDatabase+AF349j
					; SdbReleaseDatabase+AF36Fj
		push	74705041h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84F89A:				; CODE XREF: SdbReleaseDatabase+AF386j
					; sub_8FEC0C+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84F8B1:				; CODE XREF: SdbReleaseDatabase+69j
		mov	ecx, esi
		call	_SdbpRemoveSDBLookupEntry@8 ; SdbpRemoveSDBLookupEntry(x,x)
		jmp	short loc_84F885
SdbReleaseDatabase endp


;  S U B	R O U T	I N E 


SdbpCleanupLocalDatabaseSupport	proc near ; CODE XREF: SdbReleaseDatabase+46p

; FUNCTION CHUNK AT 008FEC14 SIZE 0000002D BYTES

		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		test	dword ptr [esi+10h], 0FFF8h
		jnz	short loc_84F8DB

loc_84F8CA:				; CODE XREF: SdbpCleanupLocalDatabaseSupport+AF374j
		cmp	dword ptr [esi+8], 0
		jnz	loc_8FEC33

loc_84F8D4:				; CODE XREF: SdbpCleanupLocalDatabaseSupport+AF382j
		xor	eax, eax
		pop	edi
		inc	eax
		pop	esi
		pop	ecx
		retn
; 

loc_84F8DB:				; CODE XREF: SdbpCleanupLocalDatabaseSupport+Ej
		push	3
		pop	edi
		jmp	loc_8FEC14
SdbpCleanupLocalDatabaseSupport	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AslLogCallPrintf proc near		; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+2E2p
					; SdbpGetPathAppPatchPreRS3(x,x,x,x)+90p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008FEC41 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _g_AslLogPfnVPrintf
		test	eax, eax
		jnz	loc_8FEC41
		pop	ebp
		retn
AslLogCallPrintf endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpReadStringRef proc near		; CODE XREF: SdbGetStringTagPtr+3Cp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FEC55 SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	SdbGetTagFromTagID
		mov	ecx, 0F000h
		mov	edx, esi
		and	ax, cx
		mov	ecx, 6000h
		cmp	ax, cx
		mov	ecx, edi
		jnz	loc_8FEC55
		push	4		; int
		lea	eax, [ebp+var_4]
		push	eax		; void *
		call	SdbpReadTagData
		test	eax, eax
		jz	loc_8FEC7A
		mov	eax, [ebp+var_4]

loc_84F93D:				; CODE XREF: SdbpReadStringRef+AF39Dj
		pop	edi
		pop	esi
		leave
		retn
SdbpReadStringRef endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpGetStringTableItemFromStringRef proc near ;	CODE XREF: SdbpGetMappedStringFromTable+17p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FEC9A SIZE 0000009F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_C], edx
		push	edi
		xor	edi, edi
		and	[ebp+var_8], edi
		cmp	[ebx+8], edi
		jnz	loc_8FEC9A
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	offset InitOnceGetStringTableOffset
		lea	eax, [ebx+0A30h]
		push	eax
		call	RtlRunOnceExecuteOnce
		mov	esi, eax
		test	esi, esi
		js	loc_8FECCC
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	loc_8FED08
		mov	eax, [eax]
		test	eax, eax
		jz	loc_8FED08
		mov	edi, ebx

loc_84F99B:				; CODE XREF: SdbpGetStringTableItemFromStringRef+AF385j
		add	eax, [ebp+var_C]
		mov	ecx, edi
		mov	edx, eax
		mov	[ebp+var_4], eax
		call	SdbGetTagFromTagID
		mov	ecx, 8801h
		cmp	ax, cx
		jnz	loc_8FECE8
		xor	esi, esi

loc_84F9BA:				; CODE XREF: SdbpGetStringTableItemFromStringRef+AF3E6j
					; SdbpGetStringTableItemFromStringRef+AF3F2j
		mov	eax, [ebp+arg_0]
		not	esi
		mov	ecx, [ebp+var_4]
		shr	esi, 1Fh
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
SdbpGetStringTableItemFromStringRef endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpGetMappedStringFromTable proc near	; CODE XREF: SdbGetStringTagPtr+4Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FED39 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	SdbpGetStringTableItemFromStringRef
		test	eax, eax
		jz	loc_8FED39
		mov	edx, [ebp+var_4]
		test	edx, edx
		jz	loc_8FED39
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	loc_8FED39
		call	SdbpGetMappedTagData
		leave
		retn
SdbpGetMappedStringFromTable endp

; 
		align 4

;  S U B	R O U T	I N E 


SdbGetStringTagPtr proc	near		; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+207p
					; SdbpCheckApplicationTypeAttributes(x,x,x,x)+23Fp ...

; FUNCTION CHUNK AT 008FED56 SIZE 0000003A BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		mov	ebx, edx
		test	esi, esi
		jz	loc_8FED56
		call	SdbGetTagFromTagID
		mov	ecx, 0F000h
		and	ax, cx
		mov	ecx, 8000h
		cmp	ax, cx
		jz	loc_8FED82
		mov	ecx, 6000h
		cmp	ax, cx
		jnz	short loc_84FA6C
		mov	edx, ebx
		mov	ecx, esi
		call	SdbpReadStringRef
		test	eax, eax
		jz	loc_8FED62
		mov	edx, eax
		mov	ecx, esi
		call	SdbpGetMappedStringFromTable

loc_84FA6A:				; CODE XREF: SdbGetStringTagPtr+AF373j
		mov	edi, eax

loc_84FA6C:				; CODE XREF: SdbGetStringTagPtr+36j
		mov	eax, edi

loc_84FA6E:				; CODE XREF: SdbGetStringTagPtr+AF365j
		pop	edi
		pop	esi
		pop	ebx
		retn
SdbGetStringTagPtr endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiInitializeDDB	proc near		; CODE XREF: PiLookupInDDB+80p
					; PiLookupInDDB+9Bp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FED90 SIZE 000000C3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_20], eax
		mov	edi, ebx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		stosd
		push	ecx
		mov	[ebp+var_5], dl
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	edi, edi
		mov	[ebp+var_48], 18h
		push	edi
		lea	eax, [ebp+var_20]
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_30]
		push	5
		push	eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_3C], 240h
		push	eax
		push	80000000h
		lea	eax, [ebp+var_14]
		mov	[ebp+var_38], edi
		push	eax
		mov	[ebp+var_34], edi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_84FB19
		cmp	[ebp+var_5], 0
		jz	loc_8FED90

loc_84FAF5:				; CODE XREF: PiInitializeDDB+139j
					; PiInitializeDDB+AF325j ...
		cmp	[ebp+var_C], edi
		jnz	loc_8FEE2A

loc_84FAFE:				; CODE XREF: PiInitializeDDB+AF3C2j
		cmp	[ebp+var_10], edi
		jnz	loc_8FEE39

loc_84FB07:				; CODE XREF: PiInitializeDDB+AF3CFj
		cmp	[ebp+var_14], edi
		jnz	loc_8FEE46

loc_84FB10:				; CODE XREF: PiInitializeDDB+AF3DCj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_84FB19:				; CODE XREF: PiInitializeDDB+77j
		push	[ebp+var_14]
		lea	eax, [ebp+var_48]
		mov	[ebp+var_48], 18h
		push	8000000h
		push	2
		push	edi
		push	eax
		push	4
		lea	eax, [ebp+var_10]
		mov	[ebp+var_44], edi
		push	eax
		mov	[ebp+var_3C], 240h
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], edi
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8FEDE8
		push	2
		push	edi
		push	1
		lea	eax, [ebp+var_18]
		push	eax
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_C]
		push	eax
		push	0FFFFFFFFh
		push	[ebp+var_10]
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8FEDFF
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_C]
		call	SdbInitDatabaseInMemory
		test	eax, eax
		jz	loc_8FEE16
		mov	[ebx], eax
		mov	eax, [ebp+var_14]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_10]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_C]
		mov	[ebx+4], eax
		mov	[ebp+var_C], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_14], edi
		jmp	loc_84FAF5
PiInitializeDDB	endp


;  S U B	R O U T	I N E 


; __stdcall PiReleaseDDB(x)
_PiReleaseDDB@4	proc near		; CODE XREF: PiLookupInDDB+ADp
					; PiLookupInDDB+AFF12p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_84FBC0
		call	SdbReleaseDatabase

loc_84FBC0:				; CODE XREF: PiReleaseDDB(x)+9j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_84FBCF
		push	eax
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)

loc_84FBCF:				; CODE XREF: PiReleaseDDB(x)+15j
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_84FBDC
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_84FBDC:				; CODE XREF: PiReleaseDDB(x)+24j
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_84FBE9
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_84FBE9:				; CODE XREF: PiReleaseDDB(x)+31j
		xor	eax, eax
		pop	esi
		retn
_PiReleaseDDB@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpFindMatchingName proc near		; CODE XREF: SdbFindFirstStringIndexedTag+6Ap
					; SdbFindNextStringIndexedTag(x,x)+1Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FEE99 SIZE 00000054 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ecx
		push	edi
		test	esi, esi
		jz	short loc_84FC57
		mov	edi, [ebp+arg_0]

loc_84FC04:				; CODE XREF: SdbpFindMatchingName+75j
		movzx	eax, word ptr [edi+0Ch]
		mov	edx, esi
		push	eax
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8FEEC7
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	SdbGetStringTagPtr
		test	eax, eax
		jz	loc_8FEEAB
		test	byte ptr [edi+14h], 1
		mov	ecx, [edi+20h]
		jnz	loc_8FEE99
		push	ecx		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax

loc_84FC44:				; CODE XREF: SdbpFindMatchingName+AF2B8j
		jz	short loc_84FC57
		mov	edx, [edi]
		mov	ecx, [ebp+var_4]
		push	edi
		call	SdbpGetNextIndexedRecord
		mov	esi, eax
		test	esi, esi
		jnz	short loc_84FC60

loc_84FC57:				; CODE XREF: SdbpFindMatchingName+11j
					; SdbpFindMatchingName:loc_84FC44j
		mov	eax, esi

loc_84FC59:				; CODE XREF: SdbpFindMatchingName+AF2FAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_84FC60:				; CODE XREF: SdbpFindMatchingName+67j
		mov	ecx, [ebp+var_4]
		jmp	short loc_84FC04
SdbpFindMatchingName endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KseDriverUnloadImage proc near		; CODE XREF: MiUnloadSystemImage+211p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FEEED SIZE 00000285 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	short loc_84FCC2
		cmp	dword_6D4A78, 2
		jnz	short loc_84FCBB
		test	byte ptr _KseEngine, 1
		jnz	short loc_84FCBB
		mov	ecx, [edi+18h]
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		xor	ebx, ebx
		inc	ebx
		cmp	eax, ebx
		jz	short loc_84FCBB
		lea	eax, [ebp+var_4]
		mov	edx, ecx
		push	eax
		mov	ecx, offset _KseEngine
		call	KsepIsModuleShimmed
		test	eax, eax
		jnz	loc_8FEEED

loc_84FCB4:				; CODE XREF: KseDriverUnloadImage+AF28Bj
					; KseDriverUnloadImage+AF4F5j
		xor	eax, eax

loc_84FCB6:				; CODE XREF: KseDriverUnloadImage+5Aj
					; KseDriverUnloadImage+61j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84FCBB:				; CODE XREF: KseDriverUnloadImage+1Cj
					; KseDriverUnloadImage+25j ...
		mov	eax, 0C00000BBh
		jmp	short loc_84FCB6
; 

loc_84FCC2:				; CODE XREF: KseDriverUnloadImage+13j
		mov	eax, 0C000000Dh
		jmp	short loc_84FCB6
KseDriverUnloadImage endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpGetNextIndexedRecord proc near	; CODE XREF: SdbpFindMatchingName+5Ep
					; SdbFindNextStringIndexedTag(x,x)+Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FF172 SIZE 00000099 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ebx
		call	SdbGetTagFromTagID
		mov	ecx, 9801h
		cmp	ax, cx
		jnz	loc_8FF165
		mov	edx, edi
		mov	ecx, ebx
		call	SdbpGetMappedTagData
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8FF172
		push	esi
		mov	esi, [ebp+arg_0]
		test	byte ptr [esi+14h], 1
		jnz	loc_8FF193
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	SdbGetTagDataSize
		xor	edx, edx
		mov	edi, [esi+10h]
		push	0Ch
		pop	ecx
		div	ecx
		dec	eax
		cmp	edi, eax
		jz	short loc_84FD44
		imul	ecx, edi, 0Ch
		mov	eax, [ecx+ebx+4]
		mov	edx, [ecx+ebx]
		mov	[ebp+arg_0], eax
		mov	eax, [ecx+ebx+0Ch]
		mov	ecx, [ecx+ebx+10h]
		cmp	edx, eax
		jnz	short loc_84FD44
		cmp	[ebp+arg_0], ecx
		jz	short loc_84FD4D

loc_84FD44:				; CODE XREF: SdbpGetNextIndexedRecord+5Aj
					; SdbpGetNextIndexedRecord+73j	...
		xor	eax, eax

loc_84FD46:				; CODE XREF: SdbpGetNextIndexedRecord+92j
		pop	esi

loc_84FD47:				; CODE XREF: SdbpGetNextIndexedRecord+AF4C4j
		pop	edi
		pop	ebx
		leave
		retn	4
; 

loc_84FD4D:				; CODE XREF: SdbpGetNextIndexedRecord+78j
		lea	eax, [edi+1]
		mov	[esi+10h], eax
		imul	eax, 0Ch
		mov	edi, [eax+ebx+8]

loc_84FD5A:				; CODE XREF: SdbpGetNextIndexedRecord+AF53Cj
		mov	eax, edi
		jmp	short loc_84FD46
SdbpGetNextIndexedRecord endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

InitOnceGetStringTableOffset proc near	; DATA XREF: SdbpGetStringTableItemFromStringRef+27o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008FF20B SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	loc_8FF20B
		push	edi
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	loc_8FF22B
		push	ebx
		push	7801h
		xor	edx, edx
		mov	ecx, esi
		xor	ebx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		add	esi, 0A34h
		mov	[esi], eax
		test	eax, eax
		jz	loc_8FF24B
		mov	[edi], esi
		inc	ebx

loc_84FD9F:				; CODE XREF: InitOnceGetStringTableOffset+AF506j
		mov	eax, ebx
		pop	ebx

loc_84FDA2:				; CODE XREF: InitOnceGetStringTableOffset+AF4E8j
		pop	edi

loc_84FDA3:				; CODE XREF: InitOnceGetStringTableOffset+AF4C8j
		pop	esi
		pop	ebp
		retn	0Ch
InitOnceGetStringTableOffset endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopUnloadDriver	proc near		; CODE XREF: NtUnloadDriver(x)+Ap
					; PnpUnloadAttachedDriver+87C7Ep ...

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1E		= byte ptr -1Eh
var_1D		= dword	ptr -1Dh
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008FF280 SIZE 00000018 BYTES
; FUNCTION CHUNK AT 008FF2C8 SIZE 00000011 BYTES

		push	80h
		push	offset dword_6A47D8
		call	__SEH_prolog4
		mov	[ebp+var_1E], dl
		mov	ebx, ecx
		xor	eax, eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_30], eax
		mov	byte ptr [ebp+var_1D], al
		mov	[ebp+var_34], eax
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_38], al
		test	al, al
		jnz	loc_84FFFE

loc_84FDEA:				; CODE XREF: IopUnloadDriver+258j
		mov	edx, ebx
		mov	ecx, offset _KMPnPEvt_DriverUnload_Start
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		and	[ebp+var_48], 0
		xor	eax, eax
		mov	[ebp+var_4C], eax
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	sub_8FF269
		push	0
		push	20019h
		push	ebx
		xor	edx, edx
		lea	ecx, [ebp+var_2C]
		call	IopOpenRegistryKey
		mov	edi, eax
		test	edi, edi
		js	loc_84FFC8
		lea	edx, [ebp+var_4C]
		mov	ecx, [ebp+var_2C]
		call	IopGetDriverNameFromKeyNode
		mov	edi, eax
		push	0
		push	[ebp+var_2C]
		call	ObCloseHandle
		test	edi, edi
		js	loc_84FFC8
		mov	[ebp+var_64], 18h
		xor	ecx, ecx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_58], 240h
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_5C], eax
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], ecx
		mov	esi, ds:_IoDriverObjectType
		lea	eax, [ebp+var_30]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		xor	eax, eax
		push	eax
		push	1
		push	eax
		push	eax
		push	esi
		lea	eax, [ebp+var_64]
		push	eax
		call	ObOpenObjectByNameEx
		mov	edi, eax
		test	edi, edi
		js	loc_84FFC8
		mov	eax, ds:_IoDriverObjectType
		xor	edx, edx
		mov	[ebp+var_24], edx
		push	edx
		lea	ecx, [ebp+var_24]
		push	ecx
		push	edx
		push	eax
		push	edx
		push	[ebp+var_30]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		push	0
		push	[ebp+var_30]
		call	ObCloseHandle
		test	edi, edi
		js	loc_84FFC8
		mov	esi, [ebp+var_24]
		push	dword ptr [esi+0Ch]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		movzx	ecx, word ptr [eax+44h]
		shl	ecx, 10h
		movzx	eax, word ptr [eax+46h]
		or	ecx, eax
		mov	[ebp+var_34], ecx
		lea	eax, [esi+34h]
		mov	[ebp+var_38], eax
		cmp	dword ptr [eax], 0
		jz	loc_8FF2C8
		cmp	dword ptr [esi+14h], 0
		jz	loc_8FF2C8
		cmp	[ebp+var_1E], 0
		jnz	short loc_84FF08
		mov	ecx, esi
		call	_PnpIsLegacyDriver@4 ; PnpIsLegacyDriver(x)
		test	eax, eax
		jz	loc_8FF2CA

loc_84FF08:				; CODE XREF: IopUnloadDriver+14Fj
		lea	edx, [ebp+var_1D]
		mov	ecx, esi
		call	IopCheckUnloadDriver
		mov	edi, eax
		test	edi, edi
		jns	loc_84FFC8
		cmp	edi, 0C0000010h
		jz	loc_84FFC8
		cmp	byte ptr [ebp+var_1D], 0
		jz	loc_84FFBF
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	eax, ds:_PsInitialSystemProcess
		jz	loc_8500A3
		xor	eax, eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_6C], eax
		mov	[ebp+var_68], eax
		push	eax
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	esi, [ebp+var_24]
		mov	[ebp+var_70], esi
		mov	[ebp+var_88], offset _IopLoadUnloadDriver@4 ; IopLoadUnloadDriver(x)
		lea	eax, [ebp+var_90]
		mov	[ebp+var_84], eax
		and	[ebp+var_90], 0
		push	1
		push	eax
		call	ExQueueWorkItem
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		call	KeWaitForSingleObject

loc_84FFA9:				; CODE XREF: IopUnloadDriver+30Cj
		mov	edx, esi
		mov	ecx, esi
		call	IopCleanupNotifications
		push	esi
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)
		mov	ecx, esi
		call	ObfDereferenceObject

loc_84FFBF:				; CODE XREF: IopUnloadDriver+184j
		mov	ecx, esi
		call	ObfDereferenceObject
		xor	edi, edi

loc_84FFC8:				; CODE XREF: IopUnloadDriver+7Aj
					; IopUnloadDriver+99j ...
		push	[ebp+var_34]
		lea	eax, [ebp+var_4C]
		push	eax
		push	edi
		mov	edx, ebx
		mov	ecx, offset _KMPnPEvt_DriverUnload_Stop
		call	_PnpDiagnosticTraceDriverFullInfo@20 ; PnpDiagnosticTraceDriverFullInfo(x,x,x,x,x)
		cmp	[ebp+var_48], 0
		jz	short loc_84FFEC
		push	0
		push	[ebp+var_48]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_84FFEC:				; CODE XREF: IopUnloadDriver+238j
		mov	eax, edi

loc_84FFEE:				; CODE XREF: IopUnloadDriver+2F6j
					; sub_8FF269+12j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_84FFFE:				; CODE XREF: IopUnloadDriver+3Cj
		test	dl, dl
		jnz	loc_84FDEA
		push	[ebp+var_38]
		push	ds:dword_A94E04
		push	ds:_SeLoadDriverPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_8FF276
		and	[ebp+ms_exc.disabled], 0
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_8FF280

loc_850033:				; CODE XREF: IopUnloadDriver+AF4DAj
		nop
		mov	eax, [ebx]
		mov	[ebp+var_44], eax
		mov	ecx, [ebx+4]
		mov	[ebp+var_40], ecx
		movzx	eax, ax
		test	ax, ax
		jz	loc_8FF287
		test	cl, 1
		jnz	short loc_8500B9
		lea	edx, [ecx+eax]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_8500BE
		cmp	edx, ecx
		jb	short loc_8500BE

loc_850060:				; CODE XREF: IopUnloadDriver+319j
		movzx	edx, word ptr [ebp+var_44]
		call	sub_549BAA
		mov	edi, eax
		mov	[ebp+var_28], edi
		movzx	ecx, word ptr [ebp+var_44]
		push	ecx		; size_t
		push	[ebp+var_40]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_40], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [ebp+var_44]
		push	eax
		call	_ZwUnloadDriver@4 ; ZwUnloadDriver(x)
		mov	esi, eax
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	loc_84FFEE
; 

loc_8500A3:				; CODE XREF: IopUnloadDriver+19Cj
		mov	esi, [ebp+var_24]
		push	esi
		mov	eax, [ebp+var_38]
		call	dword ptr [eax]
		lea	ecx, [esi+1Ch]
		call	EtwTiLogDriverObjectUnLoad
		jmp	loc_84FFA9
; 

loc_8500B9:				; CODE XREF: IopUnloadDriver+2A6j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_8500BE:				; CODE XREF: IopUnloadDriver+2B2j
					; IopUnloadDriver+2B6j
		mov	byte ptr [eax],	0
		jmp	short loc_850060
IopUnloadDriver	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PnpIsLegacyDriver(x)
_PnpIsLegacyDriver@4 proc near		; CODE XREF: IopUnloadDriver+153p
					; PipCallDriverAddDeviceQueryRoutine+1A9p ...
		mov	eax, [ecx+18h]
		cmp	dword ptr [eax+4], 0
		jz	short loc_8500D0

loc_8500CD:				; CODE XREF: PnpIsLegacyDriver(x)+10j
		xor	eax, eax
		retn
; 

loc_8500D0:				; CODE XREF: PnpIsLegacyDriver(x)+7j
		test	byte ptr [ecx+8], 2
		jz	short loc_8500CD
		xor	eax, eax
		inc	eax
		retn
_PnpIsLegacyDriver@4 endp

; 
		align 10h
; Exported entry 295. EtwUnregister

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public EtwUnregister
EtwUnregister	proc near		; CODE XREF: BapdWriteEtwEvents+1D0p
					; BapdWriteEtwEvents+1E3p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FF2D9 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	loc_8FF2D9
		test	byte ptr [esi+32h], 1
		jz	loc_8FF2E3
		xor	edi, edi
		mov	ebx, 16Ch
		cmp	[esi+14h], edi
		jnz	loc_8501DC

loc_850111:				; CODE XREF: EtwUnregister+126j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [esi+10h]
		xor	edx, edx
		add	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		mov	eax, [esi+10h]
		mov	[eax+170h], ecx
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_85022E
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_85022E
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	eax, [esi+8]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_85022E
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_85022E
		mov	[ecx], edx
		mov	[edx+4], ecx
		xor	edx, edx
		mov	eax, [esi+10h]
		mov	[eax+170h], edi
		mov	ecx, [esi+10h]
		add	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [esi+14h]
		test	eax, eax
		jnz	short loc_85020B

loc_850195:				; CODE XREF: EtwUnregister+142j
		mov	ebx, offset _ETW_EVENT_PROVIDER_UNREGISTERS
		push	ebx
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_8FF2F4

loc_8501B4:				; CODE XREF: EtwUnregister+AF227j
		mov	ecx, [esi+10h]
		call	EtwpUnreferenceGuidEntry
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jnz	short loc_850227

loc_8501C3:				; CODE XREF: EtwUnregister+14Cj
		mov	ecx, esi
		call	_EtwpReleaseProviderTraitsReference@4 ;	EtwpReleaseProviderTraitsReference(x)
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax

loc_8501D3:				; CODE XREF: EtwUnregister+AF1FEj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_8501DC:				; CODE XREF: EtwUnregister+2Bj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [esi+14h]
		xor	edx, edx
		add	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		mov	eax, [esi+14h]
		mov	[eax+170h], ecx
		jmp	loc_850111
; 

loc_85020B:				; CODE XREF: EtwUnregister+B3j
		mov	[eax+170h], edi
		xor	edx, edx
		mov	ecx, [esi+14h]
		add	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_850195
; 

loc_850227:				; CODE XREF: EtwUnregister+E1j
		call	EtwpUnreferenceGuidEntry
		jmp	short loc_8501C3
; 

loc_85022E:				; CODE XREF: EtwUnregister+60j
					; EtwUnregister+6Bj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
EtwUnregister	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMGetRegistryProperty	proc near	; CODE XREF: PiCMHandleIoctl+5Ap

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008FF325 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	ebx, [ebp+arg_C]
		xor	eax, eax
		push	esi
		push	edi
		push	0Ah
		mov	esi, ecx
		mov	[ebx], eax
		pop	ecx
		lea	edi, [ebp+var_34]
		mov	[ebp+var_8], eax
		rep stosd
		mov	[ebp+var_C], eax
		mov	edi, eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureRegistryPropertyInputData
		mov	esi, eax
		test	esi, esi
		js	loc_85034C
		cmp	[ebp+var_28], edi
		jz	loc_8FF35A
		cmp	[ebp+var_30], edi
		jnz	loc_8FF35A
		cmp	[ebp+var_18], edi
		jnz	loc_8FF35A
		cmp	[ebp+var_14], edi
		jnz	loc_8FF35A
		cmp	[ebp+var_1C], edi
		jnz	loc_8FF35A
		cmp	[ebp+arg_0], edi
		jz	loc_8FF364
		mov	eax, [ebp+arg_4]
		cmp	eax, 14h
		jb	loc_8FF364
		lea	ebx, [eax-14h]
		test	ebx, ebx
		jz	loc_850372
		push	34706E50h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8FF325

loc_8502D5:				; CODE XREF: PiCMGetRegistryProperty+140j
					; PiCMGetRegistryProperty+AF0F6j
		test	esi, esi
		js	loc_85035D
		mov	ecx, [ebp+var_20]
		lea	edx, [ebp+var_C]
		call	PiCMConvertRegistryProperty
		mov	esi, eax
		test	esi, esi
		js	short loc_85035D
		cmp	[ebp+var_2C], 1
		mov	[ebp+var_4], ebx
		jnz	loc_8FF32F
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_4]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		push	edi
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_C]
		push	0
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)

loc_850319:				; CODE XREF: PiCMGetRegistryProperty+AF11Ej
		mov	ebx, [ebp+arg_C]
		mov	esi, eax

loc_85031E:				; CODE XREF: PiCMGetRegistryProperty+AF12Bj
		test	esi, esi
		js	short loc_85035D
		mov	edx, [ebp+var_4]
		push	ebx		; int
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		push	[ebp+var_10]	; int
		push	edx		; size_t
		push	edi		; void *

loc_850331:				; CODE XREF: PiCMGetRegistryProperty+13Cj
		push	[ebp+var_8]	; int
		mov	ecx, esi
		call	PiCMReturnBufferResultData
		mov	esi, eax
		test	edi, edi
		jz	short loc_85034C
		push	34706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_85034C:				; CODE XREF: PiCMGetRegistryProperty+37j
					; PiCMGetRegistryProperty+10Bj
		lea	ecx, [ebp+var_34]
		call	PiCMReleaseRegistryPropertyInputData
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_85035D:				; CODE XREF: PiCMGetRegistryProperty+A3j
					; PiCMGetRegistryProperty+B8j ...
		push	[ebp+arg_C]
		mov	edx, [ebp+var_4]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	[ebp+var_10]
		push	0
		push	0
		jmp	short loc_850331
; 

loc_850372:				; CODE XREF: PiCMGetRegistryProperty+84j
		xor	edi, edi
		jmp	loc_8502D5
PiCMGetRegistryProperty	endp

; 
		align 2

;  S U B	R O U T	I N E 


PiCMReleaseRegistryPropertyInputData proc near ; CODE XREF: PiCMGetRegistryProperty+11Bp
					; PiCMSetRegistryProperty(x,x,x,x,x,x)+137p

; FUNCTION CHUNK AT 008FF36E SIZE 00000015 BYTES

		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, [eax+15Ah]
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_85039D
		test	bl, bl
		jz	short loc_85039D
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_85039D:				; CODE XREF: PiCMReleaseRegistryPropertyInputData+15j
					; PiCMReleaseRegistryPropertyInputData+19j
		mov	eax, [esi+1Ch]
		test	eax, eax
		jnz	loc_8FF36E

loc_8503A8:				; CODE XREF: PiCMReleaseRegistryPropertyInputData+AEFF6j
					; PiCMReleaseRegistryPropertyInputData+AF004j
		pop	esi
		xor	eax, eax
		pop	ebx
		retn
PiCMReleaseRegistryPropertyInputData endp

; 
		align 2

;  S U B	R O U T	I N E 


PiCMConvertRegistryProperty proc near	; CODE XREF: PiCMGetRegistryProperty+AFp
					; PiCMSetRegistryProperty(x,x,x,x,x,x)+8Ap

; FUNCTION CHUNK AT 008FF383 SIZE 00000099 BYTES

		xor	eax, eax
		dec	ecx
		cmp	ecx, 24h	; switch 37 cases
		ja	loc_8FF416	; default
		jmp	ds:off_850432[ecx*4] ; switch jump

loc_8503C1:				; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 2 ; case 0x1
		retn
; 

loc_8503C8:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 3 ; case 0x2
		retn
; 

loc_8503CF:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 9 ; case 0x8
		retn
; 

loc_8503D6:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 1 ; case 0x0
		retn
; 

loc_8503DD:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 5 ; case 0x4
		retn
; 

loc_8503E4:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 0Ch ; case 0xB
		retn
; 

loc_8503EB:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 0Dh ; case 0xC
		retn
; 

loc_8503F2:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 8 ; case 0x7
		retn
; 

loc_8503F9:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 16h ; case 0x15
		retn
; 

loc_850400:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 15h ; case 0x14
		retn
; 

loc_850407:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 0Eh ; case 0xD
		retn
; 

loc_85040E:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 12h ; case 0x11
		retn
; 

loc_850415:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 13h ; case 0x12
		retn
; 

loc_85041C:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 10h ; case 0xF
		retn
; 

loc_850423:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 0Ah ; case 0x9
		retn
; 

loc_85042A:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 23h ; case 0x22
		retn
PiCMConvertRegistryProperty endp

; 
		align 2
off_850432	dd offset loc_8503D6	; DATA XREF: PiCMConvertRegistryProperty+Cr
		dd offset loc_8503C1	; jump table for switch	statement
		dd offset loc_8503C8
		dd offset loc_8FF383
		dd offset loc_8503DD
		dd offset loc_8FF38A
		dd offset loc_8FF391
		dd offset loc_8503F2
		dd offset loc_8503CF
		dd offset loc_850423
		dd offset loc_8FF398
		dd offset loc_8503E4
		dd offset loc_8503EB
		dd offset loc_850407
		dd offset loc_8FF39F
		dd offset loc_85041C
		dd offset loc_8FF3A6
		dd offset loc_85040E
		dd offset loc_850415
		dd offset loc_8FF3AD
		dd offset loc_850400
		dd offset loc_8503F9
		dd offset loc_8FF3B4
		dd offset loc_8FF3BB
		dd offset loc_8FF3C2
		dd offset loc_8FF3C9
		dd offset loc_8FF3D0
		dd offset loc_8FF3D7
		dd offset loc_8FF3DE
		dd offset loc_8FF3E5
		dd offset loc_8FF3EC
		dd offset loc_8FF3F3
		dd offset loc_8FF3FA
		dd offset loc_8FF401
		dd offset loc_85042A
		dd offset loc_8FF408
		dd offset loc_8FF40F

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMCaptureRegistryPropertyInputData proc near ; CODE XREF: PiCMGetRegistryProperty+2Ep
					; PiCMSetRegistryProperty(x,x,x,x,x,x)+26p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FF41C SIZE 00000018 BYTES
; FUNCTION CHUNK AT 008FF45D SIZE 000000BF BYTES

		push	20h
		push	offset dword_6A47F8
		call	__SEH_prolog4
		mov	esi, edx
		mov	edx, ecx
		and	[ebp+var_28], 0
		and	[ebp+var_2C], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_20], al
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_24], eax
		test	edx, edx
		jz	loc_8FF50F
		test	esi, esi
		jz	loc_8FF50F
		and	[ebp+ms_exc.disabled], eax
		test	dl, 3
		jnz	loc_8505DD
		lea	edi, [edx+esi]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edi, ecx
		ja	loc_8FF41C
		cmp	edi, edx
		jb	loc_8FF41C

loc_85052A:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+AEF59j
		mov	ebx, [ebp+arg_4]
		cmp	esi, 28h
		jb	loc_8FF424
		push	0Ah
		pop	ecx
		mov	esi, edx
		mov	edi, ebx
		rep movsd
		cmp	dword ptr [ebx], 28h
		jnz	loc_8FF424

loc_850548:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+AEF69j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_85054F:				; CODE XREF: sub_8FF442+16j
		test	eax, eax
		js	loc_8505EB
		lea	edi, [ebx+0Ch]
		mov	eax, [edi]
		and	dword ptr [edi], 0
		test	eax, eax
		jz	loc_8FF461
		mov	ecx, [ebx+10h]
		cmp	ecx, 2
		jb	loc_8FF45D
		push	1
		push	[ebp+var_20]
		push	2
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	PiControlMakeUserModeCallersCopy
		mov	esi, eax
		test	esi, esi
		js	short loc_8505E2
		mov	[ebp+var_28], 1
		mov	edx, [ebx+10h]
		shr	edx, 1
		mov	ecx, [edi]
		xor	eax, eax
		mov	[ecx+edx*2-2], ax

loc_85059F:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+123j
					; PiCMCaptureRegistryPropertyInputData+AEFF7j
		lea	edi, [ebx+1Ch]
		mov	eax, [edi]
		and	dword ptr [edi], 0
		test	eax, eax
		jnz	loc_8FF4C2

loc_8505AF:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+AF034j
		cmp	dword ptr [ebx+20h], 0
		ja	loc_8FF471
		test	eax, eax
		jnz	loc_8FF500

loc_8505C1:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+128j
					; PiCMCaptureRegistryPropertyInputData+AF021j ...
		test	esi, esi
		js	loc_8FF476

loc_8505C9:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+AEFEFj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8505DD:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+45j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_8505E2:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+C2j
		and	dword ptr [edi], 0
		and	dword ptr [ebx+10h], 0
		jmp	short loc_85059F
; 

loc_8505EB:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+8Bj
		mov	esi, [ebp+var_1C]
		jmp	short loc_8505C1
PiCMCaptureRegistryPropertyInputData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwSetProcessTelemetryCoverage proc near ; CODE	XREF: PAGE:007AAB1Fp

; FUNCTION CHUNK AT 008FF51C SIZE 0000007B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, edx
		cmp	ecx, [eax+80h]
		jnz	short loc_850654
		cmp	_EtwpCoverageContext, 0
		jz	short loc_850649

loc_850613:				; CODE XREF: EtwSetProcessTelemetryCoverage+60j
		test	byte ptr [esi+0Ch], 1
		mov	edi, _EtwpCoverageContext
		jnz	short loc_85065B
		mov	eax, [esi+8]
		cmp	eax, 0FFFFFF00h
		jnb	loc_8FF526
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpCoverageRecord@8 ;	EtwpCoverageRecord(x,x)
		mov	ecx, edi
		call	EtwpCoverageEnsureUserModeView
		test	eax, eax
		js	short loc_850643

loc_850641:				; CODE XREF: EtwSetProcessTelemetryCoverage+AEF51j
					; EtwSetProcessTelemetryCoverage+AEF91j ...
		xor	eax, eax

loc_850643:				; CODE XREF: EtwSetProcessTelemetryCoverage+4Fj
					; EtwSetProcessTelemetryCoverage+62j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_850649:				; CODE XREF: EtwSetProcessTelemetryCoverage+21j
		call	_EtwpCoverageEnsureContext@0 ; EtwpCoverageEnsureContext()
		test	eax, eax
		jns	short loc_850613
		jmp	short loc_850643
; 

loc_850654:				; CODE XREF: EtwSetProcessTelemetryCoverage+18j
		mov	eax, 0C00000BBh
		jmp	short loc_850643
; 

loc_85065B:				; CODE XREF: EtwSetProcessTelemetryCoverage+2Dj
		or	dword ptr [esi+8], 0FFFFFFFFh
		jmp	loc_8FF51C
EtwSetProcessTelemetryCoverage endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpCoverageEnsureUserModeView proc near ; CODE	XREF: EtwSetProcessTelemetryCoverage+48p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 008FF5D2 SIZE 00000022 BYTES

		push	30h
		push	offset dword_6A4818
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_28], esi
		mov	eax, large fs:124h
		mov	ebx, [eax+80h]
		mov	[ebp+var_24], ebx
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [ebx+17Ch]
		mov	[ebp+var_30], eax
		mov	[ebp+var_28], eax
		cmp	[eax+45Ch], esi
		jnz	loc_85077C
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_2C], esi
		push	2
		push	esi
		push	1
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		push	esi
		push	esi
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		push	dword ptr [ecx+4]
		call	MmMapViewOfSection
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	loc_850786
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	edi, offset _EtwpCoverageLock
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	_EtwpCoverageLockOwner,	eax
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_30]
		cmp	[ecx+45Ch], esi
		jnz	short loc_85071E
		mov	eax, [ebp+var_20]
		mov	[ecx+45Ch], eax
		mov	[ebp+var_20], esi

loc_85071E:				; CODE XREF: EtwpCoverageEnsureUserModeView+ACj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_1C], esi

loc_850728:				; CODE XREF: EtwpCoverageEnsureUserModeView+127j
		mov	eax, _EtwpCoverageLockOwner
		cmp	eax, large fs:124h
		jnz	short loc_85075E
		mov	_EtwpCoverageLockOwner,	esi
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_8FF5D2

loc_85074B:				; CODE XREF: EtwpCoverageEnsureUserModeView+AEF70j
					; EtwpCoverageEnsureUserModeView+AEF7Dj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_85075E:				; CODE XREF: EtwpCoverageEnsureUserModeView+D0j
		mov	edx, [ebp+var_20]
		test	edx, edx
		jnz	loc_8FF5E6

loc_850769:				; CODE XREF: EtwpCoverageEnsureUserModeView+AEF8Bj
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85077C:				; CODE XREF: EtwpCoverageEnsureUserModeView+38j
		mov	[ebp+var_1C], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_850786:				; CODE XREF: EtwpCoverageEnsureUserModeView+6Fj
					; sub_8FF5A5+28j
		mov	edi, offset _EtwpCoverageLock
		jmp	short loc_850728
EtwpCoverageEnsureUserModeView endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageRecord(x, x)
_EtwpCoverageRecord@8 proc near		; CODE XREF: EtwTelemetryCoverageReport(x)+ACp
					; EtwpCoverageHighIrqlCPWorkItemCallback(x)+E3p ...

var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_98		= dword	ptr -98h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 164h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_110], 0
		mov	eax, 0FFDF0324h
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, [eax]
		add	eax, 0FFFFFFFCh
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10C], ebx
		mov	ecx, ds:0FFDF0004h
		mov	edx, [eax]
		mov	eax, 0FFDF0328h
		mov	[ebp+var_114], edi
		mov	[ebp+var_11C], ecx
		mov	eax, [eax]
		cmp	esi, eax
		jz	short loc_850809
		mov	eax, 0FFDF0324h
		lea	edi, [eax-4]
		lea	ebx, [eax+4]

loc_8507EB:				; CODE XREF: EtwpCoverageRecord(x,x)+67j
		pause
		mov	esi, [eax]
		mov	edx, [edi]
		mov	ecx, [ebx]
		cmp	esi, ecx
		jnz	short loc_8507EB
		mov	edi, [ebp+var_114]
		mov	ebx, [ebp+var_10C]
		mov	ecx, [ebp+var_11C]

loc_850809:				; CODE XREF: EtwpCoverageRecord(x,x)+50j
		and	[ebp+var_118], 0
		mov	eax, edx
		and	[ebp+var_10C], 0
		mul	ecx
		shl	esi, 8
		imul	esi, ecx
		mov	ecx, ebx
		shrd	eax, edx, 18h
		lea	edx, [ebp+var_118]
		add	eax, esi
		mov	[ebp+var_114], eax
		call	_EtwpCoverageValidateCP@8 ; EtwpCoverageValidateCP(x,x)
		or	ecx, 0FFFFFFFFh
		mov	edx, offset _EtwpCoverageLock
		test	eax, eax
		jz	loc_850984
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _EtwpCoverageLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, [ebx+8]
		mov	_EtwpCoverageLockOwner,	eax
		mov	eax, [edi+8]
		mov	[ebp+var_120], ecx
		mov	eax, [eax+18h]
		cmp	ecx, eax
		jb	short loc_850892

loc_850882:				; CODE XREF: EtwpCoverageRecord(x,x)+124j
		xor	esi, esi
		mov	edx, offset _EtwpCoverageLock
		inc	esi
		or	ecx, 0FFFFFFFFh
		jmp	loc_85098A
; 

loc_850892:				; CODE XREF: EtwpCoverageRecord(x,x)+F2j
		mov	esi, [ebx+4]
		mov	edx, esi
		mov	[ebx+8], eax
		mov	eax, [edi+8]
		mov	ecx, eax
		mov	[ebp+var_11C], eax
		call	TelemetryCoverageTableLocateInternal
		mov	[ebp+var_124], eax
		cmp	[eax], esi
		jz	short loc_850882
		mov	eax, [ebp+var_11C]
		mov	eax, [eax+20h]
		cmp	eax, [edi+14h]
		jb	short loc_8508CF

loc_8508C2:				; CODE XREF: EtwpCoverageRecord(x,x)+178j
		mov	eax, [edi]
		add	eax, 4
		lock inc dword ptr [eax]
		jmp	loc_85097C
; 

loc_8508CF:				; CODE XREF: EtwpCoverageRecord(x,x)+132j
		push	[ebp+var_118]
		mov	edx, [ebx]
		mov	ecx, [edi+1Ch]
		call	_EtwpCoverageAddToStringBuffer@12 ; EtwpCoverageAddToStringBuffer(x,x,x)
		mov	edx, eax
		mov	[ebp+var_10C], edx
		test	edx, edx
		jnz	short loc_85091E
		mov	ecx, edi
		call	_EtwpCoverageFlushPending@4 ; EtwpCoverageFlushPending(x)
		mov	ecx, edi
		call	EtwpCoverageEnsureStringBuffer
		test	eax, eax
		jns	short loc_850908
		mov	eax, [ebp+var_120]
		mov	[ebx+8], eax
		jmp	short loc_8508C2
; 

loc_850908:				; CODE XREF: EtwpCoverageRecord(x,x)+16Dj
		push	[ebp+var_118]
		mov	edx, [ebx]
		mov	ecx, [edi+1Ch]
		call	_EtwpCoverageAddToStringBuffer@12 ; EtwpCoverageAddToStringBuffer(x,x,x)
		mov	[ebp+var_10C], eax

loc_85091E:				; CODE XREF: EtwpCoverageRecord(x,x)+15Bj
		mov	ecx, [ebp+var_124]
		mov	eax, [ebx+4]
		mov	[ecx], eax
		mov	eax, [edi+8]
		inc	dword ptr [edi+28h]
		inc	dword ptr [eax+20h]
		cmp	dword ptr [edi+28h], 1
		jnz	short loc_85097C
		xor	edx, edx
		lea	ecx, [ebp+var_160]
		push	ecx
		push	edx
		push	edx
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_160], edx
		push	eax
		push	0FFFFD8F0h
		push	edx
		push	dword ptr [edi+10h]
		mov	[ebp+var_15C], edx
		mov	[ebp+var_158], eax
		mov	[ebp+var_154], eax
		call	__allmul
		push	edx
		push	eax
		mov	eax, [edi]
		add	eax, 98h
		push	eax
		call	KeSetTimer2

loc_85097C:				; CODE XREF: EtwpCoverageRecord(x,x)+13Cj
					; EtwpCoverageRecord(x,x)+1A8j
		mov	edx, offset _EtwpCoverageLock
		or	ecx, 0FFFFFFFFh

loc_850984:				; CODE XREF: EtwpCoverageRecord(x,x)+B6j
		mov	esi, [ebp+var_110]

loc_85098A:				; CODE XREF: EtwpCoverageRecord(x,x)+FFj
		mov	eax, _EtwpCoverageLockOwner
		cmp	eax, large fs:124h
		jnz	short loc_8509C3
		and	_EtwpCoverageLockOwner,	0
		lock xadd [edx], ecx
		and	cl, 6
		cmp	cl, 2
		jnz	short loc_8509B7
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, offset _EtwpCoverageLock

loc_8509B7:				; CODE XREF: EtwpCoverageRecord(x,x)+21Bj
		mov	ecx, edx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_8509C3:				; CODE XREF: EtwpCoverageRecord(x,x)+208j
		test	esi, esi
		jnz	loc_850AD7
		cmp	[ebp+var_10C], esi
		jz	loc_850AD7
		cmp	dword_6B2A68, 5
		jbe	loc_850AD7
		push	esi
		push	2
		mov	ecx, offset dword_6B2A68
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_850AD7
		mov	ecx, [edi]
		xor	edx, edx
		mov	eax, [ecx]
		mov	[ebp+var_128], eax
		lea	eax, [ebp+var_128]
		mov	[ebp+var_E8], eax
		mov	[ebp+var_E4], edx
		mov	[ebp+var_DC], edx
		mov	[ebp+var_E0], 4
		mov	eax, [ecx+4]
		mov	[ebp+var_12C], eax
		lea	eax, [ebp+var_12C]
		mov	[ebp+var_D8], eax
		mov	[ebp+var_D4], edx
		mov	[ebp+var_CC], edx
		mov	edx, [ebp+var_114]
		mov	eax, edx
		mov	[ebp+var_D0], 4
		sub	eax, [ecx+10h]
		and	[ebp+var_C4], esi
		and	[ebp+var_BC], esi
		mov	[ebp+var_130], eax
		lea	eax, [ebp+var_130]
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_134]
		mov	[ebp+var_C0], 4
		sub	edx, [ecx+14h]
		lea	ecx, [ebp+var_A8]
		and	[ebp+var_B4], esi
		and	[ebp+var_AC], esi
		mov	[ebp+var_134], edx
		mov	edx, [ebx]
		mov	[ebp+var_B8], eax
		mov	[ebp+var_B0], 4
		call	_tlgCreate1Sz_char
		lea	eax, [ebp+var_108]
		push	eax
		push	7
		push	esi
		push	esi
		push	offset loc_422DEB
		push	offset dword_6B2A68
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_850AD7:				; CODE XREF: EtwpCoverageRecord(x,x)+237j
					; EtwpCoverageRecord(x,x)+243j	...
		cmp	_EtwpCoverageCoreTracingEnabled, 0
		jz	loc_850BE2
		cmp	dword_6B2A68, 5
		jbe	loc_850BE2
		push	0
		push	1
		mov	ecx, offset dword_6B2A68
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_850BE2
		mov	ecx, [edi]
		xor	edi, edi
		push	4
		pop	edx
		push	4
		mov	eax, [ecx]
		mov	[ebp+var_138], eax
		lea	eax, [ebp+var_138]
		mov	[ebp+var_78], eax
		mov	[ebp+var_70], edx
		mov	[ebp+var_74], edi
		mov	[ebp+var_6C], edi
		mov	eax, [ecx+4]
		mov	[ebp+var_13C], eax
		lea	eax, [ebp+var_13C]
		mov	[ebp+var_68], eax
		mov	[ebp+var_60], edx
		mov	edx, [ebp+var_114]
		mov	eax, edx
		mov	[ebp+var_64], edi
		mov	[ebp+var_5C], edi
		sub	eax, [ecx+10h]
		mov	[ebp+var_140], eax
		lea	eax, [ebp+var_140]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_144]
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], 4
		mov	[ebp+var_4C], edi
		sub	edx, [ecx+14h]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_10C]
		pop	ecx
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_148]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_14C]
		mov	[ebp+var_144], edx
		mov	edx, [ebx]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_20], ecx
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_44], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_14C], esi
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], edi
		mov	[ebp+var_1C], edi
		call	_tlgCreate1Sz_char
		lea	eax, [ebp+var_98]
		push	eax
		push	9
		push	edi
		push	edi
		push	offset loc_422E4C
		push	offset dword_6B2A68
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_850BE2:				; CODE XREF: EtwpCoverageRecord(x,x)+350j
					; EtwpCoverageRecord(x,x)+35Dj	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpCoverageRecord@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 789. IoCreateDeviceSecure

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoCreateDeviceSecure
IoCreateDeviceSecure proc near

var_3E		= byte ptr -3Eh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 008FF5F4 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, [ebp+arg_20]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+50h+var_28]
		mov	[eax], edx
		mov	eax, edx
		mov	[esp+13h], dl
		mov	[esp+50h+var_3C], eax
		mov	[esp+50h+var_34], eax
		stosd
		mov	[esp+50h+var_38], edx
		mov	[esp+50h+var_2C], edx
		mov	[esp+50h+var_30], edx
		stosd
		stosd
		stosd
		stosd
		cmp	[ebp+arg_8], edx
		jz	loc_850DA1

loc_850C37:				; CODE XREF: IoCreateDeviceSecure+1AFj
		mov	edi, [ebp+arg_1C]
		test	edi, edi
		jz	short loc_850C57
		mov	edx, [ebp+arg_0]
		lea	eax, [esp+50h+var_28]
		push	eax
		mov	ecx, edi
		call	IopCreateSecureDeviceClassSettings
		mov	esi, eax
		test	esi, esi
		js	loc_8FF606

loc_850C57:				; CODE XREF: IoCreateDeviceSecure+46j
		mov	ebx, [esp+50h+var_28]
		test	bl, 2
		jnz	loc_850CE6
		mov	esi, [ebp+arg_18]
		movzx	ecx, word ptr [esi]
		movzx	eax, word ptr [esi+2]
		lea	edx, [ecx+2]
		cmp	eax, edx
		jnz	loc_850DB0
		mov	eax, [esi+4]
		xor	edi, edi
		shr	ecx, 1
		cmp	[eax+ecx*2], di
		mov	edi, [ebp+arg_1C]
		jnz	loc_850DB0
		xor	ecx, ecx
		push	ecx
		lea	ecx, [esp+54h+var_38]
		push	ecx
		push	1
		push	eax

loc_850C98:				; CODE XREF: IoCreateDeviceSecure+1FFj
		call	SeConvertStringSecurityDescriptorToSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_8FF60A
		mov	eax, [esp+50h+var_38]
		push	2
		pop	ebx
		mov	[esp+50h+var_20], eax
		or	word ptr [eax+2], 8
		test	edi, edi
		jz	short loc_850CE6
		xor	ecx, ecx
		mov	[esp+50h+var_14], ebx
		mov	[esp+50h+var_10], ecx
		lea	edx, [esp+50h+var_14]
		mov	[esp+50h+var_8], ecx
		mov	[esp+50h+var_4], ecx
		mov	ecx, edi
		mov	[esp+50h+var_C], eax
		call	_IopUpdateSecureDeviceClassState@8 ; IopUpdateSecureDeviceClassState(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8FF60A

loc_850CE6:				; CODE XREF: IoCreateDeviceSecure+68j
					; IoCreateDeviceSecure+C3j
		mov	al, [ebp+arg_14]
		mov	ecx, [ebp+arg_C]
		mov	byte ptr [esp+50h+var_38], al
		test	bl, 1
		jnz	loc_8FF61C

loc_850CF9:				; CODE XREF: IoCreateDeviceSecure+AEA2Aj
		mov	edx, [esp+50h+var_1C]
		test	bl, 4
		jnz	short loc_850D05
		mov	edx, [ebp+arg_10]

loc_850D05:				; CODE XREF: IoCreateDeviceSecure+10Aj
		test	bl, 8
		jnz	loc_8FF625

loc_850D0E:				; CODE XREF: IoCreateDeviceSecure+AEA37j
		lea	eax, [esp+50h+var_34]
		push	eax
		push	[esp+54h+var_38]
		push	edx
		push	ecx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	IoCreateDevice
		mov	edi, [esp+50h+var_34]
		mov	esi, eax
		test	esi, esi
		js	loc_8FF60E
		test	bl, 2
		jz	short loc_850D6E
		mov	ecx, [esp+50h+var_20]
		lea	eax, [esp+50h+var_2C]
		push	eax
		lea	edx, [esp+17h]
		call	IopGetSecurityDescriptorInformation
		mov	esi, eax
		test	esi, esi
		js	loc_8FF60E
		push	[esp+50h+var_20]
		push	[esp+54h+var_2C]
		push	edi
		call	_ObSetSecurityObjectByPointer@12 ; ObSetSecurityObjectByPointer(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8FF60E

loc_850D6E:				; CODE XREF: IoCreateDeviceSecure+142j
		mov	eax, [ebp+arg_20]
		xor	edx, edx
		mov	[eax], edi
		mov	edi, edx

loc_850D77:				; CODE XREF: IoCreateDeviceSecure+AEA0Bj
					; IoCreateDeviceSecure+AEA1Aj
		test	bl, 2
		jz	short loc_850D86
		push	edx
		push	[esp+54h+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_850D86:				; CODE XREF: IoCreateDeviceSecure+184j
		test	edi, edi
		jnz	loc_8FF632

loc_850D8E:				; CODE XREF: IoCreateDeviceSecure+AEA42j
		mov	eax, [esp+50h+var_30]
		test	eax, eax
		jnz	short loc_850DFA

loc_850D96:				; CODE XREF: IoCreateDeviceSecure+20Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_850DA1:				; CODE XREF: IoCreateDeviceSecure+3Bj
		test	byte ptr [ebp+arg_10], 80h
		jnz	loc_850C37
		jmp	loc_8FF5F4
; 

loc_850DB0:				; CODE XREF: IoCreateDeviceSecure+7Dj
					; IoCreateDeviceSecure+91j
		push	63466F49h
		push	edx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+50h+var_30], ecx
		test	ecx, ecx
		jz	loc_8FF615
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		push	ecx		; void *
		call	_memcpy
		movzx	eax, word ptr [esi]
		add	esp, 0Ch
		mov	ecx, [esp+50h+var_30]
		xor	edx, edx
		shr	eax, 1
		mov	[ecx+eax*2], dx
		xor	eax, eax
		push	eax
		lea	eax, [esp+54h+var_38]
		push	eax
		push	1
		push	ecx
		jmp	loc_850C98
; 

loc_850DFA:				; CODE XREF: IoCreateDeviceSecure+19Ej
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_850D96
IoCreateDeviceSecure endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetSecurityDescriptorInformation proc near ;	CODE XREF: IoCreateDeviceSecure+151p
					; IopQuerySecureDeviceClassState+8Ep

var_8		= dword	ptr -8
var_2		= dword	ptr -2
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008FF63D SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		mov	[eax], ebx
		mov	edi, edx
		lea	eax, [ebp-1]
		mov	byte ptr [ebp+var_2], bl
		push	eax
		lea	eax, [ebp+var_8]
		mov	byte ptr [ebp+var_2+1],	bl
		push	eax
		push	esi
		mov	[ebp+var_8], ebx
		mov	[edi], bl
		call	_RtlGetOwnerSecurityDescriptor@12 ; RtlGetOwnerSecurityDescriptor(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_850EA6
		cmp	[ebp+var_8], ebx
		jnz	loc_8FF63D

loc_850E43:				; CODE XREF: IopGetSecurityDescriptorInformation+AE83Aj
		lea	eax, [ebp+var_2+1]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_RtlGetGroupSecurityDescriptor@12 ; RtlGetGroupSecurityDescriptor(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_850EA6
		cmp	[ebp+var_8], 0
		jnz	short loc_850EAF

loc_850E5D:				; CODE XREF: IopGetSecurityDescriptorInformation+ACj
		lea	eax, [ebp+var_2+1]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_2]
		push	eax
		push	esi
		call	_RtlGetSaclSecurityDescriptor@16 ; RtlGetSaclSecurityDescriptor(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_850EA6
		cmp	byte ptr [ebp+var_2], 0
		jnz	short loc_850EB4

loc_850E7B:				; CODE XREF: IopGetSecurityDescriptorInformation+B1j
		lea	eax, [ebp+var_2+1]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_2]
		push	eax
		push	esi
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_850EA6
		cmp	byte ptr [ebp+var_2], 0
		jz	short loc_850E9C
		or	ebx, 4

loc_850E9C:				; CODE XREF: IopGetSecurityDescriptorInformation+91j
		mov	al, byte ptr [ebp+var_2+1]
		mov	[edi], al
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx

loc_850EA6:				; CODE XREF: IopGetSecurityDescriptorInformation+32j
					; IopGetSecurityDescriptorInformation+4Fj ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	4
; 

loc_850EAF:				; CODE XREF: IopGetSecurityDescriptorInformation+55j
		or	ebx, 2
		jmp	short loc_850E5D
; 

loc_850EB4:				; CODE XREF: IopGetSecurityDescriptorInformation+73j
		or	ebx, 8
		jmp	short loc_850E7B
IopGetSecurityDescriptorInformation endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2125. RtlGetGroupSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetGroupSecurityDescriptor(x, x,	x)
		public _RtlGetGroupSecurityDescriptor@12
_RtlGetGroupSecurityDescriptor@12 proc near
					; CODE XREF: IopGetSecurityDescriptorInformation+46p
					; PipChangeDeviceObjectFromRegistryProperties+13Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		cmp	byte ptr [ecx],	1
		jnz	short loc_850EF6
		cmp	word ptr [ecx+2], 0
		mov	edx, [ecx+8]
		jge	short loc_850EDE
		lea	eax, [edx+ecx]
		neg	edx
		sbb	edx, edx
		and	edx, eax

loc_850EDE:				; CODE XREF: RtlGetGroupSecurityDescriptor(x,x,x)+15j
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		mov	cl, [ecx+2]
		mov	eax, [ebp+arg_8]
		shr	cl, 1
		and	cl, 1
		mov	[eax], cl
		xor	eax, eax

loc_850EF2:				; CODE XREF: RtlGetGroupSecurityDescriptor(x,x,x)+3Dj
		pop	ebp
		retn	0Ch
; 

loc_850EF6:				; CODE XREF: RtlGetGroupSecurityDescriptor(x,x,x)+Bj
		mov	eax, 0C0000058h
		jmp	short loc_850EF2
_RtlGetGroupSecurityDescriptor@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LocalConvertStringSDToSD_Rev1 proc near	; CODE XREF: SeConvertStringSecurityDescriptorToSecurityDescriptor+25p

var_3E		= dword	ptr -3Eh
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008FF645 SIZE 0000018A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		xor	eax, eax
		xor	ecx, ecx
		push	esi
		push	edi
		lea	edi, [esp+50h+var_14]
		mov	[esp+50h+var_34], ecx
		stosd
		mov	edx, ecx
		mov	ebx, ecx
		mov	[esp+50h+var_3E+2], edx
		mov	esi, ecx
		mov	[esp+50h+var_28], ebx
		mov	[esp+50h+var_30], ecx
		stosd
		mov	[esp+50h+var_38], ecx
		mov	byte ptr [esp+50h+var_3E], cl
		mov	byte ptr [esp+50h+var_3E+1], cl
		stosd
		mov	[esp+50h+var_2C], ecx
		mov	byte ptr [esp+50h+var_24], cl
		mov	byte ptr [esp+50h+var_20], cl
		stosd
		mov	[esp+50h+var_18], ecx
		mov	[esp+50h+var_1C], ecx
		stosd
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_8FF7C7
		cmp	[ebp+arg_8], ecx
		jz	loc_8FF7C7
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jnz	loc_8FF645

loc_850F6E:				; CODE XREF: LocalConvertStringSDToSD_Rev1+106j
					; LocalConvertStringSDToSD_Rev1+10Dj ...
		test	eax, eax
		jz	loc_851010
		movzx	edi, word ptr [eax]
		mov	ecx, edi
		test	cx, cx
		jz	loc_851009
		cmp	ecx, 44h
		jnz	loc_851115
		push	3Ah
		pop	ecx
		cmp	[eax+2], cx
		jnz	loc_8FF6CA
		add	eax, 4
		cmp	[esp+50h+var_34], 0
		jnz	loc_8FF6CA
		push	28h
		pop	ecx
		cmp	[eax], cx
		jz	short loc_850FD2
		lea	ecx, [esp+50h+var_38]
		xor	edx, edx
		push	ecx		; int
		lea	ecx, [esp+54h+var_18]
		inc	edx		; int
		push	ecx		; int
		mov	ecx, eax	; wchar_t *
		call	LocalGetSDControlForString
		mov	esi, eax
		test	esi, esi
		jnz	loc_851151
		mov	eax, [esp+50h+var_38]

loc_850FD2:				; CODE XREF: LocalConvertStringSDToSD_Rev1+B0j
		push	0		; int
		push	0		; int
		push	0		; int
		push	0		; int
		lea	ecx, [esp+60h+var_38]
		mov	dl, 1		; int
		push	ecx		; int
		lea	ecx, [esp+64h+var_34]
		push	ecx		; int
		mov	ecx, eax	; wchar_t *
		call	LocalGetAclForString
		mov	esi, eax
		test	esi, esi
		jnz	loc_851151
		mov	byte ptr [esp+50h+var_24], 1

loc_850FFC:				; CODE XREF: LocalConvertStringSDToSD_Rev1+24Dj
					; LocalConvertStringSDToSD_Rev1+AE7BFj
		mov	eax, [esp+50h+var_38]
		mov	edx, [esp+50h+var_3E+2]
		jmp	loc_850F6E
; 

loc_851009:				; CODE XREF: LocalConvertStringSDToSD_Rev1+80j
		xor	eax, eax
		jmp	loc_850F6E
; 

loc_851010:				; CODE XREF: LocalConvertStringSDToSD_Rev1+72j
		push	1
		lea	eax, [esp+54h+var_14]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		js	loc_8FF6D2

loc_851024:				; CODE XREF: LocalConvertStringSDToSD_Rev1+AE7DCj
		mov	eax, [esp+50h+var_1C]
		or	eax, [esp+50h+var_18]
		or	word ptr [esp+50h+var_14+2], ax
		test	esi, esi
		jnz	loc_851151
		mov	eax, [esp+50h+var_3E+2]
		test	eax, eax
		jnz	loc_851193

loc_851045:				; CODE XREF: LocalConvertStringSDToSD_Rev1+2A4j
					; LocalConvertStringSDToSD_Rev1+AE7F1j
		test	ebx, ebx
		jnz	loc_8511AD

loc_85104D:				; CODE XREF: LocalConvertStringSDToSD_Rev1+2BEj
					; LocalConvertStringSDToSD_Rev1+AE806j
		cmp	byte ptr [esp+50h+var_24], 0
		jz	short loc_851070
		push	0
		push	[esp+54h+var_34]
		lea	eax, [esp+58h+var_14]
		push	[esp+58h+var_24]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		test	eax, eax
		js	loc_8FF709

loc_851070:				; CODE XREF: LocalConvertStringSDToSD_Rev1+154j
					; LocalConvertStringSDToSD_Rev1+AE81Bj
		cmp	byte ptr [esp+50h+var_20], 0
		jnz	loc_8FF71E

loc_85107B:				; CODE XREF: LocalConvertStringSDToSD_Rev1+AE836j
					; LocalConvertStringSDToSD_Rev1+AE84Cj
		mov	edi, [ebp+arg_8]
		lea	eax, [esp+50h+var_2C]
		push	eax
		lea	eax, [esp+54h+var_14]
		push	dword ptr [edi]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		cmp	eax, 0C0000023h
		jnz	loc_8FF772
		push	ecx
		mov	ecx, [esp+54h+var_2C]
		xor	esi, esi
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jz	loc_8FF74F
		lea	ecx, [esp+50h+var_2C]
		push	ecx
		push	eax
		lea	eax, [esp+58h+var_14]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		test	eax, eax
		js	loc_8FF757

loc_8510C8:				; CODE XREF: LocalConvertStringSDToSD_Rev1+AE87Fj
		mov	ecx, [ebp+arg_C]
		mov	edx, [esp+50h+var_3E+2]
		test	ecx, ecx
		jnz	loc_8FF782

loc_8510D7:				; CODE XREF: LocalConvertStringSDToSD_Rev1+226j
					; LocalConvertStringSDToSD_Rev1+22Aj ...
		cmp	byte ptr [esp+50h+var_3E], 1
		jz	loc_8FF78D

loc_8510E2:				; CODE XREF: LocalConvertStringSDToSD_Rev1+AE891j
					; LocalConvertStringSDToSD_Rev1+AE89Fj
		cmp	byte ptr [esp+50h+var_3E+1], 1
		jz	loc_8FF7A2

loc_8510ED:				; CODE XREF: LocalConvertStringSDToSD_Rev1+AE8A6j
					; LocalConvertStringSDToSD_Rev1+AE8B4j
		cmp	[esp+50h+var_34], 0
		jz	short loc_8510FF
		push	0
		push	[esp+54h+var_34]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8510FF:				; CODE XREF: LocalConvertStringSDToSD_Rev1+1F4j
		cmp	[esp+50h+var_30], 0
		jnz	loc_8FF7B7

loc_85110A:				; CODE XREF: LocalConvertStringSDToSD_Rev1+AE8C4j
		mov	eax, esi

loc_85110C:				; CODE XREF: LocalConvertStringSDToSD_Rev1+AE8CCj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_851115:				; CODE XREF: LocalConvertStringSDToSD_Rev1+89j
		cmp	ecx, 47h
		jnz	short loc_851157
		push	57h
		pop	esi
		push	3Ah
		pop	ecx
		cmp	[eax+2], cx
		jnz	short loc_8510D7
		test	ebx, ebx
		jnz	short loc_8510D7
		sub	esp, 10h
		lea	ecx, [esp+60h+var_3E+1]
		lea	edx, [esp+60h+var_28]
		push	ecx
		lea	ecx, [esp+64h+var_38]
		push	ecx
		lea	ecx, [eax+4]
		call	LocalGetSidForString
		mov	ebx, [esp+50h+var_28]

loc_851147:				; CODE XREF: LocalConvertStringSDToSD_Rev1+293j
		mov	esi, eax
		test	esi, esi
		jz	loc_850FFC

loc_851151:				; CODE XREF: LocalConvertStringSDToSD_Rev1+CAj
					; LocalConvertStringSDToSD_Rev1+F3j ...
		mov	edx, [esp+50h+var_3E+2]
		jmp	short loc_8510D7
; 

loc_851157:				; CODE XREF: LocalConvertStringSDToSD_Rev1+21Aj
		cmp	ecx, 4Fh
		jnz	loc_8FF64C
		push	57h
		pop	esi
		push	3Ah
		pop	ecx
		cmp	[eax+2], cx
		jnz	loc_8510D7
		test	edx, edx
		jnz	loc_8510D7
		sub	esp, 10h
		lea	ecx, [esp+60h+var_3E]
		lea	edx, [esp+60h+var_3E+2]
		push	ecx
		lea	ecx, [esp+64h+var_38]
		push	ecx
		lea	ecx, [eax+4]
		call	LocalGetSidForString
		jmp	short loc_851147
; 

loc_851193:				; CODE XREF: LocalConvertStringSDToSD_Rev1+141j
		push	0
		push	eax
		lea	eax, [esp+58h+var_14]
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		test	eax, eax
		jns	loc_851045
		jmp	loc_8FF6DF
; 

loc_8511AD:				; CODE XREF: LocalConvertStringSDToSD_Rev1+149j
		push	0
		push	ebx
		lea	eax, [esp+58h+var_14]
		push	eax
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		test	eax, eax
		jns	loc_85104D
		jmp	loc_8FF6F4
LocalConvertStringSDToSD_Rev1 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall LocalGetAclForString(wchar_t *,int,int,int,int,int,int,int)
LocalGetAclForString proc near		; CODE XREF: LocalConvertStringSDToSD_Rev1+EAp
					; LocalConvertStringSDToSD_Rev1+AE7ABp

var_E8		= dword	ptr -0E8h
var_E4		= byte ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8A		= byte ptr -8Ah
var_89		= byte ptr -89h
var_88		= dword	ptr -88h
var_81		= byte ptr -81h
var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_60		= dword	ptr -60h
var_5C		= word ptr -5Ch
var_58		= dword	ptr -58h
var_10		= word ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008FF7CF SIZE 00000949 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ECh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_89], dl
		mov	ebx, ecx
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		mov	[ebp+var_CC], ecx
		mov	[ebp+var_98], eax
		mov	[ebp+var_C8], edx
		mov	[ebp+var_E0], edx
		mov	[ebp+var_C0], edx
		mov	[ebp+var_D4], edx
		mov	[ebp+var_8A], dl
		mov	[ebp+var_A0], edx
		mov	[ebp+var_A4], edx
		mov	[ebp+var_AC], edx
		mov	[ebp+var_B8], edx
		mov	[ebp+var_D8], edx
		mov	[ebp+var_A8], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], 100h
		push	esi
		mov	esi, edx
		mov	[ebp+var_88], esi
		mov	[ebp+var_9C], esi
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jz	loc_900110
		test	eax, eax
		jz	loc_900110
		test	ecx, ecx
		jz	loc_900110
		push	11h		; size_t
		push	offset ??_C@_1CE@KMLBPDC@?$AAN?$AAO?$AA_?$AAA?$AAC?$AAC?$AAE?$AAS?$AAS?$AA_?$AAC?$AAO?$AAN?$AAT?$AAR@NNGAKEGL@ ; wchar_t *
		push	ebx		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8FF7CF
		mov	edi, [ebp+var_CC]
		xor	eax, eax
		cmp	[ebp+var_89], al
		mov	edx, edi
		mov	ecx, ebx	; wchar_t *
		setz	al
		inc	eax
		mov	[ebp+var_D0], eax
		call	LocalGetSDDLDeliminator
		test	eax, eax
		jnz	loc_851745
		mov	eax, [edi]
		cmp	eax, ebx
		jz	loc_900110
		test	eax, eax
		jnz	loc_8FF7E9
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_8512C7:				; CODE XREF: LocalGetAclForString+10Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_C8]
		jnz	short loc_8512C7
		sub	ecx, edx
		sar	ecx, 1
		lea	edx, [ebx+ecx*2]

loc_8512DD:				; CODE XREF: LocalGetAclForString+AE624j
		lea	eax, [ebp+var_C0]
		mov	[edi], edx
		push	eax
		mov	ecx, ebx
		call	LocalGetAceCount
		mov	edi, eax
		test	edi, edi
		jnz	loc_9000EF
		mov	eax, [ebp+var_C0]
		test	eax, eax
		jz	loc_8517AC
		imul	eax, 54h
		mov	ecx, 0FFFFh
		add	eax, 8
		mov	[ebp+var_BC], eax
		cmp	eax, ecx
		ja	loc_8FF7F1

loc_85131E:				; CODE XREF: LocalGetAclForString+AE631j
		push	ecx
		mov	ecx, eax
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, [ebp+var_98]
		xor	edx, edx
		mov	[ecx], eax
		test	eax, eax
		jz	loc_8FF7FE
		mov	byte ptr [eax],	2
		mov	eax, [ecx]
		mov	[ebp+var_C4], 8
		mov	[eax+1], dl
		mov	eax, [ecx]
		mov	edx, [ebp+var_BC]
		mov	[eax+2], dx
		xor	edx, edx
		mov	eax, [ecx]
		mov	[eax+4], dx
		mov	eax, [ecx]
		xor	ecx, ecx
		mov	[ebp+var_DC], ecx
		mov	[eax+6], cx
		cmp	[ebp+var_C0], ecx
		jbe	loc_8516FE

loc_851378:				; CODE XREF: LocalGetAclForString+530j
		xor	eax, eax
		mov	[ebp+var_81], cl
		lea	edi, [ebp+var_70]
		mov	[ebp+var_90], ecx
		stosd
		push	20h
		pop	edx
		mov	[ebp+var_B4], ecx
		stosd
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_94], ecx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_80]
		stosd
		stosd
		stosd
		stosd
		movzx	eax, word ptr [ebx]
		mov	ecx, eax
		cmp	ax, dx
		jz	loc_8FF806

loc_8513B9:				; CODE XREF: LocalGetAclForString+AE64Bj
		push	28h
		pop	edi
		movzx	eax, cx
		cmp	cx, di
		jnz	short loc_8513CA
		add	ebx, 2
		movzx	eax, word ptr [ebx]

loc_8513CA:				; CODE XREF: LocalGetAclForString+1FAj
		cmp	ax, dx
		jz	loc_8FF818

loc_8513D3:				; CODE XREF: LocalGetAclForString+AE658j
		push	[ebp+var_D0]
		xor	edx, edx
		mov	ecx, ebx
		call	_LookupAceTypeInTable@12 ; LookupAceTypeInTable(x,x,x)
		test	eax, eax
		jz	loc_9000C2
		mov	cl, [eax+8]
		mov	eax, [eax+4]
		push	20h
		pop	edx
		push	3Bh
		lea	esi, [ebx+eax*2]
		mov	[ebp+var_89], cl
		movzx	eax, word ptr [esi]
		mov	[ebp+var_E4], cl
		pop	ecx
		cmp	ax, cx
		jnz	loc_8FF825

loc_851411:				; CODE XREF: LocalGetAclForString+AE660j
		mov	bl, [ebp+var_89]
		add	esi, 2
		cmp	bl, 5
		jnb	loc_8FF838

loc_851423:				; CODE XREF: LocalGetAclForString+AE673j
		cmp	bl, 0Bh
		jz	loc_8FF841

loc_85142C:				; CODE XREF: LocalGetAclForString+AE684j
					; LocalGetAclForString+AE68Cj
		cmp	[esi], dx
		jz	loc_8FF851
		mov	edi, [ebp+var_CC]
		cmp	esi, [edi]
		jz	short loc_85144E

loc_85143F:				; CODE XREF: LocalGetAclForString+5D1j
		movzx	eax, word ptr [esi]
		cmp	ax, cx
		jnz	loc_851756
		add	esi, 2

loc_85144E:				; CODE XREF: LocalGetAclForString+275j
					; LocalGetAclForString+AE6A1j
		movzx	eax, word ptr [esi]
		mov	ecx, eax
		cmp	ax, dx
		jz	loc_8FF86E

loc_85145C:				; CODE XREF: LocalGetAclForString+AE6B3j
		push	3Bh
		pop	edi
		cmp	cx, di
		jz	short loc_8514B3
		movzx	ecx, cx

loc_851467:				; CODE XREF: LocalGetAclForString+2E9j
		cmp	cx, dx
		jz	loc_8FF880

loc_851470:				; CODE XREF: LocalGetAclForString+AE6C0j
		cmp	bl, 11h
		jz	loc_8FF88D
		mov	eax, [ebp+var_D0]

loc_85147F:				; CODE XREF: LocalGetAclForString+AE6C8j
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	_LookupAccessMaskInTable@12 ; LookupAccessMaskInTable(x,x,x)
		test	eax, eax
		jz	loc_851801
		mov	edx, [ebp+var_90]
		or	edx, [eax+8]
		mov	eax, [eax+4]
		mov	[ebp+var_90], edx
		lea	esi, [esi+eax*2]

loc_8514A6:				; CODE XREF: LocalGetAclForString+664j
		movzx	eax, word ptr [esi]
		mov	ecx, eax
		push	20h
		pop	edx
		cmp	ax, di
		jnz	short loc_851467

loc_8514B3:				; CODE XREF: LocalGetAclForString+29Aj
		add	esi, 2
		xor	eax, eax
		mov	edi, eax

loc_8514BA:				; CODE XREF: LocalGetAclForString+313j
		movzx	eax, word ptr [esi]
		mov	ecx, eax
		cmp	ax, dx
		jz	loc_8FF895

loc_8514C8:				; CODE XREF: LocalGetAclForString+AE6DAj
		push	3Bh
		pop	eax
		cmp	cx, ax
		jnz	loc_8FF8A7

loc_8514D4:				; CODE XREF: LocalGetAclForString+AE74Bj
					; LocalGetAclForString+AE754j
		add	esi, 2
		inc	edi
		cmp	edi, 2
		jb	short loc_8514BA

loc_8514DD:				; CODE XREF: LocalGetAclForString+AE767j
		cmp	[esi], dx
		jz	loc_8FF92C
		sub	esp, 10h
		lea	eax, [ebp+var_8A]
		lea	edx, [ebp+var_9C]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_A8]
		push	eax
		call	LocalGetSidForString
		mov	esi, [ebp+var_9C]
		mov	edi, eax
		test	edi, edi
		jnz	loc_9000C7
		mov	eax, [ebp+var_A8]
		test	eax, eax
		jz	loc_9000BB
		mov	[ebp+var_88], esi
		test	esi, esi
		jz	loc_9000BB
		push	20h
		pop	edx
		mov	esi, eax
		cmp	[eax], dx
		jz	loc_8FF934

loc_85153E:				; CODE XREF: LocalGetAclForString+AE774j
		cmp	bl, 9
		jz	loc_8FF941
		cmp	bl, 0Ah
		jz	loc_8FF941
		cmp	bl, 12h
		jz	loc_8FF941
		cmp	bl, 0Dh
		jz	loc_8FF941
		cmp	bl, 0Bh
		jz	loc_8FF941
		cmp	bl, 15h
		jz	loc_8FF941
		mov	ecx, [ebp+var_B8]
		mov	ebx, [ebp+var_A4]

loc_851580:				; CODE XREF: LocalGetAclForString+AE86Aj
					; LocalGetAclForString+AE878j
		cmp	[eax], dx
		jz	loc_8FFA37
		cmp	word ptr [eax],	29h
		jnz	loc_8FF82E
		movzx	esi, [ebp+var_89]
		add	eax, 2
		mov	[ebp+var_E8], eax
		cmp	esi, 11h
		ja	loc_8FFB0D
		jz	short loc_8515C9
		cmp	esi, 0Ah
		ja	loc_8FFA81
		cmp	esi, 9
		jnb	loc_8FFA92
		cmp	esi, 3
		ja	loc_8FFA45

loc_8515C9:				; CODE XREF: LocalGetAclForString+3E4j
					; LocalGetAclForString+AE94Fj ...
		mov	[ebp+var_94], 0Ch

loc_8515D3:				; CODE XREF: LocalGetAclForString+AE8A8j
					; LocalGetAclForString+AE8B4j ...
		lea	eax, [ebp+var_94]
		push	eax
		push	[ebp+var_88]
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	ecx, [ebp+var_94]
		lea	edx, [eax-4]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_8FFAB8
		mov	ebx, [ebp+var_94]
		lea	eax, [ebp+var_E0]
		mov	edx, [ebp+var_C4]
		mov	ecx, ebx
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_8FFAB8
		mov	eax, [ebp+var_BC]
		cmp	[ebp+var_E0], eax
		ja	loc_8FFB2B
		mov	ecx, [ebp+var_98]

loc_851635:				; CODE XREF: LocalGetAclForString+AEA1Cj
		add	[ebp+var_C4], ebx
		cmp	esi, 0Bh
		ja	loc_8FFDDB
		jz	loc_8FFCFD
		cmp	esi, 5
		ja	loc_8FFC69
		jz	loc_8FFC39
		xor	eax, eax
		sub	esi, eax
		jnz	loc_8FFBE9
		push	eax

loc_851664:				; CODE XREF: LocalGetAclForString+AEA6Cj
		mov	esi, [ebp+var_88]
		mov	eax, [ebp+var_90]
		mov	ecx, [ecx]
		push	esi
		push	eax
		movzx	eax, [ebp+var_81]
		push	eax
		push	2
		pop	edx
		call	RtlpAddKnownAce

loc_851684:				; CODE XREF: LocalGetAclForString+AEA65j
					; LocalGetAclForString+AEA9Cj ...
		mov	ebx, eax

loc_851686:				; CODE XREF: LocalGetAclForString+AEE4Bj
		test	ebx, ebx
		js	loc_9000AB
		cmp	[ebp+var_8A], 1
		jz	loc_8517E6

loc_85169B:				; CODE XREF: LocalGetAclForString+627j
		mov	eax, [ebp+var_A0]
		xor	ecx, ecx
		mov	esi, ecx
		mov	[ebp+var_88], esi
		mov	[ebp+var_9C], esi
		test	eax, eax
		jnz	loc_900018

loc_8516B9:				; CODE XREF: LocalGetAclForString+AEE5Fj
		mov	eax, [ebp+var_AC]
		mov	[ebp+var_A4], ecx
		test	eax, eax
		jnz	loc_90002C

loc_8516CD:				; CODE XREF: LocalGetAclForString+AEE73j
		mov	ebx, [ebp+var_E8]
		push	28h
		pop	eax
		mov	[ebp+var_B8], ecx
		cmp	[ebx], ax
		jz	loc_8517A4

loc_8516E5:				; CODE XREF: LocalGetAclForString+5DFj
		mov	edx, [ebp+var_DC]
		inc	edx
		mov	[ebp+var_DC], edx
		cmp	edx, [ebp+var_C0]
		jb	loc_851378

loc_8516FE:				; CODE XREF: LocalGetAclForString+1AAj
					; LocalGetAclForString+AEED2j ...
		mov	eax, [ebp+var_98]
		mov	eax, [eax]
		test	edi, edi
		jnz	loc_9000CE
		mov	ecx, [ebp+var_C4]
		xor	edx, edx
		mov	[eax+2], cx

loc_85171A:				; CODE XREF: LocalGetAclForString+AEF1Bj
		cmp	[ebp+var_8A], 0
		jnz	loc_8517F4

loc_851727:				; CODE XREF: LocalGetAclForString+62Ej
					; LocalGetAclForString+AE61Cj ...
		mov	eax, [ebp+var_A0]
		test	eax, eax
		jnz	loc_9000F6

loc_851735:				; CODE XREF: LocalGetAclForString+AEF35j
		mov	eax, [ebp+var_AC]
		test	eax, eax
		jnz	loc_900102

loc_851743:				; CODE XREF: LocalGetAclForString+619j
					; LocalGetAclForString+66Bj ...
		mov	eax, edi

loc_851745:				; CODE XREF: LocalGetAclForString+E2j
					; LocalGetAclForString+AEF4Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_851756:				; CODE XREF: LocalGetAclForString+27Dj
		cmp	ax, dx
		jz	loc_8FF859

loc_85175F:				; CODE XREF: LocalGetAclForString+AE699j
		push	dword ptr [ebp+var_E4] ; char
		xor	edx, edx	; int
		mov	ecx, esi	; wchar_t *
		push	[ebp+var_D0]	; int
		call	LookupAceFlagsInTable
		test	eax, eax
		jz	loc_900040
		mov	cl, [ebp+var_81]
		or	cl, [eax+8]
		mov	eax, [eax+4]
		push	20h
		pop	edx
		push	3Bh
		lea	esi, [esi+eax*2]
		mov	[ebp+var_81], cl
		pop	ecx
		cmp	esi, [edi]
		jnz	loc_85143F
		jmp	loc_8FF866
; 

loc_8517A4:				; CODE XREF: LocalGetAclForString+517j
		add	ebx, 2
		jmp	loc_8516E5
; 

loc_8517AC:				; CODE XREF: LocalGetAclForString+137j
		push	ecx
		push	8
		pop	ebx
		mov	ecx, ebx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, [ebp+var_98]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_851831
		mov	byte ptr [eax],	2
		xor	edx, edx
		mov	eax, [ecx]
		mov	[eax+1], dl
		mov	eax, [ecx]
		mov	[eax+2], bx
		mov	eax, [ecx]
		mov	[eax+4], dx
		mov	eax, [ecx]
		xor	ecx, ecx
		mov	[eax+6], cx
		jmp	loc_851743
; 

loc_8517E6:				; CODE XREF: LocalGetAclForString+4CDj
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_85169B
; 

loc_8517F4:				; CODE XREF: LocalGetAclForString+559j
		test	esi, esi
		jz	loc_851727
		jmp	loc_9000E8
; 

loc_851801:				; CODE XREF: LocalGetAclForString+2C3j
		xor	eax, eax
		push	eax		; int
		lea	eax, [ebp+var_D4]
		push	eax		; wchar_t **
		push	esi		; wchar_t *
		call	_wcstoul
		or	[ebp+var_90], eax
		add	esp, 0Ch
		cmp	[ebp+var_D4], esi
		jz	loc_8FF82E
		mov	esi, [ebp+var_D4]
		jmp	loc_8514A6
; 

loc_851831:				; CODE XREF: LocalGetAclForString+5F9j
		mov	edi, ebx
		jmp	loc_851743
LocalGetAclForString endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall LocalGetSDDLDeliminator(wchar_t *)
LocalGetSDDLDeliminator	proc near	; CODE XREF: LocalGetAclForString+DBp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00900118 SIZE 0000007F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], eax
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		mov	esi, ecx
		mov	ebx, ecx
		mov	[eax], ecx
		mov	ecx, edi	; wchar_t *
		call	FContainCallBackAce
		test	eax, eax
		jnz	loc_900118
		push	3Ah		; wchar_t
		push	edi		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_8]
		mov	[ecx], eax

loc_851872:				; CODE XREF: LocalGetSDDLDeliminator+AE8E5j
					; LocalGetSDDLDeliminator+AE94Fj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
LocalGetSDDLDeliminator	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LocalGetAceCount proc near		; CODE XREF: LocalGetAclForString+120p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00900197 SIZE 000000BF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, edx
		push	edi
		mov	[ebp+var_10], ebx
		mov	edi, ecx
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], esi
		mov	[eax], esi
		call	FContainCallBackAce
		test	eax, eax
		jnz	loc_900197
		mov	eax, [ebp+var_10]
		mov	ebx, esi
		sub	eax, edi
		mov	edx, esi
		inc	eax
		shr	eax, 1
		cmp	[ebp+var_10], edi
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax
		jbe	short loc_8518ED
		mov	[ebp+var_10], 3Bh
		mov	[ebp+var_C], 28h

loc_8518CE:				; CODE XREF: LocalGetAceCount+6Cj
		movzx	eax, word ptr [edi]
		cmp	ax, word ptr [ebp+var_10]
		jz	short loc_85190F
		cmp	ax, word ptr [ebp+var_C]
		jz	short loc_8518E0
		xor	ebx, ebx
		inc	ebx

loc_8518E0:				; CODE XREF: LocalGetAceCount+61j
					; LocalGetAceCount+96j
		add	edi, 2
		inc	edx
		cmp	edx, ecx
		jb	short loc_8518CE
		mov	[ebp+var_8], esi
		xor	esi, esi

loc_8518ED:				; CODE XREF: LocalGetAceCount+44j
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		push	5
		mov	eax, ecx
		pop	edi
		div	edi
		test	edx, edx
		jnz	short loc_851916
		test	ecx, ecx
		jz	short loc_851912

loc_851901:				; CODE XREF: LocalGetAceCount+9Aj
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax

loc_851906:				; CODE XREF: LocalGetAceCount+9Fj
					; LocalGetAceCount+AE949j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_85190F:				; CODE XREF: LocalGetAceCount+5Bj
		inc	esi
		jmp	short loc_8518E0
; 

loc_851912:				; CODE XREF: LocalGetAceCount+85j
		test	ebx, ebx
		jz	short loc_851901

loc_851916:				; CODE XREF: LocalGetAceCount+81j
					; LocalGetAceCount+AE95Ej
		push	57h
		pop	esi
		jmp	short loc_851906
LocalGetAceCount endp

; 
		align 4

;  S U B	R O U T	I N E 


; int __fastcall FContainCallBackAce(wchar_t *)
FContainCallBackAce proc near		; CODE XREF: LocalGetSDDLDeliminator+1Ep
					; LocalGetAceCount+22p

; FUNCTION CHUNK AT 00900256 SIZE 0000004A BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		mov	esi, ebx
		cmp	[ebx], di
		jz	loc_8519D6

loc_851930:				; CODE XREF: FContainCallBackAce+B4j
		cmp	[esi+2], di
		jz	loc_8519D6
		push	2		; size_t
		push	offset ??_C@_15INEIOLJO@?$AAX?$AAA@NNGAKEGL@ ; "XA"
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8519DC
		push	2		; size_t
		push	offset ??_C@_15LKJGBLKM@?$AAX?$AAD@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8519DC
		push	2		; size_t
		push	offset ??_C@_15CMNDMIPI@?$AAR?$AAA@NNGAKEGL@ ; "RA"
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8519DC
		push	2		; size_t
		push	offset ??_C@_15PCKCLKH@?$AAS?$AAP@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8519DC
		push	2		; size_t
		push	offset ??_C@_15FCDDCLFG@?$AAX?$AAU@NNGAKEGL@ ; "XU"
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8519DC
		push	2		; size_t
		push	offset ??_C@_15MAIAEKJF@?$AAZ?$AAA@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8519DC
		push	2		; size_t
		push	offset ??_C@_15EGPOFAKI@?$AAF?$AAL@NNGAKEGL@ ; "F"
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8519DC

loc_8519CA:				; CODE XREF: FContainCallBackAce+AE958j
					; FContainCallBackAce+AE976j
		add	esi, 2
		cmp	[esi], di
		jnz	loc_851930

loc_8519D6:				; CODE XREF: FContainCallBackAce+Ej
					; FContainCallBackAce+18j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8519DC:				; CODE XREF: FContainCallBackAce+30j
					; FContainCallBackAce+48j ...
		xor	edx, edx
		lea	eax, [esi-2]
		inc	edx
		cmp	eax, ebx
		jb	loc_900269
		push	20h
		lea	ecx, [esi-2]
		pop	edi
		jmp	loc_900256
FContainCallBackAce endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall LocalGetSDControlForString(wchar_t *,int,int,int)
LocalGetSDControlForString proc	near	; CODE XREF: LocalConvertStringSDToSD_Rev1+C1p
					; LocalConvertStringSDToSD_Rev1+AE782p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009002A0 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		test	esi, esi
		jz	loc_851A9A
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	loc_851A9A
		cmp	[ebp+arg_4], 0
		jz	short loc_851A9A
		xor	eax, eax
		push	20h
		mov	[ecx], ax
		pop	eax

loc_851A23:				; CODE XREF: LocalGetSDControlForString+AE8AEj
		cmp	[esi], ax
		jz	loc_9002A0

loc_851A2C:				; CODE XREF: LocalGetSDControlForString+AE8B4j
		push	ebx
		push	edi

loc_851A2E:				; CODE XREF: LocalGetSDControlForString+8Fj
					; LocalGetSDControlForString+9Aj ...
		xor	edi, edi
		mov	ebx, offset dword_404264

loc_851A35:				; CODE XREF: LocalGetSDControlForString+64j
		mov	eax, [ebx+8]
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_851A53
		push	dword ptr [ebx]	; size_t
		push	dword ptr [ebx-4] ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		mov	edx, [ebp+var_4]
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_851A6A

loc_851A53:				; CODE XREF: LocalGetSDControlForString+46j
		inc	edi
		add	ebx, 10h
		cmp	edi, 6
		jb	short loc_851A35
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	ebx
		mov	[eax], esi
		xor	eax, eax

loc_851A65:				; CODE XREF: LocalGetSDControlForString+A7j
		pop	esi
		leave
		retn	8
; 

loc_851A6A:				; CODE XREF: LocalGetSDControlForString+5Bj
		mov	ecx, [ebp+arg_0]
		shl	edi, 4
		mov	ax, word ptr ds:dword_404268[edi]
		or	[ecx], ax
		mov	eax, ds:dword_404264[edi]
		lea	esi, [esi+eax*2]
		test	esi, esi
		jz	short loc_851A2E
		push	20h
		pop	eax

loc_851A8A:				; CODE XREF: LocalGetSDControlForString+A0j
		mov	edx, [ebp+var_4]
		cmp	[esi], ax
		jnz	short loc_851A2E
		inc	esi
		add	esi, 1
		jnz	short loc_851A8A
		jmp	short loc_851A2E
; 

loc_851A9A:				; CODE XREF: LocalGetSDControlForString+Ej
					; LocalGetSDControlForString+19j ...
		push	57h
		pop	eax
		jmp	short loc_851A65
LocalGetSDControlForString endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DrvDbDispatchDeviceId proc near		; DATA XREF: .text:00404C84o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 009002AF SIZE 00000112 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		mov	edx, [ebp+arg_8]
		push	esi
		push	eax
		call	__PnpCtxGetObjectContext@12 ; _PnpCtxGetObjectContext(x,x,x)
		test	eax, eax
		js	short loc_851B01
		mov	ecx, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+var_4]
		push	edi
		mov	edi, [ebp+arg_10]
		mov	eax, [ebx+8]
		test	eax, 10000000h
		jz	loc_9002AF

loc_851AD7:				; CODE XREF: DrvDbDispatchDeviceId+AE822j
					; DrvDbDispatchDeviceId+AE83Cj	...
		dec	ecx
		cmp	ecx, 8		; switch 9 cases
		ja	short loc_851B06 ; default
		jmp	ds:off_851B10[ecx*4] ; switch jump

loc_851AE4:				; DATA XREF: PAGE:off_851B10o
		push	dword ptr [edi+18h] ; case 0x7
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		push	dword ptr [edi+14h] ; int
		push	dword ptr [edi+10h] ; int
		push	dword ptr [edi+0Ch] ; int
		push	dword ptr [edi+8] ; void *
		push	dword ptr [edi]	; int
		call	DrvDbGetDeviceIdMappedProperty

loc_851AFF:				; CODE XREF: DrvDbDispatchDeviceId+6Bj
					; DrvDbDispatchDeviceId+AE818j	...
		pop	edi
		pop	ebx

loc_851B01:				; CODE XREF: DrvDbDispatchDeviceId+1Cj
		pop	esi
		leave
		retn	14h
; 

loc_851B06:				; CODE XREF: DrvDbDispatchDeviceId+3Bj
					; DrvDbDispatchDeviceId+3Dj
					; DATA XREF: ...
		mov	eax, 0C000000Dh	; default
		jmp	short loc_851AFF
DrvDbDispatchDeviceId endp

; 
		align 10h
off_851B10	dd offset loc_900303	; DATA XREF: DrvDbDispatchDeviceId+3Dr
		dd offset loc_900310	; jump table for switch	statement
		dd offset loc_900339
		dd offset loc_900352
		dd offset loc_900366
		dd offset loc_90038A
		dd offset loc_851B06
		dd offset loc_851AE4
		dd offset loc_9003A4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	DrvDbGetDeviceIdMappedProperty(int,void	*,int,int,int,int)
DrvDbGetDeviceIdMappedProperty proc near ; CODE	XREF: DrvDbDispatchDeviceId+5Ap

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 009003C1 SIZE 000001CF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, edx
		push	edi
		mov	edi, [ebp+arg_14]
		mov	[ebp+var_C], ecx
		xor	ecx, ecx
		mov	[eax], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_1], cl
		mov	[edi], ecx
		mov	ecx, [esi+10h]
		mov	[ebp+var_18], ebx
		mov	[ebp+arg_14], ecx
		cmp	ecx, 2
		jz	loc_9003C1
		cmp	ecx, 3
		jnz	loc_9004F6
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceId_DriverInfMatches ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9004F3
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceId_DriverInfMatches ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		mov	byte ptr [ebp+arg_14], 1
		test	eax, eax
		jnz	loc_900425

loc_851BAE:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE8F5j
		cmp	word ptr [ebx],	40h
		jz	loc_90042E

loc_851BB8:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE909j
					; DrvDbGetDeviceIdMappedProperty+AE919j
		mov	eax, ebx

loc_851BBA:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE913j
		cmp	eax, ebx
		mov	eax, [ebp+var_C]
		jnz	loc_90048A
		cmp	dword ptr [eax+18h], 0
		jnz	loc_90048A
		lea	edx, [eax+0Ch]
		mov	ecx, [edx]
		mov	[ebp+arg_4], edx
		mov	[ebp+arg_0], ecx
		cmp	ecx, edx
		jz	short loc_851C26

loc_851BDE:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+E2j
		push	0
		push	0
		lea	edx, [ebp+var_8]
		push	edx
		push	0
		push	1
		push	ebx
		mov	edx, ecx
		mov	ecx, eax
		push	5
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		jns	short loc_851C3E
		cmp	esi, 0C0000034h
		jnz	short loc_851C18

loc_851C04:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE924j
		xor	esi, esi

loc_851C06:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+165j
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx]
		mov	[ebp+arg_0], ecx
		cmp	ecx, [ebp+arg_4]
		jz	short loc_851C18
		mov	eax, [ebp+var_C]
		jmp	short loc_851BDE
; 

loc_851C18:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+CEj
					; DrvDbGetDeviceIdMappedProperty+DDj ...
		test	esi, esi
		js	loc_90046F

loc_851C20:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE947j
		cmp	[ebp+var_1], 0
		jnz	short loc_851C9E

loc_851C26:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+A8j
		mov	esi, 0C0000034h

loc_851C2B:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+198j
					; DrvDbGetDeviceIdMappedProperty+1A2j ...
		cmp	[ebp+var_8], 0
		jnz	loc_900583

loc_851C35:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE9FBj
					; DrvDbGetDeviceIdMappedProperty+AEA57j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_851C3E:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+C6j
		push	[ebp+arg_14]
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		push	eax
		mov	eax, [ebp+arg_10]
		sub	eax, [ebp+var_14]
		shr	eax, 1
		push	eax
		mov	eax, [ebp+arg_C]
		add	eax, [ebp+var_14]
		push	eax
		mov	[ebp+var_1], 1
		call	DrvDbGetDeviceIdDriverInfMatches
		push	[ebp+var_8]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_8], 0
		test	esi, esi
		js	loc_900452

loc_851C77:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE936j
		mov	eax, [ebp+var_10]
		add	eax, eax
		cmp	eax, 2
		jbe	short loc_851C84
		sub	eax, 2

loc_851C84:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+14Bj
		cmp	[ebp+arg_C], 0
		jz	short loc_851C97
		mov	ecx, [ebp+var_14]
		add	ecx, eax
		cmp	ecx, [ebp+arg_10]
		jnb	short loc_851C97
		mov	[ebp+var_14], ecx

loc_851C97:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+154j
					; DrvDbGetDeviceIdMappedProperty+15Ej
		add	[edi], eax
		jmp	loc_851C06
; 

loc_851C9E:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+F0j
		cmp	dword ptr [edi], 0
		jz	loc_900480
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_C]
		mov	dword ptr [eax], 2012h
		mov	eax, [edi]
		add	eax, 2
		mov	[edi], eax
		test	ecx, ecx
		jz	short loc_851CD1
		cmp	eax, [ebp+arg_10]
		ja	short loc_851CD1
		shr	eax, 1
		xor	edx, edx
		mov	[ecx+eax*2-2], dx
		jmp	loc_851C2B
; 

loc_851CD1:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+188j
					; DrvDbGetDeviceIdMappedProperty+18Dj
		mov	esi, 0C0000023h
		jmp	loc_851C2B
DrvDbGetDeviceIdMappedProperty endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DrvDbGetDeviceIdDriverInfMatches proc near ; CODE XREF:	DrvDbGetDeviceIdMappedProperty+128p
					; DrvDbGetDeviceIdMappedProperty+AE993p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 00900590 SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ebp+arg_8]
		mov	ecx, edx
		xor	edx, edx
		mov	[ebp+var_1C], ecx
		push	esi
		push	edx
		mov	[eax], edx
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_24], edx
		push	eax
		push	edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_14], edx
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_851E61
		push	ebx
		mov	ebx, [ebp+var_4]
		inc	ebx
		cmp	[ebp+var_8], 0
		jz	loc_900590
		cmp	[ebp+arg_C], 0
		mov	eax, ebx
		jz	short loc_851D38
		lea	eax, [ebx+10h]
		mov	ebx, eax

loc_851D38:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+55j
		push	edi
		push	42444450h
		add	eax, eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_90059A
		xor	ecx, ecx
		mov	eax, ecx
		mov	[ebp+var_20], ecx
		cmp	[ebp+var_8], eax
		jbe	loc_851E6F

loc_851D62:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+18Ej
		cmp	[ebp+arg_C], 0
		mov	edx, eax
		mov	[ebp+var_4], ebx
		jz	loc_9005AE
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_18], 4
		push	ecx		; int
		lea	ecx, [ebp+var_C]
		push	ecx		; void *
		lea	ecx, [ebp+var_10]
		push	ecx		; int
		lea	ecx, [ebp+var_4]
		push	ecx		; int
		mov	ecx, [ebp+var_1C]
		push	edi		; void *
		call	_RegRtlEnumValue
		mov	esi, eax
		test	esi, esi
		js	loc_9005E4
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	loc_9005DA
		cmp	[ebp+var_10], 3
		jnz	loc_9005A4
		cmp	[ebp+var_18], 4
		jnz	loc_9005DA

loc_851DBA:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+AE8CDj
		mov	eax, ebx
		lea	edx, [ebp+var_C]
		sub	eax, ecx
		push	eax		; int
		lea	eax, [edi+ecx*2]
		push	eax		; void *
		call	DrvDbBuildDeviceIdDriverInfMatch
		mov	esi, eax
		test	esi, esi
		js	loc_851E56
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_851DDA:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+108j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_24]
		jnz	short loc_851DDA
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ecx+1]

loc_851DED:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+AE8F9j
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_18], eax
		test	ecx, ecx
		jz	short loc_851E22
		add	eax, [ebp+var_14]
		mov	[ebp+var_4], eax
		cmp	eax, [ebp+arg_4]
		jnb	short loc_851E22
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		push	900h
		push	eax
		push	eax
		mov	eax, [ebp+var_14]
		sub	edx, eax
		push	edi
		lea	ecx, [ecx+eax*2]
		call	RtlStringCchCopyExW
		mov	eax, [ebp+var_4]
		mov	[ebp+var_14], eax

loc_851E22:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+119j
					; DrvDbGetDeviceIdDriverInfMatches+124j
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+var_18]
		add	[ecx], eax
		mov	eax, [ebp+var_20]
		inc	eax
		mov	[ebp+var_20], eax
		cmp	eax, [ebp+var_8]
		jb	short loc_851E68

loc_851E36:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+196j
					; DrvDbGetDeviceIdDriverInfMatches+AE911j ...
		test	esi, esi
		js	short loc_851E56
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_851E74
		inc	eax
		mov	[ecx], eax
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_851E7B
		cmp	eax, [ebp+arg_4]
		ja	short loc_851E7B
		xor	edx, edx
		mov	[ecx+eax*2-2], dx

loc_851E56:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+F3j
					; DrvDbGetDeviceIdDriverInfMatches+15Cj ...
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_851E5F:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+AE8C3j
		pop	edi

loc_851E60:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+AE8B9j
		pop	ebx

loc_851E61:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+3Aj
		mov	eax, esi
		pop	esi
		leave
		retn	10h
; 

loc_851E68:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+158j
		xor	ecx, ecx
		jmp	loc_851D62
; 

loc_851E6F:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+80j
					; DrvDbGetDeviceIdDriverInfMatches+AE925j
		mov	ecx, [ebp+arg_8]
		jmp	short loc_851E36
; 

loc_851E74:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+162j
		mov	esi, 0C0000225h
		jmp	short loc_851E56
; 

loc_851E7B:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+16Cj
					; DrvDbGetDeviceIdDriverInfMatches+171j
		mov	esi, 0C0000023h
		jmp	short loc_851E56
DrvDbGetDeviceIdDriverInfMatches endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	DrvDbBuildDeviceIdDriverInfMatch(void *,int)
DrvDbBuildDeviceIdDriverInfMatch proc near ; CODE XREF:	DrvDbGetDeviceIdDriverInfMatches+EAp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00900606 SIZE 0000004C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edi
		mov	al, [esi]
		mov	[ebp+var_4], edi
		test	al, al
		jz	loc_900636
		cmp	al, 2
		ja	loc_900606
		cmp	al, 1
		jnz	short loc_851F04
		mov	eax, edi

loc_851EAE:				; CODE XREF: DrvDbBuildDeviceIdDriverInfMatch+87j
		push	eax
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@ ; char
		push	offset ??_C@_1O@HBHOJDCM@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAX@NNGAKEGL@ ; wchar_t *
		mov	ebx, 800h
		lea	eax, [ebp+var_4]
		push	ebx		; int
		push	eax		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 20h
		test	eax, eax
		js	short loc_851EE1
		mov	cl, [esi+1]
		cmp	cl, 0FFh
		jnz	short loc_851EE8

loc_851EE1:				; CODE XREF: DrvDbBuildDeviceIdDriverInfMatch+55j
					; DrvDbBuildDeviceIdDriverInfMatch+80j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_851EE8:				; CODE XREF: DrvDbBuildDeviceIdDriverInfMatch+5Dj
		movzx	eax, cl
		push	eax		; char
		push	offset ??_C@_17MBIMHFNH@?$AA?2?$AA?$CF?$AAX@NNGAKEGL@ ;	"\\%X"
		push	ebx		; int
		push	edi		; int
		push	edi		; int
		push	[ebp+var_4]	; int
		push	[ebp+var_8]	; void *

loc_851EFA:				; CODE XREF: DrvDbBuildDeviceIdDriverInfMatch+AE7A5j
		call	RtlStringCchPrintfExW
		add	esp, 1Ch
		jmp	short loc_851EE1
; 

loc_851F04:				; CODE XREF: DrvDbBuildDeviceIdDriverInfMatch+28j
		movzx	eax, word ptr [esi+2]
		inc	eax
		jmp	short loc_851EAE
DrvDbBuildDeviceIdDriverInfMatch endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAllocateDriverPage proc near		; CODE XREF: MiPrivateFixup(x,x,x,x,x)+131p
					; MiLockCode(x,x,x,x)+357p ...

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00900652 SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		or	[ebp+var_4], 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		xor	esi, esi
		stosd
		mov	ebx, ecx
		mov	[ebp+var_8], esi
		stosd
		stosd
		lea	eax, [ebp+var_8]
		push	eax
		call	MiUseSlabAllocatorForDriverPage
		test	eax, eax
		jnz	loc_900652

loc_851F3B:				; CODE XREF: MiAllocateDriverPage+AE75Fj
		test	[ebp+arg_0], 1
		jz	short loc_851F4B

loc_851F41:				; CODE XREF: MiAllocateDriverPage+AE789j
		or	eax, 0FFFFFFFFh

loc_851F44:				; CODE XREF: MiAllocateDriverPage+A2j
					; MiAllocateDriverPage+AE759j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_851F4B:				; CODE XREF: MiAllocateDriverPage+33j
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		push	esi
		push	20000000h
		mov	eax, 80000000h
		mov	ecx, ebx
		push	eax
		push	eax
		push	1
		push	1
		push	esi
		push	dword_6CF55C
		call	_MiFindContiguousPages@44 ; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_900670
		mov	eax, dword_6CF588
		mov	ecx, [ebp+var_4]
		inc	eax
		mov	dword_6CF588, eax
		cmp	ebx, offset _MiSystemPartition
		jnz	short loc_851F9D
		test	eax, 1FFh
		jz	short loc_851FB0
		lea	eax, [ecx-1]
		mov	dword_6CF55C, eax

loc_851F9D:				; CODE XREF: MiAllocateDriverPage+80j
					; MiAllocateDriverPage+ABj
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiPreInitializeSystemImagePage@4 ; MiPreInitializeSystemImagePage(x)
		mov	eax, [ebp+var_4]
		jmp	short loc_851F44
; 

loc_851FB0:				; CODE XREF: MiAllocateDriverPage+87j
		or	dword_6CF55C, 0FFFFFFFFh
		jmp	short loc_851F9D
MiAllocateDriverPage endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlEnumeratorFilterCallback(x,	x, x, x)
_PiPnpRtlEnumeratorFilterCallback@16 proc near
					; DATA XREF: PiPnpRtlGetFilteredDeviceList+79o
					; PiPnpRtlGetFilteredDeviceList+A9o ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		xor	ebx, ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	byte ptr [ebp+var_1], bl
		cmp	[esi+4], bl
		jz	short loc_851FEF
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_1]
		mov	ecx, [ebp+arg_0]
		push	eax
		call	__CmIsDevicePresent@12 ; _CmIsDevicePresent(x,x,x)
		test	eax, eax
		js	short loc_85200E
		cmp	byte ptr [ebp+var_1], bl
		jz	short loc_85200E

loc_851FEF:				; CODE XREF: PiPnpRtlEnumeratorFilterCallback(x,x,x,x)+1Bj
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_852016

loc_851FF5:				; CODE XREF: PiPnpRtlEnumeratorFilterCallback(x,x,x,x)+60j
					; PiPnpRtlEnumeratorFilterCallback(x,x,x,x)+68j ...
		mov	eax, [esi+8]
		mov	bl, 1
		test	eax, eax
		jz	short loc_85200E
		push	dword ptr [esi+0Ch]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax
		mov	bl, al

loc_85200E:				; CODE XREF: PiPnpRtlEnumeratorFilterCallback(x,x,x,x)+2Ej
					; PiPnpRtlEnumeratorFilterCallback(x,x,x,x)+33j ...
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	10h
; 

loc_852016:				; CODE XREF: PiPnpRtlEnumeratorFilterCallback(x,x,x,x)+39j
		cmp	word ptr [eax],	2
		jb	short loc_851FF5
		mov	eax, [eax+4]
		cmp	[eax], bx
		jz	short loc_851FF5
		push	[ebp+arg_4]
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_85200E
		push	1
		lea	eax, [ebp+var_C]
		push	eax
		push	dword ptr [esi]
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_85200E
		jmp	short loc_851FF5
_PiPnpRtlEnumeratorFilterCallback@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmIsDevicePresent(x, x, x)
__CmIsDevicePresent@12 proc near	; CODE XREF: PiPnpRtlEnumeratorFilterCallback(x,x,x,x)+27p
					; PiPnpRtlServiceFilterCallback+B41BDp	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_4], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_8520AD
		push	edx
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_8520A0
		push	ecx
		lea	eax, [ebp+var_4]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	edx, [ebp+var_14]
		call	__NtPlugPlayGetDeviceStatus@24 ; _NtPlugPlayGetDeviceStatus(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8520A0
		mov	byte ptr [esi],	1

loc_852099:				; CODE XREF: _CmIsDevicePresent(x,x,x)+5Dj
					; _CmIsDevicePresent(x,x,x)+63j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8520A0:				; CODE XREF: _CmIsDevicePresent(x,x,x)+31j
					; _CmIsDevicePresent(x,x,x)+4Cj
		cmp	eax, 0C000000Eh
		jnz	short loc_852099
		mov	eax, ebx
		mov	[esi], bl
		jmp	short loc_852099
; 

loc_8520AD:				; CODE XREF: _CmIsDevicePresent(x,x,x)+23j
		mov	eax, 0C000000Dh
		jmp	short loc_852099
__CmIsDevicePresent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMMandatoryFilterCallback(x, x, x, x)
_PiCMMandatoryFilterCallback@16	proc near ; DATA XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+230o

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	eax, eax
		mov	[ebp+var_1], al
		cmp	[ebp+arg_C], eax
		jz	short locret_8520E9
		sub	[ebp+arg_8], 1
		jnz	short locret_8520E9
		mov	edx, [ebp+arg_4]
		lea	ecx, [ebp-1]
		push	ecx
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	eax
		push	1
		call	_PiPnpRtlApplyMandatoryFilters@24 ; PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)
		test	eax, eax
		sets	al
		dec	al
		and	al, [ebp+var_1]

locret_8520E9:				; CODE XREF: PiCMMandatoryFilterCallback(x,x,x,x)+Ej
					; PiCMMandatoryFilterCallback(x,x,x,x)+14j
		leave
		retn	10h
_PiCMMandatoryFilterCallback@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqObjectManagerServiceActionQueue proc near ;	DATA XREF: PiDqObjectManagerInit(x,x)+3Co

var_44		= byte ptr -44h
var_43		= byte ptr -43h
var_42		= byte ptr -42h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009006BB SIZE 000000A0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ecx, ecx
		push	edi
		xor	eax, eax
		mov	[esp+50h+var_2C], esi
		lea	edi, [esp+50h+var_14]
		mov	[esp+50h+var_40], ecx
		stosd
		mov	bl, 1
		mov	[esp+50h+var_3C], ecx
		mov	[esp+50h+var_41], 1
		mov	[esp+50h+var_28], ecx
		stosd
		stosd
		stosd
		lea	eax, [esi+38h]
		lea	edi, [esi+70h]
		mov	[esp+50h+var_1C], eax
		mov	[esp+50h+var_18], edi

loc_85213B:				; CODE XREF: PiDqObjectManagerServiceActionQueue+346j
		mov	eax, large fs:124h
		mov	[esp+50h+var_38], ecx
		mov	[esp+50h+var_34], ecx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	esi
		call	ExAcquireResourceExclusiveLite
		lea	ecx, [esi+38h]
		call	ExAcquireFastMutex
		cmp	[edi], edi
		jz	loc_9006BB
		mov	ecx, [edi]
		mov	eax, [edi+4]
		mov	[esp+50h+var_3C], eax
		lea	eax, [esp+50h+var_40]
		mov	[esp+50h+var_40], ecx
		mov	[ecx+4], eax
		mov	ecx, eax
		mov	eax, [esp+50h+var_3C]
		mov	[eax], ecx
		mov	[edi+4], edi
		mov	[edi], edi

loc_85218A:				; CODE XREF: PiDqObjectManagerServiceActionQueue+AE5D9j
		mov	eax, [esi+7Ch]
		and	al, 2
		neg	al
		sbb	al, al
		not	al
		and	bl, al
		mov	bh, bl
		mov	[esp+50h+var_43], bl
		mov	[esp+50h+var_42], bh
		jz	short loc_852201
		mov	edi, [esi+78h]
		mov	[esp+50h+var_34], edi
		mov	[esp+50h+var_43], bl
		test	edi, edi
		jz	short loc_852201
		push	58706E50h
		mov	eax, edi
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+50h+var_38], eax
		test	eax, eax
		jz	loc_9006CC
		lea	edx, [esi+68h]
		mov	[esp+50h+var_43], bl
		mov	eax, [edx]
		xor	ecx, ecx
		cmp	eax, edx
		jz	short loc_852201
		mov	ebx, [esp+50h+var_38]

loc_8521E3:				; CODE XREF: PiDqObjectManagerServiceActionQueue+109j
		cmp	ecx, edi
		jnb	loc_9006CC
		mov	[ebx+ecx*4], eax
		inc	ecx
		lock inc dword ptr [eax+70h]
		mov	eax, [eax]
		cmp	eax, edx
		jnz	short loc_8521E3
		mov	bl, [esp+50h+var_42]

loc_8521FD:				; CODE XREF: PiDqObjectManagerServiceActionQueue+AE5E0j
		mov	[esp+50h+var_43], bl

loc_852201:				; CODE XREF: PiDqObjectManagerServiceActionQueue+B3j
					; PiDqObjectManagerServiceActionQueue+C2j ...
		test	bl, bl
		jz	loc_9006D3

loc_852209:				; CODE XREF: PiDqObjectManagerServiceActionQueue+AE642j
		lea	ecx, [esi+38h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	esi, [esp+50h+var_34]

loc_852215:				; CODE XREF: PiDqObjectManagerServiceActionQueue+2A8j
		mov	edi, [esp+50h+var_40]
		lea	eax, [esp+50h+var_40]
		mov	[esp+50h+var_20], edi
		cmp	edi, eax
		jz	loc_85239B
		cmp	[edi+4], eax
		jnz	loc_852439
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	loc_852439
		mov	[esp+50h+var_40], eax
		lea	ecx, [esp+50h+var_40]
		mov	[eax+4], ecx
		test	bl, bl
		jz	loc_852383
		xor	ecx, ecx
		mov	[esp+50h+var_30], ecx
		test	esi, esi
		jz	loc_852383

loc_85225E:				; CODE XREF: PiDqObjectManagerServiceActionQueue+287j
		mov	eax, [esp+50h+var_38]
		mov	esi, [eax+ecx*4]
		mov	[esp+50h+var_24], esi
		mov	eax, [esi+7Ch]
		cmp	eax, [edi+14h]
		jb	short loc_852283
		ja	loc_85236C
		mov	eax, [esi+78h]
		cmp	eax, [edi+10h]
		ja	loc_85236C

loc_852283:				; CODE XREF: PiDqObjectManagerServiceActionQueue+181j
		mov	ecx, [esi+0Ch]	; Source2
		mov	[esp+50h+var_42], 0
		call	_PnpIsNullGuid@4 ; PnpIsNullGuid(x)
		test	al, al
		jnz	short loc_8522BA
		mov	esi, [esi+0Ch]
		lea	edi, [esp+50h+var_14]
		lea	eax, [esp+50h+var_14]
		push	eax
		movsd
		movsd
		movsd
		movsd
		call	_IoSetActivityIdThread@4 ; IoSetActivityIdThread(x)
		mov	esi, [esp+50h+var_24]
		mov	edi, [esp+50h+var_20]
		mov	[esp+50h+var_28], eax
		mov	[esp+50h+var_42], 1

loc_8522BA:				; CODE XREF: PiDqObjectManagerServiceActionQueue+1A4j
		cmp	byte_6CD8BA, 0
		jl	loc_900735

loc_8522C7:				; CODE XREF: PiDqObjectManagerServiceActionQueue+AE655j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+20h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, [esi+74h]
		lea	ecx, [esi+20h]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, 9
		jnz	short loc_85234B
		mov	edx, [edi+8]
		mov	ecx, esi
		call	PiDqQueryApplyObjectEvent
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ebx, [esi+20h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		test	byte ptr [esi+74h], 1
		jnz	loc_852426
		lea	eax, [esi+64h]
		cmp	[eax], eax
		jnz	loc_852426

loc_852336:				; CODE XREF: PiDqObjectManagerServiceActionQueue+33Fj
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_85234B:				; CODE XREF: PiDqObjectManagerServiceActionQueue+20Dj
		cmp	byte_6CD8BA, 0
		jl	loc_900748

loc_852358:				; CODE XREF: PiDqObjectManagerServiceActionQueue+AE668j
		cmp	[esp+50h+var_42], 0
		jz	short loc_852368
		push	[esp+50h+var_28]
		call	_IoClearActivityIdThread@4 ; IoClearActivityIdThread(x)

loc_852368:				; CODE XREF: PiDqObjectManagerServiceActionQueue+26Fj
		mov	ecx, [esp+50h+var_30]

loc_85236C:				; CODE XREF: PiDqObjectManagerServiceActionQueue+183j
					; PiDqObjectManagerServiceActionQueue+18Fj
		inc	ecx
		mov	[esp+50h+var_30], ecx
		cmp	ecx, [esp+50h+var_34]
		jb	loc_85225E
		mov	bl, [esp+50h+var_43]
		mov	esi, [esp+50h+var_34]

loc_852383:				; CODE XREF: PiDqObjectManagerServiceActionQueue+15Cj
					; PiDqObjectManagerServiceActionQueue+16Aj
		mov	ecx, [edi+8]
		call	PiPnpRtlObjectEventRelease
		push	58706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_852215
; 

loc_85239B:				; CODE XREF: PiDqObjectManagerServiceActionQueue+135j
		mov	eax, [esp+50h+var_38]
		test	eax, eax
		jz	short loc_8523C9
		mov	edi, [esp+50h+var_34]
		xor	esi, esi
		test	edi, edi
		jz	short loc_8523BE

loc_8523AD:				; CODE XREF: PiDqObjectManagerServiceActionQueue+2CEj
		mov	ecx, [eax+esi*4]
		call	PiDqQueryRelease
		mov	eax, [esp+50h+var_38]
		inc	esi
		cmp	esi, edi
		jb	short loc_8523AD

loc_8523BE:				; CODE XREF: PiDqObjectManagerServiceActionQueue+2BDj
		push	58706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8523C9:				; CODE XREF: PiDqObjectManagerServiceActionQueue+2B3j
		mov	ecx, [esp+50h+var_1C]
		call	ExAcquireFastMutex
		mov	edi, [esp+50h+var_18]
		mov	esi, [esp+50h+var_2C]
		cmp	[edi], edi
		jnz	short loc_8523F0
		mov	eax, [esi+7Ch]
		test	al, 2
		jnz	short loc_8523F0
		and	eax, 0FFFFFFFEh
		mov	[esp+50h+var_41], 0
		mov	[esi+7Ch], eax

loc_8523F0:				; CODE XREF: PiDqObjectManagerServiceActionQueue+2EEj
					; PiDqObjectManagerServiceActionQueue+2F5j
		lea	ecx, [esi+38h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, esi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[esp+50h+var_41], 0
		jnz	short loc_852432
		mov	ecx, [esp+50h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_852426:				; CODE XREF: PiDqObjectManagerServiceActionQueue+237j
					; PiDqObjectManagerServiceActionQueue+242j
		mov	ecx, esi
		call	PiDqQueryCompletePendedIrp
		jmp	loc_852336
; 

loc_852432:				; CODE XREF: PiDqObjectManagerServiceActionQueue+322j
		xor	ecx, ecx
		jmp	loc_85213B
; 

loc_852439:				; CODE XREF: PiDqObjectManagerServiceActionQueue+13Ej
					; PiDqObjectManagerServiceActionQueue+149j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PiDqObjectManagerServiceActionQueue endp ; AL =	character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqQueryApplyObjectEvent proc near	; CODE XREF: PiDqObjectManagerServiceActionQueue+214p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_6		= byte ptr -6
var_5		= byte ptr -5
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090075B SIZE 000002F1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		mov	esi, ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], esi
		mov	[ebp+var_2C], ebx
		mov	eax, [edi+4]
		mov	byte ptr [ebp+var_4+3],	bl
		mov	[ebp+var_5], bl
		mov	byte ptr [ebp+var_4], bl
		test	al, 3
		jnz	loc_85258B
		test	al, 8
		jnz	short loc_852479
		cmp	[edi+2Ch], ebx
		jbe	loc_85258B

loc_852479:				; CODE XREF: PiDqQueryApplyObjectEvent+30j
		test	al, 4
		jnz	loc_90075B

loc_852481:				; CODE XREF: PiDqQueryApplyObjectEvent+AE331j
		mov	ecx, [esi+0Ch]
		mov	eax, [ecx+20h]
		mov	edx, eax
		and	edx, 4
		test	al, 2
		jnz	loc_8527B9
		mov	eax, [ecx+2Ch]
		test	edx, edx
		jnz	loc_8527F3
		mov	[ebp+var_20], ebx
		test	eax, eax
		jz	short loc_8524FC
		mov	eax, ebx
		mov	[ebp+var_1C], ebx

loc_8524AB:				; CODE XREF: PiDqQueryApplyObjectEvent+BCj
		mov	edx, [ecx+30h]
		add	edx, eax
		mov	[ebp+var_24], ebx
		mov	[ebp+var_18], edx
		cmp	[edi+2Ch], ebx
		jbe	short loc_8524E7
		lea	eax, [edi+44h]
		mov	[ebp+var_C], eax

loc_8524C1:				; CODE XREF: PiDqQueryApplyObjectEvent+A4j
		mov	ecx, [ebp+var_C]
		mov	eax, [edx+10h]
		cmp	eax, [ecx-4]
		mov	eax, ecx
		jz	loc_852678

loc_8524D2:				; CODE XREF: PiDqQueryApplyObjectEvent+25Ej
					; PiDqQueryApplyObjectEvent+38Fj ...
		mov	ecx, [ebp+var_24]
		add	eax, 1Ch
		inc	ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_24], ecx
		cmp	ecx, [edi+2Ch]
		jb	short loc_8524C1

loc_8524E4:				; CODE XREF: PiDqQueryApplyObjectEvent+285j
		mov	eax, [ebp+var_1C]

loc_8524E7:				; CODE XREF: PiDqQueryApplyObjectEvent+7Bj
		mov	edx, [ebp+var_20]
		add	eax, 1Ch
		mov	ecx, [esi+0Ch]
		inc	edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], eax
		cmp	edx, [ecx+2Ch]
		jb	short loc_8524AB

loc_8524FC:				; CODE XREF: PiDqQueryApplyObjectEvent+66j
					; PiDqQueryApplyObjectEvent+387j ...
		mov	eax, [esi+0Ch]
		cmp	[eax+14h], ebx
		jnz	short loc_85250E
		test	byte ptr [edi+4], 8
		jnz	loc_8527D2

loc_85250E:				; CODE XREF: PiDqQueryApplyObjectEvent+C4j
		mov	edx, ebx
		lea	ecx, [edi+44h]
		mov	al, bl
		mov	[ebp+var_24], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_5], al

loc_85251E:				; CODE XREF: PiDqQueryApplyObjectEvent+132j
		cmp	edx, [edi+2Ch]
		jnb	short loc_852572
		mov	edx, [esi+0Ch]
		mov	[ebp+var_28], ebx
		cmp	[edx+34h], ebx
		jbe	short loc_852561
		mov	[ebp+var_1C], ebx

loc_852531:				; CODE XREF: PiDqQueryApplyObjectEvent+11Ej
		mov	eax, [edx+38h]
		mov	edx, [ebp+var_1C]
		add	edx, 4
		add	edx, eax
		mov	[ebp+var_20], edx
		mov	eax, [edx+10h]
		cmp	eax, [ecx-4]
		jz	loc_8526C8

loc_85254B:				; CODE XREF: PiDqQueryApplyObjectEvent+29Ej
					; PiDqQueryApplyObjectEvent+2ACj ...
		mov	eax, [ebp+var_28]
		mov	edx, [esi+0Ch]
		inc	eax
		add	[ebp+var_1C], 2Ch
		mov	[ebp+var_28], eax
		cmp	eax, [edx+34h]
		jb	short loc_852531
		mov	al, [ebp+var_5]

loc_852561:				; CODE XREF: PiDqQueryApplyObjectEvent+EEj
					; PiDqQueryApplyObjectEvent+2CEj
		mov	edx, [ebp+var_24]
		add	ecx, 1Ch
		inc	edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_24], edx
		test	al, al
		jz	short loc_85251E

loc_852572:				; CODE XREF: PiDqQueryApplyObjectEvent+E3j
					; PiDqQueryApplyObjectEvent+399j
		cmp	byte ptr [ebp+var_4+3],	bl
		jnz	short loc_85258B
		test	al, al
		jnz	short loc_85258B

loc_85257B:				; CODE XREF: PiDqQueryApplyObjectEvent+235j
		mov	eax, [ebp+var_10]

loc_85257E:				; CODE XREF: PiDqQueryApplyObjectEvent+1DDj
		test	eax, eax
		js	loc_900775

loc_852586:				; CODE XREF: PiDqQueryApplyObjectEvent+AE371j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85258B:				; CODE XREF: PiDqQueryApplyObjectEvent+28j
					; PiDqQueryApplyObjectEvent+35j ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esi+20h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_24], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+8]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [esi+24h]
		push	eax
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		test	eax, eax
		lea	ecx, [esi+20h]
		setnz	[ebp+var_6]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [edi+4]
		test	al, 2
		jnz	loc_900A41
		test	al, 1
		jnz	loc_852711
		cmp	[ebp+var_5], bl
		jnz	loc_852711
		mov	al, [ebp+var_6]
		mov	cl, al

loc_8525F8:				; CODE XREF: PiDqQueryApplyObjectEvent+376j
		test	cl, cl
		jnz	loc_8527DC

loc_852600:				; CODE XREF: PiDqQueryApplyObjectEvent+2EAj
					; PiDqQueryApplyObjectEvent+33Bj ...
		cmp	[ebp+var_6], bl
		jnz	loc_9009D6
		mov	esi, [ebp+var_14]

loc_85260C:				; CODE XREF: PiDqQueryApplyObjectEvent+AE606j
		mov	cl, bl

loc_85260E:				; CODE XREF: PiDqQueryApplyObjectEvent+3B0j
					; PiDqQueryApplyObjectEvent+492j ...
		mov	eax, [ebp+var_10]
		test	eax, eax
		js	loc_900775
		test	cl, cl
		jz	loc_85257E
		mov	edx, [edi+8]
		lea	eax, [ebp+var_2C]
		push	eax
		push	edi
		mov	ecx, ebx
		call	_PiDqQueryActionQueueEntryCreate@16 ; PiDqQueryActionQueueEntryCreate(x,x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		js	loc_900775
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+20h]
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+var_2C]
		mov	ecx, esi
		call	PiDqQueryAppendActionEntry
		xor	edx, edx
		lea	ecx, [esi+20h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_85257B
; 

loc_852678:				; CODE XREF: PiDqQueryApplyObjectEvent+8Ej
		push	10h		; size_t
		add	eax, 0FFFFFFECh
		push	eax		; void *
		push	edx		; void *
		call	_memcmp
		mov	edx, [ebp+var_18]
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8527CA
		mov	ecx, [ebp+var_C]
		mov	eax, [edx+14h]
		cmp	eax, [ecx]
		mov	eax, ecx
		jnz	loc_8524D2
		mov	esi, [eax+4]
		mov	ecx, [edx+18h]
		cmp	ecx, esi
		mov	[ebp+var_28], esi
		mov	esi, [ebp+var_14]
		jnz	loc_9008AC

loc_8526B6:				; CODE XREF: PiDqQueryApplyObjectEvent+AE498j
		cmp	dword ptr [eax], 1
		jz	loc_9008DB

loc_8526BF:				; CODE XREF: PiDqQueryApplyObjectEvent+AE4A0j
		mov	byte ptr [ebp+var_4+3],	1
		jmp	loc_8524E4
; 

loc_8526C8:				; CODE XREF: PiDqQueryApplyObjectEvent+107j
		push	10h		; size_t
		lea	eax, [ecx-14h]
		push	eax		; void *
		push	edx		; void *
		call	_memcmp
		mov	ecx, [ebp+var_C]
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_85254B
		mov	edx, [ebp+var_20]
		mov	eax, [edx+14h]
		cmp	eax, [ecx]
		jnz	loc_85254B
		mov	eax, [edx+18h]
		mov	edx, [ecx+4]
		cmp	eax, edx
		jnz	loc_9008E9

loc_8526FE:				; CODE XREF: PiDqQueryApplyObjectEvent+AE4CFj
		cmp	dword ptr [ecx], 1
		jz	loc_900912

loc_852707:				; CODE XREF: PiDqQueryApplyObjectEvent+AE4D7j
		mov	al, 1
		mov	[ebp+var_5], al
		jmp	loc_852561
; 

loc_852711:				; CODE XREF: PiDqQueryApplyObjectEvent+1A6j
					; PiDqQueryApplyObjectEvent+1AFj
		mov	edx, [esi+0Ch]
		mov	eax, [edx+14h]
		sub	eax, ebx
		jnz	loc_900920
		mov	cl, 1
		mov	dl, cl

loc_852723:				; CODE XREF: PiDqQueryApplyObjectEvent+AE570j
		mov	byte ptr [ebp+var_4+2],	cl

loc_852726:				; CODE XREF: PiDqQueryApplyObjectEvent+AE551j
		test	dl, dl
		jz	loc_852600

loc_85272E:				; CODE XREF: PiDqQueryApplyObjectEvent+AE578j
		mov	eax, [esi+0Ch]
		cmp	[eax+14h], ebx
		jnz	short loc_852777
		mov	edx, [edi+8]
		lea	eax, [ebp+var_4+2]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [esi+10h]
		push	eax
		push	ebx
		push	dword ptr [edx+14h]
		mov	edx, [edx+0Ch]
		call	_PiPnpRtlApplyMandatoryFilters@24 ; PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)
		mov	[ebp+var_10], eax
		cmp	eax, 0C0000034h
		jz	loc_9009BB
		cmp	eax, 0C0000225h
		jz	loc_9009BB
		mov	cl, byte ptr [ebp+var_4+2]

loc_85276F:				; CODE XREF: PiDqQueryApplyObjectEvent+AE587j
		test	eax, eax
		js	loc_900775

loc_852777:				; CODE XREF: PiDqQueryApplyObjectEvent+2F6j
		test	cl, cl
		jz	loc_852600
		mov	eax, [esi+0Ch]
		cmp	[eax+38h], ebx
		jz	short loc_8527B1
		mov	edx, [edi+8]
		lea	eax, [ebp+var_4+2]
		push	eax
		mov	ecx, esi
		mov	edx, [edx+0Ch]
		call	PiDqQueryEvaluateFilter
		mov	[ebp+var_10], eax
		cmp	eax, 0C0000034h
		jz	loc_9009CA
		mov	cl, byte ptr [ebp+var_4+2]

loc_8527A9:				; CODE XREF: PiDqQueryApplyObjectEvent+AE593j
		test	eax, eax
		js	loc_900775

loc_8527B1:				; CODE XREF: PiDqQueryApplyObjectEvent+347j
		mov	al, [ebp+var_6]
		jmp	loc_8525F8
; 

loc_8527B9:				; CODE XREF: PiDqQueryApplyObjectEvent+50j
		test	edx, edx
		jnz	loc_9007B4

loc_8527C1:				; CODE XREF: PiDqQueryApplyObjectEvent+447j
					; PiDqQueryApplyObjectEvent+AE397j
		mov	byte ptr [ebp+var_4+3],	1
		jmp	loc_8524FC
; 

loc_8527CA:				; CODE XREF: PiDqQueryApplyObjectEvent+24Ej
		mov	eax, [ebp+var_C]
		jmp	loc_8524D2
; 

loc_8527D2:				; CODE XREF: PiDqQueryApplyObjectEvent+CAj
		mov	al, 1
		mov	[ebp+var_5], al
		jmp	loc_852572
; 

loc_8527DC:				; CODE XREF: PiDqQueryApplyObjectEvent+1BCj
		test	al, al
		jz	loc_852890
		cmp	byte ptr [ebp+var_4+3],	0
		push	2
		pop	ebx
		setnz	cl
		jmp	loc_85260E
; 

loc_8527F3:				; CODE XREF: PiDqQueryApplyObjectEvent+5Bj
		mov	[ebp+var_24], ebx
		test	eax, eax
		jz	loc_8524FC
		mov	eax, ebx
		mov	[ebp+var_28], ebx

loc_852803:				; CODE XREF: PiDqQueryApplyObjectEvent+414j
		mov	edx, [ecx+30h]
		add	edx, eax
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], edx
		cmp	[edi+2Ch], ebx
		jbe	short loc_85283F
		lea	ecx, [edi+48h]
		mov	[ebp+var_C], ecx

loc_852819:				; CODE XREF: PiDqQueryApplyObjectEvent+3F3j
		mov	eax, [edx+10h]
		cmp	eax, [ecx-8]
		jz	short loc_852859

loc_852821:				; CODE XREF: PiDqQueryApplyObjectEvent+432j
					; PiDqQueryApplyObjectEvent+43Aj ...
		mov	eax, [ebp+var_20]
		add	ecx, 1Ch
		inc	eax
		mov	[ebp+var_C], ecx
		mov	[ebp+var_20], eax
		cmp	eax, [edi+2Ch]
		jb	short loc_852819
		cmp	byte ptr [ebp+var_4+3],	bl
		jnz	loc_8524FC
		mov	eax, [ebp+var_28]

loc_85283F:				; CODE XREF: PiDqQueryApplyObjectEvent+3D3j
		mov	edx, [ebp+var_24]
		add	eax, 1Ch
		mov	ecx, [esi+0Ch]
		inc	edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_28], eax
		cmp	edx, [ecx+2Ch]
		jb	short loc_852803
		jmp	loc_8524FC
; 

loc_852859:				; CODE XREF: PiDqQueryApplyObjectEvent+3E1j
		push	10h		; size_t
		lea	eax, [ecx-18h]
		push	eax		; void *
		push	edx		; void *
		call	_memcmp
		mov	ecx, [ebp+var_C]
		add	esp, 0Ch
		mov	edx, [ebp+var_18]
		test	eax, eax
		jnz	short loc_852821
		mov	eax, [ecx-4]
		cmp	[edx+14h], eax
		jnz	short loc_852821
		cmp	eax, 1
		jz	loc_90083C

loc_852883:				; CODE XREF: PiDqQueryApplyObjectEvent+AE407j
		cmp	[ecx], ebx
		jz	loc_8527C1
		jmp	loc_90084A
; 

loc_852890:				; CODE XREF: PiDqQueryApplyObjectEvent+3A0j
		mov	eax, large fs:124h
		xor	ebx, ebx
		inc	ebx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+20h]
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [edi+8]
		mov	ecx, esi
		call	_PiDqQueryAddObjectToResultSet@8 ; PiDqQueryAddObjectToResultSet(x,x)
		xor	edx, edx
		mov	[ebp+var_10], eax
		lea	ecx, [esi+20h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	cl, bl
		jmp	loc_85260E
PiDqQueryApplyObjectEvent endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipQuerySetExecuteSI proc near		; CODE XREF: WmipIoControl+B6p
					; IoWMIQuerySingleInstance+8Ap	...

var_6E		= dword	ptr -6Eh
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00900A4C SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		xor	ebx, ebx
		push	40h		; size_t
		mov	[esp+84h+var_6E+2], eax
		mov	esi, ecx
		lea	eax, [esp+84h+var_48]
		mov	[esp+84h+var_60], edx
		push	ebx		; int
		push	eax		; void *
		mov	[esp+8Ch+var_68], esi
		mov	[esp+8Ch+var_4C], edi
		call	_memset
		mov	byte ptr [esp+8Ch+var_6E+1], bl
		add	esp, 0Ch
		mov	byte ptr [esp+80h+var_6E], bl
		mov	[esp+80h+var_54], ebx
		mov	[esp+80h+var_50], ebx
		mov	bl, [ebp+arg_4]
		movzx	eax, bl
		mov	edx, ds:_DesiredAccessForFunction[eax*4]
		test	esi, esi
		jnz	loc_852AA3
		and	[esp+80h+var_68], esi
		mov	eax, ds:_WmipGuidObjectType
		mov	ecx, [edi+10h]
		push	esi
		lea	esi, [esp+84h+var_68]
		push	esi
		push	[ebp+arg_0]
		push	eax
		push	edx
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [esp+80h+var_68]
		mov	[esp+80h+var_68], eax

loc_852965:				; CODE XREF: WmipQuerySetExecuteSI+1E3j
		test	esi, esi
		js	loc_852A8D
		lea	ecx, [esp+80h+var_48]
		mov	[esp+80h+var_64], 10h
		mov	[esp+80h+var_5C], ecx
		mov	edx, edi
		lea	ecx, [esp+80h+var_6E]
		push	ecx
		lea	ecx, [esp+84h+var_6E+1]
		push	ecx
		lea	ecx, [esp+88h+var_5C]
		push	ecx
		lea	ecx, [esp+8Ch+var_64]
		push	ecx
		mov	ecx, eax
		call	WmipPrepareWnodeSI
		mov	esi, eax
		test	esi, esi
		js	loc_852A80
		cmp	byte ptr [esp+80h+var_6E], 0
		jnz	loc_900A4C
		cmp	byte ptr [esp+80h+var_6E+1], 0
		jz	loc_852ADB
		cmp	bl, 3
		jz	short loc_8529C9
		mov	esi, 0C0000296h
		cmp	bl, 9
		jnz	short loc_8529CE

loc_8529C9:				; CODE XREF: WmipQuerySetExecuteSI+E7j
		mov	esi, 0C0000297h

loc_8529CE:				; CODE XREF: WmipQuerySetExecuteSI+F1j
		xor	eax, eax
		mov	[esp+80h+var_58], eax
		cmp	[esp+80h+var_64], eax
		jbe	short loc_852A35
		mov	ebx, [esp+80h+var_5C]

loc_8529DE:				; CODE XREF: WmipQuerySetExecuteSI+AE19Bj
		mov	eax, [ebx+eax*4]
		lea	ecx, [edi+18h]
		mov	edx, [eax+2Ch]
		mov	eax, [esp+80h+var_60]
		mov	[edi+4], edx
		test	eax, eax
		jz	loc_852ABE
		push	edi
		push	[ebp+arg_C]
		push	ecx
		push	edx
		mov	dl, [ebp+arg_4]
		mov	ecx, eax
		call	WmipForwardWmiIrp
		mov	ecx, eax
		mov	eax, [esp+80h+var_60]
		add	eax, 1Ch

loc_852A0F:				; CODE XREF: WmipQuerySetExecuteSI+200j
		test	ecx, ecx
		js	short loc_852A1B
		mov	edx, [esp+80h+var_6E+2]
		mov	eax, [eax]
		mov	[edx], eax

loc_852A1B:				; CODE XREF: WmipQuerySetExecuteSI+13Bj
		cmp	ecx, 0C0000296h
		jz	loc_900A64
		cmp	ecx, 0C0000295h
		jz	loc_900A64
		mov	esi, ecx

loc_852A35:				; CODE XREF: WmipQuerySetExecuteSI+102j
					; WmipQuerySetExecuteSI+AE1A1j
		xor	ebx, ebx
		cmp	[esp+80h+var_64], ebx
		jbe	short loc_852A59
		mov	edi, [esp+80h+var_5C]

loc_852A41:				; CODE XREF: WmipQuerySetExecuteSI+17Dj
		mov	edx, [edi+ebx*4]
		mov	ecx, offset _WmipISChunkInfo
		call	WmipUnreferenceEntry
		inc	ebx
		cmp	ebx, [esp+80h+var_64]
		jb	short loc_852A41
		mov	edi, [esp+80h+var_4C]

loc_852A59:				; CODE XREF: WmipQuerySetExecuteSI+165j
		mov	eax, [esp+80h+var_5C]
		lea	ecx, [esp+80h+var_48]
		cmp	eax, ecx
		jnz	loc_900A7C

loc_852A69:				; CODE XREF: WmipQuerySetExecuteSI+AE189j
					; WmipQuerySetExecuteSI+AE1A8j	...
		mov	ecx, [esp+80h+var_6E+2]

loc_852A6D:				; CODE XREF: WmipQuerySetExecuteSI+23Bj
		test	esi, esi
		js	short loc_852A7C
		mov	eax, [ebp+arg_C]
		cmp	[ecx], eax
		ja	loc_900A91

loc_852A7C:				; CODE XREF: WmipQuerySetExecuteSI+199j
					; WmipQuerySetExecuteSI+22Dj ...
		and	dword ptr [edi+4], 0

loc_852A80:				; CODE XREF: WmipQuerySetExecuteSI+C8j
		mov	ecx, [esp+80h+var_68]
		test	ecx, ecx
		jz	short loc_852A8D
		call	ObfDereferenceObject

loc_852A8D:				; CODE XREF: WmipQuerySetExecuteSI+91j
					; WmipQuerySetExecuteSI+1B0j
		mov	ecx, [esp+80h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_852AA3:				; CODE XREF: WmipQuerySetExecuteSI+62j
		push	[ebp+arg_0]
		push	ds:_WmipGuidObjectType
		push	edx
		push	esi
		call	ObReferenceObjectByPointer
		mov	esi, eax
		mov	eax, [esp+80h+var_68]
		jmp	loc_852965
; 

loc_852ABE:				; CODE XREF: WmipQuerySetExecuteSI+11Aj
		lea	eax, [esp+80h+var_54]
		push	eax
		push	edi
		push	[ebp+arg_C]
		push	ecx
		mov	cl, [ebp+arg_4]
		call	_WmipSendWmiIrp@24 ; WmipSendWmiIrp(x,x,x,x,x,x)
		mov	ecx, eax
		lea	eax, [esp+80h+var_50]
		jmp	loc_852A0F
; 

loc_852ADB:				; CODE XREF: WmipQuerySetExecuteSI+DEj
		mov	eax, [esp+80h+var_60]
		lea	ecx, [edi+18h]
		mov	edx, [edi+4]
		test	eax, eax
		jz	short loc_852B16
		push	edi
		push	[ebp+arg_C]
		push	ecx
		push	edx
		mov	dl, bl
		mov	ecx, eax
		call	WmipForwardWmiIrp
		mov	esi, eax
		mov	eax, [esp+80h+var_60]
		add	eax, 1Ch

loc_852B01:				; CODE XREF: WmipQuerySetExecuteSI+257j
		test	esi, esi
		js	loc_852A7C
		mov	ecx, [esp+80h+var_6E+2]
		mov	eax, [eax]
		mov	[ecx], eax
		jmp	loc_852A6D
; 

loc_852B16:				; CODE XREF: WmipQuerySetExecuteSI+211j
		lea	eax, [esp+80h+var_54]
		push	eax
		push	edi
		push	[ebp+arg_C]
		push	ecx
		mov	cl, bl
		call	_WmipSendWmiIrp@24 ; WmipSendWmiIrp(x,x,x,x,x,x)
		mov	esi, eax
		lea	eax, [esp+80h+var_50]
		jmp	short loc_852B01
WmipQuerySetExecuteSI endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipPrepareWnodeSI proc	near		; CODE XREF: WmipQuerySetExecuteSI+BFp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= word ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00900A9B SIZE 000000B0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_28], eax
		xor	eax, eax
		mov	[ebp+var_4C], eax
		mov	ebx, eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	byte ptr [esi],	1
		mov	eax, [ecx+28h]
		mov	[ebp+var_34], edx
		mov	[ebp+var_38], esi
		mov	[ebp+var_2C], eax
		push	edi
		test	eax, eax
		jz	loc_900B41
		xor	ecx, ecx
		cmp	[eax+14h], ecx
		jbe	loc_900B41
		lea	esi, [eax+28h]
		mov	[ebp+var_20], ecx
		lea	edi, [edx+18h]
		movsd
		movsd
		movsd
		movsd
		test	byte ptr [eax+8], 1
		mov	eax, [ebp+var_28]
		jnz	loc_900A9B
		mov	[eax], cl
		mov	ecx, [edx+30h]
		add	ecx, edx
		call	_WmipCountedToSz@4 ; WmipCountedToSz(x)
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		jz	loc_900B10
		mov	eax, [ebp+var_48]
		mov	eax, [eax]
		mov	ebx, eax
		mov	[ebp+var_40], eax
		mov	eax, [ebp+var_44]
		mov	[ebp+var_28], ebx
		mov	eax, [eax]
		mov	[ebp+var_50], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		mov	[ebp+var_15], al
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_2C]
		xor	edx, edx
		cmp	[eax+14h], edx
		jbe	loc_900B04
		add	eax, 20h
		mov	[ebp+var_1C], eax
		mov	esi, [eax]
		cmp	esi, eax
		jz	short loc_852C61
		mov	ebx, [ebp+var_34]
		mov	al, dl
		mov	ecx, [ebp+var_1C]

loc_852C06:				; CODE XREF: WmipPrepareWnodeSI+129j
		test	al, al
		jnz	short loc_852C5B
		mov	eax, [esi+8]
		test	eax, 89000h
		jnz	loc_900AFC
		test	al, 1
		jnz	loc_852CA2
		test	al, 2
		jnz	loc_900AA5
		mov	ecx, esi
		call	WmipReferenceEntry
		push	esi
		push	[ebp+var_40]
		lea	eax, [ebp+var_50]
		push	eax
		lea	edx, [ebp+var_3C]
		lea	ecx, [ebp+var_28]
		call	WmipAddProviderIdToPIList
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_900AF2

loc_852C4D:				; CODE XREF: WmipPrepareWnodeSI+1AEj
					; WmipPrepareWnodeSI+1C5j ...
		mov	al, [ebp+var_15]

loc_852C50:				; CODE XREF: WmipPrepareWnodeSI+ADFC7j
		xor	edx, edx

loc_852C52:				; CODE XREF: WmipPrepareWnodeSI+25Dj
					; WmipPrepareWnodeSI+ADFBDj
		mov	ecx, [ebp+var_1C]

loc_852C55:				; CODE XREF: WmipPrepareWnodeSI+ADFCFj
		mov	esi, [esi]
		cmp	esi, ecx
		jnz	short loc_852C06

loc_852C5B:				; CODE XREF: WmipPrepareWnodeSI+D8j
		mov	ebx, [ebp+var_28]
		mov	edi, [ebp+var_24]

loc_852C61:				; CODE XREF: WmipPrepareWnodeSI+CCj
					; WmipPrepareWnodeSI+ADFDBj
		push	edx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		push	eax
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_852C75:				; CODE XREF: WmipPrepareWnodeSI+ADFE7j
		mov	eax, [ebp+var_38]
		cmp	byte ptr [eax],	0
		jz	loc_852D92
		mov	eax, [ebp+var_44]
		mov	esi, [ebp+var_3C]
		mov	[eax], esi
		mov	eax, [ebp+var_48]
		mov	[eax], ebx

loc_852C8E:				; CODE XREF: WmipPrepareWnodeSI+264j
					; WmipPrepareWnodeSI+27Cj ...
		mov	eax, [ebp+var_20]

loc_852C91:				; CODE XREF: WmipPrepareWnodeSI+ADF70j
					; WmipPrepareWnodeSI+AE016j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_852CA2:				; CODE XREF: WmipPrepareWnodeSI+EAj
		mov	eax, [esi+30h]
		mov	edx, [eax]
		add	eax, 4
		mov	edi, eax
		mov	[ebp+var_2C], edx
		mov	[ebp+var_30], eax
		xor	edx, edx
		lea	ecx, [edi+2]

loc_852CB7:				; CODE XREF: WmipPrepareWnodeSI+190j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, dx
		jnz	short loc_852CB7
		sub	edi, ecx
		mov	ecx, [ebp+var_24]
		sar	edi, 1
		lea	edx, [ecx+2]

loc_852CCC:				; CODE XREF: WmipPrepareWnodeSI+1A6j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_4C]
		jnz	short loc_852CCC
		sub	ecx, edx
		sar	ecx, 1
		cmp	ecx, edi
		jbe	loc_852C4D
		push	edi		; size_t
		push	[ebp+var_30]	; wchar_t *
		push	[ebp+var_24]	; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_852C4D
		mov	eax, [ebp+var_24]
		lea	eax, [eax+edi*2]
		push	eax		; wchar_t *
		mov	[ebp+var_30], eax
		call	__wtoi
		pop	ecx
		mov	ecx, [ebp+var_30]
		mov	edi, eax
		call	_WmipIsNumber@4	; WmipIsNumber(x)
		test	al, al
		jz	loc_852C4D
		mov	ecx, [ebp+var_2C]
		cmp	edi, ecx
		jb	loc_852C4D
		mov	eax, [esi+24h]
		add	eax, ecx
		cmp	edi, eax
		jnb	loc_852C4D
		cmp	edi, 0F423Fh
		jnb	loc_852C4D
		push	edi		; char
		push	offset ??_C@_15KNBIKKIN@?$AA?$CF?$AAd@NNGAKEGL@	; wchar_t *
		lea	eax, [ebp+var_14]
		push	0Eh		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		push	[ebp+var_30]	; wchar_t *
		lea	eax, [ebp+var_14]
		push	eax		; wchar_t *
		call	__wcsicmp
		add	esp, 18h
		test	eax, eax
		jnz	loc_852C4D
		mov	ecx, [ebp+var_34]
		mov	ebx, ecx
		sub	edi, [ebp+var_2C]
		or	dword ptr [ecx+2Ch], 80h
		xor	edx, edx
		mov	eax, [esi+2Ch]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_38]
		mov	[ecx+34h], edi
		mov	[eax], dl
		mov	al, 1
		mov	[ebp+var_15], al
		jmp	loc_852C52
; 

loc_852D92:				; CODE XREF: WmipPrepareWnodeSI+14Bj
		test	ebx, ebx
		jz	loc_852C8E
		mov	esi, [ebp+var_3C]
		xor	eax, eax
		mov	edi, eax
		test	esi, esi
		jnz	loc_900B1C

loc_852DA9:				; CODE XREF: WmipPrepareWnodeSI+AE000j
		cmp	ebx, [ebp+var_40]
		jz	loc_852C8E
		jmp	loc_900B35
WmipPrepareWnodeSI endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall WmipCountedToSz(x)
_WmipCountedToSz@4 proc	near		; CODE XREF: WmipPrepareWnodeSI+7Ap
					; WmipAddDataSource+E5p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		push	70696D57h
		movzx	esi, word ptr [ebx]
		lea	eax, [esi+2]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_852DEE
		push	esi		; size_t
		lea	ecx, [ebx+2]
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		shr	esi, 1
		add	esp, 0Ch
		xor	eax, eax
		mov	[edi+esi*2], ax

loc_852DEE:				; CODE XREF: WmipCountedToSz(x)+1Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_WmipCountedToSz@4 endp


;  S U B	R O U T	I N E 


; __stdcall WmipIsNumber(x)
_WmipIsNumber@4	proc near		; CODE XREF: WmipPrepareWnodeSI+1E0p
					; WmipFindISinGEbyName+9CD09p
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_852E14
		mov	edx, eax

loc_852DFE:				; CODE XREF: WmipIsNumber(x)+1Ej
		lea	eax, [edx-30h]
		cmp	ax, 9
		ja	short loc_852E17
		add	ecx, 2
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		test	ax, ax
		jnz	short loc_852DFE

loc_852E14:				; CODE XREF: WmipIsNumber(x)+6j
		mov	al, 1
		retn
; 

loc_852E17:				; CODE XREF: WmipIsNumber(x)+11j
		xor	al, al
		retn
_WmipIsNumber@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetDeviceInterfaceName proc near	; CODE XREF: IoGetDeviceInterfaceAlias+243p
					; IopRegisterDeviceInterface+C2p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00900B4B SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], eax
		mov	ecx, eax
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	__PnpIsValidGuidString@4 ; _PnpIsValidGuidString(x)
		test	al, al
		jz	loc_900B4B
		mov	edx, [ebp+arg_0]
		call	__CmValidateDeviceName@8 ; _CmValidateDeviceName(x,x)
		test	eax, eax
		js	loc_900B4B
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		test	ebx, ebx
		jnz	loc_852F72
		mov	esi, edi
		mov	[ebp+var_C], edi

loc_852E61:				; CODE XREF: _CmGetDeviceInterfaceName+189j
					; _CmGetDeviceInterfaceName+1AEj
		mov	ecx, [ebp+arg_0]
		lea	edx, [ecx+2]

loc_852E67:				; CODE XREF: _CmGetDeviceInterfaceName+56j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_852E67
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ecx+2Bh]
		test	esi, esi
		jnz	loc_852FCD

loc_852E81:				; CODE XREF: _CmGetDeviceInterfaceName+1B6j
		mov	ecx, [ebp+arg_14]
		inc	eax
		test	ecx, ecx
		jz	short loc_852E8B
		mov	[ecx], eax

loc_852E8B:				; CODE XREF: _CmGetDeviceInterfaceName+6Dj
		mov	edx, [ebp+arg_10]
		cmp	eax, edx
		ja	loc_900B5F
		cmp	[ebp+arg_8], 0
		mov	eax, offset ??_C@_19JHEHLFPM@?$AA?2?$AA?$DP?$AA?$DP?$AA?2@NNGAKEGL@ ; "\\??\\"
		jnz	short loc_852EA6
		mov	eax, offset ??_C@_19MJCDBCKE@?$AA?2?$AA?2?$AA?$DP?$AA?2@NNGAKEGL@ ; "\\"

loc_852EA6:				; CODE XREF: _CmGetDeviceInterfaceName+85j
		mov	edi, [ebp+arg_C]
		lea	ecx, [ebp+var_4]
		push	900h
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		mov	ecx, edi
		call	RtlStringCchCopyExW
		mov	ecx, eax
		test	ecx, ecx
		js	loc_852F61
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	900h
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_0]
		call	RtlStringCchCopyExW
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_852F61
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	900h
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	offset ??_C@_13GMDMCADD@?$AA?$CD@NNGAKEGL@
		call	RtlStringCchCopyExW
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_852F61
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	900h
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_10]
		call	RtlStringCchCopyExW
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_852F61
		lea	edx, [edi+8]
		movzx	eax, word ptr [edx]
		test	ax, ax
		jz	short loc_852F5D
		push	5Ch
		pop	ebx
		push	2Fh
		mov	edi, eax
		pop	esi

loc_852F40:				; CODE XREF: _CmGetDeviceInterfaceName+13Bj
		cmp	di, bx
		jz	short loc_852F6A
		cmp	di, si
		jz	short loc_852F6A

loc_852F4A:				; CODE XREF: _CmGetDeviceInterfaceName+156j
		add	edx, 2
		movzx	eax, word ptr [edx]
		mov	edi, eax
		test	ax, ax
		jnz	short loc_852F40
		mov	esi, [ebp+var_C]
		mov	ebx, [ebp+arg_4]

loc_852F5D:				; CODE XREF: _CmGetDeviceInterfaceName+11Cj
		test	esi, esi
		jnz	short loc_852FD5

loc_852F61:				; CODE XREF: _CmGetDeviceInterfaceName+A8j
					; _CmGetDeviceInterfaceName+CDj ...
		pop	esi
		pop	ebx

loc_852F63:				; CODE XREF: _CmGetDeviceInterfaceName+ADD36j
		mov	eax, ecx
		pop	edi
		leave
		retn	18h
; 

loc_852F6A:				; CODE XREF: _CmGetDeviceInterfaceName+129j
					; _CmGetDeviceInterfaceName+12Ej
		push	23h
		pop	eax
		mov	[edx], ax
		jmp	short loc_852F4A
; 

loc_852F72:				; CODE XREF: _CmGetDeviceInterfaceName+3Cj
		mov	esi, ebx
		lea	ecx, [esi+2]

loc_852F77:				; CODE XREF: _CmGetDeviceInterfaceName+166j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, di
		jnz	short loc_852F77
		sub	esi, ecx
		sar	esi, 1
		mov	[ebp+var_C], esi
		jz	loc_900B55
		cmp	esi, 104h
		jnb	loc_900B55
		movzx	eax, word ptr [ebx]
		mov	edx, ebx
		test	ax, ax
		jz	loc_852E61
		mov	ecx, eax

loc_852FAB:				; CODE XREF: _CmGetDeviceInterfaceName+1ACj
		push	5Ch
		pop	eax
		cmp	cx, ax
		jz	short loc_853019
		push	2Fh
		pop	eax
		cmp	cx, ax
		jz	short loc_853019
		add	edx, 2
		movzx	eax, word ptr [edx]
		mov	ecx, eax
		test	ax, ax
		jnz	short loc_852FAB
		jmp	loc_852E61
; 

loc_852FCD:				; CODE XREF: _CmGetDeviceInterfaceName+61j
		lea	eax, [esi+1]
		jmp	loc_852E81
; 

loc_852FD5:				; CODE XREF: _CmGetDeviceInterfaceName+145j
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		mov	esi, 900h
		push	esi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		call	RtlStringCchCopyExW
		mov	ecx, eax
		test	ecx, ecx
		js	loc_852F61
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	esi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		call	RtlStringCchCopyExW
		mov	ecx, eax
		jmp	loc_852F61
; 

loc_853019:				; CODE XREF: _CmGetDeviceInterfaceName+197j
					; _CmGetDeviceInterfaceName+19Fj
		mov	ecx, 0C0000033h
		jmp	loc_852F61
_CmGetDeviceInterfaceName endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMGetDeviceStatus(x, x, x, x, x, x)
_PiCMGetDeviceStatus@24	proc near	; CODE XREF: PiCMHandleIoctl+A5p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, [ebp+arg_C]
		xor	eax, eax
		push	esi
		push	edi
		push	7
		mov	esi, ecx
		mov	[ebx], eax
		pop	ecx
		lea	edi, [ebp+var_24]
		mov	[ebp+var_8], eax
		rep stosd
		mov	[ebp+var_4], eax
		mov	[ebp+arg_C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureObjectInputData
		mov	esi, [ebp+var_18]
		mov	edi, eax
		test	edi, edi
		js	short loc_8530B8
		test	esi, esi
		jz	short loc_8530DE
		cmp	[ebp+var_20], 0
		jnz	short loc_8530DE
		cmp	[ebp+var_1C], 1
		jnz	short loc_8530DE
		cmp	[ebp+var_10], 0
		jnz	short loc_8530DE
		cmp	[ebp+arg_0], 0
		jz	short loc_8530DE
		cmp	[ebp+arg_4], 14h
		jb	short loc_8530DE
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+arg_C]
		push	eax
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		call	__CmGetDeviceStatus@28 ; _CmGetDeviceStatus(x,x,x,x,x,x,x)

loc_85309C:				; CODE XREF: PiCMGetDeviceStatus(x,x,x,x,x,x)+BFj
		mov	edx, [ebp+var_8]
		mov	ecx, eax
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	[ebp+var_C]
		push	[ebp+arg_C]
		push	[ebp+var_4]
		call	PiCMReturnStatusResultData
		mov	edi, eax

loc_8530B8:				; CODE XREF: PiCMGetDeviceStatus(x,x,x,x,x,x)+38j
		test	esi, esi
		jz	short loc_8530D5
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_8530D5
		push	0
		push	[ebp+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8530D5:				; CODE XREF: PiCMGetDeviceStatus(x,x,x,x,x,x)+96j
					; PiCMGetDeviceStatus(x,x,x,x,x,x)+A5j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_8530DE:				; CODE XREF: PiCMGetDeviceStatus(x,x,x,x,x,x)+3Cj
					; PiCMGetDeviceStatus(x,x,x,x,x,x)+42j	...
		mov	eax, 0C000000Dh
		jmp	short loc_85309C
_PiCMGetDeviceStatus@24	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMReturnStatusResultData proc	near	; CODE XREF: PiCMGetDeviceStatus(x,x,x,x,x,x)+8Dp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		push	14h
		push	offset dword_6A4840
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		xor	edi, edi
		mov	eax, [ebp+arg_14]
		mov	[eax], edi
		push	14h
		pop	ebx
		cmp	[ebp+arg_10], ebx
		jb	short loc_85315B
		cmp	[ebp+arg_8], ebx
		jnz	short loc_85315B
		mov	[ebp+ms_exc.disabled], edi
		push	4
		push	[ebp+arg_10]
		mov	esi, [ebp+arg_C]
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[esi], ebx
		mov	eax, [ebp+var_1C]
		mov	[esi+4], eax
		mov	eax, [ebp+var_20]
		mov	[esi+8], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+10h], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_85313E:				; CODE XREF: sub_900B77+10j
		test	edi, edi
		js	short loc_853147
		mov	ecx, [ebp+arg_14]
		mov	[ecx], ebx

loc_853147:				; CODE XREF: PiCMReturnStatusResultData+5Aj
					; PiCMReturnStatusResultData+7Aj
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_85315B:				; CODE XREF: PiCMReturnStatusResultData+1Fj
					; PiCMReturnStatusResultData+24j
		mov	edi, 0C000000Dh
		jmp	short loc_853147
PiCMReturnStatusResultData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RegRtlEnumValue(void *,int,int,void *,int)
_RegRtlEnumValue proc near		; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+B0p
					; _PnpCtxRegEnumValue(x,x,x,x,x,x,x,x)+19p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00900B8C SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_10]
		mov	[ebp+var_14], ecx
		xor	ecx, ecx
		mov	eax, [esi]
		mov	[ebp+var_10], edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], ecx
		push	2
		test	edi, edi
		jz	loc_853295
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_8], 1
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_85328C
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		push	eax
		push	18h
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_85328C
		mov	edx, [edi]
		lea	eax, [ebp+var_4]
		push	eax

loc_8531C9:				; CODE XREF: _RegRtlEnumValue+14Fj
		mov	ecx, [ebp+var_4]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_85328C
		push	4C474552h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_900B8C
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_4]
		push	edi
		push	[ebp+var_8]
		push	[ebp+var_10]
		push	[ebp+var_14]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_900B96

loc_853214:				; CODE XREF: _RegRtlEnumValue+ADA40j
		cmp	[ebp+var_8], 0
		mov	ecx, [ebp+arg_8]
		jz	loc_8532B6
		test	ecx, ecx
		jz	short loc_85322A
		mov	eax, [edi+4]
		mov	[ecx], eax

loc_85322A:				; CODE XREF: _RegRtlEnumValue+C1j
		test	ebx, ebx
		jnz	loc_900BA7
		mov	ecx, [edi+10h]
		shr	ecx, 1
		mov	[ebp+arg_4], ecx
		lea	eax, [ecx+1]
		cmp	[esi], eax
		jb	loc_900BA7
		mov	eax, [ebp+arg_10]
		mov	edx, [edi+0Ch]
		cmp	[eax], edx
		jb	loc_900BA7
		mov	[eax], edx
		lea	eax, [edi+14h]
		push	dword ptr [edi+10h] ; size_t
		mov	[esi], ecx
		mov	esi, [ebp+arg_0]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	[esi+eax*2], cx
		push	dword ptr [edi+0Ch] ; size_t
		mov	eax, [edi+8]
		add	eax, edi
		push	eax		; void *
		push	[ebp+arg_C]	; void *
		call	_memcpy
		add	esp, 18h

loc_853284:				; CODE XREF: _RegRtlEnumValue+18Aj
					; _RegRtlEnumValue+ADA3Aj ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_85328C:				; CODE XREF: _RegRtlEnumValue+43j
					; _RegRtlEnumValue+5Bj	...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	14h
; 

loc_853295:				; CODE XREF: _RegRtlEnumValue+25j
		mov	[ebp+var_8], ecx
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_85328C
		mov	eax, ecx
		push	eax
		push	10h
		pop	edx
		jmp	loc_8531C9
; 

loc_8532B6:				; CODE XREF: _RegRtlEnumValue+B9j
		test	ecx, ecx
		jnz	short loc_8532EE

loc_8532BA:				; CODE XREF: _RegRtlEnumValue+191j
		test	ebx, ebx
		jnz	short loc_8532F5
		mov	ecx, [edi+8]
		mov	eax, ecx
		shr	eax, 1
		mov	[ebp+arg_10], eax
		inc	eax
		cmp	[esi], eax
		jb	short loc_8532F5
		mov	esi, [ebp+arg_0]
		lea	eax, [edi+0Ch]
		push	ecx		; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_10]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[esi+eax*2], cx
		mov	esi, [ebp+arg_4]

loc_8532EA:				; CODE XREF: _RegRtlEnumValue+19Ej
		mov	[esi], eax
		jmp	short loc_853284
; 

loc_8532EE:				; CODE XREF: _RegRtlEnumValue+156j
		mov	eax, [edi+4]
		mov	[ecx], eax
		jmp	short loc_8532BA
; 

loc_8532F5:				; CODE XREF: _RegRtlEnumValue+15Aj
					; _RegRtlEnumValue+169j
		mov	eax, [edi+8]
		mov	ebx, 0C0000023h
		shr	eax, 1
		inc	eax
		jmp	short loc_8532EA
_RegRtlEnumValue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqObjectManagerHandleObjectEvent proc	near ; CODE XREF: PiPnpRtlObjectEventDispatch(x)+2Cj

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00900BC1 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		mov	esi, ecx
		mov	[ebp+var_4], ebx
		mov	byte ptr [ebp+var_8], bl
		test	byte ptr [edi+4], 2
		jnz	loc_900BC1

loc_853323:				; CODE XREF: PiDqObjectManagerHandleObjectEvent+AD8CDj
		lea	ecx, [esi+38h]
		call	ExAcquireFastMutex
		mov	ecx, [esi+7Ch]
		test	cl, 2
		jnz	short loc_85333A
		lea	eax, [esi+68h]
		cmp	[eax], eax
		jnz	short loc_85335D

loc_85333A:				; CODE XREF: PiDqObjectManagerHandleObjectEvent+2Fj
					; PiDqObjectManagerHandleObjectEvent+85j
		test	cl, 1
		jnz	short loc_85334A
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jnz	short loc_853389
		test	ebx, ebx
		js	short loc_853389

loc_85334A:				; CODE XREF: PiDqObjectManagerHandleObjectEvent+3Bj
					; PiDqObjectManagerHandleObjectEvent+92j
		lea	ecx, [esi+38h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	byte ptr [ebp+var_8], 0
		jnz	short loc_853396

loc_853358:				; CODE XREF: PiDqObjectManagerHandleObjectEvent+9Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85335D:				; CODE XREF: PiDqObjectManagerHandleObjectEvent+36j
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_PiDqObjectActionQueueEntryCreate@8 ; PiDqObjectActionQueueEntryCreate(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8533A8
		lea	ecx, [esi+70h]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_8533A3
		mov	eax, [ebp+var_4]
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax

loc_853384:				; CODE XREF: PiDqObjectManagerHandleObjectEvent+AAj
		mov	ecx, [esi+7Ch]
		jmp	short loc_85333A
; 

loc_853389:				; CODE XREF: PiDqObjectManagerHandleObjectEvent+42j
					; PiDqObjectManagerHandleObjectEvent+46j
		xor	eax, eax
		inc	eax
		or	ecx, eax
		mov	[ebp+var_8], eax
		mov	[esi+7Ch], ecx
		jmp	short loc_85334A
; 

loc_853396:				; CODE XREF: PiDqObjectManagerHandleObjectEvent+54j
		push	3
		lea	eax, [esi+58h]
		push	eax
		call	ExQueueWorkItem
		jmp	short loc_853358
; 

loc_8533A3:				; CODE XREF: PiDqObjectManagerHandleObjectEvent+73j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8533A8:				; CODE XREF: PiDqObjectManagerHandleObjectEvent+69j
		or	dword ptr [esi+7Ch], 2
		jmp	short loc_853384
PiDqObjectManagerHandleObjectEvent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqObjectActionQueueEntryCreate(x,	x)
_PiDqObjectActionQueueEntryCreate@8 proc near
					; CODE XREF: PiDqObjectManagerHandleObjectEvent+60p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	58706E50h
		push	18h
		mov	edi, edx
		mov	ebx, ecx
		push	1
		mov	[ebp+var_8], edi
		xor	esi, esi
		mov	[ebp+var_C], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[edi], edx
		test	edx, edx
		jz	short loc_853435
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		mov	[edx+8], ebx

loc_8533E7:				; CODE XREF: PiDqObjectActionQueueEntryCreate(x,x)+64j
					; PiDqObjectActionQueueEntryCreate(x,x)+68j
		mov	eax, _PiDqSequenceNumber
		mov	ebx, eax
		mov	edi, dword_6CBA8C
		add	ebx, 1
		mov	ecx, edi
		mov	[ebp+var_4], eax
		adc	ecx, esi
		mov	edx, edi
		mov	esi, offset _PiDqSequenceNumber
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+var_4]
		push	0
		pop	esi
		cmp	eax, ecx
		jnz	short loc_8533E7
		cmp	edx, edi
		jnz	short loc_8533E7
		mov	eax, [ebp+var_8]
		add	ecx, 1
		adc	edi, esi
		mov	eax, [eax]
		mov	[eax+10h], ecx
		mov	[eax+14h], edi
		mov	eax, [ebp+var_C]
		lock inc dword ptr [eax]

loc_85342E:				; CODE XREF: PiDqObjectActionQueueEntryCreate(x,x)+8Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_853435:				; CODE XREF: PiDqObjectActionQueueEntryCreate(x,x)+2Bj
		mov	esi, 0C000009Ah
		jmp	short loc_85342E
_PiDqObjectActionQueueEntryCreate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SPCallServerHandleWaitForDisplayWindow proc near ; CODE	XREF: sub_785212+1478p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00900BD4 SIZE 00000082 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		xor	ebx, ebx
		mov	eax, edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_4], ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	loc_900BD4
		test	eax, eax
		jz	loc_900BD4
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_900BD4
		mov	eax, [ecx+8]
		mov	esi, ebx
		test	eax, eax
		jz	loc_900BDE
		cmp	dword ptr [ecx], 3
		jbe	loc_900BDE

loc_853488:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+7Aj
		mov	ecx, [eax]
		mov	[ebp+var_18], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_8534CF
		xor	edx, edx

loc_853496:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+9Bj
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	short loc_8534CB
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_8534CB
		mov	eax, [ebp+arg_4]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_853488
		mov	ebx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	loc_853887
		xor	edx, edx

loc_8534C7:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+453j
		test	edx, edx
		jns	short loc_8534D9

loc_8534CB:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+5Fj
					; SPCallServerHandleWaitForDisplayWindow+71j
		mov	eax, esi
		jmp	short loc_8534E3
; 

loc_8534CF:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+56j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	short loc_853496
; 

loc_8534D9:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+8Dj
		mov	esi, ebx
		mov	eax, ebx
		neg	esi
		sbb	esi, esi
		and	esi, ecx

loc_8534E3:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+91j
		test	edx, edx
		js	short loc_8534FB
		cmp	eax, 8
		jnz	loc_8537D0
		mov	eax, [esi]
		mov	[ebp+var_10], eax
		mov	eax, [esi+4]
		mov	[ebp+var_14], eax

loc_8534FB:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+A9j
		xor	ebx, ebx

loc_8534FD:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+AD7A7j
		test	edx, edx
		js	loc_8536CB
		push	offset ??_C@_1EA@KEBBLPOF@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?9?$AAS?$AAP?$AAP?$AA?9?$AAG?$AAe@NNGAKEGL@
		lea	eax, [ebp+var_24]
		mov	[ebp+var_24], ebx
		xor	esi, esi
		mov	[ebp+var_20], ebx
		push	eax
		mov	[ebp+arg_4], ebx
		inc	esi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_18]
		push	eax
		push	4
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+arg_4]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	ds:dword_A93EE4
		mov	edx, eax
		cmp	edx, 0C0000034h
		jz	short loc_853579
		test	edx, edx
		js	loc_8536CB
		cmp	[ebp+arg_4], 4
		jnz	loc_900BE8
		cmp	[ebp+var_8], 0
		jz	loc_900BE8

loc_853563:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+AD7AEj
		test	edx, edx
		js	loc_8536CB
		test	esi, esi
		jz	short loc_853579
		push	offset unk_6B72C0
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_853579:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+109j
					; SPCallServerHandleWaitForDisplayWindow+131j
		mov	ds:dword_A93E4C, 1

loc_853583:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+160j
		push	ebx
		push	1
		push	1
		push	6
		push	offset unk_6B72C0
		call	KeWaitForSingleObject
		mov	esi, eax
		cmp	esi, 101h
		jz	short loc_853583
		test	esi, esi
		js	short loc_8535AE
		cmp	esi, 0C0h
		jnz	loc_900BEF

loc_8535AE:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+164j
					; SPCallServerHandleWaitForDisplayWindow+AD7D0j ...
		mov	[ebp+arg_4], ebx
		lea	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_900C3A
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+arg_4]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_900C3A
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+arg_4]
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_900C3A
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4], eax

loc_853601:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+AD801j
		test	edx, edx
		js	loc_8536CB
		mov	[ebp+var_C], 8
		lea	ecx, [ebp+var_C]
		mov	edx, eax
		push	ecx
		push	8
		pop	ecx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_8536CB
		mov	eax, [ebp+var_C]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_85367C
		mov	edx, 0C0000095h

loc_85363A:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+29Aj
		test	edx, edx
		js	loc_8536CB
		mov	ecx, [ebp+var_1C]
		mov	edx, ebx
		push	4
		mov	eax, [ecx+10h]
		mov	[ebp+var_18], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+arg_4]
		pop	ecx
		push	eax
		mov	[ebp+arg_4], ecx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_8536CB
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jnb	short loc_8536DB
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	short loc_8536DD
; 

loc_85367C:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+1F7j
		lea	ebx, [ecx+8]
		cmp	ebx, ecx
		jnb	short loc_8536D4

loc_853683:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+2C2j
		mov	edx, 0C0000095h

loc_853688:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+2D2j
		test	edx, edx
		js	short loc_8536CB
		mov	eax, [ebp+var_4]
		lea	ebx, [edi+4]
		mov	[ebx], eax
		test	eax, eax
		jz	loc_900C42
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_900C4C
		mov	[edi+8], edx
		and	dword ptr [edi], 0
		or	esi, 10000000h
		lea	eax, [edx+4]
		cmp	eax, edx
		jnb	short loc_853713

loc_8536C6:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+34Bj
					; SPCallServerHandleWaitForDisplayWindow+37Dj ...
		mov	edx, 0C0000095h

loc_8536CB:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+C3j
					; SPCallServerHandleWaitForDisplayWindow+10Dj ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	8
; 

loc_8536D4:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+245j
		xor	edx, edx
		jmp	loc_85363A
; 

loc_8536DB:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+234j
		xor	edx, edx

loc_8536DD:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+23Ej
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	short loc_8536CB
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_8536CB
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_853683
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		jmp	loc_853688
; 

loc_853713:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+288j
		mov	ecx, [ebx]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		ja	loc_8537D0
		mov	dword ptr [edx], 4
		mov	[edx+4], esi
		inc	dword ptr [edi]
		mov	ecx, [edi]
		mov	[ebp+var_1C], ecx
		mov	eax, [edi+8]
		mov	[ebp+var_18], eax
		test	eax, eax
		jnz	loc_8537DA
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_8536CB
		inc	dword ptr [edi]

loc_853757:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+40Fj
		mov	eax, ds:dword_A93F1C
		mov	[ebp+var_10], eax
		mov	eax, [edi+8]
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_853856
		mov	ecx, [edi]
		mov	esi, eax
		and	[ebp+var_14], 0
		mov	[ebp+arg_4], esi
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jz	short loc_8537B4

loc_85377F:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+373j
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	loc_8536C6
		lea	eax, [ebp+arg_4]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_8536CB
		mov	ecx, [ebp+var_14]
		mov	esi, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_14], ecx
		cmp	ecx, [ebp+var_1C]
		jb	short loc_85377F
		mov	eax, [ebp+var_18]

loc_8537B4:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+341j
		lea	ecx, [esi+4]
		cmp	ecx, esi
		jb	loc_8536C6
		mov	ecx, [ebx]
		xor	edx, edx
		add	ecx, eax
		lea	eax, [esi+8]
		cmp	eax, ecx
		jbe	loc_853874

loc_8537D0:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+AEj
					; SPCallServerHandleWaitForDisplayWindow+2E0j ...
		mov	edx, 0C0000023h
		jmp	loc_8536CB
; 

loc_8537DA:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+2FEj
		and	[ebp+var_8], 0
		mov	esi, eax
		mov	[ebp+arg_4], esi
		test	ecx, ecx
		jz	short loc_853815

loc_8537E7:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+3D7j
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_853844
		lea	eax, [ebp+arg_4]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_8536CB
		mov	ecx, [ebp+var_8]
		mov	esi, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_8], ecx
		cmp	ecx, [ebp+var_1C]
		jb	short loc_8537E7

loc_853815:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+3A9j
		lea	eax, [esi+4]
		cmp	eax, esi
		jb	loc_8536C6
		mov	ecx, [ebx]
		lea	eax, [esi+0Ch]
		add	ecx, [ebp+var_18]
		xor	edx, edx
		cmp	eax, ecx
		ja	short loc_8537D0
		mov	eax, [ebp+var_10]
		mov	dword ptr [esi], 8
		mov	[esi+4], eax
		mov	eax, [ebp+var_14]
		mov	[esi+8], eax
		inc	dword ptr [edi]
		jmp	short loc_853849
; 

loc_853844:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+3B3j
		mov	edx, 0C0000095h

loc_853849:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+406j
		test	edx, edx
		jns	loc_853757
		jmp	loc_8536CB
; 

loc_853856:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+32Bj
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_8536CB
		inc	dword ptr [edi]
		xor	edx, edx
		jmp	loc_8536CB
; 

loc_853874:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+38Ej
		mov	eax, [ebp+var_10]
		mov	dword ptr [esi], 4
		mov	[esi+4], eax
		inc	dword ptr [edi]
		jmp	loc_8536CB
; 

loc_853887:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+83j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_8534C7
SPCallServerHandleWaitForDisplayWindow endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _RegRtlQueryInfoKey(x, x, x, x, x, x)
__RegRtlQueryInfoKey@24	proc near	; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+31p
					; _RegRtlDeleteTreeInternal+8Bp ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		mov	[ebp+var_3C], eax
		lea	edi, [ebp+var_30]
		mov	eax, [ebp+arg_4]
		mov	esi, ecx
		push	0Ah
		mov	[ebp+var_40], eax
		mov	eax, [ebp+arg_8]
		pop	ecx
		mov	[ebp+var_44], eax
		xor	eax, eax
		and	[ebp+var_34], eax
		rep stosd
		lea	eax, [ebp+var_34]
		mov	[ebp+var_38], edx
		push	eax
		push	28h
		lea	eax, [ebp+var_30]
		push	eax
		push	4
		push	esi
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_853914
		mov	eax, [ebp+var_38]
		test	eax, eax
		jnz	short loc_853930

loc_8538EF:				; CODE XREF: _RegRtlQueryInfoKey(x,x,x,x,x,x)+A1j
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jnz	short loc_853927

loc_8538F6:				; CODE XREF: _RegRtlQueryInfoKey(x,x,x,x,x,x)+9Aj
		mov	ecx, [ebp+var_40]
		test	ecx, ecx
		jz	short loc_853902
		mov	eax, [ebp+var_1C]
		mov	[ecx], eax

loc_853902:				; CODE XREF: _RegRtlQueryInfoKey(x,x,x,x,x,x)+67j
		mov	ecx, [ebp+var_44]
		test	ecx, ecx
		jz	short loc_853910
		mov	eax, [ebp+var_18]
		shr	eax, 1
		mov	[ecx], eax

loc_853910:				; CODE XREF: _RegRtlQueryInfoKey(x,x,x,x,x,x)+73j
		test	ebx, ebx
		jnz	short loc_853937

loc_853914:				; CODE XREF: _RegRtlQueryInfoKey(x,x,x,x,x,x)+52j
					; _RegRtlQueryInfoKey(x,x,x,x,x,x)+A8j
		mov	ecx, [ebp+var_4]
		mov	eax, edx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_853927:				; CODE XREF: _RegRtlQueryInfoKey(x,x,x,x,x,x)+60j
		mov	eax, [ebp+var_20]
		shr	eax, 1
		mov	[ecx], eax
		jmp	short loc_8538F6
; 

loc_853930:				; CODE XREF: _RegRtlQueryInfoKey(x,x,x,x,x,x)+59j
		mov	ecx, [ebp+var_24]
		mov	[eax], ecx
		jmp	short loc_8538EF
; 

loc_853937:				; CODE XREF: _RegRtlQueryInfoKey(x,x,x,x,x,x)+7Ej
		mov	eax, [ebp+var_14]
		mov	[ebx], eax
		jmp	short loc_853914
__RegRtlQueryInfoKey@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipProbeWnodeSingleInstance(x, x, x, x)
_WmipProbeWnodeSingleInstance@16 proc near ; CODE XREF:	WmipIoControl+29Fp
					; WmipIoControl+1334C6p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		push	40h
		pop	edx
		cmp	edi, edx
		jb	short loc_853998
		mov	ecx, [ebp+arg_4]
		test	cl, cl
		jz	short loc_85395E
		cmp	[ebp+arg_0], edx
		jb	short loc_853998
		test	cl, cl

loc_85395E:				; CODE XREF: WmipProbeWnodeSingleInstance(x,x,x,x)+17j
		setz	al
		movzx	eax, al
		push	eax
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, esi
		push	edi
		push	dword ptr [esi+3Ch]
		push	dword ptr [esi+38h]
		push	dword ptr [esi+30h]
		call	_WmipProbeWnodeWorker@36 ; WmipProbeWnodeWorker(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_853992
		mov	eax, [esi+2Ch]
		test	al, 2
		jz	short loc_853998
		cmp	edi, [esi]
		jnz	short loc_853998
		test	eax, 0FFFFFF7Dh
		jnz	short loc_853998
		xor	eax, eax

loc_853992:				; CODE XREF: WmipProbeWnodeSingleInstance(x,x,x,x)+3Ej
					; WmipProbeWnodeSingleInstance(x,x,x,x)+5Fj
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_853998:				; CODE XREF: WmipProbeWnodeSingleInstance(x,x,x,x)+10j
					; WmipProbeWnodeSingleInstance(x,x,x,x)+1Cj ...
		mov	eax, 0C0000001h
		jmp	short loc_853992
_WmipProbeWnodeSingleInstance@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipProbeWnodeMethodItem(x,	x, x)
_WmipProbeWnodeMethodItem@12 proc near	; CODE XREF: WmipIoControl+92p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		push	44h
		pop	edx
		cmp	edi, edx
		jb	short loc_8539E9
		push	1
		push	1
		push	[ebp+arg_0]
		push	edi
		push	dword ptr [esi+40h]
		push	dword ptr [esi+3Ch]
		push	dword ptr [esi+30h]
		call	_WmipProbeWnodeWorker@36 ; WmipProbeWnodeWorker(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8539E3
		mov	eax, [esi+2Ch]
		test	eax, 8000h
		jz	short loc_8539E9
		cmp	edi, [esi]
		jnz	short loc_8539E9
		test	eax, 0FFFF7F7Fh
		jnz	short loc_8539E9
		xor	eax, eax

loc_8539E3:				; CODE XREF: WmipProbeWnodeMethodItem(x,x,x)+2Aj
					; WmipProbeWnodeMethodItem(x,x,x)+4Ej
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_8539E9:				; CODE XREF: WmipProbeWnodeMethodItem(x,x,x)+10j
					; WmipProbeWnodeMethodItem(x,x,x)+34j ...
		mov	eax, 0C0000001h
		jmp	short loc_8539E3
_WmipProbeWnodeMethodItem@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipProbeWnodeWorker(x, x, x, x, x,	x, x, x, x)
_WmipProbeWnodeWorker@36 proc near	; CODE XREF: WmipProbeWnodeSingleInstance(x,x,x,x)+37p
					; WmipProbeWnodeMethodItem(x,x,x)+23p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= byte ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_10]
		mov	eax, edx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	edx, edx
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_4], eax
		push	edi
		mov	edi, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_853A65
		cmp	ecx, eax
		jb	loc_853AA5
		lea	eax, [ecx+1]
		and	eax, 0FFFFFFFEh
		cmp	eax, ecx
		jnz	short loc_853AA5
		lea	eax, [edi-2]
		cmp	ecx, eax
		ja	short loc_853AA5
		lea	eax, [ebp+arg_0]
		push	eax
		mov	eax, [ebp+var_8]
		movzx	edx, word ptr [eax+ecx]
		add	edx, 2
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_853AA5
		cmp	[ebp+arg_0], edi
		ja	short loc_853AA5
		mov	cl, [ebp+arg_14]
		test	cl, cl
		jz	short loc_853A57
		cmp	[ebp+arg_0], ebx
		ja	short loc_853AA5

loc_853A57:				; CODE XREF: WmipProbeWnodeWorker(x,x,x,x,x,x,x,x,x)+60j
		test	esi, esi
		jz	short loc_853A70
		cmp	esi, [ebp+arg_0]
		jb	short loc_853AA5
		mov	eax, [ebp+var_4]
		jmp	short loc_853A68
; 

loc_853A65:				; CODE XREF: WmipProbeWnodeWorker(x,x,x,x,x,x,x,x,x)+22j
		mov	cl, [ebp+arg_14]

loc_853A68:				; CODE XREF: WmipProbeWnodeWorker(x,x,x,x,x,x,x,x,x)+73j
		test	esi, esi
		jz	short loc_853A70
		cmp	esi, eax
		jb	short loc_853AA5

loc_853A70:				; CODE XREF: WmipProbeWnodeWorker(x,x,x,x,x,x,x,x,x)+69j
					; WmipProbeWnodeWorker(x,x,x,x,x,x,x,x,x)+7Aj
		lea	eax, [esi+7]
		and	eax, 0FFFFFFF8h
		cmp	eax, esi
		jnz	short loc_853AA5
		cmp	[ebp+arg_18], 0
		jz	short loc_853A90
		test	esi, esi
		jz	short loc_853A90
		cmp	[ebp+arg_8], edi
		ja	short loc_853AA5
		sub	edi, [ebp+arg_8]
		cmp	esi, edi
		ja	short loc_853AA5

loc_853A90:				; CODE XREF: WmipProbeWnodeWorker(x,x,x,x,x,x,x,x,x)+8Ej
					; WmipProbeWnodeWorker(x,x,x,x,x,x,x,x,x)+92j
		test	cl, cl
		jz	short loc_853AA1
		cmp	ebx, [ebp+var_4]
		jb	short loc_853AA5
		cmp	esi, ebx
		ja	short loc_853AA5
		test	esi, esi
		jz	short loc_853AA5

loc_853AA1:				; CODE XREF: WmipProbeWnodeWorker(x,x,x,x,x,x,x,x,x)+A2j
		mov	eax, edx
		jmp	short loc_853AAA
; 

loc_853AA5:				; CODE XREF: WmipProbeWnodeWorker(x,x,x,x,x,x,x,x,x)+26j
					; WmipProbeWnodeWorker(x,x,x,x,x,x,x,x,x)+34j ...
		mov	eax, 0C0000001h

loc_853AAA:				; CODE XREF: WmipProbeWnodeWorker(x,x,x,x,x,x,x,x,x)+B3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_WmipProbeWnodeWorker@36 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFreeRelocations proc near		; CODE XREF: MiDeleteControlArea+75p
					; MiRelocateImage+14E1BEp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_7		= byte ptr -7
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00900C56 SIZE 00000060 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+20h+var_10]
		mov	ebx, edx
		stosd
		mov	esi, ecx
		stosd
		stosd
		stosd
		test	ebx, ebx
		jz	short loc_853AFF
		mov	eax, [esi+30h]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_900C56

loc_853ADE:				; CODE XREF: MiFreeRelocations+AD1EAj
		lea	ecx, [ebx+28h]
		call	_MiFreeImageLoadConfig@4 ; MiFreeImageLoadConfig(x)
		mov	eax, [ebx+8]
		test	eax, eax
		jnz	short loc_853B06

loc_853AED:				; CODE XREF: MiFreeRelocations+64j
		mov	esi, [ebx+3Ch]

loc_853AF0:				; CODE XREF: MiFreeRelocations+AD1FFj
		test	esi, esi
		jnz	loc_900CA1
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_853AFF:				; CODE XREF: MiFreeRelocations+1Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_853B06:				; CODE XREF: MiFreeRelocations+39j
					; MiFreeRelocations+62j
		mov	esi, [eax]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_853B06
		jmp	short loc_853AED
MiFreeRelocations endp


;  S U B	R O U T	I N E 


; __stdcall MiFreeImageLoadConfig(x)
_MiFreeImageLoadConfig@4 proc near	; CODE XREF: MiParseImageLoadConfig+2C6p
					; MiFreeRelocations+2Fp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_853B33
		push	4C617652h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+0Ch], 0

loc_853B33:				; CODE XREF: MiFreeImageLoadConfig(x)+Aj
		pop	esi
		retn
_MiFreeImageLoadConfig@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCompareDDBCacheEntries(x,	x, x)
_PiCompareDDBCacheEntries@12 proc near	; DATA XREF: PiInitializeDDBCache()+Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_4]
		push	1
		lea	eax, [esi+8]
		push	eax
		lea	eax, [edi+8]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jns	short loc_853B5E

loc_853B56:				; CODE XREF: PiCompareDDBCacheEntries(x,x,x)+43j
		xor	eax, eax

loc_853B58:				; CODE XREF: PiCompareDDBCacheEntries(x,x,x)+2Dj
					; PiCompareDDBCacheEntries(x,x,x)+3Bj
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_853B5E:				; CODE XREF: PiCompareDDBCacheEntries(x,x,x)+1Ej
		jle	short loc_853B65

loc_853B60:				; CODE XREF: PiCompareDDBCacheEntries(x,x,x)+47j
		xor	eax, eax
		inc	eax
		jmp	short loc_853B58
; 

loc_853B65:				; CODE XREF: PiCompareDDBCacheEntries(x,x,x):loc_853B5Ej
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+34h], 0
		jz	short loc_853B73

loc_853B6E:				; CODE XREF: PiCompareDDBCacheEntries(x,x,x)+45j
		push	2
		pop	eax
		jmp	short loc_853B58
; 

loc_853B73:				; CODE XREF: PiCompareDDBCacheEntries(x,x,x)+36j
		mov	eax, [edi+10h]
		cmp	eax, [esi+10h]
		jb	short loc_853B56
		jbe	short loc_853B6E
		jmp	short loc_853B60
_PiCompareDDBCacheEntries@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetDeviceLogConfKeyPath(int,int,int,void *,int,int)
__CmGetDeviceLogConfKeyPath@32 proc near ; CODE	XREF: _CmGetDeviceRegKeyPath+AAp

arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_0], 0FFFFFFEBh
		jnz	short loc_853BE9
		mov	ecx, edx
		push	esi
		push	edi
		xor	edi, edi
		lea	esi, [ecx+2]

loc_853B97:				; CODE XREF: _CmGetDeviceLogConfKeyPath(x,x,x,x,x,x,x,x)+20j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_853B97
		mov	eax, [ebp+arg_14]
		sub	ecx, esi
		sar	ecx, 1
		add	ecx, 27h
		test	eax, eax
		jz	short loc_853BB2
		mov	[eax], ecx

loc_853BB2:				; CODE XREF: _CmGetDeviceLogConfKeyPath(x,x,x,x,x,x,x,x)+2Ej
		cmp	ecx, [ebp+arg_10]
		ja	short loc_853BE2
		push	offset ??_C@_1BA@EMGOOHIB@?$AAL?$AAo?$AAg?$AAC?$AAo?$AAn?$AAf@NNGAKEGL@	; "LogConf"
		push	edx
		push	offset ??_C@_1DM@BNJPOICG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; char
		push	offset ??_C@_1BC@GLIGFLDD@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@	; "%s\\%s\\%s"
		push	800h		; int
		push	edi		; int
		push	edi		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 24h

loc_853BDC:				; CODE XREF: _CmGetDeviceLogConfKeyPath(x,x,x,x,x,x,x,x)+67j
		pop	edi
		pop	esi

loc_853BDE:				; CODE XREF: _CmGetDeviceLogConfKeyPath(x,x,x,x,x,x,x,x)+6Ej
		pop	ebp
		retn	18h
; 

loc_853BE2:				; CODE XREF: _CmGetDeviceLogConfKeyPath(x,x,x,x,x,x,x,x)+35j
		mov	eax, 0C0000023h
		jmp	short loc_853BDC
; 

loc_853BE9:				; CODE XREF: _CmGetDeviceLogConfKeyPath(x,x,x,x,x,x,x,x)+Cj
		mov	eax, 0C000000Dh
		jmp	short loc_853BDE
__CmGetDeviceLogConfKeyPath@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpNotifyDeviceClassChange proc	near	; CODE XREF: PAGE:00763F9Bp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00900CB6 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	eax, [ebp+arg_0]
		inc	esi
		and	[ebp+var_3C], 0
		mov	word ptr [ebp+var_30], si
		lea	edi, [ebp+var_2C]
		push	28h
		pop	esi
		mov	word ptr [ebp+var_30+2], si
		or	ebx, 0FFFFFFFFh
		mov	esi, ecx
		mov	[ebp+var_34], edx
		mov	ecx, offset _PnpDeviceClassNotifyLock
		mov	[ebp+var_38], eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, edx
		lea	edi, [ebp+var_1C]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+var_C], eax
		call	ExAcquireFastMutex
		mov	edi, [ebp+var_34]
		xor	edx, edx
		push	0Dh
		pop	ecx
		mov	eax, [edi+0Ch]
		add	eax, [edi+8]
		add	eax, [edi+4]
		add	eax, [edi]
		div	ecx
		lea	eax, _PnpDeviceClassNotifyList[edx*8]
		mov	esi, [eax]
		mov	[ebp+var_40], eax
		cmp	esi, eax
		jz	loc_853CFE

loc_853C6B:				; CODE XREF: PnpNotifyDeviceClassChange+108j
		mov	[ebp+var_34], esi
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		push	eax
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		cmp	[esi+0Ch], eax
		jnz	loc_853D1B

loc_853C82:				; CODE XREF: PnpNotifyDeviceClassChange+135j
		inc	word ptr [esi+20h]
		mov	ecx, offset _PnpDeviceClassNotifyLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		push	1
		push	dword ptr [esi+28h]
		call	ExAcquireResourceExclusiveLite
		cmp	ebx, 0FFFFFFFFh
		jnz	loc_900CB6

loc_853CB2:				; CODE XREF: PnpNotifyDeviceClassChange+AD0CFj
		cmp	byte ptr [esi+22h], 0
		jnz	short loc_853CCD
		lea	eax, [esi+2Ch]
		cmp	eax, edi
		jz	short loc_853D2A
		push	10h		; Length
		push	edi		; Source2
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jz	short loc_853D2A

loc_853CCD:				; CODE XREF: PnpNotifyDeviceClassChange+C6j
					; PnpNotifyDeviceClassChange+148j ...
		mov	ecx, [esi+28h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, offset _PnpDeviceClassNotifyLock
		call	ExAcquireFastMutex
		mov	ecx, [ebp+var_34]
		mov	esi, [esi]
		call	_PnpDereferenceNotify@4	; PnpDereferenceNotify(x)
		cmp	esi, [ebp+var_40]
		jnz	loc_853C6B

loc_853CFE:				; CODE XREF: PnpNotifyDeviceClassChange+75j
		mov	ecx, offset _PnpDeviceClassNotifyLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_853D1B:				; CODE XREF: PnpNotifyDeviceClassChange+8Cj
		mov	ecx, [ebp+var_38]
		call	_IopGetSessionIdFromSymbolicName@4 ; IopGetSessionIdFromSymbolicName(x)
		mov	ebx, eax
		jmp	loc_853C82
; 

loc_853D2A:				; CODE XREF: PnpNotifyDeviceClassChange+CDj
					; PnpNotifyDeviceClassChange+DBj
		lea	eax, [ebp+var_3C]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_30]
		call	PnpNotifyDriverCallback
		jmp	short loc_853CCD
PnpNotifyDeviceClassChange endp


;  S U B	R O U T	I N E 


; __stdcall PnpDereferenceNotify(x)
_PnpDereferenceNotify@4	proc near	; CODE XREF: PnpUnregisterPlugPlayNotification+89p
					; PnpUnregisterPlugPlayNotification+81EDBp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, 0FFFFh
		add	[esi+20h], ax
		jz	short loc_853D4C
		pop	esi
		retn
; 

loc_853D4C:				; CODE XREF: PnpDereferenceNotify(x)+Ej
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_853DAF
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_853DAF
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, [esi+1Ch]
		call	ObfDereferenceObject
		cmp	dword ptr [esi+8], 3
		jz	short loc_853D9D

loc_853D6D:				; CODE XREF: PnpDereferenceNotify(x)+68j
					; PnpDereferenceNotify(x)+73j
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_853D7E
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [esi+10h], 0

loc_853D7E:				; CODE XREF: PnpDereferenceNotify(x)+38j
		push	dword ptr [esi+28h]
		call	ExDeleteResourceLite
		push	56706E50h
		push	dword ptr [esi+28h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
; 

loc_853D9D:				; CODE XREF: PnpDereferenceNotify(x)+31j
		mov	ecx, [esi+30h]
		test	ecx, ecx
		jz	short loc_853D6D
		call	ObfDereferenceObject
		and	dword ptr [esi+30h], 0
		jmp	short loc_853D6D
; 

loc_853DAF:				; CODE XREF: PnpDereferenceNotify(x)+17j
					; PnpDereferenceNotify(x)+1Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PnpDereferenceNotify@4	endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall IopGetSessionIdFromSymbolicName(x)
_IopGetSessionIdFromSymbolicName@4 proc	near ; CODE XREF: PnpNotifyDeviceClassChange+12Ep
					; IoRegisterPlugPlayNotification+2A9p ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		or	edi, 0FFFFFFFFh
		call	_IopDeviceObjectFromSymbolicName@4 ; IopDeviceObjectFromSymbolicName(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_853DF0
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_853DF0
		test	dword ptr [eax+10Ch], 20000h
		jnz	short loc_853DF0
		mov	ecx, esi
		call	_IopGetSessionIdFromPDO@4 ; IopGetSessionIdFromPDO(x)
		mov	ecx, esi
		mov	edi, eax
		call	ObfDereferenceObject

loc_853DF0:				; CODE XREF: IopGetSessionIdFromSymbolicName(x)+11j
					; IopGetSessionIdFromSymbolicName(x)+1Ej ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ecx
		retn
_IopGetSessionIdFromSymbolicName@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGetSessionIdFromPDO(x)
_IopGetSessionIdFromPDO@4 proc near	; CODE XREF: IopCheckSessionDeviceAccess(x)+5Cp
					; PnpNotifyTargetDeviceChangeNotifyEntry(x,x,x,x)+23p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	edx, edx
		push	esi
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], edx
		test	ecx, ecx
		jz	short loc_853E49
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_853E49
		test	dword ptr [eax+10Ch], 20000h
		jnz	short loc_853E49
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		push	edx
		push	edx
		push	offset _DEVPKEY_Device_SessionId
		push	ecx
		call	IoGetDevicePropertyData
		test	eax, eax
		jns	short loc_853E4E

loc_853E49:				; CODE XREF: IopGetSessionIdFromPDO(x)+19j
					; IopGetSessionIdFromPDO(x)+26j ...
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_853E4E:				; CODE XREF: IopGetSessionIdFromPDO(x)+51j
		mov	esi, [ebp+var_4]
		jmp	short loc_853E49
_IopGetSessionIdFromPDO@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDeviceObjectFromSymbolicName(x)
_IopDeviceObjectFromSymbolicName@4 proc	near
					; CODE XREF: IopGetSessionIdFromSymbolicName(x)+8p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, ecx
		mov	[ebp+var_10], edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		test	ebx, ebx
		jz	loc_853F1D
		cmp	[ebx+4], edi
		jz	loc_853F1D
		cmp	[ebx], di
		jz	loc_853F1D
		push	ebx
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		call	PnpUnicodeStringToWstr
		test	eax, eax
		js	loc_853F1D
		mov	eax, 190h
		push	47706E50h
		push	eax
		push	1
		mov	[ebp+var_C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_853F1D
		mov	edx, [ebp+var_4]
		lea	ecx, [ebp+var_C]
		push	edi
		push	ecx
		push	[ebp+var_C]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	offset _DEVPKEY_Device_InstanceId
		push	edi
		push	edi
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		mov	esi, eax
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		test	esi, esi
		mov	esi, [ebp+var_8]
		js	short loc_853F12
		cmp	[ebp+var_10], 12h
		jnz	short loc_853F12
		push	esi
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_853F12
		mov	edx, 746C6644h
		lea	ecx, [ebp+var_18]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	edi, eax

loc_853F12:				; CODE XREF: IopDeviceObjectFromSymbolicName(x)+99j
					; IopDeviceObjectFromSymbolicName(x)+9Fj ...
		push	47706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_853F1D:				; CODE XREF: IopDeviceObjectFromSymbolicName(x)+1Dj
					; IopDeviceObjectFromSymbolicName(x)+26j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopDeviceObjectFromSymbolicName@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 545. FsRtlInitExtraCreateParameterLookasideList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlInitExtraCreateParameterLookasideList(x, x, x,	x)
		public _FsRtlInitExtraCreateParameterLookasideList@16
_FsRtlInitExtraCreateParameterLookasideList@16 proc near ; CODE	XREF: INIT:00AC291Bp

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		xor	eax, eax
		add	ecx, 34h
		test	[ebp+arg_4], 2
		push	eax
		jnz	short loc_853F52
		push	eax
		push	[ebp+arg_C]
		push	ecx
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_0]
		call	ExInitializePagedLookasideListInternal

loc_853F4E:				; CODE XREF: FsRtlInitExtraCreateParameterLookasideList(x,x,x,x)+3Bj
		pop	ebp
		retn	10h
; 

loc_853F52:				; CODE XREF: FsRtlInitExtraCreateParameterLookasideList(x,x,x,x)+12j
		push	[ebp+arg_C]
		push	ecx
		push	200h
		push	eax
		push	eax
		push	[ebp+arg_0]
		call	_ExInitializeNPagedLookasideList@28 ; ExInitializeNPagedLookasideList(x,x,x,x,x,x,x)
		jmp	short loc_853F4E
_FsRtlInitExtraCreateParameterLookasideList@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopProcessorInformation	proc near	; CODE XREF: NtPowerInformation+A6Ap
					; NtPowerInformation+12B1p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_16		= word ptr -16h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00900CC4 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		xor	esi, esi
		mov	[ebp+var_C], ecx
		push	edi
		mov	[ebp+var_16], ax
		mov	[ebp+var_4], esi
		call	_KeQueryGroupAffinity@4	; KeQueryGroupAffinity(x)
		mov	[ebp+var_8], eax
		nop
		not	eax
		movzx	ecx, al
		shr	eax, 8
		mov	dl, ds:_RtlpBitsClearTotal[ecx]
		movzx	ecx, al
		shr	eax, 8
		add	dl, ds:_RtlpBitsClearTotal[ecx]
		mov	ecx, eax
		shr	ecx, 8
		movzx	eax, al
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	eax, cl
		imul	ecx, eax, 18h
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], ecx
		cmp	ecx, 300h
		ja	loc_900CC4
		test	eax, eax
		jz	loc_854097
		mov	eax, large fs:124h
		push	ebx
		mov	ebx, esi
		mov	[ebp+arg_0], ebx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_8]
		mov	[ebp+var_18], di
		mov	edi, [ebp+var_C]
		mov	[ebp+var_1C], eax
		add	edi, 4
		mov	[ebp+var_20], esi

loc_854010:				; CODE XREF: PopProcessorInformation+113j
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_85407D
		cmp	ebx, [ebp+var_10]
		jnb	short loc_85407D
		mov	ecx, [ebp+var_4]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ebx, eax
		lea	edx, [edi+4]
		push	esi
		push	esi
		push	esi
		movzx	ecx, byte ptr [ebx+3C4h]
		mov	[edi-4], ecx
		lea	ecx, [edx+4]
		push	ecx
		mov	ecx, ebx
		call	PpmPerfGetCurrentState
		mov	eax, [ebx+3EA0h]
		test	eax, eax
		jz	short loc_8540A7
		mov	eax, [eax+54h]

loc_854058:				; CODE XREF: PopProcessorInformation+145j
		mov	[edi], eax
		mov	ecx, [ebx+3D70h]
		test	ecx, ecx
		jz	short loc_8540AF
		mov	eax, [ecx+20h]
		mov	[edi+0Ch], eax
		mov	eax, [ecx+10h]
		inc	eax

loc_85406E:				; CODE XREF: PopProcessorInformation+14Cj
		mov	ebx, [ebp+arg_0]
		inc	ebx
		mov	[edi+10h], eax
		mov	[ebp+arg_0], ebx
		add	edi, 18h
		jmp	short loc_854010
; 

loc_85407D:				; CODE XREF: PopProcessorInformation+B7j
					; PopProcessorInformation+BCj
		pop	ebx
		cmp	dword_6C2ADC, esi
		jnz	short loc_8540B6

loc_854086:				; CODE XREF: PopProcessorInformation+154j
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_854097:				; CODE XREF: PopProcessorInformation+6Fj
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_14]
		mov	[ecx], eax

loc_85409F:				; CODE XREF: PopProcessorInformation+ACD6Aj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	8
; 

loc_8540A7:				; CODE XREF: PopProcessorInformation+EBj
		mov	eax, [ebx+3C0h]
		jmp	short loc_854058
; 

loc_8540AF:				; CODE XREF: PopProcessorInformation+FAj
		mov	[edi+0Ch], esi
		mov	eax, esi
		jmp	short loc_85406E
; 

loc_8540B6:				; CODE XREF: PopProcessorInformation+11Cj
		mov	dword_6C2ADC, esi
		jmp	short loc_854086
PopProcessorInformation	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpProcessScenarioPhase	proc near	; CODE XREF: PfSetSuperfetchInformation+2A3p
					; PfSnSetPrefetcherInformation+18Ep

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00900CD7 SIZE 000000DC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[esp+10h+var_1], dl
		push	4
		pop	esi
		cmp	[ebx], esi
		jnz	loc_900CE0
		mov	ecx, [ebx+4]
		lea	eax, [ecx-1]
		cmp	eax, esi
		ja	loc_900DA9
		mov	eax, [ebx+10h]
		mov	edx, eax
		and	edx, 1
		cmp	ecx, 2
		jle	short loc_85415F
		cmp	ecx, 3
		jz	loc_900CF1
		cmp	ecx, esi
		jnz	loc_900CD7
		mov	eax, [ebx+8]
		xor	edi, edi
		sub	eax, edi
		jz	loc_900CEA
		sub	eax, 1
		jnz	short loc_854156
		call	_RtlGetActiveConsoleId@0 ; RtlGetActiveConsoleId()
		mov	esi, eax
		call	_PsGetCurrentProcessSessionId@0	; PsGetCurrentProcessSessionId()
		cmp	eax, esi
		jnz	short loc_854156
		push	edi
		push	edi
		push	4
		pop	edx
		mov	ecx, offset unk_6D4870
		call	PfpScenCtxScenarioSet
		call	_PFP_CAN_DO_ACCESS_LOGGING@0 ; PFP_CAN_DO_ACCESS_LOGGING()
		test	eax, eax
		jz	short loc_854156
		push	1
		push	dword_6D4890
		push	3
		push	2
		pop	edx
		push	5
		pop	ecx
		call	_PfpLogScenarioEvent@20	; PfpLogScenarioEvent(x,x,x,x,x)

loc_854156:				; CODE XREF: PfpProcessScenarioPhase+59j
					; PfpProcessScenarioPhase+69j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_85415F:				; CODE XREF: PfpProcessScenarioPhase+36j
					; PfpProcessScenarioPhase+ACC1Cj
		cmp	[esp+10h+var_1], 0
		jnz	short loc_85417A
		cmp	ecx, 5
		jz	short loc_854181

loc_85416B:				; CODE XREF: PfpProcessScenarioPhase+C5j
		mov	ecx, [ebx+8]
		shr	eax, 1
		push	eax
		call	PfPowerActionNotify
		xor	edi, edi
		jmp	short loc_854156
; 

loc_85417A:				; CODE XREF: PfpProcessScenarioPhase+A6j
		mov	edi, 0C0000022h
		jmp	short loc_854156
; 

loc_854181:				; CODE XREF: PfpProcessScenarioPhase+ABj
		or	edx, esi
		jmp	short loc_85416B
PfpProcessScenarioPhase	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpLogScenarioEvent(x, x, x, x, x)
_PfpLogScenarioEvent@20	proc near	; CODE XREF: PfPowerActionNotify+9B75p
					; PfpProcessScenarioPhase+93p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		push	edi
		inc	ecx
		xor	edi, edi
		call	MmPerformMemoryListCommand
		push	10h
		pop	ecx
		call	PfTSetTraceWorkerPriority
		xor	edx, edx
		mov	[ebp+var_8], eax
		inc	edx
		mov	ecx, offset dword_6D42C0
		call	PfGenerateTrace
		mov	ecx, [ebp+arg_0]
		and	edi, 0FFF00000h
		movzx	eax, [ebp+arg_4]
		and	ecx, 3
		shl	ecx, 10h
		and	ebx, 3
		or	ecx, eax
		mov	[ebp+var_10], esi
		shl	ecx, 2
		lea	eax, [ebp+var_10]
		or	ecx, edi
		push	8		; size_t
		or	ecx, ebx
		push	eax		; void *
		mov	[ebp+var_C], ecx
		call	_PFP_GET_CURRENT_TIME@0	; PFP_GET_CURRENT_TIME()
		push	1Bh
		mov	edx, eax
		pop	ecx
		call	PfLogEvent
		test	[ebp+arg_8], 1
		jz	short loc_854203
		xor	edx, edx
		mov	ecx, offset dword_6D42C0
		call	PfGenerateTrace

loc_854203:				; CODE XREF: PfpLogScenarioEvent(x,x,x,x,x)+6Fj
		mov	eax, [ebp+var_8]
		cmp	eax, 1Fh
		jg	short loc_854212
		mov	ecx, eax
		call	PfTSetTraceWorkerPriority

loc_854212:				; CODE XREF: PfpLogScenarioEvent(x,x,x,x,x)+83j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PfpLogScenarioEvent@20	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfGenerateTrace	proc near		; CODE XREF: PfPowerActionNotify+EFp
					; PfSetSuperfetchInformation+457p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00900DB3 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		nop
		mov	edi, offset _PfTGlobals
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		xor	esi, esi
		cmp	[ebx], esi
		jz	loc_900DB3
		lea	edi, [ebx+34h]
		cmp	[ebp+var_4], esi
		jnz	short loc_85425B
		lock inc dword ptr [edi]

loc_85425B:				; CODE XREF: PfGenerateTrace+3Cj
		lea	eax, [ebx+24h]
		push	eax
		mov	[ebp+var_8], eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		push	esi
		push	esi
		lea	eax, [ebx+14h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ebx, [ebx]
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		or	eax, 0FFFFFFFFh
		mov	ecx, offset _PfTGlobals
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_8542C8

loc_85428D:				; CODE XREF: PfGenerateTrace+B8j
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_8]
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_10]
		push	1
		push	eax
		push	2
		mov	[ebp+var_C], ebx
		call	KeWaitForMultipleObjects
		mov	ecx, ebx
		call	ObfDereferenceObject
		cmp	[ebp+var_4], esi
		jnz	short loc_8542C1
		lock dec dword ptr [edi]

loc_8542C1:				; CODE XREF: PfGenerateTrace+A2j
					; PfGenerateTrace+ACBBEj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8542C8:				; CODE XREF: PfGenerateTrace+71j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset _PfTGlobals
		jmp	short loc_85428D
PfGenerateTrace	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 792. IoCreateFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IoCreateFile(int,int,int,int,int,int,int,int,int,void *,int,int,int,int)
		public _IoCreateFile@56
_IoCreateFile@56 proc near		; CODE XREF: PopCreateHiberFile(x,x)+165p
					; PopCreateHiberFile(x,x)+1E0p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0		; void *
		push	0		; int
		push	[ebp+arg_34]	; int
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_30]	; int
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_2C]	; int
		push	[ebp+arg_28]	; int
		push	[ebp+arg_24]	; void *
		push	[ebp+arg_20]	; int
		push	[ebp+arg_1C]	; int
		push	[ebp+arg_18]	; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		call	_IopCreateFile@64 ; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	38h
_IoCreateFile@56 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpRealtimeConnect proc near		; CODE XREF: NtTraceControl(x,x,x,x,x,x)+3EDp

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 00900DDD SIZE 0000005A BYTES

		push	68h
		push	offset dword_6A4880
		call	__SEH_prolog4
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ecx
		mov	eax, [ebx]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_20], ecx
		mov	edx, [ebx+10h]
		mov	[ebp+var_58], edx
		mov	eax, [ebx+8]
		mov	[ebp+var_34], eax
		mov	edi, [ebx+4]
		mov	[ebp+var_4C], edi
		mov	eax, edi
		shr	eax, 0Ch
		mov	[ebp+var_54], eax
		mov	esi, [ebx+30h]
		mov	[ebp+var_48], esi
		mov	ecx, [ebx+28h]
		mov	[ebp+var_30], ecx
		mov	ecx, [ebx+38h]
		mov	[ebp+var_38], ecx
		mov	ecx, [ebx+40h]
		mov	[ebp+var_3C], ecx
		and	[ebp+ms_exc.disabled], 0
		push	4
		add	eax, 1Fh
		shr	eax, 3
		and	eax, 1FFFFFFCh
		push	eax
		push	edx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	4
		push	edi
		push	[ebp+var_34]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_900DDD

loc_85439E:				; CODE XREF: EtwpRealtimeConnect+ACAC9j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+var_38]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_900DE4

loc_8543B2:				; CODE XREF: EtwpRealtimeConnect+ACAD0j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+var_3C]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_900DEB

loc_8543C6:				; CODE XREF: EtwpRealtimeConnect+ACAD7j
		mov	eax, [ecx]
		mov	[ecx], eax
		push	4
		push	4
		push	[ebp+var_30]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+1F0h]
		mov	[ebp+var_50], eax
		push	1
		mov	edx, [ebp+var_2C]
		mov	ecx, eax
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jz	loc_900DF2
		test	dword ptr [edi+0Ch], 100h
		jz	loc_900DFC
		mov	edx, edi
		mov	ecx, 400h
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_900E01
		lea	ecx, [ebp+var_20]
		call	_EtwpOpenConsumer@4 ; EtwpOpenConsumer(x)
		mov	esi, eax
		test	esi, esi
		js	loc_900E01
		mov	eax, ds:_ExEventObjectType
		mov	ecx, [ebx+18h]
		and	[ebp+var_24], 0
		push	0
		lea	edx, [ebp+var_24]
		push	edx
		push	1
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_24]
		mov	[ebp+var_40], eax
		test	esi, esi
		js	loc_900E01
		mov	eax, ds:_ExEventObjectType
		mov	ecx, [ebx+20h]
		and	[ebp+var_28], 0
		push	0
		lea	edx, [ebp+var_28]
		push	edx
		push	1
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_28]
		mov	[ebp+var_44], eax
		test	esi, esi
		js	loc_900E01
		mov	[ebp+var_78], 18h
		xor	ecx, ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_6C], 40h
		mov	[ebp+var_70], ecx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_64], ecx
		mov	edx, ds:_EtwpRealTimeConnectionObjectType
		push	ecx
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		push	ecx
		push	58h
		push	ecx
		push	1
		lea	eax, [ebp+var_78]
		push	eax
		xor	cl, cl
		call	ObCreateObjectEx
		mov	esi, eax
		test	esi, esi
		js	loc_900E01
		push	58h		; size_t
		push	0		; int
		mov	esi, [ebp+var_1C]
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp+var_2C]
		mov	[esi+30h], ax
		mov	eax, [ebp+var_20]
		mov	[esi+8], eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [ebp+var_1C]
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+var_24]
		mov	[ecx+18h], eax
		mov	eax, [ebp+var_28]
		mov	[ecx+1Ch], eax
		mov	eax, [ebp+var_48]
		mov	[ecx+20h], eax
		mov	eax, [ebp+var_30]
		mov	[ecx+24h], eax
		mov	eax, [ebp+var_34]
		mov	[ecx+3Ch], eax
		mov	eax, [ebp+var_4C]
		mov	[ecx+40h], eax
		mov	eax, [ebp+var_38]
		mov	[ecx+4Ch], eax
		mov	eax, [ebp+var_3C]
		mov	[ecx+50h], eax
		mov	eax, [ebp+var_50]
		mov	[ecx+54h], eax
		mov	eax, [ebp+var_54]
		mov	[ecx+34h], eax
		mov	eax, [ebp+var_58]
		mov	[ecx+38h], eax
		mov	[ecx+14h], ebx
		lea	eax, [ebx+48h]
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	0
		push	1
		push	400h
		xor	edx, edx
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_854590
		lea	esi, [edi+1F0h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_1C]
		mov	[edi+10Ch], ecx
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		push	20h
		pop	edx
		mov	ecx, edi
		call	EtwpSynchronizeWithLogger

loc_854590:				; CODE XREF: EtwpRealtimeConnect+24Dj
		mov	dl, 1
		mov	ecx, edi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		mov	eax, ebx

loc_85459B:				; CODE XREF: EtwpRealtimeConnect+ACAE1j
					; EtwpRealtimeConnect+ACB1Cj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
EtwpRealtimeConnect endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall EtwpOpenConsumer(x)
_EtwpOpenConsumer@4 proc near		; CODE XREF: EtwpRealtimeConnect+111p
		mov	eax, large fs:124h
		push	ecx
		push	0
		push	ds:_PsProcessType
		mov	eax, [eax+80h]
		push	28h
		push	0
		push	200h
		push	eax
		call	ObOpenObjectByPointer
		retn
_EtwpOpenConsumer@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSetDeviceSecurityDescriptor proc near ; CODE	XREF: IopGetSetSecurityObject+2B6p
					; IopSetDeviceSecurityDescriptors(x,x,x,x,x,x)+27p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00900E57 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		mov	edi, large fs:124h
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], esi

loc_8545F6:				; CODE XREF: IopSetDeviceSecurityDescriptor+AC8AEj
		dec	word ptr [edi+13Ch]
		nop
		push	1
		push	offset _IopSecurityResource
		call	ExAcquireResourceSharedLite
		mov	esi, [esi+98h]
		test	esi, esi
		jz	short loc_854627
		xor	ecx, ecx
		lea	eax, [esi-0Ch]
		inc	ecx
		lock xadd [eax], ecx
		test	ecx, ecx
		jg	short loc_854627
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_854627:				; CODE XREF: IopSetDeviceSecurityDescriptor+40j
					; IopSetDeviceSecurityDescriptor+4Ej
		mov	ecx, offset _IopSecurityResource
		call	ExReleaseResourceLite
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	[ebp+arg_8]
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], esi
		push	[ebp+arg_4]
		push	eax
		push	[ebp+arg_0]
		push	ebx
		push	0
		call	_SeSetSecurityDescriptorInfo@24	; SeSetSecurityDescriptorInfo(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_900E85
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_4]
		call	ObLogSecurityDescriptor
		push	0
		push	[ebp+var_4]
		mov	ebx, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		js	short loc_8546D3
		dec	word ptr [edi+13Ch]
		nop
		push	1
		push	offset _IopSecurityResource
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [ebp+var_C]
		cmp	[ecx+98h], esi
		jnz	loc_900E57
		mov	eax, [ebp+var_8]
		mov	[ecx+98h], eax
		mov	eax, [ecx+0B0h]
		mov	ecx, offset _IopSecurityResource
		and	dword ptr [eax+10h], 0FFFFF7FFh
		call	ExReleaseResourceLite
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	2

loc_8546C4:				; CODE XREF: IopSetDeviceSecurityDescriptor+103j
		push	esi
		call	ObDereferenceSecurityDescriptor

loc_8546CA:				; CODE XREF: IopSetDeviceSecurityDescriptor+AC8B5j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_8546D3:				; CODE XREF: IopSetDeviceSecurityDescriptor+A4j
					; IopSetDeviceSecurityDescriptor+AC8BBj
		push	1
		jmp	short loc_8546C4
IopSetDeviceSecurityDescriptor endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspCreateProcess proc near		; CODE XREF: NtCreateProcessEx+5Bp
					; PspInitPhase0+705p

var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_16D		= dword	ptr -16Dh
var_169		= dword	ptr -169h
var_30		= dword	ptr -30h
var_2C		= byte ptr -2Ch
var_28		= dword	ptr -28h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 00900E92 SIZE 000000C3 BYTES
; FUNCTION CHUNK AT 00900F7B SIZE 0000013B BYTES
; FUNCTION CHUNK AT 009010DD SIZE 00000012 BYTES

		push	1A4h
		push	offset dword_6A48A0
		call	__SEH_prolog4_GS
		mov	[ebp+var_1AC], edx
		mov	[ebp+var_1A0], ecx
		mov	esi, [ebp+arg_C]
		mov	ebx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_198], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_174], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_19C], eax
		mov	edi, [ebp+arg_18]
		mov	[ebp+var_188], edi
		xor	eax, eax
		mov	[ebp+var_1B4], eax
		mov	[ebp+var_1B0], eax
		mov	byte ptr [ebp+var_169],	al
		mov	[ebp+var_18C], eax
		mov	[ebp+var_17C], eax
		mov	byte ptr [ebp+var_178],	al
		mov	byte ptr [ebp+var_184],	al
		mov	[ebp+var_180], eax
		test	esi, 0FFF94040h
		jnz	loc_900E9A
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		call	_PsIsProtectedProcess@4	; PsIsProtectedProcess(x)
		mov	ecx, [ebp+arg_8]
		test	eax, eax
		jnz	loc_900E92

loc_854778:				; CODE XREF: PspCreateProcess+AC7BCj
		mov	eax, esi
		and	eax, 2000h
		test	esi, 4000h
		jnz	loc_900EA4

loc_85478B:				; CODE XREF: PspCreateProcess+AC7D0j
		mov	edx, esi
		and	edx, 800h
		mov	[ebp+var_190], edx
		test	eax, eax
		jnz	loc_900EAD

loc_8547A1:				; CODE XREF: PspCreateProcess+AC7D9j
		test	edx, edx
		jnz	loc_900EB6

loc_8547A9:				; CODE XREF: PspCreateProcess+AC837j
		test	esi, 20000h
		jnz	loc_900F14

loc_8547B5:				; CODE XREF: PspCreateProcess+AC848j
		push	144h		; size_t
		xor	esi, esi
		push	esi		; int
		lea	eax, [ebp+var_169+1]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_2C], cl
		test	ebx, ebx
		jnz	loc_900F25

loc_8547DA:				; CODE XREF: PspCreateProcess+AC8B9j
		mov	edx, [ebp+var_174]
		test	edx, edx
		jnz	loc_900F96
		mov	eax, esi
		mov	[ebp+var_174], eax
		mov	[ebp+var_1A4], eax

loc_8547F6:				; CODE XREF: PspCreateProcess+AC8FFj
		mov	eax, [ebp+var_198]
		test	eax, eax
		jz	short loc_854829
		push	esi
		lea	edx, [ebp+var_18C]
		push	edx
		push	72437350h
		push	ecx
		push	ds:_PsProcessType
		push	80h
		push	eax
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8549B4

loc_854829:				; CODE XREF: PspCreateProcess+126j
		lea	eax, [ebp+var_180]
		push	eax
		push	[ebp+arg_8]
		mov	edx, edi
		mov	edi, [ebp+var_18C]
		mov	ecx, edi
		call	_PspReferenceTokenForNewProcess@16 ; PspReferenceTokenForNewProcess(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8549A4
		test	edi, edi
		jz	loc_8549D2
		cmp	[ebp+var_174], 0
		jnz	loc_900FDC
		mov	al, [edi+3A6h]
		mov	byte ptr [ebp+var_16D],	al
		mov	al, [edi+3A5h]
		mov	byte ptr [ebp+var_184],	al
		mov	al, [edi+3A4h]
		mov	byte ptr [ebp+var_178],	al

loc_854885:				; CODE XREF: PspCreateProcess+31Bj
					; PspCreateProcess+AC954j
		mov	eax, [ebp+var_174]
		test	eax, eax
		jnz	loc_90103C

loc_854893:				; CODE XREF: PspCreateProcess+AC98Fj
		cmp	[ebp+var_190], 0
		jnz	loc_90106C
		lea	eax, [ebp+var_17C]
		push	eax
		lea	eax, [ebp+var_1B4]
		push	eax
		xor	ecx, ecx
		push	ecx
		xor	eax, eax
		cmp	[ebp+var_188], eax
		setnz	al
		push	eax
		push	ecx
		push	ecx
		push	[ebp+arg_C]
		push	[ebp+var_180]
		push	[ebp+var_174]
		push	[ebp+var_184]
		push	[ebp+var_178]
		push	[ebp+var_16D]
		push	ebx
		mov	dl, byte ptr [ebp+arg_8]
		mov	ecx, edi
		call	_PspAllocateProcess@60 ; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_854999
		mov	[ebp+var_190], esi
		xor	ebx, ebx
		inc	ebx
		mov	eax, ebx
		cmp	[ebp+var_1B4], 0
		jnz	loc_9010AE

loc_85490D:				; CODE XREF: PspCreateProcess+AC9D9j
		lea	ecx, [ebp+var_169+1]
		push	ecx
		xor	ecx, ecx
		push	ecx
		push	eax
		push	[ebp+var_19C]
		push	[ebp+arg_C]
		push	[ebp+var_1AC]
		mov	edx, edi
		mov	ecx, [ebp+var_17C]
		call	PspInsertProcess
		mov	esi, eax
		test	esi, esi
		js	loc_9010DD
		push	ds:_PsProcessType
		lea	edx, [ebp+var_169+1]
		mov	ecx, [ebp+var_17C]
		call	PspCreateObjectHandle
		mov	esi, eax
		test	esi, esi
		js	short loc_854976
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+var_1A0]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_854970:				; CODE XREF: sub_9010BC+1Cj
		mov	esi, [ebp+var_190]

loc_854976:				; CODE XREF: PspCreateProcess+281j
		lea	ecx, [ebp+var_169+1]
		call	_PspDeleteObjectAccessState@4 ;	PspDeleteObjectAccessState(x)
		test	esi, esi
		js	loc_9010DD

loc_854989:				; CODE XREF: PspCreateProcess+ACA12j
		mov	edx, 72437350h
		mov	ecx, [ebp+var_17C]
		call	ObfDereferenceObjectWithTag

loc_854999:				; CODE XREF: PspCreateProcess+217j
					; PspCreateProcess+AC939j ...
		mov	ecx, [ebp+var_180]
		call	ObfDereferenceObject

loc_8549A4:				; CODE XREF: PspCreateProcess+16Ej
		test	edi, edi
		jz	short loc_8549B4
		mov	edx, 72437350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_8549B4:				; CODE XREF: PspCreateProcess+14Bj
					; PspCreateProcess+2CEj
		mov	eax, [ebp+var_174]
		test	eax, eax
		jnz	short loc_8549F8

loc_8549BE:				; CODE XREF: PspCreateProcess+327j
		mov	eax, esi

loc_8549C0:				; CODE XREF: PspCreateProcess+AC7C7j
					; sub_900F66+10j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_8549D2:				; CODE XREF: PspCreateProcess+176j
		mov	byte ptr [ebp+var_16D],	72h
		mov	ecx, ds:dword_A40CEE
		mov	al, cl
		or	al, 10h
		mov	byte ptr [ebp+var_178],	al
		mov	al, ch
		or	al, 10h
		mov	byte ptr [ebp+var_184],	al
		jmp	loc_854885
; 

loc_8549F8:				; CODE XREF: PspCreateProcess+2E4j
		mov	ecx, eax
		call	ObfDereferenceObject
		jmp	short loc_8549BE
PspCreateProcess endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDcHandleObjectEvent(x)
_PiDcHandleObjectEvent@4 proc near	; CODE XREF: PiPnpRtlObjectEventDispatch(x):loc_7FE973p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		xor	edx, edx
		test	byte ptr [ecx+4], 2
		jnz	short loc_854A24
		mov	eax, [ecx+8]
		mov	eax, [eax+14h]
		sub	eax, 1
		jnz	short loc_854A2A
		call	PiDcHandleDeviceEvent

loc_854A22:				; CODE XREF: PiDcHandleObjectEvent(x)+33j
					; PiDcHandleObjectEvent(x)+40j
		mov	edx, eax

loc_854A24:				; CODE XREF: PiDcHandleObjectEvent(x)+Ej
					; PiDcHandleObjectEvent(x)+39j
		mov	eax, edx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_854A2A:				; CODE XREF: PiDcHandleObjectEvent(x)+19j
		dec	eax
		sub	eax, 1
		jnz	short loc_854A37
		call	PiDcHandleInterfaceEvent
		jmp	short loc_854A22
; 

loc_854A37:				; CODE XREF: PiDcHandleObjectEvent(x)+2Cj
		dec	eax
		sub	eax, 1
		jnz	short loc_854A24
		call	_PiDcHandleContainerEvent@4 ; PiDcHandleContainerEvent(x)
		jmp	short loc_854A22
_PiDcHandleObjectEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDcHandleInterfaceEvent proc near	; CODE XREF: PiDcHandleObjectEvent(x)+2Ep

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009010EF SIZE 0000006C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_68]
		stosd
		xor	edx, edx
		test	byte ptr [ecx+4], 1
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], edx
		stosd
		stosd
		stosd
		jnz	loc_9010EF

loc_854A72:				; CODE XREF: PiDcHandleInterfaceEvent+AC6D8j
					; PiDcHandleInterfaceEvent+AC6E2j ...
		mov	ecx, [ebp+var_4]
		mov	eax, edx
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PiDcHandleInterfaceEvent endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpMapLegacyPortRemoteView(x, x, x)
_AlpcpMapLegacyPortRemoteView@12 proc near ; CODE XREF:	PAGE:0079A4C9p
					; PAGE:0079A51Dp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, [edx+14h]
		xor	edx, edx
		push	edi
		lea	edi, [ebx+0D0h]
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	ecx, [esi+8]
		call	AlpcpLockForCachedReferenceBlob
		mov	ecx, [esi+0Ch]
		cmp	ebx, ecx
		jz	short loc_854ACF
		mov	edx, esi
		call	_AlpcpRemoveResourcePort@8 ; AlpcpRemoveResourcePort(x,x)
		mov	ecx, [esi+0Ch]
		call	ObfDereferenceObject
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, esi
		mov	[esi+0Ch], ebx
		mov	ecx, ebx
		call	_AlpcpInsertResourcePort@8 ; AlpcpInsertResourcePort(x,x)

loc_854ACF:				; CODE XREF: AlpcpMapLegacyPortRemoteView(x,x,x)+29j
		mov	ecx, [ebp+arg_0]
		and	dword ptr [ecx+4], 0
		and	dword ptr [ecx+8], 0
		mov	dword ptr [ecx], 0Ch
		mov	eax, [esi+14h]
		mov	[ecx+8], eax
		mov	eax, [esi+18h]
		mov	[ecx+4], eax
		mov	ecx, [esi+8]
		call	AlpcpUnlockBlob
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_854B12

loc_854B02:				; CODE XREF: AlpcpMapLegacyPortRemoteView(x,x,x)+97j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	4
; 

loc_854B12:				; CODE XREF: AlpcpMapLegacyPortRemoteView(x,x,x)+7Ej
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_854B02
_AlpcpMapLegacyPortRemoteView@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCommitRegistryTransaction proc near	; DATA XREF: .text:005812B8o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090115B SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+30h+var_1C]
		rep stosd
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _CmpShutdownRundown
		mov	ecx, ebx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_90115B
		cmp	[ebp+arg_4], 0
		jnz	loc_901171
		mov	eax, large fs:124h
		lea	ecx, [esp+30h+var_24]
		and	[esp+30h+var_24], 0
		push	0
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+38h+var_20], al
		push	[esp+38h+var_20]
		mov	eax, _CmRegistryTransactionType
		push	eax
		push	8
		push	esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [esp+30h+var_24]
		mov	esi, eax
		test	esi, esi
		js	short loc_854BCA
		lea	ecx, [esp+30h+var_1C]
		call	CmpAttachToRegistryProcess
		mov	ecx, edi
		call	_CmpCommitLightWeightTransaction@4 ; CmpCommitLightWeightTransaction(x)
		xor	edx, edx
		lea	ecx, [esp+30h+var_1C]
		mov	esi, eax
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		test	esi, esi
		js	short loc_854BCA
		xor	esi, esi

loc_854BCA:				; CODE XREF: NtCommitRegistryTransaction+89j
					; NtCommitRegistryTransaction+AAj
		test	edi, edi
		jz	short loc_854BD5
		mov	ecx, edi
		call	ObfDereferenceObject

loc_854BD5:				; CODE XREF: NtCommitRegistryTransaction+B0j
					; NtCommitRegistryTransaction+AC65Aj
		mov	ecx, ebx
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_854BE8:				; CODE XREF: NtCommitRegistryTransaction+AC650j
		mov	ecx, [esp+30h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
NtCommitRegistryTransaction endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCommitLightWeightTransaction(x)
_CmpCommitLightWeightTransaction@4 proc	near ; CODE XREF: NtCommitRegistryTransaction+96p
					; CmpTransMgrCommit(x,x,x)+DBp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	edi
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_1], al
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		xor	edx, edx
		inc	edx
		lock cmpxchg [esi], edx
		test	eax, eax
		jz	short loc_854C40
		xor	ebx, ebx
		cmp	eax, 3
		setnz	bl
		dec	ebx
		and	ebx, 12h
		add	ebx, 0C0190003h
		jmp	loc_854D44
; 

loc_854C40:				; CODE XREF: CmpCommitLightWeightTransaction(x)+29j
		mov	edi, [esi+8]
		test	edi, edi
		jz	short loc_854C50
		mov	[ebp+var_1], 1
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()

loc_854C50:				; CODE XREF: CmpCommitLightWeightTransaction(x)+47j
		lea	edx, [ebp+var_14]
		mov	ecx, edi
		call	CmpPrepareLightWeightTransaction
		mov	ebx, eax
		xor	eax, eax
		inc	eax
		test	ebx, ebx
		jns	short loc_854CAF
		push	3
		pop	edx
		mov	ecx, edx
		lock cmpxchg [esi], ecx
		cmp	eax, 1
		jnz	short loc_854C87
		cmp	byte ptr [esi+0Ch], 0
		jnz	loc_854D2F
		mov	ecx, esi
		call	_CmpAbortLightWeightTransaction@4 ; CmpAbortLightWeightTransaction(x)
		jmp	loc_854D2F
; 

loc_854C87:				; CODE XREF: CmpCommitLightWeightTransaction(x)+71j
		push	4
		pop	eax
		lock cmpxchg [esi], edx
		and	[ebp+var_8], 0
		lea	ecx, [esi+4]
		xor	edx, edx
		lea	eax, [ebp+var_8]
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	loc_854D2F
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_854D2F
; 

loc_854CAF:				; CODE XREF: CmpCommitLightWeightTransaction(x)+63j
		push	2
		pop	edx
		lock cmpxchg [esi], edx
		cmp	eax, 4
		jnz	short loc_854CEF
		lea	ecx, [ebp+var_14]
		push	ecx
		mov	ecx, edi
		call	_CmpCleanupLightWeightPrepare@12 ; CmpCleanupLightWeightPrepare(x,x,x)
		push	3
		pop	ecx
		push	4
		pop	eax
		lock cmpxchg [esi], ecx
		and	[ebp+var_C], 0
		lea	ecx, [esi+4]
		xor	edx, edx
		lea	eax, [ebp+var_C]
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	short loc_854CE8
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_854CE8:				; CODE XREF: CmpCommitLightWeightTransaction(x)+E3j
		mov	ebx, 0C0190003h
		jmp	short loc_854D2F
; 

loc_854CEF:				; CODE XREF: CmpCommitLightWeightTransaction(x)+BBj
		lea	edx, [ebp+var_14]
		mov	ecx, edi
		call	CmpCommitPreparedLightWeightTransaction
		cmp	[ebp+var_1], 0
		jz	short loc_854D2D
		lea	eax, [ebp+var_14]
		mov	ecx, edi
		push	eax
		call	_CmpCleanupLightWeightPrepare@12 ; CmpCleanupLightWeightPrepare(x,x,x)
		xor	dl, dl
		lea	ecx, [ebp+var_14]
		call	CmpDrainDelayDerefContext
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		cmp	byte ptr [esi+0Ch], 0
		mov	[ebp+var_1], 0
		jnz	short loc_854D2D
		push	4
		pop	edx
		mov	ecx, edi
		call	_CmpCleanupLightWeightTransaction@8 ; CmpCleanupLightWeightTransaction(x,x)

loc_854D2D:				; CODE XREF: CmpCommitLightWeightTransaction(x)+FFj
					; CmpCommitLightWeightTransaction(x)+123j
		xor	ebx, ebx

loc_854D2F:				; CODE XREF: CmpCommitLightWeightTransaction(x)+77j
					; CmpCommitLightWeightTransaction(x)+84j ...
		cmp	[ebp+var_1], 0
		jz	short loc_854D44
		xor	dl, dl
		lea	ecx, [ebp+var_14]
		call	CmpDrainDelayDerefContext
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_854D44:				; CODE XREF: CmpCommitLightWeightTransaction(x)+3Dj
					; CmpCommitLightWeightTransaction(x)+135j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_CmpCommitLightWeightTransaction@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCleanupLightWeightTransaction(x,	x)
_CmpCleanupLightWeightTransaction@8 proc near
					; CODE XREF: CmpCommitLightWeightTransaction(x)+12Ap
					; CmpAbortLightWeightTransaction(x)+61p

var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_1C]
		push	6
		pop	ecx
		xor	eax, eax
		mov	esi, edx
		rep stosd
		lea	ecx, [ebp+var_1C]
		call	CmpAttachToRegistryProcess
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	edx, esi
		mov	ecx, ebx
		call	_CmpTransMgrFreeVolatileData@8 ; CmpTransMgrFreeVolatileData(x,x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _CmpTransactionListLock
		mov	ecx, esi
		call	ExAcquireFastMutexUnsafe
		mov	edx, [ebx]
		cmp	[edx+4], ebx
		jnz	short loc_854DF2
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	short loc_854DF2
		mov	[eax], edx
		mov	ecx, esi
		mov	[edx+4], eax
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebx+1Ch]
		test	ecx, ecx
		jz	short loc_854DE3
		and	ecx, 0FFFFFFFEh
		call	ObfDereferenceObject

loc_854DE3:				; CODE XREF: CmpCleanupLightWeightTransaction(x,x)+8Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_854DF2:				; CODE XREF: CmpCleanupLightWeightTransaction(x,x)+67j
					; CmpCleanupLightWeightTransaction(x,x)+6Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CmpCleanupLightWeightTransaction@8 endp


; __stdcall CmpTransMgrFreeVolatileData(x, x)
_CmpTransMgrFreeVolatileData@8:		; CODE XREF: CmpCleanupLightWeightTransaction(x,x)+34p
					; CmpCleanupTransactionState(x,x,x,x)+35p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp-0Ch], edx
		mov	ebx, ecx
		mov	[ebp-14h], esi
		push	edi
		lea	ecx, [ebp-14h]
		mov	[ebp-10h], esi
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)

loc_854E18:				; CODE XREF: PAGE:0085503Dj
		lea	eax, [ebx+8]
		cmp	[eax], eax
		jz	loc_855049
		mov	edi, [ebx+0Ch]
		mov	eax, [edi+18h]
		cmp	[eax+10h], esi
		jz	loc_854F18
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	eax, [edi+24h]
		test	eax, eax
		jz	loc_854EFB
		cmp	eax, 3
		jle	loc_854F13
		cmp	eax, 5
		jle	loc_854EEB
		cmp	eax, 9
		jz	short loc_854E86
		cmp	eax, 0Ch
		jnz	loc_854F13
		mov	edx, [edi+34h]
		test	edx, edx
		jz	loc_854F13
		cmp	edx, 0FFFFFFFFh
		jz	loc_854F13
		mov	ecx, [edi+18h]
		mov	ecx, [ecx+10h]

loc_854E7C:				; CODE XREF: PAGE:00854EDBj
		call	HvFreeCell
		jmp	loc_854F13
; 

loc_854E86:				; CODE XREF: PAGE:00854E57j
		mov	eax, [edi+18h]
		lea	ecx, [ebp-1Ch]
		or	dword ptr [ebp-1Ch], 0FFFFFFFFh
		mov	[ebp-18h], esi
		push	ecx
		mov	esi, [eax+10h]
		mov	eax, [edi+34h]
		push	eax
		push	esi
		mov	[ebp-4], eax
		call	dword ptr [esi+4]
		mov	[ebp-8], eax
		test	eax, eax
		jz	short loc_854F13
		mov	edx, [ebp-4]
		mov	ecx, esi
		push	1
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	short loc_854EE1
		mov	ecx, [ebp-8]
		mov	eax, [ecx+0Ch]
		cmp	eax, 1
		jnz	short loc_854EDD
		lea	eax, [ebp-1Ch]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebp-4]
		mov	ecx, esi
		call	_CmpRemoveSecurityCellList@8 ; CmpRemoveSecurityCellList(x,x)
		mov	edx, [ebp-4]
		mov	ecx, esi
		jmp	short loc_854E7C
; 

loc_854EDD:				; CODE XREF: PAGE:00854EC2j
		dec	eax
		mov	[ecx+0Ch], eax

loc_854EE1:				; CODE XREF: PAGE:00854EB7j
		lea	eax, [ebp-1Ch]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	short loc_854F13
; 

loc_854EEB:				; CODE XREF: PAGE:00854E4Ej
		mov	ecx, [edi+18h]
		mov	edx, [edi+34h]
		mov	ecx, [ecx+10h]
		call	_CmpFreeValue@8	; CmpFreeValue(x,x)
		jmp	short loc_854F13
; 

loc_854EFB:				; CODE XREF: PAGE:00854E3Cj
		mov	edx, [edi+30h]
		test	edx, edx
		jz	short loc_854F13
		cmp	edx, 0FFFFFFFFh
		jz	short loc_854F13
		mov	ecx, [edi+18h]
		push	esi
		mov	ecx, [ecx+10h]
		call	CmpFreeKeyByCell

loc_854F13:				; CODE XREF: PAGE:00854E45j
					; PAGE:00854E5Cj ...
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_854F18:				; CODE XREF: PAGE:00854E2Cj
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	esi, [edi+18h]
		cmp	[esi+9Ch], ebx
		jnz	short loc_854F50
		mov	edx, [esi+98h]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_854F49
		mov	ecx, [esi+10h]
		call	HvFreeCell
		and	dword ptr [esi+94h], 0
		or	dword ptr [esi+98h], 0FFFFFFFFh

loc_854F49:				; CODE XREF: PAGE:00854F31j
		and	dword ptr [esi+9Ch], 0

loc_854F50:				; CODE XREF: PAGE:00854F26j
		mov	ecx, [esi+80h]
		mov	edx, ebx
		call	CmEqualTrans
		test	al, al
		jz	loc_854FF5
		cmp	dword ptr [edi+24h], 0
		jnz	loc_854FF5
		cmp	dword ptr [ebp-0Ch], 8
		jnz	short loc_854FEE
		push	0
		push	6
		pop	edx
		mov	ecx, esi
		call	_CmpPrepareToInvalidateAllHigherLayerKcbs@12 ; CmpPrepareToInvalidateAllHigherLayerKcbs(x,x,x)
		test	eax, eax
		js	loc_855042
		push	0
		push	4
		pop	edx
		mov	ecx, esi
		call	_CmpPrepareForSubtreeInvalidation@12 ; CmpPrepareForSubtreeInvalidation(x,x,x)
		test	eax, eax
		js	loc_85504E
		lea	eax, [ebp-14h]
		mov	ecx, esi
		push	eax
		push	6
		push	8
		pop	edx
		call	_CmpInvalidateAllHigherLayerKcbs@16 ; CmpInvalidateAllHigherLayerKcbs(x,x,x,x)
		push	0
		lea	eax, [ebp-14h]
		mov	ecx, esi
		push	eax
		push	4
		push	8
		pop	edx
		call	_CmpInvalidateSubtree@20 ; CmpInvalidateSubtree(x,x,x,x,x)
		push	0
		lea	eax, [ebp-14h]
		mov	ecx, esi
		push	eax
		push	8
		pop	edx
		call	CmpFlushNotifiesOnKeyBodyList
		or	word ptr [esi+4], 20h
		lea	edx, [ebp-14h]
		mov	ecx, esi
		call	_CmpMarkKeyUnbacked@8 ;	CmpMarkKeyUnbacked(x,x)
		test	dword ptr [esi+4], 20000h
		jnz	short loc_854FEE
		mov	ecx, esi
		call	_CmpDiscardKcb@4 ; CmpDiscardKcb(x)

loc_854FEE:				; CODE XREF: PAGE:00854F73j
					; PAGE:00854FE5j
		and	dword ptr [esi+80h], 0

loc_854FF5:				; CODE XREF: PAGE:00854F5Fj
					; PAGE:00854F69j
		cmp	dword ptr [esi+14h], 0FFFFFFFFh
		jz	short loc_85500B
		cmp	dword ptr [esi+10h], 0
		jz	short loc_85500B
		lea	edx, [ebp-14h]
		mov	ecx, esi
		call	_CmpRebuildKcbCache@8 ;	CmpRebuildKcbCache(x,x)

loc_85500B:				; CODE XREF: PAGE:00854FF9j
					; PAGE:00854FFFj
		mov	ecx, esi
		call	CmpReferenceKeyControlBlockUnsafe
		mov	ecx, edi
		call	CmpRundownUnitOfWork
		mov	ecx, edi
		call	_CmpFreeUnitOfWork@4 ; CmpFreeUnitOfWork(x)
		push	1
		lea	edx, [ebp-14h]
		mov	ecx, esi
		call	CmpDereferenceKeyControlBlockWithLock
		xor	dl, dl
		lea	ecx, [ebp-14h]
		call	CmpDrainDelayDerefContext
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	esi, esi
		jmp	loc_854E18
; 

loc_855042:				; CODE XREF: PAGE:00854F83j
		push	10000h
		jmp	short loc_855053
; 

loc_855049:				; CODE XREF: PAGE:00854E1Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85504E:				; CODE XREF: PAGE:00854F97j
		push	10100h

loc_855053:				; CODE XREF: PAGE:00855047j
		push	esi
		push	ebx
		push	33h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 


CmpRundownUnitOfWork proc near		; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+CC7p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+CE0p ...

; FUNCTION CHUNK AT 0090117B SIZE 000000AD BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, [edi+8]
		test	ebx, ebx
		jnz	short loc_8550CC

loc_85506E:				; CODE XREF: CmpRundownUnitOfWork+8Cj
					; CmpRundownUnitOfWork+AC15Aj ...
		mov	ebx, [edi+0Ch]
		test	ebx, ebx
		jnz	short loc_8550EE

loc_855075:				; CODE XREF: CmpRundownUnitOfWork+AEj
					; CmpRundownUnitOfWork+AC1AAj ...
		cmp	[edi], edi
		jz	short loc_8550A2
		call	_LOCK_TRANSACTION_LIST@0 ; LOCK_TRANSACTION_LIST()
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	loc_85511C
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	loc_85511C
		mov	[ecx], eax
		mov	[eax+4], ecx
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		and	dword ptr [edi+1Ch], 0

loc_8550A2:				; CODE XREF: CmpRundownUnitOfWork+17j
		lea	eax, [edi+10h]
		mov	edx, [eax]
		cmp	edx, eax
		jz	short loc_8550C8
		mov	ecx, [edi+18h]
		cmp	[edx+4], eax
		jnz	short loc_85511C
		mov	esi, [eax+4]
		cmp	[esi], eax
		jnz	short loc_85511C
		mov	[esi], edx
		mov	[edx+4], esi
		call	CmpDereferenceKeyControlBlockUnsafe
		and	dword ptr [edi+18h], 0

loc_8550C8:				; CODE XREF: CmpRundownUnitOfWork+49j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8550CC:				; CODE XREF: CmpRundownUnitOfWork+Cj
		and	dword ptr [edi+8], 0
		mov	eax, [ebx]
		and	eax, 7FFFFFFFh
		cmp	eax, 1
		jnz	loc_901188
		cmp	[ebx+4], edi
		jnz	short loc_855113
		and	dword ptr [ebx], 0
		and	dword ptr [ebx+4], 0
		jmp	short loc_85506E
; 

loc_8550EE:				; CODE XREF: CmpRundownUnitOfWork+13j
		and	dword ptr [edi+0Ch], 0
		mov	eax, [ebx]
		and	eax, 7FFFFFFFh
		cmp	eax, 1
		jnz	loc_9011D8
		cmp	[ebx+4], edi
		jnz	short loc_855113
		and	dword ptr [ebx], 0
		and	dword ptr [ebx+4], 0
		jmp	loc_855075
; 

loc_855113:				; CODE XREF: CmpRundownUnitOfWork+83j
					; CmpRundownUnitOfWork+A5j
		push	edi
		push	ebx
		push	1
		jmp	loc_90117F
; 

loc_85511C:				; CODE XREF: CmpRundownUnitOfWork+23j
					; CmpRundownUnitOfWork+2Ej ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall CmpRebuildKcbCache(x, x)
_CmpRebuildKcbCache@8:			; CODE XREF: PAGE:00855006p
					; CmpSaveBootControlSet(x)+525p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		or	dword ptr [ebp-8], 0FFFFFFFFh
		and	dword ptr [ebp-4], 0
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	byte ptr [esi+4], 10h
		jnz	short loc_855187
		test	dword ptr [esi+68h], 400000h
		jnz	short loc_855187
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_85518D
		mov	ecx, [esi+14h]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_85518D
		lea	edx, [ebp-8]
		push	edx
		push	ecx
		push	eax
		call	dword ptr [eax+4]
		test	eax, eax
		jz	short loc_85518D
		add	dword ptr [esi+0A8h], 1
		mov	edx, eax
		push	1
		adc	dword ptr [esi+0ACh], 0
		mov	ecx, esi
		push	edi
		call	_CmpRebuildKcbCacheFromNode@16 ; CmpRebuildKcbCacheFromNode(x,x,x,x)
		mov	ecx, [esi+10h]
		lea	edx, [ebp-8]
		push	edx
		push	ecx
		call	dword ptr [ecx+8]

loc_855187:				; CODE XREF: CmpRundownUnitOfWork+DBj
					; CmpRundownUnitOfWork+E4j
		mov	al, 1

loc_855189:				; CODE XREF: CmpRundownUnitOfWork+12Fj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_85518D:				; CODE XREF: CmpRundownUnitOfWork+EBj
					; CmpRundownUnitOfWork+F3j ...
		xor	al, al
		jmp	short loc_855189
CmpRundownUnitOfWork endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCleanupLightWeightPrepare(x, x, x)
_CmpCleanupLightWeightPrepare@12 proc near
					; CODE XREF: CmpCommitLightWeightTransaction(x)+C3p
					; CmpCommitLightWeightTransaction(x)+107p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		test	ecx, ecx
		jz	short loc_8551C1
		and	[ebp+var_4], 0
		lea	esi, [ecx+8]

loc_8551A5:				; CODE XREF: CmpCleanupLightWeightPrepare(x,x,x)+2Dj
		push	0
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jz	short loc_8551C1
		push	[ebp+arg_0]
		mov	ecx, eax
		call	_CmpCleanupLightWeightUoWData@12 ; CmpCleanupLightWeightUoWData(x,x,x)
		jmp	short loc_8551A5
; 

loc_8551C1:				; CODE XREF: CmpCleanupLightWeightPrepare(x,x,x)+Aj
					; CmpCleanupLightWeightPrepare(x,x,x)+21j
		pop	esi
		leave
		retn	4
_CmpCleanupLightWeightPrepare@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCleanupLightWeightUoWData(x, x, x)
_CmpCleanupLightWeightUoWData@12 proc near
					; CODE XREF: CmpCleanupLightWeightPrepare(x,x,x)+28p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+40h]
		test	edi, edi
		jz	loc_8552C2
		mov	eax, [esi+24h]
		xor	ebx, ebx
		cmp	eax, 6
		jg	short loc_855247
		cmp	eax, 4
		jge	short loc_855209
		sub	eax, ebx
		jz	short loc_855257
		sub	eax, 1
		jz	short loc_855201
		sub	eax, 1
		jz	short loc_855275
		sub	eax, 1
		jnz	loc_8552C2

loc_855201:				; CODE XREF: CmpCleanupLightWeightUoWData(x,x,x)+2Bj
					; CmpCleanupLightWeightUoWData(x,x,x)+89j
		mov	[esi+40h], ebx
		jmp	loc_8552C2
; 

loc_855209:				; CODE XREF: CmpCleanupLightWeightUoWData(x,x,x)+22j
		mov	ecx, [esi+18h]
		mov	edx, edi
		mov	ecx, [ecx+10h]
		call	_CmpLightWeightCleanupSetValueKeyUoW@8 ; CmpLightWeightCleanupSetValueKeyUoW(x,x)
		mov	ecx, [esi+44h]
		xor	ebx, ebx
		mov	[esi+40h], ebx
		test	ecx, ecx
		jz	loc_8552C2
		mov	edx, [ecx]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_85523B
		mov	ecx, [esi+18h]
		mov	ecx, [ecx+10h]
		call	_CmpFreeValue@8	; CmpFreeValue(x,x)
		mov	ecx, [esi+44h]

loc_85523B:				; CODE XREF: CmpCleanupLightWeightUoWData(x,x,x)+65j
		mov	edx, 77554D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		jmp	short loc_8552A0
; 

loc_855247:				; CODE XREF: CmpCleanupLightWeightUoWData(x,x,x)+1Dj
		sub	eax, 9
		jz	short loc_8552A5
		sub	eax, 1
		jz	short loc_855201
		dec	eax
		sub	eax, 1
		jnz	short loc_8552C2

loc_855257:				; CODE XREF: CmpCleanupLightWeightUoWData(x,x,x)+26j
		mov	ecx, [esi+18h]
		push	ebx
		mov	edx, [ecx+14h]
		mov	ecx, [ecx+10h]
		call	CmpFreeKeyByCell
		mov	ecx, [esi+18h]
		mov	eax, [esi+30h]
		mov	[ecx+14h], eax
		mov	edi, [esi+40h]
		mov	[esi+30h], ebx

loc_855275:				; CODE XREF: CmpCleanupLightWeightUoWData(x,x,x)+30j
		test	edi, edi
		jz	short loc_855289
		mov	ecx, [esi+18h]
		mov	edx, edi
		mov	ecx, [ecx+10h]
		call	_CmpLightWeightCleanupModifyKeyDataUoW@8 ; CmpLightWeightCleanupModifyKeyDataUoW(x,x)
		mov	[esi+40h], ebx

loc_855289:				; CODE XREF: CmpCleanupLightWeightUoWData(x,x,x)+B1j
		mov	ecx, [esi+44h]
		test	ecx, ecx
		jz	short loc_8552C2
		mov	edx, [ebp+arg_0]
		call	CmpCleanupDiscardReplaceContext
		mov	ecx, [esi+44h]
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_8552A0:				; CODE XREF: CmpCleanupLightWeightUoWData(x,x,x)+7Fj
		mov	[esi+44h], ebx
		jmp	short loc_8552C2
; 

loc_8552A5:				; CODE XREF: CmpCleanupLightWeightUoWData(x,x,x)+84j
		mov	edx, [edi]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_8552B4
		mov	ecx, [edi+4]
		call	_CmpDereferenceSecurityNode@8 ;	CmpDereferenceSecurityNode(x,x)

loc_8552B4:				; CODE XREF: CmpCleanupLightWeightUoWData(x,x,x)+E4j
		push	77554D43h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[esi+40h], ebx

loc_8552C2:				; CODE XREF: CmpCleanupLightWeightUoWData(x,x,x)+Fj
					; CmpCleanupLightWeightUoWData(x,x,x)+35j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_CmpCleanupLightWeightUoWData@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCommitPreparedLightWeightTransaction	proc near
					; CODE XREF: CmpCommitLightWeightTransaction(x)+F6p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00901228 SIZE 0000004C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], eax
		mov	esi, eax
		test	edi, edi
		jz	loc_855394
		cmp	dword_6B2348, 5
		jbe	short loc_855313
		push	eax
		push	1
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_901228

loc_855313:				; CODE XREF: CmpCommitPreparedLightWeightTransaction+32j
					; CmpCommitPreparedLightWeightTransaction+ABF77j
		lea	eax, [ebp+var_68]
		push	eax
		call	KeQuerySystemTime
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpTransactionListLock
		call	ExAcquireFastMutexUnsafe
		or	dword ptr [edi+18h], 4
		mov	ecx, offset _CmpTransactionListLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		and	[ebp+var_5C], esi

loc_855351:				; CODE XREF: CmpCommitPreparedLightWeightTransaction+A6j
		push	0
		lea	edx, [ebp+var_5C]
		lea	ecx, [edi+8]
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jz	short loc_855372
		push	ebx
		push	1
		lea	edx, [ebp+var_68]
		mov	ecx, eax
		call	_CmpProcessLightWeightUOW@16 ; CmpProcessLightWeightUOW(x,x,x,x)
		inc	esi
		jmp	short loc_855351
; 

loc_855372:				; CODE XREF: CmpCommitPreparedLightWeightTransaction+96j
		cmp	dword_6B2348, 5
		jbe	short loc_855394
		xor	ebx, ebx
		mov	edi, offset dword_6B2348
		push	ebx
		push	1
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_901246

loc_855394:				; CODE XREF: CmpCommitPreparedLightWeightTransaction+25j
					; CmpCommitPreparedLightWeightTransaction+AFj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpCommitPreparedLightWeightTransaction	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpPrepareLightWeightTransaction proc near
					; CODE XREF: CmpCommitLightWeightTransaction(x)+57p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00901274 SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, edx
		cmp	dword_6B2348, 5
		push	edi
		mov	edi, ecx
		jbe	short loc_8553DD
		push	esi
		push	1
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_901274

loc_8553DD:				; CODE XREF: CmpPrepareLightWeightTransaction+22j
					; CmpPrepareLightWeightTransaction+ABEE7j
		test	edi, edi
		jz	short loc_85541B
		call	_LOCK_TRANSACTION_LIST@0 ; LOCK_TRANSACTION_LIST()
		or	dword ptr [edi+18h], 1
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		mov	[ebp+var_2C], esi

loc_8553F2:				; CODE XREF: CmpPrepareLightWeightTransaction+75j
		push	esi
		lea	edx, [ebp+var_2C]
		lea	ecx, [edi+8]
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jz	short loc_85541B
		push	ebx
		push	esi
		xor	edx, edx
		mov	ecx, eax
		call	_CmpProcessLightWeightUOW@16 ; CmpProcessLightWeightUOW(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_901290
		xor	esi, esi
		jmp	short loc_8553F2
; 

loc_85541B:				; CODE XREF: CmpPrepareLightWeightTransaction+3Bj
					; CmpPrepareLightWeightTransaction+5Cj	...
		cmp	dword_6B2348, 5
		jbe	short loc_85543D
		xor	edi, edi
		mov	ebx, offset dword_6B2348
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_90129D

loc_85543D:				; CODE XREF: CmpPrepareLightWeightTransaction+7Ej
					; CmpPrepareLightWeightTransaction+ABF0Cj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpPrepareLightWeightTransaction endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpProcessLightWeightUOW(x,	x, x, x)
_CmpProcessLightWeightUOW@16 proc near	; CODE XREF: CmpCommitPreparedLightWeightTransaction+A0p
					; CmpPrepareLightWeightTransaction+64p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], eax
		mov	esi, edx
		mov	[ebp+var_8], eax
		mov	eax, [edi+24h]
		cmp	eax, 0Eh
		ja	loc_85559B
		mov	ebx, [ebp+arg_0]
		jmp	ds:off_8555AA[eax*4]

loc_85547C:				; DATA XREF: PAGE:off_8555AAo
		test	ebx, ebx
		jnz	short loc_85548A
		call	_CmpLightWeightPrepareAddKeyUoW@4 ; CmpLightWeightPrepareAddKeyUoW(x)
		jmp	loc_855572
; 

loc_85548A:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+30j
		call	_CmpLightWeightCommitAddKeyUoW@8 ; CmpLightWeightCommitAddKeyUoW(x,x)

loc_85548F:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+94j
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		jmp	loc_855585
; 

loc_85549A:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+27j
					; DATA XREF: PAGE:008555B2o
		test	ebx, ebx
		jnz	short loc_8554AB
		mov	edx, [ebp+arg_4]
		call	_CmpLightWeightPrepareDeleteKeyUoW@8 ; CmpLightWeightPrepareDeleteKeyUoW(x,x)
		jmp	loc_855572
; 

loc_8554AB:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+4Ej
		mov	ecx, [edi+18h]
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		xor	edx, edx
		call	CmpReportNotify
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		call	_CmpLightWeightCommitDeleteKeyUoW@12 ; CmpLightWeightCommitDeleteKeyUoW(x,x,x)
		jmp	loc_85558F
; 

loc_8554CC:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+27j
					; DATA XREF: PAGE:008555E2o
		test	ebx, ebx
		jnz	short loc_8554DA
		call	_CmpLightWeightPrepareRecreateKeyUoW@4 ; CmpLightWeightPrepareRecreateKeyUoW(x)
		jmp	loc_855572
; 

loc_8554DA:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+80j
		push	[ebp+arg_4]
		call	_CmpLightWeightCommitRecreateKeyUoW@12 ; CmpLightWeightCommitRecreateKeyUoW(x,x,x)
		jmp	short loc_85548F
; 

loc_8554E4:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+27j
					; DATA XREF: PAGE:008555DAo
		test	ebx, ebx
		jnz	short loc_8554F2
		call	_CmpLightWeightPrepareRenameKeyUoW@4 ; CmpLightWeightPrepareRenameKeyUoW(x)
		jmp	loc_855572
; 

loc_8554F2:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+98j
		cmp	ebx, 1
		jnz	loc_85558F
		push	[ebp+arg_4]
		call	_CmpLightWeightCommitRenameKeyUoW@12 ; CmpLightWeightCommitRenameKeyUoW(x,x,x)
		jmp	loc_85558F
; 

loc_855508:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+27j
					; DATA XREF: PAGE:008555BAo ...
		test	ebx, ebx
		jnz	short loc_855513
		call	CmpLightWeightPrepareSetValueKeyUoW
		jmp	short loc_855572
; 

loc_855513:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+BCj
		push	[ebp+arg_4]
		call	CmpLightWeightCommitSetValueKeyUoW
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		jmp	short loc_855585
; 

loc_855523:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+27j
					; DATA XREF: PAGE:008555C2o
		test	ebx, ebx
		jnz	short loc_855534
		call	_CmpLightWeightPrepareDeleteValueKeyUoW@4 ; CmpLightWeightPrepareDeleteValueKeyUoW(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8555A0
		jmp	short loc_855550
; 

loc_855534:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+D7j
		push	[ebp+arg_4]
		call	_CmpLightWeightCommitDeleteValueKeyUoW@12 ; CmpLightWeightCommitDeleteValueKeyUoW(x,x,x)
		mov	ecx, [edi+18h]
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		xor	edx, edx
		call	CmpReportNotify

loc_85554C:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+27j
					; DATA XREF: PAGE:008555C6o
		test	ebx, ebx
		jnz	short loc_855559

loc_855550:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+E4j
		mov	ecx, edi
		call	_CmpLightWeightPrepareSetKeyUserFlags@4	; CmpLightWeightPrepareSetKeyUserFlags(x)
		jmp	short loc_855572
; 

loc_855559:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+100j
		cmp	ebx, 1
		jnz	short loc_85558F
		mov	edx, esi
		mov	ecx, edi
		call	_CmpLightWeightCommitSetUserFlagsUoW@8 ; CmpLightWeightCommitSetUserFlagsUoW(x,x)
		jmp	short loc_85558F
; 

loc_855569:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+27j
					; DATA XREF: PAGE:008555CEo
		test	ebx, ebx
		jnz	short loc_85557A
		call	_CmpLightWeightPrepareSetSecDescUoW@4 ;	CmpLightWeightPrepareSetSecDescUoW(x)

loc_855572:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+37j
					; CmpProcessLightWeightUOW(x,x,x,x)+58j ...
		mov	esi, eax
		test	esi, esi
		js	short loc_8555A0
		jmp	short loc_85558F
; 

loc_85557A:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+11Dj
		call	_CmpLightWeightCommitSetSecDescUoW@8 ; CmpLightWeightCommitSetSecDescUoW(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	0Ah

loc_855585:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+47j
					; CmpProcessLightWeightUOW(x,x,x,x)+D3j
		mov	ecx, [edi+18h]
		xor	edx, edx
		call	CmpReportNotify

loc_85558F:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+27j
					; CmpProcessLightWeightUOW(x,x,x,x)+79j ...
		lea	ecx, [ebp+var_8]
		xor	esi, esi
		call	_CmpSignalDeferredPosts@4 ; CmpSignalDeferredPosts(x)
		jmp	short loc_8555A0
; 

loc_85559B:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+1Ej
		mov	esi, 0C000000Dh

loc_8555A0:				; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+E2j
					; CmpProcessLightWeightUOW(x,x,x,x)+128j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_CmpProcessLightWeightUOW@16 endp

; 
		align 2
off_8555AA	dd offset loc_85547C	; DATA XREF: CmpProcessLightWeightUOW(x,x,x,x)+27r
		dd offset loc_85558F
		dd offset loc_85549A
		dd offset loc_85558F
		dd offset loc_855508
		dd offset loc_855508
		dd offset loc_855523
		dd offset loc_85554C
		dd offset loc_85558F
		dd offset loc_855569
		dd offset loc_85558F
		dd offset loc_85558F
		dd offset loc_8554E4
		dd offset loc_85558F
		dd offset loc_8554CC

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpReportNotify	proc near		; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+68p
					; CmpProcessLightWeightUOW(x,x,x,x)+F9p ...

var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009012B5 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		cmp	[ebp+arg_0], 1
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	esi, edx
		stosd
		stosd
		stosd
		stosd
		jz	loc_9012B5

loc_855605:				; CODE XREF: CmpReportNotify+ABCDEj
		mov	edx, ecx
		lea	ecx, [ebp+var_10]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		push	[ebp+arg_4]
		mov	edx, esi
		lea	ecx, [ebp+var_10]
		push	[ebp+arg_0]
		call	_CmpReportNotifyForKcbStack@16 ; CmpReportNotifyForKcbStack(x,x,x,x)
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jnz	short loc_85562C

loc_855626:				; CODE XREF: CmpReportNotify+4Bj
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_85562C:				; CODE XREF: CmpReportNotify+3Ej
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_855626
CmpReportNotify	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLightWeightCommitSetValueKeyUoW proc	near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+C8p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009012C9 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		or	[ebp+var_18], 0FFFFFFFFh
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edx
		mov	eax, [edi+18h]
		mov	ecx, [edi+40h]
		mov	[ebp+var_8], ecx
		lea	ecx, [ebp+var_18]
		push	ecx
		mov	esi, [eax+10h]
		mov	eax, [eax+14h]
		push	eax
		push	esi
		mov	[ebp+var_10], esi
		call	dword ptr [esi+4]
		mov	ebx, eax
		mov	eax, [edi+44h]
		movzx	ecx, word ptr [eax+8]
		cmp	[ebx+3Ch], ecx
		jb	loc_9012C9

loc_855679:				; CODE XREF: CmpLightWeightCommitSetValueKeyUoW+ABCA9j
		mov	eax, [eax+0Ch]
		cmp	[ebx+40h], eax
		jb	loc_9012E2

loc_855685:				; CODE XREF: CmpLightWeightCommitSetValueKeyUoW+ABCBDj
		mov	edx, [ebp+var_C]
		mov	eax, [edx]
		mov	[ebx+4], eax
		mov	eax, [edx+4]
		mov	[ebx+8], eax
		mov	ecx, [edi+18h]
		mov	eax, [edx]
		mov	[ecx+58h], eax
		mov	eax, [edx+4]
		mov	[ecx+5Ch], eax
		mov	eax, [edi+18h]
		add	dword ptr [eax+0A8h], 1
		adc	dword ptr [eax+0ACh], 0
		mov	ecx, [edi+44h]
		mov	edx, [ecx+4]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_8556C7
		mov	ecx, esi
		call	_CmpFreeValue@8	; CmpFreeValue(x,x)
		mov	ecx, [edi+44h]

loc_8556C7:				; CODE XREF: CmpLightWeightCommitSetValueKeyUoW+87j
		mov	edx, 77554D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		mov	edx, [ebp+var_8]
		and	dword ptr [edi+44h], 0
		cmp	dword ptr [edx], 1
		jnz	short loc_855718
		mov	esi, [ebp+var_8]
		mov	ecx, [ebx+24h]
		mov	edx, [ebx+28h]
		mov	eax, [esi+4]
		mov	[ebx+24h], eax
		mov	eax, [esi+8]
		mov	[ebx+28h], eax
		mov	[esi+8], edx
		mov	edx, [ebp+arg_0]
		mov	[esi+4], ecx
		mov	ecx, [edi+18h]
		call	_CmpCleanUpKcbCachedSymlink@8 ;	CmpCleanUpKcbCachedSymlink(x,x)
		mov	ecx, [edi+18h]
		mov	esi, [ebx+28h]
		mov	eax, [ebx+24h]
		mov	edx, [ebp+var_8]
		mov	[ecx+34h], esi
		mov	esi, [ebp+var_10]
		mov	[ecx+30h], eax

loc_855718:				; CODE XREF: CmpLightWeightCommitSetValueKeyUoW+A7j
		mov	ecx, esi
		call	_CmpLightWeightCleanupSetValueKeyUoW@8 ; CmpLightWeightCleanupSetValueKeyUoW(x,x)
		and	dword ptr [edi+40h], 0
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
CmpLightWeightCommitSetValueKeyUoW endp


;  S U B	R O U T	I N E 


; __stdcall CmpLightWeightCleanupSetValueKeyUoW(x, x)
_CmpLightWeightCleanupSetValueKeyUoW@8 proc near
					; CODE XREF: CmpCleanupLightWeightUoWData(x,x,x)+4Bp
					; CmpLightWeightCommitSetValueKeyUoW+E6p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		sub	dword ptr [esi], 1
		jnz	short loc_855756
		mov	edx, [esi+8]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_855749
		call	HvFreeCell

loc_855749:				; CODE XREF: CmpLightWeightCleanupSetValueKeyUoW(x,x)+10j
		mov	ecx, esi
		mov	edx, 77554D43h
		pop	esi
		jmp	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
; 

loc_855756:				; CODE XREF: CmpLightWeightCleanupSetValueKeyUoW(x,x)+8j
		pop	esi
		retn
_CmpLightWeightCleanupSetValueKeyUoW@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLightWeightPrepareSetValueKeyUoW proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+BEp

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 009012F6 SIZE 000000A7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		or	eax, 0FFFFFFFFh
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_58], eax
		xor	ecx, ecx
		mov	[ebp+var_48], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_40], eax
		mov	eax, [ebx+18h]
		push	esi
		mov	esi, [ebx+40h]
		mov	[ebp+var_54], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_2], cl
		mov	[ebp+var_28], ecx
		mov	[ebp+var_1C], esi
		push	edi
		mov	edi, [eax+10h]
		mov	eax, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_3], al
		mov	byte ptr [ebp+var_1], al
		test	esi, esi
		jnz	short loc_8557D5
		lea	edx, [ebp+var_1C]
		mov	ecx, ebx
		call	CmpLightWeightCreateSetValueData
		mov	esi, eax
		test	esi, esi
		js	loc_855A10
		mov	esi, [ebp+var_1C]
		mov	ecx, esi
		mov	edx, [ebx+18h]
		call	_CmpLightWeightUpdateSharedSetValueData@8 ; CmpLightWeightUpdateSharedSetValueData(x,x)
		dec	dword ptr [esi]

loc_8557D5:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+58j
		push	77554D43h
		push	10h
		xor	ecx, ecx
		pop	edx
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_9012F6
		and	dword ptr [eax+8], 0
		lea	ecx, [ebp+var_58]
		and	dword ptr [eax+0Ch], 0
		or	dword ptr [eax], 0FFFFFFFFh
		or	dword ptr [eax+4], 0FFFFFFFFh
		mov	eax, [ebx+34h]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	loc_901300
		mov	eax, [ecx+4]
		lea	edx, [eax-80000000h]
		cmp	eax, 80000000h
		jnb	short loc_85582A
		mov	edx, eax

loc_85582A:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+CEj
		mov	[ebp+var_8], edx
		mov	[ebp+var_20], edx
		test	edx, edx
		jz	short loc_855878
		cmp	eax, 80000000h
		jnb	loc_90130A
		mov	edx, [ebx+34h]
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		mov	ecx, edi
		call	CmpGetValueData
		test	al, al
		jz	loc_901315
		mov	eax, [ebp+var_18]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_20]
		mov	[ebp+var_8], eax
		mov	al, byte ptr [ebp+var_1]
		mov	[ebp+var_2], 1
		mov	[ebp+var_3], al

loc_855878:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+DAj
					; CmpLightWeightPrepareSetValueKeyUoW+ABBB8j
		mov	eax, [ebx+18h]
		mov	ecx, edi
		push	0
		push	0
		mov	edx, [eax+14h]
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_90131F
		mov	eax, [ebx+18h]
		lea	ecx, [ebp+var_48]
		push	ecx
		mov	eax, [eax+14h]
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	[ebp+var_30], eax
		mov	eax, [ebx+18h]
		push	62534D43h
		push	8000h
		push	1
		mov	eax, [eax+14h]
		shr	eax, 1Fh
		mov	[ebx+28h], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_901329
		mov	ecx, [ebp+var_24]
		lea	edx, [ebp+var_38]
		push	eax
		call	_CmpInitializeValueNameString@12 ; CmpInitializeValueNameString(x,x,x)
		lea	ecx, [ebp+var_C]
		push	ecx
		lea	ecx, [ebp+var_14]
		push	ecx
		lea	eax, [esi+4]
		push	0
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_20], eax
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		test	al, al
		jz	loc_901333
		push	dword ptr [ebx+28h] ; int
		mov	eax, [ebp+var_24]
		lea	edx, [ebp+var_38]
		push	[ebp+var_8]	; int
		mov	ecx, edi
		push	[ebp+var_10]	; void *
		push	dword ptr [eax+0Ch] ; int
		call	CmpAddValueKeyNew
		mov	esi, eax
		mov	[ebp+var_18], esi
		cmp	esi, 0FFFFFFFFh
		jz	loc_901333
		mov	eax, [ebp+var_C]
		mov	ecx, edi
		cmp	eax, 0FFFFFFFFh
		jz	loc_90135B
		push	0
		push	0
		mov	edx, eax
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_90133D
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+var_C]
		push	edi
		call	dword ptr [edi+4]
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	loc_901347
		mov	edx, eax
		mov	ecx, edi
		call	_CmpMarkValueDataDirty@8 ; CmpMarkValueDataDirty(x,x)
		test	al, al
		jz	loc_901351
		push	[ebp+var_20]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+var_14]
		call	_CmpSwapValueInList@16 ; CmpSwapValueInList(x,x,x,x)

loc_85597A:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+ABC16j
		mov	esi, eax
		test	esi, esi
		js	short loc_8559AC
		mov	ecx, [ebp+var_1C]
		xor	esi, esi
		mov	eax, [ebp+var_18]
		mov	[ecx], eax
		mov	ax, word ptr [ebp+var_38]
		mov	[ecx+8], ax
		mov	eax, [ebp+var_8]
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+var_C]
		mov	[ecx+4], eax
		mov	[ebx+44h], ecx
		xor	ecx, ecx
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], eax

loc_8559AC:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+226j
					; CmpLightWeightPrepareSetValueKeyUoW+ABBFEj
		cmp	[ebp+var_28], 0
		jz	short loc_8559BA
		lea	eax, [ebp+var_40]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_8559BA:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+258j
					; CmpLightWeightPrepareSetValueKeyUoW+ABBEAj ...
		mov	eax, [ebp+var_18]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_901373

loc_8559C6:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+ABBE0j
					; CmpLightWeightPrepareSetValueKeyUoW+ABC24j
		push	0
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8559D0:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+ABBD6j
		cmp	[ebp+var_30], 0
		jz	short loc_8559DE
		lea	eax, [ebp+var_48]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_8559DE:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+27Cj
					; CmpLightWeightPrepareSetValueKeyUoW+ABBCCj
		cmp	[ebp+var_2], 0
		jz	short loc_8559FD
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_8559FD
		cmp	[ebp+var_3], 0
		jnz	loc_901381
		lea	eax, [ebp+var_50]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_8559FD:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+28Aj
					; CmpLightWeightPrepareSetValueKeyUoW+291j ...
		lea	eax, [ebp+var_58]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_855A05:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+ABBADj
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jnz	loc_90138E

loc_855A10:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+68j
					; CmpLightWeightPrepareSetValueKeyUoW+ABBA3j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
CmpLightWeightPrepareSetValueKeyUoW endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpInitializeValueNameString(x, x, x)
_CmpInitializeValueNameString@12 proc near
					; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+17Ap
					; CmpMergeKeyValues(x,x,x,x,x,x)+D9p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr [ecx+10h], 1
		push	edi
		mov	edi, edx
		movzx	edx, word ptr [ecx+2]
		jz	short loc_855A5B
		push	ebx
		add	edx, edx
		mov	ebx, 7FFFh
		mov	[edi], dx
		push	esi
		cmp	dx, bx
		ja	short loc_855A6D
		movzx	eax, word ptr [ecx+2]
		mov	edx, ebx
		mov	esi, [ebp+arg_0]
		push	eax
		lea	eax, [ecx+14h]
		mov	ecx, esi
		push	eax
		call	_CmpCopyCompressedName@16 ; CmpCopyCompressedName(x,x,x,x)
		mov	[edi+4], esi
		pop	esi
		mov	[edi+2], bx
		pop	ebx
		jmp	short loc_855A68
; 

loc_855A5B:				; CODE XREF: CmpInitializeValueNameString(x,x,x)+10j
		lea	eax, [ecx+14h]
		mov	[edi], dx
		mov	[edi+4], eax
		mov	[edi+2], dx

loc_855A68:				; CODE XREF: CmpInitializeValueNameString(x,x,x)+41j
		pop	edi
		pop	ebp
		retn	4
; 

loc_855A6D:				; CODE XREF: CmpInitializeValueNameString(x,x,x)+21j
		movzx	eax, dx
		xor	edx, edx
		push	eax
		push	ecx
		push	31h
		inc	edx
		pop	ecx
		call	_CmSiBugCheck@16 ; CmSiBugCheck(x,x,x,x)
		int	3		; Trap to Debugger
_CmpInitializeValueNameString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightUpdateSharedSetValueData(x, x)
_CmpLightWeightUpdateSharedSetValueData@8 proc near
					; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+76p
					; CmpLightWeightPrepareDeleteValueKeyUoW(x)+56p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [edx+70h]

loc_855A8F:				; CODE XREF: CmpLightWeightUpdateSharedSetValueData(x,x)+2Aj
					; CmpLightWeightUpdateSharedSetValueData(x,x)+31j
		push	10h
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jz	short loc_855AB1
		mov	ecx, [eax+24h]
		add	ecx, 0FFFFFFFCh
		cmp	ecx, 2
		ja	short loc_855A8F
		mov	[eax+40h], esi
		inc	dword ptr [esi]
		jmp	short loc_855A8F
; 

loc_855AB1:				; CODE XREF: CmpLightWeightUpdateSharedSetValueData(x,x)+1Fj
		pop	edi
		pop	esi
		leave
		retn
_CmpLightWeightUpdateSharedSetValueData@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLightWeightCreateSetValueData proc near
					; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+5Fp
					; CmpLightWeightPrepareDeleteValueKeyUoW(x)+3Fp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090139D SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		or	[ebp+var_10], 0FFFFFFFFh
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		xor	ecx, ecx
		mov	eax, [eax+18h]
		xor	esi, esi
		push	77554D43h
		push	0Ch
		mov	[ebp+var_8], edx
		inc	ecx
		mov	[ebp+var_C], esi
		mov	ebx, [eax+10h]
		pop	edx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_90139D
		mov	eax, [ebp+var_4]
		lea	ecx, [ebp+var_10]
		mov	[edi+4], esi
		mov	[edi+8], esi
		mov	dword ptr [edi], 1
		mov	eax, [eax+18h]
		push	ecx
		mov	eax, [eax+14h]
		push	eax
		push	ebx
		call	dword ptr [ebx+4]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_855B72
		or	dword ptr [edi+8], 0FFFFFFFFh
		mov	[edi+4], esi
		mov	ecx, [eax+24h]
		test	ecx, ecx
		jz	short loc_855B54
		mov	[edi+4], ecx
		mov	ecx, ebx
		mov	edx, [eax+28h]
		mov	eax, edx
		shr	eax, 1Fh
		push	eax
		push	ebx
		call	_CmpCopyCell@16	; CmpCopyCell(x,x,x,x)
		mov	[edi+8], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_855B79
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	esi
		push	esi
		mov	edx, [edx+28h]
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_855B80

loc_855B54:				; CODE XREF: CmpLightWeightCreateSetValueData+6Dj
		mov	eax, [ebp+var_8]
		mov	[eax], edi
		mov	edi, esi

loc_855B5B:				; CODE XREF: CmpLightWeightCreateSetValueData+C8j
					; CmpLightWeightCreateSetValueData+CFj
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]

loc_855B63:				; CODE XREF: CmpLightWeightCreateSetValueData+C1j
		test	edi, edi
		jnz	loc_9013A7

loc_855B6B:				; CODE XREF: CmpLightWeightCreateSetValueData+AB8ECj
					; CmpLightWeightCreateSetValueData+AB90Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_855B72:				; CODE XREF: CmpLightWeightCreateSetValueData+5Fj
		mov	esi, 0C000009Ah
		jmp	short loc_855B63
; 

loc_855B79:				; CODE XREF: CmpLightWeightCreateSetValueData+89j
		mov	esi, 0C000009Ah
		jmp	short loc_855B5B
; 

loc_855B80:				; CODE XREF: CmpLightWeightCreateSetValueData+9Cj
		mov	esi, 0C000017Dh
		jmp	short loc_855B5B
CmpLightWeightCreateSetValueData endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCopyCell(x, x, x, x)
_CmpCopyCell@16	proc near		; CODE XREF: CmpLightWeightCreateSetValueData+7Ep
					; CmpCopyKeyPartial(x,x,x,x,x,x,x)+A4p	...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		or	[ebp+var_18], 0FFFFFFFFh
		xor	eax, eax
		or	[ebp+var_10], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_14], eax
		mov	esi, ecx
		mov	[ebp+var_C], eax
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	edx
		push	esi
		call	dword ptr [esi+4]
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_855C0A
		mov	edi, [ebp+arg_0]
		lea	ecx, [ebp+var_10]
		push	0FFFFFFFCh
		pop	eax
		sub	eax, [ebx-4]
		push	ecx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_8], eax
		push	ecx
		push	[ebp+arg_4]
		mov	edx, eax
		mov	ecx, edi
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	[ebp+arg_4], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_855BF1
		push	[ebp+var_8]	; size_t
		push	ebx		; void *
		push	[ebp+var_4]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_855BF1:				; CODE XREF: CmpCopyCell(x,x,x,x)+58j
		cmp	[ebp+var_4], 0
		jz	short loc_855BFF
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_855BFF:				; CODE XREF: CmpCopyCell(x,x,x,x)+6Dj
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edi, [ebp+arg_4]

loc_855C0A:				; CODE XREF: CmpCopyCell(x,x,x,x)+30j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_CmpCopyCell@16	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtOpenObjectAuditAlarm(int,int,int,int,size_t,int,int,int,void *,int,int,int)
NtOpenObjectAuditAlarm proc near	; DATA XREF: .text:00580F30o

var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= byte ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

; FUNCTION CHUNK AT 009013C7 SIZE 000000B2 BYTES
; FUNCTION CHUNK AT 0090149D SIZE 00000121 BYTES
; FUNCTION CHUNK AT 009015DE SIZE 00000029 BYTES

		push	54h
		push	offset dword_6A48C8
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_1B], cl
		xor	eax, eax
		lea	edi, [ebp+var_64]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_19], cl
		mov	[ebp+var_1A], cl
		mov	[ebp+var_40], ecx
		mov	[ebp+var_44], ecx
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	[ebp+var_3C], bl
		lea	eax, [ebp+var_64]
		push	eax
		call	SeCaptureSubjectContext
		mov	dl, bl
		lea	ecx, [ebp+var_64]
		call	_SeCheckAuditPrivilege@8 ; SeCheckAuditPrivilege(x,x)
		test	al, al
		jz	loc_9013C7
		mov	eax, ds:_SeTokenObjectType
		xor	ebx, ebx
		mov	[ebp+var_28], ebx
		push	ebx
		lea	ecx, [ebp+var_28]
		push	ecx
		push	dword ptr [ebp+var_3C]
		push	eax
		push	8
		push	[ebp+arg_14]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9013CE
		mov	esi, [ebp+var_28]
		cmp	dword ptr [esi+0A8h], 2
		jz	loc_855E1F

loc_855CAA:				; CODE XREF: NtOpenObjectAuditAlarm+212j
		cmp	[ebp+arg_10], ebx
		jz	loc_9013F7
		lea	eax, [ebp+var_20]
		push	eax		; int
		push	ebx		; int
		push	1		; int
		push	dword ptr [ebp+var_3C] ; char
		push	[ebp+arg_10]	; size_t
		call	SeCaptureSecurityDescriptor
		mov	[ebp+var_34], eax
		test	eax, eax
		js	loc_9015DE
		cmp	[ebp+var_20], ebx
		jz	loc_9015DE
		mov	[ebp+ms_exc.disabled], ebx
		cmp	byte ptr [ebp+arg_28], 0
		jz	short loc_855CED
		mov	eax, [ebp+arg_20]
		test	eax, eax
		jnz	loc_855E31

loc_855CED:				; CODE XREF: NtOpenObjectAuditAlarm+CCj
					; NtOpenObjectAuditAlarm+297j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_855D15
		test	al, 3
		jnz	loc_855F17
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_90146B

loc_855D0A:				; CODE XREF: NtOpenObjectAuditAlarm+AB859j
		nop
		mov	al, [eax]
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		mov	[ebp+var_40], eax

loc_855D15:				; CODE XREF: NtOpenObjectAuditAlarm+DEj
		mov	ecx, [ebp+arg_2C]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_901472

loc_855D25:				; CODE XREF: NtOpenObjectAuditAlarm+AB860j
		mov	al, [ecx]
		mov	[ecx], al
		lea	edx, [ebp+var_2C]
		mov	ecx, [ebp+arg_0]
		call	SepProbeAndCaptureString_U
		mov	esi, eax
		mov	[ebp+var_34], esi
		test	esi, esi
		js	short loc_855D61
		lea	edx, [ebp+var_38]
		mov	ecx, [ebp+arg_8]
		call	SepProbeAndCaptureString_U
		mov	esi, eax
		mov	[ebp+var_34], esi
		test	esi, esi
		js	short loc_855D61
		lea	edx, [ebp+var_30]
		mov	ecx, [ebp+arg_C]
		call	SepProbeAndCaptureString_U
		mov	esi, eax

loc_855D5E:				; CODE XREF: NtOpenObjectAuditAlarm+AB812j
		mov	[ebp+var_34], esi

loc_855D61:				; CODE XREF: NtOpenObjectAuditAlarm+127j
					; NtOpenObjectAuditAlarm+13Bj
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi

loc_855D67:				; CODE XREF: sub_901487+11j
		test	esi, esi
		js	loc_90149D
		lea	eax, [ebp+var_44]
		push	eax
		push	ebx
		lea	eax, [ebp+var_64]
		push	eax
		mov	ecx, [ebp+arg_28]
		test	cl, cl
		setz	al
		movzx	eax, al
		push	eax
		push	ecx
		mov	esi, [ebp+var_38]
		mov	edx, esi
		xor	ecx, ecx
		call	SepAdtAuditObjectAccessWithContext
		test	al, al
		jnz	loc_901501

loc_855D99:				; CODE XREF: NtOpenObjectAuditAlarm+AB94Fj
					; NtOpenObjectAuditAlarm+AB9A5j
		cmp	[ebp+arg_20], 0
		jnz	loc_855EB0

loc_855DA3:				; CODE XREF: NtOpenObjectAuditAlarm+2A0j
					; NtOpenObjectAuditAlarm+2AAj ...
		cmp	[ebp+var_20], 0
		jz	short loc_855DB5
		push	ebx
		push	dword ptr [ebp+var_3C]
		push	[ebp+var_20]
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)

loc_855DB5:				; CODE XREF: NtOpenObjectAuditAlarm+193j
		cmp	[ebp+var_2C], 0
		jz	short loc_855DC4
		push	ebx
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_855DC4:				; CODE XREF: NtOpenObjectAuditAlarm+1A5j
		test	esi, esi
		jz	short loc_855DCF
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_855DCF:				; CODE XREF: NtOpenObjectAuditAlarm+1B2j
		cmp	[ebp+var_30], 0
		jz	short loc_855DDE
		push	ebx
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_855DDE:				; CODE XREF: NtOpenObjectAuditAlarm+1BFj
		cmp	[ebp+var_24], 0
		jnz	loc_855F09

loc_855DE8:				; CODE XREF: NtOpenObjectAuditAlarm+2FEj
		mov	ecx, [ebp+var_28]
		call	ObfDereferenceObject
		lea	eax, [ebp+var_64]
		push	eax
		call	SeReleaseSubjectContext
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+arg_2C]
		mov	al, [ebp+var_1B]
		mov	[ecx], al
		mov	[ebp+ms_exc.disabled], edi
		xor	eax, eax

loc_855E0D:				; CODE XREF: NtOpenObjectAuditAlarm+AB852j
					; sub_9015CC+Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	30h
; 

loc_855E1F:				; CODE XREF: NtOpenObjectAuditAlarm+90j
		cmp	dword ptr [esi+0ACh], 1
		jge	loc_855CAA
		jmp	loc_9013E9
; 

loc_855E31:				; CODE XREF: NtOpenObjectAuditAlarm+D3j
		test	al, 3
		jnz	loc_855F17
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_901411

loc_855E47:				; CODE XREF: NtOpenObjectAuditAlarm+AB7FFj
		nop
		mov	al, [eax]
		mov	eax, [ebp+arg_20]
		mov	edi, [eax]
		mov	[ebp+var_50], edi
		test	edi, edi
		jnz	loc_901418

loc_855E5A:				; CODE XREF: NtOpenObjectAuditAlarm+AB807j
		imul	esi, edi, 0Ch
		add	esi, 8
		mov	[ebp+var_54], esi
		jz	short loc_855E81
		mov	eax, [ebp+arg_20]
		lea	edx, [esi+eax]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	loc_90142B
		cmp	edx, eax
		jb	loc_90142B

loc_855E81:				; CODE XREF: NtOpenObjectAuditAlarm+24Fj
					; NtOpenObjectAuditAlarm+AB819j
		push	72506553h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_901432
		push	esi		; size_t
		push	[ebp+arg_20]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_24]
		mov	[eax], edi
		jmp	loc_855CED
; 

loc_855EB0:				; CODE XREF: NtOpenObjectAuditAlarm+189j
		cmp	[ebp+var_19], 0
		jnz	loc_855DA3
		cmp	[ebp+var_1A], 0
		jnz	loc_855DA3
		mov	ecx, [ebp+arg_28]
		test	cl, cl
		jz	loc_855DA3
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	ecx
		push	[ebp+var_24]
		push	[ebp+arg_18]
		push	dword ptr [eax+0E4h]
		push	[ebp+var_5C]
		push	[ebp+var_28]
		push	[ebp+var_40]
		push	[ebp+var_30]
		mov	esi, [ebp+var_38]
		mov	edx, esi
		mov	ecx, [ebp+var_2C]
		call	SepAdtPrivilegeObjectAuditAlarm
		mov	[ebp+var_1B], bl
		jmp	loc_855DA3
; 

loc_855F09:				; CODE XREF: NtOpenObjectAuditAlarm+1CEj
		push	ebx
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_855DE8
; 

loc_855F17:				; CODE XREF: NtOpenObjectAuditAlarm+E2j
					; NtOpenObjectAuditAlarm+21Fj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
NtOpenObjectAuditAlarm endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _SysCtxRegCreateKey(x, x, x, x, x, x, x, x,	x)
__SysCtxRegCreateKey@36	proc near	; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+114p
					; _PnpSetPropertyWorker+10Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, edx
		test	ecx, ecx
		jz	short loc_855F4F
		mov	edx, [ecx+4]
		push	edx

loc_855F2E:				; CODE XREF: _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)+35j
		push	[ebp+arg_18]
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		push	[ebp+arg_14]
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_RegRtlCreateKeyTransacted
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_855F4F:				; CODE XREF: _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)+Cj
		push	0
		jmp	short loc_855F2E
__SysCtxRegCreateKey@36	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmAddLogForAction(x, x)
_CmAddLogForAction@8 proc near		; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+B99p
					; PAGE:0074BEC9p ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		or	[ebp+var_18], 0FFFFFFFFh
		or	[ebp+var_40], 0FFFFFFFFh
		or	[ebp+var_48], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	eax, ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_44], ecx
		mov	ebx, ecx
		mov	[ebp+var_38], ecx
		mov	edx, [edi+1Ch]
		mov	[ebp+var_34], ecx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_C], ecx
		test	byte ptr [edx+18h], 80h
		mov	[ebp+var_14], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		jnz	loc_856530
		mov	ecx, [edi+18h]
		xor	esi, esi
		mov	eax, [ecx+10h]
		mov	eax, [eax+9A0h]
		mov	[ebp+var_28], eax
		cmp	[eax+38h], esi
		jz	loc_856530
		cmp	[edx+1Ch], esi
		jz	loc_856530
		cmp	dword ptr [edi+24h], 0Dh
		jz	loc_856530
		lea	edx, [ebp+var_8]
		mov	[ebp+var_8], esi
		call	CmpConstructNameWithStatus
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jnz	short loc_855FED
		mov	eax, 0C000009Ah
		jmp	loc_856532
; 

loc_855FED:				; CODE XREF: CmAddLogForAction(x,x)+8Dj
		mov	edx, [edi+24h]
		cmp	edx, 7
		jg	loc_8560E5
		jz	loc_8560CF
		test	edx, edx
		jz	loc_8560BF
		cmp	edx, 2
		jz	loc_8560BF
		lea	eax, [edx-4]
		cmp	eax, 2
		ja	loc_8560D2
		push	3Ch
		pop	esi
		cmp	edx, 4
		jz	short loc_85604F
		cmp	edx, 5
		jz	short loc_85604F
		mov	eax, [edi+18h]
		lea	edx, [ebp+var_40]
		mov	ecx, [edi+30h]
		push	edx
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		mov	[ebp+var_18], ecx
		call	dword ptr [eax+4]
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_856097

loc_856045:				; CODE XREF: CmAddLogForAction(x,x)+115j
					; CmAddLogForAction(x,x)+1BAj
		mov	esi, 0C000009Ah
		jmp	loc_85651F
; 

loc_85604F:				; CODE XREF: CmAddLogForAction(x,x)+CEj
					; CmAddLogForAction(x,x)+D3j
		mov	eax, [edi+18h]
		lea	edx, [ebp+var_40]
		mov	ecx, [edi+34h]
		push	edx
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		mov	[ebp+var_18], ecx
		call	dword ptr [eax+4]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_856045
		mov	ecx, [eax+4]
		mov	[ebp+var_14], ecx
		cmp	ecx, 80000000h
		jb	short loc_856082
		add	ecx, 80000000h
		mov	[ebp+var_14], ecx

loc_856082:				; CODE XREF: CmAddLogForAction(x,x)+123j
		lea	esi, [ecx+3Ch]
		mov	[ebp+var_1C], ecx
		cmp	esi, 3Ch
		jnb	short loc_856097
		mov	esi, 0C0000095h
		jmp	loc_856501
; 

loc_856097:				; CODE XREF: CmAddLogForAction(x,x)+EFj
					; CmAddLogForAction(x,x)+137j
		test	byte ptr [eax+10h], 1
		movzx	ecx, word ptr [eax+2]
		mov	edx, ecx
		jz	short loc_8560AB
		lea	eax, [ecx+ecx]
		movzx	eax, ax
		jmp	short loc_8560AD
; 

loc_8560AB:				; CODE XREF: CmAddLogForAction(x,x)+14Dj
		mov	eax, edx

loc_8560AD:				; CODE XREF: CmAddLogForAction(x,x)+155j
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		movzx	eax, ax
		mov	[ebp+var_10], eax
		add	esi, eax
		jmp	loc_856142
; 

loc_8560BF:				; CODE XREF: CmAddLogForAction(x,x)+ADj
					; CmAddLogForAction(x,x)+B6j
		mov	eax, [edi+18h]
		push	34h
		mov	eax, [eax+2Ch]

loc_8560C7:				; CODE XREF: CmAddLogForAction(x,x)+1E7j
		mov	esi, [eax+10h]
		pop	edx
		add	esi, edx
		jmp	short loc_856142
; 

loc_8560CF:				; CODE XREF: CmAddLogForAction(x,x)+A5j
		push	2Ch
		pop	esi

loc_8560D2:				; CODE XREF: CmAddLogForAction(x,x)+C2j
					; CmAddLogForAction(x,x)+19Fj ...
		movzx	eax, word ptr [ecx]
		add	esi, eax
		cmp	esi, eax
		jnb	short loc_856150
		mov	esi, 0C0000106h
		jmp	loc_8564EA
; 

loc_8560E5:				; CODE XREF: CmAddLogForAction(x,x)+9Fj
		sub	edx, 8
		jz	short loc_85613D
		sub	edx, 1
		jz	short loc_856136
		dec	edx
		sub	edx, 1
		jnz	short loc_8560D2
		mov	eax, [edi+30h]
		lea	edx, [ebp+var_48]
		push	edx
		mov	ecx, [eax+14h]
		mov	eax, [eax+10h]
		push	ecx
		push	eax
		call	dword ptr [eax+4]
		mov	edx, eax
		mov	[ebp+var_24], edx
		test	edx, edx
		jz	loc_856045
		test	byte ptr [edx+2], 20h
		movzx	eax, word ptr [edx+48h]
		mov	ecx, eax
		jz	short loc_856125
		add	eax, eax
		movzx	eax, ax

loc_856125:				; CODE XREF: CmAddLogForAction(x,x)+1CAj
		mov	ecx, [ebp+var_8]
		movzx	eax, ax
		push	30h
		mov	[ebp+var_20], eax
		pop	edx
		lea	esi, [eax+30h]
		jmp	short loc_856142
; 

loc_856136:				; CODE XREF: CmAddLogForAction(x,x)+199j
		mov	eax, [edi+30h]
		push	30h
		jmp	short loc_8560C7
; 

loc_85613D:				; CODE XREF: CmAddLogForAction(x,x)+194j
		push	30h
		pop	edx
		mov	esi, edx

loc_856142:				; CODE XREF: CmAddLogForAction(x,x)+166j
					; CmAddLogForAction(x,x)+179j ...
		cmp	esi, edx
		jnb	short loc_8560D2
		mov	esi, 0C0000095h
		jmp	loc_8564EA
; 

loc_856150:				; CODE XREF: CmAddLogForAction(x,x)+185j
		push	20204D43h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_85616D

loc_856163:				; CODE XREF: CmAddLogForAction(x,x)+351j
		mov	esi, 0C000009Ah
		jmp	loc_8564EA
; 

loc_85616D:				; CODE XREF: CmAddLogForAction(x,x)+20Dj
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		mov	[ebx+4], esi
		mov	dword ptr [ebx+8], 1
		mov	esi, [edi+1Ch]
		lea	edi, [ebx+10h]
		add	esi, 2Ch
		push	7
		movsd
		movsd
		movsd
		movsd
		mov	ax, [edx]
		mov	edi, [ebp+var_2C]
		mov	[ebx+20h], ax
		mov	ax, [edx+2]
		mov	[ebx+22h], ax
		mov	ecx, [edi+24h]
		pop	eax
		cmp	ecx, eax
		jg	loc_856364
		jz	loc_85633F
		test	ecx, ecx
		jz	loc_8562EE
		cmp	ecx, 2
		jz	loc_8562EE
		lea	eax, [ecx-4]
		cmp	eax, 2
		ja	loc_856456
		or	[ebp+var_30], 0FFFFFFFFh
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	byte ptr [ebp+var_1], al
		mov	[ebp+var_2C], eax
		cmp	ecx, 4
		jnz	short loc_8561F3
		mov	dword ptr [ebx+0Ch], 3
		jmp	short loc_856201
; 

loc_8561F3:				; CODE XREF: CmAddLogForAction(x,x)+294j
		xor	eax, eax
		cmp	ecx, 5
		setnz	al
		add	eax, 4
		mov	[ebx+0Ch], eax

loc_856201:				; CODE XREF: CmAddLogForAction(x,x)+29Dj
		mov	eax, [ebp+var_C]
		lea	esi, [ebx+3Ch]
		mov	eax, [eax+0Ch]
		mov	[ebx+30h], eax
		mov	[ebx+24h], esi
		movzx	eax, word ptr [edx]
		push	eax		; size_t
		push	dword ptr [edx+4] ; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		movzx	eax, word ptr [eax]
		add	esi, eax
		mov	eax, [ebp+var_C]
		mov	[ebx+2Ch], esi
		test	byte ptr [eax+10h], 1
		lea	ecx, [eax+14h]
		jz	short loc_856249
		movzx	eax, word ptr [eax+2]
		mov	edx, [ebp+var_10]
		push	eax
		push	ecx
		mov	ecx, esi
		call	_CmpCopyCompressedName@16 ; CmpCopyCompressedName(x,x,x,x)
		jmp	short loc_856256
; 

loc_856249:				; CODE XREF: CmAddLogForAction(x,x)+2E1j
		push	[ebp+var_10]	; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_856256:				; CODE XREF: CmAddLogForAction(x,x)+2F3j
		mov	eax, [ebp+var_10]
		and	dword ptr [ebx+2Ch], 0
		movzx	eax, ax
		mov	[ebx+2Ah], ax
		mov	[ebx+28h], ax
		cmp	dword ptr [edi+24h], 6
		jnz	short loc_85627B
		and	dword ptr [ebx+34h], 0
		and	dword ptr [ebx+38h], 0
		jmp	loc_856456
; 

loc_85627B:				; CODE XREF: CmAddLogForAction(x,x)+318j
		mov	eax, [ebp+var_14]
		mov	edx, [ebp+var_18]
		mov	[ebx+34h], eax
		lea	eax, [ebp+var_30]
		mov	ecx, [edi+18h]
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		mov	ecx, [ecx+10h]
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		mov	eax, [ebp+var_C]
		push	eax
		call	CmpGetValueData
		test	al, al
		jz	loc_856163
		push	[ebp+var_1C]	; size_t
		mov	eax, [ebp+var_10]
		push	[ebp+var_20]	; void *
		add	eax, esi
		push	eax		; void *
		mov	[ebx+38h], eax
		call	_memcpy
		and	dword ptr [ebx+38h], 0
		add	esp, 0Ch
		cmp	byte ptr [ebp+var_1], 1
		jnz	short loc_8562DB
		push	0
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_856456
; 

loc_8562DB:				; CODE XREF: CmAddLogForAction(x,x)+376j
		mov	eax, [edi+18h]
		lea	ecx, [ebp+var_30]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]
		jmp	loc_856456
; 

loc_8562EE:				; CODE XREF: CmAddLogForAction(x,x)+267j
					; CmAddLogForAction(x,x)+270j
		xor	eax, eax
		lea	esi, [ebx+34h]
		test	ecx, ecx
		setnz	al
		inc	eax
		mov	[ebx+0Ch], eax
		mov	eax, [edi+28h]
		mov	[ebx+28h], eax
		mov	[ebx+24h], esi
		movzx	eax, word ptr [edx]
		push	eax		; size_t
		push	dword ptr [edx+4] ; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		movzx	ecx, word ptr [eax]
		add	ecx, esi
		mov	[ebx+30h], ecx
		mov	eax, [edi+18h]
		mov	eax, [eax+2Ch]
		push	dword ptr [eax+10h] ; size_t
		add	eax, 18h
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		and	dword ptr [ebx+30h], 0
		jmp	loc_856456
; 

loc_85633F:				; CODE XREF: CmAddLogForAction(x,x)+25Fj
		lea	ecx, [ebx+2Ch]
		mov	dword ptr [ebx+0Ch], 6
		mov	[ebx+24h], ecx
		movzx	eax, word ptr [edx]
		push	eax		; size_t
		push	dword ptr [edx+4] ; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [edi+30h]
		mov	[ebx+28h], eax
		jmp	loc_856453
; 

loc_856364:				; CODE XREF: CmAddLogForAction(x,x)+259j
		sub	ecx, 8
		jz	loc_856431
		sub	ecx, 1
		jz	short loc_8563DE
		dec	ecx
		sub	ecx, 1
		jnz	loc_856456
		lea	esi, [ebx+30h]
		mov	dword ptr [ebx+0Ch], 9
		mov	[ebx+24h], esi
		movzx	eax, word ptr [edx]
		push	eax		; size_t
		push	dword ptr [edx+4] ; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		movzx	ecx, word ptr [eax]
		mov	eax, [ebp+var_24]
		add	ecx, esi
		mov	esi, [ebp+var_20]
		mov	[ebx+2Ch], ecx
		test	byte ptr [eax+2], 20h
		lea	edx, [eax+4Ch]
		jz	short loc_8563C2
		movzx	eax, word ptr [eax+48h]
		push	eax
		push	edx
		mov	edx, esi
		call	_CmpCopyCompressedName@16 ; CmpCopyCompressedName(x,x,x,x)
		jmp	short loc_8563CD
; 

loc_8563C2:				; CODE XREF: CmAddLogForAction(x,x)+45Dj
		push	esi		; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_8563CD:				; CODE XREF: CmAddLogForAction(x,x)+46Cj
		and	dword ptr [ebx+2Ch], 0
		movzx	eax, si
		mov	[ebx+2Ah], ax
		mov	[ebx+28h], ax
		jmp	short loc_856456
; 

loc_8563DE:				; CODE XREF: CmAddLogForAction(x,x)+41Cj
		xor	eax, eax
		lea	esi, [ebx+30h]
		cmp	[edi+38h], al
		setnz	al
		lea	eax, ds:8[eax*2]
		mov	[ebx+0Ch], eax
		mov	[ebx+24h], esi
		movzx	eax, word ptr [edx]
		push	eax		; size_t
		push	dword ptr [edx+4] ; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [edi+30h]
		add	esp, 0Ch
		mov	ecx, [eax+10h]
		mov	eax, [ebp+var_8]
		mov	[ebx+28h], ecx
		push	ecx		; size_t
		movzx	edx, word ptr [eax]
		add	edx, esi
		mov	[ebx+2Ch], edx
		mov	eax, [edi+30h]
		add	eax, 18h
		push	eax		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		and	dword ptr [ebx+2Ch], 0
		jmp	short loc_856456
; 

loc_856431:				; CODE XREF: CmAddLogForAction(x,x)+413j
		lea	ecx, [ebx+30h]
		mov	[ebx+0Ch], eax
		mov	[ebx+24h], ecx
		movzx	eax, word ptr [edx]
		push	eax		; size_t
		push	dword ptr [edx+4] ; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [edi+30h]
		mov	[ebx+28h], eax
		mov	eax, [edi+34h]
		mov	[ebx+2Ch], eax

loc_856453:				; CODE XREF: CmAddLogForAction(x,x)+40Bj
		add	esp, 0Ch

loc_856456:				; CODE XREF: CmAddLogForAction(x,x)+27Cj
					; CmAddLogForAction(x,x)+322j ...
		mov	edx, [ebx+4]
		mov	ecx, ebx
		and	dword ptr [ebx+24h], 0
		call	_HvBufferCheckSum@8 ; HvBufferCheckSum(x,x)
		mov	[ebx], eax
		mov	eax, [edi+1Ch]
		add	eax, 40h
		push	eax
		call	ds:__imp__ClfsLsnInvalid@4 ; ClfsLsnInvalid(x)
		movzx	eax, al
		lea	ecx, [ebp+var_38]
		neg	eax
		mov	edx, ebx
		push	ecx
		mov	ecx, [ebp+var_28]
		sbb	eax, eax
		and	eax, 2
		push	eax
		push	dword ptr [ebx+4]
		call	CmpTransWriteLog
		mov	esi, eax
		test	esi, esi
		js	short loc_8564B5
		mov	ecx, [edi+1Ch]
		add	ecx, 40h
		push	ecx
		call	ds:__imp__ClfsLsnInvalid@4 ; ClfsLsnInvalid(x)
		test	al, al
		jz	short loc_8564B5
		mov	ecx, [edi+1Ch]
		mov	eax, [ebp+var_38]
		mov	[ecx+40h], eax
		mov	eax, [ebp+var_34]
		mov	[ecx+44h], eax

loc_8564B5:				; CODE XREF: CmAddLogForAction(x,x)+53Fj
					; CmAddLogForAction(x,x)+550j
		push	78h
		pop	eax
		push	20204D43h
		push	eax
		push	1
		mov	[ebp+var_2C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	short loc_8564EA
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	eax
		mov	eax, [ebp+var_28]
		push	dword ptr [eax+34h]
		call	ds:__imp__ClfsGetLogFileInformation@12 ; ClfsGetLogFileInformation(x,x,x)
		push	0
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8564EA:				; CODE XREF: CmAddLogForAction(x,x)+18Cj
					; CmAddLogForAction(x,x)+1F7j ...
		cmp	[ebp+var_24], 0
		jz	short loc_8564FE
		mov	eax, [edi+30h]
		lea	ecx, [ebp+var_48]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]

loc_8564FE:				; CODE XREF: CmAddLogForAction(x,x)+59Aj
		mov	eax, [ebp+var_C]

loc_856501:				; CODE XREF: CmAddLogForAction(x,x)+13Ej
		test	eax, eax
		jz	short loc_856513
		mov	eax, [edi+18h]
		lea	ecx, [ebp+var_40]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]

loc_856513:				; CODE XREF: CmAddLogForAction(x,x)+5AFj
		test	ebx, ebx
		jz	short loc_85651F
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_85651F:				; CODE XREF: CmAddLogForAction(x,x)+F6j
					; CmAddLogForAction(x,x)+5C1j
		mov	ecx, [ebp+var_8]
		mov	edx, 624E4D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	short loc_856532
; 

loc_856530:				; CODE XREF: CmAddLogForAction(x,x)+47j
					; CmAddLogForAction(x,x)+61j ...
		xor	eax, eax

loc_856532:				; CODE XREF: CmAddLogForAction(x,x)+94j
					; CmAddLogForAction(x,x)+5DAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmAddLogForAction@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpRealtimeSaveBuffer proc near	; CODE XREF: EtwpRealtimeSendEmptyMarker(x)+88p
					; EtwpFlushBufferToRealtime+49p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00901607 SIZE 0000011C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_28], 0
		and	[ebp+var_24], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	eax, [esi+128h]
		mov	edi, [esi+124h]
		mov	edx, [esi+120h]
		mov	ecx, edx
		mov	[ebp+var_10], eax
		mov	eax, [esi+12Ch]
		mov	[ebp+var_C], eax
		mov	eax, [esi+130h]
		mov	[ebp+var_14], eax
		mov	eax, [esi+134h]
		mov	[ebp+var_18], eax
		mov	eax, edi
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edi
		cmp	eax, [ebp+var_C]
		jg	short loc_856595
		jl	short loc_8565BF
		cmp	edx, [ebp+var_10]
		jb	short loc_8565BF

loc_856595:				; CODE XREF: EtwpRealtimeSaveBuffer+54j
		mov	eax, [ebx+30h]
		mov	[ebp+var_4], eax
		xor	eax, eax
		add	[ebp+var_4], edx
		adc	eax, edi
		cmp	eax, [esi+144h]
		jl	short loc_8565BF
		jg	loc_901607
		mov	eax, [ebp+var_4]
		cmp	eax, [esi+140h]
		ja	loc_901607

loc_8565BF:				; CODE XREF: EtwpRealtimeSaveBuffer+56j
					; EtwpRealtimeSaveBuffer+5Bj ...
		cmp	edi, [ebp+var_C]
		jg	short loc_8565D3
		jl	loc_901620
		cmp	ecx, [ebp+var_10]
		jb	loc_901620

loc_8565D3:				; CODE XREF: EtwpRealtimeSaveBuffer+8Aj
					; EtwpRealtimeSaveBuffer+AB0F4j ...
		xor	ecx, ecx
		lea	eax, [ebp+var_20]
		push	ecx
		push	eax
		push	dword ptr [ebx+30h]
		lea	eax, [ebp+var_28]
		push	ebx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	dword ptr [esi+110h]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9016D5
		mov	eax, [ebx+30h]
		add	eax, [ebp+var_20]
		push	0
		pop	ecx
		adc	ecx, [ebp+var_1C]
		mov	[esi+120h], eax
		mov	[esi+124h], ecx
		cmp	[ebp+var_18], ecx
		jl	short loc_856620
		mov	edx, [ebp+var_14]
		jg	short loc_85667F
		cmp	edx, eax
		ja	short loc_85667F

loc_856620:				; CODE XREF: EtwpRealtimeSaveBuffer+DDj
		mov	edx, eax
		mov	eax, ecx

loc_856624:				; CODE XREF: EtwpRealtimeSaveBuffer+14Aj
		mov	[esi+130h], edx
		mov	ecx, esi
		mov	[esi+134h], eax
		mov	eax, [ebx+30h]
		add	[esi+138h], eax
		adc	dword ptr [esi+13Ch], 0
		inc	dword ptr [esi+148h]
		call	_EtwpIsRealtimeLogfileSpaceAvailable@4 ; EtwpIsRealtimeLogfileSpaceAvailable(x)
		test	al, al
		jz	loc_901690

loc_856655:				; CODE XREF: EtwpRealtimeSaveBuffer+AB15Ej
					; EtwpRealtimeSaveBuffer+AB183j ...
		test	edi, edi
		jnz	short loc_85666E
		add	esi, 258h
		cmp	word ptr [ebx+36h], 6
		jz	short loc_856675
		mov	eax, 0EFFFFFFFh
		lock and [esi],	eax

loc_85666E:				; CODE XREF: EtwpRealtimeSaveBuffer+11Fj
					; EtwpRealtimeSaveBuffer+145j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_856675:				; CODE XREF: EtwpRealtimeSaveBuffer+12Cj
		mov	eax, 10000000h
		lock or	[esi], eax
		jmp	short loc_85666E
; 

loc_85667F:				; CODE XREF: EtwpRealtimeSaveBuffer+E2j
					; EtwpRealtimeSaveBuffer+E6j
		mov	eax, [ebp+var_18]
		jmp	short loc_856624
EtwpRealtimeSaveBuffer endp


;  S U B	R O U T	I N E 


; __stdcall EtwpIsRealtimeLogfileSpaceAvailable(x)
_EtwpIsRealtimeLogfileSpaceAvailable@4 proc near ; CODE	XREF: EtwpRealtimeSaveBuffer+110p
					; EtwpRealtimeRestoreState+209p ...
		mov	edx, [ecx+0A4h]
		imul	edx, [ecx+4]
		mov	eax, [ecx+144h]
		push	esi
		mov	esi, [ecx+140h]
		sub	esi, [ecx+138h]
		sbb	eax, [ecx+13Ch]
		test	eax, eax
		ja	short loc_8566B1
		jb	short loc_8566B5
		cmp	esi, edx
		jbe	short loc_8566B5

loc_8566B1:				; CODE XREF: EtwpIsRealtimeLogfileSpaceAvailable(x)+25j
		mov	al, 1
		pop	esi
		retn
; 

loc_8566B5:				; CODE XREF: EtwpIsRealtimeLogfileSpaceAvailable(x)+27j
					; EtwpIsRealtimeLogfileSpaceAvailable(x)+2Bj
		xor	al, al
		pop	esi
		retn
_EtwpIsRealtimeLogfileSpaceAvailable@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiAuDoesClientHaveAccess(x)
_PiAuDoesClientHaveAccess@4 proc near	; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+FFp
					; PiCMValidateDeviceInstance+189p ...

var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, _PiAuSecurityObject
		lea	eax, [ebp-1]
		push	ebx
		push	eax
		xor	ebx, ebx
		push	ebx
		push	offset _PiAuSecurityObjectMapping
		mov	[ebp+var_1], bl
		call	PiAuVerifyAccessToObject
		test	eax, eax
		js	short loc_8566E3
		movzx	ebx, [ebp+var_1]

loc_8566E3:				; CODE XREF: PiAuDoesClientHaveAccess(x)+23j
		mov	al, bl
		pop	ebx
		leave
		retn
_PiAuDoesClientHaveAccess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopNotifySessionDisplayRequired	proc near
					; CODE XREF: PopPowerRequestExecuteCallbacks(x,x,x)+2Dp
					; DATA XREF: .data:off_6B146Co

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 00901723 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 28h
		xor	eax, eax
		xor	edx, edx
		mov	[esp+28h+var_14+1], ax
		mov	[esp+28h+var_11], dl
		mov	[esp+28h+var_20], edx
		cmp	_PsWin32CalloutsEstablished, al
		jz	short loc_856776
		cmp	ds:_TtmpEnabled, 1
		mov	ecx, [ebp+arg_0]
		mov	[esp+28h+var_1C], ecx
		jz	loc_901723
		cmp	[ebp+arg_8], al
		push	4
		setnz	al
		mov	[esp+2Ch+var_11], dl
		pop	ecx
		mov	byte ptr [esp+28h+var_14], dl
		lea	edx, [esp+28h+var_18]
		mov	[esp+28h+var_10], ecx
		lea	eax, ds:0FFFFFFFFh[eax*2]
		mov	[esp+28h+var_8], ecx
		mov	[esp+28h+var_24], eax
		xor	eax, eax
		mov	[esp+28h+var_14+1], ax
		lea	eax, [esp+28h+var_24]
		mov	[esp+28h+var_C], eax
		lea	eax, [esp+28h+var_20]
		mov	[esp+28h+var_4], eax
		lea	eax, [esp+28h+var_1C]
		push	eax
		push	1
		push	5
		pop	ecx
		mov	[esp+30h+var_18], 2
		call	PopInvokeWin32Callout

loc_856776:				; CODE XREF: PopNotifySessionDisplayRequired+22j
					; PopNotifySessionDisplayRequired+AB046j
		xor	eax, eax
		mov	esp, ebp
		pop	ebp
		retn	0Ch
PopNotifySessionDisplayRequired	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1901. PsSetCreateThreadNotifyRoutineEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsSetCreateThreadNotifyRoutineEx
PsSetCreateThreadNotifyRoutineEx proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00901733 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		sub	eax, 0
		jnz	loc_901733
		xor	esi, esi
		inc	esi

loc_856799:				; CODE XREF: PsSetCreateThreadNotifyRoutineEx+AAFC1j
		mov	ecx, [ebp+arg_4]
		call	_MmVerifyCallbackFunctionCheckFlags@8 ;	MmVerifyCallbackFunctionCheckFlags(x,x)
		test	eax, eax
		jz	short loc_8567B4
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	PspSetCreateThreadNotifyRoutine

loc_8567AF:				; CODE XREF: PsSetCreateThreadNotifyRoutineEx+35j
					; PsSetCreateThreadNotifyRoutineEx+AAFB9j
		pop	esi
		pop	ebp
		retn	8
; 

loc_8567B4:				; CODE XREF: PsSetCreateThreadNotifyRoutineEx+1Fj
		mov	eax, 0C0000022h
		jmp	short loc_8567AF
PsSetCreateThreadNotifyRoutineEx endp

; 
		align 10h
; Exported entry 1905. PsSetLoadImageNotifyRoutine

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetLoadImageNotifyRoutine(x)
		public _PsSetLoadImageNotifyRoutine@4
_PsSetLoadImageNotifyRoutine@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	0
		push	[ebp+arg_0]
		call	PsSetLoadImageNotifyRoutineEx
		pop	ecx
		pop	ebp
		retn	4
_PsSetLoadImageNotifyRoutine@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1900. PsSetCreateThreadNotifyRoutine

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetCreateThreadNotifyRoutine(x)
		public _PsSetCreateThreadNotifyRoutine@4
_PsSetCreateThreadNotifyRoutine@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	PspSetCreateThreadNotifyRoutine
		pop	ebp
		retn	4
_PsSetCreateThreadNotifyRoutine@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1906. PsSetLoadImageNotifyRoutineEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsSetLoadImageNotifyRoutineEx
PsSetLoadImageNotifyRoutineEx proc near	; CODE XREF: PsSetLoadImageNotifyRoutine(x)+Bp
					; EtwpCoverageSamplerStart(x)+16Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090174A SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		test	edx, 0FFFFFFFEh
		jnz	short loc_85687B
		mov	ecx, [ebp+arg_0]
		call	_ExAllocateCallBack@8 ;	ExAllocateCallBack(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_901751
		mov	eax, offset _PspLoadImageNotifyRoutine
		xor	esi, esi
		mov	[ebp+arg_4], eax
		mov	edi, esi

loc_856824:				; CODE XREF: PsSetLoadImageNotifyRoutineEx+76j
		push	esi
		mov	edx, ebx
		mov	ecx, eax
		call	ExCompareExchangeCallBack
		test	al, al
		jz	short loc_856856
		lock inc ds:_PspLoadImageNotifyRoutineCount
		mov	eax, ds:_PspNotifyEnableMask
		test	al, 1
		jz	short loc_85686F

loc_856842:				; CODE XREF: PsSetLoadImageNotifyRoutineEx+87j
					; PsSetLoadImageNotifyRoutineEx+AAF64j
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_PspLogAuditSetLoadImageNotifyRoutineEvent@8 ; PspLogAuditSetLoadImageNotifyRoutineEvent(x,x)
		mov	eax, esi

loc_85684E:				; CODE XREF: PsSetLoadImageNotifyRoutineEx+8Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_856856:				; CODE XREF: PsSetLoadImageNotifyRoutineEx+3Ej
		mov	eax, [ebp+arg_4]
		add	edi, 4
		add	eax, 4
		mov	[ebp+arg_4], eax
		cmp	edi, 100h
		jb	short loc_856824
		jmp	loc_90174A
; 

loc_85686F:				; CODE XREF: PsSetLoadImageNotifyRoutineEx+4Ej
		mov	eax, offset _PspNotifyEnableMask
		lock bts dword ptr [eax], 0
		jmp	short loc_856842
; 

loc_85687B:				; CODE XREF: PsSetLoadImageNotifyRoutineEx+12j
		mov	eax, 0C00000F0h
		jmp	short loc_85684E
PsSetLoadImageNotifyRoutineEx endp

; 
		align 8
; Exported entry 1898. PsSetCreateProcessNotifyRoutineEx2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetCreateProcessNotifyRoutineEx2(x, x, x)
		public _PsSetCreateProcessNotifyRoutineEx2@12
_PsSetCreateProcessNotifyRoutineEx2@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_8568AA
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		cmp	[ebp+arg_8], dl
		setnz	dl
		add	edx, 6
		call	PspSetCreateProcessNotifyRoutine

loc_8568A6:				; CODE XREF: PsSetCreateProcessNotifyRoutineEx2(x,x,x)+27j
		pop	ebp
		retn	0Ch
; 

loc_8568AA:				; CODE XREF: PsSetCreateProcessNotifyRoutineEx2(x,x,x)+9j
		mov	eax, 0C000000Dh
		jmp	short loc_8568A6
_PsSetCreateProcessNotifyRoutineEx2@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetCreateThreadNotifyRoutine	proc near ; CODE XREF: PsSetCreateThreadNotifyRoutineEx+26p
					; PsSetCreateThreadNotifyRoutine(x)+Ap

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090175B SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, edx
		push	ebx
		mov	[ebp+var_4], eax
		call	_ExAllocateCallBack@8 ;	ExAllocateCallBack(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_856939
		push	esi
		push	edi
		mov	edi, offset _PspCreateThreadNotifyRoutine
		xor	esi, esi

loc_8568D2:				; CODE XREF: PspSetCreateThreadNotifyRoutine+3Bj
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	ExCompareExchangeCallBack
		test	al, al
		jnz	short loc_8568F4
		add	esi, 4
		add	edi, 4
		cmp	esi, 100h
		jb	short loc_8568D2
		jmp	loc_90175B
; 

loc_8568F4:				; CODE XREF: PspSetCreateThreadNotifyRoutine+2Dj
		test	byte ptr [ebp+var_4], 1
		jnz	short loc_856911
		lock inc ds:_PspCreateThreadNotifyRoutineCount
		mov	eax, ds:_PspNotifyEnableMask
		test	al, 8
		jz	short loc_85692D

loc_85690A:				; CODE XREF: PspSetCreateThreadNotifyRoutine+6Dj
					; PspSetCreateThreadNotifyRoutine+79j ...
		xor	eax, eax

loc_85690C:				; CODE XREF: PspSetCreateThreadNotifyRoutine+AAEB6j
		pop	edi
		pop	esi

loc_85690E:				; CODE XREF: PspSetCreateThreadNotifyRoutine+8Cj
		pop	ebx
		leave
		retn
; 

loc_856911:				; CODE XREF: PspSetCreateThreadNotifyRoutine+46j
		lock inc ds:_PspCreateThreadNotifyRoutineNonSystemCount
		mov	eax, ds:_PspNotifyEnableMask
		test	al, 10h
		jnz	short loc_85690A
		mov	eax, offset _PspNotifyEnableMask
		lock bts dword ptr [eax], 4
		jmp	short loc_85690A
; 

loc_85692D:				; CODE XREF: PspSetCreateThreadNotifyRoutine+56j
		mov	eax, offset _PspNotifyEnableMask
		lock bts dword ptr [eax], 3
		jmp	short loc_85690A
; 

loc_856939:				; CODE XREF: PspSetCreateThreadNotifyRoutine+15j
		mov	eax, 0C000009Ah
		jmp	short loc_85690E
PspSetCreateThreadNotifyRoutine	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetCreateProcessNotifyRoutine proc near
					; CODE XREF: PsSetCreateProcessNotifyRoutineEx2(x,x,x)+19p
					; PsSetCreateProcessNotifyRoutine(x,x)+10p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090176D SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ebx
		push	edi
		mov	edi, ecx
		and	esi, 2
		mov	[ebp+var_10], edi
		test	bl, 1
		jnz	loc_8569EC
		test	esi, esi
		jz	short loc_856971
		call	_MmVerifyCallbackFunctionCheckFlags@8 ;	MmVerifyCallbackFunctionCheckFlags(x,x)
		test	eax, eax
		jz	loc_90177F

loc_856971:				; CODE XREF: PspSetCreateProcessNotifyRoutine+22j
		mov	edx, ebx
		mov	ecx, edi
		call	_ExAllocateCallBack@8 ;	ExAllocateCallBack(x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_901789
		mov	ebx, offset _PspCreateProcessNotifyRoutine
		xor	edi, edi

loc_85698C:				; CODE XREF: PspSetCreateProcessNotifyRoutine+6Aj
		push	0
		mov	edx, eax
		mov	ecx, ebx
		call	ExCompareExchangeCallBack
		test	al, al
		jnz	short loc_8569B1
		mov	eax, [ebp+var_C]
		add	edi, 4
		add	ebx, 4
		cmp	edi, 100h
		jb	short loc_85698C
		jmp	loc_901793
; 

loc_8569B1:				; CODE XREF: PspSetCreateProcessNotifyRoutine+59j
		test	esi, esi
		jz	short loc_8569D0
		lock inc ds:_PspCreateProcessNotifyRoutineExCount
		mov	eax, ds:_PspNotifyEnableMask
		test	al, 4
		jz	loc_856A98

loc_8569C9:				; CODE XREF: PspSetCreateProcessNotifyRoutine+9Ej
					; PspSetCreateProcessNotifyRoutine+AAj	...
		xor	eax, eax

loc_8569CB:				; CODE XREF: PspSetCreateProcessNotifyRoutine+AAE3Aj
					; PspSetCreateProcessNotifyRoutine+AAE44j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8569D0:				; CODE XREF: PspSetCreateProcessNotifyRoutine+73j
		lock inc ds:_PspCreateProcessNotifyRoutineCount
		mov	eax, ds:_PspNotifyEnableMask
		test	al, 2
		jnz	short loc_8569C9
		mov	eax, offset _PspNotifyEnableMask
		lock bts dword ptr [eax], 1
		jmp	short loc_8569C9
; 

loc_8569EC:				; CODE XREF: PspSetCreateProcessNotifyRoutine+1Aj
		mov	eax, large fs:124h
		mov	[ebp+var_C], eax
		dec	word ptr [eax+13Ch]
		nop
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	eax, offset _PspCreateProcessNotifyRoutine
		mov	[ebp+var_4], eax

loc_856A0A:				; CODE XREF: PspSetCreateProcessNotifyRoutine+FFj
		mov	ecx, eax
		call	ExReferenceCallBackBlock
		mov	edi, eax
		test	edi, edi
		jz	short loc_856A2C
		mov	eax, [ebp+var_10]
		and	ebx, 0FFFFFFFEh
		cmp	[edi+4], eax
		jz	short loc_856A46

loc_856A22:				; CODE XREF: PspSetCreateProcessNotifyRoutine+109j
					; PspSetCreateProcessNotifyRoutine+118j
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)

loc_856A2C:				; CODE XREF: PspSetCreateProcessNotifyRoutine+D5j
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		inc	ecx
		add	eax, 4
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], eax
		cmp	ecx, 40h
		jb	short loc_856A0A
		jmp	loc_90176D
; 

loc_856A46:				; CODE XREF: PspSetCreateProcessNotifyRoutine+E0j
		cmp	[edi+8], ebx
		jnz	short loc_856A22
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		push	edi
		call	ExCompareExchangeCallBack
		test	al, al
		jz	short loc_856A22
		mov	eax, offset _PspCreateProcessNotifyRoutineCount
		test	esi, esi
		jz	short loc_856A68
		mov	eax, offset _PspCreateProcessNotifyRoutineExCount

loc_856A68:				; CODE XREF: PspSetCreateProcessNotifyRoutine+121j
		lock dec dword ptr [eax]
		mov	eax, [ebp+var_8]
		mov	edx, edi
		lea	ecx, _PspCreateProcessNotifyRoutine[eax*4]
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)
		mov	ecx, [ebp+var_C]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, edi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8569C9
; 

loc_856A98:				; CODE XREF: PspSetCreateProcessNotifyRoutine+83j
		mov	eax, offset _PspNotifyEnableMask
		lock bts dword ptr [eax], 2
		jmp	loc_8569C9
PspSetCreateProcessNotifyRoutine endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ExAllocateCallBack(x, x)
_ExAllocateCallBack@8 proc near		; CODE XREF: KeRegisterBoundCallback(x)+1Ap
					; PsSetLoadImageNotifyRoutineEx+17p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	62726243h
		push	0Ch
		push	200h
		mov	edi, edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_856AD5
		mov	ecx, esi
		mov	[esi+4], ebx
		mov	[esi+8], edi
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)

loc_856AD5:				; CODE XREF: ExAllocateCallBack(x,x)+1Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_ExAllocateCallBack@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspLogAuditSetLoadImageNotifyRoutineEvent(x, x)
_PspLogAuditSetLoadImageNotifyRoutineEvent@8 proc near
					; CODE XREF: PsSetLoadImageNotifyRoutineEx+55p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	[ebp+var_28], ecx
		mov	ecx, _EtwApiCallsProvRegHandle
		mov	eax, ecx
		mov	[ebp+var_2C], edx
		mov	edx, dword_6BC5D4
		or	eax, edx
		jz	short loc_856B40
		push	esi
		push	edi
		push	4
		pop	esi
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], esi
		mov	[ebp+var_24], eax
		xor	edi, edi
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], edi
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edi
		push	offset _KERNEL_AUDIT_API_PSSETLOADIMAGENOTIFYROUTINE
		push	edx
		push	ecx
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	edi
		pop	esi

loc_856B40:				; CODE XREF: PspLogAuditSetLoadImageNotifyRoutineEvent(x,x)+28j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PspLogAuditSetLoadImageNotifyRoutineEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpRealtimeDisconnectConsumerByHandle(x)
_EtwpRealtimeDisconnectConsumerByHandle@4 proc near
					; CODE XREF: NtTraceControl(x,x,x,x,x,x)+418p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	esi
		push	0
		mov	al, [eax+15Ah]
		push	edx
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, ds:_EtwpRealTimeConnectionObjectType
		push	eax
		push	400h
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_856B98
		mov	ecx, [ebp+var_4]
		call	_EtwpRealtimeDisconnectConsumer@4 ; EtwpRealtimeDisconnectConsumer(x)
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject

loc_856B98:				; CODE XREF: EtwpRealtimeDisconnectConsumerByHandle(x)+3Aj
		mov	eax, esi
		pop	esi
		leave
		retn
_EtwpRealtimeDisconnectConsumerByHandle@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCloseRealTimeConnectionObject(x, x, x, x)
_EtwpCloseRealTimeConnectionObject@16 proc near
					; DATA XREF: EtwpInitializeRealTimeConnection()+60o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		call	_EtwpRealtimeDisconnectConsumer@4 ; EtwpRealtimeDisconnectConsumer(x)
		pop	ebp
		retn	10h
_EtwpCloseRealTimeConnectionObject@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall EtwpRealtimeDisconnectConsumer(x)
_EtwpRealtimeDisconnectConsumer@4 proc near
					; CODE XREF: EtwpRealtimeDisconnectConsumerByHandle(x)+3Fp
					; EtwpCloseRealTimeConnectionObject(x,x,x,x)+8p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		test	byte ptr [edi+32h], 5
		jnz	short loc_856C14
		movzx	edx, word ptr [edi+30h]
		mov	ecx, [edi+54h]
		push	1
		call	EtwpAcquireLoggerContextByLoggerId
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_856C1B
		lea	esi, [ebx+1F0h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		xor	edx, edx
		mov	[ebx+10Ch], edi
		mov	ecx, esi
		call	ExReleasePushLockEx
		push	10h
		pop	edx
		mov	ecx, ebx
		call	EtwpSynchronizeWithLogger
		push	4
		pop	edx
		mov	ecx, ebx
		mov	esi, eax
		call	EtwpSynchronizeWithLogger
		mov	dl, 1
		mov	ecx, ebx
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_856C0E:				; CODE XREF: EtwpRealtimeDisconnectConsumer(x)+69j
					; EtwpRealtimeDisconnectConsumer(x)+70j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_856C14:				; CODE XREF: EtwpRealtimeDisconnectConsumer(x)+Bj
		mov	esi, 80000025h
		jmp	short loc_856C0E
; 

loc_856C1B:				; CODE XREF: EtwpRealtimeDisconnectConsumer(x)+1Fj
		mov	esi, 0C000000Dh
		jmp	short loc_856C0E
_EtwpRealtimeDisconnectConsumer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTransSearchAddTransFromKeyBody proc near ; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+122p
					; CmSetValueKey(x,x,x,x,x,x,x)+239p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009017A7 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		mov	edx, [ecx+20h]
		push	edi
		test	edx, edx
		jz	loc_9017A7

loc_856C3C:				; CODE XREF: CmpTransSearchAddTransFromKeyBody+AAB89j
		mov	eax, [ecx+8]
		test	al, 1
		jnz	short loc_856C88

loc_856C43:				; CODE XREF: CmpTransSearchAddTransFromKeyBody+69j
		mov	eax, [eax+10h]
		test	dl, 1
		jnz	short loc_856C76
		mov	edx, [eax+9A0h]
		test	edx, edx
		jz	short loc_856C8D
		lea	edi, [ebp+var_4]
		push	edi
		push	0
		push	eax
		push	dword ptr [ecx+20h]
		mov	ecx, [ecx+24h]
		call	CmpTransSearchAddTrans

loc_856C67:				; CODE XREF: CmpTransSearchAddTransFromKeyBody+64j
		test	eax, eax
		js	short loc_856C72
		mov	eax, [ebp+var_4]
		mov	[esi], eax
		xor	eax, eax

loc_856C72:				; CODE XREF: CmpTransSearchAddTransFromKeyBody+47j
					; CmpTransSearchAddTransFromKeyBody+70j ...
		pop	edi
		pop	esi
		leave
		retn
; 

loc_856C76:				; CODE XREF: CmpTransSearchAddTransFromKeyBody+27j
		lea	edx, [ebp+var_4]
		push	edx
		push	dword ptr [ecx+20h]
		xor	edx, edx
		mov	ecx, eax
		call	CmpTransSearchAddLightWeightTrans
		jmp	short loc_856C67
; 

loc_856C88:				; CODE XREF: CmpTransSearchAddTransFromKeyBody+1Fj
		xor	eax, 1
		jmp	short loc_856C43
; 

loc_856C8D:				; CODE XREF: CmpTransSearchAddTransFromKeyBody+31j
		mov	eax, 0C0190005h
		jmp	short loc_856C72
CmpTransSearchAddTransFromKeyBody endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTransSearchAddTransFromHive(x, x, x, x, x)
_CmpTransSearchAddTransFromHive@20 proc	near
					; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+8FFp
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+934p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	ecx, ecx
		jz	short loc_856CCA
		test	byte ptr [ebp+arg_0], 1
		push	[ebp+arg_8]
		jz	short loc_856CB7
		push	[ebp+arg_0]
		mov	edx, [ebp+arg_4]
		call	CmpTransSearchAddLightWeightTrans

loc_856CB2:				; CODE XREF: CmpTransSearchAddTransFromHive(x,x,x,x,x)+34j
					; CmpTransSearchAddTransFromHive(x,x,x,x,x)+3Bj
		pop	ecx
		pop	ebp
		retn	0Ch
; 

loc_856CB7:				; CODE XREF: CmpTransSearchAddTransFromHive(x,x,x,x,x)+11j
		push	[ebp+arg_4]
		mov	ecx, [ecx+9A0h]
		push	[ebp+arg_0]
		call	CmpTransSearchAddTransFromRm
		jmp	short loc_856CB2
; 

loc_856CCA:				; CODE XREF: CmpTransSearchAddTransFromHive(x,x,x,x,x)+8j
		mov	eax, 0C000000Dh
		jmp	short loc_856CB2
_CmpTransSearchAddTransFromHive@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTransSearchAddLightWeightTrans proc near
					; CODE XREF: CmpTransSearchAddTransFromKeyBody+5Fp
					; CmpTransSearchAddTransFromHive(x,x,x,x,x)+19p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009017BB SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		mov	eax, esi
		mov	[ebp+var_8], edx
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_4], ecx
		push	esi
		mov	[ebp+arg_0], eax
		call	_CmpTransReferenceTransaction@4	; CmpTransReferenceTransaction(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_856D21
		mov	edi, [ebp+arg_0]
		add	edi, 8
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_856D2A
		mov	eax, [ebp+arg_4]
		mov	edi, ebx
		mov	[eax], ecx

loc_856D0F:				; CODE XREF: CmpTransSearchAddLightWeightTrans+62j
					; CmpTransSearchAddLightWeightTrans+D9j ...
		test	esi, esi
		jz	short loc_856D19
		push	esi
		call	_CmpTransDereferenceTransaction@4 ; CmpTransDereferenceTransaction(x)

loc_856D19:				; CODE XREF: CmpTransSearchAddLightWeightTrans+3Fj
		test	ebx, ebx
		jnz	loc_9017F0

loc_856D21:				; CODE XREF: CmpTransSearchAddLightWeightTrans+28j
					; CmpTransSearchAddLightWeightTrans+AAB23j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_856D2A:				; CODE XREF: CmpTransSearchAddLightWeightTrans+34j
		cmp	[ebp+var_8], ebx
		jnz	short loc_856D36
		mov	edi, 0C0190002h
		jmp	short loc_856D0F
; 

loc_856D36:				; CODE XREF: CmpTransSearchAddLightWeightTrans+5Bj
		push	[ebp+var_4]
		xor	edx, edx
		xor	ecx, ecx
		push	esi
		call	_CmpTransAllocateTrans@16 ; CmpTransAllocateTrans(x,x,x,x)
		mov	edx, eax
		mov	[ebp+arg_0], edx
		test	edx, edx
		jz	loc_9017BB
		mov	ecx, edx
		xor	eax, eax
		lock cmpxchg [edi], ecx
		mov	edi, eax
		test	edi, edi
		jnz	loc_9017C5
		mov	edi, edx
		mov	[ebp+arg_0], ebx
		mov	esi, ebx
		call	_LOCK_TRANSACTION_LIST@0 ; LOCK_TRANSACTION_LIST()
		test	byte ptr [edi+18h], 7
		jnz	loc_9017EB
		mov	dword ptr [edi+18h], 80h
		mov	ecx, offset _CmpLightTransactionList
		mov	eax, dword_6CDECC
		cmp	[eax], ecx
		jnz	short loc_856DB6
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	dword_6CDECC, edi
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		mov	edi, ebx

loc_856DA6:				; CODE XREF: CmpTransSearchAddLightWeightTrans+AAB14j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_856D0F
		jmp	loc_9017FA
; 

loc_856DB6:				; CODE XREF: CmpTransSearchAddLightWeightTrans+B9j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
CmpTransSearchAddLightWeightTrans endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTransReferenceTransaction(x)
_CmpTransReferenceTransaction@4	proc near ; CODE XREF: CmpCreateKeyBody+303p
					; CmpTransSearchAddLightWeightTrans+1Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		and	esi, 0FFFFFFFEh
		test	byte ptr [ebp+arg_0], 1
		mov	ecx, esi
		jnz	short loc_856DDA
		call	CmReferenceKtmTransaction

loc_856DD5:				; CODE XREF: CmpTransReferenceTransaction(x)+2Ej
		pop	esi
		pop	ebp
		retn	4
; 

loc_856DDA:				; CODE XREF: CmpTransReferenceTransaction(x)+12j
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [esi]
		neg	eax
		sbb	eax, eax
		and	eax, 0C0190003h
		jmp	short loc_856DD5
_CmpTransReferenceTransaction@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTransDereferenceTransaction(x)
_CmpTransDereferenceTransaction@4 proc near
					; CODE XREF: CmpTransSearchAddLightWeightTrans+42p
					; CmpTransInitializeTransaction+75AD0p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		and	ecx, 0FFFFFFFEh
		call	ObfDereferenceObject
		pop	ebp
		retn	4
_CmpTransDereferenceTransaction@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTransAllocateTrans(x, x,	x, x)
_CmpTransAllocateTrans@16 proc near	; CODE XREF: CmpTransSearchAddLightWeightTrans+6Cp
					; CmpTransSearchAddTrans+10Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	72544D43h
		push	70h
		push	1
		mov	edi, edx
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_856E91
		push	70h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	[ebx+1Ch], ecx
		mov	eax, ds:_CLFS_LSN_INVALID_EXT
		mov	[ebx+40h], eax
		mov	eax, ds:dword_41105C
		mov	[ebx+44h], eax
		mov	eax, ecx
		mov	dword ptr [ebx+18h], 8
		mov	[ebx+20h], edi
		and	eax, 1
		jz	short loc_856E5B
		mov	dword ptr [ebx+18h], 88h

loc_856E5B:				; CODE XREF: CmpTransAllocateTrans(x,x,x,x)+52j
		test	esi, esi
		jnz	short loc_856E6B
		test	eax, eax
		jnz	short loc_856E72
		push	ecx
		call	_CmpTransGetUOW@4 ; CmpTransGetUOW(x)
		mov	esi, eax

loc_856E6B:				; CODE XREF: CmpTransAllocateTrans(x,x,x,x)+5Dj
		lea	edi, [ebx+2Ch]
		movsd
		movsd
		movsd
		movsd

loc_856E72:				; CODE XREF: CmpTransAllocateTrans(x,x,x,x)+61j
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebx+8]
		mov	[eax+4], eax
		mov	edx, ebx
		mov	[eax], eax
		lea	eax, [ebx+10h]
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		mov	[eax+4], eax
		mov	[eax], eax
		call	_CmpBindHiveToTrans@8 ;	CmpBindHiveToTrans(x,x)

loc_856E91:				; CODE XREF: CmpTransAllocateTrans(x,x,x,x)+1Ej
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	8
_CmpTransAllocateTrans@16 endp


;  S U B	R O U T	I N E 


; __stdcall CmpBindHiveToTrans(x, x)
_CmpBindHiveToTrans@8 proc near		; CODE XREF: CmpTransAllocateTrans(x,x,x,x)+8Cp
					; CmpTransSearchAddTrans+89p ...
		test	byte ptr [edx+18h], 80h
		push	esi
		push	edi
		jnz	short loc_856ECD
		test	ecx, ecx
		jz	short loc_856EB6
		mov	eax, [edx+48h]
		xor	esi, esi
		test	eax, eax
		jz	short loc_856EC4
		lea	edi, [edx+4Ch]

loc_856EB2:				; CODE XREF: CmpBindHiveToTrans(x,x)+28j
		cmp	ecx, [edi]
		jnz	short loc_856EBC

loc_856EB6:				; CODE XREF: CmpBindHiveToTrans(x,x)+Aj
					; CmpBindHiveToTrans(x,x)+31j ...
		xor	eax, eax
		inc	eax

loc_856EB9:				; CODE XREF: CmpBindHiveToTrans(x,x)+45j
		pop	edi
		pop	esi
		retn
; 

loc_856EBC:				; CODE XREF: CmpBindHiveToTrans(x,x)+1Aj
		inc	esi
		add	edi, 4
		cmp	esi, eax
		jb	short loc_856EB2

loc_856EC4:				; CODE XREF: CmpBindHiveToTrans(x,x)+13j
		mov	[edx+eax*4+4Ch], ecx
		inc	dword ptr [edx+48h]
		jmp	short loc_856EB6
; 

loc_856ECD:				; CODE XREF: CmpBindHiveToTrans(x,x)+6j
		cmp	dword ptr [edx+48h], 0
		jnz	short loc_856ED8
		mov	[edx+4Ch], ecx
		jmp	short loc_856EB6
; 

loc_856ED8:				; CODE XREF: CmpBindHiveToTrans(x,x)+37j
		cmp	[edx+4Ch], ecx
		jz	short loc_856EB6
		xor	eax, eax
		jmp	short loc_856EB9
_CmpBindHiveToTrans@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpRealtimeRestoreBuffer proc near	; CODE XREF: EtwpRealtimeFlushSavedBuffers+79p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090180A SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		xor	ecx, ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		lea	esi, [edi+128h]
		mov	ebx, [esi]
		mov	eax, [esi+4]
		add	ebx, 48h
		adc	eax, ecx
		mov	[ebp+var_C], eax
		cmp	eax, [edi+134h]
		jl	short loc_856F27
		jg	loc_85701F
		cmp	ebx, [edi+130h]
		ja	loc_85701F

loc_856F27:				; CODE XREF: EtwpRealtimeRestoreBuffer+31j
		push	ecx
		push	esi
		push	48h
		push	edx
		lea	eax, [ebp+var_14]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	dword ptr [edi+110h]
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_857002
		cmp	[ebp+var_14], 0
		jl	loc_857013
		cmp	[ebp+var_10], 48h
		jnz	loc_90180A
		mov	edx, [ebp+var_4]
		mov	ecx, [edi+4]
		mov	[ebp+var_8], ecx
		cmp	[edx], ecx
		jnz	loc_85701F
		mov	ecx, [edx+30h]
		cmp	ecx, 48h
		jb	loc_85701F
		cmp	ecx, [ebp+var_8]
		ja	loc_85701F
		or	word ptr [edx+34h], 10h
		add	ecx, 0FFFFFFB8h
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+var_C]
		mov	[esi], ebx
		mov	[esi+4], ecx
		jz	short loc_856FF0
		mov	eax, [ebp+var_4]
		add	eax, ebx
		mov	[ebp+var_C], eax
		push	0
		pop	eax
		adc	eax, ecx
		cmp	eax, [edi+134h]
		jl	short loc_856FB7
		jg	short loc_85701F
		mov	eax, [ebp+var_C]
		cmp	eax, [edi+130h]
		ja	short loc_85701F

loc_856FB7:				; CODE XREF: EtwpRealtimeRestoreBuffer+C6j
		mov	ebx, [ebp+var_4]
		lea	eax, [edx+48h]
		xor	ecx, ecx
		push	ecx
		push	esi
		push	ebx
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	dword ptr [edi+110h]
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_856FE5
		mov	eax, [ebp+var_14]
		test	eax, eax
		js	short loc_856FE5
		cmp	[ebp+var_10], ebx
		jnz	short loc_857018

loc_856FE5:				; CODE XREF: EtwpRealtimeRestoreBuffer+F5j
					; EtwpRealtimeRestoreBuffer+FCj ...
		add	[esi], ebx
		mov	ebx, [esi]
		adc	dword ptr [esi+4], 0
		mov	ecx, [esi+4]

loc_856FF0:				; CODE XREF: EtwpRealtimeRestoreBuffer+B1j
		cmp	ecx, [edi+134h]
		jl	short loc_857002
		jg	short loc_857007
		cmp	ebx, [edi+130h]
		jnb	short loc_857007

loc_857002:				; CODE XREF: EtwpRealtimeRestoreBuffer+5Ej
					; EtwpRealtimeRestoreBuffer+114j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_857007:				; CODE XREF: EtwpRealtimeRestoreBuffer+116j
					; EtwpRealtimeRestoreBuffer+11Ej
		and	dword ptr [esi+4], 0
		mov	dword ptr [esi], 48h
		jmp	short loc_857002
; 

loc_857013:				; CODE XREF: EtwpRealtimeRestoreBuffer+68j
		mov	eax, [ebp+var_14]
		jmp	short loc_857002
; 

loc_857018:				; CODE XREF: EtwpRealtimeRestoreBuffer+101j
		mov	eax, 0C0000011h
		jmp	short loc_856FE5
; 

loc_85701F:				; CODE XREF: EtwpRealtimeRestoreBuffer+33j
					; EtwpRealtimeRestoreBuffer+3Fj ...
		mov	eax, 0C0000102h
		jmp	short loc_857002
EtwpRealtimeRestoreBuffer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiResetProblemDevicesWorker proc near	; DATA XREF: PpProcessClearProblem(x)+4Do
					; PpResetProblemDevices(x,x)+33o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00901814 SIZE 00000059 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	dword ptr [esi+10Ch], 2000h
		jnz	loc_901814

loc_85703F:				; CODE XREF: PiResetProblemDevicesWorker+AA842j
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	8
PiResetProblemDevicesWorker endp


;  S U B	R O U T	I N E 


PiDqGetObjectManagerForPnpObjectType proc near
					; CODE XREF: PiPnpRtlObjectEventDispatch(x)+1Ep
					; PiPnpRtlObjectEventWorker+CDA2Dp

; FUNCTION CHUNK AT 0090186D SIZE 0000000F BYTES

		xor	eax, eax
		sub	ecx, 1
		jnz	short loc_857053
		mov	eax, offset _PiDqDeviceManager

locret_857052:				; CODE XREF: PiDqGetObjectManagerForPnpObjectType+AA82Aj
		retn
; 

loc_857053:				; CODE XREF: PiDqGetObjectManagerForPnpObjectType+5j
		sub	ecx, 1
		jz	short loc_85707D
		sub	ecx, 1
		jnz	short loc_857063
		mov	eax, offset _PiDqDeviceInterfaceManager
		retn
; 

loc_857063:				; CODE XREF: PiDqGetObjectManagerForPnpObjectType+15j
		sub	ecx, 1
		jz	short loc_857077
		sub	ecx, 1
		jnz	loc_90186D
		mov	eax, offset _PiDqDeviceContainerManager
		retn
; 

loc_857077:				; CODE XREF: PiDqGetObjectManagerForPnpObjectType+20j
		mov	eax, offset _PiDqDeviceInterfaceClassManager
		retn
; 

loc_85707D:				; CODE XREF: PiDqGetObjectManagerForPnpObjectType+10j
		mov	eax, offset _PiDqDeviceInstallerClassManager
		retn
PiDqGetObjectManagerForPnpObjectType endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpExpandFileName proc	near		; CODE XREF: EtwpCreateLogFile+273p
					; EtwpRealtimeCreateLogfile+10Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090187C SIZE 00000080 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_1], cl
		push	esi
		push	edi
		mov	[ebp+var_C], eax
		mov	ebx, edx
		mov	[ebp+var_3], al
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_18]
		push	offset ??_C@_1BK@HCAHJHON@?$AA?$CF?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?$CF@NNGAKEGL@ ; "%SystemRoot%"
		push	eax
		mov	[ebp+var_10], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	esi, word ptr [ebx]
		mov	edi, [ebp+var_18]
		mov	eax, esi
		movzx	ecx, di
		cmp	eax, ecx
		jbe	short loc_8570C4
		mov	eax, ecx

loc_8570C4:				; CODE XREF: EtwpExpandFileName+3Cj
		push	1
		shr	ecx, 1
		push	ecx
		push	[ebp+var_14]
		shr	eax, 1
		push	eax
		push	dword ptr [ebx+4]
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		test	eax, eax
		jnz	loc_90187C
		mov	[ebp+var_2], 1
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		movzx	ecx, word ptr [eax+26Ch]
		cmp	si, di
		jz	loc_857221
		movzx	edx, word ptr [ebx]
		movzx	eax, word ptr [ebp+var_18]
		sub	ecx, eax
		mov	eax, [ebx+4]
		lea	esi, [edx+2]
		shr	edx, 1
		add	esi, ecx
		mov	ecx, [ebp+arg_4]
		cmp	word ptr [eax+edx*2-2],	5Ch
		jnz	short loc_85711F
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_3], 1
		add	esi, eax

loc_85711F:				; CODE XREF: EtwpExpandFileName+90j
					; EtwpExpandFileName+1AAj
		mov	al, [ebp+var_2]
		mov	dl, [ebp+var_1]

loc_857125:				; CODE XREF: EtwpExpandFileName+AA813j
		cmp	dword ptr [ebp+arg_0], 0
		jnz	loc_857233

loc_85712F:				; CODE XREF: EtwpExpandFileName+1B2j
		test	dl, dl
		jnz	loc_8571C2

loc_857137:				; CODE XREF: EtwpExpandFileName+140j
					; EtwpExpandFileName+AA821j
		push	50777445h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9018F2
		cmp	[ebp+var_2], 0
		jz	loc_9018AA
		mov	cx, [ebx]
		cmp	cx, word ptr [ebp+var_18]
		jz	loc_85723B
		cmp	[ebp+var_3], 0
		jz	short loc_8571CF
		mov	edx, [ebp+arg_4]
		mov	eax, [edx+4]
		mov	[ebp+arg_4], eax

loc_857174:				; CODE XREF: EtwpExpandFileName+152j
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		movzx	ecx, word ptr [ebp+var_18]
		push	[ebp+arg_4]
		shr	ecx, 1
		lea	edx, [eax+26Ch]
		mov	eax, [ebx+4]
		lea	eax, [eax+ecx*2]
		push	eax
		push	dword ptr [edx+4] ; char
		push	offset ??_C@_1BE@MFOEGDMN@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	esi		; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 18h

loc_8571A1:				; CODE XREF: EtwpExpandFileName+1E1j
					; EtwpExpandFileName+AA852j ...
		cmp	dword ptr [ebp+arg_0], 0
		mov	ebx, eax
		jnz	short loc_8571D8

loc_8571A9:				; CODE XREF: EtwpExpandFileName+19Bj
		mov	esi, [ebp+var_10]
		push	esi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	edi
		push	esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_8571B9:				; CODE XREF: EtwpExpandFileName+AA873j
		mov	eax, ebx

loc_8571BB:				; CODE XREF: EtwpExpandFileName+AA807j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8571C2:				; CODE XREF: EtwpExpandFileName+ADj
		test	al, al
		jnz	loc_857137
		jmp	loc_90189C
; 

loc_8571CF:				; CODE XREF: EtwpExpandFileName+E5j
		mov	[ebp+arg_4], offset ??_C@_11LOCGONAA@@NNGAKEGL@
		jmp	short loc_857174
; 

loc_8571D8:				; CODE XREF: EtwpExpandFileName+123j
		mov	ecx, edi
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_8571DF:				; CODE XREF: EtwpExpandFileName+164j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_8571DF
		sub	ecx, edx
		mov	edx, edi
		sar	ecx, 1
		lea	ebx, [edx+2]

loc_8571F3:				; CODE XREF: EtwpExpandFileName+179j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_C]
		jnz	short loc_8571F3
		push	dword ptr [ebp+arg_0] ;	char
		sub	edx, ebx
		lea	eax, [ecx+ecx]
		sar	edx, 1
		sub	esi, eax
		push	offset ??_C@_1M@GPDJLPMI@?$AA?4?$AA?$CF?$AA0?$AA3?$AAd@NNGAKEGL@ ; ".%03d"
		push	esi		; int
		lea	eax, [edi+edx*2]
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		mov	ebx, eax
		jmp	short loc_8571A9
; 

loc_857221:				; CODE XREF: EtwpExpandFileName+6Ej
		mov	edx, [ebp+arg_4]
		movzx	esi, word ptr [edx]
		add	esi, 38h
		add	esi, ecx
		mov	ecx, edx
		jmp	loc_85711F
; 

loc_857233:				; CODE XREF: EtwpExpandFileName+A5j
		add	esi, 8
		jmp	loc_85712F
; 

loc_85723B:				; CODE XREF: EtwpExpandFileName+DBj
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edx, [ebp+arg_4]
		push	offset ??_C@_19DEKJANFJ@?$AA?4?$AAe?$AAt?$AAl@NNGAKEGL@
		push	dword ptr [edx+4]
		push	offset ??_C@_1DA@PAFEKHDO@?$AA?2?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AA3?$AA2?$AA?2?$AAL?$AAo?$AAg?$AAf?$AAi@NNGAKEGL@ ; "\\system32\\Logfiles\\WMI\\"
		push	dword ptr [eax+270h] ; char
		push	offset ??_C@_1BK@GDKGNMAK@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	esi		; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 1Ch
		jmp	loc_8571A1
EtwpExpandFileName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepImageVerificationCallbackWorker(x)
_SepImageVerificationCallbackWorker@4 proc near
					; DATA XREF: SepScheduleImageVerificationCallbacks(x,x)+24o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	ecx, _ExCbSeImageVerificationDriverInfo
		xor	edx, edx
		and	[ebp+var_C], 0
		inc	edx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ebp+var_10], offset _SepImageVerificationCallbackPreProcess@20	; SepImageVerificationCallbackPreProcess(x,x,x,x,x)
		mov	eax, [esi+10h]
		mov	[ebp+var_8], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [esi+18h]
		push	eax
		call	ExNotifyWithProcessing
		mov	edi, 63734943h
		push	edi
		push	dword ptr [esi+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		leave
		retn	4
_SepImageVerificationCallbackWorker@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmGetCmObjectListFromCache(x, x, x, x, x,	x)
_PiDmGetCmObjectListFromCache@24 proc near ; CODE XREF:	PiPnpRtlGetFilteredDeviceList+BCp
					; PiPnpRtlGetFilteredDeviceList+11Fp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	[ebp+arg_C]
		mov	eax, [ebp+arg_0]
		push	[ebp+arg_8]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_C]
		push	[ebp+arg_4]
		mov	[ebp+var_C], edx
		push	eax
		mov	[ebp+var_4], ecx
		call	_CmMapCmObjectTypeToPnpObjectType
		mov	edx, offset _PiDmCmObjectMatchCallback@12 ; PiDmCmObjectMatchCallback(x,x,x)
		mov	ecx, eax
		call	_PiDmGetObjectList@24 ;	PiDmGetObjectList(x,x,x,x,x,x)
		leave
		retn	10h
_PiDmGetCmObjectListFromCache@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmGetObjectList(x, x, x, x, x, x)
_PiDmGetObjectList@24 proc near		; CODE XREF: PiDmGetCmObjectListFromCache(x,x,x,x,x,x)+2Dp
					; PiPnpRtlObjectActionCallback+11892Cp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], esi
		and	dword ptr [edi], 0
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		jz	short loc_857329
		xor	eax, eax
		mov	[esi], ax

loc_857329:				; CODE XREF: PiDmGetObjectList(x,x,x,x,x,x)+2Cj
		lea	eax, [ebp+var_14]
		mov	edx, offset _PiDmGetObjectListCallback@12 ; PiDmGetObjectListCallback(x,x,x)
		push	eax
		call	_PiDmEnumObjectsWithCallback@12	; PiDmEnumObjectsWithCallback(x,x,x)
		test	eax, eax
		js	short loc_857356
		mov	ecx, [ebp+var_4]
		mov	[edi], ecx
		test	ecx, ecx
		jz	short loc_857356
		inc	ecx
		mov	[edi], ecx
		test	esi, esi
		jz	short loc_85735D
		cmp	ebx, ecx
		jb	short loc_85735D
		xor	edx, edx
		mov	[esi+ecx*2-2], dx

loc_857356:				; CODE XREF: PiDmGetObjectList(x,x,x,x,x,x)+43j
					; PiDmGetObjectList(x,x,x,x,x,x)+4Cj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_85735D:				; CODE XREF: PiDmGetObjectList(x,x,x,x,x,x)+53j
					; PiDmGetObjectList(x,x,x,x,x,x)+57j
		mov	eax, 0C0000023h
		jmp	short loc_857356
_PiDmGetObjectList@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiUEventGetDeviceInstanceIdFromUserHandle(x, x, x)
_PiUEventGetDeviceInstanceIdFromUserHandle@12 proc near
					; CODE XREF: PiUEventHandleRegistration+1BFp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	al, [eax+15Ah]
		xor	esi, esi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		push	esi
		lea	edx, [ebp+arg_0]
		mov	byte ptr [ebp+var_8], al
		mov	eax, ds:_IoFileObjectType
		push	edx
		push	[ebp+var_8]
		mov	[ebp+var_4], esi
		push	eax
		push	esi
		push	ecx
		mov	[edi], esi
		mov	[ebp+arg_0], esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8573E5
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_4]
		call	_PnpGetRelatedTargetDevice@8 ; PnpGetRelatedTargetDevice(x,x)
		mov	ecx, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_8573D9
		add	ecx, 14h
		mov	[ebx], ecx
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_PsIsProcessAppContainer@4 ; PsIsProcessAppContainer(x)
		mov	ecx, [ebp+var_4]
		test	al, al
		jnz	short loc_8573FA

loc_8573D9:				; CODE XREF: PiUEventGetDeviceInstanceIdFromUserHandle(x,x,x)+55j
					; PiUEventGetDeviceInstanceIdFromUserHandle(x,x,x)+9Bj
		test	ecx, ecx
		jz	short loc_8573E5
		mov	ecx, [ecx+10h]
		call	ObfDereferenceObject

loc_8573E5:				; CODE XREF: PiUEventGetDeviceInstanceIdFromUserHandle(x,x,x)+41j
					; PiUEventGetDeviceInstanceIdFromUserHandle(x,x,x)+77j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_8573F1
		call	ObfDereferenceObject

loc_8573F1:				; CODE XREF: PiUEventGetDeviceInstanceIdFromUserHandle(x,x,x)+86j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8573FA:				; CODE XREF: PiUEventGetDeviceInstanceIdFromUserHandle(x,x,x)+73j
		mov	eax, [ecx+10h]
		mov	[edi], eax
		jmp	short loc_8573D9
_PiUEventGetDeviceInstanceIdFromUserHandle@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 800. IoCreateSymbolicLink

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCreateSymbolicLink(x, x)
		public _IoCreateSymbolicLink@8
_IoCreateSymbolicLink@8	proc near	; CODE XREF: IopCreateArcName+2E2p
					; IopCreateArcName+37Ap ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		push	esi
		push	[ebp+arg_4]
		mov	[ebp+var_14], eax
		mov	eax, ds:_SePublicDefaultUnrestrictedSd
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	0F0001h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ecx
		push	eax
		mov	[ebp+var_1C], 18h
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], 250h
		mov	[ebp+var_8], ecx
		call	_ZwCreateSymbolicLinkObject@16 ; ZwCreateSymbolicLinkObject(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_857459
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_857459:				; CODE XREF: IoCreateSymbolicLink(x,x)+49j
		mov	eax, esi
		pop	esi
		leave
		retn	8
_IoCreateSymbolicLink@8	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1999. RtlCopyLuid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCopyLuid(x, x)
		public _RtlCopyLuid@8
_RtlCopyLuid@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	eax, [edx]
		mov	[ecx], eax
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		pop	ebp
		retn	8
_RtlCopyLuid@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAreMappedFilesTheSame	proc near	; DATA XREF: .text:005811ECo

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009018FC SIZE 0000006C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	eax
		push	2
		pop	edx
		mov	[ebp+var_8], ebx
		call	MiObtainReferencedVadEx
		mov	esi, eax
		test	esi, esi
		jz	loc_9018FC
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_MiUnlockVadShared@8 ; MiUnlockVadShared(x,x)
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	2
		pop	edx
		call	MiObtainReferencedVadEx
		mov	edi, eax
		test	edi, edi
		jz	loc_901906
		mov	ecx, esi
		cmp	esi, edi
		jz	loc_901920
		call	_MiVadIsCfgBitmap@4 ; MiVadIsCfgBitmap(x)
		cmp	eax, 1
		jz	loc_901947
		mov	ecx, edi
		call	_MiVadIsCfgBitmap@4 ; MiVadIsCfgBitmap(x)
		cmp	eax, 1
		jz	loc_901947
		mov	eax, [ebp+arg_4]
		cmp	[ebp+arg_0], eax
		jbe	loc_8575DD
		mov	ecx, esi

loc_857505:				; CODE XREF: NtAreMappedFilesTheSame+171j
		add	ecx, 18h
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	ecx, esi
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		test	eax, eax
		jnz	loc_90193D
		mov	ecx, edi
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		test	eax, eax
		jnz	loc_90193D
		mov	eax, 100000h
		test	[esi+1Ch], eax
		jnz	loc_901933
		test	[edi+1Ch], eax
		jnz	loc_901933
		mov	ebx, [esi+2Ch]
		test	ebx, ebx
		jz	loc_901933
		mov	eax, [edi+2Ch]
		test	eax, eax
		jz	loc_901933
		mov	ebx, [ebx]
		test	ebx, ebx
		jz	loc_901933
		mov	eax, [eax]
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	loc_901933
		cmp	dword ptr [ebx+20h], 0
		jz	loc_901933
		cmp	dword ptr [eax+20h], 0
		jz	loc_901933
		mov	ecx, eax
		call	MiReferenceControlAreaFile
		mov	ecx, [ebp+arg_4]
		mov	edx, [eax+14h]
		sub	ebx, [edx+8]
		mov	edx, eax
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 0C00000D4h
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)

loc_8575A6:				; CODE XREF: NtAreMappedFilesTheSame+AA4B8j
					; NtAreMappedFilesTheSame+AA4C2j
		push	11h
		lea	ecx, [edi+18h]
		xor	edx, edx
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	short loc_8575F6

loc_8575B7:				; CODE XREF: NtAreMappedFilesTheSame+17Ej
		call	KeAbPostRelease
		mov	ecx, esi
		call	MiUnlockAndDereferenceVadShared
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_MiLockVadShared@8 ; MiLockVadShared(x,x)
		mov	ecx, edi
		call	MiUnlockAndDereferenceVadShared
		mov	eax, ebx

loc_8575D6:				; CODE XREF: NtAreMappedFilesTheSame+AA49Bj
					; NtAreMappedFilesTheSame+AA4AEj ...
		pop	edi

loc_8575D7:				; CODE XREF: NtAreMappedFilesTheSame+AA481j
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8575DD:				; CODE XREF: NtAreMappedFilesTheSame+7Dj
		mov	edx, edi
		mov	ecx, ebx
		call	_MiUnlockVadShared@8 ; MiUnlockVadShared(x,x)
		mov	edx, esi
		mov	ecx, ebx
		call	_MiLockVadShared@8 ; MiLockVadShared(x,x)
		mov	ecx, edi
		jmp	loc_857505
; 

loc_8575F6:				; CODE XREF: NtAreMappedFilesTheSame+135j
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	ecx, [edi+18h]
		jmp	short loc_8575B7
NtAreMappedFilesTheSame	endp


;  S U B	R O U T	I N E 


PopDirectedDripsRefreshDisengageState proc near
					; CODE XREF: PopDirectedDripsWorkerRoutine+A3p

; FUNCTION CHUNK AT 00901968 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	ebx, [edi+74h]
		lea	esi, [edi+78h]
		mov	eax, [esi]

loc_857611:				; CODE XREF: PopDirectedDripsRefreshDisengageState+19j
		mov	edx, eax
		or	edx, ecx
		lock cmpxchg [esi], edx
		jnz	short loc_857611
		mov	esi, eax
		cmp	ebx, esi
		jz	short loc_85763A
		mov	edx, esi
		mov	ecx, ebx
		call	PopDirectedDripsDiagTraceDisengageReasonChange
		cmp	byte ptr [edi+80h], 0
		mov	[edi+74h], esi
		jnz	loc_901968

loc_85763A:				; CODE XREF: PopDirectedDripsRefreshDisengageState+1Fj
					; PopDirectedDripsRefreshDisengageState+AA37Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
PopDirectedDripsRefreshDisengageState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDirectedDripsDiagTraceDisengageReasonChange proc near
					; CODE XREF: PopDirectedDripsRefreshDisengageState+25p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090198A SIZE 0000006A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], edi
		jz	short loc_857689
		mov	eax, _PopDiagHandle
		push	ebx
		mov	ebx, dword_6C1D74
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_DISENGAGE_MASK_CHANGED
		push	ebx
		push	eax
		mov	[ebp+var_58], eax
		call	EtwEventEnabled
		test	al, al
		jnz	loc_90198A

loc_857688:				; CODE XREF: PopDirectedDripsDiagTraceDisengageReasonChange+AA3B1j
		pop	ebx

loc_857689:				; CODE XREF: PopDirectedDripsDiagTraceDisengageReasonChange+25j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDirectedDripsDiagTraceDisengageReasonChange endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2496. SeRegisterImageVerificationCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeRegisterImageVerificationCallback(x, x, x, x, x, x)
		public _SeRegisterImageVerificationCallback@24
_SeRegisterImageVerificationCallback@24	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 1
		jnz	short loc_8576DC
		cmp	[ebp+arg_4], 0
		jnz	short loc_8576E3
		cmp	[ebp+arg_10], 0
		jnz	short loc_8576EA
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	_ExCbSeImageVerificationDriverInfo
		call	ExRegisterCallback
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_8576F1
		lock inc dword_6FBAD0
		mov	eax, [ebp+arg_14]
		mov	[eax], ecx
		xor	eax, eax

loc_8576D8:				; CODE XREF: SeRegisterImageVerificationCallback(x,x,x,x,x,x)+45j
					; SeRegisterImageVerificationCallback(x,x,x,x,x,x)+4Cj	...
		pop	ebp
		retn	18h
; 

loc_8576DC:				; CODE XREF: SeRegisterImageVerificationCallback(x,x,x,x,x,x)+9j
		mov	eax, 0C00000EFh
		jmp	short loc_8576D8
; 

loc_8576E3:				; CODE XREF: SeRegisterImageVerificationCallback(x,x,x,x,x,x)+Fj
		mov	eax, 0C00000F0h
		jmp	short loc_8576D8
; 

loc_8576EA:				; CODE XREF: SeRegisterImageVerificationCallback(x,x,x,x,x,x)+15j
		mov	eax, 0C00000F3h
		jmp	short loc_8576D8
; 

loc_8576F1:				; CODE XREF: SeRegisterImageVerificationCallback(x,x,x,x,x,x)+2Cj
		mov	eax, 0C0000017h
		jmp	short loc_8576D8
_SeRegisterImageVerificationCallback@24	endp


;  S U B	R O U T	I N E 


; __stdcall SepScheduleImageVerificationCallbacks(x, x)
_SepScheduleImageVerificationCallbacks@8 proc near ; CODE XREF:	SeValidateImageHeader+86p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		push	63734943h
		lea	eax, [edi+18h]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_85773A
		push	1
		xor	esi, esi
		mov	dword ptr [eax+8], offset _SepImageVerificationCallbackWorker@4	; SepImageVerificationCallbackWorker(x)
		push	eax
		mov	[eax+0Ch], eax
		mov	[eax], esi
		mov	[eax+10h], ebx
		mov	[eax+14h], edi
		call	ExQueueWorkItem

loc_857734:				; CODE XREF: SepScheduleImageVerificationCallbacks(x,x)+47j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_85773A:				; CODE XREF: SepScheduleImageVerificationCallbacks(x,x)+1Ej
		mov	esi, 0C0000017h
		jmp	short loc_857734
_SepScheduleImageVerificationCallbacks@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCheckExeOwnerForPca proc near	; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+2116p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 009019F4 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], ebx
		cmp	ds:_CmpTrustedInstallerSid, ebx
		jz	loc_857800
		lea	eax, [ebp+var_10]
		push	eax
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		push	eax
		call	_PsReferenceProcessFilePointer@8 ; PsReferenceProcessFilePointer(x,x)
		test	eax, eax
		js	loc_857800
		lea	eax, [ebp+var_8]
		xor	edx, edx
		push	eax
		push	ebx
		push	ebx
		mov	ebx, [ebp+var_10]
		inc	edx
		mov	ecx, ebx
		call	_ObQuerySecurityObject@20 ; ObQuerySecurityObject(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	loc_9019F4
		push	20204D43h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	ecx, ebx
		test	edi, edi
		jz	short loc_857812
		push	esi
		lea	eax, [ebp+var_8]
		xor	edx, edx
		push	eax
		push	[ebp+var_8]
		inc	edx
		push	edi
		call	_ObQuerySecurityObject@20 ; ObQuerySecurityObject(x,x,x,x,x)
		mov	ecx, ebx
		mov	esi, eax
		call	ObfDereferenceObject
		test	esi, esi
		pop	esi
		js	short loc_8577F8
		lea	eax, [ebp-1]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	edi
		call	_RtlGetOwnerSecurityDescriptor@12 ; RtlGetOwnerSecurityDescriptor(x,x,x)
		test	eax, eax
		js	short loc_8577F8
		cmp	[ebp+var_C], 0
		jz	short loc_857806
		push	[ebp+var_C]
		push	ds:_CmpTrustedInstallerSid
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_857806

loc_8577F8:				; CODE XREF: CmpCheckExeOwnerForPca+8Aj
					; CmpCheckExeOwnerForPca+9Cj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_857800:				; CODE XREF: CmpCheckExeOwnerForPca+1Bj
					; CmpCheckExeOwnerForPca+32j ...
		xor	al, al

loc_857802:				; CODE XREF: CmpCheckExeOwnerForPca+CEj
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_857806:				; CODE XREF: CmpCheckExeOwnerForPca+A2j
					; CmpCheckExeOwnerForPca+B4j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, 1
		jmp	short loc_857802
; 

loc_857812:				; CODE XREF: CmpCheckExeOwnerForPca+6Bj
					; CmpCheckExeOwnerForPca+AA2B4j
		call	ObfDereferenceObject
		jmp	short loc_857800
CmpCheckExeOwnerForPca endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnlockDriverCode(x)
_MiUnlockDriverCode@4 proc near		; CODE XREF: MiUnloadSystemImage+2FCp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	[ebp+var_8], esi
		mov	edi, [esi+18h]
		mov	ecx, edi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	short loc_85788D
		mov	ecx, edi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jz	short loc_85788D
		mov	ecx, edi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	short loc_85788D
		push	edi
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		xor	ecx, ecx
		mov	[ebp+var_C], eax
		xor	edx, edx
		mov	[ebp+var_4], ecx
		movzx	ebx, word ptr [eax+14h]
		add	ebx, 20h
		cmp	dx, [eax+6]
		jnb	short loc_85788D
		add	ebx, eax

loc_85786F:				; CODE XREF: MiUnlockDriverCode(x)+71j
		mov	eax, [esi+80h]
		cmp	dword ptr [eax+ecx*4], 0
		jnz	short loc_857892

loc_85787B:				; CODE XREF: MiUnlockDriverCode(x)+B1j
		mov	eax, [ebp+var_C]
		inc	ecx
		add	ebx, 28h
		mov	[ebp+var_4], ecx
		movzx	eax, word ptr [eax+6]
		cmp	ecx, eax
		jb	short loc_85786F

loc_85788D:				; CODE XREF: MiUnlockDriverCode(x)+1Cj
					; MiUnlockDriverCode(x)+28j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_857892:				; CODE XREF: MiUnlockDriverCode(x)+5Fj
		mov	eax, [ebx+8]
		mov	ecx, [ebx]
		cmp	eax, ecx
		jb	short loc_8578CD

loc_85789B:				; CODE XREF: MiUnlockDriverCode(x)+B5j
		mov	esi, [ebx+4]
		push	ecx
		lea	ecx, [eax+0FFFh]
		add	esi, edi
		add	ecx, esi
		and	ecx, 0FFFFF000h
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, esi
		lea	edx, [eax-8]
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, eax
		call	_MiUnlockCodePage@12 ; MiUnlockCodePage(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	esi, [ebp+var_8]
		jmp	short loc_85787B
; 

loc_8578CD:				; CODE XREF: MiUnlockDriverCode(x)+7Fj
		mov	eax, ecx
		jmp	short loc_85789B
_MiUnlockDriverCode@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiFreeRotateVadEvent(x)
_MiFreeRotateVadEvent@4	proc near	; CODE XREF: MiReleaseVadEventBlocks+CCp
					; MiFreeRotateView(x)+13p
		mov	ecx, [ecx+4]
		test	ecx, ecx
		jz	short loc_8578DE
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)

loc_8578DE:				; CODE XREF: MiFreeRotateVadEvent(x)+5j
		mov	eax, large fs:124h
		push	130h
		push	dword ptr [eax+80h]
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		retn
_MiFreeRotateVadEvent@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDereferenceImports proc near		; CODE XREF: MiUnloadSystemImage+1D2p
					; MiUnloadSystemImage+231p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009019FB SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		inc	eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		cmp	ebx, 0FFFFFFFEh
		jz	short loc_857944
		cmp	ebx, eax
		jz	short loc_857944
		test	bl, al
		jnz	short loc_857948

loc_85791A:				; CODE XREF: MiDereferenceImports+5Ej
		cmp	[ebx], esi
		jbe	short loc_857944
		push	edi
		lea	edi, [ebx+4]

loc_857922:				; CODE XREF: MiDereferenceImports+4Bj
		mov	eax, [edi]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_857943
		mov	ecx, eax
		call	MiUnloadApproved
		cmp	eax, 1
		jz	loc_9019FB

loc_85793B:				; CODE XREF: MiDereferenceImports+AA110j
		inc	esi
		add	edi, 4
		cmp	esi, [ebx]
		jb	short loc_857922

loc_857943:				; CODE XREF: MiDereferenceImports+33j
		pop	edi

loc_857944:				; CODE XREF: MiDereferenceImports+1Aj
					; MiDereferenceImports+1Ej ...
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_857948:				; CODE XREF: MiDereferenceImports+22j
		and	ebx, 0FFFFFFFEh
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], ebx
		lea	ebx, [ebp+var_C]
		jmp	short loc_85791A
MiDereferenceImports endp


;  S U B	R O U T	I N E 


MiUnloadApproved proc near		; CODE XREF: MiDereferenceImports+37p

; FUNCTION CHUNK AT 00901A0B SIZE 00000057 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+18h]
		mov	ecx, edi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		xor	ebx, ebx
		inc	ebx
		cmp	eax, ebx
		jz	short loc_857992
		mov	ecx, edi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	short loc_857992
		movzx	eax, word ptr [esi+38h]
		cmp	ax, bx
		jz	loc_901A38
		dec	eax
		mov	[esi+38h], ax

loc_85798C:				; CODE XREF: MiUnloadApproved+5Cj
					; MiUnloadApproved+AA0CBj ...
		xor	eax, eax

loc_85798E:				; CODE XREF: MiUnloadApproved+AA107j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_857992:				; CODE XREF: MiUnloadApproved+16j
					; MiUnloadApproved+22j
		mov	ecx, edi
		call	_MiSessionLookupImage@4	; MiSessionLookupImage(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_901A0B
		mov	eax, [ecx+20h]
		cmp	eax, ebx
		jz	loc_901A38
		dec	eax
		mov	[ecx+20h], eax
		jmp	short loc_85798C
MiUnloadApproved endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopDeleteDriver	proc near		; DATA XREF: IoCreateObjectTypes+112o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00901A62 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		mov	eax, [edi+18h]
		mov	eax, [eax+14h]
		test	eax, eax
		jnz	loc_901A62

loc_8579CE:				; CODE XREF: IopDeleteDriver+AA0BFj
		test	dword ptr [edi+8], 200h
		jnz	short loc_857A3A

loc_8579D7:				; CODE XREF: IopDeleteDriver+8Cj
		cmp	[edi+14h], ebx
		jz	short loc_857A00
		call	KeFlushQueuedDpcs
		push	dword ptr [edi+14h]
		call	MmUnloadSystemImage
		mov	ecx, _IopRootDeviceNode
		push	ebx
		push	ebx
		push	ebx
		mov	ecx, [ecx+10h]
		push	26h
		push	ebx
		push	2
		pop	edx
		call	PnpRequestDeviceAction

loc_857A00:				; CODE XREF: IopDeleteDriver+26j
		mov	eax, [edi+20h]
		test	eax, eax
		jz	short loc_857A0E
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_857A0E:				; CODE XREF: IopDeleteDriver+51j
		mov	eax, [edi+18h]
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_857A22
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [edi+18h]

loc_857A22:				; CODE XREF: IopDeleteDriver+62j
		mov	ecx, [eax+18h]
		test	ecx, ecx
		jnz	loc_901A78

loc_857A2D:				; CODE XREF: IopDeleteDriver+AA0CEj
		mov	eax, [eax+1Ch]
		test	eax, eax
		jnz	short loc_857A42

loc_857A34:				; CODE XREF: IopDeleteDriver+95j
		pop	edi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_857A3A:				; CODE XREF: IopDeleteDriver+21j
		push	edi
		call	_IoUnregisterPriorityCallback@4	; IoUnregisterPriorityCallback(x)
		jmp	short loc_8579D7
; 

loc_857A42:				; CODE XREF: IopDeleteDriver+7Ej
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_857A34
IopDeleteDriver	endp

; 
		align 10h
; Exported entry 1476. MmUnloadSystemImage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmUnloadSystemImage
MmUnloadSystemImage proc near		; CODE XREF: PAGE:007B3875p
					; PAGE:007B389Fp ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00901A87 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_1], bl
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		cmp	[eax+2A4h], bl
		jnz	loc_901A87

loc_857A6E:				; CODE XREF: MmUnloadSystemImage+AA048j
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	ecx, [ebp+arg_0]
		or	edx, 0FFFFFFFFh
		mov	esi, eax
		call	MiUnloadSystemImage
		mov	ecx, esi
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		cmp	[ebp+var_1], 0
		jnz	short loc_857A95

loc_857A8D:				; CODE XREF: MmUnloadSystemImage+4Bj
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	4		; struct _exception *
; 

loc_857A95:				; CODE XREF: MmUnloadSystemImage+3Bj
		push	ebx
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		jmp	short loc_857A8D
MmUnloadSystemImage endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtAlpcCancelMessage proc near		; DATA XREF: .text:00581248o

var_36		= byte ptr -36h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00901A9D SIZE 00000011 BYTES
; FUNCTION CHUNK AT 00901ACE SIZE 000000D2 BYTES

		push	24h
		push	offset dword_6A4910
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_1C], esi
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		test	[ebp+arg_4], 0FFFFFFF0h
		jnz	loc_901A9D
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_28], al
		test	al, al
		jz	loc_901ACE
		mov	[ebp+ms_exc.disabled], esi
		mov	ecx, [ebp+arg_8]
		mov	edx, ecx
		test	cl, 3
		jnz	loc_857BAD
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_901AA7

loc_857AFF:				; CODE XREF: NtAlpcCancelMessage+AA00Bj
		nop
		mov	al, [edx]
		mov	ebx, [ecx+0Ch]
		mov	[ebp+var_2C], ebx
		mov	edx, [ecx+10h]
		mov	[ebp+arg_8], edx
		mov	[ebp+var_30], edx
		mov	edi, [ecx+4]
		mov	[ebp+var_34], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_857B1E:				; CODE XREF: NtAlpcCancelMessage+AA03Fj
		test	ebx, ebx
		jz	loc_901AE2
		mov	eax, ds:_AlpcPortObjectType
		mov	[ebp+var_20], esi
		push	esi
		lea	ecx, [ebp+var_20]
		push	ecx
		push	[ebp+var_28]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_857B8D
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		push	[ebp+arg_8]
		mov	edx, ebx
		mov	ebx, [ebp+var_20]
		mov	ecx, ebx
		call	AlpcpLookupMessage
		mov	esi, eax
		test	esi, esi
		js	short loc_857B86
		mov	esi, [ebp+var_1C]
		test	byte ptr [ebp+arg_4], 8
		jnz	loc_901AEC

loc_857B6E:				; CODE XREF: NtAlpcCancelMessage+AA05Fj
					; NtAlpcCancelMessage+AA067j
		test	byte ptr [esi+14h], 80h
		jnz	loc_901B2C
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, ebx
		call	@AlpcpCancelMessage@12 ; AlpcpCancelMessage(x,x,x)
		mov	esi, eax

loc_857B86:				; CODE XREF: NtAlpcCancelMessage+C1j
					; NtAlpcCancelMessage+AA089j ...
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_857B8D:				; CODE XREF: NtAlpcCancelMessage+A7j
					; NtAlpcCancelMessage+AA004j ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_857BAD:				; CODE XREF: NtAlpcCancelMessage+4Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

PopDiagTraceDirectedDripsWorker:	; CODE XREF: PopDirectedDripsWorkerRoutine+54p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+ms_exc.disabled], eax
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_857BF4
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_DIRECTED_DRIPS_WORKER
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_901B4D

loc_857BF1:				; CODE XREF: NtAlpcCancelMessage+AA0FDj
		pop	edi
		pop	esi
		pop	ebx

loc_857BF4:				; CODE XREF: NtAlpcCancelMessage+12Dj
		mov	ecx, [ebp+ms_exc.disabled]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
NtAlpcCancelMessage endp

; 
		align 8
; Exported entry 291. EtwRegisterClassicProvider

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwRegisterClassicProvider(void	*,int,int,int,int)
		public _EtwRegisterClassicProvider@20
_EtwRegisterClassicProvider@20 proc near ; CODE	XREF: WmipProcessLegacyEtwRegister(x,x)+70p

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 0
		jz	short loc_857C33
		push	[ebp+arg_10]	; int
		mov	edx, [ebp+arg_0] ; void	*
		push	dword ptr [ebp+4] ; int
		mov	ecx, ds:_EtwpHostSiloState ; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	2		; int
		call	EtwpRegisterProvider

loc_857C2F:				; CODE XREF: EtwRegisterClassicProvider(x,x,x,x,x)+30j
		pop	ebp
		retn	14h
; 

loc_857C33:				; CODE XREF: EtwRegisterClassicProvider(x,x,x,x,x)+9j
		mov	eax, 0C000000Dh
		jmp	short loc_857C2F
_EtwRegisterClassicProvider@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiRememberUnloadedDriver proc near	; CODE XREF: MiUnloadSystemImage+29Fp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00901BA0 SIZE 00000009 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		xor	esi, esi
		cmp	[edi], si
		jz	loc_857D00
		mov	ebx, large fs:124h
		dec	word ptr [ebx+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceExclusiveLite
		mov	eax, _MmUnloadedDrivers
		test	eax, eax
		jz	loc_857D07
		mov	ecx, _MmLastUnloadedDriver
		cmp	ecx, 32h
		jnb	loc_857D22

loc_857C8B:				; CODE XREF: MiRememberUnloadedDriver+F0j
		imul	esi, ecx, 18h
		add	esi, eax
		push	esi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		movzx	ecx, word ptr [edi]
		mov	edx, 54446D4Dh
		push	0
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		mov	[esi+4], ecx
		test	ecx, ecx
		jz	loc_901BA0
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		push	ecx		; void *
		call	_memcpy
		mov	ax, [edi]
		add	esp, 0Ch
		mov	edx, [ebp+var_4]
		mov	[esi], ax
		mov	ax, [edi+2]
		mov	[esi+2], ax
		mov	eax, [ebp+arg_0]
		add	eax, edx
		mov	[esi+8], edx
		mov	[esi+0Ch], eax
		lea	eax, [esi+10h]
		push	eax
		call	KeQuerySystemTime
		inc	_MmLastUnloadedDriver

loc_857CEF:				; CODE XREF: MiRememberUnloadedDriver+E6j
					; MiRememberUnloadedDriver+A9F6Aj
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)

loc_857D00:				; CODE XREF: MiRememberUnloadedDriver+14j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_857D07:				; CODE XREF: MiRememberUnloadedDriver+3Cj
		push	esi
		push	40h
		mov	edx, 54446D4Dh
		mov	ecx, 4B0h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	_MmUnloadedDrivers, eax
		test	eax, eax
		jz	short loc_857CEF

loc_857D22:				; CODE XREF: MiRememberUnloadedDriver+4Bj
		mov	ecx, esi
		mov	_MmLastUnloadedDriver, ecx
		jmp	loc_857C8B
MiRememberUnloadedDriver endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCloneKCBValueListForTrans proc near	; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+3B5p
					; CmDeleteValueKey+1815E5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00901BA9 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_0]
		or	[ebp+var_10], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_C], ebx
		mov	[eax], bl
		cmp	[esi+9Ch], ebx
		jz	short loc_857D5F

loc_857D56:				; CODE XREF: CmpCloneKCBValueListForTrans+8Ej
		mov	al, 1

loc_857D58:				; CODE XREF: CmpCloneKCBValueListForTrans+A9E86j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_857D5F:				; CODE XREF: CmpCloneKCBValueListForTrans+24j
		mov	eax, [esi+14h]
		lea	edx, [ebp+var_10]
		mov	ecx, [esi+10h]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	edi, eax
		test	edi, edi
		jz	loc_901BB4
		cmp	[edi+24h], ebx
		jz	short loc_857DC0
		mov	edx, [edi+28h]
		mov	ecx, [esi+10h]
		push	1
		push	1
		call	HvDuplicateCell
		mov	[esi+98h], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_901BA9
		mov	ebx, [edi+24h]

loc_857D9E:				; CODE XREF: CmpCloneKCBValueListForTrans+97j
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_10]
		mov	[esi+94h], ebx
		mov	[esi+9Ch], ecx
		mov	ecx, [ebp+arg_0]
		push	edx
		mov	byte ptr [ecx],	1
		mov	ecx, [esi+10h]
		push	ecx
		call	dword ptr [ecx+8]
		jmp	short loc_857D56
; 

loc_857DC0:				; CODE XREF: CmpCloneKCBValueListForTrans+4Bj
		or	dword ptr [esi+98h], 0FFFFFFFFh
		jmp	short loc_857D9E
CmpCloneKCBValueListForTrans endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvDuplicateCell	proc near		; CODE XREF: CmpCloneKCBValueListForTrans+57p
					; CmpDuplicateIndex(x,x,x)+53p	...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 00901BBB SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	eax, eax
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_C], eax
		push	ecx
		push	edx
		or	ebx, 0FFFFFFFFh
		mov	[ebp+var_14], eax
		push	esi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_4], eax
		call	dword ptr [esi+4]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_857E54
		push	0FFFFFFFCh
		pop	edi
		sub	edi, [eax-4]
		mov	ecx, esi
		lea	eax, [ebp+var_18]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_0]
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		cmp	eax, ebx
		mov	[ebp+arg_0], eax
		mov	ebx, [ebp+var_4]
		jz	short loc_857E36
		cmp	[ebp+arg_4], 1
		push	edi		; size_t
		jnz	loc_901BBB
		push	[ebp+var_8]	; void *
		push	ebx		; void *
		call	_memcpy

loc_857E33:				; CODE XREF: HvDuplicateCell+A9DF9j
		add	esp, 0Ch

loc_857E36:				; CODE XREF: HvDuplicateCell+53j
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		test	ebx, ebx
		jz	short loc_857E4A
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_857E4A:				; CODE XREF: HvDuplicateCell+76j
		mov	eax, [ebp+arg_0]

loc_857E4D:				; CODE XREF: HvDuplicateCell+8Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_857E54:				; CODE XREF: HvDuplicateCell+2Fj
		mov	eax, ebx
		jmp	short loc_857E4D
HvDuplicateCell	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpAllocateGenericTableEntry(x, x)
_PnpAllocateGenericTableEntry@8	proc near ; DATA XREF: PiInitializeDDBCache()+7o
					; PnpInitializeDeviceReferenceTable()+2Bo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	75737050h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_PnpAllocateGenericTableEntry@8	endp


;  S U B	R O U T	I N E 


; __stdcall CmpAllocateUnitOfWork()
_CmpAllocateUnitOfWork@0 proc near	; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+5E1p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x):loc_732D54p ...
		mov	edi, edi
		push	esi
		push	77554D43h
		push	48h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_857EBA
		push	edi
		push	48h		; size_t
		xor	edi, edi
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+8], edi
		lea	eax, [esi+10h]
		mov	[esi+0Ch], edi
		mov	[esi+18h], edi
		mov	[esi+1Ch], edi
		mov	[esi+20h], edi
		mov	[esi+4], esi
		mov	[esi], esi
		mov	[eax+4], eax
		mov	[eax], eax
		mov	dword ptr [esi+24h], 0Fh
		pop	edi

loc_857EBA:				; CODE XREF: CmpAllocateUnitOfWork()+15j
		mov	eax, esi
		pop	esi
		retn
_CmpAllocateUnitOfWork@0 endp

; 

; __stdcall EtwpDisassociateConsumer(x,	x)
_EtwpDisassociateConsumer@8:		; CODE XREF: EtwpRealtimeDeliverBuffer+CFp
		mov	edi, edi
		push	esi
		mov	esi, edx
		mov	edx, [esi]
		cmp	[edx+4], esi
		jnz	short loc_857EF4
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_857EF4
		mov	[eax], edx
		push	0
		mov	[edx+4], eax
		dec	dword ptr [ecx+108h]
		or	byte ptr [esi+32h], 4
		push	0
		push	dword ptr [esi+18h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, esi
		pop	esi
		jmp	ObfDereferenceObject
; 

loc_857EF4:				; CODE XREF: PAGE:00857EC8j
					; PAGE:00857ECFj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 1585. NtSetCachedSigningLevel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetCachedSigningLevel(x, x, x, x,	x)
		public _NtSetCachedSigningLevel@20
_NtSetCachedSigningLevel@20 proc near	; DATA XREF: .text:00580D0Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		call	NtSetCachedSigningLevel2
		pop	ebp
		retn	14h
_NtSetCachedSigningLevel@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtSetCachedSigningLevel2(int,int,void *,int,int,int)
NtSetCachedSigningLevel2 proc near	; CODE XREF: NtSetCachedSigningLevel(x,x,x,x,x)+16p
					; DATA XREF: .text:00580D08o

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= dword	ptr -1Dh
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00901BC8 SIZE 00000155 BYTES
; FUNCTION CHUNK AT 00901D4A SIZE 00000021 BYTES

		push	28h
		push	offset dword_6A4930
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	edi, ecx
		mov	byte ptr [ebp+var_1D], cl
		mov	[ebp+var_24], ecx
		mov	eax, large fs:124h
		mov	dh, [eax+15Ah]
		mov	[ebp+var_19], dh
		mov	byte ptr [ebp+var_2C], dh
		cmp	dword_6BEA24, ecx
		jz	loc_901BC8
		test	byte ptr [ebp+arg_4], 30h
		jnz	loc_901BD2
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	loc_901D4A
		cmp	esi, 1000h
		ja	loc_901D4A
		mov	ebx, [ebp+arg_0]
		test	bl, 6
		jz	loc_901BDC

loc_857F7F:				; CODE XREF: NtSetCachedSigningLevel2+A9CC3j
		mov	eax, ebx
		and	eax, 3
		cmp	al, 3
		jz	loc_901BE6
		cmp	dh, 1
		jnz	loc_901C69
		test	bl, 2
		jnz	loc_901BE6
		or	ebx, 1
		test	bl, 4
		jz	loc_901BF0

loc_857FAA:				; CODE XREF: NtSetCachedSigningLevel2+A9D3Bj
					; NtSetCachedSigningLevel2+A9D46j ...
		shl	esi, 2
		push	63734943h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_30], edi
		xor	ecx, ecx
		test	edi, edi
		jz	loc_901C89
		mov	[ebp+ms_exc.disabled], ecx
		cmp	[ebp+var_19], 1
		jnz	short loc_85800B
		test	esi, esi
		jz	short loc_858000
		test	byte ptr [ebp+arg_8], 3
		jnz	loc_858092
		mov	edx, [ebp+arg_8]
		lea	eax, [esi+edx]
		mov	[ebp+arg_0], eax
		mov	eax, ds:_MmUserProbeAddress
		cmp	[ebp+arg_0], eax
		ja	loc_901C93
		cmp	[ebp+arg_0], edx
		jb	loc_901C93

loc_858000:				; CODE XREF: NtSetCachedSigningLevel2+B6j
					; NtSetCachedSigningLevel2+A9D77j
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jnz	loc_901C9A

loc_85800B:				; CODE XREF: NtSetCachedSigningLevel2+B2j
					; NtSetCachedSigningLevel2+A9D98j ...
		push	esi		; size_t
		push	[ebp+arg_8]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jnz	loc_901CC6

loc_858023:				; CODE XREF: NtSetCachedSigningLevel2+A9DFAj
		xor	ecx, ecx

loc_858025:				; CODE XREF: NtSetCachedSigningLevel2+A9DC7j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+arg_C]
		test	bl, 6
		jz	short loc_858040
		cmp	edx, 1
		jnz	short loc_858097
		mov	eax, [ebp+arg_10]
		cmp	eax, [edi]
		jnz	short loc_85809F

loc_858040:				; CODE XREF: NtSetCachedSigningLevel2+114j
		push	[ebp+var_24]
		push	[ebp+arg_10]
		push	edx
		push	edi
		push	[ebp+var_1D]
		push	[ebp+arg_4]
		push	[ebp+var_2C]
		and	ebx, 807h
		push	ebx
		call	dword_6BEA24
		mov	esi, eax

loc_858060:				; CODE XREF: NtSetCachedSigningLevel2+A9DBCj
		xor	ecx, ecx

loc_858062:				; CODE XREF: NtSetCachedSigningLevel2+186j
					; NtSetCachedSigningLevel2+A9D70j
		mov	dh, [ebp+var_19]

loc_858065:				; CODE XREF: NtSetCachedSigningLevel2+A9CAFj
					; NtSetCachedSigningLevel2+A9CB9j ...
		cmp	[ebp+var_24], 0
		jnz	loc_901D54

loc_85806F:				; CODE XREF: NtSetCachedSigningLevel2+A9E39j
					; NtSetCachedSigningLevel2+A9E48j
		test	edi, edi
		jz	short loc_85807E
		push	63734943h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_85807E:				; CODE XREF: NtSetCachedSigningLevel2+153j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_858092:				; CODE XREF: NtSetCachedSigningLevel2+BCj
					; NtSetCachedSigningLevel2+A9D7Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_858097:				; CODE XREF: NtSetCachedSigningLevel2+119j
		mov	dh, [ebp+var_19]
		jmp	loc_901D4A
; 

loc_85809F:				; CODE XREF: NtSetCachedSigningLevel2+120j
		mov	esi, 0C00000F3h
		jmp	short loc_858062
NtSetCachedSigningLevel2 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1643. ObRegisterCallbacks

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObRegisterCallbacks
ObRegisterCallbacks proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00901D6B SIZE 000000BE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, 0FF00h
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_8], ebx
		mov	ax, [esi]
		and	ax, cx
		mov	ecx, 100h
		cmp	ax, cx
		jnz	loc_901E1F
		movzx	eax, word ptr [esi+2]
		test	ax, ax
		jz	loc_901E1F
		imul	ecx, eax, 24h
		movzx	eax, word ptr [esi+4]
		add	eax, 10h
		push	6C46624Fh
		add	eax, ecx
		push	eax
		push	1
		mov	[ebp+var_C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_901D6B
		push	[ebp+var_C]	; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+var_C]
		mov	eax, 100h
		mov	[edi], ax
		mov	eax, [esi+0Ch]
		mov	[edi+4], eax
		movzx	eax, word ptr [esi+4]
		mov	edx, eax
		mov	[edi+0Ah], ax
		sub	ecx, eax
		mov	[edi+8], dx
		add	ecx, edi
		push	edx		; size_t
		mov	[edi+0Ch], ecx
		push	dword ptr [esi+8] ; void *
		push	ecx		; void *
		call	_memcpy
		xor	eax, eax
		mov	[ebp+var_C], ebx
		add	esp, 18h
		cmp	ax, [esi+2]
		jnb	loc_85821A
		mov	edx, ebx
		lea	eax, [edi+30h]
		mov	[ebp+var_10], edx
		mov	[ebp+var_4], eax

loc_858162:				; CODE XREF: ObRegisterCallbacks+168j
		mov	esi, [esi+10h]
		add	esi, edx
		mov	[ebp+var_8], esi
		cmp	[esi+4], ebx
		jz	loc_901E0D
		mov	eax, [esi]
		mov	eax, [eax]
		test	byte ptr [eax+2Ah], 40h
		jz	loc_901E0D
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	loc_901D75

loc_85818C:				; CODE XREF: ObRegisterCallbacks+A9CDAj
		call	_MmVerifyCallbackFunctionCheckFlags@8 ;	MmVerifyCallbackFunctionCheckFlags(x,x)
		test	eax, eax
		jz	loc_901D98

loc_858199:				; CODE XREF: ObRegisterCallbacks+A9CD4j
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jnz	loc_901D8B

loc_8581A4:				; CODE XREF: ObRegisterCallbacks+A9CE6j
		mov	eax, [ebp+var_4]
		mov	ecx, eax
		lea	esi, [eax-20h]
		mov	[eax-1Ch], esi
		mov	[esi], esi
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		mov	eax, [edx+4]
		mov	[ecx-18h], eax
		mov	[ecx-10h], edi
		mov	eax, [edx]
		mov	ecx, [eax]
		mov	eax, [ebp+var_4]
		mov	[eax-0Ch], ecx
		mov	eax, [edx+8]
		mov	edx, [ebp+var_4]
		mov	[edx-8], eax
		mov	edx, [ebp+var_8]
		mov	eax, [edx+0Ch]
		mov	edx, [ebp+var_4]
		mov	[edx-4], eax
		mov	edx, esi
		call	ObpInsertCallbackByAltitude
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_901D9F
		mov	esi, [ebp+arg_0]
		inc	word ptr [edi+2]
		mov	edx, [ebp+var_10]
		inc	[ebp+var_C]
		add	edx, 10h
		movzx	ecx, word ptr [esi+2]
		add	[ebp+var_4], 24h
		mov	[ebp+var_10], edx
		cmp	[ebp+var_C], ecx
		jb	loc_858162

loc_85821A:				; CODE XREF: ObRegisterCallbacks+A5j
					; ObRegisterCallbacks+A9D69j
		test	eax, eax
		js	loc_901D9F
		xor	eax, eax
		cmp	ax, [edi+2]
		jnb	short loc_85823C
		lea	ecx, [edi+1Ch]

loc_85822D:				; CODE XREF: ObRegisterCallbacks+18Ej
		or	dword ptr [ecx], 1
		inc	ebx
		movzx	eax, word ptr [edi+2]
		lea	ecx, [ecx+24h]
		cmp	ebx, eax
		jb	short loc_85822D

loc_85823C:				; CODE XREF: ObRegisterCallbacks+17Cj
		mov	eax, [ebp+arg_4]
		mov	[eax], edi

loc_858241:				; CODE XREF: ObRegisterCallbacks+A9D5Cj
		mov	eax, [ebp+var_8]

loc_858244:				; CODE XREF: ObRegisterCallbacks+A9CC4j
					; ObRegisterCallbacks+A9D78j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
ObRegisterCallbacks endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpInsertCallbackByAltitude proc near	; CODE XREF: ObRegisterCallbacks+13Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 00901E29 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		dec	word ptr [eax+13Eh]
		mov	esi, ecx
		mov	[ebp+var_8], edi
		nop
		lea	eax, [esi+80h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [esi+88h]
		mov	esi, [eax]
		cmp	esi, eax
		jnz	loc_901E29

loc_858290:				; CODE XREF: ObpInsertCallbackByAltitude+A9C04j
		mov	eax, [esi+4]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_8582C1
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[ecx+4], edi
		mov	[eax], edi

loc_8582A4:				; CODE XREF: ObpInsertCallbackByAltitude+A9C0Fj
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_8582C1:				; CODE XREF: ObpInsertCallbackByAltitude+4Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
ObpInsertCallbackByAltitude endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceSetThreadExecutionState(x, x)
_PopDiagTraceSetThreadExecutionState@8 proc near ; CODE	XREF: NtSetThreadExecutionState+108p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	[ebp+var_58], edx
		mov	ebx, ecx
		jz	loc_8583C0
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_STES
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_8583BE
		mov	eax, [ebx+2ACh]
		xor	ecx, ecx
		mov	[ebp+var_60], eax
		mov	eax, [ebx+2B0h]
		mov	[ebp+var_64], eax
		mov	eax, [ebx+150h]
		mov	edx, [eax+1C0h]
		mov	ax, [edx]
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], ecx
		lea	ecx, [ebp+var_34]
		mov	[ebp+var_4C], 4
		mov	[ebp+var_44], eax
		mov	[ebp+var_3C], 2
		movzx	eax, word ptr [edx]
		mov	ebx, eax
		test	ax, ax
		jz	short loc_8583CD
		mov	eax, [edx+4]
		lea	ecx, [ebp+var_24]
		mov	[ebp+var_34], eax
		xor	edx, edx
		mov	eax, ebx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], edx

loc_858382:				; CODE XREF: PopDiagTraceSetThreadExecutionState(x,x)+109j
		push	4
		pop	ebx
		mov	[ecx+4], edx
		lea	eax, [ebp+var_60]
		mov	[ecx], eax
		lea	eax, [ebp+var_64]
		mov	[ecx+8], ebx
		mov	[ecx+0Ch], edx
		add	ecx, 10h
		mov	[ecx], eax
		lea	eax, [ebp+var_54]
		mov	[ecx+4], edx
		mov	[ecx+8], ebx
		mov	[ecx+0Ch], edx
		sub	ecx, eax
		push	eax
		add	ecx, 10h
		sar	ecx, 4
		push	ecx
		push	edx
		push	offset _POP_ETW_EVENT_STES
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_8583BE:				; CODE XREF: PopDiagTraceSetThreadExecutionState(x,x)+41j
		pop	edi
		pop	esi

loc_8583C0:				; CODE XREF: PopDiagTraceSetThreadExecutionState(x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8583CD:				; CODE XREF: PopDiagTraceSetThreadExecutionState(x,x)+A4j
		xor	edx, edx
		jmp	short loc_858382
_PopDiagTraceSetThreadExecutionState@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopNotifyConsoleUserPresent proc near	; CODE XREF: NtSetThreadExecutionState+16Dp
					; PopDispatchFullWake(x)+15p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00901E60 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		mov	bl, cl
		mov	[esp+28h+var_14+1], ax
		mov	[esp+28h+var_11], al
		mov	[esp+28h+var_20], eax
		mov	[esp+28h+var_1C], eax
		cmp	_PsWin32CalloutsEstablished, al
		jz	short loc_85845B
		call	_RtlGetActiveConsoleId@0 ; RtlGetActiveConsoleId()
		mov	[esp+28h+var_24], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_85845B
		xor	edx, edx
		inc	edx
		cmp	ds:_TtmpEnabled, edx
		jz	loc_901E60
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	[esp+28h+var_1C], eax
		lea	eax, [esp+28h+var_20]
		mov	[esp+28h+var_C], eax
		lea	eax, [esp+28h+var_24]
		push	eax
		push	edx
		push	5
		mov	byte ptr [esp+34h+var_20+1], cl
		mov	[esp+34h+var_18], edx
		lea	edx, [esp+34h+var_18]
		mov	byte ptr [esp+34h+var_14], cl
		mov	[esp+34h+var_8], ecx
		mov	[esp+34h+var_4], ecx
		pop	ecx
		mov	byte ptr [esp+30h+var_20], bl
		mov	[esp+30h+var_10], 8
		call	PopInvokeWin32Callout

loc_85845B:				; CODE XREF: PopNotifyConsoleUserPresent+27j
					; PopNotifyConsoleUserPresent+35j ...
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
PopNotifyConsoleUserPresent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpDeleteRealTimeConnectionObject(x)
_EtwpDeleteRealTimeConnectionObject@4 proc near
					; DATA XREF: EtwpInitializeRealTimeConnection()+67o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	dword ptr [esi+8]
		call	_ZwClose@4	; ZwClose(x)
		mov	ecx, [esi+18h]
		call	ObfDereferenceObject
		mov	ecx, [esi+1Ch]
		call	ObfDereferenceObject
		pop	esi
		pop	ebp
		retn	4
_EtwpDeleteRealTimeConnectionObject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtOpenKeyTransactedEx proc near		; CODE XREF: NtOpenKeyTransacted(x,x,x,x)+13p
					; DATA XREF: .text:00580F38o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00901E6F SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _CmpShutdownRundown
		mov	ecx, ebx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_901E6F
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	esi
		push	0
		mov	al, [eax+15Ah]
		push	ecx
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, _CmRegistryTransactionType
		push	eax
		push	4
		push	[ebp+arg_10]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp+var_4]
		mov	edi, eax
		cmp	edi, 0C0000024h
		jz	short loc_858536
		test	edi, edi
		js	short loc_85850C
		or	esi, 1

loc_8584F4:				; CODE XREF: NtOpenKeyTransactedEx+DFj
		test	edi, edi
		js	short loc_85850C
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	CmOpenKey
		mov	edi, eax

loc_85850C:				; CODE XREF: NtOpenKeyTransactedEx+67j
					; NtOpenKeyTransactedEx+6Ej
		test	esi, esi
		jz	short loc_85851A
		and	esi, 0FFFFFFFEh
		mov	ecx, esi
		call	ObfDereferenceObject

loc_85851A:				; CODE XREF: NtOpenKeyTransactedEx+86j
		mov	ecx, ebx
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi

loc_85852E:				; CODE XREF: NtOpenKeyTransactedEx+A99F8j
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn	14h
; 

loc_858536:				; CODE XREF: NtOpenKeyTransactedEx+63j
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_8]
		and	[ebp+var_8], 0
		push	0
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_4], al
		push	[ebp+var_4]
		mov	eax, ds:_TmTransactionObjectType
		push	eax
		push	4
		push	[ebp+arg_10]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp+var_8]
		mov	edi, eax
		jmp	short loc_8584F4
NtOpenKeyTransactedEx endp

; 
		align 2

;  S U B	R O U T	I N E 


CmpLockIXLockIntent proc near		; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+681p
					; CmpUndoDeleteKeyForTransEx(x,x,x)+188p ...

; FUNCTION CHUNK AT 00901E85 SIZE 000000AA BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_8585A6
		js	loc_901E85
		cmp	eax, 1
		jnz	loc_901EC6
		mov	ebx, [esi+4]
		mov	edx, [edi+1Ch]
		mov	ecx, [ebx+1Ch]
		call	CmEqualTrans
		test	al, al
		jz	loc_901EA2

loc_85859E:				; CODE XREF: CmpLockIXLockIntent+48j
					; CmpLockIXLockIntent+A992Bj ...
		mov	al, 1

loc_8585A0:				; CODE XREF: CmpLockIXLockIntent+A9933j
		pop	edi
		pop	esi
		pop	ebx
		retn	4
; 

loc_8585A6:				; CODE XREF: CmpLockIXLockIntent+Dj
		mov	dword ptr [esi], 1
		mov	[esi+4], edi

loc_8585AF:				; CODE XREF: CmpLockIXLockIntent+A9957j
		mov	[edi+8], esi
		jmp	short loc_85859E
CmpLockIXLockIntent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopWnfAudioCallback proc near		; DATA XREF: PopSetupAudioEventNotification()+9o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00901F2F SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_10]
		push	esi
		push	ecx		; int
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_10], 8
		push	ecx		; void *
		lea	ecx, [ebp+arg_C]
		push	ecx		; int
		push	eax		; int
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_858618
		cmp	[ebp+var_10], 8
		jb	short loc_858646
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		test	byte ptr [ebp+var_C], 2
		jnz	short loc_858629
		xor	cl, cl
		mov	byte_6C2D4D, 0
		call	PopAudioAccountingCallback

loc_858608:				; CODE XREF: PopWnfAudioCallback+8Bj
					; PopWnfAudioCallback+A9987j
		mov	cl, byte_6C2D4D
		call	PopPowerRequestNotifyAudioStateChanged
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_858618:				; CODE XREF: PopWnfAudioCallback+33j
					; PopWnfAudioCallback+94j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_858629:				; CODE XREF: PopWnfAudioCallback+44j
		mov	cl, 1
		mov	byte_6C2D4D, 1
		call	PopAudioAccountingCallback
		call	PopGetDozeTimerSource
		cmp	eax, 2
		jnz	short loc_858608
		jmp	loc_901F2F
; 

loc_858646:				; CODE XREF: PopWnfAudioCallback+39j
		xor	esi, esi
		jmp	short loc_858618
PopWnfAudioCallback endp


;  S U B	R O U T	I N E 


PopPowerRequestNotifyAudioStateChanged proc near ; CODE	XREF: PopWnfAudioCallback+5Ap

; FUNCTION CHUNK AT 00901F40 SIZE 00000067 BYTES

		mov	eax, large fs:124h
		push	ebx
		push	edi
		mov	bl, cl
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopPowerRequestLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dl, bl
		xor	ecx, ecx
		mov	dword_6C3884, eax
		mov	byte_6C3862, bl
		call	_PopStatsScenarioStateChange@8 ; PopStatsScenarioStateChange(x,x)
		xor	bl, bl
		cmp	ds:_PopExecutionRequiredTimeout, 0
		jz	short loc_85869D
		cmp	byte_6C3863, bl
		jnz	loc_901F40

loc_85869B:				; CODE XREF: PopPowerRequestNotifyAudioStateChanged+A9905j
					; PopPowerRequestNotifyAudioStateChanged+A9911j
		mov	bl, 1

loc_85869D:				; CODE XREF: PopPowerRequestNotifyAudioStateChanged+43j
					; PopPowerRequestNotifyAudioStateChanged+A9946j
		cmp	_PopExecutionRequiredContext, bl
		jnz	loc_901F95

loc_8586A9:				; CODE XREF: PopPowerRequestNotifyAudioStateChanged+A9958j
		cmp	dword_6C3884, 0
		jz	short loc_8586B9
		and	dword_6C3884, 0

loc_8586B9:				; CODE XREF: PopPowerRequestNotifyAudioStateChanged+66j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		pop	edi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
PopPowerRequestNotifyAudioStateChanged endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopAudioAccountingCallback proc	near	; CODE XREF: PopWnfAudioCallback+4Fp
					; PopWnfAudioCallback+7Ep

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00901FA7 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	[ebp+var_1], cl
		call	KeQueryInterruptTime
		cmp	[ebp+var_1], 0
		jnz	short loc_858708
		push	esi
		mov	esi, dword_6D44C8
		mov	ecx, esi
		push	edi
		mov	edi, dword_6D44CC
		or	ecx, edi
		jnz	loc_901FA7

loc_8586F6:				; CODE XREF: PopAudioAccountingCallback+A990Bj
		and	dword_6D4518, 0
		and	dword_6D451C, 0
		pop	edi
		pop	esi
		leave
		retn
; 

loc_858708:				; CODE XREF: PopAudioAccountingCallback+12j
		mov	dword_6D4518, eax
		mov	dword_6D451C, edx
		leave
		retn
PopAudioAccountingCallback endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopStatsScenarioStateChange(x, x)
_PopStatsScenarioStateChange@8 proc near
					; CODE XREF: PopPowerRequestNotifyAudioStateChanged+35p
					; PopPowerRequestNotifyMobileHotspotChanged(x)+36p
		mov	edi, edi
		push	ebx
		push	esi
		mov	bl, dl
		call	PopAvlFindOrMakeStatsForScenarioType
		mov	esi, eax
		test	esi, esi
		jz	short loc_858746
		push	1
		push	3
		pop	edx
		mov	ecx, esi
		call	_PopGetStopWatchByRequestType@12 ; PopGetStopWatchByRequestType(x,x,x)
		test	eax, eax
		jz	short loc_858746
		xor	ecx, ecx
		lock xadd [esi], ecx
		test	bl, bl
		jnz	short loc_858749
		cmp	ecx, 1
		jz	short loc_858759

loc_858746:				; CODE XREF: PopStatsScenarioStateChange(x,x)+Fj
					; PopStatsScenarioStateChange(x,x)+1Fj	...
		pop	esi
		pop	ebx
		retn
; 

loc_858749:				; CODE XREF: PopStatsScenarioStateChange(x,x)+29j
		test	ecx, ecx
		jnz	short loc_858746
		lock inc dword ptr [esi]
		pop	esi
		mov	ecx, eax
		pop	ebx
		jmp	_PoStartStopWatch@4 ; PoStartStopWatch(x)
; 

loc_858759:				; CODE XREF: PopStatsScenarioStateChange(x,x)+2Ej
		lock dec dword ptr [esi]
		pop	esi
		mov	ecx, eax
		pop	ebx
		jmp	_PoPauseStopWatch@4 ; PoPauseStopWatch(x)
_PopStatsScenarioStateChange@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopAvlFindOrMakeStatsForScenarioType proc near
					; CODE XREF: PopStatsScenarioStateChange(x,x)+6p

var_C2		= byte ptr -0C2h
var_C1		= byte ptr -0C1h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00901FDA SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0C4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [esp+0D0h+var_B8]
		push	0B0h		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	esi, ecx
		mov	[esp+0DCh+var_C1], bl
		call	_memset
		add	esp, 0Ch
		mov	[esp+0D0h+var_C0], ebx
		mov	[esp+0D0h+var_BC], ebx
		test	esi, esi
		jnz	loc_901FDA
		mov	eax, offset _AUDIO_STATS_ID ; "Audio"

loc_8587B5:				; CODE XREF: PopAvlFindOrMakeStatsForScenarioType+A9882j
		push	eax
		lea	eax, [esp+0D4h+var_C0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	54515750h
		push	1
		lea	edx, [esp+0D8h+var_C0]
		lea	ecx, [esp+0D8h+var_B4]
		call	PopUnicodeStringDeepCopy

loc_8587D4:				; CODE XREF: PopAvlFindOrMakeStatsForScenarioType+A9877j
		lea	eax, [esp+0D0h+var_B8]
		mov	edi, offset _PowerRequestStatsDatabase
		push	eax
		push	edi
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_85880A

loc_8587EA:				; CODE XREF: PopAvlFindOrMakeStatsForScenarioType+BDj
					; PopAvlFindOrMakeStatsForScenarioType+C3j ...
		lea	ecx, [esp+0D0h+var_B4]
		call	_PopFreeUnicodeString@4	; PopFreeUnicodeString(x)
		mov	ecx, [esp+0D0h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_85880A:				; CODE XREF: PopAvlFindOrMakeStatsForScenarioType+82j
		lea	eax, [esp+0Fh]
		push	eax		; int
		push	0B0h		; size_t
		lea	eax, [esp+0D8h+var_B8]
		push	eax		; void *
		push	edi		; int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8587EA
		cmp	[esp+0D0h+var_C1], bl
		jz	short loc_8587EA
		push	0B0h		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esi+4]
		lea	edx, [esp+0D0h+var_B4]
		push	54515750h
		push	1
		call	PopUnicodeStringDeepCopy
		test	eax, eax
		jns	short loc_8587EA
		jmp	loc_901FED
PopAvlFindOrMakeStatsForScenarioType endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLockIXLockExclusive proc near	; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+6A6p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+6CBp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00901FFD SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_858883
		jns	loc_901FFD
		mov	ecx, [esi+4]
		mov	edx, [edx+1Ch]
		mov	ecx, [ecx+1Ch]
		call	CmEqualTrans
		test	al, al
		jz	short loc_8588A3

loc_85887C:				; CODE XREF: CmpLockIXLockExclusive+41j
					; CmpLockIXLockExclusive+46j ...
		mov	al, 1

loc_85887E:				; CODE XREF: CmpLockIXLockExclusive+4Fj
		pop	esi
		pop	ebp
		retn	4
; 

loc_858883:				; CODE XREF: CmpLockIXLockExclusive+Cj
		mov	dword ptr [esi], 80000001h
		mov	[esi+4], edx
		mov	eax, [ebp+arg_0]
		sub	eax, 0
		jz	short loc_85889E
		sub	eax, 1
		jnz	short loc_85887C
		mov	[edx+0Ch], esi
		jmp	short loc_85887C
; 

loc_85889E:				; CODE XREF: CmpLockIXLockExclusive+3Cj
		mov	[edx+8], esi
		jmp	short loc_85887C
; 

loc_8588A3:				; CODE XREF: CmpLockIXLockExclusive+24j
					; CmpLockIXLockExclusive+A97AAj ...
		xor	al, al
		jmp	short loc_85887E
CmpLockIXLockExclusive endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall KeSetDisableBoostThread(x, x)
_KeSetDisableBoostThread@8 proc	near	; CODE XREF: PAGE:007A7ED6p
					; NtSetInformationThread+945p
		add	ecx, 5Ch
		test	edx, edx
		jz	short loc_8588BB
		lock bts dword ptr [ecx], 3

loc_8588B4:				; CODE XREF: KeSetDisableBoostThread(x,x)+18j
		setb	al
		movzx	eax, al
		retn
; 

loc_8588BB:				; CODE XREF: KeSetDisableBoostThread(x,x)+5j
		lock btr dword ptr [ecx], 3
		jmp	short loc_8588B4
_KeSetDisableBoostThread@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpRealtimeZeroTruncateLogfile	proc near ; CODE XREF: EtwpRealtimeFlushSavedBuffers+D3p
					; EtwpRealtimeCreateLogfile+11F50Cp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00902027 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	48h
		pop	ebx
		push	14h
		push	8
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], ebx
		push	eax
		mov	edi, ecx
		lea	eax, [ebp+var_10]
		xor	esi, esi
		push	eax
		mov	[ebp+var_10], esi
		push	dword ptr [edi+110h]
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_14], esi
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		test	eax, eax
		js	loc_902027
		push	13h
		push	8
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_4], esi
		push	eax
		push	dword ptr [edi+110h]
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		test	eax, eax
		js	loc_902027

loc_85892A:				; CODE XREF: EtwpRealtimeZeroTruncateLogfile+A9778j
		mov	[edi+130h], ebx
		mov	[edi+134h], esi
		mov	[edi+128h], ebx
		mov	[edi+12Ch], esi
		mov	[edi+120h], ebx
		mov	[edi+124h], esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
EtwpRealtimeZeroTruncateLogfile	endp

; 
		align 4

;  S U B	R O U T	I N E 


EtwpCheckSecurityLoggerAccess proc near	; CODE XREF: EtwpQueryTrace(x,x)+95p
					; EtwpCheckNotificationAccess+1208E4p

; FUNCTION CHUNK AT 0090203F SIZE 00000022 BYTES

		mov	al, [ecx+3A6h]
		xor	edx, edx
		cmp	al, 31h
		jnz	loc_90203F

loc_858964:				; CODE XREF: EtwpCheckSecurityLoggerAccess+A96EDj
					; EtwpCheckSecurityLoggerAccess+A96F5j	...
		mov	eax, edx
		retn
EtwpCheckSecurityLoggerAccess endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2355. RtlSystemTimeToLocalTime

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSystemTimeToLocalTime(x,	x)
		public _RtlSystemTimeToLocalTime@8
_RtlSystemTimeToLocalTime@8 proc near

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [ebp+arg_4]
		lea	eax, [ebp+var_34]
		push	30h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_34]
		push	0
		push	30h
		push	eax
		push	3
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_8589BA
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		sub	ecx, [ebp+var_24]
		mov	eax, [eax+4]
		sbb	eax, [ebp+var_20]
		mov	[esi+4], eax
		xor	eax, eax
		mov	[esi], ecx

loc_8589BA:				; CODE XREF: RtlSystemTimeToLocalTime(x,x)+37j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_RtlSystemTimeToLocalTime@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 814. IoDeleteSymbolicLink

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoDeleteSymbolicLink(x)
		public _IoDeleteSymbolicLink@4
_IoDeleteSymbolicLink@4	proc near

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		push	esi
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	10000h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ecx
		push	eax
		mov	[ebp+var_1C], 18h
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], 240h
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		call	_ZwOpenSymbolicLinkObject@12 ; ZwOpenSymbolicLinkObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_858A18

loc_858A11:				; CODE XREF: IoDeleteSymbolicLink(x)+56j
					; IoDeleteSymbolicLink(x)+60j
		mov	eax, esi
		pop	esi
		leave
		retn	4
; 

loc_858A18:				; CODE XREF: IoDeleteSymbolicLink(x)+41j
		push	[ebp+var_4]
		call	_ZwMakeTemporaryObject@4 ; ZwMakeTemporaryObject(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_858A11
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_858A11
_IoDeleteSymbolicLink@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsSystemWideMitigationOptionSet(x, x)
_PsIsSystemWideMitigationOptionSet@8 proc near ; CODE XREF: PAGE:loc_7A95C6p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		mov	esi, offset _PspSystemMitigationOptions
		lea	edi, [ebp+var_1C]
		rep movsd
		mov	ecx, [ebp+var_18]
		xor	eax, eax
		shr	ecx, 4
		and	cl, 0Fh
		cmp	cl, 6
		mov	ecx, [ebp+var_4]
		pop	edi
		setz	al
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PsIsSystemWideMitigationOptionSet@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateRegistryTransaction proc near	; DATA XREF: .text:005812B0o

var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00902061 SIZE 0000001B BYTES
; FUNCTION CHUNK AT 009020A1 SIZE 0000000A BYTES
; FUNCTION CHUNK AT 009020B9 SIZE 0000000D BYTES

		push	24h
		push	offset dword_6A4950
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		call	CmpAcquireShutdownRundown
		mov	bl, al
		mov	[ebp+var_19], bl
		test	bl, bl
		jz	loc_902061
		cmp	[ebp+arg_C], esi
		jnz	loc_90206B
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_C+3],	al
		mov	byte ptr [ebp+var_2C], al
		cmp	al, 1
		jnz	loc_9020A1
		mov	[ebp+ms_exc.disabled], esi
		mov	ebx, [ebp+arg_0]
		mov	ecx, ebx
		mov	edx, ds:_MmUserProbeAddress
		cmp	ebx, edx
		jnb	loc_902075

loc_858AD2:				; CODE XREF: NtCreateRegistryTransaction+A9607j
		mov	[ecx], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_858ADB:				; CODE XREF: NtCreateRegistryTransaction+A9636j
		mov	edx, _CmRegistryTransactionType
		push	esi
		lea	ecx, [ebp+var_24]
		push	ecx
		push	esi
		push	esi
		push	10h
		push	ecx
		push	[ebp+var_2C]
		push	[ebp+arg_8]
		mov	cl, al
		call	ObCreateObjectEx
		mov	esi, eax
		test	esi, esi
		js	short loc_858B46
		xor	eax, eax
		mov	ecx, [ebp+var_24]
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[ecx+4], edi
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		push	edi
		push	edi
		push	[ebp+arg_4]
		xor	edx, edx
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], edi
		test	esi, esi
		js	short loc_858B46
		cmp	byte ptr [ebp+arg_C+3],	1
		jnz	short loc_858B77
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_20]
		mov	[ebx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_858B41:				; CODE XREF: NtCreateRegistryTransaction+10Cj
		mov	[ebp+var_20], edi
		mov	esi, edi

loc_858B46:				; CODE XREF: NtCreateRegistryTransaction+8Cj
					; NtCreateRegistryTransaction+B6j ...
		mov	bl, [ebp+var_19]

loc_858B49:				; CODE XREF: NtCreateRegistryTransaction+A95F6j
					; NtCreateRegistryTransaction+A9600j
		cmp	[ebp+var_20], 0
		jnz	loc_9020B9

loc_858B53:				; CODE XREF: NtCreateRegistryTransaction+A9651j
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jnz	short loc_858B7E

loc_858B5A:				; CODE XREF: NtCreateRegistryTransaction+113j
		test	bl, bl
		jz	short loc_858B63
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_858B63:				; CODE XREF: NtCreateRegistryTransaction+ECj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_858B77:				; CODE XREF: NtCreateRegistryTransaction+BCj
		mov	eax, [ebp+var_20]
		mov	[ebx], eax
		jmp	short loc_858B41
; 

loc_858B7E:				; CODE XREF: NtCreateRegistryTransaction+E8j
		call	ObfDereferenceObject
		jmp	short loc_858B5A
NtCreateRegistryTransaction endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpInitializeLightWeightTransaction(x)
_CmpInitializeLightWeightTransaction@4 proc near ; CODE	XREF: CmpTransMgrCommit(x,x,x)+7Ap
		mov	edi, edi
		push	edi
		xor	eax, eax
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		pop	edi
		retn
_CmpInitializeLightWeightTransaction@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


MiReturnSystemImageCommitment proc near	; CODE XREF: MiUnloadSystemImage+379p

; FUNCTION CHUNK AT 009020C6 SIZE 00000014 BYTES

		cmp	dword ptr [ecx], 0
		push	esi
		push	edi
		mov	edi, edx
		jz	loc_9020C6
		mov	edx, [ecx+74h]
		mov	esi, [ecx+78h]

loc_858BA9:				; CODE XREF: MiReturnSystemImageCommitment+A953Fj
		mov	eax, edx
		mov	ecx, offset unk_6D362C
		neg	eax
		lock xadd [ecx], eax
		sub	edx, [edi+4]
		mov	edi, offset _MiSystemPartition
		mov	ecx, edi
		call	MiReturnCommit
		test	esi, esi
		jz	short loc_858BD4
		mov	ecx, edi
		mov	edx, esi
		pop	edi
		pop	esi
		jmp	_MiReturnResident@8 ; MiReturnResident(x,x)
; 

loc_858BD4:				; CODE XREF: MiReturnSystemImageCommitment+31j
		pop	edi
		pop	esi
		retn
MiReturnSystemImageCommitment endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1799. PsGetProcessExitStatus

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetProcessExitStatus(x)
		public _PsGetProcessExitStatus@4
_PsGetProcessExitStatus@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+34Ch]
		pop	ebp
		retn	4
_PsGetProcessExitStatus@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1736. PoUnregisterPowerSettingCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoUnregisterPowerSettingCallback
PoUnregisterPowerSettingCallback proc near
					; CODE XREF: SSHSupportUnregisterPowerSettingCallback(x)+Dp
					; TtmCleanupCurrentSession()+9Dp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009020DA SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		test	esi, esi
		jz	short loc_858C55
		cmp	dword ptr [esi+8], 74655350h
		jnz	short loc_858C55
		mov	edi, offset _PopSettingLock
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	al, [esi+11h]
		test	al, al
		jnz	short loc_858C4E
		mov	al, [esi+10h]
		test	al, al
		jnz	short loc_858C4E
		cmp	[esi], esi
		jz	short loc_858C4E
		mov	eax, [esi+0Ch]
		test	eax, eax
		jnz	loc_9020DA

loc_858C37:				; CODE XREF: PoUnregisterPowerSettingCallback+A9531j
		mov	ecx, esi
		call	PopUnregisterPowerSettingCallback

loc_858C3E:				; CODE XREF: PoUnregisterPowerSettingCallback+5Fj
					; PoUnregisterPowerSettingCallback+A94F6j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, ebx

loc_858C47:				; CODE XREF: PoUnregisterPowerSettingCallback+66j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_858C4E:				; CODE XREF: PoUnregisterPowerSettingCallback+2Bj
					; PoUnregisterPowerSettingCallback+32j	...
		mov	ebx, 0C000000Dh
		jmp	short loc_858C3E
; 

loc_858C55:				; CODE XREF: PoUnregisterPowerSettingCallback+Fj
					; PoUnregisterPowerSettingCallback+18j
		mov	eax, 0C000000Dh
		jmp	short loc_858C47
PoUnregisterPowerSettingCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtDeletePrivateNamespace(x)
_NtDeletePrivateNamespace@4 proc near	; DATA XREF: .text:005810A8o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_10]
		push	edi
		push	ecx
		lea	ecx, [ebp+var_4]
		xor	edi, edi
		mov	al, [eax+15Ah]
		push	ecx
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, _ObpDirectoryObjectType
		push	eax
		push	10000h
		push	[ebp+arg_0]
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_4], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_858CD1
		push	esi
		mov	esi, [ebp+var_4]
		cmp	[esi+0A0h], edi
		jz	short loc_858CD6
		lea	ecx, [esi+0C8h]
		call	ObpVerifyCreatorAccessCheck
		mov	edi, eax
		test	edi, edi
		js	short loc_858CC7
		mov	ecx, esi
		call	_ObpRemoveNamespaceFromTable@4 ; ObpRemoveNamespaceFromTable(x)
		mov	edi, eax

loc_858CC7:				; CODE XREF: NtDeletePrivateNamespace(x)+60j
					; NtDeletePrivateNamespace(x)+7Fj
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		pop	esi

loc_858CD1:				; CODE XREF: NtDeletePrivateNamespace(x)+43j
		pop	edi
		leave
		retn	4
; 

loc_858CD6:				; CODE XREF: NtDeletePrivateNamespace(x)+4Fj
		mov	edi, 0C0000008h
		jmp	short loc_858CC7
_NtDeletePrivateNamespace@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiFreeLoadedImportList(x)
_MiFreeLoadedImportList@4 proc near	; CODE XREF: MiShutdownSystem()+119p
					; MiUnloadSystemImage+1DAp ...
		cmp	ecx, 0FFFFFFFEh
		jz	short locret_858CF5
		cmp	ecx, 1
		jz	short locret_858CF5
		test	cl, 1
		jnz	short locret_858CF5
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_858CF5:				; CODE XREF: MiFreeLoadedImportList(x)+3j
					; MiFreeLoadedImportList(x)+8j	...
		retn
_MiFreeLoadedImportList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopMonitorInvocation proc near		; CODE XREF: NtPowerInformation+BC8p

; FUNCTION CHUNK AT 0090212A SIZE 000000AB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ebx
		push	edi
		mov	edi, [ecx+4]
		cmp	_PopPlatformAoAc, bl
		jnz	loc_90212A

loc_858D15:				; CODE XREF: PopMonitorInvocation+A9436j
					; PopMonitorInvocation+A9479j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
PopMonitorInvocation endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1421. MmIsDriverVerifyingByAddress

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmIsDriverVerifyingByAddress(x)
		public _MmIsDriverVerifyingByAddress@4
_MmIsDriverVerifyingByAddress@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		xor	esi, esi
		inc	esi
		dec	word ptr [edi+13Ch]
		nop
		push	esi
		mov	ebx, offset _PsLoadedModuleResource
		push	ebx
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		test	eax, eax
		jz	short loc_858D61
		test	dword ptr [eax+34h], 2000000h
		jnz	short loc_858D63

loc_858D61:				; CODE XREF: MmIsDriverVerifyingByAddress(x)+32j
		xor	esi, esi

loc_858D63:				; CODE XREF: MmIsDriverVerifyingByAddress(x)+3Bj
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MmIsDriverVerifyingByAddress@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpGetImageSize proc near		; CODE XREF: EtwpLocateDbgIdForRegEntry+E3p

ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 009021D5 SIZE 00000013 BYTES

		push	0Ch
		push	offset dword_6A4978
		call	__SEH_prolog4
		test	ecx, ecx
		jz	short loc_858DCD
		xor	eax, eax
		mov	[edx], eax
		mov	[ebp+ms_exc.disabled], eax
		movzx	esi, word ptr [ecx+18h]
		mov	edi, 10Bh
		cmp	si, di
		jnz	loc_9021D5

loc_858DA3:				; CODE XREF: EtwpGetImageSize+A9469j
		mov	eax, [ecx+50h]
		mov	[edx], eax

loc_858DA8:				; CODE XREF: EtwpGetImageSize+A9463j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFF85h
		add	eax, 0C000007Bh

loc_858DBD:				; CODE XREF: EtwpGetImageSize+58j
					; sub_9021F6+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_858DCD:				; CODE XREF: EtwpGetImageSize+Ej
		mov	eax, 0C000000Dh
		jmp	short loc_858DBD
EtwpGetImageSize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCloseLightWeightTransaction(x, x, x, x)
_CmpCloseLightWeightTransaction@16 proc	near
					; DATA XREF: CmpInitializeLightWeightTransactionType()+66o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 1
		jnz	short loc_858DE7
		mov	ecx, [ebp+arg_4]
		call	CmpRollbackLightWeightTransaction

loc_858DE7:				; CODE XREF: CmpCloseLightWeightTransaction(x,x,x,x)+9j
		pop	ebp
		retn	10h
_CmpCloseLightWeightTransaction@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpRollbackLightWeightTransaction proc near
					; CODE XREF: CmpCloseLightWeightTransaction(x,x,x,x)+Ep
					; NtRollbackRegistryTransaction(x,x)+ABp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00902208 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	3
		mov	esi, ecx
		xor	eax, eax
		pop	edx
		lock cmpxchg [esi], edx
		xor	ebx, ebx
		cmp	eax, 1
		jz	loc_902208
		test	eax, eax
		jz	short loc_858E2A
		cmp	eax, 3
		setnz	bl
		dec	ebx
		and	ebx, 12h
		add	ebx, 0C0190003h

loc_858E22:				; CODE XREF: CmpRollbackLightWeightTransaction+45j
					; CmpRollbackLightWeightTransaction+A9432j
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_858E2A:				; CODE XREF: CmpRollbackLightWeightTransaction+24j
					; CmpRollbackLightWeightTransaction+A944Cj
		mov	ecx, esi
		call	_CmpAbortLightWeightTransaction@4 ; CmpAbortLightWeightTransaction(x)
		jmp	short loc_858E22
CmpRollbackLightWeightTransaction endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDeleteLightWeightTransaction(x)
_CmpDeleteLightWeightTransaction@4 proc	near
					; DATA XREF: CmpInitializeLightWeightTransactionType()+6Do

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_858E4E
		push	72544D43h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_858E4E:				; CODE XREF: CmpDeleteLightWeightTransaction(x)+Dj
		pop	ebp
		retn	4
_CmpDeleteLightWeightTransaction@4 endp

; 
		align 8
; Exported entry 257. CmRegisterCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmRegisterCallback(x, x, x)
		public _CmRegisterCallback@12
_CmRegisterCallback@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	1
		push	offset _CmLegacyAltitude
		call	CmpRegisterCallbackInternal
		pop	ebp
		retn	0Ch
_CmRegisterCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpDispatchInstallerClass proc	near	; DATA XREF: _PnpCtxOpenMachine+14Eo

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00906AD7 SIZE 000000E8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_C]
		push	esi
		push	edi
		xor	edi, edi
		dec	eax
		mov	[ebp+var_8], edi
		mov	edx, edi
		mov	[ebp+var_4], edi
		cmp	eax, 8		; switch 9 cases
		ja	loc_906BB5	; default
		jmp	ds:off_858F18[eax*4] ; switch jump

loc_858EA0:				; DATA XREF: PAGE:off_858F18o
		mov	eax, [ebp+arg_10] ; case 0x7
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	dword ptr [eax+18h] ; int
		push	dword ptr [eax+14h] ; int
		push	dword ptr [eax+10h] ; int
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; void *
		push	dword ptr [eax+4] ; void *
		push	dword ptr [eax]	; int
		call	_CmGetInstallerClassMappedProperty

loc_858EC2:				; CODE XREF: _PnpDispatchInstallerClass+70j
					; _PnpDispatchInstallerClass+9Cj ...
		mov	ecx, eax
		call	__PnpMapCmStatusToDispatchStatus@4 ; _PnpMapCmStatusToDispatchStatus(x)
		pop	edi
		pop	esi
		leave
		retn	14h
; 

loc_858ECF:				; CODE XREF: _PnpDispatchInstallerClass+21j
					; DATA XREF: PAGE:off_858F18o
		mov	ecx, [ebp+arg_4] ; case	0x0
		call	__PnpIsValidGuidString@4 ; _PnpIsValidGuidString(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFCDh
		add	eax, 0C0000033h
		jmp	short loc_858EC2
; 

loc_858EEA:				; CODE XREF: _PnpDispatchInstallerClass+21j
					; DATA XREF: PAGE:off_858F18o
		mov	ecx, [ebp+arg_10] ; case 0x4
		mov	eax, [ecx]
		test	eax, eax
		jnz	loc_906B42

loc_858EF7:				; CODE XREF: _PnpDispatchInstallerClass+ADCDBj
		mov	eax, [ecx+14h]
		and	eax, 0FFFF0000h
		push	eax
		push	dword ptr [ecx+10h]
		push	dword ptr [ecx+0Ch]
		push	dword ptr [ecx+8]
		mov	ecx, [ebp+arg_0]
		push	edx
		mov	edx, edi
		call	__CmGetMatchingInstallerClassList@28 ; _CmGetMatchingInstallerClassList(x,x,x,x,x,x,x)
		jmp	short loc_858EC2
_PnpDispatchInstallerClass endp

; 
		align 4
off_858F18	dd offset loc_858ECF	; DATA XREF: _PnpDispatchInstallerClass+21r
		dd offset loc_906AD7	; jump table for switch	statement
		dd offset loc_906B01
		dd offset loc_906B27
		dd offset loc_858EEA
		dd offset loc_906B58
		dd offset loc_906B77
		dd offset loc_858EA0
		dd offset loc_906B91

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetInstallerClassMappedProperty(int,void *,void *,int,int,int,int)
_CmGetInstallerClassMappedProperty proc	near ; CODE XREF: _PnpDispatchInstallerClass+45p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 00906BBF SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_18]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edx
		mov	ebx, 0C0000016h
		mov	[ebp+var_8], ecx
		mov	[eax], edi
		cmp	[ebp+arg_4], edi
		jnz	loc_85900A
		mov	esi, [ebp+arg_8]
		mov	ecx, edi
		mov	[ebp+arg_4], edi

loc_858F69:				; CODE XREF: _CmGetInstallerClassMappedProperty+4Fj
		mov	edx, ds:__CmClassRegPropMap[ecx]
		test	edx, edx
		jz	short loc_858F7F
		mov	eax, [esi+10h]
		cmp	eax, [edx+10h]
		jz	loc_859013

loc_858F7F:				; CODE XREF: _CmGetInstallerClassMappedProperty+35j
					; _CmGetInstallerClassMappedProperty+EEj
		add	ecx, 10h
		mov	[ebp+arg_4], ecx
		cmp	ecx, 90h
		jb	short loc_858F69

loc_858F8D:				; CODE XREF: _CmGetInstallerClassMappedProperty+ADCACj
		mov	edx, [esi+10h]
		mov	eax, edi
		mov	[ebp+arg_8], edx
		mov	[ebp+arg_4], edi

loc_858F98:				; CODE XREF: _CmGetInstallerClassMappedProperty+76j
		mov	ecx, ds:off_A42C38[eax]
		cmp	edx, [ecx+10h]
		jz	loc_85902F

loc_858FA7:				; CODE XREF: _CmGetInstallerClassMappedProperty+133j
		add	eax, 10h
		mov	[ebp+arg_4], eax
		cmp	eax, 0D0h
		jb	short loc_858F98

loc_858FB4:				; CODE XREF: _CmGetInstallerClassMappedProperty+128j
		cmp	dword ptr [esi+10h], 2
		jz	loc_859074

loc_858FBE:				; CODE XREF: _CmGetInstallerClassMappedProperty+14Aj
					; _CmGetInstallerClassMappedProperty+176j
		mov	ecx, [esi+10h]
		mov	[ebp+arg_4], ecx

loc_858FC4:				; CODE XREF: _CmGetInstallerClassMappedProperty+99j
		mov	eax, ds:off_A42F10[edi]
		cmp	ecx, [eax+10h]
		jz	short loc_858FD9

loc_858FCF:				; CODE XREF: _CmGetInstallerClassMappedProperty+ADCB4j
		add	edi, 8
		cmp	edi, 20h
		jb	short loc_858FC4
		jmp	short loc_85900A
; 

loc_858FD9:				; CODE XREF: _CmGetInstallerClassMappedProperty+91j
		push	10h		; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_906BED
		push	[ebp+arg_18]	; int
		mov	edx, [ebp+var_4]
		push	[ebp+arg_14]	; int
		mov	ecx, [ebp+var_8]
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	esi		; void *
		push	[ebp+arg_0]	; int
		call	_CmGetInstallerClassMappedPropertyFromComposite
		mov	ebx, eax

loc_85900A:				; CODE XREF: _CmGetInstallerClassMappedProperty+1Fj
					; _CmGetInstallerClassMappedProperty+9Bj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	1Ch
; 

loc_859013:				; CODE XREF: _CmGetInstallerClassMappedProperty+3Dj
		push	10h		; size_t
		push	edx		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_906BBF
		mov	ecx, [ebp+arg_4]
		jmp	loc_858F7F
; 

loc_85902F:				; CODE XREF: _CmGetInstallerClassMappedProperty+65j
		push	10h		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_859069
		push	[ebp+arg_18]	; int
		mov	edx, [ebp+var_4]
		push	[ebp+arg_14]	; int
		mov	ecx, [ebp+var_8]
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	esi		; void *
		push	[ebp+arg_0]	; int
		call	_CmGetInstallerClassMappedPropertyFromRegValue
		mov	ebx, eax
		cmp	ebx, 0C0000016h
		jnz	short loc_85900A
		jmp	loc_858FB4
; 

loc_859069:				; CODE XREF: _CmGetInstallerClassMappedProperty+101j
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_8]
		jmp	loc_858FA7
; 

loc_859074:				; CODE XREF: _CmGetInstallerClassMappedProperty+7Cj
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_ClassCoInstallers ;	void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_858FBE
		push	[ebp+arg_18]
		mov	edx, [ebp+var_4]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ecx
		mov	ecx, [ebp+var_8]
		call	_CmGetInstallerClassMappedPropertyFromCoInstallers
		mov	ebx, eax
		cmp	ebx, 0C0000016h
		jnz	loc_85900A
		jmp	loc_858FBE
_CmGetInstallerClassMappedProperty endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetInstallerClassMappedPropertyFromComposite(int,void	*,int,int,int,int)
_CmGetInstallerClassMappedPropertyFromComposite	proc near
					; CODE XREF: _CmGetInstallerClassMappedProperty+C7p
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+1A1p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00906BF5 SIZE 000001A3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_14]
		mov	[esp+20h+var_C], edx
		xor	edx, edx
		mov	[esp+20h+var_8], ecx
		mov	esi, edx
		mov	ecx, [ebp+arg_C]
		mov	[eax], edx
		mov	[esp+20h+var_14], edx
		mov	[edi], edx
		test	ecx, ecx
		jz	short loc_8590F5
		mov	edx, [ebp+arg_10]
		mov	eax, edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+arg_C], eax

loc_8590F5:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromComposite+2Dj
		mov	ebx, [ebp+arg_4]
		mov	[esp+20h+var_10], edx
		mov	eax, [ebx+10h]
		mov	[esp+20h+var_4], eax
		cmp	eax, 2
		jb	loc_906BF5
		cmp	eax, 0Ah
		jz	loc_906BFF
		cmp	eax, 4
		jz	loc_906C9F
		cmp	eax, 14h
		jz	short loc_859165

loc_859123:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromComposite+C5j
		cmp	eax, 15h
		jnz	short loc_85915A
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_CompoundLowerFilters ; void	*
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_85915A

loc_85913C:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromComposite+BFj
		mov	edx, [esp+20h+var_C]
		mov	ecx, [esp+20h+var_8]
		push	edi
		push	[esp+24h+var_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ebx
		push	[ebp+arg_0]
		call	_CmGetInstallerClassCompoundFilters
		mov	esi, eax

loc_85915A:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromComposite+6Ej
					; _CmGetInstallerClassMappedPropertyFromComposite+82j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_859165:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromComposite+69j
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_CompoundUpperFilters ; void	*
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_85913C
		mov	eax, [esp+20h+var_4]
		jmp	short loc_859123
_CmGetInstallerClassMappedPropertyFromComposite	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetInstallerClassCompoundFilters proc near
					; CODE XREF: _CmGetInstallerClassMappedPropertyFromComposite+9Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00906D98 SIZE 00000064 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_4]
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	ebx
		cmp	dword ptr [eax+10h], 14h
		push	esi
		mov	esi, edx
		push	edi
		mov	[ebp+var_10], esi
		mov	edi, ecx
		jz	loc_859248

loc_8591A7:				; CODE XREF: _CmGetInstallerClassCompoundFilters+E7j
		mov	[ebp+var_C], offset _DEVPKEY_DeviceClass_LowerFilters

loc_8591AE:				; CODE XREF: _CmGetInstallerClassCompoundFilters+E1j
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jnz	loc_85926C
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	ecx
		push	eax
		push	ecx
		push	2000001h
		push	ecx
		push	20h
		mov	edx, esi
		mov	ecx, edi
		call	_CmOpenCommonClassRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_859223
		mov	edx, [ebp+var_4]

loc_8591DB:				; CODE XREF: _CmGetInstallerClassCompoundFilters+F1j
		test	edi, edi
		jz	loc_906D98
		mov	ecx, [edi+74h]

loc_8591E6:				; CODE XREF: _CmGetInstallerClassCompoundFilters+ADC1Aj
		lea	eax, [ebp+var_8]
		push	eax
		push	2001Fh
		push	0
		push	offset ??_C@_1BA@DJLBFCNB@?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@	; "F"
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_906D9F

loc_859205:				; CODE XREF: _CmGetInstallerClassCompoundFilters+ADC46j
					; _CmGetInstallerClassCompoundFilters+ADC51j ...
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+var_C]	; void *
		push	[ebp+var_4]	; int
		call	_CmGetInstallerClassMappedPropertyFromRegProp

loc_859221:				; CODE XREF: _CmGetInstallerClassCompoundFilters+ADC6Aj
		mov	esi, eax

loc_859223:				; CODE XREF: _CmGetInstallerClassCompoundFilters+56j
					; _CmGetInstallerClassCompoundFilters+ADC64j
		cmp	[ebp+var_4], 0
		jz	short loc_859235
		test	ebx, ebx
		jnz	short loc_859235
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_859235:				; CODE XREF: _CmGetInstallerClassCompoundFilters+A7j
					; _CmGetInstallerClassCompoundFilters+ABj
		cmp	[ebp+var_8], 0
		jnz	loc_906DEF

loc_85923F:				; CODE XREF: _CmGetInstallerClassCompoundFilters+ADC77j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_859248:				; CODE XREF: _CmGetInstallerClassCompoundFilters+21j
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_CompoundUpperFilters ; void	*
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		mov	[ebp+var_C], offset _DEVPKEY_DeviceClass_UpperFilters
		test	eax, eax
		jz	loc_8591AE
		jmp	loc_8591A7
; 

loc_85926C:				; CODE XREF: _CmGetInstallerClassCompoundFilters+33j
		mov	edx, ebx
		mov	[ebp+var_4], edx
		jmp	loc_8591DB
_CmGetInstallerClassCompoundFilters endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetInstallerClassMappedPropertyFromRegProp(int,void *,int,int,int,int)
_CmGetInstallerClassMappedPropertyFromRegProp proc near
					; CODE XREF: _CmGetInstallerClassCompoundFilters+9Cp
					; _CmGetInstallerClassMappedProperty+ADC99p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00906DFC SIZE 00000125 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_8], edx
		xor	edx, edx
		push	ebx
		push	esi
		mov	[eax], edx
		mov	eax, [ebp+arg_14]
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_4], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], edx
		mov	[eax], edx
		test	edi, edi
		jz	loc_859382
		mov	ecx, [ebp+arg_10]
		mov	eax, ecx
		neg	eax
		mov	[ebp+var_14], ecx
		sbb	eax, eax
		and	edi, eax
		mov	[ebp+arg_C], edi

loc_8592BE:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+10Fj
		mov	ebx, [ebp+arg_4]
		mov	ecx, edx
		mov	[ebp+arg_4], ecx
		mov	eax, [ebx+10h]
		mov	[ebp+arg_10], eax
		mov	eax, offset __CmClassRegPropMap
		mov	edi, [ebp+arg_10]
		mov	[ebp+var_18], eax

loc_8592D7:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+84j
		mov	edx, [eax]
		mov	esi, eax
		mov	[ebp+arg_10], esi
		cmp	edi, [edx+10h]
		jz	short loc_8592FE

loc_8592E3:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+ADB8Cj
		add	ecx, 10h
		xor	esi, esi
		add	eax, 10h
		mov	[ebp+arg_10], esi
		mov	[ebp+arg_4], ecx
		mov	[ebp+var_18], eax
		cmp	ecx, 90h
		jb	short loc_8592D7
		jmp	short loc_859312
; 

loc_8592FE:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+6Bj
		push	10h		; size_t
		push	edx		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_906DFC

loc_859312:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+86j
		mov	edi, [ebp+arg_C]
		mov	ebx, [ebp+var_20]
		test	esi, esi
		jz	loc_906E07
		mov	edx, [esi+8]
		mov	eax, edx
		mov	[ebp+arg_C], edx
		sub	eax, 19h
		jz	short loc_85938A
		dec	eax
		sub	eax, 1
		jz	loc_906EAD
		mov	eax, [ebp+arg_14]
		mov	ecx, [ebp+var_14]
		push	ecx
		push	eax
		mov	[eax], ecx
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		push	edi
		push	eax
		push	edx
		push	[ebp+arg_0]
		mov	edx, [ebp+var_8]
		call	__CmGetInstallerClassRegProp@32	; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	edx, 0C0000023h
		test	esi, esi
		jz	short loc_85936D
		cmp	esi, edx
		jz	short loc_85936D

loc_859364:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+105j
					; _CmGetInstallerClassMappedPropertyFromRegProp+119j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_85936D:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+E8j
					; _CmGetInstallerClassMappedPropertyFromRegProp+ECj
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+arg_8]
		mov	ecx, [ecx+4]
		mov	[eax], ecx
		cmp	ecx, 12h
		jnz	short loc_859364
		jmp	loc_906E11
; 

loc_859382:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+31j
		mov	[ebp+var_14], edx
		jmp	loc_8592BE
; 

loc_85938A:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+B5j
		mov	esi, 0C00000BBh
		jmp	short loc_859364
_CmGetInstallerClassMappedPropertyFromRegProp endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetInstallerClassRegProp(x, x, x, x, x, x, x, x)
__CmGetInstallerClassRegProp@32	proc near ; CODE XREF: _CmGetDeviceRegPropWorker+2A8p
					; _CmGetInstallerClassMappedPropertyFromRegProp+DAp ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_14], 0
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_34], edx
		mov	edx, ecx
		mov	[ebp+var_30], ebx
		mov	ecx, [ebp+arg_10]
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	ebx, [edx+100h]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_20], esi
		mov	esi, [ebp+var_34]
		mov	[ebp+var_38], edx
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], ecx
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_1C], edi
		test	ebx, ebx
		jz	short loc_85940F
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	9
		push	2
		push	esi
		push	edx
		call	ebx
		cmp	eax, 0C0000002h
		jz	short loc_85946B
		cmp	eax, 0C0000120h
		jz	short loc_85946F
		test	eax, eax
		jnz	short loc_859474

loc_85940F:				; CODE XREF: _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)+5Bj
					; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)+DBj
		push	[ebp+var_14]
		mov	edi, [ebp+var_38]
		mov	edx, esi
		push	[ebp+var_18]
		mov	ecx, edi
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		push	[ebp+var_28]
		call	_CmGetInstallerClassRegPropWorker
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_859458
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	9
		push	2
		push	[ebp+var_34]
		push	edi
		call	ebx
		cmp	eax, 0C0000002h
		jz	short loc_859458
		cmp	eax, 0C0000120h
		jz	short loc_85946F
		test	eax, eax
		jnz	short loc_859474

loc_859458:				; CODE XREF: _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)+9Fj
					; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)+B9j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_85946B:				; CODE XREF: _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)+70j
		xor	ebx, ebx
		jmp	short loc_85940F
; 

loc_85946F:				; CODE XREF: _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)+77j
					; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)+C0j
		mov	esi, [ebp+var_30]
		jmp	short loc_859458
; 

loc_859474:				; CODE XREF: _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)+7Bj
					; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)+C4j
		mov	esi, 0C00000E5h
		jmp	short loc_859458
__CmGetInstallerClassRegProp@32	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetInstallerClassRegPropWorker proc near
					; CODE XREF: _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)+96p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= word ptr  1Ch

; FUNCTION CHUNK AT 00906F21 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		mov	[ebp+var_C], ecx
		push	ebx
		push	esi
		mov	esi, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		movzx	eax, [ebp+arg_14]
		push	edi
		test	eax, eax
		jnz	loc_906F21
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	loc_906F49
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	loc_906F49
		mov	ebx, [eax]
		mov	[ebp+var_18], ebx
		test	ebx, ebx
		jz	loc_859671
		mov	ecx, [ebp+arg_C]
		mov	dword ptr [ebp+arg_14],	ecx
		test	ecx, ecx
		jz	loc_906F21
		mov	ecx, [ebp+var_C]

loc_8594DA:				; CODE XREF: _CmGetInstallerClassRegPropWorker+1F8j
		and	[eax], esi
		and	[edi], esi
		mov	edi, [ebp+arg_4]
		lea	eax, [edi-1]
		cmp	eax, 24h
		ja	loc_906F3F
		cmp	edi, 25h
		ja	loc_906F3F
		movzx	eax, ds:byte_8596A4[edi]
		jmp	ds:off_85969C[eax*4]

loc_859504:				; DATA XREF: PAGE:008596A0o
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	loc_8595EC

loc_85950F:				; CODE XREF: _CmGetInstallerClassRegPropWorker+189j
		cmp	edi, 8
		jz	short loc_85952B
		cmp	edi, 0Dh
		jz	short loc_85952B
		cmp	edi, 13h
		jg	loc_859639
		cmp	edi, 11h
		jle	loc_859639

loc_85952B:				; CODE XREF: _CmGetInstallerClassRegPropWorker+96j
					; _CmGetInstallerClassRegPropWorker+9Bj
		test	ebx, ebx
		jz	loc_859610

loc_859533:				; CODE XREF: _CmGetInstallerClassRegPropWorker+197j
					; _CmGetInstallerClassRegPropWorker+1E3j
		test	esi, esi
		js	short loc_859581
		mov	edx, edi
		call	__MapCmClassPropertyToRegValue@8 ; _MapCmClassPropertyToRegValue(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_906F2B
		mov	edx, [ebp+var_C]
		mov	eax, [ebp+var_18]
		mov	[ebp+var_10], eax
		mov	eax, [edx+108h]
		test	eax, eax
		jnz	short loc_859560
		mov	eax, offset _PnpRegQueryValueIndirect

loc_859560:				; CODE XREF: _CmGetInstallerClassRegPropWorker+DDj
		push	0
		lea	edi, [ebp+var_10]
		push	edi
		push	dword ptr [ebp+arg_14]
		lea	edi, [ebp+var_14]
		push	edi
		push	ecx
		push	ebx
		push	edx
		call	eax ; _PnpRegQueryValueIndirect
		mov	edi, [ebp+arg_4]
		cmp	eax, 0C0000034h
		jnz	short loc_85959E

loc_85957C:				; CODE XREF: _CmGetInstallerClassRegPropWorker+127j
					; _CmGetInstallerClassRegPropWorker+144j ...
		mov	esi, 0C0000225h

loc_859581:				; CODE XREF: _CmGetInstallerClassRegPropWorker+B9j
					; _CmGetInstallerClassRegPropWorker+16Aj ...
		cmp	[ebp+var_8], 0
		jnz	loc_859664

loc_85958B:				; CODE XREF: _CmGetInstallerClassRegPropWorker+1F0j
		cmp	[ebp+var_4], 0
		jnz	loc_859618

loc_859595:				; CODE XREF: _CmGetInstallerClassRegPropWorker+1A4j
					; _CmGetInstallerClassRegPropWorker+ADAAAj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_85959E:				; CODE XREF: _CmGetInstallerClassRegPropWorker+FEj
		cmp	eax, 0C000017Ch
		jz	short loc_85957C
		mov	ebx, 0C0000023h
		test	eax, eax
		js	loc_859679

loc_8595B2:				; CODE XREF: _CmGetInstallerClassRegPropWorker+1FFj
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_10]
		cmp	edx, 1
		jnz	short loc_8595C2
		cmp	ecx, 2
		jb	short loc_85957C

loc_8595C2:				; CODE XREF: _CmGetInstallerClassRegPropWorker+13Fj
		cmp	edx, 7
		jz	short loc_85962F

loc_8595C7:				; CODE XREF: _CmGetInstallerClassRegPropWorker+1B6j
		cmp	edx, 4
		jz	loc_859688

loc_8595D0:				; CODE XREF: _CmGetInstallerClassRegPropWorker+20Fj
		cmp	ecx, 40h
		ja	short loc_859625

loc_8595D5:				; CODE XREF: _CmGetInstallerClassRegPropWorker+1ACj
		mov	edi, [ebp+arg_10]
		mov	[edi], ecx
		mov	ecx, [ebp+arg_8]
		mov	[ecx], edx
		test	eax, eax
		jnz	short loc_8595E8
		cmp	[ebp+var_18], eax
		jnz	short loc_859581

loc_8595E8:				; CODE XREF: _CmGetInstallerClassRegPropWorker+165j
		mov	esi, ebx
		jmp	short loc_859581
; 

loc_8595EC:				; CODE XREF: _CmGetInstallerClassRegPropWorker+8Dj
		xor	esi, esi
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		push	esi
		push	2000001h
		push	esi
		push	20h
		call	_CmOpenCommonClassRegKey
		mov	esi, eax
		test	esi, esi
		jns	loc_85950F
		jmp	loc_859581
; 

loc_859610:				; CODE XREF: _CmGetInstallerClassRegPropWorker+B1j
		mov	ebx, [ebp+var_4]
		jmp	loc_859533
; 

loc_859618:				; CODE XREF: _CmGetInstallerClassRegPropWorker+113j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_859595
; 

loc_859625:				; CODE XREF: _CmGetInstallerClassRegPropWorker+157j
		cmp	edi, 8
		jnz	short loc_8595D5
		jmp	loc_906F35
; 

loc_85962F:				; CODE XREF: _CmGetInstallerClassRegPropWorker+149j
		cmp	ecx, 2
		jnb	short loc_8595C7
		jmp	loc_85957C
; 

loc_859639:				; CODE XREF: _CmGetInstallerClassRegPropWorker+A0j
					; _CmGetInstallerClassRegPropWorker+A9j
		test	ebx, ebx
		jz	short loc_859696

loc_85963D:				; CODE XREF: _CmGetInstallerClassRegPropWorker+21Dj
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_C]
		push	0
		push	1
		push	0
		call	_PnpOpenPropertiesKey
		mov	esi, eax
		test	esi, esi
		js	loc_85957C
		mov	ebx, [ebp+var_8]
		jmp	loc_859533
; 

loc_859664:				; CODE XREF: _CmGetInstallerClassRegPropWorker+109j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_85958B
; 

loc_859671:				; CODE XREF: _CmGetInstallerClassRegPropWorker+47j
		and	dword ptr [ebp+arg_14],	esi
		jmp	loc_8594DA
; 

loc_859679:				; CODE XREF: _CmGetInstallerClassRegPropWorker+130j
		cmp	eax, ebx
		jz	loc_8595B2
		mov	esi, eax
		jmp	loc_859581
; 

loc_859688:				; CODE XREF: _CmGetInstallerClassRegPropWorker+14Ej
		cmp	ecx, 4
		jz	loc_8595D0
		jmp	loc_85957C
; 

loc_859696:				; CODE XREF: _CmGetInstallerClassRegPropWorker+1BFj
		mov	ebx, [ebp+var_4]
		jmp	short loc_85963D
_CmGetInstallerClassRegPropWorker endp

; 
		align 4
off_85969C	dd offset loc_906F3F	; DATA XREF: _CmGetInstallerClassRegPropWorker+81r
		dd offset loc_859504
byte_8596A4	db 0			; DATA XREF: _CmGetInstallerClassRegPropWorker+7Ar
		align 4
		dd 0
		dd 1, 100h, 1010000h, 0
		dd 1010001h, 1,	0
		db 2 dup(0)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetDeviceCompoundFilters proc near	; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+20Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00913304 SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], edx
		cmp	dword ptr [eax+10h], 16h
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		jz	loc_85978D

loc_8596EF:				; CODE XREF: _CmGetDeviceCompoundFilters+E2j
		mov	[ebp+var_C], offset _DEVPKEY_Device_LowerFilters

loc_8596F6:				; CODE XREF: _CmGetDeviceCompoundFilters+DCj
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jnz	loc_8597B1
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		push	esi
		push	2000001h
		push	esi
		push	10h
		mov	ecx, edi
		call	_CmOpenDeviceRegKey
		test	eax, eax
		js	short loc_859766
		mov	edx, [ebp+var_4]

loc_859720:				; CODE XREF: _CmGetDeviceCompoundFilters+ECj
		mov	ecx, esi
		test	edi, edi
		jz	short loc_859729
		mov	ecx, [edi+74h]

loc_859729:				; CODE XREF: _CmGetDeviceCompoundFilters+5Aj
		lea	eax, [ebp+var_8]
		push	eax
		push	2001Fh
		push	esi
		push	offset ??_C@_1BA@DJLBFCNB@?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@	; "F"
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_913304

loc_859745:				; CODE XREF: _CmGetDeviceCompoundFilters+B9C61j
					; _CmGetDeviceCompoundFilters+B9C6Cj ...
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		push	esi		; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+var_C]	; void *
		push	[ebp+var_4]	; int
		call	_CmGetDeviceMappedPropertyFromRegProp

loc_859762:				; CODE XREF: _CmGetDeviceCompoundFilters+B9C77j
		test	eax, eax
		jns	short loc_859768

loc_859766:				; CODE XREF: _CmGetDeviceCompoundFilters+51j
		mov	esi, eax

loc_859768:				; CODE XREF: _CmGetDeviceCompoundFilters+9Aj
		cmp	[ebp+var_8], 0
		jnz	loc_91334C

loc_859772:				; CODE XREF: _CmGetDeviceCompoundFilters+B9C8Aj
		cmp	[ebp+var_4], 0
		jz	short loc_859784
		test	ebx, ebx
		jnz	short loc_859784
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_859784:				; CODE XREF: _CmGetDeviceCompoundFilters+ACj
					; _CmGetDeviceCompoundFilters+B0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_85978D:				; CODE XREF: _CmGetDeviceCompoundFilters+1Fj
		push	10h		; size_t
		push	offset _DEVPKEY_Device_CompoundUpperFilters ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		mov	[ebp+var_C], offset _DEVPKEY_Device_UpperFilters
		test	eax, eax
		jz	loc_8596F6
		jmp	loc_8596EF
; 

loc_8597B1:				; CODE XREF: _CmGetDeviceCompoundFilters+31j
		mov	edx, ebx
		mov	[ebp+var_4], edx
		jmp	loc_859720
_CmGetDeviceCompoundFilters endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiUEventNotifyDeviceInterfaceChange(x)
_PiUEventNotifyDeviceInterfaceChange@4 proc near
					; CODE XREF: PiUEventProcessNotifyEventEntry(x):loc_845289p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	edi, edi
		push	10h		; size_t
		push	offset _GUID_DEVICE_INTERFACE_ARRIVAL ;	void *
		mov	[ebp+var_8], ebx
		lea	esi, [ebx+2Ch]
		mov	[ebp+var_C], edi
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_85987E

loc_8597EC:				; CODE XREF: PiUEventNotifyDeviceInterfaceChange(x)+D4j
		mov	ecx, offset _PiUEventClientRegistrationListLock
		call	ExAcquireFastMutex
		lea	eax, [ebx+50h]
		mov	ecx, eax
		mov	[ebp+var_10], eax
		call	_PiUEventHashGuidIntoBucket@4 ;	PiUEventHashGuidIntoBucket(x)
		mov	[ebp+var_14], offset unk_6CC6C8
		mov	esi, edi
		lea	eax, _PiUEventDevInterfaceClientList[eax*8]
		mov	[ebp+var_18], eax

loc_859816:				; CODE XREF: PiUEventNotifyDeviceInterfaceChange(x)+ACj
		mov	ebx, [ebp+esi*4+var_18]
		mov	edi, [ebx]
		jmp	short loc_85983D
; 

loc_85981E:				; CODE XREF: PiUEventNotifyDeviceInterfaceChange(x)+A6j
		mov	eax, [ebp+var_4]

loc_859821:				; CODE XREF: PiUEventNotifyDeviceInterfaceChange(x)+8Fj
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		call	PiUEventApplyAdditionalFilters
		test	al, al
		jz	short loc_85983D
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		call	PiUEventNotifyClient
		mov	[ebp+var_C], eax

loc_85983D:				; CODE XREF: PiUEventNotifyDeviceInterfaceChange(x)+60j
					; PiUEventNotifyDeviceInterfaceChange(x)+71j ...
		cmp	edi, ebx
		jz	short loc_859864
		mov	eax, edi
		mov	edi, [edi]
		mov	[ebp+var_4], eax
		cmp	esi, 1
		jnb	short loc_859821
		push	10h		; size_t
		add	eax, 0Ch
		push	eax		; void *
		push	[ebp+var_10]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_85983D
		jmp	short loc_85981E
; 

loc_859864:				; CODE XREF: PiUEventNotifyDeviceInterfaceChange(x)+83j
		inc	esi
		cmp	esi, 2
		jb	short loc_859816
		mov	ecx, offset _PiUEventClientRegistrationListLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	edi, [ebp+var_C]

loc_859877:				; CODE XREF: PiUEventNotifyDeviceInterfaceChange(x)+DAj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85987E:				; CODE XREF: PiUEventNotifyDeviceInterfaceChange(x)+2Aj
		push	10h		; size_t
		push	(offset	loc_407DCD+3) ;	void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8597EC
		jmp	short loc_859877
_PiUEventNotifyDeviceInterfaceChange@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 980. IoSetDeviceInterfaceState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetDeviceInterfaceState(x, x)
		public _IoSetDeviceInterfaceState@8
_IoSetDeviceInterfaceState@8 proc near	; CODE XREF: PiSwDeviceInterfaceSetState(x,x,x)+85p
					; PiSwDeviceInterfacesUpdateState+6Cp ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _PnpRegistryDeviceResource
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	bl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	dl, bl
		push	1
		call	IopProcessSetInterfaceState
		mov	ecx, edi
		mov	esi, eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		js	short loc_8598F4

loc_8598EA:				; CODE XREF: IoSetDeviceInterfaceState(x,x)+5Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_8598F4:				; CODE XREF: IoSetDeviceInterfaceState(x,x)+4Aj
		movzx	ecx, bl
		neg	ecx
		sbb	ecx, ecx
		and	esi, ecx
		jmp	short loc_8598EA
_IoSetDeviceInterfaceState@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopProcessSetInterfaceState proc near	; CODE XREF: IoSetDeviceInterfaceState(x,x)+2Ep
					; IopDoDeferredSetInterfaceState(x)+50p

var_6C		= byte ptr -6Ch
var_6B		= byte ptr -6Bh
var_6A		= byte ptr -6Ah
var_69		= byte ptr -69h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 009277C7 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+78h+var_6B], dl
		mov	edx, ecx
		mov	[esp+78h+var_5C], edx
		xor	eax, eax
		lea	edi, [esp+78h+var_14]
		stosd
		xor	ecx, ecx
		mov	ebx, ecx
		mov	[esp+78h+var_50], ecx
		mov	[esp+78h+var_58], ecx
		mov	[esp+78h+var_64], ecx
		stosd
		mov	[esp+78h+var_34], ecx
		mov	[esp+78h+var_30], ecx
		mov	[esp+78h+var_48], ecx
		stosd
		mov	[esp+78h+var_44], ecx
		push	6
		pop	ecx
		stosd
		xor	eax, eax
		lea	edi, [esp+78h+var_2C]
		rep stosd
		xor	ecx, ecx
		mov	[esp+78h+var_60], ebx
		mov	[esp+78h+var_54], ecx
		mov	edi, ecx
		mov	[esp+78h+var_4C], ecx
		mov	[esp+78h+var_40], ecx
		mov	[esp+78h+var_68], edi
		mov	[esp+78h+var_69], al
		mov	[esp+78h+var_6A], cl
		mov	[esp+78h+var_3C], ecx
		mov	[esp+78h+var_38], ecx
		test	edx, edx
		jz	loc_92780B
		cmp	[edx+4], ecx
		jz	loc_92780B
		cmp	[edx], cx
		jz	loc_92780B
		push	edx
		xor	edx, edx
		lea	ecx, [esp+7Ch+var_68]
		call	PnpUnicodeStringToWstr
		mov	esi, eax
		test	esi, esi
		js	loc_859C30
		mov	edi, [esp+78h+var_68]
		lea	eax, [esp+78h+var_14]
		push	eax
		mov	edx, edi
		call	__CmGetDeviceInterfaceClassGuid@12 ; _CmGetDeviceInterfaceClassGuid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_859C30
		mov	ecx, [esp+78h+var_5C]
		lea	edx, [esp+78h+var_48]
		call	IopBuildGlobalSymbolicLinkString
		mov	esi, eax
		test	esi, esi
		js	loc_859C30
		push	20207050h
		mov	esi, 190h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+78h+var_50], eax
		test	eax, eax
		jz	loc_9277C7
		xor	edx, edx
		lea	ecx, [esp+78h+var_40]
		push	edx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	eax
		lea	eax, [esp+88h+var_4C]
		push	eax
		push	offset _DEVPKEY_Device_InstanceId
		push	edx
		push	edx
		push	3
		mov	edx, edi
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jz	loc_9277E0
		test	esi, esi
		js	loc_859C30
		cmp	[esp+78h+var_4C], 12h
		jnz	loc_9277E0
		mov	eax, [esp+78h+var_50]
		push	eax
		lea	eax, [esp+7Ch+var_3C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_859C30
		mov	edx, 49706E50h
		lea	ecx, [esp+78h+var_3C]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	edx, eax
		mov	[esp+78h+var_54], edx
		test	edx, edx
		jz	loc_9277D1
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]
		mov	al, [esp+78h+var_6B]

loc_859A87:				; CODE XREF: IopProcessSetInterfaceState+CDEDBj
		test	al, al
		jz	short loc_859A98
		call	_PipCanEnableInterfaces@4 ; PipCanEnableInterfaces(x)
		test	al, al
		jz	loc_9277E0

loc_859A98:				; CODE XREF: IopProcessSetInterfaceState+189j
		cmp	[ebp+arg_0], bl
		jz	short loc_859AC7
		test	ecx, ecx
		jz	short loc_859AC7
		mov	eax, [edx+0B0h]
		test	byte ptr [eax+10h], 10h
		jz	short loc_859AC7
		mov	edx, [esp+78h+var_5C]
		cmp	[esp+78h+var_6B], bl
		jz	loc_859CA9
		call	PiDeferSetInterfaceState
		mov	esi, eax
		jmp	loc_859C30
; 

loc_859AC7:				; CODE XREF: IopProcessSetInterfaceState+19Bj
					; IopProcessSetInterfaceState+19Fj ...
		cmp	[esp+78h+var_6B], bl
		jz	loc_859CB0
		mov	[esp+78h+var_64], 200h

loc_859AD9:				; CODE XREF: IopProcessSetInterfaceState+21Ej
		mov	eax, [esp+78h+var_58]
		test	eax, eax
		jnz	loc_9277EA

loc_859AE5:				; CODE XREF: IopProcessSetInterfaceState+CDEF2j
		push	20207050h
		push	[esp+7Ch+var_64]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+78h+var_58], eax
		test	eax, eax
		jz	loc_9277F7
		lea	ecx, [esp+78h+var_64]
		push	ecx
		push	eax
		push	[esp+80h+var_64]
		push	0Bh
		push	[esp+88h+var_54]
		call	IoGetDeviceProperty
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_859AD9
		mov	eax, [esp+78h+var_58]

loc_859B24:				; CODE XREF: IopProcessSetInterfaceState+CDEFCj
		test	esi, esi
		js	loc_859C30
		cmp	[esp+78h+var_64], ebx
		jz	loc_859C30
		push	eax
		lea	eax, [esp+7Ch+var_34]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+78h+var_60]
		mov	edx, edi
		push	eax
		push	3
		pop	ecx
		call	PiDmAddCacheReferenceForObject
		mov	esi, eax
		test	esi, esi
		js	loc_859D13
		mov	ebx, [esp+78h+var_60]
		mov	ecx, ebx
		call	_KsepCacheLock@4 ; KsepCacheLock(x)
		test	byte ptr [ebx+18h], 1
		jz	loc_927801
		lea	edi, [ebx+1Ch]
		xor	ecx, ecx
		cmp	[edi], ecx
		jnz	loc_859CFA
		lea	eax, [esp+78h+var_48]
		mov	[esp+78h+var_2C], 18h
		mov	[esp+78h+var_24], eax
		mov	eax, ds:_SePublicDefaultUnrestrictedSd
		mov	[esp+78h+var_1C], eax
		lea	eax, [esp+78h+var_2C]
		push	eax
		push	0F0001h
		push	edi
		mov	[esp+84h+var_28], ecx
		mov	[esp+84h+var_20], 240h
		mov	[esp+84h+var_18], ecx
		call	_ZwOpenSymbolicLinkObject@12 ; ZwOpenSymbolicLinkObject(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_859BD6
		lea	eax, [esp+78h+var_34]
		push	eax
		lea	eax, [esp+7Ch+var_2C]
		push	eax
		push	0F0001h
		push	edi
		call	_ZwCreateSymbolicLinkObject@16 ; ZwCreateSymbolicLinkObject(x,x,x,x)
		mov	esi, eax

loc_859BD6:				; CODE XREF: IopProcessSetInterfaceState+2BDj
		test	esi, esi
		js	short loc_859BDF
		mov	[esp+78h+var_69], 1

loc_859BDF:				; CODE XREF: IopProcessSetInterfaceState+2D8j
					; IopProcessSetInterfaceState+404j
		mov	edi, [esp+78h+var_68]

loc_859BE3:				; CODE XREF: IopProcessSetInterfaceState+3EBj
					; IopProcessSetInterfaceState+40Ej
		mov	ecx, ebx
		call	_PiDmObjectReleaseLock@4 ; PiDmObjectReleaseLock(x)
		mov	edx, [esp+78h+var_5C]
		mov	al, [esp+78h+var_69]

loc_859BF2:				; CODE XREF: IopProcessSetInterfaceState+CDF10j
		test	al, al
		jz	short loc_859C29
		cmp	[esp+78h+var_6B], 0
		mov	ecx, offset _GUID_DEVICE_INTERFACE_ARRIVAL
		jz	loc_859CF0

loc_859C06:				; CODE XREF: IopProcessSetInterfaceState+3F5j
		push	edx
		lea	edx, [esp+7Ch+var_14]
		call	PnpSetDeviceClassChange
		push	ds:off_404754
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	0
		push	0
		push	3
		call	_PnpObjectRaisePropertyChangeEvent

loc_859C29:				; CODE XREF: IopProcessSetInterfaceState+2F4j
		cmp	[esp+78h+var_6A], 0
		jnz	short loc_859C9C

loc_859C30:				; CODE XREF: IopProcessSetInterfaceState+AAj
					; IopProcessSetInterfaceState+C4j ...
		lea	eax, [esp+78h+var_48]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	edx, [esp+78h+var_5C]
		mov	ecx, [esp+78h+var_68]
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		mov	eax, [esp+78h+var_54]
		test	eax, eax
		jz	short loc_859C5B
		mov	edx, 49706E50h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_859C5B:				; CODE XREF: IopProcessSetInterfaceState+34Dj
		mov	eax, [esp+78h+var_58]
		test	eax, eax
		jz	short loc_859C6B
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_859C6B:				; CODE XREF: IopProcessSetInterfaceState+361j
		mov	eax, [esp+78h+var_50]
		test	eax, eax
		jz	short loc_859C7B
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_859C7B:				; CODE XREF: IopProcessSetInterfaceState+371j
		test	ebx, ebx
		jz	short loc_859C86
		mov	ecx, ebx
		call	PiDmObjectRelease

loc_859C86:				; CODE XREF: IopProcessSetInterfaceState+37Dj
		mov	ecx, [esp+78h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_859C9C:				; CODE XREF: IopProcessSetInterfaceState+32Ej
		push	ecx
		push	3
		mov	edx, edi
		pop	ecx
		call	PiDmRemoveCacheReferenceForObject
		jmp	short loc_859C30
; 

loc_859CA9:				; CODE XREF: IopProcessSetInterfaceState+1B5j
		call	PiRemoveDeferredSetInterfaceState
		jmp	short loc_859C30
; 

loc_859CB0:				; CODE XREF: IopProcessSetInterfaceState+1CBj
		lea	eax, [esp+78h+var_60]
		mov	edx, edi
		push	eax
		push	3
		pop	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_859D13
		mov	ebx, [esp+78h+var_60]
		mov	ecx, ebx
		call	_KsepCacheLock@4 ; KsepCacheLock(x)
		mov	eax, [ebx+1Ch]
		test	eax, eax
		jz	short loc_859D09
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [ebx+1Ch], 0
		mov	[esp+78h+var_6A], 1
		mov	[esp+78h+var_69], 1
		jmp	loc_859BE3
; 

loc_859CF0:				; CODE XREF: IopProcessSetInterfaceState+300j
		mov	ecx, (offset loc_407DCD+3)
		jmp	loc_859C06
; 

loc_859CFA:				; CODE XREF: IopProcessSetInterfaceState+276j
		mov	[esp+78h+var_6A], 1
		mov	esi, 40000000h
		jmp	loc_859BDF
; 

loc_859D09:				; CODE XREF: IopProcessSetInterfaceState+3D5j
					; IopProcessSetInterfaceState+CDF06j
		mov	esi, 0C0000034h
		jmp	loc_859BE3
; 

loc_859D13:				; CODE XREF: IopProcessSetInterfaceState+254j
					; IopProcessSetInterfaceState+3C3j
		mov	ebx, [esp+78h+var_60]
		jmp	loc_859C30
IopProcessSetInterfaceState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopBuildGlobalSymbolicLinkString proc near ; CODE XREF:	IopProcessSetInterfaceState+D2p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00927815 SIZE 00000054 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	eax, ecx
		mov	ebx, edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], eax
		and	[ebp+var_8], edi
		lea	ecx, [ebp+var_8]
		push	eax
		xor	edx, edx
		call	PnpUnicodeStringToWstr
		mov	esi, eax
		test	esi, esi
		js	loc_859DCE
		push	20207050h
		push	400h
		mov	esi, 200h
		push	1
		mov	[ebp+var_4], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_927815
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	edi
		call	__CmGetDeviceInterfaceSymbolicLinkName@20 ; _CmGetDeviceInterfaceSymbolicLinkName(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_92781F

loc_859D87:				; CODE XREF: IopBuildGlobalSymbolicLinkString+CDB34j
		test	esi, esi
		js	loc_927855
		mov	eax, [ebp+var_4]
		lea	eax, ds:14h[eax*2]
		cmp	eax, 0FFFFh
		ja	short loc_859DF4
		movzx	edx, ax
		mov	ecx, ebx
		call	IopAllocateUnicodeString
		mov	esi, eax
		test	esi, esi
		js	short loc_859DCE
		push	offset ??_C@_1BG@KEFMGHOI@?$AA?2?$AAG?$AAL?$AAO?$AAB?$AAA?$AAL?$AA?$DP?$AA?$DP?$AA?2@NNGAKEGL@ ; "\\"
		push	ebx		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_859DEC
		push	edi		; void *
		push	ebx		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_859DEC

loc_859DCE:				; CODE XREF: IopBuildGlobalSymbolicLinkString+26j
					; IopBuildGlobalSymbolicLinkString+92j	...
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		test	edi, edi
		jz	short loc_859DE5
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_859DE5:				; CODE XREF: IopBuildGlobalSymbolicLinkString+BFj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_859DEC:				; CODE XREF: IopBuildGlobalSymbolicLinkString+A3j
					; IopBuildGlobalSymbolicLinkString+B0j
		push	ebx
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	short loc_859DCE
; 

loc_859DF4:				; CODE XREF: IopBuildGlobalSymbolicLinkString+82j
		mov	esi, 0C0000095h
		jmp	short loc_859DCE
IopBuildGlobalSymbolicLinkString endp

; 
		align 4

;  S U B	R O U T	I N E 


IopAllocateUnicodeString proc near	; CODE XREF: IopBuildGlobalSymbolicLinkString+89p
					; PnpConcatenateUnicodeStrings(x,x,x)+Bp ...

; FUNCTION CHUNK AT 00927869 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		push	esi
		push	edi
		xor	ecx, ecx
		lea	edi, [ebx+2]
		mov	[ebx], cx
		push	edi
		push	2
		pop	edx
		mov	ecx, eax
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_859E39
		movzx	ecx, word ptr [edi]
		push	75737050h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+4], eax
		test	eax, eax
		jz	loc_927869

loc_859E39:				; CODE XREF: IopAllocateUnicodeString+20j
					; IopAllocateUnicodeString+CDA77j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
IopAllocateUnicodeString endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDeviceInterfaceSymbolicLinkName(x, x,	x, x, x)
__CmGetDeviceInterfaceSymbolicLinkName@20 proc near
					; CODE XREF: IopBuildGlobalSymbolicLinkString+58p
					; IopBuildGlobalSymbolicLinkString+CDB2Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	esi, edx
		call	__CmValidateDeviceInterfaceName@8 ; _CmValidateDeviceInterfaceName(x,x)
		test	eax, eax
		js	short loc_859EA5
		add	esi, 8
		push	5Ch		; wchar_t
		push	esi		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		mov	ecx, eax
		xor	edi, edi
		test	ecx, ecx
		jnz	short loc_859EAC
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_859E6D:				; CODE XREF: _CmGetDeviceInterfaceSymbolicLinkName(x,x,x,x,x)+36j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_859E6D
		sub	ecx, edx

loc_859E7A:				; CODE XREF: _CmGetDeviceInterfaceSymbolicLinkName(x,x,x,x,x)+6Ej
		sar	ecx, 1
		cmp	ecx, 27h
		jbe	short loc_859EB0
		mov	edx, [ebp+arg_8]
		lea	eax, [ecx+1]
		test	edx, edx
		jz	short loc_859E8D
		mov	[edx], eax

loc_859E8D:				; CODE XREF: _CmGetDeviceInterfaceSymbolicLinkName(x,x,x,x,x)+49j
		mov	edx, [ebp+arg_4]
		cmp	eax, edx
		ja	short loc_859EB7
		push	800h
		push	edi
		push	edi
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	esi
		call	RtlStringCchCopyNExW

loc_859EA5:				; CODE XREF: _CmGetDeviceInterfaceSymbolicLinkName(x,x,x,x,x)+11j
					; _CmGetDeviceInterfaceSymbolicLinkName(x,x,x,x,x)+75j	...
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	0Ch
; 

loc_859EAC:				; CODE XREF: _CmGetDeviceInterfaceSymbolicLinkName(x,x,x,x,x)+26j
		sub	ecx, esi
		jmp	short loc_859E7A
; 

loc_859EB0:				; CODE XREF: _CmGetDeviceInterfaceSymbolicLinkName(x,x,x,x,x)+3Fj
		mov	eax, 0C0000033h
		jmp	short loc_859EA5
; 

loc_859EB7:				; CODE XREF: _CmGetDeviceInterfaceSymbolicLinkName(x,x,x,x,x)+52j
		mov	eax, 0C0000023h
		jmp	short loc_859EA5
__CmGetDeviceInterfaceSymbolicLinkName@20 endp


;  S U B	R O U T	I N E 


; __stdcall PipCanEnableInterfaces(x)
_PipCanEnableInterfaces@4 proc near	; CODE XREF: IopProcessSetInterfaceState+18Bp
		mov	eax, [ecx+0ACh]
		add	eax, 0FFFFFCFFh
		cmp	eax, 13h
		ja	short loc_859EDF
		movzx	eax, ds:byte_859EEA[eax]
		jmp	ds:off_859EE2[eax*4]

loc_859EDC:				; DATA XREF: PAGE:00859EE6o
		mov	al, 1
		retn
; 

loc_859EDF:				; CODE XREF: PipCanEnableInterfaces(x)+Ej
					; PipCanEnableInterfaces(x)+17j
					; DATA XREF: ...
		xor	al, al
		retn
_PipCanEnableInterfaces@4 endp

; 
off_859EE2	dd offset loc_859EDF	; DATA XREF: PipCanEnableInterfaces(x)+17r
		dd offset loc_859EDC
byte_859EEA	db 0			; DATA XREF: PipCanEnableInterfaces(x)+10r
		db 1
		dd 2 dup(1010101h), 10101h, 100h
		db 2 dup(0)

;  S U B	R O U T	I N E 


; __stdcall PiDmObjectReleaseLock(x)
_PiDmObjectReleaseLock@4 proc near	; CODE XREF: IopProcessSetInterfaceState+2E5p
					; PiPnpRtlCmActionCallback+115B86p
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_PiDmObjectReleaseLock@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KsepCacheLock(x)
_KsepCacheLock@4 proc near		; CODE XREF: IopProcessSetInterfaceState+260p
					; IopProcessSetInterfaceState+3CBp ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_KsepCacheLock@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpObjectRaisePropertyChangeEvent proc	near ; CODE XREF: IopProcessSetInterfaceState+324p
					; _PnpRaiseNtPlugPlayDevicePropertyChangeEvent+3Cp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00927878 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, [ecx+0FCh]
		test	esi, esi
		jz	short loc_859F52
		mov	eax, [ebp+arg_0]
		sub	eax, 1
		jnz	short loc_859F57
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_PnpDeviceRaisePropertyChangeEventWorker

loc_859F52:				; CODE XREF: _PnpObjectRaisePropertyChangeEvent+11j
					; _PnpObjectRaisePropertyChangeEvent+4Cj ...
		pop	esi
		leave
		retn	10h
; 

loc_859F57:				; CODE XREF: _PnpObjectRaisePropertyChangeEvent+19j
		sub	eax, 1
		jz	loc_92788C
		sub	eax, 1
		jnz	short loc_859F76
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	__PnpInterfaceRaisePropertyChangeEventWorker@24	; _PnpInterfaceRaisePropertyChangeEventWorker(x,x,x,x,x,x)
		jmp	short loc_859F52
; 

loc_859F76:				; CODE XREF: _PnpObjectRaisePropertyChangeEvent+3Bj
		sub	eax, 1
		jz	loc_927878
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	4
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	esi
		jmp	short loc_859F52
_PnpObjectRaisePropertyChangeEvent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpInterfaceRaisePropertyChangeEventWorker(x, x, x, x, x, x)
__PnpInterfaceRaisePropertyChangeEventWorker@24	proc near
					; CODE XREF: _PnpObjectRaisePropertyChangeEvent+47p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_C], eax
		mov	edi, edx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	4
		push	3
		push	edi
		push	ebx
		mov	[ebp+var_4], esi
		call	[ebp+arg_C]
		push	[ebp+arg_C]
		lea	eax, [ebp+var_C]
		mov	edx, edi
		push	eax
		push	2
		push	offset off_401AF8
		push	esi
		push	3
		mov	ecx, ebx
		call	__PnpNotifyDerivedKeys@32 ; _PnpNotifyDerivedKeys(x,x,x,x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
__PnpInterfaceRaisePropertyChangeEventWorker@24	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpNotifyDerivedKeys(x, x,	x, x, x, x, x, x)
__PnpNotifyDerivedKeys@32 proc near	; CODE XREF: _PnpInterfaceRaisePropertyChangeEventWorker(x,x,x,x,x,x)+43p
					; _PnpDeviceRaisePropertyChangeEventWorker+C0p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], ecx
		test	edi, edi
		jz	short loc_85A065
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		add	esi, 8

loc_85A00E:				; CODE XREF: _PnpNotifyDerivedKeys(x,x,x,x,x,x,x,x)+71j
		mov	eax, [esi-4]
		xor	ebx, ebx
		mov	[ebp+arg_C], eax
		test	eax, eax
		jz	short loc_85A05B
		mov	edx, [ebp+arg_4]
		mov	ecx, [esi-8]
		mov	[ebp+var_4], ecx
		mov	eax, [edx+10h]
		mov	[ebp+arg_8], eax
		mov	eax, [ebp+arg_C]

loc_85A02C:				; CODE XREF: _PnpNotifyDerivedKeys(x,x,x,x,x,x,x,x)+52j
		mov	ecx, [ecx+ebx*4]
		mov	edx, [ebp+arg_8]
		cmp	edx, [ecx+10h]
		mov	edx, [ebp+arg_4]
		jz	short loc_85A06A

loc_85A03A:				; CODE XREF: _PnpNotifyDerivedKeys(x,x,x,x,x,x,x,x)+8Dj
		inc	ebx
		cmp	ebx, eax
		jnb	short loc_85A05B
		mov	ecx, [ebp+var_4]
		jmp	short loc_85A02C
; 

loc_85A044:				; CODE XREF: _PnpNotifyDerivedKeys(x,x,x,x,x,x,x,x)+88j
		mov	ecx, [ebp+arg_10]
		mov	eax, [esi]
		push	ecx
		push	4
		push	[ebp+arg_0]
		mov	[ecx+8], eax
		push	[ebp+var_8]
		push	[ebp+var_C]
		call	[ebp+arg_14]

loc_85A05B:				; CODE XREF: _PnpNotifyDerivedKeys(x,x,x,x,x,x,x,x)+28j
					; _PnpNotifyDerivedKeys(x,x,x,x,x,x,x,x)+4Dj
		add	esi, 0Ch
		sub	edi, 1
		jnz	short loc_85A00E
		pop	esi
		pop	ebx

loc_85A065:				; CODE XREF: _PnpNotifyDerivedKeys(x,x,x,x,x,x,x,x)+14j
		pop	edi
		leave
		retn	18h
; 

loc_85A06A:				; CODE XREF: _PnpNotifyDerivedKeys(x,x,x,x,x,x,x,x)+48j
		push	10h		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_85A044
		mov	eax, [ebp+arg_C]
		jmp	short loc_85A03A
__PnpNotifyDerivedKeys@32 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlObjectEventCallback(x, x, x, x, x)
_PiPnpRtlObjectEventCallback@20	proc near ; DATA XREF: PiPnpRtlInit+12Fo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	PiPnpRtlObjectEventWorker
		pop	ebp
		retn	14h
_PiPnpRtlObjectEventCallback@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPnpRtlObjectEventWorker proc near	; CODE XREF: PiPnpRtlObjectEventCallback(x,x,x,x,x)+13p
					; PiDqIrpPropertySet+8BE9Bp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_25		= dword	ptr -25h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009278A0 SIZE 0000026C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		mov	esi, edx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], eax
		mov	[ebp+var_25+1],	eax
		mov	byte ptr [ebp+var_25], al
		push	edi
		mov	edi, ecx
		cmp	esi, 7
		jge	loc_85A26C
		mov	esi, [ebp+arg_0]
		cmp	esi, 1
		jz	loc_927AC6
		lea	ecx, [ebp+var_30]
		call	PiPnpRtlBeginOperation
		test	eax, eax
		js	loc_927A5E
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiPnpRtlRemoveOperationDispatchLock
		call	ExAcquireResourceSharedLite
		mov	edx, [ebp+var_38]
		lea	eax, [ebp+var_25+1]
		push	eax
		push	[ebp+var_30]
		mov	ecx, edi
		call	PiPnpRtlObjectEventCreate
		mov	ecx, offset _PiPnpRtlRemoveOperationDispatchLock
		mov	[ebp+var_34], eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[ebp+var_34], 0
		jl	loc_927A5E
		mov	ecx, [ebp+var_25+1]
		test	ecx, ecx
		jz	loc_85A256
		dec	esi
		sub	esi, 1
		jz	loc_927A55
		sub	esi, 1
		jz	loc_927910
		sub	esi, 1
		jnz	loc_85A30A
		lea	eax, [ebp+var_25]
		mov	edx, edi
		push	eax		; int
		push	dword ptr [ebx+8] ; void *
		push	dword ptr [ebx+4] ; int
		push	dword ptr [ecx+8] ; int
		mov	ecx, [ebp+var_38]
		call	PiDmObjectProcessPropertyChange
		cmp	byte ptr [ebp+var_25], 0
		jnz	loc_85A253
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiPnpRtlRemoveOperationDispatchLock
		call	ExAcquireResourceSharedLite
		mov	ebx, [ebp+var_25+1]
		xor	edx, edx
		cmp	[ebx+20h], edx
		jnz	loc_85A23D
		lea	edi, [ebp+var_20]
		mov	eax, [ebp+var_3C]
		push	5
		pop	ecx
		mov	[ebp+var_2C], edx
		mov	esi, [eax+8]
		rep movsd
		mov	ecx, [ebp+arg_8]
		mov	edi, [eax+4]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edi
		cmp	[ebx+2Ch], edx
		jbe	short loc_85A1EB
		mov	esi, edx
		mov	eax, edx
		mov	edx, [ebp+var_10]

loc_85A1D5:				; CODE XREF: PiPnpRtlObjectEventWorker+14Dj
		cmp	edx, [esi+ebx+40h]
		jz	loc_85A27D

loc_85A1DF:				; CODE XREF: PiPnpRtlObjectEventWorker+202j
		inc	eax
		add	esi, 1Ch
		mov	[ebp+var_2C], eax
		cmp	eax, [ebx+2Ch]
		jb	short loc_85A1D5

loc_85A1EB:				; CODE XREF: PiPnpRtlObjectEventWorker+130j
		cmp	ecx, 1
		jz	loc_9278CC

loc_85A1F4:				; CODE XREF: PiPnpRtlObjectEventWorker+CD835j
					; PiPnpRtlObjectEventWorker+CD863j
		mov	eax, [ebx+28h]
		mov	edi, 41706E50h
		cmp	[ebx+2Ch], eax
		jz	loc_85A2B6

loc_85A205:				; CODE XREF: PiPnpRtlObjectEventWorker+269j
		mov	ecx, [ebp+var_3C]
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		mov	edx, 7FFFFFFFh
		mov	ecx, [ecx+4]
		call	PnpAllocatePWSTR
		mov	ebx, eax
		mov	[ebp+var_34], ebx
		test	ebx, ebx
		js	short loc_85A23D
		mov	edx, [ebp+var_25+1]
		lea	esi, [ebp+var_20]
		push	7
		pop	ecx
		imul	eax, [edx+2Ch],	1Ch
		lea	edi, [edx+30h]
		add	edi, eax
		rep movsd
		mov	eax, [ebp+var_25+1]
		inc	dword ptr [eax+2Ch]

loc_85A23D:				; CODE XREF: PiPnpRtlObjectEventWorker+10Aj
					; PiPnpRtlObjectEventWorker+185j ...
		mov	ecx, offset _PiPnpRtlRemoveOperationDispatchLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_85A253:				; CODE XREF: PiPnpRtlObjectEventWorker+E2j
					; PiPnpRtlObjectEventWorker+27Bj ...
		mov	ecx, [ebp+var_25+1]

loc_85A256:				; CODE XREF: PiPnpRtlObjectEventWorker+A5j
					; PiPnpRtlObjectEventWorker+271j ...
		cmp	[ebp+var_34], 0
		jl	loc_927A61

loc_85A260:				; CODE XREF: PiPnpRtlObjectEventWorker+CDA34j
					; PiPnpRtlObjectEventWorker+CDA41j
		mov	ecx, [ebp+var_30]
		test	ecx, ecx
		jz	short loc_85A26C
		call	PiPnpRtlEndOperation

loc_85A26C:				; CODE XREF: PiPnpRtlObjectEventWorker+30j
					; PiPnpRtlObjectEventWorker+1C9j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_85A27D:				; CODE XREF: PiPnpRtlObjectEventWorker+13Dj
		lea	eax, [ebx+30h]
		add	eax, esi
		push	10h		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_20]
		push	eax		; void *
		call	_memcmp
		mov	ecx, [ebp+arg_8]
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_85A2A3

loc_85A298:				; CODE XREF: PiPnpRtlObjectEventWorker+20Bj
					; PiPnpRtlObjectEventWorker+CD806j ...
		mov	eax, [ebp+var_2C]
		mov	edx, [ebp+var_10]
		jmp	loc_85A1DF
; 

loc_85A2A3:				; CODE XREF: PiPnpRtlObjectEventWorker+1FAj
		cmp	ecx, [esi+ebx+44h]
		jnz	short loc_85A298
		mov	eax, [esi+ebx+48h]
		cmp	edi, eax
		jz	short loc_85A23D
		jmp	loc_9278A0
; 

loc_85A2B6:				; CODE XREF: PiPnpRtlObjectEventWorker+163j
		imul	eax, 38h
		push	edi
		add	eax, 30h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_927904
		mov	ecx, [ebp+var_25+1]
		imul	eax, [ecx+2Ch],	1Ch
		add	eax, 30h
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		shl	dword ptr [esi+28h], 1
		lea	eax, [ebp+var_25+1]
		add	esp, 0Ch
		push	eax
		mov	eax, [ebp+var_30]
		add	eax, 0Ch
		push	eax
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		push	edi
		mov	[eax], esi
		push	[ebp+var_25+1]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_25+1],	esi
		jmp	loc_85A205
; 

loc_85A30A:				; CODE XREF: PiPnpRtlObjectEventWorker+C1j
		sub	esi, 1
		jnz	loc_85A256
		or	dword ptr [ecx+4], 8
		jmp	loc_85A253
PiPnpRtlObjectEventWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDmObjectProcessPropertyChange(int,int,void *,int)
PiDmObjectProcessPropertyChange	proc near ; CODE XREF: PiPnpRtlObjectEventWorker+D9p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00927B0C SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, [ebp+arg_C]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_2C], edx
		push	esi
		mov	esi, ebx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1], bl
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], ebx
		mov	[eax], bl
		cmp	[ebp+arg_4], ebx
		jnz	short loc_85A386
		push	edi
		lea	eax, [ebp+var_20]
		push	eax
		lea	edx, [ebp+var_30]
		call	_PiDmGetCacheKeys@12 ; PiDmGetCacheKeys(x,x,x)
		mov	edi, [ebp+var_20]
		test	edi, edi
		jz	short loc_85A385
		mov	eax, [ebp+var_30]
		mov	edx, edi
		push	[ebp+arg_8]	; void *
		mov	ecx, eax
		mov	[ebp+arg_4], eax
		call	_PiDmGetCachedKeyIndex@12 ; PiDmGetCachedKeyIndex(x,x,x)
		mov	[ebp+var_34], eax
		cmp	eax, edi
		jb	short loc_85A38C

loc_85A385:				; CODE XREF: PiDmObjectProcessPropertyChange+4Ej
					; PiDmObjectProcessPropertyChange+209j	...
		pop	edi

loc_85A386:				; CODE XREF: PiDmObjectProcessPropertyChange+3Aj
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_85A38C:				; CODE XREF: PiDmObjectProcessPropertyChange+67j
		cmp	[ebp+arg_0], ebx
		jz	loc_927AE7

loc_85A395:				; CODE XREF: PiPnpRtlObjectEventWorker+CDA6Bj
		mov	edi, eax
		mov	eax, [ebp+arg_4]
		add	edi, edi
		cmp	dword ptr [eax+edi*8+0Ch], 1
		jnz	short loc_85A3DA
		push	10000h
		lea	eax, [ebp+var_24]
		mov	ecx, 5A706E50h
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_8]
		push	ebx
		push	ebx
		push	[ebp+var_28]
		push	[ebp+var_2C]
		push	10h
		pop	edx
		call	PnpGetObjectProperty
		mov	esi, eax
		cmp	esi, 0C0000225h
		jz	loc_927B0C

loc_85A3DA:				; CODE XREF: PiDmObjectProcessPropertyChange+85j
					; PiDmObjectProcessPropertyChange+CD7F8j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		imul	eax, [ebp+var_34], arg_C
		mov	ecx, [ebp+arg_0]
		add	ecx, 40h
		add	eax, ecx
		mov	[ebp+var_20], eax
		mov	eax, [eax]
		test	eax, eax
		jz	loc_927B19
		cmp	eax, 1
		jz	loc_85A530
		test	esi, esi
		js	loc_85A530
		mov	eax, [ebp+arg_4]
		cmp	[eax+edi*8+0Ch], ebx
		jz	loc_85A530
		mov	ecx, [ebp+var_20]
		lea	eax, [ebp+var_1C]
		push	eax
		push	ebx
		push	ebx
		lea	edx, [ebp+var_10]
		call	PiDmCacheDataDecode
		mov	esi, eax
		cmp	esi, 0C0000225h
		jz	loc_85A668
		test	esi, esi
		jns	short loc_85A458
		cmp	esi, 0C0000023h
		jnz	loc_85A530

loc_85A458:				; CODE XREF: PiDmObjectProcessPropertyChange+12Ej
		mov	esi, [ebp+var_1C]
		test	esi, esi
		jz	loc_927B35
		push	5A706E50h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_927B2B

loc_85A47B:				; CODE XREF: PiDmObjectProcessPropertyChange+CD81Bj
		lea	ecx, [ebp+var_1C]
		push	ecx
		mov	ecx, [ebp+var_20]
		lea	edx, [ebp+var_10]
		push	esi
		push	eax
		call	PiDmCacheDataDecode
		mov	esi, eax
		test	esi, esi
		js	loc_85A530
		mov	eax, [ebp+var_10]
		cmp	eax, [ebp+var_8]
		jnz	loc_85A530
		mov	eax, [ebp+var_1C]
		cmp	eax, [ebp+var_24]
		jnz	loc_85A530
		test	eax, eax
		jz	short loc_85A4C5
		push	eax		; size_t
		push	[ebp+var_C]	; void *
		push	[ebp+var_14]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax

loc_85A4C3:				; CODE XREF: PiDmObjectProcessPropertyChange+354j
		jnz	short loc_85A530

loc_85A4C5:				; CODE XREF: PiDmObjectProcessPropertyChange+194j
		mov	eax, [ebp+arg_C]
		mov	byte ptr [eax],	1

loc_85A4CB:				; CODE XREF: PiDmObjectProcessPropertyChange+21Ej
					; PiDmObjectProcessPropertyChange+228j	...
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+arg_4]
		cmp	[eax+edi*8+0Ch], ebx
		jz	short loc_85A4F1
		mov	eax, [ebp+arg_C]
		cmp	[eax], bl
		jz	short loc_85A56D

loc_85A4F1:				; CODE XREF: PiDmObjectProcessPropertyChange+1CCj
					; PiDmObjectProcessPropertyChange+270j	...
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_85A503
		push	5A706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_85A503:				; CODE XREF: PiDmObjectProcessPropertyChange+1DAj
		cmp	[ebp+var_C], 0
		jz	short loc_85A516
		push	5A706E50h
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_85A516:				; CODE XREF: PiDmObjectProcessPropertyChange+1EBj
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jnz	loc_85A650

loc_85A521:				; CODE XREF: PiDmObjectProcessPropertyChange+339j
		cmp	[ebp+var_1], 0
		jz	loc_85A385
		jmp	loc_927B47
; 

loc_85A530:				; CODE XREF: PiDmObjectProcessPropertyChange+F2j
					; PiDmObjectProcessPropertyChange+FAj ...
		mov	ecx, [ebp+var_20]
		call	PiDmCacheDataFree
		test	esi, esi
		js	short loc_85A4CB
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax+edi*8+0Ch], 1
		jnz	short loc_85A4CB
		cmp	[eax+edi*8+8], ebx
		jnz	loc_85A4CB
		push	[ebp+var_20]	; int
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		push	ebx		; int
		push	dword ptr [eax+edi*8+4]	; int
		push	[ebp+var_24]	; size_t
		call	PiDmCacheDataEncode
		mov	esi, eax
		jmp	loc_85A4CB
; 

loc_85A56D:				; CODE XREF: PiDmObjectProcessPropertyChange+1D3j
		mov	edx, [ebp+arg_8]
		mov	edi, ebx
		mov	ecx, [edx+10h]
		mov	[ebp+arg_C], ecx

loc_85A578:				; CODE XREF: PiDmObjectProcessPropertyChange+26Ej
		mov	eax, ds:off_401B14[edi]
		cmp	[eax+10h], ecx
		jz	short loc_85A591

loc_85A583:				; CODE XREF: PiDmObjectProcessPropertyChange+CD826j
		add	edi, 1Ch
		inc	ebx
		cmp	edi, 54h
		jb	short loc_85A578
		jmp	loc_85A4F1
; 

loc_85A591:				; CODE XREF: PiDmObjectProcessPropertyChange+265j
		push	10h		; size_t
		push	edx		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_927B3C
		mov	eax, [ebp+var_28]
		cmp	eax, ds:_PiDmAggregatedBooleanDefs[edi]
		jnz	loc_927B3C
		imul	edi, ebx, 1Ch
		add	edi, offset _PiDmAggregatedBooleanDefs
		jz	loc_85A4F1
		mov	edx, [ebp+var_2C]
		lea	ecx, [ebp+var_18]
		push	ecx		; int
		push	dword ptr [edi+0Ch] ; int
		push	dword ptr [edi+8] ; void *
		push	ecx		; int
		push	[ebp+arg_0]	; int
		mov	ecx, eax
		call	PiDmGetReferencedObjectFromProperty
		test	eax, eax
		js	loc_85A4F1
		mov	eax, large fs:124h
		mov	edi, [edi+18h]
		add	edi, [ebp+var_18]
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, 80000000h
		test	esi, esi
		js	short loc_85A675
		mov	eax, [edi]
		cmp	eax, ecx
		jz	short loc_85A675
		cmp	[ebp+var_10], 11h
		mov	ecx, [ebp+var_C]
		jnz	short loc_85A627
		mov	edx, [ebp+var_14]
		mov	dl, [edx]
		cmp	dl, 0FFh
		jz	short loc_85A65A

loc_85A623:				; CODE XREF: PiDmObjectProcessPropertyChange+347j
		test	dl, dl
		jnz	short loc_85A635

loc_85A627:				; CODE XREF: PiDmObjectProcessPropertyChange+2FBj
		cmp	[ebp+var_8], 11h
		jnz	short loc_85A635
		cmp	byte ptr [ecx],	0FFh
		jnz	short loc_85A635
		inc	eax

loc_85A633:				; CODE XREF: PiDmObjectProcessPropertyChange+34Aj
		mov	[edi], eax

loc_85A635:				; CODE XREF: PiDmObjectProcessPropertyChange+309j
					; PiDmObjectProcessPropertyChange+30Fj	...
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_85A4F1
; 

loc_85A650:				; CODE XREF: PiDmObjectProcessPropertyChange+1FFj
		call	PiDmObjectRelease
		jmp	loc_85A521
; 

loc_85A65A:				; CODE XREF: PiDmObjectProcessPropertyChange+305j
		cmp	[ebp+var_8], 11h
		jnz	short loc_85A665
		cmp	byte ptr [ecx],	0
		jnz	short loc_85A623

loc_85A665:				; CODE XREF: PiDmObjectProcessPropertyChange+342j
		dec	eax
		jmp	short loc_85A633
; 

loc_85A668:				; CODE XREF: PiDmObjectProcessPropertyChange+126j
		cmp	[ebp+var_8], ebx
		mov	esi, ebx
		mov	[ebp+var_10], ebx
		jmp	loc_85A4C3
; 

loc_85A675:				; CODE XREF: PiDmObjectProcessPropertyChange+2ECj
					; PiDmObjectProcessPropertyChange+2F2j
		mov	[edi], ecx
		jmp	short loc_85A635
PiDmObjectProcessPropertyChange	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpSetDeviceClassChange	proc near	; CODE XREF: IopProcessSetInterfaceState+30Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00927B54 SIZE 0000000A BYTES

		push	14h
		push	offset dword_6A71B8
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	esi, ecx
		cmp	dword_6CC5E4, 0
		jnz	loc_927B54
		and	[ebp+var_1C], 0
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+arg_0]
		movzx	ebx, word ptr [eax]
		add	ebx, 44h
		lea	ecx, [ebx+48h]
		call	_PnpCreateDeviceEventEntry@4 ; PnpCreateDeviceEventEntry(x)
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	short loc_85A71E
		lea	edi, [ecx+48h]
		movsd
		movsd
		movsd
		movsd
		mov	dword ptr [ecx+58h], 2
		mov	[ecx+64h], ebx
		lea	edi, [ecx+6Ch]
		mov	esi, [ebp+var_20]
		movsd
		movsd
		movsd
		movsd
		mov	ebx, [ebp+arg_0]
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		lea	eax, [ecx+7Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		movzx	eax, word ptr [ebx]
		shr	eax, 1
		xor	edx, edx
		mov	ecx, [ebp+var_24]
		mov	[ecx+eax*2+7Ch], dx
		call	PnpInsertEventInQueue
		mov	[ebp+var_1C], eax

loc_85A702:				; CODE XREF: PnpSetDeviceClassChange+ABj
					; sub_927B62+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]

loc_85A70C:				; CODE XREF: PnpSetDeviceClassChange+CD4DFj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_85A71E:				; CODE XREF: PnpSetDeviceClassChange+3Ej
		mov	[ebp+var_1C], 0C0000017h
		jmp	short loc_85A702
PnpSetDeviceClassChange	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDmAddCacheReferenceForObject proc near ; CODE	XREF: PiPnpRtlCmActionCallback+2D2p
					; IopProcessSetInterfaceState+24Bp ...

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00927B6A SIZE 00000054 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [ebp+var_4C]
		push	esi
		push	edi
		push	40h		; size_t
		xor	edi, edi
		mov	[ebp+var_54], edx
		mov	esi, ecx
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_64], esi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_5C], edi
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_58], edi
		mov	ecx, esi
		mov	[ebp+var_60], eax
		mov	[ebp+var_50], edi
		call	PiDmGetObjectManagerForObjectType
		mov	ecx, large fs:124h
		mov	edi, eax
		mov	[ebp+var_68], edi
		dec	word ptr [ecx+13Ch]
		nop
		push	1
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [ebp+var_54]
		lea	eax, [ebp+var_4C]
		push	eax
		mov	edx, esi
		call	PiDmInitializeComparisonObject
		mov	esi, eax
		test	esi, esi
		js	short loc_85A801
		lea	eax, [ebp+var_58]
		add	edi, 38h
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		push	edi
		call	_RtlLookupElementGenericTableFullAvl@16	; RtlLookupElementGenericTableFullAvl(x,x,x,x)
		test	eax, eax
		jz	short loc_85A7FD
		mov	eax, [eax]

loc_85A7BA:				; CODE XREF: PiDmAddCacheReferenceForObject+D7j
		mov	[ebp+var_50], eax
		test	eax, eax
		jz	loc_927B6A
		inc	dword ptr [eax+8]

loc_85A7C8:				; CODE XREF: PiDmAddCacheReferenceForObject+DCj
					; PiDmAddCacheReferenceForObject+CD47Dj ...
		test	ebx, ebx
		jz	short loc_85A7D6
		mov	[ebx], eax
		test	eax, eax
		jz	short loc_85A7D6
		lock inc dword ptr [eax+4]

loc_85A7D6:				; CODE XREF: PiDmAddCacheReferenceForObject+A2j
					; PiDmAddCacheReferenceForObject+A8j
		mov	ecx, [ebp+var_68]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_85A7FD:				; CODE XREF: PiDmAddCacheReferenceForObject+8Ej
		xor	eax, eax
		jmp	short loc_85A7BA
; 

loc_85A801:				; CODE XREF: PiDmAddCacheReferenceForObject+75j
					; PiDmAddCacheReferenceForObject+CD455j
		mov	eax, [ebp+var_50]
		jmp	short loc_85A7C8
PiDmAddCacheReferenceForObject endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDmRemoveCacheReferenceForObject proc near ; CODE XREF: PiPnpRtlCmActionCallback+394p
					; IopProcessSetInterfaceState+3A2p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00927BBE SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		xor	edi, edi
		call	PiDmGetObjectManagerForObjectType
		mov	ebx, eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	edx, esi
		mov	ecx, ebx
		call	_PiDmLookupObject@8 ; PiDmLookupObject(x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_85A86C
		dec	dword ptr [eax+8]
		mov	eax, [ebp+var_4]
		cmp	[eax+8], edi
		jz	loc_927BBE

loc_85A850:				; CODE XREF: PiDmRemoveCacheReferenceForObject+6Bj
					; PiDmRemoveCacheReferenceForObject+CD3CDj
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_85A86C:				; CODE XREF: PiDmRemoveCacheReferenceForObject+39j
		mov	edi, 0C0000034h
		jmp	short loc_85A850
PiDmRemoveCacheReferenceForObject endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopRecordSleepCheckpoint(x)
_PopRecordSleepCheckpoint@4 proc near	; CODE XREF: PopCheckpointSystemSleep+1Ap
					; PopCheckShutdownMarker+27367p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	ebx, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		push	8
		pop	ecx
		mov	dword_6C3D9C, eax
		mov	byte_6D4C82, bl
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_85A8BD
		and	dword_6C3D9C, 0

loc_85A8BD:				; CODE XREF: PopRecordSleepCheckpoint(x)+40j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopRecordSleepCheckpoint@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopNotifyCallbacksPreSleep()
_PopNotifyCallbacksPreSleep@0 proc near	; CODE XREF: PAGELK:0071EC03p
		mov	edi, edi
		push	ecx
		push	8
		pop	ecx
		call	PopCheckpointSystemSleep
		mov	ecx, offset _POP_ETW_EVENT_PRESLEEP_CALLBACKS_START
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		push	0
		push	3
		push	_ExCbPowerState
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)
		mov	ecx, offset _POP_ETW_EVENT_PRESLEEP_CALLBACKS_STOP
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		push	9
		pop	ecx
		call	PopCheckpointSystemSleep
		pop	ecx
		retn
_PopNotifyCallbacksPreSleep@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopDispatchSuperfetchNotification(x, x)
_PopDispatchSuperfetchNotification@8 proc near ; CODE XREF: PopIssueActionRequest+22Ep
		mov	edi, edi
		push	ecx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jns	short loc_85A916
		push	2
		pop	esi

loc_85A916:				; CODE XREF: PopDispatchSuperfetchNotification(x,x)+Bj
		mov	ecx, offset _POP_ETW_EVENT_SUPERFETCH_START
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		push	6
		pop	ecx
		call	PopCheckpointSystemSleep
		xor	ecx, ecx
		mov	edx, esi
		push	edi
		inc	ecx
		call	PfPowerActionNotify
		mov	ecx, offset _POP_ETW_EVENT_SUPERFETCH_STOP
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		push	7
		pop	ecx
		call	PopCheckpointSystemSleep
		pop	edi
		pop	esi
		pop	ecx
		retn
_PopDispatchSuperfetchNotification@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopResumeServices(x, x)
_PopResumeServices@8 proc near		; CODE XREF: PopIssueActionRequest+26Cp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	edi
		mov	edi, ecx
		push	0
		mov	dword ptr [edi+10h], 6
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, offset _POP_ETW_EVENT_RESUMESERVICES
		mov	dword_6C28A0, eax
		mov	dword_6C28A4, edx
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		push	27h
		pop	ecx
		call	PopCheckpointSystemSleep
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	PopDispatchStateCallout
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, offset _POP_ETW_EVENT_RESUMESERVICES_END
		mov	dword_6C28A8, eax
		mov	dword_6C28AC, edx
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		push	28h
		pop	ecx
		call	PopCheckpointSystemSleep
		pop	edi
		leave
		retn
_PopResumeServices@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopResumeApps(x, x)
_PopResumeApps@8 proc near		; CODE XREF: PopIssueActionRequest+27Cp
		mov	edi, edi
		push	edi
		mov	edi, ecx
		mov	_PopHiberBootForceMonitorOff, 0
		push	0
		mov	dword ptr [edi+10h], 5
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, offset _POP_ETW_EVENT_RESUMEAPPS
		mov	dword_6C2890, eax
		mov	dword_6C2894, edx
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		push	25h
		pop	ecx
		call	PopCheckpointSystemSleep
		xor	edx, edx
		mov	ecx, edi
		call	PopDispatchStateCallout
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, offset _POP_ETW_EVENT_RESUMEAPPS_END
		mov	dword_6C2898, eax
		mov	dword_6C289C, edx
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		push	26h
		pop	ecx
		pop	edi
		jmp	PopCheckpointSystemSleep
_PopResumeApps@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSuspendServices(x, x)
_PopSuspendServices@8 proc near		; CODE XREF: PopIssueActionRequest+216p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		mov	ecx, offset _POP_ETW_EVENT_SUSPENDSERVICES
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		push	4
		pop	ecx
		call	PopCheckpointSystemSleep
		lea	edx, [ebp+var_4]
		mov	dword ptr [esi+10h], 3
		mov	ecx, esi
		call	PopDispatchStateCallout
		mov	ecx, offset _POP_ETW_EVENT_SUSPENDSERVICES_END
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		push	5
		pop	ecx
		call	PopCheckpointSystemSleep
		pop	esi
		leave
		retn
_PopSuspendServices@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopSuspendApps(x, x)
_PopSuspendApps@8 proc near		; CODE XREF: PopIssueActionRequest+20Dp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, offset _POP_ETW_EVENT_SUSPENDAPPS
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		push	2
		pop	ecx
		call	PopCheckpointSystemSleep
		xor	edx, edx
		mov	dword ptr [esi+10h], 2
		mov	ecx, esi
		call	PopDispatchStateCallout
		mov	ecx, offset _POP_ETW_EVENT_SUSPENDAPPS_END
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		push	3
		pop	ecx
		pop	esi
		jmp	PopCheckpointSystemSleep
_PopSuspendApps@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopIssueActionRequest proc near		; CODE XREF: PopPolicyWorkerAction+5Ap
					; sub_905DA0+2Ap

var_38		= byte ptr -38h
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090223D SIZE 00000151 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		mov	byte ptr [esp+40h+var_34], cl
		lea	edi, [esp+40h+var_1C]
		push	6
		pop	ecx
		xor	ebx, ebx
		mov	[esp+40h+var_30], edx
		rep stosd
		mov	[esp+40h+var_2C], esi
		mov	[esp+40h+var_28], ebx
		call	_PopAcquireAwaymodeLock@0 ; PopAcquireAwaymodeLock()
		call	PopReadSystemAwayModePolicy
		cmp	byte_6C2D10, bl
		jnz	loc_90223D
		cmp	byte_6C2D11, bl
		jnz	loc_90223D
		mov	edi, [esp+40h+var_30]

loc_85AAFD:				; CODE XREF: PopIssueActionRequest+A77A6j
					; PopIssueActionRequest+A77AFj	...
		call	_PopReleaseAwaymodeLock@0 ; PopReleaseAwaymodeLock()
		mov	eax, dword_6C26D4
		test	eax, eax
		jz	loc_9022C8
		cmp	eax, 5
		jg	loc_9022B3

loc_85AB18:				; CODE XREF: PopIssueActionRequest+A781Dj
		push	14h

loc_85AB1A:				; CODE XREF: PopIssueActionRequest+A7825j
		pop	esi

loc_85AB1B:				; CODE XREF: PopIssueActionRequest+A782Dj
		cmp	edi, 8
		jz	loc_9022D0
		xor	ecx, ecx
		inc	ecx
		call	PopSetPowerActionWatchdogState
		cmp	edi, 5
		jz	loc_9022FA
		cmp	edi, 4
		jz	loc_9022FA
		cmp	edi, 6
		jz	loc_9022FA
		mov	al, bl
		mov	byte ptr [esp+40h+var_34+1], bl

loc_85AB4D:				; CODE XREF: PopIssueActionRequest+A7862j
		cmp	_PsWin32CalloutsEstablished, bl
		jz	loc_902305
		test	al, al
		jnz	loc_902305
		mov	al, bl
		mov	byte ptr [esp+40h+var_34+2], bl

loc_85AB67:				; CODE XREF: PopIssueActionRequest+A786Dj
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jns	loc_902310
		and	edi, 0FFFFFFFEh

loc_85AB75:				; CODE XREF: PopIssueActionRequest+A7875j
		test	al, al
		jnz	loc_902318

loc_85AB7D:				; CODE XREF: PopIssueActionRequest+A7881j
		mov	al, byte_6C2768
		mov	byte ptr [esp+40h+var_34+3], al
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		call	_PpmBeginHighPerfRequest@0 ; PpmBeginHighPerfRequest()
		mov	_PopSleepStats,	bl
		cmp	byte ptr [esp+40h+var_34], bl
		jnz	short loc_85ABE5
		cmp	byte ptr [esp+40h+var_34+1], bl
		jnz	short loc_85ABF3
		push	278h		; size_t
		push	ebx		; int
		push	offset _PopSleepStats ;	void *
		call	_memset
		mov	edx, dword_6C26D8
		add	esp, 0Ch
		mov	ecx, dword_6C26D4
		call	_PopDiagTracePowerTransitionStart@8 ; PopDiagTracePowerTransitionStart(x,x)
		push	ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	dword_6C2848, eax
		mov	dword_6C284C, edx
		call	_PopEnableSystemSleepCheckpoint@0 ; PopEnableSystemSleepCheckpoint()
		xor	ecx, ecx
		inc	ecx
		call	PopCheckpointSystemSleep

loc_85ABE5:				; CODE XREF: PopIssueActionRequest+FCj
		cmp	[esp+0Dh], bl
		jnz	short loc_85ABF3
		xor	ecx, ecx
		inc	ecx
		call	_PopSetSleepMarker@4 ; PopSetSleepMarker(x)

loc_85ABF3:				; CODE XREF: PopIssueActionRequest+102j
					; PopIssueActionRequest+14Bj
		cmp	[esp+44h+var_36], bl
		jnz	loc_902324
		mov	al, [esp+44h+var_38]
		lea	ecx, [esp+44h+var_20]
		mov	byte ptr [esp+44h+var_20], al
		mov	eax, [esp+44h+var_34]
		mov	[esp+44h+var_1C], eax
		mov	eax, [esp+44h+var_30]
		mov	[esp+44h+var_18], eax
		mov	[esp+44h+var_14], edi
		mov	[esp+44h+var_C], esi
		call	_PoStartPowerStateTasks@4 ; PoStartPowerStateTasks(x)
		mov	esi, eax
		mov	al, [esp+44h+var_38]
		test	al, al
		jnz	short loc_85AC54
		test	esi, esi
		js	short loc_85AC43
		cmp	[esp+44h+var_35], bl
		jnz	short loc_85AC43
		lea	ecx, [esp+44h+var_20]
		call	_PopPrepareSleep@8 ; PopPrepareSleep(x,x)

loc_85AC43:				; CODE XREF: PopIssueActionRequest+194j
					; PopIssueActionRequest+19Aj
		lea	ecx, [esp+44h+var_20]
		call	PoBlockConsoleSwitch
		mov	[esp+44h+var_2C], eax
		mov	al, [esp+44h+var_38]

loc_85AC54:				; CODE XREF: PopIssueActionRequest+190j
		test	esi, esi
		js	loc_85AD2F
		test	al, al
		jnz	loc_85AD2F
		test	edi, edi
		jns	loc_90233B
		push	2
		pop	eax

loc_85AC6F:				; CODE XREF: PopIssueActionRequest+A789Fj
		mov	esi, edi
		and	esi, 8
		jz	short loc_85AC79
		or	eax, 4

loc_85AC79:				; CODE XREF: PopIssueActionRequest+1D6j
		push	[esp+44h+var_30]
		mov	edx, eax
		xor	ecx, ecx
		call	PfPowerActionNotify
		mov	_PopNoMoreInput, 1
		lea	eax, [esp+44h+var_28]
		mov	[esp+44h+var_28], ebx
		xor	ecx, ecx
		lock or	[eax], ecx
		cmp	[esp+44h+var_35], cl
		jnz	short loc_85ACB9
		mov	cl, 1
		call	_PopPowerAggregatorNotifySuspendResume@4 ; PopPowerAggregatorNotifySuspendResume(x)
		lea	ecx, [esp+44h+var_20]
		call	_PopSuspendApps@8 ; PopSuspendApps(x,x)
		lea	ecx, [esp+44h+var_20]
		call	_PopSuspendServices@8 ;	PopSuspendServices(x,x)

loc_85ACB9:				; CODE XREF: PopIssueActionRequest+200j
		test	esi, esi
		jz	short loc_85ACC4
		mov	cl, 1
		call	EtwShutdown

loc_85ACC4:				; CODE XREF: PopIssueActionRequest+21Dj
		mov	ebx, [esp+44h+var_30]
		mov	ecx, edi
		mov	edx, ebx
		call	_PopDispatchSuperfetchNotification@8 ; PopDispatchSuperfetchNotification(x,x)
		push	edi
		push	ebx
		push	[esp+4Ch+var_34]
		call	_ZwSetSystemPowerState@12 ; ZwSetSystemPowerState(x,x,x)
		mov	esi, eax
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	bl, byte_6C2768
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		xor	eax, eax
		xor	ecx, ecx
		mov	_PopNoMoreInput, al
		mov	[esp+44h+var_24], eax
		lea	eax, [esp+44h+var_24]
		lock or	[eax], ecx
		test	bl, bl
		jnz	short loc_85AD1F
		lea	ecx, [esp+44h+var_20]
		call	_PopResumeServices@8 ; PopResumeServices(x,x)
		xor	cl, cl
		call	_PopPowerAggregatorNotifySuspendResume@4 ; PopPowerAggregatorNotifySuspendResume(x)
		lea	ecx, [esp+44h+var_20]
		call	_PopResumeApps@8 ; PopResumeApps(x,x)

loc_85AD1F:				; CODE XREF: PopIssueActionRequest+266j
		push	[esp+44h+var_30]
		xor	edx, edx
		push	7
		pop	ecx
		call	PfPowerActionNotify
		xor	ebx, ebx

loc_85AD2F:				; CODE XREF: PopIssueActionRequest+1B8j
					; PopIssueActionRequest+1C0j
		lea	ecx, [esp+44h+var_20]
		call	_PoEndPowerStateTasks@4	; PoEndPowerStateTasks(x)
		call	_TtmIsEnabled@0	; TtmIsEnabled()
		test	al, al
		jnz	loc_902342

loc_85AD45:				; CODE XREF: PopIssueActionRequest+A78E4j
		cmp	[esp+44h+var_38], 0
		jnz	short loc_85ADC2

loc_85AD4C:				; CODE XREF: PopIssueActionRequest+A78EBj
		mov	edx, [esp+44h+var_2C]
		lea	ecx, [esp+44h+var_20]
		call	_PoUnblockConsoleSwitch@8 ; PoUnblockConsoleSwitch(x,x)

loc_85AD59:				; CODE XREF: PopIssueActionRequest+A7898j
		cmp	[esp+44h+var_38], 0
		jnz	short loc_85ADC2
		cmp	byte ptr [esp+0Dh], 0
		jnz	short loc_85ADC2
		test	esi, esi
		js	short loc_85ADB3
		push	ebx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	dword_6C2870, eax
		mov	dword_6C2874, edx
		call	PopDiagTraceHiberStats
		call	_PopDiagTracePowerTransitionTime@0 ; PopDiagTracePowerTransitionTime()
		mov	ecx, edi
		call	PopDiagTracePerfTrackData
		mov	eax, dword ptr [esp+48h+var_38]
		mov	dword_6C2AB0, eax
		mov	eax, [esp+48h+var_34]
		mov	_PopShutdownButtonPressTime, ebx
		mov	dword_6C362C, ebx
		mov	dword_6C2AB4, eax
		mov	_PopSleepStats,	1

loc_85ADB3:				; CODE XREF: PopIssueActionRequest+2CBj
		mov	ecx, esi
		call	_PopDiagTracePowerTransitionEnd@4 ; PopDiagTracePowerTransitionEnd(x)
		push	29h
		pop	ecx
		call	PopCheckpointSystemSleep

loc_85ADC2:				; CODE XREF: PopIssueActionRequest+2ACj
					; PopIssueActionRequest+2C0j ...
		push	2
		pop	ecx
		call	PpmEndHighPerfRequest
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		xor	ecx, ecx
		call	PopSetPowerActionWatchdogState
		mov	eax, esi

loc_85ADD8:				; CODE XREF: PopIssueActionRequest+A7810j
					; PopIssueActionRequest+A784Dj	...
		mov	ecx, [esp+48h+var_C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
PopIssueActionRequest endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorNotifySuspendResume(x)
_PopPowerAggregatorNotifySuspendResume@4 proc near ; CODE XREF:	PopIssueActionRequest+204p
					; PopIssueActionRequest+273p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	bl, cl
		nop
		mov	edi, offset _PopPowerAggregatorLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	esi, esi
		mov	dword_6C09A4, eax
		mov	eax, dword_6C0AA8
		mov	[ebp+var_30], eax
		movzx	eax, bl
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_30]
		push	4
		pop	ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		mov	[ebp+var_20], ecx
		mov	[ebp+var_10], ecx
		mov	ecx, offset _POP_ETW_EVENT_POWER_AGGREGATOR_SUSPEND_RESUME
		pop	edx
		mov	[ebp+var_24], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_C], esi
		call	PopPowerAggregatorDiagTraceEvent
		test	bl, bl
		jz	short loc_85AEC9
		mov	eax, dword_6C0AA8
		inc	eax
		mov	dword_6C0AA8, eax
		cmp	eax, 1
		jnz	short loc_85AE8C
		push	14h
		push	7

loc_85AE84:				; CODE XREF: PopPowerAggregatorNotifySuspendResume(x)+EAj
		xor	edx, edx
		pop	ecx
		call	_PopPowerAggregatorHandleIntentUnsafe@12 ; PopPowerAggregatorHandleIntentUnsafe(x,x,x)

loc_85AE8C:				; CODE XREF: PopPowerAggregatorNotifySuspendResume(x)+92j
					; PopPowerAggregatorNotifySuspendResume(x)+E4j
		cmp	dword_6C09A4, esi
		jz	short loc_85AE9A
		mov	dword_6C09A4, esi

loc_85AE9A:				; CODE XREF: PopPowerAggregatorNotifySuspendResume(x)+A6j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	bl, bl
		jz	short loc_85AEBA
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset unk_6C0A98
		call	KeWaitForSingleObject

loc_85AEBA:				; CODE XREF: PopPowerAggregatorNotifySuspendResume(x)+BEj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_85AEC9:				; CODE XREF: PopPowerAggregatorNotifySuspendResume(x)+82j
		sub	dword_6C0AA8, 1
		jnz	short loc_85AE8C
		push	14h
		push	8
		jmp	short loc_85AE84
_PopPowerAggregatorNotifySuspendResume@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorHandleIntentUnsafe(x, x, x)
_PopPowerAggregatorHandleIntentUnsafe@12 proc near
					; CODE XREF: PopPowerAggregatorNotifySuspendResume(x)+9Bp
					; PopPowerAggregatorForceSessionSwitch(x)+3Ap ...

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[esp+70h+var_64], edx
		xor	edx, edx
		mov	[esp+70h+var_58], eax
		mov	eax, dword_6C09C4
		lea	edi, [esp+70h+var_30]
		push	0Ch
		pop	ecx
		mov	esi, offset dword_6C09D8
		mov	[esp+70h+var_54], edx
		rep movsd
		mov	ecx, _PopPowerAggregatorContext
		add	ecx, 1
		mov	[esp+70h+var_48], edx
		mov	[esp+70h+var_44], edx
		adc	eax, edx
		mov	[esp+70h+var_40], edx
		mov	dword_6C09C4, eax
		mov	[esp+70h+var_4C], eax
		lea	eax, [ebx-1]
		mov	[esp+70h+var_3C], edx
		mov	[esp+70h+var_38], edx
		mov	[esp+70h+var_34], edx
		mov	[esp+70h+var_60], 4
		mov	[esp+70h+var_5C], ebx
		mov	_PopPowerAggregatorContext, ecx
		mov	[esp+70h+var_50], ecx
		cmp	eax, 7
		ja	short loc_85AFCE
		cmp	[esp+70h+var_64], 2
		ja	short loc_85AFCE
		call	_PopPowerAggregatorCachePoPolicy@4 ; PopPowerAggregatorCachePoPolicy(x)
		mov	eax, ds:_PopPowerAggregatorIntentHandlers[ebx*4]
		test	eax, eax
		jz	short loc_85AFCE
		push	ebx
		lea	edx, [esp+74h+var_60]
		push	edx
		push	offset _PopPowerAggregatorContext
		call	eax
		mov	esi, eax
		test	esi, esi
		js	short loc_85AFA6
		push	0Ch
		pop	ecx
		lea	esi, [esp+7Ch+var_6C]
		mov	edi, offset dword_6C09D8
		rep movsd
		call	PopPowerAggregatorIsAtTargetState
		test	al, al
		jnz	short loc_85AFCA
		mov	ecx, offset _PopPowerAggregatorContext
		mov	esi, 103h
		call	_PopPowerAggregatorScheduleWorker@4 ; PopPowerAggregatorScheduleWorker(x)

loc_85AFA6:				; CODE XREF: PopPowerAggregatorHandleIntentUnsafe(x,x,x)+A6j
					; PopPowerAggregatorHandleIntentUnsafe(x,x,x)+F4j ...
		push	esi
		lea	eax, [esp+80h+var_6C]
		mov	edx, ebx
		push	eax
		lea	eax, [esp+84h+var_3C]
		push	eax
		push	[ebp+arg_0]
		push	[esp+8Ch+var_70]
		call	PopPowerAggregatorRecordIntent
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_85AFCA:				; CODE XREF: PopPowerAggregatorHandleIntentUnsafe(x,x,x)+BDj
		xor	esi, esi
		jmp	short loc_85AFA6
; 

loc_85AFCE:				; CODE XREF: PopPowerAggregatorHandleIntentUnsafe(x,x,x)+7Cj
					; PopPowerAggregatorHandleIntentUnsafe(x,x,x)+83j ...
		mov	esi, 0C000000Dh
		jmp	short loc_85AFA6
_PopPowerAggregatorHandleIntentUnsafe@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPowerAggregatorRecordIntent proc near
					; CODE XREF: PopPowerAggregatorHandleIntentUnsafe(x,x,x)+E2p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0090238E SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		push	edi
		push	ebx
		push	[ebp+arg_C]
		mov	edi, edx
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_8]
		mov	ecx, edi
		push	[ebp+arg_4]
		call	_PopPowerAggregatorDiagTraceHandleIntent@24 ; PopPowerAggregatorDiagTraceHandleIntent(x,x,x,x,x,x)
		mov	eax, dword_6C0AAC
		dec	eax
		and	eax, 1Fh
		imul	esi, eax, 90h
		add	esi, offset unk_6C0AB0
		cmp	dword ptr [esi], 1
		jz	loc_90238E

loc_85B017:				; CODE XREF: PopPowerAggregatorRecordIntent+A73BBj
					; PopPowerAggregatorRecordIntent+A73C7j ...
		xor	edx, edx
		mov	ecx, offset _PopPowerAggregatorContext
		inc	edx
		call	_PopPowerAggregatorAllocateLogEntry@8 ;	PopPowerAggregatorAllocateLogEntry(x,x)
		mov	ecx, [ebp+arg_0]
		mov	esi, [ebp+arg_8]
		push	0Ch
		mov	[eax+1Ch], ecx
		mov	ecx, [ebp+arg_4]
		mov	[eax+18h], edi
		lea	edi, [eax+28h]
		mov	[eax+20h], ecx
		pop	ecx
		rep movsd
		mov	esi, [ebp+arg_C]
		lea	edi, [eax+58h]
		push	0Ch
		pop	ecx
		rep movsd
		mov	[eax+88h], ebx

loc_85B04F:				; CODE XREF: PopPowerAggregatorRecordIntent+A741Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
PopPowerAggregatorRecordIntent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorSetCurrentState(x, x)
_PopPowerAggregatorSetCurrentState@8 proc near
					; CODE XREF: PopPowerAggregatorSystemTransitionEnterStateHandler+E5p
					; PopPowerAggregatorSystemTransitionExitStateHandler(x)+51p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	[ebp+var_8], esi
		mov	eax, [esi+20h]
		lea	ebx, [esi+48h]
		mov	[edx+4], eax
		mov	ecx, ebx
		mov	eax, [esi+28h]
		mov	[edx+8], eax
		mov	eax, [esi+2Ch]
		mov	[edx+0Ch], eax
		call	_PopPowerAggregatorDiagTraceInternalStateChange@8 ; PopPowerAggregatorDiagTraceInternalStateChange(x,x)
		push	2
		pop	edx
		mov	ecx, esi
		call	_PopPowerAggregatorAllocateLogEntry@8 ;	PopPowerAggregatorAllocateLogEntry(x,x)
		push	8
		pop	ecx
		push	8
		lea	edi, [eax+18h]
		mov	esi, ebx
		rep movsd
		mov	esi, [ebp+var_4]
		lea	edi, [eax+38h]
		mov	eax, [ebp+var_8]
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_4]
		mov	edi, ebx
		push	8
		pop	ecx
		rep movsd
		or	dword ptr [eax+14h], 2
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopPowerAggregatorSetCurrentState@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorDiagTraceInternalStateChange(x, x)
_PopPowerAggregatorDiagTraceInternalStateChange@8 proc near
					; CODE XREF: PopPowerAggregatorSetCurrentState(x,x)+29p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	4
		pop	eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_24], ecx
		xor	ecx, ecx
		push	eax
		push	2
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		mov	ecx, offset _POP_ETW_EVENT_POWER_AGGREGATOR_INTERNAL_STATE_CHANGE
		pop	edx
		call	PopPowerAggregatorDiagTraceEvent
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopPowerAggregatorDiagTraceInternalStateChange@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorWorker(x)
_PopPowerAggregatorWorker@4 proc near	; DATA XREF: PopPowerAggregatorInitialize(x)+46o
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopPowerAggregatorLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	esi, esi
		push	esi
		xor	edx, edx
		mov	dword_6C09A4, eax
		mov	ecx, offset _POP_ETW_EVENT_POWER_AGGREGATOR_WORKER_START
		call	PopPowerAggregatorDiagTraceEvent
		mov	eax, large fs:124h
		mov	dword_6C1CC0, eax
		jmp	short loc_85B158
; 

loc_85B14B:				; CODE XREF: PopPowerAggregatorWorker(x)+59j
		and	eax, 0FFFFFFFDh
		mov	dword_6C09D4, eax
		call	_PopPowerAggregatorInvokeStateMachine@4	; PopPowerAggregatorInvokeStateMachine(x)

loc_85B158:				; CODE XREF: PopPowerAggregatorWorker(x)+43j
		mov	eax, dword_6C09D4
		test	al, 2
		jnz	short loc_85B14B
		and	eax, 0FFFFFFFEh
		mov	dword_6C1CC0, esi
		push	esi
		xor	edx, edx
		mov	dword_6C09D4, eax
		mov	ecx, offset _POP_ETW_EVENT_POWER_AGGREGATOR_WORKER_END
		call	PopPowerAggregatorDiagTraceEvent
		cmp	dword_6C09A4, esi
		jz	short loc_85B18A
		mov	dword_6C09A4, esi

loc_85B18A:				; CODE XREF: PopPowerAggregatorWorker(x)+7Cj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		retn	4
_PopPowerAggregatorWorker@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorInvokeStateMachine(x)
_PopPowerAggregatorInvokeStateMachine@4	proc near
					; CODE XREF: PopPowerAggregatorWorker(x)+4Dp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	3
		mov	ebx, offset _PopPowerAggregatorContext
		pop	edx
		mov	ecx, ebx
		call	_PopPowerAggregatorAllocateLogEntry@8 ;	PopPowerAggregatorAllocateLogEntry(x,x)
		push	0Ch
		pop	ecx
		mov	esi, offset dword_6C09D8
		mov	edx, offset dword_6C0A08
		lea	edi, [eax+18h]
		rep movsd
		push	8
		lea	edi, [eax+48h]
		mov	esi, offset dword_6C0A08
		pop	ecx
		rep movsd
		mov	ecx, offset dword_6C09D8
		call	_PopPowerAggregatorDiagTraceHandlerInvoke@8 ; PopPowerAggregatorDiagTraceHandlerInvoke(x,x)
		mov	edx, dword_6C0A08
		mov	eax, dword_6C09D8
		push	ebx
		lea	eax, [eax+edx*4]
		mov	eax, ds:_PopPowerAggregatorInternalStateContexts[eax*4]
		call	eax ; NtCompleteConnectPort(x) ; NtCompleteConnectPort(x)
		push	4
		pop	edx
		mov	ecx, ebx
		mov	esi, eax
		call	_PopPowerAggregatorAllocateLogEntry@8 ;	PopPowerAggregatorAllocateLogEntry(x,x)
		pop	edi
		mov	[eax+18h], esi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_PopPowerAggregatorInvokeStateMachine@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorAllocateLogEntry(x, x)
_PopPowerAggregatorAllocateLogEntry@8 proc near
					; CODE XREF: PopPowerAggregatorRecordIntent+49p
					; PopPowerAggregatorSetCurrentState(x,x)+33p ...

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx+0ECh]
		push	ebx
		push	esi
		imul	esi, eax, 90h
		lea	ebx, [ecx+0F0h]
		push	edi
		push	8Ch		; size_t
		push	0		; int
		mov	edi, edx
		mov	[ebp+var_4], ecx
		add	ebx, esi
		inc	eax
		and	eax, 1Fh
		mov	[ecx+0ECh], eax
		lea	eax, [ecx+0F4h]
		add	eax, esi
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebx], edi
		lea	eax, [ebp+var_C]
		push	eax
		call	_KeQueryInterruptTimePrecise@4 ; KeQueryInterruptTimePrecise(x)
		mov	[ebx+8], eax
		mov	eax, [ebp+var_4]
		mov	[ebx+0Ch], edx
		pop	edi
		pop	esi
		mov	ecx, [eax]
		mov	[ebx+10h], ecx
		mov	ecx, [eax+4]
		mov	eax, ebx
		mov	[ebx+14h], ecx
		pop	ebx
		leave
		retn
_PopPowerAggregatorAllocateLogEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorDiagTraceHandlerInvoke(x,	x)
_PopPowerAggregatorDiagTraceHandlerInvoke@8 proc near
					; CODE XREF: PopPowerAggregatorInvokeStateMachine(x)+38p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	4
		pop	eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_24], ecx
		xor	ecx, ecx
		push	eax
		push	2
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		mov	ecx, offset _POP_ETW_EVENT_POWER_AGGREGATOR_HANDLER_INVOKE
		pop	edx
		call	PopPowerAggregatorDiagTraceEvent
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopPowerAggregatorDiagTraceHandlerInvoke@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPowerAggregatorDiagTraceEvent proc near
					; CODE XREF: PopPowerAggregatorDiagTraceHandleIntent(x,x,x,x,x,x)+83p
					; PopPowerAggregatorNotifySuspendResume(x)+7Bp	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009023FD SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	_PopDiagHandleRegistered, 0
		push	esi
		mov	[ebp+var_4], edx
		mov	esi, ecx
		jz	short loc_85B2F5
		push	ebx
		mov	ebx, _PopDiagHandle
		push	edi
		mov	edi, dword_6C1D74
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_9023FD

loc_85B2F3:				; CODE XREF: PopPowerAggregatorDiagTraceEvent+A714Dj
		pop	edi
		pop	ebx

loc_85B2F5:				; CODE XREF: PopPowerAggregatorDiagTraceEvent+13j
		pop	esi
		leave
		retn	4
PopPowerAggregatorDiagTraceEvent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPowerAggregatorSystemTransitionEnterStateHandler proc near
					; DATA XREF: PAGEDATA:00A934A4o
					; PAGEDATA:00A934C4o ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00902412 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		push	3
		pop	ebx
		mov	eax, [edi+48h]
		cmp	eax, ebx
		jz	loc_85B3B3
		test	eax, eax
		jz	loc_85B3B3
		cmp	eax, 2
		jz	loc_85B3B3
		mov	eax, [edi+58h]
		test	eax, eax
		js	short loc_85B3A8
		cmp	eax, 2
		jg	loc_902412

loc_85B33A:				; CODE XREF: PopPowerAggregatorSystemTransitionEnterStateHandler+A7121j
		xor	esi, esi
		cmp	dword_6C09A4, esi
		jz	short loc_85B34A
		mov	dword_6C09A4, esi

loc_85B34A:				; CODE XREF: PopPowerAggregatorSystemTransitionEnterStateHandler+48j
		xor	edx, edx
		mov	ecx, offset _PopPowerAggregatorLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, dword_6D6FC0
		test	eax, eax
		jz	short loc_85B368
		push	1
		call	eax

loc_85B368:				; CODE XREF: PopPowerAggregatorSystemTransitionEnterStateHandler+68j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPowerAggregatorLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		push	esi
		mov	dword_6C09A4, eax
		lea	eax, [edi+0D8h]
		push	esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	edx, [edi+4Ch]
		mov	ecx, ebx
		call	_PopPowerAggregatorStartNextSession@8 ;	PopPowerAggregatorStartNextSession(x,x)
		mov	[edi+58h], ebx

loc_85B3A8:				; CODE XREF: PopPowerAggregatorSystemTransitionEnterStateHandler+35j
					; PopPowerAggregatorSystemTransitionEnterStateHandler+EAj ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_85B3B3:				; CODE XREF: PopPowerAggregatorSystemTransitionEnterStateHandler+19j
					; PopPowerAggregatorSystemTransitionEnterStateHandler+21j ...
		xor	esi, esi
		mov	[esp+30h+var_20], 5
		lea	edx, [esp+30h+var_20]
		mov	[esp+30h+var_1C], esi
		mov	ecx, edi
		mov	[esp+30h+var_18], esi
		mov	[esp+30h+var_14], esi
		mov	[esp+30h+var_10], esi
		mov	[esp+30h+var_8], esi
		mov	[esp+30h+var_4], esi
		mov	[esp+30h+var_C], ebx
		call	_PopPowerAggregatorSetCurrentState@8 ; PopPowerAggregatorSetCurrentState(x,x)
		jmp	short loc_85B3A8
PopPowerAggregatorSystemTransitionEnterStateHandler endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorScheduleWorker(x)
_PopPowerAggregatorScheduleWorker@4 proc near
					; CODE XREF: PopPowerAggregatorHandleIntentUnsafe(x,x,x)+C9p
					; PopPowerAggregatorNotifyDisplayPoweredOn+A5DC1p ...
		or	dword ptr [ecx+14h], 2
		mov	eax, [ecx+14h]
		test	al, 1
		jnz	short locret_85B405
		or	eax, 1
		mov	[ecx+14h], eax
		lea	eax, [ecx+12F0h]
		push	1
		push	eax
		call	ExQueueWorkItem

locret_85B405:				; CODE XREF: PopPowerAggregatorScheduleWorker(x)+9j
		retn
_PopPowerAggregatorScheduleWorker@4 endp


;  S U B	R O U T	I N E 


PopPowerAggregatorIsAtTargetState proc near
					; CODE XREF: PopPowerAggregatorHandleIntentUnsafe(x,x,x)+B6p

; FUNCTION CHUNK AT 00902420 SIZE 0000002E BYTES

		mov	eax, dword_6C09D8
		xor	ecx, ecx
		sub	eax, ecx
		jz	short loc_85B431
		sub	eax, 1
		jz	loc_902420
		sub	eax, 1
		jz	short loc_85B431
		sub	eax, 1
		jnz	short loc_85B42E
		cmp	dword_6C0A08, 5
		setz	cl

loc_85B42E:				; CODE XREF: PopPowerAggregatorIsAtTargetState+1Cj
					; PopPowerAggregatorIsAtTargetState:loc_85B43Dj ...
		mov	al, cl
		retn
; 

loc_85B431:				; CODE XREF: PopPowerAggregatorIsAtTargetState+9j
					; PopPowerAggregatorIsAtTargetState+17j
		mov	eax, dword_6C0A08
		test	eax, eax
		jz	short loc_85B43F
		cmp	eax, 2

loc_85B43D:				; CODE XREF: PopPowerAggregatorIsAtTargetState+A7043j
		jnz	short loc_85B42E

loc_85B43F:				; CODE XREF: PopPowerAggregatorIsAtTargetState+32j
		mov	cl, 1
		jmp	short loc_85B42E
PopPowerAggregatorIsAtTargetState endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmPowerPagingEnabled proc near		; CODE XREF: PoBroadcastSystemState+284p
					; PoBroadcastSystemState+47Ep

var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090244E SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	byte ptr [ebp+var_4], 0
		lea	edi, [ebp+var_14]
		mov	bl, cl
		stosd
		mov	esi, offset _EmpPagingLock
		xor	edx, edx
		mov	ecx, esi
		stosd
		stosd
		stosd
		call	ExAcquirePushLockExclusiveEx
		test	bl, bl
		jnz	short loc_85B4A6
		and	dword_6CDC44, 7FFFFFFFh
		jnz	loc_90244E

loc_85B480:				; CODE XREF: EmPowerPagingEnabled+6Cj
		mov	ebx, [ebp+var_4]

loc_85B483:				; CODE XREF: EmPowerPagingEnabled+A7021j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_90246A

loc_85B492:				; CODE XREF: EmPowerPagingEnabled+A7028j
					; EmPowerPagingEnabled+A7035j
		mov	ecx, esi
		call	KeAbPostRelease
		test	bl, bl
		jnz	loc_90247E

loc_85B4A1:				; CODE XREF: EmPowerPagingEnabled+A7073j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85B4A6:				; CODE XREF: EmPowerPagingEnabled+2Aj
		or	dword_6CDC44, 80000000h
		jmp	short loc_85B480
EmPowerPagingEnabled endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDevicesSuspend(x, x, x)
_PopDiagTraceDevicesSuspend@12 proc near ; CODE	XREF: PoBroadcastSystemState+13Ap

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	[ebp+var_3C], edx
		mov	bl, cl
		jz	short loc_85B53E
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_DEVICESSUSPEND
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_85B53C
		movzx	eax, bl
		xor	edx, edx
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	offset _POP_ETW_EVENT_DEVICESSUSPEND
		push	esi
		push	edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_85B53C:				; CODE XREF: PopDiagTraceDevicesSuspend(x,x,x)+3Dj
		pop	edi
		pop	esi

loc_85B53E:				; CODE XREF: PopDiagTraceDevicesSuspend(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceDevicesSuspend@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


PopFxNotifySxTransitionState proc near	; CODE XREF: PoBroadcastSystemState+105p
					; PoBroadcastSystemState+4ABp

; FUNCTION CHUNK AT 009024BC SIZE 00000052 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		xor	edx, edx
		mov	esi, offset _PopFxUpdateDripsConstraintContext
		test	cl, cl
		mov	ecx, esi
		push	edi
		jz	short loc_85B596
		call	ExAcquirePushLockExclusiveEx
		mov	byte_6C39EC, 1
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_9024BC

loc_85B57B:				; CODE XREF: PopFxNotifySxTransitionState+A6F70j
					; PopFxNotifySxTransitionState+A6F7Dj
		mov	ecx, esi
		call	KeAbPostRelease
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset unk_6C39F4
		call	KeWaitForSingleObject

loc_85B592:				; CODE XREF: PopFxNotifySxTransitionState+7Cj
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_85B596:				; CODE XREF: PopFxNotifySxTransitionState+10j
		call	ExAcquirePushLockExclusiveEx
		mov	byte_6C39EC, 0
		mov	edi, offset dword_6C39E4

loc_85B5A7:				; CODE XREF: PopFxNotifySxTransitionState+A6FA2j
		mov	eax, dword_6C39E4
		cmp	eax, edi
		jnz	loc_9024D0
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_9024FA

loc_85B5C3:				; CODE XREF: PopFxNotifySxTransitionState+A6FAEj
					; PopFxNotifySxTransitionState+A6FBBj
		mov	ecx, esi
		call	KeAbPostRelease
		jmp	short loc_85B592
PopFxNotifySxTransitionState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopNotifyTelemetryOsState proc near	; CODE XREF: PAGELK:0071EFD5p
					; PAGELK:0071F271p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 0090250E SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, edx
		mov	esi, ecx
		cmp	dword_6B23F8, edi
		jbe	short loc_85B634
		push	8000h
		push	edi
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_85B634
		push	4
		pop	edx
		cmp	esi, edx
		jz	short loc_85B649
		cmp	esi, 5
		jz	short loc_85B649
		cmp	esi, 6
		jz	short loc_85B649
		push	3
		pop	eax
		push	2
		pop	ecx
		cmp	esi, ecx
		jnz	short loc_85B63D

loc_85B611:				; CODE XREF: PopNotifyTelemetryOsState+75j
		xor	ecx, ecx
		cmp	[ebp+arg_8], cl
		setz	cl
		add	ecx, eax
		cmp	[ebp+arg_0], 5
		jnz	short loc_85B643

loc_85B621:				; CODE XREF: PopNotifyTelemetryOsState+79j
		test	[ebp+arg_4], 8
		jz	loc_90250E
		mov	edx, eax

loc_85B62D:				; CODE XREF: PopNotifyTelemetryOsState+7Bj
					; PopNotifyTelemetryOsState+89j ...
		call	PopTransitionTelemetryOsState
		mov	edi, eax

loc_85B634:				; CODE XREF: PopNotifyTelemetryOsState+14j
					; PopNotifyTelemetryOsState+28j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_85B63D:				; CODE XREF: PopNotifyTelemetryOsState+43j
		cmp	esi, eax
		jnz	short loc_85B634
		jmp	short loc_85B611
; 

loc_85B643:				; CODE XREF: PopNotifyTelemetryOsState+53j
		cmp	esi, eax
		jz	short loc_85B621
		jmp	short loc_85B62D
; 

loc_85B649:				; CODE XREF: PopNotifyTelemetryOsState+2Fj
					; PopNotifyTelemetryOsState+34j ...
		xor	edx, edx
		cmp	esi, 5
		push	2
		setz	dl
		pop	ecx
		inc	edx
		jmp	short loc_85B62D
PopNotifyTelemetryOsState endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPolicyWorkerAction proc near

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00902523 SIZE 00000083 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	bl, bl
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	eax, large fs:124h
		cmp	byte_6C26C1, 1
		mov	dword_6C2828, eax
		jnz	short loc_85B6FF
		mov	ebx, dword_6C26C4
		mov	cl, 2
		push	esi
		mov	esi, dword_6C26CC
		push	edi
		mov	edi, dword_6C26C8
		mov	[ebp+var_1C], ebx
		call	_PopSetPowerActionState@4 ; PopSetPowerActionState(x)
		mov	eax, dword_6C26D4
		mov	edx, ebx
		push	esi
		push	edi
		xor	cl, cl
		mov	[ebp+var_18], eax
		call	PopIssueActionRequest
		mov	cl, _PopAction
		xor	ebx, ebx
		inc	ebx
		mov	edi, eax
		test	cl, 2
		jnz	loc_902523
		test	ds:dword_70EFD0, 8000h
		jnz	loc_90256A

loc_85B6DB:				; CODE XREF: PopPolicyWorkerAction+A6F49j
		xor	cl, cl
		mov	dword_6C26D0, edi
		call	_PopSetPowerActionState@4 ; PopSetPowerActionState(x)
		mov	esi, _PopActionWaiters

loc_85B6EE:				; CODE XREF: PopPolicyWorkerAction+ECj
		cmp	esi, offset _PopActionWaiters
		jnz	short loc_85B738
		mov	ecx, ebx

loc_85B6F8:				; CODE XREF: PopPolicyWorkerAction+A6F0Dj
		call	PopGetPolicyWorker
		pop	edi
		pop	esi

loc_85B6FF:				; CODE XREF: PopPolicyWorkerAction+2Cj
		and	dword_6C2828, 0
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		test	bl, bl
		pop	ebx
		jz	short loc_85B71B
		mov	eax, _PoPdcCallbacks
		test	eax, eax
		jz	short loc_85B71B
		call	eax

loc_85B71B:				; CODE XREF: PopPolicyWorkerAction+B6j
					; PopPolicyWorkerAction+BFj
		mov	eax, large fs:124h
		cmp	dword ptr [eax+13Ch], 0
		jnz	short loc_85B746
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_85B738:				; CODE XREF: PopPolicyWorkerAction+9Cj
		mov	ecx, [esi+8]
		mov	edx, edi
		call	_PopCompleteAction@8 ; PopCompleteAction(x,x)
		mov	esi, [esi]
		jmp	short loc_85B6EE
; 

loc_85B746:				; CODE XREF: PopPolicyWorkerAction+D0j
		push	20h
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PopPolicyWorkerAction endp


;  S U B	R O U T	I N E 


; __stdcall PopTransitionCheckpoint(x, x)
_PopTransitionCheckpoint@8 proc	near	; CODE XREF: PAGELK:0071EABEp
					; PAGELK:0071EFE2p ...
		mov	edi, edi
		push	ebx
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		push	eax
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	loc_85B838
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopTransitionCheckpointLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		cmp	_PopTransitionCheckpoints, offset _PopTransitionCheckpoints
		mov	dword_6C3CFC, eax
		jz	loc_85B826

loc_85B79C:				; CODE XREF: PopTransitionCheckpoint(x,x)+DDj
		push	esi
		push	50434B50h
		push	20h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_85B7E6
		mov	ecx, _PopTransitionCheckpointsSequenceNumber
		mov	[esi+8], ecx
		mov	[esi+0Ch], edi
		mov	[esi+10h], ebx
		call	KeQueryInterruptTime
		mov	[esi+18h], eax
		mov	ecx, offset _PopTransitionCheckpoints
		mov	[esi+1Ch], edx
		mov	eax, dword_6C3CEC
		cmp	[eax], ecx
		jnz	short loc_85B833
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6C3CEC, esi

loc_85B7E6:				; CODE XREF: PopTransitionCheckpoint(x,x)+63j
		mov	eax, _PopTransitionCheckpointsSequenceNumber
		mov	_PopBsdTransitionLatestCheckpointSeqNumber, eax
		inc	eax
		cmp	dword_6C3CFC, 0
		mov	_PopBsdTransitionLatestCheckpointId, edi
		mov	_PopBsdTransitionLatestCheckpointType, ebx
		mov	_PopTransitionCheckpointsSequenceNumber, eax
		pop	esi

loc_85B80A:				; CODE XREF: PopTransitionCheckpoint(x,x)+E5j
		jz	short loc_85B813
		and	dword_6C3CFC, 0

loc_85B813:				; CODE XREF: PopTransitionCheckpoint(x,x):loc_85B80Aj
		xor	edx, edx
		mov	ecx, offset _PopTransitionCheckpointLock
		call	ExReleasePushLockEx
		pop	edi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
; 

loc_85B826:				; CODE XREF: PopTransitionCheckpoint(x,x)+4Aj
		cmp	edi, 1
		jz	loc_85B79C
		test	eax, eax
		jmp	short loc_85B80A
; 

loc_85B833:				; CODE XREF: PopTransitionCheckpoint(x,x)+8Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_85B838:				; CODE XREF: PopTransitionCheckpoint(x,x)+15j
		pop	edi
		pop	ebx
		retn
_PopTransitionCheckpoint@8 endp	; sp = -4

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopDiagTracePrepareSleepEnd()
_PopDiagTracePrepareSleepEnd@0 proc near ; CODE	XREF: PopPrepareSleep(x,x)+22p
		mov	ecx, offset _POP_ETW_EVENT_PREPARESLEEP_END
		jmp	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
_PopDiagTracePrepareSleepEnd@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopDiagTracePrepareSleep()
_PopDiagTracePrepareSleep@0 proc near	; CODE XREF: PopPrepareSleep(x,x)+5p
		mov	ecx, offset _POP_ETW_EVENT_PREPARESLEEP
		jmp	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
_PopDiagTracePrepareSleep@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopDiagTraceDevicesWakeEnd()
_PopDiagTraceDevicesWakeEnd@0 proc near	; CODE XREF: PoBroadcastSystemState+36Dp
		mov	ecx, offset _POP_ETW_EVENT_DEVICESWAKE_END
		jmp	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
_PopDiagTraceDevicesWakeEnd@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorSystemTransitionExitStateHandler(x)
_PopPowerAggregatorSystemTransitionExitStateHandler@4 proc near
					; DATA XREF: PAGEDATA:00A934E8o
					; PAGEDATA:00A934ECo

var_20		= dword	ptr -20h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		inc	edi
		mov	eax, [esi+58h]
		test	eax, eax
		jz	short loc_85B884
		cmp	eax, edi
		jz	short loc_85B893
		add	eax, 0FFFFFFFEh
		cmp	eax, 2
		ja	loc_85B919

loc_85B884:				; CODE XREF: PopPowerAggregatorSystemTransitionExitStateHandler(x)+18j
		lea	eax, [esi+0D8h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	[esi+58h], edi

loc_85B893:				; CODE XREF: PopPowerAggregatorSystemTransitionExitStateHandler(x)+1Cj
		push	8
		xor	eax, eax
		lea	edi, [esp+2Ch+var_20]
		pop	ecx
		rep stosd
		mov	eax, [esi+5Ch]
		lea	edx, [esp+28h+var_20]
		mov	ecx, esi
		mov	[esp+28h+var_20], eax
		call	_PopPowerAggregatorSetCurrentState@8 ; PopPowerAggregatorSetCurrentState(x,x)
		push	0Bh
		pop	edx
		xor	ecx, ecx
		call	_PopPowerAggregatorStartNextSession@8 ;	PopPowerAggregatorStartNextSession(x,x)
		cmp	dword_6C09A4, 0
		jz	short loc_85B8CA
		and	dword_6C09A4, 0

loc_85B8CA:				; CODE XREF: PopPowerAggregatorSystemTransitionExitStateHandler(x)+67j
		mov	esi, offset _PopPowerAggregatorLock
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, dword_6D6FC0
		test	eax, eax
		jz	short loc_85B8F7
		push	2
		call	eax
		mov	eax, dword_6D6FC0
		test	eax, eax
		jz	short loc_85B8F7
		push	3
		call	eax

loc_85B8F7:				; CODE XREF: PopPowerAggregatorSystemTransitionExitStateHandler(x)+8Aj
					; PopPowerAggregatorSystemTransitionExitStateHandler(x)+97j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C09A4, eax

loc_85B919:				; CODE XREF: PopPowerAggregatorSystemTransitionExitStateHandler(x)+24j
		pop	edi
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_PopPowerAggregatorSystemTransitionExitStateHandler@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorStartNextSession(x, x)
_PopPowerAggregatorStartNextSession@8 proc near
					; CODE XREF: PopPowerAggregatorSystemTransitionEnterStateHandler+A6p
					; PopPowerAggregatorSystemTransitionExitStateHandler(x)+5Bp ...
		cmp	dword_6C09A4, 0
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jz	short loc_85B93B
		and	dword_6C09A4, 0

loc_85B93B:				; CODE XREF: PopPowerAggregatorStartNextSession(x,x)+Ej
		mov	ebx, offset _PopPowerAggregatorLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edx, esi
		mov	ecx, edi
		call	PopSleepstudyStartNextSession
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		pop	edi
		pop	esi
		mov	dword_6C09A4, eax
		pop	ebx
		retn
_PopPowerAggregatorStartNextSession@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopSleepstudyStartNextSession proc near	; CODE XREF: PopPowerAggregatorStartNextSession(x,x)+2Ep
					; PopPowerAggregatorDisengageModernStandby(x)+8Dp

var_1D0		= dword	ptr -1D0h
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1B0		= dword	ptr -1B0h
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009025A6 SIZE 000001BB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1D4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	148h		; size_t
		lea	eax, [ebp+var_150]
		mov	[ebp+var_160], edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_158], ecx
		call	_memset
		add	esp, 0Ch
		lea	edi, [ebp+var_1D0]
		xor	eax, eax
		push	8
		pop	ecx
		rep stosd
		push	8
		pop	ecx
		lea	edi, [ebp+var_1B0]
		rep stosd
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopSleepstudySessionLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6BF3BC, eax
		mov	eax, dword_6BF0B0
		imul	edx, eax, 60h
		add	edx, offset dword_6BF0B8
		inc	eax
		and	eax, 7
		mov	[ebp+var_154], edx
		mov	dword_6BF0B0, eax
		imul	eax, 60h
		lea	eax, dword_6BF0B8[eax]
		mov	[ebp+var_15C], eax
		lea	eax, [ebp+var_178]
		push	eax
		call	_KeQueryInterruptTimePrecise@4 ; KeQueryInterruptTimePrecise(x)
		or	[ebp+var_17C], 0FFFFFFFFh
		lea	ecx, [ebp+var_180]
		mov	edi, edx
		mov	[ebp+var_180], 0FFD9DA60h
		mov	ebx, eax
		mov	[ebp+var_170], edi
		call	_PopBatteryUpdateCurrentState@4	; PopBatteryUpdateCurrentState(x)
		lea	ecx, [ebp+var_1D0]
		mov	esi, eax
		call	_PopCurrentPowerState@4	; PopCurrentPowerState(x)
		mov	ecx, [ebp+var_160]
		cmp	esi, 102h
		setz	al
		dec	al
		and	al, 1
		mov	byte ptr [ebp+var_164],	al
		call	_PopGetMonitorReasonFromPowerEventId@4 ; PopGetMonitorReasonFromPowerEventId(x)
		mov	esi, [ebp+var_1C8]
		mov	[ebp+var_168], eax
		mov	eax, [ebp+var_154]
		push	5Ch		; size_t
		push	0		; int
		mov	[eax+1Ch], edi
		mov	edi, [ebp+var_1C4]
		mov	[eax+18h], ebx
		mov	[eax+24h], ecx
		mov	[eax+2Ch], edi
		mov	[eax+34h], esi
		mov	eax, [ebp+var_15C]
		add	eax, 4
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_15C]
		add	esp, 0Ch
		mov	edx, [ebp+var_154]
		mov	ecx, [ebp+var_158]
		mov	[eax], ecx
		mov	ecx, [edx+8]
		add	ecx, 1
		mov	[ebp+var_16C], ecx
		mov	ecx, [edx+0Ch]
		mov	edx, [ebp+var_16C]
		adc	ecx, 0
		mov	[eax+10h], ebx
		mov	ebx, [ebp+var_15C]
		mov	[eax+0Ch], ecx
		mov	[eax+8], edx
		mov	eax, [ebp+var_170]
		mov	[ebx+30h], esi
		mov	esi, [ebp+var_154]
		mov	[ebx+14h], eax
		mov	[ebx+28h], edi
		mov	edi, offset _GUID_NULL
		mov	[ebp+var_174], ecx
		mov	eax, [esi]
		mov	ecx, [ebp+var_158]
		sub	eax, 1
		jz	loc_9025D4
		sub	eax, 1
		jz	loc_9025A6

loc_85BB30:				; CODE XREF: PopSleepstudyStartNextSession+A6C59j
					; PopSleepstudyStartNextSession+A6D3Dj
		sub	ecx, 1
		jz	loc_902716
		sub	ecx, 1
		jz	loc_9026C0

loc_85BB42:				; CODE XREF: PopSleepstudyStartNextSession+A6DDEj
		cmp	dword_6BF3BC, 0
		jz	short loc_85BB52
		and	dword_6BF3BC, 0

loc_85BB52:				; CODE XREF: PopSleepstudyStartNextSession+1CBj
		xor	edx, edx
		mov	ecx, offset _PopSleepstudySessionLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopSleepstudyStartNextSession endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorHandleSystemTransitionEndIntent(x, x, x)
_PopPowerAggregatorHandleSystemTransitionEndIntent@12 proc near
					; DATA XREF: PAGEDATA:00A93494o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+18h], 3
		jnz	short loc_85BB8B
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		mov	[ecx], eax

loc_85BB87:				; CODE XREF: PopPowerAggregatorHandleSystemTransitionEndIntent(x,x,x)+1Ej
		pop	ebp
		retn	0Ch
; 

loc_85BB8B:				; CODE XREF: PopPowerAggregatorHandleSystemTransitionEndIntent(x,x,x)+Cj
		mov	eax, 0C000A003h
		jmp	short loc_85BB87
_PopPowerAggregatorHandleSystemTransitionEndIntent@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopCompleteAction(x, x)
_PopCompleteAction@8 proc near		; CODE XREF: PopPolicyWorkerAction+E5p
					; PopExecutePowerAction+A6BC2p
		mov	eax, [ecx+4]
		test	al, 20h
		jz	short locret_85BBAF
		and	eax, 0FFFFFFDFh
		mov	[ecx+4], eax
		mov	eax, [ecx+8]
		push	0
		push	0
		push	eax
		mov	[eax+10h], edx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

locret_85BBAF:				; CODE XREF: PopCompleteAction(x,x)+5j
		retn
_PopCompleteAction@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopUpdatePowerActionWatchdogTimeouts()
_PopUpdatePowerActionWatchdogTimeouts@0	proc near
					; CODE XREF: PopSetPowerActionWatchdogState:loc_552FC3p
		mov	edi, edi
		push	ecx
		call	_Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledDeviceUsage@0 ; Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	short loc_85BBD2
		mov	ds:_PopPowerActionTransitioningWatchdogTimeout,	14Ah
		mov	ds:_PopPowerActionResumingWatchdogTimeout, 96h
		pop	ecx
		retn
; 

loc_85BBD2:				; CODE XREF: PopUpdatePowerActionWatchdogTimeouts()+Aj
		mov	eax, ds:_PopPowerActionTransitioningWatchdogTimeoutDefault
		mov	ds:_PopPowerActionTransitioningWatchdogTimeout,	eax
		mov	eax, ds:_PopPowerActionResumingWatchdogTimeoutDefault
		mov	ds:_PopPowerActionResumingWatchdogTimeout, eax
		pop	ecx
		retn
_PopUpdatePowerActionWatchdogTimeouts@0	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1739. PoUserShutdownInitiated

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoUserShutdownInitiated
PoUserShutdownInitiated	proc near	; CODE XREF: PopPowerInformationInternal:loc_765EF0p

; FUNCTION CHUNK AT 00902761 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_85BCBA
		push	7
		xor	edx, edx
		pop	ecx
		call	_PopTransitionCheckpoint@8 ; PopTransitionCheckpoint(x,x)
		xor	ebx, ebx
		mov	ecx, offset _PopSetUserShutdownMarkerWorkItem
		inc	ebx
		mov	edx, ebx
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)
		cmp	dword_6D6FAC, 0
		jz	loc_85BCBA
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	_PopUserShutdownInProgress, 0
		jnz	loc_902761
		xor	esi, esi
		mov	_PopUserShutdownInProgress, bl
		cmp	byte_6C2EFC, 0
		mov	edi, offset _PopUserShutdownDelayTimer
		jnz	short loc_85BC88
		push	esi
		push	edi
		mov	dword_6C2F58, offset _PopUserShutdownDelayWorkerCallback@4 ; PopUserShutdownDelayWorkerCallback(x)
		mov	dword_6C2F5C, esi
		mov	_PopUserShutdownDelayWorker, esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	esi
		push	offset _PopUserShutdownDelayDpcCallback@16 ; PopUserShutdownDelayDpcCallback(x,x,x,x)
		push	offset _PopUserShutdownDelayDpc
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	byte_6C2EFC, bl

loc_85BC88:				; CODE XREF: PoUserShutdownInitiated+65j
		mov	_PopBsdShutdownInProgress, ebx
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		call	dword_6D6FAC
		push	0FFFFFFFFh
		push	0CA5B1700h
		push	offset _PopUserShutdownDelayDpc
		push	esi
		xor	edx, edx
		mov	ecx, edi
		mov	bl, al
		call	KiSetTimerEx
		test	bl, bl
		jz	short loc_85BCBA
		call	_PpmBeginHighPerfRequest@0 ; PpmBeginHighPerfRequest()

loc_85BCBA:				; CODE XREF: PoUserShutdownInitiated+13j
					; PoUserShutdownInitiated+39j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
PoUserShutdownInitiated	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopExecutePowerAction proc near		; CODE XREF: PopCheckAndHandleThermalConditions+82A2Dp
					; PAGELK:0071EC9Fp ...

var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9E		= byte ptr -9Eh
var_9D		= dword	ptr -9Dh
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0090276B SIZE 00000260 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		lea	edi, [ebp+var_B8]
		mov	[ebp+var_AC], edx
		xor	ecx, ecx
		test	ds:dword_70EFD0, 8000h
		movsd
		mov	[ebp+var_A8], ecx
		movsd
		movsd
		mov	esi, [ebp+arg_4]
		mov	edi, [ebp+var_B8]
		jnz	loc_90276B

loc_85BD0F:				; CODE XREF: PopExecutePowerAction+A6AFAj
		cmp	_PopDiagHandleRegistered, 0
		mov	eax, [ebp+var_B0]
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebx+4]
		mov	[ebp+var_CC], eax
		mov	eax, [ebp+var_B4]
		mov	[ebp+var_C8], eax
		mov	eax, [ebp+var_AC]
		mov	[ebp+var_C0], eax
		mov	eax, [ebx]
		mov	[ebp+var_D4], edx
		mov	[ebp+var_D0], esi
		mov	[ebp+var_C4], edi
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_A4], eax
		jz	short loc_85BD91
		mov	esi, dword_6C1D74
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_EXECUTE_POWER_ACTION
		push	esi
		push	edi
		mov	[ebp+var_D8], ecx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_9027C1
		mov	ecx, [ebp+var_D8]

loc_85BD8E:				; CODE XREF: PopExecutePowerAction+A6BB6j
		mov	edx, [ebp+arg_8]

loc_85BD91:				; CODE XREF: PopExecutePowerAction+9Ej
		test	cl, cl
		jns	loc_85C096
		lea	ecx, [ebp+arg_4]
		call	PopVerifySystemPowerState
		lea	ecx, [ebp+var_B8]
		call	PopVerifyPowerActionPolicy
		test	al, al
		jnz	loc_90287D
		mov	esi, [ebp+var_B8]
		cmp	esi, 2
		jz	short loc_85BDC8
		cmp	esi, 3
		jnz	loc_90288E

loc_85BDC8:				; CODE XREF: PopExecutePowerAction+FBj
		mov	edi, [ebp+var_B4]
		or	edi, 80000000h

loc_85BDD4:				; CODE XREF: PopExecutePowerAction+A6BD2j
		mov	eax, [ebx+4]
		mov	[ebp+var_9E], 0
		push	20h
		pop	ecx
		test	al, 2
		jnz	loc_85BFE6
		or	eax, 2
		mov	[ebx+4], eax
		cmp	esi, 6
		jz	loc_902899

loc_85BDF8:				; CODE XREF: PopExecutePowerAction+A6BDEj
					; PopExecutePowerAction+A6C43j
		mov	eax, [ebp+var_A8]

loc_85BDFE:				; CODE XREF: PopExecutePowerAction+A6C6Aj
		mov	[ebp+var_A4], edi
		cmp	esi, 4
		jge	loc_902931

loc_85BE0D:				; CODE XREF: PopExecutePowerAction+A6C37j
					; PopExecutePowerAction+A6C72j	...
		cmp	byte_6C26C1, 0
		jnz	short loc_85BE1B
		call	_PopResetActionDefaults@0 ; PopResetActionDefaults()

loc_85BE1B:				; CODE XREF: PopExecutePowerAction+152j
		test	esi, esi
		jz	loc_85BFE3
		mov	byte ptr [ebp+var_9D], 0
		cmp	esi, 7
		jz	loc_90294A
		mov	edi, [ebp+var_A4]

loc_85BE39:				; CODE XREF: PopExecutePowerAction+A6C8Ej
		cmp	esi, 3
		jnz	loc_85C057
		mov	[ebp+var_A4], 5

loc_85BE4C:				; CODE XREF: PopExecutePowerAction+39Ej
		cmp	esi, 4
		jz	loc_902955

loc_85BE55:				; CODE XREF: PopExecutePowerAction+A6C9Cj
		mov	edx, dword_6C26C4
		mov	ecx, esi
		call	_PopCompareActions@8 ; PopCompareActions(x,x)
		test	eax, eax
		js	short loc_85BED2
		push	1
		push	0
		xor	edx, edx
		lea	ecx, [ebp+var_9D]
		push	edi
		inc	edx
		call	_PopPromoteActionFlag@20 ; PopPromoteActionFlag(x,x,x,x,x)
		push	2
		push	0
		push	edi
		lea	ecx, [ebp+var_9D]
		call	_PopPromoteActionFlag@20 ; PopPromoteActionFlag(x,x,x,x,x)
		push	10000000h
		push	0
		push	edi
		push	4
		pop	edx
		lea	ecx, [ebp+var_9D]
		call	_PopPromoteActionFlag@20 ; PopPromoteActionFlag(x,x,x,x,x)
		cmp	esi, 2
		jnz	loc_85C065
		mov	eax, _PopPolicy
		mov	ecx, [eax+44h]
		mov	eax, [ebp+var_A4]
		cmp	eax, ecx
		jl	loc_902963

loc_85BEBE:				; CODE XREF: PopExecutePowerAction+3A9j
					; PopExecutePowerAction+A6CA3j
		cmp	eax, dword_6C26C8
		jle	short loc_85BED2
		or	byte ptr [ebp+var_9D], 4
		mov	dword_6C26C8, eax

loc_85BED2:				; CODE XREF: PopExecutePowerAction+1A2j
					; PopExecutePowerAction+202j
		push	4
		push	1
		xor	edx, edx
		lea	ecx, [ebp+var_9D]
		push	edi
		inc	edx
		call	_PopPromoteActionFlag@20 ; PopPromoteActionFlag(x,x,x,x,x)
		push	80000000h
		push	edx
		push	edi
		push	5
		pop	edx
		lea	ecx, [ebp+var_9D]
		call	_PopPromoteActionFlag@20 ; PopPromoteActionFlag(x,x,x,x,x)
		push	40000000h
		push	1
		push	edi
		xor	edx, edx
		lea	ecx, [ebp+var_9D]
		call	_PopPromoteActionFlag@20 ; PopPromoteActionFlag(x,x,x,x,x)
		push	8
		push	1
		push	edi
		lea	ecx, [ebp+var_9D]
		call	_PopPromoteActionFlag@20 ; PopPromoteActionFlag(x,x,x,x,x)
		push	20h
		push	1
		push	edi
		lea	ecx, [ebp+var_9D]
		call	_PopPromoteActionFlag@20 ; PopPromoteActionFlag(x,x,x,x,x)
		mov	edi, dword_6C26C4
		mov	ecx, esi
		mov	edx, edi
		call	_PopCompareActions@8 ; PopCompareActions(x,x)
		test	eax, eax
		jle	loc_85C070
		push	3
		pop	edx
		mov	ecx, esi
		call	_PopCompareActions@8 ; PopCompareActions(x,x)
		test	eax, eax
		js	loc_90296A
		or	byte ptr [ebp+var_9D], 2

loc_85BF5F:				; CODE XREF: PopExecutePowerAction+A6CB4j
		push	8
		pop	edx
		mov	ecx, edi
		call	_PopCompareActions@8 ; PopCompareActions(x,x)
		mov	cl, byte ptr [ebp+var_9D]
		test	eax, eax
		jz	loc_90297B

loc_85BF77:				; CODE XREF: PopExecutePowerAction+A6CBCj
		mov	edi, esi
		or	cl, 5
		mov	dword_6C26C4, edi
		mov	eax, [ebx]
		and	dword_6C26D8, 0
		mov	dword_6C26D4, eax
		cmp	dword ptr [ebx], 0
		jz	loc_902983

loc_85BF99:				; CODE XREF: PopExecutePowerAction+3B4j
					; PopExecutePowerAction+A6CC9j
		cmp	edi, 3
		jnz	short loc_85BFA8
		mov	dword_6C26C4, 2

loc_85BFA8:				; CODE XREF: PopExecutePowerAction+2DAj
		test	cl, cl
		jz	short loc_85BFE3
		cmp	ds:_TtmpEnabled, 1
		jz	loc_902990

loc_85BFB9:				; CODE XREF: PopExecutePowerAction+A6CD5j
		mov	al, byte_6C26C1
		mov	[ebp+var_9E], 1
		test	al, al
		jz	loc_85C07B
		cmp	al, 1
		jz	loc_85C07B
		or	_PopAction, cl
		xor	ecx, ecx
		inc	ecx

loc_85BFDE:				; CODE XREF: PopExecutePowerAction+3CAj
		call	PopGetPolicyWorker

loc_85BFE3:				; CODE XREF: PopExecutePowerAction+15Bj
					; PopExecutePowerAction+2E8j
		push	20h
		pop	ecx

loc_85BFE6:				; CODE XREF: PopExecutePowerAction+121j
		mov	eax, [ebx+4]
		test	al, 1
		jnz	short loc_85C018
		or	eax, 1
		mov	[ebx+4], eax
		mov	eax, [ebp+var_A8]
		cmp	eax, ecx
		jz	loc_90299C
		cmp	eax, 10h
		jz	loc_9029A7
		mov	ecx, [ebp+var_AC]

loc_85C010:				; CODE XREF: PopExecutePowerAction+A6CFBj
					; PopExecutePowerAction+A6D04j
		call	_PopSetNotificationWork@4 ; PopSetNotificationWork(x)
		mov	eax, [ebx+4]

loc_85C018:				; CODE XREF: PopExecutePowerAction+329j
		test	al, 20h
		jz	short loc_85C046
		cmp	[ebp+var_9E], 0
		jz	short loc_85C096
		mov	edx, dword_6C2BA4
		mov	esi, offset _PopActionWaiters
		mov	eax, [ebx+8]
		add	eax, 14h
		cmp	[edx], esi
		jnz	short loc_85C091
		mov	[eax], esi
		mov	[eax+4], edx
		mov	[edx], eax
		mov	dword_6C2BA4, eax

loc_85C046:				; CODE XREF: PopExecutePowerAction+358j
					; PopExecutePowerAction+A6BC7j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_85C057:				; CODE XREF: PopExecutePowerAction+17Aj
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_A4], eax
		jmp	loc_85BE4C
; 

loc_85C065:				; CODE XREF: PopExecutePowerAction+1E0j
		mov	eax, [ebp+var_A4]
		jmp	loc_85BEBE
; 

loc_85C070:				; CODE XREF: PopExecutePowerAction+27Ej
		mov	cl, byte ptr [ebp+var_9D]
		jmp	loc_85BF99
; 

loc_85C07B:				; CODE XREF: PopExecutePowerAction+305j
					; PopExecutePowerAction+30Dj
		mov	cl, 1
		call	_PopSetPowerActionState@4 ; PopSetPowerActionState(x)
		and	dword_6C26D0, 0
		push	2
		pop	ecx
		jmp	loc_85BFDE
; 

loc_85C091:				; CODE XREF: PopExecutePowerAction+376j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_85C096:				; CODE XREF: PopExecutePowerAction+D1j
					; PopExecutePowerAction+361j
		xor	edx, edx
		jmp	loc_902882
PopExecutePowerAction endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPromoteActionFlag(x, x, x, x, x)
_PopPromoteActionFlag@20 proc near	; CODE XREF: PopExecutePowerAction+1B2p
					; PopExecutePowerAction+1C2p ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_0]
		and	esi, eax
		cmp	[ebp+arg_4], 0
		push	edi
		mov	edi, ecx
		jz	short loc_85C0C7
		test	esi, esi
		jz	short loc_85C0E1
		mov	ecx, dword_6C26CC
		test	ecx, eax
		jnz	short loc_85C0E1
		or	ecx, eax
		jmp	short loc_85C0D9
; 

loc_85C0C7:				; CODE XREF: PopPromoteActionFlag(x,x,x,x,x)+15j
		test	esi, esi
		jnz	short loc_85C0E1
		mov	ecx, dword_6C26CC
		test	ecx, eax
		jz	short loc_85C0E1
		not	eax
		and	ecx, eax

loc_85C0D9:				; CODE XREF: PopPromoteActionFlag(x,x,x,x,x)+27j
		or	[edi], dl
		mov	dword_6C26CC, ecx

loc_85C0E1:				; CODE XREF: PopPromoteActionFlag(x,x,x,x,x)+19j
					; PopPromoteActionFlag(x,x,x,x,x)+23j ...
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_PopPromoteActionFlag@20 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopCompareActions(x, x)
_PopCompareActions@8 proc near		; CODE XREF: PopExecutePowerAction+19Bp
					; PopExecutePowerAction+277p ...
		cmp	ecx, 7
		jz	short loc_85C103
		cmp	ecx, 2
		jl	short loc_85C0F3
		inc	ecx

loc_85C0F3:				; CODE XREF: PopCompareActions(x,x)+8j
					; PopCompareActions(x,x)+1Ej
		cmp	edx, 7
		jz	short loc_85C108
		cmp	edx, 2
		jl	short loc_85C0FE
		inc	edx

loc_85C0FE:				; CODE XREF: PopCompareActions(x,x)+13j
					; PopCompareActions(x,x)+23j
		sub	ecx, edx
		mov	eax, ecx
		retn
; 

loc_85C103:				; CODE XREF: PopCompareActions(x,x)+3j
		push	2
		pop	ecx
		jmp	short loc_85C0F3
; 

loc_85C108:				; CODE XREF: PopCompareActions(x,x)+Ej
		push	2
		pop	edx
		jmp	short loc_85C0FE
_PopCompareActions@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtInitiatePowerAction proc near		; CODE XREF: PopCheckPowerSourceAfterRtcWakeTimerWorker(x)+63p
					; IopWarmEjectDevice(x,x)+35p
					; DATA XREF: ...

var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 009029CB SIZE 000000A2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		mov	eax, large fs:124h
		or	[esp+34h+var_14], 0FFFFFFFFh
		push	ebx
		xor	ebx, ebx
		mov	[esp+38h+var_18], 0A697D100h
		and	[esp+38h+var_24], ebx
		and	[esp+38h+var_20], ebx
		mov	al, [eax+15Ah]
		push	esi
		xor	esi, esi
		mov	[esp+3Ch+var_2D], al
		mov	byte ptr [esp+3Ch+var_1C], al
		push	edi
		mov	edi, [ebp+arg_0]
		test	al, al
		jz	short loc_85C181
		cmp	edi, 7
		jz	loc_9029DE
		push	[esp+40h+var_1C]
		push	ds:dword_A949BC
		push	ds:_SeShutdownPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_9029CB

loc_85C181:				; CODE XREF: NtInitiatePowerAction+4Bj
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 7
		jg	loc_9029DE
		cmp	edi, 7
		jg	loc_9029DE
		mov	eax, [ebp+arg_8]
		test	eax, 10000000h
		jnz	loc_9029DE
		cmp	edi, 2
		jz	loc_9029D5

loc_85C1AD:				; CODE XREF: NtInitiatePowerAction+A68CAj
		test	eax, 0CFFFFC0h
		jnz	loc_9029DE
		cmp	edi, 4
		jge	loc_9029E8

loc_85C1C1:				; CODE XREF: NtInitiatePowerAction+A68E3j
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_9029F6
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]

loc_85C1D4:				; CODE XREF: NtInitiatePowerAction+A68DDj
		xor	edx, edx
		mov	[esp+40h+var_10], edi
		mov	[esp+40h+var_8], edx
		mov	[esp+40h+var_C], eax
		mov	[esp+40h+var_24], edx
		mov	[esp+40h+var_20], edx
		mov	[esp+40h+var_28], 80h
		cmp	[esp+40h+var_2D], dl
		jz	loc_902A00

loc_85C1FC:				; CODE XREF: NtInitiatePowerAction+A68F5j
					; NtInitiatePowerAction+A6900j
		mov	edx, ecx
		mov	[esp+40h+var_2C], 4
		mov	ecx, edi
		call	_PopDiagTracePolicyInitiatePowerActionApiCall@8	; PopDiagTracePolicyInitiatePowerActionApiCall(x,x)

loc_85C20D:				; CODE XREF: NtInitiatePowerAction+A690Ej
		cmp	[ebp+arg_C], bl
		jnz	short loc_85C25B
		push	57634150h
		push	20h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_902A21
		xor	ecx, ecx
		lea	eax, [esp+40h+var_2C]
		mov	[esi], ecx
		mov	[esi+4], ecx
		mov	[esi+8], ecx
		mov	[esi+0Ch], ecx
		push	ecx
		mov	[esi+14h], ecx
		push	ecx
		mov	[esi+18h], ecx
		push	esi
		mov	[esi+10h], ecx
		mov	[esi+1Ch], eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		or	[esp+40h+var_28], 20h
		mov	[esp+40h+var_24], esi

loc_85C25B:				; CODE XREF: NtInitiatePowerAction+102j
		cmp	edi, 4
		jge	loc_902A2B

loc_85C264:				; CODE XREF: NtInitiatePowerAction+A6920j
					; NtInitiatePowerAction+A692Dj	...
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		push	1
		push	[ebp+arg_4]
		lea	eax, [esp+48h+var_10]
		xor	edx, edx
		push	eax
		lea	ecx, [esp+4Ch+var_2C]
		call	PopExecutePowerAction
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		test	esi, esi
		jz	short loc_85C2DF
		lea	edi, [esi+14h]
		cmp	[edi], ebx
		jz	short loc_85C2CE
		lea	eax, [esp+40h+var_18]
		push	eax
		push	1
		push	0
		push	5
		push	esi
		call	KeWaitForSingleObject
		mov	ebx, eax
		cmp	ebx, 102h
		jz	loc_902A4B

loc_85C2AD:				; CODE XREF: NtInitiatePowerAction+A6944j
					; NtInitiatePowerAction+A695Aj
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	short loc_85C2F5
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_85C2F5
		mov	[eax], ecx
		mov	[ecx+4], eax
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		test	ebx, ebx
		js	short loc_85C2D7

loc_85C2CE:				; CODE XREF: NtInitiatePowerAction+17Ej
		mov	ebx, [esi+10h]
		test	ebx, ebx
		js	short loc_85C2D7
		xor	ebx, ebx

loc_85C2D7:				; CODE XREF: NtInitiatePowerAction+1BEj
					; NtInitiatePowerAction+1C5j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_85C2DF:				; CODE XREF: NtInitiatePowerAction+177j
		mov	eax, ebx

loc_85C2E1:				; CODE XREF: NtInitiatePowerAction+A68C2j
					; NtInitiatePowerAction+A68D5j	...
		mov	ecx, [esp+40h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_85C2F5:				; CODE XREF: NtInitiatePowerAction+1A9j
					; NtInitiatePowerAction+1B0j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
NtInitiatePowerAction endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTracePolicyInitiatePowerActionApiCall(x, x)
_PopDiagTracePolicyInitiatePowerActionApiCall@8	proc near
					; CODE XREF: NtInitiatePowerAction+FAp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		mov	edx, [eax+1C0h]
		mov	ax, [edx]
		shr	ax, 1
		cmp	_PopDiagHandleRegistered, 0
		movzx	eax, ax
		mov	[ebp+var_48], eax
		jz	short loc_85C39A
		push	esi
		xor	esi, esi
		mov	[ebp+var_3C], 2
		lea	eax, [ebp+var_48]
		mov	[ebp+var_40], esi
		mov	[ebp+var_44], eax
		mov	[ebp+var_38], esi
		movzx	ecx, word ptr [edx]
		mov	eax, [edx+4]
		mov	[ebp+var_34], eax
		mov	eax, ecx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_4C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	esi
		push	offset _POP_ETW_EVENT_NTINITIATEPOWERACTION_API_CALL
		push	dword_6C1D74
		mov	[ebp+var_30], esi
		push	_PopDiagHandle
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	esi

loc_85C39A:				; CODE XREF: PopDiagTracePolicyInitiatePowerActionApiCall(x,x)+36j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTracePolicyInitiatePowerActionApiCall@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUmpoSendLegacyEvent(x)
_PopUmpoSendLegacyEvent@4 proc near	; CODE XREF: NtPowerInformation+104Bp
					; PopDirectedDripsSendSuspendResumeNotification(x,x)+50p ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		push	44h		; size_t
		lea	eax, [ebp+var_44]
		mov	ebx, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	esi, ebx
		mov	[ebp+var_44], 7
		lea	edi, [ebp+var_40]
		add	esp, 0Ch
		cmp	byte ptr [ebx+0Ch], 0
		movsd
		movsd
		movsd
		movsd
		jnz	short loc_85C3EE

loc_85C3D9:				; CODE XREF: PopUmpoSendLegacyEvent(x)+4Cj
					; PopUmpoSendLegacyEvent(x)+5Aj
		movzx	eax, byte ptr [ebx+0Dh]
		lea	ecx, [ebp+var_44]
		push	eax
		push	44h
		pop	edx
		call	PopUmpoSendPowerMessage
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85C3EE:				; CODE XREF: PopUmpoSendLegacyEvent(x)+31j
		cmp	dword ptr [ebx+4], 12h
		jnz	short loc_85C3D9
		push	0
		push	5
		xor	edx, edx
		pop	ecx
		call	PfPowerActionNotify
		jmp	short loc_85C3D9
_PopUmpoSendLegacyEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEnableSystemSleepCheckpoint()
_PopEnableSystemSleepCheckpoint@0 proc near ; CODE XREF: PopIssueActionRequest+13Ap

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	_Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledDeviceUsage@0 ; Feature_SleepReliabilityDetailedDiagnostics__private_IsEnabledDeviceUsage()
		test	eax, eax
		mov	edi, offset _PopSleepCheckpointStatus
		setnz	_PopSleepReliabilityDetailedDiagEnabled
		mov	_PopCheckpointSystemSleepEnabled, ebx
		xor	eax, eax
		xchg	eax, [edi]
		cmp	_PopCheckpointSystemSleepEnabledReg, ebx
		jz	short loc_85C451

loc_85C44C:				; CODE XREF: PopEnableSystemSleepCheckpoint()+59j
		push	4
		pop	eax
		jmp	short loc_85C479
; 

loc_85C451:				; CODE XREF: PopEnableSystemSleepCheckpoint()+48j
		cmp	_PopSleepReliabilityDetailedDiagEnabled, bl
		jz	short loc_85C45D
		mov	bl, 1
		jmp	short loc_85C44C
; 

loc_85C45D:				; CODE XREF: PopEnableSystemSleepCheckpoint()+55j
		cmp	byte_6C2E34, bl
		jz	loc_85C53B
		test	byte_6D6F88, 0F0h
		jz	loc_85C53B
		xor	eax, eax
		inc	eax

loc_85C479:				; CODE XREF: PopEnableSystemSleepCheckpoint()+4Dj
		xchg	eax, [edi]
		cmp	dword_6BBFD0, 2
		jz	short loc_85C493
		mov	esi, 0C0000002h
		push	8

loc_85C48B:				; CODE XREF: PopEnableSystemSleepCheckpoint()+C9j
		pop	eax
		xchg	eax, [edi]
		jmp	loc_85C532
; 

loc_85C493:				; CODE XREF: PopEnableSystemSleepCheckpoint()+80j
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	1
		call	_NtQueryEnvironmentVariableInfoEx@16 ; NtQueryEnvironmentVariableInfoEx(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_85C4B3
		push	0Fh
		pop	ecx
		xchg	ecx, [edi]
		jmp	short loc_85C52E
; 

loc_85C4B3:				; CODE XREF: PopEnableSystemSleepCheckpoint()+A8j
		cmp	[ebp+var_C], 0
		ja	short loc_85C4CD
		jb	short loc_85C4C4
		cmp	[ebp+var_10], 400h
		ja	short loc_85C4CD

loc_85C4C4:				; CODE XREF: PopEnableSystemSleepCheckpoint()+B7j
		mov	esi, 0C0000454h
		push	9
		jmp	short loc_85C48B
; 

loc_85C4CD:				; CODE XREF: PopEnableSystemSleepCheckpoint()+B5j
					; PopEnableSystemSleepCheckpoint()+C0j
		lea	eax, [ebp+var_18]
		push	eax
		call	_KeQueryInterruptTimePrecise@4 ; KeQueryInterruptTimePrecise(x)
		xor	ecx, ecx
		mov	[ebp+var_4], edx
		mov	edi, eax
		call	_PopCheckpointSystemSleepUnsafe@4 ; PopCheckpointSystemSleepUnsafe(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_85C4F4
		push	0Fh
		pop	eax
		mov	ecx, offset _PopSleepCheckpointStatus
		xchg	eax, [ecx]
		jmp	short loc_85C52E
; 

loc_85C4F4:				; CODE XREF: PopEnableSystemSleepCheckpoint()+E4j
		lea	eax, [ebp+var_18]
		push	eax
		call	_KeQueryInterruptTimePrecise@4 ; KeQueryInterruptTimePrecise(x)
		sub	eax, edi
		sbb	edx, [ebp+var_4]
		test	bl, bl
		jz	short loc_85C522
		test	edx, edx
		jnz	short loc_85C511
		cmp	eax, 186A0h
		jbe	short loc_85C522

loc_85C511:				; CODE XREF: PopEnableSystemSleepCheckpoint()+106j
		push	0Ah
		pop	eax
		mov	ecx, offset _PopSleepCheckpointStatus
		xchg	eax, [ecx]
		mov	esi, 102h
		jmp	short loc_85C540
; 

loc_85C522:				; CODE XREF: PopEnableSystemSleepCheckpoint()+102j
					; PopEnableSystemSleepCheckpoint()+10Dj
		mov	_PopCheckpointSystemSleepEnabled, 1
		xor	esi, esi

loc_85C52E:				; CODE XREF: PopEnableSystemSleepCheckpoint()+AFj
					; PopEnableSystemSleepCheckpoint()+F0j
		test	esi, esi
		jns	short loc_85C540

loc_85C532:				; CODE XREF: PopEnableSystemSleepCheckpoint()+8Cj
		mov	ecx, esi
		call	_PopTraceSleepCheckpointInitFailure@4 ;	PopTraceSleepCheckpointInitFailure(x)
		jmp	short loc_85C540
; 

loc_85C53B:				; CODE XREF: PopEnableSystemSleepCheckpoint()+61j
					; PopEnableSystemSleepCheckpoint()+6Ej
		mov	esi, 0C0000229h

loc_85C540:				; CODE XREF: PopEnableSystemSleepCheckpoint()+11Ej
					; PopEnableSystemSleepCheckpoint()+12Ej ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PopEnableSystemSleepCheckpoint@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoUnblockConsoleSwitch(x, x)
_PoUnblockConsoleSwitch@8 proc near	; CODE XREF: PoPowerOffMonitor()+69p
					; PnprWakeDevices(x)+44p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	[ebp+var_4], edx
		lea	edx, [ebp+var_4]
		mov	dword ptr [ecx+10h], 7
		call	PopDispatchStateCallout
		leave
		retn
_PoUnblockConsoleSwitch@8 endp


;  S U B	R O U T	I N E 


; __stdcall PoStartPowerStateTasks(x)
_PoStartPowerStateTasks@4 proc near	; CODE XREF: PoPowerOffMonitor()+3Cp
					; PnprQuiesceDevices(x)+55p ...
		mov	dword ptr [ecx+10h], 1
		xor	edx, edx
		jmp	PopDispatchStateCallout
_PoStartPowerStateTasks@4 endp


;  S U B	R O U T	I N E 


; __stdcall PoEndPowerStateTasks(x)
_PoEndPowerStateTasks@4	proc near	; CODE XREF: PoPowerOffMonitor()+5Cp
					; PnprWakeDevices(x)+3Ap ...
		mov	dword ptr [ecx+10h], 8
		xor	edx, edx
		jmp	PopDispatchStateCallout
_PoEndPowerStateTasks@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoBlockConsoleSwitch proc near		; CODE XREF: PoPowerOffMonitor()+2Fp
					; PnprQuiesceDevices(x)+4Bp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00902A6D SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		or	[ebp+var_C], 0FFFFFFFFh
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], 0FFFE7960h

loc_85C594:				; CODE XREF: PoBlockConsoleSwitch+A64FCj
		call	_RtlGetActiveConsoleId@0 ; RtlGetActiveConsoleId()
		mov	[ebp+var_4], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_902A6D
		and	dword ptr [esi+10h], 0
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	PopDispatchStateCallout
		test	eax, eax
		js	loc_902A6D
		call	_RtlGetActiveConsoleId@0 ; RtlGetActiveConsoleId()
		pop	esi
		leave
		retn
PoBlockConsoleSwitch endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDispatchStateCallout	proc near	; CODE XREF: PopPrepareSleep(x,x)+1Dp
					; PoPowerOffMonitor()+51p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00902A7F SIZE 0000008C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		test	ds:dword_70EFD0, 8000h
		push	edi
		mov	edi, edx
		jnz	loc_902A7F

loc_85C5F3:				; CODE XREF: PopDispatchStateCallout+A650Aj
		mov	eax, edi
		mov	edx, esi
		neg	eax
		sbb	eax, eax
		and	eax, edi
		push	eax
		xor	eax, eax
		test	edi, edi
		setz	al
		inc	eax
		push	eax
		push	4
		pop	edi
		mov	ecx, edi
		call	PopInvokeWin32Callout
		test	ds:dword_70EFD0, 8000h
		mov	esi, eax
		jnz	loc_902AD3

loc_85C623:				; CODE XREF: PopDispatchStateCallout+A6542j
		mov	ecx, [esp+38h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
PopDispatchStateCallout	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTracePowerTransitionEnd(x)
_PopDiagTracePowerTransitionEnd@4 proc near ; CODE XREF: PopIssueActionRequest+317p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_2C], ecx
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], esi
		jz	short loc_85C6AF
		lea	eax, [ebp+var_38]
		push	eax
		call	KeQuerySystemTime
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_24], esi
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		push	offset _PopDiagActivityId
		push	offset _POP_ETW_EVENT_POWERTRANSITION_END
		push	dword_6C1D74
		mov	[ebp+var_20], 4
		push	_PopDiagHandle
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], esi
		call	_EtwWriteEndScenario@24	; EtwWriteEndScenario(x,x,x,x,x,x)

loc_85C6AF:				; CODE XREF: PopDiagTracePowerTransitionEnd(x)+25j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTracePowerTransitionEnd@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTracePerfTrackData proc near	; CODE XREF: PopIssueActionRequest+2EBp

var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= word ptr -7Ch
var_7A		= word ptr -7Ah
var_78		= word ptr -78h
var_76		= word ptr -76h
var_74		= word ptr -74h
var_72		= word ptr -72h
var_70		= dword	ptr -70h
var_6C		= word ptr -6Ch
var_6A		= word ptr -6Ah
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00902B0B SIZE 00000626 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_88], 0
		xor	eax, eax
		and	[ebp+var_84], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C0]
		mov	[ebp+var_A0], ecx
		stosd
		push	6
		pop	ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_80]
		rep stosd
		cmp	_PopDiagHandleRegistered, al
		jz	loc_85C7F7
		push	offset _POP_ETW_EVENT_TRANSITIONTIMES
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_85C7F7
		xor	ecx, ecx
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	dl, 1
		mov	ecx, eax
		call	_KeQueryCycleCounterFrequency@8	; KeQueryCycleCounterFrequency(x,x)
		mov	ecx, eax
		mov	esi, 3E8h
		mov	eax, edx
		mul	esi
		mov	edi, eax
		mov	eax, ecx
		mul	esi
		mov	ecx, offset dword_6C28A0
		add	edi, edx
		mov	ebx, eax
		mov	edx, offset dword_6C28A8
		mov	[ebp+var_A4], edi
		mov	[ebp+var_8C], ebx
		call	PopQpcTimeInMs
		mov	edx, offset dword_6C2898
		mov	[ebp+var_CC], eax
		mov	ecx, offset dword_6C2890
		call	PopQpcTimeInMs
		mov	[ebp+var_C8], eax
		mov	eax, dword_6C2888
		or	eax, dword_6C288C
		jnz	loc_902B0B
		mov	eax, dword_6C2A90
		test	eax, eax
		jz	short loc_85C7F7
		mov	esi, dword_6C28F8
		push	edi
		push	ebx
		push	dword_6C28D4
		shl	eax, 0Ch
		push	dword_6C28D0
		shr	eax, 0Ah
		mov	[ebp+var_98], eax
		mov	[ebp+var_D4], esi
		call	__aulldiv
		test	byte ptr [ebp+var_A0], 8
		mov	[ebp+var_9C], eax
		mov	eax, dword_6C2AA0
		mov	[ebp+var_90], eax
		jz	loc_902E7F
		mov	eax, _PopShutdownButtonPressTime
		or	eax, dword_6C362C
		jnz	loc_902BB4

loc_85C7F7:				; CODE XREF: PopDiagTracePerfTrackData+48j
					; PopDiagTracePerfTrackData+66j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTracePerfTrackData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceHiberStats proc near	; CODE XREF: PopIssueActionRequest+2DFp

var_4AC		= dword	ptr -4ACh
var_4A8		= dword	ptr -4A8h
var_4A4		= dword	ptr -4A4h
var_4A0		= dword	ptr -4A0h
var_49C		= dword	ptr -49Ch
var_498		= dword	ptr -498h
var_494		= dword	ptr -494h
var_490		= dword	ptr -490h
var_48C		= dword	ptr -48Ch
var_488		= dword	ptr -488h
var_484		= dword	ptr -484h
var_480		= dword	ptr -480h
var_470		= dword	ptr -470h
var_464		= dword	ptr -464h
var_180		= dword	ptr -180h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00903131 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_480]
		stosd
		lea	ecx, [ebp+var_48C]
		xor	ebx, ebx
		mov	[ebp+var_48C], ebx
		mov	[ebp+var_494], ebx
		stosd
		mov	[ebp+var_490], ebx
		stosd
		stosd
		call	_PopOpenPowerKey@4 ; PopOpenPowerKey(x)
		test	eax, eax
		js	loc_903131
		mov	edi, [ebp+var_48C]

loc_85C857:				; CODE XREF: PopDiagTraceHiberStats+A6933j
		call	_PopCaptureTimeOnProcZero@0 ; PopCaptureTimeOnProcZero()
		mov	ecx, dword_6C2994
		mov	esi, dword_6C29B4
		mov	ebx, dword_6C2990
		mov	[ebp+var_49C], ecx
		mov	ecx, dword_6C29B0
		add	ecx, dword_6C29B8
		mov	[ebp+var_4AC], ebx
		adc	esi, dword_6C29BC
		sub	eax, ecx
		mov	dword_6C2998, eax
		mov	eax, dword_6C24D4
		sbb	edx, esi
		sub	dword_6C29D0, ecx
		mov	ecx, offset dword_6C2878
		mov	dword_6C299C, edx
		mov	edx, offset dword_6C2880
		sbb	dword_6C29D4, esi
		mov	dword_6C2A9C, eax
		mov	eax, dword_6C2518
		mov	dword_6C2A98, eax
		call	PopQpcTimeInMs
		mov	edx, offset dword_6C2900
		mov	dword_6C2A48, eax
		mov	ecx, offset dword_6C2848
		call	PopQpcTimeInMs
		push	[ebp+var_49C]
		and	dword_6C28FC, 0
		lea	edx, [ebp+var_480]
		push	ebx
		mov	ecx, offset dword_6C28B8
		mov	dword_6C28F8, eax
		call	PopComputeDerivedHiberStats
		xor	esi, esi
		mov	[ebp+var_4A8], 2Fh
		lea	ecx, [ebp+var_464]
		mov	[ebp+var_4A4], esi
		mov	edx, (offset loc_A40293+1)
		mov	[ebp+var_488], ecx
		mov	[ebp+var_498], edx

loc_85C92A:				; CODE XREF: PopDiagTraceHiberStats+244j
		mov	eax, [edx]
		mov	ebx, [edx+4]
		mov	[ebp+var_484], eax
		lea	eax, [ebp+var_480]
		test	ebx, 40000000h
		jnz	short loc_85C948
		mov	eax, offset dword_6C28B8

loc_85C948:				; CODE XREF: PopDiagTraceHiberStats+13Bj
		lea	esi, [ebp+esi*8+var_180]
		test	bl, 2
		jz	loc_85CC3B
		mov	ecx, [ebp+var_484]
		mov	ecx, [ecx+eax]
		mov	[ebp+var_4A0], ecx
		mov	ecx, [ebp+var_484]
		mov	eax, [ecx+eax+4]
		mov	[ebp+var_484], eax
		mov	eax, [ebp+var_4A0]

loc_85C97D:				; CODE XREF: PopDiagTraceHiberStats+44Bj
		mov	ecx, [ebp+var_484]
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	ecx, [ebp+var_488]
		test	ebx, ebx
		jns	short loc_85C9BB
		push	[ebp+var_49C]
		push	[ebp+var_4AC]
		push	[ebp+var_484]
		push	eax
		call	__aulldiv
		mov	ecx, [ebp+var_488]
		mov	[esi+4], edx
		mov	edx, [ebp+var_498]
		mov	[esi], eax

loc_85C9BB:				; CODE XREF: PopDiagTraceHiberStats+18Aj
		and	ebx, 20h
		push	0
		pop	eax
		setnz	al
		lea	eax, ds:4[eax*4]
		mov	[ebp+var_484], eax
		test	edi, edi
		jz	short loc_85CA17
		push	dword ptr [edx-4]
		lea	eax, [ebp+var_494]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+var_484]
		neg	ebx
		lea	eax, [ebp+var_494]
		push	esi
		sbb	ebx, ebx
		and	ebx, 7
		add	ebx, 4
		push	ebx
		push	0
		push	eax
		push	edi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	eax, [ebp+var_484]
		mov	ecx, [ebp+var_488]
		mov	edx, [ebp+var_498]

loc_85CA17:				; CODE XREF: PopDiagTraceHiberStats+1CDj
		and	dword ptr [ecx-8], 0
		add	edx, 0Ch
		and	dword ptr [ecx], 0
		mov	[ecx-0Ch], esi
		mov	esi, [ebp+var_4A4]
		mov	[ecx-4], eax
		inc	esi
		add	ecx, 10h
		mov	[ebp+var_4A4], esi
		sub	[ebp+var_4A8], 1
		mov	[ebp+var_498], edx
		mov	[ebp+var_488], ecx
		jnz	loc_85C92A
		mov	esi, [ebp+var_49C]
		mov	ebx, [ebp+var_4AC]
		push	esi
		push	ebx
		push	dword_6C2A14
		push	dword_6C2A10
		call	__aulldiv
		push	esi
		push	ebx
		push	dword_6C28C4
		mov	dword_6C2A10, eax
		push	dword_6C28C0
		mov	dword_6C2A14, edx
		call	__aulldiv
		push	esi
		push	ebx
		push	dword_6C299C
		mov	dword_6C28C0, eax
		push	dword_6C2998
		mov	dword_6C28C4, edx
		call	__aulldiv
		sub	eax, dword_6C2908
		push	0
		pop	ebx
		sbb	edx, ebx
		sub	eax, dword_6C2910
		mov	dword_6C2AA0, eax
		sbb	edx, ebx
		mov	dword_6C2AA4, edx
		test	edi, edi
		jz	loc_85CBF1
		push	offset ??_C@_1CM@LNOAPIGD@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAI?$AAo?$AAC@NNGAKEGL@	; "KernelResumeIoCpuTime"
		lea	eax, [ebp+var_494]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		pop	esi
		push	esi
		push	offset dword_6C2A10
		push	esi
		push	ebx
		lea	eax, [ebp+var_494]
		push	eax
		push	edi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BO@GJIFCJPM@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAI?$AAo?$AAC?$AAp?$AAu?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@ ; "HiberIoCpuTime"
		lea	eax, [ebp+var_494]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		push	offset dword_6C28C0
		push	esi
		push	ebx
		lea	eax, [ebp+var_494]
		push	eax
		push	edi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	eax, dword_6C2A38
		or	eax, dword_6C2A3C
		jz	short loc_85CB68
		mov	edx, offset dword_6C2A40
		mov	ecx, offset dword_6C2868
		call	PopQpcTimeInMs
		add	dword_6C24B8, eax
		lea	eax, [ebp+var_494]
		push	offset ??_C@_1DA@DMELBCDN@?$AAH?$AAy?$AAb?$AAr?$AAi?$AAd?$AAB?$AAo?$AAo?$AAt?$AAA?$AAn?$AAi?$AAm?$AAa@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		push	offset dword_6C24B8
		push	esi
		push	ebx
		lea	eax, [ebp+var_494]
		push	eax
		push	edi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_85CB68:				; CODE XREF: PopDiagTraceHiberStats+325j
		mov	ebx, ds:0FFDF0004h
		mov	esi, 0FFDF0324h
		mov	[ebp+var_4A0], ebx
		mov	edx, [esi]
		lea	edi, [esi-4]
		mov	edi, [edi]
		lea	ecx, [esi+4]
		mov	eax, [ecx]
		cmp	edx, eax
		jnz	loc_90313E

loc_85CB8D:				; CODE XREF: PopDiagTraceHiberStats+A6954j
		mov	eax, edx
		mul	ebx
		push	offset ??_C@_1DA@NALLNOML@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAC?$AAo?$AAm?$AAp?$AAl?$AAe?$AAt?$AAe?$AAT@NNGAKEGL@	; "ResumeCompleteTimestamp"
		mov	ecx, eax
		mov	esi, edx
		mov	eax, edi
		mul	ebx
		shld	esi, ecx, 8
		shrd	eax, edx, 18h
		shl	ecx, 8
		shr	edx, 18h
		add	ecx, eax
		lea	eax, [ebp+var_494]
		mov	dword_6C2AA8, ecx
		adc	esi, edx
		push	eax
		mov	dword_6C2AAC, esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		push	offset dword_6C2AA8
		push	0Bh
		xor	ebx, ebx
		lea	eax, [ebp+var_494]
		push	ebx
		push	eax
		push	[ebp+var_48C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_48C]
		call	_ZwClose@4	; ZwClose(x)

loc_85CBF1:				; CODE XREF: PopDiagTraceHiberStats+2C5j
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_85CC2C
		mov	esi, dword_6C1D74
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_HIBER_STATS
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_85CC2C
		lea	eax, [ebp+var_470]
		push	eax
		push	2Fh
		push	ebx
		push	offset _POP_ETW_EVENT_HIBER_STATS
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_85CC2C:				; CODE XREF: PopDiagTraceHiberStats+3F2j
					; PopDiagTraceHiberStats+40Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_85CC3B:				; CODE XREF: PopDiagTraceHiberStats+14Cj
		mov	edx, [ebp+var_484]
		and	[ebp+var_484], 0
		mov	eax, [edx+eax]
		mov	edx, [ebp+var_498]
		jmp	loc_85C97D
PopDiagTraceHiberStats endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTracePowerTransitionTime()
_PopDiagTracePowerTransitionTime@0 proc	near ; CODE XREF: PopIssueActionRequest+2E4p

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_94], ebx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_88], ebx
		cmp	_PopDiagHandleRegistered, bl
		jz	loc_85CD97
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_TRANSITIONTIMES
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_85CD95
		lea	eax, [ebp+var_9C]
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		lea	eax, [ebp+var_94]
		push	eax
		lea	eax, [ebp+var_90]
		push	eax
		lea	edx, [ebp+var_8C]
		lea	ecx, [ebp+var_88]
		call	_PopPowerTransitionTimesInMs@24	; PopPowerTransitionTimesInMs(x,x,x,x,x,x)
		lea	eax, [ebp+var_88]
		mov	[ebp+var_80], ebx
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_98]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_84]
		push	eax
		push	8
		push	ebx
		push	offset _POP_ETW_EVENT_TRANSITIONTIMES
		push	esi
		push	edi
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_78], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], offset dword_6C2A48
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], offset dword_6C2A90
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_85CD95:				; CODE XREF: PopDiagTracePowerTransitionTime()+64j
		pop	edi
		pop	esi

loc_85CD97:				; CODE XREF: PopDiagTracePowerTransitionTime()+42j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTracePowerTransitionTime@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopComputeDerivedHiberStats proc near	; CODE XREF: PopDiagTraceHiberStats+F6p
					; PopDiagTracePerfTrackData+A65C0p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090315F SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_4]
		xor	eax, eax
		mov	[ebp+var_4], edx
		push	[ebp+arg_0]
		mov	edi, edx
		mov	ebx, ecx
		stosd
		stosd
		stosd
		stosd
		mov	esi, [ebx+1B8h]
		add	esi, [ebx+1B0h]
		mov	eax, [ebx+1BCh]
		adc	eax, [ebx+1B4h]
		push	eax
		push	esi
		call	__allmul
		mov	ecx, eax
		mov	esi, 3E8h
		mov	eax, edx
		mul	esi
		push	0
		mov	edi, eax
		mov	eax, ecx
		mul	esi
		mov	esi, [ebx+4]
		add	edi, edx
		mov	[ebp+var_8], esi
		mov	edx, [ebx]
		mov	ecx, eax
		shrd	ecx, edi, 14h
		mov	eax, edx
		shr	edi, 14h
		or	eax, esi
		mov	[ebp+arg_4], ecx
		pop	esi
		jz	loc_90315F
		push	[ebp+var_8]
		push	edx
		push	edi
		push	ecx
		call	__aulldiv
		mov	ecx, [ebp+arg_4]
		mov	edx, eax

loc_85CE24:				; CODE XREF: PopComputeDerivedHiberStats+A63BDj
		mov	eax, [ebp+var_4]
		mov	[eax], edx
		mov	eax, [ebx+24h]
		mov	edx, [ebx+20h]
		mov	[ebp+var_8], eax
		mov	eax, edx
		or	eax, [ebp+var_8]
		jz	loc_903166
		push	[ebp+var_8]
		push	edx
		push	edi
		push	ecx
		call	__aulldiv
		mov	ecx, eax

loc_85CE4A:				; CODE XREF: PopComputeDerivedHiberStats+A63C4j
		mov	eax, [ebp+var_4]
		mov	[eax+8], ecx
		mov	edx, [ebx+90h]
		mov	eax, edx
		mov	ecx, [ebx+94h]
		or	eax, ecx
		mov	[ebp+var_8], ecx
		jz	loc_90316D

loc_85CE69:				; CODE XREF: PopComputeDerivedHiberStats+A63D5j
		mov	ecx, [ebx+130h]
		mov	eax, [ebx+134h]
		add	ecx, edx
		adc	eax, [ebp+var_8]
		push	eax
		push	ecx
		push	edi
		push	[ebp+arg_4]
		call	__aulldiv
		mov	ecx, eax

loc_85CE87:				; CODE XREF: PopComputeDerivedHiberStats+A63DDj
		mov	eax, [ebp+var_4]
		mov	[eax+4], ecx
		mov	edx, [ebx+98h]
		mov	eax, edx
		mov	ecx, [ebx+9Ch]
		or	eax, ecx
		mov	[ebp+var_8], ecx
		jz	loc_903186

loc_85CEA6:				; CODE XREF: PopComputeDerivedHiberStats+A63F4j
		mov	ecx, [ebx+128h]
		mov	eax, [ebx+12Ch]
		add	ecx, edx
		adc	eax, [ebp+var_8]
		push	eax
		push	ecx
		push	edi
		push	[ebp+arg_4]
		call	__aulldiv
		mov	esi, eax

loc_85CEC4:				; CODE XREF: PopComputeDerivedHiberStats+A63EEj
		mov	eax, [ebp+var_4]
		pop	edi
		mov	[eax+0Ch], esi
		pop	esi
		pop	ebx
		leave
		retn	8
PopComputeDerivedHiberStats endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwShutdown	proc near		; CODE XREF: PopGracefulShutdown(x)+199p
					; PopIssueActionRequest+221p ...

var_BE		= byte ptr -0BEh
var_BD		= byte ptr -0BDh
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B0		= word ptr -0B0h
var_A0		= dword	ptr -0A0h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090319D SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0C4h+var_4], eax
		push	ebx
		push	esi
		mov	bl, cl
		push	edi
		mov	[esp+0D0h+var_BE], bl
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, [eax+1F0h]
		mov	[esp+0D0h+var_BC], esi
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		mov	[esp+0D0h+var_BD], al
		test	bl, bl
		jz	loc_90319D

loc_85CF17:				; CODE XREF: EtwShutdown+A62E2j
		test	al, al
		jnz	short loc_85CF20
		call	EtwpFlushCoverage

loc_85CF20:				; CODE XREF: EtwShutdown+47j
		mov	edi, 0B0h
		lea	eax, [esp+0D0h+var_B8]
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ax, [esi+8]
		add	esp, 0Ch
		dec	ax
		mov	[esp+0D0h+var_B8], edi
		mov	[esp+0D0h+var_8C], 20000h
		movzx	ebx, ax

loc_85CF4A:				; CODE XREF: EtwShutdown+8Ej
		test	bx, bx
		js	short loc_85CF90
		push	0
		movsx	edx, bx
		mov	ecx, esi
		call	EtwpAcquireLoggerContextByLoggerId
		test	eax, eax
		jnz	short loc_85CF62

loc_85CF5F:				; CODE XREF: EtwShutdown+BCj
					; EtwShutdown+A633Fj
		dec	ebx
		jmp	short loc_85CF4A
; 

loc_85CF62:				; CODE XREF: EtwShutdown+8Bj
		cmp	[esp+0D0h+var_BD], 0
		jnz	loc_9031C6
		cmp	[esp+0D0h+var_BE], 0
		jz	loc_9031B9
		test	dword ptr [eax+0Ch], 400000h
		jnz	loc_9031C6

loc_85CF85:				; CODE XREF: EtwShutdown+A62EEj
		xor	dl, dl
		mov	ecx, eax
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		jmp	short loc_85CF5F
; 

loc_85CF90:				; CODE XREF: EtwShutdown+7Bj
		cmp	[esp+0D0h+var_BE], 0
		jz	short loc_85CFAC

loc_85CF97:				; CODE XREF: EtwShutdown+E1j
		mov	ecx, [esp+0D0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_85CFAC:				; CODE XREF: EtwShutdown+C3j
		and	_EtwpStopTraceCount, 0
		jmp	short loc_85CF97
EtwShutdown	endp

; 
		align 2

;  S U B	R O U T	I N E 


EtwpFlushCoverage proc near		; CODE XREF: EtwShutdown+49p

; FUNCTION CHUNK AT 00903216 SIZE 00000014 BYTES

		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _EtwpCoverageLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, _EtwpCoverageContext
		mov	_EtwpCoverageLockOwner,	eax
		test	ecx, ecx
		jz	short loc_85CFED
		call	_EtwpCoverageFlushPending@4 ; EtwpCoverageFlushPending(x)

loc_85CFED:				; CODE XREF: EtwpFlushCoverage+30j
		and	_EtwpCoverageLockOwner,	0
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_903216

loc_85D003:				; CODE XREF: EtwpFlushCoverage+A6262j
					; EtwpFlushCoverage+A626Fj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
EtwpFlushCoverage endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopSetSleepMarker(x)
_PopSetSleepMarker@4 proc near		; CODE XREF: PAGELK:loc_71EF18p
					; PopIssueActionRequest+150p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		call	_PopGetTransitionsToOnCount@0 ;	PopGetTransitionsToOnCount()
		mov	esi, 0FFFFh
		cmp	eax, esi
		jnb	short loc_85D034
		call	_PopGetTransitionsToOnCount@0 ;	PopGetTransitionsToOnCount()
		mov	esi, eax

loc_85D034:				; CODE XREF: PopSetSleepMarker(x)+13j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, _PopSleepCheckpointStatus
		mov	dword_6C3D9C, eax
		and	cl, 0Fh
		mov	al, byte_6D4A00
		and	al, 0Fh
		shl	bl, 4
		or	al, bl
		mov	word_6D4A04, si
		mov	byte_6D4A00, al
		mov	al, byte_6D4A06
		and	al, 0F0h
		or	al, cl
		push	8
		pop	ecx
		mov	byte_6D4A06, al
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_85D0A2
		and	dword_6C3D9C, 0

loc_85D0A2:				; CODE XREF: PopSetSleepMarker(x)+81j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopSetSleepMarker@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTracePowerTransitionStart(x,	x)
_PopDiagTracePowerTransitionStart@8 proc near ;	CODE XREF: PopIssueActionRequest+123p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_40], edx
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_48], esi
		mov	[ebp+var_44], esi
		jz	short loc_85D13C
		lea	eax, [ebp+var_48]
		mov	[ebp+var_3C], ecx
		push	eax
		call	KeQuerySystemTime
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_34], esi
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_40]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	offset _PopDiagActivityId
		push	offset _POP_ETW_EVENT_POWERTRANSITION_START
		push	dword_6C1D74
		mov	[ebp+var_30], ecx
		push	_PopDiagHandle
		mov	[ebp+var_2C], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], esi
		call	EtwWriteStartScenario

loc_85D13C:				; CODE XREF: PopDiagTracePowerTransitionStart(x,x)+25j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTracePowerTransitionStart@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopReadSystemAwayModePolicy proc near	; CODE XREF: PopIssueActionRequest+3Ep

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090322A SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_28], ebx
		stosd
		mov	[ebp+var_24], ebx
		stosd
		stosd
		stosd
		cmp	dword_6B1478, ebx
		ja	loc_90322A

loc_85D182:				; CODE XREF: PopReadSystemAwayModePolicy+A60E6j
					; PopReadSystemAwayModePolicy+A60EEj
		lea	ecx, [ebp+var_1C]
		call	_PopOpenPowerKey@4 ; PopOpenPowerKey(x)
		test	eax, eax
		js	short loc_85D1CD
		cmp	byte_6C2D12, 0
		jz	short loc_85D1C5
		push	offset _PopAwayModePolicyRegName ; "AwayModeEnabled"
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_20]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_90323D

loc_85D1C5:				; CODE XREF: PopReadSystemAwayModePolicy+4Bj
					; PopReadSystemAwayModePolicy+A60F7j ...
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_85D1CD:				; CODE XREF: PopReadSystemAwayModePolicy+42j
		mov	ecx, [ebp+var_4]
		pop	edi
		mov	byte_6C2D10, bl
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopReadSystemAwayModePolicy endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1431. MmLockPreChargedPagedPool

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmLockPreChargedPagedPool(x, x)
		public _MmLockPreChargedPagedPool@8
_MmLockPreChargedPagedPool@8 proc near	; CODE XREF: MiCreatePagingFileMap(x)+69Ap
					; PopAllocateHiberContext+73p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, edx
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, [ebp+arg_4]
		and	edx, 0FFFh
		add	ecx, 0FFFh
		add	ecx, edx
		mov	edx, eax
		shr	ecx, 0Ch
		dec	ecx
		push	1
		lea	ecx, [eax+ecx*8]
		push	ecx
		xor	ecx, ecx
		call	_MiLockCode@16	; MiLockCode(x,x,x,x)
		pop	ebp
		retn	8
_MmLockPreChargedPagedPool@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetDumpStack(x, x, x, x)
_IoGetDumpStack@16 proc	near		; CODE XREF: PopAllocateHiberContext+F8p

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		call	IopLoadCrashdumpDriver
		test	eax, eax
		js	short loc_85D243
		push	0
		push	[ebp+arg_4]
		push	2
		push	esi
		push	offset ??_C@_1O@LMKGIIBC@?$AAh?$AAi?$AAb?$AAe?$AAr?$AA_@NNGAKEGL@ ; "hiber_"
		call	dword_6D4AC8

loc_85D243:				; CODE XREF: IoGetDumpStack(x,x,x,x)+10j
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
_IoGetDumpStack@16 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopGetHiberFlags()
_PopGetHiberFlags@0 proc near		; CODE XREF: PopAllocateHiberContext+10Dp
		xor	al, al
		test	dword_6C26CC, 80000000h
		jz	short loc_85D261
		cmp	dword_6C26D4, 2
		jz	short loc_85D264

loc_85D261:				; CODE XREF: PopGetHiberFlags()+Cj
					; PopGetHiberFlags()+1Cj
		or	al, 1
		retn
; 

loc_85D264:				; CODE XREF: PopGetHiberFlags()+15j
		mov	al, 2
		jmp	short loc_85D261
_PopGetHiberFlags@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopLoadResumeContext(x)
_PopLoadResumeContext@4	proc near	; CODE XREF: PopAllocateHiberContext+174p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_10], ecx
		push	edi
		push	2001Fh
		mov	edx, offset ??_C@_1CE@CKHKEBFM@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAW?$AAi?$AAn?$AAr?$AAe?$AAs?$AAu@NNGAKEGL@
		mov	[ebp+var_8], ebx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	edi, ebx
		mov	[ebp+var_4], ebx
		call	_PopOpenKey@12	; PopOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_85D389
		push	offset ??_C@_1BM@DBOPHHKE@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAC?$AAo?$AAn?$AAt?$AAe?$AAx?$AAt@NNGAKEGL@
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	ebx
		push	2
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_4]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_85D2FF
		push	78744352h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_85D390
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_8]
		lea	eax, [ebp+var_18]
		push	edi
		push	2
		push	eax
		push	[ebp+var_4]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax

loc_85D2FF:				; CODE XREF: PopLoadResumeContext(x)+64j
		test	esi, esi
		js	short loc_85D36C
		mov	ebx, [edi+8]
		add	ebx, 0FFFh
		push	78744352h
		and	ebx, 0FFFFF000h
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	short loc_85D390
		push	dword ptr [edi+8] ; size_t
		lea	eax, [edi+0Ch]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	ecx, [edi+8]
		add	esp, 0Ch
		cmp	ebx, ecx
		jbe	short loc_85D357
		mov	eax, ebx
		sub	eax, ecx
		push	eax		; size_t
		mov	eax, [ebp+var_C]
		add	eax, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_85D357:				; CODE XREF: PopLoadResumeContext(x)+D8j
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_C]
		shr	ebx, 0Ch
		mov	[ecx+9Ch], eax
		mov	[ecx+0A0h], ebx

loc_85D36C:				; CODE XREF: PopLoadResumeContext(x)+99j
					; PopLoadResumeContext(x)+12Dj
		cmp	[ebp+var_4], 0
		jz	short loc_85D37A
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_85D37A:				; CODE XREF: PopLoadResumeContext(x)+108j
		test	edi, edi
		jz	short loc_85D389
		push	78744352h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_85D389:				; CODE XREF: PopLoadResumeContext(x)+34j
					; PopLoadResumeContext(x)+114j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85D390:				; CODE XREF: PopLoadResumeContext(x)+79j
					; PopLoadResumeContext(x)+C1j
		mov	esi, 0C0000017h
		jmp	short loc_85D36C
_PopLoadResumeContext@4	endp

; 
		align 4

;  S U B	R O U T	I N E 


CmSetLazyFlushState proc near		; CODE XREF: PAGELK:0071EBFEp
					; PopUnlockAfterSleepWorker(x)+Dp

; FUNCTION CHUNK AT 00903262 SIZE 0000001F BYTES

		test	cl, cl
		jnz	short loc_85D3CC
		push	4
		pop	ecx
		call	_CmpDisableLazyFlush@4 ; CmpDisableLazyFlush(x)
		cmp	_CmpEnableLazyFlushTimerInitialized, 0
		jz	short loc_85D3BA
		mov	eax, _CmpHoldLazyFlush
		test	al, 1
		jnz	loc_903262

loc_85D3BA:				; CODE XREF: CmSetLazyFlushState+13j
					; CmSetLazyFlushState+A5ED6j ...
		mov	eax, _CmpDoIdleProcessing
		and	_CmpDoIdleProcessing, 0
		mov	_CmpPrevIdleProcessingState, eax
		retn
; 

loc_85D3CC:				; CODE XREF: CmSetLazyFlushState+2j
		cmp	_CmpEnableLazyFlushTimerInitialized, 0
		mov	eax, _CmpPrevIdleProcessingState
		mov	_CmpDoIdleProcessing, eax
		jz	short loc_85D401
		xor	ecx, ecx
		inc	ecx
		call	_CmpDisableLazyFlush@4 ; CmpDisableLazyFlush(x)
		push	0FFFFFFFFh
		push	0CA5B1700h
		push	offset _CmpEnableLazyFlushDpc
		push	0
		xor	edx, edx
		mov	ecx, offset _CmpEnableLazyFlushTimer
		call	KiSetTimerEx

loc_85D401:				; CODE XREF: CmSetLazyFlushState+45j
		push	4
		pop	ecx
		jmp	_CmpEnableLazyFlush@4 ;	CmpEnableLazyFlush(x)
CmSetLazyFlushState endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExSwapinWorkerThreads(x)
_ExSwapinWorkerThreads@4 proc near	; CODE XREF: PAGELK:0071EC0Ap
					; PopUnlockAfterSleepWorker(x)+14p ...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_30		= dword	ptr -30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		xor	esi, esi
		mov	[esp+5Ch+var_48], ecx
		lea	eax, [esp+5Ch+var_30]
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	ebx, large fs:124h
		lea	edi, [esp+64h+var_40]
		xor	eax, eax
		mov	[esp+64h+var_4C], esi
		stosd
		add	esp, 0Ch
		stosd
		push	esi
		push	1
		stosd
		stosd
		lea	eax, [esp+60h+var_40]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, offset _ExpWorkerSwapinMutex
		call	ExAcquireFastMutex
		mov	al, byte ptr [esp+58h+var_48]
		xor	ecx, ecx
		mov	_ExpWorkersCanSwap, al
		lea	eax, [esp+58h+var_44]
		mov	[esp+58h+var_44], esi
		lock or	[eax], ecx

loc_85D470:				; CODE XREF: ExSwapinWorkerThreads(x)+FFj
		call	_PsGetNextPartitionUnsafe@4 ; PsGetNextPartitionUnsafe(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_85D50E
		lea	edx, [esp+58h+var_4C]
		mov	ecx, edi
		call	_PsReferencePartitionSystemProcess@8 ; PsReferencePartitionSystemProcess(x,x)
		test	eax, eax
		js	short loc_85D507
		jmp	short loc_85D4D6
; 

loc_85D490:				; CODE XREF: ExSwapinWorkerThreads(x)+E5j
		cmp	esi, ebx
		jz	short loc_85D4F1
		lea	eax, [esp+58h+var_48]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	offset _ExpSetSwappingKernelApc@20 ; ExpSetSwappingKernelApc(x,x,x,x,x)
		push	eax
		push	esi
		lea	eax, [esp+74h+var_30]
		push	eax
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	3
		push	0
		lea	eax, [esp+60h+var_40]
		push	eax
		lea	eax, [esp+64h+var_30]
		push	eax
		call	KeInsertQueueApc
		test	al, al
		jz	short loc_85D4D6
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+68h+var_40]
		push	eax
		call	KeWaitForSingleObject

loc_85D4D6:				; CODE XREF: ExSwapinWorkerThreads(x)+84j
					; ExSwapinWorkerThreads(x)+BAj	...
		push	esi
		push	[esp+5Ch+var_4C]
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_85D4FC
		test	byte ptr [esi+300h], 1
		jz	short loc_85D4D6
		jmp	short loc_85D490
; 

loc_85D4F1:				; CODE XREF: ExSwapinWorkerThreads(x)+88j
		push	[esp+58h+var_48]
		call	_KeSetKernelStackSwapEnable@4 ;	KeSetKernelStackSwapEnable(x)
		jmp	short loc_85D4D6
; 

loc_85D4FC:				; CODE XREF: ExSwapinWorkerThreads(x)+DAj
		mov	ecx, [esp+58h+var_4C]
		call	ObfDereferenceObject
		xor	esi, esi

loc_85D507:				; CODE XREF: ExSwapinWorkerThreads(x)+82j
		mov	ecx, edi
		jmp	loc_85D470
; 

loc_85D50E:				; CODE XREF: ExSwapinWorkerThreads(x)+6Fj
		mov	ecx, offset _ExpWorkerSwapinMutex
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_ExSwapinWorkerThreads@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PsReferencePartitionSystemProcess(x, x)
_PsReferencePartitionSystemProcess@8 proc near ; CODE XREF: ExSwapinWorkerThreads(x)+7Bp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	ebx, edx
		mov	edi, ecx
		nop
		lea	esi, [edi+30h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	ecx, [edi+34h]
		cmp	ecx, ds:_MmBadPointer
		jz	short loc_85D586
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [edi+34h]
		xor	edi, edi
		mov	[ebx], eax

loc_85D558:				; CODE XREF: PsReferencePartitionSystemProcess(x,x)+6Bj
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_85D56D
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_85D56D:				; CODE XREF: PsReferencePartitionSystemProcess(x,x)+44j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_85D586:				; CODE XREF: PsReferencePartitionSystemProcess(x,x)+2Aj
		mov	edi, 0C00004A0h
		jmp	short loc_85D558
_PsReferencePartitionSystemProcess@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopClearTransitionCheckpoints()
_PopClearTransitionCheckpoints@0 proc near ; CODE XREF:	PopUnlockAfterSleepWorker(x)+3Fp
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopTransitionCheckpointLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	esi, offset _PopTransitionCheckpoints
		mov	dword_6C3CFC, eax

loc_85D5BC:				; CODE XREF: PopClearTransitionCheckpoints()+57j
		mov	eax, _PopTransitionCheckpoints
		cmp	eax, esi
		jz	short loc_85D5E7
		cmp	[eax+4], esi
		jnz	short loc_85D607
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_85D607
		push	50434B50h
		mov	_PopTransitionCheckpoints, ecx
		push	eax
		mov	[ecx+4], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_85D5BC
; 

loc_85D5E7:				; CODE XREF: PopClearTransitionCheckpoints()+35j
		cmp	dword_6C3CFC, 0
		jz	short loc_85D5F7
		and	dword_6C3CFC, 0

loc_85D5F7:				; CODE XREF: PopClearTransitionCheckpoints()+60j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
; 

loc_85D607:				; CODE XREF: PopClearTransitionCheckpoints()+3Aj
					; PopClearTransitionCheckpoints()+41j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PopClearTransitionCheckpoints@0 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall PopClearSleepMarker()
_PopClearSleepMarker@0 proc near	; CODE XREF: PopUnlockAfterSleepWorker(x)+44p
		mov	eax, large fs:124h
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		and	_PopBsdPowerTransition,	0
		and	dword_6D49FC, 0
		and	byte_6D4A00, 0Fh
		push	8
		pop	ecx
		mov	dword_6C3D9C, eax
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_85D661
		and	dword_6C3D9C, 0

loc_85D661:				; CODE XREF: PopClearSleepMarker()+4Cj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		pop	edi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopClearSleepMarker@0 endp


;  S U B	R O U T	I N E 


PopClearSystemSleepCheckpoint proc near	; CODE XREF: PopUnlockAfterSleepWorker(x)+4Bp
					; PopCheckShutdownMarker+27376p

; FUNCTION CHUNK AT 00903281 SIZE 00000031 BYTES

		mov	edi, edi
		push	esi
		xor	esi, esi
		mov	edx, esi
		cmp	_PopCheckpointSystemSleepEnabled, esi
		jnz	loc_903281
		test	cl, cl
		jnz	loc_903281

loc_85D68B:				; CODE XREF: PopClearSystemSleepCheckpoint+A5C18j
					; PopClearSystemSleepCheckpoint+A5C3Dj
		mov	_PopCheckpointSystemSleepEnabled, esi
		xor	ecx, ecx
		mov	_PopSleepCheckpoint, esi
		mov	eax, offset _PopSleepCheckpointStatus
		xchg	ecx, [eax]
		mov	eax, edx
		pop	esi
		retn
PopClearSystemSleepCheckpoint endp


;  S U B	R O U T	I N E 


; __stdcall PopClearSystemShutdownMarker()
_PopClearSystemShutdownMarker@0	proc near ; CODE XREF: PopUnlockAfterSleepWorker(x)+55p
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		and	byte_6D4A00, 0F7h
		push	8
		pop	ecx
		mov	dword_6C3D9C, eax
		mov	_PopBsdPowerTransitionExtension, 0FFh
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_85D6F2
		and	dword_6C3D9C, 0

loc_85D6F2:				; CODE XREF: PopClearSystemShutdownMarker()+45j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopClearSystemShutdownMarker@0	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFreeHiberContext proc near		; CODE XREF: PopUnlockAfterSleepWorker(x)+5Ap
					; PopAllocateHiberContext:loc_85DF36p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, dword_6C26F8
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		push	edi
		test	esi, esi
		jz	loc_85D869
		lea	eax, [ebp+var_4]
		push	eax
		push	2
		pop	edx
		call	BcdOpenStore
		test	eax, eax
		js	short loc_85D73E
		mov	ecx, [ebp+var_4]
		call	_PopBcdClearPendingResume@4 ; PopBcdClearPendingResume(x)
		mov	ecx, [ebp+var_4]
		call	BcdCloseStore

loc_85D73E:				; CODE XREF: PopFreeHiberContext+2Aj
		mov	eax, [esi+9Ch]
		test	eax, eax
		jz	short loc_85D755
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+9Ch], ebx

loc_85D755:				; CODE XREF: PopFreeHiberContext+44j
					; PopFreeHiberContext+87j
		mov	edi, [esi+58h]
		test	edi, edi
		jz	short loc_85D78B
		mov	eax, [edi]
		mov	[esi+58h], eax
		mov	eax, [edi+14h]
		shr	eax, 0Ch
		sub	[esi+60h], eax
		sbb	[esi+64h], ebx
		test	byte ptr [edi+6], 1
		jz	short loc_85D77C
		push	edi
		push	dword ptr [edi+0Ch]
		call	MmUnmapLockedPages

loc_85D77C:				; CODE XREF: PopFreeHiberContext+6Fj
		push	edi
		call	_MmFreePagesFromMdl@4 ;	MmFreePagesFromMdl(x)
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_85D755
; 

loc_85D78B:				; CODE XREF: PopFreeHiberContext+58j
		mov	[esi+98h], ebx
		lea	edi, [esi+30h]
		mov	[esi+94h], ebx

loc_85D79A:				; CODE XREF: PopFreeHiberContext+C3j
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_85D7C7
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_85D86E
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_85D86E
		push	ebx
		mov	[ecx], edx
		push	eax
		mov	[edx+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		dec	dword ptr [esi+38h]
		jmp	short loc_85D79A
; 

loc_85D7C7:				; CODE XREF: PopFreeHiberContext+9Cj
		mov	eax, [esi+74h]
		test	eax, eax
		jz	short loc_85D7E3
		cmp	_CrashdmpImageEntry, ebx
		jz	short loc_85D7E3
		mov	ecx, dword_6D4AD0
		test	ecx, ecx
		jz	short loc_85D7E3
		push	eax
		call	ecx

loc_85D7E3:				; CODE XREF: PopFreeHiberContext+CAj
					; PopFreeHiberContext+D2j ...
		mov	eax, [esi+60h]
		or	eax, [esi+64h]
		jnz	sub_9032B2
		cmp	dword ptr [esi+80h], 40000294h
		jnz	short loc_85D800
		call	_PopClearHiberFileSignature@0 ;	PopClearHiberFileSignature()

loc_85D800:				; CODE XREF: PopFreeHiberContext+F7j
		mov	[esi+1Ch], bl
		push	dword_6C24E0
		push	dword_6C24DC
		call	_MmUnlockPreChargedPagedPool@8 ; MmUnlockPreChargedPagedPool(x,x)
		mov	eax, [esi+0B8h]
		test	eax, eax
		jz	short loc_85D829
		push	72626968h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_85D829:				; CODE XREF: PopFreeHiberContext+11Aj
		mov	ecx, [esi+0C0h]
		test	ecx, ecx
		jz	short loc_85D841
		mov	edx, [esi+0A4h]
		shl	edx, 10h
		call	_MmReleaseDumpHibernateResources@8 ; MmReleaseDumpHibernateResources(x,x)

loc_85D841:				; CODE XREF: PopFreeHiberContext+12Fj
		cmp	_PopBgkResumePrepared, bl
		jz	short loc_85D854
		call	_BgkResumeFinished@0 ; BgkResumeFinished()
		mov	_PopBgkResumePrepared, bl

loc_85D854:				; CODE XREF: PopFreeHiberContext+145j
		push	138h		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword_6C26F8, ebx

loc_85D869:				; CODE XREF: PopFreeHiberContext+16j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85D86E:				; CODE XREF: PopFreeHiberContext+A3j
					; PopFreeHiberContext+AEj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PopFreeHiberContext endp


;  S U B	R O U T	I N E 


; __stdcall MmReleaseDumpHibernateResources(x, x)
_MmReleaseDumpHibernateResources@8 proc	near ; CODE XREF: PopFreeHiberContext+13Ap
					; PopEnableHiberFile(x,x)+3FAp	...
		mov	eax, edx
		and	eax, 0FFFh
		neg	eax
		sbb	eax, eax
		shr	edx, 0Ch
		neg	eax
		add	eax, edx
		push	eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	edx, eax
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		retn
_MmReleaseDumpHibernateResources@8 endp	; sp = -4

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1479. MmUnlockPreChargedPagedPool

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmUnlockPreChargedPagedPool(x, x)
		public _MmUnlockPreChargedPagedPool@8
_MmUnlockPreChargedPagedPool@8 proc near
					; CODE XREF: MiDeleteSubsectionLargePages(x,x,x)+77p
					; PopFreeHiberContext+10Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, edx
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		push	ecx
		mov	ecx, [ebp+arg_4]
		and	edx, 0FFFh
		add	ecx, 0FFFh
		add	ecx, edx
		shr	ecx, 0Ch
		dec	ecx
		lea	edx, [eax+ecx*8]
		mov	ecx, eax
		call	_MiUnlockCodePage@12 ; MiUnlockCodePage(x,x,x)
		pop	ebp
		retn	8
_MmUnlockPreChargedPagedPool@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopAdjustHiberFile(x)
_PopAdjustHiberFile@4 proc near		; CODE XREF: PopUnlockAfterSleepWorker(x)+6Dp

var_12		= dword	ptr -12h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		xor	eax, eax
		lea	edx, [esp+18h+var_12+1]
		lea	ecx, [esp+18h+var_12+2]
		mov	[esp+18h+var_8], eax
		mov	[esp+18h+var_4], eax
		mov	[esp+18h+var_12+2], eax
		mov	[esp+18h+var_C], eax
		mov	byte ptr [esp+18h+var_12+1], al
		call	_PopCalculateHiberFileSize@8 ; PopCalculateHiberFileSize(x,x)
		push	[esp+18h+var_C]
		xor	edx, edx
		lea	ecx, [esp+1Ch+var_8]
		push	[esp+1Ch+var_12+2]
		call	PopResizeHiberFile
		test	eax, eax
		js	short loc_85D921
		mov	cl, byte ptr [esp+18h+var_12+1]
		mov	byte_6C2E36, cl

loc_85D921:				; CODE XREF: PopAdjustHiberFile(x)+43j
		mov	esp, ebp
		pop	ebp
		retn
_PopAdjustHiberFile@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopHiberInitializeResources proc near	; CODE XREF: PopAllocateHiberContext+1EFp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009032DE SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ds:_KeNumberProcessors
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], eax
		test	_PopSimulate, 10000000h
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_10], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_20], esi
		jnz	loc_9032FD
		imul	eax, 70h
		mov	[ebp+var_34], eax
		lea	ebx, [eax+0FFFh]
		lea	eax, [ebp+var_10]
		and	ebx, 0FFFFF000h
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	104h
		call	_RtlGetCompressionWorkSpaceSize@12 ; RtlGetCompressionWorkSpaceSize(x,x,x)
		test	eax, eax
		js	loc_9032FD
		mov	ecx, [ebp+var_8]
		cmp	[ebp+var_10], ecx
		ja	loc_9032D3

loc_85D9A0:				; CODE XREF: sub_9032B2+27j
		mov	eax, [ebp+var_4]
		lea	edx, [ebp+var_1C]
		imul	eax, ecx
		lea	ecx, [ebp+var_2C]
		mov	[ebp+var_24], ebx
		add	ebx, eax
		call	IoGetDumpStackTransferSizes
		mov	eax, [ebp+var_1C]
		push	10h
		shr	eax, 0Ch
		pop	ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_28], ecx
		cmp	eax, ecx
		jb	loc_9032DE

loc_85D9CD:				; CODE XREF: PopHiberInitializeResources+A59BDj
		mov	ecx, 100h
		cmp	eax, ecx
		ja	loc_9032E8

loc_85D9DA:				; CODE XREF: PopHiberInitializeResources+A59C7j
		shl	eax, 0Ch
		mov	[ebp+var_18], eax
		cmp	ds:_PopHiberChecksummingEnabledReg, esi
		jz	short loc_85DA15
		add	ebx, 0FFFh
		lea	ecx, [ebp+var_50]
		and	ebx, 0FFFFF000h
		xor	edx, edx
		mov	[ebp+var_14], ebx
		call	_PopCalculateHiberFileSize@8 ; PopCalculateHiberFileSize(x,x)
		mov	ecx, [ebp+var_50]
		mov	eax, [ebp+var_4C]
		shrd	ecx, eax, 9
		mov	eax, [ebp+var_18]
		add	ecx, ecx
		mov	[ebp+var_20], ecx
		add	ebx, ecx

loc_85DA15:				; CODE XREF: PopHiberInitializeResources+C0j
		imul	ecx, [ebp+var_4], 10044h
		add	ebx, 0FFFh
		imul	eax, 11h
		and	ebx, 0FFFFF000h
		mov	[ebp+var_30], ebx
		push	72626968h
		dec	ecx
		add	ecx, eax
		mov	eax, [ebp+var_18]
		neg	eax
		and	ecx, eax
		mov	eax, [ebp+var_4]
		add	ebx, ecx
		shl	eax, 11h
		mov	[ebp+var_38], ebx
		add	ebx, eax
		push	ebx
		push	200h
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_44], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9032FD
		mov	eax, [ebp+var_4]
		shl	eax, 10h
		mov	ecx, eax
		mov	[ebp+var_40], eax
		call	_MmAllocateDumpHibernateResources@4 ; MmAllocateDumpHibernateResources(x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_9032F2
		cmp	ds:_PopHiberChecksummingEnabledReg, esi
		jz	short loc_85DAA7
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+var_14]
		push	ecx		; size_t
		add	eax, ebx
		mov	[edi+12Ch], ecx
		push	esi		; int
		push	eax		; void *
		mov	[edi+128h], eax
		call	_memset
		add	esp, 0Ch

loc_85DAA7:				; CODE XREF: PopHiberInitializeResources+160j
		push	[ebp+var_34]	; size_t
		mov	eax, [ebp+var_30]
		add	eax, ebx
		push	esi		; int
		push	ebx		; void *
		mov	[ebp+var_20], eax
		call	_memset
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		test	ecx, ecx
		jz	short loc_85DB12
		mov	edi, [ebp+var_38]
		lea	edx, [ebx+4]
		mov	eax, [ebp+var_18]
		add	edi, ebx
		mov	[ebp+var_14], eax

loc_85DAD1:				; CODE XREF: PopHiberInitializeResources+1E7j
		lea	eax, [edi+10000h]
		mov	[edx-4], edi
		mov	[edx+8], eax
		mov	eax, [ebp+var_14]
		mov	[edx], eax
		cmp	[ebp+var_8], 0
		jbe	short loc_85DAF9
		mov	eax, esi
		imul	eax, [ebp+var_8]
		add	eax, [ebp+var_24]
		add	eax, ebx
		mov	[edx+4], eax
		mov	eax, [ebp+var_14]

loc_85DAF9:				; CODE XREF: PopHiberInitializeResources+1C0j
		inc	esi
		add	eax, 10000h
		add	edi, 20000h
		mov	[ebp+var_14], eax
		add	edx, 70h
		cmp	esi, ecx
		jb	short loc_85DAD1
		mov	edi, [ebp+var_3C]

loc_85DB12:				; CODE XREF: PopHiberInitializeResources+19Bj
		push	[ebp+var_40]
		mov	edx, [ebp+var_18]
		mov	ecx, edi
		call	_MmMarkHiberRange@12 ; MmMarkHiberRange(x,x,x)
		mov	ecx, [ebp+var_24]
		mov	esi, [ebp+var_44]
		mov	eax, esi
		push	72626968h
		sub	eax, ecx
		push	eax
		lea	eax, [ecx+ebx]
		push	eax
		push	8000h
		push	edi
		call	PoSetHiberRange
		mov	eax, [ebp+var_18]
		mov	[edi+0B8h], ebx
		mov	[edi+0BCh], esi
		mov	[edi+0C0h], eax
		mov	esi, [ebp+var_4C]

loc_85DB56:				; CODE XREF: PopHiberInitializeResources+A5A0Aj
		push	72626968h
		push	3000h
		push	dword_6C2504
		push	8000h
		push	edi
		call	PoSetHiberRange
		mov	eax, [ebp+var_4]
		mov	[edi+0A4h], eax
		mov	eax, [ebp+var_20]
		mov	[edi+0ACh], eax
		mov	eax, [ebp+var_28]
		mov	[edi+0B4h], eax
		mov	eax, [ebp+var_C]
		mov	[edi+0A8h], ebx
		mov	[edi+0B0h], esi
		mov	[edi+110h], eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopHiberInitializeResources endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmMarkHiberRange(x,	x, x)
_MmMarkHiberRange@12 proc near		; CODE XREF: PopHiberInitializeResources+1F4p
					; PopAllocateHiberContext+22Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	ecx, edx
		push	edi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, [ebp+arg_0]
		mov	edi, eax
		push	20657450h
		lea	ecx, [edx+ecx]
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		sub	eax, edi
		push	eax
		push	edi
		push	2
		push	ebx
		call	PoSetHiberRange
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MmMarkHiberRange@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopAllocateHiberContext	proc near	; CODE XREF: PAGELK:0071EFABp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00903335 SIZE 000001C4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	ebx, ebx
		xor	eax, eax
		cmp	dword_6C26E8, 5
		push	esi
		push	edi
		mov	[ebp+var_C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	word ptr [ebp+var_4], ax
		jnz	loc_85DF32
		xor	ecx, ecx
		mov	[ebp+var_8], ebx
		call	_MmGetHighestPhysicalPage@4 ; MmGetHighestPhysicalPage(x)
		mov	edi, dword_6C24D8
		add	eax, 20h
		shr	eax, 3
		add	eax, 0FFCh
		mov	dword_6C26F8, edi
		push	138h		; size_t
		shr	eax, 0Ch
		add	eax, _PopHiberLoaderScratchPages
		push	ebx		; int
		push	edi		; void *
		mov	_PopHiberScratchPages, eax
		call	_memset
		add	esp, 0Ch
		push	dword_6C24E0
		push	dword_6C24DC
		call	_MmLockPreChargedPagedPool@8 ; MmLockPreChargedPagedPool(x,x)
		mov	eax, dword_6C24EC
		lea	ecx, [edi+20h]
		mov	[edi+28h], eax
		mov	eax, dword_6C24F0
		mov	[edi+2Ch], eax
		mov	eax, dword_6C24E4
		mov	[edi+88h], eax
		mov	eax, dword_6C250C
		mov	[edi+0C8h], eax
		mov	eax, dword_6C24FC
		mov	[edi+90h], eax
		mov	eax, dword_6C2514
		mov	[edi+94h], eax
		mov	eax, dword_6C2510
		mov	[edi+98h], eax
		mov	eax, dword_6C24F4
		mov	[ecx], eax
		mov	eax, dword_6C24F8
		mov	[ecx+4], eax
		lea	eax, [edi+30h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	_PopNumberOfPagesForHibernateProcess, ebx
		cmp	dword_6C24A4, ebx
		jz	loc_903335
		mov	eax, _PopSimulate
		lea	edx, [edi+74h]
		and	eax, 10h
		push	eax
		push	ecx
		call	_IoGetDumpStack@16 ; IoGetDumpStack(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_903350
		mov	eax, [edi+74h]
		mov	[ebp+var_10], eax
		call	_PopGetHiberFlags@0 ; PopGetHiberFlags()
		mov	esi, [edi+90h]
		mov	[edi+1], al
		mov	edx, dword_6C24E8
		mov	ecx, edx
		and	ecx, 0FFFh
		and	[esi], ebx
		mov	ebx, 0FFFFF000h
		and	edx, ebx
		mov	[esi+18h], ecx
		mov	[esi+10h], edx
		lea	eax, [ecx+18FFFh]
		mov	dword ptr [esi+14h], 18000h
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[esi+4], ax
		xor	eax, eax
		mov	[esi+6], ax
		push	dword ptr [edi+90h]
		call	MmBuildMdlForNonPagedPool
		mov	esi, [edi+94h]
		test	esi, esi
		jnz	loc_903367

loc_85DD4E:				; CODE XREF: PopAllocateHiberContext+A57D0j
		mov	ecx, edi
		call	_PopLoadResumeContext@4	; PopLoadResumeContext(x)
		mov	esi, eax
		test	esi, esi
		js	loc_9033B1
		lea	ecx, [ebp+var_C]
		call	_PopBcdOpen@4	; PopBcdOpen(x)
		mov	esi, eax
		test	esi, esi
		js	loc_9033B5
		mov	ebx, [ebp+var_C]
		lea	edx, [ebp+var_8]
		mov	ecx, ebx
		call	PopBcdEstablishResumeObject
		mov	esi, eax
		test	esi, esi
		js	loc_9033B9
		push	[ebp+var_8]
		push	ecx
		mov	ecx, ebx
		call	PopBcdSetPendingResume
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		call	_BcdCloseObject@4 ; BcdCloseObject(x)
		mov	ecx, ebx
		test	esi, esi
		js	loc_9033C4
		call	BcdForciblyUnloadStore
		lea	eax, [edi+20h]
		push	eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		lea	eax, [edi+28h]
		push	eax
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		call	PopGetHwConfigurationSignature
		mov	ecx, edi
		mov	[edi+130h], eax
		call	PopHiberInitializeResources
		lea	ecx, [ebp+var_18]
		call	PopGetBitlockerKeyLocation
		test	eax, eax
		jns	loc_9033CD

loc_85DDE0:				; CODE XREF: PopAllocateHiberContext+A580Bj
		cmp	_KdPitchDebugger, 0
		jz	loc_9033EC
		cmp	_KdEventLoggingEnabled,	0
		jnz	loc_9033EC

loc_85DDFA:				; CODE XREF: PopAllocateHiberContext+A5835j
		mov	edx, dword_6C24BC
		mov	ecx, edi
		push	13000h
		call	_MmMarkHiberRange@12 ; MmMarkHiberRange(x,x,x)
		push	edi
		call	off_6B121C	; xHalLocateHiberRanges(x)
		mov	eax, _PopHiberScratchPages
		lea	eax, ds:0FFFh[eax*4]
		shr	eax, 0Ch
		cmp	dword ptr [edi+9Ch], 0
		mov	edx, eax
		mov	[edi+6Ch], eax
		jz	short loc_85DE3E
		mov	ecx, [edi+0A0h]
		cmp	ecx, eax
		ja	loc_903416

loc_85DE3E:				; CODE XREF: PopAllocateHiberContext+252j
					; PopAllocateHiberContext+A583Fj
		mov	ecx, edx
		call	PopAllocatePages
		mov	esi, [edi+80h]
		mov	[edi+68h], eax
		test	esi, esi
		js	loc_903420
		mov	eax, [edi+74h]
		cmp	byte ptr [eax+0CCh], 0
		jnz	loc_903427
		push	10h
		pop	ecx
		call	PopAllocatePages
		mov	ebx, [ebp+var_10]
		mov	[ebx+8], eax
		test	eax, eax
		jz	loc_903354
		push	6D656D44h
		push	0E000h
		add	eax, 2000h
		push	eax
		push	8000h
		push	edi
		call	PoSetHiberRange
		test	dword ptr [ebx+4Ch], 0FFFh
		jnz	loc_9034B7
		push	2
		pop	ecx
		lea	esi, [ebx+0Ch]
		mov	[ebp+var_10], ecx

loc_85DEAD:				; CODE XREF: PopAllocateHiberContext+2F7j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_85DECA
		push	66756263h
		push	dword ptr [ebx+4Ch]
		push	eax
		push	8000h
		push	edi
		call	PoSetHiberRange
		mov	ecx, [ebp+var_10]

loc_85DECA:				; CODE XREF: PopAllocateHiberContext+2D5j
		add	esi, 4
		sub	ecx, 1
		mov	[ebp+var_10], ecx
		jnz	short loc_85DEAD

loc_85DED5:				; CODE XREF: PopAllocateHiberContext+A58ADj
		mov	ecx, edi
		call	_PopGenerateUnHibernatedMdl@8 ;	PopGenerateUnHibernatedMdl(x,x)
		mov	[edi+54h], eax
		test	eax, eax
		jz	loc_90333E
		push	0
		push	2
		lea	eax, [ebp+var_4]
		push	eax
		push	91h
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_85DF06
		mov	al, byte ptr [ebp+var_4]
		mov	[edi+134h], al

loc_85DF06:				; CODE XREF: PopAllocateHiberContext+31Fj
		mov	ecx, edi
		call	BgkResumePrepare
		test	eax, eax
		js	short loc_85DF18
		mov	_PopBgkResumePrepared, 1

loc_85DF18:				; CODE XREF: PopAllocateHiberContext+333j
		mov	eax, [edi+0A4h]
		dec	eax
		xor	esi, esi
		mov	[edi+84h], eax

loc_85DF27:				; CODE XREF: PopAllocateHiberContext+A5786j
		test	esi, esi
		js	short loc_85DF36

loc_85DF2B:				; CODE XREF: PopAllocateHiberContext+358j
					; PopAllocateHiberContext+35Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85DF32:				; CODE XREF: PopAllocateHiberContext+23j
		mov	esi, ebx
		jmp	short loc_85DF2B
; 

loc_85DF36:				; CODE XREF: PopAllocateHiberContext+34Dj
					; PopAllocateHiberContext+A576Fj
		call	PopFreeHiberContext
		jmp	short loc_85DF2B
PopAllocateHiberContext	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiUpdateMirrorBitmaps()
_MiUpdateMirrorBitmaps@0 proc near	; CODE XREF: MmDuplicateMemory(x)+12Bp
					; MiInitializeMirroring+29712p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, offset dword_6D305C
		xor	esi, esi

loc_85DF49:				; CODE XREF: MiUpdateMirrorBitmaps()+21j
		xor	edx, edx
		mov	ecx, edi
		call	_MiActOnMirrorBitmap@8 ; MiActOnMirrorBitmap(x,x)
		test	eax, eax
		jz	short loc_85DF67
		add	esi, 8
		add	edi, 8
		cmp	esi, 10h
		jb	short loc_85DF49
		xor	eax, eax
		inc	eax

loc_85DF64:				; CODE XREF: MiUpdateMirrorBitmaps()+2Bj
		pop	edi
		pop	esi
		retn
; 

loc_85DF67:				; CODE XREF: MiUpdateMirrorBitmaps()+16j
		xor	eax, eax
		jmp	short loc_85DF64
_MiUpdateMirrorBitmaps@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiActOnMirrorBitmap(x, x)
_MiActOnMirrorBitmap@8 proc near	; CODE XREF: MmDuplicateMemory(x)+146p
					; MmDuplicateMemory(x)+204p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ds:_MmPhysicalMemoryBlock
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], edx
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		inc	esi
		mov	[ebp+var_C], eax
		cmp	[eax], ebx
		jbe	short loc_85DFBC
		push	edi
		lea	edi, [eax+8]

loc_85DF91:				; CODE XREF: MiActOnMirrorBitmap(x,x)+4Dj
		mov	eax, [edi+4]
		mov	ecx, [edi]
		test	edx, edx
		jz	short loc_85DFC2
		cmp	edx, esi
		jz	short loc_85DFD5
		cmp	edx, 2
		jnz	short loc_85DFB0
		push	eax
		push	ecx
		push	[ebp+var_4]
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)

loc_85DFAD:				; CODE XREF: MiActOnMirrorBitmap(x,x)+63j
					; MiActOnMirrorBitmap(x,x)+73j
		mov	edx, [ebp+var_8]

loc_85DFB0:				; CODE XREF: MiActOnMirrorBitmap(x,x)+35j
		mov	eax, [ebp+var_C]
		inc	ebx
		add	edi, 8
		cmp	ebx, [eax]
		jb	short loc_85DF91

loc_85DFBB:				; CODE XREF: MiActOnMirrorBitmap(x,x)+67j
		pop	edi

loc_85DFBC:				; CODE XREF: MiActOnMirrorBitmap(x,x)+1Fj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85DFC2:				; CODE XREF: MiActOnMirrorBitmap(x,x)+2Cj
		mov	edx, ecx
		mov	ecx, [ebp+var_4]
		push	eax
		call	_MiSplitMirrorBitMap@12	; MiSplitMirrorBitMap(x,x,x)
		test	eax, eax
		jnz	short loc_85DFAD
		xor	esi, esi
		jmp	short loc_85DFBB
; 

loc_85DFD5:				; CODE XREF: MiActOnMirrorBitmap(x,x)+30j
		push	eax
		push	ecx
		push	[ebp+var_4]
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		jmp	short loc_85DFAD
_MiActOnMirrorBitmap@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSplitMirrorBitMap(x, x, x)
_MiSplitMirrorBitMap@12	proc near	; CODE XREF: MiActOnMirrorBitmap(x,x)+5Cp
					; MiAddPhysicalMemory(x,x,x,x,x)+2E4p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_85E01C
		add	edi, [ebp+arg_0]
		shr	edx, 3
		add	edx, ecx
		lea	eax, [edi+7]
		shr	eax, 3
		sub	eax, edx
		add	eax, ecx
		shl	eax, 3
		push	eax
		push	9
		pop	ecx
		call	MiSplitBitmapPages
		test	eax, eax
		jz	short loc_85E025
		cmp	edi, [esi]
		jbe	short loc_85E01C
		mov	[esi], edi

loc_85E01C:				; CODE XREF: MiSplitMirrorBitMap(x,x,x)+10j
					; MiSplitMirrorBitMap(x,x,x)+36j
		xor	eax, eax
		inc	eax

loc_85E01F:				; CODE XREF: MiSplitMirrorBitMap(x,x,x)+45j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_85E025:				; CODE XREF: MiSplitMirrorBitMap(x,x,x)+32j
		xor	eax, eax
		jmp	short loc_85E01F
_MiSplitMirrorBitMap@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEnlargeHiberFile(x)
_PopEnlargeHiberFile@4 proc near	; CODE XREF: PopTransitionToSleep+44p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], eax
		lea	edx, [ebp+var_14]
		mov	[ebp+var_8], eax
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	eax, dword_6C24A8
		mov	dword_6C2FE8, eax
		mov	eax, dword_6C24AC
		mov	dword_6C2FEC, eax
		mov	eax, dword_6D3018
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax]
		xor	edi, edi
		mov	esi, [eax+0F48h]
		shld	edi, esi, 0Ch
		push	edi
		shl	esi, 0Ch
		push	esi
		call	PopResizeHiberFile
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_85E0E0
		cmp	[ebp+var_4], 0
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		mov	dword_6C2FF8, eax
		mov	eax, [ebp+var_8]
		mov	dword_6C2FFC, eax
		mov	eax, [ebp+var_14]
		mov	dword_6C2FF0, esi
		mov	dword_6C2FF4, edi
		mov	dword_6C3000, eax
		mov	dword_6C3004, ecx
		jz	short loc_85E0E0
		push	64h
		pop	ecx
		mov	eax, edi
		mul	ecx
		push	64h
		pop	edx
		push	[ebp+var_8]
		mov	ecx, eax
		mov	eax, esi
		push	[ebp+var_C]
		mul	edx
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	ecx, [ebp+var_4]
		cmp	eax, 28h
		setb	al
		mov	[ecx], al

loc_85E0E0:				; CODE XREF: PopEnlargeHiberFile(x)+57j
					; PopEnlargeHiberFile(x)+8Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_PopEnlargeHiberFile@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopResizeHiberFile proc	near		; CODE XREF: PopAdjustHiberFile(x)+3Cp
					; PopEnlargeHiberFile(x)+4Ep

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009034F9 SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		mov	ebx, ecx
		xor	ecx, ecx
		push	esi
		push	edi
		mov	[esp+40h+var_20], ecx
		mov	[esp+40h+var_1C], ecx
		mov	[esp+40h+var_18], ecx
		mov	[esp+40h+var_14], ecx
		mov	[esp+40h+var_2C], ecx
		mov	[esp+40h+var_30], ecx
		cmp	dword_6C24A4, ecx
		jz	loc_9034EF
		mov	edi, [ebp+arg_0]
		mov	esi, [ebp+arg_4]
		cmp	dword_6C24A8, edi
		jnz	short loc_85E138
		cmp	dword_6C24AC, esi
		jz	loc_85E233

loc_85E138:				; CODE XREF: PopResizeHiberFile+42j
		push	esi
		push	edi
		lea	ecx, [esp+48h+var_18]
		call	PopValidateHiberFileSize
		test	eax, eax
		js	loc_9034F9

loc_85E14B:				; CODE XREF: PopResizeHiberFile+A5419j
		mov	[esp+40h+var_24], esi
		mov	[esp+40h+var_28], edi
		test	esi, esi
		jg	short loc_85E165
		jl	loc_9034EF
		test	edi, edi
		jz	loc_9034EF

loc_85E165:				; CODE XREF: PopResizeHiberFile+6Dj
		push	13h
		push	8
		lea	eax, [esp+48h+var_10]
		mov	[esp+48h+var_10], edi
		push	eax
		lea	eax, [esp+4Ch+var_20]
		mov	[esp+4Ch+var_C], esi
		push	eax
		push	_PopHiberInfo
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		mov	ecx, eax
		mov	edi, 103h
		xor	esi, esi
		cmp	ecx, edi
		jz	loc_903506

loc_85E197:				; CODE XREF: PopResizeHiberFile+A5434j
		test	ecx, ecx
		js	loc_85E233
		mov	eax, [esp+40h+var_28]
		mov	[esp+40h+var_8], eax
		mov	eax, [esp+40h+var_24]
		push	14h
		mov	[esp+44h+var_4], eax
		lea	eax, [esp+44h+var_8]
		push	8
		push	eax
		lea	eax, [esp+4Ch+var_20]
		push	eax
		push	_PopHiberInfo
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		mov	ecx, eax
		cmp	ecx, edi
		jz	loc_903521

loc_85E1D2:				; CODE XREF: PopResizeHiberFile+A544Fj
		test	ecx, ecx
		js	short loc_85E233
		mov	edx, dword_6C24A4
		lea	eax, [esp+40h+var_30]
		mov	ecx, _PopHiberInfo
		push	eax
		lea	eax, [esp+44h+var_2C]
		push	eax
		lea	eax, [esp+48h+var_28]
		push	eax
		call	PopSanityCheckHiberFile
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_85E233
		mov	edx, [esp+40h+var_30]
		mov	ecx, [esp+40h+var_2C]
		call	_PopSetHiberFileMcb@8 ;	PopSetHiberFileMcb(x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_85E233
		mov	eax, [esp+40h+var_28]
		mov	ecx, dword_6C24A4
		mov	dword_6C24A8, eax
		mov	eax, [esp+40h+var_24]
		push	offset _FILE_TYPE_NOTIFICATION_GUID_HIBERNATION_FILE
		mov	dword_6C24AC, eax
		call	FsRtlIssueFileNotificationFsctl
		mov	ecx, esi

loc_85E233:				; CODE XREF: PopResizeHiberFile+4Aj
					; PopResizeHiberFile+B1j ...
		mov	eax, dword_6C24A8
		mov	[ebx], eax
		mov	eax, dword_6C24AC
		pop	edi
		mov	[ebx+4], eax
		mov	eax, ecx
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
PopResizeHiberFile endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopValidateHiberFileSize proc near	; CODE XREF: PopResizeHiberFile+56p
					; PopSetHiberFileSize(x,x)+51p	...

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090353C SIZE 0000000B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_60], ecx
		lea	edi, [ebp+var_28]
		push	8
		pop	ecx
		xor	eax, eax
		xor	esi, esi
		mov	ebx, edx
		mov	[ebp+var_5C], esi
		rep stosd
		lea	edi, [ebp+var_40]
		mov	[ebp+var_58], esi
		push	6
		pop	ecx
		rep stosd
		mov	[ebp+var_44], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_54], esi
		cmp	dword_6C24A4, eax
		jz	loc_90353C
		push	5
		push	18h
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	_PopHiberInfo
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_85E3A4
		mov	eax, [ebp+var_40]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_4C], eax

loc_85E2C4:				; CODE XREF: PopValidateHiberFileSize+A52F4j
		push	20h
		push	3
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_78], 18h
		push	eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_74], esi
		push	eax
		push	0C0000000h
		lea	eax, [ebp+var_44]
		mov	[ebp+var_6C], 240h
		push	eax
		mov	[ebp+var_70], offset _PoHiberFileRoot
		mov	[ebp+var_68], esi
		mov	[ebp+var_64], esi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_85E3A4
		push	7
		push	20h
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	[ebp+var_44]
		call	_ZwQueryVolumeInformationFile@20 ; ZwQueryVolumeInformationFile(x,x,x,x,x)
		push	[ebp+var_44]
		mov	edi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	edi, edi
		js	short loc_85E3A4
		push	[ebp+var_14]
		mov	eax, [ebp+var_10]
		imul	eax, [ebp+var_C]
		push	[ebp+var_18]
		push	esi
		push	eax
		call	__allmul
		mov	edi, [ebp+arg_0]
		mov	ecx, eax
		sub	ecx, 10000000h
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_4]
		sbb	edx, esi
		sub	edi, [ebp+var_48]
		sbb	eax, [ebp+var_4C]
		cmp	edx, eax
		jg	short loc_85E362
		jl	short loc_85E3A8
		cmp	ecx, edi
		jb	short loc_85E3A8

loc_85E362:				; CODE XREF: PopValidateHiberFileSize+10Cj
		mov	edi, esi

loc_85E364:				; CODE XREF: PopValidateHiberFileSize+15Fj
		cmp	edx, esi
		jg	short loc_85E36E
		jl	short loc_85E3AF
		cmp	ecx, esi
		jbe	short loc_85E3AF

loc_85E36E:				; CODE XREF: PopValidateHiberFileSize+118j
		mov	esi, edx

loc_85E370:				; CODE XREF: PopValidateHiberFileSize+163j
		add	ecx, [ebp+var_48]
		adc	esi, [ebp+var_4C]

loc_85E376:				; CODE XREF: PopValidateHiberFileSize+158j
		mov	eax, [ebp+var_60]
		test	eax, eax
		jz	short loc_85E382
		mov	[eax], ecx
		mov	[eax+4], esi

loc_85E382:				; CODE XREF: PopValidateHiberFileSize+12Dj
		test	ebx, ebx
		jz	short loc_85E391
		mov	eax, [ebp+var_50]
		mov	[ebx], eax
		mov	eax, [ebp+var_54]
		mov	[ebx+4], eax

loc_85E391:				; CODE XREF: PopValidateHiberFileSize+136j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_85E3A4:				; CODE XREF: PopValidateHiberFileSize+64j
					; PopValidateHiberFileSize+B2j	...
		mov	ecx, esi
		jmp	short loc_85E376
; 

loc_85E3A8:				; CODE XREF: PopValidateHiberFileSize+10Ej
					; PopValidateHiberFileSize+112j
		mov	edi, 0C0000001h
		jmp	short loc_85E364
; 

loc_85E3AF:				; CODE XREF: PopValidateHiberFileSize+11Aj
					; PopValidateHiberFileSize+11Ej
		mov	ecx, esi
		jmp	short loc_85E370
PopValidateHiberFileSize endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopBcdSetPendingResume proc near	; CODE XREF: PopAllocateHiberContext+1B2p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00903547 SIZE 00000009 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_1C], 0
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	[ebp+var_20], ecx
		stosd
		push	ecx
		mov	ecx, ebx
		stosd
		stosd
		stosd
		call	PopBcdSetupResumeObject
		mov	esi, eax
		test	esi, esi
		js	loc_85E4B6
		xor	eax, eax
		mov	word ptr [ebp+var_18], ax
		cmp	_KdDebuggerEnabled, al
		jnz	loc_903547

loc_85E400:				; CODE XREF: PopBcdSetPendingResume+A5197j
		push	2
		lea	eax, [ebp+var_18]
		mov	edx, 26000006h
		push	eax
		push	ecx
		mov	ecx, ebx
		call	BcdSetElementDataWithFlags
		lea	eax, [ebp+var_14]
		xor	edx, edx
		push	eax
		push	0
		mov	ecx, ebx
		call	_BcdQueryObject@16 ; BcdQueryObject(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_85E4B6
		mov	ecx, [ebp+var_20]
		lea	eax, [ebp+var_1C]
		push	eax
		mov	edx, offset _GUID_WINDOWS_BOOTMGR
		call	BcdOpenObject
		mov	edi, [ebp+var_1C]
		mov	esi, eax
		test	esi, esi
		js	short loc_85E4AB
		push	10h
		lea	eax, [ebp+var_14]
		mov	edx, 23000006h
		push	eax
		push	ecx
		mov	ecx, edi
		call	BcdSetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	short loc_85E4AB
		xor	eax, eax
		mov	edx, 26000005h
		mov	word ptr [ebp+var_18], ax
		lea	eax, [ebp+var_18]
		push	2
		push	eax
		push	ecx
		mov	ecx, edi
		mov	byte ptr [ebp+var_18], 1
		call	BcdSetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	short loc_85E4AB
		xor	eax, eax
		mov	edx, 26000025h
		mov	word ptr [ebp+var_18], ax
		mov	al, byte_6C24D0
		mov	byte ptr [ebp+var_18], al
		lea	eax, [ebp+var_18]
		push	2
		push	eax
		push	ecx
		mov	ecx, edi
		call	BcdSetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	short loc_85E4AB
		xor	esi, esi

loc_85E4AB:				; CODE XREF: PopBcdSetPendingResume+90j
					; PopBcdSetPendingResume+A9j ...
		test	edi, edi
		jz	short loc_85E4B6
		mov	ecx, edi
		call	_BcdCloseObject@4 ; BcdCloseObject(x)

loc_85E4B6:				; CODE XREF: PopBcdSetPendingResume+34j
					; PopBcdSetPendingResume+72j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
PopBcdSetPendingResume endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PoClearBroadcast()
_PoClearBroadcast@0 proc near		; CODE XREF: PAGELK:0071EC60p
					; PAGELK:loc_71F29Cp ...
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, dword_6C231C
		push	edi
		test	esi, esi
		jz	short loc_85E504
		call	PopResumeDeviceIdle
		xor	eax, eax
		lea	ecx, [esi+1Ch]
		mov	edi, offset _PopCurrentBroadcast
		stosd
		stosd
		stosd
		stosd
		call	_IoFreePoDeviceNotifyList@4 ; IoFreePoDeviceNotifyList(x)
		push	2
		pop	ecx
		call	PpmEndHighPerfRequest
		push	73734450h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_85E504:				; CODE XREF: PoClearBroadcast()+Dj
		pop	edi
		pop	esi
		pop	ecx
		retn
_PoClearBroadcast@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoInitializeBroadcast proc near		; CODE XREF: PAGELK:0071EC11p
					; PnprQuiesceDevices(x)+BFp ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009055FC SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	73734450h
		mov	edi, 108h
		mov	[ebp+var_4], ecx
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9055FC
		push	edi		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	esi		; void *
		call	_memset
		mov	eax, large fs:124h
		lea	ecx, [esi+38h]
		add	esp, 0Ch
		mov	[esi+0Ch], eax
		lea	eax, [esi+0F0h]
		mov	[eax+4], eax
		mov	[eax], eax
		push	5
		pop	edx

loc_85E55A:				; CODE XREF: PoInitializeBroadcast+77j
		lea	eax, [ecx-0Ch]
		mov	[ecx-8], eax
		mov	[eax], eax
		lea	eax, [ecx-4]
		mov	[ecx], eax
		mov	[eax], eax
		lea	eax, [ecx+4]
		mov	[ecx+8], eax
		mov	[eax], eax
		lea	eax, [ecx+0Ch]
		mov	[ecx+10h], eax
		lea	ecx, [ecx+28h]
		mov	[eax], eax
		sub	edx, 1
		jnz	short loc_85E55A
		call	_PpmBeginHighPerfRequest@0 ; PpmBeginHighPerfRequest()
		xor	eax, eax
		lea	ecx, [esi+1Ch]
		mov	edi, offset _PopCurrentBroadcast
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_4]
		and	al, 1
		mov	dword_6C231C, esi
		movzx	edx, al
		neg	edx
		sbb	edx, edx
		and	edx, 3
		call	PopBuildDeviceNotifyList
		call	PopHaltDeviceIdle

loc_85E5B3:				; CODE XREF: PoInitializeBroadcast+A70F9j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
PoInitializeBroadcast endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiDereferenceSessionFinal proc near	; CODE XREF: MiDereferenceSession():loc_7D65A0p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00905606 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [ebp+var_1C]
		rep stosd
		mov	edi, [ebx+80h]
		mov	esi, [edi+180h]
		mov	ecx, esi
		call	MiMarkSessionDeletePending
		cmp	dword ptr [esi+30h], 0
		jz	short loc_85E605
		push	0
		push	1
		push	dword ptr [esi+2Ch]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	0
		push	dword ptr [esi+30h]
		call	ObCloseHandle

loc_85E605:				; CODE XREF: MiDereferenceSessionFinal+33j
		mov	eax, [esi+1DCh]
		cmp	eax, 1
		jbe	short loc_85E614
		push	0
		call	eax

loc_85E614:				; CODE XREF: MiDereferenceSessionFinal+54j
		call	_MiSessionUnloadAllImages@0 ; MiSessionUnloadAllImages()
		mov	ecx, esi
		call	MiUnlinkSessionWorkingSet
		mov	eax, [esi+8]
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ecx
		xor	ecx, ecx
		lea	edx, [ebp+var_4]
		inc	ecx
		call	_ExpWnfDeleteScopeById@12 ; ExpWnfDeleteScopeById(x,x,x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		call	MiFreeSessionSpaceMap
		mov	eax, [esi+4]
		test	al, 1
		jz	short loc_85E665
		call	_ExCleanupSessionHeapManager@0 ; ExCleanupSessionHeapManager()
		or	dword ptr [esi+4], 100h
		call	_MiCheckSessionPoolAllocations@0 ; MiCheckSessionPoolAllocations()
		mov	eax, [esi+4]

loc_85E665:				; CODE XREF: MiDereferenceSessionFinal+95j
		and	eax, 180h
		cmp	eax, 80h
		jnz	short loc_85E676
		call	_ExCleanupSessionHeapManager@0 ; ExCleanupSessionHeapManager()

loc_85E676:				; CODE XREF: MiDereferenceSessionFinal+B5j
		dec	word ptr [ebx+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6D05C8
		call	ExAcquirePushLockExclusiveEx
		or	dword ptr [esi+4], 20h
		or	eax, 0FFFFFFFFh
		mov	ecx, offset dword_6D05C8
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_85E6AA
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset dword_6D05C8

loc_85E6AA:				; CODE XREF: MiDereferenceSessionFinal+E4j
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		xor	ebx, ebx
		cmp	[edi+120h], ebx
		jz	short loc_85E6CD
		mov	edx, edi
		call	MiSessionUnlinkProcess
		mov	[edi+120h], ebx

loc_85E6CD:				; CODE XREF: MiDereferenceSessionFinal+104j
		lea	edx, [ebp+var_1C]
		mov	ecx, esi
		call	_MiDeleteSessionAddressSpace@8 ; MiDeleteSessionAddressSpace(x,x)
		xor	ecx, ecx
		call	MiDetachProcessFromSession
		mov	edx, [ebp+var_10]
		mov	edi, offset _MiSystemPartition
		sub	edx, [ebp+var_18]
		mov	ecx, edi
		call	MiReturnCommit
		mov	edx, [ebp+var_1C]
		mov	ecx, edi
		call	_MiReturnResident@8 ; MiReturnResident(x,x)
		mov	edx, [esi+0FCh]
		mov	ecx, edi
		call	_MiReturnResident@8 ; MiReturnResident(x,x)
		mov	ecx, [esi+2450h]
		test	ecx, ecx
		jnz	loc_905606

loc_85E715:				; CODE XREF: MiDereferenceSessionFinal+A7056j
		pop	edi
		mov	[esi+2450h], ebx
		pop	esi
		pop	ebx
		leave
		retn
MiDereferenceSessionFinal endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckSessionPoolAllocations()
_MiCheckSessionPoolAllocations@0 proc near ; CODE XREF:	MiDereferenceSessionFinal+A3p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, dword_6D05D4
		add	eax, 3000h
		push	ebx
		mov	[ebp+var_14], eax
		xor	ebx, ebx
		mov	eax, 155h
		bsr	ecx, eax
		push	esi
		jz	short loc_85E748
		xor	eax, eax
		inc	eax
		shl	eax, cl

loc_85E748:				; CODE XREF: MiCheckSessionPoolAllocations()+21j
		mov	[ebp+var_10], eax
		mov	ecx, ebx
		mov	eax, large fs:124h
		push	edi
		mov	eax, [eax+80h]
		mov	esi, [eax+180h]
		mov	eax, [esi+2424h]
		mov	[ebp+var_C], eax
		mov	eax, [esi+2428h]
		mov	[ebp+var_8], eax

loc_85E772:				; CODE XREF: MiCheckSessionPoolAllocations()+70j
		mov	edx, [ebp+ecx*8+var_14]
		test	edx, edx
		jz	short loc_85E78C
		mov	edi, [ebp+ecx*8+var_10]
		test	edi, edi
		jz	short loc_85E78C

loc_85E782:				; CODE XREF: MiCheckSessionPoolAllocations()+6Aj
		mov	eax, [edx]
		lea	edx, [edx+30h]
		sub	edi, 1
		jnz	short loc_85E782

loc_85E78C:				; CODE XREF: MiCheckSessionPoolAllocations()+58j
					; MiCheckSessionPoolAllocations()+60j
		inc	ecx
		cmp	ecx, 2
		jb	short loc_85E772
		mov	ecx, [ebp+var_C]
		pop	edi
		test	ecx, ecx
		jz	short loc_85E7BB
		imul	edx, [ebp+var_8], 30h
		add	edx, 0FFFh
		and	edx, 0FFFFF000h
		call	ExPoolCleanupExpansionTable
		mov	[esi+2424h], ebx
		mov	[esi+2428h], ebx

loc_85E7BB:				; CODE XREF: MiCheckSessionPoolAllocations()+78j
		mov	eax, [esi+242Ch]
		test	eax, eax
		jz	short loc_85E7D2
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+242Ch], ebx

loc_85E7D2:				; CODE XREF: MiCheckSessionPoolAllocations()+A3j
		pop	esi
		pop	ebx
		leave
		retn
_MiCheckSessionPoolAllocations@0 endp


;  S U B	R O U T	I N E 


; __stdcall MiSessionUnloadAllImages()
_MiSessionUnloadAllImages@0 proc near	; CODE XREF: MiDereferenceSessionFinal:loc_85E614p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	esi, _PsLoadedModuleList
		mov	edi, eax
		mov	ebx, offset _PsLoadedModuleList
		jmp	short loc_85E809
; 

loc_85E7EF:				; CODE XREF: MiSessionUnloadAllImages()+61j
		mov	ecx, edi
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		push	esi
		call	MmUnloadSystemImage
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	esi, _PsLoadedModuleList
		mov	edi, eax

loc_85E809:				; CODE XREF: MiSessionUnloadAllImages()+17j
					; MiSessionUnloadAllImages()+54j
		cmp	esi, ebx
		jz	short loc_85E839
		mov	edx, [esi+18h]
		mov	ecx, edx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jz	short loc_85E82C
		mov	ecx, edx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	short loc_85E82C

loc_85E828:				; CODE XREF: MiSessionUnloadAllImages()+5Fj
		mov	esi, [esi]
		jmp	short loc_85E809
; 

loc_85E82C:				; CODE XREF: MiSessionUnloadAllImages()+44j
					; MiSessionUnloadAllImages()+50j
		mov	ecx, edx
		call	_MiSessionLookupImage@4	; MiSessionLookupImage(x)
		test	eax, eax
		jz	short loc_85E828
		jmp	short loc_85E7EF
; 

loc_85E839:				; CODE XREF: MiSessionUnloadAllImages()+35j
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
_MiSessionUnloadAllImages@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopThermalUpdatePassiveTimeTracking(x, x)
_PopThermalUpdatePassiveTimeTracking@8 proc near ; CODE	XREF: PopThermalSxEntry()+CDp
					; PopCoolingSxTransition+5Fp ...
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		cmp	byte ptr [ebx],	0
		jnz	short loc_85E87A
		push	esi
		push	edi
		push	15h
		pop	edi

loc_85E853:				; CODE XREF: PopThermalUpdatePassiveTimeTracking(x,x)+3Bj
		cmp	dl, byte_6C209F[edi]
		jb	short loc_85E87C

loc_85E85B:				; CODE XREF: PopThermalUpdatePassiveTimeTracking(x,x)+3Dj
		call	KeQueryInterruptTime
		mov	esi, eax
		mov	ecx, edx
		sub	esi, [ebx+8]
		sbb	ecx, [ebx+0Ch]
		add	[ebx+edi*8+10h], esi
		adc	[ebx+edi*8+14h], ecx
		pop	edi
		mov	[ebx+8], eax
		mov	[ebx+0Ch], edx
		pop	esi

loc_85E87A:				; CODE XREF: PopThermalUpdatePassiveTimeTracking(x,x)+8j
		pop	ebx
		retn
; 

loc_85E87C:				; CODE XREF: PopThermalUpdatePassiveTimeTracking(x,x)+15j
		sub	edi, 1
		jnz	short loc_85E853
		jmp	short loc_85E85B
_PopThermalUpdatePassiveTimeTracking@8 endp

; 
		align 8
; Exported entry 820. IoDisconnectInterruptEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoDisconnectInterruptEx
IoDisconnectInterruptEx	proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00905615 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edx, [ecx]
		mov	eax, edx
		sub	eax, 1
		jz	short loc_85E8B3
		sub	eax, 1
		jz	short loc_85E8C2
		sub	eax, 1
		jz	loc_90562B
		sub	eax, 1
		jnz	loc_905615

loc_85E8B3:				; CODE XREF: IoDisconnectInterruptEx+12j
		push	dword ptr [ecx+4]
		call	IoDisconnectInterrupt

loc_85E8BB:				; CODE XREF: IoDisconnectInterruptEx+6Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_85E8C2:				; CODE XREF: IoDisconnectInterruptEx+17j
		mov	esi, [ecx+4]
		xor	edi, edi
		cmp	[esi+0D4h], edi
		jbe	short loc_85E8EC
		lea	ebx, [esi+0D8h]

loc_85E8D5:				; CODE XREF: IoDisconnectInterruptEx+62j
		mov	eax, [ebx]
		add	eax, 60h
		push	eax
		call	IoDisconnectInterrupt
		inc	edi
		lea	ebx, [ebx+4]
		cmp	edi, [esi+0D4h]
		jb	short loc_85E8D5

loc_85E8EC:				; CODE XREF: IoDisconnectInterruptEx+45j
					; IoDisconnectInterruptEx+A6DABj ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_85E8BB
IoDisconnectInterruptEx	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 819. IoDisconnectInterrupt

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoDisconnectInterrupt
IoDisconnectInterrupt proc near		; CODE XREF: IoDisconnectInterruptEx+2Ep
					; IoDisconnectInterruptEx+53p ...

var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00905651 SIZE 00000187 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		push	2Ch		; size_t
		push	eax		; int
		lea	eax, [ebp+var_30]
		push	eax		; void *
		call	_memset
		mov	edi, [ebp+arg_0]
		add	esp, 0Ch
		add	edi, 0FFFFFFA0h
		mov	[ebp+var_4], edi
		lea	eax, [edi+144h]
		push	eax
		call	_KeRemoveQueueDpc@4 ; KeRemoveQueueDpc(x)
		lea	ecx, [edi+8]
		lea	edx, [ebp+var_30]
		call	IopInitializeActiveConnectBlock
		mov	ebx, [edi+4]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	bl, ds:_RtlpBitsClearTotal[ecx]
		add	bl, ds:_RtlpBitsClearTotal[eax]
		add	bl, dl
		cmp	[ebp+var_24], 0
		jz	short loc_85E97D
		push	0
		mov	dl, 1
		lea	ecx, [ebp+var_30]
		call	_IopAcquireReleaseConnectLockInternal@12 ; IopAcquireReleaseConnectLockInternal(x,x,x)

loc_85E97D:				; CODE XREF: IoDisconnectInterrupt+73j
		lea	eax, [edi+8]
		mov	dl, bl
		lea	esi, [edi+164h]
		push	eax
		mov	ecx, esi
		call	KeDisconnectInterrupt
		cmp	[ebp+var_24], 0
		jnz	loc_85EA52

loc_85E99A:				; CODE XREF: IoDisconnectInterrupt+162j
		cmp	byte ptr [edi+130h], 0
		jnz	loc_905651

loc_85E9A7:				; CODE XREF: IoDisconnectInterrupt+A6D5Fj
					; IoDisconnectInterrupt+A6D70j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		cmp	byte ptr [edi+130h], 0
		jnz	loc_905671

loc_85E9C2:				; CODE XREF: IoDisconnectInterrupt+A6D9Cj
					; IoDisconnectInterrupt+A6DB4j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	bh, bh
		test	bl, bl
		jle	short loc_85EA33

loc_85E9D4:				; CODE XREF: IoDisconnectInterrupt+135j
		movsx	eax, bh
		mov	eax, [edi+eax*4+164h]
		mov	[ebp+arg_0], eax
		mov	esi, [eax+0CCh]
		test	esi, esi
		jz	short loc_85EA26
		mov	ecx, [esi+0B0h]
		mov	eax, [ecx+14h]
		test	eax, eax
		jz	loc_9056B5
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_9056B5
		lock dec dword ptr [ecx+34h]
		mov	edx, 54706E50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax+0CCh], 0

loc_85EA26:				; CODE XREF: IoDisconnectInterrupt+EDj
		mov	ecx, eax
		call	_KeFreeInterrupt@4 ; KeFreeInterrupt(x)
		inc	bh
		cmp	bh, bl
		jl	short loc_85E9D4

loc_85EA33:				; CODE XREF: IoDisconnectInterrupt+D6j
		lea	ecx, [ebp+var_30]
		call	IopDestroyActiveConnectBlock
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	cl, cl
		call	PnpTraceInterruptConnection
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_85EA52:				; CODE XREF: IoDisconnectInterrupt+98j
		push	0
		xor	dl, dl
		lea	ecx, [ebp+var_30]
		call	_IopAcquireReleaseConnectLockInternal@12 ; IopAcquireReleaseConnectLockInternal(x,x,x)
		jmp	loc_85E99A
IoDisconnectInterrupt endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceServiceNotification(x)
_PopDiagTraceServiceNotification@4 proc	near ; CODE XREF: NtPowerInformation+B22p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	esi, offset _POP_ETW_EVENT_SUSPENDSERVICE
		cmp	[edi], ebx
		jz	short loc_85EA8B
		mov	esi, offset _POP_ETW_EVENT_SUSPENDSERVICE_END

loc_85EA8B:				; CODE XREF: PopDiagTraceServiceNotification(x)+20j
		cmp	_PopDiagHandleRegistered, bl
		jz	short loc_85EB02
		push	esi
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_85EB02
		add	edi, 4
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_85EAB1:				; CODE XREF: PopDiagTraceServiceNotification(x)+56j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_85EAB1
		sub	ecx, edx
		mov	[ebp+var_20], ebx
		sar	ecx, 1
		movzx	ecx, cx
		mov	eax, ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], eax
		mov	eax, ecx
		push	2
		pop	edx
		add	eax, eax
		mov	[ebp+var_1C], edx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	edx
		push	ebx
		push	esi
		push	dword_6C1D74
		mov	[ebp+var_14], edi
		push	_PopDiagHandle
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_85EB02:				; CODE XREF: PopDiagTraceServiceNotification(x)+2Dj
					; PopDiagTraceServiceNotification(x)+43j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceServiceNotification@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	WmipCopyFromEventQueues(void *,int,int,int,char)
WmipCopyFromEventQueues	proc near	; CODE XREF: WmipReceiveNotifications+2BCp
					; WmipReceiveNotifications+E3208p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	[ebp+var_C], edx
		mov	[ebp+var_4], ecx
		push	ebx
		push	esi
		push	edi
		test	edx, edx
		jz	short loc_85EB56
		mov	bl, [ebp+arg_10]
		lea	esi, [ecx+4]
		mov	edi, edx

loc_85EB2F:				; CODE XREF: WmipCopyFromEventQueues+3Cj
		mov	edx, [esi-4]
		test	bl, bl
		jnz	loc_9057A6
		mov	eax, [edx+50h]
		test	eax, eax
		jnz	loc_85EBFD

loc_85EB45:				; CODE XREF: WmipCopyFromEventQueues+EFj
					; IoDisconnectInterrupt+A6EAFj	...
		and	dword ptr [esi], 0

loc_85EB48:				; CODE XREF: WmipCopyFromEventQueues+10Dj
					; IoDisconnectInterrupt+A6ED7j
		add	esi, 8
		sub	edi, 1
		jnz	short loc_85EB2F
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_4]

loc_85EB56:				; CODE XREF: WmipCopyFromEventQueues+13j
		xor	esi, esi
		and	[ebp+var_1C], esi
		mov	[ebp+var_8], esi

loc_85EB5E:				; CODE XREF: WmipCopyFromEventQueues+C4j
		or	[ebp+var_14], 0FFFFFFFFh
		or	ebx, 0FFFFFFFFh
		xor	eax, eax
		mov	[ebp+var_18], 7FFFFFFFh
		test	edx, edx
		jz	loc_85EC24
		lea	esi, [ecx+4]

loc_85EB79:				; CODE XREF: WmipCopyFromEventQueues+73j
		mov	edi, [esi]
		test	edi, edi
		jnz	short loc_85EBD8

loc_85EB7F:				; CODE XREF: WmipCopyFromEventQueues+D4j
					; WmipCopyFromEventQueues+DCj ...
		inc	eax
		add	esi, 8
		cmp	eax, edx
		jb	short loc_85EB79
		mov	ecx, [ebp+var_4]
		cmp	ebx, 0FFFFFFFFh
		jz	loc_85EC24
		mov	edi, [ecx+ebx*8+4]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_1C], ecx
		mov	eax, [edi]
		push	eax		; size_t
		push	edi		; void *
		push	ecx		; void *
		lea	esi, [eax+7]
		and	esi, 0FFFFFFF8h
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		add	[ebp+var_8], esi
		mov	edx, [ebp+var_C]
		mov	[eax+0Ch], esi
		add	eax, esi
		mov	ecx, [edi+0Ch]
		mov	[ebp+arg_0], eax
		lea	eax, [ecx+edi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ebp+var_4]
		mov	[eax+ebx*8+4], ecx
		mov	ecx, eax
		jmp	short loc_85EB5E
; 

loc_85EBD8:				; CODE XREF: WmipCopyFromEventQueues+6Bj
		mov	ecx, [edi+10h]
		mov	edi, [edi+14h]
		mov	[ebp+var_10], ecx
		cmp	edi, [ebp+var_18]
		jl	short loc_85EBF0
		jg	short loc_85EB7F
		mov	ecx, [ebp+var_14]
		cmp	[ebp+var_10], ecx
		jnb	short loc_85EB7F

loc_85EBF0:				; CODE XREF: WmipCopyFromEventQueues+D2j
		mov	ecx, [ebp+var_10]
		mov	ebx, eax
		mov	[ebp+var_14], ecx
		mov	[ebp+var_18], edi
		jmp	short loc_85EB7F
; 

loc_85EBFD:				; CODE XREF: WmipCopyFromEventQueues+2Dj
		cmp	dword ptr [edx+5Ch], 0
		jz	loc_85EB45
		mov	[esi], eax
		xor	ecx, ecx
		mov	[eax+0Ah], cx
		mov	ecx, [esi]
		movzx	eax, word ptr [edx+60h]
		shl	eax, 10h
		or	[ecx+8], eax
		and	dword ptr [edx+60h], 0
		jmp	loc_85EB48
; 

loc_85EC24:				; CODE XREF: WmipCopyFromEventQueues+5Ej
					; WmipCopyFromEventQueues+7Bj
		mov	eax, [ebp+arg_C]
		xor	edi, edi
		mov	esi, [ebp+var_1C]
		mov	[eax], esi
		mov	eax, [ebp+arg_8]
		mov	esi, [ebp+var_8]
		mov	[eax], esi
		test	edx, edx
		jz	short loc_85EC60
		xor	ebx, ebx
		cmp	[ebp+arg_10], bl
		setnz	bl
		dec	ebx
		and	ebx, 14h

loc_85EC46:				; CODE XREF: WmipCopyFromEventQueues+14Cj
		mov	esi, [ecx+edi*8]
		mov	eax, [ebx+esi+3Ch]
		test	eax, eax
		jnz	short loc_85EC67

loc_85EC51:				; CODE XREF: WmipCopyFromEventQueues+16Bj
		push	esi
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	ecx, [ebp+var_4]
		inc	edi
		cmp	edi, [ebp+var_C]
		jb	short loc_85EC46

loc_85EC60:				; CODE XREF: WmipCopyFromEventQueues+126j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_85EC67:				; CODE XREF: WmipCopyFromEventQueues+13Dj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebx+esi+3Ch], eax
		mov	[ebx+esi+48h], eax
		mov	[ebx+esi+40h], eax
		jmp	short loc_85EC51
WmipCopyFromEventQueues	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	WmipQueueNotification(void *)
WmipQueueNotification proc near		; CODE XREF: WmipWriteWnodeToObject+D1p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009057D8 SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_14], ecx
		push	edi
		mov	edx, [esi+4]
		mov	edi, [esi]
		mov	eax, [esi+8]
		mov	[ebp+var_8], edx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_4], eax
		mov	ecx, [edx]
		mov	edx, [esi+0Ch]
		mov	[ebp+var_10], ecx
		add	ecx, 7
		add	ecx, edx
		and	ecx, 0FFFFFFF8h
		mov	[ebp+var_C], ecx
		test	edi, edi
		jnz	loc_9057D8

loc_85ECBC:				; CODE XREF: WmipQueueNotification+A6B63j
		xor	ebx, ebx
		test	edi, edi
		jnz	short loc_85ED0A
		cmp	ecx, 80000h
		ja	short loc_85ED3B
		cmp	ecx, eax
		ja	loc_9057E8

loc_85ECD2:				; CODE XREF: WmipQueueNotification+A6B76j
		push	70696D57h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_85ED3B
		push	[ebp+var_4]	; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	eax, [esi]
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9057FB

loc_85ECFC:				; CODE XREF: WmipQueueNotification+A6BA0j
		mov	eax, [ebp+var_4]
		mov	edx, [esi+0Ch]
		mov	ecx, [ebp+var_C]
		mov	[esi], edi
		mov	[esi+8], eax

loc_85ED0A:				; CODE XREF: WmipQueueNotification+40j
		add	edx, edi
		mov	edi, [ebp+var_8]
		test	edi, edi
		jnz	short loc_85ED45

loc_85ED13:				; CODE XREF: WmipQueueNotification+CCj
		push	[ebp+var_10]	; size_t
		mov	[esi+4], edx
		push	[ebp+arg_0]	; void *
		mov	[esi+0Ch], ecx
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	ebx
		push	ebx
		push	[ebp+var_14]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_85ED32:				; CODE XREF: WmipQueueNotification+C3j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_85ED3B:				; CODE XREF: WmipQueueNotification+48j
					; WmipQueueNotification+63j
		inc	dword ptr [esi+10h]
		mov	ebx, 0C000009Ah
		jmp	short loc_85ED32
; 

loc_85ED45:				; CODE XREF: WmipQueueNotification+91j
		mov	eax, edx
		sub	eax, edi
		mov	[edi+0Ch], eax
		jmp	short loc_85ED13
WmipQueueNotification endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWakeSourceTimeoutWorker(x)
_PopWakeSourceTimeoutWorker@4 proc near	; DATA XREF: PopWakeSourceTimeoutDpc(x,x,x,x)+11o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	PopTimeoutWakeTracking
		pop	ebp
		retn	4
_PopWakeSourceTimeoutWorker@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopGetWakeSource proc near		; CODE XREF: NtPowerInformation+10B4p
					; NtPowerInformation+10F5p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00905825 SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, edx
		push	ebx
		push	esi
		mov	[ebp+var_2C], eax
		xor	esi, esi
		mov	eax, [eax]
		mov	ebx, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_85ED8A
		test	ebx, ebx
		jz	loc_905825

loc_85ED8A:				; CODE XREF: PopGetWakeSource+20j
		push	edi
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset _PopWakeSourceAvailable
		call	KeWaitForSingleObject
		lea	ecx, [ebp+var_8]
		call	PopGetCurrentWakeInfos
		mov	edi, eax
		mov	[ebp+var_14], esi
		mov	[ebp+var_20], edi
		lea	ecx, ds:4[edi*4]
		mov	[ebp+var_4], ecx
		test	edi, edi
		jz	short loc_85EDF2
		mov	ebx, esi

loc_85EDB9:				; CODE XREF: PopGetWakeSource+8Dj
		mov	eax, [ebp+var_8]
		mov	edx, [eax+ebx*4]
		mov	eax, [ebp+var_4]
		add	eax, 7
		and	eax, 0FFFFFFF8h
		mov	ecx, [edx+14h]
		add	eax, 4
		add	edx, 0Ch
		mov	[ebp+var_18], edx
		lea	ecx, [eax+ecx*4]
		mov	eax, [edx]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_1C], eax
		cmp	eax, edx
		jnz	loc_90582F

loc_85EDE7:				; CODE XREF: PopGetWakeSource+A6AFBj
		inc	ebx
		mov	[ebp+var_14], ebx
		cmp	ebx, edi
		jb	short loc_85EDB9
		mov	ebx, [ebp+var_C]

loc_85EDF2:				; CODE XREF: PopGetWakeSource+55j
		cmp	ecx, [ebp+var_10]
		jbe	short loc_85EE19
		mov	esi, 0C0000023h

loc_85EDFC:				; CODE XREF: PopGetWakeSource+121j
		test	edi, edi
		jz	short loc_85EE0A
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	PopDereferenceWakeInfos

loc_85EE0A:				; CODE XREF: PopGetWakeSource+9Ej
					; PopGetWakeSource+C6j
		mov	ecx, [ebp+var_2C]
		mov	eax, [ebp+var_4]
		pop	edi
		mov	[ecx], eax
		mov	eax, esi

loc_85EE15:				; CODE XREF: PopGetWakeSource+A6ACAj
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85EE19:				; CODE XREF: PopGetWakeSource+95j
		mov	[ebx], edi
		lea	ebx, [ebx+edi*4]
		add	ebx, 4
		mov	[ebp+var_10], esi
		test	edi, edi
		jz	short loc_85EE0A
		mov	edx, [ebp+var_C]
		lea	eax, [edx+4]
		mov	[ebp+var_14], eax

loc_85EE31:				; CODE XREF: PopGetWakeSource+11Dj
		mov	eax, [ebp+var_8]
		add	ebx, 7
		and	ebx, 0FFFFFFF8h
		mov	[ebp+var_18], ebx
		mov	ecx, [eax+esi*4]
		mov	eax, [ecx+14h]
		mov	[ebx], eax
		mov	eax, ebx
		mov	ebx, [ebp+var_14]
		sub	eax, edx
		mov	[ebx], eax
		mov	ebx, [ebp+var_18]
		lea	eax, [ebx+4]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+14h]
		add	ecx, 0Ch
		mov	[ebp+var_28], ecx
		lea	ebx, [ebx+eax*4]
		mov	eax, [ecx]
		add	ebx, 4
		mov	[ebp+var_24], eax
		cmp	eax, ecx
		jnz	loc_905860

loc_85EE73:				; CODE XREF: PopGetWakeSource+A6B36j
		add	[ebp+var_14], 4
		inc	esi
		mov	[ebp+var_10], esi
		cmp	esi, edi
		jb	short loc_85EE31
		xor	esi, esi
		jmp	loc_85EDFC
PopGetWakeSource endp


;  S U B	R O U T	I N E 


PopFinalizeWakeInfo proc near		; CODE XREF: PopTimeoutWakeTracking+12Fp
					; PopHandleWakeSources+71F6p

; FUNCTION CHUNK AT 0090589B SIZE 00000014 BYTES

		mov	edi, edi
		push	esi
		push	edi
		push	0
		push	0
		push	offset _PopWakeSourceAvailable
		mov	edi, ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		add	edi, 0Ch
		mov	esi, [edi]

loc_85EE9F:				; CODE XREF: PopFinalizeWakeInfo+A6A24j
		cmp	esi, edi
		jnz	loc_90589B
		pop	edi
		pop	esi
		retn
PopFinalizeWakeInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DbgkClearProcessDebugObject proc near	; CODE XREF: PspTerminateAllThreads+184p
					; NtRemoveProcessDebug(x,x)+86p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009058AF SIZE 000000CD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		push	edi
		mov	edi, edx
		mov	[esp+20h+var_C], ebx
		call	ExAcquireFastMutex
		mov	esi, [ebx+190h]
		test	esi, esi
		jnz	loc_9058AF

loc_85EED8:				; CODE XREF: DbgkClearProcessDebugObject+A6A0Bj
		xor	esi, esi
		mov	edi, 0C0000353h

loc_85EEDF:				; CODE XREF: DbgkClearProcessDebugObject+A6A19j
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	edi, edi
		jns	short loc_85EEFE

loc_85EEED:				; CODE XREF: DbgkClearProcessDebugObject+5Bj
		test	esi, esi
		jnz	loc_9058C8

loc_85EEF5:				; CODE XREF: DbgkClearProcessDebugObject+A6AA2j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_85EEFE:				; CODE XREF: DbgkClearProcessDebugObject+41j
		mov	ecx, ebx
		call	_DbgkpMarkProcessPeb@4 ; DbgkpMarkProcessPeb(x)
		jmp	short loc_85EEED
DbgkClearProcessDebugObject endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopReadHiberbootPolicy proc near	; CODE XREF: NtPowerInformation+D8Bp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= dword	ptr -19h
var_C		= byte ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090597C SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ecx
		mov	byte ptr [ebp+var_19], bl
		lea	ecx, [ebp+var_19]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		call	_PopReadHiberbootGroupPolicy@4 ; PopReadHiberbootGroupPolicy(x)
		test	eax, eax
		jns	loc_90597C

loc_85EF3F:				; CODE XREF: PopReadHiberbootPolicy+A6A79j
		lea	ecx, [ebp+var_20]
		call	_PopOpenPowerKey@4 ; PopOpenPowerKey(x)
		test	eax, eax
		js	short loc_85EF8C
		push	edi
		push	offset _PopHiberbootEnabledRegName
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		lea	edi, [ebp+var_19+1]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_24]
		push	eax
		push	14h
		lea	eax, [ebp+var_19+1]
		push	eax
		push	2
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+var_20]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		pop	edi
		test	eax, eax
		js	short loc_85EF84
		mov	bl, [ebp+var_C]

loc_85EF84:				; CODE XREF: PopReadHiberbootPolicy+77j
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)

loc_85EF8C:				; CODE XREF: PopReadHiberbootPolicy+41j
					; PopReadHiberbootPolicy+A6A81j
		mov	ecx, [ebp+var_4]
		mov	[esi], bl
		xor	ecx, ebp
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopReadHiberbootPolicy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopReadHiberbootGroupPolicy(x)
_PopReadHiberbootGroupPolicy@4 proc near ; CODE	XREF: PopReadHiberbootPolicy+2Ap

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_C		= byte ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebx], al
		lea	eax, [ebp+var_24]
		push	offset _PopHiberbootGroupPolicyRegKey
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_24]
		mov	[ebp+var_40], 18h
		mov	[ebp+var_38], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_40]
		mov	[ebp+var_3C], ecx
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_34], 240h
		push	eax
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_85F047
		push	edi
		push	offset _PopHiberbootEnabledRegName
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_28]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		pop	edi
		test	esi, esi
		jns	short loc_85F057

loc_85F03F:				; CODE XREF: PopReadHiberbootGroupPolicy(x)+C0j
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_85F047:				; CODE XREF: PopReadHiberbootGroupPolicy(x)+69j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_85F057:				; CODE XREF: PopReadHiberbootGroupPolicy(x)+A1j
		mov	al, [ebp+var_C]
		mov	[ebx], al
		jmp	short loc_85F03F
_PopReadHiberbootGroupPolicy@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopValidateServiceNotification(x, x)
_PopValidateServiceNotification@8 proc near ; CODE XREF: NtPowerInformation+B11p
		cmp	edx, 4
		jb	short loc_85F077
		push	0
		add	edx, 0FFFFFFFCh
		add	ecx, 4
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		test	eax, eax
		js	short locret_85F076
		xor	eax, eax

locret_85F076:				; CODE XREF: PopValidateServiceNotification(x,x)+14j
		retn
; 

loc_85F077:				; CODE XREF: PopValidateServiceNotification(x,x)+3j
		mov	eax, 0C000000Dh
		retn
_PopValidateServiceNotification@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpQueryScenarioInformation proc near	; CODE XREF: PAGE:0077D403p

var_44		= dword	ptr -44h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090598E SIZE 00000011 BYTES

		push	34h
		push	offset dword_6A4AB8
		call	__SEH_prolog4
		mov	al, dl
		mov	[ebp+var_1D], al
		mov	edx, ecx
		mov	[ebp+var_24], edx
		cmp	dword ptr [edx+10h], 18h
		jnz	loc_90598E
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], ebx
		test	al, al
		jz	short loc_85F0C3
		mov	eax, [edx+0Ch]
		test	al, 3
		jnz	loc_85F142
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jnb	loc_905998

loc_85F0C0:				; CODE XREF: PfpQueryScenarioInformation+A691Cj
		nop
		mov	al, [eax]

loc_85F0C3:				; CODE XREF: PfpQueryScenarioInformation+27j
		push	6
		pop	ecx
		mov	esi, [edx+0Ch]
		lea	edi, [ebp+var_44]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_44], 4
		jnz	short loc_85F147
		lea	edx, [ebp+var_44]
		mov	ecx, offset unk_6D4870
		call	PfpScenCtxQueryScenarioInformation
		mov	[ebp+ms_exc.disabled], 1
		mov	edi, [ebp+var_24]
		cmp	[ebp+var_1D], 0
		jz	short loc_85F113
		mov	ecx, [edi+0Ch]
		test	cl, 3
		jnz	short loc_85F142
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_85F14E

loc_85F109:				; CODE XREF: PfpQueryScenarioInformation+D2j
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+14h]
		mov	[ecx+14h], al

loc_85F113:				; CODE XREF: PfpQueryScenarioInformation+78j
		push	6
		pop	ecx
		lea	esi, [ebp+var_44]
		mov	edi, [edi+0Ch]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 18h

loc_85F12E:				; CODE XREF: PfpQueryScenarioInformation+CEj
					; PfpQueryScenarioInformation+A6915j ...
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_85F142:				; CODE XREF: PfpQueryScenarioInformation+2Ej
					; PfpQueryScenarioInformation+80j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_85F147:				; CODE XREF: PfpQueryScenarioInformation+5Bj
		mov	ebx, 0C000000Dh
		jmp	short loc_85F12E
; 

loc_85F14E:				; CODE XREF: PfpQueryScenarioInformation+89j
		mov	[eax], bl
		jmp	short loc_85F109
PfpQueryScenarioInformation endp


;  S U B	R O U T	I N E 


; __stdcall CmpQuitNextHive(x)
_CmpQuitNextHive@4 proc	near		; CODE XREF: CmpDoFlushAll(x)+5Fp
					; CmLoadAppKey(x,x,x,x,x,x,x,x,x)+4E9p	...
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+9D8h], eax
		jz	_CmpDeleteHive@4 ; CmpDeleteHive(x)
		retn
_CmpQuitNextHive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceAppPowerMessage(x)
_PopDiagTraceAppPowerMessage@4 proc near ; CODE	XREF: NtPowerInformation+BFFp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		cmp	_PopDiagHandleRegistered, bl
		jz	loc_85F241
		push	offset _POP_ETW_EVENT_SUSPENDAPP
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_85F241
		push	esi
		lea	eax, [ebp+var_38]
		push	eax
		push	dword ptr [edi]
		call	PsLookupProcessByProcessId
		mov	esi, [ebp+var_38]
		test	eax, eax
		js	short loc_85F230
		mov	edx, [esi+1C0h]
		mov	eax, [edi]
		mov	[ebp+var_3C], eax
		mov	ax, [edx]
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_24], eax
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], 4
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], 2
		mov	[ebp+var_18], ebx
		movzx	ecx, word ptr [edx]
		mov	eax, [edx+4]
		mov	[ebp+var_14], eax
		mov	eax, ecx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	ebx
		push	offset _POP_ETW_EVENT_SUSPENDAPP
		push	dword_6C1D74
		mov	[ebp+var_10], ebx
		push	_PopDiagHandle
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_85F230:				; CODE XREF: PopDiagTraceAppPowerMessage(x)+5Cj
		test	esi, esi
		jz	short loc_85F240
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_85F240:				; CODE XREF: PopDiagTraceAppPowerMessage(x)+CEj
		pop	esi

loc_85F241:				; CODE XREF: PopDiagTraceAppPowerMessage(x)+27j
					; PopDiagTraceAppPowerMessage(x)+45j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceAppPowerMessage@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PopSessionClosed(x)
_PopSessionClosed@4 proc near		; CODE XREF: NtPowerInformation+130Dp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	esi
		push	offset ??_C@_0CD@NJJOGIFI@PopAdaptive?3?5Session?5?$CFu?5is?5clos@NNGAKEGL@ ; "PopAdaptive: Session %u is closed\n"
		push	3
		call	_PopPrintEx
		add	esp, 0Ch
		mov	edx, esi
		mov	ecx, offset _POP_ETW_ADPM_SESSION_CLOSED
		push	0
		call	_PopDiagTraceSessionState@12 ; PopDiagTraceSessionState(x,x,x)
		mov	ecx, esi
		pop	esi
		jmp	_PopFreeSessionState@4 ; PopFreeSessionState(x)
_PopSessionClosed@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopFreeSessionState(x)
_PopFreeSessionState@4 proc near	; CODE XREF: PopSessionClosed(x)+26j
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	ecx, offset _PopSettingLock
		push	edi
		call	ExAcquireFastMutex
		push	2
		mov	esi, offset _PopSessionSpecificLists
		pop	edi

loc_85F295:				; CODE XREF: PopFreeSessionState(x)+28j
		mov	edx, ebx
		mov	ecx, esi
		call	_PopFreeSessionStateInList@8 ; PopFreeSessionStateInList(x,x)
		add	esi, 8
		sub	edi, 1
		jnz	short loc_85F295
		pop	edi
		pop	esi
		mov	ecx, offset _PopSettingLock
		pop	ebx
		jmp	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
_PopFreeSessionState@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopFreeSessionStateInList(x, x)
_PopFreeSessionStateInList@8 proc near	; CODE XREF: PopFreeSessionState(x)+1Dp
		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_85F2CF
		push	esi

loc_85F2C3:				; CODE XREF: PopFreeSessionStateInList(x,x)+18j
		cmp	[eax+20h], ebx
		jz	short loc_85F2D2
		mov	eax, [eax]

loc_85F2CA:				; CODE XREF: PopFreeSessionStateInList(x,x)+42j
		cmp	eax, edi
		jnz	short loc_85F2C3
		pop	esi

loc_85F2CF:				; CODE XREF: PopFreeSessionStateInList(x,x)+Cj
		pop	edi
		pop	ebx
		retn
; 

loc_85F2D2:				; CODE XREF: PopFreeSessionStateInList(x,x)+12j
		mov	ecx, [eax+24h]
		mov	esi, [eax]
		test	cl, 2
		jnz	short loc_85F2F8
		cmp	[esi+4], eax
		jnz	short loc_85F300
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_85F300
		mov	[ecx], esi
		mov	[esi+4], ecx
		mov	ecx, eax
		call	_PopFreeRegistration@4 ; PopFreeRegistration(x)

loc_85F2F4:				; CODE XREF: PopFreeSessionStateInList(x,x)+4Aj
		mov	eax, esi
		jmp	short loc_85F2CA
; 

loc_85F2F8:				; CODE XREF: PopFreeSessionStateInList(x,x)+26j
		or	ecx, 4
		mov	[eax+24h], ecx
		jmp	short loc_85F2F4
; 

loc_85F300:				; CODE XREF: PopFreeSessionStateInList(x,x)+2Bj
					; PopFreeSessionStateInList(x,x)+32j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PopFreeSessionStateInList@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopFreeRegistration(x)
_PopFreeRegistration@4 proc near	; CODE XREF: PopFreeSessionStateInList(x,x)+3Bp
					; PopDispatchNotificationsToList+14AF00p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		push	3
		pop	ebx
		lea	esi, [edi+30h]

loc_85F313:				; CODE XREF: PopFreeRegistration(x)+29j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_85F329
		sub	dword ptr [eax], 1
		jnz	short loc_85F329
		push	74655350h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_85F329:				; CODE XREF: PopFreeRegistration(x)+11j
					; PopFreeRegistration(x)+16j
		add	esi, 4
		sub	ebx, 1
		jnz	short loc_85F313
		lea	eax, [edi+28h]
		cmp	[eax], ebx
		jz	short loc_85F34D

loc_85F338:				; CODE XREF: PopFreeRegistration(x)+4Dj
		push	eax
		call	_ZwDeleteWnfStateName@4	; ZwDeleteWnfStateName(x)

loc_85F33E:				; CODE XREF: PopFreeRegistration(x)+4Bj
		push	74655350h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_85F34D:				; CODE XREF: PopFreeRegistration(x)+30j
		cmp	dword ptr [eax+4], 0
		jz	short loc_85F33E
		jmp	short loc_85F338
_PopFreeRegistration@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEsEnterSleepShutdown()
_PopEsEnterSleepShutdown@0 proc	near	; CODE XREF: PAGELK:loc_71F019p

var_20		= dword	ptr -20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		push	esi
		push	edi
		push	8
		pop	ecx
		lea	edi, [ebp+var_20]
		rep stosd
		lea	ecx, [ebp+var_20]
		call	_PopCurrentPowerState@4	; PopCurrentPowerState(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopEsLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_20]
		mov	dword_6BFD2C, eax
		call	PopEsSnapTelemetry
		xor	eax, eax
		mov	_PopEsLastStateChangeTimeStamp,	eax
		mov	dword_6D4B24, eax
		cmp	dword_6BFD2C, eax
		jz	short loc_85F3BA
		mov	dword_6BFD2C, eax

loc_85F3BA:				; CODE XREF: PopEsEnterSleepShutdown()+5Dj
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		leave
		retn
_PopEsEnterSleepShutdown@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEsSnapTelemetry proc	near		; CODE XREF: PopEsUpdateState+81E5Fp
					; PopEsEnterSleepShutdown()+46p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009059D2 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ds:0FFDF0004h
		push	esi
		mov	esi, 0FFDF0324h
		mov	[ebp+var_8], ecx
		push	edi
		mov	[ebp+var_4], ebx
		mov	edx, [esi]
		lea	eax, [esi-4]
		mov	edi, [eax]
		add	eax, 8
		mov	eax, [eax]
		cmp	edx, eax
		jnz	loc_9059D2

loc_85F3FC:				; CODE XREF: PopEsSnapTelemetry+A6620j
		mov	eax, edx
		mul	ebx
		mov	esi, eax
		mov	ebx, edx
		mov	eax, edi
		mul	[ebp+var_4]
		shld	ebx, esi, 8
		shrd	eax, edx, 18h
		shl	esi, 8
		shr	edx, 18h
		add	esi, eax
		adc	ebx, edx
		xor	edi, edi
		cmp	byte ptr [ecx+1], 0
		jnz	short loc_85F489

loc_85F423:				; CODE XREF: PopEsSnapTelemetry+C0j
		mov	eax, _PopEsLastStateChangeTimeStamp
		mov	ecx, dword_6D4B24
		mov	[ebp+var_4], eax
		or	eax, ecx
		mov	[ebp+var_C], ecx
		jz	short loc_85F454
		sub	esp, 10h
		mov	edx, edi
		sub	edx, _PopEsLastBatteryCharge
		mov	ecx, esi
		sub	ecx, [ebp+var_4]
		mov	eax, ebx
		sbb	eax, [ebp+var_C]
		push	eax
		push	ecx
		call	_PopTraceEsState@32 ; PopTraceEsState(x,x,x,x,x,x,x,x)

loc_85F454:				; CODE XREF: PopEsSnapTelemetry+6Aj
		mov	eax, [ebp+var_8]
		mov	_PopEsLastBatteryCharge, edi
		pop	edi
		mov	_PopEsLastStateChangeTimeStamp,	esi
		mov	al, [eax]
		mov	_PopEsAcOnline,	al
		mov	eax, dword_6C2D50
		mov	_PopEsLastBatteryThreshold, eax
		mov	al, byte_6C2D55
		pop	esi
		mov	dword_6D4B24, ebx
		mov	_PopEsLastUserAwaySetting, al
		pop	ebx
		leave
		retn
; 

loc_85F489:				; CODE XREF: PopEsSnapTelemetry+55j
		mov	edi, [ecx+0Ch]
		jmp	short loc_85F423
PopEsSnapTelemetry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRmInteractiveLogoffLogonSessionWrkr(x, x)
_SepRmInteractiveLogoffLogonSessionWrkr@8 proc near ; DATA XREF: PAGE:00A40D1Co

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_8], eax
		mov	eax, [ecx+20h]
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_4], eax
		call	SepDeleteLogonSessionTrack
		mov	ecx, [ebp+arg_4]
		mov	[ecx+18h], eax
		leave
		retn	8
_SepRmInteractiveLogoffLogonSessionWrkr@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepDeleteLogonSessionTrack proc	near	; CODE XREF: SepRmInteractiveLogoffLogonSessionWrkr(x,x)+1Bp
					; SeInitServerSilo(x)+64p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 009059F1 SIZE 000000D5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ds:_SepLogonSessions
		and	[ebp+var_C], 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		push	esi
		push	edi
		imul	esi, [ebx], 5B250A24h
		shr	esi, 1Ch
		lea	eax, [eax+esi*4]
		mov	[ebp+var_8], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		and	esi, 3
		imul	eax, esi, 38h
		push	1
		lea	edi, _SepRmDbLock[eax]
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [ebp+var_8]
		mov	esi, [ecx]

loc_85F507:				; CODE XREF: SepDeleteLogonSessionTrack+A5j
		test	esi, esi
		jz	loc_905AA7
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		cmp	[esi+58h], eax
		jnz	short loc_85F558
		mov	eax, [ebx]
		cmp	eax, [esi+4]
		jnz	short loc_85F558
		mov	eax, [ebx+4]
		cmp	eax, [esi+8]
		jnz	short loc_85F558
		cmp	[ebp+var_1], 0
		jz	loc_9059F1
		or	dword ptr [esi+18h], 10h
		lea	ecx, [esi+48h]
		call	ObRevokeHandles
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_85F551:				; CODE XREF: SepDeleteLogonSessionTrack+A65EAj
		xor	eax, eax

loc_85F553:				; CODE XREF: SepDeleteLogonSessionTrack+A6609j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85F558:				; CODE XREF: SepDeleteLogonSessionTrack+5Fj
					; SepDeleteLogonSessionTrack+66j ...
		mov	[ebp+var_8], esi
		mov	esi, [esi]
		jmp	short loc_85F507
SepDeleteLogonSessionTrack endp

; 
		align 10h

;  S U B	R O U T	I N E 


ObRevokeHandles	proc near		; CODE XREF: SepDeleteLogonSessionTrack+81p

; FUNCTION CHUNK AT 00905AC6 SIZE 00000014 BYTES

		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, ecx
		nop
		xor	edx, edx
		lea	ecx, [edi+8]
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [edi]

loc_85F57F:				; CODE XREF: ObRevokeHandles+A6575j
		cmp	esi, edi
		jnz	loc_905AC6
		xor	edx, edx
		lea	ecx, [edi+8]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
ObRevokeHandles	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceAppPowerMessageEnd(x)
_PopDiagTraceAppPowerMessageEnd@4 proc near ; CODE XREF: NtPowerInformation:loc_764FF9p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	ebx, ecx
		jz	short loc_85F60B
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_SUSPENDAPP_END
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_85F609
		mov	eax, [ebx]
		xor	ecx, ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	1
		push	ecx
		push	offset _POP_ETW_EVENT_SUSPENDAPP_END
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_85F609:				; CODE XREF: PopDiagTraceAppPowerMessageEnd(x)+3Aj
		pop	edi
		pop	esi

loc_85F60B:				; CODE XREF: PopDiagTraceAppPowerMessageEnd(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceAppPowerMessageEnd@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSuspendResumeInvocation(x)
_PopSuspendResumeInvocation@4 proc near	; CODE XREF: NtPowerInformation+C2Dp
					; PopDirectedDripsSendSuspendResumeNotification(x,x)+26p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	al, [ecx+4]
		mov	edx, [ecx]
		mov	byte ptr [ebp+var_C], al
		mov	al, [ecx+5]
		mov	byte ptr [ebp+var_8], al
		mov	al, [ecx+6]
		mov	ecx, dword_6D6FC4
		mov	byte ptr [ebp+var_4], al
		xor	eax, eax
		test	ecx, ecx
		jz	short locret_85F64C
		push	[ebp+var_4]
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	edx
		call	ecx

locret_85F64C:				; CODE XREF: PopSuspendResumeInvocation(x)+26j
		leave
		retn
_PopSuspendResumeInvocation@4 endp


;  S U B	R O U T	I N E 


BcdForciblyUnloadStore proc near	; CODE XREF: PopAllocateHiberContext+1CBp
					; BiCleanupLoadedStores+A2D51p

; FUNCTION CHUNK AT 00905ADA SIZE 0000002C BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	_BiIsOfflineHandle@4 ; BiIsOfflineHandle(x)
		mov	bl, al
		mov	cl, al
		call	BiAcquireBcdSyncMutant
		mov	ecx, eax
		test	ecx, ecx
		js	loc_905ADA
		mov	ecx, edi
		xor	esi, esi
		call	_BiIsSystemStore@4 ; BiIsSystemStore(x)
		test	al, al
		jz	short loc_85F69D
		mov	ecx, edi
		call	_BiIsSynchFirmwareEntries@4 ; BiIsSynchFirmwareEntries(x)
		test	al, al
		jz	short loc_85F69D
		push	offset ??_C@_1EM@OIPDGHPJ@?$AAE?$AAx?$AAp?$AAo?$AAr?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAf?$AAo?$AAr?$AAc?$AAi@NNGAKEGL@
		push	2
		call	_BiLogMessage
		add	esp, 8
		mov	ecx, edi
		call	BiExportStoreAlterationsToFirmware
		mov	esi, eax

loc_85F69D:				; CODE XREF: BcdForciblyUnloadStore+2Aj
					; BcdForciblyUnloadStore+35j
		mov	dl, 1
		mov	ecx, edi
		call	_BiUnloadHiveByHandle@8	; BiUnloadHiveByHandle(x,x)
		test	esi, esi
		js	loc_905AF1
		mov	esi, eax

loc_85F6B0:				; CODE XREF: BcdForciblyUnloadStore+A64B3j
		mov	cl, bl
		call	_BiReleaseBcdSyncMutant@4 ; BiReleaseBcdSyncMutant(x)
		mov	eax, esi

loc_85F6B9:				; CODE XREF: BcdForciblyUnloadStore+A649Ej
		pop	edi
		pop	esi
		pop	ebx
		retn
BcdForciblyUnloadStore endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiUnloadHiveByHandle(x, x)
_BiUnloadHiveByHandle@8	proc near	; CODE XREF: BcdForciblyUnloadStore+53p
					; BiCloseStore+38p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_4], 0
		lea	eax, [esp+0Ch+var_4]
		and	[esp+0Ch+var_8], 0
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [esp+1Ch+var_8]
		mov	ebx, edx
		push	eax
		push	1
		push	offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		mov	edx, offset ??_C@_1BA@PCNMLPEP@?$AAK?$AAe?$AAy?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@ ; "KeyName"
		mov	esi, ecx
		call	BiGetRegistryValue
		mov	ecx, esi
		mov	edi, eax
		call	_BiCloseKey@4	; BiCloseKey(x)
		test	edi, edi
		js	short loc_85F729
		mov	edx, [esp+18h+var_4]
		mov	ecx, [esp+18h+var_8]
		push	ebx
		call	BiUnloadHiveByName
		push	4B444342h
		push	[esp+1Ch+var_8]
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_85F722:				; CODE XREF: BiUnloadHiveByHandle(x,x)+6Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_85F729:				; CODE XREF: BiUnloadHiveByHandle(x,x)+42j
		mov	eax, edi
		jmp	short loc_85F722
_BiUnloadHiveByHandle@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiUnloadHiveByName proc	near		; CODE XREF: BiUnloadHiveByHandle(x,x)+4Dp
					; BiAddStoreFromFile+A2FD4p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00905B06 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		push	4B444342h
		xor	eax, eax
		lea	esi, [edx+26h]
		push	esi
		push	1
		mov	ebx, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_905B06
		push	ebx
		push	offset ??_C@_1CE@NMBJJGCH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\"
		push	offset ??_C@_1M@DFKENGJN@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; "%s\\%s"
		shr	esi, 1
		push	esi
		push	edi
		call	_swprintf_s
		add	esp, 14h
		lea	eax, [ebp+var_C]
		push	edi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ecx, ecx
		mov	[ebp+var_2C], 18h
		push	12h
		mov	[ebp+var_28], ecx
		lea	eax, [ebp+var_C]
		mov	[ebp+var_1C], ecx
		lea	edx, [ebp+var_14]
		mov	[ebp+var_18], ecx
		pop	ecx
		mov	[ebp+var_20], 240h
		mov	[ebp+var_24], eax
		call	BiAcquirePrivilege
		mov	esi, eax
		test	esi, esi
		js	short loc_85F7CF
		cmp	[ebp+arg_0], 0
		lea	eax, [ebp+var_2C]
		jz	short loc_85F7E3
		push	1
		push	eax
		call	_ZwUnloadKey2@8	; ZwUnloadKey2(x,x)

loc_85F7C5:				; CODE XREF: BiUnloadHiveByName+BBj
		lea	ecx, [ebp+var_14]
		mov	esi, eax
		call	_BiReleasePrivilege@4 ;	BiReleasePrivilege(x)

loc_85F7CF:				; CODE XREF: BiUnloadHiveByName+84j
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_85F7DA:				; CODE XREF: BiUnloadHiveByName+A63DDj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_85F7E3:				; CODE XREF: BiUnloadHiveByName+8Dj
		push	eax
		call	_ZwUnloadKey@4	; ZwUnloadKey(x)
		jmp	short loc_85F7C5
BiUnloadHiveByName endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiExportStoreAlterationsToFirmware proc	near ; CODE XREF: BcdForciblyUnloadStore+48p
					; BiCloseStore+A2FBAp

; FUNCTION CHUNK AT 00905B10 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, ecx
		call	_BiGetFirmwareType@0 ; BiGetFirmwareType()
		sub	eax, 1
		jnz	loc_905B10

loc_85F806:				; CODE XREF: BiExportStoreAlterationsToFirmware+A632Cj
		xor	eax, eax

loc_85F808:				; CODE XREF: BiExportStoreAlterationsToFirmware+A6337j
					; BiExportStoreAlterationsToFirmware+A6343j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
BiExportStoreAlterationsToFirmware endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpLogEventRequest proc	near		; CODE XREF: PfSetSuperfetchInformation+3B1p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00905B34 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	eax, [ebx]
		and	eax, 1Fh
		cmp	eax, 2
		jz	loc_905B34
		cmp	eax, 3
		jz	loc_905B34

loc_85F830:				; CODE XREF: PfpLogEventRequest+A6354j
		mov	eax, [ebx]
		and	eax, 1Fh
		cmp	al, 1Bh
		jnz	short loc_85F845
		mov	eax, [ebx+4]
		mov	eax, [eax+4]
		and	al, 3
		cmp	al, 1
		jz	short loc_85F895

loc_85F845:				; CODE XREF: PfpLogEventRequest+29j
					; PfpLogEventRequest+92j
		call	_PFP_GET_CURRENT_TIME@0	; PFP_GET_CURRENT_TIME()
		mov	esi, [ebx]
		mov	edi, eax
		mov	ecx, esi
		shr	ecx, 5
		test	cl, 1
		jz	short loc_85F87B
		shr	ecx, 1
		push	0
		and	ecx, 1
		push	4
		mov	[ebp+var_4], ecx
		lea	ecx, [ebp+var_4]
		pop	edx
		call	MmIssueMemoryListCommand
		xor	edx, edx
		mov	ecx, offset dword_6D42C0
		call	PfGenerateTrace
		mov	esi, [ebx]

loc_85F87B:				; CODE XREF: PfpLogEventRequest+48j
		mov	eax, esi
		mov	edx, edi
		shr	eax, 7
		and	esi, 1Fh
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		mov	ecx, esi
		call	PfLogEvent
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85F895:				; CODE XREF: PfpLogEventRequest+35j
		push	0FFFFFFFEh
		pop	ecx
		mov	eax, offset byte_6FB62C
		lock and [eax],	ecx
		jmp	short loc_85F845
PfpLogEventRequest endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRmInteractiveLogoffLogonSessionCompletedWrkr(x, x)
_SepRmInteractiveLogoffLogonSessionCompletedWrkr@8 proc	near ; DATA XREF: PAGE:00A40D20o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_8], eax
		mov	eax, [ecx+20h]
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_4], eax
		call	_SepBlockAccessForLogonSession@4 ; SepBlockAccessForLogonSession(x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx+18h], eax
		leave
		retn	8
_SepRmInteractiveLogoffLogonSessionCompletedWrkr@8 endp


;  S U B	R O U T	I N E 


; __stdcall SepBlockAccessForLogonSession(x)
_SepBlockAccessForLogonSession@4 proc near
					; CODE XREF: SepRmInteractiveLogoffLogonSessionCompletedWrkr(x,x)+19p
		mov	eax, ds:_SepLogonSessions
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		imul	edx, [edi], 5B250A24h
		shr	edx, 1Ch
		lea	esi, [eax+edx*4]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		and	edx, 3
		imul	eax, edx, 38h
		push	1
		lea	ebx, _SepRmDbLock[eax]
		push	ebx
		call	ExAcquireResourceExclusiveLite

loc_85F902:				; CODE XREF: SepBlockAccessForLogonSession(x)+46j
					; SepBlockAccessForLogonSession(x)+4Dj	...
		mov	esi, [esi]
		test	esi, esi
		jz	short loc_85F940
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		cmp	[esi+58h], eax
		jnz	short loc_85F902
		mov	eax, [edi]
		cmp	eax, [esi+4]
		jnz	short loc_85F902
		mov	eax, [edi+4]
		cmp	eax, [esi+8]
		jnz	short loc_85F902
		or	dword ptr [esi+18h], 20h
		xor	esi, esi

loc_85F927:				; CODE XREF: SepBlockAccessForLogonSession(x)+7Bj
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_85F940:				; CODE XREF: SepBlockAccessForLogonSession(x)+3Cj
		mov	esi, 0C000005Fh
		jmp	short loc_85F927
_SepBlockAccessForLogonSession@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSymlinkSetFoExtension(x,	x)
_IopSymlinkSetFoExtension@8 proc near	; CODE XREF: IopSymlinkPropagateToExtensionIfNeeded+77p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		cmp	dword ptr [ecx+7Ch], 0
		push	esi
		mov	esi, edx
		jnz	short loc_85F976
		lea	edx, [ebp+var_4]
		call	IopAllocateFileObjectExtension
		test	eax, eax
		js	short loc_85F973

loc_85F967:				; CODE XREF: IopSymlinkSetFoExtension(x,x)+3Aj
		mov	ecx, [ebp+var_4]
		push	esi
		push	5
		pop	edx
		call	_IopSetTypeSpecificFoExtension@12 ; IopSetTypeSpecificFoExtension(x,x,x)

loc_85F973:				; CODE XREF: IopSymlinkSetFoExtension(x,x)+1Dj
		pop	esi
		leave
		retn
; 

loc_85F976:				; CODE XREF: IopSymlinkSetFoExtension(x,x)+11j
		lea	eax, [ebp+var_4]
		push	eax
		push	5
		pop	edx
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		jmp	short loc_85F967
_IopSymlinkSetFoExtension@8 endp


;  S U B	R O U T	I N E 


MiDeleteSessionDriverProtos proc near	; CODE XREF: MiUnloadSystemImage+4CCp
					; MiMapSystemImage+B1303p ...

; FUNCTION CHUNK AT 00905B67 SIZE 00000013 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, [ecx]
		lea	esi, [ecx+50h]

loc_85F98D:				; CODE XREF: MiDeleteSessionDriverProtos+25j
		test	esi, esi
		jz	short loc_85F9AB
		test	byte ptr [esi+12h], 2
		jnz	short loc_85F9A6
		mov	ecx, esi
		call	_MiGetSubsectionDriverProtos@4 ; MiGetSubsectionDriverProtos(x)
		test	eax, eax
		jnz	loc_905B67

loc_85F9A6:				; CODE XREF: MiDeleteSessionDriverProtos+11j
					; MiDeleteSessionDriverProtos+A61F1j
		mov	esi, [esi+8]
		jmp	short loc_85F98D
; 

loc_85F9AB:				; CODE XREF: MiDeleteSessionDriverProtos+Bj
		mov	eax, 0F7FFh
		and	[edi+8], ax
		pop	edi
		pop	esi
		retn
MiDeleteSessionDriverProtos endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PerfDiagpSaveActiveDCLLogFileName proc near ; CODE XREF: PerfDiagpProxyWorker+F4p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00905B7A SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	64465250h
		push	20Ah
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_905B7A
		push	0B0h		; size_t
		push	0		; int
		push	offset dword_6BC748 ; void *
		call	_memset
		add	esp, 0Ch
		mov	dword_6BC774, 20000h
		mov	eax, offset unk_6BC728
		mov	esi, offset ??_C@_1BM@EGPIEMAI@?$AAW?$AAd?$AAi?$AAC?$AAo?$AAn?$AAt?$AAe?$AAx?$AAt?$AAL?$AAo?$AAg@NNGAKEGL@ ; "WdiContextLog"
		mov	edi, eax
		push	7
		pop	ecx
		push	eax
		rep movsd
		push	offset unk_6BC7D8
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, 208h
		mov	dword_6BC7CC, ebx
		mov	word_6BC7CA, ax
		mov	ecx, 0B0h
		lea	eax, [ebp+var_4]
		mov	dword_6BC748, ecx
		push	eax		; int
		push	ecx		; int
		mov	eax, offset dword_6BC748
		push	eax		; void *
		push	ecx		; int
		push	eax		; void *
		push	3		; int
		call	_NtTraceControl@24 ; NtTraceControl(x,x,x,x,x,x)
		push	2
		pop	esi
		test	eax, eax
		js	loc_905B90
		mov	ax, word_6BC7C8
		cmp	ax, si
		jb	loc_905B90
		shr	ax, 1
		xor	edx, edx
		movzx	ecx, ax
		mov	eax, ecx
		mov	[ebx+eax*2], dx
		lea	eax, [ecx+1]
		movzx	eax, ax
		add	eax, eax
		push	eax
		push	ebx
		push	1
		push	offset ??_C@_1CE@BPONIBHD@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAD@NNGAKEGL@	; "ActiveShutdownDCL"
		push	offset ??_C@_1DA@EEFDJGGO@?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt?$AAi?$AAc?$AAs?$AA?2?$AAP?$AAe?$AAr@NNGAKEGL@ ; "Diagnostics\\Performance"
		push	esi
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)

loc_85FA8E:				; CODE XREF: PerfDiagpSaveActiveDCLLogFileName+A61E8j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_85FA96:				; CODE XREF: PerfDiagpSaveActiveDCLLogFileName+A61D3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PerfDiagpSaveActiveDCLLogFileName endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiDeleteKey	proc near		; CODE XREF: BiDeleteElement+B7p
					; BcdSetElementDataWithFlags+A1D99p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00905BA5 SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	_BiSanitizeHandle@4 ; BiSanitizeHandle(x)
		mov	edi, eax
		mov	[ebp+var_C], esi
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_C]
		call	BiEnumerateSubKeys
		mov	ebx, [ebp+var_C]
		test	eax, eax
		js	short loc_85FAD7
		cmp	[ebp+var_8], esi
		ja	loc_905BA5

loc_85FAD7:				; CODE XREF: BiDeleteKey+30j
					; BiDeleteKey+A613Aj
		test	ebx, ebx
		jnz	loc_905BDB

loc_85FADF:				; CODE XREF: BiDeleteKey+A614Aj
		mov	ecx, edi
		call	_BiZwDeleteKey@4 ; BiZwDeleteKey(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_85FAF3
		mov	ecx, edi
		call	_BiZwClose@4	; BiZwClose(x)

loc_85FAF3:				; CODE XREF: BiDeleteKey+4Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
BiDeleteKey	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopInitSystemSleeperThread(x, x)
_PopInitSystemSleeperThread@8 proc near	; CODE XREF: PAGELK:0071F0B6p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edx
		push	edi
		push	1
		push	esi
		mov	[esp+34h+var_1C], edi
		mov	[esi+30h], ecx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	1
		lea	eax, [esi+10h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	1
		lea	eax, [esi+20h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		push	esi
		push	offset PopTransitionToSleep
		push	edi
		push	edi
		lea	eax, [esp+40h+var_18]
		mov	[esp+40h+var_18], 18h
		push	eax
		push	edi
		lea	eax, [esp+48h+var_1C]
		mov	[esp+48h+var_14], edi
		push	eax
		mov	[esp+4Ch+var_C], 200h
		mov	[esp+4Ch+var_10], edi
		mov	[esp+4Ch+var_8], edi
		mov	[esp+4Ch+var_4], edi
		call	PsCreateSystemThreadEx
		test	eax, eax
		js	short loc_85FB86
		push	[esp+28h+var_1C]
		call	_ZwClose@4	; ZwClose(x)
		push	edi
		push	edi
		push	edi
		push	edi
		push	esi
		call	KeWaitForSingleObject
		mov	eax, edi

loc_85FB86:				; CODE XREF: PopInitSystemSleeperThread(x,x)+75j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_PopInitSystemSleeperThread@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiReleaseSessionDriverCharges proc near	; CODE XREF: MiUnloadSystemImage+13Ap

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h

; FUNCTION CHUNK AT 00905BEB SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		lea	eax, [ebp+var_50]
		push	esi
		push	50h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		cmp	byte ptr [esi+25h], 1
		jz	loc_905BEB

loc_85FBB1:				; CODE XREF: MiReleaseSessionDriverCharges+A6067j
		mov	eax, [esi+2Ch]
		lea	edx, [esi+0Ch]
		push	4
		lea	ecx, [ebp+var_54]
		mov	[ebp+var_54], eax
		call	MiManageSubsectionView
		pop	esi
		leave
		retn
MiReleaseSessionDriverCharges endp

; 
		align 4

;  S U B	R O U T	I N E 


PopFastS4Check	proc near		; CODE XREF: PopActionRetrieveInitialState:loc_5588CDp
					; PAGELK:loc_71EEA9p

; FUNCTION CHUNK AT 00905BF8 SIZE 00000037 BYTES

		cmp	dword_6C26E0, 4
		jz	loc_905BF8

loc_85FBD5:				; CODE XREF: PopFastS4Check+A6037j
					; PopFastS4Check+A6044j ...
		xor	al, al
		retn
PopFastS4Check	endp


;  S U B	R O U T	I N E 


; __stdcall PopSessionDisconnected(x, x)
_PopSessionDisconnected@8 proc near	; CODE XREF: PopSessionConnectionChange(x,x,x)+68p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		push	0
		mov	edx, esi
		mov	ecx, offset _POP_ETW_ADPM_SESSION_DISCONNECTED
		call	_PopDiagTraceSessionState@12 ; PopDiagTraceSessionState(x,x,x)
		cmp	_PopConsoleContext, esi
		jnz	short loc_85FC19
		cmp	esi, 0FFFFFFFFh
		jz	short loc_85FC19
		push	0Ah
		xor	eax, eax
		mov	edi, offset _PopConsoleContext
		pop	ecx
		rep stosd
		or	_PopConsoleContext, 0FFFFFFFFh
		mov	dword_6BFBC0, 3

loc_85FC19:				; CODE XREF: PopSessionDisconnected(x,x)+1Dj
					; PopSessionDisconnected(x,x)+22j
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	_PopSetSessionDisplayStatus@12 ; PopSetSessionDisplayStatus(x,x,x)
		push	2
		pop	edx
		mov	ecx, esi
		call	_PopSetSessionUserStatus@8 ; PopSetSessionUserStatus(x,x)
		and	dword ptr [ebx+4], 0
		and	dword ptr [ebx], 0
		pop	edi
		pop	esi
		pop	ebx
		retn
_PopSessionDisconnected@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTracePreSleepNotification(x,	x, x, x, x)
_PopDiagTracePreSleepNotification@20 proc near ; CODE XREF: PAGELK:0071F007p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], ecx
		jz	short loc_85FCCE
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_4]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	edx
		push	offset _POP_ETW_EVENT_PRESLEEP_NOTIFICATION3
		push	dword_6C1D74
		mov	[ebp+var_50], edx
		push	_PopDiagHandle
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_85FCCE:				; CODE XREF: PopDiagTracePreSleepNotification(x,x,x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PopDiagTracePreSleepNotification@20 endp


;  S U B	R O U T	I N E 


PopEnforceResiliencyScenarios proc near	; CODE XREF: PAGELK:0071ECB4p
					; NtPowerInformation+172480p

; FUNCTION CHUNK AT 00905C2F SIZE 0000004A BYTES

		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [esi+4]
		call	PopEnforceDeepSleep
		mov	edi, offset _PopFxSystemLatencyLock
		mov	ecx, edi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		call	PoFxSendSystemLatencyUpdate
		mov	ecx, edi
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		cmp	ds:_PopCurrentCoalescingSpindownTimeout, 0
		mov	ecx, [esi]
		setnz	al
		test	ecx, ecx
		jnz	loc_905C2F
		test	al, al
		jnz	loc_905C4D

loc_85FD1F:				; CODE XREF: PopEnforceResiliencyScenarios+A5F55j
					; PopEnforceResiliencyScenarios+A5F78j	...
		pop	edi
		pop	esi
		pop	ecx
		retn
PopEnforceResiliencyScenarios endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEnforceDeepSleep proc near		; CODE XREF: PopEnforceResiliencyScenarios+Ap

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00905C79 SIZE 0000007F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[esp+10h+var_1], 0
		xor	eax, eax
		xor	edx, edx
		mov	edi, offset _PopMaxDynamicTickDurationOriginalValue
		nop
		mov	ebx, ds:_KiMaxDynamicTickDuration
		mov	ecx, ds:dword_70505C
		lock cmpxchg8b qword ptr [edi]
		call	_PopDeepSleepEnabled@0 ; PopDeepSleepEnabled()
		test	al, al
		jz	short loc_85FD65
		cmp	_PopPdcIdleResiliency, 0
		mov	al, 1
		jnz	short loc_85FD69

loc_85FD65:				; CODE XREF: PopEnforceDeepSleep+34j
		mov	al, [esp+10h+var_1]

loc_85FD69:				; CODE XREF: PopEnforceDeepSleep+3Fj
		test	esi, esi
		jnz	loc_905C79
		test	al, al
		jnz	loc_905CB2

loc_85FD79:				; CODE XREF: PopEnforceDeepSleep+A5F5Fj
					; PopEnforceDeepSleep+A5F89j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
PopEnforceDeepSleep endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2042. RtlDestroyHeap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlDestroyHeap
RtlDestroyHeap	proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00905CF8 SIZE 000000A8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_905CF8
		cmp	dword ptr [edi+8], 0CCDDCCDDh
		jnz	loc_905D15

loc_85FDAE:				; CODE XREF: RtlDestroyHeap+A5F79j
					; RtlDestroyHeap+A6015j
		xor	eax, eax
		pop	edi
		leave
		retn	4
RtlDestroyHeap	endp

; 
		align 2

;  S U B	R O U T	I N E 


PopPolicyWorkerActionPromote proc near	; CODE XREF: PopPolicyWorkerThread+88p
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	eax, large fs:124h
		mov	dword_6C282C, eax
		mov	al, _PopAction
		test	al, al
		jnz	sub_905DA0

loc_85FDD3:				; CODE XREF: sub_905DA0+60j
		and	dword_6C282C, 0
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	eax, large fs:124h
		cmp	dword ptr [eax+13Ch], 0
		jnz	short loc_85FDF1
		xor	eax, eax
		retn
; 

loc_85FDF1:				; CODE XREF: PopPolicyWorkerActionPromote+36j
		push	20h
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PopPolicyWorkerActionPromote endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpServiceMainThreadBoostPrep proc near	; CODE XREF: PfpScenCtxScenarioSet+106p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00905E05 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	esi
		push	edi
		mov	eax, [ebx+2Ch]
		test	eax, eax
		jz	short loc_85FE68
		lea	ecx, [ebp+var_4]
		push	ecx
		push	eax
		call	_PsLookupThreadByThreadId@8 ; PsLookupThreadByThreadId(x,x)
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	loc_905E0A
		mov	eax, [edi+280h]
		cmp	eax, [ebx+30h]
		jnz	short loc_85FE6F
		mov	eax, [edi+284h]
		cmp	eax, [ebx+34h]
		jnz	short loc_85FE6F
		push	44506650h
		push	60h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_905E05
		mov	ecx, [ebp+var_8]
		xor	esi, esi
		mov	[ecx], edi
		mov	[ecx+4], eax

loc_85FE61:				; CODE XREF: PfpServiceMainThreadBoostPrep+77j
					; PfpServiceMainThreadBoostPrep+A6016j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_85FE68:				; CODE XREF: PfpServiceMainThreadBoostPrep+19j
		mov	esi, 80000022h
		jmp	short loc_85FE61
; 

loc_85FE6F:				; CODE XREF: PfpServiceMainThreadBoostPrep+3Bj
					; PfpServiceMainThreadBoostPrep+46j
		mov	esi, 0C0000059h
		jmp	loc_905E0A
PfpServiceMainThreadBoostPrep endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpDeleteCallback(x)
_ExpDeleteCallback@4 proc near		; DATA XREF: ExpInitializeCallbacks()+76o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		dec	word ptr [edi+13Eh]
		nop
		mov	ebx, offset _ExpCallbackListLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+arg_0]
		add	edx, 14h
		mov	esi, [edx]
		cmp	[esi+4], edx
		jnz	short loc_85FECF
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	short loc_85FECF
		mov	[eax], esi
		xor	edx, edx
		mov	ecx, ebx
		mov	[esi+4], eax
		call	ExReleasePushLockEx
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_85FECF:				; CODE XREF: ExpDeleteCallback(x)+30j
					; ExpDeleteCallback(x)+37j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExpDeleteCallback@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceKernelQueriesAllowed(x)
_PopDiagTraceKernelQueriesAllowed@4 proc near ;	CODE XREF: PAGELK:0071EF55p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	bl, cl
		jz	short loc_85FF40
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_KERNEL_QUERY_ALLOWED
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_85FF3E
		movzx	eax, bl
		xor	ecx, ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	1
		push	ecx
		push	offset _POP_ETW_EVENT_KERNEL_QUERY_ALLOWED
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_85FF3E:				; CODE XREF: PopDiagTraceKernelQueriesAllowed(x)+3Aj
		pop	edi
		pop	esi

loc_85FF40:				; CODE XREF: PopDiagTraceKernelQueriesAllowed(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceKernelQueriesAllowed@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetDisplayStatus(x)
_PopSetDisplayStatus@4 proc near	; CODE XREF: NtPowerInformation+112Bp
					; PopPowerInformationInternal+1712EEp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, ecx
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	cl, 1
		mov	esi, eax
		call	PopAcquireAdaptiveLock
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	_PopSetSessionDisplayStatus@12 ; PopSetSessionDisplayStatus(x,x,x)
		call	PopReleaseAdaptiveLock
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_PopSetDisplayStatus@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopQueryPowerSettingUlong(x, x, x)
_PopQueryPowerSettingUlong@12 proc near	; CODE XREF: PAGELK:0071EE17p
					; PAGELK:0071F56Dp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		xor	bl, bl
		push	edi
		mov	ecx, offset _PopSettingLock
		mov	edi, edx
		call	ExAcquireFastMutex
		or	edx, 0FFFFFFFFh
		mov	ecx, esi
		call	_PopFindPowerSettingConfiguration@8 ; PopFindPowerSettingConfiguration(x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_85FFDB
		mov	eax, [edx+30h]
		test	eax, eax
		jz	short loc_85FFDB
		cmp	dword ptr [eax+4], 4
		jb	short loc_85FFDB
		mov	eax, [eax+0Ch]
		mov	[edi], eax
		mov	edx, [edx+34h]
		test	edx, edx
		jz	short loc_85FFDB
		cmp	dword ptr [edx+4], 4
		jb	short loc_85FFDB
		mov	eax, [ebp+arg_0]
		inc	bl
		mov	edx, [edx+0Ch]
		mov	[eax], edx

loc_85FFDB:				; CODE XREF: PopQueryPowerSettingUlong(x,x,x)+26j
					; PopQueryPowerSettingUlong(x,x,x)+2Dj	...
		mov	ecx, offset _PopSettingLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
_PopQueryPowerSettingUlong@12 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1738. PoUserShutdownCancelled

;  S U B	R O U T	I N E 


; __stdcall PoUserShutdownCancelled()
		public _PoUserShutdownCancelled@0
_PoUserShutdownCancelled@0 proc	near	; CODE XREF: PopPowerInformationInternal+47Ep
		mov	edi, edi
		push	ecx
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	short loc_860014
		xor	edx, edx
		mov	ecx, offset _PopClearUserShutdownMarkerWorkItem
		inc	edx
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)
		mov	cl, 1
		call	_PopUserShutdownCancelled@4 ; PopUserShutdownCancelled(x)

loc_860014:				; CODE XREF: PoUserShutdownCancelled()+Aj
		pop	ecx
		retn
_PoUserShutdownCancelled@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopUserShutdownCancelled(x)
_PopUserShutdownCancelled@4 proc near	; CODE XREF: PoUserShutdownCancelled()+1Bp
					; PopUserShutdownDelayWorkerCallback(x)+Bp
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	bl, bl
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	_PopUserShutdownInProgress, bl
		jz	short loc_860045
		push	offset _PopUserShutdownDelayTimer
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		mov	_PopUserShutdownInProgress, bl
		inc	bl
		and	_PopBsdShutdownInProgress, 0

loc_860045:				; CODE XREF: PopUserShutdownCancelled(x)+14j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	eax, dword_6D6FB0
		test	eax, eax
		jz	short loc_860058
		push	esi
		call	eax
		mov	bl, al

loc_860058:				; CODE XREF: PopUserShutdownCancelled(x)+3Bj
		test	bl, bl
		jz	short loc_860064
		push	3
		pop	ecx
		call	PpmEndHighPerfRequest

loc_860064:				; CODE XREF: PopUserShutdownCancelled(x)+44j
		pop	esi
		pop	ebx
		pop	ecx
		retn
_PopUserShutdownCancelled@4 endp


;  S U B	R O U T	I N E 


PopPowerAggregatorNotifyDisplayPoweredOn proc near ; CODE XREF:	NtPowerInformation+1142p
					; PopPowerInformationInternal+171301p

; FUNCTION CHUNK AT 00905E1D SIZE 00000016 BYTES

		mov	eax, dword_6D6FFC
		test	eax, eax
		jz	short loc_860073
		call	eax

loc_860073:				; CODE XREF: PopPowerAggregatorNotifyDisplayPoweredOn+7j
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopPowerAggregatorLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		cmp	dword_6C0A08, 2
		mov	dword_6C09A4, eax
		jz	loc_905E1D

loc_8600A8:				; CODE XREF: PopPowerAggregatorNotifyDisplayPoweredOn+A5DC6j
		cmp	dword_6C09A4, 0
		jz	short loc_8600B8
		and	dword_6C09A4, 0

loc_8600B8:				; CODE XREF: PopPowerAggregatorNotifyDisplayPoweredOn+47j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
PopPowerAggregatorNotifyDisplayPoweredOn endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDispatchFullWake(x)
_PopDispatchFullWake@4 proc near	; CODE XREF: PopPolicyWorkerNotify()+33p
					; DATA XREF: .text:_PopNotifyWorko
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		cmp	byte_6C26C1, 3
		jz	short loc_860113
		push	9
		xor	cl, cl
		call	PopNotifyConsoleUserPresent
		mov	eax, _PopFullWake
		and	al, 3
		cmp	al, 2
		jnz	short loc_860113
		xor	ecx, ecx
		mov	eax, offset _PopFullWake
		inc	ecx
		lock or	[eax], ecx
		xor	edx, edx
		xor	ecx, ecx
		call	PopEventCalloutDispatch
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		push	4
		pop	ecx
		call	PopInitSIdle
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_860113:				; CODE XREF: PopDispatchFullWake(x)+Fj
					; PopDispatchFullWake(x)+23j
		mov	eax, large fs:124h
		cmp	dword ptr [eax+13Ch], 0
		jnz	short loc_860128
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_860128:				; CODE XREF: PopDispatchFullWake(x)+58j
		push	20h
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall PopClearUserShutdownMarkerWorker(x)
_PopClearUserShutdownMarkerWorker@4:	; DATA XREF: PoInitSystem+152o
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		and	byte_6D4A00, 0FBh
		push	8
		pop	ecx
		mov	dword_6C3D9C, eax
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		mov	ecx, offset _PopClearUserShutdownMarkerWorkItem
		call	_PopOkayToQueueNextWorkItem@4 ;	PopOkayToQueueNextWorkItem(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_86017F
		and	dword_6C3D9C, 0

loc_86017F:				; CODE XREF: PopDispatchFullWake(x)+AEj
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	esi
		retn	4
_PopDispatchFullWake@4 endp ; sp = -4

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopSetUserShutdownMarkerWorker(x)
_PopSetUserShutdownMarkerWorker@4 proc near ; DATA XREF: PoInitSystem+112o
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		or	byte_6D4A00, 4
		push	8
		pop	ecx
		mov	dword_6C3D9C, eax
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		mov	ecx, offset _PopSetUserShutdownMarkerWorkItem
		call	_PopOkayToQueueNextWorkItem@4 ;	PopOkayToQueueNextWorkItem(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_8601E3
		and	dword_6C3D9C, 0

loc_8601E3:				; CODE XREF: PopSetUserShutdownMarkerWorker(x)+48j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	esi
		retn	4
_PopSetUserShutdownMarkerWorker@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopAdvanceSystemPowerState proc	near	; CODE XREF: PAGELK:0071EE7Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00905E33 SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_860235
		push	edi
		mov	edi, [esi]
		cmp	edi, 2
		jl	short loc_860234
		push	ebx
		xor	ebx, ebx
		inc	ebx
		cmp	edi, 6
		jge	short loc_860231
		sub	edx, 0
		jnz	loc_905E33
		lea	eax, [edi-1]

loc_86021F:				; CODE XREF: PopAdvanceSystemPowerState+A5C5Aj
		mov	[esi], eax
		call	PopVerifySystemPowerState

loc_860226:				; CODE XREF: PopAdvanceSystemPowerState+A5C45j
					; PopAdvanceSystemPowerState+A5C6Dj ...
		mov	eax, [esi]
		cmp	eax, ebx
		jz	short loc_860233
		cmp	eax, [ebp+arg_0]
		jge	short loc_86023A

loc_860231:				; CODE XREF: PopAdvanceSystemPowerState+1Bj
					; PopAdvanceSystemPowerState+49j ...
		mov	[esi], ebx

loc_860233:				; CODE XREF: PopAdvanceSystemPowerState+34j
					; PopAdvanceSystemPowerState+47j
		pop	ebx

loc_860234:				; CODE XREF: PopAdvanceSystemPowerState+12j
		pop	edi

loc_860235:				; CODE XREF: PopAdvanceSystemPowerState+Aj
		pop	esi
		pop	ebp
		retn	8
; 

loc_86023A:				; CODE XREF: PopAdvanceSystemPowerState+39j
		cmp	eax, [ebp+arg_4]
		jle	short loc_860233
		jmp	short loc_860231
PopAdvanceSystemPowerState endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopBootLoaderTraceProcess()
_PopBootLoaderTraceProcess@0 proc near	; CODE XREF: PAGELK:0071FAE9p
		mov	edi, edi
		push	esi
		mov	esi, dword_6C26F8
		test	esi, esi
		jz	short loc_86028A
		call	BapdRecordFirmwareBootStats
		mov	eax, dword_6B2B74
		xor	edx, edx
		mov	ecx, dword_6B2B70
		push	eax
		push	ecx
		mov	dword_6B2B58, edx
		mov	dword_6B2B70, edx
		mov	dword_6B2B74, edx
		call	EtwUnregister
		mov	ecx, [esi+90h]
		test	ecx, ecx
		jz	short loc_86028A
		pop	esi
		jmp	_PopBootLoaderTraceEtwEvents@4 ; PopBootLoaderTraceEtwEvents(x)
; 

loc_86028A:				; CODE XREF: PopBootLoaderTraceProcess()+Bj
					; PopBootLoaderTraceProcess()+40j
		pop	esi
		retn
_PopBootLoaderTraceProcess@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopBootLoaderTraceEtwEvents(x)
_PopBootLoaderTraceEtwEvents@4 proc near ; CODE	XREF: PopBootLoaderTraceProcess()+43j
		mov	edi, edi
		push	ecx
		mov	eax, [ecx+10h]
		cmp	dword ptr [eax], 4C626948h
		jnz	short loc_8602AB
		mov	edx, [eax+0Ch]
		test	edx, edx
		jz	short loc_8602AB
		mov	ecx, [eax+8]
		add	ecx, eax
		call	BapdWriteEtwEvents

loc_8602AB:				; CODE XREF: PopBootLoaderTraceEtwEvents(x)+Cj
					; PopBootLoaderTraceEtwEvents(x)+13j
		pop	ecx
		retn
_PopBootLoaderTraceEtwEvents@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopEsExitSleep()
_PopEsExitSleep@0 proc near		; CODE XREF: PAGELK:0071F2A7p
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopEsLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6BFD2C, eax
		call	PopEsStartTelemetry
		cmp	dword_6BFD2C, 0
		jz	short loc_8602EB
		and	dword_6BFD2C, 0

loc_8602EB:				; CODE XREF: PopEsExitSleep()+34j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopEsExitSleep@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipDoDisableRequest proc near		; CODE XREF: WmipSendDisableRequest(x,x)+39p
					; WmipEnableCollectionForNewGuid+9D039p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00905E70 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		mov	ebx, edx
		test	bl, bl
		push	esi
		setz	al
		mov	esi, ecx
		push	edi
		lea	eax, ds:5[eax*2]
		mov	[esp+10h+var_4], eax

loc_86031A:				; CODE XREF: WmipDoDisableRequest+A5B9Ej
		push	ebx
		mov	edx, esi
		mov	cl, al
		call	WmipSendEnableDisableRequest
		mov	edi, eax
		test	bl, bl
		jz	short loc_86034C
		mov	ecx, [esi+38h]

loc_86032D:				; CODE XREF: WmipDoDisableRequest+55j
		test	ecx, ecx
		jnz	loc_905E70

loc_860335:				; CODE XREF: WmipDoDisableRequest+A5BA4j
		mov	eax, [ebp+arg_0]
		not	eax
		and	[esi+8], eax
		test	bl, bl
		jz	short loc_860351

loc_860341:				; CODE XREF: WmipDoDisableRequest+5Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_86034C:				; CODE XREF: WmipDoDisableRequest+2Ej
		mov	ecx, [esi+3Ch]
		jmp	short loc_86032D
; 

loc_860351:				; CODE XREF: WmipDoDisableRequest+45j
		mov	ecx, esi
		call	WmipReleaseCollectionEnabled
		jmp	short loc_860341
WmipDoDisableRequest endp


;  S U B	R O U T	I N E 


; __stdcall PopPolicyTimeChange()
_PopPolicyTimeChange@0 proc near
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	10h
		push	offset _PopTimeChangeInfo
		push	offset _WNF_PO_SYSTEM_TIME_CHANGED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	ecx, offset _ExpTimeRefreshLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	3
		xor	edx, edx
		pop	ecx
		call	PopEventCalloutDispatch
		xor	eax, eax
		retn
_PopPolicyTimeChange@0 endp


;  S U B	R O U T	I N E 


BcdFlushStore	proc near		; CODE XREF: PopBcdClearPendingResume(x)+4Bp

; FUNCTION CHUNK AT 00905EA3 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		call	_BiIsOfflineHandle@4 ; BiIsOfflineHandle(x)
		mov	bl, al
		mov	cl, al
		call	BiAcquireBcdSyncMutant
		mov	edx, eax
		test	edx, edx
		js	loc_905EA3
		mov	ecx, esi
		call	_BiSanitizeHandle@4 ; BiSanitizeHandle(x)
		push	eax
		call	_ZwFlushKey@4	; ZwFlushKey(x)
		mov	cl, bl
		mov	esi, eax
		call	_BiReleaseBcdSyncMutant@4 ; BiReleaseBcdSyncMutant(x)
		mov	eax, esi

loc_8603CA:				; CODE XREF: BcdFlushStore+A5B21j
		pop	esi
		pop	ebx
		retn
BcdFlushStore	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdateSmbiosData(x, x, x, x, x)
_PopUpdateSmbiosData@20	proc near	; CODE XREF: PoBroadcastSystemState+469p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, ds:_WmipSMBiosTablePhysicalAddress
		push	esi
		mov	esi, ds:_WmipSMBiosTableLength
		mov	byte ptr ds:_WmipSMBiosVersionInfo+1, cl
		mov	ecx, [ebp+arg_4]
		mov	byte ptr ds:_WmipSMBiosVersionInfo+2, dl
		mov	edx, [ebp+arg_0]
		mov	ds:_WmipSMBiosTablePhysicalAddress, ecx
		mov	ds:_WmipSMBiosTableLength, edx
		push	edi
		mov	edi, ds:dword_A93DB4
		mov	ds:dword_A93DB4, eax
		cmp	ecx, ebx
		jnz	short loc_860421
		cmp	eax, edi
		jnz	short loc_860421
		cmp	edx, esi
		jnz	short loc_860421

loc_86041A:				; CODE XREF: PopUpdateSmbiosData(x,x,x,x,x)+5Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_860421:				; CODE XREF: PopUpdateSmbiosData(x,x,x,x,x)+42j
					; PopUpdateSmbiosData(x,x,x,x,x)+46j ...
		push	eax
		push	ecx
		push	edi
		push	ebx
		mov	ecx, esi
		call	_PopTraceSmbiosChange@24 ; PopTraceSmbiosChange(x,x,x,x,x,x)
		jmp	short loc_86041A
_PopUpdateSmbiosData@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIsRunningAsLocalSystem()
_PopIsRunningAsLocalSystem@0 proc near	; CODE XREF: PopPowerInformationInternal:loc_765D5Ep
					; PopPowerInformationInternal:loc_8D6AD6p ...

var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		lea	eax, [ebp-1]
		mov	[ebp+var_1], 0
		push	eax
		push	_SeLocalSystemSid
		push	0
		call	_RtlCheckTokenMembership@12 ; RtlCheckTokenMembership(x,x,x)
		mov	al, [ebp+var_1]
		leave
		retn
_PopIsRunningAsLocalSystem@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ExFreeCallBack(x)
_ExFreeCallBack@4 proc near		; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+314p
					; SmPerformStoreSwapOperation+FED4Fp ...
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
_ExFreeCallBack@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspClosePartitionHandle	proc near	; CODE XREF: KsepCacheDeviceInsertData+859BFp
					; DATA XREF: PspInitPhase0+4BDo

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00905EBA SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+10h], eax
		dec	eax
		test	eax, eax
		jle	loc_905EBA

loc_860473:				; CODE XREF: PspClosePartitionHandle+A5A67j
					; PspClosePartitionHandle+A5A71j
		pop	ebp
		retn	10h
PspClosePartitionHandle	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1030. IoUnregisterPlugPlayNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoUnregisterPlugPlayNotification(x)
		public _IoUnregisterPlugPlayNotification@4
_IoUnregisterPlugPlayNotification@4 proc near ;	CODE XREF: SmKmFileInfoCleanup(x)+1Bp
					; SbpWaitForVmbus()+5Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		xor	dl, dl
		call	PnpUnregisterPlugPlayNotification
		pop	ecx
		pop	ebp
		retn	4
_IoUnregisterPlugPlayNotification@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PpmPerfReApplyStates()
_PpmPerfReApplyStates@0	proc near	; CODE XREF: PAGELK:0071FB35p
		mov	edi, edi
		push	ecx
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		call	_PpmPerfSetAllDomainsToUpdate@0	; PpmPerfSetAllDomainsToUpdate()
		xor	edx, edx
		mov	ecx, offset _PpmAllowedActions
		call	PpmUpdateProcessorPolicy
		push	2
		pop	ecx
		call	_PpmCheckCustomRun@4 ; PpmCheckCustomRun(x)
		pop	ecx
		retn
_PpmPerfReApplyStates@0	endp


;  S U B	R O U T	I N E 


; __stdcall WmiReleaseSmbiosLockExclusive()
_WmiReleaseSmbiosLockExclusive@0 proc near ; CODE XREF:	PoBroadcastSystemState+477p
		mov	edi, edi
		push	ecx
		mov	ecx, offset _WmipSMBiosLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	ecx
		retn
_WmiReleaseSmbiosLockExclusive@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall WmiAcquireSmbiosLockExclusive()
_WmiAcquireSmbiosLockExclusive@0 proc near ; CODE XREF:	PoBroadcastSystemState+27Dp
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _WmipSMBiosLock
		call	ExAcquireResourceExclusiveLite
		retn
_WmiAcquireSmbiosLockExclusive@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PerfDiagpShutdownProxyCallback(x, x, x, x, x, x, x,	x, x)
_PerfDiagpShutdownProxyCallback@36 proc	near ; DATA XREF: PerfDiagInitialize()+6Co

arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		jz	short loc_86050B
		cmp	[ebp+arg_8], 55h
		jnz	short loc_86050B
		push	7
		pop	ecx
		call	_PerfDiagpRequestState@4 ; PerfDiagpRequestState(x)

loc_86050B:				; CODE XREF: PerfDiagpShutdownProxyCallback(x,x,x,x,x,x,x,x,x)+9j
					; PerfDiagpShutdownProxyCallback(x,x,x,x,x,x,x,x,x)+Fj
		pop	ebp
		retn	24h
_PerfDiagpShutdownProxyCallback@36 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PopSuspendResumePdc(x)
_PopSuspendResumePdc@4 proc near	; CODE XREF: NtPowerInformation+1326p
		mov	eax, dword_6D6FC0
		test	eax, eax
		jz	short locret_86051C
		push	ecx
		call	eax

locret_86051C:				; CODE XREF: PopSuspendResumePdc(x)+7j
		retn
_PopSuspendResumePdc@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall NtIsSystemResumeAutomatic()
_NtIsSystemResumeAutomatic@0 proc near	; DATA XREF: .text:00580FCCo
		mov	eax, _PopFullWake
		and	al, 3
		neg	al
		sbb	al, al
		inc	al
		retn
_NtIsSystemResumeAutomatic@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopSpoilEstimatesOnPowerStateTransitionWorker(x)
_PopSpoilEstimatesOnPowerStateTransitionWorker@4 proc near ; DATA XREF:	PAGELK:0071F2CBo
		xor	ecx, ecx
		xor	dl, dl
		inc	ecx
		call	_PopSpoilBatteryEstimate@8 ; PopSpoilBatteryEstimate(x,x)
		retn	4
_PopSpoilEstimatesOnPowerStateTransitionWorker@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiLoadSystemStore proc near		; CODE XREF: BiOpenSystemStore+EAp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00903550 SIZE 00000085 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_8], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_4], edi
		call	BcdGetSystemStorePath
		mov	esi, eax
		test	esi, esi
		js	loc_860603
		mov	esi, [ebp+var_4]
		lea	ecx, [esi+2]

loc_86056E:				; CODE XREF: BiLoadSystemStore+3Dj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, di
		jnz	short loc_86056E
		sub	esi, ecx
		sar	esi, 1
		push	4B444342h
		lea	ebx, ds:0Eh[esi*2]
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_903550
		lea	eax, ds:2[esi*2]
		mov	[edi+4], ebx
		push	eax		; size_t
		push	[ebp+var_4]	; void *
		lea	ebx, [edi+0Ch]
		mov	dword ptr [edi], 1
		push	ebx		; void *
		mov	dword ptr [edi+8], 3
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_8]
		xor	edx, edx
		mov	ecx, edi
		push	eax
		call	BiAddStoreFromFile
		mov	esi, eax
		test	esi, esi
		js	loc_90355A
		mov	ebx, [ebp+var_8]
		mov	dl, 1
		mov	ecx, ebx
		call	BiMarkTreatAsSystemStore
		mov	esi, eax
		test	esi, esi
		js	loc_903590
		mov	ecx, ebx
		call	_BiIsSystemStore@4 ; BiIsSystemStore(x)
		test	al, al
		jz	loc_9035B0
		mov	eax, [ebp+var_C]
		mov	[eax], ebx

loc_860603:				; CODE XREF: BiLoadSystemStore+28j
					; BiLoadSystemStore+A301Bj ...
		cmp	[ebp+var_4], 0
		jz	short loc_860616
		push	4B444342h
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_860616:				; CODE XREF: BiLoadSystemStore+CDj
		test	edi, edi
		jz	short loc_860625
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_860625:				; CODE XREF: BiLoadSystemStore+DEj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
BiLoadSystemStore endp


;  S U B	R O U T	I N E 


BiCloseStore	proc near		; CODE XREF: BcdCloseStore+58p
					; BiOpenSystemStore+A24EBp

; FUNCTION CHUNK AT 009035D5 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		xor	edi, edi
		call	_BiSanitizeHandle@4 ; BiSanitizeHandle(x)
		mov	esi, eax
		test	bl, 4
		jz	short loc_860650
		mov	ecx, esi
		call	BiWasFirmwareModified
		test	al, al
		jnz	loc_9035D5

loc_860650:				; CODE XREF: BiCloseStore+13j
					; BiCloseStore+A2FCEj ...
		mov	ecx, esi
		test	bl, 2
		jnz	short loc_860662
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_86065C:				; CODE XREF: BiCloseStore+3Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_860662:				; CODE XREF: BiCloseStore+29j
		xor	dl, dl
		call	_BiUnloadHiveByHandle@8	; BiUnloadHiveByHandle(x,x)
		jmp	short loc_86065C
BiCloseStore	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBcdClearPendingResume(x)
_PopBcdClearPendingResume@4 proc near	; CODE XREF: PopFreeHiberContext+2Fp
					; PoInitHiberServices+92p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		push	eax
		mov	edx, offset _GUID_WINDOWS_BOOTMGR
		mov	edi, ecx
		call	BcdOpenObject
		test	eax, eax
		js	short loc_8606C6
		push	ecx
		mov	ecx, [ebp+var_4]
		mov	edx, 26000005h
		call	BiDeleteElement
		mov	esi, eax
		test	esi, esi
		js	short loc_8606BC
		push	ecx
		mov	ecx, [ebp+var_4]
		mov	edx, 26000025h
		call	BiDeleteElement
		mov	esi, eax
		test	esi, esi
		js	short loc_8606BC
		mov	ecx, edi
		call	BcdFlushStore

loc_8606BC:				; CODE XREF: PopBcdClearPendingResume(x)+33j
					; PopBcdClearPendingResume(x)+47j
		mov	ecx, [ebp+var_4]
		call	_BcdCloseObject@4 ; BcdCloseObject(x)
		mov	eax, esi

loc_8606C6:				; CODE XREF: PopBcdClearPendingResume(x)+1Fj
		pop	edi
		pop	esi
		leave
		retn
_PopBcdClearPendingResume@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiAddStoreFromFile proc	near		; CODE XREF: BiLoadSystemStore+90p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00903614 SIZE 000001AC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	[esp+3Ch+var_20], eax
		xor	eax, eax
		push	edi
		mov	[esp+40h+var_24], edx
		mov	edi, ecx
		mov	[esp+40h+var_28], eax
		mov	ebx, eax
		mov	[esp+40h+var_34], eax
		mov	[esp+40h+var_30], eax
		mov	[esp+40h+var_2C], eax

loc_860704:				; CODE XREF: BiAddStoreFromFile+A2F7Cj
		push	ebx
		push	(offset	loc_8C6C61+1)
		lea	eax, [esp+48h+var_1C]
		push	0Ch
		push	eax
		call	_swprintf_s
		add	esp, 10h
		lea	eax, [esp+40h+var_34]
		mov	edx, edi
		lea	ecx, [esp+40h+var_1C]
		push	eax
		call	BiLoadHive
		mov	esi, eax
		test	esi, esi
		js	loc_903614
		push	ebx
		push	offset ??_C@_1CO@NBIMBNIG@?$AAL?$AAo?$AAa?$AAd?$AAe?$AAd?$AA?5?$AAh?$AAi?$AAv?$AAe?$AA?5?$AAa?$AAt?$AA?5@NNGAKEGL@
		push	2
		call	_BiLogMessage
		add	esp, 0Ch
		test	byte ptr [esp+40h+var_24], 1
		jnz	loc_9036F1

loc_86074E:				; CODE XREF: BiAddStoreFromFile+A30A3j
		mov	ecx, [esp+40h+var_34]
		lea	eax, [esp+40h+var_28]
		push	eax
		push	2001Fh
		mov	edx, offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		call	BiOpenKey
		mov	ebx, [esp+40h+var_28]
		mov	esi, eax
		test	esi, esi
		js	loc_903775
		push	18h
		lea	eax, [esp+44h+var_1C]
		mov	edx, offset ??_C@_1BA@PCNMLPEP@?$AAK?$AAe?$AAy?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@ ; "KeyName"
		push	eax
		push	1
		push	0
		mov	ecx, ebx
		call	BiSetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	loc_9037A2
		mov	ecx, [esp+40h+var_20]
		mov	eax, [esp+40h+var_34]
		mov	[ecx], eax

loc_86079F:				; CODE XREF: BiAddStoreFromFile+A30F1j
		test	ebx, ebx
		jz	short loc_8607AA
		mov	ecx, ebx
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_8607AA:				; CODE XREF: BiAddStoreFromFile+D7j
					; BiAddStoreFromFile+A3073j
		mov	ecx, [esp+40h+var_30]
		test	ecx, ecx
		jnz	short loc_8607D0

loc_8607B2:				; CODE XREF: BiAddStoreFromFile+10Bj
					; BiAddStoreFromFile+A3022j
		test	esi, esi
		js	loc_903669

loc_8607BA:				; CODE XREF: BiAddStoreFromFile+A2FA5j
					; BiAddStoreFromFile+A2FD9j
		mov	ecx, [esp+40h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_8607D0:				; CODE XREF: BiAddStoreFromFile+E6j
		call	_BiCloseKey@4	; BiCloseKey(x)
		jmp	short loc_8607B2
BiAddStoreFromFile endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiMarkTreatAsSystemStore proc near	; CODE XREF: BiLoadSystemStore+A6p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009037C0 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_C], 0
		lea	eax, [esp+0Ch+var_8]
		and	[esp+0Ch+var_8], 0
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [esp+1Ch+var_C]
		mov	bl, dl
		push	eax
		push	4
		push	offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		mov	edx, offset ??_C@_1O@GINMMDNN@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm@NNGAKEGL@
		mov	edi, ecx
		call	BiGetRegistryValue
		test	eax, eax
		js	loc_9037C0
		mov	eax, [esp+18h+var_C]
		push	4B444342h
		push	eax
		mov	esi, [eax]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	loc_9037C0
		test	bl, bl
		jz	loc_9037C0
		push	4
		lea	eax, [esp+1Ch+var_4]
		mov	[esp+1Ch+var_4], 1
		push	eax
		push	4
		push	offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		mov	edx, (offset loc_8C6C71+1)
		mov	ecx, edi
		call	BiSetRegistryValue
		mov	ecx, eax

loc_86085B:				; CODE XREF: BiMarkTreatAsSystemStore+A3005j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
BiMarkTreatAsSystemStore endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiGetObjectDescription(x, x)
_BiGetObjectDescription@8 proc near	; CODE XREF: BcdQueryObject(x,x,x,x)+3Dp
					; BcdEnumerateObjects(x,x,x,x,x)+D1p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		push	esi
		push	edi
		lea	eax, [esp+18h+var_C]
		mov	[esp+18h+var_4], edx
		push	eax
		xor	esi, esi
		mov	edx, offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		push	20019h
		mov	[esp+20h+var_C], esi
		mov	[esp+20h+var_10], esi
		call	BiOpenKey
		mov	edi, eax
		test	edi, edi
		js	short loc_8608DC
		mov	eax, [esp+18h+var_4]
		mov	edx, offset ??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@NNGAKEGL@
		mov	ecx, [esp+18h+var_C]
		mov	[esp+18h+var_8], esi
		mov	dword ptr [eax], 1
		lea	eax, [esp+18h+var_8]
		push	eax
		lea	eax, [esp+1Ch+var_10]
		push	eax
		push	4
		push	esi
		call	BiGetRegistryValue
		mov	esi, [esp+18h+var_10]
		mov	edi, eax
		test	edi, edi
		js	short loc_8608DC
		cmp	[esp+18h+var_8], 4
		jnz	short loc_860903
		mov	ecx, [esp+18h+var_4]
		mov	eax, [esi]
		mov	[ecx+4], eax

loc_8608DC:				; CODE XREF: BiGetObjectDescription(x,x)+33j
					; BiGetObjectDescription(x,x)+66j ...
		cmp	[esp+18h+var_C], 0
		jz	short loc_8608EC
		mov	ecx, [esp+18h+var_C]
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_8608EC:				; CODE XREF: BiGetObjectDescription(x,x)+7Dj
		test	esi, esi
		jz	short loc_8608FB
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8608FB:				; CODE XREF: BiGetObjectDescription(x,x)+8Aj
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_860903:				; CODE XREF: BiGetObjectDescription(x,x)+6Dj
		mov	edi, 0C0000024h
		jmp	short loc_8608DC
_BiGetObjectDescription@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiLoadHive	proc near		; CODE XREF: BiAddStoreFromFile+5Ap

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009037E2 SIZE 000000EE BYTES
; FUNCTION CHUNK AT 009038E6 SIZE 00000012 BYTES

		push	64h
		push	offset dword_6A49B8
		call	__SEH_prolog4
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ecx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_74]
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_5C]
		rep stosd
		xor	edi, edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_2C], edi

loc_860945:				; CODE XREF: BiLoadHive+A2FE9j
		mov	ebx, edi
		mov	[ebp+var_20], ebx
		mov	ecx, [ebp+var_28]
		call	_BiDoesHiveExist@4 ; BiDoesHiveExist(x)
		test	al, al
		jz	loc_9037E2
		lea	eax, [ebp+var_20]
		push	eax
		push	0F003Fh
		mov	edx, offset ??_C@_1CE@NMBJJGCH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\"
		xor	ecx, ecx
		call	BiOpenKeyNonBcd
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_9037EF
		push	[ebp+var_24]
		lea	eax, [ebp+var_3C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_5C], 18h
		mov	ebx, [ebp+var_20]
		mov	[ebp+var_58], ebx
		mov	esi, 240h
		mov	[ebp+var_50], esi
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_54], eax
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], edi
		mov	eax, [ebp+var_28]
		add	eax, 0Ch
		mov	[ebp+var_20], eax
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_74], 18h
		mov	[ebp+var_70], edi
		mov	[ebp+var_68], esi
		lea	eax, [ebp+var_44]
		mov	[ebp+var_6C], eax
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], edi
		lea	edx, [ebp+var_34]
		push	12h
		pop	ecx
		call	BiAcquirePrivilege
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_90380C
		mov	[ebp+var_1C], offset _ZwLoadKey2@12 ; ZwLoadKey2(x,x,x)
		push	1780h
		lea	eax, [ebp+var_74]
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		call	_ZwLoadKey2@12	; ZwLoadKey2(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_903826

loc_860A10:				; CODE XREF: BiLoadHive+A2F32j
					; BiLoadHive+A2F47j
		mov	[ebp+var_1C], esi
		lea	ecx, [ebp+var_34]
		call	_BiReleasePrivilege@4 ;	BiReleasePrivilege(x)
		test	esi, esi
		js	loc_903856
		lea	eax, [ebp+var_5C]
		push	eax
		push	20019h
		push	[ebp+arg_0]
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_903887

loc_860A41:				; CODE XREF: BiLoadHive+A2EE0j
					; BiLoadHive+A2EFDj ...
		test	ebx, ebx
		jz	short loc_860A4B
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_860A4B:				; CODE XREF: BiLoadHive+139j
		cmp	esi, 0C000017Dh
		jz	loc_9038C0

loc_860A57:				; CODE XREF: BiLoadHive+A2FDFj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
BiLoadHive	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiReleasePrivilege(x)
_BiReleasePrivilege@4 proc near		; CODE XREF: BiUnloadHiveByName+9Cp
					; BiLoadHive+10Cp ...

var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, ecx
		mov	byte ptr [ebp+var_1], 0
		cmp	byte ptr [esi+4], 0
		jnz	short loc_860A8E
		mov	ecx, [esi]
		lea	eax, [ebp+var_1]
		push	eax
		xor	dl, dl
		call	BiAdjustPrivilege

loc_860A8E:				; CODE XREF: BiReleasePrivilege(x)+13j
		cmp	byte ptr [esi+5], 0
		jnz	short loc_860AA7
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		push	4
		push	eax
		push	5
		push	0FFFFFFFEh
		call	_ZwSetInformationThread@16 ; ZwSetInformationThread(x,x,x,x)

loc_860AA7:				; CODE XREF: BiReleasePrivilege(x)+26j
		pop	esi
		leave
		retn
_BiReleasePrivilege@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiAcquirePrivilege proc	near		; CODE XREF: BiUnloadHiveByName+7Bp
					; BiLoadHive+D1p ...

var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 009038F8 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	byte ptr [ebp+var_1], 0
		mov	edi, edx
		mov	[ebp+var_8], esi
		call	_BiIsImpersonating@0 ; BiIsImpersonating()
		mov	bl, al
		test	bl, bl
		jnz	short loc_860ADB
		push	0
		push	2
		xor	edx, edx
		pop	ecx
		call	_RtlImpersonateSelfEx@12 ; RtlImpersonateSelfEx(x,x,x)
		test	eax, eax
		js	short loc_860B02

loc_860ADB:				; CODE XREF: BiAcquirePrivilege+1Fj
		lea	eax, [ebp+var_1]
		mov	dl, 1
		push	eax
		mov	ecx, esi
		call	BiAdjustPrivilege
		mov	esi, eax
		test	esi, esi
		js	loc_9038F8
		mov	eax, [ebp+var_8]
		mov	[edi], eax
		mov	al, byte ptr [ebp+var_1]
		mov	[edi+5], bl
		mov	[edi+4], al

loc_860B00:				; CODE XREF: BiAcquirePrivilege+A2E50j
					; BiAcquirePrivilege+A2E69j
		mov	eax, esi

loc_860B02:				; CODE XREF: BiAcquirePrivilege+2Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
BiAcquirePrivilege endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiAdjustPrivilege proc near		; CODE XREF: BiReleasePrivilege(x)+1Dp
					; BiAcquirePrivilege+39p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_1C		= byte ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00903918 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_38], 0
		xor	eax, eax
		and	[ebp+var_C], 0
		or	[ebp+var_30], 0FFFFFFFFh
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		lea	edi, [ebp+var_28]
		mov	[ebp+var_29], dl
		stosd
		mov	[ebp+var_34], ecx
		stosd
		stosd
		stosd
		call	_BiIsImpersonating@0 ; BiIsImpersonating()
		test	al, al
		lea	eax, [ebp+var_30]
		push	eax
		jz	loc_90392A
		mov	edi, 200h
		push	edi
		push	1
		push	28h
		push	0FFFFFFFEh
		call	_ZwOpenThreadTokenEx@20	; ZwOpenThreadTokenEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_903918

loc_860B67:				; CODE XREF: BiAdjustPrivilege+A2E3Aj
		and	[ebp+var_C], 0
		and	[ebp+var_10], 0
		cmp	[ebp+var_29], 0
		mov	eax, [ebp+var_34]
		mov	[ebp+var_18], 1
		mov	[ebp+var_14], eax
		jz	short loc_860B89
		mov	[ebp+var_C], 2

loc_860B89:				; CODE XREF: BiAdjustPrivilege+78j
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	10h
		lea	eax, [ebp+var_18]
		push	eax
		push	0
		push	[ebp+var_30]
		call	_ZwAdjustPrivilegesToken@24 ; ZwAdjustPrivilegesToken(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 106h
		jz	short loc_860BDF

loc_860BAB:				; CODE XREF: BiAdjustPrivilege+DCj
		test	esi, esi
		js	short loc_860BBE
		cmp	[ebp+var_28], 0
		jz	short loc_860BE6
		mov	al, [ebp+var_1C]
		shr	al, 1
		and	al, 1

loc_860BBC:				; CODE XREF: BiAdjustPrivilege+E5j
		mov	[ebx], al

loc_860BBE:				; CODE XREF: BiAdjustPrivilege+A5j
		cmp	[ebp+var_30], 0FFFFFFFFh
		jz	short loc_860BCC
		push	[ebp+var_30]
		call	_ZwClose@4	; ZwClose(x)

loc_860BCC:				; CODE XREF: BiAdjustPrivilege+BAj
					; BiAdjustPrivilege+A2E34j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_860BDF:				; CODE XREF: BiAdjustPrivilege+A1j
		mov	esi, 0C0000061h
		jmp	short loc_860BAB
; 

loc_860BE6:				; CODE XREF: BiAdjustPrivilege+ABj
		cmp	[ebp+var_29], 0
		setnz	al
		jmp	short loc_860BBC
BiAdjustPrivilege endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall BiIsImpersonating()
_BiIsImpersonating@0 proc near		; CODE XREF: BiAcquirePrivilege+16p
					; BiAdjustPrivilege+33p
		mov	eax, large fs:124h
		mov	eax, [eax+2FCh]
		shr	eax, 3
		and	al, 1
		retn
_BiIsImpersonating@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiCleanupLoadedStores proc near		; CODE XREF: BiOpenSystemStore+4Ap

var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00903947 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+24h+var_4], ecx
		push	edi
		mov	[esp+28h+var_14], esi
		mov	[esp+28h+var_10], esi
		mov	[esp+28h+var_8], esi
		mov	[esp+28h+var_C], esi
		call	_BiIsWinPEBoot@0 ; BiIsWinPEBoot()
		mov	[esp+28h+var_15], al
		mov	edx, offset ??_C@_1CE@NMBJJGCH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\"
		lea	eax, [esp+28h+var_C]
		xor	ecx, ecx
		push	eax
		push	0F003Fh
		call	BiOpenKeyNonBcd
		mov	ebx, [esp+28h+var_C]
		test	eax, eax
		js	short loc_860C97
		lea	eax, [esp+28h+var_10]
		mov	ecx, ebx
		push	eax
		lea	edx, [esp+2Ch+var_8]
		call	BiEnumerateSubKeys
		mov	edi, [esp+28h+var_8]
		test	eax, eax
		js	short loc_860C88
		cmp	[esp+28h+var_10], esi
		jbe	short loc_860C88

loc_860C6B:				; CODE XREF: BiCleanupLoadedStores+84j
		push	3		; size_t
		push	(offset	loc_8C7209+1) ;	wchar_t	*
		push	dword ptr [edi+esi*4] ;	wchar_t	*
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_860CA8

loc_860C81:				; CODE XREF: BiCleanupLoadedStores+BCj
					; BiCleanupLoadedStores+D4j ...
		inc	esi
		cmp	esi, [esp+28h+var_10]
		jb	short loc_860C6B

loc_860C88:				; CODE XREF: BiCleanupLoadedStores+61j
					; BiCleanupLoadedStores+67j
		test	edi, edi
		jz	short loc_860C97
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_860C97:				; CODE XREF: BiCleanupLoadedStores+49j
					; BiCleanupLoadedStores+88j
		test	ebx, ebx
		jz	short loc_860CA1
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_860CA1:				; CODE XREF: BiCleanupLoadedStores+97j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_860CA8:				; CODE XREF: BiCleanupLoadedStores+7Dj
		mov	eax, [edi+esi*4]
		push	0Ah		; int
		add	eax, 6
		push	0		; wchar_t **
		push	eax		; wchar_t *
		call	_wcstoul
		add	esp, 0Ch
		cmp	eax, 0FFFFFFFFh
		jz	short loc_860C81
		mov	edx, [edi+esi*4]
		lea	eax, [esp+28h+var_14]
		push	eax
		push	20019h
		mov	ecx, ebx
		call	BiOpenKey
		test	eax, eax
		js	short loc_860C81
		mov	ecx, [esp+28h+var_14]
		call	_BiIsSystemStore@4 ; BiIsSystemStore(x)
		mov	ecx, [esp+28h+var_4]
		test	cl, 10h
		jnz	loc_903947

loc_860CEE:				; CODE XREF: BiCleanupLoadedStores+A2D47j
		test	cl, 8
		jnz	short loc_860D0C
		cmp	[esp+28h+var_15], 0
		jnz	short loc_860D0C
		test	al, al
		jz	short loc_860D0C
		mov	ecx, [esp+28h+var_14]
		call	_BiCloseKey@4	; BiCloseKey(x)
		jmp	loc_860C81
; 

loc_860D0C:				; CODE XREF: BiCleanupLoadedStores+EFj
					; BiCleanupLoadedStores+F6j ...
		mov	ecx, [esp+28h+var_14]
		xor	dl, dl
		call	_BiUnloadHiveByHandle@8	; BiUnloadHiveByHandle(x,x)
		jmp	loc_860C81
BiCleanupLoadedStores endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiDeleteRegistryValue(x, x,	x)
_BiDeleteRegistryValue@12 proc near	; CODE XREF: BiSetFirmwareModified+20p
					; BiMarkTreatAsSystemStore+A2FF4p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		push	edx
		lea	eax, [ebp+var_10]
		xor	ebx, ebx
		push	eax
		mov	esi, ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, esi
		call	_BiSanitizeHandle@4 ; BiSanitizeHandle(x)
		mov	edx, [ebp+arg_0]
		mov	edi, eax
		mov	[ebp+var_8], ebx
		test	edx, edx
		jz	short loc_860D8B
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		push	2001Fh
		call	BiOpenKey
		mov	esi, [ebp+var_8]
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_860D73

loc_860D67:				; CODE XREF: BiDeleteRegistryValue(x,x,x)+71j
		lea	edx, [ebp+var_10]
		mov	ecx, esi
		call	_BiZwDeleteValueKey@8 ;	BiZwDeleteValueKey(x,x)
		mov	ebx, eax

loc_860D73:				; CODE XREF: BiDeleteRegistryValue(x,x,x)+49j
		cmp	esi, edi
		jz	short loc_860D82
		test	esi, esi
		jz	short loc_860D82
		mov	ecx, esi
		call	_BiZwClose@4	; BiZwClose(x)

loc_860D82:				; CODE XREF: BiDeleteRegistryValue(x,x,x)+59j
					; BiDeleteRegistryValue(x,x,x)+5Dj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_860D8B:				; CODE XREF: BiDeleteRegistryValue(x,x,x)+30j
		mov	esi, edi
		jmp	short loc_860D67
_BiDeleteRegistryValue@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopBcdEstablishResumeObject proc near	; CODE XREF: PopAllocateHiberContext+19Dp
					; PoInitHiberServices+8Ap

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090395D SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[esp+38h+var_20], edx
		push	esi
		push	edi
		mov	word ptr [esp+40h+var_30], ax
		lea	edi, [esp+40h+var_14]
		stosd
		xor	edx, edx
		mov	[esp+40h+var_18], edx
		mov	[esp+40h+var_28], edx
		mov	[esp+40h+var_24], ecx
		stosd
		stosd
		stosd
		lea	eax, [esp+40h+var_28]
		mov	edi, edx
		mov	edx, offset _GUID_CURRENT_BOOT_ENTRY
		push	eax
		mov	[esp+44h+var_2C], edi
		call	BcdOpenObject
		mov	ebx, [esp+40h+var_28]
		mov	esi, eax
		test	esi, esi
		js	loc_860EBA
		lea	eax, [esp+40h+var_28]
		mov	[esp+40h+var_28], 10h
		push	eax
		lea	eax, [esp+44h+var_14]
		mov	edx, 23000003h
		push	eax
		push	ecx
		mov	ecx, ebx
		call	BcdGetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	loc_903973
		mov	ecx, [esp+40h+var_24]
		lea	eax, [esp+40h+var_2C]
		push	eax
		lea	edx, [esp+44h+var_14]
		call	BcdOpenObject
		mov	edi, [esp+40h+var_2C]
		mov	esi, eax
		test	esi, esi
		js	loc_903962
		push	0
		lea	eax, [esp+44h+var_1C]
		xor	edx, edx
		push	eax
		inc	edx
		mov	ecx, edi
		call	_BcdQueryObject@16 ; BcdQueryObject(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_903962
		mov	ecx, [esp+40h+var_18]
		mov	eax, ecx
		and	eax, 0F0000000h
		cmp	eax, 10000000h
		jnz	loc_90395D
		mov	eax, ecx
		and	eax, 0F00000h
		cmp	eax, 200000h
		jnz	loc_90395D
		and	ecx, 0FFFFFh
		cmp	ecx, 4
		jnz	loc_90395D
		lea	eax, [esp+40h+var_24]
		mov	[esp+40h+var_24], 2
		push	eax
		lea	eax, [esp+44h+var_30]
		mov	edx, 26000003h
		push	eax
		push	ecx
		mov	ecx, edi
		call	BcdGetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		jns	short loc_860EF0

loc_860EAD:				; CODE XREF: PopBcdEstablishResumeObject+167j
		push	ecx
		push	ecx
		mov	edx, ebx
		mov	ecx, edi
		call	PopBcdSetDefaultResumeObjectElements
		mov	esi, eax

loc_860EBA:				; CODE XREF: PopBcdEstablishResumeObject+57j
					; PopBcdEstablishResumeObject+165j ...
		test	ebx, ebx
		jz	short loc_860EC5
		mov	ecx, ebx
		call	_BcdCloseObject@4 ; BcdCloseObject(x)

loc_860EC5:				; CODE XREF: PopBcdEstablishResumeObject+12Cj
		test	esi, esi
		js	short loc_860EF9
		mov	eax, [esp+40h+var_20]
		test	eax, eax
		jz	short loc_860EE7
		mov	[eax], edi

loc_860ED3:				; CODE XREF: PopBcdEstablishResumeObject+15Ej
					; PopBcdEstablishResumeObject+16Bj
		mov	ecx, [esp+40h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_860EE7:				; CODE XREF: PopBcdEstablishResumeObject+13Fj
					; PopBcdEstablishResumeObject+16Dj
		mov	ecx, edi
		call	_BcdCloseObject@4 ; BcdCloseObject(x)
		jmp	short loc_860ED3
; 

loc_860EF0:				; CODE XREF: PopBcdEstablishResumeObject+11Bj
		cmp	byte ptr [esp+40h+var_30], 0
		jnz	short loc_860EBA
		jmp	short loc_860EAD
; 

loc_860EF9:				; CODE XREF: PopBcdEstablishResumeObject+137j
		test	edi, edi
		jz	short loc_860ED3
		jmp	short loc_860EE7
PopBcdEstablishResumeObject endp

; 
		align 10h

;  S U B	R O U T	I N E 


BcdCloseStore	proc near		; CODE XREF: WheaPersistBadPageToBcd(x)+189p
					; PopFreeHiberContext+37p ...

; FUNCTION CHUNK AT 009039A4 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	_BiIsOfflineHandle@4 ; BiIsOfflineHandle(x)
		mov	bl, al
		mov	cl, al
		call	BiAcquireBcdSyncMutant
		mov	edx, eax
		test	edx, edx
		js	loc_9039A4
		mov	ecx, edi
		call	_BiIsSystemStore@4 ; BiIsSystemStore(x)
		test	al, al
		jz	short loc_860F71
		mov	ecx, edi
		call	_BiIsSynchFirmwareEntries@4 ; BiIsSynchFirmwareEntries(x)
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 4
		call	_BiIsWinPEBoot@0 ; BiIsWinPEBoot()
		test	al, al
		jnz	short loc_860F6C

loc_860F44:				; CODE XREF: BcdCloseStore+6Fj
					; BcdCloseStore+74j
		push	esi
		push	offset ??_C@_1DG@JAFNKMKP@?$AAC?$AAl?$AAo?$AAs?$AAi?$AAn?$AAg?$AA?5?$AAs?$AAt?$AAo?$AAr?$AAe?$AA?4?$AA?5@NNGAKEGL@ ; "Closing store. Flags: 0x%x"
		push	2
		call	_BiLogMessage
		add	esp, 0Ch
		mov	edx, esi
		mov	ecx, edi
		call	BiCloseStore
		mov	cl, bl
		mov	esi, eax
		call	_BiReleaseBcdSyncMutant@4 ; BiReleaseBcdSyncMutant(x)
		mov	eax, esi

loc_860F68:				; CODE XREF: BcdCloseStore+A2AB6j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_860F6C:				; CODE XREF: BcdCloseStore+42j
		or	esi, 2
		jmp	short loc_860F44
; 

loc_860F71:				; CODE XREF: BcdCloseStore+28j
		push	2
		pop	esi
		jmp	short loc_860F44
BcdCloseStore	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BcdGetSystemStorePath proc near		; CODE XREF: BiLoadSystemStore+1Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009039BB SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], edi
		call	_BiGetFirmwareType@0 ; BiGetFirmwareType()
		cmp	eax, 1
		jnz	loc_9039BB
		mov	eax, offset ??_C@_1BE@FGPPDGFO@?$AA?2?$AAB?$AAo?$AAo?$AAt?$AA?2?$AAB?$AAC?$AAD@NNGAKEGL@ ; "\\Boot\\BCD"

loc_860F9C:				; CODE XREF: BcdGetSystemStorePath+A2A52j
		push	eax
		push	offset ??_C@_1CM@NIKLLOAB@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?5?$AAs?$AAt?$AAo?$AAr?$AAe?$AA?5?$AAp?$AAa@NNGAKEGL@
		push	2
		mov	[ebp+var_8], eax
		call	_BiLogMessage
		add	esp, 0Ch
		lea	ecx, [ebp+var_4]
		call	BiGetSystemPartition
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9039E7
		push	[ebp+var_4]
		push	(offset	loc_8C7CE9+1)
		push	2
		call	_BiLogMessage
		mov	esi, [ebp+var_4]
		add	esp, 0Ch
		lea	ecx, [esi+2]

loc_860FD9:				; CODE XREF: BcdGetSystemStorePath+6Cj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, di
		jnz	short loc_860FD9
		sub	esi, ecx
		mov	ecx, [ebp+var_8]
		sar	esi, 1
		lea	edx, [ecx+2]

loc_860FEE:				; CODE XREF: BcdGetSystemStorePath+81j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_860FEE
		sub	ecx, edx
		sar	ecx, 1
		add	esi, ecx
		push	4B444342h
		lea	eax, ds:2[esi*2]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_86105B
		push	[ebp+var_4]
		inc	esi
		push	esi
		push	edi
		call	_wcscpy_s
		add	esp, 0Ch
		push	[ebp+var_8]
		push	esi
		push	edi
		call	_wcscat_s
		mov	eax, [ebp+var_C]
		mov	[eax], edi

loc_861036:				; CODE XREF: BcdGetSystemStorePath+A2A7Ej
		add	esp, 0Ch

loc_861039:				; CODE XREF: BcdGetSystemStorePath+EAj
		cmp	[ebp+var_4], 0
		jz	short loc_86104C
		push	4B444342h
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_86104C:				; CODE XREF: BcdGetSystemStorePath+C7j
		test	ebx, ebx
		js	loc_9039F9

loc_861054:				; CODE XREF: BcdGetSystemStorePath+A2A6Cj
					; BcdGetSystemStorePath+A2A85j	...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_86105B:				; CODE XREF: BcdGetSystemStorePath+A1j
		mov	ebx, 0C0000017h
		jmp	short loc_861039
BcdGetSystemStorePath endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiConvertBootEnvironmentDeviceToNt proc	near ; CODE XREF: BiConvertRegistryDataToElement+B5p
					; BiConvertBootEnvironmentDeviceToNt+A2B1Dp ...

var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00903A11 SIZE 00000528 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+3Ch+var_10], edx
		xor	ecx, ecx
		mov	[esp+3Ch+var_20], esi
		push	edi
		mov	edx, ecx
		mov	[esp+40h+var_4], ecx
		mov	eax, [esi]
		mov	ebx, ecx
		mov	[esp+40h+var_28], ecx
		mov	edi, ecx
		mov	[esp+40h+var_14], ecx
		mov	[esp+40h+var_C], ecx
		mov	[esp+40h+var_24], edx
		mov	[esp+40h+var_1C], edx
		mov	[esp+40h+var_2C], ecx
		mov	[esp+40h+var_2D], cl
		mov	[esp+40h+var_8], ebx
		mov	[esp+40h+var_18], edi
		sub	eax, ecx
		jz	loc_903D77
		dec	eax
		sub	eax, 1
		jz	short loc_8610CC
		sub	eax, 3
		jz	loc_903C8A
		sub	eax, 1
		jnz	loc_903A11

loc_8610CC:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+56j
		lea	eax, [esp+40h+var_C]
		xor	edx, edx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, esi
		call	BiVerifyBootPartition
		mov	esi, eax
		test	esi, esi
		js	loc_903EE4
		test	[ebp+arg_0], 20h
		jnz	loc_903CAA

loc_8610F1:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2C4Ej
		mov	ecx, [esp+40h+var_20]
		lea	edx, [esp+40h+var_1C]
		call	BiGetNtPartitionPath
		mov	esi, eax
		mov	eax, [esp+40h+var_1C]
		mov	[esp+40h+var_24], eax
		test	esi, esi
		js	loc_903CBD
		mov	ecx, eax
		mov	[esp+40h+var_2D], 1
		push	2
		pop	esi
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_86111F:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+C5j
		mov	ax, [ecx]
		add	ecx, esi
		cmp	ax, bx
		jnz	short loc_86111F
		sub	ecx, edx
		sar	ecx, 1
		push	4B444342h
		lea	eax, ds:2[ecx*2]
		lea	edi, [eax+14h]
		mov	[esp+44h+var_4], eax
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8611AA
		push	edi		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebx], esi
		lea	eax, [ebx+14h]
		push	[esp+40h+var_4]	; size_t
		push	[esp+44h+var_24] ; void	*

loc_861168:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2BCEj
		push	eax		; void *
		call	_memcpy

loc_86116E:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2A05j
		add	esp, 0Ch

loc_861171:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2BB7j
					; BiConvertBootEnvironmentDeviceToNt+A2E70j
		xor	eax, eax
		mov	esi, eax

loc_861175:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2C23j
					; BiConvertBootEnvironmentDeviceToNt+A2E7Cj ...
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		mov	eax, [ebp+arg_8]
		mov	[eax], edi

loc_86117F:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+14Dj
					; BiConvertBootEnvironmentDeviceToNt+A2EB9j
		cmp	[esp+40h+var_2C], 0
		jnz	loc_903F26

loc_86118A:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2ED2j
		cmp	[esp+40h+var_2D], 0
		jz	short loc_86119F

loc_861191:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2AB8j
		push	4B444342h
		push	[esp+44h+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_86119F:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+12Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8611AA:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+EAj
					; BiConvertBootEnvironmentDeviceToNt+A29DDj ...
		mov	esi, 0C000009Ah
		jmp	short loc_86117F
BiConvertBootEnvironmentDeviceToNt endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiGetNtPartitionPath proc near		; CODE XREF: BiConvertBootEnvironmentDeviceToNt+97p
					; BiConvertBootEnvironmentDeviceToNt+A2A60p

var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00903F39 SIZE 00000213 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	esi, ecx
		mov	[ebp+var_74], edx
		xor	edx, edx
		lea	edi, [ebp+var_2C]
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_54], edx
		rep stosd
		push	6
		pop	ecx
		push	6
		lea	edi, [ebp+var_A4]
		mov	[ebp+var_64], edx
		rep stosd
		pop	ecx
		push	edx
		lea	edi, [ebp+var_BC]
		mov	[ebp+var_60], edx
		rep stosd
		lea	eax, [ebp+var_38]
		mov	[ebp+var_7C], edx
		push	eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_78], edx
		push	eax
		mov	edi, edx
		mov	[ebp+var_5C], edx
		lea	eax, [ebp+var_54]
		mov	[ebp+var_30], edx
		mov	[ebp+var_4C], edx
		mov	ebx, edx
		mov	[ebp+var_8C], edx
		mov	ecx, esi
		mov	[ebp+var_88], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_84], edx
		mov	[ebp+var_80], edx
		mov	[ebp+var_6C], edx
		mov	[ebp+var_38], edx
		lea	edx, [ebp+var_4C]
		push	eax
		mov	[ebp+var_44], edi
		call	BiVerifyBootPartition
		mov	esi, eax
		test	esi, esi
		js	loc_8614AE
		push	4B444342h
		push	58h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_903F39
		xor	eax, eax
		mov	[ebp+var_31], al
		cmp	[ebp+var_38], eax
		jnz	loc_903F43

loc_861275:				; CODE XREF: BiGetNtPartitionPath+A2D94j
					; BiGetNtPartitionPath+A2D9Dj ...
		push	offset ??_C@_1BA@CCLAPIHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@NNGAKEGL@
		lea	eax, [ebp+var_7C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_A4], 18h
		mov	[ebp+var_9C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_A0], ecx
		push	eax
		push	1
		lea	eax, [ebp+var_60]
		mov	[ebp+var_98], 240h
		push	eax
		mov	[ebp+var_94], ecx
		mov	[ebp+var_90], ecx
		call	_ZwOpenDirectoryObject@12 ; ZwOpenDirectoryObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_904112
		mov	eax, 1000h
		push	4B444342h
		mov	ebx, eax
		push	eax
		jmp	short loc_861316
; 

loc_8612DF:				; CODE XREF: BiGetNtPartitionPath+170j
		xor	edx, edx
		lea	ecx, [ebp+var_5C]
		push	edx
		push	ecx
		push	1
		push	edx
		push	ebx
		push	eax
		push	[ebp+var_60]
		mov	[ebp+var_5C], edx
		call	_ZwQueryDirectoryObject@28 ; ZwQueryDirectoryObject(x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 105h
		jnz	short loc_861329
		mov	esi, 4B444342h
		push	esi
		push	[ebp+var_48]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		add	ebx, 1000h
		push	esi
		push	ebx

loc_861316:				; CODE XREF: BiGetNtPartitionPath+12Bj
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_48], eax
		test	eax, eax
		jnz	short loc_8612DF
		jmp	loc_90410A
; 

loc_861329:				; CODE XREF: BiGetNtPartitionPath+14Cj
		test	esi, esi
		js	loc_903F5E

loc_861331:				; CODE XREF: BiGetNtPartitionPath+A2DB2j
		mov	ebx, [ebp+var_48]
		xor	eax, eax
		cmp	[ebx], ax
		jz	loc_904103
		lea	esi, [ebx+4]
		mov	bh, [ebp+var_31]
		mov	[ebp+var_40], esi
		mov	bl, al

loc_86134A:				; CODE XREF: BiGetNtPartitionPath+1B2j
		mov	edx, [esi+8]
		mov	ecx, [esi]
		call	BiIsValidDiskDevice
		test	al, al
		jnz	short loc_86136B

loc_861358:				; CODE XREF: BiGetNtPartitionPath+1DEj
					; BiGetNtPartitionPath+A2DCDj ...
		xor	eax, eax

loc_86135A:				; CODE XREF: BiGetNtPartitionPath+A2F4Cj
		add	esi, 10h
		mov	[ebp+var_40], esi
		cmp	[esi-4], ax
		jnz	short loc_86134A
		jmp	loc_861464
; 

loc_86136B:				; CODE XREF: BiGetNtPartitionPath+1A4j
		xor	eax, eax
		push	eax
		push	dword ptr [esi]
		push	offset ??_C@_1DA@FBMBGMIJ@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AA?$CF?$AAs?$AA?2?$AAP?$AAa?$AAr?$AAt@NNGAKEGL@ ;	"\\"
		push	2Ch
		push	edi
		call	_swprintf_s
		add	esp, 14h
		lea	eax, [ebp+var_2C]
		lea	edx, [ebp+var_30]
		mov	ecx, edi
		push	eax
		call	BiGetDriveLayoutBlock
		test	eax, eax
		js	short loc_861358
		cmp	[ebp+var_38], 0
		jnz	short loc_8613B5
		push	14h		; size_t
		lea	eax, [ebp+var_28]
		push	eax		; void *
		mov	eax, [ebp+var_50]
		add	eax, 4
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_903F72

loc_8613B5:				; CODE XREF: BiGetNtPartitionPath+1E4j
		mov	eax, [ebp+var_50]
		mov	edx, [ebp+var_54]
		mov	eax, [eax+4]
		mov	[ebp+var_70], eax
		test	edx, edx
		jnz	loc_903F84
		cmp	eax, 1
		jnz	loc_904018

loc_8613D2:				; CODE XREF: BiGetNtPartitionPath+A2E6Ej
		xor	ecx, ecx
		mov	[ebp+var_58], ecx
		test	eax, eax
		jz	loc_904025

loc_8613DF:				; CODE XREF: BiGetNtPartitionPath+A2E7Cj
					; BiGetNtPartitionPath+A2E85j
		mov	eax, [ebp+var_30]
		xor	ecx, ecx
		mov	[ebp+var_68], ecx
		cmp	[eax+4], ecx
		jbe	short loc_86144F
		mov	esi, eax
		mov	ecx, eax
		add	esi, 38h

loc_8613F3:				; CODE XREF: BiGetNtPartitionPath+A2EF7j
		mov	eax, [esi+10h]
		test	eax, eax
		jz	loc_904099
		push	eax
		mov	eax, [ebp+var_40]
		push	dword ptr [eax]
		push	offset ??_C@_1DA@FBMBGMIJ@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AA?$CF?$AAs?$AA?2?$AAP?$AAa?$AAr?$AAt@NNGAKEGL@ ;	"\\"
		push	2Ch
		push	edi
		call	_swprintf_s
		add	esp, 14h
		test	bh, bh
		jnz	loc_90403C

loc_86141C:				; CODE XREF: BiGetNtPartitionPath+A2E96j
					; BiGetNtPartitionPath+A2EC2j
		cmp	[ebp+var_70], 1
		jnz	loc_904079
		mov	edx, [ebp+var_4C]
		test	edx, edx
		jz	loc_904096
		mov	eax, [edx]
		cmp	eax, [esi]
		jnz	loc_904096
		mov	eax, [edx+4]
		cmp	eax, [esi+4]

loc_861441:				; CODE XREF: BiGetNtPartitionPath+A2EDFj
		jnz	loc_904096

loc_861447:				; CODE XREF: BiGetNtPartitionPath+A2EA9j
		mov	bl, 1

loc_861449:				; CODE XREF: BiGetNtPartitionPath+A2EFDj
		mov	esi, [ebp+var_40]

loc_86144C:				; CODE XREF: BiGetNtPartitionPath+A2E51j
					; BiGetNtPartitionPath+A2E61j ...
		mov	eax, [ebp+var_30]

loc_86144F:				; CODE XREF: BiGetNtPartitionPath+238j
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+var_38], 0
		jnz	loc_9040B4

loc_861464:				; CODE XREF: BiGetNtPartitionPath+1B4j
					; BiGetNtPartitionPath+A2F0Cj ...
		test	bl, bl
		mov	ebx, [ebp+var_48]
		jz	loc_904103
		lea	edx, [ebp+var_6C]
		mov	ecx, edi
		call	BiTranslateSymbolicLink
		test	eax, eax
		js	short loc_86148B
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [ebp+var_6C]

loc_86148B:				; CODE XREF: BiGetNtPartitionPath+2C9j
		mov	eax, [ebp+var_74]
		mov	[eax], edi
		xor	eax, eax
		mov	esi, eax

loc_861494:				; CODE XREF: BiGetNtPartitionPath+A2DBBj
		test	esi, esi
		js	loc_904112

loc_86149C:				; CODE XREF: BiGetNtPartitionPath+A2F62j
					; BiGetNtPartitionPath+A2F73j
		test	ebx, ebx
		jz	short loc_8614AB
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8614AB:				; CODE XREF: BiGetNtPartitionPath+2ECj
		mov	edi, [ebp+var_44]

loc_8614AE:				; CODE XREF: BiGetNtPartitionPath+97j
		cmp	[ebp+var_38], 0
		jnz	loc_90412A

loc_8614B8:				; CODE XREF: BiGetNtPartitionPath+A2F85j
		test	edi, edi
		jnz	loc_90413C

loc_8614C0:				; CODE XREF: BiGetNtPartitionPath+A2F95j
		mov	eax, esi

loc_8614C2:				; CODE XREF: BiGetNtPartitionPath+A2D8Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
BiGetNtPartitionPath endp

; 
		align 2

;  S U B	R O U T	I N E 


BiIsValidDiskDevice proc near		; CODE XREF: BiGetNtPartitionPath+19Dp

; FUNCTION CHUNK AT 0090414C SIZE 00000030 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		push	offset ??_C@_1BE@DNDHOCGP@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAo?$AAr?$AAy@NNGAKEGL@ ; "Directory"
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_861501
		push	offset ??_C@_1BK@KDPOKCA@?$AAS?$AAy?$AAm?$AAb?$AAo?$AAl?$AAi?$AAc?$AAL?$AAi?$AAn?$AAk@NNGAKEGL@	; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_861501

loc_8614FC:				; CODE XREF: BiIsValidDiskDevice+41j
					; BiIsValidDiskDevice+4Cj ...
		xor	al, al

loc_8614FE:				; CODE XREF: BiIsValidDiskDevice+5Fj
		pop	edi
		pop	esi
		retn
; 

loc_861501:				; CODE XREF: BiIsValidDiskDevice+17j
					; BiIsValidDiskDevice+28j
		push	8		; size_t
		push	offset ??_C@_1BC@PEHNMCKA@?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs?$AAk@NNGAKEGL@ ; "Harddisk"
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_8614FC
		lea	ecx, [esi+10h]
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_8614FC
		push	30h
		pop	edi
		cmp	ax, di
		jnz	short loc_861533
		cmp	word ptr [ecx+2], 0
		jnz	short loc_8614FC

loc_86152F:				; CODE XREF: BiIsValidDiskDevice+A2CA5j
		mov	al, 1
		jmp	short loc_8614FE
; 

loc_861533:				; CODE XREF: BiIsValidDiskDevice+54j
		xor	edx, edx
		mov	esi, eax
		jmp	loc_90414C
BiIsValidDiskDevice endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiTranslateSymbolicLink	proc near	; CODE XREF: BiGetNtPartitionPath+2C2p
					; BiTranslateSymbolicLinkFile(x,x)+65p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090417C SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebp+var_18]
		push	ecx
		push	eax
		mov	ebx, edx
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_18]
		mov	[ebp+var_30], 18h
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		lea	eax, [ebp+var_4]
		mov	[ebp+var_2C], esi
		push	eax
		mov	[ebp+var_24], 240h
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		call	_ZwOpenSymbolicLinkObject@12 ; ZwOpenSymbolicLinkObject(x,x,x)
		test	eax, eax
		js	loc_861664
		push	esi
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edi, esi
		mov	[ebp+var_8], esi

loc_8615A7:				; CODE XREF: BiTranslateSymbolicLink+ABj
					; BiTranslateSymbolicLink+109j
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwQuerySymbolicLinkObject@12 ;	ZwQuerySymbolicLinkObject(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_8615EE
		cmp	[ebp+var_C], 0
		jnz	loc_90417C

loc_8615CB:				; CODE XREF: BiTranslateSymbolicLink+A2C4Dj
		mov	eax, [ebp+var_8]
		push	4B444342h
		mov	word ptr [ebp+var_10+2], ax
		lea	edi, [eax+2]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_8615A7
		jmp	loc_90418E
; 

loc_8615EE:				; CODE XREF: BiTranslateSymbolicLink+83j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_4], 0
		mov	eax, [ebp+var_C]
		test	esi, esi
		js	loc_9041AC
		movzx	ecx, word ptr [ebp+var_10]
		xor	edx, edx
		shr	ecx, 1
		xor	esi, esi
		mov	[eax+ecx*2], dx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		lea	eax, [ebp+var_4]
		mov	word ptr [ebp+var_10+2], di
		push	eax
		mov	[ebp+var_30], 18h
		mov	[ebp+var_2C], esi
		mov	[ebp+var_24], 240h
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		call	_ZwOpenSymbolicLinkObject@12 ; ZwOpenSymbolicLinkObject(x,x,x)
		test	eax, eax
		jns	loc_8615A7
		mov	eax, [ebp+var_C]
		mov	[ebx], eax

loc_861650:				; CODE XREF: BiTranslateSymbolicLink+A2C57j
		cmp	[ebp+var_4], 0
		jnz	loc_904198

loc_86165A:				; CODE XREF: BiTranslateSymbolicLink+A2C6Bj
		test	esi, esi
		js	loc_9041AC

loc_861662:				; CODE XREF: BiTranslateSymbolicLink+A2C72j
					; BiTranslateSymbolicLink+A2C83j
		mov	eax, esi

loc_861664:				; CODE XREF: BiTranslateSymbolicLink+56j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
BiTranslateSymbolicLink	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiGetDriveLayoutBlock proc near		; CODE XREF: BiGetNtPartitionPath+1D7p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009041C4 SIZE 00000074 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		push	0Ah
		mov	esi, edx
		mov	[ebp+var_8], ebx
		pop	ecx
		rep stosd
		mov	ecx, ebx
		mov	[ebp+var_C], esi
		and	dword ptr [esi], 0
		call	_BiGetDriveLayoutInformation@8 ; BiGetDriveLayoutInformation(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9041C4

loc_8616A1:				; CODE XREF: BiGetDriveLayoutBlock+A2B86j
		mov	ecx, [ebp+arg_0]
		mov	eax, [esi]
		and	dword ptr [ecx], 0
		mov	edx, [eax]
		test	edx, edx
		jnz	loc_904213
		mov	dword ptr [ecx+4], 1
		mov	eax, [eax+8]
		mov	[ecx+8], eax

loc_8616C0:				; CODE XREF: BiGetDriveLayoutBlock+A2BBFj
					; BiGetDriveLayoutBlock+A2BC9j
		test	ebx, ebx
		js	loc_9041F6

loc_8616C8:				; CODE XREF: BiGetDriveLayoutBlock+A2B90j
					; BiGetDriveLayoutBlock+A2BA4j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
BiGetDriveLayoutBlock endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiIsWinPEBoot()
_BiIsWinPEBoot@0 proc near		; CODE XREF: BiCleanupLoadedStores+24p
					; BcdCloseStore+3Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ebx
		push	eax
		push	1
		push	(offset	loc_8C7FB5+1)
		mov	edx, offset ??_C@_1CG@BLIBLCJE@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAt?$AAa?$AAr?$AAt?$AAO?$AAp?$AAt?$AAi@NNGAKEGL@
		mov	[ebp+var_8], ebx
		xor	ecx, ecx
		call	BiGetRegistryValue
		test	eax, eax
		js	short loc_861722
		push	(offset	loc_8C801B+1) ;	wchar_t	*
		push	[ebp+var_4]	; wchar_t *
		call	_wcsstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_861727

loc_861715:				; CODE XREF: BiIsWinPEBoot()+57j
		push	4B444342h
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_861722:				; CODE XREF: BiIsWinPEBoot()+2Ej
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_861727:				; CODE XREF: BiIsWinPEBoot()+41j
		mov	bl, 1
		jmp	short loc_861715
_BiIsWinPEBoot@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BcdOpenStore	proc near		; CODE XREF: WheaPersistBadPageToBcd(x)+24p
					; PopFreeHiberContext+23p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00904238 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, edx
		push	ebx
		mov	bl, al
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, eax
		and	bl, 1
		mov	cl, bl
		and	esi, 2
		call	BiAcquireBcdSyncMutant
		mov	ecx, eax
		test	ecx, ecx
		js	loc_904238
		push	[ebp+var_4]
		xor	edx, edx
		push	offset ??_C@_1DG@IMJCJDCP@?$AAO?$AAp?$AAe?$AAn?$AAi?$AAn?$AAg?$AA?5?$AAs?$AAt?$AAo?$AAr?$AAe?$AA?4?$AA?5@NNGAKEGL@ ; "Opening store. Flags: 0x%x"
		push	2
		call	_BiLogMessage
		add	esp, 0Ch
		test	bl, bl
		jnz	short loc_8617A0
		test	esi, esi
		jz	short loc_8617A7
		push	(offset	loc_8C67FB+1)
		push	2
		call	_BiLogMessage
		add	esp, 8

loc_86177F:				; CODE XREF: BcdOpenStore+7Ej
		mov	ecx, [ebp+arg_0]
		call	BiOpenSystemStore
		mov	esi, eax
		test	esi, esi
		js	loc_904257

loc_861791:				; CODE XREF: BcdOpenStore+79j
					; BcdOpenStore+A2B3Bj
		mov	cl, bl
		call	_BiReleaseBcdSyncMutant@4 ; BiReleaseBcdSyncMutant(x)
		mov	eax, esi

loc_86179A:				; CODE XREF: BcdOpenStore+A2B26j
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8617A0:				; CODE XREF: BcdOpenStore+3Ej
		mov	esi, 0C000000Dh
		jmp	short loc_861791
; 

loc_8617A7:				; CODE XREF: BcdOpenStore+42j
		push	2
		pop	edx
		jmp	short loc_86177F
BcdOpenStore	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopBcdSetDefaultResumeObjectElements proc near ; CODE XREF: PopBcdEstablishResumeObject+123p
					; PopBcdRegenerateResumeObject(x,x,x)+E3p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090426C SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		mov	word ptr [esp+58h+var_40], ax
		mov	edi, ecx
		xor	ecx, ecx
		mov	word ptr [esp+58h+var_48], ax
		mov	word ptr [esp+58h+var_44], ax
		mov	esi, edx
		lea	eax, [esp+58h+var_28]
		mov	[esp+58h+var_2C], ecx
		push	eax
		mov	ebx, ecx
		mov	[esp+5Ch+var_8], ecx
		lea	eax, [esp+5Ch+var_38]
		mov	[esp+5Ch+var_4], ecx
		mov	[esp+5Ch+var_38], ecx
		mov	edx, 11000001h
		mov	[esp+5Ch+var_28], ecx
		mov	[esp+5Ch+var_24], ecx
		mov	[esp+5Ch+var_30], ecx
		mov	ecx, esi
		push	eax
		mov	[esp+60h+var_3C], esi
		mov	[esp+60h+var_34], ebx
		call	PopBcdReadElement
		mov	esi, eax
		test	esi, esi
		js	loc_861A35
		mov	ebx, [esp+58h+var_3C]
		lea	eax, [esp+58h+var_24]
		push	eax
		lea	eax, [esp+5Ch+var_34]
		mov	edx, 12000002h
		push	eax
		mov	ecx, ebx
		call	PopBcdReadElement
		mov	esi, eax
		test	esi, esi
		js	loc_9042D1
		lea	eax, [esp+58h+var_24]
		mov	[esp+58h+var_24], 8
		push	eax
		lea	eax, [esp+5Ch+var_8]
		mov	edx, 15000052h
		push	eax
		push	ecx
		mov	ecx, ebx
		call	BcdGetElementDataWithFlags
		push	2
		pop	esi
		mov	[esp+58h+var_14], eax
		mov	edx, 16000054h
		lea	eax, [esp+58h+var_3C]
		mov	[esp+58h+var_3C], esi
		push	eax
		lea	eax, [esp+5Ch+var_48]
		push	eax
		push	ecx
		mov	ecx, ebx
		call	BcdGetElementDataWithFlags
		mov	[esp+58h+var_10], eax
		mov	edx, 16000046h
		lea	eax, [esp+58h+var_3C]
		mov	[esp+58h+var_3C], esi
		push	eax
		lea	eax, [esp+5Ch+var_44]
		push	eax
		push	ecx
		mov	ecx, ebx
		call	BcdGetElementDataWithFlags
		mov	ebx, [esp+58h+var_34]
		push	5Ch		; wchar_t
		push	ebx		; wchar_t *
		mov	[esp+60h+var_C], eax
		call	_wcsrchr
		mov	edx, eax
		pop	ecx
		pop	ecx
		test	edx, edx
		jz	loc_90426C
		mov	eax, offset ??_C@_1BM@OFPLGABH@?$AAw?$AAi?$AAn?$AAr?$AAe?$AAs?$AAu?$AAm?$AAe?$AA?4?$AAe?$AAf?$AAi@NNGAKEGL@ ; "winresume.efi"
		cmp	dword_6BBFD0, esi
		jz	short loc_8618C9
		mov	eax, offset ??_C@_1BM@JGPBLMEE@?$AAw?$AAi?$AAn?$AAr?$AAe?$AAs?$AAu?$AAm?$AAe?$AA?4?$AAe?$AAx?$AAe@NNGAKEGL@ ; "winresume.exe"

loc_8618C9:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+116j
		sub	edx, ebx
		mov	[esp+58h+var_34], eax
		add	edx, esi
		mov	ecx, eax
		sar	edx, 1
		mov	[esp+58h+var_20], edx
		lea	esi, [ecx+2]

loc_8618DC:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+13Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+58h+var_2C]
		jnz	short loc_8618DC
		sub	ecx, esi
		sar	ecx, 1
		push	64634250h
		lea	eax, [ecx+edx]
		lea	eax, ds:2[eax*2]
		push	eax
		push	1
		mov	[esp+64h+var_18], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+58h+var_30], esi
		test	esi, esi
		jz	loc_904276
		mov	eax, [esp+58h+var_20]
		add	eax, eax
		push	eax		; size_t
		push	ebx		; void *
		push	esi		; void *
		mov	[esp+64h+var_1C], eax
		call	_memcpy
		mov	edx, [esp+64h+var_34]
		add	esp, 0Ch
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[esp+58h+var_20], eax

loc_861938:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+197j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+58h+var_2C]
		jnz	short loc_861938
		sub	ecx, [esp+58h+var_20]
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		push	eax		; size_t
		mov	eax, [esp+5Ch+var_1C]
		push	edx		; void *
		add	eax, esi
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, 11000001h
		push	[esp+58h+var_28]
		push	[esp+5Ch+var_38]
		push	ecx
		mov	ecx, edi
		call	BcdSetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	loc_861A35
		push	[esp+58h+var_18]
		mov	eax, [esp+5Ch+var_30]
		mov	edx, 12000002h
		push	eax
		push	ecx
		mov	ecx, edi
		call	BcdSetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	loc_861A35
		cmp	[esp+58h+var_14], 0
		jge	loc_904280

loc_8619AD:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+A2AEAj
		cmp	[esp+58h+var_10], 0
		jge	loc_90429B

loc_8619B8:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+A2B05j
		cmp	[esp+58h+var_C], 0
		jge	loc_9042B6

loc_8619C3:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+A2B20j
		push	ecx
		mov	ecx, edi
		call	PopBcdSetupResumeObject
		mov	esi, eax
		test	esi, esi
		js	short loc_861A35
		cmp	_KdDebuggerEnabled, 0
		jnz	short loc_861A2E

loc_8619DA:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+287j
		push	2
		lea	eax, [esp+5Ch+var_40]
		mov	edx, 26000006h
		push	eax
		push	ecx
		mov	ecx, edi
		call	BcdSetElementDataWithFlags
		mov	esi, eax
		xor	edi, edi
		test	esi, esi
		js	short loc_8619F8
		mov	esi, edi

loc_8619F8:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+248j
					; PopBcdSetDefaultResumeObjectElements+28Bj
		cmp	[esp+58h+var_38], 0
		jz	short loc_861A09
		push	edi
		push	[esp+5Ch+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_861A09:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+251j
		test	ebx, ebx
		jz	short loc_861A14
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_861A14:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+25Fj
		mov	eax, [esp+58h+var_30]
		test	eax, eax
		jz	short loc_861A23
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_861A23:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+26Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_861A2E:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+22Cj
		mov	byte ptr [esp+58h+var_40], 1
		jmp	short loc_8619DA
; 

loc_861A35:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+65j
					; PopBcdSetDefaultResumeObjectElements+1D0j ...
		xor	edi, edi
		jmp	short loc_8619F8
PopBcdSetDefaultResumeObjectElements endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiDeleteElement	proc near		; CODE XREF: PopBcdClearPendingResume(x)+2Ap
					; PopBcdClearPendingResume(x)+3Ep ...

var_42		= byte ptr -42h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009042DA SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	[esp+50h+var_34], ebx
		mov	[esp+50h+var_38], edi
		call	_BiIsOfflineHandle@4 ; BiIsOfflineHandle(x)
		mov	cl, al
		mov	[esp+50h+var_41], al
		call	BiAcquireBcdSyncMutant
		test	eax, eax
		js	loc_861B37
		push	ebx
		push	offset ??_C@_1CM@NIKMCPNF@?$AAD?$AAe?$AAl?$AAe?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAe?$AAl?$AAe?$AAm?$AAe?$AAn@NNGAKEGL@
		push	2
		call	_BiLogMessage
		and	[esp+5Ch+var_3C], 0
		lea	eax, [esp+5Ch+var_3C]
		and	[esp+5Ch+var_40], 0
		add	esp, 0Ch
		mov	edx, (offset loc_8C7715+1)
		mov	ecx, edi
		push	eax
		push	20019h
		call	BiOpenKey
		mov	ebx, [esp+50h+var_3C]
		mov	esi, eax
		test	esi, esi
		js	loc_9042DA
		push	10h
		push	16h
		lea	eax, [esp+58h+var_30]
		push	eax
		push	[esp+5Ch+var_34]
		call	__ultow_s
		add	esp, 10h
		test	eax, eax
		jnz	loc_9042EF
		lea	eax, [esp+50h+var_40]
		mov	ecx, ebx
		push	eax
		push	10000h
		lea	edx, [esp+58h+var_30]
		call	BiOpenKey
		test	eax, eax
		js	short loc_861B4B
		mov	edi, [esp+50h+var_40]
		mov	ecx, edi
		call	BiDeleteKey
		mov	esi, eax
		test	esi, esi
		js	loc_9042F9
		xor	edi, edi

loc_861B02:				; CODE XREF: BiDeleteElement+13Fj
					; BiDeleteElement+A28D4j
		test	edi, edi
		jnz	loc_904313

loc_861B0A:				; CODE XREF: BiDeleteElement+A28E0j
		mov	edi, [esp+50h+var_38]

loc_861B0E:				; CODE XREF: BiDeleteElement+A28B0j
					; BiDeleteElement+A28BAj
		test	ebx, ebx
		jz	short loc_861B19
		mov	ecx, ebx
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_861B19:				; CODE XREF: BiDeleteElement+D6j
		test	esi, esi
		js	short loc_861B2C
		lea	edx, [esp+50h+var_34]
		mov	ecx, edi
		call	BiIsLinkedToFirmwareVariable
		test	al, al
		jnz	short loc_861B7B

loc_861B2C:				; CODE XREF: BiDeleteElement+E1j
					; BiDeleteElement+148j
		mov	cl, [esp+50h+var_41]
		call	_BiReleaseBcdSyncMutant@4 ; BiReleaseBcdSyncMutant(x)
		mov	eax, esi

loc_861B37:				; CODE XREF: BiDeleteElement+37j
		mov	ecx, [esp+50h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_861B4B:				; CODE XREF: BiDeleteElement+AFj
		xor	ecx, ecx
		cmp	eax, 0C0000034h
		push	eax
		setnz	cl
		lea	eax, [esp+54h+var_30]
		push	eax
		push	offset ??_C@_1GM@IPBIONFL@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@ ; "Failed to	open element %ws key for dele"...
		lea	ecx, ds:2[ecx*2]
		push	ecx
		call	_BiLogMessage
		mov	edi, [esp+60h+var_40]
		add	esp, 10h
		mov	esi, 0C0000225h
		jmp	short loc_861B02
; 

loc_861B7B:				; CODE XREF: BiDeleteElement+F0j
		mov	ecx, edi
		call	_BiSetFirmwareModifiedFromObject@8 ; BiSetFirmwareModifiedFromObject(x,x)
		jmp	short loc_861B2C
BiDeleteElement	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcdQueryObject(x, x, x, x)
_BcdQueryObject@16 proc	near		; CODE XREF: PopBcdSetPendingResume+69p
					; PopBcdEstablishResumeObject+B2p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ecx
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_861BE1
		cmp	edx, 1
		jnz	short loc_861BE5

loc_861BA1:				; CODE XREF: BcdQueryObject(x,x,x,x)+5Fj
		call	_BiIsOfflineHandle@4 ; BiIsOfflineHandle(x)
		mov	cl, al
		mov	byte ptr [ebp+arg_0+3],	al
		call	BiAcquireBcdSyncMutant
		test	eax, eax
		js	short loc_861BDA
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_861BEC
		mov	edx, ebx
		mov	ebx, [ebp+var_4]
		mov	ecx, ebx
		call	_BiGetObjectDescription@8 ; BiGetObjectDescription(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_861BD0

loc_861BCC:				; CODE XREF: BcdQueryObject(x,x,x,x)+6Bj
		test	edi, edi
		jnz	short loc_861BF1

loc_861BD0:				; CODE XREF: BcdQueryObject(x,x,x,x)+46j
					; BcdQueryObject(x,x,x,x)+78j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	_BiReleaseBcdSyncMutant@4 ; BiReleaseBcdSyncMutant(x)
		mov	eax, esi

loc_861BDA:				; CODE XREF: BcdQueryObject(x,x,x,x)+2Ej
					; BcdQueryObject(x,x,x,x)+66j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_861BE1:				; CODE XREF: BcdQueryObject(x,x,x,x)+16j
		test	edi, edi
		jnz	short loc_861BA1

loc_861BE5:				; CODE XREF: BcdQueryObject(x,x,x,x)+1Bj
		mov	eax, 0C000000Dh
		jmp	short loc_861BDA
; 

loc_861BEC:				; CODE XREF: BcdQueryObject(x,x,x,x)+34j
		mov	ebx, [ebp+var_4]
		jmp	short loc_861BCC
; 

loc_861BF1:				; CODE XREF: BcdQueryObject(x,x,x,x)+4Aj
		mov	edx, edi
		mov	ecx, ebx
		call	_BiGetObjectIdentifier@8 ; BiGetObjectIdentifier(x,x)
		mov	esi, eax
		jmp	short loc_861BD0
_BcdQueryObject@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiIsSystemStore(x)
_BiIsSystemStore@4 proc	near		; CODE XREF: BcdForciblyUnloadStore+23p
					; BiLoadSystemStore+B7p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		call	_BiIsSystemStoreCandidate@4 ; BiIsSystemStoreCandidate(x)
		test	al, al
		jz	short loc_861C4F
		lea	eax, [ebp+var_8]
		mov	edx, (offset loc_8C6C71+1)
		push	eax
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax
		push	4
		push	offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		call	BiGetRegistryValue
		test	eax, eax
		js	short loc_861C4F
		mov	eax, [ebp+var_4]
		push	4B444342h
		push	eax
		mov	esi, [eax]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	short loc_861C4F
		mov	bl, 1

loc_861C4F:				; CODE XREF: BiIsSystemStore(x)+1Aj
					; BiIsSystemStore(x)+39j ...
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_BiIsSystemStore@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiIsSystemStoreCandidate(x)
_BiIsSystemStoreCandidate@4 proc near	; CODE XREF: BiIsSystemStore(x)+13p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ebx
		push	eax
		push	4
		push	offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		mov	edx, offset ??_C@_1O@GINMMDNN@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm@NNGAKEGL@
		mov	[ebp+var_8], ebx
		call	BiGetRegistryValue
		test	eax, eax
		js	short loc_861C99
		mov	eax, [ebp+var_4]
		push	4B444342h
		push	eax
		mov	esi, [eax]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		setnz	bl

loc_861C99:				; CODE XREF: BiIsSystemStoreCandidate(x)+2Cj
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_BiIsSystemStoreCandidate@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopBcdReadElement proc near		; CODE XREF: PopBcdSetDefaultResumeObjectElements+5Cp
					; PopBcdSetDefaultResumeObjectElements+80p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090431F SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		and	[esp+4+var_4], 0
		lea	eax, [esp+4+var_4]
		push	ebx
		push	esi
		push	edi
		push	eax
		push	0
		push	ecx
		mov	esi, edx
		mov	ebx, ecx
		call	BcdGetElementDataWithFlags
		cmp	eax, 0C0000023h
		jnz	short loc_861D12
		push	64634250h
		push	[esp+14h+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_861D19
		lea	eax, [esp+10h+var_4]
		mov	edx, esi
		push	eax
		push	edi
		push	ecx
		mov	ecx, ebx
		call	BcdGetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	loc_90431F
		xor	esi, esi
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[eax], edi
		mov	eax, [esp+10h+var_4]
		mov	[ecx], eax

loc_861D07:				; CODE XREF: PopBcdReadElement+77j
					; PopBcdReadElement+7Ej ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_861D12:				; CODE XREF: PopBcdReadElement+25j
		mov	esi, 0C0000225h
		jmp	short loc_861D07
; 

loc_861D19:				; CODE XREF: PopBcdReadElement+3Bj
		mov	esi, 0C000009Ah
		jmp	short loc_861D07
PopBcdReadElement endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiEnumerateSubKeys proc	near		; CODE XREF: BiDeleteKey+26p
					; BiCleanupLoadedStores+56p ...

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090432C SIZE 0000006A BYTES
; FUNCTION CHUNK AT 009043AC SIZE 00000015 BYTES

		push	74h
		push	offset dword_6A49D8
		call	__SEH_prolog4_GS
		mov	[ebp+var_70], ecx
		mov	[ebp+var_7C], edx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_80], eax
		xor	edi, edi
		mov	[ebp+var_60], edi
		push	30h		; size_t
		push	edi		; int
		lea	eax, [ebp+var_54]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_68], edi
		mov	[ebp+var_78], edi
		mov	[ebp+var_5C], edi
		mov	[ebp+var_84], edi

loc_861D5B:				; CODE XREF: BiEnumerateSubKeys+A269Cj
		mov	eax, [ebp+var_7C]
		mov	[eax], edi
		mov	eax, [ebp+var_80]
		mov	[eax], edi
		mov	ebx, edi
		mov	[ebp+var_6C], edi
		mov	ecx, [ebp+var_70]
		call	_BiSanitizeHandle@4 ; BiSanitizeHandle(x)
		mov	[ebp+var_70], eax
		lea	ecx, [ebp+var_78]
		push	ecx
		push	30h
		lea	ecx, [ebp+var_54]
		push	ecx
		push	2
		pop	edx
		mov	ecx, eax
		call	_BiZwQueryKey@20 ; BiZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_58], esi
		test	esi, esi
		js	loc_90432C

loc_861D96:				; CODE XREF: BiEnumerateSubKeys+A2618j
		mov	eax, [ebp+var_40]
		mov	[ebp+var_64], eax
		test	eax, eax
		jz	loc_861F4B
		mov	ecx, [ebp+var_3C]
		mov	[ebp+var_60], ecx
		lea	eax, [ebp+var_60]
		push	eax
		push	2
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		mov	[ebp+var_58], esi
		test	esi, esi
		js	short loc_861DD4
		mov	eax, [ebp+var_60]
		mul	[ebp+var_64]
		push	edx
		push	eax
		lea	ecx, [ebp+var_60]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		mov	[ebp+var_58], eax

loc_861DD4:				; CODE XREF: BiEnumerateSubKeys+9Dj
		mov	eax, edi
		mov	[ebp+var_5C], eax
		test	esi, esi
		js	loc_861F14
		mov	eax, [ebp+var_64]
		push	4
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_5C]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		mov	[ebp+var_58], esi
		mov	eax, [ebp+var_5C]
		test	esi, esi
		js	loc_861F14
		push	ecx
		mov	edx, [ebp+var_60]
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		mov	[ebp+var_58], esi
		mov	eax, [ebp+var_5C]
		test	esi, esi
		js	loc_861F14
		push	4B444342h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_6C], eax
		test	eax, eax
		jz	loc_90433D
		mov	ecx, [ebp+var_64]
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_74], eax
		mov	[ebp+var_68], 1Ah
		lea	eax, [ebp+var_68]
		push	eax
		mov	edx, [ebp+var_3C]
		push	1Ah
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		mov	[ebp+var_58], esi
		test	esi, esi
		js	loc_861F14
		push	4B444342h
		push	[ebp+var_68]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_5C], esi
		test	esi, esi
		jz	loc_904347
		mov	eax, [ebp+var_60]
		mov	[ebp+var_60], eax
		mov	ebx, edi
		cmp	[ebp+var_64], 0
		jbe	short loc_861EFF

loc_861E8C:				; CODE XREF: BiEnumerateSubKeys+1DDj
		lea	eax, [ebp+var_78]
		push	eax
		push	[ebp+var_68]
		push	esi
		push	ecx
		mov	edx, ebx
		mov	ecx, [ebp+var_70]
		call	_BiZwEnumerateKey@24 ; BiZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_58], esi
		cmp	esi, 8000001Ah
		jz	loc_90435B
		test	esi, esi
		js	short loc_861F11
		mov	esi, [ebp+var_5C]
		mov	eax, [esi+0Ch]
		add	eax, 2
		cmp	eax, [ebp+var_60]
		ja	loc_904351
		mov	ecx, [ebp+var_74]
		mov	eax, [ebp+var_6C]
		mov	[eax+ebx*4], ecx
		push	dword ptr [esi+0Ch] ; size_t
		lea	eax, [esi+10h]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_74]
		add	eax, [esi+0Ch]
		xor	ecx, ecx
		mov	[eax], cx
		add	eax, 2
		mov	[ebp+var_74], eax
		push	0FFFFFFFEh
		pop	eax
		sub	eax, [esi+0Ch]
		add	[ebp+var_60], eax
		inc	ebx
		cmp	ebx, [ebp+var_64]
		jb	short loc_861E8C

loc_861EFF:				; CODE XREF: BiEnumerateSubKeys+16Aj
					; BiEnumerateSubKeys+A2643j
		mov	eax, [ebp+var_7C]
		mov	ecx, [ebp+var_6C]
		mov	[eax], ecx
		mov	eax, [ebp+var_80]
		mov	[eax], ebx
		mov	esi, edi

loc_861F0E:				; CODE XREF: BiEnumerateSubKeys+A262Cj
					; BiEnumerateSubKeys+A2636j
		mov	[ebp+var_58], esi

loc_861F11:				; CODE XREF: BiEnumerateSubKeys+192j
					; BiEnumerateSubKeys+A263Dj
		mov	ebx, [ebp+var_5C]

loc_861F14:				; CODE XREF: BiEnumerateSubKeys+BBj
					; BiEnumerateSubKeys+DDj ...
		test	ebx, ebx
		jz	short loc_861F23
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_861F23:				; CODE XREF: BiEnumerateSubKeys+1F6j
		test	esi, esi
		js	loc_904368

loc_861F2B:				; CODE XREF: BiEnumerateSubKeys+A264Dj
					; BiEnumerateSubKeys+A265Ej
		cmp	esi, 0C000017Dh
		jz	loc_904383

loc_861F37:				; CODE XREF: BiEnumerateSubKeys+A268Fj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_861F4B:				; CODE XREF: BiEnumerateSubKeys+7Ej
		mov	esi, edi

loc_861F4D:				; CODE XREF: BiEnumerateSubKeys+A2622j
		mov	[ebp+var_58], esi
		jmp	short loc_861F14
BiEnumerateSubKeys endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiOpenSystemStore proc near		; CODE XREF: BcdOpenStore+56p
					; BcdOpenSystemStore(x)+2Ap

var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009043C1 SIZE 00000086 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[esp+30h+var_C], edx
		mov	eax, ecx
		mov	[esp+30h+var_10], ebx
		push	edx
		push	offset ??_C@_1EE@OJEMMLOB@?$AAO?$AAp?$AAe?$AAn?$AAi?$AAn?$AAg?$AA?5?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?5@NNGAKEGL@
		mov	edi, ebx
		mov	[esp+38h+var_4], eax
		push	2
		mov	[eax], ebx
		mov	[esp+3Ch+var_14], ebx
		mov	[esp+3Ch+var_1C], edi
		mov	[esp+3Ch+var_18], ebx
		mov	[esp+3Ch+var_8], ebx
		call	_BiLogMessage
		mov	ecx, edx
		add	esp, 0Ch
		and	ecx, 1
		shl	ecx, 4
		call	BiCleanupLoadedStores
		lea	eax, [esp+30h+var_14]
		mov	edx, offset ??_C@_1CE@NMBJJGCH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\"
		push	eax
		push	0F003Fh
		xor	ecx, ecx
		call	BiOpenKeyNonBcd
		mov	esi, eax
		test	esi, esi
		js	loc_8620C3
		mov	ecx, [esp+30h+var_14]
		lea	eax, [esp+30h+var_10]
		push	eax
		lea	edx, [esp+34h+var_18]
		call	BiEnumerateSubKeys
		mov	esi, eax
		test	esi, esi
		js	loc_8620B0
		mov	esi, 0C0000225h
		cmp	ebx, [esp+30h+var_10]
		jnb	short loc_862011

loc_861FE8:				; CODE XREF: BiOpenSystemStore+B9j
		mov	eax, [esp+30h+var_18]
		push	3		; size_t
		push	(offset	loc_8C7209+1) ;	wchar_t	*
		push	dword ptr [eax+ebx*4] ;	wchar_t	*
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8620DC

loc_862006:				; CODE XREF: BiOpenSystemStore+1A4j
					; BiOpenSystemStore+1DEj ...
		inc	ebx
		cmp	ebx, [esp+30h+var_10]
		jb	short loc_861FE8

loc_86200D:				; CODE XREF: BiOpenSystemStore+20Bj
		cmp	ebx, [esp+30h+var_10]

loc_862011:				; CODE XREF: BiOpenSystemStore+94j
		jnz	loc_862162
		push	offset ??_C@_1EO@GNKAIEIC@?$AAT?$AAh?$AAe?$AA?5?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?5?$AAs?$AAt?$AAo?$AAr@NNGAKEGL@
		push	2
		call	_BiLogMessage
		and	[esp+38h+var_1C], 0
		add	esp, 8
		mov	ebx, [esp+30h+var_C]
		test	bl, 4
		jnz	loc_9043CD
		lea	ecx, [esp+30h+var_1C]
		call	BiLoadSystemStore
		mov	edi, [esp+30h+var_1C]
		mov	esi, eax
		test	esi, esi
		js	loc_90442D
		mov	[esp+30h+var_8], 1

loc_862057:				; CODE XREF: BiOpenSystemStore+214j
		test	bl, 2
		jnz	loc_904425
		push	(offset	loc_8C73D7+1)
		push	2
		call	_BiLogMessage
		add	esp, 8
		mov	ecx, edi
		call	BiWasFirmwareModified
		mov	[esp+30h+var_1D], al
		call	_BiGetFirmwareType@0 ; BiGetFirmwareType()
		sub	eax, 1
		jnz	loc_9043E6
		xor	esi, esi

loc_86208A:				; CODE XREF: BiOpenSystemStore+A24A3j
					; BiOpenSystemStore+A24B8j
		test	esi, esi
		js	loc_90440F

loc_862092:				; CODE XREF: BiOpenSystemStore+A24AAj
		cmp	[esp+30h+var_1D], 0
		jnz	short loc_8620A2
		xor	dl, dl
		mov	ecx, edi
		call	BiSetFirmwareModified

loc_8620A2:				; CODE XREF: BiOpenSystemStore+145j
					; BiOpenSystemStore+A24D6j
		mov	eax, [esp+30h+var_4]
		mov	[eax], edi

loc_8620A8:				; CODE XREF: BiOpenSystemStore+A24CEj
		test	esi, esi
		js	loc_90442D

loc_8620B0:				; CODE XREF: BiOpenSystemStore+85j
					; BiOpenSystemStore+A248Fj ...
		mov	eax, [esp+30h+var_18]
		test	eax, eax
		jz	short loc_8620C3
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8620C3:				; CODE XREF: BiOpenSystemStore+69j
					; BiOpenSystemStore+164j
		cmp	[esp+30h+var_14], 0
		jz	short loc_8620D3
		push	[esp+30h+var_14]
		call	_ZwClose@4	; ZwClose(x)

loc_8620D3:				; CODE XREF: BiOpenSystemStore+176j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8620DC:				; CODE XREF: BiOpenSystemStore+AEj
		mov	eax, [esp+30h+var_18]
		push	0Ah		; int
		push	0		; wchar_t **
		mov	eax, [eax+ebx*4]
		add	eax, 6
		push	eax		; wchar_t *
		call	_wcstoul
		add	esp, 0Ch
		cmp	eax, 0FFFFFFFFh
		jz	loc_862006
		mov	ecx, [esp+30h+var_18]
		push	dword ptr [ecx+ebx*4]
		push	(offset	loc_8C710D+1)
		push	2
		call	_BiLogMessage
		mov	edx, [ecx+ebx*4]
		lea	eax, [esp+3Ch+var_1C]
		mov	ecx, [esp+3Ch+var_14]
		add	esp, 0Ch
		push	eax
		push	20019h
		call	BiOpenKey
		mov	edi, [esp+30h+var_1C]
		mov	esi, eax
		test	esi, esi
		js	loc_862006
		mov	ecx, edi
		call	_BiIsSystemStore@4 ; BiIsSystemStore(x)
		test	al, al
		jz	loc_9043C1
		mov	eax, [esp+30h+var_18]
		push	dword ptr [eax+ebx*4]
		push	(offset	loc_8C741B+1)
		push	2
		call	_BiLogMessage
		add	esp, 0Ch
		xor	esi, esi
		jmp	loc_86200D
; 

loc_862162:				; CODE XREF: BiOpenSystemStore:loc_862011j
		mov	ebx, [esp+30h+var_C]
		jmp	loc_862057
BiOpenSystemStore endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BcdOpenObject	proc near		; CODE XREF: WheaPersistBadPageToBcd(x)+45p
					; PopBcdSetPendingResume+84p ...

var_2A		= byte ptr -2Ah
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00904447 SIZE 00000074 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		mov	[esp+30h+var_20], ecx
		push	esi
		push	edi
		mov	[esp+38h+var_18], eax
		lea	edi, [esp+38h+var_10]
		mov	[esp+38h+var_14], eax
		mov	esi, edx
		mov	[esp+38h+var_24], eax
		stosd
		mov	[esp+38h+var_1C], esi
		stosd
		stosd
		stosd
		call	_BiIsOfflineHandle@4 ; BiIsOfflineHandle(x)
		mov	cl, al
		mov	[esp+38h+var_29], al
		call	BiAcquireBcdSyncMutant
		test	eax, eax
		js	loc_86225C
		mov	ebx, [ebp+arg_0]
		lea	edx, [esp+38h+var_18]
		and	[esp+38h+var_28], 0
		mov	ecx, esi
		push	1
		and	dword ptr [ebx], 0
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_904447
		mov	edi, [esp+38h+var_14]
		push	edi
		push	(offset	loc_8C76F1+1)
		push	2
		call	_BiLogMessage
		mov	ecx, [esp+44h+var_20]
		lea	eax, [esp+44h+var_28]
		add	esp, 0Ch
		mov	edx, (offset loc_8C6F2D+1)
		push	eax
		push	20019h
		call	BiOpenKey
		mov	esi, eax
		test	esi, esi
		js	loc_904462
		mov	ecx, [esp+38h+var_1C] ;	void *
		lea	edx, [esp+38h+var_24]
		call	BiIsObjectAliased
		test	al, al
		jnz	short loc_862265

loc_86221B:				; CODE XREF: BcdOpenObject+155j
		mov	ecx, [esp+38h+var_28]
		mov	edx, edi
		push	ebx
		push	0F003Fh
		call	BiOpenKey
		mov	esi, eax
		test	esi, esi
		js	loc_904495

loc_862236:				; CODE XREF: BcdOpenObject+A234Aj
		test	edi, edi
		jz	short loc_862244
		lea	eax, [esp+38h+var_18]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_862244:				; CODE XREF: BcdOpenObject+CCj
		mov	ecx, [esp+38h+var_28]
		test	ecx, ecx
		jz	short loc_862251
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_862251:				; CODE XREF: BcdOpenObject+DEj
		mov	cl, [esp+38h+var_29]
		call	_BiReleaseBcdSyncMutant@4 ; BiReleaseBcdSyncMutant(x)
		mov	eax, esi

loc_86225C:				; CODE XREF: BcdOpenObject+40j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_862265:				; CODE XREF: BcdOpenObject+ADj
		mov	eax, [esp+38h+var_24]
		sub	eax, 1
		jnz	loc_904474
		lea	ecx, [esp+38h+var_10]
		call	_BiGetCurrentBootEntryIdentifier@4 ; BiGetCurrentBootEntryIdentifier(x)

loc_86227B:				; CODE XREF: BcdOpenObject+A2324j
		mov	esi, eax

loc_86227D:				; CODE XREF: BcdOpenObject+A2312j
		test	esi, esi
		js	loc_90446A
		lea	eax, [esp+38h+var_18]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		and	[esp+38h+var_14], 0
		lea	edx, [esp+38h+var_18]
		push	1
		lea	ecx, [esp+3Ch+var_10]
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_90444F
		mov	edi, [esp+38h+var_14]
		push	edi
		push	(offset	loc_8C75A9+1)
		push	2
		call	_BiLogMessage
		add	esp, 0Ch
		jmp	loc_86221B
BcdOpenObject	endp


;  S U B	R O U T	I N E 


; __stdcall BcdCloseObject(x)
_BcdCloseObject@4 proc near		; CODE XREF: WheaPersistBadPageToBcd(x)+17Ap
					; PopAllocateHiberContext+1BCp	...
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		call	_BiIsOfflineHandle@4 ; BiIsOfflineHandle(x)
		mov	bl, al
		mov	cl, al
		call	BiAcquireBcdSyncMutant
		test	eax, eax
		js	short loc_8622ED
		mov	ecx, esi
		call	_BiCloseKey@4	; BiCloseKey(x)
		mov	cl, bl
		call	_BiReleaseBcdSyncMutant@4 ; BiReleaseBcdSyncMutant(x)

loc_8622ED:				; CODE XREF: BcdCloseObject(x)+17j
		pop	esi
		pop	ebx
		pop	ecx
		retn
_BcdCloseObject@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiCreateKey	proc near		; CODE XREF: BcdSetElementDataWithFlags+D4p
					; BiAddStoreFromFile+A303Ep ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009044BB SIZE 0000002D BYTES
; FUNCTION CHUNK AT 009044FE SIZE 00000012 BYTES

		push	48h
		push	offset dword_6A49F8
		call	__SEH_prolog4
		mov	[ebp+var_38], edx
		mov	[ebp+var_28], ecx
		xor	ebx, ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_58]
		rep stosd
		mov	[ebp+var_34], ebx

loc_86231F:				; CODE XREF: BiCreateKey+A2219j
		mov	[ebp+var_20], ebx
		push	[ebp+var_38]
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+var_28]
		call	_BiSanitizeHandle@4 ; BiSanitizeHandle(x)
		mov	[ebp+var_28], eax
		mov	esi, [ebp+arg_0]
		or	esi, 40000h
		mov	[ebp+arg_0], esi
		push	40h
		pop	ecx
		mov	[ebp+var_19], bl
		test	[ebp+arg_4], 1
		jz	short loc_86236A
		mov	ecx, 0C0h
		mov	eax, esi
		and	eax, 60019h
		cmp	eax, esi
		jz	short loc_86236A
		mov	esi, 40000h
		mov	[ebp+var_19], 1

loc_86236A:				; CODE XREF: BiCreateKey+5Dj
					; BiCreateKey+6Dj
		or	ecx, 200h
		mov	[ebp+var_24], ecx
		mov	ecx, 0F003Fh
		call	_BiCreateKeySecurityDescriptor@4 ; BiCreateKeySecurityDescriptor(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9044BB
		mov	[ebp+var_58], 18h
		mov	eax, [ebp+var_28]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+var_24]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_50], eax
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], ebx
		lea	eax, [ebp+var_30]
		push	eax
		mov	eax, dword ptr [ebp+arg_4]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_58]
		push	eax
		mov	edx, esi
		lea	ecx, [ebp+var_20]
		call	_BiZwCreateKey@28 ; BiZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_9044C3
		cmp	[ebp+var_19], 0
		jz	short loc_862416
		push	edi
		mov	ecx, [ebp+var_20]
		call	_BiZwSetSecurityObject@12 ; BiZwSetSecurityObject(x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_9044C3
		lea	eax, [ebp+var_58]
		push	eax
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_2C]
		call	_BiZwOpenKey@12	; BiZwOpenKey(x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_9044C3
		mov	ecx, [ebp+var_20]
		call	_BiZwClose@4	; BiZwClose(x)
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_20], eax

loc_862416:				; CODE XREF: BiCreateKey+E2j
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_862426
		cmp	[ebp+var_30], 1
		setz	al
		mov	[ecx], al

loc_862426:				; CODE XREF: BiCreateKey+129j
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		test	esi, esi
		js	loc_9044C3

loc_862436:				; CODE XREF: BiCreateKey+A21D6j
					; BiCreateKey+A21E1j
		test	edi, edi
		jz	short loc_862445
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_862445:				; CODE XREF: BiCreateKey+146j
		cmp	esi, 0C000017Dh
		jz	loc_9044D8

loc_862451:				; CODE XREF: BiCreateKey+A220Fj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
BiCreateKey	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiGetRegistryValue proc	near		; CODE XREF: BiWasFirmwareModified+25p
					; BiUnloadHiveByHandle(x,x)+32p ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00904510 SIZE 00000024 BYTES
; FUNCTION CHUNK AT 0090454A SIZE 00000015 BYTES

		push	30h
		push	offset dword_6A4A18
		call	__SEH_prolog4
		mov	[ebp+var_34], edx
		mov	ebx, ecx
		xor	edi, edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_30], edi

loc_862488:				; CODE XREF: BiGetRegistryValue+A20F4j
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], edi
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		mov	eax, [ebp+arg_C]
		mov	[eax], edi
		push	[ebp+var_34]
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, ebx
		call	_BiSanitizeHandle@4 ; BiSanitizeHandle(x)
		mov	[ebp+var_2C], eax
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	loc_8625C4
		lea	ecx, [ebp+var_24]
		push	ecx
		push	20019h
		mov	ecx, eax
		call	BiOpenKey
		mov	esi, eax
		mov	[ebp+var_20], esi
		mov	ebx, [ebp+var_24]
		test	esi, esi
		js	loc_862582

loc_8624D9:				; CODE XREF: BiGetRegistryValue+160j
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		push	edi
		push	ecx
		lea	edx, [ebp+var_40]
		mov	ecx, ebx
		call	_BiZwQueryValueKey@24 ;	BiZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		cmp	esi, 0C0000023h
		jnz	loc_862582
		push	4B444342h
		push	[ebp+var_1C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	loc_904510
		lea	ecx, [ebp+var_38]
		push	ecx
		push	[ebp+var_1C]
		push	eax
		push	ecx
		lea	edx, [ebp+var_40]
		mov	ecx, ebx
		call	_BiZwQueryValueKey@24 ;	BiZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		js	short loc_862582
		mov	esi, [ebp+var_28]
		mov	eax, [esi+4]
		cmp	eax, [ebp+arg_4]
		jnz	loc_904517
		mov	eax, [ebp+var_1C]
		sub	eax, 0Ch
		mov	[ebp+var_1C], eax
		push	4B444342h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	ecx, [ebp+arg_8]
		mov	[ecx], edx
		test	edx, edx
		jz	loc_904510
		push	[ebp+var_1C]	; size_t
		lea	eax, [esi+0Ch]
		push	eax		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	esi, edi
		mov	[ebp+var_20], edi

loc_862582:				; CODE XREF: BiGetRegistryValue+6Dj
					; BiGetRegistryValue+8Fj ...
		cmp	ebx, [ebp+var_2C]
		jz	short loc_862592
		test	ebx, ebx
		jz	short loc_862592
		mov	ecx, ebx
		call	_BiZwClose@4	; BiZwClose(x)

loc_862592:				; CODE XREF: BiGetRegistryValue+11Fj
					; BiGetRegistryValue+123j
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_8625A4
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8625A4:				; CODE XREF: BiGetRegistryValue+131j
		cmp	esi, 0C000017Dh
		jz	loc_904524

loc_8625B0:				; CODE XREF: BiGetRegistryValue+A20E7j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_8625C4:				; CODE XREF: BiGetRegistryValue+4Dj
		mov	ebx, eax
		jmp	loc_8624D9
BiGetRegistryValue endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BcdGetElementDataWithFlags proc	near	; CODE XREF: PopBcdEstablishResumeObject+77p
					; PopBcdEstablishResumeObject+112p ...

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0090455F SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_58], edx
		mov	edx, [ebp+arg_4]
		lea	edi, [ebp+var_44]
		stosd
		xor	ebx, ebx
		mov	esi, ecx
		mov	[ebp+var_70], edx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_74], esi
		stosd
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		stosd
		mov	[ebp+var_5C], ebx
		stosd
		test	ecx, ecx
		jz	loc_86279D
		test	edx, edx
		jz	loc_862795

loc_862619:				; CODE XREF: BcdGetElementDataWithFlags+1CBj
		mov	ecx, esi
		call	_BiIsOfflineHandle@4 ; BiIsOfflineHandle(x)
		mov	cl, al
		mov	[ebp+var_45], al
		call	BiAcquireBcdSyncMutant
		mov	ecx, eax
		test	ecx, ecx
		js	loc_90455F
		push	ebx
		lea	eax, [ebp+var_64]
		mov	[ebp+var_50], ebx
		mov	edi, ebx
		mov	[ebp+var_4C], ebx
		push	eax
		mov	[ebp+var_54], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edx, [ebp+var_44]
		mov	ecx, esi
		mov	ebx, offset ??_C@_17HDJIHIPC@?$AAN?$AA?1?$AAA@NNGAKEGL@
		call	_BiGetObjectIdentifier@8 ; BiGetObjectIdentifier(x,x)
		test	eax, eax
		js	short loc_862670
		push	1
		lea	edx, [ebp+var_64]
		lea	ecx, [ebp+var_44]
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		test	eax, eax
		js	short loc_862670
		mov	ebx, [ebp+var_60]

loc_862670:				; CODE XREF: BcdGetElementDataWithFlags+8Ej
					; BcdGetElementDataWithFlags+9Fj
		lea	eax, [ebp+var_50]
		mov	edx, (offset loc_8C7715+1)
		push	eax
		push	20019h
		mov	ecx, esi
		call	BiOpenKey
		mov	esi, eax
		test	esi, esi
		js	loc_904576
		mov	esi, [ebp+var_58]
		lea	eax, [ebp+var_34]
		push	10h
		push	16h
		push	eax
		push	esi
		call	__ultow_s
		add	esp, 10h
		test	eax, eax
		jnz	loc_90458C
		mov	ecx, [ebp+var_50]
		lea	eax, [ebp+var_54]
		push	eax
		push	20019h
		lea	edx, [ebp+var_34]
		call	BiOpenKey
		test	eax, eax
		js	loc_862766
		mov	ecx, esi
		shr	ecx, 18h
		and	ecx, 0Fh
		call	_BiConvertElementFormatToValueType@4 ; BiConvertElementFormatToValueType(x)
		mov	edi, [ebp+var_54]
		lea	ecx, [ebp+var_5C]
		push	ecx
		lea	ecx, [ebp+var_4C]
		mov	[ebp+var_68], eax
		push	ecx
		push	eax
		push	0
		mov	edx, offset ??_C@_1BA@DLALOCKE@?$AAE?$AAl?$AAe?$AAm?$AAe?$AAn?$AAt@NNGAKEGL@ ; "Element"
		mov	ecx, edi
		call	BiGetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	loc_904596
		push	[ebp+var_6C]	; int
		mov	edx, [ebp+var_4C]
		push	[ebp+var_70]	; void *
		mov	ecx, [ebp+var_74]
		push	0		; int
		push	[ebp+var_58]	; int
		push	[ebp+var_5C]	; size_t
		call	BiConvertRegistryDataToElement
		mov	esi, eax

loc_862716:				; CODE XREF: BcdGetElementDataWithFlags+A1FDEj
		cmp	[ebp+var_4C], 0
		jz	short loc_862729
		push	4B444342h
		push	[ebp+var_4C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_862729:				; CODE XREF: BcdGetElementDataWithFlags+14Ej
					; BcdGetElementDataWithFlags+1C7j ...
		lea	eax, [ebp+var_64]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	edi, edi
		jz	short loc_86273D
		mov	ecx, edi
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_86273D:				; CODE XREF: BcdGetElementDataWithFlags+168j
		cmp	[ebp+var_50], 0
		jz	short loc_86274B
		mov	ecx, [ebp+var_50]
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_86274B:				; CODE XREF: BcdGetElementDataWithFlags+175j
		mov	cl, [ebp+var_45]
		call	_BiReleaseBcdSyncMutant@4 ; BiReleaseBcdSyncMutant(x)
		mov	eax, esi

loc_862755:				; CODE XREF: BcdGetElementDataWithFlags+1D6j
					; BcdGetElementDataWithFlags+A1FA5j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_862766:				; CODE XREF: BcdGetElementDataWithFlags+F5j
		push	eax
		xor	ecx, ecx
		cmp	eax, 0C0000034h
		lea	eax, [ebp+var_34]
		push	eax
		setnz	cl
		push	ebx
		push	offset ??_C@_1KA@HLCLNLCE@?$AAB?$AAc?$AAd?$AAG?$AAe?$AAt?$AAE?$AAl?$AAe?$AAm?$AAe?$AAn?$AAt?$AAD?$AAa@NNGAKEGL@
		lea	ecx, ds:2[ecx*2]
		push	ecx
		call	_BiLogMessage
		mov	edi, [ebp+var_54]
		add	esp, 14h
		mov	esi, 0C0000225h
		jmp	short loc_862729
; 

loc_862795:				; CODE XREF: BcdGetElementDataWithFlags+47j
		cmp	[ecx], ebx
		jz	loc_862619

loc_86279D:				; CODE XREF: BcdGetElementDataWithFlags+3Fj
		mov	eax, 0C000000Dh
		jmp	short loc_862755
BcdGetElementDataWithFlags endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiOpenKey	proc near		; CODE XREF: BiOpenStoreKeyFromObject(x,x)+82p
					; BiAddStoreFromFile+97p ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009045AF SIZE 0000001A BYTES
; FUNCTION CHUNK AT 009045DF SIZE 00000012 BYTES

		push	48h
		push	offset dword_6A4A38
		call	__SEH_prolog4
		mov	[ebp+var_34], edx
		mov	[ebp+var_20], ecx
		xor	ebx, ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_58]
		rep stosd
		mov	[ebp+var_30], ebx

loc_8627CE:				; CODE XREF: BiOpenKey+A1E48j
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_2C], ebx
		push	[ebp+var_34]
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+var_20]
		call	_BiSanitizeHandle@4 ; BiSanitizeHandle(x)
		mov	[ebp+var_20], eax
		mov	edi, [ebp+arg_0]
		or	edi, 40000h
		mov	[ebp+arg_0], edi
		mov	edx, edi
		mov	eax, edi
		and	eax, 60019h
		mov	[ebp+var_38], eax
		cmp	eax, edi
		jnz	short loc_86287C

loc_862807:				; CODE XREF: BiOpenKey+DDj
		mov	[ebp+var_58], 18h
		mov	eax, [ebp+var_20]
		mov	[ebp+var_54], eax
		mov	[ebp+var_4C], 240h
		lea	eax, [ebp+var_40]
		mov	[ebp+var_50], eax
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		lea	eax, [ebp+var_58]
		push	eax
		lea	ecx, [ebp+var_1C]
		call	_BiZwOpenKey@12	; BiZwOpenKey(x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_8628DA
		cmp	[ebp+var_38], edi
		jnz	short loc_862883

loc_862845:				; CODE XREF: BiOpenKey+124j
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		test	esi, esi
		js	loc_8628DA

loc_862855:				; CODE XREF: BiOpenKey+13Bj
					; BiOpenKey+A1E10j
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jnz	short loc_8628CD

loc_86285C:				; CODE XREF: BiOpenKey+134j
		cmp	esi, 0C000017Dh
		jz	loc_9045B9

loc_862868:				; CODE XREF: BiOpenKey+A1E3Ej
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_86287C:				; CODE XREF: BiOpenKey+61j
		mov	edx, 40000h
		jmp	short loc_862807
; 

loc_862883:				; CODE XREF: BiOpenKey+9Fj
		mov	ecx, 0F003Fh
		call	_BiCreateKeySecurityDescriptor@4 ; BiCreateKeySecurityDescriptor(x)
		mov	[ebp+var_2C], eax
		push	eax
		mov	ecx, [ebp+var_1C]
		call	_BiZwSetSecurityObject@12 ; BiZwSetSecurityObject(x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	short loc_8628DA
		lea	eax, [ebp+var_58]
		push	eax
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_28]
		call	_BiZwOpenKey@12	; BiZwOpenKey(x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	short loc_8628DA
		mov	ecx, [ebp+var_1C]
		call	_BiZwClose@4	; BiZwClose(x)
		mov	eax, [ebp+var_28]
		mov	[ebp+var_1C], eax
		jmp	loc_862845
; 

loc_8628CD:				; CODE XREF: BiOpenKey+B6j
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_86285C
; 

loc_8628DA:				; CODE XREF: BiOpenKey+96j
					; BiOpenKey+ABj ...
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jz	loc_862855
		jmp	loc_9045AF
BiOpenKey	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BcdSetElementDataWithFlags proc	near	; CODE XREF: PopBcdSetPendingResume+5Ap
					; PopBcdSetPendingResume+A0p ...

var_4E		= byte ptr -4Eh
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009045F1 SIZE 0000009E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+5Ch+var_3C], eax
		xor	ecx, ecx
		mov	[esp+5Ch+var_34], esi
		mov	ebx, edx
		mov	[esp+5Ch+var_40], ecx
		test	eax, eax
		mov	[esp+5Ch+var_38], ebx
		mov	eax, [ebp+arg_8]
		push	edi
		jz	loc_9045F1

loc_862927:				; CODE XREF: BcdSetElementDataWithFlags+A1D09j
		mov	[esp+60h+var_48], ecx
		mov	edi, ecx
		mov	[esp+60h+var_4E], cl
		mov	[esp+60h+var_44], edi
		mov	[esp+60h+var_4C], ecx
		test	eax, eax
		jz	loc_904603
		mov	ecx, esi
		call	_BiIsOfflineHandle@4 ; BiIsOfflineHandle(x)
		mov	cl, al
		mov	[esp+60h+var_4D], al
		call	BiAcquireBcdSyncMutant
		test	eax, eax
		js	loc_862A7C
		push	ebx
		push	(offset	loc_8C7C55+1)
		push	2
		call	_BiLogMessage
		add	esp, 0Ch
		lea	eax, [esp+60h+var_48]
		mov	edx, (offset loc_8C7715+1)
		mov	ecx, esi
		push	eax
		push	2001Dh
		call	BiOpenKey
		mov	esi, eax
		test	esi, esi
		js	loc_904612
		push	10h
		push	16h
		lea	eax, [esp+68h+var_30]
		push	eax
		push	ebx
		call	__ultow_s
		add	esp, 10h
		test	eax, eax
		jnz	loc_904627
		mov	ecx, [esp+60h+var_48]
		lea	eax, [esp+60h+var_4E]
		push	eax
		lea	eax, [esp+64h+var_44]
		push	eax
		push	1
		push	10002h
		lea	edx, [esp+70h+var_30]
		call	BiCreateKey
		mov	esi, eax
		test	esi, esi
		js	loc_904631
		mov	edx, [esp+60h+var_3C]
		lea	eax, [esp+60h+var_40]
		push	eax		; int
		lea	eax, [esp+64h+var_4C]
		push	eax		; int
		push	ecx		; int
		push	[ebp+arg_8]	; void *
		mov	ecx, ebx
		call	BiConvertElementToRegistryData
		mov	edi, [esp+60h+var_44]
		mov	esi, eax
		test	esi, esi
		js	loc_90464F
		push	[esp+60h+var_40]
		shr	ebx, 18h
		push	[esp+64h+var_4C]
		and	ebx, 0Fh
		mov	ecx, ebx
		call	_BiConvertElementFormatToValueType@4 ; BiConvertElementFormatToValueType(x)
		push	eax
		push	0
		mov	edx, offset ??_C@_1BA@DLALOCKE@?$AAE?$AAl?$AAe?$AAm?$AAe?$AAn?$AAt@NNGAKEGL@ ; "Element"
		mov	ecx, edi
		call	BiSetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	loc_90465C

loc_862A22:				; CODE XREF: BcdSetElementDataWithFlags+A1D87j
		cmp	[esp+60h+var_4C], 0
		jz	short loc_862A37
		push	4B444342h
		push	[esp+64h+var_4C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_862A37:				; CODE XREF: BcdSetElementDataWithFlags+13Dj
					; BcdSetElementDataWithFlags+A1D38j ...
		test	esi, esi
		js	loc_904676

loc_862A3F:				; CODE XREF: BcdSetElementDataWithFlags+A1D91j
					; BcdSetElementDataWithFlags+A1DA0j
		test	edi, edi
		jz	short loc_862A4A
		mov	ecx, edi
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_862A4A:				; CODE XREF: BcdSetElementDataWithFlags+157j
					; BcdSetElementDataWithFlags+A1D42j
		cmp	[esp+60h+var_48], 0
		jz	short loc_862A5A
		mov	ecx, [esp+60h+var_48]
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_862A5A:				; CODE XREF: BcdSetElementDataWithFlags+165j
		test	esi, esi
		js	short loc_862A71
		mov	edi, [esp+60h+var_34]
		lea	edx, [esp+60h+var_38]
		mov	ecx, edi
		call	BiIsLinkedToFirmwareVariable
		test	al, al
		jnz	short loc_862A90

loc_862A71:				; CODE XREF: BcdSetElementDataWithFlags+172j
					; BcdSetElementDataWithFlags+1ADj
		mov	cl, [esp+60h+var_4D]
		call	_BiReleaseBcdSyncMutant@4 ; BiReleaseBcdSyncMutant(x)
		mov	eax, esi

loc_862A7C:				; CODE XREF: BcdSetElementDataWithFlags+6Bj
					; BcdSetElementDataWithFlags+A1D14j ...
		mov	ecx, [esp+60h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_862A90:				; CODE XREF: BcdSetElementDataWithFlags+185j
		mov	ecx, edi
		call	_BiSetFirmwareModifiedFromObject@8 ; BiSetFirmwareModifiedFromObject(x,x)
		jmp	short loc_862A71
BcdSetElementDataWithFlags endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall BiCloseKey(x)
_BiCloseKey@4	proc near		; CODE XREF: BiOpenStoreKeyFromObject(x,x)+93p
					; BiSetFirmwareModifiedFromObject(x,x)+2Cp ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, 60019h
		call	_BiCreateKeySecurityDescriptor@4 ; BiCreateKeySecurityDescriptor(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_862AC4
		push	esi
		mov	ecx, edi
		call	_BiZwSetSecurityObject@12 ; BiZwSetSecurityObject(x,x,x)
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_862AC4:				; CODE XREF: BiCloseKey(x)+15j
		mov	ecx, edi
		call	_BiZwClose@4	; BiZwClose(x)
		pop	edi
		pop	esi
		pop	ecx
		retn
_BiCloseKey@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiCreateKeySecurityDescriptor(x)
_BiCreateKeySecurityDescriptor@4 proc near ; CODE XREF:	BiCreateKey+86p
					; BiOpenKey+E4p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ds:_SeExports
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+0E4h]
		mov	eax, [eax+0E0h]
		push	eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	ebx
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 18h
		add	esi, eax
		push	ebx
		mov	[ebp+var_4], esi
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 14h
		add	eax, esi
		push	4B444342h
		push	eax
		push	1
		mov	[ebp+var_10], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_862BDC
		push	2		; int
		push	[ebp+var_4]	; size_t
		lea	esi, [edi+14h]
		push	esi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		test	eax, eax
		js	loc_862BD1
		push	0
		push	ebx
		push	[ebp+var_8]
		mov	ecx, esi
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		test	eax, eax
		js	short loc_862BD1
		push	0
		push	[ebp+var_C]
		mov	ecx, esi
		push	0F003Fh
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		test	eax, eax
		js	short loc_862BD1
		push	1
		push	edi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		js	short loc_862BD1
		push	0
		push	esi
		push	1
		push	edi
		call	RtlSetDaclSecurityDescriptor
		test	eax, eax
		js	short loc_862BD1
		push	edi
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		push	ebx
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	esi, eax
		cmp	esi, [ebp+var_10]
		jb	short loc_862BD1
		push	edi
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		push	ebx
		lea	esi, [edi+eax]
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	eax		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	esi
		push	edi
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		test	eax, eax
		js	short loc_862BD1
		mov	eax, edi

loc_862BCC:				; CODE XREF: BiCreateKeySecurityDescriptor(x)+10Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_862BD1:				; CODE XREF: BiCreateKeySecurityDescriptor(x)+6Dj
					; BiCreateKeySecurityDescriptor(x)+87j	...
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_862BDC:				; CODE XREF: BiCreateKeySecurityDescriptor(x)+57j
		xor	eax, eax
		jmp	short loc_862BCC
_BiCreateKeySecurityDescriptor@4 endp


;  S U B	R O U T	I N E 


; __stdcall BiReleaseBcdSyncMutant(x)
_BiReleaseBcdSyncMutant@4 proc near	; CODE XREF: BcdForciblyUnloadStore+64p
					; BcdFlushStore+2Fp ...
		test	cl, cl
		jnz	short locret_862BF6
		mov	eax, _BcdMutantHandle
		cmp	eax, 0FFFFFFFFh
		jz	short locret_862BF6
		push	0
		push	eax
		call	_ZwReleaseMutant@8 ; ZwReleaseMutant(x,x)

locret_862BF6:				; CODE XREF: BiReleaseBcdSyncMutant(x)+2j
					; BiReleaseBcdSyncMutant(x)+Cj
		retn
_BiReleaseBcdSyncMutant@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


BiIsLinkedToFirmwareVariable proc near	; CODE XREF: BiDeleteElement+E9p
					; BcdSetElementDataWithFlags+17Ep ...

; FUNCTION CHUNK AT 0090468F SIZE 0000000E BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_BiGetFirmwareType@0 ; BiGetFirmwareType()
		dec	eax
		sub	eax, 1
		jz	loc_90468F
		xor	al, al

loc_862C12:				; CODE XREF: BiIsLinkedToFirmwareVariable+A1AA0j
		pop	edi
		pop	esi
		pop	ecx
		retn
BiIsLinkedToFirmwareVariable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiGetFirmwareType()
_BiGetFirmwareType@0 proc near		; CODE XREF: BiExportStoreAlterationsToFirmware+Cp
					; BcdGetSystemStorePath+13p ...

var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	8
		xor	eax, eax
		lea	edi, [ebp+var_28]
		pop	ecx
		rep stosd
		cmp	byte_6D4B30, al
		jz	short loc_862C4F
		mov	eax, dword_6B3EA8

loc_862C41:				; CODE XREF: BiGetFirmwareType()+66j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_862C4F:				; CODE XREF: BiGetFirmwareType()+24j
		push	0
		push	20h
		lea	eax, [ebp+var_28]
		xor	esi, esi
		push	eax
		push	5Ah
		inc	esi
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_862C6D
		mov	esi, [ebp+var_18]
		cmp	esi, 3
		jge	short loc_862C7E

loc_862C6D:				; CODE XREF: BiGetFirmwareType()+4Dj
					; BiGetFirmwareType()+6Aj
		mov	dword_6B3EA8, esi
		mov	eax, esi
		mov	byte_6D4B30, 1
		jmp	short loc_862C41
; 

loc_862C7E:				; CODE XREF: BiGetFirmwareType()+55j
		xor	esi, esi
		jmp	short loc_862C6D
_BiGetFirmwareType@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiSetRegistryValue proc	near		; CODE XREF: BiSetFirmwareModified+86464p
					; BiAddStoreFromFile+BCp ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0090469D SIZE 0000000E BYTES
; FUNCTION CHUNK AT 009046BF SIZE 0000000F BYTES

		push	20h
		push	offset dword_6A4A58
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	esi, ecx
		and	[ebp+var_30], 0
		and	[ebp+var_2C], 0
		xor	edi, edi

loc_862C9D:				; CODE XREF: BiSetRegistryValue+A1A47j
		push	[ebp+var_24]
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, esi
		call	_BiSanitizeHandle@4 ; BiSanitizeHandle(x)
		mov	esi, eax
		mov	[ebp+var_28], esi
		and	[ebp+var_1C], 0
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_862D04
		mov	[ebp+var_1C], esi

loc_862CC3:				; CODE XREF: BiSetRegistryValue+97j
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	ecx
		lea	edx, [ebp+var_30]
		mov	ecx, [ebp+var_1C]
		call	_BiZwSetValueKey@24 ; BiZwSetValueKey(x,x,x,x,x,x)
		mov	[ebp+var_20], eax

loc_862CDB:				; CODE XREF: BiSetRegistryValue+99j
		mov	ecx, [ebp+var_1C]
		cmp	ecx, esi
		jnz	short loc_862D1D

loc_862CE2:				; CODE XREF: BiSetRegistryValue+9Dj
					; BiSetRegistryValue+A4j
		cmp	[ebp+var_20], 0C000017Dh
		jz	loc_90469D

loc_862CEF:				; CODE XREF: BiSetRegistryValue+A1A40j
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_862D04:				; CODE XREF: BiSetRegistryValue+3Cj
		lea	eax, [ebp+var_1C]
		push	eax
		push	2001Fh
		mov	ecx, esi
		call	BiOpenKey
		mov	[ebp+var_20], eax
		test	eax, eax
		jns	short loc_862CC3
		jmp	short loc_862CDB
; 

loc_862D1D:				; CODE XREF: BiSetRegistryValue+5Ej
		test	ecx, ecx
		jz	short loc_862CE2
		call	_BiCloseKey@4	; BiCloseKey(x)
		jmp	short loc_862CE2
BiSetRegistryValue endp


;  S U B	R O U T	I N E 


; __stdcall BiConvertElementFormatToValueType(x)
_BiConvertElementFormatToValueType@4 proc near ; CODE XREF: BcdGetElementDataWithFlags+103p
					; BcdSetElementDataWithFlags+11Ap
		xor	eax, eax
		inc	eax
		cmp	ecx, eax
		jbe	short loc_862D39
		cmp	ecx, 3
		jbe	short locret_862D3C
		cmp	ecx, 4
		jz	short loc_862D3D

loc_862D39:				; CODE XREF: BiConvertElementFormatToValueType(x)+5j
		push	3
		pop	eax

locret_862D3C:				; CODE XREF: BiConvertElementFormatToValueType(x)+Aj
		retn
; 

loc_862D3D:				; CODE XREF: BiConvertElementFormatToValueType(x)+Fj
		push	7
		pop	eax
		retn
_BiConvertElementFormatToValueType@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	BiConvertElementToRegistryData(void *,int,int,int)
BiConvertElementToRegistryData proc near ; CODE	XREF: BcdSetElementDataWithFlags+F7p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009046CE SIZE 000001CD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, edx
		shr	ecx, 18h
		xor	edx, edx
		mov	[ebp+var_C], esi
		mov	eax, edx
		mov	[ebp+var_20], edx
		and	ecx, 0Fh
		mov	[ebp+var_1C], edx
		mov	[ebp+var_8], eax
		mov	ebx, edx
		mov	[ebp+var_10], eax
		push	edi
		mov	edi, 4B444342h
		sub	ecx, 1
		jz	loc_862E7D
		sub	ecx, 1
		jz	loc_862E4D
		sub	ecx, 1
		jz	loc_862F00
		sub	ecx, 1
		jz	loc_904734
		sub	ecx, 1
		jz	loc_90470E
		sub	ecx, 1
		jnz	loc_9046CE
		mov	eax, [ebp+arg_0]
		dec	eax
		cmp	eax, 1
		ja	loc_904704
		push	edi
		push	1
		push	1
		inc	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9046FA
		cmp	byte ptr [esi],	0
		setnz	al
		mov	[edi], al

loc_862DCF:				; CODE XREF: BiConvertElementToRegistryData+A19B3j
					; BiConvertElementToRegistryData+A19EDj
		mov	esi, [ebp+var_8]
		jmp	short loc_862E29
; 

loc_862DD4:				; CODE XREF: BiConvertElementToRegistryData+128j
		mov	dl, 1
		mov	[ebp+var_1], dl

loc_862DD9:				; CODE XREF: BiConvertElementToRegistryData+136j
		mov	edi, 4B444342h

loc_862DDE:				; CODE XREF: BiConvertElementToRegistryData+11Dj
		mov	esi, eax
		mov	[ebp+var_10], esi
		mov	[ebp+var_18], esi
		test	dl, dl
		jz	loc_90481C

loc_862DEE:				; CODE XREF: BiConvertElementToRegistryData+A1AF8j
		push	edi
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9046FA
		push	[ebp+arg_0]	; size_t
		mov	ecx, [ebp+var_C]
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	[ebp+var_1], 0
		jz	loc_90483F

loc_862E1B:				; CODE XREF: BiConvertElementToRegistryData+1EBj
					; BiConvertElementToRegistryData+A1AD5j ...
		mov	esi, [ebp+var_8]

loc_862E1E:				; CODE XREF: BiConvertElementToRegistryData+1B9j
		test	ebx, ebx
		js	loc_90486F
		mov	ebx, [ebp+var_10]

loc_862E29:				; CODE XREF: BiConvertElementToRegistryData+90j
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		mov	eax, [ebp+arg_C]
		mov	[eax], ebx
		xor	eax, eax
		mov	ebx, eax

loc_862E37:				; CODE XREF: BiConvertElementToRegistryData+A1B40j
		mov	edi, 4B444342h

loc_862E3C:				; CODE XREF: BiConvertElementToRegistryData+A1B25j
					; BiConvertElementToRegistryData+A1B48j
		test	esi, esi
		jnz	loc_90488F

loc_862E44:				; CODE XREF: BiConvertElementToRegistryData+1D8j
					; BiConvertElementToRegistryData+A19BDj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
; 

loc_862E4D:				; CODE XREF: BiConvertElementToRegistryData+39j
		mov	eax, [ebp+arg_0]
		test	al, 1
		jnz	loc_904704
		mov	ecx, eax
		mov	[ebp+var_1], dl
		shr	ecx, 1
		jz	loc_862DDE
		xor	edi, edi

loc_862E67:				; CODE XREF: BiConvertElementToRegistryData+134j
		cmp	[esi], di
		jz	loc_862DD4
		add	esi, 2
		sub	ecx, 1
		jnz	short loc_862E67
		jmp	loc_862DD9
; 

loc_862E7D:				; CODE XREF: BiConvertElementToRegistryData+30j
		cmp	dword ptr [esi], 6
		lea	eax, [ebp+var_10]
		mov	ecx, esi
		push	eax
		jz	loc_90484B
		push	edx
		mov	edx, [ebp+arg_0]
		call	BiConvertNtDeviceToBootEnvironment

loc_862E95:				; CODE XREF: BiConvertElementToRegistryData+A1B11j
		mov	ebx, eax
		test	ebx, ebx
		js	loc_904887
		mov	eax, [ebp+var_10]
		mov	[ebp+var_8], eax
		mov	esi, [eax+8]
		add	esi, 10h
		mov	[ebp+var_10], esi
		cmp	esi, 10h
		jb	loc_904858
		push	edi
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_90485F
		mov	esi, [ebp+var_C]
		mov	edi, eax
		lea	esi, [esi+4]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_8]
		mov	edi, eax
		push	dword ptr [esi+8] ; size_t
		lea	eax, [edi+10h]
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	esi, eax
		jmp	loc_862E1E
; 

loc_862F00:				; CODE XREF: BiConvertElementToRegistryData+42j
		cmp	[ebp+arg_0], 10h
		jnz	loc_904704
		push	1
		lea	edx, [ebp+var_20]
		mov	ecx, esi
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_862E44
		movzx	esi, word ptr [ebp+var_20]
		mov	edi, [ebp+var_1C]
		add	esi, 2
		mov	[ebp+var_10], esi
		jmp	loc_862E1B
BiConvertElementToRegistryData endp


;  S U B	R O U T	I N E 


_BiLogMessage	proc near		; CODE XREF: BiLogFileOwnerProcess(x,x)+54p
					; BiLogFileOwnerProcess(x,x)+E8p ...
		mov	edi, edi
		xor	eax, eax
		retn
_BiLogMessage	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiAcquireBcdSyncMutant proc near	; CODE XREF: BcdForciblyUnloadStore+10p
					; BcdFlushStore+Fp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090489B SIZE 00000073 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	esi
		test	cl, cl
		jnz	short loc_862F85
		mov	eax, _BcdMutantHandle
		xor	esi, esi
		mov	[ebp+var_4], esi
		test	eax, eax
		jz	loc_90489B

loc_862F57:				; CODE XREF: BiAcquireBcdSyncMutant+A19D1j
		mov	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_862F85
		or	[ebp+var_C], 0FFFFFFFFh
		lea	ecx, [ebp+var_10]
		push	ecx
		push	esi
		push	eax
		mov	[ebp+var_10], 0DC3CBA00h
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		cmp	eax, 102h
		jz	short loc_862F7E

loc_862F7B:				; CODE XREF: BiAcquireBcdSyncMutant+4Bj
					; BiAcquireBcdSyncMutant+4Fj ...
		pop	esi
		leave
		retn
; 

loc_862F7E:				; CODE XREF: BiAcquireBcdSyncMutant+41j
		mov	eax, 0C0000001h
		jmp	short loc_862F7B
; 

loc_862F85:				; CODE XREF: BiAcquireBcdSyncMutant+Bj
					; BiAcquireBcdSyncMutant+24j
		xor	eax, eax
		jmp	short loc_862F7B
BiAcquireBcdSyncMutant endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiGetObjectIdentifier(x, x)
_BiGetObjectIdentifier@8 proc near	; CODE XREF: BcdQueryObject(x,x,x,x)+71p
					; BcdGetElementDataWithFlags+87p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], eax
		lea	edx, [ebp+var_4]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		call	BiGetKeyName
		test	eax, eax
		js	short loc_862FD3
		push	[ebp+var_4]
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		push	4B444342h
		push	[ebp+var_4]
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_862FD3:				; CODE XREF: BiGetObjectIdentifier(x,x)+20j
		pop	esi
		leave
		retn
_BiGetObjectIdentifier@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiGetKeyName	proc near		; CODE XREF: BiGetObjectIdentifier(x,x)+19p
					; BiBindEfiEntryToBcdObject(x,x)+61p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 0090490E SIZE 0000002A BYTES
; FUNCTION CHUNK AT 0090494C SIZE 0000000F BYTES

		push	1Ch
		push	offset dword_6A4A78
		call	__SEH_prolog4
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], ecx
		xor	ebx, ebx

loc_862FEA:				; CODE XREF: BiGetKeyName+A1980j
		mov	ecx, [ebp+var_24]
		call	_BiSanitizeHandle@4 ; BiSanitizeHandle(x)
		mov	[ebp+var_24], eax
		xor	edi, edi
		and	[ebp+var_20], edi
		lea	ecx, [ebp+var_20]
		push	ecx
		push	edi
		push	edi
		xor	edx, edx
		mov	ecx, eax
		call	_BiZwQueryKey@20 ; BiZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		cmp	esi, 0C0000023h
		jnz	loc_90490E
		push	4B444342h
		push	[ebp+var_20]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_90491D
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_20]
		push	edi
		xor	edx, edx
		mov	ecx, [ebp+var_24]
		call	_BiZwQueryKey@20 ; BiZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	short loc_863091
		push	4B444342h
		mov	eax, [edi+0Ch]
		add	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	loc_90491D
		push	dword ptr [edi+0Ch] ; size_t
		lea	eax, [edi+10h]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [edi+0Ch]
		shr	eax, 1
		xor	edx, edx
		mov	ecx, [ebp+var_28]
		mov	[ecx+eax*2], dx
		mov	eax, [ebp+var_2C]
		mov	[eax], ecx

loc_863091:				; CODE XREF: BiGetKeyName+76j
					; BiGetKeyName+A193Aj ...
		test	edi, edi
		jz	short loc_8630A0
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8630A0:				; CODE XREF: BiGetKeyName+BDj
		cmp	esi, 0C000017Dh
		jz	loc_90492A

loc_8630AC:				; CODE XREF: BiGetKeyName+A1979j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
BiGetKeyName	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	BiConvertRegistryDataToElement(size_t,int,int,void *,int)
BiConvertRegistryDataToElement proc near ; CODE	XREF: BcdGetElementDataWithFlags+143p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0090495B SIZE 000001CB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+arg_4]
		push	ebx
		shr	eax, 18h
		mov	[ebp+var_18], ecx
		and	eax, 0Fh
		xor	ecx, ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_14], ecx
		mov	ebx, ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_10]
		sub	eax, 1
		jz	short loc_863135
		sub	eax, 1
		jnz	loc_8631AD
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_904989
		test	al, 1
		jnz	loc_904989
		xor	esi, esi
		mov	byte ptr [ebp+arg_8+3],	cl
		mov	ebx, eax
		mov	ecx, eax
		cmp	[edx+eax-2], si
		jnz	loc_904ABC

loc_863123:				; CODE XREF: BiConvertRegistryDataToElement+A1A07j
		cmp	ecx, [edi]
		jbe	loc_863209

loc_86312B:				; CODE XREF: BiConvertRegistryDataToElement+FDj
					; BiConvertRegistryDataToElement+A18BEj ...
		mov	esi, 0C0000023h
		jmp	loc_8631FE
; 

loc_863135:				; CODE XREF: BiConvertRegistryDataToElement+33j
		cmp	[ebp+arg_0], 1Ch
		jb	loc_904989
		lea	ecx, [edx+10h]
		mov	eax, [ecx+8]
		add	eax, 10h
		cmp	eax, [ebp+arg_0]
		jnz	loc_904989
		test	byte ptr [ebp+arg_8], 1
		lea	eax, [ebp+var_C]
		push	eax
		jnz	loc_904AD8
		test	byte ptr [ebp+arg_8], 2
		jnz	loc_904AE5
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_8]
		call	BiConvertBootEnvironmentDeviceToNt

loc_863178:				; CODE XREF: BiConvertRegistryDataToElement+A1A22j
					; BiConvertRegistryDataToElement+A1A2Fj
		mov	esi, eax
		test	esi, esi
		js	loc_904B1E
		mov	esi, [ebp+var_8]
		cmp	dword ptr [esi], 8
		jz	loc_904AF2

loc_86318E:				; CODE XREF: BiConvertRegistryDataToElement+A1A40j
		mov	ebx, [ebp+var_C]

loc_863191:				; CODE XREF: BiConvertRegistryDataToElement+A1A5Bj
		cmp	ebx, [edi]
		jbe	loc_863222
		push	4B444342h
		push	[ebp+var_8]
		mov	esi, 0C0000023h
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8631FE
; 

loc_8631AD:				; CODE XREF: BiConvertRegistryDataToElement+38j
		sub	eax, 1
		jnz	loc_90495B
		push	10h
		pop	ebx
		cmp	[edi], ebx
		jb	loc_86312B
		mov	eax, [ebp+arg_0]
		cmp	eax, 2
		jb	loc_904989
		test	al, 1
		jnz	loc_904989
		shr	eax, 1
		xor	ecx, ecx
		push	edx
		mov	[edx+eax*2-2], cx
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+arg_C]
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_863254

loc_8631FA:				; CODE XREF: BiConvertRegistryDataToElement+15Dj
					; BiConvertRegistryDataToElement+A18EAj ...
		xor	eax, eax
		mov	esi, eax

loc_8631FE:				; CODE XREF: BiConvertRegistryDataToElement+72j
					; BiConvertRegistryDataToElement+EDj ...
		mov	[edi], ebx

loc_863200:				; CODE XREF: BiConvertRegistryDataToElement+19Cj
					; BiConvertRegistryDataToElement+A18D0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_863209:				; CODE XREF: BiConvertRegistryDataToElement+67j
		mov	esi, [ebp+arg_C]
		push	eax		; size_t
		push	edx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	byte ptr [ebp+arg_8+3],	0
		jz	short loc_8631FA
		jmp	loc_904ACA
; 

loc_863222:				; CODE XREF: BiConvertRegistryDataToElement+D5j
		mov	edi, [ebp+arg_C]
		push	ebx		; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		mov	esi, [ebp+var_10]
		add	edi, 4
		add	esp, 0Ch
		movsd
		push	4B444342h
		push	[ebp+var_8]
		movsd
		movsd
		movsd
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	esi, eax

loc_86324B:				; CODE XREF: BiConvertRegistryDataToElement+A19EEj
		test	esi, esi
		js	short loc_863254

loc_86324F:				; CODE XREF: BiConvertRegistryDataToElement+19Ej
					; BiConvertRegistryDataToElement+A19F9j
		mov	edi, [ebp+arg_10]
		jmp	short loc_8631FE
; 

loc_863254:				; CODE XREF: BiConvertRegistryDataToElement+13Aj
					; BiConvertRegistryDataToElement+18Fj ...
		cmp	esi, 0C0000023h
		jnz	short loc_863200
		jmp	short loc_86324F
BiConvertRegistryDataToElement endp


;  S U B	R O U T	I N E 


; int __fastcall BiIsObjectAliased(void	*)
BiIsObjectAliased proc near		; CODE XREF: BcdOpenObject+A6p
					; BiCreateObject(x,x,x,x,x)+89p

; FUNCTION CHUNK AT 00904B26 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		push	10h		; size_t
		push	offset _GUID_CURRENT_BOOT_ENTRY	; void *
		xor	ebx, ebx
		push	edi		; void *
		mov	[esi], ebx
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_86329D
		push	10h		; size_t
		push	offset _GUID_DEFAULT_BOOT_ENTRY	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_904B26

loc_863297:				; CODE XREF: BiIsObjectAliased+44j
					; BiIsObjectAliased+A18D0j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_86329D:				; CODE XREF: BiIsObjectAliased+1Fj
		xor	ebx, ebx
		inc	ebx
		mov	[esi], ebx
		jmp	short loc_863297
BiIsObjectAliased endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiConvertNtDeviceToBootEnvironment proc	near
					; CODE XREF: BiConvertElementToRegistryData+14Ep
					; BiConvertNtDeviceToBootEnvironment+A193Ep ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00904B33 SIZE 00000455 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		xor	edx, edx
		mov	[esp+20h+var_4], edi
		mov	ebx, edx
		mov	[esp+20h+var_8], edx
		mov	[esp+20h+var_C], edx
		mov	eax, [edi]
		dec	eax
		mov	[esp+20h+var_14], edx
		mov	[esp+20h+var_10], ebx
		cmp	eax, 8		; switch 9 cases
		ja	short loc_86333A ; default
		jmp	ds:off_863344[eax*4] ; switch jump

loc_8632DD:				; DATA XREF: PAGE:off_863344o
		cmp	esi, 16h	; case 0x1
		jb	short loc_86332C
		lea	ecx, [edi+14h]
		call	BiIsVolumePartitionInformationRetained
		test	al, al
		jz	short loc_863333
		mov	edx, [ebp+arg_0]
		lea	eax, [esp+20h+var_C]
		push	eax
		lea	eax, [esp+24h+var_10]
		push	eax
		lea	ecx, [edi+14h]
		call	BiCreatePartitionDevice
		mov	ebx, [esp+20h+var_10]
		mov	esi, eax
		test	esi, esi
		js	short loc_863311

loc_86330D:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A1B5Ej
					; BiConvertNtDeviceToBootEnvironment+A1C15j ...
		xor	eax, eax
		mov	esi, eax

loc_863311:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+67j
					; BiConvertNtDeviceToBootEnvironment+94j ...
		cmp	[esp+20h+var_14], 0
		jnz	loc_904F75

loc_86331C:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+8Dj
					; BiConvertNtDeviceToBootEnvironment+A1CDFj
		mov	eax, [ebp+arg_4]
		pop	edi
		mov	[eax], ebx
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_86332C:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+3Cj
					; BiConvertNtDeviceToBootEnvironment+A1892j ...
		mov	esi, 0C000000Dh
		jmp	short loc_86331C
; 

loc_863333:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+48j
					; BiConvertNtDeviceToBootEnvironment+A190Aj
		mov	esi, 0C00000BBh
		jmp	short loc_863311
; 

loc_86333A:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+30j
					; BiConvertNtDeviceToBootEnvironment+32j
					; DATA XREF: ...
		mov	esi, 0C000000Dh	; default
		jmp	short loc_863311
BiConvertNtDeviceToBootEnvironment endp

; 
		align 4
off_863344	dd offset loc_904D26	; DATA XREF: BiConvertNtDeviceToBootEnvironment+32r
		dd offset loc_8632DD	; jump table for switch	statement
		dd offset loc_904D4B
		dd offset loc_904E07
		dd offset loc_904EBE
		dd offset loc_86333A
		dd offset loc_904E66
		dd offset loc_904B33
		dd offset loc_904F3B

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiCreatePartitionDevice	proc near	; CODE XREF: BiConvertNtDeviceToBootEnvironment+5Ap

var_138		= dword	ptr -138h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_108		= dword	ptr -108h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00904F88 SIZE 0000017D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 13Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_7C], eax
		lea	edi, [ebp+var_A8]
		mov	eax, [ebp+arg_4]
		mov	ebx, ecx
		push	6
		pop	ecx
		mov	[ebp+var_80], eax
		xor	esi, esi
		xor	eax, eax
		mov	[ebp+var_78], edx
		push	90h		; size_t
		rep stosd
		lea	eax, [ebp+var_138]
		mov	[ebp+var_60], ebx
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_90], esi
		mov	[ebp+var_8C], esi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_88], esi
		mov	eax, esi
		mov	[ebp+var_84], esi
		mov	[ebp+var_68], eax
		mov	edi, esi
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_50]
		push	48h		; size_t
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_54], esi
		mov	[ebp+var_64], esi
		mov	[ebp+var_5C], esi
		mov	[ebp+var_6C], esi
		mov	[ebp+var_58], edi
		mov	[ebp+var_70], esi
		call	_memset
		add	esp, 0Ch
		lea	edx, [ebp+var_54]
		mov	ecx, ebx
		call	_BiGetDriveLayoutInformation@8 ; BiGetDriveLayoutInformation(x,x)
		test	eax, eax
		js	loc_904F88

loc_86340D:				; CODE XREF: BiCreatePartitionDevice+A1C44j
		test	byte ptr [ebp+var_78], 40h
		jnz	short loc_863427
		mov	ecx, ebx
		call	_BiGetPartitionVhdFilePath@4 ; BiGetPartitionVhdFilePath(x)
		mov	edi, eax
		mov	[ebp+var_58], edi
		test	edi, edi
		jnz	loc_904FB1

loc_863427:				; CODE XREF: BiCreatePartitionDevice+A9j
					; BiCreatePartitionDevice+A1CE1j
		mov	esi, [ebp+var_54]
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_90504E
		mov	eax, [esi+8]
		mov	[ebp+var_2C], 1
		mov	[ebp+var_28], eax

loc_863441:				; CODE XREF: BiCreatePartitionDevice+A1CFCj
		push	[ebp+var_60]
		lea	eax, [ebp+var_88]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	20h
		lea	eax, [ebp+var_88]
		mov	[ebp+var_A8], 18h
		mov	[ebp+var_A0], eax
		xor	ecx, ecx
		push	3
		lea	eax, [ebp+var_90]
		mov	[ebp+var_A4], ecx
		push	eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_9C], 240h
		push	eax
		push	80100000h
		lea	eax, [ebp+var_64]
		mov	[ebp+var_98], ecx
		push	eax
		mov	[ebp+var_94], ecx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_905090
		mov	edx, [esi]
		lea	eax, [ebp+var_138]
		mov	ecx, [ebp+var_64]
		push	eax
		call	BiGetPartitionInformation
		mov	ebx, eax
		test	ebx, ebx
		js	loc_905090
		cmp	[ebp+var_138], 0
		jnz	loc_905069
		mov	eax, [ebp+var_130]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+var_12C]
		mov	[ebp+var_3C], eax

loc_8634E8:				; CODE XREF: BiCreatePartitionDevice+A1D17j
		mov	esi, [ebp+var_68]
		add	esi, 38h
		cmp	esi, 48h
		ja	loc_905084
		push	48h
		pop	eax

loc_8634FA:				; CODE XREF: BiCreatePartitionDevice+A1D1Ej
		push	4B444342h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_60], edi
		test	edi, edi
		jz	loc_90508B
		cmp	esi, 48h
		ja	loc_905095
		push	48h
		pop	eax

loc_863520:				; CODE XREF: BiCreatePartitionDevice+A1D2Fj
		push	eax		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_50], 6
		mov	[ebp+var_48], esi
		push	48h
		pop	eax
		cmp	esi, eax
		ja	short loc_863540
		mov	[ebp+var_48], eax

loc_863540:				; CODE XREF: BiCreatePartitionDevice+1D3j
		push	12h
		pop	ecx
		lea	esi, [ebp+var_50]
		rep movsd
		mov	edi, [ebp+var_58]
		mov	esi, [ebp+var_60]
		test	edi, edi
		jnz	loc_90509C

loc_863556:				; CODE XREF: BiCreatePartitionDevice+A1D46j
		mov	eax, [ebp+var_7C]
		mov	ecx, [ebp+var_80]
		mov	[eax], esi
		mov	esi, [ebp+var_54]
		mov	eax, [esi+4]
		mov	[ecx], eax

loc_863566:				; CODE XREF: BiCreatePartitionDevice+A1D56j
		mov	eax, [ebp+var_6C]
		test	eax, eax
		jnz	loc_9050C3

loc_863571:				; CODE XREF: BiCreatePartitionDevice+A1C98j
					; BiCreatePartitionDevice+A1D66j
		cmp	[ebp+var_5C], 0
		jnz	loc_9050D3

loc_86357B:				; CODE XREF: BiCreatePartitionDevice+A1D78j
		test	edi, edi
		jnz	loc_9050E5

loc_863583:				; CODE XREF: BiCreatePartitionDevice+A1D88j
		mov	eax, [ebp+var_70]
		test	eax, eax
		jnz	loc_9050F5

loc_86358E:				; CODE XREF: BiCreatePartitionDevice+A1D98j
		cmp	[ebp+var_64], 0
		jz	short loc_86359C
		push	[ebp+var_64]
		call	_ZwClose@4	; ZwClose(x)

loc_86359C:				; CODE XREF: BiCreatePartitionDevice+22Aj
		test	esi, esi
		jz	short loc_8635AB
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8635AB:				; CODE XREF: BiCreatePartitionDevice+236j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
BiCreatePartitionDevice	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiGetPartitionInformation proc near	; CODE XREF: BiCreatePartitionDevice+152p

var_CC		= dword	ptr -0CCh
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= byte ptr -0B0h
var_AC		= byte ptr -0ACh
var_AB		= byte ptr -0ABh
var_AA		= byte ptr -0AAh
var_A8		= dword	ptr -0A8h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_13		= byte ptr -13h
var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00905105 SIZE 00000099 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_30], eax
		mov	ebx, edx
		xor	eax, eax
		mov	esi, ecx
		push	90h		; size_t
		push	eax		; int
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_CC]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [ebp+var_2C]
		xor	eax, eax
		push	8
		pop	ecx
		push	90h
		rep stosd
		xor	edi, edi
		lea	eax, [ebp+var_CC]
		push	eax
		push	edi
		push	edi
		push	70048h
		lea	eax, [ebp+var_38]
		push	eax
		push	edi
		push	edi
		push	edi
		push	esi
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_905105

loc_863633:				; CODE XREF: BiGetPartitionInformation+A1BDBj
		mov	edi, [ebp+var_30]
		lea	esi, [ebp+var_CC]
		push	24h
		pop	ecx
		rep movsd

loc_863641:				; CODE XREF: BiGetPartitionInformation+A1B6Dj
					; BiGetPartitionInformation+A1BD5j
		mov	ecx, [ebp+var_8]
		mov	eax, edx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
BiGetPartitionInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiGetPartitionVhdFilePath(x)
_BiGetPartitionVhdFilePath@4 proc near	; CODE XREF: BiCreatePartitionDevice+ADp
					; BiGetNtPartitionPath+A2E8Cp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	ecx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	ecx, [ebp+var_8]
		call	BiGetPartitionVhdFilePathFromUnicodeString
		leave
		retn
_BiGetPartitionVhdFilePath@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiGetPartitionVhdFilePathFromUnicodeString proc	near
					; CODE XREF: BiGetPartitionVhdFilePath(x)+1Cp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090519E SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_2C], 18h
		push	esi
		push	edi
		push	20h
		mov	[ebp+var_14], eax
		mov	esi, eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_14]
		push	3
		push	eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], 240h
		push	eax
		push	0C0100000h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_24], ecx
		push	eax
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_863733
		xor	ebx, ebx
		mov	edi, 208h
		inc	ebx

loc_8636D6:				; CODE XREF: BiGetPartitionVhdFilePathFromUnicodeString+A1B3Fj
		push	4B444342h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_863748
		push	edi
		push	esi
		push	4
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], 1
		push	eax
		push	2D5928h
		lea	eax, [ebp+var_14]
		push	eax
		push	0
		push	0
		push	0
		push	[ebp+var_4]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	loc_90519E

loc_86371A:				; CODE XREF: BiGetPartitionVhdFilePathFromUnicodeString+D5j
		test	eax, eax
		jns	loc_9051BC

loc_863722:				; CODE XREF: BiGetPartitionVhdFilePathFromUnicodeString+A1B29j
		test	esi, esi
		jz	short loc_863733
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi

loc_863733:				; CODE XREF: BiGetPartitionVhdFilePathFromUnicodeString+54j
					; BiGetPartitionVhdFilePathFromUnicodeString+ACj ...
		cmp	[ebp+var_4], 0
		jz	short loc_863741
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_863741:				; CODE XREF: BiGetPartitionVhdFilePathFromUnicodeString+BFj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_863748:				; CODE XREF: BiGetPartitionVhdFilePathFromUnicodeString+6Fj
		mov	eax, 0C0000017h
		jmp	short loc_86371A
BiGetPartitionVhdFilePathFromUnicodeString endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiGetDriveLayoutInformation(x, x)
_BiGetDriveLayoutInformation@8 proc near ; CODE	XREF: BiGetDriveLayoutBlock+28p
					; BiCreatePartitionDevice+98p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebp+var_C]
		push	ecx
		push	eax
		mov	edi, edx
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	20h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_14]
		push	3
		push	eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_28], esi
		push	eax
		push	80100000h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_20], 240h
		push	eax
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8637C0
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	BiIssueGetDriveLayoutIoctl
		mov	esi, eax

loc_8637C0:				; CODE XREF: BiGetDriveLayoutInformation(x,x)+62j
		cmp	[ebp+var_4], 0
		jz	short loc_8637CE
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_8637CE:				; CODE XREF: BiGetDriveLayoutInformation(x,x)+74j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_BiGetDriveLayoutInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiIssueGetDriveLayoutIoctl proc	near	; CODE XREF: BiGetDriveLayoutInformation(x,x)+69p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009051E1 SIZE 0000017F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_14], 0
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		push	edi
		push	4B444342h
		mov	esi, 4830h
		mov	[ebp+var_C], edx
		push	esi
		push	1
		mov	[ebp+var_4], ecx
		xor	ebx, ebx
		mov	[ebp+var_8], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_863856

loc_86380A:				; CODE XREF: BiIssueGetDriveLayoutIoctl+A1A35j
		push	esi
		push	edi
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		push	ecx
		push	ecx
		push	70050h
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_4]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_9051E1
		test	esi, esi
		js	loc_905219

loc_86383A:				; CODE XREF: BiIssueGetDriveLayoutIoctl+A1B19j
					; BiIssueGetDriveLayoutIoctl+A1B77j
		mov	eax, [ebp+var_C]
		mov	[eax], edi

loc_86383F:				; CODE XREF: BiIssueGetDriveLayoutIoctl+A1A40j
					; BiIssueGetDriveLayoutIoctl+A1AB9j
		test	ebx, ebx
		jnz	loc_905350

loc_863847:				; CODE XREF: BiIssueGetDriveLayoutIoctl+A1B87j
		test	esi, esi
		js	loc_905225

loc_86384F:				; CODE XREF: BiIssueGetDriveLayoutIoctl+87j
					; BiIssueGetDriveLayoutIoctl+A1A53j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_863856:				; CODE XREF: BiIssueGetDriveLayoutIoctl+34j
		mov	esi, 0C000009Ah
		jmp	short loc_86384F
BiIssueGetDriveLayoutIoctl endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiIsVolumePartitionInformationRetained proc near
					; CODE XREF: BiConvertNtDeviceToBootEnvironment+41p

var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00905360 SIZE 000000A3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 174h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	8
		mov	edx, ecx
		lea	edi, [ebp+var_28]
		pop	ecx
		xor	eax, eax
		xor	esi, esi
		rep stosd
		push	edx
		lea	eax, [ebp+var_15C]
		mov	[ebp+var_15C], esi
		push	eax
		mov	[ebp+var_158], esi
		mov	[ebp+var_14C], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	20h
		lea	eax, [ebp+var_15C]
		mov	[ebp+var_174], 18h
		mov	[ebp+var_16C], eax
		lea	eax, [ebp+var_154]
		push	3
		push	eax
		lea	eax, [ebp+var_174]
		mov	[ebp+var_170], esi
		push	eax
		push	80100000h
		lea	eax, [ebp+var_14C]
		mov	[ebp+var_168], 240h
		push	eax
		mov	[ebp+var_164], esi
		mov	[ebp+var_160], esi
		mov	[ebp+var_154], esi
		mov	[ebp+var_150], esi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_86393E
		push	esi
		push	esi
		push	esi
		push	esi
		push	(offset	loc_560023+5)
		lea	eax, [ebp+var_154]
		mov	[ebp+var_154], esi
		push	eax
		push	esi
		push	esi
		push	esi
		push	[ebp+var_14C]
		mov	[ebp+var_150], esi
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_905360

loc_86393E:				; CODE XREF: BiIsVolumePartitionInformationRetained+AAj
					; BiIsVolumePartitionInformationRetained+A1B74j ...
		shr	ebx, 1Fh
		xor	bl, 1
		cmp	[ebp+var_14C], esi
		jz	short loc_863957
		push	[ebp+var_14C]
		call	_ZwClose@4	; ZwClose(x)

loc_863957:				; CODE XREF: BiIsVolumePartitionInformationRetained+ECj
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
BiIsVolumePartitionInformationRetained endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiVerifyBootPartition proc near		; CODE XREF: BiConvertBootEnvironmentDeviceToNt+76p
					; BiGetNtPartitionPath+8Ep

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00905403 SIZE 00000160 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ecx]
		push	ebx
		push	esi
		mov	[ebp+var_20], edx
		xor	edx, edx
		mov	[ebp+var_14], edx
		mov	ebx, edx
		mov	[ebp+var_18], edx
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], edi
		cmp	eax, 2
		jz	loc_905403
		cmp	eax, 6
		jnz	loc_905411
		lea	esi, [ecx+10h]
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], esi

loc_8639A2:				; CODE XREF: BiVerifyBootPartition+A1AA4j
		push	20h
		lea	edx, [esi+10h]
		pop	eax

loc_8639A8:				; CODE XREF: BiVerifyBootPartition+A1AC9j
		mov	[ebp+var_10], edx
		mov	edx, [edx]
		test	edx, edx
		jnz	loc_905436

loc_8639B5:				; CODE XREF: BiVerifyBootPartition+A1BCCj
		mov	ecx, [ebp+var_20]
		xor	edx, edx
		mov	esi, edx
		test	ecx, ecx
		jz	short loc_8639C5
		mov	eax, [ebp+var_8]
		mov	[ecx], eax

loc_8639C5:				; CODE XREF: BiVerifyBootPartition+56j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_8639D1
		mov	ecx, [ebp+var_C]
		mov	[eax], ecx

loc_8639D1:				; CODE XREF: BiVerifyBootPartition+62j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_8639DD
		mov	ecx, [ebp+var_10]
		mov	[eax], ecx

loc_8639DD:				; CODE XREF: BiVerifyBootPartition+6Ej
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_8639E9
		mov	ecx, [ebp+var_18]
		mov	[eax], ecx

loc_8639E9:				; CODE XREF: BiVerifyBootPartition+7Aj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_8639F4
		mov	[eax], ebx
		mov	ebx, edx

loc_8639F4:				; CODE XREF: BiVerifyBootPartition+86j
					; BiVerifyBootPartition+A1B28j	...
		test	edi, edi
		jnz	loc_905539

loc_8639FC:				; CODE XREF: BiVerifyBootPartition+A1BDCj
		test	ebx, ebx
		jnz	loc_905549

loc_863A04:				; CODE XREF: BiVerifyBootPartition+A1BECj
					; BiVerifyBootPartition+A1BF6j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
BiVerifyBootPartition endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiOpenKeyNonBcd	proc near		; CODE XREF: BiLoadHive+60p
					; BiCleanupLoadedStores+3Ep ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00905563 SIZE 00000024 BYTES
; FUNCTION CHUNK AT 0090559A SIZE 0000000F BYTES

		push	38h
		push	offset dword_6A4A98
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	[ebp+var_28], ecx
		xor	esi, esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	edi, esi

loc_863A2A:				; CODE XREF: BiOpenKeyNonBcd+A1B96j
		mov	[ebp+var_1C], esi
		push	[ebp+var_24]
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_48], 18h
		mov	eax, [ebp+var_28]
		mov	[ebp+var_44], eax
		mov	[ebp+var_3C], 240h
		lea	eax, [ebp+var_30]
		mov	[ebp+var_40], eax
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], esi
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+arg_0]
		lea	eax, [ebp+var_1C]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		js	short loc_863A78
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_1C]
		mov	[ecx], eax

loc_863A78:				; CODE XREF: BiOpenKeyNonBcd+60j
		cmp	[ebp+var_20], 0
		jl	loc_905563

loc_863A82:				; CODE XREF: BiOpenKeyNonBcd+A1B59j
					; BiOpenKeyNonBcd+A1B67j
		cmp	[ebp+var_20], 0C000017Dh
		jz	loc_90557A

loc_863A8F:				; CODE XREF: BiOpenKeyNonBcd+A1B8Fj
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
BiOpenKeyNonBcd	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiDoesHiveExist(x)
_BiDoesHiveExist@4 proc	near		; CODE XREF: BiLoadHive+43p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_10		= byte ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	edx, ecx
		lea	edi, [ebp+var_30]
		push	0Ah
		pop	ecx
		xor	eax, eax
		xor	esi, esi
		rep stosd
		lea	eax, [edx+0Ch]
		mov	[ebp+var_38], esi
		push	eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_34], esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_38]
		mov	[ebp+var_50], 18h
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_4C], esi
		push	eax
		mov	[ebp+var_44], 240h
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], esi
		call	_ZwQueryAttributesFile@8 ; ZwQueryAttributesFile(x,x)
		test	eax, eax
		js	short loc_863B1D
		test	[ebp+var_10], 10h
		jnz	short loc_863B1D
		mov	al, 1

loc_863B0F:				; CODE XREF: BiDoesHiveExist(x)+7Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_863B1D:				; CODE XREF: BiDoesHiveExist(x)+61j
					; BiDoesHiveExist(x)+67j
		xor	al, al
		jmp	short loc_863B0F
_BiDoesHiveExist@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiGetCurrentBootEntryIdentifier(x)
_BiGetCurrentBootEntryIdentifier@4 proc	near ; CODE XREF: BcdOpenObject+10Ap

var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	8
		mov	ebx, ecx
		lea	edi, [ebp+var_28]
		pop	ecx
		xor	eax, eax
		push	eax
		rep stosd
		push	20h
		lea	eax, [ebp+var_28]
		push	eax
		push	5Ah
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_863B5E
		mov	edi, ebx
		lea	esi, [ebp+var_28]
		movsd
		movsd
		movsd
		movsd

loc_863B5E:				; CODE XREF: BiGetCurrentBootEntryIdentifier(x)+31j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_BiGetCurrentBootEntryIdentifier@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BiGetSystemPartition proc near		; CODE XREF: BcdGetSystemStorePath+3Cp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009055A9 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	edx, edx
		push	eax
		xor	ecx, ecx
		call	SyspartGetFirmwarePartition
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_9055A9
		push	4B444342h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_863BCE
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, edi
		call	SyspartGetFirmwarePartition
		mov	esi, eax
		test	esi, esi
		js	loc_9055BB
		mov	[ebx], edi

loc_863BC7:				; CODE XREF: BiGetSystemPartition+65j
					; BiGetSystemPartition+A1A3Dj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_863BCE:				; CODE XREF: BiGetSystemPartition+3Dj
		mov	esi, 0C0000017h
		jmp	short loc_863BC7
BiGetSystemPartition endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SyspartGetFirmwarePartition proc near	; CODE XREF: BiGetSystemPartition+17p
					; BiGetSystemPartition+48p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009055CB SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	esi, edx
		mov	edi, ecx
		push	esi
		mov	edx, edi
		mov	ecx, 0C8h
		call	SiQuerySystemInformationString
		test	eax, eax
		jns	short loc_863C01
		cmp	eax, 0C0000023h
		jnz	loc_9055CB

loc_863C01:				; CODE XREF: SyspartGetFirmwarePartition+1Ej
					; SyspartGetFirmwarePartition+A1A05j
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
SyspartGetFirmwarePartition endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SiQuerySystemInformationString proc near ; CODE	XREF: SyspartGetFirmwarePartition+17p
					; SyspartGetSystemPartition(x,x,x)+15p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009055E0 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	ecx
		push	ebx
		mov	[ebp+var_4], ecx
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_9055E0
		push	4B505953h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_863C96
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		push	edi
		push	ebx
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_863C74
		movzx	ecx, word ptr [edi]
		mov	eax, [ebp+arg_4]
		add	ecx, 2
		mov	[eax], ecx
		cmp	ecx, [ebp+arg_0]
		jbe	short loc_863C85
		mov	esi, 0C0000023h

loc_863C74:				; CODE XREF: SiQuerySystemInformationString+55j
					; SiQuerySystemInformationString+8Cj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_863C7C:				; CODE XREF: SiQuerySystemInformationString+93j
					; SiQuerySystemInformationString+A19DAj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_863C85:				; CODE XREF: SiQuerySystemInformationString+65j
		push	ecx		; size_t
		push	dword ptr [edi+4] ; void *
		push	[ebp+var_8]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_863C74
; 

loc_863C96:				; CODE XREF: SiQuerySystemInformationString+41j
		mov	esi, 0C000009Ah
		jmp	short loc_863C7C
SiQuerySystemInformationString endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopBcdSetupResumeObject	proc near	; CODE XREF: PopBcdSetPendingResume+2Bp
					; PopBcdSetDefaultResumeObjectElements+21Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 009055F2 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		movzx	esi, word ptr _PoHiberFileRoot
		xor	eax, eax
		and	[ebp+var_10], eax
		add	esi, 16h
		and	[ebp+var_C], eax
		mov	ebx, ecx
		push	edi
		push	64634250h
		push	esi
		push	1
		mov	word ptr [ebp+var_8], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9055F2
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [edi], 2
		movzx	eax, word ptr _PoHiberFileRoot
		push	eax		; size_t
		push	dword_6C2ED4	; void *
		lea	eax, [edi+14h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, 21000001h
		push	esi
		push	edi
		push	ecx
		mov	ecx, ebx
		call	BcdSetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	short loc_863D69
		push	offset ??_C@_1BM@HAIPEBMH@?$AA?2?$AAh?$AAi?$AAb?$AAe?$AAr?$AAf?$AAi?$AAl?$AA?4?$AAs?$AAy?$AAs@NNGAKEGL@	; "\\hiberfil.sys"
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, word ptr [ebp+var_10]
		mov	edx, 22000002h
		add	eax, 2
		push	eax
		push	[ebp+var_C]
		push	ecx
		mov	ecx, ebx
		call	BcdSetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	short loc_863D69
		push	9
		call	_ExIsProcessorFeaturePresent@4 ; ExIsProcessorFeaturePresent(x)
		test	al, al
		jz	short loc_863D54
		mov	byte ptr [ebp+var_8], 1

loc_863D54:				; CODE XREF: PopBcdSetupResumeObject+B0j
		push	2
		lea	eax, [ebp+var_8]
		mov	edx, 26000004h
		push	eax
		push	ecx
		mov	ecx, ebx
		call	BcdSetElementDataWithFlags
		mov	esi, eax

loc_863D69:				; CODE XREF: PopBcdSetupResumeObject+79j
					; PopBcdSetupResumeObject+A5j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_863D71:				; CODE XREF: PopBcdSetupResumeObject+A1959j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
PopBcdSetupResumeObject	endp


;  S U B	R O U T	I N E 


; __stdcall PiSwValidatePropertyArray(x, x)
_PiSwValidatePropertyArray@8 proc near	; CODE XREF: PiSwIrpPropertySet+97p
					; PiSwIrpInterfaceRegister:loc_891290p	...
		mov	edi, edi
		push	ebx
		push	edi
		mov	ebx, edx
		xor	eax, eax
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_863DAC
		push	esi
		lea	esi, [ecx+1Ch]

loc_863D8C:				; CODE XREF: PiSwValidatePropertyArray(x,x)+2Fj
		cmp	dword ptr [esi-8], 0
		jnz	short loc_863DAF
		push	dword ptr [esi]
		mov	edx, [esi+4]
		mov	ecx, [esi+8]
		call	_PnpValidatePropertyData
		test	eax, eax
		js	short loc_863DAF
		inc	edi
		add	esi, 28h
		cmp	edi, ebx
		jb	short loc_863D8C

loc_863DAB:				; CODE XREF: PiSwValidatePropertyArray(x,x)+3Aj
		pop	esi

loc_863DAC:				; CODE XREF: PiSwValidatePropertyArray(x,x)+Cj
		pop	edi
		pop	ebx
		retn
; 

loc_863DAF:				; CODE XREF: PiSwValidatePropertyArray(x,x)+16j
					; PiSwValidatePropertyArray(x,x)+27j
		mov	eax, 0C000000Dh
		jmp	short loc_863DAB
_PiSwValidatePropertyArray@8 endp


;  S U B	R O U T	I N E 


; __stdcall PiSwDeviceOperationsAllowed(x)
_PiSwDeviceOperationsAllowed@4 proc near ; CODE	XREF: PiSwIrpPropertySet+C4p
					; PiSwIrpInterfaceSetState+A1p	...
		mov	al, 1
		test	ecx, ecx
		jz	short loc_863DCF
		cmp	dword ptr [ecx+2Ch], 0
		jz	short loc_863DCF
		test	byte ptr [ecx+4], 4
		jz	short loc_863DCF
		cmp	dword ptr [ecx+30h], 0
		jnz	short loc_863DCF
		retn
; 

loc_863DCF:				; CODE XREF: PiSwDeviceOperationsAllowed(x)+4j
					; PiSwDeviceOperationsAllowed(x)+Aj ...
		xor	al, al
		retn
_PiSwDeviceOperationsAllowed@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwUpdateArrayProperties proc near	; CODE XREF: PiSwIrpPropertySet+FDp
					; PiSwIrpInterfacePropertySet+FAp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00905ED0 SIZE 0000007F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ecx
		cmp	[ebp+arg_4], ecx
		jbe	loc_863E97
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, ecx
		add	esi, 20h

loc_863DFA:				; CODE XREF: PiSwUpdateArrayProperties+BEj
		mov	[ebp+arg_0], ecx
		test	ebx, ebx
		jz	loc_863E86
		mov	ecx, [ebp+var_4]
		lea	ebx, [edi+14h]

loc_863E0B:				; CODE XREF: PiSwUpdateArrayProperties+4Dj
		mov	eax, [esi-10h]
		cmp	eax, [ebx-4]
		jz	short loc_863E23

loc_863E13:				; CODE XREF: PiSwUpdateArrayProperties+6Aj
		mov	eax, [ebp+arg_0]
		add	ebx, 28h
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, ecx
		jb	short loc_863E0B
		jmp	short loc_863E7E
; 

loc_863E23:				; CODE XREF: PiSwUpdateArrayProperties+3Fj
		push	10h		; size_t
		lea	eax, [ebx-14h]
		push	eax		; void *
		lea	eax, [esi-20h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_863E3E

loc_863E39:				; CODE XREF: PiSwUpdateArrayProperties+71j
					; PiSwUpdateArrayProperties+A2100j ...
		mov	ecx, [ebp+var_4]
		jmp	short loc_863E13
; 

loc_863E3E:				; CODE XREF: PiSwUpdateArrayProperties+65j
		mov	eax, [esi-0Ch]
		cmp	eax, [ebx]
		jnz	short loc_863E39
		mov	eax, [esi-8]
		mov	ecx, [ebx+4]
		cmp	eax, ecx
		jnz	loc_905ED0

loc_863E53:				; CODE XREF: PiSwUpdateArrayProperties+A2119j
		imul	ebx, [ebp+arg_0], 28h
		mov	ecx, [ebx+edi+20h]
		cmp	[esi], ecx
		jnz	loc_905EF6

loc_863E63:				; CODE XREF: PiSwUpdateArrayProperties+A2163j
		mov	eax, [esi-4]
		mov	[ebx+edi+1Ch], eax
		test	ecx, ecx
		jz	short loc_863E7E
		push	ecx		; size_t
		push	dword ptr [esi+4] ; void *
		push	dword ptr [ebx+edi+24h]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_863E7E:				; CODE XREF: PiSwUpdateArrayProperties+4Fj
					; PiSwUpdateArrayProperties+9Aj
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		mov	ebx, [ebp+var_4]

loc_863E86:				; CODE XREF: PiSwUpdateArrayProperties+2Dj
		inc	eax
		add	esi, 28h
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+arg_4]
		jb	loc_863DFA

loc_863E96:				; CODE XREF: PiSwUpdateArrayProperties+A2178j
		pop	esi

loc_863E97:				; CODE XREF: PiSwUpdateArrayProperties+19j
		pop	edi
		mov	eax, ecx
		pop	ebx
		leave
		retn	8
PiSwUpdateArrayProperties endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwDispatch	proc near		; DATA XREF: .text:00403F38o

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00905F4F SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, [edi+60h]
		mov	esi, [edi+18h]
		movzx	eax, byte ptr [ebx]
		sub	eax, 0
		jz	short loc_863EFF
		dec	eax
		sub	eax, 1
		jz	loc_863F5D
		sub	eax, 0Ch
		jnz	loc_863F7A
		mov	eax, [ebx+0Ch]
		sub	eax, offset loc_470400
		jz	short loc_863F31
		push	4
		pop	ecx
		sub	eax, ecx
		jz	short loc_863F54
		sub	eax, ecx
		jz	short loc_863F4B
		sub	eax, ecx
		jz	loc_863F94
		sub	eax, ecx
		jnz	short loc_863F3A
		mov	ecx, edi
		call	PiSwIrpInterfacePropertySet

loc_863EF4:				; CODE XREF: PiSwDispatch+98j
					; PiSwDispatch+A9j ...
		mov	esi, eax

loc_863EF6:				; CODE XREF: PiSwDispatch+8Fj
					; PiSwDispatch+DDj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_863EFF:				; CODE XREF: PiSwDispatch+17j
		mov	eax, [ebx+18h]
		mov	ecx, 80h
		and	dword ptr [eax+10h], 0
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFFDEh
		add	esi, 0C0000022h
		mov	[edi+18h], esi

loc_863F26:				; CODE XREF: PiSwDispatch+D8j
		mov	ecx, edi

loc_863F28:				; CODE XREF: PiSwDispatch+A20BDj
		xor	dl, dl
		call	IofCompleteRequest
		jmp	short loc_863EF6
; 

loc_863F31:				; CODE XREF: PiSwDispatch+34j
		mov	ecx, edi
		call	PiSwIrpStartCreate
		jmp	short loc_863EF4
; 

loc_863F3A:				; CODE XREF: PiSwDispatch+4Bj
		sub	eax, ecx
		jnz	loc_905F4F
		mov	ecx, edi
		call	_PiSwIrpSetLifetime@4 ;	PiSwIrpSetLifetime(x)
		jmp	short loc_863EF4
; 

loc_863F4B:				; CODE XREF: PiSwDispatch+3Fj
		mov	ecx, edi
		call	PiSwIrpInterfaceRegister
		jmp	short loc_863EF4
; 

loc_863F54:				; CODE XREF: PiSwDispatch+3Bj
		mov	ecx, edi
		call	PiSwIrpPropertySet
		jmp	short loc_863EF4
; 

loc_863F5D:				; CODE XREF: PiSwDispatch+1Dj
		mov	eax, [ebx+18h]
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_863F73
		call	PiSwDeviceDereference
		mov	eax, [ebx+18h]
		and	dword ptr [eax+10h], 0

loc_863F73:				; CODE XREF: PiSwDispatch+C5j
					; PiSwDispatch+EBj ...
		xor	esi, esi
		and	[edi+18h], esi
		jmp	short loc_863F26
; 

loc_863F7A:				; CODE XREF: PiSwDispatch+26j
		sub	eax, 4
		jnz	loc_863EF6
		mov	eax, [ebx+18h]
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_863F73
		call	PiSwIrpCleanup
		jmp	short loc_863F73
; 

loc_863F94:				; CODE XREF: PiSwDispatch+43j
		mov	ecx, edi
		call	PiSwIrpInterfaceSetState
		jmp	loc_863EF4
PiSwDispatch	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwIrpPropertySet proc	near		; CODE XREF: PiSwDispatch+B6p

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
Handle		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 00905F8D SIZE 00000014 BYTES

		push	20h
		push	offset dword_6A4B00
		call	__SEH_prolog4
		mov	[ebp+var_30], ecx
		mov	edx, [ecx+60h]
		mov	eax, [edx+18h]
		mov	eax, [eax+10h]
		mov	[ebp+var_28], eax
		xor	edi, edi
		mov	[ebp+Handle], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_20], edi
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jz	loc_905F97
		lea	ecx, [ebp+Handle]
		push	ecx		; pHandle
		push	dword ptr [edx+8] ; BufferSize
		push	eax		; pBuffer
		call	ds:__imp__MesDecodeBufferHandleCreate@12 ; MesDecodeBufferHandleCreate(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8640D0
		mov	[ebp+ms_exc.disabled], edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	offset dword_A3FF88
		push	(offset	loc_A400C7+1)
		push	offset dword_A3FCB4
		push	[ebp+Handle]
		call	ds:__imp__NdrMesTypeDecode2@20 ; NdrMesTypeDecode2(x,x,x,x,x)

loc_864008:				; CODE XREF: sub_905F7E+Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		js	loc_8640D0
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	loc_905F97
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	loc_905F97
		mov	edx, [eax]
		test	edx, edx
		jz	loc_905F97
		call	_PiSwValidatePropertyArray@8 ; PiSwValidatePropertyArray(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8640D0
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	ebx, offset _PiSwLockObj
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [ebp+var_28]
		call	_PiSwDeviceOperationsAllowed@4 ; PiSwDeviceOperationsAllowed(x)
		test	al, al
		jz	loc_905F8D
		lea	eax, [ebp+var_20]
		push	eax
		push	57706E50h
		mov	edx, 0C8h
		mov	edi, ecx
		mov	ecx, [edi+2Ch]
		call	PnpAllocatePWSTR
		mov	esi, eax
		test	esi, esi
		js	short loc_8640A4
		mov	eax, [ebp+var_1C]
		push	dword ptr [eax]
		push	dword ptr [eax+4]
		mov	edx, [edi+5Ch]
		mov	ecx, [edi+58h]
		call	PiSwUpdateArrayProperties
		mov	esi, eax

loc_8640A4:				; CODE XREF: PiSwIrpPropertySet+EDj
					; PiSwIrpPropertySet+A1FF2j
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		js	short loc_8640D0
		mov	eax, [ebp+var_1C]
		push	dword ptr [eax]
		push	dword ptr [eax+4]
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+var_20]
		call	PiSwPropertySet
		mov	esi, eax

loc_8640D0:				; CODE XREF: PiSwIrpPropertySet+43j
					; PiSwIrpPropertySet+71j ...
		cmp	[ebp+var_20], 0
		jz	short loc_8640E3
		push	57706E50h
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8640E3:				; CODE XREF: PiSwIrpPropertySet+134j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_8640F5
		push	6370726Bh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8640F5:				; CODE XREF: PiSwIrpPropertySet+148j
		cmp	[ebp+Handle], 0
		jz	short loc_864104
		push	[ebp+Handle]	; Handle
		call	ds:__imp__MesHandleFree@4 ; MesHandleFree(x)

loc_864104:				; CODE XREF: PiSwIrpPropertySet+159j
		mov	ecx, [ebp+var_30]
		mov	[ecx+18h], esi
		xor	dl, dl
		call	IofCompleteRequest
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PiSwIrpPropertySet endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiProcessReenumeration proc near	; CODE XREF: .text:0054F1F4p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00905FA1 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [esi+8]
		mov	eax, [ecx+0B0h]
		mov	edi, [eax+14h]
		mov	eax, [edi+0ACh]
		cmp	eax, 313h
		jz	short loc_8641A7
		cmp	eax, 314h
		jz	short loc_8641A7
		cmp	dword ptr [esi+0Ch], 8
		jz	short loc_864198
		push	2
		pop	ebx

loc_864162:				; CODE XREF: PiProcessReenumeration+81j
		cmp	ebx, 1
		mov	ecx, edi
		setnz	dl
		call	_PiMarkDeviceTreeForReenumeration@8 ; PiMarkDeviceTreeForReenumeration(x,x)
		mov	al, _PnPBootDriversInitialized
		mov	edx, esi
		mov	byte ptr [ebp+var_4], al
		mov	ecx, edi
		xor	eax, eax
		mov	[ebp+var_8], 3
		push	eax
		push	eax
		push	eax
		push	ebx
		lea	eax, [ebp+var_8]
		push	eax
		call	PipProcessDevNodeTree
		xor	eax, eax

loc_864193:				; CODE XREF: PiProcessReenumeration+8Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_864198:				; CODE XREF: PiProcessReenumeration+39j
		cmp	byte ptr [esi+14h], 0
		jnz	loc_905FA1

loc_8641A2:				; CODE XREF: PiProcessReenumeration+A1E89j
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_864162
; 

loc_8641A7:				; CODE XREF: PiProcessReenumeration+2Cj
					; PiProcessReenumeration+33j
		call	ObfDereferenceObject
		mov	eax, 0C0000056h
		jmp	short loc_864193
PiProcessReenumeration endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PiMarkDeviceTreeForReenumeration(x,	x)
_PiMarkDeviceTreeForReenumeration@8 proc near ;	CODE XREF: PiCollapseEnumRequests(x)+57p
					; PiProcessReenumeration+46p
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		cmp	dword ptr [esi+0ACh], 308h
		jnz	short loc_8641D1
		push	8
		pop	edx
		call	PipSetDevNodeFlags

loc_8641D1:				; CODE XREF: PiMarkDeviceTreeForReenumeration(x,x)+13j
		test	bl, bl
		jz	short loc_8641E3
		push	0
		mov	edx, offset _PiMarkDeviceTreeForReenumerationWorker@8 ;	PiMarkDeviceTreeForReenumerationWorker(x,x)
		mov	ecx, esi
		call	_PipForDeviceNodeSubtree@12 ; PipForDeviceNodeSubtree(x,x,x)

loc_8641E3:				; CODE XREF: PiMarkDeviceTreeForReenumeration(x,x)+1Fj
		pop	esi
		pop	ebx
		pop	ecx
		retn
_PiMarkDeviceTreeForReenumeration@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiMarkDeviceTreeForReenumerationWorker(x, x)
_PiMarkDeviceTreeForReenumerationWorker@8 proc near
					; DATA XREF: PiMarkDeviceTreeForReenumeration(x,x)+23o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		cmp	dword ptr [ecx+0ACh], 308h
		jnz	short loc_864204
		push	8
		pop	edx
		call	PipSetDevNodeFlags

loc_864204:				; CODE XREF: PiMarkDeviceTreeForReenumerationWorker(x,x)+12j
		xor	eax, eax
		pop	ebp
		retn	8
_PiMarkDeviceTreeForReenumerationWorker@8 endp


;  S U B	R O U T	I N E 


PiProcessRequeryDeviceState proc near	; CODE XREF: .text:0054F024p

; FUNCTION CHUNK AT 00905FB2 SIZE 0000001C BYTES

		mov	ecx, [ecx+8]
		push	esi
		xor	esi, esi
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		mov	eax, [eax+0ACh]
		cmp	eax, 308h
		jnz	loc_905FB2
		call	PiProcessQueryDeviceState

loc_86422F:				; CODE XREF: PiProcessRequeryDeviceState+A1DB4j
					; PiProcessRequeryDeviceState+A1DBFj
		mov	eax, esi
		pop	esi
		retn
PiProcessRequeryDeviceState endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiProcessQueryDeviceState proc near	; CODE XREF: PiProcessRequeryDeviceState+20p
					; PipProcessStartPhase3+73p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00905FCE SIZE 00000078 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, ecx
		lea	ecx, [ebp+var_8]
		push	esi
		push	edi
		mov	[ebp+var_C], ebx
		mov	eax, [ebx+0B0h]
		mov	esi, [eax+14h]
		call	PiPnpRtlBeginOperation
		mov	ecx, [esi+10h]
		call	_PoFxActivateDevice@4 ;	PoFxActivateDevice(x)
		or	dword ptr [esi+1C8h], 100h
		lea	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_IopQueryDeviceState@8 ; IopQueryDeviceState(x,x)
		test	eax, eax
		js	loc_864348
		mov	ebx, [ebp+var_4]
		mov	ecx, esi
		push	2
		pop	edx
		test	bl, 2
		jnz	loc_86433E
		call	PipClearDevNodeUserFlags

loc_864297:				; CODE XREF: PiProcessQueryDeviceState+10Fj
		mov	ecx, esi
		push	40h
		pop	edx
		test	bl, 40h
		jnz	loc_905FCE
		call	PipClearDevNodeUserFlags

loc_8642AA:				; CODE XREF: PiProcessQueryDeviceState+A1D9Fj
		mov	eax, [esi+110h]
		and	eax, 8
		test	bl, 20h
		jz	short loc_8642CF
		test	eax, eax
		jnz	short loc_8642D3
		push	8
		pop	edx
		mov	ecx, esi
		call	PipSetDevNodeUserFlags
		mov	ecx, esi
		call	_IopIncDisableableDepends@4 ; IopIncDisableableDepends(x)
		jmp	short loc_8642D3
; 

loc_8642CF:				; CODE XREF: PiProcessQueryDeviceState+82j
		test	eax, eax
		jnz	short loc_86434C

loc_8642D3:				; CODE XREF: PiProcessQueryDeviceState+86j
					; PiProcessQueryDeviceState+99j ...
		mov	edx, ebx
		mov	ecx, esi
		shr	edx, 8
		and	dl, 1
		call	PiUpdateGuestAssignedState
		mov	edi, eax
		mov	eax, ebx
		and	eax, 9
		mov	[ebp+var_4], eax
		jnz	loc_905FE1
		test	bl, 4
		jnz	loc_905FD8

loc_8642FB:				; CODE XREF: PiProcessQueryDeviceState+A1DA7j
					; PiProcessQueryDeviceState+A1DD5j
		test	eax, eax
		jnz	loc_90600E
		test	bl, 10h
		jnz	loc_906023
		test	bl, 4
		jnz	short loc_864362
		test	bl, bl
		js	loc_906038

loc_864319:				; CODE XREF: PiProcessQueryDeviceState+116j
					; PiProcessQueryDeviceState+A1DCDj ...
		mov	ecx, [esi+10h]
		call	PoFxIdleDevice
		and	dword ptr [esi+1C8h], 0FFFFFEFFh
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_864337
		call	PiPnpRtlEndOperation

loc_864337:				; CODE XREF: PiProcessQueryDeviceState+FCj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_86433E:				; CODE XREF: PiProcessQueryDeviceState+58j
		call	PipSetDevNodeUserFlags
		jmp	loc_864297
; 

loc_864348:				; CODE XREF: PiProcessQueryDeviceState+47j
		xor	edi, edi
		jmp	short loc_864319
; 

loc_86434C:				; CODE XREF: PiProcessQueryDeviceState+9Dj
		mov	ecx, esi
		call	IopDecDisableableDepends
		push	8
		pop	edx
		mov	ecx, esi
		call	PipClearDevNodeUserFlags
		jmp	loc_8642D3
; 

loc_864362:				; CODE XREF: PiProcessQueryDeviceState+DBj
		push	0
		push	2Bh
		jmp	loc_905FF3
PiProcessQueryDeviceState endp

; 
		align 4

;  S U B	R O U T	I N E 


PipClearDevNodeUserFlags proc near	; CODE XREF: PiProcessQueryDeviceState+5Ep
					; PiProcessQueryDeviceState+71p ...

; FUNCTION CHUNK AT 00906046 SIZE 0000004A BYTES

		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		not	edx
		push	edi
		mov	edi, [esi+110h]
		and	edx, edi
		mov	[esi+110h], edx
		xor	edx, edi
		test	edx, 347h
		jnz	loc_906046

loc_864391:				; CODE XREF: PipClearDevNodeUserFlags+A1CDFj
					; PipClearDevNodeUserFlags+A1D0Fj ...
		pop	edi
		pop	esi
		pop	ecx
		retn
PipClearDevNodeUserFlags endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipEnumerateDevice proc	near		; CODE XREF: PipProcessDevNodeTree+1E7p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00906090 SIZE 000000BC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, (offset loc_7FFFFF+1)
		test	edx, edx
		jnz	loc_9060BF
		test	byte ptr _PnpAsyncOptions, 2
		jz	loc_9060BF
		test	[ebx+10Ch], edi
		jnz	loc_9060BF
		cmp	_InitSafeBootMode, edx
		jnz	loc_9060BF
		push	ecx
		mov	edx, 30Dh
		call	_PnpDeviceCompletionRequestCreate@12 ; PnpDeviceCompletionRequestCreate(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9060BF
		push	ecx
		mov	edx, 30Ch
		mov	ecx, ebx
		call	PipSetDevNodeState
		mov	edx, esi
		mov	dword ptr [ebx+108h], 103h
		call	PnpDeviceCompletionQueueAddDispatchedRequest
		lea	edi, [ebx+14h]
		mov	ecx, offset _KMPnPEvt_DeviceEnum_Start
		mov	edx, edi
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		push	8
		pop	edx
		mov	ecx, ebx
		call	PipClearDevNodeFlags
		mov	ecx, [ebx+10h]
		call	_PoFxActivateDevice@4 ;	PoFxActivateDevice(x)
		mov	ecx, [ebx+10h]
		xor	edx, edx
		or	dword ptr [ebx+1C8h], 80h
		push	esi
		push	offset _PnpDeviceCompletionRoutine@12 ;	PnpDeviceCompletionRoutine(x,x,x)
		call	_PnpQueryDeviceRelations@16 ; PnpQueryDeviceRelations(x,x,x,x)
		mov	[ebp+arg_0], eax
		cmp	eax, 103h
		jz	loc_906090
		cmp	[esi+18h], eax
		jnz	loc_9060A4

loc_864457:				; CODE XREF: PipEnumerateDevice+A1D24j
		mov	edx, esi
		call	PnpDeviceCompletionQueueRemoveCompletedRequest
		mov	ecx, esi
		call	PnpDeviceCompletionProcessCompletedRequest

loc_864465:				; CODE XREF: PipEnumerateDevice+A1DB1j
		xor	eax, eax

loc_864467:				; CODE XREF: PipEnumerateDevice+A1D09j
					; PipEnumerateDevice+A1D3Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
PipEnumerateDevice endp


;  S U B	R O U T	I N E 


PnpDeviceCompletionProcessCompletedRequest proc	near ; CODE XREF: PipEnumerateDevice+CAp
					; PnpDeviceCompletionProcessCompletedRequests(x,x,x)+47p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		push	ecx
		mov	esi, [edi+8]
		mov	ecx, esi
		mov	eax, [edi+1Ch]
		mov	[esi+160h], eax
		mov	eax, [edi+18h]
		mov	[esi+108h], eax
		mov	edx, [edi+10h]
		call	PipSetDevNodeState
		xor	ebx, ebx
		cmp	[edi+18h], ebx
		jl	short loc_8644AD
		mov	eax, [edi+10h]
		cmp	eax, 306h
		jz	short loc_8644E6
		cmp	eax, 30Bh
		jz	short loc_8644E6

loc_8644AD:				; CODE XREF: PnpDeviceCompletionProcessCompletedRequest+2Cj
					; PnpDeviceCompletionProcessCompletedRequest+A3j
		cmp	dword ptr [edi+10h], 30Dh
		jnz	short loc_8644D5
		test	byte ptr [esi+1C8h], 80h
		jz	sub_90614C
		mov	ecx, [esi+10h]
		call	PoFxIdleDevice
		and	dword ptr [esi+1C8h], 0FFFFFF7Fh

loc_8644D5:				; CODE XREF: PnpDeviceCompletionProcessCompletedRequest+46j
		mov	ecx, edi
		call	_PnpDeviceCompletionRequestDestroy@4 ; PnpDeviceCompletionRequestDestroy(x)
		mov	eax, [esi+108h]
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8644E6:				; CODE XREF: PnpDeviceCompletionProcessCompletedRequest+36j
					; PnpDeviceCompletionProcessCompletedRequest+3Dj
		mov	ecx, [esi+10h]
		call	PipUpdatePostStartCharacteristics
		mov	edx, [esi+18h]
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _DEVPKEY_Device_DriverProblemDesc ; "~\vT@Ej\vL\v"
		push	ebx
		push	ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [esi+10h]
		call	PiSwProcessParentStartIrp
		jmp	short loc_8644AD
PnpDeviceCompletionProcessCompletedRequest endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipEnumerateCompleted proc near		; CODE XREF: PipProcessDevNodeTree+271p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00906184 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_8], ebx
		mov	edi, [esi+4]
		cmp	[esi+160h], ebx
		jz	loc_864630
		jmp	short loc_864543
; 

loc_864537:				; CODE XREF: PipEnumerateCompleted+31j
		push	10h
		pop	edx
		mov	ecx, edi
		call	PipClearDevNodeFlags
		mov	edi, [edi]

loc_864543:				; CODE XREF: PipEnumerateCompleted+21j
		test	edi, edi
		jnz	short loc_864537

loc_864547:				; CODE XREF: PipEnumerateCompleted+11Ej
		mov	eax, [esi+160h]
		test	eax, eax
		jz	short loc_864580
		mov	edi, ebx
		cmp	[eax], ebx
		jbe	short loc_864573

loc_864557:				; CODE XREF: PipEnumerateCompleted+5Dj
		mov	edx, [esi+160h]
		mov	ecx, esi
		mov	edx, [edx+edi*4+4]
		call	PipProcessEnumeratedChildDevice
		mov	eax, [esi+160h]
		inc	edi
		cmp	edi, [eax]
		jb	short loc_864557

loc_864573:				; CODE XREF: PipEnumerateCompleted+41j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+160h], ebx

loc_864580:				; CODE XREF: PipEnumerateCompleted+3Bj
		call	_PiSwLock@0	; PiSwLock()
		lea	ecx, [esi+14h]
		call	_PiSwFindChildren@4 ; PiSwFindChildren(x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	loc_86463A

loc_864598:				; CODE XREF: PipEnumerateCompleted+12Aj
					; PipEnumerateCompleted+152j
		call	_PiSwUnlock@0	; PiSwUnlock()
		mov	edi, [esi+4]
		mov	[ebp+var_1], bl
		test	edi, edi
		jnz	short loc_8645F9

loc_8645A7:				; CODE XREF: PipEnumerateCompleted+100j
		push	ecx
		mov	edx, 308h
		mov	ecx, esi
		call	PipSetDevNodeState
		cmp	[ebp+var_1], 0
		jnz	loc_906184

loc_8645BE:				; CODE XREF: PipEnumerateCompleted+A1C76j
					; PipEnumerateCompleted+A1C81j
		lea	ecx, [ebp+var_8]
		call	PiPnpRtlBeginOperation
		mov	edx, _IopRootDeviceNode
		push	0Fh
		mov	edx, [edx+18h]
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	edx, _IopRootDeviceNode
		push	14h
		mov	edx, [edx+18h]
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_8645F2
		call	PiPnpRtlEndOperation

loc_8645F2:				; CODE XREF: PipEnumerateCompleted+D7j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_8645F9:				; CODE XREF: PipEnumerateCompleted+91j
					; PipEnumerateCompleted+FEj
		test	dword ptr [edi+10Ch], 10010h
		mov	eax, [edi]
		mov	[ebp+var_C], eax
		jz	loc_906160

loc_86460E:				; CODE XREF: sub_90614C+33j
		mov	edi, eax
		test	eax, eax
		jnz	short loc_8645F9
		jmp	short loc_8645A7
; 

loc_864616:				; CODE XREF: PipEnumerateCompleted+124j
		mov	eax, [edi+10h]
		mov	eax, [eax+8]
		cmp	eax, _PiSwDeviceDriverObject
		jnz	short loc_86462E
		push	10h
		pop	edx
		mov	ecx, edi
		call	PipClearDevNodeFlags

loc_86462E:				; CODE XREF: PipEnumerateCompleted+10Ej
		mov	edi, [edi]

loc_864630:				; CODE XREF: PipEnumerateCompleted+1Bj
		test	edi, edi
		jz	loc_864547
		jmp	short loc_864616
; 

loc_86463A:				; CODE XREF: PipEnumerateCompleted+7Ej
		mov	edi, [eax]
		cmp	edi, eax
		jz	loc_864598
		mov	ebx, [ebp+var_C]

loc_864647:				; CODE XREF: PipEnumerateCompleted+14Ej
		mov	ecx, [esi+10h]
		mov	edx, edi
		call	PiSwGetChildPdo
		test	eax, eax
		jz	short loc_86465E
		mov	edx, eax
		mov	ecx, esi
		call	PipProcessEnumeratedChildDevice

loc_86465E:				; CODE XREF: PipEnumerateCompleted+13Fj
		mov	edi, [edi]
		cmp	edi, ebx
		jnz	short loc_864647
		xor	ebx, ebx
		jmp	loc_864598
PipEnumerateCompleted endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpRaiseNtPlugPlayDevicePropertyChangeEvent proc near ; CODE XREF: PipSetDevNodeState+F3p
					; PipSetDevNodeState+108p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090619A SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, _PiPnpRtlCtx
		lea	eax, [ecx-1]
		mov	esi, edx
		cmp	eax, 1Dh
		ja	short loc_8646AD
		mov	ebx, ds:dword_4047A8[ecx*4]
		mov	edx, ebx
		call	__CmMapPropertyKeyToRegProp@8 ;	_CmMapPropertyKeyToRegProp(x,x)
		mov	edx, esi
		mov	ecx, edi
		test	eax, eax
		jnz	loc_90619A
		push	ebx
		push	eax
		push	eax
		push	1
		call	_PnpObjectRaisePropertyChangeEvent

loc_8646AD:				; CODE XREF: _PnpRaiseNtPlugPlayDevicePropertyChangeEvent+1Bj
					; _PnpRaiseNtPlugPlayDevicePropertyChangeEvent+A1B38j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PnpRaiseNtPlugPlayDevicePropertyChangeEvent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmMapPropertyKeyToRegProp(x, x)
__CmMapPropertyKeyToRegProp@8 proc near	; CODE XREF: _PnpRaiseNtPlugPlayDevicePropertyChangeEvent+26p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [edx+10h]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], eax
		push	edi
		mov	[ebp+var_4], edx
		mov	ebx, offset __CmDeviceRegPropMap
		mov	eax, esi
		mov	[ebp+var_8], esi

loc_8646D4:				; CODE XREF: _CmMapPropertyKeyToRegProp(x,x)+3Fj
		mov	ecx, [ebx]
		mov	edi, ebx
		mov	edx, [ebp+var_C]
		cmp	edx, [ecx+10h]
		mov	edx, [ebp+var_4]
		jz	short loc_864700

loc_8646E3:				; CODE XREF: _CmMapPropertyKeyToRegProp(x,x)+5Fj
		add	eax, 10h
		add	ebx, 10h
		mov	[ebp+var_8], eax
		mov	edi, esi
		cmp	eax, 210h
		jb	short loc_8646D4

loc_8646F5:				; CODE XREF: _CmMapPropertyKeyToRegProp(x,x)+5Aj
		test	edi, edi
		jnz	short loc_864715

loc_8646F9:				; CODE XREF: _CmMapPropertyKeyToRegProp(x,x)+64j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_864700:				; CODE XREF: _CmMapPropertyKeyToRegProp(x,x)+2Dj
		push	10h		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8646F5
		mov	eax, [ebp+var_8]
		jmp	short loc_8646E3
; 

loc_864715:				; CODE XREF: _CmMapPropertyKeyToRegProp(x,x)+43j
		mov	esi, [edi+8]
		jmp	short loc_8646F9
__CmMapPropertyKeyToRegProp@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipProcessEnumeratedChildDevice	proc near ; CODE XREF: PipEnumerateCompleted+4Fp
					; PipEnumerateCompleted+145p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009061A9 SIZE 000000FC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], ecx
		push	edi
		mov	edi, [esi+0B0h]
		test	byte ptr [edi+10h], 2
		jnz	loc_9061A9
		mov	edi, [edi+14h]
		mov	[ebp+var_4], edi
		test	edi, edi
		jz	short loc_864763
		push	10h
		pop	edx
		mov	ecx, edi
		call	PipSetDevNodeFlags
		cmp	dword ptr [edi+174h], 4
		jz	short loc_86479F

loc_864757:				; CODE XREF: PipProcessEnumeratedChildDevice+5Aj
					; PipProcessEnumeratedChildDevice+8Cj
		mov	ecx, esi
		call	ObfDereferenceObject

loc_86475E:				; CODE XREF: PipProcessEnumeratedChildDevice+7Ej
					; PipProcessEnumeratedChildDevice+A1B86j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_864763:				; CODE XREF: PipProcessEnumeratedChildDevice+28j
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	PipAllocateDeviceNode
		mov	edi, [ebp+var_4]
		mov	ebx, eax
		test	edi, edi
		jz	short loc_864757
		push	10h
		pop	edx
		mov	ecx, edi
		call	PipSetDevNodeFlags
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		or	dword ptr [esi+1Ch], 1000h
		call	PpDevNodeInsertIntoTree
		mov	eax, 0C000036Eh
		cmp	ebx, eax
		jnz	short loc_86475E
		jmp	loc_906295
; 

loc_86479F:				; CODE XREF: PipProcessEnumeratedChildDevice+3Bj
		mov	ecx, edi
		call	_PpProfileCancelTransitioningDock@8 ; PpProfileCancelTransitioningDock(x,x)
		jmp	short loc_864757
PipProcessEnumeratedChildDevice	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipProcessDevNodeTree proc near		; CODE XREF: .text:0054F1D2p
					; PnpProcessRebalance(x)+F4p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_6		= byte ptr -6
var_5		= byte ptr -5
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

; FUNCTION CHUNK AT 009062A5 SIZE 000001BD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, edx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_2], al
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], edi
		mov	[ebp+var_C], edi
		test	ebx, ebx
		jnz	loc_864B49
		mov	al, [ebp+arg_10]

loc_8647D6:				; CODE XREF: PipProcessDevNodeTree+3A7j
					; PipProcessDevNodeTree+3B1j ...
		xor	ecx, ecx
		xor	ah, ah
		mov	[ebp+var_18], ecx
		xor	cl, cl
		mov	[ebp+var_3], ah
		mov	[ebp+var_1], cl
		mov	[ebp+var_6], cl

loc_8647E8:				; CODE XREF: PipProcessDevNodeTree+39Cj
		test	al, al
		jnz	short loc_864828
		test	byte_6CD8BB, 8
		jnz	loc_9062A5

loc_8647F9:				; CODE XREF: PipProcessDevNodeTree+A1B0Bj
		mov	dl, byte ptr [ebp+arg_8]
		lea	eax, [ebp-5]
		push	eax
		mov	ecx, edi
		mov	[ebp+var_5], 0
		call	PnpProcessAssignResources
		test	byte_6CD8BB, 8
		mov	[ebp+var_6], al
		jnz	loc_9062B8

loc_86481B:				; CODE XREF: PipProcessDevNodeTree+A1B1Ej
		cmp	[ebp+var_5], 0
		jnz	loc_9062CB

loc_864825:				; CODE XREF: PipProcessDevNodeTree+A1B41j
		mov	ah, [ebp+var_3]

loc_864828:				; CODE XREF: PipProcessDevNodeTree+42j
					; PipProcessDevNodeTree+A1B4Cj
		mov	[ebp+var_4], 0
		mov	esi, edi
		mov	[ebp+var_5], 1

loc_864832:				; CODE XREF: PipProcessDevNodeTree+187j
		xor	ebx, ebx
		inc	ebx
		test	ah, ah
		jnz	loc_90639F
		cmp	dword ptr [esi+0ACh], 301h
		jz	short loc_864867
		test	dword ptr [esi+10Ch], 6000h
		jnz	short loc_864867
		push	2
		pop	edx
		mov	ecx, esi
		call	_PnpCheckForActiveDependencies@8 ; PnpCheckForActiveDependencies(x,x)
		test	al, al
		jnz	loc_9062F9

loc_864867:				; CODE XREF: PipProcessDevNodeTree+9Fj
					; PipProcessDevNodeTree+ABj ...
		mov	ecx, [esi+10Ch]
		test	ecx, 6000h
		jnz	short loc_8648EA
		mov	eax, [esi+0ACh]
		add	eax, 0FFFFFCFFh	; switch 13 cases
		cmp	eax, 0Ch
		ja	short loc_8648B2 ; default
		jmp	ds:off_864B88[eax*4] ; switch jump

loc_86488C:				; DATA XREF: PAGE:off_864B88o
		cmp	[ebp+arg_10], 0	; case 0x302
		jnz	short loc_8648B2 ; default
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	PipCallDriverAddDevice
		mov	edi, eax
		test	edi, edi
		jns	loc_864AE4

loc_8648A6:				; CODE XREF: PipProcessDevNodeTree+1FCj
					; PipProcessDevNodeTree+204j ...
		cmp	edi, 0C00002CEh
		jz	loc_906363

loc_8648B2:				; CODE XREF: PipProcessDevNodeTree+DBj
					; PipProcessDevNodeTree+DDj ...
		lea	eax, [ebp+var_2] ; default
		mov	[ebp+var_2], 0
		push	eax
		xor	edx, edx
		xor	ecx, ecx
		call	_PnpDeviceCompletionProcessCompletedRequests@12	; PnpDeviceCompletionProcessCompletedRequests(x,x,x)
		mov	edi, eax
		cmp	edi, 0C00002CEh
		jz	loc_906363
		cmp	[ebp+var_4], 0
		jnz	loc_864B0F

loc_8648DB:				; CODE XREF: PipProcessDevNodeTree+36Bj
					; PipProcessDevNodeTree+394j
		cmp	edi, 0C00002CEh
		jz	loc_906363
		mov	edi, [ebp+var_14]

loc_8648EA:				; CODE XREF: PipProcessDevNodeTree+CBj
		mov	al, [ebp+arg_10]

loc_8648ED:				; CODE XREF: PipProcessDevNodeTree+A1BC8j
		test	al, al
		jnz	short loc_8648FE
		test	byte ptr [esi+1C8h], 1
		jnz	loc_906375

loc_8648FE:				; CODE XREF: PipProcessDevNodeTree+147j
					; PipProcessDevNodeTree+A1BD4j
		mov	cl, [ebp+var_1]
		test	cl, cl
		jnz	loc_8649B1

loc_864909:				; CODE XREF: PipProcessDevNodeTree+20Bj
					; PipProcessDevNodeTree+21Bj ...
		sub	ebx, 1
		jnz	short loc_864958

loc_86490E:				; CODE XREF: PipProcessDevNodeTree+1BAj
					; PipProcessDevNodeTree+22Fj ...
		cmp	esi, edi
		jz	loc_8649F1
		mov	eax, [esi]
		test	eax, eax
		jz	loc_8649CE

loc_864920:				; CODE XREF: PipProcessDevNodeTree+1BCj
		mov	esi, eax

loc_864922:				; CODE XREF: PipProcessDevNodeTree+1B3j
					; PipProcessDevNodeTree+25Aj ...
		mov	ebx, [ebp+var_10]
		mov	edx, [ebp+var_C]

loc_864928:				; CODE XREF: PipProcessDevNodeTree+A1C99j
		cmp	[ebp+var_5], 0
		mov	ah, [ebp+var_3]
		jnz	loc_864832
		mov	al, [ebp+var_6]
		test	al, al
		jnz	loc_864B41
		cmp	[ebp+arg_10], 0
		jnz	short loc_86494E
		mov	ecx, [edx+10h]
		call	ObfDereferenceObject

loc_86494E:				; CODE XREF: PipProcessDevNodeTree+19Cj
		mov	eax, [ebp+var_18]

loc_864951:				; CODE XREF: PipProcessDevNodeTree+A1CA3j
					; PipProcessDevNodeTree+A1CB5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_864958:				; CODE XREF: PipProcessDevNodeTree+164j
		sub	ebx, 1
		jnz	short loc_864922
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_86490E
		jmp	short loc_864920
; 

loc_864966:				; CODE XREF: PipProcessDevNodeTree+DDj
					; DATA XREF: PAGE:off_864B88o
		cmp	[ebp+arg_4], 1	; case 0x308
		jz	short loc_8649E4

loc_86496C:				; CODE XREF: PipProcessDevNodeTree+244j
		cmp	[ebp+arg_10], 0
		push	2
		pop	ebx
		jnz	loc_8648B2	; default
		test	cl, 8
		jz	loc_8648B2	; default
		movzx	eax, [ebp+var_1]
		mov	ecx, esi
		push	eax
		mov	eax, [ebp+arg_C]
		movzx	edx, al
		call	PipEnumerateDevice
		mov	edi, eax
		cmp	edi, 103h
		jz	loc_90632A

loc_8649A2:				; CODE XREF: PipProcessDevNodeTree+2E6j
		test	edi, edi
		js	loc_8648A6

loc_8649AA:				; CODE XREF: PipProcessDevNodeTree+2ACj
					; PipProcessDevNodeTree+321j
		xor	ebx, ebx
		jmp	loc_8648A6
; 

loc_8649B1:				; CODE XREF: PipProcessDevNodeTree+15Bj
		test	ebx, ebx
		jz	loc_864909
		test	_PnpAsyncOptions, 80000000h
		jnz	loc_864909
		jmp	loc_906381
; 

loc_8649CE:				; CODE XREF: PipProcessDevNodeTree+172j
		test	cl, cl
		jnz	short loc_864A28

loc_8649D2:				; CODE XREF: PipProcessDevNodeTree+287j
					; PipProcessDevNodeTree+289j
		mov	eax, [esi+8]
		test	eax, eax
		jz	loc_86490E
		mov	esi, eax
		jmp	loc_86490E
; 

loc_8649E4:				; CODE XREF: PipProcessDevNodeTree+1C2j
		cmp	esi, edi
		jnz	loc_8648B2	; default
		jmp	loc_86496C
; 

loc_8649F1:				; CODE XREF: PipProcessDevNodeTree+168j
		test	cl, cl
		mov	[ebp+var_4], 1
		setz	al
		dec	al
		and	al, [ebp+var_5]
		mov	[ebp+var_5], al
		jmp	loc_864922
; 

loc_864A07:				; CODE XREF: PipProcessDevNodeTree+DDj
					; DATA XREF: PAGE:off_864B88o
		test	dword ptr [esi+1C8h], 200h ; case 0x30D
		jnz	loc_864AF8

loc_864A17:				; CODE XREF: PipProcessDevNodeTree+362j
		mov	ecx, esi
		call	PipEnumerateCompleted
		push	2
		mov	edi, eax
		pop	ebx
		jmp	loc_8648A6
; 

loc_864A28:				; CODE XREF: PipProcessDevNodeTree+228j
		mov	eax, _PnpAsyncOptions
		test	eax, eax
		jz	short loc_8649D2
		js	short loc_8649D2
		jmp	loc_906389
; 

loc_864A38:				; CODE XREF: PipProcessDevNodeTree+DDj
					; DATA XREF: PAGE:off_864B88o
		test	ecx, ecx	; case 0x307
		js	loc_90632E
		xor	edx, edx
		mov	ecx, esi
		cmp	[ebp+arg_4], 1
		setnz	dl
		call	PipProcessStartPhase3

loc_864A50:				; CODE XREF: PipProcessDevNodeTree+337j
					; PipProcessDevNodeTree+A1BACj
		mov	edi, eax
		test	edi, edi
		jns	loc_8649AA
		jmp	loc_906359
; 

loc_864A5F:				; CODE XREF: PipProcessDevNodeTree+DDj
					; DATA XREF: PAGE:off_864B88o
		cmp	[ebp+arg_4], 3	; case 0x301
		jz	loc_90630A

loc_864A69:				; CODE XREF: PipProcessDevNodeTree+A1B6Ej
		cmp	[ebp+arg_10], 0
		jnz	loc_8648B2	; default
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_PnpCheckForActiveDependencies@8 ; PnpCheckForActiveDependencies(x,x)
		mov	ecx, esi
		test	al, al
		jnz	loc_90631B
		call	PiProcessNewDeviceNode
		mov	edi, eax
		jmp	loc_8649A2
; 

loc_864A93:				; CODE XREF: PipProcessDevNodeTree+DDj
					; DATA XREF: PAGE:off_864B88o
		cmp	[ebp+arg_10], 0	; case 0x304
		jnz	loc_8648B2	; default
		mov	ecx, [esi+10h]
		call	_PoFxActivateDevice@4 ;	PoFxActivateDevice(x)
		movzx	eax, [ebp+var_1]
		mov	ecx, esi
		or	dword ptr [esi+1C8h], 200h
		push	eax
		mov	eax, [ebp+arg_C]
		movzx	edx, al
		call	PipProcessStartPhase1

loc_864AC1:				; CODE XREF: PipProcessDevNodeTree+A1BA0j
		mov	edi, eax
		cmp	edi, 103h
		jnz	loc_8649AA
		mov	[ebp+var_1], 1
		jmp	loc_8648B2	; default
; 

loc_864AD8:				; CODE XREF: PipProcessDevNodeTree+DDj
					; DATA XREF: PAGE:off_864B88o
		mov	ecx, esi	; case 0x306
		call	PipProcessStartPhase2
		jmp	loc_864A50
; 

loc_864AE4:				; CODE XREF: PipProcessDevNodeTree+F8j
		xor	dl, dl
		mov	ecx, esi
		call	_PoFxPrepareDevice@8 ; PoFxPrepareDevice(x,x)
		xor	ebx, ebx
		mov	[ebp+var_6], 1
		jmp	loc_8648A6
; 

loc_864AF8:				; CODE XREF: PipProcessDevNodeTree+269j
		mov	ecx, [esi+10h]
		call	PoFxIdleDevice
		and	dword ptr [esi+1C8h], 0FFFFFDFFh
		jmp	loc_864A17
; 

loc_864B0F:				; CODE XREF: PipProcessDevNodeTree+12Dj
		cmp	[ebp+var_2], 0
		jnz	loc_8648DB
		lea	eax, [ebp+var_2]
		mov	[ebp+var_4], 0
		xor	edx, edx
		xor	ecx, ecx
		push	eax
		inc	edx
		call	_PnpDeviceCompletionProcessCompletedRequests@12	; PnpDeviceCompletionProcessCompletedRequests(x,x,x)
		cmp	[ebp+var_2], 0
		mov	edi, eax
		setz	al
		dec	al
		and	al, [ebp+var_1]
		mov	[ebp+var_1], al
		jmp	loc_8648DB
; 

loc_864B41:				; CODE XREF: PipProcessDevNodeTree+192j
		mov	al, [ebp+arg_10]
		jmp	loc_8647E8
; 

loc_864B49:				; CODE XREF: PipProcessDevNodeTree+25j
		cmp	[ebx+10h], al
		mov	al, [ebp+arg_10]
		jnz	loc_8647D6
		cmp	[ebp+arg_4], 1
		jz	loc_8647D6
		test	al, al
		jnz	loc_8647D6
		mov	ecx, ebx
		call	_PiCollapseEnumRequests@4 ; PiCollapseEnumRequests(x)
		test	al, al
		mov	al, [ebp+arg_10]
		jz	loc_8647D6
		mov	edi, _IopRootDeviceNode
		mov	[ebp+var_14], edi
		jmp	loc_8647D6
PipProcessDevNodeTree endp

; 
		align 4
off_864B88	dd offset loc_864A5F	; DATA XREF: PipProcessDevNodeTree+DDr
		dd offset loc_86488C	; jump table for switch	statement
		dd offset loc_8648B2
		dd offset loc_864A93
		dd offset loc_8648B2
		dd offset loc_864AD8
		dd offset loc_864A38
		dd offset loc_864966
		dd offset loc_8648B2
		dd offset loc_906336
		dd offset loc_90634D
		dd offset loc_8648B2
		dd offset loc_864A07

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDeviceCompletionProcessCompletedRequests(x, x, x)
_PnpDeviceCompletionProcessCompletedRequests@12	proc near
					; CODE XREF: PipProcessDevNodeTree+116p
					; PipProcessDevNodeTree+37Ep ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	[esi], bl

loc_864BD2:				; CODE XREF: PnpDeviceCompletionProcessCompletedRequests(x,x,x)+58j
		call	PnpDeviceCompletionQueueIsEmpty
		test	eax, eax
		jz	short loc_864BE4

loc_864BDB:				; CODE XREF: PnpDeviceCompletionProcessCompletedRequests(x,x,x)+33j
					; PnpDeviceCompletionProcessCompletedRequests(x,x,x)+3Ej
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_864BE4:				; CODE XREF: PnpDeviceCompletionProcessCompletedRequests(x,x,x)+1Dj
		cmp	dword_6CC458, 0
		jnz	short loc_864BFC
		test	edi, edi
		jz	short loc_864BDB
		cmp	[ebp+var_4], 0
		jnz	short loc_864BFC
		cmp	byte ptr [esi],	0
		jnz	short loc_864BDB

loc_864BFC:				; CODE XREF: PnpDeviceCompletionProcessCompletedRequests(x,x,x)+2Fj
					; PnpDeviceCompletionProcessCompletedRequests(x,x,x)+39j
		call	PnpDeviceCompletionQueueGetCompletedRequest
		mov	ecx, eax
		call	PnpDeviceCompletionProcessCompletedRequest
		mov	ecx, 0C00002CEh
		cmp	eax, ecx
		jz	short loc_864C16

loc_864C11:				; CODE XREF: PnpDeviceCompletionProcessCompletedRequests(x,x,x)+5Cj
		mov	byte ptr [esi],	1
		jmp	short loc_864BD2
; 

loc_864C16:				; CODE XREF: PnpDeviceCompletionProcessCompletedRequests(x,x,x)+53j
		mov	ebx, ecx
		jmp	short loc_864C11
_PnpDeviceCompletionProcessCompletedRequests@12	endp


;  S U B	R O U T	I N E 


; __stdcall PnpCheckForActiveDependencies(x, x)
_PnpCheckForActiveDependencies@8 proc near ; CODE XREF:	PipProcessDevNodeTree+B2p
					; PipProcessDevNodeTree+2D0p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		test	eax, eax
		jnz	short loc_864C55
		xor	cl, cl
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	edx, edi
		mov	ecx, esi
		call	PipCheckForUnsatisfiedDependencies
		mov	ecx, offset _PiDependencyRelationsLock
		mov	bl, al
		call	ExReleaseResourceLite
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		mov	al, bl

loc_864C51:				; CODE XREF: PnpCheckForActiveDependencies(x,x)+3Dj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_864C55:				; CODE XREF: PnpCheckForActiveDependencies(x,x)+10j
		xor	al, al
		jmp	short loc_864C51
_PnpCheckForActiveDependencies@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipCheckForUnsatisfiedDependencies proc	near
					; CODE XREF: PnpCheckForActiveDependencies(x,x)+1Dp
					; PipAttemptDependentStart(x)+38p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00906462 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	ecx, [ecx+10h]
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_C], edx
		push	edi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_PiGetProviderList@4 ; PiGetProviderList(x)
		mov	edi, eax
		mov	esi, [edi]

loc_864C7C:				; CODE XREF: PipCheckForUnsatisfiedDependencies+A183Cj
					; PipCheckForUnsatisfiedDependencies+A1849j
		cmp	esi, edi
		jnz	loc_906462

loc_864C84:				; CODE XREF: PipCheckForUnsatisfiedDependencies+A1851j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
PipCheckForUnsatisfiedDependencies endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PiGetProviderList(x)
_PiGetProviderList@4 proc near		; CODE XREF: PipCheckForUnsatisfiedDependencies+19p
					; PipNotifyDeviceDependencyList+17p ...
		test	ecx, ecx
		jz	short loc_864CA7
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+2Ch]

loc_864C99:				; CODE XREF: PiGetProviderList(x)+1Dj
		test	eax, eax
		jz	short loc_864CA1
		add	eax, 8
		retn
; 

loc_864CA1:				; CODE XREF: PiGetProviderList(x)+Fj
		mov	eax, offset _PiDependencyNodeEmptyList
		retn
; 

loc_864CA7:				; CODE XREF: PiGetProviderList(x)+2j
		xor	eax, eax
		jmp	short loc_864C99
_PiGetProviderList@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipCallDriverAddDevice proc near	; CODE XREF: PipProcessDevNodeTree+EFp
					; PiProcessAddBootDevices(x)+52p

var_E4		= dword	ptr -0E4h
var_DC		= dword	ptr -0DCh
var_D6		= byte ptr -0D6h
var_D5		= byte ptr -0D5h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_64		= dword	ptr -64h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009064B0 SIZE 000004D8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0DCh+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[esp+0E0h+var_A8], edx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	byte ptr [esp+0E8h+var_C8], al
		push	8
		pop	ecx
		lea	edi, [esp+0E8h+var_78]
		mov	[esp+0E8h+var_B8], eax
		rep stosd
		xor	ecx, ecx
		mov	[esp+0E8h+var_C0], eax
		push	4
		mov	byte ptr [esp+0ECh+var_B0], al
		mov	[esp+0ECh+var_B4], eax
		mov	[esp+0ECh+var_D0], eax
		mov	[esp+0ECh+var_84], eax
		mov	[esp+0ECh+var_80], eax
		mov	[esp+0ECh+var_7C], eax
		mov	[esp+0ECh+var_D4], eax
		mov	[esp+0ECh+var_BC], eax
		mov	[esp+0ECh+var_98], eax
		mov	[esp+0ECh+var_CC], ecx
		mov	[esp+0ECh+var_90], ecx
		mov	[esp+0ECh+var_8C], ecx
		mov	[esp+0ECh+var_AC], ecx
		mov	[esp+0ECh+var_A0], ecx
		mov	[esp+0ECh+var_9C], ecx
		mov	word ptr [esp+0ECh+var_58], ax
		mov	[esp+0ECh+var_C4], ecx
		mov	[esp+0ECh+var_A4], ecx
		mov	[esp+0ECh+var_94], ecx
		pop	edi
		cmp	[ebx+1C0h], al
		jz	short loc_864DC1
		cmp	[edx+4], al
		jnz	short loc_864DC1

loc_864D4A:				; CODE XREF: PipCallDriverAddDevice+326j
					; PipCallDriverAddDevice+A191Ej ...
		mov	esi, 0C0000001h

loc_864D4F:				; CODE XREF: PipCallDriverAddDevice+13Cj
					; PipCallDriverAddDevice+316j ...
		push	6
		pop	eax
		lea	ebx, [esp+0E8h+var_70]
		mov	[esp+0E8h+var_C8], eax

loc_864D5A:				; CODE XREF: PipCallDriverAddDevice+C2j
		mov	edi, [ebx]
		test	edi, edi
		jnz	loc_8650B0

loc_864D64:				; CODE XREF: PipCallDriverAddDevice+434j
		add	ebx, 4
		sub	eax, 1
		mov	[esp+0E8h+var_C8], eax
		jnz	short loc_864D5A
		cmp	[esp+0E8h+var_D0], 0
		jnz	loc_864FF1

loc_864D7B:				; CODE XREF: PipCallDriverAddDevice+34Ej
		cmp	[esp+0E8h+var_B8], 0
		jnz	loc_864FFF

loc_864D86:				; CODE XREF: PipCallDriverAddDevice+35Cj
		mov	eax, [esp+0E8h+var_A4]
		test	eax, eax
		jnz	loc_86519A

loc_864D92:				; CODE XREF: PipCallDriverAddDevice+4FAj
		mov	eax, [esp+0E8h+var_94]
		test	eax, eax
		jnz	loc_8651AB

loc_864D9E:				; CODE XREF: PipCallDriverAddDevice+50Bj
		mov	eax, [esp+0E8h+var_C4]
		test	eax, eax
		jnz	loc_86500D

loc_864DAA:				; CODE XREF: PipCallDriverAddDevice+369j
		mov	ecx, [esp+0E8h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_864DC1:				; CODE XREF: PipCallDriverAddDevice+97j
					; PipCallDriverAddDevice+9Cj
		mov	edx, [ebx+18h]
		lea	eax, [esp+0E8h+var_D0]
		push	ecx
		push	eax
		push	ecx
		push	20019h
		push	ecx
		mov	[ebx+1C0h], cl
		mov	ecx, _PiPnpRtlCtx
		push	10h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_864D4F
		mov	eax, [ebx+10h]
		xor	ecx, ecx
		inc	ecx
		test	dword ptr [eax+1Ch], 2000000h
		jnz	loc_9064B0

loc_864E01:				; CODE XREF: PipCallDriverAddDevice+A184Bj
		cmp	dword ptr [ebx+1A4h], 0FFFFFFFFh
		jz	loc_8650E5

loc_864E0E:				; CODE XREF: PipCallDriverAddDevice+49Dj
					; PipCallDriverAddDevice+A18D7j
		mov	edx, [ebx+18h]
		lea	eax, [esp+0E8h+var_CC]
		mov	ecx, _PiPnpRtlCtx
		mov	edi, offset _DEVPKEY_Device_PreventDriverLoad
		push	0
		push	eax
		push	8
		lea	eax, [esp+0F4h+var_80]
		push	eax
		lea	eax, [esp+0F8h+var_AC]
		push	eax
		push	edi
		push	0
		push	[esp+104h+var_D0]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_906588
		cmp	esi, 0C0000023h
		jz	loc_906588

loc_864E53:				; CODE XREF: PipCallDriverAddDevice+A18E7j
					; PipCallDriverAddDevice+A1940j
		mov	edx, [ebx+18h]
		lea	eax, [esp+0E8h+var_D4]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		lea	eax, [esp+0F0h+var_58]
		mov	[esp+0F0h+var_D4], 4Eh
		push	eax
		lea	eax, [esp+0F4h+var_BC]
		push	eax
		push	9
		push	[esp+0FCh+var_D0]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_864ED7
		cmp	[esp+0E8h+var_BC], 1
		jnz	short loc_864ED7
		cmp	[esp+0E8h+var_D4], 0
		jz	short loc_864ED7
		lea	eax, [esp+0E8h+var_58]
		push	eax
		lea	eax, [esp+0ECh+var_A0]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		cmp	_InitSafeBootMode, 0
		jnz	loc_9065F1

loc_864EB4:				; CODE XREF: PipCallDriverAddDevice+A1954j
		xor	ecx, ecx
		lea	eax, [esp+0E8h+var_B8]
		push	ecx
		push	eax
		push	ecx
		push	20019h
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	edx, [esp+0FCh+var_58]
		push	20h
		call	_CmOpenCommonClassRegKey

loc_864ED7:				; CODE XREF: PipCallDriverAddDevice+1D9j
					; PipCallDriverAddDevice+1E0j ...
		mov	edx, [ebx+18h]
		lea	eax, [esp+0E8h+var_D4]
		mov	ecx, _PiPnpRtlCtx
		push	4
		pop	esi
		push	0
		push	eax
		lea	eax, [esp+0F0h+var_C0]
		mov	[esp+0F0h+var_D4], esi
		push	eax
		lea	eax, [esp+0F4h+var_BC]
		push	eax
		push	0Bh
		push	[esp+0FCh+var_D0]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_90669C
		cmp	[esp+0E8h+var_BC], esi
		jnz	loc_90669C
		cmp	[esp+0E8h+var_D4], esi
		jnz	loc_90669C

loc_864F1F:				; CODE XREF: PipCallDriverAddDevice+A19F5j
		mov	eax, [esp+0E8h+var_A8]
		mov	edi, 6E657050h
		mov	[esp+0E8h+var_74], eax
		xor	esi, esi
		mov	eax, 200h
		mov	[esp+0E8h+var_78], ebx
		push	edi
		push	eax
		push	1
		mov	[esp+0F4h+var_D4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0E8h+var_C4], eax
		test	eax, eax
		jz	loc_9066A6
		test	[esp+0E8h+var_C0], 80000h
		jnz	loc_9066B0

loc_864F5E:				; CODE XREF: PipCallDriverAddDevice+A1AFEj
					; PipCallDriverAddDevice+A1B32j ...
		mov	edi, 4000000h
		test	[ebx+10Ch], edi
		jz	loc_865154

loc_864F6F:				; CODE XREF: PipCallDriverAddDevice+4E9j
					; PipCallDriverAddDevice+A1BF3j
		test	esi, esi
		js	short loc_864FA2
		mov	eax, [esp+0E8h+var_B8]
		test	eax, eax
		jz	short loc_864F8C
		mov	edi, 8000000h
		test	[ebx+10Ch], edi
		jz	loc_865068

loc_864F8C:				; CODE XREF: PipCallDriverAddDevice+2CDj
					; PipCallDriverAddDevice+3FFj ...
		test	esi, esi
		js	short loc_864FA2
		mov	edi, 10000000h
		test	[ebx+10Ch], edi
		jz	short loc_86501A
		mov	esi, 0C0000034h

loc_864FA2:				; CODE XREF: PipCallDriverAddDevice+2C5j
					; PipCallDriverAddDevice+2E2j ...
		mov	ecx, [ebx+10Ch]
		test	ecx, 1000h
		jnz	loc_9068A4
		test	esi, esi
		jns	loc_8651BC
		cmp	esi, 0C0000034h
		jnz	loc_864D4F
		test	dword ptr [ebx+170h], 100h
		jz	loc_864D4A
		mov	ecx, ebx
		call	PipClearDevNodeProblem
		mov	ecx, [ebx+10Ch]
		xor	esi, esi
		mov	byte ptr [esp+0E8h+var_B0], 1
		jmp	loc_8651CD
; 

loc_864FF1:				; CODE XREF: PipCallDriverAddDevice+C9j
		push	[esp+0E8h+var_D0]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_864D7B
; 

loc_864FFF:				; CODE XREF: PipCallDriverAddDevice+D4j
		push	[esp+0E8h+var_B8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_864D86
; 

loc_86500D:				; CODE XREF: PipCallDriverAddDevice+F8j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_864DAA
; 

loc_86501A:				; CODE XREF: PipCallDriverAddDevice+2EFj
		lea	eax, [esp+0E8h+var_78]
		push	eax
		push	[esp+0ECh+var_C8]
		lea	edx, [esp+0F0h+var_D4]
		push	3
		push	0
		push	[esp+0F8h+var_D0]
		lea	ecx, [esp+0FCh+var_C4]
		push	dword ptr [ebx+18h]
		push	0
		push	5
		call	PnpCallDriverQueryServiceHelper
		mov	esi, eax
		cmp	esi, 0C0000225h
		jz	short loc_865055
		cmp	esi, 0C0000034h
		jnz	loc_864FA2

loc_865055:				; CODE XREF: PipCallDriverAddDevice+39Bj
		mov	edx, edi
		mov	ecx, ebx
		mov	esi, 0C0000034h
		call	PipSetDevNodeFlags
		jmp	loc_864FA2
; 

loc_865068:				; CODE XREF: PipCallDriverAddDevice+2DAj
		lea	ecx, [esp+0E8h+var_78]
		push	ecx
		push	[esp+0ECh+var_C8]
		lea	edx, [esp+0F0h+var_D4]
		push	2
		push	1
		push	eax
		lea	eax, [esp+0FCh+var_58]
		push	eax
		push	offset _DEVPKEY_DeviceClass_CompoundLowerFilters
		push	13h
		lea	ecx, [esp+108h+var_C4]
		call	PnpCallDriverQueryServiceHelper
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	loc_86542F

loc_8650A0:				; CODE XREF: PipCallDriverAddDevice+78Fj
		mov	edx, edi
		mov	ecx, ebx
		call	PipSetDevNodeFlags
		xor	esi, esi
		jmp	loc_864F8C
; 

loc_8650B0:				; CODE XREF: PipCallDriverAddDevice+B2j
					; PipCallDriverAddDevice+42Ej
		cmp	_PnPBootDriversInitialized, 0
		mov	eax, edi
		mov	edi, [edi+4]
		mov	[esp+0E8h+var_B0], eax
		jnz	loc_86541F

loc_8650C6:				; CODE XREF: PipCallDriverAddDevice+77Ej
		mov	ecx, [eax]
		call	ObfDereferenceObject
		push	0
		push	[esp+0ECh+var_B0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jnz	short loc_8650B0
		mov	eax, [esp+0E8h+var_C8]
		jmp	loc_864D64
; 

loc_8650E5:				; CODE XREF: PipCallDriverAddDevice+15Cj
		cmp	_PnpQueryProximityNode,	0
		jz	short loc_865122
		mov	edx, [ebx+18h]
		lea	eax, [esp+0E8h+var_CC]
		push	0
		push	eax
		push	edi
		lea	eax, [esp+0F4h+var_B4]
		push	eax
		lea	eax, [esp+0F8h+var_AC]
		push	eax
		push	(offset	loc_406997+1)
		push	0
		push	[esp+104h+var_D0]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	loc_906518

loc_865122:				; CODE XREF: PipCallDriverAddDevice+440j
					; PipCallDriverAddDevice+A1874j ...
		mov	eax, [ebx+1A4h]
		push	0FFFFFFFEh
		pop	ecx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_865147
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_90654D
		mov	eax, [eax+1A4h]
		mov	[ebx+1A4h], eax

loc_865147:				; CODE XREF: PipCallDriverAddDevice+482j
					; PipCallDriverAddDevice+A18A9j
		cmp	eax, ecx
		jz	loc_864E0E
		jmp	loc_90655A
; 

loc_865154:				; CODE XREF: PipCallDriverAddDevice+2BDj
		lea	eax, [esp+0E8h+var_78]
		push	eax
		push	[esp+0ECh+var_C8]
		lea	edx, [esp+0F0h+var_D4]
		push	1
		push	0
		push	[esp+0F8h+var_D0]
		lea	ecx, [esp+0FCh+var_C4]
		push	dword ptr [ebx+18h]
		push	offset _DEVPKEY_Device_CompoundLowerFilters
		push	13h
		call	PnpCallDriverQueryServiceHelper
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	loc_906893

loc_86518A:				; CODE XREF: PipCallDriverAddDevice+A1BEDj
		mov	edx, edi
		mov	ecx, ebx
		call	PipSetDevNodeFlags
		xor	esi, esi
		jmp	loc_864F6F
; 

loc_86519A:				; CODE XREF: PipCallDriverAddDevice+E0j
		mov	edx, 65706E50h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		jmp	loc_864D92
; 

loc_8651AB:				; CODE XREF: PipCallDriverAddDevice+ECj
		mov	edx, 65706E50h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		jmp	loc_864D9E
; 

loc_8651BC:				; CODE XREF: PipCallDriverAddDevice+30Aj
		mov	eax, [esp+0E8h+var_64]
		cmp	dword ptr [eax+4], 0
		jnz	loc_9068AB

loc_8651CD:				; CODE XREF: PipCallDriverAddDevice+340j
		mov	edi, 20000000h
		test	ecx, edi
		jnz	short loc_865217
		lea	eax, [esp+0E8h+var_78]
		push	eax
		push	[esp+0ECh+var_C8]
		lea	edx, [esp+0F0h+var_D4]
		push	4
		push	0
		push	[esp+0F8h+var_D0]
		lea	ecx, [esp+0FCh+var_C4]
		push	dword ptr [ebx+18h]
		push	offset _DEVPKEY_Device_CompoundUpperFilters
		push	12h
		call	PnpCallDriverQueryServiceHelper
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	loc_865491

loc_86520C:				; CODE XREF: PipCallDriverAddDevice+7F1j
		mov	edx, edi
		mov	ecx, ebx
		call	PipSetDevNodeFlags
		xor	esi, esi

loc_865217:				; CODE XREF: PipCallDriverAddDevice+528j
					; PipCallDriverAddDevice+7EBj
		test	esi, esi
		js	loc_864D4F
		mov	eax, [esp+0E8h+var_B8]
		test	eax, eax
		jz	short loc_865277
		mov	edi, 40000000h
		test	[ebx+10Ch], edi
		jnz	short loc_865277
		lea	ecx, [esp+0E8h+var_78]
		push	ecx
		push	[esp+0ECh+var_C8]
		lea	edx, [esp+0F0h+var_D4]
		push	5
		push	1
		push	eax
		lea	eax, [esp+0FCh+var_58]
		push	eax
		push	offset _DEVPKEY_DeviceClass_CompoundUpperFilters
		push	12h
		lea	ecx, [esp+108h+var_C4]
		call	PnpCallDriverQueryServiceHelper
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	loc_865468

loc_86526C:				; CODE XREF: PipCallDriverAddDevice+7C8j
		mov	edx, edi
		mov	ecx, ebx
		call	PipSetDevNodeFlags
		xor	esi, esi

loc_865277:				; CODE XREF: PipCallDriverAddDevice+579j
					; PipCallDriverAddDevice+586j ...
		test	esi, esi
		js	loc_864D4F
		mov	edx, [esp+0E8h+var_D0]
		lea	ecx, [esp+0E8h+var_78]
		call	_PiDmaGuardProcessPreAddDevice@8 ; PiDmaGuardProcessPreAddDevice(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_864D4F
		mov	ecx, [ebx+10h]
		xor	edi, edi
		mov	edx, 65706E50h
		mov	[esp+0E8h+var_C8], edi
		call	IoGetAttachedDeviceReferenceWithTag
		mov	[esp+0E8h+var_A4], eax
		xor	al, al
		mov	[esp+0E8h+var_D5], al

loc_8652B3:				; CODE XREF: PipCallDriverAddDevice+638j
		cmp	al, 3
		jz	loc_865392

loc_8652BB:				; CODE XREF: PipCallDriverAddDevice+706j
		movzx	edi, al
		mov	[esp+0E8h+var_A8], edi
		mov	ecx, [esp+edi*4+0E8h+var_70]
		mov	esi, ecx
		mov	[esp+0E8h+var_90], ecx
		test	esi, esi
		jnz	loc_8653C4

loc_8652D4:				; CODE XREF: PipCallDriverAddDevice+76Ej
		test	al, al
		jz	loc_8653B7

loc_8652DC:				; CODE XREF: PipCallDriverAddDevice+70Dj
					; PipCallDriverAddDevice+A1CB3j
		inc	al
		mov	[esp+0E8h+var_D5], al
		cmp	al, 6
		jb	short loc_8652B3
		mov	edi, [esp+0E8h+var_C8]
		test	edi, edi
		jz	loc_865460
		cmp	byte ptr [esp+0E8h+var_B0], 0
		jnz	loc_865460
		xor	eax, eax

loc_8652FF:				; CODE XREF: PipCallDriverAddDevice+7B7j
		mov	ecx, [ebx+10h]
		push	eax
		mov	eax, [esp+0ECh+var_A4]
		push	edi
		mov	edx, [eax+10h]
		call	IovUtilMarkStack
		push	[esp+0E8h+var_B0]
		mov	edx, [esp+0ECh+var_D0]
		lea	eax, [esp+0ECh+var_58]
		push	[esp+0ECh+var_B8]
		mov	ecx, [ebx+10h]
		push	eax
		call	PipChangeDeviceObjectFromRegistryProperties
		test	eax, eax
		js	loc_906502
		mov	ecx, [ebx+10h]
		lea	eax, [ebx+130h]
		push	eax
		lea	eax, [ebx+12Ch]
		push	eax
		call	IopQueryLegacyBusInformation
		test	eax, eax
		jns	loc_865479
		or	dword ptr [ebx+12Ch], 0FFFFFFFFh
		mov	dword ptr [ebx+130h], 0FFFFFFF0h

loc_865363:				; CODE XREF: PipCallDriverAddDevice+7E0j
		mov	edx, [ebx+18h]
		push	17h
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		test	dword ptr [ebx+170h], 100000h
		jnz	loc_906964
		xor	ecx, ecx
		cmp	_PipDmaGuardPolicy, ecx
		jnz	loc_90696E

loc_86538B:				; CODE XREF: PipCallDriverAddDevice+A1CC8j
		mov	esi, ecx
		jmp	loc_864D4F
; 

loc_865392:				; CODE XREF: PipCallDriverAddDevice+609j
		mov	ecx, [ebx+10h]
		mov	edx, 65706E50h
		call	IoGetAttachedDeviceReferenceWithTag
		cmp	byte ptr [esp+0E8h+var_B0], 0
		mov	[esp+0E8h+var_94], eax
		jnz	loc_865440

loc_8653AE:				; CODE XREF: PipCallDriverAddDevice+79Cj
					; PipCallDriverAddDevice+7AFj
		mov	al, [esp+0E8h+var_D5]
		jmp	loc_8652BB
; 

loc_8653B7:				; CODE XREF: PipCallDriverAddDevice+62Aj
		test	ecx, ecx
		jz	loc_8652DC
		jmp	loc_9068EE
; 

loc_8653C4:				; CODE XREF: PipCallDriverAddDevice+622j
					; PipCallDriverAddDevice+768j
		mov	edx, [esi]
		mov	ecx, ebx
		push	edi
		mov	eax, [edx+18h]
		mov	eax, [eax+4]
		push	eax
		call	PnpCallAddDevice
		mov	ecx, [esi]
		mov	edi, eax
		or	dword ptr [ecx+8], 400h
		test	edi, edi
		js	loc_9068BF
		cmp	[esp+0E8h+var_D5], 3
		jnz	short loc_8653FA
		mov	eax, [esp+0E8h+var_94]
		mov	eax, [eax+10h]
		mov	[esp+0E8h+var_C8], eax

loc_8653FA:				; CODE XREF: PipCallDriverAddDevice+741j
		push	ecx
		mov	edx, 303h
		mov	ecx, ebx
		call	PipSetDevNodeState
		mov	al, [esp+0E8h+var_D5]

loc_86540B:				; CODE XREF: PipCallDriverAddDevice+A1C19j
		mov	esi, [esi+4]
		mov	edi, [esp+0E8h+var_A8]
		test	esi, esi
		jnz	short loc_8653C4
		mov	ecx, [esp+0E8h+var_90]
		jmp	loc_8652D4
; 

loc_86541F:				; CODE XREF: PipCallDriverAddDevice+414j
		mov	ecx, [eax]
		call	PnpUnloadAttachedDriver
		mov	eax, [esp+0E8h+var_B0]
		jmp	loc_8650C6
; 

loc_86542F:				; CODE XREF: PipCallDriverAddDevice+3EEj
		cmp	esi, 0C0000034h
		jnz	loc_864F8C
		jmp	loc_8650A0
; 

loc_865440:				; CODE XREF: PipCallDriverAddDevice+6FCj
		cmp	[esp+0E8h+var_64], 0
		jnz	loc_8653AE
		push	ecx
		mov	edx, 303h
		mov	ecx, ebx
		call	PipSetDevNodeState
		jmp	loc_8653AE
; 

loc_865460:				; CODE XREF: PipCallDriverAddDevice+640j
					; PipCallDriverAddDevice+64Bj
		xor	eax, eax
		inc	eax
		jmp	loc_8652FF
; 

loc_865468:				; CODE XREF: PipCallDriverAddDevice+5BAj
		cmp	esi, 0C0000034h
		jnz	loc_865277
		jmp	loc_86526C
; 

loc_865479:				; CODE XREF: PipCallDriverAddDevice+6A0j
		push	dword ptr [ebx+130h]
		mov	edx, [ebx+12Ch]
		mov	ecx, ebx
		call	IopInsertLegacyBusDeviceNode
		jmp	loc_865363
; 

loc_865491:				; CODE XREF: PipCallDriverAddDevice+55Aj
		cmp	esi, 0C0000034h
		jnz	loc_865217
		jmp	loc_86520C
PipCallDriverAddDevice endp


;  S U B	R O U T	I N E 


PipSetDevNodeFlags proc	near		; CODE XREF: PiMarkDeviceTreeForReenumeration(x,x)+18p
					; PiMarkDeviceTreeForReenumerationWorker(x,x)+17p ...

; FUNCTION CHUNK AT 00906988 SIZE 00000050 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+10Ch]
		mov	eax, edi
		or	eax, edx
		mov	[esi+10Ch], eax
		xor	eax, edi
		test	eax, 307000h
		jnz	loc_906988

loc_8654C6:				; CODE XREF: PipSetDevNodeFlags+A14EBj
					; PipSetDevNodeFlags+A1521j ...
		pop	edi
		pop	esi
		pop	ecx
		retn
PipSetDevNodeFlags endp


;  S U B	R O U T	I N E 


PipClearDevNodeFlags proc near		; CODE XREF: PipEnumerateDevice+83p
					; PipEnumerateCompleted+28p ...

; FUNCTION CHUNK AT 009069D8 SIZE 00000050 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		not	edx
		push	edi
		mov	edi, [esi+10Ch]
		and	edx, edi
		mov	[esi+10Ch], edx
		xor	edx, edi
		test	edx, 307000h
		jnz	loc_9069D8

loc_8654EF:				; CODE XREF: PipClearDevNodeFlags+A1513j
					; PipClearDevNodeFlags+A1549j ...
		pop	edi
		pop	esi
		pop	ecx
		retn
PipClearDevNodeFlags endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpQueryDeviceRelations(x, x, x, x)
_PnpQueryDeviceRelations@16 proc near	; CODE XREF: PipEnumerateDevice+A5p
					; PAGE:0087811Cp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		push	9
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		pop	ecx
		push	[ebp+arg_4]
		xor	eax, eax
		push	[ebp+arg_0]
		rep stosd
		mov	[ebp+var_20], edx
		lea	edx, [ebp+var_24]
		push	ecx
		mov	ecx, esi
		mov	word ptr [ebp+var_24], 71Bh
		call	PnpSendIrp
		pop	edi
		pop	esi
		leave
		retn	8
_PnpQueryDeviceRelations@16 endp


;  S U B	R O U T	I N E 


; __stdcall PnpDeviceCompletionRequestCreate(x,	x, x)
_PnpDeviceCompletionRequestCreate@12 proc near ; CODE XREF: PipEnumerateDevice+42p
					; PnpStartDeviceNode+84p
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	31706E50h
		push	28h
		push	200h
		mov	edi, edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_86557C
		xor	eax, eax
		mov	[esi+4], esi
		push	2
		mov	edx, esi
		mov	[esi], esi
		pop	ecx
		mov	dword ptr [esi+20h], 1
		mov	[esi+14h], eax
		mov	[esi+0Ch], eax
		mov	[esi+8], ebx
		mov	[esi+10h], edi
		mov	dword ptr [esi+18h], 0C00000E5h
		mov	[esi+1Ch], eax
		call	_PnpEnableWatchdog@8 ; PnpEnableWatchdog(x,x)
		mov	[esi+24h], eax

loc_86557C:				; CODE XREF: PnpDeviceCompletionRequestCreate(x,x,x)+1Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ecx
		retn	4
_PnpDeviceCompletionRequestCreate@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopQueryDeviceState(x, x)
_IopQueryDeviceState@8 proc near	; CODE XREF: PiProcessQueryDeviceState+40p
					; PiProcessCanceledRemoveForReset(x,x,x,x)+ADp	...

var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_4], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	9
		mov	esi, ecx
		lea	edi, [ebp+var_28]
		pop	ecx
		rep stosd
		lea	eax, [ebp+var_4]
		mov	word ptr [ebp+var_28], 141Bh
		push	eax
		push	0
		mov	ebx, edx
		mov	ecx, esi
		push	0C00000BBh
		lea	edx, [ebp+var_28]
		call	IopSynchronousCall
		test	eax, eax
		js	short loc_8655CB
		test	ebx, ebx
		jz	short loc_8655CB
		mov	ecx, [ebp+var_4]
		mov	[ebx], ecx

loc_8655CB:				; CODE XREF: IopQueryDeviceState(x,x)+3Aj
					; IopQueryDeviceState(x,x)+3Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopQueryDeviceState@8 endp


;  S U B	R O U T	I N E 


; __stdcall PiSwUnlock()
_PiSwUnlock@0	proc near		; CODE XREF: PiSwStopDestroy(x,x,x,x):loc_736797p
					; PipEnumerateCompleted:loc_864598p ...
		mov	edi, edi
		push	ecx
		mov	ecx, offset _PiSwLockObj
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	ecx
		retn
_PiSwUnlock@0	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PiSwFindChildren(x)
_PiSwFindChildren@4 proc near		; CODE XREF: PiSwStopDestroy(x,x,x,x)+32p
					; PipEnumerateCompleted+74p
		call	_PiSwFindBusRelations@4	; PiSwFindBusRelations(x)
		test	eax, eax
		jnz	short loc_8655F6
		retn
; 

loc_8655F6:				; CODE XREF: PiSwFindChildren(x)+7j
		add	eax, 8
		retn
_PiSwFindChildren@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwFindBusRelations(x)
_PiSwFindBusRelations@4	proc near	; CODE XREF: PiSwCloseDescendants(x,x)+10p
					; PiSwFindChildren(x)p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		cmp	[ecx+4], eax
		jz	short loc_86562A
		mov	eax, [ecx]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	offset _PiSwBusRelationsTable
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		leave
		retn
; 

loc_86562A:				; CODE XREF: PiSwFindBusRelations(x)+13j
		xor	eax, eax
		leave
		retn
_PiSwFindBusRelations@4	endp


;  S U B	R O U T	I N E 


; __stdcall PiSwLock()
_PiSwLock@0	proc near		; CODE XREF: PiSwStopDestroy(x,x,x,x)+1Ep
					; PipEnumerateCompleted:loc_864580p ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiSwLockObj
		call	ExAcquireResourceExclusiveLite
		retn
_PiSwLock@0	endp

; 
		align 2

;  S U B	R O U T	I N E 


PiUpdateGuestAssignedState proc	near	; CODE XREF: PiProcessQueryDeviceState+A9p
					; PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+C1p

; FUNCTION CHUNK AT 00906A28 SIZE 00000031 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	bl, dl
		mov	eax, [edi+1C8h]
		mov	ecx, eax
		shr	ecx, 0Dh
		and	cl, 1
		test	bl, bl
		jnz	short loc_865680
		and	eax, 0FFFFDFFFh

loc_86566A:				; CODE XREF: PiUpdateGuestAssignedState+3Bj
		mov	[edi+1C8h], eax
		cmp	cl, bl
		jnz	loc_906A28
		xor	esi, esi

loc_86567A:				; CODE XREF: PiUpdateGuestAssignedState+A13F8j
					; PiUpdateGuestAssignedState+A140Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_865680:				; CODE XREF: PiUpdateGuestAssignedState+19j
		or	eax, 2000h
		jmp	short loc_86566A
PiUpdateGuestAssignedState endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpProcessAssignResources proc near	; CODE XREF: PipProcessDevNodeTree+5Ep

var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00906A59 SIZE 00000059 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, _IopNumberDeviceNodes
		push	ebx
		push	esi
		push	edi
		push	35706E50h
		lea	esi, ds:8[eax*4]
		mov	[ebp+var_10], ecx
		push	esi
		push	1
		mov	bl, dl
		mov	[ebp+var_1], 0
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_C], edi
		test	edi, edi
		jz	short loc_8656EE
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+var_10]
		add	esp, 0Ch
		movzx	eax, bl
		mov	edx, edi
		mov	[edi], eax
		call	PnpProcessAssignResourcesWorker
		mov	ebx, [edi+4]
		mov	[ebp+var_18], ebx
		test	ebx, ebx
		jnz	short loc_8656F8

loc_8656E3:				; CODE XREF: PnpProcessAssignResources+7Ej
					; PnpProcessAssignResources+129j
		push	35706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8656EE:				; CODE XREF: PnpProcessAssignResources+34j
		mov	al, [ebp+var_1]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8656F8:				; CODE XREF: PnpProcessAssignResources+59j
		mov	ecx, ebx
		call	_PnpCreateResourceRequest@4 ; PnpCreateResourceRequest(x)
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		jz	short loc_8656E3
		test	ebx, ebx
		jz	short loc_86573E
		add	edi, 8
		mov	[ebp+var_8], ebx
		mov	ebx, edi

loc_865714:				; CODE XREF: PnpProcessAssignResources+ABj
		mov	edx, [ebx]
		xor	eax, eax
		push	0Ah
		pop	ecx
		mov	edi, esi
		rep stosd
		and	[esi+14h], eax
		push	4
		pop	eax
		mov	[esi], edx
		add	ebx, eax
		mov	[esi+8], eax
		add	esi, 28h
		sub	[ebp+var_8], 1
		jnz	short loc_865714
		mov	ebx, [ebp+var_18]
		mov	edi, [ebp+var_C]
		mov	esi, [ebp+var_10]

loc_86573E:				; CODE XREF: PnpProcessAssignResources+82j
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		call	_PnpAssignResourcesToDevices@12	; PnpAssignResourcesToDevices(x,x,x)
		test	ebx, ebx
		jz	short loc_8657A6
		lea	edi, [esi+1Ch]

loc_865751:				; CODE XREF: PnpProcessAssignResources+116j
		mov	eax, [edi-1Ch]
		test	eax, eax
		jz	loc_906A59
		mov	eax, [eax+0B0h]
		mov	esi, [eax+14h]

loc_865765:				; CODE XREF: PnpProcessAssignResources+A13D3j
		mov	eax, [edi+8]
		test	eax, eax
		js	short loc_8657DD
		cmp	dword ptr [edi], 0
		mov	[ebp+var_1], 1
		jnz	short loc_8657B6
		mov	edx, 100h
		mov	ecx, esi
		call	PipSetDevNodeFlags

loc_865781:				; CODE XREF: PnpProcessAssignResources+153j
		push	ecx
		mov	edx, 304h
		mov	ecx, esi
		call	PipSetDevNodeState
		push	4
		pop	edx
		mov	ecx, esi
		call	PipClearDevNodeUserFlags

loc_865798:				; CODE XREF: PnpProcessAssignResources+15Aj
					; PnpProcessAssignResources+A1425j
		add	edi, 28h
		sub	ebx, 1
		jnz	short loc_865751
		mov	edi, [ebp+var_C]
		mov	esi, [ebp+var_10]

loc_8657A6:				; CODE XREF: PnpProcessAssignResources+C4j
		push	36706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8656E3
; 

loc_8657B6:				; CODE XREF: PnpProcessAssignResources+EBj
		mov	ecx, offset _PiResourceListLock
		call	@KeAcquireGuardedMutex@4 ; KeAcquireGuardedMutex(x)
		mov	eax, [edi]
		mov	ecx, offset _PiResourceListLock
		mov	[esi+11Ch], eax
		mov	eax, [edi+4]
		mov	[esi+120h], eax
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	short loc_865781
; 

loc_8657DD:				; CODE XREF: PnpProcessAssignResources+E2j
		cmp	eax, 0C000022Dh
		jz	short loc_865798
		jmp	loc_906A60
PnpProcessAssignResources endp

; 
		align 2

;  S U B	R O U T	I N E 


PnpProcessAssignResourcesWorker	proc near ; CODE XREF: PnpProcessAssignResources+4Cp

; FUNCTION CHUNK AT 00906AB2 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	esi, ebx

loc_8657F5:				; CODE XREF: PnpProcessAssignResourcesWorker+3Bj
		cmp	dword ptr [edi], 0
		jnz	short loc_865832

loc_8657FA:				; CODE XREF: PnpProcessAssignResourcesWorker+52j
					; PnpProcessAssignResourcesWorker+A12DBj ...
		test	dword ptr [esi+10Ch], 6000h
		jnz	short loc_865812
		cmp	dword ptr [esi+0ACh], 303h
		jz	short loc_865849

loc_865812:				; CODE XREF: PnpProcessAssignResourcesWorker+1Aj
					; PnpProcessAssignResourcesWorker+6Cj
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_865823

loc_865819:				; CODE XREF: PnpProcessAssignResourcesWorker+42j
					; PnpProcessAssignResourcesWorker+46j
		cmp	esi, ebx
		jz	short loc_865843
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_865827

loc_865823:				; CODE XREF: PnpProcessAssignResourcesWorker+2Dj
		mov	esi, eax
		jmp	short loc_8657F5
; 

loc_865827:				; CODE XREF: PnpProcessAssignResourcesWorker+37j
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_865819
		mov	esi, eax
		jmp	short loc_865819
; 

loc_865832:				; CODE XREF: PnpProcessAssignResourcesWorker+Ej
		test	dword ptr [esi+10Ch], 2000h
		jz	short loc_8657FA
		jmp	loc_906AB2
; 

loc_865843:				; CODE XREF: PnpProcessAssignResourcesWorker+31j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		retn
; 

loc_865849:				; CODE XREF: PnpProcessAssignResourcesWorker+26j
		mov	ecx, [edi+4]
		mov	eax, [esi+10h]
		mov	[edi+ecx*4+8], eax
		inc	dword ptr [edi+4]
		jmp	short loc_865812
PnpProcessAssignResourcesWorker	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCMSetObjectProperty proc near		; CODE XREF: PiCMHandleIoctl+D5p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00906F53 SIZE 0000010C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		push	38h		; size_t
		mov	[ebp+var_44], eax
		mov	esi, edx
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_58], ebx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		and	dword ptr [ebx], 0
		lea	eax, [ebp+var_3C]
		add	esp, 0Ch
		mov	edx, esi
		push	eax
		push	ecx
		mov	ecx, edi
		call	PiCMCapturePropertyInputData
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8659B6
		mov	eax, [ebp+var_14]
		mov	edi, [ebp+var_18]
		mov	esi, [ebp+var_34]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_30]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+var_10]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_50], eax
		cmp	edi, 0Eh
		jz	loc_906F53

loc_8658CF:				; CODE XREF: PiCMSetObjectProperty+A1712j
		cmp	edi, 3
		jz	loc_906F6F

loc_8658D8:				; CODE XREF: PiCMSetObjectProperty+A172Ej
		cmp	edi, 4
		jz	loc_906F8B

loc_8658E1:				; CODE XREF: PiCMSetObjectProperty+A174Aj
		cmp	edi, 2
		jz	loc_906FA7

loc_8658EA:				; CODE XREF: PiCMSetObjectProperty+A1764j
		xor	ecx, ecx

loc_8658EC:				; CODE XREF: PiCMSetObjectProperty+A176Dj
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 3Eh
		add	ecx, 2
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jz	loc_906FCA
		mov	ecx, [ebp+var_40]
		test	ecx, ecx
		jz	loc_907055
		cmp	[ebp+var_38], 0
		jnz	loc_907055
		cmp	[ebp+var_44], 0
		jz	loc_907055
		push	8
		pop	eax
		cmp	[ebp+arg_4], eax
		jb	loc_907055
		xor	edi, edi
		cmp	esi, 6
		jg	loc_8659F6
		jz	loc_906FF2
		sub	esi, 1
		jz	loc_8659D1
		sub	esi, 1
		jz	loc_906FEB
		sub	esi, 1
		jz	loc_906FE4
		sub	esi, 1
		jnz	loc_906FD4
		push	3

loc_865965:				; CODE XREF: PiCMSetObjectProperty+A1787j
					; PiCMSetObjectProperty+A178Ej	...
		pop	edi

loc_865966:				; CODE XREF: PiCMSetObjectProperty+17Cj
					; PiCMSetObjectProperty+1BDj ...
		test	ebx, ebx
		js	short loc_8659A1
		xor	esi, esi
		lea	eax, [ebp+var_28]
		push	esi
		push	[ebp+var_50]
		mov	edx, ecx
		mov	ecx, _PiPnpRtlCtx
		push	[ebp+var_54]
		push	[ebp+var_48]
		push	eax
		push	esi
		push	esi
		push	edi
		call	PiPnpRtlSetObjectProperty
		mov	ebx, eax
		cmp	ebx, 0C0000022h
		jz	loc_907026

loc_865998:				; CODE XREF: PiCMSetObjectProperty+A17F8j
		test	ebx, ebx
		js	short loc_8659A1
		cmp	edi, 1
		jz	short loc_8659D6

loc_8659A1:				; CODE XREF: PiCMSetObjectProperty+110j
					; PiCMSetObjectProperty+142j ...
		push	[ebp+var_58]
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		push	[ebp+arg_4]
		push	[ebp+var_44]
		call	PiCMReturnBasicResultData
		mov	ebx, eax

loc_8659B6:				; CODE XREF: PiCMSetObjectProperty+4Aj
		lea	ecx, [ebp+var_3C]
		call	_PiCMReleasePropertyInputData@8	; PiCMReleasePropertyInputData(x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_8659D1:				; CODE XREF: PiCMSetObjectProperty+EAj
		xor	edi, edi
		inc	edi
		jmp	short loc_865966
; 

loc_8659D6:				; CODE XREF: PiCMSetObjectProperty+147j
		push	[ebp+var_40]
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_4C], esi
		push	eax
		mov	[ebp+var_48], esi
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_8659A1
		lea	ecx, [ebp+var_4C]
		call	PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance
		jmp	short loc_8659A1
; 

loc_8659F6:				; CODE XREF: PiCMSetObjectProperty+DBj
		sub	esi, 10001h
		jz	short loc_865A20
		sub	esi, 1
		jnz	loc_906FF9

loc_865A07:				; CODE XREF: PiCMSetObjectProperty+A17BFj
		mov	edi, _PiDrvDbCtx
		neg	edi
		sbb	edi, edi
		and	edi, eax

loc_865A13:				; CODE XREF: PiCMSetObjectProperty+A177Fj
					; PiCMSetObjectProperty+A17AEj
		test	edi, edi
		jnz	loc_865966
		jmp	loc_90701C
; 

loc_865A20:				; CODE XREF: PiCMSetObjectProperty+1A4j
		push	7
		jmp	loc_907016
PiCMSetObjectProperty endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwPropertySet	proc near		; CODE XREF: PiSwIrpPropertySet+129p
					; PiSwIrpInterfaceRegister+1B5p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090705F SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_C], 0
		and	[esp+14h+var_10], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		lea	ecx, [esp+20h+var_C]
		mov	[esp+20h+var_8], ebx
		mov	[esp+20h+var_4], edi
		call	PiPnpRtlBeginOperation
		mov	esi, eax
		test	esi, esi
		js	short loc_865ACB
		xor	ecx, ecx
		lea	eax, [esp+20h+var_10]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	7
		push	ebx
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_865ACB
		xor	ebx, ebx
		cmp	[ebp+arg_4], ebx
		jbe	short loc_865ACB
		mov	edi, [ebp+arg_0]
		add	edi, 24h

loc_865A88:				; CODE XREF: PiSwPropertySet+A1j
		mov	edx, [esp+20h+var_4]
		lea	eax, [edi-24h]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	dword ptr [edi-4]
		push	dword ptr [edi]
		push	dword ptr [edi-8]
		push	eax
		push	dword ptr [edi-0Ch]
		push	[esp+38h+var_10]
		push	[esp+3Ch+var_8]
		call	PiPnpRtlSetObjectProperty
		mov	esi, eax
		cmp	esi, 0C0000225h
		jz	loc_90705F

loc_865ABE:				; CODE XREF: PiSwPropertySet+A1643j
		test	esi, esi
		js	short loc_865ACB
		inc	ebx
		add	edi, 28h
		cmp	ebx, [ebp+arg_4]
		jb	short loc_865A88

loc_865ACB:				; CODE XREF: PiSwPropertySet+31j
					; PiSwPropertySet+51j ...
		cmp	[esp+20h+var_10], 0
		jz	short loc_865ADB
		push	[esp+20h+var_10]
		call	_ZwClose@4	; ZwClose(x)

loc_865ADB:				; CODE XREF: PiSwPropertySet+A8j
		mov	ecx, [esp+20h+var_C]
		test	ecx, ecx
		jz	short loc_865AE8
		call	PiPnpRtlEndOperation

loc_865AE8:				; CODE XREF: PiSwPropertySet+B9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
PiSwPropertySet	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPnpRtlSetObjectProperty proc near	; CODE XREF: PiCMSetObjectProperty+12Dp
					; PiSwPropertySet+83p ...

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_59		= byte ptr -59h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 00907070 SIZE 000002BA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+64h+var_54], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+64h+var_4C], eax
		mov	eax, [ebp+arg_14]
		mov	[esp+64h+var_64], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+70h+var_24]
		mov	ebx, [ebp+arg_C]
		stosd
		mov	esi, edx
		mov	[esp+70h+var_50], ecx
		xor	ecx, ecx
		mov	[esp+70h+var_60], esi
		mov	[esp+70h+var_34], ecx
		stosd
		mov	[esp+70h+var_30], ecx
		mov	[esp+70h+var_28], ecx
		mov	[esp+70h+var_2C], ecx
		stosd
		mov	[esp+70h+var_58], ecx
		mov	[esp+70h+var_38], ecx
		mov	[esp+70h+var_44], ecx
		stosd
		xor	eax, eax
		lea	edi, [esp+70h+var_14]
		mov	[esp+70h+var_48], ecx
		stosd
		mov	[esp+70h+var_3C], ecx
		mov	[esp+70h+var_40], ecx
		mov	[esp+70h+var_59], cl
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		sub	eax, 1
		jnz	loc_865C4D
		mov	esi, [ebx+10h]
		mov	edi, ecx

loc_865B81:				; CODE XREF: PiPnpRtlSetObjectProperty+A2j
		mov	eax, ds:_PiPnpRtlDeviceReadOnlyProps[edi]
		cmp	esi, [eax+10h]
		jz	loc_865C7A

loc_865B90:				; CODE XREF: PiPnpRtlSetObjectProperty+194j
		add	edi, 4
		cmp	edi, 34h
		jb	short loc_865B81
		cmp	esi, 0Ch
		jz	loc_865DB0
		cmp	esi, 3
		jz	loc_865D23

loc_865BAA:				; CODE XREF: PiPnpRtlSetObjectProperty+241j
		cmp	esi, 4
		jz	loc_865D7A
		cmp	esi, 2
		jz	loc_865D06

loc_865BBC:				; CODE XREF: PiPnpRtlSetObjectProperty+1E5j
					; PiPnpRtlSetObjectProperty+1FDj ...
		mov	esi, [esp+70h+var_60]

loc_865BC0:				; CODE XREF: PiPnpRtlSetObjectProperty+166j
					; PiPnpRtlSetObjectProperty+1C0j ...
		xor	edi, edi

loc_865BC2:				; CODE XREF: PiPnpRtlSetObjectProperty+A165Bj
		mov	eax, [ebp+arg_0]
		sub	eax, 1
		jnz	short loc_865BE8
		mov	eax, [ebx+10h]
		cmp	eax, 0Ah
		jz	loc_865C93
		cmp	eax, 0Ch
		jz	loc_865DCD
		cmp	eax, 5
		jz	loc_865D40

loc_865BE8:				; CODE XREF: PiPnpRtlSetObjectProperty+D4j
					; PiPnpRtlSetObjectProperty+1B1j ...
		mov	eax, [esp+70h+var_64]

loc_865BEC:				; CODE XREF: PiPnpRtlSetObjectProperty+A16E8j
					; PiPnpRtlSetObjectProperty+A175Cj
		push	[ebp+arg_1C]
		mov	ecx, [esp+74h+var_50]
		mov	edx, esi
		push	[ebp+arg_18]
		push	eax
		push	[ebp+arg_10]
		push	ebx
		push	[esp+84h+var_4C]
		push	[esp+88h+var_54]
		push	[ebp+arg_0]
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+arg_0]
		sub	eax, 1
		jnz	short loc_865C65
		mov	eax, [ebx+10h]
		cmp	eax, 0Ch
		jz	loc_865DEA
		cmp	eax, 5
		jz	loc_865D5D

loc_865C2C:				; CODE XREF: PiPnpRtlSetObjectProperty+175j
					; PiPnpRtlSetObjectProperty+179j ...
		cmp	[esp+70h+var_59], 0
		jnz	loc_90730F

loc_865C37:				; CODE XREF: PiPnpRtlSetObjectProperty+A15A8j
					; PiPnpRtlSetObjectProperty+A1666j ...
		mov	ecx, [esp+70h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_865C4D:				; CODE XREF: PiPnpRtlSetObjectProperty+82j
		dec	eax
		sub	eax, 1
		jnz	short loc_865CB0
		cmp	dword ptr [ebx+10h], 100h
		jnz	loc_865BC0
		jmp	loc_907070
; 

loc_865C65:				; CODE XREF: PiPnpRtlSetObjectProperty+121j
		dec	eax
		sub	eax, 1
		jnz	short loc_865C2C
		test	esi, esi
		js	short loc_865C2C
		cmp	dword ptr [ebx+10h], 9
		jnz	short loc_865C2C
		jmp	loc_90725E
; 

loc_865C7A:				; CODE XREF: PiPnpRtlSetObjectProperty+96j
		push	10h		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_865B90
		jmp	loc_907097
; 

loc_865C93:				; CODE XREF: PiPnpRtlSetObjectProperty+DCj
		push	10h		; size_t
		push	offset _DEVPKEY_Device_ClassGuid ; void	*
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_865BE8
		jmp	loc_90715F
; 

loc_865CB0:				; CODE XREF: PiPnpRtlSetObjectProperty+15Dj
		dec	eax
		sub	eax, 1
		jnz	loc_865BC0
		mov	edi, [ebx+10h]
		mov	esi, ecx

loc_865CBF:				; CODE XREF: PiPnpRtlSetObjectProperty+1E0j
		mov	eax, ds:_PiPnpRtlContainerReadOnlyProps[esi]
		cmp	edi, [eax+10h]
		jz	loc_865D97

loc_865CCE:				; CODE XREF: PiPnpRtlSetObjectProperty+2B1j
		add	esi, 4
		cmp	esi, 8
		jb	short loc_865CBF
		cmp	edi, 69h
		jnz	loc_865BBC
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceContainer_ConfigFlags ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_865BBC
		cmp	[ebp+arg_10], 7

loc_865CFB:				; CODE XREF: PiPnpRtlSetObjectProperty+A15BCj
		jz	loc_865BBC
		jmp	loc_907155
; 

loc_865D06:				; CODE XREF: PiPnpRtlSetObjectProperty+C2j
		push	10h		; size_t
		push	offset _DEVPKEY_Device_PanelId ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_865BBC
		jmp	loc_9070B5
; 

loc_865D23:				; CODE XREF: PiPnpRtlSetObjectProperty+B0j
		push	10h		; size_t
		push	(offset	loc_4069E3+5) ;	void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_865BAA
		jmp	loc_907084
; 

loc_865D40:				; CODE XREF: PiPnpRtlSetObjectProperty+EEj
		push	10h		; size_t
		push	offset _DEVPKEY_Device_InstallError ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_865BE8
		jmp	loc_9071E1
; 

loc_865D5D:				; CODE XREF: PiPnpRtlSetObjectProperty+132j
		push	10h		; size_t
		push	offset _DEVPKEY_Device_InstallError ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_865C2C
		jmp	loc_9072CC
; 

loc_865D7A:				; CODE XREF: PiPnpRtlSetObjectProperty+B9j
		push	10h		; size_t
		push	offset _DEVPKEY_Device_CompatibleIds ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_865BBC
		jmp	loc_907084
; 

loc_865D97:				; CODE XREF: PiPnpRtlSetObjectProperty+1D4j
		push	10h		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_865CCE
		jmp	loc_907097
; 

loc_865DB0:				; CODE XREF: PiPnpRtlSetObjectProperty+A7j
		push	10h		; size_t
		push	offset _DEVPKEY_Device_ConfigFlags ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_865BBC
		jmp	loc_9070A1
; 

loc_865DCD:				; CODE XREF: PiPnpRtlSetObjectProperty+E5j
		push	10h		; size_t
		push	offset _DEVPKEY_Device_ConfigFlags ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_865BE8
		jmp	loc_907183
; 

loc_865DEA:				; CODE XREF: PiPnpRtlSetObjectProperty+129j
		push	10h		; size_t
		push	offset _DEVPKEY_Device_ConfigFlags ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_865C2C
		jmp	loc_90728C
PiPnpRtlSetObjectProperty endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpSetObjectProperty(x, x,	x, x, x, x, x, x, x, x)
__PnpSetObjectProperty@40 proc near	; CODE XREF: PnpDeviceCompletionProcessCompletedRequest+96p
					; PiPnpRtlSetObjectProperty+114p ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		xor	eax, eax
		mov	[esp+2Ch+var_28], eax
		mov	[esp+2Ch+var_24], eax
		mov	[esp+2Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+2Ch+var_20], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+2Ch+var_1C], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+2Ch+var_18], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	[esp+30h+var_14], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_14]
		push	esi
		mov	[esp+34h+var_10], eax
		mov	esi, edx
		mov	eax, [ebp+arg_18]
		push	edi
		mov	edi, [ebx+0F8h]
		mov	[esp+38h+var_C], eax
		mov	eax, [ebp+arg_1C]
		mov	[esp+38h+var_2C], esi
		mov	[esp+38h+var_8], eax
		test	edi, edi
		jz	short loc_865E98
		lea	eax, [esp+38h+var_28]
		push	eax
		push	1
		push	9
		push	[ebp+arg_0]
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_865EF6
		cmp	eax, 0C0000120h
		jnz	short loc_865E94

loc_865E85:				; CODE XREF: _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)+E1j
		mov	esi, [esp+50h+var_40]

loc_865E89:				; CODE XREF: _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)+BCj
					; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)+DAj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_865E94:				; CODE XREF: _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)+7Bj
		test	eax, eax
		jnz	short loc_865EEF

loc_865E98:				; CODE XREF: _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)+5Dj
					; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)+F0j
		push	[esp+50h+var_20]
		mov	edx, esi
		mov	ecx, ebx
		push	[esp+54h+var_24]
		push	[esp+58h+var_28]
		push	[esp+5Ch+var_2C]
		push	[esp+60h+var_30]
		push	[esp+64h+var_34]
		push	[esp+68h+var_38]
		push	[ebp+arg_0]
		call	_PnpSetObjectPropertyWorker
		mov	esi, eax
		test	edi, edi
		jz	short loc_865E89
		lea	eax, [esp+50h+var_40]
		mov	[esp+50h+var_40], esi
		push	eax
		push	2
		push	9
		push	[ebp+arg_0]
		push	[esp+60h+var_44]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_865E89
		cmp	eax, 0C0000120h
		jz	short loc_865E85
		test	eax, eax
		jz	short loc_865E89

loc_865EEF:				; CODE XREF: _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)+8Ej
		mov	esi, 0C00000E5h
		jmp	short loc_865E89
; 

loc_865EF6:				; CODE XREF: _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)+74j
		xor	edi, edi
		jmp	short loc_865E98
__PnpSetObjectProperty@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpSetObjectPropertyWorker proc near	; CODE XREF: _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)+B3p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 0090732A SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_1C]
		and	[ebp+var_4], 0
		push	ebx
		movzx	eax, ax
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		test	eax, eax
		jnz	loc_865FC9
		mov	edi, [ebp+arg_18]
		cmp	[ebp+arg_14], eax
		jz	loc_865FC1

loc_865F29:				; CODE XREF: _PnpSetObjectPropertyWorker+C9j
		push	[ebp+arg_10]
		mov	ebx, edi
		mov	edx, edi
		neg	ebx
		sbb	ebx, ebx
		and	ebx, [ebp+arg_14]
		mov	ecx, ebx
		call	_PnpValidatePropertyData
		mov	esi, eax
		test	esi, esi
		js	short loc_865FB2
		push	[ebp+arg_1C]
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		push	edi
		mov	edi, [ebp+arg_4]
		push	ebx
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	edi
		push	[ebp+arg_0]
		call	__PnpSetMappedPropertyDispatch@40 ; _PnpSetMappedPropertyDispatch(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_90732A

loc_865F6E:				; CODE XREF: _PnpSetObjectPropertyWorker+A1434j
					; _PnpSetObjectPropertyWorker+A144Fj
		cmp	esi, 0C0000016h
		jnz	short loc_865FB2
		test	edi, edi
		jz	short loc_865FD0
		mov	edx, edi

loc_865F7C:				; CODE XREF: _PnpSetObjectPropertyWorker+FBj
		push	ecx
		push	[ebp+arg_18]
		push	ebx
		push	[ebp+arg_10]
		mov	ebx, [ebp+var_8]
		mov	ecx, ebx
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	__PnpSetGenericStoreProperty@32	; _PnpSetGenericStoreProperty(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_865FB2
		test	edi, edi
		jz	short loc_865FF7

loc_865F9E:				; CODE XREF: _PnpSetObjectPropertyWorker+100j
		push	[ebp+arg_C]
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		push	[ebp+arg_8]
		push	edi
		push	[ebp+arg_0]
		call	_PnpObjectRaisePropertyChangeEvent

loc_865FB2:				; CODE XREF: _PnpSetObjectPropertyWorker+48j
					; _PnpSetObjectPropertyWorker+7Aj ...
		cmp	[ebp+var_4], 0
		jnz	short loc_865FFC

loc_865FB8:				; CODE XREF: _PnpSetObjectPropertyWorker+D4j
					; _PnpSetObjectPropertyWorker+10Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_865FC1:				; CODE XREF: _PnpSetObjectPropertyWorker+29j
		test	edi, edi
		jz	loc_865F29

loc_865FC9:				; CODE XREF: _PnpSetObjectPropertyWorker+1Dj
		mov	esi, 0C000000Dh
		jmp	short loc_865FB8
; 

loc_865FD0:				; CODE XREF: _PnpSetObjectPropertyWorker+7Ej
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_8]
		push	2000007h
		push	[ebp+arg_0]
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_865FB2
		mov	edx, [ebp+var_4]
		jmp	short loc_865F7C
; 

loc_865FF7:				; CODE XREF: _PnpSetObjectPropertyWorker+A2j
		mov	edi, [ebp+var_4]
		jmp	short loc_865F9E
; 

loc_865FFC:				; CODE XREF: _PnpSetObjectPropertyWorker+BCj
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_865FB8
_PnpSetObjectPropertyWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpSetMappedPropertyDispatch(x, x,	x, x, x, x, x, x, x, x)
__PnpSetMappedPropertyDispatch@40 proc near ; CODE XREF: _PnpSetObjectPropertyWorker+65p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		and	[ebp+var_8], 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	edx, [ebp+arg_0]
		push	eax
		call	__PnpCtxGetObjectDispatchCallback@12 ; _PnpCtxGetObjectDispatchCallback(x,x,x)
		test	eax, eax
		js	short loc_866068
		cmp	[ebp+var_4], 0
		jz	short loc_86606E
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	9
		push	edx
		push	edi
		push	esi
		call	[ebp+var_4]

loc_866068:				; CODE XREF: _PnpSetMappedPropertyDispatch(x,x,x,x,x,x,x,x,x,x)+24j
					; _PnpSetMappedPropertyDispatch(x,x,x,x,x,x,x,x,x,x)+6Dj
		pop	edi
		pop	esi
		leave
		retn	20h
; 

loc_86606E:				; CODE XREF: _PnpSetMappedPropertyDispatch(x,x,x,x,x,x,x,x,x,x)+2Aj
		mov	eax, 0C0000002h
		jmp	short loc_866068
__PnpSetMappedPropertyDispatch@40 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpSetGenericStoreProperty(x, x, x, x, x, x, x, x)
__PnpSetGenericStoreProperty@32	proc near ; CODE XREF: _PnpSetObjectPropertyWorker+95p
					; PiDqIrpPropertySet+8BE6Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 0
		jz	short loc_866087
		pop	ebp
		jmp	_PnpSetPropertyWorker
; 

loc_866087:				; CODE XREF: _PnpSetGenericStoreProperty(x,x,x,x,x,x,x,x)+9j
		push	ecx
		push	[ebp+arg_10]
		push	ecx
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PnpDeletePropertyWorker
		pop	ebp
		retn	18h
__PnpSetGenericStoreProperty@32	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpSetPropertyWorker proc near		; CODE XREF: _PnpSetGenericStoreProperty(x,x,x,x,x,x,x,x)+Cj

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0090734E SIZE 000000BD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_78], eax
		mov	ecx, [ebp+arg_C]
		mov	esi, edx
		mov	[ebp+var_88], ecx
		xor	ecx, ecx
		cmp	[ebp+arg_10], 7FFFFFFFh
		mov	[ebp+var_84], esi
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_74], ecx
		ja	loc_90734E
		test	eax, eax
		jnz	loc_907358

loc_8660F8:				; CODE XREF: _PnpSetPropertyWorker+A12DEj
		cmp	[ebp+arg_8], 19h
		jz	loc_907381

loc_866102:				; CODE XREF: _PnpSetPropertyWorker+A12EEj
		movzx	eax, byte ptr [ebx+0Fh]
		push	eax
		movzx	eax, byte ptr [ebx+0Eh]
		push	eax
		movzx	eax, byte ptr [ebx+0Dh]
		push	eax
		movzx	eax, byte ptr [ebx+0Ch]
		push	eax
		movzx	eax, byte ptr [ebx+0Bh]
		push	eax
		movzx	eax, byte ptr [ebx+0Ah]
		push	eax
		movzx	eax, byte ptr [ebx+9]
		push	eax
		movzx	eax, byte ptr [ebx+8]
		push	eax
		movzx	eax, word ptr [ebx+6]
		push	eax
		movzx	eax, word ptr [ebx+4]
		push	eax
		push	dword ptr [ebx]	; char
		lea	eax, [ebp+var_68]
		push	offset ??_C@_1GI@JHCBPFLC@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4@NNGAKEGL@ ;	wchar_t	*
		push	800h		; int
		push	0		; int
		push	0		; int
		push	27h		; int
		push	eax		; void *
		call	RtlStringCchPrintfExW
		add	esp, 44h
		test	eax, eax
		js	loc_907391
		push	dword ptr [ebx+10h]
		lea	eax, [ebp+var_18]
		push	offset ??_C@_1M@BMEDKCKL@?$AA?$CF?$AA0?$AA4?$AAl?$AAX@NNGAKEGL@	; "%04lX"
		push	9
		push	eax
		call	_swprintf_s
		add	esp, 10h
		lea	eax, [ebp+var_70]
		xor	ebx, ebx
		mov	edx, esi
		push	eax
		push	ecx
		push	1
		push	4
		push	ebx
		mov	ecx, edi
		call	_PnpOpenPropertiesKey
		mov	esi, eax
		test	esi, esi
		js	loc_866271
		mov	ecx, ebx
		test	edi, edi
		jz	short loc_866198
		mov	ecx, [edi+74h]

loc_866198:				; CODE XREF: _PnpSetPropertyWorker+F5j
		mov	edx, [ebp+var_70]
		lea	eax, [ebp+var_80]
		push	eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	ecx
		push	ebx
		push	4
		push	ebx
		lea	eax, [ebp+var_68]
		push	eax
		call	__SysCtxRegCreateKey@36	; _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jz	loc_866276
		test	eax, eax
		js	loc_90739D
		mov	ecx, ebx
		test	edi, edi
		jz	short loc_8661CD
		mov	ecx, [edi+74h]

loc_8661CD:				; CODE XREF: _PnpSetPropertyWorker+12Aj
		mov	edx, [ebp+var_6C]
		lea	eax, [ebp+var_7C]
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		push	ecx
		push	ebx
		push	10006h
		push	ebx
		lea	eax, [ebp+var_18]
		push	eax
		call	__SysCtxRegCreateKey@36	; _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jz	loc_866276
		test	eax, eax
		js	loc_9073A5
		push	[ebp+arg_10]
		mov	eax, [ebp+arg_8]
		push	[ebp+var_88]
		mov	edx, [ebp+var_78]
		or	eax, 0FFFF0000h
		mov	ecx, [ebp+var_74]
		push	eax
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jz	short loc_866276
		test	eax, eax
		js	short loc_86627D

loc_866224:				; CODE XREF: _PnpSetPropertyWorker+1D6j
					; _PnpSetPropertyWorker+1DDj ...
		cmp	[ebp+var_74], 0
		jz	short loc_86623A
		push	[ebp+var_74]
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_9073AF

loc_86623A:				; CODE XREF: _PnpSetPropertyWorker+18Aj
					; _PnpSetPropertyWorker+A130Cj	...
		cmp	[ebp+var_6C], 0
		jz	short loc_866250
		push	[ebp+var_6C]
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_9073DD

loc_866250:				; CODE XREF: _PnpSetPropertyWorker+1A0j
					; _PnpSetPropertyWorker+A1343j	...
		cmp	[ebp+var_70], 0
		jz	short loc_86625E
		push	[ebp+var_70]
		call	_ZwClose@4	; ZwClose(x)

loc_86625E:				; CODE XREF: _PnpSetPropertyWorker+1B6j
					; _PnpSetPropertyWorker+A12B5j	...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_866271:				; CODE XREF: _PnpSetPropertyWorker+EBj
		mov	[ebp+var_70], ebx
		jmp	short loc_866224
; 

loc_866276:				; CODE XREF: _PnpSetPropertyWorker+118j
					; _PnpSetPropertyWorker+150j ...
		mov	esi, 0C00000E5h
		jmp	short loc_866224
; 

loc_86627D:				; CODE XREF: _PnpSetPropertyWorker+184j
					; _PnpSetPropertyWorker+A1302j
		mov	esi, eax
		jmp	short loc_866224
_PnpSetPropertyWorker endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwGetChildPdo	proc near		; CODE XREF: PipEnumerateCompleted+138p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090740B SIZE 0000009B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		lea	edi, [edx-34h]
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		and	[ebp+var_14], ebx
		xor	esi, esi
		and	[ebp+var_10], ebx
		mov	edx, eax
		push	1
		mov	ecx, edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], ebx
		call	_PiSwFindPdoAssociation@12 ; PiSwFindPdoAssociation(x,x,x)
		test	byte ptr [edi+4], 2
		mov	ecx, eax
		jnz	loc_90747A
		test	ecx, ecx
		jz	short loc_8662DC
		mov	esi, [ecx+14h]
		mov	eax, [esi+28h]
		or	dword ptr [eax+4], 8

loc_8662CA:				; CODE XREF: PiSwGetChildPdo+E7j
					; PiSwGetChildPdo+F8j
		test	esi, esi
		jz	short loc_8662D5
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_8662D5:				; CODE XREF: PiSwGetChildPdo+4Aj
					; PiSwGetChildPdo+A11FAj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8662DC:				; CODE XREF: PiSwGetChildPdo+3Cj
		mov	eax, _IopRootDeviceNode
		mov	ecx, [ebp+var_8]
		cmp	ecx, [eax+10h]
		jz	loc_86637F

loc_8662ED:				; CODE XREF: PiSwGetChildPdo+12Ej
					; PiSwGetChildPdo+140j	...
		xor	eax, eax
		mov	[edi+6Ch], ax
		mov	eax, [edi+40h]
		test	eax, eax
		jnz	loc_907457

loc_8662FE:				; CODE XREF: PiSwGetChildPdo+A11E6j
		lea	eax, [ebp+var_C]
		push	eax
		push	0
		push	80h
		push	22h
		push	0
		push	8
		push	_PiSwDeviceDriverObject
		call	IoCreateDevice
		mov	esi, [ebp+var_C]
		test	eax, eax
		js	short loc_866367
		mov	eax, [esi+28h]
		mov	[ebp+var_C], eax
		and	dword ptr [eax], 0
		and	dword ptr [eax+4], 0
		mov	ecx, [edi+50h]
		test	ecx, ecx
		jz	short loc_866349
		push	ecx
		push	1Ch
		push	esi
		call	_ObSetSecurityObjectByPointer@12 ; ObSetSecurityObjectByPointer(x,x,x)
		test	eax, eax
		js	loc_90746D
		mov	eax, [ebp+var_C]

loc_866349:				; CODE XREF: PiSwGetChildPdo+B1j
		mov	[eax], edi
		lock inc dword ptr [edi]
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		mov	[edi+40h], esi
		or	dword ptr [eax+4], 8
		and	dword ptr [esi+1Ch], 0FFFFFF7Fh
		push	esi
		call	_PiSwAddPdoAssociation@12 ; PiSwAddPdoAssociation(x,x,x)

loc_866367:				; CODE XREF: PiSwGetChildPdo+9Dj
					; PiSwGetChildPdo+A11C3j ...
		test	ebx, ebx
		jz	loc_8662CA
		push	57706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8662CA
; 

loc_86637F:				; CODE XREF: PiSwGetChildPdo+65j
		cmp	[edi+2Ch], ebx
		jnz	loc_90740B

loc_866388:				; CODE XREF: PiSwGetChildPdo+A1196j
		push	dword ptr [edi+0Ch]
		lea	eax, [ebp+var_4]
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		push	dword ptr [edi+8]
		push	3
		push	eax
		push	57706E50h
		push	0C8h
		call	PnpConcatPWSTR
		mov	ebx, [ebp+var_4]
		add	esp, 1Ch
		test	eax, eax
		js	loc_8662ED
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_8662ED
		lea	ecx, [ebp+var_14]

loc_8663CB:				; CODE XREF: PiSwGetChildPdo+A1190j
		mov	edx, 746C6644h
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		test	eax, eax
		jz	loc_8662ED
		jmp	loc_90741D
PiSwGetChildPdo	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwFindPdoAssociation(x, x, x)
_PiSwFindPdoAssociation@12 proc	near	; CODE XREF: PiSwStopDestroy(x,x,x,x)+A0p
					; PiSwGetChildPdo+29p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		lea	esi, [ecx+44h]
		mov	eax, [esi]
		push	edi
		mov	edi, edx
		xor	edx, edx
		mov	bl, dl
		cmp	eax, esi
		jz	short loc_86640B
		mov	bh, [ebp+arg_0]

loc_8663FC:				; CODE XREF: PiSwFindPdoAssociation(x,x,x)+42j
		mov	edx, eax
		test	bh, bh
		jz	short loc_86641B
		mov	ecx, [eax+10h]

loc_866405:				; CODE XREF: PiSwFindPdoAssociation(x,x,x)+3Cj
		cmp	ecx, edi
		jnz	short loc_866420
		mov	bl, 1

loc_86640B:				; CODE XREF: PiSwFindPdoAssociation(x,x,x)+15j
					; PiSwFindPdoAssociation(x,x,x)+44j
		movzx	eax, bl
		neg	eax
		pop	edi
		sbb	eax, eax
		pop	esi
		and	eax, edx
		pop	ebx
		pop	ebp
		retn	4
; 

loc_86641B:				; CODE XREF: PiSwFindPdoAssociation(x,x,x)+1Ej
		mov	ecx, [eax+14h]
		jmp	short loc_866405
; 

loc_866420:				; CODE XREF: PiSwFindPdoAssociation(x,x,x)+25j
		mov	eax, [eax]
		cmp	eax, esi
		jnz	short loc_8663FC
		jmp	short loc_86640B
_PiSwFindPdoAssociation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDcHandleContainerEvent(x)
_PiDcHandleContainerEvent@4 proc near	; CODE XREF: PiDcHandleObjectEvent(x)+3Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		mov	eax, edi
		mov	ecx, [ebx+2Ch]
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	short loc_866463
		lea	esi, [ebx+48h]

loc_866449:				; CODE XREF: PiDcHandleContainerEvent(x)+39j
		cmp	[esi-4], edi
		jnz	short loc_866458
		cmp	[esi], edi
		jnz	short loc_866458
		cmp	dword ptr [esi-8], 37h
		jz	short loc_86646A

loc_866458:				; CODE XREF: PiDcHandleContainerEvent(x)+24j
					; PiDcHandleContainerEvent(x)+28j ...
		inc	eax
		add	esi, 1Ch
		mov	[ebp+var_4], eax
		cmp	eax, ecx
		jb	short loc_866449

loc_866463:				; CODE XREF: PiDcHandleContainerEvent(x)+1Cj
					; PiDcHandleContainerEvent(x)+66j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_86646A:				; CODE XREF: PiDcHandleContainerEvent(x)+2Ej
		push	10h		; size_t
		lea	eax, [esi-18h]
		push	offset _DEVPKEY_DeviceContainer_IsConnected ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_866490
		mov	ecx, [ebx+8]
		mov	ecx, [ecx+0Ch]
		call	PiDcGenerateConfigNotificationIfContainerRequiresConfiguration
		mov	edi, eax
		jmp	short loc_866463
; 

loc_866490:				; CODE XREF: PiDcHandleContainerEvent(x)+57j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		jmp	short loc_866458
_PiDcHandleContainerEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopConnectLineBasedInterrupt(int,int,int,size_t,int)
IopConnectLineBasedInterrupt proc near	; CODE XREF: IoConnectInterruptEx+8Bp
					; IoConnectInterruptEx+211p

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00907F45 SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		and	[ebp+var_8], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		and	dword ptr [eax], 0
		xor	ebx, ebx
		xor	edi, edi
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_C], edi
		test	ecx, ecx
		jz	loc_907FB1
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_907FB1
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_907FB1
		cmp	[ebp+arg_0], ebx
		jz	loc_907FB1
		lea	edx, [ebp+var_8]
		call	IopGetInterruptConnectionData
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		js	loc_86665F
		cmp	[ebp+var_8], ebx
		jz	loc_86665F
		mov	esi, [ebp+var_8]
		xor	al, al
		xor	ecx, ecx
		mov	byte ptr [ebp+var_10], al
		mov	edx, [esi]
		mov	[ebp+var_14], edx
		test	edx, edx
		jz	loc_907F6F
		lea	edx, [esi+8]
		mov	[ebp+var_1C], edx

loc_86652C:				; CODE XREF: IopConnectLineBasedInterrupt+ACj
		cmp	[edx], ebx
		jnz	short loc_86653D
		mov	ah, [edx+8]
		inc	ecx
		cmp	al, ah
		jnb	short loc_86653D
		mov	al, ah
		mov	byte ptr [ebp+var_10], al

loc_86653D:				; CODE XREF: IopConnectLineBasedInterrupt+96j
					; IopConnectLineBasedInterrupt+9Ej
		add	edx, 50h
		sub	[ebp+var_14], 1
		jnz	short loc_86652C
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jz	loc_907F6F
		mov	dl, byte ptr [ebp+arg_C]
		test	dl, dl
		jz	short loc_866563
		cmp	dl, al
		jb	loc_907F6F
		mov	byte ptr [ebp+var_10], dl

loc_866563:				; CODE XREF: IopConnectLineBasedInterrupt+BEj
		lea	eax, ds:0DCh[ecx*4]
		push	6E696F49h
		push	eax
		push	200h
		mov	[ebp+arg_C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_24], ebx
		test	ebx, ebx
		jz	loc_907F45
		push	[ebp+arg_C]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	al, byte ptr [ebp+var_10]
		add	esp, 0Ch
		mov	[ebx+0D0h], al
		mov	eax, [ebp+var_14]
		mov	[ebx+0D4h], eax
		lea	eax, [ebp+var_80]
		push	54h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	ecx, ecx
		mov	[ebp+var_84], 1
		add	esp, 0Ch
		mov	[ebp+var_18], ecx
		cmp	[esi], ecx
		jbe	short loc_866630
		lea	eax, [ebx+0D8h]
		mov	[ebp+arg_C], eax
		lea	eax, [esi+8]

loc_8665D9:				; CODE XREF: IopConnectLineBasedInterrupt+A1ACCj
		cmp	dword ptr [eax], 0
		jnz	loc_907F58
		push	14h
		pop	ecx
		mov	edx, [ebp+var_28]
		lea	edi, [ebp+var_7C]
		mov	esi, eax
		lea	eax, [ebp+var_84]
		push	eax
		push	[ebp+arg_10]
		rep movsd
		mov	ecx, [ebp+arg_C]
		push	1
		push	[ebp+var_10]
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		push	0
		push	[ebp+arg_0]
		call	IopConnectInterrupt
		mov	edi, [ebp+var_C]
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		js	short loc_86664B
		add	[ebp+arg_C], 4
		inc	edi
		mov	[ebp+var_C], edi
		cmp	edi, [ebp+var_14]
		jb	loc_907F4F

loc_866630:				; CODE XREF: IopConnectLineBasedInterrupt+133j
					; IopConnectLineBasedInterrupt+A1AD2j
		mov	esi, [ebx+0D8h]
		mov	edi, ebx
		mov	eax, [ebp+var_2C]
		add	esi, 60h
		push	34h
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_20]
		mov	edi, [ebp+var_C]
		mov	[eax], ebx

loc_86664B:				; CODE XREF: IopConnectLineBasedInterrupt+185j
					; IopConnectLineBasedInterrupt+A1AB2j ...
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	loc_907F79

loc_86665D:				; CODE XREF: IopConnectLineBasedInterrupt+A1AE3j
					; IopConnectLineBasedInterrupt+A1B14j
		mov	eax, esi

loc_86665F:				; CODE XREF: IopConnectLineBasedInterrupt+68j
					; IopConnectLineBasedInterrupt+71j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
IopConnectLineBasedInterrupt endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 783. IoConnectInterruptEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoConnectInterruptEx
IoConnectInterruptEx proc near

var_7A		= byte ptr -7Ah
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_1C		= byte ptr -1Ch
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090806E SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		push	ebx
		push	esi
		mov	esi, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		xor	ebx, ebx
		push	edi
		mov	[esp+88h+var_70], ebx
		mov	[esp+88h+var_6C], ebx
		call	esi
		test	al, al
		jnz	sub_907FBB
		mov	ebx, [ebp+arg_0]
		mov	ecx, [ebx]
		mov	eax, ecx
		sub	eax, 1
		jz	short loc_866712
		sub	eax, 1
		jz	loc_866864
		sub	eax, 1
		jnz	short loc_866709

loc_8666AE:				; CODE XREF: sub_907FBB+17j
		movzx	eax, byte ptr [ebx+19h]
		mov	edx, [ebx+4]
		push	eax
		movzx	eax, byte ptr [ebx+18h]
		push	eax
		push	dword ptr [ebx+14h]
		push	dword ptr [ebx+10h]
		push	dword ptr [ebx+0Ch]
		push	dword ptr [ebx+8]
		call	IopConnectMessageBasedInterrupt
		test	eax, eax
		jns	loc_866848
		cmp	dword ptr [ebx+1Ch], 0
		jz	loc_908064
		movzx	eax, byte ptr [ebx+19h]
		mov	edx, [ebx+8]
		mov	ecx, [ebx+4]
		push	eax		; int
		movzx	eax, byte ptr [ebx+18h]
		push	eax		; size_t
		push	dword ptr [ebx+14h] ; int
		push	dword ptr [ebx+10h] ; int
		push	dword ptr [ebx+1Ch] ; int
		call	IopConnectLineBasedInterrupt
		mov	esi, eax
		mov	dword ptr [ebx], 2
		jmp	loc_866846
; 

loc_866709:				; CODE XREF: IoConnectInterruptEx+40j
		sub	eax, 1
		jnz	loc_907FCF

loc_866712:				; CODE XREF: IoConnectInterruptEx+32j
		mov	esi, [ebx+4]
		test	esi, esi
		jz	loc_907FFA
		cmp	dword ptr [ebx+0Ch], 0
		jz	loc_907FFA
		mov	al, [ebx+18h]
		mov	dl, [ebx+20h]
		cmp	al, dl
		jb	loc_907FFA
		test	al, al
		jz	loc_907FE3

loc_86673D:				; CODE XREF: sub_907FBB+2Aj
		mov	byte ptr [esp+0Fh], 0

loc_866742:				; CODE XREF: sub_907FBB+39j
		cmp	ecx, 4
		jnz	loc_866851
		movzx	edi, word ptr [ebx+2Ch]

loc_86674F:				; CODE XREF: IoConnectInterruptEx+1E7j
		lea	edx, [esp+88h+var_70]
		mov	[esp+88h+var_74], edi
		mov	ecx, esi
		call	IopGetInterruptConnectionData
		test	eax, eax
		js	loc_908004
		push	54h		; size_t
		lea	eax, [esp+8Ch+var_54]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [esp+94h+var_70]
		add	esp, 0Ch
		and	[esp+88h+var_58], 0
		xor	esi, esi
		mov	ecx, [edx]
		mov	[esp+88h+var_78], ecx
		test	ecx, ecx
		jz	loc_90805C
		mov	eax, [ebx+1Ch]
		lea	ecx, [edx+10h]
		mov	[esp+88h+var_68], eax
		mov	eax, [esp+88h+var_78]

loc_86679E:				; CODE XREF: IoConnectInterruptEx+A1A14j
		mov	edi, [esp+88h+var_68]
		cmp	[ecx-4], edi
		mov	edi, [esp+88h+var_74]
		jnz	loc_90807A
		mov	al, [ebx+20h]
		cmp	[ecx], al
		jnz	loc_90806E

loc_8667BA:				; CODE XREF: IoConnectInterruptEx+A1A04j
		mov	eax, [ecx+8]
		cmp	eax, [ebx+24h]
		jnz	loc_908076
		cmp	[ecx+10h], di
		jnz	loc_908076
		mov	eax, [ecx+0Ch]
		cmp	eax, [ebx+28h]
		jnz	loc_908076
		imul	eax, esi, 50h
		lea	edi, [esp+88h+var_50]
		lea	esi, [edx+8]
		mov	[esp+88h+var_58], 1
		push	14h
		pop	ecx
		add	esi, eax
		rep movsd
		cmp	[esp+88h+var_50], 0
		jz	short loc_866858

loc_8667FC:				; CODE XREF: IoConnectInterruptEx+1F1j
					; IoConnectInterruptEx+A1A20j
		mov	edx, [ebx+4]
		lea	eax, [esp+88h+var_58]
		push	eax
		movzx	eax, byte ptr [ebx+19h]
		lea	ecx, [esp+8Ch+var_6C]
		push	eax
		movzx	eax, byte ptr [ebx+1Ah]
		push	eax
		movzx	eax, byte ptr [ebx+18h]
		push	eax
		push	dword ptr [ebx+14h]
		push	0
		push	dword ptr [ebx+10h]
		push	0
		push	dword ptr [ebx+0Ch]
		call	IopConnectInterrupt
		mov	esi, eax
		test	esi, esi
		js	short loc_86683B
		mov	eax, [ebx+8]
		mov	ecx, [esp+88h+var_6C]
		add	ecx, 60h
		mov	[eax], ecx

loc_86683B:				; CODE XREF: IoConnectInterruptEx+1C1j
		push	0
		push	[esp+8Ch+var_70]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_866846:				; CODE XREF: IoConnectInterruptEx+98j
					; IoConnectInterruptEx+218j
		mov	eax, esi

loc_866848:				; CODE XREF: IoConnectInterruptEx+62j
					; sub_907FBB+44j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_866851:				; CODE XREF: IoConnectInterruptEx+D9j
		xor	edi, edi
		jmp	loc_86674F
; 

loc_866858:				; CODE XREF: IoConnectInterruptEx+18Ej
		test	[esp+88h+var_1C], 1
		jz	short loc_8667FC
		jmp	loc_908088
; 

loc_866864:				; CODE XREF: IoConnectInterruptEx+37j
		movzx	eax, byte ptr [ebx+19h]
		mov	edx, [ebx+8]
		mov	ecx, [ebx+4]
		push	eax		; int
		movzx	eax, byte ptr [ebx+18h]
		push	eax		; size_t
		push	dword ptr [ebx+14h] ; int
		push	dword ptr [ebx+10h] ; int
		push	dword ptr [ebx+0Ch] ; int
		call	IopConnectLineBasedInterrupt

loc_866882:				; CODE XREF: sub_907FBB+9Cj
		mov	esi, eax
		jmp	short loc_866846
IoConnectInterruptEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopConnectMessageBasedInterrupt	proc near ; CODE XREF: IoConnectInterruptEx+5Bp

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8A		= byte ptr -8Ah
var_89		= byte ptr -89h
var_88		= dword	ptr -88h
var_80		= dword	ptr -80h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00908091 SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_A0], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	[ebp+var_9C], ecx
		lea	edi, [ebp+var_2C]
		pop	ecx
		rep stosd
		xor	ecx, ecx
		lea	eax, [ebp+var_88]
		mov	esi, edx
		mov	[ebp+var_94], ecx
		mov	edx, [ebp+arg_0]
		mov	edi, ecx
		push	58h		; size_t
		push	ecx		; int
		push	eax		; void *
		mov	[ebp+var_A4], esi
		mov	ebx, ecx
		mov	[ebp+var_B0], edx
		mov	[edx], ecx
		mov	[ebp+var_8A], cl
		mov	[ebp+var_89], cl
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	loc_9080F4
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_9080F4
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_9080F4
		cmp	[ebp+arg_4], ebx
		jz	loc_9080F4
		lea	edx, [ebp+var_94]
		mov	ecx, esi
		call	IopGetInterruptConnectionData
		mov	esi, eax
		mov	[ebp+var_90], esi
		test	esi, esi
		js	loc_866B71
		mov	esi, [ebp+var_94]
		xor	edx, edx
		mov	eax, [esi]
		mov	[ebp+var_98], eax
		test	eax, eax
		jz	loc_866BC2
		lea	ecx, [esi+10h]

loc_86695C:				; CODE XREF: IopConnectMessageBasedInterrupt+125j
		mov	eax, [ecx-8]
		cmp	eax, 3
		jnz	loc_866B9A

loc_866968:				; CODE XREF: IopConnectMessageBasedInterrupt+317j
					; IopConnectMessageBasedInterrupt+326j
		mov	eax, [ebp+var_9C]
		inc	edi
		cmp	eax, 5
		jz	loc_908091
		cmp	eax, 3
		jnz	short loc_8669A1
		mov	al, byte ptr [ebp+arg_10]
		test	al, al
		jnz	loc_866BBA
		cmp	[ebp+arg_C], ebx
		jz	loc_866BC9
		mov	al, [ecx]
		cmp	al, [ebp+var_89]
		jbe	short loc_8669A1

loc_86699B:				; CODE XREF: IopConnectMessageBasedInterrupt+336j
					; IopConnectMessageBasedInterrupt+345j
		mov	[ebp+var_89], al

loc_8669A1:				; CODE XREF: IopConnectMessageBasedInterrupt+F5j
					; IopConnectMessageBasedInterrupt+113j	...
		inc	edx
		add	ecx, 50h
		cmp	edx, [ebp+var_98]
		jb	short loc_86695C
		test	edi, edi
		jz	loc_866BC2
		imul	edi, 28h
		push	6E696F49h
		add	edi, 8
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_90809D
		push	edi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	cl, [ebp+var_89]
		add	esp, 0Ch
		and	[ebp+var_9C], 0
		mov	[ebx], cl
		cmp	dword ptr [esi], 0
		jbe	loc_866B61
		mov	eax, [ebp+var_94]
		lea	edx, [esi+1Ch]
		mov	[ebp+var_98], edx

loc_866A08:				; CODE XREF: IopConnectMessageBasedInterrupt+2D5j
		lea	esi, [edx-14h]
		mov	edi, [esi]
		mov	[ebp+var_A8], esi
		cmp	edi, 3
		jnz	loc_9080A7

loc_866A1C:				; CODE XREF: IopConnectMessageBasedInterrupt+A1824j
					; IopConnectMessageBasedInterrupt+A182Dj
		cmp	[ebp+var_8A], 0
		jnz	loc_9080BE
		test	cl, cl
		jz	loc_866BD0
		mov	byte ptr [ebp+arg_10], cl

loc_866A34:				; CODE XREF: IopConnectMessageBasedInterrupt+350j
					; IopConnectMessageBasedInterrupt+A183Cj
		push	14h
		pop	ecx
		lea	eax, [ebp+var_88]
		xor	edx, edx
		push	eax
		push	[ebp+arg_14]
		inc	edx
		lea	edi, [ebp+var_80]
		push	edx
		push	[ebp+arg_10]
		mov	[ebp+var_88], edx
		push	[ebp+arg_C]
		mov	edx, [ebp+var_A4]
		rep movsd
		push	dword ptr [ebx+4]
		lea	ecx, [ebp+var_A0]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	0
		call	IopConnectInterrupt
		mov	esi, eax
		mov	[ebp+var_90], esi
		test	esi, esi
		js	loc_866B71
		imul	edx, [ebx+4], 28h
		mov	ecx, [ebp+var_A8]
		cmp	dword ptr [ecx], 3
		mov	[ebp+var_AC], edx
		jnz	short loc_866AE9
		and	[ebp+var_2C], 0
		lea	edi, [ebp+var_24]
		mov	ecx, [ebp+var_98]
		mov	esi, ecx
		movsd
		movsd
		movsd
		mov	eax, [ecx-10h]
		lea	esi, [ecx+0Ch]
		mov	[ebp+var_28], eax
		lea	edi, [ebp+var_14]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ecx+2Ch]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	ds:__imp__HalGetMessageRoutingInfo@8 ; HalGetMessageRoutingInfo(x,x)
		mov	esi, eax
		mov	[ebp+var_90], esi
		test	esi, esi
		js	loc_866B71
		mov	edx, [ebp+var_AC]
		lea	ecx, [ebp+var_80]

loc_866AE9:				; CODE XREF: IopConnectMessageBasedInterrupt+20Fj
		mov	eax, [ecx+40h]
		mov	[edx+ebx+8], eax
		mov	eax, [ecx+44h]
		mov	[edx+ebx+0Ch], eax
		mov	eax, [ecx+48h]
		mov	[edx+ebx+18h], eax
		mov	eax, [ecx+14h]
		mov	[edx+ebx+10h], eax
		mov	eax, [ebp+var_A0]
		add	eax, 60h
		mov	[edx+ebx+14h], eax
		mov	eax, [ecx+4]
		mov	[edx+ebx+1Ch], eax
		mov	al, [ecx+8]
		mov	[edx+ebx+20h], al
		mov	eax, [ecx+10h]
		mov	[edx+ebx+24h], eax
		mov	eax, [ecx+0Ch]
		mov	cl, [ebp+var_89]
		mov	[edx+ebx+28h], eax
		inc	dword ptr [ebx+4]
		mov	eax, [ebp+var_94]
		mov	edx, [ebp+var_98]

loc_866B43:				; CODE XREF: IopConnectMessageBasedInterrupt+A1833j
		mov	esi, [ebp+var_9C]
		add	edx, 50h
		inc	esi
		mov	[ebp+var_98], edx
		mov	[ebp+var_9C], esi
		cmp	esi, [eax]
		jb	loc_866A08

loc_866B61:				; CODE XREF: IopConnectMessageBasedInterrupt+16Dj
		mov	eax, [ebp+var_B0]
		xor	esi, esi
		mov	[eax], ebx

loc_866B6B:				; CODE XREF: IopConnectMessageBasedInterrupt+341j
					; IopConnectMessageBasedInterrupt+A181Cj
		mov	[ebp+var_90], esi

loc_866B71:				; CODE XREF: IopConnectMessageBasedInterrupt+B5j
					; IopConnectMessageBasedInterrupt+1F6j	...
		mov	eax, [ebp+var_94]
		test	eax, eax
		jz	short loc_866B83
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_866B83:				; CODE XREF: IopConnectMessageBasedInterrupt+2F3j
		test	esi, esi
		js	short loc_866BB1

loc_866B87:				; CODE XREF: IopConnectMessageBasedInterrupt+32Dj
					; IopConnectMessageBasedInterrupt+A1869j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_866B9A:				; CODE XREF: IopConnectMessageBasedInterrupt+DCj
		cmp	eax, 1
		jz	loc_866968
		cmp	eax, 2
		jnz	loc_8669A1
		jmp	loc_866968
; 

loc_866BB1:				; CODE XREF: IopConnectMessageBasedInterrupt+2FFj
		test	ebx, ebx
		jz	short loc_866B87
		jmp	loc_9080C7
; 

loc_866BBA:				; CODE XREF: IopConnectMessageBasedInterrupt+FCj
		cmp	al, [ecx]
		jnb	loc_86699B

loc_866BC2:				; CODE XREF: IopConnectMessageBasedInterrupt+CDj
					; IopConnectMessageBasedInterrupt+129j
		mov	esi, 0C000000Dh
		jmp	short loc_866B6B
; 

loc_866BC9:				; CODE XREF: IopConnectMessageBasedInterrupt+105j
		xor	al, al
		jmp	loc_86699B
; 

loc_866BD0:				; CODE XREF: IopConnectMessageBasedInterrupt+1A5j
		mov	al, [edx-0Ch]
		mov	byte ptr [ebp+arg_10], al
		jmp	loc_866A34
IopConnectMessageBasedInterrupt	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetInterruptConnectionData proc near	; CODE XREF: IopConnectLineBasedInterrupt+5Cp
					; IoConnectInterruptEx+EDp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090822A SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_8]
		mov	edi, ecx
		push	eax
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	offset _INTERRUPT_CONNECTION_DATA_PKEY
		push	edi
		mov	[ebp+var_8], ecx
		mov	[ebx], ecx
		call	IoGetDevicePropertyData
		cmp	eax, 0C0000023h
		jnz	short loc_866C69
		cmp	[ebp+var_4], 58h
		jb	short loc_866C69
		push	6F697050h
		push	[ebp+var_4]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_866C6E
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	[ebp+var_4]
		push	0
		push	0
		push	offset _INTERRUPT_CONNECTION_DATA_PKEY
		push	edi
		call	IoGetDevicePropertyData
		mov	edi, eax
		test	edi, edi
		js	loc_90822F
		imul	ecx, [esi], 50h
		add	ecx, 8
		cmp	[ebp+var_4], ecx
		jb	loc_90822A
		mov	[ebx], esi

loc_866C67:				; CODE XREF: IopGetInterruptConnectionData+A165Bj
		mov	eax, edi

loc_866C69:				; CODE XREF: IopGetInterruptConnectionData+35j
					; IopGetInterruptConnectionData+3Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_866C6E:				; CODE XREF: IopGetInterruptConnectionData+53j
		mov	eax, 0C000009Ah
		jmp	short loc_866C69
IopGetInterruptConnectionData endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopConnectInterrupt proc near		; CODE XREF: IopConnectLineBasedInterrupt+176p
					; IoConnectInterruptEx+1B8p ...

var_68		= dword	ptr -68h
var_5C		= dword	ptr -5Ch
var_3C		= dword	ptr -3Ch
var_38		= word ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= byte ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 0090829C SIZE 000001A2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_28], edx
		push	2Ch		; size_t
		push	eax		; int
		lea	eax, [ebp+var_68]
		mov	ebx, ecx
		push	eax		; void *
		mov	[ebp+var_30], ebx
		call	_memset
		xor	eax, eax
		lea	edx, [ebp+var_68]
		add	esp, 0Ch
		mov	[ebx], eax
		mov	ebx, [ebp+arg_20]
		mov	ecx, ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], al
		mov	[ebp+var_14], eax
		call	IopInitializeActiveConnectBlock
		mov	eax, [ebx+0Ch]
		lea	esi, [ebx+1Ch]
		lea	edi, [ebp+var_3C]
		mov	[ebp+var_1C], eax
		mov	eax, [ebx+18h]
		movsd
		mov	[ebp+var_C], eax
		movsd
		movsd
		movzx	eax, [ebp+var_38]
		xor	edi, edi
		mov	esi, ds:dword_70E328[eax*4]
		and	esi, [ebp+var_3C]
		mov	al, [ebx+10h]
		mov	[ebp+var_18], esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_24], al
		cmp	[ebx+8], edi
		jz	loc_866F51

loc_866CEE:				; CODE XREF: IopConnectInterrupt+2E7j
					; IopConnectInterrupt+2F8j ...
		cmp	[ebp+arg_14], 0
		lea	ecx, [ebp+var_3C]
		setz	[ebp+var_2]
		xor	dl, dl
		call	_KeVerifyGroupAffinity@8 ; KeVerifyGroupAffinity(x,x)
		test	al, al
		jz	loc_90829C
		mov	ebx, esi
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		mov	[ebp+var_1], cl
		jz	loc_90829C
		movsx	eax, cl
		push	6E696F49h
		lea	esi, ds:164h[eax*4]
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_2C], ebx
		test	ebx, ebx
		jz	loc_9082A6
		push	esi		; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebx+144h]
		push	edi
		push	edi
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		cmp	[ebp+arg_10], 0
		lea	edi, [ebx+8]
		mov	esi, [ebp+arg_20]
		mov	eax, [ebp+var_C]
		push	16h
		pop	ecx
		rep movsd
		lea	edi, [ebx+24h]
		mov	[ebx+20h], eax
		lea	esi, [ebp+var_3C]
		movsd
		movsd
		movsd
		jz	loc_866FA2

loc_866DA7:				; CODE XREF: IopConnectInterrupt+32Fj
		cmp	[ebp+arg_14], 0
		mov	al, [ebp+var_2]
		mov	[ebx+130h], al
		jz	loc_9082B0

loc_866DBA:				; CODE XREF: IopConnectInterrupt+A1643j
		mov	ax, [ebp+var_38]
		lea	edi, [ebx+8]
		mov	esi, [ebp+var_18]
		mov	word ptr [ebp+var_8], ax
		xor	eax, eax
		mov	dl, al
		mov	[ebx+4], esi
		mov	cl, al
		mov	byte ptr [ebp+var_8+3],	al
		mov	byte ptr [ebp+arg_20+3], dl
		mov	[ebp+var_2], al
		cmp	[ebp+var_1], al
		jle	loc_866E7F

loc_866DE3:				; CODE XREF: IopConnectInterrupt+203j
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	eax, esi
		jz	loc_866E71
		lea	eax, [ebp+var_8]
		mov	byte ptr [ebp+var_8+2],	cl
		push	eax
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	[ebp+var_20], eax
		mov	ecx, ds:_KiProcessorBlock[eax*4]
		call	_KeAllocateInterrupt@4 ; KeAllocateInterrupt(x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_9082BE
		push	0D0h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, [ebp+arg_0] ; int
		mov	ecx, [ebp+var_18] ; void *
		push	edi		; int
		push	dword ptr [ebp+var_10] ; char
		push	[ebp+arg_1C]	; int
		push	[ebp+var_20]	; int
		push	dword ptr [ebp+arg_18] ; char
		push	[ebp+var_C]	; int
		push	dword ptr [ebp+arg_14] ; char
		push	dword ptr [ebp+var_24] ; char
		push	[ebp+var_1C]	; int
		push	[ebp+var_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		call	KeInitializeInterruptEx
		mov	dl, byte ptr [ebp+arg_20+3]
		mov	ecx, [ebp+var_18]
		movsx	eax, dl
		inc	dl
		mov	byte ptr [ebp+arg_20+3], dl
		mov	[ebx+eax*4+164h], ecx
		mov	cl, [ebp+var_2]

loc_866E71:				; CODE XREF: IopConnectInterrupt+174j
		inc	cl
		mov	[ebp+var_2], cl
		cmp	dl, [ebp+var_1]
		jl	loc_866DE3

loc_866E7F:				; CODE XREF: IopConnectInterrupt+167j
		cmp	[ebp+arg_14], 0
		jz	loc_9082FF

loc_866E89:				; CODE XREF: IopConnectInterrupt+A1699j
		cmp	[ebp+var_5C], 0
		jnz	loc_866F80

loc_866E93:				; CODE XREF: IopConnectInterrupt+316j
		mov	dl, [ebp+var_1]
		lea	eax, [ebx+8]
		lea	edi, [ebx+164h]
		push	eax
		mov	ecx, edi
		call	KeConnectInterrupt
		cmp	[ebp+var_5C], 0
		mov	esi, eax
		jnz	loc_866F91

loc_866EB3:				; CODE XREF: IopConnectInterrupt+327j
		test	esi, esi
		js	loc_908314
		mov	ebx, [ebp+var_28]
		test	ebx, ebx
		jz	short loc_866F17
		mov	eax, [ebx+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_90833E
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_90833E
		mov	al, [ebp+var_1]
		test	al, al
		jle	short loc_866F17
		mov	esi, edi
		movzx	edi, al

loc_866EEF:				; CODE XREF: IopConnectInterrupt+29Fj
		mov	edx, 54706E50h
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag
		mov	eax, [esi]
		mov	[eax+0CCh], ebx
		mov	eax, [ebx+0B0h]
		add	eax, 34h
		lock inc dword ptr [eax]
		lea	esi, [esi+4]
		sub	edi, 1
		jnz	short loc_866EEF

loc_866F17:				; CODE XREF: IopConnectInterrupt+24Aj
					; IopConnectInterrupt+272j
		mov	ebx, [ebp+var_2C]
		mov	eax, [ebp+var_30]
		push	34h
		pop	ecx
		mov	esi, [ebx+164h]
		lea	edi, [ebx+60h]
		rep movsd
		mov	[eax], ebx
		mov	cl, 1
		xor	eax, eax
		mov	esi, eax
		call	PnpTraceInterruptConnection

loc_866F38:				; CODE XREF: IopConnectInterrupt+A16A2j
					; IopConnectInterrupt+A16B2j ...
		test	esi, esi
		js	loc_9082C3

loc_866F40:				; CODE XREF: IopConnectInterrupt+A162Bj
					; IopConnectInterrupt+A1635j ...
		lea	ecx, [ebp+var_68]
		call	IopDestroyActiveConnectBlock
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_866F51:				; CODE XREF: IopConnectInterrupt+72j
		push	dword ptr [ebx+38h]
		push	edi
		call	off_6B1308	; xHalpIsInterruptTypeSecondary(x,x)
		test	al, al
		jnz	loc_866CEE
		mov	eax, [ebx+14h]
		cmp	eax, 3
		jz	short loc_866F74
		cmp	eax, 4
		jnz	loc_866CEE

loc_866F74:				; CODE XREF: IopConnectInterrupt+2F3j
		mov	[ebp+var_10], 1
		mov	[ebp+var_C], edi
		jmp	loc_866CEE
; 

loc_866F80:				; CODE XREF: IopConnectInterrupt+217j
		push	0
		mov	dl, 1
		lea	ecx, [ebp+var_68]
		call	_IopAcquireReleaseConnectLockInternal@12 ; IopAcquireReleaseConnectLockInternal(x,x,x)
		jmp	loc_866E93
; 

loc_866F91:				; CODE XREF: IopConnectInterrupt+237j
		push	0
		xor	dl, dl
		lea	ecx, [ebp+var_68]
		call	_IopAcquireReleaseConnectLockInternal@12 ; IopAcquireReleaseConnectLockInternal(x,x,x)
		jmp	loc_866EB3
; 

loc_866FA2:				; CODE XREF: IopConnectInterrupt+12Bj
		mov	[ebp+arg_10], ebx
		jmp	loc_866DA7
IopConnectInterrupt endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopDestroyActiveConnectBlock proc near	; CODE XREF: IoDisconnectInterrupt+13Ap
					; IopConnectInterrupt+2CDp

var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h

; FUNCTION CHUNK AT 0090843E SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+20h+var_10]
		mov	esi, ecx
		stosd
		cmp	dword ptr [esi+0Ch], 0
		stosd
		stosd
		stosd
		jnz	short loc_866FD1

loc_866FCA:				; CODE XREF: IopDestroyActiveConnectBlock+B1j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_866FD1:				; CODE XREF: IopDestroyActiveConnectBlock+1Ej
		mov	ebx, [esi+10h]
		lea	eax, [esp+20h+var_10]
		push	0
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	2
		mov	dl, 1
		mov	[esp+24h+var_11], 0
		xor	ecx, ecx
		xor	edi, edi
		call	_IopAcquireReleaseConnectLockInternal@12 ; IopAcquireReleaseConnectLockInternal(x,x,x)
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		dec	eax
		lea	ecx, [esi+24h]
		cmp	ebx, ecx
		jnz	loc_90842F
		test	eax, eax
		jnz	loc_90843E

loc_86700F:				; CODE XREF: IopConnectInterrupt+A17C3j
		mov	bl, [esp+20h+var_11]

loc_867013:				; CODE XREF: IopDestroyActiveConnectBlock+A149Dj
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_867060
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_867060
		mov	[ecx], eax
		xor	dl, dl
		mov	[eax+4], ecx
		xor	ecx, ecx
		push	2
		call	_IopAcquireReleaseConnectLockInternal@12 ; IopAcquireReleaseConnectLockInternal(x,x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		test	bl, bl
		jnz	loc_90844C
		test	edi, edi
		jnz	loc_908461

loc_86704F:				; CODE XREF: IopDestroyActiveConnectBlock+A14B2j
					; IopDestroyActiveConnectBlock+A14C1j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_866FCA
; 

loc_867060:				; CODE XREF: IopDestroyActiveConnectBlock+6Ej
					; IopDestroyActiveConnectBlock+75j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

IopInitializeActiveConnectBlock:	; CODE XREF: IoDisconnectInterrupt+37p
					; IopConnectInterrupt+39p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		mov	edi, edx
		mov	esi, ecx
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		cmp	dword ptr [esi+8], 0
		jz	short loc_867086

loc_867082:				; CODE XREF: IopDestroyActiveConnectBlock+130j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_867086:				; CODE XREF: IopDestroyActiveConnectBlock+D6j
		push	1
		push	1
		lea	ebx, [edi+14h]
		mov	[edi+4], edi
		push	ebx
		mov	[edi], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	dword ptr [edi+24h], 1
		mov	dl, 1
		mov	esi, [esi+38h]
		xor	ecx, ecx
		push	2
		mov	[edi+8], esi
		call	_IopAcquireReleaseConnectLockInternal@12 ; IopAcquireReleaseConnectLockInternal(x,x,x)
		mov	ecx, esi
		call	_IopFindActiveConnectBlockLocked@4 ; IopFindActiveConnectBlockLocked(x)
		test	eax, eax
		jnz	loc_908470
		lea	eax, [edi+24h]
		mov	[edi+0Ch], ebx
		mov	[edi+10h], eax

loc_8670C8:				; CODE XREF: IopDestroyActiveConnectBlock+A14D8j
		mov	ecx, edi
		call	_IopInsertActiveConnectListLocked@4 ; IopInsertActiveConnectListLocked(x)
		push	2
		xor	dl, dl
		xor	ecx, ecx
		call	_IopAcquireReleaseConnectLockInternal@12 ; IopAcquireReleaseConnectLockInternal(x,x,x)
		jmp	short loc_867082
IopDestroyActiveConnectBlock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAcquireReleaseConnectLockInternal(x, x, x)
_IopAcquireReleaseConnectLockInternal@12 proc near ; CODE XREF:	IoDisconnectInterrupt+7Cp
					; IoDisconnectInterrupt+15Dp ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_0], 1
		jnz	short loc_867131
		test	[ebp+arg_0], 2
		jz	short loc_86712C
		mov	ecx, offset _ActiveConnectListLock

loc_8670F2:				; CODE XREF: IopAcquireReleaseConnectLockInternal(x,x,x)+53j
					; IopAcquireReleaseConnectLockInternal(x,x,x)+58j
		test	dl, dl
		jz	short loc_867114
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	ecx
		call	KeWaitForSingleObject

loc_867110:				; CODE XREF: IopAcquireReleaseConnectLockInternal(x,x,x)+4Ej
		pop	ebp
		retn	4
; 

loc_867114:				; CODE XREF: IopAcquireReleaseConnectLockInternal(x,x,x)+18j
		xor	eax, eax
		push	eax
		push	eax
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	short loc_867110
; 

loc_86712C:				; CODE XREF: IopAcquireReleaseConnectLockInternal(x,x,x)+Fj
		mov	ecx, [ecx+0Ch]
		jmp	short loc_8670F2
; 

loc_867131:				; CODE XREF: IopAcquireReleaseConnectLockInternal(x,x,x)+9j
		add	ecx, 14h
		jmp	short loc_8670F2
_IopAcquireReleaseConnectLockInternal@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpTraceInterruptConnection proc near	; CODE XREF: IoDisconnectInterrupt+14Ap
					; IopConnectInterrupt+2BDp

var_69		= byte ptr -69h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00908487 SIZE 00000073 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		cmp	dword_6B2B18, 5
		push	ebx
		push	esi
		push	edi
		mov	bl, cl
		jbe	short loc_867176
		push	4000h
		xor	esi, esi
		mov	edi, offset dword_6B2B18
		push	esi
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_908487

loc_867176:				; CODE XREF: PnpTraceInterruptConnection+22j
					; PnpTraceInterruptConnection+A13BFj
		mov	ecx, [esp+78h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
PnpTraceInterruptConnection endp


;  S U B	R O U T	I N E 


; __stdcall IopInsertActiveConnectListLocked(x)
_IopInsertActiveConnectListLocked@4 proc near ;	CODE XREF: IopDestroyActiveConnectBlock+120p
		mov	eax, _ActiveConnectList
		push	esi
		mov	esi, offset _ActiveConnectList
		cmp	eax, esi
		jnz	short loc_8671AF

loc_867197:				; CODE XREF: IopInsertActiveConnectListLocked(x)+44j
		mov	eax, dword_6CC9F4
		cmp	[eax], esi
		jnz	short loc_8671D6
		mov	[ecx], esi
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	dword_6CC9F4, ecx

loc_8671AD:				; CODE XREF: IopInsertActiveConnectListLocked(x)+42j
		pop	esi
		retn
; 

loc_8671AF:				; CODE XREF: IopInsertActiveConnectListLocked(x)+Dj
		mov	edx, [ecx+8]

loc_8671B2:				; CODE XREF: IopInsertActiveConnectListLocked(x)+4Aj
		cmp	[eax+8], edx
		jbe	short loc_8671CE
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_8671D6
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx

loc_8671C8:				; CODE XREF: IopInsertActiveConnectListLocked(x)+4Cj
		cmp	eax, esi
		jnz	short loc_8671AD
		jmp	short loc_867197
; 

loc_8671CE:				; CODE XREF: IopInsertActiveConnectListLocked(x)+2Dj
		mov	eax, [eax]
		cmp	eax, esi
		jnz	short loc_8671B2
		jmp	short loc_8671C8
; 

loc_8671D6:				; CODE XREF: IopInsertActiveConnectListLocked(x)+16j
					; IopInsertActiveConnectListLocked(x)+34j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_IopInsertActiveConnectListLocked@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopFindActiveConnectBlockLocked(x)
_IopFindActiveConnectBlockLocked@4 proc	near ; CODE XREF: IopDestroyActiveConnectBlock+108p
		mov	eax, _ActiveConnectList
		xor	edx, edx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _ActiveConnectList

loc_8671EC:				; CODE XREF: IopFindActiveConnectBlockLocked(x)+26j
		cmp	eax, edi
		jnz	short loc_8671F5

loc_8671F0:				; CODE XREF: IopFindActiveConnectBlockLocked(x)+1Cj
					; IopFindActiveConnectBlockLocked(x)+22j
		pop	edi
		mov	eax, edx
		pop	esi
		retn
; 

loc_8671F5:				; CODE XREF: IopFindActiveConnectBlockLocked(x)+12j
		cmp	[eax+8], esi
		ja	short loc_8671F0
		jnz	short loc_867200
		mov	edx, eax
		jmp	short loc_8671F0
; 

loc_867200:				; CODE XREF: IopFindActiveConnectBlockLocked(x)+1Ej
		mov	eax, [eax]
		jmp	short loc_8671EC
_IopFindActiveConnectBlockLocked@4 endp


;  S U B	R O U T	I N E 


MiSessionCreate	proc near		; CODE XREF: MiMapProcessExecutable:loc_761695p
					; MmInitializeProcessAddressSpace:loc_8D4D38p

; FUNCTION CHUNK AT 009084FA SIZE 0000000A BYTES

		mov	edi, edi
		push	esi
		push	edi
		call	MiInitializeSessionGlobals
		test	eax, eax
		js	loc_867304
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	edi, eax
		mov	ecx, edi
		call	_MiSessionCreateInternal@4 ; MiSessionCreateInternal(x)
		test	eax, eax
		js	loc_867304
		mov	esi, [esi+180h]
		mov	ecx, dword_6D05D4
		lea	eax, [esi+0C0h]
		push	eax
		push	0Bh
		lea	edx, [ecx+7FFFh]
		push	1
		call	_MiCreateSystemWsles@20	; MiCreateSystemWsles(x,x,x,x,x)
		test	eax, eax
		jz	loc_9084FA
		mov	edx, dword_6D05BC
		lea	ecx, [esi+23F0h]
		push	0
		push	7FC0h
		call	MiInitializeDynamicBitmap
		test	eax, eax
		jz	loc_9084FA
		or	dword ptr [esi+4], 10h
		lea	edx, [esi+0C0h]
		push	0
		push	1
		mov	ecx, edi
		call	MiInitializeSystemWorkingSetList
		mov	eax, dword_6D07D0
		mov	edx, 0FFBFFFFFh
		mov	ecx, eax
		mov	[esi+24h], eax
		mov	[esi+28h], edx
		call	ExInitializeSessionHeapManager
		test	eax, eax
		js	short loc_867304
		or	dword ptr [esi+4], 80h
		call	_MiInitializeSessionPool@0 ; MiInitializeSessionPool()
		mov	edi, eax
		test	edi, edi
		js	short loc_86730E
		push	0
		xor	ecx, ecx
		mov	edx, 6C6F6F50h
		push	104h
		inc	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jz	short loc_8672E3
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8672E3:				; CODE XREF: MiSessionCreate+D5j
		or	dword ptr [esi+4], 1
		lea	ecx, [esi+70h]
		call	_MiInitializeSystemSpaceMap@4 ;	MiInitializeSystemSpaceMap(x)
		test	eax, eax
		jz	loc_9084FA
		call	MiSessionObjectCreate
		mov	esi, eax
		test	esi, esi
		js	short loc_867307

loc_867302:				; CODE XREF: MiSessionCreate+108j
		mov	eax, esi

loc_867304:				; CODE XREF: MiSessionCreate+Bj
					; MiSessionCreate+2Dj ...
		pop	edi
		pop	esi
		retn
; 

loc_867307:				; CODE XREF: MiSessionCreate+FCj
		call	_MiDereferenceSession@0	; MiDereferenceSession()
		jmp	short loc_867302
; 

loc_86730E:				; CODE XREF: MiSessionCreate+BDj
					; MiSessionCreate+A12FBj
		call	_MiDereferenceSession@0	; MiDereferenceSession()
		mov	eax, edi
		jmp	short loc_867304
MiSessionCreate	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSessionObjectCreate proc near		; CODE XREF: MiSessionCreate+F3p

var_148		= dword	ptr -148h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= word ptr -108h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00908504 SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_148]
		stosd
		xor	ebx, ebx
		push	1
		mov	[ebp+var_114], ebx
		mov	[ebp+var_11C], ebx
		stosd
		mov	[ebp+var_118], ebx
		mov	[ebp+var_10C], ebx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_148]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		js	loc_86753C
		push	ds:_SeAliasAdminsSid
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeLocalSystemSid
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	ebx
		push	100h
		mov	edx, 6C636144h
		lea	edi, [eax+20h]
		add	edi, esi
		mov	ecx, edi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_90850B
		push	2		; int
		push	edi		; size_t
		push	esi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	edi, eax
		push	ebx
		test	edi, edi
		js	loc_908516
		mov	eax, ds:_SeAliasAdminsSid
		mov	ecx, esi
		push	eax
		push	0F0003h
		push	ebx
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	edi, eax
		push	ebx
		test	edi, edi
		js	loc_908516
		mov	eax, _SeLocalSystemSid
		mov	ecx, esi
		push	eax
		push	0F0003h
		push	ebx
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	edi, eax
		push	ebx
		push	esi
		test	edi, edi
		js	loc_908517
		push	1
		lea	eax, [ebp+var_148]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	edi, eax
		test	edi, edi
		js	loc_908515
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	edi, [eax+180h]
		lea	eax, [ebp+var_108]
		push	dword ptr [edi+8] ; char
		push	offset ??_C@_1DC@IFGNMEPF@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@ ; wchar_t *
		push	80h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		mov	ebx, eax
		add	esp, 10h
		test	ebx, ebx
		js	loc_908523
		lea	eax, [ebp+var_108]
		push	eax
		lea	eax, [ebp+var_11C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, ds:_MmSessionObjectType
		lea	eax, [ebp+var_11C]
		push	18h
		pop	ecx
		xor	ebx, ebx
		mov	[ebp+var_12C], eax
		push	ebx
		lea	eax, [ebp+var_148]
		mov	[ebp+var_134], ecx
		mov	[ebp+var_124], eax
		lea	eax, [ebp+var_10C]
		push	eax
		push	ebx
		push	ebx
		push	ecx
		push	ecx
		push	ebx
		lea	eax, [ebp+var_134]
		mov	[ebp+var_130], ebx
		push	eax
		xor	cl, cl
		mov	[ebp+var_128], 200h
		mov	[ebp+var_120], ebx
		call	ObCreateObjectEx
		push	0
		push	esi
		mov	ebx, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		js	short loc_86753A
		mov	esi, [ebp+var_10C]
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	esi
		mov	[esi+10h], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[esi+14h], ebx
		cmp	ds:_PsCpuFairShareEnabled, bl
		jnz	loc_908530

loc_8674EA:				; CODE XREF: MiSessionObjectCreate+A121Bj
					; MiSessionObjectCreate+A125Cj
		lea	eax, [ebp+var_114]
		xor	edx, edx
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	1
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_86753A
		or	dword ptr [edi+4], 40h
		lock inc dword ptr [edi+0Ch]
		mov	eax, [ebp+var_114]
		mov	[edi+30h], eax
		xor	eax, eax
		inc	eax
		mov	[edi+2Ch], esi
		push	eax
		push	eax
		mov	[edi+243Ch], eax
		lea	eax, [edi+2440h]
		push	eax
		mov	dword ptr [edi+2438h], 2
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_86753A:				; CODE XREF: MiSessionObjectCreate+1AEj
					; MiSessionObjectCreate+1EBj ...
		mov	eax, ebx

loc_86753C:				; CODE XREF: MiSessionObjectCreate+4Fj
					; MiSessionObjectCreate+A11F8j	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
MiSessionObjectCreate endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiInitializeSystemSpaceMap(x)
_MiInitializeSystemSpaceMap@4 proc near	; CODE XREF: MiSessionCreate+E6p
					; MiInitSystem+343p
		mov	edi, edi
		push	ecx
		xor	edx, edx
		mov	[ecx+4], ecx
		xor	eax, eax
		mov	[ecx], edx
		inc	eax
		mov	[ecx+8], edx
		cmp	ecx, offset unk_6CF5A4
		jz	short loc_867566
		pop	ecx
		retn
; 

loc_867566:				; CODE XREF: MiInitializeSystemSpaceMap(x)+16j
		mov	ecx, dword_6D07D0
		mov	eax, ds:_MiLowHalVa
		push	10h
		sub	eax, ecx
		push	eax
		push	ecx
		push	3
		push	edx
		push	0Ch
		pop	edx
		mov	ecx, offset unk_6D339C
		call	MiInitializePteInfo
		pop	ecx
		retn
_MiInitializeSystemSpaceMap@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiInitializeSessionPool()
_MiInitializeSessionPool@0 proc	near	; CODE XREF: MiSessionCreate+B4p
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		and	dword ptr [eax+64h], 0
		mov	dword ptr [eax+68h], 7FC00h
		or	dword ptr [eax+4], 4
		xor	eax, eax
		retn
_MiInitializeSessionPool@0 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2321. RtlRunOnceInitialize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlRunOnceInitialize(x)
		public _RtlRunOnceInitialize@4
_RtlRunOnceInitialize@4	proc near	; CODE XREF: RtlHpHeapManagerInitialize(x,x)+5Dp
					; RtlpHpHeapCreate+17Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		pop	ebp
		retn	4
_RtlRunOnceInitialize@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeSystemWorkingSetList proc near ; CODE XREF:	MiSessionCreate+8Dp
					; MiInitializeSystemCache(x)+52p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00908579 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		cmp	[ebp+arg_0], 1
		push	esi
		mov	esi, edx
		mov	edx, ecx
		push	edi
		mov	[ebp+var_4], edx
		jz	short loc_86763F
		mov	ecx, [ebp+arg_0]
		call	_MiTranslateWsType@4 ; MiTranslateWsType(x)
		mov	edi, eax
		cmp	edi, 2
		jg	short loc_867666
		mov	ecx, [ebp+var_4]
		imul	eax, edi, 18h
		cmp	dword ptr [edx+0F48h], 4000h
		push	14h
		mov	[ebp+var_8], eax
		lea	eax, dword_6D2EAC[eax]
		mov	[ebp+var_C], eax
		sbb	eax, eax
		and	eax, 0FFFFFF20h
		add	eax, 100h
		mov	edx, eax
		mov	[ebp+var_10], eax
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jz	short loc_867677
		mov	ecx, [ebp+var_4]
		cmp	ecx, offset _MiSystemPartition
		jnz	loc_908579
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_C]

loc_867637:				; CODE XREF: MiInitializeSystemWorkingSetList+A0FC9j
		mov	ecx, [ebp+var_10]
		mov	[esi+3Ch], ecx
		jmp	short loc_867648
; 

loc_86763F:				; CODE XREF: MiInitializeSystemWorkingSetList+15j
		mov	edx, dword_6D05CC
		mov	eax, [ebp+arg_4]

loc_867648:				; CODE XREF: MiInitializeSystemWorkingSetList+79j
		and	dword ptr [esi], 0
		mov	ecx, esi
		push	eax
		push	[ebp+arg_0]
		call	_MiInitializeWorkingSetList@16 ; MiInitializeWorkingSetList(x,x,x,x)
		mov	ecx, esi
		call	MiAllowWorkingSetExpansion

loc_86765D:				; CODE XREF: MiInitializeSystemWorkingSetList+B1j
		xor	eax, eax
		inc	eax

loc_867660:				; CODE XREF: MiInitializeSystemWorkingSetList+B5j
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_867666:				; CODE XREF: MiInitializeSystemWorkingSetList+24j
		mov	cl, [esi+60h]
		xor	cl, byte ptr [ebp+arg_0]
		and	cl, 7
		xor	[esi+60h], cl
		and	dword ptr [esi], 0
		jmp	short loc_86765D
; 

loc_867677:				; CODE XREF: MiInitializeSystemWorkingSetList+5Cj
		xor	eax, eax
		jmp	short loc_867660
MiInitializeSystemWorkingSetList endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeDynamicBitmap proc near	; CODE XREF: MiSessionCreate+70p
					; MiCreatePfnBitMaps+93p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00908592 SIZE 0000006B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_10], ecx
		push	edi
		mov	ecx, ebx
		mov	[ebp+var_14], ebx
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	esi, [ebp+arg_0]
		mov	edi, eax
		mov	eax, 0FFFh
		mov	ecx, ebx
		and	ecx, eax
		add	ecx, eax
		lea	esi, [esi+7]
		shr	esi, 3
		mov	edx, esi
		shr	esi, 0Ch
		and	edx, eax
		add	edx, ecx
		mov	ecx, ebx
		shr	edx, 0Ch
		add	edx, esi
		mov	[ebp+var_C], edx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	loc_867774
		cmp	eax, 1
		jz	loc_867774
		push	9
		pop	eax

loc_8676D9:				; CODE XREF: MiInitializeDynamicBitmap+FBj
		mov	ebx, [ebp+arg_4]
		test	bl, 2
		jnz	short loc_8676F7
		dec	edx
		mov	ecx, edi
		push	eax
		push	1
		lea	edx, [edi+edx*8]
		call	_MiMakeZeroedPageTables@16 ; MiMakeZeroedPageTables(x,x,x,x)
		test	eax, eax
		jz	loc_86777C

loc_8676F7:				; CODE XREF: MiInitializeDynamicBitmap+63j
		mov	edx, dword_6D34F0
		test	bl, 4
		jnz	short loc_867708
		mov	edx, dword_6D34E4

loc_867708:				; CODE XREF: MiInitializeDynamicBitmap+84j
		and	ebx, 1
		mov	ecx, edi
		shl	ebx, 1Dh
		inc	ebx
		push	ebx
		call	MiMakeValidPte
		mov	esi, [ebp+var_C]
		mov	ecx, edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		test	esi, esi
		jz	short loc_86775C

loc_867726:				; CODE XREF: MiInitializeDynamicBitmap+DEj
		and	[ebp+arg_4], 0
		mov	edx, ecx
		mov	ecx, edi
		mov	ebx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_908592

loc_86773D:				; CODE XREF: MiInitializeDynamicBitmap+A0F6Ej
		mov	eax, [ebp+arg_4]

loc_867740:				; CODE XREF: MiInitializeDynamicBitmap+A0F2Cj
					; MiInitializeDynamicBitmap+A0F40j ...
		mov	[edi+4], edx
		nop
		mov	[edi], ebx
		test	eax, eax
		jnz	loc_9085EF

loc_86774E:				; CODE XREF: MiInitializeDynamicBitmap+A0F7Cj
		mov	eax, [ebp+var_4]
		add	edi, 8
		mov	ecx, [ebp+var_8]
		sub	esi, 1
		jnz	short loc_867726

loc_86775C:				; CODE XREF: MiInitializeDynamicBitmap+A8j
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+arg_0]
		mov	[eax], ecx
		mov	ecx, [ebp+var_14]
		mov	[eax+4], ecx
		xor	eax, eax
		inc	eax

loc_86776D:				; CODE XREF: MiInitializeDynamicBitmap+102j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_867774:				; CODE XREF: MiInitializeDynamicBitmap+4Bj
					; MiInitializeDynamicBitmap+54j
		xor	eax, eax
		inc	eax
		jmp	loc_8676D9
; 

loc_86777C:				; CODE XREF: MiInitializeDynamicBitmap+75j
		xor	eax, eax
		jmp	short loc_86776D
MiInitializeDynamicBitmap endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSessionCreateInternal(x)
_MiSessionCreateInternal@4 proc	near	; CODE XREF: MiSessionCreate+26p

var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, dword_6D05D4
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	[ebp+var_3C], eax
		mov	[ebp+var_24], ecx
		mov	[ebp+var_34], edi
		mov	eax, [edi+80h]
		dec	word ptr [edi+13Eh]
		mov	[ebp+var_44], eax
		nop
		xor	edx, edx
		mov	ecx, offset dword_6D05C0
		call	ExAcquirePushLockExclusiveEx
		push	0
		push	1
		push	dword_6D35C8
		call	RtlFindClearBitsAndSet
		mov	ecx, eax
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_1C], ecx
		cmp	ecx, esi
		jnz	loc_86789F
		mov	eax, dword_6D35C8
		mov	ecx, 7FFFFh
		mov	eax, [eax]
		add	eax, 40h
		mov	[ebp+var_1C], eax
		cmp	eax, ecx
		jbe	short loc_867812
		mov	eax, ecx
		mov	[ebp+var_1C], eax

loc_867812:				; CODE XREF: MiSessionCreateInternal(x)+8Bj
		push	0
		pop	ecx
		test	al, 1Fh
		mov	edx, 20206D4Dh
		push	0
		setnz	cl
		shr	eax, 5
		add	ecx, 2
		add	ecx, eax
		shl	ecx, 2
		push	100h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	loc_867996
		mov	ecx, [ebp+var_1C]
		mov	[eax], ecx
		lea	ecx, [eax+8]
		push	eax
		mov	[eax+4], ecx
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		mov	edx, dword_6D35C8
		push	0
		pop	eax
		mov	ecx, [edx]
		test	cl, 1Fh
		setnz	al
		shr	ecx, 5
		add	eax, ecx
		shl	eax, 2
		push	eax		; size_t
		mov	eax, [ebp+var_20]
		push	dword ptr [edx+4] ; void *
		push	dword ptr [eax+4] ; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	dword_6D35C8
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_20]
		push	0
		push	1
		push	eax
		mov	dword_6D35C8, eax
		call	RtlFindClearBitsAndSet
		mov	[ebp+var_1C], eax

loc_86789F:				; CODE XREF: MiSessionCreateInternal(x)+71j
		mov	eax, esi
		mov	ecx, offset dword_6D05C0
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8678BA
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset dword_6D05C0

loc_8678BA:				; CODE XREF: MiSessionCreateInternal(x)+12Ej
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp+var_24]
		push	0
		push	8
		pop	edx
		call	MiChargeCommit
		test	eax, eax
		jz	loc_867B4C
		push	3
		pop	edx
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	loc_867B2E
		mov	ecx, [ebp+var_24]
		mov	edi, eax
		mov	eax, [ebp+var_1C]
		shl	edi, 9
		neg	eax
		push	0
		sbb	eax, eax
		mov	[ebp+var_40], edi
		and	eax, 3ECh
		add	eax, 14h
		mov	[ebp+var_2C], eax
		lea	edx, [eax+8]
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jz	loc_867B2B
		mov	ecx, edi
		call	MiMapNewSession
		mov	ecx, ds:_PsDefaultSystemLocaleId
		and	dword ptr [edi+4], 0
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_1C]
		mov	[edi+8], eax
		lea	eax, [ebp+var_38]
		push	eax
		mov	dword ptr [edi], 1
		mov	[edi+38h], ecx
		call	_KeQueryInterruptTimePrecise@4 ; KeQueryInterruptTimePrecise(x)
		mov	ecx, [ebp+var_3C]
		mov	[edi+2458h], eax
		mov	[edi+245Ch], edx
		call	_MiGetPdeAddress@4 ; MiGetPdeAddress(x)
		mov	ecx, eax
		call	_MI_READ_PTE_LOCK_FREE@4 ; MI_READ_PTE_LOCK_FREE(x)
		mov	ecx, edx
		mov	[ebp+var_28], eax
		mov	[ebp+var_34], ecx
		mov	edx, eax
		nop
		mov	[ebp+var_20], ecx
		lea	ecx, [ebp+var_58]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_8679A0
		push	[ebp+var_20]
		push	edx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	[ebp+var_20], eax
		mov	eax, edx
		mov	edx, [ebp+var_20]
		jmp	short loc_8679A3
; 

loc_867996:				; CODE XREF: MiSessionCreateInternal(x)+BBj
		mov	esi, offset dword_6D05C0
		jmp	loc_867B7D
; 

loc_8679A0:				; CODE XREF: MiSessionCreateInternal(x)+201j
		mov	eax, [ebp+var_20]

loc_8679A3:				; CODE XREF: MiSessionCreateInternal(x)+214j
		shrd	edx, eax, 0Ch
		mov	eax, [ebp+var_2C]
		mov	[edi+0FCh], eax
		and	edx, 1FFFFFFh
		mov	eax, [ebp+var_24]
		movzx	eax, ax
		mov	[edi+0C0h], eax
		push	8
		pop	eax
		mov	[edi+1Ch], eax
		mov	[edi+20h], eax
		mov	[edi+18h], edx
		mov	ecx, dword_6D05D4
		call	_MiGetSystemRegionIndex@4 ; MiGetSystemRegionIndex(x)
		mov	ecx, [ebp+var_28]
		mov	[edi+eax*8+3E0h], ecx
		mov	ecx, [ebp+var_34]
		mov	[edi+eax*8+3E4h], ecx
		lea	eax, [edi+10h]
		and	dword ptr [edi+34h], 0
		and	dword ptr [edi+23E0h], 0
		mov	[eax+4], eax
		mov	[eax], eax
		mov	dword ptr [edi+0Ch], 1

loc_867A07:				; CODE XREF: MiSessionCreateInternal(x)+2BBj
					; MiSessionCreateInternal(x)+2C2j
		mov	eax, _PsNextSecurityDomain
		mov	edi, eax
		mov	edx, dword_6B5BC4
		add	edi, 1
		mov	ecx, edx
		mov	[ebp+var_28], eax
		mov	[ebp+var_2C], edx
		adc	ecx, 0
		mov	[ebp+var_34], offset _PsNextSecurityDomain
		nop
		push	ebx
		mov	ebx, edi
		mov	edi, [ebp+var_34]
		lock cmpxchg8b qword ptr [edi]
		pop	ebx
		nop
		mov	ecx, [ebp+var_28]
		cmp	eax, ecx
		jnz	short loc_867A07
		mov	eax, [ebp+var_2C]
		cmp	edx, eax
		jnz	short loc_867A07
		mov	edi, [ebp+var_40]
		add	ecx, 1
		adc	eax, 0
		mov	[edi+88h], ecx
		mov	[edi+8Ch], eax
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		mov	[edi+2450h], eax
		test	eax, eax
		jz	short loc_867A8E
		mov	edx, 73536D4Dh
		mov	ecx, eax
		call	ObfReferenceObjectWithTag
		mov	edx, [ebp+var_1C]
		mov	ecx, [edi+2450h]
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ecx, [eax+28Ch]
		mov	eax, esi
		lock cmpxchg [ecx], edx

loc_867A8E:				; CODE XREF: MiSessionCreateInternal(x)+2E6j
		mov	ecx, [ebp+var_44]
		mov	edx, edi
		call	MiMarkSessionMasterProcess
		mov	dword ptr [edi+23FCh], 4
		mov	ecx, dword_6D07D0
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	[edi+23F8h], eax
		xor	ecx, ecx
		mov	eax, [ebp+var_3C]
		inc	ecx
		sub	eax, 0FFFFFF80h
		mov	[edi+2400h], ecx
		mov	[edi+2404h], eax
		lea	eax, [edi+23E0h]
		mov	[edi+240Ch], eax
		mov	al, [edi+120h]
		and	al, 0F9h
		or	al, cl
		mov	[edi+120h], al
		test	dword ptr ds:byte_70EFC4, 400000h
		jz	short loc_867B27
		mov	eax, [ebp+var_1C]
		mov	edx, ecx
		and	[ebp+var_14], 0
		lea	ecx, [ebp+var_18]
		and	[ebp+var_C], 0
		push	offset byte_401803
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_4C]
		push	24Bh
		push	20400000h
		mov	[ebp+var_4C], edi
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], 8
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_867B27:				; CODE XREF: MiSessionCreateInternal(x)+36Ej
		xor	eax, eax
		jmp	short loc_867BA4
; 

loc_867B2B:				; CODE XREF: MiSessionCreateInternal(x)+19Cj
		mov	edi, [ebp+var_34]

loc_867B2E:				; CODE XREF: MiSessionCreateInternal(x)+16Dj
		mov	ecx, [ebp+var_24]
		push	8
		pop	edx
		call	MiReturnCommit
		mov	edx, [ebp+var_28]
		test	edx, edx
		jz	short loc_867B4C
		push	3
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_867B4C:				; CODE XREF: MiSessionCreateInternal(x)+155j
					; MiSessionCreateInternal(x)+3BEj
		dec	word ptr [edi+13Eh]
		nop
		mov	esi, offset dword_6D05C0
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6D35C8
		mov	edx, [ebp+var_1C]
		mov	ecx, edx
		shr	ecx, 3
		and	edx, 7
		add	ecx, [eax+4]
		movsx	eax, byte ptr [ecx]
		btr	eax, edx
		mov	[ecx], al

loc_867B7D:				; CODE XREF: MiSessionCreateInternal(x)+21Bj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_867B91
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_867B91:				; CODE XREF: MiSessionCreateInternal(x)+408j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, 0C0000017h

loc_867BA4:				; CODE XREF: MiSessionCreateInternal(x)+3A9j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_MiSessionCreateInternal@4 endp	; sp =	4

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapNewSession	proc near		; CODE XREF: MiSessionCreateInternal(x)+1A4p

var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009085FD SIZE 00000124 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_18], ecx
		lea	edi, [ebp+var_3C]
		xor	esi, esi
		stosd
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		stosd
		stosd
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	[ebp+var_28], eax
		mov	ebx, esi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		push	esi
		lea	edx, [ebp+var_3C]
		mov	[ebp+var_C], eax
		xor	ecx, ecx
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		push	8
		pop	esi

loc_867BF6:				; CODE XREF: MiMapNewSession+59j
		mov	ecx, [ebp+var_28]
		lea	edx, [ebp+var_3C]
		call	MiGetSystemPage
		mov	edi, eax
		mov	edx, ebx
		mov	ecx, edi
		call	_MiSetPfnLink@8	; MiSetPfnLink(x,x)
		mov	ebx, edi
		sub	esi, 1
		jnz	short loc_867BF6
		mov	ecx, dword_6D05D4
		lea	edx, [ebp+var_30]
		push	2
		mov	[ebp+var_14], ebx
		pop	ebx
		call	_MiFillPteHierarchy@8 ;	MiFillPteHierarchy(x,x)
		sub	edi, ds:_MmPfnDatabase
		mov	eax, edi
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	[ebp+var_4], eax

loc_867C38:				; CODE XREF: MiMapNewSession+10Dj
		mov	ecx, [ebp+var_14]
		dec	ebx
		mov	[ebp+var_8], ebx
		mov	edi, ecx
		mov	ebx, [ebp+ebx*4+var_30]
		call	_MiGetPfnLink@4	; MiGetPfnLink(x)
		cmp	[ebp+var_8], 1
		mov	[ebp+var_14], eax
		mov	[edi], esi
		jnz	short loc_867C6E
		mov	ecx, dword_6D05D4
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	edx, [ebp+var_18]
		mov	ecx, edi
		push	esi
		mov	[edi+4], eax
		call	_MiSetPageTablePfnBuddy@12 ; MiSetPageTablePfnBuddy(x,x,x)

loc_867C6E:				; CODE XREF: MiMapNewSession+9Bj
		sub	edi, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		mov	eax, edi
		cdq
		idiv	ecx
		push	90000006h
		mov	edx, eax
		mov	[ebp+var_28], eax
		xor	ecx, ecx
		call	MiMakeValidPte
		mov	edi, eax
		mov	ecx, ebx
		and	edi, 0FFFFFEFFh
		cmp	[ebp+var_8], 1
		jnz	loc_9085FD
		push	edx
		push	edi
		call	MiWriteTopLevelPxe

loc_867CA8:				; CODE XREF: MiMapNewSession+A0A9Aj
					; MiMapNewSession+A0AA9j
		mov	edi, [ebp+var_28]
		mov	edx, ebx
		push	200h
		push	[ebp+var_4]
		mov	ecx, edi
		call	MiInitializePfnForOtherProcess
		mov	ebx, [ebp+var_8]
		mov	[ebp+var_4], edi
		cmp	ebx, 1
		jnz	loc_867C38
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		push	0A0000004h
		call	MiMakeValidPte
		mov	ecx, dword_6D05D4
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ebx, eax
		mov	edi, esi
		sub	[ebp+var_C], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_28], edi

loc_867CF8:				; CODE XREF: MiMapNewSession+1C0j
		mov	edx, [ebp+var_14]
		mov	ecx, edx
		mov	[ebp+var_24], edx
		call	_MiGetPfnLink@4	; MiGetPfnLink(x)
		mov	[ebp+var_14], eax
		mov	eax, edx
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	[ebp+var_20], eax
		cmp	edi, 3
		jb	short loc_867D8B

loc_867D1E:				; CODE XREF: MiMapNewSession+246j
		push	80000004h
		mov	edx, eax
		xor	ecx, ecx
		call	MiMakeValidPte
		mov	ecx, [ebp+var_24]
		mov	ebx, eax
		push	4
		mov	edi, edx
		and	ebx, 0FFFFFEFFh
		mov	edx, [ebp+var_10]
		push	4
		call	_MiInitializePfn@16 ; MiInitializePfn(x,x,x,x)
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_9086C1

loc_867D57:				; CODE XREF: MiMapNewSession+A0B1Cj
					; MiMapNewSession+A0B3Aj ...
		mov	[ecx+4], edi
		nop
		mov	[ecx], ebx
		test	edx, edx
		jnz	loc_908710
		mov	ebx, [ebp+var_10]

loc_867D68:				; CODE XREF: MiMapNewSession+A0B64j
		mov	edi, [ebp+var_28]
		add	ebx, 8
		inc	edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_28], edi
		cmp	edi, 7
		jb	loc_867CF8
		lea	ecx, [ebp+var_3C]
		call	_MiGetNextPageColor@4 ;	MiGetNextPageColor(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_867D8B:				; CODE XREF: MiMapNewSession+164j
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		mov	eax, [ebp+var_4]
		and	edx, 1FFFFFFh
		xor	edi, edi
		and	ecx, 0FFFFFFE0h
		shld	edi, edx, 0Ch
		and	eax, 0FFFh
		shl	edx, 0Ch
		or	edi, ecx
		mov	ecx, dword_6D05D4
		or	edx, eax
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], edi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, [ebp+var_24]
		mov	edx, [ebp+var_18]
		push	esi
		mov	[ecx+4], eax
		call	_MiSetPageTablePfnBuddy@12 ; MiSetPageTablePfnBuddy(x,x,x)
		mov	ecx, [ebp+var_C]
		mov	edi, [ebp+var_4]
		add	ecx, ebx
		mov	edx, [ebp+var_8]
		mov	[ebp+var_1C], esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_908666

loc_867DE9:				; CODE XREF: MiMapNewSession+A0AC5j
					; MiMapNewSession+A0AE3j ...
		mov	eax, [ebp+var_C]
		mov	[ebx+eax+4], edx
		nop
		lea	ecx, [eax+ebx]
		mov	[ecx], edi
		cmp	[ebp+var_1C], esi
		jnz	short loc_867E03

loc_867DFB:				; CODE XREF: MiMapNewSession+252j
		mov	eax, [ebp+var_20]
		jmp	loc_867D1E
; 

loc_867E03:				; CODE XREF: MiMapNewSession+241j
		push	edx
		push	edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	short loc_867DFB
MiMapNewSession	endp


;  S U B	R O U T	I N E 


MiInitializeSessionGlobals proc	near	; CODE XREF: MiSessionCreate+4p

; FUNCTION CHUNK AT 00908721 SIZE 000000F4 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	eax, [edi+80h]
		mov	ebx, [edi+150h]
		test	dword ptr [eax+0FCh], 10000h
		jnz	loc_908721
		mov	ecx, ebx
		call	_MmIsSessionLeaderProcess@4 ; MmIsSessionLeaderProcess(x)
		test	eax, eax
		jz	short loc_867E45

loc_867E3F:				; CODE XREF: MiInitializeSessionGlobals+E5j
					; MiInitializeSessionGlobals+A0989j ...
		xor	eax, eax

loc_867E41:				; CODE XREF: MiInitializeSessionGlobals+A091Aj
					; MiInitializeSessionGlobals+A09C4j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_867E45:				; CODE XREF: MiInitializeSessionGlobals+31j
		cmp	dword_6D05C4, 0
		jnz	loc_90872B
		dec	word ptr [edi+13Eh]
		nop
		mov	esi, offset dword_6D05C8
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		cmp	dword_6D05C4, 0
		jnz	loc_90879D
		push	0Bh
		xor	ecx, ecx
		pop	edx
		inc	ecx
		call	MiObtainSystemVa
		test	eax, eax
		jz	loc_9087D5
		xor	ecx, ecx
		mov	edx, eax
		inc	ecx
		call	_MiInitializeWsleBase@8	; MiInitializeWsleBase(x,x)
		mov	ecx, dword_6D2E6C
		add	ecx, 100000h
		mov	dword_6D05C4, ebx
		mov	dword_6D05D4, ecx
		lea	eax, [ecx+7000h]
		mov	dword_6D05BC, eax
		lea	eax, [ecx+1C0h]
		xor	ecx, ecx
		mov	dword_6D05CC, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	[eax+1F4h], ebx
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_908801

loc_867EDC:				; CODE XREF: MiInitializeSessionGlobals+A09F7j
					; MiInitializeSessionGlobals+A0A04j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		jmp	loc_867E3F
MiInitializeSessionGlobals endp


;  S U B	R O U T	I N E 


; __stdcall MmIsSessionLeaderProcess(x)
_MmIsSessionLeaderProcess@4 proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B9Fp
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+15A8p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		xor	edx, edx
		cmp	esi, [eax+1F4h]
		pop	esi
		setz	dl
		mov	eax, edx
		retn
_MmIsSessionLeaderProcess@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpDeviceRaisePropertyChangeEventWorker proc near
					; CODE XREF: _PnpObjectRaisePropertyChangeEvent+25p

var_B6		= byte ptr -0B6h
var_B5		= byte ptr -0B5h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A2		= byte ptr -0A2h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
Source2		= dword	ptr -7Ch
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00908815 SIZE 00000064 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0A4h+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+0A4h+var_8C], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+0A4h+var_90], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+0B0h+var_68]
		mov	ebx, [ebp+arg_8]
		stosd
		mov	esi, ecx
		mov	ecx, [ebp+arg_4]
		mov	[esp+0B0h+var_A0], edx
		xor	edx, edx
		mov	[esp+0B0h+var_84], ecx
		stosd
		mov	[esp+0B0h+var_98], edx
		mov	[esp+0B0h+var_94], edx
		mov	[esp+0B0h+var_80], edx
		stosd
		mov	[esp+0B0h+var_88], edx
		stosd
		xor	eax, eax
		lea	edi, [esp+0B0h+Source2]
		stosd
		stosd
		stosd
		stosd
		stosd
		test	ecx, ecx
		jnz	short loc_867F8D
		mov	edi, [ebx+10h]
		cmp	edi, 6
		jz	loc_8680DA

loc_867F84:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+1DCj
		cmp	edi, 64h
		jz	loc_908815

loc_867F8D:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+66j
					; _PnpDeviceRaisePropertyChangeEventWorker+A0917j
		mov	edi, [esp+0B0h+var_90]
		mov	[esp+0B0h+var_A2], 0

loc_867F96:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+200j
		mov	eax, [esp+0B0h+var_8C]
		mov	[esp+0B0h+var_9C], eax
		mov	eax, [esp+0B0h+var_84]
		mov	[esp+0B0h+var_98], eax
		lea	eax, [esp+0B0h+var_9C]
		push	eax
		push	4
		push	1
		push	[esp+0BCh+var_A0]
		mov	[esp+0C0h+var_94], ebx
		push	esi
		call	edi
		mov	edx, [esp+0C4h+var_B4]
		lea	eax, [esp+0C4h+var_B0]
		push	edi
		push	eax
		push	0Ch
		push	offset off_4015B0
		push	ebx
		push	1
		mov	ecx, esi
		call	__PnpNotifyDerivedKeys@32 ; _PnpNotifyDerivedKeys(x,x,x,x,x,x,x,x)
		push	3
		mov	edx, offset off_40157C
		mov	ecx, ebx
		call	__PnpHasDerivedKeys@12 ; _PnpHasDerivedKeys(x,x,x)
		cmp	[esp+0C4h+var_B6], 0
		mov	[esp+0C4h+var_B5], al
		jnz	short loc_86802D
		test	al, al
		jnz	short loc_86802D

loc_867FF2:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+14Dj
					; _PnpDeviceRaisePropertyChangeEventWorker+154j ...
		push	1
		mov	edx, offset off_4015A0
		mov	ecx, ebx
		call	__PnpHasDerivedKeys@12 ; _PnpHasDerivedKeys(x,x,x)
		mov	cl, al
		mov	al, [esp+0C4h+var_B6]
		test	al, al
		jnz	loc_868130
		test	cl, cl
		jnz	loc_868130

loc_868016:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+254j
					; _PnpDeviceRaisePropertyChangeEventWorker+A0964j
		mov	ecx, [esp+0C4h+var_18]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_86802D:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+DCj
					; _PnpDeviceRaisePropertyChangeEventWorker+E0j
		mov	edx, [esp+0C4h+var_B4]
		lea	eax, [esp+0C4h+var_9C]
		push	0
		push	eax
		push	10h
		lea	eax, [esp+0D0h+Source2]
		mov	ecx, esi
		push	eax
		lea	eax, [esp+0D4h+var_94]
		push	eax
		push	offset _DEVPKEY_Device_ContainerId
		push	0
		push	[esp+0E0h+var_A0]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000225h
		jz	short loc_867FF2
		cmp	eax, 0C0000034h
		jz	short loc_867FF2
		test	eax, eax
		js	loc_908832
		push	10h		; Length
		lea	eax, [esp+0C8h+Source2]
		push	eax		; Source2
		push	offset dword_40727C ; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jz	loc_867FF2
		push	ecx		; int
		lea	edx, [esp+0C8h+var_6C] ; void *
		lea	ecx, [esp+0C8h+Source2]	; int
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		test	eax, eax
		js	loc_908832
		cmp	[esp+0C4h+var_B6], 0
		jnz	short loc_868115

loc_8680A5:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+21Bj
		cmp	[esp+0C4h+var_B5], 0
		jz	loc_867FF2
		and	[esp+0C4h+var_B0], 0
		lea	eax, [esp+0C4h+var_B0]
		and	[esp+0C4h+var_AC], 0
		lea	edx, [esp+0C4h+var_6C]
		push	edi
		push	eax
		push	3
		push	offset off_40157C
		push	ebx
		push	5
		mov	ecx, esi
		call	__PnpNotifyDerivedKeys@32 ; _PnpNotifyDerivedKeys(x,x,x,x,x,x,x,x)
		jmp	loc_867FF2
; 

loc_8680DA:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+6Ej
		push	10h		; size_t
		push	offset _DEVPKEY_Device_SessionId ; void	*
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_867F84

loc_8680F2:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+A091Dj
		and	[esp+0B0h+var_9C], 0
		lea	eax, [esp+0B0h+var_9C]
		mov	edi, [esp+0B0h+var_90]
		push	eax
		push	5
		push	1
		push	[esp+0BCh+var_A0]
		mov	[esp+0C0h+var_A2], 1
		push	esi
		call	edi
		jmp	loc_867F96
; 

loc_868115:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+193j
		and	[esp+0C4h+var_B0], 0
		lea	eax, [esp+0C4h+var_B0]
		push	eax
		push	5
		push	5
		lea	eax, [esp+0D0h+var_6C]
		push	eax
		push	esi
		call	edi
		jmp	loc_8680A5
; 

loc_868130:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+F8j
					; _PnpDeviceRaisePropertyChangeEventWorker+100j
		mov	[esp+0C4h+var_90], edi
		mov	byte ptr [esp+0C4h+var_80], al
		test	cl, cl
		jnz	loc_90884A

loc_868140:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+A094Ej
		xor	ebx, ebx
		lea	eax, [esp+0C4h+var_9C]
		push	ebx
		push	eax
		push	ebx
		push	ebx
		lea	eax, [esp+0D4h+var_90]
		xor	edx, edx
		push	eax
		push	offset _PnpUpdateInterfacesCallback
		push	ebx
		push	[esp+0E0h+var_B4]
		mov	ecx, esi
		call	_CmGetMatchingFilteredDeviceInterfaceList
		test	eax, eax
		jns	loc_868016
		jmp	loc_908863
_PnpDeviceRaisePropertyChangeEventWorker endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpHasDerivedKeys(x, x, x)
__PnpHasDerivedKeys@12 proc near	; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+CEp
					; _PnpDeviceRaisePropertyChangeEventWorker+EBp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		xor	edi, edi
		mov	edx, ecx
		mov	[ebp+var_8], edx
		cmp	[ebp+arg_0], edi
		jbe	short loc_8681C2

loc_868189:				; CODE XREF: _PnpHasDerivedKeys(x,x,x)+50j
		mov	eax, [esi+4]
		xor	ebx, ebx
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_8681B9
		mov	eax, [edx+10h]
		mov	ecx, [esi]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_4]
		mov	[ebp+var_10], ecx

loc_8681A3:				; CODE XREF: _PnpHasDerivedKeys(x,x,x)+47j
		mov	ecx, [ecx+ebx*4]
		mov	edx, [ebp+var_C]
		cmp	edx, [ecx+10h]
		mov	edx, [ebp+var_8]
		jz	short loc_8681CB

loc_8681B1:				; CODE XREF: _PnpHasDerivedKeys(x,x,x)+71j
		mov	ecx, [ebp+var_10]
		inc	ebx
		cmp	ebx, eax
		jb	short loc_8681A3

loc_8681B9:				; CODE XREF: _PnpHasDerivedKeys(x,x,x)+23j
		inc	edi
		add	esi, 0Ch
		cmp	edi, [ebp+arg_0]
		jb	short loc_868189

loc_8681C2:				; CODE XREF: _PnpHasDerivedKeys(x,x,x)+17j
		xor	al, al

loc_8681C4:				; CODE XREF: _PnpHasDerivedKeys(x,x,x)+75j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8681CB:				; CODE XREF: _PnpHasDerivedKeys(x,x,x)+3Fj
		push	10h		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8681E3
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_8]
		jmp	short loc_8681B1
; 

loc_8681E3:				; CODE XREF: _PnpHasDerivedKeys(x,x,x)+69j
		mov	al, 1
		jmp	short loc_8681C4
__PnpHasDerivedKeys@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; int __fastcall PnpStringFromGuid(int,void *,int)
_PnpStringFromGuid@12 proc near		; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+1BEp
					; IopGetDeviceInterfaces+90p ...
		movzx	eax, byte ptr [ecx+0Fh]
		push	eax
		movzx	eax, byte ptr [ecx+0Eh]
		push	eax
		movzx	eax, byte ptr [ecx+0Dh]
		push	eax
		movzx	eax, byte ptr [ecx+0Ch]
		push	eax
		movzx	eax, byte ptr [ecx+0Bh]
		push	eax
		movzx	eax, byte ptr [ecx+0Ah]
		push	eax
		movzx	eax, byte ptr [ecx+9]
		push	eax
		movzx	eax, byte ptr [ecx+8]
		push	eax
		movzx	eax, word ptr [ecx+6]
		push	eax
		movzx	eax, word ptr [ecx+4]
		push	eax
		push	dword ptr [ecx]	; char
		push	offset ??_C@_1GI@JHCBPFLC@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4@NNGAKEGL@ ;	wchar_t	*
		push	800h		; int
		push	0		; int
		push	0		; int
		push	27h		; int
		push	edx		; void *
		call	RtlStringCchPrintfExW
		add	esp, 44h
		retn	4
_PnpStringFromGuid@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopErrorLogThread proc near		; DATA XREF: .text:0056480Co
					; IopErrorLogDpc(x,x,x,x)+2Ao ...

var_652		= byte ptr -652h
var_651		= byte ptr -651h
var_650		= dword	ptr -650h
var_642		= byte ptr -642h
var_641		= byte ptr -641h
var_640		= dword	ptr -640h
var_63C		= dword	ptr -63Ch
var_638		= dword	ptr -638h
var_634		= dword	ptr -634h
var_630		= dword	ptr -630h
var_62C		= dword	ptr -62Ch
var_628		= dword	ptr -628h
var_624		= dword	ptr -624h
var_620		= dword	ptr -620h
var_61C		= dword	ptr -61Ch
var_618		= dword	ptr -618h
var_614		= dword	ptr -614h
var_510		= dword	ptr -510h
var_408		= word ptr -408h
var_208		= dword	ptr -208h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00908879 SIZE 00000133 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 644h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+644h+var_4], eax
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	[esp+650h+var_63C], ebx
		mov	[esp+650h+var_638], ebx
		mov	[esp+650h+var_62C], ebx
		mov	[esp+650h+var_628], ebx
		mov	[esp+650h+var_634], ebx
		mov	[esp+650h+var_630], ebx
		call	_IopErrorLogConnectSession@0 ; IopErrorLogConnectSession()
		test	al, al
		jz	loc_868432
		mov	[esp+650h+var_640], ebx

loc_868282:				; CODE XREF: IopErrorLogThread+1F5j
		call	IopErrorLogGetEntry
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_868432
		mov	edi, [ebx+0Ch]
		lea	eax, [ebx+1Ch]
		mov	[esp+650h+var_624], eax
		movzx	eax, word ptr [ebx-2]
		sub	eax, 20h
		mov	[esp+650h+var_61C], edi
		mov	[esp+650h+var_620], eax
		lea	eax, [esp+650h+var_63C]
		test	edi, edi
		jz	loc_9088C4
		push	0
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		cmp	dword ptr [edi+20h], 0
		jz	loc_908879
		mov	eax, [edi+1Ch]
		mov	[esp+650h+var_63C], eax
		mov	ecx, [edi+20h]
		mov	[esp+650h+var_638], ecx

loc_8682D6:				; CODE XREF: IopErrorLogThread+A0645j
		mov	dx, word ptr [esp+650h+var_63C]
		test	dx, dx
		jz	loc_908882

loc_8682E4:				; CODE XREF: IopErrorLogThread+A06A9j
		movzx	eax, dx
		shr	eax, 1
		dec	eax
		push	5Ch
		pop	edi
		lea	eax, [ecx+eax*2]
		cmp	[eax], di
		jz	short loc_868306

loc_8682F5:				; CODE XREF: IopErrorLogThread+C7j
		cmp	eax, ecx
		jz	short loc_868301
		sub	eax, 2
		cmp	[eax], di
		jnz	short loc_8682F5

loc_868301:				; CODE XREF: IopErrorLogThread+BFj
		cmp	[eax], di
		jnz	short loc_868309

loc_868306:				; CODE XREF: IopErrorLogThread+BBj
		add	eax, 2

loc_868309:				; CODE XREF: IopErrorLogThread+CCj
		sub	ecx, eax
		mov	[esp+650h+var_638], eax
		add	dx, cx
		mov	word ptr [esp+650h+var_63C], dx

loc_868317:				; CODE XREF: IopErrorLogThread+A06A3j
		and	[esp+650h+var_640], 0
		lea	edi, [esp+650h+var_510]
		mov	eax, [ebx+8]
		mov	[esp+650h+var_641], 0
		test	eax, eax
		jnz	loc_9088E6

loc_868333:				; CODE XREF: IopErrorLogThread+A06FFj
					; IopErrorLogThread+A070Aj
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		lea	eax, [esp+654h+var_62C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [esp+650h+var_628]

loc_868346:				; CODE XREF: IopErrorLogThread+A071Dj
		xor	eax, eax
		mov	[esp+650h+var_408], ax
		mov	word ptr [esp+650h+var_208], ax
		cmp	[esp+650h+var_638], eax
		jz	short loc_86837F
		movzx	eax, word ptr [esp+650h+var_63C]
		lea	ecx, [esp+650h+var_408]
		shr	eax, 1
		mov	edx, 100h
		push	eax
		push	[esp+654h+var_638]
		call	RtlStringCchCopyNW
		mov	ecx, [esp+650h+var_628]

loc_86837F:				; CODE XREF: IopErrorLogThread+124j
		test	ecx, ecx
		jz	short loc_86839D
		movzx	eax, word ptr [esp+650h+var_62C]
		mov	edx, 100h
		shr	eax, 1
		push	eax
		push	ecx
		lea	ecx, [esp+658h+var_208]
		call	RtlStringCchCopyNW

loc_86839D:				; CODE XREF: IopErrorLogThread+149j
		cmp	[esp+650h+var_641], 1
		jz	loc_90895A

loc_8683A8:				; CODE XREF: IopErrorLogThread+A072Aj
		mov	edi, [esp+650h+var_624]
		mov	eax, [edi+0Ch]
		cmp	eax, 40040025h
		jz	loc_908967
		cmp	eax, 40040024h
		jz	loc_908967

loc_8683C5:				; CODE XREF: IopErrorLogThread+A0745j
		mov	ecx, [esp+650h+var_630]
		mov	eax, [esp+650h+var_634]

loc_8683CD:				; CODE XREF: IopErrorLogThread+A075Ej
		mov	edx, [esp+650h+var_620]
		lea	esi, [ebx-4]
		push	ecx
		push	eax
		lea	eax, [esp+658h+var_208]
		push	eax
		lea	eax, [esp+65Ch+var_408]
		push	eax
		lea	eax, [esi+18h]
		push	eax
		push	ecx
		push	ecx
		mov	ecx, edi
		call	EtwWriteErrorLogEntry
		test	eax, eax
		js	loc_90899B
		movzx	eax, word ptr [esi+2]
		mov	ecx, offset _IopErrorLogAllocation
		neg	eax
		lock xadd [ecx], eax
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jnz	short loc_868449

loc_868411:				; CODE XREF: IopErrorLogThread+216j
		cmp	[esp+650h+var_61C], 0
		jz	short loc_868420
		mov	ecx, [esi+10h]
		call	ObfDereferenceObject

loc_868420:				; CODE XREF: IopErrorLogThread+1DEj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[esp+650h+var_640], 0
		jmp	loc_868282
; 

loc_868432:				; CODE XREF: IopErrorLogThread+40j
					; IopErrorLogThread+53j ...
		mov	ecx, [esp+650h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_868449:				; CODE XREF: IopErrorLogThread+1D7j
		call	ObfDereferenceObject
		jmp	short loc_868411
IopErrorLogThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwWriteErrorLogEntry proc near		; CODE XREF: IopErrorLogThread+1B6p

var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_240		= dword	ptr -240h
var_1F4		= dword	ptr -1F4h
var_1F0		= byte ptr -1F0h
var_1EE		= word ptr -1EEh
var_1EC		= dword	ptr -1ECh
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_F0		= dword	ptr -0F0h
var_DC		= dword	ptr -0DCh
var_D8		= byte ptr -0D8h
var_D7		= byte ptr -0D7h
var_D6		= word ptr -0D6h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_8		= dword	ptr -8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= word ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 009089AC SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 288h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		xor	eax, eax
		mov	[ebp+var_264], edx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_27C], eax
		mov	[ebp+var_278], eax
		movzx	eax, _IopErrorLogSession
		mov	[ebp+var_284], eax
		lea	ecx, [ebx+0Ch]
		mov	[ebp+var_260], ebx
		mov	eax, [ecx]
		shr	eax, 1Eh
		push	esi
		push	edi
		cmp	eax, 1
		jnz	loc_86881E
		mov	al, 4

loc_8684A4:				; CODE XREF: EtwWriteErrorLogEntry+3D6j
		xor	edx, edx
		mov	[ebp+var_D8], al
		mov	ax, [ebx+8]
		xor	edi, edi
		mov	[ebp+var_DC], edx
		mov	[ebp+var_D7], dl
		mov	[ebp+var_D4], edx
		mov	[ebp+var_D0], edx
		mov	[ebp+var_C8], edx
		mov	[ebp+var_C0], edx
		mov	[ebp+var_B8], edx
		mov	[ebp+var_B0], edx
		mov	edx, [ebp+arg_C]
		mov	[ebp+var_BC], ecx
		mov	ecx, edx
		mov	[ebp+var_D6], ax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_CC], eax
		mov	[ebp+var_C4], 8
		lea	esi, [ecx+2]
		mov	[ebp+var_B4], 4

loc_868514:				; CODE XREF: EtwWriteErrorLogEntry+CDj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_868514
		mov	edi, [ebp+var_264]
		sub	ecx, esi
		sar	ecx, 1
		inc	ecx
		mov	[ebp+var_9C], edx
		movzx	eax, cx
		xor	edx, edx
		mov	[ebp+var_270], eax
		lea	eax, [ebp+var_270]
		mov	[ebp+var_AC], eax
		xor	eax, eax
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A0], eax
		push	2
		movzx	eax, cx
		mov	cx, [ebp+arg_14]
		add	eax, eax
		mov	[ebp+var_94], eax
		lea	eax, [ebp+arg_14]
		mov	[ebp+var_98], edx
		mov	[ebp+var_90], edx
		mov	[ebp+var_8C], eax
		mov	[ebp+var_88], edx
		mov	[ebp+var_80], edx
		pop	esi
		mov	[ebp+var_A4], esi
		mov	[ebp+var_84], esi
		push	5
		pop	esi
		test	cx, cx
		jnz	loc_9089AC

loc_86859D:				; CODE XREF: EtwWriteErrorLogEntry+A0571j
		movzx	edx, word ptr [ebx+2]
		add	edx, 28h
		mov	[ebp+var_280], esi
		mov	[ebp+var_25C], edx
		mov	[ebp+var_26C], edx
		cmp	edx, edi
		ja	loc_9089C6

loc_8685BE:				; CODE XREF: EtwWriteErrorLogEntry+A0584j
		movzx	ecx, word ptr [ebx+4]
		test	cx, cx
		jz	short loc_8685D3
		movzx	eax, word ptr [ebx+6]
		cmp	eax, edx
		jb	loc_9089D9

loc_8685D3:				; CODE XREF: EtwWriteErrorLogEntry+175j
					; EtwWriteErrorLogEntry+A058Dj
		mov	edi, esi
		mov	[ebp+var_268], ecx
		add	edi, edi
		lea	eax, [ecx+1]
		xor	ecx, ecx
		mov	[ebx+4], ax
		mov	[ebp+var_258], ecx
		lea	eax, [ebp+var_258]
		xor	edx, edx
		mov	[ebp+edi*8+var_C8], ecx
		mov	[ebp+edi*8+var_C0], ecx
		mov	ecx, [ebp+arg_10]
		mov	[ebp+edi*8+var_CC], eax
		mov	[ebp+edi*8+var_C4], 2
		lea	eax, [ecx+2]
		mov	[ebp+var_274], eax

loc_868620:				; CODE XREF: EtwWriteErrorLogEntry+1D9j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, dx
		jnz	short loc_868620
		sub	ecx, [ebp+var_274]
		add	esi, 2
		mov	eax, [ebp+arg_10]
		mov	edx, [ebp+var_25C]
		mov	[ebp+edi*8+var_BC], eax
		xor	eax, eax
		sar	ecx, 1
		mov	[ebp+edi*8+var_B8], eax
		lea	eax, [ecx+1]
		movzx	eax, ax
		add	eax, eax
		mov	[ebp+edi*8+var_B4], eax
		xor	eax, eax
		mov	[ebp+edi*8+var_B0], eax
		cmp	[ebp+var_268], eax
		jbe	loc_8686F6
		movzx	eax, word ptr [ebx+6]
		lea	esi, [ebx+1]
		mov	edi, [ebp+var_264]
		add	esi, eax
		mov	ecx, [ebp+var_278]
		and	esi, 0FFFFFFFEh
		mov	edx, [ebp+var_27C]
		add	edi, ebx

loc_868693:				; CODE XREF: EtwWriteErrorLogEntry+268j
		movzx	eax, cx
		lea	eax, [esi+eax*2]
		cmp	eax, edi
		jnb	short loc_8686BA
		xor	ebx, ebx
		cmp	[eax], bx
		mov	ebx, [ebp+var_258]
		jz	loc_86880C

loc_8686AE:				; CODE XREF: EtwWriteErrorLogEntry+3C9j
		movzx	eax, bx
		inc	ecx
		cmp	eax, [ebp+var_268]
		jb	short loc_868693

loc_8686BA:				; CODE XREF: EtwWriteErrorLogEntry+24Bj
		mov	edi, [ebp+var_280]
		xor	ebx, ebx
		mov	ecx, edi
		movzx	eax, dx
		mov	edx, [ebp+var_25C]
		add	ecx, ecx
		add	eax, eax
		mov	[ebp+ecx*8+var_AC], esi
		lea	esi, [edi+3]
		mov	[ebp+ecx*8+var_A8], ebx
		mov	[ebp+ecx*8+var_A0], ebx
		mov	ebx, [ebp+var_260]
		mov	[ebp+ecx*8+var_A4], eax

loc_8686F6:				; CODE XREF: EtwWriteErrorLogEntry+21Dj
		inc	[ebp+var_258]
		lea	ecx, [ebp+var_26C]
		mov	eax, esi
		add	eax, eax
		push	178h		; size_t
		mov	[ebp+eax*8+var_CC], ecx
		xor	ecx, ecx
		mov	[ebp+eax*8+var_C8], ecx
		inc	esi
		mov	[ebp+eax*8+var_C4], 4
		mov	[ebp+eax*8+var_C0], ecx
		mov	eax, esi
		add	eax, eax
		mov	[ebp+var_260], esi
		push	ecx		; int
		mov	[ebp+eax*8+var_CC], ebx
		mov	[ebp+eax*8+var_C8], ecx
		mov	[ebp+eax*8+var_C4], edx
		mov	[ebp+eax*8+var_C0], ecx
		lea	eax, [ebp+var_254]
		push	eax		; void *
		call	_memset
		mov	eax, ds:_EtwpHostSiloState
		lea	edi, [ebp+var_240]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	esi, offset _LegacyEventLogGuid
		mov	dl, 1
		push	ecx
		movsd
		push	ecx
		push	ecx
		push	ecx
		movsd
		push	ecx
		push	ecx
		movsd
		movsd
		or	[ebp+var_1E4], 0FFFFFFFFh
		or	[ebp+var_1E0], 0FFFFFFFFh
		mov	[ebp+var_F0], eax
		mov	eax, [ebp+var_284]
		mov	[ebp+var_1EE], ax
		lea	eax, [ebp+var_CC]
		push	eax
		mov	eax, [ebp+var_260]
		inc	eax
		mov	[ebp+var_1DC], ecx
		push	eax
		push	ecx
		push	ecx
		push	4
		push	ecx
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_1D8], ecx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		lea	ecx, [ebp+var_254]
		mov	[ebp+var_1F4], 1
		mov	[ebp+var_1F0], 0FFh
		mov	[ebp+var_1EC], 40h
		call	_EtwpEventWriteFull@72 ; EtwpEventWriteFull(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_9089E2

loc_8687FB:				; CODE XREF: EtwWriteErrorLogEntry+A059Bj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
; 

loc_86880C:				; CODE XREF: EtwWriteErrorLogEntry+258j
		inc	ebx
		lea	eax, [ecx+1]
		mov	[ebp+var_258], ebx
		movzx	edx, ax
		jmp	loc_8686AE
; 

loc_86881E:				; CODE XREF: EtwWriteErrorLogEntry+4Cj
		cmp	eax, 2
		setz	al
		add	al, 2
		jmp	loc_8684A4
EtwWriteErrorLogEntry endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopErrorLogConnectSession()
_IopErrorLogConnectSession@0 proc near	; CODE XREF: IopErrorLogThread+39p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		cmp	_ErrorLogSessionOpened,	0
		jz	short loc_868848

loc_868844:				; CODE XREF: IopErrorLogConnectSession()+42j
		mov	al, 1
		leave
		retn
; 

loc_868848:				; CODE XREF: IopErrorLogConnectSession()+16j
		push	offset ??_C@_1CA@KOKODHP@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAl?$AAo?$AAg?$AA?9?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm@NNGAKEGL@
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, offset _IopErrorLogSession
		lea	ecx, [ebp+var_8]
		call	_EtwQueryTraceHandleByLoggerName@8 ; EtwQueryTraceHandleByLoggerName(x,x)
		test	eax, eax
		js	short loc_868870
		mov	_ErrorLogSessionOpened,	1
		jmp	short loc_868844
; 

loc_868870:				; CODE XREF: IopErrorLogConnectSession()+39j
		call	_IopErrorLogQueueRequest@0 ; IopErrorLogQueueRequest()
		xor	al, al
		leave
		retn
_IopErrorLogConnectSession@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2292. RtlQueryModuleInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlQueryModuleInformation
RtlQueryModuleInformation proc near

var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009089F0 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 144h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+144h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	esi, 120h
		mov	[esp+150h+var_134], eax
		push	esi		; size_t
		lea	eax, [esp+154h+var_128]
		mov	[esp+154h+var_13C], ebx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+arg_4], 10Ch
		jnz	loc_9089F0
		mov	eax, ebx
		and	al, 3
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 0C00000F1h

loc_8688DD:				; CODE XREF: RtlQueryModuleInformation+A0190j
		test	eax, eax
		js	loc_8689CB

loc_8688E5:				; CODE XREF: RtlQueryModuleInformation+A0185j
		lea	ebx, [esp+150h+var_128]

loc_8688E9:				; CODE XREF: RtlQueryModuleInformation+18Aj
		and	[esp+150h+var_144], 0
		lea	eax, [esp+150h+var_144]
		push	eax
		push	esi
		push	ebx
		push	0Bh
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	esi, eax
		mov	[esp+150h+var_130], esi
		test	esi, esi
		jns	short loc_868912
		cmp	esi, 0C0000004h
		jnz	loc_8689B9

loc_868912:				; CODE XREF: RtlQueryModuleInformation+86j
		mov	ecx, [esp+150h+var_13C]
		test	ecx, ecx
		jz	loc_868A0D
		test	esi, esi
		js	loc_8689E2
		mov	eax, [ebx]
		mov	edx, eax
		imul	edx, [ebp+arg_4]
		mov	edi, [esp+150h+var_134]
		mov	[esp+150h+var_12C], edx
		cmp	[edi], edx
		jb	loc_868A27
		xor	edi, edi
		mov	[esp+150h+var_138], edi
		test	eax, eax
		jz	short loc_8689B3
		lea	esi, [ecx+8]
		mov	[esp+150h+var_140], esi
		lea	edx, [ebx+1Eh]

loc_868952:				; CODE XREF: RtlQueryModuleInformation+12Bj
		cmp	[ebp+arg_4], 4
		jz	loc_908A20
		cmp	[ebp+arg_4], 10Ch
		jnz	short loc_868992
		mov	eax, [edx-12h]
		mov	edi, [esp+150h+var_140]
		mov	[esi-8], eax
		add	edi, 2
		mov	eax, [edx-0Eh]
		mov	[esi-4], eax
		mov	ax, [edx]
		mov	[esi], ax
		lea	esi, [edx+2]
		push	40h
		pop	ecx
		rep movsd
		mov	ecx, [esp+150h+var_13C]
		mov	edi, [esp+150h+var_138]
		mov	esi, [esp+150h+var_140]

loc_868992:				; CODE XREF: RtlQueryModuleInformation+E5j
					; RtlQueryModuleInformation+A01A8j
		inc	edi
		add	esi, 10Ch
		add	edx, 11Ch
		mov	[esp+150h+var_138], edi
		mov	[esp+150h+var_140], esi
		cmp	edi, [ebx]
		jb	short loc_868952
		mov	esi, [esp+150h+var_130]
		mov	edx, [esp+150h+var_12C]

loc_8689B3:				; CODE XREF: RtlQueryModuleInformation+C8j
					; RtlQueryModuleInformation+1A7j ...
		mov	eax, [esp+150h+var_134]
		mov	[eax], edx

loc_8689B9:				; CODE XREF: RtlQueryModuleInformation+8Ej
		lea	eax, [esp+150h+var_128]
		cmp	ebx, eax
		jz	short loc_8689C9
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8689C9:				; CODE XREF: RtlQueryModuleInformation+141j
		mov	eax, esi

loc_8689CB:				; CODE XREF: RtlQueryModuleInformation+61j
					; RtlQueryModuleInformation+1B5j ...
		mov	ecx, [esp+150h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8689E2:				; CODE XREF: RtlQueryModuleInformation+A2j
		lea	eax, [esp+150h+var_128]
		cmp	ebx, eax
		jnz	loc_908A13

loc_8689EE:				; CODE XREF: RtlQueryModuleInformation+A019Dj
		push	546C7452h
		push	[esp+154h+var_144]
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_868A2E
		mov	esi, [esp+150h+var_144]
		jmp	loc_8688E9
; 

loc_868A0D:				; CODE XREF: RtlQueryModuleInformation+9Aj
		mov	eax, [esp+150h+var_144]
		xor	edx, edx
		add	eax, 0FFFFFFFCh
		mov	ecx, 11Ch
		div	ecx
		mov	edx, eax
		imul	edx, [ebp+arg_4]
		xor	esi, esi
		jmp	short loc_8689B3
; 

loc_868A27:				; CODE XREF: RtlQueryModuleInformation+BAj
		mov	esi, 0C0000023h
		jmp	short loc_8689B3
; 

loc_868A2E:				; CODE XREF: RtlQueryModuleInformation+184j
		mov	eax, 0C000009Ah
		jmp	short loc_8689CB
RtlQueryModuleInformation endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopCurrentPowerStatePrecise(x, x)
_PopCurrentPowerStatePrecise@8 proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+89p
					; PAGELK:0071F2B4p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, edx
		call	_PopBatteryUpdateCurrentState@4	; PopBatteryUpdateCurrentState(x)
		mov	ecx, edi
		mov	esi, eax
		call	_PopCurrentPowerState@4	; PopCurrentPowerState(x)
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_PopCurrentPowerStatePrecise@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBatteryUpdateCurrentState(x)
_PopBatteryUpdateCurrentState@4	proc near ; CODE XREF: PopSleepstudyStartNextSession+D0p
					; PopCurrentPowerStatePrecise(x,x)+8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	[esp+20h+var_C], ecx
		xor	esi, esi
		call	KeQueryInterruptTime
		mov	edi, dword_6C2660
		mov	ebx, eax
		mov	eax, dword_6C2664
		mov	ecx, edx
		mov	[esp+20h+var_8], edi
		add	edi, 2FAF080h
		mov	[esp+20h+var_4], eax
		adc	eax, esi
		cmp	eax, ecx
		ja	short loc_868A94
		jb	short loc_868A9D
		cmp	edi, ebx
		jbe	short loc_868A9D

loc_868A94:				; CODE XREF: PopBatteryUpdateCurrentState(x)+3Aj
					; PopBatteryUpdateCurrentState(x)+77j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_868A9D:				; CODE XREF: PopBatteryUpdateCurrentState(x)+3Cj
					; PopBatteryUpdateCurrentState(x)+40j
		mov	edi, ecx

loc_868A9F:				; CODE XREF: PopBatteryUpdateCurrentState(x)+98j
					; PopBatteryUpdateCurrentState(x)+A0j
		push	20h
		pop	ecx
		call	_PopBatteryQueueWork@4 ; PopBatteryQueueWork(x)
		push	[esp+20h+var_C]
		lea	eax, [esp+24h+var_8]
		mov	edx, offset dword_6C2660
		push	8
		push	eax
		mov	ecx, offset dword_6C2668
		call	ExBlockOnAddressPushLock
		mov	esi, eax
		cmp	esi, 102h
		jz	short loc_868A94
		mov	edx, dword_6C2660
		mov	ecx, dword_6C2664
		mov	[esp+20h+var_8], edx
		add	edx, 2FAF080h
		mov	[esp+20h+var_4], ecx
		adc	ecx, 0
		cmp	ecx, edi
		jb	short loc_868A9F
		ja	short loc_868A94
		cmp	edx, ebx
		ja	short loc_868A94
		jmp	short loc_868A9F
_PopBatteryUpdateCurrentState@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdateConsoleDisplayState(x)
_PopUpdateConsoleDisplayState@4	proc near ; CODE XREF: NtPowerInformation+1133p
					; PopPowerInformationInternal+1712F5p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		cmp	_PopConsoleDisplayState, esi
		jz	short loc_868B82
		mov	_PopConsoleDisplayState, esi
		call	_PopDiagTraceConsoleDisplayState@4 ; PopDiagTraceConsoleDisplayState(x)
		call	PopCheckResiliencyScenarios
		mov	eax, _PopConsoleDisplayState
		mov	ecx, offset _GUID_CONSOLE_DISPLAY_STATE	; "VoJpG$oG"
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax		; void *
		push	4
		pop	edx
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		mov	ecx, esi
		call	_PopRecordDisplayState@4 ; PopRecordDisplayState(x)
		xor	eax, eax
		mov	ecx, offset _GUID_MONITOR_POWER_ON ; int
		cmp	_PopConsoleDisplayState, eax
		setnz	al
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax		; void *
		push	4
		pop	edx
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	offset _WNF_UBPM_CONSOLE_MONITOR
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		cmp	_PopConsoleDisplayState, 0
		setz	dl
		xor	ecx, ecx
		call	_PopSpoilBatteryEstimate@8 ; PopSpoilBatteryEstimate(x,x)
		mov	ecx, esi
		call	_PopUpdateSystemIdleConsoleDisplayState@4 ; PopUpdateSystemIdleConsoleDisplayState(x)

loc_868B82:				; CODE XREF: PopUpdateConsoleDisplayState(x)+Fj
		pop	esi
		leave
		retn
_PopUpdateConsoleDisplayState@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopConnectedStandbySettingCallback(void	*,int,int,int)
PopConnectedStandbySettingCallback proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00908A2B SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_CONSOLE_DISPLAY_STATE ; "VoJpG$oG"
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_868BCA
		cmp	[ebp+arg_8], 4
		jnz	short loc_868BCA
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_868BCA
		cmp	_PopPlatformAoAc, 0
		mov	eax, [eax]
		jnz	loc_908A2B
		mov	ebx, 0C00000BBh

loc_868BC3:				; CODE XREF: PopConnectedStandbySettingCallback+46j
					; PopConnectedStandbySettingCallback+9FEB9j ...
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_868BCA:				; CODE XREF: PopConnectedStandbySettingCallback+1Aj
					; PopConnectedStandbySettingCallback+20j ...
		xor	ebx, ebx
		jmp	short loc_868BC3
PopConnectedStandbySettingCallback endp


;  S U B	R O U T	I N E 


; __stdcall PopUpdateSystemIdleConsoleDisplayState(x)
_PopUpdateSystemIdleConsoleDisplayState@4 proc near
					; CODE XREF: PopUpdateConsoleDisplayState(x)+89p
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopSystemIdleLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C00E4, eax
		call	_PopUpdateLastUserInputTime@0 ;	PopUpdateLastUserInputTime()
		cmp	dword_6C00E4, 0
		mov	dword_6B3D48, esi
		jz	short loc_868C14
		and	dword_6C00E4, 0

loc_868C14:				; CODE XREF: PopUpdateSystemIdleConsoleDisplayState(x)+3Dj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopUpdateSystemIdleConsoleDisplayState@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopUpdateLastUserInputTime()
_PopUpdateLastUserInputTime@0 proc near	; CODE XREF: PopUpdateSystemIdleConsoleDisplayState(x)+2Bp
					; PopSystemIdleWorker()+4Fp
		mov	ecx, 0FFDF02E4h
		xor	edx, edx
		mov	ecx, [ecx]
		cmp	dword_6B3D48, edx
		jnz	short loc_868C47
		mov	eax, offset unk_6B3D40

loc_868C3A:				; CODE XREF: PopUpdateLastUserInputTime()+29j
		cmp	[eax], ecx
		jz	short locret_868C4F
		mov	[eax], ecx
		mov	ecx, edx
		jmp	_PopPulseSystemIdleEvent@4 ; PopPulseSystemIdleEvent(x)
; 

loc_868C47:				; CODE XREF: PopUpdateLastUserInputTime()+Fj
		inc	edx
		mov	eax, offset unk_6B3D44
		jmp	short loc_868C3A
; 

locret_868C4F:				; CODE XREF: PopUpdateLastUserInputTime()+18j
		retn
_PopUpdateLastUserInputTime@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSpoilBatteryEstimate(x, x)
_PopSpoilBatteryEstimate@8 proc	near	; CODE XREF: PopSpoilEstimatesOnPowerStateTransitionWorker(x)+5p
					; PopUpdateConsoleDisplayState(x)+82p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		push	edi
		cmp	esi, 2
		jge	loc_868D18
		mov	al, 1
		shl	al, cl
		mov	ecx, offset _PopEstimateSpoilerMask
		movzx	eax, al
		test	bl, bl
		jnz	loc_868D2A
		not	eax
		lock and [ecx],	eax

loc_868C8F:				; CODE XREF: PopSpoilBatteryEstimate(x,x)+DDj
		push	4
		pop	edi
		mov	ecx, edi
		call	_PopBatteryQueueWork@4 ; PopBatteryQueueWork(x)
		mov	eax, offset ??_C@_0N@MEHIGHAC@indefinitely@NNGAKEGL@
		test	bl, bl
		jnz	short loc_868CA7
		mov	eax, (offset loc_8BD0ED+7)

loc_868CA7:				; CODE XREF: PopSpoilBatteryEstimate(x,x)+50j
		push	_PopEstimateSpoilerMask
		push	esi
		push	eax		; char
		push	(offset	loc_8BD11E+4) ;	char *
		push	3		; int
		push	92h		; int
		call	_DbgPrintEx
		add	esp, 18h
		cmp	dword_6B23F8, 5
		jbe	short loc_868D18
		movzx	eax, bl
		xor	ecx, ecx
		mov	[esp+60h+var_50], eax
		lea	eax, [esp+60h+var_50]
		mov	[esp+60h+var_28], eax
		lea	eax, [esp+60h+var_4C]
		mov	[esp+60h+var_18], eax
		lea	eax, [esp+60h+var_48]
		push	eax
		push	edi
		push	ecx
		push	ecx
		push	(offset	loc_41FDFC+4)
		push	offset dword_6B23F8
		mov	[esp+78h+var_24], ecx
		mov	[esp+78h+var_20], edi
		mov	[esp+78h+var_1C], ecx
		mov	[esp+78h+var_4C], esi
		mov	[esp+78h+var_14], ecx
		mov	[esp+78h+var_10], edi
		mov	[esp+78h+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_868D18:				; CODE XREF: PopSpoilBatteryEstimate(x,x)+20j
					; PopSpoilBatteryEstimate(x,x)+7Aj
		mov	ecx, [esp+60h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_868D2A:				; CODE XREF: PopSpoilBatteryEstimate(x,x)+34j
		lock or	[ecx], eax
		jmp	loc_868C8F
_PopSpoilBatteryEstimate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopBatteryWorker proc near		; DATA XREF: PopBatteryInit()+5o

var_2A8		= byte ptr -2A8h
var_2A7		= byte ptr -2A7h
var_2A6		= byte ptr -2A6h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_299		= dword	ptr -299h
var_294		= dword	ptr -294h
var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_285		= byte ptr -285h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_1E0		= dword	ptr -1E0h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_188		= dword	ptr -188h
var_178		= dword	ptr -178h
var_168		= dword	ptr -168h
var_158		= dword	ptr -158h
var_148		= dword	ptr -148h
var_138		= dword	ptr -138h
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00908A9A SIZE 00000984 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2ACh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2ACh+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [esp+2B4h+var_204]
		push	edi
		push	3Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	[esp+2C4h+var_268], ebx
		mov	[esp+2C4h+var_264], ebx
		mov	[esp+2C4h+var_260], ebx
		mov	[esp+2C4h+var_25C], ebx
		mov	[esp+2C4h+var_220], ebx
		mov	[esp+2C4h+var_21C], ebx
		mov	[esp+2C4h+var_2A6], bl
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExAcquirePushLockSharedEx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopCB
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C2524, eax
		call	PopGetDischargeStartStatus
		mov	esi, dword_6C253C
		mov	edi, offset dword_6C253C
		mov	[esp+2B8h+var_280], eax

loc_868DDB:				; CODE XREF: PopBatteryWorker+9FD72j
		cmp	esi, edi
		jnz	loc_908A9A
		mov	esi, dword_6C253C

loc_868DE9:				; CODE XREF: PopBatteryWorker+9FD86j
		cmp	esi, edi
		jnz	loc_908AA9
		mov	bh, bl
		mov	[esp+13h], bl
		mov	[esp+2B8h+var_2A7], bh
		mov	esi, offset dword_6C2650
		xor	edi, edi

loc_868E02:				; CODE XREF: PopBatteryWorker+25Ej
		mov	ecx, offset _PopBatteryWorkRequests
		mov	eax, 80000000h
		xchg	eax, [ecx]
		mov	ebx, eax
		mov	[esp+2B8h+var_284], eax
		shr	ebx, 1
		and	ebx, 0FFFFFF01h
		mov	[esp+2B8h+var_2A4], ebx
		test	al, 8
		jnz	loc_908ABD

loc_868E28:				; CODE XREF: PopBatteryWorker+9FD90j
		test	al, 10h
		jnz	loc_8690B8

loc_868E30:				; CODE XREF: PopBatteryWorker+39Bj
		test	al, 40h
		jnz	loc_908AC7

loc_868E38:				; CODE XREF: PopBatteryWorker+9FDF2j
		mov	eax, dword_6C253C
		mov	edi, offset dword_6C253C
		cmp	eax, edi
		jnz	loc_908B29

loc_868E4A:				; CODE XREF: PopBatteryWorker+9FE57j
		mov	esi, dword_6C2534
		mov	ebx, offset dword_6C2534

loc_868E55:				; CODE XREF: PopBatteryWorker+9FE8Cj
		cmp	esi, ebx
		jnz	loc_908B8E
		mov	ebx, dword_6C253C
		cmp	ebx, edi
		jnz	loc_908BC3

loc_868E6B:				; CODE XREF: PopBatteryWorker+9FF49j
		cmp	byte ptr [esp+2B8h+var_2A4], 0
		jnz	loc_908C80
		mov	al, [esp+2B8h+var_2A7]
		xor	ebx, ebx

loc_868E7C:				; CODE XREF: PopBatteryWorker+9FF67j
		test	byte ptr [esp+2B8h+var_284], 4
		jnz	loc_86905E
		test	al, al
		jnz	loc_86905E

loc_868E8F:				; CODE XREF: PopBatteryWorker+364j
					; PopBatteryWorker+381j
		or	[esp+2B8h+var_268], 0FFFFFFFFh
		lea	edi, [esp+2B8h+var_278]
		or	[esp+2B8h+var_264], 0FFFFFFFFh
		xor	eax, eax
		or	[esp+2B8h+var_284], 0FFFFFFFFh
		or	esi, 0FFFFFFFFh
		stosd
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		cmp	dword_6C252C, 0
		mov	edi, 80000000h
		mov	[esp+2B8h+var_26C], edi
		mov	[esp+2B8h+var_270], esi
		mov	[esp+2B8h+var_2A4], eax
		mov	[esp+2B8h+var_274], eax
		jnz	loc_908CC1
		xor	ebx, ebx
		inc	ebx
		cmp	[esp+2B8h+var_280], 3
		mov	[esp+2B8h+var_278], ebx
		jz	loc_908C9E

loc_868EE2:				; CODE XREF: PopBatteryWorker+9FF7Cj
					; PopBatteryWorker+9FF8Aj ...
		mov	ecx, [esp+2B8h+var_280]
		mov	al, bl
		and	al, 1
		mov	[esp+2B8h+var_285], al
		cmp	ecx, 2
		jz	loc_908E03

loc_868EF7:				; CODE XREF: PopBatteryWorker+A00D5j
		cmp	ecx, 3
		jz	loc_908E0C

loc_868F00:				; CODE XREF: PopBatteryWorker+A00DCj
					; PopBatteryWorker+A00EAj
		mov	eax, dword_6C2544
		mov	ecx, ebx
		and	ecx, 10h
		and	eax, 10h
		cmp	eax, ecx
		jnz	loc_908E21

loc_868F15:				; CODE XREF: PopBatteryWorker+A0116j
					; PopBatteryWorker+A0195j
		mov	eax, ebx
		and	eax, 40h
		test	bl, 20h
		jnz	loc_908ECC
		xor	ebx, ebx

loc_868F25:				; CODE XREF: PopBatteryWorker+A01A2j
		cmp	dword_6C2648, ebx
		jnz	loc_908ED9
		mov	esi, offset dword_6C2650

loc_868F36:				; CODE XREF: PopBatteryWorker+A0269j
		mov	ebx, [esp+2B8h+var_284]
		lea	ecx, [esp+2B8h+var_278]
		mov	edx, ebx
		call	PopBatteryApplyCompositeState
		push	0FFFFFFDFh
		pop	eax
		mov	ecx, offset _PopBatteryWorkRequests
		lock and [ecx],	eax
		call	KeQueryInterruptTime
		xor	edi, edi
		mov	dword_6C2660, eax
		mov	dword_6C2664, edx
		lea	eax, [esp+2B8h+var_27C]
		mov	[esp+2B8h+var_27C], edi
		xor	ecx, ecx
		lock or	[eax], ecx
		cmp	dword_6C2668, ecx
		jnz	loc_8690D2

loc_868F7B:				; CODE XREF: PopBatteryWorker+3ACj
		xor	ecx, ecx
		mov	eax, 80000000h
		mov	edx, offset _PopBatteryWorkRequests
		lock cmpxchg [edx], ecx
		cmp	eax, 80000000h
		jnz	loc_868E02
		mov	esi, dword_6C253C

loc_868F9C:				; CODE XREF: PopBatteryWorker+A027Fj
		cmp	esi, offset dword_6C253C
		jnz	loc_908FA5
		cmp	_PopUserBatteryChargingEstimator, edi
		jnz	short loc_868FC5
		push	edi
		push	edi
		push	edi
		push	edi
		push	8
		lea	eax, [esp+2CCh+var_268]
		push	eax
		push	offset _WNF_PO_CHARGE_ESTIMATE
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_868FC5:				; CODE XREF: PopBatteryWorker+27Cj
		cmp	_PopDisableBatteryDischargeEstimator, edi
		jnz	short loc_868FF9
		cmp	ebx, 0FFFFFFFFh
		jnz	loc_908FB6

loc_868FD6:				; CODE XREF: PopBatteryWorker+A028Bj
		or	ebx, 0FFFFFFFFh
		or	eax, 0FFFFFFFFh

loc_868FDC:				; CODE XREF: PopBatteryWorker+A0293j
		push	edi
		push	edi
		push	edi
		push	edi
		mov	[esp+2C8h+var_25C], eax
		lea	eax, [esp+2C8h+var_260]
		push	8
		push	eax
		push	offset _WNF_PO_DISCHARGE_ESTIMATE
		mov	[esp+2D4h+var_260], ebx
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_868FF9:				; CODE XREF: PopBatteryWorker+299j
		mov	al, [esp+13h]
		mov	bh, [esp+2B8h+var_2A7]
		or	al, bh
		jnz	loc_908FCA

loc_869009:				; CODE XREF: PopBatteryWorker+A0664j
					; PopBatteryWorker+A0691j ...
		cmp	dword_6C2524, 0
		jz	short loc_869018
		mov	dword_6C2524, edi

loc_869018:				; CODE XREF: PopBatteryWorker+2DEj
		xor	edx, edx
		mov	ecx, offset _PopCB
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	dword_6C2044, 0
		jnz	loc_909413

loc_869036:				; CODE XREF: PopBatteryWorker+A06E7j
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esp+2B8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_86905E:				; CODE XREF: PopBatteryWorker+14Fj
					; PopBatteryWorker+157j
		cmp	_PopEstimateSpoilerMask, ebx
		jnz	short loc_86909B
		call	KeQueryInterruptTime
		push	0FFFFFFFFh
		add	eax, 11E1A300h
		mov	ecx, offset unk_6C1D20
		push	0EE1E5D00h
		adc	edx, ebx
		mov	_PopEstimateSpoiledUntilTime, eax
		push	offset _PopPostSpoilingRefresh
		mov	dword_6B3F34, edx
		xor	edx, edx
		push	ebx
		call	KiSetTimerEx
		jmp	loc_868E8F
; 

loc_86909B:				; CODE XREF: PopBatteryWorker+332j
		or	_PopEstimateSpoiledUntilTime, 0FFFFFFFFh
		or	dword_6B3F34, 0FFFFFFFFh
		push	offset unk_6C1D20
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		jmp	loc_868E8F
; 

loc_8690B8:				; CODE XREF: PopBatteryWorker+F8j
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	cl, 80h
		call	_PopResetCBTriggers@4 ;	PopResetCBTriggers(x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	eax, [esp+2B8h+var_284]
		jmp	loc_868E30
; 

loc_8690D2:				; CODE XREF: PopBatteryWorker+243j
		xor	edx, edx
		mov	ecx, offset dword_6C2668
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_868F7B
PopBatteryWorker endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopBatteryApplyCompositeState proc near	; CODE XREF: PopBatteryWorker+20Ep

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8A		= byte ptr -8Ah
var_89		= byte ptr -89h
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090941E SIZE 00000440 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_98], edx
		xor	ebx, ebx
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_94], ebx
		mov	esi, [edi]
		not	esi
		mov	[ebp+var_9C], ebx
		and	esi, 1
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_89], bl
		mov	[ebp+var_B8], esi
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	ecx, esi
		call	PopUpdateAcDcState
		test	al, al
		jnz	loc_90941E

loc_86914B:				; CODE XREF: PopBatteryApplyCompositeState+A037Cj
		cmp	byte_6C2530, bl
		jnz	loc_909465

loc_869157:				; CODE XREF: PopBatteryApplyCompositeState+A03DDj
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		lea	eax, [ebp+var_9C]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	PopBatteryCheckCompositeCapacity
		mov	eax, [edi]
		xor	eax, dword_6C2544
		test	al, 0Fh
		jnz	loc_869329
		cmp	byte_6C2530, bl
		jnz	loc_869329

loc_869188:				; CODE XREF: PopBatteryApplyCompositeState+253j
		mov	ecx, [ebp+var_98]
		mov	esi, edi
		mov	edi, offset dword_6C2544
		lea	eax, [ecx+1]
		movsd
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		movsd
		push	eax
		movsd
		movsd
		push	dword_6C2550
		mov	dword_6C2554, ecx
		push	dword_6C254C
		push	dword_6C2548
		push	dword_6C2544	; char
		push	offset ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@ ; "\nComposite Status\n|--	PowerState = 0x%0"...
		push	3		; int
		push	92h		; int
		call	_DbgPrintEx
		add	esp, 20h
		cmp	dword_6C2568, ebx
		ja	loc_9094C6

loc_8691E1:				; CODE XREF: PopBatteryApplyCompositeState+A03E7j
		xor	cl, cl
		call	PopBatteryTraceSystemBatteryStatus
		call	_PopBatteryCheckTriggerArmed@0 ; PopBatteryCheckTriggerArmed()
		test	al, al
		jnz	loc_9094D0

loc_8691F5:				; CODE XREF: PopBatteryApplyCompositeState+A03FBj
					; PopBatteryApplyCompositeState+A0408j	...
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	esi, dword_6C252C
		mov	edi, ebx
		neg	esi
		mov	[ebp+var_90], edi
		sbb	esi, esi
		and	esi, 3

loc_86920F:				; CODE XREF: PopBatteryApplyCompositeState+180j
		mov	eax, ebx
		shl	eax, 4
		lea	eax, dword_6C25F0[eax]
		mov	ecx, eax
		mov	[ebp+var_94], eax
		call	PopBatteryCheckTrigger
		test	al, al
		jnz	loc_909504
		or	_PopBatteryCachedFlags[edi*4], 0FFFFFFFFh
		lea	ecx, [ebp+var_90]
		mov	edx, [ebp+var_94]
		shl	edi, 4
		and	dword_6C25F4[edi], 0FFFFFFFCh
		call	PopDiagTraceBatteryTriggerFlags
		mov	edi, [ebp+var_90]

loc_869258:				; CODE XREF: PopBatteryApplyCompositeState+A04C7j
					; PopBatteryApplyCompositeState+A04D4j	...
		inc	edi
		mov	[ebp+var_90], edi
		mov	ebx, edi
		cmp	edi, 4
		jb	short loc_86920F
		push	0
		pop	ebx
		cmp	dword_6C2580, esi
		jnz	loc_9095CE

loc_869275:				; CODE XREF: PopBatteryApplyCompositeState+A0634j
		cmp	[ebp+var_89], 0
		jnz	loc_90971D

loc_869282:				; CODE XREF: PopBatteryApplyCompositeState+A063Ej
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset dword_6C266C
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	edi, offset byte_6C2674
		mov	dword_6C2670, eax
		xor	eax, eax
		push	8
		pop	ecx
		rep stosd
		mov	al, byte ptr dword_6C257C
		mov	cl, byte ptr dword_6C2544
		mov	byte_6C267B, al
		mov	al, cl
		and	al, 1
		cmp	dword_6C252C, 0
		mov	byte_6C2674, al
		ja	loc_909727

loc_8692E0:				; CODE XREF: PopBatteryApplyCompositeState+A06A9j
		call	PopAccountCbEnergyChange
		cmp	dword_6C2670, 0
		jz	short loc_8692F4
		mov	dword_6C2670, ebx

loc_8692F4:				; CODE XREF: PopBatteryApplyCompositeState+208j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[ebp+var_9C], 0
		jnz	loc_909792

loc_86930F:				; CODE XREF: PopBatteryApplyCompositeState+A0775j
		mov	cl, [ebp+var_89]
		call	_PopEsQueueStateEvaluation@4 ; PopEsQueueStateEvaluation(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_869329:				; CODE XREF: PopBatteryApplyCompositeState+92j
					; PopBatteryApplyCompositeState+9Ej
		push	8
		pop	ecx
		call	_PopSetNotificationWork@4 ; PopSetNotificationWork(x)
		mov	byte_6C2530, bl
		jmp	loc_869188
PopBatteryApplyCompositeState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceBatteryTriggerFlags	proc near ; CODE XREF: PopBatteryApplyCompositeState+169p
					; PopResetCBTriggers(x)+23p ...

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= byte ptr -8Ch
var_8B		= dword	ptr -8Bh
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090985E SIZE 000000B9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	al, byte ptr dword_6C2544
		and	al, 1
		push	ebx
		push	esi
		mov	esi, dword_6C2634
		mov	byte ptr [ebp+var_8B+2], al
		mov	eax, [ecx]
		push	edi
		cmp	eax, 4
		jnb	short loc_869388
		mov	ecx, ds:_IndexToActionName[eax*4]
		xor	edi, edi
		inc	edi
		cmp	eax, edi
		ja	short loc_869388
		mov	ebx, [edx+4]
		cmp	ebx, _PopBatteryTriggerCachedFlags[eax*4]
		jnz	short loc_869397

loc_869388:				; CODE XREF: PopDiagTraceBatteryTriggerFlags+30j
					; PopDiagTraceBatteryTriggerFlags+3Ej ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_869397:				; CODE XREF: PopDiagTraceBatteryTriggerFlags+4Aj
		mov	_PopBatteryTriggerCachedFlags[eax*4], ebx
		mov	eax, ebx
		shr	eax, 7
		and	eax, 0FFFFFF01h
		mov	[ebp+var_94], eax
		mov	eax, ebx
		shr	eax, 1
		and	bl, 1
		and	eax, 0FFFFFF01h
		cmp	dword_6B23F8, 5
		mov	[ebp+var_90], eax
		jbe	short loc_869388
		jmp	loc_90985E
PopDiagTraceBatteryTriggerFlags	endp


;  S U B	R O U T	I N E 


PopBatteryCheckTrigger proc near	; CODE XREF: PopBatteryApplyCompositeState+13Ep
					; PopRecalculateCBTriggerLevels(x)+68p

; FUNCTION CHUNK AT 00909917 SIZE 00000012 BYTES

		call	_PopBatteryCheckTriggerArmed@0 ; PopBatteryCheckTriggerArmed()
		test	al, al
		jnz	loc_909917

loc_8693DB:				; CODE XREF: PopBatteryCheckTrigger+A0552j
		xor	al, al
		retn
PopBatteryCheckTrigger endp


;  S U B	R O U T	I N E 


; __stdcall PopEsQueueStateEvaluation(x)
_PopEsQueueStateEvaluation@4 proc near	; CODE XREF: PopBatteryApplyCompositeState+231p
		xor	eax, eax
		test	cl, cl
		setnz	al
		lea	ecx, ds:4[eax*8]
		jmp	_PopEsWorkItemSchedule@4 ; PopEsWorkItemSchedule(x)
_PopEsQueueStateEvaluation@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopEsWorkItemSchedule(x)
_PopEsWorkItemSchedule@4 proc near	; CODE XREF: PopEsQueueStateEvaluation(x)+Ej
					; PopEsPowerSettingBatteryThresholdCallback(x,x,x,x)+6Ep ...
		mov	edi, edi
		push	esi
		or	ecx, 80000000h
		mov	esi, offset _PopEsWorkItemDue
		mov	eax, [esi]

loc_869402:				; CODE XREF: PopEsWorkItemSchedule(x)+18j
		mov	edx, eax
		or	edx, ecx
		lock cmpxchg [esi], edx
		jnz	short loc_869402
		pop	esi
		test	eax, eax
		js	short locret_86941D
		push	1
		push	offset _PopEsWorkItem
		call	ExQueueWorkItem

locret_86941D:				; CODE XREF: PopEsWorkItemSchedule(x)+1Dj
		retn
_PopEsWorkItemSchedule@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopAccountCbEnergyChange proc near	; CODE XREF: PopBatteryApplyCompositeState:loc_8692E0p

var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_128		= dword	ptr -128h
var_118		= dword	ptr -118h
var_108		= dword	ptr -108h
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_C8		= dword	ptr -0C8h
var_B8		= dword	ptr -0B8h
var_A8		= dword	ptr -0A8h
var_98		= dword	ptr -98h
var_88		= dword	ptr -88h
var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00909929 SIZE 0000030F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, dword_6C2534
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_180]
		xor	edx, edx
		stosd
		xor	esi, esi
		stosd
		stosd
		stosd
		mov	edi, offset dword_6C2534
		mov	[ebp+var_178], edx
		mov	[ebp+var_174], esi
		cmp	ecx, edi
		jnz	loc_909929

loc_869465:				; CODE XREF: PopAccountCbEnergyChange+A0529j
		mov	eax, dword_6C253C
		xor	ebx, ebx
		mov	ecx, offset dword_6C253C
		mov	[ebp+var_180], ebx
		cmp	eax, ecx
		jnz	loc_90994C

loc_86947F:				; CODE XREF: PopAccountCbEnergyChange+A053Dj
		cmp	ebx, dword_6C2698
		jnz	loc_909960
		cmp	edx, dword_6C26A0
		jnz	loc_909960
		cmp	esi, dword_6C26A4
		jnz	loc_909960

loc_8694A3:				; CODE XREF: PopAccountCbEnergyChange+A0572j
					; PopAccountCbEnergyChange+A0815j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopAccountCbEnergyChange endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopBatteryCheckCompositeCapacity proc near ; CODE XREF:	PopBatteryApplyCompositeState+83p

var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_12C		= dword	ptr -12Ch
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_DC		= dword	ptr -0DCh
var_CC		= dword	ptr -0CCh
var_BC		= dword	ptr -0BCh
var_AC		= dword	ptr -0ACh
var_9C		= dword	ptr -9Ch
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00909C38 SIZE 00000637 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 178h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	[ebp+var_14C], edx
		mov	esi, ecx
		and	dword ptr [eax], 0
		mov	edx, 186A0h
		cmp	dword_6C252C, 0
		push	edi
		mov	[ebp+var_148], eax
		jnz	loc_909C38
		xor	bl, bl
		mov	byte ptr [ebp+var_140],	bl

loc_8694F8:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0823j
		and	dword_6C2640, 0
		and	dword_6C2658, 0

loc_869506:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0892j
					; PopBatteryCheckCompositeCapacity+A08AAj
		mov	edi, offset ??_C@_08KKBGCHG@AC?5Power@NNGAKEGL@
		cmp	byte_6C2644, bl
		jnz	loc_909D61

loc_869517:				; CODE XREF: PopBatteryCheckCompositeCapacity+A08E4j
					; PopBatteryCheckCompositeCapacity+A08FCj ...
		mov	eax, [ebp+var_140]
		cmp	byte_6C2630, al
		jnz	loc_909FFD

loc_869529:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0B7Fj
					; PopBatteryCheckCompositeCapacity+A0B97j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
PopBatteryCheckCompositeCapacity endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopGetDischargeStartStatus proc	near	; CODE XREF: PopBatteryWorker+95p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090A26F SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], 8
		push	eax
		lea	eax, [ebp+var_10]
		xor	esi, esi
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_10], esi
		push	eax
		push	esi
		push	esi
		push	offset _WNF_PO_DISCHARGE_START_FILETIME
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		call	_ZwQueryWnfStateData@24	; ZwQueryWnfStateData(x,x,x,x,x,x)
		cmp	eax, 0C000009Ah
		jz	short loc_86958C
		cmp	eax, 0C0000189h
		jz	short loc_86958C
		test	eax, eax
		jnz	short loc_869589
		cmp	[ebp+var_4], 8
		jz	loc_90A26F

loc_869589:				; CODE XREF: PopGetDischargeStartStatus+43j
		xor	esi, esi
		inc	esi

loc_86958C:				; CODE XREF: PopGetDischargeStartStatus+38j
					; PopGetDischargeStartStatus+3Fj ...
		mov	eax, esi
		pop	esi
		leave
		retn
PopGetDischargeStartStatus endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopRecordDisplayState(x)
_PopRecordDisplayState@4 proc near	; CODE XREF: PopUpdateConsoleDisplayState(x)+3Cp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		lea	ebx, [ecx+1]
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	ecx, ecx
		mov	dword_6C3D9C, eax
		inc	ecx
		mov	al, byte_6D4A06
		and	al, 3Fh
		shl	bl, 6
		or	bl, al
		mov	byte_6D4A06, bl
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_8695E8
		and	dword_6C3D9C, 0

loc_8695E8:				; CODE XREF: PopRecordDisplayState(x)+4Dj
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopRecordDisplayState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceConsoleDisplayState(x)
_PopDiagTraceConsoleDisplayState@4 proc	near
					; CODE XREF: PopUpdateConsoleDisplayState(x)+17p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_18], ecx
		jz	short loc_86965D
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_CONSOLE_DISPLAY_STATE
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_86965A
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_86965A:				; CODE XREF: PopDiagTraceConsoleDisplayState(x)+3Cj
		pop	edi
		pop	esi
		pop	ebx

loc_86965D:				; CODE XREF: PopDiagTraceConsoleDisplayState(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceConsoleDisplayState@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopPulseSystemIdleEvent(x)
_PopPulseSystemIdleEvent@4 proc	near	; CODE XREF: PopUpdateLastUserInputTime()+1Ej
					; PopProcessPendingSystemIdleResets()+1Cp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		cmp	edi, 3
		ja	short loc_86969D
		call	KeQueryInterruptTime
		push	esi
		push	(offset	loc_98967E+2)
		push	edx
		push	eax
		call	__aulldiv
		imul	ecx, edi, 38h
		mov	dword_6B3D58[ecx], eax
		mov	dword_6B3D5C[ecx], edx

loc_869698:				; CODE XREF: PopPulseSystemIdleEvent(x)+38j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_86969D:				; CODE XREF: PopPulseSystemIdleEvent(x)+Bj
		mov	esi, 0C000000Dh
		jmp	short loc_869698
_PopPulseSystemIdleEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmSetDeviceMappedProperty(void *,void *,void *,int,int,int)
_CmSetDeviceMappedProperty proc	near	; CODE XREF: _PnpDispatchDevice+A2p
					; _CmDeleteDeviceWorker(x,x,x)+4F9p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0090A283 SIZE 000000BE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	[ebp+arg_4], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		mov	esi, 0C0000016h
		mov	[ebp+var_8], ecx
		jnz	loc_869767
		mov	ecx, eax
		call	__CmIsRootDevice@4 ; _CmIsRootDevice(x)
		test	al, al
		jnz	loc_8697C0
		mov	edi, [ebp+arg_8]
		xor	ebx, ebx
		mov	ecx, ebx
		mov	[ebp+arg_4], ebx

loc_8696DF:				; CODE XREF: _CmSetDeviceMappedProperty+5Dj
		mov	edx, ds:__CmDeviceRegPropMap[ecx]
		test	edx, edx
		jz	short loc_8696F5
		mov	eax, [edi+10h]
		cmp	eax, [edx+10h]
		jz	loc_8697A4

loc_8696F5:				; CODE XREF: _CmSetDeviceMappedProperty+43j
					; _CmSetDeviceMappedProperty+117j
		add	ecx, 10h
		mov	[ebp+arg_4], ecx
		cmp	ecx, 210h
		jb	short loc_8696DF

loc_869703:				; CODE XREF: _CmSetDeviceMappedProperty+A0C05j
		mov	edx, [edi+10h]
		mov	eax, ebx
		mov	[ebp+arg_8], edx
		mov	[ebp+arg_4], ebx

loc_86970E:				; CODE XREF: _CmSetDeviceMappedProperty+80j
		mov	ecx, ds:off_A42D08[eax]
		cmp	edx, [ecx+10h]
		jz	short loc_869785

loc_869719:				; CODE XREF: _CmSetDeviceMappedProperty+FBj
		add	eax, 10h
		mov	[ebp+arg_4], eax
		cmp	eax, 0D0h
		jb	short loc_86970E

loc_869726:				; CODE XREF: _CmSetDeviceMappedProperty+A0C3Cj
		mov	edx, [edi+10h]
		mov	eax, ebx
		mov	[ebp+arg_8], edx
		mov	[ebp+arg_4], ebx

loc_869731:				; CODE XREF: _CmSetDeviceMappedProperty+A5j
		mov	ecx, ds:off_A42DF0[eax]
		cmp	edx, [ecx+10h]
		jz	loc_8697C7

loc_869740:				; CODE XREF: _CmSetDeviceMappedProperty+13Dj
		add	eax, 10h
		mov	[ebp+arg_4], eax
		cmp	eax, 20h
		jb	short loc_869731

loc_86974B:				; CODE XREF: _CmSetDeviceMappedProperty+A0C98j
		mov	ecx, [edi+10h]
		mov	[ebp+arg_0], ecx

loc_869751:				; CODE XREF: _CmSetDeviceMappedProperty+C1j
		mov	eax, ds:off_A42E10[ebx]
		cmp	ecx, [eax+10h]
		jz	short loc_869770

loc_86975C:				; CODE XREF: _CmSetDeviceMappedProperty+DFj
		add	ebx, 8
		cmp	ebx, 0D8h
		jb	short loc_869751

loc_869767:				; CODE XREF: _CmSetDeviceMappedProperty+1Cj
					; _CmSetDeviceMappedProperty+121j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_869770:				; CODE XREF: _CmSetDeviceMappedProperty+B6j
		push	10h		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8697C0
		mov	ecx, [ebp+arg_0]
		jmp	short loc_86975C
; 

loc_869785:				; CODE XREF: _CmSetDeviceMappedProperty+73j
		push	10h		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_90A2AE
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_8]
		jmp	loc_869719
; 

loc_8697A4:				; CODE XREF: _CmSetDeviceMappedProperty+4Bj
		push	10h		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_90A283
		mov	ecx, [ebp+arg_4]
		jmp	loc_8696F5
; 

loc_8697C0:				; CODE XREF: _CmSetDeviceMappedProperty+2Bj
					; _CmSetDeviceMappedProperty+DAj
		mov	esi, 0C0000022h
		jmp	short loc_869767
; 

loc_8697C7:				; CODE XREF: _CmSetDeviceMappedProperty+96j
		push	10h		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_90A2E5
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_8]
		jmp	loc_869740
_CmSetDeviceMappedProperty endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpQueryRegistryCallback(int,int,void *,int,int,int)
EtwpQueryRegistryCallback proc near	; DATA XREF: EtwpQueryPartitionRegistryInformation+E9o
					; EtwpReadPerSiloConfigParameters(x)+84o ...

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0090A341 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_14]
		xor	ecx, ecx
		mov	ebx, ecx
		test	esi, esi
		jz	short loc_869823
		mov	edx, [ebp+arg_8]
		push	edi
		test	edx, edx
		jz	short loc_86983F
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jz	short loc_86983F
		mov	eax, [ebp+arg_4]
		cmp	eax, [esi]
		jnz	loc_90A357
		cmp	eax, 4
		jnz	short loc_86982B
		cmp	edi, eax
		jb	short loc_869822
		mov	ecx, [esi+4]
		mov	eax, [edx]
		mov	[ecx], eax

loc_869822:				; CODE XREF: EtwpQueryRegistryCallback+33j
					; EtwpQueryRegistryCallback+57j ...
		pop	edi

loc_869823:				; CODE XREF: EtwpQueryRegistryCallback+10j
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	18h
; 

loc_86982B:				; CODE XREF: EtwpQueryRegistryCallback+2Fj
		cmp	eax, 0Bh
		jnz	short loc_869851
		mov	ecx, [esi+4]
		mov	eax, [edx]
		mov	[ecx], eax
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		jmp	short loc_869822
; 

loc_86983F:				; CODE XREF: EtwpQueryRegistryCallback+18j
					; EtwpQueryRegistryCallback+1Fj
		cmp	[ebp+arg_4], 3
		jnz	short loc_869822
		cmp	dword ptr [esi], 3
		jnz	short loc_869822
		mov	ecx, [esi+4]
		and	[ecx], ebx
		jmp	short loc_869822
; 

loc_869851:				; CODE XREF: EtwpQueryRegistryCallback+48j
		cmp	eax, 1
		jnz	short loc_869875
		mov	eax, [esi+4]
		cmp	edi, 2
		ja	short loc_869865
		mov	[eax], ecx
		mov	[eax+4], ecx
		jmp	short loc_869822
; 

loc_869865:				; CODE XREF: EtwpQueryRegistryCallback+76j
		push	edx		; void *
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jnz	short loc_869822
		jmp	loc_90A341
; 

loc_869875:				; CODE XREF: EtwpQueryRegistryCallback+6Ej
		cmp	eax, 3
		jnz	short loc_869822
		cmp	edi, 4
		jb	short loc_869822
		mov	eax, [esi+4]
		cmp	edi, [eax]
		ja	loc_90A34B
		push	edi		; size_t
		push	edx		; void *
		push	dword ptr [eax+4] ; void *
		call	_memmove
		mov	eax, [esi+4]
		add	esp, 0Ch
		mov	[eax], edi
		jmp	short loc_869822
EtwpQueryRegistryCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDcHandleDeviceEvent proc near		; CODE XREF: PiDcHandleObjectEvent(x)+1Bp

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_81		= dword	ptr -81h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090A361 SIZE 000000E4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_98], ecx
		lea	edi, [ebp+var_68]
		xor	edx, edx
		mov	ebx, edx
		stosd
		mov	byte ptr [ebp+var_81], dl
		mov	[ebp+var_8C], edx
		mov	[ebp+var_88], edx
		stosd
		mov	[ebp+var_6C], edx
		mov	[ebp+var_90], edx
		stosd
		stosd
		cmp	[ecx+2Ch], edx
		jbe	short loc_869947
		lea	eax, [ecx+44h]
		mov	[ebp+var_94], eax

loc_8698F2:				; CODE XREF: PiDcHandleDeviceEvent+A7j
		push	5
		lea	esi, [eax-14h]
		pop	ecx
		lea	eax, [ebp+var_81+1]
		push	eax
		lea	edi, [ebp+var_81+1]
		rep movsd
		push	offset _PiDcUpdateProperties
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		mov	esi, eax
		xor	edi, edi
		mov	eax, [ebp+var_94]
		cmp	[eax], edi
		jnz	short loc_869926
		cmp	[eax+4], edi
		jnz	short loc_869926
		test	esi, esi
		jnz	loc_90A361

loc_869926:				; CODE XREF: PiDcHandleDeviceEvent+79j
					; PiDcHandleDeviceEvent+7Ej
		mov	ecx, [ebp+var_90]
		add	eax, 1Ch
		mov	edx, [ebp+var_98]
		inc	ecx
		mov	[ebp+var_90], ecx
		mov	[ebp+var_94], eax
		cmp	ecx, [edx+2Ch]
		jb	short loc_8698F2

loc_869947:				; CODE XREF: PiDcHandleDeviceEvent+49j
					; PiDcHandleDeviceEvent+A0AFCj	...
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PiDcHandleDeviceEvent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmIsDeviceSafeRemovalRequired proc near
					; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+66Cp

var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= dword	ptr -334h
var_32F		= byte ptr -32Fh
var_32E		= byte ptr -32Eh
var_32D		= byte ptr -32Dh
var_32C		= dword	ptr -32Ch
var_19C		= dword	ptr -19Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090A445 SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 350h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_344], eax
		mov	esi, edx
		mov	[ebp+var_348], eax
		mov	edi, ecx
		mov	[ebp+var_32D], al
		mov	[ebp+var_338], eax
		mov	[ebp+var_32F], al
		mov	[ebp+var_340], eax
		mov	[ebp+var_350], eax
		mov	[ebp+var_34C], eax
		lea	eax, [ebp+var_34C]
		push	ecx
		push	eax
		lea	eax, [ebp+var_350]
		mov	[ebp+var_33C], ebx
		push	eax
		lea	eax, [ebp+var_340]
		push	eax
		push	ebx
		call	__CmGetDeviceStatus@28 ; _CmGetDeviceStatus(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_869AAC
		mov	al, byte ptr [ebp+var_340]
		mov	edx, esi
		and	al, 8
		mov	[ebp+var_334], 4
		push	0
		mov	[ebp+var_32E], al
		mov	ecx, edi
		lea	eax, [ebp+var_334]
		push	eax
		lea	eax, [ebp+var_338]
		push	eax
		lea	eax, [ebp+var_348]
		push	eax
		push	10h
		push	ebx
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_90A445
		mov	eax, [ebp+var_338]

loc_869A1C:				; CODE XREF: _CmIsDeviceSafeRemovalRequired+A0AF5j
		mov	bl, al
		mov	cl, al
		and	bl, 4
		and	cl, 80h
		cmp	[ebp+var_32E], 0
		jz	short loc_869AA8

loc_869A2F:				; CODE XREF: _CmIsDeviceSafeRemovalRequired+152j
		test	cl, cl
		mov	edx, esi
		push	0
		setz	al
		xor	ecx, ecx
		mov	[ebp+var_32E], al
		inc	ecx
		mov	[ebp+var_32D], al
		lea	eax, [ebp+var_334]
		push	eax
		push	ecx
		lea	eax, [ebp+var_32F]
		mov	[ebp+var_334], ecx
		push	eax
		lea	eax, [ebp+var_344]
		push	eax
		push	offset _DEVPKEY_Device_SafeRemovalRequiredOverride
		push	0
		push	[ebp+var_33C]
		push	ecx
		mov	ecx, edi
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	loc_90A452
		mov	al, [ebp+var_32D]

loc_869A86:				; CODE XREF: _CmIsDeviceSafeRemovalRequired+A0B0Fj
					; _CmIsDeviceSafeRemovalRequired+A0B22j ...
		test	bl, bl
		jnz	short loc_869AAC
		test	al, al
		jz	short loc_869AAC
		xor	eax, eax
		push	800h
		push	eax
		push	eax
		push	esi
		mov	[ebp+var_32D], al
		mov	esi, 0C8h
		jmp	loc_869B39
; 

loc_869AA8:				; CODE XREF: _CmIsDeviceSafeRemovalRequired+D5j
		test	al, 2
		jnz	short loc_869A2F

loc_869AAC:				; CODE XREF: _CmIsDeviceSafeRemovalRequired+75j
					; _CmIsDeviceSafeRemovalRequired+130j ...
		mov	al, [ebp+var_32D]

loc_869AB2:				; CODE XREF: _CmIsDeviceSafeRemovalRequired+1FDj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_869AC3:				; CODE XREF: _CmIsDeviceSafeRemovalRequired+1F0j
		lea	eax, [ebp+var_33C]
		mov	[ebp+var_33C], esi
		push	eax
		lea	eax, [ebp+var_19C]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_32C]
		call	_CmGetDeviceParent
		test	eax, eax
		js	short loc_869B53
		push	0
		lea	eax, [ebp+var_334]
		mov	[ebp+var_334], 4
		push	eax
		lea	eax, [ebp+var_338]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_348]
		push	eax
		push	10h
		push	0
		lea	edx, [ebp+var_19C]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_869B5A
		mov	ebx, [ebp+var_338]

loc_869B24:				; CODE XREF: _CmIsDeviceSafeRemovalRequired+20Aj
		and	bl, 4
		jnz	short loc_869B53
		push	800h
		push	0
		push	0
		lea	eax, [ebp+var_19C]
		push	eax

loc_869B39:				; CODE XREF: _CmIsDeviceSafeRemovalRequired+14Bj
		mov	edx, esi
		lea	ecx, [ebp+var_32C]
		call	RtlStringCchCopyExW
		test	eax, eax
		jns	loc_869AC3
		jmp	loc_869AAC
; 

loc_869B53:				; CODE XREF: _CmIsDeviceSafeRemovalRequired+18Ej
					; _CmIsDeviceSafeRemovalRequired+1CFj
		mov	al, bl
		jmp	loc_869AB2
; 

loc_869B5A:				; CODE XREF: _CmIsDeviceSafeRemovalRequired+1C4j
		xor	ebx, ebx
		mov	[ebp+var_338], ebx
		jmp	short loc_869B24
_CmIsDeviceSafeRemovalRequired endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDmCacheDataEncode(size_t,int,int,int)
PiDmCacheDataEncode proc near		; CODE XREF: PiDmObjectUpdateCachedObjectProperty+C0p
					; PiDmObjectProcessPropertyChange+245p	...

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0090A495 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_5C], 0
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_60], edx
		push	edi
		mov	edi, [ebp+arg_0]
		test	esi, esi
		jz	loc_869C23
		cmp	[ebp+arg_8], 0
		jnz	short loc_869BDB

loc_869B96:				; CODE XREF: PiDmCacheDataEncode+7Aj
					; PiDmCacheDataEncode+84j ...
		mov	eax, [ebp+var_5C]

loc_869B99:				; CODE XREF: PiDmCacheDataEncode+A0936j
		cmp	esi, 0Dh
		jz	loc_90A49F
		lea	eax, [ebx+0Ch]
		cmp	edi, 4
		ja	loc_869C43
		push	edi		; size_t
		push	[ebp+var_60]	; void *
		push	eax		; void *
		call	_memcpy
		mov	dword ptr [ebx], 3

loc_869BBE:				; CODE XREF: PiDmCacheDataEncode+107j
		mov	[ebx+4], esi
		add	esp, 0Ch
		mov	[ebx+8], edi

loc_869BC7:				; CODE XREF: PiDmCacheDataEncode+C5j
		mov	eax, [ebp+var_5C]

loc_869BCA:				; CODE XREF: PiDmCacheDataEncode+B2j
					; PiDmCacheDataEncode+BDj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_869BDB:				; CODE XREF: PiDmCacheDataEncode+30j
		cmp	esi, [ebp+arg_4]
		jnz	short loc_869B96
		cmp	esi, 0Dh
		jz	short loc_869C2B
		cmp	esi, 12h
		jnz	short loc_869B96
		test	edx, edx
		jz	short loc_869B96
		mov	eax, edi
		shr	eax, 1
		xor	ecx, ecx
		mov	[edx+eax*2-2], cx

loc_869BF9:				; CODE XREF: PiDmCacheDataEncode+DDj
		test	edx, edx
		jz	short loc_869B96
		mov	ecx, [ebp+arg_8]
		lea	eax, [ebx+8]
		push	eax
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		cmp	eax, 0C0000034h
		jz	loc_90A495
		test	eax, eax
		js	short loc_869BCA
		mov	[ebx+4], esi
		mov	dword ptr [ebx], 6
		jmp	short loc_869BCA
; 

loc_869C23:				; CODE XREF: PiDmCacheDataEncode+26j
		mov	dword ptr [ebx], 2
		jmp	short loc_869BC7
; 

loc_869C2B:				; CODE XREF: PiDmCacheDataEncode+7Fj
		push	ecx		; int
		mov	ecx, [ebp+var_60] ; int
		lea	edx, [ebp+var_58] ; void *
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		mov	[ebp+var_5C], eax
		test	eax, eax
		js	short loc_869BCA
		lea	edx, [ebp+var_58]
		jmp	short loc_869BF9
; 

loc_869C43:				; CODE XREF: PiDmCacheDataEncode+44j
		push	5A706E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+0Ch], eax
		test	eax, eax
		jz	loc_90A4B4
		push	edi		; size_t
		push	[ebp+var_60]	; void *
		push	eax		; void *
		call	_memcpy
		mov	dword ptr [ebx], 5
		jmp	loc_869BBE
PiDmCacheDataEncode endp


;  S U B	R O U T	I N E 


; __stdcall PerfDiagpStartPerfDiagLogger(x)
_PerfDiagpStartPerfDiagLogger@4	proc near ; CODE XREF: PerfDiagpProxyWorker:loc_7DFE08p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	edx, edi
		lea	ecx, [edx+2]

loc_869C7E:				; CODE XREF: PerfDiagpStartPerfDiagLogger(x)+17j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, bx
		jnz	short loc_869C7E
		sub	edx, ecx
		sar	edx, 1
		push	64465250h
		lea	esi, ds:68h[edx*2]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_869CF4
		push	offset ??_C@_1GI@CKLLCKKA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_RtlStringCbCatW@12 ; RtlStringCbCatW(x,x,x)
		call	_PerfDiagpIsTracingAllowed@0 ; PerfDiagpIsTracingAllowed()
		test	eax, eax
		jz	short loc_869CFB
		push	8
		mov	eax, offset unk_6BC728
		mov	esi, offset ??_C@_1CA@DEFPGLJP@?$AAP?$AAe?$AAr?$AAf?$AAD?$AAi?$AAa?$AAg?$AA?5?$AAL?$AAo?$AAg?$AAg?$AAe?$AAr@NNGAKEGL@
		pop	ecx
		mov	edi, eax
		mov	edx, ebx
		rep movsd
		push	0
		mov	ecx, eax
		call	EtwStartAutoLogger
		mov	esi, eax

loc_869CE6:				; CODE XREF: PerfDiagpStartPerfDiagLogger(x)+90j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_869CEE:				; CODE XREF: PerfDiagpStartPerfDiagLogger(x)+89j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_869CF4:				; CODE XREF: PerfDiagpStartPerfDiagLogger(x)+35j
		mov	esi, 0C0000017h
		jmp	short loc_869CEE
; 

loc_869CFB:				; CODE XREF: PerfDiagpStartPerfDiagLogger(x)+56j
		mov	esi, 0C0000001h
		jmp	short loc_869CE6
_PerfDiagpStartPerfDiagLogger@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwStartAutoLogger proc	near		; CODE XREF: PerfDiagpStartPerfDiagLogger(x)+6Fp
					; EtwpInitializeAutoLoggers+107p ...

var_3C4		= dword	ptr -3C4h
var_3C0		= dword	ptr -3C0h
var_3BC		= dword	ptr -3BCh
var_3B8		= dword	ptr -3B8h
var_3B4		= dword	ptr -3B4h
var_3B0		= dword	ptr -3B0h
var_3AC		= dword	ptr -3ACh
var_3A8		= dword	ptr -3A8h
var_3A4		= dword	ptr -3A4h
var_3A0		= dword	ptr -3A0h
var_39C		= dword	ptr -39Ch
var_398		= dword	ptr -398h
var_394		= dword	ptr -394h
var_390		= dword	ptr -390h
var_38C		= dword	ptr -38Ch
var_388		= dword	ptr -388h
var_384		= dword	ptr -384h
var_380		= dword	ptr -380h
var_37C		= dword	ptr -37Ch
var_378		= dword	ptr -378h
var_374		= dword	ptr -374h
var_370		= dword	ptr -370h
var_36C		= dword	ptr -36Ch
var_368		= dword	ptr -368h
var_364		= dword	ptr -364h
var_360		= dword	ptr -360h
var_35C		= dword	ptr -35Ch
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_320		= dword	ptr -320h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_304		= dword	ptr -304h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2E8		= dword	ptr -2E8h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2CC		= dword	ptr -2CCh
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B0		= dword	ptr -2B0h
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_294		= dword	ptr -294h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_278		= dword	ptr -278h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B4		= dword	ptr -1B4h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_17C		= dword	ptr -17Ch
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_160		= dword	ptr -160h
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_10C		= dword	ptr -10Ch
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_D8		= dword	ptr -0D8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090A4BE SIZE 0000055E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3C8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_3C4], esi
		mov	[ebp+var_338], ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_370], eax
		xor	eax, eax
		mov	[ebp+var_398], eax
		lea	edi, [ebp+var_314]
		mov	[ebp+var_394], eax
		mov	ebx, eax
		mov	[ebp+var_32C], eax
		mov	[ebp+var_320], eax
		mov	[ebp+var_374], eax
		mov	[ebp+var_368], eax
		mov	[ebp+var_384], eax
		mov	[ebp+var_380], eax
		mov	[ebp+var_38C], eax
		mov	[ebp+var_388], eax
		mov	[ebp+var_34C], eax
		mov	[ebp+var_348], eax
		mov	[ebp+var_37C], eax
		mov	[ebp+var_378], eax
		mov	[ebp+var_35C], eax
		mov	[ebp+var_358], eax
		mov	[ebp+var_354], eax
		mov	[ebp+var_350], eax
		mov	[ebp+var_340], eax
		mov	[ebp+var_36C], eax
		mov	[ebp+var_344], eax
		mov	[ebp+var_330], eax
		mov	[ebp+var_33C], eax
		mov	[ebp+var_3C0], eax
		mov	[ebp+var_360], eax
		stosd
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_3B8], ecx
		stosd
		mov	[ebp+var_3BC], 64h
		stosd
		stosd
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		push	esi
		mov	eax, [eax+1F0h]
		mov	[ebp+var_334], eax
		lea	eax, [ebp+var_398]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_398]
		mov	[ebp+var_3B4], 18h
		mov	[ebp+var_3AC], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_3B4]
		mov	[ebp+var_3B0], ecx
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_32C]
		mov	[ebp+var_3A8], 240h
		push	eax
		mov	[ebp+var_3A4], ecx
		mov	[ebp+var_3A0], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_86A81C
		push	50777445h
		xor	esi, esi
		push	2000h
		inc	esi
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_31C], edi
		test	edi, edi
		jz	loc_90A4BE
		push	50777445h
		push	504h
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_90A4BE
		push	504h		; size_t
		xor	esi, esi
		push	esi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebx+2Ch], 20000h
		lea	eax, [ebx+90h]
		push	4
		pop	edx
		push	[ebp+var_338]
		mov	[ebx+30h], edx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	dword ptr [ebx+48h], 80000000h
		lea	edi, [ebx+0B4h]
		mov	eax, 0B0h
		mov	byte ptr [ebx+4Ah], 0FFh
		mov	[ebx+48h], ax
		xor	ecx, ecx
		xor	eax, eax
		mov	[ebp+var_318], 0B4h
		mov	[ebx+0B2h], ax
		inc	ecx
		lea	eax, [edi+2Ch]
		mov	[ebx+0B0h], cx
		mov	[ebp+var_324], eax
		add	eax, 418h
		push	24Ch		; size_t
		mov	[ebp+var_390], eax
		lea	eax, [ebp+var_304]
		push	esi		; int
		push	eax		; void *
		call	_memset
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_2FC], offset ??_C@_1M@IOJLKPKK@?$AAS?$AAt?$AAa?$AAr?$AAt@NNGAKEGL@
		mov	[ebp+var_2F8], eax
		add	esp, 0Ch
		lea	eax, [ebp+var_368]
		mov	[ebp+var_2E0], offset ??_C@_1BE@IPKAIGMO@?$AAI?$AAm?$AAm?$AAu?$AAt?$AAa?$AAb?$AAl?$AAe@NNGAKEGL@ ; "Immutable"
		mov	[ebp+var_B0], eax
		mov	edx, offset EtwpQueryRegistryCallback
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_304], edx
		mov	[ebp+var_2DC], eax
		lea	eax, [ebp+var_330]
		push	4
		pop	ecx
		mov	[ebp+var_A8], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_2F4], ecx
		push	eax
		push	ecx
		push	esi
		lea	eax, [ebp+var_304]
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_2E8], edx
		mov	edx, [ebp+var_32C]
		mov	[ebp+var_2D8], ecx
		mov	[ebp+var_AC], ecx
		mov	ecx, 40000000h
		push	eax
		call	RtlpQueryRegistryValues
		mov	esi, eax
		test	esi, esi
		js	loc_86A660
		mov	eax, [ebp+var_370]
		test	eax, eax
		jnz	loc_90A4C8

loc_869FCE:				; CODE XREF: EtwStartAutoLogger+A0885j
					; EtwStartAutoLogger+A0891j
		cmp	[ebp+var_330], 0
		jnz	short loc_869FE5
		mov	edx, [ebp+var_320]
		test	edx, edx
		jnz	loc_90A598

loc_869FE5:				; CODE XREF: EtwStartAutoLogger+2D3j
		xor	ecx, ecx

loc_869FE7:				; CODE XREF: EtwStartAutoLogger+A08D4j
					; EtwStartAutoLogger+A08DCj
		cmp	[ebp+var_368], 0
		jz	loc_86A660
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_2FC], offset ??_C@_1BO@HOFFIHNI@?$AAF?$AAl?$AAu?$AAs?$AAh?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh?$AAo?$AAl?$AAd@NNGAKEGL@ ; "FlushThreshold"
		mov	[ebp+var_2F8], eax
		mov	esi, offset EtwpQueryRegistryCallback
		lea	eax, [ebx+4Ch]
		mov	[ebp+var_304], esi
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_2DC], eax
		lea	eax, [ebx+30h]
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_2C0], eax
		lea	eax, [ebx+34h]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_2A4], eax
		lea	eax, [ebx+44h]
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_288], eax
		lea	eax, [ebx+38h]
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_26C], eax
		lea	eax, [ebp+var_33C]
		mov	[ebp+var_264], eax
		lea	eax, [ebx+80h]
		mov	[ebp+var_88], eax
		lea	eax, [edi+4]
		mov	[ebp+var_378], eax
		lea	eax, [ebp+var_84]
		push	4
		pop	edx
		mov	[ebp+var_250], eax
		push	3
		pop	eax
		mov	[ebp+var_24C], eax
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_37C]
		mov	[ebp+var_80], eax
		mov	eax, [ebp+var_324]
		mov	[ebp+var_2E8], esi
		mov	[ebp+var_2CC], esi
		mov	[ebp+var_2B0], esi
		mov	[ebp+var_294], esi
		mov	[ebp+var_278], esi
		xor	esi, esi
		inc	esi
		mov	[ebp+var_2F4], edx
		add	eax, edx
		mov	[ebp+var_B4], edx
		mov	[ebp+var_350], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_234], eax
		push	3
		pop	eax
		mov	[ebp+var_230], eax
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_354]
		mov	[ebp+var_2E0], offset ??_C@_1BG@CPCOOOKL@?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr?$AAS?$AAi?$AAz?$AAe@NNGAKEGL@
		mov	[ebp+var_2D8], edx
		mov	[ebp+var_AC], edx
		mov	[ebp+var_2C4], offset ??_C@_1BO@NEHDJPKH@?$AAM?$AAi?$AAn?$AAi?$AAm?$AAu?$AAm?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr?$AAs@NNGAKEGL@ ; "MinimumBuffers"
		mov	[ebp+var_2BC], edx
		mov	[ebp+var_A4], edx
		mov	[ebp+var_2A8], offset ??_C@_1BG@LHINJEKI@?$AAF?$AAl?$AAu?$AAs?$AAh?$AAT?$AAi?$AAm?$AAe?$AAr@NNGAKEGL@ ;	"F"
		mov	[ebp+var_2A0], edx
		mov	[ebp+var_9C], edx
		mov	[ebp+var_28C], offset ??_C@_1BO@EMFAPBIG@?$AAM?$AAa?$AAx?$AAi?$AAm?$AAu?$AAm?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr?$AAs@NNGAKEGL@ ; "M"
		mov	[ebp+var_284], edx
		mov	[ebp+var_94], edx
		mov	[ebp+var_270], offset ??_C@_1BC@PKFGPGJB@?$AAF?$AAi?$AAl?$AAe?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@ ; "FileName"
		mov	[ebp+var_268], esi
		mov	[ebp+var_8C], esi
		mov	[ebp+var_37C], 28h
		mov	[ebp+var_25C], offset EtwpQueryRegistryCallback
		mov	[ebp+var_254], offset ??_C@_1CE@MEENLKDH@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAF?$AAl?$AAa@NNGAKEGL@ ; "EnableKernelFlags"
		mov	[ebp+var_354], 400h
		mov	[ebp+var_240], offset EtwpQueryRegistryCallback
		mov	[ebp+var_238], offset ??_C@_1CG@MJEJKPEK@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAW?$AAa?$AAl?$AAk?$AAi?$AAn?$AAg?$AAF?$AAi?$AAl@NNGAKEGL@
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_218], eax
		lea	eax, [ebp+var_3B8]
		mov	[ebp+var_210], eax
		lea	eax, [ebx+28h]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_1FC], eax
		lea	eax, [ebp+var_3BC]
		mov	[ebp+var_1F4], eax
		lea	eax, [ebx+3Ch]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_1E0], eax
		lea	eax, [ebp+var_3C0]
		mov	[ebp+var_1D8], eax
		lea	eax, [ebx+40h]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_1C4], eax
		lea	eax, [ebp+var_36C]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_1A8], eax
		lea	eax, [ebp+var_33C]
		mov	[ebp+var_1A0], eax
		lea	eax, [ebp+var_384]
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_18C], eax
		lea	eax, [ebx+60h]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_170], eax
		lea	eax, [ebp+var_340]
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_154], eax
		lea	eax, [ebp+var_33C]
		mov	[ebp+var_14C], eax
		lea	eax, [ebp+var_38C]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_390]
		mov	[ebp+var_224], offset EtwpQueryRegistryCallback
		add	eax, edx
		mov	[ebp+var_21C], offset ??_C@_1BE@ILKEBGME@?$AAC?$AAl?$AAo?$AAc?$AAk?$AAT?$AAy?$AAp?$AAe@NNGAKEGL@ ; "ClockType"
		mov	[ebp+var_214], edx
		mov	[ebp+var_20C], edx
		mov	[ebp+var_74], edx
		mov	[ebp+var_208], offset EtwpQueryRegistryCallback
		mov	[ebp+var_200], offset ??_C@_1BI@DKPILFAP@?$AAM?$AAa?$AAx?$AAF?$AAi?$AAl?$AAe?$AAS?$AAi?$AAz?$AAe@NNGAKEGL@ ; "MaxFileSize"
		mov	[ebp+var_1F8], edx
		mov	[ebp+var_1F0], edx
		mov	[ebp+var_6C], edx
		mov	[ebp+var_1EC], offset EtwpQueryRegistryCallback
		mov	[ebp+var_1E4], offset ??_C@_1BI@CKOCKMJL@?$AAL?$AAo?$AAg?$AAF?$AAi?$AAl?$AAe?$AAM?$AAo?$AAd?$AAe@NNGAKEGL@ ; "LogFileMode"
		mov	[ebp+var_1DC], edx
		mov	[ebp+var_1D4], edx
		mov	[ebp+var_64], edx
		mov	[ebp+var_1D0], offset EtwpQueryRegistryCallback
		mov	[ebp+var_1C8], offset ??_C@_1DG@KDJAEHHA@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAR?$AAe?$AAa?$AAl?$AAt?$AAi?$AAm?$AAe@NNGAKEGL@
		mov	[ebp+var_1C0], edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_1B4], offset EtwpQueryRegistryCallback
		mov	[ebp+var_1AC], offset ??_C@_19BPBMCKGC@?$AAG?$AAu?$AAi?$AAd@NNGAKEGL@
		mov	[ebp+var_1A4], esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_198], offset EtwpQueryRegistryCallback
		mov	[ebp+var_190], offset ??_C@_1BI@MGELNINL@?$AAF?$AAi?$AAl?$AAe?$AAC?$AAo?$AAu?$AAn?$AAt?$AAe?$AAr@NNGAKEGL@
		mov	[ebp+var_188], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_17C], offset EtwpQueryRegistryCallback
		mov	[ebp+var_174], offset ??_C@_1BA@IJANDGNA@?$AAF?$AAi?$AAl?$AAe?$AAM?$AAa?$AAx@NNGAKEGL@ ; "F"
		mov	[ebp+var_16C], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_160], offset EtwpQueryRegistryCallback
		mov	[ebp+var_158], offset ??_C@_1BM@HCNKBIBB@?$AAP?$AAo?$AAo?$AAl?$AAT?$AAa?$AAg?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@ ; "PoolTagFilter"
		mov	[ebp+var_150], esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_35C], 8
		mov	[ebp+var_358], eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_138], eax
		push	3
		pop	eax
		mov	[ebp+var_134], eax
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_35C]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_11C], eax
		lea	eax, [ebp+var_344]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_100], eax
		lea	eax, [ebp+var_33C]
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_34C]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_1C]
		push	0Bh
		mov	[ebp+var_E4], eax
		pop	eax
		push	esi
		mov	[ebp+var_E0], eax
		mov	[ebp+var_1C], eax
		lea	eax, [ebx+50h]
		push	ecx
		mov	[ebp+var_118], edx
		mov	[ebp+var_2C], edx
		mov	edx, offset EtwpQueryRegistryCallback
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_304]
		push	ecx
		mov	[ebp+var_10C], edx
		mov	ecx, 40000000h
		mov	[ebp+var_F0], edx
		mov	edx, [ebp+var_32C]
		push	eax
		mov	[ebp+var_144], offset EtwpQueryRegistryCallback
		mov	[ebp+var_13C], offset ??_C@_1BK@BNNAGKMF@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAC?$AAa?$AAc?$AAh?$AAi?$AAn?$AAg@NNGAKEGL@
		mov	[ebp+var_128], offset EtwpQueryRegistryCallback
		mov	[ebp+var_120], offset ??_C@_1CO@GGLLDGKO@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AAP@NNGAKEGL@ ; "EnableSecurityProvider"
		mov	[ebp+var_104], (offset loc_8C0D09+1)
		mov	[ebp+var_FC], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_E8], offset ??_C@_1BE@NFPMBJME@?$AAV?$AA2?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@
		mov	[ebp+var_D8], 8
		call	RtlpQueryRegistryValues
		mov	esi, eax
		mov	[ebp+var_328], eax
		test	esi, esi
		js	loc_86A660
		mov	edx, [ebp+var_320]
		test	edx, edx
		jnz	loc_90A5E3

loc_86A4A5:				; CODE XREF: EtwStartAutoLogger+A0A73j
		mov	eax, [ebx+70h]
		xor	ecx, ecx
		or	eax, 2
		inc	ecx
		mov	[ebx+70h], eax
		cmp	[ebp+var_36C], 0
		jnz	short loc_86A4BF
		or	eax, ecx
		mov	[ebx+70h], eax

loc_86A4BF:				; CODE XREF: EtwStartAutoLogger+7B6j
		mov	eax, [ebp+var_37C]
		shr	eax, 2
		movzx	eax, ax
		mov	[ebp+var_39C], eax
		test	ax, ax
		jnz	loc_86A718

loc_86A4DA:				; CODE XREF: EtwStartAutoLogger+A3Fj
		mov	ecx, [ebp+var_354]
		test	ecx, ecx
		jnz	loc_90A77A

loc_86A4E8:				; CODE XREF: EtwStartAutoLogger+A0AEFj
		mov	ecx, [ebp+var_324]

loc_86A4EE:				; CODE XREF: EtwStartAutoLogger+A0AD4j
		cmp	[ebp+var_388], 0
		jnz	loc_90A7F6

loc_86A4FB:				; CODE XREF: EtwStartAutoLogger+A0B27j
					; EtwStartAutoLogger+A0B83j
		mov	edx, [ebp+var_318]

loc_86A501:				; CODE XREF: EtwStartAutoLogger+A0B63j
		cmp	[ebp+var_35C], 8
		jz	loc_90A88A

loc_86A50E:				; CODE XREF: EtwStartAutoLogger+A0BC7j
					; EtwStartAutoLogger+A0BD9j
		xor	edi, edi
		cmp	word ptr [ebp+var_39C],	di
		jnz	short loc_86A535
		cmp	[ebp+var_354], edi
		jnz	short loc_86A535
		cmp	[ebp+var_35C], edi
		jnz	short loc_86A535
		cmp	word ptr [ebp+var_360],	di
		jnz	short loc_86A535
		mov	[ebx+48h], edi

loc_86A535:				; CODE XREF: EtwStartAutoLogger+815j
					; EtwStartAutoLogger+81Dj ...
		lea	ecx, [ebx+40h]
		mov	eax, [ecx]
		test	eax, 500h
		jz	short loc_86A548
		test	eax, 200h
		jz	short loc_86A554

loc_86A548:				; CODE XREF: EtwStartAutoLogger+83Dj
		cmp	[ebx+84h], edi
		jz	loc_86A746

loc_86A554:				; CODE XREF: EtwStartAutoLogger+844j
					; EtwStartAutoLogger+A68j
		test	esi, esi
		js	loc_86A660
		cmp	[ebp+var_344], 0
		jnz	loc_86A7E4

loc_86A569:				; CODE XREF: EtwStartAutoLogger+AFEj
					; EtwStartAutoLogger+B2Cj
		test	esi, esi
		js	loc_86A660
		cmp	[ebp+var_340], 0
		jnz	loc_86A76F
		push	4
		pop	esi

loc_86A581:				; CODE XREF: EtwStartAutoLogger+AAEj
		mov	edx, [ebp+var_338]
		mov	eax, offset ??_C@_1BK@IDOACBDN@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AAL?$AAo?$AAg?$AAg?$AAe?$AAr@NNGAKEGL@

loc_86A58C:				; CODE XREF: EtwStartAutoLogger+8B0j
		mov	cx, [edx]
		cmp	cx, [eax]
		jnz	loc_86A7B5
		test	cx, cx
		jz	short loc_86A5B4
		mov	cx, [edx+2]
		cmp	cx, [eax+2]
		jnz	loc_86A7B5
		add	edx, esi
		add	eax, esi
		test	cx, cx
		jnz	short loc_86A58C

loc_86A5B4:				; CODE XREF: EtwStartAutoLogger+899j
		mov	eax, edi

loc_86A5B6:				; CODE XREF: EtwStartAutoLogger+ABAj
		test	eax, eax
		jz	loc_90A8FF
		cmp	[ebp+var_380], 0
		jz	loc_90A8F5
		lea	eax, [ebp+var_314]
		push	eax
		lea	eax, [ebp+var_384]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	esi, eax

loc_86A5E0:				; CODE XREF: EtwStartAutoLogger+A0BF8j
					; EtwStartAutoLogger+A0C12j
		test	esi, esi
		js	short loc_86A660
		mov	eax, [ebp+var_318]
		lea	edi, [ebx+18h]
		lea	esi, [ebp+var_314]
		mov	edx, ebx
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_334]
		mov	ecx, edi
		mov	[ebx], eax
		call	EtwpStartLogger
		mov	esi, eax
		movzx	eax, word ptr [ebx+8]
		mov	[ebp+var_318], eax
		mov	edx, eax
		test	esi, esi
		js	short loc_86A660
		test	eax, eax
		jz	short loc_86A62B
		cmp	[ebp+var_344], 0
		jnz	loc_86A7C1

loc_86A62B:				; CODE XREF: EtwStartAutoLogger+91Aj
					; EtwStartAutoLogger+ADDj ...
		mov	eax, [ebp+var_34C]
		test	ax, ax
		jnz	loc_90A919
		mov	edi, edx

loc_86A63C:				; CODE XREF: EtwStartAutoLogger+A0CD3j
					; EtwStartAutoLogger+A0CDEj
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		push	[ebp+var_330]
		mov	edx, edi
		push	[ebp+var_370]
		mov	ecx, [eax+1F0h]
		push	[ebp+var_3C4]
		call	EtwpEnableKeyProviders

loc_86A660:				; CODE XREF: EtwStartAutoLogger+2B8j
					; EtwStartAutoLogger+2ECj ...
		mov	edi, [ebp+var_31C]

loc_86A666:				; CODE XREF: EtwStartAutoLogger+B1Cj
					; EtwStartAutoLogger+A07C1j
		mov	eax, [ebp+var_32C]
		test	eax, eax
		jz	short loc_86A6AD
		test	esi, esi
		js	loc_90A9E5

loc_86A678:				; CODE XREF: EtwStartAutoLogger+A0CF5j
		mov	edx, [ebp+var_320]
		push	4
		test	edx, edx
		jnz	loc_90A9FC
		pop	edx
		push	edx
		lea	ecx, [ebp+var_374]
		push	ecx
		push	edx
		push	(offset	loc_8BA67D+1)
		push	eax

loc_86A698:				; CODE XREF: EtwStartAutoLogger+A0D0Aj
		push	40000000h
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		push	[ebp+var_32C]
		call	_ZwClose@4	; ZwClose(x)

loc_86A6AD:				; CODE XREF: EtwStartAutoLogger+96Cj
		mov	edx, [ebp+var_320]
		test	edx, edx
		jnz	loc_90AA11

loc_86A6BB:				; CODE XREF: EtwStartAutoLogger+A0D15j
		test	ebx, ebx
		jz	short loc_86A6D4
		lea	eax, [ebx+80h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_86A6D4:				; CODE XREF: EtwStartAutoLogger+9BBj
		test	edi, edi
		jz	short loc_86A6E1
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_86A6E1:				; CODE XREF: EtwStartAutoLogger+9D4j
		lea	eax, [ebp+var_384]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_38C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_34C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_86A718:				; CODE XREF: EtwStartAutoLogger+7D2j
		inc	eax
		mov	[edi+2], cx
		mov	[edi], ax
		inc	word ptr [ebx+0B2h]
		mov	ax, [edi]
		add	[ebx+0B0h], ax
		movzx	eax, word ptr [edi]
		lea	eax, ds:0B4h[eax*4]
		mov	[ebp+var_318], eax
		jmp	loc_86A4DA
; 

loc_86A746:				; CODE XREF: EtwStartAutoLogger+84Cj
		push	offset ??_C@_1BK@HCAHJHON@?$AA?$CF?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?$CF@NNGAKEGL@ ; "%SystemRoot%"
		lea	eax, [ebx+80h]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	loc_90A8E0
		mov	esi, edi
		lea	ecx, [ebx+40h]
		mov	[ebp+var_328], esi
		jmp	loc_86A554
; 

loc_86A76F:				; CODE XREF: EtwStartAutoLogger+876j
		lea	ecx, [ebx+60h]
		mov	eax, [ecx]
		inc	eax
		mov	[ecx], eax
		cmp	eax, [ebp+var_340]
		ja	loc_86A805
		cmp	eax, 10h
		ja	short loc_86A805

loc_86A788:				; CODE XREF: EtwStartAutoLogger+B08j
		cmp	[ebp+var_320], 0
		push	4
		pop	esi
		push	esi
		push	ecx
		push	esi
		push	offset ??_C@_1BI@MGELNINL@?$AAF?$AAi?$AAl?$AAe?$AAC?$AAo?$AAu?$AAn?$AAt?$AAe?$AAr@NNGAKEGL@
		jnz	loc_90A8EA
		push	[ebp+var_32C]

loc_86A7A6:				; CODE XREF: EtwStartAutoLogger+A0BEEj
		push	40000000h
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		jmp	loc_86A581
; 

loc_86A7B5:				; CODE XREF: EtwStartAutoLogger+890j
					; EtwStartAutoLogger+8A3j
		sbb	eax, eax
		xor	ecx, ecx
		inc	ecx
		or	eax, ecx
		jmp	loc_86A5B6
; 

loc_86A7C1:				; CODE XREF: EtwStartAutoLogger+923j
		xor	eax, eax
		lea	ecx, [edi+890h]

loc_86A7C9:				; CODE XREF: EtwStartAutoLogger+ADBj
		xor	edi, edi
		cmp	[ecx], di
		mov	edi, [ebp+var_334]
		jz	short loc_86A80F
		inc	eax
		add	ecx, 2
		cmp	eax, 8
		jb	short loc_86A7C9
		jmp	loc_86A62B
; 

loc_86A7E4:				; CODE XREF: EtwStartAutoLogger+861j
		mov	eax, [ecx]
		test	al, al
		jns	short loc_86A823
		test	eax, 100h
		jz	short loc_86A823
		cmp	[ebx+84h], edi
		jnz	short loc_86A823
		or	dword ptr [ebx+70h], 8004000h
		jmp	loc_86A569
; 

loc_86A805:				; CODE XREF: EtwStartAutoLogger+A7Bj
					; EtwStartAutoLogger+A84j
		xor	eax, eax
		inc	eax
		mov	[ecx], eax
		jmp	loc_86A788
; 

loc_86A80F:				; CODE XREF: EtwStartAutoLogger+AD2j
		mov	[edi+eax*2+890h], dx
		jmp	loc_86A62B
; 

loc_86A81C:				; CODE XREF: EtwStartAutoLogger+154j
		mov	edi, ebx
		jmp	loc_86A666
; 

loc_86A823:				; CODE XREF: EtwStartAutoLogger+AE6j
					; EtwStartAutoLogger+AEDj ...
		mov	esi, 0C0000022h
		mov	[ebp+var_328], esi
		jmp	loc_86A569
EtwStartAutoLogger endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpEnableKeyProviders proc near	; CODE XREF: EtwStartAutoLogger+959p

var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_40		= dword	ptr -40h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0090AA1C SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 168h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_40]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, edx
		push	38h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_168], ecx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_164]
		push	120h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_40]
		push	0		; int
		push	offset _EtwpFreeKeyNameEntry@8 ; int
		push	offset _EtwpAllocateKeyNameEntry@8 ; int
		push	offset _EtwpAvlCompareKeyNames@12 ; int
		push	eax		; void *
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		push	[ebp+arg_8]
		lea	eax, [ebp+var_40]
		mov	edx, ebx
		push	eax
		push	ecx
		lea	eax, [ebp+var_164]
		push	eax
		push	edi
		push	esi
		mov	esi, [ebp+var_168]
		mov	ecx, esi
		call	EtwpEnumerateKeyProviders
		test	edi, edi
		jnz	loc_90AA1C

loc_86A8C2:				; CODE XREF: EtwpEnableKeyProviders+A0203j
		lea	ecx, [ebp+var_40]
		call	_EtwpFreeKeyNameList@4 ; EtwpFreeKeyNameList(x)
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
EtwpEnableKeyProviders endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall EtwpFreeKeyNameList(x)
_EtwpFreeKeyNameList@4 proc near	; CODE XREF: EtwpEnableKeyProviders+91p
					; EtwpInitializeAutoLoggers+130p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		jmp	short loc_86A8EA
; 

loc_86A8E3:				; CODE XREF: EtwpFreeKeyNameList(x)+18j
		push	eax
		push	esi
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)

loc_86A8EA:				; CODE XREF: EtwpFreeKeyNameList(x)+5j
		push	1
		push	esi
		call	_RtlEnumerateGenericTableAvl@8 ; RtlEnumerateGenericTableAvl(x,x)
		test	eax, eax
		jnz	short loc_86A8E3
		pop	esi
		retn
_EtwpFreeKeyNameList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpEnumerateKeyProviders proc near	; CODE XREF: EtwpEnableKeyProviders+81p
					; EtwpEnableKeyProviders+A01FEp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0090AA3C SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_14], edx
		lea	eax, [ebp+var_20]
		mov	[ebp+var_18], ecx
		push	eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_10], ebx
		mov	byte ptr [ebp+var_1], bl
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_20]
		mov	[ebp+var_38], 18h
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	20019h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_34], ebx
		push	eax
		mov	[ebp+var_2C], 240h
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_86A9DA
		mov	ecx, [ebp+arg_8]
		mov	edi, ebx
		mov	ebx, [ebp+arg_4]

loc_86A964:				; CODE XREF: EtwpEnumerateKeyProviders+D8j
		lea	eax, [ebp+var_10]
		push	eax
		push	11Eh
		push	ecx
		push	0
		push	edi
		push	[ebp+var_C]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	ecx, [ebp+arg_8]
		mov	esi, eax
		mov	eax, [ecx+0Ch]
		cmp	eax, 108h
		jnb	short loc_86A9EE

loc_86A988:				; CODE XREF: EtwpEnumerateKeyProviders+FBj
		test	esi, esi
		js	short loc_86A9E1
		shr	eax, 1
		xor	edx, edx
		mov	[ecx+eax*2+10h], dx
		lea	eax, [ebp+var_1]
		push	eax		; int
		mov	eax, [ecx+0Ch]
		lea	edx, [ecx+10h]
		add	eax, 2
		mov	[ebp+arg_4], edx
		push	eax		; size_t
		push	edx		; void *
		push	[ebp+arg_10]	; int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_86A9CA
		push	[ebp+arg_14]
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_18]
		push	ebx
		push	[ebp+arg_0]
		push	[ebp+arg_4]
		call	EtwpEnableAutoLoggerProvider

loc_86A9CA:				; CODE XREF: EtwpEnumerateKeyProviders+BBj
					; EtwpEnumerateKeyProviders+A016Bj
		mov	ecx, [ebp+arg_8]

loc_86A9CD:				; CODE XREF: EtwpEnumerateKeyProviders+EFj
		inc	edi
		test	esi, esi
		jns	short loc_86A964
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_86A9DA:				; CODE XREF: EtwpEnumerateKeyProviders+62j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_86A9E1:				; CODE XREF: EtwpEnumerateKeyProviders+92j
		cmp	esi, 8000001Ah
		jz	short loc_86A9CD
		jmp	loc_90AA3C
; 

loc_86A9EE:				; CODE XREF: EtwpEnumerateKeyProviders+8Ej
		mov	esi, 80000005h
		jmp	short loc_86A988
EtwpEnumerateKeyProviders endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDcCompareUpdateProperties(int,void *,void *)
_PiDcCompareUpdateProperties@12	proc near ; DATA XREF: PiDcInit(x)+34o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	14h		; size_t
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_4]	; void *
		call	_memcmp
		mov	ecx, eax
		add	esp, 0Ch
		xor	eax, eax
		test	ecx, ecx
		jns	short loc_86AA17

loc_86AA13:				; CODE XREF: PiDcCompareUpdateProperties(x,x,x)+25j
		pop	ebp
		retn	0Ch
; 

loc_86AA17:				; CODE XREF: PiDcCompareUpdateProperties(x,x,x)+1Bj
		setle	al
		inc	eax
		jmp	short loc_86AA13
_PiDcCompareUpdateProperties@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLogPinDriverAddressesWorker proc near	; DATA XREF: MiCheckLogPinDriverAddresses+E3o

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090AA68 SIZE 00000118 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0A4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	esi, esi

loc_86AA3F:				; CODE XREF: MiLogPinDriverAddressesWorker+37j
		mov	eax, _MiPinDriverAddressLog[esi*4]
		mov	[esp+0B0h+var_A0], eax
		test	al, 1
		jnz	short loc_86AAB8

loc_86AA4E:				; CODE XREF: MiLogPinDriverAddressesWorker+BEj
		inc	esi
		cmp	esi, 800h
		jb	short loc_86AA3F
		xor	ebx, ebx
		mov	esi, offset unk_6C686C

loc_86AA5E:				; CODE XREF: MiLogPinDriverAddressesWorker+77j
		and	[esp+0B0h+var_9C], 0

loc_86AA63:				; CODE XREF: MiLogPinDriverAddressesWorker+71j
		xor	edi, edi

loc_86AA65:				; CODE XREF: MiLogPinDriverAddressesWorker+63j
		mov	eax, [esi-4]
		mov	ecx, [esi]
		mov	[esp+0B0h+var_A0], eax
		mov	[esp+0B0h+var_98], ecx
		cmp	eax, ecx
		jnz	loc_90AA68

loc_86AA7A:				; CODE XREF: MiLogPinDriverAddressesWorker+A015Dj
		inc	edi
		add	esi, 8
		cmp	edi, 2
		jb	short loc_86AA65
		mov	eax, [esp+0B0h+var_9C]
		inc	eax
		mov	[esp+0B0h+var_9C], eax
		cmp	eax, 2
		jb	short loc_86AA63
		inc	ebx
		cmp	ebx, 2
		jb	short loc_86AA5E
		xor	eax, eax
		mov	ecx, offset unk_6C68B8
		xchg	ax, [ecx]
		mov	ecx, [esp+0B0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_86AAB8:				; CODE XREF: MiLogPinDriverAddressesWorker+2Ej
		push	1
		and	eax, 0FFFFFFFEh
		push	esi
		mov	[esp+0B8h+var_A0], eax
		push	offset dword_6C6760
		mov	_MiPinDriverAddressLog[esi*4], eax
		call	RtlInterlockedClearBitRun
		lea	ecx, [esp+0B0h+var_A0]
		call	MiLogPinDriverAddress
		jmp	loc_86AA4E
MiLogPinDriverAddressesWorker endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLogPinDriverAddress proc near		; CODE XREF: MiLogPinDriverAddressesWorker+B9p

var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090AB80 SIZE 0000022F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 154h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	eax, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, large fs:124h
		mov	[ebp+var_13C], ebx
		mov	esi, [eax]
		mov	[ebp+var_138], ebx
		and	esi, 0FFFFF000h
		dec	word ptr [edi+13Ch]
		mov	[ebp+var_114], eax
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceSharedLite
		xor	edx, edx
		mov	ecx, esi
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		test	eax, eax
		jz	short loc_86AB96
		mov	ecx, [eax+40h]
		lea	ebx, [eax+2Ch]
		mov	[ebp+var_10C], ecx
		mov	ecx, [eax+58h]
		mov	[ebp+var_110], ecx

loc_86AB55:				; CODE XREF: MiLogPinDriverAddress+D3j
		mov	esi, dword_6D35BC
		cmp	dword ptr [esi], 5
		jbe	short loc_86AB76
		push	4000h
		push	0
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_90AB80

loc_86AB76:				; CODE XREF: MiLogPinDriverAddress+7Cj
					; MiLogPinDriverAddress+A02C8j
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_86AB96:				; CODE XREF: MiLogPinDriverAddress+5Cj
		mov	[ebp+var_10C], ebx
		mov	[ebp+var_110], ebx
		lea	ebx, [ebp+var_13C]
		push	offset ??_C@_1CA@JICPFAMK@?$AAI?$AAm?$AAa?$AAg?$AAe?$AA?5?$AAn?$AAo?$AAt?$AA?5?$AAf?$AAo?$AAu?$AAn?$AAd@NNGAKEGL@ ; "Image not found"
		mov	eax, ebx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	short loc_86AB55
MiLogPinDriverAddress endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpAsynchronousCall proc near		; CODE XREF: PnpSendIrp+6Ap
					; PiIrpQueryRemoveDevice(x,x)+A5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090ADAF SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	[ebp+var_8], edx
		mov	esi, ecx
		push	edi
		mov	edx, 69706E50h
		call	IoGetAttachedDeviceReferenceWithTag
		push	0
		mov	[ebp+var_4], eax
		movzx	edx, byte ptr [eax+30h]
		push	edx
		call	IoAllocateIrp
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_90ADAF
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	_IovUtilWatermarkIrp@8 ; IovUtilWatermarkIrp(x,x)
		test	esi, esi
		jz	short loc_86AC6D
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]

loc_86AC02:				; CODE XREF: PnpAsynchronousCall+B7j
		test	eax, eax
		jz	short loc_86AC09
		mov	[eax+24h], ebx

loc_86AC09:				; CODE XREF: PnpAsynchronousCall+4Cj
		mov	eax, large fs:124h
		mov	edx, ebx
		mov	edi, [ebx+60h]
		and	dword ptr [ebx+1Ch], 0
		sub	edi, 24h
		and	dword ptr [ebx+28h], 0
		and	dword ptr [ebx+2Ch], 0
		mov	esi, [ebp+var_8]
		mov	[ebx+50h], eax
		mov	eax, [ebp+arg_0]
		mov	dword ptr [ebx+18h], 0C00000BBh
		mov	byte ptr [ebx+20h], 0
		push	9
		pop	ecx
		rep movsd
		mov	ecx, [ebx+60h]
		mov	edi, [ebp+var_4]
		mov	[ecx-8], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx-4], eax
		mov	byte ptr [ecx-21h], 0E0h
		mov	ecx, edi
		call	IofCallDriver
		mov	esi, eax

loc_86AC58:				; CODE XREF: PnpAsynchronousCall+A01FFj
		mov	edx, 69706E50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_86AC6D:				; CODE XREF: PnpAsynchronousCall+3Fj
		xor	eax, eax
		jmp	short loc_86AC02
PnpAsynchronousCall endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtGetNextProcess proc near		; DATA XREF: .text:00581000o

var_174		= dword	ptr -174h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_155		= byte ptr -155h
var_154		= dword	ptr -154h
var_90		= dword	ptr -90h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0090ADBC SIZE 00000053 BYTES
; FUNCTION CHUNK AT 0090AE3D SIZE 00000012 BYTES

		push	168h
		push	offset dword_6A4BB0
		call	__SEH_prolog4_GS
		mov	edi, [ebp+arg_0]
		mov	esi, [ebp+arg_10]
		mov	[ebp+var_16C], esi
		xor	ebx, ebx
		mov	[ebp+var_15C], ebx
		push	74h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_90]
		push	eax		; void *
		call	_memset
		push	0C4h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_154]
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	[ebp+var_168], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_164],	al
		mov	[ebp+ms_exc.disabled], ebx
		test	al, al
		setz	bl
		dec	ebx
		and	ebx, 0FFFEFE00h
		add	ebx, 11FF2h
		and	ebx, [ebp+arg_8]
		test	al, al
		jz	short loc_86AD00
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jnb	loc_90ADBC

loc_86ACFC:				; CODE XREF: NtGetNextProcess+A014Cj
		mov	eax, [ecx]
		mov	[ecx], eax

loc_86AD00:				; CODE XREF: NtGetNextProcess+79j
		xor	ecx, ecx
		mov	[esi], ecx
		push	0FFFFFFFEh
		pop	eax
		mov	[ebp+ms_exc.disabled], eax
		mov	esi, [ebp+arg_C]
		test	esi, eax
		jnz	loc_90ADC3
		test	edi, edi
		jz	short loc_86AD41
		push	ecx
		lea	eax, [ebp+var_15C]
		push	eax
		push	6E457350h
		push	[ebp+var_164]
		push	ds:_PsProcessType
		push	ecx
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_86AE67

loc_86AD41:				; CODE XREF: NtGetNextProcess+A5j
		and	esi, 1
		mov	[ebp+arg_C], esi
		mov	ecx, [ebp+var_15C]
		jnz	loc_90ADCD
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		mov	[ebp+var_160], esi

loc_86AD60:				; CODE XREF: NtGetNextProcess+A0168j
		test	esi, esi
		jz	loc_86AEB5
		push	[ebp+var_164]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		setnz	[ebp+var_155]
		mov	edi, large fs:124h
		mov	[ebp+var_174], edi
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		mov	[ebp+var_15C], eax

loc_86ADA0:				; CODE XREF: NtGetNextProcess+236j
		test	dword ptr [esi+0FCh], 4000000h
		jz	loc_90ADDF

loc_86ADB0:				; CODE XREF: NtGetNextProcess+A018Cj
		mov	edx, eax
		mov	ecx, esi
		call	_PsIsProcessInSilo@8 ; PsIsProcessInSilo(x,x)
		test	al, al
		jz	loc_86AE87
		mov	eax, ds:_PsProcessType
		add	eax, 34h
		push	eax		; int
		push	[ebp+arg_4]	; int
		lea	eax, [ebp+var_154]
		push	eax		; void *
		lea	eax, [ebp+var_90]
		push	eax		; void *
		call	SeCreateAccessState
		mov	edi, eax
		test	edi, edi
		js	short loc_86AE55
		cmp	[ebp+var_155], 0
		jz	short loc_86AE04
		mov	eax, [ebp+var_80]
		test	eax, 2000000h
		jnz	loc_90AE03
		or	[ebp+var_7C], eax

loc_86AE00:				; CODE XREF: NtGetNextProcess+A0198j
		and	[ebp+var_80], 0

loc_86AE04:				; CODE XREF: NtGetNextProcess+17Bj
		lea	eax, [ebp+var_168]
		push	eax
		push	[ebp+var_164]
		push	ds:_PsProcessType
		push	0
		lea	eax, [ebp+var_90]
		push	eax
		push	ebx
		push	esi
		call	ObOpenObjectByPointer
		mov	edi, eax
		lea	eax, [ebp+var_90]
		push	eax
		call	SeDeleteAccessState
		test	edi, edi
		js	short loc_86AE79
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_168]
		mov	ecx, [ebp+var_16C]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_86AE55:				; CODE XREF: NtGetNextProcess+172j
					; NtGetNextProcess+20Dj ...
		test	esi, esi
		jz	short loc_86AE65
		mov	edx, 6E457350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_86AE65:				; CODE XREF: NtGetNextProcess+1E5j
		mov	eax, edi

loc_86AE67:				; CODE XREF: NtGetNextProcess+C9j
					; NtGetNextProcess+248j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_86AE79:				; CODE XREF: NtGetNextProcess+1C5j
		cmp	edi, 0C0000022h
		jnz	short loc_86AE55
		mov	edi, [ebp+var_174]

loc_86AE87:				; CODE XREF: NtGetNextProcess+149j
					; NtGetNextProcess+A0180j
		mov	ecx, esi
		cmp	[ebp+arg_C], 0
		jnz	loc_90AE3D
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		mov	[ebp+var_160], esi

loc_86AEA0:				; CODE XREF: NtGetNextProcess+A01D8j
		test	esi, esi
		mov	eax, [ebp+var_15C]
		jnz	loc_86ADA0
		mov	edi, 8000001Ah
		jmp	short loc_86AE55
; 

loc_86AEB5:				; CODE XREF: NtGetNextProcess+F0j
		mov	eax, 8000001Ah
		jmp	short loc_86AE67
NtGetNextProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPerfBoostPowerRequest(x,	x, x)
_PopPerfBoostPowerRequest@12 proc near	; DATA XREF: .data:006B148Co

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		cmp	[ebp+arg_8], bl
		jz	short loc_86AF1E
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		xor	cl, cl
		mov	_PpmPerfMaxOverrideEnabled, 1
		call	PpmPerfUpdateDomainPolicy
		push	3
		pop	esi
		push	esi
		call	PoLatencySensitivityHint

loc_86AEF3:				; CODE XREF: PopPerfBoostPowerRequest(x,x,x)+81j
		mov	eax, [ebp+var_8]
		or	[ebp+var_4], 0FFFFFFFFh
		and	eax, 0FFFFFFFDh
		push	ebx
		push	ebx
		push	ebx
		or	eax, esi
		push	ebx
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	8
		push	eax
		push	(offset	loc_407343+1)
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	0Ch
; 

loc_86AF1E:				; CODE XREF: PopPerfBoostPowerRequest(x,x,x)+14j
		call	PpmPerfClearBootOverrides
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		xor	cl, cl
		mov	_PpmPerfMaxOverrideEnabled, bl
		call	PpmPerfUpdateDomainPolicy
		xor	esi, esi
		inc	esi
		jmp	short loc_86AEF3
_PopPerfBoostPowerRequest@12 endp

; 
		align 10h
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmPerfUpdateDomainPolicy proc near	; CODE XREF: PopPerfBoostPowerRequest(x,x,x)+29p
					; PopPerfBoostPowerRequest(x,x,x)+79p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 0090AE77 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	[ebp+var_2], cl
		xor	ebx, ebx
		push	esi
		mov	esi, ds:_PpmPerfDomainHead
		mov	ecx, offset _PpmPerfDomainHead
		mov	[ebp+var_4], bl
		mov	[ebp+var_3], bl
		mov	[ebp+var_C], esi
		cmp	esi, ecx
		jz	loc_86B036
		push	edi
		mov	edi, ebx
		mov	[ebp+var_1], bl
		mov	[ebp+var_8], edi
		jz	short loc_86AFEC

loc_86AF78:				; CODE XREF: PpmPerfUpdateDomainPolicy+A0j
		mov	ecx, esi
		call	PpmPerfCalculateQosClassPolicies
		test	al, al
		jz	short loc_86AF87
		mov	[ebp+var_4], 1

loc_86AF87:				; CODE XREF: PpmPerfUpdateDomainPolicy+3Fj
		test	byte ptr [esi+128h], 0Fh
		jz	loc_90AE77

loc_86AF94:				; CODE XREF: PpmPerfUpdateDomainPolicy+9FF39j
		cmp	byte ptr [esi+13Ah], 0
		jnz	loc_90AE80
		push	4
		mov	edx, ebx
		lea	edi, [esi+120h]
		mov	bl, 1
		pop	esi

loc_86AFAE:				; CODE XREF: PpmPerfUpdateDomainPolicy+80j
		mov	ecx, [edi]
		mov	eax, ecx
		and	al, 2
		lea	edi, [edi+4]
		neg	al
		sbb	al, al
		or	edx, ecx
		and	bl, al
		sub	esi, 1
		jnz	short loc_86AFAE
		push	esi
		mov	esi, [ebp+var_C]
		test	bl, bl
		pop	ebx
		jz	loc_90AE8A

loc_86AFD1:				; CODE XREF: PpmPerfUpdateDomainPolicy+9FF4Bj
		or	[ebp+var_8], edx
		mov	al, [ebp+var_1]

loc_86AFD7:				; CODE XREF: PpmPerfUpdateDomainPolicy+9FF43j
		mov	esi, [esi]
		mov	[ebp+var_C], esi
		cmp	esi, offset _PpmPerfDomainHead
		jnz	short loc_86AF78
		test	al, al
		jnz	loc_90AE92

loc_86AFEC:				; CODE XREF: PpmPerfUpdateDomainPolicy+34j
					; PpmPerfUpdateDomainPolicy+9FF53j
		pop	edi

loc_86AFED:				; CODE XREF: PpmPerfUpdateDomainPolicy+107j
		lea	ecx, [ebp+var_8]
		call	PpmPerfUpdateQosDisableReasons
		test	al, al
		jz	short loc_86AFFB
		mov	bl, 1

loc_86AFFB:				; CODE XREF: PpmPerfUpdateDomainPolicy+B5j
		mov	al, [ebp+var_1]
		cmp	al, ds:_PpmPerfQosEnabled
		jnz	loc_90AE9A

loc_86B00A:				; CODE XREF: PpmPerfUpdateDomainPolicy+9FF63j
		mov	al, [ebp+var_3]
		test	bl, bl
		pop	esi
		mov	_PpmPerfMultimediaQosSupported,	al
		pop	ebx
		jz	short loc_86B01F
		xor	cl, cl
		call	PpmEventQosSupport

loc_86B01F:				; CODE XREF: PpmPerfUpdateDomainPolicy+D4j
		cmp	[ebp+var_4], 0
		mov	dl, [ebp+var_2]
		jz	short loc_86B04B

loc_86B028:				; CODE XREF: PpmPerfUpdateDomainPolicy+10Bj
		call	_PpmPerfSetAllDomainsToUpdate@0	; PpmPerfSetAllDomainsToUpdate()
		mov	cl, dl
		call	_PpmCheckApplyPerfConstraints@4	; PpmCheckApplyPerfConstraints(x)
		leave
		retn
; 

loc_86B036:				; CODE XREF: PpmPerfUpdateDomainPolicy+25j
		cmp	ds:_PpmPerfVmQosSupported, bl
		jnz	short loc_86B05B
		mov	[ebp+var_1], bl
		mov	eax, 80h

loc_86B046:				; CODE XREF: PpmPerfUpdateDomainPolicy+11Fj
		mov	[ebp+var_8], eax
		jmp	short loc_86AFED
; 

loc_86B04B:				; CODE XREF: PpmPerfUpdateDomainPolicy+E4j
		test	dl, dl
		jnz	short loc_86B028
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		leave
		retn
; 

loc_86B05B:				; CODE XREF: PpmPerfUpdateDomainPolicy+FAj
		mov	[ebp+var_1], 1
		mov	eax, ebx
		jmp	short loc_86B046
PpmPerfUpdateDomainPolicy endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PpmCheckApplyPerfConstraints(x)
_PpmCheckApplyPerfConstraints@4	proc near ; CODE XREF: PpmRegisterPerfCap(x)+E0p
					; PpmPerfUpdateDomainPolicy+EDp
		xor	eax, eax
		test	cl, cl
		setnz	al
		lea	ecx, [eax+1]
		jmp	_PpmCheckCustomRun@4 ; PpmCheckCustomRun(x)
_PpmCheckApplyPerfConstraints@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEventQosSupport proc	near		; CODE XREF: PpmPerfUpdateDomainPolicy+D8p
					; PpmEventTraceControlCallback+82E82p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090AEAA SIZE 00000063 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, offset _PPM_ETW_QOS_SUPPORT_RUNDOWN
		test	cl, cl
		jnz	short loc_86B095
		mov	esi, offset _PPM_ETW_QOS_SUPPORT_CHANGED

loc_86B095:				; CODE XREF: PpmEventQosSupport+1Aj
		cmp	_PpmEtwRegistered, 0
		jz	short loc_86B0BE
		push	ebx
		mov	ebx, _PpmEtwHandle
		push	edi
		mov	edi, dword_6BFD04
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_90AEAA

loc_86B0BC:				; CODE XREF: PpmEventQosSupport+9FE94j
		pop	edi
		pop	ebx

loc_86B0BE:				; CODE XREF: PpmEventQosSupport+28j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PpmEventQosSupport endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

pIoQueryDeviceDescription proc near	; CODE XREF: pIoQueryBusDescription+29Ep

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0090AF0D SIZE 00000062 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_64], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	[ebp+var_3C], eax
		mov	ebx, ecx
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_44], eax
		lea	edi, [ebp+var_2C]
		mov	[ebp+var_48], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_54], eax
		stosd
		push	1Ch
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_38]
		stosd
		stosd
		stosd
		pop	eax
		mov	word ptr [ebp+var_60+2], ax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_40]
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_86B358
		mov	eax, [ebx+8]
		mov	eax, [eax]
		push	ds:_CmTypeString[eax*4]	; void *
		lea	eax, [ebp+var_40]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_86B358
		mov	edi, [ebx+0Ch]
		test	edi, edi
		jnz	loc_90AF0D
		push	edi
		push	20019h
		lea	eax, [ebp+var_40]
		xor	edx, edx
		push	eax
		lea	ecx, [ebp+var_44]
		call	IopOpenRegistryKey
		mov	esi, eax
		test	esi, esi
		js	loc_86B358
		mov	ecx, [ebp+var_44]
		lea	edx, [ebp+var_4C]
		call	IopGetRegistryKeyInformation
		push	[ebp+var_44]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_44], edi
		test	esi, esi
		js	loc_86B358
		mov	eax, [ebp+var_4C]
		push	edi
		push	eax
		mov	ecx, [eax+14h]
		mov	[ebp+var_4C], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4C]

loc_86B1B1:				; CODE XREF: pIoQueryDeviceDescription+9FE49j
		mov	ecx, [ebp+var_40]
		mov	edx, [ebp+var_3C]
		mov	[ebp+var_70], ecx
		mov	[ebp+var_74], edx
		cmp	edi, eax
		jnb	loc_86B358
		push	1Ah
		pop	eax

loc_86B1C8:				; CODE XREF: pIoQueryDeviceDescription+286j
		mov	word ptr [ebp+var_60], ax
		lea	eax, [ebp+var_60]
		push	eax
		push	0Ah
		push	edi
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edx
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_86B358
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		lea	eax, [ebp+var_40]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_86B358
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_86B358
		push	0
		push	20019h
		lea	eax, [ebp+var_40]
		xor	edx, edx
		push	eax
		lea	ecx, [ebp+var_44]
		call	IopOpenRegistryKey
		mov	esi, eax
		test	esi, esi
		js	loc_86B345
		push	ecx
		mov	ecx, [ebp+var_44]
		lea	edx, [ebp+var_2C]
		call	_IopGetRegistryValues@12 ; IopGetRegistryValues(x,x,x)
		push	[ebp+var_44]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_44], 0
		test	esi, esi
		js	loc_86B345
		cmp	dword ptr [ebx+10h], 0
		jz	loc_90AF1A
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		lea	eax, [ebp+var_40]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_86B30F
		mov	eax, [ebx+10h]
		mov	eax, [eax]
		push	ds:_CmTypeString[eax*4]	; void *
		lea	eax, [ebp+var_40]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_86B30F
		mov	eax, [ebx+14h]
		test	eax, eax
		jnz	loc_90AF45
		push	eax
		push	20019h
		lea	eax, [ebp+var_40]
		xor	edx, edx
		push	eax
		lea	ecx, [ebp+var_48]
		call	IopOpenRegistryKey
		test	eax, eax
		js	loc_90AF55
		mov	ecx, [ebp+var_48]
		lea	edx, [ebp+var_54]
		call	IopGetRegistryKeyInformation
		push	[ebp+var_48]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_48], 0
		test	esi, esi
		js	loc_90AF55
		mov	eax, [ebp+var_54]
		mov	ecx, [eax+14h]
		mov	[ebp+var_58], ecx
		xor	ecx, ecx
		push	ecx
		push	eax
		mov	[ebp+var_50], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_54], 0
		mov	eax, [ebp+var_50]
		mov	ecx, [ebp+var_58]

loc_86B2FC:				; CODE XREF: pIoQueryDeviceDescription+9FE84j
		mov	edx, [ebp+var_40]
		cmp	eax, ecx
		mov	[ebp+var_68], edx
		mov	edx, [ebp+var_3C]
		mov	[ebp+var_6C], edx

loc_86B30A:				; CODE XREF: pIoQueryDeviceDescription+3A8j
		mov	edx, [ebp+var_68]
		jb	short loc_86B36B

loc_86B30F:				; CODE XREF: pIoQueryDeviceDescription+1A8j
					; pIoQueryDeviceDescription+1C7j ...
		cmp	[ebp+var_2C], 0
		jnz	loc_90AF5C

loc_86B319:				; CODE XREF: pIoQueryDeviceDescription+9FE9Ej
		cmp	[ebp+var_28], 0
		jz	short loc_86B32D
		push	0
		push	[ebp+var_28]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_28], 0

loc_86B32D:				; CODE XREF: pIoQueryDeviceDescription+251j
		cmp	[ebp+var_24], 0
		jz	short loc_86B341
		push	0
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_24], 0

loc_86B341:				; CODE XREF: pIoQueryDeviceDescription+265j
		test	esi, esi
		js	short loc_86B358

loc_86B345:				; CODE XREF: pIoQueryDeviceDescription+164j
					; pIoQueryDeviceDescription+186j
		mov	ecx, [ebp+var_70]
		inc	edi
		mov	edx, [ebp+var_74]
		push	1Ah
		pop	eax
		cmp	edi, [ebp+var_4C]
		jb	loc_86B1C8

loc_86B358:				; CODE XREF: pIoQueryDeviceDescription+64j
					; pIoQueryDeviceDescription+83j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_86B36B:				; CODE XREF: pIoQueryDeviceDescription+241j
		mov	ecx, [ebp+var_6C]
		push	1Ah
		mov	[ebp+var_3C], ecx
		pop	ecx
		mov	word ptr [ebp+var_60], cx
		lea	ecx, [ebp+var_60]
		push	ecx
		push	0Ah
		push	eax
		mov	[ebp+var_40], edx
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_86B30F
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		lea	eax, [ebp+var_40]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_86B30F
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_86B30F
		push	0
		push	20019h
		lea	eax, [ebp+var_40]
		xor	edx, edx
		push	eax
		lea	ecx, [ebp+var_48]
		call	IopOpenRegistryKey
		mov	esi, eax
		test	esi, esi
		js	loc_86B46A
		push	ecx
		mov	ecx, [ebp+var_48]
		lea	edx, [ebp+var_38]
		call	_IopGetRegistryValues@12 ; IopGetRegistryValues(x,x,x)
		push	[ebp+var_48]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_48], 0
		test	esi, esi
		js	short loc_86B46A
		mov	ecx, [ebp+var_50]
		lea	eax, [ebp+var_38]
		push	eax
		mov	eax, [ebx+10h]
		push	ecx
		push	dword ptr [eax]
		lea	eax, [ebp+var_2C]
		push	eax
		mov	eax, [ebx+8]
		push	edi
		push	dword ptr [eax]
		mov	eax, [ebx]
		push	[ebp+var_64]
		push	[ebp+arg_0]
		push	dword ptr [eax]
		lea	eax, [ebp+var_40]
		push	eax
		push	dword ptr [ebx+1Ch]
		call	dword ptr [ebx+18h]
		cmp	[ebp+var_38], 0
		mov	esi, eax
		jz	short loc_86B43A
		push	0
		push	[ebp+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_38], 0

loc_86B43A:				; CODE XREF: pIoQueryDeviceDescription+35Ej
		cmp	[ebp+var_34], 0
		jz	short loc_86B44E
		push	0
		push	[ebp+var_34]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_34], 0

loc_86B44E:				; CODE XREF: pIoQueryDeviceDescription+372j
		cmp	[ebp+var_30], 0
		jz	short loc_86B462
		push	0
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_30], 0

loc_86B462:				; CODE XREF: pIoQueryDeviceDescription+386j
		test	esi, esi
		js	loc_86B30F

loc_86B46A:				; CODE XREF: pIoQueryDeviceDescription+309j
					; pIoQueryDeviceDescription+32Bj
		mov	eax, [ebp+var_50]
		inc	eax
		cmp	eax, [ebp+var_58]
		mov	[ebp+var_50], eax
		jmp	loc_86B30A
pIoQueryDeviceDescription endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 916. IoQueryDeviceDescription

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoQueryDeviceDescription
IoQueryDeviceDescription proc near

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 0090AF6F SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 30h
		or	[esp+30h+var_2C], 0FFFFFFFFh
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+38h+var_28], edi
		mov	[esp+38h+var_24], edi
		mov	[esp+38h+var_30], edi
		test	eax, eax
		jz	loc_90AF6F
		mov	[esp+38h+var_20], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+38h+var_1C], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+38h+var_18], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+38h+var_14], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+38h+var_10], eax
		mov	eax, [ebp+arg_14]
		mov	[esp+38h+var_C], eax
		mov	eax, [ebp+arg_18]
		mov	[esp+38h+var_8], eax
		mov	eax, [ebp+arg_1C]
		mov	[esp+38h+var_4], eax
		mov	eax, 800h
		push	4E526F49h
		push	eax
		push	1
		mov	word ptr [esp+44h+var_28+2], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+38h+var_24], eax
		test	eax, eax
		jz	short loc_86B572
		push	offset _CmRegistryMachineHardwareDescriptionSystemName
		lea	eax, [esp+3Ch+var_28]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	edi
		push	20019h
		lea	eax, [esp+40h+var_28]
		xor	edx, edx
		push	eax
		lea	ecx, [esp+44h+var_30]
		call	IopOpenRegistryKey
		mov	esi, eax
		test	esi, esi
		js	short loc_86B54F
		push	[esp+38h+var_24]
		mov	edx, [esp+3Ch+var_30]
		lea	eax, [esp+3Ch+var_2C]
		push	[esp+3Ch+var_28]
		lea	ecx, [esp+40h+var_20]
		push	1
		push	eax
		call	pIoQueryBusDescription
		push	[esp+38h+var_30]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_86B54F:				; CODE XREF: IoQueryDeviceDescription+A8j
		push	edi
		push	[esp+3Ch+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C0000034h
		cmp	esi, 8000001Ah
		jnz	short loc_86B56E

loc_86B566:				; CODE XREF: IoQueryDeviceDescription+F2j
					; IoQueryDeviceDescription+F9j	...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_86B56E:				; CODE XREF: IoQueryDeviceDescription+E6j
		mov	eax, esi
		jmp	short loc_86B566
; 

loc_86B572:				; CODE XREF: IoQueryDeviceDescription+7Dj
		mov	eax, 0C000009Ah
		jmp	short loc_86B566
IoQueryDeviceDescription endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

pIoQueryBusDescription proc near	; CODE XREF: IoQueryDeviceDescription+C1p
					; pIoQueryBusDescription+1BDp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0090AF79 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_24], eax
		mov	ebx, edx
		xor	eax, eax
		mov	[ebp+var_38], ecx
		push	esi
		push	edi
		mov	[ebp+var_30], eax
		lea	edi, [ebp+var_10]
		mov	[ebp+var_2C], eax
		lea	edx, [ebp+var_18]
		mov	[ebp+var_20], eax
		mov	ecx, ebx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_3C], eax
		stosd
		mov	[ebp+var_34], ebx
		stosd
		stosd
		call	IopGetRegistryKeyInformation
		test	eax, eax
		js	loc_86B76D
		mov	ebx, [ebp+var_18]
		lea	eax, [ebp+var_28]
		push	eax
		push	20h
		pop	edx
		mov	ecx, [ebx+18h]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_86B76D
		push	424B6F49h
		push	[ebp+var_28]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	0
		push	ebx
		mov	edi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jz	loc_90AF79
		mov	ebx, [ebp+var_38]
		xor	ecx, ecx
		mov	[ebp+var_18], ecx

loc_86B614:				; CODE XREF: pIoQueryBusDescription+1E3j
		mov	eax, [ebx+4]
		test	eax, eax
		jnz	loc_86B7E3

loc_86B61F:				; CODE XREF: pIoQueryBusDescription+270j
		lea	eax, [ebp+var_3C]
		push	eax
		push	[ebp+var_28]
		push	edi
		push	0
		push	ecx
		push	[ebp+var_34]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_86B763
		cmp	[ebp+arg_4], 0
		jnz	loc_86B77E

loc_86B646:				; CODE XREF: pIoQueryBusDescription+21Ej
					; pIoQueryBusDescription+23Ej ...
		mov	edx, [ebp+var_34]
		lea	eax, [edi+10h]
		mov	[ebp+var_2C], eax
		lea	ecx, [ebp+var_14]
		mov	ax, [edi+0Ch]
		mov	word ptr [ebp+var_30], ax
		mov	ax, [edi+0Ch]
		push	0
		mov	word ptr [ebp+var_30+2], ax
		lea	eax, [ebp+var_30]
		push	20019h
		push	eax
		call	IopOpenRegistryKey
		test	eax, eax
		js	loc_86B754
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_20]
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	al, [ebp+arg_4]
		test	al, al
		jnz	short loc_86B720
		push	ecx
		mov	ecx, [ebp+var_14]
		lea	edx, [ebp+var_10]
		call	_IopGetRegistryValues@12 ; IopGetRegistryValues(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_86B712
		mov	edx, [ebp+var_C]
		test	edx, edx
		jz	short loc_86B6D7
		cmp	dword ptr [edx+0Ch], 0
		jz	short loc_86B6D7
		mov	eax, [edx+8]
		mov	ecx, [ebx]
		mov	eax, [edx+eax]
		cmp	eax, [ecx]
		jz	loc_86B7F5

loc_86B6D7:				; CODE XREF: pIoQueryBusDescription+145j
					; pIoQueryBusDescription+14Bj ...
		cmp	[ebp+var_10], 0
		jz	short loc_86B6EE
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_10], 0
		mov	edx, [ebp+var_C]

loc_86B6EE:				; CODE XREF: pIoQueryBusDescription+161j
		test	edx, edx
		jz	short loc_86B6FE
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_C], 0

loc_86B6FE:				; CODE XREF: pIoQueryBusDescription+176j
		cmp	[ebp+var_8], 0
		jz	short loc_86B712
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_8], 0

loc_86B712:				; CODE XREF: pIoQueryBusDescription+13Ej
					; pIoQueryBusDescription+188j
		mov	eax, [ebx+4]
		test	eax, eax
		jnz	loc_86B84B

loc_86B71D:				; CODE XREF: pIoQueryBusDescription+2DEj
		mov	al, [ebp+arg_4]

loc_86B720:				; CODE XREF: pIoQueryBusDescription+12Cj
		push	[ebp+var_1C]
		mov	edx, [ebp+var_14]
		test	al, al
		push	[ebp+var_20]
		setz	al
		mov	ecx, ebx
		movzx	eax, al
		push	eax
		push	[ebp+var_24]
		call	pIoQueryBusDescription
		lea	esi, [eax+7FFFFFE6h]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_86B748:				; CODE XREF: pIoQueryBusDescription+2D8j
		push	[ebp+var_14]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_14], 0

loc_86B754:				; CODE XREF: pIoQueryBusDescription+FAj
					; pIoQueryBusDescription+25Ej
		mov	ecx, [ebp+var_18]
		inc	ecx
		mov	[ebp+var_18], ecx
		test	esi, esi
		jns	loc_86B614

loc_86B763:				; CODE XREF: pIoQueryBusDescription+BCj
					; pIoQueryBusDescription+276j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_86B76D:				; CODE XREF: pIoQueryBusDescription+4Fj
					; pIoQueryBusDescription+6Bj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_86B77E:				; CODE XREF: pIoQueryBusDescription+C6j
		mov	eax, [edi+0Ch]
		lea	ecx, [edi+10h]
		shr	eax, 1
		push	eax		; size_t
		push	ds:off_A3F558	; wchar_t *
		push	ecx		; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_86B646
		mov	eax, [edi+0Ch]
		shr	eax, 1
		push	eax		; size_t
		push	ds:off_A3F548	; wchar_t *
		lea	eax, [edi+10h]
		push	eax		; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_86B646
		mov	eax, [edi+0Ch]
		shr	eax, 1
		push	eax		; size_t
		push	ds:off_A3F54C	; wchar_t *
		lea	eax, [edi+10h]
		push	eax		; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_86B754
		jmp	loc_86B646
; 

loc_86B7E3:				; CODE XREF: pIoQueryBusDescription+9Fj
		mov	edx, [ebp+var_24]
		mov	eax, [eax]
		cmp	eax, [edx]
		jnz	loc_86B61F
		jmp	loc_86B763
; 

loc_86B7F5:				; CODE XREF: pIoQueryBusDescription+157j
		mov	ecx, [ebp+var_24]
		mov	eax, [ecx]
		inc	eax
		mov	[ecx], eax
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jnz	short loc_86B827

loc_86B804:				; CODE XREF: pIoQueryBusDescription+2AFj
		xor	ecx, ecx
		cmp	[ebx+8], ecx
		jz	short loc_86B830
		push	[ebp+var_1C]
		lea	ecx, [ebp+var_10]
		push	[ebp+var_20]
		push	ecx
		push	eax
		mov	ecx, ebx
		call	pIoQueryDeviceDescription

loc_86B81D:				; CODE XREF: pIoQueryBusDescription+2CFj
		mov	edx, [ebp+var_C]
		mov	esi, eax
		jmp	loc_86B6D7
; 

loc_86B827:				; CODE XREF: pIoQueryBusDescription+288j
		cmp	[ecx], eax
		jz	short loc_86B804
		jmp	loc_86B6D7
; 

loc_86B830:				; CODE XREF: pIoQueryBusDescription+28Fj
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		push	eax
		mov	eax, [ebx]
		push	dword ptr [eax]
		lea	eax, [ebp+var_20]
		push	eax
		push	dword ptr [ebx+1Ch]
		call	dword ptr [ebx+18h]
		jmp	short loc_86B81D
; 

loc_86B84B:				; CODE XREF: pIoQueryBusDescription+19Dj
		mov	ecx, [ebp+var_24]
		mov	eax, [eax]
		cmp	eax, [ecx]
		jz	loc_86B748
		jmp	loc_86B71D
pIoQueryBusDescription endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetRegistryKeyInformation proc near	; CODE XREF: pIoQueryDeviceDescription+B8p
					; pIoQueryDeviceDescription+1F6p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090AF83 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	edi, ecx
		lea	eax, [ebp+var_4]
		push	eax
		xor	ecx, ecx
		mov	ebx, edx
		push	ecx
		push	ecx
		push	2
		push	edi
		mov	[ebp+var_4], ecx
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_86B8BB

loc_86B884:				; CODE XREF: IopGetRegistryKeyInformation+62j
		mov	edx, [ebp+var_4]
		mov	ecx, 200h
		push	esi
		call	IopVerifierExAllocatePool
		mov	esi, eax
		test	esi, esi
		jz	short loc_86B8C4
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		push	esi
		push	2
		push	edi
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_90AF83
		mov	[ebx], esi
		xor	eax, eax

loc_86B8B6:				; CODE XREF: IopGetRegistryKeyInformation+6Bj
					; IopGetRegistryKeyInformation+9F72Fj
		pop	esi

loc_86B8B7:				; CODE XREF: IopGetRegistryKeyInformation+64j
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_86B8BB:				; CODE XREF: IopGetRegistryKeyInformation+24j
		cmp	eax, 80000005h
		jz	short loc_86B884
		jmp	short loc_86B8B7
; 

loc_86B8C4:				; CODE XREF: IopGetRegistryKeyInformation+38j
		mov	eax, 0C000009Ah
		jmp	short loc_86B8B6
IopGetRegistryKeyInformation endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall IopGetRegistryValues(x, x, x)
_IopGetRegistryValues@12 proc near	; CODE XREF: pIoQueryDeviceDescription+171p
					; pIoQueryDeviceDescription+316p ...
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [edx+4]
		push	edx
		mov	[edx], eax
		mov	esi, ecx
		mov	[edx+8], eax
		mov	edx, offset ??_C@_1BG@IEICLFFJ@?$AAI?$AAd?$AAe?$AAn?$AAt?$AAi?$AAf?$AAi?$AAe?$AAr@NNGAKEGL@ ; "Identifier"
		push	28h
		mov	[edi], eax
		call	IopGetRegistryValue
		mov	ebx, 0C0000034h
		test	eax, eax
		js	short loc_86B928

loc_86B8F6:				; CODE XREF: IopGetRegistryValues(x,x,x)+5Ej
		push	edi
		push	20h
		mov	edx, offset ??_C@_1CG@CDEDNCMF@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AA?5?$AAD@NNGAKEGL@
		mov	ecx, esi
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_86B92E

loc_86B909:				; CODE XREF: IopGetRegistryValues(x,x,x)+66j
		lea	eax, [edi+4]
		mov	edx, offset ??_C@_1CM@ODEMAHPH@?$AAC?$AAo?$AAm?$AAp?$AAo?$AAn?$AAe?$AAn?$AAt?$AA?5?$AAI?$AAn?$AAf?$AAo?$AAr@NNGAKEGL@
		push	eax
		push	10h
		mov	ecx, esi
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_86B934

loc_86B91F:				; CODE XREF: IopGetRegistryValues(x,x,x)+6Cj
		xor	eax, eax

loc_86B921:				; CODE XREF: IopGetRegistryValues(x,x,x)+60j
					; IopGetRegistryValues(x,x,x)+64j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		retn	4
; 

loc_86B928:				; CODE XREF: IopGetRegistryValues(x,x,x)+28j
		cmp	eax, ebx
		jz	short loc_86B8F6
		jmp	short loc_86B921
; 

loc_86B92E:				; CODE XREF: IopGetRegistryValues(x,x,x)+3Bj
		cmp	eax, ebx
		jnz	short loc_86B921
		jmp	short loc_86B909
; 

loc_86B934:				; CODE XREF: IopGetRegistryValues(x,x,x)+51j
		cmp	eax, ebx
		jnz	short loc_86B921
		jmp	short loc_86B91F
_IopGetRegistryValues@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipSendEnableDisableRequest proc near	; CODE XREF: WmipSendEnableRequest+51p
					; WmipDoDisableRequest+25p ...

var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_13E		= byte ptr -13Eh
var_13D		= byte ptr -13Dh
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_8		= dword	ptr -8
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 0090AF92 SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 158h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	100h		; size_t
		lea	eax, [ebp+var_10C]
		mov	esi, edx
		mov	bl, cl
		mov	[ebp+var_148], esi
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_13E], bl
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_13C]
		push	30h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	byte ptr [esi+8], 1
		jnz	loc_86BA15
		cmp	bl, 4
		jnz	loc_86BB76

loc_86B99E:				; CODE XREF: WmipSendEnableDisableRequest+24Cj
		mov	[ebp+var_13D], 1

loc_86B9A5:				; CODE XREF: WmipSendEnableDisableRequest+246j
		xor	ebx, ebx
		mov	eax, 2000h
		cmp	[ebp+arg_0], bl
		setnz	bl
		xor	edx, edx
		dec	ebx
		mov	[ebp+var_144], edx
		and	ebx, eax
		add	ebx, eax
		mov	eax, [esi+14h]
		cmp	eax, 40h
		ja	loc_90AF92
		lea	edi, [ebp+var_10C]
		mov	[ebp+var_14C], edi

loc_86B9D7:				; CODE XREF: WmipSendEnableDisableRequest+9F684j
		lea	eax, [esi+20h]
		mov	esi, [eax]
		cmp	esi, eax
		jnz	short loc_86BA28

loc_86B9E0:				; CODE XREF: WmipSendEnableDisableRequest+F7j
					; WmipSendEnableDisableRequest+182j
		xor	ebx, ebx
		push	ebx
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		cmp	[ebp+var_144], ebx
		ja	loc_86BAC1

loc_86B9F9:				; CODE XREF: WmipSendEnableDisableRequest+213j
		lea	eax, [ebp+var_10C]
		cmp	edi, eax
		jnz	loc_90AFC3

loc_86BA07:				; CODE XREF: WmipSendEnableDisableRequest+9F690j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject

loc_86BA15:				; CODE XREF: WmipSendEnableDisableRequest+55j
		xor	eax, eax

loc_86BA17:				; CODE XREF: WmipSendEnableDisableRequest+9F679j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_86BA28:				; CODE XREF: WmipSendEnableDisableRequest+A4j
		mov	eax, [ebp+var_148]

loc_86BA2E:				; CODE XREF: WmipSendEnableDisableRequest+17Cj
		cmp	edx, [eax+14h]
		jnb	short loc_86B9E0
		mov	ecx, [esi+8]
		test	ecx, 1000h
		jnz	short loc_86BAAF
		cmp	[ebp+arg_0], 0
		jz	loc_86BB68

loc_86BA48:				; CODE XREF: WmipSendEnableDisableRequest+231j
		mov	edi, [esi+20h]
		mov	[ebp+var_150], edi
		test	dword ptr [edi+8], 20000000h
		mov	edi, [ebp+var_14C]
		jnz	short loc_86BAAF
		mov	eax, ecx
		and	eax, ebx
		cmp	[ebp+var_13D], 0
		jz	loc_86BB52
		test	eax, eax
		jnz	short loc_86BA95

loc_86BA75:				; CODE XREF: WmipSendEnableDisableRequest+21Aj
		mov	eax, [ebp+var_150]
		mov	ecx, eax
		mov	[edi+edx*4], eax
		call	WmipReferenceEntry
		mov	edx, [ebp+var_144]
		mov	ecx, [esi+8]
		inc	edx
		mov	[ebp+var_144], edx

loc_86BA95:				; CODE XREF: WmipSendEnableDisableRequest+139j
					; WmipSendEnableDisableRequest+220j
		cmp	[ebp+var_13D], 0
		mov	eax, ebx
		jz	loc_86BB5F
		or	eax, ecx

loc_86BAA6:				; CODE XREF: WmipSendEnableDisableRequest+229j
		mov	[esi+8], eax
		mov	eax, [ebp+var_148]

loc_86BAAF:				; CODE XREF: WmipSendEnableDisableRequest+102j
					; WmipSendEnableDisableRequest+124j ...
		mov	esi, [esi]
		lea	ecx, [eax+20h]
		cmp	esi, ecx
		jnz	loc_86BA2E
		jmp	loc_86B9E0
; 

loc_86BAC1:				; CODE XREF: WmipSendEnableDisableRequest+B9j
		mov	esi, [ebp+var_148]
		lea	edi, [ebp+var_124]
		mov	[ebp+var_138], ebx
		mov	[ebp+var_134], ebx
		mov	[ebp+var_130], ebx
		lea	esi, [esi+28h]
		mov	[ebp+var_12C], ebx
		mov	[ebp+var_128], ebx
		mov	[ebp+var_114], ebx
		mov	[ebp+var_110], ebx
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_14C]
		mov	[ebp+var_13C], 30h

loc_86BB0E:				; CODE XREF: WmipSendEnableDisableRequest+20Fj
		mov	esi, [edi+ebx*4]
		lea	eax, [ebp+var_154]
		mov	cl, [ebp+var_13E]
		push	eax
		lea	eax, [ebp+var_13C]
		mov	edx, [esi+1Ch]
		push	eax
		push	30h
		lea	eax, [ebp+var_124]
		push	eax
		call	_WmipSendWmiIrp@24 ; WmipSendWmiIrp(x,x,x,x,x,x)
		mov	edx, esi
		mov	ecx, offset _WmipDSChunkInfo
		call	WmipUnreferenceEntry
		inc	ebx
		cmp	ebx, [ebp+var_144]
		jb	short loc_86BB0E
		xor	ebx, ebx
		jmp	loc_86B9F9
; 

loc_86BB52:				; CODE XREF: WmipSendEnableDisableRequest+131j
		test	eax, eax
		jnz	loc_86BA75
		jmp	loc_86BA95
; 

loc_86BB5F:				; CODE XREF: WmipSendEnableDisableRequest+164j
		not	eax
		and	eax, ecx
		jmp	loc_86BAA6
; 

loc_86BB68:				; CODE XREF: WmipSendEnableDisableRequest+108j
		test	cl, 4
		jnz	loc_86BA48
		jmp	loc_86BAAF
; 

loc_86BB76:				; CODE XREF: WmipSendEnableDisableRequest+5Ej
		mov	[ebp+var_13D], 0
		cmp	bl, 6
		jnz	loc_86B9A5
		jmp	loc_86B99E
WmipSendEnableDisableRequest endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipSendWmiIrp(x, x, x, x, x, x)
_WmipSendWmiIrp@24 proc	near		; CODE XREF: WmipQueryAllData+421p
					; WmipQuerySetExecuteSI+1F5p ...

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_1], cl
		mov	[ebp+var_8], edi

loc_86BBA2:				; CODE XREF: WmipSendWmiIrp(x,x,x,x,x,x)+8Cj
		mov	eax, _WmipServiceDeviceObject
		push	0
		mov	al, [eax+30h]
		inc	al
		movzx	eax, al
		push	eax
		call	IoAllocateIrp
		mov	esi, eax
		test	esi, esi
		jz	short loc_86BC1A
		add	dword ptr [esi+60h], 0FFFFFFDCh
		mov	edx, [esi+60h]
		dec	byte ptr [esi+23h]
		mov	ecx, _WmipServiceDeviceObject
		mov	eax, large fs:124h
		mov	[edx+14h], ecx
		mov	ecx, esi
		mov	dl, [ebp+var_1]
		mov	[esi+50h], eax
		mov	eax, [ebp+arg_8]
		push	eax
		push	[ebp+arg_4]
		mov	[esi+0Ch], eax
		push	[ebp+arg_0]
		push	edi
		call	WmipForwardWmiIrp
		mov	ecx, [esi+18h]
		mov	edi, eax
		mov	[ebx], ecx
		mov	ecx, [esi+1Ch]
		push	esi
		mov	[ebx+4], ecx
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		cmp	edi, 0C0000298h
		jz	short loc_86BC15
		mov	eax, edi

loc_86BC0E:				; CODE XREF: WmipSendWmiIrp(x,x,x,x,x,x)+93j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_86BC15:				; CODE XREF: WmipSendWmiIrp(x,x,x,x,x,x)+7Ej
		mov	edi, [ebp+var_8]
		jmp	short loc_86BBA2
; 

loc_86BC1A:				; CODE XREF: WmipSendWmiIrp(x,x,x,x,x,x)+2Fj
		mov	eax, 0C000009Ah
		jmp	short loc_86BC0E
_WmipSendWmiIrp@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopVerifyPowerActionPolicy proc	near	; CODE XREF: PopExecutePowerAction+E5p
					; PopVerifySystemPowerPolicy+CDp ...

var_58		= dword	ptr -58h
var_54		= byte ptr -54h
var_53		= byte ptr -53h
var_52		= byte ptr -52h
var_51		= byte ptr -51h
var_50		= byte ptr -50h
var_44		= byte ptr -44h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090AFCF SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		lea	eax, [ebp+var_58]
		push	ebx
		push	esi
		push	edi
		push	4Ch		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		xor	bh, bh
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	loc_90B01D
		mov	eax, [esi+4]
		test	eax, 0CFFFFC0h
		jnz	loc_90B01D
		test	eax, eax
		js	loc_86BD24

loc_86BC5F:				; CODE XREF: PopVerifyPowerActionPolicy+10Bj
		lea	edx, [ebp+var_58]
		mov	ecx, offset _PopCapabilities
		call	PopFilterCapabilities
		test	eax, eax
		js	loc_90AFCF
		xor	edx, edx
		cmp	byte ptr [ebp+var_58+3], dl
		jnz	loc_90AFD6

loc_86BC7F:				; CODE XREF: PopVerifyPowerActionPolicy+9F3B7j
		cmp	[ebp+var_54], 0
		jnz	loc_90AFDE

loc_86BC89:				; CODE XREF: PopVerifyPowerActionPolicy+9F3BDj
		cmp	[ebp+var_53], 0
		jz	short loc_86BC90
		inc	edx

loc_86BC90:				; CODE XREF: PopVerifyPowerActionPolicy+6Bj
		test	byte ptr [esi+4], 8
		jnz	short loc_86BD11
		lea	ecx, [ebp+var_58]
		call	_PopIsHibernateSupported@4 ; PopIsHibernateSupported(x)
		mov	bl, al

loc_86BCA0:				; CODE XREF: PopVerifyPowerActionPolicy+F4j
					; PopVerifyPowerActionPolicy+F9j ...
		mov	edi, [esi]

loc_86BCA2:				; CODE XREF: PopVerifyPowerActionPolicy+AFj
		mov	ecx, edi
		mov	[ebp+var_4], edi
		mov	eax, edi
		sub	ecx, 1
		jz	loc_90AFFA
		sub	ecx, 1
		jz	short loc_86BCDA
		sub	ecx, 1
		jz	short loc_86BCF2
		sub	ecx, 3
		jz	short loc_86BCE5
		push	2
		pop	edi
		sub	ecx, edi
		jz	loc_90AFE4

loc_86BCCC:				; CODE XREF: PopVerifyPowerActionPolicy+BCj
					; PopVerifyPowerActionPolicy+CAj ...
		mov	edi, eax
		cmp	[ebp+var_4], eax
		jnz	short loc_86BCA2
		mov	al, bh

loc_86BCD5:				; CODE XREF: PopVerifyPowerActionPolicy+9F3AFj
					; PopVerifyPowerActionPolicy+9F3FDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_86BCDA:				; CODE XREF: PopVerifyPowerActionPolicy+93j
					; PopVerifyPowerActionPolicy+9F3DFj
		mov	eax, edi
		test	edx, edx
		jnz	short loc_86BCCC
		jmp	loc_90B006
; 

loc_86BCE5:				; CODE XREF: PopVerifyPowerActionPolicy+9Dj
		cmp	[ebp+var_51], 0
		push	6
		pop	eax
		jnz	short loc_86BCCC

loc_86BCEE:				; CODE XREF: PopVerifyPowerActionPolicy+DEj
		push	4
		jmp	short loc_86BD0C
; 

loc_86BCF2:				; CODE XREF: PopVerifyPowerActionPolicy+98j
		push	3
		pop	eax
		test	bl, bl
		jnz	short loc_86BCCC
		cmp	ds:_PopPromoteHibernateToShutdown, 0
		jnz	short loc_86BCEE
		test	edx, edx
		jz	loc_90B011
		push	2

loc_86BD0C:				; CODE XREF: PopVerifyPowerActionPolicy+CEj
					; PopVerifyPowerActionPolicy+9F3EAj
		pop	eax
		mov	[esi], eax
		jmp	short loc_86BCCC
; 

loc_86BD11:				; CODE XREF: PopVerifyPowerActionPolicy+72j
		xor	bl, bl
		cmp	[ebp+var_52], bl
		jz	short loc_86BCA0
		cmp	[ebp+var_50], bl
		jz	short loc_86BCA0
		inc	bl
		jmp	loc_86BCA0
; 

loc_86BD24:				; CODE XREF: PopVerifyPowerActionPolicy+37j
		and	eax, 0FFFFFFFCh
		or	eax, 4
		mov	[esi+4], eax
		jmp	loc_86BC5F
PopVerifyPowerActionPolicy endp

; 
		align 8
; Exported entry 529. FsRtlGetNextExtraCreateParameter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlGetNextExtraCreateParameter(x,	x, x, x, x)
		public _FsRtlGetNextExtraCreateParameter@20
_FsRtlGetNextExtraCreateParameter@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		add	ecx, 8
		push	esi
		push	edi
		test	eax, eax
		jz	short loc_86BD8D
		mov	eax, [eax-2Ch]

loc_86BD4F:				; CODE XREF: FsRtlGetNextExtraCreateParameter(x,x,x,x,x)+57j
		cmp	eax, ecx
		jz	short loc_86BD91
		lea	esi, [eax-8]
		test	esi, esi
		jz	short loc_86BD91
		mov	ecx, [ebp+arg_C]
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_86BD68
		lea	eax, [esi+34h]
		mov	[ecx], eax

loc_86BD68:				; CODE XREF: FsRtlGetNextExtraCreateParameter(x,x,x,x,x)+29j
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_86BD77
		mov	eax, [esi+28h]
		sub	eax, 34h
		mov	[ecx], eax

loc_86BD77:				; CODE XREF: FsRtlGetNextExtraCreateParameter(x,x,x,x,x)+35j
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	short loc_86BD85
		add	esi, 10h
		movsd
		movsd
		movsd
		movsd

loc_86BD85:				; CODE XREF: FsRtlGetNextExtraCreateParameter(x,x,x,x,x)+44j
					; FsRtlGetNextExtraCreateParameter(x,x,x,x,x)+77j ...
		pop	edi
		mov	eax, edx
		pop	esi
		pop	ebp
		retn	14h
; 

loc_86BD8D:				; CODE XREF: FsRtlGetNextExtraCreateParameter(x,x,x,x,x)+12j
		mov	eax, [ecx]
		jmp	short loc_86BD4F
; 

loc_86BD91:				; CODE XREF: FsRtlGetNextExtraCreateParameter(x,x,x,x,x)+19j
					; FsRtlGetNextExtraCreateParameter(x,x,x,x,x)+20j
		mov	eax, [ebp+arg_C]
		mov	edx, 0C0000225h
		test	eax, eax
		jz	short loc_86BDA0
		and	dword ptr [eax], 0

loc_86BDA0:				; CODE XREF: FsRtlGetNextExtraCreateParameter(x,x,x,x,x)+63j
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_86BDAA
		and	dword ptr [eax], 0

loc_86BDAA:				; CODE XREF: FsRtlGetNextExtraCreateParameter(x,x,x,x,x)+6Dj
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	short loc_86BD85
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		jmp	short loc_86BD85
_FsRtlGetNextExtraCreateParameter@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpRecordBlackboxDeviceCompletionQueueInformation proc near
					; CODE XREF: PnpRecordBlackbox(x,x)+14p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090B024 SIZE 0000009E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	edi, edi
		xor	esi, esi
		call	KeQueryInterruptTime
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx
		test	ebx, ebx
		jnz	loc_90B024

loc_86BDE6:				; CODE XREF: PnpRecordBlackboxDeviceCompletionQueueInformation+9F281j
		xor	ecx, ecx

loc_86BDE8:				; CODE XREF: PnpRecordBlackboxDeviceCompletionQueueInformation+9F2F3j
		push	ecx
		push	ecx
		push	14h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_14], ecx
		push	eax
		push	5Eh
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], 0Ah
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], edi
		call	NtPowerInformation
		test	esi, esi
		jnz	loc_90B0B2

loc_86BE12:				; CODE XREF: PnpRecordBlackboxDeviceCompletionQueueInformation+9F303j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PnpRecordBlackboxDeviceCompletionQueueInformation endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LocalGetSidForString proc near		; CODE XREF: LocalConvertStringSDToSD_Rev1+240p
					; LocalConvertStringSDToSD_Rev1+28Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090B0C2 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		xor	edx, edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		test	edi, edi
		jz	short loc_86BEAD
		test	esi, esi
		jz	short loc_86BEAD
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_86BEAD
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_86BEAD
		mov	[ebx], dl
		cmp	[edi], dx
		jz	short loc_86BEA6
		cmp	[edi+2], dx
		jz	short loc_86BEA6
		lea	eax, [edi+4]
		mov	[ecx], eax
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	edx		; size_t
		push	ecx		; int
		push	ecx		; int
		push	edx		; int
		mov	ecx, edi
		call	LookupSidInTable
		test	eax, eax
		jz	short loc_86BE78
		mov	eax, [eax+10h]

loc_86BE6C:				; CODE XREF: LocalGetSidForString+8Cj
		mov	[esi], eax

loc_86BE6E:				; CODE XREF: LocalGetSidForString+82j
					; LocalGetSidForString+87j ...
		mov	eax, [ebp+var_8]

loc_86BE71:				; CODE XREF: LocalGetSidForString+93j
					; LocalGetSidForString+98j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_86BE78:				; CODE XREF: LocalGetSidForString+4Fj
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	short loc_86BEA1
		mov	eax, [ebp+arg_0]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		add	dword ptr [eax], 0FFFFFFFCh
		call	LocalpConvertStringSidToSid
		test	eax, eax
		js	loc_90B0C2

loc_86BE97:				; CODE XREF: LocalGetSidForString+9F2BBj
		cmp	dword ptr [esi], 0
		jz	short loc_86BE6E
		mov	byte ptr [ebx],	1
		jmp	short loc_86BE6E
; 

loc_86BEA1:				; CODE XREF: LocalGetSidForString+65j
		mov	byte ptr [ebx],	1
		jmp	short loc_86BE6C
; 

loc_86BEA6:				; CODE XREF: LocalGetSidForString+31j
					; LocalGetSidForString+37j
		mov	eax, 534h
		jmp	short loc_86BE71
; 

loc_86BEAD:				; CODE XREF: LocalGetSidForString+18j
					; LocalGetSidForString+1Cj ...
		push	57h
		pop	eax
		jmp	short loc_86BE71
LocalGetSidForString endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwPdoPnPDispatch proc	near		; DATA XREF: PiSwPdoDriverEntry(x,x)+1Ao

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090B0D8 SIZE 00000116 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+28h]
		mov	edx, [eax+60h]
		mov	esi, [eax+18h]
		mov	[esp+18h+var_4], edi
		test	byte ptr [edi+4], 10h
		mov	[esp+18h+var_8], edx
		jnz	loc_90B0D8
		movzx	eax, byte ptr [edx+1]
		cmp	eax, 0Ch
		ja	loc_86BFDD
		jz	loc_86C0EE
		test	eax, eax
		jz	loc_86C13D
		xor	ebx, ebx
		inc	ebx
		cmp	eax, ebx
		jz	loc_86C011
		cmp	eax, 2
		jz	loc_90B113
		jbe	loc_86C043
		cmp	eax, 6
		jbe	loc_86C011
		cmp	eax, 7
		jz	loc_86C230
		cmp	eax, 9
		jnz	loc_86C043
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ebx
		mov	ebx, offset _PiSwLockObj
		push	ebx
		call	ExAcquireResourceExclusiveLite
		xor	ecx, ecx
		cmp	[edi], ecx
		jz	loc_90B1E4
		mov	eax, [esp+18h+var_8]
		push	4
		mov	esi, [eax+4]
		pop	eax
		mov	[esi+10h], ecx
		lea	edi, [esi+18h]
		mov	dword ptr [esi+14h], 1
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	edi, [esp+18h+var_4]
		mov	[esi+2Ch], ecx
		mov	[esi+30h], ecx
		mov	ecx, [esi+4]
		or	ecx, 240h
		mov	[esi+4], ecx
		mov	eax, [edi]
		mov	edx, [eax+24h]
		shl	edx, 4
		xor	edx, ecx
		and	edx, 10h
		xor	edx, ecx
		mov	[esi+4], edx
		mov	eax, [edi]
		mov	ecx, [eax+24h]
		shl	ecx, 6
		xor	ecx, edx
		and	ecx, 80h
		xor	ecx, edx
		mov	[esi+4], ecx
		mov	eax, [edi]
		mov	edx, [eax+24h]
		shl	edx, 0Fh
		xor	edx, ecx
		and	edx, 20000h
		xor	edx, ecx
		mov	[esi+4], edx
		mov	eax, [edi]
		mov	eax, [eax+24h]
		shl	eax, 5
		not	eax
		xor	eax, edx
		and	eax, 100h
		xor	eax, edx
		mov	[esi+4], eax

loc_86BFD9:				; CODE XREF: PiSwPdoPnPDispatch+2AAj
					; PiSwPdoPnPDispatch+33Fj
		xor	esi, esi
		jmp	short loc_86C030
; 

loc_86BFDD:				; CODE XREF: PiSwPdoPnPDispatch+36j
		sub	eax, 13h
		jz	short loc_86C05D
		sub	eax, 1
		jz	loc_86C1BA
		sub	eax, 1
		jz	loc_86C183
		sub	eax, 1
		jz	loc_90B1BD
		sub	eax, 1
		jz	loc_90B164
		dec	eax
		sub	eax, 1
		jnz	short loc_86C043
		call	PiSwCompleteCreate

loc_86C011:				; CODE XREF: PiSwPdoPnPDispatch+4Fj
					; PiSwPdoPnPDispatch+67j ...
		xor	esi, esi
		jmp	short loc_86C043
; 

loc_86C015:				; CODE XREF: PiSwPdoPnPDispatch+1F5j
		mov	ecx, [ecx+0Ch]

loc_86C018:				; CODE XREF: PiSwPdoPnPDispatch+379j
		mov	edx, 0C8h

loc_86C01D:				; CODE XREF: PiSwPdoPnPDispatch+286j
		mov	eax, [ebp+arg_4]
		add	eax, 1Ch
		push	eax
		push	57706E50h
		call	PnpAllocatePWSTR

loc_86C02E:				; CODE XREF: PiSwPdoPnPDispatch+237j
					; PiSwPdoPnPDispatch+34Fj ...
		mov	esi, eax

loc_86C030:				; CODE XREF: PiSwPdoPnPDispatch+129j
					; PiSwPdoPnPDispatch+1FFj ...
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_86C043:				; CODE XREF: PiSwPdoPnPDispatch+5Ej
					; PiSwPdoPnPDispatch+79j ...
		mov	edi, [ebp+arg_4]
		xor	dl, dl
		mov	ecx, edi
		mov	[edi+18h], esi
		call	IofCompleteRequest
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_86C05D:				; CODE XREF: PiSwPdoPnPDispatch+12Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	ebx, offset _PiSwLockObj
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [edi]
		test	ecx, ecx
		jz	loc_90B1E4
		mov	eax, [esp+18h+var_8]
		mov	eax, [eax+4]
		sub	eax, 0
		jz	loc_86C228
		sub	eax, 1
		jz	loc_86C206
		sub	eax, 1
		jz	loc_86C1F6
		sub	eax, 1
		jz	loc_86C015
		dec	eax
		sub	eax, 1
		jnz	loc_86C030
		cmp	[ecx+18h], eax
		jz	loc_86C030
		push	57706E50h
		push	4Eh
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax	; void *
		mov	eax, [ebp+arg_4]
		mov	[eax+1Ch], edx
		test	edx, edx
		jz	loc_90B1DA
		push	ecx		; int
		mov	ecx, [edi]
		mov	ecx, [ecx+18h]	; int
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		jmp	loc_86C02E
; 

loc_86C0EE:				; CODE XREF: PiSwPdoPnPDispatch+3Cj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	ebx, offset _PiSwLockObj
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [edi]
		test	ecx, ecx
		jz	loc_90B1E4
		mov	eax, [esp+18h+var_8]
		mov	eax, [eax+4]
		sub	eax, 0
		jz	short loc_86C17E
		sub	eax, 1
		jnz	loc_86C030
		mov	ecx, [ecx+20h]

loc_86C12B:				; CODE XREF: PiSwPdoPnPDispatch+2CFj
		test	ecx, ecx
		jz	loc_86C030
		mov	edx, 7FFFFFFFh
		jmp	loc_86C01D
; 

loc_86C13D:				; CODE XREF: PiSwPdoPnPDispatch+44j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	ebx, offset _PiSwLockObj
		push	ebx
		call	ExAcquireResourceExclusiveLite
		test	byte ptr [edi+4], 1
		jnz	loc_86BFD9
		mov	ecx, [edi]
		mov	dl, 1
		call	PiSwDeviceInterfacesUpdateState
		mov	esi, eax
		test	esi, esi
		js	loc_90B1AF
		or	dword ptr [edi+4], 1
		jmp	loc_86C030
; 

loc_86C17E:				; CODE XREF: PiSwPdoPnPDispatch+26Bj
		mov	ecx, [ecx+1Ch]
		jmp	short loc_86C12B
; 

loc_86C183:				; CODE XREF: PiSwPdoPnPDispatch+13Cj
		push	57706E50h
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_90B1D0
		and	dword ptr [eax+14h], 0
		mov	esi, offset _GUID_BUS_TYPE_SW_DEVICE
		mov	edi, eax
		mov	dword ptr [eax+10h], 0Fh
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_4]
		mov	[esi+1Ch], eax
		jmp	loc_86C011
; 

loc_86C1BA:				; CODE XREF: PiSwPdoPnPDispatch+133j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	ebx, offset _PiSwLockObj
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	edx, [edi]
		test	edx, edx
		jz	loc_90B1E4
		test	byte ptr [edx+24h], 4
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+1Ch]
		jnz	short loc_86C23F
		and	ecx, 0FFFFFFFDh

loc_86C1EE:				; CODE XREF: PiSwPdoPnPDispatch+390j
		mov	[eax+1Ch], ecx
		jmp	loc_86BFD9
; 

loc_86C1F6:				; CODE XREF: PiSwPdoPnPDispatch+1ECj
		mov	edx, [ebp+arg_4]
		add	edx, 1Ch
		call	PiSwDeviceMakeCompatibleIds
		jmp	loc_86C02E
; 

loc_86C206:				; CODE XREF: PiSwPdoPnPDispatch+1E3j
		mov	ecx, [ecx+10h]
		test	ecx, ecx
		jz	loc_86C030
		mov	eax, [ebp+arg_4]
		mov	edx, 7FFFFFFFh
		add	eax, 1Ch
		push	eax
		push	ecx
		call	_PnpAllocateMultiSZ@16 ; PnpAllocateMultiSZ(x,x,x,x)
		jmp	loc_86C02E
; 

loc_86C228:				; CODE XREF: PiSwPdoPnPDispatch+1DAj
		mov	ecx, [ecx+8]
		jmp	loc_86C018
; 

loc_86C230:				; CODE XREF: PiSwPdoPnPDispatch+70j
		cmp	dword ptr [edx+4], 4
		jnz	loc_86C043
		jmp	loc_90B0E2
; 

loc_86C23F:				; CODE XREF: PiSwPdoPnPDispatch+337j
		or	ecx, 2
		jmp	short loc_86C1EE
PiSwPdoPnPDispatch endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepDeReferenceLogonSession proc	near	; CODE XREF: SepDeReferenceLogonSessionDirect(x)+40p
					; SepDeReferenceLogonSession+15Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090B1EE SIZE 00000070 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, ds:_SepLogonSessions
		push	ebx
		mov	ebx, ecx
		mov	[esp+10h+var_8], edx
		push	esi
		push	edi
		imul	esi, [ebx], 5B250A24h
		shr	esi, 1Ch
		lea	eax, [eax+esi*4]
		mov	[esp+18h+var_4], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		and	esi, 3
		imul	eax, esi, 38h
		push	1
		lea	edi, _SepRmDbLock[eax]
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	edx, [esp+18h+var_4]
		mov	esi, [edx]
		test	esi, esi
		jz	loc_90B213
		mov	ecx, [esp+18h+var_8]

loc_86C2A1:				; CODE XREF: SepDeReferenceLogonSession+137j
		cmp	[esi+58h], ecx
		jnz	loc_86C375
		mov	eax, [ebx]
		cmp	eax, [esi+4]
		jnz	loc_86C375
		mov	eax, [ebx+4]
		cmp	eax, [esi+8]
		jnz	loc_86C375
		or	eax, 0FFFFFFFFh
		lock xadd [esi+14h], eax
		dec	eax
		test	eax, eax
		jg	loc_86C3AB
		jnz	loc_90B1EE
		mov	eax, [esi]
		mov	ecx, edi
		mov	[edx], eax
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	edi, edi
		test	byte ptr [esi+18h], 4
		jnz	loc_86C393

loc_86C2F4:				; CODE XREF: SepDeReferenceLogonSession+162j
					; SepDeReferenceLogonSession+9EFB7j
		mov	ecx, [esi+20h]
		test	ecx, ecx
		jnz	loc_86C386

loc_86C2FF:				; CODE XREF: SepDeReferenceLogonSession+14Aj
		mov	eax, [esi+1Ch]
		mov	[esp+18h+var_4], eax
		test	eax, eax
		jz	short loc_86C321
		mov	edx, [esp+18h+var_8]
		mov	ecx, ebx
		mov	[esi+1Ch], edi
		call	SepCleanupLUIDDeviceMapDirectory
		mov	ecx, [esp+18h+var_4]
		call	ObfDereferenceDeviceMap

loc_86C321:				; CODE XREF: SepDeReferenceLogonSession+C4j
		test	byte ptr [esi+18h], 1
		jnz	short loc_86C368

loc_86C327:				; CODE XREF: SepDeReferenceLogonSession+12Fj
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_86C335
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_86C335:				; CODE XREF: SepDeReferenceLogonSession+E8j
		mov	ecx, [esi+40h]
		test	ecx, ecx
		jnz	loc_90B206

loc_86C340:				; CODE XREF: SepDeReferenceLogonSession+9EFCAj
		cmp	_SepTokenSidSharingEnabled, 0
		jnz	short loc_86C3B9

loc_86C349:				; CODE XREF: SepDeReferenceLogonSession+17Cj
		lea	ecx, [esi+48h]
		call	ObDestroyHandleRevocationBlock
		mov	edx, [esi+58h]
		mov	ecx, ebx
		push	esi
		call	SepInformLsaOfDeletedLogon
		call	SepDeleteSessionLowboxEntries

loc_86C361:				; CODE XREF: SepDeReferenceLogonSession+173j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_86C368:				; CODE XREF: SepDeReferenceLogonSession+E1j
		mov	edx, [esp+18h+var_8]
		mov	ecx, ebx
		call	SepInformFileSystemsOfDeletedLogon
		jmp	short loc_86C327
; 

loc_86C375:				; CODE XREF: SepDeReferenceLogonSession+60j
					; SepDeReferenceLogonSession+6Bj ...
		mov	edx, esi
		mov	esi, [esi]
		test	esi, esi
		jnz	loc_86C2A1
		jmp	loc_90B213
; 

loc_86C386:				; CODE XREF: SepDeReferenceLogonSession+B5j
		call	ObfDereferenceObject
		mov	[esi+20h], edi
		jmp	loc_86C2FF
; 

loc_86C393:				; CODE XREF: SepDeReferenceLogonSession+AAj
		lea	ecx, [esi+0Ch]
		cmp	[ecx], edi
		jz	loc_90B1F8

loc_86C39E:				; CODE XREF: SepDeReferenceLogonSession+9EFBDj
		mov	edx, [esi+58h]
		call	SepDeReferenceLogonSession
		jmp	loc_86C2F4
; 

loc_86C3AB:				; CODE XREF: SepDeReferenceLogonSession+88j
					; SepDeReferenceLogonSession+9EFAFj
		mov	ecx, edi
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	short loc_86C361
; 

loc_86C3B9:				; CODE XREF: SepDeReferenceLogonSession+103j
		mov	ecx, esi
		call	_SepDeleteLogonSessionSidValues@4 ; SepDeleteLogonSessionSidValues(x)
		jmp	short loc_86C349
SepDeReferenceLogonSession endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepInformLsaOfDeletedLogon proc	near	; CODE XREF: SepDeReferenceLogonSession+113p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090B25E SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	loc_90B22D

loc_86C3D9:				; CODE XREF: SepDeReferenceLogonSession+9EFFBj
		mov	eax, [ebx]
		mov	edx, esi
		mov	[esi+10h], eax
		mov	ecx, offset _SepLsaDeletedLogonQueueInfo
		mov	eax, [ebx+4]
		xor	ebx, ebx
		push	ebx
		mov	[esi+14h], eax
		mov	dword ptr [esi+18h], 3
		mov	dword ptr [esi+1Ch], 8
		mov	[esi+20h], ebx
		mov	[esi+24h], ebx
		mov	[esi+0Ch], ebx
		mov	dword ptr [esi+8], 1
		mov	[esi+2Ch], edi
		call	SepQueueWorkItem
		test	al, al
		jz	loc_90B25E

loc_86C41C:				; CODE XREF: SepDeReferenceLogonSession+9F003j
					; SepDeReferenceLogonSession+9F015j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
SepInformLsaOfDeletedLogon endp

; 
		align 4

;  S U B	R O U T	I N E 


ObDestroyHandleRevocationBlock proc near ; CODE	XREF: SepDeReferenceLogonSession+108p
					; SepDeleteLogonSessionTrack+A65D8p

; FUNCTION CHUNK AT 0090B27A SIZE 00000014 BYTES

		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		nop
		xor	edx, edx
		lea	ecx, [esi+8]
		call	ExAcquirePushLockExclusiveEx
		mov	edi, [esi]

loc_86C443:				; CODE XREF: ObDestroyHandleRevocationBlock+9EE65j
		cmp	edi, esi
		jnz	loc_90B27A
		xor	edx, edx
		lea	ecx, [esi+8]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		lea	ecx, [esi+0Ch]
		pop	esi
		pop	ebx
		jmp	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
ObDestroyHandleRevocationBlock endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepCleanupLUIDDeviceMapDirectory proc near ; CODE XREF:	SepDeReferenceLogonSession+CFp
					; SepDeleteLogonSessionTrack+A6589p

var_EE		= byte ptr -0EEh
var_ED		= byte ptr -0EDh
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090B28E SIZE 000000E7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0F4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0F4h+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	[esp+0FCh+var_D8], edx
		push	edi
		mov	esi, ecx
		mov	[esp+100h+var_A8], eax
		mov	[esp+100h+var_A4], eax
		lea	edi, [esp+100h+var_A0]
		mov	[esp+100h+var_E4], eax
		mov	ebx, eax
		mov	[esp+100h+var_AC], eax
		mov	[esp+100h+var_CC], eax
		mov	[esp+100h+var_EC], eax
		mov	[esp+100h+var_D4], 64h
		mov	[esp+100h+var_C8], eax
		push	6
		pop	ecx
		rep stosd
		test	esi, esi
		jz	loc_90B28E
		mov	eax, large fs:124h
		mov	edi, 4D526553h
		mov	edx, edi
		mov	ecx, [eax+80h]
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		mov	[esp+100h+var_ED], al
		test	al, al
		jz	loc_90B298
		mov	ecx, large fs:124h
		mov	edx, edi
		mov	ecx, [ecx+80h]
		call	ObfDereferenceObjectWithTag

loc_86C4FC:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+9EE44j
		push	dword ptr [esi]
		push	dword ptr [esi+4]
		mov	esi, [esp+108h+var_D8]
		push	esi
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		push	eax
		push	offset ??_C@_1EE@FDNCMIA@?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAs?$AA?2?$AA?$CF?$AAd?$AA?2?$AAD?$AAo@NNGAKEGL@ ; "\\Sessions\\%d\\DosDevices\\%08x-%08x"
		lea	eax, [esp+110h+var_88]
		push	40h
		push	eax
		call	_swprintf_s
		add	esp, 18h
		lea	eax, [esp+100h+var_88]
		push	eax
		lea	eax, [esp+104h+var_A8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ecx, ecx
		mov	[esp+100h+var_C4], 18h
		lea	eax, [esp+100h+var_A8]
		mov	[esp+100h+var_C0], ecx
		push	esi
		mov	[esp+104h+var_B8], 240h
		mov	[esp+104h+var_BC], eax
		mov	[esp+104h+var_B4], ecx
		mov	[esp+104h+var_B0], ecx
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	edi, eax
		lea	eax, [esp+100h+var_C4]
		push	eax
		push	1
		lea	eax, [esp+108h+var_EC]
		mov	[esp+108h+var_D8], edi
		push	eax
		call	_ZwOpenDirectoryObject@12 ; ZwOpenDirectoryObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_90B2AF
		push	61486553h
		push	190h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+100h+var_E8], esi
		test	esi, esi
		jz	loc_90B33E

loc_86C59E:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+9EECEj
		and	[esp+100h+var_E0], 0
		mov	byte ptr [esp+100h+var_DC], 1

loc_86C5A8:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+229j
		mov	esi, [esp+100h+var_C8]

loc_86C5AC:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+2DFj
		lea	eax, [esp+100h+var_CC]
		push	eax
		lea	eax, [esp+104h+var_AC]
		push	eax
		push	[esp+108h+var_DC]
		push	1
		push	esi
		push	ebx
		push	[esp+118h+var_EC]
		call	_ZwQueryDirectoryObject@28 ; ZwQueryDirectoryObject(x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jz	loc_86C720

loc_86C5D5:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+2E5j
		mov	[esp+100h+var_C8], esi
		mov	esi, [esp+100h+var_E8]
		mov	[esp+100h+var_D0], ebx
		test	edi, edi
		js	loc_86C694
		mov	eax, [ebx+0Ch]
		mov	ecx, offset ??_C@_1BK@KDPOKCA@?$AAS?$AAy?$AAm?$AAb?$AAo?$AAl?$AAi?$AAc?$AAL?$AAi?$AAn?$AAk@NNGAKEGL@

loc_86C5F1:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+1B3j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	loc_86C750
		test	dx, dx
		jz	short loc_86C61B
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	loc_86C750
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_86C5F1

loc_86C61B:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+19Aj
		xor	eax, eax

loc_86C61D:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+2EFj
		test	eax, eax
		jnz	short loc_86C68A
		mov	edi, [esp+100h+var_E0]
		cmp	edi, [esp+100h+var_D4]
		jnb	loc_90B2E9
		mov	eax, [esp+100h+var_EC]
		and	[esp+100h+var_B4], 0
		and	[esp+100h+var_B0], 0
		mov	[esp+100h+var_C0], eax
		lea	eax, [esp+100h+var_C4]
		push	eax
		push	0F0001h
		lea	eax, [esp+108h+var_E4]
		mov	[esp+108h+var_C4], 18h
		push	eax
		mov	[esp+10Ch+var_B8], 240h
		mov	[esp+10Ch+var_BC], ebx
		call	_ZwOpenSymbolicLinkObject@12 ; ZwOpenSymbolicLinkObject(x,x,x)
		test	eax, eax
		js	short loc_86C68A
		push	[esp+100h+var_E4]
		call	_ZwMakeTemporaryObject@4 ; ZwMakeTemporaryObject(x)
		test	eax, eax
		js	loc_90B2DB
		mov	eax, [esp+100h+var_E4]
		mov	[esi+edi*4], eax
		inc	edi
		mov	[esp+100h+var_E0], edi

loc_86C68A:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+1B9j
					; SepCleanupLUIDDeviceMapDirectory+205j ...
		mov	byte ptr [esp+100h+var_DC], 0
		jmp	loc_86C5A8
; 

loc_86C694:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+17Dj
		lea	esi, [edi+7FFFFFE6h]
		neg	esi
		sbb	esi, esi
		and	esi, edi
		xor	edi, edi
		mov	[esp+100h+var_DC], esi
		cmp	[esp+100h+var_E0], edi
		jbe	short loc_86C6C9
		mov	esi, [esp+100h+var_E8]
		mov	ebx, [esp+100h+var_E0]

loc_86C6B4:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+259j
		push	dword ptr [esi+edi*4]
		call	_ZwClose@4	; ZwClose(x)
		inc	edi
		cmp	edi, ebx
		jb	short loc_86C6B4
		mov	esi, [esp+100h+var_DC]
		mov	ebx, [esp+100h+var_D0]

loc_86C6C9:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+244j
		mov	eax, [esp+100h+var_E8]
		test	eax, eax
		jz	short loc_86C6D9
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_86C6D9:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+269j
		test	ebx, ebx
		jz	short loc_86C6E5
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_86C6E5:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+275j
		cmp	[esp+100h+var_EC], 0
		jz	short loc_86C6F5
		push	[esp+100h+var_EC]
		call	_ZwClose@4	; ZwClose(x)

loc_86C6F5:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+284j
		push	[esp+100h+var_D8]
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		cmp	[esp+100h+var_ED], 0

loc_86C703:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+9EE53j
		jz	loc_90B2BE

loc_86C709:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+9EE63j
		mov	eax, esi

loc_86C70B:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+9EE2Dj
					; SepCleanupLUIDDeviceMapDirectory+9EF0Aj
		mov	ecx, [esp+100h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_86C720:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+169j
		mov	esi, [esp+100h+var_CC]
		test	ebx, ebx
		jnz	loc_90B2CE

loc_86C72C:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+9EE70j
		push	62446553h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_86C75A

loc_86C73F:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+2F9j
		cmp	edi, 0C0000023h
		jz	loc_86C5AC
		jmp	loc_86C5D5
; 

loc_86C750:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+191j
					; SepCleanupLUIDDeviceMapDirectory+1A4j
		sbb	eax, eax
		or	eax, 1
		jmp	loc_86C61D
; 

loc_86C75A:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+2D7j
		mov	edi, 0C000009Ah
		jmp	short loc_86C73F
SepCleanupLUIDDeviceMapDirectory endp

; 
		align 2

;  S U B	R O U T	I N E 


SepInformFileSystemsOfDeletedLogon proc	near ; CODE XREF: SepDeReferenceLogonSession+12Ap

; FUNCTION CHUNK AT 0090B375 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	53466553h
		push	1Ch
		push	200h
		mov	edi, edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_86C7AD
		mov	ecx, [ebx]
		mov	[esi+10h], ecx
		mov	ecx, [ebx+4]
		mov	[esi+14h], ecx
		mov	[esi+18h], edi
		test	edi, edi
		jnz	loc_90B375

loc_86C798:				; CODE XREF: SepInformFileSystemsOfDeletedLogon+9EC1Fj
		and	dword ptr [esi], 0
		push	1
		push	esi
		mov	dword ptr [esi+8], offset SepNotifyFileSystems
		mov	[esi+0Ch], esi
		call	ExQueueWorkItem

loc_86C7AD:				; CODE XREF: SepInformFileSystemsOfDeletedLogon+1Ej
		pop	edi
		pop	esi
		pop	ebx
		retn
SepInformFileSystemsOfDeletedLogon endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemStartScenario(x, x, x)
_WdipSemStartScenario@12 proc near	; CODE XREF: WdipStartEndScenario:loc_7DA459p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	ecx, ecx
		jz	short loc_86C7D8
		cmp	[ebp+arg_0], 0
		jz	short loc_86C7D8
		cmp	_WdipSemEnabled, 0
		jz	short loc_86C7DF
		push	[ebp+arg_0]
		call	WdipSemEnableScenario

loc_86C7D3:				; CODE XREF: WdipSemStartScenario(x,x,x)+2Bj
					; WdipSemStartScenario(x,x,x)+32j
		pop	ecx
		pop	ebp
		retn	4
; 

loc_86C7D8:				; CODE XREF: WdipSemStartScenario(x,x,x)+8j
					; WdipSemStartScenario(x,x,x)+Ej
		mov	eax, 0C000000Dh
		jmp	short loc_86C7D3
; 

loc_86C7DF:				; CODE XREF: WdipSemStartScenario(x,x,x)+17j
		mov	eax, 0C0000001h
		jmp	short loc_86C7D3
_WdipSemStartScenario@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemEnableScenario proc near		; CODE XREF: WdipSemStartScenario(x,x,x)+1Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090B386 SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_8], edx
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		push	edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_1], bl
		nop
		xor	edx, edx
		mov	ecx, offset _WdipSemPushLock
		call	ExAcquirePushLockSharedEx
		mov	edi, [ebp+arg_0]
		test	esi, esi
		jz	loc_90B386
		test	edi, edi
		jz	loc_90B386
		cmp	_WdipSemEnabled, bl
		jz	loc_86C8C7
		call	_WdipSemGetLoggerIds@0 ; WdipSemGetLoggerIds()
		mov	esi, eax
		test	esi, esi
		js	loc_90B390
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C] ; void	*
		call	_WdipSemQueryScenarioTable@8 ; WdipSemQueryScenarioTable(x,x)
		test	eax, eax
		jz	short loc_86C8C7
		mov	edx, edi
		mov	ecx, eax
		call	WdipSemReserveInstanceTableEntry
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_86C8C7
		mov	ecx, ebx
		call	_WdipSemEnableContextProviders@4 ; WdipSemEnableContextProviders(x)

loc_86C86B:				; CODE XREF: WdipSemEnableScenario+9EBAEj
		test	esi, esi
		js	short loc_86C8CC
		mov	edi, offset _WDI_SEM_EVENT_SCENARIO_START
		push	edi
		push	dword_6BCB74
		push	_WdipSemRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_86C893
		mov	edx, ebx
		mov	ecx, edi
		call	WdipSemWriteSemActionsEvent

loc_86C893:				; CODE XREF: WdipSemEnableScenario+A2j
		mov	ecx, ebx
		call	_WdipSemActivateInstance@4 ; WdipSemActivateInstance(x)

loc_86C89A:				; CODE XREF: WdipSemEnableScenario+106j
					; WdipSemEnableScenario+9EBD1j
		mov	edi, offset _WdipSemPushLock
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[ebp+var_1], 0
		jnz	loc_90B3BC

loc_86C8BE:				; CODE XREF: WdipSemEnableScenario+9EC10j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_86C8C7:				; CODE XREF: WdipSemEnableScenario+4Bj
					; WdipSemEnableScenario+6Dj ...
		mov	esi, 0C0000001h

loc_86C8CC:				; CODE XREF: WdipSemEnableScenario+87j
					; WdipSemEnableScenario+9EBA5j
		push	offset _WDI_SEM_EVENT_SCENARIO_START_FAILED
		push	dword_6BCB74
		push	_WdipSemRegHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_90B399

loc_86C8EA:				; CODE XREF: WdipSemEnableScenario+9EBC5j
		test	ebx, ebx
		jz	short loc_86C89A
		jmp	loc_90B3B0
WdipSemEnableScenario endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall WdipSemQueryScenarioTable(void	*)
_WdipSemQueryScenarioTable@8 proc near	; CODE XREF: WdipSemEnableScenario+66p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= word ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	edi
		xor	edi, edi
		mov	[ebp+var_2], dx
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	short loc_86C94A
		mov	eax, dword_6BCB60
		mov	[ebp+var_8], eax
		push	esi
		mov	esi, edi
		test	eax, eax
		jz	short loc_86C949
		push	ebx

loc_86C91A:				; CODE XREF: WdipSemQueryScenarioTable(x,x)+46j
		mov	ebx, _WdipSemScenarioTable[esi*4]
		push	10h		; size_t
		push	ebx		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_86C93C

loc_86C931:				; CODE XREF: WdipSemQueryScenarioTable(x,x)+50j
		inc	esi
		cmp	esi, [ebp+var_8]
		jnb	short loc_86C948
		mov	ecx, [ebp+var_C]
		jmp	short loc_86C91A
; 

loc_86C93C:				; CODE XREF: WdipSemQueryScenarioTable(x,x)+3Bj
		mov	ax, [ebp+var_2]
		cmp	ax, [ebx+10h]
		jnz	short loc_86C931
		mov	edi, ebx

loc_86C948:				; CODE XREF: WdipSemQueryScenarioTable(x,x)+41j
		pop	ebx

loc_86C949:				; CODE XREF: WdipSemQueryScenarioTable(x,x)+23j
		pop	esi

loc_86C94A:				; CODE XREF: WdipSemQueryScenarioTable(x,x)+14j
		mov	eax, edi
		pop	edi
		leave
		retn
_WdipSemQueryScenarioTable@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall WdipSemActivateInstance(x)
_WdipSemActivateInstance@4 proc	near	; CODE XREF: WdipSemEnableScenario+AFp
					; WdipSemDisableScenario+11CF3Dp
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset dword_6BDB9C
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		and	dword ptr [esi+20h], 0
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_WdipSemActivateInstance@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemEnableContextProviders(x)
_WdipSemEnableContextProviders@4 proc near ; CODE XREF:	WdipSemEnableScenario+80p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_86C9C7
		mov	edi, [ecx+18h]
		xor	esi, esi
		cmp	[edi+30h], esi
		jbe	short loc_86C9C7
		lea	eax, [edi+38h]
		lea	ebx, [ecx+24h]
		mov	[ebp+var_4], eax

loc_86C9AC:				; CODE XREF: WdipSemEnableContextProviders(x)+39j
		mov	ecx, [eax]
		call	WdipSemEnableContextProvider
		mov	[ebx], eax
		inc	esi
		mov	eax, [ebp+var_4]
		lea	ebx, [ebx+4]
		add	eax, 4
		mov	[ebp+var_4], eax
		cmp	esi, [edi+30h]
		jb	short loc_86C9AC

loc_86C9C7:				; CODE XREF: WdipSemEnableContextProviders(x)+Bj
					; WdipSemEnableContextProviders(x)+15j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_WdipSemEnableContextProviders@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemEnableContextProvider proc near	; CODE XREF: WdipSemEnableContextProviders(x)+22p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090B3FB SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, large fs:124h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		dec	word ptr [eax+13Ch]
		push	edi
		mov	edi, ecx
		nop
		xor	edx, edx
		mov	ecx, offset dword_6BDB84
		call	ExAcquirePushLockExclusiveEx
		test	edi, edi
		jz	loc_90B3FB
		cmp	dword ptr [edi+20h], 1
		jz	loc_86CA93
		mov	esi, [edi+28h]
		mov	bl, [edi+12h]
		mov	al, [esi+30h]
		cmp	bl, al
		jbe	loc_86CAB3

loc_86CA1A:				; CODE XREF: WdipSemEnableContextProvider+E9j
		mov	ecx, [esi+3Ch]
		mov	edx, [esi+38h]
		mov	[ebp+var_C], ecx
		mov	ecx, [edi+18h]
		or	ecx, edx
		mov	[ebp+var_1C], edx
		mov	edx, [esi+40h]
		mov	[ebp+var_4], ecx
		mov	ecx, [edi+1Ch]
		or	ecx, [ebp+var_C]
		mov	[ebp+var_10], edx
		mov	edx, [edi+24h]
		or	edx, [ebp+var_10]
		cmp	byte ptr [esi+45h], 0
		mov	byte ptr [ebp+var_14], bl
		mov	[ebp+var_18], ecx
		mov	[ebp+var_20], edx
		jnz	short loc_86CABA

loc_86CA4F:				; CODE XREF: WdipSemEnableContextProvider+F0j
					; WdipSemEnableContextProvider+F8j ...
		mov	ecx, _WdipContextLoggerId
		mov	eax, offset _WdipContextLoggerId
		xchg	ecx, [eax]
		mov	eax, [ebp+var_4]
		push	1
		push	edx
		push	[ebp+var_18]
		mov	edx, edi
		push	eax
		push	[ebp+var_14]
		call	_WdipSemEnableDisableTrace@28 ;	WdipSemEnableDisableTrace(x,x,x,x,x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		js	short loc_86CA93
		mov	eax, [ebp+var_4]
		mov	[esi+38h], eax
		mov	eax, [ebp+var_18]
		mov	[esi+3Ch], eax
		mov	eax, [ebp+var_20]
		mov	byte ptr [esi+45h], 1
		mov	[esi+30h], bl
		mov	[esi+40h], eax

loc_86CA90:				; CODE XREF: WdipSemEnableContextProvider+9EA3Ej
		inc	dword ptr [esi+48h]

loc_86CA93:				; CODE XREF: WdipSemEnableContextProvider+37j
					; WdipSemEnableContextProvider+A9j ...
		xor	edx, edx
		mov	ecx, offset dword_6BDB84
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_86CAB3:				; CODE XREF: WdipSemEnableContextProvider+48j
		mov	bl, al
		jmp	loc_86CA1A
; 

loc_86CABA:				; CODE XREF: WdipSemEnableContextProvider+81j
		cmp	bl, al
		jnz	short loc_86CA4F
		mov	eax, [ebp+var_4]
		cmp	eax, [ebp+var_1C]
		jnz	short loc_86CA4F
		cmp	ecx, [ebp+var_C]
		jnz	short loc_86CA4F
		jmp	loc_90B407
WdipSemEnableContextProvider endp


;  S U B	R O U T	I N E 


WdipSemReserveInstanceTableEntry proc near ; CODE XREF:	WdipSemEnableScenario+73p

; FUNCTION CHUNK AT 0090B415 SIZE 00000011 BYTES

		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, edx
		dec	word ptr [eax+13Ch]
		mov	ebx, ecx
		nop
		xor	edx, edx
		mov	ecx, offset dword_6BDB9C
		call	ExAcquirePushLockExclusiveEx
		test	ebx, ebx
		jz	short loc_86CB46
		test	edi, edi
		jz	short loc_86CB46
		cmp	dword_6BDB98, 80h
		jnb	loc_90B415
		mov	ecx, edi	; void *
		call	_WdipSemQueryEnabledInstanceTable@4 ; WdipSemQueryEnabledInstanceTable(x)
		test	eax, eax
		jnz	short loc_86CB46
		mov	edx, edi
		mov	ecx, ebx
		call	_WdipSemBuildScenarioInstance@8	; WdipSemBuildScenarioInstance(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_86CB46
		mov	eax, dword_6BDB94
		mov	ecx, offset _WdipSemEnabledInstanceTable
		cmp	[eax], ecx
		jnz	short loc_86CB64
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		inc	dword_6BDB98
		mov	dword_6BDB94, esi

loc_86CB46:				; CODE XREF: WdipSemReserveInstanceTableEntry+25j
					; WdipSemReserveInstanceTableEntry+29j	...
		xor	edx, edx
		mov	ecx, offset dword_6BDB9C
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_86CB64:				; CODE XREF: WdipSemReserveInstanceTableEntry+61j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
WdipSemReserveInstanceTableEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemBuildScenarioInstance(x, x)
_WdipSemBuildScenarioInstance@8	proc near ; CODE XREF: WdipSemReserveInstanceTableEntry+4Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, ecx
		xor	ebx, ebx
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, edx
		test	eax, eax
		jz	short loc_86CBC7
		test	esi, esi
		jz	short loc_86CBC7
		push	edi
		mov	ecx, offset unk_6BDBF0
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ebx, eax
		mov	edi, 214h
		test	ebx, ebx
		jnz	short loc_86CBA6
		mov	ecx, edi
		call	_WdipSemAllocatePool@4 ; WdipSemAllocatePool(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_86CBC6

loc_86CBA6:				; CODE XREF: WdipSemBuildScenarioInstance(x,x)+2Dj
		push	edi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		lea	edi, [ebx+8]
		movsd
		add	esp, 0Ch
		movsd
		movsd
		movsd
		mov	[ebx+18h], eax
		mov	dword ptr [ebx+20h], 1

loc_86CBC6:				; CODE XREF: WdipSemBuildScenarioInstance(x,x)+3Aj
		pop	edi

loc_86CBC7:				; CODE XREF: WdipSemBuildScenarioInstance(x,x)+13j
					; WdipSemBuildScenarioInstance(x,x)+17j
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_WdipSemBuildScenarioInstance@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall WdipSemAllocatePool(x)
_WdipSemAllocatePool@4 proc near	; CODE XREF: WdipSemWriteSemActionsEvent+22Fp
					; WdipSemBuildScenarioInstance(x,x)+31p ...
		mov	eax, large fs:124h
		push	ebx
		push	esi
		lea	esi, [ecx+7]
		push	edi
		and	esi, 0FFFFFFF8h
		xor	edi, edi
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset dword_6BDBD0
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, dword_6BDBC8
		cmp	esi, ecx
		ja	short loc_86CC30

loc_86CBFF:				; CODE XREF: WdipSemAllocatePool(x)+9Fj
		mov	edi, dword_6BDBCC
		sub	ecx, esi
		mov	dword_6BDBC8, ecx
		lea	eax, [edi+esi]
		mov	dword_6BDBCC, eax

loc_86CC15:				; CODE XREF: WdipSemAllocatePool(x)+75j
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_86CC30:				; CODE XREF: WdipSemAllocatePool(x)+2Fj
		push	73494457h
		push	1000h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_86CC15
		mov	ecx, dword_6BDBC4
		mov	edx, offset _WdipSemPool
		cmp	[ecx], edx
		jnz	short loc_86CC6F
		mov	[eax+4], ecx
		mov	[eax], edx
		mov	[ecx], eax
		mov	ecx, 0FF8h
		mov	dword_6BDBC4, eax
		add	eax, 8
		mov	dword_6BDBCC, eax
		jmp	short loc_86CBFF
; 

loc_86CC6F:				; CODE XREF: WdipSemAllocatePool(x)+84j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_WdipSemAllocatePool@4 endp		; AL = character to display


;  S U B	R O U T	I N E 


PopVerifySystemPowerState proc near	; CODE XREF: PopActionRetrieveInitialState+884A9p
					; PopExecutePowerAction+DAp ...

; FUNCTION CHUNK AT 0090B426 SIZE 00000077 BYTES

		mov	edi, edi
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	short loc_86CCBF
		push	esi
		mov	esi, [edi]
		test	esi, esi
		jz	short loc_86CCBE
		cmp	esi, 6
		jge	short loc_86CCBE
		push	ebx
		xor	ebx, ebx
		inc	ebx
		cmp	esi, ebx
		jz	short loc_86CCBD
		mov	al, bl
		test	edx, edx
		js	short loc_86CCBB
		mov	ecx, offset _PopCapabilities
		cmp	edx, ebx
		jg	loc_90B426
		cmp	esi, 5
		jz	short loc_86CCC1

loc_86CCA9:				; CODE XREF: PopVerifySystemPowerState+9E7D0j
		cmp	esi, 4
		jnz	short loc_86CCDC
		cmp	byte ptr word_6C2E24+1,	0
		jz	loc_90B449

loc_86CCBB:				; CODE XREF: PopVerifySystemPowerState+21j
					; PopVerifySystemPowerState+61j ...
		mov	[edi], esi

loc_86CCBD:				; CODE XREF: PopVerifySystemPowerState+1Bj
		pop	ebx

loc_86CCBE:				; CODE XREF: PopVerifySystemPowerState+Ej
					; PopVerifySystemPowerState+13j
		pop	esi

loc_86CCBF:				; CODE XREF: PopVerifySystemPowerState+7j
		pop	edi
		retn
; 

loc_86CCC1:				; CODE XREF: PopVerifySystemPowerState+33j
		cmp	byte_6C2E26, 0
		jz	loc_90B434
		cmp	byte_6C2E28, 0
		jnz	short loc_86CCBB
		jmp	loc_90B434
; 

loc_86CCDC:				; CODE XREF: PopVerifySystemPowerState+38j
					; PopVerifySystemPowerState+9E7D8j
		cmp	esi, 3
		jz	loc_90B451

loc_86CCE5:				; CODE XREF: PopVerifySystemPowerState+9E7EDj
		cmp	esi, 2
		jnz	short loc_86CCF5
		cmp	byte_6C2E23, 0
		jnz	short loc_86CCBB
		mov	esi, ebx

loc_86CCF5:				; CODE XREF: PopVerifySystemPowerState+74j
		cmp	esi, ebx
		jnz	short loc_86CCBB
		cmp	edx, ebx
		jnz	short loc_86CCBB
		push	2
		pop	esi
		xor	al, al

loc_86CD02:				; CODE XREF: PopVerifySystemPowerState+9E7B5j
		cmp	esi, 2
		jnz	short loc_86CD13
		cmp	byte_6C2E23, 0
		jnz	short loc_86CCBB
		push	3
		pop	esi

loc_86CD13:				; CODE XREF: PopVerifySystemPowerState+91j
		cmp	esi, 3
		jnz	short loc_86CD24
		cmp	byte ptr word_6C2E24, 0
		jnz	short loc_86CCBB
		push	4
		pop	esi

loc_86CD24:				; CODE XREF: PopVerifySystemPowerState+A2j
		cmp	esi, 4
		jnz	loc_90B466
		cmp	byte ptr word_6C2E24+1,	0
		jnz	short loc_86CCBB
		push	5
		pop	esi
		jmp	loc_90B466
PopVerifySystemPowerState endp


;  S U B	R O U T	I N E 


; __stdcall WmipEventNotification(x)
_WmipEventNotification@4 proc near	; DATA XREF: WmipDriverEntry+3Do
		mov	edi, edi
		push	esi

loc_86CD41:				; CODE XREF: PAGE:0086CD8Bj
		mov	edx, offset _WmipNPNotificationSpinlock
		mov	ecx, offset _WmipNPEvent
		call	@ExfInterlockedRemoveHeadList@8	; ExfInterlockedRemoveHeadList(x,x)
		mov	esi, eax
		push	1
		mov	ecx, [esi+0Ch]
		mov	edx, [ecx+28h]
		and	dword ptr [ecx+28h], 0
		and	dword ptr [ecx+0Ch], 0
		mov	[ecx+8], edx
		xor	dl, dl
		call	WmipProcessEvent
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_86CD78
		call	WmipUnreferenceRegEntry

loc_86CD78:				; CODE XREF: WmipEventNotification(x)+33j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		or	eax, 0FFFFFFFFh
		lock xadd _WmipEventWorkItems, eax
_WmipEventNotification@4 endp

		jnz	short loc_86CD41
		pop	esi
		retn	4
; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipProcessEvent proc near		; CODE XREF: WmipEventNotification(x)+29p
					; WmipSendGuidUpdateNotifications(x,x,x)+D5p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 0090B49D SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_1C], edi
		test	dword ptr [edi+2Ch], 2000h
		jnz	loc_90B49D
		xor	ebx, ebx
		mov	esi, edi
		mov	[ebp+var_C], ebx

loc_86CDB9:				; CODE XREF: WmipProcessEvent+9E731j
		test	byte ptr [esi+2Ch], 80h
		jnz	loc_90B4C8

loc_86CDC3:				; CODE XREF: WmipProcessEvent+9E741j
		lea	ecx, [esi+18h]
		mov	dl, 1
		call	_WmipFindGEByGuid@8 ; WmipFindGEByGuid(x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_86CE05
		mov	[ebp+var_8], 0C0000295h

loc_86CDDB:				; CODE XREF: WmipProcessEvent+B1j
		cmp	[ebp+arg_0], 0
		jnz	short loc_86CDFB

loc_86CDE1:				; CODE XREF: WmipProcessEvent+71j
		cmp	esi, edi
		jnz	loc_90B4D8

loc_86CDE9:				; CODE XREF: WmipProcessEvent+9E748j
					; WmipProcessEvent+9E756j
		test	ebx, ebx
		jnz	loc_90B4ED

loc_86CDF1:				; CODE XREF: WmipProcessEvent+9E763j
		mov	eax, [ebp+var_8]

loc_86CDF4:				; CODE XREF: WmipProcessEvent+9E72Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_86CDFB:				; CODE XREF: WmipProcessEvent+4Dj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_86CDE1
; 

loc_86CE05:				; CODE XREF: WmipProcessEvent+40j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		mov	[ebp+var_8], eax
		call	KeWaitForSingleObject
		mov	ecx, [ebp+var_10]
		add	ecx, 18h
		mov	[ebp+var_14], ecx
		mov	eax, [ecx]
		mov	[ebp+var_4], eax
		cmp	eax, ecx
		jnz	short loc_86CE45

loc_86CE2A:				; CODE XREF: WmipProcessEvent+F9j
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	edx, [ebp+var_10]
		mov	ecx, offset _WmipGEChunkInfo
		call	WmipUnreferenceEntry
		jmp	short loc_86CDDB
; 

loc_86CE45:				; CODE XREF: WmipProcessEvent+96j
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+var_14]

loc_86CE4B:				; CODE XREF: WmipProcessEvent+F1j
		lea	eax, [edi-20h]
		mov	edi, [edi]
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		test	al, al
		jz	short loc_86CE81
		mov	eax, [ebp+var_4]
		test	byte ptr [eax+68h], 2
		jnz	short loc_86CE8D
		push	[ebp+var_18]
		mov	edx, esi
		mov	ecx, eax
		call	WmipWriteWnodeToObject
		test	eax, eax
		js	short loc_86CE9C

loc_86CE77:				; CODE XREF: WmipProcessEvent+108j
					; WmipProcessEvent+111j
		mov	eax, [ebp+var_4]

loc_86CE7A:				; CODE XREF: WmipProcessEvent+100j
		mov	ecx, eax
		call	ObfDereferenceObject

loc_86CE81:				; CODE XREF: WmipProcessEvent+CAj
		cmp	edi, ebx
		jnz	short loc_86CE4B
		mov	edi, [ebp+var_1C]
		mov	ebx, [ebp+var_C]
		jmp	short loc_86CE2A
; 

loc_86CE8D:				; CODE XREF: WmipProcessEvent+D3j
		mov	ecx, [eax+30h]
		test	ecx, ecx
		jz	short loc_86CE7A
		push	dword ptr [eax+34h]
		push	esi
		call	ecx
		jmp	short loc_86CE77
; 

loc_86CE9C:				; CODE XREF: WmipProcessEvent+E3j
		mov	[ebp+var_8], 0C0000001h
		jmp	short loc_86CE77
WmipProcessEvent endp

; 
		align 2

;  S U B	R O U T	I N E 


PiDmCacheDataFree proc near		; CODE XREF: PiDmObjectProcessPropertyChange+217p
					; PiDmObjectRelease+118553p ...

; FUNCTION CHUNK AT 0090B4FA SIZE 0000001F BYTES

		mov	edi, edi
		push	edi
		mov	edi, ecx
		mov	eax, [edi]
		sub	eax, 5
		jz	loc_90B507
		sub	eax, 1
		jz	loc_90B4FA

loc_86CEBF:				; CODE XREF: PiDmCacheDataFree+9E65Cj
					; PiDmCacheDataFree+9E66Ej
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		stosd
		pop	edi
		retn
PiDmCacheDataFree endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1049. IoWMIOpenBlock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoWMIOpenBlock(x, x, x)
		public _IoWMIOpenBlock@12
_IoWMIOpenBlock@12 proc	near

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_56		= word ptr -56h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+8Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	ecx, [esp+94h+var_68]
		push	edi
		mov	edi, [ebp+arg_8]
		xor	ebx, ebx
		push	offset ??_C@_1BE@BICDJNGE@?$AA?2?$AAW?$AAm?$AAi?$AAG?$AAu?$AAi?$AAd?$AA?2@NNGAKEGL@ ; "\\WmiGuid\\"
		push	2Eh
		pop	edx
		mov	[esp+9Ch+var_88], ebx
		mov	[esp+9Ch+var_84], ebx
		mov	[esp+9Ch+var_8C], ebx
		call	RtlStringCchCopyW
		movzx	eax, byte ptr [esi+0Fh]
		push	eax
		movzx	eax, byte ptr [esi+0Eh]
		push	eax
		movzx	eax, byte ptr [esi+0Dh]
		push	eax
		movzx	eax, byte ptr [esi+0Ch]
		push	eax
		movzx	eax, byte ptr [esi+0Bh]
		push	eax
		movzx	eax, byte ptr [esi+0Ah]
		push	eax
		movzx	eax, byte ptr [esi+9]
		push	eax
		movzx	eax, byte ptr [esi+8]
		push	eax
		movzx	eax, word ptr [esi+6]
		push	eax
		movzx	eax, word ptr [esi+4]
		push	eax
		push	dword ptr [esi]	; char
		lea	eax, [esp+0C4h+var_56]
		push	offset ??_C@_1GC@MIJCAPDC@?$AA?$CF?$AA0?$AA8?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9@NNGAKEGL@ ; wchar_t *
		push	25h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 38h
		lea	eax, [esp+98h+var_68]
		push	eax
		lea	eax, [esp+9Ch+var_88]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	byte ptr [ebp+arg_4], 4
		lea	eax, [esp+98h+var_88]
		mov	[esp+98h+var_7C], ebx
		mov	[esp+98h+var_70], ebx
		mov	[esp+98h+var_6C], ebx
		mov	[esp+98h+var_80], 18h
		mov	[esp+98h+var_78], eax
		mov	[esp+98h+var_74], 200h
		jnz	short loc_86CFE0
		mov	ecx, [ebp+arg_4]
		and	ecx, 40000h
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 0FFFFFFCCh
		add	ecx, 22413Ch

loc_86CFA9:				; CODE XREF: IoWMIOpenBlock(x,x,x)+117j
		lea	eax, [esp+98h+var_8C]
		xor	dl, dl
		push	eax
		push	[ebp+arg_4]
		lea	eax, [esp+0A0h+var_80]
		push	eax
		call	WmipOpenBlock
		test	eax, eax
		js	short loc_86CFC9
		mov	eax, [esp+98h+var_8C]
		mov	[edi], eax
		mov	eax, ebx

loc_86CFC9:				; CODE XREF: IoWMIOpenBlock(x,x,x)+F1j
		mov	ecx, [esp+98h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_86CFE0:				; CODE XREF: IoWMIOpenBlock(x,x,x)+C3j
		mov	ecx, 224140h
		jmp	short loc_86CFA9
_IoWMIOpenBlock@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LdrResGetRCConfig proc near		; CODE XREF: LdrpResSearchResourceMappedFile+4B4p
					; LdrpVerifyAlternateResourceModuleEx+7EBE2p ...

var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 0090B519 SIZE 000001CF BYTES
; FUNCTION CHUNK AT 0090B713 SIZE 00000042 BYTES

		push	3Ch
		push	offset dword_6A4BD8
		call	__SEH_prolog4_GS
		mov	edi, edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_4C], ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_44], eax
		mov	[ebp+var_28], offset ??_C@_17JCBKHJFJ@?$AAM?$AAU?$AAI@NNGAKEGL@
		mov	[ebp+var_24], 1
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], edi
		mov	[ebp+var_2C], ebx
		mov	eax, [ebp+arg_4]
		and	eax, 2000h
		mov	[ebp+var_34], eax
		mov	esi, eax
		neg	esi
		sbb	esi, esi
		mov	edx, 1000h
		and	esi, edx
		add	esi, edx
		test	ecx, ecx
		jz	short loc_86D07C
		cmp	[ebp+arg_8], bl
		jz	loc_90B51F
		push	8
		push	ebx
		xor	edx, edx
		call	LdrpGetFromMUIMemCache
		mov	[ebp+var_2C], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_86D083
		test	eax, eax
		jz	loc_90B519
		mov	edi, ebx
		mov	ecx, [ebp+var_44]
		test	ecx, ecx
		jnz	short loc_86D08A

loc_86D068:				; CODE XREF: LdrResGetRCConfig+99j
					; LdrResGetRCConfig+A0j ...
		mov	eax, edi

loc_86D06A:				; CODE XREF: LdrResGetRCConfig+9E54Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_86D07C:				; CODE XREF: LdrResGetRCConfig+52j
		mov	edi, 0C000000Dh
		jmp	short loc_86D068
; 

loc_86D083:				; CODE XREF: LdrResGetRCConfig+6Dj
		mov	edi, 0C000008Ah
		jmp	short loc_86D068
; 

loc_86D08A:				; CODE XREF: LdrResGetRCConfig+7Ej
		mov	[ecx], eax
		jmp	short loc_86D068
LdrResGetRCConfig endp

; 

NtPrivilegeObjectAuditAlarm:		; DATA XREF: .text:00580EC8o
		push	34h
		push	offset dword_6A4BF8
		call	__SEH_prolog4
		and	dword ptr [ebp-28h], 0
		and	dword ptr [ebp-24h], 0
		xor	eax, eax
		lea	edi, [ebp-44h]
		stosd
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	[ebp-2Ch], bl
		lea	eax, [ebp-44h]
		push	eax
		call	SeCaptureSubjectContext
		mov	dl, bl
		lea	ecx, [ebp-44h]
		call	_SeCheckAuditPrivilege@8 ; SeCheckAuditPrivilege(x,x)
		test	al, al
		jz	loc_90B755
		mov	eax, ds:_SeTokenObjectType
		xor	ebx, ebx
		mov	[ebp-1Ch], ebx
		push	ebx
		lea	ecx, [ebp-1Ch]
		push	ecx
		push	dword ptr [ebp-2Ch]
		push	eax
		push	8
		push	dword ptr [ebp+10h]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_90B75C
		mov	ecx, [ebp-1Ch]
		cmp	dword ptr [ecx+0A8h], 2
		jnz	short loc_86D115
		cmp	dword ptr [ecx+0ACh], 1
		jl	loc_90B77C

loc_86D115:				; CODE XREF: PAGE:0086D106j
		mov	[ebp-4], ebx
		lea	edx, [ebp-28h]
		mov	ecx, [ebp+8]
		call	SepProbeAndCaptureString_U
		mov	esi, eax
		mov	[ebp-20h], esi
		test	esi, esi
		js	loc_86D1B5
		mov	ecx, [ebp+18h]
		mov	edx, ecx
		test	cl, 3
		jnz	loc_86D222
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_90B796

loc_86D14B:				; CODE XREF: PAGE:0090B798j
		nop
		mov	al, [edx]
		mov	esi, [ecx]
		mov	[ebp-2Ch], esi
		test	esi, esi
		jz	short loc_86D160
		cmp	esi, 42h
		ja	loc_90B79D

loc_86D160:				; CODE XREF: PAGE:0086D155j
		imul	eax, esi, 0Ch
		add	eax, 8
		mov	[ebp+10h], eax
		mov	[ebp-34h], eax
		jz	short loc_86D187
		lea	edi, [eax+ecx]
		mov	edx, ds:_MmUserProbeAddress
		cmp	edi, edx
		ja	loc_90B7B1
		cmp	edi, ecx
		jb	loc_90B7B1

loc_86D187:				; CODE XREF: PAGE:0086D16Cj
					; PAGE:0090B7B3j
		push	72506553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp-24h], edi
		test	edi, edi
		jz	loc_90B7A4
		push	dword ptr [ebp+10h]
		push	dword ptr [ebp+18h]
		push	edi
		call	_memcpy
		add	esp, 0Ch
		mov	[edi], esi
		mov	esi, [ebp-20h]

loc_86D1B5:				; CODE XREF: PAGE:0086D12Aj
					; PAGE:0090B7ACj
		mov	dword ptr [ebp-4], 0FFFFFFFEh

loc_86D1BC:				; CODE XREF: PAGE:0090B7D8j
		mov	edi, [ebp-24h]
		test	esi, esi
		js	loc_90B7DD
		push	dword ptr [ebp+1Ch]
		push	edi
		push	dword ptr [ebp+14h]
		push	dword ptr [ebp-38h]
		push	dword ptr [ebp-3Ch]
		push	dword ptr [ebp-1Ch]
		push	dword ptr [ebp+0Ch]
		push	ebx
		xor	edx, edx
		mov	esi, [ebp-28h]
		mov	ecx, esi
		call	SepAdtPrivilegeObjectAuditAlarm
		test	edi, edi
		jz	short loc_86D1F2
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_86D1F2:				; CODE XREF: PAGE:0086D1E9j
		test	esi, esi
		jz	short loc_86D1FD
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_86D1FD:				; CODE XREF: PAGE:0086D1F4j
		lea	eax, [ebp-44h]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [ebp-1Ch]
		call	ObfDereferenceObject
		xor	eax, eax

loc_86D210:				; CODE XREF: PAGE:0090B791j
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_86D222:				; CODE XREF: PAGE:0086D138j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
; 
		db 0CCh
		dd 0CCCCCCCCh
; Exported entry 1666. PoCreatePowerRequest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoCreatePowerRequest
PoCreatePowerRequest proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0090B819 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	ecx, ecx
		push	esi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		mov	[ebx], ecx
		cmp	[ebp+arg_4], ecx
		jz	short loc_86D287
		lea	eax, [ebp+var_4]
		xor	dl, dl
		push	eax
		push	ecx
		mov	ecx, [ebp+arg_8]
		push	1
		push	[ebp+arg_4]
		call	_PoCaptureReasonContext@24 ; PoCaptureReasonContext(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_90B819
		mov	edx, [ebp+var_4]
		lea	ecx, [ebp+var_8]
		call	_PopCreateKernelPowerRequest@8 ; PopCreateKernelPowerRequest(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_90B819
		mov	eax, [ebp+var_8]
		mov	[ebx], eax

loc_86D27F:				; CODE XREF: PoCreatePowerRequest+60j
					; PoCreatePowerRequest+9E5F1j ...
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_86D287:				; CODE XREF: PoCreatePowerRequest+19j
		mov	esi, 0C000000Dh
		jmp	short loc_86D27F
PoCreatePowerRequest endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCreateKernelPowerRequest(x, x)
_PopCreateKernelPowerRequest@8 proc near ; CODE	XREF: PoRegisterSystemState(x,x)+5Dp
					; PoCreatePowerRequest+3Fp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		and	[esp+4+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	ecx, [esp+10h+var_4]
		call	PopCreatePowerRequestObject
		test	eax, eax
		js	short loc_86D31E
		mov	eax, [esp+10h+var_4]
		mov	dword ptr [eax+0Ch], 12h
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PopPowerRequestLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	dl, dl
		mov	esi, [esp+10h+var_4]
		mov	ecx, esi
		mov	dword_6C3884, eax
		call	PopInsertPowerRequestObject
		mov	ecx, esi
		call	_PopUmpoSendPowerRequestOverrideQuery@4	; PopUmpoSendPowerRequestOverrideQuery(x)
		cmp	dword_6C3884, 0
		jz	short loc_86D303
		and	dword_6C3884, 0

loc_86D303:				; CODE XREF: PopCreateKernelPowerRequest(x,x)+6Cj
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edx, esi
		xor	cl, cl
		call	_PopDiagTracePowerRequestCreate@8 ; PopDiagTracePowerRequestCreate(x,x)
		mov	[edi], esi
		xor	eax, eax

loc_86D31E:				; CODE XREF: PopCreateKernelPowerRequest(x,x)+1Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopCreateKernelPowerRequest@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnpConcatenateUnicodeStrings(x, x, x)
_PnpConcatenateUnicodeStrings@12 proc near ; CODE XREF:	IoGetDeviceInstanceName+3Ap
					; PiDeviceRegistration+E1p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		movzx	edx, word ptr [esi]
		call	IopAllocateUnicodeString
		test	eax, eax
		js	short loc_86D343
		push	esi
		push	edi
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		xor	eax, eax

loc_86D343:				; CODE XREF: PnpConcatenateUnicodeStrings(x,x,x)+12j
		pop	edi
		pop	esi
		retn	4
_PnpConcatenateUnicodeStrings@12 endp


;  S U B	R O U T	I N E 


; __stdcall PnpDisableWatchdog(x)
_PnpDisableWatchdog@4 proc near		; CODE XREF: PnpDeviceCompletionRequestDestroyWorkItem(x,x,x)+10p
					; PnpProcessCompletedEject(x)+CFp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	PnpCancelWatchdog
		mov	ecx, esi
		pop	esi
		jmp	_PnpFreeWatchdog@4 ; PnpFreeWatchdog(x)
_PnpDisableWatchdog@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtOpenSession	proc near		; CODE XREF: PfpSourceGetPrefetchSupport+135A4Dp
					; DATA XREF: .text:00580F0Co

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	14h
		push	offset dword_6A4C18
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jz	short loc_86D398
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_86D3E7

loc_86D38D:				; CODE XREF: NtOpenSession+8Fj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_86D398:				; CODE XREF: NtOpenSession+22j
		mov	esi, ds:_MmSessionObjectType
		lea	eax, [ebp+var_1C]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	edi
		push	[ebp+arg_4]
		push	edi
		push	[ebp+var_24]
		push	esi
		push	[ebp+arg_8]
		call	ObOpenObjectByNameEx
		mov	[ebp+arg_4], eax
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_86D3CB:				; CODE XREF: sub_90B856+3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+arg_4]

loc_86D3D5:				; CODE XREF: sub_90B83E+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_86D3E7:				; CODE XREF: NtOpenSession+31j
		mov	ecx, eax
		jmp	short loc_86D38D
NtOpenSession	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _RegRtlSetValue(x, x, x, x,	x)
__RegRtlSetValue@20 proc near		; CODE XREF: _PnpSetPropertyWorker+176p
					; _CmSetDeviceRegPropWorker+D9p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		push	edx
		push	eax
		mov	esi, ecx
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_86D421
		push	[ebp+arg_8]
		lea	eax, [ebp+var_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	0
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_86D421:				; CODE XREF: _RegRtlSetValue(x,x,x,x,x)+1Ej
		pop	esi
		leave
		retn	0Ch
__RegRtlSetValue@20 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2272. RtlOemStringToUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlOemStringToUnicodeString
RtlOemStringToUnicodeString proc near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 0090B85E SIZE 0000000A BYTES
; FUNCTION CHUNK AT 0090B88A SIZE 0000000A BYTES

		push	10h
		push	offset dword_6A4C40
		call	__SEH_prolog4
		and	[ebp+var_20], 0
		mov	ebx, [ebp+arg_4]
		push	ebx
		call	_RtlxOemStringToUnicodeSize@4 ;	RtlxOemStringToUnicodeSize(x)
		cmp	eax, 0FFFEh
		ja	loc_90B85E
		movzx	ecx, ax
		lea	edx, [ecx-2]
		mov	edi, [ebp+arg_0]
		mov	[edi], dx
		cmp	[ebp+arg_8], 0
		jnz	loc_86D4EA
		movzx	ecx, dx
		add	ecx, 2
		movzx	eax, word ptr [edi+2]
		cmp	ecx, eax
		ja	loc_90B88A
		cmp	ecx, 2
		jb	loc_90B88A

loc_86D481:				; CODE XREF: RtlOemStringToUnicodeString+CDj
		and	[ebp+var_1C], 0
		and	[ebp+ms_exc.disabled], 0
		mov	[ebp+arg_4], 1
		movzx	eax, word ptr [ebx]
		push	eax
		push	dword ptr [ebx+4]
		lea	eax, [ebp+var_20]
		push	eax
		movzx	eax, word ptr [edi]
		push	eax
		push	dword ptr [edi+4]
		call	RtlOemToUnicodeN
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		js	short loc_86D4C3
		mov	ecx, [ebp+var_20]
		shr	ecx, 1
		mov	eax, [edi+4]
		xor	edx, edx
		mov	[eax+ecx*2], dx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx

loc_86D4C3:				; CODE XREF: RtlOemStringToUnicodeString+82j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+arg_4], 0
		call	sub_86D502
		mov	eax, ebx

loc_86D4D8:				; CODE XREF: RtlOemStringToUnicodeString+D4j
					; RtlOemStringToUnicodeString+9E437j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_86D4EA:				; CODE XREF: RtlOemStringToUnicodeString+34j
		mov	[edi+2], cx
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[edi+4], eax
		test	eax, eax
		jnz	short loc_86D481
		mov	eax, 0C0000017h
		jmp	short loc_86D4D8
RtlOemStringToUnicodeString endp


;  S U B	R O U T	I N E 


sub_86D502	proc near		; CODE XREF: RtlOemStringToUnicodeString+A5p
					; sub_90B868+6j

; FUNCTION CHUNK AT 0090B873 SIZE 00000017 BYTES

		cmp	dword ptr [ebp+0Ch], 0
		jnz	loc_90B873
		test	ebx, ebx
		js	loc_90B873

locret_86D514:				; CODE XREF: sub_86D502+9E375j
		retn
sub_86D502	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2273. RtlOemToUnicodeN

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlOemToUnicodeN
RtlOemToUnicodeN proc near		; CODE XREF: RtlOemStringToUnicodeString+76p
					; FsRtlNotifyUpdateBuffer+12BC01p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0090B894 SIZE 000000C0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	cl, 1
		call	RtlpIsUtf8Process
		test	al, al
		jnz	loc_90B894
		mov	edx, [ebp+arg_10]
		push	ebx
		push	edi
		mov	edi, [ebp+arg_4]
		shr	edi, 1
		mov	[ebp+arg_4], edi
		cmp	ds:_NlsMbOemCodePageTag, al
		jnz	loc_90B8CE
		mov	ecx, edi
		cmp	edi, edx
		jb	short loc_86D551
		mov	ecx, edx

loc_86D551:				; CODE XREF: RtlOemToUnicodeN+33j
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_86D55D
		lea	eax, [ecx+ecx]
		mov	[esi], eax

loc_86D55D:				; CODE XREF: RtlOemToUnicodeN+3Cj
		mov	ebx, ds:_NlsOemToUnicodeData
		xor	esi, esi
		test	ecx, ecx
		jz	short loc_86D586
		mov	edx, [ebp+arg_0]
		mov	edi, [ebp+arg_C]

loc_86D56F:				; CODE XREF: RtlOemToUnicodeN+64j
		movzx	eax, byte ptr [esi+edi]
		mov	ax, [ebx+eax*2]
		mov	[edx+esi*2], ax
		inc	esi
		cmp	esi, ecx
		jb	short loc_86D56F
		mov	edx, [ebp+arg_10]
		mov	edi, [ebp+arg_4]

loc_86D586:				; CODE XREF: RtlOemToUnicodeN+4Dj
					; RtlOemToUnicodeN+9E42Bj ...
		cmp	edi, edx
		pop	edi
		sbb	eax, eax
		and	eax, 80000005h
		pop	ebx

loc_86D591:				; CODE XREF: RtlOemToUnicodeN+9E3AFj
		pop	esi
		leave
		retn	14h
RtlOemToUnicodeN endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2271. RtlOemStringToUnicodeSize
; Exported entry 2414. RtlxOemStringToUnicodeSize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlxOemStringToUnicodeSize(x)
		public _RtlxOemStringToUnicodeSize@4
_RtlxOemStringToUnicodeSize@4 proc near	; CODE XREF: FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+3CBp
					; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)+412p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi	; RtlOemStringToUnicodeSize
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_4], 0
		movzx	eax, word ptr [ecx]
		push	eax
		push	dword ptr [ecx+4]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlMultiByteToUnicodeSize
		mov	eax, [ebp+var_4]
		add	eax, 2
		leave
		retn	4
_RtlxOemStringToUnicodeSize@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmSetDeviceInterfaceMappedProperty proc near ;	CODE XREF: _PnpDispatchDeviceInterface+8Fp
					; _CmDeleteDeviceInterfaceWorker(x,x,x)+16Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0090B954 SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	[ebp+arg_4], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	esi, 0C0000016h
		mov	[ebp+var_8], ecx
		jnz	short loc_86D620
		mov	ebx, [ebp+arg_8]
		xor	edi, edi
		mov	ecx, edi
		mov	[ebp+arg_4], edi

loc_86D5EA:				; CODE XREF: _CmSetDeviceInterfaceMappedProperty+41j
		mov	edx, ds:off_A42DD8[ecx]
		test	edx, edx
		jz	short loc_86D5FC
		mov	eax, [ebx+10h]
		cmp	eax, [edx+10h]
		jz	short loc_86D63E

loc_86D5FC:				; CODE XREF: _CmSetDeviceInterfaceMappedProperty+2Ej
					; _CmSetDeviceInterfaceMappedProperty+91j
		add	ecx, 8
		mov	[ebp+arg_4], ecx
		cmp	ecx, 18h
		jb	short loc_86D5EA

loc_86D607:				; CODE XREF: _CmSetDeviceInterfaceMappedProperty+9E3E7j
		mov	ecx, [ebx+10h]
		mov	[ebp+arg_0], ecx

loc_86D60D:				; CODE XREF: _CmSetDeviceInterfaceMappedProperty+5Aj
		mov	eax, ds:off_A42EF0[edi]
		cmp	ecx, [eax+10h]
		jz	short loc_86D629

loc_86D618:				; CODE XREF: _CmSetDeviceInterfaceMappedProperty+78j
		add	edi, 8
		cmp	edi, 20h
		jb	short loc_86D60D

loc_86D620:				; CODE XREF: _CmSetDeviceInterfaceMappedProperty+1Aj
					; _CmSetDeviceInterfaceMappedProperty+98j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_86D629:				; CODE XREF: _CmSetDeviceInterfaceMappedProperty+52j
		push	10h		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_86D657
		mov	ecx, [ebp+arg_0]
		jmp	short loc_86D618
; 

loc_86D63E:				; CODE XREF: _CmSetDeviceInterfaceMappedProperty+36j
		push	10h		; size_t
		push	edx		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_90B954
		mov	ecx, [ebp+arg_4]
		jmp	short loc_86D5FC
; 

loc_86D657:				; CODE XREF: _CmSetDeviceInterfaceMappedProperty+73j
		mov	esi, 0C0000022h
		jmp	short loc_86D620
_CmSetDeviceInterfaceMappedProperty endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRmCreateLogonSessionWrkr(x, x)
_SepRmCreateLogonSessionWrkr@8 proc near ; DATA	XREF: PAGE:00A40D04o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_8], eax
		mov	eax, [ecx+20h]
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_4], eax
		call	SepCreateLogonSessionTrack
		mov	ecx, [ebp+arg_4]
		mov	[ecx+18h], eax
		leave
		retn	8
_SepRmCreateLogonSessionWrkr@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepCreateLogonSessionTrack proc	near	; CODE XREF: SepRmCreateLogonSessionWrkr(x,x)+19p
					; SeInitServerSilo(x)+39p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090B9B0 SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	734C6553h
		xor	edi, edi
		mov	ebx, ecx
		push	6Ch
		inc	edi
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_90B9B0
		push	6Ch		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebx]
		lea	ecx, [esi+48h]
		mov	[esi+4], eax
		add	esp, 0Ch
		mov	eax, [ebx+4]
		mov	[esi+8], eax
		mov	[esi+14h], edi
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		and	dword ptr [ecx+8], 0
		add	ecx, 0Ch
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		cmp	ds:_SeTokenLeakTracking, 0
		jnz	loc_90B9BA

loc_86D6E9:				; CODE XREF: SepCreateLogonSessionTrack+9E33Cj
		imul	ecx, [ebx], 5B250A24h
		mov	eax, ds:_SepLogonSessions
		shr	ecx, 1Ch
		lea	edi, [eax+ecx*4]
		mov	eax, large fs:124h
		mov	[ebp+var_C], edi
		dec	word ptr [eax+13Ch]
		nop
		and	ecx, 3
		imul	eax, ecx, 38h
		push	1
		lea	eax, _SepRmDbLock[eax]
		push	eax
		mov	[ebp+var_8], eax
		call	ExAcquireResourceExclusiveLite
		mov	edi, [edi]
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		mov	[ebp+var_4], eax

loc_86D72C:				; CODE XREF: SepCreateLogonSessionTrack+EEj
		test	edi, edi
		jnz	short loc_86D75F
		test	eax, eax
		jnz	loc_90B9F9

loc_86D738:				; CODE XREF: SepCreateLogonSessionTrack+9E382j
		mov	ecx, [ebp+var_C]
		mov	[esi+58h], eax
		mov	eax, [ecx]
		mov	[esi], eax
		mov	[ecx], esi
		mov	ecx, [ebp+var_8]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax

loc_86D75A:				; CODE XREF: SepCreateLogonSessionTrack+9E32Fj
					; SepCreateLogonSessionTrack+9E36Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_86D75F:				; CODE XREF: SepCreateLogonSessionTrack+A8j
		cmp	eax, [edi+58h]
		jnz	short loc_86D772
		mov	eax, [ebx]
		cmp	eax, [edi+4]
		jz	loc_90B9C7

loc_86D76F:				; CODE XREF: SepCreateLogonSessionTrack+9E347j
		mov	eax, [ebp+var_4]

loc_86D772:				; CODE XREF: SepCreateLogonSessionTrack+DCj
		mov	edi, [edi]
		jmp	short loc_86D72C
SepCreateLogonSessionTrack endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1957. RtlAppendStringToString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAppendStringToString(x, x)
		public _RtlAppendStringToString@8
_RtlAppendStringToString@8 proc	near	; CODE XREF: PAGE:00888C3Ep
					; PAGE:00888CBDp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		movzx	esi, word ptr [edx]
		test	si, si
		jz	short loc_86D7B7
		mov	edi, [ebp+arg_0]
		mov	eax, esi
		movzx	ebx, word ptr [edi]
		lea	ecx, [eax+ebx]
		movzx	eax, word ptr [edi+2]
		cmp	ecx, eax
		ja	short loc_86D7C0
		mov	eax, [edi+4]
		push	esi		; size_t
		push	dword ptr [edx+4] ; void *
		add	eax, ebx
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch
		add	[edi], si

loc_86D7B7:				; CODE XREF: RtlAppendStringToString(x,x)+11j
		xor	eax, eax

loc_86D7B9:				; CODE XREF: RtlAppendStringToString(x,x)+49j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_86D7C0:				; CODE XREF: RtlAppendStringToString(x,x)+24j
		mov	eax, 0C0000023h
		jmp	short loc_86D7B9
_RtlAppendStringToString@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtNotifyChangeSession proc near		; DATA XREF: .text:00580F68o

var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_11F		= byte ptr -11Fh
var_11E		= byte ptr -11Eh
var_11D		= byte ptr -11Dh
var_11C		= dword	ptr -11Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 0090BA0D SIZE 00000041 BYTES
; FUNCTION CHUNK AT 0090BA83 SIZE 00000067 BYTES

		push	154h
		push	offset dword_6A4C60
		call	__SEH_prolog4_GS
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_128], eax
		mov	esi, [ebp+arg_1C]
		mov	[ebp+var_138], esi
		xor	ebx, ebx
		mov	[ebp+var_11D], bl
		mov	[ebp+var_164], ebx
		mov	[ebp+var_160], ebx
		mov	[ebp+var_15C], ebx
		mov	[ebp+var_158], ebx
		mov	[ebp+var_134], ebx
		mov	[ebp+var_11E], bl
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_11F], al
		mov	byte ptr [ebp+var_130],	al
		cmp	esi, 100h
		ja	loc_90BA0D
		mov	eax, ds:_MmSessionObjectType
		mov	[ebp+var_124], ebx
		push	ebx
		lea	edx, [ebp+var_124]
		push	edx
		push	[ebp+var_130]
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+var_130], eax
		test	eax, eax
		js	loc_86D9A7
		mov	edi, [ebp+var_124]
		mov	eax, [edi+10h]
		add	eax, 2440h
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, [edi+10h]
		mov	eax, [ecx+243Ch]
		mov	edi, [ebp+arg_4]
		cmp	eax, edi
		jnz	loc_86DA1E
		inc	eax

loc_86D899:				; CODE XREF: NtNotifyChangeSession+2CAj
		mov	[ecx+243Ch], eax

loc_86D89F:				; CODE XREF: NtNotifyChangeSession+9E254j
		mov	eax, [ebp+var_124]
		mov	ecx, [eax+10h]
		cmp	[ebp+arg_C], ebx
		jz	loc_86D954
		mov	eax, [ebp+arg_10]
		mov	[ecx+2438h], eax
		mov	edi, ebx
		mov	[ebp+var_12C], edi
		test	esi, esi
		jnz	loc_86D9AF

loc_86D8CA:				; CODE XREF: NtNotifyChangeSession+251j
					; NtNotifyChangeSession+9E2F2j	...
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_154], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_150], eax
		mov	[ebp+var_14C], esi
		mov	[ebp+var_148], edi
		mov	eax, [ebp+var_124]
		mov	[ebp+var_144], eax
		cmp	[ebp+var_11E], 0
		jnz	short loc_86D96F
		mov	eax, [ebp+arg_C]
		cmp	eax, 1
		jz	short loc_86D96F
		cmp	eax, 2
		jz	short loc_86D96F
		push	6E536F49h
		push	24h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_86D96F
		push	9
		pop	ecx
		lea	esi, [ebp+var_164]
		mov	edi, eax
		rep movsd
		mov	dword ptr [eax+8], offset _IopSessionChangeWorker@4 ; IopSessionChangeWorker(x)
		mov	[eax+0Ch], eax
		mov	[eax], ebx
		push	1
		push	eax
		call	ExQueueWorkItem

loc_86D940:				; CODE XREF: NtNotifyChangeSession+1A5j
		xor	eax, eax

loc_86D942:				; CODE XREF: NtNotifyChangeSession+1E5j
					; NtNotifyChangeSession+9E24Aj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_86D954:				; CODE XREF: NtNotifyChangeSession+E3j
		push	ebx
		push	ebx
		lea	eax, [ecx+2440h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [ebp+var_124]
		call	ObfDereferenceObject
		jmp	short loc_86D940
; 

loc_86D96F:				; CODE XREF: NtNotifyChangeSession+133j
					; NtNotifyChangeSession+13Bj ...
		push	ebx
		lea	eax, [ebp+var_164]
		push	eax
		push	_IopSessionCallbackObject
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)
		push	ebx
		push	ebx
		mov	esi, [ebp+var_124]
		mov	eax, [esi+10h]
		add	eax, 2440h
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, esi
		call	ObfDereferenceObject
		test	edi, edi
		jnz	loc_90BAD1

loc_86D9A7:				; CODE XREF: NtNotifyChangeSession+9Ej
					; NtNotifyChangeSession+9E310j	...
		mov	eax, [ebp+var_130]
		jmp	short loc_86D942
; 

loc_86D9AF:				; CODE XREF: NtNotifyChangeSession+FCj
		cmp	[ebp+var_11F], 1
		jnz	loc_90BA83
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+var_128]
		lea	ecx, [esi+eax]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	loc_90BA27
		cmp	ecx, eax
		jb	loc_90BA27

loc_86D9DE:				; CODE XREF: NtNotifyChangeSession+9E261j
		push	6E536F49h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_12C], edi
		push	esi		; size_t
		push	[ebp+var_128]	; void *
		test	edi, edi
		jz	loc_90BA2E
		mov	[ebp+var_11D], 1
		push	edi		; void *
		call	_memcpy

loc_86DA0F:				; CODE XREF: NtNotifyChangeSession+9E281j
		add	esp, 0Ch

loc_86DA12:				; CODE XREF: sub_90BA52+2Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_86D8CA
; 

loc_86DA1E:				; CODE XREF: NtNotifyChangeSession+CAj
		ja	loc_90BA17

loc_86DA24:				; CODE XREF: NtNotifyChangeSession+9E25Aj
		mov	[ebp+var_140], 0FFF0BDC0h
		or	[ebp+var_13C], 0FFFFFFFFh
		mov	esi, [ebp+var_124]

loc_86DA3B:				; CODE XREF: NtNotifyChangeSession+2BFj
		lea	eax, [ecx+2440h]
		push	ebx
		push	ebx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		lea	eax, [ebp+var_140]
		push	eax
		push	ebx
		push	ebx
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	eax, [esi+10h]
		add	eax, 2440h
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_134]
		inc	eax
		mov	[ebp+var_134], eax
		mov	ecx, [esi+10h]
		mov	edx, [ecx+243Ch]
		cmp	ax, 0Ah
		ja	short loc_86DA89
		cmp	edx, edi
		jnz	short loc_86DA3B

loc_86DA89:				; CODE XREF: NtNotifyChangeSession+2BBj
		lea	eax, [edi+1]
		mov	esi, [ebp+var_138]
		jmp	loc_86D899
NtNotifyChangeSession endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpSetDeviceMap	proc near		; CODE XREF: SeGetTokenDeviceMap+12Fp
					; ObpSetSiloDeviceMap+30p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0090BAEA SIZE 0000008C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, _ObpDirectoryObjectType
		push	ebx
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		push	ebx
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_C], edx
		push	ecx
		push	[ebp+arg_4]
		mov	[ebp+var_8], ebx
		push	eax
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+var_8]
		test	eax, eax
		js	loc_86DBD4
		test	[ebp+arg_8], 4
		push	esi
		jnz	short loc_86DAE4
		test	byte ptr [edi+0A8h], 4
		jnz	loc_90BAEA

loc_86DAE4:				; CODE XREF: ObpSetDeviceMap+3Dj
		push	6D44624Fh
		push	38h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_90BAF1
		push	38h		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [esi+0Ch], 1
		lea	eax, [esi+8]
		mov	[esi], edi
		push	eax
		push	ebx
		push	_ObpDirectoryObjectType
		push	0F000Fh
		push	ebx
		push	200h
		push	edi
		call	ObOpenObjectByPointer
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	loc_90BB04
		mov	eax, [ebp+var_4]
		mov	ecx, eax
		test	eax, eax
		jnz	loc_90BB1E

loc_86DB45:				; CODE XREF: ObpSetDeviceMap+9E096j
		mov	[ebp+arg_4], ebx
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ecx, large fs:124h
		mov	[ebp+arg_0], eax
		dec	word ptr [ecx+13Eh]
		nop
		add	eax, 70h
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [edi+98h]
		test	ecx, ecx
		jnz	loc_90BB33
		test	[ebp+arg_8], 1
		mov	eax, [ebp+arg_0]
		jnz	short loc_86DBDA

loc_86DB85:				; CODE XREF: ObpSetDeviceMap+144j
		test	[ebp+arg_8], 2
		mov	[edi+98h], esi
		jz	short loc_86DB9C
		mov	eax, [eax]
		mov	eax, [eax]
		cmp	edi, eax
		jz	short loc_86DB9C
		mov	[esi+4], eax

loc_86DB9C:				; CODE XREF: ObpSetDeviceMap+F7j
					; ObpSetDeviceMap+FFj ...
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_86DBDE

loc_86DBA3:				; CODE XREF: ObpSetDeviceMap+152j
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	loc_90BB41

loc_86DBC4:				; CODE XREF: ObpSetDeviceMap+9E0D9j
		test	ebx, ebx
		jnz	short loc_86DBEC

loc_86DBC8:				; CODE XREF: ObpSetDeviceMap+15Bj
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_86DBD1
		mov	[eax], esi

loc_86DBD1:				; CODE XREF: ObpSetDeviceMap+135j
		xor	eax, eax

loc_86DBD3:				; CODE XREF: ObpSetDeviceMap+9E067j
					; ObpSetDeviceMap+9E081j
		pop	esi

loc_86DBD4:				; CODE XREF: ObpSetDeviceMap+32j
		pop	edi
		pop	ebx
		leave
		retn	10h
; 

loc_86DBDA:				; CODE XREF: ObpSetDeviceMap+EBj
		mov	[eax], esi
		jmp	short loc_86DB85
; 

loc_86DBDE:				; CODE XREF: ObpSetDeviceMap+109j
		mov	ebx, [eax+198h]
		mov	[eax+198h], esi
		jmp	short loc_86DBA3
; 

loc_86DBEC:				; CODE XREF: ObpSetDeviceMap+12Ej
		mov	ecx, ebx
		call	ObfDereferenceDeviceMap
		jmp	short loc_86DBC8
ObpSetDeviceMap	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1347. LdrResFindResource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrResFindResource(x, x, x,	x, x, x, x, x, x)
		public _LdrResFindResource@36
_LdrResFindResource@36 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		test	[ebp+arg_20], 0C02h
		jnz	short loc_86DC3E
		push	[ebp+arg_1C]
		mov	eax, [ebp+arg_4]
		push	[ebp+arg_18]
		mov	[ebp+var_C], eax
		push	[ebp+arg_14]
		mov	eax, [ebp+arg_8]
		push	[ebp+arg_10]
		mov	[ebp+var_8], eax
		push	[ebp+arg_20]
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_C]
		push	3
		push	eax
		push	[ebp+arg_0]
		call	_LdrResSearchResource@32 ; LdrResSearchResource(x,x,x,x,x,x,x,x)

locret_86DC3A:				; CODE XREF: LdrResFindResource(x,x,x,x,x,x,x,x,x)+49j
		leave
		retn	24h
; 

loc_86DC3E:				; CODE XREF: LdrResFindResource(x,x,x,x,x,x,x,x,x)+Fj
		mov	eax, 0C000000Dh
		jmp	short locret_86DC3A
_LdrResFindResource@36 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1052. IoWMIQuerySingleInstance

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IoWMIQuerySingleInstance(int,int,int,void *)
		public IoWMIQuerySingleInstance
IoWMIQuerySingleInstance proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0090BB76 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		movzx	edi, word ptr [eax]
		mov	esi, ebx
		mov	eax, [ebp+arg_8]
		add	edi, 49h
		and	edi, 0FFFFFFF8h
		mov	eax, [eax]
		mov	[ebp+var_4], eax
		test	ebx, ebx
		jz	loc_86DD02
		cmp	eax, edi
		jb	loc_86DD02

loc_86DC7C:				; CODE XREF: IoWMIQuerySingleInstance+CDj
		test	esi, esi
		jz	loc_90BB76
		push	40h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+arg_4]
		mov	dword ptr [esi+2Ch], 2
		mov	[esi], edi
		mov	dword ptr [esi+30h], 40h
		mov	[esi+38h], edi
		mov	ax, [ecx]
		mov	[esi+40h], ax
		movzx	eax, word ptr [ecx]
		push	eax		; size_t
		push	dword ptr [ecx+4] ; void *
		lea	eax, [esi+42h]
		push	eax		; void *
		call	_memcpy
		mov	eax, [esi]
		add	esp, 18h
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+arg_4], eax
		lea	eax, [ebp+arg_4]
		push	eax
		push	[ebp+var_4]
		push	esi
		push	1
		push	0
		call	WmipQuerySetExecuteSI
		mov	edi, eax
		test	edi, edi
		js	short loc_86DD26
		mov	eax, [esi+2Ch]
		test	eax, 100h
		jnz	short loc_86DD34
		mov	ecx, [ebp+arg_8]
		test	al, 20h
		jnz	short loc_86DD1C
		mov	eax, [ebp+arg_4]
		mov	[ecx], eax
		cmp	esi, ebx
		jnz	short loc_86DD21

loc_86DCF9:				; CODE XREF: IoWMIQuerySingleInstance+DEj
					; IoWMIQuerySingleInstance+E8j	...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_86DD02:				; CODE XREF: IoWMIQuerySingleInstance+24j
					; IoWMIQuerySingleInstance+2Cj
		push	70696D57h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_4], edi
		jmp	loc_86DC7C
; 

loc_86DD1C:				; CODE XREF: IoWMIQuerySingleInstance+A4j
		mov	eax, [esi+30h]
		mov	[ecx], eax

loc_86DD21:				; CODE XREF: IoWMIQuerySingleInstance+ADj
		mov	edi, 0C0000023h

loc_86DD26:				; CODE XREF: IoWMIQuerySingleInstance+93j
					; IoWMIQuerySingleInstance+EFj
		cmp	esi, ebx
		jz	short loc_86DCF9
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_86DCF9
; 

loc_86DD34:				; CODE XREF: IoWMIQuerySingleInstance+9Dj
		mov	edi, 0C00000BBh
		jmp	short loc_86DD26
IoWMIQuerySingleInstance endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopInitSIdle	proc near		; CODE XREF: PAGELK:0071F305p
					; PopDispatchFullWake(x)+41p ...

var_C0		= dword	ptr -0C0h
var_BC		= byte ptr -0BCh
var_BB		= byte ptr -0BBh
var_AC		= byte ptr -0ACh
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_5C		= dword	ptr -5Ch
Source2		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090BB80 SIZE 000000CE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	60h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_68]
		mov	esi, ecx
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_70], esi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_C0]
		push	4Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	_PopPlatformAoAc, bl
		jnz	loc_90BB80
		mov	eax, _PopPolicy
		or	[ebp+var_5C], 0FFFFFFFFh
		mov	ecx, dword_6C2D20
		push	2
		mov	eax, [eax+38h]
		mov	[ebp+var_4C], eax
		mov	eax, _PopFullWake
		mov	[ebp+var_50], 1
		mov	[ebp+var_6C], 5
		pop	edi
		mov	[ebp+var_48], edi
		test	al, 3
		jz	short loc_86DE39

loc_86DDBA:				; CODE XREF: PopInitSIdle+FFj
					; PopInitSIdle+9DE5Aj
		lea	edx, [ebp+var_C0]
		mov	ecx, offset _PopCapabilities
		call	PopFilterCapabilities
		mov	esi, _PopPolicy
		mov	eax, [esi+3Ch]
		test	eax, eax
		jnz	loc_90BBD7
		cmp	[esi+58h], ebx
		ja	loc_90BBD3

loc_86DDE4:				; CODE XREF: PopInitSIdle+9DE92j
					; PopInitSIdle+9DEE8j ...
		push	0Ch		; Length
		lea	eax, [ebp+Source2]
		push	eax		; Source2
		push	offset Source1	; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 0Ch
		jnz	short loc_86DE46
		mov	ecx, dword_6C22C0
		cmp	ecx, [ebp+var_48]
		jnz	short loc_86DE46
		mov	edx, dword_6C22AC
		cmp	edx, [ebp+var_5C]
		jnz	short loc_86DE46

loc_86DE0F:				; CODE XREF: PopInitSIdle+154j
					; PopInitSIdle+16Bj
		push	[ebp+var_70]
		push	dword_6C22B8
		push	edx
		mov	edx, [ebp+var_6C]
		push	ecx
		push	Source1
		mov	cl, bl
		call	_PopTraceSystemIdleTimeoutInitialization@28 ; PopTraceSystemIdleTimeoutInitialization(x,x,x,x,x,x,x)

loc_86DE2A:				; CODE XREF: PopInitSIdle+9DE4Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_86DE39:				; CODE XREF: PopInitSIdle+7Cj
		test	ecx, ecx
		jz	loc_86DDBA
		jmp	loc_90BB8C
; 

loc_86DE46:				; CODE XREF: PopInitSIdle+BBj
					; PopInitSIdle+C6j ...
		push	4
		pop	ecx
		mov	bl, 1
		call	_PopResetIdleTime@4 ; PopResetIdleTime(x)
		cmp	dword_6B1470, 0
		lea	esi, [ebp+Source2]
		mov	ecx, [ebp+var_48]
		mov	edi, offset Source1
		mov	edx, [ebp+var_5C]
		mov	byte_6C22D4, bl
		movsd
		movsd
		movsd
		mov	eax, dword_6C22C4
		mov	dword_6C22C0, ecx
		mov	dword_6C22AC, edx
		jnz	short loc_86DEAC
		and	eax, 0FFFFFFFEh

loc_86DE84:				; CODE XREF: PopInitSIdle+173j
		cmp	byte_6C2E34, 0
		mov	dword_6C22C4, eax
		jnz	loc_86DE0F
		cmp	dword_6B1480, 0
		jnz	short loc_86DEB1
		and	eax, 0FFFFFFFDh

loc_86DEA2:				; CODE XREF: PopInitSIdle+178j
		mov	dword_6C22C4, eax
		jmp	loc_86DE0F
; 

loc_86DEAC:				; CODE XREF: PopInitSIdle+143j
		or	eax, 1
		jmp	short loc_86DE84
; 

loc_86DEB1:				; CODE XREF: PopInitSIdle+161j
		or	eax, 2
		jmp	short loc_86DEA2
PopInitSIdle	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceSystemIdleTimeoutInitialization(x, x, x, x,	x, x, x)
_PopTraceSystemIdleTimeoutInitialization@28 proc near ;	CODE XREF: PopInitSIdle+E9p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	[ebp+var_7C], edx
		mov	bl, cl
		jz	short loc_86DEF7
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_SYSTEM_IDLE_TIMEOUT_INITIALIZED
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	short loc_86DF06

loc_86DEF5:				; CODE XREF: PopTraceSystemIdleTimeoutInitialization(x,x,x,x,x,x,x)+D7j
		pop	edi
		pop	esi

loc_86DEF7:				; CODE XREF: PopTraceSystemIdleTimeoutInitialization(x,x,x,x,x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_86DF06:				; CODE XREF: PopTraceSystemIdleTimeoutInitialization(x,x,x,x,x,x,x)+3Dj
		movzx	eax, bl
		xor	edx, edx
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	edx
		push	offset _POP_ETW_EVENT_SYSTEM_IDLE_TIMEOUT_INITIALIZED
		push	esi
		push	edi
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_86DEF5
_PopTraceSystemIdleTimeoutInitialization@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEsWorker	proc near		; DATA XREF: PoInitSystem+544o
					; PopEsInit+Co

var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090BC4E SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, offset _PopEsWorkItemDue

loc_86DFB0:				; CODE XREF: PopEsWorker+6Aj
					; PopEsWorker+87j
		mov	[esp+28h+var_15], 0
		xor	edx, edx
		mov	eax, [esi]

loc_86DFB9:				; CODE XREF: PopEsWorker+2Fj
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [esi], ecx
		jnz	short loc_86DFB9
		mov	esi, eax
		bsf	ecx, esi
		inc	edx
		shl	edx, cl
		mov	ebx, edx
		not	ebx
		and	ebx, esi
		test	bl, 8
		jnz	loc_90BC4E

loc_86DFDA:				; CODE XREF: PopEsWorker+9DCD2j
		cmp	edx, 2
		jz	loc_86E07A

loc_86DFE3:				; CODE XREF: PopEsWorker+EBj
					; PopEsWorker+9DCC4j
		mov	ecx, ebx
		mov	eax, esi
		mov	edi, offset _PopEsWorkItemDue
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		mov	edi, offset _PopEsLock
		mov	esi, offset _PopEsWorkItemDue
		jnz	short loc_86DFB0
		sub	edx, 1
		jz	loc_86E0F0
		sub	edx, 1
		jz	short loc_86E082
		dec	edx
		sub	edx, 1
		jz	short loc_86E02F

loc_86E012:				; CODE XREF: PopEsWorker+E6j
					; PopEsWorker+1C2j
		mov	esi, offset _PopEsWorkItemDue
		test	ebx, ebx
		jnz	short loc_86DFB0
		mov	ecx, [esp+28h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_86E02F:				; CODE XREF: PopEsWorker+7Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6BFD2C, eax

loc_86E051:				; CODE XREF: PopEsWorker+159j
		mov	cl, [esp+28h+var_15]
		call	PopEsUpdateState
		cmp	dword_6BFD2C, 0
		jz	short loc_86E06A
		and	dword_6BFD2C, 0

loc_86E06A:				; CODE XREF: PopEsWorker+CFj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	short loc_86E012
; 

loc_86E07A:				; CODE XREF: PopEsWorker+4Bj
		and	ebx, 0FFFFFFFBh
		jmp	loc_86DFE3
; 

loc_86E082:				; CODE XREF: PopEsWorker+78j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6BFD2C, eax
		mov	eax, _PopEsMode
		mov	[esp+28h+var_10], eax
		movzx	eax, byte_6C2D55
		mov	[esp+28h+var_8], eax
		mov	eax, dword_6C2D50
		mov	[esp+28h+var_C], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	0Ch
		lea	eax, [esp+3Ch+var_10]
		push	eax
		push	offset _WNF_PO_ENERGY_SAVER_SETTING
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		movzx	eax, byte_6C2D55
		mov	edx, dword_6C2D50
		push	eax
		call	_PopTraceEsSetting@12 ;	PopTraceEsSetting(x,x,x)
		jmp	loc_86E051
; 

loc_86E0F0:				; CODE XREF: PopEsWorker+6Fj
		call	_PopEsPublishState@0 ; PopEsPublishState()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6BFD2C, eax
		call	PopEsStartTelemetry
		cmp	dword_6BFD2C, 0
		jz	short loc_86E12C
		and	dword_6BFD2C, 0

loc_86E12C:				; CODE XREF: PopEsWorker+191j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	0
		push	offset _PopEsWnfSubscriptionOverrideCallback@24	; PopEsWnfSubscriptionOverrideCallback(x,x,x,x,x,x)
		push	0
		push	1
		push	offset _WNF_PO_ENERGY_SAVER_OVERRIDE
		push	offset _PopEsWnfSubscriptionOverride
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		jmp	loc_86E012
PopEsWorker	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEsEvaluateNextState proc near	; CODE XREF: PopEsUpdateState+34p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090BC69 SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, _PopEsMode
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		xor	edx, edx
		inc	edx
		mov	[edi], esi
		cmp	eax, edx
		jz	short loc_86E1AB
		push	ebx
		cmp	eax, 2
		jnz	short loc_86E18A
		mov	eax, dword_6C2D50
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	loc_90BC69

loc_86E18A:				; CODE XREF: PopEsEvaluateNextState+1Ej
					; PopEsEvaluateNextState+9DB13j ...
		cmp	byte_6C2D54, 0
		jnz	loc_90BCA4

loc_86E197:				; CODE XREF: PopEsEvaluateNextState+9DB50j
					; PopEsEvaluateNextState+9DB5Cj
		cmp	_PopEsEnabledOnHost, 0
		jnz	loc_90BCC4

loc_86E1A4:				; CODE XREF: PopEsEvaluateNextState+9DB3Dj
					; PopEsEvaluateNextState+9DB72j
		pop	ebx

loc_86E1A5:				; CODE XREF: PopEsEvaluateNextState+55j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_86E1AB:				; CODE XREF: PopEsEvaluateNextState+18j
		mov	esi, edx
		mov	[edi], edx
		jmp	short loc_86E1A5
PopEsEvaluateNextState endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEsStartTelemetry proc near		; CODE XREF: PopEsExitSleep()+28p
					; PopEsWorker+185p

var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090BCD1 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_24]
		mov	esi, 0FFDF0324h
		push	8
		pop	ecx
		rep stosd
		mov	edx, [esi]
		lea	edi, [esi-4]
		mov	ebx, [edi]
		lea	eax, [esi+4]
		mov	eax, [eax]
		mov	ecx, ds:0FFDF0004h
		mov	[ebp+var_4], ecx
		cmp	edx, eax
		jnz	loc_90BCD1

loc_86E1E9:				; CODE XREF: PopEsStartTelemetry+9DB33j
		mov	eax, edx
		mul	ecx
		mov	esi, eax
		mov	edi, edx
		mov	eax, ebx
		mul	ecx
		shld	edi, esi, 8
		shrd	eax, edx, 18h
		shl	esi, 8
		lea	ecx, [ebp+var_24]
		shr	edx, 18h
		add	esi, eax
		adc	edi, edx
		call	_PopCurrentPowerState@4	; PopCurrentPowerState(x)
		xor	ecx, ecx
		cmp	byte ptr [ebp+var_24+1], cl
		jnz	short loc_86E249

loc_86E216:				; CODE XREF: PopEsStartTelemetry+9Aj
		mov	al, byte ptr [ebp+var_24]
		mov	_PopEsAcOnline,	al
		mov	eax, dword_6C2D50
		mov	dword_6D4B24, edi
		pop	edi
		mov	_PopEsLastStateChangeTimeStamp,	esi
		mov	_PopEsLastBatteryThreshold, eax
		mov	al, byte_6C2D55
		pop	esi
		mov	_PopEsLastBatteryCharge, ecx
		mov	_PopEsLastUserAwaySetting, al
		pop	ebx
		leave
		retn
; 

loc_86E249:				; CODE XREF: PopEsStartTelemetry+62j
		mov	ecx, [ebp+var_18]
		jmp	short loc_86E216
PopEsStartTelemetry endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2476. SeMarkLogonSessionForTerminationNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeMarkLogonSessionForTerminationNotification(x)
		public _SeMarkLogonSessionForTerminationNotification@4
_SeMarkLogonSessionForTerminationNotification@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_0]
		call	_SeMarkLogonSessionForTerminationNotificationEx@8 ; SeMarkLogonSessionForTerminationNotificationEx(x,x)
		pop	ebp
		retn	4
_SeMarkLogonSessionForTerminationNotification@4	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2477. SeMarkLogonSessionForTerminationNotificationEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeMarkLogonSessionForTerminationNotificationEx(x, x)
		public _SeMarkLogonSessionForTerminationNotificationEx@8
_SeMarkLogonSessionForTerminationNotificationEx@8 proc near
					; CODE XREF: SeMarkLogonSessionForTerminationNotification(x)+Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_SepLogonSessions
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		imul	ecx, [edi], 5B250A24h
		shr	ecx, 1Ch
		lea	esi, [eax+ecx*4]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		and	ecx, 3
		imul	eax, ecx, 38h
		push	1
		lea	ebx, _SepRmDbLock[eax]
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	esi, [esi]
		test	esi, esi
		jz	short loc_86E2D3
		mov	ecx, [ebp+arg_4]

loc_86E2B3:				; CODE XREF: SeMarkLogonSessionForTerminationNotificationEx(x,x)+57j
		cmp	[esi+58h], ecx
		jnz	short loc_86E2FD

loc_86E2B8:				; CODE XREF: SeMarkLogonSessionForTerminationNotificationEx(x,x)+95j
		mov	eax, [edi]
		cmp	eax, [esi+4]
		jz	short loc_86E2C7

loc_86E2BF:				; CODE XREF: SeMarkLogonSessionForTerminationNotificationEx(x,x)+61j
					; SeMarkLogonSessionForTerminationNotificationEx(x,x)+93j
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_86E2B3
		jmp	short loc_86E2D3
; 

loc_86E2C7:				; CODE XREF: SeMarkLogonSessionForTerminationNotificationEx(x,x)+51j
		mov	eax, [edi+4]
		cmp	eax, [esi+8]
		jnz	short loc_86E2BF
		or	dword ptr [esi+18h], 1

loc_86E2D3:				; CODE XREF: SeMarkLogonSessionForTerminationNotificationEx(x,x)+42j
					; SeMarkLogonSessionForTerminationNotificationEx(x,x)+59j
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		neg	esi
		pop	edi
		sbb	esi, esi
		and	esi, 3FFFFDDBh
		lea	eax, [esi-3FFFFDDBh]
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_86E2FD:				; CODE XREF: SeMarkLogonSessionForTerminationNotificationEx(x,x)+4Aj
		test	ecx, ecx
		jnz	short loc_86E2BF
		jmp	short loc_86E2B8
_SeMarkLogonSessionForTerminationNotificationEx@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


PsChangeQuantumTable proc near		; CODE XREF: PAGE:007B3701p
					; PspInitPhase0+1DBp

; FUNCTION CHUNK AT 0090BCEA SIZE 00000019 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	bl, cl
		mov	eax, edi
		push	2
		and	eax, 3
		pop	edx
		cmp	eax, edx
		jb	loc_90BCEA

loc_86E31D:				; CODE XREF: PsChangeQuantumTable+9D9E8j
		mov	eax, edi
		mov	ds:_PsPrioritySeparation, edx
		and	eax, 0Ch
		cmp	eax, 4
		jz	short loc_86E343
		cmp	eax, 8
		jz	loc_90BCF1
		call	_MmIsThisAnNtAsSystem@0	; MmIsThisAnNtAsSystem()
		test	al, al
		jnz	loc_90BCF1

loc_86E343:				; CODE XREF: PsChangeQuantumTable+27j
		mov	esi, offset _PspVariableQuantums

loc_86E348:				; CODE XREF: PsChangeQuantumTable+9D9F2j
		and	edi, 30h
		cmp	edi, 10h
		jz	loc_90BCFB
		cmp	edi, 20h
		jz	short loc_86E366
		call	_MmIsThisAnNtAsSystem@0	; MmIsThisAnNtAsSystem()
		test	al, al
		jnz	loc_90BCFB

loc_86E366:				; CODE XREF: PsChangeQuantumTable+53j
					; PsChangeQuantumTable+9D9FAj
		mov	ax, [esi]
		cmp	esi, (offset loc_A40556+1)
		mov	ds:_PspForegroundQuantum, ax
		mov	al, [esi+2]
		setz	ds:_PspUseJobSchedulingClasses
		mov	ds:byte_A94526,	al
		test	bl, bl
		jz	short loc_86E406
		mov	edi, large fs:124h
		dec	word ptr [edi+13Eh]
		nop
		mov	esi, offset _PspActiveProcessLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	ebx, _PsActiveProcessHead
		cmp	ebx, offset _PsActiveProcessHead
		jz	short loc_86E3DE

loc_86E3B3:				; CODE XREF: PsChangeQuantumTable+D3j
		lea	esi, [ebx-0E8h]
		mov	dl, [esi+2A2h]
		mov	ecx, esi
		call	PspComputeQuantum
		mov	dl, al
		mov	ecx, esi
		call	_KeSetQuantumProcess@8 ; KeSetQuantumProcess(x,x)
		mov	ebx, [ebx]
		cmp	ebx, offset _PsActiveProcessHead
		jnz	short loc_86E3B3
		mov	esi, offset _PspActiveProcessLock

loc_86E3DE:				; CODE XREF: PsChangeQuantumTable+ADj
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jnz	short loc_86E3FD

loc_86E3EC:				; CODE XREF: PsChangeQuantumTable+100j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
; 

loc_86E3FD:				; CODE XREF: PsChangeQuantumTable+E6j
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_86E3EC
; 

loc_86E406:				; CODE XREF: PsChangeQuantumTable+82j
		pop	edi
		pop	esi
		pop	ebx
		retn
PsChangeQuantumTable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopTransitionTelemetryOsState proc near	; CODE XREF: PopNotifyTelemetryOsState:loc_85B62Dp
					; PopDiagTraceControlCallback+E5071p ...

var_238		= dword	ptr -238h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_218		= dword	ptr -218h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090BD03 SIZE 000002DC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 23Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_238]
		mov	esi, ecx
		mov	ebx, edx
		push	8
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_218]
		stosd
		stosd
		stosd
		stosd
		xor	edi, edi
		cmp	dword_6B23F8, edi
		jbe	loc_86EA01
		push	8000h
		push	edi
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_86EA01
		cmp	byte_6C1F64, 0
		jz	loc_86EA01
		push	2
		mov	eax, esi
		pop	ecx
		sub	eax, ecx
		jz	loc_90BF01
		sub	eax, 1
		jz	loc_86EA12
		sub	eax, 1
		jnz	short loc_86E4CB
		mov	eax, ebx
		sub	eax, 3
		jnz	loc_90BD03
		mov	eax, dword_6B2B08
		cmp	eax, ds:0FFDF037Ch
		jnb	short loc_86E4CB
		cmp	dword_6B2B04, edi
		jnz	short loc_86E4C1
		mov	ecx, off_6B2B00
		lea	edx, [ebp+var_18C]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B2B04, eax

loc_86E4C1:				; CODE XREF: PopTransitionTelemetryOsState+9Fj
		push	offset off_6B2B00

loc_86E4C6:				; CODE XREF: PopTransitionTelemetryOsState+647j
					; PopTransitionTelemetryOsState+9D948j	...
		call	_EtwTelemetryCoverageReport@4 ;	EtwTelemetryCoverageReport(x)

loc_86E4CB:				; CODE XREF: PopTransitionTelemetryOsState+7Fj
					; PopTransitionTelemetryOsState+97j ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopTelemetryOsState
		call	ExAcquirePushLockExclusiveEx
		mov	edx, large fs:124h
		mov	edi, dword_6C1F60
		mov	dword_6C1F24, edx
		cmp	esi, 5
		jz	loc_90BF77

loc_86E501:				; CODE XREF: PopTransitionTelemetryOsState+9DB75j
					; PopTransitionTelemetryOsState+9DB7Ej	...
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		sub	eax, dword_6C1F40
		push	0
		sbb	edx, dword_6C1F44
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	edi, eax
		mov	[ebp+var_184], edx
		mov	[ebp+var_17C], edi
		call	KeQueryInterruptTime
		sub	eax, dword_6C1F38
		push	0
		sbb	edx, dword_6C1F3C
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, edx
		mov	[ebp+var_174], eax
		sub	eax, dword_6C1F48
		mov	[ebp+var_178], ecx
		mov	ecx, edi
		sbb	edx, dword_6C1F4C
		sub	ecx, dword_6C1F50
		mov	edi, [ebp+var_184]
		sbb	edi, dword_6C1F54
		mov	[ebp+var_188], eax
		mov	[ebp+var_18C], edx
		mov	[ebp+var_16C], ecx
		mov	[ebp+var_170], edi
		cmp	edi, edx
		jb	short loc_86E5A7
		ja	loc_90BFB8
		cmp	ecx, eax
		ja	loc_90BFB8

loc_86E5A7:				; CODE XREF: PopTransitionTelemetryOsState+18Dj
					; PopTransitionTelemetryOsState+9DBBAj
		mov	eax, dword_6C1F58
		inc	eax
		mov	[ebp+var_198], eax
		mov	dword_6C1F58, eax
		mov	eax, dword_6C1F28
		mov	[ebp+var_190], eax
		mov	eax, dword_6C1F2C
		mov	[ebp+var_194], eax
		mov	eax, [ebp+var_174]
		mov	dword_6C1F48, eax
		mov	eax, [ebp+var_178]
		mov	dword_6C1F4C, eax
		mov	eax, [ebp+var_17C]
		mov	dword_6C1F50, eax
		mov	eax, [ebp+var_184]
		mov	dword_6C1F54, eax
		cmp	esi, 5
		jz	short loc_86E611
		inc	dword_6C1F5C
		mov	dword_6C1F28, esi
		mov	dword_6C1F2C, ebx

loc_86E611:				; CODE XREF: PopTransitionTelemetryOsState+1F3j
		cmp	esi, 1
		jz	short loc_86E61B
		cmp	esi, 4
		jnz	short loc_86E621

loc_86E61B:				; CODE XREF: PopTransitionTelemetryOsState+20Aj
		inc	dword_6C1F60

loc_86E621:				; CODE XREF: PopTransitionTelemetryOsState+20Fj
		cmp	dword_6C1F24, 0
		mov	eax, dword_6C1F5C
		mov	edi, dword_6C1F60
		mov	[ebp+var_19C], eax
		jz	short loc_86E642
		and	dword_6C1F24, 0

loc_86E642:				; CODE XREF: PopTransitionTelemetryOsState+22Fj
		xor	edx, edx
		mov	ecx, offset _PopTelemetryOsState
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		lea	ecx, [ebp+var_238]
		call	_PopCurrentPowerState@4	; PopCurrentPowerState(x)
		and	[ebp+var_180], 0
		mov	ecx, [ebp+var_230]
		test	ecx, ecx
		jnz	loc_90BFC9

loc_86E673:				; CODE XREF: PopTransitionTelemetryOsState+9DBD0j
		mov	edx, offset _OsStateChangeEnergyCounter
		lea	ecx, [ebp+var_218]
		call	PopMeasureEnergyChange
		cmp	dword_6B23F8, 5
		mov	eax, dword_6C1F34
		mov	[ebp+var_1DC], eax
		mov	eax, dword_6C1F30
		mov	[ebp+var_1E0], eax
		jbe	loc_86EA01
		push	8000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_86EA01
		movzx	eax, si
		xor	ecx, ecx
		mov	[ebp+var_1A0], eax
		lea	eax, [ebp+var_1A0]
		mov	[ebp+var_148], eax
		movzx	eax, bx
		mov	[ebp+var_1A4], eax
		lea	eax, [ebp+var_1A4]
		mov	[ebp+var_138], eax
		mov	eax, [ebp+var_188]
		mov	[ebp+var_1D8], eax
		mov	eax, [ebp+var_18C]
		mov	[ebp+var_1D4], eax
		lea	eax, [ebp+var_1D8]
		mov	[ebp+var_128], eax
		push	2
		pop	edx
		push	8
		pop	esi
		mov	[ebp+var_144], ecx
		mov	[ebp+var_140], edx
		mov	[ebp+var_13C], ecx
		mov	[ebp+var_134], ecx
		mov	[ebp+var_130], edx
		mov	[ebp+var_12C], ecx
		mov	[ebp+var_124], ecx
		mov	[ebp+var_120], esi
		mov	[ebp+var_11C], ecx
		mov	eax, ds:0FFDF02C4h
		mov	[ebp+var_1A8], eax
		lea	eax, [ebp+var_1A8]
		mov	[ebp+var_118], eax
		lea	eax, [ebp+var_1E0]
		mov	[ebp+var_108], eax
		mov	eax, [ebp+var_16C]
		mov	[ebp+var_1E8], eax
		mov	eax, [ebp+var_170]
		mov	[ebp+var_1E4], eax
		lea	eax, [ebp+var_1E8]
		mov	[ebp+var_F8], eax
		mov	eax, [ebp+var_174]
		mov	[ebp+var_1F0], eax
		mov	eax, [ebp+var_178]
		mov	[ebp+var_1EC], eax
		lea	eax, [ebp+var_1F0]
		mov	[ebp+var_E8], eax
		mov	eax, [ebp+var_17C]
		mov	[ebp+var_1F8], eax
		mov	eax, [ebp+var_184]
		mov	[ebp+var_1F4], eax
		lea	eax, [ebp+var_1F8]
		mov	[ebp+var_D8], eax
		mov	eax, [ebp+var_190]
		movzx	eax, ax
		mov	[ebp+var_1AC], eax
		lea	eax, [ebp+var_1AC]
		mov	[ebp+var_C8], eax
		mov	eax, [ebp+var_194]
		push	4
		movzx	eax, ax
		pop	ebx
		mov	[ebp+var_1B0], eax
		lea	eax, [ebp+var_1B0]
		mov	[ebp+var_114], ecx
		mov	[ebp+var_110], ebx
		mov	[ebp+var_10C], ecx
		mov	[ebp+var_104], ecx
		mov	[ebp+var_100], esi
		mov	[ebp+var_FC], ecx
		mov	[ebp+var_F4], ecx
		mov	[ebp+var_F0], esi
		mov	[ebp+var_EC], ecx
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_E0], esi
		mov	[ebp+var_DC], ecx
		mov	[ebp+var_D4], ecx
		mov	[ebp+var_D0], esi
		mov	[ebp+var_CC], ecx
		mov	[ebp+var_C4], ecx
		mov	[ebp+var_C0], edx
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+var_198]
		mov	[ebp+var_1B4], eax
		lea	eax, [ebp+var_1B4]
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+var_19C]
		mov	[ebp+var_1B8], eax
		lea	eax, [ebp+var_1B8]
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_1BC]
		mov	[ebp+var_88], eax
		mov	eax, [ebp+var_230]
		mov	[ebp+var_1C0], eax
		lea	eax, [ebp+var_1C0]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+var_180]
		mov	[ebp+var_1C4], eax
		lea	eax, [ebp+var_1C4]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+var_210]
		mov	[ebp+var_200], eax
		mov	eax, [ebp+var_20C]
		mov	[ebp+var_1FC], eax
		lea	eax, [ebp+var_200]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+var_218]
		mov	[ebp+var_1C8], eax
		lea	eax, [ebp+var_1C8]
		mov	[ebp+var_48], eax
		movzx	eax, byte ptr [ebp+var_238]
		mov	[ebp+var_1CC], eax
		lea	eax, [ebp+var_1CC]
		mov	[ebp+var_38], eax
		movzx	eax, byte ptr [ebp+var_238+3]
		mov	[ebp+var_1D0], eax
		lea	eax, [ebp+var_1D0]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_208]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_168]
		push	eax
		push	16h
		push	ecx
		push	ecx
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_B0], edx
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_94], ecx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_1BC], edi
		mov	[ebp+var_84], ecx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_208], 1000000h
		mov	[ebp+var_204], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], ecx
		push	offset loc_41E6C9
		push	offset dword_6B23F8
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_86EA01:				; CODE XREF: PopTransitionTelemetryOsState+3Bj
					; PopTransitionTelemetryOsState+53j ...
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_86EA12:				; CODE XREF: PopTransitionTelemetryOsState+76j
		mov	eax, ebx
		sub	eax, 3
		jnz	loc_90BE02
		mov	eax, dword_6B2AF8
		cmp	eax, ds:0FFDF037Ch
		jnb	loc_86E4CB
		cmp	dword_6B2AF4, edi
		jnz	short loc_86EA4C
		mov	ecx, off_6B2AF0
		lea	edx, [ebp+var_174]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B2AF4, eax

loc_86EA4C:				; CODE XREF: PopTransitionTelemetryOsState+62Aj
		push	offset off_6B2AF0
		jmp	loc_86E4C6
PopTransitionTelemetryOsState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopMeasureEnergyChange proc near	; CODE XREF: PopCalculateCsSummary(x,x)+11Ap
					; PopTransitionTelemetryOsState+274p

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090BFDF SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	esi, ecx
		stosd
		lea	ecx, [ebp+var_10]
		mov	ebx, edx
		stosd
		stosd
		stosd
		call	_PopGetEnergyCounter@4 ; PopGetEnergyCounter(x)
		mov	eax, [ebx+8]
		or	eax, [ebx+0Ch]
		jnz	loc_90BFDF
		mov	dword ptr [esi], 1
		mov	ecx, eax

loc_86EA8A:				; CODE XREF: PopMeasureEnergyChange+9D59Cj
		mov	[esi+8], eax
		mov	edi, ebx
		mov	[esi+0Ch], ecx
		lea	esi, [ebp+var_10]
		movsd
		movsd
		movsd
		movsd
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopMeasureEnergyChange endp


;  S U B	R O U T	I N E 


; __stdcall PopGetEnergyCounter(x)
_PopGetEnergyCounter@4 proc near	; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+28Bp
					; PopMeasureEnergyChange+1Bp ...
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, ecx
		nop
		mov	ebx, offset dword_6C266C
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	esi, offset dword_6C2698
		movsd
		movsd
		movsd
		movsd
		cmp	dword_6C2670, 0
		jnz	short loc_86EAE2

loc_86EAD1:				; CODE XREF: PopGetEnergyCounter(x)+4Bj
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
; 

loc_86EAE2:				; CODE XREF: PopGetEnergyCounter(x)+31j
		and	dword_6C2670, 0
		jmp	short loc_86EAD1
_PopGetEnergyCounter@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwBusRelationsCompareInstancePath(x, x, x)
_PiSwBusRelationsCompareInstancePath@12	proc near ; DATA XREF: PiSwInit()+2Ao

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		mov	ecx, eax
		xor	eax, eax
		test	ecx, ecx
		js	short loc_86EB0A
		setle	al
		inc	eax

loc_86EB0A:				; CODE XREF: PiSwBusRelationsCompareInstancePath(x,x,x)+18j
		pop	ebp
		retn	0Ch
_PiSwBusRelationsCompareInstancePath@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpGetTraceGuidInfo(void *,int)
_EtwpGetTraceGuidInfo@16 proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+4F3p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	eax, ecx
		xor	ebx, ebx
		mov	[ebp+var_2C], edx
		push	edi
		mov	[ebp+var_34], eax
		mov	esi, [esi]
		mov	[ebp+var_8], 8
		mov	[ebp+var_10], esi
		mov	[ebp+var_28], ebx
		cmp	eax, ds:_EtwpHostSiloState
		jnz	short loc_86EB44
		mov	edi, 7FFE0380h
		jmp	short loc_86EB53
; 

loc_86EB44:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+2Dj
		mov	eax, [eax+4]
		mov	edi, [eax+28Ch]
		add	edi, 226h

loc_86EB53:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+34j
		mov	ecx, ebx
		mov	[ebp+var_30], ebx

loc_86EB58:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+76j
		mov	eax, ds:_EtwpUmglProviders[ecx*8]
		mov	edx, ebx
		mov	[ebp+var_38], eax

loc_86EB64:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+6Dj
		mov	esi, [ebp+var_2C]
		mov	eax, [eax+edx*4]
		cmp	eax, [esi+edx*4]
		mov	esi, [ebp+var_10]
		jnz	short loc_86EB7D
		inc	edx
		cmp	edx, 4
		jz	short loc_86EBA9
		mov	eax, [ebp+var_38]
		jmp	short loc_86EB64
; 

loc_86EB7D:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+62j
		inc	ecx
		mov	[ebp+var_30], ecx
		cmp	ecx, 0Ah
		jb	short loc_86EB58
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_34]
		push	ebx
		call	_EtwpFindGuidEntryByGuid@12 ; EtwpFindGuidEntryByGuid(x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], esi
		test	esi, esi
		jnz	loc_86EC28
		mov	eax, 0C0000295h
		jmp	loc_86F049
; 

loc_86EBA9:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+68j
		push	esi		; size_t
		mov	esi, [ebp+arg_0]
		push	ebx		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_30]
		add	esp, 0Ch
		movzx	edx, ds:byte_A41114[eax*8]
		xor	eax, eax
		push	18h
		inc	eax
		mov	[ebp+arg_0], edx
		pop	ecx
		cmp	[edi+edx*2], bl
		mov	edx, [ebp+var_10]
		jz	short loc_86EBFF
		push	38h
		pop	ecx
		cmp	edx, ecx
		jb	short loc_86EC06
		mov	edx, [ebp+arg_0]
		mov	[esi+0Ch], eax
		mov	[esi+18h], eax
		movzx	eax, byte ptr [edi+edx*2]
		mov	[esi+1Eh], ax
		movzx	eax, byte ptr [edi+edx*2+1]
		cdq
		mov	[esi+28h], eax
		xor	eax, eax
		mov	[esi+2Ch], edx
		inc	eax
		mov	edx, [ebp+var_10]
		jmp	short loc_86EC06
; 

loc_86EBFF:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+C3j
		cmp	edx, ecx
		jb	short loc_86EC19
		mov	[esi+0Ch], ebx

loc_86EC06:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+CAj
					; EtwpGetTraceGuidInfo(x,x,x,x)+EFj
		mov	edi, ecx
		cmp	edi, edx
		ja	short loc_86EC19
		mov	[esi], eax
		mov	[esi+14h], eax
		mov	[esi+10h], ebx
		mov	[esi+8], ebx
		jmp	short loc_86EC1E
; 

loc_86EC19:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+F3j
					; EtwpGetTraceGuidInfo(x,x,x,x)+FCj
		mov	ebx, 0C0000023h

loc_86EC1E:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+109j
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		jmp	loc_86F047
; 

loc_86EC28:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+8Bj
		mov	eax, [ebp+arg_4]
		mov	edi, [ebp+arg_0]
		push	dword ptr [eax]	; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+170h], eax
		lea	eax, [esi+24h]
		mov	ecx, [eax]
		mov	esi, [ebp+var_8]
		mov	[ebp+var_38], eax
		mov	[ebp+var_20], ecx
		cmp	ecx, eax
		jz	loc_86EEAE

loc_86EC77:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+36Cj
		lea	eax, [esi+edi]
		mov	[ebp+var_1], bl
		mov	[ebp+var_34], eax
		mov	ecx, esi
		lea	eax, [ebp+var_8]
		mov	[ebp+var_44], esi
		push	eax
		push	10h
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_86EE86
		mov	esi, [ebp+var_8]
		mov	edx, [ebp+var_20]
		inc	[ebp+var_28]
		mov	[ebp+var_18], esi
		lea	eax, [esi+edi]
		mov	[ebp+var_24], ebx
		mov	[ebp+var_14], eax
		lea	eax, [edx+32h]
		test	byte ptr [eax],	8
		mov	[ebp+var_40], edx
		mov	[ebp+var_30], eax
		jz	loc_86ED66
		mov	eax, [ebp+var_C]
		mov	[ebp+var_1], 1
		test	byte ptr [eax+3Bh], 1
		jz	loc_86EE4B
		lea	eax, [ebp+var_8]
		mov	[ebp+var_24], 1
		push	eax
		push	20h
		pop	edx
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_86EE86
		mov	esi, [ebp+var_8]
		mov	edx, [ebp+var_10]
		mov	[ebp+var_18], esi
		cmp	esi, edx
		ja	short loc_86ED29
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_14]
		mov	edi, [ebp+var_14]
		mov	dword ptr [eax], 1
		mov	al, [ecx+3Ah]
		mov	[edi+4], al
		mov	eax, [ecx+30h]
		mov	[edi+10h], eax
		mov	eax, [ecx+34h]
		mov	[edi+14h], eax
		mov	ax, [ecx+38h]
		mov	ecx, edi
		mov	edi, [ebp+arg_0]
		mov	[ecx+6], ax

loc_86ED29:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+1EBj
					; EtwpGetTraceGuidInfo(x,x,x,x)+340j
		mov	eax, [ebp+var_30]

loc_86ED2C:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+34Dj
		mov	ecx, [ebp+var_20]
		mov	ecx, [ecx]
		mov	[ebp+var_20], ecx
		cmp	esi, edx
		ja	loc_86EE77
		cmp	[ebp+var_1], 1
		mov	edx, [ebp+var_34]
		jnz	short loc_86ED4C
		mov	dword ptr [edx+0Ch], 1

loc_86ED4C:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+235j
		test	byte ptr [eax],	2
		jz	loc_86EE60
		mov	eax, [ebp+var_40]
		mov	eax, [eax+28h]
		mov	eax, [eax+0E4h]
		jmp	loc_86EE62
; 

loc_86ED66:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+1ACj
		cmp	[edx+34h], bl
		jnz	short loc_86ED74
		cmp	[edx+35h], bl
		jz	loc_86EE58

loc_86ED74:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+25Bj
		push	60h
		pop	ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_1C], ecx

loc_86ED7D:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+334j
		mov	eax, [ebp+var_C]
		add	eax, ecx
		mov	[ebp+var_3C], eax
		cmp	[eax], ebx
		jz	loc_86EE53
		mov	cl, byte ptr [ebp+var_2C]
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	[edx+34h], al
		jz	short loc_86EDD5
		inc	[ebp+var_24]
		lea	eax, [ebp+var_8]
		push	eax
		push	20h
		pop	edx
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_86EE86
		mov	esi, [ebp+var_8]
		mov	edi, [ebp+var_10]
		mov	edx, [ebp+var_20]
		mov	[ebp+var_18], esi
		cmp	esi, edi
		ja	short loc_86EDD8
		mov	edi, [ebp+var_14]
		mov	esi, [ebp+var_3C]
		add	[ebp+var_14], 20h
		push	8
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_18]

loc_86EDD5:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+28Aj
		mov	edi, [ebp+var_10]

loc_86EDD8:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+2B3j
		mov	ecx, [ebp+var_1C]

loc_86EDDB:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+348j
		mov	eax, [edx+14h]
		test	eax, eax
		jz	short loc_86EE33
		add	eax, ecx
		mov	[ebp+var_3C], eax
		cmp	[eax], ebx
		jz	short loc_86EE33
		mov	cl, byte ptr [ebp+var_2C]
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	[edx+35h], al
		jz	short loc_86EE30
		inc	[ebp+var_24]
		lea	eax, [ebp+var_8]
		push	eax
		push	20h
		pop	edx
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_86EE86
		mov	esi, [ebp+var_8]
		mov	edx, [ebp+var_20]
		mov	[ebp+var_18], esi
		cmp	esi, edi
		ja	short loc_86EE30
		mov	eax, [ebp+var_14]
		mov	edi, eax
		mov	esi, [ebp+var_3C]
		add	eax, 20h
		push	8
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_18]
		mov	[ebp+var_14], eax

loc_86EE30:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+2E8j
					; EtwpGetTraceGuidInfo(x,x,x,x)+30Aj
		mov	ecx, [ebp+var_1C]

loc_86EE33:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+2D2j
					; EtwpGetTraceGuidInfo(x,x,x,x)+2DBj
		inc	[ebp+var_2C]
		add	ecx, 20h
		mov	[ebp+var_1C], ecx
		cmp	ecx, 160h
		jb	loc_86ED7D
		mov	edi, [ebp+arg_0]

loc_86EE4B:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+1BDj
		mov	edx, [ebp+var_10]
		jmp	loc_86ED29
; 

loc_86EE53:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+279j
		mov	edi, [ebp+var_10]
		jmp	short loc_86EDDB
; 

loc_86EE58:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+260j
		mov	edx, [ebp+var_10]
		jmp	loc_86ED2C
; 

loc_86EE60:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+241j
		mov	eax, ebx

loc_86EE62:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+253j
		mov	[edx+8], eax
		mov	eax, [ebp+var_24]
		mov	[edx+4], eax
		cmp	ecx, [ebp+var_38]
		jz	short loc_86EE82
		mov	eax, esi
		sub	eax, [ebp+var_44]
		mov	[edx], eax

loc_86EE77:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+228j
		cmp	ecx, [ebp+var_38]
		jnz	loc_86EC77
		jmp	short loc_86EEB1
; 

loc_86EE82:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+360j
		mov	[edx], ebx
		jmp	short loc_86EEB1
; 

loc_86EE86:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+185j
					; EtwpGetTraceGuidInfo(x,x,x,x)+1DAj ...
		mov	eax, [ebp+var_C]
		xor	edx, edx
		lea	ecx, [eax+16Ch]
		mov	[eax+170h], ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_86EEA1:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+3DEj
					; EtwpGetTraceGuidInfo(x,x,x,x)+416j ...
		mov	esi, [ebp+var_8]
		mov	ebx, 80000005h
		jmp	loc_86F020
; 

loc_86EEAE:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+163j
		mov	[ebp+var_18], esi

loc_86EEB1:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+372j
					; EtwpGetTraceGuidInfo(x,x,x,x)+376j
		mov	eax, [ebp+var_C]
		xor	edx, edx
		lea	ecx, [eax+16Ch]
		mov	[eax+170h], ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[ebp+var_28], ebx
		jnz	loc_86F01D
		lea	eax, [ebp+var_8]
		mov	[ebp+var_28], 2
		push	eax
		push	10h
		pop	edx
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_86EEA1
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		mov	esi, [ebp+var_C]
		add	esi, 60h
		mov	[ebp+var_30], ecx
		mov	[ebp+var_24], esi
		lea	eax, [ecx+edi]
		mov	edi, ebx
		mov	[ebp+var_38], eax
		mov	[ebp+var_2C], edi

loc_86EF0A:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+452j
		cmp	[esi], ebx
		jz	loc_86EFB6
		lea	eax, [ebp+var_8]
		inc	edx
		push	eax
		push	20h
		mov	[ebp+var_34], edx
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_86EEA1
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_10]
		mov	[ebp+var_30], ecx
		cmp	ecx, eax
		ja	short loc_86EF50
		mov	edx, [ebp+var_38]
		mov	edi, edx
		push	8
		pop	ecx
		rep movsd
		mov	ecx, [ebp+var_30]
		add	edx, 20h
		mov	esi, [ebp+var_24]
		mov	edi, [ebp+var_2C]
		mov	[ebp+var_38], edx

loc_86EF50:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+427j
		mov	edx, [ebp+var_34]

loc_86EF53:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+4ABj
		inc	edi
		add	esi, 20h
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], esi
		cmp	edi, 8
		jb	short loc_86EF0A
		mov	edi, [ebp+arg_0]
		cmp	ecx, eax
		ja	short loc_86EF82
		mov	esi, [ebp+var_18]
		mov	eax, ecx
		sub	eax, esi
		mov	[esi+edi], eax
		mov	eax, [ebp+var_28]
		mov	[esi+edi+8], ebx
		mov	[esi+edi+4], edx
		mov	[esi+edi+0Ch], eax

loc_86EF82:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+459j
		lea	eax, [ebp+var_8]
		push	eax
		push	10h
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_86EEA1
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_8]
		push	eax
		push	20h
		pop	edx
		mov	[ebp+var_44], ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, [ebp+var_8]
		test	eax, eax
		jns	short loc_86EFBB
		mov	ebx, 80000005h
		jmp	short loc_86F020
; 

loc_86EFB6:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+3FEj
		mov	eax, [ebp+var_10]
		jmp	short loc_86EF53
; 

loc_86EFBB:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+49Fj
		cmp	esi, [ebp+var_10]
		ja	short loc_86F020
		mov	ecx, [ebp+var_30]
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_44]
		mov	[ecx+edi+8], ebx
		mov	[ecx+edi+4], ebx
		mov	[ecx+edi], ebx
		mov	dword ptr [ecx+edi+0Ch], 3
		movzx	eax, byte ptr [eax+3Bh]
		and	eax, 1
		mov	[edx+edi], eax
		mov	eax, [ebp+var_C]
		test	byte ptr [eax+3Bh], 1
		jz	short loc_86F023
		mov	dword ptr [ecx+edi+4], 1
		mov	ecx, eax
		mov	al, [ecx+3Ah]
		mov	[edx+edi+4], al
		mov	eax, [ecx+30h]
		mov	[edx+edi+10h], eax
		mov	eax, [ecx+34h]
		mov	[edx+edi+14h], eax
		mov	eax, ecx
		mov	ax, [eax+38h]
		mov	[edx+edi+6], ax
		mov	eax, ecx
		jmp	short loc_86F023
; 

loc_86F01D:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+3C1j
		mov	esi, [ebp+var_18]

loc_86F020:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+39Bj
					; EtwpGetTraceGuidInfo(x,x,x,x)+4A6j ...
		mov	eax, [ebp+var_C]

loc_86F023:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+4DFj
					; EtwpGetTraceGuidInfo(x,x,x,x)+50Dj
		mov	ecx, eax
		call	EtwpUnreferenceGuidEntry
		test	ebx, ebx
		js	short loc_86F042
		cmp	esi, [ebp+var_10]
		ja	short loc_86F03D
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_28]
		mov	[eax], ecx
		jmp	short loc_86F042
; 

loc_86F03D:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+523j
		mov	ebx, 0C0000023h

loc_86F042:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+51Ej
					; EtwpGetTraceGuidInfo(x,x,x,x)+52Dj
		mov	eax, [ebp+arg_4]
		mov	[eax], esi

loc_86F047:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+115j
		mov	eax, ebx

loc_86F049:				; CODE XREF: EtwpGetTraceGuidInfo(x,x,x,x)+96j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_EtwpGetTraceGuidInfo@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x, x, x)
_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 proc near
					; CODE XREF: IopInitializeSystemVariableService+26p
					; IoInitializeLiveDump()+22p ...

var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+14h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		lea	edi, [esp+20h+var_14]
		mov	esi, [ebx+4]
		sub	esi, 10h
		movsd
		movsd
		movsd
		movsd
		mov	[ebx+20h], edx
		mov	[ebx+24h], eax
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		lea	esi, [ebx+18h]
		push	esi		; int
		push	dword ptr [ebp+4] ; int
		mov	ecx, [eax+1F0h]	; int
		lea	edx, [esp+28h+var_14] ;	void *
		push	ebx		; int
		push	offset __tlgEnableCallback@36 ;	int
		push	3		; int
		call	EtwpRegisterProvider
		mov	edi, eax
		test	edi, edi
		jnz	short loc_86F0BF
		mov	edx, [ebx+4]
		movzx	ecx, word ptr [edx]
		push	ecx
		push	edx
		push	2
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		call	EtwSetInformation

loc_86F0BF:				; CODE XREF: TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)+59j
		mov	ecx, [esp+20h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeCheckPrivilegedObject(x, x, x, x,	x)
_SeCheckPrivilegedObject@20 proc near	; CODE XREF: PAGE:007A7224p
					; PAGE:007A83EEp ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+30h+var_4], eax
		xor	eax, eax
		and	[esp+30h+var_8], 0
		push	esi
		push	edi
		lea	edi, [esp+38h+var_28]
		mov	[esp+38h+var_2C], ecx
		stosd
		mov	esi, edx
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		mov	[esp+38h+var_18], eax
		mov	[esp+38h+var_14], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+38h+var_10], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+38h+var_C], eax
		lea	eax, [esp+38h+var_28]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		push	[ebp+arg_0]
		lea	eax, [esp+3Ch+var_28]
		push	eax
		lea	eax, [esp+40h+var_18]
		push	eax
		call	_SePrivilegeCheck@12 ; SePrivilegeCheck(x,x,x)
		cmp	byte ptr [ebp+arg_0], 0
		mov	byte ptr [esp+38h+var_30], al
		jz	short loc_86F170
		push	[ebp+arg_0]
		lea	eax, [esp+3Ch+var_18]
		push	[esp+3Ch+var_30]
		push	eax
		push	esi
		lea	eax, [esp+48h+var_28]
		push	eax
		push	[esp+4Ch+var_2C]
		call	_SePrivilegeObjectAuditAlarm@24	; SePrivilegeObjectAuditAlarm(x,x,x,x,x,x)

loc_86F170:				; CODE XREF: SeCheckPrivilegedObject(x,x,x,x,x)+7Dj
		lea	eax, [esp+38h+var_28]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [esp+38h+var_4]
		mov	al, byte ptr [esp+38h+var_30]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_SeCheckPrivilegedObject@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2484. SePrivilegeObjectAuditAlarm

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SePrivilegeObjectAuditAlarm(x, x, x, x, x, x)
		public _SePrivilegeObjectAuditAlarm@24
_SePrivilegeObjectAuditAlarm@24	proc near
					; CODE XREF: SeCheckPrivilegedObject(x,x,x,x,x)+95p
					; PspCreateObjectHandle+168781p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_14], 0
		jz	short loc_86F1C6
		push	[ebp+arg_10]
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		push	[ebp+arg_C]
		mov	ecx, offset _SeSubsystemName
		push	[ebp+arg_8]
		push	dword ptr [eax+0Ch]
		push	dword ptr [eax+8]
		push	dword ptr [eax]
		push	[ebp+arg_0]
		push	0
		call	SepAdtPrivilegeObjectAuditAlarm

loc_86F1C6:				; CODE XREF: SePrivilegeObjectAuditAlarm(x,x,x,x,x,x)+9j
		pop	ebp
		retn	18h
_SePrivilegeObjectAuditAlarm@24	endp

; 
		align 10h
; Exported entry 900. IoIsFileObjectIgnoringSharing

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoIsFileObjectIgnoringSharing(x)
		public _IoIsFileObjectIgnoringSharing@4
_IoIsFileObjectIgnoringSharing@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+7Ch]
		test	eax, eax
		jz	short loc_86F1E4
		test	byte ptr [eax],	1
		jnz	short loc_86F1EA

loc_86F1E4:				; CODE XREF: IoIsFileObjectIgnoringSharing(x)+Dj
		xor	al, al

loc_86F1E6:				; CODE XREF: IoIsFileObjectIgnoringSharing(x)+1Cj
		pop	ebp
		retn	4
; 

loc_86F1EA:				; CODE XREF: IoIsFileObjectIgnoringSharing(x)+12j
		mov	al, 1
		jmp	short loc_86F1E6
_IoIsFileObjectIgnoringSharing@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmUpdateProcessorPolicy proc near	; CODE XREF: PpmPerfReApplyStates()+19p
					; PpmRegisterPerfStates+6ACp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090BFF7 SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		mov	ebx, _PpmCurrentProfile
		imul	eax, dword_6C2D0C, 0F0h
		add	ebx, 20h
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edx
		mov	[esp+20h+var_10], edi
		add	ebx, eax
		mov	ax, [ecx]
		and	ax, word ptr _PpmAllowedActions
		mov	word ptr [esp+20h+var_10], ax
		test	esi, esi
		jnz	short loc_86F23A
		test	[esp+20h+var_10], 400h
		jnz	loc_90BFF7

loc_86F23A:				; CODE XREF: PpmUpdateProcessorPolicy+3Cj
					; PpmUpdateProcessorPolicy+9CE1Cj ...
		and	[esp+20h+var_10], 0FFFFFBFFh
		cmp	word ptr [esp+20h+var_10], di
		jnz	short loc_86F250

loc_86F249:				; CODE XREF: PpmUpdateProcessorPolicy+EBj
					; PpmUpdateProcessorPolicy+F3j	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_86F250:				; CODE XREF: PpmUpdateProcessorPolicy+59j
		imul	ecx, [ebx+14h],	2710h
		mov	eax, ds:_KeMaximumIncrement
		cmp	ecx, eax
		jbe	loc_86F2E6
		sub	ecx, eax
		mov	eax, edi
		push	edi
		push	2710h
		sbb	eax, edi
		push	eax
		push	ecx
		call	__aulldiv

loc_86F277:				; CODE XREF: PpmUpdateProcessorPolicy+FAj
		mov	_PpmPerfTimeWindow, eax
		mov	eax, _PpmPerfControlStartPolicyUpdate
		test	eax, eax
		jnz	loc_90C02C

loc_86F289:				; CODE XREF: PpmUpdateProcessorPolicy+9CE48j
		test	esi, esi
		jz	short loc_86F2EA
		mov	edi, [esi]

loc_86F28F:				; CODE XREF: PpmUpdateProcessorPolicy+107j
		and	[esp+20h+var_8], 0
		xor	eax, eax
		inc	eax
		and	[esp+20h+var_4], 0
		mov	word ptr [esp+20h+var_C], ax
		mov	word ptr [esp+20h+var_C+2], ax
		jmp	short loc_86F2B9
; 

loc_86F2A8:				; CODE XREF: PpmUpdateProcessorPolicy+CDj
		lea	eax, [esp+20h+var_C]
		push	eax
		push	eax
		lea	eax, [esi+0Ch]
		push	eax
		call	_KeOrAffinityEx@12 ; KeOrAffinityEx(x,x,x)
		mov	esi, [esi]

loc_86F2B9:				; CODE XREF: PpmUpdateProcessorPolicy+B8j
		cmp	esi, edi
		jnz	short loc_86F2A8
		push	ebx
		lea	eax, [esp+24h+var_10]
		mov	edx, offset _PpmUpdateProcessorPolicyCallback@12 ; PpmUpdateProcessorPolicyCallback(x,x,x)
		push	eax
		mov	ecx, offset _PpmPerfStatesRegistered
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		mov	eax, _PpmPerfControlCompletePolicyUpdate
		test	eax, eax
		jz	loc_86F249
		call	eax
		jmp	loc_86F249
; 

loc_86F2E6:				; CODE XREF: PpmUpdateProcessorPolicy+70j
		mov	eax, edi
		jmp	short loc_86F277
; 

loc_86F2EA:				; CODE XREF: PpmUpdateProcessorPolicy+9Dj
		mov	esi, ds:_PpmPerfDomainHead
		mov	edi, offset _PpmPerfDomainHead
		jmp	short loc_86F28F
PpmUpdateProcessorPolicy endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _tlgEnableCallback(x, x, x,	x, x, x, x, x, x)
__tlgEnableCallback@36 proc near	; DATA XREF: TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)+49o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_20]
		test	eax, eax
		jz	short loc_86F343
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		mov	esi, [ebp+arg_18]
		push	edi
		mov	edi, [ebp+arg_14]
		sub	ecx, 0
		jz	short loc_86F365
		sub	ecx, 1
		jnz	short loc_86F339
		test	dl, dl
		jz	short loc_86F35E
		movzx	ecx, dl
		inc	ecx

loc_86F328:				; CODE XREF: _tlgEnableCallback(x,x,x,x,x,x,x,x,x)+6Bj
		mov	[eax], ecx
		mov	ecx, [ebp+arg_C]
		mov	[eax+8], ecx
		mov	[eax+0Ch], ebx
		mov	[eax+10h], edi
		mov	[eax+14h], esi

loc_86F339:				; CODE XREF: _tlgEnableCallback(x,x,x,x,x,x,x,x,x)+26j
					; _tlgEnableCallback(x,x,x,x,x,x,x,x,x)+70j
		mov	ecx, [eax+20h]
		test	ecx, ecx
		jnz	short loc_86F347

loc_86F340:				; CODE XREF: _tlgEnableCallback(x,x,x,x,x,x,x,x,x)+64j
		pop	edi
		pop	esi
		pop	ebx

loc_86F343:				; CODE XREF: _tlgEnableCallback(x,x,x,x,x,x,x,x,x)+Aj
		pop	ebp
		retn	24h
; 

loc_86F347:				; CODE XREF: _tlgEnableCallback(x,x,x,x,x,x,x,x,x)+46j
		push	dword ptr [eax+24h]
		push	[ebp+arg_1C]
		push	esi
		push	edi
		push	ebx
		push	[ebp+arg_C]
		push	edx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ecx
		jmp	short loc_86F340
; 

loc_86F35E:				; CODE XREF: _tlgEnableCallback(x,x,x,x,x,x,x,x,x)+2Aj
		mov	ecx, 100h
		jmp	short loc_86F328
; 

loc_86F365:				; CODE XREF: _tlgEnableCallback(x,x,x,x,x,x,x,x,x)+21j
		and	dword ptr [eax], 0
		jmp	short loc_86F339
__tlgEnableCallback@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmcProcessListRequest proc near		; CODE XREF: SmQueryStoreInformation+A5p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 0090C03B SIZE 0000000A BYTES

		push	60h
		push	offset dword_6A4C80
		call	__SEH_prolog4_GS
		mov	ebx, edx
		mov	[ebp+var_64], ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_68], eax
		push	44h		; size_t
		push	0		; int
		lea	eax, [ebp+var_60]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+arg_0], 44h
		jnz	loc_90C03B
		and	[ebp+ms_exc.disabled], 0
		cmp	[ebp+arg_8], 0
		jz	short loc_86F3BD
		test	bl, 3
		jnz	short loc_86F41F
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	short loc_86F424

loc_86F3B3:				; CODE XREF: SmcProcessListRequest+BDj
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+40h]
		mov	[ebx+40h], al

loc_86F3BD:				; CODE XREF: SmcProcessListRequest+39j
		push	11h
		pop	ecx
		mov	esi, ebx
		lea	edi, [ebp+var_60]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	byte ptr [ebp+var_60], 1
		jnz	short loc_86F429
		test	[ebp+var_60], 0FFFFFF00h
		jnz	short loc_86F429
		lea	edx, [ebp+var_60]
		mov	ecx, [ebp+var_64]
		call	SmcGetCacheList
		test	eax, eax
		js	short loc_86F40D
		mov	[ebp+ms_exc.disabled], 1
		push	11h
		pop	ecx
		lea	esi, [ebp+var_60]
		mov	edi, ebx
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_68]
		mov	dword ptr [ecx], 44h

loc_86F40D:				; CODE XREF: SmcProcessListRequest+80j
					; SmcProcessListRequest+C4j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_86F41F:				; CODE XREF: SmcProcessListRequest+3Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_86F424:				; CODE XREF: SmcProcessListRequest+47j
		mov	byte ptr [eax],	0
		jmp	short loc_86F3B3
; 

loc_86F429:				; CODE XREF: SmcProcessListRequest+68j
					; SmcProcessListRequest+71j
		mov	eax, 0C000000Dh
		jmp	short loc_86F40D
SmcProcessListRequest endp


;  S U B	R O U T	I N E 


SmcGetCacheList	proc near		; CODE XREF: SmcProcessListRequest+79p

; FUNCTION CHUNK AT 0090C078 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, edx
		xor	edx, edx
		push	esi
		push	edi
		xor	esi, esi
		lea	edi, [ebx+4]

loc_86F43E:				; CODE XREF: SmcGetCacheList+1Ej
		cmp	dword ptr [ecx], 0
		jnz	loc_90C078

loc_86F447:				; CODE XREF: SmcGetCacheList+9CC5Bj
		inc	esi
		add	ecx, 10h
		cmp	esi, 10h
		jb	short loc_86F43E
		pop	edi
		pop	esi
		mov	[ebx+1], dl
		xor	eax, eax
		pop	ebx
		retn
SmcGetCacheList	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PnpCompareInterruptInformation(int,void *Source2,SIZE_T Length)
PnpCompareInterruptInformation proc near ; CODE	XREF: PnpGetDevicePropertyData+143p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_5C		= dword	ptr -5Ch
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
Length		= dword	ptr  8

; FUNCTION CHUNK AT 0090C090 SIZE 0000018F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ecx+0B0h]
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax+30h]
		mov	ebx, [eax+14h]
		mov	[ebp+var_80], ecx
		mov	[ebp+var_88], ebx
		test	ecx, ecx
		jz	loc_90C090
		mov	ebx, [ebp+Length]
		cmp	[ecx], ebx
		jnz	loc_90C0EB
		push	ebx		; Length
		push	edx		; Source2
		lea	eax, [ecx+4]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		mov	[ebp+var_84], eax
		cmp	eax, ebx
		jnz	loc_90C172

loc_86F4B3:				; CODE XREF: PnpCompareInterruptInformation+9CC3Dj
					; PnpCompareInterruptInformation+9CC59j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
PnpCompareInterruptInformation endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1580. NtRequestPort

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtRequestPort(x, x)
		public _NtRequestPort@8
_NtRequestPort@8 proc near		; DATA XREF: .text:00580D58o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		push	esi
		push	edi
		xor	edi, edi
		mov	al, [eax+15Ah]
		push	edi
		push	ecx
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, ds:_AlpcPortObjectType
		push	eax
		push	1
		push	[ebp+arg_0]
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_4], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_86F56A
		mov	eax, [ebp+var_4]
		mov	[ebp+var_2C], eax
		mov	eax, large fs:124h
		mov	[ebp+var_14], 10000h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_2C]
		mov	edx, [ebp+arg_4]
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_0], al
		push	[ebp+arg_0]
		push	edi
		call	@AlpcpSendMessage@16 ; AlpcpSendMessage(x,x,x,x)
		mov	ecx, large fs:124h
		mov	esi, eax
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject

loc_86F56A:				; CODE XREF: NtRequestPort(x,x)+4Fj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	8
_NtRequestPort@8 endp

; 
		align 8
; Exported entry 1031. IoUnregisterPlugPlayNotificationEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoUnregisterPlugPlayNotificationEx(x)
		public _IoUnregisterPlugPlayNotificationEx@4
_IoUnregisterPlugPlayNotificationEx@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		call	PnpUnregisterPlugPlayNotification
		pop	ecx
		pop	ebp
		retn	4
_IoUnregisterPlugPlayNotificationEx@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSessionConnectionChange(x, x, x)
_PopSessionConnectionChange@12 proc near ; CODE	XREF: NtPowerInformation+CFBp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ebx
		mov	bh, [edx]
		mov	bl, [edx+1]
		push	esi
		mov	esi, ecx
		mov	cl, 1
		call	PopAcquireAdaptiveLock
		mov	eax, offset ??_C@_09NJLBODLJ@Connected@NNGAKEGL@ ; "Connected"
		test	bh, bh
		jz	short loc_86F5EC

loc_86F5AF:				; CODE XREF: PopSessionConnectionChange(x,x,x)+63j
		mov	ecx, offset ??_C@_07PGLPGHFC@Console@NNGAKEGL@ ; "Console"
		test	bl, bl
		jnz	short loc_86F5BD
		mov	ecx, offset ??_C@_06MHHFENDB@Remote@NNGAKEGL@ ;	"Remote"

loc_86F5BD:				; CODE XREF: PopSessionConnectionChange(x,x,x)+28j
		push	eax
		push	esi
		push	ecx
		push	offset ??_C@_0CG@IDDEKBJG@PopAdaptive?3?$DO?$DO?$DO?$DO?$DO?$CFs?5session?5?$CFu?5@NNGAKEGL@ ; "PopAdaptive:>>>>>%s session %u is %s\n"
		push	3
		call	_PopPrintEx
		add	esp, 14h
		mov	ecx, esi
		test	bh, bh
		jz	short loc_86F5F3
		push	[ebp+arg_0]
		mov	dl, bl
		call	_PopSessionConnected@12	; PopSessionConnected(x,x,x)

loc_86F5DF:				; CODE XREF: PopSessionConnectionChange(x,x,x)+6Dj
		call	PopReleaseAdaptiveLock
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_86F5EC:				; CODE XREF: PopSessionConnectionChange(x,x,x)+1Fj
		mov	eax, offset ??_C@_0N@NFBNFHML@Disconnected@NNGAKEGL@ ; "Disconnected"
		jmp	short loc_86F5AF
; 

loc_86F5F3:				; CODE XREF: PopSessionConnectionChange(x,x,x)+45j
		mov	edx, [ebp+arg_0]
		call	_PopSessionDisconnected@8 ; PopSessionDisconnected(x,x)
		jmp	short loc_86F5DF
_PopSessionConnectionChange@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSessionConnected(x, x, x)
_PopSessionConnected@12	proc near	; CODE XREF: PopSessionConnectionChange(x,x,x)+4Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	bl, dl
		mov	esi, ecx
		push	edi
		movzx	eax, bl
		mov	edx, esi
		push	eax
		mov	ecx, offset _POP_ETW_ADPM_SESSION_CONNECTED
		mov	[ebp+var_4], esi
		call	_PopDiagTraceSessionState@12 ; PopDiagTraceSessionState(x,x,x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		push	0
		test	bl, bl
		jz	short loc_86F693
		mov	_PopConsoleSession, 1
		call	_PopSetSessionDisplayStatus@12 ; PopSetSessionDisplayStatus(x,x,x)
		mov	edx, 0FFDF0324h
		mov	_PopConsoleContext, esi
		mov	ecx, ds:0FFDF0004h
		mov	[ebp+var_8], ecx
		mov	edi, [edx]
		lea	ebx, [edx-4]
		mov	eax, [ebx]
		mov	[ebp+var_C], eax
		lea	eax, [edx+4]
		mov	eax, [eax]
		cmp	edi, eax
		jz	short loc_86F675
		lea	esi, [edx+4]

loc_86F661:				; CODE XREF: PopSessionConnected(x,x,x)+6Dj
		pause
		mov	edi, [edx]
		mov	eax, [ebx]
		mov	ecx, [esi]
		cmp	edi, ecx
		jnz	short loc_86F661
		mov	esi, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		jmp	short loc_86F678
; 

loc_86F675:				; CODE XREF: PopSessionConnected(x,x,x)+5Ej
		mov	eax, [ebp+var_C]

loc_86F678:				; CODE XREF: PopSessionConnected(x,x,x)+75j
		push	[ebp+arg_0]
		mul	ecx
		shl	edi, 8
		imul	edi, ecx
		mov	ecx, esi
		shrd	eax, edx, 18h
		lea	edx, [edi+eax]
		call	_PopConsoleSessionActiveInput@12 ; PopConsoleSessionActiveInput(x,x,x)
		jmp	short loc_86F6CE
; 

loc_86F693:				; CODE XREF: PopSessionConnected(x,x,x)+2Bj
		call	_PopSetSessionDisplayStatus@12 ; PopSetSessionDisplayStatus(x,x,x)
		mov	edx, 0FFDF0324h
		lea	ebx, [edx-4]
		lea	edi, [edx+4]
		jmp	short loc_86F6A7
; 

loc_86F6A5:				; CODE XREF: PopSessionConnected(x,x,x)+B1j
		pause

loc_86F6A7:				; CODE XREF: PopSessionConnected(x,x,x)+A5j
		mov	ecx, [edx]
		mov	eax, [ebx]
		mov	eax, [edi]
		cmp	ecx, eax
		jnz	short loc_86F6A5
		xor	edx, edx
		mov	ecx, esi
		call	_PopSetSessionUserStatus@8 ; PopSetSessionUserStatus(x,x)
		mov	ecx, esi
		call	_PopGetDisplayTimeout@4	; PopGetDisplayTimeout(x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx+4], eax
		mov	eax, _PopInputTimeout
		mov	[ecx], eax

loc_86F6CE:				; CODE XREF: PopSessionConnected(x,x,x)+93j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopSessionConnected@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetSessionDisplayStatus(x, x, x)
_PopSetSessionDisplayStatus@12 proc near ; CODE	XREF: PopSessionDisconnected(x,x)+47p
					; PopSetDisplayStatus(x)+2Cp ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		push	esi
		mov	edx, edi
		mov	[ebp+var_4], esi
		mov	ecx, offset _POP_ETW_ADPM_SESSION_DISPLAY_STATE
		call	_PopDiagTraceSessionState@12 ; PopDiagTraceSessionState(x,x,x)
		cmp	[ebp+arg_0], 0
		mov	eax, offset ??_C@_05BBJIGCBD@?$DO?$DO?$DO?$DO?$DO@NNGAKEGL@
		jnz	short loc_86F702
		mov	eax, offset ??_C@_00CNPNBAHC@@NNGAKEGL@

loc_86F702:				; CODE XREF: PopSetSessionDisplayStatus(x,x,x)+25j
		push	esi
		push	edi
		push	eax
		push	offset ??_C@_0CN@FOABAFD@PopAdaptive?3?5?$CFsSession?5?$CFu?5displ@NNGAKEGL@
		push	3
		call	_PopPrintEx
		add	esp, 14h
		lea	eax, [ebp+var_4]
		mov	esi, offset _GUID_SESSION_DISPLAY_STATUS
		mov	edx, edi
		mov	ecx, esi
		push	eax		; void *
		push	4		; Length
		push	0		; int
		call	PopSetPowerSettingValue
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax		; void *
		push	4		; Length
		push	1		; int
		mov	ecx, esi
		call	PopSetPowerSettingValue
		pop	edi
		pop	esi
		leave
		retn	4
_PopSetSessionDisplayStatus@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopConsoleSessionActiveInput(x, x, x)
_PopConsoleSessionActiveInput@12 proc near ; CODE XREF:	PopSessionInputChange(x,x,x)+AAp
					; PopSessionConnected(x,x,x)+8Ep ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, edx
		mov	esi, ecx
		mov	[ebp+var_C], eax
		push	edi
		xor	edx, edx
		mov	[ebp+var_8], esi
		mov	[ebp+var_14], eax
		call	_PopSetSessionUserStatus@8 ; PopSetSessionUserStatus(x,x)
		mov	ecx, esi
		call	_PopGetDisplayTimeout@4	; PopGetDisplayTimeout(x)
		mov	edi, [ebp+arg_0]
		lea	edx, [ebp+var_10]
		mov	ecx, _PopInputTimeout
		mov	esi, ecx
		mov	[ebp+var_10], eax
		test	esi, esi
		mov	[ebp+var_18], esi
		mov	[edi+4], eax
		lea	eax, [ebp+var_18]
		mov	[edi], ecx
		setnz	byte_6BFBC4
		mov	ecx, [ebp+var_8]
		push	eax
		mov	dword_6BFBB8, ebx
		call	_PopUpdateTimeouts@12 ;	PopUpdateTimeouts(x,x,x)
		mov	eax, [ebp+var_10]
		mov	[edi], esi
		mov	[edi+4], eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopConsoleSessionActiveInput@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopGetDisplayTimeout(x)
_PopGetDisplayTimeout@4	proc near	; CODE XREF: PopSessionInputChange(x,x,x)+BBp
					; PopSessionConnected(x,x,x)+BEp ...
		mov	edi, edi
		push	ecx
		cmp	_PopConsoleContext, ecx
		jnz	short loc_86F7CE
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_86F7CE
		call	PopGetLockConsoleTimeout
		test	eax, eax
		jnz	short loc_86F7CC
		mov	eax, _PopDisplayTimeout

loc_86F7CC:				; CODE XREF: PopGetDisplayTimeout(x)+17j
		pop	ecx
		retn
; 

loc_86F7CE:				; CODE XREF: PopGetDisplayTimeout(x)+9j
					; PopGetDisplayTimeout(x)+Ej
		xor	eax, eax
		pop	ecx
		retn
_PopGetDisplayTimeout@4	endp

; 
		align 8
; Exported entry 2379. RtlUnicodeStringToOemString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlUnicodeStringToOemString
RtlUnicodeStringToOemString proc near	; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+4C5p
					; ExpSystemErrorHandler(x,x,x,x,x)+5DCp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 0090C21F SIZE 00000014 BYTES

		push	10h
		push	offset dword_6A4CA8
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	edi, [ebp+arg_4]
		push	edi
		call	_RtlxUnicodeStringToOemSize@4 ;	RtlxUnicodeStringToOemSize(x)
		cmp	eax, 0FFFFh
		ja	loc_90C21F
		movzx	edx, ax
		lea	ecx, [edx-1]
		mov	esi, [ebp+arg_0]
		mov	[esi], cx
		cmp	[ebp+arg_8], bl
		jnz	short loc_86F87A
		cmp	cx, [esi+2]
		jnb	loc_90C229

loc_86F818:				; CODE XREF: RtlUnicodeStringToOemString+B1j
		mov	[ebp+var_1C], ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	[ebp+arg_4], 1
		movzx	eax, word ptr [edi]
		push	eax
		push	dword ptr [edi+4]
		lea	eax, [ebp+var_20]
		push	eax
		movzx	eax, word ptr [esi]
		push	eax
		push	dword ptr [esi+4]
		call	RtlUnicodeToOemN
		mov	edi, eax
		mov	[ebp+var_1C], edi
		test	edi, edi
		js	short loc_86F853
		mov	ecx, [esi+4]
		mov	eax, [ebp+var_20]
		mov	[eax+ecx], bl
		mov	edi, ebx
		mov	[ebp+var_1C], edi

loc_86F853:				; CODE XREF: RtlUnicodeStringToOemString+6Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+arg_4], 0
		call	sub_86F892
		mov	eax, edi

loc_86F868:				; CODE XREF: RtlUnicodeStringToOemString+B8j
					; RtlUnicodeStringToOemString+9CA4Cj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_86F87A:				; CODE XREF: RtlUnicodeStringToOemString+34j
		mov	[esi+2], dx
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[esi+4], eax
		test	eax, eax
		jnz	short loc_86F818
		mov	eax, 0C0000017h
		jmp	short loc_86F868
RtlUnicodeStringToOemString endp


;  S U B	R O U T	I N E 


sub_86F892	proc near		; CODE XREF: RtlUnicodeStringToOemString+89p
					; sub_90C233+8j

; FUNCTION CHUNK AT 0090C240 SIZE 00000016 BYTES

		cmp	[ebp+0Ch], ebx
		jnz	loc_90C240
		test	edi, edi
		js	loc_90C240

locret_86F8A3:				; CODE XREF: sub_86F892+9C9B2j
		retn
sub_86F892	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1048. IoWMIHandleToInstanceName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoWMIHandleToInstanceName(x, x, x)
		public _IoWMIHandleToInstanceName@12
_IoWMIHandleToInstanceName@12 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		xor	dl, dl
		push	esi
		push	eax
		call	_WmipGetFilePDO@12 ; WmipGetFilePDO(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_86F8ED
		push	[ebp+arg_8]
		push	[ebp+var_4]
		push	[ebp+arg_0]
		call	_IoWMIDeviceObjectToInstanceName@12 ; IoWMIDeviceObjectToInstanceName(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_86F8DF
		xor	esi, esi

loc_86F8DF:				; CODE XREF: IoWMIHandleToInstanceName(x,x,x)+31j
		cmp	[ebp+var_4], 0
		jz	short loc_86F8ED
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject

loc_86F8ED:				; CODE XREF: IoWMIHandleToInstanceName(x,x,x)+1Dj
					; IoWMIHandleToInstanceName(x,x,x)+39j
		mov	eax, esi
		pop	esi
		leave
		retn	0Ch
_IoWMIHandleToInstanceName@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1046. IoWMIDeviceObjectToInstanceName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoWMIDeviceObjectToInstanceName(x, x, x)
		public _IoWMIDeviceObjectToInstanceName@12
_IoWMIDeviceObjectToInstanceName@12 proc near
					; CODE XREF: IoWMIHandleToInstanceName(x,x,x)+28p

var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_4]
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], ebx
		mov	dword ptr [ebp+var_8], ebx
		call	_IoGetDeviceAttachmentBaseRef@4	; IoGetDeviceAttachmentBaseRef(x)
		mov	ecx, [ebp+arg_0]
		mov	edi, eax
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	WmipGetGuidObjectInstanceInfo
		mov	esi, eax
		test	esi, esi
		js	short loc_86F99C
		mov	esi, [ebp+arg_8]
		mov	eax, [ebp+var_C]
		add	eax, 20h
		push	49696D57h
		mov	[esi+2], ax
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esi+4], ecx
		test	ecx, ecx
		jz	short loc_86F9AC
		push	[ebp+var_4]
		movzx	eax, word ptr [esi+2]
		push	dword ptr [ebp+var_8] ;	char
		push	offset ??_C@_1O@EFAMNDNG@?$AA?$CF?$AAw?$AAs?$AA_?$AA?$CF?$AAd@NNGAKEGL@	; wchar_t *
		push	eax		; int
		push	ecx		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	ecx, [esi+4]
		add	esp, 14h
		lea	edx, [ecx+2]

loc_86F977:				; CODE XREF: IoWMIDeviceObjectToInstanceName(x,x,x)+86j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_86F977
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ecx+ecx]
		mov	[esi], ax
		mov	esi, ebx

loc_86F98E:				; CODE XREF: IoWMIDeviceObjectToInstanceName(x,x,x)+B7j
		cmp	dword ptr [ebp+var_8], ebx
		jz	short loc_86F99C
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_86F99C:				; CODE XREF: IoWMIDeviceObjectToInstanceName(x,x,x)+36j
					; IoWMIDeviceObjectToInstanceName(x,x,x)+97j
		mov	ecx, edi
		call	ObfDereferenceObject
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_86F9AC:				; CODE XREF: IoWMIDeviceObjectToInstanceName(x,x,x)+5Cj
		mov	esi, 0C000009Ah
		jmp	short loc_86F98E
_IoWMIDeviceObjectToInstanceName@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipGetGuidObjectInstanceInfo proc near	; CODE XREF: IoWMIDeviceObjectToInstanceName(x,x,x)+2Dp
					; WmipTranslateFileHandle(x,x)+6Ap

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090C256 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, edx
		xor	ecx, ecx
		lea	edx, [ebp+var_1C]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		mov	ecx, eax
		push	edi
		call	IoGetDeviceInstanceName
		mov	edi, eax
		test	edi, edi
		js	loc_86FAB5
		mov	ax, word ptr [ebp+var_1C]
		mov	edi, 0C0000296h
		mov	esi, [esi+28h]
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_8], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		mov	ebx, eax
		push	offset _WmipSMMutex
		mov	[ebp+var_14], ebx
		call	KeWaitForSingleObject
		xor	ecx, ecx
		cmp	[esi+14h], ecx
		jbe	short loc_86FA82
		add	esi, 20h
		mov	[ebp+var_4], esi
		mov	eax, esi
		mov	esi, [esi]
		cmp	esi, eax
		jz	short loc_86FA82

loc_86FA21:				; CODE XREF: WmipGetGuidObjectInstanceInfo+9C8A6j
		test	byte ptr [esi+8], 1
		jz	loc_90C256
		mov	ecx, [esi+30h]
		add	ecx, 4
		mov	ebx, ecx
		mov	[ebp+var_10], ecx
		lea	edx, [ebx+2]

loc_86FA39:				; CODE XREF: WmipGetGuidObjectInstanceInfo+8Fj
		mov	ax, [ebx]
		add	ebx, 2
		cmp	ax, word ptr [ebp+var_C]
		jnz	short loc_86FA39
		mov	eax, [ebp+var_8]
		sub	ebx, edx
		movzx	eax, ax
		push	eax		; size_t
		push	[ebp+var_18]	; wchar_t *
		sar	ebx, 1
		push	ecx		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_86FABE
		mov	edx, [ebp+var_8]
		movzx	eax, dx
		movzx	ecx, bx
		inc	eax
		cmp	ecx, eax
		jnz	short loc_86FABE
		mov	eax, [ebp+var_10]
		cmp	word ptr [eax+ecx*2-2],	5Fh
		jnz	short loc_86FABE
		mov	eax, [esi+30h]
		xor	ecx, ecx
		mov	edi, ecx
		mov	ebx, [eax]

loc_86FA82:				; CODE XREF: WmipGetGuidObjectInstanceInfo+5Dj
					; WmipGetGuidObjectInstanceInfo+6Bj ...
		push	ecx
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		test	edi, edi
		js	short loc_86FAC6
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_1C]
		mov	[eax], ecx
		mov	ecx, [ebp+var_18]
		mov	[eax+4], ecx
		xor	ecx, ecx
		mov	eax, [ebp+arg_4]
		mov	edi, ecx
		mov	[eax], ebx
		mov	eax, ecx
		mov	[ebp+var_18], eax

loc_86FAAD:				; CODE XREF: WmipGetGuidObjectInstanceInfo+115j
		test	eax, eax
		jnz	loc_90C26A

loc_86FAB5:				; CODE XREF: WmipGetGuidObjectInstanceInfo+28j
					; WmipGetGuidObjectInstanceInfo+9C8BFj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_86FABE:				; CODE XREF: WmipGetGuidObjectInstanceInfo+AAj
					; WmipGetGuidObjectInstanceInfo+B8j ...
		mov	eax, [ebp+var_4]
		jmp	loc_90C256
; 

loc_86FAC6:				; CODE XREF: WmipGetGuidObjectInstanceInfo+DBj
		mov	eax, [ebp+var_18]
		jmp	short loc_86FAAD
WmipGetGuidObjectInstanceInfo endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipGetFilePDO(x, x, x)
_WmipGetFilePDO@12 proc	near		; CODE XREF: IoWMIHandleToInstanceName(x,x,x)+14p
					; WmipTranslateFileHandle(x,x)+26p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ds:_IoFileObjectType
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	esi, [ebp+var_4]
		push	edi
		push	esi
		push	edx
		push	eax
		push	edi
		push	ecx
		mov	[ebp+var_4], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_86FB6E
		mov	ebx, [ebp+var_4]
		push	ebx
		call	IoGetRelatedDeviceObject
		push	eax
		call	IoGetAttachedDeviceReference
		mov	esi, eax
		push	edi
		mov	[ebp+var_4], esi
		movzx	eax, byte ptr [esi+30h]
		push	eax
		call	IoAllocateIrp
		mov	edi, eax
		test	edi, edi
		jz	short loc_86FB77
		mov	eax, [edi+60h]
		push	edi
		push	esi
		mov	word ptr [eax-24h], 71Bh
		mov	dword ptr [eax-20h], 4
		mov	[eax-0Ch], ebx
		mov	dword ptr [edi+18h], 0C00000BBh
		call	_IoSynchronousCallDriver@8 ; IoSynchronousCallDriver(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_86FB55
		mov	edx, [edi+1Ch]
		mov	eax, [ebp+arg_0]
		push	0
		push	edx
		mov	ecx, [edx+4]
		mov	[eax], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi

loc_86FB55:				; CODE XREF: WmipGetFilePDO(x,x,x)+72j
		push	edi
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_86FB5B:				; CODE XREF: WmipGetFilePDO(x,x,x)+B0j
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject
		test	ebx, ebx
		jz	short loc_86FB6E
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_86FB6E:				; CODE XREF: WmipGetFilePDO(x,x,x)+26j
					; WmipGetFilePDO(x,x,x)+99j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_86FB77:				; CODE XREF: WmipGetFilePDO(x,x,x)+4Bj
		mov	esi, 0C000009Ah
		jmp	short loc_86FB5B
_WmipGetFilePDO@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmIsLocalMachineContainer(x, x)
__CmIsLocalMachineContainer@8 proc near	; CODE XREF: _CmGetDeviceContainerMappedProperty+94p
					; PiDcHandleCustomDeviceEvent+11BD4Ep

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= word ptr -58h
var_C		= word ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_5C], 4Eh
		push	ebx
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_60], ebx
		push	eax
		lea	eax, [ebp+var_58]
		mov	esi, edx
		push	eax
		lea	eax, [ebp+var_60]
		mov	edx, offset ??_C@_1BK@CCOOHMCM@?$AAH?$AAT?$AAR?$AAE?$AAE?$AA?2?$AAR?$AAO?$AAO?$AAT?$AA?2?$AA0@NNGAKEGL@
		push	eax
		push	25h
		push	ebx
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_86FBD7
		xor	eax, eax
		mov	[ebp+var_C], ax
		lea	eax, [ebp+var_58]
		push	esi		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		neg	eax
		pop	ecx
		sbb	al, al
		pop	ecx
		lea	ebx, [eax+1]

loc_86FBD7:				; CODE XREF: _CmIsLocalMachineContainer(x,x)+3Ej
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
__CmIsLocalMachineContainer@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpCheckIRTimerAccess proc near		; CODE XREF: NtCreateTimer2+135p

var_60		= dword	ptr -60h
var_2		= byte ptr -2
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090C278 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	dl, cl
		movzx	eax, si
		push	edi
		cmp	eax, 10h
		jnb	short loc_86FC74
		test	eax, eax
		jz	short loc_86FC74
		imul	edi, eax, 0Ch
		mov	eax, esi
		shr	eax, 10h
		movzx	ecx, ds:byte_403D40[edi]
		cmp	ax, cx
		ja	short loc_86FC74
		mov	eax, ds:dword_403D3C[edi]
		test	dl, dl
		jz	loc_90C278
		push	ebx
		xor	ebx, ebx
		mov	byte ptr [ebp+var_1], bl
		test	eax, eax
		jz	short loc_86FC4C
		lea	ecx, [ebp+var_1]
		push	ecx
		push	eax
		push	ebx
		call	_RtlCheckTokenMembership@12 ; RtlCheckTokenMembership(x,x,x)
		test	eax, eax
		js	short loc_86FC69
		mov	al, byte ptr [ebp+var_1]

loc_86FC3F:				; CODE XREF: ExpCheckIRTimerAccess+7Fj
					; ExpCheckIRTimerAccess+83j
		test	al, al
		jz	short loc_86FC6D

loc_86FC43:				; CODE XREF: ExpCheckIRTimerAccess+8Aj
		mov	eax, ebx
		pop	ebx

loc_86FC46:				; CODE XREF: ExpCheckIRTimerAccess+91j
					; ExpCheckIRTimerAccess+9C6A4j
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_86FC4C:				; CODE XREF: ExpCheckIRTimerAccess+43j
		mov	cl, dl
		call	_ExpCheckWakeTimerAccess@4 ; ExpCheckWakeTimerAccess(x)
		test	eax, eax
		js	short loc_86FC6D
		mov	edx, [ebp+arg_0+2]
		mov	ecx, esi
		call	_ExCheckValidIRTimerId@8 ; ExCheckValidIRTimerId(x,x)
		test	al, al
		jz	short loc_86FC6D
		mov	al, 1
		jmp	short loc_86FC3F
; 

loc_86FC69:				; CODE XREF: ExpCheckIRTimerAccess+52j
		mov	al, bl
		jmp	short loc_86FC3F
; 

loc_86FC6D:				; CODE XREF: ExpCheckIRTimerAccess+59j
					; ExpCheckIRTimerAccess+6Dj ...
		mov	ebx, 0C0000022h
		jmp	short loc_86FC43
; 

loc_86FC74:				; CODE XREF: ExpCheckIRTimerAccess+13j
					; ExpCheckIRTimerAccess+17j ...
		mov	eax, 0C000000Dh
		jmp	short loc_86FC46
ExpCheckIRTimerAccess endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCheckWakeTimerAccess(x)
_ExpCheckWakeTimerAccess@4 proc	near	; CODE XREF: .text:005F28C1p
					; ExpCheckIRTimerAccess+66p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+20h+var_10]
		stosd
		xor	esi, esi
		mov	[esp+20h+var_14], esi
		mov	[esp+20h+var_18], esi
		stosd
		stosd
		stosd
		test	cl, cl
		jz	short loc_86FCF7
		lea	eax, [esp+20h+var_10]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		push	esi
		call	SeCaptureSubjectContextEx
		lea	eax, [esp+20h+var_18]
		push	eax
		lea	eax, [esp+24h+var_14]
		push	eax
		mov	eax, ds:_ExTimerObjectType
		push	1
		add	eax, 34h
		push	eax
		push	esi
		push	esi
		push	1
		push	esi
		lea	eax, [esp+40h+var_10]
		push	eax
		push	7
		push	offset _ExpWakeTimerSecurityDescriptor
		call	_SeAccessCheckWithHint@44 ; SeAccessCheckWithHint(x,x,x,x,x,x,x,x,x,x,x)
		lea	eax, [esp+20h+var_10]
		push	eax
		call	SeReleaseSubjectContext
		mov	eax, [esp+20h+var_18]

loc_86FCF1:				; CODE XREF: ExpCheckWakeTimerAccess(x)+80j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_86FCF7:				; CODE XREF: ExpCheckWakeTimerAccess(x)+23j
		mov	eax, 0C0000022h
		jmp	short loc_86FCF1
_ExpCheckWakeTimerAccess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpPublishEventForPcaResolver proc near	; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+2123p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090C2A3 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, _EtwAppCompatProvRegHandle
		mov	ebx, ecx
		push	edi
		push	6
		xor	eax, eax
		mov	[ebp+var_68], edx
		pop	ecx
		lea	edi, [ebp+var_60]
		rep stosd
		mov	edi, dword_6BC5CC
		mov	eax, esi
		or	eax, edi
		jz	loc_86FDF6
		push	offset _APPCOMPAT_REG_WRP_ACCESS_DENIED
		push	edi
		push	esi
		call	EtwEventEnabled
		test	al, al
		jz	loc_86FDF6
		mov	ebx, [ebx+60h]
		and	ebx, 1
		jz	loc_90C296

loc_86FD58:				; CODE XREF: ExpCheckIRTimerAccess+9C6B6j
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		mov	edi, [ebp+var_68]
		mov	edx, [eax+1C0h]
		movzx	esi, word ptr [edi]
		mov	ax, [edx]
		and	[ebp+var_44], 0
		and	[ebp+var_3C], 0
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_6C], eax
		mov	ax, si
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_48], eax
		mov	[ebp+var_40], 2
		movzx	ecx, word ptr [edx]
		mov	eax, [edx+4]
		xor	edx, edx
		mov	[ebp+var_38], eax
		mov	eax, ecx
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_28], eax
		mov	eax, [edi+4]
		mov	[ebp+var_18], eax
		mov	eax, esi
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	4
		push	edx
		push	offset _APPCOMPAT_REG_WRP_ACCESS_DENIED
		push	dword_6BC5CC
		mov	[ebp+var_34], edx
		push	_EtwAppCompatProvRegHandle
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], 2
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		xor	bl, 1
		jnz	loc_90C2A3

loc_86FDF6:				; CODE XREF: CmpPublishEventForPcaResolver+34j
					; CmpPublishEventForPcaResolver+48j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpPublishEventForPcaResolver endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateMailslotFile proc near		; DATA XREF: .text:00581140o

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 0090C2D2 SIZE 00000010 BYTES

		push	30h
		push	offset dword_6A4CE8
		call	__SEH_prolog4_GS
		mov	ebx, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_3C], eax
		mov	edx, [ebp+arg_1C]
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_86FE74
		mov	[ebp+var_24], 1
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	loc_90C2D2
		mov	[ebp+ms_exc.disabled], ecx
		mov	esi, edx
		test	dl, 3
		jnz	short loc_86FEB6
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jnb	short loc_86FEBB

loc_86FE5F:				; CODE XREF: NtCreateMailslotFile+B7j
		nop
		mov	al, [esi]
		mov	eax, [edx]
		mov	[ebp+var_2C], eax
		mov	eax, [edx+4]
		mov	[ebp+var_28], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_86FE74:				; CODE XREF: NtCreateMailslotFile+2Cj
					; NtCreateMailslotFile+9C4D7j
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_30], eax
		push	ecx		; void *
		push	ecx		; int
		push	ecx		; int
		lea	eax, [ebp+var_34]
		push	eax		; int
		push	2		; int
		push	ecx		; int
		push	ecx		; void *
		push	[ebp+arg_10]	; int
		push	2		; int
		push	3		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+var_3C]	; int
		push	[ebp+var_40]	; int
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		call	_IopCreateFile@64 ; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)

loc_86FEA4:				; CODE XREF: sub_90C2C0+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_86FEB6:				; CODE XREF: NtCreateMailslotFile+4Ej
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_86FEBB:				; CODE XREF: NtCreateMailslotFile+57j
		mov	esi, eax
		jmp	short loc_86FE5F
NtCreateMailslotFile endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlIssueFileNotificationFsctl	proc near ; CODE XREF: PopResizeHiberFile+144p
					; PopCreateHiberFile(x,x)+3A8p	...

var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090C2E2 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		stosd
		xor	esi, esi
		push	esi
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_2C], esi
		stosd
		mov	[ebp+var_28], esi
		stosd
		stosd
		lea	eax, [ebp+var_3C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		call	IoGetRelatedDeviceObject
		lea	ecx, [ebp+var_2C]
		mov	[ebp+var_24], eax
		push	ecx
		lea	ecx, [ebp+var_3C]
		push	ecx
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	eax
		push	90204h
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_86FF68
		mov	esi, [ebp+arg_0]
		lea	edi, [ebp+var_18]
		mov	ecx, [ebp+var_24]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_20]
		movsd
		movsd
		movsd
		movsd
		mov	[edx+0Ch], eax
		mov	eax, [edx+60h]
		mov	[eax-0Ch], ebx
		mov	byte ptr [eax-24h], 0Dh
		mov	dword ptr [eax-1Ch], 18h
		call	IofCallDriver
		cmp	eax, 103h
		jz	loc_90C2E2

loc_86FF57:				; CODE XREF: FsRtlIssueFileNotificationFsctl+ADj
					; FsRtlIssueFileNotificationFsctl+9C434j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_86FF68:				; CODE XREF: FsRtlIssueFileNotificationFsctl+58j
		mov	eax, 0C000009Ah
		jmp	short loc_86FF57
FsRtlIssueFileNotificationFsctl	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 795. IoCreateNotificationEvent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCreateNotificationEvent(x, x)
		public _IoCreateNotificationEvent@8
_IoCreateNotificationEvent@8 proc near	; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+162p
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+182p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], eax
		push	1
		push	edi
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_4], edi
		push	eax
		push	1F0003h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_1C], 18h
		push	eax
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], 280h
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		test	eax, eax
		js	short loc_86FFEF
		mov	eax, ds:_ExEventObjectType
		lea	ecx, [ebp+arg_0]
		push	edi
		push	ecx
		push	edi
		push	eax
		push	edi
		push	[ebp+var_4]
		mov	[ebp+arg_0], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp+arg_0]
		test	eax, eax
		js	short loc_86FFF3
		mov	ecx, esi
		call	ObfDereferenceObject

loc_86FFDF:				; CODE XREF: IoCreateNotificationEvent(x,x)+81j
		mov	edx, [ebp+arg_4]
		mov	eax, esi
		mov	ecx, [ebp+var_4]
		mov	[edx], ecx

loc_86FFE9:				; CODE XREF: IoCreateNotificationEvent(x,x)+7Dj
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_86FFEF:				; CODE XREF: IoCreateNotificationEvent(x,x)+43j
		xor	eax, eax
		jmp	short loc_86FFE9
; 

loc_86FFF3:				; CODE XREF: IoCreateNotificationEvent(x,x)+62j
		mov	esi, edi
		jmp	short loc_86FFDF
_IoCreateNotificationEvent@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtInitializeRegistry proc near		; DATA XREF: .text:00580FD8o

var_4		= dword	ptr -4
arg_0		= word ptr  8

; FUNCTION CHUNK AT 0090C2F9 SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+8+var_4],	al
		test	al, al
		jz	short loc_870033
		mov	eax, 13E8h
		cmp	[ebp+arg_0], ax
		jz	loc_90C2F9
		push	dword ptr [ebp+arg_0]
		call	_ZwInitializeRegistry@4	; ZwInitializeRegistry(x)

loc_87002D:				; CODE XREF: NtInitializeRegistry+53j
					; NtInitializeRegistry+60j ...
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_870033:				; CODE XREF: NtInitializeRegistry+1Cj
		mov	ecx, dword ptr [ebp+arg_0]
		mov	edx, 3E7h
		lea	eax, [ecx-1000h]
		cmp	ax, dx
		ja	short loc_87004D
		call	CmpAcceptBoot
		jmp	short loc_87002D
; 

loc_87004D:				; CODE XREF: NtInitializeRegistry+4Cj
		cmp	cx, 2
		jnz	short loc_87005A
		call	CmpHandlePageFileOpenNotification
		jmp	short loc_87002D
; 

loc_87005A:				; CODE XREF: NtInitializeRegistry+59j
		test	cx, cx
		jnz	loc_90C326

loc_870063:				; CODE XREF: NtInitializeRegistry+9C332j
		call	CmCompleteRegistryInitialization
		jmp	short loc_87002D
NtInitializeRegistry endp


;  S U B	R O U T	I N E 


CmpAcceptBoot	proc near		; CODE XREF: NtInitializeRegistry+4Ep

; FUNCTION CHUNK AT 0090C33A SIZE 0000000E BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	KvfCommitFeatureStates
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	short loc_8700BA
		xor	eax, eax
		mov	ecx, offset _CmBootAcceptFirstTime
		xchg	eax, [ecx]
		test	eax, eax
		jnz	short loc_870093
		mov	esi, 0C0000022h

loc_87008F:				; CODE XREF: CmpAcceptBoot+4Ej
					; CmpAcceptBoot+52j ...
		mov	eax, esi
		pop	esi
		retn
; 

loc_870093:				; CODE XREF: CmpAcceptBoot+1Ej
		add	esi, 0F000h
		test	si, si
		jz	short loc_8700BE
		cmp	ds:_CmpLKGEnabled, 0
		jnz	loc_90C33A
		xor	esi, esi

loc_8700AD:				; CODE XREF: CmpAcceptBoot+9C2D9j
		call	off_6B2C0C	; xHalSaveAndDisableHvEnlightenment()
		call	_CmpUpdatePhaseAccessBit@0 ; CmpUpdatePhaseAccessBit()
		jmp	short loc_87008F
; 

loc_8700BA:				; CODE XREF: CmpAcceptBoot+11j
		xor	esi, esi
		jmp	short loc_87008F
; 

loc_8700BE:				; CODE XREF: CmpAcceptBoot+32j
		mov	esi, 0C000000Dh
		jmp	short loc_87008F
CmpAcceptBoot	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1358. LsaFreeReturnBuffer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; NTSTATUS __stdcall LsaFreeReturnBuffer(PVOID Buffer)
		public _LsaFreeReturnBuffer@4
_LsaFreeReturnBuffer@4 proc near

Buffer		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, _SepAuthExtensionHost
		push	esi
		mov	esi, 0C0000002h
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_8700F7
		push	[ebp+Buffer]
		call	dword ptr [eax+8]
		mov	ecx, _SepAuthExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_8700F7:				; CODE XREF: LsaFreeReturnBuffer(x)+18j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_LsaFreeReturnBuffer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCalculateHiberFileSize(x, x)
_PopCalculateHiberFileSize@8 proc near	; CODE XREF: PopAdjustHiberFile(x)+29p
					; PopHiberInitializeResources+D6p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, dword_6D3018
		push	ebx
		mov	[ebp+var_34], ecx
		mov	bl, 2
		xor	ecx, ecx
		mov	[ebp+var_38], edx
		mov	eax, [eax]
		push	esi
		push	edi
		push	64h
		mov	eax, [eax+0F48h]
		mov	[ebp+var_30], eax
		shld	ecx, eax, 0Ch
		shl	eax, 0Ch
		mov	[ebp+var_28], ecx
		mov	ecx, ds:_PopHiberFileSizePercent
		mov	[ebp+var_2C], eax
		pop	eax
		cmp	ecx, 28h
		jnb	loc_8701D8
		mov	ecx, ds:_PopHiberFileType
		test	ecx, ecx
		jz	short loc_87015D
		cmp	ecx, 3
		jnb	short loc_87015D
		mov	bl, cl

loc_87015D:				; CODE XREF: PopCalculateHiberFileSize(x,x)+56j
					; PopCalculateHiberFileSize(x,x)+5Bj
		mov	esi, offset _PopHiberFileBucket
		xor	edx, edx
		mov	[ebp+var_24], esi

loc_870167:				; CODE XREF: PopCalculateHiberFileSize(x,x)+95j
		push	6
		pop	ecx
		lea	edi, [ebp+var_20]
		rep movsd
		mov	ecx, [ebp+var_28]
		cmp	ecx, [ebp+var_1C]
		jb	short loc_870197
		ja	short loc_870181
		mov	ecx, [ebp+var_2C]
		cmp	ecx, [ebp+var_20]
		jbe	short loc_870197

loc_870181:				; CODE XREF: PopCalculateHiberFileSize(x,x)+79j
		mov	esi, [ebp+var_24]
		add	edx, 18h
		add	esi, 18h
		mov	[ebp+var_24], esi
		cmp	edx, 0A8h
		jb	short loc_870167
		jmp	short loc_8701A3
; 

loc_870197:				; CODE XREF: PopCalculateHiberFileSize(x,x)+77j
					; PopCalculateHiberFileSize(x,x)+81j
		movzx	eax, bl
		mov	eax, [ebp+eax*4+var_18]
		cmp	eax, 64h
		jnb	short loc_8701DC

loc_8701A3:				; CODE XREF: PopCalculateHiberFileSize(x,x)+97j
					; PopCalculateHiberFileSize(x,x)+DCj ...
		mul	[ebp+var_30]
		push	0
		push	64h
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, [ebp+var_34]
		shld	edx, eax, 0Ch
		shl	eax, 0Ch
		mov	[ecx], eax
		mov	eax, [ebp+var_38]
		mov	[ecx+4], edx
		test	eax, eax
		jz	short loc_8701C9
		mov	[eax], bl

loc_8701C9:				; CODE XREF: PopCalculateHiberFileSize(x,x)+C7j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8701D8:				; CODE XREF: PopCalculateHiberFileSize(x,x)+48j
		mov	eax, ecx
		jmp	short loc_8701A3
; 

loc_8701DC:				; CODE XREF: PopCalculateHiberFileSize(x,x)+A3j
		push	64h
		pop	eax
		jmp	short loc_8701A3
_PopCalculateHiberFileSize@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 496. FsRtlCheckUpperOplock

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlCheckUpperOplock
FsRtlCheckUpperOplock proc near

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_43		= byte ptr -43h
var_42		= byte ptr -42h
var_41		= dword	ptr -41h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0090C348 SIZE 000001C8 BYTES

		push	54h
		push	offset dword_6A4D08
		call	__SEH_prolog4_GS
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_4]
		mov	edx, eax
		and	edx, 1
		shl	edx, 0Ch
		and	eax, 6
		shl	eax, 0Ch
		or	edx, eax
		mov	[ebp+var_58], edx
		mov	ebx, [ecx]
		mov	[ebp+var_64], ebx
		xor	edx, edx
		mov	byte ptr [ebp+var_41], dl
		mov	byte ptr [ebp+var_60], dl
		mov	[ebp+var_42], dl
		mov	eax, edx
		mov	[ebp+var_5C], eax
		mov	[ebp+var_43], dl
		push	9
		pop	ecx
		lea	edi, [ebp+var_41+1]
		rep stosd
		mov	esi, edx
		mov	[ebp+var_48], esi
		test	ebx, ebx
		jnz	loc_90C348

loc_87024A:				; CODE XREF: FsRtlCheckUpperOplock+9C325j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
FsRtlCheckUpperOplock endp

; [00000001 BYTES: COLLAPSED FUNCTION nullsub_8. PRESS KEYPAD "+" TO EXPAND]
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PopAcquireTransitionLock(x)
_PopAcquireTransitionLock@4 proc near	; CODE XREF: PAGELK:0071EBD1p
					; PoInitHiberServices+10Cp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	esi, 7
		jz	short loc_870274
		push	8
		xor	edx, edx
		pop	ecx
		call	PopDirectedDripsNotify

loc_870274:				; CODE XREF: PopAcquireTransitionLock(x)+8j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	7
		push	offset _PopTransitionLock
		call	KeWaitForSingleObject
		mov	_PopTransitionLockAcquireReason, esi
		cmp	esi, 1
		jz	short loc_87029B
		mov	eax, large fs:124h
		mov	_PopTransitionLockOwnerThread, eax

loc_87029B:				; CODE XREF: PopAcquireTransitionLock(x)+2Ej
		pop	esi
		retn
_PopAcquireTransitionLock@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopReleaseTransitionLock(x)
_PopReleaseTransitionLock@4 proc near	; CODE XREF: PopUnlockAfterSleepWorker(x)+86p
					; PoInitHiberServices+12Ap ...
		mov	edi, edi
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	eax
		push	eax
		push	offset _PopTransitionLock
		mov	_PopTransitionLockOwnerThread, eax
		mov	_PopTransitionLockAcquireReason, eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		cmp	esi, 7
		jz	short loc_8702CB
		push	9
		xor	edx, edx
		pop	ecx
		pop	esi
		jmp	PopDirectedDripsNotify
; 

loc_8702CB:				; CODE XREF: PopReleaseTransitionLock(x)+20j
		pop	esi
		retn
_PopReleaseTransitionLock@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDirectedDripsNotify proc near	; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+4C1p
					; PopCaptureSleepStudyStatistics(x,x,x,x)+501p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090C529 SIZE 0000014B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+18h+var_4], edx
		mov	[esp+18h+var_8], edi
		xor	edx, edx
		mov	ebx, offset _PopDirectedDripsState
		mov	eax, [ebx]

loc_8702EF:				; CODE XREF: PopDirectedDripsNotify+29j
		mov	esi, eax
		or	esi, edx
		lock cmpxchg [ebx], esi
		jnz	short loc_8702EF
		mov	ebx, [esp+18h+var_4]
		test	al, 1
		jz	short loc_870340 ; default
		mov	esi, edi
		cmp	ecx, 9		; switch 10 cases
		ja	short loc_870340 ; default
		jmp	ds:off_870376[ecx*4] ; switch jump

loc_87030F:				; DATA XREF: PAGE:off_870376o
		mov	edi, offset dword_6C371C ; case	0x9
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		sub	dword_6C3740, 1
		jnz	short loc_87032E
		xor	ecx, ecx
		inc	ecx
		call	_PopDirectedDripsClearDisengageReason@4	; PopDirectedDripsClearDisengageReason(x)

loc_87032E:				; CODE XREF: PopDirectedDripsNotify+56j
					; PopDirectedDripsNotify+97j ...
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		test	al, 2
		jnz	short loc_87036E

loc_870339:				; CODE XREF: PopDirectedDripsNotify:loc_90C662j
					; PopDirectedDripsNotify+9C3A1j
		mov	ecx, edi
		call	KeAbPostRelease

loc_870340:				; CODE XREF: PopDirectedDripsNotify+31j
					; PopDirectedDripsNotify+38j ...
		pop	edi		; default
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_870347:				; CODE XREF: PopDirectedDripsNotify+3Aj
					; DATA XREF: PAGE:off_870376o
		mov	edi, offset dword_6C371C ; case	0x8
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6C3740
		xor	ecx, ecx
		inc	eax
		inc	ecx
		mov	dword_6C3740, eax
		cmp	eax, ecx
		jnz	short loc_87032E
		call	_PopDirectedDripsSetDisengageReason@4 ;	PopDirectedDripsSetDisengageReason(x)
		jmp	short loc_87032E
; 

loc_87036E:				; CODE XREF: PopDirectedDripsNotify+69j
		test	al, 4
		jmp	loc_90C662
PopDirectedDripsNotify endp

; 
		align 2
off_870376	dd offset loc_90C529	; DATA XREF: PopDirectedDripsNotify+3Ar
		dd offset loc_90C587	; jump table for switch	statement
		dd offset loc_90C5EB
		dd offset loc_90C5FB
		dd offset loc_90C5EB
		dd offset loc_90C5F6
		dd offset loc_90C5D5
		dd offset loc_90C5E1
		dd offset loc_870347
		dd offset loc_87030F

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopInitializePowerPolicySimulate proc near ; CODE XREF:	PAGELK:loc_71EE50p
					; PoInitSystem+726p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090C674 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_38], 240h
		lea	edi, [ebp+var_18]
		mov	[ebp+var_3C], offset _CmRegistryMachineSystemCurrentControlSet
		stosd
		xor	esi, esi
		push	18h
		mov	[ebp+var_20], esi
		mov	[ebp+var_48], esi
		stosd
		mov	[ebp+var_1C], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], esi
		stosd
		mov	[ebp+var_24], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_34], esi
		stosd
		mov	[ebp+var_30], esi
		stosd
		mov	eax, _PopSimulateManual
		pop	edi
		mov	_PopSimulate, eax
		lea	eax, [ebp+var_44]
		push	eax
		push	20019h
		lea	eax, [ebp+var_20]
		mov	[ebp+var_44], edi
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_8704D3
		push	offset _PopSimulateRegKey ; "Control\\Session Manager"
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_20]
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	esi
		push	esi
		push	esi
		lea	eax, [ebp+var_44]
		mov	[ebp+var_44], edi
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_38], 240h
		push	eax
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	[ebp+var_20]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_8704D3
		push	offset _PopSimulateHiberBugcheckRegName	; "PowerSimulateHiberBugcheck"
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_2C]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_90C674

loc_870490:				; CODE XREF: PopInitializePowerPolicySimulate+9C2DAj
					; PopInitializePowerPolicySimulate+9C2E8j
		push	offset _PopSimulateRegName ; "PowerPolicySimulate"
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_2C]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		push	[ebp+var_1C]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_8704D3
		cmp	[ebp+var_10], 4
		jnz	short loc_8704D3
		mov	eax, [ebp+var_C]
		or	_PopSimulate, eax

loc_8704D3:				; CODE XREF: PopInitializePowerPolicySimulate+6Dj
					; PopInitializePowerPolicySimulate+C2j	...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopInitializePowerPolicySimulate endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopSanityCheckHiberFile	proc near	; CODE XREF: PopResizeHiberFile+109p
					; PopCreateHiberFile(x,x)+360p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_C]
		push	4
		push	eax
		push	8
		push	edi
		push	9003Bh
		xor	ebx, ebx
		lea	eax, [ebp+var_18]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	ecx
		mov	esi, edx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		call	_ZwFsControlFile@40 ; ZwFsControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		cmp	edx, 103h
		jz	sub_90C68B

loc_870526:				; CODE XREF: sub_90C68B+10j
		test	edx, edx
		js	short loc_870592
		mov	esi, [ebp+var_C]
		xor	ecx, ecx
		and	[ebp+var_8], ebx
		mov	eax, [esi]
		or	eax, [esi+4]
		jz	short loc_870573
		mov	eax, [esi]
		mov	[ebp+var_4], eax
		mov	eax, [esi+4]
		mov	[ebp+var_10], eax
		mov	eax, esi

loc_870546:				; CODE XREF: PopSanityCheckHiberFile+8Fj
		add	ebx, [ebp+var_4]
		mov	edi, [ebp+var_10]
		adc	[ebp+var_8], edi
		cmp	dword ptr [eax+0Ch], 0
		jl	short loc_87059B
		add	ecx, 2
		lea	eax, [esi+ecx*8]
		mov	edi, [eax]
		mov	[ebp+var_4], edi
		mov	edi, [eax+4]
		mov	eax, [ebp+var_4]
		or	eax, edi
		mov	[ebp+var_10], edi
		mov	edi, [ebp+arg_0]
		lea	eax, [esi+ecx*8]
		jnz	short loc_870546

loc_870573:				; CODE XREF: PopSanityCheckHiberFile+55j
		mov	eax, [ebp+var_8]
		cmp	eax, [edi+4]
		jg	short loc_870581
		jl	short loc_87059B
		cmp	ebx, [edi]
		jb	short loc_87059B

loc_870581:				; CODE XREF: PopSanityCheckHiberFile+97j
		mov	eax, [ebp+arg_8]
		lea	ecx, ds:10h[ecx*8]
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		mov	[eax], esi

loc_870592:				; CODE XREF: PopSanityCheckHiberFile+46j
					; PopSanityCheckHiberFile+BEj
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	0Ch
; 

loc_87059B:				; CODE XREF: PopSanityCheckHiberFile+71j
					; PopSanityCheckHiberFile+99j ...
		mov	edx, 0C0000001h
		jmp	short loc_870592
PopSanityCheckHiberFile	endp

; 
		align 8
; Exported entry 1348. LdrResFindResourceDirectory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrResFindResourceDirectory(x, x, x, x, x, x, x)
		public _LdrResFindResourceDirectory@28
_LdrResFindResourceDirectory@28	proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_18]
		test	ecx, 0C00h
		jnz	short loc_8705F2
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_8705C4
		mov	[ebp+var_8], eax

loc_8705C4:				; CODE XREF: LdrResFindResourceDirectory(x,x,x,x,x,x,x)+17j
		xor	edx, edx
		test	eax, eax
		mov	eax, [ebp+arg_8]
		setnz	dl
		test	eax, eax
		jnz	short loc_8705F9

loc_8705D2:				; CODE XREF: LdrResFindResourceDirectory(x,x,x,x,x,x,x)+57j
		push	[ebp+arg_14]
		or	ecx, 2
		lea	eax, [ebp+var_8]
		push	[ebp+arg_10]
		push	0
		push	[ebp+arg_C]
		push	ecx
		push	edx
		push	eax
		push	[ebp+arg_0]
		call	_LdrResSearchResource@32 ; LdrResSearchResource(x,x,x,x,x,x,x,x)

locret_8705EE:				; CODE XREF: LdrResFindResourceDirectory(x,x,x,x,x,x,x)+4Fj
		leave
		retn	1Ch
; 

loc_8705F2:				; CODE XREF: LdrResFindResourceDirectory(x,x,x,x,x,x,x)+10j
		mov	eax, 0C000000Dh
		jmp	short locret_8705EE
; 

loc_8705F9:				; CODE XREF: LdrResFindResourceDirectory(x,x,x,x,x,x,x)+28j
		push	2
		mov	[ebp+var_4], eax
		pop	edx
		jmp	short loc_8705D2
_LdrResFindResourceDirectory@28	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MmSetSessionObjectIoEvent(x)
_MmSetSessionObjectIoEvent@4 proc near	; CODE XREF: IopSessionChangeWorker(x)+1Ap
		mov	eax, [ecx+10h]
		push	0
		push	0
		add	eax, 2440h
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		retn
_MmSetSessionObjectIoEvent@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepNotifyFileSystems proc near		; DATA XREF: SepInformFileSystemsOfDeletedLogon+3Co

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090C6AF SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _SepRmNotifyMutex
		call	ExAcquireFastMutexUnsafe
		mov	esi, ds:_SeFileSystemNotifyRoutinesHead
		mov	edi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_870690

loc_870643:				; CODE XREF: sub_90C6A0+Aj
		mov	esi, ds:_SeFileSystemNotifyRoutinesExHead
		test	esi, esi
		jz	short loc_870660
		lea	ebx, [edi+10h]

loc_870650:				; CODE XREF: SepNotifyFileSystems+48j
		push	dword ptr [esi+8]
		push	dword ptr [edi+18h]
		push	ebx
		call	dword ptr [esi+4]
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_870650

loc_870660:				; CODE XREF: SepNotifyFileSystems+35j
		mov	ecx, offset _SepRmNotifyMutex
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jnz	loc_90C6AF

loc_870681:				; CODE XREF: SepNotifyFileSystems+9C0A3j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_870690:				; CODE XREF: SepNotifyFileSystems+2Bj
		lea	ebx, [edi+10h]
		jmp	sub_90C6A0
SepNotifyFileSystems endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageUserIsAdmin()
_EtwpCoverageUserIsAdmin@0 proc	near	; CODE XREF: NtPowerInformation:loc_76507Ap
					; NtPowerInformation:loc_7654E1p ...

var_10		= dword	ptr -10h
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		push	ebx
		push	edi
		xor	eax, eax
		lea	edi, [esp+18h+var_10]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+18h+var_10]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		lea	eax, [esp+18h+var_10]
		push	eax
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)
		mov	eax, [esp+18h+var_10]
		test	eax, eax
		jnz	short loc_8706E2
		mov	eax, [esp+18h+var_8]

loc_8706E2:				; CODE XREF: EtwpCoverageUserIsAdmin()+44j
		push	eax
		call	SeTokenIsAdmin
		mov	bl, al
		lea	eax, [esp+18h+var_10]
		push	eax
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		lea	eax, [esp+18h+var_10]
		push	eax
		call	SeReleaseSubjectContext
		pop	edi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_EtwpCoverageUserIsAdmin@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpInitializeSessionDriver(x, x)
_ExpInitializeSessionDriver@8 proc near	; CODE XREF: PAGE:007B388Dp

var_B0		= dword	ptr -0B0h
var_A8		= dword	ptr -0A8h
var_9C		= dword	ptr -9Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A8h
		push	esi
		push	edi
		push	0A8h		; size_t
		lea	eax, [esp+0B4h+var_A8]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		mov	[esp+0B0h+var_9C], esi
		lea	eax, [esp+0B0h+var_A8]
		push	0
		push	eax
		call	edi
		mov	esi, eax
		test	esi, esi
		js	short loc_87074A
		lea	ecx, [esp+0B8h+var_B0]
		call	MmSessionSetUnloadAddress

loc_87074A:				; CODE XREF: ExpInitializeSessionDriver(x,x)+39j
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_ExpInitializeSessionDriver@8 endp

; 
		align 8
; Exported entry 299. EtwWriteStartScenario

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public EtwWriteStartScenario
EtwWriteStartScenario proc near		; CODE XREF: PnpDiagnosticTraceDriverInitPhaseStart(x)+22p
					; PopDiagTracePowerTransitionStart(x,x)+83p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0090C6BE SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1Ch+var_4], eax
		mov	eax, [ebp+arg_14]
		and	[esp+1Ch+var_1C], 0
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	[esp+28h+var_18], eax
		lea	edi, [esp+28h+var_14]
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		test	ebx, ebx
		jz	loc_90C6BE
		test	esi, esi
		jz	loc_90C6BE
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	EtwEventEnabled
		test	al, al
		jz	loc_90C6C8
		push	[ebp+arg_4]
		lea	edx, [esp+2Ch+var_14]
		xor	cl, cl
		push	[ebp+arg_0]
		call	_EtwGetProviderIdFromHandle@16 ; EtwGetProviderIdFromHandle(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8707F1
		xor	ecx, ecx
		cmp	[esi], ecx
		jz	short loc_870807

loc_8707CD:				; CODE XREF: EtwWriteStartScenario+B3j
					; EtwWriteStartScenario+B9j ...
		push	[esp+28h+var_18]
		push	[ebp+arg_10]
		push	esi
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		push	0Ah
		push	ebx
		mov	edx, esi
		lea	ecx, [esp+30h+var_14]
		mov	edi, eax
		call	WdipStartEndScenario

loc_8707F1:				; CODE XREF: EtwWriteStartScenario+6Dj
					; EtwWriteStartScenario+FEj ...
		mov	ecx, [esp+28h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_870807:				; CODE XREF: EtwWriteStartScenario+73j
		cmp	[esi+4], cx
		jnz	short loc_8707CD
		cmp	[esi+6], cx
		jnz	short loc_8707CD
		cmp	[esi+8], cl
		jnz	short loc_8707CD
		cmp	[esi+9], cl
		jnz	short loc_8707CD
		cmp	[esi+0Ah], cl
		jnz	short loc_8707CD
		cmp	[esi+0Bh], cl
		jnz	short loc_8707CD
		cmp	[esi+0Ch], cl
		jnz	short loc_8707CD
		cmp	[esi+0Dh], cl
		jnz	short loc_8707CD
		cmp	[esi+0Eh], cl
		jnz	short loc_8707CD
		cmp	[esi+0Fh], cl
		jnz	short loc_8707CD
		lea	eax, [esp+28h+var_1C]
		push	eax
		push	10h
		push	esi
		push	ecx
		push	ecx
		push	0Ch
		call	_ZwTraceControl@24 ; ZwTraceControl(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	loc_8707CD
		jmp	short loc_8707F1
EtwWriteStartScenario endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmManagePartitionGetMemoryEvents proc near ; CODE XREF:	sub_7B76AF+Dp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090C6D2 SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx]
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	loc_90C705
		cmp	ecx, 2
		jnb	loc_90C705
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		mov	edx, [esi+4]
		test	bl, bl
		setz	al
		dec	eax
		and	eax, 0FFFEFE00h
		add	eax, 11FF2h
		and	eax, edx
		cmp	eax, edx
		jnz	loc_90C705
		push	edi
		xor	edi, edi
		mov	[esi+0Ch], edi
		mov	[esi+10h], edi
		mov	[esi+14h], edi
		test	cl, 1
		jz	loc_870932
		mov	eax, [ebp+var_4]
		lea	ecx, [esi+0Ch]
		push	ecx
		push	ebx
		push	ds:_ExEventObjectType
		mov	eax, [eax+0A8h]
		push	dword ptr [esi+8]
		push	edi
		push	edx
		push	eax
		call	ObOpenObjectByPointer
		mov	edi, eax
		test	edi, edi
		js	loc_90C6D2
		mov	eax, [ebp+var_4]
		lea	ecx, [esi+10h]
		push	ecx
		push	ebx
		push	ds:_ExEventObjectType
		mov	eax, [eax+0ACh]
		push	dword ptr [esi+8]
		push	0
		push	dword ptr [esi+4]
		push	eax
		call	ObOpenObjectByPointer
		mov	edi, eax
		test	edi, edi
		js	loc_90C6D2
		mov	eax, [ebp+var_4]
		lea	ecx, [esi+14h]
		push	ecx
		push	ebx
		push	ds:_ExEventObjectType
		mov	eax, [eax+0B0h]
		push	dword ptr [esi+8]
		push	0
		push	dword ptr [esi+4]
		push	eax
		call	ObOpenObjectByPointer
		mov	edi, eax
		test	edi, edi
		js	loc_90C6D2

loc_870932:				; CODE XREF: MmManagePartitionGetMemoryEvents+53j
					; MmManagePartitionGetMemoryEvents+9BE9Bj ...
		mov	eax, edi
		pop	edi

loc_870935:				; CODE XREF: MmManagePartitionGetMemoryEvents+9BEB2j
		pop	esi
		pop	ebx
		leave
		retn	4
MmManagePartitionGetMemoryEvents endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpCheckForPoolTagFilterExtension proc	near ; CODE XREF: EtwpStartLogger+A0Ap
					; EtwpUpdateTrace+1A7p

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 0090C70F SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		movzx	edi, byte ptr [ecx+25Ah]
		mov	eax, edx
		push	4
		pop	ebx
		mov	edx, ebx
		mov	ecx, eax
		call	_EtwpGetFlagExtension@8	; EtwpGetFlagExtension(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_90C70F
		cmp	[ebp+arg_0], al
		jz	short loc_87097D
		imul	eax, edi, 14h
		add	eax, offset _EtwpPoolTagFilter
		xor	ecx, ecx
		mov	dword ptr [eax+4], 2Ah
		inc	ecx
		mov	[eax], cx

loc_87097D:				; CODE XREF: EtwpCheckForPoolTagFilterExtension+2Aj
					; EtwpCheckForPoolTagFilterExtension+9BE04j
		xor	eax, eax

loc_87097F:				; CODE XREF: EtwpCheckForPoolTagFilterExtension+9BDEEj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
EtwpCheckForPoolTagFilterExtension endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpUpdateTagFilter proc near		; CODE XREF: EtwpCheckForPoolTagFilterExtension+9BDFFp
					; EtwSetPerformanceTraceInformation(x,x,x)+806p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090C745 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	dx, dx
		jnz	loc_90C745

loc_87099A:				; CODE XREF: EtwpUpdateTagFilter+9BDCCj
					; EtwpUpdateTagFilter+9BDDDj
		xor	eax, eax
		mov	dword ptr [esi+4], 2Ah
		inc	eax

loc_8709A4:				; CODE XREF: EtwpUpdateTagFilter+9BDF6j
		pop	edi
		mov	[esi], ax
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
EtwpUpdateTagFilter endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2119. RtlGetDefaultCodePage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetDefaultCodePage(x, x)
		public _RtlGetDefaultCodePage@8
_RtlGetDefaultCodePage@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	ax, ds:_NlsAnsiCodePage
		mov	[ecx], ax
		mov	ecx, [ebp+arg_4]
		mov	ax, ds:_NlsOemCodePage
		mov	[ecx], ax
		pop	ebp
		retn	8
_RtlGetDefaultCodePage@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopValidateContextMembership(x)
_PopValidateContextMembership@4	proc near ; CODE XREF: PopGetSettingNotificationName+189p
					; PopGetSettingNotificationName+1C3p

var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		lea	eax, [ebp-1]
		mov	[ebp+var_1], 0
		push	eax
		push	ecx
		push	0
		call	_RtlCheckTokenMembership@12 ; RtlCheckTokenMembership(x,x,x)
		test	eax, eax
		js	short loc_8709F8
		cmp	[ebp+var_1], 0
		jz	short loc_8709F8
		leave
		retn
; 

loc_8709F8:				; CODE XREF: PopValidateContextMembership(x)+18j
					; PopValidateContextMembership(x)+1Ej
		mov	eax, 0C0000022h
		leave
		retn
_PopValidateContextMembership@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmIssueMemoryListCommand proc near	; CODE XREF: PAGE:007B4080p
					; PfpLogEventRequest+5Ap

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	14h
		push	offset dword_6A4D28
		call	__SEH_prolog4
		mov	eax, ecx
		cmp	edx, 4
		jb	short loc_870A6D
		xor	ecx, ecx
		mov	[ebp+var_1C], 6
		mov	[ebp+ms_exc.disabled], ecx
		mov	eax, [eax]
		mov	[ebp+var_1C], eax

loc_870A24:				; CODE XREF: sub_90C78F+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	ecx, ecx
		js	short loc_870A74
		cmp	[ebp+var_1C], 5
		ja	short loc_870A7F
		cmp	[ebp+var_1C], 3
		jz	short loc_870A53
		push	[ebp+arg_0]
		push	ds:dword_A949EC
		push	ds:_SeProfileSingleProcessPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	short loc_870A78

loc_870A53:				; CODE XREF: MmIssueMemoryListCommand+39j
		mov	ecx, [ebp+var_1C]
		call	MmPerformMemoryListCommand

loc_870A5B:				; CODE XREF: MmIssueMemoryListCommand+72j
					; MmIssueMemoryListCommand+76j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_870A6D:				; CODE XREF: MmIssueMemoryListCommand+11j
		mov	eax, 0C0000004h
		jmp	short loc_870A5B
; 

loc_870A74:				; CODE XREF: MmIssueMemoryListCommand+2Dj
		mov	eax, ecx
		jmp	short loc_870A5B
; 

loc_870A78:				; CODE XREF: MmIssueMemoryListCommand+51j
		mov	eax, 0C0000061h
		jmp	short loc_870A5B
; 

loc_870A7F:				; CODE XREF: MmIssueMemoryListCommand+33j
		mov	eax, 0C000000Dh
		jmp	short loc_870A5B
MmIssueMemoryListCommand endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2257. RtlNextUnicodePrefix

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlNextUnicodePrefix
RtlNextUnicodePrefix proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 0090C79A SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		jnz	short loc_870AA3
		mov	esi, [edi+8]
		test	esi, esi
		jnz	short loc_870ACA

loc_870AA3:				; CODE XREF: RtlNextUnicodePrefix+Ej
		mov	eax, [edi+4]
		mov	ecx, 800h
		cmp	[eax], cx
		jz	short loc_870AC6
		add	eax, 0Ch

loc_870AB3:				; CODE XREF: RtlNextUnicodePrefix+7Fj
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_870B09

loc_870ABA:				; CODE XREF: RtlNextUnicodePrefix+56j
					; RtlNextUnicodePrefix+77j
		add	eax, 0FFFFFFF4h

loc_870ABD:				; CODE XREF: RtlNextUnicodePrefix+49j
		mov	[edi+8], eax

loc_870AC0:				; CODE XREF: RtlNextUnicodePrefix+3Cj
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_870AC6:				; CODE XREF: RtlNextUnicodePrefix+22j
					; RtlNextUnicodePrefix+6Dj
		xor	eax, eax
		jmp	short loc_870AC0
; 

loc_870ACA:				; CODE XREF: RtlNextUnicodePrefix+15j
		mov	eax, [esi+8]
		mov	ecx, 803h
		cmp	[eax], cx
		jz	short loc_870ABD
		add	eax, 0Ch
		push	eax
		call	_RtlRealSuccessor@4 ; RtlRealSuccessor(x)
		test	eax, eax
		jnz	short loc_870ABA
		lea	ecx, [esi+0Ch]
		mov	edx, [ecx]
		cmp	edx, ecx
		jnz	loc_90C79A

loc_870AF1:				; CODE XREF: RtlNextUnicodePrefix+9BD18j
		mov	eax, [ecx-8]
		cmp	word ptr [eax+2], 0
		jle	short loc_870AC6
		add	eax, 0Ch

loc_870AFE:				; CODE XREF: RtlNextUnicodePrefix+7Bj
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_870ABA
		mov	eax, ecx
		jmp	short loc_870AFE
; 

loc_870B09:				; CODE XREF: RtlNextUnicodePrefix+2Cj
		mov	eax, ecx
		jmp	short loc_870AB3
RtlNextUnicodePrefix endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorCachePoPolicy(x)
_PopPowerAggregatorCachePoPolicy@4 proc	near
					; CODE XREF: PopPowerAggregatorHandleIntentUnsafe(x,x,x)+85p
					; PopPowerAggregatorInitialize(x)+99p
		mov	edi, edi
		push	edi
		xor	eax, eax
		mov	edi, offset dword_6C09C8
		stosd
		stosd
		stosd
		mov	eax, dword_6C2D5C
		mov	dword_6C09C8, eax
		mov	eax, _PopPolicy
		test	eax, eax
		jz	short loc_870B71
		mov	eax, [eax+28h]
		mov	dword_6C09CC, eax

loc_870B36:				; CODE XREF: PopPowerAggregatorCachePoPolicy(x)+6Aj
		cmp	byte_6C2D4D, 0
		jnz	short loc_870B7A

loc_870B3F:				; CODE XREF: PopPowerAggregatorCachePoPolicy(x)+73j
		call	_PopNetCheckUserConnectivityPolicy@0 ; PopNetCheckUserConnectivityPolicy()
		test	al, al
		jz	short loc_870B4F
		or	dword_6C09D0, 2

loc_870B4F:				; CODE XREF: PopPowerAggregatorCachePoPolicy(x)+38j
		call	PopNetCheckOpportunisticDs
		test	al, al
		jnz	short loc_870B83

loc_870B58:				; CODE XREF: PopPowerAggregatorCachePoPolicy(x)+7Cj
		mov	ecx, dword_6C09D0
		mov	eax, ecx
		and	al, 6
		cmp	al, 2
		jz	short loc_870B6F
		or	ecx, 8
		mov	dword_6C09D0, ecx

loc_870B6F:				; CODE XREF: PopPowerAggregatorCachePoPolicy(x)+56j
		pop	edi
		retn
; 

loc_870B71:				; CODE XREF: PopPowerAggregatorCachePoPolicy(x)+1Ej
		and	dword_6C09CC, 0
		jmp	short loc_870B36
; 

loc_870B7A:				; CODE XREF: PopPowerAggregatorCachePoPolicy(x)+2Fj
		or	dword_6C09D0, 1
		jmp	short loc_870B3F
; 

loc_870B83:				; CODE XREF: PopPowerAggregatorCachePoPolicy(x)+48j
		or	dword_6C09D0, 4
		jmp	short loc_870B58
_PopPowerAggregatorCachePoPolicy@4 endp


;  S U B	R O U T	I N E 


PopNetCheckOpportunisticDs proc	near	; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+2DCp
					; PopPowerAggregatorCachePoPolicy(x):loc_870B4Fp

; FUNCTION CHUNK AT 0090C7A9 SIZE 0000001E BYTES

		mov	edi, edi
		push	ecx
		cmp	dword_6C2D58, 2
		jz	loc_90C7A9

loc_870B9C:				; CODE XREF: PopNetCheckOpportunisticDs+9BC24j
					; PopNetCheckOpportunisticDs+9BC31j
		xor	al, al
		pop	ecx
		retn
PopNetCheckOpportunisticDs endp


;  S U B	R O U T	I N E 


; __stdcall PopNetCheckUserConnectivityPolicy()
_PopNetCheckUserConnectivityPolicy@0 proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+2D3p
					; PopPowerAggregatorCachePoPolicy(x):loc_870B3Fp
		cmp	dword_6C2D58, 0
		mov	cl, 1
		setz	al
		dec	al
		and	al, cl
		retn
_PopNetCheckUserConnectivityPolicy@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreatePort(x, x, x, x, x)
_NtCreatePort@20 proc near		; DATA XREF: .text:00581130o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1
		push	0
		push	[ebp+arg_C]
		push	0
		call	AlpcpCreateConnectionPort
		mov	ecx, large fs:124h
		mov	esi, eax
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	14h
_NtCreatePort@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopThermalUpdateActiveTimeTracking(x, x)
_PopThermalUpdateActiveTimeTracking@8 proc near	; CODE XREF: PopThermalSxEntry()+EAp
					; PopCoolingSxTransition+898F0p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1], dl
		cmp	byte ptr [esi],	0
		jnz	short loc_870C42
		push	ebx
		push	edi
		call	KeQueryInterruptTime
		movzx	edi, [ebp+var_1]
		mov	ecx, edx
		mov	edx, eax
		mov	[ebp+var_8], eax
		sub	edx, [esi+10h]
		mov	ebx, ecx
		movzx	eax, byte ptr [esi+1]
		sbb	ebx, [esi+14h]
		mov	[ebp+var_C], ecx
		cmp	edi, eax
		jb	short loc_870C45

loc_870C28:				; CODE XREF: PopThermalUpdateActiveTimeTracking(x,x)+6Cj
		add	[esi+208h], edx
		mov	eax, [ebp+var_8]
		adc	[esi+20Ch], ebx
		mov	[esi+10h], eax
		mov	eax, [ebp+var_C]
		pop	edi
		mov	[esi+14h], eax
		pop	ebx

loc_870C42:				; CODE XREF: PopThermalUpdateActiveTimeTracking(x,x)+11j
		pop	esi
		leave
		retn
; 

loc_870C45:				; CODE XREF: PopThermalUpdateActiveTimeTracking(x,x)+36j
		lea	ecx, [edi+2Dh]
		lea	ecx, [esi+ecx*8]

loc_870C4B:				; CODE XREF: PopThermalUpdateActiveTimeTracking(x,x)+6Aj
		add	[ecx], edx
		adc	[ecx+4], ebx
		inc	edi
		movzx	eax, byte ptr [esi+1]
		lea	ecx, [ecx+8]
		cmp	edi, eax
		jb	short loc_870C4B
		jmp	short loc_870C28
_PopThermalUpdateActiveTimeTracking@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWnfSprActiveSessionChangeCallback(x, x, x, x, x,	x)
_PopWnfSprActiveSessionChangeCallback@24 proc near
					; DATA XREF: PopSetupSprActiveSessionChangeNotification()+9o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		mov	ecx, [ebp+arg_0]
		lea	edi, [ebp+var_18]
		stosd
		push	14h
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_1C]
		pop	edi
		push	eax		; int
		lea	eax, [ebp+var_18]
		mov	[ebp+var_1C], edi
		push	eax		; void *
		lea	eax, [ebp+arg_C]
		push	eax		; int
		push	ecx		; int
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_870CBC
		cmp	[ebp+var_1C], edi
		jnz	short loc_870CBC
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		lea	eax, [ebp+var_18]
		mov	edx, edi	; Length
		push	eax		; void *
		mov	ecx, (offset loc_4074DF+1) ; int
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_870CBC:				; CODE XREF: PopWnfSprActiveSessionChangeCallback(x,x,x,x,x,x)+3Dj
					; PopWnfSprActiveSessionChangeCallback(x,x,x,x,x,x)+42j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_PopWnfSprActiveSessionChangeCallback@24 endp


;  S U B	R O U T	I N E 


SepInitializeLowBoxNumberTable proc near ; CODE	XREF: SepSetTokenLowboxNumber+DBp

; FUNCTION CHUNK AT 0090C7C7 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	esi, esi
		push	esi
		push	esi
		lea	edi, [ebx+0Ch]
		push	edi
		mov	[edi], esi
		call	_RtlCreateHashTable@12 ; RtlCreateHashTable(x,x,x)
		test	al, al
		jz	short loc_870D1F
		push	734C6553h
		push	80h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_90C7C7
		lea	eax, [ebx+4]
		push	eax
		mov	dword ptr [eax], 400h
		mov	[eax+4], ecx
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		mov	byte ptr [ebx+10h], 1

loc_870D19:				; CODE XREF: SepInitializeLowBoxNumberTable+9BB05j
		mov	eax, esi

loc_870D1B:				; CODE XREF: SepInitializeLowBoxNumberTable+56j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_870D1F:				; CODE XREF: SepInitializeLowBoxNumberTable+18j
		mov	eax, 0C000009Ah
		jmp	short loc_870D1B
SepInitializeLowBoxNumberTable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeQueryHSTIResults proc	near		; CODE XREF: PAGE:00781DB6p

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090C7D8 SIZE 0000002F BYTES

		push	0Ch
		push	offset dword_6A4D48
		call	__SEH_prolog4
		mov	edi, ds:dword_A9AC34
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		test	edi, edi
		jnz	loc_90C7D8
		mov	esi, 0C0000225h

loc_870D4A:				; CODE XREF: SeQueryHSTIResults+9BABBj
					; SeQueryHSTIResults+9BADCj ...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
SeQueryHSTIResults endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpUpdateInterfacesCallback proc near	; DATA XREF: _PnpDeviceRaisePropertyChangeEventWorker+241o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0090C828 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edi
		cmp	byte ptr [esi+10h], 0
		mov	[ebp+var_4], edi
		jz	short loc_870D8C
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], edi
		push	eax
		push	5
		push	3
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	dword ptr [esi]

loc_870D8C:				; CODE XREF: _PnpUpdateInterfacesCallback+19j
		mov	eax, [esi+4]
		test	eax, eax
		jnz	loc_90C828

loc_870D97:				; CODE XREF: _PnpUpdateInterfacesCallback+9BAEAj
		pop	edi
		xor	al, al
		pop	esi
		leave
		retn	10h
_PnpUpdateInterfacesCallback endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopClearHiberFileSignature()
_PopClearHiberFileSignature@0 proc near	; CODE XREF: PopFreeHiberContext+F9p
					; PopEnableHiberFile(x,x)+3E8p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		test	_PopSimulateHiberBugcheck, 200h
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		jnz	short loc_870E26
		cmp	dword_6C24A4, esi
		jz	short loc_870E26
		or	[ebp+var_C], 0FFFFFFFFh
		lea	eax, [ebp+var_20]
		push	esi
		push	esi
		push	18h
		push	eax
		push	98208h
		lea	eax, [ebp+var_28]
		mov	[ebp+var_20], esi
		push	eax
		push	esi
		push	esi
		push	esi
		push	_PopHiberInfo
		mov	[ebp+var_1C], 1
		mov	[ebp+var_18], 1000h
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 0FFFFEFFFh
		call	_ZwFsControlFile@40 ; ZwFsControlFile(x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 103h
		jnz	short loc_870E26
		mov	eax, dword_6C24A4
		push	esi
		push	esi
		push	esi
		push	esi
		add	eax, 5Ch
		push	eax
		call	KeWaitForSingleObject

loc_870E26:				; CODE XREF: PopClearHiberFileSignature()+25j
					; PopClearHiberFileSignature()+2Dj ...
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopClearHiberFileSignature@0 endp

; 
		align 8
; Exported entry 297. EtwWriteEndScenario

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwWriteEndScenario(x, x, x, x, x, x)
		public _EtwWriteEndScenario@24
_EtwWriteEndScenario@24	proc near	; CODE XREF: PnpCompleteSystemStartProcess()+82p
					; PopGracefulShutdown(x)+192p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1Ch+var_4], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	[esp+28h+var_18], eax
		lea	edi, [esp+28h+var_14]
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		test	esi, esi
		jz	short loc_870ECB
		test	ebx, ebx
		jz	short loc_870ECB
		push	esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	EtwEventEnabled
		test	al, al
		jz	short loc_870ED2
		push	[ebp+arg_4]
		lea	edx, [esp+2Ch+var_14]
		xor	cl, cl
		push	[ebp+arg_0]
		call	_EtwGetProviderIdFromHandle@16 ; EtwGetProviderIdFromHandle(x,x,x,x)
		test	eax, eax
		js	short loc_870EB7
		push	0Bh
		push	esi
		mov	edx, ebx
		lea	ecx, [esp+30h+var_14]
		call	WdipStartEndScenario
		push	[esp+28h+var_18]
		push	[ebp+arg_10]
		push	ebx
		push	esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_870EB7:				; CODE XREF: EtwWriteEndScenario(x,x,x,x,x,x)+5Bj
					; EtwWriteEndScenario(x,x,x,x,x,x)+98j	...
		mov	ecx, [esp+28h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_870ECB:				; CODE XREF: EtwWriteEndScenario(x,x,x,x,x,x)+32j
					; EtwWriteEndScenario(x,x,x,x,x,x)+36j
		mov	eax, 0C000000Dh
		jmp	short loc_870EB7
; 

loc_870ED2:				; CODE XREF: EtwWriteEndScenario(x,x,x,x,x,x)+46j
		mov	eax, 0C0000008h
		jmp	short loc_870EB7
_EtwWriteEndScenario@24	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopEsGetState()
_PopEsGetState@0 proc near		; CODE XREF: NtPowerInformation+F5Fp
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopEsLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	esi, _PopEsState
		mov	dword_6BFD2C, eax
		test	eax, eax
		jz	short loc_870F14
		and	dword_6BFD2C, 0

loc_870F14:				; CODE XREF: PopEsGetState()+31j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_PopEsGetState@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLoadCrashdmpImage(x, x, x, x, x,	x)
_IopLoadCrashdmpImage@24 proc near	; DATA XREF: IopLoadCrashdumpDriver+93o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]
		mov	eax, [ebp+arg_C]
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_4]
		or	eax, 20h
		mov	ecx, [ebp+arg_0]
		push	eax
		push	[ebp+arg_8]
		call	_MmLoadSystemImageEx@24	; MmLoadSystemImageEx(x,x,x,x,x,x)
		pop	ebp
		retn	18h
_IopLoadCrashdmpImage@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspOpenPartitionHandle proc near	; DATA XREF: PspInitPhase0+4B3o

arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0090C84D SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_C]
		add	esi, 10h
		mov	edx, [esi]
		lea	ecx, [edx+1]

loc_870F5D:				; CODE XREF: PspOpenPartitionHandle+30j
		cmp	ecx, 1
		jbe	loc_90C84D
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	ecx, eax
		cmp	ecx, edx
		jnz	short loc_870F79
		xor	eax, eax

loc_870F74:				; CODE XREF: PspOpenPartitionHandle+9B910j
		pop	esi
		pop	ebp
		retn	18h
; 

loc_870F79:				; CODE XREF: PspOpenPartitionHandle+24j
		mov	edx, ecx
		inc	ecx
		jmp	short loc_870F5D
PspOpenPartitionHandle endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTryAcquireKcbIXLocks	proc near	; CODE XREF: CmpPerformUnloadKey+297p
					; CmpSaveBootControlSet(x)+2B5p ...

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090C861 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		push	[ebp+arg_4]
		lea	ecx, [esi+84h]
		call	_CmpTryAcquireIXLockWithRollbackPacket@12 ; CmpTryAcquireIXLockWithRollbackPacket(x,x,x)
		push	[ebp+arg_4]
		lea	ecx, [esi+8Ch]
		mov	dl, 1
		mov	edi, eax
		call	_CmpTryAcquireIXLockWithRollbackPacket@12 ; CmpTryAcquireIXLockWithRollbackPacket(x,x,x)
		mov	ecx, 0C000022Dh
		test	edi, edi
		js	loc_90C861
		test	eax, eax
		js	short loc_870FC0
		xor	eax, eax

loc_870FBA:				; CODE XREF: CmpTryAcquireKcbIXLocks+44j
					; CmpTryAcquireKcbIXLocks+9B8E9j ...
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_870FC0:				; CODE XREF: CmpTryAcquireKcbIXLocks+38j
					; CmpTryAcquireKcbIXLocks+9B8F0j
		cmp	eax, ecx
		jnz	short loc_870FBA
		jmp	loc_90C874
CmpTryAcquireKcbIXLocks	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTryAcquireIXLockWithRollbackPacket(x, x,	x)
_CmpTryAcquireIXLockWithRollbackPacket@12 proc near ; CODE XREF: CmpTryAcquireKcbIXLocks+12p
					; CmpTryAcquireKcbIXLocks+24p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	eax, [esi]
		test	dl, dl
		jnz	short loc_870FE1
		shr	eax, 1Fh
		xor	al, 1
		jmp	short loc_870FE7
; 

loc_870FE1:				; CODE XREF: CmpTryAcquireIXLockWithRollbackPacket(x,x,x)+Ej
		test	eax, eax
		jz	short loc_87100B
		mov	al, cl

loc_870FE7:				; CODE XREF: CmpTryAcquireIXLockWithRollbackPacket(x,x,x)+15j
		test	al, al
		jnz	short loc_87100B
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_870FF9
		mov	ecx, 0C0190001h
		jmp	short loc_87100B
; 

loc_870FF9:				; CODE XREF: CmpTryAcquireIXLockWithRollbackPacket(x,x,x)+26j
		mov	ecx, esi
		call	_CmpSnapshotTxOwnerArrayToRollbackPacket@8 ; CmpSnapshotTxOwnerArrayToRollbackPacket(x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_87100B
		mov	ecx, 0C000022Dh

loc_87100B:				; CODE XREF: CmpTryAcquireIXLockWithRollbackPacket(x,x,x)+19j
					; CmpTryAcquireIXLockWithRollbackPacket(x,x,x)+1Fj ...
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	4
_CmpTryAcquireIXLockWithRollbackPacket@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipCslStateChangeCallback proc near	; DATA XREF: PiCslInitialize()+1Ao

arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0090C87B SIZE 00000058 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_PipCslInitialized, 0
		jz	loc_90C87B
		mov	eax, [ebp+arg_4]
		cmp	byte ptr [eax],	0
		jz	short loc_871038
		xor	ecx, ecx
		inc	ecx

loc_87102F:				; CODE XREF: PipCslStateChangeCallback+29j
		call	_PipCslUpdateState@4 ; PipCslUpdateState(x)
		pop	ebp
		retn	0Ch
; 

loc_871038:				; CODE XREF: PipCslStateChangeCallback+18j
		push	2
		pop	ecx
		jmp	short loc_87102F
PipCslStateChangeCallback endp

; 
		align 2

; __stdcall PipCslUpdateState(x)
_PipCslUpdateState@4:			; CODE XREF: PipCslStateChangeCallback:loc_87102Fp
		mov	eax, ecx
		mov	edx, offset _PipCslConsoleLockState
		xchg	eax, [edx]
		cmp	eax, ecx
		jz	short locret_871055
		sub	ecx, 1
		jz	short loc_871056
		sub	ecx, 1
		jnz	short loc_871061

locret_871055:				; CODE XREF: PAGE:00871049j
					; PAGE:0087105Dj
		retn
; 

loc_871056:				; CODE XREF: PAGE:0087104Ej
		mov	eax, _PipCslUnlockCallback
		test	eax, eax
		jz	short locret_871055
		jmp	eax
; 

loc_871061:				; CODE XREF: PAGE:00871053j
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		dd 0CCCCCCCCh
; Exported entry 2101. RtlFreeOemString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFreeOemString(x)
		public _RtlFreeOemString@4
_RtlFreeOemString@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_871081
		push	eax
		call	_ExFreePool@4	; ExFreePool(x)

loc_871081:				; CODE XREF: RtlFreeOemString(x)+Dj
		pop	ebp
		retn	4
_RtlFreeOemString@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopSetHiberFileMcb(x, x)
_PopSetHiberFileMcb@8 proc near		; CODE XREF: PopResizeHiberFile+11Cp
					; PopCreateHiberFile(x,x)+377p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	short loc_8710CD
		push	72626968h
		push	edx
		push	200h
		mov	dword_6C24B4, edx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	dword_6C24B0, eax
		test	eax, eax
		jz	short loc_8710D4
		push	dword_6C24B4	; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	esi, esi
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8710C8:				; CODE XREF: PopSetHiberFileMcb(x,x)+4Cj
					; PopSetHiberFileMcb(x,x)+53j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_8710CD:				; CODE XREF: PopSetHiberFileMcb(x,x)+8j
		mov	esi, 0C000000Dh
		jmp	short loc_8710C8
; 

loc_8710D4:				; CODE XREF: PopSetHiberFileMcb(x,x)+27j
		mov	esi, 0C000009Ah
		jmp	short loc_8710C8
_PopSetHiberFileMcb@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateWaitablePort(x, x, x, x, x)
_NtCreateWaitablePort@20 proc near	; DATA XREF: .text:005810E0o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1
		push	1
		push	[ebp+arg_C]
		push	0
		call	AlpcpCreateConnectionPort
		mov	ecx, large fs:124h
		mov	esi, eax
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	14h
_NtCreateWaitablePort@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWnfMixedRealityCallback(x, x, x,	x, x, x)
_PopWnfMixedRealityCallback@24 proc near
					; DATA XREF: PopSetupMixedRealitytNotification()+34o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_10]
		push	esi
		push	ecx		; int
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_10], 8
		push	ecx		; void *
		lea	ecx, [ebp+arg_C]
		push	ecx		; int
		push	eax		; int
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_871171
		cmp	[ebp+var_10], 8
		jb	short loc_871182
		mov	eax, [ebp+var_C]
		mov	ecx, offset _GUID_MIXED_REALITY_MODE ; int
		shr	eax, 1
		and	eax, 1
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_10]
		push	eax		; void *
		push	4
		pop	edx
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)

loc_871171:				; CODE XREF: PopWnfMixedRealityCallback(x,x,x,x,x,x)+33j
					; PopWnfMixedRealityCallback(x,x,x,x,x,x)+6Aj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_871182:				; CODE XREF: PopWnfMixedRealityCallback(x,x,x,x,x,x)+39j
		xor	esi, esi
		jmp	short loc_871171
_PopWnfMixedRealityCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopUserPresentSetWorker	proc near	; DATA XREF: PopUserPresentSet+61o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090C8D3 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte_6C2D11, 0
		push	esi
		mov	esi, [ebp+arg_0]
		jnz	loc_90C88D

loc_87119C:				; CODE XREF: PipCslStateChangeCallback+9B8BCj
		push	esi
		xor	cl, cl
		call	PopNotifyConsoleUserPresent
		xor	eax, eax
		mov	ecx, offset _PopUserPresentSetStatus
		xchg	eax, [ecx]
		xor	ecx, ecx
		mov	edx, offset unk_6C2D14
		xor	eax, eax
		lock cmpxchg [edx], ecx
		pop	esi
		test	eax, eax
		jnz	loc_90C8D3

loc_8711C3:				; CODE XREF: PopUserPresentSetWorker+9B75Bj
		pop	ebp
		retn	4
PopUserPresentSetWorker	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopResetActionDefaults()
_PopResetActionDefaults@0 proc near	; CODE XREF: PAGELK:loc_71EC7Bp
					; PAGELK:0071FAFAp ...
		xor	eax, eax
		mov	dword_6C26EC, 1
		test	_PopAction, 2
		mov	dword_6C26E0, eax
		mov	dword_6C26E8, eax
		mov	byte_6C26DD, al
		jnz	short locret_87121E
		mov	_PopAction, al
		mov	byte_6C26C2, al
		mov	dword_6C26C4, eax
		mov	dword_6C26C8, eax
		mov	dword_6C26D0, eax
		mov	byte_6C26DC, al
		mov	dword_6C26D4, 10h
		mov	dword_6C26CC, 10000003h

locret_87121E:				; CODE XREF: PopResetActionDefaults()+22j
		retn
_PopResetActionDefaults@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SyspartDirectGetFirmwareSystemPartition(x, x, x)
_SyspartDirectGetFirmwareSystemPartition@12 proc near
					; DATA XREF: IoQuerySystemDeviceName+46o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		mov	ecx, offset SiGetFirmwareSystemPartition
		push	[ebp+arg_4]
		call	SiGetSystemDeviceName
		pop	ecx
		pop	ebp
		retn	0Ch
_SyspartDirectGetFirmwareSystemPartition@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtLoadKey2(x, x, x)
_NtLoadKey2@12	proc near		; DATA XREF: .text:00580FB4o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_4], al
		xor	eax, eax
		push	[ebp+var_4]
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_8]
		call	CmLoadDifferencingKey
		leave
		retn	0Ch
_NtLoadKey2@12	endp

; 
		align 8
; Exported entry 2326. RtlSetActiveConsoleId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlSetActiveConsoleId
RtlSetActiveConsoleId proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090C8E6 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_90C8E6
		mov	eax, [ebp+arg_0]
		mov	ds:0FFDF02D8h, eax

loc_871292:				; CODE XREF: RtlSetActiveConsoleId+9B67Fj
		pop	ebp
		retn	4
RtlSetActiveConsoleId endp


;  S U B	R O U T	I N E 


; __stdcall PopQueueBatteryStatusTimeout()
_PopQueueBatteryStatusTimeout@0	proc near ; CODE XREF: PAGELK:0071F279p
					; PoEnableCriticalShutdown+28p
		push	offset unk_6C25D8
		call	_KeResetEvent@4	; KeResetEvent(x)
		xor	eax, eax
		mov	ecx, offset unk_6C2588
		inc	eax
		xchg	eax, [ecx]
		push	0FFFFFFFFh
		push	0EE1E5D00h
		push	offset unk_6C25B8
		push	0
		xor	edx, edx
		mov	ecx, offset unk_6C2590
		call	KiSetTimerEx
		retn
_PopQueueBatteryStatusTimeout@0	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1691. PoFxRegisterCrashdumpDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxRegisterCrashdumpDevice
PoFxRegisterCrashdumpDevice proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090C8FC SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_8712EA
		mov	ecx, [eax+24h]
		test	ecx, ecx
		jnz	loc_90C8FC
		mov	eax, 0C00000BBh

loc_8712E6:				; CODE XREF: PoFxRegisterCrashdumpDevice+25j
					; PoFxRegisterCrashdumpDevice+9B63Bj
		pop	ebp
		retn	4
; 

loc_8712EA:				; CODE XREF: PoFxRegisterCrashdumpDevice+Aj
		mov	eax, 0C000000Dh
		jmp	short loc_8712E6
PoFxRegisterCrashdumpDevice endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopSessionCreated(x)
_PopSessionCreated@4 proc near		; CODE XREF: NtPowerInformation+1026p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	esi
		push	offset ??_C@_0CE@KAAOFAEO@PopAdaptive?3?5Session?5?$CFu?5is?5star@NNGAKEGL@ ; "PopAdaptive: Session %u is started\n"
		push	3
		call	_PopPrintEx
		add	esp, 0Ch
		mov	edx, esi
		mov	ecx, offset _POP_ETW_ADPM_SESSION_CREATED
		push	0
		call	_PopDiagTraceSessionState@12 ; PopDiagTraceSessionState(x,x,x)
		pop	esi
		retn
_PopSessionCreated@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpUmdfSidCheck()
_ExpUmdfSidCheck@0 proc	near		; CODE XREF: NtQuerySystemEnvironmentValueEx+C0p

var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		lea	eax, [ebp-1]
		xor	ecx, ecx
		push	eax
		mov	eax, ds:_SeExports
		push	ecx
		mov	[ebp+var_1], cl
		push	dword ptr [eax+190h]
		push	ecx
		call	_RtlCheckTokenMembershipEx@16 ;	RtlCheckTokenMembershipEx(x,x,x,x)
		test	eax, eax
		sets	al
		dec	al
		and	al, [ebp+var_1]
		leave
		retn
_ExpUmdfSidCheck@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpPowerStateCallback(x, x, x)
_EtwpPowerStateCallback@12 proc	near	; DATA XREF: EtwpInitialize+19Bo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 3
		jz	short loc_871355

loc_871351:				; CODE XREF: EtwpPowerStateCallback(x,x,x)+1Aj
					; EtwpPowerStateCallback(x,x,x)+21j ...
		pop	ebp
		retn	0Ch
; 

loc_871355:				; CODE XREF: EtwpPowerStateCallback(x,x,x)+9j
		mov	eax, [ebp+arg_8]
		sub	eax, 0
		jz	short loc_871369
		sub	eax, 1
		jnz	short loc_871351
		mov	_EtwpPagingDisabled, al
		jmp	short loc_871351
; 

loc_871369:				; CODE XREF: EtwpPowerStateCallback(x,x,x)+15j
		mov	_EtwpPagingDisabled, 1
		jmp	short loc_871351
_EtwpPowerStateCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateIRTimer(x, x, x)
_NtCreateIRTimer@12 proc near		; DATA XREF: .text:00581158o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	2
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	NtCreateTimer2
		pop	ebp
		retn	0Ch
_NtCreateIRTimer@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MmAllocateDumpHibernateResources(x)
_MmAllocateDumpHibernateResources@4 proc near ;	CODE XREF: PopHiberInitializeResources+14Ap
					; PopEnableHiberFile(x,x)+2D8p	...
		mov	edx, ecx
		and	edx, 0FFFh
		neg	edx
		sbb	edx, edx
		shr	ecx, 0Ch
		neg	edx
		add	edx, ecx
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		test	eax, eax
		jz	short loc_8713B3
		shl	eax, 9
		retn
; 

loc_8713B3:				; CODE XREF: MmAllocateDumpHibernateResources(x)+1Fj
		xor	eax, eax
		retn
_MmAllocateDumpHibernateResources@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 442. ExSystemExceptionFilter

;  S U B	R O U T	I N E 


; __stdcall ExSystemExceptionFilter()
		public _ExSystemExceptionFilter@0
_ExSystemExceptionFilter@0 proc	near	; CODE XREF: .text:loc_52A324p
					; .text:0052A74Ep ...
		mov	ecx, large fs:124h
		xor	eax, eax
		cmp	[ecx+15Ah], al
		setnz	al
		retn
_ExSystemExceptionFilter@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryDefaultUILanguage(x)
_NtQueryDefaultUILanguage@4 proc near	; DATA XREF: .text:00580EA0o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	NtQueryInstallUILanguage
_NtQueryDefaultUILanguage@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopBroadcastInputSuppressionCallback(void *,int,int,int)
PopBroadcastInputSuppressionCallback proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090C90A SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_PopPlatformAoAc, 0
		jnz	loc_90C90A

loc_8713EE:				; CODE XREF: PopBroadcastInputSuppressionCallback+9B56Ej
					; PopBroadcastInputSuppressionCallback+9B579j
		xor	eax, eax
		pop	ebp
		retn	10h
PopBroadcastInputSuppressionCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtUnloadKey2(x, x)
_NtUnloadKey2@8	proc near		; DATA XREF: .text:00580BE8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		call	CmUnloadKey
		pop	ebp
		retn	8
_NtUnloadKey2@8	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 945. IoRegisterPlugPlayNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoRegisterPlugPlayNotification
IoRegisterPlugPlayNotification proc near ; CODE	XREF: PopConnectToPolicyDevice+B8p
					; PopOrphanCoolingExtension(x)+205p ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 00927736 SIZE 00000087 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_C]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_18]
		push	edi
		mov	edi, [ebp+arg_8]
		push	4E706E50h
		push	eax
		mov	[esi], eax
		push	ds:_IoDriverObjectType
		mov	[esp+64h+var_40], edi
		push	eax
		push	ebx
		mov	[esp+6Ch+var_3C], ebx
		mov	[esp+6Ch+var_44], esi
		call	ObReferenceObjectByPointerWithTag
		test	eax, eax
		js	loc_871591
		mov	eax, [ebp+arg_0]
		sub	eax, 1
		jz	loc_8716CA
		sub	eax, 1
		jnz	loc_8715A5
		push	44706E50h
		push	3Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_87173A
		push	offset _PnpDeviceClassNotifyLock
		push	[esp+5Ch+var_3C]
		mov	ecx, ebx
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	2
		pop	edx
		call	PnpInitializeNotifyEntry
		mov	esi, eax
		test	esi, esi
		js	loc_87173F
		mov	esi, edi
		mov	ecx, ebx
		lea	edi, [ebx+2Ch]
		movsd
		movsd
		movsd
		movsd
		call	_PnpDeferNotification@4	; PnpDeferNotification(x)
		mov	esi, eax
		test	esi, esi
		js	loc_927797
		mov	edi, offset _PnpDeviceClassNotifyLock
		mov	ecx, edi
		call	@KeAcquireGuardedMutex@4 ; KeAcquireGuardedMutex(x)
		mov	eax, [ebx+38h]
		xor	edx, edx
		add	eax, [ebx+34h]
		add	eax, [ebx+30h]
		add	eax, [ebx+2Ch]
		push	0Dh
		pop	ecx
		div	ecx
		lea	eax, _PnpDeviceClassNotifyList[edx*8]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_871752
		mov	[ebx+4], ecx
		mov	[ebx], eax
		mov	[ecx], ebx
		mov	ecx, edi
		mov	[eax+4], ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	[ebp+arg_4], 1
		jz	short loc_871581
		xor	edx, edx	; int
		lea	edi, [esp+58h+var_28]
		xor	eax, eax
		mov	[esp+58h+var_8], edx
		push	28h
		inc	eax
		mov	[esp+5Ch+var_48], edx
		mov	word ptr [esp+5Ch+var_2C], ax
		lea	ecx, [esp+5Ch+var_48]
		pop	eax
		mov	word ptr [esp+58h+var_2C+2], ax
		mov	esi, offset _GUID_DEVICE_INTERFACE_ARRIVAL
		push	edx		; int
		push	ecx		; int
		push	edx		; char
		movsd
		lea	ecx, [ebx+2Ch]	; int
		push	edx		; int
		mov	[esp+68h+var_38], edx
		mov	[esp+68h+var_34], edx
		movsd
		movsd
		movsd
		lea	esi, [ebx+2Ch]
		lea	edi, [esp+68h+var_18]
		movsd
		movsd
		movsd
		movsd
		call	IopGetDeviceInterfaces
		mov	esi, eax
		mov	[esp+58h+var_30], esi
		test	esi, esi
		js	loc_87173F
		mov	eax, [esp+58h+var_48]
		xor	ecx, ecx
		mov	edi, eax
		cmp	[eax], cx
		jnz	loc_87165D

loc_87157A:				; CODE XREF: IoRegisterPlugPlayNotification+2A0j
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_871581:				; CODE XREF: IoRegisterPlugPlayNotification+FDj
		mov	eax, [esp+58h+var_44]
		mov	[eax], ebx

loc_871587:				; CODE XREF: IoRegisterPlugPlayNotification+246j
					; IoRegisterPlugPlayNotification+B6343j ...
		test	esi, esi
		js	loc_87173F

loc_87158F:				; CODE XREF: IoRegisterPlugPlayNotification+33Bj
		mov	eax, esi

loc_871591:				; CODE XREF: IoRegisterPlugPlayNotification+47j
		mov	ecx, [esp+58h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_8715A5:				; CODE XREF: IoRegisterPlugPlayNotification+5Cj
		sub	eax, 1
		jnz	loc_927736
		xor	ecx, ecx
		lea	edx, [esp+58h+var_48]
		mov	[esp+58h+var_48], ecx
		mov	ecx, edi
		call	_PnpGetRelatedTargetDevice@8 ; PnpGetRelatedTargetDevice(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87173F
		push	43706E50h
		push	3Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_92775A
		push	offset _PnpTargetDeviceNotifyLock
		push	ebx
		push	[ebp+arg_14]
		mov	ecx, edi
		push	[ebp+arg_10]
		push	3
		pop	edx
		call	PnpInitializeNotifyEntry
		mov	esi, eax
		test	esi, esi
		js	loc_92776B
		mov	ebx, [esp+58h+var_48]
		mov	ecx, edi
		mov	eax, [esp+58h+var_40]
		mov	[edi+2Ch], eax
		mov	eax, [ebx+10h]
		mov	[edi+30h], eax
		call	_PnpDeferNotification@4	; PnpDeferNotification(x)
		mov	esi, eax
		test	esi, esi
		js	loc_92777F
		mov	ecx, offset _PnpTargetDeviceNotifyLock
		call	@KeAcquireGuardedMutex@4 ; KeAcquireGuardedMutex(x)
		lea	eax, [ebx+140h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_871752
		mov	[edi+4], ecx
		mov	[edi], eax
		mov	[ecx], edi
		mov	ecx, offset _PnpTargetDeviceNotifyLock
		mov	[eax+4], edi

loc_87164D:				; CODE XREF: IoRegisterPlugPlayNotification+323j
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, [esp+58h+var_44]
		mov	[eax], edi
		jmp	loc_871587
; 

loc_87165D:				; CODE XREF: IoRegisterPlugPlayNotification+162j
		xor	esi, esi

loc_87165F:				; CODE XREF: IoRegisterPlugPlayNotification+294j
		push	edi
		lea	eax, [esp+5Ch+var_38]
		mov	[esp+5Ch+var_40], esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+58h+var_38]
		mov	[esp+58h+var_8], eax
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		push	eax
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		cmp	[ebx+0Ch], eax
		jnz	short loc_8716B7

loc_871686:				; CODE XREF: IoRegisterPlugPlayNotification+2B1j
					; IoRegisterPlugPlayNotification+B6396j
		lea	eax, [esp+58h+var_40]
		mov	ecx, ebx
		push	eax
		lea	edx, [esp+5Ch+var_2C]
		call	PnpNotifyDriverCallback

loc_871696:				; CODE XREF: IoRegisterPlugPlayNotification+B6390j
		movzx	eax, word ptr [esp+58h+var_38]
		shr	eax, 1
		lea	edi, [edi+eax*2]
		add	edi, 2
		cmp	[edi], si
		jnz	short loc_87165F
		mov	esi, [esp+58h+var_30]
		xor	ecx, ecx
		mov	eax, [esp+58h+var_48]
		jmp	loc_87157A
; 

loc_8716B7:				; CODE XREF: IoRegisterPlugPlayNotification+272j
		mov	ecx, [esp+58h+var_8]
		call	_IopGetSessionIdFromSymbolicName@4 ; IopGetSessionIdFromSymbolicName(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_871686
		jmp	loc_92779F
; 

loc_8716CA:				; CODE XREF: IoRegisterPlugPlayNotification+53j
		push	39706E50h
		xor	esi, esi
		push	2Ch
		inc	esi
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_87173A
		push	offset _PnpHwProfileNotifyLock
		push	ebx
		push	[ebp+arg_14]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+arg_10]
		call	PnpInitializeNotifyEntry
		mov	esi, eax
		test	esi, esi
		js	short loc_87173F
		mov	ecx, edi
		call	_PnpDeferNotification@4	; PnpDeferNotification(x)
		mov	esi, eax
		test	esi, esi
		js	loc_9277AD
		mov	ebx, offset _PnpHwProfileNotifyLock
		mov	ecx, ebx
		call	@KeAcquireGuardedMutex@4 ; KeAcquireGuardedMutex(x)
		mov	eax, ds:dword_A94434
		mov	ecx, offset _PnpProfileNotifyList
		cmp	[eax], ecx
		jnz	short loc_871752
		mov	[edi], ecx
		mov	ecx, ebx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	ds:dword_A94434, edi
		jmp	loc_87164D
; 

loc_87173A:				; CODE XREF: IoRegisterPlugPlayNotification+74j
					; IoRegisterPlugPlayNotification+2CCj ...
		mov	esi, 0C000009Ah

loc_87173F:				; CODE XREF: IoRegisterPlugPlayNotification+97j
					; IoRegisterPlugPlayNotification+151j ...
		mov	ecx, [esp+58h+var_3C]
		mov	edx, 4E706E50h
		call	ObfDereferenceObjectWithTag
		jmp	loc_87158F
; 

loc_871752:				; CODE XREF: IoRegisterPlugPlayNotification+E2j
					; IoRegisterPlugPlayNotification+226j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
IoRegisterPlugPlayNotification endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDeferNotification(x)
_PnpDeferNotification@4	proc near	; CODE XREF: IoRegisterPlugPlayNotification+A8p
					; IoRegisterPlugPlayNotification+202p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_1], 0
		push	edi
		mov	ecx, offset _PnpNotificationInProgressLock
		xor	edi, edi
		call	ExAcquireFastMutex
		cmp	ds:_PnpNotificationInProgress, 0
		jnz	short loc_871782
		cmp	dword ptr [ebx+8], 3
		jnz	short loc_8717E8

loc_871782:				; CODE XREF: PnpDeferNotification(x)+22j
		push	37706E50h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8717E3
		mov	[esi+8], ebx
		inc	word ptr [ebx+20h]
		mov	byte ptr [ebx+22h], 1
		mov	ebx, offset _PnpDeferredRegistrationLock
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	eax, ds:dword_A9442C
		mov	ecx, offset _PnpDeferredRegistrationList
		cmp	[eax], ecx
		jz	short loc_8717C0
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8717C0:				; CODE XREF: PnpDeferNotification(x)+61j
		mov	[esi], ecx
		mov	ecx, ebx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	ds:dword_A9442C, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	ds:_PnpNotificationInProgress, 0
		jnz	short loc_8717E8
		mov	[ebp+var_1], 1
		jmp	short loc_8717E8
; 

loc_8717E3:				; CODE XREF: PnpDeferNotification(x)+3Cj
		mov	edi, 0C000009Ah

loc_8717E8:				; CODE XREF: PnpDeferNotification(x)+28j
					; PnpDeferNotification(x)+83j ...
		mov	ecx, offset _PnpNotificationInProgressLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	[ebp+var_1], 0
		jz	short loc_871803
		xor	edx, edx
		xor	ecx, ecx
		call	_PnpInsertNoopEvent@8 ;	PnpInsertNoopEvent(x,x)
		xor	edi, edi

loc_871803:				; CODE XREF: PnpDeferNotification(x)+9Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnpDeferNotification@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpInitializeNotifyEntry proc near	; CODE XREF: IoRegisterPlugPlayNotification+8Ep
					; IoRegisterPlugPlayNotification+1E0p ...

var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009277BD SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 234h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_214], edx
		mov	ebx, ecx
		mov	[ebp+var_21C], eax
		push	6
		pop	ecx
		lea	edi, [ebp+var_234]
		mov	[ebp+var_218], eax
		rep stosd
		mov	ecx, [ebp+arg_0]
		mov	edi, eax
		mov	[ebp+var_210], eax
		mov	esi, eax
		mov	[ebp+var_20C], edi
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jnz	short loc_8718D1

loc_87185F:				; CODE XREF: PnpInitializeNotifyEntry+16Bj
		mov	eax, [ebp+var_214]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_210]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[ebx+14h], eax
		mov	eax, [ebp+arg_4]
		mov	[ebx+18h], eax
		mov	eax, [ebp+arg_8]
		mov	[ebx+1Ch], eax
		xor	eax, eax
		push	56706E50h
		inc	eax
		mov	[ebx+4], ebx
		push	38h
		mov	[ebx+20h], ax
		mov	eax, [ebp+arg_C]
		push	200h
		mov	[ebx], ebx
		mov	[ebx+10h], edi
		mov	byte ptr [ebx+22h], 0
		mov	[ebx+24h], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+28h], eax
		test	eax, eax
		jz	loc_9277BD
		push	eax
		call	ExInitializeResourceLite

loc_8718BE:				; CODE XREF: PnpInitializeNotifyEntry+176j
					; PnpInitializeNotifyEntry+B5FB8j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_8718D1:				; CODE XREF: PnpInitializeNotifyEntry+53j
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[ebp+var_210], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_87197B
		push	eax
		push	offset ??_C@_1DC@IFGNMEPF@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@
		lea	eax, [ebp+var_208]
		push	100h
		push	eax
		call	_swprintf_s
		add	esp, 10h
		lea	eax, [ebp+var_208]
		push	eax
		lea	eax, [ebp+var_21C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_21C]
		mov	[ebp+var_234], 18h
		mov	[ebp+var_22C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_234]
		mov	[ebp+var_230], ecx
		push	eax
		push	ecx
		lea	eax, [ebp+var_20C]
		mov	[ebp+var_228], 200h
		push	eax
		mov	[ebp+var_224], ecx
		mov	[ebp+var_220], ecx
		call	_ZwOpenSession@12 ; ZwOpenSession(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_87197B
		mov	edi, [ebp+var_20C]
		test	edi, edi
		jnz	loc_87185F

loc_87197B:				; CODE XREF: PnpInitializeNotifyEntry+E2j
					; PnpInitializeNotifyEntry+161j
		mov	esi, 0C000000Dh
		jmp	loc_8718BE
PnpInitializeNotifyEntry endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpNotifyDriverCallback	proc near	; CODE XREF: PnpNotifyTargetDeviceChangeNotifyEntry(x,x,x,x)+56p
					; PnpNotifyTargetDeviceChange+136p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00927BD8 SIZE 000000E8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_34], eax
		push	6
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_28], edx
		lea	edi, [ebp+var_20]
		rep stosd
		mov	ecx, [ebx+14h]
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		xor	edx, edx
		test	eax, eax
		jnz	loc_871A4B

loc_8719C2:				; CODE XREF: PnpNotifyDriverCallback+C8j
		mov	[ebp+var_22], dl
		mov	[ebp+var_21], dl
		mov	[ebp+var_2C], edx
		mov	[ebp+var_30], edx
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jnz	loc_871A5B

loc_8719DB:				; CODE XREF: PnpNotifyDriverCallback+F9j
		mov	esi, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		call	esi
		mov	[ebp+var_22], al
		mov	eax, large fs:124h
		push	dword ptr [ebx+18h]
		push	[ebp+var_28]
		mov	eax, [eax+13Ch]
		mov	[ebp+var_2C], eax
		call	dword ptr [ebx+14h]
		mov	[ebp+var_28], eax
		call	esi
		mov	ecx, large fs:124h
		mov	[ebp+var_21], al
		mov	eax, [ebp+var_34]
		mov	edi, [ecx+13Ch]
		test	eax, eax
		jz	short loc_871A1F
		mov	ecx, [ebp+var_28]
		mov	[eax], ecx

loc_871A1F:				; CODE XREF: PnpNotifyDriverCallback+92j
		xor	eax, eax
		mov	esi, eax

loc_871A23:				; CODE XREF: PnpNotifyDriverCallback+B62CEj
		mov	al, [ebp+var_22]
		cmp	al, [ebp+var_21]
		jnz	loc_927C63
		cmp	[ebp+var_2C], edi
		jnz	loc_927C63

loc_871A38:				; CODE XREF: PnpNotifyDriverCallback+B62D8j
		mov	eax, esi

loc_871A3A:				; CODE XREF: PnpNotifyDriverCallback+D3j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_871A4B:				; CODE XREF: PnpNotifyDriverCallback+36j
		cmp	[ebx+10h], edx
		jnz	loc_8719C2
		mov	eax, 0C000000Dh
		jmp	short loc_871A3A
; 

loc_871A5B:				; CODE XREF: PnpNotifyDriverCallback+4Fj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+0FCh], 10000h
		jz	loc_927BD8
		call	_PsGetCurrentProcessSessionId@0	; PsGetCurrentProcessSessionId()
		cmp	[ebx+0Ch], eax
		jz	loc_8719DB
		jmp	loc_927BD8
PnpNotifyDriverCallback	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetDefaultUILanguage(x)
_NtSetDefaultUILanguage@4 proc near	; DATA XREF: .text:00580CF4o

arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_871A9F
		call	ExpSetPendingUILanguage

loc_871A9B:				; CODE XREF: NtSetDefaultUILanguage(x)+17j
		pop	ebp
		retn	4
; 

loc_871A9F:				; CODE XREF: NtSetDefaultUILanguage(x)+Aj
		xor	eax, eax
		jmp	short loc_871A9B
_NtSetDefaultUILanguage@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSetDefaultLocale proc	near		; DATA XREF: .text:00580CF8o

var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092C2EA SIZE 00000154 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 144h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+144h+var_4], eax
		push	ebx
		push	esi
		xor	esi, esi
		cmp	[ebp+arg_0], 0
		push	edi
		mov	[esp+150h+var_12C], esi
		mov	[esp+150h+var_128], esi
		mov	[esp+150h+var_134], esi
		mov	[esp+150h+var_130], esi
		mov	[esp+150h+var_138], esi
		mov	[esp+150h+var_140], esi
		mov	[esp+150h+var_124], esi
		jz	loc_92C2EA
		lea	eax, [esp+150h+var_138]
		push	eax
		call	OpenGlobalizationUserSettingsKey
		test	eax, eax
		js	loc_871C1B
		mov	edi, 640h
		mov	[esp+150h+var_13C], offset ??_C@_1DI@HFDNKLGP@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?5?$AAP?$AAa?$AAn?$AAe?$AAl?$AA?2?$AAI@NNGAKEGL@ ;	"Control Panel\\International"
		mov	ecx, offset ??_C@_1O@EKJBMENL@?$AAL?$AAo?$AAc?$AAa?$AAl?$AAe@NNGAKEGL@

loc_871B0F:				; CODE XREF: NtSetDefaultLocale+BA871j
		lea	eax, [esp+150h+var_134]
		push	ecx
		push	eax
		lea	ebx, [esp+158h+var_12C]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[esp+150h+var_13C]
		push	ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [esp+150h+var_138]
		mov	[esp+150h+var_11C], eax
		mov	eax, ebx
		mov	ebx, [ebp+arg_4]
		mov	[esp+150h+var_120], 18h
		mov	[esp+150h+var_114], edi
		mov	[esp+150h+var_118], eax
		mov	[esp+150h+var_110], esi
		mov	[esp+150h+var_10C], esi
		test	ebx, ebx
		jnz	loc_92C35D
		lea	eax, [esp+150h+var_120]
		push	eax
		push	80000000h
		lea	eax, [esp+158h+var_140]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_871BF8
		lea	eax, [esp+150h+var_124]
		push	eax
		push	100h
		lea	eax, [esp+158h+var_108]
		push	eax
		push	2
		lea	eax, [esp+160h+var_134]
		push	eax
		push	[esp+164h+var_140]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_871BEF
		cmp	[esp+150h+var_104], 1
		jnz	loc_92C33C
		lea	edx, [esp+150h+var_FC]
		cmp	[esp+150h+var_100], esi
		jbe	short loc_871BEF
		mov	[esp+150h+var_13C], 9

loc_871BB5:				; CODE XREF: NtSetDefaultLocale+135j
		movzx	ecx, word ptr [edx]
		lea	edx, [edx+2]
		lea	eax, [ecx-30h]
		cmp	ax, word ptr [esp+150h+var_13C]
		ja	short loc_871BDD
		lea	eax, [ecx-30h]

loc_871BC8:				; CODE XREF: NtSetDefaultLocale+BA882j
					; NtSetDefaultLocale+BA893j
		cmp	eax, 10h
		jnb	short loc_871BEF
		shl	ebx, 4
		add	esi, 2
		or	ebx, eax
		cmp	esi, [esp+150h+var_100]
		jb	short loc_871BB5
		jmp	short loc_871BEF
; 

loc_871BDD:				; CODE XREF: NtSetDefaultLocale+11Fj
		cmp	ecx, 41h
		jnb	loc_92C31A

loc_871BE6:				; CODE XREF: NtSetDefaultLocale+BA879j
		cmp	ecx, 61h
		jnb	loc_92C32B

loc_871BEF:				; CODE XREF: NtSetDefaultLocale+F2j
					; NtSetDefaultLocale+107j ...
		push	[esp+150h+var_140]
		call	_ZwClose@4	; ZwClose(x)

loc_871BF8:				; CODE XREF: NtSetDefaultLocale+C9j
					; NtSetDefaultLocale+BA8E0j ...
		cmp	[esp+150h+var_138], 0
		jz	short loc_871C08
		push	[esp+150h+var_138]
		call	_ZwClose@4	; ZwClose(x)

loc_871C08:				; CODE XREF: NtSetDefaultLocale+159j
		test	edi, edi
		js	short loc_871C19
		cmp	[ebp+arg_0], 0
		jz	short loc_871C32
		mov	ecx, ebx
		call	_MmSetSessionLocaleId@4	; MmSetSessionLocaleId(x)

loc_871C19:				; CODE XREF: NtSetDefaultLocale+166j
					; NtSetDefaultLocale+194j
		mov	eax, edi

loc_871C1B:				; CODE XREF: NtSetDefaultLocale+53j
					; NtSetDefaultLocale+BA859j
		mov	ecx, [esp+150h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_871C32:				; CODE XREF: NtSetDefaultLocale+16Cj
		mov	ds:_PsDefaultSystemLocaleId, ebx
		jmp	short loc_871C19
NtSetDefaultLocale endp


;  S U B	R O U T	I N E 


; __stdcall MmSetSessionLocaleId(x)
_MmSetSessionLocaleId@4	proc near	; CODE XREF: NtSetDefaultLocale+170p
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		mov	eax, [edx+180h]
		test	eax, eax
		jz	short loc_871C60
		test	dword ptr [edx+3A8h], 1000h
		jnz	short loc_871C60
		mov	[eax+38h], ecx
		retn
; 

loc_871C60:				; CODE XREF: MmSetSessionLocaleId(x)+14j
					; MmSetSessionLocaleId(x)+20j
		mov	ds:_PsDefaultThreadLocaleId, ecx
		retn
_MmSetSessionLocaleId@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpSetPendingUILanguage	proc near	; CODE XREF: NtSetDefaultUILanguage(x)+Cp

var_478		= dword	ptr -478h
var_474		= dword	ptr -474h
var_470		= dword	ptr -470h
var_46C		= dword	ptr -46Ch
var_468		= dword	ptr -468h
var_464		= dword	ptr -464h
var_460		= dword	ptr -460h
var_45C		= dword	ptr -45Ch
var_458		= dword	ptr -458h
var_454		= dword	ptr -454h
var_450		= dword	ptr -450h
var_44C		= dword	ptr -44Ch
var_448		= dword	ptr -448h
var_444		= dword	ptr -444h
var_440		= dword	ptr -440h
var_43C		= dword	ptr -43Ch
var_438		= dword	ptr -438h
var_434		= dword	ptr -434h
var_430		= dword	ptr -430h
var_42C		= dword	ptr -42Ch
var_426		= byte ptr -426h
var_425		= byte ptr -425h
var_424		= dword	ptr -424h
var_420		= dword	ptr -420h
var_41C		= dword	ptr -41Ch
var_418		= dword	ptr -418h
var_414		= dword	ptr -414h
var_410		= dword	ptr -410h
var_40C		= dword	ptr -40Ch
var_200		= dword	ptr -200h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092C43E SIZE 000005A4 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFE0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A72E0
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		push	ecx
		push	ecx
		push	ebx
		sub	esp, 478h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_24], eax
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		xor	eax, eax
		mov	[ebp+var_450], eax
		mov	[ebp+var_44C], eax
		mov	[ebp+var_458], eax
		mov	[ebp+var_454], eax
		mov	[ebp+var_478], eax
		mov	[ebp+var_474], eax
		mov	[ebp+var_464], eax
		mov	[ebp+var_42C], eax
		push	0AAh		; size_t
		push	eax		; int
		lea	eax, [ebp+var_200]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_45C], eax
		mov	[ebp+var_46C], eax
		mov	[ebp+var_460], eax
		mov	[ebp+var_424], eax
		mov	[ebp+var_430], eax
		mov	[ebp+var_425], 1
		mov	[ebp+var_426], al
		lea	eax, [ebp+var_464]
		push	eax
		call	OpenGlobalizationUserSettingsKey
		test	eax, eax
		js	loc_872175
		push	offset ??_C@_1CM@FDDKAFMM@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?5?$AAP?$AAa?$AAn?$AAe?$AAl?$AA?2?$AAD@NNGAKEGL@ ; "Control Panel\\Desktop"
		lea	eax, [ebp+var_450]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	edi
		mov	[ebp+var_448], edi
		mov	eax, [ebp+var_464]
		mov	[ebp+var_444], eax
		mov	[ebp+var_43C], 640h
		lea	eax, [ebp+var_450]
		mov	[ebp+var_440], eax
		and	[ebp+var_438], 0
		and	[ebp+var_434], 0
		lea	eax, [ebp+var_448]
		push	eax
		push	40000000h
		lea	eax, [ebp+var_46C]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		mov	[ebp+var_468], esi
		test	esi, esi
		js	loc_8720D8
		mov	esi, offset ??_C@_1DI@FJENBGDK@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe?$AAd?$AAU?$AAI?$AAL?$AAa?$AAn?$AAg@NNGAKEGL@ ; "PreferredUILanguagesPending"
		push	esi
		lea	eax, [ebp+var_458]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_45C]
		push	eax
		push	100h
		lea	eax, [ebp+var_140]
		push	eax
		push	2
		lea	eax, [ebp+var_458]
		push	eax
		push	[ebp+var_46C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_92C43E

loc_871DF2:				; CODE XREF: ExpSetPendingUILanguage+BA7DDj
					; ExpSetPendingUILanguage+BA7EAj ...
		mov	edi, offset ??_C@_1EA@FMIONCIH@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?5?$AAP?$AAa?$AAn?$AAe?$AAl?$AA?2?$AAD@NNGAKEGL@ ; "Control Panel\\Desktop\\MuiCached"
		push	edi
		lea	eax, [ebp+var_450]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_448], 18h
		mov	eax, [ebp+var_464]
		mov	[ebp+var_444], eax
		mov	[ebp+var_43C], 640h
		lea	eax, [ebp+var_450]
		mov	[ebp+var_440], eax
		and	[ebp+var_438], 0
		and	[ebp+var_434], 0
		lea	eax, [ebp+var_448]
		push	eax
		push	40000000h
		lea	eax, [ebp+var_424]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		push	offset ??_C@_1IA@GPBHBJN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		lea	eax, [ebp+var_450]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_448], 18h
		xor	ecx, ecx
		mov	[ebp+var_444], ecx
		mov	[ebp+var_43C], 640h
		lea	eax, [ebp+var_450]
		mov	[ebp+var_440], eax
		mov	[ebp+var_438], ecx
		mov	[ebp+var_434], ecx
		lea	eax, [ebp+var_448]
		push	eax
		push	80000000h
		lea	eax, [ebp+var_42C]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_92C641
		push	offset ??_C@_1CK@CDBMDBEP@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe?$AAd?$AAU?$AAI?$AAL?$AAa?$AAn?$AAg@NNGAKEGL@
		lea	eax, [ebp+var_458]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_45C]
		push	eax
		push	100h
		lea	eax, [ebp+var_140]
		push	eax
		push	2
		lea	eax, [ebp+var_458]
		push	eax
		push	[ebp+var_42C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_92C676

loc_871EFB:				; CODE XREF: ExpSetPendingUILanguage+BAA15j
					; ExpSetPendingUILanguage+BAA28j
		and	[ebp+var_470], 0
		and	[ebp+var_138], 0
		lea	eax, [ebp+var_470]
		push	eax
		call	NtQueryInstallUILanguage
		mov	esi, eax
		test	esi, esi
		js	loc_92C69A
		push	0
		push	80h
		lea	edx, [ebp+var_134]
		mov	ecx, [ebp+var_470]
		call	DownLevelLangIDToLanguageName
		mov	[ebp+var_138], eax
		test	eax, eax
		jz	loc_92C695
		add	eax, eax
		mov	[ebp+var_138], eax
		test	esi, esi
		js	loc_92C69A

loc_871F55:				; CODE XREF: ExpSetPendingUILanguage+BAA22j
		cmp	[ebp+var_424], 0
		jz	loc_872193

loc_871F62:				; CODE XREF: ExpSetPendingUILanguage+599j
		push	offset ??_C@_1DI@CNCPGFIN@?$AAM?$AAa?$AAc?$AAh?$AAi?$AAn?$AAe?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe@NNGAKEGL@	; "MachinePreferredUILanguages"
		lea	eax, [ebp+var_458]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+var_138]
		lea	eax, [ebp+var_134]
		push	eax
		push	7
		push	0
		lea	eax, [ebp+var_458]
		push	eax
		push	[ebp+var_424]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_92C6D0

loc_871F9E:				; CODE XREF: ExpSetPendingUILanguage+BAA4Bj
					; ExpSetPendingUILanguage+BAA63j ...
		push	[ebp+var_42C]
		call	_ZwClose@4	; ZwClose(x)

loc_871FA9:				; CODE XREF: ExpSetPendingUILanguage+BA9E0j
					; ExpSetPendingUILanguage+BAA09j
		push	offset ??_C@_1DK@EOBOFKDB@?$AAM?$AAa?$AAc?$AAh?$AAi?$AAn?$AAe?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@NNGAKEGL@	; "MachineLanguageConfiguration"
		lea	eax, [ebp+var_450]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_448], 18h
		mov	eax, [ebp+var_424]
		mov	[ebp+var_444], eax
		mov	[ebp+var_43C], 640h
		lea	eax, [ebp+var_450]
		mov	[ebp+var_440], eax
		and	[ebp+var_438], 0
		and	[ebp+var_434], 0
		lea	eax, [ebp+var_448]
		push	eax
		push	40000000h
		lea	eax, [ebp+var_430]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	loc_92C6E6

loc_872014:				; CODE XREF: ExpSetPendingUILanguage+BAABBj
					; ExpSetPendingUILanguage+BAB06j
		push	offset ??_C@_1KM@IAIDLDJP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		lea	eax, [ebp+var_450]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_448], 18h
		xor	ecx, ecx
		mov	[ebp+var_444], ecx
		mov	[ebp+var_43C], 640h
		lea	eax, [ebp+var_450]
		mov	[ebp+var_440], eax
		mov	[ebp+var_438], ecx
		mov	[ebp+var_434], ecx
		lea	eax, [ebp+var_448]
		push	eax
		push	80000000h
		lea	eax, [ebp+var_42C]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		xor	esi, esi
		test	eax, eax
		js	loc_92C773

loc_87207B:				; CODE XREF: ExpSetPendingUILanguage+BAB1Cj
		mov	edi, esi
		push	210h		; size_t
		push	0		; int
		lea	eax, [ebp+var_420]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, esi
		inc	esi
		mov	[ebp+var_470], esi
		lea	ecx, [ebp+var_45C]
		push	ecx
		push	20Eh
		lea	ecx, [ebp+var_420]
		push	ecx
		push	1
		push	eax
		push	[ebp+var_42C]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_468], esi
		test	esi, esi
		jns	loc_92C789

loc_8720CD:				; CODE XREF: ExpSetPendingUILanguage+BAC93j
		push	[ebp+var_42C]
		call	_ZwClose@4	; ZwClose(x)

loc_8720D8:				; CODE XREF: ExpSetPendingUILanguage+143j
					; ExpSetPendingUILanguage+59Fj	...
		cmp	[ebp+var_46C], 0
		jz	short loc_8720EC
		push	[ebp+var_46C]
		call	_ZwClose@4	; ZwClose(x)

loc_8720EC:				; CODE XREF: ExpSetPendingUILanguage+477j
		cmp	[ebp+var_460], 0
		jnz	loc_92C90D
		mov	edi, 8000001Ah

loc_8720FE:				; CODE XREF: ExpSetPendingUILanguage+BACDCj
		cmp	[ebp+var_424], 0
		jz	short loc_87214E
		mov	eax, [ebp+var_430]
		test	eax, eax
		jnz	loc_92C949

loc_872115:				; CODE XREF: ExpSetPendingUILanguage+BAD09j
		mov	eax, [ebp+var_430]
		test	eax, eax
		jnz	loc_92C976

loc_872123:				; CODE XREF: ExpSetPendingUILanguage+BAD14j
		lea	eax, [ebp+var_45C]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	[ebp+var_424]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		cmp	eax, edi
		jz	loc_92C981

loc_872143:				; CODE XREF: ExpSetPendingUILanguage+BACE8j
					; ExpSetPendingUILanguage+BAD03j ...
		push	[ebp+var_424]
		call	_ZwClose@4	; ZwClose(x)

loc_87214E:				; CODE XREF: ExpSetPendingUILanguage+49Dj
		cmp	[ebp+var_430], 0
		jnz	loc_92C991

loc_87215B:				; CODE XREF: ExpSetPendingUILanguage+BAD34j
		push	[ebp+var_464]
		call	_ZwClose@4	; ZwClose(x)
		cmp	[ebp+var_426], 1
		jz	loc_92C9A1

loc_872173:				; CODE XREF: ExpSetPendingUILanguage+BAD5Dj
					; ExpSetPendingUILanguage+BAD75j ...
		mov	eax, esi

loc_872175:				; CODE XREF: ExpSetPendingUILanguage+D1j
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	ecx, [ebp+var_24]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn			; char
; 

loc_872193:				; CODE XREF: ExpSetPendingUILanguage+2F4j
		push	edi
		lea	eax, [ebp+var_450]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_448], 18h
		mov	eax, [ebp+var_464]
		mov	[ebp+var_444], eax
		mov	[ebp+var_43C], 640h
		lea	eax, [ebp+var_450]
		mov	[ebp+var_440], eax
		xor	eax, eax
		mov	[ebp+var_438], eax
		mov	[ebp+var_434], eax
		push	eax
		push	1
		push	eax
		push	eax
		lea	eax, [ebp+var_448]
		push	eax
		push	40000000h
		lea	eax, [ebp+var_424]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_468], esi
		test	esi, esi
		jns	loc_871F62
		jmp	loc_8720D8
ExpSetPendingUILanguage	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2274. RtlOpenCurrentUser

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlOpenCurrentUser
RtlOpenCurrentUser proc	near		; CODE XREF: OpenGlobalizationUserSettingsKey+1Ep

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092CA2C SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_20]
		rep stosd
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_RtlFormatCurrentUserKeyPath@4 ; RtlFormatCurrentUserKeyPath(x)
		mov	esi, eax
		push	18h
		pop	edi
		test	esi, esi
		js	short loc_872274
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+arg_0]
		mov	[ebp+var_1C], ebx
		push	[ebp+arg_4]
		mov	[ebp+var_14], 640h
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_872274:				; CODE XREF: RtlOpenCurrentUser+2Dj
		cmp	esi, 0C0000034h
		jz	loc_92CA2C

loc_872280:				; CODE XREF: RtlOpenCurrentUser+BA853j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
RtlOpenCurrentUser endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 293. EtwSetInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public EtwSetInformation
EtwSetInformation proc near		; CODE XREF: BapdWriteEtwEvents+24Fp
					; BapdWriteEtwEvents+2AFp ...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0092F072 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_8722CE
		mov	eax, [ebp+arg_8]
		dec	eax
		sub	eax, 1
		jnz	loc_92F072
		mov	edx, [ebp+arg_C]
		test	edx, edx
		jz	short loc_8722D5
		cmp	[ebp+arg_10], 3
		jb	short loc_8722D5
		cmp	[ebp+arg_10], 7FFFh
		ja	short loc_8722D5
		push	[ebp+arg_10]
		call	_EtwpSetProviderTraitsKm@12 ; EtwpSetProviderTraitsKm(x,x,x)

loc_8722C8:				; CODE XREF: EtwSetInformation+45j
					; EtwSetInformation+4Cj ...
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8722CE:				; CODE XREF: EtwSetInformation+Dj
		mov	eax, 0C0000008h
		jmp	short loc_8722C8
; 

loc_8722D5:				; CODE XREF: EtwSetInformation+21j
					; EtwSetInformation+27j ...
		mov	eax, 0C000000Dh
		jmp	short loc_8722C8
EtwSetInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSetProviderTraitsKm(x, x, x)
_EtwpSetProviderTraitsKm@12 proc near	; CODE XREF: EtwSetInformation+35p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		movzx	eax, word ptr [edi+32h]
		test	al, 8
		jnz	short loc_87235A
		test	al, 1
		jz	short loc_87235A
		cmp	dword ptr [edi+38h], 0
		jz	short loc_872308
		mov	esi, 0C0000001h
		jmp	short loc_872363
; 

loc_872308:				; CODE XREF: EtwpSetProviderTraitsKm(x,x,x)+23j
		movzx	esi, [ebp+arg_0]
		push	54777445h
		lea	eax, [esi+10h]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_87232C
		mov	esi, 0C000009Ah
		jmp	short loc_872363
; 

loc_87232C:				; CODE XREF: EtwpSetProviderTraitsKm(x,x,x)+47j
		push	esi		; size_t
		push	[ebp+var_4]	; void *
		lea	eax, [ebx+10h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_8]
		xor	edx, edx
		xor	ecx, ecx
		push	offset _EtwpProviderTraitsKmTree
		push	offset _EtwpProviderTraitsKmMutex
		push	esi
		push	ebx
		push	edi
		push	eax
		call	EtwpSetProviderTraitsCommon
		mov	esi, eax
		jmp	short loc_87235F
; 

loc_87235A:				; CODE XREF: EtwpSetProviderTraitsKm(x,x,x)+19j
					; EtwpSetProviderTraitsKm(x,x,x)+1Dj
		mov	esi, 0C000000Dh

loc_87235F:				; CODE XREF: EtwpSetProviderTraitsKm(x,x,x)+7Cj
		test	esi, esi
		jz	short loc_872386

loc_872363:				; CODE XREF: EtwpSetProviderTraitsKm(x,x,x)+2Aj
					; EtwpSetProviderTraitsKm(x,x,x)+4Ej
		push	offset _ETW_EVENT_SET_TRAITS_FAILED
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_872386
		push	esi
		push	edi
		push	ecx
		push	ecx
		call	_EtwpEventWriteRegistrationStatus@24 ; EtwpEventWriteRegistrationStatus(x,x,x,x,x,x)

loc_872386:				; CODE XREF: EtwpSetProviderTraitsKm(x,x,x)+85j
					; EtwpSetProviderTraitsKm(x,x,x)+9Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpSetProviderTraitsKm@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipGenerateContainerID proc near	; CODE XREF: PiProcessNewDeviceNode+5D5p

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
Source2		= dword	ptr -6Ch
var_5C		= dword	ptr -5Ch
var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E0798 SIZE 00000072 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	[ebp+var_80], eax
		mov	ebx, ecx
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+Source2]
		mov	[ebp+var_84], edx
		stosd
		xor	esi, esi
		mov	[ebp+var_78], esi
		mov	[ebp+var_7C], esi
		mov	[ebp+var_70], esi
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, [ebp+var_80]
		mov	[ebp+var_74], eax
		mov	[edi], esi
		cmp	[ebp+arg_0], al
		jnz	short loc_872446
		mov	ecx, [ebx+8]
		add	ecx, 1A8h

loc_8723E5:				; CODE XREF: PipGenerateContainerID+6E46Bj
		push	1
		lea	edx, [ebp+var_74]
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax

loc_8723F1:				; CODE XREF: PipGenerateContainerID+163j
		test	esi, esi
		js	short loc_872433
		mov	edi, [ebp+var_80]

loc_8723F8:				; CODE XREF: PipGenerateContainerID+6E414j
		cmp	[ebp+var_70], 0
		jz	short loc_872433
		movzx	eax, word ptr [ebp+var_74+2]
		push	6E657050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jz	loc_8E0800
		movzx	ecx, word ptr [ebp+var_74+2]
		push	ecx		; size_t
		push	[ebp+var_70]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_87242A:				; CODE XREF: PipGenerateContainerID+6E475j
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_872433:				; CODE XREF: PipGenerateContainerID+63j
					; PipGenerateContainerID+6Cj ...
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_872446:				; CODE XREF: PipGenerateContainerID+4Aj
		test	ecx, ecx
		jnz	loc_8E0798
		test	edx, edx
		jz	loc_8E07E5
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _PnpRegistryDeviceResource
		push	edi
		call	ExAcquireResourceSharedLite
		mov	edx, [ebx+18h]
		lea	eax, [ebp+var_78]
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_78], 4Eh
		push	eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	25h
		push	[ebp+var_84]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	ecx, edi
		mov	esi, eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		js	loc_8E07C6
		cmp	[ebp+var_7C], 1
		jnz	loc_8E07CE
		lea	eax, [ebp+var_5C]
		push	eax		; void *
		lea	eax, [ebp+var_74]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	loc_8E07BF
		lea	eax, [ebp+Source2]
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E07B4

loc_8724EE:				; CODE XREF: PipGenerateContainerID+6E447j
		mov	edi, [ebx+8]

loc_8724F1:				; CODE XREF: PipGenerateContainerID+18Fj
		test	edi, edi
		jz	loc_8723F1
		lea	eax, [edi+1A8h]
		lea	ecx, [ebp+Source2]
		cmp	eax, ecx
		jz	loc_8E07DC
		push	10h		; Length
		push	ecx		; Source2
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jz	loc_8E07DC
		mov	edi, [edi+8]
		jmp	short loc_8724F1
PipGenerateContainerID endp

; 
		align 2

;  S U B	R O U T	I N E 


PipProcessStartPhase2 proc near		; CODE XREF: PipProcessDevNodeTree+332p

; FUNCTION CHUNK AT 008E084F SIZE 0000008C BYTES

		test	byte_6CD8BB, 10h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jnz	loc_8E084F

loc_872534:				; CODE XREF: PipProcessStartPhase2+6E33Dj
		cmp	dword ptr [esi+174h], 0
		mov	edi, [esi+108h]
		jnz	loc_8E0864

loc_872547:				; CODE XREF: PipProcessStartPhase2+6E350j
					; PipProcessStartPhase2+6E35Aj
		test	edi, edi
		js	loc_8E0881
		mov	ecx, esi
		call	_IopDoDeferredSetInterfaceState@4 ; IopDoDeferredSetInterfaceState(x)
		cmp	_IopBootConfigsReserved, 0
		jz	short loc_87257F

loc_87255F:				; CODE XREF: PipProcessStartPhase2+66j
					; PipProcessStartPhase2+78j
		push	ecx
		mov	edx, 307h
		mov	ecx, esi
		call	PipSetDevNodeState

loc_87256C:				; CODE XREF: PipProcessStartPhase2+6E391j
					; PipProcessStartPhase2+6E39Fj
		test	byte_6CD8BB, 10h
		jnz	loc_8E08C6

loc_872579:				; CODE XREF: PipProcessStartPhase2+6E3B4j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_87257F:				; CODE XREF: PipProcessStartPhase2+3Bj
		mov	ecx, [esi+12Ch]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_87255F
		cmp	ecx, 1
		jz	short loc_87259C

loc_87258F:				; CODE XREF: PipProcessStartPhase2+8Ej
		mov	edx, [esi+130h]
		call	IopAllocateLegacyBootResources
		jmp	short loc_87255F
; 

loc_87259C:				; CODE XREF: PipProcessStartPhase2+6Bj
		mov	edx, [esi+130h]
		push	2
		pop	ecx
		call	IopAllocateLegacyBootResources
		mov	ecx, [esi+12Ch]
		jmp	short loc_87258F
PipProcessStartPhase2 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiBuildDeviceNodeInstancePath proc near	; CODE XREF: PiProcessNewDeviceNode+270p

var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E08DB SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, edx
		xor	esi, esi
		mov	dword ptr [ebp+var_8], ebx
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	loc_8E0913
		cmp	[ebp+arg_0], esi
		jz	loc_8E0913
		cmp	[ebp+arg_4], esi
		jz	loc_8E0913
		cmp	[edi+18h], esi
		jnz	loc_8E08DB

loc_8725E9:				; CODE XREF: PiBuildDeviceNodeInstancePath+6E33Cj
					; PiBuildDeviceNodeInstancePath+6E34Aj
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_8725EE:				; CODE XREF: PiBuildDeviceNodeInstancePath+45j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_8725EE
		sub	ecx, edx
		mov	edx, [ebp+arg_0]
		sar	ecx, 1
		lea	ebx, [edx+2]

loc_872603:				; CODE XREF: PiBuildDeviceNodeInstancePath+5Aj
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, si
		jnz	short loc_872603
		sub	edx, ebx
		mov	ebx, [ebp+arg_4]
		sar	edx, 1
		lea	eax, [ebx+2]
		mov	[ebp+var_4], eax

loc_87261B:				; CODE XREF: PiBuildDeviceNodeInstancePath+72j
		mov	ax, [ebx]
		add	ebx, 2
		cmp	ax, si
		jnz	short loc_87261B
		sub	ebx, [ebp+var_4]
		sar	ebx, 1
		push	49706E50h
		lea	eax, [ebx+edx]
		add	eax, ecx
		lea	ebx, ds:6[eax*2]
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_872694
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	dword ptr [ebp+var_8] ;	char
		push	offset ??_C@_1BC@GLIGFLDD@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@	; "%s\\%s\\%s"
		push	ebx		; int
		push	esi		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	ebx, eax
		add	esp, 18h
		test	ebx, ebx
		js	loc_8E0918
		mov	eax, [edi+18h]
		test	eax, eax
		jnz	loc_8E0901

loc_87267A:				; CODE XREF: PiBuildDeviceNodeInstancePath+6E35Cj
		mov	ecx, edi
		call	PnpFreeDeviceInstancePath
		push	esi
		lea	eax, [edi+14h]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_87268B:				; CODE XREF: PiBuildDeviceNodeInstancePath+E7j
					; PiBuildDeviceNodeInstancePath+6E368j	...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_872694:				; CODE XREF: PiBuildDeviceNodeInstancePath+99j
		mov	ebx, 0C000009Ah
		jmp	short loc_87268B
PiBuildDeviceNodeInstancePath endp

; 
		align 4

;  S U B	R O U T	I N E 


PnpFreeDeviceInstancePath proc near	; CODE XREF: PiBuildDeviceNodeInstancePath+CAp
					; IopDestroyDeviceNode+14A6EAp

; FUNCTION CHUNK AT 008E0930 SIZE 00000010 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _PnpDeviceReferenceTableLock
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	eax, [esi+18h]
		test	eax, eax
		jnz	loc_8E0930

loc_8726BA:				; CODE XREF: PnpFreeDeviceInstancePath+6E29Fj
		xor	eax, eax
		mov	ecx, edi
		and	[esi+18h], eax
		mov	[esi+14h], eax
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		pop	esi
		pop	ecx
		retn
PnpFreeDeviceInstancePath endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCreateDeviceInstanceKey(x, x, x)
_PiCreateDeviceInstanceKey@12 proc near	; CODE XREF: PiProcessNewDeviceNode+29Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		mov	esi, edx
		mov	byte ptr [ebp+arg_0+3],	al
		push	edi
		mov	[ebx], eax
		mov	edi, ecx
		mov	[esi], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceSharedLite
		mov	edx, [edi+18h]
		lea	eax, [ebp+arg_0+3]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		push	esi
		push	0F003Fh
		call	_CmCreateDevice
		mov	esi, eax
		test	esi, esi
		js	short loc_87272B
		xor	edx, edx
		cmp	byte ptr [ebp+arg_0+3],	dl
		setz	dl
		inc	edx
		mov	[ebx], edx

loc_87272B:				; CODE XREF: PiCreateDeviceInstanceKey(x,x,x)+50j
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PiCreateDeviceInstanceKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmCreateDevice	proc near		; CODE XREF: PiCreateDeviceInstanceKey(x,x,x)+47p
					; IoReportDetectedDevice+1F0p ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E0940 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		push	2Ch		; size_t
		mov	[ebp+var_3C], eax
		mov	esi, ecx
		lea	eax, [ebp+var_30]
		mov	[ebp+var_34], edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_38], esi
		call	_memset
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	edi, [esi+100h]
		add	esp, 0Ch
		inc	ecx
		test	eax, eax
		jz	loc_8E0940

loc_872794:				; CODE XREF: _CmCreateDevice+6E201j
		mov	[ebp+var_28], eax

loc_872797:				; CODE XREF: _CmCreateDevice+6E1FBj
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1C], eax
		test	edi, edi
		jz	short loc_8727CD
		lea	eax, [ebp+var_30]
		push	eax
		push	ecx
		push	2
		push	ecx
		push	[ebp+var_34]
		push	esi
		call	edi
		cmp	eax, 0C0000002h
		jz	loc_8E0950
		cmp	eax, 0C0000120h
		jz	loc_87284A
		test	eax, eax
		jnz	loc_8E0957

loc_8727CD:				; CODE XREF: _CmCreateDevice+55j
					; _CmCreateDevice+6E208j
		push	[ebp+var_1C]
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_24]
		mov	ecx, esi
		push	eax
		push	[ebp+var_28]
		call	_CmCreateDeviceWorker
		mov	esi, eax
		test	edi, edi
		jz	short loc_872812
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	2
		push	1
		push	[ebp+var_34]
		push	[ebp+var_38]
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_872812
		cmp	eax, 0C0000120h
		jz	short loc_87284A
		test	eax, eax
		jnz	short loc_87284F

loc_872812:				; CODE XREF: _CmCreateDevice+9Fj
					; _CmCreateDevice+BBj ...
		test	esi, esi
		js	loc_8E095C
		test	ebx, ebx
		jz	loc_8E095C
		mov	eax, [ebp+var_24]
		mov	[ebx], eax

loc_872827:				; CODE XREF: _CmCreateDevice+6E216j
					; _CmCreateDevice+6E224j
		test	esi, esi
		js	short loc_872837
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_872837
		mov	al, byte ptr [ebp+var_20]
		mov	[ecx], al

loc_872837:				; CODE XREF: _CmCreateDevice+DFj
					; _CmCreateDevice+E6j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_87284A:				; CODE XREF: _CmCreateDevice+75j
					; _CmCreateDevice+C2j
		mov	esi, [ebp+var_30]
		jmp	short loc_872812
; 

loc_87284F:				; CODE XREF: _CmCreateDevice+C6j
		mov	esi, 0C00000E5h
		jmp	short loc_872812
_CmCreateDevice	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmCreateDeviceWorker proc near		; CODE XREF: _CmCreateDevice+96p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= word ptr  14h

; FUNCTION CHUNK AT 008E0973 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	eax, [ebp+arg_C]
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		test	eax, eax
		jnz	short loc_8728A7
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	1
		push	[ebp+arg_0]
		push	0
		push	10h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_87289E
		cmp	[ebp+var_4], 1
		mov	ecx, [ebp+arg_8]
		setz	dl
		mov	[ecx], dl
		test	dl, dl
		jnz	loc_8E0973

loc_87289E:				; CODE XREF: _CmCreateDeviceWorker+32j
					; _CmCreateDeviceWorker+56j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_8728A7:				; CODE XREF: _CmCreateDeviceWorker+17j
		mov	esi, 0C000000Dh
		jmp	short loc_87289E
_CmCreateDeviceWorker endp


;  S U B	R O U T	I N E 


; __stdcall IopDoDeferredSetInterfaceState(x)
_IopDoDeferredSetInterfaceState@4 proc near ; CODE XREF: PipProcessStartPhase2+2Fp
					; IoReportDetectedDevice+302p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [esi+10h]
		xor	ebx, ebx
		push	ebx
		push	10h
		pop	edx
		call	PpMarkDeviceStackExtensionFlag
		lea	edi, [esi+188h]

loc_8728E1:				; CODE XREF: IopDoDeferredSetInterfaceState(x)+65j
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_872915
		cmp	[esi+4], edi
		jnz	short loc_872931
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_872931
		mov	[edi], eax
		lea	ecx, [esi+8]
		push	ebx
		mov	dl, 1
		mov	[eax+4], edi
		call	IopProcessSetInterfaceState
		push	ebx
		push	dword ptr [esi+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8728E1
; 

loc_872915:				; CODE XREF: IopDoDeferredSetInterfaceState(x)+37j
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		retn
; 

loc_872931:				; CODE XREF: IopDoDeferredSetInterfaceState(x)+3Cj
					; IopDoDeferredSetInterfaceState(x)+43j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_IopDoDeferredSetInterfaceState@4 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall PnpClearDeviceTemporaryProperties(x, x)
_PnpClearDeviceTemporaryProperties@8 proc near ; CODE XREF: PiProcessNewDeviceNode+356p
					; IopInitializeDeviceInstanceKey+1D9p
		mov	edi, edi
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	esi, eax

loc_872943:				; CODE XREF: PnpClearDeviceTemporaryProperties(x,x)+31j
		mov	ecx, _PiPnpRtlCtx
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	ds:off_404850[esi]
		push	eax
		push	edi
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		add	esi, 4
		push	0
		pop	eax
		cmp	esi, 8
		jb	short loc_872943
		pop	edi
		pop	esi
		pop	ebx
		retn
_PnpClearDeviceTemporaryProperties@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpMapDeviceObjectToDeviceInstance(x, x)
_PnpMapDeviceObjectToDeviceInstance@8 proc near	; CODE XREF: PiProcessNewDeviceNode+4D5p
					; IopInitializeDeviceInstanceKey+24Cp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		mov	edi, offset _PnpDeviceReferenceTableLock
		mov	ecx, edi
		mov	[ebp+var_4], edx
		call	ExAcquireFastMutex
		push	0		; int
		push	8		; size_t
		lea	eax, [ebp+var_8]
		push	eax		; void *
		push	offset _PnpDeviceReferenceTable	; int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		neg	eax
		mov	ecx, edi
		sbb	esi, esi
		and	esi, 3FFFFFFFh
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		lea	eax, [esi-3FFFFFFFh]
		pop	esi
		leave
		retn
_PnpMapDeviceObjectToDeviceInstance@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpQueryDeviceID(x,	x, x)
_PnpQueryDeviceID@12 proc near		; CODE XREF: PiProcessNewDeviceNode+136p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		xor	edx, edx
		mov	[ebx], eax
		mov	[edi], eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	PnpQueryID
		mov	esi, eax
		test	esi, esi
		js	short loc_8729FF
		mov	ecx, [ebp+var_4]
		push	5Ch		; wchar_t
		push	ecx		; wchar_t *
		mov	[edi], ecx
		call	_wcschr
		pop	ecx
		pop	ecx
		xor	ecx, ecx
		mov	[eax], cx
		add	eax, 2
		mov	[ebx], eax

loc_8729FF:				; CODE XREF: PnpQueryDeviceID(x,x,x)+2Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PnpQueryDeviceID@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpNewDeviceNodeDependencyCheck(x)
_PnpNewDeviceNodeDependencyCheck@4 proc	near ; CODE XREF: PiProcessNewDeviceNode+95Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		mov	cl, 1
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	ecx, [esi+10h]
		call	_PipAddtoRebuildPowerRelationsQueue@4 ;	PipAddtoRebuildPowerRelationsQueue(x)
		mov	ecx, offset _PiDependencyRelationsLock
		call	ExReleaseResourceLite
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		call	_PipProcessRebuildPowerRelationsQueue@0	; PipProcessRebuildPowerRelationsQueue()
		lea	ecx, [ebp+var_4]
		call	PiPnpRtlBeginOperation
		xor	edx, edx
		mov	ecx, esi
		call	PipNotifyDeviceDependencyList
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	PipNotifyDeviceDependencyList
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_872A61
		call	PiPnpRtlEndOperation

loc_872A61:				; CODE XREF: PnpNewDeviceNodeDependencyCheck(x)+52j
		pop	esi
		leave
		retn
_PnpNewDeviceNodeDependencyCheck@4 endp


;  S U B	R O U T	I N E 


PipNotifyDeviceDependencyList proc near	; CODE XREF: PnpNewDeviceNodeDependencyCheck(x)+3Ep
					; PnpNewDeviceNodeDependencyCheck(x)+48p

; FUNCTION CHUNK AT 008E0988 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, [ecx+10h]
		mov	ebx, edx
		push	edi
		xor	cl, cl
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		test	ebx, ebx
		jnz	short loc_872AA0
		mov	ecx, esi
		call	_PiGetProviderList@4 ; PiGetProviderList(x)

loc_872A80:				; CODE XREF: PipNotifyDeviceDependencyList+48j
		mov	esi, eax
		mov	edi, [esi]

loc_872A84:				; CODE XREF: PipNotifyDeviceDependencyList+6DF44j
		cmp	edi, esi
		jnz	loc_8E0988

loc_872A8C:				; CODE XREF: PipNotifyDeviceDependencyList+3Fj
		mov	ecx, offset _PiDependencyRelationsLock
		call	ExReleaseResourceLite
		xor	ecx, ecx
		pop	edi
		pop	esi
		pop	ebx
		jmp	PpDevNodeUnlockTree
; 

loc_872AA0:				; CODE XREF: PipNotifyDeviceDependencyList+13j
		cmp	ebx, 1
		jnz	short loc_872A8C
		mov	ecx, esi
		call	_PiGetDependentList@4 ;	PiGetDependentList(x)
		jmp	short loc_872A80
PipNotifyDeviceDependencyList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCreateDriverSwDevices	proc near	; CODE XREF: PipProcessStartPhase3+B9p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E09AD SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	edx, [ebp+var_8]
		xor	ebx, ebx
		push	20019h
		mov	[ebp+var_8], ebx
		mov	ecx, [edi+10h]
		mov	[ebp+var_4], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		call	_PnpDeviceObjectToDeviceInstance@12 ; PnpDeviceObjectToDeviceInstance(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_872B18
		mov	eax, _PiPnpRtlCtx
		mov	ecx, ebx
		test	eax, eax
		jz	short loc_872AED
		mov	ecx, [eax+74h]

loc_872AED:				; CODE XREF: PiCreateDriverSwDevices+3Aj
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	20019h
		push	ebx
		push	offset ??_C@_1BA@HICHNCPO@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@NNGAKEGL@	; "Devices"
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_8E09AD
		cmp	esi, 0C0000034h
		jnz	short loc_872B18
		mov	esi, ebx

loc_872B18:				; CODE XREF: PiCreateDriverSwDevices+2Fj
					; PiCreateDriverSwDevices+66j ...
		cmp	[ebp+var_4], ebx
		jnz	loc_8E09E5

loc_872B21:				; CODE XREF: PiCreateDriverSwDevices+6DF3Fj
		cmp	[ebp+var_8], ebx
		jz	short loc_872B2E
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_872B2E:				; CODE XREF: PiCreateDriverSwDevices+76j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
PiCreateDriverSwDevices	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipProcessStartPhase3 proc near		; CODE XREF: PipProcessDevNodeTree+2A3p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 008E09F2 SIZE 000000C8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		and	[ebp+var_8], 0
		and	[ebp+var_20], 0
		test	byte_6CD8BB, 10h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_28], edx
		mov	esi, ecx
		jnz	loc_8E09F2

loc_872B5B:				; CODE XREF: PipProcessStartPhase3+6DECCj
		lea	ecx, [ebp+var_20]
		call	PiPnpRtlBeginOperation
		mov	edi, eax
		test	edi, edi
		js	loc_872C03
		test	byte ptr [esi+10Ch], 20h
		mov	ebx, [esi+10h]
		mov	[ebp+var_24], ebx
		jz	loc_872C23

loc_872B80:				; CODE XREF: PipProcessStartPhase3+112j
					; PipProcessStartPhase3+304j
		test	dword ptr [esi+10Ch], 2000h
		jnz	loc_8E0A81

loc_872B90:				; CODE XREF: PipProcessStartPhase3+6DF52j
		cmp	[ebp+var_28], 0
		jz	short loc_872BA0
		push	8
		pop	edx
		mov	ecx, esi
		call	PipSetDevNodeFlags

loc_872BA0:				; CODE XREF: PipProcessStartPhase3+5Ej
		mov	ecx, esi
		call	_PnpQueryAndSaveDeviceNodeCapabilities@4 ; PnpQueryAndSaveDeviceNodeCapabilities(x)
		mov	ecx, ebx
		call	PiProcessQueryDeviceState
		push	ecx
		xor	edx, edx
		mov	ecx, esi
		mov	edi, eax
		call	_PiUpdateDevicePanel@12	; PiUpdateDevicePanel(x,x,x)
		mov	edx, [esi+10h]
		mov	ecx, offset _GUID_DEVICE_ARRIVAL
		call	PnpSetPlugPlayEvent
		mov	ecx, esi
		call	_PnpSetDeviceInstanceStartedEvent@4 ; PnpSetDeviceInstanceStartedEvent(x)
		test	edi, edi
		js	short loc_872C03
		mov	ecx, ebx
		call	@PpvUtilTestStartedPdoStack@4 ;	PpvUtilTestStartedPdoStack(x)
		push	ecx
		mov	edx, 308h
		mov	ecx, esi
		call	PipSetDevNodeState
		mov	ecx, esi
		call	_PnpStartedDeviceNodeDependencyCheck@4 ; PnpStartedDeviceNodeDependencyCheck(x)
		mov	ecx, esi
		call	PiCreateDriverSwDevices
		call	_SeAuditingPlugAndPlayEvents@0 ; SeAuditingPlugAndPlayEvents()
		test	al, al
		jnz	loc_8E0A98

loc_872C01:				; CODE XREF: PipProcessStartPhase3+6DF6Aj
		xor	edi, edi

loc_872C03:				; CODE XREF: PipProcessStartPhase3+31j
					; PipProcessStartPhase3+9Aj ...
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	short loc_872C0F
		call	PiPnpRtlEndOperation

loc_872C0F:				; CODE XREF: PipProcessStartPhase3+D2j
		test	byte_6CD8BB, 10h
		jnz	loc_8E0AA5

loc_872C1C:				; CODE XREF: PipProcessStartPhase3+6DF7Fj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_872C23:				; CODE XREF: PipProcessStartPhase3+44j
		xor	eax, eax
		lea	edx, [ebp+var_8]
		push	20019h
		mov	ecx, ebx
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		call	_PnpDeviceObjectToDeviceInstance@12 ; PnpDeviceObjectToDeviceInstance(x,x,x)
		test	eax, eax
		js	loc_872B80
		lea	eax, [ebp+var_10]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_18]
		inc	edx
		push	eax
		mov	ecx, esi
		call	PnpQueryID
		lea	eax, [ebp+var_14]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	2
		pop	edx
		call	PnpQueryID
		mov	edi, [ebp+var_C]
		lea	eax, [esi+1BCh]
		mov	ebx, [ebp+var_18]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_PnpGenerateDeviceIdsHash@12 ; PnpGenerateDeviceIdsHash(x,x,x)
		test	ebx, ebx
		jz	loc_8E0A07

loc_872C90:				; CODE XREF: PipProcessStartPhase3+6DED3j
		xor	eax, eax
		mov	[ebp+var_2], al
		mov	[ebp+var_C], eax
		mov	byte ptr [ebp+var_1], al
		mov	[ebp+var_18], eax
		mov	[ebp+var_3], al
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceSharedLite
		mov	edx, [esi+18h]
		lea	eax, [ebp+var_1C]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_1C], 4
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	0Bh
		push	[ebp+var_8]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_8E0A23
		cmp	[ebp+var_18], 4
		jnz	loc_8E0A23
		cmp	[ebp+var_1C], 4
		jnz	loc_8E0A23
		mov	eax, [ebp+var_C]
		test	al, 20h
		jnz	loc_8E0A19

loc_872D01:				; CODE XREF: PipProcessStartPhase3+6DEE5j
					; PipProcessStartPhase3+6DEF6j
		test	eax, 400h
		jnz	short loc_872D46
		xor	ecx, ecx
		test	ebx, ebx
		jz	loc_8E0A31
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_1]
		push	eax
		push	1
		push	[ebp+var_10]
		mov	ecx, esi
		push	ebx
		call	PnpCheckDeviceIdsChanged
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, eax
		mov	eax, [ebp+var_C]
		test	dl, dl
		jnz	short loc_872D3A

loc_872D32:				; CODE XREF: PipProcessStartPhase3+6DEFEj
		test	edi, edi
		jnz	loc_872E3F

loc_872D3A:				; CODE XREF: PipProcessStartPhase3+1FAj
					; PipProcessStartPhase3+325j
		test	ecx, ecx
		js	short loc_872D46
		test	dl, dl
		jnz	loc_8E0A39

loc_872D46:				; CODE XREF: PipProcessStartPhase3+1D0j
					; PipProcessStartPhase3+206j ...
		test	ebx, ebx
		jz	short loc_872D6D
		mov	edx, [esi+18h]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	[ebp+var_10]
		push	ebx
		push	7
		push	2
		push	[ebp+var_8]
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_872D6D:				; CODE XREF: PipProcessStartPhase3+212j
		test	edi, edi
		jnz	loc_872E60

loc_872D75:				; CODE XREF: PipProcessStartPhase3+34Dj
		cmp	[ebp+var_3], 0
		jnz	loc_8E0A4E

loc_872D7F:				; CODE XREF: PipProcessStartPhase3+6DF35j
		mov	ebx, offset _PnpRegistryDeviceResource
		mov	ecx, ebx
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[ebp+var_2], 0
		jnz	loc_8E0A70

loc_872D9A:				; CODE XREF: PipProcessStartPhase3+6DEDEj
					; PipProcessStartPhase3+6DF46j
		mov	edx, [esi+18h]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	4
		push	offset _PnpCurrentHardwareConfigurationIndex
		push	7
		push	offset _DEVPKEY_Device_HardwareConfigurationIndex
		push	0
		push	[ebp+var_8]
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	edi, offset ??_C@_1EO@EKIIDBMB@?$AA?$HL?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9@NNGAKEGL@ ; "{00000000-0000-0000-FFFF-FFFFFFFFFFFF}"
		lea	eax, [ebp+var_30]
		push	edi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esi+1A8h]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		push	20h
		pop	edx
		mov	ecx, esi
		call	PipSetDevNodeFlags
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	ebx
		call	ExAcquireResourceSharedLite
		mov	edx, [ebp+var_8]
		mov	ecx, [esi+18h]
		push	edi
		call	PiDcUpdateDeviceContainerMembership
		mov	ecx, ebx
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edx, [ebp+var_8]
		push	ecx
		mov	ecx, esi
		call	_PiUpdateDevicePanel@12	; PiUpdateDevicePanel(x,x,x)
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		mov	edx, [esi+18h]
		push	1
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	edx, [esi+10h]
		mov	ecx, offset _GUID_DEVICE_ENUMERATED
		call	PnpSetPlugPlayEvent
		mov	ebx, [ebp+var_24]
		jmp	loc_872B80
; 

loc_872E3F:				; CODE XREF: PipProcessStartPhase3+1FEj
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_1]
		push	eax
		push	0
		push	[ebp+var_14]
		mov	ecx, esi
		push	edi
		call	PnpCheckDeviceIdsChanged
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, eax
		mov	eax, [ebp+var_C]
		jmp	loc_872D3A
; 

loc_872E60:				; CODE XREF: PipProcessStartPhase3+239j
		mov	edx, [esi+18h]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	[ebp+var_14]
		push	edi
		push	7
		push	3
		push	[ebp+var_8]
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_872D75
PipProcessStartPhase3 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpSetPlugPlayEvent proc near		; CODE XREF: PipProcessStartPhase3+8Cp
					; PipProcessStartPhase3+2FCp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E0ABA SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		cmp	dword_6CC5E4, 0
		mov	eax, edx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], eax
		push	edi
		mov	[ebp+var_C], esi
		jnz	loc_872F45
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_872F45
		movzx	eax, word ptr [eax+14h]
		add	eax, 44h
		mov	[ebp+var_8], eax
		lea	ecx, [eax+48h]
		call	_PnpCreateDeviceEventEntry@4 ; PnpCreateDeviceEventEntry(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_872F45
		mov	eax, [ebp+var_8]
		lea	edi, [ebx+48h]
		movsd
		push	10h		; size_t
		push	offset _GUID_DEVICE_ENUMERATED ; void *
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_C]
		push	edi		; void *
		mov	[ebx+64h], eax
		call	_memcmp
		mov	esi, [ebp+var_4]
		lea	ecx, [ebx+6Ch]
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_872F4A
		mov	dword ptr [ebx+58h], 4

loc_872F07:				; CODE XREF: PnpSetPlugPlayEvent+C9j
		movzx	eax, word ptr [esi+14h]
		push	eax		; size_t
		push	dword ptr [esi+18h] ; void *
		push	ecx		; void *
		call	_memcpy
		movzx	eax, word ptr [esi+14h]
		add	esp, 0Ch
		shr	eax, 1
		xor	ecx, ecx
		push	10h		; size_t
		push	offset _GUID_DEVICE_ENUMERATED ; void *
		push	edi		; void *
		mov	[ebx+eax*2+6Ch], cx
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_872F53

loc_872F39:				; CODE XREF: PnpSetPlugPlayEvent+DDj
		xor	esi, esi

loc_872F3B:				; CODE XREF: PnpSetPlugPlayEvent+6DC41j
		mov	ecx, ebx
		mov	[ebx+68h], esi
		call	PnpInsertEventInQueue

loc_872F45:				; CODE XREF: PnpSetPlugPlayEvent+1Cj
					; PnpSetPlugPlayEvent+30j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_872F4A:				; CODE XREF: PnpSetPlugPlayEvent+76j
		mov	dword ptr [ebx+58h], 1
		jmp	short loc_872F07
; 

loc_872F53:				; CODE XREF: PnpSetPlugPlayEvent+AFj
		push	10h		; size_t
		push	offset _GUID_DEVICE_ARRIVAL ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_872F39
		jmp	loc_8E0ABA
PnpSetPlugPlayEvent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiUpdateDevicePanel(x, x, x)
_PiUpdateDevicePanel@12	proc near	; CODE XREF: PipProcessStartPhase3+7Fp
					; PipProcessStartPhase3+2DDp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		test	esi, esi
		jz	short loc_872FDC
		mov	[ebp+var_4], esi

loc_872F85:				; CODE XREF: PiUpdateDevicePanel(x,x,x)+84j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceSharedLite
		push	[ebp+var_4]
		mov	edx, [ebx+18h]
		mov	ecx, _PiPnpRtlCtx
		call	_CmUpdateDevicePanel
		mov	ecx, offset _PnpRegistryDeviceResource
		mov	edi, eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_872FC8:				; CODE XREF: PiUpdateDevicePanel(x,x,x)+86j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_872FD3
		cmp	eax, esi
		jnz	short loc_872FF4

loc_872FD3:				; CODE XREF: PiUpdateDevicePanel(x,x,x)+61j
					; PiUpdateDevicePanel(x,x,x)+8Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_872FDC:				; CODE XREF: PiUpdateDevicePanel(x,x,x)+14j
		mov	ecx, [ebx+10h]
		lea	edx, [ebp+var_4]
		push	20019h
		call	_PnpDeviceObjectToDeviceInstance@12 ; PnpDeviceObjectToDeviceInstance(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_872F85
		jmp	short loc_872FC8
; 

loc_872FF4:				; CODE XREF: PiUpdateDevicePanel(x,x,x)+65j
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_872FD3
_PiUpdateDevicePanel@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmUpdateDevicePanel proc near		; CODE XREF: PiUpdateDevicePanel(x,x,x)+3Fp

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6A		= byte ptr -6Ah
var_69		= byte ptr -69h
var_68		= dword	ptr -68h
var_61		= byte ptr -61h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_51		= dword	ptr -51h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E0ACE SIZE 00001221 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		xor	eax, eax
		mov	[ebp+var_90], edx
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	esi, [ebp+arg_0]
		stosd
		xor	ecx, ecx
		mov	ebx, _PiPnpRtlCtx
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_88], ecx
		stosd
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_9C], ecx
		stosd
		mov	[ebp+var_68], ecx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_5C], ecx
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		mov	[ebp+var_69], cl
		stosd
		mov	[ebp+var_78], ecx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_58], ecx
		stosd
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_84], ecx
		mov	[ebp+var_61], cl
		stosd
		mov	[ebp+var_48], ecx
		mov	byte ptr [ebp+var_51], cl
		mov	[ebp+var_44], ecx
		stosd
		mov	[ebp+var_94], ecx
		mov	[ebp+var_98], ecx
		mov	[ebp+var_6A], cl
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_40]
		mov	[ebp+var_70], ecx
		stosd
		mov	[ebp+var_51+1],	esi
		mov	[ebp+var_74], 1
		stosd
		stosd
		stosd
		stosd
		mov	edi, edx
		mov	ecx, edi
		call	__CmIsRootDevice@4 ; _CmIsRootDevice(x)
		test	al, al
		jnz	loc_8E0ACE
		lea	eax, [ebp+var_9C]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_60]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_A0]
		push	eax
		lea	eax, [ebp+var_88]
		push	eax
		push	offset _DEVPKEY_Device_PhysicalDeviceLocation ;	"~\vT@Ej\vL\t"
		push	esi
		push	1
		call	_CmQueryDevicePanelPldProperty
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	loc_8E0AD8
		xor	esi, esi
		mov	[ebp+var_60], esi

loc_8730F1:				; CODE XREF: _CmUpdateDevicePanel+6DBF7j
					; _CmUpdateDevicePanel+6DC1Fj
		push	52504E50h
		push	72h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_58], eax
		test	eax, eax
		jz	loc_8E0BCD
		push	esi
		lea	ecx, [ebp+var_70]
		mov	edx, edi
		push	ecx
		push	72h
		push	eax
		lea	eax, [ebp+var_74]
		mov	ecx, ebx
		push	eax
		push	offset _DEVPKEY_Device_PanelId
		push	esi
		push	[ebp+var_51+1]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	loc_8E0C20

loc_873138:				; CODE XREF: _CmUpdateDevicePanel+6DC30j
					; _CmUpdateDevicePanel+6DC3Aj
		mov	eax, [ebp+var_58]
		xor	esi, esi
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		mov	[ebp+var_58], eax

loc_873149:				; CODE XREF: _CmUpdateDevicePanel+6DC43j
		mov	esi, [ebp+var_4C]
		test	esi, esi
		jnz	loc_8E0C44
		test	eax, eax
		jnz	loc_8E0C5D

loc_87315C:				; CODE XREF: _CmUpdateDevicePanel+6DD2Ej
		mov	ecx, [ebp+var_60]

loc_87315F:				; CODE XREF: _CmUpdateDevicePanel+6DF08j
					; _CmUpdateDevicePanel+6DF10j ...
		mov	edx, [ebp+var_5C]
		test	edx, edx
		jnz	loc_8E0F30
		test	eax, eax
		jnz	loc_8E104C

loc_873172:				; CODE XREF: _CmUpdateDevicePanel+6DFD5j
		mov	esi, [ebp+var_51+1]

loc_873175:				; CODE XREF: _CmUpdateDevicePanel+6E09Ej
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_8C], 168h
		test	eax, eax
		jnz	loc_8E109F

loc_87318A:				; CODE XREF: _CmUpdateDevicePanel+6E0A8j
		mov	ecx, [ebp+var_58]
		test	ecx, ecx
		jnz	loc_8E1170

loc_873195:				; CODE XREF: _CmUpdateDevicePanel+6E1C2j
		mov	esi, [ebp+var_51+1]

loc_873198:				; CODE XREF: _CmUpdateDevicePanel+6E246j
					; _CmUpdateDevicePanel+6E24Ej
		test	eax, eax
		jnz	loc_8E124F

loc_8731A0:				; CODE XREF: _CmUpdateDevicePanel+6E258j
					; _CmUpdateDevicePanel+6E262j
		test	ecx, ecx
		jnz	loc_8E12B2

loc_8731A8:				; CODE XREF: _CmUpdateDevicePanel+6E2D1j
		cmp	[ebp+var_4C], 0
		jnz	loc_8E12D2

loc_8731B2:				; CODE XREF: _CmUpdateDevicePanel+6E2DBj
		test	ecx, ecx
		jnz	loc_8E1328

loc_8731BA:				; CODE XREF: _CmUpdateDevicePanel+6E327j
		mov	esi, [ebp+var_51+1]

loc_8731BD:				; CODE XREF: _CmUpdateDevicePanel+6E34Aj
		cmp	[ebp+var_4C], 0
		jnz	loc_8E134B

loc_8731C7:				; CODE XREF: _CmUpdateDevicePanel+6E354j
		test	ecx, ecx
		jnz	loc_8E138E

loc_8731CF:				; CODE XREF: _CmUpdateDevicePanel+6E38Dj
					; _CmUpdateDevicePanel+6E3AAj
		mov	esi, [ebp+var_4C]
		test	esi, esi
		jnz	loc_8E13AB

loc_8731DA:				; CODE XREF: _CmUpdateDevicePanel+6E3B3j
					; _CmUpdateDevicePanel+6E3CEj
		push	5
		pop	ecx
		mov	esi, offset _DEVPKEY_Device_PhysicalDeviceLocationPanel
		lea	edi, [ebp+var_2C]
		rep movsd
		push	5
		pop	ecx
		mov	esi, (offset loc_412D7F+1)
		lea	edi, [ebp+var_40]
		rep movsd
		mov	edi, [ebp+var_90]

loc_8731FA:				; CODE XREF: _CmUpdateDevicePanel+6ECE4j
		lea	eax, [ebp+var_9C]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_60]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_A0]
		push	eax
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+var_51+1]
		push	1
		call	_CmQueryDevicePanelPldProperty
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	loc_8E13CF
		xor	eax, eax
		mov	esi, eax

loc_873237:				; CODE XREF: _CmUpdateDevicePanel+6E3D5j
					; _CmUpdateDevicePanel+6E3F2j ...
		mov	eax, [ebp+var_48]
		test	eax, eax
		jnz	short loc_873291

loc_87323E:				; CODE XREF: _CmUpdateDevicePanel+29Bj
					; _CmUpdateDevicePanel+6DB61j ...
		mov	eax, [ebp+var_4C]
		xor	ebx, ebx
		test	eax, eax
		jnz	short loc_873299

loc_873247:				; CODE XREF: _CmUpdateDevicePanel+2A4j
		mov	eax, [ebp+var_58]
		test	eax, eax
		jnz	short loc_8732A2

loc_87324E:				; CODE XREF: _CmUpdateDevicePanel+2ADj
		mov	eax, [ebp+var_84]
		test	eax, eax
		jnz	short loc_8732AB

loc_873258:				; CODE XREF: _CmUpdateDevicePanel+2B6j
					; _CmUpdateDevicePanel+6DADEj ...
		xor	ebx, ebx
		cmp	[ebp+var_88], ebx
		jnz	short loc_873283

loc_873262:				; CODE XREF: _CmUpdateDevicePanel+293j
		mov	eax, [ebp+var_5C]
		test	eax, eax
		jnz	short loc_8732B4

loc_873269:				; CODE XREF: _CmUpdateDevicePanel+2BFj
		mov	eax, [ebp+var_68]
		test	eax, eax
		jnz	short loc_8732BD

loc_873270:				; CODE XREF: _CmUpdateDevicePanel+2C8j
					; _CmUpdateDevicePanel+6DAD7j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_873283:				; CODE XREF: _CmUpdateDevicePanel+264j
		push	ebx
		push	[ebp+var_88]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_873262
; 

loc_873291:				; CODE XREF: _CmUpdateDevicePanel+240j
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_87323E
; 

loc_873299:				; CODE XREF: _CmUpdateDevicePanel+249j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_873247
; 

loc_8732A2:				; CODE XREF: _CmUpdateDevicePanel+250j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_87324E
; 

loc_8732AB:				; CODE XREF: _CmUpdateDevicePanel+25Aj
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_873258
; 

loc_8732B4:				; CODE XREF: _CmUpdateDevicePanel+26Bj
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_873269
; 

loc_8732BD:				; CODE XREF: _CmUpdateDevicePanel+272j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_873270
_CmUpdateDevicePanel endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmQueryDevicePanelPldProperty proc near ; CODE	XREF: _CmUpdateDevicePanel+DDp
					; _CmUpdateDevicePanel+224p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008E1CEF SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_18]
		push	ebx
		mov	ebx, [ebp+arg_14]
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], edx
		mov	[eax], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	[ebx], esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	edi, [ebp+arg_10]
		mov	[ebp+var_10], ecx
		mov	eax, [esi]

loc_8732F1:				; CODE XREF: _CmQueryDevicePanelPldProperty+92j
		push	0
		lea	ebx, [ebp+var_4]
		push	ebx
		push	dword ptr [edi]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, [ebp+arg_14]
		mov	ecx, eax
		cmp	ecx, 0C0000023h
		jz	short loc_873328

loc_87331B:				; CODE XREF: _CmQueryDevicePanelPldProperty+6EA3Ej
		test	ecx, ecx
		jns	short loc_87335A

loc_87331F:				; CODE XREF: _CmQueryDevicePanelPldProperty+D0j
					; _CmQueryDevicePanelPldProperty+DEj ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	1Ch
; 

loc_873328:				; CODE XREF: _CmQueryDevicePanelPldProperty+53j
		mov	eax, [ebp+var_4]
		cmp	eax, [edi]
		jbe	short loc_87339F
		mov	ecx, [esi]
		test	ecx, ecx
		jnz	loc_8E1CEF

loc_873339:				; CODE XREF: _CmQueryDevicePanelPldProperty+6EA34j
		push	52504E50h
		push	eax
		push	1
		mov	[edi], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	loc_8E1CFF
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		jmp	short loc_8732F1
; 

loc_87335A:				; CODE XREF: _CmQueryDevicePanelPldProperty+57j
		cmp	[ebp+var_8], 1003h
		jnz	short loc_87339F
		mov	edx, [ebp+var_4]
		cmp	edx, 1
		jb	short loc_87339F
		mov	esi, [esi]
		mov	eax, [esi]
		and	eax, 7Fh
		cmp	eax, 1
		jb	short loc_873391
		jnz	short loc_87337E
		cmp	edx, 10h
		jb	short loc_873391

loc_87337E:				; CODE XREF: _CmQueryDevicePanelPldProperty+B1j
		cmp	eax, 2
		jnb	short loc_873398

loc_873383:				; CODE XREF: _CmQueryDevicePanelPldProperty+D7j
		mov	eax, [esi+8]
		and	eax, 38h
		cmp	al, 30h
		jb	loc_8E1D09

loc_873391:				; CODE XREF: _CmQueryDevicePanelPldProperty+AFj
					; _CmQueryDevicePanelPldProperty+B6j ...
		mov	ecx, 0C0000225h
		jmp	short loc_87331F
; 

loc_873398:				; CODE XREF: _CmQueryDevicePanelPldProperty+BBj
		cmp	edx, 14h
		jb	short loc_873391
		jmp	short loc_873383
; 

loc_87339F:				; CODE XREF: _CmQueryDevicePanelPldProperty+67j
					; _CmQueryDevicePanelPldProperty+9Bj ...
		mov	ecx, 0C0000001h
		jmp	loc_87331F
_CmQueryDevicePanelPldProperty endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDcUpdateDeviceContainerMembership proc near ;	CODE XREF: PipProcessStartPhase3+2C6p
					; PiProcessNewDeviceNode+671p

var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_F9		= dword	ptr -0F9h
var_A8		= dword	ptr -0A8h
var_58		= word ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E1D15 SIZE 00000066 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 110h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_104], edx
		lea	ecx, [ebp+var_108]
		mov	byte ptr [ebp+var_F9], al
		mov	[ebp+var_108], eax
		mov	[ebp+var_10C], eax
		mov	[ebp+var_100], eax
		call	PiPnpRtlBeginOperation
		mov	esi, eax
		test	esi, esi
		js	loc_8734F8
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_100]
		push	0
		push	eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_100], 4Eh
		push	eax
		lea	eax, [ebp+var_10C]
		mov	edx, edi
		push	eax
		push	25h
		push	[ebp+var_104]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	[ebp+var_110], eax
		test	eax, eax
		js	short loc_873453
		lea	eax, [ebp+var_58]
		push	eax		; wchar_t *
		push	ebx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_8E1D15
		mov	eax, [ebp+var_110]

loc_873453:				; CODE XREF: PiDcUpdateDeviceContainerMembership+8Dj
		lea	esi, [eax+3FFFFDDBh]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_87345F:				; CODE XREF: PiDcUpdateDeviceContainerMembership+6E9BCj
		test	esi, esi
		js	loc_8734F8
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_F9+1]
		push	eax
		push	ebx
		mov	edx, edi
		call	_CmGetDeviceContainerIdFromBase
		mov	esi, eax
		test	esi, esi
		js	short loc_8734F8
		mov	ecx, ebx
		xor	esi, esi
		lea	edx, [ecx+2]

loc_87348A:				; CODE XREF: PiDcUpdateDeviceContainerMembership+E9j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_87348A
		sub	ecx, edx
		mov	edx, edi
		sar	ecx, 1
		push	esi
		lea	eax, ds:2[ecx*2]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	ebx
		push	1
		push	25h
		push	[ebp+var_104]
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8734F8
		mov	ecx, ebx
		call	_PnpIsNullGuidString@4 ; PnpIsNullGuidString(x)
		test	al, al
		jnz	short loc_8734F8
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_F9]
		push	eax
		push	edi
		push	ebx
		lea	edx, [ebp+var_F9+1]
		call	_CmAddDeviceToContainer
		mov	esi, eax
		test	esi, esi
		js	short loc_8734F8
		cmp	byte ptr [ebp+var_F9], 0
		jz	loc_8E1D6B

loc_8734F8:				; CODE XREF: PiDcUpdateDeviceContainerMembership+4Cj
					; PiDcUpdateDeviceContainerMembership+B7j ...
		mov	ecx, [ebp+var_108]
		test	ecx, ecx
		jz	short loc_873507
		call	PiPnpRtlEndOperation

loc_873507:				; CODE XREF: PiDcUpdateDeviceContainerMembership+156j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
PiDcUpdateDeviceContainerMembership endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmAddDeviceToContainer	proc near	; CODE XREF: PiDcUpdateDeviceContainerMembership+136p
					; _CmMoveBaseContainer(x,x,x,x)+62p ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E1D7B SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	edi, [ebp+arg_4]
		push	2Ch		; size_t
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_30]
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], edx
		mov	[ebp+var_38], ebx
		call	_memset
		mov	ebx, [ebx+100h]
		add	esp, 0Ch
		mov	[ebp+var_28], esi
		mov	esi, [ebp+var_34]
		mov	[ebp+var_24], edi
		mov	edi, [ebp+var_38]
		test	ebx, ebx
		jz	short loc_87358D
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	0Dh
		push	5
		push	esi
		push	edi
		call	ebx
		cmp	eax, 0C0000002h
		jz	loc_8E1D7B
		cmp	eax, 0C0000120h
		jz	short loc_8735F8
		test	eax, eax
		jnz	short loc_8735FD

loc_87358D:				; CODE XREF: _CmAddDeviceToContainer+4Dj
					; _CmAddDeviceToContainer+6E863j
		lea	eax, [ebp+var_20]
		mov	edx, esi
		push	eax
		push	[ebp+var_24]
		mov	ecx, edi
		push	[ebp+var_28]
		call	_CmAddDeviceToContainerWorker
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_8735CB
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	0Dh
		push	5
		push	[ebp+var_34]
		push	edi
		call	ebx
		cmp	eax, 0C0000002h
		jz	short loc_8735CB
		cmp	eax, 0C0000120h
		jz	short loc_8735F8
		test	eax, eax
		jnz	short loc_8735FD

loc_8735CB:				; CODE XREF: _CmAddDeviceToContainer+8Aj
					; _CmAddDeviceToContainer+A4j
		cmp	byte ptr [ebp+var_20], 0
		jz	loc_8E1D82

loc_8735D5:				; CODE XREF: _CmAddDeviceToContainer+E1j
					; _CmAddDeviceToContainer+6E874j
		test	esi, esi
		js	short loc_8735E5
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_8735E5
		mov	al, byte ptr [ebp+var_20]
		mov	[ecx], al

loc_8735E5:				; CODE XREF: _CmAddDeviceToContainer+BDj
					; _CmAddDeviceToContainer+C4j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_8735F8:				; CODE XREF: _CmAddDeviceToContainer+6Dj
					; _CmAddDeviceToContainer+ABj
		mov	esi, [ebp+var_30]
		jmp	short loc_8735D5
; 

loc_8735FD:				; CODE XREF: _CmAddDeviceToContainer+71j
					; _CmAddDeviceToContainer+AFj
		mov	esi, 0C00000E5h
		jmp	short loc_8735E5
_CmAddDeviceToContainer	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmAddDeviceToContainerWorker proc near	; CODE XREF: _CmAddDeviceToContainer+81p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E1D93 SIZE 000000B8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1C], eax
		xor	ecx, ecx
		push	ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	byte ptr [ebp+var_1], cl
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebx], cl
		lea	ecx, [ebp+var_1]
		push	ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		push	ecx
		mov	ecx, edi
		call	_CmCreateDeviceContainer
		mov	esi, eax
		test	esi, esi
		js	loc_8E1DD6
		test	edi, edi
		jz	loc_8E1D93
		mov	ecx, [edi+74h]

loc_873655:				; CODE XREF: _CmAddDeviceToContainerWorker+6E791j
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	ecx
		push	0
		push	4
		push	0
		push	offset ??_C@_1BO@HPNNFMNF@?$AAB?$AAa?$AAs?$AAe?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAs@NNGAKEGL@ ; "BaseContainers"
		call	__SysCtxRegCreateKey@36	; _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E1DD6
		test	edi, edi
		jz	loc_8E1D9A
		mov	ecx, [edi+74h]

loc_873686:				; CODE XREF: _CmAddDeviceToContainerWorker+6E798j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		push	0
		push	3
		push	0
		push	[ebp+arg_0]
		call	__SysCtxRegCreateKey@36	; _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E1DD6
		cmp	[ebp+var_14], 2
		jnz	loc_8E1DA1
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+arg_8]
		xor	ecx, ecx
		push	eax
		push	ecx
		mov	[ebp+arg_8], ecx
		push	ecx
		mov	ecx, [ebp+var_8]
		call	_RegRtlQueryValue
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_87371A
		cmp	esi, 0C000017Ch
		jz	short loc_87371A
		test	esi, esi
		jnz	loc_8E1DA3
		mov	byte ptr [ebx],	1

loc_8736E7:				; CODE XREF: _CmAddDeviceToContainerWorker+6E7E1j
					; _CmAddDeviceToContainerWorker+6E831j	...
		cmp	[ebp+var_8], 0
		jz	short loc_8736F5
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_8736F5:				; CODE XREF: _CmAddDeviceToContainerWorker+E7j
		cmp	[ebp+var_C], 0
		jz	short loc_873703
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_873703:				; CODE XREF: _CmAddDeviceToContainerWorker+F5j
		cmp	[ebp+var_10], 0
		jz	short loc_873711
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)

loc_873711:				; CODE XREF: _CmAddDeviceToContainerWorker+103j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_87371A:				; CODE XREF: _CmAddDeviceToContainerWorker+CEj
					; _CmAddDeviceToContainerWorker+D6j
		xor	esi, esi
		jmp	loc_8E1DA1
_CmAddDeviceToContainerWorker endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmCreateDeviceContainer proc near	; CODE XREF: _CmAddDeviceToContainerWorker+37p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E1E4B SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		push	2Ch		; size_t
		mov	[ebp+var_3C], eax
		mov	esi, ecx
		lea	eax, [ebp+var_30]
		mov	[ebp+var_34], edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_38], esi
		call	_memset
		mov	edi, [esi+100h]
		add	esp, 0Ch
		and	[ebp+var_1C], 0
		mov	[ebp+var_28], 4
		test	edi, edi
		jz	short loc_87379B
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	2
		push	5
		push	[ebp+var_34]
		push	esi
		call	edi
		cmp	eax, 0C0000002h
		jz	loc_8E1E4B
		cmp	eax, 0C0000120h
		jz	loc_873818
		test	eax, eax
		jnz	loc_8E1E52

loc_87379B:				; CODE XREF: _CmCreateDeviceContainer+49j
					; _CmCreateDeviceContainer+6E72Bj
		push	[ebp+var_1C]
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_24]
		mov	ecx, esi
		push	eax
		push	[ebp+var_28]
		call	_CmCreateDeviceContainerWorker
		mov	esi, eax
		test	edi, edi
		jz	short loc_8737E0
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	2
		push	5
		push	[ebp+var_34]
		push	[ebp+var_38]
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_8737E0
		cmp	eax, 0C0000120h
		jz	short loc_873818
		test	eax, eax
		jnz	short loc_87381D

loc_8737E0:				; CODE XREF: _CmCreateDeviceContainer+95j
					; _CmCreateDeviceContainer+B1j	...
		test	esi, esi
		js	loc_8E1E57
		test	ebx, ebx
		jz	loc_8E1E57
		mov	eax, [ebp+var_24]
		mov	[ebx], eax

loc_8737F5:				; CODE XREF: _CmCreateDeviceContainer+6E739j
					; _CmCreateDeviceContainer+6E747j
		test	esi, esi
		js	short loc_873805
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_873805
		mov	al, byte ptr [ebp+var_20]
		mov	[ecx], al

loc_873805:				; CODE XREF: _CmCreateDeviceContainer+D5j
					; _CmCreateDeviceContainer+DCj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_873818:				; CODE XREF: _CmCreateDeviceContainer+6Bj
					; _CmCreateDeviceContainer+B8j
		mov	esi, [ebp+var_30]
		jmp	short loc_8737E0
; 

loc_87381D:				; CODE XREF: _CmCreateDeviceContainer+BCj
		mov	esi, 0C00000E5h
		jmp	short loc_8737E0
_CmCreateDeviceContainer endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmCreateDeviceContainerWorker proc near ; CODE	XREF: _CmCreateDeviceContainer+8Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= word ptr  14h

; FUNCTION CHUNK AT 008E1E6E SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	eax, [ebp+arg_C]
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		test	eax, eax
		jnz	short loc_873873
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	1
		push	[ebp+arg_0]
		push	ecx
		push	ecx
		call	_CmOpenDeviceContainerRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_87386A
		cmp	[ebp+var_4], 1
		mov	ecx, [ebp+arg_8]
		setz	dl
		mov	[ecx], dl
		test	dl, dl
		jnz	loc_8E1E6E

loc_87386A:				; CODE XREF: _CmCreateDeviceContainerWorker+30j
					; _CmCreateDeviceContainerWorker+54j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_873873:				; CODE XREF: _CmCreateDeviceContainerWorker+17j
		mov	esi, 0C000000Dh
		jmp	short loc_87386A
_CmCreateDeviceContainerWorker endp


;  S U B	R O U T	I N E 


; __stdcall PnpIsNullGuidString(x)
_PnpIsNullGuidString@4 proc near	; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+A76p
					; _CmValidateDeviceContainerName(x,x)+12p ...
		mov	eax, offset ??_C@_1EO@NFBNALDE@?$AA?$HL?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9@NNGAKEGL@

loc_87387F:				; CODE XREF: PnpIsNullGuidString(x)+25j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_8738A9
		test	dx, dx
		jz	short loc_8738A1
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_8738A9
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_87387F

loc_8738A1:				; CODE XREF: PnpIsNullGuidString(x)+10j
		xor	eax, eax

loc_8738A3:				; CODE XREF: PnpIsNullGuidString(x)+34j
		test	eax, eax
		setz	al
		retn
; 

loc_8738A9:				; CODE XREF: PnpIsNullGuidString(x)+Bj
					; PnpIsNullGuidString(x)+1Aj
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_8738A3
_PnpIsNullGuidString@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpQueryAndSaveDeviceNodeCapabilities(x)
_PnpQueryAndSaveDeviceNodeCapabilities@4 proc near ; CODE XREF:	PipProcessStartPhase3+6Cp
					; IopInitializeDeviceInstanceKey+197p ...

var_48		= dword	ptr -48h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	40h		; size_t
		lea	eax, [ebp+var_48]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [esi+10h]
		lea	edx, [ebp+var_48]
		add	esp, 0Ch
		call	_PpIrpQueryCapabilities@8 ; PpIrpQueryCapabilities(x,x)
		test	eax, eax
		js	short loc_8738F0
		push	0
		lea	edx, [ebp+var_48]
		mov	ecx, esi
		call	_PnpSaveDeviceCapabilities@12 ;	PnpSaveDeviceCapabilities(x,x,x)

loc_8738F0:				; CODE XREF: PnpQueryAndSaveDeviceNodeCapabilities(x)+32j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PnpQueryAndSaveDeviceNodeCapabilities@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiProcessNewDeviceNode proc near	; CODE XREF: PipProcessDevNodeTree+2DFp

var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_69		= byte ptr -69h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= byte ptr -5Ch
var_5B		= byte ptr -5Bh
var_5A		= dword	ptr -5Ah
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E1E94 SIZE 0000074F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 104h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, ecx
		push	edi
		push	40h		; size_t
		push	eax		; int
		mov	[ebp+var_A8], eax
		mov	[ebp+var_BC], eax
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_48]
		push	eax		; void *
		call	_memset
		xor	ecx, ecx
		lea	edi, [ebp+var_5A+2]
		xor	eax, eax
		mov	[ebp+var_80], ecx
		stosd
		add	esp, 0Ch
		test	byte_6CD8BB, 8
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_84], ecx
		stosd
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_F0], ecx
		mov	[ebp+var_EC], ecx
		stosd
		mov	[ebp+var_C8], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_AC], ecx
		stosd
		mov	[ebp+var_70], ecx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_98], ecx
		mov	[ebp+var_C0], ecx
		mov	[ebp+var_B8], ecx
		mov	[ebp+var_E8], ecx
		mov	byte ptr [ebp+var_B0], cl
		mov	[ebp+var_E0], ecx
		mov	[ebp+var_DC], ecx
		mov	[ebp+var_78], ecx
		jnz	sub_8E1E83

loc_8739B6:				; CODE XREF: sub_8E1E83+Cj
		lea	eax, [ebp+var_F0]
		push	eax
		call	KeQuerySystemTime
		mov	esi, [ebx+10h]
		xor	ecx, ecx
		mov	eax, ecx
		mov	[ebp+var_69], cl
		mov	[ebp+var_60], ecx
		mov	byte ptr [ebp+var_5A+1], cl
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_88], ecx
		mov	[ebp+var_7C], ecx
		lea	ecx, [ebp+var_C8]
		mov	[ebp+var_A0], eax
		mov	[ebp+var_C4], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_CC], eax
		mov	[ebp+var_5C], al
		mov	byte ptr [ebp+var_5A], al
		mov	[ebp+var_90], eax
		mov	[ebp+var_A4], eax
		mov	[ebp+var_94], esi
		call	PiPnpRtlBeginOperation
		mov	edx, 2000000h
		mov	ecx, ebx
		call	PipClearDevNodeFlags
		lea	eax, [ebp+var_E4]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_9C]
		call	_PnpQueryDeviceID@12 ; PnpQueryDeviceID(x,x,x)
		test	eax, eax
		js	loc_8E1E94

loc_873A41:				; CODE XREF: PiProcessNewDeviceNode+6E5A5j
					; PiProcessNewDeviceNode+6E5B1j
		lea	edx, [ebp+var_48]
		mov	ecx, esi
		call	_PpIrpQueryCapabilities@8 ; PpIrpQueryCapabilities(x,x)
		push	2
		pop	edx
		mov	ecx, ebx
		mov	esi, eax
		call	PipClearDevNodeUserFlags
		mov	eax, [ebp+var_44]
		xor	edx, edx
		xor	ecx, ecx
		inc	edx
		mov	[ebp+var_5B], cl
		test	esi, esi
		js	short loc_873A79
		test	eax, 20000h
		jnz	loc_8743F4

loc_873A71:				; CODE XREF: PiProcessNewDeviceNode+B08j
		test	al, 40h
		jnz	loc_87431A

loc_873A79:				; CODE XREF: PiProcessNewDeviceNode+166j
					; PiProcessNewDeviceNode+A1Fj
		test	al, 20h
		jnz	loc_8E1EB4
		mov	eax, ecx

loc_873A83:				; CODE XREF: PiProcessNewDeviceNode+6E5CDj
		mov	[ebx+174h], eax
		lea	edi, [ebp+var_104]
		xor	eax, eax
		or	[ebp+var_D8], 0FFFFFFFFh
		stosd
		or	[ebp+var_D4], 0FFFFFFFFh
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_104]
		push	eax		; void *
		push	ecx		; int
		mov	ecx, [ebp+var_94]
		push	14h		; __int16
		push	edx		; __int16
		mov	edx, offset _GUID_PNP_EXTENDED_ADDRESS_INTERFACE
		call	PnpQueryInterface
		test	eax, eax
		jns	loc_8E1ED0

loc_873AC7:				; CODE XREF: PiProcessNewDeviceNode+6E5DAj
					; PiProcessNewDeviceNode+6E5EAj ...
		lea	eax, [ebp+var_84]
		xor	edx, edx
		push	eax
		push	ecx
		mov	ecx, [ebx+10h]
		call	_PnpQueryDeviceText@16 ; PnpQueryDeviceText(x,x,x,x)
		lea	eax, [ebp+var_98]
		push	eax
		xor	eax, eax
		push	ecx
		mov	ecx, [ebx+10h]
		lea	edx, [eax+1]
		call	_PnpQueryDeviceText@16 ; PnpQueryDeviceText(x,x,x,x)
		lea	eax, [ebp+var_68]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		push	3
		pop	edx
		call	PnpQueryID
		cmp	[ebp+var_5B], 0
		mov	esi, eax
		jnz	loc_874322
		test	dword ptr [ebx+10Ch], 2000h
		jnz	loc_8E1F18

loc_873B1C:				; CODE XREF: PiProcessNewDeviceNode+6E627j
		mov	ecx, [ebx+8]
		cmp	ecx, _IopRootDeviceNode
		jz	loc_87432F
		mov	edi, [ebp+var_70]
		lea	eax, [ebp+var_78]
		mov	ecx, [ecx+10h]
		mov	edx, edi
		push	eax
		call	PipMakeGloballyUniqueId
		mov	esi, eax
		test	edi, edi
		jz	short loc_873B4B
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_873B4B:				; CODE XREF: PiProcessNewDeviceNode+242j
		mov	eax, [ebp+var_78]

loc_873B4E:				; CODE XREF: PiProcessNewDeviceNode+A34j
		mov	edi, [ebp+var_90]
		mov	[ebp+var_68], eax

loc_873B57:				; CODE XREF: PiProcessNewDeviceNode+6E78Ej
		test	esi, esi
		js	loc_8E1F52

loc_873B5F:				; CODE XREF: PiProcessNewDeviceNode+6E66Dj
					; PiProcessNewDeviceNode+6E68Ej
		mov	edx, [ebp+var_9C]
		mov	ecx, ebx
		push	eax
		push	[ebp+var_E4]
		call	PiBuildDeviceNodeInstancePath
		mov	esi, eax
		test	esi, esi
		js	loc_8E1FB0
		test	byte_6CD8BB, 8
		jnz	loc_8E1F91

loc_873B8A:				; CODE XREF: PiProcessNewDeviceNode+6E69Dj
		lea	eax, [ebp+var_CC]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_A4]
		call	_PiCreateDeviceInstanceKey@12 ;	PiCreateDeviceInstanceKey(x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_CC]
		mov	[ebp+var_64], eax
		test	esi, esi
		js	loc_8E1FA0
		dec	eax
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFE0000h
		add	eax, 20000h
		mov	[ebp+var_7C], eax

loc_873BC3:				; CODE XREF: PiProcessNewDeviceNode+6E6ADj
		mov	edi, [ebp+var_A4]
		mov	[ebp+var_90], edi
		test	esi, esi
		js	loc_8E1FB0

loc_873BD7:				; CODE XREF: PiProcessNewDeviceNode+6E6B8j
		mov	ecx, [ebp+var_94]
		xor	eax, eax
		inc	eax
		push	eax
		push	10h
		pop	edx
		call	PpMarkDeviceStackExtensionFlag
		push	ecx
		mov	edx, 302h
		mov	ecx, ebx
		call	PipSetDevNodeState
		test	dword ptr [ebx+10Ch], 2000h
		mov	esi, [ebp+var_84]
		jnz	loc_8E1FBB

loc_873C0C:				; CODE XREF: PiProcessNewDeviceNode+6E6DEj
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_64], eax
		jz	loc_8E2293
		lea	ecx, [ebx+14h]
		mov	edx, 65706E50h
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_8E1FE1

loc_873C2F:				; CODE XREF: PiProcessNewDeviceNode+6E990j
					; PiProcessNewDeviceNode+6E9F7j
		test	dword ptr [ebx+10Ch], 2000h
		jnz	loc_8E22FA

loc_873C3F:				; CODE XREF: PiProcessNewDeviceNode+6E6C6j
					; PiProcessNewDeviceNode+6E6CFj ...
		test	edi, edi
		jz	loc_8E2313
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_64], eax
		jz	short loc_873C59
		mov	ecx, [ebx+18h]
		mov	edx, edi
		call	_PnpClearDeviceTemporaryProperties@8 ; PnpClearDeviceTemporaryProperties(x,x)

loc_873C59:				; CODE XREF: PiProcessNewDeviceNode+34Fj
		mov	ecx, [ebx+8]
		mov	esi, [ebp+var_7C]
		mov	edx, [ebx+18h]
		push	esi
		movzx	eax, word ptr [ecx+14h]
		add	eax, 2
		push	eax
		push	dword ptr [ecx+18h]
		mov	ecx, _PiPnpRtlCtx
		xor	eax, eax
		push	12h
		push	offset _DEVPKEY_Device_LastKnownParent ; "&cڃ@S?W;)\n"
		push	eax
		push	edi
		inc	eax
		push	eax
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	edx, [ebx+18h]
		lea	eax, [ebp+var_F0]
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	8
		push	eax
		push	10h
		push	offset _DEVPKEY_Device_LastArrivalDate ; "&cڃ@S?W;)f"
		xor	eax, eax
		push	eax
		push	edi
		inc	eax
		push	eax
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	edx, [ebx+18h]
		xor	eax, eax
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_LastRemovalDate ; "&cڃ@S?W;)g"
		push	eax
		push	edi
		inc	eax
		push	eax
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	edx, [ebx+18h]
		xor	eax, eax
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	4
		push	offset _PnpCurrentHardwareConfigurationIndex
		push	7
		push	offset _DEVPKEY_Device_HardwareConfigurationIndex
		push	eax
		push	edi
		inc	eax
		push	eax
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_873CEB:				; CODE XREF: PiProcessNewDeviceNode+6EA18j
		test	[ebp+var_44], 4000h
		jnz	loc_8E231B

loc_873CF8:				; CODE XREF: PiProcessNewDeviceNode+6EA34j
					; PiProcessNewDeviceNode+6EA3Dj ...
		test	dword ptr [ebx+10Ch], 2000h
		jnz	loc_8E2350

loc_873D08:				; CODE XREF: PiProcessNewDeviceNode+6EA73j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	eax, eax
		inc	eax
		push	eax
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceSharedLite
		test	edi, edi
		jz	short loc_873D2C
		cmp	[ebp+var_98], 0
		jnz	loc_87438A

loc_873D2C:				; CODE XREF: PiProcessNewDeviceNode+41Fj
					; PiProcessNewDeviceNode+ACCj
		xor	eax, eax
		lea	edx, [ebp+var_48]
		inc	eax
		mov	ecx, ebx
		cmp	[ebp+var_64], eax
		setz	byte ptr [ebp+var_A8]
		push	[ebp+var_A8]
		call	_PnpSaveDeviceCapabilities@12 ;	PnpSaveDeviceCapabilities(x,x,x)
		mov	eax, [ebp+var_D8]
		and	eax, [ebp+var_D4]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_8E2376

loc_873D5E:				; CODE XREF: PiProcessNewDeviceNode+6EA9Dj
		mov	edx, [ebx+18h]
		xor	eax, eax
		mov	ecx, _PiPnpRtlCtx
		inc	eax
		cmp	[ebp+var_64], eax
		mov	[ebp+var_B8], 4
		setz	byte ptr [ebp+var_5A+1]
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_B8]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_E8]
		push	eax
		push	0Bh
		push	edi
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_8E23E4
		cmp	[ebp+var_E8], 4
		jnz	loc_8E23E4
		cmp	[ebp+var_B8], 4
		jnz	loc_8E23E4
		mov	eax, [ebp+var_60]
		test	al, 20h
		jnz	loc_8E23A0
		test	al, 40h
		jnz	loc_8E23DF

loc_873DCD:				; CODE XREF: PiProcessNewDeviceNode+6EADCj
					; PiProcessNewDeviceNode+6EB12j
		mov	ecx, [ebx+10h]
		lea	edx, [ebx+14h]
		call	_PnpMapDeviceObjectToDeviceInstance@8 ;	PnpMapDeviceObjectToDeviceInstance(x,x)
		test	eax, eax
		js	loc_8E2415

loc_873DE0:				; CODE XREF: PiProcessNewDeviceNode+6EB1Dj
		cmp	_PnpBootMode, 0
		jz	loc_8743E2
		or	dword ptr [ebx+1C8h], 1000h
		push	2
		pop	eax
		mov	[ebp+var_B4], eax

loc_873E00:				; CODE XREF: PiProcessNewDeviceNode+AEBj
					; PiProcessNewDeviceNode+6EB28j
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_873E0F:				; CODE XREF: PiProcessNewDeviceNode+6EA5Bj
					; PiProcessNewDeviceNode+6EA64j ...
		lea	eax, [ebp+var_AC]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		xor	eax, eax
		lea	edx, [eax+1]
		call	PnpQueryID
		mov	ecx, [ebp+var_74]
		call	KseAddHardwareId
		lea	eax, [ebp+var_8C]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		push	2
		pop	edx
		call	PnpQueryID
		mov	edx, [ebp+var_80]
		lea	eax, [ebx+1BCh]
		mov	ecx, [ebp+var_74]
		push	eax
		call	_PnpGenerateDeviceIdsHash@12 ; PnpGenerateDeviceIdsHash(x,x,x)
		mov	ecx, [ebx+10h]
		lea	eax, [ebp+var_BC]
		push	eax
		push	5
		pop	edx
		call	_PnpIrpQueryID@12 ; PnpIrpQueryID(x,x,x)
		mov	esi, [ebp+var_BC]
		mov	[ebp+var_70], esi
		test	esi, esi
		jnz	loc_87440B

loc_873E78:				; CODE XREF: PiProcessNewDeviceNode+B2Cj
					; PiProcessNewDeviceNode+6EB3Dj
		mov	edx, [ebp+var_74]
		lea	eax, [ebp+var_B0]
		push	eax
		push	[ebp+var_80]
		mov	ecx, ebx
		call	PiQueryRemovableDeviceOverride
		test	eax, eax
		jns	short loc_873EB9
		test	byte ptr [ebp+var_44], 20h
		jnz	short loc_873EA9
		test	[ebp+var_44], 40000h
		jnz	short loc_873EA9
		test	byte ptr [ebp+var_44], 10h
		jnz	loc_87443D

loc_873EA9:				; CODE XREF: PiProcessNewDeviceNode+596j
					; PiProcessNewDeviceNode+59Fj
		xor	eax, eax

loc_873EAB:				; CODE XREF: PiProcessNewDeviceNode+B42j
		mov	byte ptr [ebp+var_B0], al
		test	esi, esi
		jnz	loc_874435

loc_873EB9:				; CODE XREF: PiProcessNewDeviceNode+590j
		mov	edx, [ebp+var_64]
		lea	eax, [ebp+var_C0]
		dec	edx
		mov	ecx, ebx
		neg	edx
		push	eax
		push	esi
		push	[ebp+var_B0]
		sbb	edx, edx
		and	edx, edi
		call	PipGenerateContainerID
		test	eax, eax
		js	loc_874435
		test	esi, esi
		jnz	loc_8E2440

loc_873EE8:				; CODE XREF: PiProcessNewDeviceNode+6EB4Bj
		mov	eax, [ebp+var_C0]
		mov	[ebp+var_70], eax

loc_873EF1:				; CODE XREF: PiProcessNewDeviceNode+B3Aj
		lea	esi, [ebx+1A8h]
		test	eax, eax
		jz	loc_8E244E
		push	eax
		lea	eax, [ebp+var_E0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_E0]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	loc_8E244E

loc_873F21:				; CODE XREF: PiProcessNewDeviceNode+6EB5Ej
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	eax, eax
		mov	esi, offset _PnpRegistryDeviceResource
		inc	eax
		push	eax
		push	esi
		call	ExAcquireResourceSharedLite
		push	20h
		pop	edx
		mov	ecx, ebx
		call	PipSetDevNodeFlags
		mov	ecx, esi
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		jz	short loc_873F83
		mov	esi, [ebp+var_70]
		test	esi, esi
		jz	short loc_873F83
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	eax, eax
		inc	eax
		push	eax
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [ebx+18h]
		mov	edx, edi
		push	esi
		call	PiDcUpdateDeviceContainerMembership
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_873F83:				; CODE XREF: PiProcessNewDeviceNode+64Fj
					; PiProcessNewDeviceNode+656j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	eax, eax
		inc	eax
		push	eax
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceSharedLite
		test	edi, edi
		jz	loc_874058
		cmp	byte ptr [ebp+var_5A+1], 0
		jnz	short loc_873FFB
		xor	ecx, ecx
		inc	ecx
		cmp	[ebp+var_64], ecx
		jz	short loc_873FFB
		lea	eax, [ebp+var_5A]
		mov	edx, edi
		push	eax
		push	ecx
		push	[ebp+var_AC]
		mov	ecx, ebx
		push	[ebp+var_74]
		call	PnpCheckDeviceIdsChanged
		test	eax, eax
		sets	al
		dec	al
		and	al, byte ptr [ebp+var_5A]
		mov	[ebp+var_5C], al
		mov	byte ptr [ebp+var_5A], al
		jnz	short loc_873FFB
		lea	eax, [ebp+var_5A]
		mov	edx, edi
		push	eax
		xor	eax, eax
		mov	ecx, ebx
		push	eax
		push	[ebp+var_8C]
		push	[ebp+var_80]
		call	PnpCheckDeviceIdsChanged
		test	eax, eax
		sets	al
		dec	al
		and	al, byte ptr [ebp+var_5A]
		mov	[ebp+var_5C], al

loc_873FFB:				; CODE XREF: PiProcessNewDeviceNode+6A4j
					; PiProcessNewDeviceNode+6ACj ...
		cmp	[ebp+var_74], 0
		mov	esi, [ebp+var_7C]
		jz	short loc_874021
		mov	edx, [ebx+18h]
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	[ebp+var_AC]
		push	[ebp+var_74]
		push	7
		push	2
		push	edi
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)

loc_874021:				; CODE XREF: PiProcessNewDeviceNode+704j
		cmp	[ebp+var_80], 0
		jz	short loc_874044
		mov	edx, [ebx+18h]
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	[ebp+var_8C]
		push	[ebp+var_80]
		push	7
		push	3
		push	edi
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)

loc_874044:				; CODE XREF: PiProcessNewDeviceNode+727j
		cmp	[ebp+var_5C], 0
		jnz	loc_8E2461
		cmp	[ebp+var_69], 0
		jnz	loc_8E2461

loc_874058:				; CODE XREF: PiProcessNewDeviceNode+69Aj
					; PiProcessNewDeviceNode+6EBD4j ...
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		jz	loc_874105
		xor	ecx, ecx
		mov	eax, ecx
		mov	[ebp+var_78], ecx
		mov	esi, ecx
		mov	[ebp+var_8C], ecx
		cmp	[ebp+var_84], eax
		jnz	loc_874337

loc_87408A:				; CODE XREF: PiProcessNewDeviceNode+A74j
		push	[ebp+var_7C]
		mov	edx, [ebx+18h]
		neg	eax
		push	esi
		push	[ebp+var_84]
		sbb	eax, eax
		and	eax, 7
		add	eax, 12h
		push	eax
		push	(offset	loc_4058A5+3)
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		xor	eax, eax
		push	edi
		inc	eax
		push	eax
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		lea	eax, [ebp+var_8C]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_78]
		call	PnpGetDeviceLocationStrings
		test	eax, eax
		js	short loc_874105
		push	[ebp+var_7C]
		mov	eax, [ebp+var_8C]
		mov	edx, [ebx+18h]
		add	eax, eax
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	[ebp+var_78]
		xor	eax, eax
		push	2012h
		push	offset _DEVPKEY_Device_LocationPaths
		push	eax
		push	edi
		inc	eax
		push	eax
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		push	eax
		push	[ebp+var_78]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_874105:				; CODE XREF: PiProcessNewDeviceNode+76Bj
					; PiProcessNewDeviceNode+7CDj
		mov	ecx, ebx
		call	_PnpQueryBusInformation@4 ; PnpQueryBusInformation(x)
		mov	ecx, ebx
		call	PiDmaGuardProcessNewDeviceNode
		test	eax, eax
		js	loc_8E24F0

loc_87411B:				; CODE XREF: PiProcessNewDeviceNode+6EBF8j
		test	[ebp+var_44], 4000h
		jnz	short loc_87414B
		test	dword ptr [ebx+10Ch], 2000h
		jnz	loc_8E24FB

loc_874134:				; CODE XREF: PiProcessNewDeviceNode+6EC0Aj
		cmp	byte ptr [ebp+var_5A+1], 0
		jnz	loc_8E250D
		test	edi, edi
		jz	short loc_87414B
		mov	edx, edi
		mov	ecx, ebx
		call	PpDevCfgProcessDeviceOperations

loc_87414B:				; CODE XREF: PiProcessNewDeviceNode+824j
					; PiProcessNewDeviceNode+842j ...
		mov	esi, [ebp+var_64]

loc_87414E:				; CODE XREF: PiProcessNewDeviceNode+6EC2Bj
		mov	ecx, ebx
		call	PiQueryResourceRequirements
		test	dword ptr [ebx+10Ch], 2000h
		jnz	loc_8E252E

loc_874165:				; CODE XREF: PiProcessNewDeviceNode+6EC6Cj
		xor	eax, eax
		lea	edx, [ebx+14h]
		inc	eax
		mov	ecx, edi
		push	eax
		call	PnpIsDeviceInstanceEnabled

loc_874173:				; CODE XREF: PiProcessNewDeviceNode+6EC39j
					; PiProcessNewDeviceNode+6EC42j ...
		test	edi, edi
		jz	short loc_874192
		xor	eax, eax
		mov	edx, edi
		inc	eax
		mov	ecx, ebx
		cmp	esi, eax
		setz	byte ptr [ebp+var_A0]
		push	[ebp+var_A0]
		call	PnpInitializeSessionId

loc_874192:				; CODE XREF: PiProcessNewDeviceNode+877j
		mov	ecx, ebx
		call	PiQueryAndAllocateBootResources
		test	dword ptr [ebx+10Ch], 2000h
		jnz	loc_8E256F

loc_8741A9:				; CODE XREF: PiProcessNewDeviceNode+6EC92j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	eax, eax
		inc	eax
		push	eax
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceSharedLite
		xor	eax, eax
		lea	edx, [ebp+var_48]
		inc	eax
		mov	ecx, ebx
		cmp	esi, eax
		setz	byte ptr [ebp+var_A0]
		push	[ebp+var_A0]
		call	_PnpSaveDeviceCapabilities@12 ;	PnpSaveDeviceCapabilities(x,x,x)
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, ebx
		call	PpHotSwapUpdateRemovalPolicy
		xor	eax, eax
		lea	ecx, [ebx+14h]
		push	eax
		lea	eax, [ebx+1Ch]
		push	eax
		xor	eax, eax
		lea	edx, [eax+1]
		call	_PpDeviceRegistration@16 ; PpDeviceRegistration(x,x,x,x)
		test	eax, eax
		js	loc_8E2595

loc_87420A:				; CODE XREF: PiProcessNewDeviceNode+6EC7Aj
					; PiProcessNewDeviceNode+6EC83j ...
		test	dword ptr [ebx+10Ch], 2000h
		jnz	loc_8E25A5

loc_87421A:				; CODE XREF: PiProcessNewDeviceNode+6ECBFj
		mov	esi, [ebp+var_94]
		mov	ecx, esi
		call	_PnpIrpDeviceEnumerated@4 ; PnpIrpDeviceEnumerated(x)
		test	edi, edi
		jz	short loc_874235
		push	ecx
		mov	edx, edi
		mov	ecx, ebx
		call	_PiUpdateDevicePanel@12	; PiUpdateDevicePanel(x,x,x)

loc_874235:				; CODE XREF: PiProcessNewDeviceNode+92Bj
		mov	edx, [ebx+18h]
		xor	eax, eax
		inc	eax
		push	eax
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	edx, [ebx+18h]
		push	0Eh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	edx, esi
		mov	ecx, offset _GUID_DEVICE_ENUMERATED
		call	PnpSetPlugPlayEvent
		mov	ecx, ebx
		call	_PnpNewDeviceNodeDependencyCheck@4 ; PnpNewDeviceNodeDependencyCheck(x)

loc_87425E:				; CODE XREF: PiProcessNewDeviceNode+6ECB0j
					; PiProcessNewDeviceNode+6ECB9j
		cmp	[ebp+var_74], 0
		jz	short loc_87426F
		xor	eax, eax
		push	eax
		push	[ebp+var_74]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_87426F:				; CODE XREF: PiProcessNewDeviceNode+964j
		cmp	[ebp+var_80], 0
		jz	short loc_874280
		xor	eax, eax
		push	eax
		push	[ebp+var_80]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_874280:				; CODE XREF: PiProcessNewDeviceNode+975j
		mov	eax, [ebp+var_70]
		xor	esi, esi
		test	eax, eax
		jz	short loc_874290
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_874290:				; CODE XREF: PiProcessNewDeviceNode+989j
		test	edi, edi
		jz	short loc_87429A
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_87429A:				; CODE XREF: PiProcessNewDeviceNode+994j
		mov	eax, [ebp+var_68]
		test	eax, eax
		jz	short loc_8742A8
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8742A8:				; CODE XREF: PiProcessNewDeviceNode+9A1j
		cmp	[ebp+var_98], 0
		jnz	loc_8743CF

loc_8742B5:				; CODE XREF: PiProcessNewDeviceNode+ADFj
		cmp	[ebp+var_84], 0
		jnz	loc_874377

loc_8742C2:				; CODE XREF: PiProcessNewDeviceNode+A87j
		cmp	[ebp+var_9C], 0
		jz	short loc_8742D9
		xor	eax, eax
		push	eax
		push	[ebp+var_9C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8742D9:				; CODE XREF: PiProcessNewDeviceNode+9CBj
		mov	ecx, [ebp+var_C8]
		test	ecx, ecx
		jz	short loc_8742E8
		call	PiPnpRtlEndOperation

loc_8742E8:				; CODE XREF: PiProcessNewDeviceNode+9E3j
		test	byte_6CD8BB, 8
		jnz	loc_8E25C2

loc_8742F5:				; CODE XREF: PiProcessNewDeviceNode+6ECD2j
		mov	esi, [ebp+var_88]
		xor	eax, eax
		cmp	[ebx+174h], eax
		jnz	loc_8E25D5

loc_874309:				; CODE XREF: PiProcessNewDeviceNode+6ECE0j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_87431A:				; CODE XREF: PiProcessNewDeviceNode+175j
		mov	[ebp+var_5B], dl
		jmp	loc_873A79
; 

loc_874322:				; CODE XREF: PiProcessNewDeviceNode+208j
		mov	eax, 0C00000BBh
		cmp	esi, eax
		jz	loc_8E1F2A

loc_87432F:				; CODE XREF: PiProcessNewDeviceNode+227j
					; PiProcessNewDeviceNode+6E621j ...
		mov	eax, [ebp+var_70]
		jmp	loc_873B4E
; 

loc_874337:				; CODE XREF: PiProcessNewDeviceNode+786j
		mov	ecx, [ebp+var_84]
		xor	esi, esi
		lea	edx, [ecx+2]

loc_874342:				; CODE XREF: PiProcessNewDeviceNode+A4Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_874342
		sub	ecx, edx
		lea	eax, [ebp+var_8C]
		sar	ecx, 1
		push	eax
		lea	eax, [ebp+var_78]
		push	eax
		lea	esi, ds:2[ecx*2]
		mov	ecx, [ebp+var_84]
		mov	edx, esi
		call	PnpFindAlternateStringData
		xor	ecx, ecx
		jmp	loc_87408A
; 

loc_874377:				; CODE XREF: PiProcessNewDeviceNode+9BEj
		xor	eax, eax
		push	eax
		push	[ebp+var_84]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8742C2
; 

loc_87438A:				; CODE XREF: PiProcessNewDeviceNode+428j
		mov	ecx, [ebp+var_98]
		lea	edx, [ecx+2]

loc_874393:				; CODE XREF: PiProcessNewDeviceNode+AA2j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_A8]
		jnz	short loc_874393
		sub	ecx, edx
		mov	edx, [ebx+18h]
		sar	ecx, 1
		push	esi
		lea	eax, ds:2[ecx*2]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	[ebp+var_98]
		xor	eax, eax
		inc	eax
		push	eax
		push	0Eh
		push	edi
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		jmp	loc_873D2C
; 

loc_8743CF:				; CODE XREF: PiProcessNewDeviceNode+9B1j
		xor	eax, eax
		push	eax
		push	[ebp+var_98]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8742B5
; 

loc_8743E2:				; CODE XREF: PiProcessNewDeviceNode+4E9j
		test	[ebp+var_60], 40000h
		jz	loc_873E00
		jmp	loc_8E2420
; 

loc_8743F4:				; CODE XREF: PiProcessNewDeviceNode+16Dj
		push	2
		pop	edx
		mov	ecx, ebx
		call	PipSetDevNodeUserFlags
		mov	eax, [ebp+var_44]
		xor	edx, edx
		xor	ecx, ecx
		inc	edx
		jmp	loc_873A71
; 

loc_87440B:				; CODE XREF: PiProcessNewDeviceNode+574j
		push	esi
		lea	eax, [ebp+var_E0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_5A+2]
		push	eax
		lea	eax, [ebp+var_E0]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		jns	loc_873E78
		jmp	loc_8E242B
; 

loc_874435:				; CODE XREF: PiProcessNewDeviceNode+5B5j
					; PiProcessNewDeviceNode+5DCj
		mov	eax, [ebp+var_70]
		jmp	loc_873EF1
; 

loc_87443D:				; CODE XREF: PiProcessNewDeviceNode+5A5j
		xor	eax, eax
		inc	eax
		jmp	loc_873EAB
PiProcessNewDeviceNode endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpQueryID	proc near		; CODE XREF: PnpQueryDeviceID(x,x,x)+25p
					; PipProcessStartPhase3+125p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E25E3 SIZE 00000099 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		sub	esp, 0Ch
		and	dword ptr [eax], 0
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		push	eax
		mov	edi, edx
		mov	ecx, [ebx+10h]
		call	_PnpIrpQueryID@12 ; PnpIrpQueryID(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8744D2
		test	edi, edi
		jz	short loc_8744B0
		jle	loc_874516
		cmp	edi, 2
		jg	short loc_8744C2
		mov	eax, [ebx+8]
		mov	edx, 400h
		add	eax, 1Ch
		push	eax
		push	0FFFFFFFFh
		push	1

loc_87448C:				; CODE XREF: PnpQueryID+7Aj
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx]
		call	PnpFixupID

loc_874496:				; CODE XREF: PnpQueryID+D2j
		mov	ecx, [ebp+arg_4]
		add	eax, eax
		mov	[ecx], eax
		jz	loc_8E25E3

loc_8744A3:				; CODE XREF: PnpQueryID+6E1A2j
		test	esi, esi
		js	short loc_8744D2

loc_8744A7:				; CODE XREF: PnpQueryID+BCj
					; PnpQueryID+6E231j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8744B0:				; CODE XREF: PnpQueryID+29j
		mov	eax, [ebx+8]
		add	eax, 1Ch
		push	eax
		push	1

loc_8744B9:				; CODE XREF: PnpQueryID+8Aj
		push	0
		mov	edx, 0C8h
		jmp	short loc_87448C
; 

loc_8744C2:				; CODE XREF: PnpQueryID+34j
		cmp	edi, 3
		jnz	short loc_874516
		mov	eax, [ebx+8]
		add	eax, 1Ch
		push	eax
		push	0
		jmp	short loc_8744B9
; 

loc_8744D2:				; CODE XREF: PnpQueryID+25j
					; PnpQueryID+5Fj
		cmp	esi, 0C0040038h
		jz	loc_8E25ED
		test	edi, edi
		jz	loc_8E25ED
		cmp	edi, 3
		jz	short loc_874509

loc_8744EB:				; CODE XREF: PnpQueryID+C9j
					; PnpQueryID+6E1C0j ...
		cmp	esi, 0C0040038h
		jz	short loc_8744FB
		test	edi, edi
		jz	loc_8E2621

loc_8744FB:				; CODE XREF: PnpQueryID+ABj
					; PnpQueryID+6E1E1j ...
		mov	ebx, [ebp+arg_0]
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_8744A7
		jmp	loc_8E2666
; 

loc_874509:				; CODE XREF: PnpQueryID+A3j
		cmp	esi, 0C000009Ah
		jnz	short loc_8744EB
		jmp	loc_8E25ED
; 

loc_874516:				; CODE XREF: PnpQueryID+2Bj
					; PnpQueryID+7Fj
		xor	eax, eax
		jmp	loc_874496
PnpQueryID	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpIrpQueryID(x, x,	x)
_PnpIrpQueryID@12 proc near		; CODE XREF: PiProcessNewDeviceNode+564p
					; PnpQueryID+1Cp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		push	9
		and	dword ptr [ebx], 0
		lea	edi, [ebp+var_24]
		mov	esi, ecx
		pop	ecx
		rep stosd
		push	ebx
		xor	edi, edi
		mov	[ebp+var_20], edx
		push	edi
		push	0C00000BBh
		lea	edx, [ebp+var_24]
		mov	word ptr [ebp+var_24], 131Bh
		mov	ecx, esi
		call	IopSynchronousCall
		test	eax, eax
		js	short loc_874566
		cmp	[ebx], edi
		jz	short loc_87456A

loc_87455F:				; CODE XREF: PnpIrpQueryID(x,x,x)+4Aj
					; PnpIrpQueryID(x,x,x)+51j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_874566:				; CODE XREF: PnpIrpQueryID(x,x,x)+3Bj
		mov	[ebx], edi
		jmp	short loc_87455F
; 

loc_87456A:				; CODE XREF: PnpIrpQueryID(x,x,x)+3Fj
		mov	eax, 0C00000BBh
		jmp	short loc_87455F
_PnpIrpQueryID@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpFixupID	proc near		; CODE XREF: PnpQueryID+4Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E267C SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		xor	eax, eax
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], eax
		lea	edx, [ebx+edx*2]
		mov	esi, ebx
		cmp	ebx, edx
		jnb	loc_8E26BD
		mov	[ebp+var_8], 5Fh

loc_87459A:				; CODE XREF: PnpFixupID+58j
		movzx	ecx, word ptr [esi]
		test	cx, cx
		jz	short loc_8745F1
		cmp	ecx, 20h
		jz	short loc_874617
		lea	eax, [ecx-20h]
		cmp	ax, word ptr [ebp+var_8]
		ja	loc_8E26A0
		cmp	ecx, 2Ch
		jz	loc_8E26A0
		cmp	ecx, 5Ch
		jz	short loc_874609

loc_8745C2:				; CODE XREF: PnpFixupID+9Ej
		mov	eax, [ebp+var_4]

loc_8745C5:				; CODE XREF: PnpFixupID+95j
					; PnpFixupID+ABj
		add	esi, 2
		cmp	esi, edx
		jb	short loc_87459A

loc_8745CC:				; CODE XREF: PnpFixupID+83j
					; PnpFixupID+8Ej
		cmp	esi, edx
		jnb	loc_8E26BD
		cmp	[ebp+arg_4], 0FFFFFFFFh
		jz	short loc_8745E3
		cmp	edi, [ebp+arg_4]
		jnz	loc_8E26BD

loc_8745E3:				; CODE XREF: PnpFixupID+66j
		sub	esi, ebx
		sar	esi, 1
		lea	eax, [esi+1]

loc_8745EA:				; CODE XREF: PnpFixupID+6E17Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_8745F1:				; CODE XREF: PnpFixupID+2Ej
		cmp	[ebp+arg_0], 0
		jz	short loc_8745CC
		test	eax, eax
		jz	short loc_874602
		add	eax, 2
		cmp	esi, eax
		jz	short loc_8745CC

loc_874602:				; CODE XREF: PnpFixupID+87j
		mov	eax, esi
		mov	[ebp+var_4], eax
		jmp	short loc_8745C5
; 

loc_874609:				; CODE XREF: PnpFixupID+4Ej
		inc	edi
		mov	[ebp+var_10], edi
		cmp	edi, [ebp+arg_4]
		jbe	short loc_8745C2
		jmp	loc_8E267C
; 

loc_874617:				; CODE XREF: PnpFixupID+33j
		push	5Fh
		pop	ecx
		mov	[esi], cx
		jmp	short loc_8745C5
PnpFixupID	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpCheckDeviceIdsChanged proc near	; CODE XREF: PipProcessStartPhase3+1EBp
					; PipProcessStartPhase3+318p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E26F1 SIZE 00000115 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_14], edx
		xor	edx, edx
		mov	[ebp+var_18], ecx
		xor	ebx, ebx
		mov	[ebp+var_1C], edx
		cmp	byte ptr [ebp+arg_8], dl
		push	edi
		setz	bl
		mov	[ebp+var_8], edx
		add	ebx, 2
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		mov	[eax], dl
		test	esi, esi
		jz	loc_8E26F1

loc_874659:				; CODE XREF: PnpCheckDeviceIdsChanged+6E0FDj
		mov	eax, 200h
		push	75737050h
		push	eax
		push	1
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_4], edi
		test	edi, edi
		jz	loc_8E2722
		mov	edx, [ebp+var_18]
		xor	eax, eax
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [ebp+var_8]
		mov	edx, [edx+18h]
		push	eax
		push	edi
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		push	esi
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_8747DA

loc_8746A8:				; CODE XREF: PnpCheckDeviceIdsChanged+200j
		test	esi, esi
		js	loc_8747BE
		cmp	[ebp+var_10], 7
		jnz	loc_8E27C4
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_8E274E
		mov	eax, [ebp+var_8]
		cmp	[ebp+arg_4], eax
		jnz	loc_8E274E
		mov	ebx, [ebp+var_4]
		xor	eax, eax
		mov	edx, edi
		mov	[ebp+arg_4], edi
		mov	ecx, ebx
		mov	[ebp+arg_8], ebx
		cmp	[edi], ax
		jz	loc_874776

loc_8746E9:				; CODE XREF: PnpCheckDeviceIdsChanged+150j
		cmp	[ecx], ax
		jz	loc_874776
		mov	ecx, edx
		xor	ebx, ebx
		lea	eax, [ecx+2]
		mov	[ebp+var_18], eax

loc_8746FC:				; CODE XREF: PnpCheckDeviceIdsChanged+E5j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_8746FC
		sub	ecx, [ebp+var_18]
		sar	ecx, 1
		xor	ebx, ebx
		lea	eax, [ecx+1]
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_18], eax
		lea	eax, [ecx+2]
		mov	[ebp+var_14], eax

loc_87471D:				; CODE XREF: PnpCheckDeviceIdsChanged+106j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_87471D
		sub	ecx, [ebp+var_14]
		sar	ecx, 1
		lea	eax, [ecx+1]
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_14], eax
		cmp	ecx, eax
		jnz	loc_8E272C
		push	1
		push	eax
		push	[ebp+arg_8]
		push	ecx
		push	edx
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		mov	edx, [ebp+arg_4]
		test	eax, eax
		jnz	loc_8E272C
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+arg_8]
		lea	edx, [edx+eax*2]
		mov	eax, [ebp+var_14]
		mov	[ebp+arg_4], edx
		lea	ecx, [ecx+eax*2]
		xor	eax, eax
		mov	[ebp+arg_8], ecx
		cmp	[edx], ax
		jnz	loc_8746E9

loc_874776:				; CODE XREF: PnpCheckDeviceIdsChanged+C3j
					; PnpCheckDeviceIdsChanged+CCj
		mov	eax, [ebp+arg_C]

loc_874779:				; CODE XREF: PnpCheckDeviceIdsChanged+6E115j
		mov	bl, [eax]
		mov	byte ptr [ebp+arg_8+3],	bl
		test	bl, bl
		mov	ebx, [ebp+var_4]
		jnz	loc_8E2741
		xor	ebx, ebx
		cmp	[edx], bx
		mov	ebx, [ebp+var_4]
		jnz	loc_8E273A
		xor	edx, edx
		cmp	[ecx], dx
		jnz	loc_8E273A

loc_8747A2:				; CODE XREF: PnpCheckDeviceIdsChanged+1B8j
					; PnpCheckDeviceIdsChanged+6E126j ...
		xor	edi, edi
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8747AB:				; CODE XREF: PnpCheckDeviceIdsChanged+6E0F1j
					; PnpCheckDeviceIdsChanged+6E107j
		cmp	[ebp+var_C], 0
		jnz	loc_8E27F9

loc_8747B5:				; CODE XREF: PnpCheckDeviceIdsChanged+6E1E1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_8747BE:				; CODE XREF: PnpCheckDeviceIdsChanged+8Aj
		cmp	esi, 0C0000225h
		jnz	short loc_8747D5
		mov	edx, [ebp+arg_0]
		xor	ebx, ebx
		mov	esi, ebx
		test	edx, edx
		jnz	loc_8E27CE

loc_8747D5:				; CODE XREF: PnpCheckDeviceIdsChanged+1A4j
					; PnpCheckDeviceIdsChanged+6E1A9j ...
		mov	ebx, [ebp+var_4]
		jmp	short loc_8747A2
; 

loc_8747DA:				; CODE XREF: PnpCheckDeviceIdsChanged+82j
		xor	esi, esi
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	75737050h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	loc_8E2722
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_8]
		push	esi
		push	eax
		push	edi
		lea	eax, [ebp+var_10]
		push	eax
		mov	eax, [ebp+var_18]
		push	ebx
		push	[ebp+var_14]
		mov	edx, [eax+18h]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_8746A8
PnpCheckDeviceIdsChanged endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpSaveDeviceCapabilities(x, x, x)
_PnpSaveDeviceCapabilities@12 proc near	; CODE XREF: PnpQueryAndSaveDeviceNodeCapabilities(x)+3Bp
					; PiProcessNewDeviceNode+446p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		movzx	esi, [ebp+arg_0]
		mov	ebx, ecx
		neg	esi
		push	edi
		sbb	esi, esi
		mov	edi, edx
		mov	ecx, [ebx+10h]
		lea	edx, [ebp+arg_0]
		and	dword ptr [ebp+arg_0], 0
		and	esi, 20000h
		push	0F003Fh
		call	_PnpDeviceObjectToDeviceInstance@12 ; PnpDeviceObjectToDeviceInstance(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_87492E
		mov	edx, [edi+4]
		mov	ecx, ebx
		call	_PnpClearDeviceSurpriseRemoveOk@4 ; PnpClearDeviceSurpriseRemoveOk(x)
		test	al, al
		jnz	loc_874946

loc_874877:				; CODE XREF: PnpSaveDeviceCapabilities(x,x,x)+129j
		mov	[ebx+170h], edx
		mov	ecx, [edi+4]
		mov	edx, ecx
		shr	edx, 4
		mov	eax, ecx
		and	eax, 0C000h
		and	edx, 10000h
		or	edx, eax
		mov	eax, ecx
		shr	eax, 0Dh
		and	eax, 8
		shr	edx, 4
		or	eax, ecx
		mov	ecx, _PiPnpRtlCtx
		push	esi
		and	eax, 3FCh
		or	edx, eax
		lea	eax, [ebp+var_4]
		push	4
		push	eax
		push	4
		shr	edx, 2
		push	10h
		push	dword ptr [ebp+arg_0]
		mov	[ebp+var_4], edx
		mov	edx, [ebx+18h]
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	ecx, [edi+0Ch]
		mov	edx, [ebx+18h]
		mov	[ebp+var_4], ecx
		push	esi
		lea	eax, [ecx+1]
		neg	eax
		sbb	eax, eax
		and	eax, 4
		inc	ecx
		push	eax
		neg	ecx
		lea	eax, [ebp+var_4]
		sbb	ecx, ecx
		and	ecx, eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	4
		push	11h
		push	dword ptr [ebp+arg_0]
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	ecx, [edi+8]
		mov	edx, [ebx+18h]
		mov	[ebp+var_4], ecx
		push	esi
		lea	eax, [ecx+1]
		neg	eax
		sbb	eax, eax
		and	eax, 4
		inc	ecx
		push	eax
		neg	ecx
		lea	eax, [ebp+var_4]
		sbb	ecx, ecx
		and	ecx, eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	4
		push	1Dh
		push	dword ptr [ebp+arg_0]
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)

loc_87492E:				; CODE XREF: PnpSaveDeviceCapabilities(x,x,x)+39j
		cmp	dword ptr [ebp+arg_0], 0
		jz	short loc_87493C
		push	dword ptr [ebp+arg_0]
		call	_ZwClose@4	; ZwClose(x)

loc_87493C:				; CODE XREF: PnpSaveDeviceCapabilities(x,x,x)+10Cj
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_874946:				; CODE XREF: PnpSaveDeviceCapabilities(x,x,x)+4Bj
		and	edx, 0FFFFFDFFh
		mov	[edi+4], edx
		jmp	loc_874877
_PnpSaveDeviceCapabilities@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmSetDeviceRegProp(x, x, x, x, x, x, x, x)
__CmSetDeviceRegProp@32	proc near	; CODE XREF: PipProcessStartPhase3+22Ap
					; PipProcessStartPhase3+340p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		push	esi
		mov	esi, [ebp+arg_C]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_10]
		push	edi
		mov	edi, [ebx+100h]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_1C], esi
		mov	esi, edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_14], eax
		test	edi, edi
		jz	short loc_8749E5
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	0Ah
		push	1
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_874A32
		cmp	eax, 0C0000120h
		jnz	short loc_8749E1

loc_8749CB:				; CODE XREF: _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)+D1j
		mov	esi, [ebp+var_30]

loc_8749CE:				; CODE XREF: _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)+B0j
					; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)+CAj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_8749E1:				; CODE XREF: _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)+75j
		test	eax, eax
		jnz	short loc_874A2B

loc_8749E5:				; CODE XREF: _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)+59j
					; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)+E0j
		push	[ebp+var_14]
		mov	edx, esi
		mov	ecx, ebx
		push	[ebp+var_18]
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		push	[ebp+var_28]
		call	_CmSetDeviceRegPropWorker
		mov	esi, eax
		test	edi, edi
		jz	short loc_8749CE
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	0Ah
		push	1
		push	[ebp+var_34]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_8749CE
		cmp	eax, 0C0000120h
		jz	short loc_8749CB
		test	eax, eax
		jz	short loc_8749CE

loc_874A2B:				; CODE XREF: _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)+8Fj
		mov	esi, 0C00000E5h
		jmp	short loc_8749CE
; 

loc_874A32:				; CODE XREF: _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)+6Ej
		xor	edi, edi
		jmp	short loc_8749E5
__CmSetDeviceRegProp@32	endp


;  S U B	R O U T	I N E 


; __stdcall PnpClearDeviceSurpriseRemoveOk(x)
_PnpClearDeviceSurpriseRemoveOk@4 proc near
					; CODE XREF: PnpSaveDeviceCapabilities(x,x,x)+44p
		test	byte ptr [ecx+10Ch], 40h
		jnz	short loc_874A42

loc_874A3F:				; CODE XREF: PnpClearDeviceSurpriseRemoveOk(x)+1Aj
		xor	al, al
		retn
; 

loc_874A42:				; CODE XREF: PnpClearDeviceSurpriseRemoveOk(x)+7j
		mov	eax, [ecx+1D0h]
		test	eax, eax
		jz	short loc_874A52
		test	byte ptr [eax+8], 4
		jnz	short loc_874A3F

loc_874A52:				; CODE XREF: PnpClearDeviceSurpriseRemoveOk(x)+14j
		mov	al, 1
		retn
_PnpClearDeviceSurpriseRemoveOk@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDeviceObjectToDeviceInstance(x, x, x)
_PnpDeviceObjectToDeviceInstance@12 proc near ;	CODE XREF: PiCreateDriverSwDevices+26p
					; PipProcessStartPhase3+10Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+0B0h]
		push	esi
		mov	esi, edx
		mov	edx, [eax+14h]
		test	edx, edx
		jz	short loc_874A8D
		mov	edx, [edx+18h]
		test	edx, edx
		jz	short loc_874A8D
		mov	ecx, _PiPnpRtlCtx
		xor	eax, eax
		push	eax
		push	esi
		push	eax
		push	[ebp+arg_0]
		push	eax
		push	10h
		call	_CmOpenDeviceRegKey

loc_874A88:				; CODE XREF: PnpDeviceObjectToDeviceInstance(x,x,x)+3Cj
		pop	esi
		pop	ebp
		retn	4
; 

loc_874A8D:				; CODE XREF: PnpDeviceObjectToDeviceInstance(x,x,x)+13j
					; PnpDeviceObjectToDeviceInstance(x,x,x)+1Aj
		mov	eax, 0C0000010h
		jmp	short loc_874A88
_PnpDeviceObjectToDeviceInstance@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpQueryDeviceText(x, x, x,	x)
_PnpQueryDeviceText@16 proc near	; CODE XREF: PiProcessNewDeviceNode+1D6p
					; PiProcessNewDeviceNode+1EBp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ds:_PsDefaultSystemLocaleId
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		xor	esi, esi
		mov	[ebp+var_24], eax
		push	edi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_28], edx
		push	eax
		push	esi
		push	0C00000BBh
		lea	edx, [ebp+var_2C]
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		mov	[ebx], esi
		mov	[ebp+var_2C], 0C1Bh
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		call	IopSynchronousCall
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	edi, edi
		jnz	short loc_874AF0
		mov	esi, 0C00000BBh

loc_874AF0:				; CODE XREF: PnpQueryDeviceText(x,x,x,x)+55j
		test	esi, esi
		jns	short loc_874AFD

loc_874AF4:				; CODE XREF: PnpQueryDeviceText(x,x,x,x)+77j
					; PnpQueryDeviceText(x,x,x,x)+7Ej ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_874AFD:				; CODE XREF: PnpQueryDeviceText(x,x,x,x)+5Ej
		lea	edx, [ebp+var_8]
		mov	[ebx], edi
		mov	ecx, edi
		call	PiNormalizeDeviceText
		test	eax, eax
		js	short loc_874AF4
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_874AF4
		push	0
		push	edi
		mov	[ebx], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_874AF4
_PnpQueryDeviceText@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpIrpQueryCapabilities(x, x)
_PpIrpQueryCapabilities@8 proc near	; CODE XREF: IoGetDeviceProperty+267p
					; PnpQueryAndSaveDeviceNodeCapabilities(x)+2Bp	...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	40h
		pop	edi
		push	edi		; size_t
		mov	esi, edx
		mov	ebx, ecx
		push	0		; int
		push	esi		; void *
		call	_memset
		or	dword ptr [esi+0Ch], 0FFFFFFFFh
		lea	edx, [ebp+var_24]
		or	dword ptr [esi+8], 0FFFFFFFFh
		add	esp, 0Ch
		xor	eax, eax
		mov	[esi], di
		inc	eax
		lea	edi, [ebp+var_24]
		mov	[esi+2], ax
		xor	eax, eax
		push	9
		pop	ecx
		push	eax
		rep stosd
		push	eax
		push	0C00000BBh
		mov	ecx, ebx
		mov	word ptr [ebp+var_24], 91Bh
		mov	[ebp+var_20], esi
		call	IopSynchronousCall
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PpIrpQueryCapabilities@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetDeviceContainerIdFromBase	proc near
					; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+AB6p
					; PiDcUpdateDeviceContainerMembership+CEp ...

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5A		= dword	ptr -5Ah
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E2806 SIZE 000000A8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_64], edx
		xor	ecx, ecx
		mov	[ebp+var_6C], edi
		push	ebx
		push	27h
		mov	[ebp+var_60], ecx
		mov	byte ptr [ebp+var_5A], cl
		mov	byte ptr [ebp+var_5A+1], cl
		mov	ecx, eax
		pop	edx
		mov	[ebp+var_70], eax
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		js	short loc_874BFE
		mov	ecx, ebx
		call	_PnpIsNullGuidString@4 ; PnpIsNullGuidString(x)
		test	al, al
		jnz	short loc_874BFE
		lea	eax, [ebp+var_60]
		mov	ecx, edi
		push	eax
		push	0Ah
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_874BFE
		mov	edx, [ebp+var_60]
		lea	eax, [ebp+var_5A+1]
		push	eax
		lea	eax, [ebp+var_5A]
		mov	ecx, edi
		push	eax
		push	[ebp+var_64]
		push	ebx
		push	ebx
		call	_CmIsDeviceInContainer
		mov	esi, eax
		test	esi, esi
		js	short loc_874BFE
		cmp	byte ptr [ebp+var_5A+1], 0
		jz	short loc_874C11

loc_874BFE:				; CODE XREF: _CmGetDeviceContainerIdFromBase+40j
					; _CmGetDeviceContainerIdFromBase+4Bj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_874C11:				; CODE XREF: _CmGetDeviceContainerIdFromBase+82j
		xor	edi, edi
		jmp	loc_8E2806
_CmGetDeviceContainerIdFromBase	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmIsDeviceInContainer proc near	; CODE XREF: _CmGetDeviceContainerIdFromBase+73p
					; _CmGetDeviceContainerIdFromBase+6DCEFp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008E28AE SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], ecx
		mov	[eax], cl
		mov	[ebx], cl
		test	edi, edi
		jz	short loc_874C44
		mov	ecx, [edi+74h]

loc_874C44:				; CODE XREF: _CmIsDeviceInContainer+27j
		lea	eax, [ebp+var_C]
		push	eax
		push	1
		push	0
		push	[ebp+arg_0]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_874CC6
		test	edi, edi
		jz	loc_8E28AE
		mov	ecx, [edi+74h]

loc_874C65:				; CODE XREF: _CmIsDeviceInContainer+6DC98j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		push	0
		push	offset ??_C@_1BO@HPNNFMNF@?$AAB?$AAa?$AAs?$AAe?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAs@NNGAKEGL@ ; "BaseContainers"
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_874CC6
		test	edi, edi
		jz	loc_8E28B5
		mov	ecx, [edi+74h]

loc_874C8B:				; CODE XREF: _CmIsDeviceInContainer+6DC9Fj
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	0
		push	[ebp+arg_4]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_874CC6
		mov	eax, [ebp+arg_C]
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+var_4]
		mov	byte ptr [eax],	1
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		push	0
		call	_RegRtlQueryValue
		mov	esi, eax
		test	esi, esi
		js	short loc_874CC6
		mov	byte ptr [ebx],	1

loc_874CC6:				; CODE XREF: _CmIsDeviceInContainer+40j
					; _CmIsDeviceInContainer+66j ...
		cmp	esi, 0C0000034h
		jz	short loc_874D09
		cmp	esi, 0C000017Ch
		jz	short loc_874D09

loc_874CD6:				; CODE XREF: _CmIsDeviceInContainer+F3j
		cmp	[ebp+var_4], 0
		jz	short loc_874CE4
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_874CE4:				; CODE XREF: _CmIsDeviceInContainer+C2j
		cmp	[ebp+var_8], 0
		jz	short loc_874CF2
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_874CF2:				; CODE XREF: _CmIsDeviceInContainer+D0j
		cmp	[ebp+var_C], 0
		jz	short loc_874D00
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_874D00:				; CODE XREF: _CmIsDeviceInContainer+DEj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_874D09:				; CODE XREF: _CmIsDeviceInContainer+B4j
					; _CmIsDeviceInContainer+BCj
		xor	esi, esi
		jmp	short loc_874CD6
_CmIsDeviceInContainer endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpProcessTargetDeviceEvent proc near	; CODE XREF: PAGE:00763FCEp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E28BC SIZE 0000006A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		push	ebx
		push	esi
		mov	[ebp+var_4], eax
		xor	esi, esi
		mov	ebx, [eax]
		push	edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], ebx
		mov	eax, [ebx+68h]
		test	eax, eax
		jnz	loc_8E28BC
		mov	edi, esi

loc_874D35:				; CODE XREF: PnpProcessTargetDeviceEvent+6DBB7j
		lea	ecx, [ebp+var_8]
		call	PiPnpRtlBeginOperation
		push	10h		; size_t
		add	ebx, 48h
		push	offset _GUID_DEVICE_QUERY_AND_REMOVE ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8E28CA
		push	10h		; size_t
		push	offset _GUID_DEVICE_EJECT ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8E28CA
		push	10h		; size_t
		push	offset _GUID_DEVICE_ARRIVAL ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8E290B
		mov	ecx, [ebp+var_C]
		call	PiUEventNotifyUserMode

loc_874D90:				; CODE XREF: PnpProcessTargetDeviceEvent+6DBE4j
					; PnpProcessTargetDeviceEvent+6DBF8j ...
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_874D9C
		call	PiPnpRtlEndOperation

loc_874D9C:				; CODE XREF: PnpProcessTargetDeviceEvent+87j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
PnpProcessTargetDeviceEvent endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PnpStartedDeviceNodeDependencyCheck(x)
_PnpStartedDeviceNodeDependencyCheck@4 proc near ; CODE	XREF: PipProcessStartPhase3+B2p
					; PipProcessRestartPhase2(x)+8Dp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	cl, cl
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	ecx, esi
		call	PipAttemptDependentsStart
		mov	ecx, offset _PiDependencyRelationsLock
		call	ExReleaseResourceLite
		xor	ecx, ecx
		pop	esi
		jmp	PpDevNodeUnlockTree
_PnpStartedDeviceNodeDependencyCheck@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipAttemptDependentsStart proc near	; CODE XREF: IoResolveDependency+5EF00p
					; PnpStartedDeviceNodeDependencyCheck(x)+Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E2926 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		mov	ecx, [ecx+10h]
		push	esi
		push	edi
		call	_PiGetDependentList@4 ;	PiGetDependentList(x)
		mov	edi, eax
		mov	esi, [edi]

loc_874DE3:				; CODE XREF: PipAttemptDependentsStart+6DB71j
					; PipAttemptDependentsStart+6DB7Cj
		cmp	esi, edi
		jnz	loc_8E2926
		pop	edi
		pop	esi
		leave
		retn
PipAttemptDependentsStart endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PiGetDependentList(x)
_PiGetDependentList@4 proc near		; CODE XREF: PipNotifyDeviceDependencyList+43p
					; PipAttemptDependentsStart+10p ...
		test	ecx, ecx
		jz	short loc_874E0B
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+2Ch]

loc_874DFD:				; CODE XREF: PiGetDependentList(x)+1Dj
		test	eax, eax
		jz	short loc_874E05
		add	eax, 10h
		retn
; 

loc_874E05:				; CODE XREF: PiGetDependentList(x)+Fj
		mov	eax, offset _PiDependencyNodeEmptyList
		retn
; 

loc_874E0B:				; CODE XREF: PiGetDependentList(x)+2j
		xor	eax, eax
		jmp	short loc_874DFD
_PiGetDependentList@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipProcessRebuildPowerRelationsQueue()
_PipProcessRebuildPowerRelationsQueue@0	proc near ; CODE XREF: IoResolveDependency+A7p
					; PnpDeleteAllDependencyRelations:loc_795603p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ecx, offset _PnpRebuildPowerRelationsQueueLock
		call	ExAcquireFastMutex
		jmp	short loc_874E9B
; 

loc_874E25:				; CODE XREF: PipProcessRebuildPowerRelationsQueue()+9Ej
		lea	ebx, [edi-24h]
		mov	esi, edi
		mov	eax, [ebx+18h]
		mov	edi, [edi]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_874EC8
		mov	ecx, eax
		call	_PipIsDeviceReadyForPowerRelations@4 ; PipIsDeviceReadyForPowerRelations(x)
		test	al, al
		jz	short loc_874EA8
		mov	ecx, ebx
		call	PipCheckIfAllProvidersHaveDevnodes
		test	al, al
		jz	short loc_874EA8
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_874EE7
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_874EE7
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, ebx
		mov	[esi+4], esi
		mov	[esi], esi
		call	_PipDereferenceDependencyNode@4	; PipDereferenceDependencyNode(x)
		call	_PnpReleaseDependencyRelationsLock@0 ; PnpReleaseDependencyRelationsLock()
		mov	esi, [ebp+var_4]
		mov	dl, 1
		mov	ecx, [esi+0B0h]
		mov	ecx, [ecx+14h]
		call	_PiQueryPowerRelations@8 ; PiQueryPowerRelations(x,x)
		mov	edx, 44706E50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_874E9B:				; CODE XREF: PipProcessRebuildPowerRelationsQueue()+13j
		mov	cl, 1
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	edi, _PiRebuildPowerRelationsQueue

loc_874EA8:				; CODE XREF: PipProcessRebuildPowerRelationsQueue()+33j
					; PipProcessRebuildPowerRelationsQueue()+3Ej
		cmp	edi, offset _PiRebuildPowerRelationsQueue
		jnz	loc_874E25

loc_874EB4:				; CODE XREF: PipProcessRebuildPowerRelationsQueue()+D5j
		call	_PnpReleaseDependencyRelationsLock@0 ; PnpReleaseDependencyRelationsLock()
		mov	ecx, offset _PnpRebuildPowerRelationsQueueLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_874EC8:				; CODE XREF: PipProcessRebuildPowerRelationsQueue()+24j
		cmp	[edi+4], esi
		jnz	short loc_874EE7
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_874EE7
		mov	[eax], edi
		mov	ecx, ebx
		mov	[edi+4], eax
		mov	[esi+4], esi
		mov	[esi], esi
		call	_PipDereferenceDependencyNode@4	; PipDereferenceDependencyNode(x)
		jmp	short loc_874EB4
; 

loc_874EE7:				; CODE XREF: PipProcessRebuildPowerRelationsQueue()+45j
					; PipProcessRebuildPowerRelationsQueue()+50j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PipProcessRebuildPowerRelationsQueue@0	endp ; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall PipAddtoRebuildPowerRelationsQueue(x)
_PipAddtoRebuildPowerRelationsQueue@4 proc near	; CODE XREF: IoResolveDependency+96p
					; PipAddDependencyEdgeBetweenNodes(x,x,x)+67p ...
		call	_PipIsDeviceReadyForPowerRelations@4 ; PipIsDeviceReadyForPowerRelations(x)
		test	al, al
		jz	short locret_874F40
		push	edi
		test	ecx, ecx
		jz	short loc_874F41
		mov	eax, [ecx+0B0h]
		mov	edi, [eax+2Ch]

loc_874F03:				; CODE XREF: PipAddtoRebuildPowerRelationsQueue(x)+57j
		test	edi, edi
		jz	short loc_874F3F
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jz	short loc_874F3F
		push	esi
		lea	esi, [edi+24h]
		cmp	[esi], esi
		jnz	short loc_874F3E
		mov	edx, 44706E50h
		call	ObfReferenceObjectWithTag
		inc	dword ptr [edi+2Ch]
		mov	ecx, offset _PiRebuildPowerRelationsQueue
		mov	eax, dword_6CCB04
		cmp	[eax], ecx
		jnz	short loc_874F45
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6CCB04, esi

loc_874F3E:				; CODE XREF: PipAddtoRebuildPowerRelationsQueue(x)+28j
		pop	esi

loc_874F3F:				; CODE XREF: PipAddtoRebuildPowerRelationsQueue(x)+19j
					; PipAddtoRebuildPowerRelationsQueue(x)+20j
		pop	edi

locret_874F40:				; CODE XREF: PipAddtoRebuildPowerRelationsQueue(x)+7j
		retn
; 

loc_874F41:				; CODE XREF: PipAddtoRebuildPowerRelationsQueue(x)+Cj
		xor	edi, edi
		jmp	short loc_874F03
; 

loc_874F45:				; CODE XREF: PipAddtoRebuildPowerRelationsQueue(x)+43j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PipAddtoRebuildPowerRelationsQueue@4 endp ; AL	= character to display


;  S U B	R O U T	I N E 


; __stdcall PipIsDeviceReadyForPowerRelations(x)
_PipIsDeviceReadyForPowerRelations@4 proc near
					; CODE XREF: PipProcessRebuildPowerRelationsQueue()+2Cp
					; PipAddtoRebuildPowerRelationsQueue(x)p ...
		test	ecx, ecx
		jz	short loc_874F6A
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_874F6A
		cmp	dword ptr [eax+0ACh], 301h
		jz	short loc_874F6A
		mov	al, 1
		retn
; 

loc_874F6A:				; CODE XREF: PipIsDeviceReadyForPowerRelations(x)+2j
					; PipIsDeviceReadyForPowerRelations(x)+Fj ...
		xor	al, al
		retn
_PipIsDeviceReadyForPowerRelations@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDmaGuardProcessNewDeviceNode proc near ; CODE	XREF: PiProcessNewDeviceNode+810p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch

; FUNCTION CHUNK AT 008E294B SIZE 00000173 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_28]
		push	0Ah
		pop	ecx
		rep stosd
		lea	ebx, [esi+1D0h]
		xor	edi, edi
		mov	ecx, [ebx]
		test	ecx, ecx
		jnz	short loc_874FCA

loc_874F93:				; CODE XREF: PiDmaGuardProcessNewDeviceNode+63j
		mov	ecx, [esi+10h]
		lea	edx, [ebp+var_28]
		call	PiIommuGetInterface
		test	eax, eax
		js	short loc_874FC3
		mov	ecx, esi
		cmp	[ebx], edi
		jnz	loc_8E294B
		push	ebx
		lea	edx, [ebp+var_28]
		call	PiIommuAllocateExtension
		mov	edi, eax
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_874FC3
		push	[ebp+var_24]
		call	eax

loc_874FC3:				; CODE XREF: PiDmaGuardProcessNewDeviceNode+32j
					; PiDmaGuardProcessNewDeviceNode+4Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_874FCA:				; CODE XREF: PiDmaGuardProcessNewDeviceNode+23j
		call	_PiIommuFreeExtension@4	; PiIommuFreeExtension(x)
		mov	[ebx], edi
		jmp	short loc_874F93
PiDmaGuardProcessNewDeviceNode endp

; 
		align 4

;  S U B	R O U T	I N E 


PiIommuGetInterface proc near		; CODE XREF: PiDmaGuardProcessNewDeviceNode+2Bp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	loc_8E2AA4
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_8E29CB
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_8E29CB
		push	edi		; void *
		push	esi		; int
		push	28h		; __int16
		push	2		; __int16
		mov	edx, offset _GUID_IOMMU_BUS_INTERFACE
		call	PnpQueryInterface
		mov	esi, eax
		test	esi, esi
		js	short loc_87502B
		mov	ecx, edi
		call	_PiIommuValidateInterface@4 ; PiIommuValidateInterface(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_875031

loc_87502B:				; CODE XREF: PiIommuGetInterface+48j
					; PiIommuGetInterface+62j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_875031:				; CODE XREF: PiIommuGetInterface+55j
		call	_PiIommuPutInterface@4 ; PiIommuPutInterface(x)
		jmp	short loc_87502B
PiIommuGetInterface endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpGetDeviceLocationStrings proc near	; CODE XREF: PiProcessNewDeviceNode+7C6p
					; PiQueryRemovableDeviceOverride+6C875p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E2ABE SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		push	ebx
		or	[ebp+var_38], 0FFFFFFFFh
		xor	eax, eax
		or	[ebp+var_1C], 0FFFFFFFFh
		xor	ebx, ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_6C]
		mov	[ebp+var_58], edx
		stosd
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_C], ebx
		stosd
		mov	[ebp+var_4], bl
		mov	[ebp+var_10], ebx
		stosd
		stosd
		stosd
		mov	edi, ecx
		test	edi, edi
		jz	loc_8E2B2A
		test	edx, edx
		jz	loc_8E2B2A
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_8E2B2A
		mov	ecx, _IopRootDeviceNode
		mov	[edx], ebx
		mov	[eax], ebx
		cmp	edi, ecx
		jz	loc_8E2AB4
		mov	edx, ebx
		mov	eax, edi

loc_87509C:				; CODE XREF: PnpGetDeviceLocationStrings+6Aj
		mov	eax, [eax+8]
		inc	edx
		cmp	eax, ecx
		jnz	short loc_87509C
		mov	esi, edx
		mov	[ebp+var_3C], edx
		push	75737050h
		shl	esi, 2
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_40], ebx
		test	ebx, ebx
		jz	loc_8E2ABE
		push	esi		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		push	75737050h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_44], eax
		test	eax, eax
		jz	loc_8E2AC8
		push	esi		; size_t
		xor	ecx, ecx
		push	ecx		; int
		push	eax		; void *
		call	_memset
		xor	ecx, ecx
		mov	[ebp+var_50], 21h
		xor	eax, eax
		mov	[ebp+var_20], ecx
		inc	eax
		mov	[ebp+var_28], ecx
		add	esp, 0Ch
		mov	[ebp+var_24], eax
		mov	esi, ecx
		mov	[ebp+var_4C], 40h
		cmp	edi, _IopRootDeviceNode
		jz	loc_875345
		mov	eax, [ebp+var_44]
		sub	eax, ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_48], eax

loc_87512D:				; CODE XREF: PnpGetDeviceLocationStrings+2E8j
		lea	eax, [ebp+var_6C]
		mov	edx, offset _GUID_PNP_LOCATION_INTERFACE
		push	eax		; void *
		push	ecx		; int
		mov	ecx, [edi+10h]
		push	14h		; __int16
		push	1		; __int16
		call	PnpQueryInterface
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		js	loc_87554B
		mov	eax, [ebp+var_5C]
		test	eax, eax
		jz	loc_8E2B02
		xor	ecx, ecx
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	[ebp+var_68]
		call	eax
		mov	ebx, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		js	loc_87560D
		test	eax, eax
		jz	loc_8E2AD5

loc_875181:				; CODE XREF: PnpGetDeviceLocationStrings+6DAA5j
		test	ebx, ebx
		js	loc_87560D
		mov	eax, [ebp+var_14]
		xor	edx, edx
		mov	ecx, [ebp+var_48]
		mov	esi, edx
		xor	ebx, ebx
		mov	[ecx+eax], edx
		mov	ecx, edx
		mov	eax, edx
		mov	[ebp+var_34], ecx
		mov	edx, [ebp+var_C]
		cmp	[edx], bx
		mov	ebx, [ebp+var_8]
		jz	short loc_875220
		mov	ebx, eax

loc_8751AC:				; CODE XREF: PnpGetDeviceLocationStrings+1D7j
		mov	ecx, [ebp+var_48]
		inc	esi
		mov	eax, [ebp+var_14]
		mov	[ecx+eax], esi
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_8751BB:				; CODE XREF: PnpGetDeviceLocationStrings+18Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_18]
		jnz	short loc_8751BB
		mov	eax, [ebp+var_34]
		sub	ecx, edi
		sar	ecx, 1
		inc	eax
		add	eax, ecx
		mov	ecx, edx
		mov	[ebp+var_34], eax
		lea	edi, [ecx+2]

loc_8751D9:				; CODE XREF: PnpGetDeviceLocationStrings+1ABj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_18]
		jnz	short loc_8751D9
		sub	ecx, edi
		sar	ecx, 1
		cmp	ecx, ebx
		jbe	short loc_8751EF
		mov	ebx, ecx

loc_8751EF:				; CODE XREF: PnpGetDeviceLocationStrings+1B3j
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_8751F4:				; CODE XREF: PnpGetDeviceLocationStrings+1C6j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_18]
		jnz	short loc_8751F4
		sub	ecx, edi
		xor	eax, eax
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2
		cmp	[edx], ax
		jnz	short loc_8751AC
		mov	edi, [ebp+var_2C]
		mov	ecx, [ebp+var_34]
		mov	[ebp+var_30], ebx
		mov	ebx, [ebp+var_8]
		mov	eax, [ebp+var_30]

loc_875220:				; CODE XREF: PnpGetDeviceLocationStrings+170j
		imul	esi, [ebp+var_24]
		add	[ebp+var_28], eax
		push	75737050h
		mov	[ebp+var_24], esi
		lea	esi, ds:2[ecx*2]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_14]
		mov	[ecx], eax
		test	eax, eax
		jz	loc_8E2AE2
		push	esi		; size_t
		push	[ebp+var_C]	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		add	esp, 0Ch
		mov	edx, [eax]
		cmp	[edx], cx
		jz	short loc_8752CC
		mov	edi, [ebp+var_20]
		xor	eax, eax
		mov	ebx, [ebp+var_38]

loc_87526C:				; CODE XREF: PnpGetDeviceLocationStrings+286j
		push	21h
		mov	ch, al
		mov	cl, al
		pop	esi

loc_875273:				; CODE XREF: PnpGetDeviceLocationStrings+2F5j
		movzx	eax, word ptr [edx]
		cmp	ax, si
		jz	loc_875328
		cmp	ax, word ptr [ebp+var_4C]
		jz	loc_8755DE
		test	cl, cl
		jnz	loc_8755E5

loc_875291:				; CODE XREF: PnpGetDeviceLocationStrings+5B1j
		test	ch, ch
		jz	short loc_87529E
		cmp	ebx, 0FFFFFFFFh
		jz	loc_8755D7

loc_87529E:				; CODE XREF: PnpGetDeviceLocationStrings+25Bj
					; PnpGetDeviceLocationStrings+5A1j
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_8752A3:				; CODE XREF: PnpGetDeviceLocationStrings+275j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_18]
		jnz	short loc_8752A3
		sub	ecx, esi
		xor	eax, eax
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2
		cmp	[edx], ax
		jnz	short loc_87526C
		mov	edi, [ebp+var_2C]
		mov	eax, [ebp+var_14]
		mov	[ebp+var_38], ebx
		mov	ebx, [ebp+var_8]

loc_8752CC:				; CODE XREF: PnpGetDeviceLocationStrings+22Aj
		inc	[ebp+var_20]
		add	eax, 4
		mov	[ebp+var_14], eax

loc_8752D5:				; CODE XREF: PnpGetDeviceLocationStrings+6DAB2j
		xor	eax, eax
		push	eax
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_28]
		xor	eax, eax
		mov	[ebp+var_C], eax

loc_8752E8:				; CODE XREF: PnpGetDeviceLocationStrings+5D7j
					; PnpGetDeviceLocationStrings+6DAC5j ...
		mov	eax, [ebp+var_60]
		test	eax, eax
		jz	short loc_8752F4
		push	[ebp+var_68]
		call	eax

loc_8752F4:				; CODE XREF: PnpGetDeviceLocationStrings+2B5j
		test	ebx, ebx
		js	loc_87554B
		mov	ecx, 120h
		cmp	ebx, ecx
		jz	short loc_875332
		mov	eax, [ebp+var_3C]
		cmp	[ebp+var_20], eax
		jz	short loc_875332
		mov	edi, [edi+8]
		inc	esi
		push	0
		mov	[ebp+var_28], esi
		mov	[ebp+var_2C], edi
		pop	ecx
		cmp	edi, _IopRootDeviceNode
		jnz	loc_87512D
		jmp	short loc_875338
; 

loc_875328:				; CODE XREF: PnpGetDeviceLocationStrings+241j
		mov	ch, 1

loc_87532A:				; CODE XREF: PnpGetDeviceLocationStrings+5A8j
		add	edx, 2
		jmp	loc_875273
; 

loc_875332:				; CODE XREF: PnpGetDeviceLocationStrings+2CBj
					; PnpGetDeviceLocationStrings+2D3j
		mov	ebx, ecx
		inc	esi
		mov	[ebp+var_8], ebx

loc_875338:				; CODE XREF: PnpGetDeviceLocationStrings+2EEj
		test	ebx, ebx
		js	loc_87554B
		mov	eax, [ebp+var_24]
		xor	ecx, ecx

loc_875345:				; CODE XREF: PnpGetDeviceLocationStrings+E4j
		imul	esi, eax
		mov	ebx, ecx
		push	75737050h
		mov	[ebp+var_8], ebx
		lea	esi, ds:2[esi*2]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_10], edi
		test	edi, edi
		jz	loc_8E2B0F
		push	esi		; size_t
		xor	eax, eax
		push	eax		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+var_20]
		add	esp, 0Ch
		mov	esi, [ebp+var_24]
		dec	eax
		mov	[ebp+var_48], eax
		xor	eax, eax
		mov	[ebp+var_30], eax
		test	esi, esi
		jz	loc_875532
		mov	ecx, [ebp+var_44]
		mov	ebx, [ebp+var_48]
		mov	eax, [ebp+var_40]
		sub	eax, ecx
		mov	[ebp+var_14], eax
		lea	edx, [ecx+ebx*4]
		mov	[ebp+var_54], edx

loc_8753A6:				; CODE XREF: PnpGetDeviceLocationStrings+4F1j
		xor	ecx, ecx
		mov	[ebp+var_28], ebx
		mov	eax, esi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_3], cl
		mov	esi, edx
		mov	[ebp+var_2], cl
		mov	[ebp+var_1], cl
		mov	[ebp+var_34], edx

loc_8753BE:				; CODE XREF: PnpGetDeviceLocationStrings+476j
		mov	esi, [esi]
		xor	edx, edx
		mov	[ebp+var_20], eax
		div	esi
		xor	edx, edx
		mov	ecx, eax
		mov	eax, [ebp+var_30]
		div	ecx
		xor	edx, edx
		mov	ecx, [ebp+var_14]
		div	esi
		mov	esi, [ebp+var_34]
		mov	eax, edx
		mov	[ebp+var_48], eax
		mov	esi, [ecx+esi]
		test	eax, eax
		jnz	loc_8754C6

loc_8753EA:				; CODE XREF: PnpGetDeviceLocationStrings+4ADj
		xor	eax, eax
		mov	cl, al
		mov	dl, al

loc_8753F0:				; CODE XREF: PnpGetDeviceLocationStrings+480j
		movzx	eax, word ptr [esi]
		cmp	ax, word ptr [ebp+var_50]
		jz	loc_8754B3
		cmp	ax, word ptr [ebp+var_4C]
		jz	loc_8755B7
		mov	eax, [ebp+var_28]
		cmp	eax, ebx
		jz	loc_8754ED
		mov	ch, [ebp+var_1]

loc_875415:				; CODE XREF: PnpGetDeviceLocationStrings+4CBj
					; PnpGetDeviceLocationStrings+5D0j
		test	cl, cl
		jz	loc_8754BD
		cmp	[ebp+var_4], 0
		jz	loc_8755EE

loc_875427:				; CODE XREF: PnpGetDeviceLocationStrings+5B8j
		cmp	[ebp+var_2], 0
		mov	dh, 1
		mov	[ebp+var_1C], eax
		setz	al
		mov	[ebp+var_3], dh
		dec	al
		and	al, ch
		mov	[ebp+var_1], al
		mov	eax, [ebp+var_28]

loc_875440:				; CODE XREF: PnpGetDeviceLocationStrings+489j
		test	dl, dl
		jnz	loc_8755BE

loc_875448:				; CODE XREF: PnpGetDeviceLocationStrings+59Aj
					; PnpGetDeviceLocationStrings+5E5j
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_87544D:				; CODE XREF: PnpGetDeviceLocationStrings+41Fj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_18]
		jnz	short loc_87544D
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ecx+ecx]
		push	eax		; size_t
		push	esi		; void *
		push	[ebp+var_2C]	; void *
		call	_memcpy
		add	esp, 0Ch
		lea	ecx, [esi+2]
		xor	edx, edx

loc_875472:				; CODE XREF: PnpGetDeviceLocationStrings+443j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_875472
		mov	eax, [ebp+var_2C]
		sub	esi, ecx
		mov	ecx, [ebp+var_28]
		sar	esi, 1
		lea	eax, [eax+esi*2]
		test	ecx, ecx
		jz	short loc_875508
		mov	esi, [ebp+var_34]
		push	23h
		pop	edx
		mov	[eax], dx
		add	eax, 2
		mov	[ebp+var_2C], eax
		xor	edx, edx
		mov	eax, [ebp+var_20]
		div	dword ptr [esi]
		dec	ecx
		sub	esi, 4
		mov	[ebp+var_28], ecx
		mov	[ebp+var_34], esi
		jmp	loc_8753BE
; 

loc_8754B3:				; CODE XREF: PnpGetDeviceLocationStrings+3BFj
		mov	cl, 1

loc_8754B5:				; CODE XREF: PnpGetDeviceLocationStrings+581j
		add	esi, 2
		jmp	loc_8753F0
; 

loc_8754BD:				; CODE XREF: PnpGetDeviceLocationStrings+3DFj
		mov	[ebp+var_2], 0
		jmp	loc_875440
; 

loc_8754C6:				; CODE XREF: PnpGetDeviceLocationStrings+3ACj
					; PnpGetDeviceLocationStrings+4B3j
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_8754CB:				; CODE XREF: PnpGetDeviceLocationStrings+49Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_18]
		jnz	short loc_8754CB
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		sub	[ebp+var_48], 1
		jz	loc_8753EA
		jmp	short loc_8754C6
; 

loc_8754ED:				; CODE XREF: PnpGetDeviceLocationStrings+3D4j
		mov	[ebp+var_3], cl
		mov	ch, cl
		mov	[ebp+var_2], cl
		mov	[ebp+var_1], ch
		test	cl, cl
		jz	loc_875604
		mov	[ebp+var_1C], eax
		jmp	loc_875415
; 

loc_875508:				; CODE XREF: PnpGetDeviceLocationStrings+454j
		cmp	[ebp+var_3], dl
		jz	loc_8755AA
		cmp	[ebp+var_1], dl
		jnz	loc_87559E

loc_87551A:				; CODE XREF: PnpGetDeviceLocationStrings+56Cj
					; PnpGetDeviceLocationStrings+57Aj ...
		mov	eax, [ebp+var_30]
		mov	esi, [ebp+var_24]
		inc	eax
		mov	edx, [ebp+var_54]
		mov	[ebp+var_30], eax
		cmp	eax, esi
		jb	loc_8753A6
		mov	ebx, [ebp+var_8]

loc_875532:				; CODE XREF: PnpGetDeviceLocationStrings+354j
		mov	ecx, [ebp+var_58]
		xor	eax, eax
		mov	[edi], ax
		mov	eax, [ebp+var_10]
		sub	edi, eax
		add	edi, 2
		mov	[ecx], eax
		mov	eax, [ebp+arg_0]
		sar	edi, 1
		mov	[eax], edi

loc_87554B:				; CODE XREF: PnpGetDeviceLocationStrings+112j
					; PnpGetDeviceLocationStrings+2BEj ...
		mov	edi, [ebp+var_10]

loc_87554E:				; CODE XREF: PnpGetDeviceLocationStrings+6DADFj
		xor	ecx, ecx
		mov	esi, ecx
		cmp	[ebp+var_3C], ecx
		jbe	short loc_875578
		mov	edi, [ebp+var_40]
		mov	ebx, [ebp+var_3C]

loc_87555D:				; CODE XREF: PnpGetDeviceLocationStrings+538j
		mov	eax, [edi+esi*4]
		test	eax, eax
		jz	short loc_87556D
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx

loc_87556D:				; CODE XREF: PnpGetDeviceLocationStrings+52Aj
		inc	esi
		cmp	esi, ebx
		jb	short loc_87555D
		mov	ebx, [ebp+var_8]
		mov	edi, [ebp+var_10]

loc_875578:				; CODE XREF: PnpGetDeviceLocationStrings+51Dj
		push	ecx
		push	[ebp+var_40]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_44]
		test	eax, eax
		jz	short loc_875591
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_875591:				; CODE XREF: PnpGetDeviceLocationStrings+54Ej
		test	ebx, ebx
		js	short loc_8755FB

loc_875595:				; CODE XREF: PnpGetDeviceLocationStrings+5C5j
					; PnpGetDeviceLocationStrings+6DA8Bj ...
		mov	eax, ebx

loc_875597:				; CODE XREF: PiDmaGuardProcessNewDeviceNode+6DB4Bj
					; PnpGetDeviceLocationStrings+6DAF7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_87559E:				; CODE XREF: PnpGetDeviceLocationStrings+4DCj
		mov	ecx, [ebp+var_38]
		cmp	[ebp+var_1C], ecx
		ja	loc_87551A

loc_8755AA:				; CODE XREF: PnpGetDeviceLocationStrings+4D3j
		xor	ecx, ecx
		lea	edi, [eax+2]
		mov	[eax], cx
		jmp	loc_87551A
; 

loc_8755B7:				; CODE XREF: PnpGetDeviceLocationStrings+3C9j
		mov	dl, 1
		jmp	loc_8754B5
; 

loc_8755BE:				; CODE XREF: PnpGetDeviceLocationStrings+40Aj
		mov	[ebp+var_2C], edi
		mov	[ebp+var_3], cl
		mov	[ebp+var_2], cl
		mov	[ebp+var_1], cl
		test	cl, cl
		jnz	short loc_87561A
		or	[ebp+var_1C], 0FFFFFFFFh
		jmp	loc_875448
; 

loc_8755D7:				; CODE XREF: PnpGetDeviceLocationStrings+260j
		mov	ebx, edi
		jmp	loc_87529E
; 

loc_8755DE:				; CODE XREF: PnpGetDeviceLocationStrings+24Bj
		mov	cl, 1
		jmp	loc_87532A
; 

loc_8755E5:				; CODE XREF: PnpGetDeviceLocationStrings+253j
		mov	[ebp+var_4], 1
		jmp	loc_875291
; 

loc_8755EE:				; CODE XREF: PnpGetDeviceLocationStrings+3E9j
		test	ch, ch
		jnz	loc_875427
		jmp	loc_87551A
; 

loc_8755FB:				; CODE XREF: PnpGetDeviceLocationStrings+55Bj
		test	edi, edi
		jz	short loc_875595
		jmp	loc_8E2B1C
; 

loc_875604:				; CODE XREF: PnpGetDeviceLocationStrings+4C2j
		or	[ebp+var_1C], 0FFFFFFFFh
		jmp	loc_875415
; 

loc_87560D:				; CODE XREF: PnpGetDeviceLocationStrings+13Bj
					; PnpGetDeviceLocationStrings+14Bj
		test	eax, eax
		jz	loc_8752E8
		jmp	loc_8E2AEF
; 

loc_87561A:				; CODE XREF: PnpGetDeviceLocationStrings+594j
		mov	[ebp+var_1C], eax
		jmp	loc_875448
PnpGetDeviceLocationStrings endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PnpQueryInterface(__int16,__int16,int,void *)
PnpQueryInterface proc near		; CODE XREF: PnprQueryReplaceFeatures(x,x)+52p
					; PiProcessNewDeviceNode+1BCp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= word ptr  8
arg_4		= word ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E2B34 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		mov	si, [ebp+arg_4]
		xor	eax, eax
		push	edi
		lea	edi, [esp+30h+var_10]
		mov	[esp+30h+var_20], ecx
		stosd
		xor	ecx, ecx
		mov	[esp+30h+var_1C], edx
		mov	[esp+30h+var_18], ecx
		mov	[esp+30h+var_14], ecx
		stosd
		stosd
		stosd
		cmp	si, 10h
		jb	loc_8E2B34
		mov	ebx, [ebp+arg_C]
		movzx	eax, si
		push	eax		; size_t
		push	ecx		; int
		push	ebx		; void *
		call	_memset
		mov	ax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[ebx+2], ax
		lea	eax, [esp+30h+var_10]
		mov	[ebx], si
		push	0
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, [esp+30h+var_20]
		mov	edx, 49706E50h
		call	IoGetAttachedDeviceReferenceWithTag
		push	dword ptr [ebp+4] ; int
		mov	edi, eax
		lea	eax, [esp+34h+var_18]
		push	eax		; int
		lea	eax, [esp+38h+var_10]
		push	eax		; int
		xor	eax, eax
		push	eax		; int
		push	eax		; size_t
		push	eax		; void *
		push	edi		; int
		push	1Bh		; int
		call	_IopBuildSynchronousFsdRequest@32 ; IopBuildSynchronousFsdRequest(x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_87570E
		mov	ecx, [edx+60h]
		mov	eax, [esp+30h+var_1C]
		mov	byte ptr [edx+20h], 0
		mov	dword ptr [edx+18h], 0C00000BBh
		mov	[ecx-20h], eax
		mov	ax, [ebp+arg_0]
		mov	[ecx-1Ah], ax
		mov	eax, [ebp+arg_8]
		mov	byte ptr [ecx-23h], 8
		mov	[ecx-1Ch], si
		mov	[ecx-18h], ebx
		mov	[ecx-14h], eax
		mov	ecx, edi
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_8E2B3E

loc_8756F7:				; CODE XREF: PnpQueryInterface+F1j
					; PnpQueryInterface+6D530j
		mov	edx, 49706E50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi

loc_875705:				; CODE XREF: PnpQueryInterface+6D517j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_87570E:				; CODE XREF: PnpQueryInterface+90j
		mov	esi, 0C000009Ah
		jmp	short loc_8756F7
PnpQueryInterface endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpDeviceRegistration(x, x, x, x)
_PpDeviceRegistration@16 proc near	; CODE XREF: PiProcessNewDeviceNode+8FFp
					; IopInitializeDeviceInstanceKey+241p ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	bl, [ebp+arg_4]
		mov	bh, dl
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, offset _PnpRegistryDeviceResource
		test	bl, bl
		jnz	short loc_875745
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	edi
		call	ExAcquireResourceExclusiveLite

loc_875745:				; CODE XREF: PpDeviceRegistration(x,x,x,x)+17j
		push	[ebp+arg_0]
		mov	dl, bh
		mov	ecx, esi
		call	PiDeviceRegistration
		mov	esi, eax
		test	bl, bl
		jnz	short loc_87576A
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_87576A:				; CODE XREF: PpDeviceRegistration(x,x,x,x)+3Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_PpDeviceRegistration@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDeviceRegistration proc near		; CODE XREF: PpDeviceRegistration(x,x,x,x)+36p
					; PpDevCfgProcessDevices+A1C96p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E2B57 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_5], dl
		mov	[ebp+var_C], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], ecx
		test	edi, edi
		jz	short loc_8757A6
		xor	eax, eax
		mov	[edi+4], ecx
		mov	[edi], eax

loc_8757A6:				; CODE XREF: PiDeviceRegistration+29j
		movzx	edx, word ptr [ebx]
		push	2
		pop	eax
		cmp	dx, ax
		jbe	loc_8E2B57
		mov	eax, [ebx+4]
		mov	ecx, edx
		shr	ecx, 1
		cmp	word ptr [eax+ecx*2-2],	5Ch
		jz	loc_8E2B61

loc_8757C8:				; CODE XREF: PiDeviceRegistration+6D3F3j
		push	ebx
		xor	edx, edx
		lea	ecx, [ebp+var_C]
		call	PnpUnicodeStringToWstr
		mov	esi, eax
		test	esi, esi
		js	loc_8758B4
		mov	eax, 200h
		push	20207050h
		push	eax
		push	1
		mov	[ebp+var_10], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_8E2B6C
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_10]
		push	0
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	5
		push	0
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_C]
		mov	esi, eax
		mov	edx, ebx
		mov	[ebp+arg_0], esi
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		test	esi, esi
		js	short loc_875890
		cmp	[ebp+var_18], 1
		mov	esi, 0C0000034h
		jnz	short loc_8758B4
		cmp	[ebp+var_10], 2
		jbe	short loc_8758B4
		mov	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	edi, edi
		jz	short loc_875860
		push	ecx
		lea	edx, [ebp+var_20]
		mov	ecx, edi
		call	_PnpConcatenateUnicodeStrings@12 ; PnpConcatenateUnicodeStrings(x,x,x)
		mov	esi, eax

loc_87585C:				; CODE XREF: PiDeviceRegistration+129j
		test	esi, esi
		js	short loc_8758B4

loc_875860:				; CODE XREF: PiDeviceRegistration+D9j
		mov	al, [ebp+var_5]
		mov	ecx, ebx
		mov	byte ptr [ebp+arg_0+3],	al
		lea	eax, [ebp+arg_0+3]
		push	eax
		call	PpForEachDeviceInstanceDriver
		mov	esi, eax
		test	esi, esi
		js	short loc_87589F

loc_875877:				; CODE XREF: PiDeviceRegistration+144j
					; PiDeviceRegistration+149j
		xor	ecx, ecx

loc_875879:				; CODE XREF: PiDeviceRegistration+15Dj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_875887
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_875887:				; CODE XREF: PiDeviceRegistration+10Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_875890:				; CODE XREF: PiDeviceRegistration+B7j
		sub	esi, 0C0000225h
		neg	esi
		sbb	esi, esi
		and	esi, [ebp+arg_0]
		jmp	short loc_87585C
; 

loc_87589F:				; CODE XREF: PiDeviceRegistration+101j
		cmp	[ebp+var_5], 0
		jz	short loc_8758B4
		lea	eax, [ebp+arg_0+3]
		mov	byte ptr [ebp+arg_0+3],	0
		push	eax
		mov	ecx, ebx
		call	PpForEachDeviceInstanceDriver

loc_8758B4:				; CODE XREF: PiDeviceRegistration+63j
					; PiDeviceRegistration+C2j ...
		xor	ecx, ecx

loc_8758B6:				; CODE XREF: PiDeviceRegistration+6D3E8j
		test	edi, edi
		jz	short loc_875877
		cmp	[edi], cx
		jz	short loc_875877
		push	ecx
		push	dword ptr [edi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx
		xor	eax, eax
		mov	[edi+4], ecx
		mov	[edi], eax
		jmp	short loc_875879
PiDeviceRegistration endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpForEachDeviceInstanceDriver proc near	; CODE XREF: PiDeviceRegistration+F8p
					; PiDeviceRegistration+13Bp

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E2B76 SIZE 000000F8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_74], eax
		push	edi
		push	eax
		xor	edx, edx
		mov	[ebp+var_68], esi
		lea	ecx, [ebp+var_60]
		mov	[ebp+var_6C], esi
		mov	[ebp+var_60], esi
		mov	edi, esi
		mov	[ebp+var_64], esi
		mov	[ebp+var_70], esi
		mov	[ebp+var_5C], esi
		mov	[ebp+var_78], esi
		call	PnpUnicodeStringToWstr
		test	eax, eax
		js	loc_875A7D
		mov	edx, [ebp+var_60]
		lea	eax, [ebp+var_6C]
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	eax
		push	esi
		push	20019h
		push	esi
		push	10h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_875A40
		mov	edx, [ebp+var_60]
		lea	eax, [ebp+var_64]
		mov	ecx, _PiPnpRtlCtx
		push	edi
		push	eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_64], 4Eh
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		push	9
		push	[ebp+var_6C]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_87599C
		cmp	[ebp+var_70], 1
		jnz	short loc_87599C
		cmp	[ebp+var_64], edi
		jz	short loc_87599C
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_68]
		push	edi
		push	eax
		push	edi
		push	20019h
		push	edi
		push	20h
		lea	edx, [ebp+var_58]
		call	_CmOpenCommonClassRegKey
		mov	esi, eax

loc_87599C:				; CODE XREF: PpForEachDeviceInstanceDriver+9Dj
					; PpForEachDeviceInstanceDriver+A3j ...
		mov	eax, 0AAh
		mov	[ebp+var_7C], ebx
		mov	ebx, [ebp+var_74]
		push	20207050h
		push	eax
		push	1
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], offset PiProcessDriverInstance
		mov	[ebp+var_64], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8E2B76
		xor	ebx, ebx

loc_8759D0:				; CODE XREF: PpForEachDeviceInstanceDriver+16Aj
		mov	cl, ds:byte_404860[ebx]
		test	cl, cl
		jnz	loc_875A8E

loc_8759DE:				; CODE XREF: PpForEachDeviceInstanceDriver+1BEj
		mov	edx, [ebp+var_64]
		mov	eax, ds:off_40485C[ebx]
		mov	[ebp+var_5C], edx
		test	cl, cl
		jnz	loc_875A9A
		push	0
		test	eax, eax
		jz	loc_875ABE
		lea	ecx, [ebp+var_5C]
		push	ecx
		push	edx
		mov	edx, [ebp+var_60]
		lea	ecx, [ebp+var_78]
		push	edi
		push	ecx
		push	eax
		push	0
		push	[ebp+var_6C]
		push	1

loc_875A11:				; CODE XREF: PpForEachDeviceInstanceDriver+1E5j
		mov	ecx, _PiPnpRtlCtx
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_875A1C:				; CODE XREF: PpForEachDeviceInstanceDriver+20Aj
					; PpForEachDeviceInstanceDriver+6D2CDj
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_8E2BA6

loc_875A2A:				; CODE XREF: PpForEachDeviceInstanceDriver+6D38Bj
		cmp	esi, 0C0000225h
		jnz	loc_875AE3
		xor	esi, esi

loc_875A38:				; CODE XREF: PpForEachDeviceInstanceDriver+1C4j
					; PpForEachDeviceInstanceDriver+22Fj
		add	ebx, 0Ch
		cmp	ebx, 3Ch
		jb	short loc_8759D0

loc_875A40:				; CODE XREF: PpForEachDeviceInstanceDriver+6Cj
					; PpForEachDeviceInstanceDriver+211j ...
		mov	ebx, [ebp+var_74]

loc_875A43:				; CODE XREF: PpForEachDeviceInstanceDriver+6D2A7j
		cmp	[ebp+var_60], 0
		jz	short loc_875A53
		mov	ecx, [ebp+var_60]
		mov	edx, ebx
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)

loc_875A53:				; CODE XREF: PpForEachDeviceInstanceDriver+173j
		test	edi, edi
		jz	short loc_875A5F
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_875A5F:				; CODE XREF: PpForEachDeviceInstanceDriver+181j
		cmp	[ebp+var_68], 0
		jz	short loc_875A6D
		push	[ebp+var_68]
		call	_ZwClose@4	; ZwClose(x)

loc_875A6D:				; CODE XREF: PpForEachDeviceInstanceDriver+18Fj
		cmp	[ebp+var_6C], 0
		jz	short loc_875A7B
		push	[ebp+var_6C]
		call	_ZwClose@4	; ZwClose(x)

loc_875A7B:				; CODE XREF: PpForEachDeviceInstanceDriver+19Dj
		mov	eax, esi

loc_875A7D:				; CODE XREF: PpForEachDeviceInstanceDriver+46j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_875A8E:				; CODE XREF: PpForEachDeviceInstanceDriver+104j
		cmp	[ebp+var_68], 0
		jnz	loc_8759DE
		jmp	short loc_875A38
; 

loc_875A9A:				; CODE XREF: PpForEachDeviceInstanceDriver+118j
		test	eax, eax
		jz	loc_8E2B80
		push	0
		lea	ecx, [ebp+var_5C]
		push	ecx
		push	edx
		push	edi
		lea	ecx, [ebp+var_78]
		push	ecx
		push	eax
		push	0
		push	[ebp+var_68]
		lea	edx, [ebp+var_58]
		push	2
		jmp	loc_875A11
; 

loc_875ABE:				; CODE XREF: PpForEachDeviceInstanceDriver+122j
		mov	edx, [ebp+var_60]
		lea	eax, [ebp+var_5C]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	edi
		lea	eax, [ebp+var_70]
		push	eax
		push	ds:dword_404858[ebx]
		push	[ebp+var_6C]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		jmp	loc_875A1C
; 

loc_875AE3:				; CODE XREF: PpForEachDeviceInstanceDriver+15Cj
		test	esi, esi
		js	loc_875A40
		mov	ecx, [ebp+var_70]
		lea	eax, [ebp+var_84]
		push	eax
		push	[ebp+var_5C]
		mov	edx, edi
		call	PiForEachDriverQueryRoutine
		mov	esi, eax
		test	esi, esi
		jns	loc_875A38
		jmp	loc_875A40
PpForEachDeviceInstanceDriver endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiForEachDriverQueryRoutine proc near	; CODE XREF: PpForEachDeviceInstanceDriver+226p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E2C6E SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		xor	edx, edx
		mov	[ebp+var_4], edx
		mov	eax, edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		push	edi
		cmp	ecx, 1
		jnz	short loc_875B5E

loc_875B2D:				; CODE XREF: PiForEachDriverQueryRoutine+55j
		mov	edi, [ebp+arg_0]
		cmp	edi, 2
		jbe	short loc_875B57
		cmp	ecx, 1
		jnz	loc_8E2C6E
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+arg_4]
		lea	ecx, [ebp+var_C]
		push	dword ptr [eax+8]
		push	ecx
		push	dword ptr [eax]
		call	dword ptr [eax+4]

loc_875B57:				; CODE XREF: PiForEachDriverQueryRoutine+25j
					; PiForEachDriverQueryRoutine+53j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_875B5E:				; CODE XREF: PiForEachDriverQueryRoutine+1Dj
		cmp	ecx, 7
		jnz	short loc_875B57
		jmp	short loc_875B2D
PiForEachDriverQueryRoutine endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiProcessDriverInstance	proc near	; DATA XREF: PpForEachDeviceInstanceDriver+E1o

var_38		= dword	ptr -38h
var_34		= byte ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E2CEA SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		mov	ecx, [ebp+arg_4]
		lea	eax, [esp+3Ch+var_28]
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	edx, edx
		push	esi
		push	edi
		push	1
		push	eax
		mov	dword ptr [esp+50h+var_34], edx
		mov	[esp+50h+var_38], edx
		mov	[esp+50h+var_24], edx
		mov	[esp+50h+var_20], edx
		mov	[esp+50h+var_28], edx
		mov	[esp+50h+var_30], edx
		mov	[esp+50h+var_2C], edx
		push	edx
		mov	edx, 0F003Fh
		call	PipOpenServiceEnumKeys
		mov	edi, eax
		test	edi, edi
		js	loc_875D45
		mov	esi, [esp+48h+var_28]
		lea	eax, [esp+48h+var_38]
		push	eax
		lea	eax, [esp+4Ch+var_24]
		mov	edx, ebx
		push	eax
		lea	eax, [esp+50h+var_34]
		mov	ecx, esi
		push	eax
		call	PiFindDevInstMatch
		mov	edi, eax
		test	edi, edi
		js	loc_875D3F
		mov	eax, [ebp+arg_8]
		mov	cl, [eax]
		mov	eax, [esp+48h+var_20]
		test	eax, eax
		jnz	loc_8E2D04
		test	cl, cl
		jz	loc_875D3D
		mov	ecx, [ebx+4]
		xor	edx, edx
		movzx	eax, word ptr [ebx]
		mov	edi, edx
		mov	ebx, eax
		mov	[esp+48h+var_28], ecx
		and	ebx, 0FFFFFFFEh
		mov	[esp+48h+var_38], eax
		cmp	[ebx+ecx-2], dx
		jz	loc_8E2CEA
		add	eax, 2
		push	20207050h
		push	eax
		push	1
		mov	[esp+54h+var_1C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8E2CF1
		push	[esp+48h+var_38] ; size_t
		push	[esp+4Ch+var_28] ; void	*
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[esp+48h+var_28], edi
		xor	eax, eax
		mov	[ebx+edi], ax
		mov	ebx, [esp+48h+var_1C]

loc_875C5D:				; CODE XREF: PiProcessDriverInstance+6D186j
					; PiProcessDriverInstance+6D18Fj
		push	dword ptr [esp+48h+var_34] ; char
		lea	eax, [esp+4Ch+var_18]
		mov	[esp+4Ch+var_38], eax
		xor	eax, eax
		push	offset ??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@	; wchar_t *
		push	eax		; int
		push	eax		; int
		lea	eax, [esp+58h+var_38]
		push	eax		; int
		lea	eax, [esp+5Ch+var_18]
		push	0Ah		; int
		push	eax		; void *
		call	RtlStringCchPrintfExW
		mov	eax, [esp+64h+var_38]
		lea	ecx, [esp+64h+var_18]
		add	esp, 1Ch
		sub	eax, ecx
		sar	eax, 1
		push	14h
		pop	ecx
		mov	word ptr [esp+48h+var_30+2], cx
		cmp	eax, 0FFFFFFFFh
		jz	loc_8E2CFA
		add	eax, eax
		mov	word ptr [esp+48h+var_30], ax

loc_875CAA:				; CODE XREF: PiProcessDriverInstance+6D199j
		push	ebx
		push	[esp+4Ch+var_28]
		lea	eax, [esp+50h+var_18]
		push	1
		mov	[esp+54h+var_2C], eax
		lea	eax, [esp+54h+var_30]
		push	0
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		test	edi, edi
		jz	short loc_875CD2
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_875CD2:				; CODE XREF: PiProcessDriverInstance+162j
		inc	dword ptr [esp+48h+var_34]

loc_875CD6:				; CODE XREF: PiProcessDriverInstance+6D1BCj
					; PiProcessDriverInstance+6D1CDj
		push	0Ch
		pop	eax
		push	0Ah
		mov	word ptr [esp+4Ch+var_30+2], ax
		pop	eax
		push	4
		pop	edi
		push	edi
		mov	word ptr [esp+4Ch+var_30], ax
		lea	eax, [esp+4Ch+var_34]
		push	eax
		push	edi
		push	0
		lea	eax, [esp+58h+var_30]
		mov	[esp+58h+var_2C], offset ??_C@_1M@NBCIMFHI@?$AAC?$AAo?$AAu?$AAn?$AAt@NNGAKEGL@ ; "C"
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	1Ah
		pop	eax
		push	18h
		mov	word ptr [esp+4Ch+var_30+2], ax
		pop	eax
		push	edi
		mov	word ptr [esp+4Ch+var_30], ax
		lea	eax, [esp+4Ch+var_34]
		push	eax
		push	edi
		push	0
		lea	eax, [esp+58h+var_30]
		mov	[esp+58h+var_2C], offset ??_C@_1BK@IOIONMMG@?$AAN?$AAe?$AAx?$AAt?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@NNGAKEGL@
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	eax, [esp+48h+var_20]

loc_875D35:				; CODE XREF: PiProcessDriverInstance+6D1A0j
		test	eax, eax
		jnz	loc_8E2D38

loc_875D3D:				; CODE XREF: PiProcessDriverInstance+92j
					; PiProcessDriverInstance+6D1DCj
		xor	edi, edi

loc_875D3F:				; CODE XREF: PiProcessDriverInstance+79j
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_875D45:				; CODE XREF: PiProcessDriverInstance+53j
		mov	ecx, [esp+48h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
PiProcessDriverInstance	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpCallDriverQueryServiceHelper	proc near ; CODE XREF: PipCallDriverAddDevice+38Ep
					; PipCallDriverAddDevice+3E1p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 008E2D47 SIZE 000000E5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], eax
		mov	ecx, [eax]
		mov	edx, [ebx]
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_4], ecx
		cmp	[ebp+arg_4], edi
		jnz	short loc_875DE7
		cmp	[ebp+arg_10], 0
		lea	eax, [ebp+var_4]
		mov	esi, [ebp+arg_C]
		jnz	loc_8E2D47
		mov	ecx, _PiPnpRtlCtx
		push	edi
		mov	edi, [ebp+arg_8]
		push	eax
		push	edx
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		push	[ebp+arg_0]
		push	esi
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)

loc_875DB0:				; CODE XREF: PnpCallDriverQueryServiceHelper+BBj
					; PnpCallDriverQueryServiceHelper+6D006j
		cmp	eax, 0C0000023h
		jz	loc_8E2D67

loc_875DBB:				; CODE XREF: PnpCallDriverQueryServiceHelper+6D063j
					; PnpCallDriverQueryServiceHelper+6D087j ...
		test	eax, eax
		js	short loc_875DE0
		cmp	[ebp+arg_4], 0
		jnz	short loc_875E19
		mov	ecx, [ebp+var_8]

loc_875DC8:				; CODE XREF: PnpCallDriverQueryServiceHelper+6D0C1j
		cmp	ecx, 7
		jz	short loc_875E2D

loc_875DCD:				; CODE XREF: PnpCallDriverQueryServiceHelper+6D0B6j
		push	[ebp+arg_18]
		mov	edx, [ebx]
		push	[ebp+arg_14]
		push	[ebp+arg_1C]
		push	[ebp+var_4]
		call	PipCallDriverAddDeviceQueryRoutine

loc_875DE0:				; CODE XREF: PnpCallDriverQueryServiceHelper+61j
					; PnpCallDriverQueryServiceHelper+12Fj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_875DE7:				; CODE XREF: PnpCallDriverQueryServiceHelper+27j
		push	edi
		lea	esi, [ebp+var_4]
		xor	eax, eax
		cmp	[ebp+arg_10], al
		push	esi
		mov	esi, [ebp+arg_C]
		setnz	al
		push	ecx
		push	edx
		lea	ecx, [ebp+var_C]
		inc	eax
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, _PiPnpRtlCtx
		push	edi
		mov	edi, [ebp+arg_8]
		mov	edx, edi
		push	esi
		push	eax
		mov	[ebp+var_10], eax
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_875DB0
; 

loc_875E19:				; CODE XREF: PnpCallDriverQueryServiceHelper+67j
		cmp	[ebp+var_C], 2012h
		jnz	loc_8E2E07
		mov	[ebp+var_8], 7

loc_875E2D:				; CODE XREF: PnpCallDriverQueryServiceHelper+6Fj
		mov	ecx, [ebp+var_14]
		cmp	dword ptr [ecx], 2
		jb	loc_8E2E22
		mov	ecx, [ebp+var_4]
		cmp	ecx, 2
		jb	loc_8E2E22
		mov	esi, [ebx]
		xor	ebx, ebx
		jmp	short loc_875E9F
; 

loc_875E4B:				; CODE XREF: PnpCallDriverQueryServiceHelper+146j
		mov	edx, esi
		lea	edi, [edx+2]

loc_875E50:				; CODE XREF: PnpCallDriverQueryServiceHelper+FDj
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, bx
		jnz	short loc_875E50
		sub	edx, edi
		lea	eax, [ebp+var_4]
		sar	edx, 1
		push	eax
		lea	edi, ds:2[edx*2]
		mov	edx, edi
		call	_RtlULongPtrSub@12 ; RtlULongPtrSub(x,x,x)
		test	eax, eax
		js	short loc_875EA9
		push	[ebp+arg_18]
		xor	ecx, ecx
		mov	edx, esi
		push	[ebp+arg_14]
		inc	ecx
		push	[ebp+arg_1C]
		push	edi
		call	PipCallDriverAddDeviceQueryRoutine
		test	eax, eax
		js	loc_875DE0
		mov	ecx, [ebp+var_4]
		cmp	ecx, 2
		jb	loc_875DE0
		add	esi, edi

loc_875E9F:				; CODE XREF: PnpCallDriverQueryServiceHelper+EDj
		cmp	[esi], bx
		jnz	short loc_875E4B
		jmp	loc_875DE0
; 

loc_875EA9:				; CODE XREF: PnpCallDriverQueryServiceHelper+117j
		mov	eax, ebx
		jmp	loc_875DE0
PnpCallDriverQueryServiceHelper	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipCallDriverAddDeviceQueryRoutine proc	near
					; CODE XREF: PnpCallDriverQueryServiceHelper+7Fp
					; PnpCallDriverQueryServiceHelper+128p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

; FUNCTION CHUNK AT 008E2E2C SIZE 000002FE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		xor	eax, eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_1], al
		push	ebx
		mov	ebx, eax
		push	esi
		mov	esi, eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], esi
		push	edi
		mov	edi, offset ??_C@_1BC@PAOLLJBM@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2@NNGAKEGL@
		cmp	ecx, 1
		jnz	loc_8E3123
		cmp	[ebp+arg_0], 2
		jbe	loc_8E3123
		push	edx
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+var_20]
		mov	dl, 1
		push	5Ch
		mov	byte ptr [ebp+arg_0+3],	dl
		pop	eax

loc_875F0C:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+227j
		cmp	[ecx], ax
		jz	loc_8760C3
		xor	eax, eax
		mov	dl, al
		mov	byte ptr [ebp+arg_0+3],	al

loc_875F1C:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+22Fj
		mov	edi, [ebp+arg_4]
		test	dl, dl
		jnz	loc_87613D
		mov	ecx, [edi]
		cmp	[ecx+1Ch], ax
		jz	loc_8E2E2C

loc_875F33:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6CFBAj
		push	eax
		push	eax
		lea	eax, [ebp+var_C]
		mov	edx, 20019h
		push	eax
		lea	ecx, [ebp+var_24]
		call	PipOpenServiceEnumKeys
		mov	esi, eax
		test	esi, esi
		js	loc_8E2E8A
		mov	eax, [ebp+var_C]
		lea	edx, [ebp+var_2C]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	IopGetDriverNameFromKeyNode
		mov	esi, eax
		test	esi, esi
		js	loc_8E2EAE
		mov	esi, [ebp+var_8]
		mov	[ebp+var_1], 1

loc_875F71:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+299j
		lea	ecx, [ebp+var_2C]
		call	_IopReferenceDriverObjectByName@4 ; IopReferenceDriverObjectByName(x)
		mov	ebx, eax
		mov	[ebp+arg_4], ebx
		test	ebx, ebx
		jnz	loc_876051
		cmp	byte ptr [ebp+arg_0+3],	al
		jnz	short loc_875FD7
		mov	ecx, [ebp+var_20]
		lea	eax, [ebp+var_14]
		push	eax
		mov	edx, esi
		call	PnpGetServiceStartType
		test	eax, eax
		js	loc_8E2EC3
		mov	eax, [ebp+var_14]

loc_875FA4:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D016j
		mov	edx, [ebp+arg_8]
		mov	[ebp+arg_0], eax
		cmp	edx, 3
		jnz	loc_8760E4

loc_875FB3:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+23Bj
		mov	ecx, [edi+4]
		cmp	eax, [ecx]
		ja	loc_8E2F0F
		cmp	byte ptr [ecx+4], 0
		jnz	short loc_876009
		test	eax, eax
		jz	short loc_875FD7
		mov	ecx, esi
		call	_PnpCheckPossibleBootStartDriver@4 ; PnpCheckPossibleBootStartDriver(x)
		test	al, al
		jz	loc_8760B5

loc_875FD7:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+D9j
					; PipCallDriverAddDeviceQueryRoutine+116j ...
		mov	esi, 0C0000001h

loc_875FDC:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+200j
					; PipCallDriverAddDeviceQueryRoutine+6D00Ej ...
		mov	eax, [ebp+var_8]

loc_875FDF:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6CFF9j
		test	eax, eax
		jz	short loc_875FE9
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_875FE9:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+131j
		cmp	[ebp+var_1], 0
		jz	short loc_875FF8
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_875FF8:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+13Dj
		test	ebx, ebx
		jnz	loc_8E3117

loc_876000:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6CFD5j
					; PipCallDriverAddDeviceQueryRoutine+6D26Ej
		mov	eax, esi

loc_876002:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D275j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_876009:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+112j
		lea	eax, [ebp+var_10]
		cmp	edx, 3
		mov	dl, [ebp+arg_C]
		mov	ecx, esi
		push	eax
		setnz	al
		movzx	eax, al
		push	eax
		call	IopLoadDriver
		and	[ebp+var_8], 0
		mov	esi, eax
		mov	[ebp+var_18], esi
		test	esi, esi
		js	loc_8E2F39

loc_876032:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D099j
					; PipCallDriverAddDeviceQueryRoutine+6D0A1j ...
		cmp	_PnPInitialized, 0
		jnz	loc_876131

loc_87603F:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+288j
		lea	ecx, [ebp+var_2C]
		call	_IopReferenceDriverObjectByName@4 ; IopReferenceDriverObjectByName(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8E2FB4

loc_876051:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+D0j
					; PipCallDriverAddDeviceQueryRoutine+276j
		test	byte ptr [ebx+8], 10h
		jz	short loc_875FD7
		mov	ecx, ebx
		call	_PnpIsLegacyDriver@4 ; PnpIsLegacyDriver(x)
		test	eax, eax
		jnz	loc_8E30D9
		mov	eax, [edi]
		mov	eax, [eax+0ACh]
		cmp	eax, 302h
		jnz	loc_8E30FD

loc_876079:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D258j
		mov	eax, [ebp+arg_8]
		xor	esi, esi
		push	6E657050h
		push	8
		push	1
		lea	edi, [edi+eax*4]
		add	edi, 8
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8E310D
		mov	[ecx], ebx
		xor	ebx, ebx
		and	[ecx+4], ebx
		jmp	short loc_8760A8
; 

loc_8760A5:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+1FCj
		lea	edi, [eax+4]

loc_8760A8:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+1F3j
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_8760A5
		mov	[edi], ecx
		jmp	loc_875FDC
; 

loc_8760B5:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+121j
		mov	eax, [edi]
		mov	byte ptr [eax+1C0h], 1
		jmp	loc_875FD7
; 

loc_8760C3:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+5Fj
		add	edi, 2
		add	ecx, 2
		movzx	eax, word ptr [edi]
		mov	esi, eax
		mov	[ebp+var_1C], esi
		mov	esi, [ebp+var_8]
		test	ax, ax
		jnz	loc_875F0C
		xor	eax, eax
		jmp	loc_875F1C
; 

loc_8760E4:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+FDj
		cmp	_PnPBootDriversInitialized, 0
		jnz	loc_875FB3
		mov	ecx, esi
		call	PpInitGetGroupOrderIndex
		lea	ecx, [ebp+arg_4]
		movzx	eax, ax
		push	ecx
		push	eax
		lea	edx, [ebp+var_2C]
		call	PnpLoadBootFilterDriver
		mov	esi, eax
		test	esi, esi
		js	loc_8E2ECB
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	loc_8E2FEF
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_876124:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D05Aj
					; PipCallDriverAddDeviceQueryRoutine+6D13Aj
		test	ebx, ebx
		jnz	loc_876051
		jmp	loc_8E2FEF
; 

loc_876131:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+189j
		xor	cl, cl
		call	_IopCallDriverReinitializationRoutines@4 ; IopCallDriverReinitializationRoutines(x)
		jmp	loc_87603F
; 

loc_87613D:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+71j
		push	[ebp+var_20]
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_875F71
PipCallDriverAddDeviceQueryRoutine endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopReferenceDriverObjectByName(x)
_IopReferenceDriverObjectByName@4 proc near
					; CODE XREF: PipCallDriverAddDeviceQueryRoutine+C4p
					; PipCallDriverAddDeviceQueryRoutine+192p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		cmp	[ecx], di
		jz	short loc_8761A2
		mov	esi, ds:_IoDriverObjectType
		lea	eax, [ebp+var_4]
		push	eax
		mov	[ebp+var_20], 18h
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], 240h
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	edi
		push	80h
		push	edi
		push	edi
		push	esi
		lea	eax, [ebp+var_20]
		push	eax
		call	ObOpenObjectByNameEx
		test	eax, eax
		jns	short loc_8761A8

loc_8761A2:				; CODE XREF: IopReferenceDriverObjectByName(x)+12j
					; IopReferenceDriverObjectByName(x)+7Ej
		xor	eax, eax

loc_8761A4:				; CODE XREF: IopReferenceDriverObjectByName(x)+83j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_8761A8:				; CODE XREF: IopReferenceDriverObjectByName(x)+52j
		mov	eax, ds:_IoDriverObjectType
		lea	ecx, [ebp+var_8]
		push	edi
		push	ecx
		push	edi
		push	eax
		push	edi
		push	[ebp+var_4]
		mov	[ebp+var_8], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_8761A2
		mov	eax, [ebp+var_8]
		jmp	short loc_8761A4
_IopReferenceDriverObjectByName@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipOpenServiceEnumKeys proc near	; CODE XREF: PiProcessDriverInstance+4Ap
					; PipCallDriverAddDeviceQueryRoutine+91p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008E312A SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_C]
		xor	esi, esi
		push	eax
		push	6
		mov	edi, edx
		mov	[ebp+var_10], esi
		mov	ebx, ecx
		mov	[ebp+var_18], esi
		mov	ecx, _PiPnpRtlCtx
		pop	edx
		mov	[ebp+var_14], esi
		mov	[ebp+var_C], esi
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		test	eax, eax
		js	short loc_876260
		mov	[ebp+var_8], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi

loc_876210:				; CODE XREF: PipOpenServiceEnumKeys+6CF8Cj
		mov	eax, [ebp+var_C]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	edi
		lea	eax, [ebp+var_8]
		mov	[ebp+var_30], 18h
		push	eax
		mov	[ebp+var_24], 240h
		mov	[ebp+var_28], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		cmp	eax, 0C0000034h
		jz	loc_8E312A

loc_876240:				; CODE XREF: PipOpenServiceEnumKeys+6CF96j
					; PipOpenServiceEnumKeys+6CFA1j
		test	eax, eax
		js	short loc_876260
		mov	esi, [ebp+arg_4]
		mov	al, [ebp+arg_8]
		test	esi, esi
		jnz	short loc_876267
		test	al, al
		jnz	short loc_876267

loc_876252:				; CODE XREF: PipOpenServiceEnumKeys+D3j
					; PipOpenServiceEnumKeys+6CFAEj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_8762A9
		mov	eax, [ebp+var_8]
		mov	[ecx], eax

loc_87625E:				; CODE XREF: PipOpenServiceEnumKeys+DDj
		xor	eax, eax

loc_876260:				; CODE XREF: PipOpenServiceEnumKeys+31j
					; PipOpenServiceEnumKeys+6Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_876267:				; CODE XREF: PipOpenServiceEnumKeys+78j
					; PipOpenServiceEnumKeys+7Cj
		mov	[ebp+var_14], offset ??_C@_19DDCEFKEI@?$AAE?$AAn?$AAu?$AAm@NNGAKEGL@ ; "Enum"
		push	0Ah
		pop	ecx
		mov	word ptr [ebp+var_18+2], cx
		push	8
		pop	ecx
		mov	word ptr [ebp+var_18], cx
		test	al, al
		jz	short loc_8762B3
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_18]
		push	0
		push	1
		push	edi
		push	eax
		lea	ecx, [ebp+var_10]
		call	IopCreateRegistryKeyEx

loc_876294:				; CODE XREF: PipOpenServiceEnumKeys+10Fj
		mov	edi, eax
		test	edi, edi
		js	short loc_8762E5
		test	esi, esi
		jz	loc_8E317A
		mov	eax, [ebp+var_10]
		mov	[esi], eax
		jmp	short loc_876252
; 

loc_8762A9:				; CODE XREF: PipOpenServiceEnumKeys+83j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_87625E
; 

loc_8762B3:				; CODE XREF: PipOpenServiceEnumKeys+AAj
		mov	eax, [ebp+var_8]
		and	[ebp+var_20], 0
		and	[ebp+var_1C], 0
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	edi
		lea	eax, [ebp+var_10]
		mov	[ebp+var_30], 18h
		push	eax
		mov	[ebp+var_24], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		jmp	short loc_876294
; 

loc_8762E5:				; CODE XREF: PipOpenServiceEnumKeys+C4j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, edi
		jmp	loc_876260
PipOpenServiceEnumKeys endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpGetServiceStartType proc near	; CODE XREF: PipCallDriverAddDeviceQueryRoutine+E4p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E3187 SIZE 0000014F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], edx
		push	edi
		mov	dword ptr [ebx], 4
		mov	edi, ecx
		test	byte ptr _ExpManufacturingInformation, 1
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		jnz	loc_8E3187

loc_876322:				; CODE XREF: PnpGetServiceStartType+6CEE2j
					; PnpGetServiceStartType+6CEECj ...
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+arg_0]
		push	eax
		push	ebx
		lea	eax, [ebp+var_4]
		mov	[ebp+arg_0], 4
		push	eax
		mov	edx, offset ??_C@_1M@IOJLKPKK@?$AAS?$AAt?$AAa?$AAr?$AAt@NNGAKEGL@
		call	_RegRtlQueryValue
		mov	edi, eax
		test	edi, edi
		js	short loc_87634D
		push	4
		pop	eax
		cmp	[ebp+var_4], eax
		jnz	short loc_876360

loc_87634D:				; CODE XREF: PnpGetServiceStartType+4Fj
					; PnpGetServiceStartType+73j ...
		cmp	[ebp+var_8], 0
		jnz	loc_8E32C9

loc_876357:				; CODE XREF: PnpGetServiceStartType+6CFDDj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_876360:				; CODE XREF: PnpGetServiceStartType+57j
		mov	edi, 0C0000034h
		mov	[ebx], eax
		jmp	short loc_87634D
PnpGetServiceStartType endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpCheckPossibleBootStartDriver(x)
_PnpCheckPossibleBootStartDriver@4 proc	near
					; CODE XREF: PipCallDriverAddDeviceQueryRoutine+11Ap
					; PipCallDriverAddDeviceQueryRoutine+6D03Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	eax
		push	0
		mov	edx, (offset loc_8B9937+1)
		xor	bl, bl
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_8763AD
		mov	ecx, [ebp+var_4]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_8763A5
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_8763A5
		mov	eax, [ecx+8]
		cmp	dword ptr [ecx+eax], 0
		jz	short loc_8763A5
		inc	bl

loc_8763A5:				; CODE XREF: PnpCheckPossibleBootStartDriver(x)+28j
					; PnpCheckPossibleBootStartDriver(x)+2Ej ...
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8763AD:				; CODE XREF: PnpCheckPossibleBootStartDriver(x)+1Fj
		mov	al, bl
		pop	ebx
		leave
		retn
_PnpCheckPossibleBootStartDriver@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpHotSwapUpdateRemovalPolicy proc near	; CODE XREF: PiProcessNewDeviceNode+8EBp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E32D6 SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	edx, [ebp+var_8]
		push	edi
		mov	esi, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], ebx
		call	_PiHotSwapGetDetachableNode@8 ;	PiHotSwapGetDetachableNode(x,x)
		mov	edi, [ebp+var_8]
		test	edi, edi
		jnz	short loc_8763E7
		mov	word ptr [esi+13Eh], 101h

loc_8763E2:				; CODE XREF: PpHotSwapUpdateRemovalPolicy+AAj
					; PpHotSwapUpdateRemovalPolicy+6CF55j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8763E7:				; CODE XREF: PpHotSwapUpdateRemovalPolicy+25j
		mov	eax, [esi+10h]
		mov	edx, 300h
		mov	ecx, [eax+20h]
		mov	eax, ecx
		and	eax, edx
		test	ecx, 4000h
		jnz	short loc_876471
		test	ecx, 8000h
		jnz	short loc_87646A
		cmp	eax, 200h
		jz	short loc_876471
		cmp	eax, edx
		jz	short loc_87646A
		cmp	esi, edi
		jnz	short loc_876463
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	PiHotSwapGetDefaultBusRemovalPolicy
		mov	ecx, [ebp+var_4]

loc_876422:				; CODE XREF: PpHotSwapUpdateRemovalPolicy+6CF28j
		cmp	esi, edi
		jnz	loc_8E32DF

loc_87642A:				; CODE XREF: PpHotSwapUpdateRemovalPolicy+6CF39j
					; PpHotSwapUpdateRemovalPolicy+6CF44j
		mov	edx, [esi+18h]
		lea	eax, [ebp+var_10]
		push	4
		pop	edi
		push	ebx
		push	eax
		lea	eax, [ebp+var_4]
		mov	[esi+13Eh], cl
		push	eax
		lea	eax, [ebp+var_C]
		mov	[esi+13Fh], cl
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	22h
		push	ebx
		mov	[ebp+var_10], edi
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8763E2
		jmp	loc_8E32FB
; 

loc_876463:				; CODE XREF: PpHotSwapUpdateRemovalPolicy+61j
		push	6
		jmp	loc_8E32D6
; 

loc_87646A:				; CODE XREF: PpHotSwapUpdateRemovalPolicy+52j
					; PpHotSwapUpdateRemovalPolicy+5Dj
		push	3
		jmp	loc_8E32D6
; 

loc_876471:				; CODE XREF: PpHotSwapUpdateRemovalPolicy+4Aj
					; PpHotSwapUpdateRemovalPolicy+59j
		push	2
		jmp	loc_8E32D6
PpHotSwapUpdateRemovalPolicy endp


;  S U B	R O U T	I N E 


; __stdcall PiHotSwapGetDetachableNode(x, x)
_PiHotSwapGetDetachableNode@8 proc near	; CODE XREF: PpHotSwapUpdateRemovalPolicy+1Bp
					; PpHotSwapGetDevnodeRemovalPolicy+14A5FEp
		jmp	short loc_876486
; 

loc_87647A:				; CODE XREF: PiHotSwapGetDetachableNode(x,x)+10j
		test	byte ptr [ecx+170h], 18h
		jnz	short loc_87648A
		mov	ecx, [ecx+8]

loc_876486:				; CODE XREF: PiHotSwapGetDetachableNode(x,x)j
		test	ecx, ecx
		jnz	short loc_87647A

loc_87648A:				; CODE XREF: PiHotSwapGetDetachableNode(x,x)+9j
		mov	[edx], ecx
		retn
_PiHotSwapGetDetachableNode@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiQueryAndAllocateBootResources	proc near ; CODE XREF: PiProcessNewDeviceNode+896p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E3329 SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	esi, ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	ebx, ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], esi
		mov	byte ptr [ebp+var_10], cl
		mov	[ebp+var_4], ecx
		cmp	[edi+168h], ecx
		jnz	short loc_8764DC
		mov	ecx, [edi+10h]
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		xor	edx, edx
		push	eax
		call	IopQueryDeviceResources
		mov	ebx, eax
		xor	ecx, ecx
		test	ebx, ebx
		js	loc_8E3329
		mov	esi, [ebp+var_8]

loc_8764DC:				; CODE XREF: PiQueryAndAllocateBootResources+2Bj
					; PiQueryAndAllocateBootResources+6CEA1j
		mov	eax, [edi+10Ch]
		and	eax, 2000h
		jnz	loc_8E3334

loc_8764ED:				; CODE XREF: PiQueryAndAllocateBootResources+6CEB3j
		test	eax, eax
		jnz	loc_8E3346

loc_8764F5:				; CODE XREF: PiQueryAndAllocateBootResources+6CEC7j
					; PiQueryAndAllocateBootResources+6CEDAj
		test	esi, esi
		jnz	loc_8765E5

loc_8764FD:				; CODE XREF: PiQueryAndAllocateBootResources+15Bj
		mov	edx, [edi+18h]
		lea	eax, [ebp+var_4]
		push	ecx
		push	eax
		push	[ebp+var_10]
		push	0F003Fh
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	14h
		pop	eax
		push	eax
		call	_CmOpenDeviceRegKey
		test	eax, eax
		jns	short loc_876525
		and	[ebp+var_4], 0

loc_876525:				; CODE XREF: PiQueryAndAllocateBootResources+91j
		cmp	[ebp+var_4], 0
		jnz	short loc_876544

loc_87652B:				; CODE XREF: PiQueryAndAllocateBootResources+BDj
					; PiQueryAndAllocateBootResources+135j	...
		test	esi, esi
		jnz	loc_8765EE

loc_876533:				; CODE XREF: PiQueryAndAllocateBootResources+123j
					; PiQueryAndAllocateBootResources+168j
		cmp	[ebp+var_4], 0
		jnz	loc_8765D8

loc_87653D:				; CODE XREF: PiQueryAndAllocateBootResources+152j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_876544:				; CODE XREF: PiQueryAndAllocateBootResources+9Bj
		cmp	dword ptr [edi+168h], 0
		jnz	short loc_87652B
		push	16h
		pop	eax
		mov	word ptr [ebp+var_18+2], ax
		push	14h
		pop	eax
		mov	word ptr [ebp+var_18], ax
		mov	eax, large fs:124h
		mov	[ebp+var_14], offset ??_C@_1BG@MNAOJKEG@?$AAB?$AAo?$AAo?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@ ; "B"
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	esi, offset _PnpRegistryDeviceResource
		push	esi
		call	ExAcquireResourceSharedLite
		cmp	[ebp+var_8], 0
		lea	eax, [ebp+var_18]
		jz	short loc_8765FB
		push	[ebp+var_C]
		push	[ebp+var_8]
		push	8
		push	0
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_876599:				; CODE XREF: PiQueryAndAllocateBootResources+176j
		mov	ecx, esi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, [ebp+var_8]
		test	esi, esi
		jz	short loc_876533
		push	esi
		push	dword ptr [edi+10h]
		push	4
		call	_IopAllocateBootResourcesRoutine
		mov	ebx, eax
		test	ebx, ebx
		js	loc_87652B
		push	40h
		pop	edx
		mov	ecx, edi
		call	PipSetDevNodeFlags
		jmp	loc_87652B
; 

loc_8765D8:				; CODE XREF: PiQueryAndAllocateBootResources+A9j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_87653D
; 

loc_8765E5:				; CODE XREF: PiQueryAndAllocateBootResources+69j
		mov	byte ptr [ebp+var_10], 1
		jmp	loc_8764FD
; 

loc_8765EE:				; CODE XREF: PiQueryAndAllocateBootResources+9Fj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_876533
; 

loc_8765FB:				; CODE XREF: PiQueryAndAllocateBootResources+F6j
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	short loc_876599
PiQueryAndAllocateBootResources	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopQueryDeviceResources	proc near	; CODE XREF: PiQueryAndAllocateBootResources+3Ap
					; PnpGetResourceRequirementsForAssignTable+9Cp	...

var_48		= dword	ptr -48h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E336D SIZE 000000A3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	[ebp+var_1C], ecx
		xor	ecx, ecx
		push	edi
		mov	[ebx], ecx
		lea	edi, [ebp+var_48]
		mov	[eax], ecx
		mov	esi, ecx
		mov	[ebp+var_8], ecx
		xor	eax, eax
		mov	[ebp+var_14], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_4], esi
		push	9
		pop	ecx
		rep stosd
		mov	edi, [ebp+var_1C]
		mov	ecx, edi
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		mov	[ebp+arg_0], eax
		test	edx, edx
		jnz	short loc_87669D
		test	byte ptr [eax+10Ch], 1
		jnz	loc_8E336D
		push	ebx
		push	edx
		push	0C00000BBh
		lea	edx, [ebp+var_48]
		mov	word ptr [ebp+var_48], 0A1Bh
		call	IopSynchronousCall
		mov	esi, eax
		cmp	esi, 0C00000BBh
		jnz	short loc_876684
		and	dword ptr [ebx], 0
		xor	esi, esi

loc_876684:				; CODE XREF: IopQueryDeviceResources+77j
		test	esi, esi
		js	short loc_876694
		mov	ecx, [ebx]
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax

loc_876694:				; CODE XREF: IopQueryDeviceResources+80j
		mov	eax, esi

loc_876696:				; CODE XREF: IopQueryDeviceResources+106j
					; IopQueryDeviceResources+146j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_87669D:				; CODE XREF: IopQueryDeviceResources+4Bj
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		push	ebx
		push	2
		call	PnpGetDeviceResourcesFromRegistry
		cmp	eax, 0C0000034h
		jnz	loc_8E33B5
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_4]
		inc	edx
		push	eax
		push	1
		mov	ecx, edi
		call	PnpGetDeviceResourcesFromRegistry
		mov	esi, 0C0000034h
		cmp	eax, esi
		jnz	loc_8E3395
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+10Ch], 1
		jnz	loc_87688C
		mov	eax, [eax+128h]
		test	eax, eax
		jnz	short loc_876751
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_PpIrpQueryResourceRequirements@8 ; PpIrpQueryResourceRequirements(x,x)
		cmp	eax, 0C00000BBh
		jnz	loc_8768E5
		xor	esi, esi
		xor	eax, eax

loc_87670A:				; CODE XREF: IopQueryDeviceResources+2A2j
					; IopQueryDeviceResources+2E2j
		test	eax, eax
		js	short loc_876696

loc_87670E:				; CODE XREF: IopQueryDeviceResources+178j
					; IopQueryDeviceResources+6CD92j
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_10]
		mov	ecx, edi
		push	eax
		push	4
		call	PnpGetDeviceResourcesFromRegistry
		test	eax, eax
		jns	loc_87681F

loc_876729:				; CODE XREF: IopQueryDeviceResources+229j
					; IopQueryDeviceResources+281j	...
		mov	edi, [ebp+arg_4]

loc_87672C:				; CODE XREF: IopQueryDeviceResources+6CDD8j
		mov	ecx, [ebp+var_1C]
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, esi
		call	IopFilterResourceRequirementsCall
		test	eax, eax
		jns	short loc_876780
		mov	[ebx], esi
		test	esi, esi
		jnz	loc_8E3407
		and	[edi], esi

loc_87674A:				; CODE XREF: IopQueryDeviceResources+1DDj
					; IopQueryDeviceResources+214j	...
		xor	eax, eax
		jmp	loc_876696
; 

loc_876751:				; CODE XREF: IopQueryDeviceResources+E9j
		push	20207050h
		push	dword ptr [eax]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8E338B
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+128h]
		push	dword ptr [ecx]	; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_87670E
; 

loc_876780:				; CODE XREF: IopQueryDeviceResources+136j
		mov	esi, [ebp+var_20]
		xor	ecx, ecx
		mov	[ebp+arg_4], ecx
		test	esi, esi
		jz	loc_8E33FE
		mov	eax, [esi]
		push	20207050h
		push	eax
		push	1
		mov	[edi], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jz	loc_8E33EC
		push	dword ptr [edi]	; size_t
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx

loc_8767C1:				; CODE XREF: IopQueryDeviceResources+6CDFCj
		push	ecx
		lea	eax, [ebp+arg_4]
		push	eax
		mov	eax, [ebp+arg_0]
		push	1
		push	20019h
		push	ecx
		mov	edx, [eax+18h]
		mov	ecx, _PiPnpRtlCtx
		push	13h
		call	_CmOpenDeviceRegKey
		test	eax, eax
		js	loc_87674A
		push	2Ah
		pop	eax
		push	28h
		mov	word ptr [ebp+var_24+2], ax
		pop	eax
		push	dword ptr [edi]
		mov	word ptr [ebp+var_24], ax
		lea	eax, [ebp+var_24]
		push	dword ptr [ebx]
		mov	[ebp+var_20], offset ??_C@_1CK@GIAJHCOH@?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAe?$AAd?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAV@NNGAKEGL@
		push	0Ah
		push	0
		push	eax
		push	[ebp+arg_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+arg_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_87674A
; 

loc_87681F:				; CODE XREF: IopQueryDeviceResources+11Dj
		mov	edi, [ebp+var_10]
		test	edi, edi
		jz	short loc_876835
		cmp	dword ptr [edi], 0
		jz	short loc_876835
		cmp	dword ptr [edi+4], 5
		jz	loc_876729

loc_876835:				; CODE XREF: IopQueryDeviceResources+21Ej
					; IopQueryDeviceResources+223j
		lea	eax, [ebp+var_14]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax
		call	PnpFilterResourceRequirementsList
		mov	[ebp+var_10], eax
		test	edi, edi
		jz	short loc_876858
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_10]

loc_876858:				; CODE XREF: IopQueryDeviceResources+245j
		test	eax, eax
		js	loc_8E339D
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+10Ch], 1
		jnz	short loc_876878
		cmp	[ebp+var_14], 0
		jz	short loc_8768AD
		cmp	dword ptr [esi+1Ch], 1
		ja	short loc_8768AD

loc_876878:				; CODE XREF: IopQueryDeviceResources+264j
		test	esi, esi
		jz	short loc_876884
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_876884:				; CODE XREF: IopQueryDeviceResources+274j
		mov	esi, [ebp+var_8]
		jmp	loc_876729
; 

loc_87688C:				; CODE XREF: IopQueryDeviceResources+DBj
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_4]
		inc	edx
		push	eax
		push	2
		mov	ecx, edi
		call	PnpGetDeviceResourcesFromRegistry
		cmp	eax, esi
		jnz	short loc_8768E5
		xor	eax, eax
		xor	esi, esi
		jmp	loc_87670A
; 

loc_8768AD:				; CODE XREF: IopQueryDeviceResources+26Aj
					; IopQueryDeviceResources+270j
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_18]
		push	eax
		mov	edx, esi
		call	PnpMergeFilteredResourceRequirementsList
		mov	edi, eax
		test	esi, esi
		jz	short loc_8768C9
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8768C9:				; CODE XREF: IopQueryDeviceResources+2B9j
		cmp	[ebp+var_8], 0
		jz	short loc_8768D9
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8768D9:				; CODE XREF: IopQueryDeviceResources+2C7j
		test	edi, edi
		js	short loc_8768ED
		mov	esi, [ebp+var_18]
		jmp	loc_876729
; 

loc_8768E5:				; CODE XREF: IopQueryDeviceResources+FAj
					; IopQueryDeviceResources+29Cj
		mov	esi, [ebp+var_4]
		jmp	loc_87670A
; 

loc_8768ED:				; CODE XREF: IopQueryDeviceResources+2D5j
		mov	eax, edi
		jmp	loc_876696
IopQueryDeviceResources	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpGetDeviceResourcesFromRegistry proc near ; CODE XREF: IopQueryDeviceResources+A0p
					; IopQueryDeviceResources+BFp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E3410 SIZE 000000E2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	[ebx], ecx
		mov	esi, ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		mov	[eax], ecx
		test	edx, edx
		jnz	short loc_876996
		test	[ebp+arg_0], 1
		jnz	loc_8E3410

loc_876922:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+6CB72j
		test	[ebp+arg_0], 2
		mov	eax, ecx
		mov	[ebp+var_4], eax
		jnz	loc_8769F5

loc_876931:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+14Cj
		test	[ebp+arg_0], 4
		jz	short loc_876983
		test	eax, eax
		jnz	short loc_87696F
		test	edi, edi
		jz	loc_8E346B
		mov	eax, [edi+0B0h]
		mov	edx, [eax+14h]

loc_87694C:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+6CB79j
		mov	edx, [edx+18h]
		lea	eax, [ebp+var_4]
		push	ecx
		push	eax
		push	ecx
		push	20019h
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	14h
		call	_CmOpenDeviceRegKey
		test	eax, eax
		js	short loc_87698F
		mov	eax, [ebp+var_4]

loc_87696F:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+45j
		mov	ecx, [ebp+arg_8]
		push	ecx
		push	ebx
		push	4
		pop	edx
		mov	ecx, eax
		call	PnpReadDeviceConfiguration
		mov	esi, eax
		mov	eax, [ebp+var_4]

loc_876983:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+41j
		test	eax, eax
		jz	short loc_87698D
		push	eax

loc_876988:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+FFj
		call	_ZwClose@4	; ZwClose(x)

loc_87698D:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+91j
					; PnpGetDeviceResourcesFromRegistry+D3j ...
		mov	eax, esi

loc_87698F:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+76j
					; PnpGetDeviceResourcesFromRegistry+12Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_876996:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+22j
		test	edi, edi
		jz	loc_8E3472
		mov	eax, [edi+0B0h]
		mov	edx, [eax+14h]

loc_8769A7:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+6CB80j
		mov	edx, [edx+18h]
		lea	eax, [ebp+var_4]
		push	ecx
		push	eax
		push	ecx
		push	20019h
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	14h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_87698D
		test	[ebp+arg_0], 1
		jz	loc_8E3479
		mov	edx, offset ??_C@_1CK@JHJFKBFG@?$AAO?$AAv?$AAe?$AAr?$AAr?$AAi?$AAd?$AAe?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAV@NNGAKEGL@

loc_8769D8:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+6CB94j
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		call	IopGetRegistryValue
		mov	esi, eax
		test	esi, esi
		jns	loc_8E348D

loc_8769F0:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+145j
					; PnpGetDeviceResourcesFromRegistry+6CB89j ...
		push	[ebp+var_4]
		jmp	short loc_876988
; 

loc_8769F5:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+37j
		test	edi, edi
		jz	short loc_876A45
		mov	eax, [edi+0B0h]
		mov	edx, [eax+14h]

loc_876A02:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+153j
		mov	edx, [edx+18h]
		lea	eax, [ebp+var_4]
		push	ecx
		push	eax
		push	ecx
		push	20019h
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	14h
		call	_CmOpenDeviceRegKey
		test	eax, eax
		js	loc_87698F
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_4]
		push	ebx
		push	2
		pop	edx
		call	PnpReadDeviceConfiguration
		mov	esi, eax
		test	esi, esi
		jns	short loc_8769F0
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		jmp	loc_876931
; 

loc_876A45:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+103j
		mov	edx, ecx
		jmp	short loc_876A02
PnpGetDeviceResourcesFromRegistry endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDetermineResourceListSize(x)
_PnpDetermineResourceListSize@4	proc near ; CODE XREF: IoGetDeviceProperty+227p
					; IoGetDeviceProperty+236p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		test	ecx, ecx
		jz	short loc_876A9E
		push	edi
		mov	edi, [ecx]
		lea	edx, [ecx+4]
		push	4
		pop	eax
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_876A9B
		push	ebx
		push	esi

loc_876A67:				; CODE XREF: PnpDetermineResourceListSize(x)+4Dj
		mov	ecx, [edx+0Ch]
		lea	ebx, [edx+10h]
		mov	[ebp+var_8], ecx
		push	10h
		pop	esi
		test	ecx, ecx
		jz	short loc_876A8D
		mov	eax, ecx

loc_876A79:				; CODE XREF: PnpDetermineResourceListSize(x)+3Ej
		cmp	byte ptr [ebx],	5
		push	10h
		pop	ecx
		jz	short loc_876AA2

loc_876A81:				; CODE XREF: PnpDetermineResourceListSize(x)+5Ej
		add	esi, ecx
		add	ebx, ecx
		sub	eax, 1
		jnz	short loc_876A79
		mov	eax, [ebp+var_4]

loc_876A8D:				; CODE XREF: PnpDetermineResourceListSize(x)+2Bj
		add	eax, esi
		add	edx, esi
		mov	[ebp+var_4], eax
		sub	edi, 1
		jnz	short loc_876A67
		pop	esi
		pop	ebx

loc_876A9B:				; CODE XREF: PnpDetermineResourceListSize(x)+19j
		pop	edi
		leave
		retn
; 

loc_876A9E:				; CODE XREF: PnpDetermineResourceListSize(x)+9j
		xor	eax, eax
		leave
		retn
; 

loc_876AA2:				; CODE XREF: PnpDetermineResourceListSize(x)+35j
		mov	ecx, [ebx+4]
		add	ecx, 10h
		jmp	short loc_876A81
_PnpDetermineResourceListSize@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpInitializeSessionId proc near	; CODE XREF: PiProcessNewDeviceNode+88Fp

var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008E34F2 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		or	esi, 0FFFFFFFFh
		mov	ebx, edx
		mov	[ebp+var_4], esi
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_876ADB
		mov	ecx, [eax+10h]
		mov	eax, [ecx+0B0h]
		test	dword ptr [eax+10h], 400h
		jnz	loc_8E34F2

loc_876ADB:				; CODE XREF: PnpInitializeSessionId+19j
					; PnpInitializeSessionId+6CA52j
		mov	al, [ebp+arg_0]
		test	al, al
		jnz	short loc_876B20

loc_876AE2:				; CODE XREF: PnpInitializeSessionId+7Bj
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 20000h
		cmp	esi, 0FFFFFFFFh
		jnz	loc_8E3501
		xor	ecx, ecx
		xor	edx, edx
		xor	esi, esi

loc_876AFD:				; CODE XREF: PnpInitializeSessionId+6CA60j
		push	eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	edx
		mov	edx, [edi+18h]
		push	esi
		push	offset _DEVPKEY_Device_SessionId
		push	0
		push	ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_876B19:				; CODE XREF: PnpInitializeSessionId+79j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_876B20:				; CODE XREF: PnpInitializeSessionId+36j
		cmp	esi, 0FFFFFFFFh
		jz	short loc_876B19
		jmp	short loc_876AE2
PnpInitializeSessionId endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpIsDeviceInstanceEnabled proc	near	; CODE XREF: PiProcessNewDeviceNode+870p
					; IopInitializeDeviceInstanceKey+229p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E350F SIZE 0000008C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ecx
		mov	eax, edx
		mov	[ebp+var_4], esi
		push	edi
		mov	ebx, esi
		mov	[ebp+var_14], eax
		xor	edi, edi
		mov	[ebp+var_10], esi
		mov	edx, 55706E50h
		mov	[ebp+var_18], esi
		mov	ecx, eax
		mov	[ebp+var_1C], esi
		mov	[ebp+var_C], ebx
		inc	edi
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	short loc_876B6D
		mov	eax, [eax+0B0h]
		mov	esi, [eax+14h]

loc_876B6D:				; CODE XREF: PnpIsDeviceInstanceEnabled+3Aj
		test	esi, esi
		jz	short loc_876B81
		test	dword ptr [esi+10Ch], 2000h
		jnz	loc_8E350F

loc_876B81:				; CODE XREF: PnpIsDeviceInstanceEnabled+47j
					; PnpIsDeviceInstanceEnabled+6C9F9j
		push	[ebp+var_14]
		xor	edx, edx
		lea	ecx, [ebp+var_C]
		call	PnpUnicodeStringToWstr
		mov	ebx, [ebp+var_C]
		test	eax, eax
		js	loc_876C29
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	loc_8E352C

loc_876BA4:				; CODE XREF: PnpIsDeviceInstanceEnabled+6CA2Fj
		push	0
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_10], 4
		push	ecx
		lea	ecx, [ebp+var_4]
		mov	edx, ebx
		push	ecx
		lea	ecx, [ebp+var_18]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	0Bh
		push	eax
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_876BD9
		cmp	[ebp+var_18], 4
		jnz	short loc_876C2D
		cmp	[ebp+var_10], 4
		jnz	short loc_876C2D

loc_876BD9:				; CODE XREF: PnpIsDeviceInstanceEnabled+A3j
		mov	eax, [ebp+var_4]

loc_876BDC:				; CODE XREF: PnpIsDeviceInstanceEnabled+10Aj
		test	al, 1
		jnz	short loc_876C34
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_4]
		push	eax
		call	PnpGetDeviceInstanceCsConfigFlags
		mov	eax, [ebp+var_4]

loc_876BEF:				; CODE XREF: PnpIsDeviceInstanceEnabled+111j
		test	al, 7
		jnz	loc_8E355C

loc_876BF7:				; CODE XREF: PnpIsDeviceInstanceEnabled+103j
					; PnpIsDeviceInstanceEnabled+6CA39j ...
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	short loc_876C08
		mov	edx, 55706E50h
		call	ObfDereferenceObjectWithTag

loc_876C08:				; CODE XREF: PnpIsDeviceInstanceEnabled+D4j
		cmp	[ebp+var_1C], 0
		jnz	loc_8E358E

loc_876C12:				; CODE XREF: PnpIsDeviceInstanceEnabled+6CA6Ej
		test	ebx, ebx
		jz	short loc_876C20
		mov	edx, [ebp+var_14]
		mov	ecx, ebx
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)

loc_876C20:				; CODE XREF: PnpIsDeviceInstanceEnabled+ECj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_876C29:				; CODE XREF: PnpIsDeviceInstanceEnabled+6Bj
					; PnpIsDeviceInstanceEnabled+6C9F0j ...
		xor	edi, edi
		jmp	short loc_876BF7
; 

loc_876C2D:				; CODE XREF: PnpIsDeviceInstanceEnabled+A9j
					; PnpIsDeviceInstanceEnabled+AFj
		xor	eax, eax
		mov	[ebp+var_4], eax
		jmp	short loc_876BDC
; 

loc_876C34:				; CODE XREF: PnpIsDeviceInstanceEnabled+B6j
		mov	eax, edi
		mov	[ebp+var_4], eax
		jmp	short loc_876BEF
PnpIsDeviceInstanceEnabled endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpGetDeviceInstanceCsConfigFlags proc near ; CODE XREF: PnpIsDeviceInstanceEnabled+BFp
					; PiCMCreateDevice(x,x,x,x,x,x)+413p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E359B SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		xor	esi, esi
		lea	ecx, [ebp+var_4]
		push	ebx
		xor	edx, edx
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], esi
		mov	[edi], esi
		call	PnpUnicodeStringToWstr
		test	eax, eax
		js	short loc_876C9D
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	eax
		push	esi
		push	20019h
		push	esi
		push	210h
		call	_CmOpenDeviceRegKey
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		mov	esi, eax
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		test	esi, esi
		jns	loc_8E359B

loc_876C9B:				; CODE XREF: PnpGetDeviceInstanceCsConfigFlags+6C97Ej
					; PnpGetDeviceInstanceCsConfigFlags+6C9A3j
		mov	eax, esi

loc_876C9D:				; CODE XREF: PnpGetDeviceInstanceCsConfigFlags+2Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PnpGetDeviceInstanceCsConfigFlags endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiQueryResourceRequirements proc near	; CODE XREF: PiProcessNewDeviceNode+852p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E35E4 SIZE 00000054 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	edx, [ebp+var_8]
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], ebx
		mov	ecx, [edi+10h]
		mov	[ebp+var_14], ebx
		mov	byte ptr [ebp+var_C], bl
		mov	[ebp+var_4], ebx
		call	_PpIrpQueryResourceRequirements@8 ; PpIrpQueryResourceRequirements(x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jns	short loc_876D42
		mov	esi, ebx
		mov	[ebp+var_8], esi

loc_876CD9:				; CODE XREF: PiQueryResourceRequirements+A1j
		test	esi, esi
		jnz	short loc_876D47

loc_876CDD:				; CODE XREF: PiQueryResourceRequirements+A5j
		mov	eax, [edi+10Ch]
		and	eax, 2000h
		jnz	loc_8E35E4

loc_876CEE:				; CODE XREF: PiQueryResourceRequirements+6C94Dj
		test	eax, eax
		jnz	loc_8E35F6

loc_876CF6:				; CODE XREF: PiQueryResourceRequirements+6C961j
					; PiQueryResourceRequirements+6C974j
		test	esi, esi
		jnz	short loc_876D4B

loc_876CFA:				; CODE XREF: PiQueryResourceRequirements+ABj
		mov	edx, [edi+18h]
		lea	eax, [ebp+var_4]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		push	[ebp+var_C]
		push	0F003Fh
		push	0
		push	14h
		call	_CmOpenDeviceRegKey
		test	eax, eax
		jns	short loc_876D22
		and	[ebp+var_4], 0

loc_876D22:				; CODE XREF: PiQueryResourceRequirements+78j
		cmp	[ebp+var_4], 0
		jnz	short loc_876D51

loc_876D28:				; CODE XREF: PiQueryResourceRequirements+13Bj
					; PiQueryResourceRequirements+6C947j ...
		test	esi, esi
		jnz	loc_8E362B

loc_876D30:				; CODE XREF: PiQueryResourceRequirements+6C98Fj
		cmp	[ebp+var_4], 0
		jnz	loc_876DE4

loc_876D3A:				; CODE XREF: PiQueryResourceRequirements+148j
		mov	eax, [ebp+var_10]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_876D42:				; CODE XREF: PiQueryResourceRequirements+2Ej
		mov	esi, [ebp+var_8]
		jmp	short loc_876CD9
; 

loc_876D47:				; CODE XREF: PiQueryResourceRequirements+37j
		mov	ebx, [esi]
		jmp	short loc_876CDD
; 

loc_876D4B:				; CODE XREF: PiQueryResourceRequirements+54j
		mov	byte ptr [ebp+var_C], 1
		jmp	short loc_876CFA
; 

loc_876D51:				; CODE XREF: PiQueryResourceRequirements+82j
		push	24h
		pop	eax
		mov	word ptr [ebp+var_18+2], ax
		push	22h
		pop	eax
		mov	word ptr [ebp+var_18], ax
		mov	eax, large fs:124h
		mov	[ebp+var_14], offset ??_C@_1CE@CAEIBNIA@?$AAB?$AAa?$AAs?$AAi?$AAc?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAV?$AAe?$AAc?$AAt@NNGAKEGL@ ;	"B"
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceSharedLite
		mov	esi, [ebp+var_8]
		lea	eax, [ebp+var_18]
		test	esi, esi
		jz	loc_8E361D
		push	ebx
		push	esi
		push	0Ah
		push	0
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	ebx, offset _PiResourceListLock
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	ecx, ebx
		mov	[edi+128h], esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	edx, 200h
		mov	ecx, edi
		call	PipSetDevNodeFlags
		and	[ebp+var_8], 0

loc_876DC6:				; CODE XREF: PiQueryResourceRequirements+6C982j
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, [ebp+var_8]
		jmp	loc_876D28
; 

loc_876DE4:				; CODE XREF: PiQueryResourceRequirements+90j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_876D3A
PiQueryResourceRequirements endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpIrpQueryResourceRequirements(x, x)
_PpIrpQueryResourceRequirements@8 proc near ; CODE XREF: IopQueryDeviceResources+F0p
					; PiQueryResourceRequirements+24p

var_24		= dword	ptr -24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	9
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		pop	ecx
		mov	ebx, edx
		xor	eax, eax
		rep stosd
		and	dword ptr [ebx], 0
		lea	edx, [ebp+var_24]
		push	ebx
		push	eax
		mov	edi, 0C00000BBh
		mov	word ptr [ebp+var_24], 0B1Bh
		push	edi
		mov	ecx, esi
		call	IopSynchronousCall
		test	eax, eax
		js	short loc_876E36
		cmp	dword ptr [ebx], 0
		jnz	short loc_876E31
		mov	eax, edi

loc_876E31:				; CODE XREF: PpIrpQueryResourceRequirements(x,x)+3Bj
					; PpIrpQueryResourceRequirements(x,x)+47j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_876E36:				; CODE XREF: PpIrpQueryResourceRequirements(x,x)+36j
		and	dword ptr [ebx], 0
		jmp	short loc_876E31
_PpIrpQueryResourceRequirements@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpDevCfgProcessDeviceOperations	proc near ; CODE XREF: PiProcessNewDeviceNode+848p
					; IopInitializeDeviceInstanceKey+204p

var_5C		= dword	ptr -5Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E3638 SIZE 000000D3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], edx
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_8], esi
		push	9
		xor	eax, eax
		mov	[ebp+var_20], esi
		pop	ecx
		lea	edi, [ebp+var_5C]
		mov	[ebp+var_1C], esi
		rep stosd
		mov	[ebp+var_4], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		cmp	[ebx+18h], esi
		jz	short loc_876EDF
		push	2Ah
		pop	eax
		push	28h
		mov	word ptr [ebp+var_20+2], ax
		pop	eax
		mov	word ptr [ebp+var_20], ax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_1C], offset ??_C@_1CK@LLHOGJK@?$AAP?$AAe?$AAn?$AAd?$AAi?$AAn?$AAg?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr@NNGAKEGL@ ; "PendingConfiguration"
		push	eax
		mov	[ebp+var_38], 18h
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], 240h
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000034h
		jnz	loc_8E3638
		mov	edi, esi

loc_876EC6:				; CODE XREF: PpDevCfgProcessDeviceOperations+6C7FEj
					; PpDevCfgProcessDeviceOperations+6C817j ...
		cmp	[ebp+var_8], 0
		jnz	loc_8E36FE

loc_876ED0:				; CODE XREF: PpDevCfgProcessDeviceOperations+A8j
					; PpDevCfgProcessDeviceOperations+6C8CAj
		lea	ecx, [ebp+var_5C]
		call	PiDevCfgFreeDeviceContext
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_876EDF:				; CODE XREF: PpDevCfgProcessDeviceOperations+34j
		mov	edi, 0C0000010h
		jmp	short loc_876ED0
PpDevCfgProcessDeviceOperations	endp


;  S U B	R O U T	I N E 


PiDevCfgFreeDeviceContext proc near	; CODE XREF: PpDevCfgProcessDeviceOperations+97p
					; PiDevCfgProcessDeviceCallback+DDp ...

; FUNCTION CHUNK AT 008E370B SIZE 00000016 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		cmp	dword ptr [esi], 0
		jl	loc_8E370B

loc_876EF5:				; CODE XREF: PiDevCfgFreeDeviceContext+6C82Aj
					; PiDevCfgFreeDeviceContext+6C836j
		push	3
		add	esi, 0Ch
		pop	edi

loc_876EFB:				; CODE XREF: PiDevCfgFreeDeviceContext+21j
		push	esi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		add	esi, 8
		sub	edi, 1
		jnz	short loc_876EFB
		pop	edi
		pop	esi
		retn
PiDevCfgFreeDeviceContext endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpQueryBusInformation(x)
_PnpQueryBusInformation@4 proc near	; CODE XREF: PiProcessNewDeviceNode+809p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	edx, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, [edi+10h]
		call	_PpIrpQueryBusInformation@8 ; PpIrpQueryBusInformation(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_876F5E
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	PnpBusTypeGuidGetIndex
		mov	[edi+13Ch], ax
		mov	eax, [esi+10h]
		push	0
		mov	[edi+134h], eax
		mov	eax, [esi+14h]
		push	esi
		mov	[edi+138h], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_876F57:				; CODE XREF: PnpQueryBusInformation(x)+6Fj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_876F5E:				; CODE XREF: PnpQueryBusInformation(x)+1Ej
		or	dword ptr [edi+134h], 0FFFFFFFFh
		mov	eax, 0FFFFh
		mov	[edi+13Ch], ax
		mov	dword ptr [edi+138h], 0FFFFFFF0h
		jmp	short loc_876F57
_PnpQueryBusInformation@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpIrpQueryBusInformation(x,	x)
_PpIrpQueryBusInformation@8 proc near	; CODE XREF: PnpQueryBusInformation(x)+15p

var_24		= dword	ptr -24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	9
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		pop	ecx
		mov	ebx, edx
		xor	eax, eax
		push	ebx
		rep stosd
		and	dword ptr [ebx], 0
		lea	edx, [ebp+var_24]
		push	eax
		push	0C00000BBh
		mov	ecx, esi
		mov	word ptr [ebp+var_24], 151Bh
		call	IopSynchronousCall
		test	eax, eax
		js	short loc_876FBA

loc_876FB5:				; CODE XREF: PpIrpQueryBusInformation(x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_876FBA:				; CODE XREF: PpIrpQueryBusInformation(x,x)+35j
		and	dword ptr [ebx], 0
		jmp	short loc_876FB5
_PpIrpQueryBusInformation@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiQueryRemovableDeviceOverride proc near ; CODE	XREF: PiProcessNewDeviceNode+589p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E3721 SIZE 0000020C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_58], ecx
		mov	ecx, ebx
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, 0C0000034h
		mov	[ebp+var_28], edx
		push	edi
		mov	[ebp+var_88], eax
		mov	[ebp+var_48], ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_24], ecx
		cmp	_PnpDeviceOverrideHashList, ecx
		jz	loc_877261
		xor	eax, eax
		mov	[ebp+var_1C], esi
		lea	edi, [ebp+var_44]
		mov	[ebp+var_60], 26h
		stosd
		mov	[ebp+var_4C], 24h
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_58]
		mov	al, [edi+1B8h]
		mov	cl, al
		test	al, 1
		jnz	loc_8E373D
		mov	ecx, [ebp+var_60]
		mov	dl, al
		mov	word ptr [ebp+var_44+2], cx
		mov	ecx, [ebp+var_4C]
		mov	word ptr [ebp+var_44], cx
		mov	cl, al
		mov	eax, [ebp+var_28]
		mov	[ebp+var_40], offset ??_C@_1CG@LEOIEOED@?$AAC?$AAh?$AAi?$AAl?$AAd?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAP?$AAa@NNGAKEGL@ ;	"ChildLocationPaths"
		test	eax, eax
		jz	short loc_877084
		push	ecx
		lea	ecx, [ebp+var_44]
		push	ecx
		mov	ecx, eax
		call	PipFindDeviceOverrideEntry
		mov	cl, [edi+1B8h]
		mov	[ebp+var_1C], eax
		mov	dl, cl

loc_877084:				; CODE XREF: PiQueryRemovableDeviceOverride+ABj
		mov	al, dl
		cmp	[ebp+var_1C], ebx
		jge	loc_8E3721
		mov	edx, [ebp+var_5C]
		test	edx, edx
		jz	short loc_8770AD
		push	ecx
		lea	eax, [ebp+var_44]
		mov	ecx, edx
		push	eax
		call	PipFindDeviceOverrideEntry
		mov	[ebp+var_1C], eax
		mov	al, [edi+1B8h]
		mov	cl, al

loc_8770AD:				; CODE XREF: PiQueryRemovableDeviceOverride+D4j
		cmp	[ebp+var_1C], ebx
		jge	loc_8E3721

loc_8770B6:				; CODE XREF: PiQueryRemovableDeviceOverride+6C778j
		mov	edx, [ebp+var_28]
		test	al, 1
		jnz	loc_8E373D

loc_8770C1:				; CODE XREF: PiQueryRemovableDeviceOverride+6C785j
		mov	[ebp+var_40], offset ??_C@_1BM@NDODFCEE@?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAP?$AAa?$AAt?$AAh?$AAs@NNGAKEGL@ ; "LocationPaths"
		push	1Ch
		pop	edi
		mov	word ptr [ebp+var_44+2], di
		push	1Ah
		pop	edi
		mov	word ptr [ebp+var_44], di
		mov	edi, [ebp+var_58]
		test	edx, edx
		jz	short loc_8770F3
		push	ecx
		lea	eax, [ebp+var_44]
		mov	ecx, edx
		push	eax
		call	PipFindDeviceOverrideEntry
		mov	esi, eax
		mov	al, [edi+1B8h]
		mov	cl, al

loc_8770F3:				; CODE XREF: PiQueryRemovableDeviceOverride+11Bj
		test	esi, esi
		jns	loc_8E374A
		mov	edx, [ebp+var_5C]
		test	edx, edx
		jz	short loc_877118
		push	ecx
		lea	eax, [ebp+var_44]
		mov	ecx, edx
		push	eax
		call	PipFindDeviceOverrideEntry
		mov	esi, eax
		mov	al, [edi+1B8h]
		mov	cl, al

loc_877118:				; CODE XREF: PiQueryRemovableDeviceOverride+140j
		test	esi, esi
		jns	loc_8E374A

loc_877120:				; CODE XREF: PiQueryRemovableDeviceOverride+6C77Fj
					; PiQueryRemovableDeviceOverride+6C78Ej
		or	al, 1
		mov	[edi+1B8h], al
		push	2
		pop	ecx
		test	esi, esi
		jns	loc_8E37D5
		mov	ecx, [edi+8]
		mov	al, [ecx+1B8h]
		and	al, 5
		cmp	al, 1
		jz	loc_87725D
		mov	eax, [ebp+var_60]
		lea	edx, [ebp+var_48]
		mov	word ptr [ebp+var_44+2], ax
		mov	eax, [ebp+var_4C]
		mov	word ptr [ebp+var_44], ax
		mov	[ebp+var_40], offset ??_C@_1CG@LEOIEOED@?$AAC?$AAh?$AAi?$AAl?$AAd?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAP?$AAa@NNGAKEGL@ ;	"ChildLocationPaths"
		mov	ecx, [ecx+10h]
		push	20019h
		call	_PnpDeviceObjectToDeviceInstance@12 ; PnpDeviceObjectToDeviceInstance(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_877261
		mov	eax, 100h
		mov	[ebp+var_64], 2
		mov	edx, ebx
		mov	[ebp+var_60], 3
		mov	[ebp+var_20], eax
		mov	ecx, ebx
		mov	[ebp+var_28], edx

loc_877192:				; CODE XREF: PiQueryRemovableDeviceOverride+267j
		mov	esi, ebx
		test	ecx, ecx
		jnz	short loc_8771B8
		push	6E697050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, [ebp+var_28]
		mov	ecx, eax
		mov	eax, [ebp+var_20]
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	loc_8E3753

loc_8771B8:				; CODE XREF: PiQueryRemovableDeviceOverride+1D6j
					; PiQueryRemovableDeviceOverride+6C798j
		mov	[ebp+var_1C], eax
		test	esi, esi
		js	short loc_877216
		mov	eax, [ebp+edx*4+var_64]
		lea	edx, [ebp+var_20]
		push	ebx
		push	edx
		mov	edx, [edi+8]
		push	ecx
		lea	ecx, [ebp+var_50]
		mov	[ebp+var_4C], eax
		push	ecx
		mov	edx, [edx+18h]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	[ebp+var_48]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_8E375D

loc_8771F3:				; CODE XREF: PiQueryRemovableDeviceOverride+6C7F5j
		test	esi, esi
		js	short loc_877210
		cmp	[ebp+var_50], 7
		jnz	loc_8E37BA
		push	ecx
		mov	ecx, [ebp+var_24]
		lea	eax, [ebp+var_44]
		push	eax
		call	PipFindDeviceOverrideEntry
		mov	esi, eax

loc_877210:				; CODE XREF: PiQueryRemovableDeviceOverride+235j
					; PiQueryRemovableDeviceOverride+6C7FFj
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_24]

loc_877216:				; CODE XREF: PiQueryRemovableDeviceOverride+1FDj
					; PiQueryRemovableDeviceOverride+6C7CCj
		mov	[ebp+var_20], eax
		test	esi, esi
		jns	short loc_87722D
		mov	edx, [ebp+var_28]
		inc	edx
		mov	[ebp+var_28], edx
		cmp	edx, 2
		jb	loc_877192

loc_87722D:				; CODE XREF: PiQueryRemovableDeviceOverride+25Bj
		test	ecx, ecx
		jz	short loc_877238
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_877238:				; CODE XREF: PiQueryRemovableDeviceOverride+26Fj
		push	[ebp+var_48]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [edi+8]
		mov	cl, [eax+1B8h]
		test	cl, 1
		jnz	short loc_87725D
		test	esi, esi
		jns	loc_8E37C4

loc_877256:				; CODE XREF: PiQueryRemovableDeviceOverride+6C810j
		or	byte ptr [eax+1B8h], 1

loc_87725D:				; CODE XREF: PiQueryRemovableDeviceOverride+180j
					; PiQueryRemovableDeviceOverride+28Cj
		test	esi, esi
		jns	short loc_877274

loc_877261:				; CODE XREF: PiQueryRemovableDeviceOverride+5Aj
					; PiQueryRemovableDeviceOverride+1AFj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_877274:				; CODE XREF: PiQueryRemovableDeviceOverride+29Fj
		push	2
		pop	ecx
		jmp	loc_8E37D5
PiQueryRemovableDeviceOverride endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipFindDeviceOverrideEntry proc	near	; CODE XREF: PiQueryRemovableDeviceOverride+B4p
					; PiQueryRemovableDeviceOverride+DDp ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E392D SIZE 000000E7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		cmp	[edi], bx
		jz	loc_8773CE
		mov	esi, ebx

loc_8772AE:				; CODE XREF: PipFindDeviceOverrideEntry+4Dj
		lea	edx, [ecx+2]

loc_8772B1:				; CODE XREF: PipFindDeviceOverrideEntry+3Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_8772B1
		sub	ecx, edx
		sar	ecx, 1
		inc	ecx
		add	esi, ecx
		lea	ecx, [edi+esi*2]
		cmp	[ecx], bx
		jnz	short loc_8772AE
		inc	esi
		push	6E697050h
		lea	eax, [esi+esi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8E392D
		lea	eax, [esi+esi]
		push	eax		; size_t
		push	edi		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_1C], ebx
		lea	eax, [esi+esi]
		lea	edx, [ebp+var_20]
		mov	word ptr [ebp+var_20], ax
		mov	ecx, edx
		mov	word ptr [ebp+var_20+2], ax
		call	_IopReplaceSeperatorWithPound@8	; IopReplaceSeperatorWithPound(x,x)
		xor	edi, edi
		mov	[ebp+var_10], ebx
		mov	esi, 0C0000034h
		mov	edx, ebx
		cmp	[ebx], di
		jz	short loc_877390

loc_87731D:				; CODE XREF: PipFindDeviceOverrideEntry+10Aj
		push	edx
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		push	eax
		push	edi
		push	1
		lea	eax, [ebp+var_28]
		push	eax
		call	RtlHashUnicodeString
		test	eax, eax
		js	loc_8E3939
		mov	eax, [ebp+var_C]

loc_877342:				; CODE XREF: PipFindDeviceOverrideEntry+6C6C2j
		xor	edx, edx
		mov	esi, 0C0000034h
		div	_PnpDeviceOverrideHashListSize
		mov	eax, _PnpDeviceOverrideHashList
		lea	eax, [eax+edx*8]
		mov	edi, [eax]
		mov	[ebp+var_14], eax
		cmp	edi, eax
		jnz	short loc_8773AE

loc_877360:				; CODE XREF: PipFindDeviceOverrideEntry+14Ej
					; PipFindDeviceOverrideEntry+6C753j ...
		mov	edx, [ebp+var_10]
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_877368:				; CODE XREF: PipFindDeviceOverrideEntry+F6j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_18]
		jnz	short loc_877368
		sub	ecx, edi
		xor	edi, edi
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2
		mov	[ebp+var_10], edx
		cmp	[edx], di
		jnz	short loc_87731D

loc_877388:				; CODE XREF: PipFindDeviceOverrideEntry+6C766j
		test	esi, esi
		jns	loc_8E39FA

loc_877390:				; CODE XREF: PipFindDeviceOverrideEntry+9Fj
					; PipFindDeviceOverrideEntry+6C6B8j ...
		cmp	[ebp+var_4], 0
		jnz	loc_8E3A07

loc_87739A:				; CODE XREF: PipFindDeviceOverrideEntry+6C793j
		test	ebx, ebx
		jz	short loc_8773A5
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8773A5:				; CODE XREF: PipFindDeviceOverrideEntry+120j
					; PipFindDeviceOverrideEntry+157j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8773AE:				; CODE XREF: PipFindDeviceOverrideEntry+E2j
					; PipFindDeviceOverrideEntry+150j
		push	1
		lea	eax, [edi+8]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_8E3943
		mov	edi, [edi]
		cmp	edi, [ebp+var_14]
		jz	short loc_877360
		jmp	short loc_8773AE
; 

loc_8773CE:				; CODE XREF: PipFindDeviceOverrideEntry+2Aj
		mov	esi, 0C0000034h
		jmp	short loc_8773A5
PipFindDeviceOverrideEntry endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopReplaceSeperatorWithPound(x, x)
_IopReplaceSeperatorWithPound@8	proc near ; CODE XREF: PipFindDeviceOverrideEntry+8Bp
					; PiDevCfgConfigureDeviceLocation(x,x,x,x)+170p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		movzx	esi, word ptr [edx]
		cmp	si, [ecx+2]
		ja	short loc_877437
		mov	eax, [ecx+4]
		mov	[ebp+var_4], eax
		mov	ax, si
		push	ebx
		mov	ebx, [edx+4]
		shr	ax, 1
		push	edi
		movzx	edi, ax
		mov	eax, esi
		test	di, di
		jz	short loc_877428
		mov	esi, [ebp+var_4]

loc_877404:				; CODE XREF: IopReplaceSeperatorWithPound(x,x)+4Dj
		movzx	eax, word ptr [ebx]
		add	edi, 0FFFFh
		cmp	eax, 5Ch
		jz	short loc_877432
		cmp	eax, 2Fh
		jz	short loc_877432

loc_877417:				; CODE XREF: IopReplaceSeperatorWithPound(x,x)+5Fj
		mov	[esi], ax
		add	ebx, 2
		add	esi, 2
		test	di, di
		jnz	short loc_877404
		movzx	eax, word ptr [edx]

loc_877428:				; CODE XREF: IopReplaceSeperatorWithPound(x,x)+29j
		pop	edi
		mov	[ecx], ax
		xor	eax, eax
		pop	ebx

loc_87742F:				; CODE XREF: IopReplaceSeperatorWithPound(x,x)+66j
		pop	esi
		leave
		retn
; 

loc_877432:				; CODE XREF: IopReplaceSeperatorWithPound(x,x)+3Aj
					; IopReplaceSeperatorWithPound(x,x)+3Fj
		push	23h
		pop	eax
		jmp	short loc_877417
; 

loc_877437:				; CODE XREF: IopReplaceSeperatorWithPound(x,x)+Ej
		mov	eax, 0C0000023h
		jmp	short loc_87742F
_IopReplaceSeperatorWithPound@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpGenerateDeviceIdsHash(x,	x, x)
_PnpGenerateDeviceIdsHash@12 proc near	; CODE XREF: PipProcessStartPhase3+14Dp
					; PiProcessNewDeviceNode+552p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_20], edx
		push	esi
		mov	edx, ebx
		mov	[ebp+var_10], ebx
		push	edi
		mov	edi, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_8], ebx
		mov	[eax], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_C], edx

loc_877469:				; CODE XREF: PnpGenerateDeviceIdsHash(x,x,x)+94j
		mov	esi, [ebp+ebx*4+var_24]
		test	esi, esi
		jz	short loc_8774CA

loc_877471:				; CODE XREF: PnpGenerateDeviceIdsHash(x,x,x)+8Aj
		xor	eax, eax
		cmp	[esi], ax
		jz	short loc_8774CA
		push	esi
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8774D9
		lea	eax, [ebp+var_8]
		push	eax
		xor	eax, eax
		push	eax
		push	1
		lea	eax, [ebp+var_1C]
		push	eax
		call	RtlHashUnicodeString
		mov	edi, eax
		test	edi, edi
		js	short loc_8774D9
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		add	edx, [ebp+var_8]
		mov	[ebp+var_C], edx
		lea	eax, [ecx+2]
		mov	[ebp+var_14], eax

loc_8774B1:				; CODE XREF: PnpGenerateDeviceIdsHash(x,x,x)+7Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_10]
		jnz	short loc_8774B1
		sub	ecx, [ebp+var_14]
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		jnz	short loc_877471

loc_8774CA:				; CODE XREF: PnpGenerateDeviceIdsHash(x,x,x)+31j
					; PnpGenerateDeviceIdsHash(x,x,x)+38j
		test	edi, edi
		js	short loc_8774D9
		inc	ebx
		cmp	ebx, 2
		jb	short loc_877469
		mov	eax, [ebp+arg_0]
		mov	[eax], edx

loc_8774D9:				; CODE XREF: PnpGenerateDeviceIdsHash(x,x,x)+48j
					; PnpGenerateDeviceIdsHash(x,x,x)+60j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PnpGenerateDeviceIdsHash@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KseAddHardwareId proc near		; CODE XREF: PiProcessNewDeviceNode+52Bp

var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E3A14 SIZE 00000089 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, dword_6D4AA0
		mov	edx, ecx
		push	esi
		push	edi
		push	7
		xor	eax, eax
		mov	[ebp+var_4], edx
		cmp	dword_6D4A78, 2
		lea	edi, [ebp+var_20]
		pop	ecx
		rep stosd
		jnz	loc_8E3A14
		test	edx, edx
		jz	loc_8775A1
		push	edx
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		lea	edx, [ebp+var_20]
		mov	ecx, ebx
		call	_KsepCacheLookup@8 ; KsepCacheLookup(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_87756E
		push	1Ch
		pop	ecx
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8775A5
		mov	edx, [ebp+var_4]
		lea	ecx, [esi+14h]
		call	KsepStringDuplicate
		test	eax, eax
		js	short loc_8775A5
		mov	edx, esi
		mov	ecx, ebx
		call	KsepCacheInsert

loc_87756E:				; CODE XREF: KseAddHardwareId+64j
		xor	edi, edi

loc_877570:				; CODE XREF: KseAddHardwareId+C8j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		test	al, 2
		jnz	loc_8E3A6D

loc_87757F:				; CODE XREF: KseAddHardwareId+6C58Dj
					; KseAddHardwareId+6C59Aj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	edi, edi
		js	loc_8E3A81

loc_87759A:				; CODE XREF: KseAddHardwareId+6C5A1j
					; KseAddHardwareId+6C5B6j
		mov	eax, edi

loc_87759C:				; CODE XREF: KseAddHardwareId+C1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn			; char
; 

loc_8775A1:				; CODE XREF: KseAddHardwareId+2Fj
					; KseAddHardwareId+6C586j
		xor	eax, eax
		jmp	short loc_87759C
; 

loc_8775A5:				; CODE XREF: KseAddHardwareId+72j
					; KseAddHardwareId+81j
		mov	edi, 0C0000017h
		jmp	short loc_877570
KseAddHardwareId endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiFindDevInstMatch proc	near		; CODE XREF: PiProcessDriverInstance+70p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E3AAE SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_1C], edx
		xor	edx, edx
		mov	[ebp+var_18], ecx
		mov	[eax], dx
		mov	edx, offset ??_C@_1M@NBCIMFHI@?$AAC?$AAo?$AAu?$AAn?$AAt@NNGAKEGL@ ; "C"
		mov	[eax+4], ebx
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		or	dword ptr [eax], 0FFFFFFFFh
		mov	edi, 100h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_14], edi
		push	eax
		push	ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[esi], ebx
		call	IopGetRegistryValue
		test	eax, eax
		jns	short loc_877615
		cmp	eax, 0C0000034h
		jnz	short loc_87760E

loc_87760C:				; CODE XREF: PiFindDevInstMatch+189j
					; PiFindDevInstMatch+196j
		xor	eax, eax

loc_87760E:				; CODE XREF: PiFindDevInstMatch+5Ej
					; sub_8E3A9D+Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_877615:				; CODE XREF: PiFindDevInstMatch+57j
		mov	ecx, [ebp+var_C]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_877631
		cmp	dword ptr [ecx+0Ch], 4
		jb	short loc_877631
		mov	eax, [ecx+8]
		mov	ebx, [ecx+eax]
		mov	[ebp+var_8], ebx
		mov	[esi], ebx
		xor	ebx, ebx

loc_877631:				; CODE XREF: PiFindDevInstMatch+70j
					; PiFindDevInstMatch+76j
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	20207050h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8E3AA4
		push	20207050h
		push	14h
		pop	eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	sub_8E3A9D
		cmp	[ebp+var_8], 0
		jbe	loc_877726

loc_877673:				; CODE XREF: PiFindDevInstMatch+174j
		push	ebx		; char
		push	offset ??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@	; wchar_t *
		push	0		; int
		push	0		; int
		lea	eax, [ebp+arg_0]
		mov	[ebp+arg_0], edi
		push	eax		; int
		push	0Ah		; int
		push	edi		; void *
		call	RtlStringCchPrintfExW
		mov	eax, [ebp+arg_0]
		add	esp, 1Ch
		sub	eax, edi
		sar	eax, 1
		push	14h
		pop	ecx
		mov	word ptr [ebp+var_24+2], cx
		cmp	eax, 0FFFFFFFFh
		jz	loc_8E3AAE
		add	eax, eax
		mov	word ptr [ebp+var_24], ax

loc_8776AC:				; CODE XREF: PiFindDevInstMatch+6C506j
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], edi
		push	eax
		push	[ebp+var_14]
		lea	eax, [ebp+var_24]
		push	esi
		push	1
		push	eax
		push	[ebp+var_18]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_8E3AB7
		cmp	dword ptr [esi+4], 1
		jnz	short loc_87771C
		mov	edx, [esi+0Ch]
		cmp	edx, 2
		jbe	short loc_87771C
		and	[ebp+arg_0], 0
		lea	eax, [ebp+arg_0]
		push	ecx
		mov	ecx, [esi+8]
		push	eax
		add	ecx, esi
		call	_PnpRegSzToString@16 ; PnpRegSzToString(x,x,x,x)
		mov	ax, word ptr [ebp+arg_0]
		mov	word ptr [ebp+var_2C], ax
		mov	ax, [esi+0Ch]
		mov	word ptr [ebp+var_2C+2], ax
		mov	eax, [esi+8]
		add	eax, esi
		push	1
		push	[ebp+var_1C]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_8E3AF5

loc_87771C:				; CODE XREF: PiFindDevInstMatch+125j
					; PiFindDevInstMatch+12Dj ...
		inc	ebx
		cmp	ebx, [ebp+var_8]
		jb	loc_877673

loc_877726:				; CODE XREF: PiFindDevInstMatch+C1j
					; PiFindDevInstMatch+6C55Cj
		xor	ebx, ebx
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_4]
		cmp	[eax], bx
		jnz	loc_87760C
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_87760C
PiFindDevInstMatch endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpRegSzToString(x,	x, x, x)
_PnpRegSzToString@16 proc near		; CODE XREF: PiFindDevInstMatch+13Dp
					; PipApplyFunctionToServiceInstances+F8p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		shr	edx, 1
		mov	eax, ecx
		lea	edx, [ecx+edx*2]
		cmp	ecx, edx
		jnb	short loc_877765

loc_877758:				; CODE XREF: PnpRegSzToString(x,x,x,x)+1Bj
		cmp	word ptr [eax],	0
		jz	short loc_877765
		add	eax, 2
		cmp	eax, edx
		jb	short loc_877758

loc_877765:				; CODE XREF: PnpRegSzToString(x,x,x,x)+Ej
					; PnpRegSzToString(x,x,x,x)+14j
		sub	eax, ecx
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_877770
		mov	[ecx], eax

loc_877770:				; CODE XREF: PnpRegSzToString(x,x,x,x)+24j
		xor	eax, eax
		inc	eax
		pop	ebp
		retn	8
_PnpRegSzToString@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDevCfgProcessDeviceCallback proc near	; DATA XREF: PpDevCfgProcessDevices+35o

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E3B0D SIZE 00000151 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		push	9
		xor	eax, eax
		mov	[esp+4Ch+var_30], 1
		pop	ecx
		lea	edi, [esp+48h+var_24]
		xor	edx, edx
		rep stosd
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		mov	[esp+48h+var_38], edx
		mov	[esp+48h+var_3C], edx
		mov	[esp+48h+var_2C], edx
		test	dword ptr [edi+1C8h], 1000h
		mov	[esp+48h+var_34], edx
		jz	loc_877851
		cmp	[edi+18h], edx
		jz	loc_877851
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+48h+var_38]
		push	edx
		push	eax
		push	edx
		push	0F003Fh
		push	edx
		lea	ebx, [edi+14h]
		mov	edx, [ebx+4]
		push	10h
		mov	[esp+60h+var_28], ebx
		call	_CmOpenDeviceRegKey
		test	eax, eax
		js	short loc_877851
		mov	edx, [ebx+4]
		lea	eax, [esp+48h+var_34]
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	eax
		lea	eax, [esp+50h+var_3C]
		mov	[esp+50h+var_34], 4
		push	eax
		lea	eax, [esp+54h+var_30]
		push	eax
		push	0Bh
		push	[esp+5Ch+var_38]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_877875
		cmp	[esp+48h+var_30], 4
		jnz	short loc_877875
		cmp	[esp+48h+var_34], 4
		jnz	short loc_877875
		mov	ebx, [esp+48h+var_3C]

loc_877833:				; CODE XREF: PiDevCfgProcessDeviceCallback+103j
		test	ebx, 40000h
		jnz	loc_8E3B0D

loc_87783F:				; CODE XREF: PiDevCfgProcessDeviceCallback+6C408j
		test	bl, 2
		jnz	loc_8E3B85
		test	bl, 20h
		jnz	loc_8E3BFF

loc_877851:				; CODE XREF: PiDevCfgProcessDeviceCallback+42j
					; PiDevCfgProcessDeviceCallback+4Bj ...
		lea	ecx, [esp+48h+var_24]
		call	PiDevCfgFreeDeviceContext
		cmp	[esp+48h+var_38], 0
		jz	short loc_87786A
		push	[esp+48h+var_38]
		call	_ZwClose@4	; ZwClose(x)

loc_87786A:				; CODE XREF: PiDevCfgProcessDeviceCallback+E7j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_877875:				; CODE XREF: PiDevCfgProcessDeviceCallback+A7j
					; PiDevCfgProcessDeviceCallback+AEj ...
		xor	ebx, ebx
		mov	[esp+48h+var_3C], ebx
		jmp	short loc_877833
PiDevCfgProcessDeviceCallback endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopWriteResourceList proc near		; CODE XREF: PnpBuildCmResourceList+43Ep
					; PnpBuildCmResourceList+48Cp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E3C5E SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	ebx, 2001Fh
		push	esi
		push	1
		push	ebx
		push	edx
		mov	edx, ecx
		mov	[ebp+var_4], esi
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_8], esi
		call	IopCreateRegistryKeyEx
		mov	edi, eax
		test	edi, edi
		js	short loc_8778F1
		mov	edx, [ebp+var_4]
		lea	ecx, [ebp+var_8]
		push	esi
		push	1
		push	ebx
		push	[ebp+arg_0]
		call	IopCreateRegistryKeyEx
		push	[ebp+var_4]
		mov	edi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	edi, edi
		js	short loc_8778F1
		mov	eax, [ebp+arg_8]
		cmp	[eax], esi
		jz	loc_8E3C5E
		push	[ebp+arg_C]
		push	eax
		push	8
		push	esi
		push	[ebp+arg_4]
		mov	esi, [ebp+var_8]
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_8778E9:				; CODE XREF: IopWriteResourceList+6C3ECj
		push	esi
		mov	edi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_8778F1:				; CODE XREF: IopWriteResourceList+2Bj
					; IopWriteResourceList+4Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
IopWriteResourceList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCreateRegistryKeyEx proc near	; CODE XREF: PipOpenServiceEnumKeys+BBp
					; IopWriteResourceList+22p ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E3C6F SIZE 0000010B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_40], 18h
		xor	ecx, ecx
		mov	[ebp+var_18], eax
		push	esi
		push	edi
		mov	[eax], ecx
		mov	esi, edx
		mov	eax, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_38], eax
		inc	ebx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], ecx
		push	eax
		push	[ebp+arg_8]
		lea	eax, [ebp+var_40]
		mov	[ebp+var_C], ecx
		push	ecx
		push	ecx
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_20], ecx
		push	eax
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_3C], esi
		mov	[ebp+var_34], 240h
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000034h
		jz	loc_8E3C6F

loc_877969:				; CODE XREF: IopCreateRegistryKeyEx+6C469j
					; IopCreateRegistryKeyEx+6C47Bj
		test	edi, edi
		js	short loc_87797D
		mov	ecx, [ebp+var_18]
		mov	eax, [ebp+ebx*4+var_20]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jnz	short loc_877986

loc_87797D:				; CODE XREF: IopCreateRegistryKeyEx+71j
					; IopCreateRegistryKeyEx+91j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_877986:				; CODE XREF: IopCreateRegistryKeyEx+81j
		mov	eax, [ebp+var_10]
		mov	[ecx], eax
		jmp	short loc_87797D
IopCreateRegistryKeyEx endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepCacheLookup(x, x)
_KsepCacheLookup@8 proc	near		; CODE XREF: KseAddHardwareId+5Bp
					; KsepDbCacheQueryDevice+4Dp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		mov	esi, ecx
		push	edi
		push	eax
		mov	[ebp+var_8], eax
		call	dword ptr [esi+34h]
		xor	edx, edx
		mov	[ebp+var_4], eax
		div	dword ptr [esi+8]
		mov	ecx, [esi+0Ch]
		lea	ecx, [ecx+edx*8]
		mov	ebx, [ecx]
		cmp	ebx, ecx
		jnz	short loc_8779C1

loc_8779B7:				; CODE XREF: KsepCacheLookup(x,x)+88j
		inc	dword ptr [esi+20h]
		xor	eax, eax

loc_8779BC:				; CODE XREF: KsepCacheLookup(x,x)+77j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8779C1:				; CODE XREF: KsepCacheLookup(x,x)+27j
					; KsepCacheLookup(x,x)+8Aj
		mov	eax, [ebp+var_4]
		lea	edi, [ebx-4]
		cmp	eax, [edi]
		jnz	short loc_877A07
		push	edi
		push	[ebp+var_8]
		call	dword ptr [esi+30h]
		test	eax, eax
		jz	short loc_877A1A
		lea	ecx, [edi+0Ch]
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_877A1F
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_877A1F
		mov	[edx], eax
		mov	[eax+4], edx
		lea	eax, [esi+14h]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_877A1F
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		mov	eax, edi
		inc	dword ptr [esi+1Ch]
		jmp	short loc_8779BC
; 

loc_877A07:				; CODE XREF: KsepCacheLookup(x,x)+3Bj
					; KsepCacheLookup(x,x)+8Fj
		xor	edx, edx
		mov	ebx, [ebx]
		div	dword ptr [esi+8]
		mov	eax, [esi+0Ch]
		lea	eax, [eax+edx*8]
		cmp	ebx, eax
		jz	short loc_8779B7
		jmp	short loc_8779C1
; 

loc_877A1A:				; CODE XREF: KsepCacheLookup(x,x)+46j
		mov	eax, [ebp+var_4]
		jmp	short loc_877A07
; 

loc_877A1F:				; CODE XREF: KsepCacheLookup(x,x)+50j
					; KsepCacheLookup(x,x)+57j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_KsepCacheLookup@8 endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopFilterResourceRequirementsCall proc near ; CODE XREF: IopQueryDeviceResources+12Fp

var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E3D7A SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		xor	esi, esi
		push	ecx
		mov	ebx, edx
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		stosd
		stosd
		stosd
		call	IoGetAttachedDeviceReference
		mov	edi, eax
		push	esi
		movzx	ecx, byte ptr [edi+30h]
		push	ecx
		call	IoAllocateIrp
		mov	esi, eax
		test	esi, esi
		jz	loc_8E3D91
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_IovUtilWatermarkIrp@8 ; IovUtilWatermarkIrp(x,x)
		test	ebx, ebx
		jnz	short loc_877ADC
		mov	eax, 0C00000BBh
		mov	[ebp+var_C], eax
		mov	[esi+18h], eax

loc_877A78:				; CODE XREF: IopFilterResourceRequirementsCall+C2j
		push	0
		push	1
		lea	eax, [ebp+var_1C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		mov	[esi+28h], eax
		lea	eax, [ebp+var_1C]
		mov	[esi+2Ch], eax
		mov	eax, large fs:124h
		mov	[esi+50h], eax
		call	IopQueueThreadIrp
		mov	eax, [esi+60h]
		mov	edx, esi
		mov	ecx, edi
		mov	word ptr [eax-24h], 0D1Bh
		mov	[eax-20h], ebx
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_8E3D7A

loc_877AC4:				; CODE XREF: IopFilterResourceRequirementsCall+6C368j
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_8]
		mov	[ecx], eax

loc_877ACC:				; CODE XREF: IopFilterResourceRequirementsCall+6C372j
		mov	ecx, edi
		call	ObfDereferenceObject
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_877ADC:				; CODE XREF: IopFilterResourceRequirementsCall+47j
		and	dword ptr [esi+18h], 0
		mov	[ebp+var_8], ebx
		mov	[esi+1Ch], ebx
		jmp	short loc_877A78
IopFilterResourceRequirementsCall endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpGetResourceRequirementsForAssignTable proc near ; CODE XREF:	PnpAllocateResources+58p
					; PnpReallocateResources(x)+A2p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E3D9B SIZE 00000082 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		mov	[eax], esi
		push	edi
		cmp	ecx, edx
		jnb	loc_877BAF
		sub	edx, ecx
		lea	edi, [ecx+14h]
		push	28h
		pop	ecx
		lea	eax, [edx-1]
		xor	edx, edx
		div	ecx
		inc	eax
		mov	[ebp+var_4], eax
		mov	ecx, eax

loc_877B20:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+BFj
		test	byte ptr [edi-10h], 20h
		mov	[edi+4], esi
		jnz	short loc_877B9B
		mov	eax, [edi-14h]
		mov	[edi+8], esi
		mov	[edi+0Ch], esi
		test	eax, eax
		jz	loc_8E3D9B
		mov	eax, [eax+0B0h]
		mov	ebx, [eax+14h]

loc_877B43:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+6C2B5j
		mov	ecx, offset _PiResourceListLock
		call	ExAcquireFastMutex
		test	dword ptr [ebx+10Ch], 400h
		jnz	loc_8E3DA2

loc_877B5D:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+6C2C2j
					; PnpGetResourceRequirementsForAssignTable+6C2E8j
		mov	ecx, offset _PiResourceListLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	[edi], esi
		jnz	loc_877C16
		mov	eax, [ebx+128h]
		test	eax, eax
		jnz	short loc_877BC6

loc_877B79:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+E8j
		mov	ecx, [edi-14h]
		lea	eax, [ebp+var_C]
		push	eax
		xor	edx, edx
		push	edi
		inc	edx
		call	IopQueryDeviceResources
		test	eax, eax
		js	short loc_877B91
		cmp	[edi], esi
		jnz	short loc_877BDD

loc_877B91:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+A3j
					; PnpGetResourceRequirementsForAssignTable+14Bj ...
		mov	ecx, [ebp+var_4]
		or	dword ptr [edi-10h], 20h
		mov	[edi+10h], eax

loc_877B9B:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+3Fj
		mov	eax, [ebp+arg_0]

loc_877B9E:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+189j
		add	edi, 28h
		sub	ecx, 1
		mov	[ebp+var_4], ecx
		jnz	loc_877B20
		mov	esi, [eax]

loc_877BAF:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+1Dj
		neg	esi
		pop	edi
		sbb	esi, esi
		and	esi, 3FFFFFFFh
		lea	eax, [esi-3FFFFFFFh]
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_877BC6:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+8Fj
		test	dword ptr [ebx+10Ch], 200h
		jnz	short loc_877B79
		mov	[edi], eax
		mov	dword ptr [edi-0Ch], 4
		jmp	short loc_877C16
; 

loc_877BDD:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+A7j
		mov	ecx, offset _PiResourceListLock
		call	ExAcquireFastMutex
		mov	eax, [ebx+128h]
		test	eax, eax
		jz	short loc_877C04
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, 200h
		mov	ecx, ebx
		call	PipClearDevNodeFlags

loc_877C04:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+107j
		mov	eax, [edi]
		mov	ecx, offset _PiResourceListLock
		mov	[ebx+128h], eax
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_877C16:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+81j
					; PnpGetResourceRequirementsForAssignTable+F3j
		test	dword ptr [edi-10h], 200h
		jnz	loc_8E3DD5

loc_877C23:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+6C30Fj
					; PnpGetResourceRequirementsForAssignTable+6C31Bj
		lea	edx, [edi+4]
		lea	ecx, [edi-14h]
		call	IopResourceRequirementsListToReqList
		mov	[ebp+var_14], eax
		test	eax, eax
		js	loc_877B91
		mov	ebx, [edi+4]
		test	ebx, ebx
		jz	loc_877B91
		mov	ecx, ebx
		call	_IopRearrangeReqList@4 ; IopRearrangeReqList(x)
		cmp	[ebx+10h], esi
		jz	loc_8E3E08
		mov	ecx, [ebx+14h]
		cmp	ecx, 3
		sbb	eax, eax
		not	eax
		and	eax, ecx
		mov	ecx, [ebp+var_4]
		mov	[edi-8], eax
		mov	eax, [ebp+var_14]
		mov	[edi+10h], eax
		mov	eax, [ebp+arg_0]
		inc	dword ptr [eax]
		jmp	loc_877B9E
PnpGetResourceRequirementsForAssignTable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpBusTypeGuidGetIndex proc near	; CODE XREF: PnpQueryBusInformation(x)+25p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E3E1D SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, offset _PnpBusTypeGuidLock
		mov	[ebp+var_4], edi
		call	ExAcquireFastMutex
		xor	ebx, ebx
		cmp	ebx, _PnpBusTypeGuidCount
		jz	short loc_877CD9
		xor	esi, esi

loc_877C9A:				; CODE XREF: PnpBusTypeGuidGetIndex+47j
		mov	eax, _PnpBusTypeGuidArray
		add	eax, esi
		cmp	edi, eax
		jz	short loc_877CBF
		push	10h		; Length
		push	eax		; Source2
		push	edi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jz	short loc_877CBF
		inc	ebx
		add	esi, 10h
		cmp	ebx, _PnpBusTypeGuidCount
		jb	short loc_877C9A

loc_877CBF:				; CODE XREF: PnpBusTypeGuidGetIndex+2Dj
					; PnpBusTypeGuidGetIndex+3Bj
		cmp	ebx, _PnpBusTypeGuidCount
		jz	short loc_877CD9

loc_877CC7:				; CODE XREF: PnpBusTypeGuidGetIndex+72j
					; PnpBusTypeGuidGetIndex+93j
		mov	ecx, offset _PnpBusTypeGuidLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		pop	esi
		mov	ax, bx
		pop	ebx
		leave
		retn
; 

loc_877CD9:				; CODE XREF: PnpBusTypeGuidGetIndex+20j
					; PnpBusTypeGuidGetIndex+4Fj
		cmp	ebx, _PnpBusTypeGuidCountMax
		jz	loc_8E3E1D

loc_877CE5:				; CODE XREF: PnpBusTypeGuidGetIndex+6C1F1j
					; PnpBusTypeGuidGetIndex+6C1F9j
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_877CC7
		mov	edx, _PnpBusTypeGuidCount
		mov	edi, edx
		mov	esi, [ebp+var_4]
		shl	edi, 4
		add	edi, _PnpBusTypeGuidArray
		inc	edx
		mov	_PnpBusTypeGuidCount, edx
		movsd
		movsd
		movsd
		movsd
		jmp	short loc_877CC7
PnpBusTypeGuidGetIndex endp

; 
		align 4

;  S U B	R O U T	I N E 


KsepCacheInsert	proc near		; CODE XREF: KseAddHardwareId+87p
					; SleepstudyHelperCreateLibrary+101p

; FUNCTION CHUNK AT 008E3E74 SIZE 0000004D BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		push	edi
		call	dword ptr [esi+34h]
		xor	edx, edx
		mov	ecx, [esi+0Ch]
		mov	ebx, eax
		div	dword ptr [esi+8]
		lea	ecx, [ecx+edx*8]
		cmp	[ecx], ecx
		jnz	short loc_877D7A

loc_877D2A:				; CODE XREF: KsepCacheInsert+71j
		mov	[edi], ebx
		lea	ecx, [edi+4]
		xor	edx, edx
		mov	eax, ebx
		div	dword ptr [esi+8]
		mov	eax, [esi+0Ch]
		lea	eax, [eax+edx*8]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_877D7F
		mov	[ecx+4], eax
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	[eax], ecx
		lea	ecx, [esi+14h]
		mov	edx, [ecx+4]
		lea	eax, [edi+0Ch]
		cmp	[edx], ecx
		jnz	short loc_877D7F
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		inc	dword ptr [esi+28h]
		inc	dword ptr [esi+4]
		mov	eax, [esi+4]
		cmp	eax, [esi+10h]
		ja	loc_8E3E74

loc_877D76:				; CODE XREF: KsepCacheInsert+6C1B0j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_877D7A:				; CODE XREF: KsepCacheInsert+1Cj
		inc	dword ptr [esi+24h]
		jmp	short loc_877D2A
; 

loc_877D7F:				; CODE XREF: KsepCacheInsert+35j
					; KsepCacheInsert+4Cj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
KsepCacheInsert	endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepStringDuplicate proc near		; CODE XREF: KsepRegistryOpenKey:loc_84ED4Bp
					; KseAddHardwareId+7Ap	...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E3EC1 SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], ebx
		test	ebx, ebx
		jz	loc_8E3EC1

loc_877D9E:				; CODE XREF: KsepStringDuplicate+6C176j
					; KsepStringDuplicate+6C18Dj
		mov	ecx, ebx
		mov	[esi], edi
		mov	[esi+4], edi
		lea	edx, [ecx+2]

loc_877DA8:				; CODE XREF: KsepStringDuplicate+2Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_877DA8
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, ds:2[ecx*2]
		cmp	edi, 0FFFEh
		ja	short loc_877DF7
		mov	ecx, edi
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_877DFE
		push	edi		; size_t
		push	[ebp+var_4]	; void *
		push	ebx		; void *
		call	_memcpy
		movzx	ecx, di
		add	esp, 0Ch
		mov	[esi+4], ebx
		mov	[esi+2], cx
		lea	eax, [ecx-2]
		mov	[esi], ax
		xor	eax, eax

loc_877DF2:				; CODE XREF: KsepStringDuplicate+78j
					; KsepStringDuplicate+7Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_877DF7:				; CODE XREF: KsepStringDuplicate+40j
		mov	eax, 0C0000206h
		jmp	short loc_877DF2
; 

loc_877DFE:				; CODE XREF: KsepStringDuplicate+4Dj
		mov	eax, 0C0000017h
		jmp	short loc_877DF2
KsepStringDuplicate endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PiIommuValidateInterface(x)
_PiIommuValidateInterface@4 proc near	; CODE XREF: PiIommuGetInterface+4Cp
		xor	eax, eax
		cmp	[ecx+8], eax
		jz	short loc_877E1D
		cmp	[ecx+0Ch], eax
		jz	short loc_877E1D
		cmp	[ecx+20h], eax
		jz	short loc_877E1D
		cmp	[ecx+1Ch], eax
		jz	short loc_877E1D
		retn
; 

loc_877E1D:				; CODE XREF: PiIommuValidateInterface(x)+5j
					; PiIommuValidateInterface(x)+Aj ...
		mov	eax, 0C00000BBh
		retn
_PiIommuValidateInterface@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiIommuAllocateExtension proc near	; CODE XREF: PiDmaGuardProcessNewDeviceNode+42p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E3F16 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	64706E50h
		push	14h
		push	1
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8E3F16
		xor	eax, eax
		mov	edi, esi
		mov	edx, esi
		mov	ecx, ebx
		stosd
		stosd
		stosd
		stosd
		stosd
		call	PipIommuRetrieveDeviceId
		mov	edi, eax
		test	edi, edi
		js	loc_8E3F2A
		mov	eax, [ebx+1Ch]
		test	eax, eax
		jz	loc_8E3F20
		lea	ecx, [ebp+var_4]
		push	ecx
		push	dword ptr [ebx+4]
		call	eax
		mov	edi, eax

loc_877E81:				; CODE XREF: PiIommuAllocateExtension+6C101j
		test	edi, edi
		js	loc_8E3F2A
		mov	eax, [ebp+var_4]
		shr	eax, 1
		shl	al, 3
		xor	al, [esi+8]
		and	al, 8
		xor	[esi+8], al
		mov	al, [esi+8]
		mov	cl, byte ptr [ebp+var_4]
		shl	cl, 2
		xor	cl, al
		and	cl, 4
		xor	cl, al
		mov	[esi+8], cl
		mov	edx, [ebp+var_4]
		shr	edx, 3
		shl	dl, 5
		xor	dl, cl
		and	dl, 20h
		xor	dl, cl
		mov	[esi+8], dl
		mov	eax, [ebp+var_4]
		shr	eax, 2
		shl	al, 4
		xor	al, dl
		and	al, 10h
		xor	al, dl
		mov	[esi+8], al
		test	al, 24h
		jz	short loc_877EE0
		push	[ebp+var_4]
		mov	ecx, [ebp+var_8]
		call	_PnpTraceIommuDeviceProperties@8 ; PnpTraceIommuDeviceProperties(x,x)

loc_877EE0:				; CODE XREF: PiIommuAllocateExtension+AFj
					; PiIommuAllocateExtension+6C0F7j ...
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PiIommuAllocateExtension endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipIommuRetrieveDeviceId proc near	; CODE XREF: PiIommuAllocateExtension+38p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E3F38 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	esi
		push	edi
		xor	edi, edi
		mov	eax, [ebx+20h]
		mov	esi, edi
		mov	[ebp+var_4], edi
		test	eax, eax
		jz	loc_8E3F38
		lea	ecx, [ebp+var_4]
		push	ecx
		push	edi
		push	edi
		push	dword ptr [ebx+4]
		call	eax
		cmp	eax, 0C0000023h
		jnz	short loc_877F84
		cmp	[ebp+var_4], esi
		jz	short loc_877F84
		push	64706E50h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_877F7D
		push	[ebp+var_4]	; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		push	edi
		push	esi
		push	[ebp+var_4]
		push	dword ptr [ebx+4]
		call	dword ptr [ebx+20h]
		mov	edi, eax
		test	edi, edi
		js	loc_8E3F42
		push	[ebp+var_4]
		mov	edx, esi
		mov	ecx, ebx
		call	PipIommuValidateDeviceId

loc_877F69:				; CODE XREF: PipIommuRetrieveDeviceId+9Bj
		test	edi, edi
		js	loc_8E3F42

loc_877F71:				; CODE XREF: PipIommuRetrieveDeviceId+94j
					; PipIommuRetrieveDeviceId+6C04Fj ...
		mov	eax, [ebp+var_8]
		mov	[eax], esi
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_877F7D:				; CODE XREF: PipIommuRetrieveDeviceId+4Bj
		mov	edi, 0C000009Ah
		jmp	short loc_877F71
; 

loc_877F84:				; CODE XREF: PipIommuRetrieveDeviceId+31j
					; PipIommuRetrieveDeviceId+36j
		mov	edi, 0C0000001h
		jmp	short loc_877F69
PipIommuRetrieveDeviceId endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipIommuValidateDeviceId proc near	; CODE XREF: PipIommuRetrieveDeviceId+76p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E3F5C SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	esi, [edi]
		lea	eax, [esi-1]
		cmp	eax, 5
		ja	short loc_877FD1
		sub	esi, 1
		jz	short loc_877FC5
		sub	esi, 1
		jnz	short loc_877FBE
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_IdpValidateAcpiName@8 ; IdpValidateAcpiName(x,x)

loc_877FB6:				; CODE XREF: PipIommuValidateDeviceId+43j
					; PipIommuValidateDeviceId+4Aj
		test	eax, eax
		js	loc_8E3F5C

loc_877FBE:				; CODE XREF: PipIommuValidateDeviceId+1Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_877FC5:				; CODE XREF: PipIommuValidateDeviceId+19j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_IdpValidatePciPath@8 ;	IdpValidatePciPath(x,x)
		jmp	short loc_877FB6
; 

loc_877FD1:				; CODE XREF: PipIommuValidateDeviceId+14j
		mov	eax, 0C000000Dh
		jmp	short loc_877FB6
PipIommuValidateDeviceId endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipAddDependentsToRebuildPowerRelationsQueue proc near ; CODE XREF: IoResolveDependency+9Dp
					; PnpDeleteAllDependencyRelations+14A777p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		call	_PiGetDependentList@4 ;	PiGetDependentList(x)
		mov	edi, eax
		mov	esi, [edi]

loc_877FED:				; CODE XREF: PipIommuValidateDeviceId+6BFF3j
					; PipIommuValidateDeviceId+6BFFEj
		cmp	esi, edi
		jnz	loc_8E3F6C
		pop	edi
		pop	esi
		leave
		retn
PipAddDependentsToRebuildPowerRelationsQueue endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PipAddBindingId(x, x)
_PipAddBindingId@8 proc	near		; CODE XREF: IoResolveDependency+69p
					; IoResolveDependency+C7p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	53706E50h
		push	10h
		push	1
		mov	edi, edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_87803F
		lea	eax, [esi+8]
		push	eax
		push	edi
		push	0
		call	RtlDuplicateUnicodeString
		test	eax, eax
		js	short loc_87803B
		lea	ecx, [ebx+1Ch]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_878046
		mov	[esi], ecx
		mov	[esi+4], edx
		mov	[edx], esi
		mov	[ecx+4], esi

loc_87803B:				; CODE XREF: PipAddBindingId(x,x)+2Bj
					; PipAddBindingId(x,x)+4Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_87803F:				; CODE XREF: PipAddBindingId(x,x)+1Bj
		mov	eax, 0C000009Ah
		jmp	short loc_87803B
; 

loc_878046:				; CODE XREF: PipAddBindingId(x,x)+35j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PipAddBindingId@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipQueryBindingResolution proc near	; CODE XREF: IoResolveDependency+25p
					; IoDuplicateDependency(x,x)+46p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E3F8F SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], ecx
		push	edi
		sub	eax, esi
		jz	loc_8E3F8F
		sub	eax, 1
		jnz	short loc_8780B8
		mov	edi, _PiDependencyNodeListHead

loc_878071:				; CODE XREF: PipQueryBindingResolution+3Bj
					; PipQueryBindingResolution+67j
		cmp	edi, offset _PiDependencyNodeListHead
		jz	short loc_8780B8
		mov	eax, edi
		mov	edi, [edi]
		mov	[ebp+var_4], eax
		add	eax, 1Ch
		mov	ebx, [eax]
		cmp	ebx, eax
		jz	short loc_878071
		mov	ecx, [ecx+4]
		mov	[ebp+var_8], ecx

loc_87808F:				; CODE XREF: PipQueryBindingResolution+62j
		push	1
		mov	eax, ebx
		mov	ebx, [ebx]
		push	ecx
		add	eax, 8
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_8780B5
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		add	eax, 1Ch
		cmp	ebx, eax
		jnz	short loc_87808F
		mov	ecx, [ebp+var_C]
		jmp	short loc_878071
; 

loc_8780B5:				; CODE XREF: PipQueryBindingResolution+55j
		mov	esi, [ebp+var_4]

loc_8780B8:				; CODE XREF: PipQueryBindingResolution+1Dj
					; PipQueryBindingResolution+2Bj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
PipQueryBindingResolution endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepCacheDeviceHash(x)
_KsepCacheDeviceHash@4 proc near	; DATA XREF: KsepEngineInitialize+2Bo

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, [ebp+arg_0]
		push	0
		push	1
		add	eax, 14h
		push	eax
		call	RtlHashUnicodeString
		mov	eax, [ebp+var_4]
		leave
		retn	4
_KsepCacheDeviceHash@4 endp

; 
		align 2

; __stdcall PiQueryPowerRelations(x, x)
_PiQueryPowerRelations@8:		; CODE XREF: .text:0054F25Ap
					; PipProcessRebuildPowerRelationsQueue()+7Ap
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		xor	ecx, ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp-4], ecx
		cmp	[ebx+8], ecx
		jnz	short loc_878109
		mov	eax, 0C0000189h
		jmp	loc_8782D8
; 

loc_878109:				; CODE XREF: PAGE:008780FDj
		test	dl, dl
		jnz	loc_87825A
		lea	eax, [ebp-4]
		push	eax
		push	ecx
		mov	ecx, [ebx+10h]
		push	2
		pop	edx
		call	_PnpQueryDeviceRelations@16 ; PnpQueryDeviceRelations(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_878131
		xor	ecx, ecx
		mov	[ebp-4], ecx
		jmp	loc_87825A
; 

loc_878131:				; CODE XREF: PAGE:00878125j
		lea	eax, [ebx+6Ch]
		mov	esi, [eax]
		jmp	short loc_878189
; 

loc_878138:				; CODE XREF: PAGE:0087818Bj
		mov	ecx, [esi]
		mov	eax, esi
		mov	esi, ecx
		cmp	[ecx+4], eax
		jnz	loc_87824A
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_87824A
		mov	[edx], ecx
		mov	[ecx+4], edx
		lea	ecx, [eax+0Ch]
		mov	edx, [ecx]
		mov	[ebp-8], edx
		cmp	[edx+4], ecx
		jnz	loc_87824A
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_87824A
		mov	ecx, [ebp-8]
		push	72775044h
		mov	[edx], ecx
		push	eax
		mov	[ecx+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [ebx+6Ch]

loc_878189:				; CODE XREF: PAGE:00878136j
		cmp	esi, eax
		jnz	short loc_878138
		mov	ecx, [ebp-4]
		test	ecx, ecx
		jz	loc_878256
		mov	eax, [ecx]
		test	eax, eax
		jz	loc_878256
		xor	edx, edx
		mov	esi, edx
		test	eax, eax
		jz	loc_87825A

loc_8781AE:				; CODE XREF: PAGE:00878242j
		mov	eax, [ecx+esi*4+4]
		test	eax, eax
		jz	loc_8782DD
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		mov	[ebp-8], eax
		test	eax, eax
		jz	loc_8782DD
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_8782DD
		cmp	[eax+8], edx
		jz	short loc_87823F
		push	72775044h
		push	1Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_87824F
		xor	ecx, ecx
		mov	[eax+18h], cl
		lea	ecx, [ebx+5Ch]
		mov	[eax+8], ecx
		mov	ecx, [ebp-8]
		add	ecx, 5Ch
		mov	[eax+14h], ecx
		lea	ecx, [ebx+6Ch]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_87824A
		mov	[eax+4], edx
		mov	[eax], ecx
		mov	[edx], eax
		mov	edx, [ebp-8]
		add	edx, 64h
		mov	[ecx+4], eax
		add	eax, 0Ch
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	short loc_87824A
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edx+4], eax
		xor	edx, edx
		mov	ecx, [ebp-4]

loc_87823F:				; CODE XREF: PAGE:008781E1j
		inc	esi
		cmp	esi, [ecx]
		jb	loc_8781AE
		jmp	short loc_87825A
; 

loc_87824A:				; CODE XREF: PAGE:00878141j
					; PAGE:0087814Cj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_87824F:				; CODE XREF: PAGE:008781F6j
		mov	edi, 0C000009Ah
		jmp	short loc_87825A
; 

loc_878256:				; CODE XREF: PAGE:00878192j
					; PAGE:0087819Cj
		xor	ecx, ecx
		mov	edi, ecx

loc_87825A:				; CODE XREF: PAGE:0087810Bj
					; PAGE:0087812Cj ...
		mov	ecx, ebx
		call	PiQueryPowerDependencyRelations
		test	edi, edi
		js	short loc_87826B
		test	eax, eax
		jns	short loc_87826B
		mov	edi, eax

loc_87826B:				; CODE XREF: PAGE:00878263j
					; PAGE:00878267j
		mov	ecx, ebx
		call	PiValidatePowerRelations
		mov	eax, [ebp-4]
		test	eax, eax
		jz	short loc_87829B
		xor	ecx, ecx
		mov	esi, ecx
		cmp	[eax], ecx
		jbe	short loc_878294

loc_878281:				; CODE XREF: PAGE:00878290j
		mov	ecx, [eax+esi*4+4]
		call	ObfDereferenceObject
		mov	eax, [ebp-4]
		inc	esi
		cmp	esi, [eax]
		jb	short loc_878281
		xor	ecx, ecx

loc_878294:				; CODE XREF: PAGE:0087827Fj
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_87829B:				; CODE XREF: PAGE:00878277j
		xor	ecx, ecx
		call	PpDevNodeLockTree
		mov	eax, [ebx+0ACh]
		cmp	eax, 300h
		jz	short loc_8782CF
		cmp	eax, 301h
		jz	short loc_8782CF
		cmp	eax, 313h
		jz	short loc_8782CF
		cmp	eax, 314h
		jz	short loc_8782CF
		mov	ecx, [ebx+10h]
		push	13h
		pop	edx
		call	PiPnpRtlPdoRaiseNtPlugPlayPropertyChangeEvent

loc_8782CF:				; CODE XREF: PAGE:008782ADj
					; PAGE:008782B4j ...
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		mov	eax, edi

loc_8782D8:				; CODE XREF: PAGE:00878104j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8782DD:				; CODE XREF: PAGE:008781B4j
					; PAGE:008781C8j ...
		mov	eax, [ecx+esi*4+4]
		test	eax, eax
		jz	loc_8784B0
		movzx	edx, word ptr [eax+2]
		mov	ecx, eax
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebp-4]
		mov	eax, [ecx+esi*4+4]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_878345
		movsx	edx, word ptr [eax+2]
		mov	ecx, eax
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebp-4]
		xor	ebx, ebx
		mov	eax, [ecx+esi*4+4]
		mov	eax, [eax+8]
		cmp	[eax+1Ch], bx
		jz	short loc_878347
		push	2
		pop	edx
		lea	ecx, [eax+1Ch]
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebp-4]
		mov	eax, [eax+esi*4+4]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebp-4]
		jmp	short loc_878347
; 

loc_878345:				; CODE XREF: PAGE:00878300j
		xor	ebx, ebx

loc_878347:				; CODE XREF: PAGE:0087831Dj
					; PAGE:00878343j
		mov	edx, [ecx+esi*4+4]
		test	edx, edx
		jz	short loc_87835A
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_87835C
; 

loc_87835A:				; CODE XREF: PAGE:0087834Dj
		mov	eax, ebx

loc_87835C:				; CODE XREF: PAGE:00878358j
		test	eax, eax
		jz	loc_8784B0
		test	edx, edx
		jz	short loc_878373
		mov	eax, [edx+0B0h]
		mov	edi, [eax+14h]
		jmp	short loc_878375
; 

loc_878373:				; CODE XREF: PAGE:00878366j
		mov	edi, ebx

loc_878375:				; CODE XREF: PAGE:00878371j
		test	edx, edx
		jz	short loc_878384
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_878386
; 

loc_878384:				; CODE XREF: PAGE:00878377j
		mov	ecx, ebx

loc_878386:				; CODE XREF: PAGE:00878382j
		mov	edx, 1F4h
		call	IoAddTriageDumpDataBlock
		cmp	[edi+14h], bx
		jz	short loc_8783AD
		push	2
		pop	edx
		lea	ecx, [edi+14h]
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi+14h]
		mov	ecx, [edi+18h]
		call	IoAddTriageDumpDataBlock

loc_8783AD:				; CODE XREF: PAGE:00878394j
		mov	ecx, [ebp-4]
		mov	edx, [ecx+esi*4+4]
		test	edx, edx
		jz	short loc_8783C3
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_8783C5
; 

loc_8783C3:				; CODE XREF: PAGE:008783B6j
		mov	eax, ebx

loc_8783C5:				; CODE XREF: PAGE:008783C1j
		cmp	[eax+1Ch], bx
		jz	short loc_87841F
		test	edx, edx
		jz	short loc_8783DA
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_8783DC
; 

loc_8783DA:				; CODE XREF: PAGE:008783CDj
		mov	ecx, ebx

loc_8783DC:				; CODE XREF: PAGE:008783D8j
		push	2
		add	ecx, 1Ch
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebp-4]
		mov	ecx, [eax+esi*4+4]
		test	ecx, ecx
		jz	short loc_8783FD
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_8783FF
; 

loc_8783FD:				; CODE XREF: PAGE:008783F0j
		mov	edx, ebx

loc_8783FF:				; CODE XREF: PAGE:008783FBj
		test	ecx, ecx
		jz	short loc_87840E
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_878410
; 

loc_87840E:				; CODE XREF: PAGE:00878401j
		mov	ecx, ebx

loc_878410:				; CODE XREF: PAGE:0087840Cj
		movzx	edx, word ptr [edx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebp-4]

loc_87841F:				; CODE XREF: PAGE:008783C9j
		mov	edx, [ecx+esi*4+4]
		test	edx, edx
		jz	short loc_878432
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_878434
; 

loc_878432:				; CODE XREF: PAGE:00878425j
		mov	eax, ebx

loc_878434:				; CODE XREF: PAGE:00878430j
		cmp	[eax+8], ebx
		jz	short loc_8784B0
		test	edx, edx
		jz	short loc_878448
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_87844A
; 

loc_878448:				; CODE XREF: PAGE:0087843Bj
		mov	eax, ebx

loc_87844A:				; CODE XREF: PAGE:00878446j
		mov	eax, [eax+8]
		cmp	[eax+1Ch], bx
		jz	short loc_8784B0
		test	edx, edx
		jz	short loc_878462
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_878464
; 

loc_878462:				; CODE XREF: PAGE:00878455j
		mov	ecx, ebx

loc_878464:				; CODE XREF: PAGE:00878460j
		mov	ecx, [ecx+8]
		push	2
		add	ecx, 1Ch
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebp-4]
		mov	ecx, [eax+esi*4+4]
		test	ecx, ecx
		jz	short loc_878488
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_87848A
; 

loc_878488:				; CODE XREF: PAGE:0087847Bj
		mov	edx, ebx

loc_87848A:				; CODE XREF: PAGE:00878486j
		test	ecx, ecx
		jz	short loc_878499
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_87849B
; 

loc_878499:				; CODE XREF: PAGE:0087848Cj
		mov	ecx, ebx

loc_87849B:				; CODE XREF: PAGE:00878497j
		mov	eax, [edx+8]
		mov	ecx, [ecx+8]
		movzx	edx, word ptr [eax+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebp-4]

loc_8784B0:				; CODE XREF: PAGE:008782E3j
					; PAGE:0087835Ej ...
		xor	eax, eax
		push	eax
		push	eax
		push	dword ptr [ecx+esi*4+4]
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 


PiPnpRtlPdoRaiseNtPlugPlayPropertyChangeEvent proc near	; CODE XREF: .text:005DD7DDp
					; .text:005DD7F5p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	loc_8E2AA4
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_8E29CB
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_8E29CB
		lea	edx, [eax+14h]
		test	edx, edx
		jz	short loc_87850A
		mov	edx, [edx+4]
		push	edi
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent

loc_87850A:				; CODE XREF: PiPnpRtlPdoRaiseNtPlugPlayPropertyChangeEvent+39j
		pop	edi
		pop	esi
		pop	ebx
		retn
PiPnpRtlPdoRaiseNtPlugPlayPropertyChangeEvent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiValidatePowerRelations proc near	; CODE XREF: PAGE:0087826Dp

var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E3FA8 SIZE 000000DB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	eax, [esp+18h+var_8]
		mov	[esp+18h+var_4], eax
		mov	[esp+18h+var_8], eax
		lea	edx, [edi+6Ch]

loc_87852D:				; CODE XREF: PiValidatePowerRelations+A0j
		mov	eax, [edx]
		cmp	eax, edx
		jnz	short loc_878586
		mov	eax, [esp+18h+var_8]
		lea	ecx, [esp+18h+var_8]
		cmp	eax, ecx
		jnz	short loc_87854E

loc_87853F:				; CODE XREF: PiValidatePowerRelations+76j
		lea	ecx, [esp+18h+var_8]
		cmp	eax, ecx
		jnz	short loc_8785B3
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_87854E:				; CODE XREF: PiValidatePowerRelations+2Fj
					; PiValidatePowerRelations+70j
		mov	ecx, [eax+14h]
		sub	ecx, 5Ch

loc_878554:				; CODE XREF: PiValidatePowerRelations+6BACEj
		lea	esi, [ecx+6Ch]
		mov	edx, [esi]
		cmp	edx, esi
		jnz	loc_8E3FA8
		mov	edx, ecx
		test	ecx, ecx
		jz	short loc_878576

loc_878567:				; CODE XREF: PiValidatePowerRelations+66j
		cmp	edx, edi
		jz	loc_8E3FE1
		mov	edx, [edx+8]
		test	edx, edx
		jnz	short loc_878567

loc_878576:				; CODE XREF: PiValidatePowerRelations+57j
		mov	eax, [eax]
		lea	ecx, [esp+18h+var_8]
		cmp	eax, ecx
		jnz	short loc_87854E

loc_878580:				; CODE XREF: PiValidatePowerRelations+D7j
		mov	eax, [esp+18h+var_8]
		jmp	short loc_87853F
; 

loc_878586:				; CODE XREF: PiValidatePowerRelations+23j
		cmp	[eax+4], edx
		jnz	short loc_8785E7
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_8785E7
		mov	[edx], ecx
		lea	esi, [esp+18h+var_8]
		mov	[ecx+4], edx
		mov	ecx, [esp+18h+var_4]
		cmp	[ecx], esi
		jnz	short loc_8785E7
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esp+18h+var_4], eax
		jmp	loc_87852D
; 

loc_8785B3:				; CODE XREF: PiValidatePowerRelations+37j
		lea	ecx, [esp+18h+var_8]
		cmp	[eax+4], ecx
		jnz	short loc_8785E7
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_8785E7
		mov	[esp+18h+var_8], ecx
		lea	edx, [esp+18h+var_8]
		mov	[ecx+4], edx
		mov	ecx, [eax+8]
		add	ecx, 10h
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_8785E7
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		jmp	short loc_878580
; 

loc_8785E7:				; CODE XREF: PiValidatePowerRelations+7Bj
					; PiValidatePowerRelations+82j	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PiValidatePowerRelations endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiQueryPowerDependencyRelations	proc near ; CODE XREF: PAGE:0087825Cp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E4083 SIZE 000000B1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	edi
		xor	cl, cl
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	ecx, [esi+10h]
		call	_PiGetProviderList@4 ; PiGetProviderList(x)
		lea	ecx, [esi+5Ch]
		mov	[ebp+var_4], eax
		lea	edi, [ecx+10h]
		mov	[ebp+var_18], ecx
		mov	ecx, [edi]
		mov	[ebp+var_14], edi

loc_878621:				; CODE XREF: PiQueryPowerDependencyRelations+63j
					; PiValidatePowerRelations+6BB70j
		cmp	ecx, edi
		jnz	short loc_878644
		mov	ebx, [eax]
		cmp	ebx, eax
		jnz	short loc_878656

loc_87862B:				; CODE XREF: PiQueryPowerDependencyRelations+6BB32j
					; PiQueryPowerDependencyRelations+6BB43j
		mov	ecx, offset _PiDependencyRelationsLock
		call	ExReleaseResourceLite
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		mov	eax, [ebp+var_10]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_878644:				; CODE XREF: PiQueryPowerDependencyRelations+37j
		mov	esi, ecx
		mov	ecx, [ecx]
		mov	[ebp+var_C], ecx
		cmp	byte ptr [esi+18h], 0
		jz	short loc_878621
		jmp	loc_8E3FF6
; 

loc_878656:				; CODE XREF: PiQueryPowerDependencyRelations+3Dj
		mov	esi, [ebp+var_4]
		jmp	loc_8E4083
PiQueryPowerDependencyRelations	endp


;  S U B	R O U T	I N E 


; __stdcall PipDereferenceDependencyNode(x)
_PipDereferenceDependencyNode@4	proc near ; CODE XREF: IoResolveDependency+7Ap
					; IoResolveDependency+5EED9p ...
		sub	dword ptr [ecx+2Ch], 1
		jz	_PipDeleteDependencyNode@4 ; PipDeleteDependencyNode(x)
		retn
_PipDereferenceDependencyNode@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipCheckIfAllProvidersHaveDevnodes proc	near
					; CODE XREF: PipProcessRebuildPowerRelationsQueue()+37p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E4134 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		mov	ecx, [ecx+18h]
		push	esi
		push	edi
		call	_PiGetProviderList@4 ; PiGetProviderList(x)
		mov	edi, eax
		mov	esi, [edi]

loc_878682:				; CODE XREF: PipCheckIfAllProvidersHaveDevnodes+6BAE4j
		cmp	esi, edi
		jnz	loc_8E4134
		mov	al, 1

loc_87868C:				; CODE XREF: PipCheckIfAllProvidersHaveDevnodes+6BAEBj
		pop	edi
		pop	esi
		leave
		retn
PipCheckIfAllProvidersHaveDevnodes endp


;  S U B	R O U T	I N E 


PipCreateDependencyNode	proc near	; CODE XREF: IoResolveDependency+55p
					; IoDuplicateDependency(x,x)+54p ...

; FUNCTION CHUNK AT 008E415A SIZE 00000022 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	53706E50h
		push	34h
		push	200h
		mov	ebx, ecx
		xor	edi, edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_878722
		lea	eax, [esi+1Ch]
		mov	ecx, offset _PiDependencyNodeListHead
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+10h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+8]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+24h]
		mov	[eax+4], eax
		mov	[eax], eax
		xor	eax, eax
		mov	[esi+2Ch], eax
		mov	[esi+18h], eax
		mov	[esi+30h], eax
		mov	eax, dword_6CCAAC
		cmp	[eax], ecx
		jnz	short loc_878728
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6CCAAC, esi
		mov	eax, [ebx]
		cmp	eax, 1
		jz	loc_8E415A
		test	eax, eax
		jnz	short loc_878717
		mov	eax, [ebx+4]
		inc	dword ptr [esi+2Ch]
		mov	[esi+18h], eax
		mov	eax, [eax+0B0h]
		mov	[eax+2Ch], esi

loc_878717:				; CODE XREF: PipCreateDependencyNode+73j
					; PipCreateDependencyNode+6BAD8j
		inc	dword ptr [esi+2Ch]
		test	edi, edi
		js	loc_8E416E

loc_878722:				; CODE XREF: PipCreateDependencyNode+1Ej
					; PipCreateDependencyNode+6BAE7j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_878728:				; CODE XREF: PipCreateDependencyNode+57j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall IopUpdateSecureDeviceClassState(x, x)
_IopUpdateSecureDeviceClassState@8:	; CODE XREF: IoCreateDeviceSecure+E1p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp-1Ch], ecx
		push	6
		pop	ecx
		lea	edi, [ebp-44h]
		mov	[ebp-24h], eax
		rep stosd
		mov	ebx, eax
		mov	[ebp-20h], eax
		mov	edi, eax
		mov	[ebp-2Ch], eax
		mov	[ebp-28h], eax
		mov	[ebp-4], eax
		mov	[ebp-8], eax
		mov	[ebp-0Ch], eax
		lea	eax, [ebp-0Ch]
		push	ecx
		push	eax
		mov	[ebp-18h], edx
		mov	edx, offset ??_C@_1HC@DKINPPAJ@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@

loc_87876C:				; CODE XREF: .text:004295C8j
		push	ecx
		mov	[ebp-10h], ebx
		mov	[ebp-14h], edi
		call	IopGetPersistedStateLocation
		mov	esi, eax
		test	esi, esi
		js	loc_8788A2
		push	dword ptr [ebp-0Ch]
		lea	eax, [ebp-24h]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8788A2
		lea	eax, [ebp-24h]
		mov	dword ptr [ebp-5Ch], 18h
		mov	[ebp-54h], eax
		xor	ecx, ecx
		lea	eax, [ebp-5Ch]
		mov	[ebp-58h], ecx
		push	eax
		push	0F003Fh
		lea	eax, [ebp-4]
		mov	dword ptr [ebp-50h], 240h
		push	eax
		mov	[ebp-4Ch], ecx
		mov	[ebp-48h], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8788A2
		mov	ecx, [ebp-1Ch]
		lea	edx, [ebp-2Ch]
		push	1
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8788A2
		mov	edx, [ebp-4]
		lea	eax, [ebp-2Ch]
		push	edi
		push	edi
		push	0F003Fh
		push	eax
		lea	ecx, [ebp-10h]
		call	IopCreateRegistryKeyEx
		mov	esi, eax
		test	esi, esi
		js	loc_8788F4
		xor	esi, esi
		lea	eax, [ebp-14h]
		push	esi
		push	eax
		push	1
		push	offset ??_C@_1CM@HAEMEGGB@?$AAD?$AA?3?$AAP?$AAA?$AAI?$AA?$CI?$AAA?$AA?$DL?$AAO?$AAI?$AAC?$AAI?$AA?$DL?$AAG?$AAA@NNGAKEGL@
		call	SeConvertStringSecurityDescriptorToSecurityDescriptor
		test	eax, eax
		js	short loc_878824
		mov	edi, [ebp-14h]

loc_878824:				; CODE XREF: PipCreateDependencyNode+18Fj
		push	offset ??_C@_1BG@COALCEMK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAi?$AAe?$AAs@NNGAKEGL@
		lea	eax, [ebp-24h]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ebx, [ebp-10h]
		lea	eax, [ebp-24h]
		push	esi
		push	esi
		push	esi
		mov	[ebp-3Ch], eax
		lea	eax, [ebp-44h]
		push	esi
		push	eax
		push	0F003Fh
		lea	eax, [ebp-8]
		mov	dword ptr [ebp-44h], 18h
		push	eax
		mov	[ebp-40h], ebx
		mov	dword ptr [ebp-38h], 240h
		mov	[ebp-34h], edi
		mov	[ebp-30h], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8788A2
		mov	eax, [ebp-18h]
		push	dword ptr [eax+8]
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	esi, eax
		lea	eax, [ebp-24h]
		push	offset ??_C@_1BC@FCJNIDNL@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp-18h]
		push	esi
		push	dword ptr [eax+8]
		lea	eax, [ebp-24h]
		push	3
		push	0
		push	eax
		push	dword ptr [ebp-8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax

loc_8788A2:				; CODE XREF: PipCreateDependencyNode+ECj
					; PipCreateDependencyNode+102j	...
		cmp	dword ptr [ebp-4], 0
		jz	short loc_8788B0
		push	dword ptr [ebp-4]
		call	_ZwClose@4	; ZwClose(x)

loc_8788B0:				; CODE XREF: PipCreateDependencyNode+216j
		test	ebx, ebx
		jz	short loc_8788BA
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_8788BA:				; CODE XREF: PipCreateDependencyNode+222j
		cmp	dword ptr [ebp-8], 0
		jz	short loc_8788C8
		push	dword ptr [ebp-8]
		call	_ZwClose@4	; ZwClose(x)

loc_8788C8:				; CODE XREF: PipCreateDependencyNode+22Ej
		cmp	dword ptr [ebp-0Ch], 0
		jz	short loc_8788D8
		push	0
		push	dword ptr [ebp-0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8788D8:				; CODE XREF: PipCreateDependencyNode+23Cj
		test	edi, edi
		jz	short loc_8788E4
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8788E4:				; CODE XREF: PipCreateDependencyNode+24Aj
		lea	eax, [ebp-2Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8788F4:				; CODE XREF: PipCreateDependencyNode+174j
		mov	ebx, [ebp-10h]
		jmp	short loc_8788A2
PipCreateDependencyNode	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCreateSecureDeviceClassSettings proc	near ; CODE XREF: IoCreateDeviceSecure+52p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E417C SIZE 0000019E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		and	[ebp+var_14], 0
		and	[ebp+var_24], 0
		and	[ebp+var_20], 0
		and	[ebp+var_2C], 0
		and	[ebp+var_28], 0
		and	[ebp+var_8], 0
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		push	70h
		pop	eax
		push	72h
		mov	word ptr [ebp+var_34], ax
		xor	edi, edi
		pop	eax
		mov	word ptr [ebp+var_34+2], ax
		mov	esi, ecx
		push	edi
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_1C], edx
		push	eax
		mov	[ebp+var_30], offset ??_C@_1HC@DKINPPAJ@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		mov	[ebp+var_18], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	edx, [ebp+var_2C]
		mov	ecx, esi
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_878A89
		and	[ebp+var_48], edi
		lea	eax, [ebp+var_34]
		and	[ebp+var_3C], edi
		and	[ebp+var_38], edi
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_10]
		mov	[ebp+var_4C], 18h
		push	eax
		mov	[ebp+var_40], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	ebx, [ebp+arg_0]
		mov	esi, eax
		test	esi, esi
		js	loc_8E417C
		mov	eax, [ebp+var_10]
		and	[ebp+var_3C], edi
		and	[ebp+var_38], edi
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4C], 18h
		push	eax
		mov	[ebp+var_40], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E417C
		push	offset ??_C@_1BG@COALCEMK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAi?$AAe?$AAs@NNGAKEGL@
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_8]
		and	[ebp+var_3C], edi
		and	[ebp+var_38], edi
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_4C], 18h
		push	eax
		mov	[ebp+var_40], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E417C
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		call	IopQuerySecureDeviceClassState
		mov	esi, eax
		test	esi, esi
		js	short loc_878A89
		mov	eax, [ebx]
		and	eax, 0Fh
		cmp	al, 0Fh
		jz	short loc_878A87

loc_878A3F:				; CODE XREF: IopCreateSecureDeviceClassSettings+6B88Ej
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_18]
		push	ecx
		push	eax
		push	ecx
		call	IopGetPersistedStateLocation
		mov	edi, [ebp+var_18]
		mov	esi, eax
		test	esi, esi
		js	short loc_878A89
		push	edi
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_878A89
		push	1
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	loc_8E418D
		cmp	[ebp+var_8], 0
		jz	loc_8E41D4

loc_878A87:				; CODE XREF: IopCreateSecureDeviceClassSettings+143j
					; IopCreateSecureDeviceClassSettings+6B97Cj
		xor	esi, esi

loc_878A89:				; CODE XREF: IopCreateSecureDeviceClassSettings+64j
					; IopCreateSecureDeviceClassSettings+13Aj ...
		cmp	[ebp+var_10], 0
		jz	short loc_878A97
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)

loc_878A97:				; CODE XREF: IopCreateSecureDeviceClassSettings+193j
		cmp	[ebp+var_8], 0
		jz	short loc_878AA5
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_878AA5:				; CODE XREF: IopCreateSecureDeviceClassSettings+1A1j
		cmp	[ebp+var_C], 0
		jz	short loc_878AB3
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_878AB3:				; CODE XREF: IopCreateSecureDeviceClassSettings+1AFj
		test	edi, edi
		jz	short loc_878ABF
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_878ABF:				; CODE XREF: IopCreateSecureDeviceClassSettings+1BBj
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
IopCreateSecureDeviceClassSettings endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetPersistedStateLocation proc near	; CODE XREF: PipCreateDependencyNode+E3p
					; IopCreateSecureDeviceClassSettings+14Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E431A SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	63466F49h
		mov	ebx, 100h
		mov	edi, edx
		push	ebx
		push	1
		mov	[ebp+var_8], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_878AF7:				; CODE XREF: IopGetPersistedStateLocation+6B868j
		mov	esi, eax
		test	esi, esi
		jz	loc_8E4349
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	ebx		; int
		push	esi		; void *
		push	0		; int
		push	edi		; void *
		push	0		; int
		push	offset ??_C@_1CE@CBJLLHKI@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAe?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAl?$AAa@NNGAKEGL@	; int
		call	RtlGetPersistedStateLocation
		mov	edi, eax
		cmp	edi, 80000005h
		jz	loc_8E431A

loc_878B24:				; CODE XREF: IopGetPersistedStateLocation+6B872j
		test	edi, edi
		js	loc_8E434E

loc_878B2C:				; CODE XREF: IopGetPersistedStateLocation+6B87Ej
					; IopGetPersistedStateLocation+6B88Ej
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
IopGetPersistedStateLocation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopQuerySecureDeviceClassState proc near
					; CODE XREF: IopCreateSecureDeviceClassSettings+131p
					; IopCreateSecureDeviceClassSettings+6B966p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 008E4365 SIZE 000000DE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_10], edx
		mov	edi, edx
		mov	[ebp+var_14], ecx
		xor	ebx, ebx
		mov	edx, offset ??_C@_1BC@FCJNIDNL@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy@NNGAKEGL@
		mov	byte ptr [ebp+var_1], bl
		mov	[ebp+var_18], ebx
		stosd
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		call	IopGetRegistryValue
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8E436F
		mov	esi, [ebp+var_8]
		cmp	dword ptr [esi+4], 3
		jnz	loc_8E4365
		mov	eax, [esi+8]
		lea	ecx, [ebp+var_C]
		push	ecx		; int
		push	1		; int
		push	1		; int
		add	eax, esi
		push	0		; char
		push	eax		; size_t
		call	SeCaptureSecurityDescriptor
		mov	ebx, eax
		test	ebx, ebx
		js	loc_878C6F
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_C]
		xor	esi, esi
		mov	[ebp+var_8], esi
		test	eax, eax
		jz	loc_8E4380
		lea	ecx, [ebp+var_18]
		push	ecx
		lea	edx, [ebp+var_1]
		mov	ecx, eax
		call	IopGetSecurityDescriptorInformation
		mov	ebx, eax
		test	ebx, ebx
		js	loc_878C6F
		cmp	byte ptr [ebp+var_1], 0
		mov	edi, [ebp+var_10]
		jz	loc_878C95

loc_878BE4:				; CODE XREF: IopQuerySecureDeviceClassState+167j
					; IopQuerySecureDeviceClassState+6B849j
		test	byte ptr [edi],	1
		jnz	short loc_878C11
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		mov	edx, offset ??_C@_1BG@KCOOGCNN@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAT?$AAy?$AAp?$AAe@NNGAKEGL@ ; "DeviceType"
		call	IopGetRegistryValue
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_8E4388
		cmp	ebx, 0C0000034h
		jnz	short loc_878C6C
		mov	esi, [ebp+var_8]

loc_878C11:				; CODE XREF: IopQuerySecureDeviceClassState+ADj
					; IopQuerySecureDeviceClassState+6B87Aj
		test	byte ptr [edi],	4
		jnz	short loc_878C3E
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		mov	edx, offset ??_C@_1CM@DIJFBEC@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAh?$AAa?$AAr?$AAa?$AAc?$AAt?$AAe?$AAr@NNGAKEGL@ ; "D"
		call	IopGetRegistryValue
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_8E43B9
		cmp	ebx, 0C0000034h
		jnz	short loc_878C6C
		mov	esi, [ebp+var_8]

loc_878C3E:				; CODE XREF: IopQuerySecureDeviceClassState+DAj
					; IopQuerySecureDeviceClassState+6B8ABj
		test	byte ptr [edi],	8
		jnz	short loc_878C6F
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		mov	edx, offset ??_C@_1BE@DJHAJDEM@?$AAE?$AAx?$AAc?$AAl?$AAu?$AAs?$AAi?$AAv?$AAe@NNGAKEGL@
		call	IopGetRegistryValue
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_8E43EA
		lea	eax, [ebx+3FFFFFCCh]
		neg	eax
		sbb	eax, eax
		and	ebx, eax

loc_878C6C:				; CODE XREF: IopQuerySecureDeviceClassState+D2j
					; IopQuerySecureDeviceClassState+FFj ...
		mov	esi, [ebp+var_8]

loc_878C6F:				; CODE XREF: IopQuerySecureDeviceClassState+67j
					; IopQuerySecureDeviceClassState+97j ...
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_878C7E
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_878C7E:				; CODE XREF: IopQuerySecureDeviceClassState+13Aj
		test	ebx, ebx
		js	loc_8E4418

loc_878C86:				; CODE XREF: IopQuerySecureDeviceClassState+6B8F7j
		test	esi, esi
		jnz	loc_8E4436

loc_878C8E:				; CODE XREF: IopQuerySecureDeviceClassState+6B904j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_878C95:				; CODE XREF: IopQuerySecureDeviceClassState+A4j
		mov	eax, [ebp+var_C]
		or	dword ptr [edi], 2
		and	[ebp+var_C], esi
		mov	[edi+8], eax
		jmp	loc_878BE4
IopQuerySecureDeviceClassState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepStringTransform proc near		; CODE XREF: KsepDbQueryRegistryDeviceData+29p
					; KseSetDeviceFlags(x,x,x,x)+5Ap ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E4443 SIZE 000000A5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		mov	edi, ecx
		xor	esi, esi
		inc	ebx
		push	3
		pop	ecx
		test	edi, edi
		jz	loc_8E4443

loc_878CC4:				; CODE XREF: KsepStringTransform+6B7EBj
		test	edx, edx
		jz	loc_8E4496

loc_878CCC:				; CODE XREF: KsepStringTransform+6B823j
					; KsepStringTransform+6B83Dj
		mov	ecx, edi
		call	KsepStringDuplicate
		test	eax, eax
		js	short loc_878D04
		mov	ax, [edi]
		mov	ecx, 0FFFEh
		and	ax, cx
		xor	ecx, ecx
		cmp	cx, ax
		jnb	short loc_878D02

loc_878CE9:				; CODE XREF: KsepStringTransform+5Aj
		mov	ecx, [edi+4]
		movzx	eax, si
		cmp	word ptr [ecx+eax*2], 5Ch
		jz	short loc_878D0B

loc_878CF6:				; CODE XREF: KsepStringTransform+6Cj
		mov	ax, [edi]
		inc	esi
		shr	ax, 1
		cmp	si, ax
		jb	short loc_878CE9

loc_878D02:				; CODE XREF: KsepStringTransform+41j
		xor	eax, eax

loc_878D04:				; CODE XREF: KsepStringTransform+2Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_878D0B:				; CODE XREF: KsepStringTransform+4Ej
		push	21h
		pop	edx
		mov	[ecx+eax*2], dx
		jmp	short loc_878CF6
KsepStringTransform endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepDbQueryRegistryDeviceData proc near	; CODE XREF: KseQueryDeviceData+5Fp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E44E8 SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		push	esi
		push	edi
		push	ecx
		mov	[esp+24h+var_C], edx
		xor	eax, eax
		xor	esi, esi
		mov	[esp+24h+var_8], eax
		push	ecx
		mov	edx, ecx
		mov	[esp+28h+var_4], esi
		lea	ecx, [esp+28h+var_8]
		mov	[esp+28h+var_18], esi
		call	KsepStringTransform
		mov	edi, eax
		test	edi, edi
		js	short loc_878D73
		mov	edx, [esp+20h+var_4] ; void *
		lea	eax, [esp+20h+var_18]
		push	eax		; int
		mov	ecx, offset ??_C@_1JA@BMMOANL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ;	int
		call	KsepRegistryOpenKey
		test	eax, eax
		jns	loc_8E44E8

loc_878D63:				; CODE XREF: KsepDbQueryRegistryDeviceData+6B80Aj
		mov	edi, 0C0000225h

loc_878D68:				; CODE XREF: KsepDbQueryRegistryDeviceData+6B812j
					; KsepDbQueryRegistryDeviceData+6B829j
		cmp	[esp+20h+var_18], 0
		jnz	loc_8E4542

loc_878D73:				; CODE XREF: KsepDbQueryRegistryDeviceData+32j
					; KsepDbQueryRegistryDeviceData+6B83Ej
		lea	ecx, [esp+20h+var_8]
		call	KsepStringFree
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
KsepDbQueryRegistryDeviceData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KsepDbCacheQueryDevice(int,int,void *)
KsepDbCacheQueryDevice proc near	; CODE XREF: KseQueryDeviceData+88p

var_28		= dword	ptr -28h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E4557 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		push	9
		mov	esi, ecx
		mov	[ebp+var_4], edx
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_28]
		rep stosd
		push	esi
		lea	eax, [ebp+var_14]
		mov	ebx, 0C0000225h
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, large fs:124h
		mov	ecx, dword_6D4A9C
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, dword_6D4A9C
		lea	edx, [ebp+var_28]
		call	_KsepCacheLookup@8 ; KsepCacheLookup(x,x)
		test	eax, eax
		jnz	short loc_878E0E

loc_878DDC:				; CODE XREF: KsepDbCacheQueryDevice+9Dj
		mov	esi, dword_6D4A9C
		or	edx, 0FFFFFFFFh
		lock xadd [esi], edx
		test	dl, 2
		jnz	loc_8E4557

loc_878DF2:				; CODE XREF: KsepDbCacheQueryDevice+6B7D4j
					; KsepDbCacheQueryDevice+6B7E1j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_878E0E:				; CODE XREF: KsepDbCacheQueryDevice+54j
		push	[ebp+arg_8]	; void *
		mov	edx, [ebp+var_4]
		mov	ecx, eax
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		call	_KsepDbCacheQueryDeviceData@20 ; KsepDbCacheQueryDeviceData(x,x,x,x,x)
		mov	ebx, eax
		jmp	short loc_878DDC
KsepDbCacheQueryDevice endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1335. KseQueryDeviceData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KseQueryDeviceData(int,int,int,int,void	*)
		public KseQueryDeviceData
KseQueryDeviceData proc	near		; CODE XREF: KseQueryDeviceFlags+79p
					; ExpGetDeviceDataInformation(x,x,x)+FEp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008E456C SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		cmp	dword_6D4A78, 2
		push	ebx
		push	esi
		push	edi
		jnz	loc_8E45A5
		test	byte ptr _KseEngine, 2
		jnz	loc_8E45A5
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_8E459B
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jz	loc_8E459B
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	loc_8E459B
		mov	eax, [ebx]
		and	dword ptr [ebx], 0
		test	eax, 20000000h
		jnz	short loc_878E9B
		push	[ebp+arg_10]
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		push	esi
		push	ebx
		call	KsepDbQueryRegistryDeviceData
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	short loc_878F01
		mov	esi, [ebp+arg_C]

loc_878E9B:				; CODE XREF: KseQueryDeviceData+53j
		call	KsepShimDbChanged
		test	eax, eax
		jnz	loc_8E456C
		push	[ebp+arg_10]	; void *
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		push	esi		; int
		push	ebx		; int
		call	KsepDbCacheQueryDevice
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	short loc_878F01

loc_878EC1:				; CODE XREF: KseQueryDeviceData+6B747j
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_4]
		call	KsepDbCacheReadDevice
		mov	esi, eax
		test	esi, esi
		jns	short loc_878EDB

loc_878ED2:				; CODE XREF: KseQueryDeviceData+D9j
					; KseQueryDeviceData+132j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_878EDB:				; CODE XREF: KseQueryDeviceData+A6j
		push	[ebp+arg_10]	; void *
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	[ebp+arg_C]	; int
		push	ebx		; int
		call	_KsepDbCacheQueryDeviceData@20 ; KsepDbCacheQueryDeviceData(x,x,x,x,x)
		mov	edx, [ebp+var_4]
		mov	esi, eax
		mov	ecx, [ebp+arg_0]
		call	KsepDbCacheInsertDevice
		test	eax, eax
		js	loc_8E4576

loc_878F01:				; CODE XREF: KseQueryDeviceData+6Cj
					; KseQueryDeviceData+95j ...
		test	esi, esi
		js	short loc_878ED2
		mov	eax, [ebp+arg_C]
		xor	ebx, ebx
		cmp	[eax], ebx
		jz	short loc_878F61

loc_878F0E:				; CODE XREF: KseQueryDeviceData+13Cj
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryMessagesIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	1
		push	9
		pop	ecx
		mov	word_6C7242[eax*8], cx
		mov	ecx, 8E5h
		mov	dword_6C7244[eax*8], ebx
		mov	_KsepHistoryMessages[eax*8], cx
		jnz	loc_8E4583

loc_878F49:				; CODE XREF: KseQueryDeviceData+6B76Cj
		push	esi
		push	[ebp+arg_0]
		push	edi
		push	offset ??_C@_0DD@IINLDOPB@KSE?3?5Query?5device?5?$FL?$CFws?0?5?$CFws?$FN?3?5f@NNGAKEGL@	; "KSE:	Query device [%ws, %ws]: found in "...
		push	ebx
		call	_KsepLogInfo
		add	esp, 14h
		jmp	loc_878ED2
; 

loc_878F61:				; CODE XREF: KseQueryDeviceData+E2j
		mov	esi, 0C0000225h
		jmp	short loc_878F0E
KseQueryDeviceData endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1337. KseQueryDeviceFlags

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KseQueryDeviceFlags
KseQueryDeviceFlags proc near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E45AF SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		xor	ecx, ecx
		cmp	dword_6D4A78, 2
		push	esi
		push	edi
		mov	[esp+30h+var_18], ecx
		mov	[esp+30h+var_14], ecx
		jnz	loc_879062
		test	byte ptr _KseEngine, 2
		jnz	loc_879062
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	loc_8E45AF
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_8E45AF
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_8E45AF
		mov	[eax], ecx
		mov	[eax+4], ecx
		lea	eax, [esp+30h+var_18]
		push	eax		; void *
		lea	eax, [esp+34h+var_1C]
		mov	[esp+34h+var_20], 0Bh
		push	eax		; int
		lea	eax, [esp+38h+var_20]
		mov	[esp+38h+var_1C], 8
		push	eax		; int
		push	edi		; int
		push	esi		; int
		call	KseQueryDeviceData
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_878FFD

loc_878FF2:				; CODE XREF: KseQueryDeviceFlags+F2j
					; KseQueryDeviceFlags+F9j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_878FFD:				; CODE XREF: KseQueryDeviceFlags+82j
		mov	ecx, [esp+30h+var_20]
		and	ecx, 0CFFFFFFFh
		cmp	ecx, 0Bh
		jnz	short loc_879062
		xor	eax, eax
		mov	[esp+30h+var_8], eax
		mov	[esp+30h+var_4], eax
		mov	[esp+30h+var_10], eax
		mov	[esp+30h+var_C], eax
		lea	eax, [esp+30h+var_8]
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [esp+34h+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [esp+30h+var_20]
		lea	edx, [esp+30h+var_10]
		mov	edi, [esp+30h+var_14]
		lea	ecx, [esp+30h+var_8]
		mov	esi, [esp+30h+var_18]
		shr	eax, 1Ch
		push	edi
		not	eax
		push	esi
		and	eax, 1
		push	eax
		call	_KsepEvntLogFlagsApplied@20 ; KsepEvntLogFlagsApplied(x,x,x,x,x)
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		mov	[eax+4], edi
		jmp	short loc_878FF2
; 

loc_879062:				; CODE XREF: KseQueryDeviceFlags+1Fj
					; KseQueryDeviceFlags+2Cj ...
		mov	ebx, 0C0000225h
		jmp	short loc_878FF2
KseQueryDeviceFlags endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpBuildCmResourceList proc near	; CODE XREF: IopAllocateBootResourcesInternal+92p
					; PnpBuildCmResourceLists+70p

var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_24C], edx
		xor	ebx, ebx
		mov	[ebp+var_228], esi
		push	edi
		mov	[ebp+var_230], ebx
		mov	ecx, ebx
		mov	eax, [esi+18h]
		mov	[ebp+var_20C], eax
		mov	[ebp+var_23C], ebx
		mov	eax, [eax+0Ch]
		mov	eax, [eax]
		mov	[ebp+var_218], eax
		mov	edi, [eax+10h]
		test	edi, edi
		jz	loc_8E461D
		add	eax, 14h
		mov	[ebp+var_240], eax
		mov	edx, eax

loc_8790CA:				; CODE XREF: PnpBuildCmResourceList+71j
		mov	eax, [edx]
		inc	ecx
		lea	edx, [edx+4]
		mov	eax, [eax+0A8h]
		add	ecx, eax
		sub	edi, 1
		jnz	short loc_8790CA
		mov	[ebp+var_234], ecx
		test	ecx, ecx
		jz	loc_8E461D
		lea	eax, [ecx-1]
		shl	eax, 4
		add	eax, 24h
		push	20207050h
		push	eax
		mov	[ebp+var_22C], eax
		xor	eax, eax
		inc	eax
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_244], edi
		test	edi, edi
		jz	loc_8E45C0
		push	[ebp+var_22C]	; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		inc	eax
		push	20207050h
		push	[ebp+var_22C]
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_214], eax
		test	eax, eax
		jz	sub_8E45B9
		push	[ebp+var_22C]	; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	esi, [ebp+var_20C]
		lea	edx, [edi+14h]
		xor	ecx, ecx
		mov	[ebp+var_210], edx
		inc	ecx
		add	esp, 0Ch
		mov	[edi], ecx
		mov	eax, [esi]
		mov	[edi+4], eax
		mov	eax, [esi+4]
		mov	[edi+8], eax
		mov	eax, [ebp+var_214]
		mov	[edi+0Ch], cx
		mov	[edi+0Eh], cx
		mov	ecx, [ebp+var_234]
		mov	[edi+10h], ecx
		mov	dword ptr [eax], 1
		mov	eax, [esi]
		mov	esi, [ebp+var_214]
		mov	[ebp+var_234], ebx
		mov	[esi+4], eax
		mov	eax, [ebp+var_20C]
		mov	eax, [eax+4]
		mov	[esi+8], eax
		mov	eax, esi
		xor	esi, esi
		inc	esi
		mov	[eax+0Ch], si
		mov	[eax+0Eh], si
		mov	esi, [ebp+var_228]
		mov	[eax+10h], ecx
		add	eax, 14h
		mov	[ebp+var_20C], eax
		mov	eax, [ebp+var_218]
		cmp	[eax+10h], ebx
		jbe	loc_87930C
		mov	eax, [ebp+var_240]

loc_8791E8:				; CODE XREF: PnpBuildCmResourceList+290j
		mov	ecx, [eax]
		mov	[ebp+var_220], ecx
		cmp	byte ptr [ecx+8], 0
		jz	loc_879521
		mov	eax, [ecx+14h]
		mov	[ebp+var_248], eax
		cmp	dword ptr [eax+4Ch], 2
		jz	loc_879519
		mov	ecx, eax
		call	_IopParentToRawTranslation@4 ; IopParentToRawTranslation(x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E45D0
		mov	ecx, [ebp+var_220]
		mov	edx, [ebp+var_210]
		mov	eax, [ebp+var_248]
		mov	esi, [ecx+44h]

loc_879233:				; CODE XREF: PnpBuildCmResourceList+4B2j
		mov	edi, [ebp+var_20C]
		movsd
		movsd
		movsd
		movsd
		cmp	dword ptr [eax+4Ch], 2
		jz	loc_87950B
		mov	eax, [ecx+28h]
		test	eax, eax
		jz	loc_8E45C9
		mov	eax, [eax+0B0h]
		mov	esi, [eax+14h]

loc_87925B:				; CODE XREF: sub_8E45B9+12j
		mov	edx, [ecx]
		lea	eax, [ebp+var_23C]
		push	eax
		lea	eax, [ecx+50h]
		push	eax
		push	dword ptr [ecx+2Ch]
		push	dword ptr [ecx+4]
		mov	ecx, esi
		call	IopChildToRootTranslation
		mov	esi, eax
		push	ebx
		test	esi, esi
		js	loc_8E45D1
		mov	esi, [ebp+var_23C]
		mov	edi, [ebp+var_210]
		push	[ebp+var_23C]
		movsd
		movsd
		movsd
		movsd
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [ebp+var_210]

loc_8792A1:				; CODE XREF: PnpBuildCmResourceList+4AAj
		mov	eax, [ebp+var_220]
		add	edx, 10h
		mov	esi, [ebp+var_20C]
		add	esi, 10h
		mov	[ebp+var_210], edx
		mov	[ebp+var_20C], esi
		mov	edi, [eax+0ACh]
		mov	eax, [eax+0A8h]
		mov	[ebp+var_220], eax
		test	eax, eax
		jnz	short loc_879334

loc_8792D5:				; CODE XREF: PnpBuildCmResourceList+332j
		mov	esi, [ebp+var_234]
		mov	ecx, [ebp+var_218]
		inc	esi
		mov	eax, [ebp+var_240]
		add	eax, 4
		mov	[ebp+var_234], esi
		mov	[ebp+var_240], eax
		cmp	esi, [ecx+10h]
		jb	loc_8791E8
		mov	esi, [ebp+var_228]
		mov	edi, [ebp+var_244]

loc_87930C:				; CODE XREF: PnpBuildCmResourceList+172j
		cmp	[ebp+var_24C], 0
		jnz	loc_8793A1

loc_879319:				; CODE XREF: PnpBuildCmResourceList+35Dj
					; PnpBuildCmResourceList+49Cj
		mov	ebx, [ebp+var_214]
		mov	[esi+20h], edi

loc_879322:				; CODE XREF: sub_8E45B9+4Ej
					; sub_8E45B9+6Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		mov	[esi+1Ch], ebx
		xor	ecx, ebp
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_879334:				; CODE XREF: PnpBuildCmResourceList+269j
		mov	ebx, [ebp+var_210]
		add	edi, 8

loc_87933D:				; CODE XREF: PnpBuildCmResourceList+31Cj
		xor	eax, eax
		mov	byte ptr [esi],	81h
		inc	eax
		mov	byte ptr [ebx],	81h
		mov	[esi+1], al
		mov	[ebx+1], al
		movzx	eax, word ptr [edi-4]
		mov	[esi+2], ax
		push	0Ch		; size_t
		mov	[ebx+2], ax
		lea	eax, [esi+4]
		push	edi		; void *
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch
		lea	eax, [ebx+4]
		push	0Ch		; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch
		add	edi, 20h
		add	esi, 10h
		add	ebx, 10h
		sub	[ebp+var_220], 1
		jnz	short loc_87933D
		mov	[ebp+var_210], ebx
		xor	ebx, ebx
		mov	edx, [ebp+var_210]
		mov	[ebp+var_20C], esi
		jmp	loc_8792D5
; 

loc_8793A1:				; CODE XREF: PnpBuildCmResourceList+2A9j
		mov	eax, [esi]
		lea	ecx, [ebp+var_230]
		mov	[ebp+var_248], eax
		xor	edx, edx
		push	ebx
		xor	eax, eax
		inc	eax
		push	eax
		push	2001Fh
		push	offset _CmRegistryMachineHardwareResourceMapName
		call	IopCreateRegistryKeyEx
		test	eax, eax
		js	loc_879319
		mov	ecx, [ebp+var_248]
		lea	edx, [ebp+var_208]
		push	18h
		pop	eax
		push	16h
		mov	word ptr [ebp+var_224+2], ax
		pop	eax
		push	14h
		mov	word ptr [ebp+var_224],	ax
		mov	word ptr [ebp+var_238+2], ax
		pop	eax
		mov	word ptr [ebp+var_238],	ax
		lea	eax, [ebp+var_24C]
		push	ebx
		push	eax
		push	200h
		mov	[ebp+var_24C], ebx
		mov	[ebp+var_21C], ebx
		mov	[ebp+var_218], ebx
		mov	[ebp+var_220], offset ??_C@_1BI@IOBDJLCI@?$AAP?$AAn?$AAP?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@ ; "PnP Manager"
		mov	[ebp+var_234], offset ??_C@_1BG@EBHKFNFD@?$AAP?$AAn?$AAp?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@ ;	"PnpManager"
		call	ObQueryNameStringMode
		test	eax, eax
		js	loc_8794FB
		cmp	word ptr [ebp+var_208],	0
		mov	eax, 1F8h
		mov	word ptr [ebp+var_208+2], ax
		jz	loc_8E460C
		mov	ecx, [ebp+var_204]

loc_87945E:				; CODE XREF: sub_8E45B9+5Fj
		mov	eax, [ebp+var_208]
		mov	[ebp+var_21C], eax
		lea	eax, [ebp+var_21C]
		push	offset _PnpWstrRaw ; void *
		push	eax		; int
		mov	[ebp+var_218], ecx
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	ebx, [ebp+var_22C]
		lea	eax, [ebp+var_21C]
		mov	ecx, [ebp+var_230]
		lea	edx, [ebp+var_224]
		push	ebx
		push	[ebp+var_214]
		push	eax
		lea	eax, [ebp+var_238]
		push	eax
		call	IopWriteResourceList
		test	eax, eax
		js	short loc_8794FB
		mov	eax, [ebp+var_208]
		mov	[ebp+var_21C], eax
		mov	eax, [ebp+var_204]
		mov	[ebp+var_218], eax
		lea	eax, [ebp+var_21C]
		push	offset _PnpWstrTranslated ; void *
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	ecx, [ebp+var_230]
		lea	eax, [ebp+var_21C]
		push	ebx
		push	edi
		push	eax
		lea	eax, [ebp+var_238]
		push	eax
		lea	edx, [ebp+var_224]
		call	IopWriteResourceList

loc_8794FB:				; CODE XREF: PnpBuildCmResourceList+3CEj
					; PnpBuildCmResourceList+445j
		push	[ebp+var_230]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_879319
; 

loc_87950B:				; CODE XREF: PnpBuildCmResourceList+1D7j
		mov	esi, [eax+44h]

loc_87950E:				; CODE XREF: PnpBuildCmResourceList+4C7j
		mov	edi, edx
		movsd
		movsd
		movsd
		movsd
		jmp	loc_8792A1
; 

loc_879519:				; CODE XREF: PnpBuildCmResourceList+19Dj
		mov	esi, [eax+44h]
		jmp	loc_879233
; 

loc_879521:				; CODE XREF: PnpBuildCmResourceList+18Aj
		mov	edi, [ebp+var_20C]
		lea	esi, [ecx+50h]
		movsd
		movsd
		movsd
		movsd
		lea	esi, [ecx+50h]
		jmp	short loc_87950E
PnpBuildCmResourceList endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopChildToRootTranslation proc near	; CODE XREF: PnpBuildCmResourceList+206p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E462C SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_18], 0
		cmp	[ebp+arg_4], 1
		push	ebx
		push	esi
		push	edi
		mov	esi, 20207050h
		mov	[ebp+var_C], edx
		push	esi
		push	10h
		push	1
		mov	ebx, ecx
		mov	[ebp+var_1], 0
		setz	byte ptr [ebp+arg_4+3]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_14], edi
		test	edi, edi
		jz	loc_8E4634
		push	esi
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	loc_8E462C
		mov	esi, [ebp+arg_8]
		movsd
		movsd
		movsd
		movsd
		test	ebx, ebx
		jz	loc_8E463E
		mov	eax, [ebx+10h]
		mov	[ebp+var_10], eax

loc_87959C:				; CODE XREF: IopChildToRootTranslation+6B11Ej
		mov	esi, [ebp+var_14]
		jmp	short loc_8795BF
; 

loc_8795A1:				; CODE XREF: IopChildToRootTranslation+B6j
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+arg_0]
		mov	byte ptr [ebp+arg_4+3],	1
		call	_IopFindLegacyBusDeviceNode@8 ;	IopFindLegacyBusDeviceNode(x,x)
		cmp	[ebp+var_C], 0
		mov	ebx, eax
		jz	loc_879658

loc_8795BC:				; CODE XREF: IopChildToRootTranslation+126j
					; IopChildToRootTranslation+6B12Fj
		mov	ecx, [ebp+var_8]

loc_8795BF:				; CODE XREF: IopChildToRootTranslation+6Bj
					; IopChildToRootTranslation+AEj
		test	ebx, ebx
		jz	short loc_879639
		cmp	[ebp+var_1], 0
		jnz	short loc_879639
		mov	edi, _IopRootDeviceNode
		cmp	ebx, edi
		jz	short loc_8795E4

loc_8795D3:				; CODE XREF: IopChildToRootTranslation+B4j
		lea	edx, [ebx+150h]
		mov	eax, [edx]
		cmp	eax, edx
		jnz	short loc_8795EC

loc_8795DF:				; CODE XREF: IopChildToRootTranslation+D0j
					; IopChildToRootTranslation+FDj ...
		mov	ebx, [ebx+8]
		jmp	short loc_8795BF
; 

loc_8795E4:				; CODE XREF: IopChildToRootTranslation+9Dj
		cmp	byte ptr [ebp+arg_4+3],	0
		jnz	short loc_8795D3
		jmp	short loc_8795A1
; 

loc_8795EC:				; CODE XREF: IopChildToRootTranslation+A9j
		mov	ecx, [ebp+arg_8]
		mov	cl, [ecx]
		mov	[ebp+var_2], cl

loc_8795F4:				; CODE XREF: IopChildToRootTranslation+120j
		mov	cl, [ebp+var_2]
		cmp	[eax+8], cl
		mov	ecx, [ebp+var_8]
		jnz	short loc_879650
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	short loc_8795DF
		push	ecx
		push	[ebp+var_10]
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	esi
		push	dword ptr [eax+4]
		call	dword ptr [eax+10h]
		mov	edi, eax
		mov	[ebp+var_18], edi
		test	edi, edi
		js	loc_8E4668
		mov	ecx, esi
		mov	esi, [ebp+var_8]
		mov	[ebp+var_8], ecx
		cmp	edi, 120h
		jnz	short loc_8795DF
		mov	[ebp+var_1], 1
		jmp	short loc_8795DF
; 

loc_879639:				; CODE XREF: IopChildToRootTranslation+8Dj
					; IopChildToRootTranslation+93j
		mov	eax, [ebp+arg_C]
		push	0
		push	ecx
		mov	[eax], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_18]

loc_879649:				; CODE XREF: IopChildToRootTranslation+6B105j
					; IopChildToRootTranslation+6B148j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_879650:				; CODE XREF: IopChildToRootTranslation+C9j
		mov	eax, [eax]
		cmp	eax, edx
		jnz	short loc_8795F4
		jmp	short loc_8795DF
; 

loc_879658:				; CODE XREF: IopChildToRootTranslation+82j
		cmp	ebx, edi
		jnz	loc_8795BC
		jmp	loc_8E4657
IopChildToRootTranslation endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopParentToRawTranslation(x)
_IopParentToRawTranslation@4 proc near	; CODE XREF: PnpBuildCmResourceList+1A5p
					; IopParentToRawTranslation(x)+3Ej
		xor	eax, eax
		cmp	[ecx+20h], eax
		jz	short loc_8796AB
		cmp	byte ptr [ecx+50h], 8
		jz	short loc_8796AB
		cmp	[ecx+0Ch], eax
		jz	short loc_879679
		retn
; 

loc_879679:				; CODE XREF: IopParentToRawTranslation(x)+10j
		mov	eax, [ecx+0B0h]
		push	esi
		mov	esi, [ecx+14h]
		mov	eax, [eax+0Ch]
		push	dword ptr [esi+44h]
		push	dword ptr [esi+28h]
		push	dword ptr [esi+24h]
		push	dword ptr [esi+20h]
		push	1
		push	dword ptr [ecx+44h]
		push	dword ptr [eax+4]
		call	dword ptr [eax+10h]
		test	eax, eax
		js	short loc_8796A9
		mov	ecx, esi
		pop	esi
		jmp	_IopParentToRawTranslation@4 ; IopParentToRawTranslation(x)
; 

loc_8796A9:				; CODE XREF: IopParentToRawTranslation(x)+39j
		pop	esi
		retn
; 

loc_8796AB:				; CODE XREF: IopParentToRawTranslation(x)+5j
					; IopParentToRawTranslation(x)+Bj
		mov	eax, 0C000000Dh
		retn
_IopParentToRawTranslation@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopResourceRequirementsListToReqList proc near ; CODE XREF: .text:0057244Cp
					; PnpGetResourceRequirementsForAssignTable+141p ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E4681 SIZE 0000008F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		and	[ebp+var_20], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		and	dword ptr [eax], 0
		mov	esi, [ecx+14h]
		mov	[ebp+var_48], eax
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], esi
		mov	edi, [esi+1Ch]
		mov	edx, edi
		mov	[ebp+var_24], edi
		test	edx, edx
		jz	loc_8E4709
		mov	ebx, [esi]
		lea	eax, [esi+20h]
		add	ebx, esi
		mov	[ebp+var_8], eax
		mov	ecx, eax
		mov	[ebp+var_34], ebx
		xor	eax, eax
		xor	esi, esi
		sub	edx, 1
		mov	[ebp+var_10], eax
		js	loc_8797B5

loc_879701:				; CODE XREF: IopResourceRequirementsListToReqList+F1j
		lea	eax, [ecx+8]
		mov	ecx, [ecx+4]
		shl	ecx, 5
		add	ecx, eax
		cmp	eax, ecx
		jz	loc_8E4709
		ja	loc_8E4689
		cmp	eax, ebx
		ja	loc_8E4689
		cmp	ecx, ebx
		ja	loc_8E4689
		cmp	byte ptr [eax+1], 80h
		jnz	short loc_879733
		add	eax, 20h

loc_879733:				; CODE XREF: IopResourceRequirementsListToReqList+7Cj
		mov	[ebp+var_38], eax
		jmp	short loc_879747
; 

loc_879738:				; CODE XREF: IopResourceRequirementsListToReqList+B8j
					; IopResourceRequirementsListToReqList+BAj
		cmp	bl, 0F0h
		jz	loc_8E4681

loc_879741:				; CODE XREF: IopResourceRequirementsListToReqList+6AFD2j
		mov	byte ptr [eax],	1
		add	eax, 20h

loc_879747:				; CODE XREF: IopResourceRequirementsListToReqList+84j
					; IopResourceRequirementsListToReqList+CEj ...
		mov	bh, 1

loc_879749:				; CODE XREF: IopResourceRequirementsListToReqList+CAj
		cmp	eax, ecx
		jnb	short loc_87979D
		mov	bl, [eax+1]
		movzx	edi, bl
		mov	[ebp+var_3C], esi
		sub	edi, 80h
		jz	loc_8E4689
		sub	edi, 1
		jz	short loc_87977E
		inc	esi
		test	bl, bl
		js	short loc_879738
		jz	short loc_879738
		test	byte ptr [eax],	8
		jnz	loc_879AF2
		xor	bh, bh

loc_879779:				; CODE XREF: IopResourceRequirementsListToReqList+44Bj
		add	eax, 20h
		jmp	short loc_879749
; 

loc_87977E:				; CODE XREF: IopResourceRequirementsListToReqList+B3j
		cmp	eax, ecx
		jnb	short loc_879747
		mov	ebx, [ebp+var_38]

loc_879785:				; CODE XREF: IopResourceRequirementsListToReqList+E7j
		cmp	byte ptr [eax+1], 81h
		jnz	short loc_879747
		cmp	eax, ebx
		jz	loc_8E4689
		add	eax, 20h
		inc	esi
		cmp	eax, ecx
		jb	short loc_879785
		jmp	short loc_879747
; 

loc_87979D:				; CODE XREF: IopResourceRequirementsListToReqList+99j
		sub	edx, 1
		mov	ebx, [ebp+var_34]
		jns	loc_879701
		mov	eax, [ebp+var_14]
		mov	edi, [eax+1Ch]
		mov	eax, [ebp+var_10]
		mov	[ebp+var_24], edi

loc_8797B5:				; CODE XREF: IopResourceRequirementsListToReqList+49j
		xor	ecx, ecx
		mov	[ebp+var_3C], 0C0000001h
		sub	esi, eax
		mov	[ebp+var_18], ecx
		mov	ebx, ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	eax, esi
		mov	ecx, 0B4h
		mov	[ebp+var_4], ebx
		mul	ecx
		lea	ecx, [ebp+var_18]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_8E46FF
		push	4
		pop	ecx
		cmp	esi, 1
		jbe	loc_879B15
		lea	eax, [esi-1]
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	ebx, [ebp+var_4]

loc_879807:				; CODE XREF: IopResourceRequirementsListToReqList+465j
		test	eax, eax
		js	loc_8E46FF
		lea	eax, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		push	18h
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_8E46FF
		mov	eax, [ebp+var_4]
		lea	ecx, [ebp+var_4]
		mul	edi
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_8E46FF
		cmp	edi, 1
		ja	loc_879B5A
		xor	eax, eax

loc_879847:				; CODE XREF: IopResourceRequirementsListToReqList+4BAj
		test	eax, eax
		js	loc_8E46FF
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_10]
		push	eax
		push	1Ch
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_8E46FF
		mov	esi, [ebp+var_4]
		lea	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_8E46FF
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_C]
		mov	ecx, [ebp+var_C]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_8E46FF
		push	20207050h
		push	[ebp+var_C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8E4693
		push	[ebp+var_C]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		add	eax, ebx
		mov	[ebp+var_4], eax
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		add	eax, esi
		mov	[ebp+var_28], eax
		push	[ebp+var_18]	; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_14]
		add	esp, 0Ch
		mov	eax, [ecx+4]
		mov	[ebp+var_10], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_8E469D

loc_8798F9:				; CODE XREF: IopResourceRequirementsListToReqList+6AFF1j
		mov	ecx, [ecx+8]
		lea	esi, [ebx+18h]
		mov	edx, [ebp+var_1C]
		and	dword ptr [ebx+0Ch], 0
		mov	[ebx], eax
		mov	eax, edi
		shl	eax, 2
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		mov	[ebp+var_2C], ecx
		mov	[ebx+14h], edi
		mov	[ebx+8], edx
		mov	[ebx+4], ecx
		mov	[ebp+var_C], esi
		call	_memset
		mov	eax, [ebp+var_24]
		add	esp, 0Ch
		xor	edi, edi
		sub	eax, 1
		mov	[ebp+var_38], eax
		js	loc_879ACA
		mov	eax, [ebp+var_8]

loc_87993C:				; CODE XREF: IopResourceRequirementsListToReqList+412j
		mov	edx, [ebp+var_4]
		mov	ecx, edx
		mov	[ebp+var_44], esi
		lea	esi, [eax+8]
		mov	eax, [eax+4]
		shl	eax, 5
		add	eax, esi
		mov	[ebp+var_40], edi
		mov	[ebp+var_8], eax
		mov	eax, edx
		add	edx, 14h
		mov	[ebp+var_34], eax
		mov	[ebp+var_4], edx
		mov	edx, [ebp+var_C]
		mov	[edx], eax
		add	edx, 4
		and	dword ptr [eax+10h], 0
		mov	[eax+0Ch], edi
		inc	edi
		mov	[eax+8], ebx
		cmp	byte ptr [esi+1], 80h
		mov	[ebp+var_C], edx
		jnz	loc_879B0B
		lea	eax, [esi+8]
		add	esi, 20h
		mov	eax, [eax]

loc_879988:				; CODE XREF: IopResourceRequirementsListToReqList+45Ej
		mov	[ecx], eax
		mov	edx, [ebp+var_4]
		and	[ebp+var_18], 0
		mov	[ebp+var_24], edx

loc_879994:				; CODE XREF: IopResourceRequirementsListToReqList+3E2j
					; IopResourceRequirementsListToReqList+4A3j
		mov	eax, [ebp+var_8]
		cmp	esi, eax
		jnb	loc_879ABD
		cmp	byte ptr [esi+1], 0F0h
		jz	loc_8E46A8
		mov	eax, [ebp+var_28]
		mov	ecx, eax
		mov	edx, [ebp+var_24]
		mov	[ebp+var_30], eax
		add	eax, 0B4h
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_34]
		inc	dword ptr [eax+10h]
		mov	[edx], ecx
		add	edx, 4
		and	dword ptr [ecx+0A8h], 0
		and	dword ptr [ecx+0ACh], 0
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+var_18]
		mov	[ecx+10h], eax
		inc	eax
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_10]
		mov	[ecx], eax
		mov	eax, [ebp+var_2C]
		mov	[ecx+14h], ecx
		mov	[ecx+4], eax
		mov	al, [esi+1]
		mov	[ebp+var_24], edx
		test	al, al
		js	loc_879B1C
		jz	loc_879B1C
		mov	al, 1

loc_879A06:				; CODE XREF: IopResourceRequirementsListToReqList+46Cj
		mov	[ecx+8], al
		lea	edx, [ecx+18h]
		push	4
		pop	eax
		add	[ebp+var_4], eax
		mov	eax, [ebp+var_1C]
		mov	[edx+4], edx
		mov	[edx], edx
		and	dword ptr [edx+8], 0
		mov	[edx+0Ch], esi
		mov	eax, [eax]
		mov	[edx+10h], eax
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+8]
		and	dword ptr [edx+1Ch], 0
		mov	[edx+14h], eax
		mov	eax, [ebp+var_10]
		mov	[edx+20h], eax
		mov	eax, [ebp+var_14]
		mov	eax, [eax+0Ch]
		mov	[edx+24h], eax
		mov	eax, [ebp+var_14]
		mov	eax, [eax+8]
		or	dword ptr [edx+34h], 0FFFFFFFFh
		and	dword ptr [edx+18h], 0
		cmp	byte ptr [ecx+8], 0
		mov	[edx+28h], eax
		lea	eax, [ecx+50h]
		mov	[edx+2Ch], eax
		jz	loc_879B23
		mov	eax, [ebp+var_30]
		mov	[ebp+var_20], 1
		mov	byte ptr [eax+50h], 8
		inc	dword ptr [edx+8]
		mov	eax, [edx+8]

loc_879A77:				; CODE XREF: IopResourceRequirementsListToReqList+454j
		add	esi, 20h
		cmp	esi, [ebp+var_8]
		jnb	short loc_879A8A
		cmp	byte ptr [esi+1], 81h
		jz	short loc_879A9F
		test	byte ptr [esi],	8
		jnz	short loc_879B02

loc_879A8A:				; CODE XREF: IopResourceRequirementsListToReqList+3CBj
					; IopResourceRequirementsListToReqList+3F8j ...
		call	IopSetupArbiterAndTranslators
		mov	[ebp+var_30], eax
		test	eax, eax
		jns	loc_879994
		jmp	loc_8E46C5
; 

loc_879A9F:				; CODE XREF: IopResourceRequirementsListToReqList+3D1j
		mov	eax, [ebp+var_8]
		mov	[ecx+0ACh], esi

loc_879AA8:				; CODE XREF: IopResourceRequirementsListToReqList+409j
		cmp	esi, eax
		jnb	short loc_879A8A
		cmp	byte ptr [esi+1], 81h
		jnz	short loc_879A8A
		inc	dword ptr [ecx+0A8h]
		add	esi, 20h
		jmp	short loc_879AA8
; 

loc_879ABD:				; CODE XREF: IopResourceRequirementsListToReqList+2E7j
		mov	esi, [ebp+var_C]

loc_879AC0:				; CODE XREF: IopResourceRequirementsListToReqList+6B030j
		sub	[ebp+var_38], 1
		jns	loc_87993C

loc_879ACA:				; CODE XREF: IopResourceRequirementsListToReqList+281j
		test	edi, edi
		jz	loc_8E46E7

loc_879AD2:				; CODE XREF: IopResourceRequirementsListToReqList+6B03Cj
		neg	edi
		sbb	edi, edi
		not	edi
		and	edi, [ebp+var_3C]
		jnz	short loc_879AEB
		cmp	[ebp+var_20], edi
		jz	loc_8E46F3
		mov	eax, [ebp+var_48]
		mov	[eax], ebx

loc_879AEB:				; CODE XREF: IopResourceRequirementsListToReqList+429j
					; IopResourceRequirementsListToReqList+6B048j
		mov	eax, edi

loc_879AED:				; CODE XREF: IopResourceRequirementsListToReqList+6AFDCj
					; IopResourceRequirementsListToReqList+6AFE6j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_879AF2:				; CODE XREF: IopResourceRequirementsListToReqList+BFj
		test	bh, bh
		jnz	loc_8E4689
		inc	[ebp+var_10]
		jmp	loc_879779
; 

loc_879B02:				; CODE XREF: IopResourceRequirementsListToReqList+3D6j
		inc	eax
		mov	[edx+8], eax
		jmp	loc_879A77
; 

loc_879B0B:				; CODE XREF: IopResourceRequirementsListToReqList+2C8j
		mov	eax, 3000h
		jmp	loc_879988
; 

loc_879B15:				; CODE XREF: IopResourceRequirementsListToReqList+13Dj
		xor	eax, eax
		jmp	loc_879807
; 

loc_879B1C:				; CODE XREF: IopResourceRequirementsListToReqList+346j
					; IopResourceRequirementsListToReqList+34Cj
		xor	al, al
		jmp	loc_879A06
; 

loc_879B23:				; CODE XREF: IopResourceRequirementsListToReqList+3ABj
		mov	al, [esi+1]
		mov	edx, [ebp+var_30]
		mov	[edx+50h], al
		mov	al, [esi+2]
		mov	[ecx+51h], al
		mov	ax, [esi+4]
		mov	[ecx+52h], ax
		mov	eax, [esi+8]
		mov	[ecx+54h], eax
		mov	eax, [esi+0Ch]
		mov	[ecx+58h], eax
		mov	eax, [esi+10h]
		mov	[ecx+5Ch], eax
		cmp	byte ptr [esi+1], 84h
		jz	short loc_879B71

loc_879B52:				; CODE XREF: IopResourceRequirementsListToReqList+4C6j
					; IopResourceRequirementsListToReqList+6B00Ej
		add	esi, 20h
		jmp	loc_879994
; 

loc_879B5A:				; CODE XREF: IopResourceRequirementsListToReqList+18Dj
		push	4
		pop	ecx
		lea	eax, [edi-1]
		mul	ecx
		lea	ecx, [ebp+var_10]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		jmp	loc_879847
; 

loc_879B71:				; CODE XREF: IopResourceRequirementsListToReqList+49Ej
		mov	[ebp+var_20], 1
		jmp	short loc_879B52
IopResourceRequirementsListToReqList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSetupArbiterAndTranslators proc near	; CODE XREF: IopResourceRequirementsListToReqList:loc_879A8Ap

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 008E4710 SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_10], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], eax
		mov	ch, al
		mov	[ebp+var_1C], eax
		mov	bh, al
		mov	[ebp+var_18], eax
		mov	cl, 1
		mov	[ebp+var_8], edi
		mov	eax, [edi+14h]
		mov	edx, [edi+28h]
		mov	[ebp+var_24], edx
		mov	[ebp+var_1], cl
		mov	eax, [eax+24h]
		mov	[ebp+var_3], ch
		mov	bl, [eax+1]
		mov	byte ptr [ebp+var_C], bl
		cmp	bl, 7
		jz	loc_8E4710

loc_879BC0:				; CODE XREF: IopSetupArbiterAndTranslators+6AB9Bj
		mov	eax, [edi+2Ch]
		cmp	eax, 1
		jz	loc_879D59

loc_879BCC:				; CODE XREF: IopSetupArbiterAndTranslators+1E2j
		xor	cl, cl

loc_879BCE:				; CODE XREF: IopSetupArbiterAndTranslators+1EAj
		mov	[ebp+var_2], cl
		test	edx, edx
		jz	loc_879D69
		cmp	eax, 1
		jz	loc_879D69
		mov	eax, [edx+0B0h]
		mov	esi, [eax+14h]

loc_879BEB:				; CODE XREF: IopSetupArbiterAndTranslators+1F5j
		test	esi, esi
		jz	loc_8E476F

loc_879BF3:				; CODE XREF: IopSetupArbiterAndTranslators+11Fj
		mov	eax, _IopRootDeviceNode
		mov	[ebp+var_20], eax
		cmp	esi, eax
		jz	loc_879C9E

loc_879C03:				; CODE XREF: IopSetupArbiterAndTranslators+126j
					; IopSetupArbiterAndTranslators+12Ej
		test	bh, bh
		jnz	short loc_879C54
		mov	eax, [esi+10h]
		mov	[ebp+var_20], eax
		cmp	eax, edx
		jz	short loc_879C54
		lea	eax, [ebp+var_14]
		mov	edx, esi
		push	eax
		push	[ebp+var_C]
		push	2
		pop	ecx
		call	_IopFindResourceHandlerInfo@16 ; IopFindResourceHandlerInfo(x,x,x,x)
		test	al, al
		jz	loc_879D74

loc_879C2A:				; CODE XREF: IopSetupArbiterAndTranslators+235j
		mov	edi, [ebp+var_14]

loc_879C2D:				; CODE XREF: IopSetupArbiterAndTranslators+306j
		test	edi, edi
		jz	loc_879CE8
		mov	eax, [edi+0Ch]
		mov	bh, 1
		test	[eax+14h], bh
		jnz	loc_879CF0

loc_879C43:				; CODE XREF: IopSetupArbiterAndTranslators+18Aj
		mov	eax, [ebp+var_8]
		mov	[eax+0B0h], edi
		mov	word ptr [edi+34h], 0
		mov	edi, eax

loc_879C54:				; CODE XREF: IopSetupArbiterAndTranslators+8Bj
					; IopSetupArbiterAndTranslators+95j ...
		cmp	[ebp+var_1], 0
		jz	short loc_879C89
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		push	eax
		push	[ebp+var_C]
		mov	edx, esi
		inc	ecx
		call	_IopFindResourceHandlerInfo@16 ; IopFindResourceHandlerInfo(x,x,x,x)
		test	al, al
		jz	loc_879D0F

loc_879C73:				; CODE XREF: IopSetupArbiterAndTranslators+1D4j
		mov	edi, [ebp+var_18]

loc_879C76:				; CODE XREF: IopSetupArbiterAndTranslators+352j
		test	edi, edi
		jnz	short loc_879CD3

loc_879C7A:				; CODE XREF: IopSetupArbiterAndTranslators+15Dj
		test	bh, bh
		jnz	short loc_879C86
		test	edi, edi
		jnz	loc_879DBA

loc_879C86:				; CODE XREF: IopSetupArbiterAndTranslators+102j
		mov	edi, [ebp+var_8]

loc_879C89:				; CODE XREF: IopSetupArbiterAndTranslators+DEj
					; IopSetupArbiterAndTranslators+292j
		mov	esi, [esi+8]

loc_879C8C:				; CODE XREF: IopSetupArbiterAndTranslators+147j
					; IopSetupArbiterAndTranslators+152j ...
		test	esi, esi
		jz	short loc_879CD9
		mov	cl, [ebp+var_2]
		mov	edx, [ebp+var_24]
		mov	ch, [ebp+var_3]
		jmp	loc_879BF3
; 

loc_879C9E:				; CODE XREF: IopSetupArbiterAndTranslators+83j
		test	ch, ch
		jnz	loc_879C03
		test	cl, cl
		jnz	loc_879C03
		mov	ecx, [edi]
		mov	edx, [edi+4]
		mov	[ebp+var_2], 1
		call	_IopFindLegacyBusDeviceNode@8 ;	IopFindLegacyBusDeviceNode(x,x)
		mov	esi, eax
		cmp	esi, [ebp+var_20]
		jnz	short loc_879C8C
		mov	ecx, [edi+0Ch]
		mov	ecx, [ecx+8]
		cmp	dword ptr [ecx], 0
		jnz	short loc_879C8C
		jmp	loc_8E471A
; 

loc_879CD3:				; CODE XREF: IopSetupArbiterAndTranslators+FEj
		mov	[ebp+var_3], 1
		jmp	short loc_879C7A
; 

loc_879CD9:				; CODE XREF: IopSetupArbiterAndTranslators+114j
		test	bh, bh
		jz	loc_8E476F
		xor	eax, eax

loc_879CE3:				; CODE XREF: IopSetupArbiterAndTranslators+6ABE9j
					; IopSetupArbiterAndTranslators+6ABF0j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_879CE8:				; CODE XREF: IopSetupArbiterAndTranslators+B5j
					; IopSetupArbiterAndTranslators+6ABC4j
		mov	edi, [ebp+var_8]
		jmp	loc_879C54
; 

loc_879CF0:				; CODE XREF: IopSetupArbiterAndTranslators+C3j
		mov	eax, [ebp+var_8]
		push	ecx
		push	ecx
		mov	ecx, edi
		push	dword ptr [eax+14h]
		push	7
		pop	edx
		call	IopCallArbiter
		test	eax, eax
		jns	loc_879C43
		jmp	loc_8E473C
; 

loc_879D0F:				; CODE XREF: IopSetupArbiterAndTranslators+F3j
		cmp	bl, 0Fh
		ja	loc_8E4743
		xor	eax, eax
		mov	cl, bl
		inc	eax
		shl	ax, cl
		movzx	edi, ax

loc_879D23:				; CODE XREF: IopSetupArbiterAndTranslators+6ABCBj
		mov	edx, [esi+10h]
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_C]
		xor	ecx, ecx
		inc	ecx
		call	IopQueryResourceHandlerInterface
		or	[esi+15Ah], di
		test	eax, eax
		jns	loc_879E85
		or	[esi+158h], di
		cmp	bl, 0Fh
		jbe	loc_879C73
		jmp	loc_8E474A
; 

loc_879D59:				; CODE XREF: IopSetupArbiterAndTranslators+4Cj
		cmp	dword ptr [edi], 0
		jnz	loc_879BCC
		mov	cl, 1
		jmp	loc_879BCE
; 

loc_879D69:				; CODE XREF: IopSetupArbiterAndTranslators+59j
					; IopSetupArbiterAndTranslators+62j
		mov	esi, _IopRootDeviceNode
		jmp	loc_879BEB
; 

loc_879D74:				; CODE XREF: IopSetupArbiterAndTranslators+AAj
		cmp	bl, 0Fh
		ja	loc_8E472B
		xor	eax, eax
		mov	cl, bl
		inc	eax
		shl	ax, cl
		movzx	edi, ax

loc_879D88:				; CODE XREF: IopSetupArbiterAndTranslators+6ABB3j
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_C]
		push	2
		pop	ecx
		call	IopQueryResourceHandlerInterface
		or	[esi+15Eh], di
		test	eax, eax
		jns	short loc_879E11
		or	[esi+15Ch], di
		cmp	bl, 0Fh
		jbe	loc_879C2A
		jmp	loc_8E4732
; 

loc_879DBA:				; CODE XREF: IopSetupArbiterAndTranslators+106j
		mov	eax, [ebp+var_8]
		mov	edx, edi
		mov	ecx, [eax+14h]
		lea	eax, [ebp+var_1C]
		push	eax
		call	IopTranslateAndAdjustReqDesc
		mov	edx, eax
		test	edx, edx
		js	loc_8E4768
		mov	ecx, [ebp+var_1C]
		mov	ecx, [ecx+24h]
		mov	bl, [ecx+1]
		mov	byte ptr [ebp+var_C], bl
		cmp	bl, 7
		jz	loc_8E4754

loc_879DEA:				; CODE XREF: IopSetupArbiterAndTranslators+6ABDFj
		mov	edi, [ebp+var_8]
		cmp	edx, 120h
		mov	ecx, [ebp+var_1C]
		mov	eax, [edi+14h]
		mov	[ecx+14h], eax
		setz	al
		mov	[edi+14h], ecx
		dec	al
		mov	cl, [ebp+var_1]
		and	cl, al
		mov	[ebp+var_1], cl
		jmp	loc_879C89
; 

loc_879E11:				; CODE XREF: IopSetupArbiterAndTranslators+229j
		mov	edi, [ebp+var_10]

loc_879E14:				; CODE XREF: IopSetupArbiterAndTranslators+6ABBDj
		push	20207050h
		push	38h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_8E475E
		mov	word ptr [edx+34h], 0
		lea	ecx, [edx+2Ch]
		mov	[ecx+4], ecx
		lea	eax, [edx+24h]
		mov	[ecx], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edx+14h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edx+1Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+148h]
		mov	[edx+4], edx
		mov	[edx], edx
		mov	[edx+8], bl
		mov	[edx+10h], esi
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_879ED1
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[eax+4], edx
		mov	[edx+0Ch], edi
		neg	edi
		sbb	edi, edi
		and	edi, edx
		mov	[ebp+var_14], edi
		jmp	loc_879C2D
; 

loc_879E85:				; CODE XREF: IopSetupArbiterAndTranslators+1C4j
		mov	edi, [ebp+var_10]

loc_879E88:				; CODE XREF: IopSetupArbiterAndTranslators+6ABD5j
		push	20207050h
		push	14h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_8E475E
		mov	[eax+8], bl
		lea	ecx, [esi+150h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[eax+0Ch], edi
		mov	[eax+10h], esi
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_879ED1
		neg	edi
		mov	[eax], ecx
		mov	[eax+4], edx
		sbb	edi, edi
		mov	[edx], eax
		and	edi, eax
		mov	[ecx+4], eax
		mov	[ebp+var_18], edi
		jmp	loc_879C76
; 

loc_879ED1:				; CODE XREF: IopSetupArbiterAndTranslators+2EEj
					; IopSetupArbiterAndTranslators+33Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
IopSetupArbiterAndTranslators endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFindResourceHandlerInfo(x, x, x,	x)
_IopFindResourceHandlerInfo@16 proc near ; CODE	XREF: IoTranslateBusAddress(x,x,x,x,x,x)+D7p
					; IopSetupArbiterAndTranslators+A3p ...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		and	dword ptr [ebx], 0
		sub	ecx, 1
		jnz	short loc_879F35
		movzx	edi, word ptr [edx+158h]
		mov	eax, 150h
		movzx	esi, word ptr [edx+15Ah]

loc_879EFC:				; CODE XREF: IopFindResourceHandlerInfo(x,x,x,x)+77j
		mov	cl, [ebp+arg_0]
		add	edx, eax
		xor	eax, eax
		inc	eax
		shl	ax, cl
		movzx	eax, ax
		and	edi, eax
		test	di, di
		jz	short loc_879F1A

loc_879F11:				; CODE XREF: IopFindResourceHandlerInfo(x,x,x,x)+5Dj
					; IopFindResourceHandlerInfo(x,x,x,x)+8Aj
		mov	al, 1

loc_879F13:				; CODE XREF: IopFindResourceHandlerInfo(x,x,x,x)+84j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_879F1A:				; CODE XREF: IopFindResourceHandlerInfo(x,x,x,x)+39j
		and	esi, eax
		test	si, si
		jz	short loc_879F53

loc_879F21:				; CODE XREF: IopFindResourceHandlerInfo(x,x,x,x)+80j
		mov	eax, [edx]

loc_879F23:				; CODE XREF: IopFindResourceHandlerInfo(x,x,x,x)+7Bj
		cmp	eax, edx
		jz	short loc_879F58
		cmp	[eax+8], cl
		jnz	short loc_879F4F
		cmp	cl, 0Fh
		ja	short loc_879F5C

loc_879F31:				; CODE XREF: IopFindResourceHandlerInfo(x,x,x,x)+8Cj
		mov	[ebx], eax
		jmp	short loc_879F11
; 

loc_879F35:				; CODE XREF: IopFindResourceHandlerInfo(x,x,x,x)+11j
		sub	ecx, 1
		jnz	short loc_879F58
		movzx	edi, word ptr [edx+15Ch]
		mov	eax, 148h
		movzx	esi, word ptr [edx+15Eh]
		jmp	short loc_879EFC
; 

loc_879F4F:				; CODE XREF: IopFindResourceHandlerInfo(x,x,x,x)+54j
		mov	eax, [eax]
		jmp	short loc_879F23
; 

loc_879F53:				; CODE XREF: IopFindResourceHandlerInfo(x,x,x,x)+49j
		cmp	cl, 0Fh
		ja	short loc_879F21

loc_879F58:				; CODE XREF: IopFindResourceHandlerInfo(x,x,x,x)+4Fj
					; IopFindResourceHandlerInfo(x,x,x,x)+62j
		xor	al, al
		jmp	short loc_879F13
; 

loc_879F5C:				; CODE XREF: IopFindResourceHandlerInfo(x,x,x,x)+59j
		cmp	dword ptr [eax+0Ch], 0
		jz	short loc_879F11
		jmp	short loc_879F31
_IopFindResourceHandlerInfo@16 endp


;  S U B	R O U T	I N E 


; __stdcall IopFindLegacyBusDeviceNode(x, x)
_IopFindLegacyBusDeviceNode@8 proc near	; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+B1p
					; IopChildToRootTranslation+77p ...
		mov	edi, edi
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, _IopRootDeviceNode
		cmp	ecx, 0Fh
		jnz	short loc_879F7A

loc_879F75:				; CODE XREF: IopFindLegacyBusDeviceNode(x,x)+19j
					; IopFindLegacyBusDeviceNode(x,x)+2Bj ...
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_879F7A:				; CODE XREF: IopFindLegacyBusDeviceNode(x,x)+Fj
		cmp	ecx, 11h
		ja	short loc_879F75
		cmp	ecx, 2
		jz	short loc_879FAA

loc_879F84:				; CODE XREF: IopFindLegacyBusDeviceNode(x,x)+49j
		lea	ecx, _IopLegacyBusInformationTable[ecx*8]
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	short loc_879F75
		push	edi

loc_879F92:				; CODE XREF: IopFindLegacyBusDeviceNode(x,x)+42j
		cmp	[eax-60h], ebx
		jnz	short loc_879FA0
		lea	esi, [eax-190h]

loc_879F9D:				; CODE XREF: IopFindLegacyBusDeviceNode(x,x):loc_879FA0j
					; IopFindLegacyBusDeviceNode(x,x)+44j
		pop	edi
		jmp	short loc_879F75
; 

loc_879FA0:				; CODE XREF: IopFindLegacyBusDeviceNode(x,x)+31j
		ja	short loc_879F9D
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	short loc_879F92
		jmp	short loc_879F9D
; 

loc_879FAA:				; CODE XREF: IopFindLegacyBusDeviceNode(x,x)+1Ej
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_879F84
_IopFindLegacyBusDeviceNode@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCallArbiter	proc near		; CODE XREF: .text:0057254Fp
					; .text:0057257Ap ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E4779 SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_1C]
		mov	esi, edx
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ecx+0Ch]
		cmp	esi, 9
		ja	short loc_87A036
		mov	ebx, [ebp+arg_0]
		jmp	ds:off_87A040[esi*4]

loc_879FD8:				; DATA XREF: PAGE:0087A05Co
		mov	esi, ebx
		mov	eax, [esi+18h]
		mov	[ebp+var_C], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_C]
		mov	[esi+1Ch], eax
		mov	[esi+18h], eax
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	7
		push	dword ptr [edi+4]
		call	dword ptr [edi+10h]
		mov	ecx, eax
		mov	eax, [ebp+var_C]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_8]
		mov	[esi+1Ch], eax

loc_87A00C:				; CODE XREF: IopCallArbiter+70j
					; IopCallArbiter+8Bj ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	0Ch
; 

loc_87A015:				; CODE XREF: IopCallArbiter+21j
					; DATA XREF: PAGE:0087A048o ...
		push	0

loc_87A017:				; CODE XREF: IopCallArbiter+6A7E7j
		push	esi

loc_87A018:				; CODE XREF: IopCallArbiter+84j
					; IopCallArbiter+6A815j
		push	dword ptr [edi+4]
		call	dword ptr [edi+10h]
		mov	ecx, eax
		jmp	short loc_87A00C
; 

loc_87A022:				; CODE XREF: IopCallArbiter+21j
					; DATA XREF: PAGE:off_87A040o
		mov	eax, ebx
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		push	ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		push	eax
		jmp	short loc_87A018
; 

loc_87A036:				; CODE XREF: IopCallArbiter+1Cj
					; IopCallArbiter+21j
					; DATA XREF: ...
		mov	ecx, 0C000000Dh
		jmp	short loc_87A00C
IopCallArbiter	endp

; 
		align 10h
off_87A040	dd offset loc_87A022	; DATA XREF: IopCallArbiter+21r
		dd offset loc_8E4779
		dd offset loc_87A015
		dd offset loc_87A036
		dd offset loc_8E479C
		dd offset loc_87A015
		dd offset loc_8E47A6
		dd offset loc_879FD8
		dd offset loc_87A036
		dd offset loc_8E4790

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopQueryResourceHandlerInterface proc near
					; CODE XREF: IoTranslateBusAddress(x,x,x,x,x,x)+F0p
					; IopSetupArbiterAndTranslators+1B6p ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= word ptr -3Ch
var_3A		= word ptr -3Ah
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E47CA SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[ebp+var_20], eax
		mov	ebx, ecx
		xor	eax, eax
		mov	[ebp+var_1C], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		mov	eax, [eax+124h]
		cmp	eax, [edx+8]
		jz	loc_8E47E7
		test	dword ptr [edx+1Ch], 1000h
		jz	loc_8E47E7
		mov	eax, ebx
		sub	eax, 1
		jnz	loc_87A164
		push	1Ch
		mov	esi, offset _GUID_TRANSLATOR_INTERFACE_STANDARD

loc_87A0C8:				; CODE XREF: IopQueryResourceHandlerInterface+108j
					; IopQueryResourceHandlerInterface+144j
		lea	edi, [ebp+var_14]
		movsd
		pop	eax
		push	20207050h
		mov	[ebp+var_18], eax
		movsd
		movsd
		movsd
		movzx	edi, ax
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8E47CA
		push	edi		; size_t
		xor	edi, edi
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_18]
		lea	ecx, [ebp+var_14]
		add	esp, 0Ch
		mov	[esi], ax
		mov	[ebp+var_3C], ax
		lea	edx, [ebp+var_44]
		xor	eax, eax
		mov	[ebp+var_40], ecx
		mov	ecx, [ebp+var_1C]
		push	edi
		mov	[esi+2], ax
		mov	[ebp+var_3A], ax
		movzx	eax, [ebp+arg_0]
		push	edi
		push	0C00000BBh
		mov	[ebp+var_44], 81Bh
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], eax
		call	IopSynchronousCall
		mov	edi, eax
		test	edi, edi
		jns	short loc_87A175

loc_87A149:				; CODE XREF: IopQueryResourceHandlerInterface+123j
					; IopQueryResourceHandlerInterface+6A77Aj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_87A151:				; CODE XREF: IopQueryResourceHandlerInterface+12Aj
		mov	eax, edi

loc_87A153:				; CODE XREF: IopQueryResourceHandlerInterface+14Ej
					; IopQueryResourceHandlerInterface+6A767j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_87A164:				; CODE XREF: IopQueryResourceHandlerInterface+53j
		sub	eax, 1
		jnz	short loc_87A1A0
		push	18h
		mov	esi, offset _GUID_ARBITER_INTERFACE_STANDARD
		jmp	loc_87A0C8
; 

loc_87A175:				; CODE XREF: IopQueryResourceHandlerInterface+DFj
		sub	ebx, 1
		jz	short loc_87A194
		sub	ebx, 1
		jnz	loc_8E47D4

loc_87A183:				; CODE XREF: IopQueryResourceHandlerInterface+6A76Fj
		cmp	dword ptr [esi+10h], 0

loc_87A187:				; CODE XREF: IopQueryResourceHandlerInterface+136j
		jz	short loc_87A1B8

loc_87A189:				; CODE XREF: IopQueryResourceHandlerInterface+155j
		test	edi, edi
		js	short loc_87A149
		mov	eax, [ebp+var_20]
		mov	[eax], esi
		jmp	short loc_87A151
; 

loc_87A194:				; CODE XREF: IopQueryResourceHandlerInterface+110j
		cmp	dword ptr [esi+10h], 0
		jz	short loc_87A1B8
		cmp	dword ptr [esi+14h], 0
		jmp	short loc_87A187
; 

loc_87A1A0:				; CODE XREF: IopQueryResourceHandlerInterface+FFj
		sub	eax, 1
		jnz	short loc_87A1B1
		push	14h
		mov	esi, offset _GUID_LEGACY_DEVICE_DETECTION_STANDARD
		jmp	loc_87A0C8
; 

loc_87A1B1:				; CODE XREF: IopQueryResourceHandlerInterface+13Bj
		mov	eax, 0C000000Dh
		jmp	short loc_87A153
; 

loc_87A1B8:				; CODE XREF: IopQueryResourceHandlerInterface:loc_87A187j
					; IopQueryResourceHandlerInterface+130j
		mov	edi, 0C0000001h
		jmp	short loc_87A189
IopQueryResourceHandlerInterface endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpReadDeviceConfiguration proc	near	; CODE XREF: PnpGetDeviceResourcesFromRegistry+85p
					; PnpGetDeviceResourcesFromRegistry+13Cp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E47F1 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], esi
		mov	[ebx], esi
		mov	[eax], esi
		sub	edx, 1
		jz	loc_8E47FB
		sub	edx, 1
		jnz	short loc_87A204
		mov	edx, offset ??_C@_1BK@MCMDOHI@?$AAF?$AAo?$AAr?$AAc?$AAe?$AAd?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@ ; "ForcedConfig"

loc_87A1EA:				; CODE XREF: PnpReadDeviceConfiguration+53j
					; PnpReadDeviceConfiguration+6A640j
		push	edi
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		call	IopGetRegistryValue
		mov	edi, eax
		test	edi, edi
		jns	short loc_87A215

loc_87A1FB:				; CODE XREF: PnpReadDeviceConfiguration+E1j
		mov	eax, edi
		pop	edi

loc_87A1FE:				; CODE XREF: PnpReadDeviceConfiguration+6A636j
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_87A204:				; CODE XREF: PnpReadDeviceConfiguration+23j
		dec	edx
		sub	edx, 1
		jnz	loc_8E47F1
		mov	edx, offset ??_C@_1BG@MNAOJKEG@?$AAB?$AAo?$AAo?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@ ; "B"
		jmp	short loc_87A1EA
; 

loc_87A215:				; CODE XREF: PnpReadDeviceConfiguration+39j
		mov	esi, [ebp+var_4]
		mov	eax, [esi+4]
		cmp	eax, 8
		jnz	loc_8E481D
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	loc_8E4814
		push	75737050h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jz	short loc_87A2AB
		mov	ecx, [ebp+arg_4]
		mov	eax, [esi+0Ch]
		mov	[ecx], eax
		push	dword ptr [esi+0Ch] ; size_t
		mov	eax, [esi+8]
		add	eax, esi
		push	eax		; void *
		push	dword ptr [ebx]	; void *
		call	_memcpy
		mov	ecx, [ebx]
		add	esp, 0Ch
		xor	ebx, ebx
		mov	[ebp+arg_4], ecx
		lea	eax, [ecx+4]
		cmp	[ecx], ebx
		jbe	short loc_87A299

loc_87A26B:				; CODE XREF: PnpReadDeviceConfiguration+D7j
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_8E4805

loc_87A274:				; CODE XREF: PnpReadDeviceConfiguration+6A64Fj
		lea	ecx, [eax+10h]
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	short loc_87A28F

loc_87A27E:				; CODE XREF: PnpReadDeviceConfiguration+CDj
		xor	edx, edx
		cmp	byte ptr [ecx],	5
		jz	short loc_87A2A6

loc_87A285:				; CODE XREF: PnpReadDeviceConfiguration+E9j
		add	ecx, 10h
		add	ecx, edx
		sub	eax, 1
		jnz	short loc_87A27E

loc_87A28F:				; CODE XREF: PnpReadDeviceConfiguration+BCj
		mov	eax, ecx
		inc	ebx
		mov	ecx, [ebp+arg_4]
		cmp	ebx, [ecx]
		jb	short loc_87A26B

loc_87A299:				; CODE XREF: PnpReadDeviceConfiguration+A9j
					; PnpReadDeviceConfiguration+F0j ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_87A1FB
; 

loc_87A2A6:				; CODE XREF: PnpReadDeviceConfiguration+C3j
		mov	edx, [ecx+4]
		jmp	short loc_87A285
; 

loc_87A2AB:				; CODE XREF: PnpReadDeviceConfiguration+80j
		mov	edi, 0C000009Ah
		jmp	short loc_87A299
PnpReadDeviceConfiguration endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepDbCacheReadDevice proc near		; CODE XREF: KseQueryDeviceData+9Dp
					; KseQueryDeviceDataList(x,x,x,x)+C4p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E4827 SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_C], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		and	dword ptr [eax], 0
		mov	ebx, ecx
		push	24h
		pop	ecx
		mov	[esp+18h+var_4], eax
		mov	[esp+18h+var_8], ebx
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8E4827
		lea	eax, [esi+1Ch]
		mov	edx, ebx
		lea	ecx, [esi+14h]
		mov	[eax+4], eax
		mov	[eax], eax
		call	KsepStringDuplicate
		mov	edi, eax
		test	edi, edi
		js	short loc_87A34D
		lea	ecx, [esp+18h+var_C]
		call	KseShimDatabaseOpen
		mov	ebx, [esp+18h+var_C]
		mov	edi, eax
		test	edi, edi
		js	short loc_87A342
		mov	ecx, [ebx]	; int
		mov	edx, offset _KsepMatchMachineInfo ; int
		push	esi		; int
		push	[esp+1Ch+var_8]	; wchar_t *
		call	KsepDbCacheReadDeviceInternal
		mov	edi, eax
		test	edi, edi
		jns	short loc_87A32F
		cmp	edi, 0C0000225h
		jnz	short loc_87A342

loc_87A32F:				; CODE XREF: KsepDbCacheReadDevice+73j
		mov	ecx, [ebx+28h]
		test	ecx, ecx
		jnz	loc_8E4831

loc_87A33A:				; CODE XREF: KsepDbCacheReadDevice+6A590j
					; KsepDbCacheReadDevice+6A5A1j
		mov	eax, [esp+18h+var_4]
		mov	[eax], esi
		xor	esi, esi

loc_87A342:				; CODE XREF: KsepDbCacheReadDevice+5Cj
					; KsepDbCacheReadDevice+7Bj ...
		test	ebx, ebx
		jz	short loc_87A34D
		mov	ecx, ebx
		call	KseShimDatabaseClose

loc_87A34D:				; CODE XREF: KsepDbCacheReadDevice+49j
					; KsepDbCacheReadDevice+92j
		test	esi, esi
		jnz	short loc_87A35A

loc_87A351:				; CODE XREF: KsepDbCacheReadDevice+AEj
					; KsepDbCacheReadDevice+6A57Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_87A35A:				; CODE XREF: KsepDbCacheReadDevice+9Dj
		push	esi
		call	_KsepCacheDeviceFree@4 ; KsepCacheDeviceFree(x)
		jmp	short loc_87A351
KsepDbCacheReadDevice endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall KsepDbCacheReadDeviceInternal(int,int,wchar_t *,int)
KsepDbCacheReadDeviceInternal proc near	; CODE XREF: KsepDbCacheReadDevice+6Ap
					; KsepDbCacheReadDevice+6A589p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E4858 SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		push	8
		mov	esi, ecx
		lea	edi, [ebp+var_28]
		pop	ecx
		xor	eax, eax
		xor	ebx, ebx
		rep stosd
		push	edx		; int
		push	ebx		; int
		push	ebx		; int
		push	ecx		; int
		push	[ebp+arg_0]	; wchar_t *
		xor	edx, edx
		mov	[ebp+var_4], ebx
		inc	edx
		mov	[ebp+var_8], ebx
		mov	ecx, esi
		call	SdbGetDatabaseMatchEx
		test	eax, eax
		jnz	short loc_87A3A2

loc_87A396:				; CODE XREF: KsepDbCacheReadDeviceInternal+53j
		mov	eax, 0C0000225h

loc_87A39B:				; CODE XREF: KsepDbCacheReadDeviceInternal+7Ej
					; KsepDbCacheReadDeviceInternal+96j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_87A3A2:				; CODE XREF: KsepDbCacheReadDeviceInternal+32j
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, esi
		call	SdbTagRefToTagID
		test	eax, eax
		jz	short loc_87A396
		mov	ebx, [ebp+var_4]
		mov	edx, ebx
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		push	7013h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)

loc_87A3CB:				; CODE XREF: KsepDbCacheReadDeviceInternal+A2j
		mov	edi, eax
		mov	ecx, esi
		test	edi, edi
		jz	short loc_87A406
		lea	eax, [ebp+var_28]
		mov	edx, edi
		push	eax
		call	_KsepDbReadKFlag@12 ; KsepDbReadKFlag(x,x,x)
		test	eax, eax
		js	short loc_87A39B
		push	[ebp+var_20]	; int
		mov	edx, [ebp+var_28]
		push	[ebp+var_24]	; int
		mov	ecx, [ebp+arg_4]
		push	[ebp+var_1C]	; void *
		call	KsepCacheDeviceInsertData
		test	eax, eax
		js	short loc_87A39B
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	SdbFindNextTag
		jmp	short loc_87A3CB
; 

loc_87A406:				; CODE XREF: KsepDbCacheReadDeviceInternal+6Fj
		push	7028h
		mov	edx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)

loc_87A412:				; CODE XREF: KsepDbCacheReadDeviceInternal+6A531j
		mov	edi, eax
		test	edi, edi
		jnz	loc_8E4858
		jmp	loc_87A39B
KsepDbCacheReadDeviceInternal endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IdpValidateAcpiName(x, x)
_IdpValidateAcpiName@8 proc near	; CODE XREF: PipIommuValidateDeviceId+25p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+8]
		test	esi, esi
		jz	short loc_87A45D
		lea	eax, [edi+18h]
		cmp	esi, eax
		jb	short loc_87A464
		mov	ecx, esi
		push	ebx
		lea	ebx, [ecx+1]

loc_87A43C:				; CODE XREF: IdpValidateAcpiName(x,x)+1Fj
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_87A43C
		sub	ecx, ebx
		inc	ecx
		pop	ebx
		cmp	ecx, 1
		jbe	short loc_87A46B
		add	ecx, esi
		lea	eax, [edi+edx]
		cmp	eax, ecx
		sbb	eax, eax
		and	eax, 80000005h

loc_87A45A:				; CODE XREF: IdpValidateAcpiName(x,x)+40j
					; IdpValidateAcpiName(x,x)+47j	...
		pop	edi
		pop	esi
		retn
; 

loc_87A45D:				; CODE XREF: IdpValidateAcpiName(x,x)+Bj
		mov	eax, 0C0000206h
		jmp	short loc_87A45A
; 

loc_87A464:				; CODE XREF: IdpValidateAcpiName(x,x)+12j
		mov	eax, 0C0000141h
		jmp	short loc_87A45A
; 

loc_87A46B:				; CODE XREF: IdpValidateAcpiName(x,x)+28j
		mov	eax, 0C0040038h
		jmp	short loc_87A45A
_IdpValidateAcpiName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAllocateBootResourcesInternal proc near ; CODE XREF:	IopAllocateBootResources(x,x,x)+31p
					; IopReleaseResources(x)+77p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E4898 SIZE 0000007B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	[esp+40h+var_30], ecx
		lea	edi, [esp+40h+var_28]
		push	0Ah
		xor	eax, eax
		mov	[esp+44h+var_2C], edx
		pop	ecx
		rep stosd
		test	edx, edx
		jz	loc_8E4898
		mov	eax, [edx+0B0h]
		mov	esi, [eax+14h]

loc_87A4A4:				; CODE XREF: IopAllocateBootResourcesInternal+6A428j
		mov	edx, [ebp+arg_0]
		push	1
		call	PnpCmResourcesToIoResources
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8E489F
		mov	eax, [esp+40h+var_30]
		lea	edx, [esp+40h+var_10]
		mov	[esp+40h+var_20], eax
		lea	ecx, [esp+40h+var_28]
		mov	eax, [esp+40h+var_2C]
		mov	[esp+40h+var_14], ebx
		mov	[esp+40h+var_28], eax
		call	IopResourceRequirementsListToReqList
		mov	edi, eax
		test	edi, edi
		js	short loc_87A541
		mov	ecx, [esp+40h+var_10]
		test	ecx, ecx
		jz	short loc_87A54E
		call	_IopBootAllocation@4 ; IopBootAllocation(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_87A541
		mov	edx, 80h
		mov	ecx, esi
		call	PipSetDevNodeFlags
		xor	edx, edx
		lea	ecx, [esp+40h+var_28]
		call	PnpBuildCmResourceList
		mov	edi, [esp+40h+var_4]
		test	edi, edi
		js	short loc_87A541
		xor	edi, edi
		cmp	[esi+168h], edi
		jnz	loc_8E48A9
		mov	eax, [esp+40h+var_C]
		mov	[esi+168h], eax

loc_87A529:				; CODE XREF: IopAllocateBootResourcesInternal+6A43Bj
					; IopAllocateBootResourcesInternal+6A44Fj
		mov	eax, [esi+16Ch]
		test	eax, eax
		jnz	loc_8E48C6

loc_87A537:				; CODE XREF: IopAllocateBootResourcesInternal+6A461j
		mov	eax, [esp+40h+var_8]
		mov	[esi+16Ch], eax

loc_87A541:				; CODE XREF: IopAllocateBootResourcesInternal+6Bj
					; IopAllocateBootResourcesInternal+7Ej	...
		mov	ecx, [esp+40h+var_10]
		test	ecx, ecx
		jz	short loc_87A54E
		call	_IopFreeReqList@4 ; IopFreeReqList(x)

loc_87A54E:				; CODE XREF: IopAllocateBootResourcesInternal+73j
					; IopAllocateBootResourcesInternal+D5j
		test	ebx, ebx
		jz	short loc_87A55A
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_87A55A:				; CODE XREF: IopAllocateBootResourcesInternal+DEj
		test	edi, edi
		js	loc_8E48D8

loc_87A562:				; CODE XREF: IopAllocateBootResourcesInternal+6A487j
					; IopAllocateBootResourcesInternal+6A49Cj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
IopAllocateBootResourcesInternal endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopFreeReqList(x)
_IopFreeReqList@4 proc near		; CODE XREF: .text:0057250Dp
					; IopAllocateBootResourcesInternal+D7p	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_87A5A0
		push	ebx
		xor	ebx, ebx
		cmp	[esi+14h], ebx
		jbe	short loc_87A597
		push	edi
		lea	edi, [esi+18h]

loc_87A583:				; CODE XREF: IopFreeReqList(x)+26j
		mov	ecx, [edi]
		call	_IopFreeReqAlternative@4 ; IopFreeReqAlternative(x)
		and	dword ptr [edi], 0
		inc	ebx
		lea	edi, [edi+4]
		cmp	ebx, [esi+14h]
		jb	short loc_87A583
		pop	edi

loc_87A597:				; CODE XREF: IopFreeReqList(x)+Fj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebx

loc_87A5A0:				; CODE XREF: IopFreeReqList(x)+7j
		pop	esi
		retn
_IopFreeReqList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFreeReqAlternative(x)
_IopFreeReqAlternative@4 proc near	; CODE XREF: IopFreeReqList(x)+17p
					; IopResourceRequirementsListToReqList+6B022p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	short loc_87A5DE
		push	ebx
		xor	ebx, ebx
		cmp	[edi+10h], ebx
		jbe	short loc_87A5DD
		lea	ecx, [edi+14h]
		mov	[ebp+var_4], ecx
		push	esi

loc_87A5BE:				; CODE XREF: IopFreeReqAlternative(x)+38j
		mov	eax, [ecx]
		mov	esi, [eax+14h]
		test	esi, esi
		jz	short loc_87A5D0

loc_87A5C7:				; CODE XREF: IopFreeReqAlternative(x)+61j
		cmp	dword ptr [esi+0Ch], 0
		jz	short loc_87A5E1

loc_87A5CD:				; CODE XREF: IopFreeReqAlternative(x)+63j
		mov	ecx, [ebp+var_4]

loc_87A5D0:				; CODE XREF: IopFreeReqAlternative(x)+23j
		inc	ebx
		add	ecx, 4
		mov	[ebp+var_4], ecx
		cmp	ebx, [edi+10h]
		jb	short loc_87A5BE
		pop	esi

loc_87A5DD:				; CODE XREF: IopFreeReqAlternative(x)+13j
		pop	ebx

loc_87A5DE:				; CODE XREF: IopFreeReqAlternative(x)+Bj
		pop	edi
		leave
		retn
; 

loc_87A5E1:				; CODE XREF: IopFreeReqAlternative(x)+29j
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_87A5F4
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+24h], 0

loc_87A5F4:				; CODE XREF: IopFreeReqAlternative(x)+44j
		mov	eax, esi
		mov	esi, [esi+14h]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jnz	short loc_87A5C7
		jmp	short loc_87A5CD
_IopFreeReqAlternative@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopBootAllocation(x)
_IopBootAllocation@4 proc near		; CODE XREF: IopAllocateBootResourcesInternal+75p

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_20]
		stosd
		xor	ebx, ebx
		push	1
		mov	[ebp+var_4], ebx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_10]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], eax
		lea	eax, [ecx+18h]
		mov	[ecx+0Ch], eax
		mov	edx, [eax]
		lea	eax, [ebp+var_10]
		push	eax
		lea	ecx, [edx+14h]
		mov	edx, [edx+10h]
		call	IopAddRemoveReqDescs
		mov	edi, [ebp+var_10]
		lea	eax, [ebp+var_10]
		cmp	edi, eax
		jz	short loc_87A6A0

loc_87A64D:				; CODE XREF: IopBootAllocation(x)+93j
		mov	esi, edi
		mov	[ebp+var_8], edi
		mov	edi, [edi]
		cmp	byte ptr [esi+9], 0
		jz	short loc_87A696
		lea	ebx, [esi-18h]
		mov	[ebp+var_20], ebx
		lea	ecx, [ebp+var_20]
		mov	eax, [esi-20h]
		push	ecx
		push	9
		push	dword ptr [eax+4]
		call	dword ptr [eax+10h]
		test	eax, eax
		js	short loc_87A6A7

loc_87A673:				; CODE XREF: IopBootAllocation(x)+A2j
		mov	eax, [ebp+var_8]
		lea	ecx, [esi-10h]
		mov	word ptr [esi+8], 0
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi-8]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[ecx+4], ecx
		mov	[ecx], ecx

loc_87A696:				; CODE XREF: IopBootAllocation(x)+50j
		lea	eax, [ebp+var_10]
		cmp	edi, eax
		jnz	short loc_87A64D
		mov	ebx, [ebp+var_4]

loc_87A6A0:				; CODE XREF: IopBootAllocation(x)+43j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_87A6A7:				; CODE XREF: IopBootAllocation(x)+69j
		mov	[ebp+var_4], eax
		jmp	short loc_87A673
_IopBootAllocation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAddRemoveReqDescs proc near		; CODE XREF: IopBootAllocation(x)+36p
					; PnpSelectFirstConfiguration(x,x,x,x)+2Cp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 008E4913 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	[ebp+var_8], edx
		mov	eax, ecx
		mov	[ebp+var_4], eax
		test	edx, edx
		jz	short locret_87A722
		push	ebx
		xor	ebx, ebx
		test	edx, edx
		jz	short loc_87A721
		push	esi
		push	edi

loc_87A6C9:				; CODE XREF: IopAddRemoveReqDescs+71j
		mov	edi, [eax+ebx*4]
		cmp	byte ptr [edi+8], 0
		jz	short loc_87A71A
		mov	esi, [edi+0B0h]
		mov	al, [esi+34h]
		test	al, 1
		jnz	loc_87A7A3

loc_87A6E3:				; CODE XREF: IopAddRemoveReqDescs+10Cj
		mov	byte ptr [esi+35h], 1
		mov	eax, [edi+14h]
		add	eax, 18h
		cmp	[ebp+arg_4], 0
		jz	short loc_87A761
		lea	ecx, [esi+14h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	edi, [ecx+4]
		cmp	[edi], ecx
		jnz	loc_87A7BD
		mov	[eax+4], edi
		mov	[eax], ecx
		mov	[edi], eax
		lea	edi, [esi+2Ch]
		mov	[ecx+4], eax
		cmp	[edi], edi
		jz	short loc_87A726

loc_87A717:				; CODE XREF: IopAddRemoveReqDescs+B3j
					; IopAddRemoveReqDescs+D2j ...
		mov	eax, [ebp+var_4]

loc_87A71A:				; CODE XREF: IopAddRemoveReqDescs+24j
		inc	ebx
		cmp	ebx, edx
		jb	short loc_87A6C9
		pop	edi
		pop	esi

loc_87A721:				; CODE XREF: IopAddRemoveReqDescs+19j
		pop	ebx

locret_87A722:				; CODE XREF: IopAddRemoveReqDescs+12j
		leave
		retn	8
; 

loc_87A726:				; CODE XREF: IopAddRemoveReqDescs+69j
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_87A74F
		mov	eax, [esi+10h]
		mov	edi, [ebp+arg_0]
		mov	eax, [eax+54h]
		mov	edx, eax
		mov	[ebp+var_C], eax

loc_87A73D:				; CODE XREF: IopAddRemoveReqDescs+6A26Bj
		mov	eax, [ecx-1Ch]
		cmp	[eax+54h], edx
		jb	loc_8E4913

loc_87A749:				; CODE XREF: IopAddRemoveReqDescs+6A271j
		mov	edx, [ebp+var_8]
		lea	edi, [esi+2Ch]

loc_87A74F:				; CODE XREF: IopAddRemoveReqDescs+81j
		mov	[edi], ecx
		mov	eax, [ecx+4]
		mov	[esi+30h], eax
		mov	eax, [ecx+4]
		mov	[eax], edi
		mov	[ecx+4], edi
		jmp	short loc_87A717
; 

loc_87A761:				; CODE XREF: IopAddRemoveReqDescs+45j
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_87A7BD
		mov	edi, [eax+4]
		cmp	[edi], eax
		jnz	short loc_87A7BD
		mov	[edi], ecx
		mov	[ecx+4], edi
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+14h]
		cmp	[eax], eax
		jnz	short loc_87A717
		lea	eax, [esi+2Ch]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_87A7BD
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_87A7BD
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	edx, [ebp+var_8]
		mov	[eax+4], eax
		mov	[eax], eax
		jmp	loc_87A717
; 

loc_87A7A3:				; CODE XREF: IopAddRemoveReqDescs+31j
		and	al, 0FEh
		mov	[esi+34h], al
		mov	eax, [esi+0Ch]
		push	0
		push	3
		push	dword ptr [eax+4]
		call	dword ptr [eax+10h]
		mov	edx, [ebp+var_8]
		jmp	loc_87A6E3
; 

loc_87A7BD:				; CODE XREF: IopAddRemoveReqDescs+54j
					; IopAddRemoveReqDescs+BAj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
IopAddRemoveReqDescs endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpCmResourcesToIoResources proc near	; CODE XREF: .text:00572427p
					; IopAllocateBootResourcesInternal+37p	...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E4922 SIZE 0000008D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	ecx, edx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx]
		lea	eax, [ecx+4]
		xor	esi, esi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	loc_8E49A8
		mov	ebx, edi

loc_87A7E6:				; CODE XREF: PnpCmResourcesToIoResources+48j
		mov	ecx, [eax+0Ch]
		add	esi, ecx
		add	eax, 10h
		test	ecx, ecx
		jz	short loc_87A807

loc_87A7F2:				; CODE XREF: PnpCmResourcesToIoResources+43j
		xor	edx, edx
		cmp	byte ptr [eax],	5
		jz	loc_8E4922

loc_87A7FD:				; CODE XREF: PnpCmResourcesToIoResources+6A164j
		add	eax, 10h
		add	eax, edx
		sub	ecx, 1
		jnz	short loc_87A7F2

loc_87A807:				; CODE XREF: PnpCmResourcesToIoResources+2Ej
		sub	ebx, 1
		jnz	short loc_87A7E6
		test	esi, esi
		jz	loc_8E49A8
		add	esi, edi
		xor	eax, eax
		mov	edi, esi
		inc	eax
		shl	edi, 5
		push	75737050h
		add	edi, 48h
		push	edi
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_14], ebx
		test	ebx, ebx
		jz	loc_8E49A8
		push	edi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	edx, [ebp+var_4]
		lea	edi, [ebx+28h]
		add	esp, 0Ch
		mov	ecx, [edx]
		mov	[ebx+4], ecx
		mov	ecx, [ebp+var_10]
		mov	eax, [ecx+8]
		mov	[ebx+8], eax
		xor	eax, eax
		mov	[ebx+0Ch], eax
		mov	[ebx+10h], eax
		mov	[ebx+14h], eax
		mov	[ebx+18h], eax
		inc	eax
		mov	[edi], al
		mov	[ebx+1Ch], eax
		mov	[ebx+20h], ax
		mov	[ebx+22h], ax
		xor	eax, eax
		mov	[edi+4], eax
		mov	[edi+3], al
		mov	eax, [ebp+arg_0]
		mov	[edi+8], eax
		xor	eax, eax
		mov	word ptr [edi+1], 380h
		add	edi, 20h
		mov	[ebx+24h], esi
		mov	[ebp+var_8], eax
		cmp	[ecx], eax
		jbe	loc_87A920

loc_87A89D:				; CODE XREF: PnpCmResourcesToIoResources+159j
		test	eax, eax
		jnz	loc_8E492B

loc_87A8A5:				; CODE XREF: PnpCmResourcesToIoResources+6A195j
		xor	esi, esi
		lea	ebx, [edx+10h]
		mov	[ebp+var_C], esi
		cmp	[edx+0Ch], esi
		jbe	short loc_87A910

loc_87A8B2:				; CODE XREF: PnpCmResourcesToIoResources+146j
		mov	byte ptr [edi],	1
		mov	al, [ebx]
		mov	[edi+1], al
		mov	al, [ebx+1]
		mov	[edi+2], al
		mov	ax, [ebx+2]
		mov	[edi+4], ax
		xor	eax, eax
		and	[ebp+arg_0], eax
		mov	[edi+6], ax
		mov	byte ptr [edi+3], 0
		movzx	eax, byte ptr [ebx]
		sub	eax, 1
		jz	short loc_87A932
		sub	eax, 1
		jnz	short loc_87A92D
		test	byte ptr [ebx+2], 2
		jnz	loc_8E497A
		movzx	eax, word ptr [ebx+4]
		mov	[edi+0Ch], eax

loc_87A8F3:				; CODE XREF: PnpCmResourcesToIoResources+1F1j
		mov	[edi+8], eax

loc_87A8F6:				; CODE XREF: PnpCmResourcesToIoResources+1B1j
					; PnpCmResourcesToIoResources+1D9j ...
		mov	eax, [ebp+arg_0]
		add	edi, 20h

loc_87A8FC:				; CODE XREF: PnpCmResourcesToIoResources+214j
		add	ebx, 10h
		add	ebx, eax
		inc	esi
		mov	[ebp+var_C], esi
		cmp	esi, [edx+0Ch]
		jb	short loc_87A8B2
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_10]

loc_87A910:				; CODE XREF: PnpCmResourcesToIoResources+EEj
		inc	eax
		mov	edx, ebx
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], eax
		cmp	eax, [ecx]
		jb	short loc_87A89D
		mov	ebx, [ebp+var_14]

loc_87A920:				; CODE XREF: PnpCmResourcesToIoResources+D5j
		sub	edi, ebx
		mov	eax, ebx
		mov	[ebx], edi

loc_87A926:				; CODE XREF: PnpCmResourcesToIoResources+6A1E8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_87A92D:				; CODE XREF: PnpCmResourcesToIoResources+11Ej
		sub	eax, 1
		jnz	short loc_87A975

loc_87A932:				; CODE XREF: PnpCmResourcesToIoResources+119j
					; PnpCmResourcesToIoResources+1C5j
		and	[ebp+var_1C], 0
		lea	eax, [ebp+var_1C]
		and	[ebp+var_18], 0
		push	eax
		push	ebx
		call	RtlCmDecodeMemIoResource
		mov	ecx, [ebx+0Ch]
		mov	esi, [ebp+var_1C]
		mov	[edi+10h], esi
		add	esi, eax
		mov	[edi+8], ecx
		mov	ecx, [ebp+var_18]
		mov	[edi+14h], ecx
		adc	ecx, edx
		mov	edx, [ebp+var_4]
		sub	esi, 1
		mov	[edi+18h], esi
		mov	esi, [ebp+var_C]
		sbb	ecx, 0
		mov	dword ptr [edi+0Ch], 1
		mov	[edi+1Ch], ecx
		jmp	short loc_87A8F6
; 

loc_87A975:				; CODE XREF: PnpCmResourcesToIoResources+16Ej
		sub	eax, 1
		jz	short loc_87A9B8
		sub	eax, 1
		jz	short loc_87A9D3
		sub	eax, 1
		jz	short loc_87A9A0
		sub	eax, 1
		jz	short loc_87A932
		mov	eax, [ebx+4]
		mov	[edi+8], eax
		mov	eax, [ebx+8]
		mov	[edi+0Ch], eax
		mov	eax, [ebx+0Ch]
		mov	[edi+10h], eax
		jmp	loc_87A8F6
; 

loc_87A9A0:				; CODE XREF: PnpCmResourcesToIoResources+1C0j
		mov	eax, [ebx+4]
		mov	[edi+0Ch], eax
		mov	eax, [ebx+4]
		dec	eax
		add	eax, [ebx+8]
		mov	[edi+10h], eax
		mov	eax, [ebx+8]
		jmp	loc_87A8F3
; 

loc_87A9B8:				; CODE XREF: PnpCmResourcesToIoResources+1B6j
		test	byte ptr [ebx+2], 80h
		jnz	loc_8E495C
		mov	eax, [ebx+4]
		mov	[edi+8], eax
		mov	eax, [ebx+4]
		mov	[edi+0Ch], eax
		jmp	loc_87A8F6
; 

loc_87A9D3:				; CODE XREF: PnpCmResourcesToIoResources+1BBj
		mov	eax, [ebx+4]
		jmp	loc_87A8FC
PnpCmResourcesToIoResources endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAllocateBootResources(x,	x, x)
_IopAllocateBootResources@12 proc near	; CODE XREF: IopReportBootResources+3Dp
					; IopAllocateLegacyBootResources+87p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		xor	ebx, ebx
		mov	edi, offset _PpRegistrySemaphore
		push	ebx
		push	ebx
		push	ebx
		push	4
		push	edi
		call	KeWaitForSingleObject
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	IopAllocateBootResourcesInternal
		push	ebx
		push	1
		push	ebx
		push	edi
		mov	esi, eax
		call	KeReleaseSemaphore
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_IopAllocateBootResources@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


PnpFreeResourceRequirementsForAssignTable proc near ; CODE XREF: PnpAllocateResources+221p
					; PnpGetResourceRequirementsForAssignTable+6C326p ...

; FUNCTION CHUNK AT 008E49AF SIZE 0000001C BYTES

		cmp	ecx, edx
		jnb	short locret_87AA6D
		push	esi
		sub	edx, ecx
		lea	esi, [ecx+18h]
		push	edi
		push	28h
		pop	ecx
		lea	eax, [edx-1]
		xor	edx, edx
		div	ecx
		lea	edi, [eax+1]

loc_87AA4C:				; CODE XREF: PnpFreeResourceRequirementsForAssignTable+35j
		mov	ecx, [esi]
		call	_IopFreeReqList@4 ; IopFreeReqList(x)
		and	dword ptr [esi], 0
		test	dword ptr [esi-14h], 200h
		jnz	loc_8E49AF

loc_87AA63:				; CODE XREF: PnpFreeResourceRequirementsForAssignTable+69F80j
					; PnpFreeResourceRequirementsForAssignTable+69F92j
		add	esi, 28h
		sub	edi, 1
		jnz	short loc_87AA4C
		pop	edi
		pop	esi

locret_87AA6D:				; CODE XREF: PnpFreeResourceRequirementsForAssignTable+2j
		retn
PnpFreeResourceRequirementsForAssignTable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpAllocateResources proc near		; CODE XREF: PnpAssignResourcesToDevices(x,x,x)+42p
					; IopLegacyResourceAllocation(x,x,x,x,x)+F0p

var_48		= dword	ptr -48h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E49CB SIZE 00000113 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], edi
		test	eax, eax
		jz	short loc_87AA94
		mov	[eax], cl

loc_87AA94:				; CODE XREF: PnpAllocateResources+22j
		cmp	[ebp+arg_0], cl
		jnz	short loc_87AAB6
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ecx
		push	ecx
		push	ecx
		push	4
		push	offset _PpRegistrySemaphore
		call	KeWaitForSingleObject

loc_87AAB6:				; CODE XREF: PnpAllocateResources+29j
		mov	[ebp+var_8], ebx
		lea	eax, [ebp+var_8]
		imul	ebx, 28h
		mov	ecx, edi
		push	eax
		add	ebx, edi
		mov	edx, ebx
		call	PnpGetResourceRequirementsForAssignTable
		mov	esi, eax
		test	esi, esi
		jns	short loc_87AAFC

loc_87AAD1:				; CODE XREF: PnpAllocateResources+226j
		cmp	[ebp+arg_0], 0
		jnz	short loc_87AAF3
		push	0
		push	1
		push	0
		push	offset _PpRegistrySemaphore
		call	KeReleaseSemaphore
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_87AAF3:				; CODE XREF: PnpAllocateResources+67j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_87AAFC:				; CODE XREF: PnpAllocateResources+61j
		xor	edx, edx
		mov	[ebp+var_10], 1
		push	28h
		pop	ecx
		mov	[ebp+var_4], edx
		mov	[ebp+var_14], ecx
		cmp	_IopBootConfigsReserved, dl
		jnz	short loc_87AB42
		mov	eax, edi
		cmp	edi, ebx
		jnb	short loc_87AB30

loc_87AB1C:				; CODE XREF: PnpAllocateResources+C0j
		cmp	[eax+24h], edx
		jl	short loc_87AB2A
		cmp	[eax+14h], edx
		jz	loc_87AD74

loc_87AB2A:				; CODE XREF: PnpAllocateResources+B1j
		add	eax, ecx
		cmp	eax, ebx
		jb	short loc_87AB1C

loc_87AB30:				; CODE XREF: PnpAllocateResources+ACj
					; PnpAllocateResources+30Dj
		cmp	eax, ebx
		jnz	loc_87AD3B

loc_87AB38:				; CODE XREF: PnpAllocateResources+2CFj
					; PnpAllocateResources+301j
		cmp	[ebp+var_4], 0
		jnz	loc_87AC8B

loc_87AB42:				; CODE XREF: PnpAllocateResources+A6j
		mov	ecx, edi
		cmp	edi, ebx
		jnb	short loc_87AB74

loc_87AB48:				; CODE XREF: PnpAllocateResources+242j
		mov	eax, [ecx]
		test	eax, eax
		jz	loc_8E49CB
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]

loc_87AB5B:				; CODE XREF: PnpAllocateResources+69F5Fj
		test	byte ptr [eax+10Ch], 40h
		jz	loc_87ACA9
		cmp	[ecx+14h], edx
		jz	loc_87ACA9
		mov	[ebp+var_10], edx

loc_87AB74:				; CODE XREF: PnpAllocateResources+D8j
					; PnpAllocateResources+248j
		cmp	ecx, ebx
		jz	loc_87AD80
		cmp	edi, ebx
		jnb	loc_87AD80
		mov	eax, ebx
		lea	ecx, [edi+4]
		sub	eax, edi
		xor	edx, edx
		push	28h
		dec	eax
		pop	edi
		div	edi
		lea	esi, [eax+1]
		mov	eax, [ebp+var_8]
		mov	[ebp+var_4], eax

loc_87AB9C:				; CODE XREF: PnpAllocateResources+161j
		mov	edx, [ecx-4]
		test	edx, edx
		jz	loc_8E49D2
		mov	eax, [edx+0B0h]
		mov	edx, [eax+14h]
		mov	eax, [ebp+var_4]

loc_87ABB3:				; CODE XREF: PnpAllocateResources+69F66j
		test	byte ptr [edx+10Ch], 40h
		jz	loc_87AC99
		cmp	dword ptr [ecx+10h], 0
		jz	loc_87AC99

loc_87ABCA:				; CODE XREF: PnpAllocateResources+230j
					; PnpAllocateResources+69F7Bj
		add	ecx, edi
		sub	esi, 1
		jnz	short loc_87AB9C
		mov	edi, [ebp+var_C]

loc_87ABD4:				; CODE XREF: PnpAllocateResources+318j
		test	eax, eax
		jz	loc_8E49EE
		cmp	eax, [ebp+var_18]
		jnz	loc_87ACEB

loc_87ABE5:				; CODE XREF: PnpAllocateResources+281j
					; PnpAllocateResources+2C4j
		cmp	eax, 1
		ja	loc_87ACBB

loc_87ABEE:				; CODE XREF: PnpAllocateResources+278j
		cmp	[ebp+var_10], 0
		jnz	loc_87AD8B
		mov	eax, 0C0000001h

loc_87ABFD:				; CODE XREF: PnpAllocateResources+32Aj
		mov	[ebp+var_4], eax
		test	eax, eax
		jns	loc_87AD9D
		and	[ebp+var_10], 0
		mov	esi, edi
		cmp	edi, ebx
		jnb	short loc_87AC7F

loc_87AC12:				; CODE XREF: PnpAllocateResources+207j
		mov	eax, [esi]
		test	eax, eax
		jz	loc_8E49F8
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		mov	[ebp+var_8], eax

loc_87AC28:				; CODE XREF: PnpAllocateResources+69F8Ej
		lea	eax, [ebp+var_20]
		xor	edx, edx
		push	eax
		inc	edx
		mov	ecx, esi
		call	_PnpFindBestConfiguration@12 ; PnpFindBestConfiguration(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		js	loc_8E4A0D
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_10], 1
		call	_IopCommitConfiguration@4 ; IopCommitConfiguration(x)
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		js	loc_8E4A01
		push	0
		lea	edx, [esi+28h]
		mov	ecx, esi
		call	PnpBuildCmResourceLists
		mov	ecx, [ebp+var_4]

loc_87AC6E:				; CODE XREF: PnpAllocateResources+69F9Aj
					; PnpAllocateResources+6A002j ...
		push	28h
		pop	eax
		add	esi, eax
		cmp	esi, ebx
		jb	short loc_87AC12

loc_87AC77:				; CODE XREF: PnpAllocateResources+6A026j
					; PnpAllocateResources+6A02Ej
		cmp	esi, ebx
		jb	loc_8E4AA1

loc_87AC7F:				; CODE XREF: PnpAllocateResources+1A2j
					; PnpAllocateResources+6A05Dj ...
		mov	esi, [ebp+var_4]

loc_87AC82:				; CODE XREF: PnpAllocateResources+33Ej
					; PnpAllocateResources+363j
		mov	edx, ebx
		mov	ecx, edi
		call	IopReleaseFilteredBootResources

loc_87AC8B:				; CODE XREF: PnpAllocateResources+CEj
					; PnpAllocateResources+69F85j
		mov	edx, ebx
		mov	ecx, edi
		call	PnpFreeResourceRequirementsForAssignTable
		jmp	loc_87AAD1
; 

loc_87AC99:				; CODE XREF: PnpAllocateResources+14Cj
					; PnpAllocateResources+156j
		mov	edx, [ecx]
		test	dl, 20h
		jnz	loc_87ABCA
		jmp	loc_8E49D9
; 

loc_87ACA9:				; CODE XREF: PnpAllocateResources+F4j
					; PnpAllocateResources+FDj
		push	28h
		pop	eax
		add	ecx, eax
		cmp	ecx, ebx
		jb	loc_87AB48
		jmp	loc_87AB74
; 

loc_87ACBB:				; CODE XREF: PnpAllocateResources+17Aj
		xor	ecx, ecx
		test	eax, eax
		jz	short loc_87ACD0
		push	28h
		lea	edx, [edi+10h]
		pop	esi

loc_87ACC7:				; CODE XREF: PnpAllocateResources+260j
		mov	[edx], ecx
		inc	ecx
		add	edx, esi
		cmp	ecx, eax
		jb	short loc_87ACC7

loc_87ACD0:				; CODE XREF: PnpAllocateResources+251j
		push	offset _PnpCompareResourceRequestPriority ; int	__cdecl	(*)(const void *,const void *)
		push	28h
		pop	ecx
		push	ecx		; size_t
		push	eax		; size_t
		push	edi		; void *
		call	_qsort
		mov	eax, [ebp+var_4]
		add	esp, 10h
		jmp	loc_87ABEE
; 

loc_87ACEB:				; CODE XREF: PnpAllocateResources+171j
		mov	edx, edi
		cmp	edi, ebx
		jnb	loc_87ABE5
		lea	ecx, [ebx-28h]
		push	28h
		mov	[ebp+var_8], ecx
		pop	eax

loc_87ACFE:				; CODE XREF: PnpAllocateResources+2BCj
		test	byte ptr [edx+4], 20h
		jz	short loc_87AD37
		push	0Ah
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp+var_48]
		rep movsd
		mov	esi, [ebp+var_8]
		mov	edi, edx
		push	0Ah
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_8]
		lea	esi, [ebp+var_48]
		push	0Ah
		pop	ecx
		sub	ebx, eax
		sub	[ebp+var_8], eax
		rep movsd

loc_87AD28:				; CODE XREF: PnpAllocateResources+2CBj
		cmp	edx, ebx
		jb	short loc_87ACFE
		mov	edi, [ebp+var_C]
		mov	eax, [ebp+var_4]
		jmp	loc_87ABE5
; 

loc_87AD37:				; CODE XREF: PnpAllocateResources+294j
		add	edx, eax
		jmp	short loc_87AD28
; 

loc_87AD3B:				; CODE XREF: PnpAllocateResources+C4j
		cmp	edi, ebx
		jnb	loc_87AB38
		mov	eax, ebx
		lea	ecx, [edi+4]
		sub	eax, edi
		xor	edx, edx
		dec	eax
		div	[ebp+var_14]
		inc	eax
		xor	edx, edx

loc_87AD53:				; CODE XREF: PnpAllocateResources+2FFj
		cmp	[ecx+20h], edx
		jl	short loc_87AD5D
		cmp	[ecx+10h], edx
		jz	short loc_87AD67

loc_87AD5D:				; CODE XREF: PnpAllocateResources+2E8j
		or	dword ptr [ecx], 20h
		mov	dword ptr [ecx+20h], 0C000022Dh

loc_87AD67:				; CODE XREF: PnpAllocateResources+2EDj
		add	ecx, 28h
		sub	eax, 1
		jnz	short loc_87AD53
		jmp	loc_87AB38
; 

loc_87AD74:				; CODE XREF: PnpAllocateResources+B6j
		mov	[ebp+var_4], 1
		jmp	loc_87AB30
; 

loc_87AD80:				; CODE XREF: PnpAllocateResources+108j
					; PnpAllocateResources+110j
		mov	eax, [ebp+var_8]
		mov	[ebp+var_4], eax
		jmp	loc_87ABD4
; 

loc_87AD8B:				; CODE XREF: PnpAllocateResources+184j
		lea	ecx, [ebp+var_20]
		mov	edx, eax
		push	ecx
		mov	ecx, edi
		call	_PnpFindBestConfiguration@12 ; PnpFindBestConfiguration(x,x,x)
		jmp	loc_87ABFD
; 

loc_87AD9D:				; CODE XREF: PnpAllocateResources+194j
		lea	ecx, [ebp+var_20]
		call	_IopCommitConfiguration@4 ; IopCommitConfiguration(x)
		mov	[ebp+arg_4], edi
		mov	esi, eax
		cmp	edi, ebx
		jnb	loc_87AC82
		push	28h
		pop	eax

loc_87ADB5:				; CODE XREF: PnpAllocateResources+35Ej
		test	esi, esi
		js	short loc_87ADD6
		push	0
		lea	edx, [edi+28h]
		mov	ecx, edi
		call	PnpBuildCmResourceLists
		push	28h
		pop	eax

loc_87ADC8:				; CODE XREF: PnpAllocateResources+36Fj
		add	edi, eax
		cmp	edi, ebx
		jb	short loc_87ADB5
		mov	edi, [ebp+var_C]
		jmp	loc_87AC82
; 

loc_87ADD6:				; CODE XREF: PnpAllocateResources+349j
		mov	dword ptr [edi+24h], 0C0000018h
		jmp	short loc_87ADC8
PnpAllocateResources endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpAssignResourcesToDevices(x, x, x)
_PnpAssignResourcesToDevices@12	proc near ; CODE XREF: PnpProcessAssignResources+BDp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, edx
		mov	[ebp+var_10], eax
		test	edi, edi
		jz	short loc_87AE19
		mov	esi, eax
		mov	ebx, edi

loc_87ADFA:				; CODE XREF: PnpAssignResourcesToDevices(x,x,x)+34j
		mov	eax, [esi]
		mov	eax, [eax+0B0h]
		mov	edx, [eax+14h]
		test	byte ptr [edx+10Ch], 1
		jnz	short loc_87AE2E

loc_87AE0E:				; CODE XREF: PnpAssignResourcesToDevices(x,x,x)+85j
					; PnpAssignResourcesToDevices(x,x,x)+8Bj ...
		add	esi, 28h
		sub	ebx, 1
		jnz	short loc_87ADFA
		mov	eax, [ebp+var_10]

loc_87AE19:				; CODE XREF: PnpAssignResourcesToDevices(x,x,x)+14j
		push	[ebp+arg_0]
		mov	edx, eax
		mov	ecx, edi
		push	0
		call	PnpAllocateResources
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_87AE2E:				; CODE XREF: PnpAssignResourcesToDevices(x,x,x)+2Cj
		mov	edx, [edx+18h]
		lea	eax, [ebp+var_C]
		mov	ecx, _PiPnpRtlCtx
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		push	0
		push	eax
		push	1
		lea	eax, [ebp-1]
		mov	[ebp+var_1], 0
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	offset _DEVPKEY_Device_Reported
		push	0
		push	0
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_87AE0E
		cmp	[ebp+var_8], 11h
		jnz	short loc_87AE0E
		cmp	[ebp+var_C], 1
		jnz	short loc_87AE0E
		cmp	[ebp+var_1], 0FFh
		jnz	short loc_87AE0E
		and	dword ptr [esi+8], 0
		jmp	short loc_87AE0E
_PnpAssignResourcesToDevices@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopOpenRegistryKeyEx(x, x, x, x)
_IopOpenRegistryKeyEx@16 proc near	; CODE XREF: .text:0056830Bp
					; PnpDriverLoadingFailed+61p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		and	dword ptr [ecx], 0
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+arg_4]
		mov	[ebp+var_18], 18h
		push	ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		leave
		retn	8
_IopOpenRegistryKeyEx@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PnpWaitForEmptyDeviceEventQueue()
_PnpWaitForEmptyDeviceEventQueue@0 proc	near ; CODE XREF: PnpWaitForBootDevicesDeleted()+3p
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _PnpEventQueueEmpty
		call	KeWaitForSingleObject
		retn
_PnpWaitForEmptyDeviceEventQueue@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnpWaitForEmptyDeviceActionQueue()
_PnpWaitForEmptyDeviceActionQueue@0 proc near ;	CODE XREF: PopGracefulShutdown(x)+1BEp
					; IopInitializeBootDrivers+6DAp ...
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _PnpEnumerationLock
		call	KeWaitForSingleObject
		retn
_PnpWaitForEmptyDeviceActionQueue@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopPnPDispatch	proc near		; DATA XREF: PipPnPDriverEntry(x,x)+1Ao

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E4ADE SIZE 000002E1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	edi, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], edi
		mov	[ebp+var_10], edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_18], ebx
		mov	[ebp+var_1C], ebx
		mov	ecx, [edi+60h]
		mov	[ebp+var_C], ecx
		movzx	eax, byte ptr [ecx+1]
		cmp	eax, 8
		jbe	loc_87AFE6
		sub	eax, 9
		jz	short loc_87AF51
		sub	eax, 1
		jz	loc_8E4D6D
		sub	eax, 1
		jz	loc_8E4D5E
		sub	eax, 1
		jz	loc_8E4CC4
		sub	eax, 7
		jz	loc_87B0BC
		sub	eax, 3
		jz	loc_87AFCE	; case 0x0

loc_87AF46:				; CODE XREF: IopPnPDispatch+182j
					; IopPnPDispatch+1A4j ...
		mov	ecx, [edi+1Ch]	; default
		mov	esi, [edi+18h]
		jmp	loc_87AFD3
; 

loc_87AF51:				; CODE XREF: IopPnPDispatch+37j
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	loc_8E4D98
		mov	eax, [edx+0B0h]
		mov	edi, [eax+14h]
		mov	[ebp+arg_0], edi

loc_87AF68:				; CODE XREF: IopPnPDispatch+69EBBj
		mov	esi, [ecx+4]
		xor	ecx, ecx
		push	40h
		pop	eax
		inc	ecx
		mov	[esi], ax
		mov	[esi+2], cx
		mov	eax, _IopRootDeviceNode
		cmp	edx, [eax+10h]
		jz	loc_87B287

loc_87AF86:				; CODE XREF: IopPnPDispatch+3B1j
		mov	[esi+14h], ecx
		lea	edi, [esi+18h]
		mov	[esi+10h], ebx
		push	4
		pop	ecx
		mov	eax, ecx
		stosd
		stosd
		stosd
		stosd
		stosd
		cmp	dword ptr [esi+0Ch], 0FFFFFFFFh
		jnz	short loc_87AFCB
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_8], ecx
		mov	edx, [edx+18h]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	11h
		push	ebx
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	loc_8E4DA0

loc_87AFCB:				; CODE XREF: IopPnPDispatch+BDj
					; IopPnPDispatch+69EC4j ...
		mov	edi, [ebp+arg_4]

loc_87AFCE:				; CODE XREF: IopPnPDispatch+60j
					; IopPnPDispatch+17Aj ...
		mov	esi, ebx	; case 0x0

loc_87AFD0:				; CODE XREF: IopPnPDispatch+125j
					; IopPnPDispatch+164j ...
		mov	ecx, [ebp+var_4]

loc_87AFD3:				; CODE XREF: IopPnPDispatch+6Cj
					; IopPnPDispatch+1D7j ...
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	_IopPnPCompleteRequest@12 ; IopPnPCompleteRequest(x,x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_87AFE6:				; CODE XREF: IopPnPDispatch+2Ej
		jnz	short loc_87B05F
		mov	eax, [ebp+arg_0]
		mov	esi, [edi+18h]
		test	eax, eax
		jz	loc_8E4B30
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]

loc_87AFFF:				; CODE XREF: IopPnPDispatch+69C52j
		cmp	eax, _IopRootDeviceNode
		jnz	short loc_87AFD0
		mov	eax, [ecx+4]
		mov	edx, offset _GUID_ARBITER_INTERFACE_STANDARD
		cmp	eax, edx
		jz	loc_87B20F
		push	10h		; Length
		push	edx		; Source2
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jz	loc_87B20C
		mov	eax, [ebp+var_C]
		mov	edx, offset _GUID_TRANSLATOR_INTERFACE_STANDARD
		mov	ecx, [eax+4]
		cmp	ecx, edx
		jz	short loc_87B049
		push	10h		; Length
		push	edx		; Source2
		push	ecx		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jnz	short loc_87AFD0
		mov	eax, [ebp+var_C]

loc_87B049:				; CODE XREF: IopPnPDispatch+156j
		mov	eax, [eax+0Ch]
		mov	dword ptr [eax+10h], offset _IopTranslatorHandlerCm@28 ; IopTranslatorHandlerCm(x,x,x,x,x,x,x)
		mov	dword ptr [eax+14h], offset _IopTranslatorHandlerIo@20 ; IopTranslatorHandlerIo(x,x,x,x,x)
		jmp	loc_87AFCE	; case 0x0
; 

loc_87B05F:				; CODE XREF: IopPnPDispatch:loc_87AFE6j
		cmp	eax, 7		; switch 8 cases
		ja	loc_87AF46	; default
		jmp	ds:off_87B298[eax*4] ; switch jump

loc_87B06F:				; DATA XREF: PAGE:off_87B298o
		mov	eax, _IopRootDeviceNode	; case 0x7
		mov	edx, [ebp+arg_0]
		cmp	edx, [eax+10h]
		jz	loc_87B1F1

loc_87B080:				; CODE XREF: IopPnPDispatch+314j
		cmp	dword ptr [ecx+4], 4
		jnz	loc_87AF46	; default
		push	64647050h
		xor	esi, esi
		push	8
		inc	esi
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	loc_8E4B26
		mov	ecx, [ebp+arg_0]
		mov	[eax], esi
		mov	[eax+4], ecx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [ebp+arg_4]
		mov	esi, ebx
		jmp	loc_87AFD3
; 

loc_87B0BC:				; CODE XREF: IopPnPDispatch+57j
		mov	eax, _IopRootDeviceNode
		mov	edx, [ebp+arg_0]
		cmp	edx, [eax+10h]
		jz	loc_87AF46	; default
		mov	esi, [edi+18h]
		test	esi, esi
		jns	loc_87B23F

loc_87B0D8:				; CODE XREF: IopPnPDispatch+368j
		test	edx, edx
		jz	loc_8E4B4A
		mov	eax, [edx+0B0h]
		mov	edx, [eax+14h]
		mov	[ebp+arg_0], edx

loc_87B0EC:				; CODE XREF: IopPnPDispatch+69C6Fj
		mov	eax, [ecx+4]
		test	eax, eax
		jz	loc_8E4BB8
		jle	loc_8E4BB0
		cmp	eax, 2
		jg	loc_8E4B54
		cmp	esi, 0C00000BBh
		jnz	loc_87AFD0
		lea	eax, [ebp+var_8]
		push	eax
		xor	eax, eax
		cmp	dword ptr [ecx+4], 1
		mov	ecx, [edx+18h]
		setnz	al
		push	ebx
		add	eax, 2
		push	eax
		push	7
		call	PiGetDeviceRegProperty
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_87B1EC
		push	64647050h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_8E4BA6
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, [ebp+var_C]
		push	eax
		xor	eax, eax
		cmp	dword ptr [ecx+4], 1
		setnz	al
		add	eax, 2
		push	eax
		mov	eax, [ebp+arg_0]
		push	7
		mov	ecx, [eax+18h]
		call	PiGetDeviceRegProperty
		mov	esi, eax
		test	esi, esi
		js	loc_8E4B8A
		mov	ecx, [ebp+var_14]
		mov	edx, ecx
		mov	eax, [ebp+var_8]
		shr	eax, 1
		lea	eax, [ecx+eax*2]
		cmp	ecx, eax
		jnb	short loc_87B1D7
		mov	edi, [ebp+var_8]

loc_87B196:				; CODE XREF: IopPnPDispatch+2E5j
		movzx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		test	ax, ax
		jz	short loc_87B1C9
		add	eax, 0FFFFFFE0h
		cmp	ax, 5Fh
		ja	loc_8E4B98
		cmp	word ptr [ebp+arg_0], 2Ch
		jz	loc_8E4B98

loc_87B1B9:				; CODE XREF: IopPnPDispatch+30Aj
					; IopPnPDispatch+69CC1j
		mov	eax, edi
		add	edx, 2
		shr	eax, 1
		lea	eax, [ecx+eax*2]
		cmp	edx, eax
		jb	short loc_87B196
		jmp	short loc_87B1D4
; 

loc_87B1C9:				; CODE XREF: IopPnPDispatch+2BFj
		test	ebx, ebx
		jz	short loc_87B1E8
		lea	eax, [ebx+2]
		cmp	edx, eax
		jnz	short loc_87B1E8

loc_87B1D4:				; CODE XREF: IopPnPDispatch+2E7j
		mov	edi, [ebp+arg_4]

loc_87B1D7:				; CODE XREF: IopPnPDispatch+2B1j
					; IopPnPDispatch+30Fj
		cmp	esi, 0C0000225h
		jnz	loc_87AFD3
		jmp	loc_87AF46	; default
; 

loc_87B1E8:				; CODE XREF: IopPnPDispatch+2EBj
					; IopPnPDispatch+2F2j
		mov	ebx, edx
		jmp	short loc_87B1B9
; 

loc_87B1EC:				; CODE XREF: IopPnPDispatch+256j
					; IopPnPDispatch+69CB3j ...
		mov	ecx, [ebp+var_4]
		jmp	short loc_87B1D7
; 

loc_87B1F1:				; CODE XREF: IopPnPDispatch+19Aj
		cmp	[ecx+4], ebx
		jnz	loc_87B080
		lea	ecx, [ebp+var_10]
		call	IopGetRootDevices
		mov	esi, eax

loc_87B204:				; CODE XREF: IopPnPDispatch+69EA9j
		mov	ecx, [ebp+var_10]
		jmp	loc_87AFD3
; 

loc_87B20C:				; CODE XREF: IopPnPDispatch+143j
		mov	ecx, [ebp+var_C]

loc_87B20F:				; CODE XREF: IopPnPDispatch+131j
		mov	edx, [ecx+0Ch]
		mov	esi, ebx
		mov	dword ptr [edx+10h], offset ArbArbiterHandler
		movzx	eax, byte ptr [ecx+10h]
		sub	eax, 1
		jz	short loc_87B27B
		sub	eax, 1
		jz	short loc_87B26F
		sub	eax, 1
		jz	short loc_87B263
		sub	eax, 1
		jnz	short loc_87B24D
		mov	dword ptr [edx+4], offset _IopRootDmaArbiter
		jmp	loc_87AFD0
; 

loc_87B23F:				; CODE XREF: IopPnPDispatch+1F2j
		cmp	[edi+1Ch], ebx
		jnz	loc_87AF46	; default
		jmp	loc_87B0D8
; 

loc_87B24D:				; CODE XREF: IopPnPDispatch+351j
		dec	eax
		sub	eax, 1
		jnz	loc_8E4B37
		mov	dword ptr [edx+4], offset _IopRootBusNumberArbiter
		jmp	loc_87AFD0
; 

loc_87B263:				; CODE XREF: IopPnPDispatch+34Cj
					; IopPnPDispatch+69C5Aj
		mov	dword ptr [edx+4], offset _IopRootMemArbiter
		jmp	loc_87AFD0
; 

loc_87B26F:				; CODE XREF: IopPnPDispatch+347j
		mov	dword ptr [edx+4], offset _IopRootIrqArbiter
		jmp	loc_87AFD0
; 

loc_87B27B:				; CODE XREF: IopPnPDispatch+342j
		mov	dword ptr [edx+4], offset _IopRootPortArbiter
		jmp	loc_87AFD0
; 

loc_87B287:				; CODE XREF: IopPnPDispatch+A0j
		or	dword ptr [esi+4], 1C0h
		mov	[esi+0Ch], ebx
		jmp	loc_87AF86
IopPnPDispatch	endp

; 
		align 4
off_87B298	dd offset loc_87AFCE	; DATA XREF: IopPnPDispatch+188r
		dd offset loc_87AFCE	; jump table for switch	statement
		dd offset loc_8E4AE8
		dd offset loc_87AFCE
		dd offset loc_8E4ADE
		dd offset loc_8E4ADE
		dd offset loc_87AFCE
		dd offset loc_87B06F

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpSelectFirstConfiguration(x, x, x, x)
_PnpSelectFirstConfiguration@16	proc near ; CODE XREF: PnpFindBestConfigurationWorker+37p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		test	esi, esi
		jz	short loc_87B2F3
		push	ebx
		push	edi
		lea	ebx, [ecx+18h]

loc_87B2C9:				; CODE XREF: PnpSelectFirstConfiguration(x,x,x,x)+37j
		cmp	[ebp+arg_4], 0
		mov	eax, [ebx]
		lea	ecx, [eax+18h]
		mov	[eax+0Ch], ecx
		mov	edx, [ecx]
		jnz	short loc_87B2F8

loc_87B2D9:				; CODE XREF: PnpSelectFirstConfiguration(x,x,x,x)+45j
					; PnpSelectFirstConfiguration(x,x,x,x)+64j
		push	1
		push	[ebp+arg_0]
		lea	ecx, [edx+14h]
		mov	edx, [edx+10h]
		call	IopAddRemoveReqDescs
		add	ebx, 28h
		sub	esi, 1
		jnz	short loc_87B2C9
		pop	edi
		pop	ebx

loc_87B2F3:				; CODE XREF: PnpSelectFirstConfiguration(x,x,x,x)+Aj
		pop	esi
		pop	ebp
		retn	8
; 

loc_87B2F8:				; CODE XREF: PnpSelectFirstConfiguration(x,x,x,x)+1Fj
		xor	eax, eax
		cmp	[edx+10h], eax
		jbe	short loc_87B2D9
		lea	ecx, [edx+14h]

loc_87B302:				; CODE XREF: PnpSelectFirstConfiguration(x,x,x,x)+62j
		mov	edi, [ecx]
		cmp	byte ptr [edi+8], 0
		jz	short loc_87B313
		cmp	dword ptr [edx], 1
		jnz	short loc_87B313
		or	dword ptr [edi+30h], 1

loc_87B313:				; CODE XREF: PnpSelectFirstConfiguration(x,x,x,x)+50j
					; PnpSelectFirstConfiguration(x,x,x,x)+55j
		inc	eax
		add	ecx, 4
		cmp	eax, [edx+10h]
		jb	short loc_87B302
		jmp	short loc_87B2D9
_PnpSelectFirstConfiguration@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpFindBestConfigurationWorker proc near ; CODE	XREF: PnpFindBestConfiguration(x,x,x)+16p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E4DBF SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ecx
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	[ebp+arg_4]
		mov	[ebp+var_18], ecx
		mov	esi, edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], ecx
		mov	ecx, eax
		push	ebx
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		call	_PnpSelectFirstConfiguration@16	; PnpSelectFirstConfiguration(x,x,x,x)
		lea	eax, [ebp+var_20]
		push	eax
		call	KeQuerySystemTime
		mov	eax, _PnpFindBestConfigurationTimeout
		or	[ebp+arg_4], 0FFFFFFFFh
		mov	[ebp+var_8], eax

loc_87B36F:				; CODE XREF: PnpFindBestConfigurationWorker+C6j
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	ebx
		call	IopTestConfiguration
		mov	edi, eax
		test	edi, edi
		js	short loc_87B3AF
		mov	eax, [ebx]
		mov	ecx, [ebx+4]
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], ecx
		cmp	esi, 1
		jnz	loc_8E4DBF

loc_87B394:				; CODE XREF: PnpFindBestConfigurationWorker+CBj
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jz	short loc_87B3EB
		xor	edi, edi
		cmp	esi, 1
		jnz	loc_8E4DFF

loc_87B3A6:				; CODE XREF: PnpFindBestConfigurationWorker+D3j
					; PnpFindBestConfigurationWorker+DAj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_87B3AF:				; CODE XREF: PnpFindBestConfigurationWorker+60j
					; PnpFindBestConfigurationWorker+69AC9j ...
		lea	eax, [ebp+var_18]
		push	eax
		call	KeQuerySystemTime
		mov	ecx, [ebp+var_18]
		sub	ecx, [ebp+var_20]
		mov	eax, [ebp+var_14]
		sbb	eax, [ebp+var_1C]
		push	0
		push	2710h
		push	eax
		push	ecx
		call	__alldiv
		mov	edx, esi
		mov	ecx, [ebp+var_4]
		cmp	eax, [ebp+var_8]
		jnb	short loc_87B3FA
		push	ebx
		call	IopSelectNextConfiguration
		test	al, al
		jnz	short loc_87B36F

loc_87B3E6:				; CODE XREF: PnpFindBestConfigurationWorker+E1j
		mov	eax, [ebp+var_10]
		jmp	short loc_87B394
; 

loc_87B3EB:				; CODE XREF: PnpFindBestConfigurationWorker+7Bj
		cmp	edi, 0C0000908h
		jz	short loc_87B3A6
		mov	edi, 0C0000001h
		jmp	short loc_87B3A6
; 

loc_87B3FA:				; CODE XREF: PnpFindBestConfigurationWorker+BCj
		call	_IopCleanupSelectedConfiguration@8 ; IopCleanupSelectedConfiguration(x,x)
		jmp	short loc_87B3E6
PnpFindBestConfigurationWorker endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopTestConfiguration proc near		; CODE XREF: PnpFindBestConfigurationWorker+57p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E4E26 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_8], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_20]
		mov	[ebp+var_C], ecx
		stosd
		xor	ebx, ebx
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		mov	edi, [eax]

loc_87B423:				; CODE XREF: IopTestConfiguration+85j
		cmp	edi, eax
		jz	short loc_87B49B
		cmp	byte ptr [edi+9], 0
		jz	loc_8E4E26
		mov	ebx, [edi-20h]
		lea	eax, [edi-18h]
		and	[ebp+var_1C], 0
		and	[ebp+var_18], 0
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], ebx
		push	eax
		movzx	eax, byte ptr [edi-24h]
		push	eax
		push	dword ptr [edi-1Ch]
		call	PnpLookupArbitersNewResources
		lea	eax, [ebp+var_20]
		push	eax
		push	0
		push	dword ptr [ebx+4]
		call	dword ptr [ebx+10h]
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_87B489
		mov	cl, [edi+8]
		mov	eax, [ebp+arg_0]
		and	cl, 0FDh
		mov	edx, [ebp+var_8]
		or	cl, 1
		mov	[edi+8], cl
		mov	ecx, [ebp+var_C]
		mov	byte ptr [edi+9], 0

loc_87B485:				; CODE XREF: IopTestConfiguration+69A28j
		mov	edi, [edi]
		jmp	short loc_87B423
; 

loc_87B489:				; CODE XREF: IopTestConfiguration+68j
		mov	edx, [ebp+var_10]
		lea	ecx, [edi-2Ch]
		mov	edx, [edx+4]
		call	_PnpLogDeviceConflictingResource@8 ; PnpLogDeviceConflictingResource(x,x)
		or	byte ptr [edi+8], 2

loc_87B49B:				; CODE XREF: IopTestConfiguration+23j
					; IopTestConfiguration+69A33j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
IopTestConfiguration endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpLookupArbitersNewResources proc near	; CODE XREF: IopTestConfiguration+53p
					; IopRetestConfiguration(x,x,x)+51p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E4E3A SIZE 000000C4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ebx
		push	edi
		test	edx, edx
		jz	short loc_87B4D2
		mov	eax, [ebp+arg_0]
		mov	edi, [eax+10h]
		mov	eax, ecx

loc_87B4BE:				; CODE XREF: PnpLookupArbitersNewResources+24j
		cmp	[eax], edi
		jz	short loc_87B4CA
		inc	esi
		add	eax, 28h
		cmp	esi, edx
		jb	short loc_87B4BE

loc_87B4CA:				; CODE XREF: PnpLookupArbitersNewResources+1Cj
		cmp	esi, edx
		jb	loc_8E4E3A

loc_87B4D2:				; CODE XREF: PnpLookupArbitersNewResources+10j
		mov	eax, 0C0000001h

loc_87B4D7:				; CODE XREF: PnpLookupArbitersNewResources+69A08j
					; PnpLookupArbitersNewResources+69A55j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
PnpLookupArbitersNewResources endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpFindBestConfiguration(x,	x, x)
_PnpFindBestConfiguration@12 proc near	; CODE XREF: PnpAllocateResources+1C3p
					; PnpAllocateResources+325p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	esi, esi

loc_87B4EC:				; CODE XREF: PnpFindBestConfiguration(x,x,x)+2Aj
		push	esi
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, ebx
		call	PnpFindBestConfigurationWorker
		test	eax, eax
		js	short loc_87B504

loc_87B4FD:				; CODE XREF: PnpFindBestConfiguration(x,x,x)+2Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_87B504:				; CODE XREF: PnpFindBestConfiguration(x,x,x)+1Dj
		inc	esi
		cmp	esi, 2
		jb	short loc_87B4EC
		jmp	short loc_87B4FD
_PnpFindBestConfiguration@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpBuildCmResourceLists	proc near	; CODE XREF: PnpAllocateResources+1F8p
					; PnpAllocateResources+352p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008E4EFE SIZE 00000109 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_C], ecx
		push	edi
		mov	[ebp+var_14], ebx
		jnz	loc_8E4EFE

loc_87B529:				; CODE XREF: PnpBuildCmResourceLists+699F6j
					; PnpBuildCmResourceLists+69A61j
		or	edi, 0FFFFFFFFh

loc_87B52C:				; CODE XREF: PnpBuildCmResourceLists+69AF0j
		mov	[ebp+var_4], edi
		xor	edi, edi
		cmp	ecx, ebx
		jnb	loc_87B5D5
		mov	eax, ebx
		lea	esi, [ecx+24h]
		sub	eax, ecx
		xor	edx, edx
		push	28h
		dec	eax
		pop	ecx
		div	ecx
		lea	ecx, [eax+1]
		mov	[ebp+var_8], ecx
		mov	eax, ecx

loc_87B550:				; CODE XREF: PnpBuildCmResourceLists+BFj
		and	dword ptr [esi-8], 0
		mov	ecx, [esi-20h]
		test	cl, 28h
		jnz	short loc_87B5BF
		test	cl, 10h
		mov	ecx, [ebp+var_4]
		jnz	loc_8E4F72
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_8E4F7D

loc_87B571:				; CODE XREF: PnpBuildCmResourceLists+69A7Dj
		and	dword ptr [esi], 0
		lea	ebx, [esi-24h]
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	PnpBuildCmResourceList
		cmp	dword ptr [esi], 0C000022Dh
		jz	short loc_87B5DC
		cmp	[ebp+arg_0], 0
		jnz	loc_8E4F8E

loc_87B593:				; CODE XREF: PnpBuildCmResourceLists+69AE3j
		mov	ecx, [esi-8]
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	short loc_87B5BC
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_87B5DF
		mov	eax, [eax+0B0h]
		mov	ebx, [eax+14h]

loc_87B5AC:				; CODE XREF: PnpBuildCmResourceLists+D5j
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		mov	edx, [ebp+var_10]
		mov	ecx, ebx
		push	eax
		call	_IopWriteAllocatedResourcesToRegistry@12 ; IopWriteAllocatedResourcesToRegistry(x,x,x)

loc_87B5BC:				; CODE XREF: PnpBuildCmResourceLists+8Fj
					; PnpBuildCmResourceLists+D1j
		mov	eax, [ebp+var_8]

loc_87B5BF:				; CODE XREF: PnpBuildCmResourceLists+4Ej
		mov	ecx, [ebp+var_4]

loc_87B5C2:				; CODE XREF: PnpBuildCmResourceLists+69A6Cj
					; PnpBuildCmResourceLists+69A77j
		add	esi, 28h
		sub	eax, 1
		mov	[ebp+var_8], eax
		jnz	short loc_87B550
		test	edi, edi
		jnz	loc_8E4FF4

loc_87B5D5:				; CODE XREF: PnpBuildCmResourceLists+27j
					; PnpBuildCmResourceLists+69AF6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_87B5DC:				; CODE XREF: PnpBuildCmResourceLists+7Bj
		inc	edi
		jmp	short loc_87B5BC
; 

loc_87B5DF:				; CODE XREF: PnpBuildCmResourceLists+95j
		xor	ebx, ebx
		jmp	short loc_87B5AC
PnpBuildCmResourceLists	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopWriteAllocatedResourcesToRegistry(x, x, x)
_IopWriteAllocatedResourcesToRegistry@12 proc near ; CODE XREF:	PnpBuildCmResourceLists+ABp
					; IoReportDetectedDevice+2E4p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:124h
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ebx
		mov	edi, edx
		mov	[ebp+var_10], ebx
		mov	esi, ecx
		mov	[ebp+var_C], ebx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceSharedLite
		mov	edx, [esi+18h]
		lea	eax, [ebp+var_8]
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	eax
		push	1
		push	0F003Fh
		push	ebx
		push	13h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_87B671
		mov	[ebp+var_C], (offset loc_8B9859+1)
		push	18h
		pop	eax
		mov	word ptr [ebp+var_10+2], ax
		push	16h
		pop	eax
		mov	word ptr [ebp+var_10], ax
		lea	eax, [ebp+var_10]
		test	edi, edi
		jz	short loc_87B690
		push	[ebp+arg_0]
		push	edi
		push	8
		push	ebx
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_87B667:				; CODE XREF: IopWriteAllocatedResourcesToRegistry(x,x,x)+B5j
		push	[ebp+var_8]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_87B671:				; CODE XREF: IopWriteAllocatedResourcesToRegistry(x,x,x)+55j
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_87B690:				; CODE XREF: IopWriteAllocatedResourcesToRegistry(x,x,x)+71j
		push	eax
		push	[ebp+var_8]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	short loc_87B667
_IopWriteAllocatedResourcesToRegistry@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCommitConfiguration(x)
_IopCommitConfiguration@4 proc near	; CODE XREF: PnpAllocateResources+1DFp
					; PnpAllocateResources+332p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		xor	edx, edx
		push	esi
		mov	[ebp+var_4], edx
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	short loc_87B6F9
		push	edi

loc_87B6B3:				; CODE XREF: IopCommitConfiguration(x)+5Aj
		mov	edi, esi
		mov	[ebp+var_8], esi
		mov	esi, [esi]
		push	0
		push	2
		mov	eax, [edi-20h]
		push	dword ptr [eax+4]
		call	dword ptr [eax+10h]
		test	eax, eax
		js	short loc_87B6FF
		mov	edx, [ebp+var_4]

loc_87B6CE:				; CODE XREF: IopCommitConfiguration(x)+68j
		mov	eax, [ebp+var_8]
		lea	ecx, [edi-18h]
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		lea	ecx, [edi-10h]
		mov	word ptr [edi+8], 0
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi-8]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		cmp	esi, ebx
		jnz	short loc_87B6B3
		pop	edi

loc_87B6F9:				; CODE XREF: IopCommitConfiguration(x)+14j
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn
; 

loc_87B6FF:				; CODE XREF: IopCommitConfiguration(x)+2Dj
		mov	edx, eax
		mov	[ebp+var_4], edx
		jmp	short loc_87B6CE
_IopCommitConfiguration@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopTranslateAndAdjustReqDesc proc near	; CODE XREF: IopSetupArbiterAndTranslators+24Cp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E5007 SIZE 000000C6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		mov	eax, edx
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_30], eax
		mov	[ebp+var_24], edi
		mov	eax, [eax+0Ch]
		mov	[ebp+var_2C], eax
		mov	eax, [edi+20h]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_1], bl
		test	eax, eax
		jz	loc_8E5007
		mov	ecx, [ebp+arg_0]
		push	esi
		push	20207050h
		shl	eax, 2
		push	eax
		push	1
		mov	[ecx], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], esi
		test	esi, esi
		jz	loc_8E5019
		mov	eax, [edi+20h]
		shl	eax, 2
		push	eax		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		mov	eax, [edi+20h]
		add	esp, 0Ch
		shl	eax, 2
		push	20207050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		jz	loc_8E5011
		mov	eax, [edi+20h]
		shl	eax, 2
		push	eax		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		and	[ebp+var_20], 0
		add	esp, 0Ch
		cmp	dword ptr [edi+20h], 0
		mov	edx, [edi+24h]
		mov	[ebp+var_10], edx
		jbe	loc_8E503E
		mov	eax, esi
		mov	ecx, ebx
		mov	esi, [ebp+var_14]
		sub	eax, ebx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_28], eax

loc_87B7BF:				; CODE XREF: IopTranslateAndAdjustReqDesc+69920j
		lea	ebx, [eax+ecx]
		mov	eax, [ebp+var_2C]
		push	ebx
		push	ecx
		push	dword ptr [edi+28h]
		push	edx
		push	dword ptr [eax+4]
		call	dword ptr [eax+14h]
		mov	ecx, [ebp+var_18]
		test	eax, eax
		js	loc_8E502B
		mov	edx, [ecx]
		test	edx, edx
		jz	loc_8E502B
		mov	bl, 1
		mov	[ebp+var_1], bl

loc_87B7EB:				; CODE XREF: IopTranslateAndAdjustReqDesc+69933j
		add	[ebp+var_10], 20h
		add	esi, edx
		test	eax, eax
		js	short loc_87B801
		cmp	[ebp+var_8], 120h
		jz	short loc_87B801
		mov	[ebp+var_8], eax

loc_87B801:				; CODE XREF: IopTranslateAndAdjustReqDesc+EDj
					; IopTranslateAndAdjustReqDesc+F6j
		mov	edx, [ebp+var_20]
		add	ecx, 4
		inc	edx
		mov	[ebp+var_18], ecx
		cmp	edx, [edi+20h]
		mov	[ebp+var_20], edx
		mov	edx, [ebp+var_10]
		jb	loc_8E5023
		mov	[ebp+var_14], esi
		mov	esi, [ebp+var_C]
		test	bl, bl
		jz	loc_8E5043

loc_87B828:				; CODE XREF: IopTranslateAndAdjustReqDesc+69940j
		mov	eax, [ebp+var_14]
		push	20207050h
		shl	eax, 5
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8E5053
		push	20207050h
		push	0B4h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_8E504B
		mov	edx, [ebp+var_14]
		mov	esi, edi
		push	2Dh
		mov	edi, eax
		pop	ecx
		rep movsd
		mov	ecx, [ebp+var_30]
		xor	esi, esi
		mov	edi, [ebp+var_24]
		mov	[eax+0B0h], ecx
		lea	ecx, [eax+18h]
		mov	[eax+0Ch], esi
		mov	[eax+14h], esi
		add	eax, 50h
		mov	[ecx+8], edx
		mov	edx, esi
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	[ecx+0Ch], ebx
		mov	[ecx+2Ch], eax
		mov	eax, [edi+24h]
		mov	[ebp+var_18], eax
		mov	[ebp+var_20], edx
		cmp	[edi+20h], esi
		jbe	short loc_87B8ED
		mov	esi, [ebp+var_1C]
		mov	ecx, [ebp+var_C]
		sub	ecx, esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_30], ecx

loc_87B8B3:				; CODE XREF: IopTranslateAndAdjustReqDesc+1E5j
		mov	eax, [esi]
		test	eax, eax
		jz	loc_8E505F
		shl	eax, 5
		push	eax		; size_t
		push	dword ptr [esi+ecx] ; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [esi]
		add	esp, 0Ch
		mov	edx, [ebp+var_20]
		shl	eax, 5

loc_87B8D5:				; CODE XREF: IopTranslateAndAdjustReqDesc+699A6j
		add	[ebp+var_18], 20h
		add	esi, 4
		mov	ecx, [ebp+var_30]
		inc	edx
		add	ebx, eax
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], esi
		cmp	edx, [edi+20h]
		jb	short loc_87B8B3

loc_87B8ED:				; CODE XREF: IopTranslateAndAdjustReqDesc+19Dj
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_2C]
		mov	esi, [ebp+var_C]
		mov	[ecx], eax

loc_87B8F8:				; CODE XREF: IopTranslateAndAdjustReqDesc+69954j
		xor	ebx, ebx
		cmp	[edi+20h], ebx
		jbe	short loc_87B923
		mov	eax, [ebp+var_1C]
		sub	eax, [ebp+var_C]
		mov	[ebp+arg_0], eax

loc_87B908:				; CODE XREF: IopTranslateAndAdjustReqDesc+21Bj
		cmp	dword ptr [eax+esi], 0
		jz	short loc_87B91A
		push	0
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_0]

loc_87B91A:				; CODE XREF: IopTranslateAndAdjustReqDesc+206j
		inc	ebx
		add	esi, 4
		cmp	ebx, [edi+20h]
		jb	short loc_87B908

loc_87B923:				; CODE XREF: IopTranslateAndAdjustReqDesc+1F7j
		push	0
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_8]

loc_87B93A:				; CODE XREF: IopTranslateAndAdjustReqDesc+69918j
		pop	esi

loc_87B93B:				; CODE XREF: IopTranslateAndAdjustReqDesc+69906j
		pop	edi
		pop	ebx
		leave
		retn	4
IopTranslateAndAdjustReqDesc endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmCallDllInitialize proc near		; CODE XREF: MiLoadImportDll(x,x,x,x,x)+3Ep
					; PipInitializeDriverDependentDLLs(x,x)+10Cp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E50CD SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edx
		xor	ebx, ebx
		push	offset ??_C@_0O@PDDHICKK@DllInitialize@NNGAKEGL@ ; "DllInitialize"
		mov	[ebp+var_14], ebx
		push	dword ptr [edi+18h]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_RtlFindExportedRoutineByName@8	; RtlFindExportedRoutineByName(x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_87BAB0
		movzx	eax, word ptr [edi+2Ch]
		lea	ecx, [eax+2]
		cmp	cx, ax
		jbe	loc_8E50D5
		push	ebx
		mov	word ptr [ebp+var_1C+2], cx
		mov	edx, 54446D4Dh
		movzx	ecx, cx
		push	100h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_18], esi
		test	esi, esi
		jz	loc_8E50DF
		movzx	eax, word ptr [edi+2Ch]
		mov	ebx, eax
		mov	word ptr [ebp+var_1C], ax
		push	ebx		; size_t
		push	dword ptr [edi+30h] ; void *
		mov	ecx, eax
		push	esi		; void *
		mov	[ebp+var_4], ecx
		call	_memcpy
		mov	eax, ds:_CmRegistryMachineSystemCurrentControlSetServices
		mov	edi, ebx
		add	esp, 0Ch
		lea	ecx, [edi+eax]
		cmp	cx, ax
		jbe	loc_8E50CD
		lea	eax, [ecx+4]
		cmp	ax, cx
		jbe	loc_8E50E9
		push	0
		movzx	ecx, ax
		mov	edx, 54446D4Dh
		push	40h
		mov	word ptr [ebp+var_14+2], ax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	loc_8E50F0
		mov	eax, ds:_CmRegistryMachineSystemCurrentControlSetServices
		mov	word ptr [ebp+var_14], ax
		movzx	eax, ax
		push	eax		; size_t
		push	ds:dword_A94334	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_14]
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		shr	ebx, 1
		xor	eax, eax
		push	2Eh		; wchar_t
		push	esi		; wchar_t *
		mov	[esi+ebx*2], ax
		call	_wcschr
		pop	ecx
		pop	ecx
		movzx	ecx, di
		test	eax, eax
		jz	short loc_87BA58
		sub	eax, esi
		and	eax, 0FFFFFFFEh
		mov	word ptr [ebp+var_1C], ax
		movzx	ecx, ax

loc_87BA58:				; CODE XREF: MmCallDllInitialize+108j
		movzx	eax, cx
		xor	ecx, ecx
		shr	eax, 1
		mov	[esi+eax*2], cx
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		call	_VfDriverInitStarting@0	; VfDriverInitStarting()
		mov	edi, eax
		lea	eax, [ebp+var_14]
		push	eax
		call	[ebp+var_8]
		push	0
		push	[ebp+var_10]
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	short loc_87BAA9
		cmp	byte_6CF558, 0
		jnz	short loc_87BAA9
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	_VfDriverInitSuccess@8 ; VfDriverInitSuccess(x,x)

loc_87BAA9:				; CODE XREF: MmCallDllInitialize+152j
					; MmCallDllInitialize+15Bj
		mov	eax, esi

loc_87BAAB:				; CODE XREF: MmCallDllInitialize+170j
					; MmCallDllInitialize+69798j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_87BAB0:				; CODE XREF: MmCallDllInitialize+30j
		xor	eax, eax
		jmp	short loc_87BAAB
MmCallDllInitialize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmGetDeviceMappedPropertyFromInstanceKeyRegValue(int,void *,int,int,int,int)
_CmGetDeviceMappedPropertyFromInstanceKeyRegValue proc near
					; CODE XREF: _CmGetDeviceMappedProperty+18Ap
					; _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+11Cp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 008E5104 SIZE 000000AD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_1C], edx
		mov	edx, [ebp+arg_C]
		mov	[eax], esi
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], esi
		mov	[eax], esi
		push	edi
		test	edx, edx
		jz	loc_8E5104
		mov	ecx, [ebp+arg_10]
		mov	eax, ecx
		neg	eax
		mov	[ebp+var_8], ecx
		sbb	eax, eax
		and	eax, edx
		mov	[ebp+arg_C], eax

loc_87BAF3:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+69653j
		mov	edi, [ebp+arg_4]
		mov	ebx, offset off_A42DF0
		mov	ecx, esi
		mov	[ebp+var_10], esi
		mov	edx, [edi+10h]
		mov	[ebp+var_14], edx

loc_87BB06:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+6966Fj
		mov	eax, [ebx]
		mov	[ebp+arg_10], ebx
		cmp	edx, [eax+10h]
		jnz	loc_8E5112
		push	10h		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8E510C
		mov	eax, ebx

loc_87BB2A:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+69675j
		mov	edi, esi
		test	eax, eax
		jz	loc_8E512E
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jnz	short loc_87BB5A
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_20]
		push	esi
		push	eax
		push	esi
		push	1
		push	esi
		push	10h
		call	_CmOpenDeviceRegKey
		mov	edi, eax
		test	edi, edi
		js	short loc_87BBB9
		mov	eax, [ebp+arg_10]

loc_87BB5A:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+85j
		mov	ecx, [eax+8]
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_0], ecx
		cmp	dword ptr [eax+10h], 2
		jnz	loc_8E513B
		push	10h		; size_t
		push	offset _DEVPKEY_Device_Reported	; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8E5138
		mov	[ebp+arg_10], esi
		mov	[ebp+arg_4], 4
		test	ebx, ebx
		jnz	short loc_87BB96
		mov	ebx, [ebp+var_4]

loc_87BB96:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+DDj
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+arg_4]
		push	eax
		lea	eax, [ebp+arg_10]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_RegRtlQueryValue
		test	eax, eax
		jns	short loc_87BBD0

loc_87BBB0:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+120j
					; _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+126j ...
		test	esi, esi
		jnz	short loc_87BBE1

loc_87BBB4:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+696B1j
					; _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+696BDj
		mov	edi, 0C0000225h

loc_87BBB9:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+A1j
					; _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+149j ...
		cmp	[ebp+var_4], 0
		jz	short loc_87BBC7
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_87BBC7:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+109j
					; _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+6967Fj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_87BBD0:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+FAj
		cmp	[ebp+var_C], 4
		jnz	short loc_87BBB0
		cmp	[ebp+arg_4], 4
		jnz	short loc_87BBB0
		mov	esi, [ebp+arg_10]
		jmp	short loc_87BBB0
; 

loc_87BBE1:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+FEj
		mov	eax, [ebp+arg_14]
		xor	ecx, ecx
		inc	ecx
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 11h
		cmp	[ebp+var_8], ecx
		jb	short loc_87BBFF
		mov	eax, [ebp+arg_C]
		mov	byte ptr [eax],	0FFh
		jmp	short loc_87BBB9
; 

loc_87BBFF:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+141j
		mov	edi, 0C0000023h
		jmp	short loc_87BBB9
_CmGetDeviceMappedPropertyFromInstanceKeyRegValue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbArbiterHandler proc near		; DATA XREF: IopPnPDispatch+334o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E51B1 SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	dword ptr [esi+4]
		call	KeWaitForSingleObject
		mov	ebx, [ebp+arg_4]
		cmp	ebx, 9		; switch 10 cases
		ja	loc_8E51E8	; default
		jmp	ds:off_87BCBE[ebx*4] ; switch jump

loc_87BC40:				; DATA XREF: PAGE:off_87BCBEo
		push	[ebp+arg_8]	; case 0x9
		push	esi
		call	dword ptr [esi+5Ch]

loc_87BC47:				; CODE XREF: ArbArbiterHandler+82j
					; ArbArbiterHandler+88j ...
		mov	edi, eax

loc_87BC49:				; CODE XREF: ArbArbiterHandler+695E7j
		test	edi, edi
		js	short loc_87BC60
		test	ebx, ebx
		jz	short loc_87BCA8
		cmp	ebx, 2
		jz	short loc_87BC90
		cmp	ebx, 1
		jz	short loc_87BCA8
		cmp	ebx, 3
		jz	short loc_87BC90

loc_87BC60:				; CODE XREF: ArbArbiterHandler+45j
					; ArbArbiterHandler+A0j ...
		push	0
		push	0
		push	dword ptr [esi+4]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_87BC81:				; CODE XREF: ArbArbiterHandler+33j
					; DATA XREF: PAGE:off_87BCBEo
		push	[ebp+arg_8]	; case 0x0
		push	esi
		call	dword ptr [esi+4Ch]
		jmp	short loc_87BC47
; 

loc_87BC8A:				; CODE XREF: ArbArbiterHandler+33j
					; DATA XREF: PAGE:off_87BCBEo
		push	esi		; case 0x2
		call	dword ptr [esi+54h]
		jmp	short loc_87BC47
; 

loc_87BC90:				; CODE XREF: ArbArbiterHandler+4Ej
					; ArbArbiterHandler+58j
		push	0
		push	0
		push	dword ptr [esi+98h]
		mov	byte ptr [esi+94h], 0
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_87BC60
; 

loc_87BCA8:				; CODE XREF: ArbArbiterHandler+49j
					; ArbArbiterHandler+53j
		push	dword ptr [esi+98h]
		mov	byte ptr [esi+94h], 1
		call	_KeResetEvent@4	; KeResetEvent(x)
		jmp	short loc_87BC60
ArbArbiterHandler endp

; 
		db 8Bh,	0FFh
off_87BCBE	dd offset loc_87BC81	; DATA XREF: ArbArbiterHandler+33r
		dd offset loc_8E51B1	; jump table for switch	statement
		dd offset loc_87BC8A
		dd offset loc_8E51BD
		dd offset loc_8E51DE
		dd offset loc_8E51DE
		dd offset loc_8E51C6
		dd offset loc_8E51D2
		dd offset loc_8E51DE
		dd offset loc_87BC40

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ArbBacktrackAllocation(x, x)
_ArbBacktrackAllocation@8 proc near	; DATA XREF: ArbInitializeArbiterInstance+17Ao

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx+20h]
		push	dword ptr [eax+10h]
		mov	eax, [ebp+arg_0]
		push	dword ptr [ecx+0Ch]
		push	dword ptr [ecx+8]
		push	dword ptr [ecx+4]
		push	dword ptr [ecx]
		push	dword ptr [eax+18h]
		call	RtlDeleteRange
		pop	ebp
		retn	8
_ArbBacktrackAllocation@8 endp ; sp = -18h

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2188. RtlInvertRangeList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInvertRangeList(x, x)
		public _RtlInvertRangeList@8
_RtlInvertRangeList@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_RtlInvertRangeListEx@20 ; RtlInvertRangeListEx(x,x,x,x,x)
		pop	ebp
		retn	8
_RtlInvertRangeList@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbOverrideConflict proc near		; DATA XREF: ArbInitializeArbiterInstance+18Co

var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E51F2 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_14]
		xor	ebx, ebx
		stosd
		mov	[ebp+var_4], ebx
		stosd
		stosd
		stosd
		mov	eax, [esi+24h]
		test	byte ptr [eax+24h], 2
		jz	loc_87BDE7
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+18h]
		call	_RtlGetFirstRange@12 ; RtlGetFirstRange(x,x,x)
		mov	edx, [ebp+var_4]
		test	edx, edx
		jz	short loc_87BDB2
		mov	eax, [esi+14h]
		mov	edi, [esi+10h]
		mov	[ebp+arg_4], eax

loc_87BD7A:				; CODE XREF: ArbOverrideConflict+82j
		mov	eax, [edx+4]
		mov	ecx, [edx]
		mov	[ebp+arg_0], eax
		cmp	eax, [ebp+arg_4]
		ja	short loc_87BDB6
		jb	short loc_87BD8D
		cmp	ecx, edi
		jnb	short loc_87BDB6

loc_87BD8D:				; CODE XREF: ArbOverrideConflict+59j
		mov	eax, [edx+0Ch]
		cmp	eax, [ebp+arg_4]
		jb	short loc_87BD9C
		ja	short loc_87BDF0
		cmp	[edx+8], edi
		jnb	short loc_87BDF0

loc_87BD9C:				; CODE XREF: ArbOverrideConflict+65j
					; ArbOverrideConflict+9Bj ...
		push	1
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	RtlGetNextRange
		mov	edx, [ebp+var_4]
		test	edx, edx
		jnz	short loc_87BD7A

loc_87BDB2:				; CODE XREF: ArbOverrideConflict+41j
		mov	al, bl
		jmp	short loc_87BDE9
; 

loc_87BDB6:				; CODE XREF: ArbOverrideConflict+57j
					; ArbOverrideConflict+5Dj ...
		cmp	[ebp+arg_4], eax
		jb	short loc_87BDC1
		ja	short loc_87BDD0
		cmp	edi, ecx
		jnb	short loc_87BDD0

loc_87BDC1:				; CODE XREF: ArbOverrideConflict+8Bj
		mov	eax, [esi+1Ch]
		cmp	eax, [ebp+arg_0]
		ja	short loc_87BDD0
		jb	short loc_87BD9C
		cmp	[esi+18h], ecx
		jb	short loc_87BD9C

loc_87BDD0:				; CODE XREF: ArbOverrideConflict+8Dj
					; ArbOverrideConflict+91j ...
		mov	al, [edx+18h]
		test	[esi+33h], al
		jnz	short loc_87BD9C
		mov	ecx, [esi+20h]
		mov	eax, [edx+14h]
		cmp	eax, [ecx+10h]
		jz	loc_8E51F2

loc_87BDE7:				; CODE XREF: ArbOverrideConflict+23j
					; ArbOverrideConflict+694CBj
		xor	al, al

loc_87BDE9:				; CODE XREF: ArbOverrideConflict+86j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_87BDF0:				; CODE XREF: ArbOverrideConflict+67j
					; ArbOverrideConflict+6Cj
		mov	eax, [ebp+arg_0]
		jmp	short loc_87BDB6
ArbOverrideConflict endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopPortAddAllocation proc near		; DATA XREF: IopPortInitialize()+1Fo

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E521A SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	eax, [esi+20h]
		push	dword ptr [eax+10h]
		mov	eax, [esi+24h]
		push	0
		mov	eax, [eax+24h]
		and	eax, 1
		lea	eax, ds:1[eax*2]
		push	eax
		movzx	eax, byte ptr [esi+32h]
		push	eax
		push	dword ptr [esi+0Ch]
		mov	eax, [ebp+arg_0]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		push	dword ptr [eax+18h]
		call	_RtlAddRange@36	; RtlAddRange(x,x,x,x,x,x,x,x,x)
		mov	ebx, [esi]
		mov	eax, [esi+4]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], eax

loc_87BE42:				; CODE XREF: IopPortAddAllocation+6946Ej
		mov	edi, [esi+24h]
		lea	edx, [ebp+var_8]
		push	eax
		push	ebx
		mov	eax, [edi+28h]
		movzx	ecx, word ptr [eax+4]
		call	IopPortGetNextAlias
		test	al, al
		jnz	loc_8E521A
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
IopPortAddAllocation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopPortGetNextAlias proc near		; CODE XREF: IopPortAddAllocation+5Bp
					; IopPortBacktrackAllocation(x,x)+30p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E5269 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	cl, 4
		jnz	loc_8E5269
		test	cl, 8
		jnz	loc_8E5270

loc_87BE7D:				; CODE XREF: IopPortGetNextAlias+69419j
					; IopPortGetNextAlias+69426j
		xor	al, al

loc_87BE7F:				; CODE XREF: IopPortGetNextAlias+69433j
		pop	ebp
		retn	8
IopPortGetNextAlias endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbShareDriverExclusive	proc near	; CODE XREF: ArbFindSuitableRange+F5p

var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= word ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E529E SIZE 000000F0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		mov	esi, edx
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		stosd
		mov	[ebp+var_11], cl
		mov	ecx, [esi+20h]
		stosd
		stosd
		mov	eax, [ecx+18h]
		test	al, 2
		jnz	loc_8E529E
		test	al, 4
		jnz	short loc_87BEFF
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	0Ah
		push	0Fh
		push	dword ptr [ecx+10h]
		call	IoGetDeviceProperty
		test	eax, eax
		js	short loc_87BEFF
		lea	eax, [ebp+var_10]
		push	offset ??_C@_19OLEIDBPB@?$AAR?$AAO?$AAO?$AAT@NNGAKEGL@ ; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		mov	edx, [esi+20h]
		pop	ecx
		pop	ecx
		mov	ecx, [edx+18h]
		test	eax, eax
		jz	loc_8E52A7
		or	ecx, 4

loc_87BEFC:				; CODE XREF: ArbShareDriverExclusive+6942Aj
		mov	[edx+18h], ecx

loc_87BEFF:				; CODE XREF: ArbShareDriverExclusive+3Dj
					; ArbShareDriverExclusive+55j ...
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		push	dword ptr [ebx+18h]
		call	_RtlGetFirstRange@12 ; RtlGetFirstRange(x,x,x)

loc_87BF0F:				; CODE XREF: ArbShareDriverExclusive+C5j
		mov	edi, [ebp+var_18]
		test	edi, edi
		jz	short loc_87BF87
		mov	eax, [edi+4]
		mov	ebx, [esi+14h]
		mov	edx, [edi]
		mov	ecx, [esi+10h]
		mov	[ebp+var_1C], eax
		cmp	eax, ebx
		ja	short loc_87BF4B
		jb	short loc_87BF2E
		cmp	edx, ecx
		jnb	short loc_87BF4B

loc_87BF2E:				; CODE XREF: ArbShareDriverExclusive+A4j
		cmp	[edi+0Ch], ebx
		jb	short loc_87BF3A
		ja	short loc_87BF98
		cmp	[edi+8], ecx
		jnb	short loc_87BF98

loc_87BF3A:				; CODE XREF: ArbShareDriverExclusive+ADj
					; ArbShareDriverExclusive+D7j ...
		push	1
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		call	RtlGetNextRange
		jmp	short loc_87BF0F
; 

loc_87BF4B:				; CODE XREF: ArbShareDriverExclusive+A2j
					; ArbShareDriverExclusive+A8j ...
		cmp	ebx, eax
		jb	short loc_87BF55
		ja	short loc_87BF64
		cmp	ecx, edx
		jnb	short loc_87BF64

loc_87BF55:				; CODE XREF: ArbShareDriverExclusive+C9j
		mov	eax, [esi+1Ch]
		cmp	eax, [ebp+var_1C]
		jb	short loc_87BF3A
		ja	short loc_87BF64
		cmp	[esi+18h], edx
		jb	short loc_87BF3A

loc_87BF64:				; CODE XREF: ArbShareDriverExclusive+CBj
					; ArbShareDriverExclusive+CFj ...
		mov	cl, [edi+18h]
		test	[esi+33h], cl
		jnz	short loc_87BF3A
		mov	eax, [esi+24h]
		push	2
		pop	ebx
		mov	eax, [eax+28h]
		cmp	[eax+2], bl
		jz	loc_8E52B3
		test	cl, bl
		jz	short loc_87BF3A
		jmp	loc_8E52B3
; 

loc_87BF87:				; CODE XREF: ArbShareDriverExclusive+90j
		xor	al, al

loc_87BF89:				; CODE XREF: ArbShareDriverExclusive+69505j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_87BF98:				; CODE XREF: ArbShareDriverExclusive+AFj
					; ArbShareDriverExclusive+B4j
		mov	eax, [ebp+var_1C]
		jmp	short loc_87BF4B
ArbShareDriverExclusive	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpFilterResourceRequirementsList proc near ; CODE XREF: IopQueryDeviceResources+23Bp
					; PnpGetResourceRequirementsForAssignTable+6C2FDp

var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E538E SIZE 00000208 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_88], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], ecx
		mov	[ebx], ecx
		mov	[eax], ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_5C], edi
		test	esi, esi
		jz	loc_8E5578
		cmp	[esi+1Ch], ecx
		jz	loc_8E5578
		push	75737050h
		push	dword ptr [esi]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_14], ebx
		test	ebx, ebx
		jz	loc_8E538E
		push	dword ptr [esi]	; size_t
		push	esi		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		test	edi, edi
		jz	loc_8E556E
		mov	edx, [edi]
		test	edx, edx
		jz	loc_8E556E
		mov	ebx, [ebp+var_44]
		lea	eax, [edi+4]
		mov	[ebp+var_90], eax

loc_87C021:				; CODE XREF: PnpFilterResourceRequirementsList+C6j
		mov	esi, [eax+0Ch]
		add	ebx, esi
		add	eax, 10h
		test	esi, esi
		jz	short loc_87C061

loc_87C02D:				; CODE XREF: PnpFilterResourceRequirementsList+BEj
		mov	cl, [eax]
		xor	edi, edi
		cmp	cl, 5
		jz	loc_8E5398
		cmp	cl, 7Fh
		ja	loc_87C0DD

loc_87C043:				; CODE XREF: PnpFilterResourceRequirementsList+142j
		test	cl, cl
		jz	loc_87C0E6
		cmp	cl, 8
		jnb	loc_87C0E6

loc_87C054:				; CODE XREF: PnpFilterResourceRequirementsList+149j
		add	eax, 10h
		add	eax, edi
		sub	esi, 1
		jnz	short loc_87C02D
		mov	[ebp+var_44], ebx

loc_87C061:				; CODE XREF: PnpFilterResourceRequirementsList+8Dj
		sub	edx, 1
		jnz	short loc_87C021
		mov	[ebp+var_44], ebx
		test	ebx, ebx
		mov	ebx, [ebp+var_14]
		jz	loc_8E556E
		mov	ecx, [ebx+1Ch]
		lea	edi, [ebx+20h]
		xor	esi, esi
		mov	[ebp+var_6C], edi
		mov	[ebp+var_94], esi
		mov	eax, edi
		lea	edx, [ecx-1]
		test	edx, edx
		js	short loc_87C0C0

loc_87C08E:				; CODE XREF: PnpFilterResourceRequirementsList+11Dj
		lea	ecx, [eax+8]
		mov	eax, [eax+4]
		shl	eax, 5
		add	eax, ecx
		cmp	ecx, eax
		jnb	short loc_87C0B8

loc_87C09D:				; CODE XREF: PnpFilterResourceRequirementsList+112j
		cmp	byte ptr [ecx+1], 0
		jz	loc_8E53A0

loc_87C0A7:				; CODE XREF: PnpFilterResourceRequirementsList+69403j
		mov	byte ptr [ecx+3], 0
		add	ecx, 20h
		cmp	ecx, eax
		jb	short loc_87C09D
		mov	[ebp+var_94], esi

loc_87C0B8:				; CODE XREF: PnpFilterResourceRequirementsList+FDj
		sub	edx, 1
		jns	short loc_87C08E
		mov	ecx, [ebx+1Ch]

loc_87C0C0:				; CODE XREF: PnpFilterResourceRequirementsList+EEj
		lea	eax, [ecx-1]
		mov	[ebp+var_58], edi
		mov	edx, eax
		mov	[ebp+var_68], eax
		mov	eax, 0FFFFh
		test	edx, edx
		mov	[ebp+var_BC], eax
		jmp	loc_87C16A
; 

loc_87C0DD:				; CODE XREF: PnpFilterResourceRequirementsList+9Fj
		cmp	cl, 81h
		ja	loc_87C043

loc_87C0E6:				; CODE XREF: PnpFilterResourceRequirementsList+A7j
					; PnpFilterResourceRequirementsList+B0j ...
		dec	ebx
		jmp	loc_87C054
; 

loc_87C0EC:				; CODE XREF: PnpFilterResourceRequirementsList+472j
		mov	eax, [ebp+var_5C]

loc_87C0EF:				; CODE XREF: PnpFilterResourceRequirementsList+238j
		mov	ecx, edx
		mov	edx, [ebp+var_84]
		inc	edx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_84], edx
		cmp	edx, [eax]
		jb	loc_87C1C8
		mov	esi, [ebp+var_8]
		mov	edx, [ebp+var_8C]

loc_87C112:				; CODE XREF: PnpFilterResourceRequirementsList+224j
		mov	eax, [ebp+var_44]
		cmp	[edi], ax
		jnz	loc_87C671
		mov	ecx, [edi+4]
		cmp	ecx, eax
		jnz	loc_87C6E3

loc_87C129:				; CODE XREF: PnpFilterResourceRequirementsList+69588j
		cmp	[ebp+var_88], 0
		jnz	loc_87C671
		add	[ebp+var_48], ecx
		cmp	[ebp+var_64], 0
		mov	eax, [ebp+var_60]
		mov	[ebp+var_88], edi
		mov	[edi], ax
		jz	short loc_87C154
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 1

loc_87C154:				; CODE XREF: PnpFilterResourceRequirementsList+1ABj
					; PnpFilterResourceRequirementsList+6DEj ...
		mov	eax, [ebp+var_74]
		mov	[edi+4], eax
		mov	edi, esi
		mov	[ebp+var_58], edi
		mov	eax, 0FFFFh

loc_87C164:				; CODE XREF: PnpFilterResourceRequirementsList+6941Fj
		mov	ecx, [ebx+1Ch]
		sub	edx, 1

loc_87C16A:				; CODE XREF: PnpFilterResourceRequirementsList+13Aj
		mov	[ebp+var_8C], edx
		js	loc_87C538
		movzx	ecx, word ptr [edi]
		mov	[ebp+var_60], ecx
		cmp	cx, ax
		jz	loc_8E53A6

loc_87C185:				; CODE XREF: PnpFilterResourceRequirementsList+6940Fj
		mov	ecx, [edi+4]
		xor	eax, eax
		mov	esi, ecx
		mov	[edi], ax
		lea	eax, [edi+8]
		shl	esi, 5
		add	esi, eax
		mov	[ebp+var_74], ecx
		mov	[ebp+var_8], esi
		cmp	eax, esi
		jz	loc_8E53B2
		mov	eax, [ebp+var_5C]
		and	[ebp+var_84], 0
		mov	ecx, [ebp+var_90]
		mov	[ebp+var_64], 1
		cmp	dword ptr [eax], 0
		mov	[ebp+var_80], ecx
		jbe	loc_87C112

loc_87C1C8:				; CODE XREF: PnpFilterResourceRequirementsList+165j
		xor	esi, esi
		lea	edx, [ecx+10h]
		mov	[ebp+var_18], edx
		mov	[ebp+var_7C], esi
		cmp	[ecx+0Ch], esi
		jbe	loc_87C0EF

loc_87C1DC:				; CODE XREF: PnpFilterResourceRequirementsList+46Cj
		mov	cl, [edx]
		and	[ebp+var_54], 0
		movzx	eax, cl
		sub	eax, 5
		jz	loc_8E551A
		sub	eax, 7Ch
		jz	loc_87C3F5
		test	cl, cl
		jz	loc_87C3F5
		cmp	cl, 8
		jnb	loc_87C3F5
		and	[ebp+var_20], 0
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_20]

loc_87C212:				; CODE XREF: PnpFilterResourceRequirementsList+44Ej
		lea	esi, [edi+8]
		cmp	esi, eax
		jnb	loc_87C3E5
		mov	cl, [edx]
		mov	[ebp+var_1], cl

loc_87C222:				; CODE XREF: PnpFilterResourceRequirementsList+294j
		cmp	[esi+1], cl
		jnz	short loc_87C22D
		cmp	byte ptr [esi+3], 0
		jz	short loc_87C239

loc_87C22D:				; CODE XREF: PnpFilterResourceRequirementsList+287j
					; PnpFilterResourceRequirementsList+595j
		add	esi, 20h
		cmp	esi, eax
		jb	short loc_87C222
		jmp	loc_87C3DF
; 

loc_87C239:				; CODE XREF: PnpFilterResourceRequirementsList+28Dj
		mov	ecx, [ebp+var_18]
		xor	eax, eax
		xor	edx, edx
		mov	[ebp+var_10], eax
		and	[ebp+var_4C], edx
		and	[ebp+var_40], edx
		mov	cl, [ecx+1]
		mov	[ebp+var_98], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_A4], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_A0], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_AC], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_A8], eax
		inc	eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_2C], eax
		mov	al, [esi+2]
		mov	[ebp+var_9C], edx
		mov	[ebp+var_A], al
		mov	[ebp+var_9], cl
		test	cl, cl
		jz	loc_8E53C2
		cmp	cl, 3
		ja	loc_8E53C2

loc_87C29D:				; CODE XREF: PnpFilterResourceRequirementsList+69429j
		test	al, al
		jz	loc_8E53CC
		cmp	al, 3
		ja	loc_8E53CC

loc_87C2AD:				; CODE XREF: PnpFilterResourceRequirementsList+69431j
		movzx	ecx, [ebp+var_1]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_B8], ecx
		mov	[ebp+var_78], eax
		mov	[ebp+var_B4], eax
		xor	eax, eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_B0], eax
		mov	eax, ecx
		sub	eax, 1
		jz	loc_87C41E
		sub	eax, 1
		jnz	loc_87C415
		mov	eax, [ebp+var_18]
		mov	edx, [eax+8]

loc_87C2E8:				; CODE XREF: PnpFilterResourceRequirementsList+69450j
		and	[ebp+var_30], 0
		xor	eax, eax
		and	[ebp+var_28], 0
		mov	[ebp+var_38], eax
		mov	[ebp+var_10], eax
		mov	eax, [esi+8]
		mov	[ebp+var_34], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_1C], edx
		mov	[ebp+var_24], eax

loc_87C307:				; CODE XREF: PnpFilterResourceRequirementsList+69445j
		mov	eax, [ebp+var_2C]

loc_87C30A:				; CODE XREF: PnpFilterResourceRequirementsList+51Dj
		cmp	[ebp+var_20], 0
		jnz	loc_87C4EC
		mov	cl, [ebp+var_9]
		cmp	cl, [ebp+var_A]
		jnz	loc_87C52D
		cmp	[ebp+var_34], edx
		jnz	loc_87C52D
		mov	ecx, [ebp+var_10]
		cmp	[ebp+var_30], ecx
		jnz	loc_87C52D
		mov	ecx, [ebp+var_38]
		mov	ebx, [ebp+var_14]
		cmp	[ebp+var_28], ecx
		ja	short loc_87C355
		jb	loc_87C52D
		mov	ebx, [ebp+var_24]
		cmp	ebx, [ebp+var_1C]
		mov	ebx, [ebp+var_14]
		jb	loc_87C52D

loc_87C355:				; CODE XREF: PnpFilterResourceRequirementsList+3A0j
		mov	edi, [ebp+var_4C]
		cmp	[ebp+var_40], edi
		mov	edi, [ebp+var_58]
		ja	short loc_87C36F
		jb	loc_87C52D
		cmp	eax, [ebp+var_50]
		jb	loc_87C52D

loc_87C36F:				; CODE XREF: PnpFilterResourceRequirementsList+3C0j
		mov	eax, [ebp+var_24]
		cmp	eax, [ebp+var_1C]
		jnz	loc_8E5491
		cmp	[ebp+var_28], ecx
		jnz	loc_8E5491

loc_87C384:				; CODE XREF: PnpFilterResourceRequirementsList+694F7j
		inc	word ptr [edi]
		test	byte ptr [esi],	8
		mov	byte ptr [esi+3], 80h
		jnz	loc_8E549A

loc_87C394:				; CODE XREF: PnpFilterResourceRequirementsList+6950Ej
					; PnpFilterResourceRequirementsList+6951Bj
		mov	eax, [ebp+var_18]
		mov	byte ptr [esi],	1
		mov	ax, [eax+2]
		mov	[esi+4], ax
		mov	al, [esi+1]
		cmp	al, 3
		jz	loc_87C4C0
		cmp	al, 1
		jz	loc_87C4C0
		cmp	al, 7
		jz	loc_87C4C0
		cmp	al, 6
		jz	loc_87C6D2

loc_87C3C5:				; CODE XREF: PnpFilterResourceRequirementsList+549j
					; PnpFilterResourceRequirementsList+740j
		mov	eax, [ebp+var_8]
		add	esi, 20h

loc_87C3CB:				; CODE XREF: PnpFilterResourceRequirementsList+6952Aj
		cmp	esi, eax
		jnb	short loc_87C3D8
		test	byte ptr [esi],	8
		jnz	loc_8E54BE

loc_87C3D8:				; CODE XREF: PnpFilterResourceRequirementsList+42Fj
		mov	[ebp+var_20], 1

loc_87C3DF:				; CODE XREF: PnpFilterResourceRequirementsList+296j
		mov	edx, [ebp+var_18]

loc_87C3E2:				; CODE XREF: PnpFilterResourceRequirementsList+69563j
					; PnpFilterResourceRequirementsList+69577j
		mov	ecx, [ebp+var_20]

loc_87C3E5:				; CODE XREF: PnpFilterResourceRequirementsList+279j
		inc	ecx
		mov	[ebp+var_20], ecx
		cmp	ecx, 2
		jb	loc_87C212
		mov	esi, [ebp+var_7C]

loc_87C3F5:				; CODE XREF: PnpFilterResourceRequirementsList+253j
					; PnpFilterResourceRequirementsList+25Bj ...
		mov	eax, [ebp+var_54]

loc_87C3F8:				; CODE XREF: PnpFilterResourceRequirementsList+6957Fj
		add	eax, 10h
		add	edx, eax
		mov	eax, [ebp+var_80]
		inc	esi
		mov	[ebp+var_18], edx
		mov	[ebp+var_7C], esi
		cmp	esi, [eax+0Ch]
		jb	loc_87C1DC
		jmp	loc_87C0EC
; 

loc_87C415:				; CODE XREF: PnpFilterResourceRequirementsList+33Ej
		sub	eax, 1
		jnz	loc_87C681

loc_87C41E:				; CODE XREF: PnpFilterResourceRequirementsList+335j
					; PnpFilterResourceRequirementsList+69439j
		lea	eax, [ebp+var_9C]
		push	eax
		push	[ebp+var_18]
		call	RtlCmDecodeMemIoResource
		mov	ecx, eax
		mov	eax, edx
		mov	edx, ecx
		mov	[ebp+var_50], ecx
		mov	ecx, [ebp+var_9C]
		add	edx, ecx
		mov	[ebp+var_4C], eax
		mov	[ebp+var_70], ecx
		mov	ecx, [ebp+var_98]
		adc	eax, ecx
		add	edx, 0FFFFFFFFh
		mov	[ebp+var_10], ecx
		mov	[ebp+var_1C], edx
		adc	eax, 0FFFFFFFFh
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_AC]
		push	eax
		lea	eax, [ebp+var_A4]
		push	eax
		lea	eax, [ebp+var_B4]
		push	eax
		push	esi
		call	RtlIoDecodeMemIoResource
		mov	ecx, [ebp+var_A0]
		mov	[ebp+var_30], ecx
		mov	ecx, [ebp+var_A4]
		mov	[ebp+var_34], ecx
		mov	ecx, [ebp+var_A8]
		mov	[ebp+var_28], ecx
		mov	ecx, [ebp+var_AC]
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+var_B0]
		mov	[ebp+var_3C], ecx
		mov	ecx, [ebp+var_B4]
		mov	[ebp+var_40], edx
		mov	edx, [ebp+var_70]
		mov	[ebp+var_78], ecx
		mov	ecx, [ebp+var_B8]

loc_87C4B8:				; CODE XREF: PnpFilterResourceRequirementsList+72Fj
		mov	[ebp+var_2C], eax
		jmp	loc_87C30A
; 

loc_87C4C0:				; CODE XREF: PnpFilterResourceRequirementsList+409j
					; PnpFilterResourceRequirementsList+411j ...
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_40]
		mov	[esi+14h], eax
		mov	eax, [ebp+var_2C]
		add	eax, edx
		mov	[esi+10h], edx
		mov	dword ptr [esi+0Ch], 1
		adc	ecx, [ebp+var_10]
		sub	eax, 1
		mov	[esi+18h], eax
		sbb	ecx, 0
		mov	[esi+1Ch], ecx
		jmp	loc_87C3C5
; 

loc_87C4EC:				; CODE XREF: PnpFilterResourceRequirementsList+370j
		mov	bl, [ebp+var_9]
		and	[ebp+var_64], 0
		cmp	bl, [ebp+var_A]
		mov	ebx, [ebp+var_14]
		jnz	short loc_87C52D
		mov	ebx, [ebp+var_10]
		cmp	[ebp+var_30], ebx
		mov	ebx, [ebp+var_14]
		jb	short loc_87C50D
		ja	short loc_87C52D
		cmp	[ebp+var_34], edx
		ja	short loc_87C52D

loc_87C50D:				; CODE XREF: PnpFilterResourceRequirementsList+566j
		mov	ebx, [ebp+var_28]
		cmp	ebx, [ebp+var_38]
		mov	ebx, [ebp+var_14]
		jb	short loc_87C52D
		ja	loc_8E53F3
		mov	ebx, [ebp+var_24]
		cmp	ebx, [ebp+var_1C]
		mov	ebx, [ebp+var_14]
		jnb	loc_8E53F3

loc_87C52D:				; CODE XREF: PnpFilterResourceRequirementsList+37Cj
					; PnpFilterResourceRequirementsList+385j ...
		mov	cl, [ebp+var_1]
		mov	eax, [ebp+var_8]
		jmp	loc_87C22D
; 

loc_87C538:				; CODE XREF: PnpFilterResourceRequirementsList+1D2j
		test	ecx, ecx
		jz	loc_8E5531
		mov	esi, [ebp+var_48]
		sub	esi, [ebp+var_94]
		imul	eax, ecx, 28h
		inc	esi
		shl	esi, 5
		push	75737050h
		add	esi, eax
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_70], ebx
		test	ebx, ebx
		jz	loc_8E5544
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+var_90]
		add	esp, 0Ch
		mov	ecx, [ebp+var_14]
		mov	[ebx], esi
		mov	eax, [eax]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_5C]
		mov	eax, [eax+8]
		mov	[ebx+8], eax
		mov	eax, [ecx+0Ch]
		mov	[ebx+0Ch], eax
		mov	eax, [ecx+1Ch]
		cmp	eax, 1
		ja	loc_8E555B

loc_87C5A3:				; CODE XREF: PnpFilterResourceRequirementsList+695C3j
		cmp	[ebp+var_68], 0
		lea	esi, [ebx+20h]
		mov	[ebx+1Ch], eax
		mov	[ebp+arg_4], esi
		jl	loc_87C65B
		mov	edx, [ebp+var_6C]

loc_87C5B9:				; CODE XREF: PnpFilterResourceRequirementsList+6B4j
		mov	edi, [edx+4]
		lea	ecx, [edx+8]
		movzx	eax, word ptr [edx]
		shl	edi, 5
		add	edi, ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_74], edi
		cmp	ax, word ptr [ebp+var_BC]
		jz	short loc_87C64C
		mov	[esi], ax
		mov	ax, [edx+2]
		lea	edx, [esi+8]
		mov	[esi+2], ax
		cmp	byte ptr [ecx+1], 80h
		jz	loc_8E5566
		xor	eax, eax
		mov	word ptr [edx],	8001h
		mov	dword ptr [edx+2], 3
		mov	[edx+6], ax
		mov	dword ptr [edx+8], 1
		add	edx, 20h

loc_87C60A:				; CODE XREF: PnpFilterResourceRequirementsList+695CBj
		cmp	ecx, edi
		jnb	short loc_87C633
		mov	ebx, [ebp+var_6C]

loc_87C611:				; CODE XREF: PnpFilterResourceRequirementsList+68Dj
		cmp	byte ptr [ebx+1], 0
		jz	short loc_87C626
		push	8
		mov	edi, edx
		mov	esi, ebx
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_74]
		add	edx, 20h

loc_87C626:				; CODE XREF: PnpFilterResourceRequirementsList+677j
		add	ebx, 20h
		cmp	ebx, edi
		jb	short loc_87C611
		mov	ebx, [ebp+var_70]
		mov	esi, [ebp+arg_4]

loc_87C633:				; CODE XREF: PnpFilterResourceRequirementsList+66Ej
		mov	eax, edx
		sub	eax, esi
		sub	eax, 8
		sar	eax, 5
		mov	[esi+4], eax
		mov	dword ptr [esi+10h], 1
		mov	esi, edx
		mov	[ebp+arg_4], esi

loc_87C64C:				; CODE XREF: PnpFilterResourceRequirementsList+636j
		sub	[ebp+var_68], 1
		mov	edx, edi
		jns	loc_87C5B9
		mov	ecx, [ebp+var_14]

loc_87C65B:				; CODE XREF: PnpFilterResourceRequirementsList+612j
		mov	edx, [ebp+arg_0]
		push	0
		push	ecx
		mov	[edx], ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_87C668:				; CODE XREF: PnpFilterResourceRequirementsList+695D5j
					; PnpFilterResourceRequirementsList+695DCj ...
		xor	eax, eax

loc_87C66A:				; CODE XREF: PnpFilterResourceRequirementsList+693F5j
					; PnpFilterResourceRequirementsList+695B8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_87C671:				; CODE XREF: PnpFilterResourceRequirementsList+17Aj
					; PnpFilterResourceRequirementsList+192j
		mov	eax, 0FFFFh
		mov	[edi], ax
		dec	dword ptr [ebx+1Ch]
		jmp	loc_87C154
; 

loc_87C681:				; CODE XREF: PnpFilterResourceRequirementsList+47Aj
		sub	eax, 1
		jz	loc_8E53E8
		dec	eax
		sub	eax, 1
		jnz	loc_8E53D4
		mov	eax, [ebp+var_18]
		and	[ebp+var_10], 0
		and	[ebp+var_38], 0
		and	[ebp+var_4C], 0
		mov	edx, [eax+4]
		mov	eax, [eax+8]
		and	[ebp+var_30], 0
		and	[ebp+var_28], 0
		mov	[ebp+var_50], eax
		dec	eax
		add	eax, edx
		and	[ebp+var_40], 0
		mov	[ebp+var_1C], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_34], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_24], eax
		mov	eax, [esi+8]
		jmp	loc_87C4B8
; 

loc_87C6D2:				; CODE XREF: PnpFilterResourceRequirementsList+421j
		mov	eax, [ebp+var_2C]
		dec	eax
		mov	[esi+0Ch], edx
		add	eax, edx
		mov	[esi+10h], eax
		jmp	loc_87C3C5
; 

loc_87C6E3:				; CODE XREF: PnpFilterResourceRequirementsList+185j
		inc	eax
		cmp	ecx, eax
		jz	loc_8E5522

loc_87C6EC:				; CODE XREF: PnpFilterResourceRequirementsList+6958Ej
		mov	eax, [ebp+var_60]
		add	[ebp+var_48], ecx
		mov	[edi], ax
		jmp	loc_87C154
PnpFilterResourceRequirementsList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopMemFindSuitableRange(x, x)
_IopMemFindSuitableRange@8 proc	near	; DATA XREF: IopMemInitialize()+3Fo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx+20h]
		test	byte ptr [eax+18h], 1
		jnz	short loc_87C718

loc_87C70B:				; CODE XREF: IopMemFindSuitableRange(x,x)+22j
		push	ecx
		push	[ebp+arg_0]
		call	ArbFindSuitableRange
		pop	ebp
		retn	8
; 

loc_87C718:				; CODE XREF: IopMemFindSuitableRange(x,x)+Fj
		or	byte ptr [ecx+33h], 1
		jmp	short loc_87C70B
_IopMemFindSuitableRange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbBuildAssignmentOrdering proc	near	; CODE XREF: ArbInitializeArbiterInstance+1F0p

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E5596 SIZE 000000B8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_54], ecx
		lea	edi, [ebp+var_6C]
		push	6
		mov	[ebp+var_74], eax
		xor	eax, eax
		pop	ecx
		rep stosd
		push	8
		pop	ecx
		lea	edi, [ebp+var_28]
		mov	[ebp+var_34], edx
		rep stosd
		mov	eax, large fs:124h
		mov	[ebp+var_30], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_80], edx
		mov	[ebp+var_7C], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], edx
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_2C], edx
		nop
		mov	edi, [ebp+var_54]
		push	edx
		push	edx
		push	edx
		push	edx
		push	dword ptr [edi+4]
		call	KeWaitForSingleObject
		lea	ecx, [edi+1Ch]
		call	ArbFreeOrderingList
		lea	ecx, [edi+24h]
		call	ArbFreeOrderingList
		lea	ecx, [edi+1Ch]
		call	ArbInitializeOrderingList
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F2
		lea	ecx, [edi+24h]
		call	ArbInitializeOrderingList
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F2
		push	76h
		pop	eax
		mov	word ptr [ebp+var_40+2], ax
		xor	ebx, ebx
		mov	word ptr [ebp+var_40], ax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_34]
		mov	[ebp+var_3C], offset ??_C@_1HI@MHCMANAK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax
		mov	[ebp+var_6C], 18h
		mov	[ebp+var_68], ebx
		mov	[ebp+var_60], 240h
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F2
		push	1Eh
		pop	eax
		mov	word ptr [ebp+var_40+2], ax
		mov	word ptr [ebp+var_40], ax
		mov	eax, [ebp+var_34]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_30]
		mov	[ebp+var_3C], (offset loc_8C9A29+1)
		push	eax
		mov	[ebp+var_6C], 18h
		mov	[ebp+var_60], 240h
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F2
		mov	ecx, [ebp+var_30]
		lea	eax, [ebp+var_2C]
		push	eax
		mov	edx, offset ??_C@_19LFKAPJKP@?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@ ; "Root"
		call	ArbpGetRegistryValue
		mov	ebx, [ebp+var_2C]
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F5
		test	ebx, ebx
		jz	loc_8E55F5
		cmp	dword ptr [ebx+4], 1
		jz	loc_8E5596
		xor	esi, esi

loc_87C892:				; CODE XREF: ArbBuildAssignmentOrdering+68EACj
		push	[ebp+var_30]
		call	_ZwClose@4	; ZwClose(x)
		mov	[ebp+var_30], esi
		cmp	dword ptr [ebx+4], 0Ah
		jnz	loc_8E55CF
		mov	ecx, [ebx+8]
		add	ecx, 20h
		add	ecx, ebx
		mov	[ebp+var_38], ecx
		mov	eax, [ecx+4]
		lea	edx, [ecx+8]
		shl	eax, 5
		add	eax, 8
		mov	[ebp+var_2C], edx
		add	eax, ecx
		cmp	edx, eax
		jnb	short loc_87C91D

loc_87C8C7:				; CODE XREF: ArbBuildAssignmentOrdering+1FBj
		mov	eax, [ebp+var_74]
		test	eax, eax
		jz	loc_87CA4A
		push	edx
		lea	ecx, [ebp+var_28]
		push	ecx
		call	eax
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F5
		mov	edx, [ebp+var_2C]

loc_87C8E6:				; CODE XREF: ArbBuildAssignmentOrdering+339j
		mov	ecx, [ebp+var_28]
		mov	esi, [edi+10h]
		shr	ecx, 8
		movzx	eax, cl
		cmp	eax, esi
		jz	loc_87CA5C
		cmp	cl, 7
		jz	loc_8E55D6

loc_87C903:				; CODE XREF: ArbBuildAssignmentOrdering+37Dj
					; ArbBuildAssignmentOrdering+68EBBj
		mov	ecx, [ebp+var_38]
		add	edx, 20h
		mov	[ebp+var_2C], edx
		mov	eax, [ecx+4]
		shl	eax, 5
		add	eax, 8
		add	eax, ecx
		cmp	edx, eax
		jb	short loc_87C8C7
		xor	esi, esi

loc_87C91D:				; CODE XREF: ArbBuildAssignmentOrdering+1A7j
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	22h
		pop	eax
		push	esi
		mov	word ptr [ebp+var_40+2], ax
		mov	ebx, esi
		mov	word ptr [ebp+var_40], ax
		mov	eax, [ebp+var_34]
		push	esi
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_40]
		push	esi
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_6C]
		push	esi
		push	eax
		push	20019h
		lea	eax, [ebp+var_30]
		mov	[ebp+var_2C], ebx
		push	eax
		mov	[ebp+var_3C], offset ??_C@_1CE@MAKBJKNC@?$AAR?$AAe?$AAs?$AAe?$AAr?$AAv?$AAe?$AAd?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc@NNGAKEGL@ ;	"ReservedResources"
		mov	[ebp+var_6C], 18h
		mov	[ebp+var_60], 240h
		mov	[ebp+var_5C], esi
		mov	[ebp+var_58], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F5
		mov	ecx, [ebp+var_30]
		lea	eax, [ebp+var_2C]
		push	eax
		mov	edx, offset ??_C@_19LFKAPJKP@?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@ ; "Root"
		call	ArbpGetRegistryValue
		mov	ebx, [ebp+var_2C]
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F5
		cmp	dword ptr [ebx+4], 1
		jnz	short loc_87C9DA
		mov	edx, [ebx+8]
		xor	ecx, ecx
		mov	eax, [ebx+0Ch]
		add	edx, ebx
		shr	eax, 1
		mov	[ebp+var_38], ecx
		cmp	[edx+eax*2-2], cx
		jnz	loc_8E55CF
		mov	ecx, [ebp+var_30]
		lea	eax, [ebp+var_38]
		push	eax
		call	ArbpGetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F5
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_38]

loc_87C9DA:				; CODE XREF: ArbBuildAssignmentOrdering+27Fj
		push	[ebp+var_30]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_30], 0
		mov	ecx, [ebx+8]
		add	ecx, 20h
		add	ecx, ebx
		mov	[ebp+var_38], ecx
		lea	edx, [ecx+8]

loc_87C9F4:				; CODE XREF: ArbBuildAssignmentOrdering+32Aj
		mov	eax, [ecx+4]
		shl	eax, 5
		add	eax, 8
		mov	[ebp+var_2C], edx
		add	eax, ecx
		cmp	edx, eax
		jnb	loc_87CB14
		mov	eax, [ebp+var_74]
		test	eax, eax
		jz	loc_87CAA0
		push	edx
		lea	ecx, [ebp+var_28]
		push	ecx
		call	eax
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F5
		mov	edx, [ebp+var_2C]

loc_87CA29:				; CODE XREF: ArbBuildAssignmentOrdering+38Fj
		mov	ecx, [ebp+var_28]
		mov	esi, [edi+10h]
		shr	ecx, 8
		movzx	eax, cl
		cmp	eax, esi
		jz	short loc_87CAB2
		cmp	cl, 7
		jz	loc_8E55E4

loc_87CA42:				; CODE XREF: ArbBuildAssignmentOrdering+3F1j
					; ArbBuildAssignmentOrdering+68EC9j
		mov	ecx, [ebp+var_38]
		add	edx, 20h
		jmp	short loc_87C9F4
; 

loc_87CA4A:				; CODE XREF: ArbBuildAssignmentOrdering+1AEj
		push	8
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp+var_28]
		rep movsd
		mov	edi, [ebp+var_54]
		jmp	loc_87C8E6
; 

loc_87CA5C:				; CODE XREF: ArbBuildAssignmentOrdering+1D6j
					; ArbBuildAssignmentOrdering+68EC1j
		lea	eax, [ebp+var_80]
		push	eax
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	dword ptr [edi+3Ch]
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F5
		push	[ebp+var_44]
		lea	ecx, [edi+1Ch]
		push	[ebp+var_48]
		push	[ebp+var_4C]
		push	[ebp+var_50]
		call	ArbAddOrdering
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F5
		mov	edx, [ebp+var_2C]
		jmp	loc_87C903
; 

loc_87CAA0:				; CODE XREF: ArbBuildAssignmentOrdering+2F1j
		push	8
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp+var_28]
		rep movsd
		mov	edi, [ebp+var_54]
		jmp	loc_87CA29
; 

loc_87CAB2:				; CODE XREF: ArbBuildAssignmentOrdering+319j
					; ArbBuildAssignmentOrdering+68ECFj
		lea	eax, [ebp+var_80]
		push	eax
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	dword ptr [edi+3Ch]
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F5
		push	[ebp+var_44]
		lea	ecx, [edi+24h]
		push	[ebp+var_48]
		push	[ebp+var_4C]
		push	[ebp+var_50]
		call	ArbAddOrdering
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F5
		push	[ebp+var_44]
		lea	ecx, [edi+1Ch]
		push	[ebp+var_48]
		push	[ebp+var_4C]
		push	[ebp+var_50]
		call	ArbPruneOrdering
		mov	esi, eax
		test	esi, esi
		js	loc_8E55F5
		mov	edx, [ebp+var_2C]
		jmp	loc_87CA42
; 

loc_87CB14:				; CODE XREF: ArbBuildAssignmentOrdering+2E6j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	[ebp+var_34]
		call	_ZwClose@4	; ZwClose(x)
		xor	ebx, ebx
		mov	[ebp+var_34], ebx
		mov	esi, ebx

loc_87CB2B:				; CODE XREF: ArbBuildAssignmentOrdering+68F19j
					; ArbBuildAssignmentOrdering+68F2Bj
		push	ebx
		push	ebx
		push	dword ptr [edi+4]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
ArbBuildAssignmentOrdering endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGenericTranslateOrdering(x, x)
_IopGenericTranslateOrdering@8 proc near ; DATA	XREF: IopMemInitialize()+3o
					; IopPortInitialize()+3o

var_2		= dword	ptr -2
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		push	8
		pop	ecx
		mov	edi, ebx
		mov	byte ptr [ebp+var_2+1],	0
		rep movsd
		mov	esi, [ebp+arg_4]
		mov	byte ptr [ebp+var_2], 0
		mov	al, [esi+1]
		mov	byte ptr [ebp+arg_4+3],	al
		cmp	al, 1
		jz	short loc_87CB87
		cmp	al, 3
		jz	short loc_87CB87
		cmp	al, 7
		jnz	short loc_87CBBE

loc_87CB87:				; CODE XREF: IopGenericTranslateOrdering(x,x)+29j
					; IopGenericTranslateOrdering(x,x)+2Dj
		push	dword ptr [esi+14h]
		lea	ecx, [ebp-1]
		push	dword ptr [esi+10h]
		lea	edx, [ebx+10h]
		push	ecx
		mov	cl, al
		call	IopTranslateBusAddress
		test	eax, eax
		js	short loc_87CBC7
		push	dword ptr [esi+1Ch]
		mov	cl, byte ptr [ebp+arg_4+3]
		lea	eax, [ebp+var_2]
		push	dword ptr [esi+18h]
		lea	edx, [ebx+18h]
		push	eax
		call	IopTranslateBusAddress
		test	eax, eax
		js	short loc_87CBC7
		mov	al, byte ptr [ebp+var_2+1]
		mov	[ebx+1], al

loc_87CBBE:				; CODE XREF: IopGenericTranslateOrdering(x,x)+31j
					; IopGenericTranslateOrdering(x,x)+77j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	8
; 

loc_87CBC7:				; CODE XREF: IopGenericTranslateOrdering(x,x)+49j
					; IopGenericTranslateOrdering(x,x)+62j
		mov	byte ptr [ebx+1], 0
		jmp	short loc_87CBBE
_IopGenericTranslateOrdering@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopTranslateBusAddress proc near	; CODE XREF: IopGenericTranslateOrdering(x,x)+42p
					; IopGenericTranslateOrdering(x,x)+5Bp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008E564E SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	bl, cl
		push	esi
		cmp	bl, 3
		jz	short loc_87CC24
		cmp	bl, 7
		jz	short loc_87CC24
		cmp	bl, 1
		jnz	short loc_87CC40
		xor	esi, esi
		inc	esi

loc_87CBEA:				; CODE XREF: IopTranslateBusAddress+58j
		push	edx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], esi
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	0
		push	1
		call	ds:__imp__HalTranslateBusAddress@24 ; HalTranslateBusAddress(x,x,x,x,x,x)
		test	al, al
		jz	short loc_87CC39
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_87CC28
		cmp	eax, 1
		jnz	loc_8E564E

loc_87CC16:				; CODE XREF: IopTranslateBusAddress+68A9Ej
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	1

loc_87CC1C:				; CODE XREF: IopTranslateBusAddress+69j
					; IopTranslateBusAddress+7Fj
		xor	eax, eax

loc_87CC1E:				; CODE XREF: IopTranslateBusAddress+70j
					; IopTranslateBusAddress+77j
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_87CC24:				; CODE XREF: IopTranslateBusAddress+Dj
					; IopTranslateBusAddress+12j
		xor	esi, esi
		jmp	short loc_87CBEA
; 

loc_87CC28:				; CODE XREF: IopTranslateBusAddress+3Dj
					; IopTranslateBusAddress+68A83j ...
		test	esi, esi
		jnz	short loc_87CC31
		cmp	bl, 7
		jz	short loc_87CC47

loc_87CC31:				; CODE XREF: IopTranslateBusAddress+5Cj
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	3
		jmp	short loc_87CC1C
; 

loc_87CC39:				; CODE XREF: IopTranslateBusAddress+36j
		mov	eax, 0C0000001h
		jmp	short loc_87CC1E
; 

loc_87CC40:				; CODE XREF: IopTranslateBusAddress+17j
					; IopTranslateBusAddress+68AA4j
		mov	eax, 0C000000Dh
		jmp	short loc_87CC1E
; 

loc_87CC47:				; CODE XREF: IopTranslateBusAddress+61j
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	7
		jmp	short loc_87CC1C
IopTranslateBusAddress endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopIrqTranslateOrdering	proc near	; DATA XREF: IopIrqInitialize()+3o

var_8		= dword	ptr -8
var_2		= byte ptr -2
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E5677 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	edx, edx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, ebx
		push	8
		pop	ecx
		rep movsd
		cmp	byte ptr [ebx+1], 2
		mov	[ebp-1], dl
		mov	[ebp+var_8], edx
		jz	short loc_87CC7E

loc_87CC75:				; CODE XREF: IopIrqTranslateOrdering+5Dj
					; IopIrqTranslateOrdering+68A41j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	8
; 

loc_87CC7E:				; CODE XREF: IopIrqTranslateOrdering+23j
		mov	eax, [ebx+8]
		lea	ecx, [ebp+var_8]
		mov	esi, ds:__imp__HalGetInterruptVector@24	; HalGetInterruptVector(x,x,x,x,x,x)
		push	ecx
		lea	ecx, [ebp-1]
		push	ecx
		push	eax
		push	eax
		push	edx
		push	1
		call	esi
		cmp	[ebp+var_8], 0
		mov	edi, [ebp+arg_0]
		mov	[edi+8], eax
		jnz	loc_8E5677

loc_87CCA6:				; CODE XREF: IopIrqTranslateOrdering+68A47j
		push	8
		pop	ecx
		mov	esi, ebx
		rep movsd
		jmp	short loc_87CC75
IopIrqTranslateOrdering	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbAddOrdering	proc near		; CODE XREF: ArbBuildAssignmentOrdering+36Bp
					; ArbBuildAssignmentOrdering+3C1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E569C SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, ecx
		push	edi
		cmp	[ebp+arg_C], eax
		ja	short loc_87CCD4
		jb	loc_8E569C
		cmp	ebx, [ebp+arg_0]
		jb	loc_8E569C

loc_87CCD4:				; CODE XREF: ArbAddOrdering+13j
		movzx	eax, word ptr [esi]
		mov	ecx, eax
		cmp	ax, [esi+2]
		jz	short loc_87CD13

loc_87CCDF:				; CODE XREF: ArbAddOrdering+ADj
		mov	eax, [esi+4]
		mov	edx, [ebp+arg_0]
		movzx	ecx, cx
		add	ecx, ecx
		mov	[eax+ecx*8], edx
		mov	edx, [ebp+arg_4]
		mov	[eax+ecx*8+4], edx
		movzx	ecx, word ptr [esi]
		mov	eax, [esi+4]
		add	ecx, ecx
		mov	edx, [ebp+arg_C]
		mov	[eax+ecx*8+8], ebx
		mov	[eax+ecx*8+0Ch], edx
		inc	word ptr [esi]
		xor	eax, eax

loc_87CD0C:				; CODE XREF: ArbAddOrdering+B4j
					; ArbAddOrdering+689F1j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_87CD13:				; CODE XREF: ArbAddOrdering+2Dj
		push	4C627241h
		push	8
		pop	ecx
		add	eax, ecx
		shl	eax, 4
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_87CD5F
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_87CD50
		movzx	eax, word ptr [esi]
		shl	eax, 4
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_87CD50:				; CODE XREF: ArbAddOrdering+83j
		movzx	ecx, word ptr [esi]
		push	8
		pop	eax
		add	[esi+2], ax
		mov	[esi+4], edi
		jmp	short loc_87CCDF
; 

loc_87CD5F:				; CODE XREF: ArbAddOrdering+7Cj
		mov	eax, 0C000009Ah
		jmp	short loc_87CD0C
ArbAddOrdering	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbTestAllocation proc near		; DATA XREF: ArbInitializeArbiterInstance+F9o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E56A6 SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [ebx+8]
		test	eax, eax
		jnz	loc_8E56A6
		push	dword ptr [edi+14h]
		push	dword ptr [edi+18h]
		call	RtlCopyRangeList

loc_87CD8C:				; CODE XREF: ArbTestAllocation+6894Ej
		mov	esi, eax
		test	esi, esi
		js	loc_87CE74
		mov	esi, [ebx]
		xor	eax, eax
		xor	ecx, ecx
		mov	[ebp+arg_0], eax
		mov	[ebp+var_8], ecx
		mov	ebx, [esi]
		cmp	esi, ebx
		jz	short loc_87CE0C

loc_87CDA8:				; CODE XREF: ArbTestAllocation+A4j
		mov	esi, [ebp+arg_4]
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	dword ptr [esi+8], 0
		jnz	short loc_87CDC0
		mov	eax, [ebx+10h]
		cmp	ecx, eax
		jnz	loc_87CE5B

loc_87CDC0:				; CODE XREF: ArbTestAllocation+4Dj
					; ArbTestAllocation+109j
		and	dword ptr [ebx+1Ch], 0
		cmp	dword ptr [edi+48h], 0
		jz	short loc_87CDFC
		mov	eax, [ebx+8]
		mov	ecx, [ebx+0Ch]
		shl	eax, 5
		add	eax, ecx

loc_87CDD5:				; CODE XREF: ArbTestAllocation+94j
		mov	[ebp+var_4], ecx
		cmp	ecx, eax
		jnb	short loc_87CDFC
		push	ecx
		call	dword ptr [edi+48h]
		test	eax, eax
		js	loc_8E56B9
		add	[ebx+1Ch], eax
		mov	eax, [ebx+8]
		mov	ecx, [ebp+var_4]
		shl	eax, 5
		add	ecx, 20h
		add	eax, [ebx+0Ch]
		jmp	short loc_87CDD5
; 

loc_87CDFC:				; CODE XREF: ArbTestAllocation+62j
					; ArbTestAllocation+74j
		mov	ebx, [ebx]
		mov	esi, [esi]
		cmp	esi, ebx
		jz	short loc_87CE0C
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_8]
		jmp	short loc_87CDA8
; 

loc_87CE0C:				; CODE XREF: ArbTestAllocation+40j
					; ArbTestAllocation+9Cj ...
		mov	edx, [esi]
		mov	cl, 1
		cmp	edx, esi
		jz	short loc_87CE30

loc_87CE14:				; CODE XREF: ArbTestAllocation+C4j
		mov	ebx, [edx]
		cmp	ebx, esi
		jz	short loc_87CE2C
		mov	eax, [edx+1Ch]
		cmp	eax, [ebx+1Ch]
		jg	loc_8E56C3

loc_87CE26:				; CODE XREF: ArbTestAllocation+68975j
		mov	edx, ebx
		cmp	ebx, esi
		jnz	short loc_87CE14

loc_87CE2C:				; CODE XREF: ArbTestAllocation+B2j
		test	cl, cl
		jz	short loc_87CE0C

loc_87CE30:				; CODE XREF: ArbTestAllocation+ACj
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	[ebp+arg_0]
		mov	edx, [edx]
		call	ArbpBuildAllocationStack
		mov	esi, eax
		test	esi, esi
		js	short loc_87CE74
		push	dword ptr [edi+38h]
		push	edi
		call	dword ptr [edi+74h]
		mov	esi, eax
		test	esi, esi
		js	short loc_87CE74

loc_87CE52:				; CODE XREF: ArbTestAllocation+116j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_87CE5B:				; CODE XREF: ArbTestAllocation+54j
		push	eax
		push	edi
		mov	[ebp+var_8], eax
		call	dword ptr [edi+90h]
		mov	esi, eax
		test	esi, esi
		js	short loc_87CE74
		mov	esi, [ebp+arg_4]
		jmp	loc_87CDC0
; 

loc_87CE74:				; CODE XREF: ArbTestAllocation+2Aj
					; ArbTestAllocation+DDj ...
		push	dword ptr [edi+18h]
		call	_RtlFreeRangeList@4 ; RtlFreeRangeList(x)
		jmp	short loc_87CE52
ArbTestAllocation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGenericScoreRequirement proc	near	; DATA XREF: IopMemInitialize()+35o
					; IopPortInitialize()+51o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E56E0 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_1C]
		xor	esi, esi
		push	eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_1C], esi
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_18], esi
		push	eax
		push	[ebp+arg_0]
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		call	RtlIoDecodeMemIoResource
		mov	edi, [ebp+var_C]
		mov	ecx, edi
		mov	ebx, [ebp+var_8]
		or	ecx, ebx
		mov	[ebp+arg_0], eax
		mov	[ebp+var_4], edx
		jz	loc_8E56E0

loc_87CEC7:				; CODE XREF: IopGenericScoreRequirement+68867j
		mov	edx, [ebp+var_14]
		mov	ecx, edi
		mov	esi, [ebp+var_10]
		add	edx, edi
		mov	eax, ebx
		adc	esi, ebx
		add	edx, 0FFFFFFFFh
		push	ebx
		adc	esi, 0FFFFFFFFh
		add	ecx, 0FFFFFFFFh
		not	ecx
		adc	eax, 0FFFFFFFFh
		and	edx, ecx
		mov	ecx, [ebp+var_1C]
		not	eax
		and	esi, eax
		sub	ecx, edx
		mov	eax, [ebp+var_18]
		sbb	eax, esi
		sub	ecx, [ebp+arg_0]
		push	edi
		sbb	eax, [ebp+var_4]
		add	ecx, 1
		adc	eax, 0
		push	eax
		push	ecx
		call	__aulldiv
		add	eax, 1
		pop	edi
		adc	edx, 0
		pop	esi
		pop	ebx
		test	edx, edx
		jg	short loc_87CF1F
		jl	short loc_87CF2E
		test	eax, eax
		jb	short loc_87CF2E
		test	edx, edx
		jl	short locret_87CF2A

loc_87CF1F:				; CODE XREF: IopGenericScoreRequirement+95j
		mov	ecx, 7FFFFFFFh
		jg	short loc_87CF33
		cmp	eax, ecx
		ja	short loc_87CF33

locret_87CF2A:				; CODE XREF: IopGenericScoreRequirement+9Fj
					; IopGenericScoreRequirement+B3j ...
		leave
		retn	4
; 

loc_87CF2E:				; CODE XREF: IopGenericScoreRequirement+97j
					; IopGenericScoreRequirement+9Bj
		or	eax, 0FFFFFFFFh
		jmp	short locret_87CF2A
; 

loc_87CF33:				; CODE XREF: IopGenericScoreRequirement+A6j
					; IopGenericScoreRequirement+AAj
		mov	eax, ecx
		jmp	short locret_87CF2A
IopGenericScoreRequirement endp

; 
		align 4
		dd 0CCCCCCCCh
; 
; Exported entry 2037. RtlDeleteRange

		public RtlDeleteRange
RtlDeleteRange:				; CODE XREF: ArbBacktrackAllocation(x,x)+1Fp
					; IopPortBacktrackAllocation(x,x)+5Fp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+8]
		mov	edx, 0C000028Ch
		mov	eax, [esi]
		mov	ebx, [eax]
		lea	ecx, [eax-1Ch]
		sub	ebx, 1Ch
		cmp	esi, eax
		jz	short loc_87CFD0
		push	edi

loc_87CF5B:				; CODE XREF: PAGE:0087CF8Cj
		mov	edi, [ecx+4]
		mov	eax, [ecx]
		cmp	[ebp+18h], edi
		ja	short loc_87CF6C
		jb	short loc_87CFCF
		cmp	[ebp+14h], eax
		jb	short loc_87CFCF

loc_87CF6C:				; CODE XREF: PAGE:0087CF63j
		test	byte ptr [ecx+1Ah], 1
		jnz	loc_8E56EA
		cmp	eax, [ebp+0Ch]
		jnz	short loc_87CF80
		cmp	edi, [ebp+10h]
		jz	short loc_87CF90

loc_87CF80:				; CODE XREF: PAGE:0087CF79j
					; PAGE:0087CF96j ...
		lea	eax, [ebx+1Ch]
		mov	ecx, ebx
		mov	ebx, [eax]
		sub	ebx, 1Ch
		cmp	esi, eax
		jnz	short loc_87CF5B
		jmp	short loc_87CFCF
; 

loc_87CF90:				; CODE XREF: PAGE:0087CF7Ej
		mov	eax, [ecx+8]
		cmp	eax, [ebp+14h]
		jnz	short loc_87CF80
		mov	eax, [ecx+0Ch]
		cmp	eax, [ebp+18h]
		jnz	short loc_87CF80
		mov	eax, [ebp+1Ch]
		cmp	[ecx+14h], eax
		jnz	short loc_87CF80
		lea	eax, [ecx+1Ch]
		mov	edi, [eax]
		cmp	[edi+4], eax
		jnz	short loc_87CFD8
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_87CFD8
		mov	[edx], edi
		mov	[edi+4], edx
		call	_RtlpFreeRangeListEntry@4 ; RtlpFreeRangeListEntry(x)
		xor	edx, edx

loc_87CFC5:				; CODE XREF: PAGE:008E575Aj
		test	edx, edx
		js	short loc_87CFCF
		dec	dword ptr [esi+0Ch]
		inc	dword ptr [esi+10h]

loc_87CFCF:				; CODE XREF: PAGE:0087CF65j
					; PAGE:0087CF6Aj ...
		pop	edi

loc_87CFD0:				; CODE XREF: PAGE:0087CF58j
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	18h
; 

loc_87CFD8:				; CODE XREF: PAGE:0087CFB0j
					; PAGE:0087CFB7j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 2189. RtlInvertRangeListEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInvertRangeListEx(x, x, x, x, x)
		public _RtlInvertRangeListEx@20
_RtlInvertRangeListEx@20 proc near	; CODE XREF: RtlInvertRangeList(x,x)+10p
					; ArbInitializeRangeList(x,x,x,x)+B3p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		or	esi, 0FFFFFFFFh
		mov	ecx, eax
		mov	edx, eax
		cmp	[edi+0Ch], eax
		jz	loc_87D089
		mov	eax, [edi]
		push	ebx

loc_87D002:				; CODE XREF: RtlInvertRangeListEx(x,x,x,x,x)+4Bj
		lea	ebx, [eax-1Ch]
		cmp	edi, eax
		jz	short loc_87D053
		mov	edi, [ebx+4]
		cmp	edi, edx
		mov	eax, [ebx]
		mov	[ebp+var_4], edi
		mov	edi, [ebp+arg_4]
		jb	short loc_87D01E
		ja	short loc_87D02F
		cmp	eax, ecx
		ja	short loc_87D02F

loc_87D01E:				; CODE XREF: RtlInvertRangeListEx(x,x,x,x,x)+34j
					; RtlInvertRangeListEx(x,x,x,x,x)+6Dj
		mov	ecx, [ebx+8]
		mov	edx, [ebx+0Ch]
		add	ecx, 1
		mov	eax, [ebx+1Ch]
		adc	edx, 0
		jmp	short loc_87D002
; 

loc_87D02F:				; CODE XREF: RtlInvertRangeListEx(x,x,x,x,x)+36j
					; RtlInvertRangeListEx(x,x,x,x,x)+3Aj
		push	[ebp+arg_10]
		add	eax, esi
		push	[ebp+arg_C]
		adc	[ebp+var_4], esi
		push	0
		push	[ebp+arg_8]
		push	[ebp+var_4]
		push	eax
		push	edx
		push	ecx
		push	[ebp+arg_0]
		call	_RtlAddRange@36	; RtlAddRange(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_87D01E
		jmp	short loc_87D082
; 

loc_87D053:				; CODE XREF: RtlInvertRangeListEx(x,x,x,x,x)+25j
		mov	edi, ecx
		mov	eax, edx
		add	edi, esi
		adc	eax, esi
		cmp	edx, eax
		ja	short loc_87D065
		jb	short loc_87D080
		cmp	ecx, edi
		jbe	short loc_87D080

loc_87D065:				; CODE XREF: RtlInvertRangeListEx(x,x,x,x,x)+7Bj
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	0
		push	[ebp+arg_8]
		push	esi
		push	esi
		push	edx
		push	ecx
		push	[ebp+arg_0]
		call	_RtlAddRange@36	; RtlAddRange(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_87D082

loc_87D080:				; CODE XREF: RtlInvertRangeListEx(x,x,x,x,x)+7Dj
					; RtlInvertRangeListEx(x,x,x,x,x)+81j
		xor	eax, eax

loc_87D082:				; CODE XREF: RtlInvertRangeListEx(x,x,x,x,x)+6Fj
					; RtlInvertRangeListEx(x,x,x,x,x)+9Cj
		pop	ebx

loc_87D083:				; CODE XREF: RtlInvertRangeListEx(x,x,x,x,x)+BDj
		pop	edi
		pop	esi
		leave
		retn	14h
; 

loc_87D089:				; CODE XREF: RtlInvertRangeListEx(x,x,x,x,x)+17j
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		push	esi
		push	esi
		push	eax
		push	eax
		push	[ebp+arg_0]
		call	_RtlAddRange@36	; RtlAddRange(x,x,x,x,x,x,x,x,x)
		jmp	short loc_87D083
_RtlInvertRangeListEx@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2036. RtlDeleteOwnersRanges

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDeleteOwnersRanges(x, x)
		public _RtlDeleteOwnersRanges@8
_RtlDeleteOwnersRanges@8 proc near	; CODE XREF: ArbDeleteOwnerRanges(x,x)+Ep
					; ArbQueryConflict(x,x)+1D3p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi

loc_87D0B7:				; CODE XREF: RtlDeleteOwnersRanges(x,x)+82j
		mov	eax, [esi]
		mov	edi, [eax]
		lea	edx, [eax-1Ch]

loc_87D0BE:				; CODE XREF: RtlDeleteOwnersRanges(x,x)+39j
		lea	eax, [edx+1Ch]
		sub	edi, 1Ch
		cmp	esi, eax
		jz	loc_87D14E
		test	byte ptr [edx+1Ah], 1
		jnz	short loc_87D0E1
		mov	ecx, [ebp+arg_4]
		cmp	[edx+14h], ecx
		jz	short loc_87D12A

loc_87D0DA:				; CODE XREF: RtlDeleteOwnersRanges(x,x)+53j
					; RtlDeleteOwnersRanges(x,x)+A6j
		mov	edx, edi
		mov	edi, [edi+1Ch]
		jmp	short loc_87D0BE
; 

loc_87D0E1:				; CODE XREF: RtlDeleteOwnersRanges(x,x)+2Aj
		mov	eax, [edx+10h]
		lea	ecx, [eax-1Ch]
		mov	[esp+10h+var_4], ecx
		mov	ecx, [eax]
		mov	eax, [esp+10h+var_4]

loc_87D0F1:				; CODE XREF: RtlDeleteOwnersRanges(x,x)+6Dj
		add	eax, 0Ch
		sub	ecx, 1Ch
		cmp	edx, eax
		jz	short loc_87D0DA
		mov	eax, [esp+10h+var_4]
		mov	esi, [ebp+arg_4]
		cmp	[eax+14h], esi
		mov	esi, [ebp+arg_0]
		jz	short loc_87D115
		mov	[esp+10h+var_4], ecx
		mov	eax, ecx
		mov	ecx, [ecx+1Ch]
		jmp	short loc_87D0F1
; 

loc_87D115:				; CODE XREF: RtlDeleteOwnersRanges(x,x)+62j
		mov	ecx, eax
		call	RtlpDeleteFromMergedRange
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_87D14E
		dec	dword ptr [esi+0Ch]
		inc	dword ptr [esi+10h]
		jmp	short loc_87D0B7
; 

loc_87D12A:				; CODE XREF: RtlDeleteOwnersRanges(x,x)+32j
		mov	ebx, [eax]
		cmp	[ebx+4], eax
		jnz	short loc_87D159
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_87D159
		mov	[ecx], ebx
		mov	[ebx+4], ecx
		mov	ecx, edx
		call	_RtlpFreeRangeListEntry@4 ; RtlpFreeRangeListEntry(x)
		dec	dword ptr [esi+0Ch]
		inc	dword ptr [esi+10h]
		xor	ebx, ebx
		jmp	short loc_87D0DA
; 

loc_87D14E:				; CODE XREF: RtlDeleteOwnersRanges(x,x)+20j
					; RtlDeleteOwnersRanges(x,x)+7Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_87D159:				; CODE XREF: RtlDeleteOwnersRanges(x,x)+89j
					; RtlDeleteOwnersRanges(x,x)+90j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_RtlDeleteOwnersRanges@8 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbAllocateEntry proc near		; DATA XREF: ArbInitializeArbiterInstance+141o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E577E SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	bl, bl
		push	edi
		mov	[ebp+var_1], bl
		mov	[ebp+var_2], bl
		call	KeQueryInterruptTime
		mov	edi, [ebp+arg_0]
		add	eax, (offset loc_98967E+2)
		mov	ecx, edx
		mov	[ebp+var_C], eax
		adc	ecx, 0
		mov	[ebp+var_8], ecx
		mov	ecx, esi

loc_87D18E:				; CODE XREF: ArbAllocateEntry+85j
					; ArbAllocateEntry+A7j
		cmp	esi, ecx
		jb	loc_87D271
		cmp	dword ptr [esi+20h], 0
		jz	loc_87D271
		push	esi
		push	edi
		call	dword ptr [edi+70h]
		test	eax, eax
		js	loc_87D2C2
		test	bl, bl
		jnz	short loc_87D207

loc_87D1B1:				; CODE XREF: ArbAllocateEntry+63j
					; ArbAllocateEntry+E6j	...
		push	esi
		push	edi
		call	dword ptr [edi+78h]
		test	al, al
		jz	short loc_87D1E5

loc_87D1BA:				; CODE XREF: ArbAllocateEntry+68650j
		push	esi
		push	edi
		call	dword ptr [edi+7Ch]
		test	al, al
		jz	short loc_87D1B1
		mov	ecx, [esi+24h]
		mov	eax, [ecx+10h]
		or	eax, [ecx+14h]
		jz	loc_8E57B3
		push	esi
		push	edi
		call	dword ptr [edi+80h]

loc_87D1DA:				; CODE XREF: ArbAllocateEntry+6865Fj
		mov	ecx, [ebp+arg_4]
		add	esi, 38h
		mov	bl, [ebp+var_1]
		jmp	short loc_87D18E
; 

loc_87D1E5:				; CODE XREF: ArbAllocateEntry+5Aj
					; ArbAllocateEntry+BAj	...
		test	byte ptr [esi+30h], 20h
		jnz	loc_8E57C2
		mov	al, [ebp+var_2]

loc_87D1F2:				; CODE XREF: ArbAllocateEntry+68669j
		mov	ecx, [ebp+arg_4]
		cmp	esi, ecx
		jz	loc_87D2C9
		mov	bl, 1
		sub	esi, 38h
		mov	[ebp+var_1], bl
		jmp	short loc_87D18E
; 

loc_87D207:				; CODE XREF: ArbAllocateEntry+51j
		mov	ecx, [esi+24h]
		and	dword ptr [esi+5Ch], 0
		mov	[ebp+var_1], 0
		mov	eax, [ecx+10h]
		or	eax, [ecx+14h]
		jz	short loc_87D1E5
		push	esi
		push	edi
		call	dword ptr [edi+84h]
		movzx	eax, word ptr [esi+30h]
		test	al, 40h
		jnz	loc_8E577E
		mov	edx, [esi]
		mov	ebx, edx
		mov	eax, [esi+4]
		add	ebx, 0FFFFFFFFh
		mov	ecx, eax
		adc	ecx, 0FFFFFFFFh
		mov	[ebp+arg_0], ecx
		cmp	ecx, eax
		jb	short loc_87D252
		ja	loc_87D1B1
		cmp	ebx, edx
		ja	loc_87D1B1

loc_87D252:				; CODE XREF: ArbAllocateEntry+E4j
		mov	eax, [esi+24h]
		cmp	ecx, [eax+4]
		jb	loc_87D1B1
		ja	loc_8E578C
		cmp	ebx, [eax]
		jb	loc_87D1B1
		jmp	loc_8E578C
; 

loc_87D271:				; CODE XREF: ArbAllocateEntry+32j
					; ArbAllocateEntry+3Cj
		lea	esi, [ecx+20h]
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_87D2A3

loc_87D27A:				; CODE XREF: ArbAllocateEntry+140j
		push	dword ptr [eax+2Ch]
		mov	eax, [esi+4]
		push	dword ptr [esi-1Ch]
		push	dword ptr [esi-20h]
		push	dword ptr [eax+28h]
		call	dword ptr [edi+40h]
		mov	eax, [esi+4]
		mov	ecx, [esi]
		lea	esi, [esi+38h]
		mov	eax, [eax+28h]
		mov	[ecx+30h], eax
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_87D27A
		mov	ecx, [ebp+arg_4]

loc_87D2A3:				; CODE XREF: ArbAllocateEntry+11Aj
		xor	ebx, ebx

loc_87D2A5:				; CODE XREF: ArbAllocateEntry+17Fj
		cmp	dword ptr [ecx+20h], 0
		jz	short loc_87D2C0
		lea	esi, [ecx+30h]

loc_87D2AE:				; CODE XREF: ArbAllocateEntry+160j
		test	byte ptr [esi],	10h
		jnz	loc_8E57CC

loc_87D2B7:				; CODE XREF: ArbAllocateEntry+68684j
		add	esi, 38h
		cmp	dword ptr [esi-10h], 0
		jnz	short loc_87D2AE

loc_87D2C0:				; CODE XREF: ArbAllocateEntry+14Bj
		mov	eax, ebx

loc_87D2C2:				; CODE XREF: ArbAllocateEntry+49j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_87D2C9:				; CODE XREF: ArbAllocateEntry+99j
		xor	ebx, ebx
		test	al, al
		setnz	bl
		dec	ebx
		and	ebx, 0FFFFF6F9h
		add	ebx, 0C0000908h
		jmp	short loc_87D2A5
ArbAllocateEntry endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbGetNextAllocationRange proc near	; DATA XREF: ArbInitializeArbiterInstance+14Do

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E57E7 SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, [edi+24h]

loc_87D2F1:				; CODE XREF: ArbGetNextAllocationRange+68530j
					; ArbGetNextAllocationRange+68549j
		test	esi, esi
		jnz	loc_87D4AA
		mov	esi, [edi+2Ch]
		mov	ebx, esi

loc_87D2FE:				; CODE XREF: ArbGetNextAllocationRange+1C5j
		mov	edx, [edi+28h]
		imul	eax, edx, 38h
		add	eax, esi
		cmp	ebx, eax
		jb	loc_87D491
		mov	ebx, [ebp+arg_0]

loc_87D311:				; CODE XREF: ArbGetNextAllocationRange+1DCj
		imul	edx, 38h
		lea	ecx, [esi+38h]
		add	edx, esi

loc_87D319:				; CODE XREF: ArbGetNextAllocationRange+68514j
		cmp	ecx, edx
		jb	loc_8E57E7
		mov	eax, [esi+20h]
		cmp	eax, 7FFFFFFFh
		jz	loc_87D4C1
		cmp	eax, 7FFFFFFDh
		jz	loc_87D4CB
		cmp	eax, 7FFFFFFEh
		jz	loc_87D4CB
		test	eax, eax
		jg	loc_87D4C5
		not	eax

loc_87D34F:				; CODE XREF: ArbGetNextAllocationRange+1E6j
		mov	ecx, [esi+4]
		shl	eax, 4
		add	eax, [ebx+20h]
		mov	ebx, [esi]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_1C], ebx
		mov	ecx, [eax+4]
		mov	edx, [eax]
		mov	[ebp+arg_4], ecx
		cmp	[ebp+var_C], ecx
		ja	short loc_87D373
		jb	short loc_87D37B
		cmp	ebx, edx
		jbe	short loc_87D37B

loc_87D373:				; CODE XREF: ArbGetNextAllocationRange+8Bj
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		mov	[ebp+arg_4], ecx

loc_87D37B:				; CODE XREF: ArbGetNextAllocationRange+8Dj
					; ArbGetNextAllocationRange+91j
		mov	ecx, [esi+8]
		mov	ebx, [eax+8]
		mov	[ebp+var_10], ecx
		mov	ecx, [esi+0Ch]
		mov	[ebp+var_14], ecx
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_4], ecx
		cmp	[ebp+var_14], ecx
		ja	short loc_87D3A6
		mov	eax, [ebp+var_10]
		jb	short loc_87D39E
		cmp	eax, ebx
		jnb	short loc_87D3A6

loc_87D39E:				; CODE XREF: ArbGetNextAllocationRange+B8j
		mov	ebx, eax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_4], eax

loc_87D3A6:				; CODE XREF: ArbGetNextAllocationRange+B3j
					; ArbGetNextAllocationRange+BCj ...
		mov	eax, [esi+10h]
		mov	ecx, [esi+14h]
		mov	[ebp+var_18], eax
		or	eax, ecx
		mov	[ebp+var_8], ecx
		jz	loc_8E57F9
		mov	eax, [esi+18h]
		mov	ecx, [esi+1Ch]
		mov	[ebp+var_14], ecx
		mov	ecx, eax
		push	[ebp+var_14]
		add	ecx, 0FFFFFFFFh
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_14]
		push	[ebp+var_1C]
		adc	eax, 0FFFFFFFFh
		add	edx, ecx
		mov	ecx, [ebp+arg_4]
		adc	ecx, eax
		mov	[ebp+var_10], edx
		push	ecx
		push	edx
		mov	[ebp+arg_4], ecx
		call	__aullrem
		mov	ecx, [ebp+var_10]
		sub	ecx, eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_10], ecx
		sbb	eax, edx
		mov	edx, ebx
		sub	edx, ecx
		mov	[ebp+arg_4], eax
		mov	[ebp+var_20], edx
		mov	edx, [ebp+var_4]
		mov	ecx, edx
		sbb	ecx, eax
		mov	eax, [ebp+var_18]
		add	eax, 0FFFFFFFFh
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]
		adc	eax, 0FFFFFFFFh
		cmp	eax, ecx
		jb	short loc_87D42E
		ja	loc_8E580D
		mov	eax, [ebp+var_C]
		cmp	eax, [ebp+var_20]
		ja	loc_8E580D

loc_87D42E:				; CODE XREF: ArbGetNextAllocationRange+13Aj
		xor	ecx, ecx
		push	0
		inc	ecx
		sub	ecx, [ebp+var_18]
		pop	eax
		push	[ebp+var_14]
		sbb	eax, [ebp+var_8]
		add	ebx, ecx
		push	[ebp+var_1C]
		adc	edx, eax
		push	edx
		push	ebx
		mov	[ebp+var_4], edx
		call	__aullrem
		mov	ecx, [ebp+var_18]
		sub	ecx, eax
		mov	eax, [ebp+var_8]
		sbb	eax, edx
		mov	edx, [ebp+arg_4]
		add	ecx, 0FFFFFFFFh
		adc	eax, 0FFFFFFFFh
		add	ebx, ecx
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_4]
		adc	eax, [ebp+var_8]

loc_87D46F:				; CODE XREF: ArbGetNextAllocationRange+68528j
		cmp	ecx, [edi+10h]
		jnz	short loc_87D479
		cmp	edx, [edi+14h]
		jz	short loc_87D4ED

loc_87D479:				; CODE XREF: ArbGetNextAllocationRange+192j
					; ArbGetNextAllocationRange+210j ...
		mov	[edi+1Ch], eax
		mov	al, 1
		mov	[edi+10h], ecx
		mov	[edi+14h], edx
		mov	[edi+18h], ebx
		mov	[edi+24h], esi

loc_87D48A:				; CODE XREF: ArbGetNextAllocationRange+1E3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_87D491:				; CODE XREF: ArbGetNextAllocationRange+28j
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		and	dword ptr [ebx+20h], 0
		call	ArbpUpdatePriority
		mov	esi, [edi+2Ch]
		add	ebx, 38h
		jmp	loc_87D2FE
; 

loc_87D4AA:				; CODE XREF: ArbGetNextAllocationRange+13j
		mov	ebx, [ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		call	ArbpUpdatePriority
		mov	esi, [edi+2Ch]
		mov	edx, [edi+28h]
		jmp	loc_87D311
; 

loc_87D4C1:				; CODE XREF: ArbGetNextAllocationRange+49j
		xor	al, al
		jmp	short loc_87D48A
; 

loc_87D4C5:				; CODE XREF: ArbGetNextAllocationRange+67j
		dec	eax
		jmp	loc_87D34F
; 

loc_87D4CB:				; CODE XREF: ArbGetNextAllocationRange+54j
					; ArbGetNextAllocationRange+5Fj
		mov	eax, [esi+4]
		mov	ecx, [esi+0Ch]
		mov	edx, [esi]
		mov	ebx, [esi+8]
		mov	[ebp+arg_4], eax
		mov	[ebp+var_4], ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], ecx
		jmp	loc_87D3A6
; 

loc_87D4ED:				; CODE XREF: ArbGetNextAllocationRange+197j
		cmp	ebx, [edi+18h]
		jnz	short loc_87D479
		cmp	eax, [edi+1Ch]
		jnz	short loc_87D479
		jmp	loc_8E5815
ArbGetNextAllocationRange endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbpUpdatePriority proc	near		; CODE XREF: ArbGetNextAllocationRange+1BAp
					; ArbGetNextAllocationRange+1D1p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 008E582E SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_20], edx
		mov	ecx, [edx+20h]
		cmp	ecx, 7FFFFFFEh
		jz	loc_87D654
		cmp	ecx, 7FFFFFFDh
		jz	loc_87D654
		mov	eax, [edx+28h]
		mov	al, [eax]
		and	al, 1
		mov	[ebp+var_1], al
		test	ecx, ecx
		jnz	loc_87D64A
		mov	esi, [edi+20h]
		mov	ecx, esi

loc_87D53E:				; CODE XREF: ArbpUpdatePriority+68344j
		movzx	edi, word ptr [edi+1Ch]
		mov	eax, esi
		shl	edi, 4
		add	edi, eax
		mov	[ebp+var_14], edi
		cmp	ecx, edi
		jnb	short loc_87D59A
		mov	eax, [edx]
		mov	[ebp+var_C], eax
		mov	eax, [edx+4]
		mov	[ebp+var_10], eax

loc_87D55B:				; CODE XREF: ArbpUpdatePriority+9Cj
		mov	eax, [ecx+4]
		mov	ebx, [ecx]
		mov	edi, [ebp+var_14]
		mov	[ebp+var_8], eax
		cmp	[ebp+var_10], eax
		ja	short loc_87D572
		jb	short loc_87D5AF
		cmp	[ebp+var_C], ebx
		jb	short loc_87D5AF

loc_87D572:				; CODE XREF: ArbpUpdatePriority+6Dj
					; ArbpUpdatePriority+C5j
		cmp	eax, [ebp+var_10]
		ja	short loc_87D5C3
		jb	short loc_87D57E
		cmp	ebx, [ebp+var_C]
		jnb	short loc_87D5C3

loc_87D57E:				; CODE XREF: ArbpUpdatePriority+7Bj
		mov	eax, [ecx+0Ch]
		mov	edi, [ebp+var_14]
		cmp	eax, [ebp+var_10]
		jb	short loc_87D593
		ja	short loc_87D5C3
		mov	eax, [ecx+8]
		cmp	eax, [ebp+var_C]
		jnb	short loc_87D5C3

loc_87D593:				; CODE XREF: ArbpUpdatePriority+8Bj
					; ArbpUpdatePriority+B9j ...
		add	ecx, 10h
		cmp	ecx, edi
		jb	short loc_87D55B

loc_87D59A:				; CODE XREF: ArbpUpdatePriority+52j
		xor	eax, eax
		cmp	[ebp+var_1], al
		setz	al
		add	eax, 7FFFFFFDh
		mov	[edx+20h], eax
		jmp	loc_87D63A
; 

loc_87D5AF:				; CODE XREF: ArbpUpdatePriority+6Fj
					; ArbpUpdatePriority+74j
		mov	eax, [edx+0Ch]
		cmp	eax, [ebp+var_8]
		jb	short loc_87D593
		ja	short loc_87D5BE
		cmp	[edx+8], ebx
		jb	short loc_87D593

loc_87D5BE:				; CODE XREF: ArbpUpdatePriority+BBj
		mov	eax, [ebp+var_8]
		jmp	short loc_87D572
; 

loc_87D5C3:				; CODE XREF: ArbpUpdatePriority+79j
					; ArbpUpdatePriority+80j ...
		mov	edi, [edx+0Ch]
		mov	eax, [edx+8]
		mov	edx, [ecx+8]
		mov	[ebp+var_18], edx
		mov	edx, [ecx+0Ch]
		cmp	edi, edx
		mov	[ebp+var_24], edx
		mov	edx, [ebp+var_20]
		mov	[ebp+var_1C], edi
		ja	short loc_87D63F
		jb	short loc_87D5E6
		cmp	eax, [ebp+var_18]
		jnb	short loc_87D63F

loc_87D5E6:				; CODE XREF: ArbpUpdatePriority+E3j
					; ArbpUpdatePriority+14Cj
		mov	edi, [ebp+var_10]
		cmp	edi, [ebp+var_8]
		mov	edi, [ebp+var_14]
		jb	short loc_87D604
		ja	short loc_87D5F8
		cmp	[ebp+var_C], ebx
		jbe	short loc_87D604

loc_87D5F8:				; CODE XREF: ArbpUpdatePriority+F5j
		mov	edi, [ebp+var_10]
		mov	ebx, [ebp+var_C]
		mov	[ebp+var_8], edi
		mov	edi, [ebp+var_14]

loc_87D604:				; CODE XREF: ArbpUpdatePriority+F3j
					; ArbpUpdatePriority+FAj
		sub	eax, ebx
		mov	ebx, [ebp+var_1C]
		sbb	ebx, [ebp+var_8]
		add	eax, 1
		adc	ebx, 0
		cmp	ebx, [edx+14h]
		ja	short loc_87D626
		jb	loc_87D593
		cmp	eax, [edx+10h]
		jb	loc_87D593

loc_87D626:				; CODE XREF: ArbpUpdatePriority+119j
		sub	ecx, esi
		sar	ecx, 4
		inc	ecx
		cmp	[ebp+var_1], 0
		mov	[edx+20h], ecx
		jz	short loc_87D63A
		neg	ecx
		mov	[edx+20h], ecx

loc_87D63A:				; CODE XREF: ArbpUpdatePriority+AEj
					; ArbpUpdatePriority+137j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_87D63F:				; CODE XREF: ArbpUpdatePriority+E1j
					; ArbpUpdatePriority+E8j
		mov	edi, [ebp+var_24]
		mov	eax, [ebp+var_18]
		mov	[ebp+var_1C], edi
		jmp	short loc_87D5E6
; 

loc_87D64A:				; CODE XREF: ArbpUpdatePriority+37j
		test	byte ptr [edx+24h], 2
		jz	loc_8E582E

loc_87D654:				; CODE XREF: ArbpUpdatePriority+19j
					; ArbpUpdatePriority+25j
		mov	dword ptr [edx+20h], 7FFFFFFFh
		jmp	short loc_87D63A
ArbpUpdatePriority endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbpBuildAllocationStack proc near	; CODE XREF: ArbTestAllocation+D4p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E5845 SIZE 00000006 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	esi
		push	edi
		mov	edi, [ebx]
		xor	esi, esi
		inc	ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_4], edx
		cmp	ebx, edi
		jz	short loc_87D69C

loc_87D682:				; CODE XREF: ArbpBuildAllocationStack+39j
		mov	eax, [edi+8]
		test	eax, eax
		jz	loc_8E5845
		imul	eax, 38h
		add	esi, eax
		inc	edx

loc_87D693:				; CODE XREF: ArbpBuildAllocationStack+681E8j
		mov	edi, [edi]
		cmp	ebx, edi
		jnz	short loc_87D682
		mov	[ebp+var_4], edx

loc_87D69C:				; CODE XREF: ArbpBuildAllocationStack+22j
		mov	edi, [ebp+var_8]
		imul	eax, ecx, 38h
		add	esi, eax
		mov	[ebp+var_C], eax
		cmp	[edi+34h], esi
		jb	loc_87D744

loc_87D6B0:				; CODE XREF: ArbpBuildAllocationStack+110j
		push	esi		; size_t
		push	0		; int
		push	dword ptr [edi+38h] ; void *
		call	_memset
		mov	eax, [ebp+var_C]
		xor	ecx, ecx
		mov	edi, [edi+38h]
		add	esp, 0Ch
		mov	esi, [ebx]
		add	eax, edi
		cmp	ecx, [ebp+var_4]
		sbb	ecx, ecx
		and	ecx, eax
		mov	[ebp+arg_0], ecx
		jmp	short loc_87D6DE
; 

loc_87D6D6:				; CODE XREF: ArbpBuildAllocationStack+ADj
		mov	ebx, [ebp+var_10]
		add	edi, 38h

loc_87D6DC:				; CODE XREF: ArbpBuildAllocationStack+88j
		mov	esi, [esi]

loc_87D6DE:				; CODE XREF: ArbpBuildAllocationStack+76j
		cmp	ebx, esi
		jz	short loc_87D737
		cmp	dword ptr [esi+8], 0
		jz	short loc_87D6DC
		mov	[edi+20h], esi
		mov	eax, [esi+8]
		and	dword ptr [edi+4], 0
		mov	[edi+28h], eax
		mov	[edi+2Ch], ecx
		mov	dword ptr [edi], 1
		mov	eax, [esi+8]
		mov	ebx, [esi+0Ch]
		shl	eax, 5
		add	eax, ebx

loc_87D709:				; CODE XREF: ArbpBuildAllocationStack+D7j
		cmp	ebx, eax
		jnb	short loc_87D6D6
		push	ecx
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	_ArbpBuildAlternative@12 ; ArbpBuildAlternative(x,x,x)
		test	eax, eax
		js	short loc_87D73D
		mov	ecx, [ebp+arg_0]
		add	ebx, 20h
		and	dword ptr [ecx+20h], 0
		add	ecx, 38h
		mov	eax, [esi+8]
		shl	eax, 5
		add	eax, [esi+0Ch]
		mov	[ebp+arg_0], ecx
		jmp	short loc_87D709
; 

loc_87D737:				; CODE XREF: ArbpBuildAllocationStack+82j
		and	dword ptr [edi+20h], 0
		xor	eax, eax

loc_87D73D:				; CODE XREF: ArbpBuildAllocationStack+BCj
					; ArbpBuildAllocationStack+11Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_87D744:				; CODE XREF: ArbpBuildAllocationStack+4Cj
		push	41627241h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_87D773
		push	41627241h
		push	dword ptr [edi+38h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_0]
		mov	[edi+38h], eax
		mov	[edi+34h], esi
		jmp	loc_87D6B0
; 

loc_87D773:				; CODE XREF: ArbpBuildAllocationStack+F8j
		mov	eax, 0C000009Ah
		jmp	short loc_87D73D
ArbpBuildAllocationStack endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbBootAllocation proc near		; DATA XREF: ArbInitializeArbiterInstance+19Bo

var_9C		= dword	ptr -9Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= word ptr -68h
var_64		= dword	ptr -64h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= word ptr -48h
var_46		= byte ptr -46h
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E584B SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+84h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		lea	eax, [esp+88h+var_78]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	38h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[esp+9Ch+var_7C], ebx
		call	_memset
		push	38h		; size_t
		lea	eax, [esp+0A0h+var_40]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	[esp+90h+var_50], 1
		lea	eax, [esp+90h+var_40]
		mov	[esp+90h+var_46], 1
		mov	[esp+90h+var_4C], eax
		mov	[esp+90h+var_54], eax
		push	2
		pop	eax
		push	dword ptr [esi+14h]
		mov	[esp+94h+var_48], ax
		push	dword ptr [esi+18h]
		call	RtlCopyRangeList
		mov	eax, [ebx]
		mov	edi, [eax]
		cmp	eax, edi
		jz	loc_87D8DF

loc_87D7FA:				; CODE XREF: ArbBootAllocation+15Fj
		lea	eax, [esp+90h+var_40]
		mov	[esp+90h+var_58], edi
		mov	edx, [edi+0Ch]
		mov	ecx, esi
		push	eax
		call	_ArbpBuildAlternative@12 ; ArbpBuildAlternative(x,x,x)
		mov	ecx, [esp+90h+var_3C]
		mov	eax, [esp+90h+var_30]
		and	[esp+90h+var_44], 0
		or	eax, [esp+90h+var_2C]
		mov	edx, [esp+90h+var_40]
		mov	ebx, [esp+90h+var_34]
		mov	[esp+90h+var_74], ecx
		mov	ecx, [esp+90h+var_38]
		mov	[esp+90h+var_78], edx
		mov	[esp+90h+var_80], ecx
		mov	[esp+90h+var_70], ecx
		mov	[esp+90h+var_6C], ebx
		mov	[esp+90h+var_45], 0
		jz	loc_87D8D1
		mov	eax, [esp+90h+var_28]
		or	eax, [esp+90h+var_24]
		jz	short loc_87D8D1
		mov	eax, [esp+90h+var_3C]
		cmp	ebx, eax
		ja	short loc_87D861
		jb	short loc_87D8D1
		cmp	ecx, edx
		jb	short loc_87D8D1

loc_87D861:				; CODE XREF: ArbBootAllocation+DFj
		push	[esp+90h+var_24]
		push	[esp+94h+var_28]
		push	eax
		push	edx
		call	__aullrem
		or	eax, edx
		jnz	short loc_87D8D1
		mov	eax, [esp+90h+var_80]
		sub	eax, [esp+90h+var_40]
		sbb	ebx, [esp+90h+var_3C]
		add	eax, 1
		adc	ebx, 0
		cmp	eax, [esp+90h+var_30]
		jnz	short loc_87D8D1
		cmp	ebx, [esp+90h+var_2C]
		jnz	short loc_87D8D1
		lea	eax, [esp+90h+var_78]
		push	eax
		push	esi
		call	dword ptr [esi+70h]
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8E5865
		lea	eax, [esp+98h+var_80]
		push	eax
		push	esi
		call	dword ptr [esi+80h]
		push	dword ptr [edi+2Ch]
		mov	eax, [esp+0A4h+var_64]
		push	[esp+0A4h+var_84]
		push	[esp+0A8h+var_88]
		push	dword ptr [eax+28h]
		call	dword ptr [esi+40h]
		test	byte ptr [esp+0B0h+var_68], 10h
		jnz	loc_8E584B

loc_87D8D1:				; CODE XREF: ArbBootAllocation+C9j
					; ArbBootAllocation+D7j ...
		mov	eax, [esp+0B0h+var_9C]
		mov	edi, [edi]
		cmp	[eax], edi
		jnz	loc_87D7FA

loc_87D8DF:				; CODE XREF: ArbBootAllocation+7Aj
		push	dword ptr [esi+14h]
		call	_RtlFreeRangeList@4 ; RtlFreeRangeList(x)
		mov	eax, [esi+18h]
		mov	ecx, [esi+14h]
		mov	[esi+14h], eax
		xor	eax, eax
		mov	[esi+18h], ecx

loc_87D8F5:				; CODE XREF: ArbBootAllocation+680F5j
		mov	ecx, [esp+0B0h+var_24]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
ArbBootAllocation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ArbpBuildAlternative(x, x, x)
_ArbpBuildAlternative@12 proc near	; CODE XREF: ArbpBuildAllocationStack+B5p
					; ArbBootAllocation+8Ep ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, edx
		lea	eax, [esi+18h]
		mov	[esi+28h], edi
		push	eax
		lea	ebx, [esi+10h]
		push	ebx
		lea	edx, [esi+8]
		push	edx
		push	esi
		push	edi
		call	dword ptr [ecx+3Ch]
		test	eax, eax
		js	short loc_87D996
		and	dword ptr [esi+24h], 0
		xor	eax, eax
		xor	ecx, ecx
		inc	eax
		cmp	byte ptr [edi+2], 3
		jz	short loc_87D99D

loc_87D943:				; CODE XREF: ArbpBuildAlternative(x,x,x)+96j
		mov	edx, [esi+0Ch]
		mov	eax, [esi+8]
		mov	ebx, [esi+4]
		mov	[ebp+arg_0], edx
		mov	edx, [esi]
		mov	[ebp+var_8], eax
		sub	eax, edx
		mov	[ebp+var_C], edx
		mov	edx, [ebp+arg_0]
		sbb	edx, ebx
		add	eax, 1
		adc	edx, 0
		cmp	eax, [esi+10h]
		jnz	short loc_87D974
		cmp	edx, [esi+14h]
		jnz	short loc_87D974
		or	ecx, 2
		mov	[esi+24h], ecx

loc_87D974:				; CODE XREF: ArbpBuildAlternative(x,x,x)+5Bj
					; ArbpBuildAlternative(x,x,x)+60j
		mov	dl, [edi+1]
		cmp	dl, 3
		jz	short loc_87D9A4
		mov	eax, ecx
		cmp	dl, 7
		jz	short loc_87D9A4

loc_87D983:				; CODE XREF: ArbpBuildAlternative(x,x,x)+A3j
					; ArbpBuildAlternative(x,x,x)+ABj
		mov	ecx, [ebp+arg_0]
		cmp	ecx, ebx
		ja	short loc_87D994
		jb	short loc_87D9B9
		mov	ecx, [ebp+var_8]
		cmp	ecx, [ebp+var_C]
		jb	short loc_87D9B9

loc_87D994:				; CODE XREF: ArbpBuildAlternative(x,x,x)+7Cj
					; ArbpBuildAlternative(x,x,x)+B3j
		xor	eax, eax

loc_87D996:				; CODE XREF: ArbpBuildAlternative(x,x,x)+26j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_87D99D:				; CODE XREF: ArbpBuildAlternative(x,x,x)+35j
		mov	[esi+24h], eax
		mov	ecx, eax
		jmp	short loc_87D943
; 

loc_87D9A4:				; CODE XREF: ArbpBuildAlternative(x,x,x)+6Ej
					; ArbpBuildAlternative(x,x,x)+75j
		mov	edx, 100h
		mov	eax, ecx
		test	[edi+4], dx
		jz	short loc_87D983
		or	eax, 8
		mov	[esi+24h], eax
		jmp	short loc_87D983
; 

loc_87D9B9:				; CODE XREF: ArbpBuildAlternative(x,x,x)+7Ej
					; ArbpBuildAlternative(x,x,x)+86j
		or	eax, 4
		mov	[esi+24h], eax
		jmp	short loc_87D994
_ArbpBuildAlternative@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ArbAddAllocation(x,	x)
_ArbAddAllocation@8 proc near		; DATA XREF: ArbInitializeArbiterInstance+168o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx+20h]
		push	dword ptr [eax+10h]
		mov	eax, [ecx+24h]
		push	0
		mov	eax, [eax+24h]
		and	eax, 1
		lea	eax, ds:1[eax*2]
		push	eax
		movzx	eax, byte ptr [ecx+32h]
		push	eax
		push	dword ptr [ecx+0Ch]
		mov	eax, [ebp+arg_0]
		push	dword ptr [ecx+8]
		push	dword ptr [ecx+4]
		push	dword ptr [ecx]
		push	dword ptr [eax+18h]
		call	_RtlAddRange@36	; RtlAddRange(x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	8
_ArbAddAllocation@8 endp

; 
		align 8
; Exported entry 1950. RtlAddRange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAddRange(x, x, x, x, x, x, x, x,	x)
		public _RtlAddRange@36
_RtlAddRange@36	proc near		; CODE XREF: IopPortAddAllocation+3Cp
					; RtlInvertRangeListEx(x,x,x,x,x)+66p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_4]
		cmp	[ebp+arg_10], ecx
		ja	short loc_87DA1F
		jb	short loc_87DA7A
		cmp	[ebp+arg_C], eax
		jb	short loc_87DA7A

loc_87DA1F:				; CODE XREF: RtlAddRange(x,x,x,x,x,x,x,x,x)+Ej
		mov	edx, [ebp+arg_1C]
		push	esi
		push	[ebp+arg_20]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ecx
		mov	cl, [ebp+arg_14]
		push	eax
		call	_RtlpCreateRangeListEntry@28 ; RtlpCreateRangeListEntry(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_87DA81
		test	byte ptr [ebp+arg_18], 2
		jnz	short loc_87DA6E

loc_87DA42:				; CODE XREF: RtlAddRange(x,x,x,x,x,x,x,x,x)+6Aj
		test	byte ptr [ebp+arg_18], 10h
		jnz	short loc_87DA74

loc_87DA48:				; CODE XREF: RtlAddRange(x,x,x,x,x,x,x,x,x)+70j
		push	ebx
		push	edi
		push	[ebp+arg_18]
		mov	edi, [ebp+arg_0]
		mov	edx, esi
		mov	ecx, edi
		call	_RtlpAddRange@12 ; RtlpAddRange(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_87DA88
		inc	dword ptr [edi+0Ch]
		inc	dword ptr [edi+10h]

loc_87DA65:				; CODE XREF: RtlAddRange(x,x,x,x,x,x,x,x,x)+87j
		pop	edi
		mov	eax, ebx
		pop	ebx

loc_87DA69:				; CODE XREF: RtlAddRange(x,x,x,x,x,x,x,x,x)+7Ej
		pop	esi

loc_87DA6A:				; CODE XREF: RtlAddRange(x,x,x,x,x,x,x,x,x)+77j
		pop	ebp
		retn	24h
; 

loc_87DA6E:				; CODE XREF: RtlAddRange(x,x,x,x,x,x,x,x,x)+38j
		or	byte ptr [esi+19h], 1
		jmp	short loc_87DA42
; 

loc_87DA74:				; CODE XREF: RtlAddRange(x,x,x,x,x,x,x,x,x)+3Ej
		or	byte ptr [esi+19h], 10h
		jmp	short loc_87DA48
; 

loc_87DA7A:				; CODE XREF: RtlAddRange(x,x,x,x,x,x,x,x,x)+10j
					; RtlAddRange(x,x,x,x,x,x,x,x,x)+15j
		mov	eax, 0C000000Dh
		jmp	short loc_87DA6A
; 

loc_87DA81:				; CODE XREF: RtlAddRange(x,x,x,x,x,x,x,x,x)+32j
		mov	eax, 0C0000001h
		jmp	short loc_87DA69
; 

loc_87DA88:				; CODE XREF: RtlAddRange(x,x,x,x,x,x,x,x,x)+55j
		mov	ecx, esi
		call	_RtlpFreeRangeListEntry@4 ; RtlpFreeRangeListEntry(x)
		jmp	short loc_87DA65
_RtlAddRange@36	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpDeleteFromMergedRange proc near	; CODE XREF: RtlDeleteOwnersRanges(x,x)+71p
					; PAGE:008E5753p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E5874 SIZE 00000054 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		push	edi
		lea	eax, [ebx+1Ch]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_87DB67
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_87DB67
		mov	[ecx], edx
		lea	eax, [ebp+var_C]
		mov	[edx+4], ecx
		lea	edx, [esi+10h]
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	eax, [edx]
		mov	edi, [eax]
		lea	ecx, [eax-1Ch]
		sub	edi, 1Ch
		cmp	edx, eax
		jz	loc_8E58A5
		lea	eax, [ecx+1Ch]

loc_87DAE4:				; CODE XREF: RtlpDeleteFromMergedRange+96j
		mov	edx, [eax]
		mov	[ebp+var_4], edx
		cmp	[edx+4], eax
		jnz	short loc_87DB67
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_87DB67
		mov	eax, [ebp+var_4]
		mov	[edx], eax
		push	1
		mov	[eax+4], edx
		mov	edx, ecx
		and	byte ptr [ecx+19h], 0FDh
		lea	ecx, [ebp+var_C]
		call	_RtlpAddRange@12 ; RtlpAddRange(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		js	loc_8E5874
		mov	ecx, edi
		lea	edx, [esi+10h]
		mov	edi, [edi+1Ch]
		sub	edi, 1Ch
		lea	eax, [ecx+1Ch]
		cmp	edx, eax
		jnz	short loc_87DAE4
		mov	eax, [ebp+var_C]
		lea	ecx, [ebp+var_C]
		cmp	eax, ecx
		jz	loc_8E58A5
		mov	ecx, [esi+20h]
		mov	edx, [esi+1Ch]
		mov	[ecx], eax
		mov	eax, [ebp+var_C]
		mov	[eax+4], ecx
		mov	eax, [ebp+var_8]
		mov	[edx+4], eax
		mov	eax, [ebp+var_8]
		mov	[eax], edx

loc_87DB51:				; CODE XREF: RtlpDeleteFromMergedRange+67E31j
		mov	ecx, ebx
		call	_RtlpFreeRangeListEntry@4 ; RtlpFreeRangeListEntry(x)
		mov	ecx, esi
		call	_RtlpFreeRangeListEntry@4 ; RtlpFreeRangeListEntry(x)
		mov	eax, [ebp+var_4]

loc_87DB62:				; CODE XREF: RtlpDeleteFromMergedRange+67E0Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_87DB67:				; CODE XREF: RtlpDeleteFromMergedRange+1Bj
					; RtlpDeleteFromMergedRange+26j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
RtlpDeleteFromMergedRange endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpAddRange(x, x, x)
_RtlpAddRange@12 proc near		; CODE XREF: RtlAddRange(x,x,x,x,x,x,x,x,x)+4Cp
					; RtlpDeleteFromMergedRange+76p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	eax, [esi+8]
		and	byte ptr [esi+19h], 0FDh
		mov	edi, [ecx]
		mov	edx, [esi+4]
		mov	ebx, [esi]
		mov	[ebp+var_C], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], edx
		cmp	edi, ecx
		jz	short loc_87DBEE
		mov	eax, [ecx+4]
		cmp	edx, [eax-10h]
		ja	short loc_87DBEE
		jb	short loc_87DBA6
		cmp	ebx, [eax-14h]
		ja	short loc_87DBEE

loc_87DBA6:				; CODE XREF: RtlpAddRange(x,x,x)+33j
		lea	edx, [edi-1Ch]

loc_87DBA9:				; CODE XREF: RtlpAddRange(x,x,x)+80j
		mov	edi, [edx+4]
		mov	eax, [edx]
		cmp	[ebp+var_8], edi
		jb	short loc_87DC06
		ja	short loc_87DBBA
		cmp	[ebp+var_C], eax
		jb	short loc_87DC06

loc_87DBBA:				; CODE XREF: RtlpAddRange(x,x,x)+47j
		cmp	edi, [ebp+var_4]
		ja	short loc_87DBC5
		jb	short loc_87DBD5
		cmp	eax, ebx
		jb	short loc_87DBD5

loc_87DBC5:				; CODE XREF: RtlpAddRange(x,x,x)+51j
					; RtlpAddRange(x,x,x)+6Fj ...
		push	[ebp+arg_0]
		push	esi
		call	RtlpAddIntersectingRanges

loc_87DBCE:				; CODE XREF: RtlpAddRange(x,x,x)+98j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_87DBD5:				; CODE XREF: RtlpAddRange(x,x,x)+53j
					; RtlpAddRange(x,x,x)+57j
		mov	eax, [edx+0Ch]
		cmp	eax, [ebp+var_4]
		ja	short loc_87DBC5
		jb	short loc_87DBE4
		cmp	[edx+8], ebx
		jnb	short loc_87DBC5

loc_87DBE4:				; CODE XREF: RtlpAddRange(x,x,x)+71j
		mov	eax, [edx+1Ch]
		lea	edx, [eax-1Ch]
		cmp	ecx, eax
		jnz	short loc_87DBA9

loc_87DBEE:				; CODE XREF: RtlpAddRange(x,x,x)+29j
					; RtlpAddRange(x,x,x)+31j ...
		mov	edx, [ecx+4]
		lea	eax, [esi+1Ch]
		cmp	[edx], ecx
		jnz	short loc_87DC1A
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax

loc_87DC02:				; CODE XREF: RtlpAddRange(x,x,x)+ACj
		xor	eax, eax
		jmp	short loc_87DBCE
; 

loc_87DC06:				; CODE XREF: RtlpAddRange(x,x,x)+45j
					; RtlpAddRange(x,x,x)+4Cj
		mov	edx, [edx+20h]
		lea	eax, [esi+1Ch]
		mov	ecx, [edx]
		mov	[eax], ecx
		mov	[esi+20h], edx
		mov	[ecx+4], eax
		mov	[edx], eax
		jmp	short loc_87DC02
; 

loc_87DC1A:				; CODE XREF: RtlpAddRange(x,x,x)+8Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_RtlpAddRange@12 endp


RtlpAddIntersectingRanges:		; CODE XREF: RtlpAddRange(x,x,x)+5Dp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, [ebp+8]
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		mov	[ebp-8], edi
		mov	dl, [esi+19h]
		and	dl, 1
		test	byte ptr [ebp+0Ch], 1
		mov	[ebp-1], dl
		jz	loc_8E58C8

loc_87DC48:				; CODE XREF: PAGE:008E58CFj
					; PAGE:008E58EDj ...
		test	byte ptr [ebx+1Ah], 1
		jz	short loc_87DC72

loc_87DC4E:				; CODE XREF: PAGE:0087DC7Bj
		mov	eax, [ebx+1Ch]
		lea	esi, [eax-1Ch]

loc_87DC54:				; CODE XREF: PAGE:0087DCC4j
		mov	edi, [eax]
		sub	edi, 1Ch
		cmp	[ebp-8], eax
		jnz	short loc_87DC7F

loc_87DC5E:				; CODE XREF: PAGE:0087DC88j
					; PAGE:0087DC91j
		push	dword ptr [ebp+0Ch]
		mov	edx, [ebp+8]
		mov	ecx, ebx
		call	RtlpAddToMergedRange

loc_87DC6B:				; CODE XREF: PAGE:0087DC7Dj
					; PAGE:008E59A4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_87DC72:				; CODE XREF: PAGE:0087DC4Cj
		mov	ecx, ebx
		call	RtlpConvertToMergedRange
		test	eax, eax
		jns	short loc_87DC4E
		jmp	short loc_87DC6B
; 

loc_87DC7F:				; CODE XREF: PAGE:0087DC5Cj
		mov	ecx, [ebp+8]
		mov	eax, [ecx+0Ch]
		cmp	eax, [esi+4]
		jb	short loc_87DC5E
		ja	short loc_87DC93
		mov	eax, [ecx+8]
		cmp	eax, [esi]
		jb	short loc_87DC5E

loc_87DC93:				; CODE XREF: PAGE:0087DC8Aj
		test	byte ptr [esi+1Ah], 1
		jnz	loc_8E59A9
		lea	eax, [esi+1Ch]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_87DCC6
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_87DCC6
		push	dword ptr [ebp+0Ch]
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	edx, esi
		mov	ecx, ebx
		call	RtlpAddToMergedRange

loc_87DCBF:				; CODE XREF: PAGE:008E5A26j
		mov	esi, edi
		lea	eax, [edi+1Ch]
		jmp	short loc_87DC54
; 

loc_87DCC6:				; CODE XREF: PAGE:0087DCA5j
					; PAGE:0087DCACj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 0CCh
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpAddToMergedRange proc near		; CODE XREF: PAGE:0087DC66p
					; PAGE:0087DCBAp ...

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008E5A2B SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	al, [edx+19h]
		push	ebx
		push	esi
		mov	esi, [ecx+10h]
		and	al, 1
		push	edi
		lea	edi, [ecx+10h]
		mov	[ebp+var_1], al
		xor	ebx, ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		lea	eax, [esi-1Ch]
		cmp	edi, esi
		jz	loc_8E5A35
		lea	esp, [esp+0]

loc_87DD00:				; CODE XREF: RtlpAddToMergedRange+AAj
		mov	ecx, [eax+4]
		mov	ebx, [edx+4]
		mov	edi, [eax]
		mov	esi, [edx]
		mov	[ebp+var_8], ecx
		cmp	ecx, ebx
		ja	short loc_87DD1F
		jb	loc_87DDDC
		cmp	edi, esi
		jb	loc_87DDDC

loc_87DD1F:				; CODE XREF: RtlpAddToMergedRange+3Fj
					; RtlpAddToMergedRange+123j
		cmp	ebx, ecx
		ja	short loc_87DD31
		jb	loc_87DDF8
		cmp	esi, edi
		jb	loc_87DDF8

loc_87DD31:				; CODE XREF: RtlpAddToMergedRange+51j
					; RtlpAddToMergedRange+134j ...
		cmp	[ebp+var_1], 0
		jnz	loc_87DE46

loc_87DD3B:				; CODE XREF: RtlpAddToMergedRange+17Aj
		test	[ebp+arg_0], 1
		jz	loc_8E5A2B
		or	byte ptr [eax+19h], 2
		or	byte ptr [edx+19h], 2

loc_87DD4D:				; CODE XREF: RtlpAddToMergedRange+10Fj
					; RtlpAddToMergedRange+11Aj ...
		mov	ebx, [ebp+var_C]
		test	ebx, ebx
		jnz	short loc_87DD6C
		mov	ecx, [eax+4]
		cmp	ecx, [edx+4]
		jb	short loc_87DD6C
		ja	loc_87DE20
		mov	ecx, [eax]
		cmp	ecx, [edx]
		ja	loc_87DE20

loc_87DD6C:				; CODE XREF: RtlpAddToMergedRange+82j
					; RtlpAddToMergedRange+8Aj ...
		mov	esi, [ebp+var_10]
		mov	ecx, [eax+1Ch]
		lea	edi, [esi+10h]
		lea	eax, [ecx-1Ch]
		cmp	edi, ecx
		jnz	short loc_87DD00

loc_87DD7C:				; CODE XREF: RtlpAddToMergedRange+67D67j
		lea	ecx, [edx+1Ch]
		test	ebx, ebx
		jnz	loc_87DE2B
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	loc_8E5A3C
		mov	[ecx], edi
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[edi+4], ecx

loc_87DD9C:				; CODE XREF: RtlpAddToMergedRange+167j
		mov	ecx, [edx+4]
		mov	eax, [edx]
		cmp	ecx, [esi+4]
		ja	short loc_87DDB4
		jb	loc_87DE3C
		cmp	eax, [esi]
		jb	loc_87DE3C

loc_87DDB4:				; CODE XREF: RtlpAddToMergedRange+D4j
					; RtlpAddToMergedRange+171j
		mov	ecx, [edx+0Ch]
		mov	eax, [edx+8]
		cmp	ecx, [esi+0Ch]
		jb	short loc_87DDC6
		ja	short loc_87DE18
		cmp	eax, [esi+8]
		ja	short loc_87DE18

loc_87DDC6:				; CODE XREF: RtlpAddToMergedRange+EDj
					; RtlpAddToMergedRange+14Ej
		mov	al, [esi+19h]
		test	al, 1
		jnz	loc_87DE55

loc_87DDD1:				; CODE XREF: RtlpAddToMergedRange+189j
					; RtlpAddToMergedRange+194j
		xor	eax, eax

loc_87DDD3:				; CODE XREF: RtlpAddToMergedRange+67D60j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_87DDDC:				; CODE XREF: RtlpAddToMergedRange+41j
					; RtlpAddToMergedRange+49j
		cmp	[eax+0Ch], ebx
		jb	loc_87DD4D
		ja	short loc_87DDF0
		cmp	[eax+8], esi
		jb	loc_87DD4D

loc_87DDF0:				; CODE XREF: RtlpAddToMergedRange+115j
		mov	ecx, [ebp+var_8]
		jmp	loc_87DD1F
; 

loc_87DDF8:				; CODE XREF: RtlpAddToMergedRange+53j
					; RtlpAddToMergedRange+5Bj
		mov	ecx, [edx+0Ch]
		cmp	ecx, [ebp+var_8]
		jb	loc_87DD4D
		ja	loc_87DD31
		cmp	[edx+8], edi
		jb	loc_87DD4D
		jmp	loc_87DD31
; 

loc_87DE18:				; CODE XREF: RtlpAddToMergedRange+EFj
					; RtlpAddToMergedRange+F4j
		mov	[esi+8], eax
		mov	[esi+0Ch], ecx
		jmp	short loc_87DDC6
; 

loc_87DE20:				; CODE XREF: RtlpAddToMergedRange+8Cj
					; RtlpAddToMergedRange+96j
		mov	ebx, [eax+20h]
		mov	[ebp+var_C], ebx
		jmp	loc_87DD6C
; 

loc_87DE2B:				; CODE XREF: RtlpAddToMergedRange+B1j
		mov	eax, [ebx]
		mov	[ecx], eax
		mov	[edx+20h], ebx
		mov	[eax+4], ecx
		mov	[ebx], ecx
		jmp	loc_87DD9C
; 

loc_87DE3C:				; CODE XREF: RtlpAddToMergedRange+D6j
					; RtlpAddToMergedRange+DEj
		mov	[esi], eax
		mov	[esi+4], ecx
		jmp	loc_87DDB4
; 

loc_87DE46:				; CODE XREF: RtlpAddToMergedRange+65j
		test	byte ptr [eax+19h], 1
		jz	loc_87DD3B
		jmp	loc_87DD4D
; 

loc_87DE55:				; CODE XREF: RtlpAddToMergedRange+FBj
		cmp	[ebp+var_1], 0
		jnz	loc_87DDD1
		and	al, 0FEh
		mov	[esi+19h], al
		jmp	loc_87DDD1
RtlpAddToMergedRange endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpCreateRangeListEntry(x,	x, x, x, x, x, x)
_RtlpCreateRangeListEntry@28 proc near	; CODE XREF: RtlAddRange(x,x,x,x,x,x,x,x,x)+29p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	offset _RtlpRangeListEntryLookasideList
		mov	edi, edx
		mov	bl, cl
		call	_ExAllocateFromPagedLookasideList@4 ; ExAllocateFromPagedLookasideList(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_87DEB3
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	[esi+1Ah], ax
		mov	eax, [ebp+arg_8]
		mov	[esi+8], eax
		mov	eax, [ebp+arg_C]
		mov	[esi], ecx
		mov	ecx, [ebp+arg_4]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_10]
		mov	byte ptr [esi+19h], 0
		mov	[esi+4], ecx
		mov	[esi+14h], eax
		mov	[esi+18h], bl
		mov	[esi+10h], edi

loc_87DEB3:				; CODE XREF: RtlpCreateRangeListEntry(x,x,x,x,x,x,x)+1Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
_RtlpCreateRangeListEntry@28 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2102. RtlFreeRangeList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFreeRangeList(x)
		public _RtlFreeRangeList@4
_RtlFreeRangeList@4 proc near		; CODE XREF: ArbTestAllocation+111p
					; ArbBootAllocation+168p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	eax, [esi]
		and	dword ptr [esi+8], 0
		and	dword ptr [esi+0Ch], 0
		mov	edi, [eax]
		lea	ecx, [eax-1Ch]
		sub	edi, 1Ch
		cmp	esi, eax
		jz	short loc_87DF0E
		lea	eax, [ecx+1Ch]
		push	ebx

loc_87DEE6:				; CODE XREF: RtlFreeRangeList(x)+49j
		mov	ebx, [eax]
		cmp	[ebx+4], eax
		jnz	short loc_87DF14
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_87DF14
		mov	[edx], ebx
		mov	[ebx+4], edx
		call	_RtlpDeleteRangeListEntry@4 ; RtlpDeleteRangeListEntry(x)
		mov	ecx, edi
		mov	edi, [edi+1Ch]
		sub	edi, 1Ch
		lea	eax, [ecx+1Ch]
		cmp	esi, eax
		jnz	short loc_87DEE6
		pop	ebx

loc_87DF0E:				; CODE XREF: RtlFreeRangeList(x)+1Ej
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_87DF14:				; CODE XREF: RtlFreeRangeList(x)+29j
					; RtlFreeRangeList(x)+30j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_RtlFreeRangeList@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpDeleteRangeListEntry(x)
_RtlpDeleteRangeListEntry@4 proc near	; CODE XREF: RtlFreeRangeList(x)+37p
					; RtlpCopyRangeListEntry+67A33p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+1Ah], 1
		jnz	short loc_87DF2D

loc_87DF25:				; CODE XREF: RtlpDeleteRangeListEntry(x)+34j
		mov	ecx, esi
		pop	esi
		jmp	_RtlpFreeRangeListEntry@4 ; RtlpFreeRangeListEntry(x)
; 

loc_87DF2D:				; CODE XREF: RtlpDeleteRangeListEntry(x)+9j
		push	ebx
		lea	ebx, [esi+10h]
		mov	eax, [ebx]
		push	edi
		lea	ecx, [eax-1Ch]
		jmp	short loc_87DF43
; 

loc_87DF39:				; CODE XREF: RtlpDeleteRangeListEntry(x)+30j
		call	_RtlpFreeRangeListEntry@4 ; RtlpFreeRangeListEntry(x)
		mov	ecx, edi
		lea	eax, [edi+1Ch]

loc_87DF43:				; CODE XREF: RtlpDeleteRangeListEntry(x)+1Dj
		mov	edi, [eax]
		sub	edi, 1Ch
		cmp	ebx, eax
		jnz	short loc_87DF39
		pop	edi
		pop	ebx
		jmp	short loc_87DF25
_RtlpDeleteRangeListEntry@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpFreeRangeListEntry(x)
_RtlpFreeRangeListEntry@4 proc near	; CODE XREF: PAGE:0087CFBEp
					; RtlDeleteOwnersRanges(x,x)+99p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+1Ah], 1
		jnz	short loc_87DF61
		test	byte ptr [esi+19h], 10h
		jnz	short loc_87DF6E

loc_87DF61:				; CODE XREF: RtlpFreeRangeListEntry(x)+9j
					; RtlpFreeRangeListEntry(x)+24j ...
		push	esi
		push	offset _RtlpRangeListEntryLookasideList
		call	_ExFreeToPagedLookasideList@8 ;	ExFreeToPagedLookasideList(x,x)
		pop	esi
		retn
; 

loc_87DF6E:				; CODE XREF: RtlpFreeRangeListEntry(x)+Fj
		mov	eax, [esi+10h]
		sub	dword ptr [eax], 1
		jnz	short loc_87DF61
		push	0
		push	dword ptr [esi+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_87DF61
_RtlpFreeRangeListEntry@4 endp


;  S U B	R O U T	I N E 


RtlpConvertToMergedRange proc near	; CODE XREF: PAGE:0087DC74p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	RtlpCopyRangeListEntry
		mov	edx, eax
		test	edx, edx
		jz	short loc_87DFB7
		test	byte ptr [esi+19h], 10h
		jnz	loc_8E5A43

loc_87DF9C:				; CODE XREF: RtlpAddToMergedRange+67D7Cj
		xor	eax, eax
		lea	ecx, [esi+10h]
		inc	eax
		mov	[esi+1Ah], ax
		lea	eax, [edx+1Ch]
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	[ecx+4], eax
		mov	[ecx], eax
		xor	eax, eax
		pop	esi
		retn
; 

loc_87DFB7:				; CODE XREF: RtlpConvertToMergedRange+Ej
		mov	eax, 0C000009Ah
		pop	esi
		retn
RtlpConvertToMergedRange endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2001. RtlCopyRangeList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlCopyRangeList
RtlCopyRangeList proc near		; CODE XREF: ArbTestAllocation+21p
					; ArbBootAllocation+6Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E5A51 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	dword ptr [esi+0Ch], 0
		jnz	short loc_87E024
		push	ebx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, [edi+8]
		mov	[esi+8], eax
		mov	eax, [edi+0Ch]
		mov	[esi+0Ch], eax
		mov	eax, [edi+10h]
		mov	[esi+10h], eax
		mov	eax, [edi]

loc_87DFEC:				; CODE XREF: RtlCopyRangeList+55j
		lea	ebx, [eax-1Ch]
		cmp	edi, eax
		jz	short loc_87E01B
		mov	ecx, ebx
		call	RtlpCopyRangeListEntry
		test	eax, eax
		jz	loc_8E5A51
		mov	ecx, [esi+4]
		add	eax, 1Ch
		cmp	[ecx], esi
		jnz	short loc_87E02B
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esi+4], eax
		mov	eax, [ebx+1Ch]
		jmp	short loc_87DFEC
; 

loc_87E01B:				; CODE XREF: RtlCopyRangeList+2Dj
		xor	eax, eax

loc_87E01D:				; CODE XREF: RtlCopyRangeList+67A98j
		pop	edi
		pop	ebx

loc_87E01F:				; CODE XREF: RtlCopyRangeList+65j
		pop	esi
		pop	ebp
		retn	8
; 

loc_87E024:				; CODE XREF: RtlCopyRangeList+Dj
		mov	eax, 0C000000Dh
		jmp	short loc_87E01F
; 

loc_87E02B:				; CODE XREF: RtlCopyRangeList+46j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
RtlCopyRangeList endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCopyRangeListEntry proc near	; CODE XREF: RtlpConvertToMergedRange+5p
					; RtlCopyRangeList+31p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E5A61 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	offset _RtlpRangeListEntryLookasideList
		mov	[ebp+var_4], ecx
		call	_ExAllocateFromPagedLookasideList@4 ; ExAllocateFromPagedLookasideList(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_87E065
		mov	edx, [ebp+var_4]
		mov	edi, ebx
		push	0Ah
		pop	ecx
		mov	esi, edx
		rep movsd
		test	byte ptr [ebx+19h], 10h
		jnz	short loc_87E06C

loc_87E05F:				; CODE XREF: RtlpCopyRangeListEntry+41j
		test	byte ptr [edx+1Ah], 1
		jnz	short loc_87E073

loc_87E065:				; CODE XREF: RtlpCopyRangeListEntry+1Bj
					; RtlpCopyRangeListEntry+5Bj
		mov	eax, ebx

loc_87E067:				; CODE XREF: RtlpCopyRangeListEntry+67A3Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_87E06C:				; CODE XREF: RtlpCopyRangeListEntry+2Dj
		mov	eax, [ebx+10h]
		inc	dword ptr [eax]
		jmp	short loc_87E05F
; 

loc_87E073:				; CODE XREF: RtlpCopyRangeListEntry+33j
		lea	esi, [ebx+10h]
		lea	ecx, [edx+10h]
		mov	[esi+4], esi
		mov	[esi], esi
		mov	eax, [ecx]
		cmp	ecx, eax
		mov	[ebp+var_8], ecx

loc_87E085:				; CODE XREF: RtlpCopyRangeListEntry+9Ej
		lea	esi, [eax-1Ch]
		mov	[ebp+var_4], esi
		jz	short loc_87E065
		push	offset _RtlpRangeListEntryLookasideList
		call	_ExAllocateFromPagedLookasideList@4 ; ExAllocateFromPagedLookasideList(x)
		mov	edx, eax
		test	edx, edx
		jz	loc_8E5A61
		push	0Ah
		pop	ecx
		mov	edi, edx
		rep movsd
		test	byte ptr [edx+19h], 10h
		jnz	short loc_87E0D0

loc_87E0AE:				; CODE XREF: RtlpCopyRangeListEntry+A5j
		lea	esi, [ebx+10h]
		add	edx, 1Ch
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_87E0D7
		mov	[edx+4], eax
		mov	[edx], esi
		mov	[eax], edx
		mov	eax, [ebp+var_4]
		mov	[esi+4], edx
		mov	eax, [eax+1Ch]
		cmp	[ebp+var_8], eax
		jmp	short loc_87E085
; 

loc_87E0D0:				; CODE XREF: RtlpCopyRangeListEntry+7Cj
		mov	eax, [edx+10h]
		inc	dword ptr [eax]
		jmp	short loc_87E0AE
; 

loc_87E0D7:				; CODE XREF: RtlpCopyRangeListEntry+89j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
RtlpCopyRangeListEntry endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbFindSuitableRange proc near		; CODE XREF: IopMemFindSuitableRange(x,x)+15p
					; DATA XREF: ArbInitializeArbiterInstance+159o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E5A6F SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edx, [esi+14h]
		mov	ecx, [esi+1Ch]
		mov	eax, [esi+18h]
		mov	ebx, [esi+10h]
		mov	[esp+20h+var_4], edx
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_C], ecx
		cmp	edx, ecx
		jb	short loc_87E117
		ja	loc_87E1E4
		cmp	ebx, eax
		ja	loc_87E1E4

loc_87E117:				; CODE XREF: ArbFindSuitableRange+2Bj
		mov	ecx, [esi+24h]
		mov	eax, [ecx+10h]
		or	eax, [ecx+14h]
		jz	loc_8E5A6F
		mov	eax, [esi+20h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_8E5A7F
		cmp	eax, 2
		jz	loc_8E5A7F

loc_87E13D:				; CODE XREF: ArbFindSuitableRange+679A7j
		movzx	eax, word ptr [esi+30h]
		mov	edx, [ecx+24h]
		shr	eax, 2
		and	eax, 2
		mov	[esp+20h+var_10], edx
		test	dl, 1
		jnz	short loc_87E1C0

loc_87E153:				; CODE XREF: ArbFindSuitableRange+E7j
		test	byte ptr [esp+20h+var_10], 8
		mov	dl, [esi+33h]
		jnz	short loc_87E1C5

loc_87E15D:				; CODE XREF: ArbFindSuitableRange+EFj
		mov	edi, [ebp+arg_0]
		push	esi
		mov	byte ptr [esp+24h+var_10], dl
		push	dword ptr [edi+0A8h]
		push	dword ptr [edi+0A4h]
		push	[esp+2Ch+var_10]
		push	eax
		push	dword ptr [ecx+1Ch]
		push	dword ptr [ecx+18h]
		push	dword ptr [ecx+14h]
		push	dword ptr [ecx+10h]
		push	[esp+44h+var_C]
		push	[esp+48h+var_8]
		push	[esp+4Ch+var_4]
		push	ebx
		push	dword ptr [edi+18h]
		call	RtlFindRange
		test	eax, eax
		js	short loc_87E1CD
		mov	ecx, [esi+24h]
		mov	edx, [ecx+10h]
		add	edx, [esi]
		mov	ecx, [ecx+14h]
		adc	ecx, [esi+4]
		add	edx, 0FFFFFFFFh
		mov	[esi+8], edx
		adc	ecx, 0FFFFFFFFh
		mov	[esi+0Ch], ecx

loc_87E1B5:				; CODE XREF: ArbFindSuitableRange+FCj
					; ArbFindSuitableRange+6799Ej
		mov	al, 1

loc_87E1B7:				; CODE XREF: ArbFindSuitableRange+106j
					; ArbFindSuitableRange+10Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_87E1C0:				; CODE XREF: ArbFindSuitableRange+75j
		or	eax, 1
		jmp	short loc_87E153
; 

loc_87E1C5:				; CODE XREF: ArbFindSuitableRange+7Fj
		or	dl, 40h
		mov	[esi+33h], dl
		jmp	short loc_87E15D
; 

loc_87E1CD:				; CODE XREF: ArbFindSuitableRange+BDj
		mov	edx, esi
		mov	ecx, edi
		call	ArbShareDriverExclusive
		test	al, al
		jnz	short loc_87E1B5
		push	esi
		push	edi
		call	dword ptr [edi+88h]
		jmp	short loc_87E1B7
; 

loc_87E1E4:				; CODE XREF: ArbFindSuitableRange+2Dj
					; ArbFindSuitableRange+35j
		xor	al, al
		jmp	short loc_87E1B7
ArbFindSuitableRange endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2091. RtlFindRange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlFindRange
RtlFindRange	proc near		; CODE XREF: ArbFindSuitableRange+B6p
					; IopPortFindSuitableRange+9Dp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= byte ptr  2Ch
arg_28		= byte ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch

; FUNCTION CHUNK AT 008E5A88 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		sub	esi, [ebp+arg_14]
		push	edi
		push	[ebp+arg_20]
		lea	edi, [esp+3Ch+var_10]
		push	[ebp+arg_1C]
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_10]
		sbb	edi, [ebp+arg_18]
		add	esi, 1
		adc	edi, 0
		push	edi
		push	esi
		call	__aullrem
		mov	ecx, [ebp+arg_10]
		sub	esi, eax
		sbb	edi, edx
		mov	edx, [ebp+arg_8]
		cmp	edx, ecx
		ja	loc_8E5A88
		mov	ebx, [ebp+arg_4]
		mov	eax, [ebp+arg_C]
		jb	short loc_87E247
		cmp	ebx, eax
		ja	loc_8E5A88

loc_87E247:				; CODE XREF: RtlFindRange+4Fj
		mov	ebx, [ebp+arg_14]
		add	ebx, 0FFFFFFFFh
		mov	[esp+38h+var_2C], ebx
		mov	ebx, [ebp+arg_18]
		adc	ebx, 0FFFFFFFFh
		mov	[esp+38h+var_28], ebx
		mov	ebx, [ebp+arg_4]
		sub	eax, ebx
		sbb	ecx, edx
		cmp	ecx, [esp+38h+var_28]
		ja	short loc_87E278
		jb	loc_8E5A88
		cmp	eax, [esp+38h+var_2C]
		jb	loc_8E5A88

loc_87E278:				; CODE XREF: RtlFindRange+78j
		mov	ecx, ebx
		mov	eax, edx
		add	ecx, [ebp+arg_1C]
		adc	eax, [ebp+arg_20]
		cmp	eax, edx
		ja	short loc_87E294
		jb	loc_8E5A88
		cmp	ecx, ebx
		jb	loc_8E5A88

loc_87E294:				; CODE XREF: RtlFindRange+96j
		cmp	edi, edx
		ja	short loc_87E2A6
		jb	loc_8E5A88
		cmp	esi, ebx
		jb	loc_8E5A88

loc_87E2A6:				; CODE XREF: RtlFindRange+A8j
		mov	eax, [ebp+arg_14]
		or	eax, [ebp+arg_18]
		jz	loc_8E5A88
		mov	eax, [ebp+arg_1C]
		or	eax, [ebp+arg_20]
		jz	loc_8E5A88
		mov	cl, [ebp+arg_24]
		mov	al, cl
		and	cl, 2
		and	al, 1
		mov	byte ptr [esp+38h+var_1C], cl
		mov	byte ptr [esp+38h+var_18], al
		mov	ecx, edi
		mov	eax, esi
		add	eax, [ebp+arg_14]
		adc	ecx, [ebp+arg_18]
		add	eax, 0FFFFFFFFh
		mov	[esp+38h+var_24], eax
		lea	eax, [esp+38h+var_14]
		push	eax
		lea	eax, [esp+3Ch+var_10]
		adc	ecx, 0FFFFFFFFh
		push	eax
		push	[ebp+arg_0]
		mov	[esp+44h+var_20], ecx
		call	_RtlGetLastRange@12 ; RtlGetLastRange(x,x,x)
		mov	eax, [esp+38h+var_24]
		mov	ecx, [esp+38h+var_20]

loc_87E302:				; CODE XREF: RtlFindRange+188j
					; RtlFindRange+18Ej
		push	[ebp+arg_30]
		mov	dl, [ebp+arg_28]
		push	[ebp+arg_2C]
		push	0
		push	[esp+44h+var_1C]
		push	[esp+48h+var_18]
		push	ecx
		push	eax
		push	edi
		push	esi
		lea	ecx, [esp+5Ch+var_10]
		call	RtlpIsRangeAvailable
		test	al, al
		jz	short loc_87E339
		mov	eax, [ebp+arg_34]
		mov	[eax], esi
		mov	[eax+4], edi
		xor	eax, eax

loc_87E330:				; CODE XREF: RtlFindRange+195j
					; RtlFindRange+6789Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	38h
; 

loc_87E339:				; CODE XREF: RtlFindRange+136j
		mov	eax, [esp+38h+var_8]
		mov	ecx, [eax]
		mov	esi, ecx
		mov	eax, [eax+4]
		mov	edi, eax
		sub	esi, [ebp+arg_14]
		sbb	edi, [ebp+arg_18]
		cmp	edi, eax
		jb	short loc_87E356
		ja	short loc_87E37E
		cmp	esi, ecx
		ja	short loc_87E37E

loc_87E356:				; CODE XREF: RtlFindRange+160j
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	edi
		push	esi
		call	__aullrem
		mov	ecx, [esp+38h+var_28]
		sub	esi, eax
		mov	eax, [esp+38h+var_2C]
		sbb	edi, edx
		add	eax, esi
		adc	ecx, edi
		cmp	edi, [ebp+arg_8]
		ja	short loc_87E302
		jb	short loc_87E37E
		cmp	esi, ebx
		jnb	short loc_87E302

loc_87E37E:				; CODE XREF: RtlFindRange+162j
					; RtlFindRange+166j ...
		mov	eax, 0C0000001h
		jmp	short loc_87E330
RtlFindRange	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2221. RtlIsRangeAvailable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsRangeAvailable(x, x, x, x, x, x, x, x,	x, x)
		public _RtlIsRangeAvailable@40
_RtlIsRangeAvailable@40	proc near

var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= byte ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+arg_0]
		call	_RtlGetFirstRange@12 ; RtlGetFirstRange(x,x,x)
		pop	edi
		cmp	eax, 8000001Ah
		jz	short loc_87E3F4
		test	eax, eax
		js	short locret_87E3F0
		push	[ebp+arg_20]
		mov	cl, [ebp+arg_14]
		push	[ebp+arg_1C]
		mov	dl, [ebp+arg_18]
		mov	al, cl
		push	1
		and	al, 2
		and	cl, 1
		movzx	eax, al
		push	eax
		movzx	eax, cl
		lea	ecx, [ebp+var_14]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	RtlpIsRangeAvailable
		mov	ecx, [ebp+arg_24]
		mov	[ecx], al

loc_87E3EE:				; CODE XREF: RtlIsRangeAvailable(x,x,x,x,x,x,x,x,x,x)+70j
		xor	eax, eax

locret_87E3F0:				; CODE XREF: RtlIsRangeAvailable(x,x,x,x,x,x,x,x,x,x)+2Cj
		leave
		retn	28h
; 

loc_87E3F4:				; CODE XREF: RtlIsRangeAvailable(x,x,x,x,x,x,x,x,x,x)+28j
		mov	eax, [ebp+arg_24]
		mov	byte ptr [eax],	1
		jmp	short loc_87E3EE
_RtlIsRangeAvailable@40	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpIsRangeAvailable proc near		; CODE XREF: RtlFindRange+12Fp
					; RtlIsRangeAvailable(x,x,x,x,x,x,x,x,x,x)+5Ap

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= byte ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 008E5A92 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		mov	esi, [edi+8]
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	short loc_87E487
		mov	ebx, [ebp+arg_0]

loc_87E418:				; CODE XREF: RtlpIsRangeAvailable+74j
		cmp	[ebp+arg_18], 0
		mov	eax, [edi+4]
		jz	short loc_87E474
		test	eax, eax
		jnz	short loc_87E436
		mov	eax, [ebp+arg_C]
		cmp	eax, [esi+4]
		jb	short loc_87E487
		ja	short loc_87E436
		mov	eax, [ebp+arg_8]
		cmp	eax, [esi]
		jb	short loc_87E487

loc_87E436:				; CODE XREF: RtlpIsRangeAvailable+27j
					; RtlpIsRangeAvailable+31j ...
		mov	ecx, [esi+4]
		mov	edx, [ebp+arg_4]
		mov	eax, [esi]
		cmp	edx, ecx
		ja	short loc_87E448
		jb	short loc_87E490
		cmp	ebx, eax
		jb	short loc_87E490

loc_87E448:				; CODE XREF: RtlpIsRangeAvailable+44j
					; RtlpIsRangeAvailable+99j ...
		cmp	ecx, edx
		ja	short loc_87E49E
		jb	short loc_87E452
		cmp	eax, ebx
		jnb	short loc_87E49E

loc_87E452:				; CODE XREF: RtlpIsRangeAvailable+50j
		cmp	[esi+0Ch], edx
		jb	short loc_87E45E
		ja	short loc_87E49E
		cmp	[esi+8], ebx
		jnb	short loc_87E49E

loc_87E45E:				; CODE XREF: RtlpIsRangeAvailable+59j
					; RtlpIsRangeAvailable+97j ...
		push	dword ptr [ebp+arg_18]
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	RtlGetNextRange
		mov	esi, [ebp+var_8]
		test	esi, esi
		jnz	short loc_87E418
		jmp	short loc_87E487
; 

loc_87E474:				; CODE XREF: RtlpIsRangeAvailable+23j
		test	eax, eax
		jnz	short loc_87E436
		mov	eax, [ebp+arg_4]
		cmp	eax, [esi+0Ch]
		ja	short loc_87E487
		jb	short loc_87E436
		cmp	ebx, [esi+8]
		jbe	short loc_87E436

loc_87E487:				; CODE XREF: RtlpIsRangeAvailable+17j
					; RtlpIsRangeAvailable+2Fj ...
		mov	al, 1

loc_87E489:				; CODE XREF: RtlpIsRangeAvailable+C6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_87E490:				; CODE XREF: RtlpIsRangeAvailable+46j
					; RtlpIsRangeAvailable+4Aj
		cmp	[ebp+arg_C], ecx
		jb	short loc_87E45E
		ja	short loc_87E448
		cmp	[ebp+arg_8], eax
		jb	short loc_87E45E
		jmp	short loc_87E448
; 

loc_87E49E:				; CODE XREF: RtlpIsRangeAvailable+4Ej
					; RtlpIsRangeAvailable+54j ...
		cmp	[ebp+arg_10], 0
		jnz	short loc_87E4C4

loc_87E4A4:				; CODE XREF: RtlpIsRangeAvailable+CCj
		mov	al, [ebp+var_1]
		test	[esi+18h], al
		jnz	short loc_87E45E
		cmp	[ebp+arg_14], 0
		jnz	loc_8E5A92

loc_87E4B6:				; CODE XREF: RtlpIsRangeAvailable+676A0j
		cmp	[ebp+arg_20], 0
		jnz	loc_8E5AA1

loc_87E4C0:				; CODE XREF: RtlpIsRangeAvailable+676AEj
		xor	al, al
		jmp	short loc_87E489
; 

loc_87E4C4:				; CODE XREF: RtlpIsRangeAvailable+A6j
		test	byte ptr [esi+19h], 1
		jz	short loc_87E4A4
		jmp	short loc_87E45E
RtlpIsRangeAvailable endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2130. RtlGetNextRange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlGetNextRange
RtlGetNextRange	proc near		; CODE XREF: ArbOverrideConflict+78p
					; ArbShareDriverExclusive+C0p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008E5AB5 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	edi
		mov	edi, [edx]
		mov	eax, [edi+10h]
		cmp	eax, [edx+0Ch]
		jnz	loc_8E5AB5
		mov	eax, [edx+8]
		test	eax, eax
		jz	loc_8E5ABF
		push	ebx
		mov	bl, [ebp+arg_8]
		push	esi
		test	bl, bl
		jz	short loc_87E539
		mov	esi, [eax+1Ch]

loc_87E500:				; CODE XREF: RtlGetNextRange+6Aj
		mov	eax, [edx+4]
		lea	ecx, [esi-1Ch]
		test	eax, eax
		jnz	short loc_87E53E

loc_87E50A:				; CODE XREF: RtlGetNextRange+7Ej
		lea	eax, [ecx+1Ch]
		cmp	eax, edi
		jz	short loc_87E528
		test	byte ptr [ecx+1Ah], 1
		jnz	short loc_87E552

loc_87E517:				; CODE XREF: RtlGetNextRange+6Ej
					; RtlGetNextRange+90j
		mov	eax, [ebp+arg_4]
		mov	[edx+8], ecx
		mov	[eax], ecx
		xor	eax, eax

loc_87E521:				; CODE XREF: RtlGetNextRange+65j
		pop	esi
		pop	ebx

loc_87E523:				; CODE XREF: RtlGetNextRange+675E8j
					; RtlGetNextRange+675F8j
		pop	edi
		pop	ebp
		retn	0Ch
; 

loc_87E528:				; CODE XREF: RtlGetNextRange+3Dj
		mov	eax, [ebp+arg_4]
		and	dword ptr [edx+8], 0
		and	dword ptr [eax], 0
		mov	eax, 8000001Ah
		jmp	short loc_87E521
; 

loc_87E539:				; CODE XREF: RtlGetNextRange+29j
		mov	esi, [eax+20h]
		jmp	short loc_87E500
; 

loc_87E53E:				; CODE XREF: RtlGetNextRange+36j
		cmp	esi, eax
		jnz	short loc_87E517
		test	bl, bl
		jnz	short loc_87E564
		mov	ecx, [eax+10h]

loc_87E549:				; CODE XREF: RtlGetNextRange+95j
		and	dword ptr [edx+4], 0
		add	ecx, 0FFFFFFE4h
		jmp	short loc_87E50A
; 

loc_87E552:				; CODE XREF: RtlGetNextRange+43j
		lea	eax, [ecx+10h]
		mov	[edx+4], eax
		test	bl, bl
		jnz	short loc_87E569
		mov	ecx, [ecx+14h]

loc_87E55F:				; CODE XREF: RtlGetNextRange+99j
		add	ecx, 0FFFFFFE4h
		jmp	short loc_87E517
; 

loc_87E564:				; CODE XREF: RtlGetNextRange+72j
		mov	ecx, [eax+0Ch]
		jmp	short loc_87E549
; 

loc_87E569:				; CODE XREF: RtlGetNextRange+88j
		mov	ecx, [eax]
		jmp	short loc_87E55F
RtlGetNextRange	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2124. RtlGetFirstRange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetFirstRange(x,	x, x)
		public _RtlGetFirstRange@12
_RtlGetFirstRange@12 proc near		; CODE XREF: ArbOverrideConflict+37p
					; ArbShareDriverExclusive+86p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, edx
		mov	[esi], ecx
		mov	eax, [ecx+10h]
		mov	[esi+0Ch], eax
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	short loc_87E5AD
		test	byte ptr [eax-2], 1
		jnz	short loc_87E5B7
		mov	[esi+4], edx

loc_87E59A:				; CODE XREF: RtlGetFirstRange(x,x,x)+4Dj
		lea	edx, [eax-1Ch]

loc_87E59D:				; CODE XREF: RtlGetFirstRange(x,x,x)+43j
		mov	ecx, [ebp+arg_8]
		mov	eax, edi
		mov	[esi+8], edx
		pop	edi
		pop	esi
		mov	[ecx], edx
		pop	ebp
		retn	0Ch
; 

loc_87E5AD:				; CODE XREF: RtlGetFirstRange(x,x,x)+1Dj
		mov	[esi+4], edx
		mov	edi, 8000001Ah
		jmp	short loc_87E59D
; 

loc_87E5B7:				; CODE XREF: RtlGetFirstRange(x,x,x)+23j
		add	eax, 0FFFFFFF4h
		mov	[esi+4], eax
		mov	eax, [eax]
		jmp	short loc_87E59A
_RtlGetFirstRange@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2127. RtlGetLastRange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetLastRange(x, x, x)
		public _RtlGetLastRange@12
_RtlGetLastRange@12 proc near		; CODE XREF: RtlFindRange+107p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ecx], esi
		mov	edi, edx
		mov	eax, [esi+10h]
		mov	[ecx+0Ch], eax
		cmp	[esi], esi
		jz	short loc_87E60D
		mov	esi, [esi+4]
		test	byte ptr [esi-2], 1
		jnz	short loc_87E602
		mov	[ecx+4], edx

loc_87E5EF:				; CODE XREF: RtlGetLastRange(x,x,x)+45j
		lea	edx, [esi-1Ch]

loc_87E5F2:				; CODE XREF: RtlGetLastRange(x,x,x)+4Fj
		mov	[ecx+8], edx
		mov	eax, edi
		mov	ecx, [ebp+arg_8]
		pop	edi
		pop	esi
		mov	[ecx], edx
		pop	ebp
		retn	0Ch
; 

loc_87E602:				; CODE XREF: RtlGetLastRange(x,x,x)+24j
		lea	eax, [esi-0Ch]
		mov	[ecx+4], eax
		mov	esi, [esi-8]
		jmp	short loc_87E5EF
; 

loc_87E60D:				; CODE XREF: RtlGetLastRange(x,x,x)+1Bj
		mov	[ecx+4], edx
		mov	edi, 8000001Ah
		jmp	short loc_87E5F2
_RtlGetLastRange@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGenericUnpackRequirement proc near	; DATA XREF: IopMemInitialize()+13o
					; IopPortInitialize()+33o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008E5ACF SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_10]
		push	ebx
		push	[ebp+arg_4]
		push	edi
		push	esi
		call	RtlIoDecodeMemIoResource
		mov	ecx, [ebp+arg_C]
		push	0
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	eax, [edi]
		or	eax, [edi+4]
		pop	eax
		jz	short loc_87E65F

loc_87E646:				; CODE XREF: IopGenericUnpackRequirement+50j
		cmp	byte ptr [esi+1], 3
		jnz	short loc_87E656
		test	byte ptr [esi+4], 10h
		jnz	loc_8E5ACF

loc_87E656:				; CODE XREF: IopGenericUnpackRequirement+32j
					; IopGenericUnpackRequirement+674BAj ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	14h
; 

loc_87E65F:				; CODE XREF: IopGenericUnpackRequirement+2Cj
		mov	dword ptr [edi], 1
		mov	[edi+4], eax
		jmp	short loc_87E646
IopGenericUnpackRequirement endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbpGetRegistryValue proc near		; CODE XREF: ArbBuildAssignmentOrdering+14Ep
					; ArbBuildAssignmentOrdering+269p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E5AF2 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_10]
		push	edx
		push	eax
		mov	edi, ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	ebx
		push	3
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	loc_8E5AF2

loc_87E6A9:				; CODE XREF: ArbpGetRegistryValue+6748Dj
		push	4D627241h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_87E6EA
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_8]
		lea	eax, [ebp+var_10]
		push	esi
		push	3
		push	eax
		push	edi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8E5B07
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	eax, eax

loc_87E6E3:				; CODE XREF: ArbpGetRegistryValue+85j
					; ArbpGetRegistryValue+67498j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_87E6EA:				; CODE XREF: ArbpGetRegistryValue+52j
		mov	eax, 0C000009Ah
		jmp	short loc_87E6E3
ArbpGetRegistryValue endp

; 
		align 2

;  S U B	R O U T	I N E 


ArbInitializeOrderingList proc near	; CODE XREF: ArbBuildAssignmentOrdering+86p
					; ArbBuildAssignmentOrdering+98p

; FUNCTION CHUNK AT 008E5B15 SIZE 00000010 BYTES

		mov	edi, edi
		push	esi
		push	edi
		push	4C627241h
		mov	edi, 100h
		mov	esi, ecx
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		mov	[esi+4], eax
		call	_memset
		xor	ecx, ecx
		add	esp, 0Ch
		mov	[esi], cx
		cmp	[esi+4], ecx
		jz	loc_8E5B15
		push	10h
		pop	eax
		mov	[esi+2], ax
		xor	eax, eax

loc_87E730:				; CODE XREF: ArbInitializeOrderingList+6742Ej
		pop	edi
		pop	esi
		retn
ArbInitializeOrderingList endp

; 
		align 4

;  S U B	R O U T	I N E 


ArbFreeOrderingList proc near		; CODE XREF: ArbBuildAssignmentOrdering+76p
					; ArbBuildAssignmentOrdering+7Ep

; FUNCTION CHUNK AT 008E5B25 SIZE 0000000D BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+4]
		test	eax, eax
		jnz	loc_8E5B25

loc_87E744:				; CODE XREF: ArbFreeOrderingList+673F9j
		xor	eax, eax
		and	[esi+4], eax
		mov	[esi], eax
		pop	esi
		retn
ArbFreeOrderingList endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLoadImportDll(x, x, x, x,	x)
_MiLoadImportDll@20 proc near		; CODE XREF: MiResolveImageReferences+36Ep
					; MiResolveImageReferences+408p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		lea	eax, [ebp+var_8]
		xor	esi, esi
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], esi
		push	eax
		mov	eax, [ebp+arg_0]
		or	eax, 8
		mov	[ebp+var_8], esi
		push	eax
		push	esi
		call	_MmLoadSystemImageEx@24	; MmLoadSystemImageEx(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_87E7B4
		mov	esi, [ebp+var_4]
		mov	edx, offset _PsLoadedModuleList
		mov	ecx, esi
		or	dword ptr [esi+34h], 4000000h
		call	MmCallDllInitialize
		mov	edi, eax
		test	edi, edi
		js	short loc_87E7BC
		test	byte ptr [ebp+arg_0], 1
		jnz	short loc_87E7A4
		mov	ecx, esi
		call	_MiFreeDriverInitialization@4 ;	MiFreeDriverInitialization(x)

loc_87E7A4:				; CODE XREF: MiLoadImportDll(x,x,x,x,x)+4Dj
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+var_8]
		mov	[ecx], eax

loc_87E7B4:				; CODE XREF: MiLoadImportDll(x,x,x,x,x)+2Bj
					; MiLoadImportDll(x,x,x,x,x)+74j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn	0Ch
; 

loc_87E7BC:				; CODE XREF: MiLoadImportDll(x,x,x,x,x)+47j
		push	esi
		call	MmUnloadSystemImage
		jmp	short loc_87E7B4
_MiLoadImportDll@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ArbDeleteOwnerRanges(x, x)
_ArbDeleteOwnerRanges@8	proc near	; DATA XREF: ArbInitializeArbiterInstance+1E0o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	[ebp+arg_4]
		push	dword ptr [eax+18h]
		call	_RtlDeleteOwnersRanges@8 ; RtlDeleteOwnersRanges(x,x)
		pop	ebp
		retn	8
_ArbDeleteOwnerRanges@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbPruneOrdering proc near		; CODE XREF: ArbBuildAssignmentOrdering+3DFp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E5B32 SIZE 00000058 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		sub	esp, 18h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		cmp	[ebp+arg_C], eax
		ja	loc_87E98A
		jb	loc_8E5B32
		mov	edi, [ebp+arg_0]
		cmp	[ebp+arg_8], edi
		jb	loc_8E5B32

loc_87E807:				; CODE XREF: ArbPruneOrdering+1B1j
		movzx	eax, word ptr [ebx]
		shl	eax, 5
		push	4C627241h
		add	eax, 10h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	loc_8E5B39
		movzx	eax, word ptr [ebx]
		mov	edx, ecx
		test	ax, ax
		jz	short loc_87E890
		mov	esi, [ebx+4]
		shl	eax, 4
		add	eax, esi
		mov	[ebp+var_4], esi
		cmp	esi, eax
		jnb	short loc_87E890

loc_87E843:				; CODE XREF: ArbPruneOrdering+AFj
		mov	ecx, [esi+4]
		mov	eax, [esi]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ecx
		cmp	[ebp+arg_C], ecx
		jb	short loc_87E86B
		ja	short loc_87E85A
		cmp	[ebp+arg_8], eax
		jb	short loc_87E86B

loc_87E85A:				; CODE XREF: ArbPruneOrdering+77j
		mov	eax, [esi+0Ch]
		mov	ecx, [esi+8]
		cmp	[ebp+arg_4], eax
		ja	short loc_87E86B
		jb	short loc_87E8D3
		cmp	edi, ecx
		jbe	short loc_87E8D3

loc_87E86B:				; CODE XREF: ArbPruneOrdering+75j
					; ArbPruneOrdering+7Cj	...
		mov	edi, edx
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_4]

loc_87E874:				; CODE XREF: ArbPruneOrdering+15Dj
		add	edx, 10h

loc_87E877:				; CODE XREF: ArbPruneOrdering+179j
					; ArbPruneOrdering+183j ...
		movzx	eax, word ptr [ebx]
		add	esi, 10h
		mov	edi, [ebp+arg_0]
		shl	eax, 4
		add	eax, [ebx+4]
		mov	[ebp+var_4], esi
		cmp	esi, eax
		jb	short loc_87E843
		mov	ecx, [ebp+var_8]

loc_87E890:				; CODE XREF: ArbPruneOrdering+56j
					; ArbPruneOrdering+65j
		sub	edx, ecx
		sar	edx, 4
		movzx	edi, dx
		mov	eax, edi
		test	di, di
		jz	short loc_87E8BF
		mov	esi, eax
		shl	esi, 4
		cmp	di, [ebx+2]
		ja	loc_8E5B40
		mov	eax, [ebx+4]

loc_87E8B1:				; CODE XREF: ArbPruneOrdering+673A9j
		push	esi		; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_8]
		add	esp, 0Ch

loc_87E8BF:				; CODE XREF: ArbPruneOrdering+C1j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebx], di
		xor	eax, eax

loc_87E8CC:				; CODE XREF: ArbPruneOrdering+67388j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_87E8D3:				; CODE XREF: ArbPruneOrdering+89j
					; ArbPruneOrdering+8Dj
		mov	esi, [ebp+var_10]
		cmp	[ebp+arg_4], esi
		mov	esi, [ebp+var_4]
		jb	short loc_87E95A
		ja	short loc_87E8E5
		cmp	edi, [ebp+var_C]
		jbe	short loc_87E95A

loc_87E8E5:				; CODE XREF: ArbPruneOrdering+102j
		mov	esi, [ebp+arg_4]
		add	edi, 0FFFFFFFFh
		adc	esi, 0FFFFFFFFh
		mov	[ebp+var_14], esi
		lea	esi, [edx+10h]
		mov	[ebp+var_18], esi
		mov	esi, [ebp+var_4]
		cmp	[ebp+arg_C], eax
		ja	short loc_87E93E
		jb	short loc_87E906
		cmp	[ebp+arg_8], ecx
		jnb	short loc_87E93E

loc_87E906:				; CODE XREF: ArbPruneOrdering+123j
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_C]
		add	ecx, 1
		mov	[edx], ecx
		adc	eax, 0
		mov	[edx+4], eax
		mov	eax, [esi+8]
		mov	[edx+8], eax
		mov	eax, [esi+0Ch]
		mov	[edx+0Ch], eax
		mov	edx, [ebp+var_18]
		mov	eax, [esi]
		mov	[edx], eax
		mov	eax, [esi+4]
		mov	[edx+4], eax
		mov	eax, [ebp+var_14]
		mov	[edx+8], edi

loc_87E936:				; CODE XREF: ArbPruneOrdering+1ACj
		mov	[edx+0Ch], eax
		jmp	loc_87E874
; 

loc_87E93E:				; CODE XREF: ArbPruneOrdering+121j
					; ArbPruneOrdering+128j
		mov	eax, [ebp+var_C]
		mov	[edx], eax
		mov	eax, [ebp+var_10]
		mov	[edx+4], eax
		mov	eax, [ebp+var_14]
		mov	[edx+8], edi
		mov	[edx+0Ch], eax
		mov	edx, [ebp+var_18]
		jmp	loc_87E877
; 

loc_87E95A:				; CODE XREF: ArbPruneOrdering+100j
					; ArbPruneOrdering+107j
		cmp	[ebp+arg_C], eax
		jb	short loc_87E96E
		ja	loc_87E877
		cmp	[ebp+arg_8], ecx
		jnb	loc_87E877

loc_87E96E:				; CODE XREF: ArbPruneOrdering+181j
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_C]
		add	ecx, 1
		mov	[edx], ecx
		adc	eax, 0
		mov	[edx+4], eax
		mov	eax, [esi+8]
		mov	[edx+8], eax
		mov	eax, [esi+0Ch]
		jmp	short loc_87E936
; 

loc_87E98A:				; CODE XREF: ArbPruneOrdering+13j
		mov	edi, [ebp+arg_0]
		jmp	loc_87E807
ArbPruneOrdering endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ArbCommitAllocation(x)
_ArbCommitAllocation@4 proc near	; DATA XREF: ArbInitializeArbiterInstance+111o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	dword ptr [esi+14h]
		call	_RtlFreeRangeList@4 ; RtlFreeRangeList(x)
		mov	eax, [esi+18h]
		mov	ecx, [esi+14h]
		mov	[esi+14h], eax
		xor	eax, eax
		mov	[esi+18h], ecx
		pop	esi
		pop	ebp
		retn	4
_ArbCommitAllocation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbInitializeArbiterInstance proc near	; CODE XREF: IopBusNumberInitialize()+3Ap
					; IopIrqInitialize()+3Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E5B8A SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	ebx, ebx
		push	4D627241h
		push	10h
		push	200h
		mov	dword ptr [esi], 73627241h
		mov	[esi+0A0h], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+4], eax
		test	eax, eax
		jz	loc_8E5B8A
		xor	edi, edi
		inc	edi
		push	edi
		push	edi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	41627241h
		push	1000h
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+38h], eax
		test	eax, eax
		jz	loc_8E5B8A
		push	52627241h
		push	14h
		push	edi
		mov	dword ptr [esi+34h], 1000h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+14h], eax
		test	eax, eax
		jz	loc_8E5B8A
		push	52627241h
		push	14h
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+18h], eax
		test	eax, eax
		jz	loc_8E5B8A
		mov	eax, [esi+14h]
		push	4D627241h
		push	10h
		push	200h
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[eax+8], ebx
		mov	[eax+0Ch], ebx
		mov	[eax+10h], ebx
		mov	eax, [esi+18h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[eax+8], ebx
		mov	[eax+0Ch], ebx
		mov	[eax+10h], ebx
		mov	[esi+94h], bl
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+98h], eax
		test	eax, eax
		jz	loc_8E5B8A
		push	edi
		push	ebx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [ebp+arg_4]
		mov	[esi+8], eax
		mov	eax, [ebp+arg_0]
		mov	dword ptr [esi+0Ch], offset ??_C@_19LFKAPJKP@?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@ ; "Root"
		mov	[esi+10h], eax
		cmp	[esi+4Ch], ebx
		jnz	short loc_87EAB6
		mov	dword ptr [esi+4Ch], offset ArbTestAllocation

loc_87EAB6:				; CODE XREF: ArbInitializeArbiterInstance+F7j
		cmp	[esi+50h], ebx
		jnz	short loc_87EAC2
		mov	dword ptr [esi+50h], offset _ArbRetestAllocation@8 ; ArbRetestAllocation(x,x)

loc_87EAC2:				; CODE XREF: ArbInitializeArbiterInstance+103j
		cmp	[esi+54h], ebx
		jnz	short loc_87EACE
		mov	dword ptr [esi+54h], offset _ArbCommitAllocation@4 ; ArbCommitAllocation(x)

loc_87EACE:				; CODE XREF: ArbInitializeArbiterInstance+10Fj
		cmp	[esi+58h], ebx
		jnz	short loc_87EADA
		mov	dword ptr [esi+58h], offset _ArbRollbackAllocation@4 ; ArbRollbackAllocation(x)

loc_87EADA:				; CODE XREF: ArbInitializeArbiterInstance+11Bj
		cmp	[esi+68h], ebx
		jnz	short loc_87EAE6
		mov	dword ptr [esi+68h], offset _MmConfigureGraphicsPtes@8 ; MmConfigureGraphicsPtes(x,x)

loc_87EAE6:				; CODE XREF: ArbInitializeArbiterInstance+127j
		cmp	[esi+70h], ebx
		jnz	short loc_87EAF2
		mov	dword ptr [esi+70h], offset _ArbPreprocessEntry@8 ; ArbPreprocessEntry(x,x)

loc_87EAF2:				; CODE XREF: ArbInitializeArbiterInstance+133j
		cmp	[esi+74h], ebx
		jnz	short loc_87EAFE
		mov	dword ptr [esi+74h], offset ArbAllocateEntry

loc_87EAFE:				; CODE XREF: ArbInitializeArbiterInstance+13Fj
		cmp	[esi+78h], ebx
		jnz	short loc_87EB0A
		mov	dword ptr [esi+78h], offset ArbGetNextAllocationRange

loc_87EB0A:				; CODE XREF: ArbInitializeArbiterInstance+14Bj
		cmp	[esi+7Ch], ebx
		jnz	short loc_87EB16
		mov	dword ptr [esi+7Ch], offset ArbFindSuitableRange

loc_87EB16:				; CODE XREF: ArbInitializeArbiterInstance+157j
		cmp	[esi+80h], ebx
		jnz	short loc_87EB28
		mov	dword ptr [esi+80h], offset _ArbAddAllocation@8	; ArbAddAllocation(x,x)

loc_87EB28:				; CODE XREF: ArbInitializeArbiterInstance+166j
		cmp	[esi+84h], ebx
		jnz	short loc_87EB3A
		mov	dword ptr [esi+84h], offset _ArbBacktrackAllocation@8 ;	ArbBacktrackAllocation(x,x)

loc_87EB3A:				; CODE XREF: ArbInitializeArbiterInstance+178j
		cmp	[esi+88h], ebx
		jnz	short loc_87EB4C
		mov	dword ptr [esi+88h], offset ArbOverrideConflict

loc_87EB4C:				; CODE XREF: ArbInitializeArbiterInstance+18Aj
		cmp	[esi+5Ch], ebx
		jnz	short loc_87EB58
		mov	dword ptr [esi+5Ch], offset ArbBootAllocation

loc_87EB58:				; CODE XREF: ArbInitializeArbiterInstance+199j
		cmp	[esi+64h], ebx
		jnz	short loc_87EB64
		mov	dword ptr [esi+64h], offset _ArbQueryConflict@8	; ArbQueryConflict(x,x)

loc_87EB64:				; CODE XREF: ArbInitializeArbiterInstance+1A5j
		cmp	[esi+60h], ebx
		jnz	short loc_87EB70
		mov	dword ptr [esi+60h], offset _ArbPreprocessEntry@8 ; ArbPreprocessEntry(x,x)

loc_87EB70:				; CODE XREF: ArbInitializeArbiterInstance+1B1j
		cmp	[esi+6Ch], ebx
		jnz	short loc_87EB7C
		mov	dword ptr [esi+6Ch], offset _ArbStartArbiter@8 ; ArbStartArbiter(x,x)

loc_87EB7C:				; CODE XREF: ArbInitializeArbiterInstance+1BDj
		cmp	[esi+8Ch], ebx
		jnz	short loc_87EB8E
		mov	dword ptr [esi+8Ch], offset _ArbInitializeRangeList@16 ; ArbInitializeRangeList(x,x,x,x)

loc_87EB8E:				; CODE XREF: ArbInitializeArbiterInstance+1CCj
		cmp	[esi+90h], ebx
		jnz	short loc_87EBA0
		mov	dword ptr [esi+90h], offset _ArbDeleteOwnerRanges@8 ; ArbDeleteOwnerRanges(x,x)

loc_87EBA0:				; CODE XREF: ArbInitializeArbiterInstance+1DEj
		push	[ebp+arg_C]
		push	ecx
		mov	ecx, esi
		call	ArbBuildAssignmentOrdering
		mov	edi, eax
		test	edi, edi
		js	loc_8E5B8F
		xor	eax, eax

loc_87EBB7:				; CODE XREF: ArbInitializeArbiterInstance+67224j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	10h
ArbInitializeArbiterInstance endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpLogDeviceConflictingResource(x, x)
_PnpLogDeviceConflictingResource@8 proc	near ; CODE XREF: IopTestConfiguration+90p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	edi, [ebx+14h]
		test	edi, edi
		jz	short loc_87EC41
		mov	eax, [edi+10h]
		push	esi
		test	eax, eax
		jz	short loc_87EC45
		mov	eax, [eax+0B0h]
		mov	esi, [eax+14h]

loc_87EBE5:				; CODE XREF: PnpLogDeviceConflictingResource(x,x)+87j
		test	esi, esi
		jz	short loc_87EC40
		mov	ecx, [esi+1CCh]
		test	ecx, ecx
		jnz	short loc_87EC25
		push	62655250h
		push	50h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+1CCh], eax
		test	eax, eax
		jz	short loc_87EC40
		push	50h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [esi+1CCh]
		add	esp, 0Ch
		mov	edx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_87EC40

loc_87EC25:				; CODE XREF: PnpLogDeviceConflictingResource(x,x)+31j
		cmp	dword ptr [ecx+48h], 0
		jnz	short loc_87EC40
		mov	al, [ebx+8]
		mov	[ecx+40h], al
		mov	eax, [edi+8]
		mov	[ecx+44h], eax
		mov	eax, [edi+0Ch]
		mov	[ecx+48h], eax
		mov	[ecx+4Ch], edx

loc_87EC40:				; CODE XREF: PnpLogDeviceConflictingResource(x,x)+27j
					; PnpLogDeviceConflictingResource(x,x)+49j ...
		pop	esi

loc_87EC41:				; CODE XREF: PnpLogDeviceConflictingResource(x,x)+12j
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_87EC45:				; CODE XREF: PnpLogDeviceConflictingResource(x,x)+1Aj
		xor	esi, esi
		jmp	short loc_87EBE5
_PnpLogDeviceConflictingResource@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopSelectNextConfiguration proc	near	; CODE XREF: PnpFindBestConfigurationWorker+BFp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E5BDF SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		mov	eax, ecx
		mov	esi, ebx
		mov	[ebp+var_C], eax
		test	edi, edi
		jz	short loc_87ECA7
		add	eax, 18h
		mov	[ebp+var_4], eax

loc_87EC6A:				; CODE XREF: IopSelectNextConfiguration+58j
		mov	eax, [eax]
		mov	[ebp+var_8], eax
		push	ebx
		push	ebx
		mov	eax, [eax+0Ch]
		mov	edx, [eax]
		lea	ecx, [edx+14h]
		mov	edx, [edx+10h]
		call	IopAddRemoveReqDescs
		mov	ecx, [ebp+var_8]
		add	dword ptr [ecx+0Ch], 4
		mov	eax, [ecx+0Ch]
		cmp	eax, [ecx+10h]
		jb	short loc_87ECA4
		lea	eax, [ecx+18h]
		inc	esi
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+var_4]
		add	eax, 28h
		mov	[ebp+var_4], eax
		cmp	esi, edi
		jb	short loc_87EC6A

loc_87ECA4:				; CODE XREF: IopSelectNextConfiguration+44j
		mov	eax, [ebp+var_C]

loc_87ECA7:				; CODE XREF: IopSelectNextConfiguration+18j
		cmp	esi, edi
		jnz	short loc_87ECB4
		xor	al, al

loc_87ECAD:				; CODE XREF: IopSelectNextConfiguration+99j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_87ECB4:				; CODE XREF: IopSelectNextConfiguration+5Fj
		test	edi, edi
		jz	short loc_87ECE1
		add	eax, 18h
		mov	[ebp+var_4], eax

loc_87ECBE:				; CODE XREF: IopSelectNextConfiguration+66FA1j
		mov	esi, [eax]
		push	1
		push	[ebp+arg_0]
		mov	eax, [esi+0Ch]
		mov	edx, [eax]
		lea	ecx, [edx+14h]
		mov	edx, [edx+10h]
		call	IopAddRemoveReqDescs
		lea	eax, [esi+18h]
		cmp	[esi+0Ch], eax
		jz	loc_8E5BDF

loc_87ECE1:				; CODE XREF: IopSelectNextConfiguration+6Cj
					; IopSelectNextConfiguration+66FA7j
		mov	al, 1
		jmp	short loc_87ECAD
IopSelectNextConfiguration endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopPortFindSuitableRange proc near	; DATA XREF: IopPortInitialize()+15o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 008E5BF6 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	byte ptr [esp+20h+var_14], 0
		mov	ecx, [esi+24h]
		mov	eax, [ecx+10h]
		mov	edx, [ecx+14h]
		mov	[esp+20h+var_C], eax
		or	eax, edx
		mov	[esp+20h+var_10], edx
		jz	loc_8E5BF6
		mov	eax, [esi+20h]
		mov	edx, [eax+14h]
		test	edx, edx
		jz	short loc_87ED2A
		cmp	edx, 2
		jz	short loc_87ED2A
		test	byte ptr [eax+18h], 1
		jz	short loc_87ED2F

loc_87ED2A:				; CODE XREF: IopPortFindSuitableRange+37j
					; IopPortFindSuitableRange+3Cj
		mov	byte ptr [esp+20h+var_14], 1

loc_87ED2F:				; CODE XREF: IopPortFindSuitableRange+42j
		mov	edi, [esi+14h]
		mov	eax, [esi+1Ch]
		mov	ebx, [esi+10h]
		mov	edx, [esi+18h]
		mov	[esp+20h+var_4], edi
		mov	[esp+20h+var_8], eax
		cmp	edi, eax
		jb	short loc_87ED4D
		ja	short loc_87EDB5
		cmp	ebx, edx
		ja	short loc_87EDB5

loc_87ED4D:				; CODE XREF: IopPortFindSuitableRange+5Fj
		mov	edi, [ebp+arg_0]
		mov	eax, [ecx+24h]
		push	esi
		and	eax, 1
		push	dword ptr [edi+0A8h]
		push	dword ptr [edi+0A4h]
		push	[esp+2Ch+var_14]
		push	eax
		push	dword ptr [ecx+1Ch]
		push	dword ptr [ecx+18h]
		push	[esp+3Ch+var_10]
		push	[esp+40h+var_C]
		push	[esp+44h+var_8]
		push	edx
		push	[esp+4Ch+var_4]
		push	ebx
		push	dword ptr [edi+18h]
		call	RtlFindRange
		test	eax, eax
		js	loc_8E5C06

loc_87ED90:				; CODE XREF: IopPortFindSuitableRange+66F30j
		mov	ecx, [esi+24h]
		mov	edx, [ecx+10h]
		add	edx, [esi]
		mov	ecx, [ecx+14h]
		adc	ecx, [esi+4]
		add	edx, 0FFFFFFFFh
		mov	[esi+8], edx
		adc	ecx, 0FFFFFFFFh
		mov	[esi+0Ch], ecx

loc_87EDAA:				; CODE XREF: IopPortFindSuitableRange+66F1Bj
		mov	al, 1

loc_87EDAC:				; CODE XREF: IopPortFindSuitableRange+D1j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_87EDB5:				; CODE XREF: IopPortFindSuitableRange+61j
					; IopPortFindSuitableRange+65j	...
		xor	al, al
		jmp	short loc_87EDAC
IopPortFindSuitableRange endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbAddInaccessibleAllocationRange proc near ; CODE XREF: IopMemInitialize()+81p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E5C1B SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		push	76h
		pop	eax
		mov	word ptr [ebp+var_24+2], ax
		xor	edi, edi
		mov	word ptr [ebp+var_24], ax
		mov	ebx, ecx
		push	18h
		pop	esi
		lea	eax, [ebp+var_24]
		mov	[ebp+var_18], edx
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	20019h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_14], ebx
		push	eax
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_20], offset ??_C@_1HI@MHCMANAK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], 240h
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_87EF64
		push	22h
		pop	eax
		mov	word ptr [ebp+var_2C+2], ax
		mov	word ptr [ebp+var_2C], ax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_8]
		mov	[ebp+var_28], offset ??_C@_1CE@NKBPPJBA@?$AAI?$AAn?$AAa?$AAc?$AAc?$AAe?$AAs?$AAs?$AAi?$AAb?$AAl?$AAe?$AAR?$AAa?$AAn@NNGAKEGL@ ;	"InaccessibleRange"
		push	eax
		mov	[ebp+var_44], esi
		mov	[ebp+var_38], 240h
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E5C1B
		mov	edx, [ebx+0Ch]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	eax
		mov	[ebp+var_4], edi
		call	ArbpGetRegistryValue
		mov	esi, [ebp+var_4]
		mov	edi, eax
		xor	ebx, ebx
		test	edi, edi
		js	loc_8E5C2A
		cmp	dword ptr [esi+4], 1
		mov	[ebp+var_4], esi
		jnz	short loc_87EECC
		mov	edx, [esi+8]
		mov	eax, [esi+0Ch]
		add	edx, esi
		shr	eax, 1
		cmp	[edx+eax*2-2], bx
		jnz	loc_8E5C3D
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		push	eax
		call	ArbpGetRegistryValue
		mov	edi, eax
		test	edi, edi
		js	loc_8E5C2A
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_10]
		mov	[ebp+var_4], esi

loc_87EECC:				; CODE XREF: ArbAddInaccessibleAllocationRange+D8j
		cmp	dword ptr [esi+4], 0Ah
		jnz	loc_8E5C3D
		mov	ecx, [esi+8]
		add	ecx, 20h
		add	ecx, esi
		mov	[ebp+var_1C], ecx
		mov	eax, [ecx+4]
		lea	ebx, [ecx+8]
		shl	eax, 5
		add	eax, 8
		add	eax, ecx
		cmp	ebx, eax
		jnb	short loc_87EF45
		mov	esi, [ebp+var_14]

loc_87EEF6:				; CODE XREF: ArbAddInaccessibleAllocationRange+186j
		mov	eax, [esi+10h]
		mov	dl, [ebx+1]
		mov	[ebp+var_10], eax
		movzx	eax, dl
		cmp	eax, [ebp+var_10]
		jnz	loc_8E5C47

loc_87EF0B:				; CODE XREF: ArbAddInaccessibleAllocationRange+66EA0j
		push	0
		push	0
		push	1
		push	40h
		push	dword ptr [ebx+1Ch]
		push	dword ptr [ebx+18h]
		push	dword ptr [ebx+14h]
		push	dword ptr [ebx+10h]
		push	[ebp+var_18]
		call	_RtlAddRange@36	; RtlAddRange(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_87EF42
		mov	ecx, [ebp+var_1C]

loc_87EF30:				; CODE XREF: ArbAddInaccessibleAllocationRange+66E90j
					; ArbAddInaccessibleAllocationRange+66E9Aj
		mov	eax, [ecx+4]
		add	ebx, 20h
		shl	eax, 5
		add	eax, 8
		add	eax, ecx
		cmp	ebx, eax
		jb	short loc_87EEF6

loc_87EF42:				; CODE XREF: ArbAddInaccessibleAllocationRange+171j
		mov	esi, [ebp+var_4]

loc_87EF45:				; CODE XREF: ArbAddInaccessibleAllocationRange+137j
		xor	ebx, ebx

loc_87EF47:				; CODE XREF: ArbAddInaccessibleAllocationRange+66E76j
					; ArbAddInaccessibleAllocationRange+66E7Ej ...
		test	esi, esi
		jz	short loc_87EF52
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_87EF52:				; CODE XREF: ArbAddInaccessibleAllocationRange+18Fj
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, edi

loc_87EF64:				; CODE XREF: ArbAddInaccessibleAllocationRange+60j
					; ArbAddInaccessibleAllocationRange+66E6Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
ArbAddInaccessibleAllocationRange endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopDmaPackResource proc	near		; DATA XREF: IopDmaInitialize()+1Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008E5C5F SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_C]
		mov	edx, [ebp+arg_0]
		mov	byte ptr [ecx],	4
		mov	al, [edx+2]
		mov	[ecx+1], al
		movzx	eax, word ptr [edx+4]
		mov	[ecx+2], ax
		test	al, al
		js	loc_8E5C5F
		mov	eax, [ebp+arg_4]
		and	dword ptr [ecx+8], 0
		mov	[ecx+4], eax

loc_87EF98:				; CODE XREF: IopDmaPackResource+66D07j
		xor	eax, eax
		pop	ebp
		retn	10h
IopDmaPackResource endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopBusNumberScoreRequirement(x)
_IopBusNumberScoreRequirement@4	proc near ; DATA XREF: IopBusNumberInitialize()+30o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	eax, [ecx+10h]
		sub	eax, [ecx+0Ch]
		div	dword ptr [ecx+8]
		pop	ebp
		retn	4
_IopBusNumberScoreRequirement@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ArbAddMmConfigRangeAsBootReserved proc near ; CODE XREF: IopMemInitialize()+93j

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E5C76 SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_18], ecx
		push	6
		xor	eax, eax
		mov	[ebp+var_14], edx
		pop	ecx
		lea	edi, [ebp+var_40]
		mov	[ebp+var_20], ebx
		rep stosd
		mov	ecx, _ArbMmConfigRange
		mov	esi, ebx
		mov	[ebp+var_1C], ebx
		mov	edi, ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jnz	loc_87F0F3
		push	76h
		pop	eax
		mov	word ptr [ebp+var_20+2], ax
		mov	edi, 240h
		mov	word ptr [ebp+var_20], ax
		lea	eax, [ebp+var_20]
		push	18h
		pop	esi
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	20019h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_1C], offset ??_C@_1HI@MHCMANAK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_87F177
		push	22h
		pop	eax
		mov	word ptr [ebp+var_28+2], ax
		mov	word ptr [ebp+var_28], ax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_10]
		mov	[ebp+var_24], offset ??_C@_1CE@MAKBJKNC@?$AAR?$AAe?$AAs?$AAe?$AAr?$AAv?$AAe?$AAd?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc@NNGAKEGL@ ;	"ReservedResources"
		push	eax
		mov	[ebp+var_40], esi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8E5C76
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_8]
		push	eax
		mov	edx, offset ??_C@_1BM@MLHHFGPB@?$AAM?$AAm?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAR?$AAa?$AAn?$AAg?$AAe@NNGAKEGL@ ; "MmConfigRange"
		call	ArbpGetRegistryValue
		mov	esi, [ebp+var_8]
		mov	edi, eax
		test	edi, edi
		js	loc_8E5C85
		cmp	dword ptr [esi+4], 0Ah
		jnz	loc_8E5C98
		lea	ecx, [esi+20h]
		add	ecx, [esi+8]
		mov	[ebp+var_4], ecx
		mov	ebx, [ecx+4]
		test	ebx, ebx
		jz	short loc_87F0F3
		shl	ebx, 5
		push	4E627241h
		add	ebx, 8
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_ArbMmConfigRange, eax
		test	eax, eax
		jz	short loc_87F0F0
		push	ebx		; size_t
		push	[ebp+var_4]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_87F0F0:				; CODE XREF: ArbAddMmConfigRangeAsBootReserved+12Bj
		mov	ecx, [ebp+var_4]

loc_87F0F3:				; CODE XREF: ArbAddMmConfigRangeAsBootReserved+41j
					; ArbAddMmConfigRangeAsBootReserved+10Cj
		mov	eax, [ecx+4]
		lea	ebx, [ecx+8]
		shl	eax, 5
		add	eax, 8
		add	eax, ecx
		cmp	ebx, eax
		jnb	short loc_87F158
		mov	esi, [ebp+var_14]

loc_87F108:				; CODE XREF: ArbAddMmConfigRangeAsBootReserved+19Dj
		mov	eax, [ebp+var_18]
		mov	dl, [ebx+1]
		mov	eax, [eax+10h]
		mov	[ebp+var_14], eax
		movzx	eax, dl
		cmp	eax, [ebp+var_14]
		jnz	loc_8E5CA2

loc_87F120:				; CODE XREF: ArbAddMmConfigRangeAsBootReserved+66CFFj
		push	0
		push	0
		push	1
		push	1
		push	dword ptr [ebx+1Ch]
		push	dword ptr [ebx+18h]
		push	dword ptr [ebx+14h]
		push	dword ptr [ebx+10h]
		push	esi
		call	_RtlAddRange@36	; RtlAddRange(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_87F155
		mov	ecx, [ebp+var_4]

loc_87F143:				; CODE XREF: ArbAddMmConfigRangeAsBootReserved+66CEFj
					; ArbAddMmConfigRangeAsBootReserved+66CF9j
		mov	eax, [ecx+4]
		add	ebx, 20h
		shl	eax, 5
		add	eax, 8
		add	eax, ecx
		cmp	ebx, eax
		jb	short loc_87F108

loc_87F155:				; CODE XREF: ArbAddMmConfigRangeAsBootReserved+188j
		mov	esi, [ebp+var_8]

loc_87F158:				; CODE XREF: ArbAddMmConfigRangeAsBootReserved+14Dj
		xor	ebx, ebx

loc_87F15A:				; CODE XREF: ArbAddMmConfigRangeAsBootReserved+66CD5j
					; ArbAddMmConfigRangeAsBootReserved+66CDDj ...
		test	esi, esi
		jz	short loc_87F165
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_87F165:				; CODE XREF: ArbAddMmConfigRangeAsBootReserved+1A6j
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, edi

loc_87F177:				; CODE XREF: ArbAddMmConfigRangeAsBootReserved+8Aj
					; ArbAddMmConfigRangeAsBootReserved+66CCAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
ArbAddMmConfigRangeAsBootReserved endp


;  S U B	R O U T	I N E 


; __stdcall IopBusNumberInitialize()
_IopBusNumberInitialize@0 proc near	; CODE XREF: IopInitializePlugPlayServices(x,x)+279p
		mov	edi, edi
		push	ecx
		push	0
		push	ecx
		push	offset ??_C@_1BM@HNKAKMEE@?$AAR?$AAo?$AAo?$AAt?$AAB?$AAu?$AAs?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@NNGAKEGL@
		push	6
		mov	ecx, offset _IopRootBusNumberArbiter
		mov	dword_6CBFDC, offset _IopBusNumberUnpackRequirement@20 ; IopBusNumberUnpackRequirement(x,x,x,x,x)
		mov	dword_6CBFE0, offset _IopBusNumberPackResource@16 ; IopBusNumberPackResource(x,x,x,x)
		mov	dword_6CBFE4, offset _IopBusNumberUnpackResource@12 ; IopBusNumberUnpackResource(x,x,x)
		mov	dword_6CBFE8, offset _IopBusNumberScoreRequirement@4 ; IopBusNumberScoreRequirement(x)
		call	ArbInitializeArbiterInstance
		pop	ecx
		retn
_IopBusNumberInitialize@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopIrqInitialize()
_IopIrqInitialize@0 proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+26Ap
		mov	edi, edi
		push	ecx
		push	offset IopIrqTranslateOrdering
		push	ecx
		push	offset ??_C@_1BA@CHLFKMBE@?$AAR?$AAo?$AAo?$AAt?$AAI?$AAR?$AAQ@NNGAKEGL@	; "RootIRQ"
		push	2
		mov	ecx, offset _IopRootIrqArbiter
		mov	dword_6CC09C, offset _IopDmaUnpackRequirement@20 ; IopDmaUnpackRequirement(x,x,x,x,x)
		mov	dword_6CC0A0, offset _IopIrqPackResource@16 ; IopIrqPackResource(x,x,x,x)
		mov	dword_6CC0A4, offset _IopIrqUnpackResource@12 ;	IopIrqUnpackResource(x,x,x)
		mov	dword_6CC0A8, offset _IopIrqScoreRequirement@4 ; IopIrqScoreRequirement(x)
		call	ArbInitializeArbiterInstance
		pop	ecx
		retn
_IopIrqInitialize@0 endp


;  S U B	R O U T	I N E 


; __stdcall IopDmaInitialize()
_IopDmaInitialize@0 proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+25Bp
		mov	edi, edi
		push	ecx
		push	0
		push	ecx
		push	offset ??_C@_1BA@BOCJFOBE@?$AAR?$AAo?$AAo?$AAt?$AAD?$AAM?$AAA@NNGAKEGL@
		push	4
		mov	ecx, offset _IopRootDmaArbiter
		mov	dword_6CC15C, offset _IopDmaUnpackRequirement@20 ; IopDmaUnpackRequirement(x,x,x,x,x)
		mov	dword_6CC160, offset IopDmaPackResource
		mov	dword_6CC164, offset _IopDmaUnpackResource@12 ;	IopDmaUnpackResource(x,x,x)
		mov	dword_6CC168, offset _IopDmaScoreRequirement@4 ; IopDmaScoreRequirement(x)
		mov	dword_6CC1A8, offset _IopDmaOverrideConflict@8 ; IopDmaOverrideConflict(x,x)
		call	ArbInitializeArbiterInstance
		pop	ecx
		retn
_IopDmaInitialize@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall IopMemInitialize()
_IopMemInitialize@0 proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+24Cp
		mov	edi, edi
		push	esi
		push	offset _IopGenericTranslateOrdering@8 ;	IopGenericTranslateOrdering(x,x)
		push	ecx
		push	offset ??_C@_1BG@GIPKBPDK@?$AAR?$AAo?$AAo?$AAt?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy@NNGAKEGL@ ; "RootMemory"
		mov	esi, offset _IopRootMemArbiter
		mov	dword_6CC2DC, offset IopGenericUnpackRequirement
		push	3
		mov	ecx, esi
		mov	dword_6CC2E0, offset _IopGenericPackResource@16	; IopGenericPackResource(x,x,x,x)
		mov	dword_6CC2E4, offset _IopGenericUnpackResource@12 ; IopGenericUnpackResource(x,x,x)
		mov	dword_6CC2E8, offset IopGenericScoreRequirement
		mov	dword_6CC31C, offset _IopMemFindSuitableRange@8	; IopMemFindSuitableRange(x,x)
		mov	dword_6CC304, offset _IopMemQueryConflict@8 ; IopMemQueryConflict(x,x)
		call	ArbInitializeArbiterInstance
		test	eax, eax
		js	short loc_87F2E6
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	0FFFh
		push	eax
		push	eax
		push	dword_6CC2B4
		call	_RtlAddRange@36	; RtlAddRange(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_87F2E6
		mov	edx, dword_6CC2B4
		mov	ecx, esi
		call	ArbAddInaccessibleAllocationRange
		test	eax, eax
		js	short loc_87F2E6
		mov	edx, dword_6CC2B4
		mov	ecx, esi
		pop	esi
		jmp	ArbAddMmConfigRangeAsBootReserved
; 

loc_87F2E6:				; CODE XREF: IopMemInitialize()+5Aj
					; IopMemInitialize()+77j ...
		pop	esi
		retn
_IopMemInitialize@0 endp


;  S U B	R O U T	I N E 


; __stdcall IopPortInitialize()
_IopPortInitialize@0 proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+23Dp
		mov	edi, edi
		push	ecx
		push	offset _IopGenericTranslateOrdering@8 ;	IopGenericTranslateOrdering(x,x)
		push	ecx
		push	offset ??_C@_1BC@FBNILDPO@?$AAR?$AAo?$AAo?$AAt?$AAP?$AAo?$AAr?$AAt@NNGAKEGL@ ; "R"
		push	1
		mov	ecx, offset _IopRootPortArbiter
		mov	dword_6CC25C, offset IopPortFindSuitableRange
		mov	dword_6CC260, offset IopPortAddAllocation
		mov	dword_6CC264, offset _IopPortBacktrackAllocation@8 ; IopPortBacktrackAllocation(x,x)
		mov	dword_6CC21C, offset IopGenericUnpackRequirement
		mov	dword_6CC220, offset _IopGenericPackResource@16	; IopGenericPackResource(x,x,x,x)
		mov	dword_6CC224, offset _IopGenericUnpackResource@12 ; IopGenericUnpackResource(x,x,x)
		mov	dword_6CC228, offset IopGenericScoreRequirement
		call	ArbInitializeArbiterInstance
		pop	ecx
		retn
_IopPortInitialize@0 endp


;  S U B	R O U T	I N E 


; __stdcall MiInitializeWsSwapping(x)
_MiInitializeWsSwapping@4 proc near	; CODE XREF: MiInitNucleus(x)+4C0p
		and	dword ptr [ecx+2ACh], 0
		and	dword ptr [ecx+298h], 0
		mov	dword ptr [ecx+2A0h], offset _MiContractWsSwapPageFileWorker@4 ; MiContractWsSwapPageFileWorker(x)
		mov	[ecx+2A4h], ecx
		retn
_MiInitializeWsSwapping@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreatePfnBitMaps proc	near		; CODE XREF: MmCreatePartition(x,x)+123p
					; MiInitNucleus(x)+486p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E5CBA SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_14], edx
		mov	ecx, dword_6D07B0
		push	esi
		inc	ecx
		xor	esi, esi
		mov	eax, esi
		mov	[ebp+var_10], ecx
		lea	edx, [ebx+0B04h]
		mov	[ebp+var_8], eax
		push	edi
		mov	[ebp+var_C], edx

loc_87F394:				; CODE XREF: MiCreatePfnBitMaps+B8j
		cmp	eax, 1
		jb	loc_87F54A
		mov	[ebp+var_4], 200h
		lea	edi, [ebx+0D78h]
		cmp	ebx, offset _MiSystemPartition
		jnz	loc_8E5CBA

loc_87F3B6:				; CODE XREF: MiCreatePfnBitMaps+1ECj
		mov	eax, ecx
		xor	edx, edx
		div	[ebp+var_4]
		xor	ecx, ecx
		test	edx, edx
		setnz	cl
		add	ecx, eax
		mov	[ebp+var_4], ecx
		lea	eax, [ecx+7]
		mov	ecx, offset dword_6D35E0
		shr	eax, 3
		add	eax, 0FFFh
		shr	eax, 0Ch
		mov	edx, eax
		mov	[ebp+var_18], eax
		call	MiReservePtes
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_8E5CE2
		push	4
		push	[ebp+var_4]
		mov	edx, eax
		mov	ecx, edi
		shl	edx, 9
		call	MiInitializeDynamicBitmap
		test	eax, eax
		jz	loc_8E5CD2
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+var_C]

loc_87F413:				; CODE XREF: MiCreatePfnBitMaps+66953j
		inc	eax
		mov	[edi], esi
		add	edx, 8
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx
		cmp	eax, 2
		jb	loc_87F394
		mov	edi, ecx
		mov	eax, ecx
		and	edi, 1FFh
		mov	ecx, offset dword_6D35E0
		neg	edi
		sbb	edi, edi
		shr	eax, 9
		neg	edi
		add	edi, eax
		lea	eax, [edi+0FFFh]
		shr	eax, 0Ch
		mov	edx, eax
		mov	[ebp+var_C], eax
		call	MiReservePtes
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_8E5CE2
		mov	ecx, eax
		mov	eax, edi
		shl	ecx, 9
		push	4
		shl	eax, 3
		mov	edx, ecx
		mov	[ebp+var_4], ecx
		lea	ecx, [ebp+var_20]
		push	eax
		call	MiInitializeDynamicBitmap
		mov	ecx, offset dword_6D35E0
		test	eax, eax
		jz	loc_8E5CC2
		mov	eax, [ebp+var_4]
		mov	[ebx+0B10h], eax
		mov	eax, [ebp+var_10]
		mov	edi, eax
		and	edi, 3FFFFh
		neg	edi
		sbb	edi, edi
		shr	eax, 12h
		neg	edi
		add	edi, eax
		lea	eax, [edi+7]
		shr	eax, 3
		add	eax, 0FFFh
		shr	eax, 0Ch
		mov	edx, eax
		mov	[ebp+var_10], eax
		call	MiReservePtes
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_8E5CE2
		push	4
		push	edi
		mov	edx, eax
		lea	edi, [ebx+0B14h]
		shl	edx, 9
		mov	ecx, edi
		call	MiInitializeDynamicBitmap
		test	eax, eax
		jz	loc_8E5CCA
		mov	[edi], esi
		mov	edi, [ebp+var_14]
		test	edi, edi
		jz	short loc_87F521
		mov	[ebp+var_10], esi
		cmp	[edi], esi
		jbe	short loc_87F521
		lea	ecx, [edi+8]
		mov	[ebp+var_C], ecx

loc_87F4FC:				; CODE XREF: MiCreatePfnBitMaps+1B5j
		mov	eax, [ecx+4]
		mov	edx, [ecx]
		mov	ecx, ebx
		push	eax
		call	_MiSplitPfnBitMaps@12 ;	MiSplitPfnBitMaps(x,x,x)
		test	eax, eax
		jz	short loc_87F55B
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		inc	eax
		add	ecx, 8
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], ecx
		cmp	eax, [edi]
		jb	short loc_87F4FC

loc_87F521:				; CODE XREF: MiCreatePfnBitMaps+183j
					; MiCreatePfnBitMaps+18Aj
		mov	byte ptr [ebx+0A32h], 1
		test	edi, edi
		jz	short loc_87F542
		movzx	edi, ds:_KeNumberNodes
		test	edi, edi
		jz	short loc_87F542

loc_87F537:				; CODE XREF: MiCreatePfnBitMaps+1D6j
		push	esi
		call	_MiInitializeRebuildCandidateCounts@8 ;	MiInitializeRebuildCandidateCounts(x,x)
		inc	esi
		cmp	esi, edi
		jb	short loc_87F537

loc_87F542:				; CODE XREF: MiCreatePfnBitMaps+1C0j
					; MiCreatePfnBitMaps+1CBj
		xor	eax, eax
		inc	eax

loc_87F545:				; CODE XREF: MiCreatePfnBitMaps+1F3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_87F54A:				; CODE XREF: MiCreatePfnBitMaps+2Dj
		mov	eax, ds:_MiLargePageSizes[eax*4]
		mov	edi, edx
		mov	[ebp+var_4], eax
		jmp	loc_87F3B6
; 

loc_87F55B:				; CODE XREF: MiCreatePfnBitMaps+1A1j
					; MiCreatePfnBitMaps+6697Fj
		xor	eax, eax
		jmp	short loc_87F545
MiCreatePfnBitMaps endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSplitPfnBitMaps(x, x, x)
_MiSplitPfnBitMaps@12 proc near		; CODE XREF: MiActOnPartitionNodePages(x,x,x)+2BFp
					; MiCreatePfnBitMaps+19Ap ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		push	esi
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		push	edi
		lea	edx, [ebx+0B04h]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], edx

loc_87F580:				; CODE XREF: MiSplitPfnBitMaps(x,x,x)+A0j
		cmp	ecx, 1
		jnb	loc_87F684
		mov	ecx, ds:_MiLargePageSizes[ecx*4]

loc_87F590:				; CODE XREF: MiSplitPfnBitMaps(x,x,x)+13Bj
		mov	edi, [edx+4]
		mov	[ebp+var_14], edx
		xor	edx, edx
		div	ecx
		mov	[ebp+var_8], ecx
		xor	edx, edx
		mov	esi, eax
		mov	eax, [ebp+var_4]
		add	eax, ecx
		shr	esi, 3
		mov	ecx, [ebp+arg_0]
		add	esi, edi
		dec	ecx
		add	ecx, eax
		mov	eax, [ebp+var_8]
		neg	eax
		and	eax, ecx
		div	[ebp+var_8]
		mov	edx, esi
		mov	[ebp+var_8], eax
		lea	ecx, [eax+7]
		shr	ecx, 3
		sub	ecx, esi
		add	ecx, edi
		shl	ecx, 3
		push	ecx
		push	9
		pop	ecx
		call	MiSplitBitmapPages
		test	eax, eax
		jz	loc_87F6A8
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_10]
		cmp	ecx, [eax]
		jbe	short loc_87F5ED
		mov	[eax], ecx

loc_87F5ED:				; CODE XREF: MiSplitPfnBitMaps(x,x,x)+89j
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_4]

loc_87F5F3:				; CODE XREF: MiSplitPfnBitMaps(x,x,x)+12Aj
		inc	ecx
		add	edx, 8
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], edx
		cmp	ecx, 2
		jb	loc_87F580
		mov	eax, [ebp+arg_0]
		mov	edi, [ebp+var_4]
		mov	edx, edi
		mov	ecx, [ebx+0B10h]
		add	eax, edi
		mov	[ebp+arg_0], eax
		add	eax, 1FFh
		shr	edx, 9
		shr	eax, 9
		add	edx, ecx
		sub	eax, edx
		add	eax, ecx
		shl	eax, 3
		push	eax
		push	9
		pop	ecx
		call	MiSplitBitmapPages
		test	eax, eax
		jz	short loc_87F6A8
		mov	eax, [ebp+arg_0]
		mov	esi, [ebx+0B18h]
		add	eax, 3FFFFh
		shr	eax, 12h
		mov	[ebp+arg_0], eax
		add	eax, 7
		shr	eax, 3
		shr	edi, 15h
		add	edi, esi
		sub	eax, edi
		mov	edx, edi
		add	eax, esi
		shl	eax, 3
		push	eax
		push	9
		pop	ecx
		call	MiSplitBitmapPages
		test	eax, eax
		jz	short loc_87F6A8
		mov	ecx, [ebp+arg_0]
		cmp	ecx, [ebx+0B14h]
		ja	short loc_87F6A0

loc_87F67A:				; CODE XREF: MiSplitPfnBitMaps(x,x,x)+146j
		xor	eax, eax
		inc	eax

loc_87F67D:				; CODE XREF: MiSplitPfnBitMaps(x,x,x)+14Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_87F684:				; CODE XREF: MiSplitPfnBitMaps(x,x,x)+23j
		cmp	ebx, offset _MiSystemPartition
		jnz	loc_87F5F3
		lea	edx, [ebx+0D78h]
		mov	ecx, 200h
		jmp	loc_87F590
; 

loc_87F6A0:				; CODE XREF: MiSplitPfnBitMaps(x,x,x)+118j
		mov	[ebx+0B14h], ecx
		jmp	short loc_87F67A
; 

loc_87F6A8:				; CODE XREF: MiSplitPfnBitMaps(x,x,x)+78j
					; MiSplitPfnBitMaps(x,x,x)+D8j	...
		xor	eax, eax
		jmp	short loc_87F67D
_MiSplitPfnBitMaps@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputeNodeMemory proc near		; CODE XREF: MiUpdatePartitionMemory(x,x,x)+AEp
					; MiAddPhysicalMemory(x,x,x,x,x)+3DEp ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E5CEE SIZE 0000009C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		mov	ebx, ecx
		xor	eax, eax
		mov	ecx, large fs:124h
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_2C], ecx
		mov	ecx, [ebx+18h]
		xor	esi, esi
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_30], edi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_14], esi
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	loc_8E5CEE
		mov	edi, [ecx]
		lea	esi, [ecx+8]
		mov	[ebp+var_20], edi
		lea	esi, [esi+edi*8]
		mov	[ebp+var_10], esi
		mov	esi, eax
		test	edi, edi
		jz	short loc_87F713
		mov	eax, [ebp+var_24]
		mov	edx, [ecx+8]
		mov	ecx, [ecx+edi*8+4]
		mov	[ebp+var_4], edx
		mov	eax, [eax+edi*8]
		dec	eax
		add	eax, ecx
		mov	[ebp+var_C], eax

loc_87F713:				; CODE XREF: MiComputeNodeMemory+4Fj
		mov	[ebx+0F40h], edx
		mov	[ebx+0F44h], eax

loc_87F71F:				; CODE XREF: MiComputeNodeMemory+6664Cj
					; MiComputeNodeMemory+6666Dj
		mov	edi, [ebx+10h]
		xor	ecx, ecx
		mov	[ebp+var_28], edi
		xor	edi, edi
		cmp	cx, ds:_KeNumberNodes
		mov	ecx, [ebp+var_20]
		jnb	loc_87F7F2
		mov	ebx, [ebp+var_28]
		add	ebx, 1FCh
		mov	[ebp+var_18], ebx
		mov	ebx, [ebp+var_14]

loc_87F748:				; CODE XREF: MiComputeNodeMemory+13Aj
		xor	esi, esi
		mov	[ebp+var_8], esi
		cmp	[ebp+var_30], esi
		jz	loc_8E5D1E
		test	ecx, ecx
		jz	short loc_87F78C
		mov	edx, [ebp+var_10]
		mov	eax, ecx
		mov	esi, [ebp+var_24]
		add	edx, 4
		add	esi, 0Ch
		mov	[ebp+var_1C], ecx

loc_87F76B:				; CODE XREF: MiComputeNodeMemory+DBj
		cmp	[edx-4], edi
		jnz	short loc_87F77B
		mov	ecx, [edx]
		mov	eax, [esi]
		add	[ebp+ecx*4+var_8], eax
		mov	eax, [ebp+var_1C]

loc_87F77B:				; CODE XREF: MiComputeNodeMemory+C2j
		add	esi, 8
		add	edx, 8
		sub	eax, 1
		mov	[ebp+var_1C], eax
		jnz	short loc_87F76B

loc_87F789:				; CODE XREF: MiComputeNodeMemory+666D9j
		mov	esi, [ebp+var_8]

loc_87F78C:				; CODE XREF: MiComputeNodeMemory+ACj
					; MiComputeNodeMemory+6667Cj
		mov	eax, [ebp+var_2C]
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_18]
		mov	[eax-24h], esi
		mov	[eax-20h], esi
		or	eax, 0FFFFFFFFh
		mov	esi, [ebp+var_18]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_87F7C1
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_87F7C1:				; CODE XREF: MiComputeNodeMemory+10Cj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_2C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		movzx	eax, ds:_KeNumberNodes
		add	esi, 280h
		mov	ecx, [ebp+var_20]
		inc	edi
		mov	[ebp+var_18], esi
		cmp	edi, eax
		jb	loc_87F748
		mov	ebx, [ebp+var_38]
		mov	esi, [ebp+var_14]

loc_87F7F2:				; CODE XREF: MiComputeNodeMemory+87j
		mov	edx, [ebp+var_C]
		cmp	edx, [ebp+var_4]
		mov	[ebx+0F44h], edx
		sbb	eax, eax
		not	eax
		and	eax, [ebp+var_4]
		mov	[ebx+0F40h], eax
		test	esi, esi
		jnz	short loc_87F814

loc_87F80F:				; CODE XREF: MiComputeNodeMemory+16Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_87F814:				; CODE XREF: MiComputeNodeMemory+161j
		mov	ecx, esi
		call	_MiDereferencePageRuns@4 ; MiDereferencePageRuns(x)
		jmp	short loc_87F80F
MiComputeNodeMemory endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializePartition proc near		; CODE XREF: MmCreatePartition(x,x)+FDp
					; MiCreatePfnDatabase(x)+184p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E5D8A SIZE 00000033 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], esi
		mov	dword ptr [esi+8], 12361940h
		mov	[esi], dx
		mov	[esi+4], edi
		cmp	esi, offset _MiSystemPartition
		jnz	loc_8E5D8A

loc_87F85A:				; CODE XREF: MiInitializePartition+66573j
		push	edi
		push	edi
		lea	eax, [esi+3Ch]
		mov	[esi+0A80h], edi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	1
		lea	eax, [esi+0B1Ch]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, edi
		lea	edx, [esi+540h]

loc_87F882:				; CODE XREF: MiInitializePartition+423j
		cmp	dword_6D06D4, 0
		mov	esi, edi
		mov	eax, [edx]
		jz	short loc_87F8B0

loc_87F88F:				; CODE XREF: MiInitializePartition+90j
		and	dword ptr [eax], 0
		mov	edi, offset loc_7FFFFF
		and	dword ptr [eax+10h], 0
		lea	eax, [eax+14h]
		mov	[eax-10h], ecx
		inc	esi
		mov	[eax-0Ch], edi
		mov	[eax-8], edi
		cmp	esi, dword_6D06D4
		jb	short loc_87F88F

loc_87F8B0:				; CODE XREF: MiInitializePartition+6Fj
		inc	ecx
		add	edx, 4
		cmp	ecx, 1
		jle	loc_87FC3F
		mov	esi, [ebp+var_4]
		xor	edx, edx
		lea	ecx, [esi+580h]
		call	_MiInitializePfnListHead@8 ; MiInitializePfnListHead(x,x)
		lea	ecx, [esi+5C0h]
		inc	edx
		call	_MiInitializePfnListHead@8 ; MiInitializePfnListHead(x,x)
		push	2
		lea	ecx, [esi+600h]
		pop	edx
		call	_MiInitializePfnListHead@8 ; MiInitializePfnListHead(x,x)
		push	5
		lea	ecx, [esi+940h]
		pop	edx
		call	_MiInitializePfnListHead@8 ; MiInitializePfnListHead(x,x)
		push	8
		lea	ecx, [esi+640h]
		pop	edi

loc_87F8FE:				; CODE XREF: MiInitializePartition+EEj
		push	2
		pop	edx
		call	_MiInitializePfnListHead@8 ; MiInitializePfnListHead(x,x)
		add	ecx, 14h
		sub	edi, 1
		jnz	short loc_87F8FE
		lea	eax, [esi+580h]
		mov	ecx, esi
		mov	[esi+95Ch], eax
		lea	eax, [esi+5C0h]
		mov	[esi+960h], eax
		lea	eax, [esi+600h]
		mov	[esi+964h], eax
		call	_MiInitializeLargePageNodeLists@4 ; MiInitializeLargePageNodeLists(x)
		xor	eax, eax
		lea	edi, [esi+0B38h]
		mov	[ebp+var_8], eax

loc_87F944:				; CODE XREF: MiInitializePartition+145j
		xor	esi, esi

loc_87F946:				; CODE XREF: MiInitializePartition+13Cj
		push	esi		; int
		mov	edx, eax	; int
		mov	ecx, edi	; void *
		call	_MiInitializeSlabAllocator@12 ;	MiInitializeSlabAllocator(x,x,x)
		mov	eax, [ebp+var_8]
		inc	esi
		add	edi, 48h
		cmp	esi, 4
		jb	short loc_87F946
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, 2
		jb	short loc_87F944
		mov	edi, dword_6D06D4
		xor	edx, edx
		mov	esi, [ebp+var_4]
		lea	eax, [edi+edi]
		mov	ecx, [esi+954h]
		test	eax, eax
		jz	short loc_87F995

loc_87F97D:				; CODE XREF: MiInitializePartition+175j
		and	dword ptr [ecx], 0
		lea	ecx, [ecx+8]
		and	dword ptr [ecx-4], 0
		inc	edx
		mov	edi, dword_6D06D4
		lea	eax, [edi+edi]
		cmp	edx, eax
		jb	short loc_87F97D

loc_87F995:				; CODE XREF: MiInitializePartition+15Dj
		mov	eax, [esi+0F48h]
		xor	edx, edx
		push	64h
		pop	ecx
		div	ecx
		xor	edx, edx
		div	edi
		push	4
		pop	ecx
		cmp	eax, ecx
		jl	loc_8E5D96

loc_87F9B1:				; CODE XREF: MiInitializePartition+6657Aj
		cmp	eax, 10h
		jle	short loc_87F9B9
		push	10h
		pop	eax

loc_87F9B9:				; CODE XREF: MiInitializePartition+196j
		mov	[esi+0DB8h], eax
		cmp	esi, offset _MiSystemPartition
		jnz	short loc_87F9D4
		push	5
		pop	edx
		mov	ecx, offset dword_6CF480
		call	_MiInitializePfnListHead@8 ; MiInitializePfnListHead(x,x)

loc_87F9D4:				; CODE XREF: MiInitializePartition+1A7j
		push	3
		pop	edi
		lea	ecx, [esi+10C0h]
		mov	edx, edi
		call	_MiInitializePfnListHead@8 ; MiInitializePfnListHead(x,x)
		push	4
		lea	ecx, [esi+1100h]
		pop	edx
		call	_MiInitializePfnListHead@8 ; MiInitializePfnListHead(x,x)
		lea	ecx, [esi+700h]
		mov	edx, edi
		call	_MiInitializePfnListHead@8 ; MiInitializePfnListHead(x,x)
		push	10h
		lea	ecx, [esi+740h]
		pop	esi

loc_87FA08:				; CODE XREF: MiInitializePartition+1F7j
		mov	edx, edi
		call	_MiInitializePfnListHead@8 ; MiInitializePfnListHead(x,x)
		add	ecx, 14h
		sub	esi, 1
		jnz	short loc_87FA08
		mov	esi, [ebp+var_4]
		push	4
		lea	eax, [esi+9DCh]
		mov	[ebp+var_8], eax
		lea	eax, [esi+880h]
		mov	[ebp+var_C], eax
		pop	esi

loc_87FA2F:				; CODE XREF: MiInitializePartition+236j
		mov	edx, edi
		mov	ecx, eax
		call	_MiInitializePfnListHead@8 ; MiInitializePfnListHead(x,x)
		push	0
		push	1
		push	[ebp+var_8]
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [ebp+var_C]
		add	[ebp+var_8], 10h
		add	eax, 14h
		mov	[ebp+var_C], eax
		sub	esi, 1
		jnz	short loc_87FA2F
		mov	esi, [ebp+var_4]
		push	5
		pop	edx
		lea	ecx, [esi+900h]
		call	_MiInitializePfnListHead@8 ; MiInitializePfnListHead(x,x)
		lea	eax, [esi+10C0h]
		mov	[esi+970h], ecx
		mov	[esi+968h], eax
		lea	edi, [esi+0A1Ch]
		lea	eax, [esi+1100h]
		mov	[esi+96Ch], eax
		mov	eax, 0FFFEFFFEh
		stosd
		push	0
		push	0
		stosd
		stosd
		stosd
		lea	eax, [esi+0DA4h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esi+0A84h]
		push	3
		pop	edi
		mov	esi, eax

loc_87FAAF:				; CODE XREF: MiInitializePartition+2A1j
		push	1
		push	0
		push	esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		add	esi, 14h
		sub	edi, 1
		jnz	short loc_87FAAF
		mov	esi, [ebp+var_4]
		xor	eax, eax
		push	eax
		push	eax
		mov	[esi+6Ch], eax
		add	esi, 78h
		push	esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edi, [ebp+var_4]
		mov	eax, esi
		mov	esi, [ebp+var_4]
		add	edi, 90h
		push	0Bh
		pop	ecx
		rep stosd
		lea	eax, [esi+0F04h]
		xor	edi, edi
		push	edi
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+1CCh]
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	1
		lea	eax, [esi+1A4h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esi+1B4h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esi+18Ch]
		mov	dword ptr [esi+19Ch], 12h
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esi+210h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esi+260h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	ecx, [esi+164h]
		call	@KeInitializeGate@8 ; KeInitializeGate(x,x)
		lea	eax, [esi+15Ch]
		push	edi
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+228h]
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esi+220h]
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	esi, offset _MiSystemPartition
		jnz	loc_8E5D9D

loc_87FB90:				; CODE XREF: MiInitializePartition+66586j
		mov	ecx, esi
		call	_MiInitializeNuma@4 ; MiInitializeNuma(x)
		mov	[esi+2ACh], edi
		mov	ecx, esi
		mov	dword ptr [esi+2A0h], offset _MiContractWsSwapPageFileWorker@4 ; MiContractWsSwapPageFileWorker(x)
		mov	[esi+2A4h], esi
		mov	[esi+298h], edi
		call	_MiInitializeStoreSupport@4 ; MiInitializeStoreSupport(x)
		mov	ecx, esi
		call	_MiInitializeSections@4	; MiInitializeSections(x)
		lea	edx, [esi+0E20h]
		mov	ecx, esi
		call	_MiInitializeCombining@8 ; MiInitializeCombining(x,x)
		mov	[esi+34Ch], edi
		xor	eax, eax
		mov	[esi+354h], edi
		inc	eax
		mov	[esi+35Ch], edi
		mov	edi, large fs:124h
		mov	[esi+348h], eax
		mov	[esi+350h], eax
		mov	[esi+358h], eax
		dec	word ptr [edi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6D2FF4
		call	ExAcquirePushLockExclusiveEx
		or	dword ptr [esi+4], 2
		or	eax, 0FFFFFFFFh
		mov	esi, offset dword_6D2FF4
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_8E5DA9

loc_87FC28:				; CODE XREF: MiInitializePartition+6658Dj
					; MiInitializePartition+6659Aj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_87FC3F:				; CODE XREF: MiInitializePartition+99j
		xor	edi, edi
		jmp	loc_87F882
MiInitializePartition endp


;  S U B	R O U T	I N E 


; __stdcall MiInitializeSections(x)
_MiInitializeSections@4	proc near	; CODE XREF: MiInitializePartition+39Ep
					; MiInitNucleus(x)+243p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		push	7FFFFFFFh
		push	ebx
		lea	edx, [esi+3B8h]
		lea	eax, [edx+14h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edx+1Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edx+24h]
		push	edx
		mov	[eax+4], eax
		mov	[eax], eax
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		lea	eax, [esi+3E4h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+424h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+42Ch]
		push	ebx
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+370h]
		push	ebx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esi+434h]
		push	ebx
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+360h]
		push	ebx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		xor	edi, edi
		lea	eax, [esi+43Ch]
		inc	edi
		push	edi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		lea	eax, [esi+3F0h]
		push	eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	ebx
		push	ebx
		lea	eax, [esi+468h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[esi+478h], ebx
		mov	[esi+47Ch], ebx
		mov	al, [esi+3B3h]
		and	al, 0FDh
		mov	[esi+384h], ebx
		or	al, 4
		mov	[esi+394h], edi
		push	ebx
		mov	[esi+3B3h], al
		lea	eax, [esi+39Ch]
		push	ebx
		push	eax
		mov	[esi+398h], ebx
		mov	[esi+390h], esi
		mov	[esi+3ACh], ebx
		mov	byte ptr [esi+3B0h], 0FFh
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiInitializeSections@4	endp


;  S U B	R O U T	I N E 


; __stdcall MiInitializeStoreSupport(x)
_MiInitializeStoreSupport@4 proc near	; CODE XREF: MiInitializePartition+397p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		push	edi
		push	edi
		or	dword ptr [esi+2BCh], 0FFFFFFFFh
		lea	eax, [esi+2E0h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esi+2F8h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[esi+2F0h], edi
		mov	[esi+2F4h], edi
		pop	edi
		pop	esi
		retn
_MiInitializeStoreSupport@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeChannelOrdering proc near	; CODE XREF: MiInitializeNuma(x)+8Dp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E5DBD SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword_6D06B4, 0
		jnz	loc_8E5DBD

loc_87FD8C:				; CODE XREF: MiInitializeChannelOrdering+66091j
		pop	ebp
		retn	4
MiInitializeChannelOrdering endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeLargePageNodeLists(x)
_MiInitializeLargePageNodeLists@4 proc near ; CODE XREF: MiInitializePartition+116p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+0B0Ch]
		cmp	dword_6D2FE8, eax
		jbe	short loc_87FDC2

loc_87FDAB:				; CODE XREF: MiInitializeLargePageNodeLists(x)+2Aj
		mov	[edi+4], edi
		mov	[edi], edi
		add	edi, 0Ch
		inc	eax
		cmp	eax, dword_6D2FE8
		jb	short loc_87FDAB
		mov	edi, [ecx+0B0Ch]

loc_87FDC2:				; CODE XREF: MiInitializeLargePageNodeLists(x)+19j
		mov	ebx, [ecx+10h]
		xor	esi, esi
		xor	eax, eax
		mov	[ebp+var_10], esi
		cmp	ax, ds:_KeNumberNodes
		jnb	loc_87FE59
		add	ebx, 208h
		mov	[ebp+var_C], ebx

loc_87FDE2:				; CODE XREF: MiInitializeLargePageNodeLists(x)+C7j
		lea	edx, [ebx-1B0h]
		xor	ecx, ecx

loc_87FDEA:				; CODE XREF: MiInitializeLargePageNodeLists(x)+A1j
		imul	eax, dword_6D0740[ecx],	0Ch
		mov	[ebp+var_8], 2
		mov	[ebp+var_14], eax
		mov	eax, edx

loc_87FDFD:				; CODE XREF: MiInitializeLargePageNodeLists(x)+93j
		push	2
		pop	ebx

loc_87FE00:				; CODE XREF: MiInitializeLargePageNodeLists(x)+8Dj
		mov	esi, eax
		mov	[ebp+var_4], 4

loc_87FE09:				; CODE XREF: MiInitializeLargePageNodeLists(x)+85j
		mov	[esi], edi
		lea	esi, [esi+4]
		add	edi, [ebp+var_14]
		sub	[ebp+var_4], 1
		jnz	short loc_87FE09
		add	eax, 10h
		sub	ebx, 1
		jnz	short loc_87FE00
		sub	[ebp+var_8], 1
		jnz	short loc_87FDFD
		add	ecx, 4
		add	edx, 98h
		cmp	ecx, 8
		jb	short loc_87FDEA
		mov	esi, [ebp+var_10]
		mov	ebx, [ebp+var_C]
		mov	ecx, ebx
		push	esi
		call	_MiInitializeColorTable@8 ; MiInitializeColorTable(x,x)
		movzx	eax, ds:_KeNumberNodes
		add	ebx, 280h
		inc	esi
		mov	[ebp+var_C], ebx
		mov	[ebp+var_10], esi
		cmp	esi, eax
		jb	short loc_87FDE2

loc_87FE59:				; CODE XREF: MiInitializeLargePageNodeLists(x)+43j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiInitializeLargePageNodeLists@4 endp


;  S U B	R O U T	I N E 


; __stdcall TlgRegisterAggregateProvider(x)
_TlgRegisterAggregateProvider@4	proc near ; CODE XREF: FsRtlInitSystem2()+8p
					; CmFcInitSystem3()+1Fp ...
		mov	edi, edi
		push	ecx
		push	ecx
		push	0
		xor	edx, edx
		call	TlgRegisterAggregateProviderEx
		pop	ecx
		retn
_TlgRegisterAggregateProvider@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

TlgRegisterAggregateProviderEx proc near ; CODE	XREF: TlgRegisterAggregateProvider(x)+8p
					; CmpRegisterTraceLoggingProvider()+Dp	...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E5E10 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	dl, 1
		xor	cl, cl
		call	CreateTlgAggregateSession
		mov	esi, eax
		test	esi, esi
		jz	loc_8E5E10
		mov	eax, [ebp+arg_0]
		mov	ecx, esi
		mov	[esi+0C0h], edi
		mov	[esi+0C4h], eax
		mov	[esi+0C8h], ebx
		mov	byte ptr [esi+0D9h], 0
		call	ComputeFlushPeriod
		push	esi
		mov	edx, offset TlgAggregateInternalRegisteredProviderEtwCallback
		mov	[esi+0D4h], eax
		mov	ecx, ebx
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8E5E21
		push	0
		xor	edx, edx
		mov	ecx, offset unk_6F9FF4
		call	KeAbPreAcquire
		mov	edi, eax
		mov	eax, offset unk_6F9FF4
		lock bts dword ptr [eax], 0
		jb	loc_8E5E2F

loc_87FEEE:				; CODE XREF: TlgRegisterAggregateProviderEx+65FCBj
		test	edi, edi
		jz	short loc_87FEF6
		or	byte ptr [edi+0Eh], 1

loc_87FEF6:				; CODE XREF: TlgRegisterAggregateProviderEx+82j
		mov	eax, dword_6FD8D4
		test	eax, eax
		jz	short loc_87FF41

loc_87FEFF:				; CODE XREF: TlgRegisterAggregateProviderEx+E9j
		mov	ecx, offset dword_6FD8D4

loc_87FF04:				; CODE XREF: TlgRegisterAggregateProviderEx+AAj
		test	eax, eax
		jz	short loc_87FF1A
		cmp	[eax+0C8h], ebx
		jz	short loc_87FF1C
		lea	ecx, [eax+0CCh]
		mov	eax, [ecx]
		jmp	short loc_87FF04
; 

loc_87FF1A:				; CODE XREF: TlgRegisterAggregateProviderEx+98j
		mov	[ecx], esi

loc_87FF1C:				; CODE XREF: TlgRegisterAggregateProviderEx+A0j
		or	eax, 0FFFFFFFFh
		mov	edi, offset unk_6F9FF4
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_8E5E3E

loc_87FF30:				; CODE XREF: TlgRegisterAggregateProviderEx+65FD2j
					; TlgRegisterAggregateProviderEx+65FDFj
		mov	ecx, edi
		call	KeAbPostRelease
		xor	eax, eax

loc_87FF39:				; CODE XREF: TlgRegisterAggregateProviderEx+65FAEj
					; TlgRegisterAggregateProviderEx+65FBCj
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_87FF41:				; CODE XREF: TlgRegisterAggregateProviderEx+8Fj
		push	0
		mov	edx, offset TlgAggregateInternalProviderCallback
		mov	ecx, offset dword_6B30A8
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		mov	eax, dword_6FD8D4
		jmp	short loc_87FEFF
TlgRegisterAggregateProviderEx endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ComputeFlushPeriod proc	near		; CODE XREF: TlgRegisterAggregateProviderEx+3Ep

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ecx
		and	[ebp+var_18], 0
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	ecx, [eax+0C8h]
		cdq
		shrd	eax, edx, 4
		push	10h
		mov	esi, [ecx+4]
		lea	edx, [ebp+var_14]
		sub	esi, 10h
		mov	[ebp+var_1C], eax
		lea	ecx, [ebp+var_18]
		movsd
		movsd
		movsd
		movsd
		call	RunningHash
		push	4
		lea	edx, [ebp+var_1C]
		lea	ecx, [ebp+var_18]
		call	RunningHash
		lea	ecx, [ebp+var_18]
		call	FinishHash
		mov	eax, [ebp+var_18]
		mov	ecx, 927C0h
		xor	edx, edx
		div	ecx
		pop	edi
		pop	esi
		lea	eax, [ecx+edx]
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
ComputeFlushPeriod endp


;  S U B	R O U T	I N E 


CreateTlgAggregateSession proc near	; CODE XREF: TlgRegisterAggregateProviderEx+11p

; FUNCTION CHUNK AT 008E5E52 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebx
		xor	eax, eax
		mov	bl, cl
		test	bl, bl
		mov	bh, dl
		push	esi
		setnz	al
		push	edi
		dec	eax
		push	47417254h
		and	eax, 1FFh
		push	0E0h
		inc	eax
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		xor	edi, edi
		test	esi, esi
		jz	loc_8800A1
		push	0E0h		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	loc_8800A1
		mov	[esi+8Ch], edi
		test	bh, bh
		jz	loc_8E5E52

loc_880026:				; CODE XREF: CreateTlgAggregateSession+65E8Cj
		push	47417254h
		push	24h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_880048
		push	9
		xor	eax, eax
		mov	edi, edx
		pop	ecx
		rep stosd
		xor	edi, edi

loc_880048:				; CODE XREF: CreateTlgAggregateSession+6Dj
		mov	[esi+88h], edx
		test	edx, edx
		jz	short loc_8800A1
		push	edi
		push	edi
		lea	eax, [edx+10h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [esi+88h]
		xor	ecx, ecx
		mov	dword ptr [eax+8], offset ?TlgAggregateInternalFlushWorkItemRoutineKernelMode@@YGXPAX@Z	; TlgAggregateInternalFlushWorkItemRoutineKernelMode(void *)
		mov	[eax+0Ch], esi
		mov	[eax], edi
		mov	eax, [esi+88h]
		mov	[eax+20h], cx
		test	bh, bh
		jz	short loc_88009B
		push	8
		push	dword ptr [esi+88h]
		push	offset ?TlgAggregateInternalFlushTimerCallbackKernelMode@@YGXPAU_EX_TIMER@@PAX@Z ; TlgAggregateInternalFlushTimerCallbackKernelMode(_EX_TIMER *,void *)
		call	ExAllocateTimer
		mov	[esi+0D0h], eax
		test	eax, eax
		jz	short loc_8800A1

loc_88009B:				; CODE XREF: CreateTlgAggregateSession+AFj
					; CreateTlgAggregateSession+DCj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_8800A1:				; CODE XREF: CreateTlgAggregateSession+2Dj
					; CreateTlgAggregateSession+44j ...
		mov	ecx, esi
		call	DestroyAggregateSession
		mov	esi, edi
		jmp	short loc_88009B
CreateTlgAggregateSession endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiEnablePagingOfDriver(x)
_MiEnablePagingOfDriver@4 proc near	; CODE XREF: MiEnablePagingTheExecutive()+1Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	edx, [edi+18h]
		call	_MiImagePagable@8 ; MiImagePagable(x,x)
		test	eax, eax
		jz	short loc_8800F6

loc_8800CB:				; CODE XREF: MiEnablePagingOfDriver(x)+48j
		lea	eax, [ebp+var_8]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	1
		mov	ecx, edi
		call	MiSnapDriverRange
		mov	edx, [ebp+var_4]
		mov	esi, eax
		test	edx, edx
		jz	short loc_8800F2
		push	[ebp+var_8]
		mov	ecx, edi
		call	MiSetPagingOfDriver

loc_8800F2:				; CODE XREF: MiEnablePagingOfDriver(x)+3Aj
		test	esi, esi
		jnz	short loc_8800CB

loc_8800F6:				; CODE XREF: MiEnablePagingOfDriver(x)+1Dj
		pop	edi
		pop	esi
		leave
		retn
_MiEnablePagingOfDriver@4 endp


;  S U B	R O U T	I N E 


MiWriteProtectSystemImages proc	near	; CODE XREF: MiInitSystem+1B6p

; FUNCTION CHUNK AT 008E5E5F SIZE 00000021 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		dec	word ptr [edi+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceExclusiveLite
		mov	esi, _PsLoadedModuleList
		mov	ebx, offset _PsLoadedModuleList

loc_880125:				; CODE XREF: MiWriteProtectSystemImages+43j
		cmp	esi, ebx
		jz	short loc_88013F
		mov	ecx, [esi+3Ch]
		test	ecx, ecx
		jnz	loc_8E5E5F

loc_880134:				; CODE XREF: MiWriteProtectSystemImages+65D6Ej
					; MiWriteProtectSystemImages+65D81j
		mov	ecx, esi
		call	MiProtectSystemImage

loc_88013B:				; CODE XREF: MiWriteProtectSystemImages+65D7Bj
		mov	esi, [esi]
		jmp	short loc_880125
; 

loc_88013F:				; CODE XREF: MiWriteProtectSystemImages+2Dj
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
MiWriteProtectSystemImages endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiProtectSystemImage proc near		; CODE XREF: MiDriverLoadSucceeded+19Cp
					; MiWriteProtectSystemImages+3Cp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E5E80 SIZE 00000073 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edx, ecx
		lea	edi, [ebp+var_2C]
		push	0Ah
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_54], edx
		mov	ebx, [edx+18h]
		rep stosd
		mov	ecx, ebx
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	loc_880345
		push	ebx
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		and	[ebp+var_50], 0
		mov	esi, eax
		and	[ebp+var_64], 0
		mov	ecx, ebx
		mov	[ebp+var_5C], esi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		xor	edx, edx
		inc	edx
		cmp	eax, edx
		jz	loc_8E5E80
		mov	ecx, ebx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	loc_8E5E80
		mov	eax, [ebp+var_54]
		test	dword ptr [eax+34h], 8000000h
		jz	loc_8803BF

loc_8801CF:				; CODE XREF: MiProtectSystemImage+26Ej
					; MiProtectSystemImage+65D2Fj
		mov	eax, [esi+50h]
		mov	edi, ebx
		movzx	ecx, word ptr [esi+6]
		mov	edx, eax
		and	edx, 0FFFh
		mov	[ebp+var_48], ecx
		neg	edx
		mov	[ebp+var_30], ecx
		sbb	edx, edx
		shr	eax, 0Ch
		neg	edx
		add	edx, eax
		movzx	eax, word ptr [esi+14h]
		add	esi, 18h
		add	esi, eax
		mov	[ebp+var_4C], esi
		test	ecx, ecx
		jz	short loc_88023E
		add	esi, 10h

loc_880204:				; CODE XREF: MiProtectSystemImage+E5j
		mov	eax, [esi-4]
		add	eax, ebx
		cmp	eax, edi
		jb	loc_880345
		mov	edi, [esi]
		mov	ecx, [esi-8]
		cmp	edi, ecx
		jb	loc_880398

loc_88021E:				; CODE XREF: MiProtectSystemImage+246j
		mov	ecx, [ebp+var_5C]
		dec	edi
		add	esi, 28h
		mov	ecx, [ecx+38h]
		add	eax, ecx
		neg	ecx
		add	edi, eax
		and	edi, ecx
		mov	ecx, [ebp+var_30]
		dec	ecx
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jnz	short loc_880204
		mov	esi, [ebp+var_4C]

loc_88023E:				; CODE XREF: MiProtectSystemImage+ABj
		mov	edi, [ebp+var_48]
		imul	ecx, edi, 28h
		mov	[ebp+var_40], 0C0000000h
		dec	ecx
		add	ecx, esi
		mov	[ebp+var_30], ecx
		mov	ecx, ebx
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	[ebp+var_38], eax
		lea	eax, [eax+edx*8]
		xor	edx, edx
		and	[ebp+var_3C], edx
		inc	edi
		mov	[ebp+var_68], eax
		mov	eax, [ebp+var_30]
		mov	[ebp+var_34], edx
		mov	[ebp+var_48], edi

loc_880270:				; CODE XREF: MiProtectSystemImage+1EBj
		cmp	edi, 1
		jz	loc_880367
		mov	ecx, [esi+10h]
		mov	eax, [esi+8]
		mov	[ebp+var_44], ecx
		cmp	ecx, eax
		jb	loc_88039F

loc_88028A:				; CODE XREF: MiProtectSystemImage+24Ej
		mov	eax, [esi+0Ch]
		add	eax, ebx
		mov	ecx, eax
		mov	[ebp+var_60], eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	edi, eax
		mov	[ebp+var_58], eax

loc_88029E:				; CODE XREF: MiProtectSystemImage+232j
		test	edx, edx
		jnz	loc_8E5E88

loc_8802A6:				; CODE XREF: MiProtectSystemImage+65D36j
					; MiProtectSystemImage+65D6Cj
		cmp	edi, [ebp+var_68]
		jnb	loc_88038B

loc_8802AF:				; CODE XREF: MiProtectSystemImage+23Cj
		mov	edi, [esi+24h]
		and	edi, 0E0000000h
		cmp	[ebp+var_64], 1
		jz	loc_8803A7

loc_8802C2:				; CODE XREF: MiProtectSystemImage+266j
					; MiProtectSystemImage+65D77j
		cmp	edi, [ebp+var_40]
		jz	loc_880354

loc_8802CB:				; CODE XREF: MiProtectSystemImage+20Ej
		mov	ecx, [ebp+var_30]
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	esi, eax
		mov	eax, [ebp+var_58]
		cmp	esi, eax
		jz	loc_8E5ED6

loc_8802E0:				; CODE XREF: MiProtectSystemImage+65D92j
		cmp	esi, [ebp+var_38]
		jb	short loc_88030E
		mov	eax, [ebp+var_68]
		cmp	esi, eax
		jnb	loc_8E5EEB

loc_8802F0:				; CODE XREF: MiProtectSystemImage+65D9Aj
		mov	edx, [ebp+var_40]
		mov	ecx, [ebp+var_50]
		call	MiComputeDriverProtection
		mov	edx, [ebp+var_38]
		mov	ecx, [ebp+var_54]
		push	eax
		push	esi
		call	_MiSetSystemCodeProtection@16 ;	MiSetSystemCodeProtection(x,x,x,x)
		mov	eax, [ebp+var_58]
		mov	edx, [ebp+var_34]

loc_88030E:				; CODE XREF: MiProtectSystemImage+18Fj
		mov	esi, [ebp+var_4C]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_5C]
		mov	[ebp+var_40], edi
		mov	ecx, [eax+38h]

loc_88031D:				; CODE XREF: MiProtectSystemImage+20Cj
		mov	eax, [ebp+var_60]
		add	esi, 28h
		mov	edi, [ebp+var_44]
		add	eax, ecx
		dec	edi
		mov	[ebp+var_4C], esi
		add	eax, edi
		neg	ecx
		mov	edi, [ebp+var_48]
		and	eax, ecx
		dec	edi
		dec	eax
		mov	[ebp+var_48], edi
		mov	[ebp+var_30], eax
		test	edi, edi
		jnz	loc_880270

loc_880345:				; CODE XREF: MiProtectSystemImage+30j
					; MiProtectSystemImage+B7j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_880354:				; CODE XREF: MiProtectSystemImage+171j
		mov	eax, [ebp+var_5C]
		mov	ecx, [eax+38h]
		cmp	ecx, 1000h
		jbe	short loc_88031D
		jmp	loc_8802CB
; 

loc_880367:				; CODE XREF: MiProtectSystemImage+11Fj
		and	[ebp+var_8], 0
		lea	esi, [ebp+var_2C]
		and	[ebp+var_60], 0
		mov	ecx, eax
		and	[ebp+var_44], 0
		mov	[ebp+var_4C], esi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		lea	edi, [eax+8]
		mov	[ebp+var_58], edi
		jmp	loc_88029E
; 

loc_88038B:				; CODE XREF: MiProtectSystemImage+155j
		lea	eax, [ebp+var_2C]
		cmp	esi, eax
		jz	loc_8802AF
		jmp	short loc_880345
; 

loc_880398:				; CODE XREF: MiProtectSystemImage+C4j
		mov	edi, ecx
		jmp	loc_88021E
; 

loc_88039F:				; CODE XREF: MiProtectSystemImage+130j
		mov	[ebp+var_44], eax
		jmp	loc_88028A
; 

loc_8803A7:				; CODE XREF: MiProtectSystemImage+168j
		test	byte ptr ds:_MiFlags+2,	1
		jnz	loc_8E5EC5

loc_8803B4:				; CODE XREF: MiProtectSystemImage+65D7Dj
		or	edi, 80000000h
		jmp	loc_8802C2
; 

loc_8803BF:				; CODE XREF: MiProtectSystemImage+75j
		mov	[ebp+var_64], edx
		jmp	loc_8801CF
MiProtectSystemImage endp

; 
		align 4

;  S U B	R O U T	I N E 


MiComputeDriverProtection proc near	; CODE XREF: MiProtectSystemImage+1A2p
					; MiProtectSystemImage+65D42p ...

; FUNCTION CHUNK AT 008E5EF3 SIZE 00000013 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	short loc_8803E0
		test	byte ptr ds:_MiFlags+2,	1
		jnz	short loc_8803E0
		or	edx, 20000000h

loc_8803E0:				; CODE XREF: MiComputeDriverProtection+7j
					; MiComputeDriverProtection+10j
		mov	eax, edx
		shr	eax, 1Ch
		and	eax, 2
		test	edx, 40000000h
		jz	short loc_8803F3
		or	eax, 1

loc_8803F3:				; CODE XREF: MiComputeDriverProtection+26j
		test	edx, edx
		js	short loc_8803FD

loc_8803F7:				; CODE XREF: MiComputeDriverProtection+4Fj
					; MiComputeDriverProtection+65B39j
		test	eax, eax
		jz	short loc_880419
		pop	esi
		retn
; 

loc_8803FD:				; CODE XREF: MiComputeDriverProtection+2Dj
		mov	ecx, eax
		and	ecx, 2
		cmp	esi, 1
		jz	loc_8E5EF3
		test	ecx, ecx
		jz	short loc_880414
		push	6

loc_880411:				; CODE XREF: MiComputeDriverProtection+53j
		pop	eax
		pop	esi
		retn
; 

loc_880414:				; CODE XREF: MiComputeDriverProtection+45j
		push	4
		pop	eax
		jmp	short loc_8803F7
; 

loc_880419:				; CODE XREF: MiComputeDriverProtection+31j
		push	18h
		jmp	short loc_880411
MiComputeDriverProtection endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeMemoryEvents(x)
_MiInitializeMemoryEvents@4 proc near	; CODE XREF: MmCreatePartition(x,x)+104p
					; MiInitSystem+121p

var_24		= dword	ptr -24h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_24]
		mov	ebx, ecx
		stosd
		lea	ecx, [ebp+var_24]
		stosd
		stosd
		stosd
		stosd
		call	MiCreateMemoryEventSD
		mov	esi, eax
		test	esi, esi
		js	loc_8804D3
		mov	ecx, ebx
		call	_MiCreatePartitionNamespace@4 ;	MiCreatePartitionNamespace(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8804D3
		mov	esi, offset _MiMemoryEventNames
		lea	edx, [ebx+90h]
		xor	edi, edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], edx

loc_880467:				; CODE XREF: MiInitializeMemoryEvents(x)+98j
		xor	ecx, ecx
		cmp	edi, 4
		jb	loc_880510
		mov	eax, [ebx+88h]
		cmp	ebx, offset _MiSystemPartition
		mov	[ebp+var_8], eax
		setz	cl

loc_880484:				; CODE XREF: MiInitializeMemoryEvents(x)+FDj
		lea	eax, [edx+2Ch]
		push	eax
		push	edx
		push	ecx
		lea	eax, [ebp+var_24]
		mov	edx, edi
		push	eax
		push	[ebp+var_8]
		mov	ecx, esi
		call	MiCreateMemoryEvent
		mov	esi, eax
		test	esi, esi
		js	short loc_8804D3
		mov	edx, [ebp+var_10]
		mov	esi, [ebp+var_C]

loc_8804A6:				; CODE XREF: MiInitializeMemoryEvents(x)+F8j
		inc	edi
		add	esi, 8
		add	edx, 4
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], edx
		cmp	edi, 0Bh
		jb	short loc_880467
		cmp	ebx, offset _MiSystemPartition
		jnz	short loc_8804CA
		call	MiInitializePagedPoolEvents
		call	MiSignalNonPagedPoolWatchers

loc_8804CA:				; CODE XREF: MiInitializeMemoryEvents(x)+A0j
		mov	ecx, ebx
		call	MiUpdateAvailableEvents
		xor	esi, esi

loc_8804D3:				; CODE XREF: MiInitializeMemoryEvents(x)+23j
					; MiInitializeMemoryEvents(x)+34j ...
		and	[ebp+var_10], 0
		lea	eax, [ebp-2]
		push	eax
		lea	eax, [ebp+var_10]
		mov	byte ptr [ebp+var_1], 0
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)
		test	eax, eax
		js	short loc_880504
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_880504
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_880504:				; CODE XREF: MiInitializeMemoryEvents(x)+D4j
					; MiInitializeMemoryEvents(x)+DAj
		not	esi
		shr	esi, 1Fh
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_880510:				; CODE XREF: MiInitializeMemoryEvents(x)+4Ej
		cmp	ebx, offset _MiSystemPartition
		jnz	short loc_8804A6
		and	[ebp+var_8], ecx
		jmp	loc_880484
_MiInitializeMemoryEvents@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateMemoryEvent proc near		; CODE XREF: MiInitializeMemoryEvents(x)+77p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 008E5F06 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		mov	eax, [ebx]
		mov	[ebp+var_18], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_14], eax
		push	esi
		mov	esi, edx
		push	edi
		test	ecx, ecx
		jz	short loc_88055F
		add	eax, 2
		mov	[ebp+var_14], eax
		mov	eax, 0FFFEh
		add	word ptr [ebp+var_18], ax
		add	word ptr [ebp+var_18+2], ax

loc_88055F:				; CODE XREF: MiCreateMemoryEvent+2Aj
		lea	eax, [ebp+var_18]
		mov	[ebp+var_3C], 18h
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_4]
		push	edx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_3C]
		push	edx
		push	eax
		push	1F0003h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_38], ecx
		push	eax
		mov	[ebp+var_30], 200h
		mov	[ebp+var_28], edx
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_880650
		mov	eax, ds:_ExEventObjectType
		lea	ecx, [ebp+arg_0]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		push	eax
		push	2
		push	[ebp+var_8]
		mov	[ebp+arg_0], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp+arg_0]
		mov	edi, eax
		test	edi, edi
		js	loc_880650
		cmp	[ebp+arg_8], 0
		jz	short loc_880625
		mov	eax, [ebp+arg_4]
		lea	ecx, [ebp+var_C]
		and	[ebp+var_38], 0
		mov	edx, 0F0001h
		and	[ebp+var_28], 0
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_10]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	0
		push	eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_3C], 18h
		push	eax
		mov	[ebp+var_30], 210h
		mov	[ebp+var_34], ebx
		mov	[ebp+var_24], 1
		mov	[ebp+var_20], offset _MiResolveMemoryEvent@16 ;	MiResolveMemoryEvent(x,x,x,x)
		call	ObCreateSymbolicLink
		mov	edi, eax
		test	edi, edi
		js	short loc_880650
		push	0
		push	[ebp+var_C]
		call	ObCloseHandle

loc_880625:				; CODE XREF: MiCreateMemoryEvent+A9j
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_8]
		mov	[eax], esi
		xor	esi, esi
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		xor	eax, eax
		mov	[ebp+var_8], eax
		xor	edi, edi

loc_88063B:				; CODE XREF: MiCreateMemoryEvent+133j
		test	eax, eax
		jnz	loc_8E5F06

loc_880643:				; CODE XREF: MiCreateMemoryEvent+659EEj
		test	esi, esi
		jnz	short loc_880655

loc_880647:				; CODE XREF: MiCreateMemoryEvent+13Cj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_880650:				; CODE XREF: MiCreateMemoryEvent+77j
					; MiCreateMemoryEvent+9Fj ...
		mov	eax, [ebp+var_8]
		jmp	short loc_88063B
; 

loc_880655:				; CODE XREF: MiCreateMemoryEvent+125j
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_880647
MiCreateMemoryEvent endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpInitializeRootNamespace proc	near	; CODE XREF: ObCreateSiloRootDirectory(x,x)+259p
					; ObInitSystem+475p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E5F13 SIZE 00000081 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		push	esi
		push	edi
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_48]
		mov	ebx, edx
		mov	[ebp+var_18], eax
		mov	edx, ecx
		mov	[ebp+var_C], eax
		pop	ecx
		rep stosd
		push	edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_10], eax
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		mov	[ebp+var_5], al
		lea	edi, [ebp+var_30]
		xor	eax, eax
		lea	ecx, [ebp+var_30]
		stosd
		stosd
		stosd
		stosd
		stosd
		call	ObCreateKernelObjectsSD
		mov	esi, eax
		test	esi, esi
		js	loc_880775
		xor	edi, edi
		cmp	[ebp+var_5], 0
		jz	loc_8E5F13

loc_8806B4:				; CODE XREF: ObpInitializeRootNamespace+658EFj
		push	edi
		push	[ebp+var_10]
		lea	eax, [ebp+var_30]
		mov	[ebp+var_48], 18h
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	0F000Fh
		lea	eax, [ebp+var_C]
		mov	[ebp+var_44], ebx
		push	eax
		mov	[ebp+var_3C], 250h
		mov	[ebp+var_40], offset _ObpKernelObjectsNameString
		mov	[ebp+var_34], edi
		call	_ZwCreateDirectoryObjectEx@20 ;	ZwCreateDirectoryObjectEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_880775
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)
		cmp	[ebp+var_5], 0
		lea	eax, [ebp+var_48]
		mov	[ebp+var_C], edi
		mov	[ebp+var_48], 18h
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], 250h
		mov	[ebp+var_40], (offset loc_A4017F+1)
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], edi
		jz	loc_8E5F52
		push	eax
		push	0F000Fh
		lea	eax, [ebp+var_C]
		push	eax
		call	_ZwCreateDirectoryObject@12 ; ZwCreateDirectoryObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_880775
		mov	eax, _ObpDirectoryObjectType
		lea	ecx, [ebp+var_14]
		push	edi
		push	ecx
		push	edi
		push	eax
		push	edi
		push	[ebp+var_C]
		mov	[ebp+var_14], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_14]
		mov	_ObpTypeDirectoryObject, eax

loc_880762:				; CODE XREF: ObpInitializeRootNamespace+65924j
		test	esi, esi
		js	short loc_880775
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_1C]
		mov	edx, ebx
		call	ObpCreateDosDevicesDirectory
		mov	esi, eax

loc_880775:				; CODE XREF: ObpInitializeRootNamespace+44j
					; ObpInitializeRootNamespace+91j ...
		cmp	[ebp+var_C], 0
		jz	short loc_880783
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_880783:				; CODE XREF: ObpInitializeRootNamespace+11Bj
		cmp	[ebp+var_10], 0
		jnz	loc_8E5F87

loc_88078D:				; CODE XREF: ObpInitializeRootNamespace+65931j
		lea	ecx, [ebp+var_30]
		call	_ObCleanupSecurityDescriptor@4 ; ObCleanupSecurityDescriptor(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
ObpInitializeRootNamespace endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreatePartitionNamespace(x)
_MiCreatePartitionNamespace@4 proc near	; CODE XREF: MiInitializeMemoryEvents(x)+2Bp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		xor	esi, esi
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		mov	[ebp+var_34], 18h
		push	2
		mov	[ebp+var_2C], eax
		lea	edi, [ebx+88h]
		mov	eax, ds:_SePublicDefaultUnrestrictedSd
		push	esi
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	0F000Fh
		push	edi
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], 240h
		mov	[ebp+var_20], esi
		call	_ZwCreateDirectoryObjectEx@20 ;	ZwCreateDirectoryObjectEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_880853
		lea	ecx, [ebp+var_1C]
		call	ObCreateKernelObjectsSD
		mov	esi, eax
		test	esi, esi
		js	short loc_880853
		mov	eax, [edi]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_24], eax
		xor	eax, eax
		push	eax
		push	eax
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	0F000Fh
		lea	eax, [ebx+8Ch]
		mov	[ebp+var_34], 18h
		push	eax
		mov	[ebp+var_28], 240h
		mov	[ebp+var_2C], offset _MiKernelObjectsDirectoryName
		call	_ZwCreateDirectoryObjectEx@20 ;	ZwCreateDirectoryObjectEx(x,x,x,x,x)
		mov	esi, eax

loc_880853:				; CODE XREF: MiCreatePartitionNamespace(x)+67j
					; MiCreatePartitionNamespace(x)+75j
		lea	ecx, [ebp+var_1C]
		call	_ObCleanupSecurityDescriptor@4 ; ObCleanupSecurityDescriptor(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_MiCreatePartitionNamespace@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObCleanupSecurityDescriptor(x)
_ObCleanupSecurityDescriptor@4 proc near ; CODE	XREF: ObpInitializeRootNamespace+132p
					; MiCreatePartitionNamespace(x)+B8p

var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp-2]
		push	eax
		lea	eax, [ebp+var_8]
		mov	byte ptr [ebp+var_1], 0
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		push	ecx
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)
		test	eax, eax
		js	short locret_880897
		cmp	byte ptr [ebp+var_1], 0
		jz	short locret_880897
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_880897:				; CODE XREF: ObCleanupSecurityDescriptor(x)+23j
					; ObCleanupSecurityDescriptor(x)+29j
		leave
		retn
_ObCleanupSecurityDescriptor@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


ObCreateKernelObjectsSD	proc near	; CODE XREF: ObpInitializeRootNamespace+3Bp
					; MiCreatePartitionNamespace(x)+6Cp

; FUNCTION CHUNK AT 008E5F94 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		push	1
		push	ebx
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88097E
		push	edi
		push	_SeWorldSid
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	ds:_SeAliasAdminsSid
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeLocalSystemSid
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 2Ch
		push	6C636144h
		add	esi, eax
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8E5F94
		push	2		; int
		push	esi		; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_880975
		push	0
		push	_SeWorldSid
		mov	ecx, edi
		push	20003h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	short loc_880975
		push	0
		push	ds:_SeAliasAdminsSid
		mov	ecx, edi
		push	0F000Fh
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	short loc_880975
		push	0
		push	_SeLocalSystemSid
		mov	ecx, edi
		push	0F000Fh
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	short loc_880975
		push	0
		push	edi
		push	1
		push	ebx
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_880975
		xor	edi, edi
		xor	esi, esi

loc_880975:				; CODE XREF: ObCreateKernelObjectsSD+67j
					; ObCreateKernelObjectsSD+86j ...
		test	edi, edi
		jnz	loc_8E5F9E

loc_88097D:				; CODE XREF: ObCreateKernelObjectsSD+656FFj
					; ObCreateKernelObjectsSD+6570Cj
		pop	edi

loc_88097E:				; CODE XREF: ObCreateKernelObjectsSD+12j
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
ObCreateKernelObjectsSD	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpCreateDosDevicesDirectory proc near	; CODE XREF: ObpInitializeRootNamespace+110p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008E5FAB SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		and	[ebp+var_8], 0
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_2C]
		mov	[ebp+var_10], ecx
		stosd
		mov	ebx, edx
		push	ecx
		stosd
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	short loc_8809C0
		cmp	[ebp+arg_0], edi
		jnz	loc_8E5FAB

loc_8809C0:				; CODE XREF: ObpCreateDosDevicesDirectory+31j
		lea	ecx, [ebp+var_2C]
		call	ObpGetDosDevicesProtection
		test	eax, eax
		js	loc_880B26
		push	edi
		push	[ebp+arg_0]
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_44], 18h
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	0F000Fh
		lea	eax, [ebp+var_8]
		mov	[ebp+var_40], ebx
		push	eax
		mov	[ebp+var_38], 210h
		mov	[ebp+var_3C], offset _ObpGlobalDirectoryName
		mov	[ebp+var_30], edi
		call	_ZwCreateDirectoryObjectEx@20 ;	ZwCreateDirectoryObjectEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_880B2D
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		call	ObpSetSiloDeviceMap
		mov	esi, eax
		test	esi, esi
		js	loc_880B0F
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_8]
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_44], 18h
		push	eax
		push	0F0001h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_38], 210h
		push	eax
		mov	[ebp+var_3C], (offset loc_A401B7+1)
		mov	[ebp+var_30], edi
		call	_ZwCreateSymbolicLinkObject@16 ; ZwCreateSymbolicLinkObject(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_880B0F
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_8]
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_44]
		push	(offset	loc_A40194+4)
		push	eax
		push	0F0001h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_44], 18h
		push	eax
		mov	[ebp+var_38], 210h
		mov	[ebp+var_3C], (offset loc_A401BF+1)
		mov	[ebp+var_30], edi
		call	_ZwCreateSymbolicLinkObject@16 ; ZwCreateSymbolicLinkObject(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_880B0F
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_44], 18h
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_44]
		push	(offset	loc_A4018B+5)
		push	eax
		push	0F0001h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_40], ebx
		push	eax
		mov	[ebp+var_38], 210h
		mov	[ebp+var_3C], (offset loc_A401AF+1)
		mov	[ebp+var_30], edi
		call	_ZwCreateSymbolicLinkObject@16 ; ZwCreateSymbolicLinkObject(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_880B0F
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_880B0F:				; CODE XREF: ObpCreateDosDevicesDirectory+9Cj
					; ObpCreateDosDevicesDirectory+EEj ...
		lea	ecx, [ebp+var_2C]
		call	_ObpFreeDosDevicesProtection@4 ; ObpFreeDosDevicesProtection(x)
		cmp	[ebp+var_8], edi
		jz	short loc_880B24
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_880B24:				; CODE XREF: ObpCreateDosDevicesDirectory+196j
		mov	eax, esi

loc_880B26:				; CODE XREF: ObpCreateDosDevicesDirectory+46j
					; ObpCreateDosDevicesDirectory+6562Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_880B2D:				; CODE XREF: ObpCreateDosDevicesDirectory+87j
		mov	[ebp+var_8], edi
		jmp	short loc_880B0F
ObpCreateDosDevicesDirectory endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpFreeDosDevicesProtection(x)
_ObpFreeDosDevicesProtection@4 proc near ; CODE	XREF: ObpCreateDosDevicesDirectory+18Ep

var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp-2]
		push	eax
		lea	eax, [ebp+var_8]
		mov	byte ptr [ebp+var_1], 0
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		push	ecx
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)
		push	6C636144h
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		leave
		retn
_ObpFreeDosDevicesProtection@4 endp


;  S U B	R O U T	I N E 


ObpSetSiloDeviceMap proc near		; CODE XREF: ObpCreateDosDevicesDirectory+93p

; FUNCTION CHUNK AT 008E5FB5 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi		; struct _exception *
		mov	ebx, edx
		mov	edi, ecx
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	esi, eax
		cmp	edi, esi
		jnz	loc_8E5FB5
		mov	edx, ds:_PsInitialSystemProcess

loc_880B80:				; CODE XREF: ObpSetSiloDeviceMap+6545Bj
		xor	ecx, ecx
		cmp	edi, esi
		push	0
		setnz	cl
		add	ecx, 3
		push	ecx
		push	0
		push	ebx
		mov	ecx, eax
		call	ObpSetDeviceMap
		pop	edi
		pop	esi
		pop	ebx
		retn
ObpSetSiloDeviceMap endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpGetDosDevicesProtection proc	near	; CODE XREF: ObpCreateDosDevicesDirectory+3Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E5FC2 SIZE 00000094 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		xor	edi, edi
		push	1
		push	eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], edi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	_ObpProtectionMode, 1
		jz	loc_8E5FC2
		push	_SeLocalSystemSid
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeWorldSid
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeCreatorOwnerSid
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	ds:_SeAliasAdminsSid
		add	eax, 50h
		lea	esi, [eax+esi*2]
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	6C636144h
		add	esi, eax
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8E604C
		push	2		; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, _SeWorldSid
		mov	ecx, ebx
		push	edi
		push	esi
		push	0A0000000h
		push	edi
		push	2
		pop	edx
		call	RtlpAddKnownAce
		push	edi
		mov	edi, _SeLocalSystemSid
		mov	ecx, ebx
		push	edi
		push	10000000h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		push	0
		push	esi
		push	20000000h
		push	0
		push	2
		pop	esi
		mov	edx, esi
		mov	ecx, ebx
		call	RtlpAddKnownAce
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	ebx
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	eax, [ebp+var_4]
		mov	edx, esi
		push	0
		push	ds:_SeAliasAdminsSid
		mov	ecx, ebx
		or	byte ptr [eax+1], 0Bh
		push	10000000h
		push	0
		call	RtlpAddKnownAce
		lea	eax, [ebp+var_4]
		push	eax
		push	3
		push	ebx
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	eax, [ebp+var_4]
		mov	edx, esi
		push	0
		push	edi
		mov	edi, 10000000h
		mov	ecx, ebx
		or	byte ptr [eax+1], 0Bh
		push	edi
		push	0
		call	RtlpAddKnownAce
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		push	ebx
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	eax, [ebp+var_4]
		mov	edx, esi
		push	0
		push	_SeCreatorOwnerSid
		mov	ecx, ebx
		or	byte ptr [eax+1], 0Bh
		push	edi
		push	0
		call	RtlpAddKnownAce
		lea	eax, [ebp+var_4]
		push	eax
		push	5

loc_880CE2:				; CODE XREF: ObpGetDosDevicesProtection+654ABj
		push	ebx
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	eax, [ebp+var_4]
		push	0
		push	ebx
		push	1
		push	[ebp+var_8]
		or	byte ptr [eax+1], 0Bh
		call	RtlSetDaclSecurityDescriptor
		xor	eax, eax

loc_880CFE:				; CODE XREF: ObpGetDosDevicesProtection+654B5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
ObpGetDosDevicesProtection endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateMemoryEventSD proc near		; CODE XREF: MiInitializeMemoryEvents(x)+1Ap

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008E6056 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	ebx, ecx
		push	1
		push	ebx
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_880E57
		push	esi
		push	_SeAllRestrictedAppPackagesSid
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeAllAppPackagesSid
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeWorldSid
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	ds:_SeAliasAdminsSid
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeLocalSystemSid
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	esi, 44h
		mov	edx, 6C636144h
		add	eax, esi
		push	0
		push	100h
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_880E56
		push	2		; int
		push	[ebp+var_4]	; size_t
		push	esi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_880E4E
		push	0
		push	_SeWorldSid
		mov	ecx, esi
		push	120001h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	edi, eax
		test	edi, edi
		js	loc_880E4E
		push	0
		push	ds:_SeAliasAdminsSid
		mov	ecx, esi
		push	1F0003h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	edi, eax
		test	edi, edi
		js	short loc_880E4E
		push	0
		push	_SeLocalSystemSid
		mov	ecx, esi
		push	1F0003h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	edi, eax
		test	edi, edi
		js	short loc_880E4E
		push	0
		push	_SeAllAppPackagesSid
		mov	ecx, esi
		push	120001h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	edi, eax
		test	edi, edi
		js	short loc_880E4E
		push	0
		push	_SeAllRestrictedAppPackagesSid
		mov	ecx, esi
		push	120001h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	edi, eax
		test	edi, edi
		js	short loc_880E4E
		push	0
		push	esi
		push	1
		push	ebx
		call	RtlSetDaclSecurityDescriptor
		mov	edi, eax
		test	edi, edi
		js	short loc_880E4E
		xor	esi, esi
		xor	edi, edi

loc_880E4E:				; CODE XREF: MiCreateMemoryEventSD+90j
					; MiCreateMemoryEventSD+B3j ...
		test	esi, esi
		jnz	loc_8E6056

loc_880E56:				; CODE XREF: MiCreateMemoryEventSD+7Bj
					; MiCreateMemoryEventSD+6535Aj
		pop	esi

loc_880E57:				; CODE XREF: MiCreateMemoryEventSD+16j
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn
MiCreateMemoryEventSD endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSetDebugFilterState proc near		; CODE XREF: DbgSetDebugFilterState(x,x,x)+Fp
					; MiInitializeLoadedModuleList(x)+52p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 008E6063 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, large fs:124h
		push	esi
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+8+var_4],	al
		test	al, al
		jnz	loc_8E6063

loc_880E80:				; CODE XREF: NtSetDebugFilterState+6521Cj
		mov	eax, [ebp+arg_0]
		mov	esi, offset _Kd_WIN2000_Mask
		cmp	eax, 9Ch
		jnb	loc_8E608A
		lfence	eax
		mov	esi, ds:_KdComponentTable[eax*4]

loc_880E9D:				; CODE XREF: NtSetDebugFilterState+6522Fj
					; NtSetDebugFilterState+6523Bj
		mov	edx, [ebp+arg_4]
		cmp	edx, 1Fh
		ja	short loc_880EAE
		xor	eax, eax
		mov	ecx, edx
		inc	eax
		shl	eax, cl
		mov	edx, eax

loc_880EAE:				; CODE XREF: NtSetDebugFilterState+45j
		movzx	eax, [ebp+arg_8]
		mov	ecx, edx
		not	ecx
		and	ecx, [esi]
		neg	eax
		sbb	eax, eax
		and	eax, edx
		or	ecx, eax
		xor	eax, eax
		mov	[esi], ecx

loc_880EC4:				; CODE XREF: NtSetDebugFilterState+65227j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
NtSetDebugFilterState endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTransSearchAddTransFromRm proc near	; CODE XREF: CmpTransSearchAddTransFromHive(x,x,x,x,x)+2Fp
					; CmpTransInitializeTransaction+75AA9p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 008F6A11 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		test	ecx, ecx
		jz	short loc_880F1B
		mov	eax, _CmRmSystem
		cmp	ecx, eax
		jnz	loc_8F6A11

loc_880EE5:				; CODE XREF: CmpTransSearchAddTransFromRm+75B4Fj
		cmp	[ebp+arg_0], 0
		jz	loc_8F6A20

loc_880EEF:				; CODE XREF: CmpTransSearchAddTransFromRm+75B56j
		cmp	ecx, eax
		mov	eax, dword_6B179C
		jnz	short loc_880F16

loc_880EF8:				; CODE XREF: CmpTransSearchAddTransFromRm+4Dj
		push	[ebp+arg_8]
		mov	edx, ecx
		mov	ecx, esi
		push	[ebp+arg_4]
		push	eax
		push	[ebp+arg_0]
		call	CmpTransSearchAddTrans
		test	eax, eax
		js	short loc_880F11
		xor	eax, eax

loc_880F11:				; CODE XREF: CmpTransSearchAddTransFromRm+41j
					; CmpTransSearchAddTransFromRm+54j ...
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_880F16:				; CODE XREF: CmpTransSearchAddTransFromRm+2Aj
		mov	eax, [ecx+30h]
		jmp	short loc_880EF8
; 

loc_880F1B:				; CODE XREF: CmpTransSearchAddTransFromRm+Aj
					; CmpTransSearchAddTransFromRm+75B49j
		mov	eax, 0C0190005h
		jmp	short loc_880F11
CmpTransSearchAddTransFromRm endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTransSearchAddTrans proc near	; CODE XREF: CmpTransSearchAddTransFromKeyBody+40p
					; CmpTransSearchAddTransFromRm+3Ap

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F6A32 SIZE 00000131 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+20h+var_10], ecx
		and	[esp+20h+var_C], edi
		mov	ebx, edx
		cmp	[ebp+arg_0], edi
		jz	short loc_880F53
		push	[ebp+arg_0]
		call	_CmpTransReferenceTransaction@4	; CmpTransReferenceTransaction(x)
		mov	esi, eax
		test	esi, esi
		js	loc_880FF0

loc_880F53:				; CODE XREF: CmpTransSearchAddTrans+1Dj
		mov	esi, [ebp+arg_0]
		mov	[esp+20h+var_14], 1

loc_880F5E:				; CODE XREF: CmpTransSearchAddTrans+116j
					; CmpTransSearchAddTrans+75B51j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpTransactionListLock
		call	ExAcquireFastMutexUnsafe
		mov	edx, [esp+20h+var_10]
		mov	ecx, ebx
		push	esi
		call	CmpSearchForTrans
		mov	edx, eax
		test	edx, edx
		jz	short loc_880FFB
		test	esi, esi
		jz	short loc_880F92
		test	byte ptr [edx+18h], 7
		jnz	short loc_881001

loc_880F92:				; CODE XREF: CmpTransSearchAddTrans+68j
		test	byte ptr [edx+18h], 8
		jnz	loc_8F6A32

loc_880F9C:				; CODE XREF: CmpTransSearchAddTrans+DDj
		test	edi, edi
		jnz	loc_881043
		test	edx, edx
		jz	short loc_88100F
		mov	ecx, [ebp+arg_4]
		call	_CmpBindHiveToTrans@8 ;	CmpBindHiveToTrans(x,x)

loc_880FB0:				; CODE XREF: CmpTransSearchAddTrans+173j
		mov	eax, [ebp+arg_C]
		xor	esi, esi
		mov	[eax], edx

loc_880FB7:				; CODE XREF: CmpTransSearchAddTrans+E6j
					; CmpTransSearchAddTrans+75C1Dj
		cmp	[esp+20h+var_C], 0
		jnz	loc_8F6B44

loc_880FC2:				; CODE XREF: CmpTransSearchAddTrans+75C3Cj
		cmp	[esp+20h+var_14], 0
		jz	short loc_880FDF
		mov	ecx, offset _CmpTransactionListLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_880FDF:				; CODE XREF: CmpTransSearchAddTrans+A5j
					; CmpTransSearchAddTrans+75B5Bj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_880FF0
		mov	ecx, eax
		and	ecx, 0FFFFFFFEh
		call	ObfDereferenceObject

loc_880FF0:				; CODE XREF: CmpTransSearchAddTrans+2Bj
					; CmpTransSearchAddTrans+C2j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_880FFB:				; CODE XREF: CmpTransSearchAddTrans+64j
		cmp	[ebp+arg_8], 0
		jnz	short loc_880F9C

loc_881001:				; CODE XREF: CmpTransSearchAddTrans+6Ej
					; CmpTransSearchAddTrans+75B14j
		mov	esi, 0C0190002h

loc_881006:				; CODE XREF: CmpTransSearchAddTrans+75B90j
					; CmpTransSearchAddTrans+75BFDj ...
		test	edi, edi
		jz	short loc_880FB7
		jmp	loc_8F6B34
; 

loc_88100F:				; CODE XREF: CmpTransSearchAddTrans+84j
		mov	ecx, offset _CmpTransactionListLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	[ebp+arg_4]
		mov	ecx, [esp+24h+var_10]
		mov	edx, ebx
		push	esi
		call	_CmpTransAllocateTrans@16 ; CmpTransAllocateTrans(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_880F5E
		jmp	loc_8F6A78
; 

loc_881043:				; CODE XREF: CmpTransSearchAddTrans+7Cj
		cmp	dword ptr [ebx+30h], 0
		jnz	loc_8F6A82

loc_88104D:				; CODE XREF: CmpTransSearchAddTrans+75B85j
		lea	eax, [ebx+8]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_88109A
		mov	[edi+4], ecx
		mov	[edi], eax
		mov	[ecx], edi
		mov	ecx, offset _CmpTransactionListLock
		mov	[eax+4], edi
		inc	_CmpTransactionInitializingCount
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		and	[esp+20h+var_14], 0
		mov	ecx, edi
		call	CmpTransInitializeTransaction
		mov	esi, eax
		test	esi, esi
		js	loc_8F6AB7
		mov	edx, edi
		jmp	loc_880FB0
; 

loc_88109A:				; CODE XREF: CmpTransSearchAddTrans+133j
					; CmpTransSearchAddTrans+75BB2j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
CmpTransSearchAddTrans endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpSearchForTrans proc near		; CODE XREF: CmpTransSearchAddTrans+5Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 008F6B63 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ecx+8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		mov	[ebp+var_4], eax

loc_8810B9:				; CODE XREF: CmpSearchForTrans+75AC8j
					; CmpSearchForTrans+75ADDj
		push	0
		lea	edx, [ebp+var_8]
		mov	ecx, eax
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8810E5
		test	esi, esi
		jz	loc_8F6B63
		cmp	esi, [edi+1Ch]
		jnz	loc_8F6B63

loc_8810DC:				; CODE XREF: CmpSearchForTrans+75AE3j
		mov	eax, edi

loc_8810DE:				; CODE XREF: CmpSearchForTrans+47j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8810E5:				; CODE XREF: CmpSearchForTrans+29j
		xor	eax, eax
		jmp	short loc_8810DE
CmpSearchForTrans endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTransInitializeTransaction proc near	; CODE XREF: CmpTransSearchAddTrans+162p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F6B88 SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		push	40h
		pop	ebx
		cmp	[edi+1Ch], esi
		jz	loc_881189
		mov	ecx, _CmRmSystem
		cmp	[edi+20h], ecx
		jnz	loc_8F6B88

loc_881118:				; CODE XREF: CmpTransInitializeTransaction+75AB8j
		mov	esi, [edi+1Ch]
		push	esi
		call	_CmpTransReferenceTransaction@4	; CmpTransReferenceTransaction(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8811C8
		mov	ecx, [edi+20h]
		call	CmpStartRMLogs
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8F6BB1
		mov	edx, [edi+20h]
		lea	ecx, [edi+28h]
		mov	eax, [edi+1Ch]
		and	eax, 0FFFFFFFEh
		push	edi
		mov	edx, [edx+1Ch]
		push	eax
		call	_CmTmCreateEnlistment@16 ; CmTmCreateEnlistment(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8F6BB1
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	dword ptr [edi+28h]
		mov	[ebp+var_4], ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	eax, [ebp+var_4]
		mov	ecx, [edi+20h]
		push	1
		mov	[edi+24h], eax
		call	_CmpAccountForLogReservation@12	; CmpAccountForLogReservation(x,x,x)
		test	eax, eax
		js	short loc_8811CF
		push	60h

loc_881188:				; CODE XREF: CmpTransInitializeTransaction+E7j
		pop	ebx

loc_881189:				; CODE XREF: CmpTransInitializeTransaction+19j
		call	_LOCK_TRANSACTION_LIST@0 ; LOCK_TRANSACTION_LIST()
		test	byte ptr [edi+18h], 6
		jnz	loc_8F6BA7
		mov	[edi+18h], ebx
		dec	_CmpTransactionInitializingCount
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		cmp	_CmpTransactionInitializingEvent, ecx
		jz	short loc_8811C6
		xor	edx, edx
		mov	ecx, offset _CmpTransactionInitializingEvent
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_8811C6:				; CODE XREF: CmpTransInitializeTransaction+CEj
		xor	ebx, ebx

loc_8811C8:				; CODE XREF: CmpTransInitializeTransaction+3Bj
					; CmpTransInitializeTransaction+75AB2j	...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_8811CF:				; CODE XREF: CmpTransInitializeTransaction+9Aj
		push	40h
		jmp	short loc_881188
CmpTransInitializeTransaction endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAccountForLogReservation(x, x, x)
_CmpAccountForLogReservation@12	proc near ; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+292p
					; CmpTransInitializeTransaction+93p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], 28h
		mov	[ebp+var_4], edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [esi+50h]
		call	ExAcquireResourceExclusiveLite
		cmp	[ebp+arg_0], 0
		mov	edx, [esi+38h]
		push	edi
		push	edi
		jnz	short loc_881221
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		neg	ecx
		mov	[ebp+var_8], ecx
		adc	eax, edi
		neg	eax
		mov	[ebp+var_4], eax

loc_881221:				; CODE XREF: CmpAccountForLogReservation(x,x,x)+39j
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		push	edi
		push	edi
		push	edi
		push	edi
		push	edx
		call	ds:__imp__ClfsReserveAndAppendLog@36 ; ClfsReserveAndAppendLog(x,x,x,x,x,x,x,x,x)
		mov	ecx, [esi+50h]
		mov	edi, eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn	4
_CmpAccountForLogReservation@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmTmCreateEnlistment(x, x, x, x)
_CmTmCreateEnlistment@16 proc near	; CODE XREF: CmpTransInitializeTransaction+64p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		cmp	_CmpNoMoreTx, 1
		push	esi
		jz	short loc_88129E
		push	[ebp+arg_4]
		xor	esi, esi
		mov	[ebp+var_18], 18h
		push	0Eh
		push	esi
		push	[ebp+arg_0]
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], esi
		push	edx
		push	eax
		push	0F001Fh
		push	esi
		push	ecx
		mov	[ebp+var_C], 200h
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	ds:__imp__TmCreateEnlistment@36	; TmCreateEnlistment(x,x,x,x,x,x,x,x,x)

loc_881299:				; CODE XREF: CmTmCreateEnlistment(x,x,x,x)+53j
		pop	esi
		leave
		retn	8
; 

loc_88129E:				; CODE XREF: CmTmCreateEnlistment(x,x,x,x)+10j
		mov	eax, 0C0000189h
		jmp	short loc_881299
_CmTmCreateEnlistment@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpStartRMLogs	proc near		; CODE XREF: CmpTransInitializeTransaction+44p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008F6BC4 SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_18], eax
		mov	esi, eax
		mov	eax, [ebx+3Ch]
		test	al, 8
		jnz	short loc_881324
		test	al, 1
		jnz	short loc_881313
		lea	ecx, [ebp+var_14]
		call	CmpUuidCreate
		test	eax, eax
		js	short loc_8812E8
		mov	byte ptr [ebp+var_18], 1

loc_8812E8:				; CODE XREF: CmpStartRMLogs+3Cj
		mov	edi, [ebx+3Ch]
		xor	cl, cl
		and	edi, 2
		or	edi, 20h
		call	CmpLockRegistryFreezeAware
		xor	edx, edx
		mov	ecx, ebx
		call	CmpStartRMLog
		mov	esi, eax
		test	esi, esi
		js	loc_8F6BC4

loc_88130B:				; CODE XREF: CmpStartRMLogs+75924j
					; CmpStartRMLogs+75930j ...
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	[ebx+edi*2], esi

loc_881313:				; CODE XREF: CmpStartRMLogs+30j
					; CmpStartRMLogs+83j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_881324:				; CODE XREF: CmpStartRMLogs+2Cj
		mov	esi, 0C0000189h
		jmp	short loc_881313
CmpStartRMLogs	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCleanupTransactionState(x, x, x,	x)
_CmpCleanupTransactionState@16 proc near ; CODE	XREF: CmKtmNotification(x,x,x,x,x,x,x)+2C8p
					; CmpRunDownCmRM+18BD7Bp ...

var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_1C]
		push	6
		pop	ecx
		xor	eax, eax
		mov	esi, edx
		rep stosd
		lea	ecx, [ebp+var_1C]
		call	CmpAttachToRegistryProcess
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_CmpTransMgrFreeVolatileData@8 ; CmpTransMgrFreeVolatileData(x,x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _CmpTransactionListLock
		mov	ecx, edi
		call	ExAcquireFastMutexUnsafe
		mov	edx, [esi]
		cmp	[edx+4], esi
		jnz	loc_88143E
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_88143E
		mov	[eax], edx
		mov	ecx, edi
		mov	[edx+4], eax
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		or	dword ptr [esi+18h], 10h
		mov	ecx, [esi+1Ch]
		test	ecx, ecx
		jz	short loc_8813D0
		and	ecx, 0FFFFFFFEh
		call	ObfDereferenceObject

loc_8813D0:				; CODE XREF: CmpCleanupTransactionState(x,x,x,x)+9Aj
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_8813DD
		push	eax
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)

loc_8813DD:				; CODE XREF: CmpCleanupTransactionState(x,x,x,x)+A9j
		push	72544D43h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+arg_4], 0
		jz	short loc_88142D
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [ebx+50h]
		call	ExAcquireResourceExclusiveLite
		push	1
		mov	ecx, ebx
		call	CmpLogCheckpoint
		mov	ecx, [ebx+50h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_88142D:				; CODE XREF: CmpCleanupTransactionState(x,x,x,x)+C0j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_88143E:				; CODE XREF: CmpCleanupTransactionState(x,x,x,x)+68j
					; CmpCleanupTransactionState(x,x,x,x)+73j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CmpCleanupTransactionState@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpStartRMLog	proc near		; CODE XREF: CmpStartRMLogs+56p
					; CmpInitCmRM+11D6E0p ...

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 008F6C07 SIZE 0000015C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_2], 1
		push	esi
		xor	eax, eax
		mov	[ebp+var_44], ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_48], eax
		mov	esi, ecx
		mov	[ebp+var_10], edi
		mov	[ebp+var_20], esi
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_14], eax
		mov	[ebp+var_24], eax
		call	_LockRMLog@4	; LockRMLog(x)
		test	byte ptr [esi+3Ch], 1
		jnz	loc_8F6C0C
		push	20204D43h
		push	78h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_8F6C07
		or	dword ptr [esi+3Ch], 2
		mov	eax, ds:_CLFS_LSN_INVALID_EXT
		mov	[esi+48h], eax
		mov	eax, ds:dword_41105C
		mov	[esi+4Ch], eax
		cmp	esi, _CmRmSystem
		jnz	loc_8F6C33
		mov	[ebp+var_1C], offset _CmpLogPath
		mov	ecx, 80h
		test	edi, edi
		jnz	loc_8F6C1A

loc_8814ED:				; CODE XREF: CmpStartRMLog+757EAj
		lea	eax, [ebp+var_40]
		push	eax
		mov	eax, dword_6B179C
		mov	eax, [eax+20h]
		add	eax, ecx
		push	eax
		call	_RtlStringFromGUID@8 ; RtlStringFromGUID(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_88173C
		mov	dword ptr [esi+28h], offset loc_500000
		mov	[esi+2Ch], ebx
		mov	eax, dword_6B179C

loc_88151A:				; CODE XREF: CmpStartRMLog+75856j
		mov	ecx, [eax+400h]
		lea	edx, [ebp+var_24]
		call	CmpQueryFileSecurityDescriptor
		mov	edi, eax
		test	edi, edi
		js	loc_881778
		lea	eax, [esi+38h]
		push	eax
		lea	ecx, [esi+34h]
		push	ecx
		lea	edx, [esi+24h]
		push	edx
		lea	eax, [esi+28h]
		push	eax
		mov	eax, [ebp+var_24]
		push	ecx
		mov	[ebp+var_14], eax
		push	eax

loc_88154A:				; CODE XREF: CmpStartRMLog+758EDj
		push	ecx
		mov	ecx, [ebp+var_1C]
		lea	edx, [ebp+var_40]
		call	CmpStartCLFSLog
		mov	edi, eax
		test	edi, edi
		js	loc_88171F
		push	78h
		pop	eax
		push	20204D43h
		push	eax
		push	1
		mov	[ebp+var_24], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_88158E
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		push	dword ptr [esi+34h]
		call	ds:__imp__ClfsGetLogFileInformation@12 ; ClfsGetLogFileInformation(x,x,x)
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88158E:				; CODE XREF: CmpStartRMLog+133j
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], 78h
		push	eax
		push	[ebp+var_C]
		push	dword ptr [esi+34h]
		call	ds:__imp__ClfsGetLogFileInformation@12 ; ClfsGetLogFileInformation(x,x,x)
		mov	ecx, [ebp+var_C]
		mov	edi, eax
		mov	eax, [ecx+48h]
		mov	[esi+48h], eax
		mov	eax, [ecx+4Ch]
		mov	[esi+4Ch], eax
		test	edi, edi
		js	loc_88171F
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	edi, [esi+38h]
		push	dword ptr [edi]
		call	ds:__imp__ClfsReadRestartArea@20 ; ClfsReadRestartArea(x,x,x,x,x)
		cmp	eax, 401A000Ch
		jz	loc_8F6CB5
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	loc_8F6CB5
		mov	eax, [ecx]
		mov	[ebp+var_38], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		call	ds:__imp__ClfsLsnEqual@8 ; ClfsLsnEqual(x,x)
		test	al, al
		jz	loc_8816B2
		mov	eax, [ebp+var_38]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+var_34]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_10], ebx
		push	eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_20], ebx
		push	eax
		lea	eax, [ebp-1]
		mov	[ebp+var_24], ebx
		push	eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_70], ebx
		push	eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_6C], ebx
		push	eax
		push	3
		lea	eax, [ebp+var_78]
		mov	[ebp+var_68], ebx
		push	eax
		push	dword ptr [edi]
		mov	[ebp+var_64], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		mov	byte ptr [ebp+var_1], bl
		call	ds:__imp__ClfsReadLogRecord@36 ; ClfsReadLogRecord(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8816A4
		lea	eax, [ebp+var_50]
		mov	byte ptr [ebp+var_1], 1
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		push	ebx
		lea	eax, [ebp+var_1]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_10]
		call	ds:__imp__ClfsReadNextLogRecord@32 ; ClfsReadNextLogRecord(x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000011h
		jnz	loc_8F6C9F
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx+58h]
		mov	[ebp+var_38], eax
		mov	eax, [ecx+5Ch]

loc_8816A1:				; CODE XREF: CmpStartRMLog+7586Cj
		mov	[ebp+var_34], eax

loc_8816A4:				; CODE XREF: CmpStartRMLog+21Ej
					; CmpStartRMLog+7585Dj
		cmp	[ebp+var_10], ebx
		jz	short loc_8816B2
		push	[ebp+var_10]
		call	ds:__imp__ClfsTerminateReadLog@4 ; ClfsTerminateReadLog(x)

loc_8816B2:				; CODE XREF: CmpStartRMLog+1C6j
					; CmpStartRMLog+263j ...
		cmp	[ebp+var_8], ebx
		jz	short loc_8816C3
		push	[ebp+var_8]
		call	ds:__imp__ClfsTerminateReadLog@4 ; ClfsTerminateReadLog(x)
		mov	[ebp+var_8], ebx

loc_8816C3:				; CODE XREF: CmpStartRMLog+271j
		mov	eax, [ebp+var_C]
		add	eax, 58h
		push	eax
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_38]
		push	eax
		call	ds:__imp__ClfsLsnEqual@8 ; ClfsLsnEqual(x,x)
		test	al, al
		jz	loc_8F6CC9

loc_8816DF:				; CODE XREF: CmpStartRMLog+75889j
					; CmpStartRMLog+758A0j
		mov	ecx, [ebp+var_24]
		push	ebx
		mov	eax, [ecx]
		mov	[ebp+var_58], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	ebx
		push	ebx
		push	8
		lea	eax, [ebp+var_58]
		push	eax
		push	dword ptr [edi]
		call	ds:__imp__ClfsWriteRestartArea@28 ; ClfsWriteRestartArea(x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	[ebp+var_2], bl
		jz	short loc_88171F
		cmp	edi, 0C01A001Dh
		jz	loc_8F6CE9
		cmp	dword ptr [esi+24h], 0Ah
		ja	loc_8F6CE9

loc_88171F:				; CODE XREF: CmpStartRMLog+116j
					; CmpStartRMLog+174j ...
		cmp	[ebp+var_8], ebx
		jnz	loc_8F6D36

loc_881728:				; CODE XREF: CmpStartRMLog+758FBj
		test	edi, edi
		js	loc_8F6D44
		mov	eax, [esi+3Ch]
		and	eax, 0FFFFFFFDh
		or	eax, 1
		mov	[esi+3Ch], eax

loc_88173C:				; CODE XREF: CmpStartRMLog+C1j
					; CmpStartRMLog+337j ...
		mov	ecx, esi
		call	_UnlockRMLog@4	; UnlockRMLog(x)
		cmp	[ebp+var_44], ebx
		jnz	loc_8F6D55

loc_88174C:				; CODE XREF: CmpStartRMLog+7591Aj
		cmp	[ebp+var_3C], ebx
		jz	short loc_88175A
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_88175A:				; CODE XREF: CmpStartRMLog+30Bj
		push	ebx
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_881771
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_881771:				; CODE XREF: CmpStartRMLog+324j
		mov	eax, edi

loc_881773:				; CODE XREF: CmpStartRMLog+757D1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_881778:				; CODE XREF: CmpStartRMLog+E8j
		mov	[ebp+var_14], ebx
		jmp	short loc_88173C
CmpStartRMLog	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmLogTmRmAction(x, x, x)
_CmLogTmRmAction@12 proc near		; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+24Bp

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		push	edi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], esi
		cmp	[ebx+38h], esi
		jz	short loc_88180F
		mov	eax, [ebp+arg_0]
		lea	edi, [ebp+var_20]
		mov	[ebp+var_30], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_24], esi
		lea	esi, [edx+2Ch]
		push	28h
		pop	ecx
		mov	[ebp+var_2C], ecx
		mov	edx, ecx
		mov	[ebp+var_28], eax
		lea	ecx, [ebp+var_30]
		movsd
		movsd
		movsd
		movsd
		call	_HvBufferCheckSum@8 ; HvBufferCheckSum(x,x)
		mov	[ebp+var_30], eax
		lea	edx, [ebp+var_30]
		lea	eax, [ebp+var_3C]
		mov	ecx, ebx
		push	eax
		push	2
		push	28h
		call	CmpTransWriteLog
		test	eax, eax
		js	short loc_8817FE
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	dword ptr [ebx+38h]
		call	ds:__imp__ClfsFlushToLsn@12 ; ClfsFlushToLsn(x,x,x)

loc_8817FE:				; CODE XREF: CmLogTmRmAction(x,x,x)+6Dj
					; CmLogTmRmAction(x,x,x)+93j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_88180F:				; CODE XREF: CmLogTmRmAction(x,x,x)+28j
		xor	eax, eax
		jmp	short loc_8817FE
_CmLogTmRmAction@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLogCheckpoint proc near		; CODE XREF: CmpCleanupTransactionState(x,x,x,x)+E3p
					; CmpStopRMLog+18BBCFp	...

var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_3C		= dword	ptr -3Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 008F6D63 SIZE 000000BC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, ds:_CLFS_LSN_INVALID_EXT
		push	ebx
		push	esi
		mov	[ebp+var_BC], eax
		mov	esi, ecx
		mov	eax, ds:dword_41105C
		xor	ecx, ecx
		push	edi
		mov	[ebp+var_B8], eax
		mov	edi, ecx
		mov	eax, ds:_CLFS_LSN_NULL_EXT
		mov	[ebp+var_EC], eax
		mov	eax, ds:dword_412DAC
		push	78h
		mov	[ebp+var_E8], eax
		pop	eax
		push	eax		; size_t
		mov	[ebp+var_C0], eax
		lea	eax, [ebp+var_B4]
		push	ecx		; int
		push	eax		; void *
		mov	[ebp+var_D4], esi
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_CC], ecx
		mov	[ebp+var_C8], ecx
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpTransactionListLock
		call	ExAcquireFastMutexUnsafe

loc_8818A8:				; CODE XREF: CmpLogCheckpoint+755B5j
		lea	eax, [esi+8]

loc_8818AB:				; CODE XREF: CmpLogCheckpoint+7559Ej
		push	0
		lea	edx, [ebp+var_D0]
		mov	ecx, eax
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jnz	loc_8F6D63
		mov	ecx, offset _CmpTransactionListLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	eax, [ebp+var_BC]
		push	eax
		call	ds:__imp__ClfsLsnInvalid@4 ; ClfsLsnInvalid(x)
		test	al, al
		jz	short loc_881918
		lea	eax, [ebp+var_C0]
		push	eax
		lea	eax, [ebp+var_B4]
		push	eax
		push	dword ptr [esi+34h]
		call	ds:__imp__ClfsGetLogFileInformation@12 ; ClfsGetLogFileInformation(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_881918
		mov	ecx, [ebp+var_5C]
		mov	[ebp+var_BC], ecx
		mov	ecx, [ebp+var_58]
		mov	[ebp+var_B8], ecx

loc_881918:				; CODE XREF: CmpLogCheckpoint+D3j
					; CmpLogCheckpoint+F0j
		push	78h
		pop	eax
		push	20204D43h
		push	eax
		push	1
		mov	[ebp+var_D8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_88194D
		lea	eax, [ebp+var_D8]
		push	eax
		push	ebx
		push	dword ptr [esi+34h]
		call	ds:__imp__ClfsGetLogFileInformation@12 ; ClfsGetLogFileInformation(x,x,x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88194D:				; CODE XREF: CmpLogCheckpoint+11Ej
		test	edi, edi
		js	short loc_8819BA
		mov	eax, [ebp+var_BC]
		lea	ecx, [ebp+var_BC]
		mov	bl, [ebp+arg_0]
		mov	[ebp+var_CC], eax
		mov	eax, [ebp+var_B8]
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_EC]
		push	eax
		lea	eax, [ebp+var_C0]
		push	eax
		movzx	eax, bl
		neg	eax
		push	0
		sbb	eax, eax
		and	eax, ecx
		push	eax
		push	8
		lea	eax, [ebp+var_CC]
		push	eax
		push	dword ptr [esi+38h]
		call	ds:__imp__ClfsWriteRestartArea@28 ; ClfsWriteRestartArea(x,x,x,x,x,x,x)
		mov	edi, eax
		test	bl, bl
		jz	short loc_8819BA
		test	edi, edi
		js	short loc_8819BA
		mov	eax, [ebp+var_BC]
		mov	[esi+48h], eax
		mov	eax, [ebp+var_B8]
		mov	[esi+4Ch], eax

loc_8819BA:				; CODE XREF: CmpLogCheckpoint+13Bj
					; CmpLogCheckpoint+18Ej ...
		push	78h
		pop	eax
		push	20204D43h
		push	eax
		push	1
		mov	[ebp+var_DC], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_881A23
		lea	eax, [ebp+var_DC]
		push	eax
		push	ebx
		push	dword ptr [esi+34h]
		call	ds:__imp__ClfsGetLogFileInformation@12 ; ClfsGetLogFileInformation(x,x,x)
		xor	esi, esi
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8819F0:				; CODE XREF: CmpLogCheckpoint+211j
		cmp	dword_6B2348, 5
		jbe	short loc_881A10
		push	esi
		mov	ebx, offset dword_6B2348
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_8F6DEB

loc_881A10:				; CODE XREF: CmpLogCheckpoint+1E3j
					; CmpLogCheckpoint+75606j
		mov	eax, edi

loc_881A12:				; CODE XREF: CmpLogCheckpoint+755D2j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_881A23:				; CODE XREF: CmpLogCheckpoint+1C0j
		xor	esi, esi
		jmp	short loc_8819F0
CmpLogCheckpoint endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTransWriteLog proc near		; CODE XREF: CmAddLogForAction(x,x)+536p
					; CmLogTmRmAction(x,x,x)+66p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00881A5A SIZE 00000051 BYTES
; FUNCTION CHUNK AT 008F6E1F SIZE 00000267 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], esi
		mov	[ebp+var_58], edi
		call	_LockRMLog@4	; LockRMLog(x)
		jmp	loc_8F6E1F
CmpTransWriteLog endp

; 
; START	OF FUNCTION CHUNK FOR CmpTransWriteLog

loc_881A5A:				; CODE XREF: CmpTransWriteLog+7543Cj
					; CmpTransWriteLog+7552Fj
		cmp	esi, 0C01A001Dh
		jz	loc_8F6F5C
		test	esi, esi
		js	short loc_881A90
		mov	ecx, [ebx+34h]
		lea	eax, [ebp+var_58]
		push	eax
		push	dword ptr [ebx+24h]
		lea	edx, [ebx+48h]
		push	dword ptr [ebx+28h]
		push	[ebp+var_60]
		call	CmpComputeLogFillLevel
		test	eax, eax
		js	short loc_881A90
		cmp	[ebp+var_58], 50h
		jnb	loc_8F7007

loc_881A90:				; CODE XREF: CmpTransWriteLog+40j
					; CmpTransWriteLog+5Cj	...
		mov	ecx, ebx
		call	_UnlockRMLog@4	; UnlockRMLog(x)
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_50]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; END OF FUNCTION CHUNK	FOR CmpTransWriteLog
; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall UnlockRMLog(x)
_UnlockRMLog@4	proc near		; CODE XREF: CmpStartRMLog+2FAp
					; CmpTransWriteLog+6Ap	...
		mov	edi, edi
		push	ecx
		mov	ecx, [ecx+50h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	ecx
		retn
_UnlockRMLog@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpComputeLogFillLevel proc near	; CODE XREF: CmpTransWriteLog+55p

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 008F7086 SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		push	78h		; size_t
		mov	[ebp+var_A0], eax
		mov	ebx, edx
		lea	eax, [ebp+var_80]
		mov	[ebp+var_84], ecx
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		imul	eax, [ebp+arg_8]
		xor	edx, edx
		mov	[ebp+var_90], esi
		mov	[ebp+var_8C], esi
		mov	esi, 0C000022Dh
		push	64h
		pop	ecx
		div	ecx
		push	ebx
		mov	[ebp+var_9C], eax
		call	ds:__imp__ClfsLsnInvalid@4 ; ClfsLsnInvalid(x)
		test	al, al
		jnz	short loc_881B63
		push	edi
		call	ds:__imp__ClfsLsnInvalid@4 ; ClfsLsnInvalid(x)
		test	al, al
		jnz	short loc_881B63
		push	edi
		push	ebx
		call	ds:__imp__ClfsLsnEqual@8 ; ClfsLsnEqual(x,x)
		test	al, al
		jnz	short loc_881B63
		lea	eax, [ebp+var_90]
		push	eax
		push	1000h
		push	[ebp+arg_4]
		push	edi
		push	ebx
		call	ds:__imp__ClfsLsnDifference@20 ; ClfsLsnDifference(x,x,x,x,x)
		mov	esi, eax

loc_881B63:				; CODE XREF: CmpComputeLogFillLevel+6Bj
					; CmpComputeLogFillLevel+76j ...
		push	78h
		pop	eax
		push	20204D43h
		push	eax
		push	1
		mov	[ebp+var_94], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, ds:__imp__ClfsGetLogFileInformation@12 ; ClfsGetLogFileInformation(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_881B9D
		lea	eax, [ebp+var_94]
		push	eax
		push	edi
		push	[ebp+var_84]
		call	ebx
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_881B9D:				; CODE XREF: CmpComputeLogFillLevel+BDj
		test	esi, esi
		js	loc_8F7086
		mov	ecx, [ebp+var_8C]
		mov	eax, [ebp+var_90]

loc_881BB1:				; CODE XREF: CmpComputeLogFillLevel+755F3j
		push	0
		push	[ebp+var_9C]
		push	ecx
		push	eax
		call	__aulldiv
		mov	ecx, [ebp+var_A0]
		mov	[ecx], eax

loc_881BC8:				; CODE XREF: CmpComputeLogFillLevel+755E1j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
CmpComputeLogFillLevel endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall LockRMLog(x)
_LockRMLog@4	proc near		; CODE XREF: CmpStartRMLog+4Dp
					; CmpTransWriteLog+28p
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [ecx+50h]
		call	ExAcquireResourceExclusiveLite
		retn
_LockRMLog@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvBufferCheckSum(x,	x)
_HvBufferCheckSum@8 proc near		; CODE XREF: CmpVerifyLogRecord(x,x)+1Dp
					; CmAddLogForAction(x,x)+50Bp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		shr	edx, 2
		xor	esi, esi
		and	edi, 3
		mov	ecx, esi
		lea	eax, [ebx+edx*4]
		mov	[ebp+var_4], eax
		xor	eax, eax
		inc	eax
		cmp	edx, eax
		jbe	short loc_881C22

loc_881C1A:				; CODE XREF: HvBufferCheckSum(x,x)+2Aj
		xor	ecx, [ebx+eax*4]
		inc	eax
		cmp	eax, edx
		jb	short loc_881C1A

loc_881C22:				; CODE XREF: HvBufferCheckSum(x,x)+22j
		mov	edx, esi
		test	edi, edi
		jz	short loc_881C39
		mov	ebx, [ebp+var_4]

loc_881C2B:				; CODE XREF: HvBufferCheckSum(x,x)+41j
		movzx	eax, byte ptr [ebx+edx]
		shl	esi, 8
		add	esi, eax
		inc	edx
		cmp	edx, edi
		jb	short loc_881C2B

loc_881C39:				; CODE XREF: HvBufferCheckSum(x,x)+30j
		pop	edi
		xor	ecx, esi
		pop	esi
		pop	ebx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_881C4B

loc_881C43:				; CODE XREF: HvBufferCheckSum(x,x)+58j
		test	ecx, ecx
		jz	short loc_881C50

loc_881C47:				; CODE XREF: HvBufferCheckSum(x,x)+5Dj
		mov	eax, ecx
		leave
		retn
; 

loc_881C4B:				; CODE XREF: HvBufferCheckSum(x,x)+4Bj
		push	0FFFFFFFEh
		pop	ecx
		jmp	short loc_881C43
; 

loc_881C50:				; CODE XREF: HvBufferCheckSum(x,x)+4Fj
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_881C47
_HvBufferCheckSum@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpStartCLFSLog	proc near		; CODE XREF: CmpStartRMLog+10Dp

var_5C		= dword	ptr -5Ch
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 008F70BE SIZE 000000B8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	[ebp+var_50], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_40], eax
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_30], eax
		lea	edi, [ebp+var_5C]
		mov	[ebp+var_34], eax
		mov	esi, edx
		mov	edx, [ebp+arg_14]
		mov	[ebp+var_2C], eax
		stosd
		push	6
		pop	ecx
		push	20204D43h
		stosd
		mov	[ebp+var_4C], esi
		mov	[ebp+var_38], edx
		stosd
		xor	eax, eax
		and	[edx], eax
		lea	edi, [ebp+var_20]
		rep stosd
		mov	edi, [ebp+var_40]
		and	[edi], eax
		mov	ax, [esi]
		add	ax, 1Ah
		add	ax, [ebx]
		movzx	eax, ax
		push	eax
		push	1
		mov	word ptr [ebp+var_30+2], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_8F70BE
		mov	eax, [ebp+var_38]
		push	(offset	loc_40154B+1)
		and	dword ptr [eax], 0
		lea	eax, [ebp+var_30]
		and	dword ptr [edi], 0
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	ebx
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	esi
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	offset _CmpLogExt
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_5C]
		push	ecx
		xor	esi, esi
		push	eax
		mov	[ebp+var_24], esi
		mov	[ebp+var_3C], esi
		call	_PsDisableImpersonation@8 ; PsDisableImpersonation(x,x)
		mov	ecx, ds:_PsInitialSystemProcess
		xor	edx, edx
		mov	[ebp+var_25], al
		lea	eax, [ebp+var_20]
		push	eax
		call	KiStackAttachProcess
		mov	edi, [ebp+var_44]
		lea	eax, [ebp+var_30]
		push	esi
		push	esi
		push	200h
		push	esi
		push	8
		push	1
		push	edi
		push	esi
		push	0C0010000h
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	ds:__imp__ClfsCreateLogFile@44 ; ClfsCreateLogFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8F70DC
		push	78h
		pop	eax
		push	20204D43h
		push	eax
		push	1
		mov	[ebp+var_34], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8F70C8
		lea	eax, [ebp+var_34]
		push	eax
		push	ebx
		push	[ebp+var_24]
		call	ds:__imp__ClfsGetLogFileInformation@12 ; ClfsGetLogFileInformation(x,x,x)
		mov	esi, eax
		push	0
		push	ebx
		test	esi, esi
		js	loc_8F70D2
		mov	edi, [ebx+28h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_881DAE:				; CODE XREF: CmpStartCLFSLog+754EEj
		lea	eax, [ebp+var_3C]
		push	eax
		push	14h
		push	2
		push	1000h
		push	0
		push	0
		push	1
		push	[ebp+var_24]
		call	ds:__imp__ClfsCreateMarshallingArea@32 ; ClfsCreateMarshallingArea(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_881DE5
		mov	eax, [ebp+var_50]
		mov	ecx, [ebp+var_38]
		mov	[eax], edi
		mov	eax, [ebp+var_24]
		mov	[ecx], eax
		mov	ecx, [ebp+var_40]
		mov	eax, [ebp+var_3C]
		mov	[ecx], eax

loc_881DE5:				; CODE XREF: CmpStartCLFSLog+178j
					; CmpStartCLFSLog+75477j ...
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		cmp	[ebp+var_25], 0
		jnz	loc_8F7149

loc_881DF9:				; CODE XREF: CmpStartCLFSLog+75503j
		push	0
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	loc_8F715E

loc_881E0B:				; CODE XREF: CmpStartCLFSLog+7550Cj
					; CmpStartCLFSLog+7551Bj
		mov	eax, esi

loc_881E0D:				; CODE XREF: CmpStartCLFSLog+7546Dj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
CmpStartCLFSLog	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepShimDatabaseTime proc near		; CODE XREF: KsepShimDbChanged+3Fp
					; KsepShimDbChanged+8Cp

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 008FEE61 SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi		; char
		xor	eax, eax
		lea	edi, [ebp+var_30]
		push	0Ah
		mov	esi, ecx
		mov	[ebp+var_3C], eax
		pop	ecx
		mov	ebx, edx
		mov	[ebp+var_38], eax
		rep stosd
		mov	[ebp+var_44], eax
		xor	edi, edi
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_3C]
		push	esi
		push	eax
		mov	[ebx], edi
		mov	[ebx+4], edi
		mov	[ebp+var_34], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_5C], 18h
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_44]
		push	5
		push	eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_58], edi
		push	eax
		push	80000000h
		lea	eax, [ebp+var_34]
		mov	[ebp+var_50], 240h
		push	eax
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], edi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_881F04
		xor	ecx, ecx
		inc	ecx
		lock xadd _KsepHistoryErrorsIndex, ecx
		inc	ecx
		and	ecx, 3Fh
		mov	ebx, offset ??_C@_0CJ@EBFFHOCD@KSE?3?5ZwOpenFile?5failed?5opening?5@NNGAKEGL@ ;	"KSE: ZwOpenFile failed	opening	DB file!"...
		push	9
		pop	eax
		mov	word_6C7022[ecx*8], ax
		mov	eax, 384h
		mov	dword_6C7024[ecx*8], esi
		mov	_KsepHistoryErrors[ecx*8], ax

loc_881ED0:				; CODE XREF: KsepShimDatabaseTime+7D076j
		test	_KsepDebugFlag,	2
		jnz	sub_8FEE53

loc_881EDD:				; CODE XREF: sub_8FEE53+9j
		push	ebx		; char *
		push	edi		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx

loc_881EE6:				; CODE XREF: KsepShimDatabaseTime+10Fj
		cmp	[ebp+var_34], edi
		jz	short loc_881EF3
		push	[ebp+var_34]
		call	_ZwClose@4	; ZwClose(x)

loc_881EF3:				; CODE XREF: KsepShimDatabaseTime+CBj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_881F04:				; CODE XREF: KsepShimDatabaseTime+7Dj
		push	4
		push	28h
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		push	[ebp+var_34]
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8FEE61
		mov	eax, [ebp+var_20]
		mov	[ebx], eax
		mov	eax, [ebp+var_1C]
		mov	[ebx+4], eax
		jmp	short loc_881EE6
KsepShimDatabaseTime endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUEventDeviceNeedsInstall proc	near	; CODE XREF: PAGE:00763CA5p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009074A6 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		push	4
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], ebx
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_4], ebx
		push	eax
		push	offset _DEVPKEY_Device_DevNodeStatus
		mov	esi, edx
		mov	[ebp+var_14], ebx
		push	ebx
		mov	edi, ecx
		mov	[ebp+var_C], ebx
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	ebx
		push	1
		mov	[ebp+var_8], ebx
		mov	[esi], bl
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_881FFC
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		push	4
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	offset _DEVPKEY_Device_ProblemCode
		push	ebx
		push	ebx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_881FFC
		mov	eax, [ebp+var_10]
		test	eax, 40000h
		jnz	short loc_882003
		and	eax, 400h
		jnz	loc_9074A6

loc_881FBD:				; CODE XREF: PiUEventDeviceNeedsInstall+85580j
		test	eax, eax
		jnz	loc_9074B5

loc_881FC5:				; CODE XREF: PiUEventDeviceNeedsInstall+85599j
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		push	4
		lea	eax, [ebp+var_14]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	offset _DEVPKEY_Device_ConfigFlags
		push	ebx
		push	ebx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_881FFC
		test	[ebp+var_14], 420h
		jz	short loc_881FFC

loc_881FF9:				; CODE XREF: PiUEventDeviceNeedsInstall+85589j
					; PiUEventDeviceNeedsInstall+85593j
		mov	byte ptr [esi],	1

loc_881FFC:				; CODE XREF: PiUEventDeviceNeedsInstall+4Bj
					; PiUEventDeviceNeedsInstall+76j ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn
; 

loc_882003:				; CODE XREF: PiUEventDeviceNeedsInstall+80j
					; PiUEventDeviceNeedsInstall+8557Aj
		mov	[esi], bl
		jmp	short loc_881FFC
PiUEventDeviceNeedsInstall endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDcGenerateConfigNotificationIfContainerRequiresConfiguration proc near
					; CODE XREF: PiDcHandleContainerEvent(x)+5Fp
					; PiDcInit(x)+1Ep

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 009074CE SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_C]
		push	ebx
		push	eax
		push	1
		lea	eax, [ebp-1]
		mov	[ebp+var_8], ebx
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_C], ebx
		push	eax
		push	offset _DEVPKEY_DeviceContainer_IsConnected
		push	ebx
		mov	edi, ecx
		mov	[ebp+var_10], ebx
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	ebx
		push	5
		mov	[ebp+var_1], bl
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_882093
		cmp	[ebp+var_1], bl
		jz	short loc_882093
		cmp	[ebp+var_8], 11h
		jnz	short loc_882093
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_C]
		push	ebx
		push	eax
		push	4
		lea	eax, [ebp+var_10]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	offset _DEVPKEY_DeviceContainer_ConfigFlags
		push	ebx
		push	ebx
		push	5
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_88209A
		cmp	[ebp+var_8], 7
		jnz	loc_9074CE
		cmp	[ebp+var_10], ebx
		jnz	short loc_88209A

loc_882093:				; CODE XREF: PiDcGenerateConfigNotificationIfContainerRequiresConfiguration+44j
					; PiDcGenerateConfigNotificationIfContainerRequiresConfiguration+49j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_88209A:				; CODE XREF: PiDcGenerateConfigNotificationIfContainerRequiresConfiguration+7Aj
					; PiDcGenerateConfigNotificationIfContainerRequiresConfiguration+89j
		cmp	esi, 0C0000225h
		jz	loc_9074CE

loc_8820A6:				; CODE XREF: PiDcGenerateConfigNotificationIfContainerRequiresConfiguration+854F0j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _WNF_PNPC_CONTAINER_CONFIG_REQUESTED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		jmp	short loc_882093
PiDcGenerateConfigNotificationIfContainerRequiresConfiguration endp


;  S U B	R O U T	I N E 


sub_8820B8	proc near		; CODE XREF: ClipInitHandles()+38p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		push	9
		pop	ecx
		mov	esi, offset unk_6D6BC0
		xor	eax, eax
		mov	edi, esi
		mov	edx, offset sub_A1B2A5
		rep stosd
		push	ecx
		push	ecx
		mov	ecx, esi
		mov	dword_6D6BDC, 9Dh
		call	sub_88247E
		mov	esi, eax
		test	esi, esi
		js	short loc_88210C
		push	0
		push	0
		mov	edx, offset ??_C@_1O@HECGKAIN@?$AAS?$AAH?$AAA?$AA2?$AA5?$AA6@NNGAKEGL@
		mov	ecx, offset dword_6D6BE0
		call	_BCryptOpenAlgorithmProvider@16	; BCryptOpenAlgorithmProvider(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_88210C
		mov	ecx, offset unk_6B3040
		call	_TraceLoggingRegister_EtwRegister_EtwSetInformation@4 ;	TraceLoggingRegister_EtwRegister_EtwSetInformation(x)

loc_88210C:				; CODE XREF: sub_8820B8+2Fj
					; sub_8820B8+48j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		retn
sub_8820B8	endp

; 
		align 8
; Exported entry 2107. RtlGenerateClass5Guid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlGenerateClass5Guid
RtlGenerateClass5Guid proc near		; CODE XREF: PipCreateComputerId+11Ep

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= word ptr -24h
var_22		= word ptr -22h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009074FD SIZE 00000031 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_3C], 0
		xor	eax, eax
		and	[ebp+var_38], 0
		and	[ebp+var_34], 0
		and	[ebp+var_2C], 0
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		lea	edi, [ebp+var_28]
		mov	[ebp+var_40], ebx
		stosd
		xor	esi, esi
		mov	[ebp+var_44], edx
		mov	[ebp+var_48], ecx
		stosd
		stosd
		stosd
		test	ebx, ebx
		jz	loc_9074FD
		test	ecx, ecx
		jz	loc_907507
		test	edx, edx
		jz	loc_907511

loc_882172:				; CODE XREF: RtlGenerateClass5Guid+853FCj
		push	0
		push	offset ??_C@_1DK@HJHMGPGD@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?5?$AAP?$AAr?$AAi?$AAm?$AAi@NNGAKEGL@ ; "Microsoft Primitive	Provider"
		mov	edx, offset ??_C@_19DILNDFJH@?$AAS?$AAH?$AAA?$AA1@NNGAKEGL@
		lea	ecx, [ebp+var_34]
		call	_BCryptOpenAlgorithmProvider@16	; BCryptOpenAlgorithmProvider(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_88229D
		push	ecx
		lea	eax, [ebp+var_3C]
		mov	edx, offset ??_C@_1BK@GPNIFMAA@?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAL?$AAe?$AAn?$AAg?$AAt?$AAh@NNGAKEGL@ ;	"ObjectLength"
		push	eax
		push	ecx
		mov	ecx, [ebp+var_34]
		lea	eax, [ebp+var_38]
		push	eax
		call	_BCryptGetProperty@24 ;	BCryptGetProperty(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_88229D
		push	64697547h
		push	[ebp+var_38]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_30], esi
		test	esi, esi
		jz	loc_907524

loc_8821CD:				; CODE XREF: RtlGenerateClass5Guid+85411j
		test	ebx, ebx
		js	loc_88229D
		mov	ecx, [ebp+var_34]
		lea	edx, [ebp+var_2C]
		sub	esp, 0Ch
		push	[ebp+var_38]
		push	esi
		call	_BCryptCreateHash@28 ; BCryptCreateHash(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_88229D
		mov	edx, [ebp+var_40]
		lea	edi, [ebp+var_28]
		mov	esi, edx
		mov	eax, [edx]
		movsd
		bswap	eax
		movsd
		movsd
		movsd
		mov	[ebp+var_28], eax
		mov	ax, [edx+4]
		mov	ch, al
		mov	cl, ah
		mov	ax, [edx+6]
		mov	[ebp+var_24], cx
		lea	edx, [ebp+var_28]
		mov	ch, al
		mov	cl, ah
		push	ecx
		mov	[ebp+var_22], cx
		mov	ecx, [ebp+var_2C]
		push	10h
		call	_BCryptHashData@16 ; BCryptHashData(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_88229A
		mov	edx, [ebp+var_44]
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_2C]
		call	_BCryptHashData@16 ; BCryptHashData(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_88229A
		push	ecx
		mov	ecx, [ebp+var_2C]
		lea	edx, [ebp+var_18]
		push	14h
		call	_BCryptFinishHash@16 ; BCryptFinishHash(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_88229A
		mov	edx, [ebp+var_48]
		lea	esi, [ebp+var_18]
		mov	edi, edx
		movsd
		movsd
		movsd
		movsd
		mov	eax, [edx]
		bswap	eax
		mov	[edx], eax
		mov	ax, [edx+4]
		mov	ch, al
		mov	cl, ah
		mov	ax, [edx+6]
		mov	[edx+4], cx
		mov	ch, al
		mov	cl, ah
		movzx	eax, cx
		and	eax, 0FFFh
		or	eax, 5000h
		mov	[edx+6], ax
		mov	al, [edx+8]
		and	al, 3Fh
		or	al, 80h
		mov	[edx+8], al

loc_88229A:				; CODE XREF: RtlGenerateClass5Guid+116j
					; RtlGenerateClass5Guid+12Bj ...
		mov	esi, [ebp+var_30]

loc_88229D:				; CODE XREF: RtlGenerateClass5Guid+72j
					; RtlGenerateClass5Guid+93j ...
		mov	ecx, [ebp+var_2C]
		test	ecx, ecx
		jz	short loc_8822A9
		call	_BCryptDestroyHash@4 ; BCryptDestroyHash(x)

loc_8822A9:				; CODE XREF: RtlGenerateClass5Guid+18Aj
		mov	ecx, [ebp+var_34]
		test	ecx, ecx
		jz	short loc_8822B5
		call	_BCryptCloseAlgorithmProvider@8	; BCryptCloseAlgorithmProvider(x,x)

loc_8822B5:				; CODE XREF: RtlGenerateClass5Guid+196j
		test	esi, esi
		jz	short loc_8822C1
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8822C1:				; CODE XREF: RtlGenerateClass5Guid+19Fj
		mov	eax, ebx

loc_8822C3:				; CODE XREF: RtlGenerateClass5Guid+853EAj
					; RtlGenerateClass5Guid+853F4j	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
RtlGenerateClass5Guid endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BCryptHashData(x, x, x, x)
_BCryptHashData@16 proc	near		; CODE XREF: RtlGenerateClass5Guid+10Dp
					; RtlGenerateClass5Guid+122p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, 0C0000002h
		mov	ecx, _SepBCryptExtensionHost
		push	edi
		mov	edi, edx
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_88230B
		push	0
		push	[ebp+arg_0]
		push	edi
		push	ebx
		call	dword ptr [eax+58h]
		mov	ecx, _SepBCryptExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_88230B:				; CODE XREF: BCryptHashData(x,x,x,x)+1Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_BCryptHashData@16 endp


;  S U B	R O U T	I N E 


; __stdcall BCryptDestroyHash(x)
_BCryptDestroyHash@4 proc near		; CODE XREF: RtlGenerateClass5Guid+18Cp
					; sub_A1AD6F+D4p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, 0C0000002h
		mov	ecx, _SepBCryptExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_88233F
		push	edi
		call	dword ptr [eax+1Ch]
		mov	ecx, _SepBCryptExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_88233F:				; CODE XREF: BCryptDestroyHash(x)+18j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_BCryptDestroyHash@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BCryptFinishHash(x,	x, x, x)
_BCryptFinishHash@16 proc near		; CODE XREF: RtlGenerateClass5Guid+136p
					; sub_A1AD6F+97p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, 0C0000002h
		mov	ecx, _SepBCryptExtensionHost
		push	edi
		mov	edi, edx
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_88237B
		push	0
		push	[ebp+arg_0]
		push	edi
		push	ebx
		call	dword ptr [eax+3Ch]
		mov	ecx, _SepBCryptExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_88237B:				; CODE XREF: BCryptFinishHash(x,x,x,x)+1Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_BCryptFinishHash@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BCryptCreateHash(x,	x, x, x, x, x, x)
_BCryptCreateHash@28 proc near		; CODE XREF: RtlGenerateClass5Guid+CAp
					; sub_A1AD6F+39p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, 0C0000002h
		mov	ecx, _SepBCryptExtensionHost
		push	edi
		mov	edi, edx
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_8823C1
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	ebx
		call	dword ptr [eax+14h]
		mov	ecx, _SepBCryptExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_8823C1:				; CODE XREF: BCryptCreateHash(x,x,x,x,x,x,x)+1Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
_BCryptCreateHash@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BCryptGetProperty(x, x, x, x, x, x)
_BCryptGetProperty@24 proc near		; CODE XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+F8p
					; SecureDump_SymmetricEncryptionSetup()+ABp ...

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, 0C0000002h
		mov	ecx, _SepBCryptExtensionHost
		push	edi
		mov	edi, edx
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_882406
		push	0
		push	[ebp+arg_8]
		push	4
		push	[ebp+arg_0]
		push	edi
		push	ebx
		call	dword ptr [eax+54h]
		mov	ecx, _SepBCryptExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_882406:				; CODE XREF: BCryptGetProperty(x,x,x,x,x,x)+1Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_BCryptGetProperty@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BCryptOpenAlgorithmProvider(x, x, x, x)
_BCryptOpenAlgorithmProvider@16	proc near
					; CODE XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+AFp
					; SecureDump_SymmetricEncryptionSetup()+2Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, 0C0000002h
		mov	ecx, _SepBCryptExtensionHost
		push	edi
		mov	edi, edx
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_882448
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	ebx
		call	dword ptr [eax+64h]
		mov	ecx, _SepBCryptExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_882448:				; CODE XREF: BCryptOpenAlgorithmProvider(x,x,x,x)+1Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_BCryptOpenAlgorithmProvider@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxRegDeleteTree(x, x, x)
__PnpCtxRegDeleteTree@12 proc near	; CODE XREF: PipInitComputerIds+DFp
					; PipInitComputerIds+133p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		test	ecx, ecx
		jz	short loc_88247A
		mov	eax, [ecx+74h]
		test	eax, eax
		jz	short loc_88247A
		mov	eax, [eax+4]

loc_882468:				; CODE XREF: _PnpCtxRegDeleteTree(x,x,x)+2Aj
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	0
		push	eax
		call	_RegRtlDeleteTreeInternal
		pop	esi
		pop	ebp
		retn	4
; 

loc_88247A:				; CODE XREF: _PnpCtxRegDeleteTree(x,x,x)+Aj
					; _PnpCtxRegDeleteTree(x,x,x)+11j
		xor	eax, eax
		jmp	short loc_882468
__PnpCtxRegDeleteTree@12 endp


;  S U B	R O U T	I N E 


sub_88247E	proc near		; CODE XREF: sub_8820B8+26p
					; sub_A1B2D2+5Ep ...
		xor	eax, eax
		mov	dword ptr [ecx], 4
		mov	[ecx+4], eax
		mov	[ecx+8], eax
		mov	[ecx+0Ch], eax
		mov	dword ptr [ecx+10h], 0Ah
		mov	[ecx+14h], edx
		mov	[ecx+18h], eax
		retn	8
sub_88247E	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipHardwareConfigGetIndex(x, x)
_PipHardwareConfigGetIndex@8 proc near	; CODE XREF: IopInitializeBootDrivers+4CAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_C], 0
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, edx
		push	esi
		test	ebx, ebx
		jz	short loc_8824FF
		lea	eax, [ebp+var_4]
		mov	edx, 20019h
		push	eax
		call	_PipHardwareConfigOpenKey@12 ; PipHardwareConfigOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8824EB
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], 4
		push	eax
		mov	edx, (offset loc_8B904F+1)
		call	_RegRtlQueryValue
		mov	esi, eax

loc_8824EB:				; CODE XREF: PipHardwareConfigGetIndex(x,x)+2Aj
		cmp	[ebp+var_4], 0
		jz	short loc_8824F9
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_8824F9:				; CODE XREF: PipHardwareConfigGetIndex(x,x)+4Fj
					; PipHardwareConfigGetIndex(x,x)+64j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8824FF:				; CODE XREF: PipHardwareConfigGetIndex(x,x)+16j
		mov	esi, 0C000000Dh
		jmp	short loc_8824F9
_PipHardwareConfigGetIndex@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpHardwareConfigCreateBootDriverFlags proc near ; CODE	XREF: IopMarkBootPartition+151p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0090752E SIZE 00000205 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_24], edx
		push	6
		pop	ecx
		lea	edi, [ebp+var_58]
		xor	ebx, ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		rep stosd
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		mov	edi, ebx
		test	edx, edx
		jz	loc_90752E
		lea	eax, [ebp+var_1C]
		mov	edx, 20019h
		push	eax
		call	_PipHardwareConfigOpenKey@12 ; PipHardwareConfigOpenKey(x,x,x)
		mov	ebx, [ebp+var_1C]
		mov	esi, eax
		test	esi, esi
		js	short loc_88259B
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_1C], 4
		push	eax
		lea	eax, [ebp+var_40]
		mov	edx, offset ??_C@_1CA@PABBOCNB@?$AAB?$AAo?$AAo?$AAt?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@ ; "BootDriverFlags"
		push	eax
		lea	eax, [ebp+var_28]
		mov	ecx, ebx
		push	eax
		call	_RegRtlQueryValue
		mov	esi, eax
		test	esi, esi
		js	loc_907538

loc_88259B:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+6Aj
					; PnpHardwareConfigCreateBootDriverFlags+85038j ...
		cmp	[ebp+var_20], 0
		jnz	loc_90770C

loc_8825A5:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+8520Ej
		test	ebx, ebx
		jz	short loc_8825AF
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_8825AF:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+A1j
		test	edi, edi
		jnz	loc_907719

loc_8825B7:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+8521Bj
		cmp	[ebp+var_14], 0
		jnz	loc_907726

loc_8825C1:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+8502Dj
					; PnpHardwareConfigCreateBootDriverFlags+85228j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PnpHardwareConfigCreateBootDriverFlags endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipHardwareConfigOpenKey(x,	x, x)
_PipHardwareConfigOpenKey@12 proc near	; CODE XREF: PipHardwareConfigGetIndex(x,x)+21p
					; PnpHardwareConfigCreateBootDriverFlags+5Ep ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		push	edi
		test	ebx, ebx
		jz	short loc_882645
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_8]
		push	eax
		push	0Fh
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_88264C
		mov	eax, _PiPnpRtlCtx
		mov	ecx, esi
		test	eax, eax
		jz	short loc_882615
		mov	ecx, [eax+74h]

loc_882615:				; CODE XREF: PipHardwareConfigOpenKey(x,x,x)+3Ej
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_C]
		push	esi
		push	offset ??_C@_1BA@OFLJGHK@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@NNGAKEGL@
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_88264C
		mov	eax, [ebp+var_4]
		mov	[ebx], eax
		mov	[ebp+var_4], esi

loc_882638:				; CODE XREF: PipHardwareConfigOpenKey(x,x,x)+7Dj
		test	esi, esi
		jnz	short loc_882651

loc_88263C:				; CODE XREF: PipHardwareConfigOpenKey(x,x,x)+78j
					; PipHardwareConfigOpenKey(x,x,x)+85j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_882645:				; CODE XREF: PipHardwareConfigOpenKey(x,x,x)+1Bj
		mov	edi, 0C000000Dh
		jmp	short loc_88263C
; 

loc_88264C:				; CODE XREF: PipHardwareConfigOpenKey(x,x,x)+33j
					; PipHardwareConfigOpenKey(x,x,x)+5Cj
		mov	esi, [ebp+var_4]
		jmp	short loc_882638
; 

loc_882651:				; CODE XREF: PipHardwareConfigOpenKey(x,x,x)+68j
		push	esi
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_88263C
_PipHardwareConfigOpenKey@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCreateArcName proc near		; CODE XREF: IoCreateArcName(x)+Bp
					; IopCreateArcNamesDisk+12Ap

var_136		= byte ptr -136h
var_135		= byte ptr -135h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_DC		= dword	ptr -0DCh
var_D4		= dword	ptr -0D4h
var_D0		= byte ptr -0D0h
var_C8		= byte ptr -0C8h
var_88		= word ptr -88h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00907733 SIZE 00000229 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 13Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+13Ch+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[esp+140h+var_134], ecx
		push	esi
		push	edi
		lea	edi, [esp+148h+var_D4]
		mov	[esp+148h+var_130], 1000h
		stosd
		xor	ebx, ebx
		push	6
		pop	ecx
		mov	[esp+148h+var_110], ebx
		mov	esi, offset _IoArcTableListHead
		stosd
		mov	[esp+148h+var_10C], ebx
		mov	[esp+148h+var_114], ebx
		mov	[esp+148h+var_120], ebx
		stosd
		xor	eax, eax
		lea	edi, [esp+148h+var_F0]
		mov	[esp+148h+var_F8], ebx
		rep stosd
		lea	edi, [esp+148h+var_108]
		mov	[esp+148h+var_F4], ebx
		stosd
		xor	ecx, ecx
		mov	[esp+148h+var_128], ecx
		mov	[esp+148h+var_124], ecx
		stosd
		stosd
		stosd
		mov	eax, ds:_IoArcTableListHead
		mov	edi, [esp+148h+var_134]

loc_8826D3:				; CODE XREF: IopCreateArcName+3CDj
		cmp	eax, esi
		jz	short loc_8826E7
		cmp	[eax+2Ch], edi
		jnz	loc_882A25
		xor	eax, eax
		jmp	loc_882A10
; 

loc_8826E7:				; CODE XREF: IopCreateArcName+7Bj
		cmp	edx, 0FFFFFFFFh
		jnz	loc_907756
		lea	eax, [esp+148h+var_128]
		push	eax
		lea	eax, [esp+14Ch+var_108]
		push	eax
		push	ecx
		push	0Ch
		lea	eax, [esp+158h+var_D4]
		push	eax
		push	ecx
		push	ecx
		push	edi
		push	2D1080h
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_907733
		push	0
		push	0
		lea	eax, [esp+150h+var_108]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edx, esi
		mov	ecx, edi
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_90773D

loc_882741:				; CODE XREF: IopCreateArcName+850F7j
		test	esi, esi
		js	loc_882A0E
		xor	ecx, ecx

loc_88274B:				; CODE XREF: IopCreateArcName+85100j
		lea	eax, [esp+148h+var_128]
		push	eax
		lea	eax, [esp+14Ch+var_108]
		push	eax
		push	ecx
		push	18h
		lea	eax, [esp+158h+var_F0]
		push	eax
		push	ecx
		push	ecx
		push	edi
		push	70000h
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_907733
		push	0
		push	0
		lea	eax, [esp+150h+var_108]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edx, esi
		mov	ecx, edi
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_90775F

loc_882799:				; CODE XREF: IopCreateArcName+85119j
		test	esi, esi
		js	loc_882A0E
		mov	edx, [esp+148h+var_DC]
		mov	eax, 200h
		cmp	edx, eax
		jb	loc_907778

loc_8827B2:				; CODE XREF: IopCreateArcName+85124j
		cmp	dword ptr [edi+2Ch], 2
		mov	[esp+148h+var_12C], 1
		jz	loc_907783
		push	6F426F49h
		mov	esi, 1000h
		push	esi
		push	eax

loc_8827D0:				; CODE XREF: IopCreateArcName+85211j
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_907945
		lea	eax, [esp+148h+var_128]
		push	eax
		lea	eax, [esp+14Ch+var_108]
		push	eax
		xor	eax, eax
		push	eax
		push	esi
		push	ebx
		push	eax
		push	eax
		push	edi
		push	70050h
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_907870
		lea	eax, [esp+148h+var_108]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	edx, esi
		mov	ecx, edi
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_907834

loc_882826:				; CODE XREF: IopCreateArcName+851EFj
		cmp	esi, 0C0000023h
		jz	loc_90784E

loc_882832:				; CODE XREF: IopCreateArcName+8521Bj
		test	esi, esi
		js	loc_8829F6
		mov	eax, [ebx]
		cmp	eax, 2
		jz	loc_907884
		test	eax, eax
		jnz	short loc_882852
		cmp	[ebx+4], eax
		jz	loc_90787A

loc_882852:				; CODE XREF: IopCreateArcName+1EDj
					; IopCreateArcName+85224j
		mov	eax, [esp+148h+var_120]
		xor	cl, cl

loc_882858:				; CODE XREF: IopCreateArcName+85233j
		mov	edi, ds:_IoArcTableListHead
		mov	[esp+148h+var_135], cl
		cmp	edi, offset _IoArcTableListHead
		jz	loc_90793B
		mov	esi, [esp+148h+var_134]

loc_882872:				; CODE XREF: IopCreateArcName+8525Dj
		cmp	byte ptr [edi+30h], 0
		jnz	loc_9078A1
		cmp	dword ptr [edi+2Ch], 0
		jnz	loc_9078A1
		test	cl, cl
		jnz	loc_9078BC
		lea	eax, [esp+148h+var_130]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	IopVerifyDiskSignature
		test	al, al
		jz	loc_9078A1
		cmp	dword ptr [edi+28h], 0
		jnz	loc_907892

loc_8828AE:				; CODE XREF: IopCreateArcName+85241j
		cmp	dword ptr [ebx], 0
		jnz	short loc_8828BF
		mov	eax, [edi+10h]
		cmp	eax, [ebx+0Ch]

loc_8828B9:				; CODE XREF: IopCreateArcName+8526Bj
		jnz	loc_9078A1

loc_8828BF:				; CODE XREF: IopCreateArcName+257j
		mov	[edi+2Ch], esi
		lea	eax, [esp+148h+var_88]
		cmp	dword ptr [esi+2Ch], 2
		push	dword ptr [esp+148h+var_D0] ; char
		jz	loc_9078CA
		push	offset ??_C@_1DM@FMJIKGBL@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@NNGAKEGL@ ; "\\Device\\Harddisk%d\\Partition0"

loc_8828DC:				; CODE XREF: IopCreateArcName+85275j
		push	40h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		lea	eax, [esp+148h+var_88]
		push	eax
		lea	eax, [esp+14Ch+var_F8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [edi+0Ch]
		push	eax		; char
		push	offset ??_C@_0M@HCOOGNOF@?2ArcName?2?$CFs@NNGAKEGL@ ; char *
		mov	[esp+150h+var_130], eax
		lea	eax, [esp+150h+var_C8]
		push	40h		; int
		push	eax		; char *
		call	RtlStringCchPrintfA
		add	esp, 10h
		lea	edx, [esp+148h+var_C8]
		lea	ecx, [esp+148h+var_110]
		call	_IopCreateUnicodeFromAnsiBuffer@8 ; IopCreateUnicodeFromAnsiBuffer(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8829F6
		lea	eax, [esp+148h+var_F8]
		push	eax
		lea	eax, [esp+14Ch+var_110]
		push	eax
		call	_IoCreateSymbolicLink@8	; IoCreateSymbolicLink(x,x)
		lea	eax, [esp+148h+var_110]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [esp+148h+var_134]
		cmp	dword ptr [ecx+2Ch], 2
		jz	loc_9078D4
		cmp	dword ptr [ebx+4], 0
		jbe	loc_8829F6
		mov	edi, [esp+148h+var_130]
		xor	esi, esi

loc_882969:				; CODE XREF: IopCreateArcName+396j
		push	[esp+148h+var_12C]
		lea	eax, [esp+14Ch+var_88]
		push	dword ptr [esp+14Ch+var_D0] ; char
		push	(offset	loc_8B846F+3) ;	wchar_t	*
		push	40h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 14h
		lea	eax, [esp+148h+var_88]
		push	eax
		lea	eax, [esp+14Ch+var_F8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[esp+148h+var_12C]
		lea	eax, [esp+14Ch+var_C8]
		push	edi		; char
		push	offset ??_C@_0BJ@FAOIOBDH@?2ArcName?2?$CFspartition?$CI?$CFd?$CJ@NNGAKEGL@ ; "\\ArcName\\%spartition(%d)"
		push	40h		; int
		push	eax		; char *
		call	RtlStringCchPrintfA
		add	esp, 14h
		lea	edx, [esp+148h+var_C8]
		lea	ecx, [esp+148h+var_110]
		call	_IopCreateUnicodeFromAnsiBuffer@8 ; IopCreateUnicodeFromAnsiBuffer(x,x)
		test	eax, eax
		js	short loc_8829E3
		lea	eax, [esp+148h+var_F8]
		push	eax
		lea	eax, [esp+14Ch+var_110]
		push	eax
		call	_IoCreateSymbolicLink@8	; IoCreateSymbolicLink(x,x)
		lea	eax, [esp+148h+var_110]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_8829E3:				; CODE XREF: IopCreateArcName+36Ej
		mov	eax, [esp+148h+var_12C]
		inc	eax
		mov	[esp+148h+var_12C], eax
		dec	eax
		cmp	eax, [ebx+4]
		jb	loc_882969

loc_8829F6:				; CODE XREF: IopCreateArcName+1DAj
					; IopCreateArcName+2D2j ...
		test	ebx, ebx
		jz	short loc_882A02
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_882A02:				; CODE XREF: IopCreateArcName+39Ej
					; IopCreateArcName+85171j ...
		mov	eax, [esp+148h+var_114]
		test	eax, eax
		jnz	loc_90794F

loc_882A0E:				; CODE XREF: IopCreateArcName+E9j
					; IopCreateArcName+141j ...
		mov	eax, esi

loc_882A10:				; CODE XREF: IopCreateArcName+88j
		mov	ecx, [esp+148h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_882A25:				; CODE XREF: IopCreateArcName+80j
		mov	eax, [eax]
		jmp	loc_8826D3
IopCreateArcName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopVerifyDiskSignature proc near	; CODE XREF: IopCreateArcName+23Dp
					; IopGetBootDiskInformation(x,x)+2D8p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090795C SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte ptr [edx+14h], 0
		push	esi
		jz	short loc_882A5C
		mov	esi, [ecx]
		lea	eax, [ecx+8]
		test	esi, esi
		jnz	loc_90795C
		mov	ecx, [eax]
		cmp	[edx+8], ecx
		jnz	short loc_882A5C
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_882A55
		mov	[eax], ecx

loc_882A55:				; CODE XREF: IopVerifyDiskSignature+25j
					; IopVerifyDiskSignature+84F5Fj ...
		mov	al, 1

loc_882A57:				; CODE XREF: IopVerifyDiskSignature+32j
		pop	esi
		pop	ebp
		retn	4
; 

loc_882A5C:				; CODE XREF: IopVerifyDiskSignature+Aj
					; IopVerifyDiskSignature+1Ej ...
		xor	al, al
		jmp	short loc_882A57
IopVerifyDiskSignature endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 786. IoCreateArcName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCreateArcName(x)
		public _IoCreateArcName@4
_IoCreateArcName@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		or	edx, 0FFFFFFFFh
		call	IopCreateArcName
		pop	ebp
		retn	4
_IoCreateArcName@4 endp

; 
		align 10h
; Exported entry 847. IoGetConfigurationInformation

;  S U B	R O U T	I N E 


; __stdcall IoGetConfigurationInformation()
		public _IoGetConfigurationInformation@0
_IoGetConfigurationInformation@0 proc near ; CODE XREF:	PAGE:loc_77ED07p
					; IopCreateArcNamesDisk+3Ep ...
		mov	eax, offset unk_A9337C
		retn
_IoGetConfigurationInformation@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExInitLicenseData proc near		; CODE XREF: sub_685EF9+129p
					; INIT:00ABFCEEp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= byte ptr -40h
var_3F		= dword	ptr -3Fh
var_3B		= word ptr -3Bh
var_39		= byte ptr -39h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00907998 SIZE 00000078 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		xor	ebx, ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		mov	edi, [eax+204h]
		mov	[ebp+var_20], edi
		mov	al, [edi+5C10h]
		mov	[ebp+var_15], al
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		push	eax
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	short loc_882AD3
		call	_ClipInitHandles@0 ; ClipInitHandles()
		call	sub_ABBE18

loc_882AD3:				; CODE XREF: ExInitLicenseData+41j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	eax, [edi+5B80h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_2C], eax
		call	ExAcquirePushLockExclusiveEx
		xor	eax, eax
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_3B], ax
		inc	eax
		mov	[ebp+var_3F], ebx
		mov	[ebp+var_39], bl
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], 2A30h
		mov	[ebp+var_44], ebx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_40], al
		cmp	_InitSafeBootMode, ebx
		jnz	loc_907998
		cmp	_InitIsWinPEMode, bl
		jnz	loc_907998

loc_882B37:				; CODE XREF: ExInitLicenseData+84F15j
		push	eax
		or	esi, 0FFFFFFFFh
		lea	eax, [ebp+var_68]
		push	esi
		push	eax
		push	edi
		call	ExpSetKernelDataProtection
		mov	eax, esi
		lea	ecx, [edi+5B80h]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_882B63
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [edi+5B80h]

loc_882B63:				; CODE XREF: ExInitLicenseData+D0j
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		lea	ecx, [edi+5B80h]
		call	ExAcquirePushLockExclusiveEx
		mov	[edi+4], ebx
		lea	ecx, [edi+5B80h]
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_882B9F
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [edi+5B80h]

loc_882B9F:				; CODE XREF: ExInitLicenseData+10Cj
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[edi], ebx
		jz	loc_882CDB
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		lea	ecx, [edi+5B80h]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, edi
		call	sub_88355C
		mov	[ebp+var_34], eax
		cmp	eax, 0C000003Eh
		jz	loc_9079A0
		mov	cl, [edi+5C10h]
		mov	[ebp+var_1C], ecx

loc_882BE1:				; CODE XREF: ExInitLicenseData+84F23j
		mov	eax, esi
		lea	esi, [edi+5B80h]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jz	loc_882D0F

loc_882BF7:				; CODE XREF: ExInitLicenseData+290j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_1C]
		cmp	[ebp+var_15], bl
		jnz	short loc_882C13
		test	al, al
		jnz	loc_9079AE

loc_882C13:				; CODE XREF: ExInitLicenseData+183j
					; ExInitLicenseData+84F35j
		cmp	[ebp+var_34], ebx
		jl	short loc_882C37
		test	al, al
		jnz	short loc_882C37
		mov	eax, [edi]
		mov	ecx, ds:dword_A93F18
		push	eax
		mov	edx, [eax+14000h]
		test	ecx, ecx
		jz	loc_9079C0
		push	edx
		push	edi
		call	ecx

loc_882C37:				; CODE XREF: ExInitLicenseData+190j
					; ExInitLicenseData+194j ...
		push	10h
		lea	ecx, [ebp+var_14]
		pop	esi

loc_882C3D:				; CODE XREF: ExInitLicenseData+1BFj
		rdtsc
		mov	[ecx], al
		inc	ecx
		sub	esi, 1
		jnz	short loc_882C3D
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		lea	ecx, [edi+5B80h]
		call	ExAcquirePushLockExclusiveEx
		add	edi, 5C11h
		lea	esi, [ebp+var_14]
		or	eax, 0FFFFFFFFh
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_2C]
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_882C7D
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_882C7D:				; CODE XREF: ExInitLicenseData+1EEj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		push	eax
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		mov	esi, [ebp+var_20]
		test	al, al
		jz	loc_9079CC

loc_882CAD:				; CODE XREF: ExInitLicenseData+84F4Aj
					; ExInitLicenseData+84F5Bj
		mov	[esi], ebx
		cmp	[esi+5B7Ch], ebx
		jz	loc_9079E6

loc_882CBB:				; CODE XREF: ExInitLicenseData+84F68j
					; ExInitLicenseData+84F85j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_882CCF
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_882CCF:				; CODE XREF: ExInitLicenseData+240j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_882CDB:				; CODE XREF: ExInitLicenseData+125j
		cmp	_ExpSystemSetupInProgress, bl
		jnz	short loc_882D00
		lea	ecx, [ebp+var_28]
		call	ExGetExpirationDate
		test	eax, eax
		js	short loc_882D1B
		mov	eax, [ebp+var_24]
		mov	ebx, [ebp+var_28]

loc_882CF5:				; CODE XREF: ExInitLicenseData+297j
		mov	ds:0FFDF02C8h, ebx
		mov	ds:0FFDF02CCh, eax

loc_882D00:				; CODE XREF: ExInitLicenseData+25Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_882D0F:				; CODE XREF: ExInitLicenseData+16Bj
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_882BF7
; 

loc_882D1B:				; CODE XREF: ExInitLicenseData+267j
		mov	eax, ebx
		jmp	short loc_882CF5
ExInitLicenseData endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExGetExpirationDate proc near		; CODE XREF: ExInitLicenseData+260p
					; ExInitializeTimeRefresh+20p

var_48		= dword	ptr -48h
var_44		= word ptr -44h
var_42		= word ptr -42h
var_40		= word ptr -40h
var_3E		= word ptr -3Eh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= word ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_F		= byte ptr -0Fh
var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= byte ptr -0Ch
var_B		= byte ptr -0Bh
var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00907A10 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		xor	ecx, ecx
		stosd
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		stosd
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_24]
		stosd
		stosd
		stosd
		stosd
		test	ebx, ebx
		jz	loc_907A10
		push	offset ??_C@_1CM@BIAGPLBJ@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAE?$AAx?$AAp?$AAi?$AAr?$AAa?$AAt?$AAi@NNGAKEGL@
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_2C]
		push	eax
		push	10h
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_907A24
		push	10h		; size_t
		lea	eax, [ebp+var_14]
		push	eax		; void *
		lea	eax, [ebp+var_24]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_882DC5
		and	[ebx], eax
		and	[ebx+4], eax

loc_882DAC:				; CODE XREF: ExGetExpirationDate+129j
					; ExGetExpirationDate+84CFFj
		test	esi, esi
		js	loc_907A24

loc_882DB4:				; CODE XREF: ExGetExpirationDate+84CF5j
					; ExGetExpirationDate+84D0Bj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_882DC5:				; CODE XREF: ExGetExpirationDate+85j
		mov	al, byte ptr [ebp+var_14]
		mov	byte ptr [ebp+var_28], al
		mov	al, byte ptr [ebp+var_14+1]
		mov	byte ptr [ebp+var_28+1], al
		mov	ax, [ebp+var_28]
		mov	word ptr [ebp+var_48], ax
		mov	al, byte ptr [ebp+var_14+2]
		mov	byte ptr [ebp+var_28], al
		mov	al, byte ptr [ebp+var_14+3]
		mov	byte ptr [ebp+var_28+1], al
		mov	ax, [ebp+var_28]
		mov	word ptr [ebp+var_48+2], ax
		mov	al, [ebp+var_10]
		mov	byte ptr [ebp+var_28], al
		mov	al, [ebp+var_F]
		mov	byte ptr [ebp+var_28+1], al
		mov	ax, [ebp+var_28]
		mov	[ebp+var_44], ax
		mov	al, [ebp+var_E]
		mov	byte ptr [ebp+var_28], al
		mov	al, [ebp+var_D]
		mov	byte ptr [ebp+var_28+1], al
		mov	ax, [ebp+var_28]
		mov	[ebp+var_42], ax
		mov	al, [ebp+var_C]
		mov	byte ptr [ebp+var_28], al
		mov	al, [ebp+var_B]
		mov	byte ptr [ebp+var_28+1], al
		mov	ax, [ebp+var_28]
		mov	[ebp+var_40], ax
		mov	al, [ebp+var_A]
		mov	byte ptr [ebp+var_28], al
		mov	al, [ebp+var_9]
		mov	byte ptr [ebp+var_28+1], al
		mov	ax, [ebp+var_28]
		mov	[ebp+var_3E], ax
		lea	eax, [ebp+var_48]
		push	ebx
		push	eax
		call	_RtlTimeFieldsToTime@8 ; RtlTimeFieldsToTime(x,x)
		test	al, al
		jnz	loc_882DAC
		jmp	loc_907A1A
ExGetExpirationDate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SLQueryLicenseValueInternal proc near	; CODE XREF: ntoskrnl_27+34p
					; PAGE:008DD612p

var_190		= dword	ptr -190h
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_129		= byte ptr -129h
var_128		= dword	ptr -128h
var_122		= dword	ptr -122h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_94		= dword	ptr -94h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00907A30 SIZE 0000002C BYTES
; FUNCTION CHUNK AT 00907AC7 SIZE 00000049 BYTES
; FUNCTION CHUNK AT 00907B40 SIZE 00000242 BYTES

		push	188h
		push	offset dword_6A4B20
		call	__SEH_prolog4_GS
		mov	edi, edx
		mov	[ebp+var_184], edi
		mov	[ebp+var_130], ecx
		mov	[ebp+var_178], ecx
		mov	[ebp+var_17C], edi
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_168], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_15C], eax
		mov	edx, [ebp+arg_C]
		mov	[ebp+var_13C], edx
		xor	ebx, ebx
		mov	[ebp+var_128], ebx
		mov	[ebp+var_170], ebx
		mov	[ebp+var_16C], ebx
		mov	byte ptr [ebp+var_122],	bl
		mov	[ebp+var_14C], ebx
		mov	[ebp+var_164], ebx
		xor	eax, eax
		inc	eax
		mov	[ebp+var_144], eax
		mov	[ebp+var_129], al
		test	edi, edi
		jz	loc_907D5B
		test	edx, edx
		jz	loc_907D5B
		mov	esi, ebx
		mov	[ebp+var_138], esi
		mov	[ebp+var_128], esi
		cmp	[edi+4], ebx
		jz	loc_907D5B
		movzx	edx, word ptr [edi]
		and	[ebp+var_134], ebx
		cmp	word ptr [ebp+var_134],	dx
		jz	loc_907D5B
		mov	[ebp+var_140], 2
		cmp	word ptr [ebp+var_140],	dx
		ja	loc_907D5B
		mov	byte ptr [ebp+var_170],	al
		mov	[ebp+var_16C], edi
		call	ExpLoadAndSortLicensingCacheDescriptors
		mov	[ebp+var_180], eax
		mov	[ebp+var_134], ebx
		mov	byte ptr [ebp+var_122+1], bl
		mov	[ebp+var_154], 1
		mov	eax, [ebp+var_16C]
		movzx	eax, word ptr [eax]
		mov	[ebp+var_188], eax
		mov	eax, offset off_A46548
		mov	[ebp+var_148], eax
		mov	edx, eax
		mov	[ebp+var_158], edx
		mov	ecx, ebx
		mov	[ebp+var_150], ebx

loc_882F78:				; CODE XREF: SLQueryLicenseValueInternal+15Cj
		movzx	eax, word ptr [edx+4]
		mov	[ebp+var_160], eax
		cmp	word ptr [ebp+var_188],	ax
		jz	loc_8830FB
		movzx	eax, ax
		add	[ebp+var_154], eax

loc_882F98:				; CODE XREF: SLQueryLicenseValueInternal+340j
		add	ecx, 14h
		mov	[ebp+var_150], ecx
		add	edx, 14h
		mov	[ebp+var_158], edx
		cmp	ecx, 118h
		jb	short loc_882F78
		mov	ecx, ebx

loc_882FB4:				; CODE XREF: SLQueryLicenseValueInternal+3FBj
		test	ecx, ecx
		jnz	loc_883254

loc_882FBC:				; CODE XREF: SLQueryLicenseValueInternal+451j
					; SLQueryLicenseValueInternal+84CA7j
		cmp	byte ptr [ebp+var_122],	0
		jnz	loc_8832B0
		mov	esi, [ebp+var_180]
		test	esi, esi
		js	loc_8832E6
		mov	[ebp+var_128], ebx
		mov	[ebp+var_150], ebx
		lea	eax, [ebp+var_160]
		push	eax		; int
		push	4		; int
		lea	eax, [ebp+var_150]
		push	eax		; void *
		push	ebx		; int
		mov	edx, offset dword_A418D0
		mov	ecx, [ebp+var_130]
		call	ExpQueryLicenseValueFromBlobHelper
		mov	esi, eax
		mov	[ebp+var_138], esi
		mov	[ebp+var_128], esi
		cmp	ds:dword_A93E8C, 0
		jnz	loc_907B40

loc_88301F:				; CODE XREF: SLQueryLicenseValueInternal+84CF3j
					; SLQueryLicenseValueInternal+84D07j
		mov	edi, [ebp+var_130]

loc_883025:				; CODE XREF: SLQueryLicenseValueInternal+84DE9j
					; SLQueryLicenseValueInternal+84E36j ...
		cmp	[ebp+var_129], 0
		jz	short loc_88306A
		push	[ebp+var_13C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+var_15C]	; void *
		push	[ebp+var_168]	; int
		lea	edx, [ebp+var_170]
		mov	ecx, edi
		call	ExpQueryLicenseValueFromBlobHelper
		mov	esi, eax
		mov	[ebp+var_138], esi
		mov	[ebp+var_128], esi
		cmp	esi, 0C000003Eh
		jz	loc_907CB4

loc_88306A:				; CODE XREF: SLQueryLicenseValueInternal+1D8j
					; SLQueryLicenseValueInternal+84EB7j
		mov	eax, [ebp+var_16C]
		movzx	edx, word ptr [eax]
		mov	[ebp+var_174], edx
		mov	ecx, ebx
		mov	[ebp+var_134], ebx
		mov	eax, offset off_A46548

loc_883086:				; CODE XREF: SLQueryLicenseValueInternal+26Cj
		movzx	eax, word ptr [eax+4]
		mov	[ebp+var_160], eax
		cmp	dx, ax
		jz	loc_883199
		movzx	eax, ax
		add	[ebp+var_144], eax

loc_8830A2:				; CODE XREF: SLQueryLicenseValueInternal+3DEj
		add	ecx, 14h
		mov	[ebp+var_134], ecx
		mov	eax, [ebp+var_148]
		add	eax, 14h
		mov	[ebp+var_148], eax
		cmp	ecx, 118h
		jb	short loc_883086
		mov	eax, ebx

loc_8830C4:				; CODE XREF: SLQueryLicenseValueInternal+48Dj
		test	eax, eax
		jnz	loc_907D10

loc_8830CC:				; CODE XREF: SLQueryLicenseValueInternal+47Fj
					; SLQueryLicenseValueInternal+498j ...
		cmp	[ebp+var_164], 0
		jnz	loc_907D65

loc_8830D9:				; CODE XREF: SLQueryLicenseValueInternal+84F1Dj
		mov	edi, [ebp+var_14C]
		test	edi, edi
		jnz	loc_907D76

loc_8830E7:				; CODE XREF: SLQueryLicenseValueInternal+84F29j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_8830FB:				; CODE XREF: SLQueryLicenseValueInternal+135j
		mov	ecx, [ebp+var_188]
		movzx	ecx, cx
		shr	ecx, 1
		mov	[ebp+var_190], ebx
		jz	short loc_88316B
		mov	eax, [ebp+var_16C]
		mov	eax, [eax+4]
		mov	edi, ecx
		mov	edx, ebx
		mov	esi, [ebp+var_154]
		mov	ebx, eax

loc_883123:				; CODE XREF: SLQueryLicenseValueInternal+2F5j
		movzx	eax, si
		mov	ecx, eax
		shl	ecx, 8
		inc	eax
		or	ecx, eax
		or	ecx, 5555h
		xor	cx, [ebx+edx*2]
		mov	word ptr [ebp+edx*2+var_104], cx
		add	esi, [ebp+var_140]
		inc	edx
		cmp	edx, edi
		jb	short loc_883123
		mov	[ebp+var_154], esi
		mov	esi, [ebp+var_138]
		xor	ebx, ebx
		mov	edi, [ebp+var_184]
		mov	edx, [ebp+var_158]
		mov	eax, [ebp+var_160]

loc_88316B:				; CODE XREF: SLQueryLicenseValueInternal+2B8j
		movzx	eax, ax
		push	eax		; size_t
		push	dword ptr [edx]	; void *
		lea	eax, [ebp+var_104]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_883237
		mov	edx, [ebp+var_158]
		mov	ecx, [ebp+var_150]
		jmp	loc_882F98
; 

loc_883199:				; CODE XREF: SLQueryLicenseValueInternal+23Fj
		movzx	ecx, dx
		shr	ecx, 1
		mov	[ebp+var_17C], ecx
		mov	[ebp+var_180], ebx
		jz	short loc_883203
		mov	eax, [ebp+var_16C]
		mov	eax, [eax+4]
		mov	edx, [ebp+var_144]
		mov	edi, ebx
		mov	ebx, ecx
		mov	esi, eax

loc_8831C1:				; CODE XREF: SLQueryLicenseValueInternal+393j
		movzx	eax, dx
		mov	ecx, eax
		shl	ecx, 8
		inc	eax
		or	ecx, eax
		or	ecx, 5555h
		xor	cx, [esi+edi*2]
		mov	word ptr [ebp+edi*2+var_94], cx
		add	edx, [ebp+var_140]
		inc	edi
		cmp	edi, ebx
		jb	short loc_8831C1
		mov	[ebp+var_144], edx
		mov	esi, [ebp+var_138]
		xor	ebx, ebx
		mov	edi, [ebp+var_130]
		mov	eax, [ebp+var_160]

loc_883203:				; CODE XREF: SLQueryLicenseValueInternal+356j
		movzx	eax, ax
		push	eax		; size_t
		mov	eax, [ebp+var_148]
		push	dword ptr [eax]	; void *
		lea	eax, [ebp+var_94]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8832D8
		mov	ecx, [ebp+var_134]
		mov	edx, [ebp+var_174]
		jmp	loc_8830A2
; 

loc_883237:				; CODE XREF: SLQueryLicenseValueInternal+32Ej
		mov	eax, [ebp+var_158]
		mov	ecx, [eax+8]
		mov	[ebp+var_134], ecx
		mov	al, [eax+10h]
		mov	byte ptr [ebp+var_122+1], al
		jmp	loc_882FB4
; 

loc_883254:				; CODE XREF: SLQueryLicenseValueInternal+162j
		cmp	byte ptr [ebp+var_122+1], 0
		jnz	loc_907A30
		mov	esi, [ebp+var_130]

loc_883267:				; CODE XREF: SLQueryLicenseValueInternal+84C03j
		mov	[ebp+ms_exc.disabled], ebx
		lea	eax, [ebp+var_122]
		push	eax
		push	[ebp+var_13C]
		push	[ebp+arg_8]
		push	[ebp+var_15C]
		push	[ebp+var_168]
		push	esi
		call	ecx
		mov	esi, eax
		mov	[ebp+var_128], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_130]

loc_88329E:				; CODE XREF: sub_907A6F+53j
		cmp	byte ptr [ebp+var_122+1], 0
		jz	loc_882FBC
		jmp	loc_907AC7
; 

loc_8832B0:				; CODE XREF: SLQueryLicenseValueInternal+16Fj
		mov	[ebp+ms_exc.disabled], 1
		test	esi, esi
		js	short loc_8832CC
		mov	eax, [ebp+var_13C]
		mov	eax, [eax]
		cmp	eax, [ebp+arg_8]
		ja	loc_907B00

loc_8832CC:				; CODE XREF: SLQueryLicenseValueInternal+465j
					; SLQueryLicenseValueInternal+84CB7j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_8830CC
; 

loc_8832D8:				; CODE XREF: SLQueryLicenseValueInternal+3CCj
		mov	eax, [ebp+var_148]
		mov	eax, [eax+0Ch]
		jmp	loc_8830C4
; 

loc_8832E6:				; CODE XREF: SLQueryLicenseValueInternal+17Dj
					; SLQueryLicenseValueInternal+84D3Aj ...
		mov	[ebp+var_128], esi
		jmp	loc_8830CC
SLQueryLicenseValueInternal endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpQueryLicenseValueFromBlob(int,void *,int,int)
ExpQueryLicenseValueFromBlob proc near	; CODE XREF: ExpQueryLicenseValueFromBlobHelper+6Bp

var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	10h
		push	offset dword_6A4B68
		call	__SEH_prolog4
		xor	esi, esi
		push	offset sub_8986CA ; int	__cdecl	(*)(const void *,const void *)
		push	8		; size_t
		push	dword ptr [ecx+5B74h] ;	size_t
		lea	eax, [ecx+0Ch]
		push	eax		; void *
		push	edx		; void *
		call	_bsearch
		add	esp, 14h
		test	eax, eax
		jz	short loc_883382
		mov	edx, [eax+4]
		and	[ebp+ms_exc.disabled], esi
		movzx	ecx, word ptr [edx+6]
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_88337A

loc_883334:				; CODE XREF: ExpQueryLicenseValueFromBlob+8Ej
		movzx	eax, word ptr [edx+6]
		cmp	eax, [ebp+arg_8]
		ja	short loc_883389
		cmp	[ebp+arg_4], 0
		jz	short loc_883359
		push	eax		; size_t
		movzx	eax, word ptr [edx+2]
		add	edx, 10h
		add	eax, edx
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_883359:				; CODE XREF: ExpQueryLicenseValueFromBlob+4Fj
					; sub_907D92+9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		js	short loc_883366
		xor	esi, esi

loc_883366:				; CODE XREF: ExpQueryLicenseValueFromBlob+70j
					; ExpQueryLicenseValueFromBlob+95j ...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_88337A:				; CODE XREF: ExpQueryLicenseValueFromBlob+40j
		movzx	eax, word ptr [edx+4]
		mov	[ecx], eax
		jmp	short loc_883334
; 

loc_883382:				; CODE XREF: ExpQueryLicenseValueFromBlob+2Aj
		mov	esi, 0C0000034h
		jmp	short loc_883366
; 

loc_883389:				; CODE XREF: ExpQueryLicenseValueFromBlob+49j
		mov	esi, 0C0000023h
		mov	[ebp+var_20], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_883366
ExpQueryLicenseValueFromBlob endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpLoadAndSortLicensingCacheDescriptors	proc near
					; CODE XREF: SLQueryLicenseValueInternal+D9p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 00907DA0 SIZE 00000018 BYTES
; FUNCTION CHUNK AT 00907DC2 SIZE 00000060 BYTES
; FUNCTION CHUNK AT 00907E3E SIZE 0000000F BYTES

		push	20h
		push	offset dword_6A4B88
		call	__SEH_prolog4
		mov	esi, ecx
		mov	[ebp+var_2C], esi
		mov	eax, esi
		mov	[ebp+var_28], eax
		mov	[ebp+var_30], eax
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1A], bl
		mov	[ebp+var_19], bl
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+5B80h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		cmp	[esi+5C10h], bl
		jnz	loc_907DA0
		cmp	[esi+5B78h], bl
		jz	short loc_883431
		cmp	[esi+5B74h], ebx
		jz	loc_907DAC

loc_8833FC:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+9Bj
					; ExpLoadAndSortLicensingCacheDescriptors+84A0Dj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_8834FF
		mov	edi, [ebp+var_20]
		test	edi, edi
		js	short loc_883415
		cmp	[ebp+var_1A], 1
		jz	short loc_883437

loc_883415:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+73j
					; ExpLoadAndSortLicensingCacheDescriptors+160j
		cmp	[ebp+var_19], 0
		jnz	loc_907E3E

loc_88341F:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+84AAEj
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_883431:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+54j
		mov	[ebp+var_1A], 1
		jmp	short loc_8833FC
; 

loc_883437:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+79j
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+5B80h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		cmp	byte ptr [esi+5B78h], 1
		jz	loc_8834EE
		mov	eax, [esi]
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_907DC2
		mov	ecx, esi
		call	sub_88355C
		mov	edi, eax
		mov	[ebp+var_20], edi
		test	edi, edi
		js	short loc_8834EE
		mov	eax, [ebp+var_24]

loc_883486:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+84A38j
		test	byte ptr [eax+0Ch], 1
		jnz	loc_907DD7

loc_883490:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+84A4Aj
		lea	ecx, [esi+5B74h]
		mov	edx, [ebp+var_30]
		add	edx, 0Ch
		mov	[ebp+var_30], edx
		cmp	[ecx], ebx
		jnz	short loc_8834C1
		push	ecx		; int
		push	0B6Dh		; int
		push	edx		; void *
		mov	dl, 1
		mov	ecx, eax
		call	sub_8835AA
		mov	edi, eax
		mov	[ebp+var_20], edi
		lea	ecx, [esi+5B74h]
		mov	edx, [ebp+var_30]

loc_8834C1:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+107j
		test	edi, edi
		js	loc_907DE9
		mov	eax, [ecx]
		test	eax, eax
		jz	loc_907E0C
		push	offset sub_8986CA ; int	__cdecl	(*)(const void *,const void *)
		push	8		; size_t
		push	eax		; size_t
		push	edx		; void *
		call	_qsort
		add	esp, 10h
		mov	eax, [ebp+var_28]
		mov	byte ptr [eax+5B78h], 1

loc_8834EE:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+C6j
					; ExpLoadAndSortLicensingCacheDescriptors+E7j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_883530
		jmp	loc_883415
ExpLoadAndSortLicensingCacheDescriptors	endp


;  S U B	R O U T	I N E 


sub_8834FF	proc near		; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+69p
					; sub_907DB8+5j
		lea	edi, [esi+5B80h]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jnz	short loc_883527

loc_883513:				; CODE XREF: sub_8834FF+2Fj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		retn
; 

loc_883527:				; CODE XREF: sub_8834FF+12j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		jmp	short loc_883513
sub_8834FF	endp


;  S U B	R O U T	I N E 


sub_883530	proc near		; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+15Bp
					; sub_907E22+3j

; FUNCTION CHUNK AT 00907E2A SIZE 00000014 BYTES

		add	esi, 5B80h
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_907E2A

loc_883545:				; CODE XREF: sub_883530+848FCj
					; sub_883530+84909j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, [ebp-20h]
		retn
sub_883530	endp


;  S U B	R O U T	I N E 


sub_88355C	proc near		; CODE XREF: ExInitLicenseData+13Fp
					; ExpLoadAndSortLicensingCacheDescriptors+DBp
		mov	eax, [ecx]
		push	esi
		test	eax, eax
		jz	short loc_88359E
		cmp	dword ptr [eax+14004h],	3
		jnz	short loc_8835A2
		mov	edx, [eax+14000h]
		cmp	edx, 18h
		jb	short loc_8835A2
		mov	ecx, [eax]
		cmp	edx, ecx
		jb	short loc_8835A2
		cmp	ecx, 18h
		jb	short loc_8835A2
		mov	esi, [eax+4]
		cmp	edx, esi
		jb	short loc_8835A2
		cmp	ecx, esi
		jb	short loc_8835A2
		mov	eax, [eax+8]
		cmp	edx, eax
		jb	short loc_8835A2
		cmp	ecx, eax
		jb	short loc_8835A2
		add	eax, esi
		cmp	eax, ecx
		ja	short loc_8835A2

loc_88359E:				; CODE XREF: sub_88355C+5j
		xor	eax, eax
		pop	esi
		retn
; 

loc_8835A2:				; CODE XREF: sub_88355C+Ej
					; sub_88355C+19j ...
		mov	eax, 0C000003Eh
		pop	esi
		retn
sub_88355C	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	sub_8835AA(void	*,int,int)
sub_8835AA	proc near		; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+114p
					; SLUpdateLicenseDataInternal(x,x,x)+4CDp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		mov	[ebp+var_1], dl
		mov	edx, ecx
		mov	[ebp+var_8], edx
		test	edi, edi
		jz	short loc_8835DC
		mov	eax, ebx
		shl	eax, 3
		push	eax		; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		mov	edx, [ebp+var_8]
		add	esp, 0Ch

loc_8835DC:				; CODE XREF: sub_8835AA+1Dj
		mov	ecx, [edx+4]
		lea	eax, [edx+14h]
		add	ecx, 14h
		add	edx, ecx
		mov	[ebp+arg_0], ecx
		mov	ecx, eax
		mov	[ebp+var_18], edx
		sub	ecx, edx

loc_8835F1:				; CODE XREF: sub_8835AA+E6j
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		jz	loc_8836A0
		mov	edx, ecx
		sub	edx, [ebp+var_8]
		cmp	[ebp+var_1], 1
		jnz	short loc_883675
		lea	eax, [edx+14h]
		cmp	eax, [ebp+arg_0]
		ja	loc_883699
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_C], eax
		movzx	eax, ax
		mov	[ebp+var_10], eax
		add	eax, edx
		cmp	eax, [ebp+arg_0]
		ja	short loc_883699
		movzx	eax, word ptr [ecx+2]
		mov	[ebp+var_14], eax
		cmp	ax, word ptr [ebp+var_C]
		ja	short loc_883699
		mov	edx, [ebp+var_10]
		add	edx, ecx
		cmp	edx, ecx
		jb	short loc_883699
		movzx	eax, ax
		lea	ebx, [ecx+10h]
		mov	[ebp+var_14], eax
		add	eax, 10h
		add	eax, ecx
		mov	[ebp+var_10], ebx
		cmp	eax, ebx
		mov	ebx, [ebp+arg_4]
		jb	short loc_883699
		cmp	eax, edx
		ja	short loc_883699
		movzx	eax, word ptr [ecx+6]
		add	eax, 10h
		add	eax, [ebp+var_14]
		add	eax, ecx
		cmp	eax, [ebp+var_10]
		jb	short loc_883699
		cmp	eax, edx
		ja	short loc_883699
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	short loc_883695

loc_883675:				; CODE XREF: sub_8835AA+5Cj
					; sub_8835AA+EDj
		test	edi, edi
		jz	short loc_883685
		cmp	esi, ebx
		jnb	short loc_883685
		mov	byte ptr [edi+esi*8], 2
		mov	[edi+esi*8+4], ecx

loc_883685:				; CODE XREF: sub_8835AA+CDj
					; sub_8835AA+D1j
		movzx	eax, word ptr [ecx]
		inc	esi
		add	eax, ecx
		mov	ecx, eax
		sub	ecx, [ebp+var_18]
		jmp	loc_8835F1
; 

loc_883695:				; CODE XREF: sub_8835AA+C9j
		test	al, 3
		jnz	short loc_883675

loc_883699:				; CODE XREF: sub_8835AA+64j
					; sub_8835AA+7Bj ...
		mov	eax, 0C000003Eh
		jmp	short loc_8836B2
; 

loc_8836A0:				; CODE XREF: sub_8835AA+4Dj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_8836A9
		mov	[eax], esi

loc_8836A9:				; CODE XREF: sub_8835AA+FBj
		cmp	ebx, esi
		sbb	eax, eax
		and	eax, 0C0000023h

loc_8836B2:				; CODE XREF: sub_8835AA+F4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
sub_8835AA	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpKernelExpirationDateCacheProvider proc near ; DATA XREF: PAGE:00A465F0o

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_F		= byte ptr -0Fh
var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= byte ptr -0Ch
var_B		= byte ptr -0Bh
var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00907E4D SIZE 0000006A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_10]
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		mov	[ebp+var_1C], eax
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		lea	edi, [ebp+var_38]
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		stosd
		push	10h
		stosd
		stosd
		stosd
		pop	eax
		mov	[ecx], eax
		cmp	[ebp+arg_C], eax
		jb	short loc_88372D
		test	edx, edx
		jz	short loc_883707
		mov	dword ptr [edx], 3

loc_883707:				; CODE XREF: ExpKernelExpirationDateCacheProvider+45j
		lea	eax, [ebp+var_28]
		push	eax
		call	SeCodeIntegrityGetBuildExpiryTime
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_907E4D

loc_88371A:				; CODE XREF: ExpKernelExpirationDateCacheProvider+78j
					; ExpKernelExpirationDateCacheProvider+847F8j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_88372D:				; CODE XREF: ExpKernelExpirationDateCacheProvider+41j
		mov	ebx, 0C0000023h
		jmp	short loc_88371A
ExpKernelExpirationDateCacheProvider endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry  23.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeCodeIntegrityGetBuildExpiryTime
SeCodeIntegrityGetBuildExpiryTime proc near
					; CODE XREF: ExpKernelExpirationDateCacheProvider+51p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00907EB7 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6BEA7C
		test	eax, eax
		jz	loc_907EB7
		pop	ebp
		jmp	eax
SeCodeIntegrityGetBuildExpiryTime endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCloudbookHardwareLockedProvider(x, x, x,	x, x, x)
_ExpCloudbookHardwareLockedProvider@24 proc near ; DATA	XREF: PAGE:00A4662Co
					; PAGE:00A46640o ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+arg_14]
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		push	9
		pop	ecx
		push	edx		; int
		mov	[ebp+var_2C], eax
		lea	edi, [ebp+var_28]
		xor	eax, eax
		mov	[ebp+var_38], edx
		push	ebx		; int
		rep stosd
		mov	edi, [ebp+arg_C]
		mov	edx, offset dword_A4189C
		push	edi		; int
		push	[ebp+var_2C]	; void *
		mov	[ebp+var_30], esi
		push	esi		; int
		call	ExpOsProductCacheProviderHelper
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_8837F7
		test	esi, esi
		jns	short loc_8837F7
		xor	esi, esi
		mov	dword ptr [ebx], 4
		push	esi
		push	24h
		lea	eax, [ebp+var_28]
		push	eax
		push	0BEh
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_883811
		cmp	edi, [ebx]
		jb	short loc_88380A
		mov	eax, [ebp+var_28]
		xor	ecx, ecx
		and	eax, 5
		cmp	al, 5
		mov	eax, [ebp+var_30]
		setz	cl
		mov	[ebp+var_34], ecx
		mov	dword ptr [eax], 4
		lea	eax, [ebp+var_34]
		push	dword ptr [ebx]	; size_t
		push	eax		; void *
		push	[ebp+var_2C]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_8837F1:				; CODE XREF: ExpCloudbookHardwareLockedProvider(x,x,x,x,x,x)+BFj
					; ExpCloudbookHardwareLockedProvider(x,x,x,x,x,x)+C6j
		mov	eax, [ebp+var_38]
		mov	byte ptr [eax],	1

loc_8837F7:				; CODE XREF: ExpCloudbookHardwareLockedProvider(x,x,x,x,x,x)+50j
					; ExpCloudbookHardwareLockedProvider(x,x,x,x,x,x)+54j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_88380A:				; CODE XREF: ExpCloudbookHardwareLockedProvider(x,x,x,x,x,x)+75j
		mov	esi, 0C0000023h
		jmp	short loc_8837F1
; 

loc_883811:				; CODE XREF: ExpCloudbookHardwareLockedProvider(x,x,x,x,x,x)+71j
		mov	esi, 0C0000034h
		jmp	short loc_8837F1
_ExpCloudbookHardwareLockedProvider@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpOsProductCacheProviderHelper(int,void *,int,int,int)
ExpOsProductCacheProviderHelper	proc near
					; CODE XREF: ExpCloudbookHardwareLockedProvider(x,x,x,x,x,x)+43p
					; ExpCloudbookHardwareIDProvider(x,x,x,x,x,x)+40p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00907EC7 SIZE 0000007E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		push	edi
		push	offset dword_A415E0
		mov	byte ptr [eax],	1
		xor	edi, edi
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], edi
		push	eax
		mov	ebx, edx
		mov	[ebp+var_4], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_88387A
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		push	edi
		push	2
		push	ebx
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_907EC7
		cmp	esi, 0C0000023h
		jz	loc_907EC7

loc_883872:				; CODE XREF: ExpOsProductCacheProviderHelper+846C9j
					; ExpOsProductCacheProviderHelper+84728j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_88387A:				; CODE XREF: ExpOsProductCacheProviderHelper+31j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
ExpOsProductCacheProviderHelper	endp

; 
		align 8
; Exported entry 981. IoSetDevicePropertyData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoSetDevicePropertyData
IoSetDevicePropertyData	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		test	esi, esi
		jz	loc_9081D9
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_9080FE
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_9080FE
		mov	edx, [ebp+arg_18]
		mov	eax, edx
		push	edx
		neg	eax
		sbb	eax, eax
		and	eax, [ebp+arg_14]
		neg	edx
		push	eax
		sbb	edx, edx
		and	edx, [ebp+arg_10]
		push	edx
		mov	edx, [ebp+arg_4]
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, esi
		call	PnpSetDevicePropertyData
		pop	esi
		pop	ebx
		pop	edi
		pop	ebp
		retn	1Ch
IoSetDevicePropertyData	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpSetDevicePropertyData proc near	; CODE XREF: IoSetDevicePropertyData+55p

var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00908220 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_BC], eax
		xor	edi, edi
		mov	eax, 0AAh
		mov	esi, edx
		push	eax		; size_t
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_C0], esi
		push	edi		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_B8], edi
		mov	[ebp+var_B4], edi
		test	ebx, ebx
		jz	short loc_883946
		mov	eax, [ebx+0B0h]
		mov	edi, [eax+14h]

loc_883946:				; CODE XREF: PnpSetDevicePropertyData+51j
		test	edi, edi
		jz	loc_908220
		cmp	dword ptr [edi+18h], 0
		jz	loc_908220
		cmp	[ebp+arg_0], 0
		jnz	loc_9081E9

loc_883962:				; CODE XREF: IoGetDevicePropertyData+125C52j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpDevicePropertyLock
		call	ExAcquireResourceExclusiveLite
		mov	edx, [edi+18h]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	[ebp+arg_C]
		push	[ebp+var_BC]
		push	[ebp+arg_8]
		push	esi
		push	[ebp+var_B4]
		push	0
		push	1
		call	PiPnpRtlSetObjectProperty
		mov	esi, eax
		test	esi, esi
		js	short loc_8839B5
		mov	eax, [ebp+var_C0]
		cmp	dword ptr [eax+10h], 2
		jz	short loc_8839FB

loc_8839B5:				; CODE XREF: PnpSetDevicePropertyData+BDj
					; PnpSetDevicePropertyData+123j ...
		mov	ecx, offset _PnpDevicePropertyLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	esi, 0C0000225h
		jz	short loc_883A23

loc_8839D3:				; CODE XREF: PnpSetDevicePropertyData+13Ej
		cmp	dword ptr [edi+0ACh], 303h
		jge	short loc_8839F2

loc_8839DF:				; CODE XREF: PnpSetDevicePropertyData+10Fj
					; IoGetDevicePropertyData+125C5Dj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_8839F2:				; CODE XREF: PnpSetDevicePropertyData+F3j
		mov	ecx, edi
		call	_PnpSetDeviceInstancePropertyChangeEvent@4 ; PnpSetDeviceInstancePropertyChangeEvent(x)
		jmp	short loc_8839DF
; 

loc_8839FB:				; CODE XREF: PnpSetDevicePropertyData+C9j
		push	10h		; size_t
		push	offset _INTERRUPT_CONNECTION_DATA_PKEY ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_8839B5
		push	[ebp+arg_C]
		mov	edx, [ebp+var_BC]
		mov	ecx, ebx
		call	PnpSetInterruptInformation
		mov	esi, eax
		jmp	short loc_8839B5
; 

loc_883A23:				; CODE XREF: PnpSetDevicePropertyData+E7j
		mov	esi, 0C0000034h
		jmp	short loc_8839D3
PnpSetDevicePropertyData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpSetInterruptInformation proc	near	; CODE XREF: PnpSetDevicePropertyData+130p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0090828C SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		push	47706E50h
		mov	[ebp+var_4], ecx
		lea	eax, [edi+4]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_883A81
		push	edi		; size_t
		lea	eax, [esi+4]
		mov	[esi], edi
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+30h]
		mov	[eax+30h], esi
		test	ecx, ecx
		jnz	loc_90828C

loc_883A78:				; CODE XREF: PnpSetInterruptInformation+8486Dj
		xor	eax, eax

loc_883A7A:				; CODE XREF: PnpSetInterruptInformation+5Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_883A81:				; CODE XREF: PnpSetInterruptInformation+25j
		mov	eax, 0C000009Ah
		jmp	short loc_883A7A
PnpSetInterruptInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpUpdateTrace	proc near		; CODE XREF: NtTraceControl(x,x,x,x,x,x)+25Bp
					; EtwWmitraceWorker()+17Ep

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_2		= word ptr -2
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= word ptr  38h

; FUNCTION CHUNK AT 0090C95A SIZE 00000295 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		mov	[esp+34h+var_20], esi
		xor	eax, eax
		mov	[esp+34h+var_24], ecx
		mov	[esp+34h+var_14], ecx
		mov	[esp+34h+var_10], ecx
		mov	ecx, ebx
		push	edi
		mov	[esp+38h+var_2], ax
		call	@EtwpValidateLoggerInfo@4 ; EtwpValidateLoggerInfo(x)
		test	eax, eax
		js	short loc_883B29
		call	_EtwpValidateFlagExtension@4 ; EtwpValidateFlagExtension(x)
		test	eax, eax
		js	short loc_883B29
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	eax, [esp+38h+var_24]
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	EtwpAcquireLoggerContext
		mov	edi, eax
		test	edi, edi
		js	short loc_883B22
		mov	esi, [esp+38h+var_24]
		mov	ecx, [ebx+40h]
		mov	[esp+38h+var_28], ecx
		lea	eax, [esi+0Ch]
		mov	edx, [eax]
		mov	[esp+38h+var_18], eax
		mov	[esp+38h+var_2C], edx
		test	dl, 40h
		jnz	short loc_883B0A
		mov	eax, ecx
		and	eax, 3
		cmp	al, 3
		jnz	loc_883CDF

loc_883B0A:				; CODE XREF: EtwpUpdateTrace+73j
					; EtwpUpdateTrace+B6j ...
		mov	edi, 0C000000Dh

loc_883B0F:				; CODE XREF: EtwpUpdateTrace+F8j
					; EtwpUpdateTrace+16Dj	...
		lea	eax, [esp+38h+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	dl, 1
		mov	ecx, esi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_883B22:				; CODE XREF: EtwpUpdateTrace+56j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, edi

loc_883B29:				; CODE XREF: EtwpUpdateTrace+34j
					; EtwpUpdateTrace+3Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_883B30:				; CODE XREF: EtwpUpdateTrace+268j
		test	cl, 2
		setnz	cl
		test	dl, 2
		setz	al
		test	cl, al
		jnz	short loc_883B0A
		mov	ecx, [esp-4+arg_C]
		mov	eax, ecx
		and	eax, 6
		cmp	al, 6
		jz	short loc_883B0A
		or	ecx, edx
		bt	ecx, 8
		setnb	al
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		xor	edx, edx
		and	eax, 0FFFFFFE0h
		add	eax, 0A0h
		mov	ecx, eax
		cmp	[ebx+84h], edx
		jnz	loc_90C95A

loc_883B75:				; CODE XREF: EtwpUpdateTrace+88ED9j
					; EtwpUpdateTrace+88EE2j
		mov	edx, esi
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_883B0F
		xor	edx, edx
		cmp	[ebx+84h], edx
		jnz	loc_90C96F

loc_883B90:				; CODE XREF: EtwpUpdateTrace+88EF0j
					; EtwpUpdateTrace+88FC0j
		mov	eax, [esp-4+arg_8]
		test	eax, 400h
		jnz	short loc_883BB2
		mov	ecx, 100h
		test	[esp-4+arg_C], ecx
		jnz	loc_90CA4D
		test	eax, ecx
		jnz	loc_90CA79

loc_883BB2:				; CODE XREF: EtwpUpdateTrace+111j
					; EtwpUpdateTrace+88FD1j ...
		push	10h		; size_t
		lea	edi, [esi+0C8h]
		push	edi		; void *
		push	offset _HeapGuid ; void	*
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_90CA9D
		push	10h		; size_t
		push	edi		; void *
		push	offset _CritSecGuid ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_90CAA1

loc_883BE8:				; CODE XREF: EtwpUpdateTrace+89028j
		mov	edx, esi
		mov	ecx, ebx
		call	EtwpCheckForStackTracingExtension
		mov	edi, eax
		test	edi, edi
		js	loc_883B0F
		mov	eax, [esp-4+arg_1C]
		test	dword ptr [eax], 2000000h
		jz	short loc_883C51
		mov	edx, 80h
		mov	ecx, esi
		call	EtwpCheckSystemTraceAccess
		mov	edi, eax
		test	edi, edi
		js	loc_883B0F
		mov	eax, [esp-4+arg_14]
		cmp	eax, ds:_EtwpHostSiloState
		jnz	short loc_883C3E
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	EtwpCheckForPoolTagFilterExtension
		mov	edi, eax
		test	edi, edi
		js	loc_883B0F

loc_883C3E:				; CODE XREF: EtwpUpdateTrace+19Fj
		mov	edx, ebx
		mov	ecx, esi
		call	EtwpUpdateLoggerGroupMasks
		mov	edi, eax
		test	edi, edi
		js	loc_883B0F

loc_883C51:				; CODE XREF: EtwpUpdateTrace+17Dj
		mov	edi, [ebx+38h]
		test	edi, edi
		jnz	loc_90CAB5

loc_883C5C:				; CODE XREF: EtwpUpdateTrace+8904Aj
					; EtwpUpdateTrace+89056j
		mov	ecx, [esp-4+arg_8]
		test	ecx, 400h
		jnz	short loc_883C73
		mov	eax, [ebx+44h]
		test	eax, eax
		jnz	loc_90CAE3

loc_883C73:				; CODE XREF: EtwpUpdateTrace+1DEj
					; EtwpUpdateTrace+89061j ...
		mov	edi, 80000h
		test	[esp-4+arg_C], edi
		jnz	loc_90CB08
		test	ecx, edi
		jnz	loc_90CB5A

loc_883C8A:				; CODE XREF: EtwpUpdateTrace+890C0j
					; EtwpUpdateTrace+890CDj ...
		test	byte ptr [esp-4+arg_C],	80h
		jnz	loc_90CB69

loc_883C95:				; CODE XREF: EtwpUpdateTrace+89113j
		mov	ecx, [esp-4+arg_1C]
		mov	eax, [esp-4+arg_8]
		mov	[ecx], eax
		mov	ecx, [ebx+4Ch]
		test	ecx, ecx
		jnz	loc_90CBA0

loc_883CAA:				; CODE XREF: EtwpUpdateTrace+89147j
					; EtwpUpdateTrace+89152j
		mov	[esi+88h], ecx
		mov	edx, esi
		mov	ecx, ebx
		call	EtwpGetLoggerInfoFromContext
		mov	ebx, offset _ETW_EVENT_UPDATE_TRACE
		mov	edi, eax
		push	ebx
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_883B0F
		jmp	loc_90CBDF
; 

loc_883CDF:				; CODE XREF: EtwpUpdateTrace+7Cj
		mov	edi, 0C000h
		mov	eax, ecx
		and	eax, edi
		cmp	eax, edi
		jz	loc_883B0A
		jmp	loc_883B30
EtwpUpdateTrace	endp

; 
		align 2

;  S U B	R O U T	I N E 


EtwpCheckSystemTraceAccess proc	near	; CODE XREF: EtwpUpdateTrace+186p
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+552p ...

; FUNCTION CHUNK AT 0090CBEF SIZE 0000000B BYTES

		mov	eax, edx
		push	ecx
		test	byte ptr [ecx+258h], 20h
		jnz	loc_90CBEF
		push	0
		mov	ecx, offset _SystemTraceControlGuid
		call	_EtwpCheckGuidAccess@12	; EtwpCheckGuidAccess(x,x,x)
		pop	ecx
		retn
EtwpCheckSystemTraceAccess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpEnableAutoLoggerProvider proc near	; CODE XREF: EtwpEnumerateKeyProviders+CDp

var_3D0		= dword	ptr -3D0h
var_3CC		= dword	ptr -3CCh
var_3C8		= dword	ptr -3C8h
var_3C4		= dword	ptr -3C4h
var_3C0		= dword	ptr -3C0h
var_3BC		= dword	ptr -3BCh
var_3B8		= dword	ptr -3B8h
var_3B4		= dword	ptr -3B4h
var_3B0		= dword	ptr -3B0h
var_3AC		= dword	ptr -3ACh
var_3A8		= dword	ptr -3A8h
var_3A4		= dword	ptr -3A4h
var_3A0		= dword	ptr -3A0h
var_39C		= dword	ptr -39Ch
var_398		= dword	ptr -398h
var_394		= dword	ptr -394h
var_390		= dword	ptr -390h
var_38C		= dword	ptr -38Ch
var_388		= dword	ptr -388h
var_384		= byte ptr -384h
var_380		= dword	ptr -380h
var_37C		= byte ptr -37Ch
var_378		= dword	ptr -378h
var_374		= dword	ptr -374h
var_370		= word ptr -370h
var_36C		= dword	ptr -36Ch
var_364		= dword	ptr -364h
var_360		= dword	ptr -360h
var_35C		= dword	ptr -35Ch
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_320		= dword	ptr -320h
var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2EC		= dword	ptr -2ECh
var_2E8		= dword	ptr -2E8h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00910B2B SIZE 0000020D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3D4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	dword ptr [ebp+var_37C], eax
		lea	edi, [ebp+var_3C8]
		mov	eax, [ebp+arg_8]
		push	6
		mov	[ebp+var_38C], ecx
		mov	dword ptr [ebp+var_384], eax
		xor	eax, eax
		pop	ecx
		mov	[ebp+var_388], edx
		xor	edx, edx
		rep stosd
		push	esi
		lea	eax, [ebp+var_3D0]
		mov	[ebp+var_380], esi
		mov	ebx, edx
		mov	[ebp+var_36C], edx
		push	eax
		mov	[ebp+var_33C], ebx
		mov	[ebp+var_3D0], edx
		mov	[ebp+var_3CC], edx
		mov	[ebp+var_354], edx
		mov	[ebp+var_360], edx
		mov	[ebp+var_358], edx
		mov	[ebp+var_35C], edx
		mov	[ebp+var_378], edx
		mov	[ebp+var_374], edx
		mov	[ebp+var_3A8], edx
		mov	[ebp+var_3A4], edx
		mov	[ebp+var_364], edx
		mov	[ebp+var_340], edx
		mov	[ebp+var_338], edx
		mov	[ebp+var_3A0], edx
		mov	[ebp+var_39C], edx
		mov	[ebp+var_344], edx
		mov	[ebp+var_398], edx
		mov	[ebp+var_348], edx
		mov	[ebp+var_394], edx
		mov	[ebp+var_34C], edx
		mov	[ebp+var_390], edx
		mov	[ebp+var_350], edx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		push	24Ch		; size_t
		push	eax		; int
		lea	eax, [ebp+var_320]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [ebp+var_24]
		xor	eax, eax
		push	8
		pop	ecx
		rep stosd
		mov	ecx, dword ptr [ebp+var_37C]
		xor	edi, edi
		mov	[ebp+var_3B0], edi
		mov	[ebp+var_3AC], edi
		lea	edx, [ecx+2]

loc_883E39:				; CODE XREF: EtwpEnableAutoLoggerProvider+12Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_883E39
		sub	ecx, edx
		mov	edx, esi
		sar	ecx, 1
		lea	esi, [edx+2]

loc_883E4D:				; CODE XREF: EtwpEnableAutoLoggerProvider+142j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, di
		jnz	short loc_883E4D
		sub	edx, esi
		sar	edx, 1
		push	50777445h
		lea	eax, [edx+ecx]
		lea	edi, ds:4[eax*2]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_334], eax
		push	4
		pop	esi
		test	eax, eax
		jz	loc_910CDC
		push	[ebp+var_380]
		push	dword ptr [ebp+var_37C]	; char
		push	offset ??_C@_1BA@NPEHGALP@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	edi		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	edi, [ebp+var_334]
		add	esp, 14h
		test	eax, eax
		jnz	loc_88423A
		push	edi
		lea	eax, [ebp+var_3A0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_3A0]
		mov	[ebp+var_3C8], 18h
		mov	[ebp+var_3C0], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_3C8]
		mov	[ebp+var_3C4], ecx
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_340]
		mov	[ebp+var_3BC], 240h
		push	eax
		mov	[ebp+var_3B8], ecx
		mov	[ebp+var_3B4], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_88423A
		mov	eax, dword ptr [ebp+var_384]
		test	eax, eax
		jnz	loc_910B2B

loc_883F1C:				; CODE XREF: EtwpEnableAutoLoggerProvider+8CF01j
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_318], offset ??_C@_1BA@NPJPKIM@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAd@NNGAKEGL@ ;	"Enabled"
		mov	[ebp+var_314], eax
		mov	edx, offset EtwpQueryRegistryCallback
		lea	eax, [ebp+var_354]
		mov	[ebp+var_320], edx
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_2F8], eax
		lea	eax, [ebp+var_35C]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_2DC], eax
		lea	eax, [ebp+var_360]
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_2C0], eax
		lea	eax, [ebp+var_358]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_2A4], eax
		lea	eax, [ebp+var_378]
		push	0Bh
		pop	ecx
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_288], eax
		lea	eax, [ebp+var_3A8]
		push	1
		mov	[ebp+var_A4], eax
		xor	eax, eax
		push	ecx
		push	eax
		lea	eax, [ebp+var_320]
		mov	[ebp+var_304], edx
		mov	[ebp+var_2E8], edx
		mov	[ebp+var_2CC], edx
		mov	[ebp+var_2B0], edx
		mov	[ebp+var_2A0], ecx
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_294], edx
		mov	edx, [ebp+var_340]
		mov	[ebp+var_284], ecx
		mov	[ebp+var_A8], ecx
		mov	ecx, 40000000h
		push	eax
		mov	[ebp+var_310], esi
		mov	[ebp+var_D0], esi
		mov	[ebp+var_2FC], offset ??_C@_1BO@BKEADOJP@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAy@NNGAKEGL@
		mov	[ebp+var_2F4], esi
		mov	[ebp+var_C8], esi
		mov	[ebp+var_2E0], offset ??_C@_1BI@GEJCFFBF@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAL?$AAe?$AAv?$AAe?$AAl@NNGAKEGL@ ; "EnableLevel"
		mov	[ebp+var_2D8], esi
		mov	[ebp+var_C0], esi
		mov	[ebp+var_2C4], offset ??_C@_1BI@EBHMEIEO@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@
		mov	[ebp+var_2BC], esi
		mov	[ebp+var_B8], esi
		mov	[ebp+var_2A8], offset ??_C@_1CA@DAIDIDOO@?$AAM?$AAa?$AAt?$AAc?$AAh?$AAA?$AAn?$AAy?$AAK?$AAe?$AAy?$AAw?$AAo?$AAr?$AAd@NNGAKEGL@
		mov	[ebp+var_28C], offset ??_C@_1CA@DABEMIJN@?$AAM?$AAa?$AAt?$AAc?$AAh?$AAA?$AAl?$AAl?$AAK?$AAe?$AAy?$AAw?$AAo?$AAr?$AAd@NNGAKEGL@
		call	RtlpQueryRegistryValues
		test	eax, eax
		js	loc_910CBF
		mov	ecx, [ebp+var_338]
		mov	ebx, [ebp+arg_C]
		test	ecx, ecx
		jnz	loc_910C1A

loc_884092:				; CODE XREF: EtwpEnableAutoLoggerProvider+8CF08j
					; EtwpEnableAutoLoggerProvider+8CF9Cj
		test	eax, eax
		js	loc_910CBF
		cmp	[ebp+var_354], 0
		jz	loc_884206
		xor	eax, eax
		lea	edi, [ebp+var_330]
		mov	dword ptr [ebp+var_370], eax
		neg	ebx
		stosd
		sbb	ebx, ebx
		not	ebx
		and	ebx, [ebp+var_33C]
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_388]
		test	eax, eax
		jz	loc_910CB5

loc_8840D3:				; CODE XREF: EtwpEnableAutoLoggerProvider+8CFA6j
		mov	[ebp+var_370], ax
		mov	edx, ebx
		mov	edi, [ebp+var_334]
		lea	eax, [ebp+var_350]
		push	eax
		lea	eax, [ebp+var_390]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_34C]
		push	eax
		lea	eax, [ebp+var_394]
		push	eax
		lea	eax, [ebp+var_348]
		push	eax
		lea	eax, [ebp+var_398]
		push	eax
		lea	eax, [ebp+var_344]
		push	eax
		lea	eax, [ebp+var_3B0]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	EtwpGetAutoLoggerProviderFilter
		lea	eax, [ebp+var_330]
		push	eax
		lea	eax, [ebp+var_3D0]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	loc_910CBF
		push	10h		; size_t
		lea	eax, [ebp+var_330]
		push	offset loc_4075F8 ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_884308
		push	10h		; size_t
		lea	eax, [ebp+var_330]
		push	offset _s_ProviderThreatInt ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_884308
		mov	ebx, [ebp+var_38C]

loc_884182:				; CODE XREF: EtwpEnableAutoLoggerProvider+61Cj
					; EtwpEnableAutoLoggerProvider+63Aj
		mov	ecx, [ebp+var_378]
		mov	eax, ecx
		mov	edx, [ebp+var_374]
		or	eax, edx
		jz	loc_8842D6

loc_884198:				; CODE XREF: EtwpEnableAutoLoggerProvider+5D8j
		push	[ebp+var_350]	; int
		lea	eax, [ebp+var_3B0]
		push	[ebp+var_390]	; int
		push	[ebp+var_34C]	; void *
		push	[ebp+var_394]	; int
		push	[ebp+var_348]	; void *
		push	[ebp+var_398]	; int
		push	[ebp+var_344]	; void *
		push	eax		; int
		lea	eax, [ebp+var_24]
		push	eax		; int
		push	[ebp+var_35C]	; int
		xor	eax, eax
		push	[ebp+var_3A4]	; int
		push	[ebp+var_3A8]	; int
		push	edx		; int
		push	ecx		; int
		push	[ebp+var_360]	; int
		lea	edx, [ebp+var_330]
		mov	ecx, ebx
		push	1		; size_t
		push	eax		; int
		push	dword ptr [ebp+var_370]	; __int16
		push	eax		; int
		call	EtwpEnableTrace
		mov	ecx, [ebp+var_338]

loc_884206:				; CODE XREF: EtwpEnableAutoLoggerProvider+38Dj
		test	eax, eax
		js	loc_910CBF

loc_88420E:				; CODE XREF: EtwpEnableAutoLoggerProvider+8CFBDj
		lea	eax, [ebp+var_364]
		push	esi
		push	eax
		push	esi
		push	(offset	loc_8BA67D+1)
		test	ecx, ecx
		jnz	loc_910CD6
		push	[ebp+var_340]

loc_88422A:				; CODE XREF: EtwpEnableAutoLoggerProvider+8CFC3j
		push	40000000h
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)

loc_884234:				; CODE XREF: EtwpEnableAutoLoggerProvider+600j
					; EtwpEnableAutoLoggerProvider+627j
		mov	ebx, [ebp+var_33C]

loc_88423A:				; CODE XREF: EtwpEnableAutoLoggerProvider+193j
					; EtwpEnableAutoLoggerProvider+1F4j ...
		cmp	[ebp+var_340], 0
		jz	short loc_88424E
		push	[ebp+var_340]
		call	_ZwClose@4	; ZwClose(x)

loc_88424E:				; CODE XREF: EtwpEnableAutoLoggerProvider+52Dj
		test	edi, edi
		jz	short loc_88425B
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88425B:				; CODE XREF: EtwpEnableAutoLoggerProvider+53Cj
		cmp	[ebp+var_338], 0
		jnz	loc_910CE7

loc_884268:				; CODE XREF: EtwpEnableAutoLoggerProvider+8CFDEj
		test	ebx, ebx
		jnz	loc_910CF7

loc_884270:				; CODE XREF: EtwpEnableAutoLoggerProvider+8CFECj
		xor	ebx, ebx
		cmp	[ebp+var_344], ebx
		jnz	loc_910D05

loc_88427E:				; CODE XREF: EtwpEnableAutoLoggerProvider+8CFFDj
		cmp	[ebp+var_348], 0
		jnz	loc_910D16

loc_88428B:				; CODE XREF: EtwpEnableAutoLoggerProvider+8D00Ej
		cmp	[ebp+var_34C], 0
		jnz	short loc_8842FA

loc_884294:				; CODE XREF: EtwpEnableAutoLoggerProvider+5F2j
		cmp	[ebp+var_350], 0
		jnz	loc_910D27

loc_8842A1:				; CODE XREF: EtwpEnableAutoLoggerProvider+8D01Fj
		lea	edi, [ebp+var_24]

loc_8842A4:				; CODE XREF: EtwpEnableAutoLoggerProvider+59Cj
		push	edi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		add	edi, 8
		sub	esi, 1
		jnz	short loc_8842A4
		mov	esi, ebx

loc_8842B4:				; CODE XREF: EtwpEnableAutoLoggerProvider+5AFj
		mov	eax, [ebp+esi*4+var_3B0]
		test	eax, eax
		jnz	short loc_8842F1

loc_8842BF:				; CODE XREF: EtwpEnableAutoLoggerProvider+5E4j
		inc	esi
		cmp	esi, 2
		jb	short loc_8842B4
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_8842D6:				; CODE XREF: EtwpEnableAutoLoggerProvider+47Ej
		mov	ecx, [ebp+var_358]
		xor	eax, eax
		mov	edx, eax
		mov	[ebp+var_378], ecx
		mov	[ebp+var_374], edx
		jmp	loc_884198
; 

loc_8842F1:				; CODE XREF: EtwpEnableAutoLoggerProvider+5A9j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8842BF
; 

loc_8842FA:				; CODE XREF: EtwpEnableAutoLoggerProvider+57Ej
		push	ebx
		push	[ebp+var_34C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_884294
; 

loc_884308:				; CODE XREF: EtwpEnableAutoLoggerProvider+444j
					; EtwpEnableAutoLoggerProvider+462j
		mov	ebx, [ebp+var_38C]
		cmp	ebx, ds:_EtwpHostSiloState
		jnz	loc_884234
		mov	edx, [ebp+var_388]
		cmp	edx, [ebx+8]
		jnb	short loc_884353
		mov	eax, [ebx+18Ch]
		mov	eax, [eax+edx*4]

loc_88432E:				; CODE XREF: EtwpEnableAutoLoggerProvider+642j
		test	al, 1
		jnz	loc_884182
		xor	ecx, ecx
		cmp	[eax+68h], ecx
		jnz	loc_884234
		mov	ecx, 4000h
		add	eax, 258h
		lock or	[eax], ecx
		jmp	loc_884182
; 

loc_884353:				; CODE XREF: EtwpEnableAutoLoggerProvider+60Fj
		xor	eax, eax
		inc	eax
		jmp	short loc_88432E
EtwpEnableAutoLoggerProvider endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpGetAutoLoggerProviderFilter	proc near ; CODE XREF: EtwpEnableAutoLoggerProvider+40Cp

var_390		= dword	ptr -390h
var_38C		= dword	ptr -38Ch
var_388		= dword	ptr -388h
var_384		= dword	ptr -384h
var_380		= dword	ptr -380h
var_37C		= byte ptr -37Ch
var_378		= dword	ptr -378h
var_374		= dword	ptr -374h
var_370		= dword	ptr -370h
var_36C		= dword	ptr -36Ch
var_368		= dword	ptr -368h
var_364		= dword	ptr -364h
var_360		= dword	ptr -360h
var_35C		= dword	ptr -35Ch
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= byte ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_320		= dword	ptr -320h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2EC		= dword	ptr -2ECh
var_2E8		= dword	ptr -2E8h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_294		= dword	ptr -294h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_278		= dword	ptr -278h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_25C		= dword	ptr -25Ch
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 00910D38 SIZE 00000210 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 390h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	dword ptr [ebp+var_34C], edx
		mov	edx, ecx
		mov	dword ptr [ebp+var_37C], edx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_384], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_388], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_350], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_38C], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_354], eax
		mov	eax, [ebp+arg_18]
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_380], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_31C], eax
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_32C], edi
		lea	edi, [ebp+var_378]
		push	6
		mov	[ebp+var_390], eax
		xor	eax, eax
		xor	esi, esi
		pop	ecx
		rep stosd
		mov	ecx, edx
		mov	[ebp+var_360], esi
		mov	[ebp+var_35C], esi
		mov	[ebp+var_318], esi
		mov	[ebp+var_328], esi
		mov	[ebp+var_340], esi
		lea	edx, [ecx+2]
		mov	[ebp+var_33C], esi
		mov	[ebp+var_338], esi
		mov	[ebp+var_334], esi
		mov	[ebp+var_348], esi
		mov	[ebp+var_344], esi
		mov	[ebp+var_320], esi
		mov	[ebp+var_324], esi
		mov	[ebp+var_314], esi
		mov	[ebp+var_310], esi
		mov	[ebp+var_308], esi
		mov	[ebp+var_30C], esi
		mov	[ebp+var_330], esi

loc_884449:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+FAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_884449
		sub	ecx, edx
		sar	ecx, 1
		push	50777445h
		lea	esi, ds:12h[ecx*2]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_358], edi
		test	edi, edi
		jz	loc_910D38
		push	dword ptr [ebp+var_37C]	; char
		push	offset ??_C@_1BI@GHNFACD@?$AA?$CF?$AAw?$AAs?$AA?2?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@ ; wchar_t *
		push	esi		; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		jnz	loc_88452A
		push	edi
		lea	eax, [ebp+var_360]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_360]
		mov	[ebp+var_378], 18h
		mov	[ebp+var_370], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_378]
		mov	[ebp+var_374], ecx
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_308]
		mov	[ebp+var_36C], 240h
		push	eax
		mov	[ebp+var_368], ecx
		mov	[ebp+var_364], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_884502
		xor	eax, eax
		mov	[ebp+var_308], eax

loc_884502:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+1A0j
		mov	eax, dword ptr [ebp+var_34C]
		test	eax, eax
		jnz	loc_910D42

loc_884510:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+8CA9Bj
		cmp	[ebp+var_308], 0
		jnz	loc_8845B1
		cmp	[ebp+var_30C], 0
		jnz	loc_8845B1

loc_88452A:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+13Dj
					; EtwpGetAutoLoggerProviderFilter+588j	...
		xor	eax, eax
		xor	ebx, ebx
		mov	edi, eax

loc_884530:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+1EBj
		mov	eax, [ebp+edi*4+var_314]
		test	eax, eax
		jnz	loc_910F20

loc_88453F:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+8CBCFj
		inc	edi
		cmp	edi, 2
		jb	short loc_884530
		mov	ebx, [ebp+var_330]
		test	esi, esi
		jns	loc_8849C2
		mov	eax, [ebp+var_350]
		xor	esi, esi
		mov	[eax], esi
		mov	eax, [ebp+var_354]
		mov	[eax], esi
		mov	eax, [ebp+var_31C]
		mov	[eax], esi

loc_88456D:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+66Cj
		cmp	[ebp+var_308], 0
		jnz	loc_8849C9

loc_88457A:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+67Cj
		cmp	[ebp+var_30C], 0
		jnz	loc_910F2C

loc_884587:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+8CBDFj
		mov	eax, [ebp+var_358]
		test	eax, eax
		jz	short loc_884598
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_884598:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+237j
		test	ebx, ebx
		jnz	loc_910F3C

loc_8845A0:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+8CBEBj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	24h
; 

loc_8845B1:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+1BFj
					; EtwpGetAutoLoggerProviderFilter+1CCj
		push	24Ch		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_304]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_8845C8:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+28Cj
		push	46777445h
		push	86h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+esi*4+var_314], eax
		inc	esi
		cmp	esi, 2
		jb	short loc_8845C8
		mov	esi, [ebp+var_31C]
		mov	eax, 400h
		push	50777445h
		push	eax
		push	1
		mov	[esi], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_380]
		mov	[eax], ecx
		test	ecx, ecx
		jz	loc_910D38
		mov	edx, [ebp+var_32C]
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_2F8], eax
		xor	ebx, ebx
		lea	eax, [ebp+var_318]
		mov	[ebp+var_344], ecx
		mov	[ebp+var_2F0], eax
		inc	ebx
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_2F4], ebx
		mov	[ebp+var_2DC], eax
		lea	eax, [ebp+var_318]
		mov	[ebp+var_2D4], eax
		lea	eax, [edx+8]
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_2C0], eax
		lea	eax, [ebp+var_318]
		mov	[ebp+var_2B8], eax
		lea	eax, [edx+10h]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_2A4], eax
		push	4
		pop	eax
		mov	[ebp+var_2A0], eax
		mov	[ebp+var_9C], eax
		mov	[ebp+var_284], eax
		mov	[ebp+var_94], eax
		mov	[ebp+var_268], eax
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_328]
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_2D8], ebx
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_2BC], ebx
		mov	[ebp+var_A4], ebx
		lea	ebx, [ebp+var_320]
		mov	[ebp+var_88], eax
		mov	eax, [esi]
		xor	esi, esi
		mov	[ebp+var_98], ebx
		inc	esi
		mov	[ebp+var_348], eax
		lea	ebx, [ebp+var_94]
		lea	eax, [ebp+var_84]
		mov	[ebp+var_288], ebx
		mov	[ebp+var_250], eax
		lea	ebx, [ebp+var_324]
		lea	eax, [ebp+var_348]
		mov	[ebp+var_90], ebx
		mov	[ebp+var_80], eax
		lea	ebx, [ebp+var_8C]
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_26C], ebx
		push	3
		mov	ebx, offset EtwpQueryRegistryCallback
		mov	[ebp+var_234], eax
		pop	ecx
		lea	eax, [ebp+var_318]
		mov	[ebp+var_304], offset EtwpQueryRegistryCallback
		mov	[ebp+var_2FC], offset ??_C@_1BE@FDHBJBK@?$AAE?$AAx?$AAe?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@
		mov	[ebp+var_B0], edx
		mov	[ebp+var_2E8], offset EtwpQueryRegistryCallback
		mov	[ebp+var_2E0], offset ??_C@_1CA@FNMGOGNM@?$AAP?$AAa?$AAc?$AAk?$AAa?$AAg?$AAe?$AAI?$AAd?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@ ; "PackageIdFilter"
		mov	[ebp+var_2CC], offset EtwpQueryRegistryCallback
		mov	[ebp+var_2C4], offset ??_C@_1DG@NJNDNLDI@?$AAP?$AAa?$AAc?$AAk?$AAa?$AAg?$AAe?$AAR?$AAe?$AAl?$AAa?$AAt?$AAi?$AAv?$AAe@NNGAKEGL@
		mov	[ebp+var_2B0], offset EtwpQueryRegistryCallback
		mov	[ebp+var_2A8], offset ??_C@_1CA@FODMMKIP@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAI?$AAd?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAI?$AAn@NNGAKEGL@
		mov	[ebp+var_294], offset EtwpQueryRegistryCallback
		mov	[ebp+var_28C], offset ??_C@_1CE@LAJLDKOH@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAW?$AAa?$AAl?$AAk?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@
		mov	[ebp+var_278], offset EtwpQueryRegistryCallback
		mov	[ebp+var_270], offset ??_C@_1BA@NPJPKIM@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAd@NNGAKEGL@ ;	"Enabled"
		mov	[ebp+var_25C], ebx
		mov	[ebp+var_254], offset ??_C@_1CG@CPJPKDBI@?$AAS?$AAc?$AAh?$AAe?$AAm?$AAa?$AAt?$AAi?$AAz?$AAe?$AAd?$AAF?$AAi?$AAl?$AAt@NNGAKEGL@
		mov	[ebp+var_24C], ecx
		mov	[ebp+var_84], ecx
		mov	[ebp+var_240], ebx
		mov	[ebp+var_238], offset ??_C@_1CA@BIAIEJGA@?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@ ; "ContainerFilter"
		mov	[ebp+var_230], esi
		mov	[ebp+var_22C], eax
		mov	ebx, [ebp+var_330]
		lea	eax, [edx+18h]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+var_314]
		mov	[ebp+var_7C], esi
		push	8
		pop	edx
		test	eax, eax
		jz	short loc_88485C
		add	eax, 4
		mov	[ebp+var_338], 80h
		mov	[ebp+var_334], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_218], eax
		lea	eax, [ebp+var_338]
		push	9
		mov	[ebp+var_224], offset EtwpQueryRegistryCallback
		mov	[ebp+var_21C], offset ??_C@_1BC@KAOGBLIA@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAI?$AAd?$AAs@NNGAKEGL@
		mov	[ebp+var_214], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], eax
		pop	edx

loc_88485C:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+4BDj
		mov	eax, [ebp+var_310]
		test	eax, eax
		jz	short loc_8848C0
		add	eax, 4
		mov	[ebp+var_340], 80h
		imul	ecx, edx, 1Ch
		mov	[ebp+var_33C], eax
		lea	eax, [ebp+var_B4]
		lea	eax, [eax+edx*8]
		mov	dword ptr [eax], 3
		mov	[ebp+ecx+var_2F8], eax
		lea	eax, [ebp+var_340]
		mov	[ebp+ecx+var_304], offset EtwpQueryRegistryCallback
		mov	[ebp+ecx+var_2FC], offset ??_C@_1BK@DBPDLNFG@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAW?$AAa?$AAl?$AAk?$AAI?$AAd?$AAs@NNGAKEGL@
		mov	[ebp+ecx+var_2F4], 3
		mov	[ebp+edx*8+var_B0], eax

loc_8848C0:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+50Cj
		mov	edx, [ebp+var_308]
		xor	eax, eax
		push	esi
		push	ecx
		push	eax
		lea	eax, [ebp+var_304]
		mov	ecx, 40000000h
		push	eax
		call	RtlpQueryRegistryValues
		mov	esi, eax
		test	esi, esi
		js	loc_88452A
		mov	edx, [ebp+var_30C]
		test	edx, edx
		jnz	loc_910DF8

loc_8848F4:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+8CB97j
					; EtwpGetAutoLoggerProviderFilter+8CB9Fj
		mov	ecx, [ebp+var_314]
		test	ecx, ecx
		jz	short loc_884916
		cmp	[ebp+var_320], 0
		setnz	al
		mov	[ecx], al
		mov	eax, [ebp+var_338]
		shr	eax, 1
		mov	[ecx+2], ax

loc_884916:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+5A4j
		mov	ecx, [ebp+var_310]
		test	ecx, ecx
		jz	short loc_884938
		cmp	[ebp+var_324], 0
		setnz	al
		mov	[ecx], al
		mov	eax, [ebp+var_340]
		shr	eax, 1
		mov	[ecx+2], ax

loc_884938:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+5C6j
		cmp	[ebp+var_328], 0
		mov	ecx, [ebp+var_31C]
		mov	eax, [ebp+var_348]
		mov	[ecx], eax
		jz	loc_910EFC
		mov	ecx, edx
		xor	edi, edi
		mov	edx, [ebp+var_384]

loc_88495D:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+61Aj
		mov	eax, [ebp+ecx*4+var_314]
		mov	[edx+ecx*4], eax
		mov	[ebp+ecx*4+var_314], edi
		inc	ecx
		cmp	ecx, 2
		jb	short loc_88495D
		push	[ebp+var_350]
		mov	edi, [ebp+var_358]
		mov	edx, ebx
		push	[ebp+var_388]
		mov	ecx, edi
		push	offset ??_C@_1CA@MKODHNDA@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAN?$AAa?$AAm?$AAe?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@
		call	EtwpGetAutoLoggerEventNameFilter
		push	[ebp+var_354]
		mov	edx, ebx
		mov	ecx, edi
		push	[ebp+var_38C]
		push	offset ??_C@_1CA@OEDNFPID@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAN?$AAa?$AAm?$AAe?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@
		call	EtwpGetAutoLoggerEventNameFilter
		push	[ebp+var_390]
		mov	edx, ebx
		mov	ecx, edi
		call	EtwpGetAutoLoggerLevelKwFilter
		jmp	loc_88452A
; 

loc_8849C2:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+1F5j
		xor	esi, esi
		jmp	loc_88456D
; 

loc_8849C9:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+21Cj
		push	[ebp+var_308]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_88457A
EtwpGetAutoLoggerProviderFilter	endp

; 
		align 2

;  S U B	R O U T	I N E 


CmpCmdInit	proc near		; CODE XREF: CmCompleteRegistryInitialization+58p

; FUNCTION CHUNK AT 00926085 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	bl, cl
		call	CmpInitializeLazyWriters
		push	offset _CmpHoldLazyFlush
		push	offset _CmpEnableLazyFlushDpcRoutine@16	; CmpEnableLazyFlushDpcRoutine(x,x,x,x)
		xor	esi, esi
		mov	dword_6CDCB8, offset _CmpForceFlushWorker@4 ; CmpForceFlushWorker(x)
		mov	edi, offset _CmpEnableLazyFlushDpc
		mov	dword_6CDCBC, esi
		push	edi
		mov	_CmpForceFlushWorkItem,	esi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	esi
		push	offset _CmpEnableLazyFlushTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		mov	eax, _CmpEnableLazyFlushBootDelayInterval
		cmp	eax, 3Ch
		jl	loc_926085

loc_884A2C:				; CODE XREF: CmpCmdInit+A16B3j
		mov	ecx, 258h
		cmp	eax, ecx
		jg	loc_926092

loc_884A39:				; CODE XREF: CmpCmdInit+A16BFj
		mov	edx, 0FF676980h
		mov	ecx, offset _CmpEnableLazyFlushTimer
		imul	edx
		push	edx
		push	eax
		push	edi
		push	esi
		xor	edx, edx
		call	KiSetTimerEx
		push	esi
		push	offset _CmpFreezeThawDpcRoutine@16 ; CmpFreezeThawDpcRoutine(x,x,x,x)
		push	offset _CmpFreezeThawDpc
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	esi
		push	offset _CmpFreezeThawTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		mov	al, ds:_CmpMiniNTBoot
		xor	ecx, ecx
		push	esi
		inc	ecx
		mov	dword_6CDFF8, offset _CmpFreezeThawWorker@4 ; CmpFreezeThawWorker(x)
		push	offset _CmpCoalescingRegistration
		push	ecx
		mov	dword_6CDFFC, esi
		mov	_CmpFreezeThawWorkItem,	esi
		push	offset _CmpCoalescingCallback@12 ; CmpCoalescingCallback(x,x,x)
		mov	_CmpWorkerDataInitialized, cl
		mov	ds:_CmpNoWrite,	al
		mov	_CmpWasSetupBoot, bl
		mov	_CmpEnableLazyFlushTimerInitialized, ecx
		call	PoRegisterCoalescingCallback
		test	eax, eax
		js	short loc_884ABC
		mov	_CmpCoalescingCallbackActive, 1

loc_884ABC:				; CODE XREF: CmpCmdInit+D9j
		pop	edi
		pop	esi
		pop	ebx
		retn
CmpCmdInit	endp


;  S U B	R O U T	I N E 


PopUpdateDiskIdleTimeoutSetting	proc near
					; CODE XREF: PopCoalescingSetActiveState(x):loc_64FAE9p
					; PopHardDiskPowerSettingCallback+A13A4p ...

; FUNCTION CHUNK AT 0092609E SIZE 00000019 BYTES

		mov	edi, edi
		push	ecx
		test	_PopCoalescingState, 1
		mov	eax, _PopDiskCoalescingTimeout
		jnz	short loc_884AD6
		mov	eax, _PopDiskIdleTimeout

loc_884AD6:				; CODE XREF: PopUpdateDiskIdleTimeoutSetting+Fj
		cmp	eax, _PopCurrentDiskIdleTimeout
		jnz	loc_92609E
		pop	ecx
		retn
PopUpdateDiskIdleTimeoutSetting	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1713. PoRegisterCoalescingCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoRegisterCoalescingCallback
PoRegisterCoalescingCallback proc near	; CODE XREF: CmpCmdInit+D2p
					; PopCoalescingInitialize()+2Cp ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009260B7 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	62436F50h
		push	24h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9260B7
		xor	eax, eax
		mov	edi, esi
		cmp	[ebp+arg_4], 0
		push	9
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_C]
		mov	ecx, esi
		mov	[esi+14h], eax
		setnz	al
		mov	[esi+10h], al
		mov	eax, [ebp+arg_0]
		mov	dword ptr [esi+4], offset _PopCoalescingCallback@12 ; PopCoalescingCallback(x,x,x)
		mov	[esi+8], esi
		mov	[esi+0Ch], eax
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		push	0
		lea	ecx, [esi+20h]
		mov	edx, esi
		call	ExCompareExchangeCallBack
		test	al, al
		jz	short loc_884BC1
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopCoalRegistrationListLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	edx, offset _PopCoalRegistrationList
		mov	ecx, off_6B2F04
		mov	dword_6C3544, eax
		lea	eax, [esi+18h]
		cmp	[ecx], edx
		jnz	short loc_884BBC
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		cmp	dword_6C3544, 0
		mov	off_6B2F04, eax
		jz	short loc_884BA1
		and	dword_6C3544, 0

loc_884BA1:				; CODE XREF: PoRegisterCoalescingCallback+AEj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		xor	eax, eax

loc_884BB6:				; CODE XREF: PoRegisterCoalescingCallback+DCj
					; PoRegisterCoalescingCallback+A15D2j
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_884BBC:				; CODE XREF: PoRegisterCoalescingCallback+99j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_884BC1:				; CODE XREF: PoRegisterCoalescingCallback+60j
		mov	eax, 0C000000Dh
		jmp	short loc_884BB6
PoRegisterCoalescingCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInitializeLazyWriters proc near	; CODE XREF: CmpCmdInit+7p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009260C1 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, _CmpLazyFlushIntervalInSeconds
		push	ebx
		mov	dword_6B1528, eax
		mov	eax, _CmpLazyReconcileIntervalInSeconds
		push	esi
		xor	esi, esi
		mov	dword_6B15A0, eax
		mov	eax, _CmpLazyLocalizeIntervalInSeconds
		mov	ebx, esi
		push	edi
		mov	[esp+30h+var_20], esi
		mov	edi, offset _CmpLazyWriterData
		mov	dword_6B1618, eax
		mov	[esp+30h+var_1C], esi

loc_884C05:				; CODE XREF: CmpInitializeLazyWriters+CEj
		push	esi
		push	edi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	0
		lea	esi, [edi+28h]
		push	1
		lea	eax, [esi+20h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	offset CmpLazyFlushDpcRoutine
		push	esi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		and	dword ptr [esi+30h], 0
		xor	esi, esi
		mov	eax, _CmpRegistryProcess
		push	esi
		push	esi
		push	edi
		push	offset CmpLazyWriteWorker
		push	esi
		push	eax
		lea	eax, [esp+48h+var_18]
		mov	[esp+48h+var_18], 18h
		push	eax
		push	1FFFFFh
		lea	eax, [esp+50h+var_20]
		mov	[esp+50h+var_14], esi
		push	eax
		mov	[esp+54h+var_C], 200h
		mov	[esp+54h+var_10], esi
		mov	[esp+54h+var_8], esi
		mov	[esp+54h+var_4], esi
		call	PsCreateSystemThreadEx
		test	eax, eax
		js	loc_9260C1
		push	[esp+30h+var_20]
		call	NtClose
		mov	eax, [esp+30h+var_1C]
		inc	ebx
		add	eax, 78h
		add	edi, 78h
		mov	[esp+30h+var_1C], eax
		cmp	eax, 168h
		jb	loc_884C05
		push	esi		; int
		push	esi		; int
		push	offset _CmpUserPresenceCallback@16 ; int
		push	offset _GUID_GLOBAL_USER_PRESENCE ; void *
		push	esi		; int
		mov	_CmpUserPresent, 1
		call	PoRegisterPowerSettingCallback
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
CmpInitializeLazyWriters endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleInitAoAcDozeS4Timer()
_PopIdleInitAoAcDozeS4Timer@0 proc near	; CODE XREF: PoInitSystem+783p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	8
		pop	eax
		push	2
		mov	word ptr [ebp+var_4], ax
		xor	esi, esi
		pop	eax
		push	eax
		mov	word ptr [ebp+var_4+2],	ax
		mov	edx, offset _PopIdleAoAcDozeS4TimerCallback@8 ;	PopIdleAoAcDozeS4TimerCallback(x,x)
		lea	eax, [ebp+var_4]
		mov	_PopIdleAoAcDozeS4Lock,	esi
		push	eax
		push	esi
		mov	ecx, offset _PopIdleAoAcDozeS4Timer
		call	_KeInitializeIRTimer@20	; KeInitializeIRTimer(x,x,x,x,x)
		push	esi		; int
		push	esi		; int
		push	offset _PopIdleGlobalUserPresenceCallback@16 ; int
		push	offset _GUID_GLOBAL_USER_PRESENCE ; void *
		push	esi		; int
		mov	dword_6BFAB8, offset _PopIdleAoAcDozeToS4@4 ; PopIdleAoAcDozeToS4(x)
		mov	dword_6BFABC, esi
		mov	_PopIdleAoAcDozeS4WorkItem, esi
		call	PoRegisterPowerSettingCallback
		pop	esi
		leave
		retn
_PopIdleInitAoAcDozeS4Timer@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 259. CmRegisterMachineHiveLoadedNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public CmRegisterMachineHiveLoadedNotification
CmRegisterMachineHiveLoadedNotification	proc near
					; CODE XREF: CmFcManagerStartRuntimePhase(x)+2BCp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00926CFB SIZE 0000004C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_926CFB
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	loc_926D05
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jz	loc_926D0F
		lea	edx, [ebp+var_4]
		call	_CmpFindMachineHiveByMountPoint@8 ; CmpFindMachineHiveByMountPoint(x,x)
		test	eax, eax
		js	loc_884DF2
		push	32394D43h
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_926D19
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	[esi], ecx
		xor	edx, edx
		mov	[esi+4], ecx
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_4]
		mov	[esi+8], edi
		imul	edi, eax, 78h
		mov	[esi+14h], ecx
		mov	[esi+10h], eax
		lea	ecx, dword_6B1684[edi]
		call	ExAcquirePushLockExclusiveEx
		lea	eax, dword_6B1688[edi]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_884DF9
		mov	[esi+4], ecx
		xor	edx, edx
		mov	[esi], eax
		mov	[ecx], esi
		lea	ecx, dword_6B1684[edi]
		mov	[eax+4], esi
		mov	byte ptr [esi+15h], 1
		call	ExReleasePushLockEx
		lea	ecx, dword_6B1680[edi]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		xor	ecx, ecx
		inc	ecx
		cmp	dword_6B1674[edi], ecx
		jz	loc_926D23

loc_884DE1:				; CODE XREF: CmRegisterMachineHiveLoadedNotification+A2012j
					; CmRegisterMachineHiveLoadedNotification+A2024j
		xor	edx, edx
		lea	ecx, dword_6B1680[edi]
		call	ExReleasePushLockEx
		mov	[ebx], esi
		xor	eax, eax

loc_884DF2:				; CODE XREF: CmRegisterMachineHiveLoadedNotification+38j
					; CmRegisterMachineHiveLoadedNotification+A1FE2j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_884DF9:				; CODE XREF: CmRegisterMachineHiveLoadedNotification+8Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
CmRegisterMachineHiveLoadedNotification	endp ; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindMachineHiveByMountPoint(x, x)
_CmpFindMachineHiveByMountPoint@8 proc near
					; CODE XREF: CmRegisterMachineHiveLoadedNotification+31p

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_94], ecx
		mov	ebx, edx
		mov	esi, edi

loc_884E22:				; CODE XREF: CmpFindMachineHiveByMountPoint(x,x)+6Bj
		mov	eax, 80h
		mov	[ebp+var_90], edi
		mov	word ptr [ebp+var_90+2], ax
		lea	edx, [ebp+var_90]
		lea	eax, [ebp+var_88]
		mov	ecx, esi
		mov	[ebp+var_8C], eax
		call	_CmpBuildMachineHiveMountPoint@8 ; CmpBuildMachineHiveMountPoint(x,x)
		push	1
		push	[ebp+var_94]
		lea	eax, [ebp+var_90]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_884E72
		inc	esi
		cmp	esi, 7
		jb	short loc_884E22
		mov	edi, 0C000003Ah
		jmp	short loc_884E74
; 

loc_884E72:				; CODE XREF: CmpFindMachineHiveByMountPoint(x,x)+65j
		mov	[ebx], esi

loc_884E74:				; CODE XREF: CmpFindMachineHiveByMountPoint(x,x)+72j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpFindMachineHiveByMountPoint@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInitializeSystemHivesLoad proc near	; CODE XREF: CmCompleteRegistryInitialization+45p

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00926D47 SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		push	ebx
		push	1
		push	offset _CmpLoadWorkerEvent
		mov	[esp+0CCh+var_B0], ebx
		mov	ds:_CmpNoWrite,	bl
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		push	1
		push	offset _CmpLoadWorkerDebugEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	edi, edi
		mov	esi, offset dword_6B169C
		mov	[esp+0C0h+var_B4], edi

loc_884ED6:				; CODE XREF: CmpInitializeSystemHivesLoad+113j
		push	edi
		push	edi
		lea	eax, [esi-4Ch]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	1
		lea	eax, [esi-3Ch]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, 80h
		mov	[esp+0C0h+var_AC], edi
		mov	word ptr [esp+0C0h+var_AC+2], ax
		lea	edx, [esp+0C0h+var_AC]
		lea	eax, [esp+0C0h+var_88]
		mov	ecx, ebx
		mov	[esp+0C0h+var_A8], eax
		call	_CmpBuildMachineHiveMountPoint@8 ; CmpBuildMachineHiveMountPoint(x,x)
		push	32364D43h
		mov	eax, 80h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0C0h+var_A4], eax
		test	eax, eax
		jz	loc_926D7B
		lea	edi, [esi-4]
		mov	ecx, 80h
		and	dword ptr [edi], 0
		mov	edx, edi
		and	dword ptr [edi+4], 0
		mov	[esi-2], cx
		lea	ecx, [esp+0C0h+var_AC]
		mov	[esi], eax
		call	CmpQueryHiveRedirectionFileList
		test	al, al
		jnz	loc_926D47

loc_884F54:				; CODE XREF: CmpInitializeSystemHivesLoad+A1ECDj
		and	dword ptr [edi], 0
		mov	eax, 80h
		and	dword ptr [edi+4], 0
		push	offset ??_C@_1DK@MBODLMJO@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@ ; void *
		mov	[esi-2], ax
		mov	eax, [esp+0C4h+var_A4]
		push	edi		; int
		mov	[esi], eax
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	dword ptr [esi-74h] ; void *
		push	edi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	2
		pop	edx

loc_884F81:				; CODE XREF: CmpInitializeSystemHivesLoad+A1EC7j
		mov	edi, [esp+0C0h+var_B4]
		inc	ebx
		add	edi, 78h
		add	esi, 78h
		push	0
		mov	[esp+0C4h+var_B4], edi
		cmp	edi, 348h
		pop	edi
		jb	loc_884ED6
		xor	ecx, ecx
		cmp	ds:_CmpShareSystemHives, cl
		jnz	loc_926D58

loc_884FAD:				; CODE XREF: CmpInitializeSystemHivesLoad+A1EF0j
		mov	ds:_CmpSpecialBootCondition, 1
		mov	esi, ecx
		mov	edi, offset dword_6B1650
		mov	ebx, ecx

loc_884FBD:				; CODE XREF: CmpInitializeSystemHivesLoad+1CAj
		test	byte ptr [edi-18h], 1
		jnz	short loc_884FE3
		cmp	esi, 3
		jz	short loc_884FE3
		cmp	esi, 6
		jz	short loc_884FE3
		cmp	esi, edx
		jz	short loc_884FE3
		cmp	_CmpInitRmLogOnLoad, 0
		jnz	short loc_884FE3
		cmp	ds:_CmpForceSynchronousMachineHiveLoad,	0
		jz	short loc_884FED

loc_884FE3:				; CODE XREF: CmpInitializeSystemHivesLoad+13Bj
					; CmpInitializeSystemHivesLoad+140j ...
		push	ecx
		push	ecx
		push	edi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	ecx, ecx

loc_884FED:				; CODE XREF: CmpInitializeSystemHivesLoad+15Bj
		mov	eax, _CmpRegistryProcess
		push	ecx
		push	ecx
		push	esi
		push	offset _CmpLoadHiveThread@4 ; CmpLoadHiveThread(x)
		push	ecx
		push	eax
		lea	eax, [esp+0D8h+var_A0]
		mov	[esp+0D8h+var_A0], 18h
		push	eax
		push	1FFFFFh
		lea	eax, [esp+0E0h+var_B0]
		mov	[esp+0E0h+var_9C], ecx
		push	eax
		mov	[esp+0E4h+var_94], 200h
		mov	[esp+0E4h+var_98], ecx
		mov	[esp+0E4h+var_90], ecx
		mov	[esp+0E4h+var_8C], ecx
		call	PsCreateSystemThreadEx
		test	eax, eax
		js	short loc_88506B
		push	[esp+0C0h+var_B0]
		call	_ZwClose@4	; ZwClose(x)
		push	0
		pop	ecx
		add	ebx, 78h
		inc	esi
		add	edi, 78h
		push	2
		pop	edx
		cmp	ebx, 348h
		jb	loc_884FBD
		mov	ecx, [esp+0C0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_88506B:				; CODE XREF: CmpInitializeSystemHivesLoad+1ACj
		push	eax
		push	esi
		push	3
		jmp	loc_926D7F
CmpInitializeSystemHivesLoad endp


;  S U B	R O U T	I N E 


; __stdcall CmpBuildMachineHiveMountPoint(x, x)
_CmpBuildMachineHiveMountPoint@8 proc near
					; CODE XREF: CmpFindMachineHiveByMountPoint(x,x)+4Ap
					; CmpInitializeSystemHivesLoad+83p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		push	offset ??_C@_1BG@OKCBELMP@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2@NNGAKEGL@ ; "\\REGISTRY\\"
		push	edi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		imul	esi, 78h
		push	off_6B162C[esi]	; void *
		push	edi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	eax, dword_6B1630[esi]
		test	eax, eax
		jz	short loc_8850AA

loc_8850A0:				; CODE XREF: CmpBuildMachineHiveMountPoint(x,x)+42j
		push	eax		; void *
		push	edi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		pop	edi
		pop	esi
		retn
; 

loc_8850AA:				; CODE XREF: CmpBuildMachineHiveMountPoint(x,x)+2Aj
		mov	eax, _CmpMachineHiveList[esi]
		mov	dword_6B1630[esi], eax
		jmp	short loc_8850A0
_CmpBuildMachineHiveMountPoint@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeVelocity()
_KeInitializeVelocity@0	proc near	; CODE XREF: CmCompleteRegistryInitialization:loc_88530Fp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_BamQosGrouping__private_featureState
		test	al, 10h
		jnz	short loc_8850D0
		push	0
		push	eax
		call	_Feature_BamQosGrouping__private_ReportUsageFallback@12	; Feature_BamQosGrouping__private_ReportUsageFallback(x,x,x)

loc_8850D0:				; CODE XREF: KeInitializeVelocity()+Ej
		or	ds:_KiVelocityFlags, 800h
		call	_Feature_SchedulerFavoredCoreRotation__private_ReportDeviceUsage@0 ; Feature_SchedulerFavoredCoreRotation__private_ReportDeviceUsage()
		or	ds:_KiVelocityFlags, 1000h
		call	_Feature_SchedulerQosPreemption__private_ReportDeviceUsage@0 ; Feature_SchedulerQosPreemption__private_ReportDeviceUsage()
		or	ds:_KiVelocityFlags, 4000h
		leave
		retn
_KeInitializeVelocity@0	endp


;  S U B	R O U T	I N E 


PnpBootPhaseComplete proc near		; CODE XREF: CmCompleteRegistryInitialization+124p
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		push	2
		pop	ecx
		call	PiPnpRtlInit
		mov	esi, eax
		test	esi, esi
		js	short loc_88517A
		xor	ebx, ebx
		mov	_PnpBootMode, bl
		cmp	_PnpSetupOOBEInProgress, bl
		jnz	loc_926D89

loc_885121:				; CODE XREF: CmpInitializeSystemHivesLoad+A1F1Dj
					; CmpInitializeSystemHivesLoad+A1F29j
		push	2
		pop	ecx
		call	PiDmaGuardInitialize
		mov	esi, eax
		test	esi, esi
		js	short loc_88517A
		mov	ecx, _IopRootDeviceNode
		push	ebx
		push	ebx
		push	ebx
		mov	ecx, [ecx+10h]
		push	27h
		push	ebx
		push	2
		pop	edx
		call	PnpRequestDeviceAction
		call	PpDevCfgProcessDevices
		mov	esi, eax
		test	esi, esi
		js	short loc_88517A
		push	6E697050h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_885180
		push	3
		push	eax
		mov	dword ptr [eax+8], offset PipUpdateDeviceProducts
		mov	[eax+0Ch], eax
		mov	[eax], ebx
		call	ExQueueWorkItem

loc_88517A:				; CODE XREF: PnpBootPhaseComplete+11j
					; PnpBootPhaseComplete+33j ...
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ecx
		retn
; 

loc_885180:				; CODE XREF: PnpBootPhaseComplete+6Aj
		mov	esi, 0C000009Ah
		jmp	short loc_88517A
PnpBootPhaseComplete endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpDevCfgProcessDevices proc near	; CODE XREF: PnpBootPhaseComplete+4Cp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00926DB4 SIZE 0000012A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	ecx, ecx
		lea	eax, [ebp+var_18]
		test	byte ptr ds:_PiDevCfgMode, 2
		mov	bl, cl
		push	esi
		mov	esi, eax
		mov	[ebp+var_8], ecx
		push	edi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], esi
		jz	short loc_8851F1
		mov	ecx, _IopRootDeviceNode
		mov	edx, offset PiDevCfgProcessDeviceCallback
		push	eax
		call	_PipForDeviceNodeSubtree@12 ; PipForDeviceNodeSubtree(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_926EB8
		mov	eax, esi
		mov	esi, [ebp+var_18]
		cmp	esi, eax
		jnz	loc_926DB4

loc_8851DF:				; CODE XREF: PpDevCfgProcessDevices+6Bj
					; PpDevCfgProcessDevices+A1D33j
		lea	eax, [ebp+var_18]
		cmp	esi, eax
		jnz	loc_926EC0
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8851F1:				; CODE XREF: PpDevCfgProcessDevices+2Dj
		mov	edi, ecx
		jmp	short loc_8851DF
PpDevCfgProcessDevices endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmCompleteRegistryInitialization proc near ; CODE XREF:	NtInitializeRegistry:loc_870063p

var_40		= dword	ptr -40h
var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 00926EDE SIZE 00000039 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+40h+var_28]
		stosd
		xor	ebx, ebx
		mov	si, cx
		mov	[esp+40h+var_2C], ebx
		mov	ecx, offset _CmFirstTime
		stosd
		stosd
		stosd
		xor	eax, eax
		xchg	eax, [ecx]
		test	eax, eax
		jz	loc_926ED4
		push	2
		pop	ecx
		call	EtwInitialize
		push	offset _IopAutoReboot
		call	ds:__imp__CmCompleteInitMachineConfig@4	; CmCompleteInitMachineConfig(x)
		call	CmpInitializeSystemHivesLoad
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		xor	edi, edi
		inc	edi
		cmp	si, di
		setz	cl
		call	CmpCmdInit
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	eax, eax
		inc	eax
		cmp	si, ax
		jz	loc_885303
		mov	_CmpLoadingSystemHivesActive, al
		cmp	_CmpInitRmLogOnLoad, bl
		jnz	loc_926EDE
		mov	[esp+44h+var_31], bl
		cmp	ds:_CmpForceSynchronousMachineHiveLoad,	bl
		jnz	loc_926EDE

loc_885285:				; CODE XREF: CmCompleteRegistryInitialization+A1CECj
		push	ebx
		push	ebx
		lea	eax, [esp+4Ch+var_2C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		movzx	eax, [esp+44h+var_31]
		lea	edx, [esp+44h+var_2C]
		mov	ecx, _CmpRegistryProcess
		neg	eax
		push	ebx
		push	ebx
		sbb	eax, eax
		mov	[esp+4Ch+var_1C], 18h
		and	eax, edx
		mov	[esp+4Ch+var_18], ebx
		push	eax
		push	offset _CmpFinishSystemHivesLoad@4 ; CmpFinishSystemHivesLoad(x)
		push	ebx
		push	ecx
		lea	eax, [esp+5Ch+var_1C]
		mov	[esp+5Ch+var_10], 200h
		push	eax
		push	1FFFFFh
		lea	eax, [esp+64h+var_30]
		mov	[esp+64h+var_14], ebx
		push	eax
		mov	[esp+68h+var_C], ebx
		mov	[esp+68h+var_8], ebx
		call	PsCreateSystemThreadEx
		test	eax, eax
		js	loc_926EE7
		cmp	[esp+44h+var_31], bl
		jnz	loc_926EF5

loc_8852F6:				; CODE XREF: CmCompleteRegistryInitialization+A1D0Dj
		push	[esp+44h+var_30]
		call	_ZwClose@4	; ZwClose(x)
		mov	[esp+44h+var_30], ebx

loc_885303:				; CODE XREF: CmCompleteRegistryInitialization+68j
		cmp	_CmFastBoot, ebx
		jz	loc_926F08

loc_88530F:				; CODE XREF: CmCompleteRegistryInitialization+A1D1Cj
		call	_KeInitializeVelocity@0	; KeInitializeVelocity()
		push	ebx
		call	_RtlLockBootStatusData@4 ; RtlLockBootStatusData(x)
		call	PnpBootPhaseComplete
		call	PoInitHiberServices
		call	_PoClearTransitionMarker@0 ; PoClearTransitionMarker()
		call	PoEnableCriticalShutdown
		xor	edi, edi
		inc	edi
		mov	ds:_NlsLocaleSectionPointer, edi
		call	ExNotifyPlatformBinaryExecuted
		cmp	si, di
		jz	short loc_885346
		call	IopCopyBootLogRegistryToFile

loc_885346:				; CODE XREF: CmCompleteRegistryInitialization+149j
					; PpDevCfgProcessDevices+A1D51j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
CmCompleteRegistryInitialization endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCopyBootLogRegistryToFile proc near	; CODE XREF: CmCompleteRegistryInitialization+14Bp

var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= dword	ptr -334h
var_32C		= dword	ptr -32Ch
var_328		= word ptr -328h
var_326		= word ptr -326h
var_324		= word ptr -324h
var_322		= word ptr -322h
var_320		= word ptr -320h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= word ptr -308h
var_108		= byte ptr -108h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00926F17 SIZE 00000210 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 354h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_32C]
		stosd
		xor	esi, esi
		mov	[ebp+var_348], esi
		mov	[ebp+var_344], esi
		mov	[ebp+var_30C], esi
		stosd
		mov	[ebp+var_310], esi
		mov	[ebp+var_338], esi
		mov	[ebp+var_334], esi
		stosd
		mov	[ebp+var_340], esi
		mov	[ebp+var_33C], esi
		mov	[ebp+var_31C], esi
		stosd
		mov	[ebp+var_318], esi
		mov	[ebp+var_350], esi
		mov	[ebp+var_34C], esi
		cmp	ds:dword_A933A4, esi
		jnz	loc_926F17

loc_8853CA:				; CODE XREF: IopCopyBootLogRegistryToFile+A1DD2j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
IopCopyBootLogRegistryToFile endp

; 
		align 2

;  S U B	R O U T	I N E 


ExNotifyPlatformBinaryExecuted proc near ; CODE	XREF: CmCompleteRegistryInitialization+141p

; FUNCTION CHUNK AT 00927127 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		dec	word ptr [edi+13Ch]
		nop
		mov	ebx, offset _ExpPlatformBinaryLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	esi, ds:_ExpPlatformBinaryTableInformation
		or	eax, 0FFFFFFFFh
		mov	ds:_ExpPlatformBinaryTableInformation, eax
		lock xadd [ebx], eax
		test	al, 2
		jnz	loc_927127

loc_885416:				; CODE XREF: ExNotifyPlatformBinaryExecuted+A1D4Fj
					; ExNotifyPlatformBinaryExecuted+A1D5Cj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		jnz	loc_92713B

loc_88542C:				; CODE XREF: ExNotifyPlatformBinaryExecuted+A1D6Cj
		pop	edi
		pop	esi
		pop	ebx
		retn
ExNotifyPlatformBinaryExecuted endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoEnableCriticalShutdown proc near	; CODE XREF: CmCompleteRegistryInitialization+133p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092714B SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		xor	ecx, ecx
		inc	ecx
		cmp	_PopThermalCriticalShutdownInitiated, 0
		mov	_PopThermalCriticalShutdownEnabled, cl
		jnz	loc_92714B

loc_885453:				; CODE XREF: PoEnableCriticalShutdown+A1D55j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		call	_PopQueueBatteryStatusTimeout@0	; PopQueueBatteryStatusTimeout()
		leave
		retn
PoEnableCriticalShutdown endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoClearTransitionMarker()
_PoClearTransitionMarker@0 proc	near	; CODE XREF: CmCompleteRegistryInitialization+12Ep

var_30		= dword	ptr -30h
var_29		= dword	ptr -29h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_30]
		xor	ebx, ebx
		push	eax
		mov	[ebp+var_30], ebx
		mov	byte ptr [ebp+var_29], bl
		call	_RtlLockBootStatusData@4 ; RtlLockBootStatusData(x)
		test	eax, eax
		js	short loc_88549A
		mov	ecx, [ebp+var_30]
		call	_RtlInitializeBootStatusDataBlackBox@4 ; RtlInitializeBootStatusDataBlackBox(x)
		push	[ebp+var_30]
		call	_RtlUnlockBootStatusData@4 ; RtlUnlockBootStatusData(x)

loc_88549A:				; CODE XREF: PoClearTransitionMarker()+28j
		push	20h
		pop	eax
		push	2
		mov	edi, offset _PopBsdPowerTransition
		mov	[ebp+var_29+1],	7
		pop	esi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], 10h
		mov	[ebp+var_18], offset _PopBsdPowerTransitionExtension
		mov	[ebp+var_14], eax
		call	_ExIsSoftBoot@0	; ExIsSoftBoot()
		test	al, al
		jz	short loc_8854E3
		push	3
		lea	eax, [ebp+var_29]
		mov	[ebp+var_10], 5
		pop	esi
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], 1

loc_8854E3:				; CODE XREF: PoClearTransitionMarker()+6Aj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopBsdUpdateLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C3D9C, eax
		xor	eax, eax
		push	8
		pop	ecx
		rep stosd
		push	8
		pop	ecx
		mov	edi, offset _PopBsdPowerTransitionExtension
		mov	byte_6D4A00, 1
		rep stosd
		mov	eax, ds:0FFDF02C4h
		and	byte_6D4C81, 0F3h
		mov	dword_6D4A14, eax
		mov	al, byte_6D4A03
		or	al, 0C0h
		mov	byte_6D4A03, al
		movzx	eax, al
		shr	eax, 6
		mov	dword_6BFDAC, eax
		call	_PopUpdateBsdPowerTransitionReferenceTime@0 ; PopUpdateBsdPowerTransitionReferenceTime()
		and	byte_6D4A06, 0EFh
		lea	edx, [ebp+var_29+1]
		push	ebx
		push	esi
		push	20h
		pop	ecx
		call	RtlpSystemBootStatusRequest
		cmp	dword_6C3D9C, ebx
		jz	short loc_88556F
		mov	dword_6C3D9C, ebx

loc_88556F:				; CODE XREF: PoClearTransitionMarker()+107j
		xor	edx, edx
		mov	ecx, offset _PopBsdUpdateLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	cl, cl
		call	_PopRecordLongPowerButtonPressDetected@4 ; PopRecordLongPowerButtonPressDetected(x)
		mov	eax, _Feature_PdttSupport__private_featureState
		test	al, 10h
		jnz	short loc_885597
		push	ebx
		push	eax
		call	_Feature_PdttSupport__private_ReportUsageFallback@12 ; Feature_PdttSupport__private_ReportUsageFallback(x,x,x)

loc_885597:				; CODE XREF: PoClearTransitionMarker()+12Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		mov	_PopAcpiPdttSupportEnabled, ebx
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PoClearTransitionMarker@0 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2141. RtlGetSystemBootStatus

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetSystemBootStatus(x, x, x, x)
		public _RtlGetSystemBootStatus@16
_RtlGetSystemBootStatus@16 proc	near	; CODE XREF: PopCheckAndClearBootError+27p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	[ebp+arg_C]
		mov	eax, [ebp+arg_0]
		lea	edx, [ebp+var_C]
		push	1
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_4]
		push	1Fh
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		pop	ecx
		mov	[ebp+var_4], eax
		call	RtlpSystemBootStatusRequest
		leave
		retn	10h
_RtlGetSystemBootStatus@16 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2142. RtlGetSystemBootStatusEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetSystemBootStatusEx(x,	x, x)
		public _RtlGetSystemBootStatusEx@12
_RtlGetSystemBootStatusEx@12 proc near	; CODE XREF: PopCheckShutdownMarker+64p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_4]
		push	1Fh
		pop	ecx
		call	RtlpSystemBootStatusRequest
		pop	ecx
		pop	ebp
		retn	0Ch
_RtlGetSystemBootStatusEx@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopRecordLongPowerButtonPressDetected(x)
_PopRecordLongPowerButtonPressDetected@4 proc near
					; CODE XREF: PoClearTransitionMarker()+122p
					; PopDiagTracePowerButtonBugcheck(x)+29p
		mov	edi, edi
		push	ebx
		mov	bl, cl
		xor	cl, cl
		push	edi
		call	_RtlBootStatusDisableFlushing@4	; RtlBootStatusDisableFlushing(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	cl, _PnpSetupOOBEInProgress
		mov	dword_6C3D9C, eax
		and	cl, 1
		mov	al, byte_6D4A27
		add	cl, cl
		shl	bl, 2
		xor	bl, al
		and	bl, 4
		xor	al, bl
		mov	byte_6D4A27, al
		mov	al, byte_6D4C81
		and	al, 0FCh
		or	cl, al
		mov	al, _PnpSetupInProgress
		push	0
		push	30h
		and	al, 1
		push	offset _PopBsdPhysicalPowerButtonInfo
		or	cl, al
		push	0Eh
		mov	byte_6D4C81, cl
		call	_RtlSetSystemBootStatus@16 ; RtlSetSystemBootStatus(x,x,x,x)
		push	0
		push	20h
		push	offset _PopBsdPowerTransitionExtension
		push	10h
		call	_RtlSetSystemBootStatus@16 ; RtlSetSystemBootStatus(x,x,x,x)
		cmp	dword_6C3D9C, 0
		jz	short loc_88569D
		and	dword_6C3D9C, 0

loc_88569D:				; CODE XREF: PopRecordLongPowerButtonPressDetected(x)+92j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		pop	edi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopRecordLongPowerButtonPressDetected@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2339. RtlSetSystemBootStatus

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSetSystemBootStatus(x, x, x, x)
		public _RtlSetSystemBootStatus@16
_RtlSetSystemBootStatus@16 proc	near	; CODE XREF: PopBsdHandleRequest(x)+15p
					; PopWriteBsdPoInfo(x,x)+45p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	[ebp+arg_C]
		mov	eax, [ebp+arg_0]
		lea	edx, [ebp+var_C]
		push	1
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_4]
		push	20h
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		pop	ecx
		mov	[ebp+var_4], eax
		call	RtlpSystemBootStatusRequest
		leave
		retn	10h
_RtlSetSystemBootStatus@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpSystemBootStatusRequest proc near	; CODE XREF: RtlSetSystemBootStatusEx(x,x,x)+12p
					; PoClearTransitionMarker()+FCp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092718A SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		mov	ebx, ecx
		mov	[ebp+var_4], eax
		push	edi
		mov	edi, edx
		cmp	[ebp+arg_4], eax
		jnz	loc_92718A

loc_885700:				; CODE XREF: RtlpSystemBootStatusRequest+A1AC6j
		and	[ebp+var_10], 0
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], ebx
		push	10h
		push	eax
		push	57h
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], edi
		call	_ZwPowerInformation@20 ; ZwPowerInformation(x,x,x,x,x)

loc_88571E:				; CODE XREF: RtlpSystemBootStatusRequest+A1ABDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
RtlpSystemBootStatusRequest endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopUpdateBsdPowerTransitionReferenceTime()
_PopUpdateBsdPowerTransitionReferenceTime@0 proc near ;	CODE XREF: PopBsdHandleRequest(x)+5p
					; PopBsdUpdateWorker(x)+59p ...
		mov	edi, edi
		push	esi
		mov	esi, offset unk_6D4A08
		push	esi
		call	KeQuerySystemTime
		push	8
		push	esi
		push	0
		call	_RtlComputeCrc32@12 ; RtlComputeCrc32(x,x,x)
		mov	dword_6D4A10, eax
		pop	esi
		retn
_PopUpdateBsdPowerTransitionReferenceTime@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitializeBootStatusDataBlackBox(x)
_RtlInitializeBootStatusDataBlackBox@4 proc near ; CODE	XREF: PoClearTransitionMarker()+2Dp

var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_B8]
		mov	ebx, 0B0h
		mov	[ebp+var_C8], edi
		push	ebx		; size_t
		push	edi		; int
		push	eax		; void *
		mov	esi, ecx
		mov	[ebp+var_C4], edi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_C0], edi
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_BC], edi
		push	edi
		push	eax
		push	ebx
		lea	eax, [ebp+var_B8]
		push	eax
		lea	eax, [ebp+var_C8]
		push	eax
		push	edi
		push	edi
		push	edi
		push	esi
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8857C9
		push	ebx
		push	edi
		lea	edx, [ebp+var_B8]
		xor	cl, cl
		call	_RtlpRecordBootStatusData@16 ; RtlpRecordBootStatusData(x,x,x,x)
		test	eax, eax
		js	short loc_8857C9
		mov	eax, edi

loc_8857C9:				; CODE XREF: RtlInitializeBootStatusDataBlackBox(x)+6Cj
					; RtlInitializeBootStatusDataBlackBox(x)+7Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_RtlInitializeBootStatusDataBlackBox@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopNotifyPolicyDevice proc near		; DATA XREF: PoInitDriverServices()+Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009271AB SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	10h		; size_t
		push	(offset	loc_407DCD+3) ;	void *
		lea	eax, [esi+4]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		setz	bl
		cmp	[ebp+arg_4], 8
		jz	loc_9271AB
		cmp	[ebp+arg_4], 3
		jz	loc_9271E5
		test	bl, bl
		jnz	short loc_885835
		mov	edi, offset _PopPolicyDeviceLock
		mov	ecx, edi
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		mov	edx, [esi+24h]
		mov	ecx, [ebp+arg_4]
		call	PopConnectToPolicyDevice
		mov	ecx, edi
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)

loc_885835:				; CODE XREF: PopNotifyPolicyDevice+3Dj
					; PopNotifyPolicyDevice+A1A08j	...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
PopNotifyPolicyDevice endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopConnectToPolicyDevice proc near	; CODE XREF: PopNotifyPolicyDevice+51p
					; PopPolicyDeviceTargetChange(x,x)+8Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00927CC0 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_C], 0
		mov	eax, edx
		push	ebx
		imul	ebx, ecx, 14h
		push	esi
		push	edi
		mov	[esp+18h+var_8], eax
		mov	[esp+18h+var_4], ecx
		add	ebx, offset _PopPolicyDeviceParameters
		mov	edi, [ebx+8]
		mov	esi, [edi]

loc_88586A:				; CODE XREF: PopConnectToPolicyDevice+12Fj
		cmp	esi, edi
		jnz	loc_885959
		movzx	esi, word ptr [eax]
		push	dword ptr [ebx+4]
		add	esi, [ebx]
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_885952
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebx]
		lea	esi, [edi+10h]
		add	ecx, edi
		add	esp, 0Ch
		mov	[edi+14h], ecx
		mov	ecx, [esp+18h+var_8]
		push	ecx
		push	esi
		mov	ax, [ecx]
		mov	[edi+12h], ax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	eax, [esp+18h+var_4]
		lea	edx, [esp+18h+var_C]
		mov	ecx, esi
		mov	[edi+8], eax
		call	PopGetPolicyDeviceObject
		mov	esi, eax
		test	esi, esi
		jz	short loc_88594A
		movzx	ecx, byte ptr [esi+30h]
		push	0
		push	ecx
		call	IoAllocateIrp
		mov	[esp+18h+var_8], eax
		test	eax, eax
		jz	short loc_88592D
		lea	ecx, [edi+0Ch]
		push	ecx
		push	edi
		push	offset _PopPolicyDeviceTargetChange@8 ;	PopPolicyDeviceTargetChange(x,x)
		push	dword ptr [esi+8]
		push	[esp+28h+var_C]
		push	0
		push	3
		call	IoRegisterPlugPlayNotification
		test	eax, eax
		mov	eax, [esp+18h+var_8]
		js	short loc_885929
		push	edi
		mov	[edi+18h], esi
		mov	[edi+1Ch], eax
		call	dword ptr [ebx+0Ch]
		mov	eax, [ebx+8]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_885974
		mov	[edi], eax
		xor	esi, esi
		mov	[edi+4], edx
		mov	[edx], edi
		mov	[eax+4], edi
		xor	eax, eax
		xor	edi, edi

loc_885929:				; CODE XREF: PopConnectToPolicyDevice+C3j
		test	eax, eax
		jnz	short loc_885979

loc_88592D:				; CODE XREF: PopConnectToPolicyDevice+A1j
					; PopConnectToPolicyDevice+13Fj
		test	esi, esi
		jnz	loc_927CAF

loc_885935:				; CODE XREF: PnpNotifyDriverCallback+B6335j
		cmp	[esp+1Ch+var_10], 0
		jz	short loc_88594A
		mov	ecx, [esp+1Ch+var_10]
		mov	edx, 64506F50h
		call	ObfDereferenceObjectWithTag

loc_88594A:				; CODE XREF: PopConnectToPolicyDevice+8Dj
					; PopConnectToPolicyDevice+FAj
		test	edi, edi
		jnz	loc_927CC0

loc_885952:				; CODE XREF: PopConnectToPolicyDevice+49j
					; PopConnectToPolicyDevice+127j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_885959:				; CODE XREF: PopConnectToPolicyDevice+2Cj
		push	1
		push	eax
		lea	eax, [esi+10h]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jz	short loc_885952
		mov	esi, [esi]
		mov	eax, [esp+18h+var_8]
		jmp	loc_88586A
; 

loc_885974:				; CODE XREF: PopConnectToPolicyDevice+D7j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_885979:				; CODE XREF: PopConnectToPolicyDevice+EBj
		push	eax
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		jmp	short loc_88592D
PopConnectToPolicyDevice endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopThermalZoneAdd proc near		; DATA XREF: .data:006B2F28o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00927CCE SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		lea	eax, [esi+0F8h]
		cmp	_PopThermalPollingMode,	ebx
		jnz	loc_927CCE
		push	ebx
		push	esi
		push	offset _PopThermalZoneTimerCallback@8 ;	PopThermalZoneTimerCallback(x,x)
		push	eax
		call	_KeInitializeTimer2@16 ; KeInitializeTimer2(x,x,x,x)

loc_8859AE:				; CODE XREF: PopThermalZoneAdd+A236Dj
		mov	eax, [esi+1Ch]
		push	64h
		pop	ecx
		mov	byte ptr [esi+20h], 6
		mov	byte ptr [esi+23h], 2
		mov	word ptr [esi+25h], 0FFFFh
		mov	dword ptr [esi+2Ch], 3E8h
		mov	[esi+30h], ecx
		mov	[esi+34h], ecx
		mov	dword ptr [eax+18h], 0C000009Dh
		mov	eax, _PopThermalZoneNextId
		mov	[esi+178h], eax
		inc	eax
		push	ebx
		mov	_PopThermalZoneNextId, eax
		lea	eax, [esi+158h]
		push	ebx
		push	eax
		mov	[esi+0B8h], ecx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		push	ebx
		lea	eax, [esi+168h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	edi, [esi+0E8h]
		mov	dword ptr [edi+8], offset PopThermalWorker
		mov	[edi+0Ch], esi
		mov	[edi], ebx
		call	KeQueryInterruptTime
		mov	[esi+188h], eax
		mov	[esi+190h], eax
		mov	eax, edx
		mov	[esi+194h], eax
		mov	eax, _PopThermalZoneCount
		inc	eax
		mov	[esi+18Ch], edx
		mov	[esi+150h], ebx
		mov	[esi+154h], ebx
		mov	_PopThermalZoneCount, eax
		cmp	eax, 1
		jnz	short loc_885A75
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	byte_6C2E2D, 1
		jz	short loc_885A70
		mov	byte_6C2E2D, 1
		call	PopResetCurrentPolicies

loc_885A70:				; CODE XREF: PopThermalZoneAdd+E0j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_885A75:				; CODE XREF: PopThermalZoneAdd+D2j
		mov	cl, 1
		call	PopThermalUpdateTelemetryClientCount
		push	1
		push	edi
		call	ExQueueWorkItem
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
PopThermalZoneAdd endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopGetPolicyDeviceObject proc near	; CODE XREF: PopConnectToPolicyDevice+84p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00927CF4 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[esp+38h+var_18], 18h
		push	esi
		push	esi
		push	esi
		push	1
		push	3
		push	esi
		push	esi
		lea	eax, [esp+54h+var_20]
		mov	[esp+54h+var_20], esi
		push	eax
		lea	eax, [esp+58h+var_18]
		mov	[esp+58h+var_1C], esi
		push	eax
		push	1F01FFh
		lea	eax, [esp+60h+var_28]
		mov	[esp+60h+var_24], esi
		push	eax
		mov	ebx, edx
		mov	[esp+64h+var_28], esi
		mov	edi, esi
		mov	[esp+64h+var_14], esi
		mov	[esp+64h+var_C], 240h
		mov	[esp+64h+var_10], ecx
		mov	[esp+64h+var_8], esi
		mov	[esp+64h+var_4], esi
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_885B50
		mov	eax, ds:_IoFileObjectType
		lea	ecx, [esp+38h+var_24]
		push	esi
		push	esi
		push	ecx
		mov	ecx, [esp+44h+var_28]
		xor	edx, edx
		push	64506F50h
		push	esi
		push	eax
		call	ObpReferenceObjectByHandleWithTag
		test	eax, eax
		js	short loc_885B40
		mov	esi, [esp+38h+var_24]
		push	esi
		call	IoGetRelatedDeviceObject
		mov	edi, eax
		test	edi, edi
		jz	short loc_885B38
		mov	edx, 64506F50h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		mov	[ebx], esi
		xor	esi, esi

loc_885B38:				; CODE XREF: PopGetPolicyDeviceObject+9Aj
		test	esi, esi
		jnz	loc_927CF4

loc_885B40:				; CODE XREF: PopGetPolicyDeviceObject+8Aj
					; PopGetPolicyDeviceObject+A2274j
		cmp	[esp+38h+var_28], 0
		jz	short loc_885B50
		push	[esp+38h+var_28]
		call	_ZwClose@4	; ZwClose(x)

loc_885B50:				; CODE XREF: PopGetPolicyDeviceObject+68j
					; PopGetPolicyDeviceObject+B9j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
PopGetPolicyDeviceObject endp

; 
		align 2

; __stdcall PoVolumeDevice(x)
_PoVolumeDevice@4:			; CODE XREF: IoCreateDevice:loc_7EE653p
					; IoVerifyVolume(x,x)+13Bp
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		call	PopGetDope
		mov	esi, eax
		test	esi, esi
		jz	short loc_885BA0
		mov	edi, offset _PopVolumeLock
		mov	ecx, edi
		call	ExAcquireFastMutex
		lea	eax, [esi+34h]
		cmp	dword ptr [eax], 0
		jnz	short loc_885B99
		mov	ecx, dword_6C2B84
		mov	edx, offset _PopVolumeDevices
		cmp	[ecx], edx
		jnz	short loc_885BA4
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6C2B84, eax

loc_885B99:				; CODE XREF: PAGE:00885B7Cj
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_885BA0:				; CODE XREF: PAGE:00885B68j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_885BA4:				; CODE XREF: PAGE:00885B8Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 1667. PoCreateThermalRequest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoCreateThermalRequest
PoCreateThermalRequest proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00927D05 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, esi
		mov	[ebp+var_4], esi
		mov	[eax], esi
		cmp	[ebp+arg_4], esi
		jz	loc_927D30
		cmp	[ebp+arg_8], esi
		jz	loc_927D30
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	loc_927D30
		lea	eax, [ebp+var_4]
		xor	dl, dl
		push	eax
		push	esi
		push	1
		push	[ebp+arg_8]
		call	_PoCaptureReasonContext@24 ; PoCaptureReasonContext(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_927D0A
		push	6C6F4350h
		mov	ebx, 230h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_927D05
		push	ebx		; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		mov	esi, [ebp+var_4]
		add	esp, 0Ch
		mov	[edi+0Ch], esi
		mov	byte ptr [edi+8], 64h
		call	KeQueryInterruptTime
		mov	[edi+20h], eax
		mov	ecx, edi
		mov	[edi+28h], eax
		mov	eax, edx
		mov	[edi+2Ch], eax
		mov	eax, [ebp+arg_10]
		shr	eax, 1Fh
		xor	al, 1
		mov	[edi+24h], edx
		mov	edx, [ebp+arg_4]
		movzx	eax, al
		push	eax
		call	PopAssociateThermalRequest
		mov	ebx, eax
		test	ebx, ebx
		js	loc_927D0D
		mov	eax, [ebp+arg_0]
		mov	[eax], edi

loc_885C64:				; CODE XREF: PoCreateThermalRequest+A2187j
		test	ebx, ebx
		js	loc_927D0D

loc_885C6C:				; CODE XREF: PoCreateThermalRequest+A216Cj
					; PoCreateThermalRequest+A217Dj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	14h
PoCreateThermalRequest endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopAssociateThermalRequest proc	near	; CODE XREF: PoCreateThermalRequest+A2p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00927D3A SIZE 00000060 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	ecx, eax
		mov	[ebp+var_8], eax
		xor	edi, edi
		call	PopGetDope
		mov	esi, eax
		mov	[ebp+var_4], esi
		test	esi, esi
		jz	loc_927D3A
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopCoolingExtensionLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C21A4, eax
		cmp	[esi+30h], edi
		jnz	loc_927D5A
		test	eax, eax
		jz	short loc_885CD5
		and	dword_6C21A4, edi

loc_885CD5:				; CODE XREF: PopAssociateThermalRequest+57j
		xor	edx, edx
		mov	ecx, offset _PopCoolingExtensionLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	6C6F4350h
		push	48h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_927D3A
		push	48h		; size_t
		xor	esi, esi
		push	esi		; int
		push	edi		; void *
		call	_memset
		lea	eax, [edi+8]
		add	esp, 0Ch
		mov	[eax+4], eax
		mov	ecx, edi
		mov	[eax], eax
		mov	eax, [ebp+var_8]
		mov	[edi+10h], esi
		mov	[edi+14h], esi
		mov	byte ptr [edi+22h], 64h
		mov	[edi+18h], eax
		call	_PopAcquireCoolingInterface@4 ;	PopAcquireCoolingInterface(x)
		mov	esi, eax
		test	esi, esi
		js	loc_885E59
		cmp	[ebp+arg_0], 0
		mov	byte ptr [edi+20h], 1
		jnz	loc_927D44

loc_885D43:				; CODE XREF: PopAssociateThermalRequest+A20DFj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopCoolingExtensionLock
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebp+var_4]
		mov	eax, large fs:124h
		mov	dword_6C21A4, eax
		cmp	dword ptr [esi+30h], 0
		jnz	loc_927D5A
		mov	eax, dword_6C21AC
		mov	ecx, offset _PopCoolingExtensionList
		cmp	[eax], ecx
		jnz	loc_885E66
		mov	[edi], ecx
		mov	edx, offset _POP_ETW_EVENT_COOLING_EXTENSION_ADD
		mov	[edi+4], eax
		mov	ecx, edi
		mov	[eax], edi
		mov	dword_6C21AC, edi
		mov	[esi+30h], edi
		call	PopDiagTraceCoolingExtension
		xor	edi, edi
		xor	al, al

loc_885DA7:				; CODE XREF: PopAssociateThermalRequest+A20E7j
		test	al, al
		jnz	loc_927D62

loc_885DAF:				; CODE XREF: PopAssociateThermalRequest+A20F8j
		mov	esi, [ebp+var_4]
		mov	eax, large fs:124h
		mov	esi, [esi+30h]
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+10h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+14h], eax
		mov	esi, [ebp+var_4]
		mov	eax, [esi+30h]
		mov	[ebx+10h], eax
		add	eax, 8
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_885E66
		mov	[ebx+4], ecx
		mov	edx, offset _POP_ETW_EVENT_THERMAL_REQUEST_ADD
		mov	[ebx], eax
		mov	[ecx], ebx
		mov	ecx, ebx
		mov	[eax+4], ebx
		mov	byte ptr [ebx+0Ah], 1
		call	PopDiagTraceThermalRequest
		mov	eax, [ebx+10h]
		cmp	dword ptr [eax+44h], 0
		jz	short loc_885E16
		mov	cl, 1
		call	PopThermalUpdateTelemetryClientCount
		mov	eax, [ebx+10h]

loc_885E16:				; CODE XREF: PopAssociateThermalRequest+194j
		cmp	dword ptr [eax+40h], 0
		jnz	short loc_885E6B

loc_885E1C:				; CODE XREF: PopAssociateThermalRequest+1F9j
		mov	ecx, [esi+30h]
		xor	ebx, ebx
		add	ecx, 10h
		cmp	[ecx+4], ebx
		jz	short loc_885E2C
		mov	[ecx+4], ebx

loc_885E2C:				; CODE XREF: PopAssociateThermalRequest+1B1j
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	dword_6C21A4, ebx
		jz	short loc_885E46
		mov	dword_6C21A4, ebx

loc_885E46:				; CODE XREF: PopAssociateThermalRequest+1C8j
		xor	edx, edx
		mov	ecx, offset _PopCoolingExtensionLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	esi, ebx

loc_885E59:				; CODE XREF: PopAssociateThermalRequest+B9j
					; PopAssociateThermalRequest+A20D9j ...
		test	edi, edi
		jnz	short loc_885E71

loc_885E5D:				; CODE XREF: PopAssociateThermalRequest+202j
					; PopAssociateThermalRequest+A20C9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_885E66:				; CODE XREF: PopAssociateThermalRequest+10Bj
					; PopAssociateThermalRequest+171j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_885E6B:				; CODE XREF: PopAssociateThermalRequest+1A4j
		mov	byte ptr [ebx+19h], 1
		jmp	short loc_885E1C
; 

loc_885E71:				; CODE XREF: PopAssociateThermalRequest+1E5j
		mov	ecx, edi
		call	_PopCleanCoolingExtension@4 ; PopCleanCoolingExtension(x)
		jmp	short loc_885E5D
PopAssociateThermalRequest endp


;  S U B	R O U T	I N E 


; __stdcall PopAcquireCoolingInterface(x)
_PopAcquireCoolingInterface@4 proc near	; CODE XREF: PopAssociateThermalRequest+B0p
					; PopCoolingExtensionPnpNotification(x,x)+68p
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		push	0
		mov	eax, [esi+18h]
		movzx	eax, byte ptr [eax+30h]
		push	eax
		call	IoAllocateIrp
		mov	edi, eax
		test	edi, edi
		jz	short loc_885EDC
		mov	ecx, [edi+60h]
		push	1Ch
		pop	eax
		push	edi
		and	dword ptr [ecx-14h], 0
		mov	[ecx-1Ch], ax
		xor	eax, eax
		inc	eax
		mov	word ptr [ecx-24h], 81Bh
		mov	[ecx-1Ah], ax
		lea	eax, [esi+2Ch]
		mov	dword ptr [ecx-20h], offset _GUID_THERMAL_COOLING_INTERFACE
		mov	[ecx-18h], eax
		mov	dword ptr [edi+18h], 0C00000BBh
		push	dword ptr [esi+18h]
		call	_IoSynchronousCallDriver@8 ; IoSynchronousCallDriver(x,x)
		mov	esi, eax
		push	edi
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_885ED6:				; CODE XREF: PopAcquireCoolingInterface(x)+67j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		retn
; 

loc_885EDC:				; CODE XREF: PopAcquireCoolingInterface(x)+1Aj
		mov	esi, 0C000009Ah
		jmp	short loc_885ED6
_PopAcquireCoolingInterface@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoInitHiberServices proc near		; CODE XREF: CmCompleteRegistryInitialization+129p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00927D9A SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	offset ??_C@_1BI@BNCMKGKH@?$AA?2?$AAO?$AAS?$AAD?$AAa?$AAt?$AAa?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@ ; "\\OSDataRoot"
		push	offset _PoHiberFileRoot
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, ds:_PopHiberEnabledReg
		or	ecx, 0FFFFFFFFh
		xor	esi, esi
		mov	bl, 1
		cmp	eax, ecx
		jnz	loc_927D9A
		mov	eax, ds:_PopHiberEnabledDefaultReg
		cmp	eax, ecx
		jz	short loc_885F2C
		test	eax, eax
		setnz	al
		dec	al
		and	bl, al

loc_885F2C:				; CODE XREF: PoInitHiberServices+3Dj
					; PoInitHiberServices+A1EB8j ...
		mov	eax, ds:_PopHiberFileTypeReg
		cmp	eax, ecx
		jnz	loc_927DA9
		mov	eax, ds:_PopHiberFileTypeDefaultReg
		cmp	eax, ecx
		jnz	loc_927DA9

loc_885F46:				; CODE XREF: PoInitHiberServices+A1ECAj
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	(offset	loc_407E0E+2) ;	void *
		call	EmClientQueryRuleState
		call	_ExIsSoftBoot@0	; ExIsSoftBoot()
		test	al, al
		jnz	short loc_885F83
		lea	ecx, [ebp+var_8]
		call	_PopBcdOpen@4	; PopBcdOpen(x)
		test	eax, eax
		js	short loc_885F83
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	PopBcdEstablishResumeObject
		mov	ecx, [ebp+var_8]
		call	_PopBcdClearPendingResume@4 ; PopBcdClearPendingResume(x)
		mov	ecx, [ebp+var_8]
		call	BcdCloseStore

loc_885F83:				; CODE XREF: PoInitHiberServices+77j
					; PoInitHiberServices+83j
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	0
		push	70h
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_885FD6
		push	72626968h
		push	[ebp+var_4]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_885FD6
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		push	esi
		push	70h
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_885FD6
		mov	eax, [ebp+var_4]
		add	eax, 0FFFFFFFEh
		mov	[ebp+var_4], eax
		cmp	byte ptr [esi],	0
		jnz	loc_927DB3

loc_885FD6:				; CODE XREF: PoInitHiberServices+B3j
					; PoInitHiberServices+CBj ...
		xor	edi, edi

loc_885FD8:				; CODE XREF: PoInitHiberServices+107j
		cmp	ds:_PopHiberForceDisabledReg[edi], 0
		jnz	loc_927DD0

loc_885FE5:				; CODE XREF: PoInitHiberServices+A1F01j
		add	edi, 4
		cmp	edi, 8
		jb	short loc_885FD8
		push	2
		pop	ecx
		call	_PopAcquireTransitionLock@4 ; PopAcquireTransitionLock(x)
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		test	bl, bl
		setz	cl
		xor	dl, dl
		call	_PopEnableHiberFile@8 ;	PopEnableHiberFile(x,x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		push	2
		pop	ecx
		call	_PopReleaseTransitionLock@4 ; PopReleaseTransitionLock(x)
		mov	eax, dword_6D6FB4
		test	eax, eax
		jz	short loc_88601E
		call	eax

loc_88601E:				; CODE XREF: PoInitHiberServices+136j
		test	esi, esi
		jz	short loc_88602D
		push	72626968h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88602D:				; CODE XREF: PoInitHiberServices+13Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PoInitHiberServices endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEnableHiberFile(x, x)
_PopEnableHiberFile@8 proc near		; CODE XREF: PoInitHiberServices+11Dp
					; NtPowerInformation+171E68p ...

var_46		= byte ptr -46h
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_3E		= byte ptr -3Eh
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+58h+var_3D], dl
		lea	edi, [esp+58h+var_18]
		mov	bh, cl
		stosd
		xor	ecx, ecx
		push	6
		mov	[esp+5Ch+var_38], ecx
		mov	bl, cl
		mov	[esp+5Ch+var_34], ecx
		stosd
		mov	[esp+5Ch+var_45], cl
		mov	[esp+5Ch+var_30], ecx
		mov	[esp+5Ch+var_2C], ecx
		stosd
		mov	[esp+5Ch+var_3C], ecx
		mov	[esp+5Ch+var_20], ecx
		mov	[esp+5Ch+var_1C], ecx
		stosd
		mov	[esp+5Ch+var_44], ecx
		mov	[esp+5Ch+var_28], ecx
		mov	[esp+5Ch+var_24], ecx
		mov	[esp+5Ch+var_46], cl
		pop	ecx
		stosd
		call	PopRemoveReasonRecordByReasonCode
		push	8
		pop	ecx
		call	PopRemoveReasonRecordByReasonCode
		cmp	byte_6C2E26, bl
		jnz	short loc_8860AA
		mov	bl, 1

loc_8860AA:				; CODE XREF: PopEnableHiberFile(x,x)+74j
		push	2
		pop	ecx
		call	_PopCheckDisabledReason@8 ; PopCheckDisabledReason(x,x)
		test	al, al
		jnz	short loc_8860CE
		xor	ecx, ecx
		inc	ecx
		call	_PopCheckDisabledReason@8 ; PopCheckDisabledReason(x,x)
		test	al, al
		jnz	short loc_8860CE
		push	0Fh
		pop	ecx
		call	_PopCheckDisabledReason@8 ; PopCheckDisabledReason(x,x)
		test	al, al
		jz	short loc_8860D0

loc_8860CE:				; CODE XREF: PopEnableHiberFile(x,x)+82j
					; PopEnableHiberFile(x,x)+8Ej
		mov	bl, 1

loc_8860D0:				; CODE XREF: PopEnableHiberFile(x,x)+9Aj
		push	10h
		pop	ecx
		call	_PopCheckDisabledReason@8 ; PopCheckDisabledReason(x,x)
		test	al, al
		jz	short loc_8860E6
		mov	esi, 0C00000BBh
		jmp	loc_886487
; 

loc_8860E6:				; CODE XREF: PopEnableHiberFile(x,x)+A8j
		push	0Dh
		pop	ecx
		call	_PopCheckDisabledReason@8 ; PopCheckDisabledReason(x,x)
		test	al, al
		jz	short loc_8860F4
		mov	bl, 1

loc_8860F4:				; CODE XREF: PopEnableHiberFile(x,x)+BEj
		test	bh, bh
		jnz	loc_88619A
		xor	ebx, ebx
		mov	[esp+58h+var_46], 1
		mov	ds:_PopHiberEnabled, bl
		cmp	dword_6C24A4, ebx
		jnz	short loc_886118
		mov	esi, ebx
		jmp	loc_88647B
; 

loc_886118:				; CODE XREF: PopEnableHiberFile(x,x)+DDj
		call	_MmZeroPageFileAtShutdown@0 ; MmZeroPageFileAtShutdown()
		test	eax, eax
		jz	short loc_886132
		mov	edx, dword_6C24A4
		mov	ecx, _PopHiberInfo
		call	_PopZeroHiberFile@8 ; PopZeroHiberFile(x,x)

loc_886132:				; CODE XREF: PopEnableHiberFile(x,x)+EDj
		mov	ecx, dword_6C24A4
		mov	edx, 62486F50h
		call	ObfDereferenceObjectWithTag
		push	_PopHiberInfo
		call	_ZwClose@4	; ZwClose(x)
		push	72626968h
		push	dword_6C24B0
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	80h		; size_t
		push	ebx		; int
		push	offset _PopHiberInfo ; void *
		call	_memset
		mov	edi, dword_6C24DC
		add	esp, 0Ch
		mov	byte_6C2E28, bl
		mov	byte_6C2E36, bl
		mov	byte_6C2E32, bl
		mov	ebx, dword_6C24D8
		call	PopResetCurrentPolicies
		mov	esi, eax
		jmp	loc_886435
; 

loc_88619A:				; CODE XREF: PopEnableHiberFile(x,x)+C4j
		cmp	dword_6C24A4, 0
		jz	short loc_8861AA
		xor	esi, esi
		jmp	loc_886487
; 

loc_8861AA:				; CODE XREF: PopEnableHiberFile(x,x)+16Fj
		and	dword_6C2518, 0
		lea	ecx, [esp+58h+var_44]
		mov	dword_6C24D4, 1
		mov	dword_6C24B8, 641h
		mov	byte_6C24D1, 0
		call	_PopOpenPowerKey@4 ; PopOpenPowerKey(x)
		test	eax, eax
		js	loc_8862E2
		push	offset ??_C@_1BK@BGJMKJDB@?$AAM?$AAa?$AAx?$AAH?$AAu?$AAf?$AAf?$AAR?$AAa?$AAt?$AAi?$AAo@NNGAKEGL@
		lea	eax, [esp+5Ch+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, [esp+58h+var_44]
		lea	eax, [esp+58h+var_3C]
		push	eax
		push	14h
		lea	eax, [esp+60h+var_18]
		push	eax
		push	2
		lea	eax, [esp+68h+var_30]
		push	eax
		push	esi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_886236
		cmp	[esp+58h+var_14], 4
		jnz	short loc_886236
		cmp	[esp+58h+var_10], 4
		jnz	short loc_886236
		mov	eax, [esp+58h+var_C]
		xor	ecx, ecx
		inc	ecx
		mov	dword_6C24D4, eax
		cmp	eax, ecx
		jl	short loc_886230
		cmp	eax, 63h
		jle	short loc_886236

loc_886230:				; CODE XREF: PopEnableHiberFile(x,x)+1F7j
		mov	dword_6C24D4, ecx

loc_886236:				; CODE XREF: PopEnableHiberFile(x,x)+1D9j
					; PopEnableHiberFile(x,x)+1E0j	...
		push	offset ??_C@_1DA@DMELBCDN@?$AAH?$AAy?$AAb?$AAr?$AAi?$AAd?$AAB?$AAo?$AAo?$AAt?$AAA?$AAn?$AAi?$AAm?$AAa@NNGAKEGL@
		lea	eax, [esp+5Ch+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		lea	edi, [esp+58h+var_18]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+58h+var_3C]
		push	eax
		push	14h
		lea	eax, [esp+60h+var_18]
		push	eax
		push	2
		lea	eax, [esp+68h+var_28]
		push	eax
		push	esi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_886284
		cmp	[esp+58h+var_14], 4
		jnz	short loc_886284
		cmp	[esp+58h+var_10], 4
		jnz	short loc_886284
		mov	eax, [esp+58h+var_C]
		mov	dword_6C24B8, eax

loc_886284:				; CODE XREF: PopEnableHiberFile(x,x)+239j
					; PopEnableHiberFile(x,x)+240j	...
		push	offset ??_C@_1DC@DPPPMAFH@?$AAM?$AAu?$AAl?$AAt?$AAi?$AAP?$AAh?$AAa?$AAs?$AAe?$AAR?$AAe?$AAs?$AAu?$AAm@NNGAKEGL@
		lea	eax, [esp+5Ch+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		lea	edi, [esp+58h+var_18]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+58h+var_3C]
		push	eax
		push	14h
		lea	eax, [esp+60h+var_18]
		push	eax
		push	2
		lea	eax, [esp+68h+var_20]
		push	eax
		push	esi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8862DC
		cmp	[esp+58h+var_14], 4
		jnz	short loc_8862DC
		cmp	[esp+58h+var_10], 4
		jnz	short loc_8862DC
		cmp	[esp+58h+var_C], 1
		setz	byte_6C24D1
		or	dword_6C2518, 20h

loc_8862DC:				; CODE XREF: PopEnableHiberFile(x,x)+287j
					; PopEnableHiberFile(x,x)+28Ej	...
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_8862E2:				; CODE XREF: PopEnableHiberFile(x,x)+1A5j
		cmp	ds:_PopHiberEnabled, 0
		jnz	short loc_8862F7
		mov	ds:_PopHiberEnabled, 1
		mov	[esp+58h+var_46], 1

loc_8862F7:				; CODE XREF: PopEnableHiberFile(x,x)+2B7j
		test	bl, bl
		jz	short loc_886305
		mov	esi, 0C00000BBh
		jmp	loc_886474
; 

loc_886305:				; CODE XREF: PopEnableHiberFile(x,x)+2C7j
		mov	ecx, 13000h
		call	_MmAllocateDumpHibernateResources@4 ; MmAllocateDumpHibernateResources(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_88631F

loc_886315:				; CODE XREF: PopEnableHiberFile(x,x)+373j
		mov	esi, 0C000009Ah
		jmp	loc_886474
; 

loc_88631F:				; CODE XREF: PopEnableHiberFile(x,x)+2E1j
		lea	esi, [edi+200000h]
		test	edi, 1FFFFFh
		jz	short loc_886334
		dec	esi
		and	esi, 0FFE00000h

loc_886334:				; CODE XREF: PopEnableHiberFile(x,x)+2F9j
		mov	eax, esi
		sub	eax, edi
		cmp	eax, 0A000h
		jb	short loc_886341
		mov	esi, edi

loc_886341:				; CODE XREF: PopEnableHiberFile(x,x)+30Bj
		lea	edx, [esp+13h]
		lea	ecx, [esp+58h+var_38]
		call	_PopCalculateHiberFileSize@8 ; PopCalculateHiberFileSize(x,x)
		push	[esp+58h+var_34]
		push	[esp+5Ch+var_38]
		call	_PopCreateHiberFile@8 ;	PopCreateHiberFile(x,x)
		mov	[esp+58h+var_44], eax
		test	eax, eax
		jns	short loc_88637E
		push	4		; int
		lea	eax, [esp+5Ch+var_44]
		push	eax		; void *
		push	8
		pop	edx
		push	6
		pop	ecx
		call	PopLogSleepDisabled
		mov	esi, [esp+58h+var_44]
		jmp	loc_886421
; 

loc_88637E:				; CODE XREF: PopEnableHiberFile(x,x)+32Fj
		push	70616D48h
		mov	ebx, 138h
		mov	dword_6C24BC, edi
		push	ebx
		push	200h
		mov	dword_6C24C0, esi
		xor	edi, edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_886315
		push	ebx		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword_6C24D8, esi
		call	PopPreallocateHibernateMemory
		mov	esi, eax
		test	esi, esi
		js	loc_886474
		lea	eax, [esp+58h+var_44]
		xor	ebx, ebx
		push	eax		; int
		inc	ebx
		push	offset _EM_RULE_DISABLE_MULTI_PHASE_RESUME ; void *
		mov	[esp+60h+var_44], ebx
		call	EmClientQueryRuleState
		cmp	[esp+58h+var_44], 2
		jnz	short loc_8863F5
		or	dword_6C2518, 10h
		mov	byte_6C24D1, bl

loc_8863F5:				; CODE XREF: PopEnableHiberFile(x,x)+3B4j
		mov	al, [esp+58h+var_45]
		mov	byte_6C2E28, bl
		mov	byte_6C2E36, al
		cmp	_InitSafeBootMode, edi
		jnz	short loc_886412
		mov	byte_6C2E32, bl

loc_886412:				; CODE XREF: PopEnableHiberFile(x,x)+3D8j
		test	byte_6D6F88, bl
		jnz	short loc_88641F
		call	_PopClearHiberFileSignature@0 ;	PopClearHiberFileSignature()

loc_88641F:				; CODE XREF: PopEnableHiberFile(x,x)+3E6j
		xor	esi, esi

loc_886421:				; CODE XREF: PopEnableHiberFile(x,x)+347j
		test	edi, edi
		jz	short loc_886474
		mov	edx, 13000h
		mov	ecx, edi
		call	_MmReleaseDumpHibernateResources@8 ; MmReleaseDumpHibernateResources(x,x)
		xor	ebx, ebx
		xor	edi, edi

loc_886435:				; CODE XREF: PopEnableHiberFile(x,x)+163j
		test	edi, edi
		jz	short loc_88645E
		push	dword_6C24E0
		push	edi
		call	_MmReturnChargesToLockPagedPool@8 ; MmReturnChargesToLockPagedPool(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	3Ch		; size_t
		push	0		; int
		push	offset dword_6C24DC ; void *
		call	_memset
		add	esp, 0Ch

loc_88645E:				; CODE XREF: PopEnableHiberFile(x,x)+405j
		test	ebx, ebx
		jz	short loc_886474
		push	70616D48h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword_6C24D8, 0

loc_886474:				; CODE XREF: PopEnableHiberFile(x,x)+2CEj
					; PopEnableHiberFile(x,x)+2E8j	...
		cmp	[esp+58h+var_46], 0
		jz	short loc_886487

loc_88647B:				; CODE XREF: PopEnableHiberFile(x,x)+E1j
		cmp	[esp+58h+var_3D], 0
		jz	short loc_886487
		call	_PopSaveHibernateEnabled@0 ; PopSaveHibernateEnabled()

loc_886487:				; CODE XREF: PopEnableHiberFile(x,x)+AFj
					; PopEnableHiberFile(x,x)+173j	...
		mov	ecx, [esp+58h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PopEnableHiberFile@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopCheckDisabledReason(x, x)
_PopCheckDisabledReason@8 proc near	; CODE XREF: PopEnableHiberFile(x,x)+7Bp
					; PopEnableHiberFile(x,x)+87p ...
		mov	edi, edi
		push	ebx
		xor	bl, bl
		call	_PopGetReasonListByReasonCode@4	; PopGetReasonListByReasonCode(x)
		test	eax, eax
		jnz	short loc_8864AE

loc_8864AA:				; CODE XREF: PopCheckDisabledReason(x,x)+15j
					; PopCheckDisabledReason(x,x)+19j
		mov	al, bl
		pop	ebx
		retn
; 

loc_8864AE:				; CODE XREF: PopCheckDisabledReason(x,x)+Cj
		cmp	[eax+0Bh], bl
		jz	short loc_8864AA
		mov	bl, 1
		jmp	short loc_8864AA
_PopCheckDisabledReason@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPreallocateHibernateMemory proc near	; CODE XREF: PopEnableHiberFile(x,x)+38Ap

var_48		= dword	ptr -48h
var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00927E0F SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, dword_6BBFD0
		sub	esp, 50h
		push	ebx
		push	esi
		push	edi
		mov	edi, 19000h
		cmp	edx, 2
		jz	loc_927E02
		mov	eax, [ebp+var_48]
		mov	[ebp+var_8], eax

loc_8864DD:				; CODE XREF: PoInitHiberServices+A1F26j
		xor	ecx, ecx
		call	_MmGetHighestPhysicalPage@4 ; MmGetHighestPhysicalPage(x)
		lea	ebx, [eax+20h]
		and	ebx, 0FFFFFFE0h
		cmp	ebx, eax
		jb	loc_927E25
		mov	eax, ebx
		mov	[ebp+var_10], edi
		shr	eax, 3
		add	edi, eax
		mov	[ebp+var_14], edi
		add	edi, eax
		lea	eax, [edi+7Fh]
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_24], eax
		add	eax, 5Ch
		cmp	edx, 2
		jz	loc_927E0F
		mov	ecx, [ebp+var_34]
		mov	[ebp+var_C], ecx

loc_88651C:				; CODE XREF: PopPreallocateHibernateMemory+A195Dj
		add	eax, 7
		mov	ecx, 0FFFFF000h
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_20], eax
		add	eax, 77h
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_18], eax
		add	eax, 1037h
		and	eax, ecx
		mov	[ebp+var_1C], eax
		add	eax, 3FFFh
		and	eax, ecx
		push	72626968h
		push	eax
		push	1
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_927E25
		push	[ebp+var_4]
		push	esi
		call	_MmObtainChargesToLockPagedPool@8 ; MmObtainChargesToLockPagedPool(x,x)
		test	eax, eax
		jz	loc_927E1A
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		mov	edx, dword_6BBFD0
		mov	dword_6C24E0, eax
		lea	eax, [esi+1000h]
		mov	dword_6C24DC, esi
		mov	dword_6C24E4, esi
		mov	dword_6C24E8, eax
		cmp	edx, 2
		jz	loc_927E2F
		mov	dword_6C2510, ecx

loc_8865A5:				; CODE XREF: PopPreallocateHibernateMemory+A1981j
		mov	eax, [ebp+var_10]
		add	eax, esi
		mov	dword_6C24F4, ebx
		mov	dword_6C24F8, eax
		mov	eax, [ebp+var_14]
		add	eax, esi
		mov	dword_6C24EC, ebx
		mov	dword_6C24F0, eax
		lea	eax, [edi+esi]
		mov	dword_6C24FC, eax
		cmp	edx, 2
		jz	loc_927E3E
		mov	dword_6C2514, ecx

loc_8865DC:				; CODE XREF: PopPreallocateHibernateMemory+A1990j
		mov	eax, [ebp+var_18]
		add	eax, esi
		mov	dword_6C2500, eax
		mov	eax, [ebp+var_1C]
		add	eax, esi
		mov	dword_6C2504, eax
		mov	eax, [ebp+var_20]
		add	eax, esi
		mov	dword_6C2508, eax
		mov	eax, [ebp+var_24]
		add	eax, esi
		mov	dword_6C250C, eax

loc_886604:				; CODE XREF: PopPreallocateHibernateMemory+A1972j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn
PopPreallocateHibernateMemory endp

; 
		align 10h
; Exported entry 1451. MmObtainChargesToLockPagedPool

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmObtainChargesToLockPagedPool(x, x)
		public _MmObtainChargesToLockPagedPool@8
_MmObtainChargesToLockPagedPool@8 proc near ; CODE XREF: MiCreatePagingFileMap(x)+50Ap
					; PopPreallocateHibernateMemory+AAp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		and	ecx, 0FFFh
		add	edx, 0FFFh
		add	edx, ecx
		mov	ecx, offset _MiSystemPartition
		push	400h
		shr	edx, 0Ch
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		neg	eax
		sbb	eax, eax
		neg	eax
		pop	ebp
		retn	8
_MmObtainChargesToLockPagedPool@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCreateHiberFile(x, x)
_PopCreateHiberFile@8 proc near		; CODE XREF: PopEnableHiberFile(x,x)+324p

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_60]
		rep stosd
		push	6
		pop	ecx
		push	6
		lea	edi, [ebp+var_38]
		xor	esi, esi
		rep stosd
		pop	ecx
		push	6
		lea	edi, [ebp+var_B8]
		mov	[ebp+var_98], esi
		rep stosd
		pop	ecx
		lea	edi, [ebp+var_20]
		mov	[ebp+var_94], esi
		rep stosd
		mov	eax, [ebp+arg_0]
		mov	ebx, esi
		mov	[ebp+var_80], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_98]
		push	offset ??_C@_1BM@HAIPEBMH@?$AA?2?$AAh?$AAi?$AAb?$AAe?$AAr?$AAf?$AAi?$AAl?$AA?4?$AAs?$AAy?$AAs@NNGAKEGL@	; "\\hiberfil.sys"
		push	eax
		mov	[ebp+var_A0], esi
		mov	[ebp+var_9C], esi
		mov	[ebp+var_74], esi
		mov	[ebp+var_70], esi
		mov	[ebp+var_8C], esi
		mov	[ebp+var_64], esi
		mov	[ebp+var_6C], esi
		mov	[ebp+var_84], esi
		mov	[ebp+var_90], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		mov	word ptr [ebp+var_88], ax
		mov	eax, _PoHiberFileRoot
		add	eax, [ebp+var_98]
		mov	word ptr [ebp+var_88+2], ax
		push	72626968h
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_84], eax
		test	eax, eax
		jnz	short loc_886719
		mov	esi, 0C000009Ah
		jmp	loc_886A07
; 

loc_886719:				; CODE XREF: PopCreateHiberFile(x,x)+C7j
		push	offset _PoHiberFileRoot
		lea	eax, [ebp+var_88]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		lea	eax, [ebp+var_98]
		push	eax
		lea	eax, [ebp+var_88]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		call	_PopCreateHiberFileSecurityDescriptor@0	; PopCreateHiberFileSecurityDescriptor()
		mov	ebx, eax
		mov	[ebp+var_B8], 18h
		mov	[ebp+var_68], ebx
		lea	eax, [ebp+var_88]
		mov	[ebp+var_A8], ebx
		xor	ebx, ebx
		mov	[ebp+var_B4], esi
		mov	edi, ebx
		mov	[ebp+var_AC], 240h
		mov	[ebp+var_B0], eax
		mov	[ebp+var_A4], ebx

loc_88677D:				; CODE XREF: PopCreateHiberFile(x,x)+1FEj
		push	102h		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; void *
		push	9048h		; int
		push	3		; int
		push	ebx		; int
		push	2006h		; int
		lea	eax, [ebp+var_80]
		push	eax		; int
		lea	eax, [ebp+var_74]
		push	eax		; int
		lea	eax, [ebp+var_B8]
		push	eax		; int
		push	100003h		; int
		lea	eax, [ebp+var_64]
		push	eax		; int
		call	_IoCreateFile@56 ; IoCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8867F0
		cmp	[ebp+var_70], 2
		jnz	short loc_8867BE
		mov	bl, 1

loc_8867BE:				; CODE XREF: PopCreateHiberFile(x,x)+174j
		push	5
		push	18h
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		push	[ebp+var_64]
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_886A04
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_28], eax
		jbe	short loc_88684C
		push	[ebp+var_64]
		call	_ZwClose@4	; ZwClose(x)
		xor	ebx, ebx
		jmp	short loc_88683D
; 

loc_8867F0:				; CODE XREF: PopCreateHiberFile(x,x)+16Ej
		cmp	esi, 0C00000BAh
		jnz	loc_886885
		push	100h		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; void *
		push	201001h		; int
		push	1		; int
		push	ebx		; int
		push	ebx		; int
		lea	eax, [ebp+var_80]
		push	eax		; int
		lea	eax, [ebp+var_74]
		push	eax		; int
		lea	eax, [ebp+var_B8]
		push	eax		; int
		push	10000h		; int
		lea	eax, [ebp+var_64]
		push	eax		; int
		call	_IoCreateFile@56 ; IoCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_886A04
		push	[ebp+var_64]
		call	_ZwClose@4	; ZwClose(x)

loc_88683D:				; CODE XREF: PopCreateHiberFile(x,x)+1A8j
		inc	edi
		mov	[ebp+var_64], ebx
		cmp	edi, 3
		jb	loc_88677D
		jmp	short loc_886885
; 

loc_88684C:				; CODE XREF: PopCreateHiberFile(x,x)+19Cj
		test	bl, bl
		jnz	short loc_886881
		or	[ebp+var_10], 0FFFFFFFFh
		xor	ebx, ebx
		or	[ebp+var_C], 0FFFFFFFFh
		push	ebx
		push	ebx
		push	18h
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	98208h
		lea	eax, [ebp+var_74]
		mov	[ebp+var_18], ebx
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_64]
		mov	[ebp+var_14], ebx
		call	_ZwFsControlFile@40 ; ZwFsControlFile(x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_886883
; 

loc_886881:				; CODE XREF: PopCreateHiberFile(x,x)+208j
		xor	ebx, ebx

loc_886883:				; CODE XREF: PopCreateHiberFile(x,x)+239j
		mov	esi, ebx

loc_886885:				; CODE XREF: PopCreateHiberFile(x,x)+1B0j
					; PopCreateHiberFile(x,x)+204j
		test	esi, esi
		js	loc_886A04
		push	4
		push	28h
		lea	eax, [ebp+var_60]
		mov	[ebp+var_40], 2006h
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		push	[ebp+var_64]
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_886A04
		push	ebx
		lea	eax, [ebp+var_6C]
		push	eax
		push	62486F50h
		push	ebx
		push	ds:_IoFileObjectType
		push	3
		push	[ebp+var_64]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_886A04
		mov	eax, [ebp+var_80]
		mov	[ebp+var_A0], eax
		mov	eax, [ebp+var_7C]
		push	14h
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_A0]
		push	8
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		push	[ebp+var_64]
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		mov	esi, eax
		mov	edi, 103h
		cmp	esi, edi
		jnz	short loc_886922
		mov	eax, [ebp+var_6C]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		add	eax, 5Ch
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_74]
		mov	esi, eax
		jmp	short loc_886925
; 

loc_886922:				; CODE XREF: PopCreateHiberFile(x,x)+2C3j
		mov	eax, [ebp+var_74]

loc_886925:				; CODE XREF: PopCreateHiberFile(x,x)+2DAj
		test	esi, esi
		js	loc_886A04
		test	eax, eax
		js	loc_886A02
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	9004Fh
		lea	eax, [ebp+var_74]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_64]
		call	_ZwFsControlFile@40 ; ZwFsControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, edi
		jnz	short loc_886966
		mov	eax, [ebp+var_6C]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		add	eax, 5Ch
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [ebp+var_74]

loc_886966:				; CODE XREF: PopCreateHiberFile(x,x)+30Bj
		test	esi, esi
		js	loc_886A04
		lea	eax, [ebp+var_74]
		push	eax
		push	[ebp+var_64]
		call	_ZwFlushBuffersFile@8 ;	ZwFlushBuffersFile(x,x)
		cmp	eax, edi
		jnz	short loc_88698E
		mov	eax, [ebp+var_6C]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		add	eax, 5Ch
		push	eax
		call	KeWaitForSingleObject

loc_88698E:				; CODE XREF: PopCreateHiberFile(x,x)+336j
		mov	edx, [ebp+var_6C]
		lea	eax, [ebp+var_8C]
		mov	ecx, [ebp+var_64]
		push	eax
		lea	eax, [ebp+var_90]
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		call	PopSanityCheckHiberFile
		mov	esi, eax
		test	esi, esi
		js	short loc_886A04
		mov	edx, [ebp+var_8C]
		mov	ecx, [ebp+var_90]
		call	_PopSetHiberFileMcb@8 ;	PopSetHiberFileMcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_886A04
		mov	eax, [ebp+var_64]
		mov	ecx, [ebp+var_6C]
		mov	_PopHiberInfo, eax
		mov	eax, [ebp+var_80]
		mov	dword_6C24A8, eax
		mov	eax, [ebp+var_7C]
		push	offset _FILE_TYPE_NOTIFICATION_GUID_HIBERNATION_FILE
		mov	dword_6C24A4, ecx
		mov	dword_6C24AC, eax
		call	FsRtlIssueFileNotificationFsctl
		mov	[ebp+var_64], ebx
		mov	[ebp+var_6C], ebx
		call	PopResetCurrentPolicies
		mov	esi, ebx
		jmp	short loc_886A04
; 

loc_886A02:				; CODE XREF: PopCreateHiberFile(x,x)+2E9j
		mov	esi, eax

loc_886A04:				; CODE XREF: PopCreateHiberFile(x,x)+190j
					; PopCreateHiberFile(x,x)+1E9j	...
		mov	ebx, [ebp+var_68]

loc_886A07:				; CODE XREF: PopCreateHiberFile(x,x)+CEj
		cmp	[ebp+var_64], 0
		jz	short loc_886A15
		push	[ebp+var_64]
		call	_ZwClose@4	; ZwClose(x)

loc_886A15:				; CODE XREF: PopCreateHiberFile(x,x)+3C5j
		mov	ecx, [ebp+var_6C]
		test	ecx, ecx
		jz	short loc_886A26
		mov	edx, 62486F50h
		call	ObfDereferenceObjectWithTag

loc_886A26:				; CODE XREF: PopCreateHiberFile(x,x)+3D4j
		test	ebx, ebx
		jz	short loc_886A32
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_886A32:				; CODE XREF: PopCreateHiberFile(x,x)+3E2j
		mov	eax, [ebp+var_84]
		test	eax, eax
		jz	short loc_886A44
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_886A44:				; CODE XREF: PopCreateHiberFile(x,x)+3F4j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopCreateHiberFile@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PdcPoReportButton proc near		; DATA XREF: PopPdcRegister+3Eo

arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 00927E4D SIZE 00000089 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		test	[ebp+arg_0], 1
		mov	bl, [ebp+arg_4]
		jz	short loc_886A89
		test	bl, bl
		jz	loc_927E4D
		cmp	_PopCapabilities, 1
		jz	short loc_886A89
		mov	_PopCapabilities, 1

loc_886A84:				; CODE XREF: PdcPoReportButton+A1409j
		call	PopResetCurrentPolicies

loc_886A89:				; CODE XREF: PdcPoReportButton+12j
					; PdcPoReportButton+23j ...
		test	[ebp+arg_0], 2
		jnz	loc_927E66

loc_886A93:				; CODE XREF: PdcPoReportButton+A1419j
					; PdcPoReportButton+A142Fj ...
		test	[ebp+arg_0], 4
		jnz	loc_927E9E

loc_886A9D:				; CODE XREF: PdcPoReportButton+A1451j
					; PdcPoReportButton+A1467j ...
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		pop	ebx
		pop	ebp
		retn	8
PdcPoReportButton endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopAdaptivePowerSettingCallback(void *,int,int,int)
PopAdaptivePowerSettingCallback	proc near
					; CODE XREF: PopVideoPowerSettingCallback(x,x,x,x)+79p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00927ED6 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	[ebp+arg_8], 4
		push	ebx
		push	esi
		push	edi
		jnz	loc_927EFE
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	loc_927EFE
		mov	al, _PopConsoleSession
		xor	edi, edi
		test	al, al
		setnz	bl
		mov	cl, bl
		xor	cl, 1
		call	PopAcquireAdaptiveLock
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_NON_ADAPTIVE_INPUT_TIMEOUT	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_886B2A
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_VIDEO_POWERDOWN_TIMEOUT ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_886B55
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_VIDEO_CONSOLE_LOCK_TIMEOUT	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_886B65
		mov	eax, [esi]
		mov	_PopAdaptiveLockConsoleTimeout,	eax
		jmp	short loc_886B39
; 

loc_886B2A:				; CODE XREF: PopAdaptivePowerSettingCallback+4Bj
		mov	eax, [esi]
		mov	_PopInputTimeout, eax
		test	bl, bl
		jnz	loc_927ED6

loc_886B39:				; CODE XREF: PopAdaptivePowerSettingCallback+80j
					; PopAdaptivePowerSettingCallback+B4j ...
		sub	esp, 10h
		call	PopDiagTracePolicyChange
		test	bl, bl
		jnz	short loc_886B5E

loc_886B45:				; CODE XREF: PopAdaptivePowerSettingCallback+BBj
					; PopAdaptivePowerSettingCallback+C2j
		call	PopReleaseAdaptiveLock

loc_886B4A:				; CODE XREF: PopAdaptivePowerSettingCallback+A145Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_886B55:				; CODE XREF: PopAdaptivePowerSettingCallback+61j
		mov	eax, [esi]
		mov	_PopDisplayTimeout, eax
		jmp	short loc_886B39
; 

loc_886B5E:				; CODE XREF: PopAdaptivePowerSettingCallback+9Bj
		call	_PopCheckConsoleTimeouts@0 ; PopCheckConsoleTimeouts()
		jmp	short loc_886B45
; 

loc_886B65:				; CODE XREF: PopAdaptivePowerSettingCallback+77j
		mov	edi, 0C000000Dh
		jmp	short loc_886B45
PopAdaptivePowerSettingCallback	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTracePolicyChange proc near	; CODE XREF: PopAdaptivePowerSettingCallback+94p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00927F08 SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, _PopAdaptiveLockConsoleTimeout
		mov	[ebp+var_7C], eax
		mov	eax, _PopInputTimeout
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_78], eax
		mov	[ebp+var_74], eax
		mov	eax, _PopDisplayTimeout
		mov	[ebp+var_68], ebx
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], eax
		cmp	_PopDiagHandleRegistered, bl
		jz	short loc_886BCE
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	(offset	loc_407E2F+1)
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_927F08

loc_886BCC:				; CODE XREF: PopDiagTracePolicyChange+A140Cj
		pop	edi
		pop	esi

loc_886BCE:				; CODE XREF: PopDiagTracePolicyChange+3Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
PopDiagTracePolicyChange endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopHardDiskPowerSettingCallback(void *,int,int,int)
PopHardDiskPowerSettingCallback	proc near

var_E8		= dword	ptr -0E8h
var_14		= dword	ptr -14h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00927F7D SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0ECh
		push	ebx
		push	esi
		push	edi
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_DISK_POWERDOWN_TIMEOUT ; "8gBJj@iun"
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_886C7B
		cmp	[ebp+arg_8], 4
		jnz	loc_886CA7
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	loc_886CA7
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	esi, _PopPolicy
		lea	edi, [esp+0F8h+var_E8]
		mov	eax, [ebx]
		xor	dl, dl
		push	3Ah
		pop	ecx
		rep movsd
		mov	[esp+0F8h+var_14], eax
		mov	cl, 1
		push	0E8h
		lea	eax, [esp+0FCh+var_E8]
		push	eax
		call	PopApplyPolicy
		mov	esi, eax
		imul	eax, [ebx], 3E8h
		test	eax, eax
		jnz	short loc_886C59
		or	eax, 0FFFFFFFFh

loc_886C59:				; CODE XREF: PopHardDiskPowerSettingCallback+76j
		cmp	eax, _PopDiskIdleTimeout
		jnz	loc_927F7D

loc_886C65:				; CODE XREF: PopHardDiskPowerSettingCallback+A13A9j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		test	esi, esi
		js	short loc_886C70

loc_886C6E:				; CODE XREF: PopHardDiskPowerSettingCallback+C7j
		xor	esi, esi

loc_886C70:				; CODE XREF: PopHardDiskPowerSettingCallback+8Ej
					; PopHardDiskPowerSettingCallback+CEj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_886C7B:				; CODE XREF: PopHardDiskPowerSettingCallback+25j
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_DISK_BURST_IGNORE_THRESHOLD ; void	*
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_886CA7
		cmp	[ebp+arg_8], 4
		jnz	short loc_886CA7
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_886CA7
		mov	eax, [eax]
		mov	dword_6C2D24, eax
		jmp	short loc_886C6E
; 

loc_886CA7:				; CODE XREF: PopHardDiskPowerSettingCallback+2Bj
					; PopHardDiskPowerSettingCallback+36j ...
		mov	esi, 0C000000Dh
		jmp	short loc_886C70
PopHardDiskPowerSettingCallback	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopConsoleLockPowerSettingCallback(void	*,int,int,int)
_PopConsoleLockPowerSettingCallback@16 proc near

var_E8		= dword	ptr -0E8h
var_98		= dword	ptr -98h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0E8h
		push	esi
		push	edi
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	esi, _PopPolicy
		lea	edi, [esp+0F0h+var_E8]
		push	3Ah
		pop	ecx
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		rep movsd
		push	(offset	loc_407E6F+1) ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_886D1F
		cmp	[ebp+arg_8], 4
		jnz	short loc_886D1F
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_886D1F
		mov	eax, [eax]
		xor	dl, dl
		mov	[esp+0F0h+var_98], eax
		mov	cl, 1
		push	0E8h
		lea	eax, [esp+0F4h+var_E8]
		push	eax
		call	PopApplyPolicy
		mov	esi, eax

loc_886D10:				; CODE XREF: PopConsoleLockPowerSettingCallback(x,x,x,x)+76j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_886D1F:				; CODE XREF: PopConsoleLockPowerSettingCallback(x,x,x,x)+38j
					; PopConsoleLockPowerSettingCallback(x,x,x,x)+3Ej ...
		mov	esi, 0C000000Dh
		jmp	short loc_886D10
_PopConsoleLockPowerSettingCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopSleepPowerSettingCallback(void *,int,int,int)
PopSleepPowerSettingCallback proc near

var_E8		= dword	ptr -0E8h
var_B8		= dword	ptr -0B8h
var_AC		= dword	ptr -0ACh
var_90		= dword	ptr -90h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00927F8C SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0ECh
		push	ebx
		push	esi
		push	edi
		mov	ebx, 0C000000Dh
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	esi, _PopPolicy
		lea	edi, [esp+0F8h+var_E8]
		push	3Ah
		pop	ecx
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		rep movsd
		push	offset _GUID_STANDBY_TIMEOUT ; void *
		call	_memcmp
		mov	esi, [ebp+arg_4]
		add	esp, 0Ch
		test	eax, eax
		jz	loc_886E04

loc_886D6D:				; CODE XREF: PopSleepPowerSettingCallback+E2j
					; PopSleepPowerSettingCallback+EAj
		mov	edi, [esp+0F8h+var_AC]

loc_886D71:				; CODE XREF: PopSleepPowerSettingCallback+10Dj
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	(offset	loc_405617+1) ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_886E38

loc_886D8B:				; CODE XREF: PopSleepPowerSettingCallback+116j
					; PopSleepPowerSettingCallback+11Ej ...
		test	ebx, ebx
		jns	short loc_886DED

loc_886D8F:				; CODE XREF: PopSleepPowerSettingCallback+DCj
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_HIBERNATE_FASTS4_POLICY ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_886E63

loc_886DA9:				; CODE XREF: PopSleepPowerSettingCallback+141j
					; PopSleepPowerSettingCallback+149j ...
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	(offset	loc_407E8F+1) ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_886E86

loc_886DC3:				; CODE XREF: PopSleepPowerSettingCallback+164j
					; PopSleepPowerSettingCallback+16Cj ...
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_UNATTEND_SLEEP_TIMEOUT ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_886EA9

loc_886DDD:				; CODE XREF: PopSleepPowerSettingCallback+187j
					; PopSleepPowerSettingCallback+18Fj ...
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_886DED:				; CODE XREF: PopSleepPowerSettingCallback+67j
		push	0E8h
		lea	eax, [esp+0FCh+var_E8]
		xor	dl, dl
		push	eax
		mov	cl, 1
		call	PopApplyPolicy
		mov	ebx, eax
		jmp	short loc_886D8F
; 

loc_886E04:				; CODE XREF: PopSleepPowerSettingCallback+41j
		cmp	[ebp+arg_8], 4
		jnz	loc_886D6D
		test	esi, esi
		jz	loc_886D6D
		cmp	byte ptr word_6C2E24+1,	0
		mov	edi, [esi]
		mov	[esp+0F8h+var_AC], edi
		jz	loc_927F8C

loc_886E29:				; CODE XREF: PopSleepPowerSettingCallback+A126Dj
					; PopSleepPowerSettingCallback+A127Aj
		mov	[esp+0F8h+var_B8], 2

loc_886E31:				; CODE XREF: PopSleepPowerSettingCallback+A1280j
		xor	ebx, ebx
		jmp	loc_886D71
; 

loc_886E38:				; CODE XREF: PopSleepPowerSettingCallback+5Fj
		cmp	[ebp+arg_8], 4
		jnz	loc_886D8B
		test	esi, esi
		jz	loc_886D8B
		mov	eax, [esi]
		mov	[esp+0F8h+var_90], eax
		test	edi, edi
		jnz	short loc_886E5C
		test	eax, eax
		jnz	loc_927FAB

loc_886E5C:				; CODE XREF: PopSleepPowerSettingCallback+12Cj
					; PopSleepPowerSettingCallback+A128Cj ...
		xor	ebx, ebx
		jmp	loc_886D8B
; 

loc_886E63:				; CODE XREF: PopSleepPowerSettingCallback+7Dj
		cmp	[ebp+arg_8], 4
		jnz	loc_886DA9
		test	esi, esi
		jz	loc_886DA9
		cmp	dword ptr [esi], 0
		setz	byte_6C2D1C
		xor	ebx, ebx
		jmp	loc_886DA9
; 

loc_886E86:				; CODE XREF: PopSleepPowerSettingCallback+97j
		cmp	[ebp+arg_8], 4
		jnz	loc_886DC3
		test	esi, esi
		jz	loc_886DC3
		cmp	dword ptr [esi], 0
		setz	byte_6C2D1D
		xor	ebx, ebx
		jmp	loc_886DC3
; 

loc_886EA9:				; CODE XREF: PopSleepPowerSettingCallback+B1j
		cmp	[ebp+arg_8], 4
		jnz	loc_886DDD
		test	esi, esi
		jz	loc_886DDD
		mov	eax, [esi]
		push	3
		pop	ecx
		mov	dword_6C2D20, eax
		call	PopInitSIdle
		xor	ebx, ebx
		jmp	loc_886DDD
PopSleepPowerSettingCallback endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopChangeCapability(x, x)
_PopChangeCapability@8 proc near	; CODE XREF: NtPowerInformation+1195p
		cmp	[ecx], dl
		jz	short locret_886EDD
		mov	[ecx], dl
		jmp	PopResetCurrentPolicies
; 

locret_886EDD:				; CODE XREF: PopChangeCapability(x,x)+2j
		retn
_PopChangeCapability@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopPowerButtonSettingCallback(void *,int,int,int)
PopPowerButtonSettingCallback proc near

var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E0		= dword	ptr -0E0h
var_D4		= dword	ptr -0D4h
var_C8		= dword	ptr -0C8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00927FD2 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0F4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0F4h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	esi, _PopPolicy
		lea	edi, [esp+100h+var_F0]
		push	3Ah
		pop	ecx
		push	10h
		rep movsd
		mov	esi, [ebp+arg_0]
		pop	edi
		push	edi		; size_t
		push	esi		; void *
		push	(offset	loc_407EAF+1) ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_886F85
		push	edi		; size_t
		push	esi		; void *
		push	offset _GUID_SLEEPBUTTON_ACTION	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_886FE3
		push	edi		; size_t
		push	esi		; void *
		push	offset _GUID_LIDCLOSE_ACTION ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_886FE9
		push	edi		; size_t
		push	esi		; void *
		push	(offset	loc_407F03+1) ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_886FB0
		cmp	[ebp+arg_8], 4
		jnz	short loc_886FB0
		test	ebx, ebx
		jz	short loc_886FB0
		mov	eax, [ebx]
		cmp	eax, 7
		ja	short loc_886FB0
		mov	[esp+100h+var_C8], eax
		jmp	short loc_886FB0
; 

loc_886F85:				; CODE XREF: PopPowerButtonSettingCallback+4Dj
		lea	ecx, [esp+100h+var_EC]

loc_886F89:				; CODE XREF: PopPowerButtonSettingCallback+109j
					; PopPowerButtonSettingCallback+10Fj
		cmp	[ebp+arg_8], 4
		jnz	loc_927FE4
		test	ebx, ebx
		jz	loc_927FE4
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_886FA6
		cmp	eax, 2
		jnz	short loc_886FEF

loc_886FA6:				; CODE XREF: PopPowerButtonSettingCallback+C1j
					; PopPowerButtonSettingCallback+114j ...
		and	dword ptr [ecx+4], 0
		and	dword ptr [ecx+8], 0
		mov	[ecx], eax

loc_886FB0:				; CODE XREF: PopPowerButtonSettingCallback+8Ej
					; PopPowerButtonSettingCallback+94j ...
		push	0E8h
		lea	eax, [esp+104h+var_F0]
		xor	dl, dl
		push	eax
		mov	cl, 1
		call	PopApplyPolicy
		mov	esi, eax

loc_886FC5:				; CODE XREF: PopPowerButtonSettingCallback+A110Bj
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	ecx, [esp+100h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_886FE3:				; CODE XREF: PopPowerButtonSettingCallback+60j
		lea	ecx, [esp+100h+var_E0]
		jmp	short loc_886F89
; 

loc_886FE9:				; CODE XREF: PopPowerButtonSettingCallback+77j
		lea	ecx, [esp+100h+var_D4]
		jmp	short loc_886F89
; 

loc_886FEF:				; CODE XREF: PopPowerButtonSettingCallback+C6j
		cmp	eax, 6
		jz	short loc_886FA6
		jmp	loc_927FD2
PopPowerButtonSettingCallback endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBatteryAlarmPowerSettingCallback(x, x, x, x)
_PopBatteryAlarmPowerSettingCallback@16	proc near
					; DATA XREF: PopInitializePowerSettingCallbacks()+2Fo

arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	edx, [ebp+arg_C]
		xor	cl, cl
		call	PopBatteryUpdateAlarms
		mov	esi, eax
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
_PopBatteryAlarmPowerSettingCallback@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopBatteryUpdateAlarms proc near	; CODE XREF: PopBatteryAlarmPowerSettingCallback(x,x,x,x)+10p
					; PopBatteryApplyCompositeState+A033Ep

var_FE		= byte ptr -0FEh
var_FD		= byte ptr -0FDh
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00927FEE SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 104h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+104h+var_4], eax
		and	[esp+104h+var_F8], 0
		mov	al, cl
		and	[esp+104h+var_FC], 0
		mov	[esp+104h+var_FD], al
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, _PopPolicy
		push	edi
		lea	edi, [esp+110h+var_F0]
		push	3Ah
		pop	ecx
		rep movsd
		mov	ecx, dword_6C2D0C
		mov	[esp+110h+var_F4], ecx
		test	al, al
		jnz	loc_927FEE
		lea	edi, [ebx+1]

loc_887073:				; CODE XREF: PopBatteryUpdateAlarms+A0FD5j
		cmp	ebx, edi
		jnb	loc_887120
		imul	eax, ebx, 18h
		lea	esi, [esp+110h+var_8C]
		add	esi, eax

loc_887087:				; CODE XREF: PopBatteryUpdateAlarms+F8j
		lea	eax, [esp+110h+var_F8]
		push	eax		; int
		push	ecx		; int
		lea	eax, [esp+118h+var_FC]
		push	eax		; void *
		push	ecx		; int
		mov	ecx, ds:_GUIDS_BATTERY_DISCHARGE_ACTION[ebx*4]
		call	_PopGetPowerSettingValue@24 ; PopGetPowerSettingValue(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8870B7
		mov	eax, [esp+110h+var_FC]
		cmp	eax, 6
		ja	short loc_8870B7
		test	eax, eax
		mov	[esi+4], eax
		setnz	al
		mov	[esi-4], al

loc_8870B7:				; CODE XREF: PopBatteryUpdateAlarms+83j
					; PopBatteryUpdateAlarms+8Cj
		lea	eax, [esp+110h+var_F8]
		push	eax		; int
		push	ecx		; int
		mov	ecx, ds:_GUIDS_BATTERY_DISCHARGE_LEVEL[ebx*4]
		lea	eax, [esp+118h+var_FC]
		push	eax		; void *
		push	[esp+11Ch+var_F4] ; int
		call	_PopGetPowerSettingValue@24 ; PopGetPowerSettingValue(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8870E3
		mov	eax, [esp+110h+var_FC]
		push	64h
		pop	ecx
		cmp	eax, ecx
		ja	short loc_887148
		mov	[esi], eax

loc_8870E3:				; CODE XREF: PopBatteryUpdateAlarms+B6j
					; PopBatteryUpdateAlarms+12Cj
		lea	eax, [esp+110h+var_F8]
		push	eax		; int
		push	ecx		; int
		mov	ecx, ds:_GUIDS_BATTERY_DISCHARGE_FLAGS[ebx*4]
		lea	eax, [esp+118h+var_FC]
		push	eax		; void *
		push	[esp+11Ch+var_F4] ; int
		call	_PopGetPowerSettingValue@24 ; PopGetPowerSettingValue(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_88710C
		mov	eax, [esp+110h+var_FC]
		and	eax, 7
		mov	[esi+0Ch], eax

loc_88710C:				; CODE XREF: PopBatteryUpdateAlarms+E2j
		mov	ecx, [esp+110h+var_F4]
		inc	ebx
		add	esi, 18h
		cmp	ebx, edi
		jb	loc_887087
		mov	al, [esp+110h+var_FD]

loc_887120:				; CODE XREF: PopBatteryUpdateAlarms+57j
		lea	ecx, [esp+110h+var_F0]
		mov	dl, al
		push	0E8h
		push	ecx
		mov	cl, 1
		call	PopApplyPolicy
		mov	ecx, [esp+110h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_887148:				; CODE XREF: PopBatteryUpdateAlarms+C1j
		mov	[esi], ecx
		jmp	short loc_8870E3
PopBatteryUpdateAlarms endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopResetCurrentPolicies	proc near	; CODE XREF: PopThermalZoneAdd+E9p
					; PopEnableHiberFile(x,x)+15Cp	...

var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_F4		= dword	ptr -0F4h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00927FF8 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 114h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+114h+var_4], eax
		push	esi
		xor	eax, eax
		mov	esi, 0F8h
		push	esi		; size_t
		push	eax		; int
		mov	[esp+120h+var_10C], eax
		mov	[esp+120h+var_108], eax
		mov	[esp+120h+var_104], eax
		mov	[esp+120h+var_110], eax
		lea	eax, [esp+120h+var_100]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esp+118h+var_10C]
		call	_PopOpenPowerKey@4 ; PopOpenPowerKey(x)
		test	eax, eax
		js	short loc_8871F5
		push	(offset	loc_407EBE+2)
		lea	eax, [esp+11Ch+var_108]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+118h+var_110]
		push	eax
		push	esi
		lea	eax, [esp+120h+var_100]
		push	eax
		push	2
		lea	eax, [esp+128h+var_108]
		push	eax
		push	[esp+12Ch+var_10C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_927FF8
		mov	eax, [esp+118h+var_110]
		add	eax, 0FFFFFFF4h

loc_8871D7:				; CODE XREF: PopResetCurrentPolicies+A0EBAj
		push	eax
		mov	[esp+11Ch+var_110], eax
		xor	dl, dl
		lea	eax, [esp+11Ch+var_F4]
		xor	cl, cl
		push	eax
		call	PopApplyPolicy
		push	[esp+118h+var_10C]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi

loc_8871F5:				; CODE XREF: PopResetCurrentPolicies+4Ej
		mov	ecx, [esp+118h+var_4]
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
PopResetCurrentPolicies	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopApplyPolicy	proc near		; CODE XREF: PopVideoPowerSettingCallback(x,x,x,x)+64p
					; PopHardDiskPowerSettingCallback+67p ...

var_1EC		= byte ptr -1ECh
var_1EB		= byte ptr -1EBh
var_1EA		= byte ptr -1EAh
var_1E9		= byte ptr -1E9h
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_178		= dword	ptr -178h
var_F0		= dword	ptr -0F0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092800B SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1ECh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1ECh+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esp+1F4h+var_1D8]
		push	edi
		mov	edi, 0E8h
		mov	[esp+1F8h+var_1E9], dl
		push	edi		; size_t
		xor	ebx, ebx
		mov	[esp+1FCh+var_1EA], cl
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+1F8h+var_1E0], ebx
		mov	[esp+1F8h+var_1DC], ebx
		mov	[esp+1F8h+var_1E8], ebx
		cmp	[ebp+arg_4], edi
		jb	loc_92800B
		ja	loc_928015
		push	3Ah
		pop	ecx
		lea	edi, [esp+1F8h+var_F0]
		rep movsd
		lea	edx, [esp+1F8h+var_1D8]
		lea	ecx, [esp+1F8h+var_F0]
		call	PopVerifySystemPowerPolicy
		mov	ebx, eax
		test	ebx, ebx
		js	loc_887363
		mov	esi, _PopPolicy
		lea	eax, [esp+1F8h+var_1D8]
		push	0E8h		; size_t
		push	esi		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_8872B0
		cmp	[esp+1F8h+var_1EA], al
		jz	loc_88737A

loc_8872B0:				; CODE XREF: PopApplyPolicy+9Cj
		lea	eax, [esi+60h]
		mov	[esp+1F8h+var_1EB], 0
		lea	esi, [esp+1F8h+var_178]
		xor	edi, edi
		mov	ecx, esi
		sub	eax, ecx
		mov	[esp+1F8h+var_1E4], eax

loc_8872C9:				; CODE XREF: PopApplyPolicy+E2j
		push	18h		; size_t
		add	eax, esi
		push	eax		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_88737E
		mov	eax, [esp+1F8h+var_1E4]
		inc	edi
		add	esi, 18h
		cmp	edi, 4
		jb	short loc_8872C9

loc_8872EC:				; CODE XREF: PopApplyPolicy+17Bj
		mov	edi, _PopPolicy
		lea	esi, [esp+1F8h+var_1D8]
		push	3Ah
		pop	ecx
		rep movsd
		push	2
		pop	ecx
		call	_PopSetNotificationWork@4 ; PopSetNotificationWork(x)
		cmp	[esp+1F8h+var_1EB], 0
		jnz	short loc_887388

loc_88730A:				; CODE XREF: PopApplyPolicy+185j
					; PopApplyPolicy+192j
		push	3
		pop	ecx
		call	PopInitSIdle
		cmp	[esp+1F8h+var_1EA], 0
		jz	short loc_887361
		lea	ecx, [esp+1F8h+var_1E8]
		call	_PopOpenPowerKey@4 ; PopOpenPowerKey(x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_887361
		push	(offset	loc_407EBE+2)
		lea	eax, [esp+1FCh+var_1E0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	0E8h
		lea	eax, [esp+1FCh+var_F0]
		push	eax
		push	3
		push	0
		lea	eax, [esp+208h+var_1E0]
		push	eax
		push	[esp+20Ch+var_1E8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[esp+1F8h+var_1E8]
		mov	ebx, eax
		call	_ZwClose@4	; ZwClose(x)

loc_887361:				; CODE XREF: PopApplyPolicy+10Fj
					; PopApplyPolicy+11Ej
		mov	eax, ebx

loc_887363:				; CODE XREF: PopApplyPolicy+7Bj
					; PopApplyPolicy+174j ...
		mov	ecx, [esp+1F8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_88737A:				; CODE XREF: PopApplyPolicy+A2j
		xor	eax, eax
		jmp	short loc_887363
; 

loc_88737E:				; CODE XREF: PopApplyPolicy+D1j
		mov	[esp+1F8h+var_1EB], 1
		jmp	loc_8872EC
; 

loc_887388:				; CODE XREF: PopApplyPolicy+100j
		cmp	[esp+1F8h+var_1E9], 0
		jnz	loc_88730A
		mov	cl, 83h
		call	_PopResetCBTriggers@4 ;	PopResetCBTriggers(x)
		jmp	loc_88730A
PopApplyPolicy	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopVerifySystemPowerPolicy proc	near	; CODE XREF: PopApplyPolicy+72p
					; NtPowerInformation+171CFAp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092801F SIZE 00000109 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		push	3Ah
		pop	ecx
		mov	edi, ebx
		mov	[ebp+var_8], ebx
		rep movsd
		cmp	dword ptr [ebx], 1
		jnz	loc_92801F
		cmp	byte ptr word_6C2E24+1,	0
		push	4
		pop	edx
		push	2
		pop	ecx
		jz	loc_928029
		mov	[ebx+48h], edx

loc_8873D8:				; CODE XREF: PopVerifySystemPowerPolicy+A0C99j
					; PopVerifySystemPowerPolicy+A0CA5j ...
		lea	edi, [ebx+44h]
		mov	eax, [edi]
		cmp	eax, ecx
		jl	loc_928053

loc_8873E5:				; CODE XREF: PopVerifySystemPowerPolicy+A0CB7j
		cmp	eax, edx
		jg	loc_92805C

loc_8873ED:				; CODE XREF: PopVerifySystemPowerPolicy+A0CC0j
		lea	esi, [ebx+48h]
		mov	ecx, [esi]
		cmp	ecx, 2
		jl	loc_928065

loc_8873FB:				; CODE XREF: PopVerifySystemPowerPolicy+A0CCAj
		cmp	ecx, edx
		jg	loc_92806F

loc_887403:				; CODE XREF: PopVerifySystemPowerPolicy+A0CD3j
		cmp	ecx, eax
		jl	loc_928078

loc_88740B:				; CODE XREF: PopVerifySystemPowerPolicy+A0CDCj
		mov	edx, _PopAdminPolicy
		cmp	eax, edx
		jl	loc_928081

loc_887419:				; CODE XREF: PopVerifySystemPowerPolicy+A0CE3j
		mov	eax, dword_6C2D84
		cmp	ecx, eax
		jg	loc_928088

loc_887426:				; CODE XREF: PopVerifySystemPowerPolicy+A0CEAj
		mov	eax, [ebx+0C0h]
		mov	ecx, dword_6C2D88
		cmp	eax, ecx
		jb	loc_92808F

loc_88743A:				; CODE XREF: PopVerifySystemPowerPolicy+A0CF7j
		mov	ecx, dword_6C2D8C
		cmp	eax, ecx
		ja	loc_92809C

loc_887448:				; CODE XREF: PopVerifySystemPowerPolicy+A0D02j
		mov	eax, [ebx+0D4h]
		mov	ecx, dword_6C2D90
		cmp	eax, ecx
		jb	loc_9280A7

loc_88745C:				; CODE XREF: PopVerifySystemPowerPolicy+A0D0Fj
		mov	ecx, dword_6C2D94
		cmp	eax, ecx
		ja	loc_9280B4

loc_88746A:				; CODE XREF: PopVerifySystemPowerPolicy+A0D1Aj
		lea	ecx, [ebx+4]
		call	PopVerifyPowerActionPolicy
		lea	ecx, [ebx+10h]
		call	PopVerifyPowerActionPolicy
		lea	ecx, [ebx+1Ch]
		call	PopVerifyPowerActionPolicy
		lea	ecx, [ebx+30h]
		call	PopVerifyPowerActionPolicy
		xor	edx, edx
		lea	ecx, [ebx+28h]
		inc	edx
		call	PopVerifySystemPowerState
		mov	ecx, edi
		call	PopVerifySystemPowerState
		mov	ecx, esi
		call	PopVerifySystemPowerState
		lea	ecx, [ebx+4Ch]
		call	PopVerifySystemPowerState
		and	[ebp+var_4], 0
		lea	edi, [ebx+68h]
		mov	ebx, [ebp+var_4]

loc_8874B5:				; CODE XREF: PopVerifySystemPowerPolicy+167j
		mov	esi, [edi]
		mov	ecx, edi
		call	PopVerifyPowerActionPolicy
		cmp	esi, 3
		jz	loc_88755F

loc_8874C7:				; CODE XREF: PopVerifySystemPowerPolicy+1C2j
					; PopVerifySystemPowerPolicy+1D5j
		lea	esi, [edi+0Ch]
		xor	edx, edx
		inc	edx
		mov	ecx, esi
		call	PopVerifySystemPowerState
		cmp	dword ptr [edi], 2
		jz	loc_9280BF

loc_8874DD:				; CODE XREF: PopVerifySystemPowerPolicy+A0D22j
					; PopVerifySystemPowerPolicy+A0D38j
		cmp	ebx, 1
		jb	short loc_8874F4
		cmp	dword ptr [edi], 6
		mov	eax, [edi+4]
		jz	loc_9280DD
		and	eax, 0FFFFFFEFh

loc_8874F1:				; CODE XREF: PopVerifySystemPowerPolicy+A0D40j
		mov	[edi+4], eax

loc_8874F4:				; CODE XREF: PopVerifySystemPowerPolicy+140j
		push	64h
		pop	eax
		cmp	[edi-4], eax
		ja	loc_9280E5

loc_887500:				; CODE XREF: PopVerifySystemPowerPolicy+A0D48j
		inc	ebx
		add	edi, 18h
		cmp	ebx, 4
		jb	short loc_8874B5
		mov	ebx, [ebp+var_8]
		lea	ecx, [ebx+0DCh]
		call	PopVerifyPowerActionPolicy
		cmp	dword ptr [ebx+5Ch], 0
		jz	short loc_88757A

loc_88751D:				; CODE XREF: PopVerifySystemPowerPolicy+1E1j
		mov	eax, [ebx+58h]
		test	eax, eax
		jnz	loc_9280ED

loc_887528:				; CODE XREF: PopVerifySystemPowerPolicy+A0D54j
					; PopVerifySystemPowerPolicy+A0D60j
		mov	ecx, [ebx+3Ch]
		mov	edx, ecx
		push	3Ch
		pop	esi
		test	ecx, ecx
		jnz	loc_928105

loc_887538:				; CODE XREF: PopVerifySystemPowerPolicy+A0D67j
					; PopVerifySystemPowerPolicy+A0D72j
		test	eax, eax
		jnz	short loc_887583

loc_88753C:				; CODE XREF: PopVerifySystemPowerPolicy+1E5j
					; PopVerifySystemPowerPolicy+1EAj
		mov	al, [ebx+40h]
		cmp	al, 5Ah
		ja	short loc_88758C

loc_887543:				; CODE XREF: PopVerifySystemPowerPolicy+1F2j
		test	edx, edx
		jnz	loc_928117

loc_88754B:				; CODE XREF: PopVerifySystemPowerPolicy+A0D79j
					; PopVerifySystemPowerPolicy+A0D83j
		mov	eax, [ebx+44h]
		cmp	[ebx+48h], eax
		jl	short loc_887594

loc_887553:				; CODE XREF: PopVerifySystemPowerPolicy+1F7j
		cmp	[ebx+4Ch], eax
		jg	short loc_887599

loc_887558:				; CODE XREF: PopVerifySystemPowerPolicy+1FCj
		xor	eax, eax

loc_88755A:				; CODE XREF: PopVerifySystemPowerPolicy+A0C84j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_88755F:				; CODE XREF: PopVerifySystemPowerPolicy+121j
		cmp	dword ptr [edi], 3
		jge	loc_8874C7
		mov	ecx, edi
		mov	dword ptr [edi], 6
		call	PopVerifyPowerActionPolicy
		jmp	loc_8874C7
; 

loc_88757A:				; CODE XREF: PopVerifySystemPowerPolicy+17Bj
		mov	dword ptr [ebx+5Ch], 1
		jmp	short loc_88751D
; 

loc_887583:				; CODE XREF: PopVerifySystemPowerPolicy+19Aj
		cmp	eax, esi
		jnb	short loc_88753C
		mov	[ebx+58h], esi
		jmp	short loc_88753C
; 

loc_88758C:				; CODE XREF: PopVerifySystemPowerPolicy+1A1j
		mov	byte ptr [ebx+40h], 5Ah
		mov	al, 5Ah
		jmp	short loc_887543
; 

loc_887594:				; CODE XREF: PopVerifySystemPowerPolicy+1B1j
		mov	[ebx+48h], eax
		jmp	short loc_887553
; 

loc_887599:				; CODE XREF: PopVerifySystemPowerPolicy+1B6j
		mov	[ebx+4Ch], eax
		jmp	short loc_887558
PopVerifySystemPowerPolicy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopResetCBTriggers(x)
_PopResetCBTriggers@4 proc near		; CODE XREF: PopBatteryWorker+38Dp
					; PopApplyPolicy+18Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		xor	eax, eax
		movzx	esi, cl
		mov	[ebp+var_4], eax
		not	esi

loc_8875AF:				; CODE XREF: PopResetCBTriggers(x)+32j
		shl	eax, 4
		lea	ecx, [ebp+var_4]
		and	dword_6C25F4[eax], esi
		lea	edx, dword_6C25F0[eax]
		call	PopDiagTraceBatteryTriggerFlags
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, 4
		jb	short loc_8875AF
		pop	esi
		leave
		retn
_PopResetCBTriggers@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCreateHiberFileSecurityDescriptor()
_PopCreateHiberFileSecurityDescriptor@0	proc near ; CODE XREF: PopCreateHiberFile(x,x)+F7p

var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	72626968h
		xor	eax, eax
		mov	[ebp+var_8], 100h
		push	0Ch
		push	1
		mov	esi, eax
		mov	[ebp+var_C], eax
		mov	edi, eax
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8876F5
		push	1
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_8876E1
		push	edi
		push	ebx
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		and	[eax], esi
		lea	eax, [ebp+var_4]
		push	eax
		movzx	eax, byte ptr [ebx+1]
		push	8
		pop	edx
		lea	ecx, ds:10h[eax*4]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_8876E1
		push	72626968h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8876E1
		push	2		; int
		push	[ebp+var_4]	; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		test	eax, eax
		js	short loc_8876E1
		push	esi
		push	ebx
		push	10000h
		push	esi
		push	2
		pop	edx
		mov	ecx, edi
		call	RtlpAddKnownAce
		test	eax, eax
		js	short loc_8876E1
		and	[ebp+var_C], esi
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		push	edi
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	eax, [ebp+var_C]
		push	72626968h
		or	byte ptr [eax+1], 2
		mov	eax, [ebp+var_4]
		add	eax, 14h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8876E1
		push	[ebp+var_4]	; size_t
		lea	eax, [esi+14h]
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	1
		push	esi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		test	eax, eax
		js	short loc_8876FE
		lea	eax, [esi+14h]
		push	eax
		push	1
		push	esi
		call	RtlSetDaclSecurityDescriptor
		test	eax, eax
		js	short loc_8876FC

loc_8876E1:				; CODE XREF: PopCreateHiberFileSecurityDescriptor()+43j
					; PopCreateHiberFileSecurityDescriptor()+6Bj ...
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jz	short loc_8876F5
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8876F5:				; CODE XREF: PopCreateHiberFileSecurityDescriptor()+2Fj
					; PopCreateHiberFileSecurityDescriptor()+115j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8876FC:				; CODE XREF: PopCreateHiberFileSecurityDescriptor()+109j
		push	0

loc_8876FE:				; CODE XREF: PopCreateHiberFileSecurityDescriptor()+F9j
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8876E1
_PopCreateHiberFileSecurityDescriptor@0	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 283. EmProviderRegister

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EmProviderRegister(x, x, x,	x, x, x)
		public _EmProviderRegister@24
_EmProviderRegister@24 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jz	short loc_88771D
		pop	ebp
		jmp	EmpProviderRegister
; 

loc_88771D:				; CODE XREF: EmProviderRegister(x,x,x,x,x,x)+9j
		mov	eax, 0C000000Dh
		pop	ebp
		retn	18h
_EmProviderRegister@24 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 846. IoGetBootDiskInformationLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetBootDiskInformationLite(x)
		public _IoGetBootDiskInformationLite@4
_IoGetBootDiskInformationLite@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_InitializationPhase, 2
		jnb	short loc_887746
		mov	ecx, [ebp+arg_0]
		call	IopGetBootDiskInformationLite

loc_887742:				; CODE XREF: IoGetBootDiskInformationLite(x)+1Fj
		pop	ebp
		retn	4
; 

loc_887746:				; CODE XREF: IoGetBootDiskInformationLite(x)+Cj
		mov	eax, 0C0000189h
		jmp	short loc_887742
_IoGetBootDiskInformationLite@4	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 285. EmpProviderRegister

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EmpProviderRegister(int,int,size_t,int,int,int)
		public EmpProviderRegister
EmpProviderRegister proc near		; CODE XREF: EmProviderRegister(x,x,x,x,x,x)+Cj
					; EmInitSystem+28Fp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00928128 SIZE 0000018E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		xor	edx, edx
		mov	ebx, edi
		mov	[ebp+var_8], edi
		mov	ecx, offset _EmpDatabaseLock
		mov	[ebp+var_4], ebx
		mov	esi, edi
		call	ExAcquirePushLockExclusiveEx
		cmp	[ebp+arg_14], ebx
		jz	loc_928131
		cmp	[ebp+arg_4], ebx
		jz	loc_8879B9

loc_887787:				; CODE XREF: EmpProviderRegister+26Aj
		cmp	[ebp+arg_C], ebx
		jz	loc_928128

loc_887790:				; CODE XREF: EmpProviderRegister+A09D9j
		push	72704D45h
		push	24h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9281F1
		lea	eax, [esi+1Ch]
		mov	[esi+0Ch], edi
		mov	[esi+10h], edi
		mov	[esi+14h], edi
		mov	[esi+18h], edi
		mov	[esi+4], edi
		mov	[esi+8], edi
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_887877
		shl	eax, 2
		push	72704D45h
		push	eax
		push	1
		mov	[ebp+var_10], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+4], eax
		test	eax, eax
		jz	loc_9281FB
		push	[ebp+var_10]	; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+arg_4]
		add	esp, 0Ch
		mov	eax, [ebp+arg_8]
		add	ecx, 4
		mov	[esi+8], eax

loc_887804:				; CODE XREF: EmpProviderRegister+C0j
		cmp	[ecx], edi
		jnz	loc_928205

loc_88780C:				; CODE XREF: EmpProviderRegister+A0AB6j
		add	ecx, 0Ch
		sub	eax, 1
		jnz	short loc_887804
		mov	eax, [esi+10h]
		test	eax, eax
		jnz	loc_92820D

loc_88781F:				; CODE XREF: EmpProviderRegister+A0AE2j
		mov	edx, [ebp+arg_4]
		add	edx, 8
		mov	[ebp+var_8], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+arg_4], edx

loc_887831:				; CODE XREF: EmpProviderRegister+123j
		mov	ecx, [edx-8]	; void *
		test	ecx, ecx
		jz	loc_928131
		call	_EmpSearchEntryDatabase@4 ; EmpSearchEntryDatabase(x)
		mov	edx, eax
		mov	[ebp+var_18], edx
		test	edx, edx
		jz	loc_92827D
		mov	ecx, [esi+4]
		mov	eax, [ebp+var_10]
		mov	[ecx+eax*4], edx
		mov	edx, [ebp+arg_4]
		mov	ecx, [edx-4]
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jnz	loc_928239

loc_887868:				; CODE XREF: EmpProviderRegister+A0B26j
		inc	eax
		add	edx, 0Ch
		mov	[ebp+var_10], eax
		mov	[ebp+arg_4], edx
		cmp	eax, [ebp+arg_8]
		jb	short loc_887831

loc_887877:				; CODE XREF: EmpProviderRegister+75j
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	loc_88791A
		shl	eax, 2
		push	72704D45h
		push	eax
		push	1
		mov	[ebp+arg_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+14h], eax
		test	eax, eax
		jz	loc_9281FB
		push	[ebp+arg_8]	; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+arg_C]
		add	esp, 0Ch
		mov	eax, [ebp+arg_10]
		add	ecx, 4
		mov	[esi+18h], eax
		mov	[ebp+arg_8], edi
		mov	[ebp+arg_4], ecx

loc_8878BF:				; CODE XREF: EmpProviderRegister+1C6j
		mov	eax, [ecx]
		mov	[ebp+arg_C], eax
		test	eax, eax
		jz	loc_928131
		mov	ecx, [ecx-4]	; void *
		test	ecx, ecx
		jz	loc_928131
		call	_EmpSearchCallbackDatabase@4 ; EmpSearchCallbackDatabase(x)
		mov	edx, eax
		test	edx, edx
		jz	loc_92827D
		mov	eax, [edx+10h]
		test	eax, eax
		jnz	loc_928287

loc_8878F1:				; CODE XREF: EmpProviderRegister+A0B38j
		mov	eax, [esi+14h]
		mov	ecx, [ebp+arg_8]
		mov	[eax+ecx*4], edx
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx]
		mov	[edx+10h], eax
		mov	eax, [ecx+4]
		add	ecx, 0Ch
		mov	[edx+18h], eax
		mov	eax, [ebp+arg_8]
		inc	eax
		mov	[ebp+arg_4], ecx
		mov	[ebp+arg_8], eax
		cmp	eax, [ebp+arg_10]
		jb	short loc_8878BF

loc_88791A:				; CODE XREF: EmpProviderRegister+12Aj
		mov	ecx, edi
		mov	[ebp+arg_10], edi
		cmp	[esi+8], edi
		jbe	short loc_887953

loc_887924:				; CODE XREF: EmpProviderRegister+1FDj
		mov	eax, [esi+4]
		mov	eax, [eax+ecx*4]
		lock inc dword ptr [eax+10h]
		mov	ebx, [eax+2Ch]
		test	ebx, ebx
		jz	short loc_887948

loc_887935:				; CODE XREF: EmpProviderRegister+1F1j
		mov	ecx, [ebx-4]
		xor	edx, edx
		call	EmpQueueRuleUpdateState
		mov	ebx, [ebx]
		test	ebx, ebx
		jnz	short loc_887935
		mov	ecx, [ebp+arg_10]

loc_887948:				; CODE XREF: EmpProviderRegister+1E1j
		inc	ecx
		mov	[ebp+arg_10], ecx
		cmp	ecx, [esi+8]
		jb	short loc_887924
		mov	ebx, edi

loc_887953:				; CODE XREF: EmpProviderRegister+1D0j
		cmp	[esi+18h], edi
		jbe	short loc_887980

loc_887958:				; CODE XREF: EmpProviderRegister+229j
		mov	eax, [esi+14h]
		mov	eax, [eax+edi*4]
		lock inc dword ptr [eax+14h]
		mov	ebx, [eax+20h]
		jmp	short loc_887973
; 

loc_887967:				; CODE XREF: EmpProviderRegister+223j
		mov	ecx, [ebx-4]
		xor	edx, edx
		call	EmpQueueRuleUpdateState
		mov	ebx, [ebx]

loc_887973:				; CODE XREF: EmpProviderRegister+213j
		test	ebx, ebx
		jnz	short loc_887967
		inc	edi
		cmp	edi, [esi+18h]
		jb	short loc_887958
		mov	ebx, [ebp+var_4]

loc_887980:				; CODE XREF: EmpProviderRegister+204j
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_8879C7

loc_887987:				; CODE XREF: EmpProviderRegister+27Cj
		mov	eax, [ebp+arg_14]
		mov	[esi], edi
		mov	[eax], esi

loc_88798E:				; CODE XREF: EmpProviderRegister+A09E9j
					; EmpProviderRegister+A0A9Aj ...
		or	edx, 0FFFFFFFFh
		mov	esi, offset _EmpDatabaseLock
		lock xadd [esi], edx
		and	dl, 6
		cmp	dl, 2
		jnz	short loc_8879A9
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8879A9:				; CODE XREF: EmpProviderRegister+24Ej
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	18h
; 

loc_8879B9:				; CODE XREF: EmpProviderRegister+2Fj
		cmp	[ebp+arg_8], ebx
		jz	loc_887787
		jmp	loc_928131
; 

loc_8879C7:				; CODE XREF: EmpProviderRegister+233j
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		jmp	short loc_887987
EmpProviderRegister endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1971. RtlCharToInteger

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlCharToInteger
RtlCharToInteger proc near		; CODE XREF: IopCheckDiskName(x,x,x)+67p
					; EmpParseTargetRuleStringIndexList+10Fp

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009282B6 SIZE 00000072 BYTES

		push	0Ch
		push	offset dword_6A71F8
		call	__SEH_prolog4
		mov	edx, [ebp+arg_0]
		mov	bl, [edx]

loc_8879E7:				; CODE XREF: EmpProviderRegister+A0B58j
		cmp	bl, 20h
		jle	loc_92829F
		inc	edx

loc_8879F1:				; CODE XREF: EmpProviderRegister+A0B5Fj
		mov	cl, bl
		cmp	bl, 2Dh
		jz	loc_9282B6
		cmp	bl, 2Bh
		jz	loc_9282B6

loc_887A05:				; CODE XREF: RtlCharToInteger+A08E3j
		mov	esi, edx
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_9282BE
		dec	eax
		sub	eax, 1
		jz	loc_928320
		sub	eax, 6
		jz	loc_928319
		dec	eax
		sub	eax, 1
		jz	short loc_887AA7
		sub	eax, 6
		jnz	loc_92830F
		push	4

loc_887A36:				; CODE XREF: RtlCharToInteger+A0945j
		pop	edi

loc_887A37:				; CODE XREF: RtlCharToInteger+D3j
					; RtlCharToInteger+A08F4j ...
		xor	esi, esi

loc_887A39:				; CODE XREF: RtlCharToInteger+88j
		test	cl, cl
		jz	short loc_887A60
		lea	eax, [ecx-30h]
		cmp	al, 9
		ja	short loc_887A89
		movsx	eax, cl
		sub	eax, 30h

loc_887A4A:				; CODE XREF: RtlCharToInteger+C0j
					; RtlCharToInteger+CFj
		mov	ecx, [ebp+arg_4]
		cmp	eax, ecx
		jnb	short loc_887A60
		test	edi, edi
		jz	short loc_887AAB
		mov	ecx, edi
		shl	esi, cl
		or	esi, eax

loc_887A5B:				; CODE XREF: RtlCharToInteger+DAj
		mov	cl, [edx]
		inc	edx
		jmp	short loc_887A39
; 

loc_887A60:				; CODE XREF: RtlCharToInteger+65j
					; RtlCharToInteger+79j	...
		cmp	bl, 2Dh
		jz	short loc_887AB2

loc_887A65:				; CODE XREF: RtlCharToInteger+DEj
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax

loc_887A77:				; CODE XREF: RtlCharToInteger+A093Ej
					; sub_928336+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_887A89:				; CODE XREF: RtlCharToInteger+6Cj
		lea	eax, [ecx-41h]
		cmp	al, 5
		ja	short loc_887A98
		movsx	eax, cl
		sub	eax, 37h
		jmp	short loc_887A4A
; 

loc_887A98:				; CODE XREF: RtlCharToInteger+B8j
		lea	eax, [ecx-61h]
		cmp	al, 5
		ja	short loc_887A60
		movsx	eax, cl
		sub	eax, 57h
		jmp	short loc_887A4A
; 

loc_887AA7:				; CODE XREF: RtlCharToInteger+53j
		xor	edi, edi
		jmp	short loc_887A37
; 

loc_887AAB:				; CODE XREF: RtlCharToInteger+7Dj
		imul	esi, ecx
		add	esi, eax
		jmp	short loc_887A5B
; 

loc_887AB2:				; CODE XREF: RtlCharToInteger+8Dj
		neg	esi
		jmp	short loc_887A65
RtlCharToInteger endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpFindNextIndexedWildCardTag proc near ; CODE	XREF: SdbGetDatabaseMatchEx+E8p
					; SdbpSearchDB+AF720p ...

var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_10		= dword	ptr -10h
var_8		= byte ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00928348 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 124h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_11C], 0
		lea	eax, [ebp+var_118]
		push	ebx
		push	esi
		push	edi
		push	104h		; size_t
		mov	esi, ecx
		mov	ebx, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_120], esi
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		lea	ecx, [ebp+var_118]
		add	esp, 0Ch
		stosd
		push	dword ptr [ebx+20h]
		stosw
		call	AslStringUpcaseToMultiByteN
		test	eax, eax
		js	short loc_887B70
		mov	edx, [ebx]
		lea	eax, [ebp+var_11C]
		push	eax
		mov	ecx, esi
		call	SdbpGetIndex
		test	eax, eax
		jz	short loc_887B70
		mov	esi, [ebx+10h]
		inc	esi
		cmp	esi, [ebp+var_11C]
		jnb	short loc_887B70
		imul	edi, esi, 0Ch
		add	edi, eax

loc_887B35:				; CODE XREF: SdbpFindNextIndexedWildCardTag+B8j
		test	byte ptr [ebx+14h], 2
		mov	ecx, [edi+4]
		mov	eax, [edi]
		push	ecx
		push	eax
		jz	loc_928348
		lea	ecx, [ebp+var_10+1]
		call	_SdbpKeyToAnsiString@12	; SdbpKeyToAnsiString(x,x,x)
		mov	byte ptr [ebp+var_10], 2Ah

loc_887B52:				; CODE XREF: SdbpFindNextIndexedWildCardTag+A089Ej
		lea	edx, [ebp+var_118]
		lea	ecx, [ebp+var_10]
		call	AslStringPatternMatchA
		test	eax, eax
		jnz	short loc_887B74

loc_887B64:				; CODE XREF: SdbpFindNextIndexedWildCardTag+DBj
					; SdbpFindNextIndexedWildCardTag+ECj ...
		inc	esi
		add	edi, 0Ch
		cmp	esi, [ebp+var_11C]
		jb	short loc_887B35

loc_887B70:				; CODE XREF: SdbpFindNextIndexedWildCardTag+58j
					; SdbpFindNextIndexedWildCardTag+6Cj ...
		xor	eax, eax
		jmp	short loc_887BBB
; 

loc_887B74:				; CODE XREF: SdbpFindNextIndexedWildCardTag+ACj
		mov	ecx, [edi+8]
		mov	edx, ecx
		movzx	eax, word ptr [ebx+0Ch]
		mov	[ebp+var_124], ecx
		mov	ecx, [ebp+var_120]
		push	eax
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_887B64
		mov	ecx, [ebp+var_120]
		mov	edx, eax
		call	SdbGetStringTagPtr
		test	eax, eax
		jz	short loc_887B64
		mov	edx, [ebx+20h]
		mov	ecx, eax
		call	AslStringPatternMatchW
		test	eax, eax
		jz	short loc_887B64
		mov	eax, [ebp+var_124]
		mov	[ebx+10h], esi

loc_887BBB:				; CODE XREF: SdbpFindNextIndexedWildCardTag+BCj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
SdbpFindNextIndexedWildCardTag endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AslStringPatternMatchA proc near	; CODE XREF: SdbpFindFirstIndexedWildCardTag+10Ap
					; SdbpFindNextIndexedWildCardTag+A5p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00928359 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		push	edi
		mov	[ebp+var_4], eax
		mov	edi, ecx

loc_887BDB:				; CODE XREF: AslStringPatternMatchA+5Fj
		mov	bl, [edi]

loc_887BDD:				; CODE XREF: AslStringPatternMatchA+9Aj
		test	bl, bl
		jz	loc_928359

loc_887BE5:				; CODE XREF: AslStringPatternMatchA+A0798j
		cmp	bl, 3Fh
		jz	short loc_887C69
		cmp	bl, 2Ah
		jnz	short loc_887C2B
		lea	ecx, [edi+1]
		mov	bl, [ecx]
		mov	[ebp+var_8], ecx
		cmp	bl, 2Ah
		jz	short loc_887C62
		test	bl, bl
		jz	short loc_887C5D
		movsx	eax, bl
		push	eax		; int
		call	_toupper
		mov	ebx, [ebp+var_4]
		mov	esi, eax
		movsx	edx, byte ptr [ebx]
		push	edx		; int
		call	_toupper
		pop	ecx
		pop	ecx
		cmp	esi, eax
		jz	short loc_887C4F

loc_887C1D:				; CODE XREF: AslStringPatternMatchA+7Cj
					; AslStringPatternMatchA+91j
		mov	eax, [ebp+var_4]

loc_887C20:				; CODE XREF: AslStringPatternMatchA+A0j
		cmp	byte ptr [eax],	0
		jz	short loc_887C48
		inc	eax
		mov	[ebp+var_4], eax
		jmp	short loc_887BDB
; 

loc_887C2B:				; CODE XREF: AslStringPatternMatchA+23j
		movsx	eax, byte ptr [eax]
		push	eax		; int
		call	_toupper
		movsx	ecx, bl
		mov	esi, eax
		push	ecx		; int
		call	_toupper
		pop	ecx
		pop	ecx
		cmp	eax, esi
		jnz	short loc_887C48
		inc	edi
		jmp	short loc_887C1D
; 

loc_887C48:				; CODE XREF: AslStringPatternMatchA+59j
					; AslStringPatternMatchA+79j
		xor	eax, eax

loc_887C4A:				; CODE XREF: AslStringPatternMatchA+96j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_887C4F:				; CODE XREF: AslStringPatternMatchA+51j
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	AslStringPatternMatchA
		test	eax, eax
		jz	short loc_887C1D

loc_887C5D:				; CODE XREF: AslStringPatternMatchA+34j
					; AslStringPatternMatchA+A0792j
		xor	eax, eax
		inc	eax
		jmp	short loc_887C4A
; 

loc_887C62:				; CODE XREF: AslStringPatternMatchA+30j
		mov	edi, ecx
		jmp	loc_887BDD
; 

loc_887C69:				; CODE XREF: AslStringPatternMatchA+1Ej
		inc	edi
		jmp	short loc_887C20
AslStringPatternMatchA endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpKeyToAnsiString(x, x, x)
_SdbpKeyToAnsiString@12	proc near	; CODE XREF: SdbpFindFirstIndexedWildCardTag+F8p
					; SdbpFindNextIndexedWildCardTag+93p ...

arg_7		= dword	ptr  0Fh

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	edx, edx
		lea	esi, [ebp+arg_7]

loc_887C77:				; CODE XREF: SdbpKeyToAnsiString(x,x,x)+15j
		mov	al, [esi]
		mov	[edx+ecx], al
		inc	edx
		dec	esi
		cmp	edx, 8
		jl	short loc_887C77
		mov	byte ptr [ecx+8], 0
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	8
_SdbpKeyToAnsiString@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AslStringPatternMatchW proc near	; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+219p
					; SdbpFindFirstIndexedWildCardTag+15Cp	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00928367 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	ebx, ecx
		mov	ecx, [ebp+var_4]
		xor	edi, edi
		push	2Ah
		pop	edx
		mov	[ebp+var_C], edx

loc_887CA9:				; CODE XREF: AslStringPatternMatchW+5Dj
		movzx	eax, word ptr [ebx]

loc_887CAC:				; CODE XREF: AslStringPatternMatchW+A06E0j
		mov	[ebp+var_8], eax
		test	ax, ax
		jz	short loc_887D15

loc_887CB4:				; CODE XREF: AslStringPatternMatchW+8Cj
		cmp	ax, 3Fh
		jz	short loc_887D1C
		cmp	ax, dx
		jz	short loc_887CED
		mov	cx, [ecx]
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, [ebp+var_8]
		mov	si, ax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		cmp	ax, si
		jnz	short loc_887D0E
		add	ebx, 2

loc_887CDA:				; CODE XREF: AslStringPatternMatchW+A06FDj
					; AslStringPatternMatchW+A0716j
		mov	ecx, [ebp+var_4]
		push	2Ah
		pop	edx

loc_887CE0:				; CODE XREF: AslStringPatternMatchW+91j
		cmp	[ecx], di
		jz	short loc_887D0E
		add	ecx, 2
		mov	[ebp+var_4], ecx
		jmp	short loc_887CA9
; 

loc_887CED:				; CODE XREF: AslStringPatternMatchW+2Fj
		lea	edx, [ebx+2]
		movzx	eax, word ptr [edx]
		mov	esi, eax
		mov	[ebp+var_8], edx
		cmp	ax, word ptr [ebp+var_C]
		jz	loc_928367
		test	ax, ax
		jnz	loc_928373

loc_887D0B:				; CODE XREF: AslStringPatternMatchW+8Aj
					; AslStringPatternMatchW+A0710j
		xor	edi, edi
		inc	edi

loc_887D0E:				; CODE XREF: AslStringPatternMatchW+47j
					; AslStringPatternMatchW+55j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_887D15:				; CODE XREF: AslStringPatternMatchW+24j
		cmp	[ecx], di
		jz	short loc_887D0B
		jmp	short loc_887CB4
; 

loc_887D1C:				; CODE XREF: AslStringPatternMatchW+2Aj
		add	ebx, 2
		jmp	short loc_887CE0
AslStringPatternMatchW endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MmAllocateIsrStack(x, x)
_MmAllocateIsrStack@8 proc near		; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+18Ap
					; KiStartDynamicProcessor(x,x,x,x)+19Cp ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi]
		test	esi, esi
		jnz	short loc_887D5D
		push	ecx
		push	ecx
		mov	ecx, 4000h
		call	MmAllocateIndependentPagesEx
		mov	esi, eax
		test	esi, esi
		jz	short loc_887D79
		lea	ecx, [esi+4000h]
		mov	[edi], ecx

loc_887D49:				; CODE XREF: MmAllocateIsrStack(x,x)+55j
		mov	ecx, esi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, eax
		call	MiMarkBootGuardPage
		mov	al, 1

loc_887D59:				; CODE XREF: MmAllocateIsrStack(x,x)+59j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_887D5D:				; CODE XREF: MmAllocateIsrStack(x,x)+Bj
		mov	edx, 3000h
		sub	esi, edx
		push	4
		mov	ecx, esi
		call	MmSetPageProtection
		test	al, al
		jz	short loc_887D79
		sub	esi, 1000h
		jmp	short loc_887D49
; 

loc_887D79:				; CODE XREF: MmAllocateIsrStack(x,x)+1Dj
					; MmAllocateIsrStack(x,x)+4Dj
		xor	al, al
		jmp	short loc_887D59
_MmAllocateIsrStack@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMarkBootGuardPage proc near		; CODE XREF: MmAllocateIsrStack(x,x)+30p
					; MiInitializeKernelStacks()+63p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009283A9 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	eax, [ebx]
		and	eax, 1
		or	eax, 0
		jz	loc_887E60
		mov	esi, [ebx]
		mov	eax, ebx
		shl	eax, 9
		mov	[ebp+var_4], eax
		nop
		mov	edx, [ebx+4]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_887DB9
		push	edx
		push	esi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	esi, eax

loc_887DB9:				; CODE XREF: MiMarkBootGuardPage+30j
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], edx
		nop
		lea	ecx, [ebp+var_10]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_887DD5
		push	edx
		push	esi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	esi, eax

loc_887DD5:				; CODE XREF: MiMarkBootGuardPage+4Cj
		shrd	esi, edx, 0Ch
		and	esi, 1FFFFFFh
		imul	esi, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	eax, [esi+18h]
		and	eax, offset loc_7FFFFF
		imul	edi, eax, 1Ch
		mov	eax, ds:_ZeroPte
		add	edi, ds:_MmPfnDatabase
		mov	[ebx], eax
		nop
		mov	eax, ds:dword_40F9FC
		xor	edx, edx
		mov	[ebx+4], eax
		mov	ebx, [ebp+var_4]
		mov	ecx, ebx
		push	1
		call	KeFlushSingleTb
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		xor	edx, edx
		mov	ecx, edi
		mov	esi, eax
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		xor	edx, edx
		mov	edi, offset _MiSystemPartition
		inc	edx
		mov	ecx, edi
		call	_MiReturnResident@8 ; MiReturnResident(x,x)
		cmp	esi, 3
		jz	short loc_887E4A
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	MiReturnCommit

loc_887E4A:				; CODE XREF: MiMarkBootGuardPage+C0j
		mov	ecx, ebx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Eh
		jz	loc_9283A9
		dec	dword_6D361C

loc_887E60:				; CODE XREF: MiMarkBootGuardPage+15j
					; MiMarkBootGuardPage+A0637j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiMarkBootGuardPage endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MmAllocateIndependentPages(x, x)
_MmAllocateIndependentPages@8 proc near	; CODE XREF: KeAllocateInterrupt(x)+45p
					; KeAllocateProcessorProfileStructures+92p ...
		mov	edi, edi
		push	ecx
		push	ecx
		call	MmAllocateIndependentPagesEx
		retn
_MmAllocateIndependentPages@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmAllocateIndependentPagesEx proc near	; CODE XREF: MmAllocateIsrStack(x,x)+14p
					; MmAllocateIndependentPages(x,x)+4p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h

; FUNCTION CHUNK AT 009283BA SIZE 00000087 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+48h+var_30], edx
		lea	edi, [esp+48h+var_24]
		mov	esi, ecx
		stosd
		push	6
		pop	ecx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+48h+var_18]
		rep stosd
		mov	edi, esi
		and	edi, 0FFFh
		neg	edi
		sbb	edi, edi
		shr	esi, 0Ch
		neg	edi
		add	edi, esi
		mov	esi, offset dword_6D35E0
		mov	edx, edi
		mov	ecx, esi
		call	MiReservePtes
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9283C4
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_MiObtainPoolCharges@8 ; MiObtainPoolCharges(x,x)
		test	eax, eax
		jz	loc_9283BA
		mov	eax, ebx
		xor	edx, edx
		shl	eax, 9
		mov	ecx, ebx
		push	0A0000004h
		mov	[esp+4Ch+var_28], eax
		call	MiMakeValidPte
		mov	esi, eax
		mov	[esp+48h+var_38], edx
		mov	eax, [esp+48h+var_30]
		lea	edx, [esp+48h+var_24]
		mov	[esp+48h+var_2C], esi
		lea	ecx, [eax+1]
		inc	eax
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		xor	ecx, ecx
		push	eax
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)

loc_887F10:				; CODE XREF: MmAllocateIndependentPagesEx+145j
		lea	ecx, [esp+48h+var_24]
		call	_MiGetNextPageColor@4 ;	MiGetNextPageColor(x)
		mov	esi, eax

loc_887F1B:				; CODE XREF: MmAllocateIndependentPagesEx+A0567j
		push	8
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	MiGetPage
		mov	[esp+48h+var_30], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_9283CB
		mov	ecx, [esp+48h+var_38]
		mov	edx, eax
		mov	eax, [esp+48h+var_2C]
		and	edx, 1FFFFFFh
		xor	esi, esi
		and	ecx, 0FFFFFFE0h
		shld	esi, edx, 0Ch
		and	eax, 0FFFh
		or	esi, ecx
		shl	edx, 0Ch
		imul	ecx, [esp+48h+var_30], 1Ch
		or	edx, eax
		push	4
		mov	[esp+4Ch+var_2C], edx
		mov	edx, ebx
		push	4
		mov	[esp+50h+var_38], esi
		add	ecx, ds:_MmPfnDatabase
		call	_MiInitializePfn@16 ; MiInitializePfn(x,x,x,x)
		mov	esi, [esp+48h+var_2C]
		mov	ecx, ebx
		mov	edx, [esp+48h+var_38]
		and	[esp+48h+var_30], 0
		mov	[esp+48h+var_34], esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_9283DC
		mov	ecx, [esp+48h+var_30]

loc_887F9D:				; CODE XREF: MmAllocateIndependentPagesEx+A057Fj
					; MmAllocateIndependentPagesEx+A058Dj ...
		mov	esi, [esp+48h+var_34]

loc_887FA1:				; CODE XREF: MmAllocateIndependentPagesEx+A059Dj
		mov	[ebx+4], edx
		nop
		mov	[ebx], esi
		test	ecx, ecx
		jnz	loc_928433

loc_887FAF:				; CODE XREF: MmAllocateIndependentPagesEx+A05CCj
		add	ebx, 8
		sub	edi, 1
		jnz	loc_887F10
		mov	eax, [esp+48h+var_28]

loc_887FBF:				; CODE XREF: MmAllocateIndependentPagesEx+A0556j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
MmAllocateIndependentPagesEx endp


;  S U B	R O U T	I N E 


KeInitializeTimerTable proc near	; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+28Ap
					; KeStartAllProcessors+387p ...

; FUNCTION CHUNK AT 00928441 SIZE 00000064 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		cmp	[esi+3CCh], ebx
		jz	short loc_888055

loc_887FD9:				; CODE XREF: KeInitializeTimerTable+A4j
		mov	cl, [esi+3C5h]
		movzx	eax, cl
		cmp	ds:dword_70E644[eax*8],	ebx
		jz	loc_888071

loc_887FEF:				; CODE XREF: KeInitializeTimerTable+E1j
		mov	eax, ds:_KeTickCount
		lea	edi, [esi+4080h]
		push	ebx
		push	offset KiTimerExpirationDpc
		push	edi
		mov	[esi+2240h], eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	eax, [edi+1Ch]
		mov	ecx, [esi+3CCh]
		test	eax, eax
		jnz	short loc_888020
		lea	eax, [ecx+20h]
		mov	[edi+2], ax

loc_888020:				; CODE XREF: KeInitializeTimerTable+4Fj
		mov	[esi+2260h], ebx
		lea	eax, [esi+22A4h]
		mov	ecx, 100h

loc_888031:				; CODE XREF: KeInitializeTimerTable+7Ej
		or	dword ptr [eax+10h], 0FFFFFFFFh
		mov	[eax-4], ebx
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[eax+0Ch], ebx
		add	eax, 18h
		sub	ecx, 1
		jnz	short loc_888031
		mov	ecx, esi
		call	KiInitializeForceIdle
		xor	eax, eax

loc_888051:				; CODE XREF: KeInitializeTimerTable+A04BAj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_888055:				; CODE XREF: KeInitializeTimerTable+Fj
		mov	eax, ds:_KiSerializeTimerExpiration
		test	eax, eax
		jz	loc_928441
		cmp	eax, 1
		jnz	short loc_8880AE

loc_888067:				; CODE XREF: KeInitializeTimerTable+ECj
					; KeInitializeTimerTable+A0481j ...
		call	_KiInitializeTimer2Data@0 ; KiInitializeTimer2Data()
		jmp	loc_887FD9
; 

loc_888071:				; CODE XREF: KeInitializeTimerTable+21j
		mov	ebx, 4000h
		test	cl, cl
		jnz	loc_92845E
		cmp	ds:_KiSerializeTimerExpiration,	0
		mov	edi, offset _KiPendingTimersMask0
		jz	short loc_88808F
		push	20h
		pop	ebx

loc_88808F:				; CODE XREF: KeInitializeTimerTable+C2j
		xor	cl, cl

loc_888091:				; CODE XREF: KeInitializeTimerTable+A04D1j
					; KeInitializeTimerTable+A04D8j
		movzx	ecx, cl
		mov	eax, ebx
		shl	eax, 3
		xor	ebx, ebx
		mov	ds:_KiPendingTimerBitmaps[ecx*8], eax
		mov	ds:dword_70E644[ecx*8],	edi
		jmp	loc_887FEF
; 

loc_8880AE:				; CODE XREF: KeInitializeTimerTable+9Dj
		mov	ds:_KiSerializeTimerExpiration,	ebx
		jmp	short loc_888067
KeInitializeTimerTable endp


;  S U B	R O U T	I N E 


KiInitializeForceIdle proc near		; CODE XREF: KeInitializeTimerTable+82p

; FUNCTION CHUNK AT 009284A5 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		cmp	[edi+3CCh], ebx
		jz	short loc_8880F5

loc_8880C7:				; CODE XREF: KiInitializeForceIdle+79j
					; KiInitializeForceIdle+A03F9j
		push	ebx
		push	offset _KiForceIdleParkUnparkDpcRoutine@16 ; KiForceIdleParkUnparkDpcRoutine(x,x,x,x)
		lea	esi, [edi+3F18h]
		push	esi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	byte ptr [esi+1], 3
		mov	eax, [esi+1Ch]
		mov	ecx, [edi+3CCh]
		test	eax, eax
		jnz	short loc_8880F1
		lea	eax, [ecx+20h]
		mov	[esi+2], ax

loc_8880F1:				; CODE XREF: KiInitializeForceIdle+32j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8880F5:				; CODE XREF: KiInitializeForceIdle+Fj
		push	ebx
		push	offset _KiForceIdleStartDpcRoutine@16 ;	KiForceIdleStartDpcRoutine(x,x,x,x)
		push	offset _KiForceIdleStartDpc
		mov	_KiForceIdleLock, ebx
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	ebx
		push	offset _KiForceIdleStopDpcRoutine@16 ; KiForceIdleStopDpcRoutine(x,x,x,x)
		push	offset _KiForceIdleStopDpc
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	byte_6CB3C1, 3
		mov	byte_6CB1C1, 3
		cmp	ds:_KiSerializeTimerExpiration,	ebx
		jnz	short loc_8880C7
		jmp	loc_9284A5
KiInitializeForceIdle endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlInitializeProcessor proc near	; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+30Bp
					; KeStartAllProcessors+347p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009284B4 SIZE 000000E3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_HvlHypervisorConnected, 0
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jnz	loc_9284B4

loc_88814E:				; CODE XREF: HvlInitializeProcessor+A042Bj
		xor	eax, eax

loc_888150:				; CODE XREF: HvlInitializeProcessor+A038Ej
					; HvlInitializeProcessor+A045Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
HvlInitializeProcessor endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmCreateShadowMapping proc near		; CODE XREF: KeAllocateProcessorProfileStructures+B8p
					; KiShadowProcessorAllocation+38p ...

var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_EC		= dword	ptr -0ECh
var_E0		= dword	ptr -0E0h
var_D8		= dword	ptr -0D8h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00928597 SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 114h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+114h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	[esp+124h+var_114], ecx
		lea	edi, [esp+124h+var_1C]
		pop	ecx
		xor	eax, eax
		lea	esi, [edx-1]
		xor	ebx, ebx
		push	0D8h		; size_t
		rep stosd
		lea	eax, [esp+124h+var_F8]
		mov	[esp+124h+var_110], ebx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	edi, [esp+12Ch+var_114]
		lea	edx, [esp+12Ch+var_30]
		add	esp, 0Ch
		mov	[esp+120h+var_D8], 1
		mov	ecx, edi
		mov	[esp+120h+var_EC], offset _MiSystemPartition
		add	esi, edi
		mov	[esp+120h+var_E0], 0Ch
		push	ebx
		call	_MiInitializeColorBase@12 ; MiInitializeColorBase(x,x,x)
		lea	eax, [esp+124h+var_114]
		mov	edx, esi
		push	eax
		push	ecx
		mov	ecx, edi
		call	_MiPageTablesNeeded@12 ; MiPageTablesNeeded(x,x,x)
		mov	edx, eax
		lea	ecx, [esp+128h+var_FC]
		call	MiGetPageTablePages
		test	eax, eax
		js	loc_8882B3
		mov	eax, [esp+124h+var_114]
		mov	[esp+124h+var_F4], eax

loc_8881FA:				; CODE XREF: MmCreateShadowMapping+C2j
		mov	ecx, edi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, esi
		mov	edi, eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	esi, eax
		mov	[esp+ebx*8+124h+var_10C], edi
		mov	[esp+ebx*8+124h+var_108], esi
		inc	ebx
		cmp	ebx, 2
		jb	short loc_8881FA
		mov	[esp+124h+var_110], esi
		mov	esi, large fs:124h
		mov	[esp+124h+var_118], edi
		mov	edi, ds:_PsInitialSystemProcess
		mov	ebx, [esi+80h]
		cmp	ebx, edi
		jnz	loc_928597

loc_88823D:				; CODE XREF: MmCreateShadowMapping+A0452j
		dec	word ptr [esi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6D05C8
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [esp+124h+var_110]
		lea	eax, [esp+124h+var_FC]
		mov	ecx, [esp+124h+var_118]
		push	eax
		push	1
		lea	eax, [esp+12Ch+var_10C]
		push	eax
		call	_MiMakeShadowPageTableRange@20 ; MiMakeShadowPageTableRange(x,x,x,x,x)
		or	eax, 0FFFFFFFFh
		mov	ecx, offset dword_6D05C8
		lock xadd [ecx], eax
		test	al, 2
		jnz	loc_9285AD

loc_88827E:				; CODE XREF: MmCreateShadowMapping+A0459j
					; MmCreateShadowMapping+A0469j
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	ebx, edi
		jnz	loc_9285C4

loc_888292:				; CODE XREF: MmCreateShadowMapping+A047Cj
		lea	ecx, [esp+124h+var_FC]
		call	_MiCleanupPageTablePages@4 ; MiCleanupPageTablePages(x)
		xor	eax, eax
		inc	eax

loc_88829E:				; CODE XREF: MmCreateShadowMapping+15Fj
		mov	ecx, [esp+124h+var_8]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8882B3:				; CODE XREF: MmCreateShadowMapping+96j
		xor	eax, eax
		jmp	short loc_88829E
MmCreateShadowMapping endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakeShadowPageTableRange(x, x, x,	x, x)
_MiMakeShadowPageTableRange@20 proc near ; CODE	XREF: MmCreateShadowMapping+10Fp
					; MiMakeShadowPageTableRange(x,x,x,x,x)+D9p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	ecx, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, [ecx+edi*8]
		cmp	esi, eax
		jnb	short loc_8882D5
		mov	esi, eax

loc_8882D5:				; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+19j
		mov	eax, [ecx+edi*8+4]
		cmp	ebx, eax
		jbe	short loc_8882DF
		mov	ebx, eax

loc_8882DF:				; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+23j
					; MiMakeShadowPageTableRange(x,x,x,x,x)+7Cj
		cmp	esi, ebx
		ja	short loc_888336
		and	[ebp+arg_4], 0
		cmp	edi, 1
		jz	short loc_88833D

loc_8882EC:				; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+91j
					; MiMakeShadowPageTableRange(x,x,x,x,x)+B0j
		push	ds:dword_40F9FC
		mov	edx, edi
		mov	ecx, esi
		push	ds:_ZeroPte
		push	0
		call	MiReadWriteAnyLevelShadowPte
		and	eax, 1
		or	eax, 0
		jnz	loc_888398
		test	edi, edi
		jnz	loc_88839B
		xor	ecx, ecx

loc_888319:				; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+F4j
		mov	edx, ecx
		mov	ecx, esi
		push	edi
		call	MiInitializeShadowPageTable

loc_888323:				; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+E1j
		cmp	[ebp+arg_4], 0
		jnz	short loc_88836A

loc_888329:				; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+C4j
		mov	eax, [ebp+arg_8]
		cmp	edi, [eax+24h]
		jg	short loc_88837E

loc_888331:				; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+DEj
		add	esi, 8
		jmp	short loc_8882DF
; 

loc_888336:				; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+29j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_88833D:				; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+32j
		mov	ecx, esi
		call	_MiGetLeafVa@4	; MiGetLeafVa(x)
		cmp	eax, 0C0000000h
		jnb	short loc_8882EC
		mov	eax, large fs:124h
		mov	[ebp+arg_4], eax
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceExclusiveLite
		jmp	short loc_8882EC
; 

loc_88836A:				; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+6Fj
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, [ebp+arg_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	short loc_888329
; 

loc_88837E:				; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+77j
		push	eax
		mov	ecx, esi
		lea	eax, [edi-1]
		shl	ecx, 9
		push	eax
		push	[ebp+arg_0]
		lea	edx, [ecx+0FF8h]
		call	_MiMakeShadowPageTableRange@20 ; MiMakeShadowPageTableRange(x,x,x,x,x)
		jmp	short loc_888331
; 

loc_888398:				; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+51j
		nop
		jmp	short loc_888323
; 

loc_88839B:				; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+59j
		mov	edx, [ebp+arg_8]
		mov	ecx, [edx+8]
		call	_MiGetPfnLink@4	; MiGetPfnLink(x)
		inc	dword ptr [edx+14h]
		mov	[edx+8], eax
		jmp	loc_888319
_MiMakeShadowPageTableRange@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeShadowPageTable proc near	; CODE XREF: MiMakeShadowPageTableRange(x,x,x,x,x)+66p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009285D7 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	ecx, [ebp+arg_0]
		push	edi
		test	ecx, ecx
		jnz	loc_8884EF
		mov	eax, esi
		shl	eax, 9
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		mov	edx, eax
		test	edx, edx
		jnz	loc_88857B
		mov	edi, [esi]
		nop
		mov	ebx, [esi+4]
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_888401
		push	ebx
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	edi, eax
		mov	ebx, edx

loc_888401:				; CODE XREF: MiInitializeShadowPageTable+42j
		mov	edx, edi
		nop
		lea	ecx, [ebp+var_14]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	loc_9285D7
		push	ebx
		push	edx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	[ebp+var_8], eax
		mov	eax, edx
		mov	edx, [ebp+var_8]

loc_888423:				; CODE XREF: MiInitializeShadowPageTable+A0227j
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		mov	[ebp+var_8], edx

loc_888430:				; CODE XREF: MiInitializeShadowPageTable+1FEj
		and	edi, 800h
		or	edi, 0
		jz	loc_8884E7
		push	4
		pop	edi

loc_888442:				; CODE XREF: MiInitializeShadowPageTable+138j
		and	ebx, 80000000h
		xor	eax, eax
		or	eax, ebx
		jz	loc_8885B5

loc_888452:				; CODE XREF: MiInitializeShadowPageTable+206j
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_C], edi

loc_888458:				; CODE XREF: MiInitializeShadowPageTable+161j
		push	ds:dword_40F9FC
		lea	edx, [ecx+1]
		mov	ecx, esi
		push	ds:_ZeroPte
		push	0
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, eax
		call	MiReadWriteAnyLevelShadowPte
		mov	ebx, eax
		nop
		lea	ecx, [ebp+var_14]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_88848F
		push	edx
		push	ebx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	ebx, eax

loc_88848F:				; CODE XREF: MiInitializeShadowPageTable+D2j
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+arg_0]
		shrd	ebx, edx, 0Ch
		mov	edx, [ebp+var_C]
		and	ebx, 1FFFFFFh

loc_8884A2:				; CODE XREF: MiInitializeShadowPageTable+16Aj
		or	edi, 90000000h
		test	ecx, ecx
		jnz	short loc_88851E

loc_8884AC:				; CODE XREF: MiInitializeShadowPageTable+174j
		push	edi
		mov	edx, eax
		mov	ecx, esi
		call	MiMakeValidPte
		mov	edi, [ebp+arg_0]
		and	eax, 0FFFFFEFFh
		mov	[ebp+var_C], eax
		mov	ecx, edx
		mov	[ebp+var_10], ecx
		test	edi, edi
		jnz	short loc_888528

loc_8884CA:				; CODE XREF: MiInitializeShadowPageTable+1ACj
		push	ecx
		push	eax
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	MiReadWriteAnyLevelShadowPte
		cmp	edi, 1
		jz	loc_888563

loc_8884E0:				; CODE XREF: MiInitializeShadowPageTable+1C4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8884E7:				; CODE XREF: MiInitializeShadowPageTable+87j
		xor	edi, edi
		inc	edi
		jmp	loc_888442
; 

loc_8884EF:				; CODE XREF: MiInitializeShadowPageTable+14j
		mov	eax, ebx
		mov	[ebp+var_C], 1Ch
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	[ebp+var_C]
		and	dword ptr [ebx], 0
		mov	[ebp+var_8], eax
		push	6
		pop	edi
		mov	edx, edi
		mov	[ebp+var_C], edx
		cmp	ecx, 1
		jnz	loc_888458
		or	ebx, 0FFFFFFFFh
		jmp	short loc_8884A2
; 

loc_88851E:				; CODE XREF: MiInitializeShadowPageTable+F8j
		mov	edi, edx
		or	edi, 98000000h
		jmp	short loc_8884AC
; 

loc_888528:				; CODE XREF: MiInitializeShadowPageTable+116j
		cmp	edi, 1
		jnz	short loc_888548
		mov	eax, ds:_PsInitialSystemProcess
		mov	eax, [eax+194h]
		mov	ebx, [eax+18h]
		mov	eax, [eax+1Ch]
		shrd	ebx, eax, 0Ch
		and	ebx, 1FFFFFFh

loc_888548:				; CODE XREF: MiInitializeShadowPageTable+179j
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	0A00h
		push	ebx
		call	MiInitializePfnForOtherProcess
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		jmp	loc_8884CA
; 

loc_888563:				; CODE XREF: MiInitializeShadowPageTable+128j
		mov	ecx, esi
		call	MiMarkPxeAsShadowed
		shl	esi, 9
		mov	edx, esi
		mov	ecx, esi
		call	MiReplicatePteChange
		jmp	loc_8884E0
; 

loc_88857B:				; CODE XREF: MiInitializeShadowPageTable+2Dj
		mov	eax, esi

loc_88857D:				; CODE XREF: MiInitializeShadowPageTable+1D5j
		mov	ecx, eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		sub	edx, 1
		jnz	short loc_88857D
		mov	edi, [eax]
		nop
		mov	ebx, [eax+4]
		mov	ecx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_8885A5
		push	ebx
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	edi, eax
		mov	ebx, edx

loc_8885A5:				; CODE XREF: MiInitializeShadowPageTable+1E6j
		mov	ecx, [ebp+var_C]
		call	_MiVaToPfn@4	; MiVaToPfn(x)
		mov	[ebp+var_8], eax
		jmp	loc_888430
; 

loc_8885B5:				; CODE XREF: MiInitializeShadowPageTable+9Aj
		or	edi, 2
		jmp	loc_888452
MiInitializeShadowPageTable endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ExCreatePoolTagTable(x, x)
_ExCreatePoolTagTable@8	proc near	; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+148p
					; KeStartAllProcessors+23Bp
		mov	edi, edi
		push	ecx
		mov	eax, _PoolTrackTableSize
		push	esi
		push	edi
		mov	edi, ecx
		cmp	eax, 5555554h
		jnb	short loc_888605
		inc	eax
		movzx	edx, dx
		imul	ecx, eax, 30h
		push	ecx
		push	ecx
		call	MmAllocateIndependentPagesEx
		mov	esi, eax
		test	esi, esi
		jz	short loc_8885FF
		imul	ecx, _PoolTrackTableSize, 30h
		push	ecx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	_ExPoolTagTables[edi*4], esi

loc_8885FF:				; CODE XREF: ExCreatePoolTagTable(x,x)+25j
		mov	eax, esi

loc_888601:				; CODE XREF: ExCreatePoolTagTable(x,x)+49j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_888605:				; CODE XREF: ExCreatePoolTagTable(x,x)+11j
		xor	eax, eax
		jmp	short loc_888601
_ExCreatePoolTagTable@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetChannelInformation(x, x, x, x)
_MmGetChannelInformation@16 proc near	; CODE XREF: ExpQueryChannelInformation(x,x,x)+47p
					; ExpQueryNumaAvailableMemory(x,x,x)+ACp ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		movzx	eax, ds:_KeNumberNodes
		and	[ebp+var_30], 0
		movzx	ecx, cx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	edx, eax
		jnb	short loc_88868B
		push	esi
		lea	eax, [ebp+var_30]
		push	eax
		mov	eax, ecx
		mov	ecx, dword_6D3018
		push	edx
		lea	edx, [ebp+var_2C]
		mov	ecx, [ecx+eax*4]
		call	MiGetChannelInformation
		mov	esi, [ebp+var_30]
		mov	edx, 68506D4Dh
		push	0
		push	40h
		mov	ecx, esi
		mov	[ebx], esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[edi], eax
		test	eax, eax
		jz	short loc_888692
		push	esi		; size_t
		lea	ecx, [ebp+var_2C]
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax

loc_88867A:				; CODE XREF: MmGetChannelInformation(x,x,x,x)+8Dj
		pop	esi

loc_88867B:				; CODE XREF: MmGetChannelInformation(x,x,x,x)+86j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_88868B:				; CODE XREF: MmGetChannelInformation(x,x,x,x)+2Aj
		mov	eax, 0C00000EFh
		jmp	short loc_88867B
; 

loc_888692:				; CODE XREF: MmGetChannelInformation(x,x,x,x)+5Ej
		mov	eax, 0C000009Ah
		jmp	short loc_88867A
_MmGetChannelInformation@16 endp

; 
		align 2

; __stdcall CmpLoadHiveThread(x)
_CmpLoadHiveThread@4:			; DATA XREF: CmpInitializeSystemHivesLoad+16Fo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1B0h], eax
		push	ebx
		xor	ebx, ebx
		lea	eax, [esp+58h]
		push	esi
		push	edi
		mov	edi, [ebp+8]
		push	154h
		push	ebx
		push	eax
		mov	[esp+24h], edi
		mov	[esp+28h], ebx
		mov	[esp+58h], ebx
		mov	[esp+4Ch], ebx
		mov	[esp+50h], ebx
		mov	[esp+54h], ebx
		mov	[esp+38h], ebx
		mov	[esp+40h], ebx
		mov	[esp+3Ch], ebx
		mov	[esp+23h], bl
		mov	[esp+1Ch], ebx
		mov	[esp+34h], ebx
		call	_memset
		add	esp, 0Ch
		imul	edi, 78h
		mov	[esp+38h], ebx
		mov	esi, ebx
		mov	[esp+3Ch], ebx
		mov	[esp+20h], ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, dword_6B1650[edi]
		mov	[esp+1Ch], edi
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+18h]
		cmp	eax, ds:_CmpCheckHiveIndex
		jnz	short loc_888751
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _CmpLoadWorkerDebugEvent
		call	KeWaitForSingleObject
		cmp	_KdDebuggerEnabled, bl
		jz	short loc_888751
		cmp	_KdDebuggerNotPresent, bl
		jnz	short loc_888751
		int	3		; Trap to Debugger

loc_888751:				; CODE XREF: PAGE:00888730j
					; PAGE:00888746j ...
		mov	byte_6B164A[edi], 1
		mov	edi, dword_6B1634[edi]
		mov	[esp+24h], edi
		test	edi, edi
		jnz	loc_8888B7
		mov	edi, [esp+0Ch]
		lea	eax, [esp+60h]
		push	eax
		lea	eax, [esp+1Bh]
		push	eax
		mov	edx, dword_6B1638[edi]
		lea	eax, dword_6B164B[edi]
		push	ecx
		push	ecx
		push	ebx
		push	1590001h
		push	eax
		lea	eax, [esp+38h]
		push	eax
		lea	ecx, dword_6B1698[edi]
		call	CmpInitHiveFromFile
		mov	esi, eax
		mov	edx, 0C0000034h
		mov	eax, [esp+18h]
		mov	[esp+10h], esi
		cmp	eax, 6
		jnz	short loc_8887CC
		cmp	byte_6B191C, bl
		jnz	short loc_8887CC
		cmp	esi, edx
		jz	short loc_8887C5
		cmp	esi, 0C000003Bh
		jnz	short loc_8887CC

loc_8887C5:				; CODE XREF: PAGE:008887BBj
					; PAGE:008887E3j
		mov	esi, ebx
		jmp	loc_888D4F
; 

loc_8887CC:				; CODE XREF: PAGE:008887AFj
					; PAGE:008887B7j ...
		mov	ecx, 8000h
		test	dword_6B1638[edi], ecx
		jz	short loc_8887E5
		cmp	byte ptr (dword_6B164B+1)[edi],	bl
		jnz	short loc_8887E5
		cmp	esi, edx
		jz	short loc_8887C5

loc_8887E5:				; CODE XREF: PAGE:008887D7j
					; PAGE:008887DFj
		cmp	esi, 0C0000189h
		jnz	short loc_8887FE
		call	_CmpIsShutdownRundownActive@0 ;	CmpIsShutdownRundownActive()
		test	al, al
		jnz	loc_888D4F
		mov	eax, [esp+18h]

loc_8887FE:				; CODE XREF: PAGE:008887EBj
		test	esi, esi
		js	loc_888DC5
		test	dword_6B1638[edi], ecx
		mov	edi, [esp+1Ch]
		mov	[esp+24h], edi
		jnz	short loc_88882E
		cmp	[edi+410h], ebx
		jz	loc_888DC5
		cmp	[edi+414h], ebx
		jz	loc_888DC5

loc_88882E:				; CODE XREF: PAGE:00888814j
		mov	ecx, [esp+0Ch]
		mov	eax, dword_6B163C[ecx]
		or	eax, 4
		mov	[edi+980h], eax
		mov	dword_6B1644[ecx], edi
		cmp	[esp+17h], bl
		jz	short loc_888878
		push	7
		mov	_CmpInitRmLogOnLoad, 1
		mov	esi, offset dword_6B1650
		pop	edi

loc_88885C:				; CODE XREF: PAGE:0088886Aj
		push	ebx
		push	ebx
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		add	esi, 78h
		sub	edi, 1
		jnz	short loc_88885C
		mov	edi, [esp+24h]
		mov	esi, [esp+10h]
		mov	ecx, [esp+0Ch]

loc_888878:				; CODE XREF: PAGE:0088884Bj
		lea	eax, [edi+64h]
		test	dword ptr [eax], 8001h
		mov	[esp+1Ch], eax
		jnz	loc_888CF6
		cmp	_CmpDoIdleProcessing, ebx
		jz	loc_888CF6
		mov	edx, _CmpMachineHiveList[ecx]
		mov	ecx, edi
		call	_CmpInitBackupHive@8 ; CmpInitBackupHive(x,x)
		test	eax, eax
		jns	loc_888CF6
		mov	_CmpDoIdleProcessing, ebx
		jmp	loc_888CF6
; 

loc_8888B7:				; CODE XREF: PAGE:00888764j
		lea	eax, [edi+64h]
		mov	[esp+1Ch], eax
		mov	eax, [eax]
		test	eax, 8001h
		jnz	loc_888C69
		mov	eax, [esp+0Ch]
		lea	ecx, [esp+38h]
		push	ebx
		push	ebx
		push	ecx
		push	ebx
		push	7
		lea	ecx, [esp+24h]
		xor	edx, edx
		push	ecx
		lea	eax, dword_6B1698[eax]
		lea	ecx, [esp+40h]
		mov	[esp+38h], eax
		push	ecx
		mov	ecx, eax
		call	CmpOpenHiveFile
		mov	esi, eax
		test	esi, esi
		js	loc_888B73
		cmp	dword ptr [esp+10h], 2
		mov	eax, ebx
		jnz	short loc_88890C
		xor	eax, eax
		inc	eax

loc_88890C:				; CODE XREF: PAGE:00888907j
		mov	ecx, [esp+20h]
		push	ebx
		push	ebx
		push	ebx
		shl	eax, 4
		push	ebx
		or	eax, 2
		push	eax
		mov	[esp+24h], eax
		lea	eax, [esp+5Ch]
		push	eax
		lea	eax, [esp+44h]
		push	eax
		push	4
		pop	edx
		call	CmpOpenHiveFile
		mov	esi, eax
		test	esi, esi
		jns	short loc_88893E
		push	10h
		jmp	loc_888B72
; 

loc_88893E:				; CODE XREF: PAGE:00888935j
		mov	ecx, [esp+20h]
		lea	eax, [esp+34h]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	dword ptr [esp+20h]
		push	eax
		lea	eax, [esp+48h]
		push	eax
		push	5
		pop	edx
		call	CmpOpenHiveFile
		mov	esi, eax
		test	esi, esi
		jns	short loc_888969
		push	20h
		jmp	loc_888B72
; 

loc_888969:				; CODE XREF: PAGE:00888960j
		mov	ecx, [esp+28h]
		lea	edx, [esp+40h]
		call	_CmpGetFileSize@8 ; CmpGetFileSize(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_888983
		push	28h
		jmp	loc_888B72
; 

loc_888983:				; CODE XREF: PAGE:0088897Aj
		mov	ecx, [esp+2Ch]
		lea	edx, [esp+50h]
		call	_CmpGetFileSize@8 ; CmpGetFileSize(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_8889C1
		push	esi
		push	4
		pop	edx
		call	_CmpLogFailureToGetFileSize@12 ; CmpLogFailureToGetFileSize(x,x,x)
		push	2Bh
		lea	eax, [esp+64h]
		xor	edx, edx
		push	esi
		mov	[edi+1Ch], eax
		inc	edx
		push	16h
		mov	ecx, eax
		mov	[esp+6Ch], edi
		call	SetFailureLocation
		mov	[esp+50h], ebx
		mov	[esp+54h], ebx

loc_8889C1:				; CODE XREF: PAGE:00888994j
		mov	ecx, [esp+30h]
		lea	edx, [esp+58h]
		call	_CmpGetFileSize@8 ; CmpGetFileSize(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_8889FF
		push	esi
		push	5
		pop	edx
		call	_CmpLogFailureToGetFileSize@12 ; CmpLogFailureToGetFileSize(x,x,x)
		push	2Dh
		lea	eax, [esp+64h]
		xor	edx, edx
		push	esi
		mov	[edi+1Ch], eax
		inc	edx
		push	16h
		mov	ecx, eax
		mov	[esp+6Ch], edi
		call	SetFailureLocation
		mov	esi, ebx
		mov	[esp+10h], ebx
		jmp	short loc_888A0B
; 

loc_8889FF:				; CODE XREF: PAGE:008889D2j
		mov	eax, [esp+5Ch]
		mov	esi, [esp+58h]
		mov	[esp+10h], eax

loc_888A0B:				; CODE XREF: PAGE:008889FDj
		mov	ecx, edi
		call	CmpBecomeActiveFlusherAndReconciler
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, edi
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		mov	eax, [esp+28h]
		xor	edx, edx
		mov	[edi+400h], eax
		mov	ecx, edi
		mov	eax, [esp+2Ch]
		mov	[edi+410h], eax
		mov	eax, [esp+30h]
		mov	[edi+414h], eax
		mov	eax, [esp+40h]
		mov	[edi+490h], eax
		mov	eax, [esp+44h]
		mov	[edi+494h], eax
		mov	eax, [esp+50h]
		mov	[edi+498h], eax
		mov	eax, [esp+54h]
		mov	[edi+49Ch], eax
		mov	eax, [esp+10h]
		mov	[edi+4A0h], esi
		mov	esi, [esp+0Ch]
		mov	[edi+4A4h], eax
		and	dword ptr [edi+64h], 0FFFFFFFDh
		push	1
		mov	eax, dword_6B163C[esi]
		mov	[edi+980h], eax
		mov	eax, [esp+40h]
		mov	[edi+7Ch], eax
		mov	eax, [edi+0C8h]
		add	eax, 1000h
		push	ebx
		push	eax
		call	CmpDoFileSetSizeEx
		test	eax, eax
		jns	short loc_888AB2
		mov	ds:_CmpCannotWriteConfiguration, 1

loc_888AB2:				; CODE XREF: PAGE:00888AA9j
		mov	eax, [esp+38h]
		cmp	[edi+4Ch], eax
		jz	short loc_888B04
		lea	eax, [edi+2Ch]
		mov	[esp+10h], eax
		cmp	[eax], ebx
		jbe	short loc_888AF4
		mov	esi, [esp+38h]
		mov	edi, eax

loc_888ACC:				; CODE XREF: PAGE:00888AE4j
		push	esi
		push	ebx
		push	edi
		call	_RtlAreBitsClear@12 ; RtlAreBitsClear(x,x,x)
		test	al, al
		jnz	short loc_888AE0
		push	esi
		push	ebx
		push	edi
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)

loc_888AE0:				; CODE XREF: PAGE:00888AD6j
		add	ebx, esi
		cmp	ebx, [edi]
		jb	short loc_888ACC
		mov	edi, [esp+24h]
		xor	ebx, ebx
		mov	esi, [esp+0Ch]
		mov	eax, [esp+10h]

loc_888AF4:				; CODE XREF: PAGE:00888AC4j
		push	eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	[edi+34h], eax
		mov	eax, [esp+38h]
		mov	[edi+4Ch], eax

loc_888B04:				; CODE XREF: PAGE:00888AB9j
		mov	eax, [edi+20h]
		cmp	[eax+0FFCh], ebx
		jnz	short loc_888B18
		test	byte ptr [eax+0FF8h], 4
		jz	short loc_888B2A

loc_888B18:				; CODE XREF: PAGE:00888B0Dj
		lea	esi, [edi+2Ch]
		push	esi
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		mov	eax, [esi]
		mov	esi, [esp+0Ch]
		mov	[edi+34h], eax

loc_888B2A:				; CODE XREF: PAGE:00888B16j
		mov	ecx, edi
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		cmp	dword ptr [esp+18h], 3
		jnz	short loc_888B5D
		mov	ecx, edi
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	edx, [edi+20h]
		mov	ecx, edi
		mov	edx, [edx+24h]
		call	_CmpMarkCurrentValueDirty@8 ; CmpMarkCurrentValueDirty(x,x)
		mov	ecx, edi
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)

loc_888B5D:				; CODE XREF: PAGE:00888B40j
		mov	ecx, edi
		mov	dword_6B1644[esi], edi
		call	HvpDropPagedBins
		mov	esi, eax
		test	esi, esi
		jns	short loc_888BBE
		push	50h

loc_888B72:				; CODE XREF: PAGE:00888939j
					; PAGE:00888964j ...
		pop	ebx

loc_888B73:				; CODE XREF: PAGE:008888FAj
		lea	eax, [esp+60h]
		mov	[edi+1Ch], eax
		mov	[esp+60h], edi
		push	ebx
		push	esi
		push	16h
		xor	edx, edx
		mov	ecx, eax
		call	SetFailureLocation
		mov	eax, [esp+20h]
		xor	ebx, ebx
		mov	[esp+24h], eax
		inc	ebx
		lea	eax, [esp+4Ch]
		mov	ds:_CmpPuntBoot, bl
		push	eax
		push	ebx
		lea	eax, [esp+2Ch]
		push	eax
		push	ebx
		push	ebx
		push	0C0000218h
		call	_ExRaiseHardError@24 ; ExRaiseHardError(x,x,x,x,x,x)
		push	esi
		push	dword ptr [esp+1Ch]
		push	ebx
		jmp	loc_888DD3
; 

loc_888BBE:				; CODE XREF: PAGE:00888B6Ej
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, edi
		call	CmpFinishBeingActiveFlusherAndReconciler
		mov	eax, [edi+20h]
		cmp	[eax+0FFCh], ebx
		jnz	short loc_888BDE
		test	byte ptr [eax+0FF8h], 4
		jz	short loc_888C13

loc_888BDE:				; CODE XREF: PAGE:00888BD3j
		push	0Ch
		pop	edx
		mov	ecx, edi
		call	CmpFlushHive
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, edi
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		mov	eax, [edi+20h]
		mov	ecx, edi
		mov	[eax+0FFCh], ebx
		mov	eax, [edi+20h]
		and	dword ptr [eax+0FF8h], 0FFFFFFFBh
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_888C13:				; CODE XREF: PAGE:00888BDCj
		cmp	ds:_CmpCannotWriteConfiguration, 0
		jz	short loc_888C21
		call	_CmpDiskFullWarning@0 ;	CmpDiskFullWarning()

loc_888C21:				; CODE XREF: PAGE:00888C1Aj
		push	dword ptr [esp+20h]
		mov	ds:_SystemHiveFullPathName, (offset loc_7FFFFF+1)
		push	offset _SystemHiveFullPathName
		mov	ds:dword_A94254, offset	_SystemHiveFullPathBuffer
		call	_RtlAppendStringToString@8 ; RtlAppendStringToString(x,x)
		cmp	_CmpDoIdleProcessing, 0
		jz	short loc_888CC2
		mov	eax, [esp+0Ch]
		mov	ecx, edi
		mov	edx, _CmpMachineHiveList[eax]
		call	_CmpInitBackupHive@8 ; CmpInitBackupHive(x,x)
		test	eax, eax
		jns	short loc_888CC2
		mov	_CmpDoIdleProcessing, ebx
		jmp	short loc_888CC2
; 

loc_888C69:				; CODE XREF: PAGE:008888C5j
		cmp	ds:_CmpMiniNTBoot, bl
		jnz	short loc_888C79
		cmp	_CmpVolatileBoot, ebx
		jz	short loc_888CC2

loc_888C79:				; CODE XREF: PAGE:00888C6Fj
		test	al, 2
		jz	short loc_888C99
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, edi
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		and	dword ptr [edi+64h], 0FFFFFFFDh
		mov	ecx, edi
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_888C99:				; CODE XREF: PAGE:00888C7Bj
		mov	eax, [esp+0Ch]
		mov	ds:_SystemHiveFullPathName, (offset loc_7FFFFF+1)
		mov	ds:dword_A94254, offset	_SystemHiveFullPathBuffer
		lea	eax, dword_6B1698[eax]
		push	eax
		push	offset _SystemHiveFullPathName
		call	_RtlAppendStringToString@8 ; RtlAppendStringToString(x,x)

loc_888CC2:				; CODE XREF: PAGE:00888C4Aj
					; PAGE:00888C5Fj ...
		or	dword ptr [edi+980h], 4
		cmp	dword ptr [esp+18h], 3
		jnz	short loc_888CF6
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, edi
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		or	dword ptr [edi+64h], 200h
		mov	ecx, edi
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		lea	eax, [edi+64h]
		mov	[esp+1Ch], eax

loc_888CF6:				; CODE XREF: PAGE:00888885j
					; PAGE:00888891j ...
		call	CmpAcquireShutdownRundown
		test	al, al
		jnz	short loc_888D06
		mov	esi, 0C0000189h
		jmp	short loc_888D4B
; 

loc_888D06:				; CODE XREF: PAGE:00888CFDj
		mov	eax, [esp+1Ch]
		test	dword ptr [eax], 8001h
		jnz	short loc_888D46
		cmp	[edi+400h], ebx
		jz	short loc_888D46
		mov	eax, [esp+0Ch]
		mov	ecx, edi
		mov	edx, _CmpMachineHiveList[eax]
		call	_CmpApplyAdminSdOnHiveFiles@8 ;	CmpApplyAdminSdOnHiveFiles(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_888D46
		mov	eax, [esp+0Ch]
		push	esi
		push	_CmpMachineHiveList[eax]
		push	edi
		push	13h
		push	51h
		jmp	loc_888DD7
; 

loc_888D46:				; CODE XREF: PAGE:00888D10j
					; PAGE:00888D18j ...
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_888D4B:				; CODE XREF: PAGE:00888D04j
		mov	edi, [esp+0Ch]

loc_888D4F:				; CODE XREF: PAGE:008887C7j
					; PAGE:008887F4j
		push	ebx
		push	ebx
		lea	eax, dword_6B1660[edi]
		mov	byte_6B1649[edi], 1
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	eax, eax
		inc	eax
		lock xadd _CmpLoadWorkerIncrement, eax
		inc	eax
		cmp	eax, 6
		jnz	short loc_888D8A
		cmp	ds:_CmpCheckHiveIndex, 7
		jnb	short loc_888D8A
		push	ebx
		push	ebx
		push	offset _CmpLoadWorkerDebugEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_888D8A:				; CODE XREF: PAGE:00888D73j
					; PAGE:00888D7Cj
		mov	eax, dword_6B169C[edi]
		test	eax, eax
		jz	short loc_888DA8
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	ecx, dword_6B1698[edi]
		xor	edx, edx
		call	_RtlUnicodeStringInit@8	; RtlUnicodeStringInit(x,x)

loc_888DA8:				; CODE XREF: PAGE:00888D92j
		push	esi
		call	PsTerminateSystemThread
		mov	ecx, [esp+1BCh]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_888DC5:				; CODE XREF: PAGE:00888800j
					; PAGE:0088881Cj ...
		push	esi
		push	eax
		lea	eax, [esp+68h]
		mov	ds:_CmpPuntBoot, 1
		push	eax

loc_888DD3:				; CODE XREF: PAGE:00888BB9j
		push	2
		push	74h

loc_888DD7:				; CODE XREF: PAGE:00888D41j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFinishBeingActiveFlusherAndReconciler proc near ; CODE XREF:	PAGE:00888BC5p
					; CmReplaceKey(x,x,x,x)+208p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009285DE SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		lea	edi, [esi+24h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		lea	ebx, [esi+9C0h]
		xor	ecx, ecx
		mov	eax, [ebx+4]
		mov	[ebp+var_4], eax
		mov	eax, [esi+9CCh]
		mov	[ebp+var_8], eax
		or	eax, 0FFFFFFFFh
		mov	[ebx+4], ecx
		mov	[ebx], ecx
		mov	[esi+9CCh], ecx
		mov	[esi+9C8h], ecx
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_9285DE

loc_888E33:				; CODE XREF: CmpFinishBeingActiveFlusherAndReconciler+9F802j
					; CmpFinishBeingActiveFlusherAndReconciler+9F80Fj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	edx, [ebp+var_4]
		mov	edi, 0C0000001h
		push	edi
		mov	ecx, ebx
		call	CmpWakeWriteQueueWaiters
		mov	edx, [ebp+var_8]
		lea	ecx, [esi+9C8h]
		push	edi
		call	CmpWakeWriteQueueWaiters
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CmpFinishBeingActiveFlusherAndReconciler endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpDropPagedBins proc near		; CODE XREF: PAGE:00888B65p
					; CmpMountPreloadedHives+9A1A7p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009285F2 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		test	byte ptr [esi+64h], 10h
		jz	loc_888F4F
		mov	ecx, [esi+0C8h]
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jz	loc_888F27
		xor	eax, eax
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jz	loc_888F27

loc_888EA0:				; CODE XREF: HvpDropPagedBins+BDj
		mov	edx, eax
		mov	ecx, esi
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_9285F2
		mov	eax, [eax+4]
		test	al, 8
		jnz	short loc_888F27
		and	eax, 0FFFFFFF0h
		mov	ecx, esi
		mov	[ebp+var_10], eax
		mov	ebx, [eax+8]
		lea	eax, [ebp+var_4]
		push	eax
		push	35324D43h
		push	0
		mov	edx, ebx
		call	_HvpAllocateBin@20 ; HvpAllocateBin(x,x,x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		js	short loc_888F57
		push	ebx		; size_t
		push	[ebp+var_10]	; void *
		push	[ebp+var_4]	; void *
		call	_memcpy
		mov	eax, [ebp+var_14]
		add	esp, 0Ch
		test	byte ptr [eax+4], 2
		jnz	short loc_888F53
		xor	eax, eax

loc_888EF9:				; CODE XREF: HvpDropPagedBins+F1j
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	eax
		push	1
		push	[ebp+var_8]
		push	ebx
		call	HvpPointMapEntriesToBuffer
		xor	edi, edi
		mov	ecx, ebx
		mov	[ebp+var_4], edi
		call	CmpReleaseGlobalQuota
		mov	eax, [ebp+var_8]
		add	eax, ebx
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+var_18]
		jb	loc_888EA0

loc_888F27:				; CODE XREF: HvpDropPagedBins+29j
					; HvpDropPagedBins+36j	...
		or	eax, 0FFFFFFFFh
		lock xadd _CmpPreloadedHivesCount, eax
		jnz	short loc_888F39
		call	_MmFreeBootRegistry@0 ;	MmFreeBootRegistry()

loc_888F39:				; CODE XREF: HvpDropPagedBins+CEj
		and	dword ptr [esi+64h], 0FFFFFFEFh
		xor	eax, eax
		mov	[ebp+var_C], eax

loc_888F42:				; CODE XREF: HvpDropPagedBins+F6j
		test	edi, edi
		jnz	loc_928604

loc_888F4A:				; CODE XREF: HvpDropPagedBins+EDj
					; HvpDropPagedBins+9F7B2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_888F4F:				; CODE XREF: HvpDropPagedBins+18j
		xor	eax, eax
		jmp	short loc_888F4A
; 

loc_888F53:				; CODE XREF: HvpDropPagedBins+91j
		mov	eax, [eax]
		jmp	short loc_888EF9
; 

loc_888F57:				; CODE XREF: HvpDropPagedBins+79j
		mov	edi, [ebp+var_4]
		jmp	short loc_888F42
HvpDropPagedBins endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmFreeBootRegistry()
_MmFreeBootRegistry@0 proc near		; CODE XREF: CmpFreeBootRegistry()+3p
					; HvpDropPagedBins+D0p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ecx, ecx
		mov	edx, offset dword_6D35A8
		push	edi
		inc	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		mov	esi, eax
		mov	[ebp+var_C], esi
		test	esi, esi
		jz	short loc_888FE1
		mov	ebx, [esi]
		lea	edi, [esi+4]
		push	offset _MiRegistryVaSort ; int __cdecl (*)(const void *,const void *)
		push	4		; size_t
		push	ebx		; size_t
		push	edi		; void *
		call	_qsort
		xor	edx, edx
		add	esp, 10h
		and	[ebp+var_4], edx
		test	ebx, ebx
		jz	short loc_888FD2
		mov	esi, [ebp+var_4]

loc_888FA0:				; CODE XREF: MmFreeBootRegistry()+71j
		mov	eax, [edi]
		inc	edx
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, eax
		lea	eax, [ebx-1]
		mov	[ebp+var_8], ecx
		cmp	esi, eax
		jz	short loc_888FE9
		mov	ecx, [ebp+var_4]
		add	ecx, 1000h
		cmp	ecx, [edi+4]
		jnz	short loc_888FE6

loc_888FC7:				; CODE XREF: MmFreeBootRegistry()+A4j
		add	edi, 4
		inc	esi
		cmp	esi, ebx
		jb	short loc_888FA0
		mov	esi, [ebp+var_C]

loc_888FD2:				; CODE XREF: MmFreeBootRegistry()+3Fj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword_6D35A8, 0

loc_888FE1:				; CODE XREF: MmFreeBootRegistry()+20j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_888FE6:				; CODE XREF: MmFreeBootRegistry()+69j
		mov	ecx, [ebp+var_8]

loc_888FE9:				; CODE XREF: MmFreeBootRegistry()+5Bj
		push	ecx
		cmp	edx, 1
		jz	short loc_889002
		mov	eax, edx
		shl	eax, 3
		sub	ecx, eax
		add	ecx, 8

loc_888FF9:				; CODE XREF: MmFreeBootRegistry()+A9j
		call	MiDeleteBootRange
		xor	edx, edx
		jmp	short loc_888FC7
; 

loc_889002:				; CODE XREF: MmFreeBootRegistry()+91j
		xor	edx, edx
		inc	edx
		jmp	short loc_888FF9
_MmFreeBootRegistry@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpMarkCurrentValueDirty(x,	x)
_CmpMarkCurrentValueDirty@8 proc near	; CODE XREF: PAGE:00888B51p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		or	[ebp+var_C], 0FFFFFFFFh
		lea	eax, [ebp+var_C]
		push	esi
		push	edi
		push	eax
		mov	esi, ecx
		xor	edi, edi
		push	edx
		push	esi
		mov	[ebp+var_8], edi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_88908D
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], edi
		push	ecx
		push	(offset	loc_A3F632+6)
		mov	edx, eax
		mov	ecx, esi
		call	CmpFindSubKeyByNameWithStatus
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	[ebp+var_4], 0FFFFFFFFh
		jz	short loc_88908D
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_4]
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_88908D
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], edi
		push	ecx
		push	edi
		push	edi
		push	(offset	loc_A3F69A+6)
		lea	edx, [eax+24h]
		mov	ecx, esi
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebp+var_4]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_88908D
		push	edi
		push	edi
		mov	ecx, esi
		call	HvpMarkCellDirty

loc_88908D:				; CODE XREF: CmpMarkCurrentValueDirty(x,x)+20j
					; CmpMarkCurrentValueDirty(x,x)+43j ...
		pop	edi
		pop	esi
		leave
		retn
_CmpMarkCurrentValueDirty@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpBecomeActiveFlusherAndReconciler proc near ;	CODE XREF: PAGE:00888A0Dp
					; CmReplaceKey(x,x,x,x)+143p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092861B SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	ebx, [esi+9C8h]
		lea	edi, [esi+24h]
		mov	[ebp+var_4], ebx

loc_8890A9:				; CODE XREF: CmpBecomeActiveFlusherAndReconciler+9F592j
					; CmpBecomeActiveFlusherAndReconciler+9F5A6j
		xor	cl, cl
		call	CmpLockRegistryFreezeAware
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, ebx
		call	_CmpIsWriteQueueActive@4 ; CmpIsWriteQueueActive(x)
		test	al, al
		jnz	loc_92861B
		lea	ebx, [esi+9C0h]
		mov	ecx, ebx
		call	_CmpIsWriteQueueActive@4 ; CmpIsWriteQueueActive(x)
		test	al, al
		jnz	loc_928629
		mov	ecx, [ebp+var_4]
		call	_CmpAcquireWriteQueue@4	; CmpAcquireWriteQueue(x)
		mov	ecx, ebx
		call	_CmpAcquireWriteQueue@4	; CmpAcquireWriteQueue(x)
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_92863D

loc_8890FB:				; CODE XREF: CmpBecomeActiveFlusherAndReconciler+9F5ADj
					; CmpBecomeActiveFlusherAndReconciler+9F5BAj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CmpBecomeActiveFlusherAndReconciler endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlPhase0Initialize proc near		; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+8Fp

; FUNCTION CHUNK AT 00928651 SIZE 0000007D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, ecx
		call	HviIsAnyHypervisorPresent
		movzx	edx, al
		mov	eax, ds:_HvlpFlags
		neg	edx
		push	0
		sbb	edx, edx
		and	eax, 0FFFFEFFFh
		and	edx, 1000h
		or	eax, edx
		mov	ds:_HvlpFlags, eax
		call	HvlQueryConnection
		test	eax, eax
		jns	loc_928651
		mov	ecx, esi
		call	HvlpTryConfigureInterface
		mov	ecx, eax
		test	ecx, ecx
		jns	loc_928651
		lea	eax, [ecx+3FCAF000h]
		neg	eax
		sbb	eax, eax
		and	eax, ecx

loc_889167:				; CODE XREF: HvlPhase0Initialize+9F54Ej
					; HvlPhase0Initialize+9F567j ...
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn			; struct _exception *
HvlPhase0Initialize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Phase1Initialization(x)
_Phase1Initialization@4	proc near	; DATA XREF: PspInitPhase0+7DFo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, [ebp+arg_0]
		mov	ds:dword_B01640, eax
		mov	ds:dword_B01644, edx
		call	_Phase1InitializationDiscard@4 ; Phase1InitializationDiscard(x)
		push	4Bh
		pop	edx
		push	19h
		pop	ecx
		mov	bl, al
		call	_InbvSetProgressBarSubset@8 ; InbvSetProgressBarSubset(x,x)
		mov	ecx, [ebp+arg_0]
		call	IoInitSystem
		test	al, al
		jz	short loc_8891BA
		mov	ecx, [ebp+arg_0]
		mov	dl, bl
		call	_Phase1InitializationIoReady@8 ; Phase1InitializationIoReady(x,x)
		call	_MmFreeBootDriverInitializationCode@0 ;	MmFreeBootDriverInitializationCode()
		pop	ebx
		pop	ebp
		retn	4
; 

loc_8891BA:				; CODE XREF: Phase1Initialization(x)+38j
		push	69h
		call	_KeBugCheck@4	; KeBugCheck(x)
		int	3		; Trap to Debugger
_Phase1Initialization@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmFreeBootDriverInitializationCode()
_MmFreeBootDriverInitializationCode@0 proc near	; CODE XREF: Phase1Initialization(x)+44p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	edi, eax
		dec	word ptr [edi+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceExclusiveLite
		mov	esi, _PsLoadedModuleList
		mov	ebx, offset _PsLoadedModuleList

loc_8891F4:				; CODE XREF: MmFreeBootDriverInitializationCode()+48j
		cmp	esi, ebx
		jz	short loc_88920C
		test	dword ptr [esi+34h], 40000000h
		jnz	short loc_889208
		mov	ecx, esi
		call	_MiFreeDriverInitialization@4 ;	MiFreeDriverInitialization(x)

loc_889208:				; CODE XREF: MmFreeBootDriverInitializationCode()+3Dj
		mov	esi, [esi]
		jmp	short loc_8891F4
; 

loc_88920C:				; CODE XREF: MmFreeBootDriverInitializationCode()+34j
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, edi
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MmFreeBootDriverInitializationCode@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiStartDpcThread proc near		; CODE XREF: KiInitializeDynamicProcessor(x)+2Ep
					; INIT:00AC0025p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009286CE SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_14], ecx
		stosd
		stosd
		movzx	eax, byte ptr [ebx+3C5h]
		mov	[ebp+var_C], ax
		mov	eax, [ebx+3C8h]
		mov	[ebp+var_10], eax
		lea	eax, [ebx+3CCh]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		push	offset _KiExecuteDpc@4 ; KiExecuteDpc(x)
		push	ecx
		push	ecx
		push	ecx
		push	1FFFFFh
		lea	eax, [ebp+var_14]
		push	eax
		call	PsCreateSystemThreadEx
		mov	esi, eax
		test	esi, esi
		js	loc_9286CE
		push	[ebp+var_14]
		call	_ZwClose@4	; ZwClose(x)

loc_889298:				; CODE XREF: KiStartDpcThread+9F4A9j
					; KiStartDpcThread+9F4BBj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
KiStartDpcThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPowerButtonBugcheckConfigure	proc near
					; CODE XREF: PopPowerButtonBugcheckWatchCallback(x)+8p
					; PopInitializePowerButtonHold(x)+DDp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009286EC SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	1
		mov	esi, ecx
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	4
		push	eax
		push	1
		push	offset _PopPowerButtonBugcheckWatchWorkItem
		push	ecx
		push	esi
		mov	[ebp+var_C], ecx
		mov	bl, cl
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		call	_ZwNotifyChangeKey@40 ;	ZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_889344

loc_8892E1:				; CODE XREF: PopPowerButtonBugcheckConfigure+9Cj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopPowerButtonBugcheckLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	PopQueryPowerButtonBugcheckConfiguration
		test	eax, eax
		js	short loc_889348
		xor	eax, eax
		cmp	[ebp+var_4], eax
		setnz	al
		inc	eax
		mov	_PopPowerButtonBugcheckConfig, eax

loc_889319:				; CODE XREF: PopPowerButtonBugcheckConfigure+A5j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_9286EC

loc_889328:				; CODE XREF: PopPowerButtonBugcheckConfigure+9F444j
					; PopPowerButtonBugcheckConfigure+9F451j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, bl
		jnz	short loc_889351

loc_88933F:				; CODE XREF: PopPowerButtonBugcheckConfigure+ADj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_889344:				; CODE XREF: PopPowerButtonBugcheckConfigure+35j
		mov	bl, 1
		jmp	short loc_8892E1
; 

loc_889348:				; CODE XREF: PopPowerButtonBugcheckConfigure+5Fj
		and	_PopPowerButtonBugcheckConfig, 0
		jmp	short loc_889319
; 

loc_889351:				; CODE XREF: PopPowerButtonBugcheckConfigure+93j
		push	esi
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_88933F
PopPowerButtonBugcheckConfigure	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagSleepStudyInitialize()
_PopDiagSleepStudyInitialize@0 proc near ; CODE	XREF: PopDiagInitialize():loc_AD1350p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	_PopDiagSleepStudyHandleRegistered, 0
		push	esi
		jnz	short loc_8893A5
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		push	offset _PopDiagSleepStudyHandle	; int
		push	dword ptr [ebp+4] ; int
		mov	edx, offset _SLEEPSTUDY_ETW_PROVIDER ; void *
		mov	ecx, [eax+1F0h]	; int
		push	0		; int
		push	0		; int
		push	3		; int
		call	EtwpRegisterProvider
		mov	esi, eax
		test	esi, esi
		js	short loc_88939A
		mov	_PopDiagSleepStudyHandleRegistered, 1

loc_88939A:				; CODE XREF: PopDiagSleepStudyInitialize()+37j
					; PopDiagSleepStudyInitialize()+50j
		call	_PopSleepstudyInitialize@0 ; PopSleepstudyInitialize()
		mov	eax, esi
		pop	esi
		pop	ecx
		pop	ebp
		retn
; 

loc_8893A5:				; CODE XREF: PopDiagSleepStudyInitialize()+Ej
		mov	esi, 0C0000718h
		jmp	short loc_88939A
_PopDiagSleepStudyInitialize@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SSHSupportEtwRegister(x, x,	x, x)
_SSHSupportEtwRegister@16 proc near	; CODE XREF: SshInitialize+70p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		push	offset _SshpTraceHandle	; int
		push	dword ptr [ebp+4] ; int
		mov	edx, offset _SLEEPSTUDY_ETW_PROVIDER ; void *
		mov	ecx, [eax+1F0h]	; int
		push	0		; int
		push	0		; int
		push	3		; int
		call	EtwpRegisterProvider
		pop	ebp
		retn	8
_SSHSupportEtwRegister@16 endp


;  S U B	R O U T	I N E 


; __stdcall SSHSupportRegisterPowerSettingCallback(x, x, x, x, x)
_SSHSupportRegisterPowerSettingCallback@20 proc	near
					; CODE XREF: SshpSubscribeCallbacks()+8p
		push	offset _SshpPowerSettingHandle ; int
		push	0		; int
		push	offset _SshpPowerSettingCallback@16 ; int
		push	offset _GUID_PDC_IDLE_RESILIENCY_ENGAGED ; void	*
		push	0		; int
		call	PoRegisterPowerSettingCallback
		retn	0Ch
_SSHSupportRegisterPowerSettingCallback@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SshpQueryRegistryValues()
_SshpQueryRegistryValues@0 proc	near	; CODE XREF: SshpWnfCallback(x,x,x,x,x,x)+93p
					; SshInitialize+A8p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	edx, [ebp+var_4]
		push	1
		mov	ecx, offset ??_C@_1EC@HFINLDMB@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAs?$AAt?$AAu?$AAd?$AAy?$AAA?$AAc?$AAt?$AAi?$AAv@NNGAKEGL@
		call	_SshpQueryRegistryULong@12 ; SshpQueryRegistryULong(x,x,x)
		mov	eax, [ebp+var_4]
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], 0
		mov	ecx, offset ??_C@_1EE@LOGFODBK@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAS?$AAt?$AAu?$AAd?$AAy?$AAS?$AAe?$AAs?$AAs?$AAi@NNGAKEGL@
		push	258h
		mov	_SshpActiveThresholdPercent, eax
		call	_SshpQueryRegistryULong@12 ; SshpQueryRegistryULong(x,x,x)
		imul	eax, [ebp+var_4], 989680h
		and	dword_6BEF94, 0
		mov	_SshpSessionThresholdHns, eax
		leave
		retn
_SshpQueryRegistryValues@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


PopNetSetConnectivityConstraint	proc near
					; CODE XREF: PopPowerAggregatorEngageAggressiveStandbyActions(x,x):loc_9B3793p
					; PopNetCompliantNicUpdate(x)+1Aj ...

; FUNCTION CHUNK AT 00928700 SIZE 00000017 BYTES

		mov	eax, _PopNetStandbyStateMask
		xor	dl, dl
		bts	eax, ecx
		mov	_PopNetStandbyStateMask, eax
		cmp	ecx, 6
		jnz	loc_928700

loc_88945A:				; CODE XREF: PopNetSetConnectivityConstraint+9F2C1j
					; PopNetSetConnectivityConstraint+9F2CAj
		mov	dl, 1

loc_88945C:				; CODE XREF: PopNetSetConnectivityConstraint+9F2D0j
		xor	eax, eax
		mov	ecx, offset _PopNetGracePeriodState
		lock xadd [ecx], eax
		cmp	eax, 2
		jz	short loc_88947D

loc_88946C:				; CODE XREF: PopNetSetConnectivityConstraint+3Dj
		test	dl, dl
		jz	short locret_889481
		xor	edx, edx
		mov	ecx, offset unk_6BFEF8
		inc	edx
		jmp	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)
; 

loc_88947D:				; CODE XREF: PopNetSetConnectivityConstraint+28j
		mov	dl, 1
		jmp	short loc_88946C
; 

locret_889481:				; CODE XREF: PopNetSetConnectivityConstraint+2Cj
		retn
PopNetSetConnectivityConstraint	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBroadcastSessionInfo(x, x, x)
_PopBroadcastSessionInfo@12 proc near	; CODE XREF: PopWin32kPowerSettingCallback(x,x,x,x)+39p
					; PopPowerSourceChangeCallback+CDp ...

var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		xor	ebx, ebx
		mov	[esp+20h+var_14+1], ax
		mov	[esp+20h+var_11], bl
		cmp	_PsWin32CalloutsEstablished, al
		jz	short loc_8894CD
		mov	eax, [ebp+arg_0]
		push	ebx
		push	2
		push	5
		mov	[esp+2Ch+var_18], ecx
		mov	[esp+2Ch+var_10], edx
		lea	edx, [esp+2Ch+var_18]
		pop	ecx
		mov	byte ptr [esp+28h+var_14], bl
		mov	[esp+28h+var_C], eax
		mov	[esp+28h+var_8], ebx
		mov	[esp+28h+var_4], ebx
		call	PopInvokeWin32Callout

loc_8894CD:				; CODE XREF: PopBroadcastSessionInfo(x,x,x)+1Fj
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_PopBroadcastSessionInfo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmIdleRegisterDefaultStates proc near	; CODE XREF: PopNewProcessorCallback(x,x,x)+3Cp
					; PoInitSystem+3F8p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00928717 SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], 1
		xor	bl, bl
		call	PpmHvUseNativeAlgorithms
		test	al, al
		jz	loc_928717

loc_8894F4:				; CODE XREF: PpmIdleRegisterDefaultStates+9F24Fj
		movzx	edi, bl
		inc	edi
		push	694D5050h
		lea	eax, [edi+3]
		imul	eax, 18h
		push	eax
		push	200h
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_928728
		push	[ebp+var_8]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [esi+48h]
		add	esp, 0Ch
		and	eax, 0FFFFFF8Fh
		mov	byte ptr [esi+0Fh], 1
		or	eax, 8000008Fh
		mov	[esi+44h], edi
		mov	[esi+48h], eax
		lea	eax, [esi+58h]
		push	offset ??_C@_17FMFAKLCM@?$AAH?$AAL?$AAT@NNGAKEGL@ ; "HLT"
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	dword ptr [esi+30h], offset @PpmIdleDefaultExecute@32 ;	PpmIdleDefaultExecute(x,x,x,x,x,x,x,x)
		mov	dword ptr [esi+34h], offset _xKdUnmapVirtualAddress@12 ; xKdUnmapVirtualAddress(x,x,x)
		mov	dword ptr [esi+38h], offset _KeIsCetCapable@0 ;	KeIsCetCapable()
		mov	dword ptr [esi+3Ch], offset _KeIsCetCapable@0 ;	KeIsCetCapable()
		mov	byte ptr [esi+0Ch], 0
		test	bl, bl
		jnz	loc_928732

loc_889574:				; CODE XREF: PpmIdleRegisterDefaultStates+9F2A6j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PpmIdlePolicyLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		push	[ebp+var_4]
		mov	eax, large fs:124h
		mov	edx, offset _PpmIdleInstallDefaultStates@12 ; PpmIdleInstallDefaultStates(x,x,x)
		push	esi
		mov	ecx, offset _KeActiveProcessors
		mov	dword_6C2ADC, eax
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		cmp	dword_6C2ADC, 0
		mov	edi, eax
		jz	short loc_8895C0
		and	dword_6C2ADC, 0

loc_8895C0:				; CODE XREF: PpmIdleRegisterDefaultStates+E3j
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	694D5050h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8895D9:				; CODE XREF: PpmIdleRegisterDefaultStates+9F259j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PpmIdleRegisterDefaultStates endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmUpdateIdleStates proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092877F SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+14h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		lea	edi, [esp+20h+var_10]
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PpmIdlePolicyLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	edi, edi
		mov	dword_6C2ADC, eax
		test	esi, esi
		jz	loc_92877F
		lea	eax, [esi+4]
		push	eax
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	loc_92877F
		call	PpmHvUseNativeAlgorithms
		test	al, al
		jz	short loc_8896BD
		xor	eax, eax
		mov	[esp+20h+var_C], edi
		inc	eax
		mov	word ptr [esp+20h+var_10], ax
		mov	word ptr [esp+20h+var_10+2], ax
		xor	eax, eax
		bts	eax, ecx
		cmp	byte ptr [esi+0Dh], 0
		mov	[esp+20h+var_8], eax
		jnz	short loc_8896C6
		cmp	[esi+44h], edi
		jz	short loc_8896CE
		push	3
		mov	edx, offset PpmInstallNewIdleStates

loc_88967F:				; CODE XREF: PpmUpdateIdleStates+ECj
		push	esi

loc_889680:				; CODE XREF: PpmUpdateIdleStates+F5j
		lea	ecx, [esp+28h+var_10]
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)

loc_889689:				; CODE XREF: PpmUpdateIdleStates+E4j
		mov	esi, eax

loc_88968B:				; CODE XREF: PpmUpdateIdleStates+9F1A4j
		cmp	dword_6C2ADC, edi
		jz	short loc_889699
		mov	dword_6C2ADC, edi

loc_889699:				; CODE XREF: PpmUpdateIdleStates+B1j
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esp+20h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_8896BD:				; CODE XREF: PpmUpdateIdleStates+71j
		mov	edx, esi
		call	_PpmUpdateIdleContext@8	; PpmUpdateIdleContext(x,x)
		jmp	short loc_889689
; 

loc_8896C6:				; CODE XREF: PpmUpdateIdleStates+91j
		push	edi
		mov	edx, offset _PpmUpdateIdleStatesInplace@12 ; PpmUpdateIdleStatesInplace(x,x,x)
		jmp	short loc_88967F
; 

loc_8896CE:				; CODE XREF: PpmUpdateIdleStates+96j
		push	edi
		push	edi
		mov	edx, offset _PpmRemoveIdleStates@12 ; PpmRemoveIdleStates(x,x,x)
		jmp	short loc_889680
PpmUpdateIdleStates endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1613. ObCreateObjectType

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObCreateObjectType(x, x, x,	x)
		public _ObCreateObjectType@16
_ObCreateObjectType@16 proc near	; CODE XREF: MiInitializeSessionIds+E4p
					; MiSectionInitialization+C7p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ObCreateObjectTypeEx
		pop	ebp
		retn	10h
_ObCreateObjectType@16 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1614. ObCreateObjectTypeEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ObCreateObjectTypeEx
ObCreateObjectTypeEx proc near		; CODE XREF: ObCreateObjectType(x,x,x,x)+13p
					; VRegSetup+13Bp ...

var_116		= byte ptr -116h
var_115		= byte ptr -115h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_84		= byte ptr -84h
var_70		= dword	ptr -70h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00928789 SIZE 000000D8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 11Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+11Ch+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	[esp+128h+var_10C], eax
		mov	eax, [ebp+arg_10]
		push	90h		; size_t
		mov	[esp+12Ch+var_E0], eax
		lea	eax, [esp+12Ch+var_98]
		push	0		; int
		push	eax		; void *
		mov	[esp+134h+var_F4], ebx
		mov	[esp+134h+var_EC], esi
		call	_memset
		add	esp, 0Ch
		lea	edi, [esp+128h+var_DC]
		xor	eax, eax
		and	[esp+128h+var_100], eax
		push	6
		pop	ecx
		push	2Ch		; size_t
		push	eax		; int
		rep stosd
		lea	eax, [esp+130h+var_C4]
		push	eax		; void *
		call	_memset
		xor	edx, edx
		add	esp, 0Ch
		mov	[esp+128h+var_114], edx
		mov	[esp+128h+var_110], edx
		mov	[esp+128h+var_115], dl
		test	ebx, ebx
		jz	loc_928794
		movzx	eax, word ptr [ebx]
		mov	ecx, eax
		test	ax, ax
		jz	loc_928794
		test	al, 1
		jnz	loc_928794
		test	esi, esi
		jz	loc_928794
		test	dword ptr [esi+8], 0FFFEE00Dh
		jnz	loc_928794
		cmp	word ptr [esi],	58h
		jnz	loc_928794
		cmp	byte ptr [esi+3], 2
		jnb	loc_928794
		mov	al, [esi+2]
		test	al, 10h
		jnz	loc_889B88

loc_8897CF:				; CODE XREF: ObCreateObjectTypeEx+48Dj
					; ObCreateObjectTypeEx+496j
		mov	edx, [ebp+arg_C]
		mov	[esp+128h+var_E4], edx
		test	al, 4
		jz	loc_889B5C

loc_8897DE:				; CODE XREF: ObCreateObjectTypeEx+463j
					; ObCreateObjectTypeEx+46Ej ...
		shr	ecx, 1
		mov	eax, [esi+24h]
		mov	edi, [ebx+4]
		push	2
		pop	edx
		mov	[esp+128h+var_E8], eax
		mov	[esp+128h+var_F8], edx
		jz	short loc_889806

loc_8897F3:				; CODE XREF: ObCreateObjectTypeEx+106j
		movzx	eax, word ptr [edi]
		dec	ecx
		add	edi, edx
		cmp	eax, 5Ch
		jz	loc_9287AE
		test	ecx, ecx
		jnz	short loc_8897F3

loc_889806:				; CODE XREF: ObCreateObjectTypeEx+F3j
		mov	edx, _ObpTypeDirectoryObject
		mov	[esp+128h+var_C8], 0FFFF1234h
		test	edx, edx
		jz	short loc_889841
		lea	ecx, [esp+128h+var_DC]
		call	_ObpLockDirectoryExclusive@8 ; ObpLockDirectoryExclusive(x,x)
		mov	ecx, _ObpTypeDirectoryObject
		lea	eax, [esp+128h+var_DC]
		push	eax
		push	0
		push	0
		push	40h
		mov	edx, ebx
		call	ObpLookupDirectoryEntryEx
		test	eax, eax
		jnz	loc_9287B8

loc_889841:				; CODE XREF: ObCreateObjectTypeEx+118j
		movzx	eax, word ptr [ebx+2]
		push	6D4E624Fh
		push	eax
		xor	eax, eax
		inc	eax
		push	eax
		mov	[esp+134h+var_F0], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+128h+var_110], eax
		test	eax, eax
		jz	loc_9287BF
		mov	ax, [ebx+2]
		mov	word ptr [esp+128h+var_114+2], ax
		lea	eax, [esp+128h+var_114]
		push	ebx
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	ecx, _ObpTypeObjectType
		test	ecx, ecx
		jz	loc_889BBB
		mov	edi, [esp+128h+var_110]

loc_88988A:				; CODE XREF: ObCreateObjectTypeEx+4FDj
		xor	ebx, ebx
		mov	[esp+128h+var_C4], 10h
		mov	[esp+128h+var_C0], ebx
		xor	dl, dl
		mov	[esp+128h+var_BC], ebx
		mov	[esp+128h+var_AC], ebx
		mov	[esp+128h+var_A8], ebx
		mov	[esp+128h+var_A4], ebx
		mov	[esp+128h+var_A0], ebx
		mov	[esp+128h+var_9C], ebx
		mov	eax, [ecx+50h]
		mov	[esp+128h+var_B8], eax
		mov	eax, [ecx+54h]
		push	ebx
		mov	[esp+12Ch+var_B4], eax
		lea	eax, [esp+12Ch+var_100]
		push	eax
		push	90h
		lea	eax, [esp+134h+var_114]
		mov	[esp+134h+var_B0], 800h
		push	eax
		push	ecx
		lea	ecx, [esp+13Ch+var_C4]
		call	_ObpAllocateObject@28 ;	ObpAllocateObject(x,x,x,x,x,x,x)
		mov	ecx, eax
		mov	[esp+128h+var_FC], ecx
		test	ecx, ecx
		js	loc_9287F0
		cmp	_InitializationPhase, 0
		mov	eax, [esp+128h+var_100]
		mov	[eax+10h], ebx
		lea	ebx, [eax+18h]
		mov	eax, [esp+128h+var_114]
		mov	[ebx+8], eax
		mov	[ebx+0Ch], edi
		jz	short loc_889935
		mov	edx, [esp+128h+var_10C]
		mov	ecx, ebx
		call	_ObpInitObjectTypeSD@8 ; ObpInitObjectTypeSD(x,x)
		mov	edi, eax
		mov	[esp+128h+var_FC], edi
		test	edi, edi
		js	loc_928809

loc_889935:				; CODE XREF: ObCreateObjectTypeEx+21Cj
		xor	eax, eax
		lea	edi, [ebx+18h]
		stosd
		stosd
		stosd
		stosd
		cmp	_ObpTypeObjectType, 0
		jz	loc_889C00
		mov	edi, [esp+128h+var_F4]
		push	edi
		call	_RtlxUnicodeStringToAnsiSize@4 ; RtlxUnicodeStringToAnsiSize(x)
		add	eax, 2
		and	eax, 0FFFCh
		inc	eax
		movzx	eax, ax
		mov	[esp+128h+var_114], eax
		movzx	eax, ax
		push	6E54624Fh
		push	eax
		push	1
		mov	[esp+134h+var_F4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+128h+var_10C], eax
		push	4
		pop	ecx
		test	eax, eax
		jz	loc_928823
		push	[esp+128h+var_F4] ; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esp+134h+var_114]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[esp+128h+var_108], ecx
		mov	word ptr [esp+128h+var_108+2], ax
		mov	eax, [esp+128h+var_10C]
		push	ecx
		mov	[esp+12Ch+var_104], eax
		lea	eax, [esp+12Ch+var_108]
		push	edi
		push	eax
		call	RtlUnicodeStringToAnsiString
		test	eax, eax
		js	short loc_8899DD
		movzx	ecx, word ptr [edi]
		shr	ecx, 1

loc_8899C3:				; CODE XREF: ObCreateObjectTypeEx+4B8j
		cmp	ecx, 4
		jb	loc_889B9F
		mov	eax, [esp+128h+var_104]
		mov	byte ptr [esp+128h+var_F0], 0
		mov	eax, [eax]
		mov	[ebx+84h], eax

loc_8899DD:				; CODE XREF: ObCreateObjectTypeEx+2BEj
		push	0
		push	[esp+12Ch+var_10C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	byte ptr [esp+128h+var_F0], 0
		jnz	loc_928820

loc_8899F3:				; CODE XREF: ObCreateObjectTypeEx+519j
					; ObCreateObjectTypeEx+9F135j ...
		mov	edx, [esp+128h+var_E8]
		lea	edi, [ebx+28h]
		push	16h
		pop	ecx
		rep movsd
		mov	[ebx+4Ch], edx
		test	_NtGlobalFlag, 4000h
		jnz	loc_928847

loc_889A12:				; CODE XREF: ObCreateObjectTypeEx+9F14Dj
		mov	eax, [esp+128h+var_EC]
		movzx	ecx, byte ptr [eax+2]
		and	ecx, 10h
		or	ecx, 60h
		shr	ecx, 1
		test	dl, 1
		jnz	loc_889B80
		add	[ebx+54h], ecx

loc_889A2E:				; CODE XREF: ObCreateObjectTypeEx+485j
		cmp	dword ptr [eax+44h], 0
		jnz	short loc_889A3B
		mov	dword ptr [ebx+6Ch], offset SeDefaultObjectMethod

loc_889A3B:				; CODE XREF: ObCreateObjectTypeEx+334j
		and	dword ptr [ebx+80h], 0
		lea	eax, [ebx+88h]
		test	byte ptr [ebx+2Ah], 4
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		mov	[eax+4], eax
		mov	[eax], eax
		jz	loc_889B77
		or	dword ptr [ebx+44h], 100000h
		mov	eax, offset _ObpDefaultObject

loc_889A68:				; CODE XREF: ObCreateObjectTypeEx+47Dj
		mov	[ebx+10h], eax
		call	_KeEnterGuardedRegion@0	; KeEnterGuardedRegion()
		mov	ecx, _ObpTypeObjectType
		xor	edx, edx
		lea	ecx, [ecx+80h]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esp+128h+var_100]
		call	_OBJECT_HEADER_TO_CREATOR_INFO@4 ; OBJECT_HEADER_TO_CREATOR_INFO(x)
		mov	ecx, _ObpTypeObjectType
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_889C1C
		mov	[eax], ecx
		mov	edi, 0C000009Ah
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		mov	ecx, _ObpTypeObjectType
		mov	eax, [ecx+18h]
		cmp	eax, 100h
		jnb	loc_928850
		mov	esi, [esp+128h+var_FC]
		mov	dword_6C3E3C[eax*4], ebx

loc_889ACB:				; CODE XREF: ObCreateObjectTypeEx+9F154j
		sub	ecx, 0FFFFFF80h
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveGuardedRegion@0	; KeLeaveGuardedRegion()
		cmp	ebx, _ObpTypeObjectType
		jz	short loc_889B05
		test	esi, esi
		js	loc_928857
		lea	ecx, [esp+13h]
		call	_ObpAllocateTypeIndex@4	; ObpAllocateTypeIndex(x)
		mov	esi, eax
		mov	al, [esp+128h+var_115]
		mov	[esp+128h+var_F8], eax

loc_889AFD:				; CODE XREF: ObCreateObjectTypeEx+9F15Ej
		test	esi, esi
		js	loc_9287D9

loc_889B05:				; CODE XREF: ObCreateObjectTypeEx+3E2j
		mov	eax, [esp+128h+var_F8]
		movzx	esi, al
		mov	ds:_ObTypeIndexTable[esi*4], ebx
		mov	[ebx+14h], al
		mov	ecx, _ObpTypeDirectoryObject
		test	ecx, ecx
		jz	short loc_889B34
		lea	eax, [esp+128h+var_DC]
		mov	edx, ebx
		push	eax
		call	_ObpInsertDirectoryEntry@12 ; ObpInsertDirectoryEntry(x,x,x)
		test	al, al
		jz	loc_9287CF

loc_889B34:				; CODE XREF: ObCreateObjectTypeEx+420j
		lea	ecx, [esp+128h+var_DC]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)
		mov	eax, [esp+128h+var_E0]
		mov	[eax], ebx
		xor	eax, eax

loc_889B45:				; CODE XREF: ObCreateObjectTypeEx+9F0ABj
					; ObCreateObjectTypeEx+9F0B5j ...
		mov	ecx, [esp+128h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h		; char
; 

loc_889B5C:				; CODE XREF: ObCreateObjectTypeEx+DAj
		mov	eax, [esi+24h]
		test	eax, eax
		jz	loc_8897DE
		cmp	eax, 200h
		jz	loc_8897DE
		jmp	loc_928789
; 

loc_889B77:				; CODE XREF: ObCreateObjectTypeEx+358j
		mov	eax, [esp+128h+var_E4]
		jmp	loc_889A68
; 

loc_889B80:				; CODE XREF: ObCreateObjectTypeEx+327j
		add	[ebx+50h], ecx
		jmp	loc_889A2E
; 

loc_889B88:				; CODE XREF: ObCreateObjectTypeEx+CBj
		cmp	[esi+34h], edx
		jnz	loc_8897CF
		cmp	[esi+38h], edx
		jnz	loc_8897CF
		jmp	loc_928794
; 

loc_889B9F:				; CODE XREF: ObCreateObjectTypeEx+2C8j
		movzx	eax, word ptr [esp+128h+var_108+2]
		cmp	ecx, eax
		jnb	short loc_889BB5
		mov	eax, [esp+128h+var_104]
		mov	byte ptr [eax+ecx], 20h
		inc	word ptr [esp+128h+var_108]

loc_889BB5:				; CODE XREF: ObCreateObjectTypeEx+4A8j
		inc	ecx
		jmp	loc_8899C3
; 

loc_889BBB:				; CODE XREF: ObCreateObjectTypeEx+182j
		mov	eax, [esp+128h+var_114]
		lea	edi, [esp+128h+var_70]
		push	16h
		pop	ecx
		rep movsd
		mov	edi, [esp+128h+var_110]
		lea	ecx, [esp+128h+var_98]
		mov	esi, [esp+128h+var_EC]
		mov	[esp+128h+var_84], 2
		mov	[esp+128h+var_14], 546A624Fh
		mov	[esp+128h+var_90], eax
		mov	[esp+128h+var_8C], edi
		jmp	loc_88988A
; 

loc_889C00:				; CODE XREF: ObCreateObjectTypeEx+247j
		mov	_ObpTypeObjectType, ebx
		mov	dword ptr [ebx+18h], 1
		mov	dword ptr [ebx+84h], 546A624Fh
		jmp	loc_8899F3
; 

loc_889C1C:				; CODE XREF: ObCreateObjectTypeEx+399j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
ObCreateObjectTypeEx endp


;  S U B	R O U T	I N E 


; __stdcall ObpAllocateTypeIndex(x)
_ObpAllocateTypeIndex@4	proc near	; CODE XREF: ObCreateObjectTypeEx+3F0p
		mov	edi, edi
		push	esi
		push	edi
		push	3
		mov	edi, ecx
		mov	esi, offset unk_70E81C
		pop	ecx

loc_889C30:				; CODE XREF: ObpAllocateTypeIndex(x)+25j
		xor	edx, edx
		xor	eax, eax
		inc	edx
		lock cmpxchg [esi], edx
		test	eax, eax
		jz	short loc_889C50
		inc	ecx
		add	esi, 4
		cmp	ecx, 100h
		jb	short loc_889C30
		mov	eax, 0C0000001h
		jmp	short loc_889C54
; 

loc_889C50:				; CODE XREF: ObpAllocateTypeIndex(x)+19j
		mov	[edi], cl
		xor	eax, eax

loc_889C54:				; CODE XREF: ObpAllocateTypeIndex(x)+2Cj
		pop	edi
		pop	esi
		retn
_ObpAllocateTypeIndex@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpInitObjectTypeSD(x, x)
_ObpInitObjectTypeSD@8 proc near	; CODE XREF: ObCreateObjectTypeEx+224p
					; ObInitSystem+514p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_C], ecx
		push	esi
		mov	esi, ebx
		mov	[ebp+var_4], esi
		push	edi
		test	ebx, ebx
		jnz	short loc_889C86
		lea	ecx, [ebp+var_4]
		call	ObpCreateDefaultObjectTypeSD
		mov	esi, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_889CA5

loc_889C86:				; CODE XREF: ObpInitObjectTypeSD(x,x)+1Bj
		push	8
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	ObLogSecurityDescriptor
		mov	edi, eax
		test	edi, edi
		js	short loc_889CA5
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		test	eax, eax
		jnz	short loc_889CBB
		and	[ecx-4], eax

loc_889CA5:				; CODE XREF: ObpInitObjectTypeSD(x,x)+2Cj
					; ObpInitObjectTypeSD(x,x)+3Ej	...
		test	esi, esi
		jz	short loc_889CB4
		test	ebx, ebx
		jnz	short loc_889CB4
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_889CB4:				; CODE XREF: ObpInitObjectTypeSD(x,x)+4Fj
					; ObpInitObjectTypeSD(x,x)+53j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_889CBB:				; CODE XREF: ObpInitObjectTypeSD(x,x)+48j
		add	eax, 7
		mov	[ecx-4], eax
		jmp	short loc_889CA5
_ObpInitObjectTypeSD@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpCreateDefaultObjectTypeSD proc near	; CODE XREF: ObpInitObjectTypeSD(x,x)+20p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00928861 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		push	_SeWorldSid
		mov	[ebp+var_8], ecx
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	ds:_SeAliasAdminsSid
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeLocalSystemSid
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 2Ch
		add	eax, esi
		mov	[ebp+var_4], eax
		add	eax, 14h
		push	6C636144h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_928861
		push	ebx
		mov	ecx, edi
		call	_RtlCreateSecurityDescriptorRelative@8 ; RtlCreateSecurityDescriptorRelative(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_889DC3
		mov	esi, [ebp+var_4]
		lea	ebx, [edi+14h]
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		push	2		; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_889DC3
		push	0
		push	_SeWorldSid
		mov	ecx, ebx
		push	0F0001h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	short loc_889DC3
		push	0
		push	ds:_SeAliasAdminsSid
		mov	ecx, ebx
		push	0F0001h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	short loc_889DC3
		push	0
		push	_SeLocalSystemSid
		mov	ecx, ebx
		push	0F0001h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	short loc_889DC3
		mov	eax, 8004h
		mov	dword ptr [edi+10h], 14h
		or	[edi+2], ax
		mov	eax, [ebp+var_8]
		mov	[eax], edi

loc_889DBC:				; CODE XREF: ObpCreateDefaultObjectTypeSD+107j
		pop	ebx

loc_889DBD:				; CODE XREF: ObpCreateDefaultObjectTypeSD+9EBA2j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_889DC3:				; CODE XREF: ObpCreateDefaultObjectTypeSD+5Fj
					; ObpCreateDefaultObjectTypeSD+84j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_889DBC
ObpCreateDefaultObjectTypeSD endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpLookupDirectoryEntry(x, x, x, x)
_ObpLookupDirectoryEntry@16 proc near	; CODE XREF: ObInitSystem+4F8p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	0
		push	0
		push	[ebp+arg_0]
		call	ObpLookupDirectoryEntryEx
		pop	ebp
		retn	8
_ObpLookupDirectoryEntry@16 endp


;  S U B	R O U T	I N E 


; __stdcall CcInitializeProcessor(x)
_CcInitializeProcessor@4 proc near	; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+2D2p
					; INIT:00AC33CCp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	_MmIsThisAnNtAsSystem@0	; MmIsThisAnNtAsSystem()
		push	4B576343h
		push	80h
		push	200h
		mov	bl, al
		mov	dword ptr [edi+5D4h], offset _CcTwilightLookasideList
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_889E4E
		xor	ecx, ecx
		mov	edx, 200h
		test	bl, bl
		push	offset _ExSystemLookasideListHead
		setnz	cl
		dec	ecx
		and	ecx, 0FFFFFF80h
		add	ecx, 100h
		push	ecx
		push	4B576343h
		push	50h
		mov	ecx, esi
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)

loc_889E42:				; CODE XREF: CcInitializeProcessor(x)+6Dj
		mov	[edi+5D0h], esi
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_889E4E:				; CODE XREF: CcInitializeProcessor(x)+30j
		mov	esi, offset _CcTwilightLookasideList
		jmp	short loc_889E42
_CcInitializeProcessor@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObInitializeProcessor proc near		; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+2AEp
					; ObInitSystem+377p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092886B SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	_MmIsThisAnNtAsSystem@0	; MmIsThisAnNtAsSystem()
		xor	edx, edx
		mov	dword ptr [edi+5C4h], offset _ObpCreateInfoLookasideList
		mov	bl, al
		test	bl, bl
		push	4943624Fh
		setnz	dl
		dec	edx
		and	edx, 0FFFFFFF0h
		add	edx, 20h
		push	80h
		movzx	eax, dx
		push	200h
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_92886B
		xor	ecx, ecx
		mov	edx, 200h
		test	bl, bl
		push	offset _ExSystemLookasideListHead
		setnz	cl
		dec	ecx
		and	ecx, 0FFFFFFE0h
		add	ecx, 40h
		push	ecx
		push	4943624Fh
		push	2Ch
		mov	ecx, esi
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)

loc_889ECB:				; CODE XREF: ObInitializeProcessor+9EA1Aj
		push	4D4E624Fh
		push	80h
		mov	ebx, offset _ObpNameBufferLookasideList
		mov	[edi+5C0h], esi
		push	200h
		mov	[edi+5CCh], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_889F1F
		push	offset _ExSystemLookasideListHead
		push	[ebp+var_4]
		xor	edx, edx
		mov	ecx, esi
		push	4D4E624Fh
		push	0F8h
		inc	edx
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)

loc_889F12:				; CODE XREF: ObInitializeProcessor+CBj
		mov	[edi+5C8h], esi
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_889F1F:				; CODE XREF: ObInitializeProcessor+9Ej
		mov	esi, ebx
		jmp	short loc_889F12
ObInitializeProcessor endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoInitializeProcessor proc near		; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+2C1p
					; INIT:00AC2956p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00928875 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_24]
		push	8
		xor	eax, eax
		pop	ecx
		rep stosd
		mov	edi, edx
		test	edi, edi
		jz	loc_928875

loc_889F4F:				; CODE XREF: IoInitializeProcessor+9E95Cj
		push	6F49h
		push	280h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, _IopIrpCreditsEnabled
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	ecx, ecx
		jg	loc_928885
		mov	eax, 7FFFFFFFh

loc_889F7B:				; CODE XREF: IoInitializeProcessor+9E964j
		mov	[ebx+3CE4h], eax
		mov	eax, offset _IopCompletionLookasideList
		mov	[ebx+5DCh], eax
		test	esi, esi
		jz	short loc_889FB3
		movzx	eax, word ptr [edi+6]
		mov	edx, 200h
		push	offset _ExSystemLookasideListHead
		push	eax
		push	50706349h
		push	1Ch
		mov	ecx, esi
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		mov	eax, [ebp+var_28]
		sub	esi, 0FFFFFF80h

loc_889FB3:				; CODE XREF: IoInitializeProcessor+6Aj
		mov	[ebx+5D8h], eax
		mov	eax, offset _IopLargeIrpLookasideList
		mov	[ebp+var_28], esi
		mov	[ebx+5B4h], eax
		test	esi, esi
		jz	short loc_889FEF
		movzx	eax, word ptr [edi+4]
		mov	edx, 200h
		push	offset _ExSystemLookasideListHead
		push	eax
		push	4C707249h
		push	dword ptr [edi+14h]
		mov	ecx, esi
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		mov	eax, [ebp+var_28]
		sub	esi, 0FFFFFF80h

loc_889FEF:				; CODE XREF: IoInitializeProcessor+A5j
		mov	[ebx+5B0h], eax
		mov	eax, offset _IopMediumIrpLookasideList
		mov	[ebp+var_28], esi
		mov	[ebx+5ACh], eax
		test	esi, esi
		jz	short loc_88A02B
		movzx	eax, word ptr [edi+2]
		mov	edx, 200h
		push	offset _ExSystemLookasideListHead
		push	eax
		push	4D707249h
		push	dword ptr [edi+10h]
		mov	ecx, esi
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		mov	eax, [ebp+var_28]
		sub	esi, 0FFFFFF80h

loc_88A02B:				; CODE XREF: IoInitializeProcessor+E1j
		mov	[ebx+5A8h], eax
		mov	eax, offset _IopSmallIrpLookasideList
		mov	[ebp+var_28], esi
		mov	[ebx+5A4h], eax
		test	esi, esi
		jz	short loc_88A066
		movzx	eax, word ptr [edi]
		mov	edx, 200h
		push	offset _ExSystemLookasideListHead
		push	eax
		push	53707249h
		push	dword ptr [edi+0Ch]
		mov	ecx, esi
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		mov	eax, [ebp+var_28]
		sub	esi, 0FFFFFF80h

loc_88A066:				; CODE XREF: IoInitializeProcessor+11Dj
		mov	[ebx+5A0h], eax
		mov	eax, offset _IopMdlLookasideList
		mov	[ebx+5BCh], eax
		test	esi, esi
		jz	short loc_88A0E2
		movzx	eax, word ptr [edi+8]
		mov	edx, 200h
		push	offset _ExSystemLookasideListHead
		push	eax
		push	506C644Dh
		push	dword ptr [edi+18h]
		mov	ecx, esi
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)

loc_88A099:				; CODE XREF: IoInitializeProcessor+1C0j
		mov	[ebx+5B8h], esi
		test	byte ptr _IopIrpStackProfilerFlags, 3
		jz	short loc_88A0D1
		push	50h		; size_t
		xor	edi, edi
		lea	esi, [ebx+4608h]
		push	edi		; int
		push	esi		; void *
		call	_memset
		push	50h		; size_t
		mov	[esi+50h], edi
		lea	esi, [ebx+465Ch]
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 18h
		mov	[esi+50h], edi

loc_88A0D1:				; CODE XREF: IoInitializeProcessor+182j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_88A0E2:				; CODE XREF: IoInitializeProcessor+155j
		mov	esi, eax
		jmp	short loc_88A099
IoInitializeProcessor endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1744. PsAllocSiloContextSlot

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsAllocSiloContextSlot(x, x)
		public _PsAllocSiloContextSlot@8
_PsAllocSiloContextSlot@8 proc near

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		call	PspStorageAllocSlot
		pop	ebp
		retn	8
_PsAllocSiloContextSlot@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1881. PsRegisterSiloMonitor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsRegisterSiloMonitor
PsRegisterSiloMonitor proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092888D SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		cmp	byte ptr [esi],	0
		jz	loc_928896
		mov	eax, [esi+8]
		test	eax, eax
		jz	loc_928896
		xor	ecx, ecx
		cmp	[eax], cx
		jz	loc_928896
		cmp	[esi+0Ch], ecx
		jz	loc_92888D

loc_88A135:				; CODE XREF: PsRegisterSiloMonitor+9E78Ej
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	loc_9288A0
		mov	eax, [esi+8]
		push	4D6C6953h
		movzx	eax, word ptr [eax]
		movzx	ebx, ax
		add	ebx, 20h
		mov	[ebp+arg_0], eax
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_88A1C7
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	al, [esi+1]
		add	esp, 0Ch
		mov	[edi+8], al
		mov	al, [esi+2]
		mov	[edi+9], al
		mov	eax, [esi+0Ch]
		mov	[edi+10h], eax
		mov	eax, [esi+10h]
		mov	[edi+14h], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+1Ah], ax
		lea	eax, [edi+20h]
		mov	[edi+1Ch], eax
		lea	eax, [edi+18h]
		push	dword ptr [esi+8]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		lea	ecx, [edi+0Ch]
		call	PspStorageAllocSlot
		mov	esi, eax
		test	esi, esi
		js	loc_9288AA
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		xor	eax, eax

loc_88A1C0:				; CODE XREF: PsRegisterSiloMonitor+CAj
					; PsRegisterSiloMonitor+9E799j	...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_88A1C7:				; CODE XREF: PsRegisterSiloMonitor+66j
		mov	eax, 0C000009Ah
		jmp	short loc_88A1C0
PsRegisterSiloMonitor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspStorageAllocSlot proc near		; CODE XREF: PsAllocSiloContextSlot(x,x)+8p
					; PsRegisterSiloMonitor+A8p ...

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009288BC SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	[ebp+var_4], ecx
		xor	edx, edx
		push	edi
		mov	ecx, offset _PspStorageBitmapLock
		xor	edi, edi
		call	ExAcquirePushLockExclusiveEx
		push	edi
		push	1
		push	offset _PspStorageBitmap
		call	RtlFindClearBitsAndSet
		mov	esi, eax
		or	ebx, 0FFFFFFFFh
		cmp	esi, ebx
		jz	loc_9288BC

loc_88A202:				; CODE XREF: PspStorageAllocSlot+9E704j
					; PspStorageAllocSlot+9E70Ej
		mov	eax, offset _PspStorageBitmapLock
		lock xadd [eax], ebx
		test	bl, 2
		jnz	loc_9288E1

loc_88A214:				; CODE XREF: PspStorageAllocSlot+9E716j
					; PspStorageAllocSlot+9E728j
		mov	ecx, eax
		call	KeAbPostRelease
		test	edi, edi
		js	short loc_88A224
		mov	eax, [ebp+var_4]
		mov	[eax], esi

loc_88A224:				; CODE XREF: PspStorageAllocSlot+4Fj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PspStorageAllocSlot endp

; 
		align 10h
; Exported entry 568. FsRtlIsMobileOS

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlIsMobileOS()
		public _FsRtlIsMobileOS@0
_FsRtlIsMobileOS@0 proc	near		; CODE XREF: INIT:00AC31EDp
					; INIT:00AC3206p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		call	ds:__imp__TmCurrentTransaction@4 ; TmCurrentTransaction(x)
		cmp	eax, 0C00000BBh
		setz	al
		leave
		retn
_FsRtlIsMobileOS@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WheapInitializeErrorSource proc	near	; CODE XREF: WheapInitializeDeferredErrorSources(x)+29p
					; WheaAddErrorSource+6Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009288FB SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	dword ptr [esi+58h], 10h
		ja	loc_9288FB
		mov	dword ptr [esi+1Ch], 61656857h
		mov	eax, [esi+58h]
		mov	[esi+20h], eax
		mov	eax, [esi+68h]
		mov	[esi+2Ch], eax
		call	_WheapCallErrorSourceCorrect@4 ; WheapCallErrorSourceCorrect(x)
		test	eax, eax
		js	loc_88A30A
		mov	eax, [esi+70h]
		mov	ebx, [esi+30h]
		add	ebx, 48h
		mov	[esi+0Ch], eax
		mov	edi, [esi+64h]
		mov	[esi+14h], edi
		imul	ebx, [esi+68h]
		add	ebx, 9Fh
		and	ebx, 0FFFFFFFCh
		mov	[esi+18h], ebx
		test	edi, edi
		jz	short loc_88A306
		imul	edi, ebx
		push	61656857h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_88A30E
		push	edi		; size_t
		xor	edi, edi
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	[ebp+var_4], edi
		cmp	[esi+14h], edi
		jbe	short loc_88A2FC
		mov	edi, eax

loc_88A2DF:				; CODE XREF: WheapInitializeErrorSource+A7j
		push	esi
		mov	edx, ebx
		mov	ecx, edi
		call	_WheapInitializeErrorRecordWrapper@12 ;	WheapInitializeErrorRecordWrapper(x,x,x)
		mov	eax, [ebp+var_4]
		add	edi, ebx
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, [esi+14h]
		jb	short loc_88A2DF
		mov	eax, [ebp+var_8]
		xor	edi, edi

loc_88A2FC:				; CODE XREF: WheapInitializeErrorSource+8Dj
		mov	[esi+24h], eax

loc_88A2FF:				; CODE XREF: WheapInitializeErrorSource+BAj
					; WheapInitializeErrorSource+C5j ...
		mov	eax, edi

loc_88A301:				; CODE XREF: WheapInitializeErrorSource+BEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_88A306:				; CODE XREF: WheapInitializeErrorSource+5Bj
		xor	edi, edi
		jmp	short loc_88A2FF
; 

loc_88A30A:				; CODE XREF: WheapInitializeErrorSource+31j
		xor	eax, eax
		jmp	short loc_88A301
; 

loc_88A30E:				; CODE XREF: WheapInitializeErrorSource+75j
		mov	edi, 0C000009Ah
		jmp	short loc_88A2FF
WheapInitializeErrorSource endp

; 
		align 2

;  S U B	R O U T	I N E 


EtwInitialize	proc near		; CODE XREF: CmCompleteRegistryInitialization+35p
					; INIT:00AC2CA2p ...

; FUNCTION CHUNK AT 00928905 SIZE 00000021 BYTES

		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		cmp	ecx, 2
		jnb	short loc_88A329
		call	EtwpInitialize

loc_88A325:				; CODE XREF: EtwInitialize:loc_88A329j
					; EtwInitialize+29j ...
		pop	esi
		pop	ebx
		pop	ecx
		retn
; 

loc_88A329:				; CODE XREF: EtwInitialize+8j
		jnz	short loc_88A325
		mov	eax, ds:_EtwpHostSiloState
		xor	esi, esi
		mov	ds:_EtwpFileSystemReady, 1
		cmp	[eax+8], esi
		jbe	short loc_88A325

loc_88A341:				; CODE XREF: EtwInitialize+77j
		mov	ecx, [eax+188h]
		xor	edx, edx
		inc	edx
		mov	ecx, [ecx+esi*4]
		call	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
		test	al, al
		jz	short loc_88A384
		mov	eax, ds:_EtwpHostSiloState
		cmp	esi, [eax+8]
		jnb	short loc_88A3D2
		mov	eax, [eax+18Ch]
		mov	ebx, [eax+esi*4]

loc_88A369:				; CODE XREF: EtwInitialize+BFj
		test	bl, 1
		jz	short loc_88A391

loc_88A36E:				; CODE XREF: EtwInitialize+82j
					; EtwInitialize+8Dj ...
		mov	eax, ds:_EtwpHostSiloState
		xor	edx, edx
		inc	edx
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+esi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)

loc_88A384:				; CODE XREF: EtwInitialize+3Ej
		mov	eax, ds:_EtwpHostSiloState
		inc	esi
		cmp	esi, [eax+8]
		jb	short loc_88A341
		jmp	short loc_88A325
; 

loc_88A391:				; CODE XREF: EtwInitialize+56j
		test	dword ptr [ebx+0Ch], 400h
		jnz	short loc_88A36E
		mov	ecx, ebx
		call	EtwpBuffersFlushRequired
		test	al, al
		jz	short loc_88A36E
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	loc_928905
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	loc_928905
		push	0
		push	0
		lea	eax, [ebx+174h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_88A36E
; 

loc_88A3D2:				; CODE XREF: EtwInitialize+48j
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_88A369
EtwInitialize	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall EtwInitializeProcessor(x)
_EtwInitializeProcessor@4 proc near	; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+2E3p
					; EtwpInitialize+D2p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	70777445h
		mov	ebx, 140h
		mov	edi, ecx
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[edi+4054h], esi
		test	esi, esi
		jz	short loc_88A423
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edx, [edi+3CCh]
		add	esp, 0Ch
		mov	ecx, esi
		call	_EtwpInitializeActivityIdSeed@8	; EtwpInitializeActivityIdSeed(x,x)
		mov	ecx, esi
		pop	edi
		pop	esi
		pop	ebx
		jmp	EtwpCCSwapInitializeProcessor
; 

loc_88A423:				; CODE XREF: EtwInitializeProcessor(x)+26j
		mov	eax, 0C0000017h
		pop	edi
		pop	esi
		pop	ebx
		retn
_EtwInitializeProcessor@4 endp


;  S U B	R O U T	I N E 


EtwpCCSwapInitializeProcessor proc near	; CODE XREF: EtwInitializeProcessor(x)+46j

; FUNCTION CHUNK AT 00928926 SIZE 00000031 BYTES

		mov	edi, edi
		push	esi
		push	edi
		lea	edi, [ecx+128h]
		xor	esi, esi

loc_88A438:				; CODE XREF: EtwpCCSwapInitializeProcessor+22j
		cmp	_CCSwapNumLoggersPerClockType[esi], 0
		jnz	loc_928926

loc_88A445:				; CODE XREF: EtwpCCSwapInitializeProcessor+9E4FDj
					; EtwpCCSwapInitializeProcessor+9E51Bj
		add	esi, 4
		add	edi, 4
		cmp	esi, 14h
		jb	short loc_88A438
		xor	eax, eax

loc_88A452:				; CODE XREF: EtwpCCSwapInitializeProcessor+9E526j
		pop	edi
		pop	esi
		retn
EtwpCCSwapInitializeProcessor endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpInitializeActivityIdSeed(x, x)
_EtwpInitializeActivityIdSeed@8	proc near ; CODE XREF: EtwInitializeProcessor(x)+3Cp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= word ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	esi, ecx
		stosd
		mov	[esi+6], dx
		stosd
		stosd
		lea	eax, [esi+8]
		push	eax
		call	KeQuerySystemTime
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], 10h
		push	eax		; int
		lea	eax, [ebp+var_14]
		push	eax		; void *
		push	0		; int
		push	0		; int
		push	15h		; int
		call	HeadlessDispatch
		test	eax, eax
		jz	short loc_88A4A9
		lea	eax, [ebp+var_14]
		push	eax
		call	KeQuerySystemTime

loc_88A4A9:				; CODE XREF: EtwpInitializeActivityIdSeed(x,x)+48j
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_4]
		mov	[esi], eax
		xor	ecx, ebp
		mov	ax, [ebp+var_10]
		pop	edi
		mov	[esi+4], ax
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpInitializeActivityIdSeed@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPnpRtlInit	proc near		; CODE XREF: PnpBootPhaseComplete+8p
					; IopInitializePlugPlayServices(x,x)+28Ap ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00928957 SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		test	edi, edi
		jz	short loc_88A4ED

loc_88A4DD:				; CODE XREF: PiPnpRtlInit+13Bj
		mov	ecx, edi
		call	_PiDrvDbInit@4	; PiDrvDbInit(x)
		mov	esi, eax

loc_88A4E6:				; CODE XREF: PiPnpRtlInit+46j
					; PiPnpRtlInit+56j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_88A4ED:				; CODE XREF: PiPnpRtlInit+17j
		mov	eax, offset _PiPnpRtlActiveOperations
		push	offset _PiPnpRtlRemoveOperationDispatchLock
		mov	dword_6CBF5C, eax
		mov	_PiPnpRtlActiveOperations, eax
		call	ExInitializeResourceLite
		mov	esi, eax
		test	esi, esi
		js	short loc_88A4E6
		push	offset _PiPnpRtlActiveOperationsLock
		call	ExInitializeResourceLite
		mov	esi, eax
		test	esi, esi
		js	short loc_88A4E6
		push	offset _PiPnpRtlCtx
		push	ecx
		push	ecx
		push	ebx
		push	ecx
		xor	edx, edx
		call	_PnpCtxOpenMachine
		mov	esi, eax
		test	esi, esi
		js	short loc_88A4E6
		call	_CmIsStateSeparationEnabled@0 ;	CmIsStateSeparationEnabled()
		test	al, al
		jnz	loc_928957

loc_88A53F:				; CODE XREF: PiPnpRtlInit+9E4BDj
					; PiPnpRtlInit+9E4E4j
		lea	edx, [ebp+var_8]
		mov	ecx, offset PiPnpRtlRegisterDriverMachineNodeCallback
		call	PiDrvDbEnumDriverStoreNodes
		mov	esi, eax
		test	esi, esi
		js	short loc_88A4E6
		mov	esi, [ebp+var_8]
		test	esi, esi
		js	short loc_88A4E6
		xor	edx, edx
		push	offset _PiPnpRtlGetDeviceNtPropertyRoutine@28 ;	PiPnpRtlGetDeviceNtPropertyRoutine(x,x,x,x,x,x,x)
		inc	edx
		call	__PnpCtxSetNtPlugPlayRoutine@12	; _PnpCtxSetNtPlugPlayRoutine(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88A4E6
		push	offset _PiPnpRtlGetDeviceStatus@24 ; PiPnpRtlGetDeviceStatus(x,x,x,x,x,x)
		push	2
		pop	edx
		call	__PnpCtxSetNtPlugPlayRoutine@12	; _PnpCtxSetNtPlugPlayRoutine(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88A4E6
		push	offset _PiPnpRtlGetDeviceRelatedDeviceRoutine@28 ; PiPnpRtlGetDeviceRelatedDeviceRoutine(x,x,x,x,x,x,x)
		push	3
		pop	edx
		call	__PnpCtxSetNtPlugPlayRoutine@12	; _PnpCtxSetNtPlugPlayRoutine(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88A4E6
		push	offset _PiPnpRtlGetDeviceRelationsList@28 ; PiPnpRtlGetDeviceRelationsList(x,x,x,x,x,x,x)
		push	4
		pop	edx
		call	__PnpCtxSetNtPlugPlayRoutine@12	; _PnpCtxSetNtPlugPlayRoutine(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88A4E6
		push	offset _PiPnpRtlGetDeviceInterfaceEnabled@16 ; PiPnpRtlGetDeviceInterfaceEnabled(x,x,x,x)
		push	5
		pop	edx
		call	__PnpCtxSetNtPlugPlayRoutine@12	; _PnpCtxSetNtPlugPlayRoutine(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88A4E6
		mov	eax, _PiPnpRtlCtx
		mov	ecx, offset PiPnpRtlObjectActionCallback
		add	eax, 0F8h
		xchg	ecx, [eax]
		mov	eax, _PiPnpRtlCtx
		mov	ecx, offset PiPnpRtlCmActionCallback
		add	eax, 100h
		xchg	ecx, [eax]
		mov	eax, _PiPnpRtlCtx
		mov	ecx, offset _PiPnpRtlObjectEventCallback@20 ; PiPnpRtlObjectEventCallback(x,x,x,x,x)
		add	eax, 0FCh
		xchg	ecx, [eax]
		jmp	loc_88A4DD
PiPnpRtlInit	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxSetNtPlugPlayRoutine(x, x, x)
__PnpCtxSetNtPlugPlayRoutine@12	proc near ; CODE XREF: PiPnpRtlInit+9Dp
					; PiPnpRtlInit+B4p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		cmp	edx, 6
		jge	short loc_88A628
		mov	eax, _PiPnpRtlCtx
		mov	ecx, [ebp+arg_0]
		lea	eax, [eax+edx*4]
		sub	eax, 0FFFFFF80h
		xchg	ecx, [eax]

loc_88A621:				; CODE XREF: _PnpCtxSetNtPlugPlayRoutine(x,x,x)+29j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_88A628:				; CODE XREF: _PnpCtxSetNtPlugPlayRoutine(x,x,x)+Bj
		mov	esi, 0C000000Dh
		jmp	short loc_88A621
__PnpCtxSetNtPlugPlayRoutine@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbInit(x)
_PiDrvDbInit@4	proc near		; CODE XREF: PiPnpRtlInit+1Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	edx, edx
		and	[ebp+var_4], edx
		push	esi
		test	ecx, ecx
		jz	short loc_88A664
		cmp	ecx, 2
		jnz	loc_88A6E6
		call	PiDrvDbSetupNodes
		mov	edx, eax
		test	edx, edx
		js	loc_88A6E6
		xor	cl, cl		; char
		call	_PiDrvDbSuspendNodes@4 ; PiDrvDbSuspendNodes(x)
		jmp	loc_88A6E4
; 

loc_88A664:				; CODE XREF: PiDrvDbInit(x)+Ej
		mov	eax, offset _PiDrvDbNodeList
		mov	dword_6CB57C, eax
		mov	_PiDrvDbNodeList, eax
		call	DrvDbOpenContext
		mov	edx, eax
		test	edx, edx
		js	short loc_88A6E6
		xor	esi, esi

loc_88A680:				; CODE XREF: PiDrvDbInit(x)+80j
		mov	ecx, ds:dword_404898[esi]
		test	cl, 4
		jz	short loc_88A694
		call	_CmIsStateSeparationEnabled@0 ;	CmIsStateSeparationEnabled()
		test	al, al
		jnz	short loc_88A6AA

loc_88A694:				; CODE XREF: PiDrvDbInit(x)+59j
		push	0
		push	ecx
		mov	edx, ecx
		mov	ecx, ds:_PiDrvDbNodeDescriptors[esi]
		call	PiDrvDbRegisterNode
		mov	edx, eax
		test	edx, edx
		js	short loc_88A6E6

loc_88A6AA:				; CODE XREF: PiDrvDbInit(x)+62j
		add	esi, 8
		cmp	esi, 10h
		jb	short loc_88A680
		test	edx, edx
		js	short loc_88A6E6
		lea	edx, [ebp+var_4]
		mov	ecx, offset PiDrvDbRegisterNodeCallback
		call	PiDrvDbEnumDriverStoreNodes
		mov	edx, eax
		test	edx, edx
		js	short loc_88A6E6
		mov	edx, [ebp+var_4]
		test	edx, edx
		js	short loc_88A6E6
		mov	cl, 1		; char
		call	_PiDrvDbSuspendNodes@4 ; PiDrvDbSuspendNodes(x)
		mov	edx, eax
		test	edx, edx
		js	short loc_88A6E6
		xor	ecx, ecx
		call	PiDrvDbSetupNodes

loc_88A6E4:				; CODE XREF: PiDrvDbInit(x)+2Fj
		mov	edx, eax

loc_88A6E6:				; CODE XREF: PiDrvDbInit(x)+13j
					; PiDrvDbInit(x)+22j ...
		mov	eax, edx
		pop	esi
		leave
		retn
_PiDrvDbInit@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDrvDbSetupNodes proc near		; CODE XREF: PiDrvDbInit(x)+19p
					; PiDrvDbInit(x)+AFp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009289AD SIZE 00000083 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, ecx
		and	[ebp+var_4], edi
		and	[ebp+var_8], edi
		test	ebx, ebx
		jnz	loc_88A7C8
		mov	[ebp+var_C], offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@

loc_88A710:				; CODE XREF: PiDrvDbSetupNodes+E8j
		mov	esi, _PiDrvDbNodeList
		jmp	loc_88A7B1
; 

loc_88A71B:				; CODE XREF: PiDrvDbSetupNodes+D7j
		mov	edx, [esi+0Ch]
		lea	eax, [ebp+var_8]
		mov	ecx, _PiPnpRtlCtx
		lea	edi, [esi+114h]
		push	0
		push	eax
		push	4
		push	edi
		lea	eax, [ebp+var_4]
		push	eax
		push	offset _DEVPKEY_DriverDatabase_SetupOptions
		push	0
		push	dword ptr [esi+24h]
		push	7
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	loc_9289AD

loc_88A750:				; CODE XREF: PiDrvDbSetupNodes+9E2C5j
					; PiDrvDbSetupNodes+9E2D5j
		mov	dword ptr [edi], 33h

loc_88A756:				; CODE XREF: PiDrvDbSetupNodes+9E2CFj
		mov	edx, [esi+0Ch]
		lea	ecx, [ebp+var_8]
		push	0
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esi+118h]
		push	4
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	offset _DEVPKEY_DriverDatabase_SetupStatus
		push	0
		push	dword ptr [esi+24h]
		push	7
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_88A7D9
		cmp	[ebp+var_4], 18h
		jnz	short loc_88A7D9
		cmp	[ebp+var_8], 4
		jnz	short loc_88A7D9
		cmp	dword ptr [esi+118h], 103h
		jz	loc_9289C6

loc_88A7A5:				; CODE XREF: PiDrvDbSetupNodes+D5j
					; PiDrvDbSetupNodes+9E2E5j
		test	byte ptr [esi+20h], 20h
		jnz	loc_9289D6

loc_88A7AF:				; CODE XREF: PiDrvDbSetupNodes+D1j
					; PiDrvDbSetupNodes+9E30Ej ...
		mov	esi, [esi]

loc_88A7B1:				; CODE XREF: PiDrvDbSetupNodes+2Aj
		cmp	esi, offset _PiDrvDbNodeList
		jz	short loc_88A7E2
		test	byte ptr [esi+20h], 4
		jnz	short loc_88A7AF
		test	ebx, ebx
		jnz	short loc_88A7A5
		jmp	loc_88A71B
; 

loc_88A7C8:				; CODE XREF: PiDrvDbSetupNodes+17j
		cmp	ebx, 2
		jnz	short loc_88A7E0
		mov	[ebp+var_C], offset ??_C@_1BC@JDKNNDON@?$AAS?$AAO?$AAF?$AAT?$AAW?$AAA?$AAR?$AAE@NNGAKEGL@
		jmp	loc_88A710
; 

loc_88A7D9:				; CODE XREF: PiDrvDbSetupNodes+9Bj
					; PiDrvDbSetupNodes+A1j ...
		xor	edi, edi
		jmp	loc_9289C6
; 

loc_88A7E0:				; CODE XREF: PiDrvDbSetupNodes+DFj
		xor	edi, edi

loc_88A7E2:				; CODE XREF: PiDrvDbSetupNodes+CBj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PiDrvDbSetupNodes endp

; 
		align 2

;  S U B	R O U T	I N E 


; int __fastcall PiDrvDbSuspendNodes(char)
_PiDrvDbSuspendNodes@4 proc near	; CODE XREF: PiDrvDbInit(x)+2Ap
					; PiDrvDbInit(x)+A2p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, _PiDrvDbNodeList
		xor	eax, eax
		push	edi
		mov	edi, ecx
		mov	ebx, offset _PiDrvDbNodeList
		jmp	short loc_88A80F
; 

loc_88A800:				; CODE XREF: PiDrvDbSuspendNodes(x)+2Fj
		mov	edx, [esi+0Ch]	; wchar_t *
		push	edi		; char
		call	DrvDbSuspendDatabase
		test	eax, eax
		js	short loc_88A81B

loc_88A80D:				; CODE XREF: PiDrvDbSuspendNodes(x)+2Dj
		mov	esi, [esi]

loc_88A80F:				; CODE XREF: PiDrvDbSuspendNodes(x)+14j
		cmp	esi, ebx
		jz	short loc_88A81B
		test	byte ptr [esi+20h], 2
		jnz	short loc_88A80D
		jmp	short loc_88A800
; 

loc_88A81B:				; CODE XREF: PiDrvDbSuspendNodes(x)+21j
					; PiDrvDbSuspendNodes(x)+27j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PiDrvDbSuspendNodes@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall DrvDbSuspendDatabase(int,wchar_t *,char)
DrvDbSuspendDatabase proc near		; CODE XREF: PiDrvDbSuspendNodes(x)+1Ap

var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00928A30 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, _PiDrvDbCtx
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		mov	[ebp+var_4], esi
		test	edi, edi
		jz	loc_928A30
		push	offset ??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@ ; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_928A30
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_DrvDbFindDatabaseNode@12 ; DrvDbFindDatabaseNode(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_88A874
		cmp	[ebp+arg_0], 0
		jz	short loc_88A87D
		mov	ecx, [ebp+var_4]
		or	dword ptr [ecx+1Ch], 4

loc_88A874:				; CODE XREF: DrvDbSuspendDatabase+45j
					; DrvDbSuspendDatabase+64j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_88A87D:				; CODE XREF: DrvDbSuspendDatabase+4Bj
		mov	eax, [ebp+var_4]
		and	dword ptr [eax+1Ch], 0FFFFFFFBh
		jmp	short loc_88A874
DrvDbSuspendDatabase endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDrvDbRegisterNode proc near		; CODE XREF: PiDrvDbInit(x)+6Fp
					; PiDrvDbRegisterNodeCallback+9C6E5p

var_26		= byte ptr -26h
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00928A5D SIZE 00000140 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	esi, ecx
		lea	eax, [esp+34h+var_10]
		xor	ecx, ecx
		mov	[esp+34h+var_1C], esi
		push	edi
		push	ecx
		push	eax
		mov	ebx, edx
		mov	[esp+40h+var_24], ecx
		mov	[esp+40h+var_20], ecx
		mov	[esp+40h+var_25], cl
		mov	[esp+40h+var_18], ecx
		mov	[esp+40h+var_14], ecx
		mov	[esp+40h+var_10], ecx
		mov	[esp+40h+var_C], ecx
		mov	[esp+40h+var_8], ecx
		mov	[esp+40h+var_4], ecx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+38h+var_24]
		mov	edx, ebx
		push	eax		; int
		push	[ebp+arg_4]	; void *
		mov	ecx, esi
		push	0		; void *
		call	PiDrvDbCreateNode
		mov	esi, [esp+38h+var_24]
		mov	edi, eax
		test	edi, edi
		js	short loc_88A964
		test	byte ptr [esi+20h], 1
		jnz	loc_88A991
		movzx	edi, word ptr [esi+10h]
		push	62647050h
		add	edi, 20h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+38h+var_20], eax
		test	eax, eax
		jz	loc_928A5D
		push	offset ??_C@_1BO@JJFLMBDN@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAa?$AAb?$AAa?$AAs?$AAe@NNGAKEGL@ ; "DriverDatabase"
		lea	ecx, [esi+10h]
		shr	edi, 1
		push	ecx		; char
		push	offset ??_C@_1BA@FKNPIBNG@?$AA?$CF?$AAw?$AAZ?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	edi		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		mov	edi, eax
		add	esp, 14h
		test	edi, edi
		js	short loc_88A964
		mov	edx, [esp+38h+var_1C]
		and	ebx, 8
		push	esi
		push	ecx
		setnz	al
		movzx	eax, al
		push	eax
		mov	eax, [esp+44h+var_20]
		push	eax
		push	ecx
		call	_DrvDbRegisterDatabase@28 ; DrvDbRegisterDatabase(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_88A964
		mov	[esp+38h+var_25], 1

loc_88A95A:				; CODE XREF: PiDrvDbRegisterNode+10Ej
		test	ebx, ebx
		jnz	loc_928A67

loc_88A962:				; CODE XREF: PiDrvDbRegisterNode+9E2BDj
					; PiDrvDbRegisterNode+9E2F6j
		xor	esi, esi

loc_88A964:				; CODE XREF: PiDrvDbRegisterNode+62j
					; PiDrvDbRegisterNode+ACj ...
		lea	eax, [esp+38h+var_10]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [esp+38h+var_20]
		test	eax, eax
		jz	short loc_88A97E
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88A97E:				; CODE XREF: PiDrvDbRegisterNode+EEj
		test	esi, esi
		jnz	loc_928B81

loc_88A986:				; CODE XREF: PiDrvDbRegisterNode+9E312j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_88A991:				; CODE XREF: PiDrvDbRegisterNode+68j
		and	ebx, 8
		jmp	short loc_88A95A
PiDrvDbRegisterNode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDrvDbCreateNode(void *,void *,int)
PiDrvDbCreateNode proc near		; CODE XREF: PiDrvDbRegisterNode+55p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00928B9D SIZE 00000089 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		push	6
		mov	[ebp+var_8], ecx
		lea	edi, [ebp+var_28]
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_10], edx
		and	[ebp+var_C], eax
		xor	ebx, ebx
		rep stosd
		push	62647050h
		mov	edi, 128h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_928B9D
		push	edi		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		mov	[esi+20h], eax
		lea	eax, [esi+8]
		push	[ebp+var_8]	; void *
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	loc_928BB8
		lea	edi, [esi+10h]
		cmp	[ebp+arg_0], ebx
		jnz	loc_928BA7
		xor	eax, eax
		mov	[edi], ax
		mov	ax, [esi+8]
		add	ax, 26h
		mov	[esi+12h], ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[esi+14h], eax
		test	eax, eax
		jz	loc_928BB8
		push	offset ??_C@_1CG@GOLKLNMC@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@ ; "\\"
		push	edi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_88AB79
		push	[ebp+var_8]	; void *
		push	edi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_88AB79

loc_88AA53:				; CODE XREF: PiDrvDbCreateNode+9E21Cj
		cmp	[ebp+arg_4], 0
		lea	edi, [esi+18h]
		jnz	loc_928BC2
		xor	eax, eax
		mov	[edi], ax
		mov	ax, [esi+8]
		add	ax, 3Ah
		mov	[esi+1Ah], ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[esi+1Ch], eax
		test	eax, eax
		jz	loc_928BB8
		push	offset ??_C@_1DK@NGNMMHOD@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@ ; "\\SystemRoot\\System32\\config\\"
		push	edi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_88AB79
		push	[ebp+var_8]	; void *
		push	edi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_88AB79

loc_88AAAD:				; CODE XREF: PiDrvDbCreateNode+9E237j
		mov	eax, [esi+20h]
		test	al, 4
		jz	loc_88AB86
		lea	eax, [esi+2Ch]
		push	eax
		call	ExInitializeResourceLite
		mov	ebx, eax
		test	ebx, ebx
		js	loc_88AB79
		xor	edi, edi
		mov	byte ptr [esi+64h], 1
		push	edi
		lea	eax, [esi+90h]
		push	eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	esi
		push	offset PiDrvDbUnloadNodeDpcRoutine
		lea	eax, [esi+0B8h]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	1
		push	edi
		lea	eax, [ebp+var_28]
		mov	[esi+0E8h], edi
		push	eax
		push	1F0003h
		lea	eax, [esi+100h]
		mov	[ebp+var_28], 18h
		push	eax
		mov	[ebp+var_24], edi
		mov	[ebp+var_1C], 200h
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_88AB79
		or	dword ptr [esi+108h], 0FFFFFFFFh
		mov	eax, [esi+20h]
		mov	byte ptr [esi+111h], 1
		mov	[esi+10Ch], edi

loc_88AB45:				; CODE XREF: PiDrvDbCreateNode+1F2j
		test	al, 10h
		jnz	loc_928BD5

loc_88AB4D:				; CODE XREF: PiDrvDbCreateNode+9E28Bj
		mov	dword ptr [esi+118h], 103h
		mov	ecx, offset _PiDrvDbNodeList
		mov	eax, dword_6CB57C
		cmp	[eax], ecx
		jnz	short loc_88AB8A
		mov	[esi+4], eax
		mov	[esi], ecx
		mov	[eax], esi
		mov	eax, [ebp+arg_8]
		mov	dword_6CB57C, esi
		mov	[eax], esi
		mov	esi, edi

loc_88AB79:				; CODE XREF: PiDrvDbCreateNode+A4j
					; PiDrvDbCreateNode+B7j ...
		test	esi, esi
		jnz	short loc_88AB8F

loc_88AB7D:				; CODE XREF: PiDrvDbCreateNode+200j
					; PiDrvDbCreateNode+9E20Cj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_88AB86:				; CODE XREF: PiDrvDbCreateNode+11Cj
		xor	edi, edi
		jmp	short loc_88AB45
; 

loc_88AB8A:				; CODE XREF: PiDrvDbCreateNode+1CDj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_88AB8F:				; CODE XREF: PiDrvDbCreateNode+1E5j
		mov	ecx, esi
		call	_PiDrvDbDestroyNode@4 ;	PiDrvDbDestroyNode(x)
		jmp	short loc_88AB7D
PiDrvDbCreateNode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDcInitUpdateProperties proc near	; CODE XREF: PiDcInit(x)+Ep

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00928D04 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_40], eax
		lea	edi, [ebp+var_30]
		mov	[ebp+var_34], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_44], eax
		stosd
		push	6
		pop	ecx
		push	47706E50h
		stosd
		push	218h
		push	1
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		rep stosd
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_928D04
		push	offset ??_C@_1KO@BEMBOCKB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		lea	eax, [ebp+var_3C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_64], 18h
		mov	[ebp+var_5C], eax
		xor	edi, edi
		lea	eax, [ebp+var_64]
		mov	[ebp+var_60], edi
		push	eax
		push	8
		lea	eax, [ebp+var_40]
		mov	[ebp+var_58], 240h
		push	eax
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_88ADDE
		test	esi, esi
		js	loc_88ADE0
		lea	eax, [ebp+var_44]
		mov	[ebp+var_4C], edi
		push	eax
		push	218h
		push	ebx
		push	edi
		push	edi
		push	[ebp+var_40]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)

loc_88AC54:				; CODE XREF: PiDcInitUpdateProperties+241j
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	loc_88ADDE
		test	esi, esi
		js	loc_88ADE0
		lea	eax, [ebx+10h]
		mov	[ebp+var_64], 18h
		mov	[ebp+var_38], eax
		mov	ax, [ebx+0Ch]
		mov	word ptr [ebp+var_3C], ax
		mov	word ptr [ebp+var_3C+2], ax
		mov	eax, [ebp+var_40]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	20019h
		lea	eax, [ebp+var_34]
		mov	[ebp+var_34], edi
		push	eax
		mov	[ebp+var_58], 240h
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88ADE0
		lea	eax, [ebp+var_44]
		push	eax
		push	218h
		push	ebx
		push	1
		push	0

loc_88ACC9:				; CODE XREF: PiDcInitUpdateProperties+20Bj
		push	[ebp+var_34]
		mov	[ebp+var_48], edi
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	loc_88ADA8
		cmp	esi, 80000005h
		jz	loc_88AD95
		test	esi, esi
		js	loc_88ADAA
		mov	eax, [ebx+10h]
		sub	eax, 50h
		cmp	eax, 12h
		ja	loc_88AD95
		push	4Ch
		lea	eax, [ebx+14h]
		mov	[ebp+var_38], eax
		pop	eax
		mov	word ptr [ebp+var_3C], ax
		mov	word ptr [ebp+var_3C+2], ax
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	short loc_88AD95
		lea	eax, [ebx+62h]
		mov	[ebp+var_38], eax
		mov	ax, [ebx+10h]
		sub	ax, 4Eh
		mov	word ptr [ebp+var_3C], ax
		mov	word ptr [ebp+var_3C+2], ax
		lea	eax, [ebp+var_20]
		push	eax
		push	0Ah
		lea	eax, [ebp+var_3C]
		push	eax
		call	RtlUnicodeStringToInteger
		test	eax, eax
		js	short loc_88AD95
		push	5
		pop	ecx
		lea	esi, [ebp+var_30]
		lea	edi, [ebp+var_1C]
		rep movsd
		cmp	dword ptr [ebx+4], 4
		jnz	loc_928D0E
		cmp	dword ptr [ebx+0Ch], 4
		jnz	loc_928D0E
		mov	eax, [ebx+8]
		mov	eax, [ebx+eax]
		mov	[ebp+var_8], eax

loc_88AD78:				; CODE XREF: PiDcInitUpdateProperties+9E17Aj
		push	0		; int
		push	18h		; size_t
		lea	eax, [ebp+var_1C]
		push	eax		; void *
		push	offset _PiDcUpdateProperties ; int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		test	eax, eax
		jz	loc_928D17
		mov	edi, [ebp+var_48]

loc_88AD95:				; CODE XREF: PiDcInitUpdateProperties+150j
					; PiDcInitUpdateProperties+167j ...
		lea	eax, [ebp+var_44]
		inc	edi
		push	eax
		push	218h
		push	ebx
		push	1
		push	edi
		jmp	loc_88ACC9
; 

loc_88ADA8:				; CODE XREF: PiDcInitUpdateProperties+144j
		xor	esi, esi

loc_88ADAA:				; CODE XREF: PiDcInitUpdateProperties+158j
					; PiDcInitUpdateProperties+9E184j
		push	[ebp+var_34]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_34], 0
		test	esi, esi
		js	short loc_88ADE0
		mov	edi, [ebp+var_4C]
		lea	eax, [ebp+var_44]
		push	eax
		push	218h
		push	ebx
		inc	edi
		push	0
		push	edi
		push	[ebp+var_40]
		mov	[ebp+var_4C], edi
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		push	0
		pop	edi
		jmp	loc_88AC54
; 

loc_88ADDE:				; CODE XREF: PiDcInitUpdateProperties+97j
					; PiDcInitUpdateProperties+C4j
		mov	esi, edi

loc_88ADE0:				; CODE XREF: PiDcInitUpdateProperties+9Fj
					; PiDcInitUpdateProperties+CCj	...
		cmp	[ebp+var_40], 0
		jz	short loc_88ADEE
		push	[ebp+var_40]
		call	_ZwClose@4	; ZwClose(x)

loc_88ADEE:				; CODE XREF: PiDcInitUpdateProperties+24Cj
		cmp	[ebp+var_34], 0
		jnz	loc_928D21

loc_88ADF8:				; CODE XREF: PiDcInitUpdateProperties+9E191j
		test	ebx, ebx
		jz	short loc_88AE07
		push	47706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88AE07:				; CODE XREF: PiDcInitUpdateProperties+262j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PiDcInitUpdateProperties endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpBootDDBHelper	proc near		; CODE XREF: PpInitializeBootDDB+4Dp
					; PpInitializeBootDDB+1F4F9p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00928D2E SIZE 0000009E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		and	dword ptr [ebx], 0
		and	dword ptr [eax], 0
		test	edi, edi
		jz	loc_928DB1
		test	ecx, ecx
		jz	loc_928DB1
		push	20207050h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_928D2E
		push	edi		; size_t
		push	[ebp+var_4]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, edi
		mov	ecx, esi
		call	SdbInitDatabaseInMemory
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_928D70
		mov	eax, [ebp+arg_4]
		mov	[ebx], esi
		mov	[eax], ecx
		xor	eax, eax

loc_88AE84:				; CODE XREF: PpBootDDBHelper+9DF53j
					; PpBootDDBHelper+9DFAFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
PpBootDDBHelper	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUEventBroadcastEventWorker proc near	; DATA XREF: PiUEventQueueBroadcastEventEntry(x)+69o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00928DCC SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	bh, bh
		mov	edi, offset _PiUEventBroadcastEventQueueLock

loc_88AE9F:				; CODE XREF: PiUEventBroadcastEventWorker+86j
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	esi, _PiUEventBroadcastEventQueue
		mov	ecx, edi
		mov	bl, [esi+8]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	bl, bl
		jz	short loc_88AECE
		mov	eax, [esi+0Ch]
		sub	eax, 0
		jnz	loc_928DCC
		mov	ecx, [esi+10h]
		call	_PiUEventBroadcastDevnodesChangedEvent@4 ; PiUEventBroadcastDevnodesChangedEvent(x)

loc_88AECE:				; CODE XREF: PiUEventBroadcastEventWorker+2Cj
					; PiUEventBroadcastEventWorker+9DF4Dj ...
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	eax, _PiUEventBroadcastEventQueue
		mov	edx, offset _PiUEventBroadcastEventQueue
		cmp	[eax+4], edx
		jnz	short loc_88AF2A
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_88AF2A
		mov	_PiUEventBroadcastEventQueue, ecx
		mov	[ecx+4], edx
		cmp	_PiUEventBroadcastEventQueue, edx
		jnz	short loc_88AEFE
		mov	bh, 1

loc_88AEFE:				; CODE XREF: PiUEventBroadcastEventWorker+6Ej
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		push	59706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	bh, bh
		jz	short loc_88AE9F
		push	59706E50h
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_88AF2A:				; CODE XREF: PiUEventBroadcastEventWorker+56j
					; PiUEventBroadcastEventWorker+5Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PiUEventBroadcastEventWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiUEventBroadcastDevnodesChangedEvent(x)
_PiUEventBroadcastDevnodesChangedEvent@4 proc near
					; CODE XREF: PiUEventBroadcastEventWorker+3Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	[ebp+var_4], ecx
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_88AF52
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WNF_PNPA_DEVNODES_CHANGED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		leave
		retn
; 

loc_88AF52:				; CODE XREF: PiUEventBroadcastDevnodesChangedEvent(x)+Cj
		push	esi
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_88AF7A
		xor	eax, eax
		lea	ecx, [ebp+var_4]
		push	eax
		push	eax
		push	ecx
		push	eax
		push	eax
		push	eax
		push	offset _WNF_PNPA_DEVNODES_CHANGED_SESSION
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	ecx, esi
		call	ObfDereferenceObject

loc_88AF7A:				; CODE XREF: PiUEventBroadcastDevnodesChangedEvent(x)+2Cj
		pop	esi
		leave
		retn
_PiUEventBroadcastDevnodesChangedEvent@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 791. IoCreateDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoCreateDriver
IoCreateDriver	proc near		; CODE XREF: VfDdiExposeWmiObjects()+42p
					; VfFilterAttach(x,x)+44p ...

var_C4		= dword	ptr -0C4h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= word ptr -80h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00928E10 SIZE 00000095 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0BCh+var_4], eax
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		xor	esi, esi
		mov	[esp+0C4h+var_B0], esi
		mov	[esp+0C4h+var_B4], esi
		mov	[esp+0C4h+var_AC], esi
		mov	[esp+0C4h+var_BC], esi
		mov	[esp+0C4h+var_B8], esi
		mov	[esp+0C4h+var_A4], esi
		push	edi
		test	ecx, ecx
		jz	loc_928E10
		mov	eax, [ecx]
		mov	[esp+0C8h+var_BC], eax
		mov	eax, [ecx+4]

loc_88AFD2:				; CODE XREF: IoCreateDriver+9DEF0j
		mov	edx, ds:_IoDriverObjectType
		mov	edi, 0D0h
		mov	[esp+0C8h+var_B8], eax
		lea	eax, [esp+0C8h+var_BC]
		push	esi
		mov	[esp+0CCh+var_90], eax
		lea	eax, [esp+0CCh+var_B0]
		push	eax
		push	esi
		push	esi
		push	edi
		push	ecx
		push	esi
		lea	eax, [esp+0E4h+var_98]
		mov	[esp+0E4h+var_98], 18h
		push	eax
		xor	cl, cl
		mov	[esp+0E8h+var_94], esi
		mov	[esp+0E8h+var_8C], 250h
		mov	[esp+0E8h+var_88], esi
		mov	[esp+0E8h+var_84], esi
		call	ObCreateObjectEx
		test	eax, eax
		js	loc_88B1C0
		push	edi		; size_t
		push	esi		; int
		mov	esi, [esp+0D0h+var_B0]
		push	esi		; void *
		mov	[esp+0D4h+var_9C], esi
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+0A8h]
		mov	[esi+18h], eax
		mov	[eax], esi
		lea	eax, [edi-28h]
		lea	edi, [esi+38h]
		push	4
		pop	ecx
		mov	[esi], cx
		mov	[esi+2], ax
		mov	eax, offset _IopInvalidDeviceRequest@8 ; IopInvalidDeviceRequest(x,x)
		mov	[esi+8], ecx
		push	1Ch
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		mov	[esi+2Ch], ebx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _PsLoadedModuleResource
		push	edi
		call	ExAcquireResourceSharedLite
		mov	ecx, _PsLoadedModuleList
		mov	esi, offset _PsLoadedModuleList
		jmp	short loc_88B09C
; 

loc_88B08A:				; CODE XREF: IoCreateDriver+11Cj
		mov	edx, [ecx+18h]
		cmp	ebx, edx
		jb	short loc_88B09A
		mov	eax, [ecx+20h]
		add	eax, edx
		cmp	ebx, eax
		jb	short loc_88B0A2

loc_88B09A:				; CODE XREF: IoCreateDriver+10Dj
		mov	ecx, [ecx]

loc_88B09C:				; CODE XREF: IoCreateDriver+106j
		cmp	ecx, esi
		jnz	short loc_88B08A
		jmp	short loc_88B0A9
; 

loc_88B0A2:				; CODE XREF: IoCreateDriver+116j
		mov	eax, [esp+0C8h+var_B0]
		mov	[eax+0Ch], edx

loc_88B0A9:				; CODE XREF: IoCreateDriver+11Ej
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		movzx	edx, word ptr [esp+0C8h+var_BC]
		xor	ecx, ecx
		add	edx, 2
		inc	ecx
		call	IopVerifierExAllocatePool
		mov	edi, eax
		test	edi, edi
		jz	loc_928E8A
		mov	ecx, [esp+0C8h+var_BC]
		add	ecx, 2
		mov	word ptr [esp+0C8h+var_A4+2], cx
		mov	cx, word ptr [esp+0C8h+var_BC]
		movzx	esi, cx
		push	esi		; size_t
		push	[esp+0CCh+var_B8] ; void *
		mov	word ptr [esp+0D0h+var_A4], cx
		push	edi		; void *
		call	_memcpy
		mov	ecx, [esp+0D4h+var_9C]
		xor	eax, eax
		shr	esi, 1
		add	esp, 0Ch
		xor	edx, edx
		mov	[edi+esi*2], ax
		xor	esi, esi
		mov	ecx, [ecx+18h]
		mov	eax, [esp+0C8h+var_A4]
		mov	[ecx+0Ch], eax
		lea	eax, [esp+0C8h+var_B4]
		push	eax
		push	esi
		push	esi
		push	esi
		mov	[ecx+10h], edi
		mov	ecx, [esp+0D8h+var_B0]
		push	1
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_88B1BE
		mov	eax, ds:_IoDriverObjectType
		lea	ecx, [esp+0C8h+var_A8]
		push	esi
		push	ecx
		push	esi
		push	eax
		push	esi
		push	[esp+0DCh+var_B4]
		mov	[esp+0E0h+var_A8], esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [esp+0C8h+var_A8]
		mov	edi, eax
		push	[esp+0C8h+var_B4]
		test	edi, edi
		js	loc_928E77
		call	_ZwClose@4	; ZwClose(x)
		movzx	edx, word ptr [esp+0C8h+var_BC+2]
		mov	ecx, 200h
		call	IopVerifierExAllocatePool
		mov	[esi+20h], eax
		test	eax, eax
		jz	short loc_88B1A6
		mov	ax, word ptr [esp+0C8h+var_BC+2]
		mov	[esi+1Eh], ax
		mov	ax, word ptr [esp+0C8h+var_BC]
		mov	[esi+1Ch], ax
		movzx	eax, word ptr [esp+0C8h+var_BC+2]
		push	eax		; size_t
		push	[esp+0CCh+var_B8] ; void *
		push	dword ptr [esi+20h] ; void *
		call	_memcpy
		add	esp, 0Ch

loc_88B1A6:				; CODE XREF: IoCreateDriver+1FBj
		push	0
		push	esi
		call	ebx
		mov	edi, eax
		test	edi, edi
		js	loc_928E93
		lea	ecx, [esp+0D0h+var_C4]
		call	EtwTiLogDriverObjectLoad

loc_88B1BE:				; CODE XREF: IoCreateDriver+1AFj
					; IoCreateDriver+9DF03j ...
		mov	eax, edi

loc_88B1C0:				; CODE XREF: IoCreateDriver+9Cj
					; IoCreateDriver+9DEC2j ...
		mov	ecx, [esp+0D0h+var_C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
IoCreateDriver	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VRegSetup	proc near		; DATA XREF: INIT:00AC63F4o

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00928EA5 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		xor	edx, edx
		push	edi
		mov	ecx, offset dword_6B2370
		mov	[esp+7Ch+var_68], edi
		mov	[esp+7Ch+var_64], edi
		mov	[esp+7Ch+var_60], edi
		mov	[esp+7Ch+var_5C], edi
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		xor	ebx, ebx
		mov	edx, offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@
		inc	ebx
		push	ebx
		push	ecx
		push	edi
		push	offset _VrpRegistryValuesTable
		mov	ecx, 80000002h
		call	RtlpQueryRegistryValues
		push	offset ??_C@_1CG@LJMIDBHF@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAV?$AAR?$AAe?$AAg?$AAD?$AAr?$AAi@NNGAKEGL@
		lea	eax, [esp+7Ch+var_68]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, [ebp+arg_0]
		lea	eax, [esp+78h+var_68]
		push	offset _VrpDeviceObject
		push	edi
		push	100h
		push	22h
		push	eax
		push	edi
		push	esi
		call	IoCreateDevice
		test	eax, eax
		js	loc_928EA5
		push	offset _VrpHardCodedSdBlob
		push	0Ch
		push	_VrpDeviceObject
		mov	_VrpDriverObject, esi
		mov	_VrpActiveSilosLock, edi
		call	_ObSetSecurityObjectByPointer@12 ; ObSetSecurityObjectByPointer(x,x,x)
		test	eax, eax
		js	loc_928EB6
		mov	eax, _VrpDeviceObject
		push	offset ??_C@_1DC@PLDMBLKK@?$AAV?$AAR?$AAe?$AAg?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi@NNGAKEGL@	; "VRegConfigurationContext"
		and	dword ptr [eax+1Ch], 0FFFFFF7Fh
		mov	eax, offset VrpRegistryDispatch
		mov	[esi+38h], eax
		mov	[esi+40h], eax
		lea	eax, [esp+7Ch+var_60]
		push	eax
		mov	dword ptr [esi+34h], offset _VrpRegistryUnload@4 ; VrpRegistryUnload(x)
		mov	dword ptr [esi+70h], offset VrpIoctlDeviceDispatch
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [esp+7Ch+var_58]
		push	edi		; int
		push	eax		; void *
		call	_memset
		or	byte ptr [esp+84h+var_58+2], 4
		add	esp, 0Ch
		mov	eax, 20000h
		mov	word ptr [esp+78h+var_58], si
		mov	[esp+78h+var_4C], eax
		mov	[esp+78h+var_48], eax
		push	offset _VrpJobContextType
		mov	[esp+7Ch+var_44], eax
		mov	eax, 0F0000h
		push	edi
		mov	[esp+80h+var_40], eax
		mov	[esp+80h+var_3C], eax
		lea	eax, [esp+80h+var_58]
		push	edi
		push	eax
		lea	eax, [esp+88h+var_60]
		mov	[esp+88h+var_50], 100h
		push	eax
		mov	[esp+8Ch+var_34], ebx
		mov	[esp+8Ch+var_30], 3Ch
		mov	[esp+8Ch+var_1C], offset _VrpJobContextDelete@4	; VrpJobContextDelete(x)
		call	ObCreateObjectTypeEx
		test	eax, eax
		js	short loc_88B340
		call	_VrpInitializeLoadedDifferencingHives@0	; VrpInitializeLoadedDifferencingHives()
		test	eax, eax
		js	short loc_88B348
		mov	ecx, offset _VrpSiloContextSlot
		call	PspStorageAllocSlot
		test	eax, eax
		js	loc_928EA9
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_88B340:				; CODE XREF: VRegSetup+142j
		push	edi
		push	4
		jmp	loc_928EAC
; 

loc_88B348:				; CODE XREF: VRegSetup+14Bj
		push	edi
		push	5
		jmp	loc_928EAC
VRegSetup	endp


;  S U B	R O U T	I N E 


; __stdcall VrpInitializeLoadedDifferencingHives()
_VrpInitializeLoadedDifferencingHives@0	proc near ; CODE XREF: VRegSetup+144p
		mov	edi, edi
		push	esi
		push	67655256h
		push	80h
		xor	esi, esi
		push	1
		mov	_gLoadedDiffHivesLock, esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_88B3B4
		mov	ecx, offset _gLoadedDiffHives
		mov	_gLoadedDiffHives, esi
		lea	eax, [edx+80h]
		mov	dword_6CDC98, edx
		or	ecx, 1
		mov	dword_6CDC94, 400h
		cmp	eax, edx
		push	edi
		sbb	eax, eax
		mov	edi, esi
		and	eax, 0FFFFFFE0h
		add	eax, 20h
		jz	short loc_88B3AF

loc_88B3A5:				; CODE XREF: VrpInitializeLoadedDifferencingHives()+5Dj
		inc	edi
		mov	[edx], ecx
		lea	edx, [edx+4]
		cmp	edi, eax
		jb	short loc_88B3A5

loc_88B3AF:				; CODE XREF: VrpInitializeLoadedDifferencingHives()+53j
		pop	edi

loc_88B3B0:				; CODE XREF: VrpInitializeLoadedDifferencingHives()+69j
		mov	eax, esi
		pop	esi
		retn
; 

loc_88B3B4:				; CODE XREF: VrpInitializeLoadedDifferencingHives()+20j
		mov	esi, 0C000009Ah
		jmp	short loc_88B3B0
_VrpInitializeLoadedDifferencingHives@0	endp

; 
		align 10h
; Exported entry 944. IoRegisterLastChanceShutdownNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRegisterLastChanceShutdownNotification(x)
		public _IoRegisterLastChanceShutdownNotification@4
_IoRegisterLastChanceShutdownNotification@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		push	68536F49h
		push	0Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_88B413
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, edi
		mov	[edi+8], esi
		mov	ecx, offset _IopNotifyLastChanceShutdownQueueHead
		call	IopInterlockedInsertHeadList
		or	dword ptr [esi+1Ch], 800h
		mov	edx, esi
		push	ecx
		mov	ecx, (offset loc_408087+1)
		call	_IopLogAuditIoRegisterNotificationEvent@12 ; IopLogAuditIoRegisterNotificationEvent(x,x,x)
		xor	eax, eax
		pop	esi

loc_88B40E:				; CODE XREF: IoRegisterLastChanceShutdownNotification(x)+58j
		pop	edi
		pop	ebp
		retn	4
; 

loc_88B413:				; CODE XREF: IoRegisterLastChanceShutdownNotification(x)+1Bj
		mov	eax, 0C000009Ah
		jmp	short loc_88B40E
_IoRegisterLastChanceShutdownNotification@4 endp

; 
		align 10h
; Exported entry 947. IoRegisterShutdownNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRegisterShutdownNotification(x)
		public _IoRegisterShutdownNotification@4
_IoRegisterShutdownNotification@4 proc near ; CODE XREF: WmipDriverEntry+134p
					; RawInitialize+B0p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		push	68536F49h
		push	0Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_88B473
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		mov	[edi+8], esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, edi
		mov	ecx, offset _IopNotifyShutdownQueueHead
		call	IopInterlockedInsertHeadList
		or	dword ptr [esi+1Ch], 800h
		mov	edx, esi
		push	ecx
		mov	ecx, offset _KERNEL_AUDIT_API_IOREGISTERSHUTDOWNNOTIFICATION
		call	_IopLogAuditIoRegisterNotificationEvent@12 ; IopLogAuditIoRegisterNotificationEvent(x,x,x)
		xor	eax, eax
		pop	esi

loc_88B46E:				; CODE XREF: IoRegisterShutdownNotification(x)+58j
		pop	edi
		pop	ebp
		retn	4
; 

loc_88B473:				; CODE XREF: IoRegisterShutdownNotification(x)+1Bj
		mov	eax, 0C000009Ah
		jmp	short loc_88B46E
_IoRegisterShutdownNotification@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLogAuditIoRegisterNotificationEvent(x, x, x)
_IopLogAuditIoRegisterNotificationEvent@12 proc	near
					; CODE XREF: IoRegisterLastChanceShutdownNotification(x)+46p
					; IoRegisterShutdownNotification(x)+46p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_3C], 0
		push	ebx
		push	esi
		mov	esi, _EtwApiCallsProvRegHandle
		mov	ebx, ecx
		push	edi
		mov	edi, dword_6BC5D4
		mov	eax, esi
		or	eax, edi
		jz	short loc_88B518
		and	[ebp+var_38], 0
		xor	ecx, ecx
		mov	eax, [edx+8]
		test	eax, eax
		jz	short loc_88B4CC
		mov	edx, [eax+20h]
		test	edx, edx
		jz	short loc_88B4CC
		movzx	eax, word ptr [eax+1Ch]
		and	[ebp+var_30], ecx
		and	[ebp+var_28], ecx
		inc	ecx
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], eax

loc_88B4CC:				; CODE XREF: IopLogAuditIoRegisterNotificationEvent(x,x,x)+38j
					; IopLogAuditIoRegisterNotificationEvent(x,x,x)+3Fj
		mov	eax, ecx
		lea	edx, [ebp+var_38]
		add	eax, eax
		and	[ebp+eax*8+var_30], 0
		and	[ebp+eax*8+var_28], 0
		mov	[ebp+eax*8+var_34], edx
		lea	edx, [ebp+var_3C]
		mov	[ebp+eax*8+var_2C], 2
		lea	eax, [ecx+1]
		add	eax, eax
		mov	[ebp+eax*8+var_34], edx
		xor	edx, edx
		mov	[ebp+eax*8+var_30], edx
		mov	[ebp+eax*8+var_2C], 4
		mov	[ebp+eax*8+var_28], edx
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ecx+2]
		push	eax
		push	edx
		push	ebx
		push	edi
		push	esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_88B518:				; CODE XREF: IopLogAuditIoRegisterNotificationEvent(x,x,x)+2Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_IopLogAuditIoRegisterNotificationEvent@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall WmipUpdateRegistration(x)
_WmipUpdateRegistration@4 proc near	; CODE XREF: IoWMIRegistrationControl+9Fp
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		call	WmipFindRegEntryByDevice
		mov	edi, eax
		test	edi, edi
		jz	short loc_88B553
		xor	ecx, ecx
		mov	edx, edi
		inc	ecx
		call	_WmipQueueRegWork@8 ; WmipQueueRegWork(x,x)
		mov	ecx, edi
		mov	esi, eax
		call	WmipUnreferenceRegEntry

loc_88B54D:				; CODE XREF: WmipUpdateRegistration(x)+2Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		retn
; 

loc_88B553:				; CODE XREF: WmipUpdateRegistration(x)+Ej
		mov	esi, 0C000000Dh
		jmp	short loc_88B54D
_WmipUpdateRegistration@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpmEnableWmiInterface()
_PpmEnableWmiInterface@0 proc near	; CODE XREF: PopNewProcessorCallback(x,x,x)+37p
					; PoInitSystem+7BAp
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		xor	esi, esi

loc_88B561:				; CODE XREF: PpmEnableWmiInterface()+1Dj
		push	0
		call	_KeQueryGroupAffinity@4	; KeQueryGroupAffinity(x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		shl	edx, cl
		test	eax, edx
		jnz	short loc_88B57D

loc_88B573:				; CODE XREF: PpmEnableWmiInterface()+2Ej
					; PpmEnableWmiInterface()+41j ...
		inc	esi
		cmp	esi, 20h
		jb	short loc_88B561
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_88B57D:				; CODE XREF: PpmEnableWmiInterface()+17j
		mov	ecx, esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_88B573
		xor	edx, edx
		lea	ecx, [edi+3E44h]
		inc	edx
		xor	eax, eax
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	short loc_88B573
		push	80000001h
		lea	eax, [edi+3E40h]
		push	eax
		call	IoWMIRegistrationControl
		jmp	short loc_88B573
_PpmEnableWmiInterface@0 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1054. IoWMIRegistrationControl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoWMIRegistrationControl
IoWMIRegistrationControl proc near	; CODE XREF: WheaWmiInit()+17p
					; PpmEnableWmiInterface()+4Fp ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00928EBB SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ebx
		mov	[ebp+var_1], bl
		push	edi
		mov	edi, ebx
		cmp	_WmipServiceDeviceObject, ebx
		jz	loc_928EBB
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		js	short loc_88B604

loc_88B5DB:				; CODE XREF: IoWMIRegistrationControl+59j
		mov	edx, 10000h
		test	ecx, edx
		jnz	short loc_88B611

loc_88B5E4:				; CODE XREF: IoWMIRegistrationControl+73j
		sub	ecx, 1
		jnz	short loc_88B637
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	WmipRegisterDevice
		cmp	[ebp+var_1], 0
		mov	ebx, eax
		jnz	short loc_88B62B

loc_88B5FB:				; CODE XREF: IoWMIRegistrationControl+7Fj
					; IoWMIRegistrationControl+A6j	...
		mov	eax, ebx

loc_88B5FD:				; CODE XREF: IoWMIRegistrationControl+9D90Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_88B604:				; CODE XREF: IoWMIRegistrationControl+23j
		mov	esi, 80000000h
		and	ecx, 7FFFFFFFh
		jmp	short loc_88B5DB
; 

loc_88B611:				; CODE XREF: IoWMIRegistrationControl+2Cj
		mov	edi, ecx
		mov	[ebp+var_1], 1
		and	edi, 0F00000h
		and	ecx, 0FF0EFFFFh
		mov	eax, edi
		or	eax, edx
		or	esi, eax
		jmp	short loc_88B5E4
; 

loc_88B62B:				; CODE XREF: IoWMIRegistrationControl+43j
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		call	_WmipSetTraceNotify@8 ;	WmipSetTraceNotify(x,x)
		jmp	short loc_88B5FB
; 

loc_88B637:				; CODE XREF: IoWMIRegistrationControl+31j
		sub	ecx, 1
		jz	loc_928F2A
		sub	ecx, 1
		jz	loc_928F09
		sub	ecx, 1
		jnz	loc_928EC5
		mov	ecx, [ebp+arg_0]
		call	_WmipUpdateRegistration@4 ; WmipUpdateRegistration(x)

loc_88B65A:				; CODE XREF: IoWMIRegistrationControl+9D96Fj
					; IoWMIRegistrationControl+9D97Cj
		mov	ebx, eax
		jmp	short loc_88B5FB
IoWMIRegistrationControl endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipRegisterDevice proc	near		; CODE XREF: IoWMIRegistrationControl+38p
					; IoWMIRegistrationControl+9D96Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, ecx
		mov	[ebp+var_4], edi
		mov	esi, ebx
		test	edx, edx
		js	loc_88B72D

loc_88B67A:				; CODE XREF: WmipRegisterDevice+D4j
		test	edx, 10000h
		jnz	loc_88B746

loc_88B686:				; CODE XREF: WmipRegisterDevice+F9j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		mov	ecx, edi
		call	WmipFindRegEntryByDevice
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	loc_88B75C
		mov	eax, esi
		and	eax, 10000000h
		mov	[ebp+var_C], eax
		jnz	loc_88B737
		push	edi
		call	IoGetAttachedDeviceReference
		mov	edi, eax
		mov	cl, [edi+30h]
		inc	cl
		call	_WmipUpdateDeviceStackSize@4 ; WmipUpdateDeviceStackSize(x)
		mov	ecx, edi
		call	ObfDereferenceObject
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_4]
		call	ObReferenceObjectByPointer
		mov	edi, eax

loc_88B6DC:				; CODE XREF: WmipRegisterDevice+DBj
		test	edi, edi
		js	sub_928F4C
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	WmipAllocRegEntry
		mov	esi, eax
		test	esi, esi
		jz	sub_928F37
		lock inc dword ptr [esi+18h]
		push	ebx
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		cmp	[ebp+var_C], ebx
		jnz	short loc_88B73B
		mov	edx, esi
		xor	ecx, ecx
		call	_WmipQueueRegWork@8 ; WmipQueueRegWork(x,x)

loc_88B715:				; CODE XREF: WmipRegisterDevice+E6j
		mov	edi, eax
		test	edi, edi
		js	short loc_88B771

loc_88B71B:				; CODE XREF: WmipRegisterDevice+111j
					; WmipRegisterDevice+115j
		mov	ecx, esi
		call	WmipUnreferenceRegEntry

loc_88B722:				; CODE XREF: sub_928F37+10j
					; sub_928F4C+Ej
		test	bl, bl
		jnz	short loc_88B775

loc_88B726:				; CODE XREF: WmipRegisterDevice+11Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_88B72D:				; CODE XREF: WmipRegisterDevice+16j
		mov	esi, 10000000h
		jmp	loc_88B67A
; 

loc_88B737:				; CODE XREF: WmipRegisterDevice+52j
		mov	edi, ebx
		jmp	short loc_88B6DC
; 

loc_88B73B:				; CODE XREF: WmipRegisterDevice+ACj
		xor	dl, dl
		mov	ecx, esi
		call	WmipRegisterOrUpdateDS
		jmp	short loc_88B715
; 

loc_88B746:				; CODE XREF: WmipRegisterDevice+22j
		and	edx, 0F00000h
		or	edx, 4000000h
		shl	edx, 4
		or	esi, edx
		jmp	loc_88B686
; 

loc_88B75C:				; CODE XREF: WmipRegisterDevice+42j
		push	ebx
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	esi, [ebp+var_8]
		mov	edi, 40000000h
		jmp	short loc_88B71B
; 

loc_88B771:				; CODE XREF: WmipRegisterDevice+BBj
		mov	bl, 1
		jmp	short loc_88B71B
; 

loc_88B775:				; CODE XREF: WmipRegisterDevice+C6j
		mov	ecx, esi
		call	_WmipDeregisterRegEntry@4 ; WmipDeregisterRegEntry(x)
		jmp	short loc_88B726
WmipRegisterDevice endp


;  S U B	R O U T	I N E 


; __stdcall WmipQueueRegWork(x,	x)
_WmipQueueRegWork@8 proc near		; CODE XREF: WmipUpdateRegistration(x)+15p
					; WmipRegisterDevice+B2p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	70696D57h
		push	10h
		push	1
		mov	esi, edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_88B802
		lock inc dword ptr [esi+18h]
		mov	[edi+0Ch], esi
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		mov	[edi+8], ebx
		mov	ebx, offset _WmipSMMutex
		push	esi
		push	ebx
		call	KeWaitForSingleObject
		mov	eax, off_6B3004
		mov	ecx, offset _WmipRegWorkList
		cmp	[eax], ecx
		jnz	short loc_88B7FD
		mov	[edi], ecx
		mov	[edi+4], eax
		push	esi
		mov	[eax], edi
		push	ebx
		mov	off_6B3004, edi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		xor	eax, eax
		inc	eax
		lock xadd _WmipRegWorkItemCount, eax
		inc	eax
		cmp	eax, 1
		jz	short loc_88B7EF

loc_88B7E9:				; CODE XREF: WmipQueueRegWork(x,x)+7Dj
					; WmipQueueRegWork(x,x)+89j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_88B7EF:				; CODE XREF: WmipQueueRegWork(x,x)+69j
		push	1
		push	offset _WmipRegWorkQueue
		call	ExQueueWorkItem
		jmp	short loc_88B7E9
; 

loc_88B7FD:				; CODE XREF: WmipQueueRegWork(x,x)+44j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_88B802:				; CODE XREF: WmipQueueRegWork(x,x)+1Bj
		mov	esi, 0C000009Ah
		jmp	short loc_88B7E9
_WmipQueueRegWork@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall WmipUpdateDeviceStackSize(x)
_WmipUpdateDeviceStackSize@4 proc near	; CODE XREF: WmipRegisterDevice+65p
					; WmipForwardWmiIrp+183EF3p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, offset _WmipSMMutex
		push	esi
		push	esi
		push	esi
		push	esi
		push	edi
		mov	bl, cl
		call	KeWaitForSingleObject
		mov	eax, _WmipServiceDeviceObject
		cmp	[eax+30h], bl
		jl	short loc_88B837

loc_88B82C:				; CODE XREF: WmipUpdateDeviceStackSize(x)+30j
		push	esi
		push	edi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_88B837:				; CODE XREF: WmipUpdateDeviceStackSize(x)+20j
		mov	[eax+30h], bl
		jmp	short loc_88B82C
_WmipUpdateDeviceStackSize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipSetTraceNotify(x, x)
_WmipSetTraceNotify@8 proc near		; CODE XREF: IoWMIRegistrationControl+7Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	eax, edx
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], ebx
		lea	edx, [ebp+var_C]
		mov	[ebp+var_8], ebx
		mov	ecx, eax
		call	_EtwGetNotifyRoutineGroup@8 ; EtwGetNotifyRoutineGroup(x,x)
		test	eax, eax
		js	short loc_88B8BD
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		mov	esi, offset _WmipSMMutex
		push	esi
		call	KeWaitForSingleObject
		mov	eax, _WmipServiceDeviceObject
		push	ebx
		push	esi
		mov	al, [eax+30h]
		inc	al
		mov	byte ptr [ebp+var_4], al
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		push	ebx
		push	[ebp+var_4]
		call	IoAllocateIrp
		mov	esi, eax
		test	esi, esi
		jz	short loc_88B8BD
		add	dword ptr [esi+60h], 0FFFFFFDCh
		lea	eax, [ebp+var_C]
		mov	edx, [esi+60h]
		dec	byte ptr [esi+23h]
		mov	ecx, _WmipServiceDeviceObject
		push	eax
		push	8
		mov	[edx+14h], ecx
		mov	dl, 0Dh
		push	ebx
		push	edi
		mov	ecx, esi
		call	WmipForwardWmiIrp
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_88B8BD:				; CODE XREF: WmipSetTraceNotify(x,x)+23j
					; WmipSetTraceNotify(x,x)+55j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_WmipSetTraceNotify@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwGetNotifyRoutineGroup(x,	x)
_EtwGetNotifyRoutineGroup@8 proc near	; CODE XREF: WmipSetTraceNotify(x,x)+1Cp
		test	edx, edx
		jz	short loc_88B918
		cmp	ecx, 200000h
		jz	short loc_88B8F6
		cmp	ecx, 100000h
		jz	short loc_88B90F
		cmp	ecx, 400000h
		jz	short loc_88B900
		cmp	ecx, (offset loc_7FFFFF+1)
		jnz	short loc_88B8F3
		mov	dword ptr [edx+4], offset _EtwpSplitIoNotifyRoutines

loc_88B8ED:				; CODE XREF: EtwGetNotifyRoutineGroup(x,x)+3Cj
					; EtwGetNotifyRoutineGroup(x,x)+54j
		mov	dword ptr [edx], 1

loc_88B8F3:				; CODE XREF: EtwGetNotifyRoutineGroup(x,x)+22j
					; EtwGetNotifyRoutineGroup(x,x)+4Bj
		xor	eax, eax
		retn
; 

loc_88B8F6:				; CODE XREF: EtwGetNotifyRoutineGroup(x,x)+Aj
		mov	eax, _EtwpTdiIoNotify
		mov	[edx+4], eax
		jmp	short loc_88B8ED
; 

loc_88B900:				; CODE XREF: EtwGetNotifyRoutineGroup(x,x)+1Aj
		mov	dword ptr [edx], 2
		mov	dword ptr [edx+4], offset _EtwpFileIoNotifyRoutines
		jmp	short loc_88B8F3
; 

loc_88B90F:				; CODE XREF: EtwGetNotifyRoutineGroup(x,x)+12j
		mov	dword ptr [edx+4], offset _EtwpDiskIoNotifyRoutines
		jmp	short loc_88B8ED
; 

loc_88B918:				; CODE XREF: EtwGetNotifyRoutineGroup(x,x)+2j
		mov	eax, 0C000000Dh
		retn
_EtwGetNotifyRoutineGroup@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipUpdateDataSource proc near		; CODE XREF: WmipProcessWmiRegInfo(x,x,x,x)+AEp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00928F5F SIZE 000001D6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		mov	ebx, [ecx+10h]
		push	esi
		xor	esi, esi
		mov	[ebp+var_18], edx
		mov	[ebp+var_4], esi
		push	edi
		test	ebx, ebx
		jz	loc_928F5F
		mov	ecx, ebx
		call	WmipReferenceEntry
		mov	edi, esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], esi
		call	_WmipEnterSMCritSection@0 ; WmipEnterSMCritSection()
		mov	eax, [ebp+var_18]
		and	[ebp+var_14], esi
		cmp	[eax+10h], esi
		jbe	short loc_88B9B7
		lea	esi, [eax+14h]

loc_88B973:				; CODE XREF: WmipUpdateDataSource+91j
		test	dword ptr [esi+10h], 10000h
		mov	edx, esi
		jnz	short loc_88B9F9
		lea	ecx, [ebp+var_4]
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, ebx
		push	eax
		call	WmipUpdateModifyGuid
		cmp	eax, 1
		jz	loc_928F87
		cmp	eax, 2
		jz	loc_928F94

loc_88B99F:				; CODE XREF: WmipUpdateDataSource+E6j
					; WmipUpdateDataSource+9D68Cj
		mov	ecx, [ebp+var_14]
		add	esi, 1Ch
		mov	eax, [ebp+var_18]
		inc	ecx
		mov	[ebp+var_14], ecx
		cmp	ecx, [eax+10h]
		jb	short loc_88B973
		mov	edi, [ebp+var_C]
		mov	esi, [ebp+var_8]

loc_88B9B7:				; CODE XREF: WmipUpdateDataSource+50j
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	edx, ebx
		mov	ecx, offset _WmipDSChunkInfo
		call	WmipUnreferenceEntry
		mov	ebx, [ebp+var_1C]
		test	ebx, ebx
		jnz	loc_928FAF

loc_88B9DA:				; CODE XREF: WmipUpdateDataSource+9D766j
		mov	ebx, [ebp+var_20]
		test	ebx, ebx
		jnz	loc_929089

loc_88B9E5:				; CODE XREF: WmipUpdateDataSource+9D7B6j
		mov	ebx, [ebp+var_24]
		test	ebx, ebx
		jnz	loc_9290D9

loc_88B9F0:				; CODE XREF: WmipUpdateDataSource+9D812j
		xor	eax, eax

loc_88B9F2:				; CODE XREF: WmipUpdateDataSource+9D646j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_88B9F9:				; CODE XREF: WmipUpdateDataSource+5Ej
		mov	ecx, ebx
		call	_WmipFindISInDSByGuid@8	; WmipFindISInDSByGuid(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_88B99F
		jmp	loc_928F69
WmipUpdateDataSource endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipUpdateModifyGuid proc near		; CODE XREF: WmipUpdateDataSource+6Ap

var_40		= dword	ptr -40h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00929135 SIZE 0000012C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		push	esi
		push	edi
		push	34h		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_40]
		mov	edi, edx
		mov	ebx, ecx
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], ebx
		call	_memset
		mov	eax, [ebp+arg_8]
		add	esp, 0Ch
		mov	edx, edi
		mov	ecx, ebx
		mov	[eax], esi
		call	_WmipFindISInDSByGuid@8	; WmipFindISInDSByGuid(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_929135
		mov	ecx, offset _WmipISChunkInfo
		call	_WmipAllocEntry@4 ; WmipAllocEntry(x)
		mov	edi, eax
		mov	[ebp+var_C], edi
		test	edi, edi
		jz	short loc_88BA87
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_8]
		push	dword ptr [eax+1Ch]
		push	edi
		push	[ebp+arg_4]
		call	WmipBuildInstanceSet
		test	eax, eax
		js	short loc_88BA87
		mov	edx, edi
		mov	ecx, ebx
		call	WmipIsEqualInstanceSets
		test	al, al
		jz	loc_92914F

loc_88BA87:				; CODE XREF: WmipUpdateModifyGuid+4Fj
					; WmipUpdateModifyGuid+68j ...
		mov	edx, ebx
		mov	ebx, offset _WmipISChunkInfo
		mov	ecx, ebx
		call	WmipUnreferenceEntry
		test	edi, edi
		jz	short loc_88BAA2
		mov	edx, edi
		mov	ecx, ebx
		call	WmipUnreferenceEntry

loc_88BAA2:				; CODE XREF: WmipUpdateModifyGuid+8Bj
					; WmipUpdateModifyGuid+9D73Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
WmipUpdateModifyGuid endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipIsEqualInstanceSets	proc near	; CODE XREF: WmipUpdateModifyGuid+6Ep
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [edx+8]
		push	ebx
		mov	ebx, [ecx+8]
		xor	eax, ebx
		push	esi
		push	edi
		test	eax, 0FFFF9FFFh
		jnz	short loc_88BB13
		test	bl, 1
		jz	loc_9291EF
		mov	eax, [ecx+24h]
		cmp	eax, [edx+24h]
		jnz	short loc_88BB13
		mov	eax, [ecx+30h]
		add	eax, 4
		mov	ecx, eax

loc_88BADD:				; CODE XREF: WmipIsEqualInstanceSets+51j
		mov	dx, [ecx]
		cmp	dx, [eax]
		jnz	short loc_88BB0C
		test	dx, dx
		jz	short loc_88BAFF
		mov	dx, [ecx+2]
		cmp	dx, [eax+2]
		jnz	short loc_88BB0C
		add	ecx, 4
		add	eax, 4
		test	dx, dx
		jnz	short loc_88BADD

loc_88BAFF:				; CODE XREF: WmipIsEqualInstanceSets+3Cj
		xor	eax, eax

loc_88BB01:				; CODE XREF: WmipIsEqualInstanceSets+65j
		test	eax, eax
		jnz	short loc_88BB13

loc_88BB05:				; CODE XREF: WmipUpdateModifyGuid+9D7E6j
					; WmipUpdateModifyGuid+9D7FCj ...
		mov	al, 1

loc_88BB07:				; CODE XREF: WmipIsEqualInstanceSets+69j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_88BB0C:				; CODE XREF: WmipIsEqualInstanceSets+37j
					; WmipIsEqualInstanceSets+46j
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_88BB01
; 

loc_88BB13:				; CODE XREF: WmipIsEqualInstanceSets+16j
					; WmipIsEqualInstanceSets+27j ...
		xor	al, al
		jmp	short loc_88BB07
WmipIsEqualInstanceSets	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipRegisterOrUpdateDS proc near	; CODE XREF: WmipRegisterDevice+E1p
					; WmipRegistrationWorker(x)+81p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00929261 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+24h+var_10], edx
		xor	ebx, ebx
		mov	[esp+24h+var_14], esi
		mov	eax, 2000h
		mov	[esp+24h+var_4], ebx
		push	edi
		mov	[esp+28h+var_18], eax

loc_88BB3F:				; CODE XREF: WmipRegisterOrUpdateDS+DFj
		push	44696D57h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_929279
		mov	ebx, [esp+28h+var_18]
		lea	ecx, [esp+28h+var_8]
		mov	edx, [esi+8]
		xor	eax, eax
		cmp	byte ptr [esp+28h+var_10], al
		push	ecx
		push	edi
		setnz	al
		mov	cl, 0Bh
		push	ebx
		push	eax
		mov	[esp+38h+var_C], eax
		call	_WmipSendWmiIrp@24 ; WmipSendWmiIrp(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_88BBCE

loc_88BB82:				; CODE XREF: WmipRegisterOrUpdateDS+D9j
		cmp	esi, 0C0000023h
		jz	short loc_88BBFC
		mov	ebx, [esp+28h+var_4]
		cmp	ebx, 4
		jz	loc_929261

loc_88BB97:				; CODE XREF: WmipRegisterOrUpdateDS+9D75Cj
					; WmipRegisterOrUpdateDS+9D766j
		mov	eax, [esp+28h+var_18]
		cmp	esi, 0C0000023h
		jz	short loc_88BBF3
		test	esi, esi
		js	short loc_88BBB9
		push	[esp+28h+var_10]
		mov	ecx, [esp+2Ch+var_14]
		mov	edx, edi
		push	ebx
		call	_WmipProcessWmiRegInfo@16 ; WmipProcessWmiRegInfo(x,x,x,x)
		mov	esi, eax

loc_88BBB9:				; CODE XREF: WmipRegisterOrUpdateDS+8Dj
		test	edi, edi
		jz	short loc_88BBC5
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88BBC5:				; CODE XREF: WmipRegisterOrUpdateDS+A3j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_88BBCE:				; CODE XREF: WmipRegisterOrUpdateDS+68j
		cmp	esi, 0C0000023h
		jz	short loc_88BBFC
		mov	edx, [esp+28h+var_14]
		lea	eax, [esp+28h+var_8]
		push	eax
		push	edi
		push	ebx
		push	[esp+34h+var_C]
		mov	edx, [edx+8]
		mov	cl, 8
		call	_WmipSendWmiIrp@24 ; WmipSendWmiIrp(x,x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_88BB82
; 

loc_88BBF3:				; CODE XREF: WmipRegisterOrUpdateDS+89j
		mov	esi, [esp+28h+var_14]
		jmp	loc_88BB3F
; 

loc_88BBFC:				; CODE XREF: WmipRegisterOrUpdateDS+70j
					; WmipRegisterOrUpdateDS+BCj
		mov	ebx, [esp+28h+var_4]
		jmp	loc_929261
WmipRegisterOrUpdateDS endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall WmipAllocDataSource()
_WmipAllocDataSource@0 proc near	; CODE XREF: WmipAddDataSource+30p
		mov	ecx, offset _WmipDSChunkInfo
		call	_WmipAllocEntry@4 ; WmipAllocEntry(x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_88BC33
		push	edi
		lea	ecx, [edx+14h]
		mov	dword ptr [edx+24h], 4
		mov	[ecx+4], ecx
		lea	edi, [edx+2Ch]
		mov	[edx+28h], edi
		xor	eax, eax
		mov	[ecx], ecx
		stosd
		stosd
		stosd
		stosd
		pop	edi

loc_88BC33:				; CODE XREF: WmipAllocDataSource()+Ej
		mov	eax, edx
		retn
_WmipAllocDataSource@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipProcessWmiRegInfo(x, x,	x, x)
_WmipProcessWmiRegInfo@16 proc near	; CODE XREF: WmipRegisterOrUpdateDS+9Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_C], ecx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx

loc_88BC51:				; CODE XREF: WmipProcessWmiRegInfo(x,x,x,x)+A5j
		cmp	[esi], edi
		ja	loc_88BCEB
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		push	dword ptr [esi+8]
		mov	ecx, esi
		call	_WmipValidateWmiRegInfoString@16 ; WmipValidateWmiRegInfoString(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_88BCB5
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		push	dword ptr [esi+0Ch]
		mov	ecx, esi
		call	_WmipValidateWmiRegInfoString@16 ; WmipValidateWmiRegInfoString(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_88BCB5
		imul	eax, [esi+10h],	1Ch
		add	eax, 14h
		cmp	eax, edi
		ja	short loc_88BCEB
		cmp	[ebp+arg_4], 0
		mov	edx, esi
		mov	ecx, [ebp+var_C]
		jnz	short loc_88BCE3
		push	[ebp+var_4]
		push	[ebp+var_8]
		push	edi
		call	WmipAddDataSource

loc_88BCA7:				; CODE XREF: WmipProcessWmiRegInfo(x,x,x,x)+B3j
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_88BCAE
		inc	ebx

loc_88BCAE:				; CODE XREF: WmipProcessWmiRegInfo(x,x,x,x)+75j
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_88BCC6

loc_88BCB5:				; CODE XREF: WmipProcessWmiRegInfo(x,x,x,x)+37j
					; WmipProcessWmiRegInfo(x,x,x,x)+4Dj ...
		xor	eax, eax
		cmp	eax, ebx
		pop	edi
		sbb	eax, eax
		not	eax
		pop	esi
		and	eax, ecx
		pop	ebx
		leave
		retn	8
; 

loc_88BCC6:				; CODE XREF: WmipProcessWmiRegInfo(x,x,x,x)+7Dj
		cmp	edi, eax
		jb	short loc_88BCB5
		sub	edi, eax
		cmp	edi, 14h
		jb	short loc_88BCB5
		add	esi, eax
		lea	eax, [esi+3]
		and	eax, 0FFFFFFFCh
		cmp	eax, esi
		jz	loc_88BC51
		jmp	short loc_88BCB5
; 

loc_88BCE3:				; CODE XREF: WmipProcessWmiRegInfo(x,x,x,x)+63j
		push	edi
		call	WmipUpdateDataSource
		jmp	short loc_88BCA7
; 

loc_88BCEB:				; CODE XREF: WmipProcessWmiRegInfo(x,x,x,x)+1Dj
					; WmipProcessWmiRegInfo(x,x,x,x)+58j
		mov	ecx, 0C000000Dh
		jmp	short loc_88BCB5
_WmipProcessWmiRegInfo@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipAddDataSource proc near		; CODE XREF: WmipProcessWmiRegInfo(x,x,x,x)+6Cp
					; WmipInitializeDataStructs+D5p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_6		= dword	ptr -6
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00929283 SIZE 000000DE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		mov	ebx, ecx
		mov	esi, edx
		mov	[ebp+var_18], ebx
		xor	edx, edx
		mov	[ebp+var_10], esi
		mov	[ebp+var_1C], edx
		stosd
		mov	byte ptr [ebp+var_6], dl
		mov	byte ptr [ebp+var_6+1],	dl
		stosd
		stosd
		mov	edi, [ebx+10h]
		test	edi, edi
		jnz	short loc_88BD3D
		call	_WmipAllocDataSource@0 ; WmipAllocDataSource()
		mov	edi, eax
		test	edi, edi
		jz	loc_929283
		mov	eax, [ebx+8]
		xor	edx, edx
		mov	byte ptr [ebp+var_6+1],	1
		mov	[edi+1Ch], eax

loc_88BD3D:				; CODE XREF: WmipAddDataSource+2Ej
		lea	ebx, [esi+14h]
		mov	ecx, edx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_14], ecx
		cmp	[esi+10h], edx
		jbe	short loc_88BD76

loc_88BD4D:				; CODE XREF: WmipAddDataSource+82j
		mov	eax, [ebx+10h]
		test	eax, 10000h
		jnz	short loc_88BD67
		and	eax, 81000h
		cmp	eax, 80000h
		jnz	loc_88BE6E

loc_88BD67:				; CODE XREF: WmipAddDataSource+63j
					; WmipAddDataSource+1EBj
		inc	ecx
		add	ebx, 1Ch
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ebx
		cmp	ecx, [esi+10h]
		jb	short loc_88BD4D

loc_88BD76:				; CODE XREF: WmipAddDataSource+59j
		mov	esi, [ebp+var_18]
		mov	esi, [esi+18h]
		and	esi, 40000000h
		jnz	loc_88BEE2

loc_88BD88:				; CODE XREF: WmipAddDataSource+202j
		neg	esi
		lea	eax, [ebp+var_2C]
		sbb	esi, esi
		and	esi, eax
		call	_WmipEnterSMCritSection@0 ; WmipEnterSMCritSection()
		mov	dl, byte ptr [ebp+var_6+1]
		mov	ecx, edi
		push	esi
		call	WmipLinkDataSourceToList
		mov	ebx, eax
		xor	eax, eax
		push	eax
		push	offset _WmipSMMutex
		mov	[ebp+arg_0], ebx
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		test	esi, esi
		jnz	loc_88BEF9

loc_88BDBB:				; CODE XREF: WmipAddDataSource+221j
		test	ebx, ebx
		js	short loc_88BE26
		mov	eax, [ebp+var_18]
		mov	[eax+10h], edi
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	loc_929331

loc_88BDD0:				; CODE XREF: WmipAddDataSource+9D64Bj
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_88BE3B
		call	_WmipCountedToSz@4 ; WmipCountedToSz(x)
		mov	ebx, eax
		xor	edx, edx

loc_88BDE0:				; CODE XREF: WmipAddDataSource+14Dj
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_88BE37
		call	_WmipCountedToSz@4 ; WmipCountedToSz(x)
		mov	esi, eax
		xor	edx, edx

loc_88BDF0:				; CODE XREF: WmipAddDataSource+147j
		test	ebx, ebx
		jz	short loc_88BE09
		cmp	[ebx], dx
		jz	short loc_88BE02
		test	esi, esi
		jz	short loc_88BE02
		cmp	[esi], dx
		jnz	short loc_88BE41

loc_88BE02:				; CODE XREF: WmipAddDataSource+105j
					; WmipAddDataSource+109j ...
		push	edx
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88BE09:				; CODE XREF: WmipAddDataSource+100j
		test	esi, esi
		jz	short loc_88BE16
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88BE16:				; CODE XREF: WmipAddDataSource+119j
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	WmipGenerateRegistrationNotification
		xor	eax, eax
		mov	edi, eax
		mov	ebx, eax

loc_88BE26:				; CODE XREF: WmipAddDataSource+CBj
					; WmipAddDataSource+1DCj ...
		test	edi, edi
		jnz	loc_929342

loc_88BE2E:				; CODE XREF: WmipAddDataSource+9D596j
					; WmipAddDataSource+9D654j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
; 

loc_88BE37:				; CODE XREF: WmipAddDataSource+F3j
		mov	esi, edx
		jmp	short loc_88BDF0
; 

loc_88BE3B:				; CODE XREF: WmipAddDataSource+E3j
		xor	edx, edx
		mov	ebx, edx
		jmp	short loc_88BDE0
; 

loc_88BE41:				; CODE XREF: WmipAddDataSource+10Ej
		lea	eax, [ebp+var_6]
		mov	ecx, edi
		push	eax
		push	esi
		push	edx
		mov	edx, ebx
		call	WmipAddMofResource
		test	eax, eax
		js	short loc_88BE6A
		cmp	byte ptr [ebp+var_6], 0
		jz	short loc_88BE6A
		push	1
		push	offset _GUID_MOF_RESOURCE_ADDED_NOTIFICATION
		mov	edx, esi
		mov	ecx, ebx
		call	_WmipGenerateMofResourceNotification@16	; WmipGenerateMofResourceNotification(x,x,x,x)

loc_88BE6A:				; CODE XREF: WmipAddDataSource+160j
					; WmipAddDataSource+166j
		xor	edx, edx
		jmp	short loc_88BE02
; 

loc_88BE6E:				; CODE XREF: WmipAddDataSource+6Fj
		mov	ecx, offset _WmipISChunkInfo
		call	_WmipAllocEntry@4 ; WmipAllocEntry(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_92928D
		or	dword ptr [esi+8], 8
		mov	ecx, ebx
		mov	edx, [ebp+var_10]
		mov	[esi+1Ch], ebx
		mov	[esi+20h], edi
		push	dword ptr [edi+1Ch]
		push	esi
		push	[ebp+arg_0]
		call	WmipBuildInstanceSet
		push	10h		; size_t
		push	offset _WmipBinaryMofGuid ; void *
		push	[ebp+var_C]	; void *
		mov	ebx, eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_88BF18

loc_88BEB5:				; CODE XREF: WmipAddDataSource+229j
		lea	eax, [edi+14h]
		add	esi, 14h
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_88BF1D
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[ecx+4], esi
		mov	[eax], esi
		test	ebx, ebx
		js	loc_88BE26
		mov	ebx, [ebp+var_C]
		mov	ecx, [ebp+var_14]
		mov	esi, [ebp+var_10]
		jmp	loc_88BD67
; 

loc_88BEE2:				; CODE XREF: WmipAddDataSource+90j
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_28], eax
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		jmp	loc_88BD88
; 

loc_88BEF9:				; CODE XREF: WmipAddDataSource+C3j
					; WmipAddDataSource+9D602j
		mov	ebx, [esi]
		cmp	ebx, esi
		jnz	loc_929297
		lea	ebx, [esi+8]

loc_88BF06:				; CODE XREF: WmipAddDataSource+9D63Aj
		mov	esi, [ebx]
		cmp	esi, ebx
		jnz	loc_9292F9
		mov	ebx, [ebp+arg_0]
		jmp	loc_88BDBB
; 

loc_88BF18:				; CODE XREF: WmipAddDataSource+1C1j
		mov	[ebp+var_1C], esi
		jmp	short loc_88BEB5
; 

loc_88BF1D:				; CODE XREF: WmipAddDataSource+1CEj
					; WmipAddDataSource+9D5A8j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
WmipAddDataSource endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipBuildInstanceSet proc near		; CODE XREF: WmipUpdateModifyGuid+61p
					; WmipAddDataSource+1A6p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00929361 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], edx
		push	edi
		mov	edi, [ebp+arg_4]
		xor	ecx, ecx
		mov	ebx, ecx
		mov	[ebp+var_2C], ecx
		mov	edx, [esi+14h]
		mov	[ebp+var_4], ecx
		mov	[edi+2Ch], eax
		mov	eax, [edi+8]
		and	eax, 0FFFD7FF8h
		mov	[edi+24h], edx
		mov	[edi+28h], ecx
		mov	[edi+8], eax
		mov	ecx, [esi+10h]
		mov	[ebp+var_14], esi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_C], edx
		test	cl, 1
		jnz	loc_88C1FA

loc_88BF6E:				; CODE XREF: WmipBuildInstanceSet+2E1j
		test	ecx, 80000h
		jnz	loc_88C218

loc_88BF7A:				; CODE XREF: WmipBuildInstanceSet+307j
					; WmipBuildInstanceSet+318j
		test	cl, 40h
		jnz	loc_88C208

loc_88BF83:				; CODE XREF: WmipBuildInstanceSet+2F1j
		mov	eax, [esi+18h]
		mov	edi, [ebp+var_10]
		add	edi, eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_28], edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_1C], eax
		test	cl, 4
		jnz	loc_88C04A
		test	cl, 8
		jz	loc_88C035
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, [ebp+var_10]
		push	eax
		call	_WmipValidateWmiRegInfoString@16 ; WmipValidateWmiRegInfoString(x,x,x,x)
		test	eax, eax
		js	loc_92936C
		mov	ebx, [ebp+var_4]
		test	ebx, ebx
		jz	loc_92936C
		movzx	eax, word ptr [ebx]
		add	ebx, 2
		shr	eax, 1
		mov	[ebp+arg_4], eax
		push	70696D57h
		lea	eax, ds:6[eax*2]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_929376
		mov	edx, [ebp+arg_4]
		lea	esi, [eax+4]
		push	edx
		push	ebx
		inc	edx
		mov	ecx, esi
		call	RtlStringCchCopyNW
		mov	edx, esi
		mov	esi, [ebp+var_14]
		push	ecx
		mov	ecx, esi
		call	_WmipDetermineInstanceBaseIndex@12 ; WmipDetermineInstanceBaseIndex(x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	ebx, [ebp+var_24]
		mov	[ecx], eax
		mov	eax, [edi+8]
		or	eax, 1
		mov	[edi+30h], ecx
		mov	[edi+8], eax
		test	byte ptr [esi+10h], 20h
		jz	short loc_88C035
		or	eax, 20000h
		mov	[edi+8], eax

loc_88C035:				; CODE XREF: WmipBuildInstanceSet+81j
					; WmipBuildInstanceSet+109j ...
		xor	eax, eax
		mov	esi, eax

loc_88C039:				; CODE XREF: WmipBuildInstanceSet+9D460j
		test	ebx, ebx
		jnz	loc_88C1EE

loc_88C041:				; CODE XREF: WmipBuildInstanceSet+19Ej
					; WmipBuildInstanceSet+1B8j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_88C04A:				; CODE XREF: WmipBuildInstanceSet+78j
		and	[ebp+arg_8], 0
		xor	ebx, ebx
		and	[ebp+var_18], 0
		inc	ebx
		mov	[ebp+var_24], 2
		mov	ecx, ebx
		mov	[ebp+var_8], ecx
		test	edx, edx
		jz	loc_88C10F

loc_88C069:				; CODE XREF: WmipBuildInstanceSet+9D445j
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, [ebp+var_10]
		push	eax
		call	_WmipValidateWmiRegInfoString@16 ; WmipValidateWmiRegInfoString(x,x,x,x)
		test	eax, eax
		js	loc_92936C
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	loc_92936C
		movzx	eax, word ptr [eax]
		mov	edx, eax
		shr	edx, 1
		cmp	edx, [ebp+arg_8]
		jbe	short loc_88C0A0
		mov	[ebp+arg_8], edx

loc_88C0A0:				; CODE XREF: WmipBuildInstanceSet+179j
		mov	ecx, [ebp+var_8]
		and	eax, 0FFFFFFFEh
		add	ecx, 12h
		mov	[ebp+arg_4], ebx
		add	ecx, eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_8], ecx
		mov	ecx, ebx
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88C041
		mov	eax, [ebp+arg_4]
		lea	ecx, [ebp+arg_4]
		mul	[ebp+var_24]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88C041
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_20]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88C041
		mov	eax, [ebp+var_18]
		inc	eax
		mov	[ebp+var_18], eax
		cmp	eax, [ebp+var_C]
		jb	loc_929361
		mov	esi, [ebp+var_14]
		mov	ecx, [ebp+var_8]

loc_88C10F:				; CODE XREF: WmipBuildInstanceSet+141j
		push	70696D57h
		push	ecx
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	loc_929376
		mov	ecx, [ebp+var_24]
		or	[edi+8], ecx
		mov	[edi+30h], eax
		mov	eax, [ebp+arg_8]
		push	70696D57h
		lea	eax, ds:2[eax*2]
		push	eax
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_929376
		mov	edi, [ebp+arg_4]
		xor	ecx, ecx
		mov	eax, [ebp+var_C]
		mov	[ebp+var_24], ecx
		lea	edx, [edi+eax*4]
		mov	[ebp+arg_4], edx
		test	eax, eax
		jz	loc_88C035
		mov	eax, [ebp+arg_8]
		inc	eax
		mov	[ebp+arg_8], eax

loc_88C16F:				; CODE XREF: WmipBuildInstanceSet+2CAj
		mov	[edi+ecx*4], edx
		mov	edx, [ebp+var_28]
		movzx	eax, word ptr [edx]
		lea	ecx, [edx+2]
		mov	edx, [ebp+arg_8]
		shr	eax, 1
		push	eax
		mov	[ebp+var_28], ecx
		push	ecx
		mov	ecx, ebx
		mov	[ebp+arg_0], eax
		call	RtlStringCchCopyNW
		push	[ebp+arg_4]
		mov	eax, [ebp+arg_0]
		mov	edx, ebx
		add	eax, 7
		mov	ecx, esi
		push	eax
		call	_WmipMangleInstanceName@16 ; WmipMangleInstanceName(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_929380
		mov	edx, [ebp+arg_4]
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_88C1B4:				; CODE XREF: WmipBuildInstanceSet+29Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_2C]
		jnz	short loc_88C1B4
		mov	eax, [ebp+arg_0]
		sub	ecx, esi
		mov	esi, [ebp+var_14]
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		mov	ecx, [ebp+var_28]
		add	edx, 2
		mov	[ebp+arg_4], edx
		lea	eax, [ecx+eax*2]
		mov	ecx, [ebp+var_24]
		inc	ecx
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], ecx
		cmp	ecx, [ebp+var_C]
		jnb	loc_88C035
		jmp	short loc_88C16F
; 

loc_88C1EE:				; CODE XREF: WmipBuildInstanceSet+119j
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88C041
; 

loc_88C1FA:				; CODE XREF: WmipBuildInstanceSet+46j
		or	eax, 4
		mov	[edi+8], eax
		mov	ecx, [esi+10h]
		jmp	loc_88BF6E
; 

loc_88C208:				; CODE XREF: WmipBuildInstanceSet+5Bj
		or	eax, 8000h
		mov	[edi+8], eax
		mov	ecx, [esi+10h]
		jmp	loc_88BF83
; 

loc_88C218:				; CODE XREF: WmipBuildInstanceSet+52j
		or	eax, 1000h
		mov	[edi+8], eax
		mov	ecx, [esi+10h]
		test	ecx, 1000h
		jz	loc_88BF7A
		or	eax, 80000h
		mov	[edi+8], eax
		mov	ecx, [esi+10h]
		jmp	loc_88BF7A
WmipBuildInstanceSet endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipValidateWmiRegInfoString(x, x, x, x)
_WmipValidateWmiRegInfoString@16 proc near ; CODE XREF:	WmipProcessWmiRegInfo(x,x,x,x)+2Ep
					; WmipProcessWmiRegInfo(x,x,x,x)+44p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		mov	eax, ecx
		mov	ecx, [ebp+arg_0]
		cmp	ecx, esi
		ja	short loc_88C276
		test	cl, 1
		jnz	short loc_88C276
		test	ecx, ecx
		jz	short loc_88C272
		lea	edx, [eax+ecx]
		movzx	eax, word ptr [edx]
		add	eax, ecx
		cmp	eax, esi
		ja	short loc_88C276

loc_88C266:				; CODE XREF: WmipValidateWmiRegInfoString(x,x,x,x)+34j
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		xor	eax, eax

loc_88C26D:				; CODE XREF: WmipValidateWmiRegInfoString(x,x,x,x)+3Bj
		pop	esi
		pop	ebp
		retn	8
; 

loc_88C272:				; CODE XREF: WmipValidateWmiRegInfoString(x,x,x,x)+18j
		xor	edx, edx
		jmp	short loc_88C266
; 

loc_88C276:				; CODE XREF: WmipValidateWmiRegInfoString(x,x,x,x)+Fj
					; WmipValidateWmiRegInfoString(x,x,x,x)+14j ...
		mov	eax, 0C000000Dh
		jmp	short loc_88C26D
_WmipValidateWmiRegInfoString@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipDetermineInstanceBaseIndex(x, x, x)
_WmipDetermineInstanceBaseIndex@12 proc	near ; CODE XREF: WmipBuildInstanceSet+ECp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= word ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], edx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		mov	esi, ecx
		mov	edi, eax
		call	KeWaitForSingleObject
		xor	dl, dl
		mov	ecx, esi
		call	_WmipFindGEByGuid@8 ; WmipFindGEByGuid(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_88C316
		lea	edx, [ebx+20h]
		mov	eax, [edx]
		jmp	short loc_88C2F2
; 

loc_88C2B6:				; CODE XREF: WmipDetermineInstanceBaseIndex(x,x,x)+6Aj
					; WmipDetermineInstanceBaseIndex(x,x,x)+8Aj
		mov	dx, [ecx]
		cmp	dx, [esi]
		mov	[ebp+var_2], dx
		lea	edx, [ebx+20h]
		jnz	short loc_88C32B
		cmp	[ebp+var_2], 0
		jz	short loc_88C2EA
		mov	dx, [ecx+2]
		cmp	dx, [esi+2]
		mov	[ebp+var_2], dx
		lea	edx, [ebx+20h]
		jnz	short loc_88C32B
		add	ecx, 4
		add	esi, 4
		cmp	[ebp+var_2], 0
		jnz	short loc_88C2B6

loc_88C2EA:				; CODE XREF: WmipDetermineInstanceBaseIndex(x,x,x)+4Cj
		xor	ecx, ecx

loc_88C2EC:				; CODE XREF: WmipDetermineInstanceBaseIndex(x,x,x)+B2j
		test	ecx, ecx
		jz	short loc_88C332

loc_88C2F0:				; CODE XREF: WmipDetermineInstanceBaseIndex(x,x,x)+7Cj
					; WmipDetermineInstanceBaseIndex(x,x,x)+BEj ...
		mov	eax, [eax]

loc_88C2F2:				; CODE XREF: WmipDetermineInstanceBaseIndex(x,x,x)+36j
		cmp	eax, edx
		jz	short loc_88C30A
		test	byte ptr [eax+8], 1
		jz	short loc_88C2F0
		mov	ecx, [eax+30h]
		mov	[ebp+var_C], ecx
		lea	esi, [ecx+4]
		mov	ecx, [ebp+var_8]
		jmp	short loc_88C2B6
; 

loc_88C30A:				; CODE XREF: WmipDetermineInstanceBaseIndex(x,x,x)+76j
		mov	edx, ebx
		mov	ecx, offset _WmipGEChunkInfo
		call	WmipUnreferenceEntry

loc_88C316:				; CODE XREF: WmipDetermineInstanceBaseIndex(x,x,x)+2Fj
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_88C32B:				; CODE XREF: WmipDetermineInstanceBaseIndex(x,x,x)+45j
					; WmipDetermineInstanceBaseIndex(x,x,x)+5Dj
		sbb	ecx, ecx
		or	ecx, 1
		jmp	short loc_88C2EC
; 

loc_88C332:				; CODE XREF: WmipDetermineInstanceBaseIndex(x,x,x)+70j
		mov	esi, [ebp+var_C]
		mov	ecx, [eax+24h]
		add	ecx, [esi]
		cmp	edi, ecx
		ja	short loc_88C2F0
		mov	edi, ecx
		jmp	short loc_88C2F0
_WmipDetermineInstanceBaseIndex@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipGenerateRegistrationNotification proc near ; CODE XREF: WmipAddDataSource+129p
					; WmipRemoveDS(x)+Fp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00929387 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		push	edi
		mov	[ebp+var_18], ebx
		call	WmipReferenceEntry
		xor	edx, edx
		lea	edi, [ebx+14h]
		and	[ebp+var_14], edx
		xor	esi, esi
		mov	[ebp+var_4], edi
		mov	edi, [edi]
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], esi
		cmp	edi, [ebp+var_4]
		jz	short loc_88C3C2
		mov	edx, [ebp+var_4]

loc_88C377:				; CODE XREF: WmipGenerateRegistrationNotification+75j
		lea	esi, [edi-14h]
		test	byte ptr [esi+8], 8
		jnz	short loc_88C3B3
		mov	ebx, [esi+1Ch]
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_14]
		add	ebx, 28h
		push	eax
		lea	eax, [ebp+var_C]
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	_WmipCachePtrs@20 ; WmipCachePtrs(x,x,x,x,x)
		mov	eax, [ebp+var_10]
		cmp	eax, 1
		jnz	loc_929387
		mov	edx, esi
		mov	ecx, ebx
		call	WmipEnableCollectionForNewGuid

loc_88C3B0:				; CODE XREF: WmipGenerateRegistrationNotification+9D048j
					; WmipGenerateRegistrationNotification+9D057j
		mov	edx, [ebp+var_4]

loc_88C3B3:				; CODE XREF: WmipGenerateRegistrationNotification+3Cj
		mov	edi, [edi]
		cmp	edi, edx
		jnz	short loc_88C377
		mov	esi, [ebp+var_8]
		mov	edx, [ebp+var_C]
		mov	ebx, [ebp+var_18]

loc_88C3C2:				; CODE XREF: WmipGenerateRegistrationNotification+30j
		mov	ecx, [ebp+var_10]
		push	esi
		call	_WmipSendGuidUpdateNotifications@12 ; WmipSendGuidUpdateNotifications(x,x,x)
		test	esi, esi
		jz	short loc_88C3D7
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88C3D7:				; CODE XREF: WmipGenerateRegistrationNotification+8Bj
		mov	edx, ebx
		mov	ecx, offset _WmipDSChunkInfo
		call	WmipUnreferenceEntry
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
WmipGenerateRegistrationNotification endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipEnableCollectionForNewGuid proc near
					; CODE XREF: WmipGenerateRegistrationNotification+69p
					; WmipUpdateDataSource+9D7F5p

var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092939E SIZE 00000133 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [ebp+var_38]
		mov	esi, edx
		mov	edi, ecx
		mov	[ebp+var_40], esi
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_3C], edi
		call	_memset
		add	esp, 0Ch
		xor	dl, dl
		mov	ecx, edi
		call	_WmipFindGEByGuid@8 ; WmipFindGEByGuid(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_88C462
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		cmp	dword ptr [ebx+38h], 0
		ja	loc_92939E

loc_88C440:				; CODE XREF: WmipEnableCollectionForNewGuid+9CFBEj
					; WmipEnableCollectionForNewGuid+9D047j
		cmp	dword ptr [ebx+3Ch], 0
		ja	loc_929434

loc_88C44A:				; CODE XREF: WmipEnableCollectionForNewGuid+9D057j
					; WmipEnableCollectionForNewGuid+9D0D6j ...
		mov	edx, ebx
		mov	ecx, offset _WmipGEChunkInfo
		call	WmipUnreferenceEntry
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_88C462:				; CODE XREF: WmipEnableCollectionForNewGuid+3Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
WmipEnableCollectionForNewGuid endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipCachePtrs(x, x,	x, x, x)
_WmipCachePtrs@20 proc near		; CODE XREF: WmipGenerateRegistrationNotification+54p
					; WmipUpdateDataSource+9D687p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+arg_4]
		push	edi
		mov	eax, [esi]
		mov	[ebp+var_8], edx
		mov	edi, [ecx]
		cmp	eax, edi
		jz	short loc_88C4AC
		mov	edi, [ebx]

loc_88C495:				; CODE XREF: WmipCachePtrs(x,x,x,x,x)+87j
		mov	ecx, [ebp+var_4]
		mov	[edi+eax*8], ecx
		mov	ecx, [ebp+var_8]
		mov	[edi+eax*8+4], ecx
		inc	eax
		mov	[esi], eax

loc_88C4A5:				; CODE XREF: WmipCachePtrs(x,x,x,x,x)+52j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_88C4AC:				; CODE XREF: WmipCachePtrs(x,x,x,x,x)+1Fj
		push	70696D57h
		lea	eax, ds:200h[edi*8]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_88C4A5
		mov	eax, [ebp+arg_4]
		mov	esi, [eax]
		mov	ecx, esi
		mov	eax, [ebx]
		shl	ecx, 3
		push	ecx		; size_t
		push	eax		; void *
		push	edi		; void *
		mov	[ebp+arg_8], eax
		call	_memcpy
		mov	ecx, [ebp+arg_4]
		lea	eax, [esi+40h]
		add	esp, 0Ch
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_88C4FB

loc_88C4EF:				; CODE XREF: WmipCachePtrs(x,x,x,x,x)+91j
		mov	eax, [ebp+arg_0]
		mov	esi, [ebp+arg_0]
		mov	[ebx], edi
		mov	eax, [eax]
		jmp	short loc_88C495
; 

loc_88C4FB:				; CODE XREF: WmipCachePtrs(x,x,x,x,x)+7Bj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_88C4EF
_WmipCachePtrs@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipSendGuidUpdateNotifications(x, x, x)
_WmipSendGuidUpdateNotifications@12 proc near
					; CODE XREF: WmipGenerateRegistrationNotification+84p
					; WmipUpdateDataSource+9D759p ...

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	esi, edi
		shl	esi, 4
		add	esi, 8
		push	70696D57h
		lea	eax, [esi+66h]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jz	loc_88C5E8
		lea	eax, [esi+66h]
		push	eax		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		push	30h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	dword ptr [ebx+18h], 0B48D49A1h
		lea	eax, [esi+66h]
		add	esp, 0Ch
		mov	dword ptr [ebx+1Ch], 11D0E777h
		mov	dword ptr [ebx+20h], 0A0000CA5h
		lea	ecx, [ebx+42h]
		mov	dword ptr [ebx+24h], 102906C9h
		mov	[ebx], eax
		push	1Ch
		pop	edx
		mov	dword ptr [ebx+2Ch], 0Ah
		mov	dword ptr [ebx+30h], 40h
		mov	dword ptr [ebx+38h], 60h
		mov	[ebx+3Ch], esi
		push	(offset	loc_8C02E1+1)
		mov	[ebx+40h], dx
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		mov	eax, [ebx+38h]
		lea	edx, [ebx+8]
		mov	ecx, [ebp+var_4]
		add	edx, eax
		mov	[eax+ebx], ecx
		xor	ecx, ecx
		mov	[eax+ebx+4], edi
		test	edi, edi
		jz	short loc_88C5D5
		mov	ebx, [ebp+arg_0]
		mov	eax, edi

loc_88C5C1:				; CODE XREF: WmipSendGuidUpdateNotifications(x,x,x)+CAj
		mov	esi, [ebx+ecx*8]
		mov	edi, edx
		add	edx, 10h
		inc	ecx
		movsd
		movsd
		movsd
		movsd
		cmp	ecx, eax
		jb	short loc_88C5C1
		mov	ebx, [ebp+var_C]

loc_88C5D5:				; CODE XREF: WmipSendGuidUpdateNotifications(x,x,x)+B4j
		push	0
		mov	dl, 1
		mov	ecx, ebx
		call	WmipProcessEvent
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88C5E8:				; CODE XREF: WmipSendGuidUpdateNotifications(x,x,x)+2Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_WmipSendGuidUpdateNotifications@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipLinkDataSourceToList proc near	; CODE XREF: WmipAddDataSource+AAp
					; WmipUpdateAddGuid(x,x,x,x,x)+6Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009294D1 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		push	esi
		push	edi
		lea	eax, [ebx+14h]
		mov	esi, [eax]

loc_88C605:				; CODE XREF: WmipLinkDataSourceToList+85j
		mov	[ebp+var_C], esi
		cmp	esi, eax
		jz	short loc_88C677
		lea	edi, [esi-14h]
		test	byte ptr [edi+8], 8
		mov	[ebp+var_8], edi
		jz	short loc_88C673
		mov	ecx, [edi+1Ch]
		xor	dl, dl
		call	_WmipFindGEByGuid@8 ; WmipFindGEByGuid(x,x)
		test	eax, eax
		jnz	short loc_88C65D
		call	_WmipAllocGuidEntry@0 ;	WmipAllocGuidEntry()
		test	eax, eax
		jz	loc_9294D1
		mov	esi, [ebp+var_8]
		lea	edi, [eax+28h]
		mov	ecx, _WmipGEHeadPtr
		mov	esi, [esi+1Ch]
		movsd
		movsd
		movsd
		movsd
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_88C6A3
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_8]
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		mov	[ecx], eax

loc_88C65D:				; CODE XREF: WmipLinkDataSourceToList+34j
		push	[ebp+arg_0]
		and	dword ptr [edi+8], 0FFFFFFF7h
		mov	edx, eax
		mov	ecx, edi
		mov	[edi+1Ch], eax
		call	_WmipLinkInstanceSetToGuidEntry@12 ; WmipLinkInstanceSetToGuidEntry(x,x,x)
		lea	eax, [ebx+14h]

loc_88C673:				; CODE XREF: WmipLinkDataSourceToList+26j
		mov	esi, [esi]
		jmp	short loc_88C605
; 

loc_88C677:				; CODE XREF: WmipLinkDataSourceToList+1Aj
		cmp	[ebp+var_1], 0
		jz	short loc_88C69A
		mov	eax, _WmipDSHeadPtr
		or	dword ptr [ebx+8], 40000000h
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_88C6A3
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		mov	[eax+4], ebx

loc_88C69A:				; CODE XREF: WmipLinkDataSourceToList+8Bj
		xor	eax, eax

loc_88C69C:				; CODE XREF: WmipLinkDataSourceToList+9CEE6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_88C6A3:				; CODE XREF: WmipLinkDataSourceToList+5Bj
					; WmipLinkDataSourceToList+9Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
WmipLinkDataSourceToList endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipLinkInstanceSetToGuidEntry(x, x, x)
_WmipLinkInstanceSetToGuidEntry@12 proc	near ; CODE XREF: WmipLinkDataSourceToList+7Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		lea	eax, [edx+20h]
		push	esi
		mov	esi, [eax+4]
		cmp	[esi], eax
		jnz	short loc_88C6DD
		mov	[ecx+4], esi
		mov	[ecx], eax
		mov	[esi], ecx
		mov	[eax+4], ecx
		inc	dword ptr [edx+14h]
		test	dword ptr [ecx+8], 80000h
		pop	esi
		jnz	short loc_88C6D3

loc_88C6CF:				; CODE XREF: WmipLinkInstanceSetToGuidEntry(x,x,x)+33j
		pop	ebp
		retn	4
; 

loc_88C6D3:				; CODE XREF: WmipLinkInstanceSetToGuidEntry(x,x,x)+25j
		mov	edx, [ebp+arg_0]
		call	WmipRegisterEtwProvider
		jmp	short loc_88C6CF
; 

loc_88C6DD:				; CODE XREF: WmipLinkInstanceSetToGuidEntry(x,x,x)+Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_WmipLinkInstanceSetToGuidEntry@12 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall WmipAllocGuidEntry()
_WmipAllocGuidEntry@0 proc near		; CODE XREF: WmipOpenBlock+133p
					; WmipLinkDataSourceToList+36p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, 70696D57h
		xor	edi, edi
		push	ebx
		push	20h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_88C740
		mov	ecx, offset _WmipGEChunkInfo
		call	_WmipAllocEntry@4 ; WmipAllocEntry(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_88C73C
		lea	ecx, [edi+20h]
		mov	[edi+40h], esi
		mov	[ecx+4], ecx
		lea	eax, [edi+64h]
		mov	[ecx], ecx
		lea	ecx, [edi+18h]
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		and	dword ptr [esi+10h], 0
		mov	dword ptr [esi+18h], offset WmipLegacyEtwWorker
		mov	[esi+1Ch], edi
		xor	esi, esi

loc_88C73C:				; CODE XREF: WmipAllocGuidEntry()+2Dj
		test	esi, esi
		jnz	short loc_88C746

loc_88C740:				; CODE XREF: WmipAllocGuidEntry()+1Dj
					; WmipAllocGuidEntry()+6Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_88C746:				; CODE XREF: WmipAllocGuidEntry()+5Cj
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_88C740
_WmipAllocGuidEntry@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall WmipAllocEntry(x)
_WmipAllocEntry@4 proc near		; CODE XREF: WmipUpdateModifyGuid+43p
					; WmipAllocDataSource()+5p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		push	dword ptr [edi]
		call	_ExAllocateFromPagedLookasideList@4 ; ExAllocateFromPagedLookasideList(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_88C784
		push	dword ptr [edi+4] ; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	dword ptr [esi+0Ch], 1
		add	esp, 0Ch
		mov	eax, [edi+0Ch]
		mov	[esi+8], eax
		mov	eax, [edi+10h]
		mov	[esi+10h], eax

loc_88C784:				; CODE XREF: WmipAllocEntry(x)+11j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_WmipAllocEntry@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipMangleInstanceName(x, x, x, x)
_WmipMangleInstanceName@16 proc	near	; CODE XREF: WmipBuildInstanceSet+27Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		lea	eax, [ebp+var_4]
		mov	edi, ecx
		xor	ebx, ebx
		push	eax
		mov	edx, 7FFFFFFFh
		mov	[ebp+var_C], ebx
		mov	ecx, esi
		mov	[ebp+var_4], ebx
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	esi
		call	RtlStringCchCopyW
		xor	dl, dl
		mov	ecx, edi
		call	_WmipFindGEByGuid@8 ; WmipFindGEByGuid(x,x)
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	short loc_88C7F7
		mov	edi, [ebp+var_4]
		push	5Ah
		pop	eax
		mov	esi, eax
		dec	edi
		mov	eax, [ebp+arg_4]

loc_88C7DB:				; CODE XREF: WmipMangleInstanceName(x,x,x,x)+A7j
		lea	edx, [ebp+var_C]
		push	edx
		mov	edx, eax
		call	WmipFindISinGEbyName
		test	eax, eax
		jnz	short loc_88C800

loc_88C7EA:				; CODE XREF: WmipMangleInstanceName(x,x,x,x)+B4j
		mov	edx, [ebp+var_8]
		mov	ecx, offset _WmipGEChunkInfo
		call	WmipUnreferenceEntry

loc_88C7F7:				; CODE XREF: WmipMangleInstanceName(x,x,x,x)+43j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_88C800:				; CODE XREF: WmipMangleInstanceName(x,x,x,x)+5Ej
		mov	edx, eax
		mov	ecx, offset _WmipISChunkInfo
		call	WmipUnreferenceEntry
		push	5Ah
		pop	eax
		cmp	si, ax
		jnz	short loc_88C833
		mov	eax, [ebp+arg_0]
		inc	edi
		dec	eax
		push	41h
		pop	esi
		cmp	edi, eax
		jz	short loc_88C839
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	[eax+edi*2+2], cx

loc_88C82A:				; CODE XREF: WmipMangleInstanceName(x,x,x,x)+ADj
		mov	ecx, [ebp+var_8]
		mov	[eax+edi*2], si
		jmp	short loc_88C7DB
; 

loc_88C833:				; CODE XREF: WmipMangleInstanceName(x,x,x,x)+88j
		mov	eax, [ebp+arg_4]
		inc	esi
		jmp	short loc_88C82A
; 

loc_88C839:				; CODE XREF: WmipMangleInstanceName(x,x,x,x)+94j
		mov	ebx, 0C000009Ah
		jmp	short loc_88C7EA
_WmipMangleInstanceName@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipFindISinGEbyName proc near		; CODE XREF: WmipMangleInstanceName(x,x,x,x)+57p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= word ptr -2
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009294DB SIZE 00000094 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	eax, edx
		push	esi
		mov	ebx, eax
		mov	[ebp+var_8], eax
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	[ebp+var_10], edi
		lea	ecx, [ebx+2]

loc_88C85C:				; CODE XREF: WmipFindISinGEbyName+25j
		mov	ax, [ebx]
		add	ebx, 2
		cmp	ax, di
		jnz	short loc_88C85C
		push	edi
		push	edi
		push	edi
		sub	ebx, ecx
		push	edi
		sar	ebx, 1
		push	offset _WmipSMMutex
		mov	[ebp+var_C], ebx
		call	KeWaitForSingleObject
		lea	eax, [esi+20h]
		mov	esi, [eax]
		mov	[ebp+var_18], eax
		cmp	esi, eax
		jz	short loc_88C8F7

loc_88C888:				; CODE XREF: WmipFindISinGEbyName+B5j
		mov	eax, [esi+8]
		test	al, 1
		jnz	loc_9294DB
		test	al, 2
		jz	short loc_88C8F0
		mov	eax, [esi+24h]
		mov	ecx, edi
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_88C8F0
		mov	edi, [esi+30h]

loc_88C8A6:				; CODE XREF: WmipFindISinGEbyName+ACj
		mov	edx, [edi]
		mov	eax, [ebp+var_8]

loc_88C8AB:				; CODE XREF: WmipFindISinGEbyName+9Dj
		mov	bx, [eax]
		cmp	bx, [edx]
		mov	[ebp+var_2], bx
		mov	ebx, [ebp+var_C]
		jnz	short loc_88C90D
		cmp	[ebp+var_2], 0
		jz	short loc_88C8DF
		mov	bx, [eax+2]
		cmp	bx, [edx+2]
		mov	[ebp+var_2], bx
		mov	ebx, [ebp+var_C]
		jnz	short loc_88C90D
		add	eax, 4
		add	edx, 4
		cmp	[ebp+var_2], 0
		jnz	short loc_88C8AB

loc_88C8DF:				; CODE XREF: WmipFindISinGEbyName+7Fj
		xor	eax, eax

loc_88C8E1:				; CODE XREF: WmipFindISinGEbyName+D2j
		test	eax, eax
		jz	short loc_88C914
		inc	ecx
		add	edi, 4
		cmp	ecx, [ebp+var_14]
		jb	short loc_88C8A6

loc_88C8EE:				; CODE XREF: WmipFindISinGEbyName+9CCB8j
					; WmipFindISinGEbyName+9CCCDj ...
		xor	edi, edi

loc_88C8F0:				; CODE XREF: WmipFindISinGEbyName+55j
					; WmipFindISinGEbyName+61j
		mov	esi, [esi]
		cmp	esi, [ebp+var_18]
		jnz	short loc_88C888

loc_88C8F7:				; CODE XREF: WmipFindISinGEbyName+46j
		mov	esi, edi

loc_88C8F9:				; CODE XREF: WmipFindISinGEbyName+E2j
		push	edi

loc_88C8FA:				; CODE XREF: WmipFindISinGEbyName+9CD2Aj
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_88C90D:				; CODE XREF: WmipFindISinGEbyName+78j
					; WmipFindISinGEbyName+90j
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_88C8E1
; 

loc_88C914:				; CODE XREF: WmipFindISinGEbyName+A3j
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	ecx, esi
		call	WmipReferenceEntry
		xor	edi, edi
		jmp	short loc_88C8F9
WmipFindISinGEbyName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipAddMofResource proc	near		; CODE XREF: WmipAddDataSource+159p
					; WmipInitializeDataStructs+105p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0092956F SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		call	_WmipFindMRByNames@8 ; WmipFindMRByNames(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_88CA6C
		mov	ecx, offset _WmipMRChunkInfo
		call	_WmipAllocEntry@4 ; WmipAllocEntry(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_92956F
		xor	edx, edx
		inc	edx
		cmp	byte ptr [ebp+arg_0], 0
		mov	[ebp+var_4], edx
		jnz	loc_88CA73

loc_88C96C:				; CODE XREF: WmipAddMofResource+152j
		mov	ecx, edi
		xor	ebx, ebx
		lea	eax, [ecx+2]
		mov	[ebp+arg_0], eax

loc_88C976:				; CODE XREF: WmipAddMofResource+5Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_88C976
		sub	ecx, [ebp+arg_0]
		sar	ecx, 1
		push	70696D57h
		lea	eax, ds:2[ecx*2]
		push	eax
		push	edx
		mov	[ebp+arg_0], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+arg_4]
		mov	[esi+14h], eax
		lea	edx, [ecx+2]

loc_88C9A5:				; CODE XREF: WmipAddMofResource+8Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_88C9A5
		sub	ecx, edx
		sar	ecx, 1
		push	70696D57h
		lea	eax, ds:2[ecx*2]
		push	eax
		push	1
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [esi+14h]
		mov	[esi+18h], eax
		test	ecx, ecx
		jz	loc_929579
		test	eax, eax
		jz	loc_929579
		mov	edx, [ebp+arg_0]
		push	edi
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		push	[ebp+arg_4]
		mov	edx, [ebp+var_8]
		mov	ecx, [esi+18h]
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		mov	edi, offset _WmipSMMutex
		push	edi
		call	KeWaitForSingleObject
		mov	eax, _WmipMRHeadPtr
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_88CA7B
		mov	[esi], eax
		mov	[esi+4], ecx
		push	ebx
		mov	[ecx], esi
		push	edi
		mov	[eax+4], esi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_88CA24:				; CODE XREF: WmipAddMofResource+14Dj
		mov	eax, [ebp+arg_8]
		mov	edi, [ebp+var_C]
		mov	ecx, [ebp+var_4]
		mov	[eax], cl
		test	edi, edi
		jz	short loc_88CA80
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		mov	edx, esi
		mov	ecx, edi
		call	WmipInsertMofResource
		push	ebx
		push	offset _WmipSMMutex
		mov	edi, eax
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_88CA57:				; CODE XREF: WmipAddMofResource+9CC5Aj
		mov	edx, esi
		mov	ecx, offset _WmipMRChunkInfo
		call	WmipUnreferenceEntry

loc_88CA63:				; CODE XREF: WmipAddMofResource+15Ej
					; WmipAddMofResource+9CC50j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_88CA6C:				; CODE XREF: WmipAddMofResource+1Ej
		xor	ebx, ebx
		mov	byte ptr [ebp+var_4], bl
		jmp	short loc_88CA24
; 

loc_88CA73:				; CODE XREF: WmipAddMofResource+42j
		or	[esi+8], edx
		jmp	loc_88C96C
; 

loc_88CA7B:				; CODE XREF: WmipAddMofResource+EDj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_88CA80:				; CODE XREF: WmipAddMofResource+10Dj
		mov	edi, ebx
		jmp	short loc_88CA63
WmipAddMofResource endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipInsertMofResource proc near		; CODE XREF: WmipAddMofResource+121p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00929583 SIZE 00000090 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		xor	eax, eax
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], edx
		push	edi
		mov	ebx, [esi+24h]
		test	ebx, ebx
		jz	short loc_88CAB6
		mov	edi, [esi+28h]

loc_88CAA8:				; CODE XREF: WmipInsertMofResource+4Bj
		mov	ecx, [edi+eax*4]
		cmp	ecx, edx
		jz	short loc_88CAC5
		test	ecx, ecx
		jnz	short loc_88CACC
		mov	[edi+eax*4], edx

loc_88CAB6:				; CODE XREF: WmipInsertMofResource+1Fj
					; WmipInsertMofResource+4Dj
		cmp	eax, ebx
		jz	loc_929583

loc_88CABE:				; CODE XREF: WmipInsertMofResource+9CB8Aj
		mov	ecx, edx
		call	WmipReferenceEntry

loc_88CAC5:				; CODE XREF: WmipInsertMofResource+29j
		xor	eax, eax

loc_88CAC7:				; CODE XREF: WmipInsertMofResource+9CB2Aj
					; WmipInsertMofResource+9CB4Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_88CACC:				; CODE XREF: WmipInsertMofResource+2Dj
		inc	eax
		cmp	eax, ebx
		jb	short loc_88CAA8
		jmp	short loc_88CAB6
WmipInsertMofResource endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall WmipFindMRByNames(x, x)
_WmipFindMRByNames@8 proc near		; CODE XREF: WmipAddMofResource+15p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	edi, edx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		mov	ebx, ecx
		call	KeWaitForSingleObject
		mov	eax, _WmipMRHeadPtr
		mov	esi, [eax]
		cmp	esi, eax
		jz	short loc_88CB2F

loc_88CAF8:				; CODE XREF: WmipFindMRByNames(x,x)+59j
		mov	eax, [esi+14h]
		mov	ecx, ebx

loc_88CAFD:				; CODE XREF: WmipFindMRByNames(x,x)+49j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_88CB79
		test	dx, dx
		jz	short loc_88CB1F
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_88CB79
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_88CAFD

loc_88CB1F:				; CODE XREF: WmipFindMRByNames(x,x)+34j
		xor	eax, eax

loc_88CB21:				; CODE XREF: WmipFindMRByNames(x,x)+AAj
		test	eax, eax
		jz	short loc_88CB43

loc_88CB25:				; CODE XREF: WmipFindMRByNames(x,x)+9Aj
		mov	esi, [esi]
		cmp	esi, _WmipMRHeadPtr
		jnz	short loc_88CAF8

loc_88CB2F:				; CODE XREF: WmipFindMRByNames(x,x)+22j
		xor	esi, esi

loc_88CB31:				; CODE XREF: WmipFindMRByNames(x,x)+A3j
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_88CB43:				; CODE XREF: WmipFindMRByNames(x,x)+4Fj
		mov	eax, [esi+18h]
		mov	ecx, edi

loc_88CB48:				; CODE XREF: WmipFindMRByNames(x,x)+94j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_88CB80
		test	dx, dx
		jz	short loc_88CB6A
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_88CB80
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_88CB48

loc_88CB6A:				; CODE XREF: WmipFindMRByNames(x,x)+7Fj
		xor	eax, eax

loc_88CB6C:				; CODE XREF: WmipFindMRByNames(x,x)+B1j
		test	eax, eax
		jnz	short loc_88CB25
		mov	ecx, esi
		call	WmipReferenceEntry
		jmp	short loc_88CB31
; 

loc_88CB79:				; CODE XREF: WmipFindMRByNames(x,x)+2Fj
					; WmipFindMRByNames(x,x)+3Ej
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_88CB21
; 

loc_88CB80:				; CODE XREF: WmipFindMRByNames(x,x)+7Aj
					; WmipFindMRByNames(x,x)+89j
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_88CB6C
_WmipFindMRByNames@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipRegisterEtwProvider	proc near	; CODE XREF: WmipLinkInstanceSetToGuidEntry(x,x,x)+2Ep

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00929613 SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, [ebx+1Ch]
		inc	dword ptr [edi+6Ch]
		cmp	dword ptr [edi+6Ch], 1
		jnz	short loc_88CBDB
		push	70696D57h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_88CBD6
		mov	[edi+50h], eax
		mov	[eax+8], esi
		mov	esi, eax

loc_88CBBE:				; CODE XREF: WmipRegisterEtwProvider+9CAD6j
		mov	edx, [ebp+var_4]

loc_88CBC1:				; CODE XREF: WmipRegisterEtwProvider+59j
		or	dword ptr [ebx+8], 100000h
		test	esi, esi
		jz	short loc_88CBD6
		push	edx
		mov	edx, edi
		mov	ecx, esi
		call	WmipQueueLegacyEtwWork

loc_88CBD6:				; CODE XREF: WmipRegisterEtwProvider+2Cj
					; WmipRegisterEtwProvider+42j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_88CBDB:				; CODE XREF: WmipRegisterEtwProvider+1Aj
		mov	eax, [edi+58h]
		or	eax, [edi+5Ch]
		jz	short loc_88CBC1
		jmp	loc_929613
WmipRegisterEtwProvider	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipGenerateMofResourceNotification(x, x, x, x)
_WmipGenerateMofResourceNotification@16	proc near ; CODE XREF: WmipAddDataSource+173p
					; WmipMRCleanup(x)+27p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_14], edx
		push	esi
		mov	esi, eax
		mov	[ebp+var_C], eax
		push	edi
		xor	edi, edi
		lea	ecx, [esi+2]

loc_88CC02:				; CODE XREF: WmipGenerateMofResourceNotification(x,x,x,x)+23j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, di
		jnz	short loc_88CC02
		sub	esi, ecx
		mov	ecx, edx
		sar	esi, 1
		lea	edx, [ecx+2]
		lea	esi, ds:4[esi*2]
		mov	[ebp+var_8], esi

loc_88CC20:				; CODE XREF: WmipGenerateMofResourceNotification(x,x,x,x)+41j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_88CC20
		sub	ecx, edx
		sar	ecx, 1
		push	70696D57h
		lea	ecx, ds:4[ecx*2]
		lea	eax, [esi+ecx]
		mov	[ebp+var_10], ecx
		lea	esi, [eax+48h]
		mov	[ebp+var_4], eax
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_88CCF8
		push	esi		; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	[ebx], esi
		mov	esi, [ebp+arg_0]
		mov	[ebx+0Ch], edi
		lea	edi, [ebx+18h]
		mov	[ebx+4], eax
		lea	eax, [ebx+10h]
		mov	dword ptr [ebx+8], 1
		mov	dword ptr [ebx+2Ch], 10Ah
		movsd
		push	eax
		movsd
		movsd
		movsd
		call	KeQuerySystemTime
		mov	eax, [ebp+var_4]
		lea	esi, [ebx+48h]
		mov	edi, [ebp+var_8]
		mov	[ebx+3Ch], eax
		sub	edi, 2
		xor	eax, eax
		mov	dword ptr [ebx+30h], 40h
		push	edi		; size_t
		push	[ebp+var_C]	; void *
		mov	dword ptr [ebx+38h], 48h
		mov	[ebx+40h], ax
		mov	[esi], di
		add	esi, 2
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		shr	edi, 1
		sub	eax, 2
		push	eax		; size_t
		push	[ebp+var_14]	; void *
		mov	[esi+edi*2], ax
		lea	eax, [edi+1]
		lea	eax, [esi+eax*2]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	dl, 1
		mov	ecx, ebx
		push	0
		call	WmipProcessEvent
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88CCF8:				; CODE XREF: WmipGenerateMofResourceNotification(x,x,x,x)+6Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_WmipGenerateMofResourceNotification@16	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipQueueLegacyEtwWork proc near	; CODE XREF: WmipRegisterEtwProvider+49p
					; WmipLegacyEtwCallback(x,x,x,x)+122p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00929663 SIZE 000000D7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		mov	ecx, esi
		call	WmipReferenceEntry
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jnz	loc_929663

loc_88CD1E:				; CODE XREF: WmipQueueLegacyEtwWork+9C967j
					; WmipQueueLegacyEtwWork+9C97Dj ...
		mov	eax, [esi+60h]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	loc_9296B7
		lea	eax, [esi+64h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_88CD62
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		mov	eax, [esi+8]
		test	al, 10h
		jnz	short loc_88CD5B
		or	eax, 10h
		mov	[esi+8], eax
		mov	eax, [esi+40h]
		push	1
		add	eax, 10h
		push	eax
		call	ExQueueWorkItem

loc_88CD5B:				; CODE XREF: WmipQueueLegacyEtwWork+45j
					; WmipQueueLegacyEtwWork+9C9D1j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_88CD62:				; CODE XREF: WmipQueueLegacyEtwWork+34j
					; WmipQueueLegacyEtwWork+9C99Bj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
WmipQueueLegacyEtwWork endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipFindISInDSByGuid(x, x)
_WmipFindISInDSByGuid@8	proc near	; CODE XREF: WmipUpdateDataSource+DDp
					; WmipUpdateModifyGuid+2Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		lea	ebx, [ecx+14h]
		mov	[ebp+var_4], edx
		mov	esi, [ebx]
		push	edi

loc_88CD79:				; CODE XREF: WmipFindISInDSByGuid(x,x)+34j
		cmp	esi, ebx
		jz	short loc_88CDAE
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_88CD9A
		push	10h		; size_t
		add	eax, 28h
		push	eax		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_88CD9E
		mov	edx, [ebp+var_4]

loc_88CD9A:				; CODE XREF: WmipFindISInDSByGuid(x,x)+1Aj
		mov	esi, [esi]
		jmp	short loc_88CD79
; 

loc_88CD9E:				; CODE XREF: WmipFindISInDSByGuid(x,x)+2Dj
		lea	ecx, [esi-14h]
		call	WmipReferenceEntry
		lea	eax, [esi-14h]

loc_88CDA9:				; CODE XREF: WmipFindISInDSByGuid(x,x)+48j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_88CDAE:				; CODE XREF: WmipFindISInDSByGuid(x,x)+13j
		xor	eax, eax
		jmp	short loc_88CDA9
_WmipFindISInDSByGuid@8	endp

; 
		align 8
; Exported entry 940. IoRegisterFileSystem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoRegisterFileSystem
IoRegisterFileSystem proc near		; CODE XREF: RawInitialize+116p
					; RawInitialize+121p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092973A SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	1
		push	dword ptr [esi+8]
		call	_FsRtlSetDriverBacking@8 ; FsRtlSetDriverBacking(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	cl, 1
		call	IopSetFsRegistrationInProgress
		push	1
		push	offset _IopDatabaseResource
		call	ExAcquireResourceExclusiveLite
		mov	eax, [esi+2Ch]
		cmp	eax, 14h
		jz	loc_88CEDF
		cmp	eax, 3
		jz	loc_88CED5
		cmp	eax, 8
		jnz	loc_88CEE9
		mov	ecx, offset _IopDiskFileSystemQueueHead

loc_88CE11:				; CODE XREF: IoRegisterFileSystem+122j
					; IoRegisterFileSystem+13Fj
		mov	eax, [esi+8]
		or	dword ptr [eax+8], 80h

loc_88CE1B:				; CODE XREF: IoRegisterFileSystem+12Cj
		mov	edx, [esi+1Ch]
		test	edx, 10000h
		jnz	loc_88CEBC
		mov	eax, [ecx]
		mov	edi, 200h
		test	edx, edi
		jnz	loc_92973A
		mov	edx, ecx

loc_88CE3B:				; CODE XREF: IoRegisterFileSystem+9C9A1j
		cmp	eax, ecx
		jz	short loc_88CE48
		test	[eax-18h], edi
		jnz	loc_929755

loc_88CE48:				; CODE XREF: IoRegisterFileSystem+85j
		mov	ecx, [edx]
		lea	eax, [esi+34h]
		cmp	[ecx+4], edx
		jnz	loc_88CEFC
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[ecx+4], eax
		mov	[edx], eax

loc_88CE60:				; CODE XREF: IoRegisterFileSystem+11Bj
					; IoRegisterFileSystem+134j ...
		inc	_IopFsRegistrationOps
		mov	ebx, offset _IopFsNotifyChangeQueueHead
		and	dword ptr [esi+1Ch], 0FFFFFF7Fh
		mov	edi, _IopFsNotifyChangeQueueHead
		jmp	short loc_88CE84
; 

loc_88CE7A:				; CODE XREF: IoRegisterFileSystem+CEj
		push	1
		lea	eax, [edi]
		mov	edi, [edi]
		push	esi
		call	dword ptr [eax+0Ch]

loc_88CE84:				; CODE XREF: IoRegisterFileSystem+C0j
		cmp	edi, ebx
		jnz	short loc_88CE7A
		xor	cl, cl
		call	IopSetFsRegistrationInProgress
		mov	ecx, offset _IopDatabaseResource
		call	ExReleaseResourceLite
		xor	cl, cl
		call	IopSetFsRegistrationInProgress
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	dl, 1
		mov	ecx, esi
		call	IopIncrementDeviceObjectRefCount
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_88CEBC:				; CODE XREF: IoRegisterFileSystem+6Cj
		mov	ecx, [ecx+4]
		lea	eax, [esi+34h]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_88CEFC
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		jmp	short loc_88CE60
; 

loc_88CED5:				; CODE XREF: IoRegisterFileSystem+45j
		mov	ecx, offset _IopCdRomFileSystemQueueHead
		jmp	loc_88CE11
; 

loc_88CEDF:				; CODE XREF: IoRegisterFileSystem+3Cj
		mov	ecx, offset _IopNetworkFileSystemQueueHead
		jmp	loc_88CE1B
; 

loc_88CEE9:				; CODE XREF: IoRegisterFileSystem+4Ej
		cmp	eax, 20h
		jnz	loc_88CE60
		mov	ecx, offset _IopTapeFileSystemQueueHead
		jmp	loc_88CE11
; 

loc_88CEFC:				; CODE XREF: IoRegisterFileSystem+98j
					; IoRegisterFileSystem+10Fj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
IoRegisterFileSystem endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipDmgInitPhaseTwo proc	near		; CODE XREF: PiDmaGuardInitialize+11p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092975E SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PipDmaGuardPolicy, 0
		push	esi
		push	edi
		jnz	loc_92975E

loc_88CF23:				; CODE XREF: PipDmgInitPhaseTwo+9C872j
		cmp	dword_6B2B18, 5
		jbe	short loc_88CF48
		push	4000h
		xor	esi, esi
		mov	edi, offset dword_6B2B18
		push	esi
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_929779

loc_88CF48:				; CODE XREF: PipDmgInitPhaseTwo+28j
					; PipDmgInitPhaseTwo+9C8A5j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PipDmgInitPhaseTwo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DrvDbOpenContext proc near		; CODE XREF: PiDrvDbInit(x)+43p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009297AC SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, _PiPnpRtlCtx
		xor	ebx, ebx
		and	_PiDrvDbCtx, ebx
		push	42444450h
		push	20h
		mov	eax, [edi]
		push	1
		mov	[ebp+var_C], edi
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9297AC
		xor	eax, eax
		mov	[esi+10h], eax
		mov	[esi+14h], eax
		mov	[esi+18h], eax
		mov	[esi+1Ch], eax
		mov	eax, [ebp+var_8]
		push	42444450h
		mov	[esi+4], eax
		lea	eax, [esi+0Ch]
		push	38h
		push	200h
		mov	[esi], edi
		mov	dword ptr [esi+8], 0D0000000h
		mov	[eax+4], eax
		mov	[eax], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+1Ch], eax
		test	eax, eax
		jz	loc_9297C5
		push	eax
		call	ExInitializeResourceLite
		mov	edi, eax
		test	edi, edi
		js	loc_9297B6

loc_88CFE5:				; CODE XREF: DrvDbOpenContext+9C87Aj
		lea	eax, [ebp+var_4]
		mov	edx, offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@
		push	eax
		push	0
		push	0
		push	3
		push	offset ??_C@_1BO@JJFLMBDN@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAa?$AAb?$AAa?$AAs?$AAe@NNGAKEGL@ ; "DriverDatabase"
		push	1
		mov	ecx, esi
		call	DrvDbCreateDatabaseNode
		mov	ebx, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_88D032
		mov	edx, ebx
		mov	ecx, esi
		call	DrvDbLoadDatabaseNode
		mov	edi, eax
		test	edi, edi
		js	short loc_88D032
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		call	_DrvDbRegisterObjects@8	; DrvDbRegisterObjects(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_88D032
		mov	_PiDrvDbCtx, esi
		xor	esi, esi

loc_88D032:				; CODE XREF: DrvDbOpenContext+B1j
					; DrvDbOpenContext+C0j	...
		test	esi, esi
		jnz	loc_9297D7

loc_88D03A:				; CODE XREF: DrvDbOpenContext+9C859j
					; DrvDbOpenContext+9C8A9j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
DrvDbOpenContext endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbRegisterObjects(x, x)
_DrvDbRegisterObjects@8	proc near	; CODE XREF: DrvDbOpenContext+C7p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	ebx, ecx
		xor	esi, esi

loc_88D052:				; CODE XREF: DrvDbRegisterObjects(x,x)+5Dj
		mov	edi, ds:dword_404C60[esi]
		xor	edx, edx
		lea	eax, [edi-1]
		cmp	eax, 0Ah
		ja	short loc_88D0A8
		mov	ecx, ds:off_404C64[esi]
		lea	eax, [ebx+98h]
		lea	eax, [eax+edi*4]
		xchg	ecx, [eax]

loc_88D073:				; CODE XREF: DrvDbRegisterObjects(x,x)+6Bj
		test	edx, edx
		js	short loc_88D0A1
		mov	edi, ds:dword_404C60[esi]
		xor	edx, edx
		lea	eax, [edi-1]
		cmp	eax, 0Ah
		ja	short loc_88D0AF
		mov	ecx, [ebp+var_4]
		lea	eax, [ebx+0C8h]
		lea	eax, [eax+edi*4]
		xchg	ecx, [eax]

loc_88D095:				; CODE XREF: DrvDbRegisterObjects(x,x)+72j
		test	edx, edx
		js	short loc_88D0A1
		add	esi, 8
		cmp	esi, 28h
		jb	short loc_88D052

loc_88D0A1:				; CODE XREF: DrvDbRegisterObjects(x,x)+33j
					; DrvDbRegisterObjects(x,x)+55j
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn
; 

loc_88D0A8:				; CODE XREF: DrvDbRegisterObjects(x,x)+1Ej
		mov	edx, 0C000000Dh
		jmp	short loc_88D073
; 

loc_88D0AF:				; CODE XREF: DrvDbRegisterObjects(x,x)+43j
		mov	edx, 0C000000Dh
		jmp	short loc_88D095
_DrvDbRegisterObjects@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbRegisterDatabase(x, x,	x, x, x, x, x)
_DrvDbRegisterDatabase@28 proc near	; CODE XREF: PiDrvDbRegisterNode+C4p

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, _PiDrvDbCtx
		mov	esi, edx
		push	eax
		mov	ecx, edi
		call	_DrvDbFindDatabaseNode@12 ; DrvDbFindDatabaseNode(x,x,x)
		test	eax, eax
		jns	short loc_88D105
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		push	[ebp+arg_10]
		movzx	eax, [ebp+arg_8]
		mov	ecx, edi
		neg	eax
		push	offset _PiDrvDbNodeActionCallback@24 ; PiDrvDbNodeActionCallback(x,x,x,x,x,x)
		sbb	eax, eax
		and	eax, 10h
		push	eax
		push	[ebp+arg_4]
		push	0
		call	DrvDbCreateDatabaseNode

loc_88D0FF:				; CODE XREF: DrvDbRegisterDatabase(x,x,x,x,x,x,x)+54j
		pop	edi
		pop	esi
		leave
		retn	14h
; 

loc_88D105:				; CODE XREF: DrvDbRegisterDatabase(x,x,x,x,x,x,x)+21j
		mov	eax, 40000000h
		jmp	short loc_88D0FF
_DrvDbRegisterDatabase@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DrvDbCreateDatabaseNode	proc near	; CODE XREF: DrvDbOpenContext+A5p
					; DrvDbRegisterDatabase(x,x,x,x,x,x,x)+44p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00929806 SIZE 0000017B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_14]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		push	esi
		mov	esi, ebx
		mov	[ebp+var_8], ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edi
		mov	[eax], ebx
		cmp	[ebp+arg_4], ebx
		jz	loc_929806
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_14], ebx

loc_88D13D:				; CODE XREF: DrvDbCreateDatabaseNode+9C75Fj
		push	42444450h
		push	54h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_929870
		push	54h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	eax, [eax+4]
		mov	[esi+20h], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+1Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+10h], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+28h], eax
		mov	eax, [ebp+arg_10]
		mov	[esi+2Ch], eax
		lea	eax, [esi+8]
		push	edi		; void *
		push	eax		; int
		mov	dword ptr [esi+24h], 10000h
		call	RtlCreateUnicodeString
		test	al, al
		jz	loc_92987A
		lea	eax, [esi+14h]
		push	ebx		; void *
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	loc_92987A
		push	42444450h
		push	38h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+4Ch], eax
		test	eax, eax
		jz	loc_929894
		push	eax
		call	ExInitializeResourceLite
		mov	edi, eax
		test	edi, edi
		js	loc_929884

loc_88D1DA:				; CODE XREF: DrvDbCreateDatabaseNode+9C795j
		mov	eax, [ebp+var_4]
		add	eax, 0Ch
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_88D22D
		test	byte ptr [ebp+arg_8], 10h
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		jnz	loc_9298A6

loc_88D1FB:				; CODE XREF: DrvDbCreateDatabaseNode+9C7A2j
					; DrvDbCreateDatabaseNode+9C7D4j ...
		mov	eax, [ebp+arg_14]
		mov	[eax], esi
		xor	esi, esi

loc_88D202:				; CODE XREF: DrvDbCreateDatabaseNode+9C756j
					; DrvDbCreateDatabaseNode+9C769j ...
		cmp	[ebp+var_8], 0
		jnz	loc_929914

loc_88D20C:				; CODE XREF: DrvDbCreateDatabaseNode+9C810j
		test	esi, esi
		jnz	loc_929921

loc_88D214:				; CODE XREF: DrvDbCreateDatabaseNode+9C863j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_88D224
		cmp	eax, [ebp+arg_4]
		jnz	loc_929974

loc_88D224:				; CODE XREF: DrvDbCreateDatabaseNode+10Dj
					; DrvDbCreateDatabaseNode+9C870j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_88D22D:				; CODE XREF: DrvDbCreateDatabaseNode+D9j
					; DrvDbCreateDatabaseNode+9C81Ej ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
DrvDbCreateDatabaseNode	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDrvDbEnumDriverStoreNodes proc near	; CODE XREF: PiPnpRtlInit+83p
					; PiDrvDbInit(x)+8Ep

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00929981 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_10], ecx
		push	offset ??_C@_1BM@PNGDECLI@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAo?$AAr?$AAe?$AAs@NNGAKEGL@ ; "\\DriverStores"
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_1C], esi
		push	eax
		mov	ebx, edx
		mov	[ebp+var_18], esi
		mov	[ebp+var_4], esi
		mov	edi, esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_34], 18h
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	1
		lea	eax, [ebp+var_4]
		mov	[ebp+var_30], esi
		push	eax
		mov	[ebp+var_28], 240h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		call	_ZwOpenDirectoryObject@12 ; ZwOpenDirectoryObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88D337
		push	62647050h
		mov	esi, 400h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_14], edi
		test	edi, edi
		jz	loc_929981
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	1
		push	1
		push	esi

loc_88D2C5:				; CODE XREF: PiDrvDbEnumDriverStoreNodes+DFj
		push	edi
		push	[ebp+var_4]
		call	_ZwQueryDirectoryObject@28 ; ZwQueryDirectoryObject(x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	short loc_88D313
		test	esi, esi
		js	short loc_88D337
		xor	eax, eax
		mov	esi, edi
		cmp	[edi], ax
		jz	short loc_88D2FF
		mov	edi, [ebp+var_10]

loc_88D2E8:				; CODE XREF: PiDrvDbEnumDriverStoreNodes+C8j
		push	ebx
		push	dword ptr [esi+4]
		call	edi
		test	al, al
		jz	short loc_88D2FC
		add	esi, 10h
		xor	eax, eax
		cmp	[esi], ax
		jnz	short loc_88D2E8

loc_88D2FC:				; CODE XREF: PiDrvDbEnumDriverStoreNodes+BEj
		mov	edi, [ebp+var_14]

loc_88D2FF:				; CODE XREF: PiDrvDbEnumDriverStoreNodes+B1j
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		xor	eax, eax
		push	eax
		push	1
		push	400h
		jmp	short loc_88D2C5
; 

loc_88D313:				; CODE XREF: PiDrvDbEnumDriverStoreNodes+A4j
		xor	ebx, ebx
		mov	esi, ebx

loc_88D317:				; CODE XREF: PiDrvDbEnumDriverStoreNodes+107j
		cmp	[ebp+var_4], 0
		jz	short loc_88D325
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_88D325:				; CODE XREF: PiDrvDbEnumDriverStoreNodes+E9j
		test	edi, edi
		jz	short loc_88D330
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88D330:				; CODE XREF: PiDrvDbEnumDriverStoreNodes+F5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_88D337:				; CODE XREF: PiDrvDbEnumDriverStoreNodes+61j
					; PiDrvDbEnumDriverStoreNodes+A8j ...
		xor	ebx, ebx
		jmp	short loc_88D317
PiDrvDbEnumDriverStoreNodes endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiPnpRtlRegisterDriverMachineNodeCallback(wchar_t *,int)
PiPnpRtlRegisterDriverMachineNodeCallback proc near ; DATA XREF: PiPnpRtlInit+7Eo

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092998B SIZE 0000006C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@ ; wchar_t *
		push	[ebp+arg_0]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_92998B

loc_88D35E:				; CODE XREF: PiPnpRtlRegisterDriverMachineNodeCallback+9C67Fj
		xor	ebx, ebx

loc_88D360:				; CODE XREF: PiPnpRtlRegisterDriverMachineNodeCallback+9C687j
					; PiPnpRtlRegisterDriverMachineNodeCallback+9C6A9j
		cmp	[ebp+var_4], 0
		jnz	loc_9299EA

loc_88D36A:				; CODE XREF: PiPnpRtlRegisterDriverMachineNodeCallback+9C6B6j
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		shr	ebx, 1Fh
		xor	bl, 1
		mov	al, bl
		pop	ebx
		leave
		retn	8
PiPnpRtlRegisterDriverMachineNodeCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDrvDbRegisterNodeCallback(wchar_t *,int)
PiDrvDbRegisterNodeCallback proc near	; DATA XREF: PiDrvDbInit(x)+89o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009299F7 SIZE 00000088 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		push	offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@ ; wchar_t *
		push	[ebp+arg_0]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		xor	ebx, ebx
		pop	ecx
		test	eax, eax
		jnz	loc_9299F7

loc_88D39C:				; CODE XREF: PiDrvDbRegisterNodeCallback+9C6AFj
					; PiDrvDbRegisterNodeCallback+9C6FEj
		mov	eax, [ebp+arg_4]
		pop	edi
		mov	[eax], ebx
		shr	ebx, 1Fh
		xor	bl, 1
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
PiDrvDbRegisterNodeCallback endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpRegisterTraceLoggingProvider()
_CmpRegisterTraceLoggingProvider@0 proc	near ; CODE XREF: INIT:00AC63EAp
		mov	edi, edi
		push	ecx
		push	ecx
		push	0
		xor	edx, edx
		mov	ecx, offset dword_6B2348
		call	TlgRegisterAggregateProviderEx
		pop	ecx
		retn
_CmpRegisterTraceLoggingProvider@0 endp


;  S U B	R O U T	I N E 


CmpInitializeNameCache proc near	; CODE XREF: CmInitSystem1(x)+16Ep

; FUNCTION CHUNK AT 00929A7F SIZE 0000001B BYTES

		mov	edi, edi
		push	esi
		push	edi
		push	61434D43h
		mov	edi, 4000h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	_CmpNameCacheTable, esi
		test	esi, esi
		jz	loc_929A7F
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax

loc_88D3F8:				; CODE XREF: CmpInitializeNameCache+3Ej
		and	dword ptr [esi+eax*8], 0
		inc	eax
		cmp	eax, 800h
		jb	short loc_88D3F8
		pop	edi
		pop	esi
		retn
CmpInitializeNameCache endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmpInitSIDToHiveMapping()
_CmpInitSIDToHiveMapping@0 proc	near	; CODE XREF: CmInitSystem1(x)+178p
		mov	ecx, offset _CmpSIDMappingLock
		jmp	@KeInitializeGuardedMutex@4 ; KeInitializeGuardedMutex(x)
_CmpInitSIDToHiveMapping@0 endp


;  S U B	R O U T	I N E 


; __stdcall CmpInitializeDelayedCloseTable()
_CmpInitializeDelayedCloseTable@0 proc near ; CODE XREF: CmInitSystem1(x)+18Cp
		and	dword_6CE00C, 0
		mov	ecx, offset _CmpDelayedCloseTableLock
		and	_CmpDelayCloseWorkItem,	0
		mov	dword_6CE008, offset CmpDelayCloseWorker
		call	@KeInitializeGuardedMutex@4 ; KeInitializeGuardedMutex(x)
		mov	eax, offset _CmpDelayedLRUListHead
		mov	dword_6CE044, eax
		mov	_CmpDelayedLRUListHead,	eax
		retn
_CmpInitializeDelayedCloseTable@0 endp


;  S U B	R O U T	I N E 


; __stdcall CmpInitCallbacks()
_CmpInitCallbacks@0 proc near		; CODE XREF: CmInitSystem1(x)+191p
		mov	edi, edi
		push	esi
		xor	esi, esi
		mov	eax, offset _CallbackListHead
		push	offset a425000	; "425000"
		push	offset _CmLegacyAltitude
		mov	_CmpCallBackCount, esi
		mov	dword_6CE35C, eax
		mov	_CallbackListHead, eax
		mov	_CmpCallbackListLock, esi
		mov	_CmpContextListLock, esi
		mov	_CallbackListDeleteEvent, esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _CmpCallbackCookie
		call	KeQuerySystemTime
		mov	_CmpCallbackContextSList, esi
		mov	dword_6CE36C, esi
		pop	esi
		retn
_CmpInitCallbacks@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmpInitializeMachineHiveLoadedCallbacks()
_CmpInitializeMachineHiveLoadedCallbacks@0 proc	near ; CODE XREF: CmInitSystem1(x)+196p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	offset _CmpMachineHiveCallbackEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	7
		mov	esi, offset dword_6B1688
		pop	edi

loc_88D4B3:				; CODE XREF: CmpInitializeMachineHiveLoadedCallbacks()+5Dj
		push	ebx
		push	ebx
		lea	eax, [esi-18h]
		mov	[esi-8], ebx
		mov	[esi-4], ebx
		push	eax
		mov	[esi+4], esi
		mov	[esi], esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	32394D43h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+8], eax
		lea	ecx, [esi-60h]
		mov	dword ptr [eax+8], offset CmpMachineHiveLoadedWorkItem
		mov	[eax+0Ch], ecx
		mov	[eax], ebx
		mov	[esi+0Ch], ebx
		add	esi, 78h
		sub	edi, 1
		jnz	short loc_88D4B3
		pop	edi
		pop	esi
		pop	ebx
		retn
_CmpInitializeMachineHiveLoadedCallbacks@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


CmpInitializeFreezeThaw	proc near	; CODE XREF: CmInitSystem1(x)+19Bp
		and	_CmpFreezeListLock, 0
		mov	eax, offset _CmpFreezeThawWaitListHead
		cmp	_CmFreezeThawTimeoutInSeconds, 384h
		mov	dword_6CDFE4, eax
		mov	_CmpFreezeThawWaitListHead, eax
		ja	loc_929A8F
		retn
CmpInitializeFreezeThaw	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvInitializeHashLibrary()
_HvInitializeHashLibrary@0 proc	near	; CODE XREF: CmInitSystem1(x)+1A0p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		call	@SymCryptInit@0	; SymCryptInit()
		push	8
		lea	edx, [ebp+var_8]
		mov	[ebp+var_8], 7A4E55C5h
		mov	ecx, offset _HvSymcryptSeed
		mov	[ebp+var_4], 82EF4D88h
		call	@SymCryptMarvin32ExpandSeed@12 ; SymCryptMarvin32ExpandSeed(x,x,x)
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000001h
		leave
		retn
_HvInitializeHashLibrary@0 endp


;  S U B	R O U T	I N E 


; __stdcall CmpValidateGlobalFlushControlFlags()
_CmpValidateGlobalFlushControlFlags@0 proc near	; CODE XREF: CmInitSystem1(x)+1A5p
		test	_CmpGlobalFlushControlFlags, 0FFFFFFFEh
		jnz	short loc_88D565
		retn
; 

loc_88D565:				; CODE XREF: CmpValidateGlobalFlushControlFlags()+Aj
		and	_CmpGlobalFlushControlFlags, 0
		retn
_CmpValidateGlobalFlushControlFlags@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpInitializeGlobalKeyLockTracker()
_CmpInitializeGlobalKeyLockTracker@0 proc near ; CODE XREF: CmInitSystem1(x)+1AAp
		and	_CmpKeyLockTracker, 0
		mov	eax, offset dword_6CDF64
		mov	dword_6CDF68, eax
		mov	dword_6CDF64, eax
		retn
_CmpInitializeGlobalKeyLockTracker@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpVolumeManagerInitialize(x)
_CmpVolumeManagerInitialize@4 proc near	; CODE XREF: CmInitSystem1(x)+1B4p
		and	ds:_CmpVolumeManager, 0
		mov	eax, offset dword_A940E4
		mov	ds:dword_A940E8, eax
		mov	ds:dword_A940E4, eax
		retn
_CmpVolumeManagerInitialize@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpInitializeLightWeightTransactionType()
_CmpInitializeLightWeightTransactionType@0 proc	near ; CODE XREF: CmInitSystem1(x)+1F4p

var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		push	esi
		push	edi
		push	58h
		pop	esi
		push	esi		; size_t
		xor	edi, edi
		lea	eax, [ebp+var_58]
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	eax, 1F003Fh
		mov	word ptr [ebp+var_58], si
		mov	[ebp+var_40], eax
		add	esp, 0Ch
		mov	[ebp+var_3C], eax
		mov	al, byte ptr [ebp+var_58+2]
		and	al, 0EFh
		mov	[ebp+var_50], 30h
		or	al, 0Ch
		mov	[ebp+var_4C], 120001h
		mov	[ebp+var_48], 12003Eh
		mov	[ebp+var_44], 120018h
		mov	[ebp+var_30], 10h
		mov	[ebp+var_34], 1
		mov	byte ptr [ebp+var_58+2], al
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], offset _CmpCloseLightWeightTransaction@16	; CmpCloseLightWeightTransaction(x,x,x,x)
		mov	[ebp+var_1C], offset _CmpDeleteLightWeightTransaction@4	; CmpDeleteLightWeightTransaction(x)
		push	offset _CmRegistryTransactionType
		push	edi
		push	edi
		lea	eax, [ebp+var_58]
		push	eax
		push	offset _CmpTransactionTypeNameString
		call	ObCreateObjectTypeEx
		pop	edi
		pop	esi
		leave
		retn
_CmpInitializeLightWeightTransactionType@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpInitializeRegistryProcess()
_CmpInitializeRegistryProcess@0	proc near ; CODE XREF: CmInitSystem1(x):loc_AC7B6Cp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		push	6
		pop	ecx
		rep stosd
		mov	edi, eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], edi
		mov	[ebp+var_28], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		call	_CmSiProcessTupleInitialize@4 ;	CmSiProcessTupleInitialize(x)
		lea	ecx, [ebp+var_20]
		call	CmpCreateRegistryProcessToken
		mov	esi, eax
		test	esi, esi
		js	loc_88D75C
		mov	ecx, ds:_PsInitialSystemProcess
		mov	edx, offset _CmRegistryProcessName
		mov	al, [ecx+3A6h]
		mov	byte ptr [ebp+var_34], al
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	[ebp+var_34]
		push	edi
		call	PsCreateMinimalProcess
		mov	esi, eax
		test	esi, esi
		js	loc_88D79A
		lea	eax, [ebp+var_30]
		push	eax
		push	edi
		push	ds:_SeTokenObjectType
		push	1
		push	edi
		push	200h
		push	[ebp+var_20]
		call	ObOpenObjectByPointer
		mov	esi, eax
		test	esi, esi
		js	loc_88D79A
		mov	edi, [ebp+var_24]
		lea	eax, [ebp+var_30]
		push	8
		push	eax
		push	9
		push	edi
		call	_ZwSetInformationProcess@16 ; ZwSetInformationProcess(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_88D75C
		push	ecx
		mov	edx, edi
		call	CmSiProcessTupleStartFromHandle
		mov	esi, eax
		test	esi, esi
		js	short loc_88D75C
		xor	esi, esi
		lea	ecx, [ebp+var_1C]
		mov	edi, esi
		call	CmpAttachToRegistryProcess
		push	1
		push	esi
		mov	eax, 4000000h
		push	eax
		push	eax
		call	_MmAdjustWorkingSetSize@16 ; MmAdjustWorkingSetSize(x,x,x,x)
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		push	esi
		push	1
		push	offset _CmpDummyThreadEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	esi
		push	offset _CmpDummyThreadRoutine@4	; CmpDummyThreadRoutine(x)
		lea	ecx, [ebp+var_28]
		call	_CmpCreateRegistryThread@16 ; CmpCreateRegistryThread(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_88D75C
		push	edi
		push	42424D43h
		push	1000h
		push	edi
		push	1
		push	offset _CmpFreePoolLookaside@8 ; CmpFreePoolLookaside(x,x)
		push	offset _CmpAllocatePoolWithTagLookaside@16 ; CmpAllocatePoolWithTagLookaside(x,x,x,x)
		push	offset _CmpBounceBufferLookaside
		call	_ExInitializeLookasideListEx@32	; ExInitializeLookasideListEx(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_88D75C
		xor	esi, esi

loc_88D75C:				; CODE XREF: CmpInitializeRegistryProcess()+40j
					; CmpInitializeRegistryProcess()+B0j ...
		cmp	[ebp+var_20], 0
		jz	short loc_88D76A
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject

loc_88D76A:				; CODE XREF: CmpInitializeRegistryProcess()+134j
		cmp	[ebp+var_30], 0
		jz	short loc_88D778
		push	[ebp+var_30]
		call	_ZwClose@4	; ZwClose(x)

loc_88D778:				; CODE XREF: CmpInitializeRegistryProcess()+142j
		cmp	[ebp+var_28], 0
		jz	short loc_88D786
		push	[ebp+var_28]
		call	_ZwClose@4	; ZwClose(x)

loc_88D786:				; CODE XREF: CmpInitializeRegistryProcess()+150j
		test	edi, edi
		jnz	short loc_88D79F

loc_88D78A:				; CODE XREF: CmpInitializeRegistryProcess()+179j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_88D79A:				; CODE XREF: CmpInitializeRegistryProcess()+70j
					; CmpInitializeRegistryProcess()+95j
		mov	edi, [ebp+var_24]
		jmp	short loc_88D75C
; 

loc_88D79F:				; CODE XREF: CmpInitializeRegistryProcess()+15Cj
		push	edi
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_88D78A
_CmpInitializeRegistryProcess@0	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCreateRegistryThread(x, x, x, x)
_CmpCreateRegistryThread@16 proc near	; CODE XREF: CmpInitializeRegistryProcess()+FBp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		mov	eax, _CmpRegistryProcess
		xor	edx, edx
		push	edx
		push	edx
		push	[ebp+arg_4]
		mov	[esp+24h+var_18], 18h
		push	[ebp+arg_0]
		mov	[esp+28h+var_14], edx
		push	edx
		push	eax
		lea	eax, [esp+30h+var_18]
		mov	[esp+30h+var_C], 200h
		push	eax
		push	1FFFFFh
		push	ecx
		mov	[esp+3Ch+var_10], edx
		mov	[esp+3Ch+var_8], edx
		mov	[esp+3Ch+var_4], edx
		call	PsCreateSystemThreadEx
		mov	esp, ebp
		pop	ebp
		retn	8
_CmpCreateRegistryThread@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsCreateMinimalProcess proc near	; CODE XREF: SmFirstTimeInit+344p
					; CmpInitializeRegistryProcess()+67p ...

var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_14C		= dword	ptr -14Ch
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 00929A9A SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+18Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, esi
		push	edi
		mov	[esp+198h+var_17C], eax
		lea	edi, [esp+198h+var_1C]
		mov	eax, [ebp+arg_18]
		mov	[esp+198h+var_178], eax
		mov	eax, [ebp+arg_1C]
		push	6
		mov	[esp+19Ch+var_188], ecx
		pop	ecx
		mov	[esp+198h+var_174], eax
		xor	eax, eax
		mov	[esp+198h+var_180], edx
		xor	edx, edx
		push	144h		; size_t
		rep stosd
		push	edx		; int
		lea	eax, [esp+1A0h+var_168]
		mov	[esp+1A0h+var_184], ebx
		push	eax		; void *
		mov	[esp+1A4h+var_170], edx
		mov	[esp+1A4h+var_16C], edx
		call	_memset
		mov	edi, [esp+1A4h+var_188]
		xor	edx, edx
		add	esp, 0Ch
		mov	[esp+198h+var_18C], edx
		test	ebx, ebx
		jnz	short loc_88D886
		push	edi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	ebx, eax
		xor	edx, edx
		mov	[esp+198h+var_184], ebx

loc_88D886:				; CODE XREF: PsCreateMinimalProcess+7Cj
		mov	ecx, [ebp+arg_C]
		xor	eax, eax
		test	esi, esi
		setnz	al
		or	ecx, 800h
		mov	[esp+198h+var_188], eax
		lea	eax, [esp+198h+var_18C]
		push	eax
		lea	eax, [esp+19Ch+var_170]
		mov	[ebp+arg_C], ecx
		push	eax
		push	edx
		xor	eax, eax
		test	esi, esi
		setnz	al
		push	eax
		push	edx
		push	[ebp+arg_10]
		push	ecx
		push	ebx
		push	edx
		push	edx
		push	edx
		push	[ebp+arg_4]
		mov	ecx, edi
		push	edx
		xor	dl, dl
		call	_PspAllocateProcess@60 ; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_929A9A
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jnz	loc_929AA4

loc_88D8DB:				; CODE XREF: PsCreateMinimalProcess+9C2B4j
		mov	ecx, [esp+198h+var_18C]
		xor	ebx, ebx
		inc	ebx
		test	[ecx+3A8h], bl
		jz	short loc_88D947
		cmp	dword ptr [ecx+3D4h], 0
		jnz	short loc_88D947
		call	_KeKvaShadowingActive@0	; KeKvaShadowingActive()
		test	eax, eax
		jz	short loc_88D947
		mov	[ecx+74h], bl
		mov	eax, [esp+198h+var_18C]
		add	eax, 3A8h
		lock bts dword ptr [eax], 0Eh
		mov	ecx, [esp+198h+var_18C]
		jb	short loc_88D947
		lea	eax, [esp+198h+var_1C]
		xor	edx, edx
		push	eax
		call	KiStackAttachProcess
		mov	ecx, [esp+198h+var_18C]
		cmp	ecx, ds:_PsInitialSystemProcess
		jz	short loc_88D935
		mov	edx, ebx
		call	MiDeleteProcessShadow

loc_88D935:				; CODE XREF: PsCreateMinimalProcess+132j
		xor	edx, edx
		lea	ecx, [esp+198h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [esp+198h+var_18C]

loc_88D947:				; CODE XREF: PsCreateMinimalProcess+EEj
					; PsCreateMinimalProcess+F7j ...
		mov	eax, [esp+198h+var_180]
		test	eax, eax
		jz	short loc_88D95A
		mov	edx, eax
		call	_PspSetMinimalProcessName@8 ; PspSetMinimalProcessName(x,x)
		mov	ecx, [esp+198h+var_18C]

loc_88D95A:				; CODE XREF: PsCreateMinimalProcess+153j
		cmp	[esp+198h+var_170], 0
		jnz	loc_929AB3

loc_88D965:				; CODE XREF: PsCreateMinimalProcess+9C2BCj
		lea	eax, [esp+198h+var_168]
		mov	edx, edi
		push	eax
		push	[esp+19Ch+var_17C]
		push	ebx
		push	0
		push	[ebp+arg_C]
		push	2000000h
		call	PspInsertProcess
		mov	esi, eax
		test	esi, esi
		js	loc_929ABB
		or	[esp+198h+var_188], 4
		mov	eax, [esp+198h+var_178]
		test	eax, eax
		jnz	loc_929AD7

loc_88D99B:				; CODE XREF: PsCreateMinimalProcess+9C2EDj
		mov	ecx, [esp+198h+var_18C]
		call	DbgkCreateMinimalProcess
		push	ds:_PsProcessType
		mov	ecx, [esp+19Ch+var_18C]
		lea	edx, [esp+19Ch+var_168]
		or	[esp+19Ch+var_188], 2
		or	[esp+19Ch+var_30], 200h
		call	PspCreateObjectHandle
		mov	ebx, [esp+198h+var_184]
		mov	esi, eax
		test	esi, esi
		js	short loc_88DA46
		mov	ecx, [esp+198h+var_174]
		mov	eax, [esp+198h+var_28]
		mov	[ecx], eax
		mov	eax, [esp+198h+var_188]
		and	eax, 0FFFFFFFBh
		mov	[esp+198h+var_188], eax

loc_88D9E9:				; CODE XREF: PsCreateMinimalProcess+250j
					; PsCreateMinimalProcess+9C2D8j
		test	al, 2
		jz	short loc_88DA04
		lea	ecx, [esp+198h+var_168]
		call	SepDeleteAccessState
		lea	eax, [esp+198h+var_14C]
		push	eax
		call	SeReleaseSubjectContext
		mov	eax, [esp+198h+var_188]

loc_88DA04:				; CODE XREF: PsCreateMinimalProcess+1F1j
		mov	ecx, [esp+198h+var_18C]
		test	ecx, ecx
		jz	short loc_88DA1F
		cmp	eax, 4
		jnb	short loc_88DA4C

loc_88DA11:				; CODE XREF: PsCreateMinimalProcess+259j
		mov	ecx, [esp+198h+var_18C]
		mov	edx, 72437350h
		call	ObfDereferenceObjectWithTag

loc_88DA1F:				; CODE XREF: PsCreateMinimalProcess+210j
		test	byte ptr [esp+198h+var_188], 1
		jnz	short loc_88DA2D
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_88DA2D:				; CODE XREF: PsCreateMinimalProcess+22Aj
		mov	ecx, [esp+198h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_88DA46:				; CODE XREF: PsCreateMinimalProcess+1D5j
					; PsCreateMinimalProcess+9C2A5j ...
		mov	eax, [esp+198h+var_188]
		jmp	short loc_88D9E9
; 

loc_88DA4C:				; CODE XREF: PsCreateMinimalProcess+215j
		mov	edx, esi
		call	_PsTerminateProcess@8 ;	PsTerminateProcess(x,x)
		jmp	short loc_88DA11
PsCreateMinimalProcess endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DbgkCreateMinimalProcess proc near	; CODE XREF: PsCreateMinimalProcess+1A5p

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00929AF6 SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	0A8h		; size_t
		lea	eax, [ebp+var_B0]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+0FCh]
		mov	ecx, 400001h
		lock or	[eax], ecx
		cmp	dword ptr [esi+190h], 0
		jnz	loc_929AF6

loc_88DAA0:				; CODE XREF: DbgkCreateMinimalProcess+9C0DBj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
DbgkCreateMinimalProcess endp


;  S U B	R O U T	I N E 


; __stdcall PspSetMinimalProcessName(x,	x)
_PspSetMinimalProcessName@8 proc near	; CODE XREF: PsCreateMinimalProcess+157p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		push	6E497350h
		movzx	eax, word ptr [esi]
		add	eax, 8
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_88DB1D
		lea	ecx, [edi+8]
		mov	[edi+4], ecx
		mov	ax, [esi]
		mov	[edi], ax
		mov	ax, [esi]
		mov	[edi+2], ax
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [ebx+1C0h]
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_88DB08
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88DB08:				; CODE XREF: PspSetMinimalProcessName(x,x)+50j
		mov	edx, esi
		mov	[ebx+1C0h], edi
		mov	ecx, ebx
		call	_PspSetProcessShortName@8 ; PspSetProcessShortName(x,x)
		xor	eax, eax

loc_88DB19:				; CODE XREF: PspSetMinimalProcessName(x,x)+74j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_88DB1D:				; CODE XREF: PspSetMinimalProcessName(x,x)+23j
		mov	eax, 0C0000017h
		jmp	short loc_88DB19
_PspSetMinimalProcessName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCreateRegistryProcessToken proc near	; CODE XREF: CmpInitializeRegistryProcess()+37p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00929B36 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	ds:_PsInitialSystemProcess
		xor	edi, edi
		mov	[ebp+var_14], ecx
		xor	ebx, ebx
		mov	[ebp+var_C], edi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_10], eax
		push	ecx
		push	1
		push	eax
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88DBEC
		lea	eax, [ebp+var_4]
		push	eax
		push	2
		push	[ebp+var_10]
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_88DBEC
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		push	34384D43h
		inc	ecx
		mov	eax, [eax]
		lea	edx, ds:0Ch[eax*8]
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_929B36
		mov	eax, [ebp+var_4]
		mov	eax, [eax]
		inc	eax
		mov	[ebx], eax
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx]
		mov	[ebx+4], eax
		mov	eax, [ecx+4]
		mov	[ebx+8], eax
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx]
		shl	eax, 3
		push	eax		; size_t
		lea	eax, [ecx+4]
		push	eax		; void *
		lea	eax, [ebx+0Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_C]
		push	eax
		push	edi
		push	edi
		push	ebx
		push	1
		push	[ebp+var_10]
		call	SeFilterToken
		mov	esi, eax
		test	esi, esi
		js	short loc_88DC30
		mov	ecx, [ebp+var_14]
		xor	esi, esi
		mov	eax, [ebp+var_C]
		mov	[ecx], eax

loc_88DBEC:				; CODE XREF: CmpCreateRegistryProcessToken+3Bj
					; CmpCreateRegistryProcessToken+53j ...
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_88DBFA
		mov	ecx, eax
		call	ObfDereferenceObject

loc_88DBFA:				; CODE XREF: CmpCreateRegistryProcessToken+CDj
		test	edi, edi
		jnz	short loc_88DC35

loc_88DBFE:				; CODE XREF: CmpCreateRegistryProcessToken+118j
		cmp	[ebp+var_8], 0
		jz	short loc_88DC0E
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88DC0E:				; CODE XREF: CmpCreateRegistryProcessToken+DEj
		cmp	[ebp+var_4], 0
		jz	short loc_88DC1E
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88DC1E:				; CODE XREF: CmpCreateRegistryProcessToken+EEj
		test	ebx, ebx
		jz	short loc_88DC29
		mov	ecx, ebx
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_88DC29:				; CODE XREF: CmpCreateRegistryProcessToken+FCj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_88DC30:				; CODE XREF: CmpCreateRegistryProcessToken+BCj
		mov	edi, [ebp+var_C]
		jmp	short loc_88DBEC
; 

loc_88DC35:				; CODE XREF: CmpCreateRegistryProcessToken+D8j
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	short loc_88DBFE
CmpCreateRegistryProcessToken endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2465. SeFilterToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeFilterToken
SeFilterToken	proc near		; CODE XREF: CmpCreateRegistryProcessToken+B3p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00929B40 SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	ecx, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_14]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		mov	esi, edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebx], edi
		test	ecx, ecx
		jz	short loc_88DC6D
		mov	eax, [ecx]
		mov	[ebp+var_10], eax

loc_88DC6D:				; CODE XREF: SeFilterToken+22j
		mov	edx, [ebp+arg_C]
		lea	eax, [ecx+4]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		test	edx, edx
		jnz	short loc_88DCE2

loc_88DC7D:				; CODE XREF: SeFilterToken+A3j
		lea	eax, [edx+4]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jnz	loc_929B40
		mov	eax, esi

loc_88DC93:				; CODE XREF: SeFilterToken+9BF06j
					; SeFilterToken+9BF1Fj
		lea	edi, [ebp+var_4]
		push	edi
		xor	edi, edi
		push	edi
		push	eax
		push	esi
		push	edx
		push	[ebp+var_C]
		xor	dl, dl
		push	ecx
		push	[ebp+var_10]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_4]
		call	_SepFilterToken@44 ; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_88DCD9
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_88DCD9
		mov	ecx, [ebp+var_4]
		call	_SepFinalizeTokenAcls@4	; SepFinalizeTokenAcls(x)
		mov	eax, [ebp+var_4]
		mov	[ebx], eax

loc_88DCD9:				; CODE XREF: SeFilterToken+71j
					; SeFilterToken+86j
		mov	eax, esi

loc_88DCDB:				; CODE XREF: SeFilterToken+9BF29j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_88DCE2:				; CODE XREF: SeFilterToken+37j
		mov	eax, [edx]
		mov	[ebp+var_C], eax
		jmp	short loc_88DC7D
SeFilterToken	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpInitSiloSupport(x)
_CmpInitSiloSupport@4 proc near		; CODE XREF: CmInitSystem1(x)+295p

var_4		= dword	ptr -4

		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, offset _CmpSiloContextSlot
		call	PspStorageAllocSlot
		test	eax, eax
		js	short loc_88DD05
		mov	ecx, esi
		pop	esi
		jmp	_CmInitServerSiloState@4 ; CmInitServerSiloState(x)
; 

loc_88DD05:				; CODE XREF: CmpInitSiloSupport(x)+11j
		pop	esi
		retn
; 
		align 4

; __stdcall CmInitServerSiloState(x)
_CmInitServerSiloState@4:		; CODE XREF: CmpInitSiloSupport(x)+16j
					; PspInitializeServerSiloDeferred(x)+8Fp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	edx, [ebp+var_4]
		push	esi
		call	CmpGetOrCreateContextForSiloNoRef
		test	eax, eax
		js	short loc_88DD60
		mov	ecx, [ebp+var_4]
		call	_CmpStartSiloRegistryNamespace@4 ; CmpStartSiloRegistryNamespace(x)
		test	eax, eax
		js	short loc_88DD60
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+var_4]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		or	dword ptr [esi+4], 1
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax

loc_88DD60:				; CODE XREF: CmpInitSiloSupport(x)+33j
					; CmpInitSiloSupport(x)+3Fj
		pop	esi
		leave
		retn
_CmpInitSiloSupport@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpAddProcessorConfigurationEntry proc near ; CODE XREF: CmInitializeProcessor(x)+A9p
					; CmpInitializeMachineDependentConfiguration+1CEp

var_138		= dword	ptr -138h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_11C		= dword	ptr -11Ch
var_118		= word ptr -118h
var_116		= word ptr -116h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_A0		= byte ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00929B72 SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 138h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_E4], eax
		push	34h		; size_t
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_100], ebx
		mov	esi, ecx
		mov	[ebp+var_FC], ebx
		push	ebx		; int
		push	eax		; void *
		mov	edi, edx
		mov	[ebp+var_F0], esi
		mov	[ebp+var_F8], ebx
		mov	[ebp+var_D8], ebx
		call	_memset
		or	[ebp+var_D4], 0FFFFFFFFh
		lea	eax, [ebp+var_138]
		add	esp, 0Ch
		mov	[ebp+var_EC], ebx
		mov	[ebp+var_E8], ebx
		mov	[ebp+var_E0], ebx
		mov	[ebp+var_DC], ebx
		push	34h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	bl, [esi+14h]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_11C], edi
		mov	[ebp+var_12C], eax
		add	esp, 0Ch
		mov	[ebp+var_128], eax
		movzx	eax, byte ptr [esi+3C5h]
		mov	[ebp+var_118], ax
		movzx	eax, byte ptr [esi+3C4h]
		mov	[ebp+var_116], ax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_10C], eax
		movzx	eax, word ptr [esi+16h]
		mov	ecx, eax
		shr	ecx, 8
		cmp	byte ptr [esi+15h], 0
		jz	loc_929B72
		mov	edx, offset _CmpProcessorString2 ; "x86	Family %u Model	%u Stepping %u"

loc_88DE44:				; CODE XREF: CmpAddProcessorConfigurationEntry+9BE16j
		movzx	eax, al
		push	eax
		push	ecx
		movsx	eax, bl
		push	eax
		push	edx
		lea	eax, [ebp+var_8C]
		push	80h
		push	eax
		call	_sprintf_s
		lea	ecx, [ebp+var_8C]
		add	esp, 18h
		lea	edx, [ecx+1]

loc_88DE6B:				; CODE XREF: CmpAddProcessorConfigurationEntry+10Cj
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_88DE6B
		mov	ebx, [ebp+var_E4]
		sub	ecx, edx
		push	ecx
		push	offset _CmpDeviceIndexTable
		push	0FFFFFFFFh
		lea	eax, [ecx+1]
		mov	edx, ebx
		mov	[ebp+var_110], eax
		lea	ecx, [ebp+var_138]
		push	0FFFFFFFFh
		lea	eax, [ebp+var_D4]
		push	eax
		call	CmpInitializeRegistryNode
		test	eax, eax
		js	loc_88E241
		push	34h		; size_t
		lea	eax, [ebp+var_138]
		push	0		; int
		push	eax		; void *
		call	_memset
		movzx	eax, byte ptr [esi+3C5h]
		add	esp, 0Ch
		cmp	byte ptr [esi+14h], 3
		mov	[ebp+var_118], ax
		movzx	eax, byte ptr [esi+3C4h]
		mov	[ebp+var_116], ax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_12C], 1
		mov	[ebp+var_128], 2
		mov	[ebp+var_11C], edi
		mov	[ebp+var_10C], eax
		jz	loc_929B7F

loc_88DF08:				; CODE XREF: CmpAddProcessorConfigurationEntry+9BE34j
		lea	ecx, [ebp+var_8C]
		lea	edx, [ecx+1]

loc_88DF11:				; CODE XREF: CmpAddProcessorConfigurationEntry+1B2j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_88DF11
		sub	ecx, edx
		mov	edx, ebx
		push	ecx
		push	offset _CmpDeviceIndexTable
		push	0FFFFFFFFh
		lea	eax, [ecx+1]
		mov	[ebp+var_110], eax
		lea	ecx, [ebp+var_138]
		push	0FFFFFFFFh
		lea	eax, [ebp+var_D8]
		push	eax
		call	CmpInitializeRegistryNode
		mov	ebx, eax
		mov	[ebp+var_E4], ebx
		test	ebx, ebx
		js	loc_88E22B
		push	[ebp+var_D8]
		call	_ZwClose@4	; ZwClose(x)
		mov	dl, [esi+15h]
		lea	ecx, [esi+3D3Ch]
		movsx	eax, dl
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_104], eax
		test	dl, dl
		jz	loc_929B9D
		xor	eax, eax
		lea	edi, [ebp+var_9C]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, 80000000h
		cpuid
		mov	esi, ebx
		lea	edi, [ebp+var_9C]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		cmp	[ebp+var_9C], 80000004h
		jb	loc_929BC4
		lea	eax, [ebp+var_D0]
		mov	edx, 80000002h
		mov	[ebp+var_D8], eax
		mov	[ebp+var_F4], edx

loc_88DFCE:				; CODE XREF: CmpAddProcessorConfigurationEntry+2D7j
		xor	eax, eax
		lea	edi, [ebp+var_9C]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		mov	eax, edx
		cpuid
		mov	esi, ebx
		lea	edi, [ebp+var_9C]
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	ecx, [ebp+var_D8]
		mov	[edi+0Ch], edx
		mov	eax, [ebp+var_9C]
		mov	edx, [ebp+var_F4]
		mov	[ecx], eax
		mov	eax, [ebp+var_98]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_94]
		mov	[ecx+8], eax
		mov	eax, [ebp+var_90]
		mov	[ecx+0Ch], eax
		add	ecx, 10h
		inc	edx
		mov	[ebp+var_D8], ecx
		mov	[ebp+var_F4], edx
		cmp	edx, 80000004h
		jbe	short loc_88DFCE
		mov	[ebp+var_A0], 0
		test	ecx, ecx
		jz	loc_929BC4
		push	offset _CmpProcessorNameString
		lea	eax, [ebp+var_E0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		cmp	byte ptr [ebp+var_D0], 20h
		jz	loc_929BB4

loc_88E06C:				; CODE XREF: CmpAddProcessorConfigurationEntry+9BE5Bj
		lea	ecx, [ebp+var_D0]
		add	eax, ecx
		push	eax
		lea	eax, [ebp+var_100]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_100]
		push	eax
		lea	eax, [ebp+var_EC]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	ebx, eax
		test	ebx, ebx
		js	loc_88E22B
		movzx	eax, word ptr [ebp+var_EC]
		add	eax, 2
		push	eax
		push	[ebp+var_E8]
		lea	eax, [ebp+var_E0]
		push	1
		push	0
		push	eax
		push	[ebp+var_D4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	ebx, eax
		lea	eax, [ebp+var_EC]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	ebx, ebx
		js	loc_88E22B

loc_88E0DD:				; CODE XREF: CmpAddProcessorConfigurationEntry+9BE66j
		mov	esi, [ebp+var_F0]

loc_88E0E3:				; CODE XREF: CmpAddProcessorConfigurationEntry+9BE40j
		mov	edi, [ebp+var_104]
		test	edi, edi
		jz	short loc_88E167

loc_88E0ED:				; CODE XREF: CmpAddProcessorConfigurationEntry+9BE4Bj
		push	offset _CmpVendorID ; "VendorIdentifier"
		lea	eax, [ebp+var_E0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_100]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_100]
		push	eax
		lea	eax, [ebp+var_EC]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	ebx, eax
		test	ebx, ebx
		js	loc_88E22B
		movzx	eax, word ptr [ebp+var_EC]
		add	eax, 2
		push	eax
		push	[ebp+var_E8]
		lea	eax, [ebp+var_E0]
		push	1
		push	0
		push	eax
		push	[ebp+var_D4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	ebx, eax
		lea	eax, [ebp+var_EC]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	ebx, ebx
		js	loc_88E22B

loc_88E167:				; CODE XREF: CmpAddProcessorConfigurationEntry+387j
		mov	eax, [esi+3D50h]
		or	eax, [esi+3D54h]
		jz	short loc_88E1B7
		mov	eax, [esi+3D50h]
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_E0]
		push	offset _CmpFeatureBits ; "FeatureSet"
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_F8]
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_E0]
		push	eax
		push	[ebp+var_D4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_88E22B

loc_88E1B7:				; CODE XREF: CmpAddProcessorConfigurationEntry+40Fj
		lea	edi, [esi+3C0h]
		cmp	dword ptr [edi], 0
		jz	short loc_88E1F2
		push	offset _CmpMHz	; "~MHz"
		lea	eax, [ebp+var_E0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		push	edi
		push	4
		push	0
		lea	eax, [ebp+var_E0]
		push	eax
		push	[ebp+var_D4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_88E22B

loc_88E1F2:				; CODE XREF: CmpAddProcessorConfigurationEntry+45Cj
		add	esi, 3D58h
		mov	eax, [esi]
		or	eax, [esi+4]
		jz	short loc_88E22B
		push	offset _CmpUpdateRevision
		lea	eax, [ebp+var_E0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		push	esi
		push	3
		push	0
		lea	eax, [ebp+var_E0]
		push	eax
		push	[ebp+var_D4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	ebx, eax

loc_88E22B:				; CODE XREF: CmpAddProcessorConfigurationEntry+1E7j
					; CmpAddProcessorConfigurationEntry+336j ...
		cmp	[ebp+var_D4], 0FFFFFFFFh
		jz	short loc_88E23F
		push	[ebp+var_D4]
		call	_ZwClose@4	; ZwClose(x)

loc_88E23F:				; CODE XREF: CmpAddProcessorConfigurationEntry+4CEj
		mov	eax, ebx

loc_88E241:				; CODE XREF: CmpAddProcessorConfigurationEntry+13Fj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
CmpAddProcessorConfigurationEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInitializeRegistryNode proc near	; CODE XREF: CmpAddProcessorConfigurationEntry+138p
					; CmpAddProcessorConfigurationEntry+1D8p ...

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00929BCF SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_74], eax
		xor	ecx, ecx
		mov	[ebp+var_40], ecx
		mov	ebx, ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], ecx
		cmp	[edi+0Ch], ecx
		jz	loc_88E4C1
		mov	eax, [edi+10h]

loc_88E2A0:				; CODE XREF: CmpInitializeRegistryNode+274j
		lea	eax, _CmTypeName[eax*8]
		mov	[ebp+var_6C], 18h
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_68], edx
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_30]
		mov	[ebp+var_60], 240h
		push	eax
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_88E486
		cmp	[edi+0Ch], ebx
		jz	loc_88E390
		mov	ecx, [edi+10h]
		cmp	ecx, 2Ah
		jnb	loc_929BCF
		movzx	eax, word ptr [esi+ecx*2]
		mov	edx, eax
		inc	eax
		mov	[esi+ecx*2], ax

loc_88E302:				; CODE XREF: CmpInitializeRegistryNode+9B97Fj
		lea	eax, [ebp+var_14]
		push	eax
		push	0Ch
		push	0Ah
		movzx	eax, dx
		push	eax
		call	RtlIntegerToChar
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_3C], eax
		xor	eax, eax
		push	18h
		mov	word ptr [ebp+var_40], ax
		pop	eax
		mov	word ptr [ebp+var_40+2], ax
		lea	eax, [ebp+var_4C]
		push	0
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	esi, [ebp+var_30]
		xor	ecx, ecx
		push	18h
		pop	eax
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_68], esi
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_30]
		mov	[ebp+var_60], 240h
		push	eax
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	esi
		mov	[ebp+var_70], eax
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_70]
		test	eax, eax
		js	loc_88E486

loc_88E390:				; CODE XREF: CmpInitializeRegistryNode+93j
		push	offset ??_C@_1CM@ODEMAHPH@?$AAC?$AAo?$AAm?$AAp?$AAo?$AAn?$AAe?$AAn?$AAt?$AA?5?$AAI?$AAn?$AAf?$AAo?$AAr@NNGAKEGL@
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	10h
		lea	eax, [edi+14h]
		push	eax
		push	3
		push	0
		lea	eax, [ebp+var_38]
		push	eax
		push	[ebp+var_30]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_929BD6
		cmp	[edi+28h], ebx
		jz	short loc_88E424
		push	offset ??_C@_1BG@IEICLFFJ@?$AAI?$AAd?$AAe?$AAn?$AAt?$AAi?$AAf?$AAi?$AAe?$AAr@NNGAKEGL@ ; "Identifier"
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	dword ptr [edi+2Ch]
		lea	eax, [ebp+var_4C]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_4C]
		push	eax
		lea	eax, [ebp+var_54]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_929BD6
		movzx	eax, word ptr [ebp+var_54]
		add	eax, 2
		push	eax
		push	[ebp+var_50]
		lea	eax, [ebp+var_38]
		push	1
		push	0
		push	eax
		push	[ebp+var_30]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_54]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	esi, esi
		js	loc_929BD6

loc_88E424:				; CODE XREF: CmpInitializeRegistryNode+16Fj
		push	offset ??_C@_1CG@CDEDNCMF@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AA?5?$AAD@NNGAKEGL@
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [edi+30h]
		test	eax, eax
		jnz	short loc_88E497

loc_88E439:				; CODE XREF: CmpInitializeRegistryNode+26Aj
					; CmpInitializeRegistryNode+9B9D5j
		cmp	dword ptr [edi+30h], 0
		jnz	short loc_88E44F
		mov	eax, ds:_CmpConfigurationData
		xor	ecx, ecx
		push	10h
		pop	ebx
		and	[eax+0Ch], ecx
		mov	[eax+8], ecx

loc_88E44F:				; CODE XREF: CmpInitializeRegistryNode+1EBj
		mov	ecx, ds:_CmpConfigurationData
		mov	eax, [ebp+arg_4]
		push	ebx
		push	ecx
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		push	9
		mov	[ecx+4], eax
		lea	eax, [ebp+var_38]
		push	0
		push	eax
		push	[ebp+var_30]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_929BD6
		mov	ecx, [ebp+var_74]
		mov	eax, [ebp+var_30]
		mov	[ecx], eax
		xor	eax, eax

loc_88E486:				; CODE XREF: CmpInitializeRegistryNode+8Aj
					; CmpInitializeRegistryNode+138j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_88E497:				; CODE XREF: CmpInitializeRegistryNode+1E5j
		mov	ecx, [edi+24h]
		lea	ebx, [ecx+8]
		cmp	ebx, ds:_CmpConfigurationAreaSize
		ja	loc_929BE5
		push	ecx		; size_t
		push	eax		; void *
		mov	eax, ds:_CmpConfigurationData
		add	eax, 8

loc_88E4B3:				; CODE XREF: CmpInitializeRegistryNode+9B9C8j
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_88E439
; 

loc_88E4C1:				; CODE XREF: CmpInitializeRegistryNode+45j
		mov	[edi+10h], ecx
		mov	eax, ecx
		jmp	loc_88E2A0
CmpInitializeRegistryNode endp

; 
		align 10h
; Exported entry 2018. RtlCreateUnicodeStringFromAsciiz

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCreateUnicodeStringFromAsciiz(x,	x)
		public _RtlCreateUnicodeStringFromAsciiz@8
_RtlCreateUnicodeStringFromAsciiz@8 proc near
					; CODE XREF: CmpSetSystemRegistryString(x,x,x)+22p
					; IopInitializeBootLogging(x,x)+159p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	[ebp+arg_4]
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	eax
		call	_RtlInitAnsiStringEx@8 ; RtlInitAnsiStringEx(x,x)
		test	eax, eax
		js	short loc_88E507
		push	1
		lea	ecx, [ebp+var_8]
		push	ecx
		push	[ebp+arg_0]
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	short loc_88E507
		mov	al, 1

locret_88E503:				; CODE XREF: RtlCreateUnicodeStringFromAsciiz(x,x)+39j
		leave
		retn	8
; 

loc_88E507:				; CODE XREF: RtlCreateUnicodeStringFromAsciiz(x,x)+1Dj
					; RtlCreateUnicodeStringFromAsciiz(x,x)+2Fj
		xor	al, al
		jmp	short locret_88E503
_RtlCreateUnicodeStringFromAsciiz@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


CmpSetupLoggingState proc near		; CODE XREF: CmpInitializeSystemHive+7Fp
					; CmpInitializePreloadedHive+178p

; FUNCTION CHUNK AT 00929C2C SIZE 00000085 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	eax, [edi]
		test	al, 1
		jnz	loc_929C2C

loc_88E51E:				; CODE XREF: CmpSetupLoggingState+9B722j
					; CmpSetupLoggingState+9B7A0j
		pop	edi
		pop	esi
		retn
CmpSetupLoggingState endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpMarkCurrentProfileDirty()
_CmpMarkCurrentProfileDirty@0 proc near	; CODE XREF: CmInitSystem1(x)+5FFp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		or	[ebp+var_10], 0FFFFFFFFh
		lea	edx, [ebp+var_8]
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		push	ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], ebx
		call	CmpOpenDevicesControlSet
		test	eax, eax
		js	loc_88E624
		mov	edi, [ebp+var_8]
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_28], 18h
		push	eax
		mov	[ebp+var_24], edi
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_20], offset _CmpControlIdConfigDbString
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		push	edi
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_88E624
		mov	eax, ds:_CmKeyObjectType
		lea	ecx, [ebp+var_8]
		push	ebx
		push	ecx
		push	ebx
		push	eax
		push	20019h
		push	[ebp+var_4]
		mov	[ebp+var_8], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_88E624
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	esi, [ebp+var_8]
		lea	edx, [ebp+var_10]
		push	edx
		mov	eax, [esi+8]
		mov	ecx, [eax+14h]
		mov	eax, [eax+10h]
		push	ecx
		push	eax
		call	dword ptr [eax+4]
		test	eax, eax
		jz	short loc_88E618
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	ecx
		mov	ecx, [esi+8]
		lea	edx, [eax+24h]
		push	ebx
		push	ebx
		push	(offset	loc_A3F667+1)
		mov	ecx, [ecx+10h]
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		mov	eax, [esi+8]
		lea	ecx, [ebp+var_10]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]
		mov	edx, [ebp+var_8]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_88E618
		mov	ecx, [esi+8]
		push	ebx
		push	1
		mov	ecx, [ecx+10h]
		call	HvpMarkCellDirty

loc_88E618:				; CODE XREF: CmpMarkCurrentProfileDirty()+B4j
					; CmpMarkCurrentProfileDirty()+E6j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, esi
		call	ObfDereferenceObject

loc_88E624:				; CODE XREF: CmpMarkCurrentProfileDirty()+25j
					; CmpMarkCurrentProfileDirty()+68j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpMarkCurrentProfileDirty@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EnlistKeyBodyWithKCB proc near		; CODE XREF: CmpInitializePreloadedHive+3B9p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00929CB1 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	esi, [ecx+14h]
		mov	[ebp+var_8], edx
		xor	edi, edi
		mov	[ebp+var_4], ecx
		mov	[esi+4], esi
		mov	ebx, edi
		mov	[esi], esi

loc_88E646:				; CODE XREF: EnlistKeyBodyWithKCB+9B690j
		mov	edx, [ecx+8]
		xor	eax, eax
		add	edx, 48h
		add	edx, ebx
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	loc_929CB1

loc_88E65C:				; CODE XREF: EnlistKeyBodyWithKCB+9B6BAj
					; EnlistKeyBodyWithKCB+9B6C4j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
EnlistKeyBodyWithKCB endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmSetAcpiHwProfile proc	near		; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+164p
					; CmpCreateHardwareProfiles+45Bp

var_278		= byte ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00929CF3 SIZE 0000039D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 278h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_25C], edx
		lea	edi, [ebp+var_240]
		mov	edx, [ebp+arg_8]
		push	6
		mov	[ebp+var_24C], ecx
		mov	[ebp+var_270], eax
		xor	eax, eax
		pop	ecx
		mov	[edx], al
		mov	ebx, eax
		mov	[ebp+var_250], eax
		mov	[ebp+var_21C], eax
		mov	[ebp+var_220], eax
		mov	[ebp+var_210], eax
		mov	[ebp+var_254], eax
		mov	[ebp+var_244], eax
		mov	dword ptr [ebp+var_278], eax
		mov	[ebp+var_274], eax
		mov	[ebp+var_218], eax
		mov	[ebp+var_214], eax
		mov	[ebp+var_260], eax
		mov	[ebp+var_228], eax
		mov	[ebp+var_264], eax
		mov	[ebp+var_224], eax
		mov	[ebp+var_268], eax
		mov	[ebp+var_258], eax
		mov	[ebp+var_248], eax
		rep stosd
		lea	eax, [ebp+var_278]
		mov	[ebp+var_26C], edx
		push	eax
		lea	edx, [ebp+var_250]
		call	CmpOpenDevicesControlSet
		mov	esi, eax
		test	esi, esi
		js	loc_929D3E
		mov	edi, [ebp+var_250]
		lea	eax, [ebp+var_240]
		and	[ebp+var_230], ebx
		and	[ebp+var_22C], ebx
		push	eax
		push	20019h
		lea	eax, [ebp+var_21C]
		mov	[ebp+var_240], 18h
		push	eax
		mov	[ebp+var_23C], edi
		mov	[ebp+var_234], 240h
		mov	[ebp+var_238], offset _CmpControlIdConfigDbString
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_929CF3
		mov	ecx, [ebp+var_21C]
		lea	edx, [ebp+var_248]
		mov	eax, 100h
		push	eax
		lea	eax, [ebp+var_10C]
		push	eax
		lea	eax, [ebp+var_20C]
		push	eax
		lea	eax, [ebp+var_258]
		push	eax
		call	CmpGetAcpiProfileInformation
		mov	esi, eax
		test	esi, esi
		js	loc_929D3E
		and	[ebp+var_230], ebx
		lea	eax, [ebp+var_240]
		and	[ebp+var_22C], ebx
		push	eax
		mov	[ebp+var_23C], edi
		lea	eax, [ebp+var_220]
		push	20019h
		mov	edi, 240h
		mov	[ebp+var_240], 18h
		push	eax
		mov	[ebp+var_234], edi
		mov	[ebp+var_238], (offset loc_A3F61F+1)
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_929CFE
		push	offset ??_C@_1CA@CEMLPECN@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAD?$AAo?$AAc?$AAk?$AAI?$AAn?$AAf?$AAo@NNGAKEGL@
		lea	eax, [ebp+var_218]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_21C]
		and	[ebp+var_230], ebx
		and	[ebp+var_22C], ebx
		mov	[ebp+var_23C], eax
		lea	eax, [ebp+var_218]
		mov	[ebp+var_238], eax
		lea	eax, [ebp+var_240]
		push	eax
		push	20019h
		lea	eax, [ebp+var_210]
		mov	[ebp+var_240], 18h
		push	eax
		mov	[ebp+var_234], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_929D09
		push	offset ??_C@_1BK@DIMLADLC@?$AAD?$AAo?$AAc?$AAk?$AAi?$AAn?$AAg?$AAS?$AAt?$AAa?$AAt?$AAe@NNGAKEGL@ ; "DockingState"
		lea	eax, [ebp+var_218]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_260]
		mov	edi, 100h
		push	eax
		push	edi
		lea	eax, [ebp+var_10C]
		push	eax
		push	1
		lea	eax, [ebp+var_218]
		push	eax
		push	[ebp+var_210]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_92A069
		cmp	[ebp+var_108], 4
		jnz	loc_92A069
		mov	eax, [ebp+var_104]
		push	offset ??_C@_1CC@GFOCCCFH@?$AAA?$AAc?$AAp?$AAi?$AAS?$AAe?$AAr?$AAi?$AAa?$AAl?$AAN?$AAu?$AAm?$AAb?$AAe@NNGAKEGL@	; "AcpiSerialNumber"
		mov	esi, [ebp+eax+var_10C]
		lea	eax, [ebp+var_218]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_260]
		push	eax
		push	edi
		lea	eax, [ebp+var_10C]
		push	eax
		push	1
		lea	eax, [ebp+var_218]
		push	eax
		push	[ebp+var_210]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_929D14

loc_88E90C:				; CODE XREF: CmSetAcpiHwProfile+9B6B7j
		xor	ebx, ebx

loc_88E90E:				; CODE XREF: CmSetAcpiHwProfile+9B715j
		push	offset ??_C@_1BM@EBFHNJCL@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@
		lea	eax, [ebp+var_218]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_260]
		push	eax
		push	edi
		lea	eax, [ebp+var_10C]
		push	eax
		push	1
		lea	eax, [ebp+var_218]
		push	eax
		push	[ebp+var_21C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_929F76
		cmp	[ebp+var_108], 4
		jnz	loc_929F76
		push	[ebp+var_258]	; void *
		mov	eax, [ebp+var_104]
		mov	edx, esi
		push	[ebp+var_248]	; int
		mov	ecx, [ebp+var_24C]
		mov	edi, [ebp+eax+var_10C]
		push	edi		; int
		push	ebx		; int
		call	CmpFilterAcpiDockingState
		mov	esi, eax
		test	esi, esi
		js	loc_929D3E
		push	0
		lea	eax, [ebp+var_264]
		push	eax
		push	[ebp+var_248]
		call	[ebp+var_25C]
		cmp	[ebp+var_264], 0FFFFFFFFh
		mov	esi, eax
		jz	loc_88EAD6
		test	esi, esi
		js	loc_929D3E
		mov	eax, [ebp+var_250]
		and	[ebp+var_230], 0
		and	[ebp+var_22C], 0
		mov	[ebp+var_23C], eax
		lea	eax, [ebp+var_240]
		push	eax
		push	20019h
		lea	eax, [ebp+var_244]
		mov	[ebp+var_240], 18h
		push	eax
		mov	[ebp+var_234], 240h
		mov	[ebp+var_238], (offset loc_A3F627+1)
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_929D7E
		imul	ecx, [ebp+var_264], 14h
		mov	eax, [ebp+var_248]
		mov	edx, [ecx+eax+18h]
		mov	eax, [ecx+eax+14h]
		mov	[ebp+var_25C], edx
		mov	[ebp+var_224], eax
		test	dl, 8
		jnz	loc_929D8A

loc_88EA39:				; CODE XREF: CmSetAcpiHwProfile+9B75Bj
		mov	esi, edx
		and	esi, 4
		jnz	loc_929DC4
		cmp	eax, edi
		jnz	loc_929DC4

loc_88EA4C:				; CODE XREF: CmSetAcpiHwProfile+9B90Cj
		mov	esi, [ebp+var_24C]
		push	offset ??_C@_1BK@DIMLADLC@?$AAD?$AAo?$AAc?$AAk?$AAi?$AAn?$AAg?$AAS?$AAt?$AAa?$AAt?$AAe@NNGAKEGL@ ; "DockingState"
		movzx	eax, word ptr [esi]
		mov	[ebp+var_228], eax
		lea	eax, [ebp+var_218]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_228]
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_218]
		push	eax
		push	[ebp+var_210]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1CC@GFOCCCFH@?$AAA?$AAc?$AAp?$AAi?$AAS?$AAe?$AAr?$AAi?$AAa?$AAl?$AAN?$AAu?$AAm?$AAb?$AAe@NNGAKEGL@	; "AcpiSerialNumber"
		lea	eax, [ebp+var_218]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, word ptr [esi+2]
		push	eax
		lea	eax, [esi+4]
		push	eax
		push	3
		push	0
		lea	eax, [ebp+var_218]
		push	eax
		push	[ebp+var_210]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		test	byte ptr [ebp+var_25C],	2
		mov	esi, eax
		jz	loc_929F80

loc_88EACA:				; CODE XREF: CmSetAcpiHwProfile+9B93Fj
		cmp	[ebp+var_224], edi
		jnz	loc_929FA8

loc_88EAD6:				; CODE XREF: CmSetAcpiHwProfile+343j
					; CmSetAcpiHwProfile+9B695j ...
		test	esi, esi
		js	loc_929D3E
		mov	ecx, [ebp+var_270]
		mov	eax, [ebp+var_220]
		mov	[ecx], eax

loc_88EAEC:				; CODE XREF: CmSetAcpiHwProfile+9B6E1j
					; CmSetAcpiHwProfile+9B6F2j
		cmp	[ebp+var_254], 0
		jnz	loc_92A073

loc_88EAF9:				; CODE XREF: CmSetAcpiHwProfile+9BA1Aj
		cmp	[ebp+var_21C], 0
		jz	short loc_88EB0D
		push	[ebp+var_21C]
		call	_ZwClose@4	; ZwClose(x)

loc_88EB0D:				; CODE XREF: CmSetAcpiHwProfile+49Cj
		cmp	[ebp+var_210], 0
		jz	short loc_88EB21
		push	[ebp+var_210]
		call	_ZwClose@4	; ZwClose(x)

loc_88EB21:				; CODE XREF: CmSetAcpiHwProfile+4B0j
		cmp	[ebp+var_244], 0
		jz	short loc_88EB35
		push	[ebp+var_244]
		call	_ZwClose@4	; ZwClose(x)

loc_88EB35:				; CODE XREF: CmSetAcpiHwProfile+4C4j
		test	ebx, ebx
		jnz	loc_92A083

loc_88EB3D:				; CODE XREF: CmSetAcpiHwProfile+9BA27j
		mov	edx, [ebp+var_248]
		xor	ebx, ebx
		test	edx, edx
		jz	short loc_88EB87
		mov	ecx, ebx
		mov	[ebp+var_228], ecx
		cmp	[edx+4], ebx
		jbe	short loc_88EB80

loc_88EB56:				; CODE XREF: CmSetAcpiHwProfile+51Aj
		imul	eax, ecx, 14h
		mov	eax, [eax+edx+0Ch]
		test	eax, eax
		jz	short loc_88EB74
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_228]
		mov	edx, [ebp+var_248]

loc_88EB74:				; CODE XREF: CmSetAcpiHwProfile+4FBj
		inc	ecx
		mov	[ebp+var_228], ecx
		cmp	ecx, [edx+4]
		jb	short loc_88EB56

loc_88EB80:				; CODE XREF: CmSetAcpiHwProfile+4F0j
		push	ebx
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88EB87:				; CODE XREF: CmSetAcpiHwProfile+4E3j
		mov	edx, [ebp+var_258]
		test	edx, edx
		jz	short loc_88EBD0
		mov	ecx, ebx
		mov	[ebp+var_228], ecx
		cmp	[edx+4], ebx
		jbe	short loc_88EBC9

loc_88EB9E:				; CODE XREF: CmSetAcpiHwProfile+563j
		mov	eax, ecx
		add	eax, eax
		mov	eax, [edx+eax*8+14h]
		test	eax, eax
		jz	short loc_88EBBD
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_228]
		mov	edx, [ebp+var_258]

loc_88EBBD:				; CODE XREF: CmSetAcpiHwProfile+544j
		inc	ecx
		mov	[ebp+var_228], ecx
		cmp	ecx, [edx+4]
		jb	short loc_88EB9E

loc_88EBC9:				; CODE XREF: CmSetAcpiHwProfile+538j
		push	ebx
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88EBD0:				; CODE XREF: CmSetAcpiHwProfile+52Bj
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
CmSetAcpiHwProfile endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmpFilterAcpiDockingState(int,int,int,void *)
CmpFilterAcpiDockingState proc near	; CODE XREF: CmSetAcpiHwProfile+316p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092A090 SIZE 000000AD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_C]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_2], bl
		mov	[ebp+var_3], bl
		mov	[ebp+var_4], bl
		push	esi
		mov	esi, edx
		mov	edx, ecx
		mov	[ebp+var_14], esi
		mov	cl, bl
		mov	[ebp+var_8], edx
		mov	[ebp+var_1], cl
		push	edi
		mov	edi, ebx
		mov	[ebp+var_10], edi
		test	eax, eax
		jz	loc_92A096
		cmp	[eax+4], ebx
		jbe	loc_92A096
		lea	esi, [eax+10h]

loc_88EC25:				; CODE XREF: CmpFilterAcpiDockingState+D0j
		mov	ecx, [esi-4]
		and	ecx, 3
		jz	short loc_88EC37
		movzx	eax, word ptr [edx]
		and	eax, 3
		cmp	ecx, eax
		jnz	short loc_88ECA7

loc_88EC37:				; CODE XREF: CmpFilterAcpiDockingState+47j
		movzx	eax, word ptr [edx+2]
		mov	ecx, [esi]
		cmp	ecx, eax
		jnz	short loc_88ECA7
		push	ecx		; Length
		push	dword ptr [esi+4] ; Source2
		lea	eax, [edx+4]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	[esi], eax
		jnz	short loc_88ECA4
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_C], ebx
		cmp	[edx+4], ebx
		jbe	short loc_88ECA4
		mov	ecx, [esi-8]
		lea	edi, [edx+18h]
		mov	ebx, [ebp+var_8]

loc_88EC66:				; CODE XREF: CmpFilterAcpiDockingState+B9j
		cmp	[edi-4], ecx
		jnz	short loc_88EC75
		or	dword ptr [edi], 2
		mov	ecx, [esi-8]
		mov	[ebp+var_1], 1

loc_88EC75:				; CODE XREF: CmpFilterAcpiDockingState+85j
		movzx	eax, word ptr [ebx]
		cmp	[ebp+var_14], eax
		jnz	short loc_88EC87
		cmp	[ebp+arg_0], 0
		jnz	short loc_88EC87
		mov	[ebp+var_2], 1

loc_88EC87:				; CODE XREF: CmpFilterAcpiDockingState+97j
					; CmpFilterAcpiDockingState+9Dj
		cmp	ecx, [ebp+arg_4]
		jnz	short loc_88EC90
		mov	[ebp+var_3], 1

loc_88EC90:				; CODE XREF: CmpFilterAcpiDockingState+A6j
		mov	eax, [ebp+var_C]
		add	edi, 14h
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, [edx+4]
		jb	short loc_88EC66
		mov	edi, [ebp+var_10]
		xor	ebx, ebx

loc_88ECA4:				; CODE XREF: CmpFilterAcpiDockingState+6Cj
					; CmpFilterAcpiDockingState+77j
		mov	edx, [ebp+var_8]

loc_88ECA7:				; CODE XREF: CmpFilterAcpiDockingState+51j
					; CmpFilterAcpiDockingState+5Bj
		mov	eax, [ebp+arg_C]
		inc	edi
		add	esi, 10h
		mov	[ebp+var_10], edi
		cmp	edi, [eax+4]
		jb	loc_88EC25
		cmp	[ebp+var_2], 0
		jz	loc_92A090

loc_88ECC4:				; CODE XREF: CmpFilterAcpiDockingState+9B4B6j
					; CmpFilterAcpiDockingState+9B4BEj ...
		mov	edi, [ebp+arg_8]
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_88ED23
		lea	ecx, [edi+8]
		lea	edx, [edi+1Ch]
		mov	[ebp+arg_C], ecx
		lea	esi, [edi+14h]
		mov	[ebp+arg_0], edx
		add	edi, 18h

loc_88ECE0:				; CODE XREF: CmpFilterAcpiDockingState+13Dj
		cmp	[ebp+var_2], 0
		mov	ecx, [edi]
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+arg_C]
		jz	loc_92A0E5
		test	byte ptr [ebp+var_8], 2
		jz	short loc_88ED2C
		cmp	[ebp+var_3], 0
		jz	loc_92A0C0
		mov	edx, [ebp+arg_4]
		cmp	[esi], edx
		mov	edx, [ebp+arg_0]

loc_88ED0A:				; CODE XREF: CmpFilterAcpiDockingState+9B537j
		jnz	short loc_88ED2C

loc_88ED0C:				; CODE XREF: CmpFilterAcpiDockingState+9B50Bj
					; CmpFilterAcpiDockingState+9B515j ...
		add	edx, 14h
		inc	ebx
		add	edi, 14h
		mov	[ebp+arg_0], edx
		add	esi, 14h
		add	ecx, 14h
		mov	[ebp+arg_C], ecx

loc_88ED1F:				; CODE XREF: CmpFilterAcpiDockingState+15Fj
					; CmpFilterAcpiDockingState+9B4FCj
		cmp	ebx, eax
		jb	short loc_88ECE0

loc_88ED23:				; CODE XREF: CmpFilterAcpiDockingState+E8j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	10h
; 

loc_88ED2C:				; CODE XREF: CmpFilterAcpiDockingState+112j
					; CmpFilterAcpiDockingState:loc_88ED0Aj ...
		mov	[ebp+var_8], eax
		sub	[ebp+var_8], ebx
		sub	[ebp+var_8], 1
		jnz	loc_92A120

loc_88ED3C:				; CODE XREF: CmpFilterAcpiDockingState+9B554j
		mov	ecx, [ebp+arg_8]
		dec	eax
		mov	[ecx+4], eax
		jmp	short loc_88ED1F
CmpFilterAcpiDockingState endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetAcpiProfileInformation proc near	; CODE XREF: CmSetAcpiHwProfile+148p

var_A0		= dword	ptr -0A0h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0092A13D SIZE 0000013A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_8]
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		push	30h		; size_t
		push	eax		; int
		mov	[ebp+var_54], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_38]
		push	eax		; void *
		mov	[ebp+var_5C], esi
		mov	[ebp+var_60], ecx
		mov	[ebp+var_50], edi
		call	_memset
		and	dword ptr [esi], 0
		lea	eax, [ebp+var_48]
		add	esp, 0Ch
		xor	esi, esi
		mov	[edi], esi
		push	offset ??_C@_1CE@JCFICPFJ@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AA?5?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@NNGAKEGL@ ; "Hardware Profiles"
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_60]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	20019h
		lea	eax, [ebp+var_58]
		mov	[ebp+var_78], 18h
		push	eax
		mov	[ebp+var_6C], 240h
		mov	[ebp+var_68], esi
		mov	[ebp+var_64], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		mov	[ebp+var_3C], esi
		test	esi, esi
		js	loc_92A13D
		lea	eax, [ebp+var_4C]
		push	eax
		push	30h
		lea	eax, [ebp+var_38]
		push	eax
		push	2
		push	[ebp+var_58]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_3C], esi
		test	esi, esi
		js	loc_88F30F
		mov	eax, [ebp+var_24]
		dec	eax
		imul	eax, 14h
		push	20204D43h
		add	eax, 1Ch
		push	eax
		push	1
		mov	[ebp+var_4C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, [ebp+var_5C]
		mov	[esi], eax
		test	eax, eax
		jz	loc_92A146
		push	[ebp+var_4C]	; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [esi]
		add	esp, 0Ch
		mov	eax, [ebp+var_24]
		mov	[ecx], eax
		mov	eax, [esi]
		and	dword ptr [eax+4], 0
		xor	eax, eax
		mov	[ebp+var_90], eax
		cmp	[ebp+var_24], eax
		jbe	loc_88F0A8

loc_88EE5A:				; CODE XREF: CmpGetAcpiProfileInformation+359j
		and	[ebp+var_80], 0
		lea	ecx, [ebp+var_4C]
		push	ecx
		push	0FEh
		push	ebx
		push	0
		push	eax
		push	[ebp+var_58]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_88F0A5
		mov	eax, [ebx+0Ch]
		xor	ecx, ecx
		shr	eax, 1
		mov	[ebx+eax*2+10h], cx
		movzx	eax, word ptr [ebx+0Ch]
		and	[ebp+var_68], ecx
		and	[ebp+var_64], ecx
		mov	word ptr [ebp+var_48], ax
		add	eax, 2
		mov	word ptr [ebp+var_48+2], ax
		lea	eax, [ebx+10h]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_58]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	20019h
		lea	eax, [ebp+var_40]
		mov	[ebp+var_78], 18h
		push	eax
		mov	[ebp+var_6C], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_88F0A5
		lea	eax, [ebp+var_80]
		push	eax
		push	0
		lea	eax, [ebp+var_48]
		push	eax
		call	RtlUnicodeStringToInteger
		push	offset ??_C@_1CA@DNKLCGOJ@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAe?$AAn?$AAc?$AAe?$AAO?$AAr?$AAd?$AAe?$AAr@NNGAKEGL@	; "P"
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4C]
		xor	edi, edi
		push	eax
		push	100h
		push	ebx
		inc	edi
		lea	eax, [ebp+var_48]
		push	edi
		push	eax
		push	[ebp+var_40]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_92A153
		cmp	dword ptr [ebx+4], 4
		jnz	loc_92A153
		mov	eax, [ebx+8]
		mov	esi, [ebx+eax]
		mov	[ebp+var_3C], esi
		mov	[ebp+var_84], esi

loc_88EF2E:				; CODE XREF: CmpGetAcpiProfileInformation+9B419j
		push	offset ??_C@_1BK@BFIEKNFP@?$AAF?$AAr?$AAi?$AAe?$AAn?$AAd?$AAl?$AAy?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@ ; "FriendlyName"
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4C]
		push	eax
		push	100h
		push	ebx
		push	edi
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_40]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_92A164
		cmp	[ebx+4], edi
		jnz	loc_92A164
		push	20204D43h
		push	dword ptr [ebx+0Ch]
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebx+0Ch]
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_88], eax
		test	eax, eax
		jz	loc_92A1BC
		push	ecx		; size_t
		mov	ecx, [ebx+8]
		add	ecx, ebx

loc_88EF8F:				; CODE XREF: CmpGetAcpiProfileInformation+9B458j
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		and	[ebp+var_7C], 0
		lea	eax, [ebp+var_48]
		add	esp, 0Ch
		push	offset ??_C@_1BE@CCJOPAOC@?$AAA?$AAl?$AAi?$AAa?$AAs?$AAa?$AAb?$AAl?$AAe@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4C]
		push	eax
		push	100h
		push	ebx
		push	edi
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_40]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		push	4
		pop	esi
		test	eax, eax
		js	loc_92A1A3
		cmp	[ebx+4], esi
		jnz	loc_92A1A3
		mov	eax, [ebx+8]
		cmp	dword ptr [ebx+eax], 0
		jnz	loc_92A1A3

loc_88EFE3:				; CODE XREF: CmpGetAcpiProfileInformation+9B460j
		push	offset ??_C@_1BC@CLFDFOLE@?$AAP?$AAr?$AAi?$AAs?$AAt?$AAi?$AAn?$AAe@NNGAKEGL@
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4C]
		push	eax
		push	100h
		push	ebx
		push	edi
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_40]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_88F01D
		cmp	[ebx+4], esi
		jnz	short loc_88F01D
		mov	eax, [ebx+8]
		cmp	dword ptr [ebx+eax], 0
		jz	short loc_88F01D
		mov	[ebp+var_7C], esi

loc_88F01D:				; CODE XREF: CmpGetAcpiProfileInformation+2C4j
					; CmpGetAcpiProfileInformation+2C9j ...
		cmp	[ebp+var_80], 0
		jnz	loc_88F346
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_7C], esi
		mov	[ebp+var_84], eax

loc_88F033:				; CODE XREF: CmpGetAcpiProfileInformation+603j
		mov	ecx, [ebp+var_5C]
		xor	esi, esi
		mov	ecx, [ecx]
		mov	edi, [ecx+4]
		test	edi, edi
		jz	short loc_88F06C
		mov	edx, ecx

loc_88F043:				; CODE XREF: CmpGetAcpiProfileInformation+9B46Bj
		cmp	[edx+10h], eax
		jb	loc_92A1AB
		mov	eax, [ecx]
		sub	eax, esi
		imul	eax, 14h
		sub	eax, 14h
		push	eax		; size_t
		lea	eax, [edx+8]
		push	eax		; void *
		lea	eax, [edx+1Ch]
		push	eax		; void *
		call	_memmove
		mov	eax, [ebp+var_5C]
		add	esp, 0Ch
		mov	ecx, [eax]

loc_88F06C:				; CODE XREF: CmpGetAcpiProfileInformation+2F9j
					; CmpGetAcpiProfileInformation+9B471j
		imul	eax, esi, 14h
		lea	edi, [ecx+8]
		push	5
		pop	ecx
		lea	esi, [ebp+var_8C]
		add	edi, eax
		mov	eax, [ebp+var_5C]
		rep movsd
		mov	eax, [eax]
		inc	dword ptr [eax+4]
		push	[ebp+var_40]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_90]
		inc	eax
		mov	[ebp+var_90], eax
		cmp	eax, [ebp+var_24]
		jb	loc_88EE5A

loc_88F0A5:				; CODE XREF: CmpGetAcpiProfileInformation+12Fj
					; CmpGetAcpiProfileInformation+18Aj
		mov	edi, [ebp+var_50]

loc_88F0A8:				; CODE XREF: CmpGetAcpiProfileInformation+10Ej
		push	offset ??_C@_1BE@EFIOFOBM@?$AAA?$AAc?$AAp?$AAi?$AAA?$AAl?$AAi?$AAa?$AAs@NNGAKEGL@
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_60]
		and	[ebp+var_68], 0
		and	[ebp+var_64], 0
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	20019h
		lea	eax, [ebp+var_54]
		mov	[ebp+var_78], 18h
		push	eax
		mov	[ebp+var_6C], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_92A1C3
		lea	eax, [ebp+var_4C]
		push	eax
		push	30h
		lea	eax, [ebp+var_38]
		push	eax
		push	2
		push	[ebp+var_54]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_3C], esi
		test	esi, esi
		js	loc_88F30F
		mov	eax, [ebp+var_24]
		dec	eax
		imul	eax, 14h
		push	20204D43h
		add	eax, 1Ch
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[edi], ecx
		test	ecx, ecx
		jz	loc_92A146
		mov	eax, [ebp+var_24]
		mov	[ecx+4], eax
		mov	ecx, [edi]
		mov	eax, [ebp+var_24]
		mov	[ecx], eax
		xor	eax, eax
		mov	[ebp+var_60], eax
		cmp	[ebp+var_24], eax
		jbe	loc_88F30F
		xor	edi, edi

loc_88F153:				; CODE XREF: CmpGetAcpiProfileInformation+5C3j
		lea	ecx, [ebp+var_4C]
		push	ecx
		push	0FEh
		push	ebx
		push	0
		push	eax
		push	[ebp+var_54]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_3C], esi
		test	esi, esi
		js	loc_88F30F
		mov	eax, [ebx+0Ch]
		xor	ecx, ecx
		shr	eax, 1
		mov	[ebx+eax*2+10h], cx
		movzx	eax, word ptr [ebx+0Ch]
		and	[ebp+var_68], ecx
		and	[ebp+var_64], ecx
		mov	word ptr [ebp+var_48], ax
		add	eax, 2
		mov	word ptr [ebp+var_48+2], ax
		lea	eax, [ebx+10h]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_54]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	20019h
		lea	eax, [ebp+var_40]
		mov	[ebp+var_78], 18h
		push	eax
		mov	[ebp+var_6C], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		mov	[ebp+var_3C], esi
		test	esi, esi
		js	loc_88F30F
		push	offset ??_C@_1BM@IAAGELMO@?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl?$AAe?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@NNGAKEGL@ ;	"P"
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4C]
		push	eax
		push	100h
		push	ebx
		push	1
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_40]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_92A1D7
		cmp	dword ptr [ebx+4], 4
		jnz	loc_92A1D7
		mov	esi, [ebp+var_50]
		mov	eax, [ebx+8]
		push	offset ??_C@_1BK@DIMLADLC@?$AAD?$AAo?$AAc?$AAk?$AAi?$AAn?$AAg?$AAS?$AAt?$AAa?$AAt?$AAe@NNGAKEGL@ ; "DockingState"
		mov	ecx, [esi]
		mov	eax, [ebx+eax]
		mov	[ecx+edi+8], eax
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4C]
		push	eax
		push	100h
		push	ebx
		push	1
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_40]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_92A1D7
		cmp	dword ptr [ebx+4], 4
		jnz	loc_92A1D7
		mov	eax, [ebx+8]
		mov	ecx, [esi]
		push	offset ??_C@_1CC@GFOCCCFH@?$AAA?$AAc?$AAp?$AAi?$AAS?$AAe?$AAr?$AAi?$AAa?$AAl?$AAN?$AAu?$AAm?$AAb?$AAe@NNGAKEGL@	; "AcpiSerialNumber"
		mov	eax, [ebx+eax]
		mov	[ecx+edi+0Ch], eax
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4C]
		push	eax
		push	100h
		push	ebx
		push	1
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_40]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_3C], esi
		test	esi, esi
		js	loc_92A1D7
		cmp	dword ptr [ebx+4], 3
		jnz	loc_92A1D7
		mov	eax, [ebp+var_50]
		mov	ecx, [eax]
		mov	eax, [ebx+0Ch]
		mov	[ecx+edi+10h], eax
		mov	eax, [ebx+0Ch]
		test	eax, eax
		jz	loc_92A1D0
		push	20204D43h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax

loc_88F2C3:				; CODE XREF: CmpGetAcpiProfileInformation+9B48Cj
		mov	eax, [ebp+var_50]
		mov	eax, [eax]
		mov	[eax+edi+14h], ecx
		mov	edx, [ebx+0Ch]
		test	edx, edx
		jz	short loc_88F2F4
		mov	eax, [ebp+var_50]
		mov	eax, [eax]
		mov	ecx, [eax+edi+14h]
		test	ecx, ecx
		jz	loc_92A1BC
		mov	eax, [ebx+8]
		push	edx		; size_t
		add	eax, ebx
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_88F2F4:				; CODE XREF: CmpGetAcpiProfileInformation+58Bj
		push	[ebp+var_40]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_60]
		add	edi, 10h
		inc	eax
		mov	[ebp+var_60], eax
		cmp	eax, [ebp+var_24]
		jb	loc_88F153

loc_88F30F:				; CODE XREF: CmpGetAcpiProfileInformation+BBj
					; CmpGetAcpiProfileInformation+3C7j ...
		cmp	[ebp+var_54], 0
		jz	short loc_88F31D
		push	[ebp+var_54]
		call	_ZwClose@4	; ZwClose(x)

loc_88F31D:				; CODE XREF: CmpGetAcpiProfileInformation+5CDj
					; CmpGetAcpiProfileInformation+9B485j
		cmp	[ebp+var_58], 0
		jz	short loc_88F32B
		push	[ebp+var_58]
		call	_ZwClose@4	; ZwClose(x)

loc_88F32B:				; CODE XREF: CmpGetAcpiProfileInformation+5DBj
		test	esi, esi
		js	loc_92A1EC

loc_88F333:				; CODE XREF: CmpGetAcpiProfileInformation+9B4EEj
					; CmpGetAcpiProfileInformation+9B52Cj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_88F346:				; CODE XREF: CmpGetAcpiProfileInformation+2DBj
		mov	eax, [ebp+var_3C]
		jmp	loc_88F033
CmpGetAcpiProfileInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFinishSystemHivesLoad(x)
_CmpFinishSystemHivesLoad@4 proc near	; DATA XREF: CmCompleteRegistryInitialization+BFo

var_248		= dword	ptr -248h
var_23E		= byte ptr -23Eh
var_23D		= byte ptr -23Dh
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_204		= dword	ptr -204h
var_1F8		= dword	ptr -1F8h
var_1EC		= dword	ptr -1ECh
var_1E0		= dword	ptr -1E0h
var_88		= dword	ptr -88h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 234h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+234h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		mov	[esp+240h+var_230], eax
		lea	edi, [esp+240h+var_210]
		xor	eax, eax
		xor	ebx, ebx
		rep stosd
		push	6
		pop	ecx
		lea	edi, [esp+240h+var_1F8]
		mov	[esp+240h+var_224], ebx
		push	154h		; size_t
		rep stosd
		lea	eax, [esp+244h+var_1E0]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		lea	ecx, [esp+24Ch+var_22C]
		mov	_CmpMountThread, eax
		add	esp, 0Ch
		mov	eax, 80h
		mov	[esp+240h+var_22C], ebx
		mov	word ptr [esp+240h+var_22C+2], ax
		mov	edx, offset ??_C@_1BG@OKCBELMP@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2@NNGAKEGL@ ;	"\\REGISTRY\\"
		lea	eax, [esp+240h+var_88]
		mov	ds:_CmpNoWrite,	bl
		mov	[esp+240h+var_228], eax
		call	_RtlUnicodeStringCopyString@8 ;	RtlUnicodeStringCopyString(x,x)
		movzx	eax, word ptr [esp+240h+var_22C]
		mov	esi, 20204D43h
		push	esi
		mov	edx, 0A8h
		mov	[esp+244h+var_214], eax
		mov	ecx, 200h
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+240h+var_21C], edi
		test	edi, edi
		jz	loc_88F9FE
		push	esi
		push	1Ch
		pop	edx
		mov	ecx, 200h
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+240h+var_218], ebx
		test	ebx, ebx
		jnz	short loc_88F42A
		push	0C000009Ah
		push	eax
		push	6
		jmp	loc_88FA06
; 

loc_88F42A:				; CODE XREF: CmpFinishSystemHivesLoad(x)+CDj
		call	CmpHiveRootSecurityDescriptor
		push	7
		mov	[esp+244h+var_220], eax
		mov	ecx, ebx
		pop	eax
		mov	edx, offset dword_6B1660
		mov	esi, eax

loc_88F43F:				; CODE XREF: CmpFinishSystemHivesLoad(x)+FCj
		mov	[ecx], edx
		add	edx, 78h
		add	ecx, 4
		sub	esi, 1
		jnz	short loc_88F43F
		mov	esi, [esp+240h+var_230]
		test	esi, esi
		jnz	short loc_88F4BD
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset unk_6B17C8
		call	KeWaitForSingleObject
		push	esi
		push	esi
		push	offset unk_6B17C8
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		lea	eax, [esp+240h+var_1F8]
		push	eax
		push	ds:_PsInitialSystemProcess
		call	KeStackAttachProcess
		mov	dl, _CmpInitRmLogOnLoad
		xor	ecx, ecx
		call	CmpInitCmRM
		lea	eax, [esp+240h+var_1F8]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		mov	eax, _CmRmSystem
		test	eax, eax
		jz	short loc_88F4BA
		push	eax
		push	offset _CmKtmNotification@28 ; CmKtmNotification(x,x,x,x,x,x,x)
		push	dword ptr [eax+1Ch]
		call	ds:__imp__TmEnableCallbacks@12 ; TmEnableCallbacks(x,x,x)
		mov	ecx, _CmRmSystem
		call	CmRmFinalizeRecovery

loc_88F4BA:				; CODE XREF: CmpFinishSystemHivesLoad(x)+150j
		push	7
		pop	eax

loc_88F4BD:				; CODE XREF: CmpFinishSystemHivesLoad(x)+104j
					; CmpFinishSystemHivesLoad(x)+3A8j
		push	edi
		push	0
		push	0
		push	0
		push	0
		push	1
		push	ebx
		push	eax
		call	KeWaitForMultipleObjects
		xor	cl, cl
		xor	ebx, ebx
		push	7
		mov	[esp+250h+var_23E], cl
		pop	eax

loc_88F4DA:				; CODE XREF: CmpFinishSystemHivesLoad(x)+392j
		imul	edi, ebx, 78h
		cmp	byte_6B1648[edi], 0
		jnz	loc_88F6D9
		cmp	byte_6B1649[edi], 0
		jnz	short loc_88F4FE
		mov	cl, 1
		mov	[esp+24Ch+var_23E], cl
		jmp	loc_88F6DD
; 

loc_88F4FE:				; CODE XREF: CmpFinishSystemHivesLoad(x)+1A3j
		mov	eax, [esp+24Ch+var_220]
		push	off_6B162C[edi]	; void *
		mov	word ptr [esp+250h+var_238], ax
		lea	eax, [esp+250h+var_238]
		push	eax		; int
		mov	[esp+254h+var_23D], 0
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	dword_6B1630[edi] ; void *
		lea	eax, [esp+250h+var_238]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		xor	edx, edx
		cmp	dword_6B1634[edi], edx
		jnz	loc_88F644
		mov	ecx, dword_6B1644[edi]
		test	ecx, ecx
		jz	loc_88F644
		lea	eax, [esp+24Ch+var_1EC]
		push	eax
		movzx	eax, byte ptr dword_6B164B[edi]
		push	1
		push	edx
		push	edx
		push	[esp+25Ch+var_22C]
		push	edx
		push	edx
		push	dword_6B1640[edi]
		push	eax
		push	ecx
		lea	ecx, [esp+274h+var_238]
		call	CmpLinkHiveToMaster
		mov	ecx, eax
		test	ecx, ecx
		js	loc_88F7E5
		call	_CmpLockHiveListExclusive@0 ; CmpLockHiveListExclusive()
		mov	ecx, ds:dword_A940F4
		mov	edx, offset _CmpHiveListHead
		mov	eax, dword_6B1644[edi]
		add	eax, 420h
		cmp	[ecx], edx
		jnz	loc_88F7E0
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ds:dword_A940F4, eax
		call	_CmpUnlockHiveList@0 ; CmpUnlockHiveList()
		mov	ecx, dword_6B1644[edi]
		call	_CmpRecheckHiveVolumePolicy@4 ;	CmpRecheckHiveVolumePolicy(x)
		cmp	byte ptr dword_6B164B[edi], 0
		jz	short loc_88F615
		mov	eax, dword_6B1644[edi]
		mov	ecx, large fs:124h
		or	dword ptr [eax+64h], 20h
		mov	eax, dword_6B1644[edi]
		mov	[eax+9ACh], ecx
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, dword_6B1644[edi]
		push	4
		pop	edx
		call	CmpFlushHive
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	eax, dword_6B1644[edi]
		and	dword ptr [eax+64h], 0FFFFFFDFh
		xor	edx, edx
		mov	eax, dword_6B1644[edi]
		mov	[eax+9ACh], edx
		jmp	short loc_88F617
; 

loc_88F615:				; CODE XREF: CmpFinishSystemHivesLoad(x)+276j
		xor	edx, edx

loc_88F617:				; CODE XREF: CmpFinishSystemHivesLoad(x)+2C5j
		mov	ecx, _CmRmSystem
		test	ecx, ecx
		jz	short loc_88F644
		mov	eax, dword_6B1644[edi]
		test	byte ptr [eax+64h], 2
		jnz	short loc_88F644
		cmp	[eax+9A0h], edx
		jnz	short loc_88F644
		inc	dword ptr [ecx+20h]
		mov	eax, dword_6B1644[edi]
		mov	[eax+9A0h], ecx

loc_88F644:				; CODE XREF: CmpFinishSystemHivesLoad(x)+1EBj
					; CmpFinishSystemHivesLoad(x)+1F9j ...
		mov	ecx, dword_6B1644[edi]
		test	ecx, ecx
		jz	short loc_88F653
		call	CmpAddToHiveFileList

loc_88F653:				; CODE XREF: CmpFinishSystemHivesLoad(x)+2FEj
		mov	byte_6B1648[edi], 1
		cmp	ebx, 3
		jnz	loc_88F6FB
		test	esi, esi
		jnz	loc_88F794
		call	CmpMountPreloadedHives
		call	CmpInterlockedFunction
		lea	esi, dword_6B1680[edi]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		push	0
		push	0
		lea	eax, dword_6B1670[edi]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	ebx
		pop	ecx
		mov	[esp+24Ch+var_23D], 1
		call	_CmpNotifyMachineHiveLoaded@4 ;	CmpNotifyMachineHiveLoaded(x)
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		cmp	byte_6B1738, 0
		jz	loc_88F790
		cmp	_CmFastBoot, 0
		jz	loc_88F790
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_ExpRefreshSystemTime@0	; ExpRefreshSystemTime()
		call	PsBootPhaseComplete

loc_88F6D2:				; CODE XREF: CmpFinishSystemHivesLoad(x)+48Dj
		mov	esi, [esp+24Ch+var_23C]

loc_88F6D6:				; CODE XREF: CmpFinishSystemHivesLoad(x)+44Dj
					; CmpFinishSystemHivesLoad(x)+458j
		push	7
		pop	eax

loc_88F6D9:				; CODE XREF: CmpFinishSystemHivesLoad(x)+196j
		mov	cl, [esp+24Ch+var_23E]

loc_88F6DD:				; CODE XREF: CmpFinishSystemHivesLoad(x)+1ABj
		inc	ebx
		cmp	ebx, eax
		jb	loc_88F4DA
		test	cl, cl
		jz	loc_88F88F
		mov	ebx, [esp+24Ch+var_224]
		mov	edi, [esp+24Ch+var_228]
		jmp	loc_88F4BD
; 

loc_88F6FB:				; CODE XREF: CmpFinishSystemHivesLoad(x)+30Fj
		cmp	ebx, 2
		jnz	short loc_88F769
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		test	esi, esi
		jnz	short loc_88F762
		lea	esi, dword_6B1680[edi]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		push	0
		push	0
		lea	eax, dword_6B1670[edi]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	ebx
		pop	ecx
		mov	[esp+24Ch+var_23D], 1
		call	_CmpNotifyMachineHiveLoaded@4 ;	CmpNotifyMachineHiveLoaded(x)
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		cmp	byte_6B17B0, 0
		jz	short loc_88F759
		cmp	_CmFastBoot, 0
		jz	short loc_88F759
		call	_ExpRefreshSystemTime@0	; ExpRefreshSystemTime()
		call	PsBootPhaseComplete

loc_88F759:				; CODE XREF: CmpFinishSystemHivesLoad(x)+3F6j
					; CmpFinishSystemHivesLoad(x)+3FFj
		call	CmpSetVersionData
		mov	esi, [esp+24Ch+var_23C]

loc_88F762:				; CODE XREF: CmpFinishSystemHivesLoad(x)+3B9j
		call	CmpCreatePerfKeys
		jmp	short loc_88F799
; 

loc_88F769:				; CODE XREF: CmpFinishSystemHivesLoad(x)+3B0j
		cmp	ebx, 1
		jnz	short loc_88F77F
		mov	edx, offset ??_C@_1DE@PHKABCAI@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		mov	ecx, offset ??_C@_1DO@BDGINLPJ@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@

loc_88F778:				; CODE XREF: CmpFinishSystemHivesLoad(x)+440j
		call	CmpLinkKeyToHive
		jmp	short loc_88F794
; 

loc_88F77F:				; CODE XREF: CmpFinishSystemHivesLoad(x)+41Ej
		cmp	ebx, 4
		jnz	short loc_88F794
		mov	edx, offset ??_C@_1DA@PDHFOJA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAU?$AAs?$AAe?$AAr?$AA?2@NNGAKEGL@
		mov	ecx, (offset loc_8B6C79+1)
		jmp	short loc_88F778
; 

loc_88F790:				; CODE XREF: CmpFinishSystemHivesLoad(x)+362j
					; CmpFinishSystemHivesLoad(x)+36Fj
		mov	esi, [esp+24Ch+var_23C]

loc_88F794:				; CODE XREF: CmpFinishSystemHivesLoad(x)+317j
					; CmpFinishSystemHivesLoad(x)+42Fj ...
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_88F799:				; CODE XREF: CmpFinishSystemHivesLoad(x)+419j
		test	esi, esi
		jnz	loc_88F6D6
		cmp	[esp+24Ch+var_23D], 0
		jnz	loc_88F6D6
		lea	esi, dword_6B1680[edi]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		push	0
		push	0
		lea	eax, dword_6B1670[edi]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, ebx
		call	_CmpNotifyMachineHiveLoaded@4 ;	CmpNotifyMachineHiveLoaded(x)
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		jmp	loc_88F6D2
; 

loc_88F7E0:				; CODE XREF: CmpFinishSystemHivesLoad(x)+24Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_88F7E5:				; CODE XREF: CmpFinishSystemHivesLoad(x)+22Aj
		call	_CmpIsShutdownRundownActive@0 ;	CmpIsShutdownRundownActive()
		test	al, al
		jz	loc_88F87F
		and	_CmpMountThread, 0
		mov	_CmpLoadingSystemHivesActive, 0
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	ebx, ebx
		xor	edi, edi

loc_88F809:				; CODE XREF: CmpFinishSystemHivesLoad(x)+528j
		lea	eax, dword_6B1650[edi]
		push	eax
		call	_KeReadStateSemaphore@4	; KeReadStateSemaphore(x)
		test	eax, eax
		jz	short loc_88F86C
		cmp	byte_6B1648[edi], 0
		jnz	short loc_88F86C
		cmp	byte_6B1649[edi], 0
		jnz	short loc_88F83D
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, dword_6B1660[edi]
		push	eax
		call	KeWaitForSingleObject

loc_88F83D:				; CODE XREF: CmpFinishSystemHivesLoad(x)+4DBj
		lea	esi, dword_6B1680[edi]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		push	0
		push	0
		lea	eax, dword_6B1670[edi]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, ebx
		call	_CmpNotifyMachineHiveLoaded@4 ;	CmpNotifyMachineHiveLoaded(x)
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx

loc_88F86C:				; CODE XREF: CmpFinishSystemHivesLoad(x)+4C9j
					; CmpFinishSystemHivesLoad(x)+4D2j
		add	edi, 78h
		inc	ebx
		cmp	edi, 348h
		jb	short loc_88F809
		xor	ebx, ebx
		jmp	loc_88F9A4
; 

loc_88F87F:				; CODE XREF: CmpFinishSystemHivesLoad(x)+49Ej
		lea	eax, [esp+24Ch+var_238]
		push	eax
		push	ebx
		push	ecx
		push	1
		push	73h
		jmp	loc_88FA0A
; 

loc_88F88F:				; CODE XREF: CmpFinishSystemHivesLoad(x)+39Aj
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		xor	ebx, ebx
		mov	ds:_CmpSpecialBootCondition, bl
		call	_CmpInitVirtualEngine@0	; CmpInitVirtualEngine()
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		test	esi, esi
		jz	loc_88F95E
		lea	eax, [esp+24Ch+var_204]
		push	eax
		push	ds:_PsInitialSystemProcess
		call	KeStackAttachProcess
		mov	dl, _CmpInitRmLogOnLoad
		xor	ecx, ecx
		call	CmpInitCmRM
		lea	eax, [esp+24Ch+var_204]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		mov	eax, _CmRmSystem
		test	eax, eax
		jz	short loc_88F8F8
		push	eax
		push	offset _CmKtmNotification@28 ; CmKtmNotification(x,x,x,x,x,x,x)
		push	dword ptr [eax+1Ch]
		call	ds:__imp__TmEnableCallbacks@12 ; TmEnableCallbacks(x,x,x)
		mov	ecx, _CmRmSystem
		call	CmRmFinalizeRecovery

loc_88F8F8:				; CODE XREF: CmpFinishSystemHivesLoad(x)+58Ej
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		call	CmpMountPreloadedHives
		call	CmpInterlockedFunction
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		push	7
		mov	edi, ebx
		mov	esi, offset dword_6B1680
		pop	ebx

loc_88F916:				; CODE XREF: CmpFinishSystemHivesLoad(x)+5F5j
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		push	0
		push	0
		lea	eax, [esi-10h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, edi
		call	_CmpNotifyMachineHiveLoaded@4 ;	CmpNotifyMachineHiveLoaded(x)
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		inc	edi
		add	esi, 78h
		sub	ebx, 1
		jnz	short loc_88F916
		cmp	_CmFastBoot, ebx
		jz	short loc_88F957
		call	_ExpRefreshSystemTime@0	; ExpRefreshSystemTime()
		call	PsBootPhaseComplete

loc_88F957:				; CODE XREF: CmpFinishSystemHivesLoad(x)+5FDj
		call	CmpSetVersionData
		xor	ebx, ebx

loc_88F95E:				; CODE XREF: CmpFinishSystemHivesLoad(x)+55Aj
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+268h+var_228]
		mov	[esp+268h+var_228], 18h
		push	eax
		push	2
		lea	eax, [esp+270h+var_23C]
		mov	[esp+270h+var_224], ebx
		push	eax
		mov	[esp+274h+var_21C], 240h
		mov	[esp+274h+var_220], offset _CmpConfigurationManagerKeyName
		mov	[esp+274h+var_218], ebx
		mov	[esp+274h+var_214], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_88F9A4
		push	[esp+258h+var_23C]
		call	_ZwClose@4	; ZwClose(x)

loc_88F9A4:				; CODE XREF: CmpFinishSystemHivesLoad(x)+52Cj
					; CmpFinishSystemHivesLoad(x)+64Bj
		mov	eax, [esp+258h+var_248]
		mov	ds:_CmpSpecialBootCondition, bl
		mov	_CmpLoadingSystemHivesActive, bl
		mov	_CmpMountThread, ebx
		test	eax, eax
		jz	short loc_88F9C6
		push	ebx
		push	ebx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_88F9C6:				; CODE XREF: CmpFinishSystemHivesLoad(x)+66Ej
		mov	eax, [esp+258h+var_238]
		test	eax, eax
		jz	short loc_88F9D5
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_88F9D5:				; CODE XREF: CmpFinishSystemHivesLoad(x)+67Ej
		mov	ecx, [esp+258h+var_234]
		call	_CmpFreePool@4	; CmpFreePool(x)
		mov	ecx, [esp+258h+var_230]
		call	_CmpFreePool@4	; CmpFreePool(x)
		mov	ecx, [esp+258h+var_1C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_88F9FE:				; CODE XREF: CmpFinishSystemHivesLoad(x)+B1j
		push	0C000009Ah
		push	ebx
		push	4

loc_88FA06:				; CODE XREF: CmpFinishSystemHivesLoad(x)+D7j
		push	2
		push	74h

loc_88FA0A:				; CODE XREF: CmpFinishSystemHivesLoad(x)+53Cj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_CmpFinishSystemHivesLoad@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpLinkKeyToHive proc near		; CODE XREF: CmpFinishSystemHivesLoad(x):loc_88F778p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092A277 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_18]
		push	ecx
		push	eax
		mov	esi, edx
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_18]
		mov	[ebp+var_30], 18h
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	3
		push	edi
		push	edi
		lea	eax, [ebp+var_30]
		mov	[ebp+var_2C], edi
		push	eax
		push	20h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_24], 240h
		push	eax
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_88FAB2
		cmp	[ebp+var_8], 1
		jnz	loc_92A277
		push	esi
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, word ptr [ebp+var_10]
		push	eax
		push	[ebp+var_C]
		push	6
		push	edi
		push	offset _CmSymbolicLinkValueName
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_88FAB2
		mov	al, 1

loc_88FAAE:				; CODE XREF: CmpLinkKeyToHive+A4j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_88FAB2:				; CODE XREF: CmpLinkKeyToHive+60j
					; CmpLinkKeyToHive+9Aj	...
		xor	al, al
		jmp	short loc_88FAAE
CmpLinkKeyToHive endp


;  S U B	R O U T	I N E 


; __stdcall CmpInitVirtualEngine()
_CmpInitVirtualEngine@0	proc near	; CODE XREF: CmpFinishSystemHivesLoad(x)+54Ep
		cmp	ds:_CmpShareSystemHives, 0
		jnz	short loc_88FACF
		cmp	_CmVEEnabled, 1
		setz	al

loc_88FAC9:				; CODE XREF: CmpInitVirtualEngine()+1Bj
		mov	_CmpVEEnabled, al
		retn
; 

loc_88FACF:				; CODE XREF: CmpInitVirtualEngine()+7j
		xor	al, al
		jmp	short loc_88FAC9
_CmpInitVirtualEngine@0	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCreatePerfKeys proc near		; CODE XREF: CmpFinishSystemHivesLoad(x):loc_88F762p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= word ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092A284 SIZE 0000007A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_2C], 18h
		push	esi
		push	edi
		mov	[ebp+var_14], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	20006h
		lea	eax, [ebp+var_14]
		mov	[ebp+var_20], 240h
		push	eax
		mov	[ebp+var_24], offset _CmpPerflibPathString
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_88FB5E
		mov	ecx, [ebp+var_14]
		mov	edx, offset ??_C@_17JGEJMDGN@?$AA0?$AA0?$AA9@NNGAKEGL@ ; "009"
		push	80000050h
		call	_CmpCreatePredefined@12	; CmpCreatePredefined(x,x,x)
		mov	ecx, [ebp+var_14]
		mov	edi, 80000060h
		push	edi
		mov	edx, offset ??_C@_1CA@KOOGNCIL@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@NNGAKEGL@
		call	_CmpCreatePredefined@12	; CmpCreatePredefined(x,x,x)
		cmp	ds:_PsDefaultSystemLocaleId, 409h
		jnz	loc_92A284

loc_88FB56:				; CODE XREF: CmpCreatePerfKeys+9A825j
		push	[ebp+var_14]
		call	_ZwClose@4	; ZwClose(x)

loc_88FB5E:				; CODE XREF: CmpCreatePerfKeys+4Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpCreatePerfKeys endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCreatePredefined(x, x, x)
_CmpCreatePredefined@12	proc near	; CODE XREF: CmpCreatePerfKeys+5Ap
					; CmpCreatePerfKeys+6Dp ...

var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_B0		= dword	ptr -0B0h
var_9C		= dword	ptr -9Ch
var_88		= dword	ptr -88h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	0B4h		; size_t
		push	eax		; int
		mov	[ebp+var_D0], eax
		mov	edi, edx
		mov	[ebp+var_CC], eax
		mov	ebx, ecx
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_C4]
		push	eax		; void *
		call	_memset
		or	[ebp+var_88], 0FFFFFFFFh
		lea	eax, [ebp+var_6C]
		add	esp, 0Ch
		mov	[ebp+var_68], eax
		xor	ecx, ecx
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_48]
		push	38h		; size_t
		push	ecx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_B0], 1000001h
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_C4], 21h
		mov	[ebp+var_9C], esi
		push	edi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, ds:_CmKeyObjectType
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_E0], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_E4], ebx
		xor	ebx, ebx
		push	eax
		mov	[ebp+var_E8], 18h
		mov	[ebp+var_DC], 240h
		mov	[ebp+var_D8], ebx
		mov	[ebp+var_D4], ebx
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		lea	eax, [ebp+var_C4]
		push	eax
		push	20019h
		push	ebx
		push	ebx
		push	esi
		lea	eax, [ebp+var_E8]
		push	eax
		call	ObOpenObjectByNameEx
		test	eax, eax
		js	short loc_88FC88
		push	ebx
		lea	eax, [ebp+var_EC]
		push	eax
		push	ebx
		push	ds:_CmKeyObjectType
		push	ebx
		push	[ebp+var_C8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[ebp+var_C8]
		call	_ZwClose@4	; ZwClose(x)

loc_88FC88:				; CODE XREF: CmpCreatePredefined(x,x,x)+F4j
		xor	dl, dl
		lea	ecx, [ebp+var_C4]
		call	CmpCleanupParseContext
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpCreatePredefined@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpSetVersionData proc near		; CODE XREF: CmpFinishSystemHivesLoad(x):loc_88F759p
					; CmpFinishSystemHivesLoad(x):loc_88F957p

var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092A2FE SIZE 000000B9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi		; struct _exception *
		xor	esi, esi
		lea	edi, [ebp+var_1B4]
		push	6
		pop	ecx
		push	220h		; size_t
		xor	eax, eax
		mov	[ebp+var_1BC], esi
		push	esi		; int
		rep stosd
		push	offset _CmpEditionVersion ; void *
		mov	[ebp+var_1B8], esi
		mov	[ebp+var_1C4], esi
		mov	[ebp+var_1C0], esi
		mov	[ebp+var_194], esi
		mov	[ebp+var_190], esi
		mov	[ebp+var_18C], esi
		mov	[ebp+var_19C], esi
		mov	[ebp+var_198], esi
		call	_memset
		add	esp, 0Ch
		call	CmpHiveRootSecurityDescriptor
		mov	ebx, eax
		mov	edi, offset _VersionDataKeys
		cmp	_VersionDataKeys, esi
		jz	loc_890076
		mov	eax, 14Ch

loc_88FD33:				; CODE XREF: CmpSetVersionData+3CAj
		cmp	[edi+8], ax
		jnz	loc_89006B
		push	dword ptr [edi]
		lea	eax, [ebp+var_1C4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		push	esi
		push	offset _nullclass
		lea	eax, [ebp+var_1C4]
		mov	[ebp+var_1B4], 18h
		mov	[ebp+var_1AC], eax
		lea	eax, [ebp+var_1B4]
		push	esi
		push	eax
		push	4
		lea	eax, [ebp+var_18C]
		mov	[ebp+var_1B0], esi
		push	eax
		mov	[ebp+var_1A8], 240h
		mov	[ebp+var_1A4], ebx
		mov	[ebp+var_1A0], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_890090
		mov	eax, [ebp+var_18C]
		push	esi
		push	esi
		push	offset _nullclass
		mov	[ebp+var_1B0], eax
		lea	eax, [ebp+var_1B4]
		push	esi
		push	eax
		push	2
		lea	eax, [ebp+var_19C]
		mov	[ebp+var_1B4], 18h
		push	eax
		mov	[ebp+var_1A8], 240h
		mov	[ebp+var_1AC], (offset loc_A3F5FF+1)
		mov	[ebp+var_1A4], ebx
		mov	[ebp+var_1A0], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	[ebp+var_18C]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_8900A6
		mov	eax, [ebp+var_19C]
		mov	[ebp+var_1B0], eax
		xor	eax, eax
		push	eax
		push	eax
		push	offset _nullclass
		push	eax
		mov	[ebp+var_1A0], eax
		lea	eax, [ebp+var_1B4]
		push	eax
		push	3
		lea	eax, [ebp+var_18C]
		mov	[ebp+var_1B4], 18h
		push	eax
		mov	[ebp+var_1A8], 240h
		mov	[ebp+var_1AC], (offset loc_A3F657+1)
		mov	[ebp+var_1A4], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	[ebp+var_19C]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_8900A6
		mov	eax, 14Ch
		cmp	[edi+8], ax
		jnz	short loc_88FE98
		mov	edx, [ebp+var_18C]
		mov	ecx, offset _CmpEditionVersion
		push	ebx
		call	CmpQueryEditionVersion
		test	eax, eax
		jns	loc_92A2FE

loc_88FE98:				; CODE XREF: CmpSetVersionData+1D7j
					; CmpSetVersionData+9A67Aj
		movzx	eax, _CmVersionString
		xor	esi, esi
		add	eax, 2
		push	eax
		push	dword_6CE784
		push	1
		push	esi
		push	(offset	loc_A3F657+1)
		push	[ebp+var_18C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	4
		lea	eax, [ebp+var_198]
		mov	[ebp+var_198], 0Ah
		push	eax
		push	4
		push	esi
		push	(offset	loc_A3F64F+1)
		push	[ebp+var_18C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	4
		lea	eax, [ebp+var_198]
		mov	[ebp+var_198], esi
		push	eax
		push	4
		push	esi
		push	offset _CmpCurrentMinorVersionString
		push	[ebp+var_18C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	[ebp+var_198], esi
		cmp	_CmpEditionVersion, esi
		jnz	loc_92A325

loc_88FF18:				; CODE XREF: CmpSetVersionData+9A68Fj
		push	offset ??_C@_04HJMOFLDF@Free@NNGAKEGL@ ; "Free"
		push	offset ??_C@_0P@LCEDEPJL@Multiprocessor@NNGAKEGL@ ; "Multiprocessor"
		push	offset ??_C@_05DNIIFBMG@?$CFs?5?$CFs@NNGAKEGL@
		lea	eax, [ebp+var_88]
		push	80h
		push	eax
		call	_sprintf_s
		add	esp, 14h
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_1BC]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		lea	eax, [ebp+var_188]
		mov	[ebp+var_194], 1000000h
		mov	[ebp+var_190], eax
		lea	eax, [ebp+var_1BC]
		push	esi
		push	eax
		lea	eax, [ebp+var_194]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	short loc_88FFBF
		movzx	eax, word ptr [ebp+var_194]
		add	eax, 2
		push	eax
		push	[ebp+var_190]
		push	1
		push	esi
		push	(offset	loc_A3F65F+1)
		push	[ebp+var_18C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	ax, word ptr _CmCSDVersionString
		test	ax, ax
		jnz	loc_92A33A
		push	(offset	loc_A3F6A7+1)
		push	[ebp+var_18C]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_88FFBF:				; CODE XREF: CmpSetVersionData+2D4j
					; CmpSetVersionData+9A6CEj
		mov	eax, _CmNtSpBuildNumber
		test	eax, eax
		jz	loc_92A3A2
		push	eax
		push	offset ??_C@_02GMHACPFF@?$CFu@NNGAKEGL@
		lea	eax, [ebp+var_88]
		push	80h
		push	eax
		call	_sprintf_s
		add	esp, 10h
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_1BC]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		lea	eax, [ebp+var_188]
		mov	[ebp+var_194], 1000000h
		mov	[ebp+var_190], eax
		lea	eax, [ebp+var_1BC]
		push	esi
		push	eax
		lea	eax, [ebp+var_194]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	loc_92A379

loc_89002B:				; CODE XREF: CmpSetVersionData+9A6F7j
					; CmpSetVersionData+9A70Cj
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		movzx	ecx, word ptr [eax+26Ch]
		add	ecx, 2
		push	ecx
		push	dword ptr [eax+270h]
		push	1
		push	esi
		push	(offset	loc_A3F607+1)
		push	[ebp+var_18C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_18C]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, 14Ch

loc_89006B:				; CODE XREF: CmpSetVersionData+91j
		add	edi, 0Ch
		cmp	[edi], esi
		jnz	loc_88FD33

loc_890076:				; CODE XREF: CmpSetVersionData+82j
		mov	eax, dword_6CE76C
		test	eax, eax
		jz	short loc_890085
		push	eax
		call	_ExFreePool@4	; ExFreePool(x)

loc_890085:				; CODE XREF: CmpSetVersionData+3D7j
		push	esi
		push	offset _CmCSDVersionString
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_890090:				; CODE XREF: CmpSetVersionData+F6j
					; CmpSetVersionData+402j
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8900A6:				; CODE XREF: CmpSetVersionData+15Ej
					; CmpSetVersionData+1C8j
		xor	esi, esi
		jmp	short loc_890090
CmpSetVersionData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpQueryEditionVersion proc near	; CODE XREF: CmpSetVersionData+1E5p

var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092A3B7 SIZE 00000315 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 138h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	100h		; size_t
		push	eax		; int
		mov	[ebp+var_114], eax
		mov	edi, edx
		mov	[ebp+var_110], eax
		mov	ebx, ecx
		lea	eax, [ebp+var_10C]
		push	eax		; void *
		call	_memset
		push	220h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		and	[ebp+var_124], 0
		lea	eax, [ebp+var_138]
		add	esp, 18h
		mov	[ebp+var_134], edi
		xor	edi, edi
		mov	[ebp+var_138], 18h
		inc	edi
		mov	[ebp+var_12C], 240h
		mov	[ebp+var_130], offset _CmpEditionVersionString
		push	eax
		push	edi
		lea	eax, [ebp+var_114]
		mov	[ebp+var_128], esi
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	loc_92A3B7

loc_890149:				; CODE XREF: CmpQueryEditionVersion+9A61Dj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
CmpQueryEditionVersion endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpHiveRootSecurityDescriptor proc near	; CODE XREF: CmpFinishSystemHivesLoad(x):loc_88F42Ap
					; CmpSetVersionData+70p ...

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= word ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= byte ptr -78h
var_77		= byte ptr -77h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= word ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_34		= dword	ptr -34h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092A6CC SIZE 00000059 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	18h
		pop	eax
		push	1Ah
		mov	word ptr [ebp+var_94], ax
		mov	edi, 20204D43h
		pop	eax
		push	edi
		xor	ebx, ebx
		mov	word ptr [ebp+var_94+2], ax
		xor	eax, eax
		mov	[ebp+var_90], offset ??_C@_1BK@KMMANFGK@?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAR?$AAe?$AAa?$AAd@NNGAKEGL@ ; "registryRead"
		inc	ebx
		mov	[ebp+var_7C], eax
		push	0Ch
		push	ebx
		mov	[ebp+var_78], al
		mov	[ebp+var_77], bl
		mov	[ebp+var_6C], eax
		mov	[ebp+var_68], 500h
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], 0F00h
		mov	[ebp+var_64], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	edi
		push	0Ch
		push	ebx
		mov	[ebp+var_74], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	edi
		push	0Ch
		mov	esi, eax
		push	ebx
		mov	[ebp+var_88], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	edi
		push	10h
		push	ebx
		mov	[ebp+var_70], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	edi
		push	10h
		push	1
		mov	ebx, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_74]
		mov	[ebp+var_8C], edi
		test	eax, eax
		jz	loc_92A6D4
		test	esi, esi
		jz	loc_92A6D4
		cmp	[ebp+var_70], 0
		jz	loc_92A6D4
		test	ebx, ebx
		jz	loc_92A6D4
		test	edi, edi
		jz	loc_92A6D4
		push	1
		lea	ecx, [ebp+var_7C]
		push	ecx
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_92A71D
		push	1
		lea	eax, [ebp+var_6C]
		push	eax
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_92A71D
		push	1
		lea	eax, [ebp+var_6C]
		push	eax
		push	[ebp+var_70]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_92A71D
		push	2
		lea	eax, [ebp+var_6C]
		push	eax
		push	ebx
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_92A71D
		push	2
		lea	eax, [ebp+var_84]
		push	eax
		push	edi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_92A71D
		push	0
		push	[ebp+var_74]
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	0
		push	esi
		and	dword ptr [eax], 0
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	0
		push	[ebp+var_70]
		mov	dword ptr [eax], 0Ch
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	0
		push	ebx
		mov	dword ptr [eax], 12h
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	1
		push	ebx
		mov	dword ptr [eax], 20h
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	0
		push	edi
		mov	dword ptr [eax], 220h
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	1
		push	edi
		mov	dword ptr [eax], 2
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 1
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_94]
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_92A6CC
		movzx	eax, byte ptr [ebx+1]
		movzx	ecx, byte ptr [edi+1]
		add	ecx, eax
		mov	eax, [ebp+var_70]
		push	20204D43h
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		movzx	eax, byte ptr [esi+1]
		add	ecx, eax
		mov	eax, [ebp+var_74]
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_34+1]
		add	ecx, eax
		lea	eax, ds:68h[ecx*4]
		push	eax
		push	1
		mov	[ebp+var_6C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_92A6E3
		push	2		; int
		push	[ebp+var_6C]	; size_t
		push	esi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	0
		test	eax, eax
		js	loc_92A6EB
		push	[ebp+var_70]
		mov	ecx, esi
		push	0F003Fh
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_92A716
		push	0
		push	ebx
		push	0F003Fh
		push	0
		push	2
		pop	edx
		mov	ecx, esi
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_92A716
		push	0
		push	[ebp+var_74]
		mov	ecx, esi
		push	20019h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_92A716
		push	0
		push	[ebp+var_88]
		mov	ecx, esi
		push	20019h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_92A716
		push	0
		push	edi
		mov	edi, 20019h
		mov	ecx, esi
		push	edi
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_92A716
		push	0
		lea	eax, [ebp+var_34]
		mov	ecx, esi
		push	eax
		push	edi
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_92A716
		lea	eax, [ebp+var_64]
		push	eax
		push	0
		push	esi
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	eax, [ebp+var_64]
		or	byte ptr [eax+1], 2
		lea	eax, [ebp+var_64]
		push	eax
		push	1
		push	esi
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	eax, [ebp+var_64]
		or	byte ptr [eax+1], 2
		lea	eax, [ebp+var_64]
		push	eax
		push	2
		push	esi
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	eax, [ebp+var_64]
		or	byte ptr [eax+1], 2
		lea	eax, [ebp+var_64]
		push	eax
		push	3
		push	esi
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	eax, [ebp+var_64]
		or	byte ptr [eax+1], 2
		lea	eax, [ebp+var_64]
		push	eax
		push	4
		push	esi
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	eax, [ebp+var_64]
		or	byte ptr [eax+1], 2
		lea	eax, [ebp+var_64]
		push	eax
		push	5
		push	esi
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	eax, [ebp+var_64]
		push	20204D43h
		or	byte ptr [eax+1], 2
		mov	eax, [ebp+var_6C]
		add	eax, 14h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_92A6F0
		push	[ebp+var_6C]	; size_t
		lea	eax, [edi+14h]
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	1
		push	edi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	[ebp+var_6C], eax
		push	0
		test	eax, eax
		js	loc_92A6F8
		lea	eax, [edi+14h]
		push	eax
		push	1
		push	edi
		call	RtlSetDaclSecurityDescriptor
		mov	[ebp+var_6C], eax
		push	0
		test	eax, eax
		js	loc_92A707
		push	[ebp+var_74]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	[ebp+var_88]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	[ebp+var_70]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	[ebp+var_8C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpHiveRootSecurityDescriptor endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsBootPhaseComplete proc near		; CODE XREF: CmpFinishSystemHivesLoad(x)+37Fp
					; CmpFinishSystemHivesLoad(x)+406p ...

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= word ptr -28h
var_26		= word ptr -26h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_1A		= word ptr -1Ah
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= word ptr -10h
var_E		= word ptr -0Eh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092A725 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi		; struct _exception *
		xor	eax, eax
		mov	[ebp+var_64], (offset loc_840081+1)
		push	18h
		pop	esi
		push	1Ah
		lea	edi, [ebp+var_38]
		mov	[ebp+var_60], offset ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@	; "\\Registry\\Machine\\SYSTEM\\CurrentControl"...
		stosd
		xor	ebx, ebx
		mov	edx, offset ??_C@_1CE@KAIDKDBK@?$AAD?$AAe?$AAv?$AAO?$AAv?$AAe?$AAr?$AAr?$AAi?$AAd?$AAe?$AAE?$AAn?$AAa?$AAb@NNGAKEGL@
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		mov	word ptr [ebp+var_6C], si
		stosd
		mov	[ebp+var_68], offset ??_C@_1BK@ICAHHPJE@?$AAU?$AAA?$AAC?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAe?$AAd@NNGAKEGL@
		mov	[ebp+var_74], offset loc_980096
		mov	[ebp+var_70], offset ??_C@_1JI@FLCAMDIB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@	; "\\Registry\\Machine\\Software\\Microsoft\\Wi"...
		stosd
		mov	[ebp+var_24], offset ??_C@_1BE@PBGLAGDD@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAL?$AAU?$AAA@NNGAKEGL@	; "EnableLUA"
		mov	[ebp+var_20], 1
		mov	[ebp+var_18], offset ??_C@_1CK@KFCEJEJF@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAi?$AAz@NNGAKEGL@ ;	"EnableVirtualization"
		stosd
		pop	eax
		push	12h
		mov	word ptr [ebp+var_6C+2], ax
		pop	eax
		push	14h
		mov	[ebp+var_28], ax
		pop	eax
		push	28h
		mov	[ebp+var_26], ax
		pop	eax
		push	2Ah
		mov	[ebp+var_1C], ax
		pop	eax
		push	30h
		mov	[ebp+var_1A], ax
		pop	eax
		push	32h
		mov	[ebp+var_10], ax
		pop	eax
		push	3
		pop	edi
		sub	esp, 0Ch
		mov	[ebp+var_E], ax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_14], 2
		mov	[ebp+var_C], offset ??_C@_1DC@PMGBICCE@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAe?$AAr@NNGAKEGL@ ; "E"
		mov	[ebp+var_8], edi
		push	eax
		push	ecx
		mov	[ebp+var_44], ebx
		call	RtlQueryImageFileExecutionOptions
		test	eax, eax
		jns	loc_92A725

loc_890605:				; CODE XREF: PsBootPhaseComplete+9A1FEj
		sub	esp, 0Ch
		mov	edx, offset ??_C@_1CC@OLECMBJN@?$AAM?$AAa?$AAx?$AAL?$AAo?$AAa?$AAd?$AAe?$AAr?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd@NNGAKEGL@
		push	offset _PsDefaultLoaderThreads
		push	ecx
		call	RtlQueryImageFileExecutionOptions
		sub	esp, 0Ch
		mov	edx, offset ??_C@_1EA@DIFBALL@?$AAN?$AAo?$AAR?$AAe?$AAm?$AAo?$AAt?$AAe?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd?$AAB@NNGAKEGL@ ; "NoRemoteThreadBeforeProcessInit"
		push	offset _PsNoRemoteThreadBeforeProcessInit
		push	ecx
		call	RtlQueryImageFileExecutionOptions
		lea	eax, [ebp+var_64]
		mov	[ebp+var_5C], esi
		mov	[ebp+var_54], eax
		xor	esi, esi
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_58], esi
		push	eax
		push	1
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_50], 240h
		push	eax
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_89072A
		lea	eax, [ebp+var_44]
		push	eax
		push	10h
		lea	eax, [ebp+var_38]
		push	eax
		push	2
		lea	eax, [ebp+var_6C]
		push	eax
		push	[ebp+var_3C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_89068C
		cmp	[ebp+var_34], 4
		jnz	short loc_89068C
		cmp	[ebp+var_30], 4
		jnz	short loc_89068C
		cmp	[ebp+var_2C], ebx
		jz	short loc_89068C
		mov	bl, 1

loc_89068C:				; CODE XREF: PsBootPhaseComplete+139j
					; PsBootPhaseComplete+13Fj ...
		push	esi
		push	[ebp+var_3C]
		call	ObCloseHandle
		mov	[ebp+var_3C], esi
		test	bl, bl
		jz	loc_89072A
		lea	eax, [ebp+var_74]
		mov	[ebp+var_5C], 18h
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	1
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_58], esi
		push	eax
		mov	[ebp+var_50], 240h
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_92A741
		mov	ecx, [ebp+var_3C]

loc_8906D9:				; CODE XREF: PsBootPhaseComplete+9A208j
		lea	esi, [ebp+var_20]

loc_8906DC:				; CODE XREF: PsBootPhaseComplete+1DFj
		test	ecx, ecx
		jz	short loc_8906FB
		lea	eax, [ebp+var_44]
		push	eax
		push	10h
		lea	eax, [ebp+var_38]
		push	eax
		push	2
		lea	eax, [esi-8]
		push	eax
		push	ecx
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	ecx, [ebp+var_3C]
		mov	edx, eax

loc_8906FB:				; CODE XREF: PsBootPhaseComplete+1A0j
		test	edx, edx
		js	short loc_890709
		cmp	[ebp+var_2C], 0
		jz	loc_92A74B

loc_890709:				; CODE XREF: PsBootPhaseComplete+1BFj
					; PsBootPhaseComplete+9A211j ...
		mov	eax, [esi]
		mov	ecx, 0FFDF02F0h
		lock bts [ecx],	eax
		mov	ecx, [ebp+var_3C]

loc_890717:				; CODE XREF: PsBootPhaseComplete+9A221j
		add	esi, 0Ch
		sub	edi, 1
		jnz	short loc_8906DC
		test	ecx, ecx
		jz	short loc_89072A
		push	edi
		push	ecx
		call	ObCloseHandle

loc_89072A:				; CODE XREF: PsBootPhaseComplete+119j
					; PsBootPhaseComplete+15Cj ...
		call	PspIsDfssEnabled
		mov	ds:_PsCpuFairShareEnabled, al
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	esi, eax
		call	_PspQueryForwardersEnabled@0 ; PspQueryForwardersEnabled()
		mov	ecx, [ebp+var_4]
		mov	[esi+260h], al
		xor	ecx, ebp
		mov	eax, ds:_PspGlobalFlags
		and	eax, 0FFFFFFF7h
		pop	edi
		or	eax, 4
		pop	esi
		mov	ds:_PspGlobalFlags, eax
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PsBootPhaseComplete endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlQueryImageFileExecutionOptions proc near ; CODE XREF: PsBootPhaseComplete+BAp
					; PsBootPhaseComplete+D5p ...

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092A764 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	ecx, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, edx
		call	@RtlpOpenBaseImageFileOptionsKey@4 ; RtlpOpenBaseImageFileOptionsKey(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8907A9
		push	0
		push	4
		push	[ebp+arg_4]
		push	4
		push	edi
		push	[ebp+var_4]
		call	RtlQueryImageFileKeyOption
		cmp	_RtlpDisableIFEOCaching, 0
		mov	esi, eax
		jnz	loc_92A764

loc_8907A9:				; CODE XREF: RtlQueryImageFileExecutionOptions+1Aj
					; RtlQueryImageFileExecutionOptions+9A000j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	14h
RtlQueryImageFileExecutionOptions endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpRefreshSystemTime()
_ExpRefreshSystemTime@0	proc near	; CODE XREF: CmpFinishSystemHivesLoad(x)+37Ap
					; CmpFinishSystemHivesLoad(x)+401p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_20], eax
		lea	edi, [ebp+var_14]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		stosd
		stosd
		stosd
		stosd
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	cl, 1
		mov	esi, [eax+268h]
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		mov	bl, _ExpSystemIsInCmosMode
		lea	eax, [ebp+var_14]
		push	eax
		call	ds:__imp__HalQueryRealTimeClock@4 ; HalQueryRealTimeClock(x)
		test	al, al
		jz	short loc_890885
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlTimeFieldsToTime@8 ; RtlTimeFieldsToTime(x,x)
		test	al, al
		jz	short loc_890885
		mov	edi, [esi+1B4h]
		xor	cl, cl
		call	_ExpRefreshTimeZoneInformation@4 ; ExpRefreshTimeZoneInformation(x)
		test	al, al
		jz	short loc_890885
		cmp	edi, [esi+1B4h]
		jz	short loc_890885
		lea	eax, [ebp+var_20]
		push	eax
		call	KeQuerySystemTime
		cmp	_ExpRealTimeIsUniversal, 0
		jnz	short loc_89086C
		test	bl, bl
		jnz	short loc_8908A3
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_ExSystemTimeToLocalTime@8 ; ExSystemTimeToLocalTime(x,x)
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		lea	eax, [ebp+var_14]
		push	eax
		call	ds:__imp__HalSetRealTimeClock@4	; HalSetRealTimeClock(x)

loc_89086C:				; CODE XREF: ExpRefreshSystemTime()+90j
		mov	eax, [ebp+var_20]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_24], eax

loc_890878:				; CODE XREF: ExpRefreshSystemTime()+10Bj
		push	3
		lea	edx, [ebp+var_20]
		lea	ecx, [ebp+var_28]
		call	_PoNotifySystemTimeSet@12 ; PoNotifySystemTimeSet(x,x,x)

loc_890885:				; CODE XREF: ExpRefreshSystemTime()+54j
					; ExpRefreshSystemTime()+65j ...
		mov	ecx, offset _ExpTimeRefreshLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8908A3:				; CODE XREF: ExpRefreshSystemTime()+94j
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		call	_ExLocalTimeToSystemTime@8 ; ExLocalTimeToSystemTime(x,x)
		push	0
		lea	edx, [ebp+var_20]
		lea	ecx, [ebp+var_28]
		call	_KeSetSystemTime@12 ; KeSetSystemTime(x,x,x)
		jmp	short loc_890878
_ExpRefreshSystemTime@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInterlockedFunction proc near	; CODE XREF: CmpFinishSystemHivesLoad(x)+322p
					; CmpFinishSystemHivesLoad(x)+5B4p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_C		= byte ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092A771 SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	18h
		pop	esi
		xor	edi, edi
		mov	[ebp+var_44], esi
		lea	eax, [ebp+var_44]
		mov	[ebp+var_24], edi
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_24]
		mov	[ebp+var_1C], edi
		mov	ebx, 240h
		mov	[ebp+var_2C], edi
		push	eax
		mov	[ebp+var_28], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_3C], offset _CmRegistryMachineSystemCurrentControlSet
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_8909C2
		mov	eax, [ebp+var_24]
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_44], esi
		push	eax
		mov	[ebp+var_38], ebx
		mov	[ebp+var_3C], (offset loc_A3F6B7+1)
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		push	[ebp+var_24]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_8909C0
		push	offset ??_C@_1CC@PLGBKPMK@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo@LBKOJDO@ ; "ProcessorControl"
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_48]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		push	4
		pop	ebx
		test	esi, esi
		js	loc_92A780
		movzx	ecx, [ebp+var_C]
		mov	[ebp+var_20], ecx
		cmp	ecx, 2
		jnz	loc_92A771

loc_89099A:				; CODE XREF: CmpInterlockedFunction+99EE2j
		push	1
		push	edi
		mov	edx, offset _KeOptimizeProcessorControlState@8 ; KeOptimizeProcessorControlState(x,x)
		mov	ecx, offset _KeActiveProcessors
		call	_KeGenericProcessorCallback@16 ; KeGenericProcessorCallback(x,x,x,x)
		push	2
		pop	eax
		cmp	[ebp+var_20], eax
		jnz	loc_92A7A7

loc_8909B8:				; CODE XREF: CmpInterlockedFunction+99EBBj
					; CmpInterlockedFunction+99EFDj
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_8909C0:				; CODE XREF: CmpInterlockedFunction+95j
		mov	eax, esi

loc_8909C2:				; CODE XREF: CmpInterlockedFunction+58j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpInterlockedFunction endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpMountPreloadedHives proc near	; CODE XREF: CmpFinishSystemHivesLoad(x)+31Dp
					; CmpFinishSystemHivesLoad(x)+5AFp

var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092A7C2 SIZE 000004B3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [ebp+var_178]
		push	edi
		push	154h		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_1BC], ebx
		mov	[ebp+var_1CC], ebx
		mov	[ebp+var_1C8], ebx
		mov	[ebp+var_180], ebx
		mov	[ebp+var_17C], ebx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_1C0], ebx
		xor	eax, eax
		mov	[ebp+var_1A8], ebx
		lea	edi, [ebp+var_1C]
		mov	[ebp+var_1C4], ebx
		mov	[ebp+var_1AC], ebx
		push	6
		pop	ecx
		rep stosd
		push	62534D43h
		mov	eax, 1000h
		mov	[ebp+var_1A0], ebx
		push	eax
		push	1
		mov	[ebp+var_1A4], ebx
		mov	[ebp+var_19C], ebx
		mov	[ebp+var_1B8], ebx
		mov	[ebp+var_1B4], ebx
		mov	[ebp+var_198], ebx
		mov	[ebp+var_194], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_1B0], edx
		test	edx, edx
		jz	loc_92A7C2
		mov	edi, _CmpPreloadedHivesList

loc_890A93:				; CODE XREF: CmpMountPreloadedHives+9A282j
		cmp	edi, offset _CmpPreloadedHivesList
		jnz	loc_92A837
		push	ebx
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpMountPreloadedHives endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpAdminSystemSecurityDescriptor proc near ; CODE XREF:	CmInitSystem1(x)+17Dp

var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092AC75 SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, 20204D43h
		mov	[ebp+var_8], 500h
		push	edi
		xor	esi, esi
		xor	eax, eax
		push	0Ch
		inc	esi
		mov	[ebp+var_C], eax
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	edi
		push	10h
		push	esi
		mov	ebx, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	ebx, ebx
		jz	loc_92AC7D
		test	edi, edi
		jz	loc_92AC7D
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_92ACBD
		push	2
		lea	eax, [ebp+var_C]
		push	eax
		push	edi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_92ACBD
		push	0
		push	ebx
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	0
		push	edi
		mov	dword ptr [eax], 12h
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	esi
		push	edi
		mov	dword ptr [eax], 20h
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	20204D43h
		mov	dword ptr [eax], 220h
		movzx	eax, byte ptr [ebx+1]
		movzx	ecx, byte ptr [edi+1]
		add	ecx, eax
		lea	eax, ds:28h[ecx*4]
		push	eax
		push	esi
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], esi
		test	esi, esi
		jz	loc_92AC75
		push	2		; int
		push	[ebp+var_4]	; size_t
		push	esi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	0
		test	eax, eax
		js	loc_92AC8B
		push	ebx
		push	1F01FFh
		push	0
		push	2
		pop	edx
		mov	ecx, esi
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_92ACB6
		push	0
		push	edi
		push	1F01FFh
		push	0
		push	2
		pop	edx
		mov	ecx, esi
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_92ACB6
		mov	eax, [ebp+var_4]
		push	20204D43h
		add	eax, 14h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_92AC90
		push	[ebp+var_4]	; size_t
		lea	eax, [esi+14h]
		push	[ebp+var_C]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	1
		push	esi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	[ebp+var_4], eax
		push	0
		test	eax, eax
		js	loc_92AC98
		lea	eax, [esi+14h]
		push	eax
		push	1
		push	esi
		call	RtlSetDaclSecurityDescriptor
		mov	[ebp+var_4], eax
		push	0
		test	eax, eax
		js	loc_92ACA7
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
CmpAdminSystemSecurityDescriptor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpOpenDevicesControlSet proc near	; CODE XREF: CmpMarkCurrentProfileDirty()+1Ep
					; CmSetAcpiHwProfile+BAp ...

var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092ACC5 SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 138h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_120], eax
		lea	edi, [ebp+var_138]
		push	6
		xor	eax, eax
		mov	[ebp+var_11C], edx
		xor	esi, esi
		mov	ebx, (offset loc_A3F60F+1)
		pop	ecx
		rep stosd
		mov	[ebp+var_110], esi
		cmp	_CmStateSeparationEnabled, eax
		jnz	short loc_890C8C
		mov	ebx, (offset loc_A3F617+1)

loc_890C8C:				; CODE XREF: CmpOpenDevicesControlSet+47j
		mov	eax, 100h
		mov	[ebp+var_118], esi
		mov	word ptr [ebp+var_118+2], ax
		lea	eax, [ebp+var_10C]
		push	ebx		; char
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_118]
		push	offset ??_C@_1FA@FPGGIGOJ@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\%wZ\\CurrentControlSet"...
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		mov	edi, eax
		add	esp, 0Ch
		test	edi, edi
		js	loc_890D64
		lea	eax, [ebp+var_118]
		mov	[ebp+var_138], 18h
		mov	[ebp+var_130], eax
		lea	eax, [ebp+var_138]
		push	eax
		push	20019h
		lea	eax, [ebp+var_110]
		mov	[ebp+var_134], esi
		push	eax
		mov	[ebp+var_12C], 240h
		mov	[ebp+var_128], esi
		mov	[ebp+var_124], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000034h
		jz	loc_92ACC5

loc_890D21:				; CODE XREF: CmpOpenDevicesControlSet+9A0F1j
		test	edi, edi
		js	short loc_890D64
		mov	ecx, [ebp+var_11C]
		mov	eax, [ebp+var_110]
		mov	[ebp+var_110], esi
		mov	[ecx], eax
		mov	ecx, [ebp+var_120]
		test	ecx, ecx
		jz	short loc_890D51
		mov	eax, [ebx]
		mov	[ecx], eax
		mov	eax, [ebx+4]
		mov	[ecx+4], eax

loc_890D4D:				; CODE XREF: CmpOpenDevicesControlSet+12Cj
		test	esi, esi
		jnz	short loc_890D6C

loc_890D51:				; CODE XREF: CmpOpenDevicesControlSet+103j
					; CmpOpenDevicesControlSet+134j
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_890D64:				; CODE XREF: CmpOpenDevicesControlSet+85j
					; CmpOpenDevicesControlSet+E5j	...
		mov	esi, [ebp+var_110]
		jmp	short loc_890D4D
; 

loc_890D6C:				; CODE XREF: CmpOpenDevicesControlSet+111j
		push	esi
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_890D51
CmpOpenDevicesControlSet endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspQueryForwardersEnabled()
_PspQueryForwardersEnabled@0 proc near	; CODE XREF: PsBootPhaseComplete+204p
					; PspSiloLoadApiSets(x)+87p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_3C]
		push	ebx
		push	38h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_38], 124h
		xor	ebx, ebx
		mov	[ebp+var_34], offset ??_C@_1BK@JHMIDBDI@?$AAO?$AAC?$AAF?$AAW?$AA_?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAd@NNGAKEGL@ ; "OCFW_Enabled"
		inc	ebx
		mov	[ebp+var_2C], 4000000h
		lea	eax, [ebp+var_4]
		mov	edx, offset ??_C@_1HG@MMHJMIMI@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\"
		push	ebx
		push	ecx
		mov	[ebp+var_30], eax
		xor	ecx, ecx
		push	0
		lea	eax, [ebp+var_3C]
		push	eax
		call	RtlpQueryRegistryValues
		test	eax, eax
		jns	short loc_890DCE

loc_890DC7:				; CODE XREF: PspQueryForwardersEnabled()+60j
		xor	bl, bl

loc_890DC9:				; CODE XREF: PspQueryForwardersEnabled()+5Ej
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_890DCE:				; CODE XREF: PspQueryForwardersEnabled()+51j
		cmp	[ebp+var_4], 0
		jnz	short loc_890DC9
		jmp	short loc_890DC7
_PspQueryForwardersEnabled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspIsDfssEnabled proc near		; CODE XREF: PsBootPhaseComplete:loc_89072Ap

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092AD34 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		xor	ecx, ecx
		mov	eax, offset _PspQuotaKeyNames
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		mov	bl, cl
		mov	[ebp+var_4], ecx
		mov	edi, ecx
		mov	[ebp+var_C], eax

loc_890DF5:				; CODE XREF: PspIsDfssEnabled+99F7Dj
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	1
		lea	eax, [ebp+var_4]
		mov	[ebp+var_24], 18h
		push	eax
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], 240h
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_890E4B
		push	0
		push	4
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		push	offset ??_C@_1BO@DLGJDBIE@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAC?$AAp?$AAu?$AAQ?$AAu?$AAo?$AAt?$AAa@NNGAKEGL@
		push	[ebp+var_4]
		call	RtlQueryImageFileKeyOption
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		jns	loc_92AD34

loc_890E4B:				; CODE XREF: PspIsDfssEnabled+4Aj
		test	bl, bl
		jnz	short loc_890E56

loc_890E4F:				; CODE XREF: PspIsDfssEnabled+85j
					; PspIsDfssEnabled+99F84j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_890E56:				; CODE XREF: PspIsDfssEnabled+77j
					; PspIsDfssEnabled+99F75j
		call	_PspReadDfssConfigurationValues@0 ; PspReadDfssConfigurationValues()
		jmp	short loc_890E4F
PspIsDfssEnabled endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfTLoggingWorker proc near		; DATA XREF: PfTStart+8Do

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092AD5F SIZE 00000084 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+94h+var_4], eax
		mov	eax, large fs:124h
		or	[esp+94h+var_8C], 0FFFFFFFFh
		or	[esp+94h+var_84], 0FFFFFFFFh
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	0FFFFFFFFh
		push	eax
		mov	[esp+0A8h+var_90], 0FFFB6C20h
		mov	[esp+0A8h+var_88], 4D2FA200h
		call	KeSetBasePriorityThread
		lea	eax, [ebx+40h]
		mov	[esp+0A0h+var_6C], offset unk_6FB60C
		mov	[esp+0A0h+var_78], eax
		mov	cl, 1
		lea	eax, [ebx+14h]
		mov	[esp+0A0h+var_74], eax
		lea	eax, [ebx+4]
		mov	[esp+0A0h+var_70], eax
		call	KiQueryUnbiasedInterruptTime
		mov	dword_6D42F8, eax
		xor	edi, edi
		mov	dword_6D42FC, edx

loc_890ED9:				; CODE XREF: PfTLoggingWorker+A7j
					; PfTLoggingWorker+D8j	...
		lea	eax, [esp+0A0h+var_68]
		push	eax
		lea	eax, [esp+0A4h+var_88]
		push	eax
		push	edi
		push	edi
		push	edi
		push	1
		lea	eax, [esp+0B8h+var_78]
		push	eax
		push	4
		call	KeWaitForMultipleObjects
		mov	esi, eax
		cmp	esi, 102h
		jz	loc_92AD5F

loc_890F02:				; CODE XREF: PfTLoggingWorker+99F04j
		cmp	esi, 4
		jge	short loc_890ED9
		push	[esp+esi*4+0A0h+var_78]
		call	_KeResetEvent@4	; KeResetEvent(x)
		test	esi, esi
		jz	short loc_890F21
		call	_PFP_CAN_DO_ACCESS_LOGGING@0 ; PFP_CAN_DO_ACCESS_LOGGING()
		test	eax, eax
		jz	loc_92AD67

loc_890F21:				; CODE XREF: PfTLoggingWorker+B4j
		sub	esi, edi
		jz	loc_92ADCC
		sub	esi, 1
		jz	short loc_890FAC
		sub	esi, 1
		jz	short loc_890F82
		sub	esi, 1
		jnz	short loc_890ED9
		mov	esi, edi

loc_890F3A:				; CODE XREF: PfTLoggingWorker+1ACj
		call	PfpFlushBuffers
		movzx	edi, al
		test	al, al
		jz	loc_890FEF

loc_890F4A:				; CODE XREF: PfTLoggingWorker+19Bj
		inc	esi
		test	edi, edi
		jz	loc_891004

loc_890F53:				; CODE XREF: PfTLoggingWorker+1B2j
		xor	edi, edi

loc_890F55:				; CODE XREF: PfTLoggingWorker+99F25j
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		sub	eax, dword_6D42F8
		sbb	edx, dword_6D42FC
		mov	[esp+0A0h+var_7C], edx
		jnz	loc_92AD88
		cmp	eax, 0B2D05E00h
		jbe	loc_890ED9
		jmp	loc_92AD88
; 

loc_890F82:				; CODE XREF: PfTLoggingWorker+D3j
		call	PfpFlushBuffers
		movzx	esi, al
		call	_PfTGenerateTrace@0 ; PfTGenerateTrace()
		test	esi, esi
		jnz	loc_890ED9
		cmp	eax, 0C000009Ah
		jz	loc_92AD92

loc_890FA2:				; CODE XREF: PfTLoggingWorker+99F40j
		call	PfpFlushBuffers
		jmp	loc_890ED9
; 

loc_890FAC:				; CODE XREF: PfTLoggingWorker+CEj
		mov	esi, edi

loc_890FAE:				; CODE XREF: PfTLoggingWorker+99F63j
		call	PfpFlushBuffers
		movzx	edi, al
		test	al, al
		jz	short loc_890FC0
		cmp	dword ptr [ebx+34h], 0
		jz	short loc_890FD0

loc_890FC0:				; CODE XREF: PfTLoggingWorker+15Aj
		call	_PfTGenerateTrace@0 ; PfTGenerateTrace()
		cmp	eax, 0C000009Ah
		jz	loc_92ADA3

loc_890FD0:				; CODE XREF: PfTLoggingWorker+160j
		xor	eax, eax
		inc	eax

loc_890FD3:				; CODE XREF: PfTLoggingWorker+99F58j
		add	esi, eax
		test	edi, edi
		jz	loc_92ADBB

loc_890FDD:				; CODE XREF: PfTLoggingWorker+99F69j
		xor	edi, edi

loc_890FDF:				; CODE XREF: PfTLoggingWorker+99F12j
		push	edi
		push	edi
		lea	eax, [ebx+24h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_890ED9
; 

loc_890FEF:				; CODE XREF: PfTLoggingWorker+E6j
		call	_PfTGenerateTrace@0 ; PfTGenerateTrace()
		cmp	eax, 0C000009Ah
		jnz	loc_890F4A
		jmp	loc_92AD75
; 

loc_891004:				; CODE XREF: PfTLoggingWorker+EFj
		cmp	esi, 3E8h
		jb	loc_890F3A
		jmp	loc_890F53
PfTLoggingWorker endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwIrpInterfaceSetState proc near	; CODE XREF: PiSwDispatch+F6p

var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
Handle		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 0092AE05 SIZE 00000014 BYTES

		push	1Ch
		push	offset dword_6A7260
		call	__SEH_prolog4
		mov	[ebp+var_2C], ecx
		mov	edx, [ecx+60h]
		mov	eax, [edx+18h]
		mov	eax, [eax+10h]
		mov	[ebp+var_24], eax
		xor	edi, edi
		mov	[ebp+Handle], edi
		mov	[ebp+var_1C], edi
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jz	loc_92AE0F
		lea	ecx, [ebp+Handle]
		push	ecx		; pHandle
		push	dword ptr [edx+8] ; BufferSize
		push	eax		; pBuffer
		call	ds:__imp__MesDecodeBufferHandleCreate@12 ; MesDecodeBufferHandleCreate(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8910F9
		mov	[ebp+ms_exc.disabled], edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	offset dword_A40038
		push	(offset	loc_A400C7+1)
		push	offset dword_A3FCB4
		push	[ebp+Handle]
		call	ds:__imp__NdrMesTypeDecode2@20 ; NdrMesTypeDecode2(x,x,x,x,x)

loc_89107B:				; CODE XREF: sub_92ADF5+Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		js	short loc_8910F9
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	loc_92AE0F
		cmp	[eax], edi
		jz	loc_92AE0F
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _PiSwLockObj
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [ebp+var_24]
		call	_PiSwDeviceOperationsAllowed@4 ; PiSwDeviceOperationsAllowed(x)
		test	al, al
		jz	loc_92AE05
		mov	edx, [ebp+var_1C]
		mov	edx, [edx]
		call	_PiSwDeviceFindInterfaceEntry@8	; PiSwDeviceFindInterfaceEntry(x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_891139
		mov	eax, [ebp+var_1C]
		movzx	eax, byte ptr [eax+4]
		push	eax
		mov	ecx, [ebp+var_24]
		call	_PiSwDeviceInterfaceSetState@12	; PiSwDeviceInterfaceSetState(x,x,x)
		mov	esi, eax

loc_8910E6:				; CODE XREF: PiSwIrpInterfaceSetState+128j
					; PiSwIrpInterfaceSetState+99DF4j
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_8910F9:				; CODE XREF: PiSwIrpInterfaceSetState+40j
					; PiSwIrpInterfaceSetState+6Ej	...
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_89110B
		push	6370726Bh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89110B:				; CODE XREF: PiSwIrpInterfaceSetState+E8j
		cmp	[ebp+Handle], 0
		jz	short loc_89111A
		push	[ebp+Handle]	; Handle
		call	ds:__imp__MesHandleFree@4 ; MesHandleFree(x)

loc_89111A:				; CODE XREF: PiSwIrpInterfaceSetState+F9j
		mov	ecx, [ebp+var_2C]
		mov	[ecx+18h], esi
		xor	dl, dl
		call	IofCompleteRequest
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_891139:				; CODE XREF: PiSwIrpInterfaceSetState+BCj
		mov	esi, 0C0000225h
		jmp	short loc_8910E6
PiSwIrpInterfaceSetState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwIrpCleanup	proc near		; CODE XREF: PiSwDispatch+EDp
					; PiSwIrpStartCreateWorker+99BA2p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092AE19 SIZE 00000072 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		mov	edi, ebx
		mov	[esp+18h+var_8], ebx
		mov	[esp+18h+var_4], ebx
		call	_PiSwLock@0	; PiSwLock()
		cmp	[esi+60h], ebx
		jz	short loc_8911DA
		mov	eax, [esi+3Ch]

loc_891169:				; CODE XREF: PiSwIrpCleanup+99CFCj
		mov	eax, [eax+4]
		push	4		; size_t
		push	offset _PiSwBusName ; wchar_t *
		push	eax		; wchar_t *
		mov	[esp+24h+var_C], eax
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_92AE19
		push	[esp+18h+var_C]
		lea	eax, [esp+1Ch+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, 746C6644h
		lea	ecx, [esp+18h+var_8]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		test	eax, eax
		jz	short loc_8911DA
		mov	ecx, eax
		call	ObfDereferenceObject

loc_8911AF:				; CODE XREF: PiSwIrpCleanup+9Cj
					; PiSwIrpCleanup+99CF3j
		mov	eax, [esi+4Ch]
		test	eax, eax
		jnz	loc_92AE41

loc_8911BA:				; CODE XREF: PiSwIrpCleanup+99D0Aj
					; PiSwIrpCleanup+99D17j
		and	dword ptr [esi+4], 0FFFFFFFEh
		test	bl, bl
		jnz	loc_92AE5C

loc_8911C6:				; CODE XREF: PiSwIrpCleanup+99D2Dj
		call	_PiSwUnlock@0	; PiSwUnlock()
		test	edi, edi
		jnz	loc_92AE72

loc_8911D3:				; CODE XREF: PiSwIrpCleanup+99D46j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8911DA:				; CODE XREF: PiSwIrpCleanup+24j
					; PiSwIrpCleanup+66j ...
		mov	bl, 1
		jmp	short loc_8911AF
PiSwIrpCleanup	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwIrpInterfaceRegister proc near	; CODE XREF: PiSwDispatch+ADp

var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
Handle		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 0092AE8B SIZE 00000074 BYTES
; FUNCTION CHUNK AT 0092AF2B SIZE 00000041 BYTES

		push	30h
		push	offset dword_6A7280
		call	__SEH_prolog4
		mov	[ebp+var_30], ecx
		mov	eax, [ecx+60h]
		mov	[ebp+var_38], eax
		mov	eax, [eax+18h]
		mov	edi, [eax+10h]
		mov	[ebp+var_40], edi
		xor	ebx, ebx
		mov	[ebp+Handle], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_19], bl
		mov	ecx, [ecx+0Ch]
		test	ecx, ecx
		jz	loc_92AE8B
		lea	eax, [ebp+Handle]
		push	eax		; pHandle
		mov	eax, [ebp+var_38]
		push	dword ptr [eax+8] ; BufferSize
		push	ecx		; pBuffer
		call	ds:__imp__MesDecodeBufferHandleCreate@12 ; MesDecodeBufferHandleCreate(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92AE90
		mov	[ebp+ms_exc.disabled], ebx
		lea	eax, [ebp+var_20]
		push	eax
		push	offset dword_A3FFD4
		push	(offset	loc_A400C7+1)
		push	offset dword_A3FCB4
		push	[ebp+Handle]
		call	ds:__imp__NdrMesTypeDecode2@20 ; NdrMesTypeDecode2(x,x,x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_89125C:				; CODE XREF: sub_92AF11+15j
		test	esi, esi
		js	loc_92AE90
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	loc_92AF34
		cmp	[eax], ebx
		jz	loc_92AF34
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jz	loc_92AF2B

loc_891282:				; CODE XREF: PiSwIrpInterfaceRegister+99D50j
		mov	eax, [ebp+var_20]
		mov	edx, [eax+8]
		test	edx, edx
		jz	loc_92AF3E

loc_891290:				; CODE XREF: PiSwIrpInterfaceRegister+99D64j
		call	_PiSwValidatePropertyArray@8 ; PiSwValidatePropertyArray(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92AE90
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiSwLockObj
		call	ExAcquireResourceExclusiveLite
		mov	ecx, edi
		call	_PiSwDeviceOperationsAllowed@4 ; PiSwDeviceOperationsAllowed(x)
		test	al, al
		jz	loc_92AF47
		test	byte ptr [edi+24h], 8
		jnz	loc_92AF47
		lea	eax, [ebp+var_34]
		push	eax		; int
		lea	eax, [ebp+var_28]
		push	eax		; int
		push	1		; char
		mov	edx, [ebp+var_20]
		push	dword ptr [edx+4] ; int
		mov	edx, [edx]	; int
		mov	ecx, [edi+2Ch]	; int
		call	IopRegisterDeviceInterface
		mov	esi, eax
		cmp	esi, 40000000h
		jz	short loc_8912FE
		test	esi, esi
		js	loc_8913D0

loc_8912FE:				; CODE XREF: PiSwIrpInterfaceRegister+116j
		mov	ecx, [edi+40h]
		test	ecx, ecx
		jz	short loc_89130B
		mov	eax, [ebp+var_34]
		or	[ecx+1Ch], eax

loc_89130B:				; CODE XREF: PiSwIrpInterfaceRegister+125j
		mov	edx, [ebp+var_28]
		mov	ecx, edi
		call	_PiSwDeviceFindInterfaceEntry@8	; PiSwDeviceFindInterfaceEntry(x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	loc_92AF51
		lea	eax, [ebp+var_24]
		push	eax
		mov	edx, [ebp+var_20]
		push	dword ptr [edx+8]
		mov	edx, [edx+0Ch]
		mov	ecx, [ebp+var_28]
		call	PiSwInterfaceCreate
		mov	esi, eax
		test	esi, esi
		js	loc_8913D0
		mov	[ebp+var_19], 1
		lea	ecx, [edi+64h]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_891484
		mov	eax, [ebp+var_24]
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax

loc_89135E:				; CODE XREF: PiSwIrpInterfaceRegister+99D89j
		mov	ecx, offset _PiSwLockObj
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		js	loc_92AE90
		mov	eax, [ebp+var_20]
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jz	short loc_89139A
		push	dword ptr [eax+8]
		push	ecx
		push	3
		pop	edx
		mov	ecx, [ebp+var_24]
		mov	ecx, [ecx+8]
		call	PiSwPropertySet
		mov	esi, eax

loc_89139A:				; CODE XREF: PiSwIrpInterfaceRegister+1A6j
		test	esi, esi
		js	loc_92AE90
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiSwLockObj
		call	ExAcquireResourceExclusiveLite
		mov	eax, [ebp+var_20]
		movzx	eax, byte ptr [eax+10h]
		push	eax
		mov	edx, [ebp+var_24]
		mov	ecx, edi
		call	_PiSwDeviceInterfaceSetState@12	; PiSwDeviceInterfaceSetState(x,x,x)
		mov	esi, eax

loc_8913D0:				; CODE XREF: PiSwIrpInterfaceRegister+11Aj
					; PiSwIrpInterfaceRegister+15Bj ...
		mov	ecx, offset _PiSwLockObj
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		js	loc_92AE90
		mov	edi, [ebp+var_28]
		push	edi
		mov	edx, [ebp+var_38]
		mov	edx, [edx+4]
		mov	eax, [ebp+var_30]
		mov	ecx, [eax+0Ch]
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92AE90
		lea	ecx, [edi+2]

loc_891410:				; CODE XREF: PiSwIrpInterfaceRegister+23Bj
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, bx
		jnz	short loc_891410
		sub	edi, ecx
		sar	edi, 1
		lea	eax, ds:2[edi*2]
		mov	ecx, [ebp+var_30]
		mov	[ecx+1Ch], eax

loc_89142C:				; CODE XREF: PiSwIrpInterfaceRegister+99D5Bj
		test	esi, esi
		js	loc_92AE90

loc_891434:				; CODE XREF: PiSwIrpInterfaceRegister+99CB6j
					; PiSwIrpInterfaceRegister+99CC0j ...
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_891446
		push	6370726Bh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_891446:				; CODE XREF: PiSwIrpInterfaceRegister+25Bj
		mov	edi, [ebp+var_28]
		test	edi, edi
		jz	short loc_891454
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_891454:				; CODE XREF: PiSwIrpInterfaceRegister+26Dj
		cmp	[ebp+Handle], 0
		jz	short loc_891463
		push	[ebp+Handle]	; Handle
		call	ds:__imp__MesHandleFree@4 ; MesHandleFree(x)

loc_891463:				; CODE XREF: PiSwIrpInterfaceRegister+27Aj
		mov	eax, [ebp+var_30]
		mov	[eax+18h], esi
		xor	dl, dl
		mov	ecx, eax
		call	IofCompleteRequest
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_891484:				; CODE XREF: PiSwIrpInterfaceRegister+16Dj
					; PiSwIrpInterfaceRegister+99CEBj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PiSwIrpInterfaceRegister endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwDeviceInterfaceSetState(x, x, x)
_PiSwDeviceInterfaceSetState@12	proc near ; CODE XREF: PiSwIrpInterfaceSetState+C9p
					; PiSwIrpInterfaceRegister+1EBp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx+40h]
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, edx
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		push	edi
		mov	edi, esi
		mov	[ebp+var_4], edi
		test	eax, eax
		jz	short loc_89151A
		mov	eax, [eax+28h]
		test	eax, eax
		jz	short loc_89151A
		test	byte ptr [eax+4], 1
		mov	eax, [ebp+arg_0]
		jnz	short loc_8914CB

loc_8914BB:				; CODE XREF: PiSwDeviceInterfaceSetState(x,x,x)+44j
					; PiSwDeviceInterfaceSetState(x,x,x)+93j
		mov	[ebx+14h], al

loc_8914BE:				; CODE XREF: PiSwDeviceInterfaceSetState(x,x,x)+63j
					; PiSwDeviceInterfaceSetState(x,x,x)+72j ...
		test	edi, edi
		jnz	short loc_89151F

loc_8914C2:				; CODE XREF: PiSwDeviceInterfaceSetState(x,x,x)+A0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8914CB:				; CODE XREF: PiSwDeviceInterfaceSetState(x,x,x)+2Fj
		cmp	[ebx+14h], al
		jz	short loc_8914BB
		mov	ecx, [ebx+8]
		lea	eax, [ebp+var_4]
		push	eax
		push	57706E50h
		mov	edx, 7FFFFFFFh
		call	PnpAllocatePWSTR
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_8914BE
		push	1
		mov	edx, edi
		call	__CmSetDeviceInterfacePathFormat@12 ; _CmSetDeviceInterfacePathFormat(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8914BE
		push	edi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+arg_0]
		lea	eax, [ebp+var_C]
		push	eax
		call	_IoSetDeviceInterfaceState@8 ; IoSetDeviceInterfaceState(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8914BE

loc_89151A:				; CODE XREF: PiSwDeviceInterfaceSetState(x,x,x)+1Fj
					; PiSwDeviceInterfaceSetState(x,x,x)+26j
		mov	eax, [ebp+arg_0]
		jmp	short loc_8914BB
; 

loc_89151F:				; CODE XREF: PiSwDeviceInterfaceSetState(x,x,x)+36j
		push	57706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8914C2
_PiSwDeviceInterfaceSetState@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwInterfaceCreate proc near		; CODE XREF: PiSwIrpInterfaceRegister+152p
					; PiSwCompleteCreate+99A16p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092AF6C SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	57706E50h
		push	18h
		push	1
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, [ebp+arg_4]
		mov	edi, eax
		mov	[esi], edi
		test	edi, edi
		jz	loc_92AF6C
		push	6
		pop	ecx
		xor	eax, eax
		mov	edx, 7FFFFFFFh
		rep stosd
		mov	eax, [esi]
		mov	ecx, [ebp+var_4]
		add	eax, 8
		push	eax
		push	57706E50h
		call	PnpAllocatePWSTR
		mov	edi, eax
		test	edi, edi
		js	loc_92AF71
		mov	ecx, [esi]
		mov	edx, ebx
		lea	eax, [ecx+0Ch]
		push	eax
		lea	eax, [ecx+10h]
		push	eax
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	PnpCopyDevPropertyArray
		mov	edi, eax
		test	edi, edi
		js	loc_92AF71

loc_89159F:				; CODE XREF: PiSwInterfaceCreate+99A49j
					; PiSwInterfaceCreate+99A57j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
PiSwInterfaceCreate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwCompleteCreate proc	near		; CODE XREF: PiSwPdoPnPDispatch+15Ap

var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_221		= byte ptr -221h
var_220		= dword	ptr -220h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092AF88 SIZE 0000013D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 264h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_220]
		stosd
		xor	ebx, ebx
		mov	esi, ecx
		mov	[ebp+var_244], ebx
		mov	[ebp+var_250], esi
		mov	[ebp+var_238], ebx
		stosd
		mov	[ebp+var_22C], ebx
		mov	[ebp+var_240], ebx
		mov	[ebp+var_254], ebx
		stosd
		mov	[ebp+var_24C], ebx
		mov	[ebp+var_248], ebx
		mov	[ebp+var_25C], ebx
		stosd
		lea	eax, [ebp+var_234]
		mov	[ebp+var_258], ebx
		mov	[ebp+var_264], ebx
		mov	[ebp+var_260], ebx
		mov	[ebp+var_23C], ebx
		mov	[ebp+var_230], eax
		mov	[ebp+var_234], eax
		call	_PiSwLock@0	; PiSwLock()
		mov	eax, [esi+28h]
		mov	edi, [eax]
		test	edi, edi
		jz	loc_92AF88
		and	dword ptr [eax+4], 0FFFFFFF9h
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		mov	eax, [edi+2Ch]
		add	ecx, 14h
		mov	[ebp+var_238], ecx
		test	eax, eax
		jnz	loc_92AF92

loc_891663:				; CODE XREF: PiSwCompleteCreate+99A01j
		movzx	edx, word ptr [ecx]
		lea	eax, [ebp+var_228]
		mov	ecx, [ecx+4]
		push	eax
		shr	edx, 1
		push	57706E50h
		inc	edx
		mov	[ebp+var_228], ebx
		call	PnpAllocatePWSTR
		mov	esi, eax
		test	esi, esi
		js	loc_891750
		push	[ebp+var_228]
		lea	eax, [edi+28h]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		or	dword ptr [edi+4], 4
		cmp	[edi+30h], ebx
		jnz	loc_891750
		mov	eax, [edi+4Ch]
		test	eax, eax
		jz	short loc_89170C
		xor	ecx, ecx
		add	eax, 38h
		xchg	ecx, [eax]
		test	ecx, ecx
		jz	short loc_89170C
		mov	eax, [edi+4Ch]
		mov	[ebp+var_244], eax
		mov	[edi+4Ch], ebx
		test	eax, eax
		jz	short loc_89170C
		mov	ecx, [eax+60h]
		push	dword ptr [edi+2Ch]
		mov	[ebp+var_228], ecx
		mov	edx, [ecx+4]
		mov	ecx, [eax+0Ch]
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_891750
		mov	edx, [ebp+var_228]
		lea	eax, [ebp+var_24C]
		mov	ecx, [ebp+var_244]
		push	eax
		mov	edx, [edx+4]
		mov	ecx, [ecx+0Ch]
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_891750

loc_89170C:				; CODE XREF: PiSwCompleteCreate+106j
					; PiSwCompleteCreate+111j ...
		mov	edx, [edi+58h]
		lea	eax, [ebp+var_22C]
		push	eax
		lea	eax, [ebp+var_240]
		push	eax
		push	ecx
		mov	ecx, [edi+5Ch]
		call	PnpCopyDevPropertyArray
		mov	esi, eax
		test	esi, esi
		js	short loc_891750
		lea	eax, [edi+64h]
		mov	edi, [eax]
		mov	[ebp+var_228], eax
		cmp	edi, eax
		jnz	loc_92AFAE

loc_89173F:				; CODE XREF: PiSwCompleteCreate+99A54j
		mov	ecx, [ebp+var_250]
		mov	[ebp+var_23C], ecx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_891750:				; CODE XREF: PiSwCompleteCreate+DFj
					; PiSwCompleteCreate+FBj ...
		call	_PiSwUnlock@0	; PiSwUnlock()
		mov	edi, [ebp+var_22C]
		test	esi, esi
		js	short loc_89179B
		test	edi, edi
		jz	short loc_891781
		mov	ecx, [ebp+var_238]
		xor	edx, edx
		push	[ebp+var_240]
		inc	edx
		push	edi
		mov	ecx, [ecx+4]
		call	PiSwPropertySet
		mov	esi, eax
		test	esi, esi
		js	short loc_89179B

loc_891781:				; CODE XREF: PiSwCompleteCreate+1B9j
		mov	edi, [ebp+var_234]

loc_891787:				; CODE XREF: PiSwCompleteCreate+99B18j
		lea	eax, [ebp+var_234]
		cmp	edi, eax
		jnz	loc_92B006

loc_891795:				; CODE XREF: PiSwCompleteCreate+99A71j
					; PiSwCompleteCreate+99AA2j ...
		mov	edi, [ebp+var_22C]

loc_89179B:				; CODE XREF: PiSwCompleteCreate+1B5j
					; PiSwCompleteCreate+1D7j
		mov	eax, [ebp+var_23C]
		test	eax, eax
		jz	short loc_8917AC
		mov	ecx, eax
		call	ObfDereferenceObject

loc_8917AC:				; CODE XREF: PiSwCompleteCreate+1FBj
		test	edi, edi
		jz	short loc_8917C2
		mov	ecx, [ebp+var_240]
		mov	edx, edi
		push	57706E50h
		call	_PnpFreeDevPropertyArray@12 ; PnpFreeDevPropertyArray(x,x,x)

loc_8917C2:				; CODE XREF: PiSwCompleteCreate+206j
		lea	ecx, [ebp+var_234]
		call	PiSwFreeInterfaceList
		lea	eax, [ebp+var_264]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [ebp+var_244]
		test	ecx, ecx
		jz	short loc_8917FD
		test	esi, esi
		js	short loc_8917F0
		mov	ebx, [ebp+var_24C]
		add	ebx, 2

loc_8917F0:				; CODE XREF: PiSwCompleteCreate+23Dj
		mov	[ecx+1Ch], ebx
		xor	dl, dl
		mov	[ecx+18h], esi
		call	IofCompleteRequest

loc_8917FD:				; CODE XREF: PiSwCompleteCreate+239j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PiSwCompleteCreate endp


;  S U B	R O U T	I N E 


PiSwFreeInterfaceList proc near		; CODE XREF: PiSwCompleteCreate+220p
					; PiSwIrpStartCreateWorker+99A49p ...

; FUNCTION CHUNK AT 0092B0C5 SIZE 0000002A BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx

loc_891811:				; CODE XREF: PiSwFreeInterfaceList+998CFj
		mov	ecx, [esi]
		cmp	ecx, esi
		jnz	loc_92B0C5
		pop	esi
		retn
PiSwFreeInterfaceList endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwIrpStartCreate proc	near		; CODE XREF: PiSwDispatch+93p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
Handle		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 0092B0EF SIZE 0000000A BYTES
; FUNCTION CHUNK AT 0092B124 SIZE 00000015 BYTES

		push	1Ch
		push	offset dword_6A72A0
		call	__SEH_prolog4
		mov	esi, ecx
		mov	[ebp+var_2C], esi
		mov	eax, [esi+60h]
		and	[ebp+Handle], 0
		and	[ebp+var_1C], 0
		mov	[ebp+var_28], esi
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	loc_92B0E5
		cmp	dword ptr [eax+4], 0C8h
		jb	loc_92B0EF
		lea	edx, [ebp+Handle]
		push	edx		; pHandle
		push	dword ptr [eax+8] ; BufferSize
		push	ecx		; pBuffer
		call	ds:__imp__MesDecodeBufferHandleCreate@12 ; MesDecodeBufferHandleCreate(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8918A3
		and	[ebp+ms_exc.disabled], 0
		lea	eax, [ebp+var_1C]
		push	eax
		push	offset dword_A3FE24
		push	(offset	loc_A400C7+1)
		push	offset dword_A3FCB4
		push	[ebp+Handle]
		call	ds:__imp__NdrMesTypeDecode2@20 ; NdrMesTypeDecode2(x,x,x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_891890:				; CODE XREF: sub_92B10B+14j
		test	edi, edi
		js	short loc_8918A3
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_1C]
		call	PiSwIrpStartCreateWorker
		mov	edi, eax
		xor	esi, esi

loc_8918A3:				; CODE XREF: PiSwIrpStartCreate+49j
					; PiSwIrpStartCreate+74j ...
		test	esi, esi
		jnz	loc_92B124

loc_8918AB:				; CODE XREF: PiSwIrpStartCreate+99916j
		cmp	[ebp+var_1C], 0
		jz	short loc_8918BE
		push	6370726Bh
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8918BE:				; CODE XREF: PiSwIrpStartCreate+91j
		cmp	[ebp+Handle], 0
		jz	short loc_8918CD
		push	[ebp+Handle]	; Handle
		call	ds:__imp__MesHandleFree@4 ; MesHandleFree(x)

loc_8918CD:				; CODE XREF: PiSwIrpStartCreate+A4j
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PiSwIrpStartCreate endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwIrpStartCreateWorker proc near	; CODE XREF: PiSwIrpStartCreate+7Cp
					; PiSwStartCreate(x,x,x,x,x,x,x,x,x,x,x,x,x)+9Fp

var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092B139 SIZE 00000353 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		mov	[esp+30h+var_10], ecx
		mov	[esp+30h+var_14], ecx
		mov	[esp+30h+var_1C], ecx
		mov	[esp+30h+var_18], ecx
		mov	[esp+30h+var_1D], cl
		mov	[esp+30h+var_1E], cl
		mov	[esp+30h+var_4], ecx
		mov	ecx, edi
		call	PiSwValidateCreateData
		mov	esi, eax
		test	esi, esi
		js	loc_891B0B
		call	_PiSwLock@0	; PiSwLock()
		test	ebx, ebx
		jz	short loc_891946
		mov	eax, [ebx+60h]
		mov	[esp+30h+var_10], eax
		mov	eax, [eax+18h]
		cmp	dword ptr [eax+10h], 0
		jnz	loc_92B139

loc_89193E:				; CODE XREF: PiSwIrpStartCreateWorker+9985Ej
		test	esi, esi
		js	loc_891AB5

loc_891946:				; CODE XREF: PiSwIrpStartCreateWorker+48j
		lea	ecx, [esp+30h+var_14]
		call	_PiSwDeviceCreate@4 ; PiSwDeviceCreate(x)
		mov	esi, eax
		test	esi, esi
		js	loc_891AB5
		mov	ecx, [esp+30h+var_14]
		mov	edx, edi
		lea	ecx, [ecx+8]
		call	_PiSwInstanceInfoInit@8	; PiSwInstanceInfoInit(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_891AB5
		lea	eax, [esp+13h]
		push	eax		; int
		push	4		; size_t
		lea	eax, [esp+38h+var_14]
		push	eax		; void *
		push	offset _PiSwDeviceInstanceTable	; int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		test	eax, eax
		jz	loc_92B41B
		cmp	[esp+30h+var_1D], 0
		mov	eax, [eax]
		mov	[esp+30h+var_1C], eax
		jz	loc_92B183
		and	[esp+30h+var_14], 0
		lock inc dword ptr [eax]
		mov	ecx, [esp+30h+var_1C]
		mov	edx, edi
		lea	ecx, [ecx+10h]
		call	_PiSwPnPInfoInit@8 ; PiSwPnPInfoInit(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92B148
		mov	eax, [esp+30h+var_1C]
		mov	ecx, [edi+2Ch]
		mov	[eax+54h], ecx
		cmp	dword ptr [edi+30h], 0
		jz	short loc_8919FD
		mov	ecx, [edi+2Ch]
		call	_PiSwAllocMem@4	; PiSwAllocMem(x)
		mov	ecx, [esp+30h+var_1C]
		mov	[ecx+50h], eax
		mov	eax, [esp+30h+var_1C]
		mov	eax, [eax+50h]
		test	eax, eax
		jz	loc_92B143
		push	dword ptr [edi+2Ch] ; size_t
		push	dword ptr [edi+30h] ; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_8919FD:				; CODE XREF: PiSwIrpStartCreateWorker+EEj
		mov	ecx, [esp+30h+var_1C]
		mov	edx, [edi+38h]
		lea	eax, [ecx+58h]
		push	eax
		lea	eax, [ecx+5Ch]
		push	eax
		push	ecx
		mov	ecx, [edi+34h]
		call	PnpCopyDevPropertyArray
		mov	esi, eax
		test	esi, esi
		js	loc_92B148
		mov	edx, [esp+30h+var_1C]
		mov	ecx, [edi+4]
		call	_PiSwBusRelationAdd@8 ;	PiSwBusRelationAdd(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92B148

loc_891A35:				; CODE XREF: PiSwIrpStartCreateWorker+9997Dj
		mov	ecx, [esp+30h+var_1C]
		mov	edx, 746C6644h
		mov	ecx, [ecx+3Ch]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	[esp+30h+var_18], eax

loc_891A4A:				; CODE XREF: PiSwIrpStartCreateWorker+999D5j
					; PiSwIrpStartCreateWorker+99AE9j
		mov	al, 1
		mov	[esp+30h+var_1E], al

loc_891A50:				; CODE XREF: PiSwIrpStartCreateWorker+9993Ej
		test	ebx, ebx
		jz	short loc_891A7E
		test	al, al
		jz	loc_92B3D8
		mov	ecx, offset _PiSwIrpCancelStartCreate@8	; PiSwIrpCancelStartCreate(x,x)
		lea	eax, [ebx+38h]
		xchg	ecx, [eax]
		cmp	byte ptr [ebx+24h], 0
		jnz	loc_92B3CE
		mov	eax, [esp+30h+var_1C]
		mov	[eax+4Ch], ebx
		mov	eax, [ebx+60h]
		or	byte ptr [eax+3], 1

loc_891A7E:				; CODE XREF: PiSwIrpStartCreateWorker+172j
					; PiSwIrpStartCreateWorker+99B36j
		mov	eax, [esp+30h+var_1C]
		or	dword ptr [eax+4], 1
		test	ebx, ebx
		jz	short loc_891A9D
		mov	eax, [esp+30h+var_10]
		mov	ecx, [eax+18h]
		mov	eax, [esp+30h+var_1C]
		mov	[ecx+10h], eax
		and	[esp+30h+var_1C], 0

loc_891A9D:				; CODE XREF: PiSwIrpStartCreateWorker+1A8j
		mov	eax, [esp+30h+var_18]
		test	eax, eax
		jz	short loc_891AAD
		push	5
		push	eax
		call	IoInvalidateDeviceRelations

loc_891AAD:				; CODE XREF: PiSwIrpStartCreateWorker+1C3j
					; PiSwIrpStartCreateWorker+99B40j
		test	esi, esi
		js	loc_92B148

loc_891AB5:				; CODE XREF: PiSwIrpStartCreateWorker+60j
					; PiSwIrpStartCreateWorker+73j	...
		call	_PiSwUnlock@0	; PiSwUnlock()
		mov	al, [esp+30h+var_1E]
		test	esi, esi
		js	short loc_891ACA
		test	al, al
		jz	loc_92B425

loc_891ACA:				; CODE XREF: PiSwIrpStartCreateWorker+1E0j
					; PiSwIrpStartCreateWorker+22Fj
		test	ebx, ebx
		jz	loc_92B46B
		test	esi, esi
		js	short loc_891B11
		test	al, al
		jz	loc_92B450
		mov	esi, 103h

loc_891AE3:				; CODE XREF: PiSwIrpStartCreateWorker+99B86j
					; PiSwIrpStartCreateWorker+99B8Dj ...
		mov	ecx, [esp+30h+var_1C]
		test	ecx, ecx
		jnz	short loc_891B1A

loc_891AEB:				; CODE XREF: PiSwIrpStartCreateWorker+23Fj
		mov	ecx, [esp+30h+var_14]
		test	ecx, ecx
		jnz	short loc_891B21

loc_891AF3:				; CODE XREF: PiSwIrpStartCreateWorker+246j
		mov	eax, [esp+30h+var_18]
		test	eax, eax
		jz	short loc_891B02
		mov	ecx, eax
		call	ObfDereferenceObject

loc_891B02:				; CODE XREF: PiSwIrpStartCreateWorker+219j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_891B0B:				; CODE XREF: PiSwIrpStartCreateWorker+3Bj
					; PiSwIrpStartCreateWorker+99B4Aj ...
		mov	al, [esp+30h+var_1E]
		jmp	short loc_891ACA
; 

loc_891B11:				; CODE XREF: PiSwIrpStartCreateWorker+1F4j
		and	dword ptr [ebx+1Ch], 0
		jmp	loc_92B45A
; 

loc_891B1A:				; CODE XREF: PiSwIrpStartCreateWorker+209j
		call	PiSwDeviceDereference
		jmp	short loc_891AEB
; 

loc_891B21:				; CODE XREF: PiSwIrpStartCreateWorker+211j
		call	PiSwDeviceDereference
		jmp	short loc_891AF3
PiSwIrpStartCreateWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwBusRelationAdd(x, x)
_PiSwBusRelationAdd@8 proc near		; CODE XREF: PiSwIrpStartCreateWorker+146p
					; PiSwIrpStartCreateWorker+99AD2p ...

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		and	[ebp+var_8], 0
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	byte ptr [ebp+var_1], 0
		stosd
		mov	ebx, edx
		mov	edx, 0C8h
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_8]
		push	eax
		push	57706E50h
		call	PnpAllocatePWSTR
		mov	esi, [ebp+var_8]
		mov	edi, eax
		test	edi, edi
		js	short loc_891BB5
		push	ecx
		push	ecx
		mov	edx, esi
		lea	ecx, [ebp+var_18]
		call	RtlUnicodeStringInitWorker
		mov	edi, eax
		test	edi, edi
		js	short loc_891BB5
		lea	eax, [ebp+var_1]
		push	eax		; int
		push	10h		; size_t
		lea	eax, [ebp+var_18]
		push	eax		; void *
		push	offset _PiSwBusRelationsTable ;	int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_891BD7
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_891BCB

loc_891B94:				; CODE XREF: PiSwBusRelationAdd(x,x)+ADj
					; PiSwBusRelationAdd(x,x)+B4j
		test	edi, edi
		js	short loc_891BB5
		lea	ecx, [edx+8]
		mov	[ebx+3Ch], edx
		mov	edx, [ecx+4]
		lea	eax, [ebx+34h]
		cmp	[edx], ecx
		jnz	short loc_891BDE
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		lock inc dword ptr [ebx]

loc_891BB5:				; CODE XREF: PiSwBusRelationAdd(x,x)+38j
					; PiSwBusRelationAdd(x,x)+4Aj ...
		test	esi, esi
		jz	short loc_891BC4
		push	57706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_891BC4:				; CODE XREF: PiSwBusRelationAdd(x,x)+8Fj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_891BCB:				; CODE XREF: PiSwBusRelationAdd(x,x)+6Aj
		lea	ecx, [edx+8]
		xor	esi, esi
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		jmp	short loc_891B94
; 

loc_891BD7:				; CODE XREF: PiSwBusRelationAdd(x,x)+64j
		mov	edi, 0C000009Ah
		jmp	short loc_891B94
; 

loc_891BDE:				; CODE XREF: PiSwBusRelationAdd(x,x)+7Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PiSwBusRelationAdd@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpCopyDevPropertyArray	proc near	; CODE XREF: PiSwInterfaceCreate+64p
					; PiSwCompleteCreate+179p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0092B48C SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	eax, ecx
		push	edi
		mov	edi, [ebp+arg_4]
		xor	ecx, ecx
		mov	[ebp+var_C], edx
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ecx
		mov	[edi], ecx
		mov	[esi], ecx
		test	edx, edx
		jz	loc_891C90
		test	eax, eax
		jz	short loc_891C90
		push	28h
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_891C90
		push	57706E50h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	loc_92B48C
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		and	[ebp+arg_4], 0
		add	esp, 0Ch
		cmp	[ebp+var_8], 0
		jbe	short loc_891C90
		xor	ecx, ecx
		mov	[ebp+arg_8], ecx

loc_891C5F:				; CODE XREF: PnpCopyDevPropertyArray+AAj
		mov	eax, [esi]
		add	eax, ecx
		add	ecx, [ebp+var_C]
		push	eax
		call	PnpCopyDevProperty
		mov	ebx, eax
		mov	[ebp+var_4], ebx
		test	ebx, ebx
		js	loc_92B494
		mov	eax, [ebp+arg_4]
		inc	dword ptr [edi]
		inc	eax
		mov	ecx, [ebp+arg_8]
		add	ecx, 28h
		mov	[ebp+arg_4], eax
		mov	[ebp+arg_8], ecx
		cmp	eax, [ebp+var_8]
		jb	short loc_891C5F

loc_891C90:				; CODE XREF: PnpCopyDevPropertyArray+26j
					; PnpCopyDevPropertyArray+2Ej ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
PnpCopyDevPropertyArray	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpCopyDevProperty proc	near		; CODE XREF: PnpCopyDevPropertyArray+83p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092B4E2 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	edx, ecx
		push	esi
		push	edi
		push	0Ah
		pop	ecx
		mov	esi, edx
		mov	[ebp+var_4], edx
		mov	edi, ebx
		xor	eax, eax
		rep movsd
		lea	esi, [ebx+18h]
		mov	[ebx+24h], eax
		mov	[esi], eax
		mov	edi, 57706E50h
		mov	ecx, [edx+18h]
		test	ecx, ecx
		jnz	loc_92B4E2
		xor	esi, esi

loc_891CD0:				; CODE XREF: PnpCopyDevProperty+9985Aj
		mov	eax, [ebx+20h]
		test	eax, eax
		jz	short loc_891CEB
		push	edi
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+24h], eax
		test	eax, eax
		jz	loc_92B4F9

loc_891CEB:				; CODE XREF: PnpCopyDevProperty+3Bj
		mov	eax, [ebp+var_4]
		push	dword ptr [ebx+20h] ; size_t
		push	dword ptr [eax+24h] ; void *
		push	dword ptr [ebx+24h] ; void *
		call	_memcpy
		add	esp, 0Ch

loc_891CFF:				; CODE XREF: PnpCopyDevProperty+99876j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
PnpCopyDevProperty endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwPnPInfoInit(x, x)
_PiSwPnPInfoInit@8 proc	near		; CODE XREF: PiSwIrpStartCreateWorker+D1p
					; PiSwIrpStartCreateWorker+99A57p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], esi
		push	edi
		mov	eax, [esi+20h]
		push	ecx
		mov	[edi+14h], eax
		mov	edx, [esi+0Ch]
		mov	ecx, [esi+10h]
		mov	[ebp+var_8], edi
		call	_PnpAllocateMultiSZ@16 ; PnpAllocateMultiSZ(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_891D89
		mov	edx, [esi+14h]
		lea	eax, [edi+4]
		push	eax
		push	ecx
		mov	ecx, [esi+18h]
		call	_PnpAllocateMultiSZ@16 ; PnpAllocateMultiSZ(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_891D89
		cmp	dword ptr [esi+1Ch], 0
		jnz	short loc_891D90

loc_891D51:				; CODE XREF: PiSwPnPInfoInit(x,x)+ACj
					; PiSwPnPInfoInit(x,x)+B3j
		test	ebx, ebx
		js	short loc_891D89
		mov	ecx, [esi+24h]
		lea	eax, [edi+0Ch]
		push	eax
		push	57706E50h
		mov	edx, 7FFFh
		call	PnpAllocatePWSTR
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_891D89
		mov	ecx, [esi+28h]
		lea	eax, [edi+10h]
		push	eax
		push	57706E50h
		mov	edx, 7FFFh
		call	PnpAllocatePWSTR
		mov	ebx, eax

loc_891D89:				; CODE XREF: PiSwPnPInfoInit(x,x)+2Bj
					; PiSwPnPInfoInit(x,x)+41j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_891D90:				; CODE XREF: PiSwPnPInfoInit(x,x)+47j
		push	57706E50h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+8], eax
		test	eax, eax
		jz	short loc_891DB6
		mov	esi, [esi+1Ch]
		mov	edi, eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_4]
		mov	edi, [ebp+var_8]
		jmp	short loc_891D51
; 

loc_891DB6:				; CODE XREF: PiSwPnPInfoInit(x,x)+9Bj
		mov	ebx, 0C000009Ah
		jmp	short loc_891D51
_PiSwPnPInfoInit@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpAllocateMultiSZ(x, x, x,	x)
_PnpAllocateMultiSZ@16 proc near	; CODE XREF: PiSwPdoPnPDispatch+36Cp
					; PiSwPnPInfoInit(x,x)+22p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	eax, ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	[ebx], esi
		test	eax, eax
		jz	short loc_891E43
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, eax
		call	_PnpGetMultiSzLength@12	; PnpGetMultiSzLength(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_891E43
		push	edi
		mov	edi, [ebp+var_8]
		push	2
		pop	ecx
		cmp	edi, ecx
		jbe	short loc_891E42
		mov	eax, edi
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_891E42
		push	57706E50h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jz	short loc_891E4B
		push	[ebp+var_4]	; size_t
		push	[ebp+var_C]	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebx]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[eax+edi*2-2], cx
		mov	eax, [ebx]
		mov	[eax+edi*2-4], cx

loc_891E42:				; CODE XREF: PnpAllocateMultiSZ(x,x,x,x)+3Aj
					; PnpAllocateMultiSZ(x,x,x,x)+4Ej ...
		pop	edi

loc_891E43:				; CODE XREF: PnpAllocateMultiSZ(x,x,x,x)+1Ej
					; PnpAllocateMultiSZ(x,x,x,x)+2Fj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_891E4B:				; CODE XREF: PnpAllocateMultiSZ(x,x,x,x)+63j
		mov	esi, 0C000009Ah
		jmp	short loc_891E42
_PnpAllocateMultiSZ@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpGetMultiSzLength(x, x, x)
_PnpGetMultiSzLength@12	proc near	; CODE XREF: PnpAllocateMultiSZ(x,x,x,x)+26p
					; PiSwStartCreate(x,x,x,x,x,x,x,x,x,x,x,x,x)+6Dp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		mov	[ebp+var_8], ecx
		and	dword ptr [esi], 0

loc_891E6B:				; CODE XREF: PnpGetMultiSzLength(x,x,x)+54j
		mov	edi, [esi]
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		sub	edx, edi
		lea	ecx, [ecx+edi*2]
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		test	eax, eax
		js	short loc_891EA8
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		push	esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_891EA8
		mov	ecx, [esi]
		xor	edx, edx
		push	esi
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_891EA8
		cmp	[ebp+var_4], 0
		mov	ecx, [ebp+var_8]
		jnz	short loc_891E6B

loc_891EA8:				; CODE XREF: PnpGetMultiSzLength(x,x,x)+2Dj
					; PnpGetMultiSzLength(x,x,x)+3Cj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PnpGetMultiSzLength@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PiSwInstanceInfoInit(x, x)
_PiSwInstanceInfoInit@8	proc near	; CODE XREF: PiSwIrpStartCreateWorker+82p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		push	dword ptr [ebx]
		push	offset _PiSwBusName
		push	2
		push	edi
		push	57706E50h
		push	0C8h
		call	PnpConcatPWSTR
		mov	esi, eax
		add	esp, 18h
		test	esi, esi
		js	short loc_891EFD
		mov	ecx, [ebx+8]
		lea	eax, [edi+4]
		push	eax
		push	57706E50h
		mov	edx, 0C8h
		call	PnpAllocatePWSTR
		mov	esi, eax
		test	esi, esi
		js	short loc_891EFD

loc_891EF7:				; CODE XREF: PiSwInstanceInfoInit(x,x)+54j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_891EFD:				; CODE XREF: PiSwInstanceInfoInit(x,x)+29j
					; PiSwInstanceInfoInit(x,x)+45j
		mov	ecx, edi
		call	_PiSwInstanceInfoFree@4	; PiSwInstanceInfoFree(x)
		jmp	short loc_891EF7
_PiSwInstanceInfoInit@8	endp


;  S U B	R O U T	I N E 


; __stdcall PiSwDeviceCreate(x)
_PiSwDeviceCreate@4 proc near		; CODE XREF: PiSwIrpStartCreateWorker+6Ap
		mov	edi, edi
		push	esi
		push	edi
		push	57706E50h
		push	70h
		push	1
		mov	edi, ecx
		xor	esi, esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jz	short loc_891F4F
		push	70h		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [edi]
		add	esp, 0Ch
		mov	dword ptr [eax], 1
		mov	eax, [edi]
		add	eax, 44h
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [edi]
		add	eax, 64h
		mov	[eax+4], eax
		mov	[eax], eax

loc_891F4A:				; CODE XREF: PiSwDeviceCreate(x)+4Ej
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_891F4F:				; CODE XREF: PiSwDeviceCreate(x)+1Aj
		mov	esi, 0C000009Ah
		jmp	short loc_891F4A
_PiSwDeviceCreate@4 endp


;  S U B	R O U T	I N E 


PiSwValidateCreateData proc near	; CODE XREF: PiSwIrpStartCreateWorker+32p

; FUNCTION CHUNK AT 0092B515 SIZE 00000017 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 0C000000Dh
		test	esi, esi
		jz	loc_892175
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	loc_892175
		push	ebx
		xor	ebx, ebx
		cmp	[ecx], bx
		jz	loc_892174
		lea	edx, [ecx+2]

loc_891F83:				; CODE XREF: PiSwValidateCreateData+36j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_891F83
		sub	ecx, edx
		sar	ecx, 1
		cmp	ecx, 0C7h
		ja	loc_892174
		mov	ebx, [esi]
		test	ebx, ebx
		jz	loc_892174
		xor	eax, eax
		cmp	[ebx], ax
		jz	loc_892174
		xor	dl, dl
		mov	ecx, ebx
		call	_PiSwIsValidPnpId@8 ; PiSwIsValidPnpId(x,x)
		test	al, al
		jz	loc_892174
		mov	edi, [esi+8]
		test	edi, edi
		jz	short loc_89203F
		xor	eax, eax
		cmp	[edi], ax
		jz	short loc_89203F
		mov	ecx, edi
		call	_PiSwIsValidPnpId@8 ; PiSwIsValidPnpId(x,x)
		test	al, al
		jz	short loc_89203F
		lea	ecx, [ebx+2]
		xor	edx, edx

loc_891FE2:				; CODE XREF: PiSwValidateCreateData+95j
		mov	ax, [ebx]
		add	ebx, 2
		cmp	ax, dx
		jnz	short loc_891FE2
		sub	ebx, ecx
		lea	ecx, [edi+2]
		sar	ebx, 1

loc_891FF4:				; CODE XREF: PiSwValidateCreateData+A7j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, dx
		jnz	short loc_891FF4
		sub	edi, ecx
		lea	eax, [ebx+5]
		sar	edi, 1
		add	eax, edi
		cmp	eax, 0C7h
		ja	short loc_89203F
		test	dword ptr [esi+20h], 0FFFFFFF0h
		jnz	short loc_89203F
		mov	edx, [esi+0Ch]
		cmp	edx, 3FFh
		ja	short loc_89203F
		xor	ebx, ebx
		test	edx, edx
		jz	loc_89217A

loc_89202D:				; CODE XREF: PiSwValidateCreateData+227j
		mov	edi, [esi+10h]
		test	edi, edi
		jz	short loc_892077
		mov	ecx, edi
		call	_PnpValidateMultiSz@8 ;	PnpValidateMultiSz(x,x)
		test	eax, eax
		jns	short loc_89205E

loc_89203F:				; CODE XREF: PiSwValidateCreateData+73j
					; PiSwValidateCreateData+7Aj ...
		mov	edi, 0C000000Dh
		jmp	loc_892174
; 

loc_892049:				; CODE XREF: PiSwValidateCreateData+FCj
					; PiSwValidateCreateData+11Fj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_892049
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2

loc_89205E:				; CODE XREF: PiSwValidateCreateData+E7j
		cmp	[edi], bx
		jz	short loc_89207B
		mov	dl, 1
		mov	ecx, edi
		call	_PiSwIsValidPnpId@8 ; PiSwIsValidPnpId(x,x)
		test	al, al
		jz	short loc_89203F
		mov	ecx, edi
		lea	edx, [ecx+2]
		jmp	short loc_892049
; 

loc_892077:				; CODE XREF: PiSwValidateCreateData+DCj
		test	edx, edx
		jnz	short loc_89203F

loc_89207B:				; CODE XREF: PiSwValidateCreateData+10Bj
		mov	edx, [esi+14h]
		cmp	edx, 3FFh
		ja	short loc_89203F
		test	edx, edx
		jz	loc_892188

loc_89208E:				; CODE XREF: PiSwValidateCreateData+235j
		mov	edi, [esi+18h]
		test	edi, edi
		jz	short loc_8920D4
		mov	ecx, edi
		call	_PnpValidateMultiSz@8 ;	PnpValidateMultiSz(x,x)
		test	eax, eax
		js	short loc_89203F
		jmp	short loc_8920B7
; 

loc_8920A2:				; CODE XREF: PiSwValidateCreateData+155j
					; PiSwValidateCreateData+17Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_8920A2
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2

loc_8920B7:				; CODE XREF: PiSwValidateCreateData+14Aj
		cmp	[edi], bx
		jz	short loc_8920DC
		mov	dl, 1
		mov	ecx, edi
		call	_PiSwIsValidPnpId@8 ; PiSwIsValidPnpId(x,x)
		test	al, al
		jz	loc_89203F
		mov	ecx, edi
		lea	edx, [ecx+2]
		jmp	short loc_8920A2
; 

loc_8920D4:				; CODE XREF: PiSwValidateCreateData+13Dj
		test	edx, edx
		jnz	loc_89203F

loc_8920DC:				; CODE XREF: PiSwValidateCreateData+164j
		mov	ecx, [esi+24h]
		mov	edi, 7FFEh
		test	ecx, ecx
		jz	short loc_892102
		lea	edx, [ecx+2]

loc_8920EB:				; CODE XREF: PiSwValidateCreateData+19Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_8920EB
		sub	ecx, edx
		sar	ecx, 1
		cmp	ecx, edi
		ja	loc_89203F

loc_892102:				; CODE XREF: PiSwValidateCreateData+190j
		mov	ecx, [esi+28h]
		test	ecx, ecx
		jz	short loc_892123
		lea	edx, [ecx+2]

loc_89210C:				; CODE XREF: PiSwValidateCreateData+1BFj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_89210C
		sub	ecx, edx
		sar	ecx, 1
		cmp	ecx, edi
		ja	loc_89203F

loc_892123:				; CODE XREF: PiSwValidateCreateData+1B1j
		mov	eax, [esi+30h]
		test	eax, eax
		jnz	short loc_892133
		cmp	[esi+2Ch], ebx
		jnz	loc_89203F

loc_892133:				; CODE XREF: PiSwValidateCreateData+1D2j
		mov	ecx, [esi+2Ch]
		test	ecx, ecx
		jnz	short loc_892142
		test	eax, eax
		jnz	loc_89203F

loc_892142:				; CODE XREF: PiSwValidateCreateData+1E2j
		test	eax, eax
		jz	short loc_892155
		push	eax
		push	ecx
		call	_SeValidSecurityDescriptor@8 ; SeValidSecurityDescriptor(x,x)
		test	al, al
		jz	loc_89203F

loc_892155:				; CODE XREF: PiSwValidateCreateData+1EEj
		test	byte ptr [esi+20h], 8
		jnz	loc_92B515

loc_89215F:				; CODE XREF: PiSwValidateCreateData+995C2j
					; PiSwValidateCreateData+995D1j
		mov	ecx, [esi+38h]
		test	ecx, ecx
		jz	short loc_892196

loc_892166:				; CODE XREF: PiSwValidateCreateData+243j
		mov	edx, [esi+34h]
		test	edx, edx
		jz	short loc_8921A0

loc_89216D:				; CODE XREF: PiSwValidateCreateData+24Cj
		call	_PiSwValidatePropertyArray@8 ; PiSwValidatePropertyArray(x,x)
		mov	edi, eax

loc_892174:				; CODE XREF: PiSwValidateCreateData+24j
					; PiSwValidateCreateData+42j ...
		pop	ebx

loc_892175:				; CODE XREF: PiSwValidateCreateData+Dj
					; PiSwValidateCreateData+18j
		mov	eax, edi
		pop	edi
		pop	esi
		retn
; 

loc_89217A:				; CODE XREF: PiSwValidateCreateData+D1j
		cmp	[esi+10h], ebx
		jz	loc_89202D
		jmp	loc_89203F
; 

loc_892188:				; CODE XREF: PiSwValidateCreateData+132j
		cmp	[esi+18h], ebx
		jz	loc_89208E
		jmp	loc_89203F
; 

loc_892196:				; CODE XREF: PiSwValidateCreateData+20Ej
		cmp	[esi+34h], ebx
		jz	short loc_892166
		jmp	loc_89203F
; 

loc_8921A0:				; CODE XREF: PiSwValidateCreateData+215j
		test	ecx, ecx
		jz	short loc_89216D
		jmp	loc_89203F
PiSwValidateCreateData endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PiSwIsValidPnpId(x,	x)
_PiSwIsValidPnpId@8 proc near		; CODE XREF: PiSwValidateCreateData+61p
					; PiSwValidateCreateData+7Ep ...
		movzx	eax, word ptr [ecx]
		push	esi
		test	ax, ax
		jz	short loc_8921D5
		mov	esi, eax

loc_8921B5:				; CODE XREF: PiSwIsValidPnpId(x,x)+29j
		lea	eax, [esi-21h]
		cmp	ax, 5Eh
		ja	short loc_8921DF
		cmp	si, 2Ch
		jz	short loc_8921DF
		test	dl, dl
		jz	short loc_8921D9

loc_8921C8:				; CODE XREF: PiSwIsValidPnpId(x,x)+33j
		add	ecx, 2
		movzx	eax, word ptr [ecx]
		mov	esi, eax
		test	ax, ax
		jnz	short loc_8921B5

loc_8921D5:				; CODE XREF: PiSwIsValidPnpId(x,x)+7j
		mov	al, 1
		pop	esi
		retn
; 

loc_8921D9:				; CODE XREF: PiSwIsValidPnpId(x,x)+1Cj
		cmp	word ptr [ecx],	5Ch
		jnz	short loc_8921C8

loc_8921DF:				; CODE XREF: PiSwIsValidPnpId(x,x)+12j
					; PiSwIsValidPnpId(x,x)+18j
		xor	al, al
		pop	esi
		retn
_PiSwIsValidPnpId@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwIrpInterfacePropertySet proc near	; CODE XREF: PiSwDispatch+4Fp

var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
Handle		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 0092B54E SIZE 0000001E BYTES

		push	1Ch
		push	offset dword_6A72C0
		call	__SEH_prolog4
		mov	[ebp+var_2C], ecx
		mov	edx, [ecx+60h]
		mov	eax, [edx+18h]
		mov	eax, [eax+10h]
		mov	[ebp+var_24], eax
		xor	edi, edi
		mov	[ebp+Handle], edi
		mov	[ebp+var_1C], edi
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jz	loc_92B562
		lea	ecx, [ebp+Handle]
		push	ecx		; pHandle
		push	dword ptr [edx+8] ; BufferSize
		push	eax		; pBuffer
		call	ds:__imp__MesDecodeBufferHandleCreate@12 ; MesDecodeBufferHandleCreate(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_892311
		mov	[ebp+ms_exc.disabled], edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	offset dword_A40050
		push	(offset	loc_A400C7+1)
		push	offset dword_A3FCB4
		push	[ebp+Handle]
		call	ds:__imp__NdrMesTypeDecode2@20 ; NdrMesTypeDecode2(x,x,x,x,x)

loc_892249:				; CODE XREF: sub_92B53E+Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		js	loc_892311
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	loc_92B562
		cmp	[eax], edi
		jz	loc_92B562
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	loc_92B562
		mov	edx, [eax+4]
		test	edx, edx
		jz	loc_92B562
		call	_PiSwValidatePropertyArray@8 ; PiSwValidatePropertyArray(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_892311
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _PiSwLockObj
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [ebp+var_24]
		call	_PiSwDeviceOperationsAllowed@4 ; PiSwDeviceOperationsAllowed(x)
		test	al, al
		jz	loc_92B54E
		mov	edx, [ebp+var_1C]
		mov	edx, [edx]
		call	_PiSwDeviceFindInterfaceEntry@8	; PiSwDeviceFindInterfaceEntry(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_92B558
		mov	eax, [ebp+var_1C]
		push	dword ptr [eax+4]
		push	dword ptr [eax+8]
		mov	edx, [ecx+10h]
		mov	ecx, [ecx+0Ch]
		call	PiSwUpdateArrayProperties
		mov	esi, eax

loc_8922E5:				; CODE XREF: PiSwIrpInterfacePropertySet+9936Fj
					; PiSwIrpInterfacePropertySet+99379j
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		js	short loc_892311
		mov	ecx, [ebp+var_1C]
		push	dword ptr [ecx+4]
		push	dword ptr [ecx+8]
		push	3
		pop	edx
		mov	ecx, [ecx]
		call	PiSwPropertySet
		mov	esi, eax

loc_892311:				; CODE XREF: PiSwIrpInterfacePropertySet+40j
					; PiSwIrpInterfacePropertySet+6Ej ...
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_892323
		push	6370726Bh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_892323:				; CODE XREF: PiSwIrpInterfacePropertySet+132j
		cmp	[ebp+Handle], 0
		jz	short loc_892332
		push	[ebp+Handle]	; Handle
		call	ds:__imp__MesHandleFree@4 ; MesHandleFree(x)

loc_892332:				; CODE XREF: PiSwIrpInterfacePropertySet+143j
		mov	ecx, [ebp+var_2C]
		mov	[ecx+18h], esi
		xor	dl, dl
		call	IofCompleteRequest
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PiSwIrpInterfacePropertySet endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwDeviceFindInterfaceEntry(x, x)
_PiSwDeviceFindInterfaceEntry@8	proc near ; CODE XREF: PiSwIrpInterfaceSetState+B3p
					; PiSwIrpInterfaceRegister+132p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		lea	ebx, [ecx+64h]
		mov	esi, [ebx]
		push	edi
		mov	[ebp+var_4], eax
		xor	edi, edi

loc_892367:				; CODE XREF: PiSwDeviceFindInterfaceEntry(x,x)+36j
		cmp	esi, ebx
		jz	short loc_89237C
		push	dword ptr [esi+8] ; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_892383
		mov	edi, esi

loc_89237C:				; CODE XREF: PiSwDeviceFindInterfaceEntry(x,x)+17j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_892383:				; CODE XREF: PiSwDeviceFindInterfaceEntry(x,x)+26j
		mov	esi, [esi]
		mov	eax, [ebp+var_4]
		jmp	short loc_892367
_PiSwDeviceFindInterfaceEntry@8	endp

; 
		align 10h
; Exported entry 938. IoRegisterDeviceInterface

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoRegisterDeviceInterface
IoRegisterDeviceInterface proc near	; CODE XREF: PiSwCompleteCreate+99AECp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092B56C SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_C]
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_C], edx
		push	ebx
		mov	[eax], edx
		mov	ebx, edx
		mov	[ebp+var_4], ebx
		mov	[eax+4], edx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], edi
		test	ecx, ecx
		jz	loc_92B56C
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_92B56C
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_92B56C
		cmp	[eax+18h], edx
		jz	loc_892481
		push	edx
		lea	eax, [ebp+var_C]
		push	eax
		push	edx
		call	ObQueryNameStringMode
		cmp	[ebp+var_C], 8
		jbe	loc_892481
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_892456

loc_892406:				; CODE XREF: IoRegisterDeviceInterface+CAj
					; IoRegisterDeviceInterface+EFj
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_4]
		mov	edx, [ebp+arg_4] ; int
		and	[ebp+var_4], edi
		push	eax		; int
		mov	ecx, [ecx+18h]	; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	0		; char
		push	ebx		; int
		call	IopRegisterDeviceInterface
		mov	edi, [ebp+var_8]
		mov	esi, eax
		test	esi, esi
		js	short loc_892488
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_4]
		push	edi
		push	[ebp+arg_C]
		or	[ecx+1Ch], eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_892488

loc_892443:				; CODE XREF: IoRegisterDeviceInterface+DEj
					; IoRegisterDeviceInterface+F6j ...
		mov	edx, [ebp+arg_8]
		mov	ecx, ebx
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_892456:				; CODE XREF: IoRegisterDeviceInterface+74j
		cmp	word ptr [eax],	2
		jb	short loc_892406
		push	eax
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		call	PnpUnicodeStringToWstr
		mov	ebx, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_892443
		push	offset ??_C@_15MNCACJLI@?$AA?2?$AA?1@NNGAKEGL@ ; "\\/"
		push	ebx		; wchar_t *
		call	_wcspbrk
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_892406

loc_892481:				; CODE XREF: IoRegisterDeviceInterface+54j
					; IoRegisterDeviceInterface+69j
		mov	esi, 0C0000010h
		jmp	short loc_892443
; 

loc_892488:				; CODE XREF: IoRegisterDeviceInterface+99j
					; IoRegisterDeviceInterface+B1j
		xor	edx, edx
		jmp	loc_92B571
IoRegisterDeviceInterface endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall IopRegisterDeviceInterface(int,int,int,char,int,int)
IopRegisterDeviceInterface proc	near	; CODE XREF: PiSwIrpInterfaceRegister+109p
					; IoRegisterDeviceInterface+8Dp ...

var_F2		= byte ptr -0F2h
var_F1		= dword	ptr -0F1h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
Source2		= dword	ptr -0B8h
var_A8		= word ptr -0A8h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092B585 SIZE 00000117 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0F4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0F4h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	[esp+0F8h+var_CC], eax
		mov	eax, [ebp+arg_C]
		push	esi
		push	edi
		mov	[esp+100h+var_D0], eax
		lea	edi, [esp+100h+Source2]
		xor	eax, eax
		mov	[esp+100h+var_E4], ecx
		stosd
		mov	esi, edx
		push	ecx		; int
		lea	edx, [esp+104h+var_A8] ; void *
		mov	ecx, esi	; int
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, eax
		mov	[esp+104h+var_BC], eax
		mov	[esp+104h+var_EC], edi
		mov	[esp+104h+var_E0], eax
		mov	[esp+104h+var_D4], eax
		mov	byte ptr [esp+104h+var_E8], al
		mov	[esp+104h+var_C8], eax
		mov	byte ptr [esp+104h+var_F1], al
		mov	[esp+104h+var_F1+1], eax
		mov	[esp+104h+var_D8], eax
		mov	[esp+104h+var_C0], eax
		mov	[esp+104h+var_C4], eax
		mov	[ebx], eax
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92B668
		push	20207050h
		push	400h
		mov	esi, 200h
		push	1
		mov	[esp+10Ch+var_DC], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jz	loc_92B585
		lea	ecx, [esp+100h+var_DC]
		push	ecx
		push	esi
		push	eax
		xor	eax, eax
		lea	edx, [esp+10Ch+var_A8]
		push	eax
		push	[esp+110h+var_CC]
		push	[esp+114h+var_E4]
		call	_CmGetDeviceInterfaceName
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_92B58F

loc_892565:				; CODE XREF: IopRegisterDeviceInterface+99140j
		test	esi, esi
		js	loc_92B668
		mov	esi, [esp+100h+var_D0]
		test	esi, esi
		jz	short loc_89258C
		lea	ecx, [esp+100h+var_A8] ; wchar_t *
		call	_PipCheckForDenyExecute@4 ; PipCheckForDenyExecute(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, (offset loc_7FFFFF+1)
		mov	[esi], eax

loc_89258C:				; CODE XREF: IopRegisterDeviceInterface+E3j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		mov	edx, [ebx]
		lea	eax, [esp+100h+var_F1+1]
		push	eax
		push	3
		pop	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		test	eax, eax
		js	short loc_8925F5
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [esp+100h+var_F1+1]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+18h]
		xor	edx, edx
		mov	ecx, esi
		mov	[esp+100h+var_E8], eax
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		and	byte ptr [esp+100h+var_E8], 1

loc_8925F5:				; CODE XREF: IopRegisterDeviceInterface+127j
		lea	eax, [esp+100h+var_D8]
		push	eax
		push	4
		lea	edx, [esp+108h+var_A8]
		pop	ecx
		call	PiDmAddCacheReferenceForObject
		mov	esi, eax
		test	esi, esi
		js	loc_89275D
		mov	edi, [esp+100h+var_E4]
		lea	eax, [esp+100h+var_D4]
		xor	ecx, ecx
		mov	edx, edi
		push	eax
		inc	ecx
		call	PiDmAddCacheReferenceForObject
		mov	esi, eax
		test	esi, esi
		js	loc_89275D
		xor	ecx, ecx
		lea	eax, [esp+100h+var_C4]
		push	ecx
		push	eax
		push	10h
		lea	eax, [esp+10Ch+Source2]
		mov	edx, edi
		push	eax
		lea	eax, [esp+110h+var_C0]
		push	eax
		push	offset _DEVPKEY_Device_ContainerId
		push	ecx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jz	loc_92B5D5
		test	esi, esi
		js	loc_89275D

loc_89266D:				; CODE XREF: IopRegisterDeviceInterface+9914Fj
		lea	ecx, [esp+100h+Source2]	; Source2
		call	_PnpIsNullGuid@4 ; PnpIsNullGuid(x)
		test	al, al
		jnz	short loc_8926B3
		push	ecx		; int
		lea	edx, [esp+104h+var_58] ; void *
		lea	ecx, [esp+104h+Source2]	; int
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_89275D
		lea	eax, [esp+100h+var_EC]
		push	eax
		push	5
		lea	edx, [esp+108h+var_58]
		pop	ecx
		call	PiDmAddCacheReferenceForObject
		mov	esi, eax
		test	esi, esi
		js	loc_89275D

loc_8926B3:				; CODE XREF: IopRegisterDeviceInterface+1E8j
		cmp	byte ptr [esp+100h+var_E8], 0
		jz	loc_92B5E4

loc_8926BE:				; CODE XREF: IopRegisterDeviceInterface+9918Dj
		mov	edi, [esp+100h+var_F1+1]
		test	edi, edi
		jz	loc_92B622

loc_8926CA:				; CODE XREF: IopRegisterDeviceInterface+991AFj
		mov	edx, [esp+100h+var_D8]
		xor	eax, eax
		push	eax
		push	edi
		xor	ecx, ecx
		call	_PiDmListAddObject@16 ;	PiDmListAddObject(x,x,x,x)
		mov	esi, [esp+100h+var_E4]
		mov	ecx, esi
		movzx	edx, byte ptr [esp+100h+var_F1]
		neg	edx
		sbb	edx, edx
		lea	eax, [ecx+2]
		and	edx, 20000h
		mov	[esp+100h+var_D0], eax

loc_8926F5:				; CODE XREF: IopRegisterDeviceInterface+270j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+100h+var_BC]
		jnz	short loc_8926F5
		sub	ecx, [esp+100h+var_D0]
		push	edx
		mov	edx, [ebx]
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	esi
		push	12h
		push	offset _DEVPKEY_Device_InstanceId
		xor	eax, eax
		push	eax
		push	[esp+118h+var_E0]
		push	3
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92B644
		mov	edx, [esp+100h+var_D4]
		xor	eax, eax
		push	eax
		xor	ecx, ecx
		push	edi
		inc	ecx
		call	_PiDmListAddObject@16 ;	PiDmListAddObject(x,x,x,x)
		mov	edx, [esp+100h+var_EC]
		test	edx, edx
		jz	short loc_89275D
		xor	eax, eax
		push	eax
		push	edi
		push	2
		pop	ecx
		call	_PiDmListAddObject@16 ;	PiDmListAddObject(x,x,x,x)

loc_89275D:				; CODE XREF: IopRegisterDeviceInterface+17Aj
					; IopRegisterDeviceInterface+197j ...
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		js	loc_92B664
		cmp	[ebp+arg_4], 0
		jnz	short loc_89278C
		mov	edx, [ebx]
		push	1
		call	__CmSetDeviceInterfacePathFormat@12 ; _CmSetDeviceInterfacePathFormat(x,x,x)
		mov	esi, eax

loc_89278C:				; CODE XREF: IopRegisterDeviceInterface+2EFj
		mov	edi, [esp+100h+var_EC]

loc_892790:				; CODE XREF: IopRegisterDeviceInterface+991DCj
					; IopRegisterDeviceInterface+991EFj
		cmp	[esp+100h+var_E0], 0
		jnz	loc_92B684

loc_89279B:				; CODE XREF: IopRegisterDeviceInterface+991FDj
		mov	ecx, [esp+100h+var_C8]
		test	ecx, ecx
		jnz	loc_92B692

loc_8927A7:				; CODE XREF: IopRegisterDeviceInterface+99207j
		mov	ecx, [esp+100h+var_F1+1]
		test	ecx, ecx
		jz	short loc_8927B4
		call	PiDmObjectRelease

loc_8927B4:				; CODE XREF: IopRegisterDeviceInterface+31Dj
		mov	ebx, [esp+100h+var_D8]
		test	ebx, ebx
		jz	short loc_8927CF
		mov	edx, [ebx+0Ch]
		push	ecx
		mov	ecx, [ebx+14h]
		call	PiDmRemoveCacheReferenceForObject
		mov	ecx, ebx
		call	PiDmObjectRelease

loc_8927CF:				; CODE XREF: IopRegisterDeviceInterface+32Aj
		mov	ebx, [esp+100h+var_D4]
		test	ebx, ebx
		jz	short loc_8927EA
		mov	edx, [ebx+0Ch]
		push	ecx
		mov	ecx, [ebx+14h]
		call	PiDmRemoveCacheReferenceForObject
		mov	ecx, ebx
		call	PiDmObjectRelease

loc_8927EA:				; CODE XREF: IopRegisterDeviceInterface+345j
		test	edi, edi
		jz	short loc_892801
		mov	edx, [edi+0Ch]
		push	ecx
		mov	ecx, [edi+14h]
		call	PiDmRemoveCacheReferenceForObject
		mov	ecx, edi
		call	PiDmObjectRelease

loc_892801:				; CODE XREF: IopRegisterDeviceInterface+35Cj
		mov	ecx, [esp+100h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
IopRegisterDeviceInterface endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDmListInitEnumCallback proc near	; DATA XREF: PiDmListInit(x)+13o

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0092B69C SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	ecx, 400h
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	[esp+78h+var_5C], ebx
		mov	[esp+78h+var_64], edx
		mov	[esp+78h+var_68], ecx
		mov	[esp+78h+var_60], edx
		mov	[eax], dl

loc_892855:				; CODE XREF: PiDmListInitEnumCallback+98E98j
		cmp	ecx, [esi+4]
		ja	loc_89292A

loc_89285E:				; CODE XREF: PiDmListInitEnumCallback+139j
		push	edx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+7Ch+var_68]
		push	eax
		push	dword ptr [esi+4]
		lea	eax, [esp+84h+var_64]
		mov	[esp+84h+var_68], edx
		push	dword ptr [esi]
		push	eax
		imul	eax, [esi+8], 14h
		push	ds:off_4042D0[eax]
		push	edx
		push	edx
		push	dword ptr [ebx+14h]
		mov	edx, [ebx+0Ch]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jz	loc_92B6AC

loc_89289D:				; CODE XREF: PiDmListInitEnumCallback+98EA2j
		cmp	edi, 0C0000225h
		jz	short loc_89291B
		test	edi, edi
		js	short loc_892905
		cmp	[esp+78h+var_64], 0Dh
		jnz	short loc_89291F
		push	ecx		; int
		mov	ecx, [esi]	; int
		lea	edx, [esp+7Ch+var_58] ;	void *
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		lea	edx, [esp+78h+var_58]

loc_8928C0:				; CODE XREF: PiDmListInitEnumCallback+10Ej
		imul	ecx, [esi+8], 14h
		lea	eax, [esp+78h+var_60]
		push	eax
		mov	ecx, ds:_PiDmListDefs[ecx]
		call	PiDmAddCacheReferenceForObject
		mov	ebx, [esp+78h+var_60]
		mov	edi, eax
		test	edi, edi
		js	short loc_8928EE
		mov	ecx, [esi+8]
		mov	edx, ebx
		push	0
		push	[esp+7Ch+var_5C]
		call	_PiDmListAddObject@16 ;	PiDmListAddObject(x,x,x,x)

loc_8928EE:				; CODE XREF: PiDmListInitEnumCallback+C2j
		test	ebx, ebx
		jz	short loc_892905
		mov	edx, [ebx+0Ch]
		push	ecx
		mov	ecx, [ebx+14h]
		call	PiDmRemoveCacheReferenceForObject
		mov	ecx, ebx
		call	PiDmObjectRelease

loc_892905:				; CODE XREF: PiDmListInitEnumCallback+8Dj
					; PiDmListInitEnumCallback+D6j	...
		mov	ecx, [esp+78h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_89291B:				; CODE XREF: PiDmListInitEnumCallback+89j
		xor	edi, edi
		jmp	short loc_892905
; 

loc_89291F:				; CODE XREF: PiDmListInitEnumCallback+94j
		cmp	[esp+78h+var_64], 12h
		jnz	short loc_892905
		mov	edx, [esi]
		jmp	short loc_8928C0
; 

loc_89292A:				; CODE XREF: PiDmListInitEnumCallback+3Ej
		mov	eax, [esi]
		mov	[esi+4], ecx
		test	eax, eax
		jnz	loc_92B69C

loc_892937:				; CODE XREF: PiDmListInitEnumCallback+98E8Dj
		mov	eax, [esi+4]
		push	5A706E50h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	loc_92B6B7
		xor	edx, edx
		jmp	loc_89285E
PiDmListInitEnumCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmListAddObject(x, x, x, x)
_PiDmListAddObject@16 proc near		; CODE XREF: PiPnpRtlCmActionCallback+348p
					; IopRegisterDeviceInterface+244p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		mov	ecx, [eax+14h]
		call	PiDmGetObjectManagerForObjectType
		mov	esi, large fs:124h
		mov	edi, eax
		dec	word ptr [esi+13Ch]
		nop
		mov	esi, [ebp+var_4]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+arg_0]
		push	esi
		call	_PiDmListAddObjectWorker@20 ; PiDmListAddObjectWorker(x,x,x,x,x)
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiDmListAddObject@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmListAddObjectWorker(x, x, x, x,	x)
_PiDmListAddObjectWorker@20 proc near	; CODE XREF: PiDmListAddObject(x,x,x,x)+59p
					; PiDmListAddList(x,x,x,x)+B2p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		imul	eax, ecx, 14h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		mov	edi, ds:dword_4042CC[eax]
		add	edi, [ebp+arg_4]
		mov	esi, ds:dword_4042C4[eax]
		add	esi, [ebp+arg_0]
		cmp	[edi], ebx
		jnz	short loc_892A6F
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	edx
		call	ExAcquireResourceExclusiveLite
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		inc	dword ptr [eax+8]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_892A77
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	[edi], esi
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[esi+4], edi
		inc	dword ptr [esi+8]
		push	1
		call	PiDmListUpdateAggregationCountWorker

loc_892A61:				; CODE XREF: PiDmListAddObjectWorker(x,x,x,x,x)+89j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_892A73

loc_892A68:				; CODE XREF: PiDmListAddObjectWorker(x,x,x,x,x)+8Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_892A6F:				; CODE XREF: PiDmListAddObjectWorker(x,x,x,x,x)+26j
		mov	bl, 1
		jmp	short loc_892A61
; 

loc_892A73:				; CODE XREF: PiDmListAddObjectWorker(x,x,x,x,x)+7Ej
		mov	[eax], bl
		jmp	short loc_892A68
; 

loc_892A77:				; CODE XREF: PiDmListAddObjectWorker(x,x,x,x,x)+5Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PiDmListAddObjectWorker@20 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDmListUpdateAggregationCountWorker proc near
					; CODE XREF: PiDmListAddObjectWorker(x,x,x,x,x)+74p
					; PiDmListRemoveObjectWorker(x,x,x,x,x)+96p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092B6C1 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	ebx, ebx
		mov	eax, edx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	edi, ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	byte ptr [ebp+var_1], bl

loc_892A9F:				; CODE XREF: PiDmListUpdateAggregationCountWorker+34j
		mov	ecx, ds:_PiDmAggregatedBooleanDefs[ebx]
		cmp	[eax+14h], ecx
		jz	short loc_892AB9

loc_892AAA:				; CODE XREF: PiDmListUpdateAggregationCountWorker+B7j
		add	ebx, 1Ch
		cmp	ebx, 54h
		jb	short loc_892A9F
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_892AB9:				; CODE XREF: PiDmListUpdateAggregationCountWorker+2Cj
		mov	eax, [edi+14h]
		cmp	eax, ds:dword_401B1C[ebx]
		jnz	short loc_892B30
		mov	esi, ds:dword_401B28[ebx]
		add	esi, edi
		cmp	dword ptr [esi], 80000000h
		jz	short loc_892B30
		lea	eax, [ebp+var_C]
		push	eax
		lea	edx, [ebp+var_10]
		call	_PiDmGetCacheKeys@12 ; PiDmGetCacheKeys(x,x,x)
		push	ds:off_401B14[ebx] ; void *
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		call	_PiDmGetCachedKeyIndex@12 ; PiDmGetCachedKeyIndex(x,x,x)
		cmp	eax, [ebp+var_C]
		jnb	short loc_892B30
		mov	ecx, [ebp+var_8]
		imul	eax, 14h
		add	ecx, 40h
		add	ecx, eax
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_892B38
		cmp	eax, 1
		jz	short loc_892B38
		lea	eax, [ebp+var_18]
		push	eax
		push	1
		lea	eax, [ebp+var_1]
		push	eax
		lea	edx, [ebp+var_14]
		call	PiDmCacheDataDecode
		test	eax, eax
		js	loc_92B6D5
		cmp	byte ptr [ebp+var_1], 0FFh
		jz	loc_92B6C1

loc_892B30:				; CODE XREF: PiDmListUpdateAggregationCountWorker+46j
					; PiDmListUpdateAggregationCountWorker+56j ...
		mov	eax, [ebp+var_8]
		jmp	loc_892AAA
; 

loc_892B38:				; CODE XREF: PiDmListUpdateAggregationCountWorker+89j
					; PiDmListUpdateAggregationCountWorker+8Ej ...
		mov	dword ptr [esi], 80000000h
		jmp	short loc_892B30
PiDmListUpdateAggregationCountWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PipCheckForDenyExecute(wchar_t	*)
_PipCheckForDenyExecute@4 proc near	; CODE XREF: IopRegisterDeviceInterface+E9p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		xor	eax, eax
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], eax
		mov	esi, eax
		mov	[ebp+var_4], eax
		push	edi		; wchar_t *
		push	offset ??_C@_1EO@OJOAMFJO@?$AA?$HL?$AA5?$AA3?$AAf?$AA5?$AA6?$AA3?$AA0?$AAd?$AA?9?$AAb?$AA6?$AAb?$AAf?$AA?9@NNGAKEGL@ ; wchar_t *
		mov	[ebp+var_8], esi
		mov	bl, al
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_892C1E
		push	edi
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		push	offset ??_C@_1HG@BJBJOOLC@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	3
		lea	eax, [ebp+var_8]
		push	eax
		push	47706E50h
		push	200h
		call	PnpConcatPWSTR
		mov	esi, [ebp+var_8]
		add	esp, 1Ch
		test	eax, eax
		js	short loc_892C1E
		push	esi
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_14]
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_24], eax
		xor	edi, edi
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_28], edi
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_20], 240h
		push	eax
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_892C1E
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		push	eax
		push	edi
		mov	edx, offset ??_C@_1BK@CNPDEJDJ@?$AAD?$AAe?$AAn?$AAy?$AA_?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAe@NNGAKEGL@ ;	"Deny_Execute"
		call	IopGetRegistryValue
		mov	ecx, [ebp+var_C]
		test	eax, eax
		js	short loc_892C13
		test	ecx, ecx
		jz	short loc_892C1E
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_892C13
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_892C13
		mov	eax, [ecx+8]
		cmp	[ecx+eax], edi
		jz	short loc_892C13
		mov	bl, 1

loc_892C13:				; CODE XREF: PipCheckForDenyExecute(x)+B7j
					; PipCheckForDenyExecute(x)+C1j ...
		test	ecx, ecx
		jz	short loc_892C1E
		push	edi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_892C1E:				; CODE XREF: PipCheckForDenyExecute(x)+31j
					; PipCheckForDenyExecute(x)+5Fj ...
		cmp	[ebp+var_4], 0
		jz	short loc_892C2C
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_892C2C:				; CODE XREF: PipCheckForDenyExecute(x)+E2j
		test	esi, esi
		jz	short loc_892C3B
		push	47706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_892C3B:				; CODE XREF: PipCheckForDenyExecute(x)+EEj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_PipCheckForDenyExecute@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpLoadInstallLanguageFallback	proc near ; CODE XREF: _RtlpMuiRegLoadInstalled+50p
					; _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+129p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092B6F0 SIZE 000000D8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	ebx, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		push	esi
		mov	esi, edx
		mov	[ebp+var_14], esi
		push	edi
		test	ecx, ecx
		jz	loc_92B7BE
		test	esi, esi
		jz	loc_92B7BE
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_92B7BE
		mov	edx, 0ACh
		call	_MuiRegAllocArray
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_92B6F0
		push	158h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		and	[ebp+var_10], 0
		add	esp, 0Ch
		xor	eax, eax
		mov	[esi], ax
		mov	[edi], ax
		lea	eax, [ebp+var_20]
		push	offset ??_C@_1IA@LECPAJIF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		push	ecx
		lea	ecx, [ebp+var_20]
		call	_LdrpOpenKey@16	; LdrpOpenKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_892D04
		push	offset ??_C@_1DA@LMPHJKLA@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@NNGAKEGL@	; "I"
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ecx		; int
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	ebx		; void *
		lea	eax, [ebp+var_10]
		mov	[ebp+var_18], 4
		push	eax		; int
		lea	edx, [ebp+var_20]
		call	LdrpQueryValueKey
		mov	esi, eax
		test	esi, esi
		jns	loc_92B6FA

loc_892D04:				; CODE XREF: RtlpLoadInstallLanguageFallback+8Cj
					; RtlpLoadInstallLanguageFallback+98AB3j ...
		cmp	[ebp+var_C], 0
		jz	short loc_892D12
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_892D12:				; CODE XREF: RtlpLoadInstallLanguageFallback+C6j
		test	ebx, ebx
		jz	short loc_892D1F
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_892D1F:				; CODE XREF: RtlpLoadInstallLanguageFallback+D2j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
RtlpLoadInstallLanguageFallback	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvHiveStartMemoryBacked	proc near	; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+41Fp
					; CmpGetSystemControlValues+BBp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 0092B7C8 SIZE 00000210 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_14], 0
		mov	eax, edx
		and	[ebp+var_10], 0
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_28]
		mov	[ebx+1Ch], edi
		test	eax, eax
		jz	short loc_892D55
		cmp	eax, 1
		jnz	loc_893091

loc_892D55:				; CODE XREF: HvHiveStartMemoryBacked+22j
					; HvHiveStartMemoryBacked+36Cj	...
		mov	edx, [ebp+arg_0]
		mov	[ebp+arg_0], edx
		test	edx, 0FF617CECh
		jnz	loc_892F9D
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 2
		ja	loc_892F9D
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jz	loc_892F9D
		cmp	esi, 8
		ja	loc_892F9D
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	loc_892F8A

loc_892D92:				; CODE XREF: HvHiveStartMemoryBacked+26Fj
		mov	eax, [ebp+arg_20]
		test	eax, eax
		jz	short loc_892D9C
		mov	byte ptr [eax],	0

loc_892D9C:				; CODE XREF: HvHiveStartMemoryBacked+6Fj
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_892DC3
		mov	eax, [eax]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+arg_C]
		mov	eax, [eax+4]
		mov	[ebx+10h], eax
		mov	eax, [ebp+arg_C]
		mov	eax, [eax+0Ch]
		mov	[ebx+14h], eax
		mov	eax, [ebp+arg_C]
		mov	eax, [eax+10h]
		mov	[ebx+18h], eax

loc_892DC3:				; CODE XREF: HvHiveStartMemoryBacked+79j
		test	ecx, ecx
		jnz	loc_892FA2
		and	[ebx+68h], ecx

loc_892DCE:				; CODE XREF: HvHiveStartMemoryBacked+286j
		mov	eax, [ebp+arg_10]
		mov	[ebx+4Ch], eax
		mov	al, dl
		not	al
		mov	[ebx+64h], edx
		and	eax, 0FFFFFF01h
		mov	dword ptr [ebx+98h], 2
		mov	[ebp+arg_C], eax
		lea	eax, [ebp+var_14]
		push	eax
		mov	dword ptr [ebx+48h], 1000h
		mov	dword ptr [ebx+4], offset _HvpGetCellPaged@12 ;	HvpGetCellPaged(x,x,x)
		mov	dword ptr [ebx+8], offset HvpReleaseCellPaged
		call	KeQuerySystemTime
		mov	eax, [ebp+var_14]
		xor	edx, edx
		mov	[ebp+arg_4], eax
		inc	edx
		mov	[ebx+88h], eax
		mov	eax, [ebp+var_10]
		mov	[ebp+var_10], eax
		mov	[ebx+8Ch], eax
		mov	eax, [ebp+var_8]
		mov	[ebx+82h], dl
		test	eax, eax
		jz	loc_892FB3
		cmp	eax, 4
		jz	loc_89309F
		cmp	eax, 3
		jz	loc_92B8A5
		cmp	eax, edx
		jnz	loc_92B9CE
		cmp	dword ptr [esi], 66676572h
		jnz	loc_92B8B7
		cmp	dword ptr [esi+1Ch], 0
		jnz	loc_92B8B7
		cmp	[esi+20h], edx
		jnz	loc_92B8B7
		cmp	[esi+14h], edx
		ja	loc_92B8B7
		mov	eax, [esi+18h]
		sub	eax, 3
		cmp	eax, 3
		ja	loc_92B8B7
		cmp	dword ptr [esi+28h], 7FFFE000h
		ja	loc_92B8B7
		mov	ecx, esi
		call	_HvpHeaderCheckSum@4 ; HvpHeaderCheckSum(x)
		cmp	eax, [esi+1FCh]
		jnz	loc_92B8B7
		push	33314D43h
		push	[ebp+arg_C]
		push	dword ptr [ebx+48h]
		call	dword ptr [ebx+0Ch]
		mov	ecx, eax
		mov	[ebx+20h], ecx
		test	ecx, ecx
		jz	loc_92B94A
		mov	eax, [ebp+arg_10]
		shl	eax, 9
		dec	eax
		test	eax, ecx
		jnz	loc_92B954
		mov	eax, [ebp+arg_24]
		test	eax, eax
		jz	short loc_892EDF
		mov	dword ptr [eax], 33314D43h

loc_892EDF:				; CODE XREF: HvHiveStartMemoryBacked+1AFj
					; HvHiveStartMemoryBacked+98C59j ...
		mov	edi, [ebx+20h]
		mov	ecx, 80h
		rep movsd
		mov	esi, [ebp+arg_8]
		mov	ecx, [ebx+20h]
		push	0
		mov	eax, [esi+0FFCh]
		mov	[ecx+0FFCh], eax
		mov	ecx, [ebx+20h]
		mov	eax, [esi+0FF8h]
		mov	[ecx+0FF8h], eax
		mov	eax, [esi+4]
		mov	[ebx+6Ch], eax
		mov	[ebx+78h], eax
		mov	[ebx+70h], eax
		mov	eax, [ebx+20h]
		mov	ecx, [eax+14h]
		mov	eax, [eax+18h]
		shl	ecx, 0Ch
		add	eax, 0FFFFF000h
		add	eax, ecx
		mov	ecx, ebx
		mov	[ebx+9Ch], eax
		mov	edx, [esi+28h]
		call	_HvpAdjustHiveFreeDisplay@12 ; HvpAdjustHiveFreeDisplay(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_92B992
		push	20000h
		lea	edx, [esi+1000h]
		mov	ecx, ebx
		call	HvpBuildMapForMemoryBackedHive
		test	eax, eax
		js	loc_92B7F9
		mov	eax, [ebx+20h]
		test	byte ptr [eax+90h], 1
		jnz	loc_92B9B8

loc_892F6F:				; CODE XREF: HvHiveStartMemoryBacked+98C95j
					; HvHiveStartMemoryBacked+98CA1j
		and	dword ptr [eax+90h], 0FFFFFFFEh
		mov	edx, [ebp+arg_14]
		mov	ecx, [ebx+20h]
		call	_HvpFillFileName@8 ; HvpFillFileName(x,x)

loc_892F81:				; CODE XREF: HvHiveStartMemoryBacked+364j
					; HvHiveStartMemoryBacked+3B6j	...
		xor	eax, eax

loc_892F83:				; CODE XREF: HvHiveStartMemoryBacked+98AF7j
					; HvHiveStartMemoryBacked+98BFFj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	2Ch
; 

loc_892F8A:				; CODE XREF: HvHiveStartMemoryBacked+64j
		cmp	eax, 4
		jz	short loc_892F9D
		cmp	eax, 3
		jz	short loc_892F9D
		cmp	eax, 1
		jnz	loc_892D92

loc_892F9D:				; CODE XREF: HvHiveStartMemoryBacked+39j
					; HvHiveStartMemoryBacked+45j ...
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_892FA2:				; CODE XREF: HvHiveStartMemoryBacked+9Dj
		dec	ecx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 3
		inc	ecx
		mov	[ebx+68h], ecx
		jmp	loc_892DCE
; 

loc_892FB3:				; CODE XREF: HvHiveStartMemoryBacked+109j
		push	31314D43h
		push	[ebp+arg_C]
		push	dword ptr [ebx+48h]
		call	dword ptr [ebx+0Ch]
		mov	esi, eax
		mov	[ebp+arg_C], esi
		test	esi, esi
		jz	loc_92B7D6
		mov	eax, [ebp+arg_10]
		shl	eax, 9
		dec	eax
		test	eax, esi
		jnz	loc_92B824
		mov	eax, [ebp+arg_24]
		test	eax, eax
		jz	short loc_892FEA
		mov	dword ptr [eax], 31314D43h

loc_892FEA:				; CODE XREF: HvHiveStartMemoryBacked+2BAj
					; HvHiveStartMemoryBacked+98B2Bj ...
		push	1000h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edx, [ebp+arg_14]
		xor	eax, eax
		or	dword ptr [esi+24h], 0FFFFFFFFh
		inc	eax
		add	esp, 0Ch
		mov	dword ptr [esi], 66676572h
		mov	ecx, esi
		mov	[esi+4], eax
		mov	[esi+8], eax
		mov	[esi+20h], eax
		mov	[esi+2Ch], eax
		call	_HvpFillFileName@8 ; HvpFillFileName(x,x)
		mov	eax, [ebp+arg_0]
		and	dword ptr [esi+90h], 0
		and	eax, 80000h
		jnz	loc_92B864

loc_893032:				; CODE XREF: HvHiveStartMemoryBacked+98B46j
		neg	eax
		sbb	eax, eax
		xor	ecx, ecx
		inc	ecx
		and	eax, 3
		mov	[esi+14h], ecx
		add	eax, 3
		mov	[esi+18h], eax
		mov	[ebx+9Ch], eax
		mov	eax, [ebp+arg_4]
		mov	dword ptr [esi+0A4h], 6D746D72h
		mov	[ebx+6Ch], ecx
		mov	[ebx+78h], ecx
		mov	[ebx+70h], ecx
		mov	ecx, [ebp+arg_18]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_10]
		mov	[esi+10h], eax
		test	ecx, ecx
		jnz	loc_92B873

loc_893075:				; CODE XREF: HvHiveStartMemoryBacked+98B66j
		cmp	[ebp+arg_1C], 0
		jnz	loc_92B893

loc_89307F:				; CODE XREF: HvHiveStartMemoryBacked+98B78j
		mov	eax, [ebp+arg_C]
		mov	[ebx+20h], eax
		and	dword ptr [eax+0FF8h], 0
		jmp	loc_892F81
; 

loc_893091:				; CODE XREF: HvHiveStartMemoryBacked+27j
		cmp	eax, 4
		jz	loc_892D55
		jmp	loc_92B7C8
; 

loc_89309F:				; CODE XREF: HvHiveStartMemoryBacked+112j
		mov	[ebx+20h], esi
		mov	ecx, [esi+14h]
		mov	eax, [esi+18h]
		add	eax, 0FFFFF000h
		shl	ecx, 0Ch
		add	eax, ecx
		mov	dword ptr [ebx+4], offset _HvpGetCellFlat@12 ; HvpGetCellFlat(x,x,x)
		or	byte ptr [ebx+50h], 3
		mov	[ebx+9Ch], eax
		mov	dword ptr [ebx+8], offset _HvpReleaseCellFlat@8	; HvpReleaseCellFlat(x,x)
		mov	eax, [esi+28h]
		mov	[ebx+0C8h], eax
		mov	[ebx+98h], edx

loc_8930D9:				; CODE XREF: HvHiveStartMemoryBacked+98C17j
		mov	eax, [ebp+arg_24]
		test	eax, eax
		jz	loc_892F81
		and	dword ptr [eax], 0
		jmp	loc_892F81
HvHiveStartMemoryBacked	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpBuildMapForMemoryBackedHive proc near ; CODE	XREF: HvHiveStartMemoryBacked+22Ap
					; HvHiveStartMemoryBacked+98C0Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092B9D8 SIZE 000000AF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_14], edx
		push	esi
		xor	al, al
		mov	[ebp+var_C], ebx
		push	edi
		mov	esi, [ebx+1Ch]
		mov	[ebp+var_1], al
		call	HvpInitMap
		mov	edi, eax
		test	edi, edi
		js	loc_8931A3
		mov	eax, [ebx+20h]
		xor	edx, edx
		mov	[ebp+var_8], edx
		mov	eax, [eax+28h]
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_8931A1
		mov	edi, 40000009h

loc_89312D:				; CODE XREF: HvpBuildMapForMemoryBackedHive+AFj
		mov	ebx, [ebp+var_14]
		add	ebx, edx
		push	eax
		mov	ecx, ebx
		call	_HvpValidateLoadedBin@12 ; HvpValidateLoadedBin(x,x,x)
		test	al, al
		jz	loc_92B9D8

loc_893142:				; CODE XREF: HvpBuildMapForMemoryBackedHive+98937j
		mov	ecx, [ebx+8]
		call	CmpClaimGlobalQuota
		test	al, al
		jz	loc_92BA34
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		push	0
		push	0
		push	[ebp+var_8]
		push	dword ptr [ebx+8]
		call	HvpPointMapEntriesToBuffer
		mov	eax, [ebp+var_C]
		test	byte ptr [eax+50h], 2
		jnz	short loc_89318A
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	ecx, eax
		push	[ebp+var_8]
		call	HvpEnlistFreeCells
		cmp	eax, edi
		jz	short loc_8931AC
		test	eax, eax
		js	loc_92BA55

loc_89318A:				; CODE XREF: HvpBuildMapForMemoryBackedHive+81j
		mov	cl, [ebp+var_1]

loc_89318D:				; CODE XREF: HvpBuildMapForMemoryBackedHive+C5j
		mov	edx, [ebp+var_8]
		add	edx, [ebx+8]
		mov	eax, [ebp+var_10]
		mov	[ebp+var_8], edx
		cmp	edx, eax
		jb	short loc_89312D
		test	cl, cl
		jnz	short loc_8931A3

loc_8931A1:				; CODE XREF: HvpBuildMapForMemoryBackedHive+3Aj
		xor	edi, edi

loc_8931A3:				; CODE XREF: HvpBuildMapForMemoryBackedHive+24j
					; HvpBuildMapForMemoryBackedHive+B3j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8931AC:				; CODE XREF: HvpBuildMapForMemoryBackedHive+94j
		mov	cl, 1
		mov	[ebp+var_1], cl
		jmp	short loc_89318D
HvpBuildMapForMemoryBackedHive endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindSubKeyByName(x, x, x)
_CmpFindSubKeyByName@12	proc near	; CODE XREF: CmpLoadServicesNode(x,x,x,x)+29p
					; CmpFindGroupOrderList(x,x)+29p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_0]
		call	CmpFindSubKeyByNameWithStatus
		mov	eax, [ebp+var_4]
		leave
		retn	4
_CmpFindSubKeyByName@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFindControlSet proc near		; CODE XREF: CmpAcquireSystemDriverHiveContext(x)+3Ap
					; CmpGetSystemControlValues+106p

var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_88		= dword	ptr -88h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092BA87 SIZE 0000006A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1D4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	[ebp+var_19C], eax
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_1C4], edx
		xor	ecx, ecx
		mov	[ebp+var_1B4], eax
		push	edi
		mov	[ebp+var_1AC], eax
		mov	[ebp+var_1D4], eax
		mov	[ebp+var_1A4], eax
		mov	[ebp+var_1CC], eax
		lea	eax, [ebp+var_1A4]
		push	eax
		push	edx
		push	esi
		mov	[ebp+var_194], ecx
		mov	[ebp+var_190], ecx
		mov	[ebp+var_1C0], ecx
		mov	[ebp+var_1BC], ecx
		mov	[ebp+var_1B0], ecx
		mov	[ebp+var_1A8], ecx
		mov	[ebp+var_1D0], ecx
		mov	[ebp+var_1B8], ecx
		mov	[ebp+var_1A0], ecx
		mov	[ebp+var_1C8], ecx
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	loc_893576
		push	offset ??_C@_1O@DBFGALKA@?$AAs?$AAe?$AAl?$AAe?$AAc?$AAt@NNGAKEGL@ ; "select"
		lea	eax, [ebp+var_194]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		and	[ebp+var_198], 0
		lea	eax, [ebp+var_198]
		push	eax
		lea	eax, [ebp+var_194]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	CmpFindSubKeyByNameWithStatus
		lea	eax, [ebp+var_1A4]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	[ebp+var_198], 0FFFFFFFFh
		jz	loc_893576
		lea	eax, [ebp+var_1A4]
		push	eax
		push	[ebp+var_198]
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	loc_893576
		push	offset ??_C@_1BG@MJOFNOIM@?$AAA?$AAu?$AAt?$AAo?$AAS?$AAe?$AAl?$AAe?$AAc?$AAt@NNGAKEGL@
		lea	eax, [ebp+var_194]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ecx, ecx
		lea	eax, [ebp+var_18C]
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_194]
		mov	[ebp+var_18C], ecx
		push	eax
		lea	edx, [edi+24h]
		mov	ecx, esi
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		lea	eax, [ebp+var_1A4]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	[ebp+var_18C], 0FFFFFFFFh
		jnz	loc_92BA87
		mov	byte ptr [ebx],	1

loc_893323:				; CODE XREF: CmpFindControlSet+9890Ej
		lea	eax, [ebp+var_1A4]
		push	eax
		push	[ebp+var_198]
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_893576
		lea	ecx, [ebp+var_18C]
		xor	edi, edi
		push	ecx
		push	edi
		push	edi
		push	[ebp+var_19C]
		lea	edx, [eax+24h]
		mov	[ebp+var_18C], edi
		mov	ecx, esi
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		lea	eax, [ebp+var_1A4]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	[ebp+var_18C], 0FFFFFFFFh
		jz	loc_893576
		lea	eax, [ebp+var_1B4]
		push	eax
		push	[ebp+var_18C]
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_893576
		cmp	dword ptr [eax+0Ch], 4
		jnz	loc_92BAE5
		mov	edx, [ebp+var_18C]
		lea	ecx, [ebp+var_1AC]
		push	ecx
		lea	ecx, [ebp+var_1B8]
		push	ecx
		push	eax
		mov	ecx, esi
		call	CmpValueToData
		mov	ebx, eax
		lea	eax, [ebp+var_1B4]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		test	ebx, ebx
		jz	loc_893576
		push	dword ptr [ebx]
		lea	eax, [ebp+var_88]
		push	offset ??_C@_0P@IKGNAJNG@ControlSet?$CF03d@NNGAKEGL@ ; "ControlSet%03d"
		push	80h
		push	eax
		call	_sprintf_s
		lea	ecx, [ebp+var_88]
		add	esp, 10h
		lea	edx, [ecx+1]

loc_8933ED:				; CODE XREF: CmpFindControlSet+220j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_8933ED
		lea	eax, [ebp+var_88]
		mov	[ebp+var_194], 1000000h
		mov	[ebp+var_1BC], eax
		sub	ecx, edx
		lea	eax, [ebp+var_188]
		mov	word ptr [ebp+var_1C0+2], cx
		mov	[ebp+var_190], eax
		lea	eax, [ebp+var_1C0]
		push	edi
		push	eax
		lea	eax, [ebp+var_194]
		mov	word ptr [ebp+var_1C0],	cx
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	loc_89356B
		lea	eax, [ebp+var_1A4]
		push	eax
		push	[ebp+var_1C4]
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_89356B
		lea	ecx, [ebp+var_19C]
		mov	[ebp+var_19C], edi
		push	ecx
		lea	ecx, [ebp+var_194]
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	CmpFindSubKeyByNameWithStatus
		lea	eax, [ebp+var_1A4]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	[ebp+var_19C], 0FFFFFFFFh
		jz	loc_89356B
		lea	eax, [ebp+var_1A4]
		push	eax
		push	[ebp+var_198]
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	loc_89356B
		push	offset ??_C@_1BA@OFLJGHK@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@NNGAKEGL@
		lea	eax, [ebp+var_194]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ecx, ecx
		lea	eax, [ebp+var_18C]
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_194]
		mov	[ebp+var_18C], ecx
		push	eax
		lea	edx, [edi+24h]
		mov	ecx, esi
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		lea	eax, [ebp+var_1A4]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	[ebp+var_18C], 0FFFFFFFFh
		jz	short loc_893549
		lea	eax, [ebp+var_1B4]
		push	eax
		push	[ebp+var_18C]
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_89356B
		cmp	dword ptr [eax+0Ch], 4
		jnz	short loc_89353E
		mov	edx, [ebp+var_18C]
		lea	ecx, [ebp+var_1D4]
		push	ecx
		lea	ecx, [ebp+var_1B8]
		push	ecx
		push	eax
		mov	ecx, esi
		call	CmpValueToData
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_89356B
		mov	eax, [ebx]
		mov	[ecx], eax
		lea	eax, [ebp+var_1D4]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_89353E:				; CODE XREF: CmpFindControlSet+339j
		lea	eax, [ebp+var_1B4]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_893549:				; CODE XREF: CmpFindControlSet+31Ej
		lea	eax, [ebp+var_1AC]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, [ebp+var_19C]

loc_89355A:				; CODE XREF: CmpFindControlSet+3A7j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_89356B:				; CODE XREF: CmpFindControlSet+26Aj
					; CmpFindControlSet+283j ...
		lea	eax, [ebp+var_1AC]
		push	eax

loc_893572:				; CODE XREF: CmpFindControlSet+9891Aj
		push	esi
		call	dword ptr [esi+8]

loc_893576:				; CODE XREF: CmpFindControlSet+9Bj
					; CmpFindControlSet+E2j ...
		or	eax, 0FFFFFFFFh
		jmp	short loc_89355A
CmpFindControlSet endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpWalkPath(x, x, x)
_CmpWalkPath@12	proc near		; CODE XREF: CmpPreserveSystemHiveData(x,x)+17Cp
					; CmpPreserveSystemHiveData(x,x)+18Ap ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		and	[ebp+var_8], 0
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	esi, edx
		mov	edi, ecx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	_CmpWalkUnicodeStringPath@12 ; CmpWalkUnicodeStringPath(x,x,x)
		pop	edi
		pop	esi
		leave
		retn	4
_CmpWalkPath@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpWalkUnicodeStringPath(x,	x, x)
_CmpWalkUnicodeStringPath@12 proc near	; CODE XREF: CmpWalkPath(x,x,x)+2Ap
					; CmpFindHiveSubKey:loc_ACA501p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		mov	edx, [ebp+arg_0]
		or	[ebp+var_14], 0FFFFFFFFh
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], ebx
		mov	eax, [edx]
		mov	[ebp+var_1C], eax
		mov	eax, [edx+4]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_18], eax

loc_8935DE:				; CODE XREF: CmpWalkUnicodeStringPath(x,x,x)+70j
		lea	eax, [ebp+arg_0+3]
		push	eax
		lea	edx, [ebp+var_C]
		lea	ecx, [ebp+var_1C]
		call	_CmpGetNextName@12 ; CmpGetNextName(x,x,x)
		cmp	word ptr [ebp+var_C], bx
		jz	short loc_893629
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	short loc_893624
		lea	ecx, [ebp+arg_0]
		mov	[ebp+arg_0], ebx
		push	ecx
		lea	ecx, [ebp+var_C]
		mov	edx, eax
		push	ecx
		mov	ecx, edi
		call	CmpFindSubKeyByNameWithStatus
		mov	esi, [ebp+arg_0]
		lea	ecx, [ebp+var_14]
		push	ecx
		push	edi
		call	dword ptr [edi+8]
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_8935DE

loc_893624:				; CODE XREF: CmpWalkUnicodeStringPath(x,x,x)+4Cj
		or	eax, 0FFFFFFFFh
		jmp	short loc_89362B
; 

loc_893629:				; CODE XREF: CmpWalkUnicodeStringPath(x,x,x)+3Fj
		mov	eax, esi

loc_89362B:				; CODE XREF: CmpWalkUnicodeStringPath(x,x,x)+75j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpWalkUnicodeStringPath@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetNextName(x, x, x)
_CmpGetNextName@12 proc	near		; CODE XREF: CmpWalkUnicodeStringPath(x,x,x)+36p
					; CmpFindHiveSubKey+3Fp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	[ebp+var_8], ebx
		mov	esi, [edi+4]
		test	esi, esi
		jz	loc_893728
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ax, ax
		jz	loc_893728
		movzx	ecx, word ptr [esi]
		test	cx, cx
		jz	loc_893728
		mov	[ebp+var_4], 5Ch
		mov	edx, eax
		movzx	eax, ax
		mov	[ebp+var_C], 2
		cmp	cx, word ptr [ebp+var_4]
		jz	short loc_8936F2

loc_893685:				; CODE XREF: CmpGetNextName(x,x,x)+F1j
		movzx	ecx, ax
		mov	[ebx+4], esi
		mov	eax, ecx
		test	dx, dx
		jz	short loc_8936C5
		mov	ebx, [ebp+var_4]
		mov	edx, ecx

loc_893697:				; CODE XREF: CmpGetNextName(x,x,x)+8Ej
		movzx	eax, dx
		cmp	[esi], bx
		jz	short loc_8936C2
		mov	cx, [edi]
		mov	edx, 0FFFEh
		sub	cx, word ptr [ebp+var_C]
		add	esi, 2
		add	[edi+2], dx
		movzx	eax, cx
		mov	[edi+4], esi
		mov	edx, eax
		mov	[edi], cx
		test	cx, cx
		jnz	short loc_893697

loc_8936C2:				; CODE XREF: CmpGetNextName(x,x,x)+6Bj
		mov	ebx, [ebp+var_8]

loc_8936C5:				; CODE XREF: CmpGetNextName(x,x,x)+5Ej
		mov	dx, [edi+4]
		sub	dx, [ebx+4]
		test	ax, ax
		mov	eax, [ebp+arg_0]
		setz	cl
		mov	[ebx], dx
		mov	[ebx+2], dx
		mov	[eax], cl
		mov	eax, 200h
		cmp	ax, dx
		sbb	al, al
		inc	al

loc_8936EB:				; CODE XREF: CmpGetNextName(x,x,x)+107j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8936F2:				; CODE XREF: CmpGetNextName(x,x,x)+51j
		mov	edx, [ebp+var_4]

loc_8936F5:				; CODE XREF: CmpGetNextName(x,x,x)+EAj
		mov	ax, [edi]
		mov	ebx, 0FFFEh
		sub	ax, word ptr [ebp+var_C]
		add	esi, 2
		add	[edi+2], bx
		mov	ebx, [ebp+var_8]
		mov	[edi+4], esi
		movzx	ecx, ax
		mov	[edi], ax
		test	ax, ax
		jz	short loc_893728
		cmp	[esi], dx
		jz	short loc_8936F5
		movzx	edx, ax
		mov	eax, ecx
		jmp	loc_893685
; 

loc_893728:				; CODE XREF: CmpGetNextName(x,x,x)+17j
					; CmpGetNextName(x,x,x)+28j ...
		mov	ecx, [ebp+arg_0]
		mov	al, 1
		and	dword ptr [ebx+4], 0
		mov	byte ptr [ecx],	1
		xor	ecx, ecx
		mov	[ebx], cx
		jmp	short loc_8936EB
_CmpGetNextName@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindValueByName(x, x, x)
_CmpFindValueByName@12 proc near	; CODE XREF: CmpSortDriverList+A9p
					; CmSelectQualifiedInstallLanguage+160p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	0
		push	[ebp+arg_0]
		add	edx, 24h
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		mov	eax, [ebp+var_4]
		leave
		retn	4
_CmpFindValueByName@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpValueToData	proc near		; CODE XREF: CmpFindControlSet+1DDp
					; CmpFindControlSet+352p ...

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	[ebp+arg_8]
		lea	eax, [ebp-1]
		xor	ebx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	eax
		push	[ebp+arg_4]
		mov	esi, ecx
		mov	[ebp+var_1], bl
		push	[ebp+arg_0]
		call	CmpGetValueData
		test	al, al
		jz	short loc_8937A1
		cmp	[ebp+var_1], 1
		jz	sub_92BAF1
		mov	eax, [ebp+var_8]

loc_89379B:				; CODE XREF: CmpValueToData+43j
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_8937A1:				; CODE XREF: CmpValueToData+2Cj
		xor	eax, eax
		jmp	short loc_89379B
CmpValueToData	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpMuiRegLoadRegistryInfo proc	near	; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+5Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		and	[esp+4+var_4], 0
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_8937FF
		call	RtlpMuiRegLoadLicInformation
		test	eax, eax
		js	loc_92BB09

loc_8937C7:				; CODE XREF: sub_92BAF1+25j
		push	ecx
		push	ecx
		mov	ecx, esi
		call	_RtlpMuiRegLoadInstalled
		test	eax, eax
		js	short loc_8937FA
		push	4
		pop	edx
		mov	ecx, esi
		call	RtlpMuiRegFreeRegistryInfo
		push	esi
		lea	edx, [esp+0Ch+var_4]
		call	RtlpLoadLanguageConfigList
		test	eax, eax
		js	short loc_8937FA
		mov	ecx, [esp+8+var_4]
		test	ecx, ecx
		jz	short loc_8937FA
		or	dword ptr [esi], 4
		mov	[esi+1Ch], ecx

loc_8937FA:				; CODE XREF: RtlpMuiRegLoadRegistryInfo+2Cj
					; RtlpMuiRegLoadRegistryInfo+44j ...
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8937FF:				; CODE XREF: RtlpMuiRegLoadRegistryInfo+12j
		mov	eax, 0C000000Dh
		jmp	short loc_8937FA
RtlpMuiRegLoadRegistryInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpPopulateLanguageConfigList proc near ; CODE	XREF: RtlpLoadLanguageConfigList+87p

var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= word ptr -230h
var_22E		= dword	ptr -22Eh
var_22A		= word ptr -22Ah
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092BB1B SIZE 00000298 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFE0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 278h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_250], edx
		push	esi
		push	edi
		mov	[ebp+var_254], eax
		lea	edi, [ebp+var_22E+2]
		mov	byte ptr [ebp+var_22E+1], al
		mov	esi, ecx
		mov	ecx, [ebx+8]
		mov	[ebp+var_25C], eax
		stosd
		mov	[ebp+var_260], esi
		mov	[ebp+var_24C], ecx
		stosd
		stosd
		xor	eax, eax
		mov	edi, eax
		test	esi, esi
		jz	loc_92BD96
		test	edx, edx
		jz	loc_92BD96
		test	ecx, ecx
		jz	loc_92BD96
		mov	edi, [edx]
		mov	[ebp+var_234], edi
		mov	[ebp+var_238], eax

loc_89388D:				; CODE XREF: RtlpPopulateLanguageConfigList+115j
		lea	ecx, [ebp+var_25C]
		push	ecx
		push	200h
		lea	ecx, [ebp+var_220]
		push	ecx
		push	1
		push	eax
		push	esi
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_92BB1B
		cmp	esi, 8000001Ah
		jnz	short loc_8938D4

loc_8938BB:				; CODE XREF: RtlpPopulateLanguageConfigList+9837Aj
					; RtlpPopulateLanguageConfigList+984B8j ...
		mov	eax, [ebp+var_238]
		inc	eax
		mov	[ebp+var_238], eax

loc_8938C8:				; CODE XREF: RtlpPopulateLanguageConfigList+98581j
		cmp	esi, 8000001Ah
		jnz	short loc_893915
		xor	eax, eax
		mov	esi, eax

loc_8938D4:				; CODE XREF: RtlpPopulateLanguageConfigList+B3j
					; RtlpPopulateLanguageConfigList+98595j
		test	edi, edi
		jnz	short loc_8938F6
		cmp	esi, 0C000000Dh
		jz	short loc_8938F6

loc_8938E0:				; CODE XREF: RtlpPopulateLanguageConfigList+9858Bj
		xor	ecx, ecx
		inc	ecx
		call	_RtlpMuiRegCreateLanguageConfigList@4 ;	RtlpMuiRegCreateLanguageConfigList(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_893920

loc_8938EE:				; CODE XREF: RtlpPopulateLanguageConfigList+11Fj
		mov	eax, [ebp+var_250]
		mov	[eax], edi

loc_8938F6:				; CODE XREF: RtlpPopulateLanguageConfigList+D0j
					; RtlpPopulateLanguageConfigList+D8j
		test	esi, esi
		js	loc_92BDA0

loc_8938FE:				; CODE XREF: RtlpPopulateLanguageConfigList+9859Cj
					; RtlpPopulateLanguageConfigList+985A8j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_893915:				; CODE XREF: RtlpPopulateLanguageConfigList+C8j
		mov	esi, [ebp+var_260]
		jmp	loc_89388D
; 

loc_893920:				; CODE XREF: RtlpPopulateLanguageConfigList+E6j
		mov	esi, 0C0000017h
		jmp	short loc_8938EE
RtlpPopulateLanguageConfigList endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegCreateLanguages(x)
_RtlpMuiRegCreateLanguages@4 proc near	; CODE XREF: _RtlpMuiRegLoadInstalled+61p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	ecx
		push	1Ch
		push	4
		pop	esi
		push	10h
		mov	[ebp+var_4], ecx
		mov	edx, esi
		pop	ecx
		call	_SafeAllocBlob
		mov	edx, eax
		test	edx, edx
		jz	short loc_893964
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		mov	[edx+6], ax
		lea	eax, [edx+10h]
		mov	[edx], ecx
		mov	[edx+4], si
		mov	[edx+0Ch], eax

loc_893964:				; CODE XREF: RtlpMuiRegCreateLanguages(x)+25j
		mov	eax, edx
		pop	esi
		leave
		retn
_RtlpMuiRegCreateLanguages@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegCreateLanguageConfigList(x)
_RtlpMuiRegCreateLanguageConfigList@4 proc near
					; CODE XREF: RtlpPopulateLanguageConfigList+DDp
					; RtlpPopulateLanguageConfigList+98535p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		cmp	esi, 1
		jl	short loc_8939AA

loc_89397D:				; CODE XREF: RtlpMuiRegCreateLanguageConfigList(x)+43j
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		push	ecx
		push	ecx
		push	0Ch
		pop	ecx
		push	ecx
		call	_SafeAllocBlob
		test	eax, eax
		jz	short loc_8939A7
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx
		xor	ecx, ecx
		mov	[eax+4], cx
		lea	ecx, [eax+0Ch]
		mov	[eax+6], si
		mov	[eax+8], ecx

loc_8939A7:				; CODE XREF: RtlpMuiRegCreateLanguageConfigList(x)+26j
		pop	esi
		leave
		retn
; 

loc_8939AA:				; CODE XREF: RtlpMuiRegCreateLanguageConfigList(x)+11j
		push	4
		pop	esi
		jmp	short loc_89397D
_RtlpMuiRegCreateLanguageConfigList@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegCreateStringPool(x, x)
_RtlpMuiRegCreateStringPool@8 proc near	; CODE XREF: _RtlpMuiRegLoadInstalled+79p
					; RtlpMuiRegResizeStringPool(x,x,x,x)+97p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		xor	eax, eax
		push	ebx
		push	esi
		mov	ebx, ecx
		inc	eax
		push	edi
		mov	edi, edx
		cmp	ebx, eax
		jge	short loc_8939CB
		push	4
		pop	ebx

loc_8939CB:				; CODE XREF: RtlpMuiRegCreateStringPool(x,x)+16j
		cmp	edi, eax
		jge	short loc_8939D2
		push	28h
		pop	edi

loc_8939D2:				; CODE XREF: RtlpMuiRegCreateStringPool(x,x)+1Dj
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		push	2
		push	edi
		push	2
		push	14h
		pop	ecx
		call	_SafeAllocBlob
		mov	esi, eax
		test	esi, esi
		jz	short loc_893A1D
		mov	ecx, [ebp+var_4]
		movzx	edx, bx
		mov	[esi], ecx
		lea	ecx, [esi+14h]
		mov	[esi+0Ch], ecx
		mov	[esi+4], dx
		lea	eax, [ecx+edx*2]
		mov	[esi+8], di
		xor	ecx, ecx
		mov	[esi+10h], eax
		mov	[eax], cx
		xor	edx, edx
		mov	eax, [esi+0Ch]
		inc	edx
		mov	[esi+0Ah], dx
		mov	[eax], cx
		mov	[esi+6], dx

loc_893A1D:				; CODE XREF: RtlpMuiRegCreateStringPool(x,x)+39j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_RtlpMuiRegCreateStringPool@8 endp


;  S U B	R O U T	I N E 


_RtlpMuiRegLoadInstalled proc near	; CODE XREF: RtlpMuiRegLoadRegistryInfo+25p

; FUNCTION CHUNK AT 0092BDB3 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		test	esi, esi
		jz	loc_92BDB3
		cmp	ds:_PsUILanguageComitted, edi
		jz	short loc_893A79
		lea	ebx, [esi+4]
		push	ebx
		call	_ZwQueryInstallUILanguage@4 ; ZwQueryInstallUILanguage(x)
		mov	edi, eax
		test	edi, edi
		js	loc_893AE1
		movzx	eax, word ptr [ebx]
		mov	ecx, 1000h
		cmp	ax, cx
		jz	loc_893AE1
		mov	ecx, 1400h
		cmp	ax, cx
		jz	short loc_893AE1
		lea	eax, [esi+8]
		mov	ecx, esi
		push	eax
		lea	edx, [esi+6]
		call	RtlpLoadInstallLanguageFallback

loc_893A79:				; CODE XREF: _RtlpMuiRegLoadInstalled+17j
		mov	edx, 3FFh
		mov	ecx, esi
		call	RtlpMuiRegFreeRegistryInfo
		call	_RtlpMuiRegCreateLanguages@4 ; RtlpMuiRegCreateLanguages(x)
		mov	[esi+14h], eax
		test	eax, eax
		jz	loc_92BDBD
		or	dword ptr [esi], 1
		or	ecx, 0FFFFFFFFh
		mov	edx, ecx
		call	_RtlpMuiRegCreateStringPool@8 ;	RtlpMuiRegCreateStringPool(x,x)
		mov	[esi+18h], eax
		test	eax, eax
		jz	short loc_893AE1
		or	dword ptr [esi], 2
		call	_IsMachineLanguageListInMutableLocation
		mov	ecx, esi
		mov	edx, offset aRegistryMach_4 ; "\\Registry\\Machine\\OSDATA\\System\\Current"...
		test	al, al
		jnz	short loc_893AC1
		mov	edx, offset ??_C@_1IG@EEKPLJNI@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@

loc_893AC1:				; CODE XREF: _RtlpMuiRegLoadInstalled+96j
		call	_RtlpMuiRegLoadInstalledFromKey
		mov	edi, eax
		test	edi, edi
		js	short loc_893AE1
		mov	ecx, esi
		call	_RtlpMuiRegValidateInstalled
		mov	edi, eax
		test	edi, edi
		js	short loc_893AE1

loc_893AD9:				; CODE XREF: _RtlpMuiRegLoadInstalled+C9j
		mov	eax, edi

loc_893ADB:				; CODE XREF: _RtlpMuiRegLoadInstalled+98394j
		pop	edi
		pop	esi
		pop	ebx
		retn	8
; 

loc_893AE1:				; CODE XREF: _RtlpMuiRegLoadInstalled+26j
					; _RtlpMuiRegLoadInstalled+37j	...
		mov	edx, 3FFh
		mov	ecx, esi
		call	RtlpMuiRegFreeRegistryInfo
		jmp	short loc_893AD9
_RtlpMuiRegLoadInstalled endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpMuiRegAddLanguageByName proc near	; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+20Cp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092BDC7 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		push	7
		mov	esi, ecx
		mov	[ebp+var_28], eax
		pop	ecx
		push	[ebp+arg_4]
		mov	ebx, edx
		lea	edi, [ebp+var_20]
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		rep stosd
		mov	[ebp+var_24], edx
		mov	ecx, esi
		push	edx
		lea	edx, [ebp+var_20]
		call	__RtlpMuiRegInitAnyLanguage@16 ; _RtlpMuiRegInitAnyLanguage(x,x,x,x)
		test	eax, eax
		js	short loc_893B7E
		mov	cl, byte ptr [ebp+var_20]
		test	cl, 4
		jnz	loc_92BDC7
		test	cl, 2
		jnz	loc_92BDD6

loc_893B46:				; CODE XREF: RtlpMuiRegAddLanguageByName+982F6j
		test	eax, eax
		js	short loc_893B7E
		mov	edx, [ebp+var_24]
		test	cl, 4
		mov	ecx, esi
		jnz	short loc_893B8F
		call	RtlpIsALicensedRegularLanguage

loc_893B59:				; CODE XREF: RtlpMuiRegAddLanguageByName+A4j
		test	eax, eax
		js	short loc_893B7E
		mov	eax, 820h
		lea	ecx, [ebp+var_20]
		or	word ptr [ebp+var_20], ax
		mov	edx, ebx
		call	RtlpMuiRegAddAlternateCodePage
		push	[ebp+var_28]
		lea	ecx, [esi+14h]
		lea	edx, [ebp+var_20]
		call	RtlpMuiRegGetOrAddLangInfo

loc_893B7E:				; CODE XREF: RtlpMuiRegAddLanguageByName+3Fj
					; RtlpMuiRegAddLanguageByName+58j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_893B8F:				; CODE XREF: RtlpMuiRegAddLanguageByName+62j
		call	_RtlpIsALicensedLIPLanguage@8 ;	RtlpIsALicensedLIPLanguage(x,x)
		jmp	short loc_893B59
RtlpMuiRegAddLanguageByName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	LdrpQueryValueKey(int,void *,int,int)
LdrpQueryValueKey proc near		; CODE XREF: RtlpMuiRegAddAlternateCodePage+57p
					; _RtlpMuiRegLoadInstalledFromKey+181p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0092BDEB SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	[ebp+arg_4], 0
		mov	eax, edx
		push	ebx
		push	edi
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		jz	short loc_893C2F
		test	edi, edi
		jz	loc_92BDEB

loc_893BB9:				; CODE XREF: LdrpQueryValueKey+9Bj
		mov	ebx, [edi]

loc_893BBB:				; CODE XREF: LdrpQueryValueKey+9Fj
		and	[ebp+arg_8], 0
		add	ebx, 0Ch
		push	esi
		mov	[ebp+var_C], ebx
		jz	loc_92BDF5
		push	72746C6Dh
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_893BEB
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_893BEB:				; CODE XREF: LdrpQueryValueKey+47j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]

loc_893BF1:				; CODE XREF: LdrpQueryValueKey+98261j
		test	esi, esi
		jz	loc_92BDFC
		lea	edx, [ebp+arg_8]
		push	edx
		push	ebx
		push	esi
		push	2
		push	eax
		push	ecx
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	ebx, eax
		cmp	ebx, 0C0000034h
		jnz	short loc_893C37

loc_893C12:				; CODE XREF: LdrpQueryValueKey+A9j
					; LdrpQueryValueKey+ADj ...
		test	ebx, ebx
		jns	short loc_893C63

loc_893C16:				; CODE XREF: LdrpQueryValueKey+A3j
		cmp	ebx, 80000005h
		jz	short loc_893C63

loc_893C1E:				; CODE XREF: LdrpQueryValueKey+DBj
					; LdrpQueryValueKey+E2j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_893C26:				; CODE XREF: LdrpQueryValueKey+9826Bj
		mov	eax, ebx
		pop	esi

loc_893C29:				; CODE XREF: LdrpQueryValueKey+9825Aj
		pop	edi
		pop	ebx
		leave
		retn	10h
; 

loc_893C2F:				; CODE XREF: LdrpQueryValueKey+19j
		test	edi, edi
		jnz	short loc_893BB9
		xor	ebx, ebx
		jmp	short loc_893BBB
; 

loc_893C37:				; CODE XREF: LdrpQueryValueKey+7Aj
		test	ebx, ebx
		js	short loc_893C16
		cmp	[ebp+arg_4], 0
		jz	short loc_893C12
		test	edi, edi
		jz	short loc_893C12
		mov	eax, [esi+8]
		cmp	eax, [edi]
		ja	short loc_893C7A
		cmp	eax, [ebp+var_C]
		ja	short loc_893C12
		push	eax		; size_t
		lea	eax, [esi+0Ch]
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_893C12
; 

loc_893C63:				; CODE XREF: LdrpQueryValueKey+7Ej
					; LdrpQueryValueKey+86j ...
		test	edi, edi
		jz	short loc_893C6C
		mov	eax, [esi+8]
		mov	[edi], eax

loc_893C6C:				; CODE XREF: LdrpQueryValueKey+CFj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_893C1E
		mov	eax, [esi+4]
		mov	[ecx], eax
		jmp	short loc_893C1E
; 

loc_893C7A:				; CODE XREF: LdrpQueryValueKey+B4j
		mov	ebx, 80000005h
		jmp	short loc_893C63
LdrpQueryValueKey endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_RtlpMuiRegValidateInstalled proc near	; CODE XREF: _RtlpMuiRegLoadInstalled+AAp

var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= word ptr -0D0h
var_CE		= word ptr -0CEh
var_CC		= word ptr -0CCh
var_CA		= word ptr -0CAh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092BE06 SIZE 000001F7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 104h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_104], esi
		xor	eax, eax
		mov	[ebp+var_D8], eax
		mov	ecx, 0AAh
		mov	[ebp+var_F0], eax
		push	ecx		; size_t
		push	eax		; int
		mov	[ebp+var_EC], eax
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_E4], eax
		mov	[ebp+var_C8], eax
		mov	[ebp+var_C4], eax
		mov	[ebp+var_C0], eax
		mov	[ebp+var_BC], eax
		mov	[ebp+var_100], eax
		mov	[ebp+var_FC], eax
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_B8]
		push	eax		; void *
		mov	[ebp+var_DC], edi
		mov	[ebp+var_F4], edi
		call	_memset
		mov	ebx, ds:_PsUILanguageComitted
		add	esp, 0Ch
		movzx	eax, word ptr [esi+4]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 3FFFFFCCh
		add	ebx, 0C0000034h
		test	ax, ax
		jnz	short loc_893D44
		lea	eax, [ebp+var_D8]
		push	eax
		call	NtQueryInstallUILanguage
		test	eax, eax
		js	loc_893EEF
		mov	eax, [ebp+var_D8]

loc_893D44:				; CODE XREF: _RtlpMuiRegValidateInstalled+A6j
		lea	ecx, [ebp+var_F4]
		mov	[ebp+var_D8], eax
		push	ecx
		push	0
		mov	edx, eax
		mov	ecx, esi
		call	RtlpMuiRegGetInstalledLanguageIndexByLangId
		cmp	eax, 0C0000034h
		jz	loc_92BE06
		cmp	eax, 0C00000BBh
		jz	loc_92BE06
		test	eax, eax
		js	short loc_893DE1
		movsx	eax, word ptr [ebp+var_F4]
		mov	edx, [esi+14h]

loc_893D80:				; CODE XREF: _RtlpMuiRegValidateInstalled+98272j
		mov	[ebp+var_DC], eax
		cmp	eax, edi
		jz	short loc_893DE7
		lea	ecx, [ebp+var_B8]
		imul	eax, 1Ch
		mov	[ebp+var_FC], ecx
		mov	ecx, 0AAh
		mov	word ptr [ebp+var_100+2], cx
		lea	ecx, [ebp+var_100]
		mov	edx, [edx+0Ch]
		push	ecx
		add	edx, eax
		mov	[ebp+var_E0], eax
		mov	ecx, esi
		call	RtlpGetNameFromLangInfoNode
		test	eax, eax
		js	short loc_893DE1
		mov	edx, [ebp+var_FC]
		mov	ecx, esi
		call	RtlpIsALicensedRegularLanguage
		test	eax, eax
		js	loc_92BEF9
		mov	[ebp+var_E4], 1

loc_893DE1:				; CODE XREF: _RtlpMuiRegValidateInstalled+F2j
					; _RtlpMuiRegValidateInstalled+13Ej ...
		mov	eax, [ebp+var_DC]

loc_893DE7:				; CODE XREF: _RtlpMuiRegValidateInstalled+106j
		test	ebx, ebx
		jz	loc_893EFE

loc_893DEF:				; CODE XREF: _RtlpMuiRegValidateInstalled+27Fj
		mov	edx, edi
		mov	ecx, esi
		call	_RtlpRemovePendingDeleteLanguages
		mov	ecx, [esi+14h]
		xor	eax, eax
		and	[ebp+var_D8], 0
		cmp	ax, [ecx+6]
		jnb	short loc_893E40
		mov	edx, [ebp+var_D8]
		mov	eax, ecx
		xor	edi, edi

loc_893E14:				; CODE XREF: _RtlpMuiRegValidateInstalled+1BCj
		mov	ecx, eax
		mov	eax, [eax+0Ch]
		mov	al, [edi+eax]
		and	al, 22h
		cmp	al, 22h
		jz	loc_92BF22

loc_893E26:				; CODE XREF: _RtlpMuiRegValidateInstalled+982D5j
					; _RtlpMuiRegValidateInstalled+982E1j ...
		movzx	eax, word ptr [ecx+6]
		inc	edx
		add	edi, 1Ch
		mov	[ebp+var_D8], edx
		cmp	edx, eax
		mov	[ebp+var_E8], ecx
		mov	eax, ecx
		jl	short loc_893E14

loc_893E40:				; CODE XREF: _RtlpMuiRegValidateInstalled+186j
		and	[ebp+var_D8], 0
		xor	eax, eax
		cmp	ax, [ecx+6]
		jnb	short loc_893EB6
		mov	edx, ecx
		xor	edi, edi

loc_893E53:				; CODE XREF: _RtlpMuiRegValidateInstalled+232j
		mov	eax, [edx+0Ch]
		mov	ecx, edx
		mov	[ebp+var_E0], eax
		movzx	eax, word ptr [eax+edi]
		mov	[ebp+var_E8], eax
		and	al, 21h
		cmp	al, 21h
		jnz	short loc_893E9F
		mov	eax, [ebp+var_E8]
		test	eax, 1000h
		jnz	short loc_893E81
		inc	[ebp+var_E4]

loc_893E81:				; CODE XREF: _RtlpMuiRegValidateInstalled+1F7j
		mov	ecx, edx
		test	ebx, ebx
		jnz	short loc_893E9F
		mov	esi, [ebp+var_D8]
		cmp	esi, [ebp+var_DC]
		mov	esi, [ebp+var_104]
		jnz	loc_92BFA6

loc_893E9F:				; CODE XREF: _RtlpMuiRegValidateInstalled+1EAj
					; _RtlpMuiRegValidateInstalled+203j ...
		movzx	eax, word ptr [ecx+6]
		add	edi, 1Ch
		inc	[ebp+var_D8]
		mov	edx, ecx
		cmp	[ebp+var_D8], eax
		jl	short loc_893E53

loc_893EB6:				; CODE XREF: _RtlpMuiRegValidateInstalled+1CBj
		xor	eax, eax
		xor	edi, edi
		cmp	ax, [ecx+6]
		jnb	short loc_893EDF
		xor	ebx, ebx

loc_893EC2:				; CODE XREF: _RtlpMuiRegValidateInstalled+25Bj
		mov	eax, [ecx+0Ch]
		mov	edx, ecx
		test	byte ptr [ebx+eax], 4
		jnz	loc_92BFDF

loc_893ED1:				; CODE XREF: _RtlpMuiRegValidateInstalled+98369j
		movzx	eax, word ptr [edx+6]
		inc	edi
		add	ebx, 1Ch
		mov	ecx, edx
		cmp	edi, eax
		jl	short loc_893EC2

loc_893EDF:				; CODE XREF: _RtlpMuiRegValidateInstalled+23Cj
		mov	eax, [ebp+var_F8]
		test	eax, eax
		jnz	loc_92BFF0

loc_893EED:				; CODE XREF: _RtlpMuiRegValidateInstalled+98376j
		xor	eax, eax

loc_893EEF:				; CODE XREF: _RtlpMuiRegValidateInstalled+B6j
					; _RtlpMuiRegValidateInstalled+981A3j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_893EFE:				; CODE XREF: _RtlpMuiRegValidateInstalled+167j
		movzx	edi, ax
		jmp	loc_893DEF
_RtlpMuiRegValidateInstalled endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpLoadLanguageConfigList proc	near	; CODE XREF: RtlpMuiRegLoadRegistryInfo+3Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092BFFD SIZE 00000089 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, edx
		mov	byte ptr [ebp+var_5], al
		mov	[ebp+var_18], eax
		mov	ebx, eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		push	edi
		test	esi, esi
		jz	loc_92C03E
		cmp	[ebp+arg_0], eax
		jz	loc_92C03E
		mov	ebx, [esi]
		lea	eax, [ebp+var_18]
		push	offset ??_C@_1HG@DLPFCGIL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\Software\\Policies\\Mic"...
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		push	ecx
		lea	ecx, [ebp+var_18]
		call	_LdrpOpenKey@16	; LdrpOpenKey(x,x,x,x)
		test	eax, eax
		jns	loc_92BFFD

loc_893F5E:				; CODE XREF: RtlpLoadLanguageConfigList+98120j
		push	offset ??_C@_1KM@IAIDLDJP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		push	ecx
		lea	ecx, [ebp+var_18]
		call	_LdrpOpenKey@16	; LdrpOpenKey(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_92C02B
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		call	RtlpPopulateLanguageConfigList
		mov	edi, eax

loc_893F94:				; CODE XREF: RtlpLoadLanguageConfigList+9810Ej
					; RtlpLoadLanguageConfigList+9812Bj ...
		cmp	[ebp+var_C], 0
		jz	short loc_893FA2
		push	[ebp+var_C]
		call	NtClose

loc_893FA2:				; CODE XREF: RtlpLoadLanguageConfigList+92j
		test	edi, edi
		js	loc_92C048
		cmp	dword ptr [esi], 0
		jz	loc_92C068

loc_893FB3:				; CODE XREF: RtlpLoadLanguageConfigList+98144j
					; RtlpLoadLanguageConfigList+9814Ej ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
RtlpLoadLanguageConfigList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrpOpenKey(x, x, x, x)
_LdrpOpenKey@16	proc near		; CODE XREF: _RtlpRemovePendingDeleteLanguages+7Ap
					; _IsMachineLanguageListInMutableLocation+2Cp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_4]
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		mov	[ebp+var_10], ecx
		lea	ecx, [ebp+var_18]
		and	dword ptr [eax], 0
		push	ecx
		push	20019h
		push	eax
		mov	[ebp+var_18], 18h
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		leave
		retn	8
_LdrpOpenKey@16	endp

; 
		align 2

;  S U B	R O U T	I N E 


RtlpIsALicensedRegularLanguage proc near ; CODE	XREF: RtlpMuiRegAddLanguageByName+64p
					; _RtlpMuiRegValidateInstalled+148p

; FUNCTION CHUNK AT 0092C086 SIZE 00000035 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_894031
		mov	ecx, [esi+50h]	; wchar_t *
		test	ecx, ecx
		jz	short loc_894016
		call	RtlpLangNameInMultiSzString
		test	al, al
		jz	short loc_894031

loc_894016:				; CODE XREF: RtlpIsALicensedRegularLanguage+11j
		mov	ecx, [esi+4Ch]
		test	ecx, ecx
		jnz	loc_92C086
		mov	ecx, [esi+5Ch]
		xor	eax, eax
		test	ecx, ecx
		jnz	loc_92C0A3

loc_89402E:				; CODE XREF: RtlpIsALicensedRegularLanguage+3Cj
					; RtlpIsALicensedRegularLanguage+980A4j ...
		pop	edi
		pop	esi
		retn
; 

loc_894031:				; CODE XREF: RtlpIsALicensedRegularLanguage+Aj
					; RtlpIsALicensedRegularLanguage+1Aj
		mov	eax, 0C0000034h
		jmp	short loc_89402E
RtlpIsALicensedRegularLanguage endp


;  S U B	R O U T	I N E 


; int __fastcall RtlpLangNameInMultiSzString(wchar_t *,wchar_t *)
RtlpLangNameInMultiSzString proc near	; CODE XREF: RtlpIsALicensedRegularLanguage+13p
					; RtlpIsALicensedRegularLanguage+9808Ep ...

; FUNCTION CHUNK AT 0092C0BB SIZE 00000025 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_894063
		test	edi, edi
		jz	short loc_894063

loc_89404B:				; CODE XREF: RtlpLangNameInMultiSzString+9809Dj
		cmp	[esi], bx
		jz	short loc_894063
		push	edi		; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_92C0BB
		mov	bl, 1

loc_894063:				; CODE XREF: RtlpLangNameInMultiSzString+Dj
					; RtlpLangNameInMultiSzString+11j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
RtlpLangNameInMultiSzString endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MUIRegistrySystemRoutine(x)
_MUIRegistrySystemRoutine@4 proc near	; DATA XREF: NtGetMUIRegistryInfo+20Ao

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_8940BC
		push	edi
		lea	eax, [esi+1Ch]
		push	eax		; int
		push	dword ptr [esi+18h] ; int
		lea	eax, [esi+14h]
		push	eax		; int
		push	dword ptr [esi+10h] ; int
		lea	eax, [esi+0Ch]
		push	eax		; size_t
		lea	edx, [esi+8]
		lea	ecx, [esi+4]
		call	RtlpMuiRegCreateKernelRegistryInfo
		mov	[esi+20h], eax
		test	eax, eax
		js	short loc_8940AB
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_8940AB
		mov	eax, ds:0FFDF03A4h
		mov	[ecx+0Ch], eax

loc_8940AB:				; CODE XREF: MUIRegistrySystemRoutine(x)+30j
					; MUIRegistrySystemRoutine(x)+37j
		mov	eax, [esi]
		pop	edi
		test	eax, eax
		jz	short loc_8940BC
		push	0
		push	1
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_8940BC:				; CODE XREF: MUIRegistrySystemRoutine(x)+Bj
					; MUIRegistrySystemRoutine(x)+46j
		pop	esi
		pop	ebp
		retn	4
_MUIRegistrySystemRoutine@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_RtlpMuiRegSerializeRegistryInfo proc near
					; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+EFp
					; RtlpMuiRegCreateKernelRegistryInfo+14Ep

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092C0E0 SIZE 00000115 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1C], esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_18], edi
		test	esi, esi
		jz	loc_92C1EB
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_92C1EB
		mov	eax, [eax]
		xor	ebx, ebx
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_8941C1
		test	edi, edi
		jz	loc_92C1EB
		mov	[ebp+var_1], 1

loc_894105:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+10Aj
		mov	eax, [esi+14h]
		mov	[ebp+var_8], 0FFFFFFF8h
		push	68h
		pop	edx
		mov	[ebp+var_C], edx
		mov	ecx, edx
		mov	[ebp+var_10], ecx
		test	eax, eax
		jz	loc_92C0E0
		mov	ecx, [eax]
		add	ecx, edx
		cmp	ecx, edx
		jb	loc_92C1EB
		mov	edx, [ebp+var_8]
		add	ecx, 7
		and	ecx, edx
		mov	[ebp+var_10], ecx

loc_894139:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+98021j
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_894154
		mov	eax, [eax]
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_92C1EB
		lea	ecx, [eax+7]
		and	ecx, edx
		mov	[ebp+var_10], ecx

loc_894154:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+7Cj
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_89416F
		mov	eax, [eax]
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_92C1EB
		lea	ecx, [eax+7]
		and	ecx, edx
		mov	[ebp+var_10], ecx

loc_89416F:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+97j
		mov	eax, [esi+24h]
		test	eax, eax
		jnz	loc_92C0E8

loc_89417A:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+9803Aj
		mov	eax, [esi+58h]
		test	eax, eax
		jnz	loc_92C101

loc_894185:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+98042j
					; _RtlpMuiRegSerializeRegistryInfo+9805Aj
		mov	eax, [esi+60h]
		test	eax, eax
		jnz	loc_92C121

loc_894190:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+98062j
					; _RtlpMuiRegSerializeRegistryInfo+9807Aj
		mov	eax, [esi+54h]
		test	eax, eax
		jz	short loc_8941AE
		cmp	[esi+50h], ebx
		jz	short loc_8941AE
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_92C1EB
		lea	ecx, [eax+7]
		and	ecx, edx
		mov	[ebp+var_10], ecx

loc_8941AE:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+D3j
					; _RtlpMuiRegSerializeRegistryInfo+D8j
		cmp	[ebp+var_1], bl
		jnz	short loc_8941D1

loc_8941B3:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+98084j
		mov	edx, [ebp+arg_0]
		mov	[edx], ecx

loc_8941B8:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+239j
					; _RtlpMuiRegSerializeRegistryInfo+9812Ej
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_8941C1:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+31j
		test	edi, edi
		jnz	loc_92C1EB
		mov	[ebp+var_1], bl
		jmp	loc_894105
; 

loc_8941D1:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+EFj
		mov	eax, [ebp+var_14]
		cmp	eax, ecx
		jb	loc_92C141
		push	eax		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		push	19h
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_18]
		mov	edi, [ebp+var_1C]
		lea	eax, [esi+68h]
		mov	ecx, [edi+14h]
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jz	short loc_894228
		push	dword ptr [ecx]	; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[esi+74h], ebx
		push	68h
		pop	ecx
		mov	[esi+14h], ecx
		mov	eax, [edi+14h]
		mov	ecx, [eax]
		add	ecx, 6Fh
		and	ecx, 0FFFFFFF8h
		mov	[ebp+var_C], ecx
		lea	eax, [ecx+esi]
		mov	[ebp+var_8], eax

loc_894228:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+13Bj
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jz	short loc_894262
		push	dword ptr [ecx]	; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	ecx, [ebp+var_C]
		add	ecx, 7
		mov	[eax+0Ch], ebx
		mov	[eax+10h], ebx
		sub	eax, esi
		mov	[esi+18h], eax
		mov	eax, [edi+18h]
		mov	eax, [eax]
		add	ecx, eax
		and	ecx, 0FFFFFFF8h
		mov	[ebp+var_C], ecx
		lea	eax, [ecx+esi]
		mov	[ebp+var_8], eax

loc_894262:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+16Bj
		mov	ecx, [edi+1Ch]
		test	ecx, ecx
		jz	short loc_894299
		push	dword ptr [ecx]	; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	ecx, [ebp+var_C]
		add	ecx, 7
		mov	[eax+8], ebx
		sub	eax, esi
		mov	[esi+1Ch], eax
		mov	eax, [edi+1Ch]
		mov	eax, [eax]
		add	ecx, eax
		and	ecx, 0FFFFFFF8h
		mov	[ebp+var_C], ecx
		lea	eax, [ecx+esi]
		mov	[ebp+var_8], eax

loc_894299:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+1A5j
		mov	ecx, [edi+24h]
		test	ecx, ecx
		jnz	loc_92C14B

loc_8942A4:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+980B6j
		mov	ecx, [edi+58h]
		test	ecx, ecx
		jnz	loc_92C17D

loc_8942AF:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+980C0j
					; _RtlpMuiRegSerializeRegistryInfo+980EEj
		mov	ecx, [edi+60h]
		test	ecx, ecx
		jnz	loc_92C1B5

loc_8942BA:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+980F8j
					; _RtlpMuiRegSerializeRegistryInfo+98124j
		mov	edx, [edi+54h]
		test	edx, edx
		jz	short loc_8942DB
		mov	ecx, [edi+50h]
		test	ecx, ecx
		jz	short loc_8942DB
		push	edx		; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		sub	eax, esi
		mov	[esi+50h], eax

loc_8942DB:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+1FDj
					; _RtlpMuiRegSerializeRegistryInfo+204j
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+var_10]
		mov	[esi+20h], ebx
		mov	[esi+28h], ebx
		mov	[esi+30h], ebx
		mov	[esi+34h], ebx
		mov	[esi+38h], ebx
		mov	[esi+3Ch], ebx
		mov	dword ptr [esi], 400h
		mov	[edx], eax
		jmp	loc_8941B8
_RtlpMuiRegSerializeRegistryInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpMuiRegGetInstalledLanguageIndexByLangId proc near
					; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+BBp
					; RtlpMuiRegCreateKernelRegistryInfo+D8p ...

var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092C1F5 SIZE 0000008F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		mov	eax, ecx
		mov	bx, dx
		xor	ecx, ecx
		mov	[esp+18h+var_C], eax
		mov	[esp+18h+var_8], ecx
		mov	edx, 0C0000034h
		mov	[esp+18h+var_4], ecx
		mov	[esp+18h+var_11], cl
		push	esi
		mov	esi, edx
		push	edi
		test	eax, eax
		jz	short loc_89438E
		test	bx, bx
		jz	short loc_89438E
		mov	edi, 1000h
		cmp	bx, di
		jz	short loc_89438A
		mov	edx, [eax+14h]
		movzx	eax, word ptr [edx+6]
		mov	[esp+20h+var_10], eax
		test	eax, eax
		jz	loc_92C212
		mov	edx, [edx+0Ch]

loc_894355:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByLangId+97F0Cj
		cmp	[edx+4], bx
		jnz	loc_92C206
		movzx	edi, word ptr [edx]
		mov	eax, edi
		and	eax, 1020h
		cmp	ax, 20h
		jnz	loc_92C1F5
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_894385

loc_89437A:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByLangId+88j
		xor	eax, eax

loc_89437C:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByLangId+8Cj
					; RtlpMuiRegGetInstalledLanguageIndexByLangId+93j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_894385:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByLangId+78j
		mov	[eax], cx
		jmp	short loc_89437A
; 

loc_89438A:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByLangId+3Dj
		mov	eax, edx
		jmp	short loc_89437C
; 

loc_89438E:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByLangId+2Ej
					; RtlpMuiRegGetInstalledLanguageIndexByLangId+33j
		mov	eax, 0C000000Dh
		jmp	short loc_89437C
RtlpMuiRegGetInstalledLanguageIndexByLangId endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _RtlpMuiRegInitAnyLanguage(x, x, x,	x)
__RtlpMuiRegInitAnyLanguage@16 proc near ; CODE	XREF: RtlpMuiRegAddLanguageByName+38p
					; _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+DDp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		or	[ebp+var_8], 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	[ebp+var_10], eax
		mov	esi, edx
		mov	[ebp+var_C], eax
		mov	ebx, ecx
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jz	short loc_89442F
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		mov	ecx, ebx
		call	RtlpMuiRegGetOrAddString
		mov	edi, eax
		test	edi, edi
		js	short loc_894426
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		mov	cx, word ptr [ebp+var_4]
		mov	[esi+2], ax
		mov	ax, word ptr [ebp+var_8]
		mov	[esi+6], ax
		xor	eax, eax
		mov	[esi], dx
		mov	[esi+4], cx
		mov	[esi+8], eax
		mov	[esi+0Ch], eax
		mov	[esi+10h], eax
		mov	[esi+14h], eax
		mov	[esi+18h], eax
		test	edx, 2000h
		jnz	short loc_894426
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	__RtlpMuiRegAddNeutralLanguage@12 ; _RtlpMuiRegAddNeutralLanguage(x,x,x)

loc_894426:				; CODE XREF: _RtlpMuiRegInitAnyLanguage(x,x,x,x)+4Fj
					; _RtlpMuiRegInitAnyLanguage(x,x,x,x)+84j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_89442F:				; CODE XREF: _RtlpMuiRegInitAnyLanguage(x,x,x,x)+39j
		mov	edi, 0C00B0004h
		jmp	short loc_894426
__RtlpMuiRegInitAnyLanguage@16 endp


;  S U B	R O U T	I N E 


; __stdcall _RtlpMuiRegAddNeutralLanguage(x, x,	x)
__RtlpMuiRegAddNeutralLanguage@12 proc near
					; CODE XREF: _RtlpMuiRegInitAnyLanguage(x,x,x,x)+8Bp
		test	ecx, ecx
		jz	short loc_894450
		test	edx, edx
		jz	short loc_894450
		mov	eax, 3FFFh
		and	[edx+8], ax
		xor	eax, eax
		mov	[edx+0Ah], ax

locret_89444D:				; CODE XREF: _RtlpMuiRegAddNeutralLanguage(x,x,x)+1Fj
		retn	4
; 

loc_894450:				; CODE XREF: _RtlpMuiRegAddNeutralLanguage(x,x,x)+2j
					; _RtlpMuiRegAddNeutralLanguage(x,x,x)+6j
		mov	eax, 0C000000Dh
		jmp	short locret_89444D
__RtlpMuiRegAddNeutralLanguage@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpMuiRegGetOrAddString proc near	; CODE XREF: _RtlpMuiRegInitAnyLanguage(x,x,x,x)+46p
					; _RtlpMuiRegValidateInstalled+981E7p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092C284 SIZE 00000057 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_8], ebx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_8944C7
		test	edi, edi
		jz	short loc_8944C7
		cmp	[edi], bx
		jz	short loc_8944C7
		mov	eax, [esi]
		and	eax, 2
		mov	[ebp+var_C], eax
		cmp	[ebp+arg_0], bl
		jz	short loc_8944C2
		mov	byte ptr [ebp+var_4], 1
		test	eax, eax
		jz	short loc_8944C2

loc_894491:				; CODE XREF: RtlpMuiRegGetOrAddString+6Dj
		mov	ecx, [esi+18h]
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_4]
		call	RtlpMuiRegGetOrAddStringToPool
		movzx	eax, ax
		mov	[ebp+var_4], eax
		test	ax, ax
		js	loc_92C284

loc_8944AF:				; CODE XREF: RtlpMuiRegGetOrAddString+74j
					; RtlpMuiRegGetOrAddString+97E56j ...
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_8944B9
		mov	[ecx], ax

loc_8944B9:				; CODE XREF: RtlpMuiRegGetOrAddString+5Cj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_8944C2:				; CODE XREF: RtlpMuiRegGetOrAddString+2Fj
					; RtlpMuiRegGetOrAddString+37j
		mov	byte ptr [ebp+var_4], bl
		jmp	short loc_894491
; 

loc_8944C7:				; CODE XREF: RtlpMuiRegGetOrAddString+19j
					; RtlpMuiRegGetOrAddString+1Dj	...
		mov	ebx, 0C000000Dh
		jmp	short loc_8944AF
RtlpMuiRegGetOrAddString endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpMuiRegGetOrAddStringToPool proc near ; CODE	XREF: RtlpMuiRegGetOrAddString+43p
					; RtlpMuiRegGetOrAddString+97E68p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092C2DB SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	edi, ecx
		call	_RtlpMuiRegGetStringIndexInPool@8 ; RtlpMuiRegGetStringIndexInPool(x,x)
		mov	esi, [ebp+arg_4]
		mov	ebx, eax
		test	esi, esi
		jz	short loc_8944F6
		xor	eax, eax
		mov	[esi], eax

loc_8944F6:				; CODE XREF: RtlpMuiRegGetOrAddStringToPool+22j
		test	ebx, ebx
		jns	loc_8945A3
		test	edi, edi
		jz	loc_8945AC
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	loc_8945AC
		mov	ecx, eax
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_894518:				; CODE XREF: RtlpMuiRegGetOrAddStringToPool+53j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_894518
		movzx	eax, word ptr [edi+0Ah]
		sub	ecx, edx
		sar	ecx, 1
		mov	[ebp+arg_4], eax
		lea	edx, [ecx+1]
		movzx	ecx, ax
		movzx	eax, word ptr [edi+8]
		add	ecx, edx
		mov	[ebp+var_C], edx
		cmp	ecx, eax
		ja	loc_92C2DB
		cmp	[ebp+arg_0], bl
		jz	short loc_8945AC
		movzx	esi, word ptr [edi+6]
		cmp	si, [edi+4]
		jnb	short loc_8945AC
		push	2
		pop	ecx
		mov	eax, edx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_8945AC
		push	[ebp+var_4]	; size_t
		lea	eax, [esi+1]
		mov	ebx, esi
		push	[ebp+var_8]	; void *
		mov	[edi+6], ax
		mov	eax, [ebp+arg_4]
		movzx	esi, ax
		inc	eax
		mov	[edi+0Ah], ax
		mov	eax, [edi+10h]
		movsx	ecx, si
		lea	eax, [eax+ecx*2]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		add	[edi+0Ah], ax
		mov	eax, [edi+0Ch]
		mov	[eax+ebx*2], si

loc_8945A3:				; CODE XREF: RtlpMuiRegGetOrAddStringToPool+2Aj
		mov	eax, ebx

loc_8945A5:				; CODE XREF: RtlpMuiRegGetOrAddStringToPool+E1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8945AC:				; CODE XREF: RtlpMuiRegGetOrAddStringToPool+32j
					; RtlpMuiRegGetOrAddStringToPool+3Dj ...
		or	eax, 0FFFFFFFFh
		jmp	short loc_8945A5
RtlpMuiRegGetOrAddStringToPool endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RtlpMuiRegGetStringIndexInPool(x, x)
_RtlpMuiRegGetStringIndexInPool@8 proc near ; CODE XREF: RtlpMuiRegGetOrAddStringToPool+16p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		test	edi, edi
		jz	short loc_8945F4
		test	ebx, ebx
		jz	short loc_8945F4
		xor	eax, eax
		xor	esi, esi
		cmp	ax, [edi+6]
		jnb	short loc_8945F4

loc_8945CD:				; CODE XREF: RtlpMuiRegGetStringIndexInPool(x,x)+40j
		mov	eax, [edi+0Ch]
		movsx	ecx, word ptr [eax+esi*2]
		mov	eax, [edi+10h]
		lea	eax, [eax+ecx*2]
		cmp	eax, ebx
		jz	short loc_8945FB
		push	ebx		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_8945FB
		movzx	eax, word ptr [edi+6]
		inc	esi
		cmp	esi, eax
		jl	short loc_8945CD

loc_8945F4:				; CODE XREF: RtlpMuiRegGetStringIndexInPool(x,x)+Bj
					; RtlpMuiRegGetStringIndexInPool(x,x)+Fj ...
		or	eax, 0FFFFFFFFh

loc_8945F7:				; CODE XREF: RtlpMuiRegGetStringIndexInPool(x,x)+4Bj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8945FB:				; CODE XREF: RtlpMuiRegGetStringIndexInPool(x,x)+2Aj
					; RtlpMuiRegGetStringIndexInPool(x,x)+37j
		mov	eax, esi
		jmp	short loc_8945F7
_RtlpMuiRegGetStringIndexInPool@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2020. RtlCultureNameToLCID

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCultureNameToLCID(x, x)
		public _RtlCultureNameToLCID@8
_RtlCultureNameToLCID@8	proc near	; CODE XREF: RtlpMuiRegLoadLicInformation+180p
					; RtlpMuiRegLoadLicInformation+29Ep ...

var_B0		= dword	ptr -0B0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		xor	cl, cl		; void *
		push	edi
		mov	edi, [ebp+arg_4]
		test	eax, eax
		jz	short loc_894683
		test	edi, edi
		jz	short loc_894683
		push	esi
		movzx	esi, word ptr [eax]
		xor	edx, edx
		cmp	dx, si
		jz	short loc_894682
		mov	edx, [eax+4]
		test	edx, edx
		jz	short loc_894682
		lea	eax, [esi+2]
		cmp	eax, 55h
		ja	short loc_894682
		push	esi		; size_t
		push	edx		; void *
		lea	eax, [ebp+var_B0]
		push	eax		; void *
		call	_memcpy
		and	esi, 0FFFFFFFEh
		add	esp, 0Ch
		cmp	esi, 0AAh
		jnb	short loc_894694
		push	2
		xor	eax, eax
		lea	ecx, [ebp+var_B0]
		pop	edx
		mov	word ptr [ebp+esi+var_B0], ax
		call	_DownLevelLanguageNameToLangID@8 ; DownLevelLanguageNameToLangID(x,x)
		movzx	eax, ax
		test	eax, eax
		mov	[edi], eax
		setnz	cl

loc_894682:				; CODE XREF: RtlCultureNameToLCID(x,x)+2Fj
					; RtlCultureNameToLCID(x,x)+36j ...
		pop	esi

loc_894683:				; CODE XREF: RtlCultureNameToLCID(x,x)+20j
					; RtlCultureNameToLCID(x,x)+24j
		mov	al, cl
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_894694:				; CODE XREF: RtlCultureNameToLCID(x,x)+5Aj
		call	___report_rangecheckfailure
		int	3		; Trap to Debugger
_RtlCultureNameToLCID@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpGetWindowsPolicy proc near		; CODE XREF: RtlpMuiRegLoadLicInformation+6Cp
					; RtlpMuiRegLoadLicInformation+8Cp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092CA01 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		mov	[ebp+var_4], edi
		test	edi, edi
		jz	loc_92CA15
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	loc_92CA15
		cmp	[ebp+arg_4], esi
		jz	loc_92CA15
		test	ecx, ecx
		jz	loc_92CA15
		push	ecx
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		push	esi
		push	esi
		push	edi
		lea	eax, [ebp+var_C]
		push	eax
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	loc_92CA01
		cmp	edi, 0C0000023h
		jnz	short loc_89472D
		mov	ebx, [ebx]
		test	ebx, ebx
		jz	short loc_89475A

loc_894707:				; CODE XREF: RtlpGetWindowsPolicy+9836Bj
		push	72746C6Dh
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_89475E
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_894726:				; CODE XREF: RtlpGetWindowsPolicy+C2j
		test	esi, esi
		jz	short loc_89475E
		mov	ebx, [ebp+arg_0]

loc_89472D:				; CODE XREF: RtlpGetWindowsPolicy+65j
		push	ebx
		push	dword ptr [ebx]
		lea	eax, [ebp+var_C]
		push	esi
		push	[ebp+var_4]
		push	eax
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_894751
		mov	eax, [ebp+arg_4]
		mov	[eax], esi

loc_894748:				; CODE XREF: RtlpGetWindowsPolicy+B9j
					; RtlpGetWindowsPolicy+C9j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_894751:				; CODE XREF: RtlpGetWindowsPolicy+A7j
					; RtlpGetWindowsPolicy+98380j
		test	esi, esi
		jz	short loc_894748
		jmp	loc_92CA1F
; 

loc_89475A:				; CODE XREF: RtlpGetWindowsPolicy+6Bj
		xor	esi, esi
		jmp	short loc_894726
; 

loc_89475E:				; CODE XREF: RtlpGetWindowsPolicy+7Ej
					; RtlpGetWindowsPolicy+8Ej
		mov	edi, 0C0000017h
		jmp	short loc_894748
RtlpGetWindowsPolicy endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ValidateRegistrLangType(x)
_ValidateRegistrLangType@4 proc	near	; CODE XREF: _RtlpMuiRegLoadInstalledFromKey+196p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		xor	edx, edx
		test	bl, 18h
		jz	short loc_8947A1
		test	bl, 7
		jz	short loc_8947A1
		push	esi
		mov	esi, offset _ulInvalidTypes

loc_89477D:				; CODE XREF: ValidateRegistrLangType(x)+2Aj
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, ebx
		cmp	ecx, eax
		jz	short loc_8947A8
		add	esi, 4
		cmp	esi, offset dword_412E18
		jl	short loc_89477D
		test	bl, 3
		jz	short loc_89479C
		test	bl, 10h
		jz	short loc_8947A8

loc_89479C:				; CODE XREF: ValidateRegistrLangType(x)+2Fj
					; ValidateRegistrLangType(x)+47j
		pop	esi

loc_89479D:				; CODE XREF: ValidateRegistrLangType(x)+40j
		mov	eax, edx
		pop	ebx
		retn
; 

loc_8947A1:				; CODE XREF: ValidateRegistrLangType(x)+Aj
					; ValidateRegistrLangType(x)+Fj
		mov	edx, 0C000000Dh
		jmp	short loc_89479D
; 

loc_8947A8:				; CODE XREF: ValidateRegistrLangType(x)+1Fj
					; ValidateRegistrLangType(x)+34j
		mov	edx, 0C000000Dh
		jmp	short loc_89479C
_ValidateRegistrLangType@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpMuiRegFreeRegistryInfo proc	near	; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+175p
					; RtlpMuiRegLoadRegistryInfo+33p ...

; FUNCTION CHUNK AT 0092CA6A SIZE 000000F3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		mov	ebx, edx
		test	esi, esi
		jz	loc_92CB53
		test	ebx, ebx
		jz	loc_92CB53
		test	ebx, 400h
		jnz	loc_8948CD

loc_8947DE:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+122j
		test	bl, 1
		jz	short loc_8947FC
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_8947F9
		test	byte ptr [esi],	1
		jz	short loc_8947F6
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8947F6:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+3Dj
		mov	[esi+14h], edi

loc_8947F9:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+38j
		and	dword ptr [esi], 0FFFFFFFEh

loc_8947FC:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+31j
		test	bl, 2
		jz	short loc_89481A
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_894817
		test	byte ptr [esi],	2
		jz	short loc_894814
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_894814:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+5Bj
		mov	[esi+18h], edi

loc_894817:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+56j
		and	dword ptr [esi], 0FFFFFFFDh

loc_89481A:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+4Fj
		test	bl, 4
		jz	short loc_89482D
		mov	eax, [esi+1Ch]
		test	eax, eax
		jnz	loc_8948D7

loc_89482A:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+136j
		and	dword ptr [esi], 0FFFFFFFBh

loc_89482D:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+6Dj
		test	bl, 8
		jz	short loc_894840
		mov	eax, [esi+20h]
		test	eax, eax
		jnz	loc_92CA6A

loc_89483D:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+982C9j
		and	dword ptr [esi], 0FFFFFFF7h

loc_894840:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+80j
		test	bl, 10h
		jz	short loc_894853
		mov	eax, [esi+24h]
		test	eax, eax
		jnz	loc_92CA7E

loc_894850:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+982EEj
		and	dword ptr [esi], 0FFFFFFEFh

loc_894853:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+93j
		test	bl, 20h
		jz	short loc_894866
		mov	eax, [esi+28h]
		test	eax, eax
		jnz	loc_92CAA3

loc_894863:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+98313j
		and	dword ptr [esi], 0FFFFFFDFh

loc_894866:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+A6j
		test	bl, 40h
		jz	short loc_894879
		mov	eax, [esi+34h]
		test	eax, eax
		jnz	loc_92CAC8

loc_894876:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+98338j
		and	dword ptr [esi], 0FFFFFFBFh

loc_894879:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+B9j
		test	bl, bl
		jns	short loc_89488E
		mov	eax, [esi+30h]
		test	eax, eax
		jnz	loc_92CAED

loc_894888:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+9835Dj
		and	dword ptr [esi], 0FFFFFF7Fh

loc_89488E:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+CBj
		mov	ecx, 200h
		test	ebx, ecx
		jz	short loc_8948A8
		mov	eax, [esi+38h]
		test	eax, eax
		jnz	loc_92CB12

loc_8948A2:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+98381j
		and	dword ptr [esi], 0FFFFFDFFh

loc_8948A8:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+E5j
		mov	ecx, 800h
		test	ebx, ecx
		jnz	short loc_8948EB

loc_8948B1:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+156j
		test	ebx, 0FFFh
		jz	short loc_8948C4
		mov	ecx, [esi+3Ch]
		test	ecx, ecx
		jnz	loc_92CB36

loc_8948C4:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+107j
					; RtlpMuiRegFreeRegistryInfo+9839Ej ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8948CD:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+28j
		mov	ebx, 0FFFh
		jmp	loc_8947DE
; 

loc_8948D7:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+74j
		test	byte ptr [esi],	4
		jz	short loc_8948E3
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8948E3:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+12Aj
		mov	[esi+1Ch], edi
		jmp	loc_89482A
; 

loc_8948EB:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+FFj
		mov	eax, [esi+50h]
		test	eax, eax
		jz	short loc_894900
		test	[esi], ecx
		jz	short loc_8948FD
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8948FD:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+144j
		mov	[esi+50h], edi

loc_894900:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+140j
		and	dword ptr [esi], 0FFFFF7FFh
		jmp	short loc_8948B1
RtlpMuiRegFreeRegistryInfo endp


;  S U B	R O U T	I N E 


; __stdcall RtlpMuiRegCreateRegistryInfo()
_RtlpMuiRegCreateRegistryInfo@0	proc near
					; CODE XREF: RtlpMuiRegCreateKernelRegistryInfo+46p
		mov	edi, edi
		push	esi
		push	72746C6Dh
		push	64h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_894939
		push	60h		; size_t
		lea	ecx, [esi+4]
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [esi], 400h
		mov	eax, esi
		pop	esi
		retn
; 

loc_894939:				; CODE XREF: RtlpMuiRegCreateRegistryInfo()+15j
		xor	eax, eax
		pop	esi
		retn
_RtlpMuiRegCreateRegistryInfo@0	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapAdjustFlag(x, x, x)
_HvpViewMapAdjustFlag@12 proc near	; CODE XREF: HvUnlockHiveFilePages(x)+1Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, ecx
		mov	eax, [edi+1Ch]
		test	al, 2
		jz	loc_894A0A
		xor	edx, edx
		mov	ecx, 1000h
		mov	[ebp+var_4], edx
		cmp	edx, [edi+0Ch]
		jl	short loc_89496C
		jg	loc_8949E9
		cmp	ecx, [edi+8]
		jnb	short loc_8949E9

loc_89496C:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+21j
		push	ebx
		push	esi
		lea	ebx, [edi+20h]

loc_894971:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+9Dj
					; HvpViewMapAdjustFlag(x,x,x)+A4j
		test	byte ptr [ebx+4], 1
		mov	esi, [ebx]
		jz	short loc_894983
		test	esi, esi
		jz	loc_894A03
		xor	esi, ebx

loc_894983:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+39j
					; HvpViewMapAdjustFlag(x,x,x)+C7j
		movzx	edx, byte ptr [ebx+4]
		and	edx, 1
		test	esi, esi
		jz	short loc_8949BA
		mov	ebx, [ebp+var_4]

loc_894991:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+69j
		cmp	ebx, [esi+24h]
		jl	short loc_89499D
		jg	short loc_8949AB
		cmp	ecx, [esi+20h]
		jnb	short loc_8949AB

loc_89499D:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+56j
		mov	eax, [esi]

loc_89499F:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+C3j
		test	edx, edx
		jnz	short loc_8949F6

loc_8949A3:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+BAj
		mov	esi, eax

loc_8949A5:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+BEj
		test	esi, esi
		jnz	short loc_894991
		jmp	short loc_8949B7
; 

loc_8949AB:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+58j
					; HvpViewMapAdjustFlag(x,x,x)+5Dj
		cmp	ebx, [esi+2Ch]
		jl	short loc_8949B7
		jg	short loc_8949FE
		cmp	ecx, [esi+28h]
		jnb	short loc_8949FE

loc_8949B7:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+6Bj
					; HvpViewMapAdjustFlag(x,x,x)+70j
		lea	ebx, [edi+20h]

loc_8949BA:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+4Ej
		push	dword ptr [esi+2Ch]
		mov	edx, esi
		mov	ecx, edi
		push	dword ptr [esi+28h]
		push	dword ptr [esi+24h]
		push	dword ptr [esi+20h]
		call	HvpViewMapMakeViewRangeUnCOWByPolicy
		mov	eax, [esi+2Ch]
		mov	ecx, [esi+28h]
		mov	[ebp+var_4], eax
		cmp	eax, [edi+0Ch]
		jl	short loc_894971
		jg	short loc_8949E4
		cmp	ecx, [edi+8]
		jb	short loc_894971

loc_8949E4:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+9Fj
		mov	eax, [edi+1Ch]
		pop	esi
		pop	ebx

loc_8949E9:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+23j
					; HvpViewMapAdjustFlag(x,x,x)+2Cj
		and	eax, 0FFFFFFFDh
		mov	[edi+1Ch], eax
		xor	eax, eax
		pop	edi
		leave
		retn	4
; 

loc_8949F6:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+63j
		test	eax, eax
		jz	short loc_8949A3
		xor	esi, eax
		jmp	short loc_8949A5
; 

loc_8949FE:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+72j
					; HvpViewMapAdjustFlag(x,x,x)+77j
		mov	eax, [esi+4]
		jmp	short loc_89499F
; 

loc_894A03:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+3Dj
		xor	esi, esi
		jmp	loc_894983
; 

loc_894A0A:				; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+Ej
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_HvpViewMapAdjustFlag@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvpViewMapMakeViewRangeUnCOWByPolicy proc near ; CODE XREF: HvpViewMapAdjustFlag(x,x,x)+8Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092CB5D SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		push	esi
		mov	[ebp+var_4], ecx
		mov	esi, edx
		mov	ecx, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+arg_4], ecx
		cmp	ecx, [ebp+arg_C]
		jl	short loc_894A38
		jg	short loc_894A95
		cmp	edi, [ebp+arg_8]
		jnb	short loc_894A95

loc_894A38:				; CODE XREF: HvpViewMapMakeViewRangeUnCOWByPolicy+1Fj
		push	ebx

loc_894A39:				; CODE XREF: HvpViewMapMakeViewRangeUnCOWByPolicy+7Bj
					; HvpViewMapMakeViewRangeUnCOWByPolicy+82j
		mov	eax, [esi+10h]
		mov	ebx, edi
		mov	edx, [esi+30h]
		sub	ebx, eax
		shr	ebx, 0Ch
		sub	edx, eax
		add	edx, edi
		mov	[ebp+var_8], edx
		mov	al, [ebx+esi+38h]
		test	al, 10h
		jz	short loc_894A78
		mov	eax, [ebp+var_4]
		push	1000h
		push	edx
		mov	edx, [eax+18h]
		call	_CmSiUnlockViewOfSection@16 ; CmSiUnlockViewOfSection(x,x,x,x)
		and	byte ptr [ebx+esi+38h],	0EFh
		dec	dword ptr [esi+34h]
		mov	al, [ebx+esi+38h]
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+var_8]

loc_894A78:				; CODE XREF: HvpViewMapMakeViewRangeUnCOWByPolicy+43j
		test	al, 4
		jnz	short loc_894A9B

loc_894A7C:				; CODE XREF: HvpViewMapMakeViewRangeUnCOWByPolicy+93j
					; HvpViewMapMakeViewRangeUnCOWByPolicy+9816Aj
		add	edi, 1000h
		adc	ecx, 0
		mov	[ebp+arg_4], ecx
		cmp	ecx, [ebp+arg_C]
		jl	short loc_894A39
		jg	short loc_894A94
		cmp	edi, [ebp+arg_8]
		jb	short loc_894A39

loc_894A94:				; CODE XREF: HvpViewMapMakeViewRangeUnCOWByPolicy+7Dj
		pop	ebx

loc_894A95:				; CODE XREF: HvpViewMapMakeViewRangeUnCOWByPolicy+21j
					; HvpViewMapMakeViewRangeUnCOWByPolicy+26j
		pop	edi
		pop	esi
		leave
		retn	10h
; 

loc_894A9B:				; CODE XREF: HvpViewMapMakeViewRangeUnCOWByPolicy+6Aj
		and	al, 0FBh
		mov	[ebx+esi+38h], al
		test	al, 2
		jnz	short loc_894A7C
		jmp	loc_92CB5D
HvpViewMapMakeViewRangeUnCOWByPolicy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetMatchingDeviceList proc near	; CODE XREF: _PnpDispatchDevice+CCp
					; _CmDeleteDeviceWorker(x,x,x)+302p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0092CB7F SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	ebx, [ecx+100h]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_18], edi
		mov	edi, 0C0000120h
		mov	[ebp+var_34], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], esi
		mov	[ebp+var_14], eax
		test	ebx, ebx
		jz	short loc_894B22
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	4
		push	1
		push	0
		push	ecx
		call	ebx
		cmp	eax, 0C0000002h
		jnz	loc_92CB7F
		xor	ebx, ebx

loc_894B1F:				; CODE XREF: _CmGetMatchingDeviceList+980DDj
		mov	ecx, [ebp+var_34]

loc_894B22:				; CODE XREF: _CmGetMatchingDeviceList+57j
		movzx	eax, word ptr [ebp+var_14]
		test	eax, eax
		jnz	short loc_894B5E
		push	[ebp+var_18]
		xor	edx, edx
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		push	[ebp+var_28]
		push	eax
		call	_CmGetMatchingDeviceListForSubkey
		mov	esi, eax

loc_894B43:				; CODE XREF: _CmGetMatchingDeviceList+B9j
		test	ebx, ebx
		jnz	loc_92CB94

loc_894B4B:				; CODE XREF: _CmGetMatchingDeviceList+980E5j
					; _CmGetMatchingDeviceList+98103j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_894B5E:				; CODE XREF: _CmGetMatchingDeviceList+7Ej
		mov	esi, 0C000000Dh
		jmp	short loc_894B43
_CmGetMatchingDeviceList endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetMatchingInstallerClassList(x,	x, x, x, x, x, x)
__CmGetMatchingInstallerClassList@28 proc near ; CODE XREF: _PnpDispatchInstallerClass+97p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_10]
		test	si, si
		jnz	short loc_894B8F
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	2
		pop	edx
		call	_CmGetMatchingCommonClassList

loc_894B8A:				; CODE XREF: _CmGetMatchingInstallerClassList(x,x,x,x,x,x,x)+2Ej
		pop	esi
		pop	ebp
		retn	14h
; 

loc_894B8F:				; CODE XREF: _CmGetMatchingInstallerClassList(x,x,x,x,x,x,x)+Cj
		mov	eax, 0C000000Dh
		jmp	short loc_894B8A
__CmGetMatchingInstallerClassList@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetMatchingInterfaceClassList(x,	x, x, x, x, x, x)
__CmGetMatchingInterfaceClassList@28 proc near ; CODE XREF: _PnpDispatchInterfaceClass+97p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_10]
		test	si, si
		jnz	short loc_894BBF
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	4
		pop	edx
		call	_CmGetMatchingCommonClassList

loc_894BBA:				; CODE XREF: _CmGetMatchingInterfaceClassList(x,x,x,x,x,x,x)+2Ej
		pop	esi
		pop	ebp
		retn	14h
; 

loc_894BBF:				; CODE XREF: _CmGetMatchingInterfaceClassList(x,x,x,x,x,x,x)+Cj
		mov	eax, 0C000000Dh
		jmp	short loc_894BBA
__CmGetMatchingInterfaceClassList@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpDispatchDevicePanel	proc near	; DATA XREF: _PnpCtxOpenMachine+176o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0092CBC9 SIZE 000000BC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_C]
		xor	edx, edx
		dec	eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		push	esi
		mov	esi, edx
		cmp	eax, 8		; switch 9 cases
		ja	short loc_894C15 ; default
		jmp	ds:off_894C1E[eax*4] ; switch jump

loc_894BE8:				; DATA XREF: PAGE:off_894C1Eo
		mov	ecx, [ebp+arg_10] ; case 0x4
		mov	eax, [ecx]
		test	eax, eax
		jnz	loc_92CC03

loc_894BF5:				; CODE XREF: _PnpDispatchDevicePanel+9804Ej
		mov	eax, [ecx+14h]
		and	eax, 0FFFF0000h
		push	eax
		push	dword ptr [ecx+10h]
		push	dword ptr [ecx+0Ch]
		push	dword ptr [ecx+8]
		mov	ecx, [ebp+arg_0]
		push	esi
		call	_CmGetMatchingDevicePanelList

loc_894C10:				; CODE XREF: _PnpDispatchDevicePanel+54j
					; _PnpDispatchDevicePanel+9800Bj ...
		pop	esi
		leave
		retn	14h
; 

loc_894C15:				; CODE XREF: _PnpDispatchDevicePanel+19j
		mov	eax, 0C000000Dh	; default
		jmp	short loc_894C10
_PnpDispatchDevicePanel	endp

; 
		db 8Bh,	0FFh
off_894C1E	dd offset loc_92CBC9	; DATA XREF: _PnpDispatchDevicePanel+1Br
		dd offset loc_92CBD6	; jump table for switch	statement
		dd offset loc_92CBF9
		dd offset loc_92CBF9
		dd offset loc_894BE8
		dd offset loc_92CC19
		dd offset loc_92CC31
		dd offset loc_92CC4B
		dd offset loc_92CC6E

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetMatchingDevicePanelList proc near	; CODE XREF: _PnpDispatchDevicePanel+45p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0092CC85 SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	ebx, [ecx+100h]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_18], edi
		mov	edi, 0C0000120h
		mov	[ebp+var_34], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], esi
		mov	[ebp+var_14], eax
		test	ebx, ebx
		jz	short loc_894CBA
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	4
		push	6
		push	0
		push	ecx
		call	ebx
		cmp	eax, 0C0000002h
		jnz	loc_92CC85
		xor	ebx, ebx

loc_894CB7:				; CODE XREF: _CmGetMatchingDevicePanelList+9804Bj
		mov	ecx, [ebp+var_34]

loc_894CBA:				; CODE XREF: _CmGetMatchingDevicePanelList+57j
		push	[ebp+var_14]
		mov	edx, [ebp+var_28]
		push	[ebp+var_18]
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		call	_CmGetMatchingDevicePanelListWorker
		mov	esi, eax
		test	ebx, ebx
		jnz	loc_92CC9A

loc_894CDB:				; CODE XREF: _CmGetMatchingDevicePanelList+98053j
					; _CmGetMatchingDevicePanelList+98071j	...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_CmGetMatchingDevicePanelList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetMatchingDeviceListForSubkey proc near ; CODE XREF: _CmGetMatchingDeviceList+92p
					; _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+87p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0092CCCF SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_14]
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	ecx, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_14], edi
		mov	[ebp+var_4], ecx
		mov	[eax], ecx
		cmp	[ebp+arg_10], ecx
		jbe	short loc_894D18
		mov	eax, [ebp+arg_C]
		mov	[eax], cx

loc_894D18:				; CODE XREF: _CmGetMatchingDeviceListForSubkey+22j
		lea	eax, [ebp+var_C]
		mov	ecx, ebx
		push	eax
		push	5
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_894E3B
		xor	ecx, ecx
		mov	eax, edi
		mov	[ebp+var_8], ecx
		test	edi, edi
		jnz	loc_92CCCF

loc_894D3F:				; CODE XREF: _CmGetMatchingDeviceListForSubkey+9800Dj
					; _CmGetMatchingDeviceListForSubkey+9801Cj ...
		test	esi, esi
		js	loc_894E3B
		test	ebx, ebx
		jz	loc_92CD23
		mov	ecx, [ebx+74h]

loc_894D52:				; CODE XREF: _CmGetMatchingDeviceListForSubkey+98037j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		push	0
		push	edi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C000017Ch
		jz	loc_92CD2A
		test	esi, esi
		js	loc_894E3B
		push	52504E50h
		push	1ACh
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_92CD34
		push	1A8h		; size_t
		xor	esi, esi
		lea	eax, [edi+4]
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		lea	ecx, [edi+4]
		add	esp, 0Ch
		mov	edx, 0C8h
		inc	eax
		mov	[edi], eax
		push	900h
		push	esi
		push	esi
		push	[ebp+var_14]
		call	RtlStringCchCopyExW
		mov	al, [ebp+arg_0]
		mov	ecx, ebx
		mov	[edi+194h], al
		mov	eax, [ebp+arg_4]
		mov	[edi+198h], eax
		mov	eax, [ebp+arg_8]
		mov	[edi+19Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[edi+1A0h], eax
		mov	eax, [ebp+arg_10]
		push	edi
		mov	[edi+1A4h], eax
		mov	[edi+1A8h], esi
		mov	edx, [ebp+var_4]
		push	offset _CmEnumSubkeyCallback
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_894E33
		mov	ecx, [ebp+arg_14]
		mov	eax, [edi+1A8h]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_894E33
		inc	eax
		mov	[ecx], eax
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_894E52
		cmp	[ebp+arg_10], eax
		jb	short loc_894E52
		xor	edx, edx
		mov	[ecx+eax*2-2], dx

loc_894E33:				; CODE XREF: _CmGetMatchingDeviceListForSubkey+11Ej
					; _CmGetMatchingDeviceListForSubkey+12Dj ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_894E3B:				; CODE XREF: _CmGetMatchingDeviceListForSubkey+3Cj
					; _CmGetMatchingDeviceListForSubkey+53j ...
		cmp	[ebp+var_4], 0
		jz	short loc_894E49
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_894E49:				; CODE XREF: _CmGetMatchingDeviceListForSubkey+151j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_894E52:				; CODE XREF: _CmGetMatchingDeviceListForSubkey+137j
					; _CmGetMatchingDeviceListForSubkey+13Cj
		mov	esi, 0C0000023h
		jmp	short loc_894E33
_CmGetMatchingDeviceListForSubkey endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetMatchingDevicePanelListWorker proc near ;	CODE XREF: _CmGetMatchingDevicePanelList+8Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0092CD3E SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_C]
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		and	dword ptr [eax], 0
		cmp	[ebp+arg_8], 0
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], ecx
		jbe	short loc_894E83
		xor	eax, eax
		mov	[ebx], ax

loc_894E83:				; CODE XREF: _CmGetMatchingDevicePanelListWorker+22j
		lea	eax, [ebp+var_4]
		push	eax
		push	0Bh
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_894F25
		push	52504E50h
		xor	edi, edi
		push	90h
		inc	edi
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_92CD3E
		push	74h		; size_t
		lea	eax, [esi+4]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		and	dword ptr [esi+88h], 0
		mov	[esi+78h], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+7Ch], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	[esi+84h], eax
		mov	eax, [ebp+arg_10]
		push	offset __CmDevicePanelEnumSubkeyCallback@16 ; _CmDevicePanelEnumSubkeyCallback(x,x,x,x)
		mov	[esi], edi
		mov	[esi+80h], ebx
		mov	[esi+8Ch], eax
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_894F1D
		mov	ecx, [ebp+arg_C]
		mov	eax, [esi+88h]
		mov	[ecx], eax
		test	eax, eax
		jnz	loc_92CD48

loc_894F1D:				; CODE XREF: _CmGetMatchingDevicePanelListWorker+AEj
					; _CmGetMatchingDevicePanelListWorker+97F01j ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_894F25:				; CODE XREF: _CmGetMatchingDevicePanelListWorker+39j
					; _CmGetMatchingDevicePanelListWorker+97EE9j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_CmGetMatchingDevicePanelListWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetMatchingDeviceContainerList proc near ; CODE XREF: _PnpDispatchDeviceContainer+AEp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0092CD6A SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	ebx, [ecx+100h]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_18], edi
		mov	edi, 0C0000120h
		mov	[ebp+var_34], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], esi
		mov	[ebp+var_14], eax
		test	ebx, ebx
		jz	short loc_894FA6
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	4
		push	5
		push	0
		push	ecx
		call	ebx
		cmp	eax, 0C0000002h
		jnz	loc_92CD6A
		xor	ebx, ebx

loc_894FA3:				; CODE XREF: _CmGetMatchingDeviceContainerList+97E44j
		mov	ecx, [ebp+var_34]

loc_894FA6:				; CODE XREF: _CmGetMatchingDeviceContainerList+57j
		mov	edx, [ebp+var_28]
		push	ecx
		push	[ebp+var_18]
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		call	__CmGetMatchingDeviceContainerListWorker@28 ; _CmGetMatchingDeviceContainerListWorker(x,x,x,x,x,x,x)
		mov	esi, eax
		test	ebx, ebx
		jnz	loc_92CD7F

loc_894FC5:				; CODE XREF: _CmGetMatchingDeviceContainerList+97E4Cj
					; _CmGetMatchingDeviceContainerList+97E6Aj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_CmGetMatchingDeviceContainerList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetMatchingDeviceContainerListWorker(x, x, x, x,	x, x, x)
__CmGetMatchingDeviceContainerListWorker@28 proc near
					; CODE XREF: _CmGetMatchingDeviceContainerList+88p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		push	esi
		push	edi
		push	eax
		push	0Ah
		mov	edi, edx
		mov	esi, ecx
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		test	eax, eax
		js	short loc_89501C
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+var_8]
		push	ecx
		push	[ebp+arg_C]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_10]
		push	[ebp+arg_8]
		mov	[ebp+var_10], edi
		push	[ebp+arg_4]
		push	eax
		push	ecx
		mov	ecx, esi
		call	__PnpGetGenericObjectList@32 ; _PnpGetGenericObjectList(x,x,x,x,x,x,x,x)

loc_89501C:				; CODE XREF: _CmGetMatchingDeviceContainerListWorker(x,x,x,x,x,x,x)+20j
		pop	edi
		pop	esi
		leave
		retn	14h
__CmGetMatchingDeviceContainerListWorker@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetMatchingFilteredDeviceInterfaceListWorker	proc near
					; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceList+C4p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= word ptr  24h

; FUNCTION CHUNK AT 0092CDB4 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_18]
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_C], ecx
		xor	edx, edx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], edx
		mov	[eax], edx
		cmp	[ebp+arg_14], edx
		jbe	short loc_895052
		mov	eax, [ebp+arg_10]
		mov	[eax], dx

loc_895052:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+28j
		mov	edx, [ebp+arg_4]
		test	edx, 0FFFFFFFEh
		jnz	loc_92CDB4
		movzx	eax, [ebp+arg_1C]
		test	eax, eax
		jnz	loc_92CDB4
		lea	eax, [ebp+var_8]
		and	edx, 1
		push	eax
		push	9
		mov	[ebp+arg_4], edx
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8951A1
		test	ebx, ebx
		jnz	loc_92CDBE
		mov	dword ptr [ebp+arg_1C],	1

loc_895098:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+97DAEj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	loc_92CDD5
		mov	ecx, [eax+74h]

loc_8950A6:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+97DB5j
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		push	0
		push	ebx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C000017Ch
		jz	loc_92CDDC
		test	esi, esi
		js	loc_8951A1
		push	52504E50h
		push	5A4h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_92CDE6
		push	5A0h		; size_t
		xor	esi, esi
		lea	eax, [edi+4]
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	eax, dword ptr [ebp+arg_1C]
		lea	ecx, [edi+3F4h]
		add	esp, 0Ch
		mov	[edi], eax
		mov	edx, 0C8h
		push	900h
		push	esi
		push	esi
		push	[ebp+arg_0]
		call	RtlStringCchCopyExW
		mov	eax, [ebp+arg_4]
		mov	ebx, [ebp+arg_10]
		mov	ecx, [ebp+var_C]
		mov	[edi+58Ch], al
		mov	eax, [ebp+arg_8]
		mov	[edi+590h], eax
		mov	eax, [ebp+arg_C]
		mov	[edi+594h], eax
		mov	eax, [ebp+arg_14]
		push	edi
		mov	[edi+584h], esi
		mov	[edi+588h], esi
		mov	[edi+598h], ebx
		mov	[edi+59Ch], eax
		mov	[edi+5A0h], esi
		mov	edx, [ebp+var_4]
		push	offset _CmDeviceClassesSubkeyCallback
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		mov	esi, eax
		mov	eax, [edi+584h]
		test	eax, eax
		jnz	loc_92CDF0

loc_89517B:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+97DD6j
		test	esi, esi
		js	short loc_8951A1
		mov	ecx, [ebp+arg_18]
		mov	eax, [edi+5A0h]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_8951A1
		inc	eax
		mov	[ecx], eax
		test	ebx, ebx
		jz	short loc_8951CD
		cmp	[ebp+arg_14], eax
		jb	short loc_8951CD
		xor	ecx, ecx
		mov	[ebx+eax*2-2], cx

loc_8951A1:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+61j
					; _CmGetMatchingFilteredDeviceInterfaceListWorker+A5j ...
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	edi, edi
		jz	short loc_8951B6
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8951B6:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+18Aj
		cmp	[ebp+var_4], 0
		jz	short loc_8951C4
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_8951C4:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+198j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_8951CD:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+171j
					; _CmGetMatchingFilteredDeviceInterfaceListWorker+176j
		mov	esi, 0C0000023h
		jmp	short loc_8951A1
_CmGetMatchingFilteredDeviceInterfaceListWorker	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpGetGenericObjectList(x,	x, x, x, x, x, x, x)
__PnpGetGenericObjectList@32 proc near	; CODE XREF: _CmGetMatchingDeviceContainerListWorker(x,x,x,x,x,x,x)+3Fp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_10]
		and	dword ptr [edi], 0
		test	ebx, ebx
		jz	short loc_8951F4
		xor	eax, eax
		mov	[esi], ax

loc_8951F4:				; CODE XREF: _PnpGetGenericObjectList(x,x,x,x,x,x,x,x)+19j
		mov	eax, [ebp+arg_4]
		and	[ebp+var_4], 0
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	offset __PnpObjectListCallback@16 ; _PnpObjectListCallback(x,x,x,x)
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_14], offset _CmContainerListGenericObjectCallback
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		test	eax, eax
		js	short loc_895238
		mov	ecx, [ebp+var_4]
		mov	[edi], ecx
		test	ecx, ecx
		jz	short loc_895238
		inc	ecx
		mov	[edi], ecx
		test	esi, esi
		jz	short loc_89523F
		cmp	ebx, ecx
		jb	short loc_89523F
		xor	edx, edx
		mov	[esi+ecx*2-2], dx

loc_895238:				; CODE XREF: _PnpGetGenericObjectList(x,x,x,x,x,x,x,x)+47j
					; _PnpGetGenericObjectList(x,x,x,x,x,x,x,x)+50j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_89523F:				; CODE XREF: _PnpGetGenericObjectList(x,x,x,x,x,x,x,x)+57j
					; _PnpGetGenericObjectList(x,x,x,x,x,x,x,x)+5Bj
		mov	eax, 0C0000023h
		jmp	short loc_895238
__PnpGetGenericObjectList@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetMatchingCommonClassList proc near	; CODE XREF: _CmGetMatchingInstallerClassList(x,x,x,x,x,x,x)+1Fp
					; _CmGetMatchingInterfaceClassList(x,x,x,x,x,x,x)+1Fp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0092CDFD SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_34], edx
		mov	edx, ecx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_10]
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	ebx, [edx+100h]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_20], esi
		mov	esi, [ebp+var_34]
		mov	[ebp+var_38], edx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], eax
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_28], edi
		test	ebx, ebx
		jz	short loc_8952C0
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	4
		push	esi
		push	0
		push	edx
		call	ebx
		cmp	eax, 0C0000002h
		jnz	loc_92CDFD
		xor	ebx, ebx

loc_8952C0:				; CODE XREF: _CmGetMatchingCommonClassList+5Dj
					; _CmGetMatchingCommonClassList+97BC2j
		mov	edi, [ebp+var_38]
		mov	edx, esi
		push	ecx
		push	[ebp+var_18]
		mov	ecx, edi
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		push	[ebp+var_28]
		call	_CmGetMatchingCommonClassListWorker
		mov	esi, eax
		test	ebx, ebx
		jnz	loc_92CE15

loc_8952E6:				; CODE XREF: _CmGetMatchingCommonClassList+97BCAj
					; _CmGetMatchingCommonClassList+97BE7j	...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_CmGetMatchingCommonClassList endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetMatchingCommonClassListWorker proc near ;	CODE XREF: _CmGetMatchingCommonClassList+91p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0092CE4C SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		mov	eax, ecx
		mov	ecx, [ebp+arg_10]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], eax
		and	[ecx], esi
		mov	ebx, edx
		push	edi
		cmp	[ebp+arg_C], esi
		jbe	short loc_895324
		mov	ecx, [ebp+arg_8]
		xor	edx, edx
		mov	[ecx], dx

loc_895324:				; CODE XREF: _CmGetMatchingCommonClassListWorker+20j
		cmp	ebx, 2
		jnz	loc_8953DF
		push	7

loc_89532F:				; CODE XREF: _CmGetMatchingCommonClassListWorker+ECj
		pop	edx
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, eax
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8953D6
		push	52504E50h
		push	1Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_92CE4C
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		and	dword ptr [esi+4], 0
		and	dword ptr [esi+18h], 0
		mov	[esi+8], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	[esi+10h], eax
		mov	eax, [ebp+arg_C]
		push	offset _CmClassSubkeyCallback
		mov	[esi], ebx
		mov	[esi+14h], eax
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8953CA
		cmp	ebx, 4
		jnz	short loc_8953A8
		mov	ebx, [ebp+var_8]
		cmp	byte ptr [ebx+4], 0
		jnz	loc_92CE56

loc_8953A8:				; CODE XREF: _CmGetMatchingCommonClassListWorker+9Fj
					; _CmGetMatchingCommonClassListWorker+97B80j ...
		mov	ecx, [ebp+arg_10]
		mov	eax, [esi+18h]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_8953CA
		inc	eax
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_8953EB
		cmp	[ebp+arg_C], eax
		jb	short loc_8953EB
		xor	edx, edx
		mov	[ecx+eax*2-2], dx

loc_8953CA:				; CODE XREF: _CmGetMatchingCommonClassListWorker+9Aj
					; _CmGetMatchingCommonClassListWorker+B8j ...
		test	esi, esi
		jz	short loc_8953D6
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8953D6:				; CODE XREF: _CmGetMatchingCommonClassListWorker+45j
					; _CmGetMatchingCommonClassListWorker+D2j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_8953DF:				; CODE XREF: _CmGetMatchingCommonClassListWorker+2Dj
		cmp	ebx, 4
		jnz	short loc_8953F2
		push	8
		jmp	loc_89532F
; 

loc_8953EB:				; CODE XREF: _CmGetMatchingCommonClassListWorker+C2j
					; _CmGetMatchingCommonClassListWorker+C7j
		mov	edi, 0C0000023h
		jmp	short loc_8953CA
; 

loc_8953F2:				; CODE XREF: _CmGetMatchingCommonClassListWorker+E8j
		mov	edi, 0C000000Dh
		jmp	short loc_8953CA
_CmGetMatchingCommonClassListWorker endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_RegRtlDeleteTreeInternal proc near	; CODE XREF: _PnpCtxRegDeleteTree(x,x,x)+1Ep
					; PpDevCfgProcessDeviceOperations+6C85Cp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092CE9C SIZE 0000011B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		xor	eax, eax
		mov	[esp+24h+var_C], ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, eax
		mov	[esp+30h+var_20], eax
		mov	[esp+30h+var_1C], eax
		mov	edi, eax
		mov	[esp+30h+var_8], eax
		mov	esi, edx
		mov	[esp+30h+var_14], eax
		mov	[esp+30h+var_10], eax
		lea	eax, [esp+30h+var_14]
		push	eax
		lea	eax, [esp+34h+var_10]
		mov	[esp+34h+var_4], esi
		push	eax
		mov	[esp+38h+var_18], ebx
		call	IoGetStackLimits
		lea	eax, [esp+30h+var_14]
		sub	eax, [esp+30h+var_10]
		cmp	eax, 400h
		jb	loc_92CE9C
		push	[ebp+arg_0]
		mov	ecx, [esp+34h+var_C]
		lea	eax, [esp+34h+var_20]
		push	eax
		push	3001Fh
		push	ebx
		mov	edx, esi
		call	_RegRtlOpenKeyTransacted
		mov	esi, eax
		test	esi, esi
		js	loc_89550D
		mov	ecx, [esp+30h+var_20]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+3Ch+var_1C]
		xor	edx, edx
		push	eax
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		push	2
		pop	ecx
		test	eax, eax
		jnz	short loc_8954B4
		mov	eax, [esp+30h+var_1C]
		test	eax, eax
		jnz	loc_92CEA6

loc_89549D:				; CODE XREF: _RegRtlDeleteTreeInternal+97ACCj
		mul	ecx
		lea	ecx, [esp+30h+var_18]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_89550D
		mov	ebx, [esp+30h+var_18]

loc_8954B4:				; CODE XREF: _RegRtlDeleteTreeInternal+95j
		test	ebx, ebx
		jnz	loc_92CECB

loc_8954BC:				; CODE XREF: _RegRtlDeleteTreeInternal+97AE2j
					; _RegRtlDeleteTreeInternal+97B74j ...
		xor	eax, eax

loc_8954BE:				; CODE XREF: _RegRtlDeleteTreeInternal+97B7Fj
		mov	[esp+30h+var_1C], eax

loc_8954C2:				; CODE XREF: _RegRtlDeleteTreeInternal+97B49j
		mov	ecx, ebx
		mov	edx, eax
		shr	ecx, 1
		mov	[esp+30h+var_14], ecx
		mov	[esp+30h+var_10], ecx
		lea	ecx, [esp+30h+var_10]
		push	ecx
		mov	ecx, [esp+34h+var_20]
		push	edi
		call	_RegRtlEnumKey
		cmp	eax, 8000001Ah
		jnz	loc_92CEEC

loc_8954EA:				; CODE XREF: _RegRtlDeleteTreeInternal+97AF7j
					; _RegRtlDeleteTreeInternal+97B50j ...
		test	esi, esi
		js	short loc_89550D
		push	[ebp+arg_0]
		mov	edx, [esp+34h+var_4]
		mov	ecx, [esp+34h+var_C]
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)
		cmp	eax, 0C0000121h
		jz	loc_92CF88
		test	eax, eax
		js	short loc_895530

loc_89550D:				; CODE XREF: _RegRtlDeleteTreeInternal+75j
					; _RegRtlDeleteTreeInternal+B4j ...
		cmp	[esp+30h+var_20], 0
		jz	short loc_89551D
		push	[esp+30h+var_20]
		call	_ZwClose@4	; ZwClose(x)

loc_89551D:				; CODE XREF: _RegRtlDeleteTreeInternal+118j
		test	edi, edi
		jnz	loc_92CFAA

loc_895525:				; CODE XREF: _RegRtlDeleteTreeInternal+97BB8j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_895530:				; CODE XREF: _RegRtlDeleteTreeInternal+111j
					; _RegRtlDeleteTreeInternal+97B93j ...
		mov	esi, eax
		jmp	short loc_89550D
_RegRtlDeleteTreeInternal endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _RegRtlDeleteKeyTransacted(x, x, x)
__RegRtlDeleteKeyTransacted@12 proc near ; CODE	XREF: _RegRtlDeleteTreeInternal+FFp
					; _CmAddDeviceToContainerWorker+6E805p	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		test	edx, edx
		jz	short loc_89555F
		push	[ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	eax
		push	10000h
		push	0
		call	_RegRtlOpenKeyTransacted
		mov	esi, eax
		test	esi, esi
		js	short loc_895567
		mov	ecx, [ebp+var_4]

loc_89555F:				; CODE XREF: _RegRtlDeleteKeyTransacted(x,x,x)+Dj
		push	ecx
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)
		mov	esi, eax

loc_895567:				; CODE XREF: _RegRtlDeleteKeyTransacted(x,x,x)+26j
		cmp	[ebp+var_4], 0
		jz	short loc_895575
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_895575:				; CODE XREF: _RegRtlDeleteKeyTransacted(x,x,x)+37j
		mov	eax, esi
		pop	esi
		leave
		retn	4
__RegRtlDeleteKeyTransacted@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxRegEnumKeyWithCallback(x, x,	x, x)
__PnpCtxRegEnumKeyWithCallback@16 proc near
					; CODE XREF: _CmGetMatchingDeviceListForSubkey+115p
					; _CmGetMatchingDevicePanelListWorker+A5p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		test	ecx, ecx
		jz	short loc_8955BB
		mov	esi, [ecx+74h]

loc_89558C:				; CODE XREF: _PnpCtxRegEnumKeyWithCallback(x,x,x,x)+41j
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], ecx
		mov	ecx, edx
		push	eax
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], offset __PnpCtxInternalEnumKeyCallback@16	; _PnpCtxInternalEnumKeyCallback(x,x,x,x)
		call	_RegRtlEnumKeyWithCallback
		pop	esi
		leave
		retn	8
; 

loc_8955BB:				; CODE XREF: _PnpCtxRegEnumKeyWithCallback(x,x,x,x)+Bj
		xor	esi, esi
		jmp	short loc_89558C
__PnpCtxRegEnumKeyWithCallback@16 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_RegRtlEnumKeyWithCallback proc	near	; CODE XREF: _PnpCtxRegEnumKeyWithCallback(x,x,x,x)+35p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092CFB7 SIZE 0000008B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	[esp+7Ch+var_5C], eax
		xor	eax, eax
		push	edi
		mov	ebx, eax
		mov	[esp+80h+var_74], eax
		mov	esi, eax
		mov	[esp+80h+var_64], eax
		mov	edi, eax
		mov	[esp+80h+var_70], eax
		mov	[esp+80h+var_68], eax
		lea	eax, [esp+80h+var_70]
		push	eax
		lea	eax, [esp+84h+var_68]
		mov	[esp+84h+var_60], ecx
		push	eax
		mov	[esp+88h+var_6C], ebx
		call	IoGetStackLimits
		lea	eax, [esp+80h+var_70]
		sub	eax, [esp+80h+var_68]
		cmp	eax, 400h
		jb	loc_92CFB7
		mov	ecx, [esp+80h+var_60]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+8Ch+var_74]
		xor	edx, edx
		push	eax
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		push	2
		pop	ecx
		test	eax, eax
		jnz	short loc_895681
		mov	eax, [esp+80h+var_74]
		test	eax, eax
		jz	short loc_895666
		lea	ecx, [esp+80h+var_74]
		xor	edx, edx
		push	ecx
		inc	edx
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_89571F
		mov	eax, [esp+80h+var_74]
		push	2
		pop	ecx

loc_895666:				; CODE XREF: _RegRtlEnumKeyWithCallback+84j
		mul	ecx
		lea	ecx, [esp+80h+var_6C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_89571F
		mov	ebx, [esp+80h+var_6C]

loc_895681:				; CODE XREF: _RegRtlEnumKeyWithCallback+7Cj
		cmp	ebx, 50h
		ja	loc_895735
		push	50h
		lea	eax, [esp+84h+var_58]
		pop	ebx

loc_895691:				; CODE XREF: _RegRtlEnumKeyWithCallback+18Cj
		xor	ecx, ecx
		mov	[esp+80h+var_74], ecx

loc_895697:				; CODE XREF: _RegRtlEnumKeyWithCallback+97A4Aj
		mov	[esp+80h+var_70], eax

loc_89569B:				; CODE XREF: _RegRtlEnumKeyWithCallback+159j
		mov	edx, ebx
		shr	edx, 1
		mov	[esp+80h+var_68], edx
		mov	[esp+80h+var_6C], edx
		lea	edx, [esp+80h+var_6C]
		push	edx
		mov	edx, ecx
		mov	ecx, [esp+84h+var_60]
		push	eax
		call	_RegRtlEnumKey
		cmp	eax, 8000001Ah
		jz	short loc_89571B
		cmp	eax, 0C000017Ch
		jz	short loc_89571B
		cmp	eax, 0C0000023h
		jz	loc_92CFC1
		test	eax, eax
		jnz	loc_895762
		push	[esp+80h+var_5C]
		mov	eax, [esp+84h+var_70]
		xor	edx, edx
		mov	ecx, [esp+84h+var_68]
		push	eax
		push	[esp+88h+var_60]
		mov	[eax+ecx*2-2], dx
		call	__SysCtxInternalEnumSubkeyCallback@12 ;	_SysCtxInternalEnumSubkeyCallback(x,x,x)
		mov	ecx, eax
		sub	ecx, 0
		jnz	loc_92D00F
		mov	ecx, [esp+80h+var_74]
		inc	ecx

loc_895706:				; CODE XREF: _RegRtlEnumKeyWithCallback+97A64j
		mov	[esp+80h+var_74], ecx

loc_89570A:				; CODE XREF: _RegRtlEnumKeyWithCallback+97A5Dj
		test	esi, esi
		jnz	short loc_89571B
		push	2
		pop	edx
		cmp	eax, edx
		jz	short loc_89571B
		mov	eax, [esp+80h+var_70]
		jmp	short loc_89569B
; 

loc_89571B:				; CODE XREF: _RegRtlEnumKeyWithCallback+FDj
					; _RegRtlEnumKeyWithCallback+104j ...
		test	edi, edi
		jnz	short loc_895751

loc_89571F:				; CODE XREF: _RegRtlEnumKeyWithCallback+99j
					; _RegRtlEnumKeyWithCallback+B7j ...
		mov	ecx, [esp+80h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_895735:				; CODE XREF: _RegRtlEnumKeyWithCallback+C4j
		push	4C474552h
		push	ebx
		push	1
		mov	[esp+8Ch+var_64], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_89575B
		jmp	loc_895691
; 

loc_895751:				; CODE XREF: _RegRtlEnumKeyWithCallback+15Dj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_89571F
; 

loc_89575B:				; CODE XREF: _RegRtlEnumKeyWithCallback+18Aj
					; _RegRtlEnumKeyWithCallback+97A40j
		mov	esi, 0C0000017h
		jmp	short loc_89571F
; 

loc_895762:				; CODE XREF: _RegRtlEnumKeyWithCallback+113j
		mov	esi, eax
		jmp	short loc_89571B
_RegRtlEnumKeyWithCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_RegRtlEnumKey	proc near		; CODE XREF: _RegRtlDeleteTreeInternal+E0p
					; _RegRtlEnumKeyWithCallback+F3p ...

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092D042 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+98h+var_4], eax
		xor	eax, eax
		mov	[esp+98h+var_74], ecx
		mov	ecx, [ebp+arg_0]
		and	[esp+98h+var_88], eax
		and	[esp+98h+var_90], eax
		push	esi
		push	edi
		mov	esi, edx
		mov	[esp+0A0h+var_6C], ecx
		mov	edx, [ebp+arg_4]
		xor	edi, edi
		mov	[esp+0A0h+var_78], esi
		mov	[esp+0A0h+var_84], edx
		mov	[esp+0A0h+var_80], eax
		mov	[esp+0A0h+var_94], edi
		test	ecx, ecx
		jz	short loc_8957DC
		mov	eax, [edx]
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [esp+0A0h+var_94]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_895893
		mov	edi, [esp+0A0h+var_94]
		mov	ecx, [esp+0A0h+var_6C]
		mov	esi, [esp+0A0h+var_78]

loc_8957DC:				; CODE XREF: _RegRtlEnumKey+4Cj
		push	60h
		pop	eax
		mov	[esp+0A0h+var_7C], eax
		cmp	edi, eax
		ja	loc_8958B8
		lea	ecx, [esp+0A0h+var_68]

loc_8957EF:				; CODE XREF: _RegRtlEnumKey+158j
		lea	edx, [esp+0A0h+var_88]
		mov	[esp+0A0h+var_8C], eax
		push	edx
		push	eax
		push	ecx
		push	0
		push	esi
		push	[esp+0B4h+var_74]
		mov	[esp+0B8h+var_94], ecx
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_8958AB

loc_895814:				; CODE XREF: _RegRtlEnumKey+14Dj
		mov	eax, [esp+0A0h+var_94]
		lea	ecx, [esp+0A0h+var_90]
		push	ecx
		add	eax, 0Ch
		push	2
		pop	ecx
		mov	edx, ecx
		mov	[esp+0A4h+var_70], eax
		mov	ecx, [eax]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_895893
		mov	ecx, [esp+0A0h+var_84]
		mov	eax, [esp+0A0h+var_90]
		shr	eax, 1
		mov	[ecx], eax
		cmp	[esp+0A0h+var_90], edi
		ja	loc_92D042
		mov	eax, [esp+0A0h+var_7C]
		cmp	[esp+0A0h+var_88], eax
		ja	short loc_8958C3

loc_895856:				; CODE XREF: _RegRtlEnumKey+1EBj
		mov	eax, [esp+0A0h+var_94]
		mov	edx, [esp+0A0h+var_70]
		mov	edi, [esp+0A0h+var_6C]
		lea	ecx, [eax+10h]
		mov	edx, [edx]
		push	edx		; size_t
		push	ecx		; void *
		push	edi		; void *
		cmp	eax, edi
		jz	loc_895969
		call	_memcpy

loc_895877:				; CODE XREF: _RegRtlEnumKey+208j
		mov	eax, [esp+0ACh+var_84]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	eax, [eax]
		mov	[edi+eax*2-2], cx

loc_895887:				; CODE XREF: _RegRtlEnumKey+1D5j
					; _RegRtlEnumKey+978F6j ...
		mov	eax, [esp+0A0h+var_80]
		test	eax, eax
		jnz	loc_89595C

loc_895893:				; CODE XREF: _RegRtlEnumKey+64j
					; _RegRtlEnumKey+CEj ...
		mov	ecx, [esp+0A0h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_8958AB:				; CODE XREF: _RegRtlEnumKey+A8j
		cmp	esi, 80000005h
		jnz	short loc_895893
		jmp	loc_895814
; 

loc_8958B8:				; CODE XREF: _RegRtlEnumKey+7Fj
		mov	eax, edi
		mov	[esp+0A0h+var_7C], eax
		jmp	loc_8957EF
; 

loc_8958C3:				; CODE XREF: _RegRtlEnumKey+EEj
		lea	eax, [esp+0A0h+var_8C]
		mov	edx, edi
		push	eax
		push	10h
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_895893
		push	4C474552h
		push	[esp+0A4h+var_8C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0A0h+var_80], eax
		test	eax, eax
		jz	loc_92D04C
		lea	ecx, [esp+0A0h+var_88]
		mov	[esp+0A0h+var_94], eax
		push	ecx
		push	[esp+0A4h+var_8C]
		push	eax
		push	0
		push	[esp+0B0h+var_78]
		push	[esp+0B4h+var_74]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_92D056

loc_89591B:				; CODE XREF: _RegRtlEnumKey+978FCj
		mov	eax, [esp+0A0h+var_80]
		lea	ecx, [esp+0A0h+var_90]
		push	ecx
		add	eax, 0Ch
		push	2
		pop	ecx
		mov	edx, ecx
		mov	[esp+0A4h+var_70], eax
		mov	ecx, [eax]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_895887
		mov	ecx, [esp+0A0h+var_84]
		mov	eax, [esp+0A0h+var_90]
		shr	eax, 1
		mov	[ecx], eax
		cmp	[esp+0A0h+var_90], edi
		jbe	loc_895856
		jmp	loc_92D067
; 

loc_89595C:				; CODE XREF: _RegRtlEnumKey+127j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_895893	; void *
; 

loc_895969:				; CODE XREF: _RegRtlEnumKey+106j
		call	_memmove
		jmp	loc_895877
_RegRtlEnumKey	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmDeviceClassesSubkeyCallback proc near
					; DATA XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+13Fo
					; _CmDeviceClassesSubkeyCallback+368o

var_3A		= byte ptr -3Ah
var_39		= dword	ptr -39h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092D071 SIZE 000000F7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		xor	ecx, ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	[esp+48h+var_34], ecx
		mov	edi, ecx
		mov	[esp+48h+var_39+1], ecx
		mov	edx, [esi]
		mov	[esp+48h+var_1C], ecx
		mov	[esp+48h+var_30], ecx
		mov	[esp+48h+var_2C], ecx
		mov	[esp+48h+var_8], ecx
		mov	[esp+48h+var_4], ecx
		mov	[esp+48h+var_10], ecx
		mov	[esp+48h+var_C], ecx
		mov	[esp+48h+var_18], ecx
		mov	[esp+48h+var_14], ecx
		mov	[esp+48h+var_28], ecx
		mov	[esp+48h+var_24], ecx
		mov	[esp+48h+var_3A], cl
		mov	byte ptr [esp+48h+var_39], cl
		cmp	edx, 1
		jz	loc_895D4A
		lea	eax, [edx-2]
		cmp	eax, 1
		ja	short loc_895A0E
		mov	ecx, ebx
		lea	eax, [ecx+2]
		mov	[esp+48h+var_20], eax

loc_8959E4:				; CODE XREF: _CmDeviceClassesSubkeyCallback+7Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+48h+var_34]
		jnz	short loc_8959E4
		sub	ecx, [esp+48h+var_20]
		sar	ecx, 1
		cmp	ecx, 1
		jb	loc_895BA8
		push	23h
		pop	eax
		cmp	[ebx], ax
		jnz	loc_895BA8

loc_895A0C:				; CODE XREF: _CmDeviceClassesSubkeyCallback+3FFj
		xor	ecx, ecx

loc_895A0E:				; CODE XREF: _CmDeviceClassesSubkeyCallback+65j
		cmp	edx, 3
		jb	loc_895BC1
		jnz	short loc_895A26
		cmp	byte ptr [esi+58Ch], 0
		jnz	loc_895BC1

loc_895A26:				; CODE XREF: _CmDeviceClassesSubkeyCallback+A3j
					; _CmDeviceClassesSubkeyCallback+275j
		mov	eax, [esi]
		cmp	eax, 3
		jb	loc_895BF1
		jnz	short loc_895A5E
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_895A38:				; CODE XREF: _CmDeviceClassesSubkeyCallback+CFj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+48h+var_34]
		jnz	short loc_895A38
		sub	ecx, edx
		sar	ecx, 1
		cmp	ecx, 1
		jbe	short loc_895A67
		push	23h
		pop	eax
		cmp	[ebx], ax
		jnz	short loc_895A67
		push	3
		mov	[esp+4Ch+var_3A], 1
		pop	eax

loc_895A5E:				; CODE XREF: _CmDeviceClassesSubkeyCallback+BDj
					; _CmDeviceClassesSubkeyCallback+293j
		cmp	eax, 2
		jb	loc_895AF0

loc_895A67:				; CODE XREF: _CmDeviceClassesSubkeyCallback+D8j
					; _CmDeviceClassesSubkeyCallback+E0j
		push	52504E50h
		push	3F0h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_92D112
		lea	eax, [esi+4]
		xor	ecx, ecx
		mov	edx, 1F8h
		cmp	[eax], cx
		jz	loc_895D43
		push	900h
		lea	ecx, [esp+4Ch+var_24]
		push	ecx
		lea	ecx, [esp+50h+var_28]
		push	ecx
		push	eax
		mov	ecx, edi
		call	RtlStringCchCopyExW
		test	eax, eax
		js	loc_895B84
		mov	ecx, [esp+48h+var_28]
		xor	eax, eax
		mov	edx, [esp+48h+var_24]
		dec	edx
		mov	[ecx], ax

loc_895AC2:				; CODE XREF: _CmDeviceClassesSubkeyCallback+3D1j
		cmp	[esp+48h+var_3A], 1
		mov	[esp+48h+var_28], ecx
		jnz	loc_895BB3

loc_895AD1:				; CODE XREF: _CmDeviceClassesSubkeyCallback+242j
		push	ebx
		call	RtlStringCchCopyW
		test	eax, eax
		js	loc_895B84
		cmp	[esp+48h+var_3A], 1
		jnz	short loc_895AF0
		mov	eax, [esp+48h+var_28]
		push	5Ch
		pop	ecx
		mov	[eax], cx

loc_895AF0:				; CODE XREF: _CmDeviceClassesSubkeyCallback+EDj
					; _CmDeviceClassesSubkeyCallback+170j ...
		cmp	dword ptr [esi], 3
		jb	loc_895C0C
		mov	eax, dword ptr ds:??_C@_19MJCDBCKE@?$AA?2?$AA?2?$AA?$DP?$AA?2@NNGAKEGL@	; "\\"
		mov	edx, edi
		mov	[edi], eax
		mov	eax, ds:off_8B6B82
		mov	[edi+4], eax
		call	__CmValidateDeviceInterfaceName@8 ; _CmValidateDeviceInterfaceName(x,x)
		test	eax, eax
		js	short loc_895B84
		push	edi
		lea	eax, [esp+4Ch+var_8]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_895B84
		movzx	ebx, word ptr [esp+48h+var_8+2]
		shr	ebx, 1
		cmp	byte ptr [esi+58Ch], 0
		jnz	loc_92D119

loc_895B36:				; CODE XREF: _CmDeviceClassesSubkeyCallback+977C8j
		mov	eax, [esi+590h]
		test	eax, eax
		jnz	loc_92D141

loc_895B44:				; CODE XREF: _CmDeviceClassesSubkeyCallback+977E3j
		add	[esi+5A0h], ebx
		mov	edx, [esi+59Ch]
		cmp	edx, ebx
		jbe	short loc_895B84
		mov	ecx, [esi+598h]
		xor	eax, eax
		push	900h
		push	eax
		push	eax
		push	edi
		call	RtlStringCchCopyExW
		lea	eax, [ebx+ebx]
		add	[esi+598h], eax
		sub	[esi+59Ch], ebx
		mov	ebx, [esp+48h+var_1C]

loc_895B7C:				; CODE XREF: _CmDeviceClassesSubkeyCallback+3AEj
		test	ebx, ebx
		jnz	loc_895D27

loc_895B84:				; CODE XREF: _CmDeviceClassesSubkeyCallback+13Aj
					; _CmDeviceClassesSubkeyCallback+165j ...
		xor	ebx, ebx
		test	edi, edi
		jz	short loc_895B91
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_895B91:				; CODE XREF: _CmDeviceClassesSubkeyCallback+214j
					; _CmDeviceClassesSubkeyCallback+977A0j
		mov	eax, [esp+48h+var_30]
		test	eax, eax
		jnz	loc_92D15C

loc_895B9D:				; CODE XREF: _CmDeviceClassesSubkeyCallback+271j
					; _CmDeviceClassesSubkeyCallback+27Bj ...
		cmp	[esp+48h+var_39+1], 0
		jnz	loc_895D35

loc_895BA8:				; CODE XREF: _CmDeviceClassesSubkeyCallback+86j
					; _CmDeviceClassesSubkeyCallback+92j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_895BB3:				; CODE XREF: _CmDeviceClassesSubkeyCallback+157j
		cmp	dword ptr [esi], 2
		jz	loc_895AD1
		jmp	loc_895AF0
; 

loc_895BC1:				; CODE XREF: _CmDeviceClassesSubkeyCallback+9Dj
					; _CmDeviceClassesSubkeyCallback+ACj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_895BCB
		mov	ecx, [eax+74h]

loc_895BCB:				; CODE XREF: _CmDeviceClassesSubkeyCallback+252j
		mov	edx, [ebp+arg_4]
		lea	eax, [esp+48h+var_39+1]
		push	eax
		push	20019h
		push	8
		push	ebx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jz	short loc_895B9D
		test	eax, eax
		jns	loc_895A26
		jmp	short loc_895B9D
; 

loc_895BF1:				; CODE XREF: _CmDeviceClassesSubkeyCallback+B7j
		cmp	eax, 2
		jnz	short loc_895C05
		xor	ecx, ecx
		cmp	[esi+3F4h], cx
		jnz	loc_92D071

loc_895C05:				; CODE XREF: _CmDeviceClassesSubkeyCallback+280j
					; _CmDeviceClassesSubkeyCallback+97798j
		mov	eax, [esi]
		jmp	loc_895A5E
; 

loc_895C0C:				; CODE XREF: _CmDeviceClassesSubkeyCallback+17Fj
		push	52504E50h
		push	5A4h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_895B84
		push	5A4h		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		mov	ecx, [esi]
		add	esp, 0Ch
		xor	eax, eax
		inc	ecx
		mov	[ebx], ecx
		mov	edx, 1F8h
		lea	ecx, [ebx+4]
		push	900h
		push	eax
		push	eax
		push	edi
		call	RtlStringCchCopyExW
		push	900h
		xor	eax, eax
		lea	ecx, [ebx+3F4h]
		push	eax
		push	eax
		lea	eax, [esi+3F4h]
		mov	edx, 0C8h
		push	eax
		call	RtlStringCchCopyExW
		mov	eax, [esi+584h]
		mov	ecx, [ebp+arg_0]
		mov	[ebx+584h], eax
		mov	eax, [esi+588h]
		mov	[ebx+588h], eax
		mov	al, [esi+58Ch]
		mov	[ebx+58Ch], al
		mov	eax, [esi+590h]
		mov	[ebx+590h], eax
		mov	eax, [esi+594h]
		mov	[ebx+594h], eax
		mov	eax, [esi+598h]
		mov	[ebx+598h], eax
		mov	eax, [esi+59Ch]
		mov	[ebx+59Ch], eax
		mov	eax, [esi+5A0h]
		push	ebx
		mov	[ebx+5A0h], eax
		mov	edx, [esp+4Ch+var_39+1]
		push	offset _CmDeviceClassesSubkeyCallback
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		mov	eax, [ebx+584h]
		mov	[esi+584h], eax
		mov	eax, [ebx+588h]
		mov	[esi+588h], eax
		mov	eax, [ebx+5A0h]
		mov	[esi+5A0h], eax
		mov	eax, [ebx+598h]
		mov	[esi+598h], eax
		mov	eax, [ebx+59Ch]
		mov	[esi+59Ch], eax
		jmp	loc_895B7C
; 

loc_895D27:				; CODE XREF: _CmDeviceClassesSubkeyCallback+20Aj
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_895B84
; 

loc_895D35:				; CODE XREF: _CmDeviceClassesSubkeyCallback+22Ej
		push	[esp+48h+var_39+1]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_895BA8
; 

loc_895D43:				; CODE XREF: _CmDeviceClassesSubkeyCallback+11Bj
		mov	ecx, edi
		jmp	loc_895AC2
; 

loc_895D4A:				; CODE XREF: _CmDeviceClassesSubkeyCallback+59j
		mov	ecx, ebx
		lea	eax, [ecx+2]
		mov	[esp+48h+var_20], eax

loc_895D53:				; CODE XREF: _CmDeviceClassesSubkeyCallback+3EAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+48h+var_34]
		jnz	short loc_895D53
		sub	ecx, [esp+48h+var_20]
		sar	ecx, 1
		cmp	ecx, 26h
		jnz	loc_895BA8
		cmp	word ptr [ebx],	7Bh
		jz	loc_895A0C
		jmp	loc_895BA8
_CmDeviceClassesSubkeyCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmEnumSubkeyCallback proc near		; DATA XREF: _CmGetMatchingDeviceListForSubkey+110o
					; _CmEnumSubkeyCallback+21Bo

var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092D168 SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		push	52504E50h
		push	190h
		push	1
		mov	[esp+34h+var_14], eax
		mov	ebx, eax
		mov	[esp+34h+var_8], eax
		mov	[esp+34h+var_4], eax
		mov	[esp+34h+var_C], eax
		mov	[esp+34h+var_10], eax
		mov	[esp+34h+var_15], al
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_895EBF
		mov	esi, [ebp+arg_C]
		xor	ecx, ecx
		mov	edx, 0C8h
		lea	eax, [esi+4]
		cmp	[eax], cx
		jz	loc_895FE8
		push	900h
		lea	ecx, [esp+2Ch+var_10]
		push	ecx
		lea	ecx, [esp+30h+var_C]
		push	ecx
		push	eax
		mov	ecx, edi
		call	RtlStringCchCopyExW
		test	eax, eax
		js	loc_895EB6
		mov	eax, [esp+28h+var_10]
		cmp	eax, 2
		jb	loc_895EB6
		mov	ecx, [esp+28h+var_C]
		push	5Ch
		pop	edx
		mov	[ecx], dx
		add	ecx, 2
		xor	edx, edx
		mov	[ecx], dx
		lea	edx, [eax-2]

loc_895E1A:				; CODE XREF: _CmEnumSubkeyCallback+26Cj
		push	[ebp+arg_8]
		call	RtlStringCchCopyW
		test	eax, eax
		js	loc_895EB6
		cmp	dword ptr [esi], 3
		jb	loc_895ED5
		mov	edx, edi
		call	__CmValidateDeviceName@8 ; _CmValidateDeviceName(x,x)
		test	eax, eax
		js	short loc_895EB6
		push	edi
		lea	eax, [esp+2Ch+var_8]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_895EB6
		movzx	eax, word ptr [esp+28h+var_8+2]
		shr	eax, 1
		mov	[esp+28h+var_C], eax
		cmp	[esi+194h], bl
		jnz	loc_92D171

loc_895E64:				; CODE XREF: _CmEnumSubkeyCallback+97414j
		mov	eax, [esi+198h]
		test	eax, eax
		jnz	loc_92D197

loc_895E72:				; CODE XREF: _CmEnumSubkeyCallback+9742Fj
		mov	eax, [esp+28h+var_C]
		add	[esi+1A8h], eax
		mov	edx, [esi+1A4h]
		cmp	edx, eax
		jbe	short loc_895EB6
		mov	ecx, [esi+1A0h]
		xor	eax, eax
		push	900h
		push	eax
		push	eax
		push	edi
		call	RtlStringCchCopyExW
		mov	ecx, [esp+28h+var_C]
		lea	eax, [ecx+ecx]
		add	[esi+1A0h], eax
		sub	[esi+1A4h], ecx

loc_895EAE:				; CODE XREF: _CmEnumSubkeyCallback+249j
		test	ebx, ebx
		jnz	loc_895FCC

loc_895EB6:				; CODE XREF: _CmEnumSubkeyCallback+74j
					; _CmEnumSubkeyCallback+81j ...
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_895EBF:				; CODE XREF: _CmEnumSubkeyCallback+3Fj
		cmp	[esp+28h+var_14], 0
		jnz	loc_895FDA

loc_895ECA:				; CODE XREF: _CmEnumSubkeyCallback+265j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_895ED5:				; CODE XREF: _CmEnumSubkeyCallback+AFj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_92D168
		mov	ecx, [eax+74h]

loc_895EE3:				; CODE XREF: _CmEnumSubkeyCallback+973EEj
		mov	edx, [ebp+arg_4]
		lea	eax, [esp+28h+var_14]
		push	eax
		push	20019h
		push	8
		push	[ebp+arg_8]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jz	short loc_895EB6
		test	eax, eax
		js	short loc_895EB6
		push	52504E50h
		push	1ACh
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_895EB6
		push	1ACh		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		mov	ecx, [esi]
		add	esp, 0Ch
		xor	eax, eax
		inc	ecx
		mov	[ebx], ecx
		mov	edx, 0C8h
		lea	ecx, [ebx+4]
		push	900h
		push	eax
		push	eax
		push	edi
		call	RtlStringCchCopyExW
		mov	al, [esi+194h]
		mov	ecx, [ebp+arg_0]
		mov	[ebx+194h], al
		mov	eax, [esi+198h]
		mov	[ebx+198h], eax
		mov	eax, [esi+19Ch]
		mov	[ebx+19Ch], eax
		mov	eax, [esi+1A0h]
		mov	[ebx+1A0h], eax
		mov	eax, [esi+1A4h]
		mov	[ebx+1A4h], eax
		mov	eax, [esi+1A8h]
		push	ebx
		mov	[ebx+1A8h], eax
		mov	edx, [esp+2Ch+var_14]
		push	offset _CmEnumSubkeyCallback
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		mov	eax, [ebx+1A8h]
		mov	[esi+1A8h], eax
		mov	eax, [ebx+1A0h]
		mov	[esi+1A0h], eax
		mov	eax, [ebx+1A4h]
		mov	[esi+1A4h], eax
		jmp	loc_895EAE
; 

loc_895FCC:				; CODE XREF: _CmEnumSubkeyCallback+132j
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_895EB6
; 

loc_895FDA:				; CODE XREF: _CmEnumSubkeyCallback+146j
		push	[esp+28h+var_14]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_895ECA
; 

loc_895FE8:				; CODE XREF: _CmEnumSubkeyCallback+55j
		mov	ecx, edi
		jmp	loc_895E1A
_CmEnumSubkeyCallback endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmClassSubkeyCallback proc near	; DATA XREF: _CmGetMatchingCommonClassListWorker+87o
					; _CmGetMatchingCommonClassListWorker+97B87o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092D1B2 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_4], ebx
		mov	edx, [esi+4]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		test	edx, edx
		jnz	loc_92D1B2

loc_896017:				; CODE XREF: _CmClassSubkeyCallback+971E0j
		mov	eax, [esi]
		cmp	al, 2
		jnz	short loc_896075

loc_89601D:				; CODE XREF: _CmClassSubkeyCallback+88j
		mov	ecx, edi
		call	__PnpIsValidGuidString@4 ; _PnpIsValidGuidString(x)
		test	al, al
		jz	short loc_89606C
		push	edi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_89606C
		movzx	ebx, word ptr [ebp+var_C+2]
		mov	eax, [esi+8]
		shr	ebx, 1
		test	eax, eax
		jnz	loc_92D1E3

loc_896047:				; CODE XREF: _CmClassSubkeyCallback+97206j
		add	[esi+18h], ebx
		mov	edx, [esi+14h]
		cmp	edx, ebx
		jbe	short loc_89606C
		mov	ecx, [esi+10h]
		push	900h
		push	0
		push	0
		push	edi
		call	RtlStringCchCopyExW
		lea	eax, [ebx+ebx]
		add	[esi+10h], eax
		sub	[esi+14h], ebx

loc_89606C:				; CODE XREF: _CmClassSubkeyCallback+36j
					; _CmClassSubkeyCallback+44j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	10h
; 

loc_896075:				; CODE XREF: _CmClassSubkeyCallback+2Bj
		cmp	eax, 4
		jz	short loc_89601D
		jmp	short loc_89606C
_CmClassSubkeyCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpObjectListCallback(x, x, x, x)
__PnpObjectListCallback@16 proc	near	; DATA XREF: _PnpGetGenericObjectList(x,x,x,x,x,x,x,x)+2Eo

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		lea	edx, [ecx+2]
		xor	ebx, ebx

loc_89608C:				; CODE XREF: _PnpObjectListCallback(x,x,x,x)+19j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_89608C
		mov	esi, [ebp+arg_C]
		sub	ecx, edx
		sar	ecx, 1
		mov	eax, [esi]
		lea	edi, [ecx+1]
		test	eax, eax
		jz	short loc_8960B7
		push	dword ptr [esi+4]
		push	ebx
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		call	eax
		test	al, al
		jz	short loc_8960DC

loc_8960B7:				; CODE XREF: _PnpObjectListCallback(x,x,x,x)+29j
		add	[esi+10h], edi
		mov	edx, [esi+0Ch]
		cmp	edx, edi
		jbe	short loc_8960DC
		mov	ecx, [esi+8]
		push	900h
		push	ebx
		push	ebx
		push	[ebp+arg_8]
		call	RtlStringCchCopyExW
		lea	eax, [edi+edi]
		add	[esi+8], eax
		sub	[esi+0Ch], edi

loc_8960DC:				; CODE XREF: _PnpObjectListCallback(x,x,x,x)+39j
					; _PnpObjectListCallback(x,x,x,x)+43j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	10h
__PnpObjectListCallback@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmContainerListGenericObjectCallback proc near
					; DATA XREF: _PnpGetGenericObjectList(x,x,x,x,x,x,x,x)+39o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092D1FB SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		xor	ebx, ebx
		test	esi, esi
		jz	short loc_89610E
		mov	edx, [ebp+arg_4]
		call	__CmValidateDeviceContainerName@8 ; _CmValidateDeviceContainerName(x,x)
		test	eax, eax
		js	short loc_89610E
		mov	eax, [esi]
		mov	bl, 1
		test	eax, eax
		jnz	loc_92D1FB

loc_89610E:				; CODE XREF: _CmContainerListGenericObjectCallback+Ej
					; _CmContainerListGenericObjectCallback+1Aj ...
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	10h
_CmContainerListGenericObjectCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl MiRegistryVaSort(const void *,const void *)
_MiRegistryVaSort proc near		; DATA XREF: MmFreeBootRegistry()+27o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		cmp	eax, ecx
		ja	short loc_89612F
		sbb	eax, eax
		neg	eax
		pop	ebp
		retn
; 

loc_89612F:				; CODE XREF: _MiRegistryVaSort+11j
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
_MiRegistryVaSort endp


;  S U B	R O U T	I N E 


; __stdcall ExpInitLicensing(x)
_ExpInitLicensing@4 proc near		; CODE XREF: sub_685EF9+F5p
					; INIT:00ACD0D4p
		xor	edx, edx
		cmp	ecx, offset _PspHostSiloGlobals
		jnz	short loc_896180
		mov	eax, offset dword_A94E80
		mov	ds:dword_B15740, 14000h
		mov	ds:dword_B15744, edx
		mov	ds:dword_A94E80, offset	_ExpHostBootLicensingData
		mov	[ecx+204h], eax

loc_896163:				; CODE XREF: ExpInitLicensing(x)+52j
		or	dword ptr [eax+5C2Ch], 0FFFFFFFFh
		mov	[eax+4], edx
		mov	[eax+5C0Ch], edx
		mov	[eax+5B80h], edx
		mov	[eax+5C28h], edx
		retn
; 

loc_896180:				; CODE XREF: ExpInitLicensing(x)+8j
		mov	eax, [ecx+204h]
		jmp	short loc_896163
_ExpInitLicensing@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlInitNlsTables proc near		; CODE XREF: Phase1InitializationDiscard(x):loc_AC0D6Fp
					; INIT:loc_ACD280p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092D20F SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	offset word_AFD074
		push	ecx
		mov	esi, edx
		call	RtlInitCodePageTable
		push	offset _InitTableInfo
		push	esi
		call	RtlInitCodePageTable
		mov	edx, [ebp+arg_0]
		pop	esi
		test	edx, edx
		jz	loc_92D20F
		mov	ax, [edx+2]
		inc	ax
		movzx	ecx, ax
		lea	eax, [edx+4]
		mov	ds:dword_AFD0A0, eax
		lea	eax, [edx+2]
		lea	eax, [eax+ecx*2]
		mov	ds:dword_AFD0A4, eax

loc_8961CE:				; CODE XREF: RtlInitNlsTables+97095j
		pop	ebp
		retn	8
RtlInitNlsTables endp

; 
		align 8
; Exported entry 2156. RtlInitCodePageTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlInitCodePageTable
RtlInitCodePageTable proc near		; CODE XREF: RtlInitNlsTables+Ep
					; RtlInitNlsTables+19p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092D222 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, 0FDE9h
		push	edi
		test	esi, esi
		jz	loc_92D222
		movzx	edi, word ptr [esi+2]
		cmp	di, ax
		jz	loc_92D222
		movzx	ecx, word ptr [esi]
		mov	ebx, [ebp+arg_4]
		mov	edx, ecx
		mov	ax, [esi+edx*2]
		inc	edx
		add	ax, cx
		mov	[ebx], di
		movzx	eax, ax
		lea	edi, [ebx+0Eh]
		mov	[ebp+var_4], eax
		mov	ax, [esi+4]
		mov	[ebx+2], ax
		mov	ax, [esi+6]
		mov	[ebx+4], ax
		mov	ax, [esi+8]
		mov	[ebx+6], ax
		mov	ax, [esi+0Ah]
		mov	[ebx+8], ax
		mov	ax, [esi+0Ch]
		add	esi, 0Eh
		mov	[ebx+0Ah], ax
		xor	eax, eax
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_0]
		lea	ecx, [esi+edx*2]
		xor	edx, edx
		mov	[ebx+1Ch], ecx
		cmp	[ecx+200h], dx
		setnz	al
		dec	eax
		and	eax, 0FFFFFE00h
		add	eax, 402h
		add	eax, ecx
		mov	[ebx+24h], eax
		cmp	[eax], dx
		ja	short loc_896291
		mov	eax, edx

loc_896276:				; CODE XREF: RtlInitCodePageTable+BFj
		mov	[ebx+28h], eax
		mov	eax, [ebp+var_4]
		mov	[ebx+0Ch], dx
		movzx	edx, ax
		inc	edx
		lea	edx, [esi+edx*2]

loc_896287:				; CODE XREF: RtlInitCodePageTable+97080j
		pop	edi
		pop	esi
		mov	[ebx+20h], edx
		pop	ebx
		leave
		retn	8
; 

loc_896291:				; CODE XREF: RtlInitCodePageTable+9Aj
		xor	edx, edx
		inc	edx
		add	eax, 2
		jmp	short loc_896276
RtlInitCodePageTable endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlResetRtlTranslations	proc near	; CODE XREF: Phase1InitializationDiscard(x)+A00p
					; INIT:00ACD285p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092D25D SIZE 0000007D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		movzx	eax, ds:word_AFD074
		mov	edx, 0FDE9h
		push	ebx
		cmp	ax, dx
		jz	loc_92D28B
		movzx	ecx, ds:_InitTableInfo
		mov	[ebp+var_8], ecx
		cmp	cx, dx
		jz	loc_92D28B
		mov	ds:_NlsAnsiCodePage, ax
		xor	ebx, ebx
		movzx	eax, ds:word_AFD080
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		test	ax, ax
		jnz	loc_92D25D
		push	200h		; size_t
		push	ebx		; int
		push	offset _NlsLeadByteInfoTable ; void *
		call	_memset
		add	esp, 0Ch

loc_8962FA:				; CODE XREF: RtlResetRtlTranslations+96FD5j
		mov	eax, ds:dword_AFD09C
		cmp	word ptr [ebp+var_4], bx
		mov	ds:_NlsMbAnsiCodePageTables, eax
		mov	eax, ds:dword_AFD090
		setnz	ds:_NlsMbCodePageTag
		mov	ds:_NlsAnsiToUnicodeData, eax
		mov	eax, ds:dword_AFD094
		mov	ds:_NlsUnicodeToAnsiData, eax
		mov	ds:_NlsUnicodeToMbAnsiData, eax
		mov	eax, [ebp+var_8]
		mov	ds:_NlsOemCodePage, ax
		movzx	eax, ds:word_AFD054
		mov	ds:_NlsActiveCodePageIsUTF8, bl
		mov	[ebp+var_8], eax
		test	ax, ax
		jnz	loc_92D274
		push	200h		; size_t
		push	ebx		; int
		push	offset _NlsOemLeadByteInfoTable	; void *
		call	_memset
		add	esp, 0Ch

loc_89635D:				; CODE XREF: RtlResetRtlTranslations+96FECj
		mov	eax, ds:dword_AFD070
		cmp	word ptr [ebp+var_8], 0
		mov	ds:_NlsMbOemCodePageTables, eax
		mov	eax, ds:dword_AFD064
		pop	edi
		mov	ds:_NlsOemToUnicodeData, eax
		setnz	al
		mov	ds:_NlsOemCodePageIsUTF8, bl
		mov	ebx, ds:dword_AFD068
		pop	esi

loc_896387:				; CODE XREF: RtlResetRtlTranslations+9703Bj
		mov	ds:_NlsMbOemCodePageTag, al
		mov	ax, ds:word_AFD04C
		mov	ds:_OemDefaultChar, ax
		mov	ax, ds:word_AFD050
		mov	ds:_OemTransUniDefaultChar, ax
		mov	eax, ds:dword_AFD0A0
		mov	ds:_Nls844UnicodeUpcaseTable, eax
		mov	eax, ds:dword_AFD0A4
		mov	ds:_NlsUnicodeToOemData, ebx
		mov	ds:_NlsUnicodeToMbOemData, ebx
		mov	ds:_Nls844UnicodeLowercaseTable, eax
		pop	ebx
		leave
		retn
RtlResetRtlTranslations	endp

; 
		align 4

;  S U B	R O U T	I N E 


PspSanitizeResourceLimits proc near	; CODE XREF: PspReadUserQuotaLimits+122F1Cp
					; PsInitializeQuotaSystem(x)+56p

; FUNCTION CHUNK AT 0092D2DA SIZE 0000006C BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		mov	edi, offset _PspResourceFlags

loc_8963D6:				; CODE XREF: PspSanitizeResourceLimits+30j
		mov	al, [edi]
		test	al, 2
		jnz	loc_92D2DA
		test	al, 1
		jz	short loc_8963EC
		cmp	dword ptr [esi], 0
		jnz	short loc_8963EC
		or	dword ptr [esi], 0FFFFFFFFh

loc_8963EC:				; CODE XREF: PspSanitizeResourceLimits+1Aj
					; PspSanitizeResourceLimits+1Fj ...
		add	edi, 8
		add	esi, 4
		cmp	edi, offset _PsAltSystemCallHandlers
		jl	short loc_8963D6
		mov	eax, [ecx]
		mov	edx, 0FFFh
		cmp	eax, 0FFFFFFFFh
		jnz	loc_92D306

loc_89640A:				; CODE XREF: PspSanitizeResourceLimits+96F47j
					; PspSanitizeResourceLimits+96F53j
		mov	eax, [ecx+4]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_92D320

loc_896416:				; CODE XREF: PspSanitizeResourceLimits+96F62j
					; PspSanitizeResourceLimits+96F6Fj
		xor	eax, eax

loc_896418:				; CODE XREF: PspSanitizeResourceLimits+96F79j
		pop	edi
		pop	esi
		pop	ebx
		retn
PspSanitizeResourceLimits endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExGetSuiteMask(x, x)
_ExGetSuiteMask@8 proc near		; CODE XREF: PspSiloInitializeSuiteMask(x)+39p
					; ExpInitSystemPhase0()+C7p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	bl, dl
		stosd
		stosd
		stosd
		call	ExpParseSuiteMask
		mov	esi, eax
		lea	eax, [ebp+var_4]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	6
		call	RtlGetProductInfo
		test	al, al
		jz	short loc_896473
		mov	ecx, [ebp+var_4]
		cmp	ecx, 0ABCDABCDh
		jz	short loc_896473
		call	_ExpGetNonMatchingSuiteMask@4 ;	ExpGetNonMatchingSuiteMask(x)
		not	eax
		lea	edx, [ebp+var_10]
		and	esi, eax
		call	_ExpGetProductInfoSuiteTypeMap@8 ; ExpGetProductInfoSuiteTypeMap(x,x)
		test	al, al
		jz	short loc_896473
		or	esi, [ebp+var_C]

loc_896473:				; CODE XREF: ExGetSuiteMask(x,x)+32j
					; ExGetSuiteMask(x,x)+3Dj ...
		xor	eax, eax
		or	esi, 10h
		test	bl, bl
		pop	edi
		setnz	al
		dec	eax
		and	eax, 0FFFFFFF7h
		add	eax, 11h
		bts	esi, eax
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_ExGetSuiteMask@8 endp


;  S U B	R O U T	I N E 


; __stdcall ExpGetProductInfoSuiteTypeMap(x, x)
_ExpGetProductInfoSuiteTypeMap@8 proc near ; CODE XREF:	ExGetSuiteMask(x,x)+4Bp
					; ExpUpdateProductType+36p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	esi, ecx
		mov	eax, ecx

loc_89649A:				; CODE XREF: ExpGetProductInfoSuiteTypeMap(x,x)+1Dj
		cmp	dword ptr ds:_ExpProductInfoSuiteTypeMap[eax], edi
		jz	short loc_8964AF
		add	eax, 0Ch
		inc	esi
		cmp	eax, 264h
		jb	short loc_89649A
		jmp	short loc_8964BF
; 

loc_8964AF:				; CODE XREF: ExpGetProductInfoSuiteTypeMap(x,x)+12j
		imul	esi, 0Ch
		mov	edi, edx
		mov	cl, 1
		add	esi, offset _ExpProductInfoSuiteTypeMap
		movsd
		movsd
		movsd

loc_8964BF:				; CODE XREF: ExpGetProductInfoSuiteTypeMap(x,x)+1Fj
		pop	edi
		mov	al, cl
		pop	esi
		retn
_ExpGetProductInfoSuiteTypeMap@8 endp


;  S U B	R O U T	I N E 


; __stdcall ExpGetNonMatchingSuiteMask(x)
_ExpGetNonMatchingSuiteMask@4 proc near	; CODE XREF: ExGetSuiteMask(x,x)+3Fp
		xor	eax, eax
		mov	edx, eax

loc_8964C8:				; CODE XREF: ExpGetNonMatchingSuiteMask(x)+1Bj
		cmp	dword ptr ds:_ExpProductInfoSuiteTypeMap[edx], ecx
		jz	short loc_8964D6
		or	eax, ds:dword_A41214[edx]

loc_8964D6:				; CODE XREF: ExpGetNonMatchingSuiteMask(x)+Aj
		add	edx, 0Ch
		cmp	edx, 264h
		jb	short loc_8964C8
		retn
_ExpGetNonMatchingSuiteMask@4 endp


;  S U B	R O U T	I N E 


ExpParseSuiteMask proc near		; CODE XREF: ExGetSuiteMask(x,x)+19p

; FUNCTION CHUNK AT 0092D346 SIZE 00000295 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	esi, ebx
		jmp	loc_896673
; 

loc_8964F2:				; CODE XREF: ExpParseSuiteMask+194j
		mov	ecx, ds:off_A414A4
		mov	eax, edi

loc_8964FA:				; CODE XREF: ExpParseSuiteMask+40j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	loc_896682
		test	dx, dx
		jz	short loc_896524
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	loc_896682
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_8964FA

loc_896524:				; CODE XREF: ExpParseSuiteMask+27j
		mov	eax, ebx

loc_896526:				; CODE XREF: ExpParseSuiteMask+1A5j
		test	eax, eax
		jz	loc_8966BB
		mov	ecx, ds:off_A414B4
		mov	eax, edi

loc_896536:				; CODE XREF: ExpParseSuiteMask+7Cj
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	loc_89668C
		test	dx, dx
		jz	short loc_896560
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	loc_89668C
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_896536

loc_896560:				; CODE XREF: ExpParseSuiteMask+63j
		mov	eax, ebx

loc_896562:				; CODE XREF: ExpParseSuiteMask+1AFj
		test	eax, eax
		jz	loc_8966C0
		mov	ecx, ds:off_A414A8
		mov	eax, edi

loc_896572:				; CODE XREF: ExpParseSuiteMask+B8j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	loc_896696
		test	dx, dx
		jz	short loc_89659C
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	loc_896696
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_896572

loc_89659C:				; CODE XREF: ExpParseSuiteMask+9Fj
		mov	eax, ebx

loc_89659E:				; CODE XREF: ExpParseSuiteMask+1B9j
		test	eax, eax
		jz	loc_8966C5
		mov	ecx, ds:off_A414AC
		mov	eax, edi

loc_8965AE:				; CODE XREF: ExpParseSuiteMask+F4j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	loc_8966A0
		test	dx, dx
		jz	short loc_8965D8
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	loc_8966A0
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_8965AE

loc_8965D8:				; CODE XREF: ExpParseSuiteMask+DBj
		mov	eax, ebx

loc_8965DA:				; CODE XREF: ExpParseSuiteMask+1C3j
		test	eax, eax
		jz	loc_8966CA
		mov	ecx, ds:off_A414B0
		mov	eax, edi

loc_8965EA:				; CODE XREF: ExpParseSuiteMask+130j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	loc_8966AA
		test	dx, dx
		jz	short loc_896614
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	loc_8966AA
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_8965EA

loc_896614:				; CODE XREF: ExpParseSuiteMask+117j
		mov	eax, ebx

loc_896616:				; CODE XREF: ExpParseSuiteMask+1CDj
		test	eax, eax
		jz	loc_8966CF
		mov	ecx, ds:off_A414B8
		mov	eax, edi

loc_896626:				; CODE XREF: ExpParseSuiteMask+168j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	loc_8966B4
		test	dx, dx
		jz	short loc_89664C
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_8966B4
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_896626

loc_89664C:				; CODE XREF: ExpParseSuiteMask+153j
		mov	eax, ebx

loc_89664E:				; CODE XREF: ExpParseSuiteMask+1D7j
		test	eax, eax
		jnz	loc_92D346
		or	esi, 10h

loc_896659:				; CODE XREF: ExpParseSuiteMask+1DCj
					; ExpParseSuiteMask+1E1j ...
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_89665E:				; CODE XREF: ExpParseSuiteMask+185j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_89665E
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2

loc_896673:				; CODE XREF: ExpParseSuiteMask+Bj
		cmp	[edi], bx
		jnz	loc_8964F2
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_896682:				; CODE XREF: ExpParseSuiteMask+1Ej
					; ExpParseSuiteMask+31j
		sbb	eax, eax
		or	eax, 1
		jmp	loc_896526
; 

loc_89668C:				; CODE XREF: ExpParseSuiteMask+5Aj
					; ExpParseSuiteMask+6Dj
		sbb	eax, eax
		or	eax, 1
		jmp	loc_896562
; 

loc_896696:				; CODE XREF: ExpParseSuiteMask+96j
					; ExpParseSuiteMask+A9j
		sbb	eax, eax
		or	eax, 1
		jmp	loc_89659E
; 

loc_8966A0:				; CODE XREF: ExpParseSuiteMask+D2j
					; ExpParseSuiteMask+E5j
		sbb	eax, eax
		or	eax, 1
		jmp	loc_8965DA
; 

loc_8966AA:				; CODE XREF: ExpParseSuiteMask+10Ej
					; ExpParseSuiteMask+121j
		sbb	eax, eax
		or	eax, 1
		jmp	loc_896616
; 

loc_8966B4:				; CODE XREF: ExpParseSuiteMask+14Aj
					; ExpParseSuiteMask+15Dj
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_89664E
; 

loc_8966BB:				; CODE XREF: ExpParseSuiteMask+46j
		or	esi, 1
		jmp	short loc_896659
; 

loc_8966C0:				; CODE XREF: ExpParseSuiteMask+82j
		or	esi, 20h
		jmp	short loc_896659
; 

loc_8966C5:				; CODE XREF: ExpParseSuiteMask+BEj
		or	esi, 2
		jmp	short loc_896659
; 

loc_8966CA:				; CODE XREF: ExpParseSuiteMask+FAj
		or	esi, 8
		jmp	short loc_896659
; 

loc_8966CF:				; CODE XREF: ExpParseSuiteMask+136j
		or	esi, 4
		jmp	short loc_896659
ExpParseSuiteMask endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1342. LdrAccessResource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrAccessResource(x, x, x, x)
		public _LdrAccessResource@16
_LdrAccessResource@16 proc near		; CODE XREF: FindBitmapResource(x,x)+4Dp
					; INIT:00ACD416p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	LdrpAccessResourceData
		pop	ebp
		retn	10h
_LdrAccessResource@16 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1346. LdrFindResource_U

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrFindResource_U(x, x, x, x)
		public _LdrFindResource_U@16
_LdrFindResource_U@16 proc near		; CODE XREF: FindBitmapResource(x,x)+3Bp
					; INIT:00ACD3FAp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_8]
		call	_LdrpSearchResourceSection_U@20	; LdrpSearchResourceSection_U(x,x,x,x,x)
		pop	ebp
		retn	10h
_LdrFindResource_U@16 endp


;  S U B	R O U T	I N E 


; __stdcall DbgkpInitializePhase0SiloState(x)
_DbgkpInitializePhase0SiloState@4 proc near ; CODE XREF: DbgkpInitializePhase0()+5Bp
		and	dword ptr [ecx], 0
		xor	eax, eax
		retn
_DbgkpInitializePhase0SiloState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpInitializePhase1SiloState(x)
_DbgkpInitializePhase1SiloState@4 proc near ; CODE XREF: DbgkInitializeServerSilo(x)+22p
					; DbgkpInitializePhase1()+Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	46h
		pop	eax
		push	48h
		mov	word ptr [ebp+var_8], ax
		lea	edx, [ecx+0Ch]
		pop	eax
		lea	ecx, [ebp+var_8]
		mov	word ptr [ebp+var_8+2],	ax
		mov	[ebp+var_4], offset ??_C@_1EI@MEPMEHFB@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@
		call	DbgkpCreateNotificationEvent
		test	eax, eax
		js	short locret_896749
		xor	eax, eax

locret_896749:				; CODE XREF: DbgkpInitializePhase1SiloState(x)+29j
		leave
		retn
_DbgkpInitializePhase1SiloState@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DbgkpCreateNotificationEvent proc near	; CODE XREF: DbgkpInitializePhase1SiloState(x)+22p

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_60		= dword	ptr -60h
var_30		= dword	ptr -30h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092D5DB SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+9Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		and	[esp+0A8h+var_9C], 0
		lea	edi, [esp+0A8h+var_74]
		mov	[esp+0A8h+var_98], ecx
		stosd
		mov	ebx, edx
		push	26h
		mov	[esp+0ACh+var_90], offset ??_C@_1CI@PDLNLLIE@?$AAl?$AAp?$AAa?$AAc?$AAI?$AAn?$AAs?$AAt?$AAr?$AAu?$AAm?$AAe?$AAn?$AAt?$AAa@NNGAKEGL@ ; "lpacInstrumentation"
		stosd
		stosd
		stosd
		stosd
		pop	eax
		push	28h
		mov	word ptr [esp+0ACh+var_94], ax
		pop	eax
		mov	word ptr [esp+0A8h+var_94+2], ax
		lea	eax, [esp+0A8h+var_60]
		push	eax
		lea	eax, [esp+0ACh+var_30]
		push	eax
		lea	eax, [esp+0B0h+var_94]
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_896975
		push	1
		lea	eax, [esp+0B8h+var_80]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		js	loc_896975
		push	_SeWorldSid
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeLocalSystemSid
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeLocalSid
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeAllAppPackagesSid
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	esi, eax
		lea	eax, [esp+0B4h+var_6C]
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	6C636144h
		lea	edi, [eax+44h]
		add	edi, esi
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_92D5DB
		push	2		; int
		push	edi		; size_t
		push	esi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	edi, eax
		push	0
		test	edi, edi
		js	loc_92D5E7
		push	_SeLocalSid
		mov	ecx, esi
		push	120001h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	edi, eax
		push	0
		test	edi, edi
		js	loc_92D5E7
		push	_SeAllAppPackagesSid
		mov	ecx, esi
		push	120001h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	edi, eax
		push	0
		test	edi, edi
		js	loc_92D5E7
		lea	eax, [esp+0B8h+var_6C]
		mov	ecx, esi
		push	eax
		push	120001h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	edi, eax
		push	0
		test	edi, edi
		js	loc_92D5E7
		push	_SeLocalSystemSid
		mov	ecx, esi
		push	1F0003h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	edi, eax
		push	0
		test	edi, edi
		js	loc_92D5E7
		push	_SeWorldSid
		mov	ecx, esi
		push	120001h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	edi, eax
		push	0
		push	esi
		test	edi, edi
		js	loc_92D5E8
		push	1
		lea	eax, [esp+0C0h+var_80]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	edi, eax
		test	edi, edi
		js	loc_92D5E5
		mov	eax, [esp+0B4h+var_A4]
		xor	ecx, ecx
		mov	[esp+0B4h+var_90], eax
		lea	eax, [esp+0B4h+var_80]
		push	ecx
		mov	[esp+0B8h+var_88], eax
		lea	eax, [esp+0B8h+var_98]
		push	ecx
		push	eax
		push	1F0003h
		lea	eax, [esp+0C4h+var_A8]
		mov	[esp+0C4h+var_98], 18h
		push	eax
		mov	[esp+0C8h+var_94], ecx
		mov	[esp+0C8h+var_8C], 210h
		mov	[esp+0C8h+var_84], ecx
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		push	0
		push	esi
		mov	edi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		js	short loc_896973
		mov	eax, ds:_ExEventObjectType
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ebx
		push	6B676244h
		push	ecx
		mov	ecx, [esp+0C8h+var_A8]
		push	eax
		push	2
		pop	edx
		call	ObpReferenceObjectByHandleWithTag
		push	[esp+0B4h+var_A8]
		mov	edi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_896973:				; CODE XREF: DbgkpCreateNotificationEvent+1FDj
					; DbgkpCreateNotificationEvent+96EA1j
		mov	eax, edi

loc_896975:				; CODE XREF: DbgkpCreateNotificationEvent+63j
					; DbgkpCreateNotificationEvent+77j ...
		mov	ecx, [esp+0B4h+var_10]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
DbgkpCreateNotificationEvent endp


;  S U B	R O U T	I N E 


; __stdcall DbgkpGetServerSiloState(x)
_DbgkpGetServerSiloState@4 proc	near	; CODE XREF: DbgkpInitializePhase0()+54p
					; DbgkpInitializePhase1()+5p
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		add	eax, 238h
		retn
_DbgkpGetServerSiloState@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspInitializeProtectedProcessParameters	proc near
					; CODE XREF: PspInitializeServerSiloDeferred(x)+40p
					; PspInitPhase2(x)+130p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092D5F2 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	6C537350h
		mov	eax, [ebx+26Ch]
		mov	[ebx+248h], eax
		mov	eax, [ebx+270h]
		mov	[ebx+24Ch], eax
		mov	eax, [ebx+270h]
		mov	[ebp+var_4], eax
		mov	ax, [ebx+26Ch]
		add	ax, 2Ah
		add	ax, ax
		mov	[ebx+250h], ax
		add	eax, 2
		mov	[ebx+252h], ax
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+254h], eax
		test	eax, eax
		jz	loc_92D5F2
		push	esi
		mov	esi, ds:off_A40538
		push	edi
		mov	edi, eax
		movsd
		movsd
		movsw
		lea	esi, [eax+0Ah]
		movzx	eax, word ptr [ebx+26Ch]
		push	eax		; size_t
		push	dword ptr [ebx+270h] ; void *
		push	esi		; void *
		call	_memcpy
		movzx	eax, word ptr [ebx+26Ch]
		xor	ecx, ecx
		add	eax, esi
		mov	esi, ds:off_A40548
		mov	edi, eax
		push	6
		lea	edx, [eax+14h]
		movsd
		movsd
		movsd
		movsd
		movsw
		mov	[eax+12h], cx
		mov	edi, edx
		mov	esi, ds:off_A40540
		mov	eax, [ebp+var_4]
		pop	ecx
		rep movsd
		mov	eax, [eax]
		lea	edi, [edx+1Eh]
		mov	[edx+18h], eax
		xor	eax, eax
		mov	[edx+1Ch], ax
		mov	esi, dword ptr ds:loc_A4052F+1
		push	5
		pop	ecx
		rep movsd
		movsw
		movzx	eax, word ptr [ebx+26Ch]
		lea	esi, [edx+34h]
		push	eax		; size_t
		push	dword ptr [ebx+270h] ; void *
		push	esi		; void *
		call	_memcpy
		movzx	eax, word ptr [ebx+26Ch]
		add	esp, 18h
		add	esi, eax
		xor	eax, eax
		pop	edi
		mov	[esi], eax
		pop	esi

loc_896A97:				; CODE XREF: PspInitializeProtectedProcessParameters+96C61j
		pop	ebx
		leave
		retn
PspInitializeProtectedProcessParameters	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepInitializationPhase1()
_SepInitializationPhase1@0 proc	near	; CODE XREF: SeInitServerSilo(x)+94p
					; SeInitSystem+1Ap

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	[esp+58h+var_38], esi
		mov	[esp+58h+var_34], esi
		mov	[esp+58h+var_48], esi
		mov	[esp+58h+var_3C], esi
		mov	[esp+58h+var_44], esi
		mov	[esp+58h+var_40], esi
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		mov	bl, al
		test	bl, bl
		jnz	short loc_896B0E
		mov	ecx, large fs:124h
		xor	edx, edx
		push	esi
		push	esi
		push	esi
		mov	eax, [ecx+80h]
		push	esi
		push	esi
		mov	ecx, [eax+12Ch]
		and	ecx, 0FFFFFFF8h
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		call	SeMakeAnonymousLogonToken
		mov	ds:_SeAnonymousLogonToken, eax
		call	SeMakeAnonymousLogonTokenNoEveryone
		mov	ds:_SeAnonymousLogonTokenNoEveryone, eax

loc_896B0E:				; CODE XREF: SepInitializationPhase1()+3Cj
		push	offset ??_C@_09OFABOBDM@?2Security@NNGAKEGL@
		lea	eax, [esp+5Ch+var_38]
		push	eax
		call	_RtlInitString@8 ; RtlInitString(x,x)
		push	1
		lea	eax, [esp+5Ch+var_38]
		push	eax
		lea	eax, [esp+60h+var_44]
		push	eax
		call	RtlAnsiStringToUnicodeString
		push	1
		lea	eax, [esp+5Ch+var_18]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	20206553h
		push	100h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_896CBB
		push	2
		pop	edi
		push	edi		; int
		push	100h		; size_t
		push	esi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	0
		push	_SeLocalSystemSid
		mov	edx, edi
		mov	ecx, esi
		push	0F000Fh
		push	0
		call	RtlpAddKnownAce
		push	0
		push	ds:_SeAliasAdminsSid
		mov	edx, edi
		mov	ecx, esi
		push	20003h
		push	0
		call	RtlpAddKnownAce
		push	0
		push	_SeWorldSid
		mov	edx, edi
		mov	ecx, esi
		push	edi
		push	0
		call	RtlpAddKnownAce
		push	0
		push	esi
		push	1
		lea	eax, [esp+64h+var_18]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		and	[esp+58h+var_2C], 0
		lea	eax, [esp+58h+var_44]
		and	[esp+58h+var_1C], 0
		mov	[esp+58h+var_28], eax
		lea	eax, [esp+58h+var_18]
		push	18h
		pop	edi
		mov	[esp+58h+var_20], eax
		lea	eax, [esp+58h+var_30]
		push	eax
		push	0F000Fh
		lea	eax, [esp+60h+var_48]
		mov	[esp+60h+var_30], edi
		push	eax
		mov	[esp+64h+var_24], 50h
		call	_ZwCreateDirectoryObject@12 ; ZwCreateDirectoryObject(x,x,x)
		lea	eax, [esp+58h+var_44]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	offset ??_C@_0BP@HPNNBFHI@LSA_AUTHENTICATION_INITIALIZED@NNGAKEGL@
		lea	eax, [esp+5Ch+var_38]
		push	eax
		call	_RtlInitString@8 ; RtlInitString(x,x)
		push	1
		lea	eax, [esp+5Ch+var_38]
		push	eax
		lea	eax, [esp+60h+var_44]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	eax, [esp+58h+var_48]
		mov	[esp+58h+var_2C], eax
		lea	eax, [esp+58h+var_44]
		mov	[esp+58h+var_28], eax
		mov	eax, ds:_SePublicDefaultSd
		mov	[esp+58h+var_20], eax
		xor	eax, eax
		push	eax
		push	eax
		mov	[esp+60h+var_1C], eax
		lea	eax, [esp+60h+var_30]
		push	eax
		mov	[esp+64h+var_30], edi
		lea	eax, [esp+64h+var_3C]
		mov	[esp+64h+var_24], 50h
		push	40000000h
		push	eax
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		lea	eax, [esp+58h+var_44]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	[esp+58h+var_48]
		call	_ZwClose@4	; ZwClose(x)
		push	[esp+58h+var_3C]
		call	_ZwClose@4	; ZwClose(x)
		test	bl, bl
		jnz	short loc_896CA2
		call	SepInitProcessAuditSd
		call	_SepInitializeCodeIntegrity@0 ;	SepInitializeCodeIntegrity()
		call	_SepInitializeAuthorizationCallbacks@0 ; SepInitializeAuthorizationCallbacks()
		call	SepInitializeSingletonAttributesStructures
		test	eax, eax
		js	short loc_896CBB

loc_896CA2:				; CODE XREF: SepInitializationPhase1()+1EEj
		call	_SddlBaseInitialize@0 ;	SddlBaseInitialize()
		mov	al, 1

loc_896CA9:				; CODE XREF: SepInitializationPhase1()+223j
		mov	ecx, [esp+58h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_896CBB:				; CODE XREF: SepInitializationPhase1()+B8j
					; SepInitializationPhase1()+206j
		xor	al, al
		jmp	short loc_896CA9
_SepInitializationPhase1@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

InitializeSidLookupTable proc near	; CODE XREF: SddlBaseInitialize()j

var_38		= dword	ptr -38h
var_34		= word ptr -34h
var_30		= dword	ptr -30h
var_2C		= word ptr -2Ch
var_28		= dword	ptr -28h
var_24		= word ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_8		= dword	ptr -8
var_4		= word ptr -4

; FUNCTION CHUNK AT 0092D5FC SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_C], 100h
		push	edi
		push	3Fh
		mov	[ebp+var_10], eax
		mov	esi, offset unk_6B4014
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], 200h
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], 300h
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], 500h
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], 1000h
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], 0F00h
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], 1200h
		pop	ebx

loc_896D14:				; CODE XREF: InitializeSidLookupTable+A8j
		cmp	byte ptr [esi-1Ch], 1
		jz	loc_92D5FC

loc_896D1E:				; CODE XREF: InitializeSidLookupTable+96945j
		mov	eax, [esi-4]
		dec	eax
		mov	[esi-0Ch], esi
		cmp	eax, 0Ah	; switch 11 cases
		ja	short loc_896D60 ; default
		jmp	ds:off_896DE8[eax*4] ; switch jump

loc_896D31:				; DATA XREF: PAGE:off_896DE8o
		push	2		; case 0x5
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	0
		push	dword ptr [esi-0Ch]
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 20h

loc_896D4D:				; CODE XREF: InitializeSidLookupTable+F1j
		push	1

loc_896D4F:				; CODE XREF: InitializeSidLookupTable+BFj
		push	dword ptr [esi-0Ch]
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	ecx, [esi-8]
		mov	[eax], ecx

loc_896D5C:				; CODE XREF: InitializeSidLookupTable+122j
		mov	byte ptr [esi-1Ch], 1

loc_896D60:				; CODE XREF: InitializeSidLookupTable+68j
					; InitializeSidLookupTable+6Aj
					; DATA XREF: ...
		xor	eax, eax	; default

loc_896D62:				; CODE XREF: InitializeSidLookupTable+9693Fj
		add	esi, 64h
		sub	ebx, 1
		jnz	short loc_896D14
		pop	edi
		pop	esi
		mov	al, 1
		pop	ebx
		leave
		retn
; 

loc_896D71:				; CODE XREF: InitializeSidLookupTable+6Aj
					; DATA XREF: PAGE:off_896DE8o
		lea	eax, [ebp+var_8] ; case	0x4

loc_896D74:				; CODE XREF: InitializeSidLookupTable+C4j
					; InitializeSidLookupTable+C9j	...
		push	1
		push	eax
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	0
		jmp	short loc_896D4F
; 

loc_896D81:				; CODE XREF: InitializeSidLookupTable+6Aj
					; DATA XREF: PAGE:off_896DE8o
		lea	eax, [ebp+var_28] ; case 0x7
		jmp	short loc_896D74
; 

loc_896D86:				; CODE XREF: InitializeSidLookupTable+6Aj
					; DATA XREF: PAGE:off_896DE8o
		lea	eax, [ebp+var_20] ; case 0x3
		jmp	short loc_896D74
; 

loc_896D8B:				; CODE XREF: InitializeSidLookupTable+6Aj
					; DATA XREF: PAGE:off_896DE8o
		lea	eax, [ebp+var_38] ; case 0xA
		jmp	short loc_896D74
; 

loc_896D90:				; CODE XREF: InitializeSidLookupTable+6Aj
					; DATA XREF: PAGE:off_896DE8o
		lea	eax, [ebp+var_10] ; case 0x0
		jmp	short loc_896D74
; 

loc_896D95:				; CODE XREF: InitializeSidLookupTable+6Aj
					; DATA XREF: PAGE:off_896DE8o
		push	2		; case 0x8
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	0
		push	dword ptr [esi-0Ch]
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 2
		jmp	short loc_896D4D
; 

loc_896DB3:				; CODE XREF: InitializeSidLookupTable+6Aj
					; DATA XREF: PAGE:off_896DE8o
		push	6		; case 0x9
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	0
		push	dword ptr [esi-0Ch]
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	1
		mov	dword ptr [eax], 54h
		push	dword ptr [esi-0Ch]
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	edi, eax
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		stosd
		jmp	loc_896D5C
InitializeSidLookupTable endp

; 
		align 4
off_896DE8	dd offset loc_896D90	; DATA XREF: InitializeSidLookupTable+6Ar
		dd offset loc_92D60A	; jump table for switch	statement
		dd offset loc_896D60
		dd offset loc_896D86
		dd offset loc_896D71
		dd offset loc_896D31
		dd offset loc_896D60
		dd offset loc_896D81
		dd offset loc_896D95
		dd offset loc_896DB3
		dd offset loc_896D8B

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpInitializeProcessorTrace()
_EtwpInitializeProcessorTrace@0	proc near ; CODE XREF: EtwpInitialize+140p

var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		xor	eax, eax
		and	[ebp+var_4], 0
		mov	ecx, offset _EtwpHwTraceExtensionHost
		mov	[ebp+var_12], ax
		push	0Bh
		pop	eax
		mov	word ptr [ebp+var_18], ax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_10], 200h
		push	3
		mov	word ptr [ebp+var_18+2], ax
		pop	eax
		mov	[ebp+var_14], ax
		lea	eax, [ebp+var_18]
		push	eax
		mov	[ebp+var_C], (offset loc_4037CD+3)
		call	ExRegisterHost
		test	eax, eax
		js	short loc_896E61
		leave
		retn
; 

loc_896E61:				; CODE XREF: EtwpInitializeProcessorTrace()+49j
		and	_EtwpHwTraceExtensionHost, 0
		leave
		retn
_EtwpInitializeProcessorTrace@0	endp

; 
		align 10h
; Exported entry 414. ExRegisterExtension

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExRegisterExtension
ExRegisterExtension proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0092D612 SIZE 000000BF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		and	eax, 0FFFF0000h
		push	esi
		push	edi
		cmp	eax, 10000h
		jnz	loc_92D61C
		mov	ebx, [ebp+arg_8]
		xor	edi, edi
		cmp	[ebx+8], edi
		jz	loc_92D612

loc_896E99:				; CODE XREF: ExRegisterExtension+967A6j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	edi
		xor	edx, edx
		mov	ecx, offset _ExpHostListLock
		call	KeAbPreAcquire
		push	11h
		mov	esi, eax
		mov	edx, offset _ExpHostListLock
		pop	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	loc_896FE2

loc_896ECC:				; CODE XREF: ExRegisterExtension+181j
		test	esi, esi
		jz	short loc_896ED4
		or	byte ptr [esi+0Eh], 1

loc_896ED4:				; CODE XREF: ExRegisterExtension+5Ej
		mov	dx, [ebx+2]
		mov	cx, [ebx]
		call	_ExpFindHost@8	; ExpFindHost(x,x)
		push	11h
		mov	esi, eax
		xor	edx, edx
		pop	eax
		mov	ecx, offset _ExpHostListLock
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jnz	loc_896FF6

loc_896EF9:				; CODE XREF: ExRegisterExtension+190j
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		jz	loc_92D626
		movzx	eax, word ptr [ebx+4]
		cmp	ax, [esi+10h]
		jb	loc_92D630
		mov	edx, eax
		mov	ecx, edi
		test	edx, edx
		jz	short loc_896F3B
		mov	eax, [ebx+8]

loc_896F2B:				; CODE XREF: ExRegisterExtension+C9j
		cmp	[eax], edi
		jz	loc_92D643
		inc	ecx
		add	eax, 4
		cmp	ecx, edx
		jb	short loc_896F2B

loc_896F3B:				; CODE XREF: ExRegisterExtension+B6j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	edi, [esi+28h]
		xor	edx, edx
		push	0
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	[ebp+arg_4], eax
		lock bts dword ptr [edi], 0
		jb	loc_92D65E

loc_896F65:				; CODE XREF: ExRegisterExtension+967FBj
		test	eax, eax
		jz	short loc_896F6D
		or	byte ptr [eax+0Eh], 1

loc_896F6D:				; CODE XREF: ExRegisterExtension+F7j
		cmp	dword ptr [esi+2Ch], 0
		jnz	loc_92D68E
		test	byte ptr [esi+30h], 1
		jnz	loc_92D68E
		mov	eax, [esi+1Ch]
		test	eax, eax
		jnz	short loc_897005

loc_896F88:				; CODE XREF: ExRegisterExtension+19Cj
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_92D670

loc_896F93:				; CODE XREF: ExRegisterExtension+96805j
		mov	[esi+2Ch], eax
		xor	ecx, ecx
		lea	eax, [esi+24h]
		xchg	ecx, [eax]
		mov	eax, [esi+1Ch]
		test	eax, eax
		jnz	short loc_897011

loc_896FA4:				; CODE XREF: ExRegisterExtension+1A8j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_92D67A

loc_896FB3:				; CODE XREF: ExRegisterExtension+9680Cj
					; ExRegisterExtension+96819j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebx+0Ch]
		test	ecx, ecx
		jnz	short loc_896FDB

loc_896FCD:				; CODE XREF: ExRegisterExtension+170j
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	eax, eax

loc_896FD4:				; CODE XREF: ExRegisterExtension+967B1j
					; ExRegisterExtension+967BBj ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_896FDB:				; CODE XREF: ExRegisterExtension+15Bj
		mov	eax, [esi+18h]
		mov	[ecx], eax
		jmp	short loc_896FCD
; 

loc_896FE2:				; CODE XREF: ExRegisterExtension+56j
		mov	eax, offset _ExpHostListLock
		mov	edx, esi
		push	eax
		mov	ecx, eax
		call	ExfAcquirePushLockSharedEx
		jmp	loc_896ECC
; 

loc_896FF6:				; CODE XREF: ExRegisterExtension+83j
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, offset _ExpHostListLock
		jmp	loc_896EF9
; 

loc_897005:				; CODE XREF: ExRegisterExtension+116j
		push	dword ptr [esi+20h]
		push	0
		call	eax ; _ExpHostListLock
		jmp	loc_896F88
; 

loc_897011:				; CODE XREF: ExRegisterExtension+132j
		push	dword ptr [esi+20h]
		push	1
		call	eax ; _ExpHostListLock
		jmp	short loc_896FA4
ExRegisterExtension endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExRegisterHost	proc near		; CODE XREF: IopInitializeIoRate()+42p
					; EtwpInitializeProcessorTrace()+42p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092D6D1 SIZE 00000066 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	48457845h
		push	34h
		push	dword ptr [esi+8]
		mov	[ebp+var_4], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_92D6D1
		and	byte ptr [ebx+30h], 0FEh
		lea	edi, [ebx+0Ch]
		xor	eax, eax
		mov	dword ptr [ebx+8], 1
		push	6
		pop	ecx
		mov	[ebx+2Ch], eax
		rep movsd
		lea	ecx, [ebx+24h]
		mov	[ebx+28h], eax
		mov	[ecx], eax
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _ExpHostListLock
		xor	edx, edx
		push	0
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [edi], 0
		jb	loc_92D6DB

loc_897093:				; CODE XREF: ExRegisterHost+966CBj
		test	esi, esi
		jz	short loc_89709B
		or	byte ptr [esi+0Eh], 1

loc_89709B:				; CODE XREF: ExRegisterHost+7Bj
		mov	eax, [ebp+arg_0]
		mov	dx, [eax+2]
		mov	cx, [eax]
		call	_ExpFindHost@8	; ExpFindHost(x,x)
		mov	esi, eax
		or	ecx, 0FFFFFFFFh
		test	esi, esi
		jnz	loc_92D6EA
		mov	eax, ds:dword_A9AABC
		mov	edx, offset _ExpHostList
		xor	edi, edi
		cmp	[eax], edx
		jnz	short loc_897107
		mov	[ebx+4], eax
		mov	[ebx], edx
		mov	[eax], ebx
		mov	eax, [ebp+var_4]
		mov	ds:dword_A9AABC, ebx
		mov	[eax], ebx

loc_8970D9:				; CODE XREF: ExRegisterHost+966F2j
					; ExRegisterHost+96703j
		mov	esi, offset _ExpHostListLock
		lock xadd [esi], ecx
		test	cl, 2
		jnz	loc_92D722

loc_8970EB:				; CODE XREF: ExRegisterHost+9670Bj
					; ExRegisterHost+96718j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi

loc_897100:				; CODE XREF: ExRegisterHost+966BCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_897107:				; CODE XREF: ExRegisterHost+ABj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
ExRegisterHost	endp			; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall ExpFindHost(x, x)
_ExpFindHost@8	proc near		; CODE XREF: ExRegisterExtension+6Bp
					; ExRegisterHost+8Bp
		mov	eax, ds:_ExpHostList
		push	esi
		mov	esi, offset _ExpHostList

loc_897117:				; CODE XREF: ExpFindHost(x,x)+17j
		cmp	eax, esi
		jz	short loc_897125
		cmp	[eax+0Ch], cx
		jz	short loc_897129

loc_897121:				; CODE XREF: ExpFindHost(x,x)+21j
		mov	eax, [eax]
		jmp	short loc_897117
; 

loc_897125:				; CODE XREF: ExpFindHost(x,x)+Dj
		xor	eax, eax
		pop	esi
		retn
; 

loc_897129:				; CODE XREF: ExpFindHost(x,x)+13j
		cmp	[eax+0Eh], dx
		jnz	short loc_897121
		lock inc dword ptr [eax+8]
		pop	esi
		retn
_ExpFindHost@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwRegisterCounters()
_EtwRegisterCounters@0 proc near	; CODE XREF: ExpPcwHostCallback:loc_897200p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		push	32h
		pop	eax
		push	34h
		mov	word ptr [ebp+var_8], ax
		mov	esi, offset _EtwpEventTracingCounterSetCallback@12 ; EtwpEventTracingCounterSetCallback(x,x,x)
		pop	eax
		mov	word ptr [ebp+var_8+2],	ax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	offset _PcwpEventTracingCounterSet
		mov	[ebp+var_4], offset ??_C@_1DE@GILKAFIA@?$AAE?$AAv?$AAe?$AAn?$AAt?$AA?5?$AAT?$AAr?$AAa?$AAc?$AAi?$AAn?$AAg?$AA?5?$AAf@NNGAKEGL@
		mov	[ebp+var_20], 100h
		mov	[ebp+var_14], offset ?Descriptors@?1??PcwpRegisterEventTracingCounterSet@@9@9 ;	`PcwpRegisterEventTracingCounterSet'::`2'::Descriptors
		mov	[ebp+var_18], 6
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], 1
		call	PcwRegister
		push	42h
		pop	eax
		push	44h
		mov	word ptr [ebp+var_8], ax
		pop	eax
		mov	word ptr [ebp+var_8+2],	ax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	offset _PcwpEventTracingSessionCounterSet
		mov	[ebp+var_4], offset ??_C@_1EE@NGOEOFND@?$AAE?$AAv?$AAe?$AAn?$AAt?$AA?5?$AAT?$AAr?$AAa?$AAc?$AAi?$AAn?$AAg?$AA?5?$AAf@NNGAKEGL@
		mov	[ebp+var_20], 100h
		mov	[ebp+var_14], (offset loc_408169+3)
		mov	[ebp+var_18], 5
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], 2
		call	PcwRegister
		pop	esi
		leave
		retn
_EtwRegisterCounters@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpPcwHostCallback proc	near		; DATA XREF: ExpInitializePcw()+34o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092D737 SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, [ebp+arg_0]
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		sub	eax, 1
		jz	short loc_897200
		sub	eax, 1
		jz	loc_92D737

loc_8971F7:				; CODE XREF: ExpPcwHostCallback+1BDj
					; ExpPcwHostCallback+965C1j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_897200:				; CODE XREF: ExpPcwHostCallback+14j
		call	_EtwRegisterCounters@0 ; EtwRegisterCounters()
		push	1Eh
		pop	eax
		push	20h
		mov	word ptr [esp+34h+var_20], ax
		mov	ebx, 100h
		pop	eax
		mov	word ptr [esp+30h+var_20+2], ax
		xor	esi, esi
		push	2Ah
		lea	eax, [esp+34h+var_20]
		mov	[esp+34h+var_1C], offset ??_C@_1CA@DPHKDJLG@?$AAS?$AAy?$AAn?$AAc?$AAh?$AAr?$AAo?$AAn?$AAi?$AAz?$AAa?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		pop	edi
		mov	[esp+30h+var_14], eax
		lea	eax, [esp+30h+var_18]
		push	eax
		push	offset _PcwpSynchCounterSet
		mov	[esp+38h+var_18], ebx
		mov	[esp+38h+var_C], offset	?Descriptors@?1??PcwpRegisterSynchCounterSet@@9@9 ; `PcwpRegisterSynchCounterSet'::`2'::Descriptors
		mov	[esp+38h+var_10], edi
		mov	[esp+38h+var_8], offset	_KiSynchCounterSetCallback@12 ;	KiSynchCounterSetCallback(x,x,x)
		mov	[esp+38h+var_4], esi
		call	PcwRegister
		push	26h
		pop	eax
		push	28h
		mov	word ptr [esp+34h+var_20], ax
		pop	eax
		mov	word ptr [esp+30h+var_20+2], ax
		lea	eax, [esp+30h+var_20]
		mov	[esp+30h+var_14], eax
		lea	eax, [esp+30h+var_18]
		push	eax
		push	offset _PcwpSynchNumaCounterSet
		mov	[esp+38h+var_1C], offset ??_C@_1CI@PHJJBKFE@?$AAS?$AAy?$AAn?$AAc?$AAh?$AAr?$AAo?$AAn?$AAi?$AAz?$AAa?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		mov	[esp+38h+var_18], ebx
		mov	[esp+38h+var_C], offset	?Descriptors@?1??PcwpRegisterSynchCounterSet@@9@9 ; `PcwpRegisterSynchCounterSet'::`2'::Descriptors
		mov	[esp+38h+var_10], edi
		mov	[esp+38h+var_8], offset	_KiSynchNumaCounterSetCallback@12 ; KiSynchNumaCounterSetCallback(x,x,x)
		mov	[esp+38h+var_4], esi
		call	PcwRegister
		push	2Ch
		pop	eax
		mov	word ptr [esp+30h+var_20+2], ax
		lea	eax, [esp+30h+var_20]
		mov	[esp+30h+var_14], eax
		lea	eax, [esp+30h+var_18]
		push	eax
		push	offset _PcwpProcessorCounterSet
		mov	word ptr [esp+38h+var_20], di
		mov	[esp+38h+var_1C], offset ??_C@_1CM@PNMDNLFC@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AA?5?$AAI?$AAn?$AAf?$AAo?$AAr@NNGAKEGL@ ; "Processor	Information"
		mov	[esp+38h+var_18], ebx
		mov	[esp+38h+var_C], offset	?Descriptors@?1??PcwpRegisterProcessorCounterSet@@9@9 ;	`PcwpRegisterProcessorCounterSet'::`2'::Descriptors
		mov	[esp+38h+var_10], 23h
		mov	[esp+38h+var_8], offset	ExProcessorCounterSetCallback
		mov	[esp+38h+var_4], esi
		call	PcwRegister
		call	_PsIsDiskCountersEnabled@0 ; PsIsDiskCountersEnabled()
		push	30h
		pop	edi
		push	32h
		pop	ecx
		test	al, al
		jz	short loc_89734C
		lea	eax, [esp+30h+var_20]
		mov	word ptr [esp+30h+var_20], di
		mov	[esp+30h+var_14], eax
		lea	eax, [esp+30h+var_18]
		push	eax
		push	offset _PcwpFileSystemDiskIOCounterSet
		mov	word ptr [esp+38h+var_20+2], cx
		mov	[esp+38h+var_1C], offset ??_C@_1DC@JFFDHOK@?$AAF?$AAi?$AAl?$AAe?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?5?$AAD?$AAi?$AAs?$AAk@NNGAKEGL@ ; "FileSystem	Disk Activity"
		mov	[esp+38h+var_18], ebx
		mov	[esp+38h+var_C], offset	?Descriptors@?1??PcwpRegisterFileSystemDiskIOCounterSet@@9@9 ; `PcwpRegisterFileSystemDiskIOCounterSet'::`2'::Descriptors
		mov	[esp+38h+var_10], 2
		mov	[esp+38h+var_8], offset	_FsRtlDiskIOCounterSetCallback@12 ; FsRtlDiskIOCounterSetCallback(x,x,x)
		mov	[esp+38h+var_4], esi
		call	PcwRegister
		push	32h
		pop	ecx

loc_89734C:				; CODE XREF: ExpPcwHostCallback+126j
		lea	eax, [esp+30h+var_20]
		mov	word ptr [esp+30h+var_20], di
		mov	[esp+30h+var_14], eax
		lea	eax, [esp+30h+var_18]
		push	eax
		push	offset _PcwpThermalCounterSet
		mov	word ptr [esp+38h+var_20+2], cx
		mov	[esp+38h+var_1C], offset ??_C@_1DC@HHPGCLBM@?$AAT?$AAh?$AAe?$AAr?$AAm?$AAa?$AAl?$AA?5?$AAZ?$AAo?$AAn?$AAe?$AA?5?$AAI?$AAn@NNGAKEGL@ ; "T"
		mov	[esp+38h+var_18], ebx
		mov	[esp+38h+var_C], offset	?Descriptors@?1??PcwpRegisterThermalCounterSet@@9@9 ; `PcwpRegisterThermalCounterSet'::`2'::Descriptors
		mov	[esp+38h+var_10], 4
		mov	[esp+38h+var_8], offset	_PoThermalCounterSetCallback@12	; PoThermalCounterSetCallback(x,x,x)
		mov	[esp+38h+var_4], esi
		call	PcwRegister
		jmp	loc_8971F7
ExpPcwHostCallback endp

; 
		align 10h
; Exported entry 1655. PcwRegister

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PcwRegister
PcwRegister	proc near		; CODE XREF: EtwRegisterCounters()+51p
					; EtwRegisterCounters()+99p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092D7B0 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, ds:_ExpPcwExtensionHost
		push	esi
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	loc_92D7B0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	dword ptr [eax]
		mov	ecx, ds:_ExpPcwExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_8973CF:				; CODE XREF: PcwRegister+9641Dj
		mov	eax, esi
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
PcwRegister	endp ; sp = -8

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall SepInitializeCodeIntegrity()
_SepInitializeCodeIntegrity@0 proc near	; CODE XREF: SepInitializationPhase1()+1F5p
		mov	edi, edi
		push	esi
		push	edi
		push	6
		pop	edi
		push	6Ch		; size_t
		xor	esi, esi
		push	esi		; int
		push	offset dword_6BEA24 ; void *
		call	_memset
		mov	eax, ds:_KeLoaderBlock
		add	esp, 0Ch
		mov	_SeCiCallbacks,	74h
		mov	dword_6BEA90, 0A000008h
		test	eax, eax
		jz	short loc_897440
		mov	ecx, [eax+84h]
		test	ecx, ecx
		jz	short loc_897424
		mov	ecx, [ecx+0A78h]
		test	ecx, ecx
		jz	short loc_897424
		mov	edi, [ecx]

loc_897424:				; CODE XREF: SepInitializeCodeIntegrity()+3Ej
					; SepInitializeCodeIntegrity()+48j
		mov	ecx, [eax+78h]	; char *
		test	ecx, ecx
		jz	short loc_897434
		call	SepIsOptionPresent
		test	eax, eax
		jnz	short loc_897455

loc_897434:				; CODE XREF: SepInitializeCodeIntegrity()+51j
					; SepInitializeCodeIntegrity()+84j
		mov	eax, ds:_KeLoaderBlock
		test	eax, eax
		jz	short loc_897440
		lea	esi, [eax+20h]

loc_897440:				; CODE XREF: SepInitializeCodeIntegrity()+34j
					; SepInitializeCodeIntegrity()+63j
		push	offset _SeCiPrivateApis
		push	offset _SeCiCallbacks
		push	esi
		push	edi
		call	ds:__imp__CiInitialize@16 ; CiInitialize(x,x,x,x)
		pop	edi
		pop	esi
		retn
; 

loc_897455:				; CODE XREF: SepInitializeCodeIntegrity()+5Aj
		or	_SeCiDebugOptions, 1
		jmp	short loc_897434
_SepInitializeCodeIntegrity@0 endp


;  S U B	R O U T	I N E 


; int __fastcall SepIsOptionPresent(char *)
SepIsOptionPresent proc	near		; CODE XREF: SepInitializeCodeIntegrity()+53p

; FUNCTION CHUNK AT 0092D7C2 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, offset ??_C@_0P@OBFFLNHC@MINTCBIGNOREKD@NNGAKEGL@ ; "MINTCBIGNOREKD"
		mov	ebx, ecx
		push	esi		; char *
		push	ebx		; char *
		xor	edi, edi
		call	_strstr
		mov	edx, eax
		pop	ecx
		pop	ecx
		test	edx, edx
		jnz	short loc_897481

loc_89747B:				; CODE XREF: SepIsOptionPresent+96375j
					; SepIsOptionPresent+96384j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_897481:				; CODE XREF: SepIsOptionPresent+1Bj
		lea	ecx, [esi+1]
		jmp	loc_92D7C2
SepIsOptionPresent endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCreateToken(x, x, x, x, x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x)
_SepCreateToken@76 proc	near		; CODE XREF: SeMakeSystemToken+5AAp
					; SeMakeAnonymousLogonTokenNoEveryone+1D6p ...

arg_4		= dword	ptr  0Ch
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	1
		xor	eax, eax
		xor	dl, dl
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _SeSystemTokenSource
		push	[ebp+arg_38]
		push	[ebp+arg_34]
		push	[ebp+arg_30]
		push	[ebp+arg_2C]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	eax
		push	1
		push	[ebp+arg_4]
		push	eax
		call	SepCreateTokenEx
		pop	ecx
		pop	ebp
		retn	44h
_SepCreateToken@76 endp

; 
		align 8
; Exported entry 1949. RtlAddProcessTrustLabelAce

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public RtlAddProcessTrustLabelAce
RtlAddProcessTrustLabelAce proc	near	; CODE XREF: SepSetProcessTrustLabelAceForToken(x)+1E2p
					; RtlpNewSecurityObject+1025E7p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0092D7F0 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	loc_8975DE
		push	esi
		call	RtlValidAcl
		test	al, al
		jz	loc_8975DE
		cmp	byte ptr [ebp+arg_10], 14h
		jnz	loc_92D804
		mov	edi, [ebp+arg_C]
		push	edi
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_92D7F0
		mov	ecx, edi
		call	_RtlIsValidProcessTrustLabelSid@4 ; RtlIsValidProcessTrustLabelSid(x)
		test	al, al
		jz	loc_92D804
		mov	bl, [esi]
		cmp	bl, 4
		ja	loc_92D7FA
		push	4
		pop	eax
		cmp	[ebp+arg_4], eax
		ja	loc_92D7FA
		movzx	eax, bl
		cmp	eax, [ebp+arg_4]
		ja	short loc_89754A
		mov	bl, byte ptr [ebp+arg_4]

loc_89754A:				; CODE XREF: RtlAddProcessTrustLabelAce+6Dj
		test	[ebp+arg_8], 0FFFFFFE0h
		jnz	loc_92D804
		test	[ebp+arg_14], 0FF000000h
		jnz	loc_92D804
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		call	_RtlFirstFreeAce@8 ; RtlFirstFreeAce(x,x)
		test	al, al
		jz	short loc_8975DE
		movzx	eax, byte ptr [edi+1]
		mov	edx, [ebp+var_4]
		push	4
		pop	ecx
		add	ax, cx
		shl	ax, 2
		movzx	eax, ax
		mov	[ebp+arg_10], eax
		test	edx, edx
		jz	short loc_8975D7
		movzx	ecx, word ptr [esi+2]
		movzx	eax, ax
		add	ecx, esi
		add	eax, edx
		cmp	eax, ecx
		ja	short loc_8975D7
		mov	eax, [ebp+arg_8]
		mov	[edx+1], al
		mov	eax, [ebp+arg_10]
		mov	[edx+2], ax
		mov	eax, [ebp+arg_14]
		mov	[edx+4], eax
		lea	eax, [edx+8]
		push	edi		; void *
		push	eax		; void *
		mov	byte ptr [edx],	14h
		movzx	eax, byte ptr [edi+1]
		lea	eax, ds:8[eax*4]
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		inc	word ptr [esi+4]
		xor	eax, eax
		mov	[esi], bl

loc_8975D0:				; CODE XREF: RtlAddProcessTrustLabelAce+104j
					; RtlAddProcessTrustLabelAce+10Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_8975D7:				; CODE XREF: RtlAddProcessTrustLabelAce+B3j
					; RtlAddProcessTrustLabelAce+C2j
		mov	eax, 0C0000099h
		jmp	short loc_8975D0
; 

loc_8975DE:				; CODE XREF: RtlAddProcessTrustLabelAce+12j
					; RtlAddProcessTrustLabelAce+20j ...
		mov	eax, 0C0000077h
		jmp	short loc_8975D0
RtlAddProcessTrustLabelAce endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall SepInitializeSharedSidMap()
_SepInitializeSharedSidMap@0 proc near	; CODE XREF: SepVariableInitialization()+1A0Ap
		mov	eax, ds:_g_SepSidMapping
		push	esi
		xor	esi, esi
		push	esi
		mov	[eax], esi
		add	eax, 4
		push	esi
		push	eax
		mov	[eax], esi
		call	_RtlCreateHashTable@12 ; RtlCreateHashTable(x,x,x)
		test	al, al
		jz	short loc_897605

loc_897601:				; CODE XREF: SepInitializeSharedSidMap()+24j
		mov	eax, esi
		pop	esi
		retn
; 

loc_897605:				; CODE XREF: SepInitializeSharedSidMap()+19j
		mov	esi, 0C0000017h
		jmp	short loc_897601
_SepInitializeSharedSidMap@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmStoreRegister	proc near		; CODE XREF: SmFirstTimeInit+4B4p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092D80E SIZE 0000007A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	dword_6D5104, 1
		push	edi
		mov	[esp+28h+var_14], ebx
		call	_MmStoreCheckPagefiles@0 ; MmStoreCheckPagefiles()
		test	eax, eax
		jz	loc_92D80E
		push	ebx
		push	40h
		push	18h
		mov	edx, 70546D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_92D818
		push	ebx
		lea	eax, [esi+4]
		mov	dword ptr [esi], offset	_MiSystemPartition
		push	ebx
		push	eax
		mov	[esp+34h+var_4], eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		push	ebx
		push	esi
		push	offset MiStoreEvictThread
		push	ebx
		push	ebx
		push	ebx
		push	1FFFFFh
		lea	eax, [esp+48h+var_14]
		mov	[esi+14h], ebx
		push	eax
		call	PsCreateSystemThreadEx
		mov	edi, eax
		test	edi, edi
		js	loc_92D822
		mov	eax, ds:dword_7051C4
		mov	edx, 20206D4Dh
		push	ebx
		pop	ecx
		test	al, 1Fh
		push	ebx
		setnz	cl
		shr	eax, 5
		add	ecx, 2
		add	ecx, eax
		shl	ecx, 2
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[esp+28h+var_18], eax
		test	eax, eax
		jz	loc_92D877
		mov	ecx, ds:dword_7051C4
		mov	[eax], ecx
		lea	ecx, [eax+8]
		push	eax
		mov	[eax+4], ecx
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		mov	ecx, ebx
		mov	edi, ebx
		mov	ebx, dword_6D5D8C
		xor	edx, edx
		test	ebx, ebx
		jz	short loc_8976FE

loc_8976E1:				; CODE XREF: MmStoreRegister+F0j
		mov	eax, dword_6D5D94[edx*4]
		mov	eax, [eax+4]
		test	edi, edi
		ja	short loc_8976F9
		jb	short loc_8976F5
		cmp	ecx, eax
		jnb	short loc_8976F9

loc_8976F5:				; CODE XREF: MmStoreRegister+E3j
		mov	ecx, eax
		xor	edi, edi

loc_8976F9:				; CODE XREF: MmStoreRegister+E1j
					; MmStoreRegister+E7j
		inc	edx
		cmp	edx, ebx
		jb	short loc_8976E1

loc_8976FE:				; CODE XREF: MmStoreRegister+D3j
		add	ecx, dword_6D5D88
		mov	eax, 0FFFFFFFh
		adc	edi, 0
		jnz	loc_92D82E
		cmp	ecx, eax
		ja	loc_92D82E

loc_89771A:				; CODE XREF: MmStoreRegister+96229j
		push	2
		push	0
		push	0
		push	ecx
		push	ecx
		push	0
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiCreatePagefile
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_92D83A
		mov	ecx, ebx
		call	MiInsertPageFileInList
		mov	edi, eax
		mov	eax, [esp+28h+var_18]
		test	edi, edi
		js	loc_92D84F
		and	[esp+28h+var_10], 0
		mov	dword_6D5148, eax
		mov	dword_6D5104, 0FEh
		movzx	eax, word ptr [ebx+74h]
		and	eax, 0Fh
		mov	dword_6D50FC, eax
		mov	eax, [ebp+arg_0]
		push	0
		mov	dword_6D514C, eax
		lea	eax, [esp+2Ch+var_10]
		push	eax
		push	0
		push	ds:_PsThreadType
		push	1FFFFFh
		push	[esp+3Ch+var_14]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	eax, [esp+28h+var_10]
		xor	ebx, ebx
		mov	dword_6D511C, eax
		mov	eax, [ebp+arg_4]
		mov	dword_6D5150, eax
		xor	eax, eax
		mov	dword_6D5100, 1
		xor	edi, edi

loc_8977B5:				; CODE XREF: MmStoreRegister+9623Ej
					; MmStoreRegister+9624Aj
		test	eax, eax
		jnz	loc_92D85B

loc_8977BD:				; CODE XREF: MmStoreRegister+96257j
		test	ebx, ebx
		jnz	loc_92D868

loc_8977C5:				; CODE XREF: MmStoreRegister+96266j
		xor	ebx, ebx

loc_8977C7:				; CODE XREF: MmStoreRegister+96277j
		push	ebx
		push	ebx
		push	[esp+30h+var_4]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	ebx
		push	[esp+2Ch+var_14]
		call	ObCloseHandle

loc_8977DC:				; CODE XREF: MmStoreRegister+9621Dj
		mov	eax, edi

loc_8977DE:				; CODE XREF: MmStoreRegister+96207j
					; MmStoreRegister+96211j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
MmStoreRegister	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreatePagingFile(x, x, x,	x)
_NtCreatePagingFile@16 proc near	; DATA XREF: .text:00581134o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	offset _MiSystemPartition ; int
		mov	al, [eax+15Ah]
		push	[ebp+arg_C]	; int
		mov	byte ptr [ebp+var_4], al
		push	[ebp+var_4]	; int
		push	[ebp+arg_8]	; void *
		call	MiCreatePagingFile
		leave
		retn	10h
_NtCreatePagingFile@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiCreatePagingFile(void	*,int,int,int)
MiCreatePagingFile proc	near		; CODE XREF: NtCreatePagingFile(x,x,x,x)+29p
					; sub_8ECD89+19p

var_B0		= dword	ptr -0B0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092D888 SIZE 00000022 BYTES
; FUNCTION CHUNK AT 0092D8BD SIZE 00000020 BYTES
; FUNCTION CHUNK AT 0092D8F0 SIZE 00000016 BYTES
; FUNCTION CHUNK AT 0092D91C SIZE 0000001F BYTES
; FUNCTION CHUNK AT 0092D965 SIZE 00000280 BYTES

		push	0A0h
		push	offset dword_6A7300
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_28], ecx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_9C]
		rep stosd
		xor	ecx, ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_84], ecx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_48], ecx
		lea	edi, [ebp+var_B0]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_3C], ecx
		mov	ecx, [ebp+arg_C]
		mov	esi, [ebp+arg_8]
		cmp	ecx, offset _MiSystemPartition
		jnz	loc_92D888

loc_897881:				; CODE XREF: MiCreatePagingFile+96076j
		test	esi, offset loc_7FFFFF
		jnz	loc_897DBF
		test	esi, esi
		js	loc_897DB3

loc_897895:				; CODE XREF: MiCreatePagingFile+59Fj
		test	esi, 0FF7FFFFFh
		setnz	cl
		bt	esi, 17h
		setb	al
		test	cl, al
		jnz	loc_897DBF
		cmp	byte ptr [ebp+arg_4], 0
		jz	loc_92D8C7
		push	[ebp+arg_4]
		push	ds:dword_A94A0C
		push	ds:_SeCreatePagefilePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_92D8BD
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_92D8BD
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+var_28]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_92D895

loc_8978F4:				; CODE XREF: MiCreatePagingFile+9607Dj
		nop
		mov	al, [ecx]
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		test	cl, 3
		jnz	loc_897F83
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_92D89C

loc_897912:				; CODE XREF: MiCreatePagingFile+96084j
		nop
		mov	al, [edx]
		mov	edx, ebx
		test	bl, 3
		jnz	loc_897F83
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	loc_92D8A3

loc_89792D:				; CODE XREF: MiCreatePagingFile+9608Bj
		nop
		mov	al, [edx]
		mov	eax, [ebx]
		mov	[ebp+var_54], eax
		mov	edi, [ebx+4]
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_897945:				; CODE XREF: MiCreatePagingFile+960BEj
		mov	edx, eax
		mov	eax, edi
		cmp	eax, 0FFFh
		jb	short loc_897962
		ja	loc_92DBDB
		cmp	edx, 0FFFFE000h
		ja	loc_92DBDB

loc_897962:				; CODE XREF: MiCreatePagingFile+134j
		test	eax, eax
		jg	short loc_897978
		jl	loc_92DBDB
		cmp	edx, 100000h
		jb	loc_92DBDB

loc_897978:				; CODE XREF: MiCreatePagingFile+14Aj
		mov	ebx, [ebp+arg_4]
		test	bl, bl
		jz	loc_92D8F0
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ecx]
		mov	[ebp+var_40], eax
		mov	[ebp+var_64], eax
		mov	ecx, [ecx+4]
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_60], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8979A2:				; CODE XREF: MiCreatePagingFile+960E7j
		cmp	ecx, 0FFFh
		jb	short loc_8979BB
		ja	loc_92DBD1
		cmp	eax, 0FFFFE000h
		ja	loc_92DBD1

loc_8979BB:				; CODE XREF: MiCreatePagingFile+18Ej
		cmp	edi, ecx
		jl	short loc_8979CE
		jg	loc_92DBD1
		cmp	[ebp+var_54], eax
		ja	loc_92DBD1

loc_8979CE:				; CODE XREF: MiCreatePagingFile+1A3j
		test	bl, bl
		jz	loc_92D91C
		mov	[ebp+ms_exc.disabled], 2
		mov	ecx, [ebp+var_28]
		mov	eax, [ecx]
		mov	[ebp+var_24], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_20], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8979F2:				; CODE XREF: MiCreatePagingFile+96110j
		mov	ax, word ptr [ebp+var_24]
		mov	word ptr [ebp+var_24+2], ax
		test	ax, ax
		jz	loc_92DBC7
		mov	edx, 100h
		cmp	ax, dx
		ja	loc_92DBC7
		movzx	ecx, ax
		push	0
		push	edx
		mov	edx, 20206D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		mov	[ebp+arg_0], edi
		test	edi, edi
		jz	loc_92DBBD
		test	bl, bl
		jz	loc_92D965
		mov	[ebp+ms_exc.disabled], 3
		mov	cx, word ptr [ebp+var_24]
		test	cx, cx
		jz	short loc_897A67
		movzx	eax, cx
		mov	edx, [ebp+var_20]
		add	eax, edx
		mov	edi, ds:_MmUserProbeAddress
		cmp	eax, edi
		ja	loc_92D92F
		cmp	eax, edx
		jb	loc_92D92F

loc_897A64:				; CODE XREF: MiCreatePagingFile+9611Cj
		mov	edi, [ebp+arg_0]

loc_897A67:				; CODE XREF: MiCreatePagingFile+22Aj
		movzx	eax, cx
		push	eax		; size_t
		push	[ebp+var_20]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_897A7E:				; CODE XREF: MiCreatePagingFile+9615Cj
		mov	[ebp+var_20], edi
		test	esi, (offset loc_7FFFFF+1)
		jnz	loc_92D97B
		and	[ebp+arg_4], 0
		and	[ebp+var_1C], 0
		push	1
		lea	eax, [ebp+var_B0]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_897F53
		push	ds:_SeAliasAdminsSid
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	esi, eax
		push	_SeLocalSystemSid
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 20h
		add	esi, eax
		push	0
		push	100h
		mov	edx, 6C636144h
		mov	ecx, esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_3C], ebx
		test	ebx, ebx
		jz	loc_92D98D
		push	2		; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_897F53
		mov	eax, ds:_SeAliasAdminsSid
		push	0
		push	eax
		mov	esi, 1F01FFh
		push	esi
		push	0
		push	2
		pop	edx
		mov	ecx, ebx
		call	RtlpAddKnownAce
		mov	edi, eax
		test	edi, edi
		js	loc_897F53
		mov	eax, _SeLocalSystemSid
		push	0
		push	eax
		push	esi
		push	0
		push	2
		pop	edx
		mov	ecx, ebx
		call	RtlpAddKnownAce
		mov	edi, eax
		test	edi, edi
		js	loc_897F53
		push	0
		push	ebx
		push	1
		lea	eax, [ebp+var_B0]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	edi, eax
		test	edi, edi
		js	loc_897F53
		xor	edx, edx
		mov	esi, edx
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		js	short loc_897B72
		test	ebx, 2000000h
		jz	short loc_897B75
		push	2
		jmp	short loc_897B74
; 

loc_897B72:				; CODE XREF: MiCreatePagingFile+34Aj
		push	3

loc_897B74:				; CODE XREF: MiCreatePagingFile+356j
		pop	esi

loc_897B75:				; CODE XREF: MiCreatePagingFile+352j
		mov	[ebp+var_9C], 18h
		mov	[ebp+var_98], edx
		mov	[ebp+var_90], 240h
		lea	eax, [ebp+var_24]
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_8C], eax
		mov	[ebp+var_88], edx
		mov	ecx, [ebp+var_34]
		add	ecx, 0FFFh
		mov	eax, [ebp+var_30]
		adc	eax, edx
		and	ecx, 0FFFFF000h
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], eax
		push	edx		; void *
		push	edx		; int
		mov	edi, 112h
		push	edi		; int
		push	edx		; int
		push	edx		; int
		push	edx		; int
		push	edx		; void *
		push	9008h		; int
		push	edx		; int
		push	2		; int
		push	6		; int
		lea	eax, [ebp+var_34]
		push	eax		; int
		lea	eax, [ebp+var_50]
		push	eax		; int
		lea	eax, [ebp+var_9C]
		push	eax		; int
		mov	edx, 140003h
		lea	ecx, [ebp+var_1C]
		call	_IopCreateFile@64 ; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_897DD6
		mov	ecx, [ebp+arg_C]
		call	MiEnablePartitionMappedWrites
		mov	edi, eax
		test	edi, edi
		js	loc_897F53
		cmp	[ebp+var_50], 0
		jl	short loc_897C31
		lea	eax, [ebp+var_B0]
		push	eax
		push	4
		push	[ebp+var_1C]
		call	_ZwSetSecurityObject@12	; ZwSetSecurityObject(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_897F53

loc_897C31:				; CODE XREF: MiCreatePagingFile+3FAj
		push	0
		mov	eax, [ebp+var_3C]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebp+var_3C], eax
		mov	edi, [ebp+var_50]
		test	edi, edi
		js	loc_897F53
		push	14h
		push	8
		lea	eax, [ebp+var_6C]
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		push	[ebp+var_1C]
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_897F53
		mov	edi, [ebp+var_50]
		test	edi, edi
		js	loc_897F53
		mov	eax, ds:_IoFileObjectType
		xor	edx, edx
		mov	[ebp+var_58], edx
		push	edx
		lea	ecx, [ebp+var_58]
		push	ecx
		push	edx
		push	eax
		push	3
		push	[ebp+var_1C]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	esi, [ebp+var_58]
		mov	[ebp+var_5C], esi
		test	edi, edi
		js	loc_897F53
		push	esi
		call	IoGetRelatedDeviceObject
		mov	eax, [eax+2Ch]
		cmp	eax, 8
		jnz	loc_92D997

loc_897CB2:				; CODE XREF: MiCreatePagingFile+96180j
					; MiCreatePagingFile+96189j ...
		mov	ecx, esi
		call	MiCheckPageFileMapping
		mov	edi, eax
		test	edi, edi
		js	loc_897F47
		push	0
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_84]
		push	eax
		push	0
		push	8
		push	4
		pop	edx
		mov	ecx, esi
		call	IopQueryXxxInformation
		mov	edi, eax
		test	edi, edi
		js	loc_897F47
		test	byte ptr [ebp+var_80], 4
		jnz	loc_92D9BC
		mov	dl, 1
		mov	ecx, esi
		call	PiPagePathSetState
		mov	edi, eax
		test	edi, edi
		js	loc_897F47
		push	offset _FILE_TYPE_NOTIFICATION_GUID_PAGE_FILE
		mov	ecx, esi
		call	FsRtlIssueFileNotificationFsctl
		cmp	[ebp+arg_C], offset _MiSystemPartition
		jnz	short loc_897D2B
		mov	ecx, esi
		call	_MiZeroPageFileFirstPage@4 ; MiZeroPageFileFirstPage(x)
		mov	edi, eax
		test	edi, edi
		js	loc_92D9C6

loc_897D2B:				; CODE XREF: MiCreatePagingFile+4FEj
		push	1
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		mov	eax, [ebp+var_40]
		mov	ecx, [ebp+var_2C]
		shrd	eax, ecx, 0Ch
		push	eax
		mov	ecx, [ebp+var_34]
		mov	eax, [ebp+var_30]
		shrd	ecx, eax, 0Ch
		push	ecx
		push	[ebp+var_1C]
		mov	edx, esi
		mov	ebx, [ebp+arg_C]
		mov	ecx, ebx
		call	MiCreatePagefile
		mov	esi, eax
		test	esi, esi
		jz	loc_92DBBD
		mov	ecx, esi
		call	MiInsertPageFileInList
		mov	edi, eax
		test	edi, edi
		js	loc_92D9D4
		cmp	ebx, offset _MiSystemPartition
		jnz	short loc_897DAF
		test	byte ptr [esi+74h], 0Fh
		jnz	short loc_897D8D
		test	byte ptr ds:dword_718474, 3
		jnz	loc_92D9E3

loc_897D8D:				; CODE XREF: MiCreatePagingFile+564j
					; MiCreatePagingFile+96240j
		cmp	byte_6D3028, 0
		jnz	short loc_897DAF
		test	byte ptr [esi+74h], 10h
		jnz	short loc_897DAF
		push	dword ptr [esi+34h]
		push	dword ptr [esi+30h]
		mov	ecx, [ebp+var_1C]
		call	IoInitializeCrashDump
		mov	byte_6D3028, al

loc_897DAF:				; CODE XREF: MiCreatePagingFile+55Ej
					; MiCreatePagingFile+57Aj ...
		xor	eax, eax
		jmp	short loc_897DC4
; 

loc_897DB3:				; CODE XREF: MiCreatePagingFile+75j
		test	esi, 42000000h
		jz	loc_897895

loc_897DBF:				; CODE XREF: MiCreatePagingFile+6Dj
					; MiCreatePagingFile+8Dj ...
		mov	eax, 0C00000F2h

loc_897DC4:				; CODE XREF: MiCreatePagingFile+597j
					; MiCreatePagingFile+764j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_897DD6:				; CODE XREF: MiCreatePagingFile+3DEj
		push	0		; void *
		push	0		; int
		push	edi		; int
		push	0		; int
		push	0		; int
		push	0		; int
		push	0		; void *
		push	8008h		; int
		push	1		; int
		push	3		; int
		push	6		; int
		lea	eax, [ebp+var_34]
		push	eax		; int
		lea	eax, [ebp+var_50]
		push	eax		; int
		lea	eax, [ebp+var_9C]
		push	eax		; int
		mov	edx, 100002h
		lea	ecx, [ebp+var_1C]
		call	_IopCreateFile@64 ; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_92DA5F
		mov	eax, ds:_IoFileObjectType
		and	[ebp+var_44], 0
		push	0
		lea	ecx, [ebp+var_44]
		push	ecx
		push	0
		push	eax
		push	3
		push	[ebp+var_1C]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_44]
		mov	[ebp+var_5C], eax
		test	edi, edi
		js	loc_897F53
		xor	ebx, ebx
		mov	[ebp+var_2C], ebx
		mov	eax, large fs:124h
		mov	[ebp+var_40], eax
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, [ebp+arg_C]
		add	ecx, 278h
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+arg_C]
		mov	eax, [ecx+0F4Ch]
		mov	[ebp+var_48], eax
		and	[ebp+var_28], ebx
		test	eax, eax
		jz	short loc_897EC2
		lea	eax, [ecx+0F54h]
		mov	[ebp+arg_8], eax

loc_897E82:				; CODE XREF: MiCreatePagingFile+96261j
		mov	edx, [eax]
		movzx	ecx, word ptr [edx+74h]
		test	ecx, 840h
		jnz	loc_92DA6B
		mov	eax, [edx+1Ch]
		mov	eax, [eax+14h]
		mov	ebx, [ebp+var_44]
		cmp	eax, [ebx+14h]
		mov	ebx, [ebp+var_2C]
		jnz	loc_92DA68
		not	ecx
		shr	ecx, 4
		and	ecx, 1
		mov	eax, esi
		not	eax
		and	eax, 1
		cmp	cl, al
		jnz	loc_92DA86
		mov	ebx, edx

loc_897EC2:				; CODE XREF: MiCreatePagingFile+65Dj
					; MiCreatePagingFile+96267j
		test	ebx, ebx
		jz	loc_92DA90
		mov	edx, [ebp+var_64]
		mov	eax, [ebp+var_60]
		shrd	edx, eax, 0Ch
		mov	[ebp+var_38], edx
		mov	ecx, [ebp+var_34]
		mov	eax, [ebp+var_30]
		shrd	ecx, eax, 0Ch
		mov	[ebp+arg_8], ecx
		cmp	[ebx+8], ecx
		ja	loc_92DA9A
		mov	eax, [ebx+4]
		cmp	eax, edx
		ja	loc_92DAA4
		jb	loc_92DAAE

loc_897EFE:				; CODE XREF: MiCreatePagingFile+9633Aj
		cmp	ecx, [ebx+8]
		ja	loc_92DB6C

loc_897F07:				; CODE XREF: MiCreatePagingFile+96349j
					; MiCreatePagingFile+9636Fj ...
		cmp	esi, 2
		jb	short loc_897F15
		mov	eax, 80h
		or	[ebx+74h], ax

loc_897F15:				; CODE XREF: MiCreatePagingFile+6F0j
					; MiCreatePagingFile+96271j ...
		mov	ebx, [ebp+arg_4]

loc_897F18:				; CODE XREF: MiCreatePagingFile+962BBj
		or	eax, 0FFFFFFFFh
		mov	esi, [ebp+arg_C]
		add	esi, 278h
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_92DB99

loc_897F30:				; CODE XREF: MiCreatePagingFile+96381j
					; MiCreatePagingFile+9638Ej
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_40]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	ebx, ebx
		jnz	loc_92DBAD

loc_897F47:				; CODE XREF: MiCreatePagingFile+4A3j
					; MiCreatePagingFile+4C8j ...
		mov	ecx, [ebp+var_5C]
		test	ecx, ecx
		jz	short loc_897F53
		call	ObfDereferenceObject

loc_897F53:				; CODE XREF: MiCreatePagingFile+28Dj
					; MiCreatePagingFile+2DDj ...
		cmp	[ebp+var_1C], 0
		jz	short loc_897F63
		push	0
		push	[ebp+var_1C]
		call	ObCloseHandle

loc_897F63:				; CODE XREF: MiCreatePagingFile+73Dj
					; MiCreatePagingFile+96249j
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jz	short loc_897F72
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_897F72:				; CODE XREF: MiCreatePagingFile+74Ej
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_897F7C:				; CODE XREF: MiCreatePagingFile+961C4j
		mov	eax, edi
		jmp	loc_897DC4
; 

loc_897F83:				; CODE XREF: MiCreatePagingFile+E5j
					; MiCreatePagingFile+100j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
MiCreatePagingFile endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInsertPageFileInList proc near	; CODE XREF: MmStoreRegister+130p
					; MiCreatePagingFile+549p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092DBE5 SIZE 0000010D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	[ebp+var_14], edi
		mov	eax, [edi]
		or	byte ptr [edi+76h], 1
		mov	[ebp+var_20], eax
		mov	eax, [edi+4]
		mov	[ebp+var_1C], eax
		cmp	[edi+24h], ecx
		jbe	short loc_897FC4

loc_897FB2:				; CODE XREF: MiInsertPageFileInList+3Aj
		mov	eax, [edi+20h]
		mov	eax, [eax+ecx*4]
		inc	ecx
		mov	dword ptr [eax], 99887711h
		cmp	ecx, [edi+24h]
		jb	short loc_897FB2

loc_897FC4:				; CODE XREF: MiInsertPageFileInList+28j
		mov	ebx, [edi+90h]
		xor	eax, eax
		cmp	ebx, offset _MiSystemPartition
		setz	al
		dec	eax
		and	eax, 0FFFFFFF1h
		add	eax, 10h
		mov	[ebp+var_10], eax
		mov	eax, large fs:124h
		mov	[ebp+var_8], eax
		dec	word ptr [eax+13Eh]
		nop
		lea	esi, [ebx+278h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		cmp	dword_6D302C, 0
		jnz	loc_92DBE5
		cmp	dword ptr [ebx+5Ch], 0
		jz	loc_898120

loc_898016:				; CODE XREF: MiInsertPageFileInList+1D7j
		mov	ecx, [ebx+0F4Ch]
		mov	[ebp+var_24], ecx
		cmp	ecx, [ebp+var_10]
		jnb	loc_92DCAF
		mov	ax, [edi+74h]
		and	[ebp+var_10], 0
		xor	ax, cx
		and	ax, 0Fh
		xor	[edi+74h], ax
		movzx	ecx, word ptr [edi+74h]
		mov	eax, [ebx+0F4Ch]
		mov	[ebp+var_18], ecx
		test	eax, eax
		jz	short loc_898084
		mov	esi, [ebp+var_10]
		lea	edx, [ebx+0F54h]
		mov	edi, eax

loc_898057:				; CODE XREF: MiInsertPageFileInList+E6j
		mov	eax, [edx]
		mov	ecx, 800h
		test	[eax+74h], cx
		jnz	loc_92DC51

loc_898068:				; CODE XREF: MiInsertPageFileInList+95CCAj
		add	edx, 4
		sub	edi, 1
		jnz	short loc_898057
		mov	edi, [ebp+var_14]
		test	esi, esi
		mov	ecx, [ebp+var_18]
		lea	esi, [ebx+278h]
		jnz	loc_92DC57

loc_898084:				; CODE XREF: MiInsertPageFileInList+C2j
					; MiInsertPageFileInList+95CDEj
		movzx	eax, word ptr [edi+74h]
		test	al, 50h
		jnz	short loc_8980BF
		mov	edx, [ebp+var_20]
		mov	ecx, ebx
		push	edi
		push	0
		push	[ebp+var_1C]
		call	MiIncreaseCommitLimits
		test	eax, eax
		jz	loc_92DC8D
		test	byte ptr [edi+74h], 20h
		jnz	short loc_8980E2
		cmp	dword ptr [ebx+274h], 0
		jnz	short loc_8980E2
		mov	dword ptr [ebx+274h], 1
		jmp	short loc_8980E2
; 

loc_8980BF:				; CODE XREF: MiInsertPageFileInList+102j
		test	al, 10h
		jnz	loc_898164

loc_8980C7:				; CODE XREF: MiInsertPageFileInList+1E5j
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	MiUpdatePageFileList
		mov	eax, [ebp+var_24]
		mov	[ebx+eax*4+0F54h], edi
		inc	eax
		mov	[ebx+0F4Ch], eax

loc_8980E2:				; CODE XREF: MiInsertPageFileInList+120j
					; MiInsertPageFileInList+129j ...
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_92DCDE

loc_8980F1:				; CODE XREF: MiInsertPageFileInList+95D58j
					; MiInsertPageFileInList+95D65j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	MiUpdateReserveClusterInfo
		push	edx
		push	edx
		lea	eax, [ebx+210h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	eax, eax

loc_89811B:				; CODE XREF: MiInsertPageFileInList+95D51j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_898120:				; CODE XREF: MiInsertPageFileInList+88j
		mov	ecx, ebx
		call	MiMakePartitionActive
		test	eax, eax
		jz	loc_92DC0A
		mov	eax, [ebx+64h]
		push	ebx
		push	offset MiModifiedPageWriter
		push	0
		mov	eax, [eax+38h]
		push	eax
		push	0
		push	1FFFFFh
		lea	eax, [ebp+var_4]
		push	eax
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		js	loc_92DC2F
		mov	eax, [ebp+var_4]
		mov	[ebx+5Ch], eax
		jmp	loc_898016
; 

loc_898164:				; CODE XREF: MiInsertPageFileInList+139j
		mov	ecx, ebx
		call	_MiNumberWsSwapPagefiles@4 ; MiNumberWsSwapPagefiles(x)
		test	eax, eax
		jz	loc_8980C7
		jmp	loc_92DCAF
MiInsertPageFileInList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreatePagefile proc near		; CODE XREF: MmStoreRegister+11Fp
					; MiCreatePagingFile+538p

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0092DCF2 SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_10]
		lea	eax, [esp+0BCh+var_A0]
		push	edi
		mov	edi, 0A0h
		mov	[esp+0C0h+var_B4], edx
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		mov	[esp+0CCh+var_B0], ecx
		call	_memset
		mov	ebx, [ebp+arg_14]
		add	esp, 0Ch
		and	ebx, 2
		mov	edx, 20206D4Dh
		mov	ecx, edi
		mov	[esp+0C0h+var_A4], ebx
		push	0
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_92DCF2

loc_8981CD:				; CODE XREF: MiCreatePagefile+95B7Ej
		mov	ecx, [ebp+arg_4]
		mov	eax, [esp+0C0h+var_B4]
		mov	edx, [ebp+arg_C]
		mov	[edi+1Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+84h], eax
		mov	eax, [ebp+arg_8]
		mov	[edi+4], eax
		lea	eax, [ecx-2]
		mov	[edi+0Ch], eax
		mov	[edi+18h], eax
		mov	[edi], ecx
		mov	[edi+8], ecx
		lea	ecx, [edi+30h]
		mov	eax, ds:dword_7051C4
		mov	[edi+40h], eax
		mov	eax, ds:dword_7051C4
		shl	eax, 2
		mov	[edi+4Ch], eax
		mov	eax, [esp+0C0h+var_B0]
		mov	[edi+90h], eax
		xor	eax, eax
		mov	[edi+28h], eax
		mov	[edi+2Ch], eax
		mov	[edi+8Ch], eax
		test	edx, edx
		jz	loc_8983C3
		mov	eax, [edx]
		mov	[ecx], eax
		mov	eax, [edx+4]
		mov	[ecx+4], eax

loc_898237:				; CODE XREF: MiCreatePagefile+252j
		test	esi, esi
		js	loc_8983CF
		test	ebx, ebx
		jnz	loc_8983DD
		test	esi, 40000000h
		jnz	loc_92DCFB

loc_898253:				; CODE XREF: MiCreatePagefile+95B88j
		test	esi, 2000000h
		jnz	loc_92DD05

loc_89825F:				; CODE XREF: MiCreatePagefile+260j
					; MiCreatePagefile+26Aj
		test	esi, 1000000h
		jnz	loc_92DD0F

loc_89826B:				; CODE XREF: MiCreatePagefile+95BA0j
		test	byte ptr [ebp+arg_14], 1
		jz	short loc_89827A
		mov	eax, 200h
		or	[edi+74h], ax

loc_89827A:				; CODE XREF: MiCreatePagefile+F7j
		mov	eax, esi
		and	eax, 3C000000h
		jnz	loc_92DD1D

loc_898287:				; CODE XREF: MiCreatePagefile+95BABj
		lea	eax, [esp+0C0h+var_A0]
		cmp	edi, eax
		jz	loc_92DD28
		mov	eax, ds:dword_7051C4
		mov	[esp+0C0h+var_AC], eax
		test	esi, esi
		js	short loc_8982A8
		test	ebx, ebx
		jnz	loc_89833E

loc_8982A8:				; CODE XREF: MiCreatePagefile+126j
		sar	esi, 1Fh
		mov	edx, 20206D4Dh
		add	esi, 2
		push	0
		mov	ecx, esi
		shl	ecx, 2
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[edi+20h], eax
		test	eax, eax
		jz	loc_92DD28
		and	[esp+0C0h+var_B4], 0
		test	esi, esi
		jz	short loc_898324

loc_8982D5:				; CODE XREF: MiCreatePagefile+1AAj
		mov	edx, [esp+0C0h+var_AC]
		mov	ecx, [esp+0C0h+var_B0]
		push	0
		call	_MiAllocateModWriterEntry@12 ; MiAllocateModWriterEntry(x,x,x)
		mov	[esp+0C0h+var_A8], eax
		test	eax, eax
		jz	loc_92DD28
		push	0A0h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [esp+0CCh+var_A8]
		add	esp, 0Ch
		mov	eax, [esp+0C0h+var_B0]
		mov	edx, [esp+0C0h+var_B4]
		mov	[ecx+54h], edi
		mov	[ecx+78h], eax
		mov	eax, [edi+20h]
		mov	[eax+edx*4], ecx
		inc	dword ptr [edi+24h]
		inc	edx
		mov	[esp+0C0h+var_B4], edx
		cmp	edx, esi
		jb	short loc_8982D5

loc_898324:				; CODE XREF: MiCreatePagefile+15Bj
		test	ebx, ebx
		jnz	short loc_89833E
		mov	ecx, [edi+4]
		call	_MiReservePageHash@4 ; MiReservePageHash(x)
		test	eax, eax
		jz	loc_92DD28
		mov	[edi+80h], eax

loc_89833E:				; CODE XREF: MiCreatePagefile+12Aj
					; MiCreatePagefile+1AEj
		mov	ecx, [edi+4]
		call	_MiCreatePageFileSpaceBitmaps@4	; MiCreatePageFileSpaceBitmaps(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_92DD28
		lea	esi, [ebx+4]
		mov	[edi+38h], ebx
		push	esi
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		mov	ecx, [edi]
		sub	ecx, 2
		push	ecx
		push	2
		push	esi
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	esi, [esp+0C0h+var_A4]
		add	ebx, 0Ch
		push	ebx
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		test	esi, esi
		jnz	short loc_898389
		mov	eax, [edi]
		sub	eax, 2
		push	eax
		push	2
		push	ebx
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)

loc_898389:				; CODE XREF: MiCreatePagefile+201j
		mov	dword ptr [edi+3Ch], 2
		test	esi, esi
		jnz	short loc_8983B8
		push	esi
		push	40h
		mov	edx, 6342694Dh
		mov	ecx, 4000h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[edi+6Ch], eax
		test	eax, eax
		jz	loc_92DD28
		mov	ecx, edi
		call	MiInitializePagefileBitmapsCache

loc_8983B8:				; CODE XREF: MiCreatePagefile+21Aj
		mov	eax, edi

loc_8983BA:				; CODE XREF: MiCreatePagefile+95BC4j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_8983C3:				; CODE XREF: MiCreatePagefile+AFj
		push	eax
		push	ecx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_898237
; 

loc_8983CF:				; CODE XREF: MiCreatePagefile+C1j
		mov	eax, 0B0h

loc_8983D4:				; CODE XREF: MiCreatePagefile+95B92j
		or	[edi+74h], ax
		jmp	loc_89825F
; 

loc_8983DD:				; CODE XREF: MiCreatePagefile+C9j
		or	word ptr [edi+74h], 60h
		jmp	loc_89825F
MiCreatePagefile endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreatePageFileSpaceBitmaps(x)
_MiCreatePageFileSpaceBitmaps@4	proc near ; CODE XREF: MiCreatePagefile+1C9p
					; MiCreatePagingFile+962EBp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, ecx
		mov	edx, 62506D4Dh
		push	0
		pop	ebx
		test	al, 1Fh
		mov	[ebp+var_4], eax
		push	0
		setnz	bl
		shr	eax, 5
		add	ebx, eax
		shl	ebx, 2
		push	40h
		lea	ecx, ds:14h[ebx*2]
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_89843E
		mov	edx, [ebp+var_4]
		lea	eax, [ecx+14h]
		mov	dword ptr [ecx], 1
		mov	[ecx+8], eax
		add	eax, ebx
		mov	[ecx+4], edx
		mov	[ecx+10h], eax
		mov	eax, ecx
		mov	[ecx+0Ch], edx

loc_89843B:				; CODE XREF: MiCreatePageFileSpaceBitmaps(x)+58j
		pop	ebx
		leave
		retn
; 

loc_89843E:				; CODE XREF: MiCreatePageFileSpaceBitmaps(x)+35j
		xor	eax, eax
		jmp	short loc_89843B
_MiCreatePageFileSpaceBitmaps@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiZeroPageFileFirstPage(x)
_MiZeroPageFileFirstPage@4 proc	near	; CODE XREF: MiCreatePagingFile+502p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= word ptr -20h
var_1E		= word ptr -1Eh
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+48h+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+50h+var_10], 1000h
		lea	edi, [esp+50h+var_34]
		mov	esi, ecx
		stosd
		push	20h
		stosd
		stosd
		stosd
		xor	edi, edi
		pop	eax
		mov	[esp+50h+var_20], ax
		mov	eax, 4002h
		mov	[esp+50h+var_1E], ax
		mov	eax, dword_6D34F0
		push	edi
		mov	[esp+54h+var_8], eax
		lea	eax, [esp+54h+var_34]
		push	edi
		push	eax
		mov	[esp+5Ch+var_48], edi
		mov	[esp+5Ch+var_44], edi
		mov	[esp+5Ch+var_40], edi
		mov	[esp+5Ch+var_3C], edi
		mov	[esp+5Ch+var_1C], edi
		mov	[esp+5Ch+var_18], edi
		mov	[esp+5Ch+var_24], edi
		mov	[esp+5Ch+var_14], edi
		mov	[esp+5Ch+var_C], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+50h+var_48]
		mov	ecx, esi
		push	eax
		push	edi
		push	edi
		lea	eax, [esp+5Ch+var_34]
		push	eax
		lea	eax, [esp+60h+var_40]
		push	eax
		lea	edx, [esp+64h+var_24]
		call	_MiSynchronousPageWrite@28 ; MiSynchronousPageWrite(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8984F0
		push	edi
		push	edi
		push	edi
		push	12h
		lea	eax, [esp+60h+var_34]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+50h+var_48]

loc_8984F0:				; CODE XREF: MiZeroPageFileFirstPage(x)+99j
		test	byte ptr [esp+50h+var_1E], 1
		jz	short loc_898505
		lea	eax, [esp+50h+var_24]
		push	eax
		push	[esp+54h+var_18]
		call	MmUnmapLockedPages

loc_898505:				; CODE XREF: MiZeroPageFileFirstPage(x)+B3j
		mov	ecx, [esp+50h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_MiZeroPageFileFirstPage@4 endp


;  S U B	R O U T	I N E 


; __stdcall MmStoreCheckPagefiles()
_MmStoreCheckPagefiles@0 proc near	; CODE XREF: SmFirstTimeInit:loc_4D0089p
					; MmStoreRegister+1Ep
		mov	edx, dword_6D5D8C
		test	edx, edx
		jz	short loc_898543
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_89853F

loc_898528:				; CODE XREF: MmStoreCheckPagefiles()+25j
		mov	eax, dword_6D5D94[ecx*4]
		movzx	eax, word ptr [eax+74h]
		test	eax, 0C00h
		jnz	short loc_898543
		inc	ecx
		cmp	ecx, edx
		jb	short loc_898528

loc_89853F:				; CODE XREF: MmStoreCheckPagefiles()+Ej
		xor	eax, eax
		inc	eax
		retn
; 

loc_898543:				; CODE XREF: MmStoreCheckPagefiles()+8j
					; MmStoreCheckPagefiles()+20j
		xor	eax, eax
		retn
_MmStoreCheckPagefiles@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoInitializeCrashDump proc near		; CODE XREF: MiCreatePagingFile+58Bp
					; sub_AEA0DE+4p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092DD41 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	_ForceDumpDisabled, 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		jnz	short loc_8985B0
		mov	esi, large fs:124h
		dec	word ptr [esi+13Ch]
		nop
		push	1
		push	offset _IopCrashDumpLock
		call	ExAcquireResourceExclusiveLite
		push	[ebp+arg_4]
		mov	ecx, edi
		push	[ebp+arg_0]
		call	IopInitializeCrashDump
		mov	bl, al
		test	bl, bl
		jz	loc_92DD41
		call	_IopRemoveDumpCapsuleSupport@0 ; IopRemoveDumpCapsuleSupport()

loc_898594:				; CODE XREF: IoInitializeCrashDump+95802j
					; IoInitializeCrashDump+9580Dj
		mov	ecx, offset _IopCrashDumpLock
		call	ExReleaseResourceLite
		mov	ecx, esi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	al, bl

loc_8985A7:				; CODE XREF: IoInitializeCrashDump+6Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_8985B0:				; CODE XREF: IoInitializeCrashDump+15j
		xor	al, al
		jmp	short loc_8985A7
IoInitializeCrashDump endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInitializeCrashDump proc near	; CODE XREF: IoConfigureCrashDump+86839p
					; IoInitializeCrashDump+3Ap ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_13		= word ptr -13h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092DD58 SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		xor	ebx, ebx
		mov	esi, ecx
		mov	[ebp+var_4], ebx
		stosd
		stosd
		cmp	_ForceDumpDisabled, bl
		jnz	loc_898699
		lea	edx, [ebp+var_4]
		call	_IopReadDumpRegistry@8 ; IopReadDumpRegistry(x,x)
		mov	eax, _CrashdmpImageEntry
		test	eax, eax
		jz	short loc_8985F7
		cmp	_CrashdmpDumpBlock, ebx
		jnz	loc_92DD58

loc_8985F7:				; CODE XREF: IopInitializeCrashDump+35j
					; IopInitializeCrashDump+957B0j
		cmp	[ebp+var_4], ebx
		jz	loc_898690
		test	eax, eax
		jnz	short loc_898611
		call	IopLoadCrashdumpDriver
		test	eax, eax
		js	loc_898699

loc_898611:				; CODE XREF: IopInitializeCrashDump+4Ej
		lea	ecx, [ebp+var_10]
		call	SecureDump_GetSecureDumpSettings
		test	eax, eax
		js	short loc_898699
		cmp	byte ptr [ebp+var_10], bl
		jnz	loc_92DD69

loc_898626:				; CODE XREF: IopInitializeCrashDump+95801j
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	offset _CrashdmpDumpBlock
		push	esi
		call	dword_6D4AC4
		test	eax, eax
		js	loc_92DDBA
		mov	eax, _CrashdmpDumpBlock
		mov	_CrashdmpInitialized, 1
		mov	ecx, [eax+30Ch]
		test	ecx, ecx
		jnz	short loc_898660
		test	esi, esi
		jz	short loc_898690
		mov	ecx, esi
		test	ecx, ecx
		jz	short loc_898690

loc_898660:				; CODE XREF: IopInitializeCrashDump+A0j
		mov	eax, ds:_IoFileObjectType
		lea	edx, [ebp+arg_4]
		push	ebx
		push	edx
		push	ebx
		push	eax
		push	ebx
		push	ecx
		mov	[ebp+arg_4], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp+arg_4]
		test	eax, eax
		js	short loc_898690
		push	offset _FILE_TYPE_NOTIFICATION_GUID_CRASHDUMP_FILE
		mov	ecx, esi
		call	FsRtlIssueFileNotificationFsctl
		mov	ecx, esi
		call	ObfDereferenceObject

loc_898690:				; CODE XREF: IopInitializeCrashDump+46j
					; IopInitializeCrashDump+A4j ...
		mov	al, 1

loc_898692:				; CODE XREF: IopInitializeCrashDump+E7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_898699:				; CODE XREF: IopInitializeCrashDump+20j
					; IopInitializeCrashDump+57j ...
		xor	al, al
		jmp	short loc_898692
IopInitializeCrashDump endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MmGetNumberOfPhysicalPagesForPartitionObject(x)
_MmGetNumberOfPhysicalPagesForPartitionObject@4	proc near
					; CODE XREF: CcInitializePartition+192p
					; CcInitializePartition+1CFp ...
		mov	eax, [ecx]
		movzx	ecx, word ptr [eax]
		mov	eax, dword_6D3018
		mov	eax, [eax+ecx*4]
		mov	eax, [eax+0F48h]
		retn
_MmGetNumberOfPhysicalPagesForPartitionObject@4	endp


;  S U B	R O U T	I N E 


MmReserveViewInSystemCache proc	near	; CODE XREF: CcInitializePartitionVacbs+81p
					; CcBuildUpHighPriorityMappings(x,x)+3Ep

; FUNCTION CHUNK AT 0092DDC5 SIZE 0000000A BYTES

		mov	edi, edi
		push	ecx
		mov	ecx, [ecx]
		call	MiObtainSystemCacheView
		test	eax, eax
		jz	loc_92DDC5
		shl	eax, 9
		pop	ecx
		retn
MmReserveViewInSystemCache endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl sub_8986CA(const void *,const void *)
sub_8986CA	proc near		; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+5EFp
					; DATA XREF: ExpQueryLicenseValueFromBlob+Eo ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	byte ptr [eax],	2
		mov	ecx, [eax+4]
		jnz	short loc_89871D
		lea	edx, [ecx+10h]
		add	ecx, 2

loc_8986E0:				; CODE XREF: sub_8986CA+56j
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		movzx	edi, word ptr [ecx]
		cmp	byte ptr [eax],	2
		mov	ecx, [eax+4]
		jnz	short loc_898722
		lea	esi, [ecx+10h]
		add	ecx, 2

loc_8986F6:				; CODE XREF: sub_8986CA+5Bj
		movzx	eax, word ptr [ecx]
		push	0
		shr	eax, 1
		push	eax
		push	esi
		mov	eax, edi
		shr	eax, 1
		push	eax
		push	edx
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		mov	ecx, eax
		xor	eax, eax
		pop	edi
		pop	esi
		test	ecx, ecx
		jle	short loc_898717
		inc	eax
		pop	ebp
		retn
; 

loc_898717:				; CODE XREF: sub_8986CA+48j
		setns	al
		dec	eax
		pop	ebp
		retn
; 

loc_89871D:				; CODE XREF: sub_8986CA+Ej
		mov	edx, [ecx+4]
		jmp	short loc_8986E0
; 

loc_898722:				; CODE XREF: sub_8986CA+24j
		mov	esi, [ecx+4]
		jmp	short loc_8986F6
sub_8986CA	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmListInit(x)
_PiDmListInit@4	proc near		; CODE XREF: PiDmInit()+A8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		and	[ebp+var_8], 0
		mov	edx, offset PiDmListInitEnumCallback
		mov	[ebp+var_4], ecx
		imul	ecx, 14h
		push	esi
		push	eax
		mov	ecx, ds:dword_4042C8[ecx]
		call	_PiDmEnumObjectsWithCallback@12	; PiDmEnumObjectsWithCallback(x,x,x)
		cmp	[ebp+var_C], 0
		mov	esi, eax
		jz	short loc_898768
		push	5A706E50h
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_898768:				; CODE XREF: PiDmListInit(x)+31j
		mov	eax, esi
		pop	esi
		leave
		retn
_PiDmListInit@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDmObjectManagerPopulate proc near	; CODE XREF: PiDmInit()+5Bp
					; PiDmInit()+69p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092DDCF SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_C], 40000h
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_10], eax
		push	edi
		mov	[ebp+var_4], ebx
		mov	esi, eax
		mov	[ebp+var_8], eax

loc_89878F:				; CODE XREF: PiDmObjectManagerPopulate+64j
		test	esi, esi
		jnz	loc_92DDCF

loc_898797:				; CODE XREF: PiDmObjectManagerPopulate+9566Cj
		mov	eax, [ebp+var_C]
		push	5A706E50h
		add	eax, eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_92DDDF
		mov	edx, [ebx+70h]
		lea	eax, [ebp+var_C]
		push	10000h
		push	eax
		push	[ebp+var_C]
		push	esi
		push	ecx
		push	ecx
		call	_PnpGetObjectList
		mov	edi, eax
		cmp	edi, 0C0000023h
		jz	short loc_89878F

loc_8987D4:				; CODE XREF: PiDmObjectManagerPopulate+95676j
		test	edi, edi
		js	short loc_89884F
		cmp	[ebp+var_C], 0
		jbe	short loc_89884F
		xor	eax, eax
		mov	ebx, esi
		cmp	[esi], ax
		jz	short loc_89884C

loc_8987E7:				; CODE XREF: PiDmObjectManagerPopulate+DCj
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		mov	edx, ebx
		mov	ecx, [ecx+70h]
		call	PiDmObjectCreate
		mov	edi, eax
		test	edi, edi
		js	short loc_89884C
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		inc	ecx
		or	[eax+18h], ecx
		mov	eax, [ebp+var_8]
		mov	[eax+8], ecx
		xor	eax, eax
		push	eax		; int
		push	4		; size_t
		lea	eax, [ebp+var_8]
		push	eax		; void *
		mov	eax, [ebp+var_4]
		add	eax, 38h
		push	eax		; int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		test	eax, eax
		jz	loc_92DDE9
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_89882F:				; CODE XREF: PiDmObjectManagerPopulate+CBj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_10]
		jnz	short loc_89882F
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]
		add	ebx, 2
		cmp	[ebx], ax
		jnz	short loc_8987E7

loc_89884C:				; CODE XREF: PiDmObjectManagerPopulate+77j
					; PiDmObjectManagerPopulate+8Ej ...
		mov	ebx, [ebp+var_4]

loc_89884F:				; CODE XREF: PiDmObjectManagerPopulate+68j
					; PiDmObjectManagerPopulate+6Ej
		test	esi, esi
		jz	short loc_89885E
		push	5A706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89885E:				; CODE XREF: PiDmObjectManagerPopulate+E3j
		test	edi, edi
		js	short loc_898869

loc_898862:				; CODE XREF: PiDmObjectManagerPopulate+956A9j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_898869:				; CODE XREF: PiDmObjectManagerPopulate+F2j
		add	ebx, 38h
		jmp	loc_92DE09
PiDmObjectManagerPopulate endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDmObjectCreate proc near		; CODE XREF: PiDmObjectManagerPopulate+85p
					; PiDmAddCacheReferenceForObject+CD44Cp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092DE1C SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_20], edx
		push	esi
		mov	[eax], ebx
		lea	edx, [ebp+var_18]
		push	edi
		lea	eax, [ebp+var_14]
		mov	[ebp+var_28], ebx
		mov	esi, ecx
		mov	[ebp+var_24], ebx
		push	eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	byte ptr [ebp+var_5], bl
		call	_PiDmGetCacheKeys@12 ; PiDmGetCacheKeys(x,x,x)
		mov	eax, [ebp+var_14]
		mov	[ebp+var_10], eax
		imul	eax, 14h
		push	5A706E50h
		add	eax, 40h
		push	eax
		push	1
		mov	[ebp+var_1C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_92DE1C
		push	[ebp+var_1C]	; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+var_20]
		lea	eax, [edi+0Ch]
		add	esp, 0Ch
		mov	[edi], ebx
		mov	edx, 7FFFFFFFh
		mov	dword ptr [edi+4], 1
		mov	[edi+14h], esi
		push	eax
		push	5A706E50h
		call	PnpAllocatePWSTR
		mov	esi, eax
		test	esi, esi
		js	loc_898A43
		mov	eax, [ebp+var_C]
		mov	edx, [edi+0Ch]
		push	ebx
		cmp	eax, 3
		jnz	loc_898A10
		call	__CmSetDeviceInterfacePathFormat@12 ; _CmSetDeviceInterfacePathFormat(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_898A43
		mov	edx, [edi+0Ch]
		add	edx, 8

loc_89892B:				; CODE XREF: PiDmObjectCreate+1ADj
		push	ecx
		push	ecx
		lea	ecx, [ebp+var_28]
		call	RtlUnicodeStringInitWorker
		mov	esi, eax
		test	esi, esi
		js	loc_898A43
		lea	eax, [edi+10h]
		push	eax
		push	ebx
		push	1
		lea	eax, [ebp+var_28]
		push	eax
		call	RtlHashUnicodeString
		mov	ecx, [ebp+var_C]
		mov	esi, eax
		mov	eax, ecx
		sub	eax, 1
		jz	loc_898A31
		sub	eax, 1
		jz	loc_898A24
		dec	eax
		sub	eax, 1
		jz	loc_898A24
		sub	eax, 1
		jz	loc_898A36
		sub	eax, 1
		jz	loc_898A36

loc_898984:				; CODE XREF: PiDmObjectCreate+1BAj
		mov	edx, [ebp+var_10]
		test	edx, edx
		jz	short loc_8989A1
		lea	eax, [edi+40h]
		mov	ecx, edx

loc_898990:				; CODE XREF: PiDmObjectCreate+12Aj
		mov	dword ptr [eax], 1
		lea	eax, [eax+14h]
		sub	ecx, 1
		jnz	short loc_898990
		mov	ecx, [ebp+var_C]

loc_8989A1:				; CODE XREF: PiDmObjectCreate+117j
					; PiDmObjectCreate+13Dj
		cmp	ecx, ds:_PiDmAggregatedBooleanDefs[ebx]
		jz	short loc_8989C7

loc_8989A9:				; CODE XREF: PiDmObjectCreate+19Cj
		add	ebx, 1Ch
		cmp	ebx, 54h
		jb	short loc_8989A1

loc_8989B1:				; CODE XREF: PiDmObjectCreate+955B9j
		test	esi, esi
		js	loc_898A43
		mov	eax, [ebp+arg_0]
		mov	[eax], edi

loc_8989BE:				; CODE XREF: PiDmObjectCreate+1D8j
					; PiDmObjectCreate+955AFj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8989C7:				; CODE XREF: PiDmObjectCreate+135j
		push	ds:off_401B14[ebx] ; void *
		mov	esi, [ebp+var_18]
		mov	ecx, esi
		call	_PiDmGetCachedKeyIndex@12 ; PiDmGetCachedKeyIndex(x,x,x)
		cmp	eax, [ebp+var_10]
		jnb	loc_92DE26
		mov	ecx, eax
		lea	edx, [ebp+var_5]
		imul	eax, 14h
		add	ecx, ecx
		add	eax, 40h
		add	eax, edi
		push	eax		; int
		push	dword ptr [esi+ecx*8+8]	; int
		push	dword ptr [esi+ecx*8+4]	; int
		push	1		; size_t
		push	11h
		pop	ecx
		call	PiDmCacheDataEncode
		mov	esi, eax
		test	esi, esi
		js	short loc_898A43
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_10]
		jmp	short loc_8989A9
; 

loc_898A10:				; CODE XREF: PiDmObjectCreate+9Ej
		push	eax
		call	_PnpValidateObjectName
		mov	esi, eax
		test	esi, esi
		js	short loc_898A43
		mov	edx, [edi+0Ch]
		jmp	loc_89892B
; 

loc_898A24:				; CODE XREF: PiDmObjectCreate+F0j
					; PiDmObjectCreate+FAj
		lea	eax, [edi+1Ch]

loc_898A27:				; CODE XREF: PiDmObjectCreate+1C2j
					; PiDmObjectCreate+1CFj
		mov	[eax], eax
		mov	[eax+4], eax
		jmp	loc_898984
; 

loc_898A31:				; CODE XREF: PiDmObjectCreate+E7j
		lea	eax, [edi+34h]
		jmp	short loc_898A27
; 

loc_898A36:				; CODE XREF: PiDmObjectCreate+103j
					; PiDmObjectCreate+10Cj
		lea	eax, [edi+1Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+28h]
		jmp	short loc_898A27
; 

loc_898A43:				; CODE XREF: PiDmObjectCreate+8Ej
					; PiDmObjectCreate+ADj	...
		mov	ecx, edi
		call	PiDmObjectRelease
		jmp	loc_8989BE
PiDmObjectCreate endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PiDmObjectManagerInit(x, x)
_PiDmObjectManagerInit@8 proc near	; CODE XREF: PiDmInit()+Fp
					; PiDmInit()+1Cp ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, edx
		push	esi
		call	ExInitializeResourceLite
		push	0		; int
		push	offset _PiDmFreeGenericTableEntry@8 ; int
		push	offset _PiDmAllocateGenericTableEntry@8	; int
		push	offset _PiDmCompareObjects@12 ;	int
		lea	eax, [esi+38h]
		push	eax		; void *
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		mov	[esi+70h], edi
		pop	edi
		pop	esi
		pop	ecx
		retn
_PiDmObjectManagerInit@8 endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemInitialize()
_WdipSemInitialize@0 proc near		; CODE XREF: EtwpInitialize+218p
		mov	edi, edi
		push	esi
		call	_WdipSemInitializeGlobalState@0	; WdipSemInitializeGlobalState()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _WdipSemPushLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		call	_WdipSemCleanStart@0 ; WdipSemCleanStart()
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_WdipSemInitialize@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemCleanStart()
_WdipSemCleanStart@0 proc near		; CODE XREF: WdipSemInitialize()+24p
					; WdipSemUpdate():loc_9EBCF2p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		call	_WdipSemGetLoggerIds@0 ; WdipSemGetLoggerIds()
		mov	esi, eax
		test	esi, esi
		js	short loc_898B08
		call	_WdipSemEnableSemProvider@0 ; WdipSemEnableSemProvider()
		mov	esi, eax
		test	esi, esi
		js	short loc_898B08
		call	WdipSemLoadConfigInfo
		mov	esi, eax
		test	esi, esi
		js	short loc_898B08
		call	WdipSemLoadGroupPolicy
		mov	esi, eax
		test	esi, esi
		js	short loc_898B08
		call	WdipSemLoadScenarioTable
		mov	esi, eax
		test	esi, esi
		js	short loc_898B08
		call	_WdipSemStartTimeoutCheck@0 ; WdipSemStartTimeoutCheck()
		mov	esi, eax

loc_898B08:				; CODE XREF: WdipSemCleanStart()+13j
					; WdipSemCleanStart()+1Ej ...
		call	WdipSemCleanupGroupPolicy
		test	esi, esi
		js	short loc_898B1F
		mov	_WdipSemEnabled, 1

loc_898B18:				; CODE XREF: WdipSemCleanStart()+64j
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_898B1F:				; CODE XREF: WdipSemCleanStart()+4Fj
		call	_WdipSemShutdown@0 ; WdipSemShutdown()
		jmp	short loc_898B18
_WdipSemCleanStart@0 endp


;  S U B	R O U T	I N E 


WdipSemCleanupGroupPolicy proc near	; CODE XREF: WdipSemCleanStart():loc_898B08p
					; WdipSemLoadGroupPolicy+95265p

; FUNCTION CHUNK AT 0092DE30 SIZE 00000010 BYTES

		mov	eax, _WdipSemDisabledScenarioTable
		test	eax, eax
		jnz	loc_92DE30
		retn
WdipSemCleanupGroupPolicy endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemStartTimeoutCheck()
_WdipSemStartTimeoutCheck@0 proc near	; CODE XREF: WdipSemCleanStart()+41p
		cmp	_WdipTimeoutWorkEnabled, 0
		jnz	short loc_898B9F
		push	esi
		mov	_WdipTimeoutWorkEnabled, 1
		call	_WdipSemSqmInit@0 ; WdipSemSqmInit()
		push	8
		xor	esi, esi
		push	esi
		push	offset _WdipTimeoutTimerRoutine@8 ; WdipTimeoutTimerRoutine(x,x)
		call	ExAllocateTimer
		mov	_WdipTimeoutTimer, eax
		test	eax, eax
		jz	short loc_898B9E
		or	dword_6BC6E8, 0FFFFFFFFh
		or	dword_6BC6EC, 0FFFFFFFFh
		push	1
		push	offset _WdipTimeoutWorkItem
		mov	_WdipTimeoutTimerParameters, esi
		mov	dword_6BC6E4, esi
		mov	dword_6BC6C8, offset WdipTimeoutCheckRoutine
		mov	dword_6BC6CC, esi
		mov	_WdipTimeoutWorkItem, esi
		call	ExQueueWorkItem

loc_898B9E:				; CODE XREF: WdipSemStartTimeoutCheck()+2Cj
		pop	esi

loc_898B9F:				; CODE XREF: WdipSemStartTimeoutCheck()+7j
		xor	eax, eax
		retn
_WdipSemStartTimeoutCheck@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemSqmInit()
_WdipSemSqmInit@0 proc near		; CODE XREF: WdipSemStartTimeoutCheck()+11p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_28], 1
		push	esi
		xor	esi, esi
		mov	[ebp+var_24], eax
		mov	eax, _SeLocalSystemSid
		push	eax
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], 4
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], esi
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], esi
		lea	eax, [ebp+var_24]
		xor	edx, edx
		push	eax
		push	2
		push	ecx
		push	ecx
		mov	ecx, offset _WDI_SEM_EVENT_SQM_INIT
		call	_WdipSemWriteEvent@24 ;	WdipSemWriteEvent(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_WdipSemSqmInit@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemLoadGroupPolicy proc near	; CODE XREF: WdipSemCleanStart()+2Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092DE40 SIZE 0000005A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		and	[ebp+var_8], 0
		xor	edx, edx
		push	esi
		push	4
		pop	esi
		push	eax
		mov	ecx, offset ??_C@_1HE@LEFGKEGL@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@
		mov	[ebp+var_C], esi
		call	_WdipSemOpenRegistryKey@12 ; WdipSemOpenRegistryKey(x,x,x)
		test	eax, eax
		jns	loc_92DE40

loc_898C39:				; CODE XREF: WdipSemLoadGroupPolicy+9526Aj
		xor	esi, esi

loc_898C3B:				; CODE XREF: WdipSemLoadGroupPolicy+9525Fj
					; WdipSemLoadGroupPolicy+95273j ...
		cmp	[ebp+var_4], 0
		jnz	loc_92DE8D

loc_898C45:				; CODE XREF: WdipSemLoadGroupPolicy+9528Bj
		mov	eax, esi
		pop	esi
		leave
		retn
WdipSemLoadGroupPolicy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemLoadConfigInfo proc near		; CODE XREF: WdipSemCleanStart()+20p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092DE9A SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	ebx, ebx
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		xor	edx, edx
		mov	[ebp+var_4], ebx
		mov	ecx, offset ??_C@_1HM@CHDHGGFH@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@ ; "\\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROL"...
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_10], ebx
		call	_WdipSemOpenRegistryKey@12 ; WdipSemOpenRegistryKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_898CDA
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		mov	edx, (offset loc_8BFEDD+1)
		push	eax
		push	4
		pop	esi
		push	esi
		push	esi
		call	WdipSemQueryValueFromRegistry
		test	eax, eax
		js	short loc_898C9B
		cmp	[ebp+var_8], ebx
		jz	short loc_898CED

loc_898C9B:				; CODE XREF: WdipSemLoadConfigInfo+4Aj
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_10]
		mov	edx, (offset loc_8BFE91+1)
		push	eax
		push	esi
		push	esi
		call	WdipSemQueryValueFromRegistry
		mov	esi, eax
		test	esi, esi
		js	short loc_898CF4
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	loc_92DE9A
		imul	eax, 3Ch

loc_898CC6:				; CODE XREF: WdipSemLoadConfigInfo+B1j
		mov	_WdipSemTimeoutEnabled,	1

loc_898CCD:				; CODE XREF: WdipSemLoadConfigInfo+9525Bj
		mov	ecx, [ebp+var_4]
		mov	_WdipSemTimeoutValue, eax
		call	_WdipSemDeleteValueFromRegistry@8 ; WdipSemDeleteValueFromRegistry(x,x)

loc_898CDA:				; CODE XREF: WdipSemLoadConfigInfo+2Cj
					; WdipSemLoadConfigInfo+A8j
		cmp	[ebp+var_4], ebx
		jz	short loc_898CE7
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_898CE7:				; CODE XREF: WdipSemLoadConfigInfo+93j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_898CED:				; CODE XREF: WdipSemLoadConfigInfo+4Fj
		mov	esi, 0C0000001h
		jmp	short loc_898CDA
; 

loc_898CF4:				; CODE XREF: WdipSemLoadConfigInfo+6Cj
		mov	esi, ebx
		mov	eax, 258h
		jmp	short loc_898CC6
WdipSemLoadConfigInfo endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemEnableSemProvider()
_WdipSemEnableSemProvider@0 proc near	; CODE XREF: WdipSemCleanStart()+15p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, _WdipDiagLoggerId
		mov	eax, offset _WdipDiagLoggerId
		push	esi
		xor	esi, esi
		push	edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		xchg	ecx, [eax]
		push	1
		push	esi
		push	2
		push	esi
		mov	edi, offset _WDI_SEM_PROVIDER
		push	esi
		mov	edx, edi
		call	_WdipSemEnableDisableTrace@28 ;	WdipSemEnableDisableTrace(x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_898D96
		mov	ecx, _WdipContextLoggerId
		mov	eax, offset _WdipContextLoggerId
		xchg	ecx, [eax]
		push	1
		push	esi
		push	1
		push	esi
		push	esi
		mov	edx, edi
		call	_WdipSemEnableDisableTrace@28 ;	WdipSemEnableDisableTrace(x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_898D96
		mov	eax, _WdipSemRegHandle
		or	eax, dword_6BCB74
		jnz	short loc_898D96
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edx, edi	; void *
		mov	ecx, [eax+1F0h]	; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	dword ptr [ebp+4] ; int
		push	esi		; int
		push	esi		; int
		push	3		; int
		call	EtwpRegisterProvider
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_898D96
		mov	eax, [ebp+var_8]
		mov	_WdipSemRegHandle, eax
		mov	eax, [ebp+var_4]
		mov	dword_6BCB74, eax

loc_898D96:				; CODE XREF: WdipSemEnableSemProvider()+35j
					; WdipSemEnableSemProvider()+56j ...
		pop	edi
		mov	eax, ecx
		pop	esi
		leave
		retn
_WdipSemEnableSemProvider@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemLoadNextEndEvent	proc near	; CODE XREF: WdipSemLoadNextScenario+3F9p

var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_120		= dword	ptr -120h
var_A0		= dword	ptr -0A0h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092DEAA SIZE 0000004C BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 1C8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ecx
		xor	ecx, ecx
		mov	[ebp+var_1B0], eax
		mov	[ebp+var_1A4], ecx
		mov	[ebp+var_1C0], ecx
		mov	[ebp+var_1BC], ecx
		mov	[ebp+var_1A8], ecx
		mov	[ebp+var_1AC], ecx
		mov	[ebp+var_1B4], ecx
		mov	[ebp+var_1B8], ecx
		mov	[ebp+var_1C8], ecx
		mov	[ebp+var_1C4], ecx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, [ebx+8]
		test	eax, eax
		jz	loc_92DEAA
		test	edi, edi
		jz	loc_92DEAA
		push	98h		; size_t
		push	ecx		; int
		lea	eax, [ebp+var_A0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_1A8]
		push	eax
		push	96h
		lea	eax, [ebp+var_A0]
		push	eax
		push	0
		push	esi
		push	[ebp+var_1B0]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	loc_89905B
		test	esi, esi
		js	loc_89905B
		mov	eax, [ebp+var_94]
		mov	esi, 80h
		cmp	eax, esi
		jnb	loc_92DEB4
		shr	eax, 1
		xor	ecx, ecx
		push	esi		; size_t
		push	ecx		; int
		mov	word ptr [ebp+eax*2+var_90], cx
		lea	eax, [ebp+var_120]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_1A0]
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	ecx, ecx
		push	40h
		pop	esi

loc_898EAD:				; CODE XREF: WdipSemLoadNextEndEvent+12Cj
		lea	eax, [ecx+ecx]
		movzx	edx, word ptr [ebp+eax+var_90]
		cmp	edx, 3Bh
		jz	short loc_898ECC
		inc	ecx
		mov	word ptr [ebp+eax+var_120], dx
		cmp	ecx, esi
		jb	short loc_898EAD
		jmp	short loc_898EE1
; 

loc_898ECC:				; CODE XREF: WdipSemLoadNextEndEvent+11Fj
		cmp	eax, 80h
		jnb	loc_899091
		xor	edx, edx
		mov	word ptr [ebp+eax+var_120], dx

loc_898EE1:				; CODE XREF: WdipSemLoadNextEndEvent+12Ej
		cmp	ecx, esi
		jnb	loc_92DEBE
		inc	ecx
		cmp	ecx, esi
		jnb	loc_92DEBE
		lea	edx, [ebp+var_1A0]

loc_898EF8:				; CODE XREF: WdipSemLoadNextEndEvent+172j
		movzx	eax, word ptr [ebp+ecx*2+var_90]
		mov	[edx], ax
		test	ax, ax
		jz	short loc_898F10
		inc	ecx
		add	edx, 2
		cmp	ecx, esi
		jb	short loc_898EF8

loc_898F10:				; CODE XREF: WdipSemLoadNextEndEvent+16Aj
		cmp	ecx, esi
		jnb	loc_92DEBE
		lea	eax, [ebp+var_120]
		push	eax
		lea	eax, [ebp+var_1C0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_1C0]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_89905B
		lea	eax, [ebp+var_1A0]
		push	eax
		lea	eax, [ebp+var_1C0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_1AC]
		push	eax
		push	0Ah
		lea	eax, [ebp+var_1C0]
		push	eax
		call	RtlUnicodeStringToInteger
		mov	esi, eax
		test	esi, esi
		js	loc_89905B
		mov	ax, word ptr [ebp+var_1AC]
		lea	ecx, [ebp+var_90]
		mov	edx, [ebp+var_1B0]
		mov	[edi+10h], ax
		lea	eax, [ebp+var_1A4]
		push	eax
		call	_WdipSemOpenRegistryKey@12 ; WdipSemOpenRegistryKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_89905B
		mov	ecx, [ebp+var_1A4]
		lea	eax, [ebp+var_1A8]
		push	eax
		lea	eax, [ebp+var_1B4]
		mov	edx, (offset loc_8BFEC1+1)
		push	eax
		push	4
		push	4
		call	WdipSemQueryValueFromRegistry
		mov	esi, eax
		test	esi, esi
		js	loc_92DEC8
		mov	eax, [ebp+var_1B4]
		test	eax, eax
		jz	loc_92DED4
		mov	[edi+12h], al

loc_898FDE:				; CODE XREF: WdipSemLoadNextEndEvent+9513Cj
		mov	ecx, [ebp+var_1A4]
		lea	eax, [ebp+var_1A8]
		push	eax
		lea	eax, [ebp+var_1C8]
		mov	edx, offset ??_C@_1BA@DJIMNDKE@?$AAK?$AAe?$AAy?$AAw?$AAo?$AAr?$AAd@NNGAKEGL@
		push	eax
		push	8
		push	0Bh
		call	WdipSemQueryValueFromRegistry
		mov	esi, eax
		test	esi, esi
		js	loc_92DEDD
		mov	ecx, [ebp+var_1C8]
		mov	eax, ecx
		mov	edx, [ebp+var_1C4]
		or	eax, edx
		jz	loc_92DEE9
		mov	[edi+18h], ecx
		mov	[edi+1Ch], edx

loc_899026:				; CODE XREF: WdipSemLoadNextEndEvent+95155j
		mov	ecx, [ebp+var_1A4]
		lea	eax, [ebp+var_1A8]
		push	eax
		lea	eax, [ebp+var_1B8]
		mov	edx, offset ??_C@_1BO@BKEADOJP@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAy@NNGAKEGL@
		push	eax
		push	4
		push	4
		call	WdipSemQueryValueFromRegistry
		mov	esi, eax
		test	esi, esi
		jns	short loc_899086
		cmp	esi, 0C0000034h
		jnz	short loc_89905B
		xor	esi, esi
		and	[edi+24h], esi

loc_89905B:				; CODE XREF: WdipSemLoadNextEndEvent+BCj
					; WdipSemLoadNextEndEvent+C4j ...
		cmp	[ebp+var_1A4], 0
		jz	short loc_89906F
		push	[ebp+var_1A4]
		call	_ZwClose@4	; ZwClose(x)

loc_89906F:				; CODE XREF: WdipSemLoadNextEndEvent+2C6j
					; WdipSemLoadNextEndEvent+95113j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_899086:				; CODE XREF: WdipSemLoadNextEndEvent+2B0j
		mov	eax, [ebp+var_1B8]
		mov	[edi+24h], eax
		jmp	short loc_89905B
; 

loc_899091:				; CODE XREF: WdipSemLoadNextEndEvent+135j
		call	___report_rangecheckfailure
WdipSemLoadNextEndEvent	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemLoadNextContextProvider proc near ; CODE	XREF: WdipSemLoadNextScenario+49Fp

var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092DEF6 SIZE 00000052 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 0D0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_C4], edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_D0], eax
		mov	[ebp+var_C8], esi
		mov	[ebp+var_CC], eax
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A4], eax
		mov	[ebp+var_B0], eax
		mov	[ebp+var_B4], eax
		mov	[ebp+var_C0], eax
		mov	[ebp+var_BC], eax
		mov	[ebp+var_AC], eax
		push	edi
		mov	edi, [ebx+8]
		test	esi, esi
		jz	loc_92DEF6
		test	edi, edi
		jz	loc_92DEF6
		push	98h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_A0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_A8]
		push	eax
		push	96h
		lea	eax, [ebp+var_A0]
		push	eax
		push	0
		push	[ebp+var_C4]
		push	esi
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	loc_8992D7
		test	esi, esi
		js	loc_8992D7
		mov	eax, [ebp+var_94]
		cmp	eax, 80h
		jnb	loc_92DF00
		shr	eax, 1
		xor	ecx, ecx
		mov	word ptr [ebp+eax*2+var_90], cx
		lea	eax, [ebp+var_90]
		push	eax
		lea	eax, [ebp+var_D0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_D0]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8992D7
		push	10h		; size_t
		push	offset _WDI_SEM_PROVIDER ; void	*
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_92DF0A
		mov	edx, [ebp+var_C8]
		lea	eax, [ebp+var_A4]
		push	eax
		lea	ecx, [ebp+var_90]
		call	_WdipSemOpenRegistryKey@12 ; WdipSemOpenRegistryKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8992D7
		mov	ecx, [ebp+var_A4]
		lea	eax, [ebp+var_A8]
		push	eax
		lea	eax, [ebp+var_B0]
		mov	edx, (offset loc_8BFEC1+1)
		push	eax
		push	4
		push	4
		call	WdipSemQueryValueFromRegistry
		mov	esi, eax
		test	esi, esi
		js	loc_92DF14
		mov	eax, [ebp+var_B0]
		test	eax, eax
		jz	loc_92DF20
		mov	[edi+12h], al

loc_899222:				; CODE XREF: WdipSemLoadNextContextProvider+94E8Ej
		mov	ecx, [ebp+var_A4]
		lea	eax, [ebp+var_A8]
		push	eax
		lea	eax, [ebp+var_C0]
		mov	edx, offset ??_C@_1BA@DJIMNDKE@?$AAK?$AAe?$AAy?$AAw?$AAo?$AAr?$AAd@NNGAKEGL@
		push	eax
		push	8
		push	0Bh
		call	WdipSemQueryValueFromRegistry
		mov	esi, eax
		test	esi, esi
		js	loc_92DF29
		mov	ecx, [ebp+var_C0]
		mov	eax, ecx
		mov	edx, [ebp+var_BC]
		or	eax, edx
		jz	loc_899302
		mov	[edi+18h], ecx
		mov	[edi+1Ch], edx

loc_89926A:				; CODE XREF: WdipSemLoadNextContextProvider+274j
		mov	ecx, [ebp+var_A4]
		lea	eax, [ebp+var_A8]
		push	eax
		lea	eax, [ebp+var_AC]
		mov	edx, offset ??_C@_1BK@BMNPCGJG@?$AAC?$AAa?$AAp?$AAt?$AAu?$AAr?$AAe?$AAS?$AAt?$AAa?$AAt?$AAe@NNGAKEGL@ ;	"CaptureState"
		push	eax
		push	4
		push	4
		call	WdipSemQueryValueFromRegistry
		mov	esi, eax
		test	esi, esi
		jns	loc_92DF3A
		cmp	esi, 0C0000034h
		jnz	short loc_89930F

loc_89929E:				; CODE XREF: WdipSemLoadNextContextProvider+282j
		and	dword ptr [edi+20h], 0

loc_8992A2:				; CODE XREF: WdipSemLoadNextContextProvider+94EADj
		mov	ecx, [ebp+var_A4]
		lea	eax, [ebp+var_A8]
		push	eax
		lea	eax, [ebp+var_B4]
		mov	edx, offset ??_C@_1BO@BKEADOJP@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAy@NNGAKEGL@
		push	eax
		push	4
		push	4
		call	WdipSemQueryValueFromRegistry
		mov	esi, eax
		test	esi, esi
		jns	short loc_89931A
		cmp	esi, 0C0000034h
		jnz	short loc_8992D7
		xor	esi, esi
		and	[edi+24h], esi

loc_8992D7:				; CODE XREF: WdipSemLoadNextContextProvider+C0j
					; WdipSemLoadNextContextProvider+C8j ...
		cmp	[ebp+var_A4], 0
		jz	short loc_8992EB
		push	[ebp+var_A4]
		call	_ZwClose@4	; ZwClose(x)

loc_8992EB:				; CODE XREF: WdipSemLoadNextContextProvider+248j
					; WdipSemLoadNextContextProvider+94E65j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_899302:				; CODE XREF: WdipSemLoadNextContextProvider+1C8j
					; WdipSemLoadNextContextProvider+94E9Fj
		or	dword ptr [edi+18h], 0FFFFFFFFh
		or	dword ptr [edi+1Ch], 0FFFFFFFFh
		jmp	loc_89926A
; 

loc_89930F:				; CODE XREF: WdipSemLoadNextContextProvider+206j
		cmp	[ebp+var_AC], 3
		jb	short loc_8992D7
		jmp	short loc_89929E
; 

loc_89931A:				; CODE XREF: WdipSemLoadNextContextProvider+232j
		mov	eax, [ebp+var_B4]
		mov	[edi+24h], eax
		jmp	short loc_8992D7
WdipSemLoadNextContextProvider endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemLoadScenarioTable proc near	; CODE XREF: WdipSemCleanStart()+36p

var_210		= dword	ptr -210h
var_F8		= word ptr -0F8h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B1		= byte ptr -0B1h
var_B0		= dword	ptr -0B0h
var_A0		= dword	ptr -0A0h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092DF48 SIZE 00000174 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 210h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_B0]
		stosd
		xor	ecx, ecx
		push	11Ch		; size_t
		push	ecx		; int
		mov	[ebp+var_CC], ecx
		mov	esi, ecx
		stosd
		mov	[ebp+var_C0], ecx
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_C8], ecx
		stosd
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_D4], ecx
		mov	[ebp+var_D8], ecx
		stosd
		lea	eax, [ebp+var_210]
		push	eax		; void *
		mov	[ebp+var_EC], ecx
		mov	[ebp+var_E8], ecx
		call	_memset
		and	[ebp+var_DC], esi
		lea	eax, [ebp+var_CC]
		and	[ebp+var_E0], esi
		add	esp, 0Ch
		xor	edx, edx
		mov	ecx, offset ??_C@_1IC@EKLNPIEE@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@
		push	eax
		call	_WdipSemOpenRegistryKey@12 ; WdipSemOpenRegistryKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_89970C
		xor	edi, edi
		jmp	short loc_8993DD
; 

loc_8993D7:				; CODE XREF: WdipSemLoadScenarioTable+27Ej
					; WdipSemLoadScenarioTable+94C53j ...
		mov	edi, [ebp+var_C4]

loc_8993DD:				; CODE XREF: WdipSemLoadScenarioTable+AFj
					; WdipSemLoadScenarioTable+145j ...
		cmp	[ebp+var_C0], 0
		jz	short loc_8993F8
		push	[ebp+var_C0]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_C0], 0

loc_8993F8:				; CODE XREF: WdipSemLoadScenarioTable+BEj
		cmp	[ebp+var_BC], 0
		jnz	loc_899627

loc_899405:				; CODE XREF: WdipSemLoadScenarioTable+313j
		cmp	[ebp+var_C8], 0
		jz	short loc_899420
		push	[ebp+var_C8]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_C8], 0

loc_899420:				; CODE XREF: WdipSemLoadScenarioTable+E6j
		push	98h		; size_t
		lea	eax, [ebp+var_A0]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_D0]
		push	eax
		push	96h
		lea	eax, [ebp+var_A0]
		push	eax
		push	0
		push	edi
		push	[ebp+var_CC]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		inc	edi
		mov	[ebp+var_C4], edi
		cmp	eax, 8000001Ah
		jz	loc_899705
		test	eax, eax
		js	loc_8993DD
		mov	eax, [ebp+var_94]
		cmp	eax, 80h
		jnb	loc_92E074
		shr	eax, 1
		xor	ecx, ecx
		mov	word ptr [ebp+eax*2+var_90], cx
		lea	eax, [ebp+var_90]
		push	eax
		lea	eax, [ebp+var_EC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_B0]
		push	eax
		lea	eax, [ebp+var_EC]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	loc_8993DD
		mov	edi, _WdipSemDisabledScenarioTable
		test	edi, edi
		jnz	loc_92DF48

loc_8994CA:				; CODE XREF: WdipSemLoadScenarioTable+94C37j
					; WdipSemLoadScenarioTable+94C71j
		mov	edx, [ebp+var_CC]
		lea	eax, [ebp+var_C0]
		push	eax
		lea	ecx, [ebp+var_90]
		call	_WdipSemOpenRegistryKey@12 ; WdipSemOpenRegistryKey(x,x,x)
		mov	edi, [ebp+var_C4]
		test	eax, eax
		js	loc_8993DD
		mov	edx, [ebp+var_C0]
		lea	eax, [ebp+var_BC]
		push	eax
		mov	ecx, offset ??_C@_1O@BJPKKLLM@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@ ; "Config"
		mov	[ebp+var_B8], 1
		mov	[ebp+var_B1], 1
		call	_WdipSemOpenRegistryKey@12 ; WdipSemOpenRegistryKey(x,x,x)
		test	eax, eax
		jns	loc_89963E

loc_899520:				; CODE XREF: WdipSemLoadScenarioTable+94CB2j
					; WdipSemLoadScenarioTable+94CCAj
		mov	edx, [ebp+var_C0]
		lea	eax, [ebp+var_C8]
		push	eax
		mov	ecx, offset ??_C@_1CA@EPMAPCPA@?$AAI?$AAn?$AAs?$AAt?$AAr?$AAu?$AAm?$AAe?$AAn?$AAt?$AAa?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@ ; "Instrumentation"
		call	_WdipSemOpenRegistryKey@12 ; WdipSemOpenRegistryKey(x,x,x)
		mov	edi, [ebp+var_C4]
		test	eax, eax
		js	loc_8993DD
		xor	edi, edi
		mov	[ebp+var_B8], edi

loc_89954D:				; CODE XREF: WdipSemLoadScenarioTable+2C5j
					; WdipSemLoadScenarioTable+2D3j
		test	esi, esi
		jz	short loc_899558
		mov	ecx, esi
		call	_WdipSemFreeScenario@4 ; WdipSemFreeScenario(x)

loc_899558:				; CODE XREF: WdipSemLoadScenarioTable+229j
		mov	ecx, offset unk_6BDBE0
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8995FE

loc_89956C:				; CODE XREF: WdipSemLoadScenarioTable+2E6j
		push	270h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	al, [ebp+var_B1]
		add	esp, 0Ch
		mov	[esi+268h], al
		mov	edx, edi
		mov	ecx, [ebp+var_C8]
		push	esi
		call	WdipSemLoadNextScenario
		inc	[ebp+var_B8]
		mov	edi, eax
		cmp	edi, 8000001Ah
		jz	loc_8993D7
		test	edi, edi
		js	loc_92DFF5
		cmp	dword_6BCB60, 40h
		jnb	loc_92E030
		mov	edi, dword_6BDB80
		mov	ecx, esi
		call	WdipSemUpdateProviderTableWithScenario
		test	eax, eax
		js	loc_92E024
		cmp	dword ptr [esi+34h], 0
		ja	short loc_899617

loc_8995DA:				; CODE XREF: WdipSemLoadScenarioTable+2FAj
		mov	ecx, esi
		call	_WdipSemUpdateProviderEntriesForScenario@4 ; WdipSemUpdateProviderEntriesForScenario(x)
		cmp	dword ptr [esi+34h], 0
		mov	edi, [ebp+var_B8]
		jbe	loc_89954D
		xor	esi, esi

loc_8995F3:				; CODE XREF: WdipSemLoadScenarioTable+94CE7j
					; WdipSemLoadScenarioTable+94CF9j ...
		mov	edi, [ebp+var_B8]
		jmp	loc_89954D
; 

loc_8995FE:				; CODE XREF: WdipSemLoadScenarioTable+240j
		mov	ecx, 270h
		call	_WdipSemAllocatePool@4 ; WdipSemAllocatePool(x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_89956C
		jmp	loc_92E06A
; 

loc_899617:				; CODE XREF: WdipSemLoadScenarioTable+2B2j
		mov	ecx, esi	; void *
		call	WdipSemAddScenarioToTable
		test	eax, eax
		jns	short loc_8995DA
		jmp	loc_92E024
; 

loc_899627:				; CODE XREF: WdipSemLoadScenarioTable+D9j
		push	[ebp+var_BC]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_BC], 0
		jmp	loc_899405
; 

loc_89963E:				; CODE XREF: WdipSemLoadScenarioTable+1F4j
		mov	ecx, [ebp+var_BC]
		lea	eax, [ebp+var_D0]
		push	eax
		lea	eax, [ebp+var_D4]
		mov	edx, offset ??_C@_1DC@HIPLPNKJ@?$AAS?$AAc?$AAe?$AAn?$AAa?$AAr?$AAi?$AAo?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi@NNGAKEGL@
		push	eax
		push	4
		push	4
		call	WdipSemQueryValueFromRegistry
		test	eax, eax
		jns	loc_92DF9C

loc_899668:				; CODE XREF: WdipSemLoadScenarioTable+94C89j
		mov	ecx, [ebp+var_BC]
		lea	eax, [ebp+var_D0]
		push	eax
		lea	eax, [ebp+var_D8]
		mov	edx, offset ??_C@_1DM@OJNCOCJI@?$AAS?$AAc?$AAe?$AAn?$AAa?$AAr?$AAi?$AAo?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi@NNGAKEGL@
		push	eax
		push	4
		push	4
		call	WdipSemQueryValueFromRegistry
		test	eax, eax
		js	loc_92DFB4
		test	byte ptr [ebp+var_D8], 1
		jz	loc_92DFB4
		push	11Ch		; size_t
		lea	eax, [ebp+var_210]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	10h
		pop	eax
		push	6
		push	40h
		push	[ebp+var_E0]
		mov	[ebp+var_F8], ax
		push	[ebp+var_DC]
		call	_VerSetConditionMask@16	; VerSetConditionMask(x,x,x,x)
		mov	ecx, edx
		mov	[ebp+var_DC], eax
		push	ecx
		push	eax
		push	40h
		lea	eax, [ebp+var_210]
		mov	[ebp+var_E0], ecx
		push	eax
		call	RtlVerifyVersionInfo
		mov	edi, [ebp+var_C4]
		test	eax, eax
		jns	loc_8993DD
		jmp	loc_92DFB4
; 

loc_899705:				; CODE XREF: WdipSemLoadScenarioTable+13Dj
		xor	edi, edi
		call	WdipSemEnableAllProviders

loc_89970C:				; CODE XREF: WdipSemLoadScenarioTable+A7j
					; WdipSemLoadScenarioTable+94D49j ...
		cmp	[ebp+var_CC], 0
		jz	short loc_899727
		push	[ebp+var_CC]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_CC], 0

loc_899727:				; CODE XREF: WdipSemLoadScenarioTable+3EDj
		cmp	[ebp+var_C0], 0
		jnz	loc_92E07E

loc_899734:				; CODE XREF: WdipSemLoadScenarioTable+94D6Aj
		cmp	[ebp+var_BC], 0
		jnz	loc_92E095

loc_899741:				; CODE XREF: WdipSemLoadScenarioTable+94D81j
		cmp	[ebp+var_C8], 0
		jnz	loc_92E0AC

loc_89974E:				; CODE XREF: WdipSemLoadScenarioTable+94D91j
		test	esi, esi
		jz	short loc_899759
		mov	ecx, esi
		call	_WdipSemFreeScenario@4 ; WdipSemFreeScenario(x)

loc_899759:				; CODE XREF: WdipSemLoadScenarioTable+42Aj
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
WdipSemLoadScenarioTable endp ;	sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemLoadNextScenario	proc near	; CODE XREF: WdipSemLoadScenarioTable+26Bp

var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A1		= byte ptr -1A1h
var_1A0		= dword	ptr -1A0h
var_120		= dword	ptr -120h
var_A0		= dword	ptr -0A0h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092E0BC SIZE 0000006B BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 1D8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ecx
		xor	ecx, ecx
		mov	[ebp+var_1C0], eax
		mov	[ebp+var_1B0], ecx
		mov	[ebp+var_1B8], ecx
		mov	[ebp+var_1BC], ecx
		mov	[ebp+var_1D0], ecx
		mov	[ebp+var_1CC], ecx
		mov	[ebp+var_1A8], ecx
		mov	[ebp+var_1B4], ecx
		mov	[ebp+var_1AC], ecx
		mov	[ebp+var_1C4], ecx
		mov	[ebp+var_1C8], ecx
		mov	[ebp+var_1D8], ecx
		mov	[ebp+var_1D4], ecx
		mov	[ebp+var_1A1], cl
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, [ebx+8]
		test	eax, eax
		jz	loc_92E0BC
		test	edi, edi
		jz	loc_92E0BC
		push	98h		; size_t
		push	ecx		; int
		lea	eax, [ebp+var_A0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_1B4]
		push	eax
		push	96h
		lea	eax, [ebp+var_A0]
		push	eax
		push	0
		push	esi
		push	[ebp+var_1C0]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	loc_899A7B
		test	esi, esi
		js	loc_899A7B
		mov	eax, [ebp+var_94]
		mov	esi, 80h
		cmp	eax, esi
		jnb	loc_92E0C6
		shr	eax, 1
		xor	ecx, ecx
		push	esi		; size_t
		push	ecx		; int
		mov	word ptr [ebp+eax*2+var_90], cx
		lea	eax, [ebp+var_120]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_1A0]
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	ecx, ecx
		push	40h
		pop	esi

loc_899897:				; CODE XREF: WdipSemLoadNextScenario+144j
		lea	eax, [ecx+ecx]
		movzx	edx, word ptr [ebp+eax+var_90]
		cmp	edx, 3Bh
		jz	short loc_8998B6
		inc	ecx
		mov	word ptr [ebp+eax+var_120], dx
		cmp	ecx, esi
		jb	short loc_899897
		jmp	short loc_8998CB
; 

loc_8998B6:				; CODE XREF: WdipSemLoadNextScenario+137j
		cmp	eax, 80h
		jnb	loc_899CC1
		xor	edx, edx
		mov	word ptr [ebp+eax+var_120], dx

loc_8998CB:				; CODE XREF: WdipSemLoadNextScenario+146j
		cmp	ecx, esi
		jnb	loc_92E0DE
		inc	ecx
		xor	edx, edx
		cmp	ecx, esi
		jnb	loc_92E0DE

loc_8998DE:				; CODE XREF: WdipSemLoadNextScenario+189j
		movzx	eax, word ptr [ebp+ecx*2+var_90]
		mov	word ptr [ebp+edx*2+var_1A0], ax
		test	ax, ax
		jz	short loc_8998F9
		inc	ecx
		inc	edx
		cmp	ecx, esi
		jb	short loc_8998DE

loc_8998F9:				; CODE XREF: WdipSemLoadNextScenario+183j
		cmp	ecx, esi
		jnb	loc_92E0DE
		cmp	edx, 1
		jz	loc_899ACE

loc_89990A:				; CODE XREF: WdipSemLoadNextScenario+368j
					; WdipSemLoadNextScenario+375j
		lea	eax, [ebp+var_120]
		push	eax
		lea	eax, [ebp+var_1D0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_1D0]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_899A7B
		cmp	[ebp+var_1A1], 0
		jnz	short loc_89997A
		lea	eax, [ebp+var_1A0]
		push	eax
		lea	eax, [ebp+var_1D0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_1AC]
		push	eax
		push	0Ah
		lea	eax, [ebp+var_1D0]
		push	eax
		call	RtlUnicodeStringToInteger
		mov	esi, eax
		test	esi, esi
		js	loc_899A7B
		mov	ax, word ptr [ebp+var_1AC]
		mov	[edi+10h], ax

loc_89997A:				; CODE XREF: WdipSemLoadNextScenario+1CDj
		mov	edx, [ebp+var_1C0]
		lea	eax, [ebp+var_1B0]
		push	eax
		lea	ecx, [ebp+var_90]
		call	_WdipSemOpenRegistryKey@12 ; WdipSemOpenRegistryKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_899A7B
		mov	ecx, [ebp+var_1B0]
		lea	eax, [ebp+var_1B4]
		push	eax
		lea	eax, [ebp+var_1C4]
		mov	edx, (offset loc_8BFEC1+1)
		push	eax
		push	4
		push	4
		call	WdipSemQueryValueFromRegistry
		mov	esi, eax
		test	esi, esi
		js	loc_899B0B
		mov	eax, [ebp+var_1C4]
		test	eax, eax
		jnz	loc_899AE8

loc_8999D6:				; CODE XREF: WdipSemLoadNextScenario+3A3j
		mov	byte ptr [edi+12h], 0FFh

loc_8999DA:				; CODE XREF: WdipSemLoadNextScenario+37Dj
		mov	ecx, [ebp+var_1B0]
		lea	eax, [ebp+var_1B4]
		push	eax
		lea	eax, [ebp+var_1D8]
		mov	edx, offset ??_C@_1BA@DJIMNDKE@?$AAK?$AAe?$AAy?$AAw?$AAo?$AAr?$AAd@NNGAKEGL@
		push	eax
		push	8
		push	0Bh
		call	WdipSemQueryValueFromRegistry
		mov	esi, eax
		test	esi, esi
		js	loc_92E0E8
		mov	ecx, [ebp+var_1D8]
		mov	eax, ecx
		mov	edx, [ebp+var_1D4]
		or	eax, edx
		jz	loc_899AFE
		mov	[edi+18h], ecx
		mov	[edi+1Ch], edx

loc_899A22:				; CODE XREF: WdipSemLoadNextScenario+398j
		mov	ecx, [ebp+var_1B0]
		lea	eax, [ebp+var_1B4]
		push	eax
		lea	eax, [ebp+var_1C8]
		mov	edx, offset ??_C@_1BO@BKEADOJP@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAy@NNGAKEGL@
		push	eax
		push	4
		push	4
		call	WdipSemQueryValueFromRegistry
		mov	esi, eax
		test	esi, esi
		jns	loc_899AF0
		cmp	esi, 0C0000034h
		jnz	short loc_899A7B
		and	dword ptr [edi+24h], 0

loc_899A5A:				; CODE XREF: WdipSemLoadNextScenario+38Bj
		mov	edx, [ebp+var_1B0]
		lea	eax, [ebp+var_1BC]
		push	eax
		mov	ecx, offset ??_C@_1BE@OIDFIPDC@?$AAE?$AAn?$AAd?$AAE?$AAv?$AAe?$AAn?$AAt?$AAs@NNGAKEGL@ ; "EndEvents"
		call	_WdipSemOpenRegistryKey@12 ; WdipSemOpenRegistryKey(x,x,x)
		xor	esi, esi
		test	eax, eax
		jns	loc_899B1C

loc_899A7B:				; CODE XREF: WdipSemLoadNextScenario+D4j
					; WdipSemLoadNextScenario+DCj ...
		cmp	[ebp+var_1B0], 0
		jz	short loc_899A8F
		push	[ebp+var_1B0]
		call	_ZwClose@4	; ZwClose(x)

loc_899A8F:				; CODE XREF: WdipSemLoadNextScenario+314j
		cmp	[ebp+var_1B8], 0
		jnz	loc_899CB1

loc_899A9C:				; CODE XREF: WdipSemLoadNextScenario+54Ej
		cmp	[ebp+var_1BC], 0
		jnz	loc_899C89

loc_899AA9:				; CODE XREF: WdipSemLoadNextScenario+526j
		mov	eax, [ebp+var_1A8]
		test	eax, eax
		jnz	loc_899C99

loc_899AB7:				; CODE XREF: WdipSemLoadNextScenario+537j
					; WdipSemLoadNextScenario+94953j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_899ACE:				; CODE XREF: WdipSemLoadNextScenario+196j
		cmp	word ptr [ebp+var_1A0],	2Ah
		jnz	loc_89990A
		mov	[ebp+var_1A1], 1
		jmp	loc_89990A
; 

loc_899AE8:				; CODE XREF: WdipSemLoadNextScenario+262j
		mov	[edi+12h], al
		jmp	loc_8999DA
; 

loc_899AF0:				; CODE XREF: WdipSemLoadNextScenario+2DAj
		mov	eax, [ebp+var_1C8]
		mov	[edi+24h], eax
		jmp	loc_899A5A
; 

loc_899AFE:				; CODE XREF: WdipSemLoadNextScenario+2A8j
					; WdipSemLoadNextScenario+94986j
		or	dword ptr [edi+18h], 0FFFFFFFFh
		or	dword ptr [edi+1Ch], 0FFFFFFFFh
		jmp	loc_899A22
; 

loc_899B0B:				; CODE XREF: WdipSemLoadNextScenario+254j
		cmp	esi, 0C0000034h
		jz	loc_8999D6
		jmp	loc_899A7B
; 

loc_899B1C:				; CODE XREF: WdipSemLoadNextScenario+307j
		mov	[ebp+var_1AC], esi

loc_899B22:				; CODE XREF: WdipSemLoadNextScenario+516j
		mov	ecx, offset unk_6BDBD8
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	[ebp+var_1A8], eax
		test	eax, eax
		jnz	short loc_899B4C
		push	30h
		pop	ecx
		call	_WdipSemAllocatePool@4 ; WdipSemAllocatePool(x)
		mov	[ebp+var_1A8], eax
		test	eax, eax
		jz	loc_92E11D

loc_899B4C:				; CODE XREF: WdipSemLoadNextScenario+3C6j
		push	30h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_1BC]
		add	esp, 0Ch
		mov	edx, esi
		push	[ebp+var_1A8]
		call	WdipSemLoadNextEndEvent
		inc	[ebp+var_1AC]
		mov	esi, eax
		cmp	esi, 8000001Ah
		jnz	loc_899C5A
		cmp	dword ptr [edi+34h], 0
		jz	loc_899CAA
		cmp	[ebp+var_1A1], 0
		jnz	loc_92E0DE
		mov	edx, [ebp+var_1B0]
		lea	eax, [ebp+var_1B8]
		push	eax
		mov	ecx, offset ??_C@_1CC@GNJGIMBM@?$AAC?$AAo?$AAn?$AAt?$AAe?$AAx?$AAt?$AAP?$AAr?$AAo?$AAv?$AAi?$AAd?$AAe?$AAr@NNGAKEGL@
		call	_WdipSemOpenRegistryKey@12 ; WdipSemOpenRegistryKey(x,x,x)
		xor	esi, esi
		test	eax, eax
		js	loc_899A7B
		mov	eax, [ebp+var_1A8]
		mov	[ebp+var_1AC], esi

loc_899BC4:				; CODE XREF: WdipSemLoadNextScenario+4E7j
		test	eax, eax
		jnz	short loc_899BF2
		mov	ecx, offset unk_6BDBD8
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	[ebp+var_1A8], eax
		test	eax, eax
		jnz	short loc_899BF2
		push	30h
		pop	ecx
		call	_WdipSemAllocatePool@4 ; WdipSemAllocatePool(x)
		mov	[ebp+var_1A8], eax
		test	eax, eax
		jz	loc_92E11D

loc_899BF2:				; CODE XREF: WdipSemLoadNextScenario+458j
					; WdipSemLoadNextScenario+46Cj
		push	30h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_1B8]
		add	esp, 0Ch
		mov	edx, esi
		push	[ebp+var_1A8]
		call	WdipSemLoadNextContextProvider
		inc	[ebp+var_1AC]
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	loc_899CAA
		test	esi, esi
		js	loc_899A7B
		mov	ecx, [edi+30h]
		cmp	ecx, 7Ch
		jnb	loc_92E100
		mov	eax, [ebp+var_1A8]
		mov	esi, [ebp+var_1AC]
		mov	[edi+ecx*4+38h], eax
		inc	dword ptr [edi+30h]
		xor	eax, eax
		mov	[ebp+var_1A8], eax
		jmp	loc_899BC4
; 

loc_899C5A:				; CODE XREF: WdipSemLoadNextScenario+40Cj
		test	esi, esi
		js	loc_899A7B
		mov	ecx, [edi+34h]
		cmp	ecx, 10h
		jnb	loc_92E0F9
		mov	eax, [ebp+var_1A8]
		mov	esi, [ebp+var_1AC]
		mov	[edi+ecx*4+228h], eax
		inc	dword ptr [edi+34h]
		jmp	loc_899B22
; 

loc_899C89:				; CODE XREF: WdipSemLoadNextScenario+335j
		push	[ebp+var_1BC]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_899AA9
; 

loc_899C99:				; CODE XREF: WdipSemLoadNextScenario+343j
		mov	edx, eax
		mov	ecx, offset unk_6BDBD8
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		jmp	loc_899AB7
; 

loc_899CAA:				; CODE XREF: WdipSemLoadNextScenario+416j
					; WdipSemLoadNextScenario+4B2j
		xor	esi, esi
		jmp	loc_899A7B
; 

loc_899CB1:				; CODE XREF: WdipSemLoadNextScenario+328j
		push	[ebp+var_1B8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_899A9C
; 

loc_899CC1:				; CODE XREF: WdipSemLoadNextScenario+14Dj
		call	___report_rangecheckfailure
WdipSemLoadNextScenario	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemQueryValueFromRegistry proc near	; CODE XREF: WdipSemLoadConfigInfo+43p
					; WdipSemLoadConfigInfo+63p ...

var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092E127 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 0B0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebx+10h]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_9C], eax
		mov	ecx, [ebx+14h]
		push	edi
		xor	edi, edi
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_AC], edi
		mov	[ebp+var_A8], edi
		mov	[ebp+var_A0], edi
		test	esi, esi
		jz	loc_92E127
		test	edx, edx
		jz	loc_92E127
		test	eax, eax
		jz	loc_92E127
		test	ecx, ecx
		jz	loc_92E127
		push	edx
		lea	eax, [ebp+var_AC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_A0]
		push	eax
		push	90h
		lea	eax, [ebp+var_98]
		push	eax
		push	2
		lea	eax, [ebp+var_AC]
		push	eax
		push	esi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_899DB8
		test	esi, esi
		js	short loc_899DB8
		mov	edi, [ebp+var_90]
		cmp	edi, [ebx+0Ch]
		ja	short loc_899DCF
		mov	eax, [ebp+var_94]
		cmp	eax, [ebx+8]
		jnz	short loc_899DCF
		push	dword ptr [ebx+0Ch] ; size_t
		push	0		; int
		push	[ebp+var_9C]	; void *
		call	_memset
		push	edi		; size_t
		lea	eax, [ebp+var_8C]
		push	eax		; void *
		push	[ebp+var_9C]	; void *
		call	_memcpy
		mov	eax, [ebp+var_A4]
		add	esp, 18h
		mov	[eax], edi

loc_899DB8:				; CODE XREF: WdipSemQueryValueFromRegistry+A8j
					; WdipSemQueryValueFromRegistry+ACj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	10h
; 

loc_899DCF:				; CODE XREF: WdipSemQueryValueFromRegistry+B7j
					; WdipSemQueryValueFromRegistry+C2j
		mov	esi, 0C0000001h
		jmp	short loc_899DB8
WdipSemQueryValueFromRegistry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemOpenRegistryKey(x, x, x)
_WdipSemOpenRegistryKey@12 proc	near	; CODE XREF: WdipSemLoadGroupPolicy+22p
					; WdipSemLoadConfigInfo+23p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edx
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		test	ecx, ecx
		jz	short loc_899E31
		cmp	[ebp+arg_0], edi
		jz	short loc_899E31
		push	ecx
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		mov	[ebp+var_24], 18h
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	0F003Fh
		push	[ebp+arg_0]
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], 240h
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)

loc_899E2B:				; CODE XREF: WdipSemOpenRegistryKey(x,x,x)+60j
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_899E31:				; CODE XREF: WdipSemOpenRegistryKey(x,x,x)+16j
					; WdipSemOpenRegistryKey(x,x,x)+1Bj
		mov	eax, 0C000000Dh
		jmp	short loc_899E2B
_WdipSemOpenRegistryKey@12 endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemFreeScenario(x)
_WdipSemFreeScenario@4 proc near	; CODE XREF: WdipSemLoadScenarioTable+22Dp
					; WdipSemLoadScenarioTable+42Ep ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_899EAD
		push	ebx
		xor	ebx, ebx
		push	edi
		cmp	[esi+30h], ebx
		ja	short loc_899E68

loc_899E4A:				; CODE XREF: WdipSemFreeScenario(x)+4Fj
		and	dword ptr [esi+30h], 0
		xor	ebx, ebx
		cmp	[esi+34h], ebx
		ja	short loc_899E89

loc_899E55:				; CODE XREF: WdipSemFreeScenario(x)+71j
		and	dword ptr [esi+34h], 0
		mov	edx, esi
		pop	edi
		pop	ebx
		mov	ecx, offset unk_6BDBE0
		pop	esi
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
; 

loc_899E68:				; CODE XREF: WdipSemFreeScenario(x)+10j
		lea	edi, [esi+38h]

loc_899E6B:				; CODE XREF: WdipSemFreeScenario(x)+4Dj
		mov	edx, [edi]
		test	edx, edx
		jz	short loc_899E7E
		mov	ecx, offset unk_6BDBD8
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		and	dword ptr [edi], 0

loc_899E7E:				; CODE XREF: WdipSemFreeScenario(x)+37j
		inc	ebx
		add	edi, 4
		cmp	ebx, [esi+30h]
		jb	short loc_899E6B
		jmp	short loc_899E4A
; 

loc_899E89:				; CODE XREF: WdipSemFreeScenario(x)+1Bj
		lea	edi, [esi+228h]

loc_899E8F:				; CODE XREF: WdipSemFreeScenario(x)+73j
		mov	edx, [edi]
		test	edx, edx
		jz	short loc_899EA2
		mov	ecx, offset unk_6BDBD8
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		and	dword ptr [edi], 0

loc_899EA2:				; CODE XREF: WdipSemFreeScenario(x)+5Bj
		inc	ebx
		add	edi, 4
		cmp	ebx, [esi+34h]
		jnb	short loc_899E55
		jmp	short loc_899E8F
; 

loc_899EAD:				; CODE XREF: WdipSemFreeScenario(x)+7j
		pop	esi
		retn
_WdipSemFreeScenario@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemUpdateProviderEntriesForScenario(x)
_WdipSemUpdateProviderEntriesForScenario@4 proc	near
					; CODE XREF: WdipSemLoadScenarioTable+2B6p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		cmp	[edi+34h], esi
		setnbe	al
		mov	dl, al
		mov	[ebp+var_1], al
		call	_WdipSemUpdateProviderEntryForEvent@8 ;	WdipSemUpdateProviderEntryForEvent(x,x)
		cmp	[edi+34h], esi
		ja	short loc_899ED5

loc_899ED1:				; CODE XREF: WdipSemUpdateProviderEntriesForScenario(x)+40j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_899ED5:				; CODE XREF: WdipSemUpdateProviderEntriesForScenario(x)+1Fj
		push	ebx
		lea	ebx, [edi+228h]

loc_899EDC:				; CODE XREF: WdipSemUpdateProviderEntriesForScenario(x)+3Dj
		mov	dl, [ebp+var_1]
		mov	ecx, [ebx]
		call	_WdipSemUpdateProviderEntryForEvent@8 ;	WdipSemUpdateProviderEntryForEvent(x,x)
		inc	esi
		lea	ebx, [ebx+4]
		cmp	esi, [edi+34h]
		jb	short loc_899EDC
		pop	ebx
		jmp	short loc_899ED1
_WdipSemUpdateProviderEntriesForScenario@4 endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemUpdateProviderEntryForEvent(x, x)
_WdipSemUpdateProviderEntryForEvent@8 proc near
					; CODE XREF: WdipSemUpdateProviderEntriesForScenario(x)+17p
					; WdipSemUpdateProviderEntriesForScenario(x)+31p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, [ecx+28h]
		mov	dh, dl
		mov	dl, [ecx+12h]
		push	edi
		mov	edi, [esi+18h]
		mov	ebx, [esi+1Ch]
		mov	al, [esi+10h]
		or	edi, [ecx+18h]
		or	ebx, [ecx+1Ch]
		cmp	dl, al
		ja	short loc_899F14
		mov	dl, al

loc_899F14:				; CODE XREF: WdipSemUpdateProviderEntryForEvent(x,x)+1Ej
		mov	eax, [esi+20h]
		or	eax, [ecx+24h]
		inc	dword ptr [esi+28h]
		or	byte ptr [esi+24h], 1
		mov	[esi+18h], edi
		mov	[esi+1Ch], ebx
		mov	[esi+10h], dl
		mov	[esi+20h], eax
		test	dh, dh
		jnz	short loc_899F35

loc_899F31:				; CODE XREF: WdipSemUpdateProviderEntryForEvent(x,x)+71j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_899F35:				; CODE XREF: WdipSemUpdateProviderEntryForEvent(x,x)+3Dj
		mov	edi, [esi+38h]
		mov	ebx, [esi+3Ch]
		mov	dl, [ecx+12h]
		mov	al, [esi+30h]
		or	edi, [ecx+18h]
		or	ebx, [ecx+1Ch]
		cmp	dl, al
		ja	short loc_899F4D
		mov	dl, al

loc_899F4D:				; CODE XREF: WdipSemUpdateProviderEntryForEvent(x,x)+57j
		mov	eax, [esi+40h]
		or	eax, [ecx+24h]
		or	byte ptr [esi+44h], 1
		mov	[esi+38h], edi
		mov	[esi+3Ch], ebx
		mov	[esi+30h], dl
		mov	[esi+40h], eax
		jmp	short loc_899F31
_WdipSemUpdateProviderEntryForEvent@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemUpdateProviderTableWithScenario proc near ; CODE	XREF: WdipSemLoadScenarioTable+2A1p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092E131 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	loc_92E131
		call	WdipSemUpdateProviderTableWithEvent
		test	eax, eax
		js	short loc_899F92
		push	ebx
		push	edi
		xor	edi, edi
		mov	ebx, edi
		cmp	[esi+30h], edi
		ja	short loc_899FB1

loc_899F8B:				; CODE XREF: WdipSemUpdateProviderTableWithScenario+6Bj
		cmp	[esi+34h], edi
		ja	short loc_899F95

loc_899F90:				; CODE XREF: WdipSemUpdateProviderTableWithScenario+3Ej
					; WdipSemUpdateProviderTableWithScenario+47j ...
		pop	edi
		pop	ebx

loc_899F92:				; CODE XREF: WdipSemUpdateProviderTableWithScenario+18j
					; WdipSemUpdateProviderTableWithScenario+941D0j
		pop	esi
		leave
		retn
; 

loc_899F95:				; CODE XREF: WdipSemUpdateProviderTableWithScenario+28j
		lea	ebx, [esi+228h]

loc_899F9B:				; CODE XREF: WdipSemUpdateProviderTableWithScenario+49j
		mov	ecx, [ebx]
		call	WdipSemUpdateProviderTableWithEvent
		test	eax, eax
		js	short loc_899F90
		inc	edi
		add	ebx, 4
		cmp	edi, [esi+34h]
		jnb	short loc_899F90
		jmp	short loc_899F9B
; 

loc_899FB1:				; CODE XREF: WdipSemUpdateProviderTableWithScenario+23j
		lea	ecx, [esi+38h]
		mov	[ebp+var_4], ecx

loc_899FB7:				; CODE XREF: WdipSemUpdateProviderTableWithScenario+69j
		mov	ecx, [ecx]
		call	WdipSemUpdateProviderTableWithEvent
		test	eax, eax
		js	short loc_899F90
		mov	ecx, [ebp+var_4]
		inc	ebx
		add	ecx, 4
		mov	[ebp+var_4], ecx
		cmp	ebx, [esi+30h]
		jb	short loc_899FB7
		jmp	short loc_899F8B
WdipSemUpdateProviderTableWithScenario endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemUpdateProviderTableWithEvent proc near
					; CODE XREF: WdipSemUpdateProviderTableWithScenario+11p
					; WdipSemUpdateProviderTableWithScenario+37p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092E13B SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	loc_92E13B
		call	_WdipSemQueryProviderTable@4 ; WdipSemQueryProviderTable(x)
		test	eax, eax
		jz	short loc_899FFE
		mov	[esi+28h], eax

loc_899FF8:				; CODE XREF: WdipSemUpdateProviderTableWithEvent+8Cj
					; WdipSemUpdateProviderTableWithEvent+9416Cj ...
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_899FFE:				; CODE XREF: WdipSemUpdateProviderTableWithEvent+1Fj
		cmp	dword_6BDB80, 400h
		jnb	loc_92E145
		push	edi
		mov	ecx, offset unk_6BDBE8
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		mov	[ebp+var_4], edi
		test	edi, edi
		jnz	short loc_89A033
		push	50h
		pop	ecx
		call	_WdipSemAllocatePool@4 ; WdipSemAllocatePool(x)
		mov	edi, eax
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_89A062

loc_89A033:				; CODE XREF: WdipSemUpdateProviderTableWithEvent+4Cj
		push	50h		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		movsd
		movsd
		movsd
		movsd
		mov	ecx, dword_6BDB80
		mov	_WdipSemProviderTable[ecx*4], eax
		mov	ecx, [ebp+var_8]
		inc	dword_6BDB80
		mov	[ecx+28h], eax

loc_89A05F:				; CODE XREF: WdipSemUpdateProviderTableWithEvent+93j
		pop	edi
		jmp	short loc_899FF8
; 

loc_89A062:				; CODE XREF: WdipSemUpdateProviderTableWithEvent+5Dj
		mov	ebx, 0C000009Ah
		jmp	short loc_89A05F
WdipSemUpdateProviderTableWithEvent endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall WdipSemQueryProviderTable(void	*)
_WdipSemQueryProviderTable@4 proc near	; CODE XREF: WdipSemUpdateProviderTableWithEvent+18p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	short loc_89A0B2
		push	ebx
		mov	ebx, dword_6BDB80
		push	esi
		mov	esi, edi
		test	ebx, ebx
		jz	short loc_89A0B0

loc_89A089:				; CODE XREF: WdipSemQueryProviderTable(x)+3Fj
		mov	eax, _WdipSemProviderTable[esi*4]
		push	10h		; size_t
		push	eax		; void *
		push	ecx		; void *
		mov	[ebp+var_8], eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_89A0AD
		mov	ecx, [ebp+var_4]
		inc	esi
		cmp	esi, ebx
		jb	short loc_89A089
		jmp	short loc_89A0B0
; 

loc_89A0AD:				; CODE XREF: WdipSemQueryProviderTable(x)+37j
		mov	edi, [ebp+var_8]

loc_89A0B0:				; CODE XREF: WdipSemQueryProviderTable(x)+1Dj
					; WdipSemQueryProviderTable(x)+41j
		pop	esi
		pop	ebx

loc_89A0B2:				; CODE XREF: WdipSemQueryProviderTable(x)+Fj
		mov	eax, edi
		pop	edi
		leave
		retn
_WdipSemQueryProviderTable@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemEnableAllProviders proc near	; CODE XREF: WdipSemLoadScenarioTable+3E1p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092E170 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, _WdipDiagLoggerId
		mov	ecx, offset _WdipDiagLoggerId
		push	ebx
		push	esi
		push	edi
		xchg	eax, [ecx]
		mov	[ebp+var_8], eax
		mov	ecx, offset _WdipContextLoggerId
		mov	eax, _WdipContextLoggerId
		xchg	eax, [ecx]
		xor	ecx, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], ecx
		cmp	dword_6BDB80, ecx
		jz	short loc_89A155

loc_89A0EE:				; CODE XREF: WdipSemEnableAllProviders+9Bj
		mov	ebx, _WdipSemProviderTable[ecx*4]
		push	10h		; size_t
		push	offset _WDI_SEM_PROVIDER ; void	*
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_89A146
		lea	edi, [ebx+10h]
		cmp	dword ptr [edi+18h], 0
		lea	esi, [ebx+30h]
		jz	short loc_89A146
		cmp	byte ptr [edi+14h], 0
		jz	short loc_89A146
		movzx	eax, byte ptr [edi]
		mov	edx, ebx
		mov	ecx, [ebp+var_8]
		push	1
		push	dword ptr [edi+10h]
		push	dword ptr [edi+0Ch]
		push	dword ptr [edi+8]
		push	eax
		call	_WdipSemEnableDisableTrace@28 ;	WdipSemEnableDisableTrace(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_92E170
		mov	byte ptr [edi+15h], 1
		cmp	byte ptr [esi+14h], 0
		jnz	short loc_89A15A

loc_89A146:				; CODE XREF: WdipSemEnableAllProviders+4Fj
					; WdipSemEnableAllProviders+5Bj ...
		mov	ecx, [ebp+var_4]
		inc	ecx
		mov	[ebp+var_4], ecx
		cmp	ecx, dword_6BDB80
		jb	short loc_89A0EE

loc_89A155:				; CODE XREF: WdipSemEnableAllProviders+34j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_89A15A:				; CODE XREF: WdipSemEnableAllProviders+8Cj
		movzx	eax, byte ptr [esi]
		mov	edx, ebx
		mov	ecx, [ebp+var_C]
		push	1
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	eax
		call	_WdipSemEnableDisableTrace@28 ;	WdipSemEnableDisableTrace(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_92E177
		mov	byte ptr [esi+15h], 1
		jmp	short loc_89A146
WdipSemEnableAllProviders endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall WdipSemAddScenarioToTable(void	*)
WdipSemAddScenarioToTable proc near	; CODE XREF: WdipSemLoadScenarioTable+2F3p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092E185 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		test	edi, edi
		jz	loc_92E185
		mov	eax, dword_6BCB60
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, esi
		test	eax, eax
		jz	short loc_89A1C8

loc_89A1A6:				; CODE XREF: WdipSemAddScenarioToTable+44j
		mov	eax, _WdipSemScenarioTable[ebx*4]
		push	10h		; size_t
		push	edi		; void *
		push	eax		; void *
		mov	[ebp+var_4], eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_89A1E1

loc_89A1C0:				; CODE XREF: WdipSemAddScenarioToTable+6Aj
		mov	eax, [ebp+var_8]
		inc	ebx
		cmp	ebx, eax
		jb	short loc_89A1A6

loc_89A1C8:				; CODE XREF: WdipSemAddScenarioToTable+22j
		cmp	eax, 40h
		jnb	short loc_89A20E
		mov	_WdipSemScenarioTable[eax*4], edi
		inc	dword_6BCB60

loc_89A1DA:				; CODE XREF: WdipSemAddScenarioToTable+79j
					; WdipSemAddScenarioToTable+8Aj ...
		pop	ebx

loc_89A1DB:				; CODE XREF: WdipSemAddScenarioToTable+94008j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_89A1E1:				; CODE XREF: WdipSemAddScenarioToTable+3Cj
		mov	ecx, [ebp+var_4]
		mov	ax, [ecx+10h]
		cmp	ax, [edi+10h]
		jnz	short loc_89A1C0
		mov	edx, ecx
		mov	ecx, edi
		call	WdipSemMergeScenarios
		mov	esi, eax
		test	esi, esi
		js	short loc_89A1DA
		mov	ecx, [ebp+var_4]
		mov	_WdipSemScenarioTable[ebx*4], edi
		call	_WdipSemFreeScenario@4 ; WdipSemFreeScenario(x)
		jmp	short loc_89A1DA
; 

loc_89A20E:				; CODE XREF: WdipSemAddScenarioToTable+49j
		mov	esi, 0C0000001h
		jmp	short loc_89A1DA
WdipSemAddScenarioToTable endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemDeleteValueFromRegistry(x, x)
_WdipSemDeleteValueFromRegistry@8 proc near ; CODE XREF: WdipSemLoadConfigInfo+8Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_89A247
		push	offset ??_C@_1BE@CMBKOPGC@?$AAS?$AAE?$AAM?$AAU?$AAp?$AAd?$AAa?$AAt?$AAe@NNGAKEGL@
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_89A244:				; CODE XREF: WdipSemDeleteValueFromRegistry(x,x)+36j
		pop	esi
		leave
		retn
; 

loc_89A247:				; CODE XREF: WdipSemDeleteValueFromRegistry(x,x)+14j
		mov	eax, 0C000000Dh
		jmp	short loc_89A244
_WdipSemDeleteValueFromRegistry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemMergeScenarios proc near		; CODE XREF: WdipSemAddScenarioToTable+70p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092E18F SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_C], ecx
		mov	esi, edx
		push	edi
		mov	edi, ebx
		test	ecx, ecx
		jz	loc_92E18F
		test	esi, esi
		jz	loc_92E18F
		call	_WdipSemMergeEvents@8 ;	WdipSemMergeEvents(x,x)
		mov	[ebp+var_4], ebx
		cmp	[esi+30h], ebx
		jbe	short loc_89A2AA
		lea	edx, [esi+38h]
		mov	[ebp+var_8], edx

loc_89A285:				; CODE XREF: WdipSemMergeScenarios+5Aj
		mov	edx, [edx]
		call	WdipSemAddContextEventToScenario
		mov	edi, eax
		test	edi, edi
		js	short loc_89A2D7
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_8]
		inc	eax
		mov	ecx, [ebp+var_C]
		add	edx, 4
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx
		cmp	eax, [esi+30h]
		jb	short loc_89A285

loc_89A2AA:				; CODE XREF: WdipSemMergeScenarios+2Fj
		cmp	[esi+34h], ebx
		jbe	short loc_89A2D7
		lea	eax, [esi+228h]
		mov	[ebp+var_8], eax

loc_89A2B8:				; CODE XREF: WdipSemMergeScenarios+87j
		mov	edx, [eax]
		call	WdipSemAddEndEventToScenario
		mov	edi, eax
		test	edi, edi
		js	short loc_89A2D7
		mov	eax, [ebp+var_8]
		inc	ebx
		mov	ecx, [ebp+var_C]
		add	eax, 4
		mov	[ebp+var_8], eax
		cmp	ebx, [esi+34h]
		jb	short loc_89A2B8

loc_89A2D7:				; CODE XREF: WdipSemMergeScenarios+42j
					; WdipSemMergeScenarios+5Fj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
WdipSemMergeScenarios endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemAddContextEventToScenario proc near ; CODE XREF:	WdipSemMergeScenarios+39p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092E199 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	eax, ecx
		xor	ebx, ebx
		mov	[ebp+var_10], eax
		push	esi
		mov	esi, edx
		test	eax, eax
		jz	loc_92E199
		test	esi, esi
		jz	loc_92E199
		push	edi
		mov	edi, [eax+30h]
		mov	[ebp+var_4], ebx
		test	edi, edi
		jz	short loc_89A33B
		lea	ecx, [eax+38h]
		mov	[ebp+var_8], ecx

loc_89A312:				; CODE XREF: WdipSemAddContextEventToScenario+5Bj
		mov	eax, [ecx]
		push	10h		; size_t
		push	eax		; void *
		push	esi		; void *
		mov	[ebp+var_C], eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_89A36F
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		inc	eax
		add	ecx, 4
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		cmp	eax, edi
		jb	short loc_89A312

loc_89A33B:				; CODE XREF: WdipSemAddContextEventToScenario+2Cj
		cmp	edi, 7Ch
		jnb	short loc_89A37B
		mov	ecx, offset unk_6BDBD8
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_92E1A3

loc_89A354:				; CODE XREF: WdipSemAddContextEventToScenario+93ED1j
		mov	eax, [ebp+var_10]
		mov	edi, edx
		push	0Ch
		pop	ecx
		rep movsd
		mov	ecx, [eax+30h]
		mov	[eax+ecx*4+38h], edx
		inc	dword ptr [eax+30h]

loc_89A368:				; CODE XREF: WdipSemAddContextEventToScenario+9Bj
					; WdipSemAddContextEventToScenario+A2j	...
		pop	edi

loc_89A369:				; CODE XREF: WdipSemAddContextEventToScenario+93EC0j
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_89A36F:				; CODE XREF: WdipSemAddContextEventToScenario+47j
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		call	_WdipSemMergeEvents@8 ;	WdipSemMergeEvents(x,x)
		jmp	short loc_89A368
; 

loc_89A37B:				; CODE XREF: WdipSemAddContextEventToScenario+60j
		mov	ebx, 0C0000001h
		jmp	short loc_89A368
WdipSemAddContextEventToScenario endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WdipSemAddEndEventToScenario proc near	; CODE XREF: WdipSemMergeScenarios+6Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092E1BF SIZE 0000006B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	eax, ecx
		xor	ebx, ebx
		mov	[ebp+var_10], eax
		push	esi
		mov	esi, edx
		test	eax, eax
		jz	short loc_89A3ED
		test	esi, esi
		jz	short loc_89A3ED
		push	edi
		mov	edi, [eax+34h]
		mov	[ebp+var_4], ebx
		test	edi, edi
		jz	loc_92E1D7
		lea	ecx, [eax+228h]
		mov	[ebp+var_8], ecx

loc_89A3B5:				; CODE XREF: WdipSemAddEndEventToScenario+93E4Fj
		mov	eax, [ecx]
		push	10h		; size_t
		push	eax		; void *
		push	esi		; void *
		mov	[ebp+var_C], eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_92E1BF
		mov	ecx, [ebp+var_C]
		mov	ax, [esi+10h]
		cmp	ax, [ecx+10h]
		jnz	loc_92E1BF
		mov	edx, esi
		call	_WdipSemMergeEvents@8 ;	WdipSemMergeEvents(x,x)

loc_89A3E6:				; CODE XREF: WdipSemAddEndEventToScenario+93E5Fj
					; WdipSemAddEndEventToScenario+93E87j ...
		pop	edi

loc_89A3E7:				; CODE XREF: WdipSemAddEndEventToScenario+70j
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_89A3ED:				; CODE XREF: WdipSemAddEndEventToScenario+15j
					; WdipSemAddEndEventToScenario+19j
		mov	ebx, 0C000000Dh
		jmp	short loc_89A3E7
WdipSemAddEndEventToScenario endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemMergeEvents(x, x)
_WdipSemMergeEvents@8 proc near		; CODE XREF: WdipSemMergeScenarios+24p
					; WdipSemAddContextEventToScenario+96p	...
		test	ecx, ecx
		jz	short locret_89A41F
		test	edx, edx
		jz	short locret_89A41F
		mov	al, [ecx+12h]
		push	ebx
		mov	bl, [edx+12h]
		cmp	al, bl
		ja	short loc_89A409
		mov	al, bl

loc_89A409:				; CODE XREF: WdipSemMergeEvents(x,x)+11j
		mov	[ecx+12h], al
		mov	eax, [edx+18h]
		or	[ecx+18h], eax
		mov	eax, [edx+1Ch]
		or	[ecx+1Ch], eax
		mov	eax, [edx+24h]
		or	[ecx+24h], eax
		pop	ebx

locret_89A41F:				; CODE XREF: WdipSemMergeEvents(x,x)+2j
					; WdipSemMergeEvents(x,x)+6j
		retn
_WdipSemMergeEvents@8 endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemInitializeGlobalState()
_WdipSemInitializeGlobalState@0	proc near ; CODE XREF: WdipSemInitialize()+3p
					; WdipSemUpdate()+Ep
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		mov	_WdipSemPushLock, ebx
		mov	_WdipSemRegHandle, ebx
		mov	dword_6BCB74, ebx
		mov	_WdipSemEnabled, bl
		mov	_WdipSemTimeoutEnabled,	bl
		mov	_WdipSemTimeoutValue, ebx
		mov	_WdipSemDisabledScenarioTable, ebx
		mov	_WdipDiagLoggerId, ebx
		mov	_WdipContextLoggerId, ebx
		call	_WdipSemInitializePool@0 ; WdipSemInitializePool()
		push	104h		; size_t
		push	ebx		; int
		push	offset _WdipSemScenarioTable ; void *
		call	_memset
		push	1004h		; size_t
		push	ebx		; int
		push	offset _WdipSemProviderTable ; void *
		call	_memset
		add	esp, 18h
		mov	dword_6BDB84, ebx
		mov	eax, offset _WdipSemEnabledInstanceTable
		mov	dword_6BDB98, ebx
		mov	dword_6BDB94, eax
		mov	_WdipSemEnabledInstanceTable, eax
		mov	dword_6BDB9C, ebx
		call	_WdipSemClearFrequentScenarioTable@0 ; WdipSemClearFrequentScenarioTable()
		mov	_WdipSemInitialized, 1
		pop	ebx
		retn
_WdipSemInitializeGlobalState@0	endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemInitializePool()
_WdipSemInitializePool@0 proc near	; CODE XREF: WdipSemInitializeGlobalState()+3Bp
		mov	edi, edi
		push	esi
		push	48h		; size_t
		push	0		; int
		mov	esi, offset _WdipSemPool
		push	esi		; void *
		call	_memset
		and	dword_6BDBD0, 0
		push	30h		; size_t
		push	0		; int
		push	offset unk_6BDBD8 ; void *
		mov	dword_6BDBC4, esi
		mov	_WdipSemPool, esi
		call	_memset
		add	esp, 18h
		pop	esi
		retn
_WdipSemInitializePool@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpQueryModuleInformationEx proc near	; CODE XREF: PAGE:0077EF38p

var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0092E23F SIZE 0000000A BYTES

		push	1Ch
		push	offset dword_6A7340
		call	__SEH_prolog4
		mov	ebx, edx
		xor	edx, edx
		mov	[ebp+var_20], edx
		and	[ebp+var_1C], edx
		push	2
		pop	edi
		cmp	[ebp+arg_0], edi
		jb	loc_89A5AD
		and	[ebp+ms_exc.disabled], edx
		xor	eax, eax
		mov	[ebx], ax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+arg_8]

loc_89A51E:				; CODE XREF: ExpQueryModuleInformationEx+D3j
		mov	ecx, _PsLoadedModuleList

loc_89A524:				; CODE XREF: ExpQueryModuleInformationEx+6Dj
		mov	[ebp+arg_8], ecx
		cmp	ecx, offset _PsLoadedModuleList
		jz	short loc_89A592
		lea	eax, [edi+12Ch]
		cmp	eax, edi
		jb	loc_92E23F
		mov	edi, eax
		cmp	[ebp+arg_0], edi
		jnb	short loc_89A559
		test	esi, esi
		jz	short loc_89A54A
		mov	[esi], edi

loc_89A54A:				; CODE XREF: ExpQueryModuleInformationEx+5Cj
		mov	[ebp+var_1C], 0C0000004h

loc_89A551:				; CODE XREF: ExpQueryModuleInformationEx+A6j
		inc	edx
		mov	[ebp+var_20], edx
		mov	ecx, [ecx]
		jmp	short loc_89A524
; 

loc_89A559:				; CODE XREF: ExpQueryModuleInformationEx+58j
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, 12Ch
		mov	[ebx], ax
		push	ebx
		call	_ExpConvertLdrEntryToModuleInfo@12 ; ExpConvertLdrEntryToModuleInfo(x,x,x)
		cmp	[ebp+arg_4], 0
		jnz	short loc_89A5C2

loc_89A574:				; CODE XREF: ExpQueryModuleInformationEx+DFj
		mov	eax, 12Ch
		add	ebx, eax
		mov	[ebp+var_2C], ebx
		xor	eax, eax
		mov	[ebx], ax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+arg_8]
		mov	edx, [ebp+var_20]
		jmp	short loc_89A551
; 

loc_89A592:				; CODE XREF: ExpQueryModuleInformationEx+43j
		test	esi, esi
		jz	short loc_89A598
		mov	[esi], edi

loc_89A598:				; CODE XREF: ExpQueryModuleInformationEx+AAj
		mov	eax, [ebp+var_1C]

loc_89A59B:				; CODE XREF: ExpQueryModuleInformationEx+93D5Aj
					; sub_92E23A+2Cj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_89A5AD:				; CODE XREF: ExpQueryModuleInformationEx+1Cj
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_89A5B6
		mov	[esi], edi

loc_89A5B6:				; CODE XREF: ExpQueryModuleInformationEx+C8j
		mov	[ebp+var_1C], 0C0000004h
		jmp	loc_89A51E
; 

loc_89A5C2:				; CODE XREF: ExpQueryModuleInformationEx+88j
		and	dword ptr [ebx+124h], 0
		jmp	short loc_89A574
ExpQueryModuleInformationEx endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpConvertLdrEntryToModuleInfo(x, x, x)
_ExpConvertLdrEntryToModuleInfo@12 proc	near ; CODE XREF: ExpQueryModuleInformationEx+7Fp
					; ExpQuerySingleModuleInformation(x,x,x,x)+BBp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], 1000000h
		push	0
		and	dword ptr [esi+8], 0
		mov	eax, [edi+18h]
		mov	[esi+0Ch], eax
		mov	eax, [edi+20h]
		mov	[esi+10h], eax
		mov	eax, [edi+34h]
		mov	[esi+14h], eax
		mov	ax, [edi+38h]
		mov	[esi+1Ch], ax
		xor	eax, eax
		mov	[esi+1Ah], ax
		lea	eax, [esi+20h]
		mov	[ebp+var_4], eax
		lea	eax, [edi+24h]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[esi+18h], dx
		push	eax
		call	RtlUnicodeStringToAnsiString
		movzx	eax, word ptr [ebp+var_8]
		mov	edx, [ebp+var_4]
		add	eax, edx
		jmp	short loc_89A635
; 

loc_89A629:				; CODE XREF: ExpConvertLdrEntryToModuleInfo(x,x,x)+6Bj
		dec	eax
		mov	cl, [eax]
		test	cl, cl
		jz	short loc_89A63C
		cmp	cl, 5Ch
		jz	short loc_89A63B

loc_89A635:				; CODE XREF: ExpConvertLdrEntryToModuleInfo(x,x,x)+5Bj
		cmp	eax, edx
		ja	short loc_89A629
		jmp	short loc_89A63C
; 

loc_89A63B:				; CODE XREF: ExpConvertLdrEntryToModuleInfo(x,x,x)+67j
		inc	eax

loc_89A63C:				; CODE XREF: ExpConvertLdrEntryToModuleInfo(x,x,x)+62j
					; ExpConvertLdrEntryToModuleInfo(x,x,x)+6Dj
		sub	eax, edx
		mov	[esi+1Eh], ax
		mov	eax, [edi+40h]
		mov	[esi+120h], eax
		mov	eax, [edi+58h]
		and	dword ptr [esi+128h], 0
		pop	edi
		mov	[esi+124h], eax
		pop	esi
		leave
		retn	4
_ExpConvertLdrEntryToModuleInfo@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipApplyFunctionToServiceInstances proc	near ; CODE XREF: PipAddDevicesToBootDriver(x)+Ep

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092E26B SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		xor	ebx, ebx
		lea	eax, [ebp+var_8]
		push	esi
		push	edi
		push	ebx
		push	eax
		mov	ecx, edx
		mov	[ebp+var_8], ebx
		push	ebx
		mov	edx, 20019h
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		call	PipOpenServiceEnumKeys
		test	eax, eax
		jns	short loc_89A69E

loc_89A697:				; CODE XREF: PipApplyFunctionToServiceInstances+DDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_89A69E:				; CODE XREF: PipApplyFunctionToServiceInstances+33j
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		mov	edx, offset ??_C@_1M@NBCIMFHI@?$AAC?$AAo?$AAu?$AAn?$AAt@NNGAKEGL@ ; "C"
		mov	esi, ebx
		call	IopGetRegistryValue
		mov	edi, eax
		test	edi, edi
		js	loc_92E26B
		mov	ecx, [ebp+var_14]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_89A6D1
		cmp	dword ptr [ecx+0Ch], 4
		jb	short loc_89A6D1
		mov	eax, [ecx+8]
		mov	esi, [ecx+eax]

loc_89A6D1:				; CODE XREF: PipApplyFunctionToServiceInstances+61j
					; PipApplyFunctionToServiceInstances+67j
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89A6D8:				; CODE XREF: PipApplyFunctionToServiceInstances+93C17j
		test	esi, esi
		jz	short loc_89A735
		push	20207050h
		push	200h
		push	1
		mov	[ebp+var_10], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_92E27E
		xor	eax, eax

loc_89A6FC:				; CODE XREF: PipApplyFunctionToServiceInstances+C0j
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_18], eax
		push	ecx
		push	200h
		push	ebx
		push	1
		push	eax
		push	[ebp+var_8]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_89A724
		cmp	dword ptr [ebx+4], 1
		jz	short loc_89A744

loc_89A71E:				; CODE XREF: PipApplyFunctionToServiceInstances+C7j
					; PipApplyFunctionToServiceInstances+117j ...
		mov	eax, [ebp+var_18]
		inc	eax
		jmp	short loc_89A6FC
; 

loc_89A724:				; CODE XREF: PipApplyFunctionToServiceInstances+B4j
		cmp	eax, 8000001Ah
		jnz	short loc_89A71E
		xor	edi, edi

loc_89A72D:				; CODE XREF: PipApplyFunctionToServiceInstances+180j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89A735:				; CODE XREF: PipApplyFunctionToServiceInstances+78j
					; PipApplyFunctionToServiceInstances+93C0Fj ...
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, edi
		jmp	loc_89A697
; 

loc_89A744:				; CODE XREF: PipApplyFunctionToServiceInstances+BAj
		xor	eax, eax
		and	[ebp+var_14], eax
		mov	word ptr [ebp+var_24], ax
		lea	eax, [ebp+var_14]
		mov	edx, [ebx+0Ch]
		push	ecx
		mov	ecx, [ebx+8]
		push	eax
		add	ecx, ebx
		call	_PnpRegSzToString@16 ; PnpRegSzToString(x,x,x,x)
		mov	ecx, [ebp+var_14]
		mov	word ptr [ebp+var_24], cx
		mov	ax, [ebx+0Ch]
		mov	word ptr [ebp+var_24+2], ax
		mov	eax, [ebx+8]
		add	eax, ebx
		mov	[ebp+var_20], eax
		test	cx, cx
		jz	short loc_89A71E
		lea	eax, [ebp+var_24]
		xor	edx, edx
		push	eax
		lea	ecx, [ebp+var_C]
		call	PnpUnicodeStringToWstr
		test	eax, eax
		js	short loc_89A71E
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		push	0
		push	0F003Fh
		push	0
		push	10h
		call	_CmOpenDeviceRegKey
		mov	ecx, [ebp+var_C]
		lea	edx, [ebp+var_24]
		mov	edi, eax
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		test	edi, edi
		js	loc_89A71E
		push	[ebp+arg_C]
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_10]
		call	_PipAddDevicesToBootDriverWorker@12 ; PipAddDevicesToBootDriverWorker(x,x,x)
		push	[ebp+var_10]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		jnz	loc_89A71E
		jmp	loc_89A72D
PipApplyFunctionToServiceInstances endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiProcessAddBootDevices(x)
_PiProcessAddBootDevices@4 proc	near	; CODE XREF: PipAddDevicesToBootDriverWorker(x,x,x)+1Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx+0B0h]
		xor	edx, edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		push	esi
		mov	esi, [eax+14h]
		mov	[ebp+var_4], edx
		cmp	dword ptr [esi+0ACh], 302h
		jnz	short loc_89A858
		test	dword ptr [esi+10Ch], 6002h
		jnz	short loc_89A858
		cmp	[esi+124h], edx
		jnz	short loc_89A858
		lea	ecx, [ebp+var_4]
		call	PiPnpRtlBeginOperation
		mov	al, _PnPBootDriversInitialized
		lea	edx, [ebp+var_C]
		mov	ecx, esi
		mov	byte ptr [ebp+var_8], al
		call	PipCallDriverAddDevice
		test	eax, eax
		js	short loc_89A84C
		xor	dl, dl
		mov	ecx, esi
		call	_PoFxPrepareDevice@8 ; PoFxPrepareDevice(x,x)

loc_89A84C:				; CODE XREF: PiProcessAddBootDevices(x)+59j
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_89A858
		call	PiPnpRtlEndOperation

loc_89A858:				; CODE XREF: PiProcessAddBootDevices(x)+27j
					; PiProcessAddBootDevices(x)+33j ...
		xor	eax, eax
		pop	esi
		leave
		retn
_PiProcessAddBootDevices@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1690. PoFxRegisterCoreDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxRegisterCoreDevice
PoFxRegisterCoreDevice proc near	; CODE XREF: PoFxRegisterDebugger+F77Cp

var_4C		= dword	ptr -4Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0092E288 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		push	0Ah
		xor	eax, eax
		lea	edi, [esp+3Ch+var_28]
		pop	ecx
		xor	ebx, ebx
		rep stosd
		mov	edi, ebx
		mov	[esp+38h+var_2C], ebx
		cmp	[ebp+arg_0], eax
		jz	loc_92E292
		mov	esi, [ebp+arg_4]
		cmp	dword ptr [esi], 1
		jnz	loc_92E292
		cmp	[esi+10h], ebx
		jz	loc_92E292
		mov	edx, [esi+4]
		lea	ecx, [esi+1Ch]
		call	PopFxConvertV1Components
		mov	edi, eax
		test	edi, edi
		jz	loc_92E288
		mov	eax, [esi+8]
		xor	ecx, ecx
		mov	edx, [ebp+arg_0]
		mov	[esp+38h+var_28], eax
		mov	eax, [esi+0Ch]
		mov	[esp+38h+var_24], eax
		mov	eax, [esi+14h]
		mov	[esp+38h+var_20], eax
		mov	eax, [esi+10h]
		mov	[esp+38h+var_10], eax
		lea	eax, [esp+38h+var_2C]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	dword ptr [esi+18h]
		lea	eax, [esp+4Ch+var_28]
		mov	[esp+4Ch+var_1C], ebx
		push	dword ptr [esi+4]
		mov	[esp+50h+var_18], ebx
		push	edi
		push	eax
		mov	[esp+58h+var_14], ebx
		mov	[esp+58h+var_C], ebx
		mov	[esp+58h+var_8], ebx
		mov	[esp+58h+var_4], ebx
		call	_PopFxRegisterDeviceWorker@40 ;	PopFxRegisterDeviceWorker(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_89A93C
		push	[esp+58h+var_4C]
		call	PopFxInsertDevice
		mov	esi, ebx

loc_89A919:				; CODE XREF: PoFxRegisterCoreDevice+DEj
					; PoFxRegisterCoreDevice+93A35j
		test	edi, edi
		jz	short loc_89A928
		push	4D584650h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89A928:				; CODE XREF: PoFxRegisterCoreDevice+B9j
					; PoFxRegisterCoreDevice+93A2Bj
		mov	ecx, [ebp+arg_8]
		mov	eax, [esp+58h+var_4C]
		pop	edi
		mov	[ecx], eax
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_89A93C:				; CODE XREF: PoFxRegisterCoreDevice+AAj
		mov	[esp+58h+var_4C], ebx
		jmp	short loc_89A919
PoFxRegisterCoreDevice endp

; 
		align 8
; Exported entry 1692. PoFxRegisterDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PoFxRegisterDevice
PoFxRegisterDevice proc	near

var_42		= byte ptr -42h
var_41		= byte ptr -41h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0092E29C SIZE 00000092 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		mov	[esp+44h+var_40], eax
		push	ebx
		mov	ebx, eax
		push	esi
		push	edi
		test	edx, edx
		jz	loc_92E29C
		mov	esi, [ebp+arg_4]
		mov	ecx, eax
		mov	edi, eax
		mov	[esp+50h+var_10], eax
		mov	[esp+50h+var_C], eax
		mov	[esp+50h+var_8], ecx
		mov	eax, [esi]
		mov	[esp+50h+var_4], edi
		cmp	eax, 1
		jnz	loc_89AA75
		push	edx
		push	offset ??_C@_0CL@DBJKDPMB@Device?5using?5PO_FX_VERSION_V1?3?5@NNGAKEGL@	; "Device using	PO_FX_VERSION_V1: devobj 0"...
		inc	ebx
		push	ebx
		call	_PopPrintEx
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [eax+8]
		add	eax, 1Ch
		push	eax
		push	offset ??_C@_0BB@OOMNGHGK@?5?9?5Driver?3?5?$CC?$CFwZ?$CC@NNGAKEGL@ ; " - Driver: \"%wZ\""
		push	ebx
		call	_PopPrintEx
		add	esp, 0Ch
		push	offset ??_C@_01EEMJAFIK@?6@NNGAKEGL@
		push	ebx
		call	_PopPrintEx
		mov	eax, [esi+20h]
		mov	edx, [esi+4]
		and	[esp+58h+var_34], edi
		and	[esp+58h+var_38], edi
		mov	[esp+58h+var_3C], eax
		mov	eax, [esi+8]
		mov	[esp+58h+var_28], eax
		mov	eax, [esi+0Ch]
		mov	[esp+58h+var_24], eax
		mov	eax, [esi+10h]
		mov	[esp+58h+var_20], eax
		mov	eax, [esi+14h]
		pop	ecx
		mov	[esp+54h+var_1C], eax
		mov	eax, [esi+18h]
		pop	ecx
		mov	[esp+50h+var_18], eax
		lea	ecx, [esi+24h]
		mov	eax, [esi+1Ch]
		mov	[esp+50h+var_30], edx
		mov	[esp+50h+var_14], eax
		call	PopFxConvertV1Components
		mov	edx, [esp+50h+var_30]
		mov	ebx, eax
		mov	ecx, edi

loc_89AA10:				; CODE XREF: PoFxRegisterDevice+939A3j
		mov	eax, [esp+50h+var_3C]

loc_89AA14:				; CODE XREF: PoFxRegisterDevice+192j
		mov	[esp+50h+var_41], 0
		test	ecx, ecx
		jnz	loc_89AADF
		test	edi, edi
		jnz	loc_92E324

loc_89AA29:				; CODE XREF: PoFxRegisterDevice+1A4j
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		push	[esp+54h+var_38]
		push	[esp+58h+var_34]
		push	eax
		push	edx
		push	ebx
		lea	edx, [esp+68h+var_28]
		call	PopFxRegisterDevice
		mov	edi, eax
		test	edi, edi
		js	short loc_89AA54
		cmp	[esp+50h+var_41], 0
		jnz	loc_89AAF1

loc_89AA54:				; CODE XREF: PoFxRegisterDevice+FFj
					; PoFxRegisterDevice+939E1j
		xor	eax, eax
		inc	eax

loc_89AA57:				; CODE XREF: PoFxRegisterDevice+20Dj
					; PoFxRegisterDevice+939ADj ...
		test	ebx, ebx
		jz	short loc_89AA6A
		cmp	[esi], eax
		jnz	short loc_89AA6A
		push	4D584650h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89AA6A:				; CODE XREF: PoFxRegisterDevice+111j
					; PoFxRegisterDevice+115j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_89AA75:				; CODE XREF: PoFxRegisterDevice+3Dj
		cmp	eax, 2
		jz	loc_92E2A6
		cmp	eax, 3
		jnz	loc_92E324
		mov	eax, [esi+10h]
		mov	ebx, [esi+8]
		mov	ecx, [esi+28h]
		mov	edi, [esi+2Ch]
		mov	edx, [esi+38h]
		mov	[esp+50h+var_28], eax
		mov	eax, [esi+14h]
		mov	[esp+50h+var_24], eax
		mov	eax, [esi+18h]
		mov	[esp+50h+var_20], eax
		mov	eax, [esi+1Ch]
		mov	[esp+50h+var_1C], eax
		mov	eax, [esi+20h]
		mov	[esp+50h+var_18], eax
		mov	eax, [esi+24h]
		mov	[esp+50h+var_34], ebx
		mov	ebx, [esi+0Ch]
		mov	[esp+50h+var_14], eax
		mov	eax, [esi+34h]
		mov	[esp+50h+var_38], ebx
		lea	ebx, [esi+40h]
		mov	[esp+50h+var_40], esi
		mov	[esp+50h+var_8], ecx
		mov	[esp+50h+var_4], edi
		jmp	loc_89AA14
; 

loc_89AADF:				; CODE XREF: PoFxRegisterDevice+D3j
		test	edi, edi
		jz	loc_92E324
		mov	[esp+50h+var_41], 1
		jmp	loc_89AA29
; 

loc_89AAF1:				; CODE XREF: PoFxRegisterDevice+106j
		mov	eax, [ebp+arg_8]
		mov	edx, [eax]
		mov	eax, [esp+50h+var_40]
		mov	eax, [eax+30h]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_89AB60
		test	eax, eax
		jnz	short loc_89AB0B
		mov	eax, _PopFxDirectedFxDefaultTimeout

loc_89AB0B:				; CODE XREF: PoFxRegisterDevice+1BCj
		mov	[edx+268h], eax

loc_89AB11:				; CODE XREF: PoFxRegisterDevice+21Fj
		mov	eax, [esp+50h+var_40]
		add	edx, 238h
		mov	ecx, [eax+8]
		mov	eax, ecx
		and	eax, 2
		or	eax, 0
		jz	short loc_89AB37
		mov	eax, 200h
		lock or	[edx], eax
		mov	eax, [esp+50h+var_40]
		mov	ecx, [eax+8]

loc_89AB37:				; CODE XREF: PoFxRegisterDevice+1DEj
		and	ecx, 4
		or	ecx, 0
		jz	short loc_89AB47
		mov	eax, 400h
		lock or	[edx], eax

loc_89AB47:				; CODE XREF: PoFxRegisterDevice+1F5j
		push	20h
		pop	eax
		lock or	[edx], eax
		xor	eax, eax
		inc	eax
		cmp	[esp+50h+var_28], 0
		jnz	loc_89AA57
		jmp	loc_92E2F0
; 

loc_89AB60:				; CODE XREF: PoFxRegisterDevice+1B8j
		and	dword ptr [edx+268h], 0
		jmp	short loc_89AB11
PoFxRegisterDevice endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxRegisterDevice proc near		; CODE XREF: PoFxRegisterDevice+F6p
					; PoFxEnableDStateReporting(x,x)+75p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 0092E32E SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		mov	esi, ecx
		mov	edi, 78466F50h
		mov	[ebp+var_10], esi
		mov	edx, edi
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_92E32E
		mov	edx, edi
		mov	ecx, esi
		call	IoGetAttachedDeviceReferenceWithTag
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	edi, edi
		jz	loc_92E338
		mov	eax, [ebx+0B0h]
		mov	esi, [eax+14h]
		test	esi, esi
		jz	loc_92E342
		lea	edx, [esi+0A8h]
		xor	edi, edi
		mov	eax, [edx]

loc_89ABC8:				; CODE XREF: PopFxRegisterDevice+66j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_89ABC8
		mov	edi, [ebp+var_8]
		test	al, 1
		jz	loc_92E355
		mov	ecx, [esi+50h]
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_10]
		mov	al, [edi+30h]
		lea	edx, [esi+48h]
		push	[ebp+arg_C]
		inc	al
		movzx	eax, al
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	[ebp+var_C]
		call	_PopFxRegisterDeviceWorker@40 ;	PopFxRegisterDeviceWorker(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_92E349
		mov	eax, [ebp+var_4]
		xor	edi, edi
		mov	[eax+1Ch], esi
		cmp	[esi+28h], edi
		jnz	loc_92E35C
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		lea	edx, [edx+308h]
		call	PopGenerateDeviceFriendlyName
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		call	_PopFxAssignDeviceToDevNode@8 ;	PopFxAssignDeviceToDevNode(x,x)
		mov	esi, [ebp+var_10]
		mov	edx, 78466F50h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_4]
		xor	dl, dl
		mov	ecx, [ebp+var_8]
		mov	[eax+34h], esi
		mov	eax, [ebp+var_4]
		mov	[eax+38h], ecx
		mov	ecx, [ebp+var_4]
		call	PopFxTraceDeviceRegistration
		push	[ebp+var_4]
		call	PopFxInsertDevice
		mov	ecx, edi
		mov	ebx, edi

loc_89AC70:				; CODE XREF: PopFxRegisterDevice+937E6j
		test	ecx, ecx
		jnz	loc_92E36B

loc_89AC78:				; CODE XREF: PopFxRegisterDevice+937D3j
					; PopFxRegisterDevice+9380Bj
		test	ebx, ebx
		jnz	loc_92E37A

loc_89AC80:				; CODE XREF: PopFxRegisterDevice+937C9j
					; PopFxRegisterDevice+9381Cj
		mov	ecx, [ebp+arg_14]
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
PopFxRegisterDevice endp

; 
		align 2

; __stdcall PopFxRegisterDeviceWorker(x, x, x, x, x, x,	x, x, x, x)
_PopFxRegisterDeviceWorker@40:		; CODE XREF: PoFxRegisterCoreDevice+A1p
					; PopFxRegisterDevice+98p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		and	dword ptr [ebp-2Ch], 0
		and	dword ptr [ebp-24h], 0
		push	ebx
		push	esi
		mov	esi, [ebp+10h]
		mov	[ebp-50h], edx
		mov	[ebp-6Ch], ecx
		push	edi
		test	esi, esi
		jnz	short loc_89ACBC
		mov	esi, 0C000000Dh
		jmp	loc_89B34E
; 

loc_89ACBC:				; CODE XREF: PAGE:0089ACB0j
		imul	edi, esi, 0Ch
		xor	eax, eax
		push	4D584650h
		inc	eax
		push	edi
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp-28h], eax
		test	eax, eax
		jnz	short loc_89ACDF
		mov	esi, 0C000009Ah
		jmp	loc_89B34E
; 

loc_89ACDF:				; CODE XREF: PAGE:0089ACD3j
		xor	ebx, ebx
		and	[ebp-8], ebx
		push	edi
		push	ebx
		push	eax
		mov	[ebp-20h], ebx
		call	_memset
		and	[ebp-34h], ebx
		add	esp, 0Ch
		test	esi, esi
		jz	loc_89ADA8
		mov	edi, [ebp+0Ch]
		add	edi, 18h

loc_89AD03:				; CODE XREF: PAGE:0089ADA2j
		mov	edx, [edi+4]
		test	edx, edx
		jz	loc_89AE47
		xor	eax, eax
		inc	eax
		cmp	edx, eax
		jbe	short loc_89AD3D
		mov	eax, [ebp+8]
		cmp	dword ptr [eax], 0
		jz	loc_89AE47
		cmp	dword ptr [eax+4], 0
		jz	loc_89AE47
		cmp	dword ptr [eax+8], 0
		jz	loc_89AE47
		cmp	[edi], edx
		jnb	loc_89AE47

loc_89AD3D:				; CODE XREF: PAGE:0089AD13j
		lea	eax, [ebp-20h]
		mov	ecx, ebx
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_89AE47
		mov	edx, [edi+0Ch]
		test	edx, edx
		jz	short loc_89AD93
		cmp	edx, esi
		jnb	loc_89AE47
		mov	ecx, [ebp-8]
		lea	eax, [ebp-8]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_89AE47
		mov	edx, [ebp-28h]
		xor	ecx, ecx

loc_89AD78:				; CODE XREF: PAGE:0089AD91j
		mov	eax, [edi+10h]
		mov	eax, [eax+ecx*4]
		cmp	eax, esi
		jnb	loc_89AE47
		imul	eax, 0Ch
		inc	dword ptr [eax+edx+8]
		inc	ecx
		cmp	ecx, [edi+0Ch]
		jb	short loc_89AD78

loc_89AD93:				; CODE XREF: PAGE:0089AD55j
		mov	eax, [ebp-34h]
		add	edi, 30h
		mov	ebx, [ebp-20h]
		inc	eax
		mov	[ebp-34h], eax
		cmp	eax, esi
		jb	loc_89AD03

loc_89ADA8:				; CODE XREF: PAGE:0089ACF7j
		imul	eax, esi, 170h
		lea	ecx, ds:7[esi*4]
		and	ecx, 0FFFFFFF8h
		imul	edx, ebx, 18h
		mov	[ebp-48h], ecx
		add	ecx, eax
		xor	eax, eax
		mov	[ebp-44h], ecx
		mov	[ebp-4Ch], eax
		lea	edi, [edx+ecx]
		cmp	[ebp+18h], al
		jle	short loc_89ADD9
		mov	[ebp-4Ch], edi
		add	edi, 98h

loc_89ADD9:				; CODE XREF: PAGE:0089ADCEj
		mov	[ebp-30h], eax
		mov	[ebp-34h], eax
		mov	eax, [ebp-8]
		test	eax, eax
		jz	short loc_89ADF3
		shl	eax, 3
		mov	[ebp-30h], edi
		add	edi, eax
		mov	[ebp-34h], edi
		add	edi, eax

loc_89ADF3:				; CODE XREF: PAGE:0089ADE4j
		mov	eax, _PopFxRuntimeLogNumberEntries
		lea	ecx, ds:13h[esi*4]
		mov	ebx, [ebp-50h]
		and	ecx, 0FFFFFFF8h
		imul	eax, esi
		mov	[ebp-68h], edi
		mov	[ebp-3Ch], ecx
		mov	[ebp-64h], eax
		imul	eax, 18h
		add	edi, eax
		imul	eax, esi, 28h
		mov	[ebp-40h], edi
		add	ecx, eax
		mov	[ebp-38h], ecx
		add	ecx, edx
		mov	[ebp-10h], ecx
		lea	edx, [ebp-2Ch]
		mov	ecx, ebx
		call	PopFxFindAcpiDeviceByUniqueId
		test	eax, eax
		js	short loc_89AE51
		mov	eax, [ebp-2Ch]
		xor	ecx, ecx
		mov	ebx, eax
		inc	ecx
		mov	[ebp-24h], ebx
		add	eax, 78h
		lock or	[eax], ecx
		jmp	short loc_89AE7E
; 

loc_89AE47:				; CODE XREF: PAGE:0089AD08j
					; PAGE:0089AD1Bj ...
		mov	esi, 0C000000Dh
		jmp	loc_89B333
; 

loc_89AE51:				; CODE XREF: PAGE:0089AE32j
		cmp	eax, 0C0000056h
		jnz	short loc_89AE60
		lea	esi, [eax+4Dh]
		jmp	loc_89B333
; 

loc_89AE60:				; CODE XREF: PAGE:0089AE56j
		lea	eax, [ebp-24h]
		push	eax
		push	0
		push	ecx
		mov	ecx, ebx
		call	_PopFxCreateDeviceCommon@20 ; PopFxCreateDeviceCommon(x,x,x,x,x)
		mov	ebx, [ebp-24h]
		mov	esi, eax
		test	ebx, ebx
		jz	loc_89B333
		mov	esi, [ebp+10h]

loc_89AE7E:				; CODE XREF: PAGE:0089AE45j
		push	18h
		push	0
		push	0
		push	4D584650h
		lea	eax, [ebx+7Ch]
		push	eax
		call	IoInitializeRemoveLockEx
		push	4D584650h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp-4], eax
		test	eax, eax
		jnz	short loc_89AEB3

loc_89AEA9:				; CODE XREF: PAGE:0089AECAj
		mov	esi, 0C000009Ah
		jmp	loc_89B30C
; 

loc_89AEB3:				; CODE XREF: PAGE:0089AEA7j
		push	4D584650h
		push	dword ptr [ebp-10h]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp-0Ch], eax
		test	eax, eax
		jz	short loc_89AEA9
		push	edi
		mov	edi, [ebp-4]
		push	0
		push	edi
		call	_memset
		mov	eax, [ebp+14h]
		add	esp, 0Ch
		mov	[ebx+23Ch], esi
		mov	edx, offset _PopFxDeviceAccountingLevel
		mov	esi, [ebp+8]
		mov	[ebx+240h], edi
		lea	edi, [ebx+3Ch]
		push	0Ah
		pop	ecx
		rep movsd
		mov	[ebx+64h], eax
		xor	ecx, ecx
		and	dword ptr [ebx+160h], 0
		xor	eax, eax
		lock cmpxchg [edx], ecx
		push	dword ptr [ebp-10h]
		mov	esi, [ebp-0Ch]
		push	0
		mov	[ebx+16Ch], eax
		push	esi
		mov	[ebp-5Ch], eax
		mov	dword ptr [ebx+168h], 5
		call	_memset
		mov	eax, [ebp+20h]
		xor	edx, edx
		mov	ecx, [ebp+1Ch]
		add	esp, 0Ch
		mov	edi, [ebp+10h]
		mov	[esi+4], eax
		mov	eax, [ebp-48h]
		mov	[esi], ecx
		mov	ecx, [ebp-4]
		add	eax, ecx
		mov	[ebp-74h], eax
		mov	[ebp+14h], eax
		mov	eax, [ebp-44h]
		add	eax, ecx
		mov	[esi+8], edi
		mov	[ebp+20h], eax
		mov	eax, [ebp-3Ch]
		add	eax, esi
		mov	[ebp-1Ch], edx
		mov	[ebp-70h], eax
		mov	[ebp-18h], eax
		mov	eax, [ebp-38h]
		add	eax, esi
		mov	[ebp-14h], eax
		test	edi, edi
		jz	loc_89B1C5
		mov	eax, [ebp-34h]
		xor	esi, esi
		add	eax, ecx
		mov	edi, [ebp+14h]
		cmp	esi, [ebp-8]
		push	0FFFFFFE0h
		sbb	esi, esi
		and	esi, eax
		mov	eax, [ebp-30h]
		add	eax, ecx
		mov	[ebp-3Ch], esi
		xor	esi, esi
		cmp	esi, [ebp-8]
		lea	esi, [edi+20h]
		mov	[ebp-30h], esi
		sbb	edx, edx
		and	edx, eax
		mov	eax, [ebp-40h]
		add	eax, 0FFFFFE90h
		mov	[ebp-38h], edx
		mov	edx, [ebp+0Ch]
		mov	[ebp-58h], eax
		add	edx, 20h
		mov	eax, [ebp-28h]
		add	eax, 8
		mov	[ebp+8], edx
		mov	[ebp-34h], eax
		pop	eax
		sub	eax, ecx
		mov	ecx, edx
		mov	edx, [ebp-1Ch]
		mov	[ebp-54h], eax
		push	0FFFFFFF0h
		pop	eax
		sub	eax, [ebp-0Ch]
		mov	[ebp-44h], eax

loc_89AFD5:				; CODE XREF: PAGE:0089B1BDj
		mov	eax, [ebx+240h]
		mov	[eax+edx*4], edi
		mov	eax, [ebp-54h]
		add	eax, esi
		cmp	eax, [ebp-58h]
		ja	loc_89B2A9
		lea	eax, [ecx-20h]
		mov	esi, eax
		mov	[ebp+0Ch], eax
		xor	eax, eax
		inc	eax
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp-30h]
		xor	edi, edi
		push	edi
		lea	eax, [esi+20h]
		mov	[esi-10h], edx
		mov	edx, [ebp+14h]
		push	eax
		mov	[esi+10h], ebx
		mov	dword ptr [esi-4], offset PopFxComponentWork
		mov	[esi], edx
		mov	[esi-0Ch], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edx, [ebp+8]
		mov	[esi+30h], edi
		mov	eax, [edx-4]
		mov	[esi+4Ch], eax
		mov	eax, [ebp+20h]
		mov	[esi+50h], eax
		mov	eax, [edx-8]
		or	dword ptr [esi+78h], 0FFFFFFFFh
		mov	[esi+54h], eax
		mov	eax, [ebp-5Ch]
		mov	[esi+70h], edi
		mov	[esi+7Ch], eax
		mov	eax, [edx+4]
		test	eax, eax
		jz	short loc_89B06D
		mov	edi, [ebp-38h]
		xor	ecx, ecx
		mov	[esi+58h], eax
		mov	[esi+5Ch], edi

loc_89B057:				; CODE XREF: PAGE:0089B066j
		mov	eax, [edx+8]
		mov	eax, [eax+ecx*4]
		mov	[edi], eax
		add	edi, 8
		inc	ecx
		cmp	ecx, [esi+58h]
		jb	short loc_89B057
		mov	[ebp-38h], edi
		xor	edi, edi

loc_89B06D:				; CODE XREF: PAGE:0089B04Aj
		mov	eax, [ebp-34h]
		cmp	[eax], edi
		jbe	short loc_89B082
		mov	ecx, [ebp-3Ch]
		mov	[esi+68h], ecx
		mov	eax, [eax]
		lea	ecx, [ecx+eax*8]
		mov	[ebp-3Ch], ecx

loc_89B082:				; CODE XREF: PAGE:0089B072j
		mov	eax, [ebp-0Ch]
		mov	edx, [ebp-1Ch]
		mov	edi, [ebp-18h]
		mov	ecx, [ebp-44h]
		add	ecx, 10h
		mov	[eax+edx*4+0Ch], edi
		add	ecx, edi
		mov	eax, [ebp-10h]
		add	eax, 0FFFFFFD8h
		cmp	ecx, eax
		ja	loc_89B2A9
		mov	esi, [ebp+0Ch]
		mov	ecx, [ebp+8]
		and	dword ptr [ebp-48h], 0
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp-18h]
		mov	eax, [ecx-10h]
		mov	esi, [ebp-30h]
		mov	[edi+10h], eax
		mov	eax, [ecx-0Ch]
		mov	[edi+14h], eax
		mov	eax, [ecx-4]
		mov	[edi+1Ch], eax
		mov	eax, [ebp-14h]
		mov	[edi+20h], eax
		mov	eax, [ecx-8]
		mov	[edi+18h], eax
		cmp	dword ptr [esi+4Ch], 0
		jbe	loc_89B18F
		mov	edi, [ebp-40h]
		and	dword ptr [ebp+0Ch], 0
		add	edi, 0FFFFFFE8h
		push	0FFFFFFF0h
		pop	eax
		sub	eax, [ebp-4]
		mov	[ebp-60h], edi
		mov	[ebp-30h], eax

loc_89B0F7:				; CODE XREF: PAGE:0089B186j
		mov	edx, [ebp+20h]
		add	edx, 10h
		add	eax, edx
		mov	edx, [ebp-10h]
		cmp	eax, edi
		ja	loc_89B2A9
		mov	edi, [ecx]
		add	edi, [ebp+0Ch]
		mov	ecx, [ebp+20h]
		mov	eax, [edi+10h]
		mov	[ecx+10h], eax
		mov	eax, [edi]
		mov	[ecx], eax
		mov	eax, [edi+4]
		mov	[ecx+4], eax
		mov	eax, [edi+8]
		mov	[ecx+8], eax
		mov	eax, [edi+0Ch]
		mov	[ecx+0Ch], eax
		add	ecx, 18h
		mov	eax, [ebp-14h]
		mov	[ebp+20h], ecx
		add	eax, 10h
		mov	ecx, [ebp-44h]
		add	ecx, eax
		lea	eax, [edx-18h]
		cmp	ecx, eax
		ja	loc_89B2A9
		mov	ecx, [ebp-14h]
		mov	eax, [edi+10h]
		add	dword ptr [ebp+0Ch], 18h
		mov	[ecx+10h], eax
		mov	eax, [edi]
		mov	[ecx], eax
		mov	eax, [edi+4]
		mov	[ecx+4], eax
		mov	eax, [edi+8]
		mov	[ecx+8], eax
		mov	eax, [edi+0Ch]
		mov	edi, [ebp-60h]
		mov	[ecx+0Ch], eax
		add	ecx, 18h
		mov	eax, [ebp-48h]
		inc	eax
		mov	[ebp-14h], ecx
		cmp	eax, [esi+4Ch]
		mov	ecx, [ebp+8]
		mov	[ebp-48h], eax
		mov	eax, [ebp-30h]
		jb	loc_89B0F7
		mov	edi, [ebp-18h]

loc_89B18F:				; CODE XREF: PAGE:0089B0DBj
		mov	edx, [ebp-1Ch]
		add	edi, 28h
		add	dword ptr [ebp-34h], 0Ch
		mov	eax, 170h
		add	[ebp+14h], eax
		add	esi, eax
		inc	edx
		mov	[ebp-18h], edi
		mov	edi, [ebp+10h]
		add	ecx, 30h
		mov	[ebp-30h], esi
		mov	[ebp-1Ch], edx
		mov	[ebp+8], ecx
		cmp	edx, edi
		jnb	short loc_89B1C2
		mov	edi, [ebp+14h]
		jmp	loc_89AFD5
; 

loc_89B1C2:				; CODE XREF: PAGE:0089B1B8j
		mov	ecx, [ebp-4]

loc_89B1C5:				; CODE XREF: PAGE:0089AF71j
		mov	eax, [ebp-64h]
		mov	[ebx+244h], eax
		mov	eax, [ebp-68h]
		add	eax, ecx
		cmp	dword ptr [ebp-8], 0
		mov	[ebx+248h], eax
		jbe	short loc_89B1F4
		mov	ecx, [ebp-28h]
		mov	edx, ebx
		push	edi
		call	_PopFxVerifyDependencies@12 ; PopFxVerifyDependencies(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_89B2FF

loc_89B1F4:				; CODE XREF: PAGE:0089B1DDj
		xor	edx, edx
		mov	[ebp+8], edx
		test	edi, edi
		jz	short loc_89B26A

loc_89B1FD:				; CODE XREF: PAGE:0089B268j
		mov	eax, [ebx+240h]
		and	dword ptr [ebp+0Ch], 0
		mov	eax, [eax+edx*4]
		mov	[ebp+14h], eax
		cmp	dword ptr [eax+78h], 0
		jbe	short loc_89B250
		mov	edi, [ebp+0Ch]

loc_89B216:				; CODE XREF: PAGE:0089B24Bj
		mov	eax, [eax+7Ch]
		mov	ecx, [eax+edi*8]
		mov	eax, [ebx+240h]
		mov	esi, [eax+ecx*4]
		mov	ecx, [esi+84h]
		mov	eax, [esi+88h]
		mov	[eax+ecx*8], edx
		mov	eax, [esi+88h]
		mov	[eax+ecx*8+4], edi
		mov	eax, [ebp+14h]
		inc	dword ptr [esi+84h]
		inc	edi
		cmp	edi, [eax+78h]
		jb	short loc_89B216
		mov	edi, [ebp+10h]

loc_89B250:				; CODE XREF: PAGE:0089B211j
		xor	ecx, ecx
		mov	edx, eax
		inc	ecx
		push	ecx
		push	0
		mov	ecx, ebx
		call	PopFxActivateComponent
		mov	edx, [ebp+8]
		inc	edx
		mov	[ebp+8], edx
		cmp	edx, edi
		jb	short loc_89B1FD

loc_89B26A:				; CODE XREF: PAGE:0089B1FBj
		mov	cl, [ebp+18h]
		test	cl, cl
		jle	short loc_89B28F
		mov	eax, [ebp-4]
		add	cl, 2
		add	eax, [ebp-4Ch]
		mov	[ebx+0Ch], eax
		push	0
		movzx	eax, cl
		push	eax
		call	IoAllocateIrp
		mov	[ebx+8], eax
		test	eax, eax
		jz	short loc_89B2A9

loc_89B28F:				; CODE XREF: PAGE:0089B26Fj
		mov	esi, [ebp-0Ch]
		mov	edx, [ebp-50h]
		mov	ecx, [ebp-6Ch]
		push	esi
		push	ebx
		call	PopFxRegisterDeviceWithPep
		test	al, al
		jz	loc_89B357
		jmp	short loc_89B2B0
; 

loc_89B2A9:				; CODE XREF: PAGE:0089AFE6j
					; PAGE:0089B09Fj ...
		mov	esi, 0C000009Ah
		jmp	short loc_89B2FF
; 

loc_89B2B0:				; CODE XREF: PAGE:0089B2A7j
		mov	ecx, ebx
		call	PopPlRegisterDevice
		test	edi, edi
		jz	short loc_89B2F3
		mov	esi, [ebp-70h]
		mov	ebx, [ebp-74h]
		add	esi, 1Ch

loc_89B2C4:				; CODE XREF: PAGE:0089B2EEj
		mov	eax, [esi-0Ch]
		and	eax, 2
		or	eax, 0
		jz	short loc_89B2D3
		or	dword ptr [ebx+38h], 2

loc_89B2D3:				; CODE XREF: PAGE:0089B2CDj
		mov	eax, [esi]
		mov	ecx, ebx
		mov	[ebp-20h], eax
		mov	[ebx+6Ch], eax
		call	PopPlRegisterComponent
		add	ebx, 170h
		add	esi, 28h
		sub	edi, 1
		jnz	short loc_89B2C4
		mov	ebx, [ebp-24h]

loc_89B2F3:				; CODE XREF: PAGE:0089B2B9j
		mov	eax, [ebp+24h]
		mov	[eax], ebx
		xor	ebx, ebx
		and	[ebp-4], ebx
		xor	esi, esi

loc_89B2FF:				; CODE XREF: PAGE:0089B1EEj
					; PAGE:0089B2AEj
		push	4D584650h
		push	dword ptr [ebp-0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89B30C:				; CODE XREF: PAGE:0089AEAEj
		test	ebx, ebx
		jz	short loc_89B321
		cmp	dword ptr [ebp-2Ch], 0
		jnz	short loc_89B321
		push	4D584650h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89B321:				; CODE XREF: PAGE:0089B30Ej
					; PAGE:0089B314j
		mov	eax, [ebp-4]
		test	eax, eax
		jz	short loc_89B333
		push	4D584650h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89B333:				; CODE XREF: PAGE:0089AE4Cj
					; PAGE:0089AE5Bj ...
		push	4D584650h
		push	dword ptr [ebp-28h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp-2Ch]
		test	eax, eax
		jz	short loc_89B34E
		mov	ecx, eax
		call	_PopFxReleaseAcpiRefDevice@8 ; PopFxReleaseAcpiRefDevice(x,x)

loc_89B34E:				; CODE XREF: PAGE:0089ACB7j
					; PAGE:0089ACDAj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_89B357:				; CODE XREF: PAGE:0089B2A1j
		push	0
		push	esi
		mov	edx, ebx
		mov	ecx, 601h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPepRegisterDevice proc near		; CODE XREF: PopFxRegisterDeviceWithPep+8Fp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0092E38B SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, [ebp+arg_8]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_20], edx
		push	esi
		mov	[eax], ebx
		mov	eax, [ebp+arg_0]
		push	edi
		mov	[ebp+var_24], ecx
		mov	esi, [eax+8]
		mov	[ebp+var_14], esi
		test	esi, esi
		jz	loc_89B67A
		mov	ecx, ebx
		add	eax, 0Ch
		mov	[ebp+var_8], ecx
		mov	edi, ebx
		mov	[ebp+var_10], eax

loc_89B39E:				; CODE XREF: PopPepRegisterDevice+69j
		mov	eax, [eax]
		mov	edx, [eax+1Ch]
		test	edx, edx
		jz	loc_89B67A
		js	loc_89B67A
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_89B67A
		mov	eax, [ebp+var_10]
		inc	edi
		mov	ecx, [ebp+var_8]
		add	eax, 4
		mov	[ebp+var_10], eax
		cmp	edi, esi
		jb	short loc_89B39E
		imul	edi, esi, 0A8h
		mov	[ebp+var_10], ebx
		add	edi, 88h
		test	ecx, ecx
		jz	short loc_89B3EE
		imul	eax, ecx, 18h
		mov	[ebp+var_10], edi
		add	edi, eax

loc_89B3EE:				; CODE XREF: PopPepRegisterDevice+7Cj
		imul	eax, esi, 3Ch
		push	54706550h
		add	eax, 3Ch
		add	eax, edi
		push	eax
		push	200h
		mov	[ebp+var_18], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], esi
		test	esi, esi
		jz	loc_89B67A
		push	[ebp+var_24]
		push	esi		; char
		push	offset ??_C@_0CF@FJDBEHMB@PopPep?3?5register?5device?5?$CI0x?$CFp?0?5@NNGAKEGL@	; "PopPep: register device (0x%p, %wZ)\n"
		push	3		; int
		push	92h		; int
		call	_DbgPrintEx
		add	esp, 14h
		push	[ebp+var_18]	; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		add	eax, esi
		mov	[ebp+var_4], eax
		lea	eax, [esi+edi]
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_20]
		mov	[esi+18h], eax
		mov	eax, [edi]
		mov	[esi+10h], eax
		mov	eax, [edi+4]
		push	ebx
		mov	[esi+14h], eax
		lea	eax, [esi+1Ch]
		push	ebx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, [ebp+var_14]
		mov	edx, ebx
		mov	ebx, [ebp+var_8]
		mov	eax, offset _ActivityAttributes
		mov	[esi+84h], ecx
		mov	[esi+5Ch], ecx
		lea	ecx, [esi+30h]
		mov	byte ptr [esi+58h], 1

loc_89B485:				; CODE XREF: PopPepRegisterDevice+138j
		cmp	edx, 5
		ja	short loc_89B494
		cmp	byte ptr [eax],	1
		jnz	short loc_89B494
		mov	[ecx], ebx
		add	ebx, 14h

loc_89B494:				; CODE XREF: PopPepRegisterDevice+120j
					; PopPepRegisterDevice+125j
		add	eax, 7Ch
		inc	edx
		add	ecx, 4
		cmp	eax, offset dword_4014F0
		jl	short loc_89B485
		or	dword ptr [esi+8], 1
		mov	eax, [esi+0Ch]
		mov	[ebp+var_8], ebx
		xor	ebx, ebx
		mov	edx, ebx
		mov	[esi+0Ch], eax
		mov	[ebp+var_20], edx
		cmp	[ebp+var_14], edx
		jz	loc_89B65F
		lea	eax, [edi+0Ch]
		mov	[ebp+var_10], 0FFFFFF78h
		lea	edi, [esi+98h]
		mov	[ebp+var_24], eax
		mov	[ebp+arg_0], edi

loc_89B4D5:				; CODE XREF: PopPepRegisterDevice+2F1j
		mov	eax, [eax]
		lea	ecx, [edi+20h]
		mov	[edi-8], edx
		mov	edx, ebx
		mov	ebx, [ebp+var_8]
		mov	[ebp+var_1C], eax
		mov	eax, offset _ActivityAttributes
		mov	dword ptr [edi-0Ch], 3
		mov	edi, [ebp+var_10]

loc_89B4F4:				; CODE XREF: PopPepRegisterDevice+1B1j
		mov	esi, ebx
		cmp	edx, 5
		ja	loc_89B683
		cmp	byte ptr [eax],	1
		jnz	loc_89B683
		mov	esi, [ecx+edi]

loc_89B50B:				; CODE XREF: PopPepRegisterDevice+31Ej
		mov	[ecx], esi
		add	eax, 7Ch
		inc	edx
		add	ecx, 4
		cmp	eax, offset dword_4014F0
		jl	short loc_89B4F4
		mov	edi, [ebp+arg_0]
		mov	esi, [ebp+var_C]
		mov	[ebp+var_8], ebx
		xor	ebx, ebx
		push	ebx
		push	ebx
		lea	eax, [edi+10h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edx, [ebp+var_1C]
		mov	eax, [edx+10h]
		mov	[edi], eax
		mov	eax, [edx+14h]
		mov	[edi+4], eax
		mov	eax, [edx+1Ch]
		mov	[edi+8Ch], eax
		dec	eax
		mov	ecx, [edx+18h]
		cmp	eax, ecx
		jb	short loc_89B552
		mov	eax, ecx

loc_89B552:				; CODE XREF: PopPepRegisterDevice+1E6j
		mov	[edx+18h], eax
		or	dword ptr [edi+40h], 0FFFFFFFFh
		or	dword ptr [edi+44h], 0FFFFFFFFh
		mov	[edi+64h], eax
		mov	eax, [ebp+var_4]
		mov	[edi+90h], eax
		mov	[edi+48h], ebx
		mov	[edi+4Ch], ebx
		mov	eax, [edi+2Ch]
		mov	[edi+50h], ebx
		mov	[edi+54h], ebx
		or	dword ptr [eax], 4
		mov	eax, [edx+1Ch]
		cmp	eax, 1
		ja	loc_89B68B

loc_89B587:				; CODE XREF: PopPepRegisterDevice+330j
		mov	[ebp+var_1C], ebx
		test	eax, eax
		jz	short loc_89B607
		mov	ecx, [ebp+var_18]
		push	0FFFFFFF8h
		add	ecx, 0FFFFFFE8h
		mov	[ebp+arg_0], ebx
		pop	eax
		sub	eax, esi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], eax

loc_89B5A2:				; CODE XREF: PopPepRegisterDevice+29Dj
		mov	esi, [ebp+var_4]
		add	esi, 8
		add	eax, esi
		mov	esi, [ebp+var_C]
		cmp	eax, ecx
		ja	loc_92E38B
		mov	ecx, [edx+20h]
		mov	esi, [ebp+var_4]
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+ecx]
		mov	[esi], eax
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+ecx+4]
		mov	ecx, esi
		mov	[ecx+4], eax
		mov	ecx, [edx+20h]
		mov	eax, [ebp+arg_0]
		mov	eax, [ecx+eax+8]
		mov	[esi+8], eax
		mov	eax, [ebp+arg_0]
		add	[ebp+arg_0], 18h
		mov	eax, [ecx+eax+0Ch]
		mov	ecx, esi
		mov	esi, [ebp+var_C]
		mov	[ecx+0Ch], eax
		add	ecx, 18h
		mov	eax, [ebp+var_28]
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+var_1C]
		inc	ecx
		cmp	ecx, [edx+1Ch]
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+var_2C]
		jb	short loc_89B5A2

loc_89B607:				; CODE XREF: PopPepRegisterDevice+224j
		push	dword ptr [edi+44h]
		lea	ecx, [edi-10h]
		mov	[edi+68h], ebx
		push	dword ptr [edi+40h]
		call	_PopPepComponentGetLatencyIdleState@12 ; PopPepComponentGetLatencyIdleState(x,x,x)
		push	dword ptr [edi+4Ch]
		mov	[edi+6Ch], eax
		push	dword ptr [edi+48h]
		call	_PopPepComponentGetResidencyIdleState@12 ; PopPepComponentGetResidencyIdleState(x,x,x)
		mov	edx, [ebp+var_20]
		mov	ecx, 0A8h
		sub	[ebp+var_10], ecx
		mov	[edi+70h], eax
		mov	eax, [edi+8Ch]
		dec	eax
		inc	edx
		mov	[edi+74h], eax
		mov	[edi+78h], eax
		mov	[edi+7Ch], eax
		add	edi, ecx
		mov	eax, [ebp+var_24]
		add	eax, 4
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], eax
		mov	[ebp+arg_0], edi
		cmp	edx, [ebp+var_14]
		jb	loc_89B4D5

loc_89B65F:				; CODE XREF: PopPepRegisterDevice+151j
		cmp	[ebp+arg_4], 2
		mov	bl, 1
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		jz	short loc_89B69D

loc_89B66C:				; CODE XREF: PopPepRegisterDevice+338j
		mov	edx, esi
		mov	dword ptr [esi+78h], 1
		call	PopPepInsertDevice

loc_89B67A:				; CODE XREF: PopPepRegisterDevice+23j
					; PopPepRegisterDevice+3Dj ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	0Ch
; 

loc_89B683:				; CODE XREF: PopPepRegisterDevice+191j
					; PopPepRegisterDevice+19Aj
		add	ebx, 14h
		jmp	loc_89B50B
; 

loc_89B68B:				; CODE XREF: PopPepRegisterDevice+219j
		mov	eax, [esi+0Ch]
		and	dword ptr [esi+8], 0FFFFFFFEh
		mov	[esi+0Ch], eax
		mov	eax, [edx+1Ch]
		jmp	loc_89B587
; 

loc_89B69D:				; CODE XREF: PopPepRegisterDevice+302j
		mov	[esi+4Ch], bl
		jmp	short loc_89B66C
PopPepRegisterDevice endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipProcessStartPhase1 proc near		; CODE XREF: PipProcessDevNodeTree+314p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092E39B SIZE 000000FE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, edx
		test	byte_6CD8BB, 10h
		mov	esi, ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], ebx
		jnz	loc_92E39B

loc_89B6C5:				; CODE XREF: PipProcessStartPhase1+92D09j
		cmp	[ebp+arg_0], ebx
		jnz	short loc_89B70F

loc_89B6CA:				; CODE XREF: PipProcessStartPhase1+77j
		mov	ecx, [esi+10h]
		xor	edx, edx
		inc	edx
		call	IopUncacheInterfaceInformation
		cmp	[esi+174h], ebx
		jnz	loc_92E3B0

loc_89B6E1:				; CODE XREF: PipProcessStartPhase1+92D3Bj
		cmp	_PipHalIommuSecurityEnabled, bl
		jnz	loc_92E3E2

loc_89B6ED:				; CODE XREF: PipProcessStartPhase1+92D48j
					; PipProcessStartPhase1+92D57j
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	PnpStartDeviceNode
		mov	edi, eax

loc_89B6F9:				; CODE XREF: PipProcessStartPhase1+7Ej
					; PipProcessStartPhase1+92D32j
		test	byte_6CD8BB, 10h
		jnz	loc_92E484

loc_89B706:				; CODE XREF: PipProcessStartPhase1+92DF2j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_89B70F:				; CODE XREF: PipProcessStartPhase1+26j
		test	dword ptr [esi+10Ch], 400000h
		jz	short loc_89B6CA
		mov	edi, 0C000022Dh
		jmp	short loc_89B6F9
PipProcessStartPhase1 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpStartDeviceNode proc	near		; CODE XREF: PipProcessStartPhase1+50p
					; PnpReallocateResources(x)+106p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092E499 SIZE 000000A8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, edx
		neg	edi
		mov	[ebp+var_18], ebx
		mov	esi, ecx
		mov	[ebp+var_14], ebx
		sbb	edi, edi
		mov	[ebp+var_10], ebx
		and	edi, 5
		mov	[ebp+var_C], ebx
		test	edx, edx
		jnz	short loc_89B75B
		mov	ecx, [esi+10h]
		call	_IopGetSessionIdFromPDO@4 ; IopGetSessionIdFromPDO(x)
		cmp	eax, 0FFFFFFFFh
		jnz	loc_89B825

loc_89B75B:				; CODE XREF: PnpStartDeviceNode+26j
					; PnpStartDeviceNode+112j
		cmp	[ebp+arg_0], ebx
		jnz	loc_92E49B
		test	byte ptr _PnpAsyncOptions, 1
		jz	loc_92E49B
		test	dword ptr [esi+10Ch], 400000h
		jnz	loc_92E49B
		mov	eax, [esi+10h]
		test	dword ptr [eax+1Ch], 4000h
		jnz	loc_92E49B
		cmp	_InitSafeBootMode, ebx
		jnz	loc_92E49B
		push	ecx
		lea	edx, [edi+306h]
		mov	ecx, esi
		call	_PnpDeviceCompletionRequestCreate@12 ; PnpDeviceCompletionRequestCreate(x,x,x)
		mov	ebx, eax
		mov	[ebp+arg_0], ebx
		test	ebx, ebx
		jz	loc_92E499
		lea	edx, [esi+14h]
		mov	ecx, offset _KMPnPEvt_DeviceStart_Start
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		push	ecx
		mov	edx, 305h
		mov	ecx, esi
		call	PipSetDevNodeState
		mov	edx, ebx
		mov	dword ptr [esi+108h], 103h
		call	PnpDeviceCompletionQueueAddDispatchedRequest
		mov	ecx, [esi+10h]
		mov	edx, offset _PnpDeviceCompletionRoutine@12 ; PnpDeviceCompletionRoutine(x,x,x)
		push	ebx
		call	_PnpStartDevice@12 ; PnpStartDevice(x,x,x)
		mov	ebx, eax
		cmp	ebx, 103h
		jnz	short loc_89B811
		lea	edx, [esi+14h]
		mov	ecx, offset _KMPnPEvt_DeviceStart_Pend
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)

loc_89B808:				; CODE XREF: PnpStartDeviceNode+101j
					; PnpStartDeviceNode+92E1Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_89B811:				; CODE XREF: PnpStartDeviceNode+D7j
		mov	edx, [ebp+arg_0]
		call	PnpDeviceCompletionQueueRemoveCompletedRequest
		mov	ecx, [ebp+arg_0]
		call	PnpDeviceCompletionProcessCompletedRequest
		mov	ebx, eax
		jmp	short loc_89B808
; 

loc_89B825:				; CODE XREF: PnpStartDeviceNode+33j
		mov	ecx, [esi+10h]
		mov	edx, 400h
		push	1
		call	PpMarkDeviceStackExtensionFlag
		jmp	loc_89B75B
PnpStartDeviceNode endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxFindDeviceAndAllocateUniqueId proc	near ; CODE XREF: PoFxPrepareDevice(x,x)+4Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092E541 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, edx
		lea	edx, [ebp+var_C]
		mov	[ebp+var_C], edi
		mov	esi, ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	_PopFxQueryBiosDeviceName@8 ; PopFxQueryBiosDeviceName(x,x)
		test	eax, eax
		js	short loc_89B89B
		lea	edx, [ebp+var_4]
		lea	ecx, [ebp+var_C]
		call	PopFxFindAcpiDeviceByUniqueId
		mov	edi, eax
		test	edi, edi
		jns	loc_92E541
		cmp	edi, 0C0000056h
		jz	loc_92E560
		mov	eax, [ebp+var_C]
		mov	[esi+48h], eax
		mov	eax, [ebp+var_8]
		mov	[esi+4Ch], eax

loc_89B88D:				; CODE XREF: PopFxFindDeviceAndAllocateUniqueId+92D21j
		xor	edi, edi

loc_89B88F:				; CODE XREF: PopFxFindDeviceAndAllocateUniqueId+6Dj
					; PopFxFindDeviceAndAllocateUniqueId+92D2Aj ...
		mov	eax, [ebp+var_4]
		mov	[ebx], eax
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_89B89B:				; CODE XREF: PopFxFindDeviceAndAllocateUniqueId+24j
		mov	eax, [esi+14h]
		mov	[esi+48h], eax
		mov	eax, [esi+18h]
		mov	[esi+4Ch], eax
		jmp	short loc_89B88F
PopFxFindDeviceAndAllocateUniqueId endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopUncacheInterfaceInformation proc near ; CODE	XREF: PipProcessStartPhase1+2Ep
					; IopDestroyDeviceNode+14A718p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092E57C SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, edx
		mov	[ebp+var_C], eax
		push	esi
		mov	esi, ecx
		push	edi
		test	eax, eax
		jz	short loc_89B8E0
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		push	0
		push	0
		push	4
		push	offset _PpRegistrySemaphore
		call	KeWaitForSingleObject

loc_89B8E0:				; CODE XREF: IopUncacheInterfaceInformation+14j
		test	esi, esi
		jz	short loc_89B94F
		mov	eax, [esi+0B0h]
		mov	edi, [eax+14h]

loc_89B8ED:				; CODE XREF: IopUncacheInterfaceInformation+A7j
		lea	ebx, [edi+148h]
		mov	esi, [ebx]

loc_89B8F5:				; CODE XREF: IopUncacheInterfaceInformation+92CFBj
		cmp	esi, ebx
		jnz	loc_92E57C
		lea	ebx, [edi+150h]
		mov	esi, [ebx]

loc_89B905:				; CODE XREF: IopUncacheInterfaceInformation+92D29j
		cmp	esi, ebx
		jnz	loc_92E5AA
		lea	eax, [edi+148h]
		mov	[ebx+4], ebx
		mov	[eax+4], eax
		mov	[eax], eax
		xor	eax, eax
		mov	[edi+15Ch], eax
		mov	[edi+158h], eax
		pop	edi
		pop	esi
		mov	[ebx], ebx
		pop	ebx
		cmp	[ebp+var_C], eax
		jz	short locret_89B94D
		push	eax
		push	1
		push	eax
		push	offset _PpRegistrySemaphore
		call	KeReleaseSemaphore
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

locret_89B94D:				; CODE XREF: IopUncacheInterfaceInformation+87j
		leave
		retn
; 

loc_89B94F:				; CODE XREF: IopUncacheInterfaceInformation+38j
		xor	edi, edi
		jmp	short loc_89B8ED
IopUncacheInterfaceInformation endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopFxConvertV1Components proc near	; CODE XREF: PoFxRegisterCoreDevice+45p
					; PoFxRegisterDevice+BBp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092E5D8 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		mov	eax, ecx
		mov	esi, edx
		xor	ecx, ecx
		mov	[ebp+var_20], eax
		mov	[ebp+var_4], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_10], ecx
		test	esi, esi
		jz	loc_89BB0D
		push	ebx
		push	edi
		mov	edi, ecx
		add	eax, 10h
		mov	[ebp+var_8], edi
		mov	ebx, ecx
		mov	[ebp+var_C], eax

loc_89B986:				; CODE XREF: PopFxConvertV1Components+5Ej
		mov	edx, [eax]
		test	edx, edx
		jz	loc_89BB0B
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_89BB0B
		mov	eax, [ebp+var_C]
		inc	ebx
		mov	edi, [ebp+var_8]
		add	eax, 1Ch
		mov	[ebp+var_C], eax
		cmp	ebx, esi
		jb	short loc_89B986
		push	30h
		pop	ecx
		mov	eax, esi
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_89BB0B
		mov	ebx, [ebp+var_4]
		mov	eax, edi
		push	18h
		pop	ecx
		mul	ecx
		add	ebx, 7
		lea	ecx, [ebp+var_10]
		push	edx
		and	ebx, 0FFFFFFF8h
		push	eax
		mov	[ebp+var_18], ebx
		mov	[ebp+var_4], ebx
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_89BB0B
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, ebx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_89BB0B
		mov	edi, [ebp+var_4]
		push	4D584650h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_89BB0B
		push	edi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+var_18]
		add	esp, 0Ch
		and	[ebp+var_14], 0
		add	eax, ebx
		mov	[ebp+var_10], eax
		test	esi, esi
		jz	loc_89BAFE
		mov	ecx, [ebp+var_20]
		lea	edi, [ebx+1Ch]
		add	ecx, 10h
		mov	[ebp+var_C], edi
		mov	[ebp+var_18], ecx
		mov	edx, esi

loc_89BA59:				; CODE XREF: PopFxConvertV1Components+1A4j
		add	edi, 0FFFFFFE4h
		lea	esi, [ecx-10h]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_C]
		mov	esi, [ebp+var_10]
		and	[ebp+var_C], 0
		and	dword ptr [edi-0Ch], 0
		and	dword ptr [edi-8], 0
		mov	eax, [ecx]
		mov	[edi], eax
		mov	[edi+4], esi
		mov	eax, [ecx+4]
		mov	[edi-4], eax
		cmp	dword ptr [ecx], 0
		jbe	short loc_89BAE3
		mov	eax, [ebp+var_4]
		and	[ebp+var_8], 0
		add	eax, 0FFFFFFE8h
		mov	[ebp+var_24], eax
		push	0FFFFFFF0h
		pop	eax
		sub	eax, ebx
		mov	[ebp+var_20], eax

loc_89BA9C:				; CODE XREF: PopFxConvertV1Components+18Dj
		add	eax, 10h
		add	eax, esi
		cmp	eax, [ebp+var_24]
		ja	short loc_89BB03
		mov	ecx, [ecx+8]
		add	ecx, [ebp+var_8]
		add	[ebp+var_8], 18h
		mov	eax, [ecx+10h]
		mov	[esi+10h], eax
		mov	eax, [ecx]
		mov	[esi], eax
		mov	eax, [ecx+4]
		mov	[esi+4], eax
		mov	eax, [ecx+8]
		mov	[esi+8], eax
		mov	eax, [ecx+0Ch]
		mov	ecx, [ebp+var_18]
		mov	[esi+0Ch], eax
		add	esi, 18h
		mov	eax, [ebp+var_C]
		inc	eax
		mov	[ebp+var_10], esi
		cmp	eax, [ecx]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_20]
		jb	short loc_89BA9C

loc_89BAE3:				; CODE XREF: PopFxConvertV1Components+131j
		mov	eax, [ebp+var_14]
		add	ecx, 1Ch
		inc	eax
		mov	[ebp+var_18], ecx
		add	edi, 30h
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], edi
		cmp	eax, edx
		jb	loc_89BA59

loc_89BAFE:				; CODE XREF: PopFxConvertV1Components+EEj
		mov	[ebp+var_1C], ebx
		xor	ebx, ebx

loc_89BB03:				; CODE XREF: PopFxConvertV1Components+150j
		test	ebx, ebx
		jnz	loc_92E5D8

loc_89BB0B:				; CODE XREF: PopFxConvertV1Components+36j
					; PopFxConvertV1Components+49j	...
		pop	edi
		pop	ebx

loc_89BB0D:				; CODE XREF: PopFxConvertV1Components+1Dj
		mov	eax, [ebp+var_1C]
		pop	esi
		leave
		retn
PopFxConvertV1Components endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopRegistryInitializeCallbacks proc near ; CODE	XREF: IoInitSystem:loc_AC0216p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 0092E5E8 SIZE 00000009 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		mov	ebx, eax
		mov	[ebp+var_C], eax
		push	esi
		mov	esi, offset _IopRegistryRegisteredCallbacks
		mov	[ebp+var_8], eax
		push	edi
		mov	byte ptr [ebp+var_1], al
		cmp	off_6B2D38, eax
		jz	short loc_89BBAD
		mov	edi, esi

loc_89BB3B:				; CODE XREF: IopRegistryInitializeCallbacks+97j
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_89BBB4
		push	esi
		call	eax

loc_89BB45:				; CODE XREF: IopRegistryInitializeCallbacks+A2j
		test	eax, eax
		js	loc_92E5E8
		push	dword ptr [esi]
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		and	dword ptr [esi+20h], 0
		lea	ecx, [ebp+var_1]
		push	ecx
		lea	edx, [esi+10h]
		mov	dword ptr [esi+28h], offset IopRegistryCallback
		lea	ecx, [ebp+var_C]
		mov	[esi+2Ch], ebx
		call	_IopRegistryOpenDeepestPath@12 ; IopRegistryOpenDeepestPath(x,x,x)
		test	eax, eax
		js	short loc_89BBA1
		push	1
		xor	ecx, ecx
		lea	eax, [esi+30h]
		push	ecx
		push	ecx
		push	1
		push	dword ptr [esi+4]
		push	eax
		push	1
		lea	eax, [esi+20h]
		push	eax
		push	ecx
		push	dword ptr [esi+10h]
		call	_ZwNotifyChangeKey@40 ;	ZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_89BBA1
		or	dword ptr [esi+14h], 1

loc_89BBA1:				; CODE XREF: IopRegistryInitializeCallbacks+63j
					; IopRegistryInitializeCallbacks+87j ...
		add	edi, 38h
		inc	ebx
		mov	esi, edi
		cmp	dword ptr [edi+8], 0
		jnz	short loc_89BB3B

loc_89BBAD:				; CODE XREF: IopRegistryInitializeCallbacks+23j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
; 

loc_89BBB4:				; CODE XREF: IopRegistryInitializeCallbacks+2Cj
		xor	eax, eax
		jmp	short loc_89BB45
IopRegistryInitializeCallbacks endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopRegistryCallback proc near		; DATA XREF: IopRegistryInitializeCallbacks+4Fo
					; IopRegistryCallback+3Fo

var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092E5F1 SIZE 0000006E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		imul	edi, esi, 38h
		mov	[esp+20h+var_C], eax
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_4], eax
		mov	[esp+20h+var_D], al
		lea	eax, [esp+20h+var_8]
		push	_IopRegistryRegisteredCallbacks[edi]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	ebx, dword_6B2D50[edi]
		and	dword ptr [ebx], 0
		mov	dword ptr [ebx+8], offset IopRegistryCallback
		mov	[ebx+0Ch], esi
		test	byte ptr dword_6B2D44[edi], 1
		jnz	loc_92E5F1
		lea	esi, dword_6B2D60[edi]

loc_89BC14:				; CODE XREF: IopRegistryCallback+92A73j
		lea	eax, [esp+13h]
		push	eax
		lea	edx, [esp+24h+var_C]
		lea	ecx, [esp+24h+var_8]
		call	_IopRegistryOpenDeepestPath@12 ; IopRegistryOpenDeepestPath(x,x,x)
		test	eax, eax
		js	loc_92E648
		push	dword_6B2D40[edi]
		call	_ZwClose@4	; ZwClose(x)
		cmp	[esp+20h+var_D], 1
		mov	eax, [esp+20h+var_C]
		mov	dword_6B2D40[edi], eax
		jz	loc_92E630

loc_89BC4E:				; CODE XREF: IopRegistryCallback+92A8Bj
		mov	eax, dword_6B2D34[edi]
		xor	edx, edx
		mov	ecx, dword_6B2D40[edi]
		push	1
		push	edx
		push	edx
		push	1
		push	eax
		push	esi
		push	1
		push	ebx
		push	edx
		push	ecx
		call	_ZwNotifyChangeKey@40 ;	ZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_92E648

loc_89BC76:				; CODE XREF: IopRegistryCallback+92A6Dj
					; IopRegistryCallback+92AA2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
IopRegistryCallback endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopRegistryOpenDeepestPath(x, x, x)
_IopRegistryOpenDeepestPath@12 proc near ; CODE	XREF: IopRegistryInitializeCallbacks+5Cp
					; IopRegistryCallback+69p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	eax, [esi]
		mov	[ebp+var_10], eax
		mov	eax, [esi+4]
		mov	[ebp+var_C], eax

loc_89BC9E:				; CODE XREF: IopRegistryOpenDeepestPath(x,x,x)+66j
		push	0
		push	10h
		lea	eax, [ebp+var_10]
		xor	edx, edx
		push	eax
		lea	ecx, [ebp+var_8]
		call	IopOpenRegistryKey
		mov	edx, eax
		test	edx, edx
		jns	short loc_89BCEA
		mov	cx, word ptr [ebp+var_10]
		test	cx, cx
		jz	short loc_89BCFE
		mov	edi, [ebp+var_C]

loc_89BCC2:				; CODE XREF: IopRegistryOpenDeepestPath(x,x,x)+5Bj
		movzx	eax, cx
		shr	eax, 1
		cmp	word ptr [edi+eax*2-2],	5Ch
		mov	eax, 0FFFEh
		jz	short loc_89BCDF
		add	cx, ax
		mov	word ptr [ebp+var_10], cx
		jnz	short loc_89BCC2
		jmp	short loc_89BCFE
; 

loc_89BCDF:				; CODE XREF: IopRegistryOpenDeepestPath(x,x,x)+52j
		add	cx, ax
		mov	word ptr [ebp+var_10], cx
		jnz	short loc_89BC9E
		jmp	short loc_89BCFE
; 

loc_89BCEA:				; CODE XREF: IopRegistryOpenDeepestPath(x,x,x)+34j
		mov	eax, [ebp+var_8]
		mov	[ebx], eax
		mov	ax, word ptr [ebp+var_10]
		cmp	ax, [esi]
		mov	eax, [ebp+arg_0]
		setz	cl
		mov	[eax], cl

loc_89BCFE:				; CODE XREF: IopRegistryOpenDeepestPath(x,x,x)+3Dj
					; IopRegistryOpenDeepestPath(x,x,x)+5Dj ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	4
_IopRegistryOpenDeepestPath@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall IopSymlinkRegistryCallback(x)
_IopSymlinkRegistryCallback@4 proc near	; CODE XREF: IopSymlinkRegistryInitCallback(x)+2p
					; IopRegistryCallback+92A3Fp ...
		mov	ecx, offset ??_C@_1IO@NFJIEDOB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		call	_IopSymlinkQueryEnabledClasses@4 ; IopSymlinkQueryEnabledClasses(x)
		test	eax, eax
		jns	short locret_89BD20
		mov	ecx, offset ??_C@_1HM@IHPPCBKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		call	_IopSymlinkQueryEnabledClasses@4 ; IopSymlinkQueryEnabledClasses(x)

locret_89BD20:				; CODE XREF: IopSymlinkRegistryCallback(x)+Cj
		retn	4
_IopSymlinkRegistryCallback@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSymlinkQueryEnabledClasses(x)
_IopSymlinkQueryEnabledClasses@4 proc near ; CODE XREF:	IopSymlinkRegistryCallback(x)+5p
					; IopSymlinkRegistryCallback(x)+13p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebp+var_5C]
		push	ecx
		push	eax
		mov	[ebp+var_4C], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_5C], esi
		mov	[ebp+var_58], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		push	20019h
		lea	eax, [ebp+var_5C]
		xor	edx, edx
		push	eax
		lea	ecx, [ebp+var_4C]
		call	IopOpenRegistryKey
		mov	ebx, eax
		test	ebx, ebx
		js	loc_89BE0A
		push	offset ??_C@_1DM@BLAIFNDD@?$AAS?$AAy?$AAm?$AAl?$AAi?$AAn?$AAk?$AAL?$AAo?$AAc?$AAa?$AAl?$AAT?$AAo?$AAL@NNGAKEGL@
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1DO@LNGINOPB@?$AAS?$AAy?$AAm?$AAl?$AAi?$AAn?$AAk?$AAL?$AAo?$AAc?$AAa?$AAl?$AAT?$AAo?$AAR@NNGAKEGL@
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_40], 1
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1EA@IEPMNFHB@?$AAS?$AAy?$AAm?$AAl?$AAi?$AAn?$AAk?$AAR?$AAe?$AAm?$AAo?$AAt?$AAe?$AAT?$AAo@NNGAKEGL@
		lea	eax, [ebp+var_30]
		mov	[ebp+var_34], 2
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1DO@HBJDDGDI@?$AAS?$AAy?$AAm?$AAl?$AAi?$AAn?$AAk?$AAR?$AAe?$AAm?$AAo?$AAt?$AAe?$AAT?$AAo@NNGAKEGL@
		lea	eax, [ebp+var_24]
		mov	[ebp+var_28], 8
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		pop	eax
		mov	[ebp+var_1C], eax
		mov	edi, esi

loc_89BDC4:				; CODE XREF: IopSymlinkQueryEnabledClasses(x)+DDj
		lea	ecx, [ebp+var_50]
		movzx	eax, di
		push	ecx
		imul	eax, 0Ch
		lea	ecx, [ebp+var_18]
		push	14h
		push	ecx
		lea	ecx, [ebp+var_48]
		push	2
		mov	[ebp+var_54], eax
		add	eax, ecx
		push	eax
		push	[ebp+var_4C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_89BE0A
		cmp	[ebp+var_C], 0
		jz	short loc_89BDFA
		mov	eax, [ebp+var_54]
		add	esi, [ebp+eax+var_40]

loc_89BDFA:				; CODE XREF: IopSymlinkQueryEnabledClasses(x)+CDj
		push	4
		inc	edi
		pop	eax
		cmp	di, ax
		jb	short loc_89BDC4
		mov	eax, offset _IopSymlinkEnabledTypes
		xchg	esi, [eax]

loc_89BE0A:				; CODE XREF: IopSymlinkQueryEnabledClasses(x)+45j
					; IopSymlinkQueryEnabledClasses(x)+C7j
		cmp	[ebp+var_4C], 0
		jz	short loc_89BE18
		push	[ebp+var_4C]
		call	_ZwClose@4	; ZwClose(x)

loc_89BE18:				; CODE XREF: IopSymlinkQueryEnabledClasses(x)+EAj
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopSymlinkQueryEnabledClasses@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtLockProductActivationKeys proc near	; DATA XREF: .text:00580FA8o

var_8B4		= dword	ptr -8B4h
var_8B0		= dword	ptr -8B0h
var_8AC		= dword	ptr -8ACh
var_8A8		= dword	ptr -8A8h
var_8A4		= dword	ptr -8A4h
var_8A0		= dword	ptr -8A0h
var_89C		= dword	ptr -89Ch
var_898		= dword	ptr -898h
var_894		= dword	ptr -894h
var_890		= dword	ptr -890h
var_88C		= dword	ptr -88Ch
var_888		= dword	ptr -888h
var_884		= dword	ptr -884h
var_880		= dword	ptr -880h
var_87C		= dword	ptr -87Ch
var_878		= dword	ptr -878h
var_870		= dword	ptr -870h
var_86C		= dword	ptr -86Ch
var_868		= dword	ptr -868h
var_864		= dword	ptr -864h
var_860		= dword	ptr -860h
var_859		= dword	ptr -859h
var_458		= dword	ptr -458h
var_44C		= dword	ptr -44Ch
var_448		= dword	ptr -448h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092E65F SIZE 00000036 BYTES
; FUNCTION CHUNK AT 0092E6BB SIZE 0000001C BYTES

		push	8A4h
		push	offset dword_6A7368
		call	__SEH_prolog4_GS
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_870], ebx
		xor	eax, eax
		mov	[ebp+var_87C], eax
		mov	[ebp+var_878], eax
		mov	[ebp+var_868], eax
		mov	[ebp+var_86C], eax
		push	0Fh
		pop	ecx
		mov	esi, offset dword_412E18
		lea	edi, [ebp+var_58]
		rep movsd
		mov	ecx, 0AB71h
		mov	edx, eax

loc_89BE70:				; CODE XREF: NtLockProductActivationKeys+56j
		movzx	eax, word ptr [ebp+edx*2+var_58]
		add	ecx, eax
		xor	ecx, eax
		movzx	ecx, cx
		inc	edx
		cmp	edx, 1Eh
		jb	short loc_89BE70
		mov	eax, 0B94Fh
		cmp	ax, cx
		jnz	loc_92E65F
		push	34h
		pop	edx
		mov	[ebp+var_860], edx

loc_89BE99:				; CODE XREF: NtLockProductActivationKeys+E4j
		mov	esi, [ebp+edx+var_58]
		mov	edi, [ebp+edx+var_54]
		mov	ebx, 0C6EF3720h
		push	20h
		pop	edx

loc_89BEA9:				; CODE XREF: NtLockProductActivationKeys+CBj
		mov	ecx, esi
		shr	ecx, 5
		mov	eax, esi
		shl	eax, 4
		xor	ecx, eax
		add	ecx, esi
		mov	eax, ebx
		shr	eax, 0Bh
		and	eax, 3
		mov	eax, ds:_abWPAStringKey[eax*4]
		add	eax, ebx
		xor	ecx, eax
		sub	edi, ecx
		add	ebx, 61C88647h
		mov	ecx, edi
		shr	ecx, 5
		mov	eax, edi
		shl	eax, 4
		xor	ecx, eax
		add	ecx, edi
		mov	eax, ebx
		and	eax, 3
		mov	eax, ds:_abWPAStringKey[eax*4]
		add	eax, ebx
		xor	ecx, eax
		sub	esi, ecx
		sub	edx, 1
		jnz	short loc_89BEA9
		mov	edx, [ebp+var_860]
		mov	[ebp+edx+var_58], esi
		mov	[ebp+edx+var_54], edi
		sub	edx, 1
		mov	[ebp+var_860], edx
		jns	short loc_89BE99
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_87C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		mov	ebx, [ebp+var_870]
		jnz	loc_92E669
		test	ebx, ebx
		jnz	loc_92E6BB

loc_89BF42:				; CODE XREF: NtLockProductActivationKeys+92866j
					; NtLockProductActivationKeys+92898j
		mov	[ebp+var_8B4], 18h
		xor	ecx, ecx
		mov	[ebp+var_8B0], ecx
		mov	[ebp+var_8A8], 240h
		lea	eax, [ebp+var_87C]
		mov	[ebp+var_8AC], eax
		mov	[ebp+var_8A4], ecx
		mov	[ebp+var_8A0], ecx
		lea	eax, [ebp+var_8B4]
		push	eax
		push	20019h
		lea	eax, [ebp+var_868]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_89C14E
		xor	ecx, ecx
		mov	[ebp+var_860], ecx
		lea	eax, [ebp+var_86C]
		push	eax
		push	400h
		lea	eax, [ebp+var_458]
		push	eax
		push	ecx
		push	ecx

loc_89BFB5:				; CODE XREF: NtLockProductActivationKeys+2F4j
		push	[ebp+var_868]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	loc_89C123
		and	[ebp+var_884], 0
		and	[ebp+var_880], 0
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_89C]
		rep stosd
		and	[ebp+var_864], eax
		test	esi, esi
		js	loc_89C15A
		mov	eax, [ebp+var_44C]
		add	eax, 40h
		mov	esi, 400h
		cmp	eax, esi
		ja	loc_92E6C7
		lea	eax, [ebp+var_58]
		push	eax
		push	200h
		lea	eax, [ebp+var_859+1]
		push	eax
		call	_wcscpy_s
		mov	eax, [ebp+var_44C]
		shr	eax, 1
		push	eax
		lea	eax, [ebp+var_448]
		push	eax
		mov	edi, 200h
		push	edi
		lea	eax, [ebp+var_859+1]
		push	eax
		call	_wcsncat_s
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		push	edi
		lea	eax, [ebp+var_859+1]
		push	eax
		call	_wcscat_s
		add	esp, 28h
		lea	eax, [ebp+var_859+1]
		push	eax
		lea	eax, [ebp+var_884]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_89C], 18h
		xor	ecx, ecx
		mov	[ebp+var_898], ecx
		mov	[ebp+var_890], 240h
		lea	eax, [ebp+var_884]
		mov	[ebp+var_894], eax
		mov	[ebp+var_88C], ecx
		mov	[ebp+var_888], ecx
		lea	eax, [ebp+var_89C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_864]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_89C156
		mov	byte ptr [ebp+var_859],	0
		lea	edx, [ebp+var_859]
		mov	ecx, [ebp+var_864]
		call	_IsRegistryKeyLocked@8 ; IsRegistryKeyLocked(x,x)
		test	eax, eax
		js	short loc_89C152
		cmp	byte ptr [ebp+var_859],	0
		jnz	short loc_89C0F0
		push	[ebp+var_864]
		call	_ZwLockRegistryKey@4 ; ZwLockRegistryKey(x)

loc_89C0F0:				; CODE XREF: NtLockProductActivationKeys+2B9j
		test	eax, eax
		js	short loc_89C152

loc_89C0F4:				; CODE XREF: NtLockProductActivationKeys+32Aj
		push	[ebp+var_864]
		call	_ZwClose@4	; ZwClose(x)

loc_89C0FF:				; CODE XREF: NtLockProductActivationKeys+32Ej
		mov	eax, [ebp+var_860]
		inc	eax
		mov	[ebp+var_860], eax

loc_89C10C:				; CODE XREF: NtLockProductActivationKeys+928A8j
		lea	ecx, [ebp+var_86C]
		push	ecx
		push	esi
		lea	ecx, [ebp+var_458]
		push	ecx
		push	0
		push	eax
		jmp	loc_89BFB5
; 

loc_89C123:				; CODE XREF: NtLockProductActivationKeys+19Ej
					; NtLockProductActivationKeys+332j
		push	[ebp+var_868]
		call	_ZwClose@4	; ZwClose(x)
		sub	esi, 8000001Ah
		neg	esi
		sbb	esi, esi
		and	esi, ebx
		mov	eax, esi

loc_89C13C:				; CODE XREF: NtLockProductActivationKeys+326j
					; NtLockProductActivationKeys+9283Aj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_89C14E:				; CODE XREF: NtLockProductActivationKeys+168j
		mov	eax, ebx
		jmp	short loc_89C13C
; 

loc_89C152:				; CODE XREF: NtLockProductActivationKeys+2B0j
					; NtLockProductActivationKeys+2C8j
		mov	ebx, eax
		jmp	short loc_89C0F4
; 

loc_89C156:				; CODE XREF: NtLockProductActivationKeys+290j
		mov	ebx, eax
		jmp	short loc_89C0FF
; 

loc_89C15A:				; CODE XREF: NtLockProductActivationKeys+1C7j
		mov	ebx, esi
		jmp	short loc_89C123
NtLockProductActivationKeys endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IsRegistryKeyLocked(x, x)
_IsRegistryKeyLocked@8 proc near	; CODE XREF: NtLockProductActivationKeys+2A9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, edx
		push	ebx
		lea	edx, [ebp+var_4]
		mov	[ebp+var_4], ebx
		push	edx
		push	ebx
		mov	[edi], bl
		mov	eax, ds:_CmKeyObjectType
		push	eax
		push	20019h
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_89C1A0
		mov	ecx, [ebp+var_4]
		mov	edx, [ecx+8]
		mov	dl, [edx+4]
		and	dl, 80h
		mov	[edi], dl
		call	ObfDereferenceObject

loc_89C1A0:				; CODE XREF: IsRegistryKeyLocked(x,x)+2Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_IsRegistryKeyLocked@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFindSubkeyInHashByChildCell proc near ; CODE	XREF: CmpFindSubKeyByNumberEx+CEp
					; CmpFindSubKeyByNumberEx+11275Cp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0092E6D7 SIZE 000000C6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		or	[ebp+var_20], 0FFFFFFFFh
		mov	ebx, edx
		and	[ebp+var_1C], 0
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		mov	eax, [esi+434h]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_8]
		and	dword ptr [eax], 0
		mov	eax, [edi+8]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+arg_4]
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_92E6D7
		imul	edx, [ebp+var_C], 25h
		lea	ecx, [eax+4Ch]
		test	byte ptr [eax+2], 20h
		mov	[ebp+var_C], edx
		movzx	edx, word ptr [eax+48h]
		jz	loc_92E6E1
		call	_CmpHashCompressedComponent@8 ;	CmpHashCompressedComponent(x,x)

loc_89C207:				; CODE XREF: CmpFindSubkeyInHashByChildCell+9254Cj
		add	eax, [ebp+var_C]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, ebx
		mov	ecx, edi
		call	CmpUnlockTwoKcbs
		mov	ecx, [ebp+var_C]
		lea	eax, [edi+10h]
		push	ecx
		mov	ecx, [eax]
		mov	[ebp+var_14], eax
		call	CmpLockHashEntryShared
		mov	edx, ebx
		mov	ecx, edi
		call	_CmpLockTwoKcbsShared@8	; CmpLockTwoKcbsShared(x,x)
		push	[ebp+var_C]
		mov	ecx, esi
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		mov	esi, [ebp+var_10]
		imul	eax, 0Ch
		mov	esi, [eax+esi+8]
		test	esi, esi
		jnz	loc_92E6F9

loc_89C254:				; CODE XREF: CmpFindSubkeyInHashByChildCell+9259Cj
					; CmpFindSubkeyInHashByChildCell+925F0j
		mov	ecx, [ebp+var_14]
		push	[ebp+var_C]
		mov	ecx, [ecx]
		call	_CmpUnlockHashEntry@8 ;	CmpUnlockHashEntry(x,x)
		xor	eax, eax

loc_89C263:				; CODE XREF: CmpFindSubkeyInHashByChildCell+92534j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
CmpFindSubkeyInHashByChildCell endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetHashIndexInHive(x, x)
_CmpGetHashIndexInHive@8 proc near	; CODE XREF: CmpFindKcbInHashEntryByName+1Cp
					; CmpUnlockHashEntryByKcb(x)+10p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ecx+438h]
		shr	eax, 9
		xor	eax, [ebp+arg_0]
		imul	edx, eax, 18AA3h
		mov	eax, edx
		shr	eax, 9
		xor	eax, edx
		dec	ecx
		and	eax, ecx
		pop	ebp
		retn	4
_CmpGetHashIndexInHive@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpHashCompressedComponent(x, x)
_CmpHashCompressedComponent@8 proc near	; CODE XREF: CmDeleteLayeredKey(x,x,x)+2ECp
					; CmpFindSubkeyInHashByChildCell+5Ap ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, edx
		xor	esi, esi
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	short loc_89C2B9

loc_89C2A1:				; CODE XREF: CmpHashCompressedComponent(x,x)+25j
		mov	cl, [edi]
		movzx	eax, cl
		cmp	cl, 61h
		jnb	short loc_89C2BF

loc_89C2AB:				; CODE XREF: CmpHashCompressedComponent(x,x)+3Cj
		imul	esi, 25h
		movzx	ecx, ax
		add	esi, ecx
		inc	edi
		sub	ebx, 1
		jnz	short loc_89C2A1

loc_89C2B9:				; CODE XREF: CmpHashCompressedComponent(x,x)+Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_89C2BF:				; CODE XREF: CmpHashCompressedComponent(x,x)+17j
		cmp	cl, 7Ah
		jbe	short loc_89C2D0
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)

loc_89C2CB:				; CODE XREF: CmpHashCompressedComponent(x,x)+41j
		movzx	eax, ax
		jmp	short loc_89C2AB
; 

loc_89C2D0:				; CODE XREF: CmpHashCompressedComponent(x,x)+30j
		add	eax, 0FFFFFFE0h
		jmp	short loc_89C2CB
_CmpHashCompressedComponent@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SshpQueryRegistryULong(x, x, x)
_SshpQueryRegistryULong@12 proc	near	; CODE XREF: SshpQueryRegistryValues()+15p
					; SshpQueryRegistryValues()+33p

var_458		= dword	ptr -458h
var_454		= dword	ptr -454h
var_450		= dword	ptr -450h
var_44C		= dword	ptr -44Ch
var_448		= dword	ptr -448h
var_420		= dword	ptr -420h
var_41C		= dword	ptr -41Ch
var_214		= dword	ptr -214h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 458h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_420]
		xor	ebx, ebx
		push	eax		; int
		push	208h		; int
		lea	eax, [ebp+var_41C]
		mov	esi, edx
		push	eax		; void *
		push	ebx		; int
		push	offset ??_C@_1GO@EIGBCGIE@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; void	*
		push	ebx		; int
		push	offset ??_C@_1CG@NPABGACC@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAS?$AAt?$AAu?$AAd?$AAy?$AAS?$AAe?$AAt?$AAt?$AAi@NNGAKEGL@	; int
		mov	edi, ecx
		call	RtlGetPersistedStateLocation
		test	eax, eax
		js	loc_89C3A2
		push	offset ??_C@_1CG@ECHCOIBH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\"
		mov	edx, 104h
		lea	ecx, [ebp+var_214]
		call	RtlStringCchCopyW
		test	eax, eax
		js	short loc_89C3A2
		lea	eax, [ebp+var_41C]
		mov	edx, 104h
		push	eax
		lea	ecx, [ebp+var_214]
		call	_RtlStringCchCatW@12 ; RtlStringCchCatW(x,x,x)
		test	eax, eax
		js	short loc_89C3A2
		push	38h		; size_t
		lea	eax, [ebp+var_458]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_454], 124h
		lea	eax, [ebp+var_458]
		mov	[ebp+var_450], edi
		lea	edx, [ebp+var_214]
		mov	[ebp+var_44C], esi
		mov	[ebp+var_448], 4000000h
		push	1
		push	ecx
		push	ebx
		push	eax
		xor	ecx, ecx
		call	RtlpQueryRegistryValues
		test	eax, eax
		jns	short loc_89C3A7

loc_89C3A2:				; CODE XREF: SshpQueryRegistryULong(x,x,x)+44j
					; SshpQueryRegistryULong(x,x,x)+61j ...
		mov	eax, [ebp+arg_0]
		mov	[esi], eax

loc_89C3A7:				; CODE XREF: SshpQueryRegistryULong(x,x,x)+CAj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_SshpQueryRegistryULong@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckMatchingFiles(x, x, x, x, x, x, x)
_SdbpCheckMatchingFiles@28 proc	near	; DATA XREF: .text:off_4045E4o
					; .text:004046E4o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, esi
		mov	[esp+2Ch+var_1C], esi
		push	edi
		mov	[esp+30h+var_18], ebx
		mov	[esp+30h+var_20], esi
		call	_Feature_CompatBuildInVb__private_IsEnabledDeviceUsage@0 ; Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()
		test	eax, eax
		jnz	short loc_89C3F3
		mov	eax, [ebp+arg_14]
		cmp	[eax+2Ch], esi
		jz	short loc_89C3F3

loc_89C3E7:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+E5j
		xor	edi, edi
		inc	edi
		mov	[esp+30h+var_1C], edi
		jmp	loc_89C5D2
; 

loc_89C3F3:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+25j
					; SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+2Dj
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_8]
		push	6001h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_89C5D4
		mov	ecx, [ebp+arg_8]
		mov	edx, eax
		call	SdbGetStringTagPtr
		mov	edi, eax
		mov	[esp+30h+var_4], edi
		test	edi, edi
		jnz	short loc_89C43D
		push	offset ??_C@_0CL@CODINPLA@Failed?5to?5get?5the?5string?5from?5t@NNGAKEGL@
		push	0B7Fh

loc_89C429:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+11Ej
		push	(offset	loc_8C3049+5)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_89C5D4
; 

loc_89C43D:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+65j
		cmp	word ptr [edi],	2Ah
		mov	ecx, [ebp+arg_14]
		mov	eax, [ecx+4]
		jnz	short loc_89C4A6
		test	eax, eax
		jz	short loc_89C496
		mov	edx, [ebp+arg_4]
		lea	ecx, [esp+30h+var_1C]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		call	_SdbpCheckAllAttributes@20 ; SdbpCheckAllAttributes(x,x,x,x,x)
		mov	ecx, eax
		call	AslFileNotFound
		test	eax, eax
		jz	short loc_89C473

loc_89C46B:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+BDj
		xor	esi, esi
		inc	esi
		jmp	loc_89C5D4
; 

loc_89C473:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+B1j
		test	ecx, ecx
		jns	short loc_89C46B
		push	ecx
		push	(offset	loc_8C3060+6)
		push	0B98h
		push	(offset	loc_8C3049+5)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_89C5D4
; 

loc_89C496:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+93j
		call	_Feature_CompatBuildInVb__private_IsEnabledDeviceUsage@0 ; Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()
		test	eax, eax
		jnz	loc_89C3E7
		mov	ecx, [ebp+arg_14]

loc_89C4A6:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+8Fj
		mov	edx, edi
		lea	edi, [edx+2]

loc_89C4AB:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+FCj
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, si
		jnz	short loc_89C4AB
		sub	edx, edi
		sar	edx, 1
		test	byte ptr [ecx],	1
		mov	[esp+30h+var_8], edx
		jnz	short loc_89C4E2
		call	SdbpInitializeSearchDBContext
		test	eax, eax
		jnz	short loc_89C4DB
		push	offset ??_C@_0CF@DDPIMIDA@Failed?5to?5initialize?5SEARCHDBCO@NNGAKEGL@
		push	0BBEh
		jmp	loc_89C429
; 

loc_89C4DB:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+112j
		mov	ecx, [ebp+arg_14]
		mov	edx, [esp+30h+var_8]

loc_89C4E2:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+109j
		mov	eax, [ecx+24h]
		xor	edi, edi
		inc	edi
		mov	[esp+30h+var_C], eax
		mov	[esp+30h+var_10], esi
		cmp	[eax], esi
		jle	loc_89C5B9
		add	eax, 4
		mov	[esp+30h+var_14], eax

loc_89C4FF:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+1FBj
		lea	ebx, [esp+30h+var_18]
		push	ebx		; int
		push	eax		; int
		push	edx		; int
		push	[esp+3Ch+var_4]	; void *
		mov	edx, ecx
		mov	ecx, [ebp+arg_4]
		call	SdbpResolveMatchingFile
		test	eax, eax
		jz	loc_89C610
		mov	ebx, [esp+30h+var_18]
		lea	ecx, [esp+30h+var_20]
		push	esi
		push	esi
		push	esi
		mov	edx, ebx
		mov	[esp+3Ch+var_20], esi
		call	AslFileMappingCreate
		test	eax, eax
		jns	short loc_89C54F
		test	ebx, ebx
		jz	short loc_89C545
		push	74705041h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89C545:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+180j
		mov	eax, [esp+30h+var_20]
		mov	[esp+30h+var_20], eax
		jmp	short loc_89C58E
; 

loc_89C54F:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+17Cj
		mov	eax, [esp+30h+var_20]
		lea	ecx, [esp+30h+var_1C]
		mov	edx, [ebp+arg_4]
		push	eax
		push	[ebp+arg_10]
		mov	[esp+38h+var_20], eax
		push	[ebp+arg_8]
		call	_SdbpCheckAllAttributes@20 ; SdbpCheckAllAttributes(x,x,x,x,x)
		test	eax, eax
		jns	loc_89C600
		mov	ecx, [esp+30h+var_20]
		call	AslFileMappingDelete
		mov	[esp+30h+var_20], esi
		test	ebx, ebx
		jz	short loc_89C58E
		push	74705041h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89C58E:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+195j
					; SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+1C9j
		mov	ecx, [esp+30h+var_C]
		mov	ebx, esi
		mov	eax, [esp+30h+var_10]
		add	[esp+30h+var_14], 18h
		inc	eax
		mov	edx, [esp+30h+var_8]
		cmp	eax, [ecx]
		mov	ecx, [ebp+arg_14]
		mov	[esp+30h+var_10], eax
		mov	eax, [esp+30h+var_14]
		mov	[esp+30h+var_18], ebx
		jl	loc_89C4FF

loc_89C5B9:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+13Aj
					; SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+251j ...
		mov	eax, [esp+30h+var_4]
		movzx	eax, word ptr [eax]
		cmp	eax, 25h
		jz	short loc_89C5CF
		cmp	eax, 5Ch
		jz	short loc_89C5CF
		cmp	eax, 2Eh
		jnz	short loc_89C5D2

loc_89C5CF:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+20Bj
					; SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+210j
		mov	[ecx+28h], edi

loc_89C5D2:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+36j
					; SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+215j
		mov	esi, edi

loc_89C5D4:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+4Dj
					; SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+80j ...
		mov	ecx, [esp+30h+var_20]
		call	AslFileMappingDelete
		test	ebx, ebx
		jz	short loc_89C5EC
		push	74705041h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89C5EC:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+227j
		mov	edx, [ebp+arg_0]
		mov	eax, esi
		mov	ecx, [esp+30h+var_1C]
		pop	edi
		pop	esi
		mov	[edx], ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_89C600:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+1B4j
		mov	eax, [esp+30h+var_10]
		mov	ecx, [ebp+arg_14]
		test	eax, eax
		jle	short loc_89C5B9
		mov	[ecx+28h], edi
		jmp	short loc_89C5B9
; 

loc_89C610:				; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+15Ej
		push	offset ??_C@_0CA@GEALLKGN@Failed?5to?5resolve?5matching?5file@NNGAKEGL@
		push	0BD6h
		push	(offset	loc_8C3049+5)
		push	1
		call	AslLogCallPrintf
		mov	ebx, [esp+40h+var_18]
		add	esp, 10h
		jmp	short loc_89C5D4
_SdbpCheckMatchingFiles@28 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SdbpResolveMatchingFile(void *,int,int,int)
SdbpResolveMatchingFile	proc near	; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+157p
					; SdbpCheckMatchingDir(x,x,x,x,x,x,x)+BCp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092E79D SIZE 00000179 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_C]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_10], edx
		push	edi
		mov	[eax], ebx
		mov	edi, ecx
		mov	eax, 0FFFFh
		mov	[ebp+var_18], edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4], ebx
		mov	[ebp+var_14], ebx
		test	eax, eax
		jz	loc_92E79D
		push	esi
		mov	esi, [ebp+arg_0]
		push	25h
		pop	ecx
		cmp	[esi], cx
		jnz	loc_92E7E7
		sub	esp, 0Ch
		lea	edx, [ebp+var_8]
		lea	ecx, [ebp+var_C]
		call	AslEnvGetProcessWowInfo
		test	eax, eax
		js	loc_92E7BB
		mov	cx, [edi+1A8h]
		call	AslImageFileToArchitecture
		movzx	eax, ax
		mov	ecx, 0FFFFh
		cmp	ax, cx
		jnz	short loc_89C6A8
		movzx	eax, word ptr [ebp+var_8]

loc_89C6A8:				; CODE XREF: SdbpResolveMatchingFile+72j
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		push	eax		; int
		push	[ebp+var_C]	; int
		lea	eax, [ebp+var_4]
		mov	ecx, [ecx+1Ch]
		push	eax		; int
		push	ebx		; void *
		push	ebx		; int
		call	AslEnvExpandStrings2
		test	eax, eax
		jns	short loc_89C6CE
		cmp	eax, 0C0000023h
		jnz	loc_92E7C8

loc_89C6CE:				; CODE XREF: SdbpResolveMatchingFile+91j
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+eax]
		mov	[ebp+var_4], ecx

loc_89C6D7:				; CODE XREF: SdbpResolveMatchingFile+921FAj
		lea	eax, [ebp+var_4]
		push	eax
		push	14h
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_92E82F
		mov	eax, [ebp+var_4]
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_92E83B
		mov	edi, 208h
		cmp	[ebp+var_4], edi
		jnb	loc_92E847

loc_89C713:				; CODE XREF: SdbpResolveMatchingFile+9221Aj
		push	ecx
		mov	edx, edi
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_92E84F
		mov	eax, [ebp+arg_0]
		push	25h
		pop	ecx
		cmp	[eax], cx
		jnz	loc_92E8BB
		sub	esp, 0Ch
		lea	edx, [ebp+var_8]
		lea	ecx, [ebp+var_C]
		call	AslEnvGetProcessWowInfo
		test	eax, eax
		js	loc_92E86D
		mov	eax, [ebp+var_18]
		mov	cx, [eax+1A8h]
		call	AslImageFileToArchitecture
		movzx	eax, ax
		mov	ecx, 0FFFFh
		cmp	ax, cx
		jnz	short loc_89C76A
		movzx	eax, word ptr [ebp+var_8]

loc_89C76A:				; CODE XREF: SdbpResolveMatchingFile+134j
		mov	edx, [ebp+arg_0]
		push	eax		; int
		push	[ebp+var_C]	; int
		lea	eax, [ebp+var_4]
		shr	edi, 1
		push	eax		; int
		mov	eax, [ebp+var_10]
		push	edi		; void *
		push	esi		; int
		mov	ecx, [eax+1Ch]
		call	AslEnvExpandStrings2
		test	eax, eax
		js	loc_92E899

loc_89C78C:				; CODE XREF: SdbpResolveMatchingFile+922BEj
		push	edi		; int
		mov	edx, esi	; int
		mov	ecx, esi	; wchar_t *
		call	AslPathClean
		test	eax, eax
		js	loc_92E87A
		mov	edx, esi
		lea	ecx, [ebp+var_14]
		call	AslPathToNetworkPathNt
		test	eax, eax
		jns	loc_92E8F3
		push	4		; size_t
		mov	edi, offset ??_C@_19JHEHLFPM@?$AA?2?$AA?$DP?$AA?$DP?$AA?2@NNGAKEGL@ ; "\\??\\"
		push	edi		; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_89C7F7
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_89C7CA:				; CODE XREF: SdbpResolveMatchingFile+1A3j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_89C7CA
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		push	eax		; size_t
		lea	eax, [esi+8]
		push	esi		; void *
		push	eax		; void *
		call	_memmove
		push	8		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memmove
		add	esp, 18h

loc_89C7F7:				; CODE XREF: SdbpResolveMatchingFile+193j
					; SdbpResolveMatchingFile+922D1j
		mov	eax, [ebp+arg_C]
		mov	[eax], esi
		mov	esi, ebx
		xor	ebx, ebx
		inc	ebx

loc_89C801:				; CODE XREF: SdbpResolveMatchingFile+92264j
					; SdbpResolveMatchingFile+92286j
		test	esi, esi
		jnz	loc_92E906

loc_89C809:				; CODE XREF: SdbpResolveMatchingFile+921B2j
					; SdbpResolveMatchingFile+92238j ...
		pop	esi

loc_89C80A:				; CODE XREF: SdbpResolveMatchingFile+92186j
		pop	edi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
SdbpResolveMatchingFile	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	AslEnvExpandStrings2(int,void *,int,int,int)
AslEnvExpandStrings2 proc near		; CODE XREF: SdbpResolveMatchingFile+8Ap
					; SdbpResolveMatchingFile+14Fp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0092E916 SIZE 00000060 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_10], ecx
		push	edi
		mov	esi, edx
		mov	[ebp+var_8], ebx
		mov	edi, ebx
		mov	[ebp+var_4], ebx
		lea	ecx, [edx+2]

loc_89C82F:				; CODE XREF: AslEnvExpandStrings2+26j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, bx
		jnz	short loc_89C82F
		sub	edx, ecx
		mov	ecx, [ebp+arg_0]
		sar	edx, 1
		lea	eax, [edx+1]
		mov	[ebp+var_C], eax
		test	ecx, ecx
		jz	short loc_89C850
		xor	edx, edx
		mov	[ecx], dx

loc_89C850:				; CODE XREF: AslEnvExpandStrings2+37j
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jz	short loc_89C85B
		xor	ecx, ecx
		mov	[ebx], ecx

loc_89C85B:				; CODE XREF: AslEnvExpandStrings2+43j
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx
		push	[ebp+arg_10]
		xor	ecx, ecx
		push	[ebp+arg_C]
		push	ecx
		push	ecx
		mov	ecx, esi
		call	AslpEnvResolveVars
		cmp	eax, 0C0000023h
		jnz	loc_92E916
		mov	eax, [ebp+var_4]
		cmp	[ebp+var_C], eax
		jz	short loc_89C8CF
		push	ecx
		lea	edx, [eax+eax]
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_92E927
		mov	edx, esi
		lea	ecx, [edx+2]

loc_89C89D:				; CODE XREF: AslEnvExpandStrings2+95j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_8]
		jnz	short loc_89C89D
		lea	eax, [ebp+var_4]
		sub	edx, ecx
		push	eax
		push	[ebp+arg_10]
		sar	edx, 1
		mov	ecx, esi
		push	[ebp+arg_C]
		inc	edx
		push	[ebp+var_4]
		push	edi
		call	AslpEnvResolveVars
		mov	esi, eax
		test	esi, esi
		js	loc_92E94A
		mov	esi, edi

loc_89C8CF:				; CODE XREF: AslEnvExpandStrings2+71j
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_89C8D4:				; CODE XREF: AslEnvExpandStrings2+CCj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_8]
		jnz	short loc_89C8D4
		push	ebx		; int
		push	[ebp+arg_4]	; void *
		sub	ecx, edx
		mov	edx, esi
		push	[ebp+arg_0]	; int
		sar	ecx, 1
		push	ecx		; int
		mov	ecx, [ebp+var_10]
		call	AslEnvExpandStrings
		mov	esi, eax
		test	esi, esi
		jns	short loc_89C908
		cmp	esi, 0C0000023h
		jnz	loc_92E957

loc_89C908:				; CODE XREF: AslEnvExpandStrings2+E8j
					; AslEnvExpandStrings2+9215Fj
		test	edi, edi
		jz	short loc_89C917
		push	74705041h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89C917:				; CODE XREF: AslEnvExpandStrings2+F8j
					; AslEnvExpandStrings2+92133j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
AslEnvExpandStrings2 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AslpEnvResolveVars proc	near		; CODE XREF: AslEnvExpandStrings2+5Bp
					; AslEnvExpandStrings2+ACp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h
arg_C		= word ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0092E976 SIZE 00000104 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], ecx
		push	edi
		xor	eax, eax
		mov	[ebp+var_14], esi
		xor	edx, edx
		mov	[ebp+var_C], eax
		xor	edi, edi
		mov	[ebp+var_4], edx
		xor	ecx, ecx
		mov	[ebp+var_10], ecx

loc_89C944:				; CODE XREF: AslpEnvResolveVars+AEj
		test	eax, eax
		jnz	loc_89CA65
		mov	ebx, ecx
		shl	ebx, 4
		mov	ecx, dword_6B3070[ebx]
		cmp	esi, ecx
		jbe	short loc_89C9C4
		push	ecx		; size_t
		push	off_6B3068[ebx]	; wchar_t *
		push	[ebp+var_8]	; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_92E9E7
		mov	edi, dword_6B3074[ebx]
		sub	edi, dword_6B3070[ebx]
		add	edi, esi
		cmp	edi, [ebp+arg_4]
		ja	short loc_89C9D9
		cmp	[ebp+var_10], eax
		jnz	loc_92E997
		mov	si, [ebp+arg_8]
		mov	[ebp+var_C], eax

loc_89C998:				; CODE XREF: AslpEnvResolveVars+91j
		mov	cx, [ebp+arg_C]
		cmp	word_6B3470[eax], si
		jz	short loc_89C9EC

loc_89C9A5:				; CODE XREF: AslpEnvResolveVars+D3j
		mov	edx, [ebp+var_4]

loc_89C9A8:				; CODE XREF: AslpEnvResolveVars+140j
		add	eax, 8
		mov	[ebp+var_C], eax
		cmp	eax, 38h
		jb	short loc_89C998
		test	edx, edx
		jz	loc_92E976

loc_89C9BB:				; CODE XREF: AslpEnvResolveVars+9207Bj
					; AslpEnvResolveVars+920B4j
		mov	esi, [ebp+var_14]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_C], eax

loc_89C9C4:				; CODE XREF: AslpEnvResolveVars+39j
					; AslpEnvResolveVars+920CAj
		mov	ecx, [ebp+var_10]
		inc	ecx
		mov	[ebp+var_10], ecx
		cmp	ecx, 4
		jb	loc_89C944
		jmp	loc_92EA42
; 

loc_89C9D9:				; CODE XREF: AslpEnvResolveVars+66j
		mov	esi, 0C0000023h

loc_89C9DE:				; CODE XREF: AslpEnvResolveVars+147j
		mov	eax, [ebp+arg_10]
		mov	[eax], edi

loc_89C9E3:				; CODE XREF: AslpEnvResolveVars+92110j
					; AslpEnvResolveVars+9213Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_89C9EC:				; CODE XREF: AslpEnvResolveVars+83j
		cmp	word_6B3472[eax], cx
		jnz	short loc_89C9A5
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	offset ??_C@_1BK@JEOALCGP@?$AA?$CF?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt?$AA?$CF@NNGAKEGL@
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		js	loc_92EA09
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	off_6B3474[eax]
		call	_RtlStringCchCatW@12 ; RtlStringCchCatW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92E9FC
		mov	eax, dword_6B3070[ebx]
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+arg_4]
		lea	eax, [ecx+eax*2]
		mov	ecx, [ebp+arg_0]
		push	eax
		call	_RtlStringCchCatW@12 ; RtlStringCchCatW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92E9EF
		mov	eax, [ebp+var_C]
		xor	edx, edx
		mov	cx, [ebp+arg_C]
		inc	edx
		mov	si, [ebp+arg_8]
		mov	[ebp+var_4], edx
		jmp	loc_89C9A8
; 

loc_89CA65:				; CODE XREF: AslpEnvResolveVars+26j
					; AslpEnvResolveVars+92124j ...
		xor	esi, esi
		jmp	loc_89C9DE
AslpEnvResolveVars endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	AslEnvExpandStrings(int,int,void *,int)
AslEnvExpandStrings proc near		; CODE XREF: AslEnvExpandStrings2+DFp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092EA7A SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_10], 0
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_18], ecx
		xor	ecx, ecx
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ecx
		cmp	edi, 1
		jb	short loc_89CAE9
		mov	[ebp+arg_8], edx

loc_89CA9E:				; CODE XREF: AslEnvExpandStrings+74j
		movzx	edx, word ptr [esi]
		push	25h
		pop	ecx
		cmp	dx, cx
		mov	[ebp+var_1C], edx
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+arg_8]
		jz	short loc_89CB07

loc_89CAB2:				; CODE XREF: AslEnvExpandStrings+153j
		cmp	eax, 0C0000023h
		jz	short loc_89CACF
		cmp	ebx, 1
		jbe	loc_92EAB5
		mov	eax, [ebp+var_1C]
		dec	ebx
		mov	[edx], ax
		add	edx, 2
		mov	[ebp+arg_8], edx

loc_89CACF:				; CODE XREF: AslEnvExpandStrings+4Bj
					; AslEnvExpandStrings+92050j
		inc	ecx
		dec	edi

loc_89CAD1:				; CODE XREF: AslEnvExpandStrings+117j
		mov	[ebp+var_4], ecx

loc_89CAD4:				; CODE XREF: AslEnvExpandStrings+14Bj
					; AslEnvExpandStrings+92044j
		mov	eax, [ebp+var_8]
		add	esi, 2
		mov	[ebp+var_C], esi
		cmp	edi, 1
		jnb	short loc_89CA9E
		cmp	eax, 0C0000023h
		jz	short loc_89CAF6

loc_89CAE9:				; CODE XREF: AslEnvExpandStrings+2Dj
		test	ebx, ebx
		jz	loc_92EAC1
		xor	esi, esi
		mov	[edx], si

loc_89CAF6:				; CODE XREF: AslEnvExpandStrings+7Bj
					; AslEnvExpandStrings+9205Aj
		mov	edx, [ebp+arg_C]
		pop	edi
		pop	esi
		pop	ebx
		test	edx, edx
		jz	short locret_89CB03
		inc	ecx
		mov	[edx], ecx

locret_89CB03:				; CODE XREF: AslEnvExpandStrings+92j
		leave
		retn	10h
; 

loc_89CB07:				; CODE XREF: AslEnvExpandStrings+44j
		and	[ebp+arg_4], 0
		lea	eax, [edi-1]
		add	esi, 2
		mov	[ebp+arg_0], eax
		test	eax, eax
		mov	[ebp+var_14], esi
		mov	eax, [ebp+var_8]
		jz	loc_89CBBC
		mov	ecx, [ebp+arg_0]
		push	25h
		pop	edx

loc_89CB28:				; CODE XREF: AslEnvExpandStrings+CAj
		cmp	[esi], dx
		jz	short loc_89CB38
		add	esi, 2
		inc	[ebp+arg_4]
		cmp	[ebp+arg_4], ecx
		jb	short loc_89CB28

loc_89CB38:				; CODE XREF: AslEnvExpandStrings+BFj
		cmp	[ebp+arg_4], 0
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+arg_8]
		jz	short loc_89CBBC
		mov	edx, [ebp+arg_0]
		cmp	[ebp+arg_4], edx
		mov	edx, [ebp+arg_8]
		jnb	short loc_89CBBC
		mov	ecx, [ebp+var_18]
		lea	eax, [ebp+var_10]
		push	eax		; int
		push	ebx		; int
		push	edx		; void *
		push	[ebp+arg_4]	; int
		mov	edx, [ebp+var_14]
		call	AslEnvVarQuery
		mov	edx, 0C0000023h
		cmp	eax, edx
		jnz	short loc_89CB88
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_4]
		dec	eax
		add	ecx, eax
		mov	[ebp+var_8], edx
		push	0FFFFFFFEh
		pop	eax
		sub	eax, [ebp+arg_4]
		add	edi, eax

loc_89CB80:				; CODE XREF: AslEnvExpandStrings+92039j
		mov	edx, [ebp+arg_8]
		jmp	loc_89CAD1
; 

loc_89CB88:				; CODE XREF: AslEnvExpandStrings+FEj
		test	eax, eax
		js	loc_92EA7A
		mov	ecx, [ebp+var_4]
		add	ecx, [ebp+var_10]
		push	0FFFFFFFEh
		pop	eax
		sub	eax, [ebp+arg_4]
		add	edi, eax
		mov	[ebp+var_4], ecx
		mov	eax, [ebp+var_10]
		cmp	ebx, eax
		jbe	loc_92EAAA
		mov	edx, [ebp+arg_8]
		sub	ebx, eax
		lea	edx, [edx+eax*2]
		mov	[ebp+arg_8], edx
		jmp	loc_89CAD4
; 

loc_89CBBC:				; CODE XREF: AslEnvExpandStrings+B0j
					; AslEnvExpandStrings+D6j ...
		mov	esi, [ebp+var_C]
		jmp	loc_89CAB2
AslEnvExpandStrings endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	AslEnvVarQuery(int,void	*,int,int)
AslEnvVarQuery	proc near		; CODE XREF: AslEnvExpandStrings+F2p
					; SdbpGetProcessHistory(x,x,x)+51p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092EACB SIZE 0000011E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		mov	ebx, ecx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, offset ??_C@_1BG@MCEEPJDG@?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt@NNGAKEGL@
		mov	[ebp+var_4], eax
		xor	esi, esi
		lea	eax, [eax+edi*2]
		mov	[ebp+arg_0], eax
		lea	edx, [ecx+2]

loc_89CBE8:				; CODE XREF: AslEnvVarQuery+2Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_89CBE8
		sub	ecx, edx
		sar	ecx, 1
		cmp	edi, ecx
		jb	loc_92EADF
		push	ecx		; size_t
		push	offset ??_C@_1BG@MCEEPJDG@?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt@NNGAKEGL@ ; wchar_t *
		push	[ebp+var_4]	; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_92EADF
		call	RtlGetNtSystemRoot
		mov	edi, eax
		lea	edx, [edi+2]

loc_89CC22:				; CODE XREF: AslEnvVarQuery+67j
		mov	cx, [edi]
		add	edi, 2
		cmp	cx, si
		jnz	short loc_89CC22
		sub	edi, edx
		sar	edi, 1
		cmp	edi, [ebp+arg_8]
		jb	short loc_89CC55
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	loc_92EACB

loc_89CC41:				; CODE XREF: AslEnvVarQuery+91F0Bj
					; AslEnvVarQuery+91F16j
		mov	ecx, [ebp+arg_C]
		lea	eax, [edi+1]
		mov	[ecx], eax
		mov	eax, 0C0000023h

loc_89CC4E:				; CODE XREF: AslEnvVarQuery+ACj
					; AslEnvVarQuery+92016j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_89CC55:				; CODE XREF: AslEnvVarQuery+70j
		mov	ecx, [ebp+arg_C]
		mov	esi, [ebp+arg_4]
		mov	[ecx], edi
		add	edi, edi
		push	edi		; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		mov	[edi+esi], ax
		jmp	short loc_89CC4E
AslEnvVarQuery	endp


;  S U B	R O U T	I N E 


AslImageFileToArchitecture proc	near	; CODE XREF: SdbpResolveMatchingFile+62p
					; SdbpResolveMatchingFile+124p	...

; FUNCTION CHUNK AT 0092EBE9 SIZE 00000009 BYTES

		xor	eax, eax

loc_89CC74:				; CODE XREF: AslImageFileToArchitecture+14j
		cmp	word_6B6496[eax*4], cx
		jz	loc_92EBE9
		inc	eax
		cmp	eax, 4
		jb	short loc_89CC74
		mov	eax, 0FFFFh
		retn
AslImageFileToArchitecture endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AslEnvGetProcessWowInfo	proc near	; CODE XREF: SdbpResolveMatchingFile+4Ep
					; SdbpResolveMatchingFile+10Dp	...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092EBF2 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_20], ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	ebx, edx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		stosd
		stosd
		xor	edi, edi
		inc	edi
		test	ecx, ecx
		jz	short loc_89CCE1
		push	0
		push	0Ch
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92EBF2
		mov	ecx, [ebp+var_20]
		mov	ax, word ptr [ebp+var_10]
		mov	[ecx], ax

loc_89CCE1:				; CODE XREF: AslEnvGetProcessWowInfo+2Fj
		test	ebx, ebx
		jz	short loc_89CD04
		push	0
		push	0Ch
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92EBFF
		mov	ax, word ptr [ebp+var_1C]
		mov	[ebx], ax

loc_89CD04:				; CODE XREF: AslEnvGetProcessWowInfo+55j
		xor	esi, esi

loc_89CD06:				; CODE XREF: AslEnvGetProcessWowInfo+91F8Aj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
AslEnvGetProcessWowInfo	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AslPathToNetworkPathNt proc near	; CODE XREF: SdbpResolveMatchingFile+173p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092EC1D SIZE 00000088 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_8], eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], ebx
		mov	ecx, ebx
		mov	[eax], esi
		call	AslpDetermineDosPathNameType
		cmp	eax, 1
		jz	loc_92EC1D
		mov	esi, 0C000000Dh

loc_89CD46:				; CODE XREF: AslPathToNetworkPathNt+91F86j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
AslPathToNetworkPathNt endp


;  S U B	R O U T	I N E 


AslpDetermineDosPathNameType proc near	; CODE XREF: AslPathToNetworkPathNt+19p

; FUNCTION CHUNK AT 0092ECA5 SIZE 00000052 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		lea	edi, [esi+2]

loc_89CD57:				; CODE XREF: AslpDetermineDosPathNameType+14j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_89CD57
		sub	esi, edi
		sar	esi, 1
		cmp	esi, 4
		jbe	short loc_89CD9E
		movzx	eax, word ptr [ecx]
		push	2Fh
		pop	edx
		push	5Ch
		pop	esi
		cmp	ax, si
		jz	loc_92ECA5
		cmp	ax, dx
		jz	loc_92ECA5
		test	ax, ax
		jz	short loc_89CDAC
		cmp	word ptr [ecx+2], 3Ah
		jnz	short loc_89CDAC
		movzx	eax, word ptr [ecx+4]
		cmp	ax, si
		jnz	short loc_89CDA3

loc_89CD9B:				; CODE XREF: AslpDetermineDosPathNameType+5Aj
		push	2

loc_89CD9D:				; CODE XREF: AslpDetermineDosPathNameType+5Ej
					; AslpDetermineDosPathNameType+62j ...
		pop	edx

loc_89CD9E:				; CODE XREF: AslpDetermineDosPathNameType+1Dj
					; AslpDetermineDosPathNameType+91F7Fj ...
		pop	edi
		mov	eax, edx
		pop	esi
		retn
; 

loc_89CDA3:				; CODE XREF: AslpDetermineDosPathNameType+4Dj
		cmp	ax, dx
		jz	short loc_89CD9B
		push	3
		jmp	short loc_89CD9D
; 

loc_89CDAC:				; CODE XREF: AslpDetermineDosPathNameType+3Dj
					; AslpDetermineDosPathNameType+44j
		push	5
		jmp	short loc_89CD9D
AslpDetermineDosPathNameType endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall AslPathClean(wchar_t *,int,int)
AslPathClean	proc near		; CODE XREF: SdbpResolveMatchingFile+161p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092ECF7 SIZE 00000116 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	edi
		mov	edi, ebx
		mov	[ebp+var_4], ebx
		xor	edx, edx
		lea	ecx, [edi+2]

loc_89CDC9:				; CODE XREF: AslPathClean+22j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, dx
		jnz	short loc_89CDC9
		sub	edi, ecx
		sar	edi, 1
		mov	[ebp+var_C], edi
		lea	eax, [edi+1]
		cmp	[ebp+arg_0], eax
		jb	loc_92ECF7
		push	esi
		push	3Ah		; wchar_t
		push	ebx		; wchar_t *
		call	_wcschr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jz	loc_92ED01

loc_89CDFC:				; CODE XREF: AslPathClean+91F9Aj
		sub	esi, ebx
		shr	esi, 1
		inc	esi

loc_89CE01:				; CODE XREF: AslPathClean+91F85j
					; AslPathClean+91FA1j
		mov	[ebp+arg_0], esi

loc_89CE04:				; CODE XREF: AslPathClean+91F68j
		lea	eax, [esi+esi]
		push	eax		; size_t
		push	ebx		; void *
		push	[ebp+var_8]	; void *
		call	_memmove
		add	esp, 0Ch
		mov	ecx, esi
		mov	eax, esi
		cmp	esi, edi
		jnb	short loc_89CE9A
		mov	[ebp+var_10], 2Fh
		mov	[ebp+var_18], 2Eh

loc_89CE2A:				; CODE XREF: AslPathClean+E8j
		movzx	edx, word ptr [ebx+eax*2]
		push	5Ch
		pop	edi
		cmp	dx, di
		mov	edi, [ebp+var_C]
		jz	short loc_89CEAC
		cmp	dx, word ptr [ebp+var_10]
		jz	short loc_89CEAC
		push	2Eh
		pop	ebx
		cmp	dx, bx
		mov	ebx, [ebp+var_4]
		jz	loc_92ED6D
		cmp	eax, edi
		jnb	short loc_89CE94
		mov	esi, [ebp+var_8]

loc_89CE55:				; CODE XREF: AslPathClean+C2j
		movzx	edx, word ptr [ebx+eax*2]
		push	5Ch
		pop	ebx
		cmp	dx, bx
		mov	ebx, [ebp+var_4]
		jz	short loc_89CE74
		cmp	dx, word ptr [ebp+var_10]
		jz	short loc_89CE74
		mov	[esi+ecx*2], dx
		inc	ecx
		inc	eax
		cmp	eax, edi
		jb	short loc_89CE55

loc_89CE74:				; CODE XREF: AslPathClean+B2j
					; AslPathClean+B8j
		mov	esi, [ebp+arg_0]
		cmp	eax, edi
		jnb	short loc_89CE94
		cmp	ecx, 2
		jb	short loc_89CE94
		mov	edx, [ebp+var_8]
		push	2Eh
		pop	ebx
		cmp	[edx+ecx*2-2], bx
		mov	ebx, [ebp+var_4]
		jz	loc_92ED56

loc_89CE94:				; CODE XREF: AslPathClean+A0j
					; AslPathClean+C9j ...
		dec	eax

loc_89CE95:				; CODE XREF: AslPathClean+10Ej
					; AslPathClean+11Bj ...
		inc	eax
		cmp	eax, edi
		jb	short loc_89CE2A

loc_89CE9A:				; CODE XREF: AslPathClean+6Aj
					; AslPathClean+91FC5j
		mov	eax, [ebp+var_8]
		xor	edx, edx
		pop	esi
		mov	[eax+ecx*2], dx
		xor	eax, eax

loc_89CEA6:				; CODE XREF: AslPathClean+91F4Cj
		pop	edi
		pop	ebx
		leave
		retn	4
; 

loc_89CEAC:				; CODE XREF: AslPathClean+87j
					; AslPathClean+8Dj
		mov	edx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_89CEC0
		push	5Ch
		pop	ebx
		cmp	[edx+ecx*2-2], bx
		mov	ebx, [ebp+var_4]
		jz	short loc_89CE95

loc_89CEC0:				; CODE XREF: AslPathClean+101j
		push	5Ch
		pop	edi
		mov	[edx+ecx*2], di
		inc	ecx
		mov	edi, [ebp+var_C]
		jmp	short loc_89CE95
AslPathClean	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpInitializeSearchDBContext proc near	; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+10Bp
					; SdbpCheckMatchingDir(x,x,x,x,x,x,x)+7Cp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092EE0D SIZE 0000004C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	edi
		mov	edi, ecx
		xor	edx, edx
		cmp	[edi+24h], edx
		jnz	loc_89CF82
		mov	ebx, [edi+20h]
		push	esi
		test	ebx, ebx
		jnz	short loc_89CF69
		test	byte ptr [edi],	2
		jz	loc_92EE0D

loc_89CEF5:				; CODE XREF: SdbpInitializeSearchDBContext+91F44j
		mov	esi, [edi+10h]
		lea	ecx, [esi+2]

loc_89CEFB:				; CODE XREF: SdbpInitializeSearchDBContext+36j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_89CEFB
		sub	esi, ecx
		mov	ecx, [edi+14h]
		sar	esi, 1
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_89CF12:				; CODE XREF: SdbpInitializeSearchDBContext+4Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_89CF12
		sub	ecx, edx
		sar	ecx, 1
		push	ecx
		mov	[ebp+var_4], ecx
		lea	eax, [ecx+esi]
		add	eax, eax
		mov	[ebp+var_8], eax
		lea	edx, [eax+2]
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_92EE39
		add	esi, esi
		push	esi		; size_t
		push	dword ptr [edi+10h] ; void *
		push	ebx		; void *
		call	_memmove
		mov	eax, [ebp+var_4]
		add	eax, eax
		push	eax		; size_t
		push	dword ptr [edi+14h] ; void *
		lea	eax, [esi+ebx]
		push	eax		; void *
		call	_memmove
		mov	eax, [ebp+var_8]
		add	esp, 18h
		xor	ecx, ecx
		mov	[eax+ebx], cx

loc_89CF69:				; CODE XREF: SdbpInitializeSearchDBContext+1Cj
					; SdbpInitializeSearchDBContext+91F59j
		lea	edx, [edi+24h]
		mov	[edi+20h], ebx
		mov	ecx, ebx	; wchar_t *
		call	SdbpCreateSearchPathPartsFromPath
		test	eax, eax
		jz	short loc_89CF7D
		or	dword ptr [edi], 1

loc_89CF7D:				; CODE XREF: SdbpInitializeSearchDBContext+AAj
					; SdbpInitializeSearchDBContext+91F86j
		pop	esi

loc_89CF7E:				; CODE XREF: SdbpInitializeSearchDBContext+B7j
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_89CF82:				; CODE XREF: SdbpInitializeSearchDBContext+10j
		xor	eax, eax
		inc	eax
		jmp	short loc_89CF7E
SdbpInitializeSearchDBContext endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall SdbpCreateSearchPathPartsFromPath(wchar_t *)
SdbpCreateSearchPathPartsFromPath proc near ; CODE XREF: SdbpInitializeSearchDBContext+A3p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092EE59 SIZE 00000079 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		xor	eax, eax
		mov	[ebp+var_10], edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], eax
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	edi, edi
		jz	loc_92EE59
		push	ebx
		push	3Bh
		xor	ebx, ebx
		cmp	[edi], ax
		pop	eax
		push	eax		; wchar_t
		push	edi		; wchar_t *
		setnz	bl
		mov	[ebp+var_4], eax
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_92EE79

loc_89CFC9:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+91F08j
		lea	eax, [ebx-1]
		imul	edx, eax, 18h
		push	ecx
		add	edx, 1Ch
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	loc_92EE95
		mov	ecx, edi
		mov	[edx], ebx
		lea	ebx, [ecx+2]

loc_89CFEC:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+6Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_C]
		jnz	short loc_89CFEC
		sub	ecx, ebx
		sar	ecx, 1
		lea	eax, [edi+ecx*2]
		cmp	eax, edi
		jb	short loc_89D02C
		lea	ebx, [edx+8]
		xor	edx, edx

loc_89D008:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+9Fj
		movzx	ecx, word ptr [eax]
		cmp	ecx, 5Ch
		jz	short loc_89D039

loc_89D010:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+B7j
		cmp	cx, word ptr [ebp+var_4]
		jz	short loc_89D01A

loc_89D016:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+B3j
		cmp	edi, eax
		jnz	short loc_89D022

loc_89D01A:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+8Cj
		test	esi, esi
		jnz	loc_92EEB5

loc_89D022:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+90j
					; SdbpCreateSearchPathPartsFromPath+91F45j
		sub	eax, 2
		cmp	eax, edi
		jnb	short loc_89D008
		mov	edx, [ebp+var_8]

loc_89D02C:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+79j
		mov	eax, [ebp+var_10]
		mov	[eax], edx
		xor	eax, eax
		inc	eax

loc_89D034:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+91F28j
		pop	ebx

loc_89D035:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+91EECj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_89D039:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+86j
		test	esi, esi
		jnz	short loc_89D016
		mov	esi, eax
		jmp	short loc_89D010
SdbpCreateSearchPathPartsFromPath endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWorkQueueManagerThread proc near	; DATA XREF: ExpWorkQueueManagerStart(x)+30o

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_50		= byte ptr -50h
var_4F		= byte ptr -4Fh
var_4E		= byte ptr -4Eh
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092EED2 SIZE 0000014C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		and	[esp+58h+var_44], 0
		and	[esp+58h+var_48], 0
		push	esi
		push	edi
		lea	edi, [esp+60h+var_1C]
		mov	[esp+60h+var_4D], 1
		stosd
		stosd
		stosd
		mov	edi, 6C577845h
		push	edi
		push	8
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+60h+var_4C], esi
		test	esi, esi
		jz	short loc_89D0B2
		push	edi
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+60h+var_48], edi
		test	edi, edi
		jz	loc_92EED2
		mov	[esp+60h+var_4D], 0

loc_89D0B2:				; CODE XREF: ExpWorkQueueManagerThread+4Ej
					; ExpWorkQueueManagerThread+91E9Dj
		mov	eax, large fs:124h
		push	0Ch
		push	eax
		mov	[esp+68h+var_38], eax
		call	KeSetActualBasePriorityThread
		mov	eax, _ExpWorkerThreadTimeoutInSeconds
		lea	ecx, [esp+60h+var_30]
		and	[esp+60h+var_30], 0
		mov	esi, (offset loc_98967E+2)
		and	[esp+60h+var_2C], 0
		or	[esp+60h+var_28], 0FFFFFFFFh
		or	[esp+60h+var_24], 0FFFFFFFFh
		mul	esi
		push	ecx
		shrd	eax, edx, 2
		sar	edx, 2
		push	edx
		push	eax
		neg	eax
		adc	edx, 0
		neg	edx
		push	edx
		push	eax
		lea	eax, [ebx+50h]
		push	eax
		call	KeSetTimer2
		mov	eax, _ExpWorkerThreadTimeoutInSeconds
		lea	ecx, [ebx+8]
		mul	esi
		mov	[esp+60h+var_10], ecx
		lea	ecx, [ebx+40h]
		mov	edi, eax
		mov	[esp+60h+var_40], edx
		xor	edx, edx
		mov	[esp+60h+var_34], edi
		lea	eax, [ebx+18h]
		mov	[esp+60h+var_4E], dl
		mov	[esp+60h+var_C], eax
		mov	[esp+60h+var_8], ecx

loc_89D130:				; CODE XREF: ExpWorkQueueManagerThread+21Bj
		push	edx
		push	edx
		push	edx
		push	1
		push	edx
		push	1
		lea	eax, [esp+78h+var_10]
		mov	[esp+78h+var_4F], dl
		push	eax
		push	3
		call	KeWaitForMultipleObjects
		sub	eax, 0
		jnz	loc_89D29D
		mov	eax, [ebx+0ACh]
		test	eax, eax
		jnz	loc_92EFEA
		xor	edi, edi

loc_89D161:				; CODE XREF: ExpWorkQueueManagerThread+163j
		mov	eax, [ebx]
		mov	edx, [ebx+4]
		mov	[esp+60h+var_3C], eax
		mov	eax, [eax+4]
		movzx	ecx, word ptr [edx+8Ah]
		mov	esi, [eax+ecx*4]
		mov	eax, [esi+edi*4]
		test	al, 1
		jnz	loc_92EF7D
		xor	eax, eax

loc_89D184:				; CODE XREF: ExpWorkQueueManagerThread+91F45j
		test	eax, eax
		js	loc_92EF8C
		mov	edx, [ebx+4]
		mov	ecx, [ebx]
		push	edi
		call	_ExpPartitionGetQueue@12 ; ExpPartitionGetQueue(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	loc_89D272

loc_89D1A1:				; CODE XREF: ExpWorkQueueManagerThread+23Dj
					; ExpWorkQueueManagerThread+250j ...
		inc	edi
		cmp	edi, 8
		jl	short loc_89D161

loc_89D1A7:				; CODE XREF: ExpWorkQueueManagerThread+267j
					; ExpWorkQueueManagerThread+286j
		cmp	[esp+60h+var_4E], 0
		jnz	short loc_89D1FC

loc_89D1AE:				; CODE XREF: ExpWorkQueueManagerThread+91F36j
		xor	esi, esi

loc_89D1B0:				; CODE XREF: ExpWorkQueueManagerThread+1B0j
		mov	edx, [ebx+4]
		mov	ecx, [ebx]
		push	esi
		call	_ExpPartitionGetQueue@12 ; ExpPartitionGetQueue(x,x,x)
		mov	ecx, [eax+1A4h]
		mov	[eax+1A8h], ecx
		mov	ecx, [eax+1ACh]
		and	ecx, 3FFFh
		cmp	ecx, [eax+1B4h]
		jge	loc_92EF96
		cmp	[esp+60h+var_4F], 0
		jnz	loc_92EF96
		mov	al, [esp+60h+var_4E]

loc_89D1EE:				; CODE XREF: ExpWorkQueueManagerThread+91F5Aj
		inc	esi
		cmp	esi, 1
		jle	short loc_89D1B0
		test	al, al
		jnz	loc_92EFA1

loc_89D1FC:				; CODE XREF: ExpWorkQueueManagerThread+16Aj
					; ExpWorkQueueManagerThread+91F78j
		lea	eax, [esp+60h+var_44]
		push	eax
		lea	eax, [esp+64h+var_1C]
		push	eax
		mov	eax, [ebx+4]
		movzx	eax, word ptr [eax+8Ah]
		push	eax
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		mov	ecx, [esp+60h+var_38]
		mov	ax, [ecx+158h]
		cmp	ax, word ptr [esp+60h+var_18]
		jnz	loc_92EFBF
		mov	eax, [ecx+154h]
		cmp	eax, [esp+60h+var_1C]
		jnz	loc_92EFBF

loc_89D23C:				; CODE XREF: ExpWorkQueueManagerThread+91F86j
		mov	edi, [esp+60h+var_44]
		xor	esi, esi

loc_89D242:				; CODE XREF: ExpWorkQueueManagerThread+213j
		mov	edx, [ebx+4]
		mov	ecx, [ebx]
		push	esi
		call	_ExpPartitionGetQueue@12 ; ExpPartitionGetQueue(x,x,x)
		test	eax, eax
		jnz	short loc_89D262

loc_89D251:				; CODE XREF: ExpWorkQueueManagerThread+229j
					; ExpWorkQueueManagerThread+91F92j
		inc	esi
		cmp	esi, 8
		jl	short loc_89D242
		mov	edi, [esp+60h+var_34]
		xor	edx, edx
		jmp	loc_89D130
; 

loc_89D262:				; CODE XREF: ExpWorkQueueManagerThread+20Dj
		movzx	edx, di
		cmp	[eax+190h], edx
		jz	short loc_89D251
		jmp	loc_92EFCD
; 

loc_89D272:				; CODE XREF: ExpWorkQueueManagerThread+159j
		mov	edx, [ecx+1B4h]
		call	_ExpNewThreadNecessary@8 ; ExpNewThreadNecessary(x,x)
		test	al, al
		jz	loc_89D1A1
		lea	edx, [ebx+0B0h]
		call	ExpCreateWorkerThread
		test	eax, eax
		jns	loc_89D1A1
		jmp	loc_92EF8C
; 

loc_89D29D:				; CODE XREF: ExpWorkQueueManagerThread+109j
		sub	eax, 1
		jz	loc_92EEE4
		sub	eax, 1
		jnz	loc_89D1A7
		xor	esi, esi

loc_89D2B1:				; CODE XREF: ExpWorkQueueManagerThread+284j
		mov	edx, [ebx+4]
		mov	ecx, [ebx]
		push	esi
		call	_ExpPartitionGetQueue@12 ; ExpPartitionGetQueue(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_89D2CD

loc_89D2C2:				; CODE XREF: ExpWorkQueueManagerThread+297j
					; ExpWorkQueueManagerThread+29Dj ...
		inc	esi
		cmp	esi, 8
		jl	short loc_89D2B1
		jmp	loc_89D1A7
; 

loc_89D2CD:				; CODE XREF: ExpWorkQueueManagerThread+27Ej
		mov	edx, [ecx+1ACh]
		test	edx, 4000h
		jnz	short loc_89D2C2
		cmp	dword ptr [ecx+4], 0
		jnz	short loc_89D2C2
		mov	eax, [ecx+1B0h]
		and	edx, 3FFFh
		add	eax, eax
		sar	eax, 1
		sub	edx, eax
		jz	short loc_89D2C2
		push	[esp+60h+var_40]
		push	edi
		call	_KeTimeOutQueueWaiters@16 ; KeTimeOutQueueWaiters(x,x,x,x)
		jmp	short loc_89D2C2
ExpWorkQueueManagerThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopReleaseFilteredBootResources	proc near ; CODE XREF: PnpAllocateResources+218p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092F01E SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		cmp	ecx, edx
		jnb	loc_89D3AB
		sub	edx, ecx
		lea	esi, [ecx+1Ch]
		push	28h
		pop	ecx
		lea	eax, [edx-1]
		xor	edx, edx
		div	ecx
		inc	eax
		mov	[ebp+var_4], eax

loc_89D32A:				; CODE XREF: IopReleaseFilteredBootResources+90j
		test	byte ptr [esi-18h], 28h
		jnz	short loc_89D38A
		cmp	dword ptr [esi+8], 0
		jnz	short loc_89D377
		cmp	dword ptr [esi-14h], 4
		jnz	short loc_89D377
		mov	edx, [esi]
		test	edx, edx
		jz	short loc_89D377
		and	[ebp+var_8], 0
		mov	eax, [esi-1Ch]
		test	eax, eax
		jz	loc_92F01E
		mov	eax, [eax+0B0h]
		mov	edi, [eax+14h]

loc_89D35A:				; CODE XREF: IopReleaseFilteredBootResources+91D1Ej
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		call	_PnpNeedToReleaseBootResources@12 ; PnpNeedToReleaseBootResources(x,x,x)
		test	eax, eax
		jnz	short loc_89D3B0
		cmp	[ebp+var_8], eax
		jz	short loc_89D371
		xor	ebx, ebx
		inc	ebx

loc_89D371:				; CODE XREF: IopReleaseFilteredBootResources+6Aj
					; IopReleaseFilteredBootResources+D8j
		mov	eax, [ebp+var_4]
		push	28h
		pop	ecx

loc_89D377:				; CODE XREF: IopReleaseFilteredBootResources+32j
					; IopReleaseFilteredBootResources+38j ...
		test	byte ptr [esi-18h], 10h
		jnz	loc_92F040
		cmp	dword ptr [esi], 0
		jz	loc_92F040

loc_89D38A:				; CODE XREF: IopReleaseFilteredBootResources+2Cj
					; IopReleaseFilteredBootResources+91D45j ...
		add	esi, ecx
		sub	eax, 1
		mov	[ebp+var_4], eax
		jnz	short loc_89D32A
		test	ebx, ebx
		jz	short loc_89D3AB
		push	0
		push	0
		push	0
		push	0
		push	0
		xor	edx, edx
		xor	ecx, ecx
		call	PnpRequestDeviceAction

loc_89D3AB:				; CODE XREF: IopReleaseFilteredBootResources+Fj
					; IopReleaseFilteredBootResources+94j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_89D3B0:				; CODE XREF: IopReleaseFilteredBootResources+65j
		xor	ebx, ebx
		lea	ecx, [esi-1Ch]
		inc	ebx
		call	PnpReleaseBootResourcesForFilteredRequirements
		lea	edx, [ebx+7Fh]
		mov	[ebp+var_8], eax
		mov	ecx, edi
		call	PipClearDevNodeFlags
		mov	eax, [ebp+var_8]
		test	eax, eax
		js	loc_92F025

loc_89D3D3:				; CODE XREF: IopReleaseFilteredBootResources+91D39j
		and	dword ptr [edi+11Ch], 0
		jmp	short loc_89D371
IopReleaseFilteredBootResources	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpNeedToReleaseBootResources(x, x,	x)
_PnpNeedToReleaseBootResources@12 proc near ; CODE XREF: IopReleaseFilteredBootResources+5Ep

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[ebp+var_1C], edx
		cmp	dword ptr [edx], 1
		mov	[eax], esi
		jnz	loc_89D4FF
		mov	eax, [ecx+168h]
		test	eax, eax
		jz	loc_89D4FF
		mov	ecx, [eax]
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_89D4FF
		add	eax, 4
		mov	edx, esi
		mov	[ebp+var_18], edx
		test	ecx, ecx
		jz	loc_89D4FF
		push	ebx
		push	edi

loc_89D425:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+110j
		lea	edi, [eax+10h]
		mov	[ebp+var_4], esi
		mov	eax, [eax+0Ch]
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_89D4E4
		mov	eax, esi

loc_89D43B:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+FCj
		mov	bl, [edi]
		mov	ecx, esi
		test	bl, bl
		jz	loc_89D4CC
		cmp	bl, 5
		jz	loc_89D510
		cmp	bl, 8
		jnb	short loc_89D4CC
		mov	eax, [ebp+var_1C]
		mov	edx, esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_24], 1
		mov	[ebp+var_10], edx
		mov	ecx, [eax+10h]
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_89D506
		add	eax, 14h
		mov	[ebp+var_C], eax

loc_89D47B:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+D9j
		mov	cl, [eax]
		cmp	cl, 5
		jz	loc_89D50B
		cmp	bl, cl
		jnz	short loc_89D4A4
		mov	edx, eax
		mov	[ebp+var_14], 1
		mov	ecx, edi
		call	PnpIsRangeWithin
		test	eax, eax
		jnz	short loc_89D4BC
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_10]

loc_89D4A4:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+ACj
		mov	ecx, esi

loc_89D4A6:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+132j
		add	eax, 10h
		add	eax, ecx
		inc	edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edx
		cmp	edx, [ebp+var_20]
		jb	short loc_89D47B
		mov	eax, [ebp+var_24]
		jmp	short loc_89D4BE
; 

loc_89D4BC:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+C0j
		mov	eax, esi

loc_89D4BE:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+DEj
		cmp	[ebp+var_14], esi
		jz	short loc_89D506
		test	eax, eax
		jnz	short loc_89D4F4
		mov	eax, [ebp+var_4]
		mov	ecx, esi

loc_89D4CC:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+65j
					; PnpNeedToReleaseBootResources(x,x,x)+77j ...
		add	edi, 10h
		add	edi, ecx
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, [ebp+var_2C]
		jb	loc_89D43B
		mov	ecx, [ebp+var_30]
		mov	edx, [ebp+var_18]

loc_89D4E4:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+57j
		inc	edx
		mov	eax, edi
		mov	[ebp+var_18], edx
		cmp	edx, ecx
		jb	loc_89D425
		jmp	short loc_89D4FD
; 

loc_89D4F4:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+E9j
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 1

loc_89D4FD:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+116j
					; PnpNeedToReleaseBootResources(x,x,x)+12Dj
		pop	edi
		pop	ebx

loc_89D4FF:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+16j
					; PnpNeedToReleaseBootResources(x,x,x)+24j ...
		mov	eax, esi
		pop	esi
		leave
		retn	4
; 

loc_89D506:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+93j
					; PnpNeedToReleaseBootResources(x,x,x)+E5j
		xor	esi, esi
		inc	esi
		jmp	short loc_89D4FD
; 

loc_89D50B:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+A4j
		mov	ecx, [eax+4]
		jmp	short loc_89D4A6
; 

loc_89D510:				; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+6Ej
		mov	ecx, [edi+4]
		jmp	short loc_89D4CC
_PnpNeedToReleaseBootResources@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpIsRangeWithin proc near		; CODE XREF: PnpNeedToReleaseBootResources(x,x,x)+B9p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092F059 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ebx, edx
		mov	[ebp+var_28], esi
		mov	[ebp+var_C], ebx
		mov	[ebp+var_24], esi
		movzx	eax, byte ptr [edi]
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		sub	eax, 1
		jz	short loc_89D580
		sub	eax, 1
		jnz	short loc_89D57B
		mov	ecx, [edi+8]
		mov	eax, [ebx+8]

loc_89D549:				; CODE XREF: PnpIsRangeWithin+91B57j
		mov	edx, esi
		mov	[ebp+var_1C], ecx
		mov	ebx, edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], ebx

loc_89D55C:				; CODE XREF: PnpIsRangeWithin+BBj
					; PnpIsRangeWithin+11Bj
		mov	ebx, [ebp+var_10]
		cmp	[ebp+var_18], ebx
		mov	ebx, [ebp+var_C]
		jb	short loc_89D574
		ja	short loc_89D5D3
		mov	ebx, [ebp+var_8]
		cmp	[ebp+var_1C], ebx
		mov	ebx, [ebp+var_C]
		jnb	short loc_89D5D3

loc_89D574:				; CODE XREF: PnpIsRangeWithin+4Fj
					; PnpIsRangeWithin+C0j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_89D57B:				; CODE XREF: PnpIsRangeWithin+2Bj
		sub	eax, 1
		jnz	short loc_89D5F8

loc_89D580:				; CODE XREF: PnpIsRangeWithin+26j
					; PnpIsRangeWithin+91B46j
		lea	eax, [ebp+var_28]
		push	eax
		push	edi
		call	RtlCmDecodeMemIoResource
		mov	ecx, [ebp+var_28]
		add	eax, ecx
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+var_24]
		adc	edx, ecx
		add	eax, 0FFFFFFFFh
		mov	[ebp+var_18], ecx
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_14]
		push	eax
		adc	edx, 0FFFFFFFFh
		push	ebx
		mov	[ebp+var_24], edx
		call	RtlCmDecodeMemIoResource
		mov	ecx, edx
		mov	edx, [ebp+var_14]
		add	eax, edx
		mov	[ebp+var_8], edx
		mov	edx, [ebp+var_10]
		adc	ecx, edx
		mov	[ebp+var_10], edx
		mov	edx, [ebp+var_24]
		add	eax, 0FFFFFFFFh
		adc	ecx, 0FFFFFFFFh
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+var_20]
		jmp	short loc_89D55C
; 

loc_89D5D3:				; CODE XREF: PnpIsRangeWithin+51j
					; PnpIsRangeWithin+5Cj
		cmp	edx, [ebp+var_4]
		ja	short loc_89D574
		jb	short loc_89D5DE
		cmp	ecx, eax
		ja	short loc_89D574

loc_89D5DE:				; CODE XREF: PnpIsRangeWithin+C2j
					; PnpIsRangeWithin+91B4Cj
		mov	al, [edi+1]
		cmp	al, [ebx+1]
		jnz	short loc_89D574
		mov	ax, [edi+2]
		cmp	ax, [ebx+2]
		jnz	short loc_89D574
		xor	esi, esi
		inc	esi
		jmp	loc_89D574
; 

loc_89D5F8:				; CODE XREF: PnpIsRangeWithin+68j
		sub	eax, 1
		jz	loc_92F067
		dec	eax
		sub	eax, 1
		jnz	loc_92F059
		mov	eax, [edi+8]
		mov	edx, esi
		mov	ecx, [edi+4]
		dec	eax
		mov	[ebp+var_1C], ecx
		add	ecx, eax
		mov	eax, [ebx+4]
		mov	[ebp+var_8], eax
		mov	eax, [ebx+8]
		mov	ebx, [ebp+var_8]
		dec	ebx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		add	eax, ebx
		mov	[ebp+var_4], esi
		jmp	loc_89D55C
PnpIsRangeWithin endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcTaskClientRegister(x, x)
_PdcTaskClientRegister@8 proc near	; CODE XREF: PopDiagInitialize()+D7p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, 63636450h
		xor	ebx, ebx
		push	edi
		push	24h
		push	1
		mov	_PopSleepStudyTaskClientActivator, ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_89D6A7
		mov	[esi+14h], ebx
		lea	eax, [esi+14h]
		mov	[esi+18h], ebx
		push	eax
		mov	[esi+1Ch], ebx
		lea	eax, [ebp+var_4]
		mov	[esi+20h], ebx
		sub	esp, 10h
		mov	[esi], edi
		mov	dword ptr [esi+10h], 44h
		mov	[esi+8], ebx
		push	eax
		mov	[esi+0Ch], ebx
		push	esi
		mov	[esi+4], ebx
		mov	[ebp+var_4], ebx
		call	PdcPortOpenCommon
		mov	edi, eax
		test	edi, edi
		jnz	short loc_89D69C
		mov	_PopSleepStudyTaskClientActivator, esi
		mov	esi, ebx

loc_89D69C:				; CODE XREF: PdcTaskClientRegister(x,x)+5Cj
		test	esi, esi
		jnz	short loc_89D6AE

loc_89D6A0:				; CODE XREF: PdcTaskClientRegister(x,x)+76j
					; PdcTaskClientRegister(x,x)+7Fj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_89D6A7:				; CODE XREF: PdcTaskClientRegister(x,x)+24j
		mov	edi, 0C0000017h
		jmp	short loc_89D6A0
; 

loc_89D6AE:				; CODE XREF: PdcTaskClientRegister(x,x)+68j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_89D6A0
_PdcTaskClientRegister@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PdcPortOpenCommon proc near		; CODE XREF: PdcTaskClientRegister(x,x)+53p

var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_2F8		= dword	ptr -2F8h
var_2EC		= dword	ptr -2ECh
var_2E8		= dword	ptr -2E8h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 0092F0A2 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 318h
		mov	eax, 310h
		push	ebx
		push	esi
		push	edi
		push	eax		; size_t
		xor	edi, edi
		lea	eax, [ebp+var_314]
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_18]
		add	esp, 0Ch
		mov	ebx, edi
		push	50636450h
		push	688h
		push	1
		mov	[eax], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_92F0A2
		push	688h		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[esi+67Ch], eax
		mov	ebx, 50636450h
		mov	eax, [ebp+arg_4]
		mov	[esi], ebx
		push	44h
		pop	edx
		mov	eax, [eax]
		push	4
		pop	ecx
		mov	[esi+8], edx
		mov	[esi+0Ch], ecx
		mov	[esi+4], edi
		mov	[esi+680h], eax
		push	ebx
		push	5Ch
		push	1
		mov	[ebp+var_2F8], 5
		mov	[ebp+var_2EC], edx
		mov	[ebp+var_2E8], ecx
		mov	[ebp+var_314], 31002F8h
		mov	[ebp+var_310], edi
		mov	[ebp+var_30C], edi
		mov	[ebp+var_308], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_92F0A2
		push	edi
		push	edi
		push	5Ch
		push	ebx
		lea	eax, [ebp+var_314]
		mov	dword ptr [ebx], 1
		push	43h
		mov	[ebx+4], eax
		mov	[ebx+8], esi
		call	ds:__imp__ZwPowerInformation@20	; ZwPowerInformation(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_89D7C4
		mov	eax, [ebp+arg_18]
		xor	edi, edi
		mov	[eax], esi
		test	edi, edi
		js	short loc_89D7C4

loc_89D7AF:				; CODE XREF: PdcPortOpenCommon+10Ej
					; PdcPortOpenCommon+117j
		test	ebx, ebx
		jz	short loc_89D7BB
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89D7BB:				; CODE XREF: PdcPortOpenCommon+F9j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_89D7C4:				; CODE XREF: PdcPortOpenCommon+EAj
					; PdcPortOpenCommon+F5j ...
		test	esi, esi
		jz	short loc_89D7AF
		mov	ecx, esi
		call	_PdcpPortReleaseResources@4 ; PdcpPortReleaseResources(x)
		jmp	short loc_89D7AF
PdcPortOpenCommon endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LocalpConvertStringSidToSid proc near	; CODE XREF: SeConvertStringSidToSid+2Cp
					; LocalGetSidForString+72p

var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= byte ptr -218h
var_216		= byte ptr -216h
var_215		= byte ptr -215h
var_214		= word ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_205		= byte ptr -205h
var_204		= dword	ptr -204h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092F0AC SIZE 000001BE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 254h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_250], edx
		push	edi
		push	0Ah
		mov	edi, ebx
		mov	[ebp+var_21C], ebx
		mov	[ebp+var_210], ebx
		xor	esi, esi
		mov	[ebp+var_220], eax
		mov	[ebp+var_230], esi
		pop	ebx
		mov	[ebp+var_22C], ebx
		test	ecx, ecx
		jz	loc_92F260
		test	edx, edx
		jz	loc_92F260
		test	eax, eax
		jz	loc_92F260
		movzx	eax, word ptr [ecx]
		push	53h
		pop	edx
		mov	[ebp+var_248], edx
		cmp	ax, dx
		jnz	loc_92F0AC

loc_89D847:				; CODE XREF: LocalpConvertStringSidToSid+918DDj
		push	2Dh
		pop	eax
		cmp	[ecx+2], ax
		jnz	loc_92F0B5
		push	78h
		lea	esi, [ecx+4]
		pop	ecx
		push	58h
		pop	edx
		push	30h
		pop	eax
		mov	[ebp+var_24C], eax
		cmp	[esi], ax
		jz	loc_92F0BF

loc_89D86F:				; CODE XREF: LocalpConvertStringSidToSid+918F9j
					; LocalpConvertStringSidToSid+91908j
		push	ebx		; int
		lea	eax, [ebp+var_210]
		push	eax		; wchar_t **
		push	esi		; wchar_t *
		call	_wcstoul
		add	esp, 0Ch
		mov	[ebp+var_254], eax
		cmp	eax, 0FFh
		ja	loc_92F0B5
		mov	eax, [ebp+var_210]
		cmp	eax, esi
		jz	loc_92F0B5
		push	2Dh
		pop	ecx
		cmp	[eax], cx
		jnz	loc_92F0B5
		lea	esi, [eax+2]
		xor	eax, eax
		cmp	[esi], ax
		jz	loc_92F0B5
		push	ecx		; wchar_t
		push	esi		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_92F0B5
		cmp	eax, esi
		jz	loc_92F0B5
		push	30h
		pop	eax
		cmp	[esi], ax
		jz	loc_92F0DF

loc_89D8DE:				; CODE XREF: LocalpConvertStringSidToSid+9191Fj
		mov	eax, ebx

loc_89D8E0:				; CODE XREF: LocalpConvertStringSidToSid+91928j
		lea	ecx, [ebp+var_234]
		xor	edx, edx
		push	ecx
		push	1
		push	eax
		lea	eax, [ebp+var_210]
		mov	[ebp+var_234], edx
		push	eax
		push	esi
		push	edx
		call	_wcstoxq
		mov	[ebp+var_224], eax
		add	esp, 18h
		mov	eax, edx
		mov	[ebp+var_20C], eax
		cmp	eax, 0FFFFh
		ja	loc_92F0B5
		mov	edx, [ebp+var_224]
		jb	short loc_89D92D
		cmp	edx, 0FFFFFFFFh
		ja	loc_92F0B5

loc_89D92D:				; CODE XREF: LocalpConvertStringSidToSid+150j
		mov	ebx, [ebp+var_210]
		cmp	ebx, esi
		jz	loc_92F0B5
		push	2Dh
		pop	ecx
		cmp	[ebx], cx
		jnz	loc_92F0B5
		xor	esi, esi
		cmp	[ebx+2], si
		jz	loc_92F0B5
		mov	ecx, edx
		mov	byte ptr [ebp+var_214+1], dl
		shrd	ecx, eax, 8
		mov	eax, [ebp+var_20C]
		mov	esi, ebx
		mov	byte ptr [ebp+var_214],	cl
		mov	ecx, edx
		shrd	ecx, eax, 10h
		mov	[ebp+var_20C], 3Bh
		mov	[ebp+var_215], cl
		mov	ecx, eax
		shrd	edx, eax, 18h
		mov	[ebp-217h], cl
		shr	ecx, 8
		xor	eax, eax
		mov	[ebp+var_218], cl
		mov	cl, al
		mov	[ebp+var_216], dl
		mov	[ebp+var_205], cl
		mov	[ebp+var_224], 29h
		mov	[ebp+var_238], 2Ch
		mov	[ebp+var_23C], 3Ah
		mov	[ebp+var_240], 47h
		mov	[ebp+var_244], 4Fh
		mov	[ebp+var_228], 44h

loc_89D9E4:				; CODE XREF: LocalpConvertStringSidToSid+293j
		cmp	cl, 0FFh
		jz	loc_92F24E
		movzx	eax, word ptr [esi]
		push	2Dh
		pop	edx
		cmp	ax, dx
		jz	short loc_89DA6D
		cmp	ax, word ptr [ebp+var_20C]
		jz	loc_89DAAA
		test	ax, ax
		jz	loc_89DAAA
		cmp	ax, word ptr [ebp+var_224]
		jz	loc_89DAAA
		cmp	eax, 20h
		jz	loc_89DAAA
		cmp	ax, word ptr [ebp+var_238]
		jz	short loc_89DAAA

loc_89DA2D:				; CODE XREF: LocalpConvertStringSidToSid+29Fj
		movzx	edx, word ptr [esi+2]
		cmp	dx, word ptr [ebp+var_23C]
		jz	loc_92F0FF

loc_89DA3E:				; CODE XREF: LocalpConvertStringSidToSid+91946j
		cmp	ax, word ptr [ebp+var_24C]
		jb	loc_92F126
		cmp	eax, 39h
		ja	loc_92F126

loc_89DA54:				; CODE XREF: LocalpConvertStringSidToSid+9195Cj
					; LocalpConvertStringSidToSid+9196Aj
		cmp	ax, word ptr [ebp+var_228]
		jz	loc_92F14C

loc_89DA61:				; CODE XREF: LocalpConvertStringSidToSid+2B0j
					; LocalpConvertStringSidToSid+2D6j ...
		inc	esi
		add	esi, 1
		jnz	loc_89D9E4
		jmp	short loc_89DACC
; 

loc_89DA6D:				; CODE XREF: LocalpConvertStringSidToSid+224j
		cmp	[esi-2], dx
		jz	short loc_89DA2D
		push	30h
		inc	cl
		pop	eax
		mov	[ebp+var_205], cl
		cmp	[esi+2], ax
		jnz	short loc_89DA61
		lea	ecx, [esi+4]
		movzx	eax, word ptr [ecx]
		push	78h
		pop	edx
		cmp	ax, dx
		jz	loc_89DC31
		push	58h
		pop	edx
		cmp	ax, dx
		jz	loc_89DC31

loc_89DAA2:				; CODE XREF: LocalpConvertStringSidToSid+461j
		mov	cl, [ebp+var_205]
		jmp	short loc_89DA61
; 

loc_89DAAA:				; CODE XREF: LocalpConvertStringSidToSid+22Dj
					; LocalpConvertStringSidToSid+236j ...
		cmp	[esi-2], dx
		jz	loc_92F1D8
		inc	cl
		mov	[ebp+var_205], cl

loc_89DABC:				; CODE XREF: LocalpConvertStringSidToSid+91A0Ej
		mov	eax, [ebp+var_220]
		mov	[eax], esi
		test	edi, edi
		jnz	loc_92F239

loc_89DACC:				; CODE XREF: LocalpConvertStringSidToSid+299j
					; LocalpConvertStringSidToSid+91A01j
		test	cl, cl
		jz	loc_92F232
		sub	cl, 1
		mov	[ebp+var_205], cl
		jz	loc_92F232
		movzx	eax, cl
		add	ebx, 2
		push	ecx
		mov	ecx, eax
		mov	[ebp+var_20C], eax
		shl	ecx, 2
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[ebp+var_21C], eax
		test	eax, eax
		jz	loc_92F1E5
		xor	eax, eax
		mov	esi, eax
		cmp	[ebp+var_20C], eax
		jbe	short loc_89DB82

loc_89DB14:				; CODE XREF: LocalpConvertStringSidToSid+3AEj
		push	30h
		pop	eax
		cmp	[ebx], ax
		jz	loc_89DC11

loc_89DB20:				; CODE XREF: LocalpConvertStringSidToSid+451j
		mov	eax, [ebp+var_22C]

loc_89DB26:				; CODE XREF: LocalpConvertStringSidToSid+45Aj
		push	eax		; int
		lea	eax, [ebp+var_210]
		push	eax		; wchar_t **
		push	ebx		; wchar_t *
		call	_wcstoul
		mov	ecx, [ebp+var_21C]
		add	esp, 0Ch
		mov	[ecx+esi*4], eax
		mov	ebx, [ebp+var_210]
		test	ebx, ebx
		jz	short loc_89DB76
		movzx	eax, word ptr [ebx]
		test	ax, ax
		jz	short loc_89DB76
		push	29h
		pop	ecx
		cmp	ax, cx
		jz	short loc_89DB76
		push	3Bh
		pop	ecx
		cmp	ax, cx
		jz	short loc_89DB76
		push	2Ch
		pop	ecx
		cmp	ax, cx
		jz	short loc_89DB76
		push	2Dh
		pop	ecx
		cmp	ax, cx
		jnz	loc_92F1EF

loc_89DB76:				; CODE XREF: LocalpConvertStringSidToSid+376j
					; LocalpConvertStringSidToSid+37Ej ...
		add	ebx, 2
		inc	esi
		cmp	esi, [ebp+var_20C]
		jb	short loc_89DB14

loc_89DB82:				; CODE XREF: LocalpConvertStringSidToSid+340j
					; LocalpConvertStringSidToSid+91A6Dj
		mov	bl, [ebp+var_205]
		movzx	esi, bl
		push	ecx
		lea	ecx, ds:0Ch[esi*4]
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_250]
		mov	[eax], ecx
		test	ecx, ecx
		jz	loc_92F244
		mov	eax, [ebp+var_254]
		mov	[ecx], al
		mov	eax, dword ptr [ebp+var_218]
		mov	[ecx+2], eax
		mov	ax, [ebp+var_214]
		mov	[ecx+6], ax
		mov	eax, esi
		shl	eax, 2
		push	eax		; size_t
		push	[ebp+var_21C]	; void *
		lea	eax, [ecx+8]
		mov	[ecx+1], bl
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_89DBE1:				; CODE XREF: LocalpConvertStringSidToSid+91A5Bj
					; LocalpConvertStringSidToSid+91A77j
		mov	eax, [ebp+var_21C]
		test	eax, eax
		jz	short loc_89DC38
		xor	ebx, ebx
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89DBF4:				; CODE XREF: LocalpConvertStringSidToSid+468j
		mov	eax, [ebp+var_230]
		test	eax, eax
		jnz	short loc_89DC3C

loc_89DBFE:				; CODE XREF: LocalpConvertStringSidToSid+471j
					; LocalpConvertStringSidToSid+919C2j ...
		mov	eax, edi

loc_89DC00:				; CODE XREF: LocalpConvertStringSidToSid+918E8j
					; LocalpConvertStringSidToSid+91A93j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_89DC11:				; CODE XREF: LocalpConvertStringSidToSid+348j
		movzx	eax, word ptr [ebx+2]
		push	78h
		pop	ecx
		cmp	ax, cx
		jz	short loc_89DC29
		push	58h
		pop	ecx
		cmp	ax, cx
		jnz	loc_89DB20

loc_89DC29:				; CODE XREF: LocalpConvertStringSidToSid+449j
		push	10h
		pop	eax
		jmp	loc_89DB26
; 

loc_89DC31:				; CODE XREF: LocalpConvertStringSidToSid+2BEj
					; LocalpConvertStringSidToSid+2CAj
		mov	esi, ecx
		jmp	loc_89DAA2
; 

loc_89DC38:				; CODE XREF: LocalpConvertStringSidToSid+417j
					; LocalpConvertStringSidToSid+91A18j ...
		xor	ebx, ebx
		jmp	short loc_89DBF4
; 

loc_89DC3C:				; CODE XREF: LocalpConvertStringSidToSid+42Aj
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_89DBFE
LocalpConvertStringSidToSid endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1400. MmFreeMappingAddress

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmFreeMappingAddress
MmFreeMappingAddress proc near		; CODE XREF: SmFpCleanup+F781Ep
					; PnprFreeMappingReserve(x)+21p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092F26A SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	edx, edi
		call	MiRemoveMappingNode
		mov	[ebp+var_C], eax
		cmp	[eax+14h], edi
		jnz	loc_92F26A
		mov	edx, [eax+0Ch]
		mov	ecx, edx
		mov	ebx, [eax+10h]
		mov	[ebp+arg_0], edx
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	[ebp+var_4], eax
		mov	esi, eax
		lea	ecx, [eax+ebx*8]
		mov	[ebp+var_8], ecx
		cmp	eax, ecx
		jnb	short loc_89DCD8

loc_89DC8D:				; CODE XREF: MmFreeMappingAddress+89j
		cmp	esi, eax
		jz	short loc_89DD04
		test	esi, 0FFFh
		jz	short loc_89DD04

loc_89DC99:				; CODE XREF: MmFreeMappingAddress+ECj
		mov	edx, [esi]
		nop
		mov	eax, [esi+4]
		mov	ecx, esi
		mov	[ebp+arg_4], eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	loc_92F28B
		push	[ebp+arg_4]
		push	edx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	[ebp+arg_4], eax
		mov	eax, edx
		mov	edx, [ebp+arg_4]

loc_89DCC2:				; CODE XREF: MmFreeMappingAddress+91644j
		or	edx, eax
		jnz	loc_92F293
		mov	eax, [ebp+var_4]
		add	esi, 8
		cmp	esi, [ebp+var_8]
		jb	short loc_89DC8D
		mov	edx, [ebp+arg_0]

loc_89DCD8:				; CODE XREF: MmFreeMappingAddress+41j
		test	byte ptr ds:dword_7051B4, 1
		jnz	loc_92F29F

loc_89DCE5:				; CODE XREF: MmFreeMappingAddress+9165Dj
		mov	edx, [ebp+var_4]
		mov	ecx, offset dword_6D35E0
		push	ebx
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		push	0
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_89DD04:				; CODE XREF: MmFreeMappingAddress+45j
					; MmFreeMappingAddress+4Dj
		mov	ecx, esi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	edx, [eax]
		nop
		mov	ecx, [eax+4]
		mov	[ebp+arg_4], ecx
		mov	ecx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_89DD2D
		push	[ebp+arg_4]
		push	edx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	[ebp+arg_4], eax
		mov	edx, eax

loc_89DD2D:				; CODE XREF: MmFreeMappingAddress+D3j
		and	edx, 80h
		or	edx, 0
		jz	loc_89DC99
		jmp	loc_92F277
MmFreeMappingAddress endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1372. MmAllocateMappingAddress

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAllocateMappingAddress(x,	x)
		public _MmAllocateMappingAddress@8
_MmAllocateMappingAddress@8 proc near	; CODE XREF: SmFpPreAllocate+153p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	MmAllocateMappingAddressEx
		pop	ebp
		retn	8
_MmAllocateMappingAddress@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1373. MmAllocateMappingAddressEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmAllocateMappingAddressEx
MmAllocateMappingAddressEx proc	near	; CODE XREF: MmAllocateMappingAddress(x,x)+Dp
					; PnprInitializeMappingReserve(x,x)+1Cp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0092F2AC SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		test	[ebp+arg_8], 0FFFFFFFEh
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		jnz	loc_89DE39
		mov	esi, [ebp+arg_0]
		lea	esi, [esi+0FFFh]
		shr	esi, 0Ch
		test	esi, esi
		jz	loc_92F2AC
		test	ebx, ebx
		jz	loc_89DE39
		xor	eax, eax
		mov	edx, 6D72694Dh
		push	eax
		push	40h
		push	1Ch
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_89DE39
		mov	edx, esi
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_92F2C1
		mov	edx, [ebp+arg_8]
		shl	eax, 9
		mov	[esp+38h+var_28], eax
		mov	[edi+0Ch], eax
		mov	[edi+10h], esi
		mov	[edi+14h], ebx
		mov	[edi+18h], edx
		test	esi, esi
		jz	short loc_89DE0D
		mov	edx, esi

loc_89DDF1:				; CODE XREF: MmAllocateMappingAddressEx+A5j
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		nop
		mov	eax, ds:dword_40F9FC
		lea	ecx, [ecx+8]
		mov	[ecx-4], eax
		sub	edx, 1
		jnz	short loc_89DDF1
		mov	eax, [esp+38h+var_28]

loc_89DE0D:				; CODE XREF: MmAllocateMappingAddressEx+8Bj
		test	byte ptr ds:dword_7051B4, 1
		jnz	loc_92F2CE

loc_89DE1A:				; CODE XREF: MmAllocateMappingAddressEx+915A0j
		mov	ecx, edi
		call	_MiInsertMappingNode@4 ; MiInsertMappingNode(x)
		mov	eax, [esp+38h+var_28]

loc_89DE25:				; CODE XREF: MmAllocateMappingAddressEx+D9j
		mov	ecx, [esp+38h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_89DE39:				; CODE XREF: MmAllocateMappingAddressEx+23j
					; MmAllocateMappingAddressEx+3Fj ...
		xor	eax, eax
		jmp	short loc_89DE25
MmAllocateMappingAddressEx endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipChangeDeviceObjectFromRegistryProperties proc near
					; CODE XREF: PipCallDriverAddDevice+67Bp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_1A		= dword	ptr -1Ah
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 0092F307 SIZE 00000078 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_30], 0
		push	ebx
		mov	ebx, ecx
		mov	byte ptr [ebp+var_1A], 0
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_20], ecx
		push	esi
		mov	eax, [ebx+0B0h]
		push	edi
		mov	edi, edx
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_38], edi
		mov	[ebp+var_24], edx
		test	ebx, ebx
		jz	loc_92F307
		mov	esi, [eax+14h]

loc_89DE7F:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+914CBj
		mov	eax, [eax+10h]
		and	[ebp+var_48], 0
		and	eax, 800h
		and	[ebp+var_4C], 0
		and	[ebp+var_34], 0
		and	[ebp+var_44], 0
		and	[ebp+var_2C], 0
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	edx
		mov	edx, [esi+18h]
		push	ecx
		push	edi
		push	1Ah
		pop	ecx
		mov	[ebp+var_3C], esi
		mov	byte ptr [ebp+var_1A+1], 0
		call	_PipGetRegistryDwordWithFallback@24 ; PipGetRegistryDwordWithFallback(x,x,x,x,x,x)
		mov	edx, [esi+18h]
		mov	[ebp+var_1C], al
		lea	eax, [ebp+var_44]
		push	eax
		push	[ebp+var_24]
		push	[ebp+var_20]
		push	edi
		push	1Bh
		pop	ecx
		call	_PipGetRegistryDwordWithFallback@24 ; PipGetRegistryDwordWithFallback(x,x,x,x,x,x)
		mov	edx, [esi+18h]
		mov	[ebp+var_25], al
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+var_24]
		push	[ebp+var_20]
		push	edi
		push	1Ch
		pop	ecx
		call	_PipGetRegistryDwordWithFallback@24 ; PipGetRegistryDwordWithFallback(x,x,x,x,x,x)
		cmp	[ebp+arg_8], 0
		jnz	loc_89E093
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	loc_89E093

loc_89DEFE:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+257j
		xor	edi, edi
		jmp	short loc_89DF08
; 

loc_89DF02:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+CCj
		or	edi, [eax+20h]
		mov	eax, [eax+10h]

loc_89DF08:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+C2j
		test	eax, eax
		jnz	short loc_89DF02
		or	edi, [ebp+var_2C]
		xor	esi, esi
		mov	ecx, [ebp+var_50]
		and	edi, 5010Fh
		mov	edx, [ebp+var_3C]
		mov	eax, ecx
		neg	eax
		mov	[ebp+var_2C], edi
		mov	[ebp+var_40], esi
		sbb	eax, eax
		and	eax, [ebp+var_24]
		neg	ecx
		mov	edx, [edx+18h]
		sbb	ecx, ecx
		and	ecx, [ebp+var_20]
		push	eax
		push	ecx
		push	[ebp+var_38]
		call	_PipGetRegistrySecurityWithFallback@20 ; PipGetRegistrySecurityWithFallback(x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_89DFFB
		lea	eax, [ebp-1Bh]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		push	ecx
		call	_RtlGetOwnerSecurityDescriptor@12 ; RtlGetOwnerSecurityDescriptor(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_92F36A
		and	[ebp+var_24], esi
		cmp	[ebp+var_30], esi
		jnz	loc_92F318

loc_89DF71:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+914E0j
		lea	eax, [ebp-1Bh]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_20]
		call	_RtlGetGroupSecurityDescriptor@12 ; RtlGetGroupSecurityDescriptor(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_92F36A
		cmp	[ebp+var_30], 0
		jnz	loc_92F323

loc_89DF95:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+914EEj
		lea	eax, [ebp-1Bh]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_1A]
		push	eax
		push	[ebp+var_20]
		call	_RtlGetSaclSecurityDescriptor@16 ; RtlGetSaclSecurityDescriptor(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_92F36A
		cmp	byte ptr [ebp+var_1A], 0
		jnz	loc_92F331

loc_89DFBD:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+914FCj
		lea	eax, [ebp-1Bh]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_1A]
		push	eax
		push	[ebp+var_20]
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_92F36A
		cmp	byte ptr [ebp+var_1A], 0
		mov	ecx, [ebp+var_20]
		mov	edi, [ebp+var_2C]
		jz	short loc_89DFED
		mov	esi, [ebp+var_24]
		or	esi, 4

loc_89DFED:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+1A7j
					; PipChangeDeviceObjectFromRegistryProperties+2B0j
		cmp	[ebp+var_1C], 0
		jz	short loc_89E005
		mov	eax, [ebp+var_34]
		mov	[ebx+2Ch], eax
		jmp	short loc_89E005
; 

loc_89DFFB:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+109j
		cmp	[ebp+var_1C], 0
		jnz	loc_89E0B2

loc_89E005:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+1B3j
					; PipChangeDeviceObjectFromRegistryProperties+1BBj
		cmp	[ebp+var_25], 0
		jnz	loc_92F33F

loc_89E00F:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+91505j
					; PipChangeDeviceObjectFromRegistryProperties+9150Fj
		mov	eax, [ebx+20h]
		and	eax, 0FFFAFEF0h
		or	eax, edi
		mov	[ebx+20h], eax
		mov	eax, [ebx+10h]
		jmp	short loc_89E027
; 

loc_89E021:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+1EBj
		or	[eax+20h], edi
		mov	eax, [eax+10h]

loc_89E027:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+1E1j
		test	eax, eax
		jnz	short loc_89E021
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_89E03B
		push	ecx
		push	esi
		push	ebx
		call	_ObSetSecurityObjectByPointer@12 ; ObSetSecurityObjectByPointer(x,x,x)
		mov	edi, eax

loc_89E03B:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+1F1j
		mov	dl, byte ptr [ebp+var_1A+1]
		mov	ecx, ebx

loc_89E040:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+21Bj
		mov	eax, [ecx+8]
		test	dword ptr [eax+8], 100h
		jnz	loc_92F352

loc_89E050:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+91527j
		test	dl, dl
		jnz	short loc_89E09A

loc_89E054:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+263j
					; PipChangeDeviceObjectFromRegistryProperties+272j
		mov	ecx, [ecx+10h]
		test	ecx, ecx
		jnz	short loc_89E040

loc_89E05B:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+9152Fj
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_89E06E
		test	dl, dl
		jnz	short loc_89E06E
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89E06E:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+222j
					; PipChangeDeviceObjectFromRegistryProperties+226j ...
		mov	eax, [ebp+var_48]
		test	eax, eax
		jnz	loc_92F372

loc_89E079:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+9153Cj
		mov	eax, [ebp+var_4C]
		test	eax, eax
		jnz	short loc_89E0F3

loc_89E080:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+2BDj
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_89E093:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+AFj
					; PipChangeDeviceObjectFromRegistryProperties+BAj
		mov	eax, ebx
		jmp	loc_89DEFE
; 

loc_89E09A:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+214j
		cmp	dword ptr [ecx+98h], 0
		jz	short loc_89E054
		mov	eax, [ecx+0B0h]
		or	dword ptr [eax+10h], 800h
		jmp	short loc_89E054
; 

loc_89E0B2:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+1C1j
		xor	eax, eax
		lea	edi, [ebp+var_1A+2]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_40]
		mov	edi, [ebp+var_2C]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_1A+2]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_34]
		call	IopCreateDefaultDeviceSecurityDescriptor
		mov	ecx, eax
		mov	[ebp+var_20], eax
		test	ecx, ecx
		jz	loc_92F30E
		mov	esi, [ebp+var_40]
		mov	byte ptr [ebp+var_1A+1], 1
		jmp	loc_89DFED
; 

loc_89E0F3:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+240j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_89E080
PipChangeDeviceObjectFromRegistryProperties endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipGetRegistryDwordWithFallback(x, x, x, x,	x, x)
_PipGetRegistryDwordWithFallback@24 proc near
					; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+74p
					; PipChangeDeviceObjectFromRegistryProperties+8Dp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	4
		pop	edi
		xor	ebx, ebx
		mov	[ebp+var_4], edi
		push	ebx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], ebx
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], ebx
		push	eax
		lea	eax, [ebp+var_8]
		mov	esi, ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	esi
		push	[ebp+arg_0]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_89E16D

loc_89E139:				; CODE XREF: PipGetRegistryDwordWithFallback(x,x,x,x,x,x)+72j
					; PipGetRegistryDwordWithFallback(x,x,x,x,x,x)+77j
		cmp	[ebp+arg_8], ebx
		jz	short loc_89E164
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_4], edi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		push	[ebp+arg_8]
		call	__CmGetInstallerClassRegProp@32	; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_89E183

loc_89E164:				; CODE XREF: PipGetRegistryDwordWithFallback(x,x,x,x,x,x)+3Ej
					; PipGetRegistryDwordWithFallback(x,x,x,x,x,x)+83j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	10h
; 

loc_89E16D:				; CODE XREF: PipGetRegistryDwordWithFallback(x,x,x,x,x,x)+39j
		cmp	[ebp+var_8], edi
		jnz	short loc_89E139
		cmp	[ebp+var_4], edi
		jnz	short loc_89E139

loc_89E177:				; CODE XREF: PipGetRegistryDwordWithFallback(x,x,x,x,x,x)+8Dj
		mov	ecx, [ebp+arg_C]
		mov	bl, 1
		mov	eax, [ebp+var_C]
		mov	[ecx], eax
		jmp	short loc_89E164
; 

loc_89E183:				; CODE XREF: PipGetRegistryDwordWithFallback(x,x,x,x,x,x)+64j
		cmp	[ebp+var_8], edi
		jnz	short loc_89E164
		cmp	[ebp+var_4], edi
		jz	short loc_89E177
		jmp	short loc_89E164
_PipGetRegistryDwordWithFallback@24 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipGetRegistrySecurityWithFallback(x, x, x,	x, x)
_PipGetRegistrySecurityWithFallback@20 proc near
					; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+FDp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		mov	eax, 80h
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		push	6E657050h
		push	eax
		push	1
		mov	edi, edx
		mov	[ebp+var_4], eax
		xor	bl, bl
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_89E264
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_4]
		push	0
		push	eax
		push	esi
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		push	18h
		push	[ebp+arg_0]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	loc_89E2DF

loc_89E1EE:				; CODE XREF: PipGetRegistrySecurityWithFallback(x,x,x,x,x)+18Dj
		test	eax, eax
		jns	loc_89E2A5

loc_89E1F6:				; CODE XREF: PipGetRegistrySecurityWithFallback(x,x,x,x,x)+119j
					; PipGetRegistrySecurityWithFallback(x,x,x,x,x)+12Cj ...
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	short loc_89E24E
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	esi
		lea	eax, [ebp+var_8]
		push	eax
		push	18h
		push	edi
		call	__CmGetInstallerClassRegProp@32	; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	short loc_89E268

loc_89E21F:				; CODE XREF: PipGetRegistrySecurityWithFallback(x,x,x,x,x)+110j
		test	eax, eax
		js	short loc_89E24E
		cmp	[ebp+var_8], 3
		jnz	short loc_89E24E
		push	0
		push	[ebp+var_4]
		push	esi
		call	_RtlValidRelativeSecurityDescriptor@12 ; RtlValidRelativeSecurityDescriptor(x,x,x)
		test	al, al
		jz	short loc_89E24E
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	1		; int
		push	1		; int
		push	0		; char
		push	esi		; size_t
		call	SeCaptureSecurityDescriptor
		test	eax, eax
		js	short loc_89E24E

loc_89E24C:				; CODE XREF: PipGetRegistrySecurityWithFallback(x,x,x,x,x)+144j
		mov	bl, 1

loc_89E24E:				; CODE XREF: PipGetRegistrySecurityWithFallback(x,x,x,x,x)+6Bj
					; PipGetRegistrySecurityWithFallback(x,x,x,x,x)+91j ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	bl, bl
		jz	short loc_89E264
		mov	eax, [ebp+var_C]

loc_89E25D:				; CODE XREF: PipGetRegistrySecurityWithFallback(x,x,x,x,x)+D6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_89E264:				; CODE XREF: PipGetRegistrySecurityWithFallback(x,x,x,x,x)+30j
					; PipGetRegistrySecurityWithFallback(x,x,x,x,x)+C8j ...
		xor	eax, eax
		jmp	short loc_89E25D
; 

loc_89E268:				; CODE XREF: PipGetRegistrySecurityWithFallback(x,x,x,x,x)+8Dj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	6E657050h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_89E264
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	esi
		lea	eax, [ebp+var_8]
		push	eax
		push	18h
		push	edi
		call	__CmGetInstallerClassRegProp@32	; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		jmp	loc_89E21F
; 

loc_89E2A5:				; CODE XREF: PipGetRegistrySecurityWithFallback(x,x,x,x,x)+60j
		cmp	[ebp+var_8], 3
		jnz	loc_89E1F6
		push	0
		push	[ebp+var_4]
		push	esi
		call	_RtlValidRelativeSecurityDescriptor@12 ; RtlValidRelativeSecurityDescriptor(x,x,x)
		test	al, al
		jz	loc_89E1F6
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	1		; int
		push	1		; int
		push	0		; char
		push	esi		; size_t
		call	SeCaptureSecurityDescriptor
		test	eax, eax
		jns	loc_89E24C
		jmp	loc_89E1F6
; 

loc_89E2DF:				; CODE XREF: PipGetRegistrySecurityWithFallback(x,x,x,x,x)+58j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	6E657050h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_89E264
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_4]
		push	0
		push	eax
		push	esi
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		push	18h
		push	[ebp+arg_0]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		jmp	loc_89E1EE
_PipGetRegistrySecurityWithFallback@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpValidateFilterDescriptors(x, x)
_EtwpValidateFilterDescriptors@8 proc near ; CODE XREF:	EtwpValidateEnableNotification+13Dp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_C], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_30]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebx+74h]
		cmp	eax, 0Dh
		ja	loc_89E3E5
		mov	ecx, [ebx+4]
		mov	esi, eax
		shl	esi, 4
		add	esi, 78h
		mov	[ebp+var_14], esi
		cmp	esi, ecx
		ja	loc_89E3E5
		xor	edx, edx
		lea	edi, [ebx+78h]
		and	[ebp+var_1C], edx
		mov	[ebp+var_10], edx
		test	eax, eax
		jz	loc_89E4D3

loc_89E370:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+1A8j
		mov	ecx, [edi+4]
		mov	eax, [edi]
		mov	[ebp+var_8], eax
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jb	short loc_89E3E5
		ja	short loc_89E385
		cmp	eax, esi
		jb	short loc_89E3E5

loc_89E385:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+5Dj
		mov	edx, [ebx+50h]
		test	dl, 20h
		jz	short loc_89E3C1
		mov	eax, [edi+0Ch]
		cmp	eax, 80001000h
		jz	short loc_89E3E5
		cmp	eax, 80000200h
		jz	short loc_89E3E5
		cmp	eax, 80000400h
		jz	short loc_89E3E5
		cmp	eax, 80002000h
		jz	short loc_89E3E5
		cmp	eax, 80000100h
		jz	short loc_89E3E5
		cmp	eax, 80000000h
		jz	short loc_89E3E5
		cmp	eax, 80000002h
		jz	short loc_89E3E5

loc_89E3C1:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+69j
		mov	ecx, [edi+0Ch]
		test	edx, 400h
		jz	short loc_89E3EF
		mov	edx, 80000100h
		cmp	ecx, edx
		jz	short loc_89E3E5
		cmp	ecx, 80000000h
		jz	short loc_89E3E5
		cmp	ecx, 80000002h
		jnz	short loc_89E3FC

loc_89E3E5:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+1Fj
					; EtwpValidateFilterDescriptors(x,x)+35j ...
		mov	eax, 0C000000Dh

loc_89E3EA:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+192j
					; EtwpValidateFilterDescriptors(x,x)+1BEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_89E3EF:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+A8j
		cmp	ecx, 80008000h
		jz	short loc_89E3E5
		mov	edx, 80000100h

loc_89E3FC:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+C1j
		mov	eax, [edi+8]
		cmp	eax, 400h
		jbe	short loc_89E412
		cmp	ecx, edx
		jz	short loc_89E416
		cmp	ecx, 80000400h
		jnz	short loc_89E3E5

loc_89E412:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+E2j
		cmp	ecx, edx
		jnz	short loc_89E41D

loc_89E416:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+E6j
		cmp	eax, 1000h
		ja	short loc_89E3E5

loc_89E41D:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+F2j
		cmp	ecx, 80000400h
		jz	short loc_89E42D
		cmp	ecx, 80002000h
		jnz	short loc_89E434

loc_89E42D:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+101j
		cmp	eax, 1000h
		ja	short loc_89E3E5

loc_89E434:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+109j
		and	[ebp+var_4], 0
		mov	edx, eax
		add	edx, [ebp+var_8]
		mov	esi, [ebp+var_18]
		adc	[ebp+var_4], esi
		cmp	[ebp+var_4], esi
		jb	short loc_89E3E5
		ja	short loc_89E44F
		cmp	edx, [ebp+var_8]
		jb	short loc_89E3E5

loc_89E44F:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+126j
		cmp	[ebp+var_4], 0
		mov	esi, [ebx+4]
		mov	[ebp+var_20], esi
		mov	esi, [ebp+var_14]
		ja	short loc_89E3E5
		jb	short loc_89E465
		cmp	edx, [ebp+var_20]
		ja	short loc_89E3E5

loc_89E465:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+13Cj
		mov	edx, [ebp+var_10]
		add	edx, eax
		mov	[ebp+var_10], edx
		cmp	ecx, 80000004h
		jnz	short loc_89E47D
		mov	eax, [ebp+var_C]
		mov	[eax+28h], edi
		jmp	short loc_89E4BD
; 

loc_89E47D:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+151j
		cmp	ecx, 80004000h
		jnz	short loc_89E48D
		mov	eax, [ebp+var_C]
		mov	[eax+20h], edi
		jmp	short loc_89E4BD
; 

loc_89E48D:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+161j
		mov	[ebp+var_28], eax
		xor	edx, edx
		mov	eax, ebx
		mov	[ebp+var_24], ecx
		add	eax, [ebp+var_8]
		mov	[ebp+var_30], eax
		lea	eax, [ebx+28h]
		adc	edx, [ebp+var_18]
		push	eax
		push	[ebp+var_C]
		mov	[ebp+var_2C], edx
		lea	edx, [ebp+var_30]
		call	EtwpAllocateFilter
		test	eax, eax
		js	loc_89E3EA
		mov	edx, [ebp+var_10]

loc_89E4BD:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+159j
					; EtwpValidateFilterDescriptors(x,x)+169j
		mov	eax, [ebp+var_1C]
		add	edi, 10h
		inc	eax
		mov	[ebp+var_1C], eax
		cmp	eax, [ebx+74h]
		jb	loc_89E370
		mov	ecx, [ebx+4]

loc_89E4D3:				; CODE XREF: EtwpValidateFilterDescriptors(x,x)+48j
		lea	eax, [esi+edx]
		cmp	eax, ecx
		jnz	loc_89E3E5
		xor	eax, eax
		jmp	loc_89E3EA
_EtwpValidateFilterDescriptors@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpAllocateFilter proc	near		; CODE XREF: EtwpValidateFilterDescriptors(x,x)+18Bp
					; EtwpValidateTraceControlFilterDescriptors(x,x,x,x)+125p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092F37F SIZE 000000E1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, edx
		cmp	ecx, 80000008h
		jz	loc_92F37F
		cmp	ecx, 80000010h
		jz	loc_92F396
		cmp	ecx, 80000020h
		jz	loc_92F39E
		cmp	ecx, 80008000h
		jz	loc_92F384
		cmp	ecx, 80001000h
		jz	loc_92F3A6
		cmp	ecx, 80000200h
		jnz	loc_92F408
		mov	ebx, [edi]
		mov	edi, [edi+8]
		lea	eax, [edi-6]
		cmp	eax, 3FAh
		ja	short loc_89E59C
		movzx	ecx, word ptr [ebx+2]
		mov	edx, ecx
		lea	eax, ds:4[edx*2]
		cmp	edi, eax
		jnz	short loc_89E59C
		test	cx, cx
		jz	short loc_89E59C
		cmp	ecx, 40h
		ja	short loc_89E59C
		test	edx, edx
		jz	short loc_89E57E
		lea	eax, [ebx+4]
		mov	edi, 0FFFFh

loc_89E571:				; CODE XREF: EtwpAllocateFilter+96j
		cmp	[eax], di
		jz	short loc_89E59C
		inc	esi
		add	eax, 2
		cmp	esi, edx
		jb	short loc_89E571

loc_89E57E:				; CODE XREF: EtwpAllocateFilter+81j
		mov	eax, [ebp+arg_0]
		add	eax, 10h

loc_89E584:				; CODE XREF: EtwpAllocateFilter+90F1Dj
		push	eax
		push	ecx
		mov	cl, [ebx]
		lea	edx, [ebx+4]
		call	EtwpCreatePerfectHashFunction

loc_89E590:				; CODE XREF: EtwpAllocateFilter+90EABj
					; EtwpAllocateFilter+90F3Fj ...
		mov	esi, eax

loc_89E592:				; CODE XREF: EtwpAllocateFilter+BBj
					; EtwpAllocateFilter+90F52j
		mov	eax, esi

loc_89E594:				; CODE XREF: EtwpAllocateFilter+90F64j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_89E59C:				; CODE XREF: EtwpAllocateFilter+62j
					; EtwpAllocateFilter+73j ...
		mov	esi, 0C000000Dh
		jmp	short loc_89E592
EtwpAllocateFilter endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpCreatePerfectHashFunction proc near	; CODE XREF: EtwpAllocateFilter+A5p

var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_20D		= dword	ptr -20Dh
var_209		= dword	ptr -209h
var_205		= byte ptr -205h
var_204		= dword	ptr -204h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092F460 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 220h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	[ebp+var_218], edx
		xor	esi, esi
		mov	edx, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_205], cl
		inc	esi
		movzx	ecx, dx
		dec	ecx
		mov	[ebp+var_220], eax
		mov	[ebp+var_21C], ebx
		mov	byte ptr [ebp+var_20D],	bl
		mov	[ebp+var_214], 3Fh
		push	edi
		mov	edi, ebx
		cmp	ecx, esi
		jle	short loc_89E612

loc_89E5F9:				; CODE XREF: EtwpCreatePerfectHashFunction+60j
		lea	eax, [esi+esi]
		or	eax, 1
		movzx	esi, ax
		cmp	esi, ecx
		jl	short loc_89E5F9
		push	40h
		pop	eax
		cmp	si, ax
		ja	loc_92F460

loc_89E612:				; CODE XREF: EtwpCreatePerfectHashFunction+53j
					; EtwpCreatePerfectHashFunction+C2j
		mov	byte ptr [ebp+var_209],	bl

loc_89E618:				; CODE XREF: EtwpCreatePerfectHashFunction+B1j
		push	[ebp+var_209]
		mov	ecx, [ebp+var_218]
		lea	eax, [ebp+var_204]
		push	esi
		push	eax
		call	_EtwpGetDirectMappingCount@20 ;	EtwpGetDirectMappingCount(x,x,x,x,x)
		movzx	ecx, ax
		mov	al, byte ptr [ebp+var_209]
		cmp	cx, di
		ja	loc_89E6DA

loc_89E643:				; CODE XREF: EtwpCreatePerfectHashFunction+147j
		mov	edx, [ebp+arg_0]
		cmp	cx, dx
		jz	short loc_89E668
		inc	al
		mov	byte ptr [ebp+var_209],	al
		cmp	al, 10h
		jb	short loc_89E618
		lea	eax, [esi+esi]
		or	eax, 1
		movzx	esi, ax
		push	40h
		pop	eax
		cmp	si, ax
		jbe	short loc_89E612

loc_89E668:				; CODE XREF: EtwpCreatePerfectHashFunction+A5j
		test	di, di
		jz	loc_92F460
		mov	edi, [ebp+var_214]
		lea	eax, [ebp+var_21C]
		mov	ecx, [ebp+var_218]
		push	eax
		lea	eax, [ebp+var_204]
		push	eax
		push	edi
		push	[ebp+var_20D]
		call	EtwpFillPerfectHashTable
		movzx	esi, ax
		push	46777445h
		lea	eax, ds:0Ah[esi*4]
		movzx	eax, ax
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_89E723
		mov	al, byte ptr [ebp+var_20D]
		cmp	[ebp+var_205], bl
		mov	[edx+1], al
		setnz	al
		mov	[edx+2], di
		mov	[edx], al
		xor	eax, eax
		mov	[edx+4], si
		jmp	short loc_89E703
; 

loc_89E6DA:				; CODE XREF: EtwpCreatePerfectHashFunction+99j
		movzx	edx, si
		mov	edi, ecx
		mov	byte ptr [ebp+var_20D],	al
		mov	[ebp+var_214], edx
		jmp	loc_89E643
; 

loc_89E6F0:				; CODE XREF: EtwpCreatePerfectHashFunction+162j
		movzx	ecx, bl
		inc	bl
		mov	eax, [ebp+ecx*4+var_204]
		mov	[edx+ecx*4+6], eax
		movzx	eax, bl

loc_89E703:				; CODE XREF: EtwpCreatePerfectHashFunction+134j
		cmp	ax, si
		jb	short loc_89E6F0
		mov	eax, [ebp+var_220]
		mov	[eax], edx
		xor	eax, eax

loc_89E712:				; CODE XREF: EtwpCreatePerfectHashFunction+184j
					; EtwpCreatePerfectHashFunction+90EC1j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_89E723:				; CODE XREF: EtwpCreatePerfectHashFunction+114j
		mov	eax, 0C0000017h
		jmp	short loc_89E712
EtwpCreatePerfectHashFunction endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetDirectMappingCount(x, x, x, x, x)
_EtwpGetDirectMappingCount@20 proc near	; CODE XREF: EtwpCreatePerfectHashFunction+88p

arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_0]
		add	eax, 2
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, 0FFFFh
		mov	ecx, 80h

loc_89E747:				; CODE XREF: EtwpGetDirectMappingCount(x,x,x,x,x)+26j
		mov	[eax], si
		lea	eax, [eax+4]
		sub	ecx, 1
		jnz	short loc_89E747
		xor	eax, eax
		push	eax
		pop	esi
		cmp	ax, dx
		jnb	short loc_89E790
		movzx	edx, dx

loc_89E75E:				; CODE XREF: EtwpGetDirectMappingCount(x,x,x,x,x)+64j
		movzx	eax, word ptr [edi]
		mov	cl, [ebp+arg_8]
		mov	[ebp+arg_0], eax
		ror	ax, cl
		movzx	ecx, ax
		movzx	eax, [ebp+arg_4]
		and	ecx, eax
		mov	eax, 0FFFFh
		cmp	[ebx+ecx*4+2], ax
		jnz	short loc_89E788
		mov	eax, [ebp+arg_0]
		inc	esi
		mov	[ebx+ecx*4+2], ax

loc_89E788:				; CODE XREF: EtwpGetDirectMappingCount(x,x,x,x,x)+53j
		add	edi, 2
		sub	edx, 1
		jnz	short loc_89E75E

loc_89E790:				; CODE XREF: EtwpGetDirectMappingCount(x,x,x,x,x)+2Fj
		pop	edi
		mov	ax, si
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_EtwpGetDirectMappingCount@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpFillPerfectHashTable proc near	; CODE XREF: EtwpCreatePerfectHashFunction+EEp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092F46A SIZE 00000155 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_4]
		push	ebx
		inc	eax
		mov	[ebp+var_4], ecx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	ecx, ecx
		push	edi
		mov	[ebp+var_10], eax
		mov	ebx, 0FFFFh
		movzx	edi, ax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_C], 0FFh
		mov	[eax], cx
		mov	eax, esi
		mov	ecx, 80h

loc_89E7D0:				; CODE XREF: EtwpFillPerfectHashTable+43j
		mov	[eax+2], bx
		mov	byte ptr [eax],	0FFh
		lea	eax, [eax+4]
		sub	ecx, 1
		jnz	short loc_89E7D0
		xor	eax, eax
		cmp	ax, dx
		jnb	short loc_89E830
		movzx	eax, dx
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_4]

loc_89E7EF:				; CODE XREF: EtwpFillPerfectHashTable+94j
		movzx	eax, word ptr [eax]
		xor	ebx, ebx
		mov	cl, byte ptr [ebp+arg_0]
		mov	[ebp+arg_8], eax
		ror	ax, cl
		and	ax, word ptr [ebp+arg_4]
		movzx	edx, ax
		mov	eax, edx

loc_89E806:				; CODE XREF: EtwpFillPerfectHashTable+90D04j
		mov	ecx, 0FFFFh
		cmp	[esi+eax*4+2], cx
		jnz	loc_92F46A

loc_89E816:				; CODE XREF: EtwpFillPerfectHashTable+90CDBj
		mov	ecx, [ebp+arg_8]
		movzx	eax, dx
		mov	[esi+eax*4+2], cx
		mov	eax, [ebp+var_4]
		add	eax, 2
		sub	[ebp+var_8], 1
		mov	[ebp+var_4], eax
		jnz	short loc_89E7EF

loc_89E830:				; CODE XREF: EtwpFillPerfectHashTable+4Aj
		lea	eax, [edi-1]
		xor	edx, edx
		movzx	ecx, ax
		mov	eax, [ebp+arg_4]
		movzx	eax, ax
		inc	eax
		mov	[ebp+arg_C], eax

loc_89E842:				; CODE XREF: EtwpFillPerfectHashTable+90D93j
		movzx	ebx, cx
		mov	[ebp+arg_8], ebx
		mov	[ebp+arg_0], ecx
		cmp	ebx, eax
		ja	loc_92F4A3

loc_89E853:				; CODE XREF: EtwpFillPerfectHashTable+90D0Dj
					; EtwpFillPerfectHashTable+90D37j
		mov	eax, [ebp+var_10]
		movzx	ecx, ax
		lea	eax, [edi-1]
		movzx	edx, ax
		mov	[ebp+arg_0], edx
		cmp	edx, [ebp+arg_C]
		ja	loc_92F532

loc_89E86B:				; CODE XREF: EtwpFillPerfectHashTable+90D9Bj
					; EtwpFillPerfectHashTable+90DBCj ...
		mov	ax, di
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
EtwpFillPerfectHashTable endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmSetDeviceRegPropWorker proc near	; CODE XREF: _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)+A7p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= word ptr  1Ch

; FUNCTION CHUNK AT 0092F5BF SIZE 00000126 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		movzx	eax, [ebp+arg_14]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], edx
		and	[ebp+var_4], esi
		mov	[ebp+var_C], ecx
		push	edi
		test	eax, eax
		jnz	loc_92F5BF
		mov	ebx, [ebp+arg_10]
		test	ebx, ebx
		jz	loc_92F5C9
		mov	ecx, [ebp+arg_C]
		mov	dword ptr [ebp+arg_14],	ecx
		test	ecx, ecx
		jz	loc_92F5BF

loc_89E8B1:				; CODE XREF: _CmSetDeviceRegPropWorker+90D56j
		mov	edi, [ebp+arg_4]
		lea	eax, [edi-1]
		cmp	eax, 24h
		ja	loc_89E99E
		cmp	edi, 25h
		ja	loc_89E99E
		movzx	eax, ds:byte_89E9AE[edi]
		jmp	ds:off_89E9A6[eax*4]

loc_89E8D7:				; DATA XREF: PAGE:0089E9AAo
		mov	edx, edi
		call	__CmDevicePropertyWrite@8 ; _CmDevicePropertyWrite(x,x)
		test	al, al
		jz	loc_92F5D1
		mov	ecx, edi
		call	__MapCmDevicePropertyToRegType@4 ; _MapCmDevicePropertyToRegType(x)
		test	eax, eax
		jz	loc_92F5DB
		cmp	[ebp+arg_8], eax
		jnz	loc_92F5BF
		cmp	edi, 8
		jz	loc_92F64C
		cmp	edi, 0Bh
		jz	loc_92F616
		cmp	edi, 18h
		jz	loc_92F5E5

loc_89E919:				; CODE XREF: _CmSetDeviceRegPropWorker+90D71j
					; _CmSetDeviceRegPropWorker+90D90j ...
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	loc_92F65A

loc_89E924:				; CODE XREF: _CmSetDeviceRegPropWorker+90E0Aj
		cmp	edi, 8
		jz	short loc_89E95F
		mov	edx, edi
		call	_MapCmDevicePropertyToRegValue
		mov	edx, eax
		test	edx, edx
		jz	short loc_89E99E
		cmp	[ebp+arg_10], 0
		jz	loc_92F685
		mov	ecx, ebx
		test	ebx, ebx
		jz	short loc_89E989

loc_89E946:				; CODE XREF: _CmSetDeviceRegPropWorker+116j
		push	[ebp+arg_10]
		push	dword ptr [ebp+arg_14]
		push	[ebp+arg_8]
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jz	short loc_89E98E
		test	eax, eax
		js	short loc_89E995

loc_89E95F:				; CODE XREF: _CmSetDeviceRegPropWorker+B1j
					; _CmSetDeviceRegPropWorker+121j ...
		test	esi, esi
		js	short loc_89E976
		test	ebx, ebx
		jz	short loc_89E999

loc_89E967:				; CODE XREF: _CmSetDeviceRegPropWorker+126j
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		push	edi
		push	ebx
		push	1
		call	_CmRaisePropertyChangeEvent

loc_89E976:				; CODE XREF: _CmSetDeviceRegPropWorker+EBj
					; _CmSetDeviceRegPropWorker+11Dj ...
		cmp	[ebp+var_4], 0
		jnz	loc_92F6D8

loc_89E980:				; CODE XREF: _CmSetDeviceRegPropWorker+90D4Ej
					; _CmSetDeviceRegPropWorker+90D60j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_89E989:				; CODE XREF: _CmSetDeviceRegPropWorker+CEj
		mov	ecx, [ebp+var_4]
		jmp	short loc_89E946
; 

loc_89E98E:				; CODE XREF: _CmSetDeviceRegPropWorker+E3j
		mov	esi, 0C000000Eh
		jmp	short loc_89E976
; 

loc_89E995:				; CODE XREF: _CmSetDeviceRegPropWorker+E7j
		mov	esi, eax
		jmp	short loc_89E95F
; 

loc_89E999:				; CODE XREF: _CmSetDeviceRegPropWorker+EFj
		mov	ebx, [ebp+var_4]
		jmp	short loc_89E967
; 

loc_89E99E:				; CODE XREF: _CmSetDeviceRegPropWorker+44j
					; _CmSetDeviceRegPropWorker+4Dj ...
		mov	esi, 0C0000230h
		jmp	short loc_89E976
_CmSetDeviceRegPropWorker endp

; 
		align 2
off_89E9A6	dd offset loc_89E99E	; DATA XREF: _CmSetDeviceRegPropWorker+5Ar
		dd offset loc_89E8D7
byte_89E9AE	db 0			; DATA XREF: _CmSetDeviceRegPropWorker+53r
		db 1
		dd 1000101h, 1010000h, 3 dup(1010101h),	10101h,	3 dup(1010101h)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmRaisePropertyChangeEvent proc near	; CODE XREF: _CmSetDeviceRegPropWorker+FBp
					; _PnpRaiseNtPlugPlayDevicePropertyChangeEvent+A1B33p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0092F6E5 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	_CmMapRegPropToPropertyKey
		mov	ebx, [ebp+arg_4]
		test	eax, eax
		jz	short loc_89EA0A
		mov	ecx, [ebp+arg_0]
		push	eax
		push	0
		push	ebx
		call	_CmMapCmObjectTypeToPnpObjectType
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	_PnpObjectRaisePropertyChangeEvent

loc_89EA0A:				; CODE XREF: _CmRaisePropertyChangeEvent+1Ej
		mov	eax, [esi+104h]
		test	eax, eax
		jnz	loc_92F6E5

loc_89EA18:				; CODE XREF: _CmRaisePropertyChangeEvent+90D27j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_CmRaisePropertyChangeEvent endp

; 
		align 10h

;  S U B	R O U T	I N E 


_CmMapRegPropToPropertyKey proc	near	; CODE XREF: _CmRaisePropertyChangeEvent+14p

; FUNCTION CHUNK AT 0092F700 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebx
		xor	eax, eax
		mov	ebx, edx
		push	edi
		sub	ecx, 1
		jnz	loc_92F700
		mov	ecx, offset __CmDeviceRegPropMap
		push	21h

loc_89EA38:				; CODE XREF: _CmMapRegPropToPropertyKey+90CF0j
		pop	edi
		push	esi
		mov	esi, eax

loc_89EA3C:				; CODE XREF: _CmMapRegPropToPropertyKey+2Bj
		mov	edx, ecx
		cmp	[ecx+8], ebx
		jz	short loc_89EA4D
		inc	esi
		add	ecx, 10h
		mov	edx, eax
		cmp	esi, edi
		jb	short loc_89EA3C

loc_89EA4D:				; CODE XREF: _CmMapRegPropToPropertyKey+21j
		pop	esi
		test	edx, edx
		jz	short loc_89EA54
		mov	eax, [edx]

loc_89EA54:				; CODE XREF: _CmMapRegPropToPropertyKey+30j
					; _CmMapRegPropToPropertyKey+90CE3j
		pop	edi
		pop	ebx
		retn
_CmMapRegPropToPropertyKey endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmIsDeviceRegPropWritable(x, x, x)
__CmIsDeviceRegPropWritable@12 proc near ; CODE	XREF: PiPnpRtlCmActionCallback+1DFp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		lea	eax, [edx-1]
		xor	esi, esi
		cmp	eax, 24h
		ja	short loc_89EA8C
		cmp	edx, 25h
		ja	short loc_89EA8C
		movzx	eax, ds:byte_89EA9C[edx]
		jmp	ds:off_89EA94[eax*4]

loc_89EA7B:				; DATA XREF: PAGE:0089EA98o
		call	__CmDevicePropertyWrite@8 ; _CmDevicePropertyWrite(x,x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx], al

loc_89EA85:				; CODE XREF: _CmIsDeviceRegPropWritable(x,x,x)+39j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_89EA8C:				; CODE XREF: _CmIsDeviceRegPropWritable(x,x,x)+Ej
					; _CmIsDeviceRegPropWritable(x,x,x)+13j ...
		mov	esi, 0C0000230h
		jmp	short loc_89EA85
__CmIsDeviceRegPropWritable@12 endp

; 
		align 4
off_89EA94	dd offset loc_89EA8C	; DATA XREF: _CmIsDeviceRegPropWritable(x,x,x)+1Cr
		dd offset loc_89EA7B
byte_89EA9C	db 0			; DATA XREF: _CmIsDeviceRegPropWritable(x,x,x)+15r
		db 3 dup(1)
		dd 100h, 4 dup(1010101h), 1010001h, 2 dup(1010101h)
; 
		add	[ecx], eax

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpWriteToEtw(x, x)
_AdtpWriteToEtw@8 proc near		; CODE XREF: SepRmCallLsa+118p

var_BFC		= dword	ptr -0BFCh
var_BF8		= dword	ptr -0BF8h
var_BF4		= dword	ptr -0BF4h
var_BF0		= dword	ptr -0BF0h
var_BEC		= dword	ptr -0BECh
var_BE8		= word ptr -0BE8h
var_BE5		= word ptr -0BE5h
var_BE3		= byte ptr -0BE3h
var_BE2		= word ptr -0BE2h
var_BE0		= dword	ptr -0BE0h
var_BDC		= dword	ptr -0BDCh
var_BD8		= dword	ptr -0BD8h
var_BD0		= dword	ptr -0BD0h
var_8D8		= dword	ptr -8D8h
var_838		= dword	ptr -838h
var_34		= dword	ptr -34h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BFCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_838]
		push	800h		; size_t
		mov	esi, edx
		mov	[ebp+var_BEC], ebx
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_BFC], esi
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_8D8]
		push	0A0h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_34]
		push	30h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi], bl
		xor	edx, edx
		mov	ecx, edi
		call	AdtpNormalizeAuditInfoHelper
		cmp	[edi+28h], ebx
		jnz	short loc_89EB3F
		mov	esi, 0C000000Dh
		jmp	loc_89EDB1
; 

loc_89EB3F:				; CODE XREF: AdtpWriteToEtw(x,x)+71j
		push	8
		pop	eax
		mov	[ebp+var_BF8], 80200000h
		cmp	[edi+12h], ax
		jz	short loc_89EB5C
		mov	[ebp+var_BF8], 80100000h

loc_89EB5C:				; CODE XREF: AdtpWriteToEtw(x,x)+8Ej
		lea	eax, [ebp+var_34]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_BEC]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_BD8]
		push	eax
		lea	eax, [ebp+var_8D8]
		push	eax
		lea	eax, [ebp+var_838]
		push	eax
		push	2
		call	AdtpPackageParameters
		mov	esi, eax
		test	esi, esi
		js	loc_89EDB1
		movzx	eax, word ptr [edi+10h]
		test	ax, ax
		jz	short loc_89EBBE
		lea	ecx, [ebp+var_BF4]
		mov	[ebp+var_BF0], ebx
		push	ecx
		mov	ecx, eax
		mov	[ebp+var_BF4], ebx
		lea	edx, [ebp+var_BF0]
		call	AdtpGetCategoryAndSubCategoryId
		test	eax, eax
		jns	short loc_89EBC5

loc_89EBBE:				; CODE XREF: AdtpWriteToEtw(x,x)+D6j
		mov	esi, 0FF00h
		jmp	short loc_89EBDA
; 

loc_89EBC5:				; CODE XREF: AdtpWriteToEtw(x,x)+FAj
		mov	eax, [ebp+var_BF0]
		add	eax, 30h
		shl	eax, 8
		add	eax, [ebp+var_BF4]
		movzx	esi, ax

loc_89EBDA:				; CODE XREF: AdtpWriteToEtw(x,x)+101j
		mov	eax, [edi+4]
		mov	ecx, 1349h
		cmp	eax, ecx
		ja	short loc_89EC59
		jz	loc_89EC8F
		mov	ecx, 1237h
		cmp	eax, ecx
		ja	short loc_89EC20
		jz	loc_89EC8F
		sub	eax, 1208h
		jz	loc_89EC8F
		sub	eax, 8
		jz	loc_89ED68
		sub	eax, 1Eh
		jz	short loc_89EC8F
		push	2
		pop	ecx
		sub	eax, ecx
		jz	short loc_89EC8F
		sub	eax, 5
		jmp	short loc_89EC8D
; 

loc_89EC20:				; CODE XREF: AdtpWriteToEtw(x,x)+131j
		cmp	eax, 1250h
		jz	loc_89ED68
		cmp	eax, 1258h
		jbe	short loc_89EC55
		cmp	eax, 125Eh
		jbe	short loc_89EC8F
		cmp	eax, 126Fh
		jz	short loc_89EC8F
		cmp	eax, 12D0h
		jz	short loc_89EC8F
		cmp	eax, 133Fh
		jbe	short loc_89EC55
		cmp	eax, 1345h

loc_89EC53:				; CODE XREF: AdtpWriteToEtw(x,x)+273j
					; AdtpWriteToEtw(x,x)+2A1j
		jbe	short loc_89EC8F

loc_89EC55:				; CODE XREF: AdtpWriteToEtw(x,x)+16Ej
					; AdtpWriteToEtw(x,x)+18Aj ...
		mov	cl, bl
		jmp	short loc_89EC91
; 

loc_89EC59:				; CODE XREF: AdtpWriteToEtw(x,x)+122j
		cmp	eax, 154Ch
		ja	loc_89ED3A
		cmp	eax, 154Bh
		jnb	short loc_89EC8F
		mov	ecx, 1414h
		cmp	eax, ecx
		ja	loc_89ED0F
		jz	short loc_89EC8F
		cmp	eax, 13C2h
		jb	short loc_89EC55
		cmp	eax, 13C3h
		jbe	short loc_89EC8F
		cmp	eax, 1405h

loc_89EC8D:				; CODE XREF: AdtpWriteToEtw(x,x)+15Cj
		jnz	short loc_89EC55

loc_89EC8F:				; CODE XREF: AdtpWriteToEtw(x,x)+124j
					; AdtpWriteToEtw(x,x)+133j ...
		mov	cl, 1

loc_89EC91:				; CODE XREF: AdtpWriteToEtw(x,x)+195j
					; AdtpWriteToEtw(x,x)+2A9j ...
		mov	ax, [edi+4]
		mov	[ebp+var_BE8], ax
		mov	eax, ebx
		mov	[ebp+var_BE0], eax
		mov	eax, [ebp+var_BF8]
		mov	[ebp+var_BDC], eax
		xor	eax, eax
		mov	[ebp-0BE6h], cl
		mov	ecx, [ebp+var_BEC]
		mov	[ebp+var_BE5], 0Ah
		mov	[ebp+var_BE2], si
		mov	[ebp+var_BE3], bl
		cmp	ax, cx
		jnb	loc_89ED7F
		lea	eax, [ebp+var_BD0]
		movzx	edx, cx

loc_89ECE6:				; CODE XREF: AdtpWriteToEtw(x,x)+22Cj
		add	ebx, [eax]
		lea	eax, [eax+10h]
		sub	edx, 1
		jnz	short loc_89ECE6
		cmp	ebx, 0DC00h
		jbe	loc_89ED7F
		mov	eax, [ebp+var_BFC]
		mov	esi, 80000005h
		mov	byte ptr [eax],	1
		jmp	loc_89EDB7
; 

loc_89ED0F:				; CODE XREF: AdtpWriteToEtw(x,x)+1B0j
		cmp	eax, 1424h
		jb	loc_89EC55
		cmp	eax, 1425h
		jbe	loc_89EC8F
		cmp	eax, 14FFh
		jbe	loc_89EC55
		cmp	eax, 1501h
		jmp	loc_89EC53
; 

loc_89ED3A:				; CODE XREF: AdtpWriteToEtw(x,x)+19Cj
		cmp	eax, 1600h
		jz	loc_89EC8F
		cmp	eax, 1650h
		jz	short loc_89ED70
		cmp	eax, 187Fh
		jbe	loc_89EC55
		cmp	eax, 1881h
		jbe	short loc_89ED68
		cmp	eax, 1883h
		jmp	loc_89EC53
; 

loc_89ED68:				; CODE XREF: AdtpWriteToEtw(x,x)+147j
					; AdtpWriteToEtw(x,x)+163j ...
		push	2
		pop	ecx
		jmp	loc_89EC91
; 

loc_89ED70:				; CODE XREF: AdtpWriteToEtw(x,x)+288j
		call	_Feature_Servicing_Opnum_Filter__private_IsEnabledDeviceUsage@0	; Feature_Servicing_Opnum_Filter__private_IsEnabledDeviceUsage()
		test	eax, eax
		setnz	cl
		jmp	loc_89EC91
; 

loc_89ED7F:				; CODE XREF: AdtpWriteToEtw(x,x)+215j
					; AdtpWriteToEtw(x,x)+234j
		movzx	eax, cx
		lea	edx, [ebp+var_BD8]
		neg	eax
		sbb	eax, eax
		and	eax, edx
		push	eax
		movzx	eax, cx
		lea	ecx, [ebp+var_BE8]
		push	eax
		call	_EtwWriteKMSecurityEvent@16 ; EtwWriteKMSecurityEvent(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C00002FEh
		jnz	short loc_89EDB1
		mov	eax, [ebp+var_BFC]
		mov	byte ptr [eax],	1

loc_89EDB1:				; CODE XREF: AdtpWriteToEtw(x,x)+78j
					; AdtpWriteToEtw(x,x)+C9j ...
		mov	ecx, [ebp+var_BEC]

loc_89EDB7:				; CODE XREF: AdtpWriteToEtw(x,x)+248j
		movzx	eax, cx
		lea	edx, [ebp+var_BD8]
		push	eax
		lea	ecx, [ebp+var_34]
		call	_AdtpCleanupParameterAllocations@12 ; AdtpCleanupParameterAllocations(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AdtpWriteToEtw@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AdtpGetCategoryAndSubCategoryId	proc near ; CODE XREF: AdtpWriteToEtwEx(x,x)+F1p
					; AdtpWriteToEtw(x,x)+F3p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092F715 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		add	ecx, 0FFFFFF9Ch
		xor	edi, edi
		mov	ebx, edx
		cmp	ecx, 3Bh
		ja	short loc_89EE2F
		mov	esi, [ebp+arg_0]
		test	ebx, ebx
		jz	loc_92F715

loc_89EDF9:				; CODE XREF: AdtpGetCategoryAndSubCategoryId+90943j
		mov	edx, edi

loc_89EDFB:				; CODE XREF: AdtpGetCategoryAndSubCategoryId+35j
		movzx	eax, ds:_AdtpPerCategoryCount[edx*2]
		add	eax, edi
		cmp	eax, ecx
		ja	short loc_89EE18
		inc	edx
		mov	edi, eax
		cmp	edx, 9
		jb	short loc_89EDFB
		mov	eax, 0C0000001h
		jmp	short loc_89EE28
; 

loc_89EE18:				; CODE XREF: AdtpGetCategoryAndSubCategoryId+2Dj
		test	ebx, ebx
		jz	short loc_89EE1E
		mov	[ebx], edx

loc_89EE1E:				; CODE XREF: AdtpGetCategoryAndSubCategoryId+40j
		test	esi, esi
		jz	short loc_89EE26
		sub	ecx, edi
		mov	[esi], ecx

loc_89EE26:				; CODE XREF: AdtpGetCategoryAndSubCategoryId+46j
		xor	eax, eax

loc_89EE28:				; CODE XREF: AdtpGetCategoryAndSubCategoryId+3Cj
					; AdtpGetCategoryAndSubCategoryId+5Aj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_89EE2F:				; CODE XREF: AdtpGetCategoryAndSubCategoryId+12j
					; AdtpGetCategoryAndSubCategoryId+9093Dj
		mov	eax, 0C000000Dh
		jmp	short loc_89EE28
AdtpGetCategoryAndSubCategoryId	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AdtpEtwBuildString proc	near		; CODE XREF: AdtpPackageParameters+D3p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0092F722 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_10], ecx
		push	esi
		push	edi
		movzx	eax, word ptr [ebx]
		movzx	esi, word ptr [ebx+2]
		mov	edx, eax
		mov	[ebp+var_8], edx
		shr	edx, 1
		cmp	si, ax
		mov	eax, [ebp+var_4]
		mov	[ebp+var_C], esi
		lea	edi, [edx+1]
		jbe	short loc_89EE73
		mov	esi, [ebx+4]
		cmp	[esi+edi*2-2], ax
		jz	short loc_89EEBA
		mov	esi, [ebp+var_C]

loc_89EE73:				; CODE XREF: AdtpEtwBuildString+2Ej
		cmp	si, word ptr [ebp+var_8]
		jz	short loc_89EED4

loc_89EE79:				; CODE XREF: AdtpEtwBuildString+A1j
					; AdtpEtwBuildString+ABj
		mov	ecx, [ebp+arg_4]
		mov	edx, [ecx]
		lea	eax, [edx+edi]
		cmp	eax, 400h
		jnb	loc_92F722
		mov	eax, [ebp+arg_0]
		lea	esi, [eax+edx*2]
		lea	eax, [edx+edi]
		mov	[ecx], eax
		mov	eax, [ebp+var_8]
		movzx	eax, ax

loc_89EE9D:				; CODE XREF: AdtpEtwBuildString+90915j
		movzx	eax, ax
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		push	esi		; void *
		call	_memcpy
		mov	ecx, [ebp+var_10]
		add	esp, 0Ch
		xor	eax, eax
		mov	[esi+edi*2-2], ax
		mov	eax, [ebp+var_4]

loc_89EEBA:				; CODE XREF: AdtpEtwBuildString+38j
					; AdtpEtwBuildString+AFj
		mov	[ecx+4], eax
		lea	eax, [edi+edi]
		mov	[ecx+8], eax
		mov	eax, [ebp+var_4]
		mov	[ecx+0Ch], eax
		xor	eax, eax
		mov	[ecx], esi

loc_89EECD:				; CODE XREF: AdtpEtwBuildString+90907j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_89EED4:				; CODE XREF: AdtpEtwBuildString+41j
		cmp	edi, 1
		jbe	short loc_89EE79
		mov	esi, [ebx+4]
		cmp	[esi+edi*2-4], ax
		jnz	short loc_89EE79
		mov	edi, edx
		jmp	short loc_89EEBA
AdtpEtwBuildString endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpSubstituteDriveLetter(x)
_AdtpSubstituteDriveLetter@4 proc near	; CODE XREF: AdtpPackageParameters+B5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		lea	edx, [ebp+var_4]
		push	ebx
		push	eax
		mov	ebx, ecx
		call	_AdtpLookupDriveLetter@12 ; AdtpLookupDriveLetter(x,x,x)
		test	al, al
		jz	short loc_89EF46
		mov	ax, [ebx]
		mov	edx, [ebx+4]
		mov	ecx, [ebp+var_4]
		sub	ax, cx
		push	esi
		push	edi
		movzx	edi, ax
		mov	esi, edx
		mov	ax, word ptr [ebp+var_8]
		push	3Ah
		mov	[esi], ax
		pop	eax
		mov	[esi+2], ax
		movzx	eax, cx
		add	eax, edx
		push	edi		; size_t
		push	eax		; void *
		lea	eax, [esi+4]
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch
		lea	eax, [edi+4]
		mov	[ebx], ax
		pop	edi
		pop	esi

loc_89EF46:				; CODE XREF: AdtpSubstituteDriveLetter(x)+20j
		pop	ebx
		leave
		retn
_AdtpSubstituteDriveLetter@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpLookupDriveLetter(x, x,	x)
_AdtpLookupDriveLetter@12 proc near	; CODE XREF: AdtpSubstituteDriveLetter(x)+19p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	19h
		mov	[ebp+var_8], edx
		mov	edi, ecx
		pop	ebx
		mov	esi, offset unk_A9AC28

loc_89EF61:				; CODE XREF: AdtpLookupDriveLetter(x,x,x)+27j
		cmp	dword ptr [esi+4], 0
		jnz	short loc_89EF77

loc_89EF67:				; CODE XREF: AdtpLookupDriveLetter(x,x,x)+38j
					; AdtpLookupDriveLetter(x,x,x)+61j
		sub	esi, 0Ch
		dec	ebx
		cmp	esi, offset unk_A9AAFC
		jge	short loc_89EF61
		xor	al, al
		jmp	short loc_89EFCE
; 

loc_89EF77:				; CODE XREF: AdtpLookupDriveLetter(x,x,x)+1Bj
		movzx	eax, word ptr [esi]
		movzx	ecx, word ptr [edi]
		mov	edx, eax
		cmp	ax, cx
		jnb	short loc_89EF67
		mov	[ebp+var_4], ecx
		mov	ecx, edx
		mov	[edi], ax
		mov	eax, [edi+4]
		shr	ecx, 1
		cmp	word ptr [eax+ecx*2], 5Ch
		jnz	short loc_89EFA5
		push	1
		push	esi
		push	edi
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_89EFAD

loc_89EFA5:				; CODE XREF: AdtpLookupDriveLetter(x,x,x)+4Cj
		mov	eax, [ebp+var_4]
		mov	[edi], ax
		jmp	short loc_89EF67
; 

loc_89EFAD:				; CODE XREF: AdtpLookupDriveLetter(x,x,x)+59j
		mov	eax, [ebp+var_4]
		imul	ecx, ebx, 0Ch
		mov	[edi], ax
		mov	al, 1
		mov	dx, ds:_DriveMappingArray[ecx]
		mov	ecx, [ebp+arg_0]
		mov	[ecx], dx
		mov	edx, [ebp+var_8]
		mov	cx, [esi]
		mov	[edx], cx

loc_89EFCE:				; CODE XREF: AdtpLookupDriveLetter(x,x,x)+2Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_AdtpLookupDriveLetter@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AdtpBuildMessageString proc near	; CODE XREF: AdtpPackageParameters+129p

var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0092F750 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	dword ptr [ebp+var_4], ecx
		push	esi
		push	edi
		test	ebx, ebx
		jz	short loc_89F05C
		mov	edx, [ebp+arg_8]
		xor	ecx, ecx
		mov	esi, [edx]
		lea	edi, [esi+0Dh]
		cmp	edi, 400h
		jnb	loc_92F750
		mov	eax, [ebp+arg_4]
		mov	[edx], edi
		lea	esi, [eax+esi*2]
		mov	al, cl

loc_89F009:				; CODE XREF: AdtpBuildMessageString+9079Bj
		push	dword ptr [ebp+var_4] ;	char
		mov	edi, [ebp+arg_C]
		push	offset ??_C@_1O@PEHDFMOI@?$AA?$CF?$AA?$CF?$AA?$CF?$AA?$CF?$AA?$CF?$AAu@NNGAKEGL@ ; "%%%%%u"
		push	0Dh		; int
		push	esi		; wchar_t *
		mov	[edi], al
		call	StringCchPrintfW
		add	esp, 10h
		test	eax, eax
		js	loc_92F776
		mov	ecx, esi
		xor	edi, edi
		lea	edx, [ecx+2]

loc_89F030:				; CODE XREF: AdtpBuildMessageString+63j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_89F030
		sub	ecx, edx
		mov	[ebx], esi
		sar	ecx, 1
		xor	edx, edx
		mov	[ebx+4], edx
		mov	[ebx+0Ch], edx
		lea	eax, ds:2[ecx*2]
		mov	[ebx+8], eax
		xor	eax, eax

loc_89F055:				; CODE XREF: AdtpBuildMessageString+8Bj
					; AdtpBuildMessageString+90793j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_89F05C:				; CODE XREF: AdtpBuildMessageString+11j
					; AdtpBuildMessageString+907A3j ...
		mov	eax, 0C000000Dh
		jmp	short loc_89F055
AdtpBuildMessageString endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AdtpBuildLogonIdStrings	proc near	; CODE XREF: AdtpPackageParameters+180p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0092F78F SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		mov	eax, edx
		mov	edx, [ebp+arg_4]
		push	edi
		push	eax
		push	esi
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		call	SepGetLogonSessionAccountInfo
		mov	edi, eax
		xor	ebx, ebx
		test	edi, edi
		js	loc_92F78F
		mov	eax, [ebp+arg_4]
		mov	esi, offset ??_C@_13IMODFHAA@?$AA?9@NNGAKEGL@
		cmp	[eax+4], ebx
		jnz	short loc_89F0CC
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_89F0A3:				; CODE XREF: AdtpBuildLogonIdStrings+6Ej
		mov	eax, [ebp+arg_C]
		cmp	[eax+4], ebx
		jnz	short loc_89F0D4
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_89F0B2:				; CODE XREF: AdtpBuildLogonIdStrings+76j
		cmp	[ebp+var_4], ebx
		jnz	short loc_89F0C0

loc_89F0B7:				; CODE XREF: AdtpBuildLogonIdStrings+61j
					; AdtpBuildLogonIdStrings+66j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_89F0C0:				; CODE XREF: AdtpBuildLogonIdStrings+51j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_89F0B7
		mov	byte ptr [eax],	1
		jmp	short loc_89F0B7
; 

loc_89F0CC:				; CODE XREF: AdtpBuildLogonIdStrings+36j
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	1
		jmp	short loc_89F0A3
; 

loc_89F0D4:				; CODE XREF: AdtpBuildLogonIdStrings+45j
		mov	eax, [ebp+arg_10]
		mov	byte ptr [eax],	1
		jmp	short loc_89F0B2
AdtpBuildLogonIdStrings	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepGetLogonSessionAccountInfo proc near	; CODE XREF: AdtpBuildLogonIdStrings+1Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092F804 SIZE 000000F5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		xor	edi, edi
		imul	esi, [ebx], 5B250A24h
		shr	esi, 1Ch
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, esi
		and	eax, 3
		imul	eax, 38h
		push	1
		lea	eax, _SepRmDbLock[eax]
		push	eax
		mov	[ebp+var_C], eax
		call	ExAcquireResourceSharedLite
		mov	eax, ds:_SepLogonSessions
		mov	esi, [eax+esi*4]
		test	esi, esi
		jz	loc_92F80E
		mov	ecx, [ebx]

loc_89F130:				; CODE XREF: SepGetLogonSessionAccountInfo+9072Cj
		cmp	ecx, [esi+4]
		jnz	loc_92F804
		mov	eax, [ebx+4]
		cmp	eax, [esi+8]
		jnz	loc_92F804
		mov	eax, [esi+24h]
		xor	ebx, ebx
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		mov	[edx], eax
		mov	eax, [esi+28h]
		mov	[edx+4], eax
		mov	eax, [esi+2Ch]
		mov	[ecx], eax
		mov	eax, [esi+30h]
		mov	[ecx+4], eax
		and	[edx+4], edi
		and	[ecx+4], edi
		cmp	[esi+28h], ebx
		jnz	loc_92F818

loc_89F172:				; CODE XREF: SepGetLogonSessionAccountInfo+90757j
		cmp	[esi+30h], ebx
		jnz	loc_92F838

loc_89F17B:				; CODE XREF: SepGetLogonSessionAccountInfo+90775j
					; SepGetLogonSessionAccountInfo+90780j
		mov	eax, [esi+20h]
		mov	[ebp+var_8], eax
		test	edi, edi
		js	loc_92F895
		cmp	[ebp+arg_4], ebx
		jnz	short loc_89F1E7

loc_89F18E:				; CODE XREF: SepGetLogonSessionAccountInfo+10Dj
					; SepGetLogonSessionAccountInfo+907A9j	...
		test	edi, edi
		js	loc_92F895
		movzx	eax, word ptr [esi+26h]
		push	eax		; size_t
		mov	eax, [ebp+var_4]
		push	dword ptr [esi+28h] ; void *
		push	dword ptr [eax+4] ; void *
		call	_memcpy
		movzx	eax, word ptr [esi+2Eh]
		add	esp, 0Ch
		push	eax		; size_t
		mov	eax, [ebp+arg_0]
		push	dword ptr [esi+30h] ; void *
		push	dword ptr [eax+4] ; void *
		call	_memcpy
		add	esp, 0Ch
		test	ebx, ebx
		jnz	loc_92F8CE

loc_89F1CA:				; CODE XREF: SepGetLogonSessionAccountInfo+90737j
					; SepGetLogonSessionAccountInfo+907DFj	...
		mov	ecx, [ebp+var_C]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_89F1E7:				; CODE XREF: SepGetLogonSessionAccountInfo+B0j
		test	eax, eax
		jz	short loc_89F18E
		jmp	loc_92F861
SepGetLogonSessionAccountInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetRootDevices proc near		; CODE XREF: IopPnPDispatch+31Dp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092F8F9 SIZE 00000074 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+38h+var_20], ecx
		lea	edi, [esp+38h+var_10]
		stosd
		push	64647050h
		push	400h
		push	1
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[esp+44h+var_2C], edi
		mov	ebx, edi
		mov	[esp+44h+var_18], edi
		mov	[esp+44h+var_14], edi
		mov	[ecx], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+38h+var_4], eax
		test	eax, eax
		jz	loc_92F963
		mov	eax, large fs:124h
		mov	[esp+38h+var_C], 100h
		mov	[esp+38h+var_8], edi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		mov	[esp+38h+var_28], 800h
		mov	esi, 0C0000023h

loc_89F26E:				; CODE XREF: IopGetRootDevices+DAj
		cmp	edi, 5
		jnb	loc_89F3D0
		xor	esi, esi
		test	ebx, ebx
		jnz	loc_92F8F9

loc_89F281:				; CODE XREF: IopGetRootDevices+90710j
		mov	eax, [esp+38h+var_28]
		push	64647050h
		add	eax, eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+38h+var_1C], ebx
		test	ebx, ebx
		jz	loc_92F959
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+3Ch+var_28]
		push	eax
		push	[esp+40h+var_28]
		mov	edx, offset ??_C@_19LFKAPJKP@?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@ ; "Root"
		push	ebx
		push	esi
		push	esi
		push	1
		call	_CmGetMatchingFilteredDeviceList
		mov	esi, eax
		inc	edi
		cmp	esi, 0C0000023h
		jz	short loc_89F26E
		test	esi, esi
		js	loc_89F3D0
		xor	esi, esi
		mov	edi, ebx
		mov	[esp+38h+var_10], esi
		cmp	[ebx], si
		jz	loc_89F36C

loc_89F2E5:				; CODE XREF: IopGetRootDevices+176j
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+38h+var_2C]
		push	esi
		push	eax
		push	esi
		push	0F003Fh
		push	esi
		push	10h
		mov	edx, edi
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_92F943
		push	edi
		lea	eax, [esp+3Ch+var_18]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_89F336
		mov	ecx, [esp+38h+var_2C]
		lea	eax, [esp+38h+var_10]
		push	eax
		lea	edx, [esp+3Ch+var_18]
		call	IopInitializeDeviceInstanceKey
		test	eax, eax
		jz	loc_92F905

loc_89F336:				; CODE XREF: IopGetRootDevices+12Aj
		push	[esp+38h+var_2C]
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_92F943
		mov	ecx, edi
		xor	esi, esi
		lea	edx, [ecx+2]

loc_89F34E:				; CODE XREF: IopGetRootDevices+167j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_89F34E
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], si
		jnz	loc_89F2E5

loc_89F36C:				; CODE XREF: IopGetRootDevices+EFj
					; IopGetRootDevices+9071Ej
		mov	esi, [esp+38h+var_10]
		test	esi, esi
		js	loc_92F943
		mov	edi, [esp+38h+var_8]
		test	edi, edi
		jz	loc_92F94F
		push	64647050h
		lea	eax, ds:8[edi*4]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+38h+var_24], ecx
		test	ecx, ecx
		jz	loc_92F913
		mov	eax, edi
		mov	[ecx], edi
		shl	eax, 2
		push	eax		; size_t
		push	[esp+3Ch+var_4]	; void *
		lea	eax, [ecx+4]
		push	eax		; void *
		call	_memcpy
		mov	ecx, [esp+44h+var_20]
		add	esp, 0Ch
		mov	eax, [esp+38h+var_24]
		mov	[ecx], eax

loc_89F3C8:				; CODE XREF: IopGetRootDevices+90759j
					; IopGetRootDevices+90764j
		test	esi, esi
		js	loc_92F918

loc_89F3D0:				; CODE XREF: IopGetRootDevices+81j
					; IopGetRootDevices+DEj ...
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	0
		push	[esp+3Ch+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jz	short loc_89F3FD
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_89F3FD:				; CODE XREF: IopGetRootDevices+203j
		mov	eax, esi

loc_89F3FF:				; CODE XREF: IopGetRootDevices+90778j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
IopGetRootDevices endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInitializeDeviceInstanceKey proc near ; CODE	XREF: IopGetRootDevices+139p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0092F96D SIZE 000001A4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_C], edx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_20], ecx
		push	eax
		push	ebx
		mov	edx, offset ??_C@_1BA@LEPEEO@?$AAP?$AAh?$AAa?$AAn?$AAt?$AAo?$AAm@NNGAKEGL@ ; "Phantom"
		mov	[ebp+var_4], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_14], ebx
		call	IopGetRegistryValue
		test	eax, eax
		jns	loc_92F96D

loc_89F43C:				; CODE XREF: IopInitializeDeviceInstanceKey+90589j
		mov	ebx, [ebp+arg_0]
		mov	esi, [ebx+4]
		cmp	[ebx+8], esi
		jz	loc_92F99A

loc_89F44B:				; CODE XREF: IopInitializeDeviceInstanceKey+905D4j
		mov	ecx, [ebp+var_C]
		mov	edx, 746C6644h
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	edx, eax
		mov	[ebp+var_10], edx
		test	edx, edx
		jz	short loc_89F486
		mov	ecx, edx
		call	_IopIsRootEnumeratedDeviceObjectActive@4 ; IopIsRootEnumeratedDeviceObjectActive(x)
		test	al, al
		jz	loc_92F9EA
		mov	ecx, [ebx+8]
		mov	eax, [ebx+0Ch]
		mov	[eax+ecx*4], edx

loc_89F479:				; CODE XREF: IopInitializeDeviceInstanceKey+283j
		inc	dword ptr [ebx+8]

loc_89F47C:				; CODE XREF: IopInitializeDeviceInstanceKey+9058Fj
					; IopInitializeDeviceInstanceKey+905EBj
		xor	eax, eax
		inc	eax

loc_89F47F:				; CODE XREF: IopInitializeDeviceInstanceKey+90706j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_89F486:				; CODE XREF: IopInitializeDeviceInstanceKey+59j
		lea	ecx, [ebp+var_10]
		call	_IopCreateRootEnumeratedDeviceObject@4 ; IopCreateRootEnumeratedDeviceObject(x)
		test	eax, eax
		js	loc_92FB08
		mov	esi, [ebp+var_10]
		lea	edx, [ebp+var_14]
		mov	ecx, esi
		or	dword ptr [esi+1Ch], 1000h
		mov	eax, [esi+0B0h]
		or	dword ptr [eax+10h], 10h
		call	PipAllocateDeviceNode
		cmp	eax, 0C000036Eh
		jz	loc_92FAF3
		mov	edi, [ebp+var_14]
		test	edi, edi
		jz	loc_92FAF3
		mov	eax, [ebp+var_C]
		mov	ecx, edi
		movzx	edx, word ptr [eax]
		add	edx, 2
		call	_PnpAllocateDeviceInstancePath@8 ; PnpAllocateDeviceInstancePath(x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		js	loc_92FAE8
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	_PnpCopyDeviceInstancePath@8 ; PnpCopyDeviceInstancePath(x,x)
		push	11h
		pop	edx
		mov	ecx, edi
		call	PipSetDevNodeFlags
		push	ecx
		mov	edx, 302h
		mov	ecx, edi
		call	PipSetDevNodeState
		mov	ecx, _IopRootDeviceNode
		mov	edx, edi
		call	PpDevNodeInsertIntoTree
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_1C]
		mov	esi, [ebp+var_20]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_1C], 4
		mov	edx, [edi+18h]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	0Bh
		push	esi
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_92FA1C
		cmp	[ebp+var_18], 4
		jnz	loc_92F9F6
		cmp	[ebp+var_1C], 4
		jnz	loc_92F9F6
		mov	eax, [ebp+var_8]

loc_89F566:				; CODE XREF: IopInitializeDeviceInstanceKey+905F5j
		test	al, 20h
		jnz	loc_92FA00
		test	eax, 2000h
		jnz	loc_92FA16
		test	al, 40h
		jnz	loc_92FA06

loc_89F581:				; CODE XREF: IopInitializeDeviceInstanceKey+9061Dj
					; IopInitializeDeviceInstanceKey+9062Ej
		lea	eax, [ebp+var_4]
		mov	edx, offset ??_C@_1CK@HKNPKCBC@?$AAN?$AAo?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAA?$AAt?$AAI?$AAn?$AAi@NNGAKEGL@ ; "NoResourceAtInitTime"
		push	eax
		push	0
		mov	ecx, esi
		call	IopGetRegistryValue
		test	eax, eax
		jns	loc_89F68E

loc_89F59B:				; CODE XREF: IopInitializeDeviceInstanceKey+2B7j
		mov	ecx, edi
		call	_PnpQueryAndSaveDeviceNodeCapabilities@4 ; PnpQueryAndSaveDeviceNodeCapabilities(x)
		test	dword ptr [edi+170h], 4000h
		jnz	loc_92FA39

loc_89F5B2:				; CODE XREF: IopInitializeDeviceInstanceKey+90646j
					; IopInitializeDeviceInstanceKey+9065Fj
		mov	eax, [edi+10Ch]
		and	eax, 6000h
		cmp	_PnpBootMode, 0
		mov	[ebp+arg_0], eax
		jz	short loc_89F5DA
		or	dword ptr [edi+1C8h], 1000h
		mov	[ebp+var_24], 2

loc_89F5DA:				; CODE XREF: IopInitializeDeviceInstanceKey+1C1j
		mov	ecx, [edi+18h]
		mov	edx, esi
		call	_PnpClearDeviceTemporaryProperties@8 ; PnpClearDeviceTemporaryProperties(x,x)
		test	dword ptr [edi+170h], 4000h
		setz	cl
		test	byte ptr [ebp+var_8], 1
		setz	al
		test	cl, al
		jz	short loc_89F60F
		cmp	[ebp+arg_0], 0
		mov	edx, esi
		mov	ecx, edi
		jnz	loc_92FA6A
		call	PpDevCfgProcessDeviceOperations

loc_89F60F:				; CODE XREF: IopInitializeDeviceInstanceKey+1F4j
					; IopInitializeDeviceInstanceKey+9066Cj
		mov	eax, [edi+10Ch]
		and	eax, 2000h
		jnz	loc_92FA77

loc_89F620:				; CODE XREF: IopInitializeDeviceInstanceKey+9067Ej
		test	eax, eax
		jnz	loc_92FA89

loc_89F628:				; CODE XREF: IopInitializeDeviceInstanceKey+90690j
		push	1
		lea	edx, [edi+14h]
		mov	ecx, esi
		call	PnpIsDeviceInstanceEnabled
		test	eax, eax
		jz	loc_92FA9B

loc_89F63C:				; CODE XREF: IopInitializeDeviceInstanceKey+90678j
					; IopInitializeDeviceInstanceKey+9068Aj ...
		push	0
		lea	eax, [edi+1Ch]
		mov	dl, 1
		push	eax
		lea	ecx, [edi+14h]
		call	_PpDeviceRegistration@16 ; PpDeviceRegistration(x,x,x,x)
		mov	ecx, [edi+10h]
		lea	edx, [edi+14h]
		call	_PnpMapDeviceObjectToDeviceInstance@8 ;	PnpMapDeviceObjectToDeviceInstance(x,x)
		mov	esi, [ebp+var_10]
		lea	eax, [ebp+var_24]
		and	[ebp+arg_0], 0
		xor	edx, edx
		push	eax
		lea	eax, [ebp+arg_0]
		mov	ecx, esi
		push	eax
		push	4
		call	PnpGetDeviceResourcesFromRegistry
		test	eax, eax
		jns	loc_92FAB3

loc_89F679:				; CODE XREF: IopInitializeDeviceInstanceKey+906B1j
					; IopInitializeDeviceInstanceKey+906DDj
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_89F680:				; CODE XREF: IopInitializeDeviceInstanceKey+906FCj
		mov	ecx, [ebx+8]
		mov	eax, [ebx+0Ch]
		mov	[eax+ecx*4], esi
		jmp	loc_89F479
; 

loc_89F68E:				; CODE XREF: IopInitializeDeviceInstanceKey+18Fj
		mov	esi, [ebp+var_4]
		cmp	dword ptr [esi+4], 4
		jnz	short loc_89F6B2
		cmp	dword ptr [esi+0Ch], 4
		jb	short loc_89F6B2
		mov	eax, [esi+8]
		cmp	dword ptr [esi+eax], 0
		jz	short loc_89F6B2
		mov	edx, 100h
		mov	ecx, edi
		call	PipSetDevNodeFlags

loc_89F6B2:				; CODE XREF: IopInitializeDeviceInstanceKey+28Fj
					; IopInitializeDeviceInstanceKey+295j ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_20]
		jmp	loc_89F59B
IopInitializeDeviceInstanceKey endp


;  S U B	R O U T	I N E 


; __stdcall IopIsRootEnumeratedDeviceObjectActive(x)
_IopIsRootEnumeratedDeviceObjectActive@4 proc near
					; CODE XREF: IopInitializeDeviceInstanceKey+5Dp
					; PiCMCreateDevice(x,x,x,x,x,x)+355p
		mov	eax, [ecx+28h]
		test	eax, eax
		jz	short loc_89F6CE
		test	byte ptr [eax],	1
		jnz	short loc_89F6EA

loc_89F6CE:				; CODE XREF: IopIsRootEnumeratedDeviceObjectActive(x)+5j
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_89F6E7
		test	dword ptr [eax+10Ch], 10000h
		jnz	short loc_89F6EA

loc_89F6E7:				; CODE XREF: IopIsRootEnumeratedDeviceObjectActive(x)+17j
		mov	al, 1
		retn
; 

loc_89F6EA:				; CODE XREF: IopIsRootEnumeratedDeviceObjectActive(x)+Aj
					; IopIsRootEnumeratedDeviceObjectActive(x)+23j
		xor	al, al
		retn
_IopIsRootEnumeratedDeviceObjectActive@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnpCopyDeviceInstancePath(x, x)
_PnpCopyDeviceInstancePath@8 proc near	; CODE XREF: IopInitializeDeviceInstanceKey+E4p
					; PiInitializeDevice(x)+22Ep ...
		mov	edi, edi
		push	edx
		lea	eax, [ecx+14h]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		retn
_PnpCopyDeviceInstancePath@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PnpAllocateDeviceInstancePath(x, x)
_PnpAllocateDeviceInstancePath@8 proc near ; CODE XREF:	IopInitializeDeviceInstanceKey+CFp
					; IoReportDetectedDevice+8906Ep ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	49706E50h
		push	edx
		push	200h
		mov	[esi+14h], ax
		mov	[esi+16h], dx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+18h], eax
		neg	eax
		pop	esi
		sbb	eax, eax
		and	eax, 3FFFFF66h
		add	eax, 0C000009Ah
		retn
_PnpAllocateDeviceInstancePath@8 endp


;  S U B	R O U T	I N E 


PipAllocateDeviceNode proc near		; CODE XREF: PipProcessEnumeratedChildDevice+4Ep
					; IopInitializeDeviceInstanceKey+A9p ...

; FUNCTION CHUNK AT 0092FB11 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	646F6E44h
		mov	ebx, 1F4h
		mov	esi, edx
		push	ebx
		push	200h
		mov	edi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	loc_92FB11
		lock inc _IopNumberDeviceNodes
		push	ebx		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	dword ptr [esi]	; void *
		call	_memset
		mov	eax, [esi]
		or	edx, 0FFFFFFFFh
		mov	ecx, 0FFFFh
		add	esp, 0Ch
		mov	[eax+12Ch], edx
		mov	eax, [esi]
		mov	[eax+130h], edx
		mov	eax, [esi]
		mov	[eax+134h], edx
		mov	eax, [esi]
		mov	[eax+138h], edx
		mov	eax, [esi]
		mov	[eax+13Ch], cx
		mov	eax, [esi]
		mov	dword ptr [eax+0ACh], 301h
		mov	eax, [esi]
		mov	[eax+184h], ebx
		mov	eax, [esi]
		mov	[eax+198h], ebx
		mov	eax, [esi]
		mov	[eax+19Ch], ebx
		mov	eax, [esi]
		mov	[eax+1A0h], ebx
		mov	eax, [esi]
		mov	[eax+1A4h], edx
		mov	eax, [esi]
		mov	[eax+13Eh], bx
		mov	eax, [esi]
		add	eax, 148h
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [esi]
		add	eax, 150h
		mov	[eax+4], eax
		mov	[eax], eax
		test	edi, edi
		jz	short loc_89F80C
		mov	eax, [esi]
		mov	[eax+10h], edi
		mov	ecx, [edi+0B0h]
		mov	eax, [esi]
		mov	[ecx+14h], eax
		and	dword ptr [edi+1Ch], 0FFFFFF7Fh

loc_89F80C:				; CODE XREF: PipAllocateDeviceNode+C5j
		mov	eax, [esi]
		add	eax, 140h
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [esi]
		add	eax, 178h
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [esi]
		add	eax, 188h
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [esi]
		add	eax, 190h
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [esi]
		add	eax, 64h
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [esi]
		add	eax, 6Ch
		mov	[eax+4], eax
		mov	[eax], eax
		xor	eax, eax

loc_89F852:				; CODE XREF: PipAllocateDeviceNode+903E8j
		pop	edi
		pop	esi
		pop	ebx
		retn
PipAllocateDeviceNode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCreateRootEnumeratedDeviceObject(x)
_IopCreateRootEnumeratedDeviceObject@4 proc near
					; CODE XREF: IopInitializeDeviceInstanceKey+83p
					; IoReportDetectedDevice+88FE1p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		xor	esi, esi
		push	eax
		push	esi
		push	80h
		push	4
		push	esi
		push	4
		push	_PnpDriverObject
		mov	ebx, ecx
		mov	[ebp+var_4], esi
		call	IoCreateDevice
		mov	edi, eax
		test	edi, edi
		js	short loc_89F89B
		mov	edx, [ebp+var_4]
		mov	[ebx], edx
		mov	ecx, [edx+28h]
		mov	[ecx], esi

loc_89F890:				; CODE XREF: IopCreateRootEnumeratedDeviceObject(x)+48j
		test	esi, esi
		jnz	short loc_89F8A0

loc_89F894:				; CODE XREF: IopCreateRootEnumeratedDeviceObject(x)+50j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_89F89B:				; CODE XREF: IopCreateRootEnumeratedDeviceObject(x)+2Ej
		mov	esi, [ebp+var_4]
		jmp	short loc_89F890
; 

loc_89F8A0:				; CODE XREF: IopCreateRootEnumeratedDeviceObject(x)+3Cj
		push	esi
		call	IoDeleteDevice
		jmp	short loc_89F894
_IopCreateRootEnumeratedDeviceObject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	WmipTranslatePDOInstanceNames(void *,int)
WmipTranslatePDOInstanceNames proc near	; CODE XREF: WmipForwardWmiIrp+16Ap

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0092FB1B SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, [ecx+0Ch]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+1Ch]
		mov	[ebp+var_3], dl
		xor	edx, edx
		inc	edi
		mov	[ebp+var_2C], ecx
		mov	ebx, edx
		mov	[ebp+var_10], edx
		and	edi, 0FFFFFFFEh
		mov	[ebp+var_1], dl
		mov	[ebp+var_8], edx
		mov	esi, edx
		mov	[ebp+var_18], ebx
		mov	ecx, eax
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], edx
		mov	[ebp+var_2], 1
		mov	[ebp+var_C], edi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], eax

loc_89F8F0:				; CODE XREF: WmipTranslatePDOInstanceNames+B3j
		mov	[ebp+var_28], edx
		cmp	[ecx+10h], edx
		jbe	short loc_89F951
		mov	[ebp+var_18], edx
		lea	edi, [ecx+14h]

loc_89F8FE:				; CODE XREF: WmipTranslatePDOInstanceNames+A2j
		push	10h		; size_t
		push	offset _WmipDataProviderPnpidGuid ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_89FBB3
		push	10h		; size_t
		push	offset _WmipDataProviderPnPIdInstanceNamesGuid ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_89FBB3

loc_89F92E:				; CODE XREF: WmipTranslatePDOInstanceNames+311j
					; WmipTranslatePDOInstanceNames+9027Cj
		mov	edx, [edi+10h]
		test	dl, 20h
		jnz	loc_89FAB5

loc_89F93A:				; CODE XREF: WmipTranslatePDOInstanceNames+234j
					; WmipTranslatePDOInstanceNames+241j
		mov	eax, [ebp+var_28]
		add	edi, 1Ch
		mov	ecx, [ebp+var_14]
		inc	eax
		mov	[ebp+var_28], eax
		cmp	eax, [ecx+10h]
		jb	short loc_89F8FE
		mov	[ebp+var_18], ebx
		xor	edx, edx

loc_89F951:				; CODE XREF: WmipTranslatePDOInstanceNames+4Ej
		mov	eax, [ecx+4]
		add	ecx, eax
		mov	[ebp+var_14], ecx
		test	eax, eax
		jnz	short loc_89F8F0
		push	4
		pop	ecx
		cmp	[ebp+var_2], al
		jz	loc_89FA98
		test	ebx, ebx
		jz	loc_89FA98
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_34]
		call	IoGetDeviceInstanceName
		test	eax, eax
		js	loc_89FA8E
		mov	eax, [ebp+var_34]
		lea	ecx, [esi+7]
		and	ecx, 0FFFFFFF8h
		movzx	eax, ax
		mov	[ebp+arg_0], ecx
		sub	ecx, esi
		lea	edx, ds:54h[eax*2]
		lea	eax, [ecx+edx]
		add	[ebp+var_C], eax
		cmp	[ebp+var_1], 0
		jnz	loc_92FB56
		mov	edi, [ebp+var_10]
		sub	edi, ecx
		cmp	edx, edi
		ja	loc_92FB56
		mov	esi, [ebp+arg_4]
		cmp	dword ptr [esi+0Ch], 0
		jnz	loc_89FA85
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edi, [ebp+var_1C]
		mov	ecx, [ebp+var_14]
		mov	[esi+0Ch], ebx
		mov	[esi+1Ch], edi
		mov	esi, [ebp+arg_0]
		mov	eax, esi
		push	4Ch		; size_t
		sub	eax, ecx
		push	0		; int
		push	esi		; void *
		mov	[ecx+4], eax
		lea	ebx, [esi+4Ch]
		call	_memset
		mov	edx, [ebp+var_34]
		movzx	ecx, dx
		mov	dword ptr [esi+10h], 2
		push	ecx		; size_t
		push	[ebp+var_30]	; void *
		lea	eax, ds:54h[ecx*2]
		mov	[esi], eax
		lea	eax, [esi+14h]
		mov	[eax+14h], edi
		mov	esi, offset _WmipDataProviderPnpidGuid
		mov	dword ptr [eax+10h], 28h
		mov	edi, eax
		movsd
		movsd
		movsd
		movsd
		mov	dword ptr [eax+18h], 4Ch
		lea	eax, [edx+2]
		mov	[ebx], ax
		add	ebx, 2
		push	ebx		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_0]
		mov	esi, offset _WmipDataProviderPnPIdInstanceNamesGuid
		mov	eax, [ebp+var_34]
		movzx	edx, ax
		push	5Fh
		pop	eax
		lea	edi, [ecx+30h]
		mov	[ebx+edx], ax
		lea	eax, [edx+50h]
		mov	dword ptr [ecx+40h], 4
		mov	dword ptr [ecx+44h], 1
		movsd
		push	edx		; size_t
		push	[ebp+var_30]	; void *
		movsd
		movsd
		movsd
		mov	[ecx+48h], eax
		mov	eax, [ebp+var_34]
		mov	[ebx+edx+2], ax
		lea	eax, [edx+4]
		add	eax, ebx
		push	eax		; void *
		call	_memcpy
		mov	ebx, [ebp+var_18]
		add	esp, 24h

loc_89FA85:				; CODE XREF: WmipTranslatePDOInstanceNames+118j
					; WmipTranslatePDOInstanceNames+902B2j
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_89FA8E:				; CODE XREF: WmipTranslatePDOInstanceNames+D6j
		mov	ecx, ebx
		call	ObfDereferenceObject
		push	4
		pop	ecx

loc_89FA98:				; CODE XREF: WmipTranslatePDOInstanceNames+BBj
					; WmipTranslatePDOInstanceNames+C3j
		cmp	[ebp+var_1], 0
		mov	eax, [ebp+var_C]
		jnz	short loc_89FAA3
		mov	ecx, eax

loc_89FAA3:				; CODE XREF: WmipTranslatePDOInstanceNames+1F7j
		mov	edx, [ebp+var_20]
		pop	edi
		pop	esi
		pop	ebx
		mov	[edx], eax
		mov	eax, [ebp+var_2C]
		mov	[eax+1Ch], ecx
		leave
		retn	8
; 

loc_89FAB5:				; CODE XREF: WmipTranslatePDOInstanceNames+8Cj
		test	esi, esi
		jz	short loc_89FAEE

loc_89FAB9:				; CODE XREF: WmipTranslatePDOInstanceNames+269j
		mov	eax, [edi+14h]
		cmp	[ebp+var_1C], eax
		jb	short loc_89FB13

loc_89FAC1:				; CODE XREF: WmipTranslatePDOInstanceNames+26Ej
		mov	eax, [edi+18h]
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+var_18]
		jnz	short loc_89FB18
		mov	ecx, [ebp+var_24]
		or	edx, 8
		mov	[edi+10h], edx
		mov	[edi+18h], ecx

loc_89FAD8:				; CODE XREF: WmipTranslatePDOInstanceNames+306j
		cmp	[ebp+var_3], 0Bh
		jnz	loc_89F93A
		mov	ecx, eax
		call	ObfDereferenceObject
		jmp	loc_89F93A
; 

loc_89FAEE:				; CODE XREF: WmipTranslatePDOInstanceNames+20Fj
		mov	ecx, [ebp+var_20]
		mov	eax, ecx
		mov	ecx, [ecx+4]

loc_89FAF6:				; CODE XREF: WmipTranslatePDOInstanceNames+90286j
		test	ecx, ecx
		jnz	loc_92FB29
		mov	esi, [eax]
		inc	esi
		and	esi, 0FFFFFFFEh
		add	esi, eax
		mov	eax, [ebp+var_20]
		sub	eax, esi
		add	eax, [ebp+arg_0]
		mov	[ebp+var_10], eax
		jmp	short loc_89FAB9
; 

loc_89FB13:				; CODE XREF: WmipTranslatePDOInstanceNames+217j
		mov	[ebp+var_1C], eax
		jmp	short loc_89FAC1
; 

loc_89FB18:				; CODE XREF: WmipTranslatePDOInstanceNames+222j
		lea	edx, [ebp+var_34]
		mov	ecx, eax
		call	IoGetDeviceInstanceName
		test	eax, eax
		js	loc_89FBAB
		cmp	[ebp+var_2], 0
		jz	loc_92FB3C
		test	ebx, ebx
		jnz	loc_92FB33
		mov	ebx, [ebp+var_8]
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_89FB46:				; CODE XREF: WmipTranslatePDOInstanceNames+9028Ej
					; WmipTranslatePDOInstanceNames+9029Aj	...
		mov	eax, [ebp+var_34]
		movzx	edx, ax
		lea	eax, [edx+4]
		add	[ebp+var_C], eax
		cmp	[ebp+var_1], 0
		jnz	short loc_89FBC4
		cmp	eax, [ebp+var_10]
		ja	short loc_89FBC4
		or	dword ptr [edi+10h], 8
		mov	eax, esi
		sub	eax, [ebp+var_14]
		mov	ecx, [ebp+var_8]
		mov	[edi+18h], eax
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_34]
		push	edx		; size_t
		push	[ebp+var_30]	; void *
		add	eax, 2
		mov	[ebp+var_18], ecx
		mov	[esi], ax
		add	esi, 2
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_34]
		add	esp, 0Ch
		movzx	ecx, ax
		add	esi, ecx
		push	5Fh
		pop	eax
		mov	[esi], ax
		lea	eax, [ecx+4]
		add	esi, 2
		sub	[ebp+var_10], eax

loc_89FBA2:				; CODE XREF: WmipTranslatePDOInstanceNames+320j
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_89FBAB:				; CODE XREF: WmipTranslatePDOInstanceNames+27Cj
		mov	eax, [ebp+var_8]
		jmp	loc_89FAD8
; 

loc_89FBB3:				; CODE XREF: WmipTranslatePDOInstanceNames+68j
					; WmipTranslatePDOInstanceNames+80j
		mov	[ebp+var_2], 0
		test	ebx, ebx
		jz	loc_89F92E
		jmp	loc_92FB1B
; 

loc_89FBC4:				; CODE XREF: WmipTranslatePDOInstanceNames+2AEj
					; WmipTranslatePDOInstanceNames+2B3j
		mov	[ebp+var_1], 1
		jmp	short loc_89FBA2
WmipTranslatePDOInstanceNames endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpUpdateDynamicTimeZones proc	near	; CODE XREF: ExpRefreshTimeZoneInformation(x)+6EEp

var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_164		= word ptr -164h
var_160		= dword	ptr -160h
var_5C		= dword	ptr -5Ch
var_30		= dword	ptr -30h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092FB5F SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1DCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_1A4], ecx
		push	edi
		push	110h		; size_t
		lea	eax, [ebp+var_170]
		mov	[ebp+var_178], ebx
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_174], ebx
		mov	[ebp+var_17C], ebx
		mov	[ebp+var_188], ebx
		mov	[ebp+var_184], ebx
		mov	[ebp+var_180], ebx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_30]
		push	2Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_5C]
		push	2Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [ebp+var_1A0]
		xor	eax, eax
		push	6
		pop	ecx
		push	38h		; size_t
		rep stosd
		lea	eax, [ebp+var_1DC]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_1D8], 124h
		lea	eax, [ebp+var_30]
		mov	[ebp+var_1D4], offset ??_C@_17LIOBIM@?$AAT?$AAZ?$AAI@NNGAKEGL@ ; "TZI"
		mov	[ebp+var_1D0], eax
		mov	edx, offset ??_C@_1BG@DHBIEIAA@?$AAT?$AAi?$AAm?$AAe?$AA?5?$AAZ?$AAo?$AAn?$AAe?$AAs@NNGAKEGL@ ; "Time Zones"
		lea	eax, [ebp+var_178]
		mov	[ebp+var_1CC], 3000000h
		push	eax
		push	ebx
		push	3
		pop	ecx
		call	RtlpGetRegistryHandle
		test	eax, eax
		jns	short loc_89FCB1

loc_89FCA0:				; CODE XREF: RtlpUpdateDynamicTimeZones+2AAj
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_89FCB1:				; CODE XREF: RtlpUpdateDynamicTimeZones+D4j
		lea	eax, [ebp+var_188]
		xor	esi, esi
		push	eax
		push	110h
		lea	eax, [ebp+var_170]
		xor	ebx, ebx
		push	eax
		push	esi
		push	esi
		push	[ebp+var_178]
		inc	ebx
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_89FE69
		mov	edi, [ebp+var_1A4]

loc_89FCE4:				; CODE XREF: RtlpUpdateDynamicTimeZones+299j
		mov	ax, [ebp+var_164]
		lea	ecx, [ebp+var_160]
		and	[ebp+var_190], 0
		and	[ebp+var_18C], 0
		mov	word ptr [ebp+var_184+2], ax
		mov	word ptr [ebp+var_184],	ax
		mov	eax, [ebp+var_178]
		mov	[ebp+var_19C], eax
		lea	eax, [ebp+var_184]
		mov	[ebp+var_198], eax
		lea	eax, [ebp+var_1A0]
		push	eax
		push	2000000h
		lea	eax, [ebp+var_174]
		mov	[ebp+var_180], ecx
		push	eax
		mov	[ebp+var_1A0], 18h
		mov	[ebp+var_194], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_89FE3F
		push	offset _szDynamicDst
		lea	eax, [ebp+var_184]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_174]
		and	[ebp+var_190], 0
		and	[ebp+var_18C], 0
		mov	[ebp+var_19C], eax
		lea	eax, [ebp+var_184]
		mov	[ebp+var_198], eax
		lea	eax, [ebp+var_1A0]
		push	eax
		push	20019h
		lea	eax, [ebp+var_17C]
		mov	[ebp+var_1A0], 18h
		push	eax
		mov	[ebp+var_194], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_89FE34
		push	2Ch		; size_t
		lea	eax, [ebp+var_30]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_174]
		lea	eax, [ebp+var_1DC]
		add	esp, 0Ch
		mov	[ebp+var_30], 0FFFFFFD4h
		push	ebx
		push	ecx
		push	0
		push	eax
		mov	ecx, 40000000h
		call	RtlpQueryRegistryValues
		test	eax, eax
		js	short loc_89FE29
		mov	edx, [ebp+var_17C] ; int
		lea	ecx, [ebp+var_5C] ; void *
		push	edi		; __int16
		call	RtlpFindRegTziForCurrentYear
		test	eax, eax
		js	short loc_89FE29
		push	2Ch		; size_t
		lea	eax, [ebp+var_30]
		push	eax		; void *
		lea	eax, [ebp+var_5C]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_92FB5F

loc_89FE29:				; CODE XREF: RtlpUpdateDynamicTimeZones+230j
					; RtlpUpdateDynamicTimeZones+243j ...
		push	[ebp+var_17C]
		call	_ZwClose@4	; ZwClose(x)

loc_89FE34:				; CODE XREF: RtlpUpdateDynamicTimeZones+1FAj
		push	[ebp+var_174]
		call	_ZwClose@4	; ZwClose(x)

loc_89FE3F:				; CODE XREF: RtlpUpdateDynamicTimeZones+18Fj
		lea	eax, [ebp+var_188]
		inc	esi
		push	eax
		push	110h
		lea	eax, [ebp+var_170]
		push	eax
		push	0
		push	esi
		push	[ebp+var_178]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_89FCE4

loc_89FE69:				; CODE XREF: RtlpUpdateDynamicTimeZones+10Ej
		push	[ebp+var_178]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_89FCA0
RtlpUpdateDynamicTimeZones endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPerfRegisterNativePerfStates(x)
_PpmPerfRegisterNativePerfStates@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	dl, dl
		call	PpmRegisterPerfStates
		pop	ebp
		retn	4
_PpmPerfRegisterNativePerfStates@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmReinitializeHeteroEngine(x)
_PpmReinitializeHeteroEngine@4 proc near ; CODE	XREF: PpmPerfClearBootOverrides+8202Cj
					; PpmHeteroHgsBackupInit+7E86Dp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		xor	eax, eax
		test	cl, cl
		jz	short loc_89FEAD
		or	eax, 800h

loc_89FEA0:				; CODE XREF: PpmReinitializeHeteroEngine(x)+24j
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], eax
		call	PpmReapplyPerfPolicy
		leave
		retn
; 

loc_89FEAD:				; CODE XREF: PpmReinitializeHeteroEngine(x)+Bj
		or	eax, 1000h
		jmp	short loc_89FEA0
_PpmReinitializeHeteroEngine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmRegisterPerfStates proc near		; CODE XREF: PpmPerfRegisterNativePerfStates(x)+Ap
					; PpmPerfRegisterHvPerfStateCounters(x)+D4p

var_92		= byte ptr -92h
var_91		= byte ptr -91h
var_8E		= byte ptr -8Eh
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch

; FUNCTION CHUNK AT 0092FB81 SIZE 000000F8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 94h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+0A0h+var_C]
		mov	esi, ecx
		stosd
		xor	ecx, ecx
		mov	bl, dl
		mov	[esp+0A0h+var_44], esi
		mov	[esp+0A0h+var_40], ecx
		mov	[esp+0A0h+var_3C], ecx
		stosd
		mov	[esp+0A0h+var_7C], ecx
		mov	[esp+13h], cl
		mov	[esp+0A0h+var_34], ecx
		stosd
		xor	eax, eax
		lea	edi, [esp+0A0h+var_18]
		stosd
		stosd
		stosd
		mov	eax, [esi+24h]
		mov	edi, [esi+10h]
		mov	[esp+0A0h+var_8C], eax
		mov	eax, [esi+14h]
		mov	[esp+0A0h+var_48], eax
		xor	eax, eax
		inc	eax
		mov	[esp+0A0h+var_78], edi
		mov	word ptr [esp+0A0h+var_38], ax
		mov	word ptr [esp+0A0h+var_38+2], ax
		mov	eax, ecx
		mov	[esp+0A0h+var_58], eax
		mov	[esp+0A0h+var_30], eax
		lea	eax, [esp+0A0h+var_C]
		push	eax
		call	_KeQueryActiveProcessorAffinity@4 ; KeQueryActiveProcessorAffinity(x)
		test	bl, bl
		jnz	short loc_89FF42
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)

loc_89FF42:				; CODE XREF: PpmRegisterPerfStates+82j
		mov	ebx, [esp+0A0h+var_8C]
		or	eax, 0FFFFFFFFh
		or	edx, eax
		mov	[esp+0A0h+var_70], eax
		xor	ecx, ecx
		mov	[esp+0A0h+var_6C], edx
		test	ebx, ebx
		jz	short loc_89FF88
		mov	eax, [esi+0A4h]
		add	eax, 8

loc_89FF62:				; CODE XREF: PpmRegisterPerfStates+CAj
		mov	edx, [eax]
		cmp	edx, 2
		jnb	loc_92FB81
		cmp	[esp+edx*4+0A0h+var_70], 0FFFFFFFFh
		jnz	short loc_89FF78
		mov	[esp+edx*4+0A0h+var_70], ecx

loc_89FF78:				; CODE XREF: PpmRegisterPerfStates+BEj
		inc	ecx
		add	eax, 10h
		cmp	ecx, ebx
		jb	short loc_89FF62
		mov	edx, [esp+0A0h+var_6C]
		mov	eax, [esp+0A0h+var_70]

loc_89FF88:				; CODE XREF: PpmRegisterPerfStates+A3j
		cmp	eax, 0FFFFFFFFh
		jz	loc_92FB8C

loc_89FF91:				; CODE XREF: PpmRegisterPerfStates+8FCDDj
		xor	ecx, ecx
		xor	eax, eax

loc_89FF95:				; CODE XREF: PpmRegisterPerfStates+EDj
		cmp	[esp+eax*4+0A0h+var_70], 0FFFFFFFFh
		jz	short loc_89FF9D
		inc	ecx

loc_89FF9D:				; CODE XREF: PpmRegisterPerfStates+E6j
		inc	eax
		cmp	eax, 2
		jb	short loc_89FF95
		mov	eax, [esp+0A0h+var_78]
		imul	eax, ecx
		imul	edi, 78h
		push	704D5050h
		mov	[esp+0A4h+var_74], ecx
		imul	eax, 28h
		add	edi, 21Fh
		and	edi, 0FFFFFFF8h
		add	eax, edi
		push	eax
		push	200h
		mov	[esp+0ACh+var_8C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+0A0h+var_7C], ebx
		test	ebx, ebx
		jz	loc_92FB96
		push	[esp+0A0h+var_8C] ; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebx+218h]
		cmp	byte ptr [esi+0Bh], 0
		lea	edx, [ebx+edi]
		mov	[esp+0A0h+var_8C], eax
		mov	[esp+0A0h+var_60], edx
		jz	short loc_8A000F
		mov	eax, [esi+30h]
		mov	ds:_PpmPerfQosTransitionHysteresis, eax

loc_8A000F:				; CODE XREF: PpmRegisterPerfStates+151j
		and	[esp+0A0h+var_50], 0
		cmp	[esp+0A0h+var_78], 0
		jbe	loc_8A01E2
		and	[esp+0A0h+var_68], 0
		lea	edi, [ebx+21Ch]
		xor	ecx, ecx
		mov	[esp+0A0h+var_64], edx
		imul	eax, [esp+0A0h+var_74],	28h
		mov	[esp+0A0h+var_4C], ecx
		mov	[esp+0A0h+var_5C], eax

loc_8A003D:				; CODE XREF: PpmRegisterPerfStates+328j
		mov	eax, [esi+0A8h]
		add	eax, ecx
		mov	[esp+0A0h+var_88], eax
		mov	ecx, [eax]
		mov	[esp+0A0h+var_84], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	loc_92FBD1
		mov	eax, dword_6B5BE8
		shr	eax, cl
		test	al, 1
		jnz	loc_92FBD1
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	[esp+0A0h+var_54], eax
		add	eax, 3EA0h
		mov	ecx, eax
		mov	[esp+0A0h+var_2C], eax
		call	_PpmAllocatePerfCheck@4	; PpmAllocatePerfCheck(x)
		mov	[esp+0A0h+var_80], eax
		test	eax, eax
		js	loc_92FBD8
		mov	eax, [esp+0A0h+var_58]
		xor	dl, dl
		mov	ecx, [esp+0A0h+var_84]
		bts	eax, ecx
		mov	ecx, [esp+0A0h+var_54]
		mov	[esp+0A0h+var_58], eax
		mov	[esp+0A0h+var_30], eax
		mov	eax, [esp+0A0h+var_2C]
		mov	[edi-4], eax
		call	_KeQueryCycleCounterFrequency@8	; KeQueryCycleCounterFrequency(x,x)
		mov	ecx, ds:_PpmPerfQosTransitionHysteresisOverride
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_8A00C2
		mov	ecx, ds:_PpmPerfQosTransitionHysteresis

loc_8A00C2:				; CODE XREF: PpmRegisterPerfStates+206j
		push	edx
		push	eax
		push	0
		push	0F4240h
		push	0
		push	ecx
		call	PpmConvertTime
		mov	ecx, [esp+0A0h+var_54]
		push	64h
		mov	[ecx+3F00h], eax
		mov	[ecx+3F04h], edx
		mov	ecx, [esp+0A4h+var_88]
		pop	edx
		mov	[edi+1Ch], edx
		mov	eax, [ecx+4]
		mov	[edi], eax
		mov	eax, [ecx+8]
		mov	[edi+4], eax
		mov	eax, [ecx+0Ch]
		mov	[edi+8], eax
		mov	eax, [ecx+10h]
		and	dword ptr [edi+6Ch], 0
		mov	[edi+0Ch], eax
		mov	eax, [esp+0A0h+var_48]
		mov	[edi+24h], edx
		mov	[edi+34h], edx
		mov	[edi+38h], eax
		mov	dword ptr [edi+3Ch], 1
		mov	[edi+40h], edx
		mov	[edi+44h], edx
		mov	[edi+60h], edx
		mov	[edi+64h], edx
		cmp	byte ptr [esi+7], 0
		jz	loc_92FB9D

loc_8A0132:				; CODE XREF: PpmRegisterPerfStates+8FCEDj
		xor	al, al

loc_8A0134:				; CODE XREF: PpmRegisterPerfStates+8FCF5j
		mov	[edi+69h], al
		cmp	[ecx+8], edx
		jb	loc_92FBAE

loc_8A0140:				; CODE XREF: PpmRegisterPerfStates+8FD18j
		mov	eax, [esp+0A0h+var_64]
		mov	ebx, [esp+0A0h+var_68]
		mov	[esp+0A0h+var_84], eax
		xor	eax, eax
		mov	[esp+0A0h+var_88], eax

loc_8A0152:				; CODE XREF: PpmRegisterPerfStates+2F3j
		mov	ecx, [esp+eax*4+0A0h+var_70]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_8A019F
		mov	eax, [esi+0ACh]
		mov	edx, ecx
		add	ecx, ebx
		shl	edx, 4
		add	edx, [esi+0A4h]
		mov	eax, [eax+ecx*4]
		mov	ecx, [esp+0A0h+var_84]
		mov	[ecx+24h], eax
		mov	al, [edx+0Dh]
		mov	[ecx+21h], al
		mov	al, [edx+0Ch]
		mov	[ecx+20h], al
		mov	al, [edx+0Eh]
		mov	[ecx+22h], al
		mov	al, [edx+4]
		mov	[ecx+23h], al
		mov	eax, [edx]
		mov	[ecx], eax
		add	ecx, 28h
		mov	eax, [esp+0A0h+var_88]
		mov	[esp+0A0h+var_84], ecx

loc_8A019F:				; CODE XREF: PpmRegisterPerfStates+2A5j
		inc	eax
		mov	[esp+0A0h+var_88], eax
		cmp	eax, 2
		jb	short loc_8A0152
		mov	eax, [esp+0A0h+var_68]
		add	edi, 78h
		add	eax, [esp+0A0h+var_74]
		mov	edx, [esp+0A0h+var_50]
		mov	ecx, [esp+0A0h+var_4C]
		inc	edx
		mov	ebx, [esp+0A0h+var_7C]
		add	ecx, 14h
		mov	[esp+0A0h+var_68], eax
		mov	eax, [esp+0A0h+var_5C]
		add	[esp+0A0h+var_64], eax
		mov	[esp+0A0h+var_50], edx
		mov	[esp+0A0h+var_4C], ecx
		cmp	edx, [esp+0A0h+var_78]
		jb	loc_8A003D

loc_8A01E2:				; CODE XREF: PpmRegisterPerfStates+165j
		lea	eax, [esp+0A0h+var_38]
		push	eax
		lea	eax, [esp+0A4h+var_18]
		push	eax
		call	_KeFirstGroupAffinityEx@8 ; KeFirstGroupAffinityEx(x,x)
		and	[esp+0A0h+var_80], 0
		mov	eax, [esp+0A0h+var_18]
		test	eax, eax
		jz	loc_92FBEB
		bsf	ecx, eax
		mov	[esp+0A0h+var_80], ecx

loc_8A020F:				; CODE XREF: PpmRegisterPerfStates+8FD3Aj
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		lea	edi, [ebx+0Ch]
		lea	esi, [esp+0A0h+var_38]
		push	0
		lea	ecx, [eax+3EA0h]
		mov	[ebx+8], ecx
		mov	al, [eax+3ED0h]
		movsd
		mov	[ebx+20h], al
		movsd
		movsd
		mov	esi, [esp+0A4h+var_44]
		mov	eax, [esi+5Ch]
		mov	[ebx+28h], eax
		mov	eax, [esi+64h]
		mov	[ebx+30h], eax
		mov	eax, [esi+68h]
		mov	[ebx+34h], eax
		mov	eax, [esi+6Ch]
		mov	[ebx+38h], eax
		mov	eax, [esi+70h]
		mov	[ebx+3Ch], eax
		mov	eax, [esi+60h]
		mov	[ebx+2Ch], eax
		mov	eax, [esi+4Ch]
		mov	[ebx+18h], eax
		lea	eax, [ebx+218h]
		mov	[ebx+24h], eax
		mov	dword ptr [ebx+13Ch], 1
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	edi, [esp+0A4h+var_7C]
		mov	[ebx+20Ch], edx
		mov	edx, [esp+0A4h+var_4C]
		mov	[ebx+208h], eax
		mov	[ebx+1Ch], edi
		mov	[ebx+54h], edx
		mov	eax, [esi+2Ch]
		mov	[ebx+64h], eax
		mov	eax, [esi+18h]
		mov	[ebx+58h], eax
		mov	eax, [esi+1Ch]
		mov	[ebx+5Ch], eax
		mov	eax, [esi+20h]
		mov	[ebx+60h], eax
		mov	al, [esi+4]
		mov	[ebx+79h], al
		mov	eax, [esi+84h]
		mov	[ebx+48h], eax
		mov	eax, [esi+88h]
		mov	[ebx+4Ch], eax
		mov	eax, [esi+7Ch]
		mov	[ebx+40h], eax
		mov	eax, [esi+80h]
		mov	[ebx+44h], eax
		mov	al, [esi+34h]
		push	5
		mov	[ebx+7Fh], al
		lea	eax, [ebx+14Ch]
		pop	ecx

loc_8A02E1:				; CODE XREF: PpmRegisterPerfStates+43Cj
		mov	dword ptr [eax-4], 64h
		mov	[eax], edx
		lea	eax, [eax+28h]
		sub	ecx, 1
		jnz	short loc_8A02E1
		mov	al, [esi+6]
		xor	edx, edx
		mov	[ebx+7Ah], al
		mov	al, [esi+7]
		mov	[ebx+7Bh], al
		mov	al, [esi+8]
		mov	[ebx+7Ch], al
		mov	eax, 0FDh
		cmp	[esi+4], ax
		jz	loc_92FBF3
		mov	al, 1
		cmp	[esi+88h], edx
		jnz	loc_92FBF3

loc_8A0323:				; CODE XREF: PpmRegisterPerfStates+8FD41j
		mov	[ebx+7Eh], al
		mov	al, [esi+0Bh]
		mov	[ebx+7Dh], al
		cmp	ds:_PpmPerfQosManageIdleProcessors, 0FFFFFFFFh
		jnz	short loc_8A0342
		xor	eax, eax
		cmp	[esi+0Ch], al
		setnz	al
		mov	ds:_PpmPerfQosManageIdleProcessors, eax

loc_8A0342:				; CODE XREF: PpmRegisterPerfStates+47Fj
		mov	eax, [esi+38h]
		mov	[ebx+68h], eax
		mov	eax, [esi+3Ch]
		mov	[ebx+6Ch], eax
		mov	eax, [esi+40h]
		mov	[ebx+70h], eax
		mov	eax, [esi+44h]
		mov	[ebx+74h], eax
		mov	byte ptr [ebx+78h], 64h
		mov	ecx, [esi+28h]
		cmp	dword_6C047C, edx
		ja	short loc_8A037F
		jb	short loc_8A0373
		cmp	_PpmCheckMinimumPeriod,	ecx
		ja	short loc_8A037F

loc_8A0373:				; CODE XREF: PpmRegisterPerfStates+4B5j
		mov	_PpmCheckMinimumPeriod,	ecx
		mov	dword_6C047C, edx

loc_8A037F:				; CODE XREF: PpmRegisterPerfStates+4B3j
					; PpmRegisterPerfStates+4BDj
		cmp	[ebx+34h], edx
		jnz	loc_92FBFA

loc_8A0388:				; CODE XREF: PpmRegisterPerfStates+8FD4Dj
		cmp	[ebx+30h], edx
		jz	short loc_8A0394
		or	_PpmAllowedActions, 20h

loc_8A0394:				; CODE XREF: PpmRegisterPerfStates+4D7j
		cmp	[ebx+2Ch], edx
		jnz	loc_92FC06

loc_8A039D:				; CODE XREF: PpmRegisterPerfStates+8FD5Cj
		cmp	[ebx+3Ch], edx
		jnz	loc_92FC15

loc_8A03A6:				; CODE XREF: PpmRegisterPerfStates+8FD6Bj
		cmp	[ebx+38h], edx
		jnz	loc_92FC24

loc_8A03AF:				; CODE XREF: PpmRegisterPerfStates+8FD7Aj
		cmp	byte ptr [esi+9], 0
		jnz	loc_92FC33

loc_8A03B9:				; CODE XREF: PpmRegisterPerfStates+8FD86j
		cmp	byte ptr [esi+0Ah], 0
		jnz	loc_92FC3F

loc_8A03C3:				; CODE XREF: PpmRegisterPerfStates+8FD92j
		mov	[esp+0A4h+var_60], edx
		lea	eax, [esp+0A4h+var_60]
		xor	ecx, ecx
		lock or	[eax], ecx
		test	edi, edi
		jz	short loc_8A0440
		imul	eax, [esp+0A4h+var_78],	28h
		mov	[esp+0A4h+var_84], eax
		mov	esi, eax
		lea	eax, [ebx+218h]

loc_8A03E5:				; CODE XREF: PpmRegisterPerfStates+586j
		mov	ecx, [eax]
		and	[esp+0A4h+var_44], 0
		and	[esp+0A4h+var_40], 0
		mov	edx, [esp+0A4h+var_64]
		mov	[ecx+4], eax
		xor	eax, eax
		mov	dword ptr [ecx+24h], 10000h
		mov	[ecx], ebx

loc_8A0403:				; CODE XREF: PpmRegisterPerfStates+563j
		cmp	[esp+eax+0A4h+var_74], 0FFFFFFFFh
		jz	short loc_8A0411
		mov	[esp+eax+0A4h+var_44], edx
		add	edx, 28h

loc_8A0411:				; CODE XREF: PpmRegisterPerfStates+554j
		add	eax, 4
		cmp	eax, 8
		jb	short loc_8A0403
		add	ecx, 0FFFFC160h
		lea	edx, [esp+0A4h+var_44]
		call	PpmInstallFeedbackCounters
		mov	eax, [esp+14h]
		add	[esp+0A4h+var_64], esi
		add	eax, 78h
		mov	[esp+14h], eax
		sub	edi, 1
		jnz	short loc_8A03E5
		mov	esi, [esp+0A4h+var_48]

loc_8A0440:				; CODE XREF: PpmRegisterPerfStates+51Ej
		cmp	_PpmPerfGlobalContext, 0
		jnz	short loc_8A0451
		mov	eax, [esi+48h]
		mov	_PpmPerfGlobalContext, eax

loc_8A0451:				; CODE XREF: PpmRegisterPerfStates+593j
		mov	ecx, _PpmPerfControlReadFeedback
		test	ecx, ecx
		jnz	short loc_8A0467
		mov	ecx, [esi+8Ch]
		mov	_PpmPerfControlReadFeedback, ecx

loc_8A0467:				; CODE XREF: PpmRegisterPerfStates+5A5j
		cmp	_PpmPerfControlAcquirePerformance, 0
		jnz	short loc_8A047B
		mov	eax, [esi+90h]
		mov	_PpmPerfControlAcquirePerformance, eax

loc_8A047B:				; CODE XREF: PpmRegisterPerfStates+5BAj
		cmp	_PpmPerfControlCommitPerformance, 0
		jnz	short loc_8A048F
		mov	eax, [esi+94h]
		mov	_PpmPerfControlCommitPerformance, eax

loc_8A048F:				; CODE XREF: PpmRegisterPerfStates+5CEj
		cmp	_PpmParkPreferenceHandler, 0
		jnz	short loc_8A04A3
		mov	eax, [esi+98h]
		mov	_PpmParkPreferenceHandler, eax

loc_8A04A3:				; CODE XREF: PpmRegisterPerfStates+5E2j
		cmp	_PpmParkMaskHandler, 0
		jnz	short loc_8A04B7
		mov	eax, [esi+9Ch]
		mov	_PpmParkMaskHandler, eax

loc_8A04B7:				; CODE XREF: PpmRegisterPerfStates+5F6j
		cmp	_PpmCheckCompleteHandler, 0
		jnz	short loc_8A04CB
		mov	eax, [esi+0A0h]
		mov	_PpmCheckCompleteHandler, eax

loc_8A04CB:				; CODE XREF: PpmRegisterPerfStates+60Aj
		cmp	_PpmPerfControlStartPolicyUpdate, 0
		jnz	short loc_8A04DC
		mov	eax, [esi+74h]
		mov	_PpmPerfControlStartPolicyUpdate, eax

loc_8A04DC:				; CODE XREF: PpmRegisterPerfStates+61Ej
		cmp	_PpmPerfControlCompletePolicyUpdate, 0
		jnz	short loc_8A04ED
		mov	eax, [esi+78h]
		mov	_PpmPerfControlCompletePolicyUpdate, eax

loc_8A04ED:				; CODE XREF: PpmRegisterPerfStates+62Fj
		test	ecx, ecx
		jnz	loc_92FC4B

loc_8A04F5:				; CODE XREF: PpmRegisterPerfStates+8FD9Ej
		mov	eax, ds:dword_70EE24
		mov	esi, offset _PpmPerfDomainHead
		inc	ds:_PpmPerfDomainCount
		cmp	[eax], esi
		jnz	loc_8A05F9
		mov	[ebx], esi
		mov	dl, 1
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	ecx, ds:_PpmPerfDomainHead
		mov	ds:dword_70EE24, ebx
		mov	[esp+0A4h+var_91], dl
		cmp	ecx, esi
		jz	short loc_8A053F

loc_8A052A:				; CODE XREF: PpmRegisterPerfStates+685j
		cmp	byte ptr [ecx+7Dh], 0
		mov	ecx, [ecx]
		setz	al
		dec	al
		and	dl, al
		cmp	ecx, esi
		jnz	short loc_8A052A
		mov	[esp+0A4h+var_91], dl

loc_8A053F:				; CODE XREF: PpmRegisterPerfStates+674j
		mov	eax, offset _PpmPerfStatesRegistered
		push	eax
		push	eax
		lea	eax, [esp+0ACh+var_3C]
		push	eax
		call	_KeOrAffinityEx@12 ; KeOrAffinityEx(x,x,x)
		mov	edx, ebx
		mov	word ptr [ebx+214h], 101h
		mov	ecx, offset _PpmAllowedActions
		call	PpmUpdateProcessorPolicy
		mov	ecx, ebx
		call	_PpmCheckResetProcessors@4 ; PpmCheckResetProcessors(x)
		test	byte ptr [esp+0A4h+var_34], 1
		jz	short loc_8A0578
		call	PpmParkApplyPolicy

loc_8A0578:				; CODE XREF: PpmRegisterPerfStates+6BDj
		call	_PpmCheckReInit@0 ; PpmCheckReInit()
		xor	ebx, ebx
		xor	esi, esi
		mov	cl, 1
		call	PpmPerfUpdateDomainPolicy

loc_8A0588:				; CODE XREF: PpmRegisterPerfStates+8FD32j
		cmp	[esp+0A4h+var_91], 0
		jz	loc_92FC57

loc_8A0593:				; CODE XREF: PpmRegisterPerfStates+8FDAAj
		mov	eax, dword_6B5BE8
		cmp	eax, dword_6B5BAC
		jnz	short loc_8A05B1
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	cl, 1
		call	_PpmReinitializeHeteroEngine@4 ; PpmReinitializeHeteroEngine(x)

loc_8A05B1:				; CODE XREF: PpmRegisterPerfStates+6EAj
					; PpmRegisterPerfStates+8FDB0j
		test	ebx, ebx
		jnz	loc_92FC69

loc_8A05B9:				; CODE XREF: PpmRegisterPerfStates+8FDC0j
		and	[esp+0A4h+var_2C], 0
		lea	eax, [esp+0A4h+var_2C]
		and	[esp+0A4h+var_28], 0
		or	[esp+0A4h+var_24], 0FFFFFFFFh
		or	[esp+0A4h+var_20], 0FFFFFFFFh
		push	eax
		push	8
		push	61C46800h
		push	0FFFFFFF7h
		push	9E3B9800h
		push	offset _PpmPerfTelemetryTimer
		call	KeSetTimer2
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8A05F9:				; CODE XREF: PpmRegisterPerfStates+653j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
PpmRegisterPerfStates endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmCheckInitProcessors proc near	; CODE XREF: PpmReapplyPerfPolicy+B6j
					; PopNewProcessorCallback(x,x,x)+32p ...

var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_1A		= word ptr -1Ah
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092FC79 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	ebx, offset _PpmCheckRegistered
		push	esi
		push	edi
		lea	edi, [ebp+var_30]
		xor	esi, esi
		stosd
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_1A], ax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		test	ecx, ecx
		jnz	loc_8A06F5
		mov	edi, offset _PpmPerfPolicyLock
		mov	ecx, edi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		lea	eax, [ebp+var_30]
		push	eax
		call	_KeQueryActiveProcessorAffinity@4 ; KeQueryActiveProcessorAffinity(x)
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		lea	eax, [ebp+var_30]
		push	eax
		call	_KeSubtractAffinityEx@12 ; KeSubtractAffinityEx(x,x,x)
		test	al, al
		jz	loc_92FC79
		mov	edi, [ebp+var_8]

loc_8A066A:				; CODE XREF: PpmCheckInitProcessors+10Aj
		push	ebx
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		call	_KeOrAffinityEx@12 ; KeOrAffinityEx(x,x,x)
		test	edi, edi
		jz	short loc_8A06C0
		xor	eax, eax
		mov	[ebp+var_1C], ax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_24], eax

loc_8A068B:				; CODE XREF: PpmCheckInitProcessors+B1j
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_8A06B1
		mov	ecx, [ebp+var_18]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		lea	ecx, [eax+3EA0h]
		call	_PpmAllocatePerfCheck@4	; PpmAllocatePerfCheck(x)
		jmp	short loc_8A068B
; 

loc_8A06B1:				; CODE XREF: PpmCheckInitProcessors+9Cj
		push	esi
		push	esi
		mov	edx, offset _PpmCheckProcessorInit@12 ;	PpmCheckProcessorInit(x,x,x)
		lea	ecx, [ebp+var_10]
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)

loc_8A06C0:				; CODE XREF: PpmCheckInitProcessors+79j
		call	PpmParkRegisterParking
		mov	eax, large fs:20h
		mov	eax, [eax+3D54h]
		and	eax, 4
		or	esi, eax
		jnz	loc_92FC85

loc_8A06DC:				; CODE XREF: PpmCheckInitProcessors+8F69Fj
		call	_PpmCheckReInit@0 ; PpmCheckReInit()
		call	_PpmCheckApplyParkConstraints@0	; PpmCheckApplyParkConstraints()

loc_8A06E6:				; CODE XREF: PpmCheckInitProcessors+8F682j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8A06F5:				; CODE XREF: PpmCheckInitProcessors+38j
		xor	eax, eax
		mov	[ebp+var_C], esi
		inc	eax
		mov	edi, esi
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		mov	[ebp+var_8], edi
		jmp	loc_8A066A
PpmCheckInitProcessors endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PpmAllocatePerfCheck(x)
_PpmAllocatePerfCheck@4	proc near	; CODE XREF: PpmRegisterPerfStates+1C7p
					; PpmCheckInitProcessors+ACp
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		cmp	[ebx+8], esi
		jnz	short loc_8A0749
		push	edi
		push	704D5050h
		push	158h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8A074E
		push	158h		; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebx+8], edi

loc_8A0748:				; CODE XREF: PpmAllocatePerfCheck(x)+45j
		pop	edi

loc_8A0749:				; CODE XREF: PpmAllocatePerfCheck(x)+Bj
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_8A074E:				; CODE XREF: PpmAllocatePerfCheck(x)+26j
		mov	esi, 0C000009Ah
		jmp	short loc_8A0748
_PpmAllocatePerfCheck@4	endp

; 
		align 2

;  S U B	R O U T	I N E 


PpmReapplyPerfPolicy proc near		; CODE XREF: PpmInfoApplySettingUpdate+83p
					; PpmReinitializeHeteroEngine(x)+18p ...

; FUNCTION CHUNK AT 0092FCA2 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi]
		test	eax, 1800h
		jz	short loc_8A0788
		shr	eax, 0Bh
		and	al, 1
		mov	cl, al
		call	_PopInitializeHeteroProcessors@4 ; PopInitializeHeteroProcessors(x)
		mov	ecx, [esi]
		test	ecx, 800h
		jz	loc_92FCA2

loc_8A0780:				; CODE XREF: PpmReapplyPerfPolicy+8F554j
		or	ecx, 200Eh
		mov	[esi], ecx

loc_8A0788:				; CODE XREF: PpmReapplyPerfPolicy+Ej
					; PpmReapplyPerfPolicy+8F54Ej
		xor	edx, edx
		mov	ecx, esi
		call	PpmUpdateProcessorPolicy
		mov	eax, [esi]
		test	al, 4
		jnz	short loc_8A07CF

loc_8A0797:				; CODE XREF: PpmReapplyPerfPolicy+80j
		test	al, 10h
		jnz	loc_92FCAF

loc_8A079F:				; CODE XREF: PpmReapplyPerfPolicy+8F560j
		test	al, 8
		jnz	short loc_8A07C2

loc_8A07A3:				; CODE XREF: PpmReapplyPerfPolicy+73j
		xor	bh, bh
		mov	bl, 1
		test	al, 2
		jnz	short loc_8A07D8

loc_8A07AB:				; CODE XREF: PpmReapplyPerfPolicy+8Fj
		mov	edi, offset _PpmPerfPolicyLock
		test	al, 4
		jnz	short loc_8A07E7

loc_8A07B4:				; CODE XREF: PpmReapplyPerfPolicy+A3j
		test	bl, bl
		jz	short loc_8A07CB
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PpmReleaseLock@4 ; PpmReleaseLock(x)
; 

loc_8A07C2:				; CODE XREF: PpmReapplyPerfPolicy+4Bj
		call	_PpmCheckReInit@0 ; PpmCheckReInit()
		mov	eax, [esi]
		jmp	short loc_8A07A3
; 

loc_8A07CB:				; CODE XREF: PpmReapplyPerfPolicy+60j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8A07CF:				; CODE XREF: PpmReapplyPerfPolicy+3Fj
		call	PpmParkApplyPolicy
		mov	eax, [esi]
		jmp	short loc_8A0797
; 

loc_8A07D8:				; CODE XREF: PpmReapplyPerfPolicy+53j
		xor	cl, cl
		xor	bl, bl
		mov	bh, 1
		call	PpmPerfUpdateDomainPolicy
		mov	eax, [esi]
		jmp	short loc_8A07AB
; 

loc_8A07E7:				; CODE XREF: PpmReapplyPerfPolicy+5Cj
		test	bh, bh
		jnz	short loc_8A07FB

loc_8A07EB:				; CODE XREF: PpmReapplyPerfPolicy+AEj
		xor	bl, bl
		test	eax, 2000h
		jnz	short loc_8A0806
		call	_PpmCheckApplyParkConstraints@0	; PpmCheckApplyParkConstraints()
		jmp	short loc_8A07B4
; 

loc_8A07FB:				; CODE XREF: PpmReapplyPerfPolicy+93j
		mov	ecx, edi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	eax, [esi]
		jmp	short loc_8A07EB
; 

loc_8A0806:				; CODE XREF: PpmReapplyPerfPolicy+9Cj
		pop	edi
		xor	ecx, ecx
		pop	esi
		inc	ecx
		pop	ebx
		jmp	PpmCheckInitProcessors
PpmReapplyPerfPolicy endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmCheckReInit()
_PpmCheckReInit@0 proc near		; CODE XREF: PpmCheckResumePpmEngineFromSx()+47p
					; PpmCheckPausePpmEngineForSx()+24p ...

var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	ecx, _PpmCurrentProfile
		push	ebx
		push	esi
		imul	esi, dword_6C2D0C, 0F0h
		xor	bl, bl
		push	edi
		mov	[esp+18h+var_A], bl
		mov	[esp+18h+var_9], bl
		add	esi, ecx
		cmp	ds:_PpmPerfDomainHead, offset _PpmPerfDomainHead
		jz	short loc_8A088C
		lea	ecx, [esi+20h]
		call	PpmPerfCheckRequired
		test	al, al
		setnz	bh
		cmp	_PpmCheckPollForFeedback, 0
		mov	[esp+18h+var_A], bh
		mov	bl, bh
		jz	short loc_8A0866
		mov	bl, 1

loc_8A0866:				; CODE XREF: PpmCheckReInit()+50j
		call	_PoEnergyEstimationEnabled@0 ; PoEnergyEstimationEnabled()
		test	al, al
		jz	short loc_8A0871
		mov	bl, 1

loc_8A0871:				; CODE XREF: PpmCheckReInit()+5Bj
		push	2
		lea	ecx, [esi+74h]
		pop	edx

loc_8A0877:				; CODE XREF: PpmCheckReInit()+78j
		mov	eax, [ecx]
		cmp	eax, [ecx+8]
		jz	short loc_8A0884
		mov	bl, 1
		mov	[esp+18h+var_9], bl

loc_8A0884:				; CODE XREF: PpmCheckReInit()+6Aj
		add	ecx, 4
		sub	edx, 1
		jnz	short loc_8A0877

loc_8A088C:				; CODE XREF: PpmCheckReInit()+34j
		call	_PpmParkParkingAvailable@0 ; PpmParkParkingAvailable()
		test	al, al
		jz	short loc_8A089B
		mov	bl, 1
		mov	[esp+18h+var_A], bl

loc_8A089B:				; CODE XREF: PpmCheckReInit()+81j
		call	_PopInterruptSteeringEnabled@0 ; PopInterruptSteeringEnabled()
		test	al, al
		jz	short loc_8A08A6
		mov	bl, 1

loc_8A08A6:				; CODE XREF: PpmCheckReInit()+90j
		test	bl, bl
		jz	short loc_8A08B8
		cmp	_PpmCheckArmed,	0
		jnz	short loc_8A08B8
		call	_PpmPerfResetHistoryAll@0 ; PpmPerfResetHistoryAll()

loc_8A08B8:				; CODE XREF: PpmCheckReInit()+96j
					; PpmCheckReInit()+9Fj
		cmp	_PpmCheckForceDisarm, 0
		setnz	bh
		dec	bh
		and	bh, bl
		cmp	[esp+18h+var_9], 0
		jnz	short loc_8A08D2
		call	_PpmPerfClearResponsivenessHints@0 ; PpmPerfClearResponsivenessHints()

loc_8A08D2:				; CODE XREF: PpmCheckReInit()+B9j
		mov	bl, [esp+18h+var_A]
		mov	cl, bl
		call	PpmParkUpdateConcurrencyTracking
		test	bh, bh
		jz	short loc_8A08E8
		call	PpmCheckArmPeriod
		jmp	short loc_8A0930
; 

loc_8A08E8:				; CODE XREF: PpmCheckReInit()+CDj
		cmp	_PpmCheckArmed,	0
		jz	short loc_8A0930

loc_8A08F1:				; CODE XREF: PpmCheckReInit()+10Ej
					; PpmCheckReInit()+112j
		mov	esi, _PpmCheckLastExecutionTime
		mov	eax, esi
		mov	edi, dword_6C049C
		mov	edx, edi
		mov	[esp+18h+var_4], edi
		mov	[esp+18h+var_8], offset	_PpmCheckLastExecutionTime
		nop
		mov	edi, [esp+18h+var_8]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [esp+18h+var_4]
		cmp	eax, esi
		jnz	short loc_8A08F1
		cmp	edx, edi
		jnz	short loc_8A08F1
		mov	bl, [esp+18h+var_A]
		mov	_PpmCheckArmed,	cl

loc_8A0930:				; CODE XREF: PpmCheckReInit()+D4j
					; PpmCheckReInit()+DDj
		cmp	ds:_PpmHeteroPolicy, 0
		mov	_PpmCheckPipelines, offset _PpmCheckHomogeneousPipelines
		jz	short loc_8A0951
		test	bl, bl
		jz	short loc_8A0951
		mov	_PpmCheckPipelines, offset _PpmCheckHeterogeneousPipelines

loc_8A0951:				; CODE XREF: PpmCheckReInit()+12Fj
					; PpmCheckReInit()+133j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PpmCheckReInit@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmParkUpdateConcurrencyTracking proc near ; CODE XREF:	PpmCheckReInit()+C6p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092FCBB SIZE 00000093 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		xor	ebx, ebx
		mov	ch, cl
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_11], ch
		stosd
		stosd
		cmp	_PpmParkNumNodes, ebx
		jz	short loc_8A09C1
		xor	edx, edx
		xor	eax, eax
		inc	edx

loc_8A098C:				; CODE XREF: PpmParkUpdateConcurrencyTracking+67j
		imul	esi, eax, 0D0h
		add	esi, _PpmParkNodes
		mov	cl, [esi+6Ah]
		mov	al, cl
		and	al, 8
		test	ch, ch
		jnz	loc_92FCEA
		test	al, al
		jnz	loc_92FCBB

loc_8A09AF:				; CODE XREF: PpmParkUpdateConcurrencyTracking+8F394j
					; PpmParkUpdateConcurrencyTracking+8F3F1j
		inc	ebx
		movzx	eax, bx
		push	1
		mov	[ebp+var_1C], ebx
		pop	edx
		cmp	eax, _PpmParkNumNodes
		jb	short loc_8A098C

loc_8A09C1:				; CODE XREF: PpmParkUpdateConcurrencyTracking+2Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PpmParkUpdateConcurrencyTracking endp


;  S U B	R O U T	I N E 


; __stdcall PpmParkParkingAvailable()
_PpmParkParkingAvailable@0 proc	near	; CODE XREF: PpmParkRegisterParking+583p
					; PpmCheckReInit():loc_8A088Cp	...
		cmp	_PpmParkNumNodes, 1
		jnz	short loc_8A09F1
		mov	ecx, large fs:20h
		mov	eax, _PpmParkNodes
		movzx	eax, byte ptr [eax+6]
		cmp	[ecx+344h], eax
		jz	short loc_8A0A68

loc_8A09F1:				; CODE XREF: PpmParkParkingAvailable()+7j
		push	edi
		xor	edi, edi
		xor	dl, dl
		cmp	_PpmParkNumNodes, edi
		jz	short loc_8A0A5B
		mov	eax, _PpmParkNodes
		push	ebx
		add	eax, 5Ch
		push	esi

loc_8A0A08:				; CODE XREF: PpmParkParkingAvailable()+87j
		cmp	byte ptr [eax+2], 0
		ja	short loc_8A0A73
		cmp	byte ptr [eax+4], 0
		ja	short loc_8A0A73
		cmp	dword ptr [eax-48h], 0
		jnz	short loc_8A0A73
		cmp	dword_6B5BB8, 0
		jnz	short loc_8A0A73
		xor	ecx, ecx
		lea	esi, [eax-3Ch]

loc_8A0A28:				; CODE XREF: PpmParkParkingAvailable()+79j
		mov	bl, [eax+ecx-4]
		test	bl, bl
		jz	short loc_8A0A42
		mov	dh, [eax+ecx]
		cmp	[eax+ecx-2], dh
		jb	short loc_8A0A6F
		cmp	dh, bl
		jb	short loc_8A0A6F
		cmp	dword ptr [esi], 0
		jnz	short loc_8A0A6B

loc_8A0A42:				; CODE XREF: PpmParkParkingAvailable()+5Ej
					; PpmParkParkingAvailable()+9Dj
		inc	ecx
		add	esi, 4
		cmp	ecx, 2
		jb	short loc_8A0A28

loc_8A0A4B:				; CODE XREF: PpmParkParkingAvailable()+A1j
		inc	edi
		add	eax, 0D0h
		cmp	edi, _PpmParkNumNodes
		jb	short loc_8A0A08

loc_8A0A59:				; CODE XREF: PpmParkParkingAvailable()+A5j
		pop	esi
		pop	ebx

loc_8A0A5B:				; CODE XREF: PpmParkParkingAvailable()+2Cj
		movzx	ecx, dl
		mov	al, dl
		mov	_PpmIsParkingEnabled, ecx
		pop	edi
		retn
; 

loc_8A0A68:				; CODE XREF: PpmParkParkingAvailable()+1Fj
		xor	al, al
		retn
; 

loc_8A0A6B:				; CODE XREF: PpmParkParkingAvailable()+70j
		mov	dl, 1
		jmp	short loc_8A0A42
; 

loc_8A0A6F:				; CODE XREF: PpmParkParkingAvailable()+67j
					; PpmParkParkingAvailable()+6Bj
		mov	dl, 1
		jmp	short loc_8A0A4B
; 

loc_8A0A73:				; CODE XREF: PpmParkParkingAvailable()+3Cj
					; PpmParkParkingAvailable()+42j ...
		mov	dl, 1
		jmp	short loc_8A0A59
_PpmParkParkingAvailable@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleInitializeConcurrency(x, x, x)
_PpmIdleInitializeConcurrency@12 proc near ; CODE XREF:	PpmParkRegisterParking+366p
					; PpmParkRegisterParking+83C6Ep

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_18], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_28]
		mov	[ebp+var_1C], edx
		stosd
		mov	esi, ecx
		push	esi
		mov	ebx, [esi+8]
		stosd
		not	ebx
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		lea	eax, [ebp+var_28]
		add	cl, dl
		push	eax
		movzx	edi, cl
		call	_KeFirstGroupAffinityEx@8 ; KeFirstGroupAffinityEx(x,x)
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_8A0B19
		mov	esi, [eax]
		test	esi, esi
		jz	short loc_8A0B19
		cmp	edi, [esi+4]
		jnz	short loc_8A0B19
		and	dword ptr [eax], 0

loc_8A0B00:				; CODE XREF: PpmIdleInitializeConcurrency(x,x,x)+F1j
		mov	eax, [ebp+var_14]

loc_8A0B03:				; CODE XREF: PpmIdleInitializeConcurrency(x,x,x)+F8j
		mov	ecx, [ebp+var_1C]
		pop	edi
		mov	[ecx], esi
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_8A0B19:				; CODE XREF: PpmIdleInitializeConcurrency(x,x,x)+78j
					; PpmIdleInitializeConcurrency(x,x,x)+7Ej ...
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	ebx, ds:28h[edi*8]
		call	KeSetSystemGroupAffinityThread
		push	704D5050h
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		test	esi, esi
		jz	short loc_8A0B6B
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		and	dword ptr [esi], 0
		add	esp, 0Ch
		mov	[esi+4], edi
		call	_PpmQueryTime@0	; PpmQueryTime()
		mov	[esi+10h], eax
		mov	[esi+14h], edx
		jmp	short loc_8A0B00
; 

loc_8A0B6B:				; CODE XREF: PpmIdleInitializeConcurrency(x,x,x)+D2j
		mov	eax, 0C000009Ah
		jmp	short loc_8A0B03
_PpmIdleInitializeConcurrency@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPerfResetHistoryAll()
_PpmPerfResetHistoryAll@0 proc near	; CODE XREF: PpmCheckReInit()+A1p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		and	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	eax, dword_6B5BAC
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], offset _PpmCheckRegistered

loc_8A0B91:				; CODE XREF: PpmPerfResetHistoryAll()+43j
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short locret_8A0BB7
		mov	ecx, [ebp+var_4]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		lea	ecx, [eax+3EA0h]
		call	PpmPerfResetHistory
		jmp	short loc_8A0B91
; 

locret_8A0BB7:				; CODE XREF: PpmPerfResetHistoryAll()+2Ej
		leave
		retn
_PpmPerfResetHistoryAll@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopInitializeHeteroProcessors(x)
_PopInitializeHeteroProcessors@4 proc near ; CODE XREF:	PpmReapplyPerfPolicy+17p
					; PoInitSystem+5FFp

var_1C		= byte ptr -1Ch
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= word ptr -4
var_2		= word ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		xor	al, al
		mov	bl, cl
		cmp	_PpmBackgroundProfile, 0
		push	esi
		push	edi
		mov	[esp+28h+var_19], bl
		mov	[esp+28h+var_1A], al
		jnz	short loc_8A0BEF
		cmp	_PpmEntryLevelPerfProfile, 0
		jnz	short loc_8A0BEF
		cmp	_PpmMultimediaQosProfile, 0
		jz	short loc_8A0C0F

loc_8A0BEF:				; CODE XREF: PopInitializeHeteroProcessors(x)+21j
					; PopInitializeHeteroProcessors(x)+2Aj
		cmp	ds:_PpmPerfSchedulerDirectedPerfStatesSupported, al
		jz	short loc_8A0C0F
		push	0
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		cmp	eax, 2
		jb	short loc_8A0C0B
		mov	al, 1
		mov	[esp+28h+var_1A], al
		jmp	short loc_8A0C0F
; 

loc_8A0C0B:				; CODE XREF: PopInitializeHeteroProcessors(x)+47j
		mov	al, [esp+28h+var_1A]

loc_8A0C0F:				; CODE XREF: PopInitializeHeteroProcessors(x)+33j
					; PopInitializeHeteroProcessors(x)+3Bj	...
		cmp	ds:_PpmPerfVmQosSupported, 0
		jz	short loc_8A0C1E
		mov	al, 1
		mov	[esp+28h+var_1A], al

loc_8A0C1E:				; CODE XREF: PopInitializeHeteroProcessors(x)+5Cj
		test	al, al
		jz	short loc_8A0C30
		cmp	ds:_PpmPerfQosGroupPolicyDisable, 0
		mov	[esp+28h+var_1C], 1
		jz	short loc_8A0C35

loc_8A0C30:				; CODE XREF: PopInitializeHeteroProcessors(x)+66j
		mov	[esp+28h+var_1C], 0

loc_8A0C35:				; CODE XREF: PopInitializeHeteroProcessors(x)+74j
		test	bl, bl
		jz	loc_8A0D8D
		mov	esi, ds:_PpmHeteroCapabilityTest
		xor	ecx, ecx
		mov	[esp+28h+var_10], esi
		cmp	[esi], ecx
		jbe	short loc_8A0C5E
		lea	eax, [esi+8]

loc_8A0C50:				; CODE XREF: PopInitializeHeteroProcessors(x)+A2j
		mov	word ptr [eax-1], 0
		lea	eax, [eax+3]
		inc	ecx
		cmp	ecx, [esi]
		jb	short loc_8A0C50

loc_8A0C5E:				; CODE XREF: PopInitializeHeteroProcessors(x)+91j
		call	PpmHeteroComputeRelativePerformance
		call	PpmHeteroUpdateHgsConfiguration
		mov	ecx, esi
		call	PopDetectSimulatedHeteroProcessors
		movzx	eax, al
		xor	ebx, ebx
		test	eax, eax
		mov	[esp+28h+var_18], eax
		setnz	bl
		test	eax, eax
		jnz	loc_8A0D36
		mov	ecx, esi
		call	PpmHeteroDetectHgsCores
		movzx	eax, al
		mov	[esp+28h+var_18], eax
		test	eax, eax
		jz	short loc_8A0C9E
		push	5
		jmp	loc_8A0D35
; 

loc_8A0C9E:				; CODE XREF: PopInitializeHeteroProcessors(x)+DBj
		xor	eax, eax
		and	[esp+28h+var_14], eax
		cmp	ds:_PpmHeteroNominalPerformanceClasses,	1
		mov	[esp+28h+var_2], ax
		ja	short loc_8A0CBB
		cmp	ds:_PpmHeteroHighestPerformanceClasses,	1
		jbe	short loc_8A0D18

loc_8A0CBB:				; CODE XREF: PopInitializeHeteroProcessors(x)+F6j
		xor	eax, eax
		mov	[esp+28h+var_4], ax
		mov	eax, dword_6B5BE8
		mov	[esp+28h+var_8], eax
		mov	[esp+28h+var_C], offset	_PpmPerfStatesRegistered
		jmp	short loc_8A0CFE
; 

loc_8A0CD5:				; CODE XREF: PopInitializeHeteroProcessors(x)+155j
		mov	edi, [esp+28h+var_14]
		mov	ecx, edi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		imul	ecx, edi, 3
		cmp	ds:_PpmHeteroNominalPerformanceClasses,	1
		mov	eax, [eax+3EA0h]
		jbe	short loc_8A0CF7
		mov	al, [eax+21h]
		jmp	short loc_8A0CFA
; 

loc_8A0CF7:				; CODE XREF: PopInitializeHeteroProcessors(x)+136j
		mov	al, [eax+22h]

loc_8A0CFA:				; CODE XREF: PopInitializeHeteroProcessors(x)+13Bj
		mov	[ecx+esi+8], al

loc_8A0CFE:				; CODE XREF: PopInitializeHeteroProcessors(x)+119j
		lea	eax, [esp+28h+var_C]
		push	eax
		lea	eax, [esp+2Ch+var_14]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jz	short loc_8A0CD5
		xor	eax, eax
		mov	byte ptr [esi+5], 1
		inc	eax

loc_8A0D18:				; CODE XREF: PopInitializeHeteroProcessors(x)+FFj
		mov	[esp+28h+var_18], eax
		test	eax, eax
		jz	short loc_8A0D24
		push	3
		jmp	short loc_8A0D35
; 

loc_8A0D24:				; CODE XREF: PopInitializeHeteroProcessors(x)+164j
		cmp	[esp+28h+var_1C], 0
		jz	short loc_8A0D36
		mov	[esp+28h+var_18], 1
		push	4

loc_8A0D35:				; CODE XREF: PopInitializeHeteroProcessors(x)+DFj
					; PopInitializeHeteroProcessors(x)+168j
		pop	ebx

loc_8A0D36:				; CODE XREF: PopInitializeHeteroProcessors(x)+C5j
					; PopInitializeHeteroProcessors(x)+16Fj
		cmp	ebx, ds:_PopHeteroSystem
		jz	short loc_8A0D45
		mov	[esp+28h+var_1B], 1
		jmp	short loc_8A0DA9
; 

loc_8A0D45:				; CODE XREF: PopInitializeHeteroProcessors(x)+182j
		push	0FFFFh
		mov	[esp+2Ch+var_1B], 0
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_8A0DA9
		mov	eax, ds:_PpmHeteroCapability
		lea	ecx, [esi+7]
		lea	edi, [eax+8]
		sub	eax, esi
		mov	esi, eax

loc_8A0D69:				; CODE XREF: PopInitializeHeteroProcessors(x)+1CBj
		mov	al, [esi+ecx]
		cmp	al, [ecx]
		jnz	short loc_8A0D77
		mov	al, [edi]
		cmp	al, [ecx+1]
		jz	short loc_8A0D7C

loc_8A0D77:				; CODE XREF: PopInitializeHeteroProcessors(x)+1B4j
		mov	[esp+28h+var_1B], 1

loc_8A0D7C:				; CODE XREF: PopInitializeHeteroProcessors(x)+1BBj
		add	edi, 3
		add	ecx, 3
		sub	edx, 1
		jnz	short loc_8A0D69
		mov	esi, [esp+28h+var_10]
		jmp	short loc_8A0DA9
; 

loc_8A0D8D:				; CODE XREF: PopInitializeHeteroProcessors(x)+7Dj
		mov	ebx, ds:_PopHeteroSystem
		xor	eax, eax
		mov	esi, ds:_PpmHeteroCapability
		test	ebx, ebx
		mov	[esp+28h+var_1B], 0
		setnz	al
		mov	[esp+28h+var_18], eax

loc_8A0DA9:				; CODE XREF: PopInitializeHeteroProcessors(x)+189j
					; PopInitializeHeteroProcessors(x)+19Ej ...
		mov	dl, [esp+28h+var_19]
		mov	ecx, ebx
		call	_PopConfigureHeteroPolicies@8 ;	PopConfigureHeteroPolicies(x,x)
		cmp	[esp+28h+var_1B], 0
		jnz	short loc_8A0DD1
		test	ebx, ebx
		jz	short loc_8A0DC3
		test	al, al
		jnz	short loc_8A0DD1

loc_8A0DC3:				; CODE XREF: PopInitializeHeteroProcessors(x)+203j
		mov	al, [esp+28h+var_1C]
		cmp	ds:_PpmPerfQosSupportedAndAllowed, al
		jz	short loc_8A0DF4
		jmp	short loc_8A0DD5
; 

loc_8A0DD1:				; CODE XREF: PopInitializeHeteroProcessors(x)+1FFj
					; PopInitializeHeteroProcessors(x)+207j
		mov	al, [esp+28h+var_1C]

loc_8A0DD5:				; CODE XREF: PopInitializeHeteroProcessors(x)+215j
		lea	ecx, [esp+28h+var_18]
		movzx	edx, al
		push	ecx
		mov	ecx, esi
		call	_KeConfigureHeteroProcessors@12	; KeConfigureHeteroProcessors(x,x,x)
		test	eax, eax
		jz	short loc_8A0DF4
		xor	edx, edx
		mov	ecx, offset _PopUpdateSingleProcessHeteroPolicies@8 ; PopUpdateSingleProcessHeteroPolicies(x,x)
		call	PsEnumProcesses

loc_8A0DF4:				; CODE XREF: PopInitializeHeteroProcessors(x)+213j
					; PopInitializeHeteroProcessors(x)+22Cj
		cmp	[esp+28h+var_18], 0
		jnz	short loc_8A0E2C
		mov	eax, ds:_PpmHeteroCapability
		xor	ebx, ebx
		mov	ds:_PopHeteroSystem, ebx
		mov	edx, ebx
		cmp	[eax], ebx
		jbe	short loc_8A0E24
		lea	ecx, [eax+8]

loc_8A0E11:				; CODE XREF: PopInitializeHeteroProcessors(x)+268j
		mov	[ecx-1], bx
		inc	edx
		mov	[ecx-2], bl
		add	ecx, 3
		mov	[eax+4], bx
		cmp	edx, [eax]
		jb	short loc_8A0E11

loc_8A0E24:				; CODE XREF: PopInitializeHeteroProcessors(x)+252j
		cmp	[esp+28h+var_1A], bl
		jz	short loc_8A0E64
		jmp	short loc_8A0E5D
; 

loc_8A0E2C:				; CODE XREF: PopInitializeHeteroProcessors(x)+23Fj
		mov	ecx, ds:_PpmHeteroCapability
		mov	ds:_PopHeteroSystem, ebx
		cmp	esi, ecx
		jz	short loc_8A0E4F
		mov	eax, [esi]
		add	eax, 2
		imul	eax, 3
		push	eax		; size_t
		push	esi		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_8A0E4F:				; CODE XREF: PopInitializeHeteroProcessors(x)+280j
		cmp	[esp+28h+var_1C], 0
		jz	short loc_8A0E5B
		call	_PpmIdleEnableIdleDurationExpirationTimeout@0 ;	PpmIdleEnableIdleDurationExpirationTimeout()

loc_8A0E5B:				; CODE XREF: PopInitializeHeteroProcessors(x)+29Aj
		xor	ebx, ebx

loc_8A0E5D:				; CODE XREF: PopInitializeHeteroProcessors(x)+270j
		mov	ds:_PpmPerfQosSupportedAndConfigured, 1

loc_8A0E64:				; CODE XREF: PopInitializeHeteroProcessors(x)+26Ej
		mov	edx, ds:_PopHeteroSystem
		cmp	edx, 1
		jz	short loc_8A0E81
		cmp	edx, 2
		jz	short loc_8A0E81
		cmp	edx, 5
		jz	short loc_8A0E81
		mov	ds:_PpmHeteroPolicy, ebx
		jmp	short loc_8A0E8B
; 

loc_8A0E81:				; CODE XREF: PopInitializeHeteroProcessors(x)+2B3j
					; PopInitializeHeteroProcessors(x)+2B8j ...
		mov	eax, ds:_PpmHeteroDesiredPolicy
		mov	ds:_PpmHeteroPolicy, eax

loc_8A0E8B:				; CODE XREF: PopInitializeHeteroProcessors(x)+2C5j
		cmp	ds:_PpmPerfArtificialDomainSetting, 0FFFFFFFFh
		jnz	short loc_8A0EA1
		xor	ecx, ecx
		test	edx, edx
		setnz	cl
		mov	ds:_PpmPerfArtificialDomainEnabled, ecx

loc_8A0EA1:				; CODE XREF: PopInitializeHeteroProcessors(x)+2D8j
		call	PpmEventHeteroConfigUpdate
		xor	cl, cl
		call	PpmEventHeteroPolicy
		mov	al, [esp+28h+var_1C]
		pop	edi
		pop	esi
		mov	ds:_PpmPerfQosSupportedAndAllowed, al
		mov	al, [esp+20h+var_1B]
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopInitializeHeteroProcessors@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEventHeteroPolicy proc near		; CODE XREF: PopInitializeHeteroProcessors(x)+2EEp
					; PpmEventTraceControlCallback+82E89p

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092FD4E SIZE 000000BB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, offset _PPM_ETW_HETEROGENEOUS_POLICIES_RUNDOWN
		test	cl, cl
		jnz	short loc_8A0EE6
		mov	esi, (offset loc_40855F+1)

loc_8A0EE6:				; CODE XREF: PpmEventHeteroPolicy+1Dj
		cmp	_PpmEtwRegistered, 0
		jz	short loc_8A0F0F
		push	ebx
		mov	ebx, _PpmEtwHandle
		push	edi
		mov	edi, dword_6BFD04
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_92FD4E

loc_8A0F0D:				; CODE XREF: PpmEventHeteroPolicy+8EF42j
		pop	edi
		pop	ebx

loc_8A0F0F:				; CODE XREF: PpmEventHeteroPolicy+2Bj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PpmEventHeteroPolicy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEventHeteroConfigUpdate proc	near	; CODE XREF: PopInitializeHeteroProcessors(x):loc_8A0EA1p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= word ptr -60h
var_5E		= word ptr -5Eh
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092FE09 SIZE 000000C1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_5E], ax
		mov	[ebp+var_5C], esi
		mov	[ebp+var_58], esi
		cmp	_PpmEtwRegistered, al
		jz	short loc_8A0F66
		push	edi
		mov	edi, offset _PPM_ETW_PROCESSOR_CLASS_UPDATE
		push	edi
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jnz	loc_92FE09

loc_8A0F65:				; CODE XREF: PpmEventHeteroConfigUpdate+8EFA9j
		pop	edi

loc_8A0F66:				; CODE XREF: PpmEventHeteroConfigUpdate+27j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PpmEventHeteroConfigUpdate endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopConfigureHeteroPolicies(x, x)
_PopConfigureHeteroPolicies@8 proc near	; CODE XREF: PopInitializeHeteroProcessors(x)+1F5p

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6B		= byte ptr -6Bh
var_6A		= byte ptr -6Ah
var_69		= byte ptr -69h
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		xor	eax, eax
		mov	[ebp+var_74], ecx
		pop	ecx
		lea	edi, [ebp+var_B4]
		mov	[ebp+var_69], dl
		rep stosd
		lea	edi, [ebp+var_68]
		xor	ebx, ebx
		stosd
		mov	esi, ebx
		push	3Ch		; size_t
		push	ebx		; int
		mov	[ebp+var_7C], ebx
		stosd
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_94], ebx
		stosd
		mov	[ebp+var_78], ebx
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_98], ebx
		stosd
		lea	eax, [ebp+var_54]
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_74]
		add	esp, 0Ch
		mov	[ebp+var_20], 7
		push	5
		pop	ecx
		mov	[ebp+var_54], ecx
		push	0Ah
		pop	edi
		push	2
		pop	edx
		cmp	eax, 4
		jnz	short loc_8A0FFD
		mov	[ebp+var_28], edi
		jmp	short loc_8A1034
; 

loc_8A0FFD:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+82j
		mov	[ebp+var_28], 8
		cmp	eax, 3
		jnz	short loc_8A1029
		mov	[ebp+var_24], 1450h
		mov	[ebp+var_20], 37h

loc_8A1017:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+D5j
		mov	ecx, edi
		lea	edi, [ebp+var_50]
		push	4
		pop	eax
		rep stosd
		mov	[ebp+var_44], edx
		mov	[ebp+var_4C], edx
		jmp	short loc_8A1058
; 

loc_8A1029:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+93j
		cmp	eax, ecx
		jnz	short loc_8A1034
		mov	[ebp+var_20], 17h

loc_8A1034:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+87j
					; PopConfigureHeteroPolicies(x,x)+B7j
		mov	[ebp+var_24], 64h
		push	2
		pop	edx
		test	eax, eax
		jle	short loc_8A104F
		cmp	eax, edx
		jle	short loc_8A1093
		cmp	eax, 3
		jz	short loc_8A1017
		cmp	eax, ecx
		jz	short loc_8A1093

loc_8A104F:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+CCj
		mov	ecx, edi
		xor	eax, eax
		lea	edi, [ebp+var_50]
		rep stosd

loc_8A1058:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+B3j
					; PopConfigureHeteroPolicies(x,x)+148j
		push	5
		pop	edi
		push	edi
		pop	ecx
		mov	[ebp+var_70], ecx
		mov	edx, ebx

loc_8A1062:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+1BAj
		mov	eax, edx
		sub	eax, 1
		jz	short loc_8A10D2
		sub	eax, 1
		jz	short loc_8A10CA
		sub	eax, 1
		jz	short loc_8A10BE
		sub	eax, 1

loc_8A1076:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+154j
		mov	ecx, _PpmCurrentProfile
		imul	eax, dword_6C2D0C, 0F0h
		add	ecx, 20h
		add	ecx, eax
		or	esi, 1800h
		jmp	short loc_8A10F4
; 

loc_8A1093:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+D0j
					; PopConfigureHeteroPolicies(x,x)+D9j
		mov	eax, ebx
		lea	ecx, [ebp+var_50]

loc_8A1098:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+146j
		mov	[ebp+var_70], edx

loc_8A109B:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+140j
		cmp	eax, edx
		jz	short loc_8A10A8
		cmp	eax, 3
		jz	short loc_8A10A8
		mov	edi, edx
		jmp	short loc_8A10AB
; 

loc_8A10A8:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+129j
					; PopConfigureHeteroPolicies(x,x)+12Ej
		push	3
		pop	edi

loc_8A10AB:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+132j
		mov	[ecx], edi
		add	ecx, 4
		sub	[ebp+var_70], 1
		jnz	short loc_8A109B
		inc	eax
		cmp	eax, 5
		jb	short loc_8A1098
		jmp	short loc_8A1058
; 

loc_8A10BE:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+FDj
		mov	ecx, _PpmMultimediaQosProfile
		test	ecx, ecx
		jnz	short loc_8A10DC
		jmp	short loc_8A1076
; 

loc_8A10CA:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+F8j
		mov	ecx, _PpmBackgroundProfile
		jmp	short loc_8A10D8
; 

loc_8A10D2:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+F3j
		mov	ecx, _PpmEntryLevelPerfProfile

loc_8A10D8:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+15Cj
		test	ecx, ecx
		jz	short loc_8A10F0

loc_8A10DC:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+152j
		imul	eax, dword_6C2D0C, 0F0h
		add	eax, 20h
		add	ecx, eax
		mov	esi, [ecx+4]
		jmp	short loc_8A10F4
; 

loc_8A10F0:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+166j
		mov	esi, ebx
		mov	ecx, ebx

loc_8A10F4:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+11Dj
					; PopConfigureHeteroPolicies(x,x)+17Aj
		test	esi, 1000h
		jz	short loc_8A1102
		mov	edi, [ecx+0E4h]

loc_8A1102:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+186j
		test	esi, 800h
		jz	short loc_8A1115
		mov	ecx, [ecx+0E8h]
		mov	[ebp+var_70], ecx
		jmp	short loc_8A1118
; 

loc_8A1115:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+194j
		mov	ecx, [ebp+var_70]

loc_8A1118:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+19Fj
		push	5
		pop	eax
		cmp	edi, eax
		jz	short loc_8A1123
		mov	[ebp+edx*8+var_50], edi

loc_8A1123:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+1A9j
		cmp	ecx, eax
		jz	short loc_8A112B
		mov	[ebp+edx*8+var_4C], ecx

loc_8A112B:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+1B1j
		inc	edx
		cmp	edx, eax
		jb	loc_8A1062
		cmp	[ebp+var_69], bl
		jz	loc_8A1254
		push	0Ah
		pop	ecx
		mov	edi, offset dword_6C0024
		rep stosd
		or	dword_6C0054, 0FFFFFFFFh
		mov	_PopHeteroLegacyOverride, eax
		lea	eax, [ebp+var_90]
		push	offset ??_C@_1GG@MENCCAOO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@ ; "\\Registry\\MACHINE\\SYSTEM\\CurrentControl"...
		push	eax
		mov	dword_6C004C, ebx
		mov	dword_6C0050, ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_90]
		mov	[ebp+var_B4], 18h
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_B4]
		push	eax
		push	8
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_B0], ebx
		push	eax
		mov	[ebp+var_A8], 240h
		mov	[ebp+var_A4], ebx
		mov	[ebp+var_A0], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_8A1254
		mov	eax, [ebp+var_7C]
		mov	esi, ebx
		mov	[ebp+var_B0], eax

loc_8A11C7:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+2D2j
		push	dword ptr ds:(loc_A404CF+1)[esi]
		lea	eax, [ebp+var_90]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_B4]
		push	eax
		push	1
		lea	eax, [ebp+var_78]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_8A1240
		push	dword ptr ds:(loc_A404D3+1)[esi]
		lea	eax, [ebp+var_9C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_94]
		push	eax
		push	10h
		lea	eax, [ebp+var_68]
		push	eax
		push	4
		lea	eax, [ebp+var_9C]
		push	eax
		push	[ebp+var_78]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8A1238
		cmp	[ebp+var_68], 4
		jnz	short loc_8A1238
		mov	ecx, ds:dword_A404D8[esi]
		mov	eax, [ebp+var_60]
		mov	_PopHeteroLegacyOverride[ecx], eax

loc_8A1238:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+2ADj
					; PopConfigureHeteroPolicies(x,x)+2B3j
		push	[ebp+var_78]
		call	_ZwClose@4	; ZwClose(x)

loc_8A1240:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+279j
		add	esi, 0Ch
		cmp	esi, 54h
		jb	loc_8A11C7
		push	[ebp+var_7C]
		call	_ZwClose@4	; ZwClose(x)

loc_8A1254:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+1C3j
					; PopConfigureHeteroPolicies(x,x)+242j
		push	2
		pop	esi
		push	4
		mov	eax, ebx
		pop	edi

loc_8A125C:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+303j
		mov	edx, esi

loc_8A125E:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+2FEj
		mov	ecx, dword_6C0024[eax]
		cmp	ecx, 5
		jz	short loc_8A126D
		mov	[ebp+eax+var_50], ecx

loc_8A126D:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+2F3j
		add	eax, edi
		sub	edx, 1
		jnz	short loc_8A125E
		cmp	eax, 28h
		jb	short loc_8A125C
		mov	eax, _PopHeteroLegacyOverride
		cmp	eax, 5
		jz	short loc_8A1286
		mov	[ebp+var_54], eax

loc_8A1286:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+30Dj
		mov	eax, dword_6C004C
		test	eax, eax
		jz	short loc_8A1292
		mov	[ebp+var_28], eax

loc_8A1292:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+319j
		mov	eax, dword_6C0050
		test	eax, eax
		jz	short loc_8A129E
		mov	[ebp+var_24], eax

loc_8A129E:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+325j
		mov	eax, dword_6C0054
		cmp	eax, 0FFFFFFFFh
		jz	short loc_8A12AB
		mov	[ebp+var_20], eax

loc_8A12AB:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+332j
		cmp	ds:_PpmPerfBootHeteroPolicyOverrideEnabled, ebx
		jz	short loc_8A12CE
		push	5
		lea	eax, [ebp+var_50]
		pop	edx

loc_8A12B9:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+358j
		mov	ecx, esi

loc_8A12BB:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+353j
		cmp	dword ptr [eax], 3
		jnz	short loc_8A12C2
		mov	[eax], edi

loc_8A12C2:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+34Aj
		add	eax, edi
		sub	ecx, 1
		jnz	short loc_8A12BB
		sub	edx, 1
		jnz	short loc_8A12B9

loc_8A12CE:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+33Dj
		mov	dl, 1
		lea	edi, [ebp+var_4C]
		mov	ecx, ebx

loc_8A12D5:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+375j
		mov	eax, [ebp+ecx*8+var_50]
		cmp	eax, [edi]
		lea	edi, [edi+8]
		setnz	al
		dec	al
		and	dl, al
		inc	ecx
		cmp	ecx, 5
		jb	short loc_8A12D5
		test	dl, dl
		jz	short loc_8A12F3
		and	[ebp+var_20], 0FFFFFFFBh

loc_8A12F3:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+379j
		mov	eax, ds:_PpmPerfQosTransitionHysteresisOverride
		mov	ecx, ds:_PpmPerfQosTransitionHysteresis
		cmp	eax, 0FFFFFFFFh
		jz	short loc_8A1305
		mov	ecx, eax

loc_8A1305:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+38Dj
		test	ecx, ecx
		jz	short loc_8A1320
		imul	ecx, ds:_PpmPerfQosTransitionHysteresis, 0Ah
		mov	edx, ds:_KeMinimumIncrement
		mov	[ebp+var_1C], ecx
		cmp	ecx, edx
		ja	short loc_8A1320
		mov	[ebp+var_1C], edx

loc_8A1320:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+393j
					; PopConfigureHeteroPolicies(x,x)+3A7j
		mov	ecx, ds:_PpmPerfQosTransitionHysteresis
		cmp	eax, 0FFFFFFFFh
		jz	short loc_8A132D
		mov	ecx, eax

loc_8A132D:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+3B5j
		mov	edx, 1F4h
		cmp	ecx, edx
		jbe	short loc_8A1342
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_8A1344
		mov	eax, ds:_PpmPerfQosTransitionHysteresis
		jmp	short loc_8A1344
; 

loc_8A1342:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+3C0j
		mov	eax, edx

loc_8A1344:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+3C5j
					; PopConfigureHeteroPolicies(x,x)+3CCj
		mov	ecx, [ebp+var_74]
		imul	eax, 0Ah
		mov	ds:dword_70EE1C, ebx
		mov	ds:_PpmPerfQosIdleExpirationTimeout, eax
		cmp	ecx, 1
		jz	short loc_8A136E
		cmp	ecx, esi
		jz	short loc_8A136E
		cmp	ecx, 5
		jz	short loc_8A136E
		xor	esi, esi
		xor	eax, eax
		inc	esi
		inc	eax
		jmp	loc_8A1402
; 

loc_8A136E:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+3E4j
					; PopConfigureHeteroPolicies(x,x)+3E8j	...
		mov	eax, [ebp+var_54]
		mov	ch, bl
		mov	[ebp+var_6A], bl
		mov	dh, bl
		sub	eax, ebx
		jz	short loc_8A13EA
		sub	eax, esi
		jz	short loc_8A13E3
		sub	eax, esi
		jz	short loc_8A13DF
		sub	eax, 1
		jnz	short loc_8A13F1
		mov	[ebp+var_70], ebx
		lea	edi, [ebp+var_50]

loc_8A138F:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+467j
		mov	cl, bl
		mov	[ebp+var_74], esi
		mov	dl, bl

loc_8A1396:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+443j
		mov	eax, [edi]
		sub	eax, ebx
		jz	short loc_8A13AC
		sub	eax, esi
		jz	short loc_8A13A8
		sub	eax, esi
		jnz	short loc_8A13B0
		mov	cl, 1
		jmp	short loc_8A13B0
; 

loc_8A13A8:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+42Aj
		mov	dl, 1
		jmp	short loc_8A13B0
; 

loc_8A13AC:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+426j
		mov	cl, 1
		mov	dl, cl

loc_8A13B0:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+42Ej
					; PopConfigureHeteroPolicies(x,x)+432j	...
		add	edi, 4
		sub	[ebp+var_74], 1
		jnz	short loc_8A1396
		mov	[ebp+var_69], dl
		mov	[ebp+var_6B], cl
		call	_PpmHeteroComputeBias@8	; PpmHeteroComputeBias(x,x)
		mov	ebx, [ebp+var_70]
		or	ch, cl
		or	dh, dl
		push	0
		mov	[ebp+ebx*4+var_18], eax
		mov	eax, ebx
		inc	eax
		mov	[ebp+var_70], eax
		pop	ebx
		cmp	eax, 5
		jb	short loc_8A138F
		jmp	short loc_8A13F1
; 

loc_8A13DF:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+40Ej
		mov	ch, 1
		jmp	short loc_8A13EE
; 

loc_8A13E3:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+40Aj
		mov	dh, 1
		mov	[ebp+var_6A], dh
		jmp	short loc_8A13F1
; 

loc_8A13EA:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+406j
		mov	ch, 1
		mov	dh, ch

loc_8A13EE:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+46Dj
		mov	[ebp+var_6A], ch

loc_8A13F1:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+413j
					; PopConfigureHeteroPolicies(x,x)+469j	...
		mov	dl, dh
		mov	cl, ch
		call	_PpmHeteroComputeBias@8	; PpmHeteroComputeBias(x,x)
		cmp	[ebp+var_6A], 0
		mov	esi, eax
		jz	short loc_8A140A

loc_8A1402:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+3F5j
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		stosd
		stosd

loc_8A140A:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+48Cj
		lea	ecx, [ebp+var_54]
		call	KeConfigureHeteroPolicy
		cmp	ds:_PpmHeteroParkBias, esi
		jz	short loc_8A1422
		mov	ds:_PpmHeteroParkBias, esi
		mov	al, 1

loc_8A1422:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+4A4j
					; PopConfigureHeteroPolicies(x,x)+4C8j
		mov	ecx, [ebp+ebx+var_18]
		cmp	ds:_PpmHeteroQosBias[ebx], ecx
		jz	short loc_8A1436
		mov	ds:_PpmHeteroQosBias[ebx], ecx
		mov	al, 1

loc_8A1436:				; CODE XREF: PopConfigureHeteroPolicies(x,x)+4B8j
		add	ebx, 4
		cmp	ebx, 14h
		jb	short loc_8A1422
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopConfigureHeteroPolicies@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeConfigureHeteroPolicy	proc near	; CODE XREF: PopConfigureHeteroPolicies(x,x)+499p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092FECA SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	[ebp+var_8], edi
		cmp	dword ptr [edi], 9
		jnb	loc_92FECA

loc_8A1468:				; CODE XREF: KeConfigureHeteroPolicy+8EA7Ej
		push	5
		lea	ecx, [edi+4]
		pop	esi
		mov	eax, ecx
		mov	edi, esi

loc_8A1472:				; CODE XREF: KeConfigureHeteroPolicy+3Aj
		push	2
		pop	edx

loc_8A1475:				; CODE XREF: KeConfigureHeteroPolicy+35j
		cmp	[eax], esi
		jge	loc_92FED1

loc_8A147D:				; CODE XREF: KeConfigureHeteroPolicy+8EA85j
		add	eax, 4
		sub	edx, 1
		jnz	short loc_8A1475
		sub	edi, 1
		jnz	short loc_8A1472
		mov	edi, [ebp+var_8]
		mov	edx, [edi+34h]
		test	edx, 0FFFFFFC0h
		jnz	loc_92FED8

loc_8A149C:				; CODE XREF: KeConfigureHeteroPolicy+8EA8Fj
		mov	eax, [edi]
		mov	[ebp+var_4], eax
		cmp	ds:_KiDesiredHeteroCpuPolicy, eax
		jnz	short loc_8A14FD
		mov	eax, ds:_KiDynamicHeteroCpuPolicyImportantPriority
		cmp	ds:_KiDynamicHeteroCpuPolicyMask, edx
		jnz	short loc_8A14FA
		cmp	eax, [edi+2Ch]
		jnz	short loc_8A14FA
		mov	eax, ds:_KiDynamicHeteroCpuPolicyExpectedRuntime
		cmp	eax, [edi+30h]
		jnz	short loc_8A14FA

loc_8A14C5:				; CODE XREF: KeConfigureHeteroPolicy+EAj
		mov	eax, offset _KiDynamicHeteroCpuPolicy

loc_8A14CA:				; CODE XREF: KeConfigureHeteroPolicy+97j
		push	2
		pop	edi

loc_8A14CD:				; CODE XREF: KeConfigureHeteroPolicy+92j
		mov	edx, [ecx]
		cmp	[eax], edx
		jz	short loc_8A14D7
		mov	bl, 1
		mov	[eax], edx

loc_8A14D7:				; CODE XREF: KeConfigureHeteroPolicy+83j
		add	ecx, 4
		add	eax, 4
		sub	edi, 1
		jnz	short loc_8A14CD
		sub	esi, 1
		jnz	short loc_8A14CA
		mov	edi, [ebp+var_8]
		mov	al, bl
		mov	ecx, [edi+38h]
		pop	edi
		pop	esi
		mov	ds:_KiQosHysteresisTimerPeriod,	ecx
		pop	ebx
		leave
		retn
; 

loc_8A14FA:				; CODE XREF: KeConfigureHeteroPolicy+66j
					; KeConfigureHeteroPolicy+6Bj ...
		mov	eax, [ebp+var_4]

loc_8A14FD:				; CODE XREF: KeConfigureHeteroPolicy+59j
		mov	ecx, ds:_KiProcessorBlock
		mov	bl, 1
		mov	ds:_KiDesiredHeteroCpuPolicy, eax
		mov	dl, bl
		mov	eax, [edi+2Ch]
		mov	ds:_KiDynamicHeteroCpuPolicyImportantPriority, eax
		mov	eax, [edi+34h]
		mov	ds:_KiDynamicHeteroCpuPolicyMask, eax
		mov	esi, [edi+30h]
		mov	ds:_KiDynamicHeteroCpuPolicyExpectedRuntime, esi
		call	_KeQueryCycleCounterFrequency@8	; KeQueryCycleCounterFrequency(x,x)
		imul	eax, esi
		lea	ecx, [edi+4]
		push	5
		pop	esi
		mov	ds:_KiDynamicHeteroCpuPolicyExpectedCycles, eax
		jmp	short loc_8A14C5
KeConfigureHeteroPolicy	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDetectSimulatedHeteroProcessors proc	near
					; CODE XREF: PopInitializeHeteroProcessors(x)+B0p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0092FEE2 SIZE 00000144 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		xor	eax, eax
		mov	[ebp+var_54], ecx
		pop	ecx
		lea	edi, [ebp+var_30]
		xor	ebx, ebx
		rep stosd
		lea	edi, [ebp+var_18]
		mov	[ebp+var_3C], ebx
		stosd
		push	offset ??_C@_1KE@DHGFLKAG@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@
		mov	[ebp+var_38], ebx
		mov	[ebp+var_5C], ebx
		stosd
		mov	[ebp+var_58], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_50], ebx
		stosd
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_64], ebx
		stosd
		lea	eax, [ebp+var_5C]
		push	eax
		mov	[ebp+var_60], ebx
		mov	[ebp+var_48], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_7C], 18h
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	8
		lea	eax, [ebp+var_38]
		mov	[ebp+var_78], ebx
		push	eax
		mov	[ebp+var_70], 240h
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_31], bl
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	loc_92FEE2

loc_8A15CB:				; CODE XREF: PopDetectSimulatedHeteroProcessors+8EAA5j
					; PopDetectSimulatedHeteroProcessors+8EAE7j
		mov	ecx, [ebp+var_4]
		mov	al, [ebp+var_31]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDetectSimulatedHeteroProcessors endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmHeteroComputeRelativePerformance proc near
					; CODE XREF: PopInitializeHeteroProcessors(x):loc_8A0C5Ep

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00930026 SIZE 000002D3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, dword_6B5BAC
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_1], bl
		test	eax, eax
		jz	short loc_8A1602
		cmp	ds:_PpmPerfDomainCount,	1
		jnz	loc_930026

loc_8A1602:				; CODE XREF: PpmHeteroComputeRelativePerformance+15j
					; PpmHeteroComputeRelativePerformance+8EA4Ej ...
		mov	al, [ebp+var_1]
		pop	ebx
		leave
		retn
PpmHeteroComputeRelativePerformance endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspAssignPrimaryToken proc near		; CODE XREF: PAGE:007A78EFp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009302F9 SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ds:_SeTokenObjectType
		push	edi
		mov	[ebp+var_10], ecx
		mov	edi, edx
		xor	ecx, ecx
		push	ecx
		mov	byte ptr [ebp+var_1], cl
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	edi
		push	eax
		push	1
		push	[ebp+arg_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_8A1755
		push	ebx
		mov	ebx, [ebp+var_C]
		lea	edx, [ebp+var_1]
		push	esi
		mov	ecx, ebx
		call	_SeIsTokenAssignableToProcess@8	; SeIsTokenAssignableToProcess(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A174A
		cmp	byte ptr [ebp+var_1], 0
		mov	esi, 200h
		jz	loc_9302F9

loc_8A1667:				; CODE XREF: PspAssignPrimaryToken+8ED0Aj
		push	0
		lea	eax, [ebp+var_8]
		push	eax
		push	65537350h
		push	edi
		push	ds:_PsProcessType
		push	esi
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A174A
		mov	edi, [ebp+var_8]
		mov	esi, 8000h
		and	[ebp+arg_0], 0
		test	[edi+0F8h], esi
		jnz	loc_93032C
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		call	_PspLockProcessShared@8	; PspLockProcessShared(x,x)
		test	[edi+0F8h], esi
		jnz	loc_930322
		lea	eax, [ebp+arg_0]
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	SeExchangePrimaryToken
		mov	esi, eax
		mov	[ebp+var_14], esi
		test	esi, esi
		js	short loc_8A1717

loc_8A16D0:				; CODE XREF: PspAssignPrimaryToken+F1j
					; PspAssignPrimaryToken+F5j
		mov	eax, _PsNextSecurityDomain
		mov	esi, offset _PsNextSecurityDomain
		mov	edi, dword_6B5BC4
		mov	ebx, eax
		add	ebx, 1
		mov	[ebp+arg_4], eax
		mov	ecx, edi
		mov	edx, edi
		adc	ecx, 0
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+arg_4]
		cmp	eax, ecx
		jnz	short loc_8A16D0
		cmp	edx, edi
		jnz	short loc_8A16D0
		add	ecx, 1
		adc	edi, 0
		push	edi
		mov	edi, [ebp+var_8]
		push	ecx
		mov	ecx, edi
		call	PspWriteProcessSecurityDomain
		mov	ebx, [ebp+var_C]
		mov	esi, [ebp+var_14]

loc_8A1717:				; CODE XREF: PspAssignPrimaryToken+C6j
					; PspAssignPrimaryToken+8ED1Fj
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		call	_PspUnlockProcessSecurityShared@8 ; PspUnlockProcessSecurityShared(x,x)

loc_8A1721:				; CODE XREF: PspAssignPrimaryToken+8ED29j
		test	esi, esi
		js	short loc_8A173E
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		call	_PspSynchronizeWithProcessInsertion@8 ;	PspSynchronizeWithProcessInsertion(x,x)
		mov	ecx, [ebp+arg_0]
		call	ObfDereferenceObject
		mov	ecx, edi
		call	_ObDereferenceDeviceMap@4 ; ObDereferenceDeviceMap(x)

loc_8A173E:				; CODE XREF: PspAssignPrimaryToken+11Bj
		mov	edx, 65537350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_8A174A:				; CODE XREF: PspAssignPrimaryToken+4Aj
					; PspAssignPrimaryToken+7Ej ...
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, esi
		pop	esi
		pop	ebx

loc_8A1755:				; CODE XREF: PspAssignPrimaryToken+31j
		pop	edi
		leave
		retn	8
PspAssignPrimaryToken endp


;  S U B	R O U T	I N E 


SeAssignPrimaryToken proc near		; CODE XREF: PspInitializeProcessSecurity+1C1p

; FUNCTION CHUNK AT 00930336 SIZE 00000020 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		xor	edx, edx
		mov	ecx, 86h
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jz	short loc_8A177C
		mov	edx, esi
		mov	ecx, edi
		call	SepAuditAssignPrimaryToken

loc_8A177C:				; CODE XREF: SeAssignPrimaryToken+17j
		cmp	dword ptr [edi+12Ch], 0
		jnz	loc_930336

loc_8A1789:				; CODE XREF: SeAssignPrimaryToken+8EBF7j
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, esi
		mov	byte ptr [esi+0B4h], 1
		lea	ecx, [edi+12Ch]
		call	@ObInitializeFastReference@8 ; ObInitializeFastReference(x,x)
		pop	edi
		pop	esi
		pop	ecx
		retn
SeAssignPrimaryToken endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeExchangePrimaryToken proc near	; CODE XREF: PspAssignPrimaryToken+BAp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00930356 SIZE 000000F6 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, edx
		mov	byte ptr [ebp+var_1], 0
		push	edi
		xor	edi, edi
		mov	ebx, ecx
		and	[ebp+var_C], edi
		cmp	dword ptr [esi+0A8h], 1
		jnz	loc_930356
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		cmp	eax, 0FFFFFFFFh
		jnz	loc_930360

loc_8A17DB:				; CODE XREF: SeExchangePrimaryToken+8EBBEj
					; SeExchangePrimaryToken+8EBCDj
		mov	ecx, ebx
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		mov	[ebp+var_8], eax
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock or	[eax], ecx
		cmp	[esi+0B4h], cl
		jnz	loc_93037A
		lea	eax, [ebp+var_1]
		mov	byte ptr [esi+0B4h], 1
		push	eax
		mov	edx, ebx
		mov	ecx, esi
		call	_SepSetTrustLevelForProcessToken@12 ; SepSetTrustLevelForProcessToken(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		js	loc_9303A7
		test	dword ptr [esi+0B0h], 4000h
		jnz	loc_9303D3

loc_8A183B:				; CODE XREF: SeExchangePrimaryToken+8EC31j
					; SeExchangePrimaryToken+8EC72j
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		push	edi
		mov	edi, [ebp+var_8]
		mov	edx, edi
		push	1
		call	_SepSetTokenSessionById@20 ; SepSetTokenSessionById(x,x,x,x,x)
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_10]
		mov	[esi+78h], edi
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jnz	loc_930442

loc_8A1875:				; CODE XREF: SeExchangePrimaryToken+8EC9Fj
		xor	edx, edx
		mov	ecx, 86h
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jz	short loc_8A188E
		mov	edx, esi
		mov	ecx, ebx
		call	SepAuditAssignPrimaryToken

loc_8A188E:				; CODE XREF: SeExchangePrimaryToken+DBj
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		lea	ecx, [ebx+12Ch]
		mov	edx, esi
		call	@ObFastReplaceObject@8 ; ObFastReplaceObject(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8A18EE
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		xor	edx, edx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], edx
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	[esi+0B4h], dl
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], edx
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	eax, eax

loc_8A18E7:				; CODE XREF: SeExchangePrimaryToken+14Bj
					; SeExchangePrimaryToken+8EBB3j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8A18EE:				; CODE XREF: SeExchangePrimaryToken+FEj
		mov	eax, 0C000007Ch
		jmp	short loc_8A18E7
SeExchangePrimaryToken endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepAuditAssignPrimaryToken proc	near	; CODE XREF: SeAssignPrimaryToken+1Dp
					; SeExchangePrimaryToken+E1p

var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2A8		= dword	ptr -2A8h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1EC		= dword	ptr -1ECh
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0093044C SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2CCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2CCh+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+2D8h+var_2BC], edx
		lea	edi, [esp+2D8h+var_2B0]
		mov	ebx, ecx
		stosd
		push	298h		; size_t
		stosd
		stosd
		stosd
		lea	eax, [esp+2DCh+var_2A0]
		xor	edi, edi
		push	edi		; int
		push	eax		; void *
		mov	[esp+2E4h+var_2C4], edi
		mov	[esp+2E4h+var_2C8], edi
		call	_memset
		add	esp, 0Ch
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		mov	esi, eax
		cmp	[esi+1C0h], edi
		jz	loc_8A1B29
		mov	eax, [esi+0E4h]
		mov	ecx, large fs:124h
		mov	[esp+2D8h+var_2B4], eax
		lea	eax, [esp+2D8h+var_2B0]
		push	eax
		push	dword ptr [ecx+80h]
		mov	ecx, large fs:124h
		push	ecx
		call	SeCaptureSubjectContextEx
		mov	edi, [esp+2D8h+var_2B0]
		test	edi, edi
		jnz	short loc_8A1992
		mov	edi, [esp+2D8h+var_2A8]
		test	edi, edi
		jz	loc_93044C

loc_8A1992:				; CODE XREF: SepAuditAssignPrimaryToken+8Ej
		mov	eax, [edi+94h]
		lea	edx, [esp+2D8h+var_2C4]
		mov	ecx, esi
		mov	eax, [eax]
		mov	[esp+2D8h+var_2C0], eax
		call	PsGetAllocatedFullProcessImageNameEx
		mov	esi, eax
		test	esi, esi
		js	loc_8A1AF7
		mov	eax, [ebx+0E4h]
		lea	edx, [esp+2D8h+var_2C8]
		mov	ecx, ebx
		mov	[esp+2D8h+var_2B8], eax
		call	PsGetAllocatedFullProcessImageNameEx
		mov	esi, eax
		test	esi, esi
		js	loc_8A1AF7
		mov	ecx, [esp+2D8h+var_2C0]
		mov	eax, 86h
		push	5
		pop	edx
		mov	[esp+2D8h+var_290], ax
		push	8
		pop	eax
		mov	[esp+2D8h+var_28E], ax
		movzx	eax, byte ptr [ecx+1]
		push	4
		pop	ebx
		push	8
		lea	eax, ds:8[eax*4]
		mov	[esp+2DCh+var_278], ecx
		pop	ecx
		mov	[esp+2D8h+var_284], eax
		mov	eax, [edi+18h]
		mov	[esp+2D8h+var_258], eax
		mov	eax, [edi+1Ch]
		mov	[esp+2D8h+var_25C], ecx
		mov	[esp+2D8h+var_248], ecx
		mov	ecx, [esp+2D8h+var_2BC]
		mov	[esp+2D8h+var_254], eax
		push	0Bh
		pop	edi
		mov	eax, [ecx+18h]
		mov	[esp+2D8h+var_244], eax
		mov	eax, [ecx+1Ch]
		mov	ecx, [esp+2D8h+var_2C8]
		mov	[esp+2D8h+var_240], eax
		mov	eax, [esp+2D8h+var_2B8]
		mov	[esp+2D8h+var_230], eax
		movzx	eax, word ptr [ecx]
		push	2
		add	eax, 8
		mov	[esp+2DCh+var_214], ecx
		mov	ecx, [esp+2DCh+var_2C4]
		mov	[esp+2DCh+var_2A0], edx
		mov	[esp+2DCh+var_260], edx
		pop	edx
		mov	[esp+2D8h+var_220], eax
		mov	eax, [esp+2D8h+var_2B4]
		mov	[esp+2D8h+var_208], eax
		movzx	eax, word ptr [ecx]
		push	8
		mov	[esp+2DCh+var_224], edx
		mov	[esp+2DCh+var_1FC], edx
		pop	edx
		add	eax, edx
		mov	[esp+2D8h+var_1EC], ecx
		lea	ecx, [esp+2D8h+var_2A0]
		mov	[esp+2D8h+var_29C], 1258h
		mov	[esp+2D8h+var_288], ebx
		mov	[esp+2D8h+var_274], 1
		mov	[esp+2D8h+var_270], 18h
		mov	[esp+2D8h+var_264], offset _SeSubsystemName
		mov	[esp+2D8h+var_24C], 23h
		mov	[esp+2D8h+var_238], edi
		mov	[esp+2D8h+var_234], ebx
		mov	[esp+2D8h+var_210], edi
		mov	[esp+2D8h+var_20C], ebx
		mov	[esp+2D8h+var_1F8], eax
		mov	[esp+2D8h+var_298], edx
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)

loc_8A1AF7:				; CODE XREF: SepAuditAssignPrimaryToken+B7j
					; SepAuditAssignPrimaryToken+D6j ...
		cmp	[esp+2D8h+var_2C8], 0
		jz	short loc_8A1B09
		push	0
		push	[esp+2DCh+var_2C8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A1B09:				; CODE XREF: SepAuditAssignPrimaryToken+206j
		cmp	[esp+2D8h+var_2C4], 0
		jz	short loc_8A1B1B
		push	0
		push	[esp+2DCh+var_2C4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A1B1B:				; CODE XREF: SepAuditAssignPrimaryToken+218j
		test	esi, esi
		js	short loc_8A1B3E

loc_8A1B1F:				; CODE XREF: SepAuditAssignPrimaryToken+24Ej
		lea	eax, [esp+2D8h+var_2B0]
		push	eax
		call	SeReleaseSubjectContext

loc_8A1B29:				; CODE XREF: SepAuditAssignPrimaryToken+59j
		mov	ecx, [esp+2D8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8A1B3E:				; CODE XREF: SepAuditAssignPrimaryToken+227j
		push	esi
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	short loc_8A1B1F
SepAuditAssignPrimaryToken endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BcdUtilGetBootOptionString proc	near	; CODE XREF: SeAuditBootConfiguration+153p
					; SeAuditBootConfiguration+3FDp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00930456 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, edx
		and	eax, 0F000000h
		cmp	eax, 2000000h
		jnz	short loc_8A1B71
		call	BcdUtilGetBootOption
		mov	edx, eax
		test	edx, edx
		jnz	loc_930456
		mov	eax, 0C0000225h

loc_8A1B6D:				; CODE XREF: BcdUtilGetBootOptionString+30j
					; BcdUtilGetBootOptionString+8E928j
		pop	ebp
		retn	4
; 

loc_8A1B71:				; CODE XREF: BcdUtilGetBootOptionString+11j
		mov	eax, 0C000000Dh
		jmp	short loc_8A1B6D
BcdUtilGetBootOptionString endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BcdUtilGetBootOptionInteger proc near	; CODE XREF: SeAuditBootConfiguration+1F2p
					; SeAuditBootConfiguration+2D4p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00930473 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, edx
		and	eax, 0F000000h
		cmp	eax, 5000000h
		jnz	short loc_8A1BA5
		push	esi
		call	BcdUtilGetBootOption
		mov	esi, eax
		test	esi, esi
		jnz	loc_930473
		mov	eax, 0C0000225h

loc_8A1BA0:				; CODE XREF: BcdUtilGetBootOptionInteger+8E90Fj
		pop	esi

loc_8A1BA1:				; CODE XREF: BcdUtilGetBootOptionInteger+32j
		pop	ebp
		retn	4
; 

loc_8A1BA5:				; CODE XREF: BcdUtilGetBootOptionInteger+11j
		mov	eax, 0C000000Dh
		jmp	short loc_8A1BA1
BcdUtilGetBootOptionInteger endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeAuditBootConfiguration proc near	; CODE XREF: INIT:00AC2D02p

var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A1		= dword	ptr -2A1h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0093048C SIZE 0000008F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2D4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_2CC], 80000000h
		push	298h		; size_t
		lea	eax, [ebp+var_2A1+1]
		mov	[ebp+var_2D0], ebx
		push	ebx		; int
		push	eax		; void *
		mov	edi, ecx
		mov	[ebp+var_2C8], ebx
		mov	[ebp+var_2C4], ebx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_2B8], ebx
		mov	eax, 91h
		mov	[ebp+var_2B4], ebx
		mov	[ebp+var_290], ax
		lea	eax, [ebp+var_2D0]
		mov	[ebp+var_2C0], ebx
		push	8
		pop	esi
		push	eax
		mov	eax, large fs:124h
		mov	[ebp+var_2BC], ebx
		mov	byte ptr [ebp+var_2A1],	bl
		mov	[ebp+var_2B0], ebx
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		mov	[ebp+var_2AC], ebx
		mov	[ebp+var_2A1+1], 6
		mov	[ebp+var_29C], 12DAh
		mov	[ebp+var_28E], si
		call	SeCaptureSubjectContextEx
		mov	ecx, [ebp+var_2D0]
		mov	eax, ecx
		test	ecx, ecx
		jnz	short loc_8A1C7E
		mov	eax, [ebp+var_2C8]

loc_8A1C7E:				; CODE XREF: SeAuditBootConfiguration+CAj
		mov	eax, [eax+94h]
		mov	edx, [eax]
		test	ecx, ecx
		jnz	short loc_8A1C90
		mov	ecx, [ebp+var_2C8]

loc_8A1C90:				; CODE XREF: SeAuditBootConfiguration+DCj
		movzx	eax, byte ptr [edx+1]
		mov	[ebp+var_278], edx
		mov	edx, 12000030h
		mov	[ebp+var_288], 4
		mov	[ebp+var_274], 1
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_270], 18h
		mov	[ebp+var_284], eax
		mov	eax, [ecx+18h]
		mov	[ebp+var_258], eax
		mov	eax, [ecx+1Ch]
		mov	ecx, edi
		mov	[ebp+var_254], eax
		lea	eax, [ebp+var_2B8]
		push	eax
		mov	[ebp+var_264], offset _SeSubsystemName
		mov	[ebp+var_260], 5
		mov	[ebp+var_25C], esi
		call	BcdUtilGetBootOptionString
		mov	ecx, 0FFFEh
		test	eax, eax
		jns	loc_93048C

loc_8A1D11:				; CODE XREF: SeAuditBootConfiguration+8E8EAj
		push	offset ??_C@_13IMODFHAA@?$AA?9@NNGAKEGL@
		lea	eax, [ebp+var_2B8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	si, word ptr [ebp+var_2B8]

loc_8A1D29:				; CODE XREF: SeAuditBootConfiguration+8E8F7j
					; SeAuditBootConfiguration+8E907j
		movzx	eax, si
		mov	edx, 16000040h
		add	eax, 8
		mov	[ebp+var_24C], 1
		mov	[ebp+var_248], eax
		mov	ecx, edi
		lea	eax, [ebp+var_2B8]
		mov	[ebp+var_23C], eax
		lea	eax, [ebp+var_2A1]
		push	eax
		call	_BcdUtilGetBootOptionBoolean@12	; BcdUtilGetBootOptionBoolean(x,x,x)
		test	eax, eax
		mov	[ebp+var_238], 15h
		push	0
		sets	al
		mov	[ebp+var_234], 4
		dec	al
		mov	edx, 15000047h
		and	byte ptr [ebp+var_2A1],	al
		mov	ecx, edi
		pop	eax
		setz	al
		add	eax, 732h
		mov	[ebp+var_230], eax
		lea	eax, [ebp+var_2B0]
		push	eax
		call	BcdUtilGetBootOptionInteger
		test	eax, eax
		jns	loc_9304B8
		mov	eax, ebx
		mov	ecx, ebx
		mov	[ebp+var_2B0], eax
		mov	[ebp+var_2AC], ecx

loc_8A1DBB:				; CODE XREF: SeAuditBootConfiguration+8E918j
		cmp	eax, 1
		jnz	short loc_8A1DC9
		mov	eax, 737h
		cmp	ecx, ebx
		jz	short loc_8A1DCE

loc_8A1DC9:				; CODE XREF: SeAuditBootConfiguration+212j
		mov	eax, 736h

loc_8A1DCE:				; CODE XREF: SeAuditBootConfiguration+21Bj
		mov	[ebp+var_21C], eax
		mov	edx, 26000141h
		lea	eax, [ebp+var_2A1]
		mov	[ebp+var_224], 15h
		push	eax
		mov	ecx, edi
		mov	[ebp+var_220], 4
		call	_BcdUtilGetBootOptionBoolean@12	; BcdUtilGetBootOptionBoolean(x,x,x)
		test	eax, eax
		mov	[ebp+var_210], 15h
		push	0
		sets	al
		mov	[ebp+var_20C], 4
		dec	al
		mov	edx, 260000A0h
		and	byte ptr [ebp+var_2A1],	al
		mov	ecx, edi
		pop	eax
		setz	al
		add	eax, 732h
		mov	[ebp+var_208], eax
		lea	eax, [ebp+var_2A1]
		push	eax
		call	_BcdUtilGetBootOptionBoolean@12	; BcdUtilGetBootOptionBoolean(x,x,x)
		test	eax, eax
		mov	[ebp+var_1FC], 15h
		push	0
		sets	al
		mov	[ebp+var_1F8], 4
		dec	al
		mov	edx, 25000142h
		and	byte ptr [ebp+var_2A1],	al
		mov	ecx, edi
		pop	eax
		setz	al
		add	eax, 732h
		mov	[ebp+var_1F4], eax
		lea	eax, [ebp+var_2B0]
		push	eax
		call	BcdUtilGetBootOptionInteger
		test	eax, eax
		jns	loc_9304C9
		mov	eax, ebx
		mov	ecx, ebx
		mov	[ebp+var_2B0], eax
		mov	[ebp+var_2AC], ecx

loc_8A1E9D:				; CODE XREF: SeAuditBootConfiguration+8E929j
		mov	ebx, 739h
		cmp	eax, 1
		jnz	short loc_8A1EAD
		mov	eax, ebx
		test	ecx, ecx
		jz	short loc_8A1EB2

loc_8A1EAD:				; CODE XREF: SeAuditBootConfiguration+2F9j
		mov	eax, 738h

loc_8A1EB2:				; CODE XREF: SeAuditBootConfiguration+2FFj
		mov	[ebp+var_1E0], eax
		mov	edx, 16000049h
		lea	eax, [ebp+var_2A1]
		mov	[ebp+var_1E8], 15h
		push	eax
		mov	ecx, edi
		mov	[ebp+var_1E4], 4
		call	_BcdUtilGetBootOptionBoolean@12	; BcdUtilGetBootOptionBoolean(x,x,x)
		test	eax, eax
		mov	[ebp+var_1D4], 15h
		push	0
		sets	al
		mov	[ebp+var_1D0], 4
		dec	al
		mov	edx, 1600007Eh
		and	byte ptr [ebp+var_2A1],	al
		mov	ecx, edi
		pop	eax
		setz	al
		add	eax, 732h
		mov	[ebp+var_1CC], eax
		lea	eax, [ebp+var_2A1]
		push	eax
		call	_BcdUtilGetBootOptionBoolean@12	; BcdUtilGetBootOptionBoolean(x,x,x)
		test	eax, eax
		mov	[ebp+var_1C0], 15h
		push	0
		sets	al
		mov	[ebp+var_1BC], 4
		dec	al
		mov	edx, 16000048h
		and	byte ptr [ebp+var_2A1],	al
		mov	ecx, edi
		pop	eax
		setz	al
		add	eax, 732h
		mov	[ebp+var_1B8], eax
		lea	eax, [ebp+var_2A1]
		push	eax
		call	_BcdUtilGetBootOptionBoolean@12	; BcdUtilGetBootOptionBoolean(x,x,x)
		test	eax, eax
		mov	[ebp+var_1AC], 15h
		push	0
		sets	al
		mov	[ebp+var_1A8], 4
		dec	al
		mov	edx, 22000117h
		and	byte ptr [ebp+var_2A1],	al
		mov	ecx, edi
		pop	eax
		setz	al
		add	eax, 732h
		mov	[ebp+var_1A4], eax
		lea	eax, [ebp+var_2C0]
		push	eax
		call	BcdUtilGetBootOptionString
		test	eax, eax
		jns	loc_9304DA

loc_8A1FB6:				; CODE XREF: SeAuditBootConfiguration+8E937j
		push	offset ??_C@_13IMODFHAA@?$AA?9@NNGAKEGL@
		lea	eax, [ebp+var_2C0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_2C0]

loc_8A1FCD:				; CODE XREF: SeAuditBootConfiguration+8E944j
					; SeAuditBootConfiguration+8E959j
		movzx	eax, ax
		xor	esi, esi
		add	eax, 8
		inc	esi
		mov	[ebp+var_194], eax
		mov	edx, 250000F0h
		lea	eax, [ebp+var_2C0]
		mov	[ebp+var_198], esi
		mov	[ebp+var_188], eax
		mov	ecx, edi
		lea	eax, [ebp+var_2B0]
		push	eax
		call	BcdUtilGetBootOptionInteger
		test	eax, eax
		jns	loc_93050A
		xor	edx, edx
		xor	ecx, ecx

loc_8A200D:				; CODE XREF: SeAuditBootConfiguration+8E96Aj
		cmp	edx, esi
		jnz	short loc_8A2015
		test	ecx, ecx
		jz	short loc_8A201A

loc_8A2015:				; CODE XREF: SeAuditBootConfiguration+463j
		mov	ebx, 738h

loc_8A201A:				; CODE XREF: SeAuditBootConfiguration+467j
		test	eax, eax
		mov	[ebp+var_184], 15h
		push	4
		sets	al
		mov	[ebp+var_17C], ebx
		dec	al
		mov	edx, 260000F2h
		and	byte ptr [ebp+var_2A1],	al
		mov	ecx, edi
		pop	esi
		lea	eax, [ebp+var_2A1]
		mov	[ebp+var_180], esi
		push	eax
		call	_BcdUtilGetBootOptionBoolean@12	; BcdUtilGetBootOptionBoolean(x,x,x)
		test	eax, eax
		mov	[ebp+var_170], 15h
		push	0
		sets	al
		mov	[ebp+var_16C], esi
		dec	al
		mov	[ebp+var_298], 0Fh
		and	byte ptr [ebp+var_2A1],	al
		lea	ecx, [ebp+var_2A1+1]
		pop	eax
		setz	al
		add	eax, 732h
		mov	[ebp+var_168], eax
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		lea	eax, [ebp+var_2D0]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
SeAuditBootConfiguration endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcdUtilGetBootOptionBoolean(x, x, x)
_BcdUtilGetBootOptionBoolean@12	proc near ; CODE XREF: SeAuditBootConfiguration+1ADp
					; SeAuditBootConfiguration+24Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, edx
		and	eax, 0F000000h
		cmp	eax, 6000000h
		jnz	short loc_8A20E8
		call	BcdUtilGetBootOption
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_8A20D9
		mov	eax, 0C0000225h

loc_8A20D5:				; CODE XREF: BcdUtilGetBootOptionBoolean(x,x,x)+34j
					; BcdUtilGetBootOptionBoolean(x,x,x)+3Bj
		pop	ebp
		retn	4
; 

loc_8A20D9:				; CODE XREF: BcdUtilGetBootOptionBoolean(x,x,x)+1Cj
		mov	eax, [ecx+4]
		mov	cl, [ecx+eax]
		mov	eax, [ebp+arg_0]
		mov	[eax], cl
		xor	eax, eax
		jmp	short loc_8A20D5
; 

loc_8A20E8:				; CODE XREF: BcdUtilGetBootOptionBoolean(x,x,x)+11j
		mov	eax, 0C000000Dh
		jmp	short loc_8A20D5
_BcdUtilGetBootOptionBoolean@12	endp

; 
		align 10h

;  S U B	R O U T	I N E 


BcdUtilGetBootOption proc near		; CODE XREF: BcdUtilGetBootOptionString+13p
					; BcdUtilGetBootOptionInteger+14p ...

; FUNCTION CHUNK AT 0093051B SIZE 00000018 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		test	edi, edi
		jz	short loc_8A2118
		xor	eax, eax

loc_8A20FF:				; CODE XREF: BcdUtilGetBootOption+26j
		lea	esi, [eax+edi]
		cmp	[esi], ebx
		jz	short loc_8A211E

loc_8A2106:				; CODE XREF: BcdUtilGetBootOption+32j
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jnz	loc_93051B

loc_8A2111:				; CODE XREF: BcdUtilGetBootOption+8E43Ej
		mov	eax, [esi+10h]
		test	eax, eax
		jnz	short loc_8A20FF

loc_8A2118:				; CODE XREF: BcdUtilGetBootOption+Bj
		xor	eax, eax

loc_8A211A:				; CODE XREF: BcdUtilGetBootOption+36j
					; BcdUtilGetBootOption+8E438j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8A211E:				; CODE XREF: BcdUtilGetBootOption+14j
		cmp	byte ptr [esi+14h], 0
		jnz	short loc_8A2106
		mov	eax, esi
		jmp	short loc_8A211A
BcdUtilGetBootOption endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeAuditProcessCreation proc near	; CODE XREF: PspInsertProcess+1EEp

var_336		= byte ptr -336h
var_335		= byte ptr -335h
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_320		= dword	ptr -320h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F0		= dword	ptr -2F0h
var_2E8		= dword	ptr -2E8h
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2D8		= word ptr -2D8h
var_2D6		= word ptr -2D6h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_294		= dword	ptr -294h
var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_1F8		= dword	ptr -1F8h
var_50		= dword	ptr -50h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00930533 SIZE 0000011E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 33Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+33Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+348h+var_300], edx
		lea	edi, [esp+348h+var_2F8]
		xor	edx, edx
		stosd
		mov	esi, ecx
		mov	[esp+348h+var_320], esi
		mov	[esp+348h+var_308], edx
		mov	[esp+348h+var_304], edx
		stosd
		mov	[esp+348h+var_334], edx
		mov	[esp+348h+var_328], edx
		mov	[esp+348h+var_330], edx
		stosd
		mov	[esp+348h+var_32C], edx
		mov	[esp+348h+var_335], dl
		mov	[esp+348h+var_336], dl
		stosd
		lea	eax, [esp+348h+var_50]
		mov	edi, edx
		mov	[esp+348h+var_30C], eax
		mov	[esp+348h+var_324], edx
		cmp	[esi+1C0h], edx
		jz	loc_8A24C7
		mov	eax, [esi+0E4h]
		mov	[esp+348h+var_2FC], eax
		mov	eax, [esi+170h]
		mov	[esp+348h+var_314], eax
		lea	eax, [esp+348h+var_330]
		push	eax
		push	esi
		call	_SeLocateProcessImageName@8 ; SeLocateProcessImageName(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8A24DC
		lea	eax, [esp+348h+var_328]
		push	eax
		push	[esp+34Ch+var_314]
		call	PsLookupProcessByProcessId
		test	eax, eax
		js	loc_930541
		mov	eax, [esp+348h+var_328]
		cmp	[eax+1C0h], edi
		jz	loc_930533
		lea	ecx, [esp+348h+var_32C]
		push	ecx
		push	eax
		call	_SeLocateProcessImageName@8 ; SeLocateProcessImageName(x,x)
		mov	eax, [esp+348h+var_328]

loc_8A21F8:				; CODE XREF: SeAuditProcessCreation+8E414j
		mov	edx, 746C6644h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_8A2204:				; CODE XREF: SeAuditProcessCreation+8E422j
		push	esi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_93054F
		mov	eax, [esi+0C0h]
		mov	eax, [eax+18h]
		test	al, 4
		jnz	loc_930559
		movzx	eax, al
		and	eax, 2
		or	eax, 0F20h
		shr	eax, 1
		mov	[esp+348h+var_318], eax

loc_8A2236:				; CODE XREF: SeAuditProcessCreation+8E439j
		mov	eax, [esi+18h]
		mov	ecx, [esi+0B8h]
		mov	[esp+348h+var_310], eax
		mov	eax, [esi+1Ch]
		mov	[esp+348h+var_31C], eax
		cmp	ecx, [esi+7Ch]
		jnb	loc_930566
		mov	eax, [esi+94h]
		push	dword ptr [eax+ecx*8] ;	void *
		lea	eax, [esp+34Ch+var_50]
		push	eax		; void *
		push	44h		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		mov	ebx, eax

loc_8A226D:				; CODE XREF: SeAuditProcessCreation+8E447j
		mov	ecx, esi
		call	ObfDereferenceObject
		test	ebx, ebx
		js	loc_8A24DC
		cmp	_SepRmAuditProcessCommandLine, 0
		jnz	loc_930574

loc_8A2289:				; CODE XREF: SeAuditProcessCreation+8E46Dj
					; SeAuditProcessCreation+8E487j ...
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		lea	eax, [esp+34Ch+var_308]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edi, [esp+348h+var_308]

loc_8A229C:				; CODE XREF: SeAuditProcessCreation+8E4B7j
					; SeAuditProcessCreation+8E4BEj
		lea	eax, [esp+348h+var_2F8]
		push	eax
		call	SeCaptureSubjectContext
		push	298h		; size_t
		lea	eax, [esp+34Ch+var_2E8]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [esp+354h+var_2F0]
		add	esp, 0Ch
		mov	esi, [esp+348h+var_31C]
		mov	eax, 86h
		mov	[esp+348h+var_2D8], ax
		mov	[esp+348h+var_2E8], 5
		mov	edx, [ecx+18h]
		push	8
		pop	eax
		mov	[esp+348h+var_2D6], ax
		mov	eax, [ecx+94h]
		mov	ecx, [ecx+1Ch]
		mov	[esp+348h+var_2E4], 1250h
		mov	eax, [eax]
		mov	[esp+348h+var_320], eax
		cmp	edx, [esp+348h+var_310]
		jnz	loc_9305EB
		cmp	ecx, esi
		jnz	loc_9305EB

loc_8A2308:				; CODE XREF: SeAuditProcessCreation+8E4C8j
		movzx	eax, byte ptr [eax+1]
		mov	[esp+348h+var_29C], ecx
		mov	ecx, [esp+348h+var_330]
		push	4
		lea	eax, ds:8[eax*4]
		mov	[esp+34Ch+var_2A0], edx
		mov	[esp+34Ch+var_2CC], eax
		mov	eax, [esp+34Ch+var_320]
		mov	[esp+34Ch+var_2C0], eax
		mov	eax, [esp+34Ch+var_2FC]
		mov	[esp+34Ch+var_28C], eax
		movzx	eax, word ptr [ecx]
		add	eax, 8
		mov	[esp+34Ch+var_270], ecx
		pop	edx
		mov	[esp+348h+var_27C], eax
		mov	eax, [esp+348h+var_318]
		mov	[esp+348h+var_264], eax
		mov	eax, [esp+348h+var_314]
		mov	[esp+348h+var_250], eax
		movzx	eax, word ptr [edi]
		push	8
		pop	ecx
		add	eax, ecx
		mov	[esp+348h+var_2D0], 4
		cmp	[esp+348h+var_336], 0
		mov	[esp+348h+var_2BC], 1
		mov	[esp+348h+var_2B8], 18h
		mov	[esp+348h+var_2AC], offset _SeSubsystemName
		mov	[esp+348h+var_2A8], 5
		mov	[esp+348h+var_2A4], 8
		mov	[esp+348h+var_294], 0Bh
		mov	[esp+348h+var_290], edx
		mov	[esp+348h+var_280], 2
		mov	[esp+348h+var_26C], 15h
		mov	[esp+348h+var_268], edx
		mov	[esp+348h+var_258], 0Bh
		mov	[esp+348h+var_254], edx
		mov	[esp+348h+var_244], 22h
		mov	[esp+348h+var_240], eax
		mov	[esp+348h+var_234], edi
		jnz	loc_9305F5
		mov	[esp+348h+var_230], 6

loc_8A2426:				; CODE XREF: SeAuditProcessCreation+8E4F1j
		mov	eax, [esp+348h+var_324]
		test	eax, eax
		jnz	loc_93061E
		mov	ecx, [esp+348h+var_32C]
		mov	[esp+348h+var_21C], 2
		mov	[esp+348h+var_20C], ecx
		movzx	eax, word ptr [ecx]
		add	eax, 8
		mov	[esp+348h+var_218], eax

loc_8A2455:				; CODE XREF: SeAuditProcessCreation+8E50Fj
		mov	ecx, [esp+348h+var_30C]
		mov	[esp+348h+var_1F8], ecx
		mov	[esp+348h+var_208], edx
		mov	[esp+348h+var_2E0], 0Bh
		movzx	eax, byte ptr [ecx+1]
		lea	ecx, [esp+348h+var_2E8]
		lea	eax, ds:8[eax*4]
		mov	[esp+348h+var_204], eax
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		lea	eax, [esp+348h+var_2F8]
		push	eax
		call	SeReleaseSubjectContext
		test	ebx, ebx
		js	short loc_8A24DC

loc_8A2498:				; CODE XREF: SeAuditProcessCreation+3BAj
		cmp	[esp+348h+var_330], 0
		jz	short loc_8A24AA
		push	0
		push	[esp+34Ch+var_330]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A24AA:				; CODE XREF: SeAuditProcessCreation+375j
		cmp	[esp+348h+var_32C], 0
		jz	short loc_8A24BC
		push	0
		push	[esp+34Ch+var_32C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A24BC:				; CODE XREF: SeAuditProcessCreation+387j
		cmp	[esp+348h+var_335], 0
		jnz	loc_93063C

loc_8A24C7:				; CODE XREF: SeAuditProcessCreation+6Cj
					; SeAuditProcessCreation+8E516j ...
		mov	ecx, [esp+348h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8A24DC:				; CODE XREF: SeAuditProcessCreation+95j
					; SeAuditProcessCreation+14Ej ...
		push	ebx
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	short loc_8A2498
SeAuditProcessCreation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiNormalizeDeviceText proc near		; CODE XREF: PnpQueryDeviceText(x,x,x,x)+70p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= byte ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00930651 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_3C], edx
		push	6
		mov	esi, ecx
		mov	[ebp+var_14], eax
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		pop	ecx
		lea	edi, [ebp+var_64]
		mov	[ebp+var_20], esi
		rep stosd
		push	eax
		mov	edi, eax
		mov	[ebp+var_18], ebx
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_4C], ebx
		push	eax
		mov	[ebp+var_48], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		mov	[edx], ebx
		mov	[ebp+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A2803
		push	1
		lea	eax, [ebp+var_44]
		push	eax
		push	offset _CmRegistryMachineName
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_8A2836
		movzx	eax, word ptr [ebp+var_44]
		push	20207050h
		add	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	esi, esi
		jz	loc_930651
		movzx	eax, word ptr [ebp+var_44]
		push	eax		; size_t
		push	[ebp+var_20]	; void *
		push	esi		; void *
		call	_memcpy
		movzx	eax, word ptr [ebp+var_44]
		add	esp, 0Ch
		shr	eax, 1
		xor	ecx, ecx
		push	2Ch		; wchar_t
		push	esi		; wchar_t *
		mov	[esi+eax*2], cx
		call	_wcschr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jz	loc_8A283C
		xor	eax, eax
		mov	[esi], ax
		add	esi, 2
		push	2Ch		; wchar_t
		push	esi		; wchar_t *
		mov	[ebp+var_1C], esi
		call	_wcschr
		mov	ebx, eax
		pop	ecx
		pop	ecx
		test	ebx, ebx
		jz	short loc_8A25D3
		xor	eax, eax
		mov	[ebx], ax
		add	ebx, 2

loc_8A25D3:				; CODE XREF: PiNormalizeDeviceText+E5j
		push	0Ah
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	__wcstoi64
		mov	[ebp+var_20], eax
		xor	esi, esi
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		mov	dword ptr [ebp+var_34],	edx
		cmp	[eax], si
		jnz	loc_8A27E5
		push	[ebp+var_28]
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	eax
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_60], esi
		push	eax
		mov	[ebp+var_58], 240h
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A27E5
		lea	eax, [ebp+var_C]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+var_8]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_8A27E5
		push	20207050h
		push	[ebp+var_C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_93065B
		lea	ecx, [ebp+var_C]
		push	ecx
		push	[ebp+var_C]
		push	eax
		xor	eax, eax
		push	eax
		push	[ebp+var_8]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A27E5
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_8]
		mov	ax, [ecx+0Ch]
		mov	word ptr [ebp+var_44], ax
		mov	ax, [ecx+0Ch]
		mov	word ptr [ebp+var_44+2], ax
		lea	eax, [ecx+10h]
		mov	[ebp+var_40], eax
		lea	ecx, [ebp+var_44]
		lea	eax, [ebp+var_4C]
		push	eax
		call	IopBuildFullDriverPath
		mov	esi, eax
		test	esi, esi
		js	loc_8A27E5
		push	1Ah
		pop	eax
		push	18h
		mov	word ptr [ebp+var_44+2], ax
		pop	eax
		mov	word ptr [ebp+var_44], ax
		lea	eax, [ebp+var_4C]
		push	1
		push	eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_40], offset ??_C@_1BK@DHFJHPDK@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2@NNGAKEGL@ ; "\\"
		push	eax
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_8A27E5
		mov	eax, [ebp+var_48]
		mov	edx, [ebp+var_20]
		add	eax, 18h
		mov	ecx, [ebp+var_8]
		mov	dword ptr [ebp+var_34],	eax
		mov	eax, [ebp+var_4C]
		add	eax, 0FFFFFFE8h
		movzx	eax, ax
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_4]
		push	eax
		call	PiGetDefaultMessageString
		mov	esi, eax
		test	esi, esi
		js	loc_8A27E5
		mov	ecx, [ebp+var_1C]
		xor	esi, esi
		lea	edx, [ecx+2]

loc_8A2724:				; CODE XREF: PiNormalizeDeviceText+249j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_8A2724
		mov	esi, [ebp+var_4]
		sub	ecx, edx
		mov	edx, esi
		sar	ecx, 1
		lea	edi, [edx+2]

loc_8A273B:				; CODE XREF: PiNormalizeDeviceText+261j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_18]
		jnz	short loc_8A273B
		mov	eax, [ebp+var_2C]
		sub	edx, edi
		sar	edx, 1
		movzx	eax, ax
		add	edx, ecx
		add	eax, 0Ah
		lea	edx, [eax+edx*2]
		mov	[ebp+var_20], edx
		test	ebx, ebx
		jz	short loc_8A277E
		mov	ecx, ebx
		lea	edi, [ecx+2]

loc_8A2765:				; CODE XREF: PiNormalizeDeviceText+28Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_18]
		jnz	short loc_8A2765
		sub	ecx, edi
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 6
		mov	[ebp+var_20], edx

loc_8A277E:				; CODE XREF: PiNormalizeDeviceText+27Aj
		push	20207050h
		push	edx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_93065B
		push	esi
		push	[ebp+var_1C]
		xor	eax, eax
		push	dword ptr [ebp+var_34] ; char
		push	offset ??_C@_1BG@OFLIBHPP@?$AA?$EA?$AA?$CF?$AAs?$AA?0?$AA?$CD?$AA?$CF?$AAs?$AA?$DL?$AA?$CF?$AAs@NNGAKEGL@ ; "@%s,#%s;%s"
		push	eax		; int
		lea	eax, [ebp+var_24]
		push	eax		; int
		lea	eax, [ebp+var_10]
		push	eax		; int
		push	[ebp+var_20]	; size_t
		push	edi		; int
		call	RtlStringCbPrintfExW
		mov	esi, eax
		add	esp, 24h
		test	esi, esi
		js	short loc_8A27E5
		test	ebx, ebx
		jz	short loc_8A27DC
		push	ebx		; char
		push	offset ??_C@_1M@FMABBLFH@?$AA?$DL?$AA?$CI?$AA?$CF?$AAs?$AA?$CJ@NNGAKEGL@ ; ";(%s)"
		push	[ebp+var_24]	; int
		push	[ebp+var_10]	; wchar_t *
		call	_RtlStringCbPrintfW
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	short loc_8A27E5

loc_8A27DC:				; CODE XREF: PiNormalizeDeviceText+2DCj
		mov	eax, [ebp+var_3C]
		xor	ebx, ebx
		mov	esi, ebx
		mov	[eax], edi

loc_8A27E5:				; CODE XREF: PiNormalizeDeviceText+10Cj
					; PiNormalizeDeviceText+150j ...
		mov	ebx, [ebp+var_4]

loc_8A27E8:				; CODE XREF: PiNormalizeDeviceText+35Aj
		xor	eax, eax
		push	eax
		push	[ebp+var_28]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_8A2803
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A2803:				; CODE XREF: PiNormalizeDeviceText+5Cj
					; PiNormalizeDeviceText+314j ...
		lea	eax, [ebp+var_4C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	ebx, ebx
		jz	short loc_8A2819
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A2819:				; CODE XREF: PiNormalizeDeviceText+32Aj
		cmp	[ebp+var_8], 0
		jz	short loc_8A2827
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_8A2827:				; CODE XREF: PiNormalizeDeviceText+339j
		test	esi, esi
		js	loc_930665

loc_8A282F:				; CODE XREF: PiNormalizeDeviceText+8E183j
					; PiNormalizeDeviceText+8E192j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8A2836:				; CODE XREF: PiNormalizeDeviceText+74j
		xor	eax, eax
		mov	esi, eax
		jmp	short loc_8A2803
; 

loc_8A283C:				; CODE XREF: PiNormalizeDeviceText+C6j
		xor	esi, esi
		jmp	short loc_8A27E8
PiNormalizeDeviceText endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiGetDefaultMessageString proc near	; CODE XREF: PiNormalizeDeviceText+229p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0093067B SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_1C]
		push	edi
		push	eax
		mov	ebx, edx
		mov	[ebp+var_24], edi
		mov	esi, ecx
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edx, [ebp+var_1C]
		mov	ecx, esi
		call	IopGetDriverNameFromKeyNode
		mov	esi, eax
		test	esi, esi
		js	loc_8A294D
		lea	ecx, [ebp+var_1C]
		call	_IopReferenceDriverObjectByName@4 ; IopReferenceDriverObjectByName(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_93067B
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		xor	ebx, ebx
		push	ebx
		push	0Bh
		push	dword ptr [edi+0Ch]
		call	_RtlFindMessage@20 ; RtlFindMessage(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A294D
		mov	eax, [ebp+var_8]
		movzx	ecx, word ptr [eax+2]
		add	eax, 4
		push	eax		; void *
		test	cl, 1
		jz	loc_930685
		lea	eax, [ebp+var_14]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	loc_8A2973

loc_8A28E1:				; CODE XREF: PiGetDefaultMessageString+8DE8Cj
		mov	ax, word ptr [ebp+var_14]
		cmp	ax, 4
		jb	short loc_8A2910
		mov	edx, [ebp+var_10]
		movzx	ecx, ax
		cmp	word ptr [ecx+edx-4], 0Dh
		jnz	short loc_8A2910
		xor	eax, eax
		mov	[ecx+edx-4], ax
		mov	ecx, 0FFFCh
		mov	ax, word ptr [ebp+var_14]
		add	ax, cx
		mov	word ptr [ebp+var_14], ax

loc_8A2910:				; CODE XREF: PiGetDefaultMessageString+A9j
					; PiGetDefaultMessageString+B7j
		movzx	eax, ax
		push	20207050h
		add	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8A2973
		movzx	eax, word ptr [ebp+var_14]
		push	eax		; size_t
		push	[ebp+var_10]	; void *
		push	esi		; void *
		call	_memcpy
		movzx	eax, word ptr [ebp+var_14]
		add	esp, 0Ch
		shr	eax, 1
		xor	ecx, ecx
		mov	[esi+eax*2], cx
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		mov	esi, ebx

loc_8A294D:				; CODE XREF: PiGetDefaultMessageString+48j
					; PiGetDefaultMessageString+76j ...
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	edi, edi
		jz	short loc_8A296A
		mov	ecx, edi
		call	ObfDereferenceObject

loc_8A296A:				; CODE XREF: PiGetDefaultMessageString+121j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8A2973:				; CODE XREF: PiGetDefaultMessageString+9Bj
					; PiGetDefaultMessageString+E7j
		mov	esi, 0C000009Ah
		jmp	short loc_8A294D
PiGetDefaultMessageString endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeRegisterElamCertResources(x, x, x, x)
_SeRegisterElamCertResources@16	proc near ; CODE XREF: ExpQueryElamCertInfo(x)+191p
					; PipInitializeEarlyLaunchDrivers+4Dp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		mov	[ebp+var_14], offset ??_C@_1CC@EFNOOOGP@?$AAM?$AAS?$AAE?$AAL?$AAA?$AAM?$AAC?$AAE?$AAR?$AAT?$AAI?$AAN?$AAF?$AAO?$AAI@NNGAKEGL@
		push	eax
		push	eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_10], (offset loc_8BF0FF+1)
		push	eax
		xor	eax, eax
		cmp	[ebp+arg_0], al
		setnz	al
		dec	eax
		and	eax, 0FFFFFE00h
		add	eax, 1210h
		push	eax
		push	3
		lea	eax, [ebp+var_14]
		push	eax
		push	ecx
		call	_LdrResSearchResource@32 ; LdrResSearchResource(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short locret_8A29D4
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		call	SepParseElamCertResources

locret_8A29D4:				; CODE XREF: SeRegisterElamCertResources(x,x,x,x)+4Dj
		leave
		retn	8
_SeRegisterElamCertResources@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepParseElamCertResources proc near	; CODE XREF: SeRegisterElamCertResources(x,x,x,x)+55p

var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1C8		= dword	ptr -1C8h
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009306D1 SIZE 00000025 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 224h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_220], eax
		mov	edi, eax
		mov	[ebp+var_1F8], eax
		mov	[ebp+var_1FC], eax
		lea	eax, [edx-2]
		cmp	eax, 0FFFDh
		ja	loc_9306D9
		movzx	eax, word ptr [ecx]
		lea	ebx, [ecx+edx]
		lea	esi, [ecx+2]
		mov	[ebp+var_20C], ebx
		xor	ecx, ecx
		mov	[ebp+var_224], eax
		mov	[ebp+var_208], ecx
		test	eax, eax
		jz	loc_8A2D82
		mov	[ebp+var_214], 40h
		mov	[ebp+var_210], 20h

loc_8A2A4D:				; CODE XREF: SepParseElamCertResources+3A5j
		lea	eax, [esi+2]
		cmp	eax, ebx
		ja	loc_9306D9
		mov	edx, ebx
		lea	eax, [ebp+var_1F8]
		sub	edx, esi
		mov	ecx, esi
		push	eax
		shr	edx, 1
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		test	eax, eax
		js	loc_8A2D84
		mov	eax, [ebp+var_1F8]
		inc	eax
		lea	eax, [esi+eax*2]
		lea	edi, [eax+2]
		mov	[ebp+var_204], eax
		cmp	edi, ebx
		jnb	loc_9306D9
		xor	edx, edx
		mov	cl, 1
		mov	ebx, edx
		mov	[ebp+var_200], ebx
		cmp	[esi], dx
		jz	loc_8A2B25

loc_8A2AA4:				; CODE XREF: SepParseElamCertResources+13Dj
		push	40h
		pop	eax
		cmp	ebx, eax
		jnb	loc_9306D9
		test	cl, cl
		jnz	loc_8A2CD2
		shl	byte ptr [ebp+ebx+var_48], 4
		mov	dl, byte ptr [ebp+ebx+var_48]

loc_8A2AC0:				; CODE XREF: SepParseElamCertResources+2FEj
		movzx	eax, word ptr [esi]
		mov	[ebp+var_1E4], eax
		movzx	eax, ax
		cmp	ax, word ptr [ebp+var_210]
		jz	loc_9306D1
		cmp	eax, 2Fh
		jbe	loc_9306D9
		cmp	eax, 39h
		ja	loc_8A2CDB
		mov	al, [esi]
		sub	al, 30h

loc_8A2AEF:				; CODE XREF: SepParseElamCertResources+319j
					; SepParseElamCertResources+339j
		add	al, dl
		mov	byte ptr [ebp+ebx+var_48], al

loc_8A2AF5:				; CODE XREF: SepParseElamCertResources+8DCFBj
		test	cl, cl
		jnz	short loc_8A2B00
		inc	ebx
		mov	[ebp+var_200], ebx

loc_8A2B00:				; CODE XREF: SepParseElamCertResources+11Fj
		push	20h
		pop	eax
		cmp	[esi], ax
		jz	short loc_8A2B0D
		test	cl, cl
		setz	cl

loc_8A2B0D:				; CODE XREF: SepParseElamCertResources+12Ej
		add	esi, 2
		xor	edx, edx
		cmp	[esi], dx
		jnz	short loc_8A2AA4
		test	cl, cl
		jz	loc_9306D9
		mov	eax, [ebp+var_204]

loc_8A2B25:				; CODE XREF: SepParseElamCertResources+C6j
		movzx	ecx, word ptr [eax]
		mov	edx, 8004h
		mov	eax, ecx
		cmp	ax, dx
		jz	short loc_8A2B4E
		add	edx, 7
		cmp	ax, dx
		jbe	loc_9306D9
		mov	eax, 800Eh
		cmp	cx, ax
		ja	loc_9306D9

loc_8A2B4E:				; CODE XREF: SepParseElamCertResources+15Aj
		mov	edx, [ebp+var_20C]
		lea	eax, [ebp+var_1FC]
		sub	edx, edi
		mov	ecx, edi
		push	eax
		shr	edx, 1
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		test	eax, eax
		js	loc_8A2D84
		mov	edx, [ebp+var_1FC]
		mov	[ebp+var_1F0], edx
		lea	eax, [edi+edx*2]
		lea	esi, [eax+2]
		mov	[ebp+var_1E4], eax
		xor	eax, eax
		mov	[ebp+var_21C], esi
		mov	[ebp+var_1E8], eax
		test	edx, edx
		jz	loc_8A2D23
		push	3Bh		; wchar_t
		push	edi		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_9306E3

loc_8A2BB0:				; CODE XREF: SepParseElamCertResources+8DD19j
		xor	eax, eax
		mov	[ebp+var_1E4], eax
		lea	eax, [ebp+var_1C8]
		mov	[ebp+var_1EC], eax

loc_8A2BC4:				; CODE XREF: SepParseElamCertResources+2F2j
		xor	eax, eax
		mov	[ebp+var_1F4], eax
		mov	eax, ecx
		sub	eax, edi
		inc	eax
		shr	eax, 1
		cmp	ecx, edi
		sbb	edx, edx
		not	edx
		and	edx, eax
		mov	[ebp+var_218], edx
		mov	edx, [ebp+var_1E8]
		jz	short loc_8A2C1E
		mov	esi, [ebp+var_1EC]
		mov	edx, [ebp+var_218]
		mov	ebx, [ebp+var_1F4]

loc_8A2BFB:				; CODE XREF: SepParseElamCertResources+232j
		mov	ax, [edi]
		inc	ebx
		mov	[esi], ax
		lea	esi, [esi+2]
		lea	edi, [edi+2]
		cmp	ebx, edx
		jnz	short loc_8A2BFB
		mov	esi, [ebp+var_21C]
		mov	edx, [ebp+var_1E8]
		mov	[ebp+var_1F4], ebx

loc_8A2C1E:				; CODE XREF: SepParseElamCertResources+20Fj
		mov	edi, [ebp+var_1F4]
		xor	ebx, ebx
		mov	eax, [ebp+var_1E4]
		add	eax, edi
		mov	word ptr [ebp+eax*2+var_1C8], bx
		lea	eax, [edi+edi]
		mov	ebx, [ebp+var_200]
		mov	word ptr [ebp+edx*8+var_1E0], ax
		add	eax, 2
		mov	word ptr [ebp+edx*8+var_1E0+2],	ax
		mov	eax, [ebp+var_1EC]
		mov	[ebp+edx*8+var_1DC], eax
		movzx	eax, word ptr [ecx]
		mov	edi, eax
		test	ax, ax
		jz	short loc_8A2C6F
		add	ecx, 2
		movzx	edi, word ptr [ecx]

loc_8A2C6F:				; CODE XREF: SepParseElamCertResources+28Fj
		test	di, di
		jz	loc_8A2D16
		push	3Bh		; wchar_t
		push	ecx		; wchar_t *
		mov	edi, ecx
		call	_wcschr
		pop	ecx
		pop	ecx
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_8A2CA5
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_8A2C8F:				; CODE XREF: SepParseElamCertResources+2C4j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_220]
		jnz	short loc_8A2C8F
		sub	ecx, edx
		sar	ecx, 1
		lea	ecx, [edi+ecx*2]

loc_8A2CA5:				; CODE XREF: SepParseElamCertResources+2B0j
		mov	eax, [ebp+var_1E4]
		inc	[ebp+var_1E8]
		add	eax, 40h
		sub	[ebp+var_1EC], 0FFFFFF80h
		mov	[ebp+var_1E4], eax
		cmp	eax, 0C0h
		jnb	short loc_8A2D1D
		test	ecx, ecx
		jnz	loc_8A2BC4
		jmp	short loc_8A2D1D
; 

loc_8A2CD2:				; CODE XREF: SepParseElamCertResources+D9j
		mov	byte ptr [ebp+ebx+var_48], dl
		jmp	loc_8A2AC0
; 

loc_8A2CDB:				; CODE XREF: SepParseElamCertResources+10Dj
		cmp	ax, word ptr [ebp+var_214]
		jbe	loc_9306D9
		cmp	eax, 46h
		ja	short loc_8A2CF6
		mov	al, [esi]
		sub	al, 37h
		jmp	loc_8A2AEF
; 

loc_8A2CF6:				; CODE XREF: SepParseElamCertResources+313j
		cmp	eax, 60h
		jbe	loc_9306D9
		cmp	word ptr [ebp+var_1E4],	66h
		ja	loc_9306D9
		mov	al, [esi]
		sub	al, 57h
		jmp	loc_8A2AEF
; 

loc_8A2D16:				; CODE XREF: SepParseElamCertResources+29Aj
		inc	edx
		mov	[ebp+var_1E8], edx

loc_8A2D1D:				; CODE XREF: SepParseElamCertResources+2EEj
					; SepParseElamCertResources+2F8j ...
		mov	edx, [ebp+var_1F0]

loc_8A2D23:				; CODE XREF: SepParseElamCertResources+1BEj
		mov	edi, dword_6BEA48
		lea	eax, [ebp+var_1E0]
		mov	ecx, edx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, [ebp+var_1E8]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		test	edi, edi
		jz	short loc_8A2D93
		mov	eax, [ebp+var_204]
		push	0
		push	ecx
		push	edx
		movzx	eax, word ptr [eax]
		push	eax
		push	ebx
		lea	eax, [ebp+var_48]
		push	eax
		push	7
		call	edi
		mov	edi, eax
		test	edi, edi
		js	short loc_8A2D82
		mov	ecx, [ebp+var_208]
		inc	ecx
		mov	[ebp+var_208], ecx
		cmp	ecx, [ebp+var_224]
		jnb	short loc_8A2D82
		mov	ebx, [ebp+var_20C]
		jmp	loc_8A2A4D
; 

loc_8A2D82:				; CODE XREF: SepParseElamCertResources+5Bj
					; SepParseElamCertResources+388j ...
		mov	eax, edi

loc_8A2D84:				; CODE XREF: SepParseElamCertResources+96j
					; SepParseElamCertResources+190j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8A2D93:				; CODE XREF: SepParseElamCertResources+36Bj
		mov	edi, 0C00000BBh
		jmp	short loc_8A2D82
SepParseElamCertResources endp

; 
		align 10h
; Exported entry 2446. SeCompareSigningLevels

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeCompareSigningLevels(x, x)
		public _SeCompareSigningLevels@8
_SeCompareSigningLevels@8 proc near	; CODE XREF: MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+D2p
					; PAGE:007A3017p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6BEA40
		test	eax, eax
		jz	short loc_8A2DB1
		pop	ebp
		jmp	eax
; 

loc_8A2DB1:				; CODE XREF: SeCompareSigningLevels(x,x)+Cj
		xor	eax, eax
		pop	ebp
		retn	8
_SeCompareSigningLevels@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmEtwEnableCallback proc near		; DATA XREF: SmInitSystem(x)+13o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009306F6 SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_8A2DD0
		cmp	ecx, 1
		jnz	short loc_8A2E19

loc_8A2DD0:				; CODE XREF: SmEtwEnableCallback+11j
		mov	eax, [ebp+arg_C]
		or	eax, 40h
		mov	ds:dword_718654, eax
		cmp	ecx, 1
		jnz	short loc_8A2E19

loc_8A2DE0:				; CODE XREF: SmEtwEnableCallback+66j
		xor	esi, esi
		mov	ebx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals

loc_8A2DE7:				; CODE XREF: SmEtwEnableCallback+4Aj
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_SmKmStoreReferenceEx@12 ; SmKmStoreReferenceEx(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_9306F6

loc_8A2DFB:				; CODE XREF: SmEtwEnableCallback+8D973j
		inc	esi
		cmp	esi, 400h
		jb	short loc_8A2DE7
		push	3
		pop	ecx
		call	_SmEtwEnabled@4	; SmEtwEnabled(x)
		test	eax, eax
		jnz	short loc_8A2E20

loc_8A2E10:				; CODE XREF: SmEtwEnableCallback+64j
					; SmEtwEnableCallback+6Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_8A2E19:				; CODE XREF: SmEtwEnableCallback+16j
					; SmEtwEnableCallback+26j
		cmp	ecx, 2
		jnz	short loc_8A2E10
		jmp	short loc_8A2DE0
; 

loc_8A2E20:				; CODE XREF: SmEtwEnableCallback+56j
		mov	ecx, ebx
		call	?SmStoresContentsRundown@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmStoresContentsRundown(SMKM_STORE_MGR<SM_TRAITS> *)
		jmp	short loc_8A2E10
SmEtwEnableCallback endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EmCpuMatchCallback(x, x, x,	x, x, x, x)
_EmCpuMatchCallback@28 proc near	; DATA XREF: .text:00401B78o

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	loc_8A2EFD
		mov	ebx, [ebp+arg_10]
		test	ebx, ebx
		jz	loc_8A2EFD
		cmp	[ebp+arg_14], 4
		jnz	loc_8A2EFD
		cmp	[ebp+arg_C], 4
		jnz	loc_8A2EFD
		mov	edx, large fs:20h
		mov	eax, [edi]
		push	esi
		xor	esi, esi
		mov	[ebp+arg_14], edx
		cmp	byte ptr [eax],	2Ah
		jz	short loc_8A2EB0
		lea	ecx, [edx+3D3Ch]

loc_8A2E75:				; CODE XREF: EmCpuMatchCallback(x,x,x,x,x,x,x)+75j
		mov	bl, [ecx]
		cmp	bl, [eax]
		mov	byte ptr [ebp+arg_8+3],	bl
		mov	ebx, [ebp+arg_10]
		jnz	short loc_8A2EF6
		cmp	byte ptr [ebp+arg_8+3],	0
		jz	short loc_8A2EA1
		mov	dl, [ecx+1]
		cmp	dl, [eax+1]
		mov	byte ptr [ebp+arg_8+3],	dl
		mov	edx, [ebp+arg_14]
		jnz	short loc_8A2EF6
		add	ecx, 2
		add	eax, 2
		cmp	byte ptr [ebp+arg_8+3],	0
		jnz	short loc_8A2E75

loc_8A2EA1:				; CODE XREF: EmCpuMatchCallback(x,x,x,x,x,x,x)+5Bj
		mov	eax, esi

loc_8A2EA3:				; CODE XREF: EmCpuMatchCallback(x,x,x,x,x,x,x)+D1j
		test	eax, eax
		jz	short loc_8A2EB0

loc_8A2EA7:				; CODE XREF: EmCpuMatchCallback(x,x,x,x,x,x,x)+97j
					; EmCpuMatchCallback(x,x,x,x,x,x,x)+ADj ...
		mov	eax, esi
		pop	esi

loc_8A2EAA:				; CODE XREF: EmCpuMatchCallback(x,x,x,x,x,x,x)+D6j
		pop	edi
		pop	ebx
		pop	ebp
		retn	1Ch
; 

loc_8A2EB0:				; CODE XREF: EmCpuMatchCallback(x,x,x,x,x,x,x)+43j
					; EmCpuMatchCallback(x,x,x,x,x,x,x)+7Bj
		push	dword ptr [ebx+4]
		movsx	edx, byte ptr [edx+14h]
		mov	ecx, [edi+4]
		call	EmpCheckOperator
		test	eax, eax
		jz	short loc_8A2EA7
		mov	eax, [ebp+arg_14]
		push	dword ptr [ebx+8]
		mov	ecx, [edi+8]
		movzx	edx, byte ptr [eax+17h]
		call	EmpCheckOperator
		test	eax, eax
		jz	short loc_8A2EA7
		mov	eax, [ebp+arg_14]
		push	dword ptr [ebx+0Ch]
		mov	ecx, [edi+0Ch]
		movzx	edx, byte ptr [eax+16h]
		call	EmpCheckOperator
		mov	esi, eax
		neg	esi
		sbb	esi, esi
		and	esi, 2
		jmp	short loc_8A2EA7
; 

loc_8A2EF6:				; CODE XREF: EmCpuMatchCallback(x,x,x,x,x,x,x)+55j
					; EmCpuMatchCallback(x,x,x,x,x,x,x)+69j
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_8A2EA3
; 

loc_8A2EFD:				; CODE XREF: EmCpuMatchCallback(x,x,x,x,x,x,x)+Cj
					; EmCpuMatchCallback(x,x,x,x,x,x,x)+17j ...
		xor	eax, eax
		inc	eax
		jmp	short loc_8A2EAA
_EmCpuMatchCallback@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpCheckOperator proc near		; CODE XREF: EmCpuMatchCallback(x,x,x,x,x,x,x)+90p
					; EmCpuMatchCallback(x,x,x,x,x,x,x)+A6p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00930730 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	ecx, ecx
		push	edi
		mov	edi, edx
		mov	esi, ecx

loc_8A2F12:				; CODE XREF: EmpCheckOperator+26j
		movzx	eax, byte ptr [ebx+esi]
		mov	edx, offset ??_C@_01NEMOKFLO@?$DN@NNGAKEGL@
		cmp	al, [edx+esi]
		jnz	loc_8A30ED
		inc	esi
		cmp	esi, 2
		jnz	short loc_8A2F12
		mov	eax, ecx

loc_8A2F2C:				; CODE XREF: EmpCheckOperator+1F2j
		test	eax, eax
		jnz	short loc_8A2F41

loc_8A2F30:				; CODE XREF: EmpCheckOperator+60j
		xor	ecx, ecx
		cmp	edi, [ebp+arg_0]
		setz	cl

loc_8A2F38:				; CODE XREF: EmpCheckOperator+19Cj
					; EmpCheckOperator+1DEj ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		pop	ebp
		retn	4
; 

loc_8A2F41:				; CODE XREF: EmpCheckOperator+2Cj
		mov	edx, ecx

loc_8A2F43:				; CODE XREF: EmpCheckOperator+5Aj
		movzx	eax, byte ptr [ebx+edx]
		mov	esi, (offset ??_C@_02KAJCEFMN@?$DN?$CB@NNGAKEGL@+4)
		push	1
		cmp	al, [esi+edx]
		pop	esi
		jnz	loc_8A30F9
		inc	edx
		cmp	edx, 3
		jnz	short loc_8A2F43
		mov	eax, ecx

loc_8A2F60:				; CODE XREF: EmpCheckOperator+1FBj
		test	eax, eax
		jz	short loc_8A2F30
		mov	edx, ecx

loc_8A2F66:				; CODE XREF: EmpCheckOperator+7Dj
		movzx	eax, byte ptr [ebx+edx]
		mov	esi, (offset loc_8B818F+3)
		push	1
		cmp	al, [esi+edx]
		pop	esi
		jnz	loc_8A3102
		inc	edx
		cmp	edx, 3
		jnz	short loc_8A2F66
		mov	eax, ecx

loc_8A2F83:				; CODE XREF: EmpCheckOperator+204j
		test	eax, eax
		jz	loc_930749
		mov	edx, ecx

loc_8A2F8D:				; CODE XREF: EmpCheckOperator+A4j
		movzx	eax, byte ptr [ebx+edx]
		mov	esi, (offset ??_C@_01NEMOKFLO@?$DN@NNGAKEGL@+2)
		push	1
		cmp	al, [esi+edx]
		pop	esi
		jnz	loc_8A310B
		inc	edx
		cmp	edx, 3
		jnz	short loc_8A2F8D
		mov	eax, ecx

loc_8A2FAA:				; CODE XREF: EmpCheckOperator+20Dj
		test	eax, eax
		jz	loc_930749
		mov	edx, ecx

loc_8A2FB4:				; CODE XREF: EmpCheckOperator+CBj
		movzx	eax, byte ptr [ebx+edx]
		mov	esi, offset ??_C@_02KAJCEFMN@?$DN?$CB@NNGAKEGL@
		push	1
		cmp	al, [esi+edx]
		pop	esi
		jnz	loc_8A3114
		inc	edx
		cmp	edx, 3
		jnz	short loc_8A2FB4
		mov	eax, ecx

loc_8A2FD1:				; CODE XREF: EmpCheckOperator+216j
		test	eax, eax
		jz	loc_930749
		mov	edx, ecx

loc_8A2FDB:				; CODE XREF: EmpCheckOperator+F2j
		movzx	eax, byte ptr [ebx+edx]
		mov	esi, (offset loc_8B819B+1)
		push	1
		cmp	al, [esi+edx]
		pop	esi
		jnz	loc_8A311D
		inc	edx
		cmp	edx, 2
		jnz	short loc_8A2FDB
		mov	eax, ecx

loc_8A2FF8:				; CODE XREF: EmpCheckOperator+21Fj
		test	eax, eax
		jz	loc_930730
		mov	edx, ecx

loc_8A3002:				; CODE XREF: EmpCheckOperator+119j
		movzx	eax, byte ptr [ebx+edx]
		mov	esi, offset ??_C@_02EHCHHCKH@?$DM?$DN@NNGAKEGL@
		push	1
		cmp	al, [esi+edx]
		pop	esi
		jnz	loc_8A3126
		inc	edx
		cmp	edx, 3
		jnz	short loc_8A3002
		mov	eax, ecx

loc_8A301F:				; CODE XREF: EmpCheckOperator+228j
		test	eax, eax
		jz	loc_930741
		mov	edx, ecx

loc_8A3029:				; CODE XREF: EmpCheckOperator+140j
		movzx	eax, byte ptr [ebx+edx]
		mov	esi, offset ??_C@_02FPPOCJNB@?$DN?$DM@NNGAKEGL@
		push	1
		cmp	al, [esi+edx]
		pop	esi
		jnz	loc_8A312F
		inc	edx
		cmp	edx, 3
		jnz	short loc_8A3029
		mov	eax, ecx

loc_8A3046:				; CODE XREF: EmpCheckOperator+231j
		test	eax, eax
		jz	loc_930741
		mov	edx, ecx

loc_8A3050:				; CODE XREF: EmpCheckOperator+167j
		movzx	eax, byte ptr [ebx+edx]
		mov	esi, (offset ??_C@_02FPPOCJNB@?$DN?$DM@NNGAKEGL@+4)
		push	1
		cmp	al, [esi+edx]
		pop	esi
		jnz	loc_8A3138
		inc	edx
		cmp	edx, 2
		jnz	short loc_8A3050
		mov	eax, ecx

loc_8A306D:				; CODE XREF: EmpCheckOperator+23Aj
		test	eax, eax
		jz	loc_930735
		mov	edx, ecx

loc_8A3077:				; CODE XREF: EmpCheckOperator+18Ej
		movzx	eax, byte ptr [ebx+edx]
		mov	esi, offset ??_C@_02EEKDKGMJ@?$DO?$DN@NNGAKEGL@
		push	1
		cmp	al, [esi+edx]
		pop	esi
		jnz	loc_8A3141
		inc	edx
		cmp	edx, 3
		jnz	short loc_8A3077
		mov	eax, ecx

loc_8A3094:				; CODE XREF: EmpCheckOperator+243j
		test	eax, eax
		jnz	short loc_8A30A3

loc_8A3098:				; CODE XREF: EmpCheckOperator+1C2j
		cmp	edi, [ebp+arg_0]

loc_8A309B:				; CODE XREF: EmpCheckOperator+8D842j
		sbb	ecx, ecx
		inc	ecx
		jmp	loc_8A2F38
; 

loc_8A30A3:				; CODE XREF: EmpCheckOperator+194j
		mov	edx, ecx

loc_8A30A5:				; CODE XREF: EmpCheckOperator+1BCj
		movzx	eax, byte ptr [ebx+edx]
		mov	esi, (offset ??_C@_02EEKDKGMJ@?$DO?$DN@NNGAKEGL@+4)
		push	1
		cmp	al, [esi+edx]
		pop	esi
		jnz	loc_8A314A
		inc	edx
		cmp	edx, 3
		jnz	short loc_8A30A5
		mov	eax, ecx

loc_8A30C2:				; CODE XREF: EmpCheckOperator+24Cj
		test	eax, eax
		jz	short loc_8A3098
		mov	edi, offset ??_C@_01NBENCBCI@?$CK@NNGAKEGL@
		mov	edx, ecx

loc_8A30CD:				; CODE XREF: EmpCheckOperator+1D8j
		movzx	eax, byte ptr [ebx+edx]
		cmp	al, [edi+edx]
		jnz	short loc_8A3153
		inc	edx
		cmp	edx, 2
		jnz	short loc_8A30CD
		mov	eax, ecx

loc_8A30DE:				; CODE XREF: EmpCheckOperator+255j
		test	eax, eax
		jnz	loc_8A2F38
		mov	ecx, esi
		jmp	loc_8A2F38
; 

loc_8A30ED:				; CODE XREF: EmpCheckOperator+1Cj
		sbb	eax, eax
		xor	esi, esi
		inc	esi
		or	eax, esi
		jmp	loc_8A2F2C
; 

loc_8A30F9:				; CODE XREF: EmpCheckOperator+50j
		sbb	eax, eax
		or	eax, esi
		jmp	loc_8A2F60
; 

loc_8A3102:				; CODE XREF: EmpCheckOperator+73j
		sbb	eax, eax
		or	eax, esi
		jmp	loc_8A2F83
; 

loc_8A310B:				; CODE XREF: EmpCheckOperator+9Aj
		sbb	eax, eax
		or	eax, esi
		jmp	loc_8A2FAA
; 

loc_8A3114:				; CODE XREF: EmpCheckOperator+C1j
		sbb	eax, eax
		or	eax, esi
		jmp	loc_8A2FD1
; 

loc_8A311D:				; CODE XREF: EmpCheckOperator+E8j
		sbb	eax, eax
		or	eax, esi
		jmp	loc_8A2FF8
; 

loc_8A3126:				; CODE XREF: EmpCheckOperator+10Fj
		sbb	eax, eax
		or	eax, esi
		jmp	loc_8A301F
; 

loc_8A312F:				; CODE XREF: EmpCheckOperator+136j
		sbb	eax, eax
		or	eax, esi
		jmp	loc_8A3046
; 

loc_8A3138:				; CODE XREF: EmpCheckOperator+15Dj
		sbb	eax, eax
		or	eax, esi
		jmp	loc_8A306D
; 

loc_8A3141:				; CODE XREF: EmpCheckOperator+184j
		sbb	eax, eax
		or	eax, esi
		jmp	loc_8A3094
; 

loc_8A314A:				; CODE XREF: EmpCheckOperator+1B2j
		sbb	eax, eax
		or	eax, esi
		jmp	loc_8A30C2
; 

loc_8A3153:				; CODE XREF: EmpCheckOperator+1D2j
		sbb	eax, eax
		or	eax, esi
		jmp	short loc_8A30DE
EmpCheckOperator endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PiDmaGuardProcessPreAddDevice(x, x)
_PiDmaGuardProcessPreAddDevice@8 proc near ; CODE XREF:	PipCallDriverAddDevice+5DBp
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, [ecx]
		push	edi
		mov	edi, edx
		mov	eax, [esi+1D0h]
		test	eax, eax
		jz	short loc_8A3192
		test	byte ptr [eax+8], 10h
		jnz	short loc_8A3196
		test	dword ptr [esi+170h], 100000h
		jnz	short loc_8A319B
		call	_PipDmgGetDeviceDmarPolicy@4 ; PipDmgGetDeviceDmarPolicy(x)

loc_8A3184:				; CODE XREF: PiDmaGuardProcessPreAddDevice(x,x)+3Fj
					; PiDmaGuardProcessPreAddDevice(x,x)+44j
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	_PipDmgSaveDeviceDmarPolicy@12 ; PipDmgSaveDeviceDmarPolicy(x,x,x)

loc_8A318E:				; CODE XREF: PiDmaGuardProcessPreAddDevice(x,x)+3Aj
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_8A3192:				; CODE XREF: PiDmaGuardProcessPreAddDevice(x,x)+11j
		xor	eax, eax
		jmp	short loc_8A318E
; 

loc_8A3196:				; CODE XREF: PiDmaGuardProcessPreAddDevice(x,x)+17j
		xor	eax, eax
		inc	eax
		jmp	short loc_8A3184
; 

loc_8A319B:				; CODE XREF: PiDmaGuardProcessPreAddDevice(x,x)+23j
		push	2
		pop	eax
		jmp	short loc_8A3184
_PiDmaGuardProcessPreAddDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipDmgSaveDeviceDmarPolicy(x, x, x)
_PipDmgSaveDeviceDmarPolicy@12 proc near ; CODE	XREF: PiDmaGuardProcessPreAddDevice(x,x)+2Fp

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		mov	eax, edx
		mov	[ebp+var_80], ebx
		push	edi
		push	ebx
		mov	edx, [esi+18h]
		cmp	[ebp+arg_0], ebx
		jnz	short loc_8A31E3
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	ebx
		push	ebx
		push	offset _DEVPKEY_Device_DmaRemappingPolicy
		push	ebx
		push	ebx
		inc	ebx
		push	ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_8A3204
; 

loc_8A31E3:				; CODE XREF: PipDmgSaveDeviceDmarPolicy(x,x,x)+28j
		push	4
		lea	ecx, [ebp+arg_0]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	7
		push	offset _DEVPKEY_Device_DmaRemappingPolicy
		push	ebx
		xor	ebx, ebx
		push	eax
		inc	ebx
		push	ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_80], eax

loc_8A3204:				; CODE XREF: PipDmgSaveDeviceDmarPolicy(x,x,x)+41j
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_8A32D5
		cmp	dword_6B2B18, 5
		jbe	loc_8A32D5
		push	4000h
		push	0
		mov	ecx, offset dword_6B2B18
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_8A32D5
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_5C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_34]
		mov	[ebp+var_88], ecx
		mov	[ebp+var_4C], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_3C], eax
		movzx	eax, word ptr [esi+14h]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_84]
		push	8
		pop	edx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	7
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_90], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edx
		mov	edx, (offset loc_41C26D+6)
		mov	[ebp+var_10], ecx
		push	ecx
		mov	ecx, offset dword_6B2B18
		mov	[ebp+var_44], 2
		mov	[ebp+var_84], edi
		mov	[ebp+var_24], 4
		mov	[ebp+var_94], 1000000h
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)
		mov	edi, [ebp+arg_0]

loc_8A32D5:				; CODE XREF: PipDmgSaveDeviceDmarPolicy(x,x,x)+69j
					; PipDmgSaveDeviceDmarPolicy(x,x,x)+76j ...
		mov	esi, [esi+1D0h]
		cmp	edi, 2
		jnz	short loc_8A32EE
		push	0
		push	dword ptr [esi]
		call	off_6B1464	; xHalpIsInterruptTypeSecondary(x,x)
		test	al, al
		jnz	short loc_8A32F0

loc_8A32EE:				; CODE XREF: PipDmgSaveDeviceDmarPolicy(x,x,x)+13Ej
		xor	bl, bl

loc_8A32F0:				; CODE XREF: PipDmgSaveDeviceDmarPolicy(x,x,x)+14Cj
		mov	al, [esi+8]
		mov	ecx, [ebp+var_8]
		and	al, 0FEh
		or	al, bl
		xor	ecx, ebp
		pop	edi
		mov	[esi+8], al
		mov	eax, [ebp+var_80]
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PipDmgSaveDeviceDmarPolicy@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipDmgGetDeviceDmarPolicy(x)
_PipDmgGetDeviceDmarPolicy@4 proc near	; CODE XREF: PiDmaGuardProcessPreAddDevice(x,x)+25p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_18], ecx
		lea	edi, [ebp+var_14]
		stosd
		push	6
		pop	ebx
		stosd
		stosd
		stosd
		lea	edi, [ecx+8]

loc_8A3335:				; CODE XREF: PipDmgGetDeviceDmarPolicy(x)+33j
		mov	esi, [edi]

loc_8A3337:				; CODE XREF: PipDmgGetDeviceDmarPolicy(x)+66j
		test	esi, esi
		jnz	short loc_8A3366
		add	edi, 4
		sub	ebx, 1
		jnz	short loc_8A3335
		cmp	[ebp+var_10], ebx
		ja	short loc_8A338F
		cmp	[ebp+var_8], ebx
		ja	short loc_8A3376
		xor	eax, eax
		cmp	eax, [ebp+var_C]
		sbb	eax, eax
		and	eax, 2

loc_8A3357:				; CODE XREF: PipDmgGetDeviceDmarPolicy(x)+7Fj
					; PipDmgGetDeviceDmarPolicy(x)+84j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8A3366:				; CODE XREF: PipDmgGetDeviceDmarPolicy(x)+2Bj
		mov	ecx, [esi]
		call	PipDmgGetDriverDmarCompatLevel
		mov	esi, [esi+4]
		inc	[ebp+eax*4+var_14]
		jmp	short loc_8A3337
; 

loc_8A3376:				; CODE XREF: PipDmgGetDeviceDmarPolicy(x)+3Dj
		mov	eax, [ebp+var_18]
		mov	eax, [eax]
		mov	eax, [eax+1D0h]
		test	eax, eax
		jz	short loc_8A338B
		test	byte ptr [eax+8], 24h
		jnz	short loc_8A3394

loc_8A338B:				; CODE XREF: PipDmgGetDeviceDmarPolicy(x)+75j
		xor	eax, eax
		jmp	short loc_8A3357
; 

loc_8A338F:				; CODE XREF: PipDmgGetDeviceDmarPolicy(x)+38j
		xor	eax, eax
		inc	eax
		jmp	short loc_8A3357
; 

loc_8A3394:				; CODE XREF: PipDmgGetDeviceDmarPolicy(x)+7Bj
		push	2
		pop	eax
		jmp	short loc_8A3357
_PipDmgGetDeviceDmarPolicy@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipDmgGetDriverDmarCompatLevel proc near ; CODE	XREF: PipDmgGetDeviceDmarPolicy(x)+5Ap

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00930756 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		or	[ebp+var_4], 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_10], eax
		push	eax
		push	eax
		mov	[ebp+var_C], eax
		mov	esi, eax
		mov	ecx, [ebx+18h]
		mov	edx, 20019h
		mov	[ebp+var_8], eax
		add	ecx, 0Ch
		lea	eax, [ebp+var_8]
		push	eax
		call	PipOpenServiceEnumKeys
		mov	edi, [ebp+var_8]
		test	eax, eax
		js	short loc_8A343A
		push	16h
		pop	eax
		push	14h
		mov	word ptr [ebp+var_10+2], ax
		xor	ecx, ecx
		pop	eax
		mov	word ptr [ebp+var_10], ax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], offset ??_C@_1BG@PGIGMDPA@?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@ ; "Parameters"
		push	eax
		mov	[ebp+var_4], ecx
		mov	[ebp+var_28], 18h
		mov	[ebp+var_24], edi
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_8A343A
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], esi
		mov	edx, offset ??_C@_1CO@OOMNNACE@?$AAD?$AAm?$AAa?$AAR?$AAe?$AAm?$AAa?$AAp?$AAp?$AAi?$AAn?$AAg?$AAC?$AAo?$AAm@NNGAKEGL@ ; "DmaRemappingCompatible"
		push	eax
		call	_PnpGetRegistryDword@12	; PnpGetRegistryDword(x,x,x)
		test	eax, eax
		jns	short loc_8A345D

loc_8A343A:				; CODE XREF: PipDmgGetDriverDmarCompatLevel+39j
					; PipDmgGetDriverDmarCompatLevel+86j ...
		cmp	[ebp+var_4], 0
		jz	short loc_8A344C
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_4], 0

loc_8A344C:				; CODE XREF: PipDmgGetDriverDmarCompatLevel+A4j
		test	edi, edi
		jz	short loc_8A3456
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_8A3456:				; CODE XREF: PipDmgGetDriverDmarCompatLevel+B4j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8A345D:				; CODE XREF: PipDmgGetDriverDmarCompatLevel+9Ej
		mov	eax, [ebp+var_8]
		sub	eax, 0
		jz	short loc_8A3485
		sub	eax, 1
		jz	short loc_8A3480
		sub	eax, 1
		jnz	short loc_8A343A
		push	3
		pop	esi
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jz	short loc_8A343A
		jmp	loc_930756
; 

loc_8A3480:				; CODE XREF: PipDmgGetDriverDmarCompatLevel+CEj
					; PipDmgGetDriverDmarCompatLevel+8D3D9j
		push	2
		pop	esi
		jmp	short loc_8A343A
; 

loc_8A3485:				; CODE XREF: PipDmgGetDriverDmarCompatLevel+C9j
		xor	esi, esi
		inc	esi
		jmp	short loc_8A343A
PipDmgGetDriverDmarCompatLevel endp

; 
		align 10h
; Exported entry 1097. KeAllocateCalloutStack

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAllocateCalloutStack(x)
		public _KeAllocateCalloutStack@4
_KeAllocateCalloutStack@4 proc near

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		xor	eax, eax
		cmp	[ebp+arg_0], al
		push	0
		push	1
		setnz	al
		push	eax
		call	KeAllocateCalloutStackEx
		test	eax, eax
		js	short loc_8A34BB
		mov	eax, [ebp+var_4]

locret_8A34B7:				; CODE XREF: KeAllocateCalloutStack(x)+2Dj
		leave
		retn	4
; 

loc_8A34BB:				; CODE XREF: KeAllocateCalloutStack(x)+22j
		xor	eax, eax
		jmp	short locret_8A34B7
_KeAllocateCalloutStack@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1098. KeAllocateCalloutStackEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeAllocateCalloutStackEx
KeAllocateCalloutStackEx proc near	; CODE XREF: KeAllocateCalloutStack(x)+1Bp

var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00930778 SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, [ebp+arg_0]
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		sub	eax, 0
		jnz	loc_930778
		xor	bl, bl

loc_8A34E0:				; CODE XREF: KeAllocateCalloutStackEx+8D2C5j
		mov	al, [ebp+arg_4]
		mov	[esp+20h+var_11], bl
		test	al, al
		jz	loc_93078E
		cmp	[ebp+arg_8], 0
		jnz	loc_930798
		movzx	eax, al
		mov	[esp+20h+var_C], eax
		push	6353654Bh
		lea	eax, ds:28h[eax*4]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+20h+var_4], esi
		test	esi, esi
		jz	loc_9307A2
		mov	al, [esp+20h+var_11]
		movzx	ebx, bl
		neg	ebx
		movzx	ecx, al
		mov	[esp+20h+var_8], ecx
		sbb	ebx, ebx
		xor	edi, edi
		and	ebx, 5
		cmp	[esp+20h+var_C], edi
		jbe	short loc_8A3576
		lea	eax, [esi+28h]
		mov	[esp+20h+var_10], eax

loc_8A3549:				; CODE XREF: KeAllocateCalloutStackEx+ACj
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	MmCreateKernelStack
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_9307AC
		mov	eax, [esp+20h+var_10]
		inc	edi
		mov	[eax], ecx
		add	eax, 4
		mov	[esp+20h+var_10], eax
		cmp	edi, [esp+20h+var_C]
		jb	short loc_8A3549
		mov	al, [esp+20h+var_11]

loc_8A3576:				; CODE XREF: KeAllocateCalloutStackEx+7Cj
		mov	[esi+4], al
		mov	al, [ebp+arg_4]
		mov	[esi+5], al
		lea	eax, [esi+8]
		push	0
		push	eax
		mov	dword ptr [esi], 6B617453h
		mov	byte ptr [esi+6], 0
		call	_KeInitializeMutex@8 ; KeInitializeMutex(x,x)
		mov	eax, [ebp+arg_C]
		mov	[eax], esi
		xor	eax, eax

loc_8A359B:				; CODE XREF: KeAllocateCalloutStackEx+8D2BEj
					; KeAllocateCalloutStackEx+8D2CFj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
KeAllocateCalloutStackEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopCreateCmResourceList(int,void *)
IopCreateCmResourceList	proc near	; CODE XREF: IopAllocateLegacyBootResources+2Fp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009307E1 SIZE 00000174 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_24], edx
		xor	esi, esi
		mov	edx, ds:_IopInitHalResources
		xor	ebx, ebx
		push	4
		pop	ecx
		mov	[ebp+var_4], ecx
		xor	edi, edi
		mov	ecx, [edx]
		lea	eax, [edx+4]
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	short loc_8A3651

loc_8A35DC:				; CODE XREF: IopCreateCmResourceList+A2j
		and	[ebp+var_C], 0
		lea	esi, [eax+10h]
		push	10h
		mov	[ebp+var_28], esi
		mov	esi, [eax+0Ch]
		test	esi, esi
		pop	edx
		mov	[ebp+var_2C], esi
		mov	esi, [ebp+var_8]
		mov	[ebp+var_14], edx
		jz	short loc_8A362B
		mov	esi, [ebp+var_28]
		mov	ecx, [ebp+var_C]
		mov	ebx, [ebp+var_2C]

loc_8A3602:				; CODE XREF: IopCreateCmResourceList+79j
		and	[ebp+var_C], 0
		cmp	byte ptr [esi],	5
		push	10h
		pop	edx
		jz	loc_9307E1

loc_8A3612:				; CODE XREF: IopCreateCmResourceList+8D24Bj
		add	[ebp+var_14], edx
		adc	ecx, [ebp+var_C]
		add	esi, edx
		sub	ebx, 1
		jnz	short loc_8A3602
		mov	ebx, [ebp+var_1C]
		mov	esi, [ebp+var_8]
		mov	edx, [ebp+var_14]
		mov	[ebp+var_C], ecx

loc_8A362B:				; CODE XREF: IopCreateCmResourceList+53j
		mov	ecx, [ebp+var_24]
		cmp	[eax], ecx
		mov	ecx, [ebp+var_4]
		jz	short loc_8A365F

loc_8A3635:				; CODE XREF: IopCreateCmResourceList+C4j
					; IopCreateCmResourceList+CEj
		add	ecx, edx
		mov	[ebp+var_4], ecx
		adc	esi, [ebp+var_C]
		add	eax, edx
		sub	[ebp+var_20], 1
		mov	[ebp+var_8], esi
		jnz	short loc_8A35DC
		mov	edx, [ebp+var_18]
		mov	eax, edi
		or	eax, ebx
		jnz	short loc_8A3674

loc_8A3651:				; CODE XREF: IopCreateCmResourceList+36j
		mov	eax, [ebp+arg_4]
		mov	[eax], edx

loc_8A3656:				; CODE XREF: IopCreateCmResourceList+8D279j
					; IopCreateCmResourceList+8D36Fj
		xor	eax, eax

loc_8A3658:				; CODE XREF: IopCreateCmResourceList+EEj
					; IopCreateCmResourceList+8D3A5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8A365F:				; CODE XREF: IopCreateCmResourceList+8Fj
		mov	esi, [ebp+arg_0]
		cmp	[eax+4], esi
		mov	esi, [ebp+var_8]
		jnz	short loc_8A3635
		add	edi, edx
		adc	ebx, [ebp+var_C]
		mov	[ebp+var_1C], ebx
		jmp	short loc_8A3635
; 

loc_8A3674:				; CODE XREF: IopCreateCmResourceList+ABj
		add	edi, 4
		adc	ebx, 0
		cmp	edi, ecx
		jnz	loc_9307F4
		cmp	ebx, esi
		jnz	loc_9307F4

loc_8A368A:				; CODE XREF: IopCreateCmResourceList+8D3ACj
		mov	ecx, [ebp+arg_4]
		mov	eax, edx
		and	dword ptr [ecx], 0
		jmp	short loc_8A3658
IopCreateCmResourceList	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCombineCmResourceList proc near	; CODE XREF: IopAllocateLegacyBootResources+90p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00930955 SIZE 00000070 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jnz	loc_930955
		mov	eax, edi

loc_8A36AB:				; CODE XREF: IopCombineCmResourceList+8D2C7j
					; IopCombineCmResourceList+8D32Cj
		pop	edi
		pop	ebx
		leave
		retn
IopCombineCmResourceList endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepInitializeSystemSecurityAttributes(x)
_AuthzBasepInitializeSystemSecurityAttributes@4	proc near ; CODE XREF: SeRmInitPhase1()+61p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		push	2Eh
		pop	eax
		mov	word ptr [ebp+var_34], ax
		lea	edi, [ebp+var_2C]
		push	30h
		pop	eax
		mov	word ptr [ebp+var_34+2], ax
		xor	eax, eax
		mov	[ebp+var_30], (offset loc_8C6563+1)
		stosd
		mov	[ebp+var_4], 2
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	word ptr [ebp+var_1C+2], ax
		xor	edi, edi
		inc	edi
		lea	eax, [ebp+var_34]
		mov	[ebp+var_18], edi
		mov	word ptr [ebp+var_1C], di
		mov	[ebp+var_14], eax
		call	_AuthzBasepAllocateSecurityAttributesList@0 ; AuthzBasepAllocateSecurityAttributesList()
		mov	esi, eax
		test	esi, esi
		jz	short loc_8A3759
		call	RtlIsMultiSessionSku
		mov	bl, al
		test	bl, bl
		jz	short loc_8A3760
		mov	eax, edi

loc_8A370E:				; CODE XREF: AuthzBasepInitializeSystemSecurityAttributes(x)+B2j
		and	[ebp+var_C], 0
		lea	edx, [ebp+var_4]
		mov	[ebp+var_10], eax
		mov	ecx, esi
		push	6
		pop	eax
		mov	word ptr [ebp+var_2C], ax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_1C]
		push	eax
		mov	[ebp+var_24], edi
		call	AuthzBasepSetSecurityAttributesToken
		mov	edi, eax
		mov	ecx, esi
		mov	edx, offset _WindowsSystemAttributes
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_8A3764
		xor	esi, esi
		mov	_SepAllowAccessUponLogoff, bl

loc_8A374E:				; CODE XREF: AuthzBasepInitializeSystemSecurityAttributes(x)+B9j
		test	esi, esi
		jnz	short loc_8A376B

loc_8A3752:				; CODE XREF: AuthzBasepInitializeSystemSecurityAttributes(x)+AEj
					; AuthzBasepInitializeSystemSecurityAttributes(x)+C2j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8A3759:				; CODE XREF: AuthzBasepInitializeSystemSecurityAttributes(x)+4Fj
		mov	edi, 0C000009Ah
		jmp	short loc_8A3752
; 

loc_8A3760:				; CODE XREF: AuthzBasepInitializeSystemSecurityAttributes(x)+5Aj
		xor	eax, eax
		jmp	short loc_8A370E
; 

loc_8A3764:				; CODE XREF: AuthzBasepInitializeSystemSecurityAttributes(x)+94j
		mov	edi, 0C0000001h
		jmp	short loc_8A374E
; 

loc_8A376B:				; CODE XREF: AuthzBasepInitializeSystemSecurityAttributes(x)+A0j
		mov	ecx, esi
		call	AuthzBasepFreeSecurityAttributesList
		jmp	short loc_8A3752
_AuthzBasepInitializeSystemSecurityAttributes@4	endp


;  S U B	R O U T	I N E 


; __stdcall SepAdtRegNotificationCallback(x)
_SepAdtRegNotificationCallback@4 proc near
					; DATA XREF: SepAdtOpenRegAndSetupNotification(x,x,x,x)+39o
		call	_SepAdtInitializeCrashOnFail@0 ; SepAdtInitializeCrashOnFail()
		call	_SepAdtInitializePrivilegeAuditing@0 ; SepAdtInitializePrivilegeAuditing()
		call	_SepAdtInitializeBounds@0 ; SepAdtInitializeBounds()
		push	1
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	5
		push	offset _SepAdtIoStatusBlock
		push	1
		push	offset _SepAdtLsaRegWatchWorkItem
		push	eax
		push	eax
		push	eax
		push	ds:_SepAdtRegNotifyHandle
		call	NtNotifyChangeMultipleKeys
		retn	4
_SepAdtRegNotificationCallback@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtInitializeBounds()
_SepAdtInitializeBounds@0 proc near	; CODE XREF: SepAdtRegNotificationCallback(x)+Ap
					; SepAdtInitializeAuditingOptions()+4Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, ds:_SepAdtRegNotifyHandle
		test	ecx, ecx
		jz	short loc_8A3800
		lea	eax, [ebp+var_C]
		mov	edx, offset ??_C@_1O@OLLLPIHG@?$AAB?$AAo?$AAu?$AAn?$AAd?$AAs@NNGAKEGL@
		push	eax
		push	8
		push	3
		call	_SepRegQueryValue@20 ; SepRegQueryValue(x,x,x,x,x)
		test	eax, eax
		js	short loc_8A3800
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_C]
		cmp	ecx, edx
		jnb	short loc_8A3800
		cmp	ecx, 10h
		jb	short loc_8A3800
		mov	eax, edx
		sub	eax, ecx
		cmp	eax, 10h
		jb	short loc_8A3800
		mov	_SepAdtMaxListLength, edx
		mov	_SepAdtMinListLength, ecx

loc_8A3800:				; CODE XREF: SepAdtInitializeBounds()+1Aj
					; SepAdtInitializeBounds()+30j	...
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SepAdtInitializeBounds@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtInitializePrivilegeAuditing()
_SepAdtInitializePrivilegeAuditing@0 proc near
					; CODE XREF: SepAdtRegNotificationCallback(x)+5p
					; SepAdtInitializeAuditingOptions()+4Ap

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, ds:_SepAdtRegNotifyHandle
		mov	[ebp+var_1], 0
		test	ecx, ecx
		jz	short loc_8A383D
		lea	eax, [ebp-1]
		mov	edx, (offset loc_8BF5CD+1)
		push	eax
		push	1
		push	3
		call	_SepRegQueryValue@20 ; SepRegQueryValue(x,x,x,x,x)
		cmp	[ebp+var_1], 0
		mov	eax, offset _SepFilterPrivilegesShort
		jnz	short loc_8A3842

loc_8A383D:				; CODE XREF: SepAdtInitializePrivilegeAuditing()+12j
		mov	eax, offset _SepFilterPrivilegesLong

loc_8A3842:				; CODE XREF: SepAdtInitializePrivilegeAuditing()+2Fj
		mov	ds:_SepFilterPrivileges, eax
		mov	al, 1
		leave
		retn
_SepAdtInitializePrivilegeAuditing@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtInitializeCrashOnFail()
_SepAdtInitializeCrashOnFail@0 proc near ; CODE	XREF: SepAdtRegNotificationCallback(x)p
					; SepAdtInitializeAuditingOptions()+45p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, ds:_SepAdtRegNotifyHandle
		xor	edx, edx
		and	[ebp+var_4], edx
		test	ecx, ecx
		jz	short loc_8A3883
		lea	eax, [ebp+var_4]
		mov	edx, offset ??_C@_1CC@LOHLDOPL@?$AAC?$AAr?$AAa?$AAs?$AAh?$AAO?$AAn?$AAA?$AAu?$AAd?$AAi?$AAt?$AAF?$AAa?$AAi@NNGAKEGL@
		push	eax
		push	4
		push	4
		call	_SepRegQueryValue@20 ; SepRegQueryValue(x,x,x,x,x)
		cmp	[ebp+var_4], 2
		mov	edx, eax
		ja	short locret_8A388C
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_4], eax
		jz	short loc_8A3885

loc_8A3883:				; CODE XREF: SepAdtInitializeCrashOnFail()+13j
		xor	al, al

loc_8A3885:				; CODE XREF: SepAdtInitializeCrashOnFail()+35j
		mov	_SepCrashOnAuditFail, al
		mov	eax, edx

locret_8A388C:				; CODE XREF: SepAdtInitializeCrashOnFail()+2Dj
		leave
		retn
_SepAdtInitializeCrashOnFail@0 endp


;  S U B	R O U T	I N E 


; __stdcall SepAdtOpenRegAndSetupNotification(x, x, x, x)
_SepAdtOpenRegAndSetupNotification@16 proc near
					; CODE XREF: SepAdtInitializeAuditingOptions()+3Ap
		mov	edi, edi
		push	ecx
		push	offset _SepAdtRegNotifyHandle
		mov	edx, 211h
		mov	ecx, offset ??_C@_1GO@BNNKBEEN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		call	_SepRegOpenKey@12 ; SepRegOpenKey(x,x,x)
		test	eax, eax
		js	short loc_8A38E2
		mov	eax, ds:_SepAdtRegNotifyHandle
		xor	ecx, ecx
		push	1
		push	ecx
		push	ecx
		push	ecx
		push	5
		push	offset _SepAdtIoStatusBlock
		push	1
		push	offset _SepAdtLsaRegWatchWorkItem
		push	ecx
		push	ecx
		push	ecx
		push	eax
		mov	dword_6FD620, offset _SepAdtRegNotificationCallback@4 ;	SepAdtRegNotificationCallback(x)
		mov	dword_6FD624, ecx
		mov	_SepAdtLsaRegWatchWorkItem, ecx
		call	NtNotifyChangeMultipleKeys

loc_8A38E2:				; CODE XREF: SepAdtOpenRegAndSetupNotification(x,x,x,x)+19j
		pop	ecx
		retn	8
_SepAdtOpenRegAndSetupNotification@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtOpenEtwReadyEvent(x)
_SepAdtOpenEtwReadyEvent@4 proc	near	; CODE XREF: SepRmCallLsa+1B2p
					; SepAdtInitializeAuditingOptions()+17p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		push	(offset	loc_8BF5A1+1)
		lea	eax, [ebp+var_8]
		xor	edi, edi
		push	eax
		mov	esi, ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], 18h
		push	edi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	100003h
		push	esi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], 280h
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		call	NtCreateEvent
		cmp	eax, 40000000h
		jz	short loc_8A3948
		cmp	eax, 0C0000035h
		jz	short loc_8A3948

loc_8A3944:				; CODE XREF: SepAdtOpenEtwReadyEvent(x)+64j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_8A3948:				; CODE XREF: SepAdtOpenEtwReadyEvent(x)+55j
					; SepAdtOpenEtwReadyEvent(x)+5Cj
		mov	eax, edi
		jmp	short loc_8A3944
_SepAdtOpenEtwReadyEvent@4 endp


;  S U B	R O U T	I N E 


; __stdcall AdtpInitializeAuditingCommon()
_AdtpInitializeAuditingCommon@0	proc near ; CODE XREF: SepAdtInitializeAuditingOptions()+Bp
		mov	edi, edi
		push	esi
		mov	word ptr ds:_AdtpNullSid, 101h
		mov	ds:_AdtpRegisteredWithEtw, 1
		call	AdtpInitializeDriveLetters
		test	eax, eax
		js	short loc_8A397A
		call	AdtpObjsInitialize
		mov	esi, eax
		test	esi, esi
		js	short loc_8A397A
		call	_AdtpDbInitializePrivilegeObject@0 ; AdtpDbInitializePrivilegeObject()
		mov	eax, esi

loc_8A397A:				; CODE XREF: AdtpInitializeAuditingCommon()+1Aj
					; AdtpInitializeAuditingCommon()+25j
		pop	esi
		retn
_AdtpInitializeAuditingCommon@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AdtpObjsInitialize proc	near		; CODE XREF: AdtpInitializeAuditingCommon()+1Cp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 009309C5 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_1], 1
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [ebp+var_4C]
		mov	[ebp+var_C], eax
		rep stosd
		push	offset _AdtpSourceModuleLock
		mov	[ebp+var_1C], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_20], eax
		mov	_AdtpSourceModules, eax
		call	ExInitializeResourceLite
		xor	esi, esi
		mov	ecx, offset _AdtpAccessIdsStringBuffer
		push	18h
		mov	[ebp+var_14], esi
		mov	ebx, esi
		mov	edi, offset _AdtpEventIdStringStandard
		mov	[ebp+var_18], ecx
		pop	edx

loc_8A39D6:				; CODE XREF: AdtpObjsInitialize+98j
		xor	eax, eax
		mov	[edi+2], dx
		push	edi
		mov	[edi], ax
		lea	eax, [ebx+601h]
		push	0Ah
		push	eax
		mov	[edi+4], ecx
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		test	eax, eax
		js	loc_8A3D71
		mov	eax, [ebp+var_14]
		add	edi, 8
		mov	ecx, [ebp+var_18]
		add	eax, 0Ch
		push	18h
		pop	edx
		add	ecx, edx
		mov	[ebp+var_14], eax
		inc	ebx
		mov	[ebp+var_18], ecx
		cmp	ebx, 6
		jbe	short loc_8A39D6
		lea	eax, _AdtpAccessIdsStringBuffer[eax*2]
		mov	ebx, esi
		mov	edi, offset _AdtpEventIdStringSpecific
		mov	[ebp+var_18], eax

loc_8A3A27:				; CODE XREF: AdtpObjsInitialize+E0j
		push	edi
		mov	[edi+4], eax
		xor	ecx, ecx
		push	0Ah
		lea	eax, [ebx+610h]
		mov	[edi], cx
		push	eax
		mov	[edi+2], dx
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		test	eax, eax
		js	loc_8A3D71
		mov	eax, [ebp+var_18]
		add	edi, 8
		push	18h
		pop	edx
		add	eax, edx
		inc	ebx
		mov	[ebp+var_18], eax
		cmp	ebx, 0Fh
		jbe	short loc_8A3A27
		push	offset ??_C@_1IM@HLFDLGLG@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_34]
		mov	[ebp+var_4C], 18h
		push	esi
		mov	[ebp+var_44], eax
		lea	ecx, [ebp+var_C]
		push	esi
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_48], esi
		push	eax
		mov	edx, 20019h
		mov	[ebp+var_40], 240h
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], esi
		call	CmOpenKey
		mov	ebx, eax
		xor	eax, eax
		cmp	ebx, 0C0000034h
		jz	loc_8A3D71
		jmp	short loc_8A3ACC
; 

loc_8A3AAE:				; CODE XREF: AdtpObjsInitialize+2C9j
					; AdtpObjsInitialize+2D1j
		test	ebx, ebx
		jnz	short loc_8A3AC8
		test	al, al
		jnz	short loc_8A3AC8
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_8A3AC8
		push	eax
		call	NtClose
		xor	eax, eax
		mov	[ebp+var_10], eax

loc_8A3AC8:				; CODE XREF: AdtpObjsInitialize+134j
					; AdtpObjsInitialize+138j ...
		mov	eax, [ebp+var_14]
		inc	eax

loc_8A3ACC:				; CODE XREF: AdtpObjsInitialize+130j
		mov	[ebp+var_14], eax
		test	ebx, ebx
		js	loc_8A3D5D
		lea	ecx, [ebp+var_8]
		push	ecx
		push	0
		push	0
		push	0
		push	eax
		push	[ebp+var_C]
		call	NtEnumerateKey
		mov	ebx, eax
		cmp	ebx, 0C0000023h
		jnz	loc_8A3D55
		push	6B416553h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9309C5
		lea	eax, [ebp+var_8]
		xor	esi, esi
		push	eax
		push	[ebp+var_8]
		push	edi
		push	esi
		push	[ebp+var_14]
		push	[ebp+var_C]
		call	NtEnumerateKey
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8A3D55
		push	6B416553h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_20], ebx
		test	ebx, ebx
		jz	loc_9309C5
		mov	ecx, _AdtpSourceModules
		mov	[ebx], ecx
		lea	ecx, [ebx+4]
		mov	_AdtpSourceModules, ebx
		mov	[ebx+0Ch], esi
		movzx	eax, word ptr [edi+0Ch]
		mov	[ecx], ax
		add	eax, 2
		mov	[ebx+6], ax
		push	6B416553h
		movzx	eax, ax
		push	eax
		push	1
		mov	[ebp+var_18], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+8], eax
		test	eax, eax
		jz	loc_9309C5
		mov	ax, [edi+0Ch]
		mov	ebx, [ebp+var_18]
		mov	word ptr [ebp+var_2C], ax
		mov	word ptr [ebp+var_2C+2], ax
		lea	eax, [edi+10h]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_C]
		lea	ecx, [ebp+var_1C]
		push	18h
		pop	edi
		push	esi
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_44], ebx
		mov	ebx, 20019h
		push	esi
		push	eax
		mov	edx, ebx
		mov	[ebp+var_4C], edi
		mov	[ebp+var_40], 240h
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], esi
		call	CmOpenKey
		test	eax, eax
		js	loc_8A3D71
		push	offset ??_C@_1BI@OADGGPMJ@?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAN?$AAa?$AAm?$AAe?$AAs@NNGAKEGL@ ; "ObjectNames"
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_4C], edi
		mov	edi, [ebp+var_1C]
		lea	ecx, [ebp+var_10]
		push	esi
		mov	[ebp+var_44], eax
		mov	edx, ebx
		push	esi
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_48], edi
		push	eax
		mov	[ebp+var_40], 240h
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], esi
		call	CmOpenKey
		push	edi
		mov	ebx, eax
		call	NtClose
		mov	al, 1
		mov	[ebp+var_1], al
		cmp	ebx, 0C0000034h
		jz	loc_8A3D49

loc_8A3C3E:				; CODE XREF: AdtpObjsInitialize+3D4j
					; AdtpObjsInitialize+3DCj
		xor	esi, esi

loc_8A3C40:				; CODE XREF: AdtpObjsInitialize+3C8j
		mov	[ebp+var_18], esi
		test	ebx, ebx
		js	loc_8A3AAE
		cmp	al, 1
		jnz	loc_8A3AAE
		mov	ebx, [ebp+var_10]
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		push	0
		push	1
		push	esi
		push	ebx
		call	NtEnumerateValueKey
		cmp	eax, 0C0000023h
		jnz	loc_8A3D2C
		push	6B416553h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9309C5
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_8]
		push	edi
		push	1
		push	esi
		push	ebx
		call	NtEnumerateValueKey
		mov	[ebp+var_24], eax
		test	eax, eax
		js	short loc_8A3D1D
		push	6B416553h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9309C5
		mov	eax, [ebp+var_20]
		lea	ebx, [esi+4]
		push	6B416553h
		mov	ecx, [eax+0Ch]
		mov	[esi], ecx
		mov	[eax+0Ch], esi
		movzx	eax, word ptr [edi+10h]
		mov	[ebx], ax
		add	eax, 2
		mov	[esi+6], ax
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+8], eax
		test	eax, eax
		jz	loc_9309C5
		mov	ax, [edi+10h]
		mov	word ptr [ebp+var_2C], ax
		mov	word ptr [ebp+var_2C+2], ax
		lea	eax, [edi+14h]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		cmp	dword ptr [edi+0Ch], 4
		jb	short loc_8A3D76
		mov	eax, [edi+8]
		mov	eax, [edi+eax]
		mov	[esi+0Ch], eax

loc_8A3D1D:				; CODE XREF: AdtpObjsInitialize+325j
					; AdtpObjsInitialize+401j
		xor	esi, esi
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_24]
		mov	esi, [ebp+var_18]

loc_8A3D2C:				; CODE XREF: AdtpObjsInitialize+2F0j
		lea	ebx, [eax+7FFFFFE6h]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax
		inc	esi
		cmp	eax, 8000001Ah
		setnz	al
		mov	[ebp+var_1], al
		jmp	loc_8A3C40
; 

loc_8A3D49:				; CODE XREF: AdtpObjsInitialize+2BCj
		xor	al, al
		xor	ebx, ebx
		mov	[ebp+var_1], al
		jmp	loc_8A3C3E
; 

loc_8A3D55:				; CODE XREF: AdtpObjsInitialize+176j
					; AdtpObjsInitialize+1AFj
		mov	al, [ebp+var_1]
		jmp	loc_8A3C3E
; 

loc_8A3D5D:				; CODE XREF: AdtpObjsInitialize+155j
		push	[ebp+var_C]
		call	NtClose
		lea	eax, [ebx+7FFFFFE6h]
		neg	eax
		sbb	eax, eax
		and	eax, ebx

loc_8A3D71:				; CODE XREF: AdtpObjsInitialize+77j
					; AdtpObjsInitialize+C8j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8A3D76:				; CODE XREF: AdtpObjsInitialize+396j
		mov	dword ptr [esi+0Ch], 610h
		jmp	short loc_8A3D1D
AdtpObjsInitialize endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AdtpInitializeDriveLetters proc	near	; CODE XREF: AdtpInitializeAuditingCommon()+13p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009309CF SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	ecx, [ebp+var_44]
		sub	esp, 0Ch
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_4C], ebx
		call	sub_574F78
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+var_58]
		mov	eax, ebx
		mov	esi, offset unk_A9AAFC
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], eax
		mov	edi, esi

loc_8A3DCD:				; CODE XREF: AdtpInitializeDriveLetters+97j
		add	eax, 41h
		mov	[ebp+var_74], 18h
		mov	[ecx+18h], ax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	1
		lea	eax, [ebp+var_48]
		mov	[ebp+var_70], ebx
		push	eax
		mov	[ebp+var_68], 240h
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		call	NtOpenSymbolicLinkObject
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_8A3E19

loc_8A3E06:				; CODE XREF: AdtpInitializeDriveLetters+EDj
					; AdtpInitializeDriveLetters+8CC61j
		mov	eax, [ebp+var_50]
		inc	eax
		mov	[ebp+var_50], eax
		cmp	eax, 1Ah
		jnb	short loc_8A3E6F
		mov	ecx, [ebp+var_54]
		xor	ebx, ebx
		jmp	short loc_8A3DCD
; 

loc_8A3E19:				; CODE XREF: AdtpInitializeDriveLetters+84j
		mov	eax, [ebp+var_54]
		mov	ebx, 100h
		push	6B416553h
		push	ebx
		push	1
		mov	ax, [eax+18h]
		mov	[edi-4], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_78], eax
		test	eax, eax
		jz	loc_9309E6
		push	0
		push	edi
		push	[ebp+var_48]
		mov	dword ptr [edi], 1000000h
		mov	[edi+4], eax
		call	NtQuerySymbolicLinkObject
		push	[ebp+var_48]
		mov	ebx, eax
		call	NtClose
		test	ebx, ebx
		js	loc_9309CF
		inc	[ebp+var_4C]
		add	edi, 0Ch
		jmp	short loc_8A3E06
; 

loc_8A3E6F:				; CODE XREF: AdtpInitializeDriveLetters+90j
					; AdtpInitializeDriveLetters+8CC6Bj
		cmp	ebx, 0C0000017h
		jz	short loc_8A3ECE
		xor	edi, edi
		cmp	[ebp+var_4C], edi
		jbe	short loc_8A3EBD

loc_8A3E7E:				; CODE XREF: AdtpInitializeDriveLetters+13Bj
		and	[ebp+var_70], 0
		lea	eax, [ebp+var_74]
		and	[ebp+var_64], 0
		xor	bl, bl
		and	[ebp+var_60], 0
		push	eax
		push	1
		lea	eax, [ebp+var_48]
		mov	[ebp+var_74], 18h
		push	eax
		mov	[ebp+var_68], 240h
		mov	[ebp+var_6C], esi
		call	NtOpenSymbolicLinkObject
		test	eax, eax
		jns	loc_9309F0

loc_8A3EB4:				; CODE XREF: AdtpInitializeDriveLetters+8CCA5j
		inc	edi
		add	esi, 0Ch

loc_8A3EB8:				; CODE XREF: AdtpInitializeDriveLetters+8CC9Fj
		cmp	edi, [ebp+var_4C]
		jb	short loc_8A3E7E

loc_8A3EBD:				; CODE XREF: AdtpInitializeDriveLetters+FCj
		xor	eax, eax

loc_8A3EBF:				; CODE XREF: AdtpInitializeDriveLetters+153j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8A3ECE:				; CODE XREF: AdtpInitializeDriveLetters+F5j
		mov	eax, 0C0000017h
		jmp	short loc_8A3EBF
AdtpInitializeDriveLetters endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1338. KseRegisterShim

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseRegisterShim(x, x, x)
		public _KseRegisterShim@12
_KseRegisterShim@12 proc near		; CODE XREF: KseZeroPoolInitialize+Cp
					; KseDriverScopeInitialize+Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	KseRegisterShimEx
		pop	ecx
		pop	ebp
		retn	0Ch
_KseRegisterShim@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1339. KseRegisterShimEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KseRegisterShimEx
KseRegisterShimEx proc near		; CODE XREF: KseRegisterShim(x,x,x)+11p

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00930A2A SIZE 00000142 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	loc_930A2A
		push	2
		pop	edi
		cmp	dword_6D4A78, edi
		jnz	loc_930A34
		and	[ebp+arg_0], 0
		lea	ecx, [ebp+arg_0]
		call	_KsepGetLoadedModulesList@4 ; KsepGetLoadedModulesList(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8A4037
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+4]
		push	esi
		call	KsepValidateShimProviderAndData
		test	eax, eax
		jz	loc_930A3E
		push	18h
		pop	ecx
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_930A9F
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset unk_6D4A90
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [esi+4]	; void *
		push	0		; int
		push	ecx		; int
		mov	ecx, offset _KseEngine ; int
		call	KsepIsShimRegistered
		test	eax, eax
		jnz	loc_930AA9
		and	[edi+0Ch], eax
		mov	ecx, offset unk_6D4A80
		mov	eax, [ebp+arg_8]
		mov	[edi+10h], eax
		mov	eax, [ebp+arg_C]
		mov	[edi+8], esi
		mov	[edi+14h], eax
		mov	eax, dword_6D4A84
		cmp	[eax], ecx
		jnz	loc_8A404D
		mov	[edi+4], eax
		mov	[edi], ecx
		mov	[eax], edi
		or	eax, 0FFFFFFFFh
		mov	dword_6D4A84, edi
		lock xadd [ebx], eax
		test	al, 2
		jnz	loc_930B40

loc_8A3FCD:				; CODE XREF: KseRegisterShimEx+8CC48j
					; KseRegisterShimEx+8CC55j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	dword ptr [esi+0Ch], offset unk_6D4A94
		xor	ebx, ebx
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryMessagesIndex, eax
		inc	eax
		and	eax, 3Fh
		mov	ecx, 119h
		push	2
		pop	edi
		and	dword_6C7244[eax*8], ebx
		test	_KsepDebugFlag,	1
		mov	word_6C7242[eax*8], di
		mov	_KsepHistoryMessages[eax*8], cx
		jnz	loc_930B54

loc_8A4024:				; CODE XREF: KseRegisterShimEx+8CC6Dj
		mov	eax, [esi+4]
		push	dword ptr [eax]
		push	offset ??_C@_0CL@NFECGAAK@KSE?3?5Succeeded?5shim?5?$FL0x?$CF08X?$FN?5re@NNGAKEGL@ ; "KSE: Succeeded shim [0x%08X] registrati"...
		push	edi
		call	_KsepLogInfo

loc_8A4034:				; CODE XREF: KseRegisterShimEx+8CBA0j
		add	esp, 0Ch

loc_8A4037:				; CODE XREF: KseRegisterShimEx+33j
					; KseRegisterShimEx+8CBAAj ...
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_8A4043
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)

loc_8A4043:				; CODE XREF: KseRegisterShimEx+142j
		mov	eax, ebx

loc_8A4045:				; CODE XREF: KseRegisterShimEx+8CB35j
					; KseRegisterShimEx+8CB3Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	10h
; 

loc_8A404D:				; CODE XREF: KseRegisterShimEx+B1j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
KseRegisterShimEx endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall KsepIsShimRegistered(int,void *,int,int)
KsepIsShimRegistered proc near		; CODE XREF: KseRegisterShimEx+86p
					; KseUnregisterShim(x,x,x)+60p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00930B6C SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	short loc_8A40AB
		test	ecx, ecx
		jz	short loc_8A40AB
		push	ebx
		lea	eax, [ecx+0Ch]
		xor	ebx, ebx
		push	esi
		mov	esi, [eax]
		mov	[ebp+var_4], eax
		cmp	esi, eax
		jz	short loc_8A40A3
		push	edi

loc_8A4075:				; CODE XREF: KsepIsShimRegistered+4Ej
		mov	edi, esi
		mov	esi, [esi]
		test	byte ptr [edi+10h], 4
		jnz	short loc_8A409E
		mov	eax, [edi+8]
		push	10h		; size_t
		push	edx		; void *
		push	dword ptr [eax+4] ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_930B6C
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_8]

loc_8A409E:				; CODE XREF: KsepIsShimRegistered+2Bj
		cmp	esi, eax
		jnz	short loc_8A4075

loc_8A40A2:				; CODE XREF: KsepIsShimRegistered+8CB26j
		pop	edi

loc_8A40A3:				; CODE XREF: KsepIsShimRegistered+20j
		pop	esi
		mov	eax, ebx
		pop	ebx

locret_8A40A7:				; CODE XREF: KsepIsShimRegistered+5Bj
		leave
		retn	8
; 

loc_8A40AB:				; CODE XREF: KsepIsShimRegistered+Cj
					; KsepIsShimRegistered+10j
		xor	eax, eax
		jmp	short locret_8A40A7
KsepIsShimRegistered endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepValidateShimProviderAndData	proc near ; CODE XREF: KseRegisterShimEx+40p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00930B7D SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_8A4129
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_8A4129
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KsepGetModuleInfoByAddress@16 ; KsepGetModuleInfoByAddress(x,x,x,x)
		test	eax, eax
		js	short loc_8A4129
		mov	ebx, [ebp+var_8]
		mov	edi, [ebp+var_4]
		add	ebx, edi
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_8A4129
		mov	ecx, eax

loc_8A40EF:				; CODE XREF: KsepValidateShimProviderAndData+6Dj
		cmp	dword ptr [eax], 4
		jz	short loc_8A411F
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_8A4129
		mov	edx, eax

loc_8A40FD:				; CODE XREF: KsepValidateShimProviderAndData+66j
		cmp	dword ptr [eax], 2
		jz	short loc_8A4118
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_8A4129
		cmp	eax, edi
		jb	loc_930B7D

loc_8A4111:				; CODE XREF: KsepValidateShimProviderAndData+8CAD5j
		add	edx, 10h
		mov	eax, edx
		jnz	short loc_8A40FD

loc_8A4118:				; CODE XREF: KsepValidateShimProviderAndData+50j
		add	ecx, 0Ch
		mov	eax, ecx
		jnz	short loc_8A40EF

loc_8A411F:				; CODE XREF: KsepValidateShimProviderAndData+42j
		xor	eax, eax
		inc	eax

loc_8A4122:				; CODE XREF: KsepValidateShimProviderAndData+7Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8A4129:				; CODE XREF: KsepValidateShimProviderAndData+14j
					; KsepValidateShimProviderAndData+1Bj ...
		xor	eax, eax
		jmp	short loc_8A4122
KsepValidateShimProviderAndData	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepGetModuleInfoByAddress(x, x, x,	x)
_KsepGetModuleInfoByAddress@16 proc near ; CODE	XREF: KsepValidateShimProviderAndData+25p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	short loc_8A4194
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	short loc_8A4194
		test	edx, edx
		jz	short loc_8A4194
		mov	eax, [edx]
		xor	ecx, ecx
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_8A4176
		add	edx, 10h

loc_8A4156:				; CODE XREF: KsepGetModuleInfoByAddress(x,x,x,x)+46j
		mov	esi, [edx-4]
		cmp	edi, esi
		jb	short loc_8A416B
		mov	eax, [edx]
		mov	[ebp+var_4], eax
		add	eax, esi
		cmp	edi, eax
		jb	short loc_8A417D
		mov	eax, [ebp+arg_0]

loc_8A416B:				; CODE XREF: KsepGetModuleInfoByAddress(x,x,x,x)+2Dj
		inc	ecx
		add	edx, 11Ch
		cmp	ecx, eax
		jb	short loc_8A4156

loc_8A4176:				; CODE XREF: KsepGetModuleInfoByAddress(x,x,x,x)+23j
		mov	eax, 0C0000225h
		jmp	short loc_8A418D
; 

loc_8A417D:				; CODE XREF: KsepGetModuleInfoByAddress(x,x,x,x)+38j
		mov	eax, [ebp+arg_4]
		mov	[ebx], esi
		test	eax, eax
		jz	short loc_8A418B
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx

loc_8A418B:				; CODE XREF: KsepGetModuleInfoByAddress(x,x,x,x)+56j
		xor	eax, eax

loc_8A418D:				; CODE XREF: KsepGetModuleInfoByAddress(x,x,x,x)+4Dj
					; KsepGetModuleInfoByAddress(x,x,x,x)+6Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8A4194:				; CODE XREF: KsepGetModuleInfoByAddress(x,x,x,x)+Dj
					; KsepGetModuleInfoByAddress(x,x,x,x)+14j ...
		mov	eax, 0C000000Dh
		jmp	short loc_8A418D
_KsepGetModuleInfoByAddress@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepGetLoadedModulesList(x)
_KsepGetLoadedModulesList@4 proc near	; CODE XREF: KseRegisterShimEx+2Ap
					; KsepResolveApplicableShimsForDriver(x,x)+2A0p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		test	ebx, ebx
		jz	short loc_8A4202
		push	esi
		push	edi
		mov	esi, 120h

loc_8A41B5:				; CODE XREF: KsepGetLoadedModulesList(x)+57j
		mov	ecx, esi
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8A4212
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	edi
		push	0Bh
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	esi, eax
		mov	eax, [edi]
		mov	[ebp+var_8], eax
		test	esi, esi
		jns	short loc_8A41F5
		cmp	esi, 0C0000004h
		jnz	short loc_8A41F7
		mov	ecx, edi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		imul	esi, [ebp+var_8], 11Ch
		add	esi, 4
		jmp	short loc_8A41B5
; 

loc_8A41F5:				; CODE XREF: KsepGetLoadedModulesList(x)+3Cj
		mov	[ebx], edi

loc_8A41F7:				; CODE XREF: KsepGetLoadedModulesList(x)+44j
		test	esi, esi
		js	short loc_8A4209

loc_8A41FB:				; CODE XREF: KsepGetLoadedModulesList(x)+74j
					; KsepGetLoadedModulesList(x)+7Bj
		pop	edi
		mov	eax, esi
		pop	esi

loc_8A41FF:				; CODE XREF: KsepGetLoadedModulesList(x)+6Bj
		pop	ebx
		leave
		retn
; 

loc_8A4202:				; CODE XREF: KsepGetLoadedModulesList(x)+10j
		mov	eax, 0C000000Dh
		jmp	short loc_8A41FF
; 

loc_8A4209:				; CODE XREF: KsepGetLoadedModulesList(x)+5Dj
		mov	ecx, edi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		jmp	short loc_8A41FB
; 

loc_8A4212:				; CODE XREF: KsepGetLoadedModulesList(x)+24j
		mov	esi, 0C000009Ah
		jmp	short loc_8A41FB
_KsepGetLoadedModulesList@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepRmCommandServerThread proc near	; DATA XREF: SeRmInitPhase1()+49o

var_242		= byte ptr -242h
var_241		= byte ptr -241h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_228		= dword	ptr -228h
var_218		= dword	ptr -218h
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1F0		= dword	ptr -1F0h
var_110		= dword	ptr -110h
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00930B8A SIZE 000001B0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 244h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+244h+var_4], eax
		push	ebx
		push	esi
		push	edi		; struct _exception *
		mov	esi, 0F8h
		lea	eax, [esp+250h+var_200]
		push	esi		; size_t
		xor	edi, edi
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+250h+var_100]
		push	esi		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		mov	[esp+250h+var_240], edi
		mov	ecx, [eax+80h]
		mov	ds:_SepRmLsaCallProcess, ecx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		push	edi
		call	_PoRequestShutdownEvent@4 ; PoRequestShutdownEvent(x)
		mov	esi, eax
		test	esi, esi
		js	loc_930B8A
		xor	ebx, ebx
		mov	[esp+250h+var_204], edi
		mov	[esp+250h+var_208], 10000E8h
		inc	ebx
		mov	[esp+250h+var_104], edi
		mov	[esp+250h+var_108], 10000E8h

loc_8A42AD:				; CODE XREF: SepRmCommandServerThread+EBj
		mov	ecx, edi

loc_8A42AF:				; CODE XREF: SepRmCommandServerThread+13Bj
					; SepRmCommandServerThread+150j ...
		lea	eax, [esp+250h+var_208]
		push	eax
		push	ecx
		lea	eax, [esp+258h+var_240]
		push	eax
		push	ds:dword_A94E28
		call	_ZwReplyWaitReceivePort@16 ; ZwReplyWaitReceivePort(x,x,x,x)
		mov	ecx, edi
		mov	[esp+250h+var_23C], ecx
		test	eax, eax
		js	loc_930BB8

loc_8A42D3:				; CODE XREF: SepRmCommandServerThread+8C9BFj
		mov	esi, [esp+250h+var_240]
		cmp	esi, 0FFFFFFF8h
		jnz	short loc_8A42E7
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	esi, eax
		mov	[esp+250h+var_240], esi

loc_8A42E7:				; CODE XREF: SepRmCommandServerThread+C0j
		mov	ecx, [esp+250h+var_204]
		and	ecx, 7FFFh
		mov	eax, ecx
		mov	word ptr [esp+250h+var_204], cx
		cmp	ax, bx
		jnz	short loc_8A435A
		mov	eax, [esp+250h+var_1F0]
		dec	eax
		cmp	eax, 0Bh
		ja	short loc_8A42AD
		push	esi
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	ecx, [esp+250h+var_1F0]
		mov	esi, eax
		lea	eax, [esp+250h+var_108]
		push	eax
		lea	eax, [esp+254h+var_208]
		push	eax
		call	ds:_SepRmCommandDispatch[ecx*4]
		push	esi
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		mov	eax, [esp+258h+var_208]
		lea	ecx, [esp+258h+var_110]
		mov	[esp+258h+var_108], eax
		mov	eax, [esp+258h+var_204]
		mov	[esp+258h+var_104], eax
		mov	eax, [esp+258h+var_200]
		mov	[esp+258h+var_100], eax
		jmp	loc_8A42AF
; 

loc_8A435A:				; CODE XREF: SepRmCommandServerThread+E1j
		cmp	eax, 5
		jz	loc_930BDE
		mov	ecx, [esp+250h+var_23C]
		cmp	eax, 0Ah
		jnz	loc_8A42AF
		lea	ecx, [esp+250h+var_208]
		call	SepRmLsaConnectRequest

loc_8A4379:				; CODE XREF: SepRmCommandServerThread+8CB1Bj
		mov	ecx, [esp+250h+var_23C]
		jmp	loc_8A42AF
SepRmCommandServerThread endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepRmGlobalSaclSetWrkr proc near	; DATA XREF: PAGE:00A40D10o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00930D3A SIZE 0000013D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	ebx
		mov	[ebp+var_1C], eax
		mov	bl, al
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		movzx	eax, word ptr [ecx+1Ch]
		mov	edx, eax
		mov	word ptr [ebp+var_1C+2], ax
		mov	word ptr [ebp+var_1C], ax
		lea	eax, [ecx+1Eh]
		push	esi
		mov	[ebp+var_14], eax
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_4]
		push	edi
		mov	[ebp+arg_0], edx
		lea	edx, [ebp+var_C]
		push	eax
		call	SepRmFetchGlobalSacl
		mov	edi, eax
		test	edi, edi
		jns	loc_930D3A

loc_8A43D6:				; CODE XREF: SepRmGlobalSaclSetWrkr+8CA5Dj
					; SepRmGlobalSaclSetWrkr+8CA66j ...
		cmp	[ebp+var_4], 0
		jnz	loc_930E68

loc_8A43E0:				; CODE XREF: SepRmGlobalSaclSetWrkr+8CAF0j
		test	bl, bl
		jnz	loc_930D8B

loc_8A43E8:				; CODE XREF: SepRmGlobalSaclSetWrkr+8CA18j
		mov	eax, [ebp+arg_4]
		mov	[eax+18h], edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
SepRmGlobalSaclSetWrkr endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepRmFetchGlobalSacl proc near		; CODE XREF: SepRmGlobalSaclSetWrkr+45p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00930E77 SIZE 000000E1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_C], edx
		push	edi
		push	6C635347h
		movzx	esi, word ptr [ebx]
		add	esi, 62h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8A4486
		push	offset _GlobalSaclKeyPrefix
		mov	edx, esi
		mov	ecx, edi
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		test	eax, eax
		js	short loc_8A444D
		movzx	eax, word ptr [ebx]
		mov	ecx, edi
		shr	eax, 1
		push	eax
		push	dword ptr [ebx+4]
		shr	esi, 1
		mov	edx, esi
		call	_RtlStringCchCatNW@16 ;	RtlStringCchCatNW(x,x,x,x)

loc_8A444D:				; CODE XREF: SepRmFetchGlobalSacl+41j
		lea	eax, [ebp+var_8]
		mov	edx, 201h
		push	eax
		mov	ecx, edi
		call	_SepRegOpenKey@12 ; SepRegOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_930E77

loc_8A4467:				; CODE XREF: SepRmFetchGlobalSacl+95j
					; SepRmFetchGlobalSacl+8CAA4j ...
		cmp	[ebp+var_8], 0
		jnz	loc_930F47

loc_8A4471:				; CODE XREF: SepRmFetchGlobalSacl+8CB5Dj
		test	edi, edi
		jz	short loc_8A447D
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A447D:				; CODE XREF: SepRmFetchGlobalSacl+7Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8A4486:				; CODE XREF: SepRmFetchGlobalSacl+2Fj
					; SepRmFetchGlobalSacl+8CAE1j
		mov	esi, 0C0000017h
		jmp	short loc_8A4467
SepRmFetchGlobalSacl endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepRmCapUpdateWrkr proc	near		; DATA XREF: PAGE:00A40D14o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00930F58 SIZE 000000E1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	ecx, [eax+1Ch]
		push	edi
		call	SepBuildCapPolicyTable
		mov	[ebp+arg_0], eax
		test	eax, eax
		js	loc_930FEA
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jnz	loc_930F58

loc_8A44BF:				; CODE XREF: SepRmCapUpdateWrkr+8CAD1j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _SepRmCapTableLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, ds:_SepRmCapTable
		mov	eax, [ebp+var_4]
		mov	ds:_SepRmCapTable, eax
		cmp	ds:_SepRmCapTable, 0
		push	0FFFFFFFFh
		setnz	_SepRmEnforceCap
		cmp	_SepRmEnforceCap, 0
		pop	edi
		jnz	loc_930F64

loc_8A4507:				; CODE XREF: SepRmCapUpdateWrkr+8CADDj
					; SepRmCapUpdateWrkr+8CB1Dj
		mov	eax, edi
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_930FB0

loc_8A4515:				; CODE XREF: SepRmCapUpdateWrkr+8CB24j
					; SepRmCapUpdateWrkr+8CB31j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	ebx, ebx
		jnz	loc_930FC4

loc_8A4530:				; CODE XREF: SepRmCapUpdateWrkr+8CB3Ej
					; SepRmCapUpdateWrkr+8CB4Bj ...
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		pop	edi
		pop	esi
		mov	[eax+18h], ecx
		pop	ebx
		leave
		retn	8
SepRmCapUpdateWrkr endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepReadAndPopulateCapes	proc near	; CODE XREF: SepBuildCapPolicyTable+8Ap

var_520		= dword	ptr -520h
var_51C		= dword	ptr -51Ch
var_518		= dword	ptr -518h
var_514		= dword	ptr -514h
var_510		= dword	ptr -510h
var_50C		= dword	ptr -50Ch
var_508		= dword	ptr -508h
var_504		= dword	ptr -504h
var_500		= dword	ptr -500h
var_4FC		= dword	ptr -4FCh
var_4F8		= dword	ptr -4F8h
var_4F4		= dword	ptr -4F4h
var_4F0		= dword	ptr -4F0h
var_4E9		= byte ptr -4E9h
var_4E8		= dword	ptr -4E8h
var_2B8		= word ptr -2B8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00931039 SIZE 0000067A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 524h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_504], edx
		mov	eax, ecx
		mov	[ebp+var_508], eax
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_4F4]
		mov	[ebp+var_520], ecx
		lea	ebx, [ebp+var_4E8]
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_51C], ecx
		xor	ecx, ecx
		push	edx
		mov	[ebp+var_4F4], ecx
		mov	edi, ecx
		mov	[ebp+var_4E9], cl
		mov	[ebp+var_4F0], ecx
		mov	[ebp+var_510], ecx
		mov	ecx, 230h
		push	ecx
		mov	[ebp+var_500], ecx
		mov	ecx, ebx
		push	ecx
		push	2
		push	eax
		mov	[ebp+var_514], ebx
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_931039

loc_8A45C8:				; CODE XREF: SepReadAndPopulateCapes+8CB58j
		mov	eax, [ebx+14h]
		mov	[ebp+var_50C], eax
		test	eax, eax
		jnz	loc_9310D7
		mov	edx, [ebp+var_51C]
		mov	ecx, [ebp+var_520]
		and	[edx], edi
		and	[ecx], edi

loc_8A45E9:				; CODE XREF: SepReadAndPopulateCapes+8CB07j
					; SepReadAndPopulateCapes+8CC55j ...
		test	esi, esi
		js	loc_93109E

loc_8A45F1:				; CODE XREF: SepReadAndPopulateCapes+8CB7Aj
					; SepReadAndPopulateCapes+8CB8Bj
		cmp	[ebp+var_4E9], 0
		jnz	loc_931685

loc_8A45FE:				; CODE XREF: SepReadAndPopulateCapes+8D14Dj
					; SepReadAndPopulateCapes+8D15Ej
		test	edi, edi
		jnz	loc_9316A3

loc_8A4606:				; CODE XREF: SepReadAndPopulateCapes+8D16Ej
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
SepReadAndPopulateCapes	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepRmSetAuditEventWrkr proc near	; DATA XREF: PAGE:00A40D00o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009316B3 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_4]
		and	[ebp+var_4], 0
		and	dword ptr [eax+18h], 0
		mov	eax, [ebp+arg_0]
		add	eax, 1Ch
		mov	[ebp+arg_4], eax
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	locret_8A4703
		push	ebx
		push	esi
		push	edi
		mov	edi, offset _SeAuditingStateByCategory
		mov	[ebp+var_14], 9
		mov	eax, offset _AdtpPerCategoryCount
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], eax

loc_8A465D:				; CODE XREF: SepRmSetAuditEventWrkr+D6j
		movzx	esi, word ptr [eax]
		xor	edx, edx
		xor	eax, eax
		mov	[ebp+var_1C], esi
		xor	ebx, ebx
		cmp	ax, si
		jnb	short loc_8A46CD
		mov	edi, [ebp+var_4]
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+edi*2]
		mov	eax, offset _SeAuditingState
		sub	eax, [ebp+arg_4]
		mov	[ebp+var_18], eax
		mov	eax, offset unk_6BE6C1
		sub	eax, [ebp+arg_4]
		mov	[ebp+arg_0], eax
		movzx	eax, si
		mov	esi, [ebp+arg_0]
		add	edi, eax
		mov	[ebp+var_4], edi
		mov	edi, [ebp+var_18]
		mov	[ebp+var_8], eax

loc_8A469E:				; CODE XREF: SepRmSetAuditEventWrkr+A6j
		mov	byte ptr [esi+ecx], 0
		mov	byte ptr [edi+ecx], 0
		movzx	eax, word ptr [ecx]
		mov	esi, eax
		mov	[ebp+var_18], esi
		mov	esi, [ebp+arg_0]
		test	al, 1
		jnz	short loc_8A4707

loc_8A46B5:				; CODE XREF: SepRmSetAuditEventWrkr+F5j
		test	al, 2
		jnz	short loc_8A4711

loc_8A46B9:				; CODE XREF: SepRmSetAuditEventWrkr+FCj
		add	ecx, 2
		sub	[ebp+var_8], 1
		jnz	short loc_8A469E
		mov	esi, [ebp+var_1C]
		mov	edi, [ebp+var_10]
		test	dx, dx
		jnz	short loc_8A4718

loc_8A46CD:				; CODE XREF: SepRmSetAuditEventWrkr+52j
		push	24h
		pop	ecx
		push	14h
		pop	edx
		push	44h

loc_8A46D5:				; CODE XREF: SepRmSetAuditEventWrkr+10Fj
					; SepRmSetAuditEventWrkr+8D0A1j
		pop	eax
		test	bx, bx
		jnz	short loc_8A472B

loc_8A46DB:				; CODE XREF: SepRmSetAuditEventWrkr+116j
					; SepRmSetAuditEventWrkr+11Aj
		mov	[edi], eax
		add	edi, 4
		mov	eax, [ebp+var_C]
		add	eax, 2
		mov	[ebp+var_10], edi
		sub	[ebp+var_14], 1
		mov	[ebp+var_C], eax
		jnz	loc_8A465D
		pop	edi
		pop	esi
		mov	_SepRmAuditingEnabled, 1
		pop	ebx

locret_8A4703:				; CODE XREF: SepRmSetAuditEventWrkr+23j
		leave
		retn	8
; 

loc_8A4707:				; CODE XREF: SepRmSetAuditEventWrkr+99j
		mov	byte ptr [edi+ecx], 1
		inc	edx
		movzx	eax, word ptr [ecx]
		jmp	short loc_8A46B5
; 

loc_8A4711:				; CODE XREF: SepRmSetAuditEventWrkr+9Dj
		mov	byte ptr [esi+ecx], 1
		inc	ebx
		jmp	short loc_8A46B9
; 

loc_8A4718:				; CODE XREF: SepRmSetAuditEventWrkr+B1j
		cmp	dx, si
		jz	loc_9316B3
		push	22h
		pop	ecx
		push	12h
		pop	edx
		push	42h
		jmp	short loc_8A46D5
; 

loc_8A472B:				; CODE XREF: SepRmSetAuditEventWrkr+BFj
		mov	eax, edx
		cmp	bx, si
		jz	short loc_8A46DB
		mov	eax, ecx
		jmp	short loc_8A46DB
SepRmSetAuditEventWrkr endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepRmLsaConnectRequest proc near	; CODE XREF: SepRmCommandServerThread+15Ap

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009316C0 SIZE 00000073 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		xor	eax, eax
		mov	[ebp+var_68], 18h
		mov	edx, ecx
		lea	edi, [ebp+var_44]
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_10]
		mov	[ebp+var_24], edx
		stosd
		xor	esi, esi
		mov	[ebp+var_4C], esi
		mov	ebx, esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_2C], esi
		stosd
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		stosd
		lea	eax, [edx+8]
		push	eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_64], esi
		push	eax
		push	28h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_5C], esi
		push	eax
		mov	[ebp+var_60], esi
		mov	[ebp+var_58], esi
		mov	[ebp+var_54], esi
		call	_ZwOpenProcess@16 ; ZwOpenProcess(x,x,x,x)
		test	eax, eax
		js	loc_9316C8
		mov	eax, ds:_PsProcessType
		lea	ecx, [ebp+var_18]
		push	esi
		push	ecx
		push	esi
		push	eax
		push	esi
		push	[ebp+var_1C]
		mov	[ebp+var_18], esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, [ebp+var_18]
		mov	[ebp+var_18], ebx
		test	eax, eax
		js	loc_9316C0
		push	ebx
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		mov	esi, eax
		mov	ecx, esi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		lea	edi, [eax+1C0h]
		cmp	dword ptr [edi], 0
		jnz	loc_9316EF
		mov	eax, [ebp+var_1C]
		mov	ecx, edi
		mov	[edi], eax
		call	SepRmVerifyLsaProtectionLevel
		push	esi
		mov	[ebp+var_50], 0Ch
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		mov	[ebp+var_11], al
		test	al, al
		jz	loc_9316FB
		push	0FFFFFFF8h
		pop	eax

loc_8A4812:				; CODE XREF: SepRmLsaConnectRequest+8CFD3j
		lea	edx, [ebp+var_50]
		push	edx
		push	0
		push	1
		push	[ebp+var_24]
		lea	ecx, [edi+0Ch]
		push	eax
		push	ecx
		call	_ZwAcceptConnectPort@24	; ZwAcceptConnectPort(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_93170E
		push	dword ptr [edi+0Ch]
		call	_ZwCompleteConnectPort@4 ; ZwCompleteConnectPort(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8A492C
		xor	edx, edx
		mov	[ebp+var_C], 2
		push	edx
		push	8000000h
		push	4
		lea	eax, [edi+18h]
		mov	[ebp+var_8], 101h
		push	eax
		push	edx
		lea	ecx, [edi+14h]
		mov	dword ptr [eax], 1000h
		push	0F001Fh
		push	ecx
		mov	[edi+1Ch], edx
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8A492C
		mov	[ebp+var_44], 18h
		xor	ebx, ebx
		mov	eax, [edi+14h]
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], ebx
		mov	eax, [edi+18h]
		push	esi
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	esi, eax
		lea	eax, [ebp+var_2C]
		push	offset ??_C@_1CE@KFPIKEIA@?$AA?2?$AAS?$AAe?$AAL?$AAs?$AAa?$AAC?$AAo?$AAm?$AAm?$AAa?$AAn?$AAd?$AAP?$AAo@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		push	ebx
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [edi+4]
		push	eax
		call	_ZwConnectPort@32 ; ZwConnectPort(x,x,x,x,x,x,x,x)
		push	esi
		mov	ebx, eax
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		test	ebx, ebx
		js	short loc_8A492C
		cmp	[ebp+var_20], 100h
		jnz	loc_931729
		mov	eax, [ebp+var_34]
		mov	[edi+24h], eax
		mov	eax, [ebp+var_30]
		sub	eax, [ebp+var_34]
		mov	[edi+28h], eax
		mov	eax, [ebp+var_30]
		mov	[edi+20h], eax

loc_8A48FE:				; CODE XREF: SepRmLsaConnectRequest+1FDj
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_8A490F
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [edi+14h], 0

loc_8A490F:				; CODE XREF: SepRmLsaConnectRequest+1CDj
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jz	short loc_8A491B
		call	ObfDereferenceObject

loc_8A491B:				; CODE XREF: SepRmLsaConnectRequest+1DEj
		mov	eax, ebx

loc_8A491D:				; CODE XREF: SepRmLsaConnectRequest+8CFB4j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8A492C:				; CODE XREF: SepRmLsaConnectRequest+107j
					; SepRmLsaConnectRequest+144j ...
		mov	ecx, edi
		call	_SepRmCleanupRmLsaState@4 ; SepRmCleanupRmLsaState(x)
		jmp	short loc_8A48FE
SepRmLsaConnectRequest endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1719. PoRequestShutdownEvent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoRequestShutdownEvent(x)
		public _PoRequestShutdownEvent@4
_PoRequestShutdownEvent@4 proc near	; CODE XREF: SepRmCommandServerThread+63p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_8A494A
		and	dword ptr [esi], 0

loc_8A494A:				; CODE XREF: PoRequestShutdownEvent(x)+Bj
		mov	ecx, large fs:124h
		call	PopRequestShutdownWait
		test	eax, eax
		js	short loc_8A4966
		test	esi, esi
		jz	short loc_8A4964
		mov	dword ptr [esi], offset	_PopShutdownEvent

loc_8A4964:				; CODE XREF: PoRequestShutdownEvent(x)+22j
		xor	eax, eax

loc_8A4966:				; CODE XREF: PoRequestShutdownEvent(x)+1Ej
		pop	esi
		pop	ebp
		retn	4
_PoRequestShutdownEvent@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


PopRequestShutdownWait proc near	; CODE XREF: PoRequestShutdownEvent(x)+17p

; FUNCTION CHUNK AT 00931733 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	4C536F50h
		push	8
		push	1
		mov	edi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8A49CB
		mov	edx, 64536F50h
		mov	[esi+4], edi
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		mov	ebx, offset _PopShutdownListMutex
		mov	ecx, ebx
		call	ExAcquireFastMutex
		cmp	_PopShutdownListAvailable, 0
		jz	loc_931733
		mov	eax, _PopShutdownThreadList
		mov	[esi], eax
		mov	_PopShutdownThreadList,	esi
		xor	esi, esi

loc_8A49BE:				; CODE XREF: PopRequestShutdownWait+8CDE0j
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, esi

loc_8A49C7:				; CODE XREF: PopRequestShutdownWait+64j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8A49CB:				; CODE XREF: PopRequestShutdownWait+19j
		mov	eax, 0C0000017h
		jmp	short loc_8A49C7
PopRequestShutdownWait endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepRmVerifyLsaProtectionLevel proc near	; CODE XREF: SepRmLsaConnectRequest+BCp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00931751 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_20], 4
		push	offset ??_C@_1CM@IGDPDBMK@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA_?$AAL?$AAs?$AAa?$AA_?$AAP?$AAp?$AAl?$AA_@NNGAKEGL@
		lea	eax, [ebp+var_28]
		mov	[ebp+var_28], ebx
		push	eax
		mov	esi, ecx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], 77FA9ABDh
		mov	[ebp+var_10], 4D320359h
		mov	[ebp+var_C], 0F42860BDh
		mov	[ebp+var_8], 4B788FE7h
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	_ZwQuerySystemEnvironmentValueEx@20 ; ZwQuerySystemEnvironmentValueEx(x,x,x,x,x)
		cmp	[ebp+var_18], 4
		jz	loc_931751

loc_8A4A44:				; CODE XREF: SepRmVerifyLsaProtectionLevel+8CDABj
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
SepRmVerifyLsaProtectionLevel endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetDeviceRegKeySecurityDescriptor proc near ; CODE XREF: _CmOpenDeviceRegKeyWorker+2D5p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009317AC SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	eax, eax
		xor	esi, esi
		xor	bl, bl
		mov	[ebp+var_4], eax
		push	edi
		test	edx, edx
		jz	loc_9317AC
		test	edx, 0FFFFFCE8h
		jnz	loc_9317AC
		mov	edi, [ebp+arg_0]
		and	[edi], eax
		test	edx, 0F00h
		jnz	short loc_8A4AC3
		movzx	eax, dl
		cmp	eax, 11h
		jz	short loc_8A4A98
		cmp	eax, 12h
		jz	short loc_8A4ACC

loc_8A4A93:				; CODE XREF: _CmGetDeviceRegKeySecurityDescriptor+7Fj
		cmp	eax, 13h
		jnz	short loc_8A4AD3

loc_8A4A98:				; CODE XREF: _CmGetDeviceRegKeySecurityDescriptor+3Aj
					; _CmGetDeviceRegKeySecurityDescriptor+7Dj ...
		cmp	dword ptr [ecx], 0A000000h
		jb	short loc_8A4AAE
		cmp	eax, 11h
		jz	short loc_8A4ADA
		cmp	eax, 12h
		jz	loc_93179E

loc_8A4AAE:				; CODE XREF: _CmGetDeviceRegKeySecurityDescriptor+4Cj
					; _CmGetDeviceRegKeySecurityDescriptor+8Aj ...
		lea	edx, [ebp+var_4]
		mov	cl, bl
		call	_CmGetRegKeySecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_8A4ADE
		mov	ecx, [ebp+var_4]
		mov	[edi], ecx

loc_8A4AC3:				; CODE XREF: _CmGetDeviceRegKeySecurityDescriptor+32j
					; _CmGetDeviceRegKeySecurityDescriptor+84j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8A4ACC:				; CODE XREF: _CmGetDeviceRegKeySecurityDescriptor+3Fj
		cmp	[ecx+4], bl
		jnz	short loc_8A4A98
		jmp	short loc_8A4A93
; 

loc_8A4AD3:				; CODE XREF: _CmGetDeviceRegKeySecurityDescriptor+44j
		cmp	eax, 14h
		jnz	short loc_8A4AC3
		jmp	short loc_8A4A98
; 

loc_8A4ADA:				; CODE XREF: _CmGetDeviceRegKeySecurityDescriptor+51j
					; SepRmVerifyLsaProtectionLevel+8CDD5j
		mov	bl, 1
		jmp	short loc_8A4AAE
; 

loc_8A4ADE:				; CODE XREF: _CmGetDeviceRegKeySecurityDescriptor+6Aj
		mov	eax, [ebp+var_4]
		jmp	loc_9317B1
_CmGetDeviceRegKeySecurityDescriptor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetRegKeySecurityDescriptor proc near
					; CODE XREF: _CmGetDeviceRegKeySecurityDescriptor+61p
					; _CmGetDeviceInterfaceRegKeySecurityDescriptor(x,x,x)+45p

var_74		= dword	ptr -74h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= word ptr -54h
var_50		= dword	ptr -50h
var_4C		= word ptr -4Ch
var_48		= dword	ptr -48h
var_44		= word ptr -44h
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009317C6 SIZE 0000009E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_60], edx
		lea	edi, [ebp+var_74]
		mov	[ebp+var_44], 500h
		stosd
		mov	bl, cl
		push	1
		xor	ecx, ecx
		mov	[ebp+var_3D], bl
		mov	[ebp+var_48], ecx
		stosd
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], 100h
		mov	[ebp+var_58], ecx
		stosd
		mov	[ebp+var_54], 0F00h
		mov	[edx], ecx
		stosd
		stosd
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A4D6E
		xor	edi, edi
		lea	eax, [ebp+var_20]
		push	edi
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 12h
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_9317C6
		push	1
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A4D6E
		push	edi
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	[eax], edi
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_9317C6
		push	2
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A4D6E
		push	edi
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	1
		mov	dword ptr [eax], 20h
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 220h
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_9317C6
		test	bl, bl
		jnz	loc_9317D0

loc_8A4BF1:				; CODE XREF: _CmGetRegKeySecurityDescriptor+8CD2Fj
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	esi, eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	esi, eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	esi, 20h
		add	esi, eax
		test	bl, bl
		jnz	loc_93181A

loc_8A4C1D:				; CODE XREF: _CmGetRegKeySecurityDescriptor+8CD3Fj
		push	52504E50h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_93182A
		push	2		; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A4D66
		push	0
		lea	eax, [ebp+var_20]
		mov	ecx, ebx
		push	eax
		push	0F003Fh
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_8A4D66
		push	0
		lea	eax, [ebp+var_2C]
		mov	ecx, ebx
		push	eax
		push	20019h
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_8A4D66
		push	0
		lea	eax, [ebp+var_14]
		mov	ecx, ebx
		push	eax
		push	0F003Fh
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_8A4D66
		cmp	[ebp+var_3D], 0
		jnz	loc_931834

loc_8A4CB4:				; CODE XREF: _CmGetRegKeySecurityDescriptor+8CD6Cj
		xor	edi, edi
		lea	eax, [ebp+var_74]
		inc	edi
		push	edi
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A4D66
		push	0
		push	ebx
		push	edi
		lea	eax, [ebp+var_74]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_8A4D66
		push	edi
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8A4D66
		push	edi
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8A4D66
		mov	eax, 1500h
		or	word ptr [ebp+var_74+2], ax
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jz	short loc_8A4D7F
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	[ebp+var_5C], eax
		cmp	eax, 14h
		jb	short loc_8A4D86
		push	52504E50h
		push	eax
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8A4D8D
		lea	eax, [ebp+var_5C]
		push	eax
		push	edi
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8A4D5E
		mov	eax, [ebp+var_60]
		mov	[eax], edi
		xor	edi, edi

loc_8A4D5E:				; CODE XREF: _CmGetRegKeySecurityDescriptor+26Fj
		test	edi, edi
		jnz	loc_931857

loc_8A4D66:				; CODE XREF: _CmGetRegKeySecurityDescriptor+15Bj
					; _CmGetRegKeySecurityDescriptor+17Cj ...
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A4D6E:				; CODE XREF: _CmGetRegKeySecurityDescriptor+59j
					; _CmGetRegKeySecurityDescriptor+95j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8A4D7F:				; CODE XREF: _CmGetRegKeySecurityDescriptor+238j
		mov	esi, 0C00000E5h
		jmp	short loc_8A4D66
; 

loc_8A4D86:				; CODE XREF: _CmGetRegKeySecurityDescriptor+249j
		mov	esi, 0C000003Eh
		jmp	short loc_8A4D66
; 

loc_8A4D8D:				; CODE XREF: _CmGetRegKeySecurityDescriptor+25Bj
		mov	esi, 0C0000017h
		jmp	short loc_8A4D66
_CmGetRegKeySecurityDescriptor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopGenerateDeviceFriendlyName proc near	; CODE XREF: PopFxRegisterDevice+C3p
					; PopDirectedDripsDiagCreateDeviceDescription(x,x)+1Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00931864 SIZE 00000061 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	edi, edx
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	edx
		push	edx
		mov	[edi], edx
		mov	[edi+4], edx
		mov	eax, [ebx+10h]
		push	edx
		push	eax
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], eax
		call	IoGetDeviceProperty
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_931878
		mov	ecx, [ebp+var_4]
		mov	edx, 0FFFFh
		cmp	ecx, edx
		ja	loc_931864
		lea	eax, [ebx+48h]
		mov	[ebp+var_10], eax
		movzx	eax, word ptr [eax]
		add	eax, 6
		add	eax, ecx
		mov	[ebp+var_C], eax
		cmp	eax, edx
		ja	loc_931864
		push	4D584650h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_93186E
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		push	[ebp+var_4]
		push	0
		push	[ebp+var_8]
		call	IoGetDeviceProperty
		mov	esi, eax
		test	esi, esi
		js	short loc_8A4E93
		push	ecx
		push	ecx
		mov	edx, ebx
		mov	ecx, edi
		call	RtlUnicodeStringInitWorker
		mov	esi, eax
		mov	eax, [ebp+var_C]
		mov	[edi+2], ax
		test	esi, esi
		js	short loc_8A4E93
		mov	edx, offset ??_C@_15CMBHNMLL@?$AA?5?$AA?$CI@NNGAKEGL@ ;	" ("
		mov	ecx, edi
		call	_RtlUnicodeStringCatString@8 ; RtlUnicodeStringCatString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8A4E93
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		call	_RtlUnicodeStringCat@8 ; RtlUnicodeStringCat(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8A4E93
		mov	edx, offset ??_C@_13DIBMAFH@?$AA?$CJ@NNGAKEGL@
		mov	ecx, edi
		call	_RtlUnicodeStringCatString@8 ; RtlUnicodeStringCatString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8A4E93
		movzx	eax, word ptr [edi+2]
		movzx	ecx, word ptr [edi]
		sub	eax, 2
		cmp	ecx, eax
		ja	short loc_8A4EA6
		mov	eax, [edi+4]
		shr	ecx, 1
		xor	edx, edx
		mov	[eax+ecx*2], dx

loc_8A4E8B:				; CODE XREF: PopGenerateDeviceFriendlyName+117j
		test	esi, esi
		js	short loc_8A4E93

loc_8A4E8F:				; CODE XREF: PopGenerateDeviceFriendlyName+8CB1Cj
		xor	ebx, ebx
		xor	esi, esi

loc_8A4E93:				; CODE XREF: PopGenerateDeviceFriendlyName+90j
					; PopGenerateDeviceFriendlyName+A8j ...
		test	ebx, ebx
		jnz	loc_9318B5

loc_8A4E9B:				; CODE XREF: PopGenerateDeviceFriendlyName+8CAEAj
					; PopGenerateDeviceFriendlyName+8CB2Cj
		test	esi, esi
		js	short loc_8A4EAD

loc_8A4E9F:				; CODE XREF: PopGenerateDeviceFriendlyName+120j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8A4EA6:				; CODE XREF: PopGenerateDeviceFriendlyName+EAj
		mov	esi, 80000005h
		jmp	short loc_8A4E8B
; 

loc_8A4EAD:				; CODE XREF: PopGenerateDeviceFriendlyName+109j
					; PopGenerateDeviceFriendlyName+8CAD5j	...
		and	dword ptr [edi], 0
		and	dword ptr [edi+4], 0
		jmp	short loc_8A4E9F
PopGenerateDeviceFriendlyName endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipMakeGloballyUniqueId	proc near	; CODE XREF: PiProcessNewDeviceNode+239p
					; PiProcessNewDeviceNode+6E771p ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009318C5 SIZE 000001F8 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	[ebp+var_50], eax
		mov	esi, ecx
		xor	eax, eax
		mov	[ebp+var_48], edx
		push	edi
		mov	[ebp+var_30], eax
		mov	edi, eax
		mov	[ebp+var_2C], eax
		mov	ebx, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_4C], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceSharedLite
		xor	edx, edx
		test	esi, esi
		jz	loc_9318C5
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	[ebp+var_34], eax

loc_8A4F24:				; CODE XREF: PipMakeGloballyUniqueId+8CA14j
		push	edx
		lea	ecx, [ebp+var_2C]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	edx
		push	2001Fh
		push	edx
		mov	edx, [eax+18h]
		push	10h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_8A5088
		push	1Eh
		pop	eax
		push	1Ch
		mov	word ptr [ebp+var_24+2], ax
		pop	eax
		mov	word ptr [ebp+var_24], ax
		lea	eax, [ebp+var_1C]
		push	eax
		push	10h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_20], (offset loc_8B98BD+1)
		push	eax
		push	2
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_2C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_9318CF
		push	1Eh
		pop	eax
		push	1Ch
		mov	word ptr [ebp+var_24+2], ax
		pop	eax
		push	42h
		mov	word ptr [ebp+var_24], ax
		pop	eax
		push	6E657050h
		push	eax
		push	1
		mov	[ebp+var_20], (offset loc_8B9894+6)
		mov	[ebp+var_1C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_38], ebx
		test	ebx, ebx
		jz	loc_931AB3
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_1C]
		lea	eax, [ebp+var_24]
		push	ebx
		push	2
		push	eax
		push	[ebp+var_2C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93191B
		cmp	dword ptr [ebx+4], 1
		jnz	loc_931911
		mov	eax, [ebx+8]
		push	6E657050h
		push	eax
		push	1
		mov	[ebp+var_28], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_931AB3
		mov	edx, [ebp+var_28]
		lea	eax, [ebx+0Ch]
		push	eax
		mov	ecx, edi
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)

loc_8A500B:				; CODE XREF: PipMakeGloballyUniqueId+8CA56j
					; PipMakeGloballyUniqueId+8CBF8j
		mov	edx, edi
		lea	ecx, [edx+2]

loc_8A5010:				; CODE XREF: PipMakeGloballyUniqueId+164j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_44]
		jnz	short loc_8A5010
		mov	eax, [ebp+var_48]
		sub	edx, ecx
		sar	edx, 1
		test	eax, eax
		jz	loc_8A50D3
		mov	ecx, eax
		lea	eax, [ecx+2]
		mov	[ebp+var_40], eax

loc_8A5033:				; CODE XREF: PipMakeGloballyUniqueId+187j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_44]
		jnz	short loc_8A5033
		sub	ecx, [ebp+var_40]
		sar	ecx, 1

loc_8A5044:				; CODE XREF: PipMakeGloballyUniqueId+221j
		lea	eax, [edx+2]
		add	eax, ecx
		mov	[ebp+var_1C], eax
		add	eax, eax
		push	6E657050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4C], eax
		test	eax, eax
		jz	loc_931AB3
		mov	edx, [ebp+var_48]
		test	edx, edx
		jz	short loc_8A50DC
		push	edx
		push	edi		; char
		push	offset ??_C@_1M@IDEFLMF@?$AA?$CF?$AAs?$AA?$CG?$AA?$CF?$AAs@NNGAKEGL@ ; wchar_t *
		push	[ebp+var_1C]	; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 14h

loc_8A5080:				; CODE XREF: PipMakeGloballyUniqueId+231j
					; PipMakeGloballyUniqueId+8CA60j ...
		push	[ebp+var_2C]
		call	_ZwClose@4	; ZwClose(x)

loc_8A5088:				; CODE XREF: PipMakeGloballyUniqueId+8Ej
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	ebx, ebx
		jz	short loc_8A50AB
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A50AB:				; CODE XREF: PipMakeGloballyUniqueId+1EAj
		test	edi, edi
		jz	short loc_8A50B8
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A50B8:				; CODE XREF: PipMakeGloballyUniqueId+1F7j
		mov	ecx, [ebp+var_50]
		mov	eax, [ebp+var_4C]
		pop	edi
		mov	[ecx], eax
		mov	eax, esi
		mov	ecx, [ebp+var_8]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_8A50D3:				; CODE XREF: PipMakeGloballyUniqueId+16Fj
		xor	eax, eax
		mov	ecx, eax
		jmp	loc_8A5044
; 

loc_8A50DC:				; CODE XREF: PipMakeGloballyUniqueId+1B5j
		mov	edx, [ebp+var_1C]
		mov	ecx, eax
		push	edi
		call	RtlStringCchCopyW
		jmp	short loc_8A5080
PipMakeGloballyUniqueId	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1939. RtlAddAccessAllowedAceEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAddAccessAllowedAceEx(x,	x, x, x, x)
		public _RtlAddAccessAllowedAceEx@20
_RtlAddAccessAllowedAceEx@20 proc near	; CODE XREF: PiAuCreateLocalSystemSecurityObject+5Fp
					; PiAuGetDriverDataDirectorySecurityObject+83p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	RtlpAddKnownAce
		pop	ebp
		retn	14h
_RtlAddAccessAllowedAceEx@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiAuAllocateAndInitializeSid proc near	; CODE XREF: PiAuCreateUserSids(x)+38p
					; PiAuCreateUserSids(x)+69p ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00931ABD SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		cmp	esi, 3FFFFFF7h
		ja	short loc_8A515E
		lea	eax, ds:8[esi*4]

loc_8A512C:				; CODE XREF: PiAuAllocateAndInitializeSid+53j
		push	20207050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jz	loc_931ABD
		push	esi
		push	ebx
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_931AC2

loc_8A5155:				; CODE XREF: PiAuAllocateAndInitializeSid+8C9B8j
					; PiAuAllocateAndInitializeSid+8C9C9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_8A515E:				; CODE XREF: PiAuAllocateAndInitializeSid+15j
		or	eax, 0FFFFFFFFh
		jmp	short loc_8A512C
PiAuAllocateAndInitializeSid endp

; 
		align 8
; Exported entry 1941. RtlAddAccessDeniedAceEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAddAccessDeniedAceEx(x, x, x, x,	x)
		public _RtlAddAccessDeniedAceEx@20
_RtlAddAccessDeniedAceEx@20 proc near	; CODE XREF: PiAuCreateStandardSecurityObject+171p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	RtlpAddKnownAce
		pop	ebp
		retn	14h
_RtlAddAccessDeniedAceEx@20 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 911. IoOpenDriverRegistryKey

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoOpenDriverRegistryKey(x, x, x, x,	x)
		public _IoOpenDriverRegistryKey@20
_IoOpenDriverRegistryKey@20 proc near

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+40h+var_18]
		push	6
		xor	edx, edx
		mov	[esp+44h+var_2C], eax
		pop	ecx
		rep stosd
		mov	[esp+40h+var_24], eax
		mov	edi, edx
		mov	eax, [ebp+arg_0]
		mov	ebx, edx
		mov	[esp+40h+var_30], edx
		mov	[esp+40h+var_28], edi
		mov	[esp+40h+var_1C], edx
		mov	[esp+40h+var_20], ebx
		test	eax, eax
		jz	short loc_8A5225
		mov	eax, [eax+18h]
		test	eax, eax
		jz	short loc_8A5225
		cmp	[eax+10h], edx
		jz	short loc_8A5225
		lea	ecx, [eax+0Ch]
		cmp	[ecx], dx
		jz	short loc_8A5225
		cmp	[ebp+arg_C], edx
		jnz	short loc_8A5225
		cmp	[ebp+arg_10], edx
		jz	short loc_8A5225
		push	edx
		push	edx
		lea	eax, [esp+48h+var_20]
		mov	edx, 2001Dh
		push	eax
		call	PipOpenServiceEnumKeys
		mov	ebx, [esp+40h+var_20]
		mov	esi, eax
		test	esi, esi
		js	short loc_8A5235
		lea	eax, [esp+40h+var_28]
		mov	edx, offset ??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@NNGAKEGL@
		push	eax
		push	edi
		mov	ecx, ebx
		call	IopGetRegistryValue
		mov	edi, [esp+40h+var_28]
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_8A527C
		xor	edx, edx

loc_8A5225:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+3Cj
					; IoOpenDriverRegistryKey(x,x,x,x,x)+43j ...
		mov	esi, 0C000000Dh

loc_8A522A:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+22Aj
					; IoOpenDriverRegistryKey(x,x,x,x,x)+28Dj ...
		test	edi, edi
		jz	short loc_8A5235
		push	edx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A5235:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+75j
					; IoOpenDriverRegistryKey(x,x,x,x,x)+A0j
		cmp	[esp+40h+var_30], 0
		jz	short loc_8A5245
		push	[esp+40h+var_30]
		call	_ZwClose@4	; ZwClose(x)

loc_8A5245:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+AEj
		mov	eax, [esp+40h+var_2C]
		test	eax, eax
		jz	short loc_8A5257
		cmp	eax, ebx
		jz	short loc_8A5257
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_8A5257:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+BFj
					; IoOpenDriverRegistryKey(x,x,x,x,x)+C3j
		test	ebx, ebx
		jz	short loc_8A5261
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_8A5261:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+CDj
		mov	eax, [esp+40h+var_1C]
		test	eax, eax
		jz	short loc_8A5271
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A5271:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+DBj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8A527C:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+95j
		test	esi, esi
		js	loc_8A5423
		cmp	dword ptr [edi+4], 4
		jnz	loc_8A541E
		cmp	dword ptr [edi+0Ch], 4
		jnz	loc_8A541E
		mov	eax, [edi+8]
		xor	edx, edx
		test	byte ptr [edi+eax], 0Bh
		jz	short loc_8A5225
		mov	eax, [ebp+arg_4]
		sub	eax, edx
		jz	loc_8A5396
		sub	eax, 1
		jnz	loc_8A5225
		mov	ecx, [ebp+arg_0]
		lea	eax, [esp+40h+var_24]
		push	eax
		mov	ecx, [ecx+18h]
		add	ecx, 0Ch
		call	PiCreateDriverRedirectedStateKey
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_8A52D8
		mov	eax, ebx
		jmp	short loc_8A52E4
; 

loc_8A52D8:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+146j
		mov	eax, [esp+40h+var_24]
		test	esi, esi
		js	loc_8A538D

loc_8A52E4:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+14Aj
		and	[esp+40h+var_8], 0
		and	[esp+40h+var_4], 0
		mov	[esp+40h+var_2C], eax
		mov	[esp+40h+var_14], eax
		lea	eax, [esp+40h+var_18]
		push	eax
		push	[ebp+arg_8]
		lea	eax, [esp+48h+var_30]
		mov	[esp+48h+var_18], 18h
		push	eax
		mov	[esp+4Ch+var_C], 240h
		mov	[esp+4Ch+var_10], (offset loc_403A65+3)
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_8A5383
		lea	ecx, [esp+40h+var_1C]
		call	_PiAuGetServiceStateSecurityObject@4 ; PiAuGetServiceStateSecurityObject(x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A5423
		mov	eax, [esp+40h+var_2C]
		mov	[esp+40h+var_14], eax
		mov	eax, [esp+40h+var_1C]
		mov	[esp+40h+var_8], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		mov	[esp+50h+var_4], eax
		lea	eax, [esp+50h+var_18]
		push	eax
		push	[ebp+arg_8]
		lea	eax, [esp+58h+var_30]
		mov	[esp+58h+var_18], 18h
		push	eax
		mov	[esp+5Ch+var_C], 240h
		mov	[esp+5Ch+var_10], (offset loc_403A65+3)
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax

loc_8A5383:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+19Cj
		test	esi, esi
		js	loc_8A5423
		jmp	short loc_8A53F1
; 

loc_8A538D:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+152j
		mov	[esp+40h+var_2C], eax
		jmp	loc_8A5423
; 

loc_8A5396:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+11Cj
		mov	eax, [ebp+arg_8]
		test	eax, 2000000h
		jz	short loc_8A53AA
		and	eax, 0FDFFFFFFh
		or	eax, 20019h

loc_8A53AA:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+212j
		test	eax, 7FFDFFE6h
		jz	short loc_8A53BB
		mov	esi, 0C0000022h
		jmp	loc_8A522A
; 

loc_8A53BB:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+223j
		lea	ecx, [esp+40h+var_18]
		mov	[esp+40h+var_18], 18h
		push	ecx
		push	eax
		lea	eax, [esp+48h+var_30]
		mov	[esp+48h+var_14], ebx
		push	eax
		mov	[esp+4Ch+var_C], 240h
		mov	[esp+4Ch+var_10], (offset loc_403A5F+1)
		mov	[esp+4Ch+var_8], edx
		mov	[esp+4Ch+var_4], edx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax

loc_8A53F1:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+1FFj
		test	esi, esi
		js	short loc_8A5423
		cmp	[ebp+arg_4], 1
		mov	eax, [esp+40h+var_30]
		jnz	short loc_8A540E
		test	eax, eax
		jz	short loc_8A540E
		mov	ecx, eax
		call	_IopApplyMutableTagToRegistryKey@4 ; IopApplyMutableTagToRegistryKey(x)
		mov	eax, [esp+40h+var_30]

loc_8A540E:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+271j
					; IoOpenDriverRegistryKey(x,x,x,x,x)+275j
		mov	ecx, [ebp+arg_10]
		xor	edx, edx
		mov	[esp+40h+var_30], edx
		mov	[ecx], eax
		jmp	loc_8A522A
; 

loc_8A541E:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+FCj
					; IoOpenDriverRegistryKey(x,x,x,x,x)+106j
		mov	esi, 0C000014Ch

loc_8A5423:				; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+F2j
					; IoOpenDriverRegistryKey(x,x,x,x,x)+1ABj ...
		xor	edx, edx
		jmp	loc_8A522A
_IoOpenDriverRegistryKey@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCreateDriverRedirectedStateKey proc near
					; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+139p
					; IopInitializeBootDrivers+2D1FFp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00931ADC SIZE 0000015B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_40]
		push	6
		mov	esi, ecx
		mov	[ebp+var_28], eax
		pop	ecx
		rep stosd
		mov	ebx, eax
		mov	[ebp+var_24], eax
		mov	edi, eax
		mov	dword ptr [ebp+var_20],	eax
		push	eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_20]
		push	eax
		mov	[ebp+var_10], esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	esi, esi
		jz	short loc_8A54D3
		cmp	[esi+4], ebx
		jz	short loc_8A54D3
		push	2
		pop	eax
		cmp	[esi], ax
		jb	short loc_8A54D3
		cmp	[ebp+arg_0], ebx
		jz	short loc_8A54D3
		lea	eax, [ebp+var_20]
		xor	edx, edx	; void *
		push	eax		; int
		push	edi		; int
		mov	ecx, offset ??_C@_1CA@MIBAJKAO@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAa?$AAt?$AAe?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@ ; "DriverStatePath"
		call	PiGetStateRootPath
		mov	esi, eax
		test	esi, esi
		jns	loc_931ADC

loc_8A54A2:				; CODE XREF: PiCreateDriverRedirectedStateKey+AEj
					; PiCreateDriverRedirectedStateKey+8C6CFj ...
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_8], 0
		jnz	loc_931C1D

loc_8A54BE:				; CODE XREF: PiCreateDriverRedirectedStateKey+8C7FBj
		test	edi, edi
		jnz	short loc_8A54DA

loc_8A54C2:				; CODE XREF: PiCreateDriverRedirectedStateKey+B6j
		test	ebx, ebx
		jnz	loc_931C2A

loc_8A54CA:				; CODE XREF: PiCreateDriverRedirectedStateKey+8C808j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8A54D3:				; CODE XREF: PiCreateDriverRedirectedStateKey+49j
					; PiCreateDriverRedirectedStateKey+4Ej	...
		mov	esi, 0C000000Dh
		jmp	short loc_8A54A2
; 

loc_8A54DA:				; CODE XREF: PiCreateDriverRedirectedStateKey+96j
		push	edi
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_8A54C2
PiCreateDriverRedirectedStateKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PiGetStateRootPath(int,void *,int,int)
PiGetStateRootPath proc	near		; CODE XREF: PiCreateDriverRedirectedStateKey+69p
					; IoGetDeviceDirectory(x,x,x,x,x)+F3p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00931C37 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	[ebp+arg_4], 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_8], eax
		jz	loc_931C37
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		push	ecx		; int
		push	edx		; int
		push	edx		; void *
		push	[ebp+arg_0]	; int
		mov	[ebp+var_4], edx
		push	ebx		; void *
		push	edx		; int
		push	eax		; int
		call	RtlGetPersistedStateLocation
		mov	esi, eax
		test	esi, esi
		jns	loc_931C41
		cmp	esi, 80000005h
		jz	short loc_8A552F

loc_8A5526:				; CODE XREF: PiGetStateRootPath+99j
					; PiGetStateRootPath+A5j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8A552F:				; CODE XREF: PiGetStateRootPath+42j
		push	6F697050h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8A5582
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	[ebp+var_4]	; int
		push	edi		; void *
		push	[ebp+arg_0]	; int
		push	ebx		; void *
		push	0		; int
		push	[ebp+var_8]	; int
		call	RtlGetPersistedStateLocation
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_8A5589
		test	esi, esi
		js	short loc_8A5579
		push	edi
		push	[ebp+arg_4]
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8A5579
		xor	edi, edi

loc_8A5579:				; CODE XREF: PiGetStateRootPath+84j
					; PiGetStateRootPath+93j ...
		test	edi, edi
		jz	short loc_8A5526
		jmp	loc_931C4B
; 

loc_8A5582:				; CODE XREF: PiGetStateRootPath+60j
		mov	esi, 0C000009Ah
		jmp	short loc_8A5526
; 

loc_8A5589:				; CODE XREF: PiGetStateRootPath+80j
		mov	esi, 0C00000E5h
		jmp	short loc_8A5579
PiGetStateRootPath endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpInitBootEntropyInformation(x, x,	x)
_ExpInitBootEntropyInformation@12 proc near
					; DATA XREF: ExQueryBootEntropyInformation(x)+10o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ds:_KeLoaderBlock
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	ebx, [eax+84h]
		mov	eax, 448h
		mov	esi, [ecx]
		add	ebx, 0F8h
		mov	[ebp+var_C], ebx
		mov	[ebp+var_10], esi
		test	esi, esi
		jz	loc_8A5652
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_8], 0Ah
		lea	ecx, [ebx+1Ch]
		sub	ebx, esi
		mov	[ebp+var_4], ecx
		lea	edx, [esi+10h]
		push	edi

loc_8A55E2:				; CODE XREF: ExpInitBootEntropyInformation(x,x,x)+9Cj
		mov	eax, [ecx-14h]
		lea	esi, [ecx+10h]
		mov	[edx-8], eax
		lea	edi, [edx+1Ch]
		mov	eax, [ebx+edx]
		mov	[edx], eax
		lea	edx, [edx+68h]
		mov	eax, [ebx+edx-64h]
		mov	[edx-64h], eax
		mov	eax, [ecx-4]
		mov	[edx-60h], eax
		mov	eax, [ecx]
		mov	[edx-5Ch], eax
		mov	eax, [ecx+4]
		mov	[edx-58h], eax
		mov	eax, [ecx+8]
		mov	[edx-54h], eax
		mov	eax, [ecx+0Ch]
		push	10h
		mov	[edx-50h], eax
		pop	ecx
		rep movsd
		mov	ecx, [ebp+var_4]
		add	ecx, 68h
		sub	[ebp+var_8], 1
		mov	[ebp+var_4], ecx
		jnz	short loc_8A55E2
		mov	ebx, [ebp+var_C]
		mov	edi, [ebp+var_10]
		push	0Ch
		pop	ecx
		mov	eax, [ebx]
		lea	esi, [ebx+418h]
		mov	[edi], eax
		add	edi, 418h
		rep movsd
		mov	ecx, [ebp+arg_4]
		mov	eax, 448h
		pop	edi

loc_8A5652:				; CODE XREF: ExpInitBootEntropyInformation(x,x,x)+2Dj
					; ExpInitBootEntropyInformation(x,x,x)+C9j
		mov	byte ptr [ebx],	0
		inc	ebx
		sub	eax, 1
		jnz	short loc_8A5652
		or	dword ptr [ecx], 0FFFFFFFFh
		inc	eax
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_ExpInitBootEntropyInformation@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


KseShimDatabaseBootRelease proc	near	; CODE XREF: PnpCompleteSystemStartProcess()+50p
					; KseShimDatabaseClose+48p

; FUNCTION CHUNK AT 00931C58 SIZE 00000014 BYTES

		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _KsepShimDbLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		cmp	_KsepShimDbDuringBoot, 0
		jz	short loc_8A569F
		mov	eax, _KsepShimDbRefCount
		test	eax, eax
		jz	short loc_8A56C2
		sub	eax, 1
		mov	_KsepShimDbRefCount, eax
		jz	short loc_8A56C2

loc_8A569F:				; CODE XREF: KseShimDatabaseBootRelease+24j
					; KseShimDatabaseBootRelease+7Ej
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_931C58

loc_8A56AE:				; CODE XREF: KseShimDatabaseBootRelease+8C5F4j
					; KseShimDatabaseBootRelease+8C601j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
; 

loc_8A56C2:				; CODE XREF: KseShimDatabaseBootRelease+2Dj
					; KseShimDatabaseBootRelease+37j
		mov	ecx, offset _KsepShimDb
		call	_KsepSdbBootRelease@4 ;	KsepSdbBootRelease(x)
		mov	ecx, offset unk_6C7488
		call	_KsepSdbBootRelease@4 ;	KsepSdbBootRelease(x)
		and	_KsepShimDbHandle, 0
		and	_KsepShimDbDuringBoot, 0
		jmp	short loc_8A569F
KseShimDatabaseBootRelease endp


;  S U B	R O U T	I N E 


; __stdcall KsepSdbBootRelease(x)
_KsepSdbBootRelease@4 proc near		; CODE XREF: KseShimDatabaseBootRelease+61p
					; KseShimDatabaseBootRelease+6Bp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_8A56F9
		call	SdbReleaseDatabase
		and	dword ptr [esi], 0

loc_8A56F9:				; CODE XREF: KsepSdbBootRelease(x)+9j
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_8A5709
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		and	dword ptr [esi+4], 0

loc_8A5709:				; CODE XREF: KsepSdbBootRelease(x)+18j
		pop	esi
		retn
_KsepSdbBootRelease@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


PpReleaseBootDDB proc near		; CODE XREF: PnpCompleteSystemStartProcess()+4Bp

; FUNCTION CHUNK AT 00931C6C SIZE 00000022 BYTES

		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	ebx, offset _PiDDBLock
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	ecx, ds:_PpDDBHandle
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_8A577C
		call	SdbReleaseDatabase
		push	edi
		push	ds:_PpBootDDB
		mov	ds:_PpDDBHandle, edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ds:_PpBootDDB, edi
		mov	esi, edi

loc_8A5755:				; CODE XREF: PpReleaseBootDDB+75j
		mov	ecx, ds:_PpDDBPatchHandle
		test	ecx, ecx
		jnz	loc_931C6C

loc_8A5763:				; CODE XREF: PpReleaseBootDDB+8C57Dj
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_8A577C:				; CODE XREF: PpReleaseBootDDB+28j
		mov	esi, 0C0000001h
		jmp	short loc_8A5755
PpReleaseBootDDB endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PiInitReleaseCachedGroupInformation()
_PiInitReleaseCachedGroupInformation@0 proc near
					; CODE XREF: PnpCompleteSystemStartProcess()+46p
		mov	ecx, _PiInitGroupOrderTable
		test	ecx, ecx
		jz	short locret_8A57A9
		movzx	edx, _PiInitGroupOrderTableCount
		call	_PnpFreeUnicodeStringList@8 ; PnpFreeUnicodeStringList(x,x)
		and	_PiInitGroupOrderTable,	0
		xor	eax, eax
		mov	_PiInitGroupOrderTableCount, ax

locret_8A57A9:				; CODE XREF: PiInitReleaseCachedGroupInformation()+8j
		retn
_PiInitReleaseCachedGroupInformation@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwInitializeSiloState proc near	; CODE XREF: PspInitializeServerSiloDeferred(x)+9Cp
					; EtwpInitialize+1DAp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00931C8E SIZE 00000060 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		push	61777445h
		push	0AA8h
		mov	edi, ecx
		push	204h
		mov	[ebp+var_10], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jz	loc_931CE4
		push	0AA4h		; size_t
		xor	esi, esi
		lea	eax, [ebx+4]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebx], edi
		mov	ecx, edi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ecx, ebx
		mov	[ebx+4], eax
		call	_EtwpReadPerSiloConfigParameters@4 ; EtwpReadPerSiloConfigParameters(x)
		push	0FFFFh
		call	KeQueryMaximumProcessorCountEx
		imul	edi, [ebx+8], 14h
		push	61777445h
		mov	[ebp+var_8], eax
		add	edi, 40h
		imul	edi, eax
		push	edi
		push	204h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+8D8h], eax
		test	eax, eax
		jz	loc_931CA5
		push	edi		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		mov	ecx, edx
		shl	ecx, 6
		add	ecx, [ebx+8D8h]
		test	edx, edx
		jz	short loc_8A588D
		mov	edi, esi

loc_8A5856:				; CODE XREF: EtwInitializeSiloState+E1j
		mov	eax, [ebx+8D8h]
		mov	[edi+eax], ecx
		lea	edi, [edi+40h]
		mov	eax, [ebx+8]
		lea	ecx, [ecx+eax*4]
		mov	eax, [ebx+8D8h]
		mov	[edi+eax-3Ch], ecx
		mov	eax, [ebx+8]
		lea	ecx, [ecx+eax*8]
		mov	eax, [ebx+8D8h]
		mov	[edi+eax-38h], ecx
		mov	eax, [ebx+8]
		lea	ecx, [ecx+eax*8]
		sub	edx, 1
		jnz	short loc_8A5856

loc_8A588D:				; CODE XREF: EtwInitializeSiloState+A8j
		push	3
		pop	eax
		push	40h
		pop	edi
		push	eax
		mov	[ebx+890h], ax
		lea	ecx, [ebx+190h]
		pop	ebx

loc_8A58A2:				; CODE XREF: EtwInitializeSiloState+112j
		mov	[ecx+18h], esi
		mov	eax, ecx
		mov	edx, ebx

loc_8A58A9:				; CODE XREF: EtwInitializeSiloState+10Aj
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		sub	edx, 1
		jnz	short loc_8A58A9
		add	ecx, 1Ch
		sub	edi, 1
		jnz	short loc_8A58A2
		mov	ebx, [ebp+var_C]
		push	61777445h
		mov	edi, [ebx+8]
		shl	edi, 2
		lea	eax, [edi+edi]
		push	eax
		push	204h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+188h], eax
		test	eax, eax
		jz	loc_931CA5
		lea	ecx, [eax+edi]
		mov	[ebx+18Ch], ecx
		lea	ecx, [edi+edi]
		push	ecx		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	edi, esi
		cmp	[ebx+8], esi
		jbe	short loc_8A5940

loc_8A5906:				; CODE XREF: EtwInitializeSiloState+194j
		mov	eax, [ebx+18Ch]
		push	63777445h
		push	200h
		mov	dword ptr [eax+edi*4], 1
		call	ExAllocateCacheAwareRundownProtection
		mov	ecx, [ebx+188h]
		mov	[ecx+edi*4], eax
		mov	eax, [ebx+188h]
		cmp	[eax+edi*4], esi
		jz	loc_931C8E
		inc	edi
		cmp	edi, [ebx+8]
		jb	short loc_8A5906

loc_8A5940:				; CODE XREF: EtwInitializeSiloState+15Aj
		mov	esi, offset _SecurityProviderGuid
		lea	edi, [ebx+24h]
		lea	eax, [ebx+0A88h]
		movsd
		movsd
		movsd
		movsd
		xor	esi, esi
		mov	[ebx+174h], ebx
		push	esi
		push	eax
		mov	[ebx+17Ch], esi
		call	_KeInitializeMutex@8 ; KeInitializeMutex(x,x)
		mov	edi, [ebp+var_10]
		mov	ecx, edi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		push	edi
		mov	[eax+1F0h], ebx
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		mov	[ebp+var_1], al
		test	al, al
		jz	short loc_8A59C2
		mov	ecx, [ebx+18Ch]
		lea	eax, [ebx+8DCh]
		push	esi
		push	offset _EtwpContainerResumeWnfCallback@24 ; EtwpContainerResumeWnfCallback(x,x,x,x,x,x)
		push	esi
		push	1
		push	offset _WNF_CONT_RESTORE_FROM_SNAPSHOT_COMPLETE
		push	eax
		mov	ds:_EtwpHostSiloState, ebx
		mov	dword_6B58B8, ecx
		mov	dword_6B58BC, esi
		mov	dword_6B58C0, ebx
		mov	dword_6B58C4, esi
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)

loc_8A59C2:				; CODE XREF: EtwInitializeSiloState+1D8j
		push	edi
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		lea	ecx, [ebx+8F0h]
		mov	[ebp+var_10], eax
		push	ecx
		lea	ecx, [ebx+900h]
		push	ecx
		lea	ecx, [ebx+910h]
		push	ecx
		lea	ecx, [ebx+90Ch]
		push	ecx
		lea	edx, [ebx+908h]
		lea	ecx, [ebx+8E0h]
		call	EtwpQueryPartitionRegistryInformation
		cmp	[ebp+var_1], 0
		mov	edi, ds:__imp__KeQueryPerformanceCounter@4 ; KeQueryPerformanceCounter(x)
		jz	short loc_8A5A12
		push	esi
		call	edi
		mov	ds:dword_B01668, eax
		mov	ds:dword_B0166C, edx

loc_8A5A12:				; CODE XREF: EtwInitializeSiloState+258j
		call	EtwpInitializeAutoLoggers
		cmp	[ebp+var_1], 0
		jz	short loc_8A5A2B
		push	esi
		call	edi
		mov	ds:dword_B01670, eax
		mov	ds:dword_B01674, edx

loc_8A5A2B:				; CODE XREF: EtwInitializeSiloState+271j
		push	[ebp+var_10]
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [ebx+17Ch]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		lea	edx, [ebx+74h]
		mov	[ebx+180h], eax
		lea	edi, [ebx+890h]
		mov	eax, esi
		mov	[ebp+var_8], eax

loc_8A5A68:				; CODE XREF: EtwInitializeSiloState+2D3j
		movzx	ecx, word ptr [edi]
		test	cx, cx
		jnz	short loc_8A5AB7

loc_8A5A70:				; CODE XREF: EtwInitializeSiloState+346j
		inc	eax
		add	edi, 2
		add	edx, 20h
		mov	[ebp+var_8], eax
		cmp	eax, 8
		jb	short loc_8A5A68
		xor	edx, edx
		mov	[ebx+180h], esi
		lea	ecx, [ebx+17Ch]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	[ebx+8B4h], esi
		mov	[ebx+8ACh], esi
		mov	[ebx+8B0h], esi

loc_8A5AB0:				; CODE XREF: EtwInitializeSiloState+8C53Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8A5AB7:				; CODE XREF: EtwInitializeSiloState+2C4j
		or	dword ptr [edx+0Ch], 0FFFFFFFFh
		or	dword ptr [edx+10h], 0FFFFFFFFh
		mov	[edx+2], cx
		mov	dword ptr [edx-4], 1
		mov	byte ptr [edx],	0FFh
		mov	[edx+14h], esi
		mov	[edx+18h], esi
		mov	dword ptr [edx+4], 40h
		movzx	ecx, byte ptr [ebx+8A0h]
		movzx	eax, al
		bts	ecx, eax
		mov	eax, [ebp+var_8]
		mov	[ebx+8A0h], cl
		jmp	loc_8A5A70
EtwInitializeSiloState endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpInitializeAutoLoggers proc near	; CODE XREF: EtwInitializeSiloState:loc_8A5A12p

var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_134		= dword	ptr -134h
var_118		= dword	ptr -118h
var_90		= dword	ptr -90h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00931CEE SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 174h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+174h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	21h
		pop	ecx
		push	22h
		mov	esi, offset ??_C@_1IE@LAHHDNMO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		lea	edi, [esp+184h+var_118]
		rep movsd
		pop	ecx
		push	6
		mov	esi, offset ??_C@_1II@DHOKGAJM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		lea	edi, [esp+184h+var_90]
		rep movsd
		pop	ecx
		mov	esi, offset ??_C@_1BK@IDOACBDN@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AAL?$AAo?$AAg?$AAg?$AAe?$AAr@NNGAKEGL@
		lea	edi, [esp+180h+var_134]
		rep movsd
		push	38h		; size_t
		xor	ebx, ebx
		lea	eax, [esp+184h+var_16C]
		push	ebx		; int
		push	eax		; void *
		movsw
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+180h+var_16C]
		push	ebx		; int
		push	offset _EtwpFreeKeyNameEntry@8 ; int
		push	offset _EtwpAllocateKeyNameEntry@8 ; int
		push	offset _EtwpAvlCompareKeyNames@12 ; int
		push	eax		; void *
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		mov	edi, 74777445h
		push	edi
		push	1FEh
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8A5C22
		lea	eax, [esp+180h+var_170]
		push	eax		; int
		push	1FEh		; int
		push	esi		; void *
		push	ebx		; int
		push	ebx		; void *
		push	ebx		; int
		push	offset ??_C@_1CE@NMNLGNJL@?$AAE?$AAT?$AAW?$AAA?$AAu?$AAt?$AAo?$AAL?$AAo?$AAg?$AAg?$AAe?$AAr?$AAP?$AAa@NNGAKEGL@	; int
		call	RtlGetPersistedStateLocation
		test	eax, eax
		jz	short loc_8A5BB1
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, ebx

loc_8A5BB1:				; CODE XREF: EtwpInitializeAutoLoggers+B0j
		push	edi
		push	1FEh
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_931CFC
		lea	eax, [esp+180h+var_170]
		push	eax		; int
		push	1FEh		; int
		push	edi		; void *
		push	ebx		; int
		push	ebx		; void *
		push	ebx		; int
		push	offset ??_C@_1CI@DFBOJNPN@?$AAE?$AAT?$AAW?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AAL?$AAo?$AAg?$AAg?$AAe?$AAr@NNGAKEGL@	; "ETWGlobalLoggerPath"
		call	RtlGetPersistedStateLocation
		test	eax, eax
		jz	short loc_8A5BF1
		push	74777445h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, ebx

loc_8A5BF1:				; CODE XREF: EtwpInitializeAutoLoggers+ECj
		push	edi
		lea	edx, [esp+184h+var_90]
		lea	ecx, [esp+184h+var_134]
		call	EtwStartAutoLogger
		lea	eax, [esp+180h+var_16C]
		mov	edx, esi
		push	eax
		lea	ecx, [esp+184h+var_118]
		call	EtwpEnumerateAutologgerPath
		test	esi, esi
		jnz	loc_931CEE

loc_8A5C1A:				; CODE XREF: EtwpInitializeAutoLoggers+8C208j
					; EtwpInitializeAutoLoggers+8C219j
		test	edi, edi
		jnz	loc_931D14

loc_8A5C22:				; CODE XREF: EtwpInitializeAutoLoggers+90j
					; EtwpInitializeAutoLoggers+8C229j
		lea	ecx, [esp+180h+var_16C]
		call	_EtwpFreeKeyNameList@4 ; EtwpFreeKeyNameList(x)
		mov	ecx, [esp+180h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
EtwpInitializeAutoLoggers endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpEnumerateAutologgerPath proc near	; CODE XREF: EtwpInitializeAutoLoggers+117p
					; EtwpInitializeAutoLoggers+8C201p

var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= byte ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_12D		= dword	ptr -12Dh
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00931D24 SIZE 00000099 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 170h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_150], eax
		mov	edi, ecx
		xor	eax, eax
		mov	dword ptr [ebp+var_148], edi
		push	120h		; size_t
		push	eax		; int
		mov	[ebp+var_13C], eax
		mov	ebx, edx
		mov	[ebp+var_14C], eax
		mov	[ebp+var_158], eax
		mov	[ebp+var_154], eax
		mov	[ebp+var_134], eax
		mov	[ebp+var_138], eax
		mov	byte ptr [ebp+var_12D],	al
		lea	eax, [ebp+var_12D+1]
		push	eax		; void *
		call	_memset
		mov	esi, edi
		add	esp, 0Ch
		xor	edx, edx
		mov	[ebp+var_140], edx
		lea	ecx, [esi+2]

loc_8A5CB9:				; CODE XREF: EtwpEnumerateAutologgerPath+82j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_8A5CB9
		sub	esi, ecx
		sar	esi, 1
		test	ebx, ebx
		jnz	loc_931D24

loc_8A5CD0:				; CODE XREF: EtwpEnumerateAutologgerPath+8C128j
		push	edi
		lea	eax, [ebp+var_158]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_158]
		mov	[ebp+var_170], 18h
		mov	[ebp+var_168], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_170]
		mov	[ebp+var_16C], ecx
		push	eax
		push	20019h
		lea	eax, [ebp+var_138]
		mov	[ebp+var_164], 240h
		push	eax
		mov	[ebp+var_160], ecx
		mov	[ebp+var_15C], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_8A5E54
		push	74777445h
		lea	esi, ds:104h[esi*2]
		push	esi
		push	1
		mov	[ebp+var_144], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8A5E29
		test	ebx, ebx
		jnz	loc_931D6D

loc_8A5D5D:				; CODE XREF: EtwpEnumerateAutologgerPath+8C14Aj
		mov	eax, [ebp+var_140]

loc_8A5D63:				; CODE XREF: EtwpEnumerateAutologgerPath+1E3j
		lea	ecx, [ebp+var_14C]
		push	ecx
		push	11Eh
		lea	ecx, [ebp+var_12D+1]
		push	ecx
		xor	ecx, ecx
		push	ecx
		push	eax
		push	[ebp+var_138]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A5E65
		mov	eax, [ebp+var_120]
		cmp	eax, 102h
		jnb	short loc_8A5E14
		shr	eax, 1
		xor	ecx, ecx
		mov	word ptr [ebp+eax*2+var_11C], cx
		lea	eax, [ebp+var_12D]
		push	eax		; int
		mov	eax, [ebp+var_120]
		add	eax, 2
		push	eax		; size_t
		lea	eax, [ebp+var_11C]
		push	eax		; void *
		push	[ebp+var_150]	; int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		cmp	byte ptr [ebp+var_12D],	0
		jz	short loc_8A5E14
		lea	eax, [ebp+var_11C]
		push	eax
		push	dword ptr [ebp+var_148]	; char
		push	offset ??_C@_1BA@NPEHGALP@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	[ebp+var_144]	; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		test	eax, eax
		jnz	short loc_8A5E14
		test	ebx, ebx
		jnz	loc_931D8F

loc_8A5E01:				; CODE XREF: EtwpEnumerateAutologgerPath+8C178j
		push	[ebp+var_134]
		mov	edx, edi
		lea	ecx, [ebp+var_11C]
		call	EtwStartAutoLogger

loc_8A5E14:				; CODE XREF: EtwpEnumerateAutologgerPath+15Aj
					; EtwpEnumerateAutologgerPath+192j ...
		mov	eax, [ebp+var_140]
		inc	eax
		mov	[ebp+var_140], eax
		test	esi, esi
		jns	loc_8A5D63

loc_8A5E29:				; CODE XREF: EtwpEnumerateAutologgerPath+10Fj
		mov	esi, [ebp+var_134]

loc_8A5E2F:				; CODE XREF: EtwpEnumerateAutologgerPath+8C144j
		cmp	[ebp+var_138], 0
		jz	short loc_8A5E43
		push	[ebp+var_138]
		call	_ZwClose@4	; ZwClose(x)

loc_8A5E43:				; CODE XREF: EtwpEnumerateAutologgerPath+1F6j
		xor	ebx, ebx
		test	edi, edi
		jz	short loc_8A5E50
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A5E50:				; CODE XREF: EtwpEnumerateAutologgerPath+207j
		test	esi, esi
		jnz	short loc_8A5EC7

loc_8A5E54:				; CODE XREF: EtwpEnumerateAutologgerPath+EBj
					; EtwpEnumerateAutologgerPath+28Ej
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_8A5E65:				; CODE XREF: EtwpEnumerateAutologgerPath+149j
		xor	eax, eax
		mov	[ebp+var_13C], eax
		lea	eax, [esi+7FFFFFE6h]
		neg	eax
		sbb	eax, eax
		and	eax, esi
		push	eax
		call	RtlNtStatusToDosError
		mov	[ebp+var_13C], eax
		mov	eax, ebx
		test	ebx, ebx
		jnz	short loc_8A5E91
		mov	eax, dword ptr [ebp+var_148]

loc_8A5E91:				; CODE XREF: EtwpEnumerateAutologgerPath+249j
		push	4
		lea	ecx, [ebp+var_13C]
		push	ecx
		push	4
		push	(offset	loc_8BA67D+1)
		push	eax
		xor	eax, eax
		push	eax
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		cmp	esi, 80000005h
		jz	short loc_8A5EBE
		cmp	esi, 0C0000023h
		jnz	loc_8A5E14

loc_8A5EBE:				; CODE XREF: EtwpEnumerateAutologgerPath+270j
		xor	eax, eax
		mov	esi, eax
		jmp	loc_8A5E14
; 

loc_8A5EC7:				; CODE XREF: EtwpEnumerateAutologgerPath+212j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8A5E54
EtwpEnumerateAutologgerPath endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 979. IoSetDeviceInterfacePropertyData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetDeviceInterfacePropertyData(x,	x, x, x, x, x, x)
		public _IoSetDeviceInterfacePropertyData@28
_IoSetDeviceInterfacePropertyData@28 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_18]
		mov	eax, ecx
		mov	edx, [ebp+arg_4]
		neg	eax
		push	ecx
		sbb	eax, eax
		and	eax, [ebp+arg_14]
		neg	ecx
		push	eax
		sbb	ecx, ecx
		and	ecx, [ebp+arg_10]
		push	ecx
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	PnpSetDeviceInterfacePropertyData
		pop	ebp
		retn	1Ch
_IoSetDeviceInterfacePropertyData@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpSetDeviceInterfacePropertyData proc near
					; CODE XREF: IoSetDeviceInterfacePropertyData(x,x,x,x,x,x,x)+25p

var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00931DBD SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_C0], eax
		xor	esi, esi
		mov	eax, 0AAh
		mov	ebx, edx
		push	eax		; size_t
		lea	eax, [ebp+var_B0]
		mov	edi, ecx
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_BC], esi
		mov	[ebp+var_B8], esi
		mov	[ebp+var_B4], esi
		test	edi, edi
		jz	loc_931DF4
		cmp	[edi+4], esi
		jz	loc_931DF4
		cmp	[edi], si
		jz	loc_931DF4
		cmp	[ebp+arg_0], esi
		jnz	loc_931DBD

loc_8A5F76:				; CODE XREF: PnpSetDeviceInterfacePropertyData+8BEE0j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpDevicePropertyLock
		call	ExAcquireResourceExclusiveLite
		push	edi
		xor	edx, edx
		lea	ecx, [ebp+var_B4]
		call	PnpUnicodeStringToWstr
		mov	esi, eax
		test	esi, esi
		js	short loc_8A5FD0
		mov	edx, [ebp+var_B4]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	[ebp+arg_C]
		push	[ebp+var_C0]
		push	[ebp+arg_8]
		push	ebx
		push	[ebp+var_B8]
		push	0
		push	3
		call	PiPnpRtlSetObjectProperty
		mov	esi, eax

loc_8A5FD0:				; CODE XREF: PnpSetDeviceInterfacePropertyData+9Ej
		mov	ecx, [ebp+var_B4]
		mov	edx, edi
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		mov	ecx, offset _PnpDevicePropertyLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	esi, 0C0000225h
		jz	short loc_8A600E

loc_8A5FFB:				; CODE XREF: PnpSetDeviceInterfacePropertyData+10Fj
					; PnpSetDeviceInterfacePropertyData+8BEEBj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_8A600E:				; CODE XREF: PnpSetDeviceInterfacePropertyData+F5j
		mov	esi, 0C0000034h
		jmp	short loc_8A5FFB
PnpSetDeviceInterfacePropertyData endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqIrpPropertySet proc	near		; CODE XREF: PiDqDispatch+205p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
Handle		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 00931E20 SIZE 000000B2 BYTES

		push	44h
		push	offset dword_6A7388
		call	__SEH_prolog4
		mov	[ebp+var_48], ecx
		mov	edx, [ecx+60h]
		xor	ebx, ebx
		mov	[ebp+Handle], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1A], bl
		mov	[ebp+var_19], bl
		mov	[ebp+var_40], ebx
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jz	loc_931EBB
		lea	ecx, [ebp+Handle]
		push	ecx		; pHandle
		push	dword ptr [edx+8] ; BufferSize
		push	eax		; pBuffer
		call	ds:__imp__MesDecodeBufferHandleCreate@12 ; MesDecodeBufferHandleCreate(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A61BB
		mov	[ebp+ms_exc.disabled], ebx
		lea	eax, [ebp+var_20]
		push	eax
		push	offset dword_407A68
		push	offset off_4016D8
		push	(offset	loc_4077CB+1)
		push	[ebp+Handle]
		call	ds:__imp__NdrMesTypeDecode2@20 ; NdrMesTypeDecode2(x,x,x,x,x)

loc_8A6081:				; CODE XREF: sub_931E10+Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		js	loc_8A61BB
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	loc_931EBB
		mov	edx, [eax+4]
		test	edx, edx
		jz	loc_931EBB
		cmp	[eax+0Ch], ebx
		jz	loc_931EBB
		cmp	[eax+8], ebx
		jz	loc_931EBB
		mov	ecx, [eax]
		call	PiDqGetPnpObjectType
		mov	edi, eax
		mov	[ebp+var_34], edi
		test	edi, edi
		jz	loc_931EBB
		push	ecx
		push	ecx
		lea	eax, [ebp+var_24]
		push	eax
		push	ebx
		push	ebx
		push	7
		push	edi
		xor	ecx, ecx
		call	_PiDqOpenObjectRegKey@36 ; PiDqOpenObjectRegKey(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A61BB
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+8]
		test	eax, eax
		jz	short loc_8A6114
		mov	esi, [ecx+0Ch]
		mov	ecx, ebx

loc_8A60F7:				; CODE XREF: PiDqIrpPropertySet+FCj
		mov	edx, [ecx+esi+14h]
		test	edx, edx
		jnz	short loc_8A6103
		mov	[ebp+var_1A], 1

loc_8A6103:				; CODE XREF: PiDqIrpPropertySet+E7j
		cmp	edx, 1
		jz	loc_931E20

loc_8A610C:				; CODE XREF: PiDqIrpPropertySet+8BE0Ej
		add	ecx, 28h
		sub	eax, 1
		jnz	short loc_8A60F7

loc_8A6114:				; CODE XREF: PiDqIrpPropertySet+DAj
		cmp	[ebp+var_1A], 0
		jz	short loc_8A612A
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jz	loc_931E29

loc_8A612A:				; CODE XREF: PiDqIrpPropertySet+102j
		cmp	[ebp+var_19], 0
		jnz	loc_931E33

loc_8A6134:				; CODE XREF: PiDqIrpPropertySet+8BE2Fj
					; PiDqIrpPropertySet+8BE59j
		lea	ecx, [ebp+var_40]
		call	PiPnpRtlBeginOperation
		mov	esi, eax
		test	esi, esi
		js	short loc_8A61BB
		mov	[ebp+var_38], ebx
		mov	eax, [ebp+var_20]
		cmp	[eax+8], ebx
		jbe	short loc_8A61BB
		mov	edx, ebx
		mov	[ebp+var_3C], ebx

loc_8A6152:				; CODE XREF: PiDqIrpPropertySet+1A3j
		mov	eax, [ebp+var_20]
		mov	edi, [eax+0Ch]
		add	edi, edx
		mov	ecx, [edi+20h]
		mov	edx, [edi+24h]
		mov	esi, [edi+1Ch]
		mov	eax, [edi+18h]
		mov	[ebp+var_30], eax
		cmp	[edi+14h], ebx
		mov	eax, [ebp+var_20]
		jnz	loc_931E74
		push	ebx
		push	ecx
		push	edx
		push	esi
		push	edi
		push	[ebp+var_30]
		push	[ebp+var_24]
		push	[ebp+var_34]
		mov	edx, [eax+4]
		mov	ecx, _PiPnpRtlCtx
		call	PiPnpRtlSetObjectProperty
		mov	esi, eax

loc_8A6193:				; CODE XREF: PiDqIrpPropertySet+8BE78j
					; PiDqIrpPropertySet+8BEA0j
		cmp	esi, 0C0000225h
		jz	loc_8A621F

loc_8A619F:				; CODE XREF: PiDqIrpPropertySet+212j
		test	esi, esi
		js	short loc_8A61BB
		mov	ecx, [ebp+var_38]
		inc	ecx
		mov	[ebp+var_38], ecx
		mov	edx, [ebp+var_3C]
		add	edx, 28h
		mov	[ebp+var_3C], edx
		mov	eax, [ebp+var_20]
		cmp	ecx, [eax+8]
		jb	short loc_8A6152

loc_8A61BB:				; CODE XREF: PiDqIrpPropertySet+46j
					; PiDqIrpPropertySet+74j ...
		cmp	[ebp+var_24], 0
		jz	short loc_8A61C9
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)

loc_8A61C9:				; CODE XREF: PiDqIrpPropertySet+1A9j
		cmp	[ebp+var_28], 0
		jnz	loc_931EC5

loc_8A61D3:				; CODE XREF: PiDqIrpPropertySet+8BEB7j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_8A61E5
		push	6370726Bh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A61E5:				; CODE XREF: PiDqIrpPropertySet+1C2j
		cmp	[ebp+Handle], 0
		jz	short loc_8A61F4
		push	[ebp+Handle]	; Handle
		call	ds:__imp__MesHandleFree@4 ; MesHandleFree(x)

loc_8A61F4:				; CODE XREF: PiDqIrpPropertySet+1D3j
		mov	ecx, [ebp+var_40]
		test	ecx, ecx
		jz	short loc_8A6200
		call	PiPnpRtlEndOperation

loc_8A6200:				; CODE XREF: PiDqIrpPropertySet+1E3j
		mov	ecx, [ebp+var_48]
		mov	[ecx+18h], esi
		xor	dl, dl
		call	IofCompleteRequest
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8A621F:				; CODE XREF: PiDqIrpPropertySet+183j
		mov	eax, [edi+1Ch]
		neg	eax
		sbb	eax, eax
		and	esi, eax
		jmp	loc_8A619F
PiDqIrpPropertySet endp

; 
		align 2

;  S U B	R O U T	I N E 


PsLocateSystemDlls proc	near		; CODE XREF: INIT:00AC2F4Dp

; FUNCTION CHUNK AT 00931ED2 SIZE 00000036 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi		; struct _exception *
		push	6
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_931ED2

loc_8A6242:				; CODE XREF: PsLocateSystemDlls+8BCB1j
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	edi, eax
		and	edi, 4
		xor	esi, esi

loc_8A624E:				; CODE XREF: PsLocateSystemDlls+2Fj
		mov	ecx, ds:_PspSystemDlls[esi*4]
		test	ecx, ecx
		jnz	short loc_8A6265

loc_8A6259:				; CODE XREF: PsLocateSystemDlls+4Cj
					; PsLocateSystemDlls+8BCC1j
		inc	esi
		cmp	esi, 6
		jl	short loc_8A624E

loc_8A625F:				; CODE XREF: PsLocateSystemDlls+8BCABj
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ecx
		retn
; 

loc_8A6265:				; CODE XREF: PsLocateSystemDlls+29j
		mov	eax, [ecx+8]
		and	al, 10h
		movzx	edx, al
		neg	edx
		sbb	edx, edx
		and	edx, edi
		call	PspLocateSystemDll
		test	eax, eax
		jns	short loc_8A6259
		jmp	loc_931EE4
PsLocateSystemDlls endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspLocateSystemDll proc	near		; CODE XREF: PsLocateSystemDlls+45p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00931F08 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		test	_NtGlobalFlag, 40000h
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_20], ecx
		lea	esi, [edi+0Ch]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_8], ecx
		jz	short loc_8A62D4
		mov	eax, [esi]
		push	ecx
		push	ecx
		mov	[ebp+var_18], eax
		mov	eax, [esi+4]
		push	ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_18]
		push	8
		push	eax
		push	26h
		call	_ZwSystemDebugControl@24 ; ZwSystemDebugControl(x,x,x,x,x,x)
		xor	ecx, ecx

loc_8A62D4:				; CODE XREF: PspLocateSystemDll+33j
		mov	[ebp+var_30], esi
		lea	eax, [ebp+var_20]
		xor	esi, esi
		mov	[ebp+var_38], 18h
		push	esi
		push	1
		push	eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_34], ecx
		push	eax
		push	100020h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_2C], 240h
		push	eax
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	loc_8A63A8
		or	ebx, 2
		mov	[ebp+var_30], esi
		push	ebx
		push	[ebp+var_4]
		lea	edx, [ebp+var_38]
		push	0Ch
		push	esi
		lea	ecx, [ebp+var_8]
		call	MmCreateSpecialImageSection
		push	esi
		test	eax, eax
		js	loc_931F03
		push	[ebp+var_4]
		call	ObCloseHandle
		mov	eax, ds:_MmSectionObjectType
		lea	ecx, [ebp+var_C]
		push	esi
		push	ecx
		push	esi
		push	eax
		push	0F001Fh
		push	[ebp+var_8]
		mov	[ebp+var_C], esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	esi
		test	eax, eax
		js	short loc_8A63AD
		push	[ebp+var_8]
		call	ObCloseHandle
		lea	eax, [ebp+var_10]
		push	eax
		push	2
		push	[ebp+var_C]
		call	_MmGetSectionInformation@12 ; MmGetSectionInformation(x,x,x)
		test	eax, eax
		js	short loc_8A63B5
		mov	eax, [ebp+var_10]
		mov	ecx, edi
		mov	edx, [ebp+var_C]
		mov	[edi+20h], eax
		call	@ObInitializeFastReference@8 ; ObInitializeFastReference(x,x)
		mov	eax, large fs:124h
		mov	edx, edi
		push	1
		mov	[edi+4], esi
		push	esi
		mov	ecx, [eax+80h]
		call	PspMapSystemDll
		test	eax, eax
		js	loc_931F08
		xor	eax, eax

loc_8A63A8:				; CODE XREF: PspLocateSystemDll+89j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8A63AD:				; CODE XREF: PspLocateSystemDll+D7j
		push	esi
		push	4
		jmp	loc_931F0C
; 

loc_8A63B5:				; CODE XREF: PspLocateSystemDll+F1j
		push	esi
		push	esi
		push	8
		jmp	loc_931F0C
PspLocateSystemDll endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpGetNtProductTypeFromLicenseValue proc near
					; CODE XREF: ExpWatchProductTypeInitialization+5Cp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ds:off_A414E8
		xor	eax, eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	NtQueryLicenseValue
		test	eax, eax
		js	short loc_8A6418
		cmp	[ebp+var_4], 4
		jnz	short loc_8A6418
		cmp	[ebp+var_8], 4
		jnz	short loc_8A6418
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	loc_931F15

loc_8A6418:				; CODE XREF: ExpGetNtProductTypeFromLicenseValue+41j
					; ExpGetNtProductTypeFromLicenseValue+47j ...
		xor	al, al
		leave
		retn
ExpGetNtProductTypeFromLicenseValue endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpCallAddDevice proc near		; CODE XREF: PipCallDriverAddDevice+724p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00931F27 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_28], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_14], eax
		lea	edi, [ebp+var_10]
		xor	eax, eax
		mov	esi, edx
		test	byte_6CD8BB, 8
		mov	ebx, ecx
		stosd
		stosd
		stosd
		jnz	loc_931F27

loc_8A6454:				; CODE XREF: PnpCallAddDevice+8BB25j
		mov	ecx, [ebx+10h]
		lea	edx, [ebp+var_10]
		call	PnpSetDeviceAffinityThread
		mov	ecx, large fs:124h
		lea	edx, [ebp+var_28]
		push	4
		mov	[ebp+var_1C], ecx
		pop	ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], esi
		call	_PnpEnableWatchdog@8 ; PnpEnableWatchdog(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		inc	ecx
		mov	edi, eax
		push	ecx
		push	[ebp+var_14]
		mov	ecx, [ebx+10h]
		call	PpvUtilCallAddDevice
		mov	esi, eax
		test	edi, edi
		jz	short loc_8A64A5
		mov	ecx, edi
		call	PnpCancelWatchdog
		mov	ecx, edi
		call	_PnpFreeWatchdog@4 ; PnpFreeWatchdog(x)

loc_8A64A5:				; CODE XREF: PnpCallAddDevice+79j
		cmp	[ebp+var_18], 0
		jnz	loc_931F46

loc_8A64AF:				; CODE XREF: PnpCallAddDevice+8BB33j
		test	byte_6CD8BB, 8
		jnz	short loc_8A64CB

loc_8A64B8:				; CODE XREF: PnpCallAddDevice+B6j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_8A64CB:				; CODE XREF: PnpCallAddDevice+9Aj
		push	esi
		push	ecx
		call	_McTemplateK0q_EtwWriteTransfer@16 ; McTemplateK0q_EtwWriteTransfer(x,x,x,x)
		jmp	short loc_8A64B8
PnpCallAddDevice endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceFxDeviceStartPowerManagement proc near
					; CODE XREF: PoFxStartDevicePowerManagement+A6p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00931F54 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_18], ecx
		push	ebx
		push	ebx
		push	3
		xor	edx, edx
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		cmp	_PopDiagHandleRegistered, bl
		jz	short loc_8A6523
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_DEVICE_START_POWER_MANAGEMENT
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_931F54

loc_8A6521:				; CODE XREF: PopDiagTraceFxDeviceStartPowerManagement+8BAA6j
		pop	edi
		pop	esi

loc_8A6523:				; CODE XREF: PopDiagTraceFxDeviceStartPowerManagement+29j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTraceFxDeviceStartPowerManagement endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PfTInitialize(void *,int,char)
PfTInitialize	proc near		; CODE XREF: PfSetSuperfetchInformation+1374BBp
					; PfTStart+8B23Ep ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00931F7F SIZE 00000060 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		cmp	[ebp+arg_0], 0
		lea	ebx, [esi+180h]
		jnz	loc_931F7F
		push	240h		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		push	40h		; size_t
		push	edi		; int
		push	offset _PfKernelGlobals	; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi], edi

loc_8A6573:				; CODE XREF: PfTInitialize+8BA6Cj
		call	_KeQueryTimeIncrement@0	; KeQueryTimeIncrement()
		push	edi
		push	eax
		push	edi
		push	23C34600h
		call	__aulldiv
		mov	_PfKernelGlobals, eax
		lea	edi, [esi+10h]
		mov	dword_6FB604, edx
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		and	[esi+1Ch], eax
		lea	edx, [esi+28h]
		and	dword ptr [esi+10h], 0FFFFFFF0h
		mov	edi, edx
		mov	[esi+1Ah], ax
		lea	eax, [esi+20h]
		mov	[eax+4], eax
		mov	[eax], eax
		push	2
		pop	eax
		mov	[esi+18h], ax
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		and	[edx+0Ch], eax
		mov	ecx, ebx
		mov	[edx+0Ah], ax
		lea	eax, [edx+10h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [edx]
		and	eax, 0FFFFFFF1h
		or	eax, 1
		mov	[edx], eax
		xor	eax, eax
		mov	[edx+8], ax
		cmp	[ebp+arg_0], al
		jnz	loc_931FA1
		call	@KeInitializeGuardedMutex@4 ; KeInitializeGuardedMutex(x)

loc_8A65EF:				; CODE XREF: PfTInitialize+8BA76j
		cmp	[ebp+arg_0], 0
		lea	eax, [esi+15Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+164h]
		mov	[eax+4], eax
		mov	[eax], eax
		jnz	loc_931FAB
		push	0
		mov	edx, offset _PfKernelGlobals
		mov	ecx, esi
		call	_PfTAccessTracingInitialize@12 ; PfTAccessTracingInitialize(x,x,x)

loc_8A661D:				; CODE XREF: PfTInitialize+8BA82j
		mov	ebx, dword ptr [ebp+arg_0]
		lea	eax, [esi+54h]
		lea	edi, [esi+64h]
		test	bl, bl
		jnz	loc_931FB7
		push	0
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	0
		push	0
		push	edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	edi, edi
		lea	eax, [esi+44h]
		push	edi
		push	edi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esi+80h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_8A665D:				; CODE XREF: PfTInitialize+8BAAAj
		push	ebx
		lea	ecx, [esi+0A0h]
		mov	[esp+34h+var_20], 0CEB10001h
		lea	edx, [esp+34h+var_20]
		mov	[esp+34h+var_1C], 4C4E6650h
		mov	[esp+34h+var_18], 1
		mov	[esp+34h+var_14], 38h
		mov	[esp+34h+var_10], 40h
		mov	[esp+34h+var_C], edi
		mov	[esp+34h+var_4], offset	_PfpSectInfoHandleFullBuffer@4 ; PfpSectInfoHandleFullBuffer(x)
		mov	[esp+34h+var_8], offset	_PfpSectInfoHandleOutOfBuffers@4 ; PfpSectInfoHandleOutOfBuffers(x)
		call	PfFbBufferListInitialize
		mov	[esi+150h], edi
		lea	ecx, [esi+100h]
		mov	[esi+154h], edi
		lea	edx, [esp+30h+var_20]
		or	dword ptr [esi+158h], 0FFFFFFFFh
		push	ebx
		mov	[esp+34h+var_20], 0CEB10002h
		mov	[esp+34h+var_1C], 4C456650h
		mov	[esp+34h+var_18], 200h
		mov	[esp+34h+var_14], 18h
		mov	[esp+34h+var_10], 40h
		mov	[esp+34h+var_C], edi
		mov	[esp+34h+var_4], offset	_PfpEventHandleFullBuffer@4 ; PfpEventHandleFullBuffer(x)
		mov	[esp+34h+var_8], offset	_PfpEventHandleOutOfBuffers@4 ;	PfpEventHandleOutOfBuffers(x)
		call	PfFbBufferListInitialize
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
PfTInitialize	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfFbBufferListInitialize proc near	; CODE XREF: PfTInitialize+174p
					; PfTInitialize+1D3p

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00931FDF SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bl, [ebp+arg_0]
		xor	eax, eax
		push	esi
		mov	esi, edx
		mov	edx, ecx
		push	edi
		test	bl, bl
		jnz	loc_931FDF
		mov	[edx], eax
		mov	[edx+4], eax
		mov	[edx+40h], eax
		mov	[edx+44h], eax
		mov	[edx+48h], eax
		mov	[edx+4Ch], eax

loc_8A673C:				; CODE XREF: PfFbBufferListInitialize+8B8D6j
		push	6
		xor	eax, eax
		lea	edi, [edx+8]
		pop	ecx
		rep stosd
		mov	eax, [esi+0Ch]
		cmp	eax, 18h
		jb	short loc_8A676B

loc_8A674E:				; CODE XREF: PfFbBufferListInitialize+5Cj
		push	8
		pop	ecx
		lea	edi, [edx+20h]
		test	bl, bl
		rep movsd
		pop	edi
		pop	esi
		mov	[edx+2Ch], eax
		pop	ebx
		jnz	short loc_8A6770
		mov	ecx, edx
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)

loc_8A6767:				; CODE XREF: PfFbBufferListInitialize+62j
		pop	ebp
		retn	4
; 

loc_8A676B:				; CODE XREF: PfFbBufferListInitialize+3Aj
		push	18h
		pop	eax
		jmp	short loc_8A674E
; 

loc_8A6770:				; CODE XREF: PfFbBufferListInitialize+4Cj
		xor	eax, eax
		xchg	eax, [edx]
		jmp	short loc_8A6767
PfFbBufferListInitialize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpSetBaseTime	proc near		; CODE XREF: PfpParametersInitialize(x)+117p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00931FED SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_C]
		xor	ebx, ebx
		push	eax
		mov	edi, edx
		mov	[ebp+var_C], ebx
		mov	esi, ecx
		mov	[ebp+var_8], ebx
		call	KeQuerySystemTime
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		sub	eax, 0C89DC000h
		sbb	ecx, 1C07385h
		cmp	ecx, ebx
		jg	short loc_8A67B1
		jl	short loc_8A67F0
		cmp	eax, ebx
		jb	short loc_8A67F0

loc_8A67B1:				; CODE XREF: PfpSetBaseTime+33j
					; PfpSetBaseTime+7Ej
		push	ebx
		push	2710h
		push	ecx
		push	eax
		call	__alldiv
		push	4
		shrd	eax, edx, 0Ah
		pop	ebx
		mov	[ebp+var_4], eax
		mov	edx, offset ??_C@_1BC@FBKCDMNG@?$AAB?$AAa?$AAs?$AAe?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@ ; "BaseTime"
		push	ebx
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		mov	ecx, esi
		call	_PfpSetParameter@20 ; PfpSetParameter(x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_931FED

loc_8A67E4:				; CODE XREF: PfpSetBaseTime+8B891j
		mov	eax, [ebp+var_4]
		mov	[edi], eax
		mov	eax, ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8A67F0:				; CODE XREF: PfpSetBaseTime+35j
					; PfpSetBaseTime+39j
		mov	eax, ebx
		mov	ecx, ebx
		jmp	short loc_8A67B1
PfpSetBaseTime	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpSetParameter(x, x, x, x,	x)
_PfpSetParameter@20 proc near		; CODE XREF: PfpSetBaseTime+5Fp
					; PfSetSuperfetchInformation+137537p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		push	edx
		push	eax
		mov	esi, ecx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	esi, esi
		jz	short loc_8A682F
		push	[ebp+arg_8]
		lea	eax, [ebp+var_8]
		push	[ebp+arg_4]
		push	4
		push	0
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_8A682A:				; CODE XREF: PfpSetParameter(x,x,x,x,x)+3Ej
		pop	esi
		leave
		retn	0Ch
; 

loc_8A682F:				; CODE XREF: PfpSetParameter(x,x,x,x,x)+1Ej
		mov	eax, 0C000000Dh
		jmp	short loc_8A682A
_PfpSetParameter@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpParametersRead proc near		; CODE XREF: PfpParametersWatcher(x)+111p
					; PfpParametersInitialize(x)+C9p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0093200C SIZE 0000000C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_20]
		push	7
		pop	ecx
		push	4
		mov	eax, [ebx+4]
		lea	esi, [ebx+24h]
		rep movsd
		mov	[ebp+var_28], eax
		mov	edx, offset ??_C@_1CC@HFKJICAM@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAS?$AAu?$AAp?$AAe?$AAr?$AAf?$AAe?$AAt?$AAc@NNGAKEGL@ ; "EnableSuperfetch"
		mov	esi, [ebp+var_28]
		lea	eax, [ebp+var_24]
		pop	edi
		push	eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_24], edi
		push	eax
		push	edi
		mov	ecx, esi
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		test	eax, eax
		js	loc_93200C
		cmp	_InitSafeBootMode, 0
		jnz	loc_93200C

loc_8A6891:				; CODE XREF: PfpParametersRead+8B7DDj
		lea	eax, [ebp+var_24]
		mov	[ebp+var_24], edi
		push	eax
		lea	eax, [ebp+var_18]
		mov	edx, offset ??_C@_1CO@IGFOGBCM@?$AAS?$AAa?$AAv?$AAe?$AAd?$AAS?$AAe?$AAc?$AAt?$AAI?$AAn?$AAf?$AAo?$AAT?$AAr@NNGAKEGL@
		push	eax
		push	edi
		mov	ecx, esi
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		lea	eax, [ebp+var_24]
		mov	[ebp+var_24], edi
		push	eax
		lea	eax, [ebp+var_14]
		mov	edx, offset ??_C@_1DC@HNLGHJPA@?$AAS?$AAa?$AAv?$AAe?$AAd?$AAP?$AAa?$AAg?$AAe?$AAA?$AAc?$AAc?$AAe?$AAs?$AAs@NNGAKEGL@
		push	eax
		push	edi
		mov	ecx, esi
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		mov	ecx, [ebx+4]
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_24], edi
		push	eax
		push	edi
		mov	edx, offset ??_C@_1CO@PPFJHOGF@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAt?$AAc?$AAh?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@NNGAKEGL@ ; "PrefetchTimeoutStandby"
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		mov	ecx, [ebx+4]
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_24], edi
		push	eax
		push	edi
		mov	edx, offset ??_C@_1DC@LHKMKNKA@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAt?$AAc?$AAh?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@NNGAKEGL@ ; "P"
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		mov	ecx, [ebx+4]
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_24], edi
		push	eax
		push	edi
		mov	edx, offset ??_C@_1DC@HGPDJOGO@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAt?$AAc?$AAh?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@NNGAKEGL@ ; "P"
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		lea	ecx, [ebp+var_20]
		call	_PfpParametersVerify@4 ; PfpParametersVerify(x)
		test	eax, eax
		js	short loc_8A692B
		inc	dword ptr [ebx+1DCh]
		lea	esi, [ebp+var_20]
		push	7
		pop	ecx
		lea	edi, [ebx+24h]
		xor	eax, eax
		rep movsd

loc_8A692B:				; CODE XREF: PfpParametersRead+E0j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PfpParametersRead endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnParametersRead proc	near		; CODE XREF: PfpParametersWatcher(x)+125p
					; PfpParametersInitialize(x)+D0p

var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_230		= dword	ptr -230h
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_1B0		= word ptr -1B0h
var_B2		= word ptr -0B2h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00932018 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 25Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_250], 0
		lea	eax, [ebp+var_244]
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_240]
		push	66h
		pop	ecx
		push	4
		lea	esi, [ebx+40h]
		mov	[ebp+var_258], ebx
		rep movsd
		mov	edi, [ebx+4]
		mov	edx, offset ??_C@_1CC@GCKPOFNI@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAP?$AAr?$AAe?$AAf?$AAe?$AAt?$AAc?$AAh?$AAe@NNGAKEGL@ ; "EnablePrefetcher"
		pop	ecx
		push	eax
		lea	eax, [ebp+var_250]
		mov	[ebp+var_244], ecx
		push	eax
		push	ecx
		mov	ecx, edi
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		test	eax, eax
		js	loc_932018
		lea	esi, [ebp+var_250]

loc_8A69A4:				; CODE XREF: PfSnParametersRead+8B6E0j
		and	[ebp+var_24C], 0
		lea	eax, [ebp+var_230]
		mov	[ebp+var_248], eax
		lea	eax, [ebx+1E0h]
		mov	ebx, [ebp+var_24C]
		mov	[ebp+var_254], eax

loc_8A69C9:				; CODE XREF: PfSnParametersRead+1BEj
		mov	edx, [eax]
		xor	eax, eax
		mov	[ebp+var_24C], edx
		test	esi, esi
		jz	short loc_8A69E5
		inc	eax
		mov	ecx, ebx
		shl	eax, cl
		and	eax, [esi]
		neg	eax
		sbb	eax, eax
		add	eax, 2

loc_8A69E5:				; CODE XREF: PfSnParametersRead+9Bj
		push	edx
		mov	edx, 0A0h
		mov	[ebp+ebx*4+var_240], eax
		lea	ecx, [ebp+var_A8]
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		push	offset ??_C@_1BI@IDFHKOAN@?$AAM?$AAa?$AAx?$AAN?$AAu?$AAm?$AAP?$AAa?$AAg?$AAe?$AAs@NNGAKEGL@ ; "M"
		mov	edx, 0A0h
		lea	ecx, [ebp+var_A8]
		call	_RtlStringCbCatW@12 ; RtlStringCbCatW(x,x,x)
		push	4
		pop	ecx
		lea	eax, [ebp+var_244]
		mov	[ebp+var_244], ecx
		push	eax
		mov	eax, [ebp+var_248]
		lea	edx, [ebp+var_A8]
		add	eax, 0FFFFFFF8h
		push	eax
		push	ecx
		mov	ecx, edi
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		push	[ebp+var_24C]
		mov	edx, 0A0h
		lea	ecx, [ebp+var_A8]
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		push	offset ??_C@_1BO@ELFNNOI@?$AAM?$AAa?$AAx?$AAN?$AAu?$AAm?$AAS?$AAe?$AAc?$AAt?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@
		mov	edx, 0A0h
		lea	ecx, [ebp+var_A8]
		call	_RtlStringCbCatW@12 ; RtlStringCbCatW(x,x,x)
		push	4
		pop	ecx
		lea	eax, [ebp+var_244]
		mov	[ebp+var_244], ecx
		push	eax
		mov	eax, [ebp+var_248]
		lea	edx, [ebp+var_A8]
		add	eax, 0FFFFFFFCh
		push	eax
		push	ecx
		mov	ecx, edi
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		push	[ebp+var_24C]
		mov	edx, 0A0h
		lea	ecx, [ebp+var_A8]
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		push	offset ??_C@_1BI@KFJDPHNK@?$AAT?$AAi?$AAm?$AAe?$AAr?$AAP?$AAe?$AAr?$AAi?$AAo?$AAd@NNGAKEGL@ ; "TimerPeriod"
		mov	edx, 0A0h
		lea	ecx, [ebp+var_A8]
		call	_RtlStringCbCatW@12 ; RtlStringCbCatW(x,x,x)
		lea	eax, [ebp+var_244]
		mov	[ebp+var_244], 8
		push	eax
		push	[ebp+var_248]
		lea	edx, [ebp+var_A8]
		mov	ecx, edi
		push	3
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		mov	eax, [ebp+var_254]
		inc	ebx
		add	[ebp+var_248], 10h
		add	eax, 4
		mov	[ebp+var_254], eax
		cmp	ebx, 2
		jl	loc_8A69C9
		lea	eax, [ebp+var_244]
		mov	[ebp+var_244], 60h
		push	eax
		lea	eax, [ebp+var_210]
		mov	edx, offset ??_C@_1BK@JNOPGJGM@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAt?$AAc?$AAh?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@ ;	"PrefetchRoot"
		push	eax
		push	1
		mov	ecx, edi
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		push	4
		pop	ebx
		lea	eax, [ebp+var_244]
		mov	[ebp+var_244], ebx
		push	eax
		lea	eax, [ebp+var_B0]
		mov	edx, offset ??_C@_1BM@PAENGAEN@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAt?$AAc?$AAh?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@ ; "P"
		push	eax
		push	ebx
		mov	ecx, edi
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		lea	eax, [ebp+var_244]
		mov	[ebp+var_244], ebx
		push	eax
		lea	eax, [ebp+var_218]
		mov	edx, offset ??_C@_1CG@DPODCKAI@?$AAM?$AAa?$AAx?$AAN?$AAu?$AAm?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAT?$AAr?$AAa@NNGAKEGL@
		push	eax
		push	ebx
		mov	ecx, edi
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		lea	eax, [ebp+var_244]
		mov	[ebp+var_244], ebx
		push	eax
		lea	eax, [ebp+var_214]
		mov	edx, offset ??_C@_1CE@EIPBMMNL@?$AAM?$AAa?$AAx?$AAN?$AAu?$AAm?$AAS?$AAa?$AAv?$AAe?$AAd?$AAT?$AAr?$AAa?$AAc@NNGAKEGL@ ; "MaxNumSavedTraces"
		push	eax
		push	ebx
		mov	ecx, edi
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		lea	eax, [ebp+var_244]
		mov	[ebp+var_244], 100h
		push	eax
		lea	eax, [ebp+var_1B0]
		mov	edx, offset ??_C@_1BO@OABOJJKM@?$AAH?$AAo?$AAs?$AAt?$AAi?$AAn?$AAg?$AAA?$AAp?$AAp?$AAL?$AAi?$AAs?$AAt@NNGAKEGL@	; "HostingAppList"
		push	eax
		push	1
		mov	ecx, edi
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		xor	eax, eax
		mov	[ebp+var_B2], ax
		lea	eax, [ebp+var_1B0]
		push	eax		; wchar_t *
		call	__wcsupr
		pop	ecx
		lea	eax, [ebp+var_244]
		mov	[ebp+var_244], ebx
		push	eax
		lea	eax, [ebp+var_AC]
		mov	edx, offset ??_C@_1CA@GHDNPJP@?$AAN?$AAu?$AAm?$AAT?$AAr?$AAa?$AAc?$AAe?$AAP?$AAe?$AAr?$AAi?$AAo?$AAd?$AAs@NNGAKEGL@
		push	eax
		push	ebx
		mov	ecx, edi
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		lea	ecx, [ebp+var_240]
		call	PfSnParametersVerify
		mov	ebx, [ebp+var_258]
		test	eax, eax
		js	short loc_8A6C0C
		push	66h
		pop	ecx
		lea	esi, [ebp+var_240]
		xor	eax, eax
		lea	edi, [ebx+40h]
		rep movsd

loc_8A6C0C:				; CODE XREF: PfSnParametersRead+2C0j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PfSnParametersRead endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpGetParameter(x, x, x, x,	x)
_PfpGetParameter@20 proc near		; CODE XREF: PfpParametersRead+41p
					; PfpParametersRead+6Ep ...

var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 120h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_120], 0
		lea	eax, [ebp+var_120]
		and	[ebp+var_11C], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	esi, ecx
		push	edx
		push	eax
		mov	[ebp+var_118], 110h
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	esi, esi
		jz	short loc_8A6CD2
		lea	eax, [ebp+var_118]
		push	eax
		push	[ebp+var_118]
		lea	eax, [ebp+var_114]
		push	eax
		push	2
		lea	eax, [ebp+var_120]
		push	eax
		push	esi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_8A6C9D

loc_8A6C8C:				; CODE XREF: PfpGetParameter(x,x,x,x,x)+B4j
					; PfpGetParameter(x,x,x,x,x)+BBj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_8A6C9D:				; CODE XREF: PfpGetParameter(x,x,x,x,x)+6Ej
		cmp	[ebp+var_118], 10h
		jb	short loc_8A6CD9
		mov	eax, [ebp+var_110]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_8A6CE0
		mov	esi, [ebp+var_10C]
		cmp	esi, [edi]
		ja	short loc_8A6CE7
		push	esi		; size_t
		lea	eax, [ebp+var_108]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[edi], esi
		xor	eax, eax
		jmp	short loc_8A6C8C
; 

loc_8A6CD2:				; CODE XREF: PfpGetParameter(x,x,x,x,x)+47j
		mov	eax, 0C000000Dh
		jmp	short loc_8A6C8C
; 

loc_8A6CD9:				; CODE XREF: PfpGetParameter(x,x,x,x,x)+88j
		mov	eax, 0C0000001h
		jmp	short loc_8A6C8C
; 

loc_8A6CE0:				; CODE XREF: PfpGetParameter(x,x,x,x,x)+93j
		mov	eax, 0C0000024h
		jmp	short loc_8A6C8C
; 

loc_8A6CE7:				; CODE XREF: PfpGetParameter(x,x,x,x,x)+9Dj
		mov	eax, 0C0000023h
		jmp	short loc_8A6C8C
_PfpGetParameter@20 endp


;  S U B	R O U T	I N E 


; __stdcall PfpParametersVerify(x)
_PfpParametersVerify@4 proc near	; CODE XREF: PfpParametersRead+D9p
		mov	eax, [ecx]
		mov	edx, 0C000000Dh
		test	eax, eax
		js	short loc_8A6D43
		test	eax, 0FFFFFFFCh

loc_8A6CFE:				; CODE XREF: PfpParametersVerify(x)+5Aj
		jnz	short loc_8A6D40
		mov	eax, 10000h
		cmp	[ecx+8], eax
		ja	short loc_8A6D40
		cmp	[ecx+0Ch], eax
		ja	short loc_8A6D40
		mov	eax, [ecx+10h]
		push	esi
		mov	esi, 9C4h
		push	edi
		sub	eax, esi
		mov	edi, 0E09Ch
		cmp	eax, edi
		ja	short loc_8A6D3E
		mov	eax, [ecx+14h]
		sub	eax, 1388h
		cmp	eax, 0D6D8h
		ja	short loc_8A6D3E
		mov	eax, [ecx+18h]
		sub	eax, esi
		cmp	edi, eax
		sbb	eax, eax
		and	edx, eax

loc_8A6D3E:				; CODE XREF: PfpParametersVerify(x)+34j
					; PfpParametersVerify(x)+43j
		pop	edi
		pop	esi

loc_8A6D40:				; CODE XREF: PfpParametersVerify(x):loc_8A6CFEj
					; PfpParametersVerify(x)+1Aj ...
		mov	eax, edx
		retn
; 

loc_8A6D43:				; CODE XREF: PfpParametersVerify(x)+9j
		cmp	eax, 80000000h
		jmp	short loc_8A6CFE
_PfpParametersVerify@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnParametersVerify proc near		; CODE XREF: PfSnParametersRead+2B3p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0093201F SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	ecx, edi
		lea	eax, [esi+30h]

loc_8A6D5B:				; CODE XREF: PfSnParametersVerify+1Dj
		cmp	[eax], di
		jz	short loc_8A6D6E
		inc	ecx
		add	eax, 2
		cmp	ecx, 30h
		jb	short loc_8A6D5B
		jmp	loc_93201F
; 

loc_8A6D6E:				; CODE XREF: PfSnParametersVerify+14j
		push	ebx
		mov	[ebp+var_4], edi
		lea	ebx, [esi+90h]

loc_8A6D78:				; CODE XREF: PfSnParametersVerify+51j
		movzx	eax, word ptr [ebx]
		test	ax, ax
		jz	short loc_8A6DA4
		push	eax		; wchar_t
		call	_towupper
		pop	ecx
		cmp	ax, [ebx]
		jnz	short loc_8A6D9D
		mov	eax, [ebp+var_4]
		add	ebx, 2
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, 80h
		jb	short loc_8A6D78

loc_8A6D9D:				; CODE XREF: PfSnParametersVerify+40j
					; PfSnParametersVerify+62j ...
		mov	ecx, 0C000000Dh
		jmp	short loc_8A6E18
; 

loc_8A6DA4:				; CODE XREF: PfSnParametersVerify+34j
		lea	ecx, [esi+10h]

loc_8A6DA7:				; CODE XREF: PfSnParametersVerify+9Fj
		mov	eax, [esi+edi*4]
		test	eax, eax
		js	short loc_8A6D9D
		cmp	eax, 3
		jge	short loc_8A6D9D
		cmp	dword ptr [ecx-8], 100000h
		ja	short loc_8A6D9D
		cmp	dword ptr [ecx-4], 4000h
		ja	short loc_8A6D9D
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		add	edx, 65A0BC00h
		adc	eax, 1
		cmp	eax, 1
		jb	short loc_8A6DE2
		ja	short loc_8A6D9D
		cmp	edx, 65A0BBFFh
		ja	short loc_8A6D9D

loc_8A6DE2:				; CODE XREF: PfSnParametersVerify+8Cj
		inc	edi
		add	ecx, 10h
		cmp	edi, 2
		jl	short loc_8A6DA7
		mov	eax, 1000h
		cmp	[esi+28h], eax
		ja	short loc_8A6D9D
		cmp	[esi+2Ch], eax
		ja	short loc_8A6D9D
		cmp	dword ptr [esi+190h], 20h
		jnb	short loc_8A6D9D
		mov	eax, [esi+194h]
		dec	eax
		push	9
		pop	ecx
		cmp	ecx, eax
		mov	ecx, 0C000000Dh
		sbb	eax, eax
		and	ecx, eax

loc_8A6E18:				; CODE XREF: PfSnParametersVerify+58j
		pop	ebx

loc_8A6E19:				; CODE XREF: PfSnParametersVerify+8B2DAj
		pop	edi
		mov	eax, ecx
		pop	esi
		leave
		retn
PfSnParametersVerify endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfTStart	proc near		; CODE XREF: PfSetSuperfetchInformation+4D3p
					; PfpParametersPropagate(x)+67p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00932029 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_8], edi
		test	bl, 1
		jz	short loc_8A6E4D
		test	byte_6D46A4, 1
		jz	loc_932029

loc_8A6E4D:				; CODE XREF: PfTStart+1Ej
					; PfTStart+8B20Cj
		test	bl, 2
		jz	short loc_8A6E5F
		test	byte_6D46A4, 1
		jz	loc_932031

loc_8A6E5F:				; CODE XREF: PfTStart+30j
					; PfTStart+8B218j ...
		mov	eax, ebx
		and	eax, 1
		mov	[ebp+var_C], eax
		jz	loc_8A6EFC
		push	424C6650h
		push	8
		lea	ecx, [esi+10h]
		mov	edx, 8000h
		call	PfTAllocateBuffers
		mov	edi, eax
		test	edi, edi
		js	loc_932053
		push	54456650h
		push	2
		lea	ecx, [esi+28h]
		mov	edx, 0A020h
		call	PfTAllocateBuffers
		mov	edi, eax
		test	edi, edi
		js	loc_932053
		lea	eax, [esi+40h]
		push	eax
		push	offset PfTLoggingWorker
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	1FFFFFh
		lea	eax, [ebp+var_8]
		push	eax
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_932053
		xor	edi, edi
		lea	eax, [ebp+arg_0]
		push	edi
		push	eax
		push	edi
		push	ds:_PsThreadType
		mov	[ebp+arg_0], edi
		push	1FFFFFh
		push	[ebp+var_8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	eax, [ebp+arg_0]
		push	edi
		push	[ebp+var_8]
		mov	[esi+40h], eax
		call	ObCloseHandle

loc_8A6EFC:				; CODE XREF: PfTStart+47j
		test	bl, 3
		jz	short loc_8A6F30
		lea	edi, [esi+1A0h]
		cmp	dword ptr [edi], 0
		jnz	short loc_8A6F30
		push	offset ??_C@_1EK@EHHBPNBG@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	edx, edx
		lea	ecx, [ebp+var_18]
		push	edi
		inc	edx
		call	PfpCreateEvent
		mov	edi, eax
		test	edi, edi
		js	loc_932053

loc_8A6F30:				; CODE XREF: PfTStart+DFj PfTStart+EAj
		mov	edi, [ebp+var_C]
		test	edi, edi
		jz	short loc_8A6F65
		lea	ecx, [esi+100h]
		mov	edx, 100000h
		call	_PfFbBufferListUpdateMax@8 ; PfFbBufferListUpdateMax(x,x)
		mov	eax, ds:_KeNumberProcessors
		mov	edx, ds:_KeNumberProcessors
		add	edx, 2
		shl	edx, 0Ch
		lea	eax, ds:4[eax*2]
		push	eax
		call	PfFbBufferListAllocate

loc_8A6F65:				; CODE XREF: PfTStart+115j
		mov	eax, ebx
		and	eax, 2
		mov	[ebp+var_C], eax
		jz	short loc_8A6F9D
		lea	ecx, [esi+0A0h]
		mov	edx, 1000000h
		call	_PfFbBufferListUpdateMax@8 ; PfFbBufferListUpdateMax(x,x)
		mov	eax, ds:_KeNumberProcessors
		mov	edx, ds:_KeNumberProcessors
		add	edx, 7
		shl	edx, 0Fh
		lea	eax, ds:0Eh[eax*2]
		push	eax
		call	PfFbBufferListAllocate

loc_8A6F9D:				; CODE XREF: PfTStart+14Dj
		lea	ecx, [esi+180h]
		call	ExAcquireFastMutex
		test	edi, edi
		jz	short loc_8A6FCE
		mov	eax, dword_6D46B0
		mov	[esi+170h], eax
		call	_PFP_CAN_DO_ACCESS_LOGGING@0 ; PFP_CAN_DO_ACCESS_LOGGING()
		test	eax, eax
		jz	short loc_8A6FCE
		push	2
		mov	edx, offset _PfKernelGlobals
		mov	ecx, esi
		call	_PfTAccessTracingStart@12 ; PfTAccessTracingStart(x,x,x)

loc_8A6FCE:				; CODE XREF: PfTStart+18Aj
					; PfTStart+19Ej
		cmp	[ebp+var_C], 0
		jz	short loc_8A6FDF
		mov	eax, dword_6D46AC
		mov	[esi+178h], eax

loc_8A6FDF:				; CODE XREF: PfTStart+1B2j
		lea	ecx, [esi+180h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		or	[esi+4], ebx
		test	edi, edi
		jz	short loc_8A7017
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock or	[eax], ecx
		xor	edx, edx
		mov	ecx, offset PfCalculateProcessHash
		call	PsEnumProcesses
		push	1
		mov	edx, offset _PfKernelGlobals
		mov	ecx, esi
		call	_PfTAccessTracingStart@12 ; PfTAccessTracingStart(x,x,x)

loc_8A7017:				; CODE XREF: PfTStart+1CFj
		xor	edi, edi

loc_8A7019:				; CODE XREF: PfTStart+8B243j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PfTStart	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfTAllocateBuffers proc	near		; CODE XREF: PfTStart+5Cp PfTStart+7Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00932068 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	eax, edx
		xor	ebx, ebx
		shl	eax, 4
		mov	[ebp+var_8], ebx
		mov	esi, [edi]
		and	esi, 0Fh
		or	esi, eax
		mov	[edi], esi
		cmp	[ebp+arg_0], ebx
		jbe	short loc_8A708C

loc_8A7049:				; CODE XREF: PfTAllocateBuffers+68j
		push	[ebp+arg_4]
		push	edx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_932068
		test	byte ptr [edi],	0Fh
		jnz	short loc_8A70B0
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	ebx
		call	_PfTLbInitialize@12 ; PfTLbInitialize(x,x,x)

loc_8A706E:				; CODE XREF: PfTAllocateBuffers+A7j
		mov	eax, [edi+0Ch]
		mov	edx, [ebp+var_4]
		mov	[esi], eax
		inc	word ptr [edi+0Ah]
		mov	eax, [ebp+var_8]
		inc	dword ptr [edi+4]
		inc	eax
		mov	[edi+0Ch], esi
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+arg_0]
		jb	short loc_8A7049

loc_8A708C:				; CODE XREF: PfTAllocateBuffers+25j
		mov	ecx, edi
		call	_PfTGetFreeBuffer@4 ; PfTGetFreeBuffer(x)
		add	edi, 10h
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	short loc_8A70CB
		mov	[eax], ecx
		mov	[eax+4], edi
		mov	[ecx+4], eax
		mov	[edi], eax

loc_8A70A7:				; CODE XREF: PfTAllocateBuffers+8B04Bj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_8A70B0:				; CODE XREF: PfTAllocateBuffers+3Fj
		push	[ebp+var_4]	; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+4], esi
		mov	[esi], esi
		mov	dword ptr [esi+18h], 800h
		jmp	short loc_8A706E
; 

loc_8A70CB:				; CODE XREF: PfTAllocateBuffers+79j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PfpScenCtxStart(x)
_PfpScenCtxStart@4:			; CODE XREF: PfInitializeSuperfetch()+25p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		push	offset ??_C@_1FA@CHOKCDEG@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@ ; "\\KernelObjects\\SuperfetchScenarioNotify"...
		push	eax
		mov	esi, ecx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esi+28h]
		xor	edx, edx
		push	eax
		lea	ecx, [ebp+var_8]
		call	PfpCreateEvent
		pop	esi
		leave
		retn
PfTAllocateBuffers endp


;  S U B	R O U T	I N E 


; int __fastcall PfSnPrefetchCacheCtxInitialize(void *)
_PfSnPrefetchCacheCtxInitialize@4 proc near ; CODE XREF: PfSnInitializePrefetcher()+80p
		mov	edi, edi
		push	esi
		push	50h		; size_t
		mov	esi, ecx
		push	0		; int
		push	esi		; void *
		call	_memset
		and	dword ptr [esi+4], 0
		lea	eax, [esi+0Ch]
		and	dword ptr [esi+14h], 0
		add	esp, 0Ch
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+18h]
		push	eax
		call	ExInitializeResourceLite
		pop	esi
		retn
_PfSnPrefetchCacheCtxInitialize@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpCreateEvent	proc near		; CODE XREF: PfTStart+101p
					; PfTAllocateBuffers+D8p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00932072 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+40h+var_30], ecx
		push	6
		pop	ecx
		and	[esp+40h+var_34], 0
		lea	edi, [esp+40h+var_18]
		rep stosd
		lea	edi, [esp+40h+var_2C]
		mov	ebx, edx
		stosd
		push	1
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+44h+var_2C]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A72A7
		push	ds:_SeAliasAdminsSid
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeLocalSystemSid
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 20h
		push	6C636144h
		add	esi, eax
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_932072
		push	2		; int
		push	esi		; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A728B
		push	0
		push	ds:_SeAliasAdminsSid
		mov	ecx, edi
		push	1F0003h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_8A728B
		push	0
		push	_SeLocalSystemSid
		mov	ecx, edi
		push	1F0003h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_8A728B
		push	0
		push	edi
		push	1
		lea	eax, [esp+4Ch+var_2C]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_8A728B
		mov	eax, [esp+40h+var_30]
		xor	ecx, ecx
		mov	[esp+40h+var_10], eax
		lea	eax, [esp+40h+var_2C]
		push	ecx
		push	ebx
		mov	[esp+48h+var_8], eax
		mov	ebx, 1F0003h
		lea	eax, [esp+48h+var_18]
		mov	[esp+48h+var_18], 18h
		push	eax
		push	ebx
		lea	eax, [esp+50h+var_34]
		mov	[esp+50h+var_14], ecx
		push	eax
		mov	[esp+54h+var_C], 290h
		mov	[esp+54h+var_4], ecx
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8A728B
		mov	eax, ds:_ExEventObjectType
		lea	ecx, [esp+40h+var_30]
		and	[esp+40h+var_30], 0
		push	0
		push	ecx
		push	0
		push	eax
		push	ebx
		push	[esp+54h+var_34]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	esi, eax
		mov	eax, [esp+40h+var_30]
		mov	[ecx], eax
		test	esi, esi
		js	short loc_8A728B
		xor	esi, esi

loc_8A728B:				; CODE XREF: PfpCreateEvent+84j
					; PfpCreateEvent+A7j ...
		cmp	[esp+40h+var_34], 0
		jz	short loc_8A729B
		push	[esp+40h+var_34]
		call	_ZwClose@4	; ZwClose(x)

loc_8A729B:				; CODE XREF: PfpCreateEvent+160j
		test	edi, edi
		jz	short loc_8A72A7
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A72A7:				; CODE XREF: PfpCreateEvent+3Dj
					; PfpCreateEvent+16Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
PfpCreateEvent	endp


;  S U B	R O U T	I N E 


; int __fastcall PfpScenCtxInitialize(void *)
_PfpScenCtxInitialize@4	proc near	; CODE XREF: PfInitializeSuperfetch()+1Ep
		mov	edi, edi
		push	esi
		push	50h		; size_t
		mov	esi, ecx
		push	0		; int
		push	esi		; void *
		call	_memset
		and	dword ptr [esi+4], 0FFFFFFFCh
		lea	eax, [esi+8]
		add	esp, 0Ch
		push	0
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		pop	esi
		retn
_PfpScenCtxInitialize@4	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PfpRpStart(x)
_PfpRpStart@4	proc near		; CODE XREF: PfpRpInitialize+70j
		xor	edx, edx
		lea	eax, [ecx+50h]
		xchg	edx, [eax]
		or	dword ptr [ecx+60h], 1
		retn
_PfpRpStart@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AslFileMappingCreateFromImageView proc near ; CODE XREF: SdbGetDatabaseMatch+110p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0093207C SIZE 00000050 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		test	edi, edi
		jz	loc_9320C2
		xor	ecx, ecx
		cmp	[edi], cx
		jz	loc_9320C2
		test	ebx, ebx
		jz	loc_9320C2
		cmp	[ebp+arg_0], ecx
		jz	loc_9320C2
		push	ecx
		push	38h
		pop	edx
		mov	[ebx], ecx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8A7395
		mov	edx, edi
		mov	ecx, esi
		call	AslStringDuplicate
		mov	edi, eax
		test	edi, edi
		js	loc_93207C
		mov	eax, [ebp+arg_4]
		lea	edi, [esi+28h]
		xor	ecx, ecx
		xor	edx, edx
		inc	edx
		mov	[esi+30h], edx
		mov	[esi+20h], ecx
		mov	[esi+8], ecx
		mov	[esi+0Ch], ecx
		mov	[esi+14h], ecx
		mov	[esi+24h], cx
		mov	[esi+26h], cl
		mov	ecx, [ebp+arg_0]
		mov	[esi+10h], eax
		mov	[esi+27h], dl
		mov	[esi+18h], ecx
		mov	[esi+1Ch], eax
		test	eax, eax
		jz	short loc_8A739C
		mov	edx, edi
		lea	ecx, [esi+8]
		call	AslpFileMappingGetFileKind
		test	eax, eax
		js	loc_93209B

loc_8A737F:				; CODE XREF: AslFileMappingCreateFromImageView+BAj
					; AslFileMappingCreateFromImageView+8ADD9j
		xor	ecx, ecx
		mov	[ebx], esi
		mov	esi, ecx
		mov	edi, ecx

loc_8A7387:				; CODE XREF: AslFileMappingCreateFromImageView+8ADB2j
		test	esi, esi
		jnz	short loc_8A73A0

loc_8A738B:				; CODE XREF: AslFileMappingCreateFromImageView+B6j
					; AslFileMappingCreateFromImageView+C3j
		mov	eax, edi

loc_8A738D:				; CODE XREF: AslFileMappingCreateFromImageView+8ADE3j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_8A7395:				; CODE XREF: AslFileMappingCreateFromImageView+40j
		mov	edi, 0C0000017h
		jmp	short loc_8A738B
; 

loc_8A739C:				; CODE XREF: AslFileMappingCreateFromImageView+87j
		mov	[edi], edx
		jmp	short loc_8A737F
; 

loc_8A73A0:				; CODE XREF: AslFileMappingCreateFromImageView+A5j
		mov	ecx, esi
		call	AslFileMappingDelete
		jmp	short loc_8A738B
AslFileMappingCreateFromImageView endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AslpFileMappingGetFileKind proc	near	; CODE XREF: AslFileMappingCreateFromImageView+8Ep
					; AslFileMappingCreate+AFCD3p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 009320CC SIZE 00000026 BYTES
; FUNCTION CHUNK AT 00932128 SIZE 00000034 BYTES

		push	18h
		push	offset dword_6A73A8
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	edx, [ecx+8]
		mov	edi, [ecx+0Ch]
		mov	eax, edx
		or	eax, edi
		jz	loc_93214C
		xor	esi, esi
		cmp	[ecx+14h], esi
		jz	loc_93214C
		cmp	edi, esi
		ja	short loc_8A73E7
		jb	loc_9320CC
		cmp	edx, 40h
		jb	loc_9320CC

loc_8A73E7:				; CODE XREF: AslpFileMappingGetFileKind+2Cj
		mov	eax, [ecx+10h]
		mov	[ebp+var_1C], 3
		test	eax, eax
		jz	loc_932128
		cmp	eax, 0FFFFFFFFh
		jz	loc_932128
		mov	[ebp+ms_exc.disabled], esi
		mov	ecx, 5A4Dh
		cmp	[eax], cx
		jnz	short loc_8A743A
		mov	[ebp+var_1C], 4
		mov	ecx, [eax+3Ch]
		lea	ebx, [ecx+4]
		cmp	edi, esi
		ja	short loc_8A7426
		jb	short loc_8A743A
		cmp	edx, ebx
		jb	short loc_8A743A

loc_8A7426:				; CODE XREF: AslpFileMappingGetFileKind+74j
		cmp	dword ptr [eax+ecx], 4550h
		jnz	loc_9320D7
		mov	[ebp+var_1C], 6

loc_8A743A:				; CODE XREF: AslpFileMappingGetFileKind+63j
					; AslpFileMappingGetFileKind+76j ...
		mov	[ebp+var_20], esi

loc_8A743D:				; CODE XREF: sub_932100+23j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8A7444:				; CODE XREF: AslpFileMappingGetFileKind+8AD9Dj
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_1C]
		mov	[edx], ecx
		mov	eax, esi

loc_8A744E:				; CODE XREF: AslpFileMappingGetFileKind+8ADADj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
AslpFileMappingGetFileKind endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepCacheInitialize proc near		; CODE XREF: KsepEngineInitialize+30p
					; KsepEngineInitialize+4Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0093215C SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	3Ch
		pop	ecx
		mov	edi, edx
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_932161
		mov	eax, [ebp+arg_0]
		lea	ecx, [esi+14h]
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	ecx, 6F8h
		mov	[esi+34h], eax
		mov	eax, [ebp+arg_4]
		mov	dword ptr [esi+10h], 100h
		mov	[esi+30h], edi
		mov	[esi+38h], eax
		mov	dword ptr [esi+8], 0DFh
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		xor	ecx, ecx
		mov	[esi+0Ch], eax
		test	eax, eax
		jz	loc_93215C
		cmp	[esi+8], ecx
		jbe	short loc_8A74CB

loc_8A74BA:				; CODE XREF: KsepCacheInitialize+6Bj
		mov	eax, [esi+0Ch]
		lea	eax, [eax+ecx*8]
		inc	ecx
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	ecx, [esi+8]
		jb	short loc_8A74BA

loc_8A74CB:				; CODE XREF: KsepCacheInitialize+5Aj
		and	dword ptr [esi], 0

loc_8A74CE:				; CODE XREF: KsepCacheInitialize+8AD0Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
KsepCacheInitialize endp


;  S U B	R O U T	I N E 


; __stdcall KsepRegistryCloseKey(x)
_KsepRegistryCloseKey@4	proc near	; CODE XREF: KsepMatchInitBiosInfo+1C3p
					; KsepEngineReadFlags+E7p ...
		test	ecx, ecx
		jz	short locret_8A74E7
		push	ecx
		call	_ZwClose@4	; ZwClose(x)
		lock inc dword_6C6FBC

locret_8A74E7:				; CODE XREF: KsepRegistryCloseKey(x)+2j
		retn
_KsepRegistryCloseKey@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepRegistryQueryDWORD proc near	; CODE XREF: KsepEngineReadFlags+7Fp
					; KsepEngineReadFlags+14538p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0093216F SIZE 000000C5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_2C], 0
		and	[ebp+var_28], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		mov	ebx, ecx
		mov	[ebp+var_24], edx
		inc	esi
		push	4
		pop	ecx
		test	ebx, ebx
		jz	loc_93216F

loc_8A751B:				; CODE XREF: KsepRegistryQueryDWORD+8ACBCj
					; KsepRegistryQueryDWORD+8ACD7j
		test	edi, edi
		jz	loc_9321C4

loc_8A7523:				; CODE XREF: KsepRegistryQueryDWORD+8AD0Fj
					; KsepRegistryQueryDWORD+8AD27j
		push	[ebp+var_24]
		and	dword ptr [edi], 0
		lea	eax, [ebp+var_2C]
		push	eax
		mov	[ebp+var_20], 14h
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_20]
		lea	eax, [ebp+var_1C]
		push	eax
		push	2
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_932214

loc_8A755A:				; CODE XREF: KsepRegistryQueryDWORD+8AD3Dj
					; KsepRegistryQueryDWORD+8AD47j
		mov	eax, ecx
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
KsepRegistryQueryDWORD endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepRegistryQueryMULTISZ(x,	x, x, x, x)
_KsepRegistryQueryMULTISZ@20 proc near	; CODE XREF: KsepMatchInitBiosInfo+D7p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; void *
		push	7		; int
		call	KsepRegistryQuerySZ
		pop	ecx
		pop	ebp
		retn	0Ch
_KsepRegistryQueryMULTISZ@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KsepRegistryQuerySZ(int,void *,int,int)
KsepRegistryQuerySZ proc near		; CODE XREF: KsepRegistryQueryMULTISZ(x,x,x,x,x)+11p
					; KsepRegistryQueryDriverShims+AF673p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00932234 SIZE 00000157 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		xor	ecx, ecx
		mov	[ebp+var_C], edi
		xor	esi, esi
		mov	[ebp+var_14], ecx
		inc	esi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], ecx
		push	4
		pop	edx
		test	edi, edi
		jz	loc_932234

loc_8A75B6:				; CODE XREF: KsepRegistryQuerySZ+8ACDFj
					; KsepRegistryQuerySZ+8ACFBj
		cmp	[ebp+arg_4], 0
		jz	loc_93228A

loc_8A75C0:				; CODE XREF: KsepRegistryQuerySZ+8AD35j
					; KsepRegistryQuerySZ+8AD4Cj
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jz	loc_9322DB

loc_8A75CB:				; CODE XREF: KsepRegistryQuerySZ+8AD89j
					; KsepRegistryQuerySZ+8ADA1j
		push	[ebp+var_8]
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	0
		push	2
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jnz	loc_932330
		mov	ecx, [ebp+var_4]
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8A7658
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		lea	eax, [ebp+var_14]
		push	esi
		push	2
		push	eax
		push	[ebp+var_C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_8A7648
		mov	ecx, [esi+8]
		cmp	ecx, [ebp+arg_8]
		ja	short loc_8A765F
		mov	eax, [esi+4]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_8A7666
		push	ecx		; size_t
		lea	eax, [esi+0Ch]
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		mov	eax, [esi+8]
		add	esp, 0Ch
		mov	[ebx], eax

loc_8A7648:				; CODE XREF: KsepRegistryQuerySZ+97j
					; KsepRegistryQuerySZ+DAj ...
		mov	ecx, esi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)

loc_8A764F:				; CODE XREF: KsepRegistryQuerySZ+8ADA8j
					; KsepRegistryQuerySZ+8ADE4j ...
		mov	eax, edi

loc_8A7651:				; CODE XREF: KsepRegistryQuerySZ+D3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_8A7658:				; CODE XREF: KsepRegistryQuerySZ+7Bj
		mov	eax, 0C0000017h
		jmp	short loc_8A7651
; 

loc_8A765F:				; CODE XREF: KsepRegistryQuerySZ+9Fj
		mov	edi, 0C0000023h
		jmp	short loc_8A7648
; 

loc_8A7666:				; CODE XREF: KsepRegistryQuerySZ+A7j
		mov	edi, 0C0000024h
		jmp	short loc_8A7648
KsepRegistryQuerySZ endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepStringAnsiToUnicode(x, x, x, x)
_KsepStringAnsiToUnicode@16 proc near	; CODE XREF: KsepMatchInitCpuInfo(x)+39p
					; KsepMatchInitAcpiOemInfo(x,x,x)+7Fp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		mov	[ebp+var_C], ecx
		mov	word ptr [ebp+var_10], ax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], eax
		movzx	eax, [ebp+arg_4]
		mov	word ptr [ebp+var_8+2],	ax
		mov	word ptr [ebp+var_8], ax
		lea	eax, [ebp+var_8]
		push	0
		push	eax
		lea	eax, [ebp+var_10]
		mov	word ptr [ebp+var_10+2], dx
		push	eax
		call	RtlAnsiStringToUnicodeString
		leave
		retn	8
_KsepStringAnsiToUnicode@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDirectedDripsWorkerRoutine proc near	; DATA XREF: PopDirectedDripsInitializePhase3+31o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0093238B SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]

loc_8A76B6:				; CODE XREF: PopDirectedDripsWorkerRoutine+ACj
		lea	eax, [edi+14h]

loc_8A76B9:				; CODE XREF: PopDirectedDripsWorkerRoutine+24j
					; PopDirectedDripsWorkerRoutine+60j
		push	0
		push	0
		push	0
		push	0
		push	eax
		call	KeWaitForSingleObject
		test	eax, eax
		lea	eax, [edi+14h]
		jnz	short loc_8A76B9
		lea	eax, [edi+8]
		mov	[ebp+var_4], eax
		mov	edi, eax

loc_8A76D6:				; CODE XREF: PopDirectedDripsWorkerRoutine+49j
					; PopDirectedDripsWorkerRoutine+4Dj
		mov	eax, [edi]
		mov	esi, [edi+4]
		mov	edx, esi
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], esi
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_8]
		cmp	eax, ebx
		jnz	short loc_8A76D6
		cmp	edx, esi
		jnz	short loc_8A76D6
		mov	edi, [ebp+arg_0]
		push	esi
		push	ebx
		call	PopDiagTraceDirectedDripsWorker
		mov	eax, ebx
		or	eax, esi
		lea	eax, [edi+14h]
		jz	short loc_8A76B9

loc_8A770A:				; CODE XREF: PopDirectedDripsWorkerRoutine+B2j
		mov	eax, ebx
		or	eax, 0
		jz	loc_93238B
		and	[ebp+var_C], 0
		bsf	ecx, ebx

loc_8A771C:				; CODE XREF: PopDirectedDripsWorkerRoutine+8ACEDj
		xor	eax, eax
		xor	edx, edx
		inc	eax
		call	__allshl
		mov	esi, eax
		mov	ecx, edx
		not	esi
		not	ecx
		and	ebx, esi
		mov	esi, [ebp+var_4]
		and	esi, ecx
		mov	[ebp+var_4], esi
		cmp	eax, 2
		jnz	loc_93239A
		test	edx, edx
		jnz	loc_93239A
		mov	ecx, edi
		call	PopDirectedDripsRefreshDisengageState

loc_8A7750:				; CODE XREF: PopDirectedDripsWorkerRoutine+8AD04j
					; PopDirectedDripsWorkerRoutine+8AD1Aj	...
		mov	eax, ebx
		or	eax, esi
		jz	loc_8A76B6
		jmp	short loc_8A770A
PopDirectedDripsWorkerRoutine endp


;  S U B	R O U T	I N E 


; __stdcall WmipRegistrationWorker(x)
_WmipRegistrationWorker@4 proc near	; DATA XREF: WmipInitializeRegistration(x):loc_AC60F5o
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx

loc_8A7763:				; CODE XREF: WmipRegistrationWorker(x)+9Fj
		call	_WmipEnterSMCritSection@0 ; WmipEnterSMCritSection()
		mov	edi, _WmipRegWorkList
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	short loc_8A779E
		mov	eax, [eax+8]
		cmp	eax, _WmipServiceDeviceObject
		jz	short loc_8A779E
		push	ebx
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	cl, 1
		call	_IoControlPnpDeviceActionQueue@4 ; IoControlPnpDeviceActionQueue(x)
		xor	cl, cl
		call	_IoControlPnpDeviceActionQueue@4 ; IoControlPnpDeviceActionQueue(x)
		call	_WmipEnterSMCritSection@0 ; WmipEnterSMCritSection()

loc_8A779E:				; CODE XREF: WmipRegistrationWorker(x)+17j
					; WmipRegistrationWorker(x)+22j
		mov	eax, _WmipRegWorkList
		cmp	dword ptr [eax+4], offset _WmipRegWorkList
		jnz	short loc_8A7810
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_8A7810
		push	ebx
		mov	_WmipRegWorkList, ecx
		push	offset _WmipSMMutex
		mov	dword ptr [ecx+4], offset _WmipRegWorkList
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	esi, [edi+0Ch]
		test	esi, esi
		jz	short loc_8A77E9
		mov	eax, [edi+8]
		sub	eax, ebx
		jnz	short loc_8A7807
		xor	dl, dl

loc_8A77DB:				; CODE XREF: WmipRegistrationWorker(x)+B2j
		mov	ecx, esi
		call	WmipRegisterOrUpdateDS

loc_8A77E2:				; CODE XREF: WmipRegistrationWorker(x)+AEj
		mov	ecx, esi
		call	WmipUnreferenceRegEntry

loc_8A77E9:				; CODE XREF: WmipRegistrationWorker(x)+74j
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		or	eax, 0FFFFFFFFh
		lock xadd _WmipRegWorkItemCount, eax
		jnz	loc_8A7763
		pop	edi
		pop	esi
		pop	ebx
		retn	4
; 

loc_8A7807:				; CODE XREF: WmipRegistrationWorker(x)+7Bj
		sub	eax, 1
		jnz	short loc_8A77E2
		mov	dl, 1
		jmp	short loc_8A77DB
; 

loc_8A7810:				; CODE XREF: WmipRegistrationWorker(x)+4Ej
					; WmipRegistrationWorker(x)+55j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_WmipRegistrationWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpDeletePropertyWorker proc near	; CODE XREF: _PnpSetGenericStoreProperty(x,x,x,x,x,x,x,x)+1Ep
					; DrvDbDeleteObjectSubKey(x,x,x,x)+14Ep

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 009323FA SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_6C], 0
		cmp	[ebp+arg_8], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_7C], edx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_78], esi
		jnz	loc_932424
		cmp	[ebp+arg_10], 0
		jnz	loc_932424
		test	ebx, ebx
		jnz	loc_9323FA

loc_8A7859:				; CODE XREF: _PnpDeletePropertyWorker+8ABFFj
		push	dword ptr [edi+10h]
		movzx	eax, byte ptr [edi+0Fh]
		push	eax
		movzx	eax, byte ptr [edi+0Eh]
		push	eax
		movzx	eax, byte ptr [edi+0Dh]
		push	eax
		movzx	eax, byte ptr [edi+0Ch]
		push	eax
		movzx	eax, byte ptr [edi+0Bh]
		push	eax
		movzx	eax, byte ptr [edi+0Ah]
		push	eax
		movzx	eax, byte ptr [edi+9]
		push	eax
		movzx	eax, byte ptr [edi+8]
		push	eax
		movzx	eax, word ptr [edi+6]
		push	eax
		movzx	eax, word ptr [edi+4]
		push	eax
		push	dword ptr [edi]	; char
		xor	edi, edi
		lea	eax, [ebp+var_68]
		push	offset ??_C@_1HE@PLLNIKMH@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4@NNGAKEGL@ ;	"{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%"...
		push	800h		; int
		push	edi		; int
		push	edi		; int
		push	30h		; int
		push	eax		; void *
		call	RtlStringCchPrintfExW
		add	esp, 48h
		test	eax, eax
		js	loc_93241A
		mov	edx, [ebp+var_7C]
		lea	eax, [ebp+var_6C]
		push	eax
		push	ecx
		push	edi
		push	6
		lea	eax, [ebp+var_68]
		mov	ecx, esi
		push	eax
		call	_PnpOpenPropertiesKey
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_8A792B
		test	esi, esi
		js	short loc_8A7918
		push	ebx
		lea	eax, [ebp+var_74]
		mov	[ebp+var_74], edi
		push	eax
		mov	[ebp+var_70], edi
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8A78FC
		lea	eax, [ebp+var_74]
		push	eax
		push	[ebp+var_6C]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		mov	edi, eax

loc_8A78FC:				; CODE XREF: _PnpDeletePropertyWorker+D6j
		push	[ebp+var_6C]
		call	_ZwClose@4	; ZwClose(x)
		cmp	edi, 0C0000034h
		jz	short loc_8A792B
		cmp	edi, 0C000017Ch
		jz	short loc_8A792B
		test	edi, edi
		js	short loc_8A7932

loc_8A7918:				; CODE XREF: _PnpDeletePropertyWorker+C0j
					; _PnpDeletePropertyWorker+11Aj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_8A792B:				; CODE XREF: _PnpDeletePropertyWorker+BCj
					; _PnpDeletePropertyWorker+F4j	...
		mov	esi, 0C0000225h
		jmp	short loc_8A7918
; 

loc_8A7932:				; CODE XREF: _PnpDeletePropertyWorker+100j
		mov	esi, edi
		jmp	short loc_8A7918
_PnpDeletePropertyWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmAllocateGenericTableEntry(x, x)
_PiDmAllocateGenericTableEntry@8 proc near ; DATA XREF:	PiDmObjectManagerInit(x,x)+16o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	5A706E50h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_PiDmAllocateGenericTableEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopThermalWorker proc near		; DATA XREF: PopThermalZoneAdd+8Do

var_3E		= byte ptr -3Eh
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0093242E SIZE 0000029C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [esp+50h+var_18]
		stosd
		stosd
		stosd
		stosd
		call	KeQueryInterruptTime
		mov	edi, [ebx+18h]
		mov	esi, eax
		mov	eax, [ebx+1Ch]
		xor	ecx, ecx
		mov	[esp+50h+var_20], eax
		mov	eax, large fs:124h
		mov	[esp+50h+var_3D], cl
		mov	[esp+50h+var_35], cl
		mov	byte ptr [esp+50h+var_34], cl
		dec	word ptr [eax+13Ch]
		mov	[esp+50h+var_2C], ecx
		lea	ecx, [ebx+150h]
		mov	[esp+50h+var_28], esi
		mov	[esp+50h+var_3C], edx
		mov	[esp+50h+var_30], edi
		mov	[esp+50h+var_1C], ecx
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[ebx+154h], eax
		cmp	byte ptr [ebx+22h], 0
		jnz	loc_93242E
		mov	ecx, [esp+50h+var_20]
		push	8
		pop	edx
		mov	eax, [ecx+18h]
		test	eax, eax
		js	loc_8A7C08
		movzx	eax, byte ptr [ebx+20h]
		dec	eax
		cmp	eax, 9		; switch 10 cases
		ja	loc_9325CC	; default
		jmp	ds:off_8A7D3A[eax*4] ; switch jump

loc_8A79FF:				; DATA XREF: PAGE:off_8A7D3Ao
		mov	al, [ebx+26h]	; case 0x2
		mov	[ebx+25h], al
		jmp	short loc_8A7A3C
; 

loc_8A7A07:				; CODE XREF: PopThermalWorker+2ACj
		and	cl, 0FBh

loc_8A7A0A:				; CODE XREF: PopThermalWorker+2B5j
		mov	[ebx+21h], cl

loc_8A7A0D:				; CODE XREF: PopThermalWorker+30Fj
					; PopThermalWorker+39Ej
		mov	eax, [ebx+0B8h]
		cmp	eax, [ebx+30h]
		jnz	loc_932521
		and	cl, 1
		cmp	byte ptr [esp+50h+var_34], 0
		jnz	loc_9324CA
		test	cl, cl
		jnz	loc_9324D2

loc_8A7A32:				; CODE XREF: PopThermalWorker+8AB7Ej
					; PopThermalWorker+8AC61j
		mov	ecx, ebx
		call	PopCheckAndHandleThermalConditions

loc_8A7A39:				; CODE XREF: PopThermalWorker+33Cj
		push	8
		pop	edx

loc_8A7A3C:				; CODE XREF: PopThermalWorker+B7j
					; PopThermalWorker+2BFj ...
		mov	al, [ebx+25h]
		lea	ecx, [ebx+26h]
		cmp	al, [ecx]
		jnz	loc_8A7C8F

loc_8A7A4A:				; CODE XREF: PopThermalWorker+346j
		mov	eax, [ebx+30h]
		cmp	eax, [ebx+34h]
		mov	ah, 1
		jnz	short loc_8A7A58
		mov	ah, [esp+50h+var_35]

loc_8A7A58:				; CODE XREF: PopThermalWorker+104j
		mov	al, [ebx+20h]
		cmp	al, 6
		jz	short loc_8A7AD3
		cmp	al, 0Ah
		jz	loc_8A7C99
		cmp	al, 7
		jz	loc_8A7CB3
		cmp	[esp+50h+var_3D], 0
		jnz	loc_8A7B44
		test	ah, ah
		jnz	loc_9325EB
		mov	ecx, _PopCoolingMode
		movzx	eax, byte ptr [ebx+23h]
		mov	[esp+50h+var_24], ecx
		cmp	eax, ecx
		jnz	loc_8A7CD0
		cmp	byte ptr [ebx+0C4h], 0
		jnz	loc_9325FC
		xor	ecx, ecx
		mov	byte ptr [ebx+20h], 1
		xor	edx, edx
		test	byte ptr [ebx+21h], 1
		jnz	loc_93260B

loc_8A7AB7:				; CODE XREF: PopThermalWorker+8ACC2j
					; PopThermalWorker+8ACE2j ...
		xor	esi, esi
		mov	[esp+50h+var_24], esi
		cmp	_PopThermalPollingMode,	esi
		jnz	loc_93263D

loc_8A7AC9:				; CODE XREF: PopThermalWorker+8AD4Aj
					; PopThermalWorker+8AD53j
		mov	eax, ecx
		or	eax, edx
		jnz	loc_9326A6

loc_8A7AD3:				; CODE XREF: PopThermalWorker+10Fj
					; PopThermalWorker+8AD77j
		push	5Ch
		lea	ecx, [ebx+50h]
		mov	byte ptr [esp+54h+var_3C], 1
		mov	edx, 294080h

loc_8A7AE2:				; CODE XREF: PopThermalWorker+37Dj
		pop	eax
		mov	esi, eax

loc_8A7AE5:				; CODE XREF: PopThermalWorker+209j
					; PopThermalWorker+360j
		push	eax
		push	esi
		push	ecx
		push	[esp+5Ch+var_3C]
		mov	ecx, [ebx+1Ch]
		call	_PopPrepareIoctl@24 ; PopPrepareIoctl(x,x,x,x,x,x)
		mov	ecx, [esp+50h+var_20]
		mov	edx, ecx
		mov	eax, [ecx+60h]
		mov	ecx, [esp+50h+var_30]
		mov	dword ptr [eax-8], offset _PopThermalIrpComplete@12 ; PopThermalIrpComplete(x,x,x)
		mov	[eax-4], ebx
		mov	byte ptr [eax-21h], 0E0h
		call	IofCallDriver

loc_8A7B14:				; CODE XREF: PopThermalWorker+8AAFDj
		mov	eax, [esp+50h+var_1C]
		cmp	dword ptr [eax+4], 0
		jz	short loc_8A7B22
		and	dword ptr [eax+4], 0

loc_8A7B22:				; CODE XREF: PopThermalWorker+1CEj
		xor	edx, edx
		mov	ecx, eax
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esp+50h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_8A7B44:				; CODE XREF: PopThermalWorker+126j
		mov	byte ptr [ebx+20h], 3
		mov	edx, 298088h

loc_8A7B4D:				; CODE XREF: PopThermalWorker+8ACA9j
		push	4
		pop	esi

loc_8A7B50:				; CODE XREF: PopThermalWorker+397j
		mov	byte ptr [esp+50h+var_3C], 1
		xor	eax, eax
		jmp	short loc_8A7AE5
; 

loc_8A7B59:				; CODE XREF: PopThermalWorker+AAj
					; DATA XREF: PAGE:off_8A7D3Ao
		mov	eax, [esp+50h+var_3C] ;	case 0x0
		mov	[ebx+0D4h], eax
		mov	al, [ebx+21h]
		mov	[ebx+0D0h], esi
		test	al, 2
		jnz	short loc_8A7B84
		or	al, 2
		lea	edx, [ebx+398h]
		push	edi
		lea	ecx, [ebx+50h]
		mov	[ebx+21h], al
		call	PopDiagTraceThermalZoneEnumeration

loc_8A7B84:				; CODE XREF: PopThermalWorker+220j
		lea	eax, [esp+50h+var_2C]
		mov	ecx, ebx
		push	eax
		push	[esp+54h+var_3C]
		lea	edx, [esp+58h+var_34]
		push	esi
		call	PopCheckThermalPolicy
		push	0
		push	0
		lea	eax, [ebx+168h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, [esp+50h+var_2C]
		mov	[esp+50h+var_2C], eax

loc_8A7BB1:				; CODE XREF: PopThermalWorker+8AB2Bj
					; PopThermalWorker+8AB45j
		mov	dl, [ebx+25h]
		mov	edi, [ebx+0BCh]
		movzx	esi, byte ptr [ebx+70h]
		movzx	eax, dl
		cmp	edi, eax
		jz	loc_8A7C4C

loc_8A7BC9:				; CODE XREF: PopThermalWorker+315j
					; PopThermalWorker+3A4j
		mov	al, [ebx+0BCh]
		lea	ecx, [ebx+180h]
		mov	[ebx+26h], al
		call	_PopThermalUpdateActiveTimeTracking@8 ;	PopThermalUpdateActiveTimeTracking(x,x)
		mov	al, [ebx+21h]
		mov	[esp+50h+var_3D], 1
		cmp	edi, esi
		jb	loc_8A7CF7

loc_8A7BED:				; CODE XREF: PopThermalWorker+8AB52j
		test	al, 4
		jnz	loc_9324A5

loc_8A7BF5:				; CODE XREF: PopThermalWorker+3E5j
					; PopThermalWorker+8AB4Cj ...
		mov	cl, [ebx+21h]
		cmp	edi, esi
		jnb	loc_8A7A07
		or	cl, 4
		jmp	loc_8A7A0A
; 

loc_8A7C08:				; CODE XREF: PopThermalWorker+96j
		cmp	eax, 0C000009Dh
		jz	loc_8A7A3C
		cmp	eax, 0C0000120h
		jz	loc_8A7A3C
		cmp	byte ptr [ebx+20h], 7
		jnz	loc_932437
		mov	byte ptr [ebx+20h], 1
		jmp	loc_8A7A3C
; 

loc_8A7C31:				; CODE XREF: PopThermalWorker+AAj
					; DATA XREF: PAGE:off_8A7D3Ao
		mov	al, [ebx+70h]	; case 0x5
		mov	[ebx+181h], al
		mov	byte ptr [ebx+20h], 0Ah
		jmp	loc_8A7A3C
; 

loc_8A7C43:				; CODE XREF: PopThermalWorker+AAj
					; DATA XREF: PAGE:off_8A7D3Ao
		mov	byte ptr [ebx+20h], 7 ;	case 0x9
		jmp	loc_8A7A3C
; 

loc_8A7C4C:				; CODE XREF: PopThermalWorker+275j
		mov	cl, [ebx+21h]
		mov	al, cl
		and	al, 4
		cmp	edi, esi
		jnb	loc_8A7CEA
		test	al, al
		jnz	loc_8A7A0D
		jmp	loc_8A7BC9
; 

loc_8A7C68:				; CODE XREF: PopThermalWorker+AAj
					; DATA XREF: PAGE:off_8A7D3Ao
		mov	al, [ebx+24h]	; case 0x1
		mov	ecx, edi
		movzx	edx, al
		mov	[ebx+23h], al
		call	PopDiagTraceThermalCoolingMode
		cmp	_WmiThermalPolicyEventEnabled, 0
		jnz	loc_9325B4

loc_8A7C85:				; CODE XREF: PopThermalWorker+8AC6Ej
		mov	[esp+50h+var_3D], 1
		jmp	loc_8A7A39
; 

loc_8A7C8F:				; CODE XREF: PopThermalWorker+F6j
		mov	[esp+50h+var_3D], 1
		jmp	loc_8A7A4A
; 

loc_8A7C99:				; CODE XREF: PopThermalWorker+113j
		push	8
		pop	esi
		mov	edx, 294098h
		mov	byte ptr [esp+50h+var_3C], 0
		lea	ecx, [ebx+398h]
		mov	eax, esi
		jmp	loc_8A7AE5
; 

loc_8A7CB3:				; CODE XREF: PopThermalWorker+11Bj
					; PopThermalWorker+8ACB8j
		lea	ecx, [ebx+0ACh]
		mov	byte ptr [esp+50h+var_3C], 0
		mov	dword ptr [ecx], 1
		mov	edx, 294094h
		push	18h
		jmp	loc_8A7AE2
; 

loc_8A7CD0:				; CODE XREF: PopThermalWorker+144j
		mov	eax, [esp+50h+var_24]
		lea	ecx, [ebx+24h]
		xor	esi, esi
		mov	byte ptr [ebx+20h], 2
		mov	[ecx], al
		mov	edx, 298084h
		inc	esi
		jmp	loc_8A7B50
; 

loc_8A7CEA:				; CODE XREF: PopThermalWorker+307j
		test	al, al
		jz	loc_8A7A0D
		jmp	loc_8A7BC9
; 

loc_8A7CF7:				; CODE XREF: PopThermalWorker+299j
		test	al, 4
		jnz	loc_932498
		mov	edx, [esp+50h+var_30]
		lea	ecx, [ebx+50h]
		push	0
		push	1
		call	PopDiagTraceActiveCooling
		mov	edx, [esp+50h+var_30]
		lea	ecx, [ebx+50h]
		push	1
		push	1
		call	PopDiagTraceActiveCooling
		mov	eax, [esp+50h+var_28]
		mov	[ebx+0D8h], eax
		mov	eax, [esp+50h+var_3C]
		mov	[ebx+0DCh], eax
		jmp	loc_8A7BF5
PopThermalWorker endp

; 
		db 8Bh,	0FFh
off_8A7D3A	dd offset loc_8A7B59	; DATA XREF: PopThermalWorker+AAr
		dd offset loc_8A7C68	; jump table for switch	statement
		dd offset loc_8A79FF
		dd offset loc_9325C1
		dd offset loc_9325CC
		dd offset loc_8A7C31
		dd offset loc_932450
		dd offset loc_93245A
		dd offset loc_9325CC
		dd offset loc_8A7C43

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPrepareIoctl(x, x, x, x,	x, x)
_PopPrepareIoctl@24 proc near		; CODE XREF: PopThermalWorker+1A1p
					; PopBatteryInitialize(x)+48p ...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	edi, edx
		push	0C00000BBh
		push	ebx
		call	_IoReuseIrp@8	; IoReuseIrp(x,x)
		mov	esi, [ebx+60h]
		cmp	[ebp+arg_0], 0
		setnz	al
		add	al, 0Eh
		mov	[esi-24h], al
		mov	eax, [ebp+arg_8]
		mov	[esi-1Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[esi-18h], edi
		mov	[esi-20h], eax
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	esi
		mov	[ebx+0Ch], eax
		pop	ebx
		pop	ebp
		retn	10h
_PopPrepareIoctl@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopCheckThermalPolicy proc near		; CODE XREF: PopThermalWorker+246p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009326CA SIZE 0000012F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], edx
		push	edi
		mov	edx, 6D546F50h
		mov	ecx, [esi+18h]
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	edi, eax
		xor	ebx, ebx
		mov	[ebp+var_C], edi
		test	edi, edi
		jz	loc_9326CA
		mov	ecx, [edi+0B0h]
		mov	ecx, [ecx+14h]

loc_8A7DD9:				; CODE XREF: PopCheckThermalPolicy+8A928j
		test	ecx, ecx
		jz	loc_9326D1
		mov	ecx, [ecx+4Ch]

loc_8A7DE4:				; CODE XREF: PopCheckThermalPolicy+8A932j
		imul	eax, [esi+0A8h], 0F4240h
		mov	[esi+0C8h], eax
		mov	eax, [esi+6Ch]
		test	eax, eax
		jz	short loc_8A7E06
		mov	edx, [esi+60h]
		cmp	edx, eax
		jnb	loc_9326DB

loc_8A7E06:				; CODE XREF: PopCheckThermalPolicy+55j
		mov	al, bl

loc_8A7E08:				; CODE XREF: PopCheckThermalPolicy+8A94Bj
		mov	[esi+0B2h], al
		mov	eax, [esi+9Ch]
		test	eax, eax
		jnz	loc_9326F4

loc_8A7E1C:				; CODE XREF: PopCheckThermalPolicy+8A95Bj
		mov	al, bl

loc_8A7E1E:				; CODE XREF: PopCheckThermalPolicy+8A955j
		mov	[esi+0B1h], al
		mov	eax, [esi+68h]
		test	eax, eax
		jnz	loc_932704

loc_8A7E2F:				; CODE XREF: PopCheckThermalPolicy+8A96Dj
					; PopCheckThermalPolicy+8A97Aj	...
		movzx	edx, byte ptr [esi+70h]
		mov	eax, ebx
		test	edx, edx
		jz	short loc_8A7E54
		mov	ecx, [esi+60h]
		mov	[ebp+var_8], ecx
		lea	ecx, [esi+74h]
		mov	edi, [ebp+var_8]

loc_8A7E45:				; CODE XREF: PopCheckThermalPolicy+ABj
		cmp	edi, [ecx]
		jnb	short loc_8A7E51
		inc	eax
		add	ecx, 4
		cmp	eax, edx
		jb	short loc_8A7E45

loc_8A7E51:				; CODE XREF: PopCheckThermalPolicy+A3j
		mov	edi, [ebp+var_C]

loc_8A7E54:				; CODE XREF: PopCheckThermalPolicy+93j
		mov	ecx, [ebp+arg_0]
		sub	ecx, [esi+40h]
		mov	edx, [esi+48h]
		mov	[esi+0BCh], eax
		mov	eax, [ebp+arg_4]
		sbb	eax, [esi+44h]
		cmp	eax, ebx
		ja	short loc_8A7E7B
		jb	loc_932736
		cmp	ecx, edx
		jb	loc_932736

loc_8A7E7B:				; CODE XREF: PopCheckThermalPolicy+C7j
		cmp	dword ptr [esi+30h], 64h
		mov	ecx, [esi+60h]
		mov	[ebp+var_8], ecx
		jnz	loc_932749
		mov	eax, [esi+64h]
		test	eax, eax
		jz	short loc_8A7E9A
		cmp	ecx, eax
		jnb	loc_932749

loc_8A7E9A:				; CODE XREF: PopCheckThermalPolicy+ECj
		mov	eax, [ebp+arg_8]
		mov	[esi+0B4h], ebx
		mov	[eax], ebx

loc_8A7EA5:				; CODE XREF: PopCheckThermalPolicy+8A9A0j
					; PopCheckThermalPolicy+8AA50j
		mov	eax, [ebp+var_10]
		mov	[eax], bl
		test	edi, edi
		jz	short loc_8A7EBA
		mov	edx, 6D546F50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_8A7EBA:				; CODE XREF: PopCheckThermalPolicy+108j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
PopCheckThermalPolicy endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceActiveCooling proc near	; CODE XREF: PopThermalWorker+3BCp
					; PopThermalWorker+3CCp ...

var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_AC		= dword	ptr -0ACh
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009327F9 SIZE 00000216 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_12C], eax
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_13C], ebx
		mov	[ebp+var_124], eax
		mov	[ebp+var_128], eax
		mov	[ebp+var_148], eax
		mov	[ebp+var_144], eax
		cmp	_PopDiagHandleRegistered, al
		jnz	loc_9327F9

loc_8A7F10:				; CODE XREF: PopDiagTraceActiveCooling+8A956j
					; PopDiagTraceActiveCooling+8A979j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
PopDiagTraceActiveCooling endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceThermalCoolingMode proc near ; CODE	XREF: PopThermalWorker+325p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00932A0F SIZE 000000FC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_58], ebx
		push	edi
		mov	di, dx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		cmp	_PopDiagHandleRegistered, bl
		jnz	loc_932A0F

loc_8A7F56:				; CODE XREF: PopDiagTraceThermalCoolingMode+8AB05j
					; PopDiagTraceThermalCoolingMode+8ABD2j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTraceThermalCoolingMode endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUEventNotifyDeviceInstancePropertyChange proc	near
					; CODE XREF: PiUEventProcessNotifyEventEntry(x)+32p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00932B0B SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], esi
		cmp	dword ptr [ebx+3Ch], 9
		jnz	short loc_8A7FC6
		push	edi
		mov	ecx, offset _PiUEventClientRegistrationListLock
		call	ExAcquireFastMutex
		lea	ecx, [ebx+50h]
		call	_PiUEventHashStringIntoBucket@4	; PiUEventHashStringIntoBucket(x)
		mov	[ebp+var_10], offset unk_6CC748
		lea	eax, _PiUEventDevInstancePropertyClientList[eax*8]
		mov	[ebp+var_14], eax

loc_8A7FA1:				; CODE XREF: PiUEventNotifyDeviceInstancePropertyChange+50j
		mov	eax, [ebp+esi*4+var_14]
		mov	[ebp+var_C], eax
		mov	edi, [eax]
		cmp	edi, eax
		jnz	loc_932B0B

loc_8A7FB2:				; CODE XREF: PiUEventNotifyDeviceInstancePropertyChange+8ABE8j
		inc	esi
		cmp	esi, 2
		jb	short loc_8A7FA1
		mov	ecx, offset _PiUEventClientRegistrationListLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	esi, [ebp+var_8]
		pop	edi

loc_8A7FC6:				; CODE XREF: PiUEventNotifyDeviceInstancePropertyChange+15j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
PiUEventNotifyDeviceInstancePropertyChange endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDeferSetInterfaceState proc near	; CODE XREF: IopProcessSetInterfaceState+1BBp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00932B53 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	20207050h
		push	10h
		push	1
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8A802D
		mov	dx, [ebx]
		lea	ecx, [esi+8]
		call	IopAllocateUnicodeString
		mov	edi, eax
		test	edi, edi
		js	loc_932B53
		push	ebx
		lea	eax, [esi+8]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	eax, [ebp+var_4]
		add	eax, 188h
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_8A8034
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi

loc_8A8026:				; CODE XREF: PiDeferSetInterfaceState+66j
					; PiDeferSetInterfaceState+8AB94j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8A802D:				; CODE XREF: PiDeferSetInterfaceState+20j
		mov	edi, 0C000009Ah
		jmp	short loc_8A8026
; 

loc_8A8034:				; CODE XREF: PiDeferSetInterfaceState+4Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PiDeferSetInterfaceState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDmGetReferencedObjectFromProperty(int,int,void *,int,int)
PiDmGetReferencedObjectFromProperty proc near
					; CODE XREF: PiDmObjectProcessPropertyChange+2BAp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00932B65 SIZE 0000009B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_64], edx
		mov	ecx, [ebp+arg_8]
		xor	esi, esi
		push	ebx		; int
		push	ecx		; void *
		mov	[ebp+var_60], ecx
		mov	ecx, edi
		push	eax		; int
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], esi
		mov	[ebx], esi
		call	PiDmObjectGetCachedObjectReference
		mov	esi, eax
		test	esi, esi
		js	loc_932B77
		mov	ecx, [ebx]
		mov	edx, [ecx+14h]
		cmp	edx, [ebp+arg_C]
		jnz	loc_932B65

loc_8A808C:				; CODE XREF: PiDmGetReferencedObjectFromProperty+8AB38j
					; PiDmGetReferencedObjectFromProperty+8AB43j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
PiDmGetReferencedObjectFromProperty endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 681. FsRtlVolumeDeviceToCorrelationId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlVolumeDeviceToCorrelationId(x,	x)
		public _FsRtlVolumeDeviceToCorrelationId@8
_FsRtlVolumeDeviceToCorrelationId@8 proc near

var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+14h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		lea	edi, [esp+20h+var_14]
		stosd
		xor	ecx, ecx
		push	ecx
		push	10h
		stosd
		stosd
		stosd
		lea	eax, [esp+28h+var_14]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	offset loc_4D0018
		push	esi
		call	FsRtlIssueDeviceIoControl
		test	eax, eax
		js	short loc_8A8107
		mov	edi, ebx
		lea	esi, [esp+20h+var_14]
		movsd
		movsd
		movsd
		movsd

loc_8A80F3:				; CODE XREF: FsRtlVolumeDeviceToCorrelationId(x,x)+6Aj
		mov	ecx, [esp+20h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_8A8107:				; CODE XREF: FsRtlVolumeDeviceToCorrelationId(x,x)+43j
		push	ebx
		push	esi
		call	_IoVolumeDeviceToGuid@8	; IoVolumeDeviceToGuid(x,x)
		jmp	short loc_8A80F3
_FsRtlVolumeDeviceToCorrelationId@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 533. FsRtlGetSectorSizeInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlGetSectorSizeInformation
FsRtlGetSectorSizeInformation proc near	; CODE XREF: RawQueryVolumeInformation+16EE99p

var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= byte ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= byte ptr -34h
var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00932C00 SIZE 000000E9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	edx, edx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+118h+var_30]
		mov	[esp+118h+var_104], ebx
		push	90h		; size_t
		rep stosd
		push	edx		; int
		lea	eax, [esp+120h+var_100]
		mov	[esp+120h+var_108], edx
		push	eax		; void *
		mov	[esp+124h+var_68], edx
		mov	[esp+124h+var_5C], edx
		mov	[esp+124h+var_58], edx
		mov	[esp+124h+var_54], edx
		mov	[esp+124h+var_50], edx
		mov	[esp+124h+var_4C], edx
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	edi, esi
		push	7
		pop	ecx
		rep stosd
		xor	edi, edi
		lea	eax, [esp+118h+var_30]
		push	edi
		push	18h
		push	eax
		push	edi
		push	edi
		push	2
		push	70000h
		push	ebx
		call	FsRtlIssueDeviceIoControl
		test	eax, eax
		js	loc_8A8491
		mov	ecx, [esp+118h+var_1C]
		test	ecx, ecx
		jz	loc_932CDF
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	loc_932CDF
		push	2
		pop	ecx
		lea	eax, [esp+118h+var_108]
		mov	[esp+118h+var_68], edi
		push	eax
		push	1Ch
		lea	eax, [esp+120h+var_64]
		mov	[esp+120h+var_6C], edi
		push	eax
		push	0Ch
		lea	eax, [esp+128h+var_70]
		mov	[esp+128h+var_70], 6
		push	eax
		push	ecx
		push	2D1400h
		push	ebx
		mov	[esp+138h+var_5C], edi
		mov	[esp+138h+var_58], edi
		mov	[esp+138h+var_54], edi
		mov	[esp+138h+var_50], edi
		mov	[esp+138h+var_4C], edi
		mov	[esp+138h+var_64], ecx
		mov	[esp+138h+var_60], 1
		call	FsRtlIssueDeviceIoControl
		test	eax, eax
		js	loc_932C02
		mov	eax, [esp+118h+var_108]
		cmp	eax, 1Ch
		jb	loc_932C02
		cmp	[esp+118h+var_64], 1Ch
		jb	loc_932C02
		cmp	[esp+118h+var_60], eax
		jb	loc_932C02
		mov	ebx, [esp+118h+var_54]
		test	ebx, ebx
		jz	loc_932C02
		cmp	ebx, [esp+118h+var_1C]
		jnz	loc_932C02
		mov	ecx, [esp+118h+var_50]
		cmp	ecx, ebx
		jb	loc_932C02
		test	ecx, ecx
		jz	loc_932C02
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	loc_932C02
		xor	edx, edx
		mov	eax, ecx
		div	ebx
		test	edx, edx
		jnz	loc_932C02
		mov	edi, [esp+118h+var_4C]
		mov	eax, edi
		div	ebx
		test	edx, edx
		jnz	loc_932C00
		mov	ebx, [esp+118h+var_1C]

loc_8A82E3:				; CODE XREF: FsRtlGetSectorSizeInformation+8AB29j
		or	dword ptr [esi+18h], 0FFFFFFFFh
		mov	[esi], ebx
		mov	[esi+4], ecx
		mov	[esi+8], ecx
		mov	dword ptr [esi+10h], 3
		mov	[esi+14h], edi
		mov	[esi+0Ch], ebx
		cmp	edi, 0FFFFFFFFh
		jz	loc_932C59
		mov	eax, edi
		mov	[esi+14h], edi
		xor	edx, edx
		div	ecx
		mov	edi, edx
		test	edi, edi
		jnz	loc_932C44

loc_8A8318:				; CODE XREF: FsRtlGetSectorSizeInformation+8AB35j
		mov	ebx, [esp+118h+var_104]
		lea	eax, [esp+118h+var_100]
		xor	ecx, ecx
		push	ecx
		push	90h
		push	eax
		push	ecx
		push	ecx
		push	2
		push	70048h
		push	ebx
		call	FsRtlIssueDeviceIoControl
		test	eax, eax
		js	short loc_8A8371
		push	0
		push	[esp+11Ch+var_50]
		push	[esp+120h+var_F4]
		push	[esp+124h+var_F8]
		call	__allrem
		mov	ecx, eax
		xor	edx, edx
		mov	eax, [esp+118h+var_50]
		sub	eax, ecx
		mov	[esi+18h], ecx
		div	[esp+118h+var_50]
		cmp	edx, edi
		jnz	loc_932C50

loc_8A8371:				; CODE XREF: FsRtlGetSectorSizeInformation+224j
					; FsRtlGetSectorSizeInformation+8AB3Ej	...
		xor	eax, eax
		and	[esp+118h+var_68], 0
		lea	edi, [esp+118h+var_48]
		and	[esp+118h+var_6C], 0
		stosd
		mov	[esp+118h+var_70], 7
		stosd
		stosd
		lea	eax, [esp+118h+var_108]
		push	eax
		push	0Ch
		pop	edi
		push	edi
		lea	eax, [esp+120h+var_48]
		push	eax
		push	edi
		lea	eax, [esp+128h+var_70]
		push	eax
		push	2
		push	2D1400h
		push	ebx
		call	FsRtlIssueDeviceIoControl
		test	eax, eax
		js	short loc_8A83D5
		cmp	[esp+118h+var_40], 0
		mov	eax, [esp+118h+var_108]
		jz	loc_932C62

loc_8A83D5:				; CODE XREF: FsRtlGetSectorSizeInformation+2ABj
					; FsRtlGetSectorSizeInformation+8AB4Ej	...
		xor	eax, eax
		and	[esp+118h+var_68], 0
		lea	edi, [esp+118h+var_3C]
		and	[esp+118h+var_6C], 0
		stosd
		mov	[esp+118h+var_70], 8
		stosd
		stosd
		lea	eax, [esp+118h+var_108]
		push	eax
		push	0Ch
		pop	edi
		push	edi
		lea	eax, [esp+120h+var_3C]
		push	eax
		push	edi
		lea	eax, [esp+128h+var_70]
		push	eax
		push	2
		push	2D1400h
		push	ebx
		call	FsRtlIssueDeviceIoControl
		test	eax, eax
		js	short loc_8A8439
		cmp	[esp+118h+var_34], 0
		mov	eax, [esp+118h+var_108]
		jnz	loc_932C8D

loc_8A8439:				; CODE XREF: FsRtlGetSectorSizeInformation+30Fj
					; FsRtlGetSectorSizeInformation+8AB79j	...
		xor	eax, eax
		and	[esp+118h+var_68], 0
		lea	edi, [esp+118h+var_18]
		and	[esp+118h+var_6C], 0
		stosd
		mov	[esp+118h+var_70], 37h
		stosd
		stosd
		stosd
		lea	eax, [esp+118h+var_108]
		push	eax
		push	10h
		lea	eax, [esp+120h+var_18]
		push	eax
		push	0Ch
		lea	eax, [esp+128h+var_70]
		push	eax
		push	2
		push	2D1400h
		push	ebx
		call	FsRtlIssueDeviceIoControl
		test	eax, eax
		jns	loc_932CB8

loc_8A848F:				; CODE XREF: FsRtlGetSectorSizeInformation+8ABA7j
					; FsRtlGetSectorSizeInformation+8ABBAj	...
		xor	eax, eax

loc_8A8491:				; CODE XREF: FsRtlGetSectorSizeInformation+A1j
					; FsRtlGetSectorSizeInformation+8ABCEj
		mov	ecx, [esp+118h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
FsRtlGetSectorSizeInformation endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 576. FsRtlIssueDeviceIoControl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlIssueDeviceIoControl
FsRtlIssueDeviceIoControl proc near	; CODE XREF: FsRtlVolumeDeviceToCorrelationId(x,x)+3Cp
					; FsRtlGetSectorSizeInformation+9Ap ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 00932CE9 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+20h+var_10]
		stosd
		xor	esi, esi
		push	esi
		push	esi
		mov	[esp+28h+var_18], esi
		stosd
		mov	[esp+28h+var_14], esi
		stosd
		stosd
		lea	eax, [esp+28h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+20h+var_18]
		push	eax
		lea	eax, [esp+24h+var_10]
		push	eax
		push	esi
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_0]
		push	[ebp+arg_4]
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_8A8541
		mov	edx, [ecx+60h]
		mov	al, [ebp+arg_8]
		or	[edx-22h], al
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		call	IofCallDriver
		mov	ecx, eax
		cmp	ecx, 103h
		jz	loc_932CE9

loc_8A8524:				; CODE XREF: FsRtlIssueDeviceIoControl+8A84Dj
		test	ecx, ecx
		js	short loc_8A852F
		mov	edx, [ebp+arg_1C]
		test	edx, edx
		jnz	short loc_8A8539

loc_8A852F:				; CODE XREF: FsRtlIssueDeviceIoControl+78j
					; FsRtlIssueDeviceIoControl+91j
		mov	eax, ecx

loc_8A8531:				; CODE XREF: FsRtlIssueDeviceIoControl+98j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_8A8539:				; CODE XREF: FsRtlIssueDeviceIoControl+7Fj
		mov	eax, [esp+20h+var_14]
		mov	[edx], eax
		jmp	short loc_8A852F
; 

loc_8A8541:				; CODE XREF: FsRtlIssueDeviceIoControl+53j
		mov	eax, 0C000009Ah
		jmp	short loc_8A8531
FsRtlIssueDeviceIoControl endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall DrvDbGetDriverDatabaseMappedProperty(int,wchar_t *,int,void *,int,void	*,int,int)
DrvDbGetDriverDatabaseMappedProperty proc near ; CODE XREF: DrvDbLoadDatabaseNode+EFp
					; DrvDbLoadDatabaseNode+13Ap ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00932D00 SIZE 0000030B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, [ebp+arg_14]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	[esp+28h+var_14], ecx
		xor	ecx, ecx
		push	offset ??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@ ; wchar_t *
		mov	[ebx], ecx
		mov	esi, ecx
		push	edx		; wchar_t *
		mov	[esp+30h+var_8], edx
		mov	[esp+30h+var_C], ecx
		mov	[esp+30h+var_18], ecx
		mov	[eax], ecx
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_932D00
		mov	edi, [ebp+arg_4]
		mov	edx, [edi+10h]
		mov	[esp+28h+var_10], edx
		cmp	edx, 2
		jz	loc_8A864C

loc_8A859C:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+120j
		xor	eax, eax

loc_8A859E:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+6Bj
		mov	eax, off_6B2AC4[esi]
		cmp	[eax+10h], edx
		jz	loc_8A866D

loc_8A85AD:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+13Dj
		add	esi, 4
		cmp	esi, 1Ch
		jb	short loc_8A859E
		xor	ecx, ecx
		mov	eax, ecx
		mov	ebx, ecx
		mov	[esp+28h+var_4], eax
		mov	esi, ecx

loc_8A85C1:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+92j
		mov	ecx, ds:off_4037F8[esi]
		cmp	[ecx+10h], edx
		jz	short loc_8A85DE

loc_8A85CC:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8AA04j
		inc	eax
		add	esi, 18h
		mov	[esp+28h+var_4], eax
		cmp	esi, 120h
		jb	short loc_8A85C1
		jmp	short loc_8A85FD
; 

loc_8A85DE:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+82j
		push	10h		; size_t
		push	edi		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_932F44
		imul	ebx, [esp+28h+var_4], arg_10
		add	ebx, offset off_4037F8

loc_8A85FD:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+94j
		test	ebx, ebx
		jz	loc_932F51
		mov	edi, [esp+28h+var_8]

loc_8A8609:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8AA82j
		cmp	[ebp+arg_0], 0
		mov	eax, [esp+28h+var_18]
		jz	short loc_8A868A
		test	eax, eax
		jnz	loc_932FCF

loc_8A861B:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+164j
					; DrvDbGetDriverDatabaseMappedProperty+8AA8Bj
		mov	edx, [esp+28h+var_C]
		test	edx, edx
		jnz	short loc_8A8626
		mov	edx, [ebp+arg_0]

loc_8A8626:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+D9j
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ebx
		call	DrvDbGetRegValueMappedProperty
		mov	esi, eax

loc_8A863A:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+16Aj
					; DrvDbGetDriverDatabaseMappedProperty+8A7BDj ...
		cmp	[esp+28h+var_C], 0
		jnz	short loc_8A86B4

loc_8A8641:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+175j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_8A864C:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+4Ej
		push	10h		; size_t
		push	offset _DEVPKEY_NODE ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_932D0A
		mov	edx, [esp+28h+var_10]
		jmp	loc_8A859C
; 

loc_8A866D:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+5Fj
		push	10h		; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_932D5C
		mov	edx, [esp+28h+var_10]
		jmp	loc_8A85AD
; 

loc_8A868A:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+C9j
					; DrvDbGetDriverDatabaseMappedProperty+8AA91j
		test	eax, eax
		jnz	loc_932FDE

loc_8A8692:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8AA9Aj
		xor	ecx, ecx
		lea	eax, [esp+28h+var_C]
		push	ecx		; int
		push	eax		; int
		push	ecx		; char
		mov	ecx, [esp+34h+var_14] ;	int
		mov	edx, edi	; wchar_t *
		push	1		; int
		call	DrvDbOpenDriverDatabaseRegKey

loc_8A86A8:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8AABEj
		mov	esi, eax
		test	esi, esi
		jns	loc_8A861B
		jmp	short loc_8A863A
; 

loc_8A86B4:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+F7j
		push	[esp+28h+var_C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_8A8641
DrvDbGetDriverDatabaseMappedProperty endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall DrvDbOpenDriverDatabaseRegKey(int,wchar_t *,int,char,int,int)
DrvDbOpenDriverDatabaseRegKey proc near	; CODE XREF: DrvDbDispatchDriverDatabase+82p
					; DrvDbGetDriverDatabaseMappedProperty+15Bp ...

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 0093300B SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_1], 0
		push	offset ??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@ ; wchar_t *
		push	ebx		; wchar_t *
		mov	edi, ecx
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_93300B
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	_DrvDbFindDatabaseNode@12 ; DrvDbFindDatabaseNode(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_933016
		test	esi, esi
		js	short loc_8A877E

loc_8A870B:				; CODE XREF: DrvDbOpenDriverDatabaseRegKey+8A951j
					; DrvDbOpenDriverDatabaseRegKey+8A983j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, [ebp+var_8]
		push	1
		push	dword ptr [ebx+4Ch]
		call	ExAcquireResourceExclusiveLite
		test	byte ptr [ebx+1Ch], 1
		jz	loc_933048

loc_8A8730:				; CODE XREF: DrvDbOpenDriverDatabaseRegKey+8A99Bj
		mov	eax, [edi]
		mov	edx, [ebx+30h]
		test	eax, eax
		jz	short loc_8A878F
		mov	ecx, [eax+74h]

loc_8A873C:				; CODE XREF: DrvDbOpenDriverDatabaseRegKey+D1j
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		push	0
		push	0
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	byte ptr [ebx+1Ch], 1
		mov	esi, eax
		jz	loc_933060

loc_8A8757:				; CODE XREF: DrvDbOpenDriverDatabaseRegKey+8A9A9j
		test	esi, esi
		js	short loc_8A8762
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	short loc_8A8787

loc_8A8762:				; CODE XREF: DrvDbOpenDriverDatabaseRegKey+99j
					; DrvDbOpenDriverDatabaseRegKey+CDj ...
		mov	ecx, [ebx+4Ch]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		js	loc_93306E

loc_8A877E:				; CODE XREF: DrvDbOpenDriverDatabaseRegKey+49j
					; DrvDbOpenDriverDatabaseRegKey+8A95Aj	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_8A8787:				; CODE XREF: DrvDbOpenDriverDatabaseRegKey+A0j
		mov	dword ptr [eax], 2
		jmp	short loc_8A8762
; 

loc_8A878F:				; CODE XREF: DrvDbOpenDriverDatabaseRegKey+77j
		xor	ecx, ecx
		jmp	short loc_8A873C
DrvDbOpenDriverDatabaseRegKey endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtLockRegistryKey(x)
_NtLockRegistryKey@4 proc near		; DATA XREF: .text:00580FA4o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	esi
		mov	al, [eax+15Ah]
		test	al, al
		jnz	short loc_8A87FE
		call	CmpAcquireShutdownRundown
		test	al, al
		jz	short loc_8A8805
		push	0
		lea	eax, [ebp+var_4]
		mov	edx, 20006h
		push	eax
		push	0
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8A87E4
		mov	ecx, [ebp+var_4]
		call	CmLockKeyForWrite
		mov	esi, eax
		test	esi, esi
		js	short loc_8A87E4
		xor	esi, esi

loc_8A87E4:				; CODE XREF: NtLockRegistryKey(x)+3Ej
					; NtLockRegistryKey(x)+4Cj
		cmp	[ebp+var_4], 0
		jz	short loc_8A87F2
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject

loc_8A87F2:				; CODE XREF: NtLockRegistryKey(x)+54j
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_8A87F7:				; CODE XREF: NtLockRegistryKey(x)+6Fj
					; NtLockRegistryKey(x)+76j
		mov	eax, esi
		pop	esi
		leave
		retn	4
; 

loc_8A87FE:				; CODE XREF: NtLockRegistryKey(x)+19j
		mov	esi, 0C0000061h
		jmp	short loc_8A87F7
; 

loc_8A8805:				; CODE XREF: NtLockRegistryKey(x)+22j
		mov	esi, 0C0000189h
		jmp	short loc_8A87F7
_NtLockRegistryKey@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmLockKeyForWrite proc near		; CODE XREF: NtLockRegistryKey(x)+43p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00933087 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	edx, edx
		and	[ebp+var_C], edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		and	[ebp+var_4], 0
		lea	ecx, [ebp+var_4]
		push	ecx
		push	_CmpSiloContextSlot
		push	eax
		call	PsGetPermanentSiloContext
		cmp	[ebp+var_4], 0
		jz	loc_933087
		push	ebx
		push	edi
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edi, [esi+8]
		xor	edx, edx
		lea	ecx, [edi+18h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	edx, edx
		mov	ecx, esi
		mov	[edi+1Ch], eax
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_9330AD
		mov	eax, [edi+10h]
		cmp	eax, ds:_CmpMasterHive
		jz	loc_933091
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+var_4]
		call	_CmpPerformSiloKeyLockTrackerEnabledCheck@4 ; CmpPerformSiloKeyLockTrackerEnabledCheck(x)
		mov	esi, eax
		test	esi, esi
		js	loc_93309A
		lea	ebx, [ecx+8]
		mov	eax, [ebx]

loc_8A88B0:				; CODE XREF: CmLockKeyForWrite+B3j
		cmp	eax, ebx
		jz	short loc_8A88C1
		cmp	[eax+8], edi
		jz	loc_933098
		mov	eax, [eax]
		jmp	short loc_8A88B0
; 

loc_8A88C1:				; CODE XREF: CmLockKeyForWrite+A6j
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, edi
		call	_CmpCreateSiloKeyLockEntry@4 ; CmpCreateSiloKeyLockEntry(x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_9330CB
		lea	edx, [ebp+var_C]
		mov	ecx, edi
		call	CmpGlobalLockKeyForWrite
		mov	esi, eax
		test	esi, esi
		js	loc_9330AD
		mov	edx, [ebp+var_8]
		mov	eax, [ebp+var_C]
		mov	[edx+0Ch], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_4]
		call	_CmpPerformSiloKeyLockTrackerEnabledCheck@4 ; CmpPerformSiloKeyLockTrackerEnabledCheck(x)
		mov	esi, eax
		test	esi, esi
		js	loc_93309A
		mov	edx, [ebx+4]
		cmp	[edx], ebx
		jnz	short loc_8A899F
		mov	eax, [ebp+var_8]
		mov	[eax+4], edx
		mov	[eax], ebx
		mov	[edx], eax
		xor	edx, edx
		mov	[ebx+4], eax
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, edi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	esi, [edi+24h]
		jmp	short loc_8A8986
; 

loc_8A8960:				; CODE XREF: CmLockKeyForWrite+183j
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	[esi+1Ch], eax
		mov	eax, 100h
		or	[esi+4], ax
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	esi, [esi+24h]

loc_8A8986:				; CODE XREF: CmLockKeyForWrite+152j
		mov	eax, [esi+10h]
		cmp	eax, ds:_CmpMasterHive
		jnz	short loc_8A8960
		xor	esi, esi

loc_8A8993:				; CODE XREF: CmLockKeyForWrite+8A8ADj
					; CmLockKeyForWrite+8A8BAj
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		pop	edi
		pop	ebx

loc_8A899A:				; CODE XREF: CmLockKeyForWrite+8A880j
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_8A899F:				; CODE XREF: CmLockKeyForWrite+126j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
CmLockKeyForWrite endp			; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall CmpPerformSiloKeyLockTrackerEnabledCheck(x)
_CmpPerformSiloKeyLockTrackerEnabledCheck@4 proc near ;	CODE XREF: CmLockKeyForWrite+90p
					; CmLockKeyForWrite+112p
		mov	eax, [ecx+4]
		test	al, 2
		jnz	short loc_8A89BF
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFF45h
		add	eax, 0C00000BBh
		retn
; 

loc_8A89BF:				; CODE XREF: CmpPerformSiloKeyLockTrackerEnabledCheck(x)+5j
		mov	eax, 0C0000189h
		retn
_CmpPerformSiloKeyLockTrackerEnabledCheck@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


CmpGlobalLockKeyForWrite proc near	; CODE XREF: CmLockKeyForWrite+DFp

; FUNCTION CHUNK AT 009330D2 SIZE 00000024 BYTES

		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	ebx, edx
		mov	edi, ecx
		nop
		xor	edx, edx
		mov	ecx, offset _CmpKeyLockTracker
		call	ExAcquirePushLockSharedEx
		mov	esi, dword_6CDF64
		mov	eax, offset dword_6CDF64

loc_8A89F2:				; CODE XREF: CmpGlobalLockKeyForWrite+3Bj
		cmp	esi, eax
		jz	short loc_8A8A03
		cmp	[esi+0Ch], edi
		jz	loc_9330D2
		mov	esi, [esi]
		jmp	short loc_8A89F2
; 

loc_8A8A03:				; CODE XREF: CmpGlobalLockKeyForWrite+2Ej
					; CmpGlobalLockKeyForWrite+8A70Ej
		xor	edx, edx
		mov	ecx, offset _CmpKeyLockTracker
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, edi
		call	_CmpCreateGlobalKeyLockEntry@4 ; CmpCreateGlobalKeyLockEntry(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8A8A86
		mov	eax, 80h
		or	[edi+4], ax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpKeyLockTracker
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6CDF68
		mov	ecx, offset dword_6CDF64
		cmp	[eax], ecx
		jnz	short loc_8A8A8D
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6CDF68, esi

loc_8A8A66:				; CODE XREF: CmpGlobalLockKeyForWrite+8A720j
					; CmpGlobalLockKeyForWrite+8A72Bj
		xor	edx, edx
		mov	[ebx], esi
		mov	ecx, offset _CmpKeyLockTracker
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax

loc_8A8A82:				; CODE XREF: CmpGlobalLockKeyForWrite+C5j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8A8A86:				; CODE XREF: CmpGlobalLockKeyForWrite+60j
		mov	eax, 0C000009Ah
		jmp	short loc_8A8A82
; 

loc_8A8A8D:				; CODE XREF: CmpGlobalLockKeyForWrite+91j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
CmpGlobalLockKeyForWrite endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall CmpCreateGlobalKeyLockEntry(x)
_CmpCreateGlobalKeyLockEntry@4 proc near ; CODE	XREF: CmpGlobalLockKeyForWrite+57p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		call	CmpReferenceKeyControlBlockUnsafe
		push	33374D43h
		push	10h
		xor	ecx, ecx
		pop	edx
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8A8AC9
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		mov	dword ptr [esi+8], 1
		mov	[esi+0Ch], edi

loc_8A8AC4:				; CODE XREF: CmpCreateGlobalKeyLockEntry(x)+3Ej
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_8A8AC9:				; CODE XREF: CmpCreateGlobalKeyLockEntry(x)+1Fj
		mov	ecx, edi
		call	CmpDereferenceKeyControlBlockUnsafe
		jmp	short loc_8A8AC4
_CmpCreateGlobalKeyLockEntry@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpCreateSiloKeyLockEntry(x)
_CmpCreateSiloKeyLockEntry@4 proc near	; CODE XREF: CmLockKeyForWrite+CAp
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		call	CmpReferenceKeyControlBlockUnsafe
		push	34374D43h
		push	10h
		xor	ecx, ecx
		pop	edx
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8A8B05
		push	edi
		mov	edi, esi
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		mov	[esi+8], ebx
		pop	edi

loc_8A8B00:				; CODE XREF: CmpCreateSiloKeyLockEntry(x)+3Aj
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_8A8B05:				; CODE XREF: CmpCreateSiloKeyLockEntry(x)+1Fj
		mov	ecx, ebx
		call	CmpDereferenceKeyControlBlockUnsafe
		jmp	short loc_8A8B00
_CmpCreateSiloKeyLockEntry@4 endp


;  S U B	R O U T	I N E 


PiSwProcessParentStartIrp proc near	; CODE XREF: PnpDeviceCompletionProcessCompletedRequest+9Ep
					; PnpStartDeviceNode+92DF5p

; FUNCTION CHUNK AT 009330F6 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		test	esi, esi
		jz	short loc_8A8B6C
		mov	eax, [esi+0B0h]
		mov	ebx, [eax+14h]

loc_8A8B24:				; CODE XREF: PiSwProcessParentStartIrp+60j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiSwLockObj
		call	ExAcquireResourceExclusiveLite
		lea	ecx, [ebx+14h]
		call	_PiSwFindBusRelations@4	; PiSwFindBusRelations(x)
		test	eax, eax
		jnz	short loc_8A8B70

loc_8A8B4A:				; CODE XREF: PiSwProcessParentStartIrp+65j
		mov	ecx, offset _PiSwLockObj
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	edi, edi
		jnz	loc_9330F6

loc_8A8B68:				; CODE XREF: PiSwProcessParentStartIrp+8A5F0j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8A8B6C:				; CODE XREF: PiSwProcessParentStartIrp+Bj
		mov	ebx, edi
		jmp	short loc_8A8B24
; 

loc_8A8B70:				; CODE XREF: PiSwProcessParentStartIrp+3Aj
		lea	edi, [eax+8]
		jmp	short loc_8A8B4A
PiSwProcessParentStartIrp endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxRegQueryValue(x, x, x, x, x,	x)
__PnpCtxRegQueryValue@24 proc near	; CODE XREF: PipUpdateDeviceProducts+236p
					; PipUpdateDeviceProducts+274p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		mov	ecx, edx
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_RegRtlQueryValue
		pop	ebp
		retn	10h
__PnpCtxRegQueryValue@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxRegOpenKey(x, x, x, x, x, x)
__PnpCtxRegOpenKey@24 proc near		; CODE XREF: PipUpdateDeviceProducts+ABp
					; PipUpdateDeviceProducts+20Dp	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ecx, ecx
		jnz	short loc_8A8BA1

loc_8A8B9B:				; CODE XREF: _PnpCtxRegOpenKey(x,x,x,x,x,x)+12j
		pop	ebp
		jmp	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
; 

loc_8A8BA1:				; CODE XREF: _PnpCtxRegOpenKey(x,x,x,x,x,x)+7j
		mov	ecx, [ecx+74h]
		jmp	short loc_8A8B9B
__PnpCtxRegOpenKey@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxRegEnumKey(x, x, x, x, x)
__PnpCtxRegEnumKey@20 proc near		; CODE XREF: PipUpdateDeviceProducts+1EDp
					; PipHardwareConfigExists(x,x)+53p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, edx
		push	ecx
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_4]
		call	_RegRtlEnumKey
		pop	ecx
		pop	ebp
		retn	0Ch
__PnpCtxRegEnumKey@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxRegCreateKey(x, x, x, x, x, x, x, x)
__PnpCtxRegCreateKey@32	proc near	; CODE XREF: PipUpdateDeviceProducts+34Fp
					; IopInitializeBootDrivers+2D236p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ecx, ecx
		jnz	short loc_8A8BE7

loc_8A8BCB:				; CODE XREF: _PnpCtxRegCreateKey(x,x,x,x,x,x,x,x)+28j
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	ecx
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__SysCtxRegCreateKey@36	; _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	18h
; 

loc_8A8BE7:				; CODE XREF: _PnpCtxRegCreateKey(x,x,x,x,x,x,x,x)+7j
		mov	ecx, [ecx+74h]
		jmp	short loc_8A8BCB
__PnpCtxRegCreateKey@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_PnpCtxRegEnumValue(int,void *,int,int,void *,int)
__PnpCtxRegEnumValue@32	proc near	; CODE XREF: PipUpdateDeviceProducts+328p
					; PipResetMatchingFilteredDevices+144D5p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]	; int
		mov	ecx, edx
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_10]	; void *
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; void *
		call	_RegRtlEnumValue
		pop	ebp
		retn	18h
__PnpCtxRegEnumValue@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxRegQueryInfoKey(x, x, x, x, x, x, x)
__PnpCtxRegQueryInfoKey@28 proc	near	; CODE XREF: PipUpdateDeviceProducts+179p
					; PipUpdateDeviceProducts+2AEp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, edx
		push	ecx
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		pop	ecx
		pop	ebp
		retn	14h
__PnpCtxRegQueryInfoKey@28 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxRegCreateTree(x, x, x, x, x,	x, x, x)
__PnpCtxRegCreateTree@32 proc near	; CODE XREF: PipUpdateDeviceProducts+139p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ecx, ecx
		jnz	short loc_8A8C55

loc_8A8C39:				; CODE XREF: _PnpCtxRegCreateTree(x,x,x,x,x,x,x,x)+28j
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	ecx
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__SysCtxRegCreateTree@36 ; _SysCtxRegCreateTree(x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	18h
; 

loc_8A8C55:				; CODE XREF: _PnpCtxRegCreateTree(x,x,x,x,x,x,x,x)+7j
		mov	ecx, [ecx+74h]
		jmp	short loc_8A8C39
__PnpCtxRegCreateTree@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDevCfgQueryObjectProperties proc near	; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+1A1p
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+297p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00933103 SIZE 00000224 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	ecx, _PiPnpRtlCtx
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_24], eax
		mov	ebx, edi
		mov	[ebp+var_28], ecx
		mov	esi, edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_18], 1
		mov	[ebp+var_8], edi
		mov	[ebp+var_14], edi
		cmp	[ebp+arg_4], ebx
		jnz	short loc_8A8CAE
		push	edi
		push	edi
		lea	edx, [ebp+var_10]
		push	edx
		push	edi
		push	2000001h
		push	[ebp+arg_0]
		mov	edx, eax
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_8A8D72

loc_8A8CAE:				; CODE XREF: PiDevCfgQueryObjectProperties+32j
		mov	[ebp+var_20], edi
		cmp	[ebp+arg_C], ebx
		jbe	loc_8A8D72
		mov	edi, [ebp+arg_8]
		add	edi, 4
		mov	[ebp+var_1C], edi

loc_8A8CC3:				; CODE XREF: PiDevCfgQueryObjectProperties+10Aj
		mov	eax, [edi+0Ch]
		mov	ecx, [edi+4]
		mov	[ebp+var_C], ecx
		test	al, 4
		jnz	loc_933103
		xor	edx, edx
		mov	[ebp+var_4], edx
		mov	edx, [edi+8]

loc_8A8CDC:				; CODE XREF: PiDevCfgQueryObjectProperties+8A4B8j
		mov	[ebp+arg_8], edx
		test	al, 2
		jnz	loc_933117

loc_8A8CE7:				; CODE XREF: PiDevCfgQueryObjectProperties+8A4F3j
		cmp	[ebp+arg_4], 0
		mov	eax, [ebp+arg_4]
		jnz	short loc_8A8CF3
		mov	eax, [ebp+var_10]

loc_8A8CF3:				; CODE XREF: PiDevCfgQueryObjectProperties+94j
		xor	esi, esi
		push	esi
		lea	esi, [ebp+var_8]
		push	esi
		push	edx
		mov	edx, [ebp+var_24]
		push	ecx
		lea	ecx, [ebp+var_18]
		push	ecx
		push	dword ptr [edi-4]
		xor	ecx, ecx
		push	ecx
		mov	ecx, [ebp+var_28]
		push	eax
		push	[ebp+arg_0]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	loc_933152

loc_8A8D23:				; CODE XREF: PiDevCfgQueryObjectProperties+8A52Dj
		cmp	esi, 0C000009Ah
		jz	short loc_8A8D6A
		test	esi, esi
		jns	loc_933199

loc_8A8D33:				; CODE XREF: PiDevCfgQueryObjectProperties+8A558j
					; PiDevCfgQueryObjectProperties+8A641j
		mov	ecx, [ebp+var_4]

loc_8A8D36:				; CODE XREF: PiDevCfgQueryObjectProperties+8A5A7j
					; PiDevCfgQueryObjectProperties+8A5C0j	...
		mov	edx, [ebp+arg_8]

loc_8A8D39:				; CODE XREF: PiDevCfgQueryObjectProperties+8A53Aj
					; PiDevCfgQueryObjectProperties+8A668j
		mov	[edi+10h], esi
		test	esi, esi
		jns	short loc_8A8D54
		test	byte ptr [edi+0Ch], 8
		jnz	loc_9332E0

loc_8A8D4A:				; CODE XREF: PiDevCfgQueryObjectProperties+8A693j
					; PiDevCfgQueryObjectProperties+8A69Dj	...
		test	byte ptr [edi+0Ch], 1
		jnz	short loc_8A8D6A
		xor	eax, eax
		mov	esi, eax

loc_8A8D54:				; CODE XREF: PiDevCfgQueryObjectProperties+E4j
		mov	edx, [ebp+var_20]
		add	edi, 18h
		inc	edx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_20], edx
		cmp	edx, [ebp+arg_C]
		jb	loc_8A8CC3

loc_8A8D6A:				; CODE XREF: PiDevCfgQueryObjectProperties+CFj
					; PiDevCfgQueryObjectProperties+F4j ...
		test	ebx, ebx
		jnz	loc_933319

loc_8A8D72:				; CODE XREF: PiDevCfgQueryObjectProperties+4Ej
					; PiDevCfgQueryObjectProperties+5Aj ...
		cmp	[ebp+var_10], 0
		jz	short loc_8A8D80
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)

loc_8A8D80:				; CODE XREF: PiDevCfgQueryObjectProperties+11Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
PiDevCfgQueryObjectProperties endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpCheckKObject proc near		; CODE XREF: SdbGetDatabaseMatchEx+9Fp
					; SdbGetDatabaseMatchEx+D6p

var_44		= dword	ptr -44h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00933327 SIZE 000001B7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		push	ebx
		push	esi
		push	edi
		push	34h		; size_t
		xor	edi, edi
		mov	[ebp+var_4], edx
		lea	eax, [ebp+var_44]
		mov	ebx, ecx
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+arg_0]
		mov	eax, edi
		add	esp, 0Ch
		mov	[ebp+var_C], edi
		mov	[ebp+var_10], edi
		mov	esi, edi
		mov	edi, [ebx+4]
		mov	[ebp+var_8], eax
		test	edx, edx
		jnz	loc_933327

loc_8A8DC6:				; CODE XREF: SdbpCheckKObject+8A5B8j
		sub	esp, 10h
		mov	[ebp+var_44], 1Ah
		mov	edx, eax
		lea	ecx, [ebp+var_44]
		call	_SdbpCreateSearchDBContext@24 ;	SdbpCreateSearchDBContext(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8A8E9C
		lea	eax, [ebp+var_C]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		push	[ebp+var_4]
		call	SdbpCheckForMatch
		mov	esi, eax
		test	esi, esi
		jz	loc_8A8E9C
		mov	ebx, [ebp+arg_10]
		test	ebx, ebx
		jz	loc_8A8E9C
		mov	eax, [ebx]
		mov	ecx, edi
		mov	edx, [ebp+var_4]
		xor	esi, esi
		push	701Fh
		mov	[ebp+arg_0], eax
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		jnz	loc_933347

loc_8A8E32:				; CODE XREF: SdbpCheckKObject+8A63Dj
		mov	eax, [ebx+4]
		mov	ecx, edi
		mov	edx, [ebp+var_4]
		xor	esi, esi
		push	7022h
		mov	[ebp+arg_0], eax
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		jnz	loc_9333CC

loc_8A8E54:				; CODE XREF: SdbpCheckKObject+8A69Fj
		mov	eax, [ebx+8]
		mov	ecx, edi
		mov	edx, [ebp+var_4]
		xor	esi, esi
		push	7020h
		mov	[ebp+arg_0], eax
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_93342E

loc_8A8E75:				; CODE XREF: SdbpCheckKObject+8A6E6j
		mov	eax, [ebp+arg_10]
		mov	ecx, edi
		mov	edx, [ebp+var_4]
		xor	esi, esi
		push	7021h
		mov	eax, [eax+0Ch]
		mov	[ebp+arg_10], eax
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_933475

loc_8A8E99:				; CODE XREF: SdbpCheckKObject+8A74Fj
		xor	esi, esi
		inc	esi

loc_8A8E9C:				; CODE XREF: SdbpCheckKObject+54j
					; SdbpCheckKObject+76j	...
		lea	ecx, [ebp+var_44]
		call	_SdbpReleaseSearchDBContext@4 ;	SdbpReleaseSearchDBContext(x)
		mov	ecx, [ebp+var_8]
		call	AslFileMappingDelete
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
SdbpCheckKObject endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpCheckForMatch proc near		; CODE XREF: SdbpCheckKObject+6Dp
					; SdbpCheckExe(x,x,x,x,x,x,x,x)+24p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009334DE SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], ecx
		xor	esi, esi
		mov	edx, ebx
		push	100Dh
		mov	ecx, edi
		mov	[ebp+var_4], esi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	loc_9334DE

loc_8A8EE8:				; CODE XREF: SdbpCheckForMatch+8A62Fj
		mov	edx, ebx
		mov	ecx, edi
		call	SdbpMatchOsVersion
		test	eax, eax
		jz	short loc_8A8F49
		push	ecx
		push	0
		push	[ebp+arg_4]
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		push	ebx
		push	edi
		push	[ebp+var_C]
		call	_SdbpMatchList@32 ; SdbpMatchList(x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_8A8F67
		mov	esi, [ebp+var_4]
		test	esi, esi
		jz	short loc_8A8F67
		push	[ebp+arg_C]
		mov	edx, ebx
		mov	ecx, edi
		call	SdbpGetExeEntryFlags
		test	eax, eax
		jz	short loc_8A8F67
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jz	short loc_8A8F49
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	3001h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	loc_9334EA
		mov	dword ptr [ebx], 2

loc_8A8F49:				; CODE XREF: SdbpCheckForMatch+3Dj
					; SdbpCheckForMatch+74j ...
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax+28h], 0
		jz	short loc_8A8F6B
		cmp	[ebp+var_8], 0
		jnz	short loc_8A8F6B
		xor	ecx, ecx
		inc	ecx

loc_8A8F5B:				; CODE XREF: SdbpCheckForMatch+B7j
		pop	edi
		mov	[eax+28h], ecx
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_8A8F67:				; CODE XREF: SdbpCheckForMatch+56j
					; SdbpCheckForMatch+5Dj ...
		xor	esi, esi
		jmp	short loc_8A8F49
; 

loc_8A8F6B:				; CODE XREF: SdbpCheckForMatch+9Aj
					; SdbpCheckForMatch+A0j
		xor	ecx, ecx
		jmp	short loc_8A8F5B
SdbpCheckForMatch endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpMatchOsVersion proc	near		; CODE XREF: SdbpCheckForMatch+36p

var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009334FF SIZE 00000089 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 134h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	118h		; size_t
		lea	eax, [ebp+var_124]
		mov	[ebp+var_130], edx
		push	0		; int
		xor	esi, esi
		mov	[ebp+var_12C], ecx
		push	eax		; void *
		inc	esi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_128], 11Ch
		lea	eax, [ebp+var_128]
		push	eax
		call	RtlGetVersion
		mov	edi, [ebp+var_124]
		xor	ebx, ebx
		mov	edx, [ebp+var_130]
		mov	ecx, [ebp+var_12C]
		shld	ebx, edi, 10h
		push	501Dh
		shl	edi, 10h
		or	edi, [ebp+var_120]
		shld	ebx, edi, 10h
		shl	edi, 10h
		or	edi, [ebp+var_11C]
		shld	ebx, edi, 10h
		shl	edi, 10h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	loc_9334FF

loc_8A900A:				; CODE XREF: SdbpMatchOsVersion+8A5B1j
		mov	edx, [ebp+var_130]
		mov	ecx, [ebp+var_12C]
		push	501Fh
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	loc_933526

loc_8A9028:				; CODE XREF: SdbpMatchOsVersion+8A5DBj
					; SdbpMatchOsVersion+8A5E2j
		mov	edx, [ebp+var_130]
		mov	ecx, [ebp+var_12C]
		push	501Eh
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	loc_933557

loc_8A9046:				; CODE XREF: SdbpMatchOsVersion+8A60Cj
					; SdbpMatchOsVersion+8A613j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
SdbpMatchOsVersion endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpGetExeEntryFlags proc near		; CODE XREF: SdbpCheckForMatch+66p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00933588 SIZE 0000007E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_1C], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_24], eax
		lea	edi, [ebp+var_18]
		xor	eax, eax
		mov	esi, edx
		stosd
		mov	ebx, ecx
		push	9004h
		mov	[ebp+var_20], esi
		stosd
		stosd
		stosd
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_933588
		push	10h		; int
		lea	ecx, [ebp+var_18]
		mov	edx, eax
		push	ecx		; void *
		mov	ecx, ebx
		call	SdbReadBinaryTag
		test	eax, eax
		jz	loc_933595
		lea	edx, [ebp+var_1C]
		lea	ecx, [ebp+var_18] ; int
		call	SdbGetEntryFlags
		mov	edi, [ebp+var_20]
		neg	eax
		push	700Dh
		sbb	esi, esi
		mov	edx, edi
		and	esi, [ebp+var_1C]
		mov	ecx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	loc_9335B6

loc_8A90DB:				; CODE XREF: SdbpGetExeEntryFlags+8A574j
					; SdbpGetExeEntryFlags+8A588j ...
		push	4032h
		mov	edx, edi
		mov	ecx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	loc_9335F1

loc_8A90F1:				; CODE XREF: SdbpGetExeEntryFlags+8A5A9j
		mov	eax, [ebp+var_24]
		mov	[eax], esi
		xor	eax, eax
		inc	eax

loc_8A90F9:				; CODE XREF: SdbpGetExeEntryFlags+8A559j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
SdbpGetExeEntryFlags endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall SdbGetEntryFlags(int)
SdbGetEntryFlags proc near		; CODE XREF: SdbpGetExeEntryFlags+5Ep
					; SdbReadEntryInformation(x,x,x)+F1p

var_5C		= dword	ptr -5Ch
var_58		= word ptr -58h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00933606 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	ecx		; int
		mov	esi, edx
		lea	ecx, [ebp+var_58] ; wchar_t *
		push	27h
		xor	edi, edi
		pop	edx
		mov	[esi], edi
		call	AslGuidToString
		test	eax, eax
		js	loc_933606
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_5C], edi
		push	eax
		push	1
		lea	edx, [ebp+var_58]
		call	SdbpQueryAppCompatFlagsByExeID
		test	eax, eax
		jns	short loc_8A917C

loc_8A914D:				; CODE XREF: SdbGetEntryFlags+77j
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_5C], edi
		push	eax
		push	edi
		lea	edx, [ebp+var_58]
		call	SdbpQueryAppCompatFlagsByExeID
		mov	ecx, [esi]
		test	eax, eax
		jns	short loc_8A9183

loc_8A9163:				; CODE XREF: SdbGetEntryFlags+7Cj
		and	ecx, 0FFFh
		mov	[esi], ecx

loc_8A916B:				; CODE XREF: SdbGetEntryFlags+8A513j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		xor	ecx, ebp
		inc	eax
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8A917C:				; CODE XREF: SdbGetEntryFlags+41j
		mov	eax, [ebp+var_5C]
		mov	[esi], eax
		jmp	short loc_8A914D
; 

loc_8A9183:				; CODE XREF: SdbGetEntryFlags+57j
		or	ecx, [ebp+var_5C]
		jmp	short loc_8A9163
SdbGetEntryFlags endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbpQueryAppCompatFlagsByExeID proc near ; CODE	XREF: SdbGetEntryFlags+3Ap
					; SdbGetEntryFlags+4Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00933622 SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	ecx
		push	[ebp+arg_0]
		mov	ebx, edx
		lea	ecx, [ebp+var_4]
		push	80000100h
		mov	edx, (offset loc_8C3BF0+2)
		call	AslRegistryGetKey
		mov	esi, eax
		test	esi, esi
		jns	loc_93363E
		cmp	esi, 0C0000034h
		jnz	loc_933622

loc_8A91C7:				; CODE XREF: SdbpQueryAppCompatFlagsByExeID+8A4B1j
					; SdbpQueryAppCompatFlagsByExeID+8A4CEj ...
		cmp	[ebp+var_4], 0
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_8]
		mov	[ecx], eax
		jnz	loc_933684

loc_8A91D9:				; CODE XREF: SdbpQueryAppCompatFlagsByExeID+8A504j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
SdbpQueryAppCompatFlagsByExeID endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AslRegistryGetKey proc near		; CODE XREF: SdbpQueryAppCompatFlagsByExeID+24p
					; AslpProcessMatchRegNode(x,x)+28p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00933691 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		lea	edi, [ebp+var_30]
		mov	edx, ecx
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		xor	edi, edi
		mov	[ebp+var_C], edx
		lea	ecx, [ebp+var_18]
		mov	[edx], edi
		mov	edx, ebx
		mov	[ebp+var_10], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_8], edi
		cmp	[ebp+arg_4], eax
		jnz	short loc_8A9285
		call	AslRegistryBuildUserPath
		mov	esi, eax
		test	esi, esi
		js	loc_9336BF

loc_8A9227:				; CODE XREF: AslRegistryGetKey+ACj
		lea	eax, [ebp+var_18]
		mov	[ebp+var_30], 18h
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+arg_0]
		lea	eax, [ebp+var_8]
		mov	[ebp+var_2C], edi
		push	eax
		mov	[ebp+var_24], 240h
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_9336CD
		cmp	esi, 0C0000034h
		jnz	loc_93369F

loc_8A926A:				; CODE XREF: AslRegistryGetKey+8A4D8j
					; AslRegistryGetKey+8A4F8j
		cmp	[ebp+var_14], edi
		jz	short loc_8A927C
		push	74705041h
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A927C:				; CODE XREF: AslRegistryGetKey+8Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_8A9285:				; CODE XREF: AslRegistryGetKey+34j
		call	AslRegistryBuildMachinePath
		mov	esi, eax
		test	esi, esi
		jns	short loc_8A9227
		jmp	loc_933691
AslRegistryGetKey endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AslRegistryBuildMachinePath proc near	; CODE XREF: AslRegistryGetKey:loc_8A9285p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009336DF SIZE 00000038 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	offset ??_C@_1CE@NMBJJGCH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\"
		lea	eax, [ebp+var_8]
		xor	edi, edi
		push	eax
		mov	ebx, edx
		mov	[ebp+var_8], edi
		mov	esi, ecx
		mov	[ebp+var_4], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, ebx
		xor	eax, eax
		mov	[esi], ax
		lea	edx, [ecx+2]

loc_8A92C4:				; CODE XREF: AslRegistryBuildMachinePath+37j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_8A92C4
		mov	eax, [ebp+var_8]
		sub	ecx, edx
		sar	ecx, 1
		push	ecx
		lea	eax, [eax+ecx*2]
		add	eax, 2
		movzx	edx, ax
		mov	[esi+2], ax
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	[esi+4], eax
		test	eax, eax
		jz	loc_9336DF
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		test	ebx, ebx
		jz	short loc_8A930C
		cmp	word ptr [ebx],	5Ch
		jnz	loc_933707

loc_8A930C:				; CODE XREF: AslRegistryBuildMachinePath+6Aj
					; AslRegistryBuildMachinePath+8A47Cj
		push	ebx		; void *
		push	esi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)

loc_8A9313:				; CODE XREF: AslRegistryBuildMachinePath+8A46Cj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
AslRegistryBuildMachinePath endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AslRegistryBuildUserPath proc near	; CODE XREF: AslRegistryGetKey+36p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00933717 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	eax, eax
		mov	ebx, edx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	edi, ecx
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlFormatCurrentUserKeyPath@4 ; RtlFormatCurrentUserKeyPath(x)
		mov	esi, eax
		test	esi, esi
		js	loc_933717
		mov	ecx, ebx
		xor	eax, eax
		mov	[edi], ax
		xor	esi, esi
		lea	edx, [ecx+2]

loc_8A9350:				; CODE XREF: AslRegistryBuildUserPath+3Fj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_8A9350
		mov	eax, [ebp+var_8]
		sub	ecx, edx
		sar	ecx, 1
		push	ecx
		lea	eax, [eax+ecx*2]
		add	eax, 2
		movzx	edx, ax
		mov	[edi+2], ax
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	[edi+4], eax
		test	eax, eax
		jz	loc_933736
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	ebx		; void *
		push	edi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)

loc_8A9391:				; CODE XREF: AslRegistryBuildUserPath+8A417j
					; AslRegistryBuildUserPath+8A43Aj
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
AslRegistryBuildUserPath endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall AslGuidToString(wchar_t *,int,int)
AslGuidToString	proc near		; CODE XREF: SdbGetEntryFlags+21p
					; SdbpGetCustomSdbFileName(x,x,x)+14p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00933759 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		movzx	eax, byte ptr [esi+0Fh]
		push	eax
		movzx	eax, byte ptr [esi+0Eh]
		push	eax
		movzx	eax, byte ptr [esi+0Dh]
		push	eax
		movzx	eax, byte ptr [esi+0Ch]
		push	eax
		movzx	eax, byte ptr [esi+0Bh]
		push	eax
		movzx	eax, byte ptr [esi+0Ah]
		push	eax
		movzx	eax, byte ptr [esi+9]
		push	eax
		movzx	eax, byte ptr [esi+8]
		push	eax
		movzx	eax, word ptr [esi+6]
		push	eax
		movzx	eax, word ptr [esi+4]
		push	eax
		push	dword ptr [esi]	; char
		push	offset ??_C@_1HM@GHDLPNLE@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAh?$AAx?$AA?9?$AA?$CF?$AA0@NNGAKEGL@ ;	"{%08lx-%04hx-%04hx-%02hx%02hx-%02hx%02h"...
		push	edx		; int
		push	ecx		; wchar_t *
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 38h
		test	esi, esi
		js	loc_933759
		xor	esi, esi

loc_8A93FA:				; CODE XREF: AslGuidToString+8A3D1j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
AslGuidToString	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapViewOfPhysicalSection proc	near	; CODE XREF: MiMapViewOfSection+523p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00933778 SIZE 0000015E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		mov	ebx, ecx
		mov	[esp+40h+var_8], edx
		push	esi
		push	edi
		test	byte ptr [ebx+28h], 2
		jnz	loc_9338CC
		xor	ecx, ecx
		cmp	[ebx+38h], ecx
		jnz	loc_9338CC
		mov	esi, [ebp+arg_4]
		mov	eax, [ebx+3Ch]
		shr	esi, 3
		mov	[esp+48h+var_3C], eax
		cmp	esi, 2
		jz	loc_9338C2
		mov	eax, [ebp+arg_4]
		and	eax, 5
		cmp	al, 5
		jz	loc_9338C2
		cmp	[ebp+arg_4], 18h
		jz	loc_9338C2
		mov	eax, large fs:124h
		mov	edx, 6C646156h
		push	ecx
		push	40h
		push	28h
		mov	[esp+54h+var_1C], ecx
		pop	ecx
		mov	[esp+50h+var_28], eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		mov	[esp+48h+var_4], edi
		test	edi, edi
		jz	loc_933778
		mov	ecx, [ebp+arg_4]
		mov	eax, [edi+1Ch]
		and	ecx, 1Fh
		and	dword ptr [edi+18h], 0
		and	eax, 0FFFFF01Fh
		shl	ecx, 7
		or	ecx, eax
		mov	dword ptr [edi+8], 0FFFFFFFEh
		mov	eax, [ebp+arg_0]
		or	ecx, 100010h
		mov	[edi+1Ch], ecx
		mov	ecx, [eax]
		mov	eax, [eax+4]
		shrd	ecx, eax, 0Ch
		call	_MiSanitizePage@4 ; MiSanitizePage(x)
		mov	edx, [esp+48h+var_3C]
		mov	ecx, [esp+48h+var_28]
		and	[esp+48h+var_14], 0
		or	[esp+48h+var_2C], 0FFFFFFFFh
		mov	[esp+48h+var_30], eax
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		mov	eax, [esp+48h+var_3C]
		test	byte ptr [eax+0FCh], 20h
		jnz	loc_933782
		test	byte ptr [ebx+30h], 1
		mov	eax, [ebp+arg_0]
		jnz	loc_933800
		movzx	eax, word ptr [eax]
		lea	ecx, [esp+48h+var_14]
		add	eax, [ebx+0Ch]
		mov	edx, [ebx]
		push	ecx
		lea	ecx, [esp+4Ch+var_1C]
		mov	[esp+4Ch+var_C], eax
		push	ecx
		push	0
		push	[ebp+arg_4]
		push	ecx
		push	dword ptr [ebx+8]
		mov	ecx, [ebx+14h]
		push	eax
		push	dword ptr [ebx+4]
		call	_MiSelectUserAddress@40	; MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)
		mov	[esp+48h+var_34], eax
		test	eax, eax
		js	loc_93378A
		mov	eax, [ebp+arg_0]
		mov	edx, [esp+48h+var_C]
		mov	ecx, [esp+48h+var_14]
		dec	edx
		add	edx, ecx
		movzx	eax, word ptr [eax]
		add	ecx, eax
		mov	[esp+48h+var_C], ecx
		mov	eax, ecx

loc_8A9546:				; CODE XREF: MiMapViewOfPhysicalSection+8A448j
		mov	ebx, [esp+48h+var_30]
		mov	ecx, ebx
		shr	eax, 0Ch
		shr	edx, 0Ch
		sub	ecx, eax
		add	ecx, edx
		mov	[esp+48h+var_18], edx
		mov	[edi+10h], edx
		xor	edx, edx
		inc	edx
		mov	[esp+48h+var_14], eax
		mov	[edi+0Ch], eax
		mov	[esp+48h+var_10], ecx
		mov	[esp+48h+var_24], edx
		cmp	esi, 3
		jz	loc_93384F
		dec	esi
		neg	esi
		sbb	esi, esi
		and	esi, edx
		mov	[esp+48h+var_24], esi

loc_8A9583:				; CODE XREF: MiMapViewOfPhysicalSection+8A451j
					; MiMapViewOfPhysicalSection+8A45Fj
		or	[esp+48h+var_30], 0FFFFFFFFh
		xor	esi, esi
		mov	[esp+48h+var_20], esi
		mov	eax, ebx
		mov	[esp+48h+var_38], ebx
		cmp	ebx, ecx
		ja	short loc_8A95D6

loc_8A9598:				; CODE XREF: MiMapViewOfPhysicalSection+1D2j
		mov	ecx, eax
		call	_MiIsPfn@4	; MiIsPfn(x)
		mov	ecx, [esp+48h+var_38]
		test	eax, eax
		jnz	short loc_8A95B4
		test	esi, esi
		jz	loc_8A9640

loc_8A95AF:				; CODE XREF: MiMapViewOfPhysicalSection+242j
		inc	esi
		mov	[esp+48h+var_20], esi

loc_8A95B4:				; CODE XREF: MiMapViewOfPhysicalSection+1A3j
		cmp	ecx, [esp+48h+var_10]
		jz	loc_8A9649
		cmp	eax, 1
		jz	loc_8A9649

loc_8A95C7:				; CODE XREF: MiMapViewOfPhysicalSection+249j
					; MiMapViewOfPhysicalSection+28Dj
		mov	eax, [esp+48h+var_38]
		inc	eax
		mov	[esp+48h+var_38], eax
		cmp	eax, [esp+48h+var_10]
		jbe	short loc_8A9598

loc_8A95D6:				; CODE XREF: MiMapViewOfPhysicalSection+194j
		mov	edx, [esp+48h+var_3C]
		push	ecx
		mov	ecx, edi
		call	MiInsertVadCharges
		mov	esi, eax
		mov	[esp+48h+var_34], esi
		test	esi, esi
		js	loc_93378E
		push	ebx
		mov	ebx, [esp+4Ch+var_3C]
		mov	edx, edi
		mov	ecx, ebx
		call	MiInsertViewOfPhysicalSection
		cmp	[esp+48h+var_1C], 0
		jz	short loc_8A9616
		push	[esp+48h+var_1C]
		mov	edx, [esp+4Ch+var_18]
		mov	ecx, [esp+4Ch+var_14]
		call	MiAdvanceVadHint

loc_8A9616:				; CODE XREF: MiMapViewOfPhysicalSection+201j
		test	byte ptr [ebp+arg_4], 2
		jnz	loc_933866

loc_8A9620:				; CODE XREF: MiMapViewOfPhysicalSection+8A46Bj
		mov	ecx, [esp+48h+var_28]
		mov	edx, ebx
		call	UNLOCK_ADDRESS_SPACE

loc_8A962B:				; CODE XREF: MiMapViewOfPhysicalSection+8A4BBj
		mov	ecx, [esp+48h+var_8]
		mov	eax, [esp+48h+var_C]
		mov	[ecx], eax
		xor	eax, eax

loc_8A9637:				; CODE XREF: MiMapViewOfPhysicalSection+8A37Bj
					; MiMapViewOfPhysicalSection+8A3F9j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8A9640:				; CODE XREF: MiMapViewOfPhysicalSection+1A7j
		mov	[esp+48h+var_30], ecx
		jmp	loc_8A95AF
; 

loc_8A9649:				; CODE XREF: MiMapViewOfPhysicalSection+1B6j
					; MiMapViewOfPhysicalSection+1BFj
		test	esi, esi
		jz	loc_8A95C7
		mov	edx, [esp+48h+var_30]
		push	ecx
		push	0
		push	0
		push	[esp+54h+var_24]
		xor	ecx, ecx
		push	esi
		inc	ecx
		call	MiReferenceIoPages
		mov	esi, eax
		mov	[esp+48h+var_34], esi
		test	esi, esi
		js	loc_93378E
		mov	eax, [esp+48h+var_20]
		mov	ecx, [esp+48h+var_30]
		dec	eax
		or	[esp+48h+var_30], 0FFFFFFFFh
		add	eax, ecx
		xor	esi, esi
		mov	[esp+48h+var_2C], eax
		mov	[esp+48h+var_20], esi
		jmp	loc_8A95C7
MiMapViewOfPhysicalSection endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTransMgrCommit(x, x, x)
_CmpTransMgrCommit@12 proc near		; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+1FDp
					; CmpLazyCommitWorker(x)+D1p ...

var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= byte ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_2C		= dword	ptr -2Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_68]
		mov	[ebp+var_58], edx
		stosd
		or	ebx, 0FFFFFFFFh
		push	6
		pop	ecx
		mov	[ebp+var_50], ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		and	[esi], eax
		lea	edi, [ebp+var_44]
		cmp	dword_6B2348, 5
		mov	esi, offset dword_6B2348
		rep stosd
		mov	edi, 0FFF0BDC0h
		mov	[ebp+var_54], edi
		jbe	short loc_8A9703
		push	eax
		push	1
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_8A9703
		lea	eax, [ebp+var_2C]
		push	eax
		push	2
		push	0
		push	0
		push	offset dword_41A9F0
		push	esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_8A9703:				; CODE XREF: CmpTransMgrCommit(x,x,x)+4Aj
					; CmpTransMgrCommit(x,x,x)+58j
		lea	ecx, [ebp+var_44]
		call	CmpAttachToRegistryProcess
		lea	ecx, [ebp+var_68]
		call	_CmpInitializeLightWeightTransaction@4 ; CmpInitializeLightWeightTransaction(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8A977D
		mov	eax, [ebp+var_58]
		mov	[ebp+var_60], eax
		mov	al, 1
		mov	[ebp+var_5C], 1
		mov	[ebp+var_45], al

loc_8A9728:				; CODE XREF: CmpTransMgrCommit(x,x,x)+E7j
		test	al, al
		jnz	short loc_8A9764
		lea	eax, [ebp+var_54]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		shld	ebx, edi, 1
		add	edi, edi
		mov	[ebp+var_50], ebx
		mov	[ebp+var_54], edi
		cmp	ebx, 0FFFFFFFFh
		jl	short loc_8A9768
		jg	short loc_8A9754
		cmp	edi, 0EE1E5D00h
		jbe	short loc_8A9768

loc_8A9754:				; CODE XREF: CmpTransMgrCommit(x,x,x)+B6j
		mov	edi, 0EE1E5D00h
		or	ebx, 0FFFFFFFFh
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], ebx
		jmp	short loc_8A9768
; 

loc_8A9764:				; CODE XREF: CmpTransMgrCommit(x,x,x)+96j
		mov	[ebp+var_45], 0

loc_8A9768:				; CODE XREF: CmpTransMgrCommit(x,x,x)+B4j
					; CmpTransMgrCommit(x,x,x)+BEj	...
		and	[ebp+var_68], 0
		lea	ecx, [ebp+var_68]
		call	_CmpCommitLightWeightTransaction@4 ; CmpCommitLightWeightTransaction(x)
		mov	esi, eax
		mov	al, [ebp+var_45]
		test	esi, esi
		js	short loc_8A9728

loc_8A977D:				; CODE XREF: CmpTransMgrCommit(x,x,x)+83j
		xor	edx, edx
		lea	ecx, [ebp+var_44]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		cmp	dword_6B2348, 5
		jbe	short loc_8A97B8
		xor	ebx, ebx
		mov	edi, offset dword_6B2348
		push	ebx
		push	1
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_8A97B8
		lea	eax, [ebp+var_2C]
		push	eax
		push	2
		push	ebx
		push	ebx
		push	offset word_41A9CE
		push	edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_8A97B8:				; CODE XREF: CmpTransMgrCommit(x,x,x)+FAj
					; CmpTransMgrCommit(x,x,x)+10Fj
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpTransMgrCommit@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTransMgrPrepare proc	near		; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+218p
					; CmpRmUnDoPhase(x)+A0p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009338D6 SIZE 000000B0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_24], edx
		lea	edi, [ebp+var_1C]
		mov	edx, [ebp+arg_0]
		mov	esi, ecx
		push	6
		pop	ecx
		mov	[ebx], al
		and	[edx], eax
		rep stosd
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], ebx
		call	_LOCK_TRANSACTION_LIST@0 ; LOCK_TRANSACTION_LIST()
		mov	edi, [ebp+var_24]
		xor	ebx, ebx
		inc	ebx
		or	[edi+18h], ebx
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		add	edi, 8
		cmp	[edi], edi
		jz	loc_9338D6
		lea	ecx, [ebp+var_1C]
		call	CmpAttachToRegistryProcess
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		and	[ebp+var_20], 0
		lea	edx, [ebp+var_20]
		push	0
		mov	ecx, edi
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jz	short loc_8A9869
		mov	edi, [ebp+var_28]

loc_8A9845:				; CODE XREF: CmpTransMgrPrepare+9Bj
		mov	eax, [eax+18h]
		mov	eax, [eax+10h]
		cmp	[eax+9A0h], esi
		jnz	short loc_8A9855
		inc	dword ptr [edi]

loc_8A9855:				; CODE XREF: CmpTransMgrPrepare+85j
		mov	ecx, [ebp+var_24]
		lea	edx, [ebp+var_20]
		push	0
		lea	ecx, [ecx+8]
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jnz	short loc_8A9845

loc_8A9869:				; CODE XREF: CmpTransMgrPrepare+74j
		mov	esi, [esi+30h]
		test	esi, esi
		jnz	loc_9338E2
		xor	ecx, ecx
		jmp	short loc_8A988E
; 

loc_8A9878:				; CODE XREF: CmpTransMgrPrepare+D8j
		test	byte ptr [edi+64h], 2
		jnz	short loc_8A988C
		mov	edx, [ebp+var_24]
		mov	ecx, edi
		call	_CmpIsHiveBoundToTrans@8 ; CmpIsHiveBoundToTrans(x,x)
		test	al, al
		jnz	short loc_8A98A6

loc_8A988C:				; CODE XREF: CmpTransMgrPrepare+B0j
					; CmpTransMgrPrepare+D6j ...
		mov	ecx, edi

loc_8A988E:				; CODE XREF: CmpTransMgrPrepare+AAj
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8A98C3
		mov	eax, [ebp+var_2C]
		cmp	[edi+9A0h], eax
		jnz	short loc_8A988C
		jmp	short loc_8A9878
; 

loc_8A98A6:				; CODE XREF: CmpTransMgrPrepare+BEj
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, edi
		call	CmpTransMgrSyncHive
		mov	esi, eax
		test	esi, esi
		js	loc_93390C
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		jmp	short loc_8A988C
; 

loc_8A98C3:				; CODE XREF: CmpTransMgrPrepare+CBj
		mov	esi, dword_6B179C
		mov	eax, [esi+20h]
		test	byte ptr [eax+90h], 1
		jz	loc_93391C

loc_8A98D9:				; CODE XREF: CmpTransMgrPrepare+8A1AAj
		xor	esi, esi
		test	bl, bl
		jz	short loc_8A98E4

loc_8A98DF:				; CODE XREF: CmpTransMgrPrepare+8A129j
					; CmpTransMgrPrepare+8A184j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_8A98E4:				; CODE XREF: CmpTransMgrPrepare+111j
					; CmpTransMgrPrepare+8A14Bj ...
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_8A98EE:				; CODE XREF: CmpTransMgrPrepare+8A111j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
CmpTransMgrPrepare endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpIsHiveBoundToTrans(x, x)
_CmpIsHiveBoundToTrans@8 proc near	; CODE XREF: CmpTransMgrPrepare+B7p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, [edx+48h]
		test	edi, edi
		jz	short loc_8A9927
		xor	esi, esi
		test	edi, edi
		jz	short loc_8A9922
		lea	eax, [edx+4Ch]

loc_8A9916:				; CODE XREF: CmpIsHiveBoundToTrans(x,x)+1Ej
		cmp	ecx, [eax]
		jz	short loc_8A9927
		inc	esi
		add	eax, 4
		cmp	esi, edi
		jb	short loc_8A9916

loc_8A9922:				; CODE XREF: CmpIsHiveBoundToTrans(x,x)+Fj
		xor	al, al

loc_8A9924:				; CODE XREF: CmpIsHiveBoundToTrans(x,x)+27j
		pop	edi
		pop	esi
		retn
; 

loc_8A9927:				; CODE XREF: CmpIsHiveBoundToTrans(x,x)+9j
					; CmpIsHiveBoundToTrans(x,x)+16j
		mov	al, 1
		jmp	short loc_8A9924
_CmpIsHiveBoundToTrans@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpTransMgrSyncHive proc near		; CODE XREF: CmpTransMgrPrepare+E1p
					; CmpTransMgrPrepare+8A135p

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00933986 SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		lea	esi, [edi+24h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [edi+20h]
		or	eax, 0FFFFFFFFh
		test	byte ptr [edx+90h], 1
		jnz	short loc_8A99A1
		lea	ebx, [edi+28h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		push	0
		push	20h
		xor	edx, edx
		mov	ecx, edi
		call	HvpMarkDirty
		mov	[ebp+var_1], al
		or	ecx, 0FFFFFFFFh
		lock xadd [ebx], ecx
		test	cl, 2
		jnz	loc_933986

loc_8A9983:				; CODE XREF: CmpTransMgrSyncHive+8A05Dj
					; CmpTransMgrSyncHive+8A06Aj
		mov	ecx, ebx
		call	KeAbPostRelease
		cmp	[ebp+var_1], 0
		jz	loc_93399B
		mov	eax, [edi+20h]
		or	dword ptr [eax+90h], 1
		or	eax, 0FFFFFFFFh

loc_8A99A1:				; CODE XREF: CmpTransMgrSyncHive+29j
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_9339C5

loc_8A99AD:				; CODE XREF: CmpTransMgrSyncHive+8A09Bj
					; CmpTransMgrSyncHive+8A0A8j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		mov	ecx, edi
		call	CmpFlushHive
		mov	edi, eax
		test	edi, edi
		js	short loc_8A99CF

loc_8A99C8:				; CODE XREF: CmpTransMgrSyncHive+A8j
					; CmpTransMgrSyncHive+8A094j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8A99CF:				; CODE XREF: CmpTransMgrSyncHive+9Aj
		mov	edi, 0C000009Ah
		jmp	short loc_8A99C8
CmpTransMgrSyncHive endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSetDeviceSecurityDescriptors(x, x, x, x,	x, x)
_IopSetDeviceSecurityDescriptors@24 proc near ;	CODE XREF: IopGetSetSecurityObject+33Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		mov	ecx, esi
		mov	[ebp+var_4], edi
		xor	ebx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_8A99EF:				; CODE XREF: IopSetDeviceSecurityDescriptors(x,x,x,x,x,x)+4Cj
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	IopSetDeviceSecurityDescriptor
		cmp	esi, edi
		jz	short loc_8A9A2D

loc_8A9A06:				; CODE XREF: IopSetDeviceSecurityDescriptors(x,x,x,x,x,x)+59j
		mov	edi, [esi+10h]
		test	edi, edi
		jz	short loc_8A9A14
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_8A9A14:				; CODE XREF: IopSetDeviceSecurityDescriptors(x,x,x,x,x,x)+35j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	esi, edi
		test	edi, edi
		mov	edi, [ebp+var_4]
		jnz	short loc_8A99EF
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
; 

loc_8A9A2D:				; CODE XREF: IopSetDeviceSecurityDescriptors(x,x,x,x,x,x)+2Ej
		mov	ebx, eax
		jmp	short loc_8A9A06
_IopSetDeviceSecurityDescriptors@24 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2607. WheaAddErrorSourceDeviceDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public WheaAddErrorSourceDeviceDriver
WheaAddErrorSourceDeviceDriver proc near
					; CODE XREF: WheaAddErrorSourceDeviceDriverV1(x,x,x,x)+4Ep

var_3D4		= dword	ptr -3D4h
var_3D0		= dword	ptr -3D0h
var_3CC		= dword	ptr -3CCh
var_3C8		= dword	ptr -3C8h
var_3C4		= dword	ptr -3C4h
var_3C0		= dword	ptr -3C0h
var_3BC		= dword	ptr -3BCh
var_3B8		= dword	ptr -3B8h
var_3B0		= dword	ptr -3B0h
var_3A8		= dword	ptr -3A8h
var_398		= word ptr -398h
var_394		= dword	ptr -394h
var_390		= dword	ptr -390h
var_38C		= dword	ptr -38Ch
var_388		= dword	ptr -388h
var_384		= dword	ptr -384h
var_380		= dword	ptr -380h
var_37C		= dword	ptr -37Ch
var_36C		= dword	ptr -36Ch
var_35C		= dword	ptr -35Ch
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009339D9 SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		sub	esp, 3D4h
		push	ebx
		xor	ebx, ebx
		cmp	[ecx+1Ch], ebx
		jz	loc_933A0A
		cmp	[ecx+20h], ebx
		jz	loc_933A0A
		mov	eax, [ecx]
		dec	eax
		sub	eax, 1
		jnz	loc_933A00
		push	esi
		mov	esi, [ecx+28h]
		push	edi
		mov	edi, [ecx+24h]
		add	esi, 2
		imul	edi, esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], edi
		cmp	byte_6FD8A4, bl
		jnz	short loc_8A9A8D
		push	offset _WheaDeviceDriverDefaultSourceConfig
		push	10h
		call	WheaConfigureErrorSource

loc_8A9A8D:				; CODE XREF: WheaAddErrorSourceDeviceDriver+49j
		push	3CCh		; size_t
		lea	eax, [ebp+var_3D4]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+arg_4]
		add	esp, 0Ch
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_3C0], eax
		mov	[ebp+var_3C4], edi
		lea	edi, [ebp+var_37C]
		mov	ax, [ecx+14h]
		mov	[ebp+var_3BC], esi
		lea	esi, [ecx+2Ch]
		mov	[ebp+var_398], ax
		mov	[ebp+var_3D4], 3CCh
		mov	[ebp+var_3D0], 0Bh
		mov	[ebp+var_3CC], 10h
		mov	[ebp+var_3C8], 1
		mov	[ebp+var_3B8], ebx
		mov	[ebp+var_3B0], ebx
		movsd
		mov	eax, [ecx+1Ch]
		movsd
		movsd
		movsd
		lea	esi, [ecx+3Ch]
		lea	edi, [ebp+var_36C]
		movsd
		movsd
		movsd
		movsd
		lea	esi, [ecx+4]
		lea	edi, [ebp+var_3A8]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+arg_8]
		mov	[ebp+var_388], eax
		mov	eax, [ecx+20h]
		mov	[ebp+var_384], eax
		mov	[ebp+var_380], offset _WheapCorrectErrorSourceDeviceDriver@8 ; WheapCorrectErrorSourceDeviceDriver(x,x)
		mov	[ebp+var_38C], ebx
		mov	[ebp+var_354], ebx
		test	edi, edi
		jz	loc_8A9BF5
		cmp	[ebp+var_4], ebx
		jz	loc_8A9BF5
		mov	ecx, [ecx+24h]
		mov	edx, [ebp+var_8]
		imul	ecx, edx
		call	_WheapDeviceDriverGetPacketLength@8 ; WheapDeviceDriverGetPacketLength(x,x)
		mov	[ebp+arg_8], eax
		mov	esi, 200h
		imul	eax, edi
		push	41454857h
		push	eax
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		imul	ecx, edi, 54h
		mov	ebx, eax
		push	41454857h
		push	ecx
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_8A9BEE
		test	esi, esi
		jz	short loc_8A9BEE
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_394], eax
		mov	[ebp+var_38C], ebx
		mov	eax, [ecx+24h]
		mov	[ebp+var_35C], eax
		mov	eax, [ecx+28h]
		mov	[ebp+var_354], esi
		mov	[ebp+var_358], eax
		mov	[ebp+var_390], edi

loc_8A9BCC:				; CODE XREF: WheaAddErrorSourceDeviceDriver+1C1j
		push	[ebp+arg_0]
		lea	eax, [ebp+var_3D4]
		push	eax
		call	WheaAddErrorSource
		mov	edi, eax
		test	edi, edi
		js	loc_9339D9

loc_8A9BE5:				; CODE XREF: WheaAddErrorSourceDeviceDriver+1BDj
					; WheaAddErrorSourceDeviceDriver+89FB4j ...
		mov	eax, edi
		pop	edi
		pop	esi

loc_8A9BE9:				; CODE XREF: WheaAddErrorSourceDeviceDriver+89FCFj
					; WheaAddErrorSourceDeviceDriver+89FD9j
		pop	ebx
		leave
		retn	0Ch
; 

loc_8A9BEE:				; CODE XREF: WheaAddErrorSourceDeviceDriver+160j
					; WheaAddErrorSourceDeviceDriver+164j
		mov	edi, 0C000009Ah
		jmp	short loc_8A9BE5
; 

loc_8A9BF5:				; CODE XREF: WheaAddErrorSourceDeviceDriver+117j
					; WheaAddErrorSourceDeviceDriver+120j
		mov	esi, ebx
		jmp	short loc_8A9BCC
WheaAddErrorSourceDeviceDriver endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2606. WheaAddErrorSource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public WheaAddErrorSource
WheaAddErrorSource proc	near		; CODE XREF: WheaAddErrorSourceDeviceDriver+1A0p

var_400		= dword	ptr -400h
var_3FC		= dword	ptr -3FCh
var_3F8		= dword	ptr -3F8h
var_3F4		= dword	ptr -3F4h
var_3F0		= dword	ptr -3F0h
var_3EC		= dword	ptr -3ECh
var_3E8		= dword	ptr -3E8h
var_3E4		= dword	ptr -3E4h
var_3E0		= dword	ptr -3E0h
var_3DC		= dword	ptr -3DCh
var_3D8		= dword	ptr -3D8h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00933A14 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 400h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax+8]
		mov	[ebp+var_400], eax
		call	WheapIsNonHestErrorSource
		test	al, al
		jz	loc_933A14
		push	61656857h
		mov	esi, 420h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_933A1E
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	esi, [ebp+var_400]
		lea	edi, [ebx+50h]
		mov	ecx, 0F3h
		add	esp, 0Ch
		rep movsd
		mov	ecx, ebx
		call	WheapInitializeErrorSource
		mov	[ebp+var_3FC], eax
		test	eax, eax
		jnz	loc_933A28
		mov	eax, [ebp+arg_4]
		mov	edx, ebx
		mov	[ebx+28h], eax
		call	_WheapAddErrorSource@8 ; WheapAddErrorSource(x,x)
		and	[ebp+var_3FC], 0
		cmp	_WheapInitializationComplete, 0
		jnz	loc_933A38

loc_8A9CA0:				; CODE XREF: WheaAddErrorSource+89E35j
		mov	ebx, [ebp+var_3FC]

loc_8A9CA6:				; CODE XREF: WheaAddErrorSource+89E1Bj
					; WheaAddErrorSource+89E25j ...
		and	[ebp+var_3EC], 0
		lea	eax, [ebp+var_3F8]
		mov	esi, [ebp+var_400]
		lea	edi, [ebp+var_3D8]
		mov	[ebp+var_3F8], 674C6857h
		mov	ecx, 0F3h
		mov	[ebp+var_3F4], 1
		mov	[ebp+var_3F0], 3F1h
		mov	[ebp+var_3E4], 8000000Ch
		mov	[ebp+var_3E8], 4C4E524Bh
		mov	[ebp+var_3E0], 2
		mov	[ebp+var_3DC], 3D1h
		rep movsd
		push	eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], 0
		call	WheaLogInternalEvent
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
WheaAddErrorSource endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapLogInitEvent()
_WheapLogInitEvent@0 proc near		; CODE XREF: INIT:00AC4559p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		imul	eax, dword_6F9ACC, 420h
		push	ebx
		push	esi
		push	edi
		push	61656857h
		push	eax
		push	200h
		mov	[ebp+var_4C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8A9E80
		mov	eax, dword_6F9AD4
		cmp	eax, offset dword_6F9AD4
		jz	short loc_8A9D90
		mov	edx, ebx

loc_8A9D76:				; CODE XREF: WheapLogInitEvent()+62j
		mov	esi, eax
		mov	edi, edx
		mov	ecx, 108h
		add	edx, 420h
		rep movsd
		mov	eax, [eax]
		cmp	eax, offset dword_6F9AD4
		jnz	short loc_8A9D76

loc_8A9D90:				; CODE XREF: WheapLogInitEvent()+46j
		mov	edi, dword_6B9384
		lea	eax, [ebp+var_50]
		mov	esi, [ebp+var_4C]
		xor	ecx, ecx
		push	4
		pop	edx
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_4C]
		push	offset _EVENT_WHEA_INIT_OP
		mov	[ebp+var_28], eax
		mov	eax, _WheapEtwHandle
		push	edi
		push	eax
		mov	[ebp+var_48], offset dword_6F9ACC
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_50], 0Ah
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_54], eax
		call	EtwEventEnabled
		cmp	al, 1
		jnz	short loc_8A9E10
		lea	eax, [ebp+var_48]
		push	eax
		push	4
		push	0
		push	offset _EVENT_WHEA_INIT_OP
		push	edi
		push	[ebp+var_54]
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	esi, [ebp+var_4C]

loc_8A9E10:				; CODE XREF: WheapLogInitEvent()+C9j
		mov	edi, 61656857h
		lea	eax, [esi+20h]
		push	edi
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8A9E79
		mov	edx, [ebp+var_4C]
		lea	eax, [esi+20h]
		and	dword ptr [esi+0Ch], 0
		mov	dword ptr [esi], 674C6857h
		mov	dword ptr [esi+4], 1
		lea	ecx, [edx+20h]
		mov	dword ptr [esi+14h], 80000002h
		mov	[esi+8], ecx
		mov	dword ptr [esi+10h], 4C4E524Bh
		mov	dword ptr [esi+18h], 2
		mov	[esi+1Ch], edx
		push	[ebp+var_4C]	; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	esi
		call	WheaLogInternalEvent
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A9E79:				; CODE XREF: WheapLogInitEvent()+FCj
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8A9E80:				; CODE XREF: WheapLogInitEvent()+36j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_WheapLogInitEvent@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUEventNotifyDeviceInstanceChange proc	near
					; CODE XREF: PiUEventProcessNotifyEventEntry(x):loc_845282p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00933A5D SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], esi
		mov	eax, [ebx+3Ch]
		sub	eax, 4
		jz	short loc_8A9EB3
		sub	eax, 6
		jz	short loc_8A9EB3
		sub	eax, 1
		jnz	short loc_8A9EF8

loc_8A9EB3:				; CODE XREF: PiUEventNotifyDeviceInstanceChange+17j
					; PiUEventNotifyDeviceInstanceChange+1Cj
		push	edi
		mov	ecx, offset _PiUEventClientRegistrationListLock
		call	ExAcquireFastMutex
		lea	ecx, [ebx+50h]
		call	_PiUEventHashStringIntoBucket@4	; PiUEventHashStringIntoBucket(x)
		mov	[ebp+var_10], offset unk_6CC7C8
		lea	eax, _PiUEventDevInstanceClientList[eax*8]
		mov	[ebp+var_14], eax

loc_8A9ED7:				; CODE XREF: PiUEventNotifyDeviceInstanceChange+58j
		mov	eax, [ebp+esi*4+var_14]
		mov	[ebp+var_C], eax
		mov	edi, [eax]
		cmp	edi, eax
		jnz	short loc_8A9EFE

loc_8A9EE4:				; CODE XREF: PiUEventNotifyDeviceInstanceChange+9Dj
		inc	esi
		cmp	esi, 2
		jb	short loc_8A9ED7
		mov	ecx, offset _PiUEventClientRegistrationListLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	esi, [ebp+var_8]
		pop	edi

loc_8A9EF8:				; CODE XREF: PiUEventNotifyDeviceInstanceChange+21j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8A9EFE:				; CODE XREF: PiUEventNotifyDeviceInstanceChange+52j
					; PiUEventNotifyDeviceInstanceChange+9Bj
		mov	eax, edi
		mov	edi, [edi]
		mov	[ebp+var_4], eax
		cmp	esi, 1
		jb	loc_933A5D

loc_8A9F0E:				; CODE XREF: PiUEventNotifyDeviceInstanceChange+89BE9j
		mov	edx, eax
		mov	ecx, ebx
		call	PiUEventApplyAdditionalFilters
		test	al, al
		jz	short loc_8A9F28
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		call	PiUEventNotifyClient
		mov	[ebp+var_8], eax

loc_8A9F28:				; CODE XREF: PiUEventNotifyDeviceInstanceChange+89j
					; PiUEventNotifyDeviceInstanceChange+89BE0j
		cmp	edi, [ebp+var_C]
		jnz	short loc_8A9EFE
		jmp	short loc_8A9EE4
PiUEventNotifyDeviceInstanceChange endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopQueryLegacyBusInformation proc near	; CODE XREF: PipCallDriverAddDevice+699p

var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00933A7E SIZE 00000045 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		push	9
		mov	esi, ecx
		lea	edi, [ebp+var_28]
		pop	ecx
		xor	eax, eax
		lea	edx, [ebp+var_28]
		rep stosd
		lea	eax, [ebp+var_4]
		mov	word ptr [ebp+var_28], 181Bh
		push	eax
		xor	ebx, ebx
		mov	ecx, esi
		push	ebx
		push	0C00000BBh
		mov	[ebp+var_4], ebx
		call	IopSynchronousCall
		mov	edi, eax
		test	edi, edi
		jns	short loc_8A9F75

loc_8A9F6C:				; CODE XREF: IopQueryLegacyBusInformation+6Fj
					; IopQueryLegacyBusInformation+89B59j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8A9F75:				; CODE XREF: IopQueryLegacyBusInformation+3Aj
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	loc_933A7E
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_8A9F8C
		mov	eax, [ecx+10h]
		mov	[edx], eax

loc_8A9F8C:				; CODE XREF: IopQueryLegacyBusInformation+55j
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_8A9F98
		mov	eax, [ecx+14h]
		mov	[edx], eax

loc_8A9F98:				; CODE XREF: IopQueryLegacyBusInformation+61j
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8A9F6C
IopQueryLegacyBusInformation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpPartitionStart(x)
_ExpPartitionStart@4 proc near		; CODE XREF: ExpWorkerInitialization+B1p

var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_4], ecx
		xor	esi, esi
		push	edi
		cmp	ax, ds:_KeNumberNodes
		jnb	short loc_8AA00F

loc_8A9FBD:				; CODE XREF: ExpPartitionStart(x)+6Bj
		mov	ecx, esi
		movzx	ebx, si
		call	_KeIsNodeInitialized@4 ; KeIsNodeInitialized(x)
		test	al, al
		jz	short loc_8AA016
		mov	ecx, ds:_KeNodeBlock[ebx*4]

loc_8A9FD2:				; CODE XREF: ExpPartitionStart(x)+76j
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		push	0
		stosd
		stosd
		lea	eax, [ebp+var_10]
		push	eax
		movzx	eax, word ptr [ecx+8Ah]
		push	eax
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		cmp	[ebp+var_10], 0
		jz	short loc_8AA005
		mov	eax, [ebp+var_4]
		mov	ecx, [eax+8]
		mov	ecx, [ecx+ebx*4]
		call	_ExpWorkQueueManagerStart@4 ; ExpWorkQueueManagerStart(x)
		test	eax, eax
		js	short loc_8AA011

loc_8AA005:				; CODE XREF: ExpPartitionStart(x)+4Fj
		inc	esi
		cmp	si, ds:_KeNumberNodes
		jb	short loc_8A9FBD

loc_8AA00F:				; CODE XREF: ExpPartitionStart(x)+19j
		xor	eax, eax

loc_8AA011:				; CODE XREF: ExpPartitionStart(x)+61j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8AA016:				; CODE XREF: ExpPartitionStart(x)+27j
		xor	ecx, ecx
		jmp	short loc_8A9FD2
_ExpPartitionStart@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWorkQueueManagerStart(x)
_ExpWorkQueueManagerStart@4 proc near	; CODE XREF: ExpPartitionStart(x)+5Ap
					; ExpNodeHotAddProcessorWorker(x)+2Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		xor	edx, edx
		push	esi
		xor	esi, esi
		inc	edx
		push	edi
		mov	[ebp+var_4], esi
		lea	edi, [ebx+0A8h]
		xor	eax, eax
		lock cmpxchg [edi], edx
		test	eax, eax
		jnz	short loc_8AA065
		mov	eax, [ebx]
		lea	edx, [ebp+var_4]
		mov	ecx, [ebx+4]
		push	edx
		push	esi
		mov	eax, [eax]
		push	ebx
		push	offset ExpWorkQueueManagerThread
		push	ecx
		mov	eax, [eax+38h]
		push	eax
		push	ecx
		call	_ExpNodeCreateSystemThread@36 ;	ExpNodeCreateSystemThread(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8AA06C
		mov	eax, [ebp+var_4]
		xchg	eax, [edi]

loc_8AA065:				; CODE XREF: ExpWorkQueueManagerStart(x)+21j
					; ExpWorkQueueManagerStart(x)+56j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8AA06C:				; CODE XREF: ExpWorkQueueManagerStart(x)+44j
		xor	ecx, ecx
		xchg	ecx, [edi]
		jmp	short loc_8AA065
_ExpWorkQueueManagerStart@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExAllocatePrivateWorkerPool(x, x, x)
_ExAllocatePrivateWorkerPool@12	proc near ; CODE XREF: SmFirstTimeInit+47Dp
		mov	edi, edi
		push	ecx
		mov	eax, ds:_PspSystemPartition
		mov	ecx, [eax+8]
		push	ecx
		call	ExpPartitionCreatePool
		retn	4
_ExAllocatePrivateWorkerPool@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpPartitionCreatePool proc near	; CODE XREF: ExAllocatePrivateWorkerPool(x,x,x)+Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00933AC3 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		lea	ebx, [eax+0Ch]
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], ebx

loc_8AA0A0:				; CODE XREF: ExpPartitionCreatePool+2Aj
		bsf	eax, [ebx]
		mov	[ebp+var_4], eax
		jz	loc_933AF0
		lock btr [ebx],	eax
		jnb	short loc_8AA0A0
		mov	eax, large fs:20h
		mov	edx, [eax+338h]
		mov	cx, [edx+8Ah]
		call	_KeIsNodeInitialized@4 ; KeIsNodeInitialized(x)
		mov	edi, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		movzx	esi, al
		neg	esi
		push	edi
		sbb	esi, esi
		and	esi, edx
		xor	edx, edx
		push	esi
		push	10h
		inc	edx
		mov	[ebp+var_C], esi
		call	ExpPartitionCreatePoolInternal
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_8AA131
		movzx	esi, word ptr [esi+8Ah]
		xor	eax, eax
		and	esi, 7Fh
		xor	ebx, ebx
		add	esi, esi
		or	esi, 1
		cmp	ax, ds:_KeNumberNodes
		jnb	short loc_8AA124
		mov	eax, [ebp+var_C]

loc_8AA10D:				; CODE XREF: ExpPartitionCreatePool+9Cj
		cmp	bx, [eax+8Ah]
		jnz	loc_933AC3

loc_8AA11A:				; CODE XREF: ExpPartitionCreatePool+89A65j
		inc	ebx
		cmp	bx, ds:_KeNumberNodes
		jb	short loc_8AA10D

loc_8AA124:				; CODE XREF: ExpPartitionCreatePool+82j
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	ebx, [ebp+var_10]
		push	8
		mov	[eax], edi
		pop	edi

loc_8AA131:				; CODE XREF: ExpPartitionCreatePool+66j
		cmp	edi, 8
		jnz	short loc_8AA13F

loc_8AA136:				; CODE XREF: ExpPartitionCreatePool+BDj
					; ExpPartitionCreatePool+89A6Fj
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	8
; 

loc_8AA13F:				; CODE XREF: ExpPartitionCreatePool+AEj
		lock bts [ebx],	edi
		jmp	short loc_8AA136
ExpPartitionCreatePool endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpPartitionInitialize proc near	; CODE XREF: ExpWorkerInitialization+A0p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00933AFA SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	6C577845h
		push	10h
		mov	ebx, ecx
		push	200h
		mov	[ebp+var_C], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_933AFA
		xor	eax, eax
		mov	edi, esi
		stosd
		stosd
		stosd
		stosd
		movzx	edi, ds:_KeNumberNodes
		mov	[esi], ebx
		mov	ebx, 6C577845h
		push	ebx
		shl	edi, 2
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+4], eax
		test	eax, eax
		jz	loc_933B0F
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		movzx	edi, ds:_KeNumberNodes
		add	esp, 0Ch
		shl	edi, 2
		push	ebx
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+8], eax
		test	eax, eax
		jz	loc_933B0F
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		xor	ebx, ebx
		cmp	ax, ds:_KeNumberNodes
		jnb	loc_8AA2B1

loc_8AA1EB:				; CODE XREF: ExpPartitionInitialize+165j
		movzx	edi, bx
		mov	ecx, ebx
		mov	[ebp+var_8], edi
		call	_KeIsNodeInitialized@4 ; KeIsNodeInitialized(x)
		test	al, al
		jz	loc_933B06
		mov	eax, ds:_KeNodeBlock[edi*4]
		mov	[ebp+var_4], eax

loc_8AA20A:				; CODE XREF: ExpPartitionInitialize+899C4j
		push	6C577845h
		push	0B8h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [esi+8]
		mov	[ecx+edi*4], eax
		mov	eax, [esi+8]
		mov	ecx, [eax+edi*4]
		test	ecx, ecx
		jz	loc_933B0F
		push	[ebp+var_4]
		mov	edx, esi
		call	_ExpWorkQueueManagerInitialize@12 ; ExpWorkQueueManagerInitialize(x,x,x)
		push	6C577845h
		push	20h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [esi+4]
		mov	[ecx+edi*4], eax
		mov	eax, [esi+4]
		cmp	dword ptr [eax+edi*4], 0
		jz	loc_933B0F
		mov	edi, [esi+4]
		xor	eax, eax
		mov	edx, [ebp+var_8]
		push	8
		pop	ecx
		push	eax
		mov	edi, [edi+edx*4]
		xor	edx, edx
		push	[ebp+var_4]
		rep stosd
		push	_ExpMaximumKernelWorkerThreads
		mov	ecx, esi
		call	ExpPartitionCreatePoolInternal
		mov	edi, eax
		test	edi, edi
		js	short loc_8AA2C5
		push	1
		push	[ebp+var_4]
		xor	edx, edx
		mov	ecx, esi
		push	_ExpMaximumKernelWorkerThreads
		call	ExpPartitionCreatePoolInternal
		mov	edi, eax
		test	edi, edi
		js	short loc_8AA2C5
		inc	ebx
		cmp	bx, ds:_KeNumberNodes
		jb	loc_8AA1EB

loc_8AA2B1:				; CODE XREF: ExpPartitionInitialize+9Fj
		mov	eax, [ebp+var_C]
		mov	dword ptr [esi+0Ch], 0FCh
		mov	[eax+8], esi
		xor	eax, eax

loc_8AA2C0:				; CODE XREF: ExpPartitionInitialize+899BBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8AA2C5:				; CODE XREF: ExpPartitionInitialize+141j
					; ExpPartitionInitialize+15Bj ...
		mov	ecx, esi
		call	_ExpPartitionDestroy@4 ; ExpPartitionDestroy(x)
		jmp	loc_933AFF
ExpPartitionInitialize endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpPartitionCreatePoolInternal proc near ; CODE	XREF: ExpPartitionCreatePool+5Dp
					; ExpPartitionInitialize+138p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00933B19 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	6C577845h
		push	1C0h
		push	200h
		mov	[ebp+var_4], edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8AA35B
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_8]	; int
		mov	eax, [ebx+8]
		push	edx		; int
		movzx	ecx, word ptr [edx+8Ah]
		mov	edx, [ebp+var_4] ; int
		push	ebx		; int
		push	[ebp+arg_0]	; int
		mov	esi, [eax+ecx*4]
		mov	ecx, edi	; void *
		call	_ExpWorkQueueInitialize@24 ; ExpWorkQueueInitialize(x,x,x,x,x,x)
		lea	edx, [esi+0B0h]
		mov	ecx, edi
		call	_ExpWorkQueueCreateMinimumThreads@8 ; ExpWorkQueueCreateMinimumThreads(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8AA34A
		mov	eax, [ebp+arg_4]
		movzx	ecx, word ptr [eax+8Ah]
		mov	eax, [ebx+4]
		mov	ecx, [eax+ecx*4]
		mov	eax, [ebp+arg_8]
		mov	[ecx+eax*4], edi
		xor	edi, edi
		xor	esi, esi

loc_8AA34A:				; CODE XREF: ExpPartitionCreatePoolInternal+5Cj
		test	edi, edi
		jnz	loc_933B19

loc_8AA352:				; CODE XREF: ExpPartitionCreatePoolInternal+8Ej
					; ExpPartitionCreatePoolInternal+89856j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_8AA35B:				; CODE XREF: ExpPartitionCreatePoolInternal+27j
		mov	esi, 0C0000017h
		jmp	short loc_8AA352
ExpPartitionCreatePoolInternal endp


;  S U B	R O U T	I N E 


; __stdcall ExpWorkQueueCreateMinimumThreads(x,	x)
_ExpWorkQueueCreateMinimumThreads@8 proc near
					; CODE XREF: ExpPartitionCreatePoolInternal+53p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ebx, edx
		mov	eax, [edi+1B0h]
		add	eax, eax
		test	eax, eax
		jg	short loc_8AA37F

loc_8AA379:				; CODE XREF: ExpWorkQueueCreateMinimumThreads(x,x)+37j
		xor	eax, eax

loc_8AA37B:				; CODE XREF: ExpWorkQueueCreateMinimumThreads(x,x)+28j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8AA37F:				; CODE XREF: ExpWorkQueueCreateMinimumThreads(x,x)+15j
					; ExpWorkQueueCreateMinimumThreads(x,x)+39j
		mov	edx, ebx
		mov	ecx, edi
		call	ExpCreateWorkerThread
		test	eax, eax
		js	short loc_8AA37B
		mov	eax, [edi+1B0h]
		inc	esi
		add	eax, eax
		sar	eax, 1
		cmp	esi, eax
		jge	short loc_8AA379
		jmp	short loc_8AA37F
_ExpWorkQueueCreateMinimumThreads@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ExpWorkQueueInitialize(void *,int,int,int,int,int)
_ExpWorkQueueInitialize@24 proc	near	; CODE XREF: ExpPartitionCreatePoolInternal+46p

var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	ebx, edx
		stosd
		push	1C0h		; size_t
		push	0		; int
		stosd
		stosd
		mov	edi, ecx
		push	edi		; void *
		call	_memset
		mov	esi, [ebp+arg_8]
		lea	eax, [ebp+var_4]
		add	esp, 0Ch
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		movzx	eax, word ptr [esi+8Ah]
		push	eax
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		movzx	edx, word ptr [ebp+var_4]
		mov	ecx, edi
		call	KeInitializePriQueue
		mov	eax, [ebp+arg_4]
		mov	[edi+19Ch], eax
		mov	eax, [edi+1B0h]
		xor	eax, ebx
		mov	[edi+1A0h], esi
		and	eax, 7FFFFFFFh
		xor	[edi+1B0h], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+1B4h], eax
		mov	eax, [ebp+arg_C]
		mov	[edi+1B8h], eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_ExpWorkQueueInitialize@24 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWorkQueueManagerInitialize(x, x,	x)
_ExpWorkQueueManagerInitialize@12 proc near ; CODE XREF: ExpPartitionInitialize+F1p

var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	ebx, ecx
		push	0B0h		; size_t
		mov	esi, edx
		mov	[ebp+var_4], ebx
		stosd
		stosd
		lea	eax, [ebx+8]
		xor	edi, edi
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[ebx+4], eax
		lea	eax, [ebx+8]
		mov	[ebx], esi
		push	edi
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	1
		lea	eax, [ebx+18h]
		push	eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	edi
		push	1
		lea	eax, [ebx+40h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	8
		push	ebx
		push	offset _ExpWorkQueueManagerReaperTimer@8 ; ExpWorkQueueManagerReaperTimer(x,x)
		lea	eax, [ebx+50h]
		push	eax
		call	_KeInitializeTimer2@16 ; KeInitializeTimer2(x,x,x,x)
		push	edi
		lea	eax, [ebp+var_10]
		push	eax
		mov	eax, [ebx+4]
		movzx	eax, word ptr [eax+8Ah]
		push	eax
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		mov	ebx, [ebp+var_10]
		mov	esi, [ebp+var_4]
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		jz	short loc_8AA4EF
		mov	ecx, [esi+4]
		lea	edx, [ebp+var_10]
		push	edi
		push	edi
		call	_KeSelectIdealProcessor@16 ; KeSelectIdealProcessor(x,x,x,x)
		movzx	edi, ax

loc_8AA4EF:				; CODE XREF: ExpWorkQueueManagerInitialize(x,x,x)+B5j
		mov	[esi+0B0h], di
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpWorkQueueManagerInitialize@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpWaitForHiveMount proc near		; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+B16p
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+B43p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00933B2D SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		mov	cx, ax
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], edx
		push	edi
		test	cx, cx
		jz	loc_933B3E
		push	5Ch
		pop	edi
		mov	eax, 0FFFEh

loc_8AA52A:				; CODE XREF: CmpWaitForHiveMount+89635j
		cmp	[edx], di
		jz	loc_933B2D

loc_8AA533:				; CODE XREF: CmpWaitForHiveMount+8963Bj
		mov	[ebp+var_4], edx
		test	cx, cx
		jz	loc_933B3E
		mov	esi, ebx
		mov	ebx, eax

loc_8AA543:				; CODE XREF: CmpWaitForHiveMount+52j
		movzx	eax, si
		cmp	[edx+eax*2], di
		jz	short loc_8AA552
		inc	esi
		add	cx, bx
		jnz	short loc_8AA543

loc_8AA552:				; CODE XREF: CmpWaitForHiveMount+4Cj
		lea	eax, [esi+esi]
		lea	ecx, [ebp+var_8]
		mov	word ptr [ebp+var_8], ax
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)
		xor	ebx, ebx
		mov	ecx, ebx

loc_8AA565:				; CODE XREF: CmpWaitForHiveMount+7Aj
		movzx	esi, cx
		imul	edx, esi, 14h
		cmp	dword_6B19F0[edx], eax
		jz	short loc_8AA588
		inc	ecx
		cmp	cx, 8
		jb	short loc_8AA565
		mov	eax, offset dword_6B19F4
		lock bts dword ptr [eax], 2

loc_8AA584:				; CODE XREF: CmpWaitForHiveMount+8964Aj
		xor	al, al
		jmp	short loc_8AA5D2
; 

loc_8AA588:				; CODE XREF: CmpWaitForHiveMount+73j
		lea	edi, dword_6B19F4[edx]
		lock bts dword ptr [edi], 3
		lock inc dword_6B19F8[edx]
		imul	esi, 14h
		push	ebx
		push	ebx
		imul	eax, dword_6B19EC[esi],	78h
		add	eax, offset dword_6B1650
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, dword_6B19EC[esi]
		imul	eax, ecx, 78h
		cmp	dword_6B1674[eax], ebx
		jnz	short loc_8AA5D9
		mov	eax, [ebp+arg_4]
		mov	bl, 1
		push	5
		mov	[eax], ecx
		pop	eax

loc_8AA5CC:				; CODE XREF: CmpWaitForHiveMount+DEj
		lock bts [edi],	eax
		mov	al, bl

loc_8AA5D2:				; CODE XREF: CmpWaitForHiveMount+88j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8AA5D9:				; CODE XREF: CmpWaitForHiveMount+C2j
		xor	eax, eax
		inc	eax
		jmp	short loc_8AA5CC
CmpWaitForHiveMount endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnBuildScenarioEventDescriptors(x, x, x, x)
_PfSnBuildScenarioEventDescriptors@16 proc near	; CODE XREF: PfSnLogScenarioDecision+72p
					; PfSnLogPrefetchSectionsStop+16E9EBp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	esi, edi
		lea	ecx, [esi+2]

loc_8AA5EF:				; CODE XREF: PfSnBuildScenarioEventDescriptors(x,x,x,x)+1Aj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, bx
		jnz	short loc_8AA5EF
		mov	eax, [ebp+arg_0]
		sub	esi, ecx
		mov	ecx, [ebp+arg_4]
		sar	esi, 1
		push	4
		mov	[eax], si
		mov	[ecx], eax
		mov	[ecx+4], ebx
		mov	[ecx+0Ch], ebx
		mov	dword ptr [ecx+8], 2
		movzx	eax, word ptr [eax]
		add	eax, eax
		mov	[ecx+10h], edi
		mov	[ecx+18h], eax
		lea	eax, [edi+3Ch]
		mov	[ecx+20h], eax
		pop	eax
		pop	edi
		pop	esi
		mov	[ecx+14h], ebx
		mov	[ecx+1Ch], ebx
		mov	[ecx+24h], ebx
		mov	[ecx+2Ch], ebx
		mov	[ecx+34h], ebx
		mov	[ecx+3Ch], ebx
		mov	[ecx+28h], eax
		mov	[ecx+30h], edx
		mov	[ecx+38h], eax
		pop	ebx
		pop	ebp
		retn	8
_PfSnBuildScenarioEventDescriptors@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetDeviceControlKeyPath(int,int,int,void *,int,int)
__CmGetDeviceControlKeyPath@32 proc near ; CODE	XREF: _CmGetDeviceRegKeyPath+BFp

arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_0], 0FFFFFFECh
		jnz	short loc_8AA6AE
		mov	ecx, edx
		push	esi
		push	edi
		xor	edi, edi
		lea	esi, [ecx+2]

loc_8AA663:				; CODE XREF: _CmGetDeviceControlKeyPath(x,x,x,x,x,x,x,x)+20j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_8AA663
		mov	eax, [ebp+arg_14]
		sub	ecx, esi
		sar	ecx, 1
		add	ecx, 27h
		test	eax, eax
		jz	short loc_8AA67E
		mov	[eax], ecx

loc_8AA67E:				; CODE XREF: _CmGetDeviceControlKeyPath(x,x,x,x,x,x,x,x)+2Ej
		cmp	ecx, [ebp+arg_10]
		ja	short loc_8AA6B5
		push	offset ??_C@_1BA@JGFNDEFA@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@NNGAKEGL@
		push	edx
		push	offset ??_C@_1DM@BNJPOICG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; char
		push	offset ??_C@_1BC@GLIGFLDD@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@	; "%s\\%s\\%s"
		push	800h		; int
		push	edi		; int
		push	edi		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 24h

loc_8AA6A8:				; CODE XREF: _CmGetDeviceControlKeyPath(x,x,x,x,x,x,x,x)+6Ej
		pop	edi
		pop	esi

loc_8AA6AA:				; CODE XREF: _CmGetDeviceControlKeyPath(x,x,x,x,x,x,x,x)+67j
		pop	ebp
		retn	18h
; 

loc_8AA6AE:				; CODE XREF: _CmGetDeviceControlKeyPath(x,x,x,x,x,x,x,x)+Cj
		mov	eax, 0C000000Dh
		jmp	short loc_8AA6AA
; 

loc_8AA6B5:				; CODE XREF: _CmGetDeviceControlKeyPath(x,x,x,x,x,x,x,x)+35j
		mov	eax, 0C0000023h
		jmp	short loc_8AA6A8
__CmGetDeviceControlKeyPath@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopBootStatGet	proc near		; CODE XREF: PopPowerInformationInternal+3C7p

var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 00933B4D SIZE 00000011 BYTES
; FUNCTION CHUNK AT 00933B9C SIZE 0000000E BYTES

		push	40h
		push	offset dword_6A73E8
		call	__SEH_prolog4
		mov	[ebp+var_50], edx
		mov	[ebp+var_24], ecx
		xor	ebx, ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_44], ebx
		mov	esi, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1B], bl
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	[ebp+var_1A], al
		test	al, al
		jz	loc_8AA8D5
		mov	eax, [ecx+8]
		push	0Ch
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_30]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8AA86A
		push	206D654Dh
		mov	edi, [ebp+var_30]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_2C], esi
		test	esi, esi
		jz	loc_933B4D
		mov	[ebp+ms_exc.disabled], ebx
		test	edi, edi
		jz	short loc_8AA765
		mov	eax, [ebp+var_24]
		mov	eax, [eax+0Ch]
		test	al, 3
		jnz	loc_8AA8EC
		lea	edx, [eax+edi]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	loc_933B57
		cmp	edx, eax
		jb	loc_933B57

loc_8AA765:				; CODE XREF: PopBootStatGet+80j
					; PopBootStatGet+8949Dj
		push	edi		; size_t
		mov	eax, [ebp+var_24]
		push	dword ptr [eax+0Ch] ; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edi, ebx

loc_8AA777:				; CODE XREF: PopBootStatGet+214j
		mov	[ebp+var_3C], edi
		mov	eax, [ebp+var_24]
		cmp	edi, [eax+8]
		jb	loc_8AA8BD
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8AA78D:				; CODE XREF: PopBootStatGet+21Fj
		mov	[ebp+var_1B], 1
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		mov	ecx, offset _PopBootStatLock
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlLockBootStatusData@4 ; RtlLockBootStatusData(x)
		mov	edi, eax
		test	edi, edi
		js	loc_8AA86A
		mov	al, [ebp+var_19]
		test	al, al
		jz	short loc_8AA7D2
		push	1
		mov	dl, al
		mov	ecx, [ebp+var_20]
		call	_PopBootStatAccessCheck@12 ; PopBootStatAccessCheck(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8AA86A

loc_8AA7D2:				; CODE XREF: PopBootStatGet+FEj
		mov	eax, ebx

loc_8AA7D4:				; CODE XREF: PopBootStatGet+1A9j
		mov	[ebp+var_30], eax
		mov	ecx, [ebp+var_24]
		cmp	eax, [ecx+8]
		jnb	loc_8AA86A
		imul	eax, 0Ch
		add	eax, esi
		mov	[ebp+var_38], eax
		mov	eax, [eax]
		mov	[ebp+var_48], eax
		lea	ecx, [ebp+var_44]
		push	ecx
		lea	edx, [ebp+var_34]
		mov	ecx, eax
		call	_RtlBootStatusItemInfo@12 ; RtlBootStatusItemInfo(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8AA86A
		mov	eax, [ebp+var_34]
		lea	ecx, _PopBootStat[eax]
		mov	[ebp+var_44], ecx
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [ebp+var_38]
		push	dword ptr [eax+8]
		push	ecx
		push	[ebp+var_48]
		push	1
		push	[ebp+var_20]
		call	RtlGetSetBootStatusData
		mov	edi, eax
		test	edi, edi
		js	short loc_8AA856
		cmp	[ebp+var_28], 0
		jbe	short loc_8AA856
		mov	[ebp+ms_exc.disabled], 1
		push	[ebp+var_28]	; size_t
		push	[ebp+var_44]	; void *
		mov	eax, [ebp+var_38]
		push	dword ptr [eax+4] ; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8AA856:				; CODE XREF: PopBootStatGet+170j
					; PopBootStatGet+176j
		mov	edx, [ebp+var_50]
		test	edx, edx
		jnz	loc_933B9C

loc_8AA861:				; CODE XREF: PopBootStatGet+894E9j
		mov	eax, [ebp+var_30]
		inc	eax
		jmp	loc_8AA7D4
; 

loc_8AA86A:				; CODE XREF: PopBootStatGet+58j
					; PopBootStatGet+F3j ...
		cmp	[ebp+var_20], 0
		jz	short loc_8AA878
		push	[ebp+var_20]
		call	_RtlUnlockBootStatusData@4 ; RtlUnlockBootStatusData(x)

loc_8AA878:				; CODE XREF: PopBootStatGet+1B2j
		cmp	[ebp+var_1B], 0
		jz	short loc_8AA89A
		or	eax, 0FFFFFFFFh
		mov	ecx, offset _PopBootStatLock
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jz	short loc_8AA8E0

loc_8AA890:				; CODE XREF: PopBootStatGet+22Ej
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_8AA89A:				; CODE XREF: PopBootStatGet+1C0j
		cmp	[ebp+var_19], 0
		jz	short loc_8AA8AB
		test	esi, esi
		jz	short loc_8AA8AB
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8AA8AB:				; CODE XREF: PopBootStatGet+1E2j
					; PopBootStatGet+1E6j
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8AA8BD:				; CODE XREF: PopBootStatGet+C4j
		imul	eax, edi, 0Ch
		push	1
		push	dword ptr [eax+esi+8]
		push	dword ptr [eax+esi+4]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		inc	edi
		jmp	loc_8AA777
; 

loc_8AA8D5:				; CODE XREF: PopBootStatGet+3Cj
		mov	esi, [ecx+0Ch]
		mov	[ebp+var_2C], esi
		jmp	loc_8AA78D
; 

loc_8AA8E0:				; CODE XREF: PopBootStatGet+1D2j
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset _PopBootStatLock
		jmp	short loc_8AA890
; 

loc_8AA8EC:				; CODE XREF: PopBootStatGet+8Aj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
PopBootStatGet	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PpmWmiDispatch(int,void	*,int,void *,int,int)
PpmWmiDispatch	proc near		; DATA XREF: PoInitializePrcb+1Do

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00933BAA SIZE 00000134 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, dword ptr [ebp+arg_10]
		xor	edx, edx
		mov	eax, [ebp+arg_0]
		add	ecx, 0FFFFFF30h
		mov	[ebp+arg_10], dl
		push	ebx
		mov	bl, dl
		push	esi
		push	edi
		sub	eax, edx
		jz	short loc_8AA961
		sub	eax, 1
		jz	loc_933CC5
		sub	eax, 3
		jz	short loc_8AA95A
		sub	eax, 1
		jz	loc_933BAA
		sub	eax, 3
		jz	short loc_8AA93E
		mov	eax, [ebp+arg_14]
		mov	[eax], edx
		mov	eax, 0C0000010h

loc_8AA937:				; CODE XREF: PpmWmiDispatch+62j
					; PpmWmiDispatch+66j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
; 

loc_8AA93E:				; CODE XREF: PpmWmiDispatch+39j
		push	[ebp+arg_14]	; int
		mov	ecx, [ecx-39A4h]
		push	[ebp+arg_C]	; void *
		push	[ebp+arg_8]	; int
		call	PpmWmiRegisterInfo

loc_8AA952:				; CODE XREF: PpmWmiDispatch+893E7j
		test	eax, eax
		js	short loc_8AA937

loc_8AA956:				; CODE XREF: PpmWmiDispatch+8936Cj
					; PpmWmiDispatch+89378j ...
		xor	eax, eax
		jmp	short loc_8AA937
; 

loc_8AA95A:				; CODE XREF: PpmWmiDispatch+2Bj
		mov	bl, 1
		jmp	loc_933BAA
; 

loc_8AA961:				; CODE XREF: PpmWmiDispatch+1Dj
		mov	[ebp+arg_10], 1
		jmp	loc_933CC5
PpmWmiDispatch	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PpmWmiRegisterInfo(int,void *,int)
PpmWmiRegisterInfo proc	near		; CODE XREF: PpmWmiDispatch+5Bp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00933CDE SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, 128h
		mov	[ebp+var_4], ecx
		cmp	eax, ebx
		jb	loc_933CDE
		push	ebx		; size_t
		push	0		; int
		push	[ebp+arg_4]	; void *
		call	_memset
		mov	ecx, [ebp+arg_4]
		add	esp, 0Ch
		push	esi
		mov	dword ptr [ecx+10h], 8
		lea	edx, [ecx+28h]
		xor	ecx, ecx
		push	edi

loc_8AA9A3:				; CODE XREF: PpmWmiRegisterInfo+67j
		mov	esi, ds:_PpmWmiGuidList[ecx]
		lea	edi, [edx-14h]
		movsd
		movsd
		movsd
		movsd
		mov	eax, ds:dword_404A38[ecx]
		mov	[edx-4], eax
		mov	eax, ds:dword_404A34[ecx]
		add	ecx, 0Ch
		mov	[edx], eax
		lea	edx, [edx+1Ch]
		mov	dword ptr [edx-18h], 0F4h
		cmp	ecx, 60h
		jb	short loc_8AA9A3
		mov	ecx, [ebp+arg_4]
		push	32h
		pop	eax
		push	[ebp+var_4]
		mov	[ecx], ebx
		mov	[ecx+0F4h], ax
		mov	eax, [ebp+arg_0]
		push	offset ??_C@_1BO@PKDNPFIL@?$AAP?$AAP?$AAM?$AA_?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AA_@NNGAKEGL@ ; char
		add	eax, 0FFFFFF0Ah
		push	offset ??_C@_19HEPLDNLP@?$AA?$CF?$AAs?$AA?$CF?$AAd@NNGAKEGL@ ; "%s%d"
		push	eax		; int
		lea	eax, [ecx+0F6h]
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		mov	ecx, eax
		pop	edi
		pop	esi
		test	ecx, ecx
		js	short loc_8AAA11
		xor	ecx, ecx

loc_8AAA11:				; CODE XREF: PpmWmiRegisterInfo+A3j
					; PpmWmiRegisterInfo+89386j
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		mov	eax, ecx
		pop	ebx
		leave
		retn	0Ch
PpmWmiRegisterInfo endp

; 
		align 2

;  S U B	R O U T	I N E 


PpmGetPolicyAction proc	near		; CODE XREF: PpmInfoApplySettingUpdate+72p
					; PpmCompareAndApplyPolicySettings(x,x,x)+135p

; FUNCTION CHUNK AT 00933CF5 SIZE 0000003F BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, [ecx]
		push	edi
		mov	edi, [ecx+4]
		mov	ecx, esi
		mov	eax, edi
		and	ecx, 700h
		and	eax, 380h
		or	ecx, eax
		push	0
		pop	ebx
		jnz	loc_8AAAD0

loc_8AAA42:				; CODE XREF: PpmGetPolicyAction+101j
					; PpmGetPolicyAction+892E5j
		mov	ecx, edi
		mov	eax, ebx
		and	ecx, 40h
		or	eax, ecx
		jnz	loc_933D08

loc_8AAA51:				; CODE XREF: PpmGetPolicyAction+892F1j
					; PpmGetPolicyAction+892FAj
		mov	ecx, esi
		mov	eax, edi
		and	ecx, 0EC0h
		and	eax, 0CC540h
		or	ecx, eax
		jnz	loc_8AAB2A

loc_8AAA68:				; CODE XREF: PpmGetPolicyAction+10Fj
		mov	ecx, edi
		mov	eax, ebx
		and	ecx, 1800h
		or	eax, ecx
		jnz	loc_933D1D

loc_8AAA7A:				; CODE XREF: PpmGetPolicyAction+89305j
		mov	ecx, esi
		mov	eax, edi
		and	ecx, 30000h
		and	eax, 100000h
		or	ecx, eax
		jnz	loc_8AAB32

loc_8AAA91:				; CODE XREF: PpmGetPolicyAction+117j
		mov	ecx, esi
		mov	eax, edi
		and	ecx, 30DC0h
		and	eax, 0C400h
		or	ecx, eax
		jnz	short loc_8AAACB

loc_8AAAA4:				; CODE XREF: PpmGetPolicyAction+B0j
		mov	eax, esi
		and	edi, 2000h
		and	eax, 0D8000000h
		or	eax, edi
		jnz	loc_933D28

loc_8AAAB9:				; CODE XREF: PpmGetPolicyAction+8930Dj
		and	esi, 1000h
		or	esi, ebx
		pop	edi
		pop	esi
		pop	ebx
		jnz	loc_933D30
		retn
; 

loc_8AAACB:				; CODE XREF: PpmGetPolicyAction+84j
		or	dword ptr [edx], 8
		jmp	short loc_8AAAA4
; 

loc_8AAAD0:				; CODE XREF: PpmGetPolicyAction+1Ej
		mov	eax, esi
		mov	ecx, 200h
		and	eax, 100h
		or	eax, ebx
		jnz	short loc_8AAB3A

loc_8AAAE0:				; CODE XREF: PpmGetPolicyAction+11Ej
		mov	eax, esi
		and	eax, 400h
		or	eax, ebx
		jnz	loc_933CF5

loc_8AAAEF:				; CODE XREF: PpmGetPolicyAction+892DAj
		mov	eax, esi
		and	eax, ecx
		or	eax, ebx
		jnz	short loc_8AAB5F

loc_8AAAF7:				; CODE XREF: PpmGetPolicyAction+144j
		mov	ecx, edi
		mov	eax, ebx
		and	ecx, 100h
		or	eax, ecx
		jnz	short loc_8AAB3E

loc_8AAB05:				; CODE XREF: PpmGetPolicyAction+126j
		mov	ecx, edi
		mov	eax, ebx
		and	ecx, 80h
		or	eax, ecx
		jnz	short loc_8AAB46

loc_8AAB13:				; CODE XREF: PpmGetPolicyAction+138j
					; PpmGetPolicyAction+13Fj
		mov	ecx, edi
		mov	eax, ebx
		and	ecx, 200h
		or	eax, ecx
		jz	loc_8AAA42
		jmp	loc_933CFD
; 

loc_8AAB2A:				; CODE XREF: PpmGetPolicyAction+44j
		or	dword ptr [edx], 2
		jmp	loc_8AAA68
; 

loc_8AAB32:				; CODE XREF: PpmGetPolicyAction+6Dj
		or	dword ptr [edx], 0Ch
		jmp	loc_8AAA91
; 

loc_8AAB3A:				; CODE XREF: PpmGetPolicyAction+C0j
		or	[edx], ecx
		jmp	short loc_8AAAE0
; 

loc_8AAB3E:				; CODE XREF: PpmGetPolicyAction+E5j
		or	dword ptr [edx], 82h
		jmp	short loc_8AAB05
; 

loc_8AAB46:				; CODE XREF: PpmGetPolicyAction+F3j
		mov	eax, [edx]
		or	eax, 100h
		cmp	ds:_PpmPerfAutonomousActivityWindowViaPerfControl, 0
		mov	[edx], eax
		jz	short loc_8AAB13
		or	eax, 2
		mov	[edx], eax
		jmp	short loc_8AAB13
; 

loc_8AAB5F:				; CODE XREF: PpmGetPolicyAction+D7j
		or	dword ptr [edx], 20h
		jmp	short loc_8AAAF7
PpmGetPolicyAction endp


;  S U B	R O U T	I N E 


; __stdcall PiUEventQueueBroadcastEventEntry(x)
_PiUEventQueueBroadcastEventEntry@4 proc near
					; CODE XREF: PiUEventProcessBroadcastNotifications:loc_8453DCp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ecx, offset _PiUEventBroadcastEventQueueLock
		push	edi
		call	ExAcquireFastMutex
		mov	edi, offset _PiUEventBroadcastEventQueue
		mov	ecx, esi
		cmp	_PiUEventBroadcastEventQueue, edi
		setz	bl
		call	PiUEventCoalesceBroadcastEvents
		mov	byte ptr [esi+8], 1
		mov	eax, dword_6CC7D4
		cmp	[eax], edi
		jnz	short loc_8AABE0
		mov	[esi], edi
		mov	ecx, offset _PiUEventBroadcastEventQueueLock
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6CC7D4, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	bl, bl
		jz	short loc_8AABDC
		push	59706E50h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_8AABDC
		and	dword ptr [eax], 0
		push	4
		push	eax
		mov	dword ptr [eax+8], offset PiUEventBroadcastEventWorker
		mov	[eax+0Ch], eax
		call	ExQueueWorkItem

loc_8AABDC:				; CODE XREF: PiUEventQueueBroadcastEventEntry(x)+4Cj
					; PiUEventQueueBroadcastEventEntry(x)+61j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8AABE0:				; CODE XREF: PiUEventQueueBroadcastEventEntry(x)+31j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PiUEventQueueBroadcastEventEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiUEventCoalesceBroadcastEvents	proc near
					; CODE XREF: PiUEventQueueBroadcastEventEntry(x)+21p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00933D34 SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, _PiUEventBroadcastEventQueue
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx

loc_8AAC07:				; CODE XREF: PiUEventCoalesceBroadcastEvents+55j
		cmp	esi, offset _PiUEventBroadcastEventQueue
		jz	short loc_8AAC34
		mov	ecx, [esi+0Ch]
		cmp	ecx, [edi+0Ch]
		jnz	short loc_8AAC39
		mov	eax, [esi+10h]
		cmp	eax, [edi+10h]
		jnz	short loc_8AAC39
		cmp	ecx, 3
		jz	loc_933D34
		cmp	ecx, 2
		jz	loc_933D84

loc_8AAC31:				; CODE XREF: PiUEventCoalesceBroadcastEvents+89193j
					; PiUEventCoalesceBroadcastEvents+891B2j
		mov	[esi+8], bl

loc_8AAC34:				; CODE XREF: PiUEventCoalesceBroadcastEvents+27j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8AAC39:				; CODE XREF: PiUEventCoalesceBroadcastEvents+2Fj
					; PiUEventCoalesceBroadcastEvents+37j ...
		mov	esi, [esi]
		jmp	short loc_8AAC07
PiUEventCoalesceBroadcastEvents	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1919. PsStartSiloMonitor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsStartSiloMonitor
PsStartSiloMonitor proc	near

var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00933DA3 SIZE 000000F3 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi		; struct _exception *
		push	6
		pop	ecx
		lea	edi, [esp+30h+var_1C]
		xor	ebx, ebx
		rep stosd
		mov	eax, large fs:124h
		mov	edi, ebx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PspSiloMonitorLock
		call	ExAcquirePushLockExclusiveEx
		cmp	[esi], ebx
		jnz	loc_8AAD5D
		cmp	[esi+4], ebx
		jnz	loc_8AAD5D
		cmp	[esi+9], bl
		jnz	short loc_8AACB2
		xor	ecx, ecx

loc_8AAC9F:				; CODE XREF: PsStartSiloMonitor+89170j
		mov	dl, 1
		call	_PspGetNextSilo@8 ; PspGetNextSilo(x,x)
		mov	[esp+30h+var_20], eax
		test	eax, eax
		jnz	loc_933DA3

loc_8AACB2:				; CODE XREF: PsStartSiloMonitor+59j
		cmp	[esi+10h], ebx
		jz	loc_8AAD5D
		cmp	[esi+8], bl
		jz	short loc_8AACFD
		mov	ecx, ds:_PsInitialSystemProcess
		lea	eax, [esp+30h+var_1C]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	edx, esi
		mov	[esp+30h+var_20], eax
		mov	ecx, eax
		call	_PspInvokeCreateCallback@8 ; PspInvokeCreateCallback(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_933DC1

loc_8AACEE:				; CODE XREF: PsStartSiloMonitor+89182j
					; PsStartSiloMonitor+89193j
		xor	edx, edx
		lea	ecx, [esp+30h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		test	edi, edi
		js	short loc_8AAD5D

loc_8AACFD:				; CODE XREF: PsStartSiloMonitor+7Cj
		mov	ecx, ds:_PsInitialSystemProcess
		lea	eax, [esp+30h+var_1C]
		push	eax
		xor	edx, edx
		mov	[esp+34h+var_21], bl
		mov	[esp+34h+var_20], ebx
		call	KiStackAttachProcess
		mov	dl, 1
		xor	ecx, ecx
		call	_PspGetNextSilo@8 ; PspGetNextSilo(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_933DDA

loc_8AAD2A:				; CODE XREF: PsStartSiloMonitor+891CBj
		xor	edx, edx
		lea	ecx, [esp+30h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		cmp	[esp+30h+var_21], 0
		jnz	loc_933E12
		mov	eax, dword_6BEE1C
		mov	ecx, offset _PspSiloMonitorList
		cmp	[eax], ecx
		jnz	short loc_8AAD9A
		mov	[esi], ecx
		mov	edi, ebx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6BEE1C, esi

loc_8AAD5D:				; CODE XREF: PsStartSiloMonitor+47j
					; PsStartSiloMonitor+50j ...
		or	eax, 0FFFFFFFFh
		mov	esi, offset _PspSiloMonitorLock
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_933E82

loc_8AAD71:				; CODE XREF: PsStartSiloMonitor+89242j
					; PsStartSiloMonitor+8924Fj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [esp+30h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4		; struct _exception *
; 

loc_8AAD9A:				; CODE XREF: PsStartSiloMonitor+10Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PsStartSiloMonitor endp


;  S U B	R O U T	I N E 


; __stdcall PspInvokeCreateCallback(x, x)
_PspInvokeCreateCallback@8 proc	near	; CODE XREF: PsStartSiloMonitor+9Dp
					; PsStartSiloMonitor+891A8p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		push	0
		mov	edx, ebx
		xor	ecx, ecx
		lea	edi, [esi+18h]
		push	edi
		call	EtwTraceJobServerSiloMonitorCallback
		push	ebx
		call	dword ptr [esi+10h]
		mov	esi, eax
		xor	ecx, ecx
		push	esi
		push	edi
		mov	edx, ebx
		inc	ecx
		call	EtwTraceJobServerSiloMonitorCallback
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_PspInvokeCreateCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwDeviceMakeCompatibleIds proc near	; CODE XREF: PiSwPdoPnPDispatch+34Ap

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00933E96 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], edx
		xor	ebx, ebx
		mov	[ebp+var_8], edi
		mov	eax, ebx
		mov	[ebp+var_4], eax
		mov	esi, [edi+14h]
		test	esi, esi
		jz	short loc_8AAE4A
		cmp	[esi], bx
		jz	short loc_8AAE4A

loc_8AADF6:				; CODE XREF: PiSwDeviceMakeCompatibleIds+75j
		mov	edi, esi
		lea	ecx, [edi+2]

loc_8AADFB:				; CODE XREF: PiSwDeviceMakeCompatibleIds+34j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, bx
		jnz	short loc_8AADFB
		sub	edi, ecx
		push	offset _PiSwGenericRawCompatibleId ; wchar_t *
		push	esi		; wchar_t *
		sar	edi, 1
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_8AAF01
		push	offset _PiSwGenericCompatibleId	; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		test	eax, eax
		mov	eax, [ebp+var_4]
		pop	ecx
		jz	short loc_8AAE3C
		lea	eax, [eax+edi*2]
		add	eax, 2
		mov	[ebp+var_4], eax

loc_8AAE3C:				; CODE XREF: PiSwDeviceMakeCompatibleIds+61j
					; PiSwDeviceMakeCompatibleIds+134j
		lea	esi, [esi+edi*2]
		add	esi, 2
		cmp	[esi], bx
		jnz	short loc_8AADF6
		mov	edi, [ebp+var_8]

loc_8AAE4A:				; CODE XREF: PiSwDeviceMakeCompatibleIds+1Fj
					; PiSwDeviceMakeCompatibleIds+24j
		test	byte ptr [edi+24h], 8
		jnz	short loc_8AAE53
		add	eax, 1Eh

loc_8AAE53:				; CODE XREF: PiSwDeviceMakeCompatibleIds+7Ej
		push	57706E50h
		add	eax, 1Ah
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_10], edx
		test	edx, edx
		jz	loc_933E96
		mov	edi, [edi+14h]
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_8AAEC9
		cmp	[edi], bx
		jz	short loc_8AAEC9

loc_8AAE7F:				; CODE XREF: PiSwDeviceMakeCompatibleIds+F4j
		mov	esi, edi
		lea	ecx, [esi+2]

loc_8AAE84:				; CODE XREF: PiSwDeviceMakeCompatibleIds+BDj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, bx
		jnz	short loc_8AAE84
		sub	esi, ecx
		push	offset _PiSwGenericRawCompatibleId ; wchar_t *
		sar	esi, 1
		push	edi		; wchar_t *
		mov	[ebp+var_C], esi
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_8AAEB8
		push	offset _PiSwGenericCompatibleId	; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_8AAF09

loc_8AAEB8:				; CODE XREF: PiSwDeviceMakeCompatibleIds+D5j
		mov	eax, [ebp+var_4]

loc_8AAEBB:				; CODE XREF: PiSwDeviceMakeCompatibleIds+158j
		lea	edi, [edi+esi*2]
		add	edi, 2
		cmp	[edi], bx
		jnz	short loc_8AAE7F
		mov	edx, [ebp+var_10]

loc_8AAEC9:				; CODE XREF: PiSwDeviceMakeCompatibleIds+A8j
					; PiSwDeviceMakeCompatibleIds+ADj
		mov	ecx, [ebp+var_8]
		test	byte ptr [ecx+24h], 8
		jnz	short loc_8AAEE3
		push	7
		mov	edi, eax
		mov	esi, offset _PiSwGenericRawCompatibleId
		pop	ecx
		rep movsd
		add	eax, 1Eh
		movsw

loc_8AAEE3:				; CODE XREF: PiSwDeviceMakeCompatibleIds+100j
		push	6
		pop	ecx
		mov	esi, offset _PiSwGenericCompatibleId
		mov	edi, eax
		rep movsd
		xor	ecx, ecx
		mov	[eax+18h], cx

loc_8AAEF5:				; CODE XREF: PiSwDeviceMakeCompatibleIds+890CBj
		mov	eax, [ebp+var_14]
		pop	edi
		pop	esi
		mov	[eax], edx
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_8AAF01:				; CODE XREF: PiSwDeviceMakeCompatibleIds+49j
		mov	eax, [ebp+var_4]
		jmp	loc_8AAE3C
; 

loc_8AAF09:				; CODE XREF: PiSwDeviceMakeCompatibleIds+E6j
		lea	esi, ds:2[esi*2]
		push	esi		; size_t
		push	edi		; void *
		push	[ebp+var_4]	; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		add	eax, esi
		mov	esi, [ebp+var_C]
		mov	[ebp+var_4], eax
		jmp	short loc_8AAEBB
PiSwDeviceMakeCompatibleIds endp

; 
		align 10h
; Exported entry 957. IoReportDetectedDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoReportDetectedDevice
IoReportDetectedDevice proc near

var_1FE		= byte ptr -1FEh
var_1FD		= byte ptr -1FDh
var_1FC		= dword	ptr -1FCh
var_1F8		= byte ptr -1F8h
var_1F7		= byte ptr -1F7h
var_1F6		= byte ptr -1F6h
var_1F5		= byte ptr -1F5h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 00933EA0 SIZE 0000050E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 204h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+204h+var_4], eax
		mov	eax, [ebp+arg_10]
		lea	ecx, [esp+204h+var_198]
		xor	edx, edx
		mov	[esp+204h+var_1D4], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		mov	[esp+210h+var_1B0], eax
		mov	eax, [ebp+arg_1C]
		mov	[esp+210h+var_19C], eax
		mov	ebx, [edi+18h]
		add	ebx, 0Ch
		mov	[esp+210h+var_1D0], edi
		mov	eax, [eax]
		mov	[esp+210h+var_1F7], dl
		mov	[esp+210h+var_1CC], edx
		mov	[esp+210h+var_1C8], edx
		mov	[esp+210h+var_1E0], edx
		mov	[esp+210h+var_1B8], edx
		mov	[esp+210h+var_1B4], edx
		mov	[esp+210h+var_1BC], edx
		mov	[esp+210h+var_1E4], edx
		mov	[esp+210h+var_1FD], dl
		mov	[esp+210h+var_1F4], esi
		mov	[esp+210h+var_1D8], edx
		mov	[esp+210h+var_1FC], edx
		mov	[esp+210h+var_1EC], ecx
		mov	[esp+210h+var_1F0], 1900000h
		mov	[esp+210h+var_1E8], edx
		mov	[esp+210h+var_1F5], dl
		mov	[esp+210h+var_1DC], edx
		mov	[esp+210h+var_1AC], edx
		test	eax, eax
		jnz	loc_933EA0
		test	byte ptr [edi+8], 4
		jnz	loc_8AB2BB

loc_8AAFD9:				; CODE XREF: IoReportDetectedDevice+3CAj
		push	offset ??_C@_1M@NNKCILJE@?$AAR?$AAO?$AAO?$AAT?$AA?2@NNGAKEGL@ ;	"ROOT\\"
		lea	eax, [esp+214h+var_1F0]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		test	eax, eax
		js	loc_8AB2A4
		test	byte ptr [edi+8], 4
		lea	eax, [esp+210h+var_1CC]
		jnz	short loc_8AAFFC
		mov	eax, ebx

loc_8AAFFC:				; CODE XREF: IoReportDetectedDevice+C8j
		push	eax
		lea	eax, [esp+214h+var_1F0]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		test	eax, eax
		js	loc_8AB2A4

loc_8AB00F:				; CODE XREF: IoReportDetectedDevice+88F7Fj
		lea	ecx, [esp+210h+var_1AC]
		call	PiPnpRtlBeginOperation
		mov	edi, eax
		test	edi, edi
		js	loc_8AB258
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeLockTree
		test	esi, esi
		jnz	short loc_8AB059
		mov	eax, [esp+210h+var_1D0]
		test	byte ptr [eax+8], 4
		jnz	short loc_8AB059
		mov	edx, [ebp+arg_8]
		lea	eax, [esp+210h+var_1F4]
		mov	ecx, [ebp+arg_4]
		push	eax
		push	[ebp+arg_C]
		call	IopDuplicateDetection
		mov	esi, [esp+210h+var_1F4]
		mov	edi, eax
		test	edi, edi
		jns	loc_933EBF

loc_8AB059:				; CODE XREF: IoReportDetectedDevice+FCj
					; IoReportDetectedDevice+106j ...
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		test	esi, esi
		jnz	loc_8AB191
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		lea	eax, [esp+214h+var_1F0]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8AB258
		movzx	edi, word ptr [esp+210h+var_1F0]
		mov	ecx, 190h
		movzx	eax, di
		xor	edx, edx
		sub	ecx, eax
		mov	[esp+210h+var_1A4], edi
		shr	ecx, 1
		shr	eax, 1
		mov	[esp+210h+var_1A8], ecx
		lea	eax, [esp+eax*2+210h+var_198]
		mov	[esp+210h+var_1A0], eax

loc_8AB0B0:				; CODE XREF: IoReportDetectedDevice+88FCCj
		push	edx		; char
		push	offset ??_C@_19PDMGBJHF@?$AA?$CF?$AA0?$AA4?$AAu@NNGAKEGL@ ; wchar_t *
		mov	word ptr [esp+218h+var_1F0], di
		xor	edi, edi
		push	edi		; int
		mov	[esp+21Ch+var_1C0], edx
		lea	edx, [esp+21Ch+var_1C4]
		push	edi		; int
		push	edx		; int
		push	ecx		; int
		push	eax		; void *
		mov	[esp+22Ch+var_1C4], eax
		call	RtlStringCchPrintfExW
		mov	dx, word ptr [esp+22Ch+var_1F0]
		add	esp, 1Ch
		mov	ecx, [esp+210h+var_1C4]
		movzx	eax, dx
		and	eax, 0FFFFFFFEh
		sub	ecx, eax
		lea	eax, [esp+210h+var_198]
		sub	ecx, eax
		sar	ecx, 1
		cmp	ecx, 0FFFFFFFFh
		jz	loc_933ED4
		lea	eax, [ecx+ecx]

loc_8AB0FB:				; CODE XREF: IoReportDetectedDevice+88FADj
		mov	ecx, _PiPnpRtlCtx
		movzx	eax, ax
		add	dx, ax
		lea	eax, [esp+13h]
		push	edi
		push	eax
		lea	eax, [esp+218h+var_1FC]
		mov	word ptr [esp+218h+var_1F0], dx
		mov	edx, [esp+218h+var_1EC]
		push	eax
		push	0F003Fh
		call	_CmCreateDevice
		mov	edi, eax
		test	edi, edi
		js	loc_93418E
		cmp	[esp+210h+var_1FD], 0
		jnz	short loc_8AB181
		mov	edx, [esp+210h+var_1FC]
		lea	eax, [esp+210h+var_1D8]
		and	[esp+210h+var_1D8], 0
		lea	ecx, [esp+210h+var_1F0]
		push	eax
		push	[esp+214h+var_1D4]
		push	ebx
		call	IopIsReportedAlready
		test	al, al
		jz	loc_933EE2
		mov	edx, 746C6644h
		lea	ecx, [esp+210h+var_1F0]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	[esp+210h+var_1DC], eax
		test	eax, eax
		jz	loc_933F01
		mov	eax, [eax+0B0h]
		mov	esi, [eax+14h]

loc_8AB17D:				; CODE XREF: IoReportDetectedDevice+88FD8j
		mov	[esp+210h+var_1F4], esi

loc_8AB181:				; CODE XREF: IoReportDetectedDevice+204j
		test	edi, edi
		js	loc_93418E
		test	esi, esi
		jz	loc_933F0D

loc_8AB191:				; CODE XREF: IoReportDetectedDevice+13Cj
		cmp	[esp+210h+var_1D8], 0
		jz	short loc_8AB1C2
		mov	ecx, esi
		call	_PipAreDriversLoaded@4 ; PipAreDriversLoaded(x)
		test	eax, eax
		jnz	loc_934243
		test	dword ptr [esi+10Ch], 6000h
		jnz	loc_934222

loc_8AB1B7:				; CODE XREF: IoReportDetectedDevice+892FBj
					; IoReportDetectedDevice+89304j ...
		cmp	[esp+210h+var_1DC], 0
		jz	loc_934255

loc_8AB1C2:				; CODE XREF: IoReportDetectedDevice+266j
					; IoReportDetectedDevice+8932Cj
		cmp	[esp+210h+var_1FC], 0
		jz	loc_934261

loc_8AB1CD:				; CODE XREF: IoReportDetectedDevice+89247j
					; IoReportDetectedDevice+8934Cj
		mov	ebx, [esp+210h+var_1D4]
		test	ebx, ebx
		jnz	loc_934281
		cmp	[esp+210h+var_1B0], ebx
		jnz	loc_934281

loc_8AB1E3:				; CODE XREF: IoReportDetectedDevice+89399j
					; IoReportDetectedDevice+893B3j
		cmp	[ebp+arg_18], 0
		jz	loc_8AB2FF
		mov	edx, 100h
		mov	ecx, esi
		call	PipSetDevNodeFlags
		push	ecx
		mov	ecx, [esp+214h+var_1FC]
		mov	edx, offset ??_C@_1CK@HKNPKCBC@?$AAN?$AAo?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAA?$AAt?$AAI?$AAn?$AAi@NNGAKEGL@ ; "NoResourceAtInitTime"
		call	_PnpSetRegistryDword@12	; PnpSetRegistryDword(x,x,x)
		mov	ecx, ebx
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		push	eax
		mov	edx, ebx
		mov	ecx, esi
		call	_IopWriteAllocatedResourcesToRegistry@12 ; IopWriteAllocatedResourcesToRegistry(x,x,x)

loc_8AB219:				; CODE XREF: IoReportDetectedDevice+3E3j
					; IoReportDetectedDevice+892DDj ...
		test	edi, edi
		js	loc_93418E
		mov	eax, [esi+8]
		mov	ecx, esi
		mov	eax, [eax+1A4h]
		mov	[esi+1A4h], eax
		call	_IopDoDeferredSetInterfaceState@4 ; IopDoDeferredSetInterfaceState(x)
		push	ecx
		mov	edx, 307h
		mov	ecx, esi
		call	PipSetDevNodeState
		cmp	[esp+210h+var_1F5], 0
		jnz	loc_934381

loc_8AB24F:				; CODE XREF: IoReportDetectedDevice+8945Dj
		mov	ecx, [esp+210h+var_19C]
		mov	eax, [esi+10h]
		mov	[ecx], eax

loc_8AB258:				; CODE XREF: IoReportDetectedDevice+ECj
					; IoReportDetectedDevice+155j ...
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree
		cmp	[esp+210h+var_1E8], 0
		jnz	loc_934392

loc_8AB27A:				; CODE XREF: IoReportDetectedDevice+8946Bj
		cmp	[esp+210h+var_1E4], 0
		jnz	loc_9343A0

loc_8AB285:				; CODE XREF: IoReportDetectedDevice+89479j
		cmp	[esp+210h+var_1FC], 0
		jz	short loc_8AB295
		push	[esp+210h+var_1FC]
		call	_ZwClose@4	; ZwClose(x)

loc_8AB295:				; CODE XREF: IoReportDetectedDevice+35Aj
		mov	ecx, [esp+210h+var_1AC]
		test	ecx, ecx
		jz	short loc_8AB2A2
		call	PiPnpRtlEndOperation

loc_8AB2A2:				; CODE XREF: IoReportDetectedDevice+36Bj
		mov	eax, edi

loc_8AB2A4:				; CODE XREF: IoReportDetectedDevice+BAj
					; IoReportDetectedDevice+D9j ...
		mov	ecx, [esp+210h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_8AB2BB:				; CODE XREF: IoReportDetectedDevice+A3j
		movzx	ecx, word ptr [ebx]
		mov	edx, [ebx+4]
		shr	ecx, 1
		dec	ecx
		lea	ecx, [edx+ecx*2]
		jmp	short loc_8AB2D2
; 

loc_8AB2C9:				; CODE XREF: IoReportDetectedDevice+3A4j
		cmp	word ptr [ecx],	5Ch
		jz	short loc_8AB2DD
		sub	ecx, 2

loc_8AB2D2:				; CODE XREF: IoReportDetectedDevice+397j
		cmp	ecx, edx
		jnz	short loc_8AB2C9
		mov	eax, 0C00000EFh
		jmp	short loc_8AB2A4
; 

loc_8AB2DD:				; CODE XREF: IoReportDetectedDevice+39Dj
		add	ecx, 2
		mov	[esp+210h+var_1C8], ecx
		sub	ecx, [ebx+4]
		mov	ax, [ebx]
		and	ecx, 0FFFFFFFEh
		sub	ax, cx
		mov	word ptr [esp+210h+var_1CC], ax
		mov	word ptr [esp+210h+var_1CC+2], ax
		jmp	loc_8AAFD9
; 

loc_8AB2FF:				; CODE XREF: IoReportDetectedDevice+2B7j
		test	ebx, ebx
		jnz	loc_9342E8

loc_8AB307:				; CODE XREF: IoReportDetectedDevice+893BBj
					; IoReportDetectedDevice+893C5j
		mov	edx, 100h
		mov	ecx, esi
		call	PipSetDevNodeFlags
		jmp	loc_8AB219
IoReportDetectedDevice endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopIsReportedAlready proc near		; CODE XREF: IoReportDetectedDevice+21Dp

var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009343AE SIZE 000000D1 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 240h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_240], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_4]
		and	[ebp+var_238], ebx
		and	[ebp+var_230], ebx
		push	esi
		mov	[ebp+var_214], eax
		mov	esi, ebx
		mov	eax, [ebp+arg_8]
		push	edi
		mov	[ebp+var_210], eax
		xor	edi, edi
		push	edi
		and	[eax], ebx
		lea	eax, [ebp+var_234]
		push	eax
		lea	eax, [ebp+var_20C]
		mov	[ebp+var_224], ecx
		push	eax
		lea	eax, [ebp+var_230]
		mov	[ebp+var_23C], ebx
		push	eax
		push	5
		push	edx
		mov	edx, [ecx+4]
		mov	ecx, _PiPnpRtlCtx
		mov	[ebp+var_220], esi
		mov	[ebp+var_22C], ebx
		mov	[ebp+var_228], ebx
		mov	[ebp+var_21C], ebx
		mov	[ebp+var_218], ebx
		mov	[ebp+var_234], 200h
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_934434
		cmp	[ebp+var_230], 1
		jnz	loc_934434
		cmp	[ebp+var_234], ebx
		jz	loc_934434
		lea	eax, [ebp+var_20C]
		push	eax
		lea	eax, [ebp+var_22C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_934434
		push	1
		lea	eax, [ebp+var_22C]
		push	eax
		push	[ebp+var_240]
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	loc_934434
		mov	edx, [ebp+var_224]
		lea	eax, [ebp+var_21C]
		xor	ecx, ecx
		push	ecx
		push	eax
		mov	edx, [edx+4]
		push	ecx
		push	20019h
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	14h
		call	_CmOpenDeviceRegKey
		test	eax, eax
		jns	loc_9343AE

loc_8AB441:				; CODE XREF: IopIsReportedAlready+890C4j
					; IopIsReportedAlready+890CEj ...
		mov	eax, [ebp+var_214]

loc_8AB447:				; CODE XREF: IopIsReportedAlready+890DDj
					; IopIsReportedAlready+890F2j
		test	eax, eax
		jnz	loc_934434

loc_8AB44F:				; CODE XREF: IopIsReportedAlready+890EAj
		test	edi, edi
		mov	edi, [ebp+var_210]
		jnz	short loc_8AB45F
		mov	dword ptr [edi], 1

loc_8AB45F:				; CODE XREF: IopIsReportedAlready+13Fj
					; IopIsReportedAlready+89122j
		xor	ecx, ecx
		lea	eax, [ebp+var_218]
		push	ecx
		push	eax
		mov	eax, [ebp+var_224]
		push	ecx
		push	0F003Fh
		push	ecx
		mov	edx, [eax+4]
		mov	ecx, _PiPnpRtlCtx
		push	13h
		call	_CmOpenDeviceRegKey
		test	eax, eax
		jns	loc_93443F

loc_8AB48E:				; CODE XREF: IopIsReportedAlready+89148j
		xor	ecx, ecx
		cmp	[edi], ecx
		jz	loc_8AB51E
		mov	eax, [ebp+var_218]
		test	eax, eax
		jnz	short loc_8AB4D6
		push	ecx
		lea	eax, [ebp+var_218]
		push	eax
		mov	eax, [ebp+var_224]
		push	1
		push	0F003Fh
		push	ecx
		mov	edx, [eax+4]
		mov	ecx, _PiPnpRtlCtx
		push	13h
		call	_CmOpenDeviceRegKey
		test	eax, eax
		js	loc_8AB55B
		mov	eax, [ebp+var_218]

loc_8AB4D6:				; CODE XREF: IopIsReportedAlready+188j
		push	1Eh
		pop	ecx
		push	1Ch
		mov	word ptr [ebp+var_22C+2], cx
		pop	ecx
		push	4
		mov	word ptr [ebp+var_22C],	cx
		lea	ecx, [ebp+var_238]
		push	ecx
		push	4
		push	0
		lea	ecx, [ebp+var_22C]
		mov	[ebp+var_228], offset ??_C@_1BO@DEANAFMF@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAR?$AAe?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd@NNGAKEGL@ ; "DeviceReported"
		push	ecx
		push	eax
		mov	[ebp+var_238], 1
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8AB55B
		mov	bl, 1

loc_8AB51E:				; CODE XREF: IopIsReportedAlready+17Aj
					; IopIsReportedAlready+245j
		cmp	[ebp+var_218], 0
		jz	short loc_8AB532
		push	[ebp+var_218]
		call	_ZwClose@4	; ZwClose(x)

loc_8AB532:				; CODE XREF: IopIsReportedAlready+20Dj
		mov	eax, [ebp+var_23C]
		test	eax, eax
		jnz	loc_934465

loc_8AB540:				; CODE XREF: IopIsReportedAlready+89155j
		test	esi, esi
		jnz	loc_934472

loc_8AB548:				; CODE XREF: IopIsReportedAlready+89162j
		mov	ecx, [ebp+var_8]
		mov	al, bl
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_8AB55B:				; CODE XREF: IopIsReportedAlready+1B2j
					; IopIsReportedAlready+202j ...
		xor	bl, bl
		jmp	short loc_8AB51E
IopIsReportedAlready endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpSetRegistryDword(x, x, x)
_PnpSetRegistryDword@12	proc near	; CODE XREF: IoReportDetectedDevice+2D3p
					; IoReportDetectedDevice+891ACp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		and	[ebp+var_8], 0
		push	esi
		push	edx
		push	eax
		mov	esi, ecx
		mov	[ebp+var_4], 1
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		pop	esi
		leave
		retn	4
_PnpSetRegistryDword@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopDuplicateDetection proc near		; CODE XREF: IoReportDetectedDevice+116p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0093447F SIZE 00000051 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		mov	[eax], esi
		call	_IopFindLegacyBusDeviceNode@8 ;	IopFindLegacyBusDeviceNode(x,x)
		test	eax, eax
		jz	short loc_8AB5DB
		mov	edx, [eax+10h]
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	3
		pop	ecx
		call	IopQueryResourceHandlerInterface
		test	eax, eax
		jns	loc_93447F

loc_8AB5DB:				; CODE XREF: IopDuplicateDetection+23j
					; IopDuplicateDetection+88EE6j
		mov	eax, 0C0000010h

loc_8AB5E0:				; CODE XREF: IopDuplicateDetection+88F2Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
IopDuplicateDetection endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcPoPpmRegisterProfiles(x,	x)
_PdcPoPpmRegisterProfiles@8 proc near	; DATA XREF: PopPdcRegister+84o

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	cl, [ebp+arg_0]
		call	PpmRegisterProfiles
		pop	ebp
		retn	8
_PdcPoPpmRegisterProfiles@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmRegisterProfiles proc near		; CODE XREF: PdcPoPpmRegisterProfiles(x,x)+Bp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 009344D0 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_8], 0
		and	[ebp+var_10], 0
		push	ebx
		mov	bl, cl
		mov	[ebp+var_14], edx
		mov	[ebp+var_1], bl
		cmp	bl, 1Fh
		ja	loc_9344D0
		push	esi
		movzx	eax, bl
		mov	[ebp+var_20], eax
		cdq
		mov	esi, eax
		mov	eax, edx
		push	edi
		mov	edi, 228h
		mul	edi
		mov	ecx, eax
		mov	eax, esi
		mul	edi
		add	ecx, edx
		push	ecx
		push	eax
		lea	ecx, [ebp+var_10]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		js	loc_8AB7F5
		mov	esi, [ebp+var_10]
		xor	bh, bh
		inc	esi
		and	esi, 0FFFFFFFEh
		mov	[ebp+var_10], esi
		mov	edi, esi
		test	bl, bl
		jz	short loc_8AB697

loc_8AB661:				; CODE XREF: PpmRegisterProfiles+99j
		lea	eax, [ebp+var_8]
		movzx	ecx, bh
		push	eax
		mov	eax, [ebp+var_14]
		add	ecx, ecx
		mov	edx, 7FFFFFFFh
		mov	ecx, [eax+ecx*8+4]
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		js	loc_8AB7F5
		mov	eax, [ebp+var_8]
		add	eax, 2
		add	edi, eax
		inc	bh
		mov	[ebp+var_10], edi
		cmp	bh, bl
		jb	short loc_8AB661

loc_8AB697:				; CODE XREF: PpmRegisterProfiles+63j
		push	664D5050h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		jz	loc_9344DA
		push	[ebp+var_10]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		xor	dl, dl
		lea	eax, [esi+ebx]
		add	esp, 0Ch
		mov	[ebp+var_C], eax
		cmp	[ebp+var_1], dl
		jbe	loc_8AB764
		mov	eax, [ebp+var_14]
		lea	ecx, [ebx+1Ch]
		mov	bl, [ebp+var_1]
		add	eax, 4
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], ecx

loc_8AB6E5:				; CODE XREF: PpmRegisterProfiles+163j
		mov	esi, [eax-4]
		lea	edi, [ecx-14h]
		movsd
		movsd
		movsd
		movsd
		mov	al, [eax+4]
		lea	edi, [ecx-1Ch]
		or	dword ptr [ecx+1FCh], 0FFFFFFFFh
		or	dword ptr [ecx+200h], 0FFFFFFFFh
		inc	dl
		mov	esi, [ebp+var_10]
		mov	[ecx], al
		mov	eax, [ebp+var_C]
		mov	[edi], eax
		lea	eax, [ebp+var_8]
		mov	[ecx-18h], dl
		mov	esi, [esi]
		mov	ecx, esi
		mov	[ebp+var_2], dl
		mov	edx, 7FFFFFFFh
		push	eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	ecx, [ebp+var_C]
		push	esi
		mov	esi, [ebp+var_8]
		lea	edx, [esi+1]
		call	RtlStringCchCopyW
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_14]
		mov	dl, [ebp+var_2]
		add	ecx, 228h
		mov	[ebp+var_14], ecx
		lea	eax, [eax+esi*2]
		add	eax, 2
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_10]
		mov	[eax+8], edi
		add	eax, 10h
		mov	[ebp+var_10], eax
		cmp	dl, bl
		jb	short loc_8AB6E5
		mov	ebx, [ebp+var_1C]

loc_8AB764:				; CODE XREF: PpmRegisterProfiles+D1j
		mov	edi, offset _PpmPerfPolicyLock
		mov	ecx, edi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C2ADC, eax
		mov	al, [ebp+var_1]
		mov	_PpmProfiles, ebx
		mov	_PpmProfileCount, al
		test	al, al
		jz	short loc_8AB7BC
		mov	esi, [ebp+var_20]

loc_8AB7AA:				; CODE XREF: PpmRegisterProfiles+1BEj
		mov	ecx, ebx
		call	_PpmResetProfileSettings@4 ; PpmResetProfileSettings(x)
		add	ebx, 228h
		sub	esi, 1
		jnz	short loc_8AB7AA

loc_8AB7BC:				; CODE XREF: PpmRegisterProfiles+1A9j
		xor	cl, cl
		call	PpmEventTraceProfiles
		cmp	dword_6C2ADC, 0
		jz	short loc_8AB7D3
		and	dword_6C2ADC, 0

loc_8AB7D3:				; CODE XREF: PpmRegisterProfiles+1CEj
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, edi
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		or	_PpmProfileStatus, 1
		mov	eax, [ebp+var_18]

loc_8AB7F5:				; CODE XREF: PpmRegisterProfiles+4Dj
					; PpmRegisterProfiles+84j ...
		pop	edi
		pop	esi

loc_8AB7F7:				; CODE XREF: PpmRegisterProfiles+88ED9j
		pop	ebx
		leave
		retn
PpmRegisterProfiles endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEventTraceProfiles proc near		; CODE XREF: PpmRegisterProfiles+1C2p
					; PpmEventTraceControlCallback+82EE5p

var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009344E4 SIZE 000001FD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	ebx
		mov	bh, cl
		mov	[ebp+var_98], eax
		mov	[ebp+var_A0], eax
		mov	[ebp+var_9C], eax
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A4], eax
		mov	[ebp+var_B0], eax
		mov	[ebp+var_AC], eax
		cmp	_PpmEtwRegistered, al
		jnz	loc_9344E4

loc_8AB84A:				; CODE XREF: PpmEventTraceProfiles+88D0Dj
					; PpmEventTraceProfiles+88EE2j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PpmEventTraceProfiles endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeQueryCpuSetInformation proc near	; CODE XREF: PAGE:00781E87p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009346E1 SIZE 00000063 BYTES

		push	34h
		push	offset dword_6A7410
		call	__SEH_prolog4
		mov	[ebp+var_34], edx
		mov	edi, ecx
		mov	[ebp+var_30], edi
		mov	esi, [ebp+arg_4]
		mov	ebx, esi
		lea	eax, [esi+428h]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax

loc_8AB87D:				; CODE XREF: KeQueryCpuSetInformation+15Dj
		mov	ecx, offset _KiCpuSetSequence
		call	_RtlBeginReadTickLock@4	; RtlBeginReadTickLock(x)
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], edx
		mov	eax, ds:_KiTotalCpuSetCount
		mov	[ebp+var_2C], eax
		and	[ebp+ms_exc.disabled], 0
		shl	eax, 5
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		cmp	[ebp+var_34], eax
		jb	loc_8AB9CF
		push	eax		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		xor	edi, edi
		mov	[ebp+var_24], edi
		xor	ecx, ecx
		mov	[ebp+var_28], ecx
		mov	eax, ds:_KiGroupBlock
		mov	[ebp+var_20], eax
		mov	edx, [ebp+var_2C]

loc_8AB8CB:				; CODE XREF: KeQueryCpuSetInformation+13Bj
		test	eax, eax
		jz	loc_9346E1
		and	[ebp+var_38], 0
		bsf	esi, eax
		btr	eax, esi
		mov	[ebp+var_38], eax
		mov	[ebp+var_20], eax
		mov	eax, ecx
		shl	eax, 5
		add	eax, [ebp+var_30]
		mov	[ebp+var_1C], eax
		mov	edx, esi
		call	_KiGetCpuSetData@8 ; KiGetCpuSetData(x,x)
		mov	[ebp+var_24], eax
		mov	edx, [ebp+var_1C]
		mov	dword ptr [edx], 20h
		and	dword ptr [edx+4], 0
		mov	ecx, edi
		shl	ecx, 10h
		or	ecx, esi
		or	ecx, 100h
		mov	[edx+8], ecx
		mov	[edx+0Ch], di
		mov	cl, [eax+1]
		mov	[edx+0Eh], cl
		mov	ecx, eax
		mov	al, [ecx+2]
		mov	[edx+0Fh], al
		mov	al, [ecx+3]
		mov	[edx+10h], al
		mov	al, [ecx+4]
		mov	[edx+11h], al
		mov	al, [ecx+5]
		mov	[edx+12h], al
		mov	al, [ecx+6]
		mov	[edx+14h], al
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	ecx, esi
		xor	esi, esi
		inc	esi
		shl	esi, cl
		xor	ecx, ecx
		test	ds:_KiNonParkedCpuSets[edi*4], esi
		jz	loc_934703

loc_8AB95A:				; CODE XREF: KeQueryCpuSetInformation+88EB7j
		test	ds:_KiSystemAllowedCpuSets[edi*8], esi
		jz	loc_934714
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jnz	loc_934727

loc_8AB972:				; CODE XREF: KeQueryCpuSetInformation+88ED9j
					; KeQueryCpuSetInformation+88EE7j
		mov	[edx+13h], al
		mov	ecx, [ebp+var_24]
		mov	eax, [ecx+8]
		mov	ecx, [ecx+0Ch]
		mov	[edx+18h], eax
		mov	[edx+1Ch], ecx
		mov	ecx, [ebp+var_28]
		inc	ecx
		mov	[ebp+var_28], ecx
		mov	eax, [ebp+var_38]
		mov	edx, [ebp+var_2C]

loc_8AB991:				; CODE XREF: KeQueryCpuSetInformation+88EA6j
		cmp	ecx, edx
		jb	loc_8AB8CB

loc_8AB999:				; CODE XREF: KeQueryCpuSetInformation+88E96j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	[ebp+var_3C]
		push	[ebp+var_40]
		mov	ecx, offset _KiCpuSetSequence
		call	_RtlTryEndReadTickLock@12 ; RtlTryEndReadTickLock(x,x,x)
		test	eax, eax
		mov	edi, [ebp+var_30]
		jz	loc_8AB87D
		xor	eax, eax

loc_8AB9BD:				; CODE XREF: KeQueryCpuSetInformation+183j
					; sub_934754+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8AB9CF:				; CODE XREF: KeQueryCpuSetInformation+4Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000023h
		jmp	short loc_8AB9BD
KeQueryCpuSetInformation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEventTraceProfileSetting proc near	; CODE XREF: PpmSetProfilePolicySetting+1FCp
					; PpmSetProfilePolicySetting+170B94p ...

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch

; FUNCTION CHUNK AT 00934766 SIZE 000000C0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PpmEtwRegistered, 0
		push	esi
		mov	esi, edx
		mov	byte ptr [ebp+var_78], cl
		jz	short loc_8ABA26
		mov	eax, dword_6BFD04
		push	ebx
		mov	bl, [ebp+arg_14]
		test	bl, bl
		jnz	short loc_8ABA35
		push	offset _PPM_ETW_PROCESSOR_PROFILE_SETTING_CHANGE

loc_8ABA11:				; CODE XREF: PpmEventTraceProfileSetting+5Cj
		push	eax
		mov	eax, _PpmEtwHandle
		push	eax
		call	EtwEventEnabled
		test	al, al
		jnz	loc_934766

loc_8ABA25:				; CODE XREF: PpmEventTraceProfileSetting+88E43j
		pop	ebx

loc_8ABA26:				; CODE XREF: PpmEventTraceProfileSetting+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_8ABA35:				; CODE XREF: PpmEventTraceProfileSetting+2Cj
		push	offset _PPM_ETW_PROCESSOR_PROFILE_SETTING_RUNDOWN
		jmp	short loc_8ABA11
PpmEventTraceProfileSetting endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 936. IoRegisterBootDriverReinitialization

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRegisterBootDriverReinitialization(x, x, x)
		public _IoRegisterBootDriverReinitialization@12
_IoRegisterBootDriverReinitialization@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_IopBootDriverReinitCompleted, 1
		jz	short loc_8ABA90
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		push	69526F49h
		push	14h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_8ABA94
		or	dword ptr [esi+8], 20h
		mov	ecx, offset _IopBootDriverReinitializeQueueHead
		mov	eax, [ebp+arg_4]
		mov	[edx+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[edx+8], esi
		mov	[edx+10h], eax
		call	IopInterlockedInsertTailList

loc_8ABA8F:				; CODE XREF: IoRegisterBootDriverReinitialization(x,x,x)+59j
		pop	esi

loc_8ABA90:				; CODE XREF: IoRegisterBootDriverReinitialization(x,x,x)+Cj
		pop	ebp
		retn	0Ch
; 

loc_8ABA94:				; CODE XREF: IoRegisterBootDriverReinitialization(x,x,x)+2Ej
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_8ABA8F
_IoRegisterBootDriverReinitialization@12 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 939. IoRegisterDriverReinitialization

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRegisterDriverReinitialization(x,	x, x)
		public _IoRegisterDriverReinitialization@12
_IoRegisterDriverReinitialization@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		push	69526F49h
		push	14h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_8ABAEB
		or	dword ptr [esi+8], 8
		mov	ecx, offset _IopDriverReinitializeQueueHead
		mov	eax, [ebp+arg_4]
		mov	[edx+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[edx+8], esi
		mov	[edx+10h], eax
		call	IopInterlockedInsertTailList

loc_8ABAE6:				; CODE XREF: IoRegisterDriverReinitialization(x,x,x)+50j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_8ABAEB:				; CODE XREF: IoRegisterDriverReinitialization(x,x,x)+25j
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_8ABAE6
_IoRegisterDriverReinitialization@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 862. IoGetDmaAdapter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoGetDmaAdapter
IoGetDmaAdapter	proc near		; CODE XREF: VfGetDmaAdapter(x,x,x)+122p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00934826 SIZE 00000237 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_4]
		push	40h		; size_t
		mov	[esp+64h+var_50], eax
		lea	eax, [esp+64h+var_48]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+60h+var_4C], ebx
		test	esi, esi
		jz	short loc_8ABB8D
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_934870
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_934870
		mov	eax, large fs:124h
		push	esi
		push	eax
		call	off_6B13CC	; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
		mov	eax, [edi+14h]
		cmp	eax, 0FFFFFFFFh
		jz	loc_934826
		cmp	eax, 0Fh
		jz	loc_934826

loc_8ABB7E:				; CODE XREF: IoGetDmaAdapter+88D71j
		push	[esp+68h+var_58]
		mov	edx, edi
		mov	ecx, esi
		call	PiGetDmaAdapterFromBusInterface
		mov	ebx, eax

loc_8ABB8D:				; CODE XREF: IoGetDmaAdapter+3Ej
		test	ebx, ebx
		jnz	short loc_8ABB9F
		push	[esp+68h+var_58]
		push	edi
		push	esi
		call	dword_6B2BF8
		mov	ebx, eax

loc_8ABB9F:				; CODE XREF: IoGetDmaAdapter+95j
		test	esi, esi
		jz	short loc_8ABBB3
		xor	eax, eax
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	off_6B13CC	; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)

loc_8ABBB3:				; CODE XREF: IoGetDmaAdapter+A7j
		mov	ecx, [esp+7Ch+var_20]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
IoGetDmaAdapter	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiGetDmaAdapterFromBusInterface	proc near ; CODE XREF: IoGetDmaAdapter+8Cp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		push	8
		pop	ecx
		rep stosd
		xor	edi, edi
		mov	ebx, edx
		test	esi, esi
		jz	loc_934A3C
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_934961
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_934961
		lea	eax, [ebp+var_24]
		mov	edx, offset _GUID_BUS_INTERFACE_STANDARD
		push	eax		; void *
		push	edi		; int
		push	20h		; __int16
		push	1		; __int16
		mov	ecx, esi
		call	PnpQueryInterface
		test	eax, eax
		js	short loc_8ABC3F
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_8ABC39
		push	[ebp+arg_0]
		push	ebx
		push	[ebp+var_20]
		call	eax
		mov	edi, eax

loc_8ABC39:				; CODE XREF: PiGetDmaAdapterFromBusInterface+62j
		push	[ebp+var_20]
		call	[ebp+var_18]

loc_8ABC3F:				; CODE XREF: PiGetDmaAdapterFromBusInterface+5Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PiGetDmaAdapterFromBusInterface	endp


;  S U B	R O U T	I N E 


; __stdcall PopIdleWakeInitialize()
_PopIdleWakeInitialize@0 proc near	; CODE XREF: PoInitSystem+6DBp
		mov	edi, edi
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, 989680h
		push	ebx
		push	esi
		push	ebx
		push	2FAF080h
		mov	_PopIdleWakeContextLock, ebx
		call	_PpmConvertTimeFrom@16 ; PpmConvertTimeFrom(x,x,x,x)
		push	ebx
		push	esi
		mov	dword_6BFC2C, edx
		mov	edx, offset _PopIdleSpuriousWakeBucketLimitsQpc
		push	edx
		push	6
		pop	ecx
		mov	_PopIdleWakeSourceSpuriousThresholdQpc,	eax
		call	_PopIdleWakeConvertIntervalBucketsFrom@20 ; PopIdleWakeConvertIntervalBucketsFrom(x,x,x,x,x)
		push	ebx
		push	esi
		mov	edx, offset _PopIdleWakeSourceActiveBucketLimitsQpc
		push	edx
		push	5
		pop	ecx
		call	_PopIdleWakeConvertIntervalBucketsFrom@20 ; PopIdleWakeConvertIntervalBucketsFrom(x,x,x,x,x)
		push	ebx
		push	esi
		mov	edx, offset _PopIdleWakeSourceActivatorBucketLimitsQpc
		push	edx
		push	5
		pop	ecx
		call	_PopIdleWakeConvertIntervalBucketsFrom@20 ; PopIdleWakeConvertIntervalBucketsFrom(x,x,x,x,x)
		push	ebx
		push	esi
		mov	edx, offset _PopIdleWakeSourceDeviceBucketLimitsQpc
		push	edx
		push	5
		pop	ecx
		call	_PopIdleWakeConvertIntervalBucketsFrom@20 ; PopIdleWakeConvertIntervalBucketsFrom(x,x,x,x,x)
		push	ebx
		push	esi
		mov	edx, offset _PopIdleWakeSourceExcessBucketLimitsQpc
		push	edx
		push	3
		pop	ecx
		call	_PopIdleWakeConvertIntervalBucketsFrom@20 ; PopIdleWakeConvertIntervalBucketsFrom(x,x,x,x,x)
		push	ebx
		mov	esi, 3E8h
		mov	edx, offset _PopIdleWakeIdleAccountingBucketLimitsMs
		push	esi
		push	offset _PopIdleWakeIdleAccountingBucketLimitsQpc
		push	9
		pop	ecx
		call	_PopIdleWakeConvertIntervalBucketsFrom@20 ; PopIdleWakeConvertIntervalBucketsFrom(x,x,x,x,x)
		or	dword_6BFC88, 0FFFFFFFFh
		mov	edx, offset _PopIdleWakePeriodAccountingBucketLimitsMs
		or	dword_6BFC8C, 0FFFFFFFFh
		push	ebx
		push	esi
		push	offset _PopIdleWakePeriodAccountingBucketLimitsQpc
		push	0Bh
		pop	ecx
		call	_PopIdleWakeConvertIntervalBucketsFrom@20 ; PopIdleWakeConvertIntervalBucketsFrom(x,x,x,x,x)
		or	dword_6BFCF8, 0FFFFFFFFh
		or	dword_6BFCFC, 0FFFFFFFFh
		pop	esi
		pop	ebx
		retn
_PopIdleWakeInitialize@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeConvertIntervalBucketsFrom(x, x,	x, x, x)
_PopIdleWakeConvertIntervalBucketsFrom@20 proc near ; CODE XREF: PopIdleWakeInitialize()+34p
					; PopIdleWakeInitialize()+44p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jz	short loc_8ABD43
		push	esi
		mov	esi, [ebp+arg_0]
		sub	edi, esi

loc_8ABD23:				; CODE XREF: PopIdleWakeConvertIntervalBucketsFrom(x,x,x,x,x)+32j
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	dword ptr [edi+esi+4]
		push	dword ptr [edi+esi]
		call	_PpmConvertTimeFrom@16 ; PpmConvertTimeFrom(x,x,x,x)
		mov	[esi], eax
		lea	esi, [esi+8]
		mov	[esi-4], edx
		sub	ebx, 1
		jnz	short loc_8ABD23
		pop	esi

loc_8ABD43:				; CODE XREF: PopIdleWakeConvertIntervalBucketsFrom(x,x,x,x,x)+Dj
		pop	edi
		pop	ebx
		pop	ebp
		retn	0Ch
_PopIdleWakeConvertIntervalBucketsFrom@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqActionDataGetChangedProperties proc	near ; CODE XREF: PiDqActionDataCreate+13Cp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 00934A5D SIZE 000001E0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_14]
		push	edi
		mov	[ebp+var_50], eax
		lea	edi, [ebp+var_2C]
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_64], ecx
		push	0Ah
		mov	[ebp+var_40], eax
		xor	eax, eax
		mov	[ebp+var_54], edx
		mov	ebx, eax
		mov	edx, [ebp+arg_1C]
		pop	ecx
		rep stosd
		xor	edi, edi
		mov	[ebp+var_38], esi
		lea	ecx, [ebp+var_60]
		mov	[ebp+var_44], edx
		mov	[ebp+var_68], eax
		mov	[ebp+var_30], ebx
		mov	[ebp+var_48], eax
		mov	[ebp+var_3C], edi
		mov	[ebp+var_60], edi
		mov	[edx], edi
		call	PiPnpRtlBeginOperation
		mov	[ebp+var_5C], edi
		cmp	[esi+2Ch], edi
		jbe	loc_8ABEC3
		mov	edx, [ebp+arg_C]
		lea	ecx, [esi+30h]
		mov	[ebp+var_34], ecx
		mov	eax, esi

loc_8ABDC1:				; CODE XREF: PiDqActionDataGetChangedProperties+173j
		mov	esi, edi
		test	edx, edx
		jz	loc_934A5D
		cmp	[ebp+arg_10], 0
		mov	ebx, edi
		jbe	loc_8ABEED
		mov	eax, [ecx+10h]
		lea	edi, [edx+14h]
		mov	[ebp+var_4C], eax

loc_8ABDE0:				; CODE XREF: PiDqActionDataGetChangedProperties+A2j
		cmp	eax, [edi-4]
		jz	short loc_8ABDF6

loc_8ABDE5:				; CODE XREF: IoGetDmaAdapter+88F5Ej
		inc	ebx
		add	edi, 1Ch
		cmp	ebx, [ebp+arg_10]
		jb	short loc_8ABDE0

loc_8ABDEE:				; CODE XREF: PiDqActionDataGetChangedProperties+88ED0j
		mov	ebx, [ebp+var_30]
		jmp	loc_8ABEA5
; 

loc_8ABDF6:				; CODE XREF: PiDqActionDataGetChangedProperties+99j
		push	10h		; size_t
		lea	eax, [edi-14h]
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		mov	ecx, [ebp+var_34]
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_934A55
		mov	eax, [ecx+14h]
		cmp	eax, [edi]
		jnz	loc_934A55
		xor	edx, edx
		cmp	[ecx+18h], edx
		jnz	loc_934A4C

loc_8ABE26:				; CODE XREF: IoGetDmaAdapter+88F55j
		mov	ebx, [ebp+var_30]
		xor	edi, edi

loc_8ABE2B:				; CODE XREF: PiDqActionDataGetChangedProperties+88D16j
		sub	eax, edi
		jnz	loc_934A65
		mov	edi, [ebp+var_54]

loc_8ABE36:				; CODE XREF: PiDqActionDataGetChangedProperties+88D65j
		test	ebx, ebx
		js	loc_8ABEC3
		cmp	[ebp+arg_4], 0
		jnz	loc_934AB4
		mov	eax, [ebp+var_44]
		mov	ecx, [ebp+var_3C]
		mov	edx, [eax]
		cmp	ecx, edx
		ja	short loc_8ABE76
		cmp	[ebp+arg_10], 0
		jbe	loc_934C02
		mov	ecx, [ebp+arg_10]

loc_8ABE61:				; CODE XREF: PiDqActionDataGetChangedProperties+88EC8j
		mov	[ebp+var_3C], ecx
		push	ecx
		mov	ecx, [ebp+var_40]
		call	PiDqGrowPropertyArray
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8ABEC3
		mov	eax, [ebp+var_44]

loc_8ABE76:				; CODE XREF: PiDqActionDataGetChangedProperties+108j
		imul	eax, [eax], 28h
		mov	edx, edi
		mov	ecx, [ebp+var_40]
		add	eax, [ecx]
		mov	ecx, [ebp+var_50]
		push	eax
		mov	eax, [ebp+var_34]
		push	dword ptr [eax+18h]
		push	dword ptr [eax+14h]
		push	eax
		push	esi
		call	PiDqPnPGetObjectProperty
		mov	ebx, eax
		mov	[ebp+var_30], ebx
		test	ebx, ebx
		js	short loc_8ABEC3
		mov	eax, [ebp+var_44]

loc_8ABEA0:				; CODE XREF: PiDqActionDataGetChangedProperties+88EB3j
		inc	dword ptr [eax]

loc_8ABEA2:				; CODE XREF: PiDqActionDataGetChangedProperties+88E42j
		mov	ecx, [ebp+var_34]

loc_8ABEA5:				; CODE XREF: PiDqActionDataGetChangedProperties+A7j
		mov	eax, [ebp+var_38]
		xor	edi, edi
		mov	edx, [ebp+arg_C]

loc_8ABEAD:				; CODE XREF: PiDqActionDataGetChangedProperties+1A6j
		mov	esi, [ebp+var_5C]
		add	ecx, 1Ch
		inc	esi
		mov	[ebp+var_34], ecx
		mov	[ebp+var_5C], esi
		cmp	esi, [eax+2Ch]
		jb	loc_8ABDC1

loc_8ABEC3:				; CODE XREF: PiDqActionDataGetChangedProperties+66j
					; PiDqActionDataGetChangedProperties+EEj ...
		mov	esi, [ebp+var_48]
		test	esi, esi
		jnz	loc_934C29

loc_8ABECE:				; CODE XREF: PiDqActionDataGetChangedProperties+88EE2j
					; PiDqActionDataGetChangedProperties+88EEEj
		mov	ecx, [ebp+var_60]
		test	ecx, ecx
		jz	short loc_8ABEDA
		call	PiPnpRtlEndOperation

loc_8ABEDA:				; CODE XREF: PiDqActionDataGetChangedProperties+189j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
; 

loc_8ABEED:				; CODE XREF: PiDqActionDataGetChangedProperties+87j
		mov	ebx, [ebp+var_30]
		jmp	short loc_8ABEAD
PiDqActionDataGetChangedProperties endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqGrowPropertyArray proc near		; CODE XREF: PiDqActionDataGetChangedProperties+11Ep
					; PiDqActionDataGetChangedProperties+88E7Dp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00934C3D SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		imul	eax, [ebp+arg_0], 28h
		push	ebx
		push	esi
		push	edi
		push	58706E50h
		push	eax
		push	1
		mov	[ebp+var_4], edx
		mov	esi, ecx
		xor	edi, edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8ABF2E
		mov	ecx, [esi]
		test	ecx, ecx
		jnz	loc_934C3D

loc_8ABF23:				; CODE XREF: PiDqGrowPropertyArray+88D66j
		mov	[esi], ebx

loc_8ABF25:				; CODE XREF: PiDqGrowPropertyArray+41j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8ABF2E:				; CODE XREF: PiDqGrowPropertyArray+25j
		mov	edi, 0C000009Ah
		jmp	short loc_8ABF25
PiDqGrowPropertyArray endp

; 
		align 2

;  S U B	R O U T	I N E 


PpmEnableProfile proc near		; CODE XREF: PdcPoPpmResetProfile(x,x)+24p
					; PpmRegisterSpmSettings(x)+233p ...

; FUNCTION CHUNK AT 00934C5D SIZE 0000002C BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		push	10h		; size_t
		push	offset _GUID_POWER_POLICY_PROFILE_LOW_POWER ; void *
		or	dword ptr [esi+18h], 1
		lea	edi, [esi+8]
		mov	bl, [esi+4]
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8ABFAF
		push	10h		; size_t
		push	(offset	loc_408894+4) ;	void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_934C5D
		push	10h		; size_t
		push	offset _GUID_POWER_POLICY_PROFILE_ENTRY_LEVEL_PERF ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_934C65
		push	10h		; size_t
		push	offset _GUID_POWER_POLICY_PROFILE_QOS_MULTIMEDIA ; void	*
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_934C6D

loc_8ABFA3:				; CODE XREF: PpmEnableProfile+7Fj
					; PpmEnableProfile+88D4Ej
		mov	dl, 1
		mov	cl, bl
		pop	edi
		pop	esi
		pop	ebx
		jmp	PpmEventTraceProfileEnable
; 

loc_8ABFAF:				; CODE XREF: PpmEnableProfile+23j
		mov	_PpmLowPowerProfile, esi
		jmp	short loc_8ABFA3
PpmEnableProfile endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEventTraceProfileEnable proc	near	; CODE XREF: PpmEnableProfile+74j
					; PpmDisableProfile(x)+A7p

var_18		= byte ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	[ebp+var_18], cl
		push	esi
		mov	esi, (offset loc_4088A5+3)
		test	dl, dl
		jz	short loc_8ABFF1

loc_8ABFD7:				; CODE XREF: PpmEventTraceProfileEnable+3Ej
		cmp	_PpmEtwRegistered, 0
		jnz	sub_934C89

loc_8ABFE4:				; CODE XREF: sub_934C89+3Ej
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8ABFF1:				; CODE XREF: PpmEventTraceProfileEnable+1Dj
		mov	esi, offset _PPM_ETW_PROCESSOR_PROFILE_DISABLED
		jmp	short loc_8ABFD7
PpmEventTraceProfileEnable endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2325. RtlSelfRelativeToAbsoluteSD

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlSelfRelativeToAbsoluteSD(void *,void	*,int,void *,int,void *,int,void *,int,void *,int)
		public RtlSelfRelativeToAbsoluteSD
RtlSelfRelativeToAbsoluteSD proc near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 00934CCC SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		cmp	[ecx+2], ax
		jge	loc_934CCC
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_14]
		call	RtlpQuerySecurityDescriptor
		cmp	[ebp+arg_4], 0
		mov	eax, [ebp+arg_28]
		mov	edx, [ebp+arg_20]
		mov	esi, [ebp+arg_18]
		mov	ebx, [ebp+arg_10]
		jz	loc_8AC0FF
		mov	ecx, [ebp+arg_8]
		cmp	dword ptr [ecx], 14h
		jb	loc_8AC0FF
		mov	eax, [ebp+var_8]
		cmp	eax, [edx]
		mov	eax, [ebp+arg_28]
		ja	short loc_8AC0FF
		mov	edi, [ebp+var_10]
		cmp	edi, [ebx]
		mov	edi, [ebp+arg_4]
		ja	short loc_8AC0FF
		mov	eax, [ebp+var_C]
		cmp	eax, [esi]
		mov	eax, [ebp+arg_28]
		ja	short loc_8AC0FF
		mov	ecx, [ebp+var_4]
		cmp	ecx, [eax]
		mov	ecx, [ebp+arg_0]
		ja	short loc_8AC0FF
		push	14h		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memmove
		mov	ecx, [ebp+var_14]
		xor	eax, eax
		mov	[edi+4], eax
		add	esp, 0Ch
		mov	[edi+8], eax
		mov	[edi+0Ch], eax
		mov	[edi+10h], eax
		mov	eax, 7FFFh
		and	[edi+2], ax
		test	ecx, ecx
		jnz	short loc_8AC123

loc_8AC0C8:				; CODE XREF: RtlSelfRelativeToAbsoluteSD+141j
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jnz	short loc_8AC141

loc_8AC0CF:				; CODE XREF: RtlSelfRelativeToAbsoluteSD+15Fj
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jnz	loc_934CD6

loc_8AC0DA:				; CODE XREF: RtlSelfRelativeToAbsoluteSD+88CEDj
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	short loc_8AC0F6
		movzx	eax, word ptr [ecx+2]
		mov	esi, [ebp+arg_C]
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memmove
		add	esp, 0Ch
		mov	[edi+10h], esi

loc_8AC0F6:				; CODE XREF: RtlSelfRelativeToAbsoluteSD+E1j
		xor	eax, eax

loc_8AC0F8:				; CODE XREF: RtlSelfRelativeToAbsoluteSD+123j
		pop	edi
		pop	esi
		pop	ebx

locret_8AC0FB:				; CODE XREF: RtlSelfRelativeToAbsoluteSD+88CD3j
		leave
		retn	2Ch
; 

loc_8AC0FF:				; CODE XREF: RtlSelfRelativeToAbsoluteSD+66j
					; RtlSelfRelativeToAbsoluteSD+72j ...
		mov	ecx, [ebp+arg_8]
		mov	dword ptr [ecx], 14h
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx
		mov	eax, [ebp+var_8]
		mov	[edx], eax
		mov	eax, [ebp+var_C]
		mov	[esi], eax
		mov	eax, [ebp+var_10]
		mov	[ebx], eax
		mov	eax, 0C0000023h
		jmp	short loc_8AC0F8
; 

loc_8AC123:				; CODE XREF: RtlSelfRelativeToAbsoluteSD+C8j
		movzx	eax, byte ptr [ecx+1]
		mov	esi, [ebp+arg_1C]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memmove
		add	esp, 0Ch
		mov	[edi+4], esi
		jmp	short loc_8AC0C8
; 

loc_8AC141:				; CODE XREF: RtlSelfRelativeToAbsoluteSD+CFj
		movzx	eax, byte ptr [ecx+1]
		mov	esi, [ebp+arg_24]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memmove
		add	esp, 0Ch
		mov	[edi+8], esi
		jmp	loc_8AC0CF
RtlSelfRelativeToAbsoluteSD endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipLegacyEtwWorker proc near		; CODE XREF: WmipAddDataSource+9D5C1p
					; DATA XREF: WmipAllocGuidEntry()+4Eo

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00934CF0 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		call	WmipReferenceEntry
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		mov	ebx, [esi+60h]
		test	ebx, ebx
		jnz	loc_934CF0
		lea	ebx, [esi+64h]

loc_8AC196:				; CODE XREF: WmipLegacyEtwWorker+93j
					; WmipLegacyEtwWorker+88B91j
		mov	edi, [ebx]
		cmp	edi, ebx
		jz	short loc_8AC1F7
		cmp	[edi+4], ebx
		jnz	short loc_8AC220
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_8AC220
		push	0
		mov	[ebx], eax
		push	offset _WmipSMMutex
		mov	[eax+4], ebx
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, [edi+8]
		sub	eax, 0
		jnz	loc_934CF8
		mov	edx, edi
		mov	ecx, esi
		call	_WmipProcessLegacyEtwRegister@8	; WmipProcessLegacyEtwRegister(x,x)

loc_8AC1CE:				; CODE XREF: WmipLegacyEtwWorker+88B9Ej
					; WmipLegacyEtwWorker+88BADj ...
		mov	edx, esi
		mov	ecx, offset _WmipGEChunkInfo
		call	WmipUnreferenceEntry
		push	70696D57h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		jmp	short loc_8AC196
; 

loc_8AC1F7:				; CODE XREF: WmipLegacyEtwWorker+38j
		and	dword ptr [esi+8], 0FFFFFFEFh
		and	dword ptr [esi+60h], 0
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	edx, esi
		mov	ecx, offset _WmipGEChunkInfo
		call	WmipUnreferenceEntry
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_8AC220:				; CODE XREF: WmipLegacyEtwWorker+3Dj
					; WmipLegacyEtwWorker+44j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
WmipLegacyEtwWorker endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipProcessLegacyEtwRegister(x, x)
_WmipProcessLegacyEtwRegister@8	proc near ; CODE XREF: WmipLegacyEtwWorker+67p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		mov	esi, edx
		mov	edi, ecx
		call	KeWaitForSingleObject
		mov	ebx, [edi+50h]
		cmp	ebx, esi
		jnz	short loc_8AC250
		or	dword ptr [edi+50h], 0FFFFFFFFh

loc_8AC250:				; CODE XREF: WmipProcessLegacyEtwRegister(x,x)+24j
		mov	eax, [edi+48h]
		mov	ecx, [edi+4Ch]
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], eax
		xor	eax, eax
		push	eax
		push	offset _WmipSMMutex
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ecx
		mov	[edi+48h], eax
		mov	[edi+4Ch], eax
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, ecx
		mov	edx, [ebp+var_8]
		or	eax, edx
		jnz	short loc_8AC2CB

loc_8AC281:				; CODE XREF: WmipProcessLegacyEtwRegister(x,x)+ACj
		cmp	ebx, esi
		jnz	short loc_8AC2C6
		lea	eax, [ebp+var_10]
		xor	ebx, ebx
		push	eax		; int
		push	edi		; int
		push	offset _WmipLegacyEtwCallback@16 ; int
		push	ebx		; int
		lea	eax, [edi+28h]
		push	eax		; void *
		call	_EtwRegisterClassicProvider@20 ; EtwRegisterClassicProvider(x,x,x,x,x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _WmipSMMutex
		mov	esi, eax
		call	KeWaitForSingleObject
		test	esi, esi
		js	short loc_8AC2D4
		mov	eax, [ebp+var_10]
		mov	[edi+48h], eax
		mov	eax, [ebp+var_C]
		mov	[edi+4Ch], eax

loc_8AC2BB:				; CODE XREF: WmipProcessLegacyEtwRegister(x,x)+B1j
		push	ebx
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_8AC2C6:				; CODE XREF: WmipProcessLegacyEtwRegister(x,x)+5Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8AC2CB:				; CODE XREF: WmipProcessLegacyEtwRegister(x,x)+59j
		push	edx
		push	ecx
		call	EtwUnregister
		jmp	short loc_8AC281
; 

loc_8AC2D4:				; CODE XREF: WmipProcessLegacyEtwRegister(x,x)+87j
		mov	[edi+50h], ebx
		jmp	short loc_8AC2BB
_WmipProcessLegacyEtwRegister@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpGetAutoLoggerEventNameFilter proc near ; CODE XREF:	EtwpGetAutoLoggerProviderFilter+637p
					; EtwpGetAutoLoggerProviderFilter+651p

var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= byte ptr -328h
var_324		= dword	ptr -324h
var_320		= dword	ptr -320h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_310		= byte ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2E8		= dword	ptr -2E8h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2CC		= dword	ptr -2CCh
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B0		= dword	ptr -2B0h
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_294		= dword	ptr -294h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_278		= dword	ptr -278h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00934D20 SIZE 000003A0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 358h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	dword ptr [ebp+var_328], ecx
		lea	edi, [ebp+var_34C]
		push	6
		pop	ecx
		mov	dword ptr [ebp+var_310], edx
		mov	edx, [ebp+arg_8]
		rep stosd
		mov	ecx, dword ptr [ebp+var_328]
		mov	edi, eax
		mov	[ebx], eax
		mov	[ebp+var_320], edx
		mov	[edx], eax
		mov	[ebp+var_32C], esi
		lea	edx, [ecx+2]
		mov	[ebp+var_31C], eax
		mov	[ebp+var_308], eax
		mov	[ebp+var_30C], eax
		mov	[ebp+var_334], eax
		mov	[ebp+var_330], eax
		mov	[ebp+var_350], eax
		mov	[ebp+var_318], eax
		mov	[ebp+var_314], eax

loc_8AC35F:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+92j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_31C]
		jnz	short loc_8AC35F
		sub	ecx, edx
		mov	edx, esi
		sar	ecx, 1
		lea	esi, [edx+2]

loc_8AC377:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+AAj
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_31C]
		jnz	short loc_8AC377
		sub	edx, esi
		sar	edx, 1
		push	50777445h
		lea	eax, [edx+ecx]
		lea	eax, ds:4[eax*2]
		push	eax
		push	1
		mov	[ebp+var_324], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_354], esi
		test	esi, esi
		jz	loc_8AC472
		push	[ebp+var_32C]
		push	dword ptr [ebp+var_328]	; char
		push	offset ??_C@_1BA@NPEHGALP@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	[ebp+var_324]	; int
		push	esi		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	ecx, eax
		add	esp, 14h
		test	ecx, ecx
		jnz	loc_8AC470
		push	esi
		lea	eax, [ebp+var_334]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_334]
		mov	[ebp+var_34C], 18h
		mov	[ebp+var_344], eax
		xor	esi, esi
		lea	eax, [ebp+var_34C]
		mov	[ebp+var_348], esi
		push	eax
		push	20019h
		lea	eax, [ebp+var_308]
		mov	[ebp+var_340], 240h
		push	eax
		mov	[ebp+var_33C], esi
		mov	[ebp+var_338], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jns	short loc_8AC446
		mov	[ebp+var_308], esi

loc_8AC446:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+164j
		mov	eax, dword ptr [ebp+var_310]
		test	eax, eax
		jnz	loc_934D20

loc_8AC454:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+88B22j
					; EtwpGetAutoLoggerEventNameFilter+88B2Ej
		cmp	[ebp+var_308], 0
		jnz	loc_934E0D
		cmp	[ebp+var_30C], 0
		jnz	loc_934E0D

loc_8AC46E:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+88DB3j
		test	ecx, ecx

loc_8AC470:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+101j
					; EtwpGetAutoLoggerEventNameFilter+88ABFj ...
		jns	short loc_8AC4D2

loc_8AC472:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+D7j
					; EtwpGetAutoLoggerEventNameFilter+88A99j ...
		xor	esi, esi

loc_8AC474:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+88CCEj
		mov	eax, [ebp+var_320]
		mov	[eax], esi
		mov	eax, [ebx]
		test	eax, eax
		jnz	loc_935092

loc_8AC486:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+1FAj
					; EtwpGetAutoLoggerEventNameFilter+88DC1j
		cmp	[ebp+var_308], 0
		jnz	loc_9350A0

loc_8AC493:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+88DD1j
		mov	eax, [ebp+var_354]
		test	eax, eax
		jz	short loc_8AC4A4
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8AC4A4:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+1C1j
		cmp	[ebp+var_30C], 0
		jnz	loc_9350B0

loc_8AC4B1:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+88DE1j
		test	edi, edi
		jnz	short loc_8AC4D6

loc_8AC4B5:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+203j
		lea	eax, [ebp+var_318]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_8AC4D2:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter:loc_8AC470j
		xor	esi, esi
		jmp	short loc_8AC486
; 

loc_8AC4D6:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+1D9j
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8AC4B5
EtwpGetAutoLoggerEventNameFilter endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 921. IoQueryInterface

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IoQueryInterface(int,char,int,__int16,__int16,int,void *)
		public _IoQueryInterface@28
_IoQueryInterface@28 proc near		; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+A9p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= word ptr  14h
arg_10		= word ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_4], 1
		push	[ebp+arg_18]	; void *
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_14]	; int
		jnz	short loc_8AC50A
		push	dword ptr [ebp+arg_C] ;	__int16
		push	dword ptr [ebp+arg_10] ; __int16
		call	PnpQueryInterface

loc_8AC506:				; CODE XREF: IoQueryInterface(x,x,x,x,x,x,x)+31j
		pop	ebp
		retn	1Ch		; int
; 

loc_8AC50A:				; CODE XREF: IoQueryInterface(x,x,x,x,x,x,x)+15j
		push	dword ptr [ebp+arg_10] ; __int16
		push	dword ptr [ebp+arg_C] ;	__int16
		call	_IopQueryInterfaceRecurseUp@24 ; IopQueryInterfaceRecurseUp(x,x,x,x,x,x)
		jmp	short loc_8AC506
_IoQueryInterface@28 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopQueryInterfaceRecurseUp(__int16,__int16,int,void *)
_IopQueryInterfaceRecurseUp@24 proc near ; CODE	XREF: IoQueryInterface(x,x,x,x,x,x,x)+2Cp

var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= word ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		xor	ecx, ecx
		mov	[esp+10h+var_4], edi
		call	PpDevNodeLockTree
		mov	edx, 49706E50h
		mov	ecx, esi
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8AC5B2
		mov	ecx, [ebx+0B0h]
		mov	esi, [ecx+14h]
		jmp	short loc_8AC587
; 

loc_8AC550:				; CODE XREF: IopQueryInterfaceRecurseUp(x,x,x,x,x,x)+75j
		test	esi, esi
		jz	short loc_8AC5B6
		cmp	dword ptr [esi+0ACh], 314h
		jz	short loc_8AC5B6
		push	[ebp+arg_C]	; void *
		mov	ecx, [esi+10h]
		mov	edx, edi
		push	[ebp+arg_8]	; int
		push	dword ptr [ebp+arg_0] ;	__int16
		push	dword ptr [ebp+arg_4] ;	__int16
		call	PnpQueryInterface
		mov	edi, eax
		cmp	edi, 0C00000BBh
		jnz	short loc_8AC594
		mov	esi, [esi+8]
		mov	edi, [esp+10h+var_4]

loc_8AC587:				; CODE XREF: IopQueryInterfaceRecurseUp(x,x,x,x,x,x)+36j
					; IopQueryInterfaceRecurseUp(x,x,x,x,x,x)+9Cj
		cmp	esi, _IopRootDeviceNode
		jnz	short loc_8AC550
		mov	edi, 0C00000BBh

loc_8AC594:				; CODE XREF: IopQueryInterfaceRecurseUp(x,x,x,x,x,x)+66j
					; IopQueryInterfaceRecurseUp(x,x,x,x,x,x)+A3j
		mov	edx, 49706E50h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_8AC5B2:				; CODE XREF: IopQueryInterfaceRecurseUp(x,x,x,x,x,x)+2Bj
		xor	esi, esi
		jmp	short loc_8AC587
; 

loc_8AC5B6:				; CODE XREF: IopQueryInterfaceRecurseUp(x,x,x,x,x,x)+3Aj
					; IopQueryInterfaceRecurseUp(x,x,x,x,x,x)+46j
		mov	edi, 0C00002B6h
		jmp	short loc_8AC594
_IopQueryInterfaceRecurseUp@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl PnpCompareResourceRequestPriority(const void *,const void	*)
_PnpCompareResourceRequestPriority proc	near ; DATA XREF: PnpAllocateResources:loc_87ACD0o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	edx, [eax+0Ch]
		cmp	edx, [ecx+0Ch]
		jnz	short loc_8AC5E2
		mov	edx, [eax+10h]
		cmp	edx, [ecx+10h]
		ja	short loc_8AC5E4
		jnb	short loc_8AC5E9

loc_8AC5DC:				; CODE XREF: _PnpCompareResourceRequestPriority:loc_8AC5E2j
					; _PnpCompareResourceRequestPriority+2Fj
		or	eax, 0FFFFFFFFh

loc_8AC5DF:				; CODE XREF: _PnpCompareResourceRequestPriority+29j
		pop	esi
		pop	ebp
		retn
; 

loc_8AC5E2:				; CODE XREF: _PnpCompareResourceRequestPriority+12j
		jbe	short loc_8AC5DC

loc_8AC5E4:				; CODE XREF: _PnpCompareResourceRequestPriority+1Aj
					; _PnpCompareResourceRequestPriority+2Dj
		xor	eax, eax
		inc	eax
		jmp	short loc_8AC5DF
; 

loc_8AC5E9:				; CODE XREF: _PnpCompareResourceRequestPriority+1Cj
		cmp	eax, ecx
		jnb	short loc_8AC5E4
		jmp	short loc_8AC5DC
_PnpCompareResourceRequestPriority endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateKeyedEvent proc	near		; DATA XREF: .text:00581148o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009350C0 SIZE 0000002B BYTES

		push	1Ch
		push	offset dword_6A7430
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_20], edi
		mov	eax, large fs:124h
		mov	cl, [eax+15Ah]
		mov	byte ptr [ebp+var_24], cl
		mov	[ebp+ms_exc.disabled], edi
		test	cl, cl
		jnz	loc_9350C0

loc_8AC61E:				; CODE XREF: NtCreateKeyedEvent+88AECj
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		push	0FFFFFFFEh
		pop	ebx
		mov	[ebp+ms_exc.disabled], ebx
		cmp	[ebp+arg_C], 0
		jnz	loc_9350E1
		mov	edx, ds:_ExpKeyedEventObjectType
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		push	edi
		push	300h
		push	ecx
		push	[ebp+var_24]
		push	[ebp+arg_8]
		call	ObCreateObjectEx
		test	eax, eax
		js	short loc_8AC69B
		mov	esi, [ebp+var_1C]
		lea	eax, [esi+4]
		push	40h
		pop	ecx

loc_8AC65E:				; CODE XREF: NtCreateKeyedEvent+7Cj
		mov	[eax-4], edi
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 0Ch
		sub	ecx, 1
		jnz	short loc_8AC65E
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		push	edi
		push	edi
		push	[ebp+arg_4]
		xor	edx, edx
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_8AC69B
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	[ebp+ms_exc.disabled], ebx

loc_8AC699:				; CODE XREF: sub_9350FB+Dj
		mov	eax, edx

loc_8AC69B:				; CODE XREF: NtCreateKeyedEvent+63j
					; NtCreateKeyedEvent+95j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
NtCreateKeyedEvent endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PfpRpControlRequestReset(x,	x)
_PfpRpControlRequestReset@8 proc near	; CODE XREF: PfpRpControlRequestPerform(x,x)+3Fp
					; PfpRpShutdown(x)+179p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		lea	eax, [esi+48h]
		push	eax
		lea	edx, [esi+38h]
		call	PfpRpCHashEmpty
		xor	ecx, ecx
		jmp	short loc_8AC6D3
; 

loc_8AC6C3:				; CODE XREF: PfpRpControlRequestReset(x,x)+2Cj
		mov	edx, 0FFFFBFFFh
		lea	ecx, [eax+0FCh]
		lock and [ecx],	edx
		mov	ecx, eax

loc_8AC6D3:				; CODE XREF: PfpRpControlRequestReset(x,x)+13j
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		test	eax, eax
		jnz	short loc_8AC6C3
		lea	eax, [esi+34h]
		mov	ecx, esi
		push	eax
		lea	edx, [esi+20h]
		call	PfpRpCHashEmpty
		and	dword ptr [esi+30h], 0
		xor	eax, eax
		pop	esi
		retn
_PfpRpControlRequestReset@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfpRpCHashEmpty	proc near		; CODE XREF: PfpRpControlRequestReset(x,x)+Cp
					; PfpRpControlRequestReset(x,x)+37p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0093512F SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		mov	[ebp+var_8], ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], eax
		inc	edi
		or	esi, 0FFFFFFFFh
		mov	ecx, [eax+4]
		mov	ebx, esi
		shl	edi, cl
		mov	eax, edi
		test	edi, edi
		jz	short loc_8AC71C

loc_8AC717:				; CODE XREF: PfpRpCHashEmpty+28j
		inc	ebx
		shr	eax, 1
		jnz	short loc_8AC717

loc_8AC71C:				; CODE XREF: PfpRpCHashEmpty+23j
		lea	eax, [edi-1]
		test	eax, edi
		jnz	loc_93512F

loc_8AC727:				; CODE XREF: PfpRpCHashEmpty+88A3Ej
		xor	eax, eax
		push	eax		; size_t
		push	eax		; int
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+var_8]
		xor	edx, edx
		add	edi, 4Ch
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx]
		mov	[ebp+var_8], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		mov	[eax], ecx
		mov	[eax+4], ebx
		mov	[eax+8], ecx
		mov	[eax+0Ch], ecx
		mov	eax, esi
		mov	esi, [ebp+arg_0]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8AC797
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8AC797:				; CODE XREF: PfpRpCHashEmpty+9Cj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8AC7B7
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8AC7B7:				; CODE XREF: PfpRpCHashEmpty+BCj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	loc_935135

loc_8AC7CE:				; CODE XREF: PfpRpCHashEmpty+88A4Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
PfpRpCHashEmpty	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 909. IoOpenDeviceInterfaceRegistryKey

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoOpenDeviceInterfaceRegistryKey
IoOpenDeviceInterfaceRegistryKey proc near
					; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+BAp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00935142 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		push	edi
		test	esi, esi
		jz	loc_935142
		cmp	[esi+4], ebx
		jz	loc_935142
		cmp	[esi], bx
		jz	loc_935142
		push	esi
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		call	PnpUnicodeStringToWstr
		mov	edi, eax
		test	edi, edi
		js	short loc_8AC873
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		mov	edx, [ebp+var_4]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	ebx
		push	1
		push	[ebp+arg_4]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	32h
		call	_CmOpenDeviceInterfaceRegKey
		mov	edi, eax
		test	edi, edi
		js	short loc_8AC85D
		test	ebx, ebx
		jz	short loc_8AC85D
		mov	ecx, [ebx]
		call	_IopApplyMutableTagToRegistryKey@4 ; IopApplyMutableTagToRegistryKey(x)

loc_8AC85D:				; CODE XREF: IoOpenDeviceInterfaceRegistryKey+76j
					; IoOpenDeviceInterfaceRegistryKey+7Aj
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_8AC873:				; CODE XREF: IoOpenDeviceInterfaceRegistryKey+3Bj
					; IoOpenDeviceInterfaceRegistryKey+8896Dj
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
IoOpenDeviceInterfaceRegistryKey endp


;  S U B	R O U T	I N E 


; int __fastcall SmKmInitialize(void *)
_SmKmInitialize@8 proc near		; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmInitialize(SMKM_STORE_MGR<SM_TRAITS> *,_SMKM_STORE_MGR_PARAMS	*)+38p
		mov	edi, edi
		push	esi
		push	0F0h		; size_t
		mov	esi, ecx
		push	0		; int
		push	esi		; void *
		call	_memset
		or	dword ptr [esi+0ECh], 0FFFFFFFFh
		add	esp, 0Ch
		mov	dword ptr [esi+80h], offset SMKM_STORE_MGR_SM_TRAITS___SmStoreMgrCallback
		pop	esi
		retn
_SmKmInitialize@8 endp


;  S U B	R O U T	I N E 


; __stdcall FsRtlInitializeTieringHeat()
_FsRtlInitializeTieringHeat@0 proc near	; CODE XREF: FsRtlInitSystem()+BFp
		mov	edi, edi
		push	ecx
		mov	eax, offset _FsRtlTieringHeatData
		push	offset unk_6CDB08
		mov	dword_6CDB04, eax
		mov	_FsRtlTieringHeatData, eax
		call	ExInitializeResourceLite
		pop	ecx
		retn
_FsRtlInitializeTieringHeat@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlGetTunnelParameterValue proc near	; CODE XREF: FsRtlInitializeTunnels+31p
					; FsRtlInitializeTunnels+53p

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0093514C SIZE 0000006F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	7Ah
		pop	eax
		push	7Ch
		mov	word ptr [ebp+var_80], ax
		mov	edi, ecx
		pop	eax
		mov	word ptr [ebp+var_80+2], ax
		xor	ecx, ecx
		lea	eax, [ebp+var_80]
		mov	[ebp+var_78], edx
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_98]
		push	eax
		push	20019h
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_74], edi
		push	eax
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_7C], offset ??_C@_1HM@IHPPCBKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@	; "\\Registry\\Machine\\System\\CurrentControl"...
		mov	[ebp+var_98], 18h
		mov	[ebp+var_94], ecx
		mov	[ebp+var_8C], 40h
		mov	[ebp+var_88], ecx
		mov	[ebp+var_84], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_8AC995
		push	5Ch
		pop	ebx
		lea	eax, [ebp+var_70]
		push	eax
		lea	esi, [ebp+var_68]
		push	ebx
		mov	eax, esi
		push	eax
		push	1
		push	edi

loc_8AC962:				; CODE XREF: FsRtlGetTunnelParameterValue+888B3j
		push	[ebp+var_6C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 80000005h
		jz	loc_93514C
		push	[ebp+var_6C]
		call	_ZwClose@4	; ZwClose(x)
		test	edi, edi
		jns	loc_93518E

loc_8AC988:				; CODE XREF: FsRtlGetTunnelParameterValue+888D3j
					; FsRtlGetTunnelParameterValue+888DDj
		lea	eax, [ebp+var_68]
		cmp	esi, eax
		jnz	loc_9351AE

loc_8AC993:				; CODE XREF: FsRtlGetTunnelParameterValue+888EAj
		mov	eax, edi

loc_8AC995:				; CODE XREF: FsRtlGetTunnelParameterValue+83j
					; FsRtlGetTunnelParameterValue+888BDj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
FsRtlGetTunnelParameterValue endp


;  S U B	R O U T	I N E 


; __stdcall IopIncDisableableDepends(x)
_IopIncDisableableDepends@4 proc near	; CODE XREF: PiProcessQueryDeviceState+94p
		mov	edi, edi
		push	esi
		mov	esi, ecx

loc_8AC9A9:				; CODE XREF: IopIncDisableableDepends(x)+2Bj
		test	esi, esi
		jz	short loc_8AC9D1
		xor	eax, eax
		inc	eax
		lock xadd [esi+184h], eax
		inc	eax
		cmp	eax, 1
		jnz	short loc_8AC9D1
		mov	edx, [esi+18h]
		test	edx, edx
		jz	short loc_8AC9CC
		push	0Bh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent

loc_8AC9CC:				; CODE XREF: IopIncDisableableDepends(x)+1Fj
		mov	esi, [esi+8]
		jmp	short loc_8AC9A9
; 

loc_8AC9D1:				; CODE XREF: IopIncDisableableDepends(x)+7j
					; IopIncDisableableDepends(x)+18j
		pop	esi
		retn
_IopIncDisableableDepends@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpQueryMemoryTopologyInformation proc near ; CODE XREF: PAGE:007808B2p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	14h
		push	offset dword_6A7458
		call	__SEH_prolog4
		mov	ebx, edx
		mov	edi, ecx
		and	[ebp+var_20], 0
		and	[ebp+var_1C], 0
		lea	edx, [ebp+var_20]
		lea	ecx, [ebp+var_1C]
		call	MmGetNodeChannelRanges
		mov	esi, eax
		test	esi, esi
		js	short loc_8ACA23
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		cmp	ecx, ebx
		ja	short loc_8ACA47
		and	[ebp+ms_exc.disabled], 0
		push	ecx		; size_t
		push	[ebp+var_1C]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	esi, esi

loc_8ACA23:				; CODE XREF: ExpQueryMemoryTopologyInformation+27j
					; ExpQueryMemoryTopologyInformation+78j ...
		cmp	[ebp+var_1C], 0
		jz	short loc_8ACA33
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8ACA33:				; CODE XREF: ExpQueryMemoryTopologyInformation+53j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8ACA47:				; CODE XREF: ExpQueryMemoryTopologyInformation+33j
		mov	esi, 0C0000023h
		jmp	short loc_8ACA23
ExpQueryMemoryTopologyInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmGetNodeChannelRanges proc near	; CODE XREF: ExpQueryMemoryTopologyInformation+1Ep

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009351DD SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	[ebp+var_20], edx
		xor	edx, edx
		push	esi
		mov	[ebp+var_1C], ecx
		inc	edx
		push	edi
		mov	ecx, offset _MiSystemPartition
		call	MiReferencePageRuns
		mov	ebx, eax
		xor	edi, edi
		push	edi
		push	40h
		mov	edx, 68506D4Dh
		mov	esi, [ebx]
		dec	esi
		shl	esi, 5
		add	esi, 30h
		mov	ecx, esi
		mov	[ebp+var_14], esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_9351DD
		mov	ecx, [ebx]
		mov	[eax], ecx
		movzx	ecx, ds:_KeNumberNodes
		mov	[eax+8], ecx
		lea	ecx, [ebx+8]
		mov	[eax+4], edi
		mov	dword ptr [eax+0Ch], 1
		add	eax, 10h
		mov	[ebp+var_10], eax
		mov	eax, [ebx]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], edi
		lea	edx, [eax+1]
		lea	edx, [ebx+edx*8]
		mov	[ebp+var_8], edx
		test	eax, eax
		jz	short loc_8ACB2A
		mov	esi, [ebp+var_10]

loc_8ACACF:				; CODE XREF: MmGetNodeChannelRanges+D7j
		mov	eax, [ecx]
		mov	[esi+8], eax
		mov	[esi+0Ch], edi
		mov	eax, [ecx+4]
		mov	[esi+10h], eax
		mov	[esi+14h], edi
		mov	ecx, [edx]
		mov	[esi], ecx
		lea	esi, [esi+20h]
		mov	eax, [edx+4]
		xor	edx, edx
		imul	ecx, 280h
		mov	[esi-1Ch], eax
		add	ecx, eax
		mov	eax, dword_6D4E50
		cmp	byte ptr [ecx+eax+203h], 1
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_C]
		setz	dl
		mov	[esi-8], edx
		add	ecx, 8
		mov	edx, [ebp+var_8]
		add	edx, 8
		mov	[ebp+var_4], ecx
		inc	eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], eax
		cmp	eax, [ebx]
		jb	short loc_8ACACF
		mov	esi, [ebp+var_14]

loc_8ACB2A:				; CODE XREF: MmGetNodeChannelRanges+7Cj
					; MmGetNodeChannelRanges+88794j
		mov	ecx, ebx
		call	_MiDereferencePageRuns@4 ; MiDereferencePageRuns(x)
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+var_18]
		mov	[ecx], eax
		mov	eax, [ebp+var_20]
		mov	[eax], esi
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MmGetNodeChannelRanges endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1253. KeRegisterProcessorChangeCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeRegisterProcessorChangeCallback
KeRegisterProcessorChangeCallback proc near ; CODE XREF: PoInitSystem+5ECp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_A		= byte ptr -0Ah
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 009351E7 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	ebx, [ebp+arg_0]
		lea	edi, [esp+58h+var_18]
		mov	[esp+58h+var_44], eax
		xor	esi, esi
		xor	eax, eax
		mov	[esp+58h+var_40], ebx
		stosd
		push	offset ??_C@_1CO@FHBOFCJN@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAP?$AAr?$AAo?$AAc?$AAe@NNGAKEGL@
		mov	[esp+5Ch+var_48], esi
		mov	[esp+5Ch+var_38], esi
		stosd
		mov	[esp+5Ch+var_34], esi
		stosd
		stosd
		stosd
		lea	eax, [esp+5Ch+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [esp+5Ch+var_38]
		mov	[esp+5Ch+var_30], 18h
		mov	[esp+5Ch+var_28], eax
		lea	eax, [esp+5Ch+var_30]
		push	esi
		push	eax
		lea	eax, [esp+64h+var_48]
		mov	[esp+64h+var_2C], esi
		push	eax
		mov	[esp+68h+var_24], 240h
		mov	[esp+68h+var_20], esi
		mov	[esp+68h+var_1C], esi
		call	_ExCreateCallback@16 ; ExCreateCallback(x,x,x,x)
		mov	[esp+58h+var_4C], eax
		test	eax, eax
		js	loc_9351E7
		mov	ecx, offset _KiDynamicProcessorLock
		call	@KeAcquireGuardedMutex@4 ; KeAcquireGuardedMutex(x)
		push	[esp+58h+var_44]
		push	ebx
		push	[esp+60h+var_48]
		call	ExRegisterCallback
		mov	ecx, [esp+58h+var_48]
		mov	ebx, eax
		mov	[esp+58h+var_3C], ebx
		call	ObfDereferenceObject
		test	ebx, ebx
		jz	short loc_8ACC0B
		test	[ebp+arg_8], 1
		jnz	short loc_8ACC2B

loc_8ACC0B:				; CODE XREF: KeRegisterProcessorChangeCallback+B9j
					; KeRegisterProcessorChangeCallback+168j ...
		mov	ecx, offset _KiDynamicProcessorLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, ebx

loc_8ACC17:				; CODE XREF: KeRegisterProcessorChangeCallback+8869Fj
		mov	ecx, [esp+58h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8ACC2B:				; CODE XREF: KeRegisterProcessorChangeCallback+BFj
		mov	eax, ds:_KeNumberProcessors
		mov	edi, esi
		mov	[esp+58h+var_48], eax
		test	eax, eax
		jz	loc_8ACD07

loc_8ACC3E:				; CODE XREF: KeRegisterProcessorChangeCallback+150j
		mov	ecx, ds:_KiProcessorBlock[edi*4]
		mov	[esp+58h+var_14], edi
		movzx	eax, byte ptr [ecx+3C5h]
		mov	[esp+58h+var_C], ax
		mov	al, [ecx+3C4h]
		mov	[esp+58h+var_A], al
		lea	eax, [esp+58h+var_8]
		push	eax
		push	edi
		mov	[esp+60h+var_10], esi
		call	ds:__imp__HalGetProcessorIdByNtNumber@8	; HalGetProcessorIdByNtNumber(x,x)
		lea	eax, [esp+60h+var_54]
		mov	[esp+60h+var_20], esi
		push	eax
		lea	eax, [esp+64h+var_20]
		mov	[esp+64h+var_54], esi
		push	eax
		push	[esp+68h+var_4C]
		call	[esp+6Ch+var_48]
		mov	eax, [esp+6Ch+var_60]
		test	eax, eax
		js	loc_9351EE
		inc	edi
		cmp	edi, [esp+6Ch+var_5C]
		jb	short loc_8ACC3E

loc_8ACC9C:				; CODE XREF: KeRegisterProcessorChangeCallback+1C1j
		test	eax, eax
		js	loc_9351EE
		mov	[esp+6Ch+var_2C], 1

loc_8ACCAC:				; CODE XREF: KeRegisterProcessorChangeCallback+886BCj
		mov	[esp+6Ch+var_24], eax
		test	edi, edi
		jz	loc_8ACC0B
		mov	ebx, [esp+6Ch+var_54]

loc_8ACCBC:				; CODE XREF: KeRegisterProcessorChangeCallback+1B2j
		mov	ecx, ds:_KiProcessorBlock[esi*4]
		mov	[esp+6Ch+var_28], esi
		movzx	eax, byte ptr [ecx+3C5h]
		mov	word ptr [esp+6Ch+var_20], ax
		mov	al, [ecx+3C4h]
		mov	byte ptr [esp+6Ch+var_20+2], al
		lea	eax, [esp+6Ch+var_1C]
		push	eax
		push	esi
		call	ds:__imp__HalGetProcessorIdByNtNumber@8	; HalGetProcessorIdByNtNumber(x,x)
		lea	eax, [esp+74h+var_68]
		push	eax
		lea	eax, [esp+78h+var_34]
		push	eax
		push	[esp+7Ch+var_60]
		call	ebx
		inc	esi
		cmp	esi, edi
		jb	short loc_8ACCBC
		mov	ebx, [esp+80h+var_64]
		jmp	loc_8ACC0B
; 

loc_8ACD07:				; CODE XREF: KeRegisterProcessorChangeCallback+EEj
		mov	eax, [esp+58h+var_4C]
		jmp	short loc_8ACC9C
KeRegisterProcessorChangeCallback endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpRealtimeRestoreState proc near	; CODE XREF: EtwpRealtimeCreateLogfile+17Ep

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0093520B SIZE 00000059 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, ecx
		lea	edi, [ebp+var_68]
		pop	ecx
		push	48h
		xor	eax, eax
		rep stosd
		pop	esi
		xor	edi, edi
		lea	eax, [ebp+var_50]
		push	esi		; size_t
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_70], edi
		mov	[ebp+var_6C], edi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_68]
		push	5
		push	18h
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		push	dword ptr [ebx+110h]
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		test	eax, eax
		js	short loc_8ACD6D
		mov	eax, [ebp+var_60]
		or	eax, [ebp+var_5C]
		jnz	short loc_8ACD7C

loc_8ACD6B:				; CODE XREF: EtwpRealtimeRestoreState+210j
					; EtwpRealtimeRestoreState+8850Dj ...
		xor	eax, eax

loc_8ACD6D:				; CODE XREF: EtwpRealtimeRestoreState+53j
					; EtwpRealtimeRestoreState+A6j	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8ACD7C:				; CODE XREF: EtwpRealtimeRestoreState+5Bj
		cmp	[ebp+var_5C], edi
		jg	short loc_8ACD90
		jl	loc_93525A
		cmp	[ebp+var_60], esi
		jb	loc_93525A

loc_8ACD90:				; CODE XREF: EtwpRealtimeRestoreState+71j
		push	edi
		lea	eax, [ebp+var_78]
		mov	[ebp+var_78], edi
		push	eax
		push	esi
		lea	eax, [ebp+var_50]
		mov	[ebp+var_74], edi
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		push	edi
		push	edi
		push	edi
		push	dword ptr [ebx+110h]
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8ACD6D
		mov	eax, [ebp+var_70]
		test	eax, eax
		js	short loc_8ACD6D
		cmp	[ebp+var_6C], esi
		jnz	loc_93520B
		cmp	[ebp+var_50], 73466C52h
		jnz	loc_93525A
		cmp	[ebp+var_48], 1
		jnz	loc_93525A
		mov	ecx, ebx
		call	EtwpQueryUsedProcessorCount
		cmp	[ebp+var_44], eax
		jnz	loc_93525A
		cmp	[ebp+var_30], edi
		jz	loc_93525A
		mov	eax, [ebp+var_14]
		cmp	[ebp+var_24], eax
		jg	loc_93525A
		mov	ecx, [ebp+var_18]
		jl	short loc_8ACE10
		cmp	[ebp+var_28], ecx
		ja	loc_93525A

loc_8ACE10:				; CODE XREF: EtwpRealtimeRestoreState+F7j
		mov	esi, [ebp+var_1C]
		cmp	esi, eax
		jg	loc_93525A
		mov	edx, [ebp+var_20]
		jl	short loc_8ACE28
		cmp	edx, ecx
		ja	loc_93525A

loc_8ACE28:				; CODE XREF: EtwpRealtimeRestoreState+110j
		cmp	edx, [ebp+var_28]
		jnz	short loc_8ACE36
		cmp	esi, [ebp+var_24]
		jz	loc_93525A

loc_8ACE36:				; CODE XREF: EtwpRealtimeRestoreState+11Dj
		cmp	eax, edi
		jg	short loc_8ACE49
		jl	loc_93525A
		cmp	ecx, 48h
		jb	loc_93525A

loc_8ACE49:				; CODE XREF: EtwpRealtimeRestoreState+12Aj
		mov	esi, [ebx+144h]
		mov	edx, [ebx+140h]
		cmp	eax, esi
		jl	short loc_8ACE67
		jg	loc_93525A
		cmp	ecx, edx
		ja	loc_93525A

loc_8ACE67:				; CODE XREF: EtwpRealtimeRestoreState+149j
		cmp	[ebp+var_C], esi
		jb	short loc_8ACE7B
		ja	loc_93525A
		cmp	[ebp+var_10], edx
		ja	loc_93525A

loc_8ACE7B:				; CODE XREF: EtwpRealtimeRestoreState+15Cj
		cmp	[ebp+var_5C], eax
		jg	short loc_8ACE8F
		jl	loc_93525A
		cmp	[ebp+var_60], ecx
		jb	loc_93525A

loc_8ACE8F:				; CODE XREF: EtwpRealtimeRestoreState+170j
		push	edi
		lea	eax, [ebp+var_78]
		mov	[ebp+var_50], edi
		push	eax
		push	48h
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		push	edi
		push	edi
		push	edi
		push	dword ptr [ebx+110h]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_8ACD6D
		mov	eax, [ebp+var_30]
		lea	edi, [ebx+150h]
		mov	[ebx+148h], eax
		lea	esi, [ebp+var_40]
		mov	eax, [ebp+var_28]
		mov	ecx, ebx
		mov	[ebx+128h], eax
		mov	eax, [ebp+var_24]
		movsd
		mov	[ebx+12Ch], eax
		mov	eax, [ebp+var_20]
		mov	[ebx+120h], eax
		mov	eax, [ebp+var_1C]
		movsd
		mov	[ebx+124h], eax
		mov	eax, [ebp+var_18]
		mov	[ebx+130h], eax
		mov	eax, [ebp+var_14]
		movsd
		mov	[ebx+134h], eax
		mov	eax, [ebp+var_10]
		mov	[ebx+138h], eax
		mov	eax, [ebp+var_C]
		movsd
		mov	[ebx+13Ch], eax
		call	_EtwpIsRealtimeLogfileSpaceAvailable@4 ; EtwpIsRealtimeLogfileSpaceAvailable(x)
		test	al, al
		jnz	loc_8ACD6B
		jmp	loc_935215
EtwpRealtimeRestoreState endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 644. FsRtlRegisterUncProviderEx2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlRegisterUncProviderEx2
FsRtlRegisterUncProviderEx2 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00935264 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		mov	ecx, 200h
		cmp	[eax+2], cx
		jb	loc_935264
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	eax
		call	FsRtlpRegisterUncProvider

loc_8ACF54:				; CODE XREF: FsRtlRegisterUncProviderEx2+88341j
		pop	ebp
		retn	10h
FsRtlRegisterUncProviderEx2 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpRegisterUncProvider proc near	; CODE XREF: FsRtlRegisterUncProviderEx2+21p
					; FsRtlRegisterUncProvider(x,x,x)+36p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00935274 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		or	[ebp+var_4], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		test	esi, esi
		jz	loc_935291
		xor	edx, edx
		cmp	[esi+4], edx
		jz	loc_935291
		cmp	[esi], dx
		jz	loc_935291
		cmp	[esi+2], dx
		jz	loc_935291
		mov	eax, [ebp+arg_0]
		mov	ecx, 101h
		cmp	[eax+2], cx
		jb	short loc_8ACFA4
		test	ebx, ebx
		jz	loc_935291

loc_8ACFA4:				; CODE XREF: FsRtlpRegisterUncProvider+42j
		push	edi
		push	edx
		push	edx
		push	edx
		push	edx
		push	offset _FsRtlpUncSemaphore
		call	KeWaitForSingleObject
		lea	ecx, [ebp+var_4]
		call	_FsRtlpOpenDev@8 ; FsRtlpOpenDev(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_935274
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	ebx
		call	FsRtlpRegisterProviderWithMUP
		mov	edi, eax
		test	edi, edi
		js	loc_935274
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_4]
		inc	ds:_FsRtlpRedirs
		mov	[ecx], eax

loc_8ACFEB:				; CODE XREF: FsRtlpRegisterUncProvider+88334j
		push	0
		push	1
		push	0
		push	offset _FsRtlpUncSemaphore
		call	KeReleaseSemaphore
		mov	eax, edi
		pop	edi

loc_8ACFFE:				; CODE XREF: FsRtlpRegisterUncProvider+88344j
		pop	esi
		pop	ebx
		leave
		retn	8
FsRtlpRegisterUncProvider endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlpRegisterProviderWithMUP proc near	; CODE XREF: FsRtlpRegisterUncProvider+76p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009352A1 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	6E755346h
		movzx	edi, word ptr [ebx]
		add	edi, 10h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8AD0A1
		lea	ecx, [esi+10h]
		mov	[esi+4], ecx
		mov	ax, [ebx]
		mov	[esi], ax
		mov	ax, [ebx]
		mov	[esi+2], ax
		mov	eax, [ebp+arg_0]
		mov	[esi+8], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+0Ch], eax
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ebx, [ebp+var_4]
		xor	ecx, ecx
		lea	eax, [ebp+var_C]
		push	ecx
		push	ecx
		push	edi
		push	esi
		push	100004h
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	ebx
		call	_ZwFsControlFile@40 ; ZwFsControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 103h
		jz	loc_9352A1

loc_8AD090:				; CODE XREF: FsRtlpRegisterProviderWithMUP+882AAj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi

loc_8AD09A:				; CODE XREF: FsRtlpRegisterProviderWithMUP+A2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8AD0A1:				; CODE XREF: FsRtlpRegisterProviderWithMUP+32j
		mov	eax, 0C000009Ah
		jmp	short loc_8AD09A
FsRtlpRegisterProviderWithMUP endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpOpenDev(x, x)
_FsRtlpOpenDev@8 proc near		; CODE XREF: FsRtlpRegisterUncProvider+5Ep

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_8]
		push	offset ??_C@_1BI@GOOABFBJ@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAM?$AAu?$AAp@NNGAKEGL@ ;	"\\Device\\Mup"
		push	eax
		mov	esi, ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	edi
		push	edi
		push	1
		push	3
		push	80h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_28], 18h
		push	edi
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], edi
		push	eax
		push	40000000h
		push	esi
		mov	[ebp+var_1C], 200h
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8AD11C
		mov	eax, [ebp+var_10]
		test	eax, eax
		js	short loc_8AD11C

loc_8AD118:				; CODE XREF: FsRtlpOpenDev(x,x)+77j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_8AD11C:				; CODE XREF: FsRtlpOpenDev(x,x)+67j
					; FsRtlpOpenDev(x,x)+6Ej
		or	dword ptr [esi], 0FFFFFFFFh
		jmp	short loc_8AD118
_FsRtlpOpenDev@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSetUuidSeed	proc near		; DATA XREF: .text:00580C54o

var_98		= dword	ptr -98h
var_84		= dword	ptr -84h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= word ptr -54h
var_50		= dword	ptr -50h
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_44		= word ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009352B3 SIZE 0000001B BYTES
; FUNCTION CHUNK AT 00935302 SIZE 00000014 BYTES

		push	88h
		push	offset dword_6A7478
		call	__SEH_prolog4_GS
		xor	ebx, ebx
		mov	[ebp+var_3C], ebx
		xor	eax, eax
		lea	edi, [ebp+var_84]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_34], 50h
		mov	[ebp+var_30], 1F12C0C6h
		mov	[ebp+var_2C], 36011346h
		mov	[ebp+var_28], 0E65ACE03h
		mov	[ebp+var_24], 5AE7EA38h
		mov	[ebp+var_20], 0CDB58062h
		mov	[ebp+var_40], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], 500h
		mov	[ebp+var_35], bl
		mov	[ebp+var_64], ebx
		xor	eax, eax
		lea	edi, [ebp+var_98]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_50], ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:124h
		mov	[ebp+var_6C], eax
		mov	eax, [eax+80h]
		mov	ecx, large fs:124h
		mov	[ebp+var_70], ecx
		lea	edx, [ebp+var_84]
		push	edx
		push	eax
		push	ecx
		call	SeCaptureSubjectContextEx
		mov	[ebp+var_35], 1
		push	64695555h
		push	20h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_40], esi
		test	esi, esi
		jz	loc_9352B3
		push	6
		lea	eax, [ebp+var_48]
		push	eax
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	[ebp+var_3C], eax
		test	eax, eax
		js	loc_9352C4
		mov	edi, ebx

loc_8AD1F0:				; CODE XREF: NtSetUuidSeed+E6j
		mov	[ebp+var_5C], edi
		cmp	edi, 6
		jnb	short loc_8AD20A
		mov	esi, [ebp+edi*4+var_34]
		push	edi
		push	[ebp+var_40]
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	[eax], esi
		inc	edi
		jmp	short loc_8AD1F0
; 

loc_8AD20A:				; CODE XREF: NtSetUuidSeed+D4j
		mov	esi, [ebp+var_40]
		push	esi
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 14h
		mov	[ebp+var_60], eax
		mov	[ebp+var_74], eax
		push	64695555h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_50], edi
		test	edi, edi
		jz	loc_9352B3
		push	2		; int
		push	[ebp+var_60]	; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	[ebp+var_3C], eax
		test	eax, eax
		js	loc_9352C4
		push	ebx
		push	esi
		xor	esi, esi
		inc	esi
		push	esi
		push	ebx
		push	2
		pop	edx
		mov	ecx, edi
		call	RtlpAddKnownAce
		mov	[ebp+var_3C], eax
		test	eax, eax
		js	loc_9352C4
		push	esi
		lea	eax, [ebp+var_98]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	[ebp+var_3C], eax
		test	eax, eax
		js	loc_9352C4
		push	ebx
		push	edi
		push	esi
		lea	eax, [ebp+var_98]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	[ebp+var_3C], eax
		test	eax, eax
		js	loc_9352C4
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_64]
		push	eax
		push	esi
		push	(offset	loc_4088C5+3)
		push	ebx
		push	ebx
		push	esi
		push	ebx
		lea	eax, [ebp+var_84]
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_49], al
		test	al, al
		jz	loc_9352BA
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_9352C7

loc_8AD2DC:				; CODE XREF: NtSetUuidSeed+881A7j
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	[ebp+var_58], eax
		mov	ax, [ecx+4]
		mov	[ebp+var_54], ax
		mov	[ebp+var_3C], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8AD2F6:				; CODE XREF: sub_9352DC+12j
		cmp	[ebp+var_40], 0
		jz	short loc_8AD305
		push	ebx
		push	[ebp+var_40]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8AD305:				; CODE XREF: NtSetUuidSeed+1D8j
		cmp	[ebp+var_50], 0
		jz	short loc_8AD314
		push	ebx
		push	[ebp+var_50]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8AD314:				; CODE XREF: NtSetUuidSeed+1E7j
		cmp	[ebp+var_3C], 0
		jnz	short loc_8AD38B
		mov	edi, large fs:124h
		dec	word ptr [edi+13Ch]
		nop
		push	ebx
		xor	edx, edx
		mov	ebx, offset _ExpUuidLock
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [ebx], 0
		jb	sub_9352F3

loc_8AD345:				; CODE XREF: sub_9352F3+Aj
		test	esi, esi
		jz	short loc_8AD34D
		or	byte ptr [esi+0Eh], 1

loc_8AD34D:				; CODE XREF: NtSetUuidSeed+225j
		mov	eax, [ebp+var_58]
		mov	ds:dword_A93E1C+2, eax
		mov	ax, [ebp+var_54]
		mov	word ptr ds:dword_A93E20+2, ax
		mov	al, byte ptr [ebp+var_58]
		shr	al, 7
		not	al
		and	al, 1
		mov	ds:_ExpUuidCacheValid, al
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		test	al, 2
		jnz	loc_935302

loc_8AD37D:				; CODE XREF: NtSetUuidSeed+881E2j
					; NtSetUuidSeed+881EFj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_8AD38B:				; CODE XREF: NtSetUuidSeed+1F6j
		cmp	[ebp+var_35], 0
		jz	short loc_8AD39D
		lea	eax, [ebp+var_84]
		push	eax
		call	SeReleaseSubjectContext

loc_8AD39D:				; CODE XREF: NtSetUuidSeed+26Dj
		mov	eax, [ebp+var_3C]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
NtSetUuidSeed	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KsepDbCacheQueryDeviceData(int,int,void	*)
_KsepDbCacheQueryDeviceData@20 proc near ; CODE	XREF: KsepDbCacheQueryDevice+96p
					; KseQueryDeviceData+BDp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, 0C0000225h
		push	edi
		mov	edi, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_8AD3F7
		xor	esi, esi
		call	_KsepCacheDeviceQueryData@8 ; KsepCacheDeviceQueryData(x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_8AD400
		mov	eax, [ebp+arg_0]
		mov	ecx, [edx+14h]
		mov	[eax], ecx
		mov	ecx, [edi]
		mov	eax, [edx+10h]
		mov	[edi], eax
		cmp	ecx, eax
		jb	short loc_8AD404
		push	dword ptr [edx+10h] ; size_t
		push	dword ptr [edx+18h] ; void *
		push	[ebp+arg_8]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_8AD3F7:				; CODE XREF: KsepDbCacheQueryDeviceData(x,x,x,x,x)+12j
					; KsepDbCacheQueryDeviceData(x,x,x,x,x)+50j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		pop	ebp
		retn	0Ch
; 

loc_8AD400:				; CODE XREF: KsepDbCacheQueryDeviceData(x,x,x,x,x)+1Fj
		mov	[edi], esi
		jmp	short loc_8AD3F7
; 

loc_8AD404:				; CODE XREF: KsepDbCacheQueryDeviceData(x,x,x,x,x)+32j
		mov	esi, 0C0000023h
		jmp	short loc_8AD3F7
_KsepDbCacheQueryDeviceData@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepCacheDeviceQueryData(x,	x)
_KsepCacheDeviceQueryData@8 proc near	; CODE XREF: KsepDbCacheQueryDeviceData(x,x,x,x,x)+16p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	edx
		lea	ebx, [ecx+1Ch]
		mov	esi, [ebx]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_8AD42E:				; CODE XREF: KsepCacheDeviceQueryData(x,x)+3Bj
		cmp	esi, ebx
		jz	short loc_8AD450
		mov	edi, esi
		lea	eax, [ebp+var_8]
		mov	esi, [esi]
		push	1
		push	eax
		lea	eax, [edi+8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_8AD42E
		mov	eax, edi

loc_8AD44B:				; CODE XREF: KsepCacheDeviceQueryData(x,x)+46j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8AD450:				; CODE XREF: KsepCacheDeviceQueryData(x,x)+24j
		xor	eax, eax
		jmp	short loc_8AD44B
_KsepCacheDeviceQueryData@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_8AD454	proc near		; CODE XREF: ExpSetKernelDataProtection+156p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		test	edi, edi
		jz	short loc_8AD47D
		mov	ecx, [edi]
		mov	[ebp+var_4], ecx
		lea	ecx, [ebp+var_4]
		call	WarbirdKmEncryptPointer
		mov	ecx, [ebp+var_4]
		mov	[edi], ecx

loc_8AD477:				; CODE XREF: sub_8AD454+2Ej
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_8AD47D:				; CODE XREF: sub_8AD454+Fj
		mov	esi, 0C000000Dh
		jmp	short loc_8AD477
sub_8AD454	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WarbirdKmEncryptPointer	proc near	; CODE XREF: sub_8AD454+19p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00935316 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ecx
		mov	[ebp+var_24], eax
		push	ebx
		push	esi
		mov	eax, [eax]
		mov	[ebp+var_14], eax
		mov	eax, ds:dword_A940A0
		mov	[ebp+var_10], eax
		mov	eax, ds:dword_A940A4
		push	edi
		mov	[ebp+var_C], eax
		xor	eax, eax
		or	ebx, 0FFFFFFFFh
		mov	[ebp+var_1C], eax
		push	38h
		mov	[ebp+var_20], ebx
		mov	edi, eax
		mov	[ebp+var_18], eax
		lea	ebx, [ebp+var_14]
		mov	esi, eax
		pop	edx

loc_8AD4CB:				; CODE XREF: WarbirdKmEncryptPointer+63j
		movzx	eax, byte ptr [ebx]
		inc	ebx
		cmp	esi, 4
		jge	loc_935316
		lea	ecx, [edx-20h]
		shl	eax, cl
		or	[ebp+var_18], eax

loc_8AD4E0:				; CODE XREF: WarbirdKmEncryptPointer+87E99j
		sub	edx, 8
		inc	esi
		cmp	edx, 18h
		jg	short loc_8AD4CB
		mov	ebx, [ebp+var_20]
		mov	esi, offset unk_A9407E
		push	1Eh
		pop	edx
		mov	[ebp+var_14], edx

loc_8AD4F7:				; CODE XREF: WarbirdKmEncryptPointer+96j
		mov	al, ds:byte_A94081[edx]
		cmp	al, 1Fh
		jb	short loc_8AD580

loc_8AD501:				; CODE XREF: WarbirdKmEncryptPointer+127j
		mov	al, ds:byte_A94080[edx]
		cmp	al, 1Fh
		jb	short loc_8AD555

loc_8AD50B:				; CODE XREF: WarbirdKmEncryptPointer+FAj
		sub	edx, 2
		sub	esi, 8
		mov	[ebp+var_14], edx
		cmp	esi, offset unk_A94006
		jge	short loc_8AD4F7
		xor	edi, [ebp+var_18]
		lea	esi, [ebp+var_20]
		xor	ebx, [ebp+var_1C]
		xor	eax, eax
		cmp	eax, 4
		jge	loc_935322

loc_8AD530:				; CODE XREF: WarbirdKmEncryptPointer+B8j
		rol	edi, 8
		mov	ecx, edi

loc_8AD535:				; CODE XREF: WarbirdKmEncryptPointer+87EA3j
		mov	[esi], cl
		inc	eax
		inc	esi
		cmp	eax, 4
		jl	short loc_8AD530
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_20]
		pop	edi
		pop	esi
		mov	[ecx], eax
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8AD555:				; CODE XREF: WarbirdKmEncryptPointer+85j
		movzx	ecx, al
		lea	eax, [ebp+var_10]
		push	ebx
		push	eax
		movzx	eax, byte ptr [esi-3]
		push	eax
		movzx	eax, byte ptr [esi-4]
		push	eax
		movzx	eax, byte ptr [esi-5]
		push	eax
		movzx	eax, byte ptr [esi-6]
		push	eax
		push	edx
		call	ds:off_A93F70[ecx*4]
		mov	edx, [ebp+var_14]
		xor	edi, eax
		jmp	short loc_8AD50B
; 

loc_8AD580:				; CODE XREF: WarbirdKmEncryptPointer+7Bj
		movzx	ecx, al
		lea	eax, [ebp+var_10]
		push	edi
		push	eax
		movzx	eax, byte ptr [esi+1]
		push	eax
		movzx	eax, byte ptr [esi]
		push	eax
		movzx	eax, byte ptr [esi-1]
		push	eax
		movzx	eax, byte ptr [esi-2]
		push	eax
		lea	eax, [edx+1]
		push	eax
		call	ds:off_A93F70[ecx*4]
		mov	edx, [ebp+var_14]
		xor	ebx, eax
		jmp	loc_8AD501
WarbirdKmEncryptPointer	endp


;  S U B	R O U T	I N E 


; __stdcall IopRearrangeReqList(x)
_IopRearrangeReqList@4 proc near	; CODE XREF: PnpGetResourceRequirementsForAssignTable+15Ep
					; PnpReleaseResourcesInternal(x)+26Fp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, [edi+14h]
		lea	esi, [edi+18h]
		cmp	eax, 1
		ja	short loc_8AD5E9

loc_8AD5C1:				; CODE XREF: IopRearrangeReqList(x)+62j
		mov	ecx, esi
		lea	edx, [ecx+eax*4]

loc_8AD5C6:				; CODE XREF: IopRearrangeReqList(x)+27j
		cmp	ecx, edx
		jnb	short loc_8AD5D9
		mov	eax, [ecx]
		cmp	dword ptr [eax], 7FFFh
		ja	short loc_8AD5D9
		add	ecx, 4
		jmp	short loc_8AD5C6
; 

loc_8AD5D9:				; CODE XREF: IopRearrangeReqList(x)+18j
					; IopRearrangeReqList(x)+22j
		mov	eax, ecx
		sub	eax, esi
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[edi+10h], eax
		pop	edi
		pop	esi
		retn
; 

loc_8AD5E9:				; CODE XREF: IopRearrangeReqList(x)+Fj
		xor	ecx, ecx

loc_8AD5EB:				; CODE XREF: IopRearrangeReqList(x)+49j
		mov	eax, [esi]
		lea	esi, [esi+4]
		mov	[eax+4], ecx
		inc	ecx
		mov	eax, [edi+14h]
		cmp	ecx, eax
		jb	short loc_8AD5EB
		push	offset IopCompareReqAlternativePriority	; int __cdecl (*)(const	void *,const void *)
		push	4		; size_t
		push	eax		; size_t
		lea	esi, [edi+18h]
		push	esi		; void *
		call	_qsort
		add	esp, 10h
		mov	eax, [edi+14h]
		jmp	short loc_8AD5C1
_IopRearrangeReqList@4 endp


;  S U B	R O U T	I N E 


PipSetDevNodeUserFlags proc near	; CODE XREF: PiProcessQueryDeviceState+8Dp
					; PiProcessQueryDeviceState:loc_86433Ep ...

; FUNCTION CHUNK AT 0093532C SIZE 00000024 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+110h]
		mov	eax, edi
		or	eax, edx
		mov	[esi+110h], eax
		xor	eax, edi
		test	eax, 347h
		jnz	short loc_8AD638

loc_8AD634:				; CODE XREF: PipSetDevNodeUserFlags+29j
					; PipSetDevNodeUserFlags+49j ...
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_8AD638:				; CODE XREF: PipSetDevNodeUserFlags+1Ej
		mov	edx, [esi+18h]
		test	edx, edx
		jz	short loc_8AD634
		push	0Bh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	ecx, [esi+110h]
		mov	eax, ecx
		xor	eax, edi
		test	al, 40h
		jnz	loc_93532C

loc_8AD658:				; CODE XREF: PipSetDevNodeUserFlags+87D28j
		xor	ecx, edi
		test	cl, 4
		jz	short loc_8AD634
		jmp	loc_935341
PipSetDevNodeUserFlags endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 963. IoReportRootDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoReportRootDevice
IoReportRootDevice proc	near

var_35A		= dword	ptr -35Ah
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_1A0		= dword	ptr -1A0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00935350 SIZE 00000124 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 35Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+35Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [esp+35Ch+var_330]
		push	ebx
		push	esi
		xor	edx, edx
		mov	[esp+364h+var_334], eax
		mov	esi, [eax+18h]
		mov	ebx, 190h
		push	edi
		mov	[esp+368h+var_354], ecx
		lea	eax, [esp+368h+var_35A+2]
		push	offset ??_C@_1M@NNKCILJE@?$AAR?$AAO?$AAO?$AAT?$AA?2@NNGAKEGL@ ;	"ROOT\\"
		mov	edi, edx
		mov	byte ptr [esp+36Ch+var_35A+1], dl
		lea	ecx, [esp+36Ch+var_1A0]
		mov	[esp+36Ch+var_348], edx
		add	esi, 0Ch
		mov	byte ptr [esp+36Ch+var_35A], dl
		push	eax		; int
		mov	[esp+370h+var_34C], edi
		mov	[esp+370h+var_35A+2], 1900000h
		mov	[esp+370h+var_33C], ecx
		mov	[esp+370h+var_340], 1920000h
		mov	[esp+370h+var_338], esi
		mov	[esp+370h+var_344], edx
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		test	eax, eax
		js	loc_8AD832
		push	esi
		lea	eax, [esp+36Ch+var_35A+2]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		test	eax, eax
		js	loc_8AD832
		lea	eax, [ebx-2]
		cmp	word ptr [esp+368h+var_35A+2], ax
		ja	loc_935350
		lea	eax, [esp+368h+var_35A+2]
		push	eax
		lea	eax, [esp+36Ch+var_340]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		lea	ecx, [esp+368h+var_344]
		call	PiPnpRtlBeginOperation
		mov	esi, eax
		test	esi, esi
		js	loc_8AD802
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeLockTree
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		lea	eax, [esp+36Ch+var_35A+2]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8AD802
		movzx	ecx, word ptr [esp+368h+var_35A+2]
		lea	edx, [esp+368h+var_330]
		xor	esi, esi
		mov	eax, ecx
		shr	eax, 1
		push	esi		; char
		push	offset ??_C@_19PDMGBJHF@?$AA?$CF?$AA0?$AA4?$AAu@NNGAKEGL@ ; wchar_t *
		push	esi		; int
		lea	edx, [edx+eax*2]
		push	esi		; int
		lea	eax, [esp+378h+var_350]
		mov	[esp+378h+var_350], edx
		push	eax		; int
		mov	eax, ebx
		sub	eax, ecx
		shr	eax, 1
		push	eax		; int
		push	edx		; void *
		call	RtlStringCchPrintfExW
		mov	dx, word ptr [esp+384h+var_35A+2]
		add	esp, 1Ch
		mov	ecx, [esp+368h+var_350]
		movzx	eax, dx
		and	eax, 0FFFFFFFEh
		sub	ecx, eax
		lea	eax, [esp+368h+var_330]
		sub	ecx, eax
		sar	ecx, 1
		cmp	ecx, 0FFFFFFFFh
		jz	loc_93535A
		lea	eax, [ecx+ecx]
		movzx	eax, ax

loc_8AD7C1:				; CODE XREF: IoReportRootDevice+87CF7j
		mov	ecx, _PiPnpRtlCtx
		add	dx, ax
		push	esi
		lea	eax, [esp+36Ch+var_35A]
		mov	word ptr [esp+36Ch+var_35A+2], dx
		mov	edx, [esp+36Ch+var_354]
		push	eax
		lea	eax, [esp+370h+var_34C]
		push	eax
		push	0F003Fh
		call	_CmCreateDevice
		mov	bl, byte ptr [esp+368h+var_35A]
		mov	esi, eax
		mov	edi, [esp+368h+var_34C]
		test	esi, esi
		js	loc_93544D
		test	bl, bl
		jnz	loc_935366

loc_8AD802:				; CODE XREF: IoReportRootDevice+C4j
					; IoReportRootDevice+F6j ...
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree
		test	edi, edi
		jz	short loc_8AD823
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_8AD823:				; CODE XREF: IoReportRootDevice+1B1j
		mov	ecx, [esp+368h+var_344]
		test	ecx, ecx
		jz	short loc_8AD830
		call	PiPnpRtlEndOperation

loc_8AD830:				; CODE XREF: IoReportRootDevice+1BFj
		mov	eax, esi

loc_8AD832:				; CODE XREF: IoReportRootDevice+81j
					; IoReportRootDevice+94j ...
		mov	ecx, [esp+368h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
IoReportRootDevice endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpUnloadAttachedDriver	proc near	; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+291p
					; PipCallDriverAddDevice+775p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00935474 SIZE 00000068 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, [ecx+18h]
		push	edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		cmp	[ecx+14h], eax
		jz	short loc_8AD86E
		cmp	[ecx+4], eax
		jz	loc_935474

loc_8AD86E:				; CODE XREF: PnpUnloadAttachedDriver+19j
					; PnpUnloadAttachedDriver+87C8Dj
		xor	eax, eax

loc_8AD870:				; CODE XREF: PnpUnloadAttachedDriver+87C52j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PnpUnloadAttachedDriver	endp

; 
		align 2

;  S U B	R O U T	I N E 


EtwpAcquireTokenAccessInformation proc near ; CODE XREF: EtwpEnableGuid+6FBp

; FUNCTION CHUNK AT 009354DC SIZE 00000015 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		lea	edi, [esi+1F0h]
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		lea	ebx, [esi+234h]
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_8AD8A3
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [ebx], 0

loc_8AD8A3:				; CODE XREF: EtwpAcquireTokenAccessInformation+20j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		push	ebx
		mov	esi, eax
		push	16h
		push	esi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	ecx, esi
		mov	ebx, eax
		call	ObfDereferenceObject
		or	ecx, 0FFFFFFFFh
		lock xadd [edi], ecx
		test	cl, 2
		jnz	loc_9354DC

loc_8AD8D9:				; CODE XREF: EtwpAcquireTokenAccessInformation+87C69j
					; EtwpAcquireTokenAccessInformation+87C76j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
EtwpAcquireTokenAccessInformation endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2170. RtlInitializeRangeList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitializeRangeList(x)
		public _RtlInitializeRangeList@4
_RtlInitializeRangeList@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[eax+8], ecx
		mov	[eax+0Ch], ecx
		mov	[eax+10h], ecx
		pop	ebp
		retn	4
_RtlInitializeRangeList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcBufferManagerUpdateBuffers(x,	x, x, x)
_RtlpFcBufferManagerUpdateBuffers@16 proc near
					; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+29Fp
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+240p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], 3
		push	esi
		mov	[ebp+var_8], ebx
		push	edi
		mov	eax, [ebx]
		lea	esi, [ebx+10h]
		and	eax, 1
		mov	[ebp+var_10], eax
		lea	ecx, [eax-1]
		imul	eax, 30h
		and	ecx, 1
		mov	[ebp+var_C], ecx
		add	esi, eax
		imul	eax, ecx, 30h
		lea	ecx, [ebx+10h]
		mov	[ebp+var_14], esi
		mov	ebx, esi
		sub	ebx, edx
		add	ecx, eax
		sub	ecx, edx

loc_8AD949:				; CODE XREF: RtlpFcBufferManagerUpdateBuffers(x,x,x,x)+64j
		mov	eax, [edx]
		lea	edi, [ecx+edx]
		or	eax, [edx+4]
		lea	esi, [edx+ebx]
		jz	short loc_8AD961
		mov	esi, edx
		movsd
		movsd
		movsd
		movsd
		lea	esi, [edx+ebx]
		mov	edi, edx

loc_8AD961:				; CODE XREF: RtlpFcBufferManagerUpdateBuffers(x,x,x,x)+4Cj
		movsd
		add	edx, 10h
		sub	[ebp+var_4], 1
		movsd
		movsd
		movsd
		jnz	short loc_8AD949
		mov	ecx, [ebp+var_C]
		mov	edx, ecx
		mov	ebx, [ebp+var_8]
		mov	eax, [ebp+arg_0]
		mov	[ebx+ecx*8+70h], eax
		mov	eax, [ebp+arg_4]
		mov	[ebx+ecx*8+74h], eax
		mov	ecx, ebx
		call	_RtlUpdateSwapReference@8 ; RtlUpdateSwapReference(x,x)
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_14] ; void *
		and	dword ptr [ebx+eax*8+70h], 0
		and	dword ptr [ebx+eax*8+74h], 0
		call	_RtlpFcInitializeBuffers@4 ; RtlpFcInitializeBuffers(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlpFcBufferManagerUpdateBuffers@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpMachineHiveLoadedWorkItem proc near	; DATA XREF: CmpInitializeMachineHiveLoadedCallbacks()+48o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 0093550E SIZE 00000013 BYTES

		push	14h
		push	offset dword_6A74B8
		call	__SEH_prolog4
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_1C], eax
		lea	ecx, [eax+5Ch]
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx

loc_8AD9CA:				; CODE XREF: CmpMachineHiveLoadedWorkItem+3Ej
					; CmpMachineHiveLoadedWorkItem+A3j ...
		mov	eax, [ebp+var_1C]
		add	eax, 60h
		mov	esi, [eax]
		cmp	esi, eax
		jnz	short loc_8ADA04
		or	ecx, 0FFFFFFFFh
		mov	eax, [ebp+var_1C]
		add	eax, 6Ch
		lock xadd [eax], ecx
		dec	ecx
		test	ecx, ecx
		jg	short loc_8AD9CA
		xor	edx, edx
		mov	ecx, [ebp+var_20]
		call	ExReleasePushLockEx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8ADA04:				; CODE XREF: CmpMachineHiveLoadedWorkItem+2Cj
		mov	[ebp+arg_0], esi
		mov	ecx, [esi]
		cmp	[esi+4], eax
		jnz	short loc_8ADA57
		cmp	[ecx+4], esi
		jnz	short loc_8ADA57
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	word ptr [esi+14h], 1
		xor	edx, edx
		mov	ecx, [ebp+var_24]
		call	ExReleasePushLockEx
		and	[ebp+ms_exc.disabled], 0
		push	dword ptr [esi+0Ch]
		call	dword ptr [esi+8]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8ADA39:				; CODE XREF: sub_9354F1+18j
		xor	edx, edx
		mov	ecx, [ebp+var_20]
		call	ExAcquirePushLockExclusiveEx
		mov	byte ptr [esi+14h], 0
		cmp	byte ptr [esi+16h], 0
		jz	loc_8AD9CA
		jmp	loc_93550E
; 
		retn
; 

loc_8ADA57:				; CODE XREF: CmpMachineHiveLoadedWorkItem+64j
					; CmpMachineHiveLoadedWorkItem+69j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
CmpMachineHiveLoadedWorkItem endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmFcpManagerSoftwareHiveReady proc near	; DATA XREF: CmFcManagerStartRuntimePhase(x)+2B7o

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00935521 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	byte ptr [esi+0DCh], 1
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	edi, [esi+0D8h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		xor	dl, dl
		mov	ecx, esi
		call	CmFcpManagerDrainUsageNotifications
		xor	dl, dl
		mov	ecx, esi
		call	CmFcpManagerDrainUsageNotifications
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_935521

loc_8ADAAB:				; CODE XREF: CmFcpManagerSoftwareHiveReady+87AC7j
					; CmFcpManagerSoftwareHiveReady+87AD4j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
CmFcpManagerSoftwareHiveReady endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmFcpManagerDrainUsageNotifications proc near ;	CODE XREF: CmFcpManagerSoftwareHiveReady+32p
					; CmFcpManagerSoftwareHiveReady+3Bp ...

var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00935535 SIZE 000000CA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		and	[esp+34h+var_24], 0
		push	ebx
		mov	ebx, ecx
		mov	[esp+38h+var_31], dl
		push	esi
		push	edi
		mov	[esp+40h+var_C], ebx
		lea	ecx, [ebx+0CCh]
		mov	esi, [ecx]
		and	esi, 1
		lea	edx, [esi-1]
		and	edx, 1
		call	_RtlUpdateSwapReference@8 ; RtlUpdateSwapReference(x,x)
		lea	ecx, [esp+40h+var_24]
		push	ecx
		lea	edx, [esp+44h+var_18]
		lea	ecx, [ebx+48h]
		call	_RtlpFcBufferManagerReferenceBuffers@12	; RtlpFcBufferManagerReferenceBuffers(x,x,x)
		mov	eax, [ebx+esi*4+0E4h]
		xor	edi, edi
		mov	ecx, [esp+40h+var_24]
		and	[esp+40h+var_28], 0
		mov	[esp+40h+var_30], eax
		add	eax, 8
		mov	[esp+40h+var_4], eax
		lea	eax, [esp+40h+var_28]
		mov	edx, [ecx+2Ch]
		mov	ecx, [ecx+28h]
		mov	[esp+40h+var_1C], edx
		xor	edx, edx
		mov	[esp+40h+var_18], ecx
		lea	ecx, [esp+40h+var_8]
		push	eax
		mov	[esp+44h+var_8], 40h
		mov	[esp+44h+var_2C], edi
		call	RtlFindNextForwardRunSet
		test	eax, eax
		jnz	loc_935535

loc_8ADB57:				; CODE XREF: CmFcpManagerDrainUsageNotifications+87B36j
		mov	edx, [esp+40h+var_24]
		lea	ecx, [ebx+48h]
		call	_RtlpFcBufferManagerDereferenceBuffers@8 ; RtlpFcBufferManagerDereferenceBuffers(x,x)
		test	edi, edi
		jnz	short loc_8ADB6E

loc_8ADB67:				; CODE XREF: CmFcpManagerDrainUsageNotifications+B1j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8ADB6E:				; CODE XREF: CmFcpManagerDrainUsageNotifications+A1j
		mov	ecx, ebx
		call	_CmFcpManagerArmFeatureUsageRetryTimer@4 ; CmFcpManagerArmFeatureUsageRetryTimer(x)
		jmp	short loc_8ADB67
CmFcpManagerDrainUsageNotifications endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUpdateSwapReference(x, x)
_RtlUpdateSwapReference@8 proc near	; CODE XREF: RtlpFcBufferManagerUpdateBuffers(x,x,x,x)+7Ep
					; CmFcpManagerDrainUsageNotifications+2Ep ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	esi, edx
		mov	ebx, ecx
		and	esi, 1
		stosd
		stosd
		xchg	esi, [ebx]
		shr	esi, 1
		jz	short loc_8ADC11
		lea	ecx, [ebp+var_10]
		call	_PoCopyDeepIdleMask@4 ;	PoCopyDeepIdleMask(x)
		lea	eax, [ebp+var_10]
		push	eax
		push	eax
		push	offset _KeActiveProcessors
		call	_KeSubtractAffinityEx@12 ; KeSubtractAffinityEx(x,x,x)
		movzx	eax, large byte	ptr fs:51h
		mov	ecx, [ebp+var_8]
		btr	ecx, eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_8], ecx
		push	eax
		call	_KeIsEmptyAffinityEx@4 ; KeIsEmptyAffinityEx(x)
		test	eax, eax
		jnz	short loc_8ADBE6
		push	eax
		push	eax
		mov	edx, offset _RtlEndStrongEnumerationHashTable@8	; RtlEndStrongEnumerationHashTable(x,x)
		lea	ecx, [ebp+var_10]
		call	_KeGenericProcessorCallback@16 ; KeGenericProcessorCallback(x,x,x,x)

loc_8ADBE6:				; CODE XREF: RtlUpdateSwapReference(x,x)+5Dj
		lea	edi, [ebx+4]
		mov	eax, esi
		lock xadd [edi], eax
		add	eax, esi
		mov	[ebp+var_14], eax
		jz	short loc_8ADC11

loc_8ADBF6:				; CODE XREF: RtlUpdateSwapReference(x,x)+97j
		push	0
		push	4
		lea	eax, [ebp+var_14]
		mov	edx, edi
		push	eax
		lea	ecx, [ebx+8]
		call	ExBlockOnAddressPushLock
		mov	eax, [edi]
		mov	[ebp+var_14], eax
		test	eax, eax
		jnz	short loc_8ADBF6

loc_8ADC11:				; CODE XREF: RtlUpdateSwapReference(x,x)+28j
					; RtlUpdateSwapReference(x,x)+7Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_RtlUpdateSwapReference@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PfSnPrefetchCacheCtxStart proc near	; CODE XREF: PfSnPrefetchCacheEntryGet(x,x,x,x)+24Fp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009355FF SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		push	edi
		push	66506343h
		push	1000h
		mov	edi, ecx
		push	200h
		mov	[ebp+var_14], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9355FF
		mov	eax, edi
		lea	ecx, [esi+80h]
		xor	edx, edx
		or	eax, 1
		cmp	ecx, esi
		mov	[ebp+var_4], edx
		push	ebx
		sbb	ecx, ecx
		mov	ebx, esi
		and	ecx, 0FFFFFFE0h
		add	ecx, 20h
		jz	short loc_8ADC79

loc_8ADC6C:				; CODE XREF: PfSnPrefetchCacheCtxStart+57j
		inc	[ebp+var_4]
		mov	[ebx], eax
		lea	ebx, [ebx+4]
		cmp	[ebp+var_4], ecx
		jb	short loc_8ADC6C

loc_8ADC79:				; CODE XREF: PfSnPrefetchCacheCtxStart+4Aj
		mov	eax, [edi+4]
		or	ebx, 0FFFFFFFFh
		mov	ecx, eax
		and	ecx, 1Fh
		shl	ebx, cl
		mov	[ebp+var_8], ebx
		mov	ebx, edx
		test	eax, 0FFFFFFE0h
		ja	loc_935609

loc_8ADC96:				; CODE XREF: PfSnPrefetchCacheCtxStart+87A50j
		mov	eax, [edi+4]
		lea	ecx, [esi+83h]
		and	eax, 1Fh
		mov	[edi+8], esi
		and	ecx, 0FFFFFFFCh
		or	eax, 400h
		sub	esi, ecx
		mov	[edi+4], eax
		push	64h
		xor	edx, edx
		lea	eax, [esi+1000h]
		pop	esi
		div	esi
		pop	ebx
		imul	edx, eax, 64h
		add	edx, ecx
		jmp	short loc_8ADCD1
; 

loc_8ADCC7:				; CODE XREF: PfSnPrefetchCacheCtxStart+B3j
		mov	eax, [edi+14h]
		mov	[ecx], eax
		mov	[edi+14h], ecx
		add	ecx, esi

loc_8ADCD1:				; CODE XREF: PfSnPrefetchCacheCtxStart+A5j
		cmp	ecx, edx
		jb	short loc_8ADCC7
		xor	eax, eax

loc_8ADCD7:				; CODE XREF: PfSnPrefetchCacheCtxStart+879E4j
		pop	edi
		pop	esi
		leave
		retn
PfSnPrefetchCacheCtxStart endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDqQueryCompletePendedIrp proc	near	; CODE XREF: PiDqObjectManagerServiceActionQueue+33Ap
					; PiDqObjectManagerServiceActionQueue+AE617p

var_10		= dword	ptr -10h

; FUNCTION CHUNK AT 00935675 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	esi, ecx
		stosd
		stosd
		stosd
		stosd
		mov	eax, [esi+5Ch]
		test	eax, eax
		jz	short loc_8ADD38
		mov	edx, [eax+60h]
		xor	ecx, ecx
		add	eax, 38h
		xchg	ecx, [eax]
		test	ecx, ecx
		jz	short loc_8ADD38
		test	byte ptr [esi+74h], 1
		jnz	loc_935675
		mov	edx, [edx+4]
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		mov	ecx, esi
		call	_PiDqQueryGetNextIoctlInfo@16 ;	PiDqQueryGetNextIoctlInfo(x,x,x,x)
		lea	eax, [ebp+var_10]
		xor	edx, edx
		push	eax
		push	10h

loc_8ADD28:				; CODE XREF: PiDqQueryCompletePendedIrp+879A2j
		mov	ecx, [esi+5Ch]
		call	PiDqIrpComplete
		and	dword ptr [esi+74h], 0FFFFFFEFh
		and	dword ptr [esi+5Ch], 0

loc_8ADD38:				; CODE XREF: PiDqQueryCompletePendedIrp+1Aj
					; PiDqQueryCompletePendedIrp+28j
		pop	edi
		pop	esi
		leave
		retn
PiDqQueryCompletePendedIrp endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInsertLegacyBusDeviceNode proc near	; CODE XREF: PipCallDriverAddDevice+7DBp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00935683 SIZE 00000008 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		cmp	esi, 11h
		ja	short loc_8ADDC9
		cmp	esi, 0Fh
		jz	short loc_8ADDC9
		cmp	esi, 2
		jz	loc_935683

loc_8ADD5A:				; CODE XREF: IopInsertLegacyBusDeviceNode+8794Aj
		mov	eax, large fs:124h
		push	ebx
		dec	word ptr [eax+13Ch]
		nop
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	ebx
		push	4
		push	offset _PpRegistrySemaphore
		call	KeWaitForSingleObject
		lea	ecx, _IopLegacyBusInformationTable[esi*8]
		mov	edx, [ecx]

loc_8ADD83:				; CODE XREF: IopInsertLegacyBusDeviceNode+57j
		cmp	edx, ecx
		jz	short loc_8ADD95
		mov	eax, [edx-60h]
		cmp	eax, [ebp+arg_0]
		ja	short loc_8ADD95
		jz	short loc_8ADDAE
		mov	edx, [edx]
		jmp	short loc_8ADD83
; 

loc_8ADD95:				; CODE XREF: IopInsertLegacyBusDeviceNode+49j
					; IopInsertLegacyBusDeviceNode+51j
		mov	eax, [edx+4]
		lea	ecx, [edi+190h]
		mov	[edi+194h], eax
		mov	[ecx], edx
		mov	eax, [edx+4]
		mov	[eax], ecx
		mov	[edx+4], ecx

loc_8ADDAE:				; CODE XREF: IopInsertLegacyBusDeviceNode+53j
		push	ebx
		push	1
		push	ebx
		push	offset _PpRegistrySemaphore
		call	KeReleaseSemaphore
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	ebx

loc_8ADDC9:				; CODE XREF: IopInsertLegacyBusDeviceNode+Ej
					; IopInsertLegacyBusDeviceNode+13j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
IopInsertLegacyBusDeviceNode endp

; 
		align 10h

;  S U B	R O U T	I N E 


CmReferenceKtmTransaction proc near	; CODE XREF: CmpTransReferenceTransaction(x)+14p

; FUNCTION CHUNK AT 0093568B SIZE 00000011 BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		push	esi
		call	ds:__imp__TmIsTransactionActive@4 ; TmIsTransactionActive(x)
		test	al, al
		jz	loc_93568B

loc_8ADDEC:				; CODE XREF: CmReferenceKtmTransaction+878C7j
		mov	eax, edi
		pop	edi
		pop	esi
		retn
CmReferenceKtmTransaction endp ; sp = -4

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopInitializeTimer(x, x, x,	x, x, x)
_PopInitializeTimer@24 proc near	; CODE XREF: PopCheckPowerSourceAfterRtcWakeInitialize()+16p
					; PopThermalInit()+43p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	8
		push	[ebp+arg_0]
		mov	esi, ecx
		push	edx
		push	esi
		call	_KeInitializeTimer2@16 ; KeInitializeTimer2(x,x,x,x)
		xor	edx, edx
		lea	eax, [esi+68h]
		xchg	edx, [eax]
		mov	eax, [ebp+arg_4]
		and	dword ptr [esi+58h], 0
		mov	[esi+60h], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+64h], eax
		pop	esi
		pop	ebp
		retn	10h
_PopInitializeTimer@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWnfGetPermanentDataStoreHandleByScopeId proc	near
					; CODE XREF: ExpWnfGetPermanentDataStoreHandle+4Cp
					; ExpWnfDeleteScopeInstances(x,x)+ECp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0093569C SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		cmp	[ebp+arg_8], esi
		jnz	loc_9356AE
		test	ecx, ecx
		jnz	loc_93569C

loc_8ADE47:				; CODE XREF: ExpWnfGetPermanentDataStoreHandleByScopeId+8787Dj
					; ExpWnfGetPermanentDataStoreHandleByScopeId+87886j
		cmp	ecx, 2
		jz	loc_9356C2
		xor	ecx, ecx
		lea	edx, [ebp+var_8]
		inc	ecx
		call	ExpWnfGetNameStoreRegistryRoot
		test	eax, eax
		jns	short loc_8ADE64

loc_8ADE5F:				; CODE XREF: ExpWnfGetPermanentDataStoreHandleByScopeId+87j
					; ExpWnfGetPermanentDataStoreHandleByScopeId+8Bj ...
		pop	esi
		leave
		retn	14h
; 

loc_8ADE64:				; CODE XREF: ExpWnfGetPermanentDataStoreHandleByScopeId+3Bj
		push	offset ??_C@_19IEEMEPMH@?$AAD?$AAa?$AAt?$AAa@NNGAKEGL@ ; "Data"
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_8]
		push	esi
		push	esi
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_10]
		push	esi
		push	esi
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	0F003Fh
		push	[ebp+arg_10]
		mov	[ebp+var_28], 18h
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8ADE5F
		xor	eax, eax
		jmp	short loc_8ADE5F
ExpWnfGetPermanentDataStoreHandleByScopeId endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDiagTraceDirectedDripsInitialization	proc near
					; CODE XREF: PopDirectedDripsInitializePhase3+B1p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009356D6 SIZE 0000006A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		mov	[ebp+var_64], esi
		cmp	_PopTriggerDiagHandleRegistered, bl
		jz	short loc_8ADEF7
		cmp	dword_6B23F8, 5
		jbe	short loc_8ADEF7
		push	4000h
		mov	edi, offset dword_6B23F8
		push	ebx
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_9356D6

loc_8ADEF7:				; CODE XREF: PopDiagTraceDirectedDripsInitialization+22j
					; PopDiagTraceDirectedDripsInitialization+2Bj ...
		cmp	_PopDiagHandleRegistered, bl
		jz	short loc_8ADF1F
		mov	esi, dword_6C1D74
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_INITIALIZATION
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_935704

loc_8ADF1F:				; CODE XREF: PopDiagTraceDirectedDripsInitialization+4Dj
					; PopDiagTraceDirectedDripsInitialization+8788Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDiagTraceDirectedDripsInitialization	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsQueryEnabledMitigations(x)
_PopDirectedDripsQueryEnabledMitigations@4 proc	near
					; CODE XREF: PopDirectedDripsEngage(x,x)+29p
					; PopDirectedDripsInitializePhase3+1Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		lea	edx, [ebp+var_4]
		push	ebx
		push	esi
		mov	esi, ecx
		xor	bh, bh
		xor	bl, bl
		call	PopDirectedDripsQueryRegistryValues
		mov	eax, [ebp+var_4]
		test	al, 1
		jz	short loc_8ADF59
		inc	bh
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_4], eax

loc_8ADF59:				; CODE XREF: PopDirectedDripsQueryEnabledMitigations(x)+21j
		test	al, 2
		jz	short loc_8ADF65
		and	eax, 0FFFFFFFDh
		mov	bl, 1
		mov	[ebp+var_4], eax

loc_8ADF65:				; CODE XREF: PopDirectedDripsQueryEnabledMitigations(x)+2Dj
		test	al, 8
		jnz	short loc_8ADF94
		call	PopDirectedDripsQueryPs4Support
		cmp	eax, 1
		jnz	short loc_8ADF77
		mov	bl, al
		jmp	short loc_8ADF80
; 

loc_8ADF77:				; CODE XREF: PopDirectedDripsQueryEnabledMitigations(x)+43j
		test	eax, eax
		setnz	al
		dec	al
		and	bl, al

loc_8ADF80:				; CODE XREF: PopDirectedDripsQueryEnabledMitigations(x)+47j
		mov	eax, _Feature_DirectedFx__private_featureState
		test	al, 10h
		jnz	short loc_8ADF91
		push	0
		push	eax
		call	_Feature_DirectedFx__private_ReportUsageFallback@12 ; Feature_DirectedFx__private_ReportUsageFallback(x,x,x)

loc_8ADF91:				; CODE XREF: PopDirectedDripsQueryEnabledMitigations(x)+59j
		mov	eax, [ebp+var_4]

loc_8ADF94:				; CODE XREF: PopDirectedDripsQueryEnabledMitigations(x)+39j
		test	bh, bh
		jz	short loc_8ADF9B
		or	eax, 1

loc_8ADF9B:				; CODE XREF: PopDirectedDripsQueryEnabledMitigations(x)+68j
		test	bl, bl
		jz	short loc_8ADFA2
		or	eax, 2

loc_8ADFA2:				; CODE XREF: PopDirectedDripsQueryEnabledMitigations(x)+6Fj
		mov	[esi+24h], eax
		pop	esi
		pop	ebx
		leave
		retn
_PopDirectedDripsQueryEnabledMitigations@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDirectedDripsQueryPs4Support	proc near
					; CODE XREF: PopDirectedDripsQueryEnabledMitigations(x)+3Bp

var_2		= byte ptr -2
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 00935740 SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		mov	byte ptr [ebp+var_1], bl
		cmp	_PopDirectedDripsOverride, ebx
		jz	short loc_8ADFF5
		lea	ecx, [ebp-1]
		call	_PopDirectedDripsQueryEmPS4DisableSetting@4 ; PopDirectedDripsQueryEmPS4DisableSetting(x)
		cmp	byte ptr [ebp+var_1], bl
		jnz	short loc_8ADFF5
		mov	eax, _PopDirectedDripsOverride
		test	eax, eax
		jz	short loc_8ADFD9
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_8ADFF9

loc_8ADFD9:				; CODE XREF: PopDirectedDripsQueryPs4Support+28j
		cmp	byte_6C2E26, bl
		jz	short loc_8ADFFE
		cmp	_PopPlatformAoAc, bl
		jnz	loc_935740
		push	6

loc_8ADFEF:				; CODE XREF: PopDirectedDripsQueryPs4Support+4Dj
					; PopDirectedDripsQueryPs4Support+56j ...
		pop	ebx

loc_8ADFF0:				; CODE XREF: PopDirectedDripsQueryPs4Support+52j
					; PopDirectedDripsQueryPs4Support+877CAj
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_8ADFF5:				; CODE XREF: PopDirectedDripsQueryPs4Support+12j
					; PopDirectedDripsQueryPs4Support+1Fj
		push	2
		jmp	short loc_8ADFEF
; 

loc_8ADFF9:				; CODE XREF: PopDirectedDripsQueryPs4Support+2Dj
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_8ADFF0
; 

loc_8ADFFE:				; CODE XREF: PopDirectedDripsQueryPs4Support+35j
		push	3
		jmp	short loc_8ADFEF
PopDirectedDripsQueryPs4Support	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsQueryEmPS4DisableSetting(x)
_PopDirectedDripsQueryEmPS4DisableSetting@4 proc near
					; CODE XREF: PopDirectedDripsQueryPs4Support+17p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		push	eax		; int
		inc	ebx
		mov	esi, ecx
		push	offset _GUID_EM_RULE_DIRECTED_DRIPS_PLATFORM_DISABLE_PS4_MATCH ; void *
		mov	[ebp+var_4], ebx
		call	EmClientQueryRuleState
		test	eax, eax
		js	short loc_8AE02A
		cmp	[ebp+var_4], 2
		jz	short loc_8AE02C

loc_8AE02A:				; CODE XREF: PopDirectedDripsQueryEmPS4DisableSetting(x)+20j
		xor	bl, bl

loc_8AE02C:				; CODE XREF: PopDirectedDripsQueryEmPS4DisableSetting(x)+26j
		mov	[esi], bl
		pop	esi
		pop	ebx
		leave
		retn
_PopDirectedDripsQueryEmPS4DisableSetting@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDirectedDripsQueryRegistryValues proc near
					; CODE XREF: PopDirectedDripsQueryEnabledMitigations(x)+17p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00935781 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		or	[ebp+var_1C], 0FFFFFFFFh
		lea	edi, [ebp+var_3C]
		xor	eax, eax
		mov	esi, ecx
		push	6
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_18]
		mov	ebx, edx
		stosd
		xor	edx, edx
		add	esi, 194h
		mov	[ebp+var_40], edx
		mov	[ebp+var_44], edx
		mov	dword ptr [ebx], 3
		stosd
		cmp	dword ptr [esi], 0FFFFFFFFh
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], edx
		stosd
		stosd
		stosd
		jnz	short loc_8AE0F9
		push	18h
		pop	edi
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_3C], edi
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_38], edx
		push	eax
		mov	[ebp+var_30], 240h
		mov	[ebp+var_34], offset _CmRegistryMachineSystemCurrentControlSet
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], edx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_8AE126
		push	offset aControlPower ; "Control\\Power"
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_1C]
		xor	ecx, ecx
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_3C], edi
		push	eax
		push	20019h
		push	esi
		mov	[ebp+var_30], 240h
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8AE126

loc_8AE0F9:				; CODE XREF: PopDirectedDripsQueryRegistryValues+4Cj
		push	offset aDirecteddripsa ; "DirectedDripsAction"
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_44]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_24]
		push	eax
		push	dword ptr [esi]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_935781

loc_8AE126:				; CODE XREF: PopDirectedDripsQueryRegistryValues+7Fj
					; PopDirectedDripsQueryRegistryValues+C5j ...
		cmp	[ebp+var_1C], 0FFFFFFFFh
		jz	short loc_8AE134
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_8AE134:				; CODE XREF: PopDirectedDripsQueryRegistryValues+F8j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopDirectedDripsQueryRegistryValues endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsInitializeDisengageTimer(x,	x, x)
_PopDirectedDripsInitializeDisengageTimer@12 proc near
					; CODE XREF: PopDirectedDripsInitializePhase0(x)+64p
					; PopDirectedDripsInitializePhase0(x)+77p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	8
		mov	[ecx+4], eax
		xor	eax, eax
		push	ecx
		mov	[ecx+8], eax
		mov	[ecx+0Ch], eax
		mov	[ecx+10h], eax
		lea	eax, [ecx+18h]
		push	offset _PopDirectedDripsDisengageTimerCallback@8 ; PopDirectedDripsDisengageTimerCallback(x,x)
		push	eax
		mov	[ecx], edx
		call	_KeInitializeTimer2@16 ; KeInitializeTimer2(x,x,x,x)
		pop	ebp
		retn	4
_PopDirectedDripsInitializeDisengageTimer@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsUmInitialize()
_PopDirectedDripsUmInitialize@0	proc near
					; CODE XREF: PopDirectedDripsInitializePhase0(x)+90j
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		push	ebx		; int
		push	offset _PopDirectedDripsUmTestDeviceFree@8 ; int
		push	offset _PopDirectedDripsUmTestDeviceAllocate@8 ; int
		push	offset _PopDirectedDripsUmTestDeviceCompare@12 ; int
		mov	_PopDirectedDripsUmLock, ebx
		mov	dword_6BF3E4, ebx
		push	offset _PopDirectedDripsUmTestDeviceTable ; void *
		mov	_PopDirectedDripsUmTestDeviceCount, ebx
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		mov	_PopDirectedDripsUmTestPermissive, bl
		pop	ebx
		retn
_PopDirectedDripsUmInitialize@0	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpCtxOpenMachine proc	near		; CODE XREF: PiPnpRtlInit+63p
					; PiDevCfgInitDriverDatabaseCallback(x,x,x)+5Bp ...

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00935795 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		push	edi
		push	52504E50h
		push	10Ch
		xor	edi, edi
		mov	ebx, edx
		push	1
		mov	[ebp+var_4], edi
		mov	[eax], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_935795
		push	10Ch		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [esi], 0A000000h
		lea	edi, [esi+8]
		mov	[edi+4], edi
		lea	eax, [esi+10h]
		mov	[edi], edi
		push	4
		pop	ecx

loc_8AE200:				; CODE XREF: _PnpCtxOpenMachine+5Fj
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		sub	ecx, 1
		jnz	short loc_8AE200
		lea	eax, [ebp+var_4]
		mov	edx, offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@
		push	eax
		push	ecx
		push	[ebp+arg_4]
		push	ecx
		push	ebx
		push	ecx
		push	1
		mov	ecx, esi
		call	_PnpCtxCreateNode
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8AE373
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	loc_8AE36E
		mov	edi, [ebp+var_4]
		lea	eax, [esi+8]
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		lea	ecx, [esi+18h]
		mov	[eax+4], edi
		lea	eax, [edi+8]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_8AE36E
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		push	52504E50h
		mov	[ecx+4], eax
		push	38h
		mov	[esi+30h], edi
		mov	eax, [edi+1Ch]
		push	200h
		mov	[esi+74h], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	loc_93579F
		push	eax
		call	ExInitializeResourceLite
		mov	ebx, eax
		mov	eax, [ebp+arg_4]
		test	ebx, ebx
		js	short loc_8AE29F
		mov	[esi+7Ch], eax
		xor	eax, eax

loc_8AE29F:				; CODE XREF: _PnpCtxOpenMachine+ECj
		test	eax, eax
		jnz	loc_9357A9

loc_8AE2A7:				; CODE XREF: _PnpCtxOpenMachine+87605j
		test	ebx, ebx
		js	loc_8AE359
		and	dword ptr [esi+78h], 0
		lea	edi, [esi+80h]
		push	6
		pop	ecx
		xor	eax, eax
		rep stosd
		xor	edi, edi
		lea	eax, [esi+0C8h]
		mov	[esi+98h], edi
		mov	[esi+0B4h], edi
		mov	[esi+0B8h], edi
		mov	[esi+0BCh], edi
		mov	[esi+0C0h], edi
		mov	[esi+0C4h], edi
		push	30h		; size_t
		push	edi		; int
		push	eax		; void *
		mov	dword ptr [esi+9Ch], offset _PnpDispatchDevice
		mov	dword ptr [esi+0A0h], offset _PnpDispatchInstallerClass
		mov	dword ptr [esi+0A4h], offset _PnpDispatchDeviceInterface
		mov	dword ptr [esi+0A8h], offset _PnpDispatchInterfaceClass
		mov	dword ptr [esi+0ACh], offset _PnpDispatchDeviceContainer
		mov	dword ptr [esi+0B0h], offset _PnpDispatchDevicePanel
		call	_memset
		mov	eax, [ebp+arg_10]
		add	esp, 0Ch
		mov	[esi+0F8h], edi
		mov	[esi+0FCh], edi
		mov	[esi+100h], edi
		mov	[esi+104h], edi
		mov	[esi+108h], edi
		mov	[eax], esi
		mov	esi, edi

loc_8AE359:				; CODE XREF: _PnpCtxOpenMachine+FDj
					; _PnpCtxOpenMachine+1CAj ...
		test	edi, edi
		jnz	short loc_8AE378

loc_8AE35D:				; CODE XREF: _PnpCtxOpenMachine+1D3j
		test	esi, esi
		jnz	loc_9357B6

loc_8AE365:				; CODE XREF: _PnpCtxOpenMachine+875EEj
					; _PnpCtxOpenMachine+87612j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	14h
; 

loc_8AE36E:				; CODE XREF: _PnpCtxOpenMachine+89j
					; _PnpCtxOpenMachine+AAj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8AE373:				; CODE XREF: _PnpCtxOpenMachine+7Ej
		mov	edi, [ebp+var_4]
		jmp	short loc_8AE359
; 

loc_8AE378:				; CODE XREF: _PnpCtxOpenMachine+1AFj
		mov	ecx, edi
		call	__PnpCtxDestroyNode@4 ;	_PnpCtxDestroyNode(x)
		jmp	short loc_8AE35D
_PnpCtxOpenMachine endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpCtxCreateNode proc near		; CODE XREF: _PnpCtxOpenMachine+75p
					; _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)+79p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 009357C3 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_18]
		push	ebx
		push	esi
		push	edi
		push	52504E50h
		push	4Ch
		xor	edi, edi
		mov	[ebp+var_8], ecx
		and	[eax], edi
		mov	ebx, edx
		push	1
		mov	[ebp+var_4], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9357C3
		push	4Ch		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+10h]
		push	ebx		; void *
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	loc_9357CD
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_8]
		mov	[esi+18h], eax
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, [ebp+var_8]
		push	dword ptr [eax]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	ecx
		call	_SysCtxOpenMachine
		mov	edi, [ebp+var_4]
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8AE450
		xor	ecx, ecx
		cmp	dword ptr [edi], 0A000000h
		jb	short loc_8AE449
		mov	eax, [ebp+arg_0]
		mov	[esi+20h], ecx
		mov	[esi+24h], ecx
		mov	[esi+28h], ecx
		mov	[esi+2Ch], ecx
		mov	[esi+30h], ecx
		mov	[esi+34h], ecx
		mov	[esi+38h], ecx
		mov	[esi+40h], ecx
		mov	[esi+44h], ecx
		mov	[esi+48h], ecx
		sub	eax, 1
		jnz	loc_9357D7

loc_8AE42C:				; CODE XREF: _PnpCtxCreateNode+87458j
					; _PnpCtxCreateNode+87485j
		mov	eax, [ebp+arg_18]
		mov	[esi+1Ch], edi
		mov	edi, ecx
		mov	[eax], esi
		mov	esi, ecx

loc_8AE438:				; CODE XREF: _PnpCtxCreateNode+CCj
					; _PnpCtxCreateNode+D0j ...
		test	esi, esi
		jnz	short loc_8AE454

loc_8AE43C:				; CODE XREF: _PnpCtxCreateNode+D9j
		test	edi, edi
		jnz	short loc_8AE45D

loc_8AE440:				; CODE XREF: _PnpCtxCreateNode+E2j
					; _PnpCtxCreateNode+87446j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	1Ch
; 

loc_8AE449:				; CODE XREF: _PnpCtxCreateNode+7Ej
		mov	ebx, 0C00000BBh
		jmp	short loc_8AE438
; 

loc_8AE450:				; CODE XREF: _PnpCtxCreateNode+74j
					; _PnpCtxCreateNode+87450j
		xor	ecx, ecx
		jmp	short loc_8AE438
; 

loc_8AE454:				; CODE XREF: _PnpCtxCreateNode+B8j
		push	ecx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8AE43C
; 

loc_8AE45D:				; CODE XREF: _PnpCtxCreateNode+BCj
		mov	ecx, edi
		call	__SysCtxCloseMachine@4 ; _SysCtxCloseMachine(x)
		jmp	short loc_8AE440
_PnpCtxCreateNode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_SysCtxOpenMachine proc	near		; CODE XREF: _PnpCtxCreateNode+68p

var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= byte ptr -120h
var_14		= byte ptr -14h
var_12		= byte ptr -12h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 0093580C SIZE 00000102 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+14Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	[esp+158h+var_130], eax
		xor	edi, edi
		mov	eax, [ebp+arg_8]
		mov	esi, edi
		mov	[esp+158h+var_138], eax
		mov	eax, [ebp+arg_10]
		push	53504E50h
		push	1Ch
		push	1
		mov	[esp+164h+var_134], edx
		mov	[esp+164h+var_12C], eax
		mov	[esp+164h+var_148], edi
		mov	[esp+164h+var_13C], edi
		mov	[esp+164h+var_144], edi
		mov	[esp+164h+var_140], edi
		mov	[esp+164h+var_14C], edi
		mov	[eax], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_93580C
		mov	edx, [ebp+arg_C]
		xor	eax, eax
		push	7
		pop	ecx
		mov	edi, ebx
		rep stosd
		xor	edi, edi
		test	edx, edx
		jz	loc_935816

loc_8AE4E6:				; CODE XREF: _SysCtxOpenMachine+87410j
		mov	eax, [esp+158h+var_138]
		mov	[ebx], edx
		test	eax, eax
		jnz	loc_93587B

loc_8AE4F4:				; CODE XREF: _SysCtxOpenMachine+8742Cj
		mov	eax, [esp+158h+var_134]
		mov	edx, 2000000h
		test	eax, eax
		jnz	loc_9358A1
		push	[esp+158h+var_14C]
		lea	eax, [esp+15Ch+var_148]
		mov	ecx, 80000002h
		push	eax
		push	edx
		mov	edx, offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@

loc_8AE519:				; CODE XREF: _SysCtxOpenMachine+87452j
		push	edi
		call	_RegRtlOpenKeyTransacted
		mov	esi, eax
		test	esi, esi
		jnz	loc_8AE608

loc_8AE529:				; CODE XREF: _SysCtxOpenMachine+8743Ej
		mov	edx, [esp+158h+var_148]
		test	edx, edx
		jz	short loc_8AE549
		lea	eax, [esp+158h+var_140]
		push	eax
		push	[esp+15Ch+var_14C]
		call	_SysCtxOpenControlSet
		mov	esi, eax
		test	esi, esi
		jnz	loc_8AE608

loc_8AE549:				; CODE XREF: _SysCtxOpenMachine+C9j
		mov	eax, [esp+158h+var_130]
		test	eax, eax
		jnz	loc_9358BD
		push	[esp+158h+var_14C]
		lea	eax, [esp+15Ch+var_144]
		mov	ecx, 80000003h
		push	eax

loc_8AE563:				; CODE XREF: _SysCtxOpenMachine+8746Bj
		push	2000000h
		push	edi
		xor	edx, edx
		call	_RegRtlOpenKeyTransacted
		mov	esi, eax
		test	esi, esi
		jnz	loc_8AE608

loc_8AE57A:				; CODE XREF: _SysCtxOpenMachine+8745Aj
		mov	byte ptr [ebx+8], 1
		mov	eax, [esp+158h+var_14C]
		mov	[ebx+4], eax
		mov	eax, [esp+158h+var_148]
		mov	[ebx+0Ch], eax
		mov	eax, [esp+158h+var_13C]
		mov	[ebx+10h], eax
		mov	eax, [esp+158h+var_140]
		mov	[ebx+18h], eax
		mov	eax, [esp+158h+var_144]
		mov	[ebx+14h], eax
		mov	eax, [esp+158h+var_12C]
		mov	[esp+158h+var_148], edi
		mov	[esp+158h+var_140], edi
		mov	[esp+158h+var_144], edi
		mov	[eax], ebx
		mov	eax, edi
		mov	ebx, edi
		mov	[esp+158h+var_14C], eax

loc_8AE5BB:				; CODE XREF: _SysCtxOpenMachine+1A6j
		test	eax, eax
		jnz	short loc_8AE60E

loc_8AE5BF:				; CODE XREF: _SysCtxOpenMachine+1AEj
					; _SysCtxOpenMachine+87436j
		cmp	[esp+158h+var_148], 0
		jnz	loc_9358D6

loc_8AE5CA:				; CODE XREF: _SysCtxOpenMachine+87479j
		cmp	[esp+158h+var_13C], 0
		jnz	loc_9358E4

loc_8AE5D5:				; CODE XREF: _SysCtxOpenMachine+87487j
		cmp	[esp+158h+var_140], 0
		jnz	loc_9358F2

loc_8AE5E0:				; CODE XREF: _SysCtxOpenMachine+87495j
		cmp	[esp+158h+var_144], 0
		jnz	loc_935900

loc_8AE5EB:				; CODE XREF: _SysCtxOpenMachine+874A3j
		test	ebx, ebx
		jnz	short loc_8AE616

loc_8AE5EF:				; CODE XREF: _SysCtxOpenMachine+1B7j
		mov	ecx, [esp+158h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_8AE608:				; CODE XREF: _SysCtxOpenMachine+BDj
					; _SysCtxOpenMachine+DDj ...
		mov	eax, [esp+158h+var_14C]
		jmp	short loc_8AE5BB
; 

loc_8AE60E:				; CODE XREF: _SysCtxOpenMachine+157j
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_8AE5BF
; 

loc_8AE616:				; CODE XREF: _SysCtxOpenMachine+187j
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8AE5EF
_SysCtxOpenMachine endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_SysCtxOpenControlSet proc near		; CODE XREF: _SysCtxOpenMachine+D4p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= byte ptr -2Ch
var_28		= dword	ptr -28h
var_21		= byte ptr -21h
var_20		= word ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 0093590E SIZE 0000013F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	ebx
		push	eax
		mov	edi, edx
		mov	dword ptr [ebp+var_2C],	ecx
		push	2000000h
		mov	[ebp+var_28], ecx
		mov	edx, offset ??_C@_1CE@MEIKCFL@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS@NNGAKEGL@
		mov	[ebp+var_34], ecx
		mov	[ebp+var_21], cl
		mov	[eax], ecx
		push	ecx
		mov	ecx, edi
		mov	[ebp+var_30], eax
		call	_RegRtlOpenKeyTransacted
		mov	esi, eax
		test	esi, esi
		jnz	loc_93590E

loc_8AE66E:				; CODE XREF: _SysCtxOpenControlSet+872F4j
					; _SysCtxOpenControlSet+87336j	...
		cmp	[ebp+var_28], 0
		jnz	loc_935A40

loc_8AE678:				; CODE XREF: _SysCtxOpenControlSet+87428j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_SysCtxOpenControlSet endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwAddPdoAssociation(x, x,	x)
_PiSwAddPdoAssociation@12 proc near	; CODE XREF: PiSwGetChildPdo+E0p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	57706E50h
		push	18h
		mov	esi, edx
		mov	[ebp+var_8], ecx
		push	1
		mov	[ebp+var_4], esi
		xor	ebx, ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8AE70D
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebp+var_4]
		mov	[edi+10h], eax
		mov	eax, [ebp+var_8]
		add	eax, 44h
		mov	[edi+14h], esi
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_8AE714
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		mov	eax, offset _PiSwGlobalPdoAssociationList
		mov	ecx, dword_6CB69C
		add	edi, 8
		cmp	[ecx], eax
		jnz	short loc_8AE714
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	dword_6CB69C, edi

loc_8AE704:				; CODE XREF: PiSwAddPdoAssociation(x,x,x)+86j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_8AE70D:				; CODE XREF: PiSwAddPdoAssociation(x,x,x)+26j
		mov	ebx, 0C000009Ah
		jmp	short loc_8AE704
; 

loc_8AE714:				; CODE XREF: PiSwAddPdoAssociation(x,x,x)+4Dj
					; PiSwAddPdoAssociation(x,x,x)+69j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_PiSwAddPdoAssociation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFormFullImageName(x, x, x)
_MiFormFullImageName@12	proc near	; CODE XREF: MiResolveImageReferences+350p
					; MiResolveImageReferences+3E9p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		mov	edx, 54446D4Dh
		push	0
		push	100h
		mov	ax, [edi]
		add	ax, 2
		add	ax, [ebx]
		movzx	ecx, ax
		mov	[esi+2], ax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		mov	[esi+4], ecx
		test	ecx, ecx
		jz	short loc_8AE795
		mov	ax, [edi]
		mov	[esi], ax
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	ebx
		push	esi
		call	_RtlAppendStringToString@8 ; RtlAppendStringToString(x,x)
		mov	ecx, [esi+4]
		test	eax, eax
		js	short loc_8AE78D
		movzx	eax, word ptr [esi]
		xor	edx, edx
		shr	eax, 1
		mov	[ecx+eax*2], dx
		xor	eax, eax
		inc	eax

loc_8AE786:				; CODE XREF: MiFormFullImageName(x,x,x)+7Dj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_8AE78D:				; CODE XREF: MiFormFullImageName(x,x,x)+5Cj
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8AE795:				; CODE XREF: MiFormFullImageName(x,x,x)+38j
		xor	eax, eax
		jmp	short loc_8AE786
_MiFormFullImageName@12	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpGetAutoLoggerLevelKwFilter proc near ; CODE	XREF: EtwpGetAutoLoggerProviderFilter+660p

var_33C		= dword	ptr -33Ch
var_338		= byte ptr -338h
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_320		= dword	ptr -320h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_314		= byte ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2E8		= dword	ptr -2E8h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2CC		= dword	ptr -2CCh
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B0		= dword	ptr -2B0h
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00935A4D SIZE 00000267 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 340h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	dword ptr [ebp+var_314], edx
		mov	edx, ecx
		mov	[ebp+var_310], eax
		push	6
		pop	ecx
		xor	eax, eax
		mov	dword ptr [ebp+var_338], edx
		lea	edi, [ebp+var_334]
		mov	[ebp+var_308], esi
		rep stosd
		mov	ecx, edx
		mov	[ebp+var_30C], esi
		mov	[ebp+var_31C], esi
		mov	ebx, esi
		mov	[ebp+var_318], esi
		lea	edx, [ecx+2]

loc_8AE7F7:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+66j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_8AE7F7
		sub	ecx, edx
		sar	ecx, 1
		push	50777445h
		lea	edi, ds:28h[ecx*2]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_33C], esi
		test	esi, esi
		jz	loc_8AE8DA
		push	dword ptr [ebp+var_338]	; char
		push	offset ??_C@_1CO@KJDELHKH@?$AA?$CF?$AAw?$AAs?$AA?2?$AAS?$AAt?$AAa?$AAc?$AAk?$AAL?$AAe?$AAv?$AAe?$AAl?$AAK@NNGAKEGL@ ; wchar_t *
		push	edi		; int
		push	esi		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	edi, eax
		add	esp, 10h
		test	edi, edi
		jnz	loc_8AE8D8
		push	esi
		lea	eax, [ebp+var_31C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_31C]
		mov	[ebp+var_334], 18h
		mov	[ebp+var_32C], eax
		xor	esi, esi
		lea	eax, [ebp+var_334]
		mov	[ebp+var_330], esi
		push	eax
		push	20019h
		lea	eax, [ebp+var_308]
		mov	[ebp+var_328], 240h
		push	eax
		mov	[ebp+var_324], esi
		mov	[ebp+var_320], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_8AE8AE
		mov	[ebp+var_308], esi

loc_8AE8AE:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+10Cj
		mov	eax, dword ptr [ebp+var_314]
		test	eax, eax
		jnz	loc_935A4D

loc_8AE8BC:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+87362j
					; EtwpGetAutoLoggerLevelKwFilter+8736Ej
		cmp	[ebp+var_308], 0
		jnz	loc_935B0D
		cmp	[ebp+var_30C], 0
		jnz	loc_935B0D

loc_8AE8D6:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+874A3j
					; EtwpGetAutoLoggerLevelKwFilter+874E8j
		test	edi, edi

loc_8AE8D8:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+A9j
					; EtwpGetAutoLoggerLevelKwFilter+872FFj
		jns	short loc_8AE8EA

loc_8AE8DA:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+8Aj
					; EtwpGetAutoLoggerLevelKwFilter+872DFj ...
		mov	esi, [ebp+var_310]
		mov	eax, [esi]
		test	eax, eax
		jnz	loc_935C87

loc_8AE8EA:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter:loc_8AE8D8j
					; EtwpGetAutoLoggerLevelKwFilter+874F8j
		cmp	[ebp+var_308], 0
		jnz	loc_935C97

loc_8AE8F7:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+87508j
		mov	eax, [ebp+var_33C]
		test	eax, eax
		jz	short loc_8AE909
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8AE909:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+165j
		mov	edx, [ebp+var_30C]
		test	edx, edx
		jnz	short loc_8AE92C

loc_8AE913:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+198j
		test	ebx, ebx
		jnz	loc_935CA7

loc_8AE91B:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+87515j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_8AE92C:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+177j
		push	edx
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_8AE913
EtwpGetAutoLoggerLevelKwFilter endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 782. IoConnectInterrupt

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoConnectInterrupt
IoConnectInterrupt proc	near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 00935CB4 SIZE 00000023 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jnz	loc_935CB4
		push	[ebp+arg_28]
		mov	eax, [ebp+arg_24]
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	IopConnectInterruptFullySpecified
		leave
		retn	2Ch
IoConnectInterrupt endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopConnectInterruptFullySpecified proc near ; CODE XREF: IoConnectInterrupt+48p
					; sub_907FBB+97p

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= byte ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= byte ptr -40h
var_38		= dword	ptr -38h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 00935CD7 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_20]
		lea	eax, [esp+7Ch+var_60]
		push	edi
		push	58h		; size_t
		xor	edi, edi
		mov	[esp+84h+var_64], edx
		push	edi		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		mov	[esp+80h+var_70], edi
		mov	[esp+80h+var_68], edi
		mov	[esp+80h+var_6C], edi
		cmp	[ebp+arg_0], edi
		jz	loc_935CD7
		xor	dl, dl
		mov	ecx, esi
		call	_KeVerifyGroupAffinity@8 ; KeVerifyGroupAffinity(x,x)
		test	al, al
		jz	loc_935CD7
		mov	cl, byte ptr [ebp+arg_14]
		mov	al, [ebp+arg_10]
		test	cl, cl
		jz	loc_935CCF
		cmp	cl, al
		jb	loc_935CD7

loc_8AE9FC:				; CODE XREF: IoConnectInterrupt+87398j
		mov	ecx, [ebp+arg_C]
		mov	[esp+80h+var_50], al
		mov	eax, [ebp+arg_18]
		mov	[esp+80h+var_48], eax
		lea	eax, [esp+80h+var_38]
		push	eax
		mov	[esp+84h+var_58], edi
		lea	eax, [esp+84h+var_6C]
		mov	[esp+84h+var_60], 1
		lea	edi, [esp+84h+var_44]
		mov	[esp+84h+var_54], ecx
		push	eax
		movsd
		lea	eax, [esp+88h+var_70]
		push	eax
		lea	eax, [esp+8Ch+var_44]
		push	eax
		movsd
		push	ecx
		movsd
		call	ds:__imp__HalGetVectorInput@20 ; HalGetVectorInput(x,x,x,x,x)
		test	eax, eax
		js	short loc_8AEAA7
		push	[esp+94h+var_84]
		xor	esi, esi
		push	esi
		call	off_6B1308	; xHalpIsInterruptTypeSecondary(x,x)
		test	al, al
		mov	eax, [esp+9Ch+var_88]
		jnz	short loc_8AEA5F
		cmp	eax, 3
		jz	short loc_8AEABB
		cmp	eax, 4
		jz	short loc_8AEABB

loc_8AEA5F:				; CODE XREF: IopConnectInterruptFullySpecified+C7j
		test	[esp+9Ch+var_40], 1
		mov	[esp+9Ch+var_68], eax
		mov	eax, [esp+9Ch+var_8C]
		mov	[esp+9Ch+var_44], eax
		jnz	short loc_8AEAC2

loc_8AEA72:				; CODE XREF: IopConnectInterruptFullySpecified+13Aj
		mov	edx, [esp+9Ch+var_80]
		lea	eax, [esp+9Ch+var_7C]
		push	eax
		push	[ebp+arg_24]
		lea	ecx, [esp+0A4h+var_84]
		mov	[ebx], esi
		push	[ebp+arg_1C]
		push	[ebp+arg_14]
		push	[ebp+arg_8]
		push	esi
		push	[ebp+arg_4]
		push	esi
		push	[ebp+arg_0]
		call	IopConnectInterrupt
		test	eax, eax
		js	short loc_8AEAA7
		mov	ecx, [esp+9Ch+var_84]
		add	ecx, 60h
		mov	[ebx], ecx

loc_8AEAA7:				; CODE XREF: IopConnectInterruptFullySpecified+B2j
					; IopConnectInterruptFullySpecified+110j ...
		mov	ecx, [esp+9Ch+var_20]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	28h
; 

loc_8AEABB:				; CODE XREF: IopConnectInterruptFullySpecified+CCj
					; IopConnectInterruptFullySpecified+D1j
		mov	eax, 0C00000BBh
		jmp	short loc_8AEAA7
; 

loc_8AEAC2:				; CODE XREF: IopConnectInterruptFullySpecified+E4j
		mov	byte ptr [ebp+arg_1C], 1
		jmp	short loc_8AEA72
IopConnectInterruptFullySpecified endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmSetDeviceContainerMappedProperty proc near ;	CODE XREF: _PnpDispatchDeviceContainer+84p
					; _CmDeleteDeviceContainerWorker(x,x,x)+F3p

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00935CE1 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	edi
		mov	edi, 0C0000016h
		jnz	short loc_8AEAFF
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		xor	esi, esi
		mov	ecx, [ebx+10h]
		mov	[ebp+arg_4], ecx

loc_8AEAE6:				; CODE XREF: _CmSetDeviceContainerMappedProperty+33j
		mov	eax, ds:off_404C40[esi]
		cmp	ecx, [eax+10h]
		jz	loc_935CE1

loc_8AEAF5:				; CODE XREF: _CmSetDeviceContainerMappedProperty+8722Cj
		add	esi, 8
		cmp	esi, 20h
		jb	short loc_8AEAE6

loc_8AEAFD:				; CODE XREF: _CmSetDeviceContainerMappedProperty+87236j
		pop	esi
		pop	ebx

loc_8AEAFF:				; CODE XREF: _CmSetDeviceContainerMappedProperty+Fj
		mov	eax, edi
		pop	edi
		pop	ebp
		retn	18h
_CmSetDeviceContainerMappedProperty endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInitializeTriageDumpData proc near	; CODE XREF: INIT:loc_AC2F18p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00935D03 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		cmp	_IopTriageDumpDataArray, ebx
		jnz	loc_8AEBD0
		push	ebx
		push	2000h
		lea	ecx, [ebp+var_4]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_8AEBD0
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		push	eax
		push	20h
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_8AEBD0
		push	edi
		mov	edi, 72546F49h
		push	edi
		push	[ebp+var_4]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_IopTriageDumpDataArray, eax
		test	eax, eax
		jz	short loc_8AEBCF
		push	[ebp+var_4]
		push	eax
		call	_KeInitializeTriageDumpDataArray@8 ; KeInitializeTriageDumpDataArray(x,x)
		test	eax, eax
		js	loc_935D03
		mov	eax, _IopNumTriageDumpDataBlocks
		test	eax, eax
		jz	short loc_8AEBAB
		push	esi
		mov	esi, ebx

loc_8AEB84:				; CODE XREF: IopInitializeTriageDumpData+A2j
		mov	ecx, _IopTriageDumpDataBlocks[esi*8]
		mov	eax, dword_6CD044[esi*8]
		sub	eax, ecx
		push	eax
		push	ecx
		push	_IopTriageDumpDataArray
		call	KeAddTriageDumpDataBlock
		inc	esi
		cmp	esi, _IopNumTriageDumpDataBlocks
		jb	short loc_8AEB84
		pop	esi

loc_8AEBAB:				; CODE XREF: IopInitializeTriageDumpData+79j
		push	offset ??_C@_0BB@EBGFFGKP@IoTriageDumpData@NNGAKEGL@ ; "IoTriageDumpData"
		push	7
		push	offset _IoBugCheckTriageDumpDataCallback@16 ; IoBugCheckTriageDumpDataCallback(x,x,x,x)
		push	offset _IopBugCheckTriageDumpDataCallbackRecord
		mov	byte_6D4DC0, bl
		call	KeRegisterBugCheckReasonCallback
		test	al, al
		jz	loc_935D03

loc_8AEBCF:				; CODE XREF: IopInitializeTriageDumpData+5Fj
					; IopInitializeTriageDumpData+87204j ...
		pop	edi

loc_8AEBD0:				; CODE XREF: IopInitializeTriageDumpData+12j
					; IopInitializeTriageDumpData+28j ...
		pop	ebx
		leave
		retn
IopInitializeTriageDumpData endp

; 
		align 4

;  S U B	R O U T	I N E 


PiHotSwapGetDefaultBusRemovalPolicy proc near ;	CODE XREF: PpHotSwapUpdateRemovalPolicy+68p

; FUNCTION CHUNK AT 00935D22 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, edx
		push	8
		pop	eax
		cmp	[esi+14h], ax
		jbe	short loc_8AEC00
		push	4		; size_t
		push	offset ??_C@_19FLKKDFNN@?$AAU?$AAS?$AAB?$AA?2@NNGAKEGL@	; wchar_t *
		push	dword ptr [esi+18h] ; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8AECA1

loc_8AEC00:				; CODE XREF: PiHotSwapGetDefaultBusRemovalPolicy+10j
		push	5
		pop	ebx
		push	0Ah
		pop	eax
		cmp	[esi+14h], ax
		jbe	short loc_8AEC3F
		push	ebx		; size_t
		push	offset ??_C@_1M@MNAMHDH@?$AA1?$AA3?$AA9?$AA4?$AA?2@NNGAKEGL@ ; "1"
		push	dword ptr [esi+18h] ; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8AEC9B
		push	0Ah
		pop	eax
		cmp	[esi+14h], ax
		jbe	short loc_8AEC3F
		push	ebx		; size_t
		push	offset ??_C@_1M@MIMPIDIL@?$AAS?$AAB?$AAP?$AA2?$AA?2@NNGAKEGL@ ;	wchar_t	*
		push	dword ptr [esi+18h] ; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8AEC9B

loc_8AEC3F:				; CODE XREF: PiHotSwapGetDefaultBusRemovalPolicy+36j
					; PiHotSwapGetDefaultBusRemovalPolicy+54j
		cmp	word ptr [esi+14h], 0Eh
		jbe	short loc_8AEC5C
		push	7		; size_t
		push	offset ??_C@_1BA@EOIJBEEM@?$AAP?$AAC?$AAM?$AAC?$AAI?$AAA?$AA?2@NNGAKEGL@ ; "PCMCIA\\"
		push	dword ptr [esi+18h] ; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8AEC9B

loc_8AEC5C:				; CODE XREF: PiHotSwapGetDefaultBusRemovalPolicy+70j
		push	8
		pop	eax
		cmp	[esi+14h], ax
		jbe	short loc_8AEC7F
		push	4		; size_t
		push	offset ??_C@_19KLPPDPHB@?$AAP?$AAC?$AAI?$AA?2@NNGAKEGL@	; wchar_t *
		push	dword ptr [esi+18h] ; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_935D22

loc_8AEC7F:				; CODE XREF: PiHotSwapGetDefaultBusRemovalPolicy+8Fj
					; PiHotSwapGetDefaultBusRemovalPolicy+87156j ...
		mov	eax, [esi+1D0h]
		test	eax, eax
		jnz	short loc_8AECA6

loc_8AEC89:				; CODE XREF: PiHotSwapGetDefaultBusRemovalPolicy+D8j
		mov	eax, [esi+8]
		xor	ebx, ebx
		cmp	byte ptr [eax+13Eh], 5
		setz	bl
		add	ebx, 4

loc_8AEC9B:				; CODE XREF: PiHotSwapGetDefaultBusRemovalPolicy+4Bj
					; PiHotSwapGetDefaultBusRemovalPolicy+69j ...
		mov	[edi], ebx
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8AECA1:				; CODE XREF: PiHotSwapGetDefaultBusRemovalPolicy+26j
		push	5
		pop	ebx
		jmp	short loc_8AEC9B
; 

loc_8AECA6:				; CODE XREF: PiHotSwapGetDefaultBusRemovalPolicy+B3j
		test	byte ptr [eax+8], 4
		jnz	short loc_8AEC9B
		jmp	short loc_8AEC89
PiHotSwapGetDefaultBusRemovalPolicy endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1410. MmGetPhysicalMemoryRanges

;  S U B	R O U T	I N E 


; __stdcall MmGetPhysicalMemoryRanges()
		public _MmGetPhysicalMemoryRanges@0
_MmGetPhysicalMemoryRanges@0 proc near	; CODE XREF: IopGetPhysicalMemoryBlock()+11p
					; IoFillDumpHeader(x,x,x,x,x,x,x,x):loc_60AD90p
		mov	edi, edi
		push	ecx
		push	0
		push	0
		call	MmGetPhysicalMemoryRangesEx2
		pop	ecx
		retn
_MmGetPhysicalMemoryRanges@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpHandlePageFileOpenNotification proc near ; CODE XREF: NtInitializeRegistry+5Bp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00935D4C SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		pop	ecx
		rep stosd
		inc	eax
		mov	ecx, offset _CmpBootPageFilesCreated
		xchg	eax, [ecx]
		test	eax, eax
		jnz	loc_935D4C
		call	CmpAcquireShutdownRundown
		test	al, al
		jz	loc_935D56
		xor	esi, esi
		mov	ebx, esi
		mov	edi, esi
		cmp	ds:_CmpWellKnownVolumeList, ebx
		jz	short loc_8AED6D
		mov	eax, offset _CmpWellKnownVolumeList

loc_8AED11:				; CODE XREF: CmpHandlePageFileOpenNotification+7Bj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		push	ecx
		push	ecx
		mov	[ebp+var_20], ecx
		call	_CmpVolumeManagerGetContextForFilePath@16 ; CmpVolumeManagerGetContextForFilePath(x,x,x,x)
		test	eax, eax
		js	short loc_8AED33
		mov	ecx, [ebp+var_20]
		mov	ecx, [ecx]
		call	CmpVolumeContextSendDeviceUsageNotification
		test	eax, eax
		js	short loc_8AED33
		inc	edi

loc_8AED33:				; CODE XREF: CmpHandlePageFileOpenNotification+60j
					; CmpHandlePageFileOpenNotification+6Ej
		inc	ebx
		lea	eax, _CmpWellKnownVolumeList[ebx*8]
		cmp	[eax], esi
		jnz	short loc_8AED11
		test	edi, edi
		jz	short loc_8AED6D
		lea	ecx, [ebp+var_1C]
		call	CmpAttachToRegistryProcess
		xor	ecx, ecx
		jmp	short loc_8AED58
; 

loc_8AED4F:				; CODE XREF: CmpHandlePageFileOpenNotification+9Fj
		mov	ecx, edi
		call	_CmpRecheckHiveVolumePolicy@4 ;	CmpRecheckHiveVolumePolicy(x)
		mov	ecx, edi

loc_8AED58:				; CODE XREF: CmpHandlePageFileOpenNotification+8Bj
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_8AED4F
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_8AED6D:				; CODE XREF: CmpHandlePageFileOpenNotification+48j
					; CmpHandlePageFileOpenNotification+7Fj
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_8AED72:				; CODE XREF: CmpHandlePageFileOpenNotification+8708Fj
					; CmpHandlePageFileOpenNotification+87099j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpHandlePageFileOpenNotification endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpVolumeContextSendDeviceUsageNotification proc near
					; CODE XREF: CmpHandlePageFileOpenNotification+67p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00935D60 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		cmp	dword ptr [edi+20h], 0
		jz	loc_935D60
		lea	esi, [edi+24h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		xor	ecx, ecx
		push	11h
		pop	eax
		cmp	[edi+28h], cl
		jz	short loc_8AEDCF
		xor	ebx, ebx
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_8AEDC1
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8AEDC1:				; CODE XREF: CmpVolumeContextSendDeviceUsageNotification+34j
		mov	ecx, esi
		call	KeAbPostRelease

loc_8AEDC8:				; CODE XREF: CmpVolumeContextSendDeviceUsageNotification+76j
					; CmpVolumeContextSendDeviceUsageNotification+ACj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_8AEDCF:				; CODE XREF: CmpVolumeContextSendDeviceUsageNotification+29j
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_8AEDDF
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8AEDDF:				; CODE XREF: CmpVolumeContextSendDeviceUsageNotification+52j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [edi+20h]
		xor	eax, eax
		inc	eax
		mov	dl, al
		mov	[ebp+var_4], eax
		call	PiPagePathSetState
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8AEDC8
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		cmp	byte ptr [edi+28h], 0
		jnz	short loc_8AEE15
		xor	eax, eax
		mov	byte ptr [ebp+var_4], 0
		inc	eax
		mov	[edi+28h], al

loc_8AEE15:				; CODE XREF: CmpVolumeContextSendDeviceUsageNotification+85j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_935D6A

loc_8AEE24:				; CODE XREF: CmpVolumeContextSendDeviceUsageNotification+86FE8j
					; CmpVolumeContextSendDeviceUsageNotification+86FF5j
		mov	ecx, esi
		call	KeAbPostRelease
		xor	ebx, ebx
		cmp	byte ptr [ebp+var_4], bl
		jz	short loc_8AEDC8
		jmp	loc_935D7E
CmpVolumeContextSendDeviceUsageNotification endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVolumeManagerGetContextForFilePath(x, x,	x, x)
_CmpVolumeManagerGetContextForFilePath@16 proc near
					; CODE XREF: CmpHandlePageFileOpenNotification+59p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		xor	eax, eax
		mov	[ebp+var_24], 18h
		push	esi
		push	eax
		push	eax
		push	eax
		push	1
		push	7
		push	eax
		push	eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_18], 240h
		push	eax
		push	80h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_1C], edx
		push	eax
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8AEE99
		push	[ebp+arg_4]
		mov	edx, [ebp+var_4]
		push	ecx
		call	CmpVolumeManagerGetContextForFile
		mov	esi, eax

loc_8AEE99:				; CODE XREF: CmpVolumeManagerGetContextForFilePath(x,x,x,x)+51j
		cmp	[ebp+var_4], 0
		jz	short loc_8AEEA7
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_8AEEA7:				; CODE XREF: CmpVolumeManagerGetContextForFilePath(x,x,x,x)+65j
		mov	eax, esi
		pop	esi
		leave
		retn	8
_CmpVolumeManagerGetContextForFilePath@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiPagePathSetState proc	near		; CODE XREF: MiCreatePagingFile+4DCp
					; CmpVolumeContextSendDeviceUsageNotification+6Dp ...

var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h

; FUNCTION CHUNK AT 00935D8D SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[esp+40h+var_2D], dl
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+40h+var_28]
		rep stosd
		xor	edi, edi
		mov	ecx, ebx
		mov	[esp+40h+var_2C], edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		push	ebx
		call	IoGetRelatedDeviceObject
		mov	[esp+40h+var_28], eax
		lea	ecx, [esp+40h+var_28]
		mov	al, [esp+40h+var_2D]
		mov	[esp+40h+var_24], 1
		mov	[esp+40h+var_20], al
		mov	[esp+40h+var_1C], ebx
		call	_PpIrpAllocateDeviceUsageNotification@4	; PpIrpAllocateDeviceUsageNotification(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_935D8D
		push	esi
		call	_IoQueueThreadIrp@4 ; IoQueueThreadIrp(x)
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeLockTree
		mov	ecx, [esp+40h+var_28]
		mov	edx, esi
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	loc_935D9E

loc_8AEF32:				; CODE XREF: PiPagePathSetState+86F02j
		test	esi, esi
		js	short loc_8AEF5B
		lea	edx, [esp+40h+var_2C]
		mov	ecx, ebx
		call	_IoGetRelatedTargetDevice@8 ; IoGetRelatedTargetDevice(x,x)
		test	eax, eax
		js	short loc_8AEF5B
		mov	dl, [esp+40h+var_2D]
		mov	ecx, [esp+40h+var_2C]
		call	_PoDirectedDripsNotifyPagingDeviceUsage@8 ; PoDirectedDripsNotifyPagingDeviceUsage(x,x)
		mov	ecx, [esp+40h+var_2C]
		call	ObfDereferenceObject

loc_8AEF5B:				; CODE XREF: PiPagePathSetState+86j
					; PiPagePathSetState+95j
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree
		mov	eax, esi

loc_8AEF65:				; CODE XREF: PiPagePathSetState+86EEBj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
PiPagePathSetState endp


;  S U B	R O U T	I N E 


; __stdcall PoDirectedDripsNotifyPagingDeviceUsage(x, x)
_PoDirectedDripsNotifyPagingDeviceUsage@8 proc near ; CODE XREF: PiPagePathSetState+9Fp
		mov	edi, edi
		push	ebx
		mov	bl, dl
		mov	edx, 64446F50h
		push	esi
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_8AEFAE
		mov	ecx, [esi+0B0h]
		mov	ecx, [ecx+14h]

loc_8AEF8B:				; CODE XREF: PoDirectedDripsNotifyPagingDeviceUsage(x,x)+44j
		test	ecx, ecx
		jz	short loc_8AEFA0
		mov	eax, [ecx+1ECh]
		test	bl, bl
		jz	short loc_8AEFB2
		inc	eax

loc_8AEF9A:				; CODE XREF: PoDirectedDripsNotifyPagingDeviceUsage(x,x)+47j
		mov	[ecx+1ECh], eax

loc_8AEFA0:				; CODE XREF: PoDirectedDripsNotifyPagingDeviceUsage(x,x)+21j
		mov	ecx, esi
		mov	edx, 64446F50h
		pop	esi
		pop	ebx
		jmp	ObfDereferenceObjectWithTag
; 

loc_8AEFAE:				; CODE XREF: PoDirectedDripsNotifyPagingDeviceUsage(x,x)+14j
		xor	ecx, ecx
		jmp	short loc_8AEF8B
; 

loc_8AEFB2:				; CODE XREF: PoDirectedDripsNotifyPagingDeviceUsage(x,x)+2Bj
		dec	eax
		jmp	short loc_8AEF9A
_PoDirectedDripsNotifyPagingDeviceUsage@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PpIrpAllocateDeviceUsageNotification(x)
_PpIrpAllocateDeviceUsageNotification@4	proc near ; CODE XREF: PiPagePathSetState+4Ep
					; PipSendGuestAssignedNotification(x,x)+31p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	ebx, ebx
		push	ebx
		push	ebx
		lea	edi, [esi+18h]
		push	edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [esi]
		push	ebx
		movzx	eax, byte ptr [eax+30h]
		push	eax
		call	IoAllocateIrp
		mov	edx, eax
		test	edx, edx
		jz	short loc_8AF028
		mov	ecx, [esi+0Ch]
		lea	eax, [esi+10h]
		mov	[edx+64h], ecx
		mov	ecx, large fs:124h
		mov	[edx+50h], ecx
		mov	ecx, [edx+60h]
		mov	[edx+20h], bl
		mov	[edx+2Ch], edi
		mov	dword ptr [edx+8], 4
		mov	[edx+28h], eax
		mov	[edx+30h], ebx
		mov	word ptr [ecx-24h], 161Bh
		mov	eax, [esi+0Ch]
		mov	[ecx-0Ch], eax
		mov	dword ptr [edx+18h], 0C00000BBh
		mov	[edx+0Ch], ebx
		mov	al, [esi+8]
		mov	[ecx-20h], al
		mov	eax, [esi+4]
		mov	[ecx-1Ch], eax

loc_8AF028:				; CODE XREF: PpIrpAllocateDeviceUsageNotification(x)+25j
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		retn
_PpIrpAllocateDeviceUsageNotification@4	endp


;  S U B	R O U T	I N E 


; __stdcall IdpValidatePciPath(x, x)
_IdpValidatePciPath@8 proc near		; CODE XREF: PipIommuValidateDeviceId+3Ep
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+10h]
		test	edi, edi
		jz	short loc_8AF063
		movzx	ecx, word ptr [esi+0Eh]
		test	cx, cx
		jz	short loc_8AF063
		lea	eax, [esi+18h]
		cmp	edi, eax
		jb	short loc_8AF05C
		add	ecx, edi
		lea	eax, [esi+edx]
		cmp	eax, ecx
		sbb	eax, eax
		and	eax, 80000005h

loc_8AF059:				; CODE XREF: IdpValidatePciPath(x,x)+33j
					; IdpValidatePciPath(x,x)+3Aj
		pop	edi
		pop	esi
		retn
; 

loc_8AF05C:				; CODE XREF: IdpValidatePciPath(x,x)+1Bj
		mov	eax, 0C0000141h
		jmp	short loc_8AF059
; 

loc_8AF063:				; CODE XREF: IdpValidatePciPath(x,x)+Bj
					; IdpValidatePciPath(x,x)+14j
		mov	eax, 0C0000206h
		jmp	short loc_8AF059
_IdpValidatePciPath@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwDeviceInterfacesUpdateState	proc near ; CODE XREF: PiSwPdoPnPDispatch+2B4p
					; PiSwPdoPnPDispatch+9F301p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00935DB5 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], edx
		and	[ebp+var_14], esi
		lea	eax, [ecx+64h]
		mov	ebx, [eax]
		and	[ebp+var_10], esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], esi
		cmp	ebx, eax
		jz	short loc_8AF102

loc_8AF091:				; CODE XREF: PiSwDeviceInterfacesUpdateState+8Ej
		cmp	byte ptr [ebx+14h], 0
		jz	short loc_8AF0F4
		mov	ecx, [ebx+8]
		lea	eax, [ebp+var_4]
		push	eax
		push	57706E50h
		mov	edx, 7FFFFFFFh
		call	PnpAllocatePWSTR
		mov	esi, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_8AF0FA
		push	1
		mov	edx, esi
		call	__CmSetDeviceInterfacePathFormat@12 ; _CmSetDeviceInterfacePathFormat(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8AF0FA
		push	esi
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+var_8]
		lea	eax, [ebp+var_14]
		push	eax
		call	_IoSetDeviceInterfaceState@8 ; IoSetDeviceInterfaceState(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8AF0FA
		push	57706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_C]
		xor	esi, esi
		mov	[ebp+var_4], esi

loc_8AF0F4:				; CODE XREF: PiSwDeviceInterfacesUpdateState+2Bj
		mov	ebx, [ebx]
		cmp	ebx, eax
		jnz	short loc_8AF091

loc_8AF0FA:				; CODE XREF: PiSwDeviceInterfacesUpdateState+4Aj
					; PiSwDeviceInterfacesUpdateState+59j ...
		test	esi, esi
		jnz	loc_935DB5

loc_8AF102:				; CODE XREF: PiSwDeviceInterfacesUpdateState+25j
					; PiSwDeviceInterfacesUpdateState+86D56j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PiSwDeviceInterfacesUpdateState	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageEnsureContext()
_EtwpCoverageEnsureContext@0 proc near	; CODE XREF: EtwTelemetryCoverageReport(x):loc_54DB44p
					; EtwSetProcessTelemetryCoverage:loc_850649p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		cmp	_EtwpInitialized, 0
		push	ebx
		push	esi
		push	edi
		jnz	short loc_8AF128

loc_8AF11E:				; CODE XREF: EtwpCoverageEnsureContext()+26j
		mov	ebx, 0C00000BBh
		jmp	loc_8AF520
; 

loc_8AF128:				; CODE XREF: EtwpCoverageEnsureContext()+12j
		mov	edx, _EtwpCoverageEntryCount
		test	edx, edx
		jz	short loc_8AF11E
		mov	eax, 80000h
		cmp	edx, eax
		jb	short loc_8AF13D
		mov	edx, eax

loc_8AF13D:				; CODE XREF: EtwpCoverageEnsureContext()+2Fj
		cmp	edx, 40h
		ja	short loc_8AF145
		push	40h
		pop	edx

loc_8AF145:				; CODE XREF: EtwpCoverageEnsureContext()+36j
		xor	ebx, ebx
		lea	eax, [edx-1]
		or	esi, 0FFFFFFFFh
		inc	ebx
		test	eax, edx
		jz	short loc_8AF161
		mov	ecx, esi
		test	edx, edx
		jz	short loc_8AF15D

loc_8AF158:				; CODE XREF: EtwpCoverageEnsureContext()+51j
		inc	ecx
		shr	edx, 1
		jnz	short loc_8AF158

loc_8AF15D:				; CODE XREF: EtwpCoverageEnsureContext()+4Cj
		mov	edx, ebx
		shl	edx, cl

loc_8AF161:				; CODE XREF: EtwpCoverageEnsureContext()+46j
		mov	eax, 3E8h
		mov	_EtwpCoverageEntryCount, edx
		cmp	_EtwpCoverageFlushPeriod, eax
		ja	short loc_8AF179
		mov	_EtwpCoverageFlushPeriod, eax

loc_8AF179:				; CODE XREF: EtwpCoverageEnsureContext()+68j
		mov	eax, 36EE80h
		cmp	_EtwpCoverageResetPeriod, eax
		ja	short loc_8AF18B
		mov	_EtwpCoverageResetPeriod, eax

loc_8AF18B:				; CODE XREF: EtwpCoverageEnsureContext()+7Aj
		push	56777445h
		push	2Ch
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	edi, edi
		jnz	short loc_8AF1AB
		mov	ebx, 0C000009Ah
		jmp	loc_8AF520
; 

loc_8AF1AB:				; CODE XREF: EtwpCoverageEnsureContext()+95j
		push	2Ch		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		push	56777445h
		push	110h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_8AF1DD
		mov	ebx, 0C000009Ah
		jmp	loc_8AF4D6
; 

loc_8AF1DD:				; CODE XREF: EtwpCoverageEnsureContext()+C7j
		push	110h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [edi]
		add	esp, 0Ch
		mov	[ecx+18h], ebx
		lea	eax, [ecx+20h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+20h]
		mov	dword ptr [ecx+30h], offset _EtwpCoverageHighIrqlCPWorkItemCallback@4 ;	EtwpCoverageHighIrqlCPWorkItemCallback(x)
		mov	[ecx+34h], edi
		mov	[ecx+28h], ebx
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, _EtwpCoverageFlushPeriod
		mov	[edi+10h], eax
		mov	eax, 0FFDF0324h
		mov	ebx, ds:0FFDF0004h
		mov	[ebp+var_4], ebx
		mov	ecx, [eax]
		add	eax, 0FFFFFFFCh
		mov	edx, [eax]
		mov	eax, 0FFDF0328h
		mov	eax, [eax]
		cmp	ecx, eax
		jz	short loc_8AF256
		mov	ebx, 0FFDF0324h
		lea	esi, [ebx-4]
		lea	edi, [ebx+4]

loc_8AF241:				; CODE XREF: EtwpCoverageEnsureContext()+141j
		pause
		mov	ecx, [ebx]
		mov	edx, [esi]
		mov	eax, [edi]
		cmp	ecx, eax
		jnz	short loc_8AF241
		mov	edi, [ebp+var_8]
		or	esi, 0FFFFFFFFh
		mov	ebx, [ebp+var_4]

loc_8AF256:				; CODE XREF: EtwpCoverageEnsureContext()+12Aj
		mov	eax, edx
		shl	ecx, 8
		imul	ecx, [ebp+var_4]
		mul	ebx
		push	8
		mov	ebx, eax
		mov	eax, [edi]
		shrd	ebx, edx, 18h
		add	ebx, ecx
		mov	[eax+10h], ebx
		mov	eax, [edi]
		push	eax
		push	offset _EtwpCoverageResetTimerCallback@8 ; EtwpCoverageResetTimerCallback(x,x)
		add	eax, 40h
		mov	[ebp+var_8], ebx
		push	eax
		mov	[edi+0Ch], ebx
		call	_KeInitializeTimer2@16 ; KeInitializeTimer2(x,x,x,x)
		mov	eax, [edi]
		push	8
		push	eax
		push	offset _EtwpCoverageFlushTimerCallback@8 ; EtwpCoverageFlushTimerCallback(x,x)
		add	eax, 98h
		push	eax
		call	_KeInitializeTimer2@16 ; KeInitializeTimer2(x,x,x,x)
		mov	eax, [edi]
		mov	ecx, edi
		and	dword ptr [eax+100h], 0
		mov	dword ptr [eax+108h], offset _EtwpCoverageResetWorkItemCallback@4 ; EtwpCoverageResetWorkItemCallback(x)
		mov	[eax+10Ch], edi
		mov	eax, [edi]
		and	dword ptr [eax+0F0h], 0
		mov	dword ptr [eax+0F8h], offset _EtwpCoverageFlushWorkItemCallback@4 ; EtwpCoverageFlushWorkItemCallback(x)
		mov	[eax+0FCh], edi
		call	EtwpCoverageEnsureStringBuffer
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8AF4D6
		mov	eax, _EtwpCoverageEntryCount
		lea	ecx, [ebp+var_20]
		xor	edx, edx
		shl	eax, 2
		push	edx
		push	edx
		push	8000000h
		push	4
		push	ecx
		push	edx
		mov	[ebp+var_20], eax
		lea	eax, [edi+4]
		push	0F001Fh
		push	eax
		mov	[ebp+var_1C], edx
		call	MmCreateSection
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8AF4D6
		and	[ebp+var_C], 0
		lea	ecx, [ebp+var_C]
		push	ecx
		lea	eax, [edi+8]
		push	eax
		push	dword ptr [edi+4]
		call	_MmMapViewInSystemSpace@12 ; MmMapViewInSystemSpace(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8AF4D6
		lea	edx, [edi+8]
		xor	ecx, ecx
		mov	eax, [edx]
		inc	ecx
		mov	byte ptr [eax],	2
		mov	eax, [edx]
		mov	[eax+1], cl
		mov	eax, [edx]
		mov	[eax+18h], ecx
		mov	eax, [edx]
		mov	ecx, [edi]
		mov	eax, [eax+18h]
		mov	[ecx], eax
		mov	eax, [edx]
		mov	ecx, [ebp+var_8]
		mov	eax, [eax+18h]
		mov	ds:0FFDF037Ch, eax
		mov	eax, [edx]
		mov	[eax+14h], ecx
		mov	eax, [edx]
		mov	ecx, [edi]
		mov	eax, [eax+14h]
		mov	[ecx+14h], eax
		mov	ecx, _EtwpCoverageEntryCount
		mov	eax, [edx]
		dec	ecx
		mov	[eax+8], ecx
		mov	eax, [edx]
		mov	ecx, [ebp+var_20]
		add	ecx, 0FFFFFFCCh
		shr	ecx, 2
		mov	[eax+4], ecx
		mov	eax, [edx]
		mov	[eax+4], ecx
		shr	ecx, 2
		imul	eax, ecx, 3
		mov	ecx, [edx]
		mov	[edi+14h], eax
		mov	eax, [ecx+4]
		lea	eax, ds:34h[eax*4]
		mov	[ecx+10h], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _EtwpCoverageLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	ebx, ebx
		mov	_EtwpCoverageLockOwner,	eax
		cmp	_EtwpCoverageContext, ebx
		jnz	short loc_8AF436
		mov	ecx, edi
		mov	eax, [edi]
		mov	edi, ebx
		mov	_EtwpCoverageContext, ecx
		mov	_EtwpCoverageNonPagedContext, eax
		cmp	_EtwpCoverageCoreTracingEnabled, ebx
		jz	short loc_8AF400
		mov	eax, [ecx+8]
		xor	ecx, ecx
		inc	ecx
		or	[eax+2], cx
		mov	dword ptr ds:0FFDF037Ch, 0FFFFFF00h

loc_8AF400:				; CODE XREF: EtwpCoverageEnsureContext()+2E0j
		mov	eax, _EtwpCoverageResetPeriod
		mov	ecx, 2710h
		mul	ecx
		lea	ecx, [ebp+var_30]
		mov	[ebp+var_30], ebx
		push	ecx
		push	edx
		push	eax
		neg	eax
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], esi
		adc	edx, ebx
		mov	[ebp+var_24], esi
		neg	edx
		push	edx
		push	eax
		mov	eax, _EtwpCoverageContext
		mov	eax, [eax]
		add	eax, 40h
		push	eax
		call	KeSetTimer2

loc_8AF436:				; CODE XREF: EtwpCoverageEnsureContext()+2C7j
		mov	_EtwpCoverageLockOwner,	ebx
		or	eax, 0FFFFFFFFh
		mov	esi, offset _EtwpCoverageLock
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8AF455
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8AF455:				; CODE XREF: EtwpCoverageEnsureContext()+342j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, dword_6B3010
		cmp	eax, ds:0FFDF037Ch
		jnb	short loc_8AF497
		cmp	dword_6B300C, 0
		jnz	short loc_8AF48D
		mov	ecx, off_6B3008
		lea	edx, [ebp+var_10]
		mov	[ebp+var_10], ebx
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B300C, eax

loc_8AF48D:				; CODE XREF: EtwpCoverageEnsureContext()+36Bj
		push	offset off_6B3008
		call	_EtwTelemetryCoverageReport@4 ;	EtwTelemetryCoverageReport(x)

loc_8AF497:				; CODE XREF: EtwpCoverageEnsureContext()+362j
		cmp	_EtwpCoverageCoreTracingEnabled, 0
		jz	short loc_8AF4D6
		mov	eax, dword_6B3740
		cmp	eax, ds:0FFDF037Ch
		jnb	short loc_8AF4D6
		cmp	dword_6B373C, 0
		jnz	short loc_8AF4CC
		mov	ecx, off_6B3738
		lea	edx, [ebp+var_14]
		mov	[ebp+var_14], ebx
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B373C, eax

loc_8AF4CC:				; CODE XREF: EtwpCoverageEnsureContext()+3AAj
		push	offset off_6B3738
		call	_EtwTelemetryCoverageReport@4 ;	EtwTelemetryCoverageReport(x)

loc_8AF4D6:				; CODE XREF: EtwpCoverageEnsureContext()+CEj
					; EtwpCoverageEnsureContext()+1CFj ...
		test	edi, edi
		jz	short loc_8AF520
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_8AF4EB
		push	eax
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		and	dword ptr [edi+8], 0

loc_8AF4EB:				; CODE XREF: EtwpCoverageEnsureContext()+3D5j
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	short loc_8AF4FB
		call	ObfDereferenceObject
		and	dword ptr [edi+4], 0

loc_8AF4FB:				; CODE XREF: EtwpCoverageEnsureContext()+3E6j
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_8AF50C
		push	56777445h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8AF50C:				; CODE XREF: EtwpCoverageEnsureContext()+3F5j
		xor	edx, edx
		mov	ecx, edi
		call	_EtwpCoverageFreeStringBuffers@8 ; EtwpCoverageFreeStringBuffers(x,x)
		push	56777445h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8AF520:				; CODE XREF: EtwpCoverageEnsureContext()+19j
					; EtwpCoverageEnsureContext()+9Cj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_EtwpCoverageEnsureContext@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


EtwpCoverageEnsureStringBuffer proc near ; CODE	XREF: EtwpCoverageRecord(x,x)+166p
					; EtwpCoverageEnsureContext()+1C6p

; FUNCTION CHUNK AT 00935DC5 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		lea	esi, [ebx+20h]
		mov	edx, [esi]

loc_8AF533:				; CODE XREF: EtwpCoverageEnsureStringBuffer+868ACj
		cmp	edx, esi
		jnz	loc_935DC5
		push	edi
		push	56777445h
		push	2000h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8AF579
		mov	edx, 2000h	; size_t
		mov	ecx, edi	; void *
		call	_EtwpCoverageInitializeStringBuffer@8 ;	EtwpCoverageInitializeStringBuffer(x,x)
		mov	[ebx+1Ch], edi
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_8AF580
		mov	[edi+4], eax
		mov	[edi], esi
		mov	[eax], edi
		xor	eax, eax
		mov	[esi+4], edi

loc_8AF575:				; CODE XREF: EtwpCoverageEnsureStringBuffer+56j
		pop	edi

loc_8AF576:				; CODE XREF: EtwpCoverageEnsureStringBuffer+868B6j
		pop	esi
		pop	ebx
		retn
; 

loc_8AF579:				; CODE XREF: EtwpCoverageEnsureStringBuffer+29j
		mov	eax, 0C000009Ah
		jmp	short loc_8AF575
; 

loc_8AF580:				; CODE XREF: EtwpCoverageEnsureStringBuffer+3Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall KsepDbReadKFlag(x, x, x)
_KsepDbReadKFlag@12:			; CODE XREF: KsepDbCacheReadDeviceInternal+77p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, 0C0000001h
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_8AF5FB
		push	6001h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_8AF5FB
		mov	edx, eax
		mov	ecx, edi
		call	SdbGetStringTagPtr
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_8AF5FB
		mov	eax, [ebp+8]
		mov	edx, esi
		push	5005h
		mov	[eax], ecx
		mov	ecx, edi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_8AF5FB
		mov	eax, [ebp+8]
		xor	ebx, ebx
		push	ebx
		push	ebx
		mov	ecx, edi
		mov	dword ptr [eax+4], 0Bh
		lea	esi, [eax+18h]
		call	SdbReadQWORDTag
		mov	[esi], eax
		mov	eax, [ebp+8]
		mov	[esi+4], edx
		mov	[eax+0Ch], esi
		mov	dword ptr [eax+8], 8

loc_8AF5FB:				; CODE XREF: EtwpCoverageEnsureStringBuffer+71j
					; EtwpCoverageEnsureStringBuffer+7Fj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	4
EtwpCoverageEnsureStringBuffer endp ; sp = -0Ch


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbReadQWORDTag	proc near		; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+116p
					; SdbpCheckApplicationTypeAttributes(x,x,x,x)+148p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00935DE3 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	eax, ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], ebx
		call	SdbGetTagFromTagID
		mov	ecx, 0F000h
		mov	edx, esi
		and	ax, cx
		mov	ecx, 5000h
		cmp	ax, cx
		mov	ecx, [ebp+var_4]
		jnz	loc_935DE3
		push	8		; int
		lea	eax, [ebp+var_C]
		push	eax		; void *
		call	SdbpReadTagData
		test	eax, eax
		jz	short loc_8AF65E
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_8]

loc_8AF657:				; CODE XREF: SdbReadQWORDTag+5Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8AF65E:				; CODE XREF: SdbReadQWORDTag+4Bj
					; SdbReadQWORDTag+86802j
		mov	eax, edi
		mov	edx, ebx
		jmp	short loc_8AF657
SdbReadQWORDTag	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtEnergyTrackerCreate(x,	x)
_PopEtEnergyTrackerCreate@8 proc near	; CODE XREF: NtPowerInformation+144Fp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		xor	eax, eax
		mov	[esp+48h+var_30], edx
		push	esi
		push	edi
		lea	edi, [esp+50h+var_2C]
		mov	esi, ecx
		stosd
		xor	ebx, ebx
		mov	ecx, ebx
		mov	[esp+50h+var_40], ebx
		mov	[esp+50h+var_3C], ebx
		mov	edx, 40000h
		stosd
		stosd
		stosd
		stosd
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_8AF69E
		cmp	eax, edx
		jbe	short loc_8AF6A0

loc_8AF69E:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+34j
		mov	[esi], edx

loc_8AF6A0:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+38j
		cmp	_PopEtGlobals, ecx
		jnz	short loc_8AF6B2
		mov	edi, 0C00000BBh
		jmp	loc_8AF8FD
; 

loc_8AF6B2:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+42j
		mov	eax, large fs:124h
		cmp	[eax+15Ah], cl
		jnz	short loc_8AF6C5
		mov	ecx, 200h

loc_8AF6C5:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+5Aj
		mov	eax, large fs:124h
		push	ebx
		mov	[esp+54h+var_C], ecx
		mov	[esp+54h+var_18], 18h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+54h+var_38], al
		mov	eax, _PopEtGlobals
		mov	[esp+54h+var_14], ebx
		mov	[esp+54h+var_10], ebx
		mov	[esp+54h+var_8], ebx
		mov	edx, [eax+10h]
		lea	eax, [esp+54h+var_40]
		push	eax
		push	ebx
		push	ebx
		push	258h
		push	ecx
		push	[esp+68h+var_38]
		lea	eax, [esp+6Ch+var_18]
		mov	[esp+6Ch+var_4], ebx
		push	eax
		xor	cl, cl
		call	ObCreateObjectEx
		mov	edi, eax
		test	edi, edi
		js	loc_8AF8DE
		mov	ebx, [esp+50h+var_40]
		mov	ecx, ebx	; void *
		mov	[esp+50h+var_38], ebx
		call	_PopEtEnergyTrackerInitialize@4	; PopEtEnergyTrackerInitialize(x)
		lea	edi, [ebx+10h]
		mov	edx, 0FFDF0320h
		movsd
		mov	ecx, 0FFDF0328h
		movsd
		movsd
		or	dword ptr [ebx+254h], 1
		mov	esi, 0FFDF0324h
		mov	edi, ds:0FFDF0004h
		mov	[esp+50h+var_34], edi
		mov	esi, [esi]
		mov	edx, [edx]
		mov	eax, [ecx]
		cmp	esi, eax
		jz	short loc_8AF77F
		lea	ebx, [ecx-4]
		lea	edi, [ecx-8]

loc_8AF766:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+111j
		pause
		mov	esi, [ebx]
		mov	edx, [edi]
		mov	ecx, [ecx]
		cmp	esi, ecx
		mov	ecx, 0FFDF0328h
		jnz	short loc_8AF766
		mov	ebx, [esp+50h+var_38]
		mov	edi, [esp+50h+var_34]

loc_8AF77F:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+FAj
		mov	eax, edx
		shl	esi, 8
		mul	edi
		imul	esi, edi
		mov	cl, 1
		shrd	eax, edx, 18h
		add	eax, esi
		mov	esi, [esp+50h+var_40]
		mov	[esi+228h], eax
		call	KiQueryUnbiasedInterruptTime
		xor	edi, edi
		push	edi
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	[esi+22Ch], eax
		mov	eax, large fs:124h
		mov	dword ptr [esi+230h], 1
		mov	esi, _PopEtGlobals
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+8]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, _PopEtGlobals
		mov	[esi+0Ch], eax
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jz	short loc_8AF7F8
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8AF7F8:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+18Dj
		mov	esi, [esp+50h+var_40]
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ecx+4], esi
		add	ecx, 8
		cmp	[ecx+4], edi
		jz	short loc_8AF811
		mov	[ecx+4], edi

loc_8AF811:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+1A8j
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		lea	edx, [esp+50h+var_2C]
		mov	[esp+50h+var_28], edi
		mov	ecx, offset _PopEtProcessEnumSnapshotCallback@8	; PopEtProcessEnumSnapshotCallback(x,x)
		mov	[esp+50h+var_24], edi
		mov	[esp+50h+var_1C], edi
		mov	[esp+50h+var_2C], 1
		mov	[esp+50h+var_20], esi
		call	PsEnumProcesses
		mov	edi, eax
		test	edi, edi
		js	loc_8AF8E2
		mov	eax, large fs:124h
		lea	edi, [esi+8]
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	esi, [esp+50h+var_40]
		mov	[edi+4], eax
		mov	eax, [esi+23Ch]
		mov	[esp+50h+var_34], eax
		test	eax, eax
		jnz	short loc_8AF889
		and	dword ptr [ebx+254h], 0FFFFFFFEh

loc_8AF889:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+21Cj
		xor	ebx, ebx
		cmp	[edi+4], ebx
		jz	short loc_8AF893
		mov	[edi+4], ebx

loc_8AF893:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+22Aj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[esp+50h+var_34], ebx
		jz	short loc_8AF8AE
		mov	edi, 0C000009Ah
		jmp	short loc_8AF8E2
; 

loc_8AF8AE:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+241j
		lea	eax, [esp+50h+var_3C]
		xor	edx, edx
		push	eax
		push	ebx
		push	ebx
		push	1
		push	1
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_8AF8CC
		mov	esi, ebx
		jmp	short loc_8AF8E2
; 

loc_8AF8CC:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+262j
		mov	ecx, [esp+50h+var_30]
		mov	edi, ebx
		mov	eax, [esp+50h+var_3C]
		mov	[esp+50h+var_3C], ebx
		mov	[ecx], eax
		jmp	short loc_8AF8E2
; 

loc_8AF8DE:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+B7j
		mov	esi, [esp+50h+var_40]

loc_8AF8E2:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+1E3j
					; PopEtEnergyTrackerCreate(x,x)+248j ...
		cmp	[esp+50h+var_3C], 0
		jz	short loc_8AF8F2
		push	[esp+50h+var_3C]
		call	NtClose

loc_8AF8F2:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+283j
		test	esi, esi
		jz	short loc_8AF8FD
		mov	ecx, esi
		call	ObfDereferenceObject

loc_8AF8FD:				; CODE XREF: PopEtEnergyTrackerCreate(x,x)+49j
					; PopEtEnergyTrackerCreate(x,x)+290j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopEtEnergyTrackerCreate@8 endp


;  S U B	R O U T	I N E 


; int __fastcall PopEtEnergyTrackerInitialize(void *)
_PopEtEnergyTrackerInitialize@4	proc near ; CODE XREF: PopEtEnergyTrackerCreate(x,x)+C7p
		mov	edi, edi
		push	esi
		push	edi
		push	258h		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		push	1F0h		; size_t
		mov	[esi+30h], edi
		lea	eax, [esi+38h]
		mov	[esi+2Ch], edi
		push	edi		; int
		push	eax		; void *
		mov	[esi+1Ch], edi
		mov	[esi+24h], edi
		mov	[esi+20h], edi
		call	_memset
		mov	eax, _PopEtGlobals
		add	esp, 18h
		add	eax, 2A4h
		mov	[esi+40h], eax
		pop	edi
		pop	esi
		retn
_PopEtEnergyTrackerInitialize@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepSetSystemPaths proc near		; CODE XREF: SepIsMinTCB:loc_7A266Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00935E0B SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	eax, ecx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_C], eax
		call	SepLoadNgenLocations
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		add	eax, 26Ch
		mov	[ebp+var_4], eax
		push	63734943h
		movzx	eax, word ptr [eax]
		add	eax, 1Eh
		mov	[ebp+var_8], eax
		add	eax, 10h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8AF9E3
		mov	eax, [ebp+var_4]
		lea	esi, [edi+10h]
		push	dword ptr [eax+4] ; char
		push	offset a??WsSystem32 ; "\\??\\%ws\\System32\\"
		push	[ebp+var_8]	; int
		push	esi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		push	esi
		push	edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [edi]
		mov	edx, edi
		mov	ecx, [ebp+var_C]
		mov	[edi+8], eax
		add	ecx, 10h
		mov	eax, [edi+4]
		mov	[edi+0Ch], eax
		push	0Ch
		pop	eax
		mov	[edi+8], ax
		xor	eax, eax
		lock cmpxchg [ecx], edx
		neg	eax
		sbb	eax, eax
		and	eax, edi
		jnz	loc_935E0B

loc_8AF9DC:				; CODE XREF: SepSetSystemPaths+9Cj
					; SepSetSystemPaths+864CAj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_8AF9E3:				; CODE XREF: SepSetSystemPaths+41j
		mov	ebx, 0C0000017h
		jmp	short loc_8AF9DC
SepSetSystemPaths endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepLoadNgenLocations proc near		; CODE XREF: SepSetSystemPaths+12p

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00935E1B SIZE 0000005E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+94h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[esp+0A0h+var_64], ecx
		push	30h		; size_t
		lea	eax, [esp+0A4h+var_38]
		mov	[esp+0A4h+var_8C], ebx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		mov	[esp+0ACh+var_80], ebx
		lea	edi, [esp+0ACh+var_48]
		mov	[esp+0ACh+var_60], 18h
		stosd
		add	esp, 0Ch
		mov	[esp+0A0h+var_5C], ebx
		mov	[esp+0A0h+var_54], 240h
		mov	[esp+0A0h+var_58], offset dword_403918
		stosd
		mov	[esp+0A0h+var_50], ebx
		mov	[esp+0A0h+var_4C], ebx
		stosd
		stosd
		lea	eax, [esp+0A0h+var_60]
		push	eax
		push	20019h
		lea	eax, [esp+0A8h+var_8C]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_935E1B
		lea	eax, [esp+0A0h+var_80]
		push	eax
		push	30h
		lea	eax, [esp+0A8h+var_38]
		push	eax
		push	2
		push	[esp+0B0h+var_8C]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8AFD1E
		mov	eax, [esp+0A0h+var_18]
		test	eax, eax
		jz	loc_8AFD1E
		cmp	[esp+0A0h+var_14], ebx
		jz	loc_8AFD1E
		cmp	[esp+0A0h+var_14], 0FFFFh
		ja	loc_8AFD1E
		mov	[esp+0A0h+var_94], ebx
		mov	edi, ebx
		mov	[esp+0A0h+var_90], ebx
		test	eax, eax
		jz	loc_8AFD45

loc_8AFAD3:				; CODE XREF: SepLoadNgenLocations+156j
		lea	eax, [esp+0A0h+var_80]
		push	eax
		push	10h
		lea	eax, [esp+0A8h+var_48]
		push	eax
		push	ebx
		push	edi
		push	[esp+0B4h+var_8C]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_8AFAFC
		cmp	esi, 80000005h
		jnz	loc_8AFD1E

loc_8AFAFC:				; CODE XREF: SepLoadNgenLocations+104j
		cmp	[esp+0A0h+var_44], 4
		jnz	loc_935E2C
		mov	ecx, [esp+0A0h+var_40]
		cmp	ecx, 2
		jb	loc_935E2C
		mov	edx, [esp+0A0h+var_94]
		lea	eax, [esp+0A0h+var_94]
		push	eax
		add	ecx, 8
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8AFD1E
		mov	eax, [esp+0A0h+var_90]
		inc	eax
		mov	[esp+0A0h+var_90], eax

loc_8AFB38:				; CODE XREF: SepLoadNgenLocations+86446j
		inc	edi
		cmp	edi, [esp+0A0h+var_18]
		jb	short loc_8AFAD3
		test	eax, eax
		jz	loc_8AFD45
		mov	ecx, [esp+0A0h+var_94]
		lea	eax, [esp+0A0h+var_94]
		push	eax
		push	8
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8AFD1E
		mov	eax, [esp+0A0h+var_14]
		mov	edi, 63734943h
		add	eax, 10h
		push	edi
		push	eax
		push	1
		mov	[esp+0ACh+var_70], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0A0h+var_84], eax
		test	eax, eax
		jz	loc_935E35
		push	edi
		push	[esp+0A4h+var_94]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+0A0h+var_68], edi
		test	edi, edi
		jz	loc_935E3F
		mov	eax, [esp+0A0h+var_90]
		mov	ecx, 0FFFFh
		inc	eax
		mov	[edi+4], ecx
		lea	edx, [edi+eax*8]
		mov	eax, edi
		sub	eax, edx
		mov	[esp+0A0h+var_88], edx
		mov	edx, [esp+0A0h+var_94]
		add	edx, eax
		mov	eax, ebx
		mov	[esp+0A0h+var_7C], edx
		mov	edx, ebx
		mov	[esp+0A0h+var_74], eax
		mov	[esp+0A0h+var_94], edx
		cmp	[esp+0A0h+var_18], eax
		jbe	loc_8AFCE3
		mov	ecx, [esp+0A0h+var_84]
		lea	edx, [edi+8]
		mov	[esp+0A0h+var_78], edx

loc_8AFBED:				; CODE XREF: SepLoadNgenLocations+2E7j
		lea	edx, [esp+0A0h+var_80]
		push	edx
		push	[esp+0A4h+var_70]
		push	ecx
		push	ebx
		push	eax
		push	[esp+0B4h+var_8C]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8AFD08
		mov	ecx, [esp+0A0h+var_84]
		cmp	dword ptr [ecx+4], 4
		jnz	loc_8AFCC1
		mov	eax, [ecx+8]
		mov	[esp+0A0h+var_6C], eax
		cmp	eax, 2
		jb	loc_8AFCC1
		mov	edi, eax
		mov	edx, edi

loc_8AFC2E:				; CODE XREF: SepLoadNgenLocations+8646Aj
		mov	eax, edi
		shr	eax, 1
		cmp	[ecx+eax*2+0Ah], bx
		jz	loc_935E49

loc_8AFC3D:				; CODE XREF: SepLoadNgenLocations+86470j
		mov	edi, [esp+0A0h+var_68]
		test	edx, edx
		jz	short loc_8AFCC1
		cmp	edx, [esp+0A0h+var_7C]
		ja	loc_935E5F
		mov	eax, [esp+0A0h+var_94]
		cmp	eax, [esp+0A0h+var_90]
		jnb	loc_935E5F
		movzx	eax, word ptr [edi+4]
		cmp	eax, edx
		jb	short loc_8AFC67
		mov	eax, edx

loc_8AFC67:				; CODE XREF: SepLoadNgenLocations+279j
		mov	[edi+4], ax
		movzx	eax, word ptr [edi+6]
		mov	edx, [ecx+8]
		cmp	eax, edx
		ja	short loc_8AFC78
		mov	eax, edx

loc_8AFC78:				; CODE XREF: SepLoadNgenLocations+28Aj
		mov	edx, [esp+0A0h+var_78]
		mov	[edi+6], ax
		mov	eax, [esp+0A0h+var_88]
		mov	[edx+4], eax
		mov	ax, [ecx+8]
		mov	[edx], ax
		mov	ax, [ecx+8]
		mov	[edx+2], ax
		lea	eax, [ecx+0Ch]
		push	dword ptr [ecx+8] ; size_t
		push	eax		; void *
		push	[esp+0A8h+var_88] ; void *
		call	_memcpy
		mov	ecx, [esp+0ACh+var_84]
		add	esp, 0Ch
		mov	eax, [ecx+8]
		add	[esp+0A0h+var_88], eax
		sub	[esp+0A0h+var_7C], eax
		inc	[esp+0A0h+var_94]
		add	[esp+0A0h+var_78], 8

loc_8AFCC1:				; CODE XREF: SepLoadNgenLocations+22Aj
					; SepLoadNgenLocations+23Aj ...
		mov	eax, [esp+0A0h+var_74]
		inc	eax
		mov	[esp+0A0h+var_74], eax
		cmp	eax, [esp+0A0h+var_18]
		jb	loc_8AFBED
		movzx	ecx, word ptr [edi+4]
		movzx	ebx, word ptr [edi+6]
		mov	edx, [esp+0A0h+var_94]

loc_8AFCE3:				; CODE XREF: SepLoadNgenLocations+1F2j
		lea	eax, [ecx+8]
		mov	[edi], edx
		mov	ecx, [esp+0A0h+var_64]
		mov	edx, edi
		mov	[edi+4], ax
		add	ecx, 14h
		lea	eax, [ebx+8]
		mov	[edi+6], ax
		xor	eax, eax
		lock cmpxchg [ecx], edx
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_8AFD08:				; CODE XREF: SepLoadNgenLocations+21Cj
					; SepLoadNgenLocations+8647Aj
		test	edi, edi
		jnz	loc_935E69

loc_8AFD10:				; CODE XREF: SepLoadNgenLocations+8645Aj
					; SepLoadNgenLocations+8648Aj
		push	63734943h
		push	[esp+0A4h+var_84]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8AFD1E:				; CODE XREF: SepLoadNgenLocations+A4j
					; SepLoadNgenLocations+B3j ...
		cmp	[esp+0A0h+var_8C], 0
		jz	short loc_8AFD2E
		push	[esp+0A0h+var_8C]
		call	_ZwClose@4	; ZwClose(x)

loc_8AFD2E:				; CODE XREF: SepLoadNgenLocations+339j
		mov	ecx, [esp+0A0h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8AFD45:				; CODE XREF: SepLoadNgenLocations+E3j
					; SepLoadNgenLocations+15Aj ...
		mov	esi, ebx
		jmp	short loc_8AFD1E
SepLoadNgenLocations endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCreatePassiveInterruptRealtimeThreads(x,	x)
_IopCreatePassiveInterruptRealtimeThreads@8 proc near
					; CODE XREF: IopInitializePassiveInterruptServices()+30p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		xor	ebx, ebx
		mov	[esp+28h+var_18], 18h
		push	esi
		push	edi
		mov	edi, ebx
		mov	[esp+30h+var_20], ebx
		mov	[esp+30h+var_14], ebx
		mov	[esp+30h+var_C], 200h
		mov	[esp+30h+var_10], ebx
		mov	[esp+30h+var_8], ebx
		mov	[esp+30h+var_4], ebx
		cmp	_PassiveInterruptRealtimeWorkerCount, bl
		jbe	short loc_8AFE02

loc_8AFD88:				; CODE XREF: IopCreatePassiveInterruptRealtimeThreads(x,x)+B6j
		push	ebx
		push	ebx
		push	offset _PassiveInterruptRealtimeWorkQueue
		push	offset _IopPassiveInterruptRealtimeWorker@4 ; IopPassiveInterruptRealtimeWorker(x)
		push	ebx
		push	ebx
		lea	eax, [esp+48h+var_18]
		push	eax
		push	1FFFFFh
		lea	eax, [esp+50h+var_20]
		push	eax
		call	PsCreateSystemThreadEx
		test	eax, eax
		js	short loc_8AFE04
		mov	eax, ds:_PsThreadType
		lea	ecx, [esp+30h+var_1C]
		push	ebx
		push	ecx
		push	ebx
		push	eax
		push	1FFFFFh
		push	[esp+44h+var_20]
		mov	[esp+48h+var_1C], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[esp+30h+var_20]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_8AFDF6
		movzx	eax, _PassiveInterruptRealtimeWorkerPriority
		push	eax
		push	[esp+34h+var_1C]
		call	KeSetActualBasePriorityThread
		mov	ecx, [esp+30h+var_1C]
		call	ObfDereferenceObject

loc_8AFDF6:				; CODE XREF: IopCreatePassiveInterruptRealtimeThreads(x,x)+90j
		movzx	eax, _PassiveInterruptRealtimeWorkerCount
		inc	edi
		cmp	edi, eax
		jb	short loc_8AFD88

loc_8AFE02:				; CODE XREF: IopCreatePassiveInterruptRealtimeThreads(x,x)+3Cj
		mov	eax, ebx

loc_8AFE04:				; CODE XREF: IopCreatePassiveInterruptRealtimeThreads(x,x)+62j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_IopCreatePassiveInterruptRealtimeThreads@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopQueryPassiveInterruptRegistryOptions	proc near
					; CODE XREF: IopInitializePassiveInterruptServices()+3p

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00935E79 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	70h		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_78]
		push	esi		; int
		push	eax		; void *
		call	_memset
		movzx	eax, _PassiveInterruptForceCriticalWorker
		add	esp, 0Ch
		mov	[ebp+var_84], eax
		mov	ecx, 4000004h
		movzx	eax, _PassiveInterruptRealtimeWorkerCount
		mov	edx, 120h
		mov	[ebp+var_7C], eax
		movzx	eax, _PassiveInterruptRealtimeWorkerPriority
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_6C], eax
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_80]
		push	1
		mov	[ebp+var_50], eax
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_84]
		push	ecx
		push	esi
		mov	[ebp+var_34], eax
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	2
		mov	[ebp+var_74], edx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_58], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_3C], edx
		mov	edx, (offset loc_8B9579+1)
		mov	[ebp+var_30], ecx
		pop	ecx
		mov	[ebp+var_70], offset ??_C@_1DM@NKNBKI@?$AAP?$AAa?$AAs?$AAs?$AAi?$AAv?$AAe?$AAI?$AAn?$AAt?$AAR?$AAe?$AAa?$AAl?$AAT@NNGAKEGL@
		mov	[ebp+var_60], esi
		mov	[ebp+var_54], offset ??_C@_1EC@LAKHOLBC@?$AAP?$AAa?$AAs?$AAs?$AAi?$AAv?$AAe?$AAI?$AAn?$AAt?$AAR?$AAe?$AAa?$AAl?$AAT@NNGAKEGL@ ;	"PassiveIntRealTimeWorkerPriority"
		mov	[ebp+var_44], esi
		mov	[ebp+var_38], offset ??_C@_1DM@PCLNIALE@?$AAP?$AAa?$AAs?$AAs?$AAi?$AAv?$AAe?$AAI?$AAn?$AAt?$AAF?$AAo?$AAr?$AAc?$AAe@NNGAKEGL@ ;	"PassiveIntForceCriticalWorker"
		mov	[ebp+var_28], esi
		call	RtlpQueryRegistryValues
		mov	edx, eax
		test	edx, edx
		js	short loc_8AFEE4
		mov	cl, byte ptr [ebp+var_7C]
		test	cl, cl
		jz	short loc_8AFED9
		cmp	cl, 10h
		ja	short loc_8AFEF3

loc_8AFED3:				; CODE XREF: IopQueryPassiveInterruptRegistryOptions+E9j
		mov	_PassiveInterruptRealtimeWorkerCount, cl

loc_8AFED9:				; CODE XREF: IopQueryPassiveInterruptRegistryOptions+C0j
		mov	al, byte ptr [ebp+var_80]
		cmp	al, 10h
		ja	loc_935E79

loc_8AFEE4:				; CODE XREF: IopQueryPassiveInterruptRegistryOptions+B9j
					; IopQueryPassiveInterruptRegistryOptions+86078j
		mov	ecx, [ebp+var_4]
		mov	eax, edx
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8AFEF3:				; CODE XREF: IopQueryPassiveInterruptRegistryOptions+C5j
		mov	cl, 10h
		jmp	short loc_8AFED3
IopQueryPassiveInterruptRegistryOptions	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObInitServerSilo proc near		; CODE XREF: PspInitializeServerSiloDeferred(x)+6Ap
					; ObInitSystem+359p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00935E89 SIZE 000000A9 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	[esp+30h+var_1C], edi
		mov	[esp+30h+var_20], edi
		mov	[esp+30h+var_24], edi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ebx, eax
		push	25h
		pop	edx
		lea	ecx, [ebx+74h]
		mov	[ebx+70h], edi
		mov	[ecx+128h], edi

loc_8AFF2C:				; CODE XREF: ObInitServerSilo+3Fj
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		add	ecx, 8
		sub	edx, 1
		jnz	short loc_8AFF2C
		push	esi
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	loc_935E89

loc_8AFF47:				; CODE XREF: ObInitServerSilo+86035j
		xor	eax, eax

loc_8AFF49:				; CODE XREF: ObInitServerSilo+85FA4j
					; ObInitServerSilo+85FC9j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
ObInitServerSilo endp


;  S U B	R O U T	I N E 


; __stdcall PopEtInitializeBuiltinAppId(x, x)
_PopEtInitializeBuiltinAppId@8 proc near ; CODE	XREF: PopEtInit+ACp
					; PopEtInit+BCp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, _PopEtGlobals
		push	edi
		xor	edi, edi
		push	2
		lea	eax, [esi+2D0h]
		mov	[ecx+0Ch], edi
		mov	[ecx+10h], eax
		lea	eax, [esi+2D8h]
		mov	[ecx+20h], eax
		lea	esi, [edx+2]
		movzx	eax, byte ptr [eax+1]
		pop	ebx
		add	ax, bx
		mov	[ecx+14h], edx
		shl	ax, 2
		mov	[ecx+2Ah], ax

loc_8AFF8A:				; CODE XREF: PopEtInitializeBuiltinAppId(x,x)+42j
		mov	ax, [edx]
		add	edx, ebx
		cmp	ax, di
		jnz	short loc_8AFF8A
		sub	edx, esi
		pop	edi
		sar	edx, 1
		pop	esi
		mov	[ecx+24h], dx
		pop	ebx
		retn
_PopEtInitializeBuiltinAppId@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlInternTableInitialize(x,	x)
_RtlInternTableInitialize@8 proc near	; CODE XREF: PopEtInit+88p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		xor	eax, eax
		push	6
		pop	ecx
		mov	edi, esi
		rep stosd
		and	[esi+4], eax
		pop	edi
		mov	[esi+0Ch], edx
		pop	esi
		retn
_RtlInternTableInitialize@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpCCSwapStart	proc near		; CODE XREF: EtwpUpdateGroupMasks+243p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00935F32 SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, ds:_KeNumberProcessors
		mov	[ebp+var_4], ecx
		mov	eax, _CCSwapNumLoggersPerClockType[edi*4]
		test	eax, eax
		jnz	short loc_8B002E
		xor	ebx, ebx
		test	ecx, ecx
		jz	short loc_8B002E

loc_8AFFDD:				; CODE XREF: EtwpCCSwapStart+6Dj
		mov	ecx, ebx
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	esi, [eax+4054h]
		cmp	dword ptr [esi+edi*4+128h], 0
		jnz	short loc_8B003D
		push	77734343h
		push	400h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+edi*4+128h], eax
		test	eax, eax
		jz	loc_935F32

loc_8B0017:				; CODE XREF: EtwpCCSwapStart+8Dj
		mov	eax, [esi+edi*4+128h]
		and	dword ptr [eax], 0
		inc	ebx
		cmp	ebx, [ebp+var_4]
		jb	short loc_8AFFDD
		mov	eax, _CCSwapNumLoggersPerClockType[edi*4]

loc_8B002E:				; CODE XREF: EtwpCCSwapStart+1Dj
					; EtwpCCSwapStart+23j
		inc	eax
		mov	_CCSwapNumLoggersPerClockType[edi*4], eax
		xor	eax, eax

loc_8B0038:				; CODE XREF: EtwpCCSwapStart+85FB6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8B003D:				; CODE XREF: EtwpCCSwapStart+3Aj
		mov	byte ptr [esi+edi+120h], 0
		jmp	short loc_8B0017
EtwpCCSwapStart	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 942. IoRegisterFsRegistrationChangeMountAware

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoRegisterFsRegistrationChangeMountAware
IoRegisterFsRegistrationChangeMountAware proc near
					; CODE XREF: IoRegisterFsRegistrationChange(x,x)+Dp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 00935F73 SIZE 0000010C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_IopBlockLegacyFsFilters, 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		jnz	loc_935F73

loc_8B0074:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+85F31j
		push	1
		push	edi
		call	_FsRtlSetDriverBacking@8 ; FsRtlSetDriverBacking(x,x)
		test	eax, eax
		js	short loc_8B00E5
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	esi, esi
		cmp	[ebp+arg_8], 0
		jz	loc_93600C
		push	esi
		push	offset _IopDatabaseResource
		call	ExAcquireResourceExclusiveLite
		test	al, al
		jz	loc_935FF9

loc_8B00AD:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+85FCCj
		cmp	_IopFsNotifyChangeQueueHead, offset _IopFsNotifyChangeQueueHead
		jz	short loc_8B00F6
		mov	eax, dword_6CCDCC
		cmp	[eax+8], edi
		jnz	short loc_8B00F6
		cmp	[eax+0Ch], ebx
		jnz	short loc_8B00F6
		mov	ecx, offset _IopDatabaseResource
		call	ExReleaseResourceLite
		mov	esi, 0C0000038h

loc_8B00D7:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+85FBBj
					; IoRegisterFsRegistrationChangeMountAware+85FE0j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi

loc_8B00E5:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+32j
					; IoRegisterFsRegistrationChangeMountAware+149j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_8B00F6:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+6Bj
					; IoRegisterFsRegistrationChangeMountAware+75j	...
		push	73466F49h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_93601D
		mov	[eax+8], edi
		mov	edx, offset _IopFsNotifyChangeQueueHead
		mov	[eax+0Ch], ebx
		mov	ecx, dword_6CCDCC
		cmp	[ecx], edx
		jnz	short loc_8B019A
		cmp	[ebp+arg_8], 1
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6CCDCC, eax
		jnz	short loc_8B013F

loc_8B0133:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+8602Ej
		cmp	_IopMountsInProgress, esi
		jnz	loc_936031

loc_8B013F:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+E5j
					; IoRegisterFsRegistrationChangeMountAware+8601Ej
		push	esi
		mov	edx, ebx
		mov	ecx, offset _IopNetworkFileSystemQueueHead
		call	IopNotifyAlreadyRegisteredFileSystems
		push	1
		mov	edx, ebx
		mov	ecx, offset _IopCdRomFileSystemQueueHead
		call	IopNotifyAlreadyRegisteredFileSystems
		push	1
		mov	edx, ebx
		mov	ecx, offset _IopDiskFileSystemQueueHead
		call	IopNotifyAlreadyRegisteredFileSystems
		push	1
		mov	edx, ebx
		mov	ecx, offset _IopTapeFileSystemQueueHead
		call	IopNotifyAlreadyRegisteredFileSystems
		mov	ecx, offset _IopDatabaseResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	eax, eax
		jmp	loc_8B00E5
; 

loc_8B019A:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+D3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
IoRegisterFsRegistrationChangeMountAware endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopNotifyAlreadyRegisteredFileSystems proc near
					; CODE XREF: IoRegisterFsRegistrationChangeMountAware+FBp
					; IoRegisterFsRegistrationChangeMountAware+109p ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 0093607F SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	edi, [esi]
		cmp	edi, esi
		jz	short loc_8B01CA
		push	ebx
		mov	bl, [ebp+arg_0]

loc_8B01B7:				; CODE XREF: IopNotifyAlreadyRegisteredFileSystems+85EEEj
		mov	ecx, [edi]
		cmp	ecx, esi
		jnz	loc_93607F
		test	bl, bl
		jz	loc_93607F

loc_8B01C9:				; CODE XREF: IopNotifyAlreadyRegisteredFileSystems+85EF4j
		pop	ebx

loc_8B01CA:				; CODE XREF: IopNotifyAlreadyRegisteredFileSystems+11j
		pop	edi
		pop	esi
		leave
		retn	4
IopNotifyAlreadyRegisteredFileSystems endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwDeviceCompareObjects proc near	; DATA XREF: PiSwInit()+17o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00936099 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		mov	esi, [eax]
		mov	eax, [ebp+arg_8]
		mov	edi, [eax]
		push	dword ptr [edi+0Ch] ; wchar_t *
		push	dword ptr [esi+0Ch] ; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_936099

loc_8B01F8:				; CODE XREF: PiSwDeviceCompareObjects+85ED8j
		pop	edi
		xor	eax, eax
		pop	esi
		test	ecx, ecx
		js	short loc_8B0204
		setle	al
		inc	eax

loc_8B0204:				; CODE XREF: PiSwDeviceCompareObjects+2Ej
		pop	ebp
		retn	0Ch
PiSwDeviceCompareObjects endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwIrpSetLifetime(x)
_PiSwIrpSetLifetime@4 proc near		; CODE XREF: PiSwDispatch+A4p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	edx, [edi+60h]
		cmp	dword ptr [edx+8], 4
		mov	eax, [edx+18h]
		mov	eax, [eax+10h]
		mov	[ebp+var_4], eax
		jnz	short loc_8B0283
		push	ebx
		mov	ebx, [edi+0Ch]
		cmp	dword ptr [ebx], 1
		ja	short loc_8B0291
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiSwLockObj
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [ebp+var_4]
		call	_PiSwDeviceOperationsAllowed@4 ; PiSwDeviceOperationsAllowed(x)
		test	al, al
		jz	short loc_8B028A
		mov	eax, [ebx]
		mov	[ecx+60h], eax

loc_8B025A:				; CODE XREF: PiSwIrpSetLifetime(x)+87j
		mov	ecx, offset _PiSwLockObj
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_8B0270:				; CODE XREF: PiSwIrpSetLifetime(x)+8Ej
		pop	ebx

loc_8B0271:				; CODE XREF: PiSwIrpSetLifetime(x)+80j
		xor	dl, dl
		mov	[edi+18h], esi
		mov	ecx, edi
		call	IofCompleteRequest
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_8B0283:				; CODE XREF: PiSwIrpSetLifetime(x)+1Cj
		mov	esi, 0C000000Dh
		jmp	short loc_8B0271
; 

loc_8B028A:				; CODE XREF: PiSwIrpSetLifetime(x)+4Bj
		mov	esi, 0C00000BBh
		jmp	short loc_8B025A
; 

loc_8B0291:				; CODE XREF: PiSwIrpSetLifetime(x)+25j
		mov	esi, 0C000000Dh
		jmp	short loc_8B0270
_PiSwIrpSetLifetime@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_PnpGetEnumSecurityDescriptor proc near	; CODE XREF: _PnpCtxGetCachedNodeBaseKey+15Bp

var_68		= dword	ptr -68h
var_64		= word ptr -64h
var_60		= dword	ptr -60h
var_5C		= word ptr -5Ch
var_58		= dword	ptr -58h
var_54		= word ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009360AD SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[esp+70h+var_64], 500h
		push	esi
		push	edi
		mov	ebx, eax
		mov	[esp+78h+var_68], eax
		mov	[esp+78h+var_60], eax
		lea	edi, [esp+78h+var_4C]
		mov	[esp+78h+var_58], eax
		stosd
		push	1
		mov	[esp+7Ch+var_50], ebx
		mov	[esp+7Ch+var_5C], 300h
		stosd
		mov	[esp+7Ch+var_54], 100h
		stosd
		stosd
		stosd
		lea	eax, [esp+7Ch+var_68]
		push	eax
		lea	eax, [esp+80h+var_38]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_8B0555
		xor	esi, esi
		lea	eax, [esp+78h+var_38]
		push	esi
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 12h
		lea	eax, [esp+78h+var_38]
		push	eax
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_8B0555
		xor	edi, edi
		lea	eax, [esp+78h+var_60]
		inc	edi
		push	edi
		push	eax
		lea	eax, [esp+80h+var_2C]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_8B0555
		push	esi
		lea	eax, [esp+7Ch+var_2C]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 4
		lea	eax, [esp+78h+var_2C]
		push	eax
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_8B0555
		push	edi
		lea	eax, [esp+7Ch+var_58]
		push	eax
		lea	eax, [esp+80h+var_20]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_8B0555
		push	esi
		lea	eax, [esp+7Ch+var_20]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	[eax], esi
		lea	eax, [esp+78h+var_20]
		push	eax
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_8B0555
		push	2
		lea	eax, [esp+7Ch+var_68]
		push	eax
		lea	eax, [esp+80h+var_14]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_8B0555
		push	esi
		lea	eax, [esp+7Ch+var_14]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	edi
		mov	dword ptr [eax], 20h
		lea	eax, [esp+7Ch+var_14]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 220h
		lea	eax, [esp+78h+var_14]
		push	eax
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_8B0555
		lea	eax, [esp+78h+var_20]
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	esi, eax
		lea	eax, [esp+78h+var_2C]
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	esi, eax
		lea	eax, [esp+78h+var_38]
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 20h
		push	52504E50h
		add	esi, eax
		push	esi
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8B0555
		push	2		; int
		push	esi		; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		test	eax, eax
		js	loc_8B054D
		xor	esi, esi
		lea	eax, [esp+78h+var_38]
		push	esi
		push	eax
		push	0F003Fh
		push	2
		push	2
		pop	edx
		mov	ecx, edi
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_8B054D
		push	esi
		lea	eax, [esp+7Ch+var_2C]
		mov	ecx, edi
		push	eax
		push	20000h
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_8B054D
		push	esi
		lea	eax, [esp+7Ch+var_20]
		mov	ecx, edi
		push	eax
		push	20019h
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_8B054D
		push	1
		lea	eax, [esp+7Ch+var_4C]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		js	loc_8B054D
		push	esi
		push	edi
		inc	esi
		lea	eax, [esp+80h+var_4C]
		push	esi
		push	eax
		call	RtlSetDaclSecurityDescriptor
		test	eax, eax
		js	loc_8B054D
		push	esi
		lea	eax, [esp+7Ch+var_14]
		push	eax
		lea	eax, [esp+80h+var_4C]
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		test	eax, eax
		js	short loc_8B054D
		push	esi
		lea	eax, [esp+7Ch+var_14]
		push	eax
		lea	eax, [esp+80h+var_4C]
		push	eax
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		test	eax, eax
		js	short loc_8B054D
		mov	eax, 1400h
		or	word ptr [esp+78h+var_4C+2], ax
		lea	eax, [esp+78h+var_4C]
		push	eax
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jz	short loc_8B054D
		lea	eax, [esp+78h+var_4C]
		push	eax
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	ebx, eax
		mov	[esp+78h+var_68], ebx
		cmp	ebx, 14h
		jb	short loc_8B056F
		push	52504E50h
		push	ebx
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8B056F
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+78h+var_68]
		push	eax
		push	esi
		lea	eax, [esp+80h+var_4C]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		test	eax, eax
		js	short loc_8B0569
		mov	ebx, esi
		xor	esi, esi

loc_8B0545:				; CODE XREF: _PnpGetEnumSecurityDescriptor+2D5j
		test	esi, esi
		jnz	loc_9360AD

loc_8B054D:				; CODE XREF: _PnpGetEnumSecurityDescriptor+193j
					; _PnpGetEnumSecurityDescriptor+1B4j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8B0555:				; CODE XREF: _PnpGetEnumSecurityDescriptor+5Ej
					; _PnpGetEnumSecurityDescriptor+83j ...
		mov	ecx, [esp+78h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8B0569:				; CODE XREF: _PnpGetEnumSecurityDescriptor+2A7j
		mov	ebx, [esp+78h+var_50]
		jmp	short loc_8B0545
; 

loc_8B056F:				; CODE XREF: _PnpGetEnumSecurityDescriptor+275j
					; _PnpGetEnumSecurityDescriptor+287j
		mov	ebx, [esp+78h+var_50]
		jmp	short loc_8B054D
_PnpGetEnumSecurityDescriptor endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 802. IoCreateSystemThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoCreateSystemThread
IoCreateSystemThread proc near

var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 009360BA SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		push	ebx
		push	edi
		mov	edi, [ebp+arg_0]
		movzx	eax, word ptr [edi]
		cmp	ax, 3
		jnz	loc_9360BA

loc_8B0596:				; CODE XREF: IoCreateSystemThread+85B44j
		push	0Ch
		xor	ecx, ecx
		pop	edx
		inc	ecx
		call	IopVerifierExAllocatePool
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8B05EE
		mov	eax, [ebp+arg_18]
		mov	ecx, edi
		mov	[ebx+4], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebx], edi
		mov	[ebx+8], eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		push	0
		push	0
		push	ebx
		push	offset _IopThreadStart@4 ; IopThreadStart(x)
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	PsCreateSystemThreadEx
		mov	[esp+10h+var_4], eax
		test	eax, eax
		js	loc_9360D6

loc_8B05E6:				; CODE XREF: IoCreateSystemThread+79j
					; IoCreateSystemThread+85B6Fj
		pop	edi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
; 

loc_8B05EE:				; CODE XREF: IoCreateSystemThread+2Bj
		mov	eax, 0C000009Ah
		jmp	short loc_8B05E6
IoCreateSystemThread endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxRegQueryKeyPathName(x, x, x,	x)
__PnpCtxRegQueryKeyPathName@16 proc near ; CODE	XREF: PipHardwareConfigInit+2DBp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	ecx, edx
		mov	edx, [ebp+arg_0]
		call	_RegRtlQueryKeyPathName
		pop	ebp
		retn	8
__PnpCtxRegQueryKeyPathName@16 endp


;  S U B	R O U T	I N E 


; __stdcall KeOptimizeProcessorControlState(x, x)
_KeOptimizeProcessorControlState@8 proc	near ; DATA XREF: CmpInterlockedFunction+DDo
		call	Ke386ConfigureCyrixProcessor
		retn	8
_KeOptimizeProcessorControlState@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopFxInitializeWorkPool(x, x)
_PopFxInitializeWorkPool@8 proc	near	; CODE XREF: PopFxRegisterPluginEx(x,x,x,x)+E5p
					; PoFxInitPowerManagement+118p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		push	94h		; size_t
		push	0		; int
		lea	eax, [edi+0Ch]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[edi], esi
		and	dword ptr [edi+4], 0
		lea	eax, [edi+8]
		mov	[eax+4], eax
		lea	esi, [edi+10h]
		mov	[eax], eax
		push	2
		pop	ebx

loc_8B0644:				; CODE XREF: PopFxInitializeWorkPool(x,x)+43j
		push	7FFFFFFFh
		push	0
		push	esi
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		add	esi, 14h
		sub	ebx, 1
		jnz	short loc_8B0644
		push	4
		lea	ecx, [edi+4Ch]
		pop	edx

loc_8B065F:				; CODE XREF: PopFxInitializeWorkPool(x,x)+63j
		lea	eax, [ecx-10h]
		mov	[eax], edi
		and	dword ptr [ecx-0Ch], 0
		mov	dword ptr [ecx-4], offset _PopFxPluginWork@4 ; PopFxPluginWork(x)
		mov	[ecx], eax
		lea	ecx, [ecx+14h]
		sub	edx, 1
		jnz	short loc_8B065F
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PopFxCreateEmergencyWorkerThread@4 ; PopFxCreateEmergencyWorkerThread(x)
_PopFxInitializeWorkPool@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxCreateEmergencyWorkerThread(x)
_PopFxCreateEmergencyWorkerThread@4 proc near ;	CODE XREF: PopFxInitializeWorkPool(x,x)+6Aj

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		xor	eax, eax
		mov	[esp+1Ch+var_18], 18h
		push	esi
		push	eax
		push	eax
		push	ecx
		push	offset _PopFxEmergencyWorker@4 ; PopFxEmergencyWorker(x)
		push	eax
		push	eax
		mov	[esp+38h+var_1C], eax
		mov	[esp+38h+var_14], eax
		mov	[esp+38h+var_10], eax
		mov	[esp+38h+var_8], eax
		mov	[esp+38h+var_4], eax
		lea	eax, [esp+38h+var_18]
		push	eax
		push	1FFFFFh
		lea	eax, [esp+40h+var_1C]
		mov	[esp+40h+var_C], 200h
		push	eax
		call	PsCreateSystemThreadEx
		mov	esi, eax
		test	esi, esi
		js	short loc_8B06E3
		push	[esp+20h+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_8B06E3:				; CODE XREF: PopFxCreateEmergencyWorkerThread(x)+54j
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_PopFxCreateEmergencyWorkerThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpRegisterFirmwareTableInformationHandler proc	near ; CODE XREF: PAGE:007B405Ep

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 0093615B SIZE 00000066 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	esi, esi
		cmp	[ebp+arg_0], 0
		push	edi
		mov	edi, ecx
		jnz	loc_93615B
		test	edi, edi
		jz	loc_9361B7
		cmp	edx, 10h
		jb	loc_9361B7
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _ExpFirmwareTableResource
		call	ExAcquireResourceExclusiveLite
		mov	ebx, _ExpFirmwareTableProviderListHead
		mov	edx, offset _ExpFirmwareTableProviderListHead
		add	ebx, 0FFFFFFF0h
		lea	eax, [ebx+10h]
		cmp	eax, edx
		jz	short loc_8B0754
		mov	ecx, [edi]

loc_8B0742:				; CODE XREF: ExpRegisterFirmwareTableInformationHandler+68j
		cmp	[ebx], ecx
		jz	loc_936165
		mov	eax, [ebx+10h]
		lea	ebx, [eax-10h]
		cmp	eax, edx
		jnz	short loc_8B0742

loc_8B0754:				; CODE XREF: ExpRegisterFirmwareTableInformationHandler+54j
		cmp	byte ptr [edi+4], 0
		jz	short loc_8B07D1
		push	54465241h
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_8B07CA
		mov	eax, [edi]
		mov	[edx], eax
		mov	eax, [edi+8]
		mov	[edx+8], eax
		mov	ecx, [edi+0Ch]
		lea	edi, [edx+10h]
		mov	[edx+0Ch], ecx
		mov	[edi+4], edi
		mov	[edi], edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, dword_6BC03C
		mov	ecx, offset _ExpFirmwareTableProviderListHead
		cmp	[eax], ecx
		jnz	short loc_8B07C5
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	dword_6BC03C, edi

loc_8B07A6:				; CODE XREF: ExpRegisterFirmwareTableInformationHandler+E5j
					; ExpRegisterFirmwareTableInformationHandler+ECj ...
		mov	ecx, offset _ExpFirmwareTableResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_8B07BC:				; CODE XREF: ExpRegisterFirmwareTableInformationHandler+85A76j
					; ExpRegisterFirmwareTableInformationHandler+85AD2j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_8B07C5:				; CODE XREF: ExpRegisterFirmwareTableInformationHandler+ADj
					; ExpRegisterFirmwareTableInformationHandler+85A95j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8B07CA:				; CODE XREF: ExpRegisterFirmwareTableInformationHandler+82j
		mov	esi, 0C000009Ah
		jmp	short loc_8B07A6
; 

loc_8B07D1:				; CODE XREF: ExpRegisterFirmwareTableInformationHandler+6Ej
					; ExpRegisterFirmwareTableInformationHandler+85A87j
		mov	esi, 0C000000Dh
		jmp	short loc_8B07A6
ExpRegisterFirmwareTableInformationHandler endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepBuildDefaultCap proc	near		; CODE XREF: SepRmDbInitialization()+ADp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009361C1 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], edi
		call	_SepBuildDefaultCape@4 ; SepBuildDefaultCape(x)
		mov	esi, eax
		mov	ebx, 70536553h
		test	esi, esi
		js	loc_9361C6
		push	ebx
		push	28h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_9361C1
		mov	[ecx], edi
		mov	[ecx+4], edi
		mov	[ecx+8], edi
		mov	eax, ds:_DefaultCapName
		mov	[ecx+14h], eax
		mov	eax, ds:off_A93D9C
		mov	[ecx+18h], eax
		xor	eax, eax
		inc	eax
		mov	[ecx+10h], edi
		mov	[ecx+1Ch], eax
		mov	[ecx+20h], eax
		mov	eax, [ebp+var_4]
		mov	[ecx+24h], eax
		mov	[ecx+0Ch], edi
		mov	ds:_SepRmDefaultCap, ecx

loc_8B0844:				; CODE XREF: SepBuildDefaultCap+859F1j
					; SepBuildDefaultCap+85A00j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
SepBuildDefaultCap endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KsepCacheDeviceInsertData(void *,int,int)
KsepCacheDeviceInsertData proc near	; CODE XREF: KsepDbCacheReadDeviceInternal+8Fp
					; KsepDbCacheReadDeviceInternal+6A51Ap

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009361DD SIZE 00000047 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	1Ch
		mov	ebx, ecx
		mov	edi, edx
		pop	ecx
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8B08C6
		lea	ecx, [esi+8]
		mov	edx, edi
		call	KsepStringDuplicate
		mov	edi, eax
		test	edi, edi
		js	short loc_8B08B5
		mov	edi, [ebp+arg_8]
		mov	ecx, edi
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	[esi+18h], eax
		test	eax, eax
		jz	short loc_8B08CD
		push	edi		; size_t
		push	[ebp+arg_0]	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	[esi+14h], eax
		lea	eax, [ebx+1Ch]
		mov	[esi+10h], edi
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_8B08D4
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		xor	esi, esi
		mov	edi, esi

loc_8B08B5:				; CODE XREF: KsepCacheDeviceInsertData+28j
					; KsepCacheDeviceInsertData+86j
		test	esi, esi
		jnz	loc_9361DD

loc_8B08BD:				; CODE XREF: KsepCacheDeviceInsertData+7Fj
					; KsepCacheDeviceInsertData+859A8j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_8B08C6:				; CODE XREF: KsepCacheDeviceInsertData+18j
		mov	edi, 0C0000017h
		jmp	short loc_8B08BD
; 

loc_8B08CD:				; CODE XREF: KsepCacheDeviceInsertData+39j
		mov	edi, 0C0000017h
		jmp	short loc_8B08B5
; 

loc_8B08D4:				; CODE XREF: KsepCacheDeviceInsertData+59j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

PspAllocatePartition:			; CODE XREF: PspInitializeSystemPartitionPhase0+C9p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	edx, ds:_PsPartitionType
		lea	edi, [ebp+var_20]
		push	6
		mov	esi, ecx
		xor	eax, eax
		pop	ecx
		rep stosd
		xor	ecx, ecx
		lea	eax, [ebp+var_24]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	40h
		push	ecx
		push	ecx
		mov	[ebp+var_28], ecx
		mov	bl, cl
		mov	[ebp+var_24], ecx
		xor	cl, cl
		push	esi
		call	ObCreateObjectEx
		mov	esi, [ebp+var_24]
		mov	edi, eax
		test	edi, edi
		js	short loc_8B0977
		push	40h		; size_t
		push	0		; int
		push	esi		; void *
		mov	bl, 1
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [esi+0Ch], 2
		mov	edx, 64726148h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		xor	eax, eax
		mov	ecx, esi
		inc	eax
		mov	[esi+10h], eax
		mov	edx, eax
		and	dword ptr [esi+30h], 0
		call	_MmCreatePartition@8 ; MmCreatePartition(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8B0977
		mov	ecx, esi
		call	_PspAddPartitionToGlobalList@4 ; PspAddPartitionToGlobalList(x)
		or	dword ptr [esi+3Ch], 1
		mov	ds:_PspSystemPartition,	esi
		xor	esi, esi
		xor	edi, edi

loc_8B0977:				; CODE XREF: KsepCacheDeviceInsertData+D9j
					; KsepCacheDeviceInsertData+114j
		test	esi, esi
		jnz	loc_9361F9

loc_8B097F:				; CODE XREF: KsepCacheDeviceInsertData+859C6j
					; KsepCacheDeviceInsertData+859D3j
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
KsepCacheDeviceInsertData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopLogSleepDisabled(void *,int)
PopLogSleepDisabled proc near		; CODE XREF: PopUpdateUpgradeInProgress(x)+C8p
					; NtPowerInformation+12E6p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00936224 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, ecx
		mov	ebx, edx
		push	edi
		mov	[ebp+var_4], eax
		call	_PopGetReasonListByReasonCode@4	; PopGetReasonListByReasonCode(x)
		test	eax, eax
		jnz	loc_936224
		mov	edi, [ebp+arg_4]
		push	esi
		push	66756263h
		add	edi, 18h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_93622E
		push	edi		; size_t
		xor	edi, edi
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	[esi+10h], eax
		test	bl, 1
		jz	short loc_8B09E8
		mov	byte ptr [esi+8], 1

loc_8B09E8:				; CODE XREF: PopLogSleepDisabled+50j
		test	bl, 2
		jz	short loc_8B09F1
		mov	byte ptr [esi+9], 1

loc_8B09F1:				; CODE XREF: PopLogSleepDisabled+59j
		test	bl, 4
		jnz	short loc_8B0A38

loc_8B09F6:				; CODE XREF: PopLogSleepDisabled+AAj
		test	bl, 8
		jnz	short loc_8B0A3E

loc_8B09FB:				; CODE XREF: PopLogSleepDisabled+B0j
		test	bl, 10h
		jnz	short loc_8B0A44

loc_8B0A00:				; CODE XREF: PopLogSleepDisabled+B6j
		test	bl, 20h
		jz	short loc_8B0A09
		mov	byte ptr [esi+0Ch], 1

loc_8B0A09:				; CODE XREF: PopLogSleepDisabled+71j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	loc_936238

loc_8B0A14:				; CODE XREF: PopLogSleepDisabled+858B9j
		mov	eax, dword_6C2AF4
		mov	ecx, offset _PowerStateDisableReasonListHead
		cmp	[eax], ecx
		jnz	short loc_8B0A4A
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6C2AF4, esi

loc_8B0A2F:				; CODE XREF: PopLogSleepDisabled+858A1j
		pop	esi

loc_8B0A30:				; CODE XREF: PopLogSleepDisabled+85897j
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn	8
; 

loc_8B0A38:				; CODE XREF: PopLogSleepDisabled+62j
		mov	byte ptr [esi+0Ah], 1
		jmp	short loc_8B09F6
; 

loc_8B0A3E:				; CODE XREF: PopLogSleepDisabled+67j
		mov	byte ptr [esi+0Bh], 1
		jmp	short loc_8B09FB
; 

loc_8B0A44:				; CODE XREF: PopLogSleepDisabled+6Cj
		mov	byte ptr [esi+0Eh], 1
		jmp	short loc_8B0A00
; 

loc_8B0A4A:				; CODE XREF: PopLogSleepDisabled+8Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
PopLogSleepDisabled endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpInitSystem	proc near		; CODE XREF: LpcInitSystem()+Dp

var_90		= dword	ptr -90h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00936250 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_30]
		push	2Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		dec	word ptr [eax+13Ch]
		nop
		push	6E496C41h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:_AlpcpDummyEvent, eax
		test	eax, eax
		jz	loc_936250
		push	1
		push	ebx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, offset _AlpcpPortList
		mov	_AlpcpPortListLock, ebx
		mov	dword_6C6F14, eax
		mov	_AlpcpPortList,	eax
		lea	eax, [ebp+var_38]
		push	offset ??_C@_1BE@PJBJJIKA@?$AAA?$AAL?$AAP?$AAC?$AA?5?$AAP?$AAo?$AAr?$AAt@NNGAKEGL@ ; "ALPC Port"
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_90]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	word ptr [ebp+var_90], si
		lea	edi, [ebp+var_84]
		mov	esi, offset _AlpcpPortMapping
		add	esp, 0Ch
		movsd
		push	offset _AlpcPortObjectType
		push	95h
		push	ebx
		movsd
		movsd
		movsd
		mov	al, byte ptr [ebp+var_90+2]
		mov	edi, 200h
		and	al, 0DBh
		mov	[ebp+var_6C], edi
		or	al, 10h
		mov	[ebp+var_68], ebx
		mov	byte ptr [ebp+var_90+2], al
		lea	eax, [ebp+var_90]
		push	eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_64], 130h
		push	eax
		mov	[ebp+var_88], 80h
		mov	[ebp+var_74], 1F0001h
		mov	[ebp+var_5C], offset _AlpcpOpenPort@24 ; AlpcpOpenPort(x,x,x,x,x,x)
		mov	[ebp+var_58], offset _AlpcpClosePort@16	; AlpcpClosePort(x,x,x,x)
		mov	[ebp+var_54], offset _AlpcpDeletePort@4	; AlpcpDeletePort(x)
		call	ObCreateObjectTypeEx
		mov	esi, eax
		test	esi, esi
		js	loc_8B0C60
		xor	edx, edx
		xor	ecx, ecx
		call	ExCreateHandleTable
		push	ebx
		push	20h
		pop	esi
		push	esi
		push	734D6C41h
		push	1B0h
		push	ebx
		push	offset AlpcpFreeMessageFunction
		push	offset AlpcpAllocateMessageFunction
		push	offset _AlpcpLookasides
		mov	ds:_AlpcMessageTable, eax
		call	ExInitializePagedLookasideListInternal
		push	ebx
		push	esi
		push	49436C41h
		push	40h
		push	ebx
		push	offset _PfSnScenarioFree@4 ; PfSnScenarioFree(x)
		push	offset _AlpcpAllocateBuffer@12 ; AlpcpAllocateBuffer(x,x,x)
		push	offset unk_6FB0C0
		call	ExInitializePagedLookasideListInternal
		push	ebx
		push	esi
		push	61486C41h
		push	40h
		push	ebx
		push	ebx
		push	ebx
		push	offset unk_6FB180
		call	ExInitializePagedLookasideListInternal
		push	esi
		push	65536C41h
		push	14h
		push	edi
		push	ebx
		push	ebx
		push	offset _AlpcpNPLookasides
		call	_ExInitializeNPagedLookasideList@28 ; ExInitializeNPagedLookasideList(x,x,x,x,x,x,x)
		push	ebx
		push	2Ch
		lea	eax, [ebp+var_30]
		push	eax
		push	ebx
		call	NtQuerySystemInformation
		mov	esi, eax
		test	esi, esi
		js	short loc_8B0C0C
		mov	eax, [ebp+var_18]
		mov	ds:_AlpcpRegionGranularity, eax
		mov	eax, [ebp+var_28]
		mov	ds:_AlpcpViewGranularity, eax

loc_8B0C0C:				; CODE XREF: AlpcpInitSystem+1AAj
		cmp	_AlpcpMessageLogEnabled, ebx
		jnz	loc_93625A
		mov	eax, offset _AlpcpMessageLogListHead
		mov	_AlpcpMessageLogLock, ebx
		mov	dword_6C6F54, eax
		mov	_AlpcpMessageLogListHead, eax
		mov	eax, offset _AlpcpFreeMessageLogListHead
		mov	dword_6C6F4C, eax
		mov	_AlpcpFreeMessageLogListHead, eax
		mov	eax, offset _AlpcpFreeMessageSnapshotListHead
		mov	dword_6C6F44, eax
		mov	_AlpcpFreeMessageSnapshotListHead, eax

loc_8B0C4B:				; CODE XREF: AlpcpInitSystem+85819j
		mov	eax, offset dword_6C6F28
		mov	_AlpcpCompletionListDatabase, ebx
		mov	dword_6C6F2C, eax
		mov	dword_6C6F28, eax

loc_8B0C60:				; CODE XREF: AlpcpInitSystem+118j
					; AlpcpInitSystem+85805j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
AlpcpInitSystem	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AlpcpInitializeMessageLog proc near	; CODE XREF: AlpcpInitSystem+85814p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0093626E SIZE 00000183 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, offset _AlpcpMessageLogListHead
		push	ebx
		mov	dword_6C6F54, eax
		mov	ebx, ecx
		mov	_AlpcpMessageLogListHead, eax
		mov	eax, offset _AlpcpFreeMessageLogListHead
		push	esi
		xor	esi, esi
		mov	dword_6C6F4C, eax
		mov	_AlpcpFreeMessageLogListHead, eax
		mov	eax, offset _AlpcpFreeMessageSnapshotListHead
		mov	[ebp+var_8], ebx
		mov	_AlpcpMessageLogLock, esi
		mov	dword_6C6F44, eax
		mov	_AlpcpFreeMessageSnapshotListHead, eax
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jnz	loc_93626E

loc_8B0CCC:				; CODE XREF: AlpcpInitializeMessageLog+855F2j
					; AlpcpInitializeMessageLog+856B8j ...
		xor	eax, eax

loc_8B0CCE:				; CODE XREF: AlpcpInitializeMessageLog+85671j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
AlpcpInitializeMessageLog endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipClearDevNodeProblem proc near	; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+337p
					; PipCallDriverAddDevice+32Ep ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	dword ptr [esi+10Ch], 2000h
		mov	edi, [esi+114h]
		mov	ebx, [esi+118h]
		jnz	loc_936369
		test	edi, edi
		jnz	loc_936369

loc_8B0D09:				; CODE XREF: AlpcpInitializeMessageLog+85763j
					; AlpcpInitializeMessageLog+8576Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PipClearDevNodeProblem endp


;  S U B	R O U T	I N E 


PopNetEvaluateStateMask	proc near	; CODE XREF: PopNetEvaluationWorkerCallback+44p

; FUNCTION CHUNK AT 009363F1 SIZE 0000003F BYTES

		mov	eax, _PopNetStandbyStateMask
		test	al, 4
		jnz	short loc_8B0D34
		test	al, 8
		jnz	loc_9363F1
		test	al, 40h
		jz	loc_9363FE
		mov	dword ptr [ecx], 2
		mov	dword ptr [edx], 6
		retn
; 

loc_8B0D34:				; CODE XREF: PopNetEvaluateStateMask+7j
		push	2
		pop	eax
		mov	[ecx], eax
		mov	[edx], eax
		retn
PopNetEvaluateStateMask	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopTraceStandbyConnectivityUpdate proc near ; CODE XREF: PopNetEvaluationWorkerCallback+101p
					; PopNetInitialize+22EB0p

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00936430 SIZE 00000069 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		xor	ebx, ebx
		mov	[ebp+var_88], esi
		cmp	dword_6B23F8, 5
		mov	[ebp+var_84], edi
		jbe	short loc_8B0D87
		push	4000h
		push	ebx
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_936430

loc_8B0D87:				; CODE XREF: PopTraceStandbyConnectivityUpdate+31j
					; PopTraceStandbyConnectivityUpdate+85758j
		cmp	_PopDiagHandleRegistered, bl
		jz	short loc_8B0DE5
		mov	esi, dword_6C1D74
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_STANDBY_CONNECTIVITY_UPDATE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_8B0DE5
		push	4
		pop	ecx
		lea	eax, [ebp+var_84]
		mov	[ebp+var_24], ebx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		push	ebx
		push	offset _POP_ETW_EVENT_STANDBY_CONNECTIVITY_UPDATE
		push	esi
		push	edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_8B0DE5:				; CODE XREF: PopTraceStandbyConnectivityUpdate+51j
					; PopTraceStandbyConnectivityUpdate+6Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopTraceStandbyConnectivityUpdate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNetPublishWnfStateUpdate(x)
_PopNetPublishWnfStateUpdate@4 proc near ; CODE	XREF: PopNetEvaluationWorkerCallback+E0p
					; PopNetInitialize+22EDBp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		xor	edx, edx
		mov	eax, edx
		mov	[ebp+var_4], edx
		or	[ebp+var_4], 0FFFFFFFFh
		or	eax, 1
		test	cl, cl
		jnz	short loc_8B0E30
		and	eax, 0FFFFFFFDh

loc_8B0E10:				; CODE XREF: PopNetPublishWnfStateUpdate(x)+3Fj
		push	edx
		push	edx
		push	edx
		push	edx
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	8
		push	eax
		push	offset _WNF_SEB_NETWORK_CONNECTIVITY_IN_STANDBY
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	_PopNetStandbyStatePublished, 1
		leave
		retn
; 

loc_8B0E30:				; CODE XREF: PopNetPublishWnfStateUpdate(x)+17j
		or	eax, 2
		jmp	short loc_8B0E10
_PopNetPublishWnfStateUpdate@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


PopNetUpdateCsConsumptionFlags proc near ; CODE	XREF: PopNetEvaluationWorkerCallback+D3p
					; PopPdcCsDeviceNotification(x):loc_9B5412p

; FUNCTION CHUNK AT 00936499 SIZE 00000025 BYTES

		mov	eax, dword_6D44C8
		or	eax, dword_6D44CC
		jnz	loc_936499

locret_8B0E47:				; CODE XREF: PopNetUpdateCsConsumptionFlags+8566Cj
		retn
PopNetUpdateCsConsumptionFlags endp


;  S U B	R O U T	I N E 


AslFileNotFound	proc near		; CODE XREF: AslFileMappingCreate+120p
					; SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+AAp ...

; FUNCTION CHUNK AT 009364BE SIZE 0000000F BYTES

		cmp	ecx, 0C000003Ah
		jnz	short loc_8B0E54

loc_8B0E50:				; CODE XREF: AslFileNotFound+12j
					; AslFileNotFound+8567Cj
		xor	eax, eax
		inc	eax
		retn
; 

loc_8B0E54:				; CODE XREF: AslFileNotFound+6j
		cmp	ecx, 0C0000034h
		jz	short loc_8B0E50
		jmp	loc_9364BE
AslFileNotFound	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1055. IoWMISetNotificationCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoWMISetNotificationCallback(x, x, x)
		public _IoWMISetNotificationCallback@12
_IoWMISetNotificationCallback@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, offset _WmipSMMutex
		push	edi
		push	edi
		push	edi
		push	edi
		push	esi
		call	KeWaitForSingleObject
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		push	edi
		push	esi
		mov	[ecx+30h], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+34h], eax
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	0Ch
_IoWMISetNotificationCallback@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2038. RtlDeleteRegistryValue

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDeleteRegistryValue(x, x, x)
		public _RtlDeleteRegistryValue@12
_RtlDeleteRegistryValue@12 proc	near	; CODE XREF: PerfDiagpSaveActiveDCLLogFileName+A61CEp
					; PerfDiagpSaveActiveDCLLogFileName+A61E3p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		call	RtlpGetRegistryHandle
		test	eax, eax
		js	short loc_8B0EF0
		push	[ebp+arg_8]
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_8]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		test	[ebp+arg_0], 40000000h
		mov	esi, eax
		jz	short loc_8B0EF5

loc_8B0EEE:				; CODE XREF: RtlDeleteRegistryValue(x,x,x)+5Bj
		mov	eax, esi

loc_8B0EF0:				; CODE XREF: RtlDeleteRegistryValue(x,x,x)+27j
		pop	esi
		leave
		retn	0Ch
; 

loc_8B0EF5:				; CODE XREF: RtlDeleteRegistryValue(x,x,x)+4Aj
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_8B0EEE
_RtlDeleteRegistryValue@12 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1050. IoWMIQueryAllData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoWMIQueryAllData(x, x, x)
		public _IoWMIQueryAllData@12
_IoWMIQueryAllData@12 proc near

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [esp+58h+var_50]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_4]
		push	48h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [edi]
		xor	edx, edx
		add	esp, 0Ch
		mov	[esp+60h+var_54], edx
		test	esi, esi
		jz	short loc_8B0FA0
		cmp	eax, 48h
		jb	short loc_8B0FA0

loc_8B0F48:				; CODE XREF: IoWMIQueryAllData(x,x,x)+A3j
		lea	ecx, [esp+60h+var_54]
		mov	[esi+10h], edx
		push	ecx
		push	eax
		push	esi
		mov	[esi+0Ch], edx
		mov	ecx, ebx
		push	edx
		xor	edx, edx
		mov	dword ptr [esi+2Ch], 1
		mov	dword ptr [esi], 30h
		call	WmipQueryAllData
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_8B0F8A
		mov	eax, [esi+2Ch]
		test	eax, 100h
		jnz	short loc_8B0FB9
		test	al, 20h
		jz	short loc_8B0FA9
		mov	eax, [esi+30h]
		mov	[edi], eax

loc_8B0F85:				; CODE XREF: IoWMIQueryAllData(x,x,x)+B3j
		mov	ecx, 0C0000023h

loc_8B0F8A:				; CODE XREF: IoWMIQueryAllData(x,x,x)+6Cj
					; IoWMIQueryAllData(x,x,x)+B1j	...
		pop	edi
		mov	eax, ecx
		mov	ecx, [esp+5Ch+var_4]
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_8B0FA0:				; CODE XREF: IoWMIQueryAllData(x,x,x)+3Dj
					; IoWMIQueryAllData(x,x,x)+42j
		push	48h
		lea	esi, [esp+64h+var_50]
		pop	eax
		jmp	short loc_8B0F48
; 

loc_8B0FA9:				; CODE XREF: IoWMIQueryAllData(x,x,x)+7Aj
		mov	eax, [esp+60h+var_54]
		mov	[edi], eax
		lea	eax, [esp+60h+var_50]
		cmp	esi, eax
		jnz	short loc_8B0F8A
		jmp	short loc_8B0F85
; 

loc_8B0FB9:				; CODE XREF: IoWMIQueryAllData(x,x,x)+76j
		mov	ecx, 0C00000BBh
		jmp	short loc_8B0F8A
_IoWMIQueryAllData@12 endp

; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpAssignKeySecurity proc near		; CODE XREF: CmpSecurityMethod+1BAp

var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 009364CD SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		and	[ebp+var_18], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	word ptr [ebp+var_18], ax
		lea	edi, [ebp+var_2C]
		stosd
		mov	esi, ecx
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_10], edx
		xor	bl, bl
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_C], esi
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	word ptr [ebp+var_2C+2], cx
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	[ebp+var_1], al
		test	al, al
		jz	loc_9364CD
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edi, [esi+8]
		lea	ecx, [ebp+var_2C]
		mov	edx, edi
		mov	[ebp+var_8], 1
		mov	ebx, [edi+10h]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8B1152
		lea	ecx, [ebp+var_2C]
		call	_CmpLockKcbStackExclusive@4 ; CmpLockKcbStackExclusive(x)
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_8B1114
		lea	ecx, [ebx+24h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lea	ecx, [ebx+484h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		push	[ebp+var_8]
		lea	edx, [ebp+var_1C]
		mov	ecx, edi
		call	CmpGetKeyNodeForKcb
		mov	ecx, large fs:124h
		mov	esi, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_14], esi
		and	dword ptr [eax-4], 0
		cmp	byte ptr [ecx+15Ah], 0
		jnz	short loc_8B10A4
		test	byte ptr [ebx+980h], 20h
		jnz	loc_9364E3

loc_8B10A4:				; CODE XREF: CmpAssignKeySecurity+D3j
					; CmpAssignKeySecurity+85528j ...
		mov	edx, [edi+14h]
		lea	eax, [esi+2Ch]
		mov	ecx, [edi+10h]
		push	eax		; int
		push	0		; int
		push	[ebp+var_10]	; void *
		mov	[ebp+var_C], eax
		push	esi		; int
		call	_CmpGetSecurityDescriptorNode@24 ; CmpGetSecurityDescriptorNode(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8B10D7
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		push	0
		push	[ebp+var_8]
		mov	edx, [edx]
		push	0
		call	CmpAssignSecurityToKcb
		xor	esi, esi

loc_8B10D7:				; CODE XREF: CmpAssignKeySecurity+FEj
		cmp	[ebp+var_14], 0
		jz	short loc_8B10E8
		mov	eax, [edi+10h]
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_8B10E8:				; CODE XREF: CmpAssignKeySecurity+119j
		xor	edx, edx
		lea	ecx, [ebx+484h]
		call	ExReleasePushLockEx
		push	11h
		xor	edx, edx
		lea	edi, [ebx+24h]
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_8B110D
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8B110D:				; CODE XREF: CmpAssignKeySecurity+142j
		mov	ecx, edi
		call	KeAbPostRelease

loc_8B1114:				; CODE XREF: CmpAssignKeySecurity+8Fj
		lea	ecx, [ebp+var_2C]
		call	CmpUnlockKcbStack
		mov	ebx, [ebp+var_8]

loc_8B111F:				; CODE XREF: CmpAssignKeySecurity+193j
					; CmpAssignKeySecurity+8551Cj
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jnz	short loc_8B1157

loc_8B1126:				; CODE XREF: CmpAssignKeySecurity+19Aj
		test	bl, bl
		jz	short loc_8B112F
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_8B112F:				; CODE XREF: CmpAssignKeySecurity+166j
		cmp	[ebp+var_1], 0
		jz	short loc_8B114B
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_8B114B:				; CODE XREF: CmpAssignKeySecurity+171j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8B1152:				; CODE XREF: CmpAssignKeySecurity+73j
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_8B111F
; 

loc_8B1157:				; CODE XREF: CmpAssignKeySecurity+162j
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_8B1126
CmpAssignKeySecurity endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

DbgkRegisterErrorPort proc near		; CODE XREF: PAGE:007B4141p

var_A0		= dword	ptr -0A0h
var_9C		= word ptr -9Ch
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 00936504 SIZE 0000000A BYTES
; FUNCTION CHUNK AT 00936530 SIZE 00000055 BYTES

		push	90h
		push	offset dword_6A74D8
		call	__SEH_prolog4_GS
		mov	ebx, edx
		mov	[ebp+var_4C], ecx
		xor	esi, esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], esi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_A0]
		rep stosd
		mov	[ebp+var_58], esi
		push	6
		pop	ecx
		lea	edi, [ebp+var_84]
		rep stosd
		push	2Ch		; size_t
		push	esi		; int
		lea	eax, [ebp+var_48]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	ebx, ebx
		jz	loc_93657B
		test	bl, 1
		jnz	loc_93657B
		cmp	ebx, 0FFFFh
		ja	loc_93657B
		push	50676244h
		push	ebx
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	[ebp+var_50], eax
		test	eax, eax
		jz	loc_936504
		mov	word ptr [ebp+var_54+2], bx
		mov	word ptr [ebp+var_54], bx
		mov	edi, esi
		mov	[ebp+ms_exc.disabled], esi
		push	ebx		; size_t
		push	[ebp+var_4C]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8B11FA:				; CODE XREF: sub_93651C+Fj
		test	edi, edi
		js	loc_8B1346
		push	50676244h
		push	0Ch
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_936530
		mov	eax, 0FFFF8000h
		mov	[ebp+var_9C], ax
		push	18h
		pop	eax
		mov	word ptr [ebp+var_A0+2], ax
		mov	[ebp+var_58], eax
		mov	[ebp+var_38], 0A8h
		mov	[ebp+var_30], 1500h
		mov	[ebp+var_48], 100000h
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], esi
		mov	[ebp+var_78], 200h
		mov	[ebp+var_7C], esi
		mov	[ebp+var_74], esi
		mov	[ebp+var_70], esi
		push	esi
		push	esi
		push	esi
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_A0]
		push	eax
		push	esi
		push	20000h
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_84]
		push	eax
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebx+8]
		push	eax
		call	_ZwAlpcConnectPort@44 ;	ZwAlpcConnectPort(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8B1342
		mov	eax, large fs:124h
		mov	[ebp+var_5C], eax
		mov	dword ptr [ebx], 1
		mov	[ebx+4], esi
		mov	eax, [eax+80h]
		mov	[ebp+var_68], eax
		push	eax
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		mov	[ebp+var_64], eax
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		lea	edi, [eax+238h]
		mov	[ebp+var_6C], edi
		mov	eax, [ebp+var_5C]
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+4]
		mov	[ebp+var_4C], eax
		test	eax, eax
		jnz	short loc_8B12FF
		push	[ebp+var_64]
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	short loc_8B12FF
		mov	eax, 0FFDF02F0h
		lock bts dword ptr [eax], 0

loc_8B12FF:				; CODE XREF: DbgkRegisterErrorPort+189j
					; DbgkRegisterErrorPort+195j
		mov	[edi+4], ebx
		mov	eax, [ebp+var_68]
		mov	[edi+8], eax
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_93653A

loc_8B1317:				; CODE XREF: DbgkRegisterErrorPort+853DEj
					; DbgkRegisterErrorPort+853EBj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_5C]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, esi
		mov	ebx, esi
		mov	ecx, [ebp+var_4C]
		test	ecx, ecx
		jnz	loc_93654E

loc_8B1335:				; CODE XREF: DbgkRegisterErrorPort+8540Dj
					; DbgkRegisterErrorPort+85418j
		push	esi
		push	esi
		mov	eax, [ebp+var_6C]
		push	dword ptr [eax+0Ch]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_8B1342:				; CODE XREF: DbgkRegisterErrorPort+133j
		test	ebx, ebx
		jnz	short loc_8B1361

loc_8B1346:				; CODE XREF: DbgkRegisterErrorPort+9Ej
					; DbgkRegisterErrorPort+20Aj ...
		lea	eax, [ebp+var_54]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, edi

loc_8B1351:				; CODE XREF: DbgkRegisterErrorPort+853ABj
					; DbgkRegisterErrorPort+85422j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8B1361:				; CODE XREF: DbgkRegisterErrorPort+1E6j
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8B1346
DbgkRegisterErrorPort endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SleepstudyHelperCreateLibrary proc near	; CODE XREF: SleepstudyHelper_Initialize(x,x)+13p
					; DATA XREF: .data:006B35D8o

var_28		= dword	ptr -28h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00936585 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	edi
		test	ebx, ebx
		jz	loc_936585
		cmp	_SshpInitialized, 0
		jz	loc_93658F
		mov	edx, [ebp+arg_0]
		push	esi
		push	24h
		pop	ecx
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8B1400
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		mov	[esi], edi
		xor	edx, edx
		mov	[esi+4], edi
		mov	ecx, offset _SshpLibraryListLock
		mov	[esi+10h], edi
		mov	[esi+18h], edi
		mov	[esi+20h], edi
		mov	[esi+0Ch], eax
		lea	eax, [esi+14h]
		mov	[esi+8], edi
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+1Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6BEF9C
		mov	ecx, offset _SshpLibraryList
		cmp	[eax], ecx
		jnz	short loc_8B1407
		mov	[esi], ecx
		mov	ecx, offset _SshpLibraryListLock
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6BEF9C, esi
		call	SSHSupportReleasePushLockExclusive
		mov	[ebx], esi

loc_8B13F7:				; CODE XREF: SleepstudyHelperCreateLibrary+9Bj
		pop	esi

loc_8B13F8:				; CODE XREF: SleepstudyHelperCreateLibrary+85220j
					; SleepstudyHelperCreateLibrary+8522Aj
		mov	eax, edi
		pop	edi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_8B1400:				; CODE XREF: SleepstudyHelperCreateLibrary+2Fj
		mov	edi, 0C000009Ah
		jmp	short loc_8B13F7
; 

loc_8B1407:				; CODE XREF: SleepstudyHelperCreateLibrary+72j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

KsepDbCacheInsertDevice:		; CODE XREF: KseQueryDeviceData+CAp
					; KseQueryDeviceDataList(x,x,x,x)+E5p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	9
		xor	eax, eax
		lea	edi, [ebp+var_28]
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		mov	ebx, 0C000000Dh
		mov	ecx, dword_6D4A9C
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		push	esi
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, dword_6D4A9C
		lea	edx, [ebp+var_28]
		call	_KsepCacheLookup@8 ; KsepCacheLookup(x,x)
		test	eax, eax
		jnz	short loc_8B1472
		mov	edx, [ebp+var_4]
		mov	ecx, dword_6D4A9C
		call	KsepCacheInsert
		xor	ebx, ebx

loc_8B1472:				; CODE XREF: SleepstudyHelperCreateLibrary+F6j
		mov	esi, dword_6D4A9C
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_936599

loc_8B1487:				; CODE XREF: SleepstudyHelperCreateLibrary+85231j
					; SleepstudyHelperCreateLibrary+8523Ej
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
SleepstudyHelperCreateLibrary endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl IopCompareReqAlternativePriority(const void *,const void *)
IopCompareReqAlternativePriority proc near ; DATA XREF:	IopRearrangeReqList(x)+4Bo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009365AD SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	ecx, [eax]
		mov	eax, [ebp+arg_4]
		mov	edx, [ecx]
		mov	eax, [eax]
		cmp	edx, [eax]
		jnz	short loc_8B14CA
		mov	edx, [ecx+4]
		cmp	edx, [eax+4]
		jbe	loc_9365AD

loc_8B14C4:				; CODE XREF: IopCompareReqAlternativePriority:loc_8B14CAj
					; IopCompareReqAlternativePriority+85113j
		xor	eax, eax
		inc	eax

loc_8B14C7:				; CODE XREF: IopCompareReqAlternativePriority+2Dj
		pop	esi
		pop	ebp
		retn
; 

loc_8B14CA:				; CODE XREF: IopCompareReqAlternativePriority+14j
		ja	short loc_8B14C4

loc_8B14CC:				; CODE XREF: IopCompareReqAlternativePriority:loc_9365ADj
					; IopCompareReqAlternativePriority+85119j
		or	eax, 0FFFFFFFFh
		jmp	short loc_8B14C7
IopCompareReqAlternativePriority endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpMuiRegGetOrAddLangInfo proc	near	; CODE XREF: RtlpMuiRegAddLanguageByName+89p
					; _RtlpMuiRegValidateInstalled+9825Dp ...

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009365C0 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		test	edi, edi
		jz	short loc_8B1543
		mov	esi, [edi]
		test	esi, esi
		jz	short loc_8B1543
		test	ebx, ebx
		jz	short loc_8B1543
		xor	eax, eax
		cmp	[ebx+4], ax
		jz	loc_9365C0

loc_8B14F8:				; CODE XREF: RtlpMuiRegGetOrAddLangInfo+850F8j
		mov	ecx, esi
		call	RtlpMuiRegGetLangInfoIndex
		movzx	edx, ax
		test	dx, dx
		jns	short loc_8B1530
		mov	ax, [esi+6]
		cmp	ax, [esi+4]
		jnb	loc_9365CF

loc_8B1515:				; CODE XREF: RtlpMuiRegGetOrAddLangInfo+8510Cj
		movzx	eax, word ptr [esi+6]
		mov	edx, eax
		inc	eax
		mov	[esi+6], ax
		movsx	eax, dx
		imul	edi, eax, 1Ch
		push	7
		pop	ecx
		add	edi, [esi+0Ch]
		mov	esi, ebx
		rep movsd

loc_8B1530:				; CODE XREF: RtlpMuiRegGetOrAddLangInfo+33j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_8B153A
		mov	[eax], dx

loc_8B153A:				; CODE XREF: RtlpMuiRegGetOrAddLangInfo+63j
		xor	eax, eax

loc_8B153C:				; CODE XREF: RtlpMuiRegGetOrAddLangInfo+76j
					; RtlpMuiRegGetOrAddLangInfo+85116j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_8B1543:				; CODE XREF: RtlpMuiRegGetOrAddLangInfo+Ej
					; RtlpMuiRegGetOrAddLangInfo+14j ...
		mov	eax, 0C000000Dh
		jmp	short loc_8B153C
RtlpMuiRegGetOrAddLangInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpMuiRegGetLangInfoIndex proc	near	; CODE XREF: RtlpMuiRegGetOrAddLangInfo+28p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009365ED SIZE 000000F0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	[ebp+var_28], esi
		test	edi, edi
		jz	short loc_8B15AF
		test	esi, esi
		jz	short loc_8B15AF
		movzx	ecx, word ptr [esi+4]
		xor	eax, eax
		mov	[ebp+var_C], ecx
		test	cx, cx
		jz	short loc_8B15B7

loc_8B1572:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+73j
		mov	edx, [edi+0Ch]
		mov	eax, esi
		sub	eax, edx
		mov	[ebp+var_10], edx
		push	1Ch
		cdq
		pop	ebx
		idiv	ebx
		test	eax, eax
		jns	loc_9365ED

loc_8B158A:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+850AFj
		movzx	eax, word ptr [edi+6]
		xor	ebx, ebx
		and	[ebp+var_4], ebx
		cdq
		mov	[ebp+var_14], ebx
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], edx
		test	edx, edx
		jb	short loc_8B15AF
		ja	loc_9365FE
		test	eax, eax
		jnz	loc_9365FE

loc_8B15AF:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+14j
					; RtlpMuiRegGetLangInfoIndex+18j ...
		or	eax, 0FFFFFFFFh

loc_8B15B2:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+850A9j
					; RtlpMuiRegGetLangInfoIndex+8518Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8B15B7:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+26j
		cmp	[esi+6], ax
		jl	short loc_8B15AF
		jmp	short loc_8B1572
RtlpMuiRegGetLangInfoIndex endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 438. ExSizeOfRundownProtectionCacheAware

;  S U B	R O U T	I N E 


; __stdcall ExSizeOfRundownProtectionCacheAware()
		public _ExSizeOfRundownProtectionCacheAware@0
_ExSizeOfRundownProtectionCacheAware@0 proc near
		mov	edi, edi
		push	esi
		mov	esi, ds:_KeNumberProcessors
		cmp	esi, 1
		jbe	short loc_8B15E2
		call	_KeGetRecommendedSharedDataAlignment@0 ; KeGetRecommendedSharedDataAlignment()
		lea	ecx, [esi+1]
		imul	eax, ecx

loc_8B15DD:				; CODE XREF: ExSizeOfRundownProtectionCacheAware()+21j
		add	eax, 10h
		pop	esi
		retn
; 

loc_8B15E2:				; CODE XREF: ExSizeOfRundownProtectionCacheAware()+Cj
		push	4
		pop	eax
		jmp	short loc_8B15DD
_ExSizeOfRundownProtectionCacheAware@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpCrimsonProvEnableCallback proc near	; DATA XREF: EtwpInitialize+252o

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 009366DD SIZE 00000102 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_20]
		push	edi
		xor	edi, edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset _EtwpCrimsonMaskMutex
		call	KeWaitForSingleObject
		cmp	esi, 1
		jnz	loc_93670D
		mov	ebx, _EtwpPsProvRegHandle
		mov	esi, edi
		mov	edi, dword_6BC18C
		push	offset _ProcessStart
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	short loc_8B1647
		push	offset _EnableProcessTracingCallbacks
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_8B164A

loc_8B1647:				; CODE XREF: EtwpCrimsonProvEnableCallback+4Dj
		xor	esi, esi
		inc	esi

loc_8B164A:				; CODE XREF: EtwpCrimsonProvEnableCallback+5Dj
		push	offset _ThreadStart
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_9366DD

loc_8B165E:				; CODE XREF: EtwpCrimsonProvEnableCallback+850F8j
		push	offset _ImageLoad
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_9366E5

loc_8B1672:				; CODE XREF: EtwpCrimsonProvEnableCallback+85100j
		push	offset _JobStart
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jnz	loc_9366ED

loc_8B1686:				; CODE XREF: EtwpCrimsonProvEnableCallback+8510Bj
		push	0
		push	180h
		push	0
		push	edi
		mov	[ebp+var_40], esi
		mov	esi, 20002000h
		push	ebx
		mov	[ebp+var_44], 80007h
		mov	[ebp+var_3C], esi
		call	EtwProviderEnabled
		movzx	eax, al
		push	0
		neg	eax
		push	200h
		push	0
		sbb	eax, eax
		and	eax, esi
		mov	esi, 40000002h
		push	edi
		push	ebx
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], esi
		call	EtwProviderEnabled
		movzx	eax, al
		neg	eax
		push	3
		sbb	eax, eax
		and	eax, esi
		cmp	[ebp+arg_4], 2
		mov	[ebp+var_30], eax
		pop	edi
		jz	loc_9366F8

loc_8B16E5:				; CODE XREF: EtwpCrimsonProvEnableCallback+85120j
					; EtwpCrimsonProvEnableCallback+851F2j
		xor	ebx, ebx

loc_8B16E7:				; CODE XREF: EtwpCrimsonProvEnableCallback+13Cj
		mov	edx, [ebp+ebx*8+var_40]
		mov	eax, edx
		mov	esi, [ebp+ebx*8+var_44]
		not	eax
		mov	ecx, ds:_EtwpHostSiloState
		and	esi, eax
		mov	eax, edx
		and	edx, 1FFFFFFFh
		shr	eax, 1Dh
		or	[ecx+eax*4+0A48h], edx
		mov	eax, esi
		shr	eax, 1Dh
		and	esi, 1FFFFFFFh
		not	esi
		and	[ecx+eax*4+0A48h], esi
		inc	ebx
		cmp	ebx, edi
		jb	short loc_8B16E7
		push	0
		push	offset _EtwpCrimsonMaskMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		push	57777445h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		test	eax, eax
		jz	short loc_8B175F
		and	dword ptr [eax], 0
		push	1
		push	eax
		mov	dword ptr [eax+8], offset _EtwpUpdateKernelGroupsWork@4	; EtwpUpdateKernelGroupsWork(x)
		mov	[eax+0Ch], eax
		call	ExQueueWorkItem

loc_8B175F:				; CODE XREF: EtwpCrimsonProvEnableCallback+160j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	24h
EtwpCrimsonProvEnableCallback endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmpUpdatePhaseAccessBit()
_CmpUpdatePhaseAccessBit@0 proc	near	; CODE XREF: CmpAcceptBoot+49p
		cmp	_CmpAccessBitForPhase, 2
		push	esi
		jz	short loc_8B17A3
		mov	_CmpAccessBitForPhase, 2
		xor	ecx, ecx

loc_8B1781:				; CODE XREF: CmpUpdatePhaseAccessBit()+2Dj
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8B179D
		test	byte ptr [esi+64h], 10h
		jnz	short loc_8B1799
		mov	ecx, esi
		call	CmpTrimHive

loc_8B1799:				; CODE XREF: CmpUpdatePhaseAccessBit()+22j
		mov	ecx, esi
		jmp	short loc_8B1781
; 

loc_8B179D:				; CODE XREF: CmpUpdatePhaseAccessBit()+1Cj
		pop	esi
		jmp	CmpUpdateReorganizeRegistryValues
; 

loc_8B17A3:				; CODE XREF: CmpUpdatePhaseAccessBit()+8j
		pop	esi
		retn
_CmpUpdatePhaseAccessBit@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpUpdateReorganizeRegistryValues proc near ; CODE XREF: CmpUpdatePhaseAccessBit()+30j
					; CmpReorganizeHive+184DCAp

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= word ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009367DF SIZE 0000010C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_48]
		stosd
		xor	esi, esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], esi
		stosd
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], esi
		stosd
		stosd
		mov	eax, _CmpReorganizeTotalBytesSaved
		or	eax, dword_6FDE74
		jnz	loc_9367DF

loc_8B17E5:				; CODE XREF: CmpUpdateReorganizeRegistryValues+85040j
					; CmpUpdateReorganizeRegistryValues+85086j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpUpdateReorganizeRegistryValues endp

; 
		align 4

;  S U B	R O U T	I N E 


; int __fastcall PiDqObjectManagerInit(void *)
_PiDqObjectManagerInit@8 proc near	; CODE XREF: PiDqInit()+Bp
					; PiDqInit()+18p ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		push	80h		; size_t
		mov	edi, ecx
		mov	esi, edx
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[edi+80h], esi
		push	edi
		call	ExInitializeResourceLite
		lea	ecx, [edi+38h]
		call	@KeInitializeGuardedMutex@4 ; KeInitializeGuardedMutex(x)
		and	dword ptr [edi+58h], 0
		lea	eax, [edi+68h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+70h]
		mov	dword ptr [edi+60h], offset PiDqObjectManagerServiceActionQueue
		mov	[edi+64h], edi
		pop	edi
		mov	[eax+4], eax
		mov	[eax], eax
		pop	esi
		pop	ecx
		retn
_PiDqObjectManagerInit@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcpWorkItemInitialize(x, x, x, x)
_CmFcpWorkItemInitialize@16 proc near	; CODE XREF: CmFcpInitializeChangeSubscription(x,x,x)+23p
					; CmFcManagerInitialize(x)+9Dp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	esi
		mov	esi, ecx
		mov	[esi+4], eax
		lea	ecx, [esi+10h]
		mov	[esi+10h], eax
		mov	[esi+18h], eax
		mov	[esi+1Ch], eax
		mov	[esi+20h], eax
		mov	dword ptr [esi+8], offset _CmFcpWorkItemWrapper@4 ; CmFcpWorkItemWrapper(x)
		mov	[esi+0Ch], esi
		mov	[esi], eax
		mov	[esi+14h], eax
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	eax, [ebp+arg_0]
		mov	[esi+1Ch], eax
		mov	eax, [ebp+arg_4]
		mov	dword ptr [esi+18h], 4
		mov	[esi+20h], eax
		pop	esi
		pop	ebp
		retn	8
_CmFcpWorkItemInitialize@16 endp


;  S U B	R O U T	I N E 


; __stdcall RtlInitializeSwapReference(x)
_RtlInitializeSwapReference@4 proc near	; CODE XREF: CmFcManagerInitialize(x)+58p
					; CmFcManagerInitialize(x)+73p
		xor	eax, eax
		mov	[ecx], eax
		mov	[ecx+4], eax
		mov	[ecx+8], eax
		retn
_RtlInitializeSwapReference@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PspInitializeQuotaBlock(void *)
PspInitializeQuotaBlock	proc near	; CODE XREF: PspAssignProcessQuotaBlock+18Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009368EB SIZE 00000080 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		xor	esi, esi
		mov	[esp+18h+var_8], edx
		push	240h		; size_t
		push	esi		; int
		push	ebx		; void *
		mov	edi, ecx
		mov	[esp+24h+var_4], esi
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		inc	eax
		mov	[ebx+204h], eax
		mov	[ebx+200h], eax
		test	edi, edi
		jnz	loc_9368EB
		jmp	short loc_8B18FE
; 

loc_8B18DD:				; CODE XREF: PspInitializeQuotaBlock+90j
		cmp	eax, 0FFFFFFFFh
		jnz	loc_936931
		and	dword ptr [edx+40h], 0
		imul	ecx, esi, 1Ch
		add	ecx, offset _PspQuotaExpansionDescriptors
		call	_PspInsertExpansionEntry@8 ; PspInsertExpansionEntry(x,x)

loc_8B18F8:				; CODE XREF: PspInitializeQuotaBlock+74j
					; PspInitializeQuotaBlock+8Ej ...
		inc	esi
		cmp	esi, 4
		jge	short loc_8B192A

loc_8B18FE:				; CODE XREF: PspInitializeQuotaBlock+43j
					; PspInitializeQuotaBlock+85057j
		mov	eax, [esp+18h+var_8]

loc_8B1902:				; CODE XREF: PspInitializeQuotaBlock+8507Bj
		mov	cl, ds:_PspResourceFlags[esi*8]
		test	cl, 2
		jnz	short loc_8B18F8
		mov	edx, esi
		shl	edx, 7
		add	edx, ebx
		test	eax, eax
		jz	loc_936922
		mov	eax, [eax+esi*4]

loc_8B1920:				; CODE XREF: PspInitializeQuotaBlock+85094j
		mov	[edx+40h], eax
		test	cl, 1
		jz	short loc_8B18F8
		jmp	short loc_8B18DD
; 

loc_8B192A:				; CODE XREF: PspInitializeQuotaBlock+64j
		xor	eax, eax

loc_8B192C:				; CODE XREF: PspInitializeQuotaBlock+85085j
					; PspInitializeQuotaBlock+850CEj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
PspInitializeQuotaBlock	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmInitializeHandBuiltProcess proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+104Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0093696B SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, ecx
		push	esi
		push	40h
		mov	edx, 3250694Dh
		mov	ecx, 0F98h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[esp+18h+var_4], eax
		test	eax, eax
		jz	loc_93696B
		push	1
		add	eax, 0A4h
		push	eax
		call	_ExInitializeAutoExpandPushLock@8 ; ExInitializeAutoExpandPushLock(x,x)
		mov	eax, large fs:124h
		mov	edx, [eax+80h]
		mov	[esp+18h+var_8], edx
		lea	ebx, [edx+240h]
		mov	ecx, ebx
		call	_MiGetSharedVm@4 ; MiGetSharedVm(x)
		mov	ecx, [edx+18h]
		mov	[edi+18h], ecx
		mov	ecx, [edx+194h]
		mov	[edi+194h], ecx
		lea	ecx, [edi+420h]
		mov	[edi+134h], esi
		mov	[edi+138h], esi
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	ecx, edi
		push	esi
		mov	[esp+1Ch+var_C], eax
		mov	[edi+41Ch], esi
		call	MiAllocateProcessShadow
		test	eax, eax
		js	loc_8B1A6A
		lea	ecx, [edi+240h]
		call	_MiGetSharedVm@4 ; MiGetSharedVm(x)
		mov	edx, [esp+18h+var_C]
		push	8
		mov	[eax], esi
		mov	[edi+350h], esi
		lea	esi, [edi+240h]
		mov	ecx, [ebx+3Ch]
		mov	[esi+3Ch], ecx
		mov	ecx, [ebx+50h]
		mov	[esi+50h], ecx
		mov	ecx, [edx+1Ch]
		mov	[eax+1Ch], ecx
		mov	ecx, [edx+20h]
		lea	edx, [esi+18h]
		mov	[eax+20h], ecx
		mov	eax, [ebx+40h]
		mov	ecx, [esp+1Ch+var_8]
		mov	[esi+40h], eax
		mov	eax, [ebx+44h]
		mov	[esi+44h], eax
		mov	eax, [ebx+48h]
		mov	[esi+48h], eax
		mov	eax, [ebx+4Ch]
		sub	ebx, esi
		mov	[esi+4Ch], eax
		mov	eax, [ecx+1CCh]
		mov	[edi+1CCh], eax
		mov	eax, [ecx+14Ch]
		mov	[edi+14Ch], eax
		mov	eax, [esp+1Ch+var_4]
		mov	[esi+0Ch], eax
		pop	ecx

loc_8B1A4B:				; CODE XREF: MmInitializeHandBuiltProcess+120j
		mov	eax, [ebx+edx]
		mov	[edx], eax
		lea	edx, [edx+4]
		sub	ecx, 1
		jnz	short loc_8B1A4B
		xor	edx, edx
		mov	ecx, edi
		call	MiInsertNewProcess
		mov	ecx, esi
		call	MiAllowWorkingSetExpansion
		xor	eax, eax

loc_8B1A6A:				; CODE XREF: MmInitializeHandBuiltProcess+97j
					; MmInitializeHandBuiltProcess+8503Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
MmInitializeHandBuiltProcess endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1519. NtDeleteFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtDeleteFile(x)
		public _NtDeleteFile@4
_NtDeleteFile@4	proc near		; DATA XREF: .text:005810B4o

var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_130		= dword	ptr -130h
var_128		= dword	ptr -128h
var_120		= dword	ptr -120h
var_110		= dword	ptr -110h
var_10A		= word ptr -10Ah
var_FC		= dword	ptr -0FCh
var_E2		= byte ptr -0E2h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D4		= dword	ptr -0D4h
var_C4		= dword	ptr -0C4h
var_A8		= dword	ptr -0A8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 140h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+140h+var_4], eax
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esp+144h+var_A8]
		push	edi
		push	0A0h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		mov	edi, 90h
		push	edi		; size_t
		push	0		; int
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+15Ch+var_140], al
		lea	eax, [esp+15Ch+var_138]
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	word ptr [esp+148h+var_138+2], di
		mov	[esp+148h+var_110], 1000h
		lea	edi, [esp+148h+var_D4]
		mov	[esp+148h+var_FC], 1
		mov	[esp+148h+var_E2], 1
		push	8
		pop	eax
		mov	word ptr [esp+148h+var_138], ax
		push	7
		pop	eax
		mov	[esp+148h+var_10A], ax
		lea	eax, [esp+148h+var_A8]
		mov	[esp+148h+var_E0], eax
		xor	eax, eax
		mov	[esp+148h+var_120], esi
		mov	[esp+148h+var_DC], 20h
		stosd
		push	14h
		stosd
		stosd
		stosd
		stosd
		pop	eax
		mov	word ptr [esp+148h+var_D4], ax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		mov	[esp+148h+var_C4], eax
		call	_IopUpdateOtherOperationCount@0	; IopUpdateOtherOperationCount()
		lea	eax, [esp+148h+var_13C]
		push	eax
		push	[esp+14Ch+var_C4]
		lea	eax, [esp+150h+var_138]
		push	eax
		push	10000h
		push	0
		push	[esp+15Ch+var_140]
		push	ds:_IoFileObjectType
		push	esi
		call	ObOpenObjectByNameEx
		lea	ecx, [esp+148h+var_138]
		mov	esi, eax
		call	_IopCleanupExtraCreateParameters@4 ; IopCleanupExtraCreateParameters(x)
		cmp	[esp+148h+var_128], 0BEAA0251h
		mov	eax, esi
		jz	short loc_8B1B8A

loc_8B1B74:				; CODE XREF: NtDeleteFile(x)+118j
		mov	ecx, [esp+148h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_8B1B8A:				; CODE XREF: NtDeleteFile(x)+FCj
		mov	eax, [esp+148h+var_130]
		jmp	short loc_8B1B74
_NtDeleteFile@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

TlgAggregateInternalRegisteredProviderEtwCallback proc near
					; DATA XREF: TlgAggregateAbsorbEvent+12o
					; TlgAggregateFlush(x)o ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 00936975 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_20]
		mov	eax, [esi+0C0h]
		test	eax, eax
		jnz	short loc_8B1BB9

loc_8B1BA3:				; CODE XREF: TlgAggregateInternalRegisteredProviderEtwCallback+49j
		cmp	[ebp+arg_4], 1
		jnz	loc_936975
		mov	ecx, esi
		call	LookUpTableFlushComplete

loc_8B1BB4:				; CODE XREF: TlgAggregateInternalRegisteredProviderEtwCallback+84DE9j
					; TlgAggregateInternalRegisteredProviderEtwCallback+84DF6j
		pop	esi
		pop	ebp
		retn	24h
; 

loc_8B1BB9:				; CODE XREF: TlgAggregateInternalRegisteredProviderEtwCallback+11j
		push	dword ptr [esi+0C4h]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax
		jmp	short loc_8B1BA3
TlgAggregateInternalRegisteredProviderEtwCallback endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LookUpTableFlushComplete proc near	; CODE XREF: TlgAggregateFlush(x)+27j
					; TlgAggregateInternalRegisteredProviderEtwCallback+1Fp ...

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 0093698B SIZE 00000129 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		mov	edx, [ecx+80h]
		mov	[esp+74h+var_74], ecx
		push	ebx
		push	esi
		push	edi
		test	edx, edx
		jnz	loc_93698B

loc_8B1C06:				; CODE XREF: LookUpTableFlushComplete+84ED3j
		mov	ecx, [esp+80h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
LookUpTableFlushComplete endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpTraceLoggingProvEnableCallback proc	near ; DATA XREF: EtwpInitialize+268o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_20		= dword	ptr  28h

; FUNCTION CHUNK AT 00936AB4 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 2
		mov	ecx, [ebp+arg_20]
		jz	loc_936AB4

loc_8B1C2A:				; CODE XREF: EtwpTraceLoggingProvEnableCallback+84EA2j
					; EtwpTraceLoggingProvEnableCallback+84EB3j
		pop	ebp
		retn	24h
EtwpTraceLoggingProvEnableCallback endp


;  S U B	R O U T	I N E 


; __stdcall MiTracingEnabledCallback(x,	x, x, x, x, x, x, x, x)
_MiTracingEnabledCallback@36 proc near	; DATA XREF: MiInitSystem+438o
		retn	24h
_MiTracingEnabledCallback@36 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HeadlessTerminalAddResources proc near	; CODE XREF: IoReportHalResourceUsage+85p
					; IoReportHalResourceUsage+E8p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00936AD0 SIZE 000000C5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, _HeadlessGlobals
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	[ebp+var_8], ecx
		xor	ecx, ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], ecx
		push	edi
		mov	edi, edx
		test	eax, eax
		jnz	loc_936AD0

loc_8B1C5D:				; CODE XREF: HeadlessTerminalAddResources+84EA5j
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	eax, ecx

loc_8B1C64:				; CODE XREF: HeadlessTerminalAddResources+84F5Ej
		mov	[ebx], ecx

loc_8B1C66:				; CODE XREF: HeadlessTerminalAddResources+84F52j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
HeadlessTerminalAddResources endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpIsUnsecureName(x, x)
_ObpIsUnsecureName@8 proc near		; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+12B3p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		cmp	_ObpUnsecureGlobalNamesBuffer, 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		jz	short loc_8B1CC8
		mov	esi, offset _ObpUnsecureGlobalNamesBuffer

loc_8B1C95:				; CODE XREF: ObpIsUnsecureName(x,x)+58j
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edi, [ebp+var_C]
		test	di, di
		jz	short loc_8B1CB8
		push	ebx
		push	[ebp+var_4]
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_8B1CCF

loc_8B1CB8:				; CODE XREF: ObpIsUnsecureName(x,x)+37j
		movzx	eax, di
		add	eax, 2
		shr	eax, 1
		lea	esi, [esi+eax*2]
		test	di, di
		jnz	short loc_8B1C95

loc_8B1CC8:				; CODE XREF: ObpIsUnsecureName(x,x)+20j
		xor	al, al

loc_8B1CCA:				; CODE XREF: ObpIsUnsecureName(x,x)+63j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8B1CCF:				; CODE XREF: ObpIsUnsecureName(x,x)+48j
		mov	al, 1
		jmp	short loc_8B1CCA
_ObpIsUnsecureName@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpLogRefreshTimeZoneInformationSuccess(x, x, x, x,	x)
_ExpLogRefreshTimeZoneInformationSuccess@20 proc near
					; CODE XREF: ExpRefreshTimeZoneInformation(x)+718p

var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_11F		= byte ptr -11Fh
var_11D		= dword	ptr -11Dh
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 158h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	bl, dl
		mov	esi, ecx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		cmp	dword_6B2A90, 5
		mov	ecx, [eax+268h]
		jbe	loc_8B1F32
		mov	eax, [ecx+310h]
		xor	edi, edi
		mov	[ebp+var_124], eax
		lea	eax, [ebp+var_124]
		mov	[ebp+var_FC], eax
		mov	eax, [ecx+1B4h]
		mov	[ebp+var_128], eax
		lea	eax, [ebp+var_128]
		mov	[ebp+var_EC], eax
		mov	eax, [ecx+1B0h]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_12C], eax
		lea	eax, [ebp+var_12C]
		mov	[ebp+var_DC], eax
		mov	al, byte ptr _ExpRealTimeIsUniversal
		mov	byte ptr [ebp+var_11D],	al
		lea	eax, [ebp+var_11D]
		mov	[ebp+var_CC], eax
		lea	eax, [ebp-11Eh]
		and	[ebp+var_C0], 0
		mov	[ebp+var_BC], eax
		mov	eax, [ecx]
		mov	[ebp+var_144], eax
		mov	eax, [ecx+4]
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_140], eax
		lea	eax, [ebp+var_144]
		mov	[ebp+var_AC], eax
		push	4
		mov	eax, [ecx]
		mov	[ebp+var_14C], eax
		mov	eax, [ecx+4]
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_14C]
		pop	edx
		mov	[ebp+var_9C], eax
		mov	eax, [ecx]
		mov	[ebp+var_F4], edx
		mov	[ebp+var_E4], edx
		mov	[ebp+var_D4], edx
		push	8
		pop	edx
		mov	[ebp+var_154], eax
		mov	eax, [ecx+4]
		lea	ecx, [ebp+var_7C]
		mov	[ebp+var_F8], edi
		mov	[ebp+var_F0], edi
		mov	[ebp+var_E8], edi
		mov	[ebp+var_E0], edi
		mov	[ebp+var_D8], edi
		mov	[ebp+var_D0], edi
		mov	[ebp+var_C8], edi
		inc	edi
		mov	[ebp+var_150], eax
		lea	eax, [ebp+var_154]
		mov	[ebp-11Eh], bl
		xor	ebx, ebx
		mov	[ebp+var_A4], edx
		mov	[ebp+var_94], edx
		mov	[ebp+var_84], edx
		lea	edx, [esi+0ACh]
		mov	[ebp+var_C4], edi
		mov	[ebp+var_B8], ebx
		mov	[ebp+var_B4], edi
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], eax
		mov	[ebp+var_88], ebx
		mov	[ebp+var_80], ebx
		call	_tlgCreate1Sz_wchar_t
		mov	al, [esi+1ACh]
		mov	[ebp+var_11F], al
		lea	eax, [ebp+var_11F]
		mov	[ebp+var_6C], eax
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], ebx
		mov	eax, [esi]
		mov	[ebp+var_130], eax
		lea	eax, [ebp+var_130]
		mov	[ebp+var_5C], eax
		mov	eax, [esi+54h]
		mov	[ebp+var_134], eax
		lea	eax, [ebp+var_134]
		mov	[ebp+var_4C], eax
		mov	eax, [esi+0A8h]
		push	4
		pop	ecx
		mov	[ebp+var_138], eax
		lea	eax, [ebp+var_138]
		mov	[ebp+var_3C], eax
		lea	eax, [esi+44h]
		push	10h
		mov	[ebp+var_2C], eax
		lea	eax, [esi+98h]
		mov	[ebp+var_54], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_34], ecx
		pop	ecx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_11D+1]
		push	eax
		push	11h
		push	ebx
		push	ebx
		push	offset loc_4244AB
		push	offset dword_6B2A90
		mov	[ebp+var_58], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_8B1F32:				; CODE XREF: ExpLogRefreshTimeZoneInformationSuccess(x,x,x,x,x)+2Ej
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_ExpLogRefreshTimeZoneInformationSuccess@20 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbTagIDToTagRef proc near		; CODE XREF: SdbGetDatabaseMatchEx+B8p
					; SdbGetDatabaseMatch+AFE41p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00936B95 SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		lea	eax, [ebp+arg_4]
		or	[ebp+arg_4], 0FFFFFFFFh
		xor	esi, esi
		push	eax
		push	ecx
		call	_SdbpFindLocalDatabaseByPDB@16 ; SdbpFindLocalDatabaseByPDB(x,x,x,x)
		test	eax, eax
		jz	loc_936B95
		mov	eax, [ebp+arg_4]
		inc	esi
		shl	eax, 1Ch
		or	eax, [ebp+arg_0]

loc_8B1F70:				; CODE XREF: SdbTagIDToTagRef+84C6Cj
		mov	[edi], eax
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebp
		retn	8
SdbTagIDToTagRef endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpFindLocalDatabaseByPDB(x, x, x,	x)
_SdbpFindLocalDatabaseByPDB@16 proc near ; CODE	XREF: SdbTagIDToTagRef+15p

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+10h]
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_4], eax
		xor	edx, edx
		push	edi
		mov	esi, edx
		lea	edi, [ecx+24h]

loc_8B1F92:				; CODE XREF: SdbpFindLocalDatabaseByPDB(x,x,x,x)+4Aj
		xor	eax, eax
		mov	ecx, esi
		inc	eax
		shl	eax, cl
		test	[ebp+var_4], eax
		jz	short loc_8B1FBD
		test	byte ptr [edi+4], 2
		jz	short loc_8B1FBD
		cmp	ebx, [edi]
		jnz	short loc_8B1FBD
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		inc	edx
		test	ecx, ecx
		jz	short loc_8B1FB4
		mov	[ecx], esi

loc_8B1FB4:				; CODE XREF: SdbpFindLocalDatabaseByPDB(x,x,x,x)+36j
					; SdbpFindLocalDatabaseByPDB(x,x,x,x)+4Cj
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	8
; 

loc_8B1FBD:				; CODE XREF: SdbpFindLocalDatabaseByPDB(x,x,x,x)+22j
					; SdbpFindLocalDatabaseByPDB(x,x,x,x)+28j ...
		inc	esi
		add	edi, 18h
		cmp	esi, 10h
		jb	short loc_8B1F92
		jmp	short loc_8B1FB4
_SdbpFindLocalDatabaseByPDB@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpUuidLoadSequenceNumber(x)
_ExpUuidLoadSequenceNumber@4 proc near	; CODE XREF: ExpAllocateUuids:loc_7DB96Cp

var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 240h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_240]
		rep stosd
		xor	edi, edi
		lea	eax, [ebp+var_218]
		mov	esi, 1FEh
		mov	[ebp+var_228], edi
		push	esi		; size_t
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_224], edi
		mov	[ebp+var_220], edi
		mov	[ebp+var_21C], edi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_218]
		push	edi		; int
		push	esi		; int
		push	eax		; void *
		push	edi		; int
		push	offset ??_C@_1JK@FPNBIBFK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; void *
		push	edi		; int
		push	offset ??_C@_1CA@FGPEOOAL@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi?$AAv?$AAe@NNGAKEGL@	; int
		call	RtlGetPersistedStateLocation
		mov	esi, eax
		test	esi, esi
		js	loc_8B20DC
		lea	eax, [ebp+var_218]
		push	eax
		lea	eax, [ebp+var_228]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_228]
		mov	[ebp+var_240], 18h
		mov	[ebp+var_238], eax
		lea	eax, [ebp+var_240]
		push	eax
		push	80000000h
		lea	eax, [ebp+var_21C]
		mov	[ebp+var_23C], edi
		push	eax
		mov	[ebp+var_234], 240h
		mov	[ebp+var_230], edi
		mov	[ebp+var_22C], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8B20DC
		lea	eax, [ebp+var_220]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		push	offset _ExpUuidSequenceNumberRegName
		push	[ebp+var_21C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8B20DC
		cmp	[ebp+var_14], 4
		jnz	short loc_8B20FF
		cmp	[ebp+var_10], 4
		jnz	short loc_8B20FF
		mov	eax, [ebp+var_C]
		mov	ds:_ExpUuidSequenceNumber, eax

loc_8B20DC:				; CODE XREF: ExpUuidLoadSequenceNumber(x)+72j
					; ExpUuidLoadSequenceNumber(x)+D9j ...
		cmp	[ebp+var_21C], edi
		jz	short loc_8B20EF
		push	[ebp+var_21C]
		call	_ZwClose@4	; ZwClose(x)

loc_8B20EF:				; CODE XREF: ExpUuidLoadSequenceNumber(x)+11Aj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8B20FF:				; CODE XREF: ExpUuidLoadSequenceNumber(x)+104j
					; ExpUuidLoadSequenceNumber(x)+10Aj
		mov	esi, 0C0000001h
		jmp	short loc_8B20DC
_ExpUuidLoadSequenceNumber@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpUuidSaveSequenceNumber(x)
_ExpUuidSaveSequenceNumber@4 proc near	; CODE XREF: ExpUuidSaveSequenceNumberIf():loc_7DB87Ap

var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 230h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ds:_ExpUuidSequenceNumber
		push	esi
		push	edi
		push	6
		mov	[ebp+var_210], eax
		lea	edi, [ebp+var_230]
		pop	ecx
		xor	eax, eax
		mov	esi, 1FEh
		rep stosd
		xor	edi, edi
		lea	eax, [ebp+var_208]
		push	esi		; size_t
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_218], edi
		mov	[ebp+var_214], edi
		mov	[ebp+var_20C], edi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_208]
		push	edi		; int
		push	esi		; int
		push	eax		; void *
		push	edi		; int
		push	offset ??_C@_1JK@FPNBIBFK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; void *
		push	edi		; int
		push	offset ??_C@_1CA@FGPEOOAL@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi?$AAv?$AAe@NNGAKEGL@	; int
		call	RtlGetPersistedStateLocation
		mov	esi, eax
		test	esi, esi
		js	loc_8B2204
		lea	eax, [ebp+var_208]
		push	eax
		lea	eax, [ebp+var_218]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_218]
		mov	[ebp+var_230], 18h
		mov	[ebp+var_228], eax
		lea	eax, [ebp+var_230]
		push	eax
		push	0C0000000h
		lea	eax, [ebp+var_20C]
		mov	[ebp+var_22C], edi
		push	eax
		mov	[ebp+var_224], 240h
		mov	[ebp+var_220], edi
		mov	[ebp+var_21C], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8B2204
		push	4
		lea	eax, [ebp+var_210]
		push	eax
		push	4
		push	edi
		push	offset _ExpUuidSequenceNumberRegName
		push	[ebp+var_20C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax

loc_8B2204:				; CODE XREF: ExpUuidSaveSequenceNumber(x)+77j
					; ExpUuidSaveSequenceNumber(x)+DEj
		cmp	[ebp+var_20C], edi
		jz	short loc_8B2217
		push	[ebp+var_20C]
		call	_ZwClose@4	; ZwClose(x)

loc_8B2217:				; CODE XREF: ExpUuidSaveSequenceNumber(x)+104j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_ExpUuidSaveSequenceNumber@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_RegRtlOpenPredefinedKey proc near	; CODE XREF: _RegRtlOpenKeyTransacted+CFp
					; _RegRtlCreateKeyTransacted+117EF3p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00936BB5 SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		push	esi
		push	edi
		mov	edi, edx
		cmp	ecx, 80000002h
		jnz	short loc_8B226C
		mov	edx, ds:off_403DFC

loc_8B224B:				; CODE XREF: _RegRtlOpenPredefinedKey+5Ej
					; _RegRtlOpenPredefinedKey+66j	...
		push	ebx
		push	edi
		push	2000000h
		push	ebx
		xor	ecx, ecx
		call	_RegRtlOpenKeyTransacted
		mov	esi, eax

loc_8B225C:				; CODE XREF: _RegRtlOpenPredefinedKey+849B5j
					; _RegRtlOpenPredefinedKey+849C8j
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8B226C:				; CODE XREF: _RegRtlOpenPredefinedKey+1Bj
		cmp	ecx, 80000000h
		jz	short loc_8B2288
		cmp	ecx, 80000003h
		jnz	loc_936BB5
		mov	edx, dword ptr ds:loc_403E03+1
		jmp	short loc_8B224B
; 

loc_8B2288:				; CODE XREF: _RegRtlOpenPredefinedKey+4Aj
		mov	edx, ds:off_405020
		jmp	short loc_8B224B
_RegRtlOpenPredefinedKey endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTraceTimeZoneInformationRefresh proc	near
					; CODE XREF: ExpRefreshTimeZoneInformation(x)+1C3p
					; ExpRefreshTimeZoneInformation(x)+72Fp

var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_CF		= dword	ptr -0CFh
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

; FUNCTION CHUNK AT 00936BF5 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_E0], edx
		mov	[ebp+var_DC], ecx
		push	ebx
		push	esi
		push	edi
		sub	eax, 1
		jz	loc_936BFC
		sub	eax, 1
		jnz	loc_936BF5
		mov	al, 44h

loc_8B22CB:				; CODE XREF: EtwTraceTimeZoneInformationRefresh+84967j
					; EtwTraceTimeZoneInformationRefresh+8496Ej
		xor	ebx, ebx
		xor	esi, esi
		push	4
		inc	ebx
		cmp	dword_6B2A40, 5
		pop	edi
		ja	short loc_8B2303

loc_8B22DC:				; CODE XREF: EtwTraceTimeZoneInformationRefresh+12Cj
		mov	ecx, _EtwKernelProvRegHandle
		mov	eax, ecx
		mov	edx, dword_6BC12C
		or	eax, edx
		jnz	loc_8B23C1

loc_8B22F2:				; CODE XREF: EtwTraceTimeZoneInformationRefresh+195j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_8B2303:				; CODE XREF: EtwTraceTimeZoneInformationRefresh+4Aj
		mov	byte ptr [ebp+var_CF+2], al
		lea	eax, [ebp+var_CF+2]
		mov	[ebp+var_8C], eax
		mov	al, byte ptr [ebp+arg_4]
		mov	byte ptr [ebp+var_CF+1], al
		lea	eax, [ebp+var_CF+1]
		mov	[ebp+var_7C], eax
		mov	al, [ebp+arg_8]
		mov	byte ptr [ebp+var_CF], al
		lea	eax, [ebp+var_CF]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_CF+3]
		push	eax
		push	7
		push	esi
		mov	[ebp+var_D4], ecx
		lea	ecx, [ebp+var_D4]
		push	esi
		mov	[ebp+var_AC], ecx
		lea	ecx, [ebp+var_D8]
		push	(offset	loc_42378B+6)
		push	offset dword_6B2A40
		mov	[ebp+var_A8], esi
		mov	[ebp+var_A4], edi
		mov	[ebp+var_A0], esi
		mov	[ebp+var_D8], edx
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_98], esi
		mov	[ebp+var_94], edi
		mov	[ebp+var_90], esi
		mov	[ebp+var_88], esi
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], esi
		mov	[ebp+var_78], esi
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], esi
		mov	[ebp+var_68], esi
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_8B22DC
; 

loc_8B23C1:				; CODE XREF: EtwTraceTimeZoneInformationRefresh+5Cj
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_58], esi
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	5
		push	esi
		push	offset _KernelTimeZoneInformationRefresh
		push	edx
		push	ecx
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_8B22F2
EtwTraceTimeZoneInformationRefresh endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtDeleteWnfStateData(x, x)
_NtDeleteWnfStateData@8	proc near	; DATA XREF: .text:005810A0o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	ExpNtDeleteWnfStateData
		pop	ebp
		retn	8
_NtDeleteWnfStateData@8	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpNtDeleteWnfStateData	proc near	; CODE XREF: NtDeleteWnfStateData(x,x)+Cp

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 00936C03 SIZE 00000163 BYTES
; FUNCTION CHUNK AT 00936D8E SIZE 00000012 BYTES

		push	68h
		push	offset dword_6A74F8
		call	__SEH_prolog4_GS
		mov	[ebp+var_3C], edx
		mov	esi, ecx
		xor	edi, edi
		mov	[ebp+var_5C], edi
		mov	[ebp+var_58], edi
		mov	[ebp+var_60], edi
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_35], al
		mov	byte ptr [ebp+var_34], al
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], edi
		mov	ebx, edi
		mov	[ebp+var_54], ebx
		mov	[ebp+var_78], edi
		mov	[ebp+var_74], edi
		mov	[ebp+ms_exc.disabled], edi
		mov	edi, [ebp+var_34]
		push	edi
		lea	edx, [ebp+var_5C]
		mov	ecx, esi
		call	ExpCaptureWnfStateName
		mov	esi, eax
		mov	[ebp+var_68], esi
		test	esi, esi
		js	loc_936C03
		mov	edi, [ebp+var_5C]
		mov	ecx, edi
		mov	ebx, [ebp+var_58]
		mov	eax, ebx
		shrd	ecx, eax, 4
		and	ecx, 3
		mov	[ebp+var_50], ecx
		mov	[ebp+var_6C], ecx
		mov	ecx, edi
		shrd	ecx, eax, 6
		and	ecx, 0Fh
		mov	[ebp+var_30], ecx
		mov	[ebp+var_54], ecx
		lea	eax, [ebp+var_78]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		push	[ebp+var_34]
		mov	edx, [ebp+var_3C]
		call	_ExpWnfCaptureScopeInstanceId@20 ; ExpWnfCaptureScopeInstanceId(x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_68], esi
		test	esi, esi
		js	loc_936C0F
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, [ebp+var_35]
		test	al, al
		jz	loc_936C1B
		and	[ebp+var_4C], 0
		cmp	[ebp+var_3C], 0
		jnz	loc_936C27

loc_8B250B:				; CODE XREF: ExpNtDeleteWnfStateData+847E2j
					; ExpNtDeleteWnfStateData+847FBj
		test	al, al
		jz	loc_936C40
		mov	ecx, large fs:124h
		mov	[ebp+var_64], ecx
		mov	eax, [ecx+80h]
		mov	[ebp+var_3C], eax
		mov	ebx, [ebp+var_58]
		mov	edi, [ebp+var_5C]
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+var_54]
		mov	[ebp+var_30], eax

loc_8B2538:				; CODE XREF: ExpNtDeleteWnfStateData+84810j
		cmp	eax, 5
		jz	loc_936C55

loc_8B2541:				; CODE XREF: ExpNtDeleteWnfStateData+84851j
		push	[ebp+var_60]	; void *
		push	eax		; int
		push	[ebp+var_64]	; int
		mov	edx, [ebp+var_3C]
		lea	ecx, [ebp+var_44]
		call	ExpWnfResolveScopeInstance
		mov	esi, eax
		test	esi, esi
		js	short loc_8B25C1
		push	ebx
		push	edi
		lea	edx, [ebp+var_40]
		mov	ecx, [ebp+var_44]
		call	_ExpWnfLookupNameInstance@16 ; ExpWnfLookupNameInstance(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_936C96

loc_8B2574:				; CODE XREF: ExpNtDeleteWnfStateData+8485Aj
		test	esi, esi
		js	short loc_8B25C1
		cmp	[ebp+var_4C], 0
		jnz	short loc_8B2592
		push	2
		pop	edx
		mov	ecx, [ebp+var_40]
		mov	ecx, [ecx+2Ch]
		call	_ExpWnfCheckCallerAccess@8 ; ExpWnfCheckCallerAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8B25C1

loc_8B2592:				; CODE XREF: ExpNtDeleteWnfStateData+13Cj
		cmp	[ebp+var_50], 3
		jz	loc_936D00

loc_8B259C:				; CODE XREF: ExpNtDeleteWnfStateData+848C9j
		mov	ecx, edi
		mov	eax, ebx
		shrd	ecx, eax, 0Ah
		test	cl, 1
		jnz	loc_936D19

loc_8B25AD:				; CODE XREF: ExpNtDeleteWnfStateData+848EBj
					; ExpNtDeleteWnfStateData+848F9j
		mov	ecx, [ebp+var_40]
		call	_ExpWnfDeleteStateData@4 ; ExpWnfDeleteStateData(x)
		cmp	[ebp+var_30], 5
		jz	loc_936D3E

loc_8B25BF:				; CODE XREF: ExpNtDeleteWnfStateData+8489Dj
					; ExpNtDeleteWnfStateData+848BBj ...
		xor	esi, esi

loc_8B25C1:				; CODE XREF: ExpNtDeleteWnfStateData+117j
					; ExpNtDeleteWnfStateData+136j	...
		mov	ebx, [ebp+var_30]

loc_8B25C4:				; CODE XREF: sub_936D76+13j
		mov	edi, [ebp+var_34]

loc_8B25C7:				; CODE XREF: ExpNtDeleteWnfStateData+847CAj
		mov	ecx, [ebp+var_40]
		test	ecx, ecx
		jz	short loc_8B25D6
		add	ecx, 4
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_8B25D6:				; CODE XREF: ExpNtDeleteWnfStateData+18Cj
		mov	ecx, [ebp+var_44]
		test	ecx, ecx
		jz	short loc_8B25E5
		add	ecx, 4
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_8B25E5:				; CODE XREF: ExpNtDeleteWnfStateData+19Bj
		cmp	[ebp+var_48], 0
		jnz	loc_936D8E

loc_8B25EF:				; CODE XREF: ExpNtDeleteWnfStateData+8495Bj
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	edi
		lea	edx, [ebp+var_78]
		mov	ecx, ebx
		call	_ExpWnfReleaseCapturedScopeInstanceId@12 ; ExpWnfReleaseCapturedScopeInstanceId(x,x,x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
ExpNtDeleteWnfStateData	endp

; 
		align 8
; Exported entry 485. FsRtlBalanceReads

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public FsRtlBalanceReads
FsRtlBalanceReads proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00936DA0 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+20h+var_10]
		stosd
		xor	esi, esi
		push	esi
		push	esi
		mov	[esp+28h+var_18], esi
		stosd
		mov	[esp+28h+var_14], esi
		stosd
		stosd
		lea	eax, [esp+28h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+20h+var_18]
		push	eax
		lea	eax, [esp+24h+var_10]
		push	eax
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	[ebp+arg_0]
		push	(offset	loc_660013+8)
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_8B2682
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		call	IofCallDriver
		cmp	eax, 103h
		jz	loc_936DA0

loc_8B267A:				; CODE XREF: FsRtlBalanceReads+6Fj
					; FsRtlBalanceReads+8479Aj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_8B2682:				; CODE XREF: FsRtlBalanceReads+4Bj
		mov	eax, 0C000009Ah
		jmp	short loc_8B267A
FsRtlBalanceReads endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1626. ObIsDosDeviceLocallyMapped

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObIsDosDeviceLocallyMapped(x, x)
		public _ObIsDosDeviceLocallyMapped@8
_ObIsDosDeviceLocallyMapped@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [ebx-1]
		cmp	eax, 19h
		ja	short loc_8B26ED
		push	esi
		push	edi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, large fs:124h
		mov	edi, eax
		dec	word ptr [ecx+13Eh]
		nop
		xor	edx, edx
		lea	ecx, [edi+70h]
		call	ExAcquirePushLockSharedEx
		cmp	dword ptr [edi+ebx*4+4], 0
		lea	ecx, [edi+70h]
		mov	eax, [ebp+arg_4]
		setnz	dl
		mov	[eax], dl
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		xor	eax, eax
		pop	esi

loc_8B26E8:				; CODE XREF: ObIsDosDeviceLocallyMapped(x,x)+64j
		pop	ebx
		pop	ebp
		retn	8
; 

loc_8B26ED:				; CODE XREF: ObIsDosDeviceLocallyMapped(x,x)+Fj
		mov	eax, 0C000000Dh
		jmp	short loc_8B26E8
_ObIsDosDeviceLocallyMapped@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1707. PoGetThermalRequestSupport

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoGetThermalRequestSupport(x, x)
		public _PoGetThermalRequestSupport@8
_PoGetThermalRequestSupport@8 proc near	; CODE XREF: PoSetThermalActiveCooling(x,x)+Cp
					; PoSetThermalPassiveCooling(x,x)+Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	edx, [eax+10h]
		xor	eax, eax
		sub	ecx, eax
		jz	short loc_8B271D
		sub	ecx, 1
		jnz	short loc_8B2719
		cmp	[edx+40h], eax

loc_8B2716:				; CODE XREF: PoGetThermalRequestSupport(x,x)+26j
		setnz	al

loc_8B2719:				; CODE XREF: PoGetThermalRequestSupport(x,x)+17j
		pop	ebp
		retn	8
; 

loc_8B271D:				; CODE XREF: PoGetThermalRequestSupport(x,x)+12j
		cmp	[edx+44h], eax
		jmp	short loc_8B2716
_PoGetThermalRequestSupport@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpVolumeContextCreate proc near	; CODE XREF: CmpVolumeManagerGetContextForFile+FFp
					; CmpVolumeManagerGetContextForFile+1848D0p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00936DB7 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	2Ch
		mov	edi, edx
		mov	ebx, ecx
		mov	edx, 39384D43h
		pop	ecx
		call	_CmSiAllocateMemory@8 ;	CmSiAllocateMemory(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8B277F
		push	2Ch		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [esi+0Ch], 1
		mov	edx, ebx
		mov	ecx, esi
		push	edi
		call	CmpVolumeContextStart
		mov	edi, eax
		test	edi, edi
		js	short loc_8B276E
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	esi, esi
		xor	edi, edi

loc_8B276E:				; CODE XREF: CmpVolumeContextCreate+41j
		test	esi, esi
		jnz	loc_936DB7

loc_8B2776:				; CODE XREF: CmpVolumeContextCreate+62j
					; CmpVolumeContextCreate+846A3j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_8B277F:				; CODE XREF: CmpVolumeContextCreate+1Dj
		mov	edi, 0C000009Ah
		jmp	short loc_8B2776
CmpVolumeContextCreate endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpVolumeContextStart proc near		; CODE XREF: CmpVolumeContextCreate+38p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00936DCA SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, ecx
		lea	edi, [ebp+var_30]
		pop	ecx
		xor	eax, eax
		mov	esi, edx
		xor	edx, edx
		rep stosd
		push	edx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], edx
		push	eax
		mov	[ebp+var_C], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], edx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edi, [ebp+arg_0]
		lea	eax, [ebx+10h]
		mov	[ebx+8], esi
		test	edi, edi
		jz	loc_936DCA
		push	eax
		push	edi
		call	_IoVolumeDeviceToGuid@8	; IoVolumeDeviceToGuid(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8B2883
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	IoVolumeDeviceToGuidPath
		mov	esi, eax
		xor	edi, edi
		test	esi, esi
		js	short loc_8B285D
		push	edi
		push	edi
		push	40h
		push	1
		push	7
		push	edi
		lea	eax, [ebp+var_10]
		mov	[ebp+var_30], 18h
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_18]
		push	edi
		push	eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_2C], edi
		push	eax
		push	180h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_24], 200h
		push	eax
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8B285D
		mov	eax, _CmIoFileObjectType
		lea	ecx, [ebp+arg_0]
		push	edi
		push	ecx
		push	edi
		mov	eax, [eax]
		push	eax
		push	180h
		push	[ebp+var_8]
		mov	[ebp+arg_0], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+arg_0]
		mov	[ebx+20h], eax

loc_8B2857:				; CODE XREF: CmpVolumeContextStart+8464Fj
		test	esi, esi
		js	short loc_8B285D
		mov	esi, edi

loc_8B285D:				; CODE XREF: CmpVolumeContextStart+66j
					; CmpVolumeContextStart+A9j ...
		cmp	[ebp+var_8], 0
		jz	short loc_8B286B
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_8B286B:				; CODE XREF: CmpVolumeContextStart+DBj
		cmp	[ebp+var_C], 0
		jz	short loc_8B287A
		push	edi
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8B287A:				; CODE XREF: CmpVolumeContextStart+E9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8B2883:				; CODE XREF: CmpVolumeContextStart+50j
		xor	edi, edi
		jmp	short loc_8B285D
CmpVolumeContextStart endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 274. DbgkLkmdRegisterCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public DbgkLkmdRegisterCallback
DbgkLkmdRegisterCallback proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00936DDA SIZE 00000044 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		and	eax, 3
		cmp	al, 3
		jz	short loc_8B28FA
		push	ebx
		push	esi
		push	edi
		mov	edi, offset unk_6D6C80
		xor	ebx, ebx
		mov	esi, edi

loc_8B28A7:				; CODE XREF: DbgkLkmdRegisterCallback+33j
		mov	ecx, esi
		call	ExReferenceCallBackBlock
		test	eax, eax
		jnz	loc_936DDA

loc_8B28B6:				; CODE XREF: DbgkLkmdRegisterCallback+8455Fj
		add	ebx, 8
		add	esi, 8
		cmp	ebx, 40h
		jb	short loc_8B28A7
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_ExAllocateCallBack@8 ;	ExAllocateCallBack(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8B2901
		xor	esi, esi

loc_8B28D4:				; CODE XREF: DbgkLkmdRegisterCallback+8457Aj
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	ExCompareExchangeCallBack
		test	al, al
		jz	loc_936DFF
		mov	eax, [ebp+arg_8]
		mov	dword_6D6C84[esi*8], eax
		xor	eax, eax

loc_8B28F3:				; CODE XREF: DbgkLkmdRegisterCallback+7Aj
					; DbgkLkmdRegisterCallback+8456Ej ...
		pop	edi
		pop	esi
		pop	ebx

loc_8B28F6:				; CODE XREF: DbgkLkmdRegisterCallback+73j
		pop	ebp
		retn	0Ch
; 

loc_8B28FA:				; CODE XREF: DbgkLkmdRegisterCallback+Dj
		mov	eax, 0C000000Dh
		jmp	short loc_8B28F6
; 

loc_8B2901:				; CODE XREF: DbgkLkmdRegisterCallback+44j
		mov	eax, 0C0000017h
		jmp	short loc_8B28F3
DbgkLkmdRegisterCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SdbTagRefToTagID proc near		; CODE XREF: KsepDbCacheReadDeviceInternal+4Cp
					; KsepDbGetDriverShimsInternal+AFC27p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00936E1E SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_2C], eax
		mov	eax, edx
		and	eax, 0FFFFFFFh
		shr	edx, 1Ch
		push	ebx
		mov	[ebp+var_24], eax
		xor	ebx, ebx
		imul	eax, edx, 18h
		inc	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1C], edx
		xor	ecx, ecx
		mov	[ebp+var_20], esi
		push	edi
		add	eax, esi
		mov	[ebp+var_18], ecx
		mov	edx, [eax+28h]
		test	dl, 2
		jz	loc_936E1E
		mov	ecx, [eax+24h]
		lea	esi, [eax+14h]
		lea	edi, [ecx+14h]
		movsd
		movsd
		movsd
		movsd

loc_8B2964:				; CODE XREF: SdbTagRefToTagID+84545j
		test	ecx, ecx
		jz	short loc_8B2994

loc_8B2968:				; CODE XREF: SdbTagRefToTagID+8Ej
		test	ebx, ebx
		jz	short loc_8B2998
		mov	eax, [ebp+var_24]

loc_8B296F:				; CODE XREF: SdbTagRefToTagID+94j
		mov	edx, [ebp+var_28]
		test	edx, edx
		jz	short loc_8B2978
		mov	[edx], ecx

loc_8B2978:				; CODE XREF: SdbTagRefToTagID+6Cj
		mov	ecx, [ebp+var_2C]
		test	ecx, ecx
		jz	short loc_8B2981
		mov	[ecx], eax

loc_8B2981:				; CODE XREF: SdbTagRefToTagID+75j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_8B2994:				; CODE XREF: SdbTagRefToTagID+5Ej
					; SdbTagRefToTagID+84519j
		xor	ebx, ebx
		jmp	short loc_8B2968
; 

loc_8B2998:				; CODE XREF: SdbTagRefToTagID+62j
		xor	ecx, ecx
		xor	eax, eax
		jmp	short loc_8B296F
SdbTagRefToTagID endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiRemoveDeferredSetInterfaceState proc near
					; CODE XREF: IopProcessSetInterfaceState:loc_859CA9p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00936E52 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		lea	eax, [ecx+188h]
		mov	[ebp+var_8], edx
		push	esi
		mov	esi, [eax]
		mov	ebx, 0C0000001h
		mov	[ebp+var_4], eax
		cmp	esi, eax
		jnz	short loc_8B29C4

loc_8B29BE:				; CODE XREF: PiRemoveDeferredSetInterfaceState+48j
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_8B29C4:				; CODE XREF: PiRemoveDeferredSetInterfaceState+1Ej
		push	edi

loc_8B29C5:				; CODE XREF: PiRemoveDeferredSetInterfaceState+45j
		mov	edi, [esi]
		lea	eax, [esi+8]
		push	1
		push	edx
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_936E52
		mov	edx, [ebp+var_8]
		mov	esi, edi
		cmp	esi, [ebp+var_4]
		jnz	short loc_8B29C5

loc_8B29E5:				; CODE XREF: PiRemoveDeferredSetInterfaceState+844D7j
		pop	edi
		jmp	short loc_8B29BE
PiRemoveDeferredSetInterfaceState endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PerfDiagpUpdatePerfDiagLoggerEnableFlags(x,	x)
_PerfDiagpUpdatePerfDiagLoggerEnableFlags@8 proc near
					; CODE XREF: PerfDiagpProxyWorker:loc_7DFDE1p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [ebp+var_34]
		push	30h		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	esi, edx
		mov	[ebp+var_38], ebx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_70]
		push	38h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_68], esi
		lea	eax, [ebp+var_34]
		mov	[ebp+var_6C], 20h
		mov	[ebp+var_64], eax
		mov	edx, offset ??_C@_1FC@PKMDBHLJ@?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt?$AAi?$AAc?$AAs?$AA?2?$AAP?$AAe?$AAr@NNGAKEGL@
		lea	eax, [ebp+var_70]
		mov	[ebp+var_34], 30h
		push	3
		pop	esi
		push	1
		push	ecx
		push	ebx
		push	eax
		push	2
		pop	ecx
		mov	[ebp+var_60], esi
		call	RtlpQueryRegistryValues
		test	eax, eax
		js	short loc_8B2A9C
		cmp	[ebp+var_30], esi
		jnz	short loc_8B2AAA
		mov	esi, [ebp+var_34]
		cmp	esi, 28h
		ja	short loc_8B2AB1
		push	esi		; size_t
		lea	eax, [ebp+var_2C]
		push	eax		; void *
		push	offset unk_6BC800 ; void *
		call	_memcpy
		add	esp, 0Ch
		shr	esi, 2
		xor	ecx, ecx
		mov	edx, esi
		inc	ecx
		call	_PerfDiagpInitializeLoggerInfo@8 ; PerfDiagpInitializeLoggerInfo(x,x)
		lea	eax, [ebp+var_38]
		mov	ecx, offset dword_6BC748
		push	eax		; int
		mov	eax, dword_6BC748
		push	eax		; int
		push	ecx		; void *
		push	eax		; int
		push	ecx		; void *
		push	4		; int
		call	_NtTraceControl@24 ; NtTraceControl(x,x,x,x,x,x)

loc_8B2A9C:				; CODE XREF: PerfDiagpUpdatePerfDiagLoggerEnableFlags(x,x)+6Dj
					; PerfDiagpUpdatePerfDiagLoggerEnableFlags(x,x)+C7j ...
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8B2AAA:				; CODE XREF: PerfDiagpUpdatePerfDiagLoggerEnableFlags(x,x)+72j
		mov	eax, 0C000000Dh
		jmp	short loc_8B2A9C
; 

loc_8B2AB1:				; CODE XREF: PerfDiagpUpdatePerfDiagLoggerEnableFlags(x,x)+7Aj
		mov	eax, 0C0000023h
		jmp	short loc_8B2A9C
_PerfDiagpUpdatePerfDiagLoggerEnableFlags@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmProcessConfigRequest proc near	; CODE XREF: SmSetStoreInformation+9Ep

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_54		= dword	ptr -54h
var_50		= word ptr -50h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00936E89 SIZE 00000090 BYTES
; FUNCTION CHUNK AT 00936F34 SIZE 0000012C BYTES

		push	1Ch
		push	offset dword_6A7518
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		cmp	edx, 8
		jnz	loc_936E7F
		mov	[ebp+ms_exc.disabled], ebx
		cmp	[ebp+arg_0], bl
		jz	short loc_8B2AFD
		test	cl, 3
		jnz	loc_8B2C07
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	loc_936E89

loc_8B2AF3:				; CODE XREF: SmProcessConfigRequest+843D3j
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+4]
		mov	[ecx+4], al

loc_8B2AFD:				; CODE XREF: SmProcessConfigRequest+23j
		mov	eax, [ecx]
		mov	[ebp+var_28], eax
		mov	ecx, [ecx+4]
		mov	[ebp+var_24], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	al, 4
		jnz	loc_936E90
		test	eax, 0FFFF00h
		jnz	loc_936F12
		shr	eax, 18h
		cmp	eax, 3
		jnb	loc_936F12
		sub	eax, ebx
		jnz	loc_936E9A
		cmp	ecx, 100h
		jnb	loc_936F12
		mov	esi, ecx
		shr	esi, 2
		mov	eax, esi
		and	eax, 3
		cmp	eax, 3
		jnb	loc_936F12
		and	ecx, 30h
		cmp	ecx, 30h
		jnb	loc_936F12
		cmp	eax, 2
		jz	loc_936ED0
		cmp	ecx, 20h
		jz	loc_936ED0

loc_8B2B73:				; CODE XREF: SmProcessConfigRequest+8442Ej
		mov	eax, ds:dword_718474
		mov	edx, [ebp+var_24]
		mov	ecx, edx
		and	ecx, 3
		shl	ecx, 4
		and	esi, 0Fh
		or	ecx, esi
		and	eax, 0FFFFFF00h
		or	ecx, eax
		and	edx, 0C0h
		or	ecx, edx
		mov	ds:dword_718474, ecx
		test	cl, 3
		jz	loc_936F34
		mov	[ebp+var_1C], ebx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	esi, offset unk_718494
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		or	eax, 0FFFFFFFFh
		cmp	ds:dword_718490, eax
		jnz	loc_936EF3
		mov	eax, dword_6D3018
		mov	eax, [eax]
		mov	edx, [eax+0F48h]
		lea	eax, [ebp+var_1C]
		push	eax
		push	ebx
		shr	edx, 9
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	_SmpDirtyStoreCreate@16	; SmpDirtyStoreCreate(x,x,x,x)
		test	eax, eax
		js	short loc_8B2BFF
		mov	eax, [ebp+var_1C]
		mov	ds:dword_718490, eax

loc_8B2BFF:				; CODE XREF: SmProcessConfigRequest+13Dj
		or	eax, 0FFFFFFFFh
		jmp	loc_936EF3
; 

loc_8B2C07:				; CODE XREF: SmProcessConfigRequest+28j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

PopMonitorProcessLoop:			; CODE XREF: PopMonitorAlpcCallback(x,x,x)p
					; PopUmpoInitializeMonitorChannel+10Bp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+9Ch+var_34], eax
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+0A8h+var_98]
		push	2Ch		; size_t
		rep stosd
		xor	esi, esi
		lea	eax, [esp+0ACh+var_80]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+0A8h+var_9C]
		push	20h
		pop	ebx
		push	esi
		push	esi
		push	eax
		lea	eax, [esp+0B4h+var_54]
		mov	[esp+0B4h+var_9C], ebx
		push	eax
		push	esi
		push	esi
		push	esi
		push	_PopAlpcMonitorServerPort
		call	_ZwAlpcSendWaitReceivePort@32 ;	ZwAlpcSendWaitReceivePort(x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	loc_936F48

loc_8B2C6B:				; CODE XREF: SmProcessConfigRequest+845A3j
		mov	ecx, [esp+0A8h+var_34]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
SmProcessConfigRequest endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopThermalHandlePreviousShutdown proc near ; CODE XREF:	PoInitSystem+802p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00937060 SIZE 000001B4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		lea	edx, [ebp+var_68]
		push	esi
		push	edi
		xor	cl, cl
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_78], ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_6C], ebx
		call	PopOpenThermalLoggingKey
		test	eax, eax
		js	short loc_8B2D2F
		push	offset _PopThermalShutdownOccurredName
		lea	eax, [ebp+var_88]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	(offset	loc_408B0F+1)
		lea	eax, [ebp+var_78]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _PopThermalShutdownTemperatureName
		lea	eax, [ebp+var_80]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		lea	edi, [ebp+var_5C]
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_64]
		mov	edi, [ebp+var_68]
		push	eax
		push	14h
		lea	eax, [ebp+var_5C]
		push	eax
		push	2
		lea	eax, [ebp+var_88]
		push	eax
		push	edi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_937060

loc_8B2D25:				; CODE XREF: PopThermalHandlePreviousShutdown+843E8j
					; PopThermalHandlePreviousShutdown+843F1j ...
		test	edi, edi
		jz	short loc_8B2D2F
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_8B2D2F:				; CODE XREF: PopThermalHandlePreviousShutdown+4Aj
					; PopThermalHandlePreviousShutdown+A9j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopThermalHandlePreviousShutdown endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpRealtimeUpdateReferenceTime(x, x)
_EtwpRealtimeUpdateReferenceTime@8 proc	near ; CODE XREF: EtwpRealtimeCreateLogfile+1D5p
					; EtwpRealtimeResetReferenceTime(x)+21p

var_48		= dword	ptr -48h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		push	48h		; size_t
		lea	eax, [ebp+var_48]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		lea	edx, [ebp+var_48]
		mov	ecx, ebx
		call	EtwpInitializeBufferHeader
		push	3
		pop	edi
		mov	eax, 0FEFFh
		lea	ecx, [ebp+var_48]
		and	[ebp+var_14], ax
		mov	edx, edi
		call	@EtwpResetBufferHeader@8 ; EtwpResetBufferHeader(x,x)
		mov	[ebp+var_1C], edi
		lea	edx, [ebp+var_48]
		xor	eax, eax
		mov	[ebp+var_18], 48h
		inc	eax
		lea	edi, [ebp+var_10]
		cmp	dword ptr [ebx+148h], 0
		mov	ecx, ebx
		mov	[ebp+var_14], ax
		movsd
		movsd
		movsd
		movsd
		jbe	short loc_8B2DAD
		call	EtwpRealtimeSaveBuffer

loc_8B2DA8:				; CODE XREF: EtwpRealtimeUpdateReferenceTime(x,x)+74j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8B2DAD:				; CODE XREF: EtwpRealtimeUpdateReferenceTime(x,x)+63j
		call	EtwpRealtimeDeliverBuffer
		jmp	short loc_8B2DA8
_EtwpRealtimeUpdateReferenceTime@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SmProcessRegistrationRequest proc near	; CODE XREF: SmQueryStoreInformation+EAp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 00937214 SIZE 0000000A BYTES

		push	18h
		push	offset dword_6A7538
		call	__SEH_prolog4
		mov	ebx, ecx
		xor	eax, eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		cmp	edx, 8
		jnz	loc_937214
		mov	[ebp+ms_exc.disabled], eax
		mov	cl, [ebp+arg_4]
		test	cl, cl
		jz	short loc_8B2DF5
		test	bl, 3
		jnz	short loc_8B2E53
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jnb	short loc_8B2E58

loc_8B2DEB:				; CODE XREF: SmProcessRegistrationRequest+A7j
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+4]
		mov	[ebx+4], al

loc_8B2DF5:				; CODE XREF: SmProcessRegistrationRequest+27j
		mov	edx, [ebx]
		mov	[ebp+var_28], edx
		mov	eax, [ebx+4]
		mov	[ebp+var_24], eax
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		cmp	dl, 2
		jnz	short loc_8B2E5D
		test	edx, 0FFFFFF00h
		jnz	short loc_8B2E5D
		lea	edx, [ebp+var_28]
		call	SmGetRegistrationInfo
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_8B2E3F
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_28]
		mov	[ebx], eax
		mov	eax, [ebp+var_24]
		mov	[ebx+4], eax
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 8

loc_8B2E3F:				; CODE XREF: SmProcessRegistrationRequest+6Bj
					; SmProcessRegistrationRequest+AEj ...
		mov	eax, ecx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8B2E53:				; CODE XREF: SmProcessRegistrationRequest+2Cj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_8B2E58:				; CODE XREF: SmProcessRegistrationRequest+35j
		mov	byte ptr [eax],	0
		jmp	short loc_8B2DEB
; 

loc_8B2E5D:				; CODE XREF: SmProcessRegistrationRequest+55j
					; SmProcessRegistrationRequest+5Dj
		mov	ecx, 0C000000Dh
		jmp	short loc_8B2E3F
SmProcessRegistrationRequest endp


;  S U B	R O U T	I N E 


SmGetRegistrationInfo proc near		; CODE XREF: SmProcessRegistrationRequest+62p

; FUNCTION CHUNK AT 008B2E99 SIZE 0000002C BYTES
; FUNCTION CHUNK AT 00937251 SIZE 0000003C BYTES

		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, edx
		mov	bl, cl
		nop
		xor	edx, edx
		mov	ecx, offset unk_718464
		call	ExAcquirePushLockExclusiveEx
		test	byte ptr ds:dword_718450, 8
		jz	loc_937251
		xor	esi, esi
		jmp	loc_937268
SmGetRegistrationInfo endp

; 
; START	OF FUNCTION CHUNK FOR SmGetRegistrationInfo

loc_8B2E99:				; CODE XREF: SmGetRegistrationInfo+84414j
					; SmGetRegistrationInfo+84424j
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	esi, esi
		js	short loc_8B2EBF
		lea	eax, [edi+4]
		mov	dl, bl
		push	eax
		mov	ecx, offset dword_7185B0
		call	_SmRegistrationInfoFill@12 ; SmRegistrationInfoFill(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8B2EBF
		xor	esi, esi

loc_8B2EBF:				; CODE XREF: SmGetRegistrationInfo+41j
					; SmGetRegistrationInfo+57j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; END OF FUNCTION CHUNK	FOR SmGetRegistrationInfo
; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmRegistrationInfoFill(x, x, x)
_SmRegistrationInfoFill@12 proc	near	; CODE XREF: SmGetRegistrationInfo+4Ep

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		mov	ebx, edx
		push	eax
		push	ebx
		push	ds:_ExEventObjectType
		xor	esi, esi
		push	1F0003h
		push	esi
		push	esi
		push	dword ptr [ecx]
		mov	[ebp+var_4], esi
		call	ObOpenObjectByPointer
		mov	edi, eax
		test	edi, edi
		js	short loc_8B2F0C
		mov	eax, [ebp+arg_0]
		mov	edi, esi
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx

loc_8B2EFF:				; CODE XREF: SmRegistrationInfoFill(x,x,x)+49j
		test	esi, esi
		jnz	short loc_8B2F11

loc_8B2F03:				; CODE XREF: SmRegistrationInfoFill(x,x,x)+52j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8B2F0C:				; CODE XREF: SmRegistrationInfoFill(x,x,x)+2Dj
		mov	esi, [ebp+var_4]
		jmp	short loc_8B2EFF
; 

loc_8B2F11:				; CODE XREF: SmRegistrationInfoFill(x,x,x)+3Bj
		push	ebx
		push	esi
		call	ObCloseHandle
		jmp	short loc_8B2F03
_SmRegistrationInfoFill@12 endp


;  S U B	R O U T	I N E 


; __stdcall IopCreateVpb(x)
_IopCreateVpb@4	proc near		; CODE XREF: IoCreateDevice+412p
					; IoVerifyVolume(x,x)+130p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	20627056h
		push	58h
		pop	ebx
		push	ebx
		push	200h
		mov	edi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8B2F5C
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+2], bx
		mov	[esi+0Ch], edi
		push	0Ah
		pop	eax
		mov	[esi], ax
		xor	eax, eax
		mov	[edi+24h], esi

loc_8B2F58:				; CODE XREF: IopCreateVpb(x)+47j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8B2F5C:				; CODE XREF: IopCreateVpb(x)+1Ej
		mov	eax, 0C000009Ah
		jmp	short loc_8B2F58
_IopCreateVpb@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExInitializeLeapSecondData proc	near	; CODE XREF: Phase1InitializationDiscard(x):loc_AC0D9Bp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	28h
		push	offset dword_6A7560
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_38], 1000h
		mov	[ebp+var_34], ebx
		push	ebx
		push	8000000h
		push	4
		lea	eax, [ebp+var_38]
		push	eax
		push	ebx
		push	6
		lea	eax, [ebp+var_1C]
		push	eax
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8B30A5
		mov	eax, ds:_MmSectionObjectType
		mov	[ebp+var_20], ebx
		push	ebx
		lea	ecx, [ebp+var_20]
		push	ecx
		push	ebx
		push	eax
		push	6
		push	[ebp+var_1C]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8B30A5
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_20]
		call	_MmMapViewInSystemSpace@12 ; MmMapViewInSystemSpace(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8B30A5
		push	6453704Ch
		mov	edi, [ebp+var_24]
		push	edi
		mov	ebx, [ebp+var_28]
		push	ebx
		call	_MmSizeOfMdl@8	; MmSizeOfMdl(x,x)
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8B30C5
		and	dword ptr [esi], 0
		mov	ecx, ebx
		and	ecx, 0FFFh
		lea	eax, [edi+0FFFh]
		add	eax, ecx
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[esi+4], ax
		xor	eax, eax
		mov	[esi+6], ax
		mov	eax, ebx
		and	eax, 0FFFFF000h
		mov	[esi+10h], eax
		mov	[esi+18h], ecx
		mov	[esi+14h], edi
		xor	edi, edi
		mov	[ebp+ms_exc.disabled], edi
		push	1
		push	edi
		push	esi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	40000010h
		push	edi
		push	edi
		push	1
		push	edi
		push	esi
		call	MmMapLockedPagesSpecifyCache
		mov	edi, eax
		test	edi, edi
		jz	short loc_8B30C5
		push	ebx
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8B30A5
		and	ds:_ExpLeapSecondDataLock, 0
		mov	eax, [ebp+var_20]
		mov	ds:_ExLeapSecondDataSectionPointer, eax
		push	[ebp+var_24]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		xor	dl, dl
		mov	ecx, edi
		call	_ExpReadLeapSecondData@8 ; ExpReadLeapSecondData(x,x)
		mov	_ExLeapSecondData, edi

loc_8B30A5:				; CODE XREF: ExInitializeLeapSecondData+37j
					; ExInitializeLeapSecondData+5Aj ...
		cmp	[ebp+var_1C], 0
		jz	short loc_8B30B3
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_8B30B3:				; CODE XREF: ExInitializeLeapSecondData+145j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8B30C5:				; CODE XREF: ExInitializeLeapSecondData+A1j
					; ExInitializeLeapSecondData+107j
		mov	esi, 0C0000017h
		jmp	short loc_8B30A5
ExInitializeLeapSecondData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtFlushInstallUILanguage proc near	; DATA XREF: .text:00581048o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009372AD SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, large fs:124h
		push	esi
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+8+var_4],	al
		test	al, al
		jz	loc_9372E2
		push	[esp+8+var_4]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_9372AD
		cmp	ds:_PsUILanguageComitted, 0
		jnz	loc_9372B7
		cmp	_MUIRefreshCachedUILock, 0
		jnz	short loc_8B3138
		mov	ecx, offset _MUIRefreshCachedUILock
		call	MUIInitializeResourceLock
		mov	edx, 0C0000000h
		mov	ecx, eax
		and	ecx, edx
		cmp	ecx, edx
		jz	short loc_8B318D

loc_8B3138:				; CODE XREF: NtFlushInstallUILanguage+53j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	esi, esi
		inc	esi
		push	esi
		push	_MUIRefreshCachedUILock
		call	ExAcquireResourceExclusiveLite
		cmp	[ebp+arg_4], 0
		jz	short loc_8B3161
		mov	ds:_PsUILanguageComitted, esi

loc_8B3161:				; CODE XREF: NtFlushInstallUILanguage+8Dj
		movzx	eax, word ptr [ebp+arg_0]
		cmp	ax, ds:_PsInstallUILanguageId
		jnz	loc_9372CA
		xor	esi, esi

loc_8B3174:				; CODE XREF: NtFlushInstallUILanguage+84211j
		mov	ecx, _MUIRefreshCachedUILock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi

loc_8B318D:				; CODE XREF: NtFlushInstallUILanguage+6Aj
					; NtFlushInstallUILanguage+841E6j ...
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
NtFlushInstallUILanguage endp


;  S U B	R O U T	I N E 


MUIInitializeResourceLock proc near	; CODE XREF: NtGetMUIRegistryInfo+29Cp
					; NtFlushInstallUILanguage+5Ap	...

; FUNCTION CHUNK AT 009372EC SIZE 0000000D BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		test	ebx, ebx
		jz	short loc_8B31EE
		cmp	dword ptr [ebx], 0
		jnz	short loc_8B31F5
		push	6D756950h
		push	38h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8B31F9
		push	esi
		call	ExInitializeResourceLite
		mov	edi, eax
		mov	eax, 0C0000000h
		mov	ecx, edi
		and	ecx, eax
		cmp	ecx, eax
		jz	short loc_8B31E0
		mov	ecx, esi
		xor	eax, eax
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jnz	short loc_8B3200
		xor	esi, esi

loc_8B31DE:				; CODE XREF: MUIInitializeResourceLock+72j
		xor	edi, edi

loc_8B31E0:				; CODE XREF: MUIInitializeResourceLock+3Aj
		test	esi, esi
		jnz	loc_9372EC

loc_8B31E8:				; CODE XREF: MUIInitializeResourceLock+5Fj
					; MUIInitializeResourceLock+63j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8B31EE:				; CODE XREF: MUIInitializeResourceLock+9j
		mov	edi, 0C000000Dh
		jmp	short loc_8B31E8
; 

loc_8B31F5:				; CODE XREF: MUIInitializeResourceLock+Ej
		xor	edi, edi
		jmp	short loc_8B31E8
; 

loc_8B31F9:				; CODE XREF: MUIInitializeResourceLock+25j
		mov	edi, 0C0000017h
		jmp	short loc_8B31E8
; 

loc_8B3200:				; CODE XREF: MUIInitializeResourceLock+46j
		push	esi
		call	ExDeleteResourceLite
		jmp	short loc_8B31DE
MUIInitializeResourceLock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepCacheDeviceEqual(x, x)
_KsepCacheDeviceEqual@8	proc near	; DATA XREF: KsepEngineInitialize+10o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		add	eax, 14h
		push	1
		push	eax
		mov	eax, [ebp+arg_0]
		add	eax, 14h
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		neg	eax
		sbb	eax, eax
		inc	eax
		pop	ebp
		retn	8
_KsepCacheDeviceEqual@8	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopPdcInvocation(x,	x)
_PopPdcInvocation@8 proc near		; CODE XREF: NtPowerInformation+CADp
		mov	eax, [ecx]
		sub	eax, 0
		jz	short loc_8B323D
		sub	eax, 1
		jnz	short loc_8B3242
		jmp	_PopRegisterClient@4 ; PopRegisterClient(x)
; 

loc_8B323D:				; CODE XREF: PopPdcInvocation(x,x)+5j
		jmp	PopPdcRegister
; 

loc_8B3242:				; CODE XREF: PopPdcInvocation(x,x)+Aj
		mov	eax, 0C000000Dh
		retn
; 

; __stdcall PopRegisterClient(x)
_PopRegisterClient@4:			; CODE XREF: PopPdcInvocation(x,x)+Cj
		mov	edi, edi
		push	esi
		mov	esi, dword_6D6FB8
		mov	eax, 0C0000002h
		test	esi, esi
		jz	short loc_8B3264
		mov	eax, [ecx+4]
		mov	edx, [ecx+8]
		push	eax
		push	edx
		call	esi

loc_8B3264:				; CODE XREF: PopPdcInvocation(x,x)+2Cj
		pop	esi
		retn
_PopPdcInvocation@8 endp


;  S U B	R O U T	I N E 


PopPdcRegister	proc near		; CODE XREF: PopPdcInvocation(x,x):loc_8B323Dj

; FUNCTION CHUNK AT 009372F9 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, edx
		push	esi
		mov	esi, ecx
		test	ebx, ebx
		jz	loc_9372F9
		push	edi
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		and	_PopModernStandbyTransitionInfo, 0
		add	esi, 4
		push	16h
		pop	ecx
		mov	edi, offset _PoPdcCallbacks
		rep movsd
		mov	dword ptr [ebx], offset	_PdcPoResiliencyClient@12 ; PdcPoResiliencyClient(x,x,x)
		mov	dword ptr [ebx+4], offset _PdcPoLowPower@4 ; PdcPoLowPower(x)
		mov	dword ptr [ebx+8], offset _PdcPoSetPowerAction@20 ; PdcPoSetPowerAction(x,x,x,x,x)
		mov	dword ptr [ebx+0Ch], offset PdcPoReportButton
		mov	dword ptr [ebx+10h], offset _PdcPoReportLidState@4 ; PdcPoReportLidState(x)
		mov	dword ptr [ebx+14h], offset _PdcPoRecordButton@0 ; PdcPoRecordButton()
		mov	dword ptr [ebx+18h], offset _PdcPoVerifyActionPolicy@4 ; PdcPoVerifyActionPolicy(x)
		mov	dword ptr [ebx+1Ch], offset _PdcPoVerifyPowerState@8 ; PdcPoVerifyPowerState(x,x)
		mov	dword ptr [ebx+20h], offset _PopBlockSessionSwitch@8 ; PopBlockSessionSwitch(x,x)
		mov	dword ptr [ebx+24h], offset _PopControlMonitor@8 ; PopControlMonitor(x,x)
		mov	dword ptr [ebx+28h], offset _PopNotifyCsStateExited@0 ;	PopNotifyCsStateExited()
		mov	dword ptr [ebx+2Ch], offset _PdcPoCurrentPdcPhase@12 ; PdcPoCurrentPdcPhase(x,x,x)
		mov	dword ptr [ebx+30h], offset _PdcPoIdleScanEnabled@0 ; PdcPoIdleScanEnabled()
		mov	dword ptr [ebx+34h], offset _PdcPoPpmRegisterProfiles@8	; PdcPoPpmRegisterProfiles(x,x)
		mov	dword ptr [ebx+38h], offset _PdcPoPpmApplyProfile@4 ; PdcPoPpmApplyProfile(x)
		mov	dword ptr [ebx+3Ch], offset _PdcPoPpmResetProfile@8 ; PdcPoPpmResetProfile(x,x)
		mov	dword ptr [ebx+40h], offset _PdcPoNetworkResiliency@4 ;	PdcPoNetworkResiliency(x)
		mov	dword ptr [ebx+44h], offset _PpmQueryDripsResidency@0 ;	PpmQueryDripsResidency()
		mov	dword ptr [ebx+48h], offset _PdcPoSleepStudyHelperSetPhaseActive@8 ; PdcPoSleepStudyHelperSetPhaseActive(x,x)
		mov	dword ptr [ebx+4Ch], offset _PdcPoPowerRequestBlockingCallback@4 ; PdcPoPowerRequestBlockingCallback(x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		xor	eax, eax
		pop	edi

loc_8B3323:				; CODE XREF: PopPdcRegister+84098j
		pop	esi
		pop	ebx
		retn
PopPdcRegister	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpQueryInterruptSteeringInformation proc near ; CODE XREF: PAGE:00781ED0p

var_3C		= dword	ptr -3Ch
var_24		= dword	ptr -24h
var_1F		= dword	ptr -1Fh
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00937303 SIZE 00000027 BYTES
; FUNCTION CHUNK AT 00937346 SIZE 0000001C BYTES

		push	2Ch
		push	offset dword_6A7580
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_19], bl
		mov	[ebp+var_1A], bl
		mov	[ebp+var_24], ebx
		mov	byte ptr [ebp+var_1F], bl
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jnz	loc_937303
		test	ecx, ecx
		jz	loc_937320
		cmp	edx, 14h
		jnz	loc_937320
		mov	[ebp+ms_exc.disabled], ebx
		mov	edx, [ecx]
		mov	[ebp+var_24], edx
		mov	ah, [ecx+4]
		mov	[ebp+var_19], ah
		mov	al, [ecx+5]
		mov	[ebp+var_1B], al
		mov	[ebp+var_1A], al
		mov	al, [ecx+6]
		mov	byte ptr [ebp+var_1F], al
		lea	esi, [ecx+8]
		lea	edi, [ebp+var_3C]
		movsd
		movsd
		movsd
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		push	4
		pop	ecx
		cmp	[ebp+arg_4], ecx
		jb	loc_93730D
		mov	[ebp+ms_exc.disabled], 2
		mov	esi, [ebp+arg_0]
		mov	[esi], ebx
		test	ah, ah
		jz	loc_937346
		cmp	edx, 0FFFFFFFFh
		jnz	loc_937346
		call	_KeIntSteerIsSteeringEnabled@0 ; KeIntSteerIsSteeringEnabled()
		test	al, al

loc_8B33C1:				; CODE XREF: ExpQueryInterruptSteeringInformation+84037j
		jz	short loc_8B33C9
		mov	dword ptr [esi], 1

loc_8B33C9:				; CODE XREF: ExpQueryInterruptSteeringInformation:loc_8B33C1j
		mov	[ebp+ms_exc.disabled], edi

loc_8B33CC:				; CODE XREF: ExpQueryInterruptSteeringInformation+83FE2j
					; ExpQueryInterruptSteeringInformation+83FFFj ...
		mov	eax, ebx

loc_8B33CE:				; CODE XREF: PAGE:009373A1j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
ExpQueryInterruptSteeringInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtCreateKeyTransacted proc near		; DATA XREF: .text:00581144o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 009373A6 SIZE 0000002E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	bl, al
		test	bl, bl
		jz	loc_9373A6

loc_8B340B:				; CODE XREF: NtCreateKeyTransacted+83FD4j
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		push	esi
		xor	ebx, ebx
		push	ebx
		mov	al, [eax+15Ah]
		push	ecx
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, _CmRegistryTransactionType
		push	eax
		push	4
		push	[ebp+arg_18]
		mov	[ebp+var_4], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp+var_4]
		mov	edi, eax
		cmp	edi, 0C0000024h
		jnz	loc_9373C4
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_8]
		push	ebx
		push	ecx
		mov	[ebp+var_8], ebx
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_4], al
		push	[ebp+var_4]
		mov	eax, ds:_TmTransactionObjectType
		push	eax
		push	4
		push	[ebp+arg_18]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp+var_8]
		mov	edi, eax

loc_8B3478:				; CODE XREF: NtCreateKeyTransacted+83FEFj
		test	edi, edi
		js	short loc_8B3497
		mov	edx, [ebp+arg_4]
		push	esi
		push	[ebp+arg_1C]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	CmCreateKey
		mov	edi, eax

loc_8B3497:				; CODE XREF: NtCreateKeyTransacted+9Aj
					; NtCreateKeyTransacted+83FE6j
		test	esi, esi
		jz	short loc_8B34A5
		and	esi, 0FFFFFFFEh
		mov	ecx, esi
		call	ObfDereferenceObject

loc_8B34A5:				; CODE XREF: NtCreateKeyTransacted+B9j
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi

loc_8B34BC:				; CODE XREF: NtCreateKeyTransacted+83FDFj
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn	20h
NtCreateKeyTransacted endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpMergeFilteredResourceRequirementsList proc near ; CODE XREF:	IopQueryDeviceResources+2B0p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009373D4 SIZE 0000004C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	[eax], ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	loc_9373D4
		cmp	[esi+1Ch], ecx
		jz	loc_9373D4

loc_8B34E9:				; CODE XREF: PnpMergeFilteredResourceRequirementsList+83F21j
		test	esi, esi
		jz	short loc_8B355A
		cmp	[esi+1Ch], ecx
		jz	short loc_8B355A
		test	edi, edi
		jz	short loc_8B3553
		cmp	[edi+1Ch], ecx
		jz	short loc_8B3553

loc_8B34FB:				; CODE XREF: PnpMergeFilteredResourceRequirementsList+83F28j
		mov	ecx, [esi]
		mov	eax, [edi]
		add	ecx, 0FFFFFFE0h
		add	eax, ecx
		push	75737050h
		push	eax
		push	1
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8B3561
		push	dword ptr [esi]	; size_t
		push	esi		; void *
		push	ebx		; void *
		call	_memcpy
		mov	ecx, [esi]
		mov	esi, [ebp+var_4]
		mov	eax, esi
		sub	eax, ecx
		push	eax		; size_t
		lea	eax, [edi+20h]
		push	eax		; void *
		lea	eax, [ecx+ebx]
		push	eax		; void *
		call	_memcpy
		mov	[ebx], esi
		add	esp, 18h
		mov	eax, [edi+1Ch]
		add	[ebx+1Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx

loc_8B354A:				; CODE XREF: PnpMergeFilteredResourceRequirementsList+83F12j
					; PnpMergeFilteredResourceRequirementsList+83F1Bj ...
		xor	eax, eax

loc_8B354C:				; CODE XREF: PnpMergeFilteredResourceRequirementsList+A2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8B3553:				; CODE XREF: PnpMergeFilteredResourceRequirementsList+30j
					; PnpMergeFilteredResourceRequirementsList+35j
		mov	ebx, esi
		jmp	loc_9373EA
; 

loc_8B355A:				; CODE XREF: PnpMergeFilteredResourceRequirementsList+27j
					; PnpMergeFilteredResourceRequirementsList+2Cj
		mov	ebx, edi
		jmp	loc_9373EA
; 

loc_8B3561:				; CODE XREF: PnpMergeFilteredResourceRequirementsList+54j
					; PnpMergeFilteredResourceRequirementsList+83F40j
		mov	eax, 0C000009Ah
		jmp	short loc_8B354C
PnpMergeFilteredResourceRequirementsList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall RtlpOpenBaseImageFileOptionsKeyEx(x, x, x)
@RtlpOpenBaseImageFileOptionsKeyEx@12 proc near
					; CODE XREF: RtlpOpenBaseImageFileOptionsKey(x)+23p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, large fs:124h
		xor	edx, edx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		mov	al, [eax+15Ah]
		cmp	al, 1
		mov	[ebp+var_20], 18h
		lea	eax, [ebp+var_20]
		mov	[ebp+var_1C], ecx
		setz	dl
		mov	[ebp+var_18], offset loc_403928
		dec	edx
		mov	[ebp+var_10], ecx
		push	eax
		and	edx, 0FFFFFC00h
		mov	[ebp+var_C], ecx
		push	9
		lea	eax, [ebp+var_8]
		add	edx, 640h
		push	eax
		mov	[ebp+var_14], edx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	short loc_8B35CA

loc_8B35C5:				; CODE XREF: RtlpOpenBaseImageFileOptionsKeyEx(x,x,x)+69j
		pop	esi
		leave
		retn	4
; 

loc_8B35CA:				; CODE XREF: RtlpOpenBaseImageFileOptionsKeyEx(x,x,x)+5Bj
		mov	eax, [ebp+var_8]
		mov	[esi], eax
		xor	eax, eax
		jmp	short loc_8B35C5
@RtlpOpenBaseImageFileOptionsKeyEx@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpGetSystemPlatformBinary proc	near	; CODE XREF: PAGE:0078085Fp

var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00937420 SIZE 00000211 BYTES
; FUNCTION CHUNK AT 0093765D SIZE 00000028 BYTES
; FUNCTION CHUNK AT 009376AF SIZE 0000000A BYTES
; FUNCTION CHUNK AT 009376E6 SIZE 0000001E BYTES

		push	5Ch
		push	offset dword_6A75B8
		call	__SEH_prolog4_GS
		mov	[ebp+var_54], ecx
		xor	ebx, ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_38], ebx
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_40], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	edi, ebx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_31], bl
		mov	[ebp+var_32], bl
		mov	[ebp+var_50], ebx
		mov	[ebp+var_58], ebx
		cmp	edx, 18h
		jb	loc_937420
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ecx+14h]
		mov	[ebp+var_38], eax
		mov	eax, [ecx+10h]
		mov	[ebp+var_44], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_48], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_4C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	esi, offset _ExpPlatformBinaryLock
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	al, 1
		mov	ecx, ds:_ExpPlatformBinaryTableInformation
		cmp	ecx, 0FFFFFFFFh
		jz	loc_93742F
		test	ecx, ecx
		jnz	loc_9374C7
		push	11h
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_8B3682
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8B3682:				; CODE XREF: ExpGetSystemPlatformBinary+A5j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	[ebp+var_31], bl
		cmp	[ebp+var_44], 0
		jnz	short loc_8B371A
		cmp	[ebp+var_38], 0
		jnz	short loc_8B371A
		mov	[ebp+var_30], 41435049h
		mov	[ebp+var_2C], 1
		mov	[ebp+var_28], 54425057h
		mov	[ebp+var_24], ebx
		lea	eax, [ebp+var_40]
		push	eax
		push	14h
		xor	dl, dl
		lea	ecx, [ebp+var_30]
		call	ExpGetSystemFirmwareTableInformation
		cmp	eax, 0C0000023h
		jz	loc_937439
		xor	ebx, ebx
		test	eax, eax
		sets	bl
		dec	ebx
		and	ebx, 0FFFFFFC0h
		add	ebx, 0C00000BBh

loc_8B36E8:				; CODE XREF: ExpGetSystemPlatformBinary+14Bj
					; ExpGetSystemPlatformBinary+83E56j ...
		mov	al, [ebp+var_31]

loc_8B36EB:				; CODE XREF: ExpGetSystemPlatformBinary+83E60j
					; ExpGetSystemPlatformBinary+84058j ...
		test	al, al
		jnz	loc_9374D2

loc_8B36F3:				; CODE XREF: ExpGetSystemPlatformBinary+83F26j
		mov	eax, [ebp+var_50]
		test	eax, eax
		jnz	loc_9376E6

loc_8B36FE:				; CODE XREF: ExpGetSystemPlatformBinary+8411Bj
		test	edi, edi
		jnz	loc_9376F4

loc_8B3706:				; CODE XREF: ExpGetSystemPlatformBinary+8412Bj
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8B371A:				; CODE XREF: ExpGetSystemPlatformBinary+C8j
					; ExpGetSystemPlatformBinary+CEj
		mov	ebx, 0C000000Dh
		jmp	short loc_8B36E8
ExpGetSystemPlatformBinary endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 372. ExGetSystemFirmwareTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ExGetSystemFirmwareTable
ExGetSystemFirmwareTable proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00937704 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_C]
		test	ebx, ebx
		jnz	short loc_8B3744
		test	edi, edi
		jnz	loc_937704

loc_8B3744:				; CODE XREF: ExGetSystemFirmwareTable+14j
		push	esi
		push	54465241h
		lea	eax, [edi+10h]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_93770E
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		mov	[esi], ecx
		xor	dl, dl
		mov	ecx, [ebp+arg_4]
		push	eax
		lea	eax, [edi+10h]
		mov	[esi+8], ecx
		push	eax
		mov	ecx, esi
		mov	[esi+0Ch], edi
		mov	dword ptr [esi+4], 1
		call	ExpGetSystemFirmwareTableInformation
		mov	edi, eax
		test	edi, edi
		jns	short loc_8B3793
		cmp	edi, 0C0000023h
		jnz	short loc_8B379F

loc_8B3793:				; CODE XREF: ExGetSystemFirmwareTable+63j
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_8B379F
		mov	eax, [esi+0Ch]
		mov	[ecx], eax

loc_8B379F:				; CODE XREF: ExGetSystemFirmwareTable+6Bj
					; ExGetSystemFirmwareTable+72j
		test	edi, edi
		js	short loc_8B37BB
		test	ebx, ebx
		jz	short loc_8B37BB
		mov	eax, [ebp+var_4]
		add	eax, 0FFFFFFF0h
		push	eax		; size_t
		lea	eax, [esi+10h]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_8B37BB:				; CODE XREF: ExGetSystemFirmwareTable+7Bj
					; ExGetSystemFirmwareTable+7Fj
		push	54465241h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8B37C6:				; CODE XREF: ExGetSystemFirmwareTable+83FEDj
		mov	eax, edi
		pop	esi

loc_8B37C9:				; CODE XREF: ExGetSystemFirmwareTable+83FE3j
		pop	edi
		pop	ebx
		leave
		retn	14h
ExGetSystemFirmwareTable endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2331. RtlSetControlSecurityDescriptor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSetControlSecurityDescriptor(x, x, x)
		public _RtlSetControlSecurityDescriptor@12
_RtlSetControlSecurityDescriptor@12 proc near
					; CODE XREF: RtlpSysVolCreateSecurityDescriptor(x,x)+D5p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		movzx	edx, si
		mov	ecx, edx
		push	edi
		mov	di, [ebp+arg_8]
		not	ecx
		movzx	eax, di
		and	ecx, eax
		neg	ecx
		sbb	cl, cl
		and	edx, 0FFFFC03Fh
		inc	cl
		neg	edx
		sbb	dl, dl
		inc	dl
		test	cl, dl
		jz	short loc_8B381C
		mov	eax, [ebp+arg_0]
		not	esi
		and	si, [eax+2]
		or	si, di
		mov	[eax+2], si
		xor	eax, eax

loc_8B3816:				; CODE XREF: RtlSetControlSecurityDescriptor(x,x,x)+4Dj
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_8B381C:				; CODE XREF: RtlSetControlSecurityDescriptor(x,x,x)+2Ej
		mov	eax, 0C000000Dh
		jmp	short loc_8B3816
_RtlSetControlSecurityDescriptor@12 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ExpWnfAllocateScopeMap(x)
_ExpWnfAllocateScopeMap@4 proc near	; CODE XREF: ExpWnfResolveScopeInstance+399p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	20666E57h
		push	58h
		pop	ebx
		push	ebx
		push	1
		mov	edi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8B387C
		push	54h		; size_t
		lea	eax, [esi+4]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+2], bx
		mov	eax, 901h
		mov	[esi], ax
		lea	eax, [esi+14h]
		push	6
		pop	ecx

loc_8B3863:				; CODE XREF: ExpWnfAllocateScopeMap(x)+4Ej
		mov	[eax+4], eax
		mov	[eax], eax
		and	dword ptr [eax-4], 0
		add	eax, 0Ch
		sub	ecx, 1
		jnz	short loc_8B3863
		mov	[edi], esi
		xor	eax, eax

loc_8B3878:				; CODE XREF: ExpWnfAllocateScopeMap(x)+5Dj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_8B387C:				; CODE XREF: ExpWnfAllocateScopeMap(x)+1Bj
		mov	eax, 0C000009Ah
		jmp	short loc_8B3878
_ExpWnfAllocateScopeMap@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KitpReadUlongFromKey proc near		; CODE XREF: KitpInitAitSampleRate(x)+3Fp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00937718 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, [ebp+arg_0]
		lea	edi, [ebp+var_18]
		and	[ebp+var_1C], 0
		stosd
		and	dword ptr [esi], 0
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_1C]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		push	(offset	loc_403937+1)
		push	ecx
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_937718

loc_8B38CB:				; CODE XREF: KitpReadUlongFromKey+83EA7j
					; KitpReadUlongFromKey+83EB1j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
KitpReadUlongFromKey endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KitpOpenRegKey(x, x, x)
_KitpOpenRegKey@12 proc	near		; CODE XREF: KitpInitAitSampleRate(x)+2Fp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		mov	[ebp+var_1C], 18h
		mov	[ebp+var_18], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	1
		push	[ebp+arg_0]
		mov	[ebp+var_10], 240h
		mov	[ebp+var_14], (offset loc_40392F+1)
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		leave
		retn	4
_KitpOpenRegKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopThreadStart(x)
_IopThreadStart@4 proc near		; DATA XREF: IoCreateSystemThread+47o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	edi, [ebp+var_C]
		push	0
		push	[ebp+arg_0]
		movsd
		movsd
		movsd
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	[ebp+var_4]
		call	[ebp+var_8]
		mov	ecx, [ebp+var_C]
		call	ObfDereferenceObject
		push	0
		call	PsTerminateSystemThread
		pop	edi
		pop	esi
		leave
		retn	4
_IopThreadStart@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeEntropySystem(x, x, x)
_KeInitializeEntropySystem@12 proc near	; CODE XREF: PAGE:007B44F5p

var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	ds:_KiEntropyTimingRoutine, 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], ebx
		jnz	short loc_8B39A2
		push	esi
		push	edi
		mov	edi, ds:_KeNumberProcessors
		xor	esi, esi
		test	edi, edi
		jz	short loc_8B3993
		mov	ebx, edx

loc_8B3974:				; CODE XREF: KeInitializeEntropySystem(x,x,x)+40j
		push	[ebp+arg_0]
		mov	eax, ds:_KiProcessorBlock[esi*4]
		push	100h
		add	eax, 4178h
		push	eax
		call	ebx
		inc	esi
		cmp	esi, edi
		jb	short loc_8B3974
		mov	ebx, [ebp+var_8]

loc_8B3993:				; CODE XREF: KeInitializeEntropySystem(x,x,x)+22j
		pop	edi
		mov	ds:_KiEntropyTimingRoutine, ebx
		xor	eax, eax
		pop	esi

loc_8B399D:				; CODE XREF: KeInitializeEntropySystem(x,x,x)+59j
		pop	ebx
		leave
		retn	4
; 

loc_8B39A2:				; CODE XREF: KeInitializeEntropySystem(x,x,x)+14j
		mov	eax, 0C000000Dh
		jmp	short loc_8B399D
_KeInitializeEntropySystem@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpUpdateSchematizedFilterData	proc near ; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+79p
					; EtwpUpdateFilterData(x,x,x,x,x)+37Ep

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 0093773A SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], edx
		cmp	[ebp+arg_4], 0
		mov	ebx, ecx
		push	edi
		jz	loc_93773A
		mov	eax, [ebx+2Ch]
		test	eax, eax
		jnz	short loc_8B39D4

loc_8B39CB:				; CODE XREF: EtwpUpdateSchematizedFilterData+83DA0j
					; EtwpUpdateSchematizedFilterData+83DBDj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8B39D4:				; CODE XREF: EtwpUpdateSchematizedFilterData+1Fj
		mov	edi, esi
		jmp	loc_93779F
EtwpUpdateSchematizedFilterData	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopExecutionRequiredSettingCallback(void *,int,int,int)
PopExecutionRequiredSettingCallback proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009377B6 SIZE 0000005D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	edi
		mov	edi, 0C000000Dh
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		mov	dword_6C3884, eax
		push	offset _GUID_EXECUTION_REQUIRED_REQUEST_TIMEOUT	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_8B3A79
		cmp	[ebp+arg_8], 4
		jnz	short loc_8B3A79
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_8B3A78
		push	ebx
		push	offset _PopExecutionRequiredTimer
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		mov	eax, [esi]
		mov	ds:_PopExecutionRequiredTimeout, eax
		call	PopSetExecutionRequiredTimer
		xor	bl, bl
		cmp	ds:_PopExecutionRequiredTimeout, 0
		jz	short loc_8B3A60
		cmp	byte_6C3863, bl
		jnz	loc_9377B6

loc_8B3A5E:				; CODE XREF: PopExecutionRequiredSettingCallback+83DE9j
					; PopExecutionRequiredSettingCallback+83DF5j ...
		mov	bl, 1

loc_8B3A60:				; CODE XREF: PopExecutionRequiredSettingCallback+74j
					; PopExecutionRequiredSettingCallback+83E1Ej ...
		cmp	_PopExecutionRequiredContext, bl
		jz	short loc_8B3A75
		mov	cl, bl
		mov	_PopExecutionRequiredContext, bl
		call	PopEnableExecutionRequiredPowerRequests

loc_8B3A75:				; CODE XREF: PopExecutionRequiredSettingCallback+8Aj
		xor	edi, edi
		pop	ebx

loc_8B3A78:				; CODE XREF: PopExecutionRequiredSettingCallback+52j
		pop	esi

loc_8B3A79:				; CODE XREF: PopExecutionRequiredSettingCallback+44j
					; PopExecutionRequiredSettingCallback+4Aj
		cmp	dword_6C3884, 0
		jz	short loc_8B3A89
		and	dword_6C3884, 0

loc_8B3A89:				; CODE XREF: PopExecutionRequiredSettingCallback+A4j
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, edi
		pop	edi
		pop	ebp
		retn	10h
PopExecutionRequiredSettingCallback endp

; 
		align 2

;  S U B	R O U T	I N E 


PopEnableExecutionRequiredPowerRequests	proc near
					; CODE XREF: PopExecutionRequiredSettingCallback+94p
					; PopPowerRequestNotifyAudioStateChanged+A9953p ...

; FUNCTION CHUNK AT 00937813 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, _PopPowerRequestObjectList
		mov	bl, cl
		push	edi
		mov	edi, offset _PopPowerRequestObjectList

loc_8B3AB4:				; CODE XREF: PopEnableExecutionRequiredPowerRequests+27j
		cmp	esi, edi
		jz	short loc_8B3ACB
		mov	ecx, esi
		call	_PopPowerRequestIsExecutionRequiredCapable@4 ; PopPowerRequestIsExecutionRequiredCapable(x)
		test	al, al
		jnz	loc_937813

loc_8B3AC7:				; CODE XREF: PopEnableExecutionRequiredPowerRequests+83D7Aj
					; PopEnableExecutionRequiredPowerRequests+83D87j
		mov	esi, [esi]
		jmp	short loc_8B3AB4
; 

loc_8B3ACB:				; CODE XREF: PopEnableExecutionRequiredPowerRequests+14j
		pop	edi
		pop	esi
		pop	ebx
		retn
PopEnableExecutionRequiredPowerRequests	endp

; 
		align 10h

;  S U B	R O U T	I N E 


PopSetExecutionRequiredTimer proc near	; CODE XREF: PopExecutionRequiredSettingCallback+66p
					; PopPowerRequestNotifySystemIdleStateChanged(x)+52p

; FUNCTION CHUNK AT 0093782E SIZE 00000063 BYTES

		cmp	byte_6C3863, 0
		jnz	loc_93782E

locret_8B3ADD:				; CODE XREF: PopSetExecutionRequiredTimer+83D65j
		retn
PopSetExecutionRequiredTimer endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 787. IoCreateController

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCreateController(x)
		public _IoCreateController@4
_IoCreateController@4 proc near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, _IopCaseInsensitive
		push	ebx
		push	esi
		xor	esi, esi
		mov	edx, ds:_IoControllerObjectType
		neg	eax
		mov	[esp+2Ch+var_20], esi
		push	edi
		mov	edi, [ebp+arg_0]
		sbb	eax, eax
		and	eax, 40h
		mov	[esp+30h+var_1C], esi
		push	esi
		add	eax, 200h
		mov	[esp+34h+var_18], 18h
		mov	[esp+34h+var_C], eax
		lea	ebx, [edi+28h]
		lea	eax, [esp+34h+var_20]
		mov	[esp+34h+var_14], esi
		push	eax
		push	esi
		push	esi
		push	ebx
		push	ecx
		push	esi
		lea	eax, [esp+4Ch+var_18]
		mov	[esp+4Ch+var_10], esi
		push	eax
		xor	cl, cl
		mov	[esp+50h+var_8], esi
		mov	[esp+50h+var_4], esi
		call	ObCreateObjectEx
		test	eax, eax
		js	short loc_8B3BB6
		mov	ecx, [esp+30h+var_20]
		lea	eax, [esp+30h+var_1C]
		push	eax
		lea	eax, [esp+34h+var_20]
		xor	edx, edx
		push	eax
		push	esi
		push	1
		push	3
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8B3BB6
		push	esi
		push	[esp+34h+var_1C]
		call	ObCloseHandle
		push	ebx		; size_t
		push	esi		; int
		push	[esp+38h+var_20] ; void	*
		call	_memset
		mov	eax, [esp+3Ch+var_20]
		add	esp, 0Ch
		push	2
		pop	ecx
		mov	[eax], cx
		lea	ecx, [edi+28h]
		mov	eax, [esp+30h+var_20]
		mov	[eax+2], cx
		mov	ecx, [esp+30h+var_20]
		lea	eax, [ecx+28h]
		mov	[ecx+4], eax
		mov	eax, [esp+30h+var_20]
		add	eax, 8
		push	eax
		call	_KeInitializeDeviceQueue@4 ; KeInitializeDeviceQueue(x)
		mov	esi, [esp+30h+var_20]

loc_8B3BB6:				; CODE XREF: IoCreateController(x)+6Aj
					; IoCreateController(x)+88j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_IoCreateController@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpQueryTimeZoneKeyNameRoutine(int,int,void *,int,int,int)
_RtlpQueryTimeZoneKeyNameRoutine@24 proc near
					; DATA XREF: RtlpQueryTimeZoneInformationWorker(x,x)+20Bo

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		shr	eax, 1
		push	eax
		push	[ebp+arg_8]
		call	_wcsnlen
		mov	ebx, [ebp+arg_14]
		mov	edi, eax
		pop	ecx
		pop	ecx
		movzx	eax, word ptr [ebx+2]
		lea	ecx, ds:2[edi*2]
		cmp	ecx, eax
		ja	short loc_8B3C18

loc_8B3BEE:				; CODE XREF: RtlpQueryTimeZoneKeyNameRoutine(x,x,x,x,x,x)+5Bj
		lea	esi, [edi+edi]
		push	esi		; size_t
		push	[ebp+arg_8]	; void *
		push	dword ptr [ebx+4] ; void *
		call	_memcpy
		mov	eax, [ebx+4]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[esi+eax], cx
		lea	eax, [edi+edi]
		pop	edi
		mov	[ebx], ax
		xor	eax, eax
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
; 

loc_8B3C18:				; CODE XREF: RtlpQueryTimeZoneKeyNameRoutine(x,x,x,x,x,x)+2Aj
		mov	edi, eax
		shr	edi, 1
		dec	edi
		jmp	short loc_8B3BEE
_RtlpQueryTimeZoneKeyNameRoutine@24 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 555. FsRtlInitializeTunnelCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlInitializeTunnelCache(x)
		public _FsRtlInitializeTunnelCache@4
_FsRtlInitializeTunnelCache@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		xor	edi, edi
		inc	eax
		push	edi
		push	eax
		mov	[esi], eax
		lea	eax, [esi+0Ch]
		push	eax
		mov	[esi+4], edi
		mov	[esi+8], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esi+24h]
		mov	[esi+20h], edi
		mov	[eax+4], eax
		mov	[eax], eax
		xor	eax, eax
		pop	edi
		mov	[esi+2Ch], ax
		pop	esi
		pop	ebp
		retn	4
_FsRtlInitializeTunnelCache@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmRegistrationCtxStart(x)
_SmRegistrationCtxStart@4 proc near	; CODE XREF: SmFirstTimeInit+2E0p
					; SmGetRegistrationInfo+843F2p	...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		lea	edx, [ebp+var_4]
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_4], esi
		call	_SmCreateEvent@8 ; SmCreateEvent(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8B3C8E
		mov	eax, [ebp+var_4]
		mov	edi, esi
		mov	[ebx], eax

loc_8B3C83:				; CODE XREF: SmRegistrationCtxStart(x)+33j
		test	esi, esi
		jnz	short loc_8B3C93

loc_8B3C87:				; CODE XREF: SmRegistrationCtxStart(x)+3Cj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_8B3C8E:				; CODE XREF: SmRegistrationCtxStart(x)+1Cj
		mov	esi, [ebp+var_4]
		jmp	short loc_8B3C83
; 

loc_8B3C93:				; CODE XREF: SmRegistrationCtxStart(x)+27j
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_8B3C87
_SmRegistrationCtxStart@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmCreateEvent(x, x)
_SmCreateEvent@8 proc near		; CODE XREF: SmRegistrationCtxStart(x)+13p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[esp+30h+var_18], 18h
		push	ebx
		push	1
		lea	eax, [esp+38h+var_18]
		mov	[esp+38h+var_20], ebx
		push	eax
		push	1F0003h
		lea	eax, [esp+40h+var_20]
		mov	[esp+40h+var_14], ebx
		push	eax
		mov	edi, edx
		mov	[esp+44h+var_C], 200h
		mov	[esp+44h+var_10], ebx
		mov	[esp+44h+var_8], ebx
		mov	[esp+44h+var_4], ebx
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8B3D22
		mov	eax, ds:_ExEventObjectType
		lea	ecx, [esp+30h+var_1C]
		push	ebx
		push	ecx
		push	ebx
		push	eax
		push	1F0003h
		push	[esp+44h+var_20]
		mov	[esp+48h+var_1C], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [esp+30h+var_1C]
		mov	esi, eax
		test	esi, esi
		js	short loc_8B3D1E
		mov	[edi], ecx
		mov	esi, ebx
		mov	ecx, ebx

loc_8B3D1E:				; CODE XREF: SmCreateEvent(x,x)+7Aj
		test	ecx, ecx
		jnz	short loc_8B3D3A

loc_8B3D22:				; CODE XREF: SmCreateEvent(x,x)+51j
					; SmCreateEvent(x,x)+A3j
		cmp	[esp+30h+var_20], ebx
		jz	short loc_8B3D31
		push	[esp+30h+var_20]
		call	_ZwClose@4	; ZwClose(x)

loc_8B3D31:				; CODE XREF: SmCreateEvent(x,x)+8Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8B3D3A:				; CODE XREF: SmCreateEvent(x,x)+84j
		call	ObfDereferenceObject
		jmp	short loc_8B3D22
_SmCreateEvent@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmInitializeHandBuiltProcess2 proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1235p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00937891 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [esp+30h+var_1C]
		push	6
		pop	ecx
		xor	eax, eax
		rep stosd
		call	_MiGetWsAndMakePageTablesNx@0 ;	MiGetWsAndMakePageTablesNx()
		mov	eax, large fs:124h
		xor	edx, edx
		mov	ecx, ebx
		mov	eax, [eax+80h]
		mov	eax, [eax+24Ch]
		mov	[ebx+24Ch], eax
		lea	eax, [esp+30h+var_1C]
		push	eax
		call	KiStackAttachProcess
		xor	edx, edx
		mov	ecx, ebx
		call	MiAllocateProcessVads
		mov	[esp+30h+var_20], eax
		test	eax, eax
		jz	short loc_8B3DE1
		lea	edx, [esp+30h+var_20]
		mov	ecx, ebx
		call	_MiInsertProcessVads@8 ; MiInsertProcessVads(x,x)
		mov	esi, eax

loc_8B3DB1:				; CODE XREF: MmInitializeHandBuiltProcess2+A4j
		xor	edx, edx
		lea	ecx, [esp+30h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		test	esi, esi
		js	short loc_8B3DCD
		mov	eax, ds:_MmTrackLockedPages
		test	al, 1
		jnz	loc_937891

loc_8B3DCD:				; CODE XREF: MmInitializeHandBuiltProcess2+7Cj
					; MmInitializeHandBuiltProcess2+83B54j	...
		mov	ecx, [esp+30h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_8B3DE1:				; CODE XREF: MmInitializeHandBuiltProcess2+60j
		mov	esi, 0C0000017h
		jmp	short loc_8B3DB1
MmInitializeHandBuiltProcess2 endp


;  S U B	R O U T	I N E 


; __stdcall NtIsUILanguageComitted()
_NtIsUILanguageComitted@0 proc near	; DATA XREF: .text:00580FC8o
		mov	eax, ds:_PsUILanguageComitted
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFCCh
		add	eax, 0C0000034h
		retn
_NtIsUILanguageComitted@0 endp

; 

; __stdcall PopDispatchCallback(x)
_PopDispatchCallback@4:			; DATA XREF: .text:00403CA8o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	dword ptr [ebp+8]
		push	_ExCbPowerState
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)
		mov	eax, large fs:124h
		cmp	dword ptr [eax+13Ch], 0
		jnz	short loc_8B3E24
		pop	ebp
		retn	4
; 

loc_8B3E24:				; CODE XREF: PAGE:008B3E1Ej
		push	20h
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 2498. SeRegisterLogonSessionTerminatedRoutineEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeRegisterLogonSessionTerminatedRoutineEx(x, x)
		public _SeRegisterLogonSessionTerminatedRoutineEx@8
_SeRegisterLogonSessionTerminatedRoutineEx@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_8B3E9D
		push	esi
		push	53466553h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8B3EA4
		mov	eax, large fs:124h
		push	ebx
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _SepRmNotifyMutex
		mov	ecx, ebx
		call	ExAcquireFastMutexUnsafe
		mov	eax, ds:_SeFileSystemNotifyRoutinesExHead
		mov	ecx, ebx
		mov	[esi], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+4], edi
		mov	[esi+8], eax
		mov	ds:_SeFileSystemNotifyRoutinesExHead, esi
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax
		pop	ebx

loc_8B3E97:				; CODE XREF: SeRegisterLogonSessionTerminatedRoutineEx(x,x)+7Bj
		pop	esi

loc_8B3E98:				; CODE XREF: SeRegisterLogonSessionTerminatedRoutineEx(x,x)+74j
		pop	edi
		pop	ebp
		retn	8
; 

loc_8B3E9D:				; CODE XREF: SeRegisterLogonSessionTerminatedRoutineEx(x,x)+Bj
		mov	eax, 0C000000Dh
		jmp	short loc_8B3E98
; 

loc_8B3EA4:				; CODE XREF: SeRegisterLogonSessionTerminatedRoutineEx(x,x)+20j
		mov	eax, 0C000009Ah
		jmp	short loc_8B3E97
_SeRegisterLogonSessionTerminatedRoutineEx@8 endp

; 
		align 10h
; Exported entry 798. IoCreateStreamFileObjectEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCreateStreamFileObjectEx(x, x, x)
		public _IoCreateStreamFileObjectEx@12
_IoCreateStreamFileObjectEx@12 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		inc	eax
		push	8
		mov	word ptr [ebp+var_C+2],	ax
		pop	eax
		push	[ebp+arg_8]
		mov	word ptr [ebp+var_C], ax
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ebp+var_C]
		push	[ebp+arg_0]
		push	eax
		call	IoCreateStreamFileObjectEx2
		mov	eax, [ebp+var_4]
		leave
		retn	0Ch
_IoCreateStreamFileObjectEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExIsMultiSessionSku proc near		; CODE XREF: PspSiloInitializeIsMultiSessionSku(x)+1Ep
					; InitSkuSessionParameters+Ep

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 009378A8 SIZE 0000003D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	44h
		pop	eax
		xor	ebx, ebx
		mov	word ptr [ebp+var_10], ax
		push	46h
		mov	esi, ecx
		mov	[ebp+var_18], ebx
		pop	eax
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_14], ebx
		mov	word ptr [ebp+var_10+2], ax
		mov	[ebp+var_C], offset ??_C@_1EG@MFPCCJEE@?$AAe?$AAx?$AAt?$AA?9?$AAm?$AAs?$AA?9?$AAw?$AAi?$AAn?$AA?9?$AAs?$AAe?$AAs?$AAs@NNGAKEGL@
		mov	byte ptr [ebp+var_1], bl
		mov	[ebp+var_8], ebx
		call	_ExpGetNumberOfInitialSessionsFromRegistry@4 ; ExpGetNumberOfInitialSessionsFromRegistry(x)
		mov	edx, eax
		test	edx, edx
		js	short loc_8B3F36
		cmp	[ebp+var_8], 1
		jbe	loc_9378A8
		mov	byte ptr [esi],	1

loc_8B3F36:				; CODE XREF: ExIsMultiSessionSku+3Bj
					; ExIsMultiSessionSku+839D8j ...
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn
ExIsMultiSessionSku endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetNumberOfInitialSessionsFromRegistry(x)
_ExpGetNumberOfInitialSessionsFromRegistry@4 proc near ; CODE XREF: ExIsMultiSessionSku+32p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_3C]
		push	esi
		push	38h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_38], 124h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_34], offset ??_C@_1DA@LMDDKGAG@?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr?$AAO?$AAf?$AAI?$AAn?$AAi?$AAt?$AAi?$AAa?$AAl@NNGAKEGL@
		mov	[ebp+var_30], eax
		mov	edx, offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_2C], 4000004h
		push	1
		push	ecx
		push	0
		push	eax
		push	2
		pop	ecx
		call	RtlpQueryRegistryValues
		test	eax, eax
		js	short loc_8B3F95
		mov	ecx, [ebp+var_4]
		mov	[esi], ecx

loc_8B3F95:				; CODE XREF: ExpGetNumberOfInitialSessionsFromRegistry(x)+52j
		pop	esi
		leave
		retn
_ExpGetNumberOfInitialSessionsFromRegistry@4 endp


;  S U B	R O U T	I N E 


; int __fastcall PopDefaultPolicy(void *)
_PopDefaultPolicy@4 proc near		; CODE XREF: PopResetCurrentPolicies+A0EB0p
					; PoInitSystem+390p
		mov	edi, edi
		push	esi
		push	edi
		push	0E8h		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		inc	eax
		mov	[esi], eax
		mov	[esi+28h], eax
		push	2
		pop	edx
		push	4
		pop	ecx
		mov	[esi+5Ch], eax
		lea	eax, [esi+74h]
		mov	[esi+44h], edx
		mov	[esi+48h], ecx
		mov	[esi+4Ch], edx

loc_8B3FCC:				; CODE XREF: PopDefaultPolicy(x)+3Cj
		mov	[eax], edx
		lea	eax, [eax+18h]
		sub	ecx, 1
		jnz	short loc_8B3FCC
		mov	[esi+8], edi
		mov	[esi+0Ch], edi
		mov	dword ptr [esi+4], 6
		mov	[esi+14h], edi
		mov	[esi+18h], edi
		mov	[esi+10h], edx
		mov	[esi+20h], edi
		mov	[esi+24h], edi
		mov	[esi+1Ch], edi
		pop	edi
		pop	esi
		retn
_PopDefaultPolicy@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_RegRtlQueryKeyPathName	proc near	; CODE XREF: _PnpCtxRegQueryKeyPathName(x,x,x,x)+Dp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009378E5 SIZE 000000EF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_18], ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_1C], edi
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_4], eax
		call	__RegRtlIsPredefinedKey@4 ; _RegRtlIsPredefinedKey(x)
		test	al, al
		jnz	loc_9378E5

loc_8B402C:				; CODE XREF: _RegRtlQueryKeyPathName+838FFj
		mov	eax, [ebp+arg_0]
		push	2
		pop	ecx
		mov	eax, [eax]
		mul	ecx
		lea	ecx, [ebp+var_C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8B40A6
		mov	ebx, [ebp+var_C]
		cmp	ebx, 8
		jb	short loc_8B40B6
		mov	ecx, ebx

loc_8B4050:				; CODE XREF: _RegRtlQueryKeyPathName+C4j
		mov	eax, [ebp+var_8]
		mov	[ebp+var_10], edi
		test	eax, eax
		jnz	short loc_8B405D
		mov	eax, [ebp+var_18]

loc_8B405D:				; CODE XREF: _RegRtlQueryKeyPathName+60j
		lea	edx, [ebp+var_4]
		push	edx
		push	ecx
		push	edi
		push	1
		push	eax
		call	_ZwQueryObject@20 ; ZwQueryObject(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_93790D
		movzx	ecx, word ptr [edi]
		mov	edx, [ebp+arg_0]
		lea	eax, [ecx+2]
		mov	edi, eax
		shr	edi, 1
		mov	[edx], edi
		cmp	ebx, eax
		jb	loc_937903
		mov	eax, [ebp+var_10]
		mov	ebx, [ebp+var_1C]
		push	ecx		; size_t
		push	dword ptr [eax+4] ; void *
		push	ebx		; void *
		call	_memmove
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebx+edi*2-2], ax

loc_8B40A6:				; CODE XREF: _RegRtlQueryKeyPathName+4Cj
					; _RegRtlQueryKeyPathName+838F9j ...
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_8B40BE

loc_8B40AD:				; CODE XREF: _RegRtlQueryKeyPathName+CCj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_8B40B6:				; CODE XREF: _RegRtlQueryKeyPathName+54j
		push	8
		lea	edi, [ebp+var_24]
		pop	ecx
		jmp	short loc_8B4050
; 

loc_8B40BE:				; CODE XREF: _RegRtlQueryKeyPathName+B3j
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_8B40AD
_RegRtlQueryKeyPathName	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepSdbBootInitialize proc near		; CODE XREF: KseShimDatabaseBootInitialize+61p
					; KseShimDatabaseBootInitialize+FAC2p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009379D4 SIZE 000000BB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		mov	ecx, esi
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9379D4
		push	esi		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, esi
		mov	ecx, edi
		call	SdbInitDatabaseInMemory
		test	eax, eax
		jz	loc_937A2E
		mov	esi, [ebp+arg_0]
		mov	[esi+4], edi
		mov	[esi], eax
		mov	ecx, [eax+4]
		call	SdbGetDatabaseEdition
		mov	[esi+20h], eax
		xor	esi, esi

loc_8B4114:				; CODE XREF: KsepSdbBootInitialize+83963j
					; KsepSdbBootInitialize+839C4j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
KsepSdbBootInitialize endp

; 
		align 2

WheapEtwEnableCallback:			; DATA XREF: WheapInitializeEventing+4Eo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, [ebp+0Ch]
		mov	_WheapEventingInitialized, eax
		push	ebx
		push	esi
		push	edi
		cmp	eax, 1
		jnz	loc_8B41BF
		xor	edi, edi
		mov	ebx, offset _WheapWaitingETWEvents

loc_8B4142:				; CODE XREF: PAGE:00937A9Ej
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset _WheapWaitingETWEventLock
		call	KeWaitForSingleObject
		mov	esi, _WheapWaitingETWEvents
		cmp	[esi+4], ebx
		jnz	short loc_8B41C8
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_8B41C8
		push	edi
		push	edi
		mov	_WheapWaitingETWEvents,	eax
		push	offset _WheapWaitingETWEventLock
		mov	[eax+4], ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		cmp	esi, ebx
		jnz	loc_937A8F
		mov	ebx, offset _WheapDeferredInternalLogs

loc_8B4183:				; CODE XREF: PAGE:00937AACj
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset _WheapDeferredInternalLogsEventLock
		call	KeWaitForSingleObject
		mov	esi, _WheapDeferredInternalLogs
		cmp	[esi+4], ebx
		jnz	short loc_8B41C8
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_8B41C8
		push	edi
		push	edi
		mov	_WheapDeferredInternalLogs, eax
		push	offset _WheapDeferredInternalLogsEventLock
		mov	[eax+4], ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		cmp	esi, ebx
		jnz	loc_937AA3

loc_8B41BF:				; CODE XREF: PAGE:008B4135j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
; 

loc_8B41C8:				; CODE XREF: PAGE:008B4159j
					; PAGE:008B4160j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 894. IoInitializeTimer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoInitializeTimer(x, x, x)
		public _IoInitializeTimer@12
_IoInitializeTimer@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, [esi+18h]
		test	edx, edx
		jnz	short loc_8B4213
		push	69546F49h
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_8B4238
		and	dword ptr [edx+2], 0
		and	dword ptr [edx+6], 0
		xor	eax, eax
		mov	[edx+0Ah], ax
		push	9
		pop	eax
		mov	[edx], ax
		mov	[edx+14h], esi
		mov	[esi+18h], edx

loc_8B4213:				; CODE XREF: IoInitializeTimer(x,x,x)+Ej
		mov	eax, [ebp+arg_4]
		mov	ecx, offset _IopTimerQueueHead
		mov	[edx+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[edx+10h], eax
		add	edx, 4
		push	offset _IopTimerLock
		call	@ExfInterlockedInsertTailList@12 ; ExfInterlockedInsertTailList(x,x,x)
		xor	eax, eax

loc_8B4233:				; CODE XREF: IoInitializeTimer(x,x,x)+6Bj
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_8B4238:				; CODE XREF: IoInitializeTimer(x,x,x)+25j
		mov	eax, 0C000009Ah
		jmp	short loc_8B4233
_IoInitializeTimer@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_CmGetMatchingDeviceInterfaceList proc near ; CODE XREF: _PnpDispatchDeviceInterface+C5p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00937AB1 SIZE 0000004A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	ebx, [ecx+100h]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_18], edi
		mov	edi, 0C0000120h
		mov	[ebp+var_34], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], esi
		mov	[ebp+var_14], eax
		test	ebx, ebx
		jz	short loc_8B42B8
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	4
		push	3
		push	0
		push	ecx
		call	ebx
		cmp	eax, 0C0000002h
		jnz	loc_937AB1
		xor	ebx, ebx

loc_8B42B5:				; CODE XREF: _CmGetMatchingDeviceInterfaceList+83879j
		mov	ecx, [ebp+var_34]

loc_8B42B8:				; CODE XREF: _CmGetMatchingDeviceInterfaceList+57j
		push	[ebp+var_14]
		mov	edx, [ebp+var_28]
		push	[ebp+var_18]
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		call	__CmGetMatchingDeviceInterfaceListWorker@28 ; _CmGetMatchingDeviceInterfaceListWorker(x,x,x,x,x,x,x)
		mov	esi, eax
		test	ebx, ebx
		jnz	loc_937AC6

loc_8B42D9:				; CODE XREF: _CmGetMatchingDeviceInterfaceList+83881j
					; _CmGetMatchingDeviceInterfaceList+8389Fj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_CmGetMatchingDeviceInterfaceList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetMatchingDeviceInterfaceListWorker(x, x, x, x,	x, x, x)
__CmGetMatchingDeviceInterfaceListWorker@28 proc near
					; CODE XREF: _CmGetMatchingDeviceInterfaceList+8Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_10]
		test	si, si
		jnz	short loc_8B4318
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	0
		push	0
		xor	edx, edx
		call	_CmGetMatchingFilteredDeviceInterfaceList

loc_8B4313:				; CODE XREF: _CmGetMatchingDeviceInterfaceListWorker(x,x,x,x,x,x,x)+31j
		pop	esi
		pop	ebp
		retn	14h
; 

loc_8B4318:				; CODE XREF: _CmGetMatchingDeviceInterfaceListWorker(x,x,x,x,x,x,x)+Cj
		mov	eax, 0C000000Dh
		jmp	short loc_8B4313
__CmGetMatchingDeviceInterfaceListWorker@28 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpDriverLoadingFailed proc near	; CODE XREF: IopLoadDriver+5EBp
					; IopInitializeBuiltinDriver(x,x,x,x,x,x)+358p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00937AFB SIZE 00000334 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	esi, esi
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_58], esi
		mov	eax, edx
		mov	[ebp+var_50], edi
		push	0Ah
		inc	ebx
		mov	[ebp+var_60], eax
		mov	[ebp+var_44], edi
		mov	[ebp+var_54], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_4C], esi
		pop	ecx
		test	edi, edi
		jz	loc_937AFB
		push	8
		pop	eax
		mov	word ptr [ebp+var_34], ax
		mov	edx, edi
		push	20019h
		lea	eax, [ebp+var_34]
		mov	word ptr [ebp+var_34+2], cx
		push	eax
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_30], offset ??_C@_19DDCEFKEI@?$AAE?$AAn?$AAu?$AAm@NNGAKEGL@ ; "Enum"
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)

loc_8B4386:				; CODE XREF: PnpDriverLoadingFailed+837F9j
		test	eax, eax
		jns	loc_937B1E

loc_8B438E:				; CODE XREF: PnpDriverLoadingFailed+83AEFj
					; PnpDriverLoadingFailed+83B0Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PnpDriverLoadingFailed endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmFcpMapSection	proc near		; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+151p
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+F5p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00937E2F SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		xor	ecx, ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_4], ecx
		mov	eax, [ebx+8]
		test	eax, eax
		jnz	loc_937E2F
		mov	[esi], ecx
		mov	[esi+4], ecx
		mov	[esi+8], ecx
		mov	[esi+0Ch], ecx
		mov	eax, [ebx]
		mov	[esi], eax
		mov	eax, [ebx+4]
		mov	[esi+4], eax
		mov	eax, ecx

loc_8B43D4:				; CODE XREF: CmFcpMapSection+83AA4j
					; CmFcpMapSection+83ACAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CmFcpMapSection	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipISCleanup(x)
_WmipISCleanup@4 proc near		; DATA XREF: .data:006B29E0o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_8B43F6
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+30h], 0

loc_8B43F6:				; CODE XREF: WmipISCleanup(x)+Ej
		pop	esi
		pop	ebp
		retn	4
_WmipISCleanup@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpGetSystemFlushInformation proc near	; CODE XREF: PAGE:00781989p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 00937E6D SIZE 00000008 BYTES
; FUNCTION CHUNK AT 00937E9F SIZE 000000BA BYTES

		push	38h
		push	offset dword_6A7610
		call	__SEH_prolog4_GS
		mov	edi, ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edi
		xor	esi, esi
		mov	ebx, esi
		mov	edx, esi
		mov	eax, ds:_KeFeatureBits
		and	eax, 40000h
		or	eax, esi
		jz	short loc_8B4425
		inc	edx

loc_8B4425:				; CODE XREF: ExpGetSystemFlushInformation+26j
		mov	ecx, ds:dword_70E754
		and	ecx, 2
		mov	eax, esi
		or	eax, ecx
		jnz	loc_937E6D

loc_8B4438:				; CODE XREF: ExpGetSystemFlushInformation+83A74j
		mov	[ebp+ms_exc.disabled], esi
		mov	[edi], edx
		mov	eax, large fs:20h
		mov	eax, [eax+3B8h]
		mov	[edi+4], eax
		mov	[edi+8], esi
		mov	[edi+0Ch], esi
		mov	[edi+10h], esi
		mov	[edi+14h], esi
		mov	[edi+18h], esi
		mov	[edi+1Ch], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8B4465:				; CODE XREF: sub_937E85+15j
		mov	al, _ExpPlatformCapabilitiesCached
		test	al, al
		jnz	short loc_8B44C2
		mov	[ebp+var_38], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], 41435049h
		mov	[ebp+var_2C], 1
		mov	[ebp+var_28], 5449464Eh
		mov	[ebp+var_24], esi
		lea	eax, [ebp+var_34]
		push	eax
		push	14h
		xor	dl, dl
		lea	ecx, [ebp+var_30]
		call	ExpGetSystemFirmwareTableInformation
		cmp	eax, 0C0000023h
		jz	loc_937E9F

loc_8B44AA:				; CODE XREF: ExpGetSystemFlushInformation+83AB6j
					; ExpGetSystemFlushInformation+83B58j
		mov	eax, [ebp+var_38]
		mov	_ExpPlatformFlushCapabilities, eax
		mov	eax, esi
		mov	dword_6FD63C, eax
		mov	_ExpPlatformCapabilitiesCached,	1
		mov	ebx, esi

loc_8B44C2:				; CODE XREF: ExpGetSystemFlushInformation+70j
		mov	ecx, _ExpPlatformFlushCapabilities
		mov	edx, dword_6FD63C
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
ExpGetSystemFlushInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTraceLeapSecondDataUpdate proc near	; CODE XREF: ExpReadLeapSecondData(x,x)+196p
					; INIT:00AC2EA1p

var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00937F59 SIZE 0000008E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		xor	ebx, ebx
		mov	[ebp+var_C0], esi
		cmp	dword_6B2A40, 5
		mov	[ebp+var_BC], edi
		jbe	short loc_8B4531
		push	4000h
		push	ebx
		mov	ecx, offset dword_6B2A40
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_937F59

loc_8B4531:				; CODE XREF: EtwTraceLeapSecondDataUpdate+31j
		push	4
		pop	edi

loc_8B4534:				; CODE XREF: EtwTraceLeapSecondDataUpdate+83AFCj
		mov	ecx, _EtwKernelProvRegHandle
		mov	eax, ecx
		mov	edx, dword_6BC12C
		or	eax, edx
		jz	short loc_8B459A
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_44], ebx
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	edi
		push	ebx
		push	offset _KernelLeapSecondDataUpdate
		push	edx
		push	ecx
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_8B459A:				; CODE XREF: EtwTraceLeapSecondDataUpdate+5Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
EtwTraceLeapSecondDataUpdate endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpLoadMicroarchitecturalPmcs proc near ; CODE	XREF: EtwpInitialize:loc_AC4A84p

var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00937FE7 SIZE 00000115 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 254h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebp+var_220]
		push	218h		; size_t
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_224], esi
		mov	[ebp+var_228], esi
		call	_memset
		mov	ebx, offset ??_C@_1IK@FCPDDGMM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		mov	[ebp+var_230], esi
		mov	ecx, ebx
		mov	[ebp+var_22C], esi
		add	esp, 0Ch
		mov	[ebp+var_24C], esi
		lea	edx, [ecx+2]

loc_8B4603:				; CODE XREF: EtwpLoadMicroarchitecturalPmcs+60j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_8B4603
		sub	ecx, edx
		sar	ecx, 1
		push	50777445h
		lea	eax, ds:202h[ecx*2]
		push	eax
		push	1
		mov	[ebp+var_250], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8B4698
		push	ebx
		lea	eax, [ebp+var_230]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_230]
		mov	[ebp+var_248], 18h
		mov	[ebp+var_240], eax
		lea	eax, [ebp+var_248]
		push	eax
		push	20019h
		lea	eax, [ebp+var_228]
		mov	[ebp+var_244], esi
		push	eax
		mov	[ebp+var_23C], 240h
		mov	[ebp+var_238], esi
		mov	[ebp+var_234], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	short loc_8B46A7

loc_8B468D:				; CODE XREF: EtwpLoadMicroarchitecturalPmcs+83B4Bj
		push	50777445h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8B4698:				; CODE XREF: EtwpLoadMicroarchitecturalPmcs+84j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_8B46A7:				; CODE XREF: EtwpLoadMicroarchitecturalPmcs+DFj
		or	ebx, 0FFFFFFFFh
		jmp	loc_937FE7
EtwpLoadMicroarchitecturalPmcs endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpCoverageProvEnableCallback proc near ; DATA	XREF: EtwpInitializeCoverage()+Ao

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009380FC SIZE 000000A5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		inc	ebx
		cmp	dword_6B2A68, 0
		push	esi
		jbe	short loc_8B46D9
		push	0
		push	ebx
		mov	ecx, offset dword_6B2A68
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jnz	loc_9380FC

loc_8B46D9:				; CODE XREF: EtwpCoverageProvEnableCallback+12j
		xor	bl, bl

loc_8B46DB:				; CODE XREF: EtwpCoverageProvEnableCallback+83A53j
					; EtwpCoverageProvEnableCallback+83A64j ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _EtwpCoverageLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, _EtwpCoverageContext
		mov	_EtwpCoverageLockOwner,	eax
		test	ecx, ecx
		jnz	loc_938145

loc_8B4710:				; CODE XREF: EtwpCoverageProvEnableCallback+83A9Ej
					; EtwpCoverageProvEnableCallback+83ABCj ...
		and	_EtwpCoverageLockOwner,	0
		movzx	eax, bl
		mov	_EtwpCoverageCoreTracingEnabled, eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_93818D

loc_8B472E:				; CODE XREF: EtwpCoverageProvEnableCallback+83ADFj
					; EtwpCoverageProvEnableCallback+83AECj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi
		pop	ebx
		leave
		retn	24h
EtwpCoverageProvEnableCallback endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipUpdateSetupInProgress proc near	; CODE XREF: PipUpdateSetupInProgressNotify(x,x)+43p
					; IopInitializePlugPlayServices(x,x)+439p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009381A1 SIZE 00000043 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	eax, ecx
		xor	ebx, ebx
		push	edi
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_C], eax
		push	ecx
		push	ebx
		mov	edx, offset ??_C@_1CM@DHJDDPJO@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAe?$AAt?$AAu?$AAp?$AAI?$AAn?$AAP?$AAr@NNGAKEGL@
		mov	[ebp+var_4], ebx
		mov	ecx, eax
		mov	[ebp+var_8], ebx
		mov	esi, ebx
		mov	edi, ebx
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_8B4798
		mov	ecx, [ebp+var_4]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_8B4791
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_8B4791
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	[ebp+var_8], eax

loc_8B4791:				; CODE XREF: PipUpdateSetupInProgress+38j
					; PipUpdateSetupInProgress+3Ej
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8B4798:				; CODE XREF: PipUpdateSetupInProgress+2Fj
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		mov	edx, offset ??_C@_1BO@JHOBKEAA@?$AAO?$AAO?$AAB?$AAE?$AAI?$AAn?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs@NNGAKEGL@
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_8B47CA
		mov	ecx, [ebp+var_4]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_8B47C3
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_8B47C3
		mov	eax, [ecx+8]
		mov	esi, [ecx+eax]

loc_8B47C3:				; CODE XREF: PipUpdateSetupInProgress+6Dj
					; PipUpdateSetupInProgress+73j
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8B47CA:				; CODE XREF: PipUpdateSetupInProgress+64j
		cmp	[ebp+var_8], ebx
		jnz	short loc_8B47EB
		test	esi, esi
		jnz	loc_9381A1

loc_8B47D7:				; CODE XREF: PipUpdateSetupInProgress+A5j
					; PipUpdateSetupInProgress+83A6Dj ...
		pop	edi
		test	esi, esi
		mov	_PnpSetupInProgress, bl
		pop	esi
		setnz	_PnpSetupOOBEInProgress
		pop	ebx
		leave
		retn
; 

loc_8B47EB:				; CODE XREF: PipUpdateSetupInProgress+85j
					; PipUpdateSetupInProgress+83A97j
		mov	bl, 1
		jmp	short loc_8B47D7
PipUpdateSetupInProgress endp

; 
		align 10h

;  S U B	R O U T	I N E 


PopExtendConnectionState proc near	; CODE XREF: PopSetGlobalUserStatus(x,x):loc_8414E3p
					; PopInitializeAdpm()+39j

; FUNCTION CHUNK AT 009381E4 SIZE 0000003D BYTES

		mov	edi, edi
		push	esi
		mov	esi, _PopMaximumConnectionSessions
		push	edi
		test	esi, esi
		jnz	loc_9381E4
		push	8
		pop	esi

loc_8B4805:				; CODE XREF: PopExtendConnectionState+839FEj
					; PopExtendConnectionState+83A09j
		push	73655350h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8B4852
		push	ebx
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ebx, _PopConnectionState
		add	esp, 0Ch
		test	ebx, ebx
		jnz	loc_9381FE

loc_8B4833:				; CODE XREF: PopExtendConnectionState+83A2Cj
		mov	eax, esi
		mov	_PopConnectionState, edi
		shl	eax, 3
		mov	_PopMaximumConnectionSessions, eax
		mov	_PopConnectionBitmap, eax
		mov	dword_6BFB84, edi
		pop	ebx

loc_8B484F:				; CODE XREF: PopExtendConnectionState+69j
		pop	edi
		pop	esi
		retn
; 

loc_8B4852:				; CODE XREF: PopExtendConnectionState+26j
		and	_PopMaximumConnectionSessions, 0
		jmp	short loc_8B484F
PopExtendConnectionState endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpInitFullProcessSecurityInfo(x, x, x)
_ExpInitFullProcessSecurityInfo@12 proc	near
					; DATA XREF: ExCheckFullProcessInformationAccess+1Bo

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_8		= dword	ptr -8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		lea	eax, [ebp+var_64]
		push	54h		; size_t
		xor	esi, esi
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_68], esi
		lea	eax, [ebp+var_84]
		mov	[ebp+var_84], 18h
		mov	[ebp+var_80], esi
		mov	[ebp+var_7C], offset off_A41204
		push	eax
		push	1
		lea	eax, [ebp+var_68]
		mov	[ebp+var_78], 240h
		push	eax
		mov	[ebp+var_74], esi
		mov	[ebp+var_70], esi
		mov	[ebp+var_6C], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8B490B
		lea	eax, [ebp+var_6C]
		push	eax
		push	54h
		lea	eax, [ebp+var_64]
		push	eax
		push	2
		push	offset unk_6B3018
		push	[ebp+var_68]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8B4903
		cmp	[ebp+var_5C], 44h
		ja	short loc_8B4923
		push	[ebp+var_5C]	; size_t
		lea	eax, [ebp+var_58]
		mov	ebx, offset _ExpFullProcessInformationSid
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[edi], ebx

loc_8B4903:				; CODE XREF: ExpInitFullProcessSecurityInfo(x,x,x)+88j
					; ExpInitFullProcessSecurityInfo(x,x,x)+CCj
		push	[ebp+var_68]
		call	_ZwClose@4	; ZwClose(x)

loc_8B490B:				; CODE XREF: ExpInitFullProcessSecurityInfo(x,x,x)+69j
		mov	ecx, [ebp+var_8]
		not	esi
		shr	esi, 1Fh
		xor	ecx, ebp
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_8B4923:				; CODE XREF: ExpInitFullProcessSecurityInfo(x,x,x)+8Ej
		mov	esi, 0C0000023h
		jmp	short loc_8B4903
_ExpInitFullProcessSecurityInfo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtSetDefaultHardErrorPort proc near	; DATA XREF: .text:00580CFCo

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00938221 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, large fs:124h
		mov	esi, eax
		mov	cl, [ecx+15Ah]
		mov	byte ptr [ebp+var_4], cl
		push	[ebp+var_4]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_938221
		cmp	dword ptr [esi+200h], 1
		jz	short loc_8B49DE
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		xor	edx, edx
		push	edx
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, ds:_LpcPortObjectType
		push	eax
		push	edx
		push	[ebp+arg_0]
		mov	[ebp+var_4], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	[esi+1FCh], ecx
		test	eax, eax
		js	short loc_8B49D9
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	short loc_8B49B6
		mov	_ExReadyForErrors, 1

loc_8B49B6:				; CODE XREF: NtSetDefaultHardErrorPort+83j
		mov	eax, large fs:124h
		mov	dword ptr [esi+200h], 1
		mov	ecx, [eax+80h]
		mov	[esi+1F8h], ecx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	eax, eax

loc_8B49D9:				; CODE XREF: NtSetDefaultHardErrorPort+7Aj
					; NtSetDefaultHardErrorPort+B9j ...
		pop	esi
		leave
		retn	4
; 

loc_8B49DE:				; CODE XREF: NtSetDefaultHardErrorPort+42j
		mov	eax, 0C0000001h
		jmp	short loc_8B49D9
NtSetDefaultHardErrorPort endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpGetSystemWriteConstraintInformation proc near ; CODE	XREF: PAGE:0078204Bp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 0093822B SIZE 0000008B BYTES

		push	58h
		push	offset dword_6A7630
		call	__SEH_prolog4
		mov	ebx, ecx
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_68], 18h
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], offset dword_A411F8
		mov	[ebp+var_5C], 240h
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], eax
		push	6
		pop	ecx
		lea	edi, [ebp+var_50]
		rep stosd
		xor	edi, edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], edi
		push	edi
		push	edi
		push	20h
		push	1
		push	edi
		push	80h
		push	edi
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		push	100000h
		lea	eax, [ebp+var_20]
		push	eax
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	loc_93822B
		mov	esi, edi

loc_8B4A63:				; CODE XREF: ExpGetSystemWriteConstraintInformation+83847j
					; ExpGetSystemWriteConstraintInformation+83880j ...
		cmp	[ebp+var_20], edi
		jnz	loc_93829C

loc_8B4A6C:				; CODE XREF: ExpGetSystemWriteConstraintInformation+838BEj
		cmp	[ebp+var_24], edi
		jnz	loc_9382A9

loc_8B4A75:				; CODE XREF: ExpGetSystemWriteConstraintInformation+838CBj
		mov	[ebp+ms_exc.disabled], edi
		mov	eax, [ebp+var_38]
		mov	[ebx], eax
		mov	eax, [ebp+var_34]
		mov	[ebx+4], eax

loc_8B4A83:				; CODE XREF: sub_9382C6+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
ExpGetSystemWriteConstraintInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtOpenPartition	proc near		; DATA XREF: .text:00580F1Co

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0093830E SIZE 00000010 BYTES

		push	18h
		push	offset dword_6A7650
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_20], al
		test	al, al
		jz	short loc_8B4ADA
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jnb	short loc_8B4B33

loc_8B4ACF:				; CODE XREF: NtOpenPartition+99j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8B4ADA:				; CODE XREF: NtOpenPartition+22j
		mov	esi, ds:_PsPartitionType
		lea	eax, [ebp+var_1C]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	edi
		push	[ebp+arg_4]
		push	edi
		push	[ebp+var_20]
		push	esi
		push	[ebp+arg_8]
		call	ObOpenObjectByNameEx
		mov	esi, eax
		test	esi, esi
		js	short loc_8B4B21
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_1C]
		mov	[ecx], eax

loc_8B4B10:				; CODE XREF: sub_938303+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		js	loc_93830E

loc_8B4B1F:				; CODE XREF: NtOpenPartition+8387Dj
		mov	eax, esi

loc_8B4B21:				; CODE XREF: NtOpenPartition+63j
					; sub_9382E1+Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_8B4B33:				; CODE XREF: NtOpenPartition+31j
		mov	ecx, eax
		jmp	short loc_8B4ACF
NtOpenPartition	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2173. RtlInitializeUnicodePrefix

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitializeUnicodePrefix(x)
		public _RtlInitializeUnicodePrefix@4
_RtlInitializeUnicodePrefix@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax+8], 0
		mov	dword ptr [eax], 800h
		mov	[eax+4], eax
		pop	ebp
		retn	4
_RtlInitializeUnicodePrefix@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2479. SeOpenObjectAuditAlarmForNonObObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public SeOpenObjectAuditAlarmForNonObObject
SeOpenObjectAuditAlarmForNonObObject proc near

var_A		= dword	ptr -0Ah
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

; FUNCTION CHUNK AT 0093831E SIZE 0000014D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_24]
		test	bl, bl
		push	esi
		mov	esi, [ebp+arg_14]
		setz	al
		push	edi
		push	esi
		movzx	eax, al
		mov	dl, bl
		push	eax
		push	77h
		pop	ecx
		mov	byte ptr [esp+20h+var_A+1], 0
		call	SepAdtAuditThisEventWithContext
		mov	byte ptr [esp+18h+var_A], al
		test	al, al
		jnz	loc_93831E

loc_8B4B93:				; CODE XREF: SeOpenObjectAuditAlarmForNonObObject+83884j
		cmp	[ebp+arg_20], 0
		jnz	loc_93842F

loc_8B4B9D:				; CODE XREF: SeOpenObjectAuditAlarmForNonObObject+838D0j
					; SeOpenObjectAuditAlarmForNonObObject+838D7j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
SeOpenObjectAuditAlarmForNonObObject endp


;  S U B	R O U T	I N E 


NtSerializeBoot	proc near		; DATA XREF: .text:00580D18o

; FUNCTION CHUNK AT 0093846B SIZE 00000014 BYTES

		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 1
		jnz	loc_93846B
		push	1
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_938475
		jmp	_PnpSerializeBoot@0 ; PnpSerializeBoot()
NtSerializeBoot	endp

; [00000001 BYTES: COLLAPSED FUNCTION nullsub_10. PRESS	KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDcAllocateGenericTableEntry(x, x)
_PiDcAllocateGenericTableEntry@8 proc near ; DATA XREF:	PiDcInit(x)+2Fo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	47706E50h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_PiDcAllocateGenericTableEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwAllocateGenericTableEntry(x, x)
_PiSwAllocateGenericTableEntry@8 proc near ; DATA XREF:	PiSwInit()+10o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	57706E50h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_PiSwAllocateGenericTableEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEsPowerSettingPolicyCallback	proc near

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0093847F SIZE 0000003B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	loc_9384B0
		cmp	[ebp+arg_8], 4
		jnz	loc_9384B0
		mov	eax, large fs:124h
		xor	ebx, ebx
		push	edi
		mov	byte ptr [ebp+arg_4+3],	bl
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopEsLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		mov	dword_6BFD2C, ecx
		mov	eax, [esi]
		cmp	eax, 1
		jz	loc_93847F
		test	eax, eax
		jnz	short loc_8B4C70
		cmp	byte_6C2D54, bl
		jnz	loc_938494

loc_8B4C70:				; CODE XREF: PopEsPowerSettingPolicyCallback+58j
					; PopEsPowerSettingPolicyCallback+8387Bj ...
		test	ecx, ecx
		jz	short loc_8B4C7A
		mov	dword_6BFD2C, ebx

loc_8B4C7A:				; CODE XREF: PopEsPowerSettingPolicyCallback+68j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		cmp	byte ptr [ebp+arg_4+3],	bl
		jnz	loc_9384A3

loc_8B4C92:				; CODE XREF: PopEsPowerSettingPolicyCallback+838A1j
					; PopEsPowerSettingPolicyCallback+838ABj
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	10h
PopEsPowerSettingPolicyCallback	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEsPowerSettingBatteryThresholdCallback(x, x, x, x)
_PopEsPowerSettingBatteryThresholdCallback@16 proc near

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, 0C000000Dh
		test	edi, edi
		jz	short loc_8B4D0E
		cmp	[ebp+arg_8], 4
		jnz	short loc_8B4D0E
		mov	eax, large fs:124h
		xor	esi, esi
		push	ebx
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PopEsLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, large fs:124h
		push	64h
		mov	dword_6BFD2C, edx
		mov	eax, [edi]
		pop	ecx
		mov	dword_6C2D50, eax
		cmp	eax, ecx
		ja	short loc_8B4D16

loc_8B4CED:				; CODE XREF: PopEsPowerSettingBatteryThresholdCallback(x,x,x,x)+82j
		test	edx, edx
		jz	short loc_8B4CF7
		mov	dword_6BFD2C, esi

loc_8B4CF7:				; CODE XREF: PopEsPowerSettingBatteryThresholdCallback(x,x,x,x)+55j
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	2
		pop	ecx
		call	_PopEsWorkItemSchedule@4 ; PopEsWorkItemSchedule(x)
		pop	ebx

loc_8B4D0E:				; CODE XREF: PopEsPowerSettingBatteryThresholdCallback(x,x,x,x)+11j
					; PopEsPowerSettingBatteryThresholdCallback(x,x,x,x)+17j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_8B4D16:				; CODE XREF: PopEsPowerSettingBatteryThresholdCallback(x,x,x,x)+51j
		mov	dword_6C2D50, ecx
		jmp	short loc_8B4CED
_PopEsPowerSettingBatteryThresholdCallback@16 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerRequestOverrideInitialize()
_PopPowerRequestOverrideInitialize@0 proc near
					; CODE XREF: PopUmpoProcessPowerMessage:loc_76662Ep
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopPowerRequestLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopPowerRequestObjectList
		mov	ebx, offset _PopPowerRequestObjectList
		jmp	short loc_8B4D53
; 

loc_8B4D4A:				; CODE XREF: PopPowerRequestOverrideInitialize()+37j
		mov	ecx, esi
		call	_PopUmpoSendPowerRequestOverrideQuery@4	; PopUmpoSendPowerRequestOverrideQuery(x)
		mov	esi, [esi]

loc_8B4D53:				; CODE XREF: PopPowerRequestOverrideInitialize()+2Aj
		cmp	esi, ebx
		jnz	short loc_8B4D4A
		cmp	dword_6C3884, 0
		jnz	short loc_8B4D71

loc_8B4D60:				; CODE XREF: PopPowerRequestOverrideInitialize()+5Aj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
; 

loc_8B4D71:				; CODE XREF: PopPowerRequestOverrideInitialize()+40j
		and	dword_6C3884, 0
		jmp	short loc_8B4D60
_PopPowerRequestOverrideInitialize@0 endp


;  S U B	R O U T	I N E 


; __stdcall MiInitializeSystemCache(x)
_MiInitializeSystemCache@4 proc	near	; CODE XREF: MiObtainSystemCacheView+651p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, 80000000h
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		lea	ecx, [esi+450h]
		mov	edx, eax
		call	_InitializeListHeadPte@8 ; InitializeListHeadPte(x,x)
		cmp	esi, offset _MiSystemPartition
		jnz	short loc_8B4DD3
		mov	al, byte_6D36A0
		and	dword_6D2EA8, 0
		and	al, 0FAh
		or	al, 2
		mov	byte_6D36A0, al
		mov	eax, ds:_MiLowHalVa
		sub	eax, dword_6D07D0
		shr	eax, 0Ch

loc_8B4DC1:				; CODE XREF: MiInitializeSystemCache(x)+5Bj
		push	eax
		push	2
		lea	edx, [esi+1040h]
		mov	ecx, esi
		call	MiInitializeSystemWorkingSetList
		pop	esi
		retn
; 

loc_8B4DD3:				; CODE XREF: MiInitializeSystemCache(x)+22j
		xor	eax, eax
		jmp	short loc_8B4DC1
_MiInitializeSystemCache@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpInitializePrivateSessionDemuxObject()
_EtwpInitializePrivateSessionDemuxObject@0 proc	near ; CODE XREF: EtwpInitialize+111p

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		push	58h
		pop	esi
		xor	ebx, ebx
		lea	eax, [ebp+var_60]
		push	esi		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_memset
		mov	word ptr [ebp+var_60], si
		lea	edi, [ebp+var_54]
		mov	esi, offset _EtwpGenericMapping
		mov	[ebp+var_58], 100h
		add	esp, 0Ch
		lea	eax, [ebp+var_8]
		movsd
		push	offset ??_C@_1CK@IBJMKJMK@?$AAE?$AAt?$AAw?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAD?$AAe?$AAm?$AAu?$AAx@NNGAKEGL@
		push	eax
		movsd
		movsd
		movsd
		or	byte ptr [ebp+var_60+2], 14h
		mov	[ebp+var_3C], 1
		mov	[ebp+var_38], 14h
		mov	[ebp+var_2C], offset _EtwpOpenRegistrationObject@24 ; EtwpOpenRegistrationObject(x,x,x,x,x,x)
		mov	[ebp+var_24], offset _EtwpDeleteSessionDemuxObject@4 ; EtwpDeleteSessionDemuxObject(x)
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _EtwpSessionDemuxObjectType
		push	ebx
		push	ebx
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	ObCreateObjectTypeEx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpInitializePrivateSessionDemuxObject@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlQueryEnlightenmentInfo proc near	; CODE XREF: PAGE:00780B44p

var_30		= byte ptr -30h
var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009384BA SIZE 00000014 BYTES

		push	20h
		push	offset dword_6A7678
		call	__SEH_prolog4
		cmp	[ebp+arg_0], 0
		jnz	loc_9384BA
		cmp	edx, 10h
		jnz	loc_9384C4
		and	[ebp+var_2C], 0
		cmp	ds:_HvlHypervisorConnected, 0
		setnz	[ebp+var_30]
		mov	al, byte ptr ds:_HvlpRootFlags
		shr	al, 3
		and	al, 1
		mov	[ebp-2Fh], al
		mov	eax, ds:_HvlpFlags
		shr	eax, 0Ch
		and	al, 1
		mov	[ebp+var_2E], al
		mov	al, byte ptr ds:_HvlpSchedulerType
		mov	[ebp+var_2D], al
		mov	eax, ds:_HvlEnlightenments
		mov	[ebp+var_28], eax
		and	[ebp+var_24], 0
		xor	edx, edx
		and	[ebp+ms_exc.disabled], edx
		lea	esi, [ebp+var_30]
		mov	edi, ecx
		movsd
		movsd
		movsd
		movsd

loc_8B4EC4:				; CODE XREF: sub_9384DC+6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	edx, edx
		js	short loc_8B4EEC
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 10h

loc_8B4ED8:				; CODE XREF: HvlQueryEnlightenmentInfo+98j
		mov	eax, edx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8B4EEC:				; CODE XREF: HvlQueryEnlightenmentInfo+73j
					; HvlQueryEnlightenmentInfo+83665j ...
		mov	ecx, [ebp+arg_4]
		and	dword ptr [ecx], 0
		jmp	short loc_8B4ED8
HvlQueryEnlightenmentInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

TtmInit		proc near		; CODE XREF: PoInitSystem+807p

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 009384E7 SIZE 00000086 BYTES
; FUNCTION CHUNK AT 00938572 SIZE 000000AB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		cmp	ds:_TtmpEnabled, 1
		push	58h
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		pop	esi
		jz	loc_9384E7
		mov	ds:_TtmpQueueObjectType, ebx

loc_8B4F1D:				; CODE XREF: TtmInit+8368Bj
		push	offset _TtmpSessionLock
		call	ExInitializeResourceLite
		cmp	ds:_TtmpEnabled, 1
		mov	ds:_TtmpSession, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		jz	loc_938584
		mov	ds:_TtmpTerminalObjectType, ebx

loc_8B4F46:				; CODE XREF: TtmInit+8371Ej
		push	ebx
		mov	edx, offset _TtmpTraceLoggingCallback@36 ; TtmpTraceLoggingCallback(x,x,x,x,x,x,x,x,x)
		mov	ecx, offset dword_A93BC8
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		push	ebx
		xor	edx, edx
		mov	ecx, offset dword_A93C00
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
TtmInit		endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1094. KeAddSystemServiceTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeAddSystemServiceTable(x, x, x, x,	x)
		public _KeAddSystemServiceTable@20
_KeAddSystemServiceTable@20 proc near

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_10]
		cmp	eax, 1
		jz	short loc_8B4F80
		cmp	eax, 2
		jnz	short loc_8B4FCB

loc_8B4F80:				; CODE XREF: KeAddSystemServiceTable(x,x,x,x,x)+Bj
		cmp	eax, 2
		jz	short loc_8B4FC2
		cmp	ds:dword_70E690, 0
		jnz	short loc_8B4FCB
		cmp	ds:dword_70E710, 0
		jnz	short loc_8B4FCB

loc_8B4F97:				; CODE XREF: KeAddSystemServiceTable(x,x,x,x,x)+5Bj
		mov	edx, eax
		shl	edx, 4
		cmp	eax, 1
		jnz	short loc_8B4FCF
		mov	eax, [ebp+arg_0]
		mov	ds:_KeServiceDescriptorTableShadow[edx], eax
		mov	eax, [ebp+arg_8]
		mov	ds:dword_70E708[edx], eax
		mov	eax, [ebp+arg_C]
		mov	ds:dword_70E70C[edx], eax

loc_8B4FBC:				; CODE XREF: KeAddSystemServiceTable(x,x,x,x,x)+7Cj
		mov	al, 1

loc_8B4FBE:				; CODE XREF: KeAddSystemServiceTable(x,x,x,x,x)+5Fj
		pop	ebp
		retn	14h
; 

loc_8B4FC2:				; CODE XREF: KeAddSystemServiceTable(x,x,x,x,x)+15j
		cmp	ds:dword_70E6D0, 0
		jz	short loc_8B4F97

loc_8B4FCB:				; CODE XREF: KeAddSystemServiceTable(x,x,x,x,x)+10j
					; KeAddSystemServiceTable(x,x,x,x,x)+1Ej ...
		xor	al, al
		jmp	short loc_8B4FBE
; 

loc_8B4FCF:				; CODE XREF: KeAddSystemServiceTable(x,x,x,x,x)+31j
		mov	ecx, [ebp+arg_0]
		mov	ds:_KiSystemAllowedCpuSets[edx], ecx
		mov	ecx, [ebp+arg_8]
		mov	ds:_KiNonParkedCpuSets[edx], ecx
		mov	ecx, [ebp+arg_C]
		mov	ds:_KiReservedCpuSets[edx], ecx
		jmp	short loc_8B4FBC
_KeAddSystemServiceTable@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpUuidGetValues(x)
_ExpUuidGetValues@4 proc near		; CODE XREF: ExUuidCreate+F1p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		lea	edx, [ebp+var_8]
		push	esi
		mov	[ebp+var_10], eax
		mov	esi, ecx
		mov	[ebp+var_C], eax
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		call	ExpAllocateUuids
		mov	ecx, 0C000022Dh
		cmp	eax, ecx
		jz	short loc_8B505B
		test	eax, eax
		js	short loc_8B505F
		mov	ecx, [ebp+var_4]
		mov	eax, ecx
		mov	edx, [ebp+var_8]
		shr	eax, 8
		and	al, 3Fh
		mov	[esi+0Dh], cl
		or	al, 80h
		mov	[esi+0Ch], al
		lea	ecx, [edx-1]
		xor	eax, eax
		add	ecx, [ebp+var_10]
		adc	eax, [ebp+var_C]
		add	ecx, 3E42C000h
		mov	[esi], ecx
		adc	eax, 146BF3h
		mov	[esi+4], eax
		lea	eax, [esi+8]
		xchg	edx, [eax]
		xor	eax, eax

loc_8B5058:				; CODE XREF: ExpUuidGetValues(x)+71j
					; ExpUuidGetValues(x)+78j
		pop	esi
		leave
		retn
; 

loc_8B505B:				; CODE XREF: ExpUuidGetValues(x)+2Fj
		mov	eax, ecx
		jmp	short loc_8B5058
; 

loc_8B505F:				; CODE XREF: ExpUuidGetValues(x)+33j
		mov	eax, 0C0000017h
		jmp	short loc_8B5058
_ExpUuidGetValues@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopUserPresencePredictionModeCallback(void *,int,int,int)
PopUserPresencePredictionModeCallback proc near

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 0093861D SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	esi
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_USER_PRESENCE_PREDICTION ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_8B50DE
		cmp	[ebp+arg_8], 4
		jnz	short loc_8B50DE
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_8B50DE
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	eax, [esi]
		xor	esi, esi
		test	eax, eax
		jnz	loc_93861D
		push	44h		; size_t
		lea	eax, [ebp+var_44]
		mov	dword_6C2D60, esi
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	[ebp+var_40], 2

loc_8B50BC:				; CODE XREF: PopUserPresencePredictionModeCallback+835DBj
		add	esp, 0Ch
		mov	[ebp+var_44], 0Ch
		lea	ecx, [ebp+var_44]
		push	esi
		push	44h
		pop	edx
		call	PopUmpoSendPowerMessage

loc_8B50D2:				; CODE XREF: PopUserPresencePredictionModeCallback+835BCj
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_8B50D7:				; CODE XREF: PopUserPresencePredictionModeCallback+7Dj
		mov	eax, esi
		pop	esi
		leave
		retn	10h
; 

loc_8B50DE:				; CODE XREF: PopUserPresencePredictionModeCallback+1Dj
					; PopUserPresencePredictionModeCallback+23j ...
		mov	esi, 0C000000Dh
		jmp	short loc_8B50D7
PopUserPresencePredictionModeCallback endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipSaveGuidSecurityDescriptor proc near ; CODE	XREF: WmipSecurityMethod+13Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00938646 SIZE 00000062 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[esp+18h+var_4], ecx
		push	ebx
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		xor	esi, esi
		mov	[esp+18h+var_8], eax
		xor	edi, edi
		mov	[esp+18h+var_C], edi

loc_8B510C:				; CODE XREF: WmipSaveGuidSecurityDescriptor+83593j
		test	edi, edi
		jnz	loc_938646

loc_8B5114:				; CODE XREF: WmipSaveGuidSecurityDescriptor+83571j
		lea	eax, [esp+18h+var_C]
		push	eax		; int
		push	edi		; int
		push	esi		; void *
		push	0		; int
		push	0		; void *
		push	0		; int
		push	offset ??_C@_1CA@GCICNJFG@?$AAE?$AAT?$AAW?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@	; "ETWSecurityPath"
		call	RtlGetPersistedStateLocation
		mov	edi, eax
		cmp	edi, 80000005h
		jz	loc_938667
		test	edi, edi
		jz	loc_93867E

loc_8B5141:				; CODE XREF: WmipSaveGuidSecurityDescriptor+835B0j
		cmp	edi, 0C0000034h
		jnz	short loc_8B5165
		push	[esp+18h+var_8]
		mov	eax, [esp+1Ch+var_4]
		push	ebx
		push	3
		push	dword ptr [eax+4]
		push	offset ??_C@_1BK@FCPONPHF@?$AAW?$AAM?$AAI?$AA?2?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy@NNGAKEGL@
		push	2
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		mov	edi, eax

loc_8B5165:				; CODE XREF: WmipSaveGuidSecurityDescriptor+61j
		test	esi, esi
		jnz	loc_93869B

loc_8B516D:				; CODE XREF: WmipSaveGuidSecurityDescriptor+835BDj
		mov	eax, edi

loc_8B516F:				; CODE XREF: WmipSaveGuidSecurityDescriptor+8357Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
WmipSaveGuidSecurityDescriptor endp


;  S U B	R O U T	I N E 


; __stdcall PopUpdateExternalDisplayState(x)
_PopUpdateExternalDisplayState@4 proc near ; CODE XREF:	PopPowerInformationInternal+572p
		mov	edi, edi
		push	ebx
		mov	bl, cl
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	cl, bl
		mov	_PopConsoleExternalDisplayConnected, bl
		call	_PopDiagTraceExternalDisplayState@4 ; PopDiagTraceExternalDisplayState(x)
		xor	edx, edx
		mov	ecx, offset _PopExternalMonitorUpdatedWorkItem
		inc	edx
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)
		pop	ebx
		jmp	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
_PopUpdateExternalDisplayState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceExternalDisplayState(x)
_PopDiagTraceExternalDisplayState@4 proc near
					; CODE XREF: PopUpdateExternalDisplayState(x)+12p

var_39		= dword	ptr -39h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	dword_6B23F8, 5
		jbe	short loc_8B51EA
		lea	eax, [ebp+var_39]
		mov	byte ptr [ebp+var_39], cl
		mov	[ebp+var_18], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_39+1]
		mov	[ebp+var_14], ecx
		push	eax
		push	3
		push	ecx
		push	ecx
		push	(offset	loc_41E3F8+6)
		push	offset dword_6B23F8
		mov	[ebp+var_10], 1
		mov	[ebp+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_8B51EA:				; CODE XREF: PopDiagTraceExternalDisplayState(x)+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceExternalDisplayState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopDeepSleepPowerSettingCallback(void *,int,int,int)
_PopDeepSleepPowerSettingCallback@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		mov	esi, 0C000000Dh
		push	(offset	loc_408C56+2) ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_8B5240
		cmp	[ebp+arg_8], 4
		jnz	short loc_8B5240
		push	edi
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_8B523F
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		xor	esi, esi
		cmp	[edi], esi
		setnbe	_PopDeepSleepIsEnabled
		call	PopCheckResiliencyScenarios
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_8B523F:				; CODE XREF: PopDeepSleepPowerSettingCallback(x,x,x,x)+2Dj
		pop	edi

loc_8B5240:				; CODE XREF: PopDeepSleepPowerSettingCallback(x,x,x,x)+1Fj
					; PopDeepSleepPowerSettingCallback(x,x,x,x)+25j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
_PopDeepSleepPowerSettingCallback@16 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 935. IoRegisterBootDriverCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRegisterBootDriverCallback(x, x)
		public _IoRegisterBootDriverCallback@8
_IoRegisterBootDriverCallback@8	proc near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	esi
		xor	esi, esi
		cmp	_PnpBootDriverCallbackRegistrationClosed, 0
		mov	[esp+28h+var_20], esi
		mov	[esp+28h+var_1C], esi
		jnz	short loc_8B52D5
		cmp	ds:_PnpBootDriverCallbackObject, esi
		jnz	short loc_8B52BD
		push	(offset	loc_8B9463+1)
		lea	eax, [esp+2Ch+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	eax, [esp+2Ch+var_20]
		mov	[esp+2Ch+var_18], 18h
		mov	[esp+2Ch+var_10], eax
		lea	eax, [esp+2Ch+var_18]
		push	1
		push	eax
		push	offset _PnpBootDriverCallbackObject
		mov	[esp+38h+var_14], esi
		mov	[esp+38h+var_C], 240h
		mov	[esp+38h+var_8], esi
		mov	[esp+38h+var_4], esi
		call	_ExCreateCallback@16 ; ExCreateCallback(x,x,x,x)
		test	eax, eax
		js	short loc_8B52D5

loc_8B52BD:				; CODE XREF: IoRegisterBootDriverCallback(x,x)+25j
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ds:_PnpBootDriverCallbackObject
		call	ExRegisterCallback

loc_8B52CE:				; CODE XREF: IoRegisterBootDriverCallback(x,x)+8Bj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_8B52D5:				; CODE XREF: IoRegisterBootDriverCallback(x,x)+1Dj
					; IoRegisterBootDriverCallback(x,x)+6Fj
		xor	eax, eax
		jmp	short loc_8B52CE
_IoRegisterBootDriverCallback@8	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLoadUserSymbols proc near		; CODE XREF: MiMapViewOfImageSection+929p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 009386A8 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		call	MiReferenceControlAreaFile
		mov	ebx, eax
		lea	edx, [ebx+30h]
		cmp	[edx], si
		jz	loc_9386A8
		mov	eax, [edi]
		mov	eax, [eax+24h]
		mov	ecx, [eax+34h]
		mov	eax, [eax+2Ch]
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_8], eax
		call	DbgUnicodeStringToAnsiString
		mov	edx, ebx
		mov	ecx, edi
		mov	esi, eax
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		cmp	esi, 1
		jnz	short loc_8B534B
		push	[ebp+var_8]
		mov	edx, [ebp+var_10]
		lea	ecx, [ebp+var_18]
		push	[ebp+var_C]
		push	[ebp+arg_0]
		call	_DbgLoadUserImageSymbols@20 ; DbgLoadUserImageSymbols(x,x,x,x,x)
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlFreeAnsiString@4 ; RtlFreeAnsiString(x)

loc_8B534B:				; CODE XREF: MiLoadUserSymbols+52j
					; MiLoadUserSymbols+833D7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
MiLoadUserSymbols endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopPpmHeteroPolicyCallback(void	*,int,int,int)
PopPpmHeteroPolicyCallback proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 009386B6 SIZE 0000003E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_PROCESSOR_HETEROGENEOUS_POLICY ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_8B53B6
		cmp	[ebp+arg_8], 4
		jnz	short loc_8B53B6
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_8B53B6
		mov	esi, [esi]
		xor	edi, edi
		test	esi, esi
		js	short loc_8B53B2
		cmp	esi, 5
		jge	short loc_8B53B2

loc_8B5389:				; CODE XREF: PopPpmHeteroPolicyCallback+62j
		push	ebx
		mov	ebx, offset _PpmPerfPolicyLock
		mov	ecx, ebx
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		cmp	esi, ds:_PpmHeteroDesiredPolicy
		jnz	loc_9386B6

loc_8B53A2:				; CODE XREF: PopPpmHeteroPolicyCallback+8338Aj
		mov	ecx, ebx
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)

loc_8B53A9:				; CODE XREF: PopPpmHeteroPolicyCallback+8339Dj
		pop	ebx

loc_8B53AA:				; CODE XREF: PopPpmHeteroPolicyCallback+69j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_8B53B2:				; CODE XREF: PopPpmHeteroPolicyCallback+30j
					; PopPpmHeteroPolicyCallback+35j
		mov	esi, edi
		jmp	short loc_8B5389
; 

loc_8B53B6:				; CODE XREF: PopPpmHeteroPolicyCallback+1Bj
					; PopPpmHeteroPolicyCallback+21j ...
		mov	edi, 0C000000Dh
		jmp	short loc_8B53AA
PopPpmHeteroPolicyCallback endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 856. IoGetDeviceNumaNode

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetDeviceNumaNode(x, x)
		public _IoGetDeviceNumaNode@8
_IoGetDeviceNumaNode@8 proc near	; CODE XREF: IopGetNumaNodeInformation(x,x)+29p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_8B5418
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_8B5418
		test	dword ptr [eax+10Ch], 20000h
		jnz	short loc_8B5418
		mov	ecx, [eax+1A4h]
		cmp	ecx, 0FFFFFFFEh
		jnz	short loc_8B540A

loc_8B53F2:				; CODE XREF: IoGetDeviceNumaNode(x,x)+4Bj
		call	_KeQueryHighestNodeNumber@0 ; KeQueryHighestNodeNumber()
		test	ax, ax
		jnz	short loc_8B5411
		xor	ecx, ecx

loc_8B53FE:				; CODE XREF: IoGetDeviceNumaNode(x,x)+4Dj
		mov	eax, [ebp+arg_4]
		mov	[eax], cx
		xor	eax, eax

loc_8B5406:				; CODE XREF: IoGetDeviceNumaNode(x,x)+54j
					; IoGetDeviceNumaNode(x,x)+5Bj
		pop	ebp
		retn	8
; 

loc_8B540A:				; CODE XREF: IoGetDeviceNumaNode(x,x)+2Ej
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_8B53F2
		jmp	short loc_8B53FE
; 

loc_8B5411:				; CODE XREF: IoGetDeviceNumaNode(x,x)+38j
		mov	eax, 0C0000225h
		jmp	short loc_8B5406
; 

loc_8B5418:				; CODE XREF: IoGetDeviceNumaNode(x,x)+Aj
					; IoGetDeviceNumaNode(x,x)+17j	...
		mov	eax, 0C000000Dh
		jmp	short loc_8B5406
_IoGetDeviceNumaNode@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PopFxPlatformRegisterInterface(x, x)
_PopFxPlatformRegisterInterface@8 proc near ; CODE XREF: PopPowerInformationInternal+4E8p
		cmp	dword ptr [ecx+4], 1
		push	esi
		push	edi
		mov	edi, edx
		jnz	short loc_8B547A
		cmp	dword ptr [ecx+8], 0
		jz	short loc_8B5481
		mov	edx, [ecx+10h]
		test	edx, edx
		jz	short loc_8B5481
		push	ebx
		mov	esi, 0C0000001h
		mov	ebx, offset unk_6BF848
		xor	eax, eax
		lock cmpxchg [ebx], edx
		pop	ebx
		test	eax, eax
		jnz	short loc_8B5475
		mov	eax, [ecx+8]
		xor	esi, esi
		mov	_PopFxPlatformInterface, eax
		mov	edx, 4D584650h
		mov	eax, [ecx+0Ch]
		mov	dword_6BF844, eax
		and	[edi+4], esi
		mov	dword ptr [edi], offset	PoFxPlatformRequestHandler
		mov	ecx, [ecx+10h]
		call	ObfReferenceObjectWithTag

loc_8B5475:				; CODE XREF: PopFxPlatformRegisterInterface(x,x)+2Bj
					; PopFxPlatformRegisterInterface(x,x)+5Fj ...
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_8B547A:				; CODE XREF: PopFxPlatformRegisterInterface(x,x)+8j
		mov	esi, 0C0000059h
		jmp	short loc_8B5475
; 

loc_8B5481:				; CODE XREF: PopFxPlatformRegisterInterface(x,x)+Ej
					; PopFxPlatformRegisterInterface(x,x)+15j
		mov	esi, 0C000000Dh
		jmp	short loc_8B5475
_PopFxPlatformRegisterInterface@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEsPublishState()
_PopEsPublishState@0 proc near		; CODE XREF: PopEsUpdateState+81EC6p
					; PopEsWorker:loc_86E0F0p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		or	[ebp+var_4], 0FFFFFFFFh
		xor	eax, eax
		cmp	_PopEsState, 1
		setz	al
		lea	eax, ds:1[eax*2]
		mov	[ebp+var_8], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	8
		lea	eax, [ebp+var_8]
		push	eax
		push	offset _WNF_PO_ENERGY_SAVER_STATE
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		push	offset _PopEsState ; void *
		push	4
		pop	edx
		mov	ecx, (offset loc_408CBF+1) ; int
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		leave
		retn
_PopEsPublishState@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiProcessStartSystemDevices(x)
_PiProcessStartSystemDevices@4 proc near ; CODE	XREF: .text:0054F266p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		push	edi
		xor	edx, edx
		mov	[ebp+var_8], edi
		mov	ecx, offset _KMPnPEvt_SystemStartPnPEnum_Start
		mov	[ebp+var_4], edi
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		mov	eax, [esi+8]
		mov	edx, esi
		push	edi
		push	edi
		push	edi
		mov	eax, [eax+0B0h]
		push	edi
		mov	ecx, [eax+14h]
		mov	al, _PnPBootDriversInitialized
		mov	byte ptr [ebp+var_4], al
		lea	eax, [ebp+var_8]
		push	eax
		mov	[ebp+var_8], 3
		call	PipProcessDevNodeTree
		push	edi
		xor	edx, edx
		mov	ecx, offset _KMPnPEvt_SystemStartPnPEnum_Stop
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		pop	edi
		xor	eax, eax
		pop	esi
		leave
		retn
_PiProcessStartSystemDevices@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetupMixedRealitytNotification()
_PopSetupMixedRealitytNotification@0 proc near ; CODE XREF: PoInitSystem+7DFp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, offset _WNF_SEB_MIXED_REALITY
		push	edi
		push	edi
		push	edi
		mov	eax, edi
		mov	[ebp+var_8], edi
		or	[ebp+var_8], 0FFFFFFFFh
		and	eax, 0FFFFFFFDh
		or	eax, 1
		push	edi
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_C]
		push	8
		push	eax
		push	esi
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		push	edi
		push	offset _PopWnfMixedRealityCallback@24 ;	PopWnfMixedRealityCallback(x,x,x,x,x,x)
		push	edi
		push	1
		push	esi
		lea	eax, [ebp+var_4]
		push	eax
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn
_PopSetupMixedRealitytNotification@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoQueryVhdBootInformation proc near	; CODE XREF: PAGE:00780E17p

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	0Ch
		push	offset dword_6A7698
		call	__SEH_prolog4
		xor	esi, esi
		mov	ebx, [ebp+arg_4]
		mov	[ebx], esi
		mov	edi, dword_6B64B4
		cmp	[ebp+arg_0], edi
		jb	short loc_8B55CA
		mov	[ebp+ms_exc.disabled], esi
		push	edi		; size_t
		push	off_6B34A8	; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8B55B4:				; CODE XREF: IoQueryVhdBootInformation+53j
		mov	[ebx], edi

loc_8B55B6:				; CODE XREF: sub_938702+Dj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8B55CA:				; CODE XREF: IoQueryVhdBootInformation+1Cj
		mov	esi, 0C0000023h
		jmp	short loc_8B55B4
IoQueryVhdBootInformation endp

; 
		align 2

;  S U B	R O U T	I N E 


CmSiRWLockReleaseExclusive proc	near	; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+213p
					; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+2BEp ...

; FUNCTION CHUNK AT 00938714 SIZE 00000012 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_938714

loc_8B55E6:				; CODE XREF: CmSiRWLockReleaseExclusive+83144j
					; CmSiRWLockReleaseExclusive+8314Fj
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
CmSiRWLockReleaseExclusive endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopCoalescingPowerSettingCallback(void *,int,int,int)
PopCoalescingPowerSettingCallback proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00938726 SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, 0C000000Dh
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_DISK_COALESCING_POWERDOWN_TIMEOUT ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_8B5642
		cmp	[ebp+arg_8], 4
		jnz	short loc_8B5642
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_8B5642
		mov	eax, [eax]
		mov	ds:_PopDppeCoalescingSpindownTimeout, eax
		test	eax, eax
		jnz	short loc_8B562F
		or	eax, 0FFFFFFFFh

loc_8B562F:				; CODE XREF: PopCoalescingPowerSettingCallback+3Cj
		cmp	eax, _PopDiskCoalescingTimeout
		jnz	loc_938726

loc_8B563B:				; CODE XREF: PopCoalescingPowerSettingCallback+83142j
		call	PopCheckResiliencyScenarios
		xor	esi, esi

loc_8B5642:				; CODE XREF: PopCoalescingPowerSettingCallback+24j
					; PopCoalescingPowerSettingCallback+2Aj ...
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
PopCoalescingPowerSettingCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmRegisterSystemHiveLimitCallback proc near
					; CODE XREF: IopInitializePlugPlayServices(x,x)+A4p

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00938735 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6B179C
		push	esi
		test	eax, eax
		jz	short loc_8B56C0
		mov	eax, [eax+20h]
		xor	edx, edx
		mov	eax, [eax+28h]
		add	eax, 1000h
		imul	eax, 64h
		div	_CmSystemHiveLimitSize
		mov	esi, eax

loc_8B5675:				; CODE XREF: CmRegisterSystemHiveLimitCallback+74j
		cmp	_CmpSystemHiveHysteresisCallback, 0
		jnz	short loc_8B56B9
		mov	eax, [ebp+arg_0]
		push	5Ah
		pop	ecx
		mov	_CmpSystemHiveHysteresisLow, 50h
		mov	_CmpSystemHiveHysteresisHigh, ecx
		mov	_CmpSystemHiveHysteresisContext, eax
		mov	_CmpSystemHiveHysteresisCallback, offset _PpSystemHiveLimitCallback@8 ;	PpSystemHiveLimitCallback(x,x)
		mov	_CmpSystemHiveHysteresisLowSeen, 1
		cmp	esi, ecx
		jnb	loc_938735

loc_8B56B2:				; CODE XREF: CmRegisterSystemHiveLimitCallback+830F7j
		mov	_CmpSystemHiveHysteresisHighSeen, 0

loc_8B56B9:				; CODE XREF: CmRegisterSystemHiveLimitCallback+2Ej
					; CmRegisterSystemHiveLimitCallback+83104j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
; 

loc_8B56C0:				; CODE XREF: CmRegisterSystemHiveLimitCallback+Dj
		xor	esi, esi
		jmp	short loc_8B5675
CmRegisterSystemHiveLimitCallback endp


;  S U B	R O U T	I N E 


; __stdcall IopQueryProcessorInitValues(x)
_IopQueryProcessorInitValues@4 proc near ; CODE	XREF: IoInitializeProcessor+9E954p
					; IoEnableIrpCredits()+32p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	_MmIsThisAnNtAsSystem@0	; MmIsThisAnNtAsSystem()
		mov	bl, al
		xor	edx, edx
		test	bl, bl
		setnz	dl
		xor	eax, eax
		dec	edx
		and	edx, 0FFFFFFC0h
		add	edx, 60h
		test	bl, bl
		movzx	esi, dx
		setnz	al
		mov	[edi+6], si
		dec	eax
		mov	[edi], si
		and	eax, 0FFFFFFC0h
		sub	eax, 0FFFFFF80h
		movzx	edx, ax
		xor	eax, eax
		test	bl, bl
		mov	[edi+4], dx
		setnz	al
		xor	ecx, ecx
		dec	eax
		and	eax, 0FFFFFF80h
		add	eax, 100h
		test	bl, bl
		movzx	eax, ax
		setnz	cl
		mov	[edi+8], ax
		dec	ecx
		and	ecx, 0FFFF0600h
		add	ecx, 10000h
		mov	[edi+1Ch], ecx
		mov	ax, [edi+4]
		shr	dword ptr [edi+1Ch], 5
		mov	[edi+2], ax
		mov	dword ptr [edi+0Ch], 94h
		imul	eax, _IopMediumIrpStackLocations, 24h
		add	eax, 70h
		mov	[edi+10h], eax
		imul	eax, _IopLargeIrpStackLocations, 24h
		mov	dword ptr [edi+18h], 60h
		add	eax, 70h
		mov	[edi+14h], eax
		pop	edi
		pop	esi
		pop	ebx
		retn
_IopQueryProcessorInitValues@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtSystemDebugControl(int,int,size_t,void *,int,int)
NtSystemDebugControl proc near		; DATA XREF: .text:00580C20o

var_C0		= dword	ptr -0C0h
var_98		= dword	ptr -98h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00938757 SIZE 000000AA BYTES
; FUNCTION CHUNK AT 00938827 SIZE 0000008B BYTES
; FUNCTION CHUNK AT 009388CE SIZE 00000065 BYTES
; FUNCTION CHUNK AT 00938946 SIZE 0000003C BYTES
; FUNCTION CHUNK AT 00938998 SIZE 00000021 BYTES
; FUNCTION CHUNK AT 009389D7 SIZE 00000030 BYTES
; FUNCTION CHUNK AT 00938A1D SIZE 00000023 BYTES
; FUNCTION CHUNK AT 00938A56 SIZE 00000023 BYTES
; FUNCTION CHUNK AT 00938A8F SIZE 00000021 BYTES
; FUNCTION CHUNK AT 00938AC6 SIZE 0000000F BYTES
; FUNCTION CHUNK AT 00938AE3 SIZE 0000003C BYTES
; FUNCTION CHUNK AT 00938B3D SIZE 0000003C BYTES
; FUNCTION CHUNK AT 00938B97 SIZE 00000047 BYTES
; FUNCTION CHUNK AT 00938BF8 SIZE 0000010C BYTES
; FUNCTION CHUNK AT 00938D25 SIZE 00000043 BYTES
; FUNCTION CHUNK AT 00938D86 SIZE 00000050 BYTES
; FUNCTION CHUNK AT 00938DE7 SIZE 00000007 BYTES

		push	0B0h
		push	offset dword_6A76B8
		call	__SEH_prolog4
		and	[ebp+var_24], 0
		push	9
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_98]
		rep stosd
		push	0Ah
		pop	ecx
		lea	edi, [ebp+var_C0]
		rep stosd
		and	[ebp+var_30], eax
		and	[ebp+var_34], eax
		and	[ebp+var_38], eax
		cmp	_KdPitchDebugger, al
		jz	short loc_8B57D6
		cmp	_KdLocalDebugEnabled, al
		jnz	short loc_8B57D6
		mov	esi, [ebp+arg_0]
		cmp	esi, 1Dh
		jz	loc_938757
		cmp	esi, 25h
		jz	loc_938757
		mov	eax, 0C0000354h

loc_8B57C4:				; CODE XREF: NtSystemDebugControl+83025j
					; NtSystemDebugControl+83183j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_8B57D6:				; CODE XREF: NtSystemDebugControl+3Aj
					; NtSystemDebugControl+42j
		mov	esi, [ebp+arg_0]
		jmp	loc_938757
NtSystemDebugControl endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

NtListenPort	proc near		; DATA XREF: .text:00580FC4o

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	0Ch
		push	offset dword_6A7788
		call	__SEH_prolog4
		xor	edi, edi
		push	0FFFFFFFEh
		pop	ebx
		mov	esi, [ebp+arg_4]

loc_8B57F2:				; CODE XREF: NtListenPort+55j
		push	edi
		push	esi
		push	edi
		push	edi
		push	[ebp+arg_0]
		call	NtReplyWaitReceivePortEx
		mov	ecx, eax
		mov	[ebp+ms_exc.disabled], edi
		test	ecx, ecx
		jnz	short loc_8B5819
		mov	ax, [esi+4]
		mov	edx, 7FFFh
		and	ax, dx
		cmp	ax, 0Ah
		jnz	short loc_8B5830

loc_8B5819:				; CODE XREF: NtListenPort+27j
		mov	[ebp+ms_exc.disabled], ebx

loc_8B581C:				; CODE XREF: PAGE:00938E32j
		mov	eax, ecx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_8B5830:				; CODE XREF: NtListenPort+39j
		mov	[ebp+ms_exc.disabled], ebx
		jmp	short loc_8B57F2
NtListenPort	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpInternHashBucketsAllocate(x, x)
_RtlpInternHashBucketsAllocate@8 proc near ; CODE XREF:	RtlInternTableIntern+17Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	[ebp+arg_0]
		push	eax
		mov	ecx, [eax+0Ch]
		call	dword ptr [ecx]
		pop	ebp
		retn	8
_RtlpInternHashBucketsAllocate@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopDeviceIdlePolicySettingCallback(void	*,int,int,int)
_PopDeviceIdlePolicySettingCallback@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_DEVICE_IDLE_POLICY	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_8B5886
		cmp	[ebp+arg_8], 4
		jnz	short loc_8B5886
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_8B5886
		mov	eax, [eax]
		cmp	eax, 1
		ja	short loc_8B5886
		mov	dword_6C2D28, eax
		xor	eax, eax

loc_8B5882:				; CODE XREF: PopDeviceIdlePolicySettingCallback(x,x,x,x)+3Fj
		pop	ebp
		retn	10h
; 

loc_8B5886:				; CODE XREF: PopDeviceIdlePolicySettingCallback(x,x,x,x)+19j
					; PopDeviceIdlePolicySettingCallback(x,x,x,x)+1Fj ...
		mov	eax, 0C000000Dh
		jmp	short loc_8B5882
_PopDeviceIdlePolicySettingCallback@16 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopAllowAwayModeSettingCallback(void *,int,int,int)
PopAllowAwayModeSettingCallback	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00938E37 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, 0C000000Dh
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_ALLOW_AWAYMODE ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_8B58D4
		push	4
		pop	ecx
		cmp	[ebp+arg_8], ecx
		jnz	short loc_8B58D4
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_8B58D4
		xor	ebx, ebx
		cmp	[eax], ebx
		jz	loc_938E37
		mov	byte_6C2D12, 1

loc_8B58D4:				; CODE XREF: PopAllowAwayModeSettingCallback+24j
					; PopAllowAwayModeSettingCallback+2Cj ...
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	10h
PopAllowAwayModeSettingCallback	endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1897. PsSetCreateProcessNotifyRoutine

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetCreateProcessNotifyRoutine(x, x)
		public _PsSetCreateProcessNotifyRoutine@8
_PsSetCreateProcessNotifyRoutine@8 proc	near ; CODE XREF: VfFaultsSetParameters(x)+3Cp
					; ViInitSystemPhase1+17p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		cmp	[ebp+arg_4], dl
		setnz	dl
		call	PspSetCreateProcessNotifyRoutine
		pop	ebp
		retn	8
_PsSetCreateProcessNotifyRoutine@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1840. PsInsertPermanentSiloContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsInsertPermanentSiloContext(x, x, x)
		public _PsInsertPermanentSiloContext@12
_PsInsertPermanentSiloContext@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_8]
		call	PsInsertPermanentSiloContextEx
		pop	ecx
		pop	ebp
		retn	0Ch
_PsInsertPermanentSiloContext@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopRtcWakeSettingCallback(void *,int,int,int)
_PopRtcWakeSettingCallback@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		mov	esi, 0C000000Dh
		push	(offset	loc_408D2F+1) ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_8B5965
		cmp	[ebp+arg_8], 4
		jnz	short loc_8B5965
		push	edi
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_8B5964
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		xor	esi, esi
		cmp	[edi], esi
		setnbe	_PoRtcWakeAllowed
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_8B5964:				; CODE XREF: PopRtcWakeSettingCallback(x,x,x,x)+2Dj
		pop	edi

loc_8B5965:				; CODE XREF: PopRtcWakeSettingCallback(x,x,x,x)+1Fj
					; PopRtcWakeSettingCallback(x,x,x,x)+25j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
_PopRtcWakeSettingCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInitializeUtcTimeZoneBias(x)
_ExInitializeUtcTimeZoneBias@4 proc near ; CODE	XREF: Phase1InitializationDiscard(x)+BAFp

var_210		= dword	ptr -210h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_172		= word ptr -172h
var_164		= dword	ptr -164h
var_11E		= word ptr -11Eh
var_110		= dword	ptr -110h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 214h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	edi
		push	1B0h		; size_t
		push	eax		; int
		mov	[ebp+var_1D0], eax
		mov	[ebp+var_1CC], eax
		mov	[ebp+var_1D8], eax
		mov	[ebp+var_1D4], eax
		lea	eax, [ebp+var_1B8]
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_210]
		stosd
		add	esp, 0Ch
		cmp	_ExpRealTimeIsUniversal, 0
		stosd
		stosd
		stosd
		jnz	short loc_8B59D4
		mov	eax, 0C00000BBh
		jmp	loc_8B5C09
; 

loc_8B59D4:				; CODE XREF: ExInitializeUtcTimeZoneBias(x)+5Cj
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edi, [eax+268h]
		lea	eax, [ebp+var_1B8]
		push	eax
		mov	[ebp+var_1DC], edi
		call	_RtlQueryDynamicTimeZoneInformation@4 ;	RtlQueryDynamicTimeZoneInformation(x)
		test	eax, eax
		js	loc_8B5C09
		mov	ecx, [ebp+var_1B8]
		mov	eax, [ebp+var_110]
		mov	ebx, [ebp+var_164]
		add	eax, ecx
		mov	[ebp+var_1C4], eax
		add	ebx, ecx
		lea	eax, [ebp+var_210]
		push	eax
		push	esi
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		cmp	[ebp+var_172], 0
		jz	loc_8B5C04
		cmp	[ebp+var_11E], 0
		jz	loc_8B5C04
		push	ecx
		push	esi
		lea	edx, [ebp+var_1D8]
		lea	ecx, [ebp-174h]
		call	RtlCutoverTimeToSystemTime
		test	al, al
		jz	loc_8B5C04
		push	ecx
		push	esi
		lea	edx, [ebp+var_1D0]
		lea	ecx, [ebp-120h]
		call	RtlCutoverTimeToSystemTime
		test	al, al
		jz	loc_8B5C04
		imul	eax, ebx, 3Ch
		mov	ecx, 989680h
		imul	ecx
		mov	ecx, eax
		add	ecx, [ebp+var_1D0]
		mov	[ebp+var_1C0], ecx
		adc	edx, [ebp+var_1CC]
		imul	eax, [ebp+var_1C4], 3Ch
		mov	[ebp+var_1BC], edx
		mov	[ebp+var_1CC], edx
		mov	edx, 989680h
		mov	[ebp+var_1D0], ecx
		imul	edx
		add	eax, [ebp+var_1D8]
		mov	[ebp+var_1D8], eax
		adc	edx, [ebp+var_1D4]
		mov	[ebp+var_1D4], edx
		cmp	[ebp+var_1BC], edx
		jg	short loc_8B5B20
		jl	short loc_8B5AD8
		cmp	ecx, eax
		jnb	short loc_8B5B20

loc_8B5AD8:				; CODE XREF: ExInitializeUtcTimeZoneBias(x)+166j
		mov	edi, [ebp+var_1C0]
		mov	ecx, [ebp+var_1C4]
		mov	[ebp+var_200], edi
		mov	edi, [ebp+var_1BC]
		mov	[ebp+var_1F4], 2
		mov	[ebp+var_1E4], 1
		mov	[ebp+var_1F4], 2
		mov	[ebp+var_1E4], 1
		mov	[ebp+var_1FC], edi
		jmp	short loc_8B5B5E
; 

loc_8B5B20:				; CODE XREF: ExInitializeUtcTimeZoneBias(x)+164j
					; ExInitializeUtcTimeZoneBias(x)+16Aj
		mov	ecx, ebx
		mov	[ebp+var_1E4], 2
		mov	ebx, [ebp+var_1C4]
		mov	[ebp+var_200], eax
		mov	eax, [ebp+var_1C0]
		mov	[ebp+var_1FC], edx
		mov	edx, [ebp+var_1BC]
		mov	[ebp+var_1F4], 1
		mov	[ebp+var_1E4], 2

loc_8B5B5E:				; CODE XREF: ExInitializeUtcTimeZoneBias(x)+1B2j
		mov	edi, [esi]
		mov	esi, [esi+4]
		mov	[ebp+var_1C0], edi
		mov	edi, [ebp+var_1DC]
		mov	[ebp+var_1EC], edx
		mov	[ebp+var_1F0], eax
		mov	[ebp+var_1E8], ebx
		mov	[ebp+var_1F8], ecx
		mov	[ebp+var_1BC], esi
		cmp	esi, [ebp+var_1FC]
		jl	short loc_8B5BCA
		mov	esi, [ebp+var_1C0]
		jg	short loc_8B5BA5
		cmp	esi, [ebp+var_200]
		jb	short loc_8B5BCA

loc_8B5BA5:				; CODE XREF: ExInitializeUtcTimeZoneBias(x)+22Fj
		cmp	[ebp+var_1BC], edx
		jg	short loc_8B5BCA
		jl	short loc_8B5BB3
		cmp	esi, eax
		jnb	short loc_8B5BCA

loc_8B5BB3:				; CODE XREF: ExInitializeUtcTimeZoneBias(x)+241j
		mov	eax, [ebp+var_1F4]
		mov	[edi+1B0h], eax
		mov	[edi+1B4h], ecx
		imul	eax, ecx, 3Ch
		jmp	short loc_8B5BDF
; 

loc_8B5BCA:				; CODE XREF: ExInitializeUtcTimeZoneBias(x)+227j
					; ExInitializeUtcTimeZoneBias(x)+237j ...
		mov	eax, [ebp+var_1E4]
		mov	[edi+1B0h], eax
		mov	[edi+1B4h], ebx
		imul	eax, ebx, 3Ch

loc_8B5BDF:				; CODE XREF: ExInitializeUtcTimeZoneBias(x)+25Cj
		mov	ecx, 989680h
		imul	ecx
		lea	ecx, [edi+1B8h]
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	dword ptr ds:0FFDF025Ch, 0
		call	_ExpWriteTimeZoneBias@4	; ExpWriteTimeZoneBias(x)
		xor	eax, eax
		jmp	short loc_8B5C09
; 

loc_8B5C04:				; CODE XREF: ExInitializeUtcTimeZoneBias(x)+BEj
					; ExInitializeUtcTimeZoneBias(x)+CCj ...
		mov	eax, 0C0000001h

loc_8B5C09:				; CODE XREF: ExInitializeUtcTimeZoneBias(x)+63j
					; ExInitializeUtcTimeZoneBias(x)+87j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_ExInitializeUtcTimeZoneBias@4 endp


;  S U B	R O U T	I N E 


; __stdcall WheaCrashDumpInitializationComplete()
_WheaCrashDumpInitializationComplete@0 proc near ; CODE	XREF: PAGE:007B3D43p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, offset _WheapLiveDumpLock
		xor	ebx, ebx
		mov	ecx, edi
		mov	esi, ebx
		call	ExAcquireFastMutex
		cmp	_WheapLiveDumpRecordList, offset _WheapLiveDumpRecordList
		mov	_WheapCrashDumpInitialized, 1
		jnz	short loc_8B5C51

loc_8B5C40:				; CODE XREF: WheaCrashDumpInitializationComplete()+3Bj
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	bl, bl
		jnz	short loc_8B5C55

loc_8B5C4B:				; CODE XREF: WheaCrashDumpInitializationComplete()+44j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_8B5C51:				; CODE XREF: WheaCrashDumpInitializationComplete()+26j
		mov	bl, 1
		jmp	short loc_8B5C40
; 

loc_8B5C55:				; CODE XREF: WheaCrashDumpInitializationComplete()+31j
		call	_WheapReportDeferredLiveDumps@0	; WheapReportDeferredLiveDumps()
		mov	esi, eax
		jmp	short loc_8B5C4B
_WheaCrashDumpInitializationComplete@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpKernelProvEnableCallback(x, x, x, x, x,	x, x, x, x)
_EtwpKernelProvEnableCallback@36 proc near ; DATA XREF:	EtwpInitialize+232o

arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_1C]
		push	ecx
		push	ecx
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ecx
		call	SeEtwEnableCallback
		pop	ebp
		retn	24h
_EtwpKernelProvEnableCallback@36 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PfSnQueueEnablePrefetcherTimer(x)
_PfSnQueueEnablePrefetcherTimer@4 proc near ; CODE XREF: PfSnBeginBootPhase+B9p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		inc	ecx
		call	_PfSnAllocateEnablePrefetcherTimer@4 ; PfSnAllocateEnablePrefetcherTimer(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8B5CAA
		mov	eax, [esi+4]
		xor	edx, edx
		mov	ecx, [esi]
		xor	esi, esi
		push	eax
		push	ecx
		lea	eax, [edi+28h]
		mov	ecx, edi
		push	eax
		push	esi
		call	KiSetTimerEx

loc_8B5CA5:				; CODE XREF: PfSnQueueEnablePrefetcherTimer(x)+35j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_8B5CAA:				; CODE XREF: PfSnQueueEnablePrefetcherTimer(x)+12j
		mov	esi, 0C000009Ah
		jmp	short loc_8B5CA5
_PfSnQueueEnablePrefetcherTimer@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExQueryBootEntropyInformation(x)
_ExQueryBootEntropyInformation@4 proc near ; CODE XREF:	PAGE:0078102Ap
					; INIT:00ABFD57p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	0
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ecx
		push	eax
		push	offset _ExpInitBootEntropyInformation@12 ; ExpInitBootEntropyInformation(x,x,x)
		push	offset _ExpBootEntropyInit
		call	RtlRunOnceExecuteOnce
		test	eax, eax
		js	short locret_8B5CE0
		cmp	[ebp+var_4], 0FFFFFFFFh
		jz	short locret_8B5CE0
		mov	eax, 0C0000001h

locret_8B5CE0:				; CODE XREF: ExQueryBootEntropyInformation(x)+21j
					; ExQueryBootEntropyInformation(x)+27j
		leave
		retn
_ExQueryBootEntropyInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspSetThreadPpmPolicy proc near		; CODE XREF: NtSetInformationThread+BDFp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00938E56 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		xor	esi, esi
		sub	eax, esi
		jz	short loc_8B5CFF
		sub	eax, 1
		jnz	loc_938E56
		mov	esi, 100h

loc_8B5CFF:				; CODE XREF: PspSetThreadPpmPolicy+Dj
					; PspSetThreadPpmPolicy+83187j	...
		push	edi
		mov	edi, [ebp+arg_0]
		add	edi, 244h

loc_8B5D09:				; CODE XREF: PspSetThreadPpmPolicy+3Bj
		mov	edx, [edi]
		mov	ecx, edx
		and	ecx, 0FFFFFCFFh
		mov	eax, edx
		or	ecx, esi
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_8B5D09
		pop	edi

loc_8B5D20:				; CODE XREF: PspSetThreadPpmPolicy+8317Cj
		pop	esi
		pop	ebp
		retn	8
PspSetThreadPpmPolicy endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdateBackgroundCoolingStatus(x)
_PopUpdateBackgroundCoolingStatus@4 proc near
					; CODE XREF: PopPowerInformationInternal+171377p
					; PoInitSystem+645p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ds:_WNF_EXEC_THERMAL_LIMITER_TERMINATE_BACKGROUND_TASKS
		mov	[ebp+var_C], eax
		mov	eax, ds:dword_413108
		mov	[ebp+var_8], eax
		xor	eax, eax
		test	cl, cl
		setnz	al
		mov	[ebp+var_10], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	4
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopUpdateBackgroundCoolingStatus@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpInternHashBucketsFree(x, x)
_RtlpInternHashBucketsFree@8 proc near	; CODE XREF: RtlInternTableIntern+2AAp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	[ebp+arg_0]
		push	eax
		mov	ecx, [eax+0Ch]
		call	dword ptr [ecx+4]
		pop	ebp
		retn	8
_RtlpInternHashBucketsFree@8 endp

; 
		align 10h
; Exported entry 1036. IoUpdateShareAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoUpdateShareAccess(x, x)
		public _IoUpdateShareAccess@8
_IoUpdateShareAccess@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_IoUpdateLinkShareAccessEx@16 ;	IoUpdateLinkShareAccessEx(x,x,x,x)
		pop	ebp
		retn	8
_IoUpdateShareAccess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtLoadKey(x, x)
_NtLoadKey@8	proc near		; DATA XREF: .text:00580FB8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_NtLoadKeyEx@32	; NtLoadKeyEx(x,x,x,x,x,x,x,x)
		pop	ebp
		retn	8
_NtLoadKey@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGenerateSecureCookie()
_MiGenerateSecureCookie@0 proc near	; CODE XREF: MiInitSystem+253p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		mov	esi, large fs:20h
		push	edi
		push	eax
		call	KeQuerySystemTime
		rdtsc
		mov	edi, eax
		xor	ecx, ecx
		xor	edi, [esi+590h]
		xor	edi, [esi+4B4h]
		xor	edi, [ebp+var_4]
		xor	edi, [ebp+var_8]
		call	ExGenRandom
		xor	edi, eax
		jz	short loc_8B5E0C

loc_8B5E06:				; CODE XREF: MiGenerateSecureCookie()+4Bj
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
; 

loc_8B5E0C:				; CODE XREF: MiGenerateSecureCookie()+40j
		xor	edi, edi
		inc	edi
		jmp	short loc_8B5E06
_MiGenerateSecureCookie@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall EtwpInitializeProviderTraits()
_EtwpInitializeProviderTraits@0	proc near ; CODE XREF: EtwpInitialize+195p
		mov	edi, edi
		push	esi
		mov	ecx, offset _EtwpProviderTraitsKmMutex
		call	@KeInitializeGuardedMutex@4 ; KeInitializeGuardedMutex(x)
		xor	esi, esi
		mov	ecx, offset _EtwpProviderTraitsUmMutex
		mov	_EtwpProviderTraitsKmTree, esi
		mov	dword_6BC3AC, esi
		call	@KeInitializeGuardedMutex@4 ; KeInitializeGuardedMutex(x)
		mov	_EtwpProviderTraitsUmTree, esi
		mov	dword_6BC404, esi
		pop	esi
		retn
_EtwpInitializeProviderTraits@0	endp

; 
		align 2

;  S U B	R O U T	I N E 


DrvDbCheckSchemaVersionSupported proc near ; CODE XREF:	DrvDbLoadDatabaseNode+19Ep

; FUNCTION CHUNK AT 00938E78 SIZE 00000011 BYTES

		cmp	ecx, 0FFFFFFFFh
		jz	short loc_8B5E60
		test	ecx, ecx
		jz	short loc_8B5E5B
		cmp	ecx, 10000h
		ja	loc_938E78

loc_8B5E5B:				; CODE XREF: DrvDbCheckSchemaVersionSupported+7j
		mov	cl, 1

loc_8B5E5D:				; CODE XREF: DrvDbCheckSchemaVersionSupported+1Cj
					; DrvDbCheckSchemaVersionSupported+8303Ej
		mov	al, cl
		retn
; 

loc_8B5E60:				; CODE XREF: DrvDbCheckSchemaVersionSupported+3j
		xor	cl, cl
		jmp	short loc_8B5E5D
DrvDbCheckSchemaVersionSupported endp


;  S U B	R O U T	I N E 


PopSetupHighPerfPowerRequest proc near	; CODE XREF: PoInitSystem+7B5p

; FUNCTION CHUNK AT 00938E89 SIZE 0000002A BYTES

		cmp	ds:_PpmHighPerfDuration, 0
		push	esi
		jz	short loc_8B5E88
		call	_PpmBeginHighPerfRequest@0 ; PpmBeginHighPerfRequest()
		mov	esi, eax
		test	esi, esi
		js	loc_938E89
		xor	ecx, ecx
		call	PpmEndHighPerfRequest

loc_8B5E84:				; CODE XREF: PopSetupHighPerfPowerRequest+83033j
					; PopSetupHighPerfPowerRequest+8304Aj
		mov	eax, esi
		pop	esi
		retn
; 

loc_8B5E88:				; CODE XREF: PopSetupHighPerfPowerRequest+8j
		xor	esi, esi
		jmp	loc_938E89
PopSetupHighPerfPowerRequest endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2014. RtlCreateRegistryKey

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCreateRegistryKey(x, x)
		public _RtlCreateRegistryKey@8
_RtlCreateRegistryKey@8	proc near	; CODE XREF: WheapCommitPolicy()+22p
					; WheapCommitPolicy()+30p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_4], 0
		push	eax
		push	1
		call	RtlpGetRegistryHandle
		test	eax, eax
		js	short locret_8B5EC6
		test	[ebp+arg_0], 40000000h
		jnz	short loc_8B5EC4
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_8B5EC4:				; CODE XREF: RtlCreateRegistryKey(x,x)+26j
		xor	eax, eax

locret_8B5EC6:				; CODE XREF: RtlCreateRegistryKey(x,x)+1Dj
		leave
		retn	8
_RtlCreateRegistryKey@8	endp

; 
		align 10h
; Exported entry 1763. PsEstablishWin32Callouts

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public PsEstablishWin32Callouts
PsEstablishWin32Callouts proc near

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00938EB3 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	esi
		call	_ExAllocateCallBack@8 ;	ExAllocateCallBack(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8B5F03
		push	0
		mov	edx, esi
		mov	ecx, offset _PsWin32CallBack
		call	ExCompareExchangeCallBack
		test	al, al
		jz	loc_938EB3
		mov	_PsWin32CalloutsEstablished, 1

loc_8B5F03:				; CODE XREF: PsEstablishWin32Callouts+14j
					; PsEstablishWin32Callouts+82FEBj
		pop	esi
		pop	ebp
		retn	4
PsEstablishWin32Callouts endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1361. LsaRegisterLogonProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; NTSTATUS __stdcall LsaRegisterLogonProcess(PLSA_STRING LogonProcessName,PHANDLE LsaHandle,PLSA_OPERATIONAL_MODE SecurityMode)
		public _LsaRegisterLogonProcess@12
_LsaRegisterLogonProcess@12 proc near

LogonProcessName= dword	ptr  8
LsaHandle	= dword	ptr  0Ch
SecurityMode	= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, _SepAuthExtensionHost
		push	esi
		mov	esi, 0C0000002h
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_8B5F41
		push	[ebp+SecurityMode]
		push	[ebp+LsaHandle]
		push	[ebp+LogonProcessName]
		call	dword ptr [eax+14h]
		mov	ecx, _SepAuthExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_8B5F41:				; CODE XREF: LsaRegisterLogonProcess(x,x,x)+18j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
_LsaRegisterLogonProcess@12 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1360. LsaLookupAuthenticationPackage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; NTSTATUS __stdcall LsaLookupAuthenticationPackage(HANDLE LsaHandle,PLSA_STRING PackageName,PULONG AuthenticationPackage)
		public _LsaLookupAuthenticationPackage@12
_LsaLookupAuthenticationPackage@12 proc	near

LsaHandle	= dword	ptr  8
PackageName	= dword	ptr  0Ch
AuthenticationPackage= dword ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, _SepAuthExtensionHost
		push	esi
		mov	esi, 0C0000002h
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_8B5F81
		push	[ebp+AuthenticationPackage]
		push	[ebp+PackageName]
		push	[ebp+LsaHandle]
		call	dword ptr [eax+10h]
		mov	ecx, _SepAuthExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_8B5F81:				; CODE XREF: LsaLookupAuthenticationPackage(x,x,x)+18j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
_LsaLookupAuthenticationPackage@12 endp


;  S U B	R O U T	I N E 


CmpVolumeManagerUnlockContextListExclusive proc	near
					; CODE XREF: CmpVolumeManagerGetContextForFile+146p

; FUNCTION CHUNK AT 00938EC0 SIZE 00000012 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_938EC0

loc_8B5F9C:				; CODE XREF: CmpVolumeManagerUnlockContextListExclusive+82F3Aj
					; CmpVolumeManagerUnlockContextListExclusive+82F45j
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
CmpVolumeManagerUnlockContextListExclusive endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNetDisconnectedStandbyModeCallback(x, x,	x, x)
_PopNetDisconnectedStandbyModeCallback@16 proc near

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 4
		push	esi
		push	edi
		jnz	short loc_8B5FD4
		mov	esi, [ebp+arg_4]
		cmp	dword ptr [esi], 1
		ja	short loc_8B5FD4
		xor	edi, edi
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	eax, [esi]
		mov	dword_6C2D5C, eax
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_8B5FCC:				; CODE XREF: PopNetDisconnectedStandbyModeCallback(x,x,x,x)+35j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_8B5FD4:				; CODE XREF: PopNetDisconnectedStandbyModeCallback(x,x,x,x)+Bj
					; PopNetDisconnectedStandbyModeCallback(x,x,x,x)+13j
		mov	edi, 0C000000Dh
		jmp	short loc_8B5FCC
_PopNetDisconnectedStandbyModeCallback@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNetConnectivityInStandbyCallback(x, x, x, x)
_PopNetConnectivityInStandbyCallback@16	proc near

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 4
		push	esi
		push	edi
		jnz	short loc_8B600C
		mov	esi, [ebp+arg_4]
		cmp	dword ptr [esi], 2
		ja	short loc_8B600C
		xor	edi, edi
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	eax, [esi]
		mov	dword_6C2D58, eax
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_8B6004:				; CODE XREF: PopNetConnectivityInStandbyCallback(x,x,x,x)+35j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_8B600C:				; CODE XREF: PopNetConnectivityInStandbyCallback(x,x,x,x)+Bj
					; PopNetConnectivityInStandbyCallback(x,x,x,x)+13j
		mov	edi, 0C000000Dh
		jmp	short loc_8B6004
_PopNetConnectivityInStandbyCallback@16	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmpDummyThreadRoutine(x)
_CmpDummyThreadRoutine@4 proc near	; DATA XREF: CmpInitializeRegistryProcess()+F3o
		mov	edi, edi
		push	esi
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset _CmpDummyThreadEvent
		call	KeWaitForSingleObject
		push	esi
		push	esi
		push	eax
		push	23h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_CmpDummyThreadRoutine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpInitializeLastBranchTracing	proc near ; CODE XREF: EtwpInitialize+13Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00938ED2 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	_EtwpLastBranchLookAsideList, eax
		mov	dword_6BC454, eax
		mov	dword_6BC458, eax
		mov	dword_6BC45C, eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	off_6B1418	; xHalpIsInterruptTypeSecondary(x,x)
		test	al, al
		jnz	loc_938ED2
		leave
		retn
EtwpInitializeLastBranchTracing	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwTiLogDriverObjectUnLoad proc	near	; CODE XREF: IopUnloadDriver+307p
					; IoDeleteDriver(x)+Cp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00938EE4 SIZE 00000093 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, dword_6BC124
		mov	ebx, ecx
		push	edi
		mov	edi, _EtwThreatIntProvRegHandle
		push	offset _THREATINT_DRIVER_OBJECT_UNLOAD
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_938EE4

loc_8B60A7:				; CODE XREF: EtwTiLogDriverObjectUnLoad+82E86j
					; EtwTiLogDriverObjectUnLoad+82F02j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
EtwTiLogDriverObjectUnLoad endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipQueryWmiRegInfo(x, x, x, x)
_WmipQueryWmiRegInfo@16	proc near	; CODE XREF: IoWMISystemControl+164p
					; DATA XREF: PAGE:00A40FD4o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_C]
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	offset ??_C@_0L@NABPFONB@SMBiosData@NNGAKEGL@ ;	"SMBiosData"
		mov	dword ptr [eax], offset	_WmipRegistryPath
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_8]
		call	RtlAnsiStringToUnicodeString
		leave
		retn	10h
_WmipQueryWmiRegInfo@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PerfDiagpBootSystemProxyCallback(x,	x, x, x, x, x, x, x, x)
_PerfDiagpBootSystemProxyCallback@36 proc near ; DATA XREF: PerfDiagInitialize()+1Bo

arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		jz	short loc_8B610B
		cmp	[ebp+arg_8], 55h
		jnz	short loc_8B6107
		xor	ecx, ecx
		inc	ecx

loc_8B6102:				; CODE XREF: PerfDiagpBootSystemProxyCallback(x,x,x,x,x,x,x,x,x)+20j
		call	_PerfDiagpRequestState@4 ; PerfDiagpRequestState(x)

loc_8B6107:				; CODE XREF: PerfDiagpBootSystemProxyCallback(x,x,x,x,x,x,x,x,x)+Fj
		pop	ebp
		retn	24h
; 

loc_8B610B:				; CODE XREF: PerfDiagpBootSystemProxyCallback(x,x,x,x,x,x,x,x,x)+9j
		push	2
		pop	ecx
		jmp	short loc_8B6102
_PerfDiagpBootSystemProxyCallback@36 endp


;  S U B	R O U T	I N E 


PopInitializePreSleepNotifications proc	near ; CODE XREF: PoInitSystem+792p

; FUNCTION CHUNK AT 00938F77 SIZE 0000000D BYTES

		mov	eax, _PopPreSleepNotificationSeconds
		cmp	eax, 78h
		jb	loc_938F77

loc_8B611E:				; CODE XREF: PopInitializePreSleepNotifications+82E6Fj
		mov	ecx, 0E10h
		cmp	eax, ecx
		ja	short loc_8B614E

loc_8B6127:				; CODE XREF: PopInitializePreSleepNotifications+45j
		mov	dword_6BFB3C, eax
		mov	ecx, offset unk_6BFB30
		xor	eax, eax
		xchg	eax, [ecx]
		and	dword_6BFB2C, 0
		and	_PopPreSleepNotifyWorkItem, 0
		mov	dword_6BFB28, offset _PopPreSleepNotifyWorker@4	; PopPreSleepNotifyWorker(x)
		retn
; 

loc_8B614E:				; CODE XREF: PopInitializePreSleepNotifications+15j
		mov	eax, ecx
		mov	_PopPreSleepNotificationSeconds, eax
		jmp	short loc_8B6127
PopInitializePreSleepNotifications endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1899. PsSetCreateProcessNotifyRoutineEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetCreateProcessNotifyRoutineEx(x, x)
		public _PsSetCreateProcessNotifyRoutineEx@8
_PsSetCreateProcessNotifyRoutineEx@8 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		cmp	[ebp+arg_4], dl
		setnz	dl
		add	edx, 2
		call	PspSetCreateProcessNotifyRoutine
		pop	ebp
		retn	8
_PsSetCreateProcessNotifyRoutineEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmEventTraceControlCallback proc near	; DATA XREF: PpmEventInitialize()+Ao

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= word ptr -4
var_2		= word ptr -2
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00938F84 SIZE 000001E0 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		xor	ebx, ebx
		mov	[esp+20h+var_2], ax
		mov	[esp+20h+var_10], ebx
		cmp	edi, 2
		jz	loc_938F84
		test	edi, edi
		jz	loc_938F84

loc_8B61A7:				; CODE XREF: PpmEventTraceControlCallback+82F3Cj
					; PpmEventTraceControlCallback+82FE7j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
PpmEventTraceControlCallback endp


;  S U B	R O U T	I N E 


; __stdcall ExInitLicenseCallback()
_ExInitLicenseCallback@0 proc near	; CODE XREF: Phase1InitializationDiscard(x)+891p
		mov	edi, edi
		push	esi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		push	1
		push	1
		push	offset dword_A415B0
		mov	esi, [eax+204h]
		add	esi, 5B84h
		push	esi
		call	_ExCreateCallback@16 ; ExCreateCallback(x,x,x,x)
		test	eax, eax
		js	short loc_8B61D9
		pop	esi
		retn
; 

loc_8B61D9:				; CODE XREF: ExInitLicenseCallback()+25j
		and	dword ptr [esi], 0
		pop	esi
		retn
_ExInitLicenseCallback@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcPoSleepStudyHelperSetPhaseActive(x, x)
_PdcPoSleepStudyHelperSetPhaseActive@8 proc near ; DATA	XREF: PopPdcRegister+A7o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	SshSetPdcPhaseActive
		pop	ebp
		retn	8
_PdcPoSleepStudyHelperSetPhaseActive@8 endp


;  S U B	R O U T	I N E 


SshSetPdcPhaseActive proc near		; CODE XREF: PdcPoSleepStudyHelperSetPhaseActive(x,x)+Bp

; FUNCTION CHUNK AT 008B6229 SIZE 00000005 BYTES
; FUNCTION CHUNK AT 00939164 SIZE 0000003C BYTES

		sub	ecx, 1
		jz	loc_939196
		sub	ecx, 1
		jz	loc_93918C
		sub	ecx, 1
		jz	loc_939182
		sub	ecx, 1
		jz	loc_939178
		sub	ecx, 1
		jz	loc_93916E
		sub	ecx, 3
		jz	loc_939164
		retn
SshSetPdcPhaseActive endp

; 
; START	OF FUNCTION CHUNK FOR SshSetPdcPhaseActive

loc_8B6229:				; CODE XREF: SshSetPdcPhaseActive+82F77j
					; SshSetPdcPhaseActive+82F81j ...
		jmp	_SshpSetCollectionActive@8 ; SshpSetCollectionActive(x,x)
; END OF FUNCTION CHUNK	FOR SshSetPdcPhaseActive

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlWaitForSmssEvent(x)
_FsRtlWaitForSmssEvent@4 proc near	; DATA XREF: FsRtlInitializeSmssEvent()+88o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_0]
		call	KeWaitForSingleObject
		mov	ecx, [ebp+arg_0]
		mov	ds:_FsRtlpVolumeStartupApplicationsComplete, 1
		call	ObfDereferenceObject
		pop	ebp
		retn	4
_FsRtlWaitForSmssEvent@4 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 1822. PsGetSiloIdentifier

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetSiloIdentifier(x)
		public _PsGetSiloIdentifier@4
_PsGetSiloIdentifier@4 proc near	; CODE XREF: ObCreateSiloRootDirectory(x,x)+B2p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_8B626A

loc_8B6266:				; CODE XREF: PsGetSiloIdentifier(x)+16j
		pop	ebp
		retn	4
; 

loc_8B626A:				; CODE XREF: PsGetSiloIdentifier(x)+Aj
		mov	eax, [eax+2D4h]
		jmp	short loc_8B6266
_PsGetSiloIdentifier@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetupMobileHotspotNotification()
_PopSetupMobileHotspotNotification@0 proc near ; CODE XREF: PoInitSystem+7FDp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	0
		push	offset _PopWnfMobileHotspotCallback@24 ; PopWnfMobileHotspotCallback(x,x,x,x,x,x)
		push	0
		push	1
		push	offset _WNF_SEB_MOBILE_HOTSPOT
		lea	eax, [ebp+var_4]
		push	eax
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		leave
		retn
_PopSetupMobileHotspotNotification@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetupBluetoothChargingNotification()
_PopSetupBluetoothChargingNotification@0 proc near ; CODE XREF:	PoInitSystem+7F8p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	0
		push	offset _PopWnfBluetoothChargingCallback@24 ; PopWnfBluetoothChargingCallback(x,x,x,x,x,x)
		push	0
		push	1
		push	offset _WNF_BLTH_BLUETOOTH_DEVICE_DOCK_STATUS
		lea	eax, [ebp+var_4]
		push	eax
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		leave
		retn
_PopSetupBluetoothChargingNotification@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetupAirplaneModeNotification()
_PopSetupAirplaneModeNotification@0 proc near ;	CODE XREF: PoInitSystem+7F3p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	0
		push	offset PopWnfAirplaneModeCallback
		push	0
		push	1
		push	(offset	loc_408DDF+1)
		lea	eax, [ebp+var_4]
		push	eax
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		leave
		retn
_PopSetupAirplaneModeNotification@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetupSprActiveSessionChangeNotification()
_PopSetupSprActiveSessionChangeNotification@0 proc near	; CODE XREF: PoInitSystem+7EEp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	0
		push	offset _PopWnfSprActiveSessionChangeCallback@24	; PopWnfSprActiveSessionChangeCallback(x,x,x,x,x,x)
		push	0
		push	1
		push	offset _WNF_SRUM_SCREENONSTUDY_SESSION
		lea	eax, [ebp+var_4]
		push	eax
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		leave
		retn
_PopSetupSprActiveSessionChangeNotification@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetupFullScrenVideoNotification()
_PopSetupFullScrenVideoNotification@0 proc near	; CODE XREF: PoInitSystem+7E4p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	0
		push	offset _PopWnfFullscreenVideoCallback@24 ; PopWnfFullscreenVideoCallback(x,x,x,x,x,x)
		push	0
		push	1
		push	(offset	loc_408DEF+1)
		lea	eax, [ebp+var_4]
		push	eax
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		leave
		retn
_PopSetupFullScrenVideoNotification@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetupUserPresencePredictionNotification()
_PopSetupUserPresencePredictionNotification@0 proc near	; CODE XREF: PoInitSystem+7E9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	0
		push	offset _PopWnfUserAwayPredictionCallback@24 ; PopWnfUserAwayPredictionCallback(x,x,x,x,x,x)
		push	0
		push	1
		push	offset _WNF_PO_USER_AWAY_PREDICTION
		lea	eax, [ebp+var_4]
		push	eax
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		leave
		retn
_PopSetupUserPresencePredictionNotification@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetupAudioEventNotification()
_PopSetupAudioEventNotification@0 proc near ; CODE XREF: PoInitSystem+7DAp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	0
		push	offset PopWnfAudioCallback
		push	0
		push	1
		push	offset _WNF_SEB_AUDIO_ACTIVITY
		lea	eax, [ebp+var_4]
		push	eax
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		leave
		retn
_PopSetupAudioEventNotification@0 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpInitializeCoverage()
_EtwpInitializeCoverage@0 proc near	; CODE XREF: EtwpInitialize+222p
		mov	dword ptr ds:0FFDF037Ch, 1
		mov	edx, offset EtwpCoverageProvEnableCallback
		and	_EtwpCoverageLock, 0
		mov	ecx, offset dword_6B2A68
		push	0
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		retn
_EtwpInitializeCoverage@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmFcpCleanupSectionState(x)
_CmFcpCleanupSectionState@4 proc near	; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+2F4p
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+291p ...
		mov	ecx, [ecx+8]
		test	ecx, ecx
		jnz	ObfDereferenceObject
		retn
_CmFcpCleanupSectionState@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmFcpUnmapSection(x)
_CmFcpUnmapSection@4 proc near		; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+2E3p
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+280p ...
		mov	edi, edi
		push	ecx
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	short loc_8B639C
		pop	ecx
		retn
; 

loc_8B639C:				; CODE XREF: CmFcpUnmapSection(x)+8j
		push	eax
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		pop	ecx
		retn
_CmFcpUnmapSection@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpRegisterSecurityProvider(x)
_EtwpRegisterSecurityProvider@4	proc near ; CODE XREF: NtTraceControl(x,x,x,x,x,x)+586p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		cmp	[edi+8A8h], esi
		jnz	short loc_8B63C4
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		mov	[edi+8A8h], eax

loc_8B63BF:				; CODE XREF: EtwpRegisterSecurityProvider(x)+25j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_8B63C4:				; CODE XREF: EtwpRegisterSecurityProvider(x)+Ej
		mov	esi, 0C0000022h
		jmp	short loc_8B63BF
_EtwpRegisterSecurityProvider@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxEmergencyWorker(x)
_PopFxEmergencyWorker@4	proc near	; DATA XREF: PopFxCreateEmergencyWorkerThread(x)+19o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	10h
		push	eax
		call	KeSetActualBasePriorityThread
		mov	ecx, [ebp+arg_0]
		or	edx, 0FFFFFFFFh
		call	PopFxProcessWorkPool
		pop	ebp
		retn	4
_PopFxEmergencyWorker@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpEtwDumpTxR	proc near		; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+374p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 009391A0 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ds:_CmpTraceTxrRoutine
		test	esi, esi
		jnz	loc_9391A0

loc_8B6402:				; CODE XREF: CmpEtwDumpTxR+82DB4j
					; CmpEtwDumpTxR+82DC1j	...
		pop	esi
		pop	ebp
		retn	10h
CmpEtwDumpTxR	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcpIncrementChangeStamp(x, x)
_CmFcpIncrementChangeStamp@8 proc near	; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+CFp
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+79p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		add	ecx, 1
		mov	eax, ecx
		adc	edx, 0
		or	eax, edx
		jz	short loc_8B6425

loc_8B641F:				; CODE XREF: CmFcpIncrementChangeStamp(x,x)+22j
		mov	eax, ecx
		pop	ebp
		retn	8
; 

loc_8B6425:				; CODE XREF: CmFcpIncrementChangeStamp(x,x)+15j
		xor	ecx, ecx
		inc	ecx
		xor	edx, edx
		jmp	short loc_8B641F
_CmFcpIncrementChangeStamp@8 endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 2489. SeQuerySecureBootPolicyValue

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SeQuerySecureBootPolicyValue(int,int,int,void *,int,int)
		public SeQuerySecureBootPolicyValue
SeQuerySecureBootPolicyValue proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 009391C8 SIZE 00000071 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		cmp	dword_6FDDF4, 0
		push	esi
		jnz	loc_9391C8
		mov	esi, 80430006h

loc_8B6454:				; CODE XREF: SeQuerySecureBootPolicyValue+82DAAj
					; SeQuerySecureBootPolicyValue+82DCCj ...
		mov	eax, esi
		pop	esi
		leave
		retn	18h
SeQuerySecureBootPolicyValue endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSessionPoolTrackTableSize()
_MiSessionPoolTrackTableSize@0 proc near
					; CODE XREF: ExInitializeSessionPoolTrackTable()+14p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, 155h
		bsr	ecx, eax
		jz	short locret_8B6471
		xor	eax, eax
		inc	eax
		shl	eax, cl

locret_8B6471:				; CODE XREF: MiSessionPoolTrackTableSize()+Ej
		leave
		retn
_MiSessionPoolTrackTableSize@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall EtwpInitializeSiloAllowedGroupMask()
_EtwpInitializeSiloAllowedGroupMask@0 proc near	; CODE XREF: EtwpInitialize+1D3p
		or	ds:_EtwpSiloAllowedGroupMask, 1600370Fh
		mov	ecx, offset _EtwpSiloAllowedGroupMask
		or	ds:dword_70EF9C, 8206h
		or	ds:dword_70EFA0, 10040h
		or	ds:dword_70EFB0, 1FFFFFFFh
		xor	dl, dl
		jmp	_EtwpMapEnableFlags@8 ;	EtwpMapEnableFlags(x,x)
_EtwpInitializeSiloAllowedGroupMask@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdateKernelGroupsWork(x)
_EtwpUpdateKernelGroupsWork@4 proc near	; DATA XREF: EtwpCrimsonProvEnableCallback+168o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, ds:_EtwpHostSiloState
		xor	edx, edx
		push	8
		call	EtwpUpdateGlobalGroupMasks
		pop	ebp
		retn	4
_EtwpUpdateKernelGroupsWork@4 endp


;  S U B	R O U T	I N E 


; __stdcall MmQuitNextSession(x)
_MmQuitNextSession@4 proc near		; CODE XREF: MiTrimSharedPageFromViews(x,x,x,x,x)+28Ap
					; MiTrimSharedPageFromViews(x,x,x,x,x)+573p ...
		call	ObfDereferenceObject
		xor	eax, eax
		retn
_MmQuitNextSession@4 endp

; 
		align 8
; Exported entry 392. ExIsManufacturingModeEnabled

;  S U B	R O U T	I N E 


; __stdcall ExIsManufacturingModeEnabled()
		public _ExIsManufacturingModeEnabled@0
_ExIsManufacturingModeEnabled@0	proc near ; CODE XREF: IopInitializeSystemDrivers+41p
		mov	al, byte ptr _ExpManufacturingInformation
		and	al, 1
		retn
_ExIsManufacturingModeEnabled@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopDecDisableableDepends proc near	; CODE XREF: PiProcessQueryDeviceState+11Ap
					; IopRemoveDevice(x,x)+B0p

; FUNCTION CHUNK AT 00939239 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx

loc_8B64E9:				; CODE XREF: IopDecDisableableDepends+82D6Aj
		test	esi, esi
		jz	short loc_8B64FF
		or	eax, 0FFFFFFFFh
		lock xadd [esi+184h], eax
		dec	eax
		jz	loc_939239

loc_8B64FF:				; CODE XREF: IopDecDisableableDepends+Bj
		pop	esi
		leave
		retn
IopDecDisableableDepends endp


;  S U B	R O U T	I N E 


CmpEtwGetHivePath proc near		; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+151p

; FUNCTION CHUNK AT 0093924F SIZE 0000000B BYTES

		cmp	ds:_CmpTraceTxrRoutine,	0
		mov	eax, 0C0000001h
		jnz	loc_93924F
		retn
CmpEtwGetHivePath endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 873. IoGetIommuInterface

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public IoGetIommuInterface
IoGetIommuInterface proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jnz	loc_935CB4
		pop	ebp
		jmp	off_6B1430	; xHalIommuUnblockDevice(x,x)
IoGetIommuInterface endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTransGetUOW(x)
_CmpTransGetUOW@4 proc near		; CODE XREF: CmpTransAllocateTrans(x,x,x,x)+64p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	eax, 0FFFFFFFEh
		test	byte ptr [ebp+arg_0], 1
		jnz	short loc_8B654C

loc_8B6545:				; CODE XREF: CmpTransGetUOW(x)+1Bj
		add	eax, 60h
		pop	ebp
		retn	4
; 

loc_8B654C:				; CODE XREF: CmpTransGetUOW(x)+Fj
		mov	eax, [eax+8]
		jmp	short loc_8B6545
_CmpTransGetUOW@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcPoVerifyPowerState(x, x)
_PdcPoVerifyPowerState@8 proc near	; DATA XREF: PopPdcRegister+5Ao

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		call	PopVerifySystemPowerState
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		pop	ebp
		retn	8
_PdcPoVerifyPowerState@8 endp


;  S U B	R O U T	I N E 


PopCheckSkipTick proc near		; CODE XREF: PopNewProcessorCallback(x,x,x)+21p
					; PoInitSystem+6B0p

; FUNCTION CHUNK AT 0093925A SIZE 00000034 BYTES

		mov	eax, ds:_PopApicMode
		cmp	eax, 2
		jnz	loc_93925A

loc_8B657E:				; CODE XREF: PopCheckSkipTick+82CFDj
					; PopCheckSkipTick+82D15j
		mov	al, 1
		retn
PopCheckSkipTick endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmSiRWLockAcquireExclusive(x)
_CmSiRWLockAcquireExclusive@4 proc near	; CODE XREF: SshpSetCollectionActive(x,x)+24p
					; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+86p ...
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_CmSiRWLockAcquireExclusive@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIntSteerEventTraceControlCallback(x, x, x, x, x, x, x, x,	x)
_KiIntSteerEventTraceControlCallback@36	proc near ; DATA XREF: KiIntSteerConnect+28Eo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 2
		jz	short loc_8B659F
		cmp	[ebp+arg_4], 0
		jz	short loc_8B659F

loc_8B659B:				; CODE XREF: KiIntSteerEventTraceControlCallback(x,x,x,x,x,x,x,x,x)+1Cj
		pop	ebp
		retn	24h
; 

loc_8B659F:				; CODE XREF: KiIntSteerEventTraceControlCallback(x,x,x,x,x,x,x,x,x)+9j
					; KiIntSteerEventTraceControlCallback(x,x,x,x,x,x,x,x,x)+Fj
		mov	cl, 1
		call	_KiIntSteerLogStatus@4 ; KiIntSteerLogStatus(x)
		jmp	short loc_8B659B
_KiIntSteerEventTraceControlCallback@36	endp


;  S U B	R O U T	I N E 


; __stdcall CmpEtwReleaseHivePath(x)
_CmpEtwReleaseHivePath@4 proc near	; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+37Dp
		cmp	dword ptr [ecx+4], 0
		jnz	short loc_8B65AF
		retn
; 

loc_8B65AF:				; CODE XREF: CmpEtwReleaseHivePath(x)+4j
		push	ecx
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		retn
_CmpEtwReleaseHivePath@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiSwDeviceDereference proc near		; CODE XREF: PiSwDispatch+C7p
					; PiSwIrpStartCreateWorker:loc_891B1Ap	...

; FUNCTION CHUNK AT 0093928E SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		dec	eax
		jz	loc_93928E

loc_8B65CD:				; CODE XREF: PiSwDeviceDereference+82CE8j
		pop	esi
		leave
		retn
PiSwDeviceDereference endp


;  S U B	R O U T	I N E 


; __stdcall PdcPoIdleScanEnabled()
_PdcPoIdleScanEnabled@0	proc near	; DATA XREF: PopPdcRegister+7Do
		xor	eax, eax
		cmp	eax, _PopIdleScanInterval
		sbb	eax, eax
		and	eax, 3FFFFFFFh
		add	eax, 0C0000001h
		retn
_PdcPoIdleScanEnabled@0	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDispatchCallout(x)
_PopDispatchCallout@4 proc near		; DATA XREF: .text:00403CB8o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	PopEventCalloutDispatch
		pop	ebp
		retn	4
_PopDispatchCallout@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1412. MmGetPhysicalMemoryRangesEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetPhysicalMemoryRangesEx(x)
		public _MmGetPhysicalMemoryRangesEx@4
_MmGetPhysicalMemoryRangesEx@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_0]
		call	MmGetPhysicalMemoryRangesEx2
		pop	ebp
		retn	4
_MmGetPhysicalMemoryRangesEx@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpTracingProvEnableCallback proc near	; DATA XREF: EtwpInitialize+209o

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 009392A3 SIZE 0000022A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	[ebp+arg_4], 2
		push	ebx
		push	esi
		push	edi
		mov	[esp+10h+var_1], 0
		jz	loc_9392A3

loc_8B662D:				; CODE XREF: EtwpTracingProvEnableCallback+82EB6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
EtwpTracingProvEnableCallback endp


;  S U B	R O U T	I N E 


WmipReleaseCollectionEnabled proc near	; CODE XREF: WmipSendEnableRequest+A0p
					; WmipDoDisableRequest+59p ...

; FUNCTION CHUNK AT 009394CD SIZE 00000012 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+8], 8
		jnz	loc_9394CD
		pop	esi
		retn
WmipReleaseCollectionEnabled endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 642. FsRtlRegisterMupCalls

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlRegisterMupCalls(x)
		public _FsRtlRegisterMupCalls@4
_FsRtlRegisterMupCalls@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, offset _pFsRtlpMupCalls
		xchg	eax, [ecx]
		pop	ebp
		retn	4
_FsRtlRegisterMupCalls@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 641. FsRtlRegisterFltMgrCalls

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlRegisterFltMgrCalls(x)
		public _FsRtlRegisterFltMgrCalls@4
_FsRtlRegisterFltMgrCalls@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, offset _FltMgrCallbacks
		xchg	eax, [ecx]
		pop	ebp
		retn	4
_FsRtlRegisterFltMgrCalls@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

TlgAggregateInternalProviderCallback proc near
					; DATA XREF: TlgRegisterAggregateProviderEx+D5o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 009394DF SIZE 00000082 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		cmp	[ebp+arg_4], 2
		push	esi
		push	edi
		jz	loc_9394DF

loc_8B668C:				; CODE XREF: TlgAggregateInternalProviderCallback+82E6Bj
					; TlgAggregateInternalProviderCallback+82E75j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	24h
TlgAggregateInternalProviderCallback endp


;  S U B	R O U T	I N E 


PfSnDetermineEnablePrefetcher proc near	; CODE XREF: PfSnBeginBootPhase+98p
					; PfpParametersWatcher(x)+12Ep

; FUNCTION CHUNK AT 00939561 SIZE 0000000F BYTES

		cmp	_InitSafeBootMode, 0
		jnz	loc_939561
		retn
PfSnDetermineEnablePrefetcher endp


;  S U B	R O U T	I N E 


PopExternalMonitorUpdatedWorker	proc near ; DATA XREF: PoInitSystem+172o

; FUNCTION CHUNK AT 00939570 SIZE 0000001E BYTES

		cmp	_PopPlatformAoAc, 0
		jnz	loc_939570

locret_8B66AF:				; CODE XREF: PopExternalMonitorUpdatedWorker+82EE7j
		retn	4
PopExternalMonitorUpdatedWorker	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepZwLockRegistryKey(x)
_SepZwLockRegistryKey@4	proc near	; DATA XREF: .text:004037DCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_ZwLockRegistryKey@4 ; ZwLockRegistryKey(x)
_SepZwLockRegistryKey@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall KiInitializeProcessorState(void *,int,int,void	*,void *,int,int,int,int,int)
_KiInitializeProcessorState@40 proc near ; CODE	XREF: KiStartDynamicProcessor(x,x,x,x)+1CFp
					; KeStartAllProcessors+2E0p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		xor	eax, eax
		mov	[ebp+var_8], edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		mov	ebx, ecx
		push	edi
		push	320h		; size_t
		shl	esi, 5
		push	eax		; int
		add	esi, 603Fh
		mov	[ebp+var_4], ebx
		push	ebx		; void *
		mov	dword ptr [ebp+var_14],	eax
		and	esi, 0FFFFFFC0h
		mov	dword ptr [ebp+var_14+4], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		call	_memset
		add	esp, 0Ch
		sgdt	fword ptr [ebp+var_14+2]
		mov	edi, [ebp+arg_8]
		lea	edx, [ebx+2F4h]
		push	edi		; void *
		lea	ecx, [ebp+var_14]
		call	KiCloneDescriptor
		mov	ebx, [ebx+2F8h]
		mov	[ebp+arg_C], ebx
		sidt	fword ptr [ebp+var_14+2]
		mov	edx, [ebp+var_4]
		lea	ecx, [edi+3000h]
		mov	ax, word ptr [ebp+var_14+2]
		mov	[edx+300h], ecx
		mov	[edx+2FEh], ax
		push	_KiBootProcessorIdtSize	; size_t
		push	_KiBootProcessorIdt ; void *
		push	ecx		; void *
		call	_memcpy
		mov	edi, [ebp+arg_4]
		lea	eax, [ebp+var_1C]
		add	esp, 0Ch
		mov	edx, ebx
		push	edi		; void *
		push	eax		; int
		push	30h
		pop	ecx
		call	KiCloneSelector
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+edi]
		mov	[ebp+var_C], eax
		push	4E0h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	esi, [ebp+arg_8]
		add	esp, 0Ch
		mov	edx, ebx
		lea	eax, [esi+400h]
		push	eax		; void *
		lea	eax, [ebp+var_24]
		push	eax		; int
		push	28h
		pop	eax
		mov	ecx, eax
		call	KiCloneSelector
		lea	eax, [esi+2520h]
		push	eax		; void *
		lea	eax, [ebp+var_2C]
		push	eax		; int
		push	50h
		mov	edx, ebx
		pop	ecx
		call	KiCloneSelector
		lea	eax, [esi+24B0h]
		mov	edx, ebx
		push	eax		; void *
		lea	eax, [ebp+var_34]
		push	eax		; int
		push	58h
		pop	ecx
		call	KiCloneSelector
		lea	eax, [esi+2590h]
		mov	edx, ebx
		push	eax		; void *
		lea	eax, [ebp+var_3C]
		mov	ecx, 0A0h
		push	eax		; int
		call	KiCloneSelector
		mov	eax, [ebp+arg_1C]
		mov	[esi+2524h], eax
		mov	[esi+2558h], eax
		mov	[esi+24B4h], eax
		mov	[esi+24E8h], eax
		mov	[esi+2594h], eax
		mov	[esi+25C8h], eax
		mov	ecx, [ebp+var_4]
		mov	eax, cr0
		and	eax, 0FFFAFFFFh
		mov	[ecx+2CCh], eax
		mov	eax, cr3
		mov	[ecx+2D4h], eax
		mov	eax, cr4
		mov	[ecx+2D8h], eax
		pushf
		pop	eax
		mov	[ecx+0C0h], eax
		and	dword ptr [ecx+0C0h], 0FFFFFDFFh
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+arg_C]
		mov	esi, [ebp+arg_10]
		mov	ebx, [ebp+var_8]
		or	dword ptr [edx+310h], 0FFFFFFFFh
		push	28h
		pop	eax
		mov	[edx+304h], ax
		mov	eax, [ebp+arg_0]
		mov	edi, [ebp+var_C]
		shl	eax, 0Eh
		mov	[ecx+38h], ax
		mov	eax, [ebp+arg_0]
		shl	eax, 0Eh
		xor	eax, [ecx+3Ch]
		mov	byte ptr [ecx+2Dh], 89h
		and	eax, 0F0000h
		xor	[ecx+3Ch], eax
		lea	eax, [esi-8]
		mov	[esi-4], ebx
		push	20h
		mov	[edx+0C4h], eax
		pop	eax
		push	[ebp+arg_18]
		mov	dword ptr [edx+0B8h], offset _KiSystemStartup@4	; KiSystemStartup(x)
		push	[ebp+arg_14]
		mov	dword ptr [edx+0BCh], 8
		push	edi
		push	[ebp+var_20]
		mov	[edx+98h], eax
		push	dword ptr [edx+2F8h]
		mov	[edx+94h], eax
		push	dword ptr [edx+300h]
		mov	dword ptr [edx+90h], 30h
		push	[ebp+var_18]
		mov	dword ptr [edx+0C8h], 10h
		push	[ebp+arg_0]
		call	_KiInitializePcr@32 ; KiInitializePcr(x,x,x,x,x,x,x,x)
		mov	ecx, large fs:20h
		mov	edx, [ebp+arg_4]
		mov	eax, [ecx+3F38h]
		mov	[edx+4058h], eax
		mov	eax, [ecx+3F3Ch]
		lea	ecx, [edx+120h]
		mov	[edx+405Ch], eax
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+arg_8]
		mov	eax, [eax+20h]
		mov	[ebx+48h], esi
		mov	[ebx+54h], edi
		mov	[ebx+4Ch], eax
		call	_KiEnableKvaShadowing@8	; KiEnableKvaShadowing(x,x)
		test	eax, eax
		jz	short loc_8B693E
		mov	eax, [ebp+var_18]
		mov	eax, [eax+20h]

loc_8B693E:				; CODE XREF: KiInitializeProcessorState(x,x,x,x,x,x,x,x,x,x)+278j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
_KiInitializeProcessorState@40 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

Ke386CyrixId	proc near		; CODE XREF: Ke386ConfigureCyrixProcessor+3p
					; CmpAddProcessorConfigurationEntry:loc_929B9Dp

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 009360EE SIZE 0000006D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:20h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_1], bl
		cmp	[eax+15h], bl
		jz	loc_9360EE
		mov	ecx, offset _CmpCyrixID	; "CyrixInstead"
		add	eax, 3D3Ch

loc_8B696B:				; CODE XREF: Ke386CyrixId+3Fj
		mov	dl, [eax]
		cmp	dl, [ecx]
		jnz	short loc_8B6996
		test	dl, dl
		jz	short loc_8B6987
		mov	dl, [eax+1]
		cmp	dl, [ecx+1]
		jnz	short loc_8B6996
		add	eax, 2
		add	ecx, 2
		test	dl, dl
		jnz	short loc_8B696B

loc_8B6987:				; CODE XREF: Ke386CyrixId+2Dj
		mov	eax, ebx

loc_8B6989:				; CODE XREF: Ke386CyrixId+55j
		test	eax, eax
		jz	loc_9360EE
		xor	eax, eax

loc_8B6993:				; CODE XREF: Ke386CyrixId+7F810j
		pop	ebx
		leave
		retn
; 

loc_8B6996:				; CODE XREF: Ke386CyrixId+29j
					; Ke386CyrixId+35j
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_8B6989
Ke386CyrixId	endp

; 
		align 2

??_C@_1DE@JMADIDNJ@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@:
					; DATA XREF: .text:00401530o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
; 
		db 0
		db 2 dup(0)
; 

??_C@_1M@DCMFPONJ@?$AAE?$AAn?$AAu?$AAm?$AA?2@NNGAKEGL@:	; DATA XREF: .text:00401AF4o
		inc	ebp
		add	[esi+0], ch
		jnz	short $+2
		insd
		add	[eax+eax+0], bl
; 
		db 0
; 

??_C@_1CG@EBHDPJAG@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AA?5?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@NNGAKEGL@:
		dec	eax
		add	[ecx+0], ah
		jb	short $+2
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		jnb	short $+2
		pop	esp
; 
		db 3 dup(0)
; 

??_C@_1CO@PCPCFID@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC@NNGAKEGL@:
					; DATA XREF: .text:004016D4o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+44h], bl
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
		add	gs:[ebx+0], dh
		pop	esp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1DE@GJPKHPPK@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC@NNGAKEGL@:
					; DATA XREF: .text:00401528o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+44h], bl
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+61h], dh
		add	[ecx+0], ch
		outsb
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		pop	esp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BO@BMNBPCJG@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAC?$AAl?$AAa?$AAs?$AAs?$AA?2@NNGAKEGL@:
					; DATA XREF: .text:0040172Co
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+43h], bl
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
		pop	esp
; 
		db 3 dup(0)
; 

??_C@_1LI@FFKDHKIH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		outsd
		add	[esi+0], ah
		jz	short $+2
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+4Dh], bl
		add	[ecx+0], ch
		arpl	[eax], ax
		jb	short $+2
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		and	[eax], al
		dec	esi
		add	[eax+eax+5Ch], dl
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		pop	esp
		add	[ecx+0], cl
		insd
		add	[ecx+0], ah
		add	[di+0],	ah
		and	[eax], al
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		and	[eax], al
		inc	ebp
		add	[eax+0], bh
		add	gs:[ebx+0], ah
		jnz	short $+2
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BC@CFEJIEP@?$AAA?$AAP?$AAP?$AAI?$AAD?$AA?3?$AA?1?$AA?1@NNGAKEGL@:
					; DATA XREF: .text:00401538o
		inc	ecx
		add	[eax+0], dl
		push	eax
		add	[ecx+0], cl
		inc	esp
		add	[edx], bh
		add	[edi], ch
		add	[edi], ch
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BK@CCOOHMCM@?$AAH?$AAT?$AAR?$AAE?$AAE?$AA?2?$AAR?$AAO?$AAO?$AAT?$AA?2?$AA0@NNGAKEGL@:
					; DATA XREF: .text:00401170o
					; _CmGetDeviceMappedPropertyFromComposite+382o	...
		dec	eax
		add	[eax+eax+52h], dl
		add	[ebp+0], al
		inc	ebp
		add	[eax+eax+52h], bl
		add	[edi+0], cl
		dec	edi
		add	[eax+eax+5Ch], dl
		add	[eax], dh
; 
		db 3 dup(0)
; 

??_C@_1M@GMCFOPCE@?$AAR?$AAo?$AAo?$AAt?$AA?2@NNGAKEGL@:	; DATA XREF: .text:00401168o
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
; 
		db 3 dup(0)
; wchar_t ??_C
??_C@_19JHEHLFPM@?$AA?2?$AA?$DP?$AA?$DP?$AA?2@NNGAKEGL@: ; DATA	XREF: .text:00401A3Co
					; _CmGetDeviceInterfaceName+80o ...
		unicode	0, <\??\>,0
??_C@_19MJCDBCKE@?$AA?2?$AA?2?$AA?$DP?$AA?2@NNGAKEGL@ db '\',0 ; DATA XREF: .text:00401A34o
					; _CmSetDeviceInterfacePathFormat(x,x,x):loc_7FB671r ...
		db '\',0
off_8B6B82	dd offset loc_5C0039+6	; DATA XREF: _CmSetDeviceInterfacePathFormat(x,x,x)+34r
					; _CmDeviceClassesSubkeyCallback+18Er
		align 4
; void ??_C
??_C@_1BG@OKCBELMP@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2@NNGAKEGL@:
					; DATA XREF: CmpBuildMachineHiveMountPoint(x,x)+8o
					; CmpFinishSystemHivesLoad(x)+70o
		unicode	0, <\REGISTRY\>,0
; 

; void ??_C
??_C@_1DK@MBODLMJO@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@:
					; DATA XREF: CmpInitializeSystemHivesLoad+DAo
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		pop	esp
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[si+0],	bl
; 
		dw 0
; 

??_C@_1DE@PHKABCAI@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: CmpFinishSystemHivesLoad(x)+420o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		inc	ecx
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], dl
		inc	ecx
		add	[ebp+0], cl
; 
		dw 0
; 

??_C@_1DO@BDGINLPJ@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: CmpFinishSystemHivesLoad(x)+425o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		add	gs:[ebx+0], ah
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
		pop	esp
		add	[ebx+0], dl
		inc	ecx
		add	[ebp+0], cl
; 
		db 2 dup(0)
; 

??_C@_1DA@PDHFOJA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAU?$AAs?$AAe?$AAr?$AA?2@NNGAKEGL@:
					; DATA XREF: CmpFinishSystemHivesLoad(x)+436o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], dl
		jnb	short $+2
		add	gs:[edx+0], dh
		pop	esp
		add	[esi], ch
		add	[eax+eax+65h], al
		add	[esi+0], ah
		popa
		add	[ebp+0], dh
		insb
		add	[eax+eax+0], dh

loc_8B6C79:				; DATA XREF: CmpFinishSystemHivesLoad(x)+43Bo
		add	[eax+eax+52h], bl
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], dl
		jnb	short $+2
		add	gs:[edx+0], dh
		pop	esp
		add	[ebx+0], dl
		sub	eax, 2D003100h
		add	ds:31002D00h, dh
		add	[eax], bh
; 
		db 0
		db 2 dup(0)
; wchar_t ??_C
??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@ dd offset loc_750024+1
					; DATA XREF: PiProcessDriverInstance+105o
					; PiFindDevInstMatch+C8o ...
		align 10h
??_C@_0P@LCEDEPJL@Multiprocessor@NNGAKEGL@ db 'Multiprocessor',0
					; DATA XREF: CmpSetVersionData+277o
		align 10h
??_C@_04HJMOFLDF@Free@NNGAKEGL@	db 'Free',0 ; DATA XREF: CmpSetVersionData:loc_88FF18o
		align 2

??_C@_05DNIIFBMG@?$CFs?5?$CFs@NNGAKEGL@: ; DATA	XREF: CmpSetVersionData+27Co
		and	eax, 73252073h
; 
		db 0
; 

??_C@_02GMHACPFF@?$CFu@NNGAKEGL@:	; DATA XREF: CmpSetVersionData+327o
					; CmpMountPreloadedHives+99F2Co
		and	eax, 3ACC0075h
; 
		db 3 dup(0)
; void ??_C
??_C@_1BI@BNCMKGKH@?$AA?2?$AAO?$AAS?$AAD?$AAa?$AAt?$AAa?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@:
					; DATA XREF: PoInitHiberServices+13o
					; CmpMountPreloadedHives+99F5Do
		unicode	0, <\OSDataRoot>,0
; wchar_t ??_C
??_C@_1FA@FPGGIGOJ@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: CmpOpenDevicesControlSet+73o
					; CmpOpenDevicesControlSet+9A0BFo
		unicode	0, <\Registry\Machine\%wZ\CurrentControlSet>,0
; 

; wchar_t ??_C
??_C@_1FA@BCFKMFHE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: CmpSaveBootControlSet(x)+19Eo
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+53h], ch
		add	[ebp+0], ah
		jz	short $+2
		and	eax, 33003000h
		add	[eax+eax+0], ah
; 
		db 0
??_C@_17JGEJMDGN@?$AA0?$AA0?$AA9@NNGAKEGL@: ; DATA XREF: CmpCreatePerfKeys+50o
		unicode	0, <009>,0
??_C@_1CA@KOOGNCIL@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@NNGAKEGL@ dd offset loc_750042+1
					; DATA XREF: CmpCreatePerfKeys+68o
aRrentlanguage:
		unicode	0, <rrentLanguage>,0
; 

; wchar_t ??_C
??_C@_19JIECANHN@?$AA?$CF?$AA0?$AA?$CK?$AAX@NNGAKEGL@: ; DATA XREF: CmpCreatePerfKeys+9A806o
		and	eax, 2A003000h
		add	[eax+0], bl
; 
		db 2 dup(0)
; 

??_C@_05FPNECAEJ@80387@NNGAKEGL@:	; DATA XREF: CmpAddProcessorConfigurationEntry:loc_929B7Fo
		cmp	[eax], dh
		xor	edi, [eax]
		aaa
; 
		db 0
??_C@_0DD@BGFPCJCC@IoStatusBlock?5pointing?5onto?5its@NNGAKEGL@	db 'IoStatusBlock pointing onto itself AsyncUser = %p',0Ah,0
					; DATA XREF: CmpPostApc+18206Fo
					; CmpPostApc+18209Co ...
		align 4
??_C@_1EA@KMDJMPOH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: CmpMachineHiveCallbackFatalFilter(x,x)+301o
		unicode	0, <\Registry\Machine\System\Select>,0
??_C@_1BA@OFLJGHK@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@NNGAKEGL@	dd offset loc_750042+1
					; DATA XREF: PipHardwareConfigOpenKey(x,x,x)+4Eo
					; CmpFindControlSet+2D9o ...
aRrent:
		unicode	0, <rrent>,0
; 

??_C@_1BK@DJDGPBNF@?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@:
					; DATA XREF: CmpRecordShutdownStopTime()+64o
		push	ebx
		add	[eax+0], ch
		jnz	short $+2
		jz	short $+2
		add	fs:[edi+0], ch
		ja	short $+2
		outsb
		add	[eax+0], dl
		popa
		add	[eax+eax+68h], dh
; 
		db 0
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1DI@KMNHGFKK@?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAS?$AAt?$AAo?$AAp?$AAT?$AAi?$AAm@NNGAKEGL@ proc near
					; DATA XREF: CmpRecordShutdownStopTime()+D1o
		push	ebx
		add	[eax+0], ch
		jnz	short $+2
		jz	short $+2
		add	fs:[edi+0], ch
		ja	short $+2
		outsb
??_C@_1DI@KMNHGFKK@?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAS?$AAt?$AAo?$AAp?$AAT?$AAi?$AAm@NNGAKEGL@ endp

		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[eax+0], dh
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[ebx+0], al
		outsd
		add	[ebp+0], dh
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1DK@HHNMLAIB@?$AAL?$AAa?$AAs?$AAt?$AAB?$AAo?$AAo?$AAt?$AAP?$AAe?$AAr?$AAf?$AAC?$AAo?$AAu@NNGAKEGL@:
					; DATA XREF: CmpRecordShutdownStopTime()+FBo
		dec	esp
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+50h], dh
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[ebx+0], al
		outsd
		add	[ebp+0], dh
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		inc	esi
		add	[edx+0], dh
		add	gs:[ecx+0], dh
		jnz	short $+2
		add	gs:[esi+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dw 0

;  S U B	R O U T	I N E 


??_C@_1EI@GHNPDKLI@?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAS?$AAt?$AAo?$AAp?$AAT?$AAi?$AAm@NNGAKEGL@ proc near
					; DATA XREF: CmpRecordShutdownStopTime()+136o
		push	ebx
		add	[eax+0], ch
		jnz	short $+2
		jz	short $+2
		add	fs:[edi+0], ch
		ja	short $+2
		outsb
??_C@_1EI@GHNPDKLI@?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAS?$AAt?$AAo?$AAp?$AAT?$AAi?$AAm@NNGAKEGL@ endp

		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[eax+0], dh
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[ebx+0], al
		outsd
		add	[ebp+0], dh
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		inc	edx
		add	[ebp+0], dh
		imul	eax, [eax], 64006Ch
		dec	esp
		add	[ecx+0], ah
		bound	eax, [eax]
; 
		dw 0
; 

??_C@_1BC@HJOIIEGB@?$AAB?$AAu?$AAi?$AAl?$AAd?$AAL?$AAa?$AAb@NNGAKEGL@:
					; DATA XREF: CmpReadBuildLab(x,x)+68o
		inc	edx
		add	[ebp+0], dh
		imul	eax, [eax], 64006Ch
		dec	esp
		add	[ecx+0], ah
		bound	eax, [eax]
; 
		db 2 dup(0)
; 

??_C@_1MA@KCGLEHPJ@?$AA?2?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAm?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: CmpUpdateReorganizeRegistryValues+85046o
		pop	esp
		add	[edx+0], dh
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], ch
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dh
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[di+0],	dh
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax], ah
		add	[ebp+0], cl
		popa
		add	[esi+0], ch
		popa
		add	[edi+0], ah
		add	gs:[edx+0], dh
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], ah
		jb	short $+2
		popa
		add	[edi+0], ah
; 
		db 2 dup(0)
; 

??_C@_1BO@JBMIMNMP@?$AA?$CF?$AA0?$AA2?$AAd?$AA?3?$AA?$CF?$AA0?$AA2?$AAd?$AA?3?$AA?$CF?$AA0?$AA4?$AAd@NNGAKEGL@:
					; DATA XREF: CmpUpdateReorganizeRegistryValues+850BEo
		and	eax, 32003000h
		add	[eax+eax+3Ah], ah
		add	ds:32003000h, ah
		add	[eax+eax+3Ah], ah
		add	ds:34003000h, ah
		add	[eax+eax+0], ah
; 
		db 0
; 

??_C@_1BA@LAKJGBNI@?$AAL?$AAa?$AAs?$AAt?$AAR?$AAu?$AAn@NNGAKEGL@:
					; DATA XREF: CmpUpdateReorganizeRegistryValues+850D6o
		dec	esp
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		push	edx
		add	[ebp+0], dh
		outsb
; 
		db 3 dup(0)
; 

??_C@_1CA@DFGBBCPM@?$AAT?$AAo?$AAt?$AAa?$AAl?$AAB?$AAy?$AAt?$AAe?$AAs?$AAS?$AAa?$AAv?$AAe?$AAd@NNGAKEGL@:
					; DATA XREF: CmpUpdateReorganizeRegistryValues+85114o
		push	esp
		add	[edi+0], ch
		jz	short $+2
		popa
		add	[eax+eax+42h], ch
		add	[ecx+0], bh
		jz	short $+2
		add	gs:[ebx+0], dh
		push	ebx
		add	[ecx+0], ah
		jbe	short $+2
		add	gs:[eax+eax+0],	ah
; 
		db 0
; void ??_C
??_C@_1CA@DOEFBOAB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAU?$AAs?$AAe?$AAr?$AA?2@NNGAKEGL@:
					; DATA XREF: CmRealKCBToVirtualPath(x,x,x,x):loc_839A76o
					; ExpWnfGetPermanentPerUserDataStoreHandle(x,x)+5Co
		unicode	0, <\Registry\User\>,0
; 

; void ??_C
??_C@_1BM@HHPHHPEN@?$AA?2?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAS?$AAt?$AAo?$AAr?$AAe@NNGAKEGL@:
					; DATA XREF: CmRealKCBToVirtualPath(x,x,x,x)+F8o
		pop	esp
		add	[esi+0], dl
		imul	eax, [eax], 740072h
		jnz	short $+2
		popa
		add	[eax+eax+53h], ch
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
		add	gs:[eax], al
; 
		db 0
; 

; void ??_C
??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@:	; DATA XREF: AslpFileStringTokenize(x,x,x)+2Do
					; AslpFileStringTokenize(x,x,x)+6Do ...
		pop	esp
; 
		db 3 dup(0)
; void ??_C
??_C@_1BC@PGMOPNLK@?$AA_?$AAC?$AAl?$AAa?$AAs?$AAs?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: CmpGetVirtualizationID+8Ao
		unicode	0, <_Classes>,0
??_C@_1EK@IKDAGJBP@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@ db '\',0
					; DATA XREF: CmpFlushBackupHive(x)+94o
					; CmpInitBackupHive(x,x)+51o
		dd offset loc_790051+2
		dd offset loc_740072+1
aEmrootSystem32:
		unicode	0, <emRoot\System32\Config\RegBack\>,0
; 

; void ??_C
??_C@_19NBLAHBNG@?$AA?4?$AAO?$AAL?$AAD@NNGAKEGL@: ; DATA XREF: CmpFlushBackupHive(x)+E3o
		add	cs:[edi+0], cl
		dec	esp
		add	[eax+eax+0], al

loc_8B70E1:				; DATA XREF: PAGE:0074BAABo
		add	[eax+eax], bh
		push	ebp
		add	[esi+0], ch
		imul	eax, [eax], 6Eh
		add	[edi+0], ch
		ja	short $+2
		outsb
		add	[eax], ah
		add	[edx+0], dh
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		db	3Eh
		add	[eax], al
; 
		db 0
??_C@_1BK@KMMANFGK@?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAR?$AAe?$AAa?$AAd@NNGAKEGL@:
					; DATA XREF: CmpHiveRootSecurityDescriptor+36o
		unicode	0, <registryRead>,0
??_C@_17KACEIPNC@?$AAK?$AAe?$AAy@NNGAKEGL@ db 'K',0
					; DATA XREF: CmpExamineSaclForAuditEvent(x,x,x):loc_942683o
					; SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+167o
		dd offset loc_790063+2
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1BC@FCJNIDNL@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy@NNGAKEGL@ proc near
					; DATA XREF: PipCreateDependencyNode+1EEo
					; IopQuerySecureDeviceClassState+17o ...
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
??_C@_1BC@FCJNIDNL@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy@NNGAKEGL@ endp

		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
; 
		dw 0
??_C@_1HI@EDNIGPI@?$AA?2?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAm?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: CmpAddToHiveFileList:loc_7DF3FAo
		unicode	0, <\registry\machine\system\currentcontrolset\control\hiveli>
		unicode	0, <st>,0
; 

??_C@_1IO@IILNFANJ@?$AA?2?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAm?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: CmpQueryHiveRedirectionFileList+11B702o
		pop	esp
		add	[edx+0], dh
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], ch
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dh
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], ah
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		arpl	[eax], ax
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+73h], ch
		add	[ebp+0], ah
		jz	short $+2
		pop	esp
		add	[ebx+0], ah
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+0], ch
		imul	eax, [eax], 650076h
		jb	short $+2
		add	gs:[eax+eax+69h], ah
		add	[edx+0], dh
		add	gs:[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		insb
		add	[ecx+0], ch
		jnb	short $+2
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CM@ODEMAHPH@?$AAC?$AAo?$AAm?$AAp?$AAo?$AAn?$AAe?$AAn?$AAt?$AA?5?$AAI?$AAn?$AAf?$AAo?$AAr@NNGAKEGL@:
					; DATA XREF: IopGetRegistryValues(x,x,x)+40o
					; CmpInitializeRegistryNode:loc_88E390o
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		outsd
		add	[esi+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		and	[eax], al
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
		jb	short $+2
		insd
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		db 2 dup(0)
; 

??_C@_1CG@CDEDNCMF@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AA?5?$AAD@NNGAKEGL@:
					; DATA XREF: IopGetRegistryValues(x,x,x)+2Do
					; CmpInitializeRegistryNode:loc_88E424o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 750067h
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax], ah
		add	[eax+eax+61h], al
		add	[eax+eax+61h], dh
; 
		db 3 dup(0)
??_C@_1BG@IEICLFFJ@?$AAI?$AAd?$AAe?$AAn?$AAt?$AAi?$AAf?$AAi?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: IopGetRegistryValues(x,x,x)+13o
					; CmpInitializeRegistryNode+171o
		unicode	0, <Identifier>,0
??_C@_1EG@OMAKEJKM@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@ db '\',0
					; DATA XREF: CmpLogTxrInitEvent(x,x,x)+27o
		dd offset loc_790051+2
		dd offset loc_740072+1
aEmrootSystem_0:
		unicode	0, <emRoot\System32\Config\SYSTEM>,0
??_C@_1O@DBFGALKA@?$AAs?$AAe?$AAl?$AAe?$AAc?$AAt@NNGAKEGL@:
					; DATA XREF: CmpFindControlSet+A1o
		unicode	0, <select>,0
??_C@_0P@IKGNAJNG@ControlSet?$CF03d@NNGAKEGL@ db 'ControlSet%03d',0
					; DATA XREF: CmpFindControlSet+1FFo
		align 2
??_C@_1BG@MJOFNOIM@?$AAA?$AAu?$AAt?$AAo?$AAS?$AAe?$AAl?$AAe?$AAc?$AAt@NNGAKEGL@	dd offset loc_75003C+5
					; DATA XREF: CmpFindControlSet+103o
		dw 74h
aOselect:
		unicode	0, <oSelect>,0
??_C@_1CE@JCFICPFJ@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AA?5?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@NNGAKEGL@:
					; DATA XREF: _PnpCtxGetCachedNodeBaseKey+1DEo
					; CmpGetAcpiProfileInformation+56o ...
		unicode	0, <Hardware Profiles>,0
??_C@_1BK@BFIEKNFP@?$AAF?$AAr?$AAi?$AAe?$AAn?$AAd?$AAl?$AAy?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+291o
					; CmpGetAcpiProfileInformation:loc_88EF2Eo ...
		unicode	0, <FriendlyName>,0
??_C@_1CA@DNKLCGOJ@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAe?$AAn?$AAc?$AAe?$AAO?$AAr?$AAd?$AAe?$AAr@NNGAKEGL@ db 'P',0
					; DATA XREF: CmpGetAcpiProfileInformation+19Fo
					; CmpCloneHwProfile(x,x,x,x,x,x,x)+499o ...
aReferenceorder:
		unicode	0, <referenceOrder>,0
; 

??_C@_1BE@CCJOPAOC@?$AAA?$AAl?$AAi?$AAa?$AAs?$AAa?$AAb?$AAl?$AAe@NNGAKEGL@:
					; DATA XREF: CmpGetAcpiProfileInformation+25Ao
					; CmpCloneHwProfile(x,x,x,x,x,x,x):loc_947691o
		inc	ecx
		add	[eax+eax+69h], ch
		add	[ecx+0], ah
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
; 
		db 2 dup(0)
; 

??_C@_1BA@MAILMBPH@?$AA?9?$AA?9?$AA?9?$AA?9?$AA?9?$AA?9?$AA?9@NNGAKEGL@:
					; DATA XREF: CmpGetAcpiProfileInformation:loc_92A164o
		sub	eax, 2D002D00h
		add	ds:2D002D00h, ch
; 
		db 0, 2Dh, 0
		db 2 dup(0)
; 

??_C@_1BE@EFIOFOBM@?$AAA?$AAc?$AAp?$AAi?$AAA?$AAl?$AAi?$AAa?$AAs@NNGAKEGL@:
					; DATA XREF: CmpGetAcpiProfileInformation:loc_88F0A8o
					; CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+2Bo
		inc	ecx
		add	[ebx+0], ah
		jo	short $+2
		imul	eax, [eax], 6C0041h
		imul	eax, [eax], 730061h
; 
		db 2 dup(0)
; 

??_C@_1BC@CLFDFOLE@?$AAP?$AAr?$AAi?$AAs?$AAt?$AAi?$AAn?$AAe@NNGAKEGL@:
					; DATA XREF: CmpGetAcpiProfileInformation:loc_88EFE3o
		push	eax
		add	[edx+0], dh
		imul	eax, [eax], 740073h
		imul	eax, [eax], 65006Eh
; 
		dw 0
??_C@_1BK@DIMLADLC@?$AAD?$AAo?$AAc?$AAk?$AAi?$AAn?$AAg?$AAS?$AAt?$AAa?$AAt?$AAe@NNGAKEGL@:
					; DATA XREF: CmSetAcpiHwProfile+211o
					; CmSetAcpiHwProfile+3EEo ...
		unicode	0, <DockingState>,0
??_C@_1BM@IAAGELMO@?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl?$AAe?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@NNGAKEGL@ db 'P',0
					; DATA XREF: CmpGetAcpiProfileInformation+48Fo
					; CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+1A3o ...
aRofilenumber:
		unicode	0, <rofileNumber>,0
; 

??_C@_19BLGDCJIP@?$AA?$CF?$AA0?$AA4?$AAd@NNGAKEGL@:
					; DATA XREF: CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+9Ao
					; CmpCloneHwProfile(x,x,x,x,x,x,x)+E7o	...
		and	eax, 34003000h
		add	[eax+eax+0], ah
; 
		db 0
??_C@_1CC@GFOCCCFH@?$AAA?$AAc?$AAp?$AAi?$AAS?$AAe?$AAr?$AAi?$AAa?$AAl?$AAN?$AAu?$AAm?$AAb?$AAe@NNGAKEGL@:
					; DATA XREF: CmSetAcpiHwProfile+265o
					; CmSetAcpiHwProfile+427o ...
		unicode	0, <AcpiSerialNumber>,0
??_C@_1BM@EBFHNJCL@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@ dd offset loc_750042+1
					; DATA XREF: CmSetAcpiHwProfile:loc_88E90Eo
					; CmSetAcpiHwProfile:loc_929F3Eo
		dw 72h
aRentconfig:
		unicode	0, <rentConfig>,0
??_C@_1CA@CEMLPECN@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAD?$AAo?$AAc?$AAk?$AAI?$AAn?$AAf?$AAo@NNGAKEGL@ dd offset loc_750042+1
					; DATA XREF: CmSetAcpiHwProfile+1AAo
					; CmSetAcpiHwProfile:loc_929EBEo ...
		dw 72h
aRentdockinfo:
		unicode	0, <rentDockInfo>,0
; 

; wchar_t ??_C
??_C@_1HO@DPJFAAAO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: CmSetAcpiHwProfile+9B9CEo
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	ds:5A007700h, ah
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[eax+0], cl
		popa
		add	[edx+0], dh
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		jnb	short $+2
		pop	esp
		add	ds:34003000h, ah
		add	[eax+eax+0], ah
		add	ds:34003000h, ah ; DATA	XREF: CmSetAcpiHwProfile+9B7D0o
					; CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+31Co ...
		add	[eax+eax+0], ah
; 
		db 3 dup(0)
; 

??_C@_1O@KHOHJKPL@?$AAD?$AAo?$AAc?$AAk?$AAI?$AAD@NNGAKEGL@:
					; DATA XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+8Ao
					; CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x):loc_947DF8o
		inc	esp
		add	[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 49h
		add	[eax+eax+0], al
; 
		db 0
; 

??_C@_1BK@GBMCOKGG@?$AAS?$AAe?$AAr?$AAi?$AAa?$AAl?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+53o
					; CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+255o
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 6C0061h
		dec	esi
		add	[ebp+0], dh
		insd
		add	[edx+0], ah
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1O@DHDEGGFC@?$AAC?$AAl?$AAo?$AAn?$AAe?$AAd@NNGAKEGL@:
					; DATA XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+5F3o
					; CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+375o
		inc	ebx
		add	[eax+eax+6Fh], ch
		add	[esi+0], ch
		add	gs:[eax+eax+0],	ah
		add	[ecx+0], al	; DATA XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+C5o
		insb
		add	[ecx+0], ch
		popa
		add	[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1BM@PBKGKIHI@?$AAH?$AAw?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl?$AAe?$AAG?$AAu?$AAi?$AAd@NNGAKEGL@:
					; DATA XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+651o
		dec	eax
		add	[edi+0], dh
		push	eax
		add	[edx+0], dh
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		inc	edi
		add	[ebp+0], dh
		imul	eax, [eax], 64h

??_C@_1CO@NILKMGBN@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AA?5?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@NNGAKEGL@:
					; DATA XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+279o
		dec	eax
		add	[ecx+0], ah
		jb	short $+2
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		jnb	short $+2
		pop	esp
		add	ds:34003000h, ah
		add	[eax+eax+0], ah
		add	[eax+eax+6Fh], al
					; DATA XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+98o
		add	[ebx+0], ah
		imul	eax, [eax], 65h
		add	[eax+eax+0], ah

loc_8B7595:				; DATA XREF: EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+1FBo
					; EtwTimLogRedirectionTrustPolicy(x,x,x,x,x)+39Eo ...
		add	[ebp+0], dl
		outsb
		add	[ebx+0], ch
		outsb
		add	[edi+0], ch
		ja	short $+2
		outsb
; 
		db 0
		db 2 dup(0)
; 

??_C@_1M@OLDAANJO@?$AA?$CF?$AAs?$AA?5?$AA?$CF?$AAu@NNGAKEGL@:
					; DATA XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+260o
		and	eax, 20007300h
		add	large ds:7500h,	ah
		add	[ebp+0], dl	; DATA XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+A9o
		outsb
		add	[eax+eax+6Fh], ah
		add	[ebx+0], ah
		imul	eax, [eax], 65h
		add	[eax+eax+0], ah
		add	[ebx+0], al	; DATA XREF: CmpPreserveSystemHiveData(x,x)+Do
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[esi+0], al
		popa
		add	[ebx+0], dh
		jz	short $+2
		inc	ebx
		add	[ecx+0], ah
		arpl	[eax], ax
		push	6500h
		add	[edi+0], dl	; DATA XREF: CmpPreserveSystemHiveData(x,x)+116o
		push	eax
		add	[ecx+0], al
; 
		dw 0
; 

??_C@_1BM@NLGAGAOC@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@NNGAKEGL@:
					; DATA XREF: CmpPreserveSystemHiveData(x,x)+E8o
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dw 0
; 

??_C@_1CO@CJDHJLDB@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt@NNGAKEGL@:
					; DATA XREF: CmpPreserveSystemHiveData(x,x)+DEo
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+50h], bl
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		db 2 dup(0)
; 

; char ??_C
??_C@_0O@OPFGLDE@ControlSet000@NNGAKEGL@: ; DATA XREF: CmpPreserveSystemHiveData(x,x)+42Bo
		inc	ebx
		outsd
		outsb
		jz	short near ptr loc_8B76AF+2
		outsd
		insb
		push	ebx
		db	65h
		jz	short loc_8B7675
		xor	[eax], dh
; 
		db 0
??_C@_1CE@MEIKCFL@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS@NNGAKEGL@	dd offset loc_750042+1
					; DATA XREF: _SysCtxOpenControlSet+2Co
					; CmpPreserveSystemHiveData(x,x)+1CBo
aRrentcontrolse:
		unicode	0, <rrentControlSet>,0
; 

; wchar_t ??_C
??_C@_1BM@DEAICIBD@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS?$AAe?$AAt?$AA0?$AA0?$AA0@NNGAKEGL@:
					; DATA XREF: CmpPreserveSystemHiveData(x,x):loc_949A5Do
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh

loc_8B7675:				; CODE XREF: PAGE:008B7642j
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+30h], dh
		add	[eax], dh
		add	[eax], dh
; 
		db 3 dup(0)
??_C@_03PCJIPBFG@?4?$CFu@NNGAKEGL@ dd offset loc_752529+5
					; DATA XREF: CmpAddRemoveContainerToCLFSLog(x,x,x,x,x,x,x,x)+10Ao

;  S U B	R O U T	I N E 


??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@ proc near
					; DATA XREF: VRegSetup+2Fo
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@ endp

		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebx+0], al
		outsd

loc_8B76AF:				; CODE XREF: PAGE:008B763Dj
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[di+0],	dh
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax], ah
		add	[ebp+0], cl
		popa
		add	[esi+0], ch
		popa
		add	[edi+0], ah
		add	gs:[edx+0], dh
; 
		dw 0
??_C@_1O@PAINHNKI@?$AA1?$AA8?$AA9?$AA9?$AA0?$AA0@NNGAKEGL@:
					; DATA XREF: VrpIncrementSiloCount+43o
		unicode	0, <189900>,0
; 

??_C@_1CG@LJMIDBHF@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAV?$AAR?$AAe?$AAg?$AAD?$AAr?$AAi@NNGAKEGL@:
					; DATA XREF: VRegSetup+47o
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	[esi+0], dl
		push	edx
		add	[ebp+0], ah
		add	[si+0],	al
		jb	short $+2
		imul	eax, [eax], 650076h
		jb	short $+2
; 
		dw 0
??_C@_1DC@PLDMBLKK@?$AAV?$AAR?$AAe?$AAg?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi@NNGAKEGL@:
					; DATA XREF: VRegSetup+A5o
		unicode	0, <VRegConfigurationContext>,0
; void ??_C
??_C@_1O@KICFGMEB@?$AA?2?$AAS?$AAi?$AAl?$AAo?$AA_@NNGAKEGL@ db '\',0
					; DATA XREF: VrpPreLoadKey(x,x)+4D0o
aSilo_:
		unicode	0, <Silo_>,0
; 

; void ??_C
??_C@_13ENNFDPBH@?$AA_@NNGAKEGL@:	; DATA XREF: VrpPreLoadKey(x,x)+4F4o
					; VrpPreLoadKey(x,x)+517o ...
		pop	edi
; 
		db 3 dup(0)
??_C@_1CI@PDLNLLIE@?$AAl?$AAp?$AAa?$AAc?$AAI?$AAn?$AAs?$AAt?$AAr?$AAu?$AAm?$AAe?$AAn?$AAt?$AAa@NNGAKEGL@:
					; DATA XREF: DbgkpCreateNotificationEvent+33o
		unicode	0, <lpacInstrumentation>,0
; 

??_C@_1EI@MEPMEHFB@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@:
					; DATA XREF: DbgkpInitializePhase1SiloState(x)+1Bo
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		inc	ebp
		add	[edx+0], dh
		jb	short $+2
		outsd
		add	[edx+0], dh
		push	eax
		add	[edi+0], ch
		jb	short $+2
		jz	short $+2
		push	edx
		add	[ebp+0], ah
		popa
		add	[eax+eax+79h], ah
; 
		db 3 dup(0)
??_C@_1IA@DFJIGEFL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: DbgkpLkmdSqmIsOptedIn()+16o
		unicode	0, <\Registry\Machine\Software\Policies\Microsoft\SQMClient\W>
		unicode	0, <indows>,0
??_C@_1GO@NDGGKOHN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: DbgkpLkmdSqmIsOptedIn()+20o
		unicode	0, <\Registry\Machine\Software\Microsoft\SQMClient\Windows>,0
??_C@_1BG@OLBJDGGK@?$AAC?$AAE?$AAI?$AAP?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@NNGAKEGL@	db 'C',0
					; DATA XREF: DbgkpLkmdSqmIsOptedIn()+2Ao
aEipenable:
		unicode	0, <EIPEnable>,0
; char ??_C[]
??_C@_0CM@JGOHABJG@DBGK?3?5DbgkpWerCleanupContext?3?5C@NNGAKEGL@ db 'DBGK: DbgkpWerCleanupContext: Context 0x%p',0Ah,0
					; DATA XREF: DbgkpWerCleanupContext(x)+8o
; 

; char ??_C
??_C@_0DJ@GHCNCPCO@DBGK?3?5IoDiscardDeferredLiveDump@NNGAKEGL@:
					; DATA XREF: DbgkpWerCleanupContext(x)+34o
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		dec	ecx
		outsd
		inc	esp
		imul	esi, [ebx+63h],	44647261h
		db	65h, 66h, 65h
		jb	short near ptr loc_8B7976+1
		db	65h, 64h
		dec	esp
		imul	esi, [esi+65h],	706D7544h
		inc	esp
		popa
		jz	short near ptr loc_8B796F+5
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	7473202Ch
		popa
		jz	short loc_8B7996
		jnb	short near ptr loc_8B7942+1
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0DC@EABLBAKN@DBGK?3?5Creating?5mini?5live?5dump?4?5@NNGAKEGL@:
					; DATA XREF: DbgkpWerCaptureLiveTriageDump(x)+1Bo
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		inc	ebx
		jb	short near ptr loc_8B7996+2
		popa
		jz	short loc_8B799F
		outsb
		and	[di+69h], ch
		outsb
		imul	esp, [eax], 6576696Ch

loc_8B7942:				; CODE XREF: PAGE:008B7921j
		and	[ebp+esi*2+6Dh], ah
		jo	short loc_8B7976
		and	[ebx+6Fh], al
		insd
		jo	short near ptr loc_8B79BC+1
		outsb
		outs	dx, byte ptr gs:[esi]
		jz	short loc_8B79A1
		popa
		insd
		and	gs:0A7377h, ah

; char ??_C
??_C@_0CN@CIIFFEL@DBGK?3?5KeCapturePersistentThread@NNGAKEGL@:
					; DATA XREF: DbgkpWerCaptureLiveTriageDump(x)+98o
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		dec	ebx
		db	65h
		inc	ebx
		popa
		jo	short loc_8B79DC
		jnz	short loc_8B79DC
		db	65h
		push	eax
		db	65h
		jb	short loc_8B79E2

loc_8B796F:				; CODE XREF: PAGE:008B7911j
		imul	esi, [ebx+74h],	54746E65h

loc_8B7976:				; CODE XREF: PAGE:008B7946j
					; PAGE:008B7900j
		push	64616572h
		push	ebx
		jz	short loc_8B79DF
		jz	short loc_8B79E5
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	44CC000Ah
					; DATA XREF: DbgkpWerCleanupContext(x)+101o
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		inc	esp
		bound	esp, [edi+6Bh]
		jo	short near ptr loc_8B79EC+1

loc_8B7996:				; CODE XREF: PAGE:008B791Fj
					; PAGE:008B7931j
		db	65h
		jb	short loc_8B79DC
		insb
		db	65h
		popa
		outsb
		jnz	short near ptr loc_8B7A09+6

loc_8B799F:				; CODE XREF: PAGE:008B7934j
		inc	ebx
		outsd

loc_8B79A1:				; CODE XREF: PAGE:008B7951j
		outsb
		jz	short loc_8B7A09
		js	short loc_8B7A1A
		cmp	ah, [eax]
		push	edi
		db	65h
		jb	short near ptr loc_8B79F2+6
		imul	esi, [esi+65h],	6E72654Bh
		db	65h
		insb
		inc	ebx
		popa
		outsb
		arpl	[ebp+6Ch], sp
		push	edx

loc_8B79BC:				; CODE XREF: PAGE:008B794Cj
		db	65h
		jo	short near ptr loc_8B7A2C+2
		jb	short near ptr loc_8B7A33+2
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	7830202Ch
		and	eax, 44000A58h	; DATA XREF: DbgkpWerCleanupContext(x)+120o
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		inc	esp
		bound	esp, [edi+6Bh]
		jo	short loc_8B7A33

loc_8B79DC:				; CODE XREF: PAGE:008B7966j
					; PAGE:008B7968j ...
		db	65h
		jb	short loc_8B7A22

loc_8B79DF:				; CODE XREF: PAGE:008B797Cj
		insb
		db	65h
		popa

loc_8B79E2:				; CODE XREF: PAGE:008B796Cj
		outsb
		jnz	short near ptr loc_8B7A54+1

loc_8B79E5:				; CODE XREF: PAGE:008B797Ej
		inc	ebx
		outsd
		outsb
		jz	short near ptr loc_8B7A4C+3
		js	short near ptr loc_8B7A5F+1

loc_8B79EC:				; CODE XREF: PAGE:008B7994j
		cmp	ah, [eax]
		push	edi
		db	65h
		jb	short near ptr loc_8B7A3D+1

loc_8B79F2:				; CODE XREF: PAGE:008B79A9j
		imul	esi, [esi+65h],	6E72654Bh
		db	65h
		insb
		inc	ebx
		insb
		outsd
		jnb	short near ptr loc_8B7A64+1
		dec	eax
		popa
		outsb
		db	64h
		insb
		and	gs:[esi+61h], ah

loc_8B7A09:				; CODE XREF: PAGE:008B79A2j
					; PAGE:008B799Dj
		imul	ebp, [ebp+64h],	7830202Ch
		and	eax, 0CC000A58h

??_C@_0FI@JFBJONDB@DBGK?3?5DbgkpWerCaptureLiveTriage@NNGAKEGL@:
					; DATA XREF: DbgkpWerCaptureLiveTriageDump(x)+F8o
		inc	esp
		inc	edx
		inc	edi
		dec	ebx

loc_8B7A1A:				; CODE XREF: PAGE:008B79A4j
		cmp	ah, [eax]
		inc	esp
		bound	esp, [edi+6Bh]
		jo	short near ptr loc_8B7A78+1

loc_8B7A22:				; CODE XREF: PAGE:loc_8B79DCj
		db	65h
		jb	short loc_8B7A68
		popa
		jo	short loc_8B7A9C
		jnz	short loc_8B7A9C
		db	65h
		dec	esp

loc_8B7A2C:				; CODE XREF: PAGE:loc_8B79BCj
		imul	esi, [esi+65h],	61697254h

loc_8B7A33:				; CODE XREF: PAGE:008B79DAj
					; PAGE:008B79BFj
		db	67h, 65h
		inc	esp
		jnz	short near ptr loc_8B7AA2+3
		jo	short loc_8B7A74
		and	[edi+65h], dl

loc_8B7A3D:				; CODE XREF: PAGE:008B79EFj
		jb	short loc_8B7A8B
		imul	esi, [esi+65h],	6E72654Bh
		db	65h
		insb
		push	ebx
		jnz	short near ptr loc_8B7AAC+1
		insd

loc_8B7A4C:				; CODE XREF: PAGE:008B79E8j
		imul	esi, [edx+edx*2+65h], 74726F70h

loc_8B7A54:				; CODE XREF: PAGE:008B79E3j
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	74697720h

loc_8B7A5F:				; CODE XREF: PAGE:008B79EAj
		push	61747320h

loc_8B7A64:				; CODE XREF: PAGE:008B79FEj
		jz	short loc_8B7ADB
		jnb	short near ptr loc_8B7A87+1

loc_8B7A68:				; CODE XREF: PAGE:loc_8B7A22j
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]

; char ??_C
??_C@_0DK@HACPALBM@DBGK?3?5Creating?5full?5dump?4?5?5Comp@NNGAKEGL@:
					; DATA XREF: DbgkpWerCaptureLiveFullDump(x,x)+19o
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]

loc_8B7A74:				; CODE XREF: PAGE:008B7A38j
		inc	ebx
		jb	short ??_C@_0DD@EHPANEIH@DBGK?3?5DbgkpWerWriteTriageDump?5f@NNGAKEGL@
		popa

loc_8B7A78:				; CODE XREF: PAGE:008B7A20j
		jz	short loc_8B7AE3
		outsb
		and	[bp+75h], ah
		insb
		insb
		and	[ebp+esi*2+6Dh], ah
		jo	short near ptr loc_8B7AB4+1

loc_8B7A87:				; CODE XREF: PAGE:008B7A66j
		and	[eax], ah
		inc	ebx
		outsd

loc_8B7A8B:				; CODE XREF: PAGE:loc_8B7A3Dj
		insd
		jo	short near ptr loc_8B7AFC+1
		outsb
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_8B7AE0+1
		popa
		insd
		and	gs:202C7377h, ah

loc_8B7A9C:				; CODE XREF: PAGE:008B7A26j
					; PAGE:008B7A28j
		inc	esp
		db	65h, 66h, 65h
		jb	short near ptr loc_8B7AC0+2

loc_8B7AA2:				; CODE XREF: PAGE:008B7A36j
		cmp	eax, 0A642520h
; 
		db 0
; 

; char ??_C
??_C@_0DD@PGHNHIBM@DBGK?3?5DbgkpWerInvokeCallbacks?5f@NNGAKEGL@:
					; DATA XREF: DbgkpWerCaptureLiveTriageDump(x)+C0o
		inc	esp
		inc	edx
		inc	edi
		dec	ebx

loc_8B7AAC:				; CODE XREF: PAGE:008B7A49j
		cmp	ah, [eax]
		inc	esp
		bound	esp, [edi+6Bh]
		jo	short near ptr loc_8B7B09+2

loc_8B7AB4:				; CODE XREF: PAGE:008B7A85j
		db	65h
		jb	short near ptr loc_8B7AFC+4
		outsb
		jbe	short near ptr loc_8B7B26+3
		imul	esp, [ebp+43h],	61h
		insb
		insb

loc_8B7AC0:				; CODE XREF: PAGE:008B7A9Dj
		bound	esp, [ecx+63h]
		imul	esi, [ebx+20h],	66h
		popa
		imul	ebp, [ebp+64h],	7473202Ch
		popa
		jz	short near ptr loc_8B7B47+1
		jnb	short near ptr loc_8B7AF3+2
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]

loc_8B7ADB:				; CODE XREF: PAGE:loc_8B7A64j
		int	3		; Trap to Debugger

??_C@_0DD@EHPANEIH@DBGK?3?5DbgkpWerWriteTriageDump?5f@NNGAKEGL@: ; CODE	XREF: PAGE:008B7A75j
					; DATA XREF: DbgkpWerCaptureLiveTriageDump(x)+E0o
		inc	esp
		inc	edx
		inc	edi
		dec	ebx

loc_8B7AE0:				; CODE XREF: PAGE:008B7A91j
		cmp	ah, [eax]
		inc	esp

loc_8B7AE3:				; CODE XREF: PAGE:loc_8B7A78j
		bound	esp, [edi+6Bh]
		jo	short near ptr loc_8B7B3D+2
		db	65h
		jb	short near ptr loc_8B7B3D+5
		jb	short loc_8B7B56
		jz	short loc_8B7B54
		push	esp
		jb	short loc_8B7B5B
		popa

loc_8B7AF3:				; CODE XREF: PAGE:008B7AD3j
		db	67h, 65h
		inc	esp
		jnz	short loc_8B7B65
		jo	short loc_8B7B1A
		popaw

loc_8B7AFC:				; CODE XREF: PAGE:008B7A8Cj
					; PAGE:loc_8B7AB4j
		imul	ebp, [ebp+64h],	7473202Ch
		popa
		jz	short loc_8B7B7C
		jnb	short near ptr loc_8B7B26+3

loc_8B7B09:				; CODE XREF: PAGE:008B7AB2j
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]
		int	3		; Trap to Debugger

??_C@_0EO@DIEJBPEN@DBGK?3?5DbgkpWerCaptureLiveFullDu@NNGAKEGL@:
					; DATA XREF: DbgkpWerCaptureLiveFullDump(x,x)+121o
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		inc	esp
		bound	esp, [edi+6Bh]

loc_8B7B1A:				; CODE XREF: PAGE:008B7AF8j
		jo	short near ptr loc_8B7B72+1
		db	65h
		jb	short loc_8B7B62
		popa
		jo	short near ptr loc_8B7B92+4
		jnz	short near ptr loc_8B7B92+4
		db	65h
		dec	esp

loc_8B7B26:				; CODE XREF: PAGE:008B7AB8j
					; PAGE:008B7B07j
		imul	esi, [esi+65h],	6C6C7546h
		inc	esp
		jnz	short near ptr loc_8B7B9C+1
		jo	short loc_8B7B6C
		and	[ecx+6Fh], cl
		inc	ebx
		popa
		jo	short near ptr loc_8B7BAC+1
		jnz	short near ptr loc_8B7BAC+1
		db	65h
		dec	esp

loc_8B7B3D:				; CODE XREF: PAGE:008B7AE6j
					; PAGE:008B7AE8j
		imul	esi, [esi+65h],	706D7544h
		and	[esi+61h], ah

loc_8B7B47:				; CODE XREF: PAGE:008B7AD1j
		imul	ebp, [ebp+64h],	74697720h
		push	61747320h

loc_8B7B54:				; CODE XREF: PAGE:008B7AEDj
		jz	short near ptr ??_C@_0FH@OHNJFOED@DBGK?3?5DbgkpWerDeferredWriteRout@NNGAKEGL@+0Bh

loc_8B7B56:				; CODE XREF: PAGE:008B7AEBj
		jnb	short near ptr loc_8B7B75+3
		xor	[eax+25h], bh

loc_8B7B5B:				; CODE XREF: PAGE:008B7AF0j
		pop	eax
		or	al, [eax]

; char ??_C
??_C@_0CJ@OGLEMCBF@DBGK?3?5Could?5not?5allocate?5an?5Io?5@NNGAKEGL@:
					; DATA XREF: DbgkpWerCaptureLiveFullDump(x,x)+4Ao
		inc	esp
		inc	edx
		inc	edi
		dec	ebx

loc_8B7B62:				; CODE XREF: PAGE:008B7B1Cj
		cmp	ah, [eax]
		inc	ebx

loc_8B7B65:				; CODE XREF: PAGE:008B7AF6j
		outsd
		jnz	short near ptr ??_C@_0FH@OHNJFOED@DBGK?3?5DbgkpWerDeferredWriteRout@NNGAKEGL@+14h
		and	fs:[esi+6Fh], ch

loc_8B7B6C:				; CODE XREF: PAGE:008B7B30j
		jz	short loc_8B7B8E
		popa
		insb
		insb
		outsd

loc_8B7B72:				; CODE XREF: PAGE:loc_8B7B1Aj
		arpl	[ecx+74h], sp

loc_8B7B75:				; CODE XREF: PAGE:loc_8B7B56j
		and	gs:[ecx+6Eh], ah
		and	[ecx+6Fh], cl

loc_8B7B7C:				; CODE XREF: PAGE:008B7B05j
		and	[ebx+6Fh], al
		outsb
		jz	short near ptr ??_C@_0FH@OHNJFOED@DBGK?3?5DbgkpWerDeferredWriteRout@NNGAKEGL@+34h
		outsd
		insb
		or	al, cs:[eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0DH@FNCDKNFE@DBGK?3?5WerLiveKernelOpenDumpFile@NNGAKEGL@:
					; DATA XREF: DbgkpWerCaptureLiveFullDump(x,x)+BEo
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]

loc_8B7B8E:				; CODE XREF: PAGE:loc_8B7B6Cj
		push	edi
		db	65h
		jb	short near ptr ??_C@_0FH@OHNJFOED@DBGK?3?5DbgkpWerDeferredWriteRout@NNGAKEGL@+1Eh

loc_8B7B92:				; CODE XREF: PAGE:008B7B20j
					; PAGE:008B7B22j
		imul	esi, [esi+65h],	6E72654Bh
		db	65h
		insb
		dec	edi

loc_8B7B9C:				; CODE XREF: PAGE:008B7B2Ej
		jo	short near ptr ??_C@_0FH@OHNJFOED@DBGK?3?5DbgkpWerDeferredWriteRout@NNGAKEGL@+43h
		outsb
		inc	esp
		jnz	short near ptr ??_C@_0FH@OHNJFOED@DBGK?3?5DbgkpWerDeferredWriteRout@NNGAKEGL@+4Fh
		jo	short near ptr ??_C@_0FH@OHNJFOED@DBGK?3?5DbgkpWerDeferredWriteRout@NNGAKEGL@+2Ah
		imul	ebp, [ebp+20h],	6C696166h

loc_8B7BAC:				; CODE XREF: PAGE:008B7B37j
					; PAGE:008B7B39j
		db	65h, 64h
		and	cs:[ebx+74h], dl
		popa
		jz	short near ptr ??_C@_0CL@GAIMIBPK@DBGK?3?5Failed?5to?5create?5timer?0?5s@NNGAKEGL@+12h
		jnb	short near ptr ??_C@_0FH@OHNJFOED@DBGK?3?5DbgkpWerDeferredWriteRout@NNGAKEGL@+17h
		cmp	eax, 25783020h
		pop	eax
		or	al, [eax]
		int	3		; Trap to Debugger
; 
??_C@_0FH@OHNJFOED@DBGK?3?5DbgkpWerDeferredWriteRout@NNGAKEGL@ db 'DBGK: DbgkpWerDeferredWriteRoutine: WerLiveKernelSubmitReport fai'
					; CODE XREF: PAGE:loc_8B7B54j
					; DATA XREF: DbgkpWerDeferredWriteRoutine(x)+8Bo
		db 'led with status 0x%X',0Ah,0
		align 4
; char ??_C[]
??_C@_0CL@GAIMIBPK@DBGK?3?5Failed?5to?5create?5timer?0?5s@NNGAKEGL@ db 'DBGK: Failed to create timer, status 0x%X',0Ah,0
					; DATA XREF: DbgkpWerInitializeDeferredLiveDump(x)+59o
		align 4
; char ??_C[]
??_C@_0DK@OHIACILJ@DBGK?3?5DbgkpWerDeferredWriteRout@NNGAKEGL@ db 'DBGK: DbgkpWerDeferredWriteRoutine entered, context 0x%p',0Ah,0
					; DATA XREF: DbgkpWerDeferredWriteRoutine(x)+Co
; char ??_C[]
??_C@_0EI@HLLEJAAI@DBGK?3?5DbgkpWerDeferredWriteRout@NNGAKEGL@ db 'DBGK: DbgkpWerDeferredWriteRoutine: dump write failed with status'
					; DATA XREF: DbgkpWerDeferredWriteRoutine(x)+6Ao
		db ' 0x%X',0Ah,0
; 

; char ??_C
??_C@_0DF@HIJLMJII@DBGK?3?5DbgkpWerInvokeCallbacks?5e@NNGAKEGL@:
					; DATA XREF: DbgkpWerInvokeCallbacks(x)+8o
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		inc	esp
		bound	esp, [edi+6Bh]
		jo	short near ptr ??_C@_0CO@DAEDMEKC@DBGK?3?5Failed?5to?5reference?5timer@NNGAKEGL@+2Dh
		db	65h
		jb	short near ptr ??_C@_0CO@DAEDMEKC@DBGK?3?5Failed?5to?5reference?5timer@NNGAKEGL@+22h
		outsb
		jbe	short near ptr ??_C@_0CB@HEDBEK@DBGK?3?5Could?5not?5allocate?5timer?4@NNGAKEGL@+1Dh
		imul	esp, [ebp+43h],	61h
		insb
		insb
		bound	esp, [ecx+63h]
		imul	esi, [ebx+20h],	65h
		outsb
		jz	short near ptr ??_C@_1KM@IEMJAIOM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+1
		jb	short near ptr ??_C@_1KM@IEMJAIOM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+3
		db	64h
		sub	al, 20h
		arpl	[edi+6Eh], bp
		jz	short near ptr ??_C@_1KM@IEMJAIOM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+0Bh
		js	short near ptr ??_C@_1KM@IEMJAIOM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+1Ch
		and	[eax], dh
		js	short near ptr ??_C@_0CO@DAEDMEKC@DBGK?3?5Failed?5to?5reference?5timer@NNGAKEGL@+21h
		jo	short near ptr ??_C@_0CO@DAEDMEKC@DBGK?3?5Failed?5to?5reference?5timer@NNGAKEGL@+8
		add	ah, cl
; 
; char ??_C[]
??_C@_0CO@DAEDMEKC@DBGK?3?5Failed?5to?5reference?5timer@NNGAKEGL@ db 'DBGK: Failed to reference timer, status 0x%X',0Ah,0
					; CODE XREF: PAGE:008B7CF8j
					; DATA XREF: DbgkpWerInitializeDeferredLiveDump(x)+9Eo
; char ??_C[]
??_C@_0CB@HEDBEK@DBGK?3?5Could?5not?5allocate?5timer?4@NNGAKEGL@ db 'DBGK: Could not allocate timer.',0Ah,0
					; DATA XREF: DbgkpWerInitializeDeferredLiveDump(x)+CFo
		align 4
??_C@_1KM@IEMJAIOM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; CODE XREF: PAGE:008B7CE6j
					; PAGE:008B7CE8j ...
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\CrashC>
		unicode	0, <ontrol\FullLiveKernelReports>,0
??_C@_1CG@PNAEGJGD@?$AAF?$AAu?$AAl?$AAl?$AAL?$AAi?$AAv?$AAe?$AAR?$AAe?$AAp?$AAo?$AAr?$AAt?$AAs@NNGAKEGL@ dd offset loc_750044+2
					; DATA XREF: DbgkpWerIsFullLiveDumpDisabled()+2Bo
aLllivereportsm:
		unicode	0, <llLiveReportsMax>,0
; 

; char ??_C
??_C@_0CJ@NJPIGKGC@DBGK?3?5Invoking?5callback?5at?5addr@NNGAKEGL@:
					; DATA XREF: DbgkpWerInvokeCallbacks(x)+21o
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		dec	ecx
		outsb
		jbe	short loc_8B7E97
		imul	ebp, [ecx+6Eh],	67h
		and	[ebx+61h], ah
		insb
		insb
		bound	esp, [ecx+63h]
		imul	esp, [eax], 61h
		jz	short near ptr loc_8B7E58+1
		popa
		db	64h, 64h
		jb	short loc_8B7EA3
		jnb	short loc_8B7EB3
		and	[eax], dh
		js	short loc_8B7E69
		jo	short near ptr loc_8B7E4E+2
		add	ah, cl

; char ??_C
??_C@_0DF@LIFIPAMA@DBGK?3?5callback?5at?5address?50x?$CFp?5@NNGAKEGL@:
					; DATA XREF: DbgkpWerInvokeCallbacks(x)+57o
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]

loc_8B7E4E:				; CODE XREF: PAGE:008B7E44j
		arpl	[ecx+6Ch], sp
		insb
		bound	esp, [ecx+63h]
		imul	esp, [eax], 61h

loc_8B7E58:				; CODE XREF: PAGE:008B7E37j
		jz	short loc_8B7E7A
		popa
		db	64h, 64h
		jb	short near ptr loc_8B7EC2+2
		jnb	short loc_8B7ED4
		and	[eax], dh
		js	short near ptr loc_8B7E88+2
		jo	short near ptr loc_8B7E85+2
		jb	short loc_8B7ECE

loc_8B7E69:				; CODE XREF: PAGE:008B7E42j
		jz	short loc_8B7EE0
		jb	short near ptr loc_8B7ED4+7
		db	65h
		and	fs:[ebx+74h], dh
		popa
		jz	short loc_8B7EEA
		jnb	short loc_8B7E97
		xor	[eax+25h], bh

loc_8B7E7A:				; CODE XREF: PAGE:loc_8B7E58j
		pop	eax
		or	al, [eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0CB@IFOMHPGE@DBGK?3?5Required?5total?5aize?3?50x?$CFX@NNGAKEGL@:
					; DATA XREF: DbgkpWerUpdateTriageDumpHeader(x)+7Fo
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		push	edx

loc_8B7E85:				; CODE XREF: PAGE:008B7E65j
		db	65h
		jno	short loc_8B7EFD

loc_8B7E88:				; CODE XREF: PAGE:008B7E63j
		imul	esi, [edx+65h],	6F742064h
		jz	short loc_8B7EF2
		insb
		and	[ecx+69h], ah
		jp	short near ptr loc_8B7EFA+2

loc_8B7E97:				; CODE XREF: PAGE:008B7E26j
					; PAGE:008B7E75j
		cmp	ah, [eax]
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]
		int	3		; Trap to Debugger

??_C@_0EN@DDOOMDH@DBGK?3?5DbgkWerWriteTriageDump?3?5W@NNGAKEGL@:
					; DATA XREF: DbgkpWerWriteTriageDump(x)+2Co
		inc	esp
		inc	edx
		inc	edi

loc_8B7EA3:				; CODE XREF: PAGE:008B7E3Aj
		dec	ebx
		cmp	ah, [eax]
		inc	esp
		bound	esp, [edi+6Bh]
		push	edi
		db	65h
		jb	short loc_8B7F05
		jb	short near ptr loc_8B7F18+1
		jz	short loc_8B7F17
		push	esp

loc_8B7EB3:				; CODE XREF: PAGE:008B7E3Ej
		jb	short near ptr loc_8B7F1C+2
		popa
		db	67h, 65h
		inc	esp
		jnz	short near ptr loc_8B7F23+5
		jo	short near ptr loc_8B7EF5+2
		and	[edi+65h], dl
		jb	short loc_8B7F0E

loc_8B7EC2:				; CODE XREF: PAGE:008B7E5Bj
		imul	esi, [esi+65h],	6E72654Bh
		db	65h
		insb
		dec	edi
		jo	short loc_8B7F33

loc_8B7ECE:				; CODE XREF: PAGE:008B7E67j
		outsb
		inc	esp
		jnz	short near ptr loc_8B7F3E+1
		jo	short near ptr loc_8B7F18+2

loc_8B7ED4:				; CODE XREF: PAGE:008B7E5Fj
					; PAGE:008B7E6Bj
		imul	ebp, [ebp+20h],	6C696166h
		db	65h, 64h
		sub	al, 20h

loc_8B7EE0:				; CODE XREF: PAGE:loc_8B7E69j
		jnb	short near ptr loc_8B7F53+3
		popa
		jz	short near ptr loc_8B7F58+2
		jnb	short near ptr loc_8B7F06+1
		xor	[eax+25h], bh

loc_8B7EEA:				; CODE XREF: PAGE:008B7E73j
		pop	eax
		or	al, [eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0DO@FGHFHDJA@DBGK?3?5DbgkpWerProcessPolicyResu@NNGAKEGL@:
					; DATA XREF: DbgkpWerProcessPolicyResult(x,x,x,x)+39o
		inc	esp
		inc	edx
		inc	edi
		dec	ebx

loc_8B7EF2:				; CODE XREF: PAGE:008B7E8Fj
		cmp	ah, [eax]
		inc	esp

loc_8B7EF5:				; CODE XREF: PAGE:008B7EBBj
		bound	esp, [edi+6Bh]
		jo	short near ptr loc_8B7F50+1

loc_8B7EFA:				; CODE XREF: PAGE:008B7E95j
		db	65h
		jb	short near ptr loc_8B7F4C+1

loc_8B7EFD:				; CODE XREF: PAGE:loc_8B7E85j
		jb	short near ptr loc_8B7F6D+1
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_8B7F53+1
		outsd

loc_8B7F05:				; CODE XREF: PAGE:008B7EABj
		insb

loc_8B7F06:				; CODE XREF: PAGE:008B7EE5j
		imul	esp, [ebx+79h],	75736552h
		insb

loc_8B7F0E:				; CODE XREF: PAGE:008B7EC0j
		jz	short near ptr loc_8B7F49+1
		and	[ebp+6Eh], dl
		imul	ebp, [esi+6Fh],	77h

loc_8B7F17:				; CODE XREF: PAGE:008B7EB0j
		outsb

loc_8B7F18:				; CODE XREF: PAGE:008B7EAEj
					; PAGE:008B7ED2j
		and	[eax+6Fh], dh
		insb

loc_8B7F1C:				; CODE XREF: PAGE:loc_8B7EB3j
		imul	esp, [ebx+79h],	74706F20h

loc_8B7F23:				; CODE XREF: PAGE:008B7EB9j
		imul	ebp, [edi+6Eh],	0A642520h
		or	al, [eax]

; char ??_C
??_C@_0DJ@KKILGGNJ@DBGK?3?5Overflow?5calculating?5tota@NNGAKEGL@:
					; DATA XREF: DbgkpWerUpdateTriageDumpHeader(x)+3Do
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		dec	edi

loc_8B7F33:				; CODE XREF: PAGE:008B7ECCj
		jbe	short loc_8B7F9A
		jb	short near ptr loc_8B7F9C+1
		insb
		outsd
		ja	short loc_8B7F5B
		arpl	[ecx+6Ch], sp

loc_8B7F3E:				; CODE XREF: PAGE:008B7ED0j
		arpl	[ebp+6Ch], si
		popa
		jz	short loc_8B7FAD
		outsb
		and	[si+6Fh], dh

loc_8B7F49:				; CODE XREF: PAGE:loc_8B7F0Ej
		jz	short near ptr loc_8B7FAB+1
		insb

loc_8B7F4C:				; CODE XREF: PAGE:loc_8B7EFAj
		and	[edx+6Ch], ah
		outsd

loc_8B7F50:				; CODE XREF: PAGE:008B7EF8j
		arpl	[ebx+73h], bp

loc_8B7F53:				; CODE XREF: PAGE:008B7F02j
					; PAGE:loc_8B7EE0j
		and	cs:[edx+6Ch], al
		outsd

loc_8B7F58:				; CODE XREF: PAGE:008B7EE3j
		arpl	[ebx+20h], bp

loc_8B7F5B:				; CODE XREF: PAGE:008B7F39j
		arpl	[edi+75h], bp
		outsb
		jz	short near ptr loc_8B7F7A+7
		and	eax, 0CC000A69h

??_C@_0DB@KOIJBBFF@DBGK?3?5Triage?5dump?5write?5failed?5@NNGAKEGL@:
					; DATA XREF: DbgkpWerWriteTriageDump(x)+5Eo
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		push	esp

loc_8B7F6D:				; CODE XREF: PAGE:loc_8B7EFDj
		jb	short loc_8B7FD8
		popa
		and	gs:[si+75h], ah
		insd
		jo	short ??_C@_0DG@GBCANKPK@DBGK?3?5Writing?5secondary?5data?5fa@NNGAKEGL@
		ja	short loc_8B7FEC

loc_8B7F7A:				; CODE XREF: PAGE:008B7F5Fj
		imul	esi, [ebp+20h],	6C696166h
		db	65h
		and	fs:[edi+69h], dh
		jz	short loc_8B7FF1
		and	[ebx+74h], dl
		popa
		jz	short near ptr loc_8B8002+2
		jnb	short near ptr loc_8B7FAF+2
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0DG@GBCANKPK@DBGK?3?5Writing?5secondary?5data?5fa@NNGAKEGL@:
					; CODE XREF: PAGE:008B7F76j
					; DATA XREF: DbgkpWerWriteTriageDump(x)+76o
		inc	esp
		inc	edx

loc_8B7F9A:				; CODE XREF: PAGE:loc_8B7F33j
		inc	edi
		dec	ebx

loc_8B7F9C:				; CODE XREF: PAGE:008B7F35j
		cmp	ah, [eax]
		push	edi
		jb	short loc_8B800A
		jz	short loc_8B800C
		outsb
		and	[bp+di+65h], dh
		arpl	[edi+6Eh], bp

loc_8B7FAB:				; CODE XREF: PAGE:loc_8B7F49j
		db	64h
		popa

loc_8B7FAD:				; CODE XREF: PAGE:008B7F42j
		jb	short near ptr loc_8B8027+1

loc_8B7FAF:				; CODE XREF: PAGE:008B7F8Fj
		and	[ecx+74h], ah
		popa
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	74697720h
		push	61745320h
		jz	short near ptr loc_8B803A+1
		jnb	short near ptr loc_8B7FE3+5
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]

; char ??_C
??_C@_0EE@GNJPNGPG@DBGK?3?5DbgkWerCaptureLiveKernelD@NNGAKEGL@:
					; DATA XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+29o
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		inc	esp
		bound	esp, [edi+6Bh]

loc_8B7FD8:				; CODE XREF: PAGE:loc_8B7F6Dj
		push	edi
		db	65h
		jb	short near ptr loc_8B801D+2
		popa
		jo	short near ptr loc_8B8052+1
		jnz	short near ptr loc_8B8052+1
		db	65h
		dec	esp

loc_8B7FE3:				; CODE XREF: PAGE:008B7FC6j
		imul	esi, [esi+65h],	6E72654Bh
		db	65h
		insb

loc_8B7FEC:				; CODE XREF: PAGE:008B7F78j
		inc	esp
		jnz	short near ptr ??_C@_0DE@OKPJIPEF@DBGK?3?5DbgkWerAddSecondaryData?3?5@NNGAKEGL@+6
		jo	short near ptr loc_8B8027+4

loc_8B7FF1:				; CODE XREF: PAGE:008B7F87j
		and	[ebx+61h], ah
		insb
		insb
		db	65h
		and	fs:[ecx+74h], ah
		and	[ecx+52h], cl
		push	ecx
		dec	esp
		and	[esi], bh

loc_8B8002:				; CODE XREF: PAGE:008B7F8Dj
		and	[eax+41h], dl
		push	ebx
		push	ebx
		dec	ecx
		push	esi
		inc	ebp

loc_8B800A:				; CODE XREF: PAGE:008B7F9Fj
		pop	edi
		dec	esp

loc_8B800C:				; CODE XREF: PAGE:008B7FA1j
		inc	ebp
		push	esi
		inc	ebp
		dec	esp
		or	al, [eax]

; char ??_C
??_C@_0ED@CCPHDIIL@DBGK?3?5DbgkWerCaptureLiveKernelD@NNGAKEGL@:
					; DATA XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+4Co
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		inc	esp
		bound	esp, [edi+6Bh]
		push	edi

loc_8B801D:				; CODE XREF: PAGE:008B7FD9j
		db	65h
		jb	short near ptr ??_C@_0DE@OKPJIPEF@DBGK?3?5DbgkWerAddSecondaryData?3?5@NNGAKEGL@+0Dh
		popa
		jo	short near ptr ??_C@_0GG@IEDCCMKH@DBGK?3?5DbgkWerAddSecondaryData?3?5@NNGAKEGL@+0Dh
		jnz	short near ptr ??_C@_0GG@IEDCCMKH@DBGK?3?5DbgkWerAddSecondaryData?3?5@NNGAKEGL@+0Dh
		db	65h
		dec	esp

loc_8B8027:				; CODE XREF: PAGE:loc_8B7FADj
					; PAGE:008B7FEFj
		imul	esi, [esi+65h],	6E72654Bh
		db	65h
		insb
		inc	esp
		jnz	short near ptr ??_C@_0GG@IEDCCMKH@DBGK?3?5DbgkWerAddSecondaryData?3?5@NNGAKEGL@+16h
		jo	short near ptr ??_C@_0DE@OKPJIPEF@DBGK?3?5DbgkWerAddSecondaryData?3?5@NNGAKEGL@+19h
		and	[ebx+61h], ah
		insb
		insb

loc_8B803A:				; CODE XREF: PAGE:008B7FC4j
		db	65h
		and	fs:[edx+65h], ah
		outsw
		jb	short near ptr ??_C@_0GG@IEDCCMKH@DBGK?3?5DbgkWerAddSecondaryData?3?5@NNGAKEGL@+1Eh
		and	[ecx+6Eh], ch
		imul	esi, [ecx+ebp*2+61h], 617A696Ch
		jz	short near ptr ??_C@_0GG@IEDCCMKH@DBGK?3?5DbgkWerAddSecondaryData?3?5@NNGAKEGL@+2Fh
		outsd
		outsb

loc_8B8052:				; CODE XREF: PAGE:008B7FDDj
					; PAGE:008B7FDFj
		or	al, cs:[eax]
		int	3		; Trap to Debugger
; 
; char ??_C[]
??_C@_0DE@OKPJIPEF@DBGK?3?5DbgkWerAddSecondaryData?3?5@NNGAKEGL@ db 'DBGK: DbgkWerAddSecondaryData: Invalid parameter.',0Ah
					; CODE XREF: PAGE:008B7FEDj
					; PAGE:loc_8B801Dj
					; DATA XREF: ...
		db 0Ah,0
; char ??_C[]
??_C@_0GG@IEDCCMKH@DBGK?3?5DbgkWerAddSecondaryData?3?5@NNGAKEGL@ db 'DBGK: DbgkWerAddSecondaryData: Secondary data exceeds buffer. Siz'
					; CODE XREF: PAGE:008B8021j
					; PAGE:008B8023j
					; DATA XREF: ...
		db 'e 0x%x Maxsize 0x%x Datasize 0x%x.',0Ah
		db 0Ah,0
; char ??_C[]
??_C@_0DN@OGIPNPDE@DBGK?3?5Full?5Live?5Kernel?5Dumps?5ar@NNGAKEGL@ db 'DBGK: Full Live Kernel Dumps are disabled. Failing request.',0Ah,0
					; DATA XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+6Fo
		align 2

; char ??_C
??_C@_0FF@CDLFGOPC@DBGK?3?5DbgkWerCaptureLiveKernelD@NNGAKEGL@:
					; DATA XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+160o
		inc	esp
		inc	edx
		inc	edi
		dec	ebx
		cmp	ah, [eax]
		inc	esp
		bound	esp, [edi+6Bh]
		push	edi
		db	65h
		jb	short near ptr loc_8B817E+1
		popa
		jo	short near ptr ??_C@_1HM@IHPPCBKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+7
		jnz	short near ptr ??_C@_1HM@IHPPCBKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+7
		db	65h
		dec	esp
		imul	esi, [esi+65h],	6E72654Bh
		db	65h
		insb
		inc	esp
		jnz	short near ptr ??_C@_1HM@IHPPCBKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+10h
		jo	short near ptr ??_C@_02KAJCEFMN@?$DN?$CB@NNGAKEGL@+1
		and	[edi+65h], dl
		jb	short ??_C@_01NBENCBCI@?$CK@NNGAKEGL@
		imul	esi, [esi+65h],	6E72654Bh
		db	65h
		insb
		inc	ebx
		jb	short near ptr ??_C@_1HM@IHPPCBKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+1Bh
		popa
		jz	short near ptr ??_C@_1HM@IHPPCBKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+1Eh
		push	edx
		db	65h
		jo	short near ptr ??_C@_1HM@IHPPCBKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+2Ch
		jb	short near ptr ??_C@_1HM@IHPPCBKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+33h
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	7473202Ch
		popa
		jz	short near ptr ??_C@_1HM@IHPPCBKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+42h
		jnb	short loc_8B819B
		xor	[eax+25h], bh

loc_8B817E:				; CODE XREF: PAGE:008B8139j
		js	short near ptr ??_C@_1HM@IHPPCBKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+2
		or	cl, [edx]
		add	ah, cl

??_C@_01NEMOKFLO@?$DN@NNGAKEGL@:	; DATA XREF: EmpCheckOperator+14o
					; EmpCheckOperator+8Fo
		cmp	eax, 3E3C00h
		int	3		; Trap to Debugger

??_C@_02KAJCEFMN@?$DN?$CB@NNGAKEGL@:	; CODE XREF: PAGE:008B814Fj
					; DATA XREF: EmpCheckOperator+B6o ...
		cmp	eax, 3DCC0021h

loc_8B818F:				; DATA XREF: EmpCheckOperator+68o
		cmp	eax, 3D21CC00h
		add	ah, cl

??_C@_02FPPOCJNB@?$DN?$DM@NNGAKEGL@:	; DATA XREF: EmpCheckOperator+12Bo
					; EmpCheckOperator+152o
		cmp	eax, 3ECC003Ch

loc_8B819B:				; CODE XREF: PAGE:008B8179j
					; DATA XREF: EmpCheckOperator+DDo
		add	[eax+eax], bh

??_C@_02EHCHHCKH@?$DM?$DN@NNGAKEGL@:	; DATA XREF: EmpCheckOperator+104o
		cmp	al, 3Dh
		add	ah, cl

??_C@_01NBENCBCI@?$CK@NNGAKEGL@:	; CODE XREF: PAGE:008B8154j
					; DATA XREF: EmpCheckOperator+1C4o
		sub	al, [eax]

??_C@_02EEKDKGMJ@?$DO?$DN@NNGAKEGL@:	; DATA XREF: EmpCheckOperator+179o
					; EmpCheckOperator+1A7o
		db	3Eh
		cmp	eax, 3E3DCC00h
		add	ah, cl
; 
??_C@_1HM@IHPPCBKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; CODE XREF: PAGE:loc_8B817Ej
					; PAGE:008B813Dj ...
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\FileSy>
		unicode	0, <stem>,0
; wchar_t ??_C
??_C@_1BI@GOOABFBJ@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAM?$AAu?$AAp@NNGAKEGL@:
					; DATA XREF: FsRtlpOpenDev(x,x)+Fo
					; IopReplaceSymlinkPath(x,x,x,x,x,x,x)+19Bo
		unicode	0, <\Device\Mup>,0

;  S U B	R O U T	I N E 


??_C@_1CA@DPHKDJLG@?$AAS?$AAy?$AAn?$AAc?$AAh?$AAr?$AAo?$AAn?$AAi?$AAz?$AAa?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@ proc near
					; DATA XREF: ExpPcwHostCallback+4Ao
		push	ebx
		add	[ecx+0], bh
		outsb
??_C@_1CA@DPHKDJLG@?$AAS?$AAy?$AAn?$AAc?$AAh?$AAr?$AAo?$AAn?$AAi?$AAz?$AAa?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@ endp

		add	[ebx+0], ah
		push	6F007200h
		add	[esi+0], ch
		imul	eax, [eax], 61007Ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
??_C@_1DE@GILKAFIA@?$AAE?$AAv?$AAe?$AAn?$AAt?$AA?5?$AAT?$AAr?$AAa?$AAc?$AAi?$AAn?$AAg?$AA?5?$AAf@NNGAKEGL@ dd offset loc_760043+2
					; DATA XREF: EtwRegisterCounters()+2Bo
aEntTracingForW:
		unicode	0, <ent	Tracing	for Windows>,0
??_C@_1CM@PNMDNLFC@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AA?5?$AAI?$AAn?$AAf?$AAo?$AAr@NNGAKEGL@:
					; DATA XREF: ExpPcwHostCallback+ECo
		unicode	0, <Processor Information>,0
??_C@_1DC@JFFDHOK@?$AAF?$AAi?$AAl?$AAe?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?5?$AAD?$AAi?$AAs?$AAk@NNGAKEGL@:
					; DATA XREF: ExpPcwHostCallback+144o
		unicode	0, <FileSystem Disk Activity>,0
??_C@_1DC@HHPGCLBM@?$AAT?$AAh?$AAe?$AAr?$AAm?$AAa?$AAl?$AA?5?$AAZ?$AAo?$AAn?$AAe?$AA?5?$AAI?$AAn@NNGAKEGL@ db 'T',0
					; DATA XREF: ExpPcwHostCallback+190o
aHermalZoneInfo:
		unicode	0, <hermal Zone	Information>,0
??_C@_1EE@NGOEOFND@?$AAE?$AAv?$AAe?$AAn?$AAt?$AA?5?$AAT?$AAr?$AAa?$AAc?$AAi?$AAn?$AAg?$AA?5?$AAf@NNGAKEGL@ dd offset loc_760043+2
					; DATA XREF: EtwRegisterCounters()+73o
aEntTracingFo_0:
		unicode	0, <ent	Tracing	for Windows Session>,0

;  S U B	R O U T	I N E 


??_C@_1CI@PHJJBKFE@?$AAS?$AAy?$AAn?$AAc?$AAh?$AAr?$AAo?$AAn?$AAi?$AAz?$AAa?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@ proc near
					; DATA XREF: ExpPcwHostCallback+A4o
		push	ebx
		add	[ecx+0], bh
		outsb
??_C@_1CI@PHJJBKFE@?$AAS?$AAy?$AAn?$AAc?$AAh?$AAr?$AAo?$AAn?$AAi?$AAz?$AAa?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@ endp

		add	[ebx+0], ah
		push	6F007200h
		add	[esi+0], ch
		imul	eax, [eax], 61007Ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		dec	esi
		add	[ebp+0], dh
		insd
		add	[ecx+0], ah
; 
		dw 0
??_C@_1BA@HANLFFFG@?$AAd?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt@NNGAKEGL@:
					; DATA XREF: FsRtlAddDiskIOCounterInstance(x,x):loc_959138o
					; FsRtlDiskIOCounterSetCallback(x,x,x):loc_9591A5o
		unicode	0, <default>,0
??_C@_1CG@LDMOIOKE@?$AAM?$AAe?$AAa?$AAs?$AAu?$AAr?$AAe?$AAd?$AAO?$AAp?$AAe?$AAr?$AAa?$AAt?$AAi@NNGAKEGL@:
					; DATA XREF: FsRtlHeatInit(x,x,x)+BFo
		unicode	0, <MeasuredOperations>,0
; 

??_C@_1IC@FDJAEMPF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: FsRtlHeatInit(x,x,x)+6Do
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+eax+69h], dl
		add	[ebp+0], ah
		jb	short $+2
		add	gs:[eax+eax+53h], ah
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
		popa
		add	[edi+0], ah
		add	gs:[eax], al
; 
		db 0
??_C@_1BA@NPJPKIM@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAd@NNGAKEGL@:
					; DATA XREF: EtwpEnableAutoLoggerProvider+20Eo
					; EtwpGetAutoLoggerProviderFilter+461o	...
		unicode	0, <Enabled>,0
; 

; char ??_C
??_C@_0O@LFBEJCLG@HYPERVISORDBG@NNGAKEGL@: ; DATA XREF:	HvlPhase0Initialize+9F57Bo
		dec	eax
		pop	ecx
		push	eax
		inc	ebp
		push	edx
		push	esi
		dec	ecx
		push	ebx
		dec	edi
		push	edx
		inc	esp
		inc	edx
		inc	edi
; 
		db 0
; 

; char ??_C
??_C@_0M@HCOOGNOF@?2ArcName?2?$CFs@NNGAKEGL@: ;	DATA XREF: IopCreateArcName+2A3o
		pop	esp
		inc	ecx
		jb	short near ptr loc_8B84CA+3
		dec	esi
		popa
		insd
		db	65h
		pop	esp

loc_8B846F:				; DATA XREF: IopCreateArcName+31Eo
		and	eax, (offset loc_5C0070+3)
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		pop	esp
		add	[eax+0], cl
		popa
		add	[edx+0], dh
		add	fs:[eax+eax+69h], ah
		add	[ebx+0], dh
		imul	eax, [eax], 25h
		add	[eax+eax+5Ch], ah
		add	[eax+0], dl
		popa
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
		and	eax, 6400h
		add	[eax+eax+44h], bl ; DATA XREF: IopCreateArcName:loc_9078CAo
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		pop	esp
		add	[ebx+0], al
		add	fs:[edx+0], dl
		outsd
		add	[ebp+0], ch

loc_8B84CA:				; CODE XREF: PAGE:008B8468j
		and	eax, 6400h
; 
		db 0
; wchar_t ??_C
??_C@_1DM@FMJIKGBL@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@NNGAKEGL@:
					; DATA XREF: IopCreateArcName+27Do
		unicode	0, <\Device\Harddisk%d\Partition0>,0
; char ??_C[]
??_C@_0BJ@FAOIOBDH@?2ArcName?2?$CFspartition?$CI?$CFd?$CJ@NNGAKEGL@ db '\ArcName\%spartition(%d)',0
					; DATA XREF: IopCreateArcName+34Co
		align 2

; wchar_t ??_C
??_C@_1BM@LOIAIOCF@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AA?$CF?$AA0?$AA8?$AAl?$AAx@NNGAKEGL@:
					; DATA XREF: IoCreateDevice+396o
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	ds:38003000h, ah
		add	[eax+eax+78h], ch
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BK@LABJKOM@?$AA?2?$AAD?$AAo?$AAs?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs?$AA?2@NNGAKEGL@:
					; DATA XREF: EtwpCreateNtFileName:loc_7BC258o
		pop	esp
		add	[eax+eax+6Fh], al
		add	[ebx+0], dh
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		pop	esp
; 
		db 3 dup(0)
??_C@_1BE@GBAFMKEO@?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@:
					; DATA XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+35Bo
		unicode	0, <\Sessions>,0
; 

; wchar_t ??_C
??_C@_1BK@DCDPNLIM@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AA?$CF?$AA0?$AA8?$AAu@NNGAKEGL@:
					; DATA XREF: IoCreateDriver+9DE9Bo
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		pop	esp
		add	ds:38003000h, ah
		add	[ebp+0], dh
; 
		db 2 dup(0)
; 

??_C@_1DC@GKOJGBFO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@:
					; DATA XREF: IoSetSystemPartition(x)+22o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
; 
		dw 0
??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@NNGAKEGL@	dd offset loc_790051+3
					; DATA XREF: IopGetDriverNameFromKeyNode+3Ao
					; BiGetObjectDescription(x,x)+39o ...
aPe:
		unicode	0, <pe>,0
; 

??_C@_1BC@PAOLLJBM@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2@NNGAKEGL@:
					; DATA XREF: IopGetDriverNameFromKeyNode+64o
					; PipCallDriverAddDeviceQueryRoutine+2Fo
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		pop	esp
; 
		db 3 dup(0)
; 

??_C@_1CM@JPFBADDC@?$AA?2?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?2?$AAT?$AAR?$AAK?$AAW?$AAK@NNGAKEGL@:
					; DATA XREF: IopConnectLinkTrackingPort(x)+4Co
		pop	esp
		add	[ebx+0], dl
		add	gs:[ebx+0], ah
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
		pop	esp
		add	[eax+eax+52h], dl
		add	[ebx+0], cl
		push	edi
		add	[ebx+0], cl
		push	ebx
		add	[edi+0], bl
		push	eax
		add	[edi+0], cl
		push	edx
		add	[eax+eax+0], dl
; 
		db 0
??_C@_1BG@OBMODCLN@?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: IopGetDriverNameFromKeyNode+1Do
		unicode	0, <ObjectName>,0
??_C@_1BK@DHFJHPDK@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2@NNGAKEGL@ db '\',0
					; DATA XREF: PiLookupInDDBCache+149o
					; IopQueryRegistryKeySystemPath+21o ...
		dd offset loc_790051+2
		dd offset loc_740072+1
aEmroot:
		unicode	0, <emRoot\>,0
??_C@_1BO@DFBFEJHF@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAo?$AAr?$AAe?$AAs?$AA?2@NNGAKEGL@:
					; DATA XREF: IopQueryRegistryKeySystemPath+68o
		unicode	0, <\DriverStores\>,0
??_C@_1BK@GABKLNKA@?$AA?2?$AAF?$AAi?$AAl?$AAe?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2@NNGAKEGL@ db '\',0
					; DATA XREF: IopGetDriverNameFromKeyNode:loc_84D17Ao
aFilesystem:
		unicode	0, <FileSystem\>,0
; 

??_C@_1O@GINMMDNN@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm@NNGAKEGL@:
					; DATA XREF: IopQueryRegistryKeySystemPath+14o
					; BiMarkTreatAsSystemStore+2Ao	...
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
		db 2 dup(0)
; 

; void ??_C
??_C@_19GEHBKJLM@?$AA?4?$AAS?$AAY?$AAS@NNGAKEGL@: ; DATA XREF: PiLookupInDDBCache+31Ao
					; IopLoadDriver+14Co
		add	cs:[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
; 
		dw 0
; 

??_C@_1M@LHGLMLD@?$AAG?$AAr?$AAo?$AAu?$AAp@NNGAKEGL@: ;	DATA XREF: IopLoadDriver:loc_8FCDB3o
		inc	edi
		add	[edx+0], dh
		outsd
		add	[ebp+0], dh
		jo	short $+2
; 
		dw 0
; 

??_C@_1CE@GJFMKGAN@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA3?$AA2?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PiLookupInDDBCache+313o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		jnb	short $+2
		pop	esp
; 
		db 3 dup(0)
??_C@_1BE@CMLCLKJK@?$AAI?$AAm?$AAa?$AAg?$AAe?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@:
					; DATA XREF: PiLookupInDDBCache+1A5o
					; PiDevCfgMakeServiceBootStart(x)+B2o ...
		unicode	0, <ImagePath>,0
??_C@_1BI@FFNFOEKI@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AA?2@NNGAKEGL@:
					; DATA XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+2Do
		unicode	0, <\??\Global\>,0
??_C@_1CE@HKBNEBBK@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AA?2?$AAV?$AAo?$AAl?$AAu@NNGAKEGL@:
					; DATA XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+42o
		unicode	0, <\??\Global\Volume>,0
; 

??_C@_0CG@KIBIFHIL@SAFEBOOT?3?5skipping?5device?5?$DN?5?$CFwZ@NNGAKEGL@:
					; DATA XREF: IopLoadDriver+B06B0o
		push	ebx
		inc	ecx
		inc	esi
		inc	ebp
		inc	edx
		dec	edi
		dec	edi
		push	esp
		cmp	ah, [eax]
		jnb	short near ptr loc_8B8779+2
		imul	esi, [eax+70h],	20676E69h
		db	64h, 65h
		jbe	short loc_8B8784
		arpl	[ebp+20h], sp
		cmp	eax, 5A772520h
		sub	ds:0A295A77h, ah
		add	[ebp+0], al	; DATA XREF: IopLoadDriver+B0795o
		jb	short $+2
		jb	short $+2
		outsd
		add	[edx+0], dh
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
; 
		db 3 dup(0)
??_C@_1BA@EBPJHHKE@?$AAN?$AAE?$AAT?$AAW?$AAO?$AAR?$AAK@NNGAKEGL@:
					; DATA XREF: IopSafebootDriverLoad(x,x):loc_95D47Eo
		unicode	0, <NETWORK>,0

;  S U B	R O U T	I N E 


??_C@_1CA@LCCLCIKI@?$AAS?$AAa?$AAf?$AAe?$AAB?$AAo?$AAo?$AAt?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs@NNGAKEGL@ proc near
					; DATA XREF: IopSafebootDriverLoad(x,x)+10Eo
		push	ebx
		add	[ecx+0], ah
		db	66h
		add	[ebp+0], ah
		inc	edx
		add	[edi+0], ch
		outsd
??_C@_1CA@LCCLCIKI@?$AAS?$AAa?$AAf?$AAe?$AAB?$AAo?$AAo?$AAt?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs@NNGAKEGL@ endp

		add	[eax+eax+44h], dh
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BG@KPDPFBJH@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAV?$AAo?$AAl?$AAu?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+79o
					; ExpTranslateEfiPath(x,x,x,x):loc_A0A1D9o
		pop	esp
		add	[edi], bh
		add	[edi], bh

loc_8B8779:				; CODE XREF: PAGE:008B870Ej
		add	[eax+eax+56h], bl
		add	[edi+0], ch
		insb
		add	[ebp+0], dh

loc_8B8784:				; CODE XREF: PAGE:008B8717j
		insd
		add	[ebp+0], ah
; 
		db 2 dup(0)
; 

??_C@_1BA@MHDMKJEM@?$AAM?$AAI?$AAN?$AAI?$AAM?$AAA?$AAL@NNGAKEGL@:
					; DATA XREF: IopSafebootDriverLoad(x,x):loc_95D485o
		dec	ebp
		add	[ecx+0], cl
		dec	esi
		add	[ecx+0], cl
		dec	ebp
		add	[ecx+0], al
		dec	esp
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_15KNBIKKIN@?$AA?$CF?$AAd@NNGAKEGL@: ; DATA XREF: WmipInsertStaticNames+D9o
					; EtwpGenerateFileName+40o ...
		and	eax, 6400h
; 
		db 0
??_C@_11LOCGONAA@@NNGAKEGL@ db 2 dup(0)	; DATA XREF: .text:00404CB8o
					; PiDmEnumObjectsWithCallback(x,x,x)+6Co ...
; 

; wchar_t ??_C
??_C@_13HOIJIPNN@?$AA?5@NNGAKEGL@:	; DATA XREF: IopBootLog+AF27Ao
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+3B8o ...
		and	[eax], al
; 
		db 2 dup(0)
; 

??_C@_15JNBOKNOG@?$AA?$AN?$AA?6@NNGAKEGL@: ; DATA XREF:	IopBootLog+AF2ABo
					; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x):loc_A28547o ...
		or	eax, 0A00h
		add	ds:25206432h, ah ; DATA	XREF: IopCopyBootLogRegistryToFile+A1C55o
		xor	ah, [eax+25h]
		xor	al, 64h
		and	ds:3A643230h, ah
		and	eax, 3A643230h
		and	eax, 2E643230h
		and	eax, 0D643330h
		or	al, [eax]

??_C@_1DA@MICMNBLJ@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAn?$AAt?$AAb@NNGAKEGL@:
					; DATA XREF: IopBootLogToFile(x)+57o
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[esi+0], ch
		jz	short $+2
		bound	eax, [eax]
		jz	short $+2
		insb
		add	[edi+0], ch
		add	ds:7400h, ch
		add	[eax+0], bh
		jz	short $+2
; 
		db 2 dup(0)
??_C@_0BB@EBGFFGKP@IoTriageDumpData@NNGAKEGL@ db 'IoTriageDumpData',0
					; DATA XREF: IopInitializeTriageDumpData:loc_8AEBABo
		align 10h

??_C@_19DDLLJDOO@?$AAF?$AAi?$AAl?$AAe@NNGAKEGL@:
					; DATA XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+A8o
					; SeAuditingFileOrGlobalEvents(x,x,x)+13o
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
; 
		db 2 dup(0)
; 

??_C@_1HC@DKINPPAJ@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PipCreateDependencyNode+D7o
					; IopCreateSecureDeviceClassSettings+45o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], al
		insb
		add	[ecx+0], ah
		jnb	short $+2
		jnb	short $+2
; 
		dw 0

;  S U B	R O U T	I N E 


??_C@_1CE@CBJLLHKI@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAe?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAl?$AAa@NNGAKEGL@ proc near
					; DATA XREF: IopGetPersistedStateLocation+3Ao
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
??_C@_1CE@CBJLLHKI@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAe?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAl?$AAa@NNGAKEGL@ endp

		jnz	short $+2
		jb	short $+2
		add	gs:[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
; 
		dw 0
??_C@_1BG@KCOOGCNN@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAT?$AAy?$AAp?$AAe@NNGAKEGL@:
					; DATA XREF: IopQuerySecureDeviceClassState+B8o
		unicode	0, <DeviceType>,0
??_C@_1CM@DIJFBEC@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAh?$AAa?$AAr?$AAa?$AAc?$AAt?$AAe?$AAr@NNGAKEGL@	db 'D',0
					; DATA XREF: IopQuerySecureDeviceClassState+E5o
		dd offset loc_760065
aIcecharacteris:
		unicode	0, <iceCharacteristics>,0
; 

??_C@_1CM@HAEMEGGB@?$AAD?$AA?3?$AAP?$AAA?$AAI?$AA?$CI?$AAA?$AA?$DL?$AAO?$AAI?$AAC?$AAI?$AA?$DL?$AAG?$AAA@NNGAKEGL@:
					; DATA XREF: PipCreateDependencyNode+183o
		inc	esp
		add	[edx], bh
		add	[eax+0], dl
		inc	ecx
		add	[ecx+0], cl
		sub	[eax], al
		inc	ecx
		add	[ebx], bh
		add	[edi+0], cl
		dec	ecx
		add	[ebx+0], al
		dec	ecx
		add	[ebx], bh
		add	[edi+0], al
		inc	ecx
		add	[ebx], bh
		add	[ebx], bh
		add	[ebx], bh
		add	[ebx+0], dl
		pop	ecx
		add	[ecx], ch
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1BG@COALCEMK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAi?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: _PnpOpenPropertiesKey+92o
					; _PnpOpenPropertiesKey+13Ao ...
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+0], dh
		add	gs:[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 730065h
; 
		dw 0
; 

??_C@_1M@OAHBGIFG@?$AAC?$AAl?$AAa?$AAs?$AAs@NNGAKEGL@:
					; DATA XREF: IopCreateSecureDeviceClassSettings:loc_8E4290o
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BO@DAOBINHA@?$AAN?$AAo?$AAD?$AAi?$AAs?$AAp?$AAl?$AAa?$AAy?$AAC?$AAl?$AAa?$AAs?$AAs@NNGAKEGL@:
					; DATA XREF: IopCreateSecureDeviceClassSettings+6B9C8o
		dec	esi
		add	[edi+0], ch
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		jo	short $+2
		insb
		add	[ecx+0], ah
		jns	short $+2
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
; 
		db 2 dup(0)
??_C@_1BE@DJHAJDEM@?$AAE?$AAx?$AAc?$AAl?$AAu?$AAs?$AAi?$AAv?$AAe@NNGAKEGL@ dd offset loc_780040+5
					; DATA XREF: IopQuerySecureDeviceClassState+112o
		dw 63h
		dd offset loc_75006C
aSive:
		unicode	0, <sive>,0
; 

??_C@_13JGCMLPCH@?$AA1@NNGAKEGL@:	; DATA XREF: IopCreateSecureDeviceClassSettings+6B9D8o
					; _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+182o
		xor	[eax], eax
; 
		db 2 dup(0)
; 

??_C@_1BG@OPOOGLJC@?$AAN?$AAo?$AAU?$AAs?$AAe?$AAC?$AAl?$AAa?$AAs?$AAs@NNGAKEGL@:
					; DATA XREF: IopCreateSecureDeviceClassSettings+6B9F8o
		dec	esi
		add	[edi+0], ch
		push	ebp
		add	[ebx+0], dh
		add	gs:[ebx+0], al
		insb
		add	[ecx+0], ah
		jnb	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_1DM@BLAIFNDD@?$AAS?$AAy?$AAm?$AAl?$AAi?$AAn?$AAk?$AAL?$AAo?$AAc?$AAa?$AAl?$AAT?$AAo?$AAL@NNGAKEGL@:
					; DATA XREF: IopSymlinkQueryEnabledClasses(x)+4Bo
		push	ebx
		add	[ecx+0], bh
		insd
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		imul	eax, [eax], 4Ch
		add	[edi+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+54h], ch
		add	[edi+0], ch
		dec	esp
		add	[edi+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+45h], ch
		add	[esi+0], dh
		popa
		add	[eax+eax+75h], ch
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0

;  S U B	R O U T	I N E 


??_C@_1DO@LNGINOPB@?$AAS?$AAy?$AAm?$AAl?$AAi?$AAn?$AAk?$AAL?$AAo?$AAc?$AAa?$AAl?$AAT?$AAo?$AAR@NNGAKEGL@ proc near
					; DATA XREF: IopSymlinkQueryEnabledClasses(x)+59o
		push	ebx
		add	[ecx+0], bh
		insd
??_C@_1DO@LNGINOPB@?$AAS?$AAy?$AAm?$AAl?$AAi?$AAn?$AAk?$AAL?$AAo?$AAc?$AAa?$AAl?$AAT?$AAo?$AAR@NNGAKEGL@ endp

		add	[eax+eax+69h], ch
		add	[esi+0], ch
		imul	eax, [eax], 4Ch
		add	[edi+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+54h], ch
		add	[edi+0], ch
		push	edx
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jz	short $+2
		add	gs:[ebp+0], al
		jbe	short $+2
		popa
		add	[eax+eax+75h], ch
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		db 2 dup(0)
; 

??_C@_1IO@NFJIEDOB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: IopSymlinkRegistryCallback(x)o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		outsd
		add	[esi+0], ah
		jz	short $+2
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+50h], bl
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 730065h
		pop	esp
		add	[ebp+0], cl
		imul	eax, [eax], 720063h
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		pop	esp
		add	[esi+0], al
		imul	eax, [eax], 65006Ch
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		jnb	short $+2
		pop	esp
		add	[esi+0], cl
		push	esp
		add	[esi+0], al
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_1BA@EGBLHBDC@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAC?$AA?3?$AA?$AA@NNGAKEGL@:
					; DATA XREF: IoIsValidNameGraftingBuffer(x,x)+F3o
		pop	esp
		add	[edi], bh
		add	[edi], bh
		add	[eax+eax+43h], bl
		add	[edx], bh
; 
		db 0
		dd 0
; 

??_C@_1EA@IEPMNFHB@?$AAS?$AAy?$AAm?$AAl?$AAi?$AAn?$AAk?$AAR?$AAe?$AAm?$AAo?$AAt?$AAe?$AAT?$AAo@NNGAKEGL@:
					; DATA XREF: IopSymlinkQueryEnabledClasses(x)+6Eo
		push	ebx
		add	[ecx+0], bh
		insd
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		imul	eax, [eax], 52h
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jz	short $+2
		add	gs:[eax+eax+6Fh], dl
		add	[edx+0], dl
		add	gs:[ebp+0], ch
		outsd
		add	[eax+eax+65h], dh
		add	[ebp+0], al
		jbe	short $+2
		popa
		add	[eax+eax+75h], ch
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
; 

??_C@_1DO@HBJDDGDI@?$AAS?$AAy?$AAm?$AAl?$AAi?$AAn?$AAk?$AAR?$AAe?$AAm?$AAo?$AAt?$AAe?$AAT?$AAo@NNGAKEGL@:
					; DATA XREF: IopSymlinkQueryEnabledClasses(x)+83o
		push	ebx
		add	[ecx+0], bh
		insd
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		imul	eax, [eax], 52h
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jz	short $+2
		add	gs:[eax+eax+6Fh], dl
		add	[eax+eax+6Fh], cl
		add	[ebx+0], ah
		popa
		add	[eax+eax+45h], ch
		add	[esi+0], dh
		popa
		add	[eax+eax+75h], ch
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		db 2 dup(0)
; 

??_C@_1DE@MJJBHHAG@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAM?$AAo?$AAu?$AAn?$AAt?$AAP?$AAo@NNGAKEGL@:
					; DATA XREF: IoVolumeDeviceNameToGuidPath+CEo
					; IoVolumeDeviceToDosName+C5o
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	[ebp+0], cl
		outsd
		add	[ebp+0], dh
		outsb
		add	[eax+eax+50h], dh
		add	[edi+0], ch
		imul	eax, [eax], 74006Eh
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1EG@JCCHLBNP@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@:
					; DATA XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+18Do
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		pop	esp
		add	[eax+0], cl
		imul	eax, [eax], 680067h
		inc	ebx
		add	[edi+0], ch
		insd
		add	[ebp+0], ch
		imul	eax, [eax], 430074h
		outsd
		add	[esi+0], ch
		add	fs:[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
; 

??_C@_1EE@GONCMNFF@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@:
					; DATA XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+16Do
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		pop	esp
		add	[eax+eax+6Fh], cl
		add	[edi+0], dh
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jb	short $+2
		jns	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+69h], ah
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 3 dup(0)
; 

??_C@_1FA@LHALGJAB@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@:
					; DATA XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+149o
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		pop	esp
		add	[eax+eax+6Fh], cl
		add	[edi+0], dh
		dec	esi
		add	[edi+0], ch
		outsb
		add	[eax+0], dl
		popa
		add	[edi+0], ah
		add	gs:[eax+eax+50h], ah
		add	[edi+0], ch
		outsd
		add	[eax+eax+43h], ch
		add	[edi+0], ch
		outsb
		add	[eax+eax+69h], ah
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 3 dup(0)
??_C@_1DE@IDANIFDM@?$AAM?$AAi?$AAr?$AAr?$AAo?$AAr?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAP?$AAa?$AAr@NNGAKEGL@:
					; DATA XREF: IopLiveDumpInitRegistrySettings(x)+ADo
		unicode	0, <MirrorSystemPartitionOnly>,0
??_C@_1CO@DFPMJEGC@?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo@NNGAKEGL@ dd offset loc_750042
					; DATA XREF: IopLiveDumpInitRegistrySettings(x)+64o
aFferallocation:
		unicode	0, <fferAllocationScheme>,0
; 

??_C@_1HI@GBCIFIH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: IopLiveDumpInitRegistrySettings(x)+2Co
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+eax+69h], cl
		add	[esi+0], dh
		add	gs:[eax+eax+75h], al
		add	[ebp+0], ch
		jo	short $+2
; 
		db 2 dup(0)
; 

??_C@_1EK@GMOJIIIJ@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@:
					; DATA XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+57o
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		pop	esp
		add	[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		push	eax
		add	[ecx+0], ah
		jb	short $+2
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
		dec	eax
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[edx+0], dh
		push	esi
; 
		db 3 dup(0)
??_C@_1BK@PDBCOOKL@?$AAD?$AAu?$AAm?$AAp?$AAF?$AAi?$AAl?$AAe?$AAS?$AAi?$AAz?$AAe@NNGAKEGL@ dd offset loc_750044
					; DATA XREF: IopLiveDumpInitRegistrySettings(x)+182o
aMpfilesize:
		unicode	0, <mpFileSize>,0
; 

??_C@_1DA@KAEFOLN@?$AAS?$AAk?$AAi?$AAp?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAi?$AAn?$AAg?$AAI?$AAn@NNGAKEGL@:
					; DATA XREF: IopLiveDumpInitRegistrySettings(x)+139o
		push	ebx
		add	[ebx+0], ch
		imul	eax, [eax], 440070h
		imul	eax, [eax], 610073h
		bound	eax, [eax]
		insb
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		jb	short $+2
		jnz	short $+2
		jo	short $+2
		jz	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CM@PEONNGOP@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAI?$AAn?$AAs?$AAt?$AAr?$AAu?$AAm?$AAe?$AAn@NNGAKEGL@:
					; DATA XREF: IopLiveDumpInitRegistrySettings(x)+F0o
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+61h], dh
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 0
		db 2 dup(0)
??_C@_1CA@KOKODHP@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAl?$AAo?$AAg?$AA?9?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm@NNGAKEGL@ dd offset loc_760043+2
					; DATA XREF: IopErrorLogConnectSession():loc_868848o
		dw 65h
		dd offset loc_74006D+1
aLogSystem:
		unicode	0, <log-System>,0
; 

; wchar_t ??_C
??_C@_19ENNDBEJL@?$AAN?$AAT?$AAF?$AAS@NNGAKEGL@: ; DATA	XREF: IopErrorLogThread+A0736o
		dec	esi
		add	[eax+eax+46h], dl
		add	[ebx+0], dl
; 
		dw 0
; 

??_C@_1CE@DLCIFMKP@?$AAA?$AAp?$AAp?$AAl?$AAi?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AA?5?$AAP?$AAo?$AAp@NNGAKEGL@:
					; DATA XREF: IopErrorLogThread:loc_9088C4o
		inc	ecx
		add	[eax+0], dh
		jo	short $+2
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax], ah
		add	[eax+0], dl
		outsd
		add	[eax+0], dh
		jnz	short $+2
		jo	short $+2
; 
		dw 0
; 

??_C@_1BO@EGCMCODO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAS?$AAy?$AAs?$AAE?$AAn?$AAv@NNGAKEGL@:
					; DATA XREF: IopOpenSystemVariableDevice(x,x,x):loc_9636E2o
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		inc	ebp
		add	[esi+0], ch
		jbe	short $+2
; 
		db 2 dup(0)
; 

??_C@_1IA@DLIAHLEC@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs@NNGAKEGL@:
					; DATA XREF: IopOpenSystemVariableDevice(x,x,x)+23o
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		push	esp
		add	[edx+0], dh
		jnz	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[eax+eax+52h], ah
		add	[eax+eax+5Ch], dl
		add	[ebx+0], bh
		add	ss:[ecx], bh
		add	[ecx], bh
		add	[ecx+0], al
		inc	ecx
		add	[edx], dh
		add	[esi+0], al
		xor	[eax], eax
		sub	eax, 34004100h
		add	[edx], dh
		add	[ebp+0], al
		sub	eax, 30003400h
		add	[eax+eax+46h], al
		add	ds:41004200h, ch
		add	[edx+0], al
		inc	ebp
		add	ds:41003300h, ch
		add	[ecx+0], al
		inc	ecx
		add	[eax+eax+32h], al
		add	[edx+0], al
		inc	edx
		add	[esi], dh
		add	[ecx+0], al
		xor	al, 0
		aaa
		add	[ebp+0], bh
; 
		db 2 dup(0)
; 

??_C@_0CN@OHIJAEJ@Server?5Silo?5attempting?5to?5unloa@NNGAKEGL@: ; DATA	XREF: sub_8FF269+1o
		push	ebx
		db	65h
		jb	short loc_8B8F30
		db	65h
		jb	short near ptr loc_8B8EDC+1
		push	ebx
		imul	ebp, [edi+ebp*2+20h], 65747461h
		insd
		jo	short near ptr loc_8B8F3C+1
		imul	ebp, [esi+67h],	206F7420h
		jnz	short near ptr loc_8B8F3F+1
		insb
		outsd
		popa
		and	fs:[edx+esi*2+69h], ah
		jbe	short near ptr loc_8B8F3F+2

loc_8B8EDC:				; CODE XREF: PAGE:008B8EBAj
		jb	short near ptr loc_8B8EFD+1
		and	eax, 0A5A77h
		int	3		; Trap to Debugger

??_C@_1CG@NMIHHCCE@?$AAP?$AAn?$AAp?$AAS?$AAe?$AAt?$AAu?$AAp?$AAI?$AAn?$AAP?$AAr?$AAo?$AAg?$AAr@NNGAKEGL@:
					; DATA XREF: PipUpdateSetupInProgress+83A61o
		push	eax
		add	[esi+0], ch
		jo	short $+2
		push	ebx
		add	[ebp+0], ah
		jz	short $+2
		jnz	short $+2
		jo	short $+2
		dec	ecx
		add	[esi+0], ch
		push	eax
		add	[edx+0], dh
		outsd

loc_8B8EFD:				; CODE XREF: PAGE:loc_8B8EDCj
		add	[edi+0], ah
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BO@JHOBKEAA@?$AAO?$AAO?$AAB?$AAE?$AAI?$AAn?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs@NNGAKEGL@:
					; DATA XREF: PipUpdateSetupInProgress+58o
		dec	edi
		add	[edi+0], cl
		inc	edx
		add	[ebp+0], al
		dec	ecx
		add	[esi+0], ch
		push	eax
		add	[edx+0], dh
		outsd
		add	[edi+0], ah
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
; 
		dw 0

;  S U B	R O U T	I N E 


??_C@_1CM@DHJDDPJO@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAe?$AAt?$AAu?$AAp?$AAI?$AAn?$AAP?$AAr@NNGAKEGL@ proc near
					; DATA XREF: PopUpdateUpgradeInProgress(x):loc_736E8Bo
					; PipUpdateSetupInProgress+17o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2

loc_8B8F30:				; CODE XREF: PAGE:008B8EB7j
		add	gs:[ebp+0], ch
		push	ebx
		add	[ebp+0], ah
		jz	short $+2
		jnz	short $+2

loc_8B8F3C:				; CODE XREF: PAGE:008B8EC7j
		jo	short $+2
		dec	ecx

loc_8B8F3F:				; CODE XREF: PAGE:008B8ED0j
					; PAGE:008B8EDAj
		add	[esi+0], ch
		push	eax
		add	[edx+0], dh
		outsd
??_C@_1CM@DHJDDPJO@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAe?$AAt?$AAu?$AAp?$AAI?$AAn?$AAP?$AAr@NNGAKEGL@ endp

		add	[edi+0], ah
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
; 
		dw 0
; 

; wchar_t ??_C
??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@:	; DATA XREF: DrvDbSuspendDatabase+1Fo
					; DrvDbGetDriverDatabaseMappedProperty+1Ao ...
		sub	al, [eax]
; 
		dw 0
??_C@_1BM@NDODFCEE@?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAP?$AAa?$AAt?$AAh?$AAs@NNGAKEGL@:
					; DATA XREF: PiQueryRemovableDeviceOverride:loc_8770C1o
					; PiDevCfgClearDeviceMigrationNode(x,x)+EAo ...
		unicode	0, <LocationPaths>,0
??_C@_1CG@LEOIEOED@?$AAC?$AAh?$AAi?$AAl?$AAd?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAP?$AAa@NNGAKEGL@:
					; DATA XREF: PiQueryRemovableDeviceOverride+A2o
					; PiQueryRemovableDeviceOverride+197o
		unicode	0, <ChildLocationPaths>,0
; 

??_C@_1IG@GGMOEGCN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PipFindDeviceOverrideEntry+6C6E9o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		dec	edi
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BE@BCPLGAPH@?$AAR?$AAe?$AAm?$AAo?$AAv?$AAa?$AAb?$AAl?$AAe@NNGAKEGL@:
					; DATA XREF: PiQueryRemovableDeviceOverride+6C929o
		push	edx
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jbe	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
; 
		dw 0
; wchar_t ??_C
??_C@_1M@DFKENGJN@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@:
					; DATA XREF: _CmGetDeviceSoftwareKeyPath+76o
					; _CmGetCommonClassRegKeyPath:loc_7FCA56o ...
		unicode	0, <%s\%s>,0
; 

??_C@_1BA@LLDEAMNN@?$AAL?$AAa?$AAs?$AAt?$AAU?$AAs?$AAe@NNGAKEGL@:
					; DATA XREF: PipHardwareConfigGetLastUseTime(x,x)+46o
		dec	esp
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		push	ebp
		add	[ebx+0], dh
		add	gs:[eax], al

loc_8B904F:				; DATA XREF: PipHardwareConfigGetIndex(x,x)+3Fo
		add	[ecx+0], cl
		add	fs:[eax], al
		add	[ebx+0], dl	; DATA XREF: PipHardwareConfigActivateService(x)+7Co
					; PipHardwareConfigClearStartOverrideCallback(x,x,x,x)+26o
		jz	short $+2
		popa
		add	[edx+0], dh
		jz	short $+2
		dec	edi
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
; 
		db 2 dup(0)
; 

??_C@_1EC@DGAEKDHP@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@:
					; DATA XREF: PnpHardwareConfigCreateBootDriverFlags+8515Co
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+0], ch
; 
		db 0
??_C@_1CA@PABBOCNB@?$AAB?$AAo?$AAo?$AAt?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@:
					; DATA XREF: PnpHardwareConfigCreateBootDriverFlags+7Ao
					; PnpHardwareConfigCreateBootDriverFlags+85185o ...
		unicode	0, <BootDriverFlags>,0
; 

??_C@_1BK@CGJOHCEH@?$AAR?$AAe?$AAs?$AAp?$AAe?$AAc?$AAi?$AAa?$AAl?$AAi?$AAz?$AAe@NNGAKEGL@:
					; DATA XREF: PipHardwareConfigTriggerRespecialize(x)+71o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jo	short $+2
		add	gs:[ebx+0], ah
		imul	eax, [eax], 6C0061h
		imul	eax, [eax], 65007Ah
; 
		db 2 dup(0)
; 

??_C@_1DO@PGOAJPNE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PopUpdateUpgradeInProgress(x)+3Co
					; PipHardwareConfigTriggerRespecialize(x)+36o ...
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], dl
		add	gs:[eax+eax+75h], dh
		add	[eax+0], dh
; 
		dw 0
??_C@_1BI@CEAGCKOK@?$AAC?$AAo?$AAm?$AAp?$AAu?$AAt?$AAe?$AAr?$AAI?$AAd?$AAs@NNGAKEGL@:
					; DATA XREF: PipCheckComputerSupported(x)+6Bo
		unicode	0, <ComputerIds>,0
??_C@_1BG@PGIGMDPA@?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@:
					; DATA XREF: PipDmgGetDriverDmarCompatLevel+5Do
					; PipGetDriverKsrGuid(x,x)+5Eo
		unicode	0, <Parameters>,0
??_C@_1BA@DKPHFNPD@?$AAK?$AAs?$AAr?$AAG?$AAu?$AAi?$AAd@NNGAKEGL@ db 'K',0
					; DATA XREF: PipGetDriverKsrGuidRegistryValue(x,x)+14o
aSrguid:
		unicode	0, <srGuid>,0
??_C@_1BG@MNAOJKEG@?$AAB?$AAo?$AAo?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@	db 'B',0
					; DATA XREF: PiQueryAndAllocateBootResources+D3o
					; PnpReadDeviceConfiguration+4Eo ...
aOotconfig:
		unicode	0, <ootConfig>,0
??_C@_1BO@DEANAFMF@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAR?$AAe?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd@NNGAKEGL@:
					; DATA XREF: IopIsReportedAlready+1E5o
					; IoReportDetectedDevice+891A7o ...
		unicode	0, <DeviceReported>,0
; 

; wchar_t ??_C
??_C@_19PDMGBJHF@?$AA?$CF?$AA0?$AA4?$AAu@NNGAKEGL@: ; DATA XREF: IoReportDetectedDevice+181o
					; IoReportRootDevice+10Co ...
		and	eax, 34003000h
		add	[ebp+0], dh
; 
		dw 0
; void ??_C
??_C@_1M@NNKCILJE@?$AAR?$AAO?$AAO?$AAT?$AA?2@NNGAKEGL@:
					; DATA XREF: IoReportDetectedDevice:loc_8AAFD9o
					; IoReportRootDevice+3Co
		unicode	0, <ROOT\>,0
??_C@_1BI@IOBDJLCI@?$AAP?$AAn?$AAP?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PnpBuildCmResourceList+3B3o
		unicode	0, <PnP	Manager>,0
??_C@_1CK@HKNPKCBC@?$AAN?$AAo?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAA?$AAt?$AAI?$AAn?$AAi@NNGAKEGL@:
					; DATA XREF: IopInitializeDeviceInstanceKey+17Eo
					; IoReportDetectedDevice+2CEo
		unicode	0, <NoResourceAtInitTime>,0
??_C@_1CE@CAEIBNIA@?$AAB?$AAa?$AAs?$AAi?$AAc?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAV?$AAe?$AAc?$AAt@NNGAKEGL@ db 'B',0
					; DATA XREF: PiQueryResourceRequirements+C1o
					; PnpGetDeviceResourcesFromRegistry+6CB8Fo ...
aAsicconfigvect:
		unicode	0, <asicConfigVector>,0
; 

; wchar_t ??_C
??_C@_15EFAGCOOD@?$AA?$DL?$AA?$CI@NNGAKEGL@: ; DATA XREF: PiGetDeviceRegProperty:loc_7965F7o
					; PiGetDeviceRegistryProperty(x,x,x,x,x,x)+154o
		cmp	eax, [eax]
		sub	[eax], al
; 
		dw 0
??_C@_1BA@EMGOOHIB@?$AAL?$AAo?$AAg?$AAC?$AAo?$AAn?$AAf@NNGAKEGL@:
					; DATA XREF: _CmGetDeviceLogConfKeyPath(x,x,x,x,x,x,x,x)+37o
					; PiGetDeviceRegistryProperty(x,x,x,x,x,x)+7Do
		unicode	0, <LogConf>,0
??_C@_1CA@MIBAJKAO@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAa?$AAt?$AAe?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@:
					; DATA XREF: PiCreateDriverRedirectedStateKey+64o
					; PiOpenDriverRedirectedStateKey(x,x,x)+6Bo ...
		unicode	0, <DriverStatePath>,0
; 

??_C@_1BI@IHFDDONL@?$AA?$CF?$AAw?$AAZ?$AA?2?$AA?$CF?$AAw?$AAZ?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@:
					; DATA XREF: PiGetDriverMutableStateDirectory(x,x,x)+A8o
		and	eax, 5A007700h
		add	[eax+eax+25h], bl
		add	[edi+0], dh
		pop	edx
		add	[eax+eax+25h], bl
		add	[edi+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CM@EJFOHJD@?$AAW?$AAi?$AAn?$AA3?$AA2?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe?$AAS?$AAt?$AAa@NNGAKEGL@:
					; DATA XREF: PiGetDriverMutableStateDirectory(x,x,x)+3Do
		push	edi
		add	[ecx+0], ch
		outsb
		add	[ebx], dh
		add	[edx], dh
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+65h], dh
		add	[edx+0], dl
		outsd
		add	[edi+0], ch
		jz	short $+2
; 
		dw 0
; void ??_C
??_C@_1DC@JDNMDENN@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PiGetDriverMutableStateDirectory(x,x,x)+35o
		unicode	0, <\SystemRoot\ServiceState>,0
??_C@_1BA@IHOFGBGC@?$AA?$CF?$AAw?$AAZ?$AA?2?$AA?$CF?$AAw?$AAZ@NNGAKEGL@	dd offset loc_770025
					; DATA XREF: PiCreateDriverRedirectedStateKey+8C703o
					; PiOpenDriverRedirectedStateKey(x,x,x)+C9o
		dw 5Ah
aWz:
		unicode	0, <\%wZ>,0
; 

; void ??_C
??_C@_1EC@HELHKOLE@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@:
					; DATA XREF: IoGetDeviceDirectory(x,x,x,x,x)+E6o
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+65h], dh
; 
		db 3 dup(0)
; 

??_C@_1CA@DADMMGPH@?$AA?$CF?$AAw?$AAZ?$AA?2?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAZ?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@:
					; DATA XREF: PiBuildAndOpenDeviceDirectoryPath(x,x,x,x,x)+76o
		and	eax, 5A007700h
		add	[eax+eax+25h], bl
		add	[edi+0], dh
		jnb	short $+2
		pop	esp
		add	ds:5A007700h, ah
		add	[eax+eax+25h], bl
		add	[edi+0], dh
		jnb	short $+2
; 
		dw 0
??_C@_1BA@HICHNCPO@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: PiCreateDriverSwDevices+4Co
					; PiBuildAndOpenDeviceDirectoryPath(x,x,x,x,x)+70o ...
		unicode	0, <Devices>,0
??_C@_19IEEMEPMH@?$AAD?$AAa?$AAt?$AAa@NNGAKEGL@:
					; DATA XREF: ExpWnfGetPermanentDataStoreHandleByScopeId:loc_8ADE64o
					; IoGetDeviceDirectory(x,x,x,x,x)+1B7o	...
		unicode	0, <Data>,0
??_C@_1BI@LKGKDEHA@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAa?$AAt?$AAe@NNGAKEGL@ db	'D',0
					; DATA XREF: IoGetDeviceDirectory(x,x,x,x,x)+EEo
aRiverstate:
		unicode	0, <riverState>,0
; 

; wchar_t ??_C
??_C@_1EO@OJOAMFJO@?$AA?$HL?$AA5?$AA3?$AAf?$AA5?$AA6?$AA3?$AA0?$AAd?$AA?9?$AAb?$AA6?$AAb?$AAf?$AA?9@NNGAKEGL@:
					; DATA XREF: PipCheckForDenyExecute(x)+18o
		jnp	short $+2
		xor	eax, 66003300h
		add	ds:33003600h, dh
		add	[eax], dh
		add	[eax+eax+2Dh], ah
		add	[edx+0], ah
		add	ss:[edx+0], ah
		db	66h
		add	ds:31003100h, ch
		add	[eax+eax+30h], ah
		add	ds:34003900h, ch
		add	[esi+0], ah
		xor	al, [eax]
		sub	eax, 30003000h
		add	[ecx+0], ah
		xor	[eax], al
		arpl	[eax], ax
		cmp	[eax], eax
		xor	[eax], eax
		add	gs:[esi+0], ah
		bound	eax, [eax]
		cmp	[eax], al
		bound	eax, [eax]
		jge	short $+2
; 
		dw 0
; wchar_t ??_C
??_C@_15MNCACJLI@?$AA?2?$AA?1@NNGAKEGL@: ; DATA	XREF: IoRegisterDeviceInterface+E0o
		unicode	0, <\/>,0
; void ??_C
??_C@_1BG@KEFMGHOI@?$AA?2?$AAG?$AAL?$AAO?$AAB?$AAA?$AAL?$AA?$DP?$AA?$DP?$AA?2@NNGAKEGL@	db '\',0
					; DATA XREF: IopBuildGlobalSymbolicLinkString+94o
aGlobal??:
		unicode	0, <GLOBAL??\>,0
??_C@_1BK@CNPDEJDJ@?$AAD?$AAe?$AAn?$AAy?$AA_?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAe@NNGAKEGL@:
					; DATA XREF: PipCheckForDenyExecute(x)+A8o
		unicode	0, <Deny_Execute>,0
; 

??_C@_1HG@BJBJOOLC@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PipCheckForDenyExecute(x)+3Do
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		popa
		add	[edi+0], ah
		add	gs:[eax], al

loc_8B9463:				; DATA XREF: IoRegisterBootDriverCallback(x,x)+27o
		add	[eax+eax+43h], bl
		add	[ecx+0], ah
		insb
		add	[eax+eax+62h], ch
		add	[ecx+0], ah
		arpl	[eax], ax
		imul	eax, [eax], 5Ch
		add	[edx+0], al
		outsd
		add	[edi+0], ch
		jz	short $+2
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1DC@IFGNMEPF@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@:
					; DATA XREF: MiSessionObjectCreate+118o
					; PnpInitializeNotifyEntry+E9o	...
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		pop	esp
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	eax, 6400h
; 
		db 0
??_C@_1DM@PCLNIALE@?$AAP?$AAa?$AAs?$AAs?$AAi?$AAv?$AAe?$AAI?$AAn?$AAt?$AAF?$AAo?$AAr?$AAc?$AAe@NNGAKEGL@:
					; DATA XREF: IopQueryPassiveInterruptRegistryOptions+A6o
		unicode	0, <PassiveIntForceCriticalWorker>,0
??_C@_1EC@LAKHOLBC@?$AAP?$AAa?$AAs?$AAs?$AAi?$AAv?$AAe?$AAI?$AAn?$AAt?$AAR?$AAe?$AAa?$AAl?$AAT@NNGAKEGL@:
					; DATA XREF: IopQueryPassiveInterruptRegistryOptions+9Co
		unicode	0, <PassiveIntRealTimeWorkerPriority>,0
; 

??_C@_1DM@NKNBKI@?$AAP?$AAa?$AAs?$AAs?$AAi?$AAv?$AAe?$AAI?$AAn?$AAt?$AAR?$AAe?$AAa?$AAl?$AAT@NNGAKEGL@:
					; DATA XREF: IopQueryPassiveInterruptRegistryOptions+92o
		push	eax
		add	[ecx+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 650076h
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		push	edx
		add	[ebp+0], ah
		popa
		add	[eax+eax+54h], ch
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		push	edi
		add	[edi+0], ch
		jb	short $+2
		imul	eax, [eax], 65h
		add	[edx+0], dh
		inc	ebx
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+0], dh

loc_8B9579:				; DATA XREF: IopQueryPassiveInterruptRegistryOptions+89o
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		endp

		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ecx+0], cl
		das
		add	[edi+0], cl
		and	[eax], al
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
		dw 0
??_C@_19DDCEFKEI@?$AAE?$AAn?$AAu?$AAm@NNGAKEGL@:
					; DATA XREF: _PnpCtxGetCachedNodeBaseKey+156o
					; PipOpenServiceEnumKeys:loc_876267o ...
		unicode	0, <Enum>,0
??_C@_1M@NBCIMFHI@?$AAC?$AAo?$AAu?$AAn?$AAt@NNGAKEGL@ db 'C',0
					; DATA XREF: PiProcessDriverInstance+190o
					; PiFindDevInstMatch+19o ...
		dd offset loc_75006C+3
		dd offset loc_74006D+1
		db 2 dup(0)
; 

??_C@_1BK@IOIONMMG@?$AAN?$AAe?$AAx?$AAt?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@NNGAKEGL@:
					; DATA XREF: PiProcessDriverInstance+1BCo
					; PnpDriverLoadingFailed+83ABAo
		dec	esi
		add	[ebp+0], ah
		js	short $+2
		jz	short $+2
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CA@KLKNBMIL@?$AAI?$AAN?$AAI?$AAT?$AAS?$AAT?$AAA?$AAR?$AAT?$AAF?$AAA?$AAI?$AAL?$AAE?$AAD@NNGAKEGL@:
					; DATA XREF: PnpDriverLoadingFailed+83818o
		dec	ecx
		add	[esi+0], cl
		dec	ecx
		add	[eax+eax+53h], dl
		add	[eax+eax+41h], dl
		add	[edx+0], dl
		push	esp
		add	[esi+0], al
		inc	ecx
		add	[ecx+0], cl
		dec	esp
		add	[ebp+0], al
		inc	esp
; 
		db 3 dup(0)
; 

??_C@_1BM@NKKGOMEP@?$AAC?$AAS?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@:
					; DATA XREF: PnpGetDeviceInstanceCsConfigFlags+6C968o
		inc	ebx
		add	[ebx+0], dl
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 460067h
		insb
		add	[ecx+0], ah
		add	[bp+di+0], dh
; 
		dw 0
??_C@_1BC@JLNJLCPI@?$AAP?$AAn?$AAp?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@:
					; DATA XREF: PnpPrepareDriverLoading+78o
					; PiDevCfgVerifyService(x,x,x)+118o
		unicode	0, <PnpFlags>,0
; 

??_C@_1CI@GMEBAAHF@?$AAt?$AAo?$AAo?$AA?5?$AAm?$AAa?$AAn?$AAy?$AA?5?$AAs?$AAe?$AAp?$AAa?$AAr?$AAa@NNGAKEGL@:
					; DATA XREF: PnpFixupID+6E124o
		jz	short $+2
		outsd
		add	[edi+0], ch
		and	[eax], al
		insd
		add	[ecx+0], ah
		outsb
		add	[ecx+0], bh
		and	[eax], al
		jnb	short $+2
		add	gs:[eax+0], dh
		popa
		add	[edx+0], dh
		popa
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CE@DJNCMLJD@?$AAi?$AAn?$AAv?$AAa?$AAl?$AAi?$AAd?$AA?5?$AAc?$AAh?$AAa?$AAr?$AAa?$AAc?$AAt@NNGAKEGL@:
					; DATA XREF: PnpFixupID+6E141o
		imul	eax, [eax], 76006Eh
		popa
		add	[eax+eax+69h], ch
		add	[eax+eax+20h], ah
		add	[ebx+0], ah
		push	72006100h
		add	[ecx+0], ah
		arpl	[eax], ax
		jz	short $+2
		add	gs:[edx+0], dh
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1GI@JHCBPFLC@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4@NNGAKEGL@:
					; DATA XREF: _PnpSetPropertyWorker+9Bo
					; PnpStringFromGuid(x,x,x)+34o	...
		jnp	short $+2
		and	eax, 38003000h
		add	[eax+eax+78h], ch
		add	ds:30002500h, ch
		add	[eax+eax], dh
		js	short $+2
		sub	eax, 30002500h
		add	[eax+eax], dh
		js	short $+2
		sub	eax, 30002500h
		add	[edx], dh
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		sub	eax, 30002500h
		add	[edx], dh
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		jge	short $+2
; 
		db 2 dup(0)
; 

??_C@_1EO@NFBNALDE@?$AA?$HL?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9@NNGAKEGL@:
					; DATA XREF: PnpIsNullGuidString(x)o
		jnp	short $+2
		xor	[eax], al
		xor	[eax], al
		xor	[eax], al
		xor	[eax], al
		xor	[eax], al
		xor	[eax], al
		xor	[eax], al
		xor	[eax], al
		sub	eax, 30003000h
		add	[eax], dh
		add	[eax], dh
		add	ds:30003000h, ch
		add	[eax], dh
		add	[eax], dh
		add	ds:30003000h, ch
		add	[eax], dh
		add	[eax], dh
		add	ds:30003000h, ch
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
		add	[ebp+0], bh
; 
		dw 0
; 

??_C@_1FA@JJLOMFOH@?$AAf?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAI?$AAR?$AAP?$AA_?$AAM?$AAN?$AA_?$AAQ@NNGAKEGL@:
					; DATA XREF: PnpQueryID+6E20Fo
		db	66h
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[ecx+0], cl
		push	edx
		add	[eax+0], dl
		pop	edi
		add	[ebp+0], cl
		dec	esi
		add	[edi+0], bl
		push	ecx
		add	[ebp+0], dl
		inc	ebp
		add	[edx+0], dl
		pop	ecx
		add	[edi+0], bl
		dec	ecx
		add	[eax+eax+2Dh], al
		add	[edx+0], al
		jnz	short $+2
		jnb	short $+2
		push	ecx
		add	[ebp+0], dh
		add	gs:[edx+0], dh
		jns	short $+2
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		dec	ecx
		add	[eax+eax+0], al
		add	[esi+0], ch	; DATA XREF: PnpFixupID+6E15Eo
		outsd
		add	[eax+eax+20h], dh
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		insd
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax+eax+2Ch], ah
		add	[eax], ah
		add	[eax+eax+6Fh], dh
		add	[edi+0], ch
		and	[eax], al
		insb
		add	[edi+0], ch
		outsb
		add	[edi+0], ah
		and	[eax], al
		outsd
		add	[edx+0], dh
		and	[eax], al
		imul	eax, [eax], 76006Eh
		popa
		add	[eax+eax+69h], ch
		add	[eax+eax+20h], ah
		add	[esi+0], ch
		jnz	short $+2
		insd
		add	[edx+0], ah
		add	gs:[edx+0], dh
		and	[eax], al
		outsd
		add	[esi+0], ah
		and	[eax], al
		jnb	short $+2
		add	gs:[eax+0], dh
		popa
		add	[edx+0], dh
		popa
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1DE@IBBBPFGH@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr@NNGAKEGL@:
					; DATA XREF: PnpCheckDriverDependencies(x,x,x)+88o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+46h], bl
		add	[ecx+0], ch
		jb	short $+2
		insd
		add	[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[edx+0], dl
		add	gs:[ebx+0], dh
		outsd
		add	[ebp+0], dh
		jb	short $+2
		arpl	[eax], ax
		add	gs:[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_13GMDMCADD@?$AA?$CD@NNGAKEGL@:	; DATA XREF: _CmGetDeviceInterfaceName+E2o
		and	eax, [eax]
; 
		db 2 dup(0)
; 

??_C@_1CE@IHKFLCFN@?$AAL?$AAa?$AAs?$AAt?$AAA?$AAt?$AAt?$AAe?$AAm?$AAp?$AAt?$AAS?$AAt?$AAa?$AAt@NNGAKEGL@:
					; DATA XREF: PnpCheckDriverDependencies(x,x,x)+187o
		dec	esp
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		inc	ecx
		add	[eax+eax+74h], dh
		add	[ebp+0], ah
		insd
		add	[eax+0], dh
		jz	short $+2
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1M@OHGOPPGD@?$AAP?$AAh?$AAa?$AAs?$AAe@NNGAKEGL@ proc near
					; DATA XREF: PnpCheckDriverDependencies(x,x,x)+143o
		push	eax
		add	[eax+0], ch
		popa
		add	[ebx+0], dh
		add	gs:[eax], al

loc_8B9859:				; DATA XREF: IopWriteAllocatedResourcesToRegistry(x,x,x)+57o
					; PnpReadDeviceConfiguration:loc_8E47FBo
		add	[ecx+0], al
		insb
		add	[eax+eax+6Fh], ch
		add	[ebx+0], ah
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 67h
??_C@_1M@OHGOPPGD@?$AAP?$AAh?$AAa?$AAs?$AAe@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0O@HCMCJMOF@Size?5Mismatch@NNGAKEGL@ proc	near
					; DATA XREF: PnpCompareInterruptInformation+9CCBAo
		push	ebx
		imul	edi, [edx+65h],	73694D20h
		insd
		popa
		jz	short near ptr ??_C@_1BC@GLIGFLDD@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@+5
		push	746F4E00h	; DATA XREF: PnpCompareInterruptInformation+9CC5Fo
		and	[esi+6Fh], al
		jnz	short near ptr loc_8B98F3+3
		add	fs:[ebx+6Fh], al ; DATA	XREF: PnpCompareInterruptInformation+9CD41o
		insd
		jo	short near ptr ??_C@_1M@IDEFLMF@?$AA?$CF?$AAs?$AA?$CG?$AA?$CF?$AAs@NNGAKEGL@+2
		jb	short near ptr loc_8B98F3+3
		and	[esi+61h], al

loc_8B9894:				; DATA XREF: PipMakeGloballyUniqueId+E4o
					; PipMakeGloballyUniqueId+8CBA9o ...
		imul	ebp, [ebp+64h],	50CC00h
		popa
		add	[edx+0], dh
		add	gs:[esi+0], ch
		jz	short $+2
		dec	ecx
		add	[eax+eax+50h], ah
		add	[edx+0], dh
		add	gs:[esi+0], ah
		imul	eax, [eax], 78h

; wchar_t ??_C
??_C@_15LHNHECKK@?$AA?$CF?$AAx@NNGAKEGL@: ; DATA XREF: PipMakeGloballyUniqueId+8CA46o
		and	eax, 7800h

loc_8B98BD:				; DATA XREF: PipMakeGloballyUniqueId+ABo
		add	[ebp+0], dl
??_C@_0O@HCMCJMOF@Size?5Mismatch@NNGAKEGL@ endp

		outsb
		add	[ecx+0], ch
		jno	short $+2
		jnz	short $+2
		add	gs:[eax+0], dl
		popa
		add	[edx+0], dh
		add	gs:[esi+0], ch
		jz	short $+2
		dec	ecx
		add	[eax+eax+0], al
; 
		db 0
; wchar_t ??_C
??_C@_1BC@GLIGFLDD@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@:
					; CODE XREF: ??_C@_0O@HCMCJMOF@Size?5Mismatch@NNGAKEGL@+Aj
					; DATA XREF: _CmGetDeviceHardwareKeyPath:loc_7D46D9o ...
		unicode	0, <%s\%s\%s>,0
; 

; wchar_t ??_C
??_C@_1M@IDEFLMF@?$AA?$CF?$AAs?$AA?$CG?$AA?$CF?$AAs@NNGAKEGL@:
					; CODE XREF: ??_C@_0O@HCMCJMOF@Size?5Mismatch@NNGAKEGL@+1Bj
					; DATA XREF: PipMakeGloballyUniqueId+1B9o
		and	eax, 26007300h

loc_8B98F3:				; CODE XREF: ??_C@_0O@HCMCJMOF@Size?5Mismatch@NNGAKEGL@+14j
					; ??_C@_0O@HCMCJMOF@Size?5Mismatch@NNGAKEGL@+1Dj
		add	large ds:7300h,	ah
		add	ds:26007800h, ah ; DATA	XREF: PipMakeGloballyUniqueId+8CBB9o
		add	ds:26007800h, ah
		add	large ds:7800h,	ah
		add	ds:2E007300h, ah ; DATA	XREF: PipMakeGloballyUniqueId+8CB02o
		add	ds:2E007800h, ah
		add	large ds:7800h,	ah
		add	[esi+0], cl	; DATA XREF: PipMakeGloballyUniqueId+8CAFDo
		add	gs:[eax+0], bh
		jz	short $+2
		push	eax
		add	[ecx+0], ah
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		dec	ecx
		add	[eax+eax+0], al

loc_8B9937:				; DATA XREF: PnpCheckPossibleBootStartDriver(x)+11o
		add	[edx+0], al
		outsd
		add	[edi+0], ch
		jz	short $+2
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BA@LOGOFDCJ@?$AA?$CK?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PnpGetServiceStartType+6CF6Ao
		sub	al, [eax]
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
; 
		dw 0
; 

??_C@_1M@IOJLKPKK@?$AAS?$AAt?$AAa?$AAr?$AAt@NNGAKEGL@: ; DATA XREF: EtwStartAutoLogger+22Ao
					; PnpGetServiceStartType+41o ...
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
; 
		dw 0
; 

??_C@_1IK@ONEDDMHI@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@:
					; DATA XREF: PnpGetServiceStartType+6CEB6o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebp+0], cl
		popa
		add	[esi+0], ch
		jnz	short $+2
		db	66h
		add	[ecx+0], ah
		arpl	[eax], ax
		jz	short $+2
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 67006Eh
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], ah
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		pop	esp
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		pop	esp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BC@LDIMLHJH@?$AAP?$AAo?$AAr?$AAt?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: PiUEventBroadcastPortsChangedEvent(x,x,x)+68o
		push	eax
		add	[edi+0], ch
		jb	short $+2
		jz	short $+2
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
; 
		dw 0
??_C@_1CK@FJCLHILF@?$AAl?$AAp?$AAa?$AAc?$AAP?$AAn?$AAp?$AAN?$AAo?$AAt?$AAi?$AAf?$AAi?$AAc?$AAa@NNGAKEGL@:
					; DATA XREF: PopCreateNotificationName(x)+1Ao
					; PiUEventInitClientRegistrationContext+16o
		unicode	0, <lpacPnpNotifications>,0
; 

??_C@_1DC@BHKKHEJ@?$AAB?$AAU?$AAI?$AAL?$AAD?$AA?5?$AAD?$AAR?$AAI?$AAV?$AAE?$AAR?$AA?5?$AAP?$AAA@NNGAKEGL@:
					; DATA XREF: PpCheckInDriverDatabase+B098Fo
		inc	edx
		add	[ebp+0], dl
		dec	ecx
		add	[eax+eax+44h], cl
		add	[eax], ah
		add	[eax+eax+52h], al
		add	[ecx+0], cl
		push	esi
		add	[ebp+0], al
		push	edx
		add	[eax], ah
		add	[eax+0], dl
		inc	ecx
		add	[eax+eax+48h], dl
		add	[eax], ah
		add	[esi+0], al
		inc	ecx
		add	[ecx+0], cl
		dec	esp
		add	[ebp+0], al
		inc	esp
; 
		db 3 dup(0)
; 

??_C@_1CK@LCFHMPII@?$AAI?$AAN?$AAI?$AAT?$AA?5?$AAD?$AAA?$AAT?$AAA?$AAB?$AAA?$AAS?$AAE?$AA?5?$AAF@NNGAKEGL@:
					; DATA XREF: PiInitializeDDB+AF347o
					; PpBootDDBHelper+9DF78o
		dec	ecx
		add	[esi+0], cl
		dec	ecx
		add	[eax+eax+20h], dl
		add	[eax+eax+41h], al
		add	[eax+eax+41h], dl
		add	[edx+0], al
		inc	ecx
		add	[ebx+0], dl
		inc	ebp
		add	[eax], ah
		add	[esi+0], al
		inc	ecx
		add	[ecx+0], cl
		dec	esp
		add	[ebp+0], al
		inc	esp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BM@NIOJMEIL@?$AAO?$AAU?$AAT?$AA?5?$AAO?$AAF?$AA?5?$AAM?$AAE?$AAM?$AAO?$AAR?$AAY@NNGAKEGL@:
					; DATA XREF: PpBootDDBHelper+9DF2Co
		dec	edi
		add	[ebp+0], dl
		push	esp
		add	[eax], ah
		add	[edi+0], cl
		inc	esi
		add	[eax], ah
		add	[ebp+0], cl
		inc	ebp
		add	[ebp+0], cl
		dec	edi
		add	[edx+0], dl
		pop	ecx
; 
		db 0
		db 2 dup(0)
; 

??_C@_1O@MPKBHDFA@?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@NNGAKEGL@:
					; DATA XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+15o
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dw 0
; 

??_C@_1DA@ENMEFAGE@?$AAD?$AAA?$AAT?$AAA?$AAB?$AAA?$AAS?$AAE?$AA?5?$AAM?$AAA?$AAP?$AAP?$AAI?$AAN@NNGAKEGL@:
					; DATA XREF: PiInitializeDDB+AF39Do
		inc	esp
		add	[ecx+0], al
		push	esp
		add	[ecx+0], al
		inc	edx
		add	[ecx+0], al
		push	ebx
		add	[ebp+0], al
		and	[eax], al
		dec	ebp
		add	[ecx+0], al
		push	eax
		add	[eax+0], dl
		dec	ecx
		add	[esi+0], cl
		inc	edi
		add	[eax], ah
		add	[esi+0], al
		inc	ecx
		add	[ecx+0], cl
		dec	esp
		add	[ebp+0], al
		inc	esp
; 
		db 3 dup(0)
; 

??_C@_1DA@CGKMMHFH@?$AAD?$AAA?$AAT?$AAA?$AAB?$AAA?$AAS?$AAE?$AA?5?$AAS?$AAE?$AAC?$AAT?$AAI?$AAO@NNGAKEGL@:
					; DATA XREF: PiInitializeDDB+AF386o
		inc	esp
		add	[ecx+0], al
		push	esp
		add	[ecx+0], al
		inc	edx
		add	[ecx+0], al
		push	ebx
		add	[ebp+0], al
		and	[eax], al
		push	ebx
		add	[ebp+0], al
		inc	ebx
		add	[eax+eax+49h], dl
		add	[edi+0], cl
		dec	esi
		add	[eax], ah
		add	[esi+0], al
		inc	ecx
		add	[ecx+0], cl
		dec	esp
		add	[ebp+0], al
		inc	esp
; 
		db 3 dup(0)
; 

??_C@_1CK@FMLCBACL@?$AAD?$AAA?$AAT?$AAA?$AAB?$AAA?$AAS?$AAE?$AA?5?$AAO?$AAP?$AAE?$AAN?$AA?5?$AAF@NNGAKEGL@:
					; DATA XREF: PiInitializeDDB+AF33Bo
		inc	esp
		add	[ecx+0], al
		push	esp
		add	[ecx+0], al
		inc	edx
		add	[ecx+0], al
		push	ebx
		add	[ebp+0], al
		and	[eax], al
		dec	edi
		add	[eax+0], dl
		inc	ebp
		add	[esi+0], cl
		and	[eax], al
		inc	esi
		add	[ecx+0], al
		dec	ecx
		add	[eax+eax+45h], cl
		add	[eax+eax+0], al
		add	[edx+0], dl	; DATA XREF: PiIsDriverBlocked+AFF21o
		inc	ebp
		add	[ecx+0], al
		inc	esp
		add	[eax], ah
		add	[eax+eax+52h], al
		add	[ecx+0], cl
		push	esi
		add	[ebp+0], al
		push	edx
		add	[eax], ah
		add	[ecx+0], cl
		inc	esp
		add	[eax], ah
		add	[esi+0], al
		inc	ecx
		add	[ecx+0], cl
		dec	esp
		add	[ebp+0], al
		inc	esp
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1BK@DOBMICEC@?$AAA?$AAC?$AAP?$AAI?$AA?2?$AAP?$AAN?$AAP?$AA0?$AAA?$AA0?$AA3@NNGAKEGL@:
					; DATA XREF: IopIsPciRootBus(x,x):loc_96CE6Co
		inc	ecx
		add	[ebx+0], al
		push	eax
		add	[ecx+0], cl
		pop	esp
		add	[eax+0], dl
		dec	esi
		add	[eax+0], dl
		xor	[eax], al
		inc	ecx
		add	[eax], dh
		add	[ebx], dh
; 
		db 3 dup(0)
??_C@_1BG@GIPKBPDK@?$AAR?$AAo?$AAo?$AAt?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy@NNGAKEGL@:
					; DATA XREF: IopMemInitialize()+9o
		unicode	0, <RootMemory>,0
??_C@_1BC@FBNILDPO@?$AAR?$AAo?$AAo?$AAt?$AAP?$AAo?$AAr?$AAt@NNGAKEGL@ db 'R',0
					; DATA XREF: IopPortInitialize()+9o
aOotport:
		unicode	0, <ootPort>,0
??_C@_19LFKAPJKP@?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@:
					; DATA XREF: ArbBuildAssignmentOrdering+149o
					; ArbBuildAssignmentOrdering+264o ...
		unicode	0, <Root>,0
; wchar_t ??_C
??_C@_1BK@OJBNAFED@?$AAA?$AAC?$AAP?$AAI?$AA?2?$AAP?$AAN?$AAP?$AA0?$AAA?$AA0?$AA8@NNGAKEGL@ db 'A',0
					; DATA XREF: IopIsPciRootBus(x,x)+81o
aCpiPnp0a08:
		unicode	0, <CPI\PNP0A08>,0
; 

??_C@_1BA@BOCJFOBE@?$AAR?$AAo?$AAo?$AAt?$AAD?$AAM?$AAA@NNGAKEGL@:
					; DATA XREF: IopDmaInitialize()+6o
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+44h], dh
		add	[ebp+0], cl
		inc	ecx
; 
		db 3 dup(0)
??_C@_1BA@CHLFKMBE@?$AAR?$AAo?$AAo?$AAt?$AAI?$AAR?$AAQ@NNGAKEGL@:
					; DATA XREF: IopIrqInitialize()+9o
		unicode	0, <RootIRQ>,0
; 

??_C@_1BM@HNKAKMEE@?$AAR?$AAo?$AAo?$AAt?$AAB?$AAu?$AAs?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: IopBusNumberInitialize()+6o
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+42h], dh
		add	[ebp+0], dh
		jnb	short $+2
		dec	esi
		add	[ebp+0], dh
		insd
		add	[edx+0], ah
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1BA@LMMHLKFA@?$AAD?$AAE?$AAV?$AAI?$AAC?$AAE?$AAS@NNGAKEGL@:
					; DATA XREF: PiPnpRtlInit+9E4A4o
		inc	esp
		add	[ebp+0], al
		push	esi
		add	[ecx+0], cl
		inc	ebx
		add	[ebp+0], al
		push	ebx
; 
		db 3 dup(0)
; wchar_t ??_C
??_C@_1EO@EKIIDBMB@?$AA?$HL?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9@NNGAKEGL@:
					; DATA XREF: PiPnpRtlApplyMandatoryDeviceContainerFilters(x,x,x,x,x)+1Bo
					; PipProcessStartPhase3+289o ...
		unicode	0, <{00000000-0000-0000-FFFF-FFFFFFFFFFFF}>,0
; 

; wchar_t ??_C
??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@:
					; DATA XREF: PiDrvDbSetupNodes+1Do
					; DrvDbOpenContext+90o	...
		push	ebx
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
; 
		dw 0
??_C@_1JI@IBPLMKFD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PipDmgInitReadGroupPolicy()+28o
		unicode	0, <\Registry\Machine\Software\Policies\Microsoft\Windows\Ker>
		unicode	0, <nel	DMA Protection>,0
??_C@_1CO@OOMNNACE@?$AAD?$AAm?$AAa?$AAR?$AAe?$AAm?$AAa?$AAp?$AAp?$AAi?$AAn?$AAg?$AAC?$AAo?$AAm@NNGAKEGL@:
					; DATA XREF: PipDmgGetDriverDmarCompatLevel+91o
		unicode	0, <DmaRemappingCompatible>,0
; 

??_C@_1DA@ECPFKNNG@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAE?$AAn?$AAu?$AAm?$AAe?$AAr?$AAa?$AAt?$AAi@NNGAKEGL@:
					; DATA XREF: PipDmgInitReadGroupPolicy()+5Do
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		inc	ebp
		add	[esi+0], ch
		jnz	short $+2
		insd
		add	[ebp+0], ah
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+0], dl
		outsd
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		jns	short $+2
; 
		db 2 dup(0)
; 

??_C@_1KO@BEMBOCKB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PiDcInitUpdateProperties+53o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al
		dec	ebp
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+61h], dh
		add	[ecx+0], ch
		outsb
		add	[ebp+0], ah
		jb	short $+2
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+0], dh
		add	gs:[edx+0], dh
		jz	short $+2
		jns	short $+2
		push	ebp
		add	[eax+0], dh
		add	fs:[ecx+0], ah
		jz	short $+2
		add	gs:[ebp+0], al
		jbe	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		jnb	short $+2
; 
		dw 0
??_C@_1BG@FHMIEFJA@?$AA?2?$AAD?$AAe?$AAv?$AA?2?$AAQ?$AAu?$AAe?$AAr?$AAy@NNGAKEGL@:
					; DATA XREF: PiDqDispatch+83o
		unicode	0, <\Dev\Query>,0
; 

??_C@_1CA@FJGOFOAA@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAn?$AAt?$AAe?$AAr?$AAf?$AAa?$AAc?$AAe@NNGAKEGL@:
					; DATA XREF: PiDqConvertObjectTypeToString(x,x):loc_96EB01o
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		db	66h
		add	[ecx+0], ah
		arpl	[eax], ax
		add	gs:[eax], al

loc_8B9E51:				; DATA XREF: PiDqDeleteUserObjectFromLoadedHives(x,x)+47o
		add	[eax+eax+52h], bl
		add	[ebp+0], al
		inc	edi
		add	[ecx+0], cl
		push	ebx
		add	[eax+eax+52h], dl
		add	[ecx+0], bl
		pop	esp
		add	[ebp+0], dl
		push	ebx
		add	[ebp+0], al
		push	edx
; 
		db 3 dup(0)
; void ??_C
??_C@_1CA@BAGEJGFP@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAU?$AAS?$AAE?$AAR?$AA?2@NNGAKEGL@:
					; DATA XREF: .text:00405018o
					; PiDqOpenUserObjectRegKey+ECo	...
		unicode	0, <\REGISTRY\USER\>,0
??_C@_1BK@CEGKAJBG@?$AA?2?$AAD?$AAe?$AAv?$AA?2?$AAN?$AAo?$AAS?$AAt?$AAa?$AAt?$AAe@NNGAKEGL@:
					; DATA XREF: PiDqDispatch:loc_7FACDDo
		unicode	0, <\Dev\NoState>,0
; 

??_C@_17OLHCHGJI@?$AAA?$AAE?$AAP@NNGAKEGL@:
					; DATA XREF: PiDqConvertObjectTypeToString(x,x):loc_96EB1Do
		inc	ecx
		add	[ebp+0], al
		push	eax
; 
		db 0
		db 2 dup(0)
; 

??_C@_1CK@KNOHNFMP@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAn?$AAt?$AAe?$AAr?$AAf?$AAa?$AAc?$AAe@NNGAKEGL@:
					; DATA XREF: PiDqConvertObjectTypeToString(x,x):loc_96EB16o
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		db	66h
		add	[ecx+0], ah
		arpl	[eax], ax
		add	gs:[ebx+0], al
		insb
		add	[ecx+0], ah
		jnb	short $+2
		jnb	short $+2
; 
		dw 0
??_C@_1O@HAMLNBEA@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@NNGAKEGL@:
					; DATA XREF: PiDqConvertObjectTypeToString(x,x):loc_96EB0Fo
					; PiDevCfgConfigureDeviceInterface(x,x,x)+14o ...
		unicode	0, <Device>,0
; 

??_C@_1CA@EADKOLGB@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PiDqConvertObjectTypeToString(x,x):loc_96EB08o
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+61h], dh
		add	[ecx+0], ch
		outsb
		add	[ebp+0], ah
		jb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CO@FPFGHDKK@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PiDqConvertObjectTypeToString(x,x):loc_96EB39o
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+61h], dh
		add	[ecx+0], ch
		outsb
		add	[ebp+0], ah
		jb	short $+2
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		jo	short $+2
		insb
		add	[ecx+0], ah
		jns	short $+2
; 
		dw 0
; 

??_C@_1CO@BOHOPNOD@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAn?$AAt?$AAe?$AAr?$AAf?$AAa?$AAc?$AAe@NNGAKEGL@:
					; DATA XREF: PiDqConvertObjectTypeToString(x,x):loc_96EB32o
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		db	66h
		add	[ecx+0], ah
		arpl	[eax], ax
		add	gs:[eax+eax+69h], al
		add	[ebx+0], dh
		jo	short $+2
		insb
		add	[ecx+0], ah
		jns	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CK@OPLFMDGP@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PiDqConvertObjectTypeToString(x,x):loc_96EB2Bo
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[eax+eax+6Ch], ch
		add	[ebp+0], ah
		jb	short $+2
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BK@HNBMGFAO@?$AAA?$AAE?$AAP?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PiDqConvertObjectTypeToString(x,x):loc_96EB24o
		inc	ecx
		add	[ebp+0], al
		push	eax
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		popa
		add	[ecx+0], ch
		outsb
		add	[ebp+0], ah
		jb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BE@MFOLOKJL@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: PiDqConvertQueryTypeToString(x,x):loc_96ECADo
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1BC@LDHKIAE@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@NNGAKEGL@:
					; DATA XREF: PiDqConvertQueryTypeToString(x,x):loc_96ECB4o
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1BI@LIJEIIAJ@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAP?$AAa?$AAn?$AAe?$AAl@NNGAKEGL@:
					; DATA XREF: PiDqConvertObjectTypeToString(x,x):loc_96EB47o
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		push	eax
		add	[ecx+0], ah
		outsb
		add	[ebp+0], ah
		insb
; 
		db 3 dup(0)
; 

??_C@_1BG@JHBJODFK@?$AAA?$AAE?$AAP?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe@NNGAKEGL@:
					; DATA XREF: PiDqConvertObjectTypeToString(x,x):loc_96EB40o
		inc	ecx
		add	[ebp+0], al
		push	eax
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
; 
		db 2 dup(0)
; 

??_C@_1BK@EHEKFHFC@?$AA?$DM?$AAm?$AAo?$AAr?$AAe?$AA?5?$AAf?$AAl?$AAa?$AAg?$AAs?$AA?$DO@NNGAKEGL@:
					; DATA XREF: PiDqConvertQueryFlagsToString(x,x,x,x)+E8o
		cmp	al, 0
		insd
		add	[edi+0], ch
		jb	short $+2
		add	gs:[eax], ah
		add	[esi+0], ah
		insb
		add	[ecx+0], ah
		add	[bp+di+0], dh
		db	3Eh
		add	[eax], al
; 
		db 0
; 

??_C@_1CM@PCLLHIPJ@?$AAD?$AAe?$AAv?$AAQ?$AAu?$AAe?$AAr?$AAy?$AAF?$AAl?$AAa?$AAg?$AAL?$AAo?$AAc@NNGAKEGL@:
					; DATA XREF: PiDqConvertQueryFlagsToString(x,x,x,x)+BCo
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		push	ecx
		add	[ebp+0], dh
		add	gs:[edx+0], dh
		jns	short $+2
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		dec	esp
		add	[edi+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], ch
		add	[edx+0], bh
		add	gs:[eax], ah
; 
		db 3 dup(0)
??_C@_1DG@CINBGJHP@?$AAD?$AAe?$AAv?$AAQ?$AAu?$AAe?$AAr?$AAy?$AAF?$AAl?$AAa?$AAg?$AAA?$AAl?$AAl@NNGAKEGL@:
					; DATA XREF: PiDqConvertQueryFlagsToString(x,x,x,x)+8Co
		unicode	0, <DevQueryFlagAllProperties >,0
; 

??_C@_1DG@MBMMKDCI@?$AAD?$AAe?$AAv?$AAQ?$AAu?$AAe?$AAr?$AAy?$AAF?$AAl?$AAa?$AAg?$AAU?$AAp?$AAd@NNGAKEGL@:
					; DATA XREF: PiDqConvertQueryFlagsToString(x,x,x,x)+58o
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		push	ecx
		add	[ebp+0], dh
		add	gs:[edx+0], dh
		jns	short $+2
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		push	ebp
		add	[eax+0], dh
		add	fs:[ecx+0], ah
		jz	short $+2
		add	gs:[edx+0], dl
		add	gs:[ebx+0], dh
		jnz	short $+2
		insb
		add	[eax+eax+73h], dh
		add	[eax], ah
; 
		db 3 dup(0)
??_C@_1CK@LLHOGJK@?$AAP?$AAe?$AAn?$AAd?$AAi?$AAn?$AAg?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr@NNGAKEGL@:
					; DATA XREF: PpDevCfgProcessDeviceOperations+56o
					; PpDevCfgProcessDeviceOperations+6C855o
		unicode	0, <PendingConfiguration>,0
??_C@_1BA@DJLBFCNB@?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@ db 'F',0
					; DATA XREF: _CmGetInstallerClassCompoundFilters+71o
					; _CmGetDeviceCompoundFilters+69o ...
aIlters:
		unicode	0, <ilters>,0
; 

??_C@_1BM@ICBIINEM@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@:
					; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+ACFo
					; PiDevCfgConfigureDeviceLocation(x,x,x,x)+256o ...
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 750067h
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 0
		db 2 dup(0)
; 

??_C@_1CA@EEKMHEGJ@?$AA?$CF?$AAh?$AAu?$AA?4?$AA?$CF?$AAh?$AAu?$AA?4?$AA?$CF?$AAh?$AAu?$AA?4?$AA?$CF?$AAh?$AAu@NNGAKEGL@:
					; DATA XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+224o
					; PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+1CBo
		and	eax, 75006800h
		add	[esi], ch
		add	ds:75006800h, ah
		add	[esi], ch
		add	ds:75006800h, ah
		add	[esi], ch
		add	ds:75006800h, ah
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1BI@IEJCOLMP@?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu@NNGAKEGL@:
					; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+12C4o
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+2D1o
		and	eax, 2E007500h
		add	ds:2E007500h, ah
		add	ds:2E007500h, ah
		add	large ds:7500h,	ah
		add	ds:32003000h, ah
					; DATA XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+2A0o
		add	[eax+eax+2Fh], ah
		add	ds:32003000h, ah
		add	[eax+eax+2Fh], ah
		add	ds:34003000h, ah
		add	[eax+eax+0], ah
		add	ds:73007700h, ah
					; DATA XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+B92o
		add	ds:5A007700h, ah
		add	[edx], bh
		add	ds:5A007700h, ah
		add	[edx], bh
		add	ds:5A007700h, ah
		add	[edx], bh
		add	ds:5A007700h, ah
; 
		db 0
		db 2 dup(0)
; 

??_C@_13DEFPDAGF@?$AA?0@NNGAKEGL@:	; DATA XREF: PiDevCfgBuildDriverConfigurationId(x,x)+112o
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x):loc_97772Bo
		sub	al, 0
; 
		db 2 dup(0)
; 

??_C@_19LNJPNLEB@?$AA?3?$AA?$CF?$AAw?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+3FFo
		cmp	al, [eax]
		and	eax, 73007700h
; 
		db 3 dup(0)
??_C@_1BK@IHJLDEBK@?$AA?$CF?$AAw?$AAZ?$AA?3?$AA?$CF?$AAw?$AAZ?$AA?3?$AA?$CF?$AA0?$AA8?$AAX@NNGAKEGL@ dd	offset loc_770025
					; DATA XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+3D9o
aZWz08x:
		unicode	0, <Z:%wZ:%08X>,0
; 

??_C@_1CC@NPDHLKAB@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAD?$AAe?$AAn?$AAy?$AAL?$AAa?$AAy?$AAe?$AAr?$AAe@NNGAKEGL@:
					; DATA XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+114o
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[edi+0], ch
		ja	short $+2
		inc	esp
		add	[ebp+0], ah
		outsb
		add	[ecx+0], bh
		dec	esp
		add	[ecx+0], ah
		jns	short $+2
		add	gs:[edx+0], dh
		add	gs:[eax+eax+0],	ah
		add	[edx+0], dl	; DATA XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+EDo
		add	gs:[ebx+0], dh
		jz	short $+2
		jb	short $+2
		imul	eax, [eax], 740063h
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1GC@IKLGFJMB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+9Bo
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
		add	[edx+0], ah
		popa
		add	[ebx+0], dh
		add	gs:[eax+eax+50h], bl
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 730065h
; 
		dw 0
; 

??_C@_1II@OAHIPMAC@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+4Ao
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		outsd
		add	[esi+0], ah
		jz	short $+2
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+50h], bl
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 730065h
		pop	esp
		add	[ebp+0], cl
		imul	eax, [eax], 720063h
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[eax+eax+6Ch], ch
; 
		db 3 dup(0)
??_C@_1BO@GPHLCNOK@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAD?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+253o
		unicode	0, <AllowDeviceIDs>,0
; 

??_C@_1CE@EIBAFMB@?$AAD?$AAe?$AAn?$AAy?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAl?$AAa?$AAs?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+192o
		inc	esp
		add	[ebp+0], ah
		outsb
		add	[ecx+0], bh
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
		add	gs:[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1CG@DCECOKLJ@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAl?$AAa?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+174o
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[edi+0], ch
		ja	short $+2
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
		add	gs:[ebx+0], dh
; 
		dw 0
; 

??_C@_1CK@ILAKMLGI@?$AAD?$AAe?$AAn?$AAy?$AAR?$AAe?$AAm?$AAo?$AAv?$AAa?$AAb?$AAl?$AAe?$AAD?$AAe@NNGAKEGL@:
					; DATA XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+14Do
		inc	esp
		add	[ebp+0], ah
		outsb
		add	[ecx+0], bh
		push	edx
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jbe	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CA@LONBEDBA@?$AAD?$AAe?$AAn?$AAy?$AAU?$AAn?$AAs?$AAp?$AAe?$AAc?$AAi?$AAf?$AAi?$AAe?$AAd@NNGAKEGL@:
					; DATA XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+3FDo
		inc	esp
		add	[ebp+0], ah
		outsb
		add	[ecx+0], bh
		push	ebp
		add	[esi+0], ch
		jnb	short $+2
		jo	short $+2
		add	gs:[ebx+0], ah
		imul	eax, [eax], 690066h
		add	gs:[eax+eax+0],	ah
		add	[eax+eax+65h], al
					; DATA XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+3BDo
		add	[esi+0], ch
		jns	short $+2
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[ecx+0], cl
		inc	esp
		add	[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1CC@LHEJOKDF@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe?$AAI?$AAD@NNGAKEGL@:
					; DATA XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+39Fo
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[edi+0], ch
		ja	short $+2
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[ecx+0], cl
		inc	esp
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1BM@IBNKIDD@?$AAD?$AAe?$AAn?$AAy?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAD?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+26Bo
		inc	esp
		add	[ebp+0], ah
		outsb
		add	[ecx+0], bh
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		dec	ecx
		add	[eax+eax+73h], al
; 
		db 3 dup(0)
??_C@_1BM@JBLBDIOG@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@NNGAKEGL@:
					; DATA XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+5D3o
		unicode	0, <DriverVersion>,0
??_C@_1BG@IAFOGIBK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAe@NNGAKEGL@:
					; DATA XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+5B4o
					; _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)+F8o ...
		unicode	0, <DriverDate>,0
; 

??_C@_1BI@OAJEEHJL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAo?$AAr?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+462o
		inc	esp
		add	[ebp+0], ah
		jnb	short $+2
		arpl	[eax], ax
		jb	short $+2
		imul	eax, [eax], 740070h
		outsd
		add	[edx+0], dh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BO@LGEPHCPO@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@:
					; DATA XREF: DrvDbGetDriverPackageMappedProperty+11AE14o
					; PiDevCfgOpenDriverConfiguration(x,x,x)+20o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 750067h
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1BC@EAIBBAIC@?$AA?$EA?$AA?$CF?$AAw?$AAZ?$AA?0?$AA?$CF?$AAw?$AAZ@NNGAKEGL@:
					; DATA XREF: PiDevCfgBuildIndirectString(x,x,x,x)+1D3o
		inc	eax
		add	ds:5A007700h, ah
		add	[eax+eax], ch
		and	eax, 5A007700h
; 
		db 0
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1BA@ENIPEGKK@?$AAS?$AAt?$AAr?$AAi?$AAn?$AAg?$AAs@NNGAKEGL@ proc near
					; DATA XREF: PiDevCfgBuildIndirectString(x,x,x,x)+99o
		push	ebx
		add	[eax+eax+72h], dh
		add	[ecx+0], ch
		outsb
??_C@_1BA@ENIPEGKK@?$AAS?$AAt?$AAr?$AAi?$AAn?$AAg?$AAs@NNGAKEGL@ endp

		add	[edi+0], ah
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BI@KGJMAEC@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+19Do
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+26Bo ...
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 460067h
		insb
		add	[ecx+0], ah
		add	[bp+di+0], dh
; 
		db 2 dup(0)
??_C@_1BG@LJENICHM@?$AAE?$AAx?$AAc?$AAl?$AAu?$AAd?$AAe?$AAI?$AAd?$AAs@NNGAKEGL@	dd offset loc_780040+5
					; DATA XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+5E0o
		dw 63h
		dd offset loc_75006C
aDeids:
		unicode	0, <deIds>,0
; 

??_C@_19EKBFMKFK@?$AA?0?$AA?$CF?$AAw?$AAZ@NNGAKEGL@:
					; DATA XREF: PiDevCfgBuildDriverConfigurationId(x,x)+C2o
		sub	al, 0
		and	eax, 5A007700h
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BA@FLBMBFFF@?$AA?$CF?$AAw?$AAZ?$AA?3?$AA?$CF?$AAw?$AAZ@NNGAKEGL@:
					; DATA XREF: PiDevCfgBuildDriverConfigurationId(x,x)+94o
		and	eax, 5A007700h
		add	[edx], bh
		add	ds:5A007700h, ah
; 
		db 0
		db 2 dup(0)
; wchar_t ??_C
??_C@_1EC@BBAOPJFC@?$AA?$CF?$AAw?$AAZ?$AA?3?$AA?$CF?$AA0?$AA8?$AAx?$AA?$CF?$AA0?$AA8?$AAx?$AA?3?$AA?$CF?$AAw@NNGAKEGL@ dd offset loc_770025
					; DATA XREF: PiDevCfgBuildDriverNodeStrongName(x,x,x,x)+D1o
		dw 5Ah
a08x08xWzU_U_U_:
		unicode	0, <:%08x%08x:%wZ:%u.%u.%u.%u:%wZ>,0
; 

; wchar_t ??_C
??_C@_19IPGHFAML@?$AA?$DL?$AA?$CF?$AAw?$AAZ@NNGAKEGL@:
					; DATA XREF: PiDevCfgBuildIndirectString(x,x,x,x)+20Ao
		cmp	eax, [eax]
		and	eax, 5A007700h
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BI@CHKFBIMA@?$AA?$CF?$AAh?$AAu?$AA?1?$AA?$CF?$AAh?$AAu?$AA?1?$AA?$CF?$AAh?$AAu@NNGAKEGL@:
					; DATA XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+184o
		and	eax, 75006800h
		add	[edi], ch
		add	ds:75006800h, ah
		add	[edi], ch
		add	ds:75006800h, ah
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1DI@BBGEGIPL@?$AA?0?$AA?$CF?$AA0?$AA2?$AAd?$AA?1?$AA?$CF?$AA0?$AA2?$AAd?$AA?1?$AA?$CF?$AA0?$AA4?$AAd@NNGAKEGL@:
					; DATA XREF: PiDevCfgBuildDriverConfigurationId(x,x)+167o
		sub	al, 0
		and	eax, 32003000h
		add	[eax+eax+2Fh], ah
		add	ds:32003000h, ah
		add	[eax+eax+2Fh], ah
		add	ds:34003000h, ah
		add	[eax+eax+2Ch], ah
		add	ds:2E007500h, ah
		add	ds:2E007500h, ah
		add	ds:2E007500h, ah
		add	large ds:7500h,	ah
; 
		db 0
; 

??_C@_1BA@IELBACJJ@?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe@NNGAKEGL@:
					; DATA XREF: PiDevCfgQueryDriverConfiguration(x)+83o
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		imul	eax, [eax], 650063h
; 
		db 2 dup(0)
; 

??_C@_1CA@HOLKNBGP@?$AAI?$AAn?$AAc?$AAl?$AAu?$AAd?$AAe?$AAd?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgQueryDriverConfiguration(x)+19Ao
		dec	ecx
		add	[esi+0], ch
		arpl	[eax], ax
		insb
		add	[ebp+0], dh
		add	fs:[ebp+0], ah
		add	fs:[ebx+0], al
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[bp+di+0], dh
; 
		db 2 dup(0)
; 

??_C@_1BK@PIHNOJBM@?$AAI?$AAn?$AAc?$AAl?$AAu?$AAd?$AAe?$AAd?$AAI?$AAn?$AAf?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgQueryDriverConfiguration(x)+184o
		dec	ecx
		add	[esi+0], ch
		arpl	[eax], ax
		insb
		add	[ebp+0], dh
		add	fs:[ebp+0], ah
		add	fs:[ecx+0], cl
		outsb
		add	[esi+0], ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BK@FNJCPENK@?$AAU?$AAp?$AAp?$AAe?$AAr?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgQueryDriverConfiguration(x)+163o
		push	ebp
		add	[eax+0], dh
		jo	short $+2
		add	gs:[edx+0], dh
		inc	esi
		add	[ecx+0], ch
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BK@LMFDGODN@?$AAL?$AAo?$AAw?$AAe?$AAr?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgQueryDriverConfiguration(x)+151o
		dec	esp
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		inc	esi
		add	[ecx+0], ch
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BK@KMOEEMNF@?$AAI?$AAn?$AAc?$AAl?$AAu?$AAd?$AAe?$AAS?$AAc?$AAo?$AAp?$AAe@NNGAKEGL@:
					; DATA XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+2C1o
		dec	ecx
		add	[esi+0], ch
		arpl	[eax], ax
		insb
		add	[ebp+0], dh
		add	fs:[ebp+0], ah
		push	ebx
		add	[ebx+0], ah
		outsd
		add	[eax+0], dh
		add	gs:[eax], al
		add	[edx+0], dl	; DATA XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+12Ao
					; PiDevCfgQueryDriverConfiguration(x)+1B0o
		add	gs:[edx+0], ah
		outsd
		add	[edi+0], ch
		jz	short $+2
; 
		dw 0
??_C@_1DA@LIEHOELA@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAL@NNGAKEGL@:
					; DATA XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+B7o
		unicode	0, <Control\DeviceLocations>,0
; 

??_C@_1BK@PGBJEKCF@?$AAM?$AAa?$AAn?$AAu?$AAf?$AAa?$AAc?$AAt?$AAu?$AAr?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+5A9o
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ebp+0], dh
		db	66h
		add	[ecx+0], ah
		arpl	[eax], ax
		jz	short $+2
		jnz	short $+2
		jb	short $+2
		add	gs:[edx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@:
					; DATA XREF: BiUnloadHiveByHandle(x,x)+26o
					; BiAddStoreFromFile+92o ...
		inc	esp
		add	[ebp+0], ah
		jnb	short $+2
		arpl	[eax], ax
		jb	short $+2
		imul	eax, [eax], 740070h
		imul	eax, [eax], 6E006Fh
; 
		db 2 dup(0)
; 

??_C@_1CI@IBANAFHK@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AA?2?$AAR@NNGAKEGL@:
					; DATA XREF: PiDevCfgResetDeviceKeys(x,x,x)+37o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 750067h
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+eax+52h], bl
		add	[ebp+0], ah
		jnb	short $+2
		add	gs:[eax+eax+0],	dh

loc_8BA67D:				; DATA XREF: EtwStartAutoLogger+990o
					; EtwpEnableAutoLoggerProvider+503o ...
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1BG@JELGADA@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAf?$AAa?$AAc?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+48o
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		db	66h
		add	[ecx+0], ah
		arpl	[eax], ax
		add	gs:[ebx+0], dh
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1CO@OPKJDAJE@?$AAS?$AAe?$AAt?$AAu?$AAp?$AA?2?$AAR?$AAe?$AAs?$AAo?$AAl?$AAv?$AAe?$AAF?$AAi@NNGAKEGL@ proc near
					; DATA XREF: PiDevCfgInitResolveContext(x,x,x)+DAo
					; PiDrvDbOverlayNodeHive(x,x,x)+D8o ...
		push	ebx
		add	[ebp+0], ah
		jz	short $+2
		jnz	short $+2
		jo	short $+2
		pop	esp
		add	[edx+0], dl
		add	gs:[ebx+0], dh
		outsd
??_C@_1CO@OPKJDAJE@?$AAS?$AAe?$AAt?$AAu?$AAp?$AA?2?$AAR?$AAe?$AAs?$AAo?$AAl?$AAv?$AAe?$AAF?$AAi@NNGAKEGL@ endp

		add	[eax+eax+76h], ch
		add	[ebp+0], ah
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		push	eax
		add	[ecx+0], ah
		jz	short $+2
		push	7300h
; 
		db 0
??_C@_1BE@BDPBLKHD@?$AAV?$AAa?$AAr?$AAi?$AAa?$AAb?$AAl?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgInitResolveContext(x,x,x)+19o
					; PiDevCfgResolveVariableFormatString(x,x,x)+73o
		unicode	0, <Variables>,0
??_C@_1BA@BPDPPBLC@?$AAC?$AAl?$AAa?$AAs?$AAs?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgInitMigrationContext(x,x,x)+140o
		unicode	0, <Classes>,0
??_C@_1DA@PEBFPDJH@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAM@NNGAKEGL@:
					; DATA XREF: PiDevCfgInitMigrationContext(x,x,x)+72o
		unicode	0, <Control\DeviceMigration>,0
; 

??_C@_1BA@BNFIHHGN@?$AAB?$AAl?$AAo?$AAc?$AAk?$AAe?$AAd@NNGAKEGL@:
					; DATA XREF: PiDevCfgVerifyDeviceAllowed(x,x)+88o
		inc	edx
		add	[eax+eax+6Fh], ch
		add	[ebx+0], ah
		imul	eax, [eax], 65h
		add	[eax+eax+0], ah
; 
		db 0

;  S U B	R O U T	I N E 


??_C@_1CA@IENBEMHD@?$AAC?$AAl?$AAa?$AAs?$AAs?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAe?$AAd@NNGAKEGL@ proc near
					; DATA XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+160o
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 750067h
		jb	short $+2
		add	gs:[eax+eax+0],	ah

loc_8BA753:				; DATA XREF: _PnpCtxGetCachedNodeBaseKey+176o
		add	[ebx+0], dl
??_C@_1CA@IENBEMHD@?$AAC?$AAl?$AAa?$AAs?$AAs?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAe?$AAd@NNGAKEGL@ endp

		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BM@GNHLLIBL@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAI?$AAn?$AAf?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: PiDevCfgMigrateRootDevice(x,x,x)+83o
					; PiDevCfgQueryDeviceMigrationNode(x,x,x)+1E3o
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[esi+0], cl
		popa
		add	[ebp+0], ch
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1BE@EOAKIEOD@?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgClearDeviceMigrationNode(x,x)+29Do
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+128o
		dec	esp
		add	[edi+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1EA@MFAHDJFD@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAM@NNGAKEGL@:
					; DATA XREF: PiDevCfgOpenDeviceMigrationKey(x,x,x)+5Do
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+44h], bl
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		dec	ebp
		add	[ecx+0], ch
		add	[bp+si+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+eax+44h], bl
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BE@MANDFMJD@?$AAC?$AAl?$AAa?$AAs?$AAs?$AAG?$AAu?$AAi?$AAd@NNGAKEGL@:
					; DATA XREF: PiDevCfgClearDeviceMigrationNode(x,x)+B7o
					; PiDevCfgQueryDeviceMigrationNode(x,x,x)+11Ao
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
		inc	edi
		add	[ebp+0], dh
		imul	eax, [eax], 64h

??_C@_1BM@BIEIEELI@?$AAC?$AAo?$AAm?$AAp?$AAa?$AAt?$AAi?$AAb?$AAl?$AAe?$AAI?$AAd?$AAs@NNGAKEGL@:
					; DATA XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+13Eo
					; PAGE:00A3FCA8o
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		dec	ecx
		add	[eax+eax+73h], ah
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BI@ELGHKGG@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AAI?$AAd?$AAs@NNGAKEGL@:
					; DATA XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+125o
					; PAGE:off_A3FCA4o
		dec	eax
		add	[ecx+0], ah
		jb	short $+2
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[ecx+0], cl
		add	fs:[ebx+0], dh
; 
		db 2 dup(0)
??_C@_1BE@NAMCHGKG@?$AAD?$AAu?$AAp?$AAl?$AAi?$AAc?$AAa?$AAt?$AAe@NNGAKEGL@ dd offset loc_750044
					; DATA XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+858o
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+8BCo
		dw 70h
aLicate:
		unicode	0, <licate>,0
; 

??_C@_1BA@DDDLNJJL@?$AAP?$AAr?$AAe?$AAs?$AAe?$AAn?$AAt@NNGAKEGL@:
					; DATA XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+1EDo
		push	eax
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		add	gs:[esi+0], ch
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BK@MGFHJELK@?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAI?$AAn?$AAf?$AAo@NNGAKEGL@:
					; DATA XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+1BEo
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+21Fo
		dec	esp
		add	[edi+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ecx+0], cl
		outsb
		add	[esi+0], ah
		outsd
; 
		db 3 dup(0)
??_C@_1BM@JIENPPCJ@?$AAB?$AAu?$AAs?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAD?$AAe?$AAs?$AAc@NNGAKEGL@ dd offset loc_750042
					; DATA XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+1AEo
aSdevicedesc:
		unicode	0, <sDeviceDesc>,0
??_C@_1BK@JKLHPNBO@?$AAC?$AAa?$AAp?$AAa?$AAb?$AAi?$AAl?$AAi?$AAt?$AAi?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: WmipQueryWmiDataBlock+130131o
					; PiDevCfgQueryDeviceMigrationNode(x,x,x)+19Eo	...
		unicode	0, <Capabilities>,0
; 

??_C@_1BA@KACDEPEO@?$AAP?$AAe?$AAr?$AAs?$AAi?$AAs?$AAt@NNGAKEGL@:
					; DATA XREF: PiDevCfgClearDeviceMigrationNode(x,x)+FFo
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 740073h
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1BC@JDKNNDON@?$AAS?$AAO?$AAF?$AAT?$AAW?$AAA?$AAR?$AAE@NNGAKEGL@:
					; DATA XREF: PiDrvDbSetupNodes+E1o
					; PiDevCfgResolveVariableKeyHandle(x,x,x):loc_97D048o ...
		push	ebx
		add	[edi+0], cl
		inc	esi
		add	[eax+eax+57h], dl
		add	[ecx+0], al
		push	edx
		add	[ebp+0], al
; 
		dw 0
; 

??_C@_1DC@KILCGNCG@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+ECo
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al
		dec	ebp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BA@HPKJFNOK@?$AAK?$AAe?$AAy?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@:
					; DATA XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+3Eo
		dec	ebx
		add	[ebp+0], ah
		jns	short $+2
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+0], dh
		add	[ebx+0], cl	; DATA XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+28Ao
		add	gs:[ecx+0], bh
		push	eax
		add	[ecx+0], ah
		jz	short $+2
; 
		dw 68h
		db 2 dup(0)
; 

??_C@_1DG@IFIHIIDF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+3C3o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[eax+0], cl
		inc	ecx
		add	[edx+0], dl
		inc	esp
		add	[edi+0], dl
		inc	ecx
		add	[edx+0], dl
		inc	ebp
; 
		db 3 dup(0)
; wchar_t ??_C
??_C@_1BC@BDFNFELL@?$AAH?$AAA?$AAR?$AAD?$AAW?$AAA?$AAR?$AAE@NNGAKEGL@:
					; DATA XREF: PiDevCfgResolveVariableKeyHandle(x,x,x):loc_97D0C3o
		unicode	0, <HARDWARE>,0
; 

??_C@_1DG@FHHAPGD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+342o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		dec	edi
		add	[esi+0], al
		push	esp
		add	[edi+0], dl
		inc	ecx
		add	[edx+0], dl
		inc	ebp
; 
		db 3 dup(0)
??_C@_1M@LJBKIHIF@?$AAV?$AAa?$AAl?$AAu?$AAe@NNGAKEGL@:
					; DATA XREF: PiDevCfgResolveVariable(x,x,x)+340o
		unicode	0, <Value>,0
??_C@_1O@LAFNABMH@?$AAT?$AAo?$AAk?$AAe?$AAn?$AAs@NNGAKEGL@:
					; DATA XREF: PiDevCfgResolveVariableExpression(x,x,x)+4Fo
		unicode	0, <Tokens>,0
; 

??_C@_1BK@DPGDNAK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAy?$AAG?$AAu?$AAi?$AAd@NNGAKEGL@:
					; DATA XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+15o
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+0], dh
		add	gs:[edx+0], dh
		jz	short $+2
		jns	short $+2
		inc	edi
		add	[ebp+0], dh
		imul	eax, [eax], 64h
; 
??_C@_1O@FDFOMCPN@?$AAF?$AAo?$AAr?$AAm?$AAa?$AAt@NNGAKEGL@:
					; DATA XREF: PiDevCfgResolveVariableFormatString(x,x,x)+21o
		unicode	0, <Format>,0
??_C@_1BA@GHOECOCL@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt@NNGAKEGL@ db 'D',0
					; DATA XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+12Co
					; NtSetDefaultLocale+BA86Co ...
aEfault:
		unicode	0, <efault>,0
; 

??_C@_1O@FAOGBCMN@?$AAS?$AAw?$AAi?$AAt?$AAc?$AAh@NNGAKEGL@:
					; DATA XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+1Fo
		push	ebx
		add	[edi+0], dh
		imul	eax, [eax], 630074h
; 
		dd 68h
; 

??_C@_1O@JDLOHAN@?$AAD?$AAe?$AAl?$AAe?$AAt?$AAe@NNGAKEGL@:
					; DATA XREF: PiDevCfgResolveVariableKeyCopy(x,x,x)+39o
		inc	esp
		add	[ebp+0], ah
		insb
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[eax], al
		add	[eax+eax+65h], al
					; DATA XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+E5o
		add	[esi+0], ah
		popa
		add	[ebp+0], dh
		insb
		add	[eax+eax+56h], dh
		add	[ecx+0], ah
		insb
		add	[ebp+0], dh
		add	gs:[eax], al
		add	[esi+0], dl	; DATA XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+41o
		popa
		add	[eax+eax+75h], ch
		add	[ebp+0], ah
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1BG@OPBALPIK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAy?$AAI?$AAd@NNGAKEGL@:
					; DATA XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+CBo
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+0], dh
		add	gs:[edx+0], dh
		jz	short $+2
		jns	short $+2
		dec	ecx
		add	[eax+eax+0], ah
		add	[eax+eax+52h], bl
					; DATA XREF: PnpProfileUpdateHardwareProfile(x)+3Fo
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ecx+0], cl
		inc	esp
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[si+0],	al
		inc	edx
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BO@KGPNNPCC@?$AAE?$AAj?$AAe?$AAc?$AAt?$AAa?$AAb?$AAl?$AAe?$AAD?$AAo?$AAc?$AAk?$AAs@NNGAKEGL@:
					; DATA XREF: PnpProfileUpdateHardwareProfile(x)+D5o
		inc	ebp
		add	[edx+0], ch
		add	gs:[ebx+0], ah
		jz	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	esp
		add	[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 73h
; 
		db 3 dup(0)
??_C@_1BA@LEPEEO@?$AAP?$AAh?$AAa?$AAn?$AAt?$AAo?$AAm@NNGAKEGL@:
					; DATA XREF: PiCMValidateDeviceInstance+1AAo
					; IopInitializeDeviceInstanceKey+18o ...
		unicode	0, <Phantom>,0
; 

; char ??_C
??_C@_0BI@PNOHNGJF@Beginning?5handle?5dump?3?6@NNGAKEGL@:
					; DATA XREF: PnpCollectOpenHandles(x,x,x)+18o
		inc	edx
		imul	ebp, gs:[bp+6Eh], 20676E69h
		push	6C646E61h
		and	gs:[ebp+esi*2+6Dh], ah
		jo	short near ptr loc_8BAB2B+5
		or	al, [eax]

; char ??_C
??_C@_0DK@KHKIOIMC@?5?5DeviceObject?3?$CFp?5ProcessID?3?$CFdT@NNGAKEGL@:
					; DATA XREF: PnpCollectOpenHandlesCallBack(x,x,x,x,x)+22o
		and	[eax], ah
		inc	esp
		db	65h
		jbe	short near ptr loc_8BAB66+1
		arpl	[ebp+4Fh], sp
		bound	ebp, [edx+65h]
		arpl	[edx+edi+25h], si
		jo	short near ptr loc_8BAB29+1
		push	eax
		jb	short near ptr ??_C@_1BI@EIJDOAKI@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAP?$AAn?$AAp@NNGAKEGL@+4
		arpl	[ebp+73h], sp
		jnb	short loc_8BAB5B
		inc	esp
		cmp	ah, ds:46205464h
		imul	ebp, [ebp+4Fh],	63656A62h
		jz	short loc_8BAB5D
		and	eax, 61482070h
		outsb

loc_8BAB29:				; CODE XREF: PAGE:008BAB08j
		db	64h
		insb

loc_8BAB2B:				; CODE XREF: PAGE:008BAAF4j
		cmp	ah, gs:0A5464h

; char ??_C
??_C@_0CJ@KOBJPJNL@Dump?5complete?5?9?5?$CFd?5total?5handle@NNGAKEGL@:
					; DATA XREF: PnpCollectOpenHandles(x,x,x)+66o
		inc	esp
		jnz	short near ptr ??_C@_1BK@NBLOFKLI@?$AA?2?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt?$AA?2@NNGAKEGL@+12h
		jo	short loc_8BAB57
		arpl	[edi+6Dh], bp
		jo	short near ptr ??_C@_1BK@NBLOFKLI@?$AA?2?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt?$AA?2@NNGAKEGL@+18h
		db	65h
		jz	short near ptr ??_C@_1BK@NBLOFKLI@?$AA?2?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt?$AA?2@NNGAKEGL@+14h
		and	ds:20642520h, ch
		jz	short near ptr loc_8BABB5+1
		jz	short ??_C@_1BA@DOOOBNCO@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAu@NNGAKEGL@
		insb
		and	[eax+61h], ch
		outsb
		db	64h
		insb
		db	65h
		jnb	short near ptr loc_8BAB72+1
		outsw
		jnz	short near ptr loc_8BABC3+2

loc_8BAB57:				; CODE XREF: PAGE:008BAB35j
		db	64h
		or	al, cs:[eax]

loc_8BAB5B:				; CODE XREF: PAGE:008BAB10j
		int	3		; Trap to Debugger

??_C@_1BM@MGIANELL@?$AAR?$AAe?$AAp?$AAl?$AAa?$AAc?$AAe?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PnprGetPluginDriverImagePath(x)+95o
		push	edx

loc_8BAB5D:				; CODE XREF: PAGE:008BAB21j
		add	[ebp+0], ah
		jo	short $+2
		insb
		add	[ecx+0], ah

loc_8BAB66:				; CODE XREF: PAGE:008BAAFBj
		arpl	[eax], ax
		add	gs:[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2

loc_8BAB72:				; CODE XREF: PAGE:008BAB50j
		add	gs:[edx+0], dh
; 
		dw 0
??_C@_1BI@EIJDOAKI@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAP?$AAn?$AAp@NNGAKEGL@:
					; CODE XREF: PAGE:008BAB0Bj
					; DATA XREF: PnprGetPluginDriverImagePath(x)+4Bo ...
		unicode	0, <Control\Pnp>,0
??_C@_1BK@NBLOFKLI@?$AA?2?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt?$AA?2@NNGAKEGL@:
					; DATA XREF: PnprGetPluginDriverImagePath(x):loc_9819BCo
		unicode	0, <\systemroot\>,0
; 

; wchar_t ??_C
??_C@_1BA@DOOOBNCO@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAu@NNGAKEGL@:
					; CODE XREF: PAGE:008BAB47j
					; DATA XREF: PiCMGenerateDeviceInstance(x,x,x,x)+14Do
		and	eax, 5C007300h
		add	ds:34003000h, ah

loc_8BABB5:				; CODE XREF: PAGE:008BAB45j
		add	[ebp+0], dh
; 
		db 2 dup(0)
; 

??_C@_1EK@JDAEMMIE@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAI?$AAD?$AAC?$AAo?$AAn?$AAf?$AAi@NNGAKEGL@:
					; DATA XREF: PiCMDeleteDeviceKey(x,x,x,x,x,x)+FFo
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh

loc_8BABC3:				; CODE XREF: PAGE:008BAB55j
		add	[edi+0], ch
		insb
		add	[eax+eax+49h], bl
		add	[eax+eax+43h], al
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 440067h
		inc	edx
		add	[eax+eax+48h], bl
		add	[ecx+0], ah
		jb	short $+2
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		jnb	short $+2
; 
		dw 0
; 

??_C@_17KCCDBGFJ@?$AAI?$AAs?$AAa@NNGAKEGL@: ; DATA XREF: .text:00404CC0o
		dec	ecx
		add	[ebx+0], dh
		popa
; 
		db 3 dup(0)
; 

??_C@_1BC@FBOHHDN@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAn?$AAa?$AAl@NNGAKEGL@:
					; DATA XREF: .text:off_404CBCo
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		outsb
		add	[ecx+0], ah
		insb
; 
		db 0
		db 2 dup(0)
; 

??_C@_1O@GFMAFCFP@?$AAP?$AAC?$AAI?$AAB?$AAu?$AAs@NNGAKEGL@:
		push	eax
		add	[ebx+0], al
		dec	ecx
		add	[edx+0], al
		jnz	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BK@ECAGBAMG@?$AAT?$AAu?$AAr?$AAb?$AAo?$AAC?$AAh?$AAa?$AAn?$AAn?$AAe?$AAl@NNGAKEGL@:
					; DATA XREF: .text:00404CCCo
		push	esp
		add	[ebp+0], dh
		jb	short $+2
		bound	eax, [eax]
		outsd
		add	[ebx+0], al
		push	6E006100h
		add	[esi+0], ch
		add	gs:[eax+eax+0],	ch

loc_8BAC45:				; DATA XREF: .text:00404CC8o
		add	[ebp+0], cl
		imul	eax, [eax], 720063h
		outsd
		add	[ebx+0], al
		push	6E006100h
		add	[esi+0], ch
		add	gs:[eax+eax+0],	ch

loc_8BAC5F:				; DATA XREF: .text:00404CC4o
		add	[ebp+0], al
		imul	eax, [eax], 610073h
; 
		db 2 dup(0)
; 

??_C@_19CACFHNLK@?$AAC?$AAB?$AAu?$AAs@NNGAKEGL@:
		inc	ebx
		add	[edx+0], al
		jnz	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BE@PKJMBDKF@?$AAP?$AAC?$AAM?$AAC?$AAI?$AAA?$AAB?$AAu?$AAs@NNGAKEGL@:
		push	eax
		add	[ebx+0], al
		dec	ebp
		add	[ebx+0], al
		dec	ecx
		add	[ecx+0], al
		inc	edx
		add	[ebp+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1M@EMFEFDC@?$AAN?$AAu?$AAB?$AAu?$AAs@NNGAKEGL@:
		dec	esi
		add	[ebp+0], dh
		inc	edx
		add	[ebp+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1O@GOAPCKHJ@?$AAV?$AAM?$AAE?$AAB?$AAu?$AAs@NNGAKEGL@:
		push	esi
		add	[ebp+0], cl
		inc	ebp
		add	[edx+0], al
		jnz	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CC@HCLOMPJO@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAn?$AAa?$AAl?$AAP?$AAo?$AAw?$AAe?$AAr?$AAB?$AAu@NNGAKEGL@:
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		outsb
		add	[ecx+0], ah
		insb
		add	[eax+0], dl
		outsd
		add	[edi+0], dh
		add	gs:[edx+0], dh
		inc	edx
		add	[ebp+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CE@OJGNDCFN@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AAI?$AAn?$AAt?$AAe?$AAr?$AAn@NNGAKEGL@:
		push	eax
		add	[edx+0], dh
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		outsd
		add	[edx+0], dh
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		outsb
		add	[ecx+0], ah
		insb
; 
		db 3 dup(0)
; 

??_C@_1BA@GADLHJGG@?$AAM?$AAP?$AAS?$AAA?$AAB?$AAu?$AAs@NNGAKEGL@:
		dec	ebp
		add	[eax+0], dl
		push	ebx
		add	[ecx+0], al
		inc	edx
		add	[ebp+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1O@MPAOCBGE@?$AAM?$AAP?$AAI?$AAB?$AAu?$AAs@NNGAKEGL@:
		dec	ebp
		add	[eax+0], dl
		dec	ecx
		add	[edx+0], al
		jnz	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BC@EIDCNHE@?$AAD?$AAE?$AAT?$AAE?$AAC?$AAT?$AAE?$AAD@NNGAKEGL@:
					; DATA XREF: IopCreateLegacyDeviceIds(x,x,x)+BBo
					; IopCreateLegacyDeviceIds(x,x,x)+EFo
		inc	esp
		add	[ebp+0], al
		push	esp
		add	[ebp+0], al
		inc	ebx
		add	[eax+eax+45h], dl
		add	[eax+eax+0], al
		add	[edi+0], cl
		jz	short $+2
		push	72006500h
; 
		db 3 dup(0)
; 

??_C@_1O@CANEPJJD@?$AAP?$AAN?$AAP?$AAB?$AAu?$AAs@NNGAKEGL@:
		push	eax
		add	[esi+0], cl
		push	eax
		add	[edx+0], al
		jnz	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BE@NCECHPIP@?$AAP?$AAN?$AAP?$AAI?$AAS?$AAA?$AAB?$AAu?$AAs@NNGAKEGL@:
		push	eax
		add	[esi+0], cl
		push	eax
		add	[ecx+0], cl
		push	ebx
		add	[ecx+0], al
		inc	edx
		add	[ebp+0], dh
		jnb	short $+2
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1BI@DECEDFF@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@:
					; DATA XREF: IopGetLegacyVetoListDrivers+10Bo
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		pop	esp
		add	ds:73007700h, ah
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BA@DCJJIJNE@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: IopGetLegacyVetoListDrivers+43o
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
; 
		db 2 dup(0)
; wchar_t ??_C
??_C@_1BA@CHNIAAL@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ dd offset loc_770025
					; DATA XREF: IopCreateLegacyDeviceIds(x,x,x)+F5o
					; PiDrvDbResolveNodeFilePaths(x,x)+D9o
		dw 73h
aWz_0:
		unicode	0, <\%wZ>,0
; wchar_t ??_C
??_C@_1BG@IIJBKLDM@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ dd offset loc_770025
					; DATA XREF: IopCreateLegacyDeviceIds(x,x,x)+C0o
		dw 73h
		dd offset loc_770025
aSWz:
		unicode	0, <s\%wZ>,0
??_C@_1BK@MCMDOHI@?$AAF?$AAo?$AAr?$AAc?$AAe?$AAd?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@:
					; DATA XREF: PnpReadDeviceConfiguration+25o
		unicode	0, <ForcedConfig>,0
??_C@_1CK@JHJFKBFG@?$AAO?$AAv?$AAe?$AAr?$AAr?$AAi?$AAd?$AAe?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAV@NNGAKEGL@ dd offset loc_76004F
					; DATA XREF: PnpGetDeviceResourcesFromRegistry+DFo
		dw 65h
aRrideconfigvec:
		unicode	0, <rrideConfigVector>,0
; 

??_C@_0EC@EPJBAAAK@?5?5?5?5for?5IRP_MN_QUERY_LEGACY_BUS@NNGAKEGL@:
					; DATA XREF: IopQueryLegacyBusInformation+89B81o
		and	[eax], ah
		and	[eax], ah
		outsw
		jb	short loc_8BAE00
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		dec	esp
		inc	ebp
		inc	edi
		inc	ecx
		inc	ebx
		pop	ecx
		pop	edi
		inc	edx
		push	ebp
		push	ebx
		pop	edi
		dec	ecx
		dec	esi
		inc	esi
		dec	edi
		push	edx
		dec	ebp
		inc	ecx
		push	esp

loc_8BAE00:				; CODE XREF: PAGE:008BADDEj
		dec	ecx
		dec	edi
		dec	esi
		sub	al, 20h
		popa
		outsb
		and	fs:[ecx+20h], ah
		dec	esi
		push	ebp
		dec	esp
		dec	esp
		and	[eax+4Fh], dl
		dec	ecx
		dec	esi
		push	esp
		inc	ebp
		push	edx
		or	al, cs:[eax]

??_C@_0EH@NFBHGJOA@?$CK?$CK?$CK?5IopQueryLegacyBusInformatio@NNGAKEGL@:
					; DATA XREF: IopQueryLegacyBusInformation+89B77o
		sub	ch, [edx]
		sub	ah, [eax]
		dec	ecx
		outsd
		jo	short loc_8BAE73
		jnz	short near ptr loc_8BAE87+2
		jb	short near ptr ??_C@_1BG@OFLIBHPP@?$AA?$EA?$AA?$CF?$AAs?$AA?0?$AA?$CD?$AA?$CF?$AAs?$AA?$DL?$AA?$CF?$AAs@NNGAKEGL@+7
		dec	esp
		db	65h, 67h
		popa
		arpl	[ecx+42h], di
		jnz	short near ptr ??_C@_1BG@OFLIBHPP@?$AA?$EA?$AA?$CF?$AAs?$AA?0?$AA?$CD?$AA?$CF?$AAs?$AA?$DL?$AA?$CF?$AAs@NNGAKEGL@+0Ah
		dec	ecx
		outsb
		outsw
		jb	short near ptr ??_C@_1BG@OFLIBHPP@?$AA?$EA?$AA?$CF?$AAs?$AA?0?$AA?$CD?$AA?$CF?$AAs?$AA?$DL?$AA?$CF?$AAs@NNGAKEGL@+0Ah
		popa
		jz	short near ptr ??_C@_1BG@OFLIBHPP@?$AA?$EA?$AA?$CF?$AAs?$AA?0?$AA?$CD?$AA?$CF?$AAs?$AA?$DL?$AA?$CF?$AAs@NNGAKEGL@+9
		outsd
		outsb
		and	ds:69724420h, ch
		jbe	short near ptr ??_C@_1BG@OFLIBHPP@?$AA?$EA?$AA?$CF?$AAs?$AA?0?$AA?$CD?$AA?$CF?$AAs?$AA?$DL?$AA?$CF?$AAs@NNGAKEGL@+0Fh
		jb	short near ptr loc_8BAE63+1
		and	eax, 72205A77h
		db	65h
		jz	short near ptr loc_8BAEBF+2
		jb	short near ptr loc_8BAEBB+1
		db	65h
		and	fs:[ebx+54h], dl
		inc	ecx
		push	esp
		push	ebp
		push	ebx
		pop	edi
		push	ebx
		push	ebp
		inc	ebx
		inc	ebx
		inc	ebp
		push	ebx
		push	ebx
		or	al, [eax]
		int	3		; Trap to Debugger

??_C@_1CK@GIAJHCOH@?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAe?$AAd?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAV@NNGAKEGL@:
					; DATA XREF: IopQueryDeviceResources+1F8o
		inc	esi

loc_8BAE63:				; CODE XREF: PAGE:008BAE42j
		add	[ecx+0], ch
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		add	gs:[eax+eax+43h], ah

loc_8BAE73:				; CODE XREF: PAGE:008BAE20j
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 560067h
		add	gs:[ebx+0], ah
		jz	short $+2
		outsd

loc_8BAE87:				; CODE XREF: PAGE:008BAE22j
		add	[edx+0], dh
; 
		dw 0
; wchar_t ??_C
??_C@_1M@FMABBLFH@?$AA?$DL?$AA?$CI?$AA?$CF?$AAs?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: PiNormalizeDeviceText+2DFo
		unicode	0, <;(%s)>,0
; wchar_t ??_C
??_C@_1BG@OFLIBHPP@?$AA?$EA?$AA?$CF?$AAs?$AA?0?$AA?$CD?$AA?$CF?$AAs?$AA?$DL?$AA?$CF?$AAs@NNGAKEGL@:
					; CODE XREF: PAGE:008BAE24j
					; PAGE:008BAE36j ...
		unicode	0, <@%s,#%s;%s>,0
; wchar_t ??_C
??_C@_1M@MNAMHDH@?$AA1?$AA3?$AA9?$AA4?$AA?2@NNGAKEGL@ db '1',0
					; DATA XREF: PiHotSwapGetDefaultBusRemovalPolicy+39o
a394:
		unicode	0, <394\>,0
; 

; wchar_t ??_C
??_C@_19FLKKDFNN@?$AAU?$AAS?$AAB?$AA?2@NNGAKEGL@:
					; DATA XREF: PiHotSwapGetDefaultBusRemovalPolicy+14o
		push	ebp

loc_8BAEBB:				; CODE XREF: PAGE:008BAE4Cj
		add	[ebx+0], dl
		inc	edx

loc_8BAEBF:				; CODE XREF: PAGE:008BAE49j
		add	[eax+eax+0], bl
		add	[eax+0], dl	; DATA XREF: PiHotSwapGetDefaultBusRemovalPolicy+8715Co
		inc	ebx
		add	[ebp+0], cl
		inc	ebx
		add	[ecx+0], cl
		inc	ecx
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_19KLPPDPHB@?$AAP?$AAC?$AAI?$AA?2@NNGAKEGL@:
					; DATA XREF: PiHotSwapGetDefaultBusRemovalPolicy+93o
		push	eax
		add	[ebx+0], al
		dec	ecx
		add	[eax+eax+0], bl
; 
		db 0
; wchar_t ??_C
??_C@_1BA@EOIJBEEM@?$AAP?$AAC?$AAM?$AAC?$AAI?$AAA?$AA?2@NNGAKEGL@:
					; DATA XREF: PiHotSwapGetDefaultBusRemovalPolicy+74o
		unicode	0, <PCMCIA\>,0
; 

; wchar_t ??_C
??_C@_1M@MIMPIDIL@?$AAS?$AAB?$AAP?$AA2?$AA?2@NNGAKEGL@:
					; DATA XREF: PiHotSwapGetDefaultBusRemovalPolicy+57o
		push	ebx
		add	[edx+0], al
		push	eax
		add	[edx], dh
		add	[eax+eax+0], bl
; 
		db 0
??_C@_1BG@EBHKFNFD@?$AAP?$AAn?$AAp?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PnpBuildCmResourceList+3BDo
		unicode	0, <PnpManager>,0
; 

??_C@_13HGPDMIBE@?$AA?$DP@NNGAKEGL@:	; DATA XREF: PiControlGetDeviceStack(x,x,x,x):loc_988C2Ao
					; PiControlGetDeviceStack(x,x,x,x):loc_988C3Eo	...
		aas
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_15DDHGOCBH@?$AA?4?$AA?4@NNGAKEGL@:
					; DATA XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+111o
		add	cs:[esi], ch
; 
		db 3 dup(0)
; 

; wchar_t ??_C
??_C@_13JOFGPIOO@?$AA?4@NNGAKEGL@:	; DATA XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+16Co
					; IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+100o
		add	cs:[eax], al
; 
		db 0
; 

; wchar_t ??_C
??_C@_1BA@DOCMHFOO@?$AA?$CF?$AAw?$AAs?$AA?$CG?$AA?$CF?$AAw?$AAs@NNGAKEGL@:
					; DATA XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+6B5o
		and	eax, 73007700h
		add	[esi], ah
		add	ds:73007700h, ah
; 
		db 3 dup(0)
??_C@_1BI@HJOCIGHC@?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAI?$AAd@NNGAKEGL@:
					; DATA XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+1F3o
		unicode	0, <ContainerId>,0
; 

; wchar_t ??_C
??_C@_1BM@DLCGNMPA@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs@NNGAKEGL@:
					; DATA XREF: PiDrvDbRegisterNodeCallback+9C6C8o
		and	eax, 73007700h
		add	[eax+eax+25h], bl
		add	[edi+0], dh
		jnb	short $+2
		and	eax, 73007700h
		add	ds:73007700h, ah
; 
		db 3 dup(0)
??_C@_1BM@PNGDECLI@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAo?$AAr?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: PiDrvDbEnumDriverStoreNodes+10o
					; PiDrvDbRegisterNodeCallback+9C6C3o ...
		unicode	0, <\DriverStores>,0
; 

??_C@_1CE@FCOONEBJ@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA3?$AA2?$AA?2?$AAc?$AAo?$AAn?$AAf?$AAi@NNGAKEGL@:
					; DATA XREF: PiDrvDbRegisterNode+9E221o
					; PiDrvDbRegisterNodeCallback+9C6B9o
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		pop	esp
		add	[ebx+0], ah
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[si+0],	bl
; 
		dw 0
; void ??_C
??_C@_1DK@NGNMMHOD@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@:
					; DATA XREF: PiDrvDbCreateNode+EFo
		unicode	0, <\SystemRoot\System32\config\>,0
; wchar_t ??_C
??_C@_1CG@GOLKLNMC@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@ db '\',0
					; DATA XREF: PiDrvDbCreateNode+95o
					; _RegRtlCreateTreeTransacted+117E5Co ...
aRegistryMach_1:
		unicode	0, <REGISTRY\MACHINE\>,0
; wchar_t ??_C
??_C@_1BA@FKNPIBNG@?$AA?$CF?$AAw?$AAZ?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@	dd offset loc_770025
					; DATA XREF: PiDrvDbRegisterNode+99o
aZWs:
		unicode	0, <Z\%ws>,0
??_C@_1BO@JJFLMBDN@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAa?$AAb?$AAa?$AAs?$AAe@NNGAKEGL@:
					; DATA XREF: PiDrvDbLoadNodeWorkerCallback+72o
					; PiDrvDbRegisterNode+8Eo ...
		unicode	0, <DriverDatabase>,0
; 

??_C@_1CG@PBFGLLJO@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS?$AAe?$AAt?$AA0?$AA0?$AA1?$AA?2?$AAE@NNGAKEGL@:
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+30h], dh
		add	[eax], dh
		add	[ecx], dh
		add	[eax+eax+45h], bl
		add	[esi+0], ch
		jnz	short $+2
		insd
; 
		db 3 dup(0)
; 

??_C@_1O@PMDCHDHI@?$AAS?$AAe?$AAl?$AAe?$AAc?$AAt@NNGAKEGL@:
					; DATA XREF: _SysCtxOpenControlSet+872FEo
					; _SysCtxOpenControlSet+87326o
		push	ebx
		add	[ebp+0], ah
		insb
		add	[ebp+0], ah
		arpl	[eax], ax
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BA@MPCNLPLA@?$AAD?$AAR?$AAI?$AAV?$AAE?$AAR?$AAS@NNGAKEGL@:
					; DATA XREF: PiDrvDbSetupNodeHive(x,x)+21Fo
		inc	esp
		add	[edx+0], dl
		dec	ecx
		add	[esi+0], dl
		inc	ebp
		add	[edx+0], dl
		push	ebx
; 
		db 0
		db 2 dup(0)
; 

??_C@_1JA@ONBDNKIN@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@:
					; DATA XREF: PiDrvDbOverlayNodeHive(x,x,x)+E8o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+65h], dh
		add	[ebx+0], dl
		add	gs:[eax+0], dh
		popa
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+eax+50h], bl
		add	[esi+0], ch
		push	eax
		add	[eax+eax+44h], bl
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		dec	eax
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edi+0], cl
		jbe	short $+2
		add	gs:[edx+0], dh
		insb
		add	[ecx+0], ah
		jns	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CO@IHJNBOPF@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS?$AAe?$AAt?$AA0?$AA0?$AA1?$AA?2?$AAS@NNGAKEGL@:
					; DATA XREF: PiDrvDbOverlayNodeHive(x,x,x)+8Bo
					; PiDrvDbOverlayNodeHive(x,x,x)+B1o ...
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+30h], dh
		add	[eax], dh
		add	[ecx], dh
		add	[eax+eax+53h], bl
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		dw 0
??_C@_1M@IEBOLHNI@?$AAW?$AAi?$AAn?$AAP?$AAE@NNGAKEGL@:
					; DATA XREF: PiDrvDbQuerySystemPathWin32(x,x)+295o
		unicode	0, <WinPE>,0
??_C@_1BM@OCDIALJA@?$AAI?$AAn?$AAs?$AAt?$AAR?$AAo?$AAo?$AAt?$AAD?$AAr?$AAi?$AAv?$AAe@NNGAKEGL@:
					; DATA XREF: PiDrvDbQuerySystemPathWin32(x,x)+278o
		unicode	0, <InstRootDrive>,0
??_C@_1BG@OJDKBFIC@?$AAC?$AA?3?$AA?2?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs@NNGAKEGL@:
					; DATA XREF: PiDrvDbQuerySystemPathWin32(x,x)+20Ao
		unicode	0, <C:\Windows>,0
; 

; wchar_t ??_C
??_C@_1BI@OMNCDEIM@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@:
					; DATA XREF: MiDriverLoadSucceeded+DBo
					; PiDrvDbResolveNodeFilePaths(x,x)+88o	...
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+0], dh
		add	[eax+eax+72h], al ; DATA XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+4Do
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
		add	[edx+0], ah
		popa
		add	[ebx+0], dh
		add	gs:[ebp+0], dl
		jo	short $+2
		add	fs:[ecx+0], ah
		jz	short $+2
		add	gs:[ebx+0], dh
; 
		db 2 dup(0)
; 

; void ??_C
??_C@_1GA@GJKBFJNO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+46o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
		add	[edx+0], ah
		popa
		add	[ebx+0], dh
		add	gs:[eax+eax+55h], bl
		add	[eax+0], dh
		add	fs:[ecx+0], ah
		jz	short $+2
		add	gs:[ebx+0], dh
; 
		db 2 dup(0)
; wchar_t ??_C
??_C@_1M@LBIBGIJG@?$AA?$CF?$AAu?$AA?0?$AA?$CF?$AAu@NNGAKEGL@ dd	offset loc_750024+1
					; DATA XREF: ExProcessorCounterSetCallback+FEo
					; ExProcessorCounterSetCallback+1F2o ...
		align 4
		dd offset loc_750024+1
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1BO@LEMCLNMN@?$AAU?$AAn?$AAk?$AAn?$AAo?$AAw?$AAn?$AA_?$AAM?$AAo?$AAd?$AAu?$AAl?$AAe@NNGAKEGL@ proc near
					; DATA XREF: KiTraceLogNmiCallback(x)+1Fo
		push	ebp
		add	[esi+0], ch
		imul	eax, [eax], 6Eh
		add	[edi+0], ch
		ja	short $+2
		outsb
??_C@_1BO@LEMCLNMN@?$AAU?$AAn?$AAk?$AAn?$AAo?$AAw?$AAn?$AA_?$AAM?$AAo?$AAd?$AAu?$AAl?$AAe@NNGAKEGL@ endp

		add	[edi+0], bl
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], dh
		insb
		add	[ebp+0], ah
; 
		dw 0
; wchar_t ??_C
??_C@_1O@NKAIMMPD@?$AA_?$AAT?$AAo?$AAt?$AAa?$AAl@NNGAKEGL@:
					; DATA XREF: ExProcessorCounterSetCallback:loc_76874Ao
					; KiSynchNumaCounterSetCallback(x,x,x):loc_98FEEEo
		unicode	0, <_Total>,0
; wchar_t ??_C
??_C@_1BE@KIJPPDLH@?$AA?$CF?$AAu?$AA?0?$AA_?$AAT?$AAo?$AAt?$AAa?$AAl@NNGAKEGL@ dd offset loc_750024+1
					; DATA XREF: ExProcessorCounterSetCallback+9C4o
					; KiSynchNumaCounterSetCallback(x,x,x)+183o
		align 10h
a_total:
		unicode	0, <_Total>,0
; 

??_C@_1CO@FHBOFCJN@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAP?$AAr?$AAo?$AAc?$AAe@NNGAKEGL@:
					; DATA XREF: KeRegisterProcessorChangeCallback+30o
		pop	esp
		add	[ebx+0], al
		popa
		add	[eax+eax+6Ch], ch
		add	[edx+0], ah
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 5Ch
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		outsd
		add	[edx+0], dh
		inc	ecx
		add	[eax+eax+64h], ah
; 
		db 3 dup(0)
; char ??_C[]
??_C@_0DD@IINLDOPB@KSE?3?5Query?5device?5?$FL?$CFws?0?5?$CFws?$FN?3?5f@NNGAKEGL@ db 'KSE: Query device [%ws, %ws]: found in cache %08x',0Ah,0
					; DATA XREF: KseQueryDeviceData+124o
					; KseQueryDeviceData+6B75Eo
		align 10h
??_C@_1IC@OOOCOOLB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: KseSetDeviceFlags(x,x,x,x)+92o
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\Compat>
		unicode	0, <ibility>,0
; 

??_C@_1JA@BMMOANL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: KsepDbQueryRegistryDeviceData+3Do
					; KseSetDeviceFlags(x,x,x,x)+71o ...
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], al
		outsd
		add	[ebp+0], ch
		jo	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edx+0], ah
		imul	eax, [eax], 69006Ch
		jz	short $+2
		jns	short $+2
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
; 
		db 2 dup(0)
; char ??_C[]
??_C@_0FE@PGGAJCKD@KSE?3?5Ending?5shim?5?$FL0x?$CF08X?$FN?5unreg@NNGAKEGL@ db 'KSE: Ending shim [0x%08X] unregistration. Shim object [0x%08X] re'
					; DATA XREF: KseUnregisterShim(x,x,x)+B7o
					; KseUnregisterShim(x,x,x)+CCo
		db 'f count is not 0.',0Ah,0
; char ??_C[]
??_C@_0CL@NFECGAAK@KSE?3?5Succeeded?5shim?5?$FL0x?$CF08X?$FN?5re@NNGAKEGL@ db 'KSE: Succeeded shim [0x%08X] registration',0Ah,0
					; DATA XREF: KseRegisterShimEx+12Fo
					; KseRegisterShimEx+8CC5Fo
		align 2

; char ??_C
??_C@_0CL@CABHPPDE@KSE?3?5Attempt?5to?5re?9register?5shi@NNGAKEGL@:
					; DATA XREF: KseRegisterShimEx+8CC16o
					; KseRegisterShimEx+8CC2Co
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		inc	ecx
		jz	short near ptr loc_8BB4CC+2
		db	65h
		insd
		jo	short near ptr loc_8BB4CC+6
		and	[edi+ebp*2+20h], dh
		jb	short near ptr loc_8BB4C8+1
		sub	eax, 69676572h
		jnb	short loc_8BB4DF
		db	65h
		jb	short loc_8BB48E
		jnb	short near ptr loc_8BB4D7+1
		imul	ebp, [ebp+20h],	2578305Bh
		xor	[eax], bh
		pop	eax
		pop	ebp
		or	al, [eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0CB@FKCCKKCN@KSE?3?5Shim?5?$FL0x?$CF08X?$FN?5is?5not?5valid@NNGAKEGL@:
					; DATA XREF: KseRegisterShimEx+8CB82o
					; KseRegisterShimEx+8CB95o
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		push	ebx
		push	5B206D69h
		xor	[eax+25h], bh
		xor	[eax], bh

loc_8BB48E:				; CODE XREF: PAGE:008BB46Bj
		pop	eax
		pop	ebp
		and	[ecx+73h], ch
		and	[esi+6Fh], ch
		jz	short loc_8BB4B8
		jbe	short loc_8BB4FB
		insb
; 
		db 69h
; 
		or	al, fs:[eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0DL@CKPAJMKP@KSE?3?5Failed?5shim?5?$FL0x?$CF08X?$FN?5unreg@NNGAKEGL@:
					; DATA XREF: KseUnregisterShim(x,x,x)+1A0o
					; KseUnregisterShim(x,x,x)+1B4o
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		inc	esi
		popa
		imul	ebp, [ebp+64h],	69687320h
		insd
		and	[ebx+30h], bl
		js	short near ptr loc_8BB4D7+3
		xor	[eax], bh
		pop	eax

loc_8BB4B8:				; CODE XREF: PAGE:008BB496j
		pop	ebp
		and	[ebp+6Eh], dh
		jb	short near ptr loc_8BB520+3
		imul	esi, [bp+di+74h], 69746172h
		outsd
		outsb

loc_8BB4C8:				; CODE XREF: PAGE:008BB462j
		and	cs:[ebx+68h], dl

loc_8BB4CC:				; CODE XREF: PAGE:008BB458j
					; PAGE:008BB45Cj
		imul	ebp, [ebp+20h],	20746F6Eh
		outsw
		jnz	short loc_8BB545

loc_8BB4D7:				; CODE XREF: PAGE:008BB46Ej
					; PAGE:008BB4B3j
		db	64h
		or	al, cs:[eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0CO@KLNFPNOL@KSE?3?5Succeeded?5shim?5?$FL0x?$CF08X?$FN?5un@NNGAKEGL@:
					; DATA XREF: KseUnregisterShim(x,x,x)+138o
					; KseUnregisterShim(x,x,x)+14Co
		dec	ebx
		push	ebx
		inc	ebp

loc_8BB4DF:				; CODE XREF: PAGE:008BB469j
		cmp	ah, [eax]
		push	ebx
		jnz	short near ptr loc_8BB545+2
		arpl	[ebp+65h], sp
		db	64h, 65h
		and	fs:[ebx+68h], dh
		imul	ebp, [ebp+20h],	2578305Bh
		xor	[eax], bh
		pop	eax
		pop	ebp
		and	[ebp+6Eh], dh

loc_8BB4FB:				; CODE XREF: PAGE:008BB498j
		jb	short loc_8BB562
		imul	esi, [bp+di+74h], 69746172h
		outsd
		outsb
		or	al, cs:[eax]

; char ??_C
??_C@_0DB@EDPECHCA@KSE?3?5Cannot?5resolve?5registry?5sh@NNGAKEGL@:
					; DATA XREF: KsepEngineGetShimsFromRegistry+AF520o
					; KsepEngineGetShimsFromRegistry+AF530o
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		inc	ebx
		popa
		outsb
		outsb
		outsd
		jz	short loc_8BB536
		jb	short near ptr loc_8BB57C+1
		jnb	short loc_8BB589
		insb
		jbe	short near ptr loc_8BB57C+6
		and	[edx+65h], dh

loc_8BB520:				; CODE XREF: PAGE:008BB4BCj
		imul	esi, [bp+di+74h], 73207972h
		push	20736D69h
		jz	short loc_8BB59E
		and	[ebx+64h], dl
		bound	edi, [edx]
		and	[eax], dh

loc_8BB536:				; CODE XREF: PAGE:008BB514j
		js	short near ptr loc_8BB55C+1
		js	short loc_8BB544
		add	ah, cl

; char ??_C
??_C@_0CD@NGLBONJA@KSE?3?5Applied?5?$CFd?5shim?$CIs?$CJ?5to?5?$FL?$CFws@NNGAKEGL@:
					; DATA XREF: KseDriverLoadImage(x)+16Eo
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		inc	ecx
		jo	short loc_8BB5B4

loc_8BB544:				; CODE XREF: PAGE:008BB538j
		insb

loc_8BB545:				; CODE XREF: PAGE:008BB4D5j
					; PAGE:008BB4E2j
		imul	esp, [ebp+64h],	20642520h
		jnb	short loc_8BB5B6
		imul	ebp, [ebp+28h],	74202973h
		outsd
		and	[ebx+25h], bl
		ja	short loc_8BB5CE
		pop	ebp

loc_8BB55C:				; CODE XREF: PAGE:loc_8BB536j
		or	al, cs:[eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0CJ@NHCFFINH@KSE?3?5driver?5blocked?5from?5loadin@NNGAKEGL@:
					; DATA XREF: KseDriverLoadImage(x)+116o
		dec	ebx
		push	ebx

loc_8BB562:				; CODE XREF: PAGE:loc_8BB4FBj
		inc	ebp
		cmp	ah, [eax]
		db	64h
		jb	short near ptr loc_8BB5CE+3
		jbe	short near ptr loc_8BB5CE+1
		jb	short loc_8BB58C
		bound	ebp, [edi+ebp*2+63h]
		imul	esp, [ebp+64h],	20h
		db	66h
		jb	short near ptr loc_8BB5E3+3
		insd
		and	[edi+ebp*2+61h], ch

loc_8BB57C:				; CODE XREF: PAGE:008BB516j
					; PAGE:008BB51Bj
		imul	ebp, fs:[esi+67h], 77255B20h
		jnb	short loc_8BB5E3
		or	al, cs:[eax]

loc_8BB589:				; CODE XREF: PAGE:008BB518j
		int	3		; Trap to Debugger

; char ??_C
??_C@_0DO@FIPHHPDP@KSE?3?5Failed?5to?5resolve?5hooks?5fo@NNGAKEGL@:
					; DATA XREF: KsepResolveApplicableShimsForDriver(x,x)+408o
					; KsepResolveApplicableShimsForDriver(x,x)+41Fo
		dec	ebx
		push	ebx

loc_8BB58C:				; CODE XREF: PAGE:008BB56Aj
		inc	ebp
		cmp	ah, [eax]
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr loc_8BB5FF+1
		jnb	short near ptr loc_8BB609+3
		insb

loc_8BB59E:				; CODE XREF: PAGE:008BB52Dj
		jbe	short loc_8BB605
		and	[eax+6Fh], ch
		outsd
		imul	esi, [ebx+20h],	66h
		outsd
		jb	short loc_8BB5CB
		jnb	short near ptr loc_8BB614+1
		imul	ebp, [ebp+20h],	2578305Bh

loc_8BB5B4:				; CODE XREF: PAGE:008BB542j
		xor	[eax], bh

loc_8BB5B6:				; CODE XREF: PAGE:008BB54Cj
		pop	eax
		pop	ebp
		and	cs:[ebx+74h], dl
		popa
		jz	short loc_8BB634
		jnb	short near ptr loc_8BB5DA+7
		xor	[eax+25h], bh
		js	short loc_8BB5F4
		or	al, [eax]

; char ??_C
??_C@_0DK@JPBPOEHM@KSE?3?5The?5provider?5did?5not?5regis@NNGAKEGL@:
					; DATA XREF: KsepResolveApplicableShimsForDriver(x,x)+268o
					; KsepResolveApplicableShimsForDriver(x,x)+27Do
		dec	ebx
		push	ebx
		inc	ebp

loc_8BB5CB:				; CODE XREF: PAGE:008BB5A9j
		cmp	ah, [eax]
		push	esp

loc_8BB5CE:				; CODE XREF: PAGE:008BB559j
					; PAGE:008BB568j ...
		push	72702065h
		outsd
		jbe	short loc_8BB63F
		db	64h, 65h
		jb	short near ptr loc_8BB5F8+2

loc_8BB5DA:				; CODE XREF: PAGE:008BB5BFj
		imul	esp, fs:[eax+6Eh], 7220746Fh

loc_8BB5E3:				; CODE XREF: PAGE:008BB584j
					; PAGE:008BB574j
		imul	esi, gs:[bp+di+74h], 73207265h
		push	5B206D69h
		xor	[eax+25h], bh

loc_8BB5F4:				; CODE XREF: PAGE:008BB5C4j
		xor	[eax], bh
		pop	eax
		pop	ebp

loc_8BB5F8:				; CODE XREF: PAGE:008BB5D6j
		and	[ecx+6Eh], ch
		and	[ecx+ebp*2+6Dh], dh

loc_8BB5FF:				; CODE XREF: PAGE:008BB599j
		or	al, gs:[eax]

; char ??_C
??_C@_0DO@GGEELECN@KSE?3?5Failed?5to?5load?5provider?5fo@NNGAKEGL@:
					; DATA XREF: KsepResolveApplicableShimsForDriver(x,x)+1CCo
					; KsepResolveApplicableShimsForDriver(x,x)+1E3o
		dec	ebx
		push	ebx
		inc	ebp

loc_8BB605:				; CODE XREF: PAGE:loc_8BB59Ej
		cmp	ah, [eax]
		inc	esi
		popa

loc_8BB609:				; CODE XREF: PAGE:008BB59Bj
		imul	ebp, [ebp+64h],	206F7420h
		insb
		outsd
		popa

loc_8BB614:				; CODE XREF: PAGE:008BB5ABj
		and	fs:[eax+72h], dh
		outsd
		jbe	short near ptr loc_8BB682+2
		db	64h, 65h
		jb	short loc_8BB63F
		outsw
		jb	short loc_8BB643
		jnb	short near ptr loc_8BB68A+3
		imul	ebp, [ebp+20h],	2578305Bh
		xor	[eax], bh
		pop	eax
		pop	ebp
		and	cs:[ebx+74h], dl

loc_8BB634:				; CODE XREF: PAGE:008BB5BDj
		popa
		jz	short loc_8BB6AC
		jnb	short near ptr loc_8BB66D+6
		and	[eax], dh
		js	short loc_8BB662
		js	short loc_8BB649

loc_8BB63F:				; CODE XREF: PAGE:008BB5D4j
					; PAGE:008BB61Bj
					; DATA XREF: ...
		add	[ebx+53h], cl
		inc	ebp

loc_8BB643:				; CODE XREF: PAGE:008BB621j
		cmp	ah, [eax]
		outs	dx, dword ptr [si]
		jz	short loc_8BB669

loc_8BB649:				; CODE XREF: PAGE:008BB63Dj
		jnb	short near ptr loc_8BB6B2+1
		imul	ebp, [ebp+28h],	66202973h
		outsd
		jb	short loc_8BB675
		db	64h
		jb	short near ptr loc_8BB6C0+1
		jbe	short loc_8BB6BF
		jb	short loc_8BB67C
		pop	ebx
		and	eax, 0A5D7377h

loc_8BB662:				; CODE XREF: PAGE:008BB63Bj
		add	ah, cl

; char ??_C
??_C@_0CM@GMLHMFCH@KSE?3?5Applied?5shim?5?$FL0x?$CF08X?$FN?5to?5d@NNGAKEGL@:
					; DATA XREF: KsepApplyShimsToDriver(x,x,x,x)+E3o
					; KsepApplyShimsToDriver(x,x,x,x)+FFo
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]

loc_8BB669:				; CODE XREF: PAGE:008BB647j
		inc	ecx
		jo	short near ptr loc_8BB6DA+2
		insb

loc_8BB66D:				; CODE XREF: PAGE:008BB637j
		imul	esp, [ebp+64h],	69687320h
		insd

loc_8BB675:				; CODE XREF: PAGE:008BB653j
		and	[ebx+30h], bl
		js	short loc_8BB69F
		xor	[eax], bh

loc_8BB67C:				; CODE XREF: PAGE:008BB65Aj
		pop	eax
		pop	ebp
		and	[edi+ebp*2+20h], dh

loc_8BB682:				; CODE XREF: PAGE:008BB619j
		db	64h
		jb	short near ptr loc_8BB6ED+1
		jbe	short near ptr loc_8BB6EB+1
		jb	short near ptr loc_8BB6A8+1
		pop	ebx

loc_8BB68A:				; CODE XREF: PAGE:008BB623j
		and	eax, 0A5D7377h
; 
		db 0
; 

; char ??_C
??_C@_0CJ@EMNNCJLL@KSE?3?5Failed?5to?5patch?5driver?5?$FL?$CFw@NNGAKEGL@:
					; DATA XREF: KsepApplyShimsToDriver(x,x,x,x)+216o
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h

loc_8BB69F:				; CODE XREF: PAGE:008BB678j
		jo	short near ptr loc_8BB700+2
		jz	short near ptr loc_8BB700+6
		push	69726420h

loc_8BB6A8:				; CODE XREF: PAGE:008BB687j
		jbe	short near ptr loc_8BB70E+1
		jb	short near ptr loc_8BB6CA+2

loc_8BB6AC:				; CODE XREF: PAGE:008BB635j
		pop	ebx
		and	eax, 3A5D7377h

loc_8BB6B2:				; CODE XREF: PAGE:loc_8BB649j
		and	[eax], dh
		js	short near ptr loc_8BB6DA+1
		js	short loc_8BB6C2
		add	ah, cl

; char ??_C
??_C@_0CG@GICNOBIL@KSE?3?5Driver?5blocked?5with?5?$FL?$CFws?$FN?3@NNGAKEGL@:
					; DATA XREF: KsepApplyShimsToDriver(x,x,x,x)+1B8o
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]

loc_8BB6BF:				; CODE XREF: PAGE:008BB658j
		inc	esp

loc_8BB6C0:				; CODE XREF: PAGE:008BB655j
		jb	short near ptr loc_8BB729+2

loc_8BB6C2:				; CODE XREF: PAGE:008BB6B6j
		jbe	short loc_8BB729
		jb	short loc_8BB6E6
		bound	ebp, [edi+ebp*2+63h]

loc_8BB6CA:				; CODE XREF: PAGE:008BB6AAj
		imul	esp, [ebp+64h],	20h
		ja	short loc_8BB739
		jz	short loc_8BB73A
		and	[ebx+25h], bl
		ja	short loc_8BB74A
		pop	ebp
		cmp	ah, [eax]

loc_8BB6DA:				; CODE XREF: PAGE:008BB6B4j
					; PAGE:008BB66Aj
		xor	[eax+25h], bh
		js	short near ptr loc_8BB6E8+1
		add	[ebx+53h], cl	; DATA XREF: KsepResolveApplicableShimsForDriver(x,x)+344o
		inc	ebp
		cmp	ah, [eax]
		push	ebx

loc_8BB6E6:				; CODE XREF: PAGE:008BB6C4j
		jnz	short loc_8BB74B

loc_8BB6E8:				; CODE XREF: PAGE:008BB6DDj
		arpl	[ebp+73h], sp

loc_8BB6EB:				; CODE XREF: PAGE:008BB685j
		jnb	short loc_8BB753

loc_8BB6ED:				; CODE XREF: PAGE:loc_8BB682j
		jnz	short near ptr loc_8BB75A+1
		insb
		jns	short near ptr loc_8BB710+2
		jb	short near ptr loc_8BB758+1
		jnb	short loc_8BB765
		insb
		jbe	short near ptr loc_8BB75D+1
		and	fs:68732064h, ah

loc_8BB700:				; CODE XREF: PAGE:loc_8BB69Fj
					; PAGE:008BB6A1j
		imul	ebp, [ebp+28h],	0A2E2973h
		add	[ebx+75h], al	; DATA XREF: KsepGetShimCallbacksForDriver+B07BEo
		jb	short near ptr loc_8BB77D+1
		outs	dx, byte ptr gs:[esi]

loc_8BB70E:				; CODE XREF: PAGE:loc_8BB6A8j
		jz	short near ptr loc_8BB762+1

loc_8BB710:				; CODE XREF: PAGE:008BB6F0j
		push	21206D69h
		cmp	eax, 4C554E20h
		dec	esp
		add	[ecx+6Fh], cl	; DATA XREF: KsepGetShimCallbacksForDriver+B073Bo
		inc	ebx
		popa
		insb
		insb
		bound	esp, [ecx+63h]
		imul	esi, [ebx+20h],	21h

loc_8BB729:				; CODE XREF: PAGE:loc_8BB6C2j
					; PAGE:loc_8BB6C0j
		cmp	eax, 4C554E20h
		dec	esp
; 
		db 0
; 

??_C@_0CB@IMKMNFAK@minkernel?2ntos?2kshim?2kseloader?4@NNGAKEGL@:
					; DATA XREF: KsepGetShimCallbacksForDriver+B0736o
					; KsepGetShimCallbacksForDriver+B07B9o	...
		insd
		imul	ebp, [esi+6Bh],	656E7265h
		insb

loc_8BB739:				; CODE XREF: PAGE:008BB6CEj
		pop	esp

loc_8BB73A:				; CODE XREF: PAGE:008BB6D0j
		outsb
		jz	short loc_8BB7AC
		jnb	short loc_8BB79B
		imul	esi, [ebx+68h],	69h
		insd
		pop	esp
		imul	esi, [ebx+65h],	6Ch
		outsd

loc_8BB74A:				; CODE XREF: PAGE:008BB6D5j
		popa

loc_8BB74B:				; CODE XREF: PAGE:loc_8BB6E6j
		db	64h, 65h
		jb	short loc_8BB77D
		arpl	[eax], ax
		int	3		; Trap to Debugger

; char ??_C
??_C@_0DB@MOKEJO@KSE?3?5Successfully?5applied?5shims@NNGAKEGL@:
					; DATA XREF: KsepApplyShimsToDriver(x,x,x,x)+15Ao
		dec	ebx

loc_8BB753:				; CODE XREF: PAGE:loc_8BB6EBj
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		push	ebx

loc_8BB758:				; CODE XREF: PAGE:008BB6F2j
		jnz	short near ptr loc_8BB7BC+1

loc_8BB75A:				; CODE XREF: PAGE:loc_8BB6EDj
		arpl	[ebp+73h], sp

loc_8BB75D:				; CODE XREF: PAGE:008BB6F7j
		jnb	short near ptr loc_8BB7C3+2
		jnz	short near ptr loc_8BB7CB+2
		insb

loc_8BB762:				; CODE XREF: PAGE:loc_8BB70Ej
		jns	short ??_C@_0CB@KONNGALH@KSE?3?5GetShimCallbacks?5succeeded@NNGAKEGL@
		popa

loc_8BB765:				; CODE XREF: PAGE:008BB6F4j
		jo	short loc_8BB7D7
		insb
		imul	esp, [ebp+64h],	69687320h
		insd
		jnb	short loc_8BB792
		jz	short near ptr loc_8BB7DD+6
		and	[edx+esi*2+69h], ah
		jbe	short near ptr loc_8BB7DD+2
		jb	short near ptr loc_8BB79B+1
		pop	ebx

loc_8BB77D:				; CODE XREF: PAGE:loc_8BB74Bj
					; PAGE:008BB70Aj
		and	eax, 0A5D7377h
		add	ah, cl

; char ??_C
??_C@_0CB@KONNGALH@KSE?3?5GetShimCallbacks?5succeeded@NNGAKEGL@:
					; CODE XREF: PAGE:loc_8BB762j
					; DATA XREF: KsepGetShimCallbacksForDriver+B0A64o
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		inc	edi
		db	65h
		jz	short near ptr loc_8BB7DD+3
		push	61436D69h

loc_8BB792:				; CODE XREF: PAGE:008BB770j
		insb
		insb
		bound	esp, [ecx+63h]
		imul	esi, [ebx+20h],	73h

loc_8BB79B:				; CODE XREF: PAGE:008BB73Dj
					; PAGE:008BB77Aj
		jnz	short loc_8BB800
		arpl	[ebp+65h], sp
		db	64h, 65h
		or	al, fs:[eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0CM@PNBGCPNA@KSE?3?5Invalid?5callback?5code?5enco@NNGAKEGL@:
					; DATA XREF: KsepGetShimCallbacksForDriver+B08B1o
					; KsepGetShimCallbacksForDriver+B08C3o
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		dec	ecx

loc_8BB7AC:				; CODE XREF: PAGE:008BB73Bj
		outsb
		jbe	short loc_8BB810
		insb
		imul	esp, [eax+63h],	626C6C61h
		popa
		arpl	[ebx+20h], bp

loc_8BB7BC:				; CODE XREF: PAGE:loc_8BB758j
		arpl	[edi+64h], bp
		and	gs:[ebp+6Eh], ah

loc_8BB7C3:				; CODE XREF: PAGE:loc_8BB75Dj
		arpl	[edi+75h], bp
		outsb
		jz	short loc_8BB82E
		jb	short near ptr loc_8BB82E+2

loc_8BB7CB:				; CODE XREF: PAGE:008BB75Fj
		cmp	ah, fs:[eax]
		and	eax, 4B000A75h	; DATA XREF: KsepGetShimCallbacksForDriver+B09B1o
					; KsepGetShimCallbacksForDriver:loc_8FCC45o
		push	ebx
		inc	ebp
		cmp	ah, [eax]

loc_8BB7D7:				; CODE XREF: PAGE:loc_8BB765j
		push	esp
		ja	short near ptr loc_8BB847+2
		and	[ebx+68h], dh

loc_8BB7DD:				; CODE XREF: PAGE:008BB778j
					; PAGE:008BB78Aj ...
		imul	ebp, [ebp+73h],	65726120h
		and	[eax+6Fh], ch
		outsd
		imul	ebp, [ecx+6Eh],	67h
		and	[ebx+61h], dh
		insd
		and	gs:[ebx+61h], ah
		insb
		insb
		bound	esp, [ecx+63h]
		imul	esp, [ecx], 20h
		or	al, [eax]

; char ??_C
??_C@_0DD@NHMKKKIL@KSE?3?5Shimmed?5driver?5unload?5noti@NNGAKEGL@:
					; DATA XREF: KseDriverUnloadImage+AF4B3o
		dec	ebx
		push	ebx

loc_8BB800:				; CODE XREF: PAGE:loc_8BB79Bj
		inc	ebp
		cmp	ah, [eax]
		push	ebx
		push	656D6D69h
		and	fs:[edx+esi*2+69h], ah
		jbe	short near ptr loc_8BB870+5

loc_8BB810:				; CODE XREF: PAGE:008BB7ADj
		jb	short ??_C@_0FA@OMDCIEJP@KSE?3?5Cleaned?5up?5dangling?5shim?5o@NNGAKEGL@
		jnz	short ??_C@_0BN@OACNHOHA@RegisteredShim?9?$DORefCount?5?$DO?50@NNGAKEGL@
		insb
		outsd
		popa
		and	fs:[esi+6Fh], ch
		jz	short near ptr loc_8BB883+3
		imul	sp, [ebx+61h], 6974h
		outsd
		outsb
		and	[eax+72h], dh
		outsd
		arpl	[ebp+73h], sp
		jnb	short loc_8BB893

loc_8BB82E:				; CODE XREF: PAGE:008BB7C7j
					; PAGE:008BB7C9j
		or	al, fs:[eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0FA@OMDCIEJP@KSE?3?5Cleaned?5up?5dangling?5shim?5o@NNGAKEGL@:
					; CODE XREF: PAGE:loc_8BB810j
					; DATA XREF: KseDriverUnloadImage+AF45Eo ...
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		inc	ebx
		insb
		db	65h
		popa
		outsb
		db	65h
		and	fs:[ebp+70h], dh
		and	[ecx+6Eh], ah
		ins	byte ptr es:[di], dx

loc_8BB847:				; CODE XREF: PAGE:008BB7D8j
		imul	ebp, [esi+67h],	69687320h
		insd
		and	[edi+62h], ch
		push	65h
		arpl	[eax+5Bh], si
		xor	[eax+25h], bh
		xor	[eax], bh
		pop	eax
		pop	ebp
		and	[eax], ch
		jnz	short near ptr ??_C@_0EA@FDFKMGIG@KSE?3?5Callback?5shimming?5?9?5missin@NNGAKEGL@+7
		jb	short near ptr ??_C@_0EA@FDFKMGIG@KSE?3?5Callback?5shimming?5?9?5missin@NNGAKEGL@ ; "KSE: Callback shimming - missing driver"...
		imul	esi, [bp+di+74h], 64657265h
		and	[edi+68h], dh

loc_8BB870:				; CODE XREF: PAGE:008BB80Ej
		imul	ebp, [ebp+20h],	63666572h
		outsd
		jnz	short near ptr ??_C@_0EA@FDFKMGIG@KSE?3?5Callback?5shimming?5?9?5missin@NNGAKEGL@+1Fh
		jz	short near ptr loc_8BB89B+2
		db	3Eh
		xor	[ecx], ch
		or	al, [eax]

??_C@_0BN@OACNHOHA@RegisteredShim?9?$DORefCount?5?$DO?50@NNGAKEGL@:
					; CODE XREF: PAGE:008BB812j
					; DATA XREF: KseDriverUnloadImage+AF355o
		push	edx

loc_8BB883:				; CODE XREF: PAGE:008BB81Bj
		imul	esi, gs:[bp+di+74h], 64657265h
		push	ebx
		push	3E2D6D69h
		push	edx

loc_8BB893:				; CODE XREF: PAGE:008BB82Cj
		db	65h
		inc	bx
		outsd
		jnz	short near ptr ??_C@_0EA@FDFKMGIG@KSE?3?5Callback?5shimming?5?9?5missin@NNGAKEGL@+3Dh
		jz	short near ptr loc_8BB8BA+1

loc_8BB89B:				; CODE XREF: PAGE:008BB87Bj
		db	3Eh
		and	[eax], dh
		add	ah, cl

; char ??_C
??_C@_0CJ@IOKAEDJA@KSE?3?5Hooked?5callbacks?5for?5drive@NNGAKEGL@:
					; DATA XREF: KseShimDriverIoCallbacks+B0790o
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		dec	eax
		outsd
		outsd
		imul	esp, [ebp+64h],	20h
		arpl	[ecx+6Ch], sp
		insb
		bound	esp, [ecx+63h]
		imul	esi, [ebx+20h],	66h
		outsd
		jb	short near ptr ??_C@_0EA@FDFKMGIG@KSE?3?5Callback?5shimming?5?9?5missin@NNGAKEGL@+10h

loc_8BB8BA:				; CODE XREF: PAGE:008BB899j
		db	64h
		jb	short near ptr loc_8BB925+1
		jbe	short near ptr loc_8BB922+2
		jb	short near ptr ??_C@_0EA@FDFKMGIG@KSE?3?5Callback?5shimming?5?9?5missin@NNGAKEGL@+17h
		pop	ebx
		and	eax, 2E5D7377h
		or	al, [eax]
		int	3		; Trap to Debugger
; 
??_C@_0EA@FDFKMGIG@KSE?3?5Callback?5shimming?5?9?5missin@NNGAKEGL@ db 'KSE: Callback shimming - missing driver object or driver name.',0Ah,0
					; CODE XREF: PAGE:008BB863j
					; PAGE:008BB861j
					; DATA XREF: ...
; 

; char ??_C
??_C@_0ED@FLFLFABM@KSE?3?5Cannot?5add?5hardware?5id?5unt@NNGAKEGL@:
					; DATA XREF: KseAddHardwareId+6C541o
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		inc	ebx
		popa
		outsb
		outsb
		outsd
		jz	short near ptr loc_8BB932+4
		popa
		db	64h
		and	fs:[eax+61h], ch
		jb	short loc_8BB982
		ja	short loc_8BB981
		jb	short loc_8BB987

loc_8BB922:				; CODE XREF: PAGE:008BB8BDj
		and	[ecx+64h], ch

loc_8BB925:				; CODE XREF: PAGE:loc_8BB8BAj
		and	[ebp+6Eh], dh
		jz	short loc_8BB993
		insb
		and	[eax+ebp*2+65h], dh
		and	[ebx+73h], ch

loc_8BB932:				; CODE XREF: PAGE:008BB914j
		push	65206D69h
		outsb
		imul	ebp, [bp+65h], 20736920h
		imul	ebp, [esi+69h],	6C616974h
		imul	edi, [edx+65h],	0CC000A64h

; char ??_C
??_C@_0DC@IMHFKBEN@KSE?3?5SdbInitDatabaseInMemory?5fa@NNGAKEGL@:
					; CODE XREF: _CmGetMatchingDeviceInterfaceList+83898p
					; DATA XREF: KsepSdbBootInitialize+8397Co
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		push	ebx
		bound	ecx, fs:[ecx+6Eh]
		imul	esi, [esp+eax*2+61h], 61626174h
		jnb	short loc_8BB9C7
		dec	ecx
		outsb
		dec	ebp
		db	65h
		insd
		outsd
		jb	short near ptr loc_8BB9E0+3
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	72756420h
		imul	ebp, [esi+67h],	6F6F6220h
		jz	short near ptr loc_8BB99E+1
		or	al, [eax]

; char ??_C
??_C@_0DP@NPGLAOMH@KSE?3?5Failed?5to?5allocate?5memory?5@NNGAKEGL@:
					; DATA XREF: KsepSdbBootInitialize+83922o
		dec	ebx

loc_8BB981:				; CODE XREF: PAGE:008BB91Ej
		push	ebx

loc_8BB982:				; CODE XREF: PAGE:008BB91Cj
		inc	ebp
		cmp	ah, [eax]
		inc	esi
		popa

loc_8BB987:				; CODE XREF: PAGE:008BB920j
		imul	ebp, [ebp+64h],	206F7420h
		popa
		insb
		insb
		outsd

loc_8BB993:				; CODE XREF: PAGE:008BB928j
		arpl	[ecx+74h], sp
		and	gs:[ebp+65h], ch
		insd
		outsd
		jb	short near ptr ??_C@_0CJ@EBFFHOCD@KSE?3?5ZwOpenFile?5failed?5opening?5@NNGAKEGL@+0Dh

loc_8BB99E:				; CODE XREF: PAGE:008BB97Cj
		and	[esi+6Fh], ah
		jb	short loc_8BB9C3
		jnb	short near ptr ??_C@_0CJ@EBFFHOCD@KSE?3?5ZwOpenFile?5failed?5opening?5@NNGAKEGL@+3
		imul	ebp, [ebp+20h],	61746164h
		bound	esp, [ecx+73h]
		and	gs:[ebp+esi*2+72h], ah
		imul	ebp, [esi+67h],	6F6F6220h
		jz	short near ptr loc_8BB9DA+4
		or	al, [eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0CM@LMJONFN@KSE?3?5Failed?5to?5delete?5patch?5shi@NNGAKEGL@:
					; DATA XREF: KsepDeletePatchSdb()+59o
		dec	ebx
		push	ebx
		inc	ebp

loc_8BB9C3:				; CODE XREF: PAGE:008BB9A1j
		cmp	ah, [eax]
		inc	esi
		popa

loc_8BB9C7:				; CODE XREF: PAGE:008BB960j
		imul	ebp, [ebp+64h],	206F7420h
		db	64h, 65h
		insb
		db	65h
		jz	short near ptr loc_8BBA39+1
		and	[eax+61h], dh
		jz	short loc_8BBA3D

loc_8BB9DA:				; CODE XREF: PAGE:008BB9BBj
		push	69687320h
		insd

loc_8BB9E0:				; CODE XREF: PAGE:008BB968j
		and	[ecx+74h], ah
		popa
		bound	esp, [ecx+73h]
		and	gs:[edx], ecx
		add	[ebx+53h], cl	; DATA XREF: KsepSdbMapToMemory+AF2B0o
					; KsepSdbMapToMemory:loc_8FE60Eo
		inc	ebp
		cmp	ah, [eax]
		pop	edx
		ja	short near ptr loc_8BBA35+2
		jb	short near ptr loc_8BBA55+6
		popa
		jz	short loc_8BBA5E
		push	ebx
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb
		and	[esi+61h], al
; 
		db 69h
		dd 2164656Ch
		db 0Ah,	0
; char ??_C[]
??_C@_0CJ@EBFFHOCD@KSE?3?5ZwOpenFile?5failed?5opening?5@NNGAKEGL@ db 'KSE: ZwOpenFile failed opening DB file!',0Ah,0
					; CODE XREF: PAGE:008BB9A3j
					; PAGE:008BB99Cj
					; DATA XREF: ...
		align 4

;  S U B	R O U T	I N E 


??_C@_0BP@KBJLCIJO@DbHandleIn?5?$DN?$DN?5KsepShimDbHandle@NNGAKEGL@ proc near
					; DATA XREF: KseShimDatabaseClose+AFCC2o
		inc	esp

loc_8BBA35:				; CODE XREF: PAGE:008BB9F2j
		bound	ecx, [eax+61h]
		outsb

loc_8BBA39:				; CODE XREF: PAGE:008BB9D2j
		db	64h
		insb
		db	65h
		dec	ecx

loc_8BBA3D:				; CODE XREF: PAGE:008BB9D8j
		outsb
		and	ds:734B203Dh, bh
		db	65h
		jo	short near ptr loc_8BBA99+1
		push	62446D69h
		dec	eax
		popa
		outsb
		db	64h
		insb
		db	65h
		add	ah, cl
??_C@_0BP@KBJLCIJO@DbHandleIn?5?$DN?$DN?5KsepShimDbHandle@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BO@PKNCBPOC@minkernel?2ntos?2kshim?2ksesdb?4c@NNGAKEGL@ proc near
					; DATA XREF: KseShimDatabaseClose+AFCBDo
		insd

loc_8BBA55:				; CODE XREF: PAGE:008BB9F4j
		imul	ebp, [esi+6Bh],	656E7265h
		insb
		pop	esp

loc_8BBA5E:				; CODE XREF: PAGE:008BB9F7j
		outsb
		jz	short loc_8BBAD0
		jnb	short loc_8BBABF
		imul	esi, [ebx+68h],	69h
		insd
		pop	esp
		imul	esi, [ebx+65h],	73h
		bound	ebp, fs:[esi]
		arpl	[eax], ax

??_C@_0DF@PGNHHABD@KSE?3?5ZwQueryInformationFile?5fai@NNGAKEGL@:
					; DATA XREF: KsepShimDatabaseTime+7D052o
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		pop	edx
		ja	short near ptr loc_8BBAC7+4
		jnz	short loc_8BBAE1
		jb	short loc_8BBAF7
		dec	ecx
		outsb
		outsw
		jb	short near ptr loc_8BBAF0+1
		popa
		jz	short loc_8BBAF0
		outsd
		outsb
		inc	esi
		imul	ebp, [ebp+20h],	6C696166h
		db	65h
		and	fs:[edi+65h], ah
		jz	short loc_8BBB0D

loc_8BBA99:				; CODE XREF: ??_C@_0BP@KBJLCIJO@DbHandleIn?5?$DN?$DN?5KsepShimDbHandle@NNGAKEGL@+10j
		imul	ebp, [esi+67h],	20424420h
		imul	bp, [ebp+21h], 0Ah
		int	3		; Trap to Debugger
??_C@_0BO@PKNCBPOC@minkernel?2ntos?2kshim?2ksesdb?4c@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


; char ??_C
??_C@_0CG@DMMNINDB@KSE?3?5SdbInitDatabaseInMemory?5Fa@NNGAKEGL@	proc near
					; DATA XREF: KsepSdbMapToMemory+AF3BAo
					; KsepSdbMapToMemory:loc_8FE718o

arg_55		= dword	ptr  59h

		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		push	ebx
		bound	ecx, fs:[ecx+6Eh]
		imul	esi, [esp+eax*2+8+arg_55], 61626174h
		jnb	short loc_8BBB21
		dec	ecx
		outsb
		dec	ebp

loc_8BBABF:				; CODE XREF: ??_C@_0BO@PKNCBPOC@minkernel?2ntos?2kshim?2ksesdb?4c@NNGAKEGL@+Dj
		db	65h
		insd
		outsd
		jb	short near ptr loc_8BBB39+4
		and	[esi+61h], al

loc_8BBAC7:				; CODE XREF: ??_C@_0BO@PKNCBPOC@minkernel?2ntos?2kshim?2ksesdb?4c@NNGAKEGL@+24j
					; DATA XREF: KsepSdbMapToMemory+AF359o	...
		imul	ebp, [ebp+64h],	4B000A21h
		push	ebx

loc_8BBAD0:				; CODE XREF: ??_C@_0BO@PKNCBPOC@minkernel?2ntos?2kshim?2ksesdb?4c@NNGAKEGL@+Bj
		inc	ebp
		cmp	ah, [eax]
		push	ebp
		outsb
		popa
		bound	ebp, [ebp+20h]
		jz	short near ptr loc_8BBB47+4
		and	[ebp+61h], ch
		jo	short loc_8BBB01

loc_8BBAE1:				; CODE XREF: ??_C@_0BO@PKNCBPOC@minkernel?2ntos?2kshim?2ksesdb?4c@NNGAKEGL@+26j
		jbe	short near ptr loc_8BBB47+5
		db	65h
		ja	short near ptr loc_8BBB05+1
		outsd
		db	66h
		and	[ebx+65h], dh
		arpl	[ecx+ebp*2+6Fh], si
		outsb

loc_8BBAF0:				; CODE XREF: ??_C@_0BO@PKNCBPOC@minkernel?2ntos?2kshim?2ksesdb?4c@NNGAKEGL@+31j
					; ??_C@_0BO@PKNCBPOC@minkernel?2ntos?2kshim?2ksesdb?4c@NNGAKEGL@+2Ej
		and	[edx], ecx
		add	ah, cl

; char ??_C
??_C@_0CF@BHLNKHBJ@KSE?3?5ObRefByHandle?$CIsection?$CJ?5fai@NNGAKEGL@:
					; DATA XREF: KsepSdbMapToMemory+AF2FFo
					; KsepSdbMapToMemory:loc_8FE65Do
		dec	ebx
		push	ebx
		inc	ebp

loc_8BBAF7:				; CODE XREF: ??_C@_0BO@PKNCBPOC@minkernel?2ntos?2kshim?2ksesdb?4c@NNGAKEGL@+28j
		cmp	ah, [eax]
		dec	edi
		bound	edx, [edx+65h]
		inc	dx
		jns	short near ptr loc_8BBB47+2

loc_8BBB01:				; CODE XREF: ??_C@_0CG@DMMNINDB@KSE?3?5SdbInitDatabaseInMemory?5Fa@NNGAKEGL@+37j
		popa
		outsb
		db	64h
		insb

loc_8BBB05:				; CODE XREF: ??_C@_0CG@DMMNINDB@KSE?3?5SdbInitDatabaseInMemory?5Fa@NNGAKEGL@+3Bj
		sub	gs:[ebx+65h], dh
		arpl	[ecx+ebp*2+6Fh], si

loc_8BBB0D:				; CODE XREF: ??_C@_0BO@PKNCBPOC@minkernel?2ntos?2kshim?2ksesdb?4c@NNGAKEGL@+43j
		outsb
		sub	[eax], esp
		popaw
		imul	ebp, [ebp+64h],	0CC000A21h

??_C@_0BF@IPJAJFEJ@ResultString?5?$CB?$DN?5NULL@NNGAKEGL@:
					; DATA XREF: KsepStringConcatenate+AF685o
		push	edx
		db	65h
		jnb	short near ptr loc_8BBB8D+6
		insb
		jz	short loc_8BBB74

loc_8BBB21:				; CODE XREF: ??_C@_0CG@DMMNINDB@KSE?3?5SdbInitDatabaseInMemory?5Fa@NNGAKEGL@+12j
		jz	short near ptr loc_8BBB94+1
		imul	ebp, [esi+67h],	203D2120h
		dec	esi
		push	ebp
		dec	esp
		dec	esp
		add	ah, cl
??_C@_0CG@DMMNINDB@KSE?3?5SdbInitDatabaseInMemory?5Fa@NNGAKEGL@	endp


;  S U B	R O U T	I N E 


??_C@_0BF@LFGACLEE@SourceString?5?$CB?$DN?5NULL@NNGAKEGL@ proc near
					; DATA XREF: KsepStringDuplicate+6C183o
					; KsepStringTransform+6B830o ...
		push	ebx
		outsd
		jnz	short near ptr loc_8BBBA5+1
		arpl	[ebp+53h], sp
		jz	short near ptr loc_8BBBA7+4

loc_8BBB39:				; CODE XREF: ??_C@_0CG@DMMNINDB@KSE?3?5SdbInitDatabaseInMemory?5Fa@NNGAKEGL@+1Aj
		imul	ebp, [esi+67h],	203D2120h
		dec	esi
		push	ebp
		dec	esp
		dec	esp
		add	ah, cl

??_C@_0BP@MHONLNCD@minkernel?2ntos?2kshim?2ksemisc?4c@NNGAKEGL@:
					; DATA XREF: KsepStringDuplicate+6C17Eo
					; KsepStringTransform+6B7D6o ...
		insd

loc_8BBB47:				; CODE XREF: ??_C@_0CG@DMMNINDB@KSE?3?5SdbInitDatabaseInMemory?5Fa@NNGAKEGL@+57j
					; ??_C@_0CG@DMMNINDB@KSE?3?5SdbInitDatabaseInMemory?5Fa@NNGAKEGL@+32j ...
		imul	ebp, [esi+6Bh],	656E7265h
		insb
		pop	esp
		outsb
		jz	short loc_8BBBC2
		jnb	short loc_8BBBB1
		imul	esi, [ebx+68h],	69h
		insd
		pop	esp
		imul	esi, [ebx+65h],	6Dh
		imul	esi, [ebx+63h],	0CC00632Eh
??_C@_0BF@LFGACLEE@SourceString?5?$CB?$DN?5NULL@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@ proc	near
					; DATA XREF: KsepStringFree+AF542o

; FUNCTION CHUNK AT 008BBC19 SIZE 00000009 BYTES

		push	ebx
		jz	short near ptr loc_8BBBDA+1
		imul	ebp, [esi+67h],	203D2120h
		dec	esi
		push	ebp
		dec	esp
		dec	esp

loc_8BBB74:				; CODE XREF: ??_C@_0CG@DMMNINDB@KSE?3?5SdbInitDatabaseInMemory?5Fa@NNGAKEGL@+77j
		add	ah, cl

??_C@_0BF@KKGDEIMI@TargetString?5?$CB?$DN?5NULL@NNGAKEGL@:
					; DATA XREF: KsepStringTransform+6B7DBo
		push	esp
		popa
		jb	short loc_8BBBE1
		db	65h
		jz	short near ptr loc_8BBBCB+5
		jz	short loc_8BBBF1
		imul	ebp, [esi+67h],	203D2120h
		dec	esi
		push	ebp
		dec	esp
		dec	esp
		add	ah, cl

??_C@_0BE@LHNGPILI@RightString?5?$CB?$DN?5NULL@NNGAKEGL@:
					; DATA XREF: KsepStringConcatenate+AF72Eo
		push	edx

loc_8BBB8D:				; CODE XREF: ??_C@_0CG@DMMNINDB@KSE?3?5SdbInitDatabaseInMemory?5Fa@NNGAKEGL@+73j
		imul	esp, [edi+68h],	72745374h

loc_8BBB94:				; CODE XREF: ??_C@_0CG@DMMNINDB@KSE?3?5SdbInitDatabaseInMemory?5Fa@NNGAKEGL@:loc_8BBB21j
		imul	ebp, [esi+67h],	203D2120h
		dec	esi
		push	ebp
		dec	esp
		dec	esp
		add	[ebp+66h], cl	; DATA XREF: KsepStringConcatenate+AF6DBo
		jz	short near ptr loc_8BBBF5+3

loc_8BBBA5:				; CODE XREF: ??_C@_0BF@LFGACLEE@SourceString?5?$CB?$DN?5NULL@NNGAKEGL@+2j
		jz	short loc_8BBC19

loc_8BBBA7:				; CODE XREF: ??_C@_0BF@LFGACLEE@SourceString?5?$CB?$DN?5NULL@NNGAKEGL@+7j
		imul	ebp, [esi+67h],	203D2120h
		dec	esi
		push	ebp
		dec	esp

loc_8BBBB1:				; CODE XREF: ??_C@_0BF@LFGACLEE@SourceString?5?$CB?$DN?5NULL@NNGAKEGL@+23j
		dec	esp
		add	ah, cl

??_C@_0BL@NOBLOGNK@Count?5?$DN?$DN?5StringsVectorSize@NNGAKEGL@:
					; DATA XREF: KsepStringSplitMultiString(x,x,x,x)+195o
		inc	ebx
		outsd
		jnz	short near ptr ??_C@_1JA@BBOFJBHB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+2
		jz	short loc_8BBBDA
		cmp	eax, 7453203Dh
		jb	short near ptr ??_C@_1JA@BBOFJBHB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+6
		outsb

loc_8BBBC2:				; CODE XREF: ??_C@_0BF@LFGACLEE@SourceString?5?$CB?$DN?5NULL@NNGAKEGL@+21j
		db	67h
		jnb	near ptr 0BC1Bh
		arpl	gs:[edi+ebp*2+72h], si
		push	ebx

loc_8BBBCB:				; CODE XREF: ??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@+14j
					; DATA XREF: KsepStringSplitMultiString(x,x,x,x)+C2o
		imul	edi, [edx+65h],	754ECC00h
		insb
		insb
		inc	ebx
		outsd
		jnz	short near ptr ??_C@_1JA@BBOFJBHB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+22h
		jz	short near ptr loc_8BBBF5+5

loc_8BBBDA:				; CODE XREF: ??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@+52j
					; ??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@+1j
		db	3Eh
		cmp	eax, 0CC003220h

??_C@_0BD@MJDCKHCM@EnginePath?5?$CB?$DN?5NULL@NNGAKEGL@:
					; DATA XREF: KsepRegistryOpenKey+AF671o
					; KsepRegistryCreateKey(x,x,x)+70o
		inc	ebp

loc_8BBBE1:				; CODE XREF: ??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@+12j
		outsb
		imul	ebp, [bp+65h], 68746150h
		and	[ecx], ah
		cmp	eax, 4C554E20h

loc_8BBBF1:				; CODE XREF: ??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@+17j
		dec	esp
		add	ah, cl

??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@:
					; DATA XREF: KsepRegistryOpenKey+AF66Co
					; KsepRegistryOpenKey+AF6C2o ...
		insd

loc_8BBBF5:				; CODE XREF: ??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@+3Dj
					; ??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@+72j
		imul	ebp, [esi+6Bh],	656E7265h
		insb
		pop	esp
		outsb
		jz	short near ptr ??_C@_1JA@BBOFJBHB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+4Ch
		jnb	short near ptr ??_C@_1JA@BBOFJBHB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+3Bh
		imul	esi, [ebx+68h],	69h
		insd
		pop	esp
		imul	esi, [ebx+65h],	72h
		imul	esi, gs:[bp+di+74h], 632E7972h
		add	ah, cl
??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_1M@PLLFNIO@?$AAS?$AAh?$AAi?$AAm?$AAs@NNGAKEGL@ proc near
					; DATA XREF: KsepRegistryQueryDriverShims+AF666o
		push	ebx
??_C@_1M@PLLFNIO@?$AAS?$AAh?$AAi?$AAm?$AAs@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@

loc_8BBC19:				; CODE XREF: ??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@:loc_8BBBA5j
		add	[eax+0], ch
		imul	eax, [eax], 73006Dh
; END OF FUNCTION CHUNK	FOR ??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@
; 
		dw 0
??_C@_1JA@BBOFJBHB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; CODE XREF: ??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@+50j
					; ??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@+59j
					; DATA XREF: ...
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\Compat>
		unicode	0, <ibility\Driver>,0
; 

??_C@_0O@PAGCFJBO@Value?5?$CB?$DN?5NULL@NNGAKEGL@:
					; DATA XREF: KsepRegistryQueryDWORD+8AD1Do
		push	esi
		popa
		insb
		jnz	short near ptr ??_C@_0BF@GHHEJLCO@ActualLength?5?$CB?$DN?5NULL@NNGAKEGL@+14h
		and	[ecx], ah
		cmp	eax, 4C554E20h
		dec	esp
; 
		db 0
??_C@_0BC@LLGAOKNE@KeyHandle?5?$CB?$DN?5NULL@NNGAKEGL@ db 'KeyHandle != NULL',0
					; DATA XREF: KsepRegistryQueryDWORD+8ACCAo
					; KsepRegistryQuerySZ+8ACECo ...
; 

??_C@_0BC@NBPPGFMM@SearchKey?5?$CB?$DN?5NULL@NNGAKEGL@:
					; DATA XREF: KsepRegistryCreateKey(x,x,x)+C1o
		push	ebx
		db	65h
		popa
		jb	short near ptr ??_C@_1BE@PJBJJIKA@?$AAA?$AAL?$AAP?$AAC?$AA?5?$AAP?$AAo?$AAr?$AAt@NNGAKEGL@+8
		push	2079654Bh
		and	ds:4C554E20h, edi
		dec	esp
; 
		db 0
; 

??_C@_0P@MJKECDDF@Handle?5?$CB?$DN?5NULL@NNGAKEGL@: ; DATA XREF: KsepRegistryOpenKey+AF6C7o
					; KsepRegistryCreateKey(x,x,x)+112o
		dec	eax
		popa
		outsb
		db	64h
		insb
		and	gs:[ecx], ah
		cmp	eax, 4C554E20h
		dec	esp
		add	ah, cl
; 
??_C@_0BE@EEDFCNFH@?$CBNT_SUCCESS?$CIStatus?$CJ@NNGAKEGL@ db '!NT_SUCCESS(Status)',0
					; DATA XREF: KsepRegistryQuerySZ+8ADF2o
					; KsepRegistryQueryValue(x,x,x,x,x,x)+186o
??_C@_0BF@GHHEJLCO@ActualLength?5?$CB?$DN?5NULL@NNGAKEGL@ db 'ActualLength != NULL',0
					; DATA XREF: KsepRegistryQuerySZ+8AD97o
					; KsepRegistryQueryValue(x,x,x,x,x,x)+10Ao
		align 10h
??_C@_0BE@MEPHNDGO@ValueBuffer?5?$CB?$DN?5NULL@NNGAKEGL@ db 'ValueBuffer != NULL',0
					; DATA XREF: KsepRegistryQuerySZ+8AD42o
					; KsepRegistryQueryValue(x,x,x,x,x,x)+B8o
??_C@_1BE@PJBJJIKA@?$AAA?$AAL?$AAP?$AAC?$AA?5?$AAP?$AAo?$AAr?$AAt@NNGAKEGL@:
					; CODE XREF: PAGE:008BBCD7j
					; DATA XREF: AlpcpInitSystem+7Co
		unicode	0, <ALPC Port>,0
; 

; char ??_C
??_C@_0BL@MGEADHAH@ALPC?3?5View?5?$EA?5?$CFp?5is?5stuck?4?6@NNGAKEGL@:
					; DATA XREF: AlpcpCleanupProcessViews+17E3EEo
		inc	ecx
		dec	esp
		push	eax
		inc	ebx
		cmp	ah, [eax]
		push	esi
		imul	esp, [ebp+77h],	25204020h
		jo	short near ptr ??_C@_1BM@FMDCFHKI@?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@+14h
		imul	esi, [ebx+20h],	63757473h
		imul	ebp, [esi], 0Ah
		add	ah, cl
; 
??_C@_1BM@FMDCFHKI@?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: MiForceCrashForInvalidAccess(x,x)+CFo
		unicode	0, <MemoryManager>,0
??_C@_1EA@PMBMBAFM@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAM?$AAi@NNGAKEGL@:
					; DATA XREF: MmCreateMirror()+32o
		unicode	0, <Kernel-MemoryMirroringSupported>,0
; void ??_C
??_C@_06CNEAIGOF@16STUB@NNGAKEGL@ db '16STUB',0
					; DATA XREF: MiComputeBadImageHeaderType(x,x,x)+91o
		align 4

; void ??_C
??_C@_08KNIDAOLM@DOSCALLS@NNGAKEGL@:	; DATA XREF: MiCheckDosCalls(x,x)+63o
		inc	esp
		dec	edi
		push	ebx
		inc	ebx
		inc	ecx
		dec	esp
		dec	esp
		push	ebx
		add	ah, cl

??_C@_0BG@JOIBLAI@SectionAlignmentIssue@NNGAKEGL@:
					; DATA XREF: MiLogCreateImageFileMapFailure(x,x,x,x)+48o
		push	ebx
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb
		inc	ecx
		insb
		imul	esp, [edi+6Eh],	746E656Dh
		dec	ecx
		jnb	short near ptr loc_8BBE56+2
		jnz	short ??_C@_1BO@GMLPGBG@?$AAf?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAl?$AAo?$AAa?$AAd@NNGAKEGL@
		add	[ecx], dh	; DATA XREF: MiComputeBadImageHeaderType(x,x,x)+17Bo
		sub	eax, 20332D32h
		push	eax
		jb	short loc_8BBE56
		insb
		outsd
		popa
		db	64h, 65h
		jb	short $+4

; void ??_C
??_C@_0CF@NMFFENGC@Copyright?5?$CIC?$CJ?5Rational?5Systems?0@NNGAKEGL@:
					; DATA XREF: MiComputeBadImageHeaderType(x,x,x)+12Co
		inc	ebx
		outsd
		jo	short near ptr loc_8BBE74+1
		jb	short near ptr loc_8BBE66+1
		db	67h
		push	43282074h
		sub	[eax], esp
		push	edx
		popa
		jz	short near ptr loc_8BBE71+2
		outsd
		outsb
		popa
		insb
		and	[ebx+79h], dl
		jnb	short near ptr loc_8BBE84+3
		db	65h
		insd
		jnb	short loc_8BBE43
		and	[ecx+6Eh], cl
		arpl	[esi], bp
		add	ah, cl

; void ??_C
??_C@_0BI@PEGINIPD@Phar?5Lap?5Software?0?5Inc?4@NNGAKEGL@:
					; DATA XREF: MiComputeBadImageHeaderType(x,x,x)+C8o
		push	eax
		push	4C207261h
		popa
		jo	short near ptr loc_8BBE43+4
		push	ebx
		outsd
		db	66h
		jz	short loc_8BBEA3
		popa
		jb	short loc_8BBE94
		sub	al, 20h
		dec	ecx
		outsb
		arpl	[esi], bp
		add	ds:5A007700h, ah ; DATA	XREF: MiDriverLoadSucceeded+B1084o
; 
		db 0
		db 2 dup(0)
; wchar_t ??_C
??_C@_1O@CJCOHIOA@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ dd offset loc_770025
					; DATA XREF: MiDriverLoadSucceeded+117o
		db 73h
; 

loc_8BBE43:				; CODE XREF: PAGE:008BBE15j
					; PAGE:008BBE25j
		add	ds:5A007700h, ah
; 
		db 3 dup(0)
; 

??_C@_1BO@GMLPGBG@?$AAf?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAl?$AAo?$AAa?$AAd@NNGAKEGL@:
					; CODE XREF: PAGE:008BBDE5j
					; DATA XREF: MiLogFailedDriverLoad(x,x,x,x)+126o
		db	66h
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch

loc_8BBE56:				; CODE XREF: PAGE:008BBDEFj
					; PAGE:008BBDE3j
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[eax+eax+6Fh], ch
		add	[ecx+0], ah

loc_8BBE66:				; CODE XREF: PAGE:008BBDFCj
		add	fs:[eax], al
		add	[ebx+0], ah	; DATA XREF: MiLogFailedDriverLoad(x,x,x,x):loc_998BD0o
		popa
		add	[esi+0], ch
		outsb

loc_8BBE71:				; CODE XREF: PAGE:008BBE08j
		add	[edi+0], ch

loc_8BBE74:				; CODE XREF: PAGE:008BBDFAj
		jz	short $+2
		and	[eax], al
		db	66h
		add	[ecx+0], ch
		outsb
		add	[eax+eax+0], ah

loc_8BBE81:				; DATA XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+380o
		add	[ebx+65h], dl

loc_8BBE84:				; CODE XREF: PAGE:008BBE11j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		push	edi
		pop	eax
		popa
		bound	ebp, [ebp+0]

; char ??_C
??_C@_0CH@HOAINNBL@MmLoadSystemImage?3?5Pulled?5?$CFwZ?5f@NNGAKEGL@:
					; DATA XREF: MiCreateSectionForDriver+AF3FFo
		dec	ebp
		insd
		dec	esp
		outsd

loc_8BBE94:				; CODE XREF: PAGE:008BBE2Dj
		popa
		db	64h
		push	ebx
		jns	short near ptr loc_8BBF0B+1
		jz	short near ptr loc_8BBEFF+1
		insd
		dec	ecx
		insd
		popa
		cmp	ah, gs:[bx+si]

loc_8BBEA3:				; CODE XREF: PAGE:008BBE29j
		push	eax
		jnz	short loc_8BBF12
		insb
		db	65h
		and	fs:66205A77h, ah
		jb	short loc_8BBF20
		insd
		and	[ebx+64h], ch
		or	al, [eax]
		int	3		; Trap to Debugger

??_C@_1DA@JJABBNCH@?$AAC?$AAl?$AAe?$AAa?$AAr?$AAP?$AAa?$AAg?$AAe?$AAF?$AAi?$AAl?$AAe?$AAA?$AAt@NNGAKEGL@:
					; DATA XREF: MmZeroPageFileAtShutdown()+36o
		inc	ebx
		add	[eax+eax+65h], ch
		add	[ecx+0], ah
		jb	short $+2
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		inc	ecx
		add	[eax+eax+53h], dh
		add	[eax+0], ch
		jnz	short $+2
		jz	short $+2
		add	fs:[edi+0], ch
		ja	short $+2
		outsb
; 
		db 3 dup(0)
; 

??_C@_1KK@IBFBOAIN@?$AA?2?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAm?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: MmZeroPageFileAtShutdown()+21o
		pop	esp
		add	[edx+0], dh
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], ch
		popa

loc_8BBEFF:				; CODE XREF: PAGE:008BBE99j
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp

loc_8BBF0B:				; CODE XREF: PAGE:008BBE97j
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl

loc_8BBF12:				; CODE XREF: PAGE:008BBEA4j
		push	esp
		add	[ebp+0], al
		dec	ebp
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2

loc_8BBF20:				; CODE XREF: PAGE:008BBEAFj
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+0], dh
; 
		db 0
; 

??_C@_1DM@EOIDMIEH@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@:
					; DATA XREF: MiResolveImageReferences+4Eo
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		pop	esp
		add	[eax+eax+72h], ah
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		jnb	short $+2
		pop	esp
; 
		db 0
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_0BK@CNBJDBMN@UnwritableImportDirectory@NNGAKEGL@ proc near
					; DATA XREF: MiResolveImageImports+B123Co

; FUNCTION CHUNK AT 008BC04B SIZE 00000010 BYTES
; FUNCTION CHUNK AT 008BC075 SIZE 0000000A BYTES

		push	ebp
		outsb
		ja	short near ptr loc_8BC041+3
		imul	esi, [ecx+62h],	6D49656Ch
		jo	short loc_8BC04B
		jb	short loc_8BC052
		inc	esp
		imul	esi, [edx+65h],	726F7463h
		jns	short $+2
??_C@_0BK@CNBJDBMN@UnwritableImportDirectory@NNGAKEGL@ endp


??_C@_0O@GIMHGJOJ@UnwritableIAT@NNGAKEGL@: ; DATA XREF:	MiResolveImageImports+B1224o
		push	ebp
		outsb
		ja	short near ptr loc_8BC05D+1
		imul	esi, [ecx+62h],	4149656Ch
		push	esp
; 
		db 0
??_C@_0O@PDDHICKK@DllInitialize@NNGAKEGL@ db 'DllInitialize',0
					; DATA XREF: MmCallDllInitialize+12o
; 

??_C@_09ICCHCNIA@DllUnload@NNGAKEGL@:	; DATA XREF: MiUnloadApproved+AA0E8o
		inc	esp
		insb
		insb
		push	ebp
		outsb
		insb
		outsd
		popa

loc_8BC00C:				; DATA XREF: MiResolveImageReferences+290o
		add	fs:[eax+61h], ch
		insb
; 
		db 0
; char ??_C[]
??_C@_08PBNAIBKE@ntoskrnl@NNGAKEGL@ db 'ntoskrnl',0
					; DATA XREF: MiResolveImageReferences+278o
		align 4
??_C@_1CA@JICPFAMK@?$AAI?$AAm?$AAa?$AAg?$AAe?$AA?5?$AAn?$AAo?$AAt?$AA?5?$AAf?$AAo?$AAu?$AAn?$AAd@NNGAKEGL@:
					; DATA XREF: MiLogPinDriverAddress+C6o
		unicode	0, <Image not found>,0

;  S U B	R O U T	I N E 


??_C@_0CA@HHHJFCFN@?7Found?5object?5?$CFp?$CIhandle?5?$CF08lx?$CJ?6@NNGAKEGL@ proc near
					; DATA XREF: ObpShutdownCloseHandleProcedure(x,x,x,x)+37o

; FUNCTION CHUNK AT 008BC0AF SIZE 00000008 BYTES

		or	[esi+6Fh], eax
		jnz	short loc_8BC0AF

loc_8BC041:				; CODE XREF: ??_C@_0BK@CNBJDBMN@UnwritableImportDirectory@NNGAKEGL@+2j
		and	fs:[edi+62h], ch
		push	65h
		arpl	[eax+25h], si
??_C@_0CA@HHHJFCFN@?7Found?5object?5?$CFp?$CIhandle?5?$CF08lx?$CJ?6@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BK@CNBJDBMN@UnwritableImportDirectory@NNGAKEGL@

loc_8BC04B:				; CODE XREF: ??_C@_0BK@CNBJDBMN@UnwritableImportDirectory@NNGAKEGL@+Cj
		jo	short loc_8BC075
		push	6C646E61h

loc_8BC052:				; CODE XREF: ??_C@_0BK@CNBJDBMN@UnwritableImportDirectory@NNGAKEGL@+Ej
		and	gs:786C3830h, ah
		sub	[edx], ecx
; END OF FUNCTION CHUNK	FOR ??_C@_0BK@CNBJDBMN@UnwritableImportDirectory@NNGAKEGL@
; 
		db 0

;  S U B	R O U T	I N E 


??_C@_1BG@OFEBIDHK@?$AAG?$AAL?$AAO?$AAB?$AAA?$AAL?$AAR?$AAO?$AAO?$AAT@NNGAKEGL@	proc near
					; DATA XREF: ObShutdownSystem(x):loc_9A2ECDo
		inc	edi

loc_8BC05D:				; CODE XREF: PAGE:008BBFEAj
		add	[eax+eax+4Fh], cl
		add	[edx+0], al
		inc	ecx
		add	[eax+eax+52h], cl
		add	[edi+0], cl
		dec	edi
		add	[eax+eax+0], dl

loc_8BC071:				; DATA XREF: SeGetTokenDeviceMap+13Eo
					; EtwTracePsIoRateControl+18CB9Fo ...
		add	[edi+0], al
		insb
??_C@_1BG@OFEBIDHK@?$AAG?$AAL?$AAO?$AAB?$AAA?$AAL?$AAR?$AAO?$AAO?$AAT@NNGAKEGL@	endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BK@CNBJDBMN@UnwritableImportDirectory@NNGAKEGL@

loc_8BC075:				; CODE XREF: ??_C@_0BK@CNBJDBMN@UnwritableImportDirectory@NNGAKEGL@:loc_8BC04Bj
		add	[edi+0], ch
		bound	eax, [eax]
		popa
		add	[eax+eax+0], ch
; END OF FUNCTION CHUNK	FOR ??_C@_0BK@CNBJDBMN@UnwritableImportDirectory@NNGAKEGL@
; 
		db 0
; 

??_C@_1BG@NKCPFBJK@?$AAD?$AAo?$AAs?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: ObShutdownSystem(x)+43o
		inc	esp
		add	[edi+0], ch
		jnb	short $+2
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		db 2 dup(0)
; 

; char ??_C
??_C@_0BM@GKKEIPNA@Error?5creating?5object?5type?6@NNGAKEGL@:
					; DATA XREF: ObCreateObjectTypeEx:loc_928794o
		inc	ebp
		jb	short near ptr ??_C@_1FA@CHOKCDEG@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@+23h
		outsd
		jb	short near ptr loc_8BC0BB+1
		arpl	[edx+65h], si
		popa
		jz	short near ptr ??_C@_1FA@CHOKCDEG@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@+23h
		outsb
		and	[bx+62h], ch
		push	65h
		arpl	[eax+74h], si
		jns	short near ptr ??_C@_1FA@CHOKCDEG@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@+37h
; START	OF FUNCTION CHUNK FOR ??_C@_0CA@HHHJFCFN@?7Found?5object?5?$CFp?$CIhandle?5?$CF08lx?$CJ?6@NNGAKEGL@

loc_8BC0AF:				; CODE XREF: ??_C@_0CA@HHHJFCFN@?7Found?5object?5?$CFp?$CIhandle?5?$CF08lx?$CJ?6@NNGAKEGL@+3j
		or	al, gs:[eax]

??_C@_17LGKOMLJ@?$AA?4?$AA?4?$AA?4@NNGAKEGL@: ;	DATA XREF: ObQueryNameStringMode:loc_925B52r
		add	cs:[esi], ch
		add	[esi], ch	; DATA XREF: ObQueryNameStringMode+ECBB9r
; END OF FUNCTION CHUNK	FOR ??_C@_0CA@HHHJFCFN@?7Found?5object?5?$CFp?$CIhandle?5?$CF08lx?$CJ?6@NNGAKEGL@
; 
		db 0
		db 2 dup(0)
; 

; char ??_C
??_C@_0CO@CHACDCHL@ObpPushRefDerefInfo?5?9?5ObpStackT@NNGAKEGL@:
					; DATA XREF: ObpPushRefDerefInfo(x,x,x,x,x,x):loc_9A4D75o
		dec	edi

loc_8BC0BB:				; CODE XREF: PAGE:008BC09Aj
		bound	esi, [eax+50h]
		jnz	short near ptr ??_C@_1FA@CHOKCDEG@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@+4Bh
		push	44666552h
		db	65h
		jb	short near ptr ??_C@_1FA@CHOKCDEG@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@+45h
		dec	cx
		outsb
		outsw
		and	ds:70624F20h, ch
		push	ebx
		jz	short near ptr ??_C@_1FA@CHOKCDEG@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@+4Fh
		arpl	[ebx+54h], bp
		popa
		bound	ebp, [ebp+20h]
		outsd
		jbe	short near ptr ??_C@_0M@PEBBHHKC@KernelSpace@NNGAKEGL@+6
		jb	short near ptr ??_C@_0M@PEBBHHKC@KernelSpace@NNGAKEGL@+9
		insb
		outsd
		ja	short near ptr ??_C@_1FA@CHOKCDEG@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@+9
; 
		db 0
??_C@_1FA@CHOKCDEG@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@:
					; CODE XREF: PAGE:008BC0E5j
					; DATA XREF: PfTAllocateBuffers+C2o
		unicode	0, <\KernelObjects\SuperfetchScenarioNotify>,0

;  S U B	R O U T	I N E 


??_C@_07FFOFCADM@Session@NNGAKEGL@ proc	near ; DATA XREF: PfpPrivSourceEnum(x,x,x)+312o
		push	ebx
		db	65h
		jnb	short near ptr ??_C@_1BM@LEAOIFGH@?$AAO?$AAp?$AA?9?$AA?$CF?$AA?4?$AA1?$AA7?$AAs?$AA?9?$AA?$CF?$AA0?$AA8?$AAX@NNGAKEGL@+7
??_C@_07FFOFCADM@Session@NNGAKEGL@ endp

; 
		dd offset unk_6E6F69
??_C@_0M@PEBBHHKC@KernelSpace@NNGAKEGL@	db 'KernelSpace',0 ; CODE XREF: PAGE:008BC0DFj
					; PAGE:008BC0E1j
					; DATA XREF: ...
??_C@_1BC@FBKCDMNG@?$AAB?$AAa?$AAs?$AAe?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: PfpSetBaseTime+52o
					; PfSetSuperfetchInformation+13752Co ...
		unicode	0, <BaseTime>,0
; 

??_C@_1EK@EHHBPNBG@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@:
					; DATA XREF: PfTStart+ECo
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		pop	esp
		add	[ebx+0], dl
		jnz	short $+2
		jo	short $+2
		add	gs:[edx+0], dh
		db	66h
		add	[ebp+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	72005400h
		add	[ecx+0], ah
		arpl	[eax], ax
		add	gs:[ebx+0], dh
		push	edx
		add	[ebp+0], ah
		popa
		add	[eax+eax+79h], ah
; 
		db 3 dup(0)
; wchar_t ??_C
??_C@_1BM@LEAOIFGH@?$AAO?$AAp?$AA?9?$AA?$CF?$AA?4?$AA1?$AA7?$AAs?$AA?9?$AA?$CF?$AA0?$AA8?$AAX@NNGAKEGL@:
					; CODE XREF: ??_C@_07FFOFCADM@Session@NNGAKEGL@+1j
					; DATA XREF: PfSnOperationProcess+C2o
		unicode	0, <Op-%.17s-%08X>,0
??_C@_15FLFCPLEC@?$AAp?$AAf@NNGAKEGL@:	; DATA XREF: PfSnGetPrefetchInstructions+A4o
		unicode	0, <pf>,0
; wchar_t ??_C
??_C@_1CA@CDDODOJL@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAw?$AAs?$AA?9?$AA?$CF?$AA0?$AA8?$AAX?$AA?4?$AA?$CF?$AAw?$AAs@NNGAKEGL@	db '%',0
					; DATA XREF: PfSnGetPrefetchInstructions+B2o
aSWs08x_Ws:
		unicode	0, <s\%ws-%08X.%ws>,0
; 

; wchar_t ??_C
??_C@_17CHCGIDNB@?$AA?$CF?$AAs?$AA?2@NNGAKEGL@:	; DATA XREF: PfSnOpenVolumesForPrefetch+30Bo
		and	eax, 5C007300h
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BG@FNKMPIDB@?$AA?1?$AAp?$AAr?$AAe?$AAf?$AAe?$AAt?$AAc?$AAh?$AA?3@NNGAKEGL@:
					; DATA XREF: PfSnParsePrefetchParam+19o
		das
		add	[eax+0], dh
		jb	short $+2
		add	gs:[esi+0], ah
		add	gs:[eax+eax+63h], dh
		add	[eax+0], ch
		cmp	al, [eax]
; 
		dw 0
; wchar_t ??_C
??_C@_1DE@ONODJGGB@?$AA?2?$AAV?$AAO?$AAL?$AAU?$AAM?$AAE?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?$CF?$AA0@NNGAKEGL@:
					; DATA XREF: PfVerifyScenarioBuffer+54Fo
		unicode	0, <\VOLUME{%08lx%08lx-%08lx}>,0
??_C@_1CC@HFKJICAM@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAS?$AAu?$AAp?$AAe?$AAr?$AAf?$AAe?$AAt?$AAc@NNGAKEGL@:
					; DATA XREF: PfpParametersRead+2Ao
		unicode	0, <EnableSuperfetch>,0
??_C@_1DC@HGPDJOGO@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAt?$AAc?$AAh?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@NNGAKEGL@ db 'P',0
					; DATA XREF: PfpParametersRead+CCo
aRefetchtimeout:
		unicode	0, <refetchTimeoutHiberBoot>,0
; 

??_C@_1NA@JBNHLOOM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PfpParametersWatcher(x)+84o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+5Ch], dh
		add	[eax+0], dl
		jb	short $+2
		add	gs:[esi+0], ah
		add	gs:[eax+eax+63h], dh
		add	[eax+0], ch
		push	eax
		add	[ecx+0], ah
		jb	short $+2
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		dw 0

;  S U B	R O U T	I N E 


??_C@_1CO@IGFOGBCM@?$AAS?$AAa?$AAv?$AAe?$AAd?$AAS?$AAe?$AAc?$AAt?$AAI?$AAn?$AAf?$AAo?$AAT?$AAr@NNGAKEGL@ proc near
					; DATA XREF: PfpParametersRead+65o
		push	ebx
		add	[ecx+0], ah
		jbe	short $+2
		add	gs:[eax+eax+53h], ah
		add	[ebp+0], ah
		arpl	[eax], ax
??_C@_1CO@IGFOGBCM@?$AAS?$AAa?$AAv?$AAe?$AAd?$AAS?$AAe?$AAc?$AAt?$AAI?$AAn?$AAf?$AAo?$AAT?$AAr@NNGAKEGL@ endp

		jz	short $+2
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
		push	esp
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1DC@HNLGHJPA@?$AAS?$AAa?$AAv?$AAe?$AAd?$AAP?$AAa?$AAg?$AAe?$AAA?$AAc?$AAc?$AAe?$AAs?$AAs@NNGAKEGL@ proc near
					; DATA XREF: PfpParametersRead+7Do
		push	ebx
		add	[ecx+0], ah
		jbe	short $+2
		add	gs:[eax+eax+50h], ah
		add	[ecx+0], ah
		add	[di+0],	ah
		inc	ecx
		add	[ebx+0], ah
		arpl	[eax], ax
??_C@_1DC@HNLGHJPA@?$AAS?$AAa?$AAv?$AAe?$AAd?$AAP?$AAa?$AAg?$AAe?$AAA?$AAc?$AAc?$AAe?$AAs?$AAs@NNGAKEGL@ endp

		add	gs:[ebx+0], dh
		jnb	short $+2
		push	esp
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
; 
		dw 0
??_C@_1CO@PPFJHOGF@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAt?$AAc?$AAh?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@NNGAKEGL@:
					; DATA XREF: PfpParametersRead+9Ao
		unicode	0, <PrefetchTimeoutStandby>,0
??_C@_1DC@LHKMKNKA@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAt?$AAc?$AAh?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@NNGAKEGL@ db 'P',0
					; DATA XREF: PfpParametersRead+B3o
aRefetchtimeo_0:
		unicode	0, <refetchTimeoutHibernate>,0
??_C@_1BK@JNOPGJGM@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAt?$AAc?$AAh?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@:
					; DATA XREF: PfSnParametersRead+1DBo
		unicode	0, <PrefetchRoot>,0
??_C@_1BM@PAENGAEN@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAt?$AAc?$AAh?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@ db 'P',0
					; DATA XREF: PfSnParametersRead+200o
aRefetchflags:
		unicode	0, <refetchFlags>,0
; 

??_C@_1CG@DPODCKAI@?$AAM?$AAa?$AAx?$AAN?$AAu?$AAm?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAT?$AAr?$AAa@NNGAKEGL@:
					; DATA XREF: PfSnParametersRead+221o
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		dec	esi
		add	[ebp+0], dh
		insd
		add	[ecx+0], al
		arpl	[eax], ax
		jz	short $+2
		imul	eax, [eax], 650076h
		push	esp
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
; 
		dw 0
??_C@_1CE@EIPBMMNL@?$AAM?$AAa?$AAx?$AAN?$AAu?$AAm?$AAS?$AAa?$AAv?$AAe?$AAd?$AAT?$AAr?$AAa?$AAc@NNGAKEGL@:
					; DATA XREF: PfSnParametersRead+242o
		unicode	0, <MaxNumSavedTraces>,0
??_C@_1CC@GCKPOFNI@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAP?$AAr?$AAe?$AAf?$AAe?$AAt?$AAc?$AAh?$AAe@NNGAKEGL@:
					; DATA XREF: PfSnParametersRead+40o
		unicode	0, <EnablePrefetcher>,0
??_C@_1BI@IDFHKOAN@?$AAM?$AAa?$AAx?$AAN?$AAu?$AAm?$AAP?$AAa?$AAg?$AAe?$AAs@NNGAKEGL@ db	'M',0
					; DATA XREF: PfSnParametersRead+C3o
		dd offset loc_780060+1
		dd offset loc_75004D+1
aMpages:
		unicode	0, <mPages>,0
; 

??_C@_1BO@ELFNNOI@?$AAM?$AAa?$AAx?$AAN?$AAu?$AAm?$AAS?$AAe?$AAc?$AAt?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@:
					; DATA XREF: PfSnParametersRead+116o
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		dec	esi
		add	[ebp+0], dh
		insd
		add	[ebx+0], dl
		add	gs:[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dw 0
??_C@_1BI@KFJDPHNK@?$AAT?$AAi?$AAm?$AAe?$AAr?$AAP?$AAe?$AAr?$AAi?$AAo?$AAd@NNGAKEGL@:
					; DATA XREF: PfSnParametersRead+169o
		unicode	0, <TimerPeriod>,0
??_C@_1BO@OABOJJKM@?$AAH?$AAo?$AAs?$AAt?$AAi?$AAn?$AAg?$AAA?$AAp?$AAp?$AAL?$AAi?$AAs?$AAt@NNGAKEGL@:
					; DATA XREF: PfSnParametersRead+267o
		unicode	0, <HostingAppList>,0
??_C@_1CA@GHDNPJP@?$AAN?$AAu?$AAm?$AAT?$AAr?$AAa?$AAc?$AAe?$AAP?$AAe?$AAr?$AAi?$AAo?$AAd?$AAs@NNGAKEGL@	dd offset loc_75004D+1
					; DATA XREF: PfSnParametersRead+29Fo
		dw 6Dh
aTraceperiods:
		unicode	0, <TracePeriods>,0
; 

??_C@_1CE@CKHKEBFM@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAW?$AAi?$AAn?$AAr?$AAe?$AAs?$AAu@NNGAKEGL@:
					; DATA XREF: PopLoadResumeContext(x)+15o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+57h], bl
		add	[ecx+0], ch
		outsb
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		jnz	short $+2
		insd
		add	[ebp+0], ah
; 
		db 2 dup(0)
; 

??_C@_1BM@DBOPHHKE@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAC?$AAo?$AAn?$AAt?$AAe?$AAx?$AAt@NNGAKEGL@:
					; DATA XREF: PopLoadResumeContext(x)+3Ao
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+65h], dh
		add	[eax+0], bh
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1IG@IMCPMLBL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PopIsRemoteDesktopEnabled()+40o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al
		dec	ebp
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+eax+65h], dl
		add	[edx+0], dh
		insd
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ah
		insb
		add	[eax], ah
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		add	gs:[edx+0], dh
; 
		dw 0
??_C@_15CMBHNMLL@?$AA?5?$AA?$CI@NNGAKEGL@: ; DATA XREF:	PopGenerateDeviceFriendlyName+AAo
					; SshpGenerateDeviceFriendlyName(x,x,x,x)+158o
		unicode	0, < (>,0
; 

??_C@_1CG@MAGDEAFE@?$AAf?$AAD?$AAe?$AAn?$AAy?$AAT?$AAS?$AAC?$AAo?$AAn?$AAn?$AAe?$AAc?$AAt?$AAi@NNGAKEGL@:
					; DATA XREF: PopIsRemoteDesktopEnabled()+1Co
		db	66h
		add	[eax+eax+65h], al
		add	[esi+0], ch
		jns	short $+2
		push	esp
		add	[ebx+0], dl
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ch
		add	gs:[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dw 0
; 

??_C@_13DIBMAFH@?$AA?$CJ@NNGAKEGL@:	; DATA XREF: PopGenerateDeviceFriendlyName+CCo
					; SshpGenerateDeviceFriendlyName(x,x,x,x)+193o	...
		sub	[eax], eax
; 
		dw 0
??_C@_0CL@DBJKDPMB@Device?5using?5PO_FX_VERSION_V1?3?5@NNGAKEGL@ db 'Device using PO_FX_VERSION_V1: devobj 0x%p',0
					; DATA XREF: PoFxRegisterDevice+44o
		align 10h
??_C@_0BB@OOMNGHGK@?5?9?5Driver?3?5?$CC?$CFwZ?$CC@NNGAKEGL@ db ' - Driver: "%wZ"',0
					; DATA XREF: PoFxRegisterDevice+5Do
		align 2

??_C@_01EEMJAFIK@?6@NNGAKEGL@:		; DATA XREF: PoFxRegisterDevice+6Bo
		or	al, [eax]
; 
??_C@_17FMFAKLCM@?$AAH?$AAL?$AAT@NNGAKEGL@: ; DATA XREF: PpmIdleRegisterDefaultStates+6Do
		unicode	0, <HLT>,0
; 

??_C@_1CC@EDNLIPOI@?$AAE?$AAn?$AAl?$AAi?$AAg?$AAh?$AAt?$AAe?$AAn?$AAe?$AAd?$AA?5?$AAI?$AAd?$AAl@NNGAKEGL@:
					; DATA XREF: PpmIdleRegisterDefaultStates+9F27Fo
		inc	ebp
		add	[esi+0], ch
		insb
		add	[ecx+0], ch
		add	[bx+si+0], ch
		jz	short $+2
		add	gs:[esi+0], ch
		add	gs:[eax+eax+20h], ah
		add	[ecx+0], cl
		add	fs:[eax+eax+65h], ch
; 
		db 0
		db 2 dup(0)
; 

??_C@_1CC@KHNMNELN@?$AAI?$AAD?$AA_?$AAC?$AAA?$AAP?$AA_?$AAS?$AAC?$AAR?$AAE?$AAE?$AAN?$AAO?$AAF@NNGAKEGL@:
					; DATA XREF: NtPowerInformation:loc_8D5D93o
		dec	ecx
		add	[eax+eax+5Fh], al
		add	[ebx+0], al
		inc	ecx
		add	[eax+0], dl
		pop	edi
		add	[ebx+0], dl
		inc	ebx
		add	[edx+0], dl
		inc	ebp
		add	[ebp+0], al
		dec	esi
		add	[edi+0], cl
		inc	esi
		add	[esi+0], al
; 
		dw 0
; 

??_C@_1DM@COFKHHLB@?$AAI?$AAn?$AAv?$AAa?$AAl?$AAi?$AAd?$AAD?$AAi?$AAs?$AAp?$AAl?$AAa?$AAy?$AAS@NNGAKEGL@:
					; DATA XREF: NtPowerInformation+172303o
		dec	ecx
		add	[esi+0], ch
		jbe	short $+2
		popa
		add	[eax+eax+69h], ch
		add	[eax+eax+44h], ah
		add	[ecx+0], ch
		jnb	short $+2
		jo	short $+2
		insb
		add	[ecx+0], ah
		jns	short $+2
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+65h], dh
		add	[eax+eax+72h], dl
		add	[ecx+0], ah
		outsb
		add	[ebx+0], dh
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
; 
		dw 0
; 

??_C@_1DA@PGKGIAIP@?$AAt?$AAe?$AAr?$AAm?$AAi?$AAn?$AAa?$AAl?$AAP?$AAo?$AAw?$AAe?$AAr?$AAM?$AAa@NNGAKEGL@:
					; DATA XREF: NtPowerInformation+17267Bo
		jz	short $+2
		add	gs:[edx+0], dh
		insd
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ah
		insb
		add	[eax+0], dl
		outsd
		add	[edi+0], dh
		add	gs:[edx+0], dh
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+0], dh
; 
		db 0
; 

??_C@_1CC@KMIMNONK@?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAm?$AAe?$AAn@NNGAKEGL@:
					; DATA XREF: PopPowerInformationInternal+1711A9o
					; NtSetSystemTime(x,x)+43o
		jnb	short $+2
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+0], dh
; 
		db 0
??_C@_1DC@DPPPMAFH@?$AAM?$AAu?$AAl?$AAt?$AAi?$AAP?$AAh?$AAa?$AAs?$AAe?$AAR?$AAe?$AAs?$AAu?$AAm@NNGAKEGL@ dd offset loc_75004D
					; DATA XREF: PopEnableHiberFile(x,x):loc_886284o
		dd offset loc_74006A+2
		dw 69h
aPhaseresumedis:
		unicode	0, <PhaseResumeDisabled>,0
??_C@_1BM@HAIPEBMH@?$AA?2?$AAh?$AAi?$AAb?$AAe?$AAr?$AAf?$AAi?$AAl?$AA?4?$AAs?$AAy?$AAs@NNGAKEGL@:
					; DATA XREF: PopBcdSetupResumeObject+7Bo
					; PopCreateHiberFile(x,x)+5Fo
		unicode	0, <\hiberfil.sys>,0
??_C@_1O@LMKGIIBC@?$AAh?$AAi?$AAb?$AAe?$AAr?$AA_@NNGAKEGL@:
					; DATA XREF: IoGetDumpStack(x,x,x,x)+1Ao
		unicode	0, <hiber_>,0
; 

??_C@_1BK@BGJMKJDB@?$AAM?$AAa?$AAx?$AAH?$AAu?$AAf?$AAf?$AAR?$AAa?$AAt?$AAi?$AAo@NNGAKEGL@:
					; DATA XREF: PopEnableHiberFile(x,x)+1ABo
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		dec	eax
		add	[ebp+0], dh
		db	66h
		add	[esi+0], ah
		push	edx
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6Fh
; 
??_C@_1DA@DMELBCDN@?$AAH?$AAy?$AAb?$AAr?$AAi?$AAd?$AAB?$AAo?$AAo?$AAt?$AAA?$AAn?$AAi?$AAm?$AAa@NNGAKEGL@ dd offset loc_790047+1
					; DATA XREF: PopDiagTraceHiberStats+342o
					; PopEnableHiberFile(x,x):loc_886236o
aBridbootanimat:
		unicode	0, <bridBootAnimationTime>,0
; 

; wchar_t ??_C
??_C@_15EAECJAPL@?$AA?$CK?$AA?$DP@NNGAKEGL@:
					; DATA XREF: PoThermalCounterSetCallback(x,x,x)+57o
		sub	al, [eax]
		aas
; 
		db 0
		db 2 dup(0)
; 

??_C@_0FJ@PBIKHEAM@Thermal?5Zone?5?$CFS?5?$CI?$CFp?$CJ?3?5Above?5cri@NNGAKEGL@:
					; DATA XREF: PopCheckThermalPolicy+8A93Bo
		push	esp
		push	616D7265h
		insb
		and	[edx+6Fh], bl
		outsb
		and	gs:25282053h, ah
		jo	short loc_8BC847
		cmp	ah, [eax]
		inc	ecx
		bound	ebp, [edi+76h]
		and	gs:[ebx+72h], ah
		imul	esi, [ecx+ebp*2+63h], 74206C61h
		db	65h
		insd
		jo	short near ptr ??_C@_1BO@GJIFCJPM@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAI?$AAo?$AAC?$AAp?$AAu?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@+9
		jb	short near ptr ??_C@_1BO@GJIFCJPM@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAI?$AAo?$AAC?$AAp?$AAu?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@+7
		jz	short near ptr ??_C@_1BO@GJIFCJPM@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAI?$AAo?$AAC?$AAp?$AAu?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@+1Dh
		jb	short near ptr ??_C@_1BO@GJIFCJPM@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAI?$AAo?$AAC?$AAp?$AAu?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@+0Fh
		and	[eax], ch
		pop	edi
		push	esp
		dec	ebp
		push	eax
		and	ds:5F202C64h, ah
		inc	ebx

loc_8BC847:				; CODE XREF: PAGE:008BC81Cj
		push	edx
		push	esp
		and	ds:202E2964h, ah
		push	ebx
		push	6F647475h
		ja	short near ptr loc_8BC8C4+1
		and	[ecx+6Eh], ch
		imul	esi, [ecx+ebp*2+61h], 0A646574h
		add	ah, cl
; 
??_C@_1CM@LNOAPIGD@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAI?$AAo?$AAC@NNGAKEGL@:
					; DATA XREF: PopDiagTraceHiberStats+2CBo
		unicode	0, <KernelResumeIoCpuTime>,0
??_C@_1BO@GJIFCJPM@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAI?$AAo?$AAC?$AAp?$AAu?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@:
					; CODE XREF: PAGE:008BC834j
					; PAGE:008BC832j ...
		unicode	0, <HiberIoCpuTime>,0
; 

??_C@_1O@IBNPCBAA@?$AAa?$AAc?$AAt?$AAi?$AAv?$AAe@NNGAKEGL@:
					; DATA XREF: PopDiagTraceThermalCoolingMode+8AB63o
		popa
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 650076h
; 
		dw 0
; 

??_C@_1BA@INHNFGAO@?$AAp?$AAa?$AAs?$AAs?$AAi?$AAv?$AAe@NNGAKEGL@:
					; DATA XREF: PopDiagTraceThermalCoolingMode+8AB70o
		jo	short $+2
		popa
		add	[ebx+0], dh
		jnb	short $+2

loc_8BC8C4:				; CODE XREF: PAGE:008BC855j
		imul	eax, [eax], 650076h
; 
		dw 0
; 

??_C@_0BM@FKLINOIP@Kernel_OSStateChange_Reboot@NNGAKEGL@: ; DATA XREF: .data:off_6B3598o
		dec	ebx
		db	65h
		jb	short loc_8BC93E
		db	65h
		insb
		pop	edi
		dec	edi
		push	ebx
		push	ebx
		jz	short near ptr loc_8BC935+4
		jz	short loc_8BC93F
		inc	ebx
		push	65676E61h
		pop	edi
		push	edx
		bound	ebp, gs:[edi+6Fh]
		jz	short $+2

??_C@_0BO@MAGOKJBG@Kernel_OSStateChange_Shutdown@NNGAKEGL@: ; DATA XREF: .data:off_6B3558o
		dec	ebx
		db	65h
		jb	short near ptr ??_C@_1DA@NALLNOML@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAC?$AAo?$AAm?$AAp?$AAl?$AAe?$AAt?$AAe?$AAT@NNGAKEGL@+16h
		db	65h
		insb
		pop	edi
		dec	edi
		push	ebx
		push	ebx
		jz	short near ptr ??_C@_1DA@NALLNOML@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAC?$AAo?$AAm?$AAp?$AAl?$AAe?$AAt?$AAe?$AAT@NNGAKEGL@+11h
		jz	short near ptr ??_C@_1DA@NALLNOML@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAC?$AAo?$AAm?$AAp?$AAl?$AAe?$AAt?$AAe?$AAT@NNGAKEGL@+17h
		inc	ebx
		push	65676E61h
		pop	edi
		push	ebx
		push	6F647475h
		ja	short near ptr ??_C@_1DA@NALLNOML@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAC?$AAo?$AAm?$AAp?$AAl?$AAe?$AAt?$AAe?$AAT@NNGAKEGL@+2Fh

loc_8BC905:				; DATA XREF: .data:off_6B2AF0o
		add	[ebx+65h], cl
		jb	short loc_8BC978
		db	65h
		insb
		pop	edi
		dec	edi
		push	ebx
		push	ebx
		jz	short near ptr ??_C@_1DA@NALLNOML@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAC?$AAo?$AAm?$AAp?$AAl?$AAe?$AAt?$AAe?$AAT@NNGAKEGL@+2Fh
		jz	short loc_8BC979
		inc	ebx
		push	65676E61h
		pop	edi
		dec	eax
		imul	esp, [edx+65h],	6F6F6272h
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_0BN@PKPNHAOJ@Kernel_OSStateChange_Standby@NNGAKEGL@: ; DATA XREF:	.data:off_6B3548o
		dec	ebx
		db	65h
		jb	short near ptr loc_8BC997+1
		db	65h
		insb
		pop	edi
		dec	edi
		push	ebx
		push	ebx
		jz	short loc_8BC993
		jz	short loc_8BC999
		inc	ebx

loc_8BC935:				; CODE XREF: PAGE:008BC8D6j
		push	65676E61h
		pop	edi
		push	ebx
		jz	short near ptr ??_C@_0CJ@NGLEBKHO@PopCoalescing?3?5FLUSH?5notificati@NNGAKEGL@+3

loc_8BC93E:				; CODE XREF: PAGE:008BC8CDj
		outsb

loc_8BC93F:				; CODE XREF: PAGE:008BC8D8j
		bound	edi, fs:[ecx+0]
		int	3		; Trap to Debugger
; 
??_C@_1DA@NALLNOML@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAC?$AAo?$AAm?$AAp?$AAl?$AAe?$AAt?$AAe?$AAT@NNGAKEGL@:
					; DATA XREF: PopDiagTraceHiberStats+38Bo
		unicode	0, <ResumeCompleteTimestamp>,0
; 

??_C@_0CH@BAMFGFLD@PopCoalescing?3?5OFF?5notification@NNGAKEGL@:
					; DATA XREF: PopDiagTraceIoCoalescingOff()o
		push	eax
		outsd
		jo	short near ptr ??_C@_0CJ@NGLEBKHO@PopCoalescing?3?5FLUSH?5notificati@NNGAKEGL@+1Fh

loc_8BC978:				; CODE XREF: PAGE:008BC908j
		outsd

loc_8BC979:				; CODE XREF: PAGE:008BC912j
		popa
		insb
		db	65h
		jnb	short near ptr loc_8BC9DC+5
		imul	ebp, [esi+67h],	464F203Ah
		inc	esi
		and	[esi+6Fh], ch
		jz	short loc_8BC9F4
		imul	sp, [ebx+61h], 6974h
		outsd
		outsb

loc_8BC993:				; CODE XREF: PAGE:008BC930j
		and	[ebx+65h], dh
		outsb

loc_8BC997:				; CODE XREF: PAGE:008BC927j
		jz	short loc_8BC9C7

loc_8BC999:				; CODE XREF: PAGE:008BC932j
		or	al, [eax]
		int	3		; Trap to Debugger
; 
??_C@_0CJ@NGLEBKHO@PopCoalescing?3?5FLUSH?5notificati@NNGAKEGL@	db 'PopCoalescing: FLUSH notification sent.',0Ah,0
					; CODE XREF: PAGE:008BC93Cj
					; DATA XREF: PopDiagTraceIoCoalescingFlush()o
		align 2

??_C@_0HF@KKFAOMK@PopCoalescing?3?5ON?5notification?5@NNGAKEGL@:
					; DATA XREF: PopDiagTraceIoCoalescingOn(x,x,x,x)+29o
		push	eax

loc_8BC9C7:				; CODE XREF: PAGE:loc_8BC997j
		outsd
		jo	short loc_8BCA0D
		outsd
		popa
		insb
		db	65h
		jnb	short loc_8BCA33
		imul	ebp, [esi+67h],	4E4F203Ah
		and	[esi+6Fh], ch
		jz	short loc_8BCA45

loc_8BC9DC:				; CODE XREF: PAGE:008BC97Bj
		imul	sp, [ebx+61h], 6974h
		outsd
		outsb
		and	[ebx+65h], dh
		outsb
		jz	short loc_8BCA0A
		sub	[ebx+70h], dh
		imul	ebp, [esi+64h],	206E776Fh

loc_8BC9F4:				; CODE XREF: PAGE:008BC989j
		jz	short near ptr loc_8BCA5D+2
		insd
		outs	dx, dword ptr gs:[esi]
		jnz	short loc_8BCA6F
		cmp	ah, ds:74202C75h
		imul	ebp, [ebp+65h],	6E692072h
		jz	short loc_8BCA6F

loc_8BCA0A:				; CODE XREF: PAGE:008BC9E8j
		jb	short loc_8BCA82
		popa

loc_8BCA0D:				; CODE XREF: PAGE:008BC9C8j
		insb
		cmp	ah, [eax]
		and	eax, 66202C75h
		insb
		jnz	short near ptr loc_8BCA8A+1
		push	6C656420h
		popa
		jns	short loc_8BCA40
		imul	ebp, [esi+74h],	61767265h
		insb
		cmp	ah, ds:45202C75h
		outsb
		outsw
		jb	short near ptr loc_8BCA95+1

loc_8BCA33:				; CODE XREF: PAGE:008BC9CDj
		db	65h
		cmp	ah, fs:0A2975h
		int	3		; Trap to Debugger

??_C@_0CD@FCKDPJKO@Kernel_OSStateChange_StandbyRes@NNGAKEGL@: ;	DATA XREF: .data:off_6B3568o
		dec	ebx
		db	65h
		jb	short loc_8BCAAE

loc_8BCA40:				; CODE XREF: PAGE:008BCA1Ej
		db	65h
		insb
		pop	edi
		dec	edi
		push	ebx

loc_8BCA45:				; CODE XREF: PAGE:008BC9DAj
		push	ebx
		jz	short near ptr loc_8BCAA8+1
		jz	short near ptr loc_8BCAAE+1
		inc	ebx
		push	65676E61h
		pop	edi
		push	ebx
		jz	short near ptr loc_8BCAB3+2
		outsb
		bound	edi, fs:[ecx+52h]
		db	65h
		jnb	short near ptr loc_8BCAD0+1
		insd

loc_8BCA5D:				; CODE XREF: PAGE:loc_8BC9F4j
		db	65h
		add	ah, cl

??_C@_0CF@PKCAICNE@Kernel_OSStateChange_HibernateR@NNGAKEGL@: ;	DATA XREF: .data:off_6B3528o
		dec	ebx
		db	65h
		jb	short loc_8BCAD2
		db	65h
		insb
		pop	edi
		dec	edi
		push	ebx
		push	ebx
		jz	short loc_8BCACD
		jz	short loc_8BCAD3
		inc	ebx

loc_8BCA6F:				; CODE XREF: PAGE:008BC9F9j
					; PAGE:008BCA08j
		push	65676E61h
		pop	edi
		dec	eax
		imul	esp, [edx+65h],	74616E72h
		db	65h
		push	edx
		db	65h
		jnb	short near ptr loc_8BCAF6+1

loc_8BCA82:				; CODE XREF: PAGE:loc_8BCA0Aj
		insd
		db	65h
		add	ah, cl

??_C@_0BO@GJLIHBGE@Kernel_OSStateChange_CSResume@NNGAKEGL@: ; DATA XREF: .data:off_6B3518o
		dec	ebx
		db	65h
		jb	short loc_8BCAF8

loc_8BCA8A:				; CODE XREF: PAGE:008BCA16j
		db	65h
		insb
		pop	edi
		dec	edi
		push	ebx
		push	ebx
		jz	short loc_8BCAF3
		jz	short near ptr loc_8BCAF8+1
		inc	ebx

loc_8BCA95:				; CODE XREF: PAGE:008BCA31j
		push	65676E61h
		pop	edi
		inc	ebx
		push	ebx
		push	edx
		db	65h
		jnb	short near ptr loc_8BCB13+3
		insd

loc_8BCAA2:				; DATA XREF: .data:off_6B3508o
		add	gs:[ebx+65h], cl
		jb	short near ptr loc_8BCB13+3

loc_8BCAA8:				; CODE XREF: PAGE:008BCA46j
		db	65h
		insb
		pop	edi
		dec	edi
		push	ebx
		push	ebx

loc_8BCAAE:				; CODE XREF: PAGE:008BCA3Dj
					; PAGE:008BCA48j
		jz	short near ptr loc_8BCB10+1
		jz	short near ptr loc_8BCB13+4
		inc	ebx

loc_8BCAB3:				; CODE XREF: PAGE:008BCA52j
		push	65676E61h
		pop	edi
		dec	eax
		jns	short loc_8BCB1E
		jb	short loc_8BCB27
		db	64h
		push	ebx
		insb
		db	65h, 65h
		jo	short near ptr loc_8BCB13+4
		db	65h
		jnb	short near ptr loc_8BCB3C+1
		insd
		db	65h
		add	ah, cl

??_C@_0BP@BPFAGDNN@Kernel_OSStateChange_Hibernate@NNGAKEGL@: ; DATA XREF: .data:off_6B3538o
		dec	ebx

loc_8BCACD:				; CODE XREF: PAGE:008BCA6Aj
		db	65h
		jb	short near ptr loc_8BCB3C+2

loc_8BCAD0:				; CODE XREF: PAGE:008BCA59j
		db	65h
		insb

loc_8BCAD2:				; CODE XREF: PAGE:008BCA61j
		pop	edi

loc_8BCAD3:				; CODE XREF: PAGE:008BCA6Cj
		dec	edi
		push	ebx
		push	ebx
		jz	short near ptr loc_8BCB35+4
		jz	short near ptr loc_8BCB3C+3
		inc	ebx
		push	65676E61h
		pop	edi
		dec	eax
		imul	esp, [edx+65h],	74616E72h
		db	65h
		add	ah, cl

??_C@_0BI@FGNKIGCJ@Kernel_OSStateChange_CS@NNGAKEGL@: ;	DATA XREF: .data:off_6B3588o
		dec	ebx
		db	65h
		jb	short near ptr loc_8BCB5C+2
		db	65h
		insb
		pop	edi

loc_8BCAF3:				; CODE XREF: PAGE:008BCA90j
		dec	edi
		push	ebx
		push	ebx

loc_8BCAF6:				; CODE XREF: PAGE:008BCA7Fj
		jz	short near ptr loc_8BCB58+1

loc_8BCAF8:				; CODE XREF: PAGE:008BCA87j
					; PAGE:008BCA92j
		jz	short near ptr loc_8BCB5C+3
		inc	ebx
		push	65676E61h
		pop	edi
		inc	ebx
		push	ebx

loc_8BCB03:				; DATA XREF: .data:off_6B3578o
		add	[ebx+65h], cl
		jb	short near ptr loc_8BCB74+2
		db	65h
		insb
		pop	edi
		dec	edi
		push	ebx
		push	ebx
		jz	short near ptr loc_8BCB70+1

loc_8BCB10:				; CODE XREF: PAGE:loc_8BCAAEj
		jz	short near ptr loc_8BCB74+3
		inc	ebx

loc_8BCB13:				; CODE XREF: PAGE:008BCA9Ej
					; PAGE:008BCAA6j ...
		push	65676E61h
		pop	edi
		dec	eax
		jns	short near ptr loc_8BCB7D+1
		jb	short loc_8BCB87

loc_8BCB1E:				; CODE XREF: PAGE:008BCABAj
		db	64h
		push	ebx
		insb
		db	65h, 65h
		jo	short $+4
		int	3		; Trap to Debugger

??_C@_0CF@HAHHMNLJ@Kernel_OSStateChange_HiberbootR@NNGAKEGL@: ;	DATA XREF: .data:off_6B2B00o
		dec	ebx

loc_8BCB27:				; CODE XREF: PAGE:008BCABCj
		db	65h
		jb	short loc_8BCB98
		db	65h
		insb
		pop	edi
		dec	edi
		push	ebx
		push	ebx
		jz	short near ptr loc_8BCB8E+5
		jz	short loc_8BCB99
		inc	ebx

loc_8BCB35:				; CODE XREF: PAGE:008BCAD6j
		push	65676E61h
		pop	edi
		dec	eax

loc_8BCB3C:				; CODE XREF: PAGE:008BCAC5j
					; PAGE:loc_8BCACDj ...
		imul	esp, [edx+65h],	6F6F6272h
		jz	short near ptr loc_8BCB96+1
		db	65h
		jnb	short loc_8BCBBD
		insd
		db	65h
		add	ah, cl

??_C@_1DK@JPPMLNFP@?$AAL?$AAa?$AAs?$AAt?$AAL?$AAo?$AAg?$AAO?$AAf?$AAf?$AAE?$AAn?$AAd?$AAT?$AAi@NNGAKEGL@:
					; DATA XREF: PopDiagTracePerfTrackData+A6509o
		dec	esp
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		dec	esp
		add	[edi+0], ch

loc_8BCB58:				; CODE XREF: PAGE:loc_8BCAF6j
		add	[bx+0],	cl

loc_8BCB5C:				; CODE XREF: PAGE:008BCAEDj
					; PAGE:loc_8BCAF8j
		db	66h
		add	[esi+0], ah
		inc	ebp
		add	[esi+0], ch
		add	fs:[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[eax+0], dl

loc_8BCB70:				; CODE XREF: PAGE:008BCB0Ej
		add	gs:[edx+0], dh

loc_8BCB74:				; CODE XREF: PAGE:008BCB06j
					; PAGE:loc_8BCB10j
		db	66h
		add	[ebx+0], al
		outsd
		add	[ebp+0], dh
		outsb

loc_8BCB7D:				; CODE XREF: PAGE:008BCB1Aj
		add	[eax+eax+65h], dh
		add	[edx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1JA@IMHLFALN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PopDiagTracePerfTrackData+A651Co
		pop	esp

loc_8BCB87:				; CODE XREF: PAGE:008BCB1Cj
		add	[edx+0], dl
		add	gs:[edi+0], ah

loc_8BCB8E:				; CODE XREF: PAGE:008BCB30j
		imul	eax, [eax], 740073h
		jb	short $+2

loc_8BCB96:				; CODE XREF: PAGE:008BCB43j
		jns	short $+2

loc_8BCB98:				; CODE XREF: PAGE:loc_8BCB27j
		pop	esp

loc_8BCB99:				; CODE XREF: PAGE:008BCB32j
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		outsd
		add	[esi+0], ah
		jz	short $+2
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+4Dh], bl

loc_8BCBBD:				; CODE XREF: PAGE:008BCB45j
		add	[ecx+0], ch
		arpl	[eax], ax
		jb	short $+2
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		and	[eax], al
		dec	esi
		add	[eax+eax+5Ch], dl
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 6C006Eh
		outsd
		add	[edi+0], ah
		outsd
		add	[esi+0], ch
; 
		db 2 dup(0)
; 

??_C@_0BG@GDLPOEEB@PoBatteryLevelUnknown@NNGAKEGL@:
					; DATA XREF: PopBatteryApplyCompositeState+A0518o
		push	eax
		outsd
		inc	edx
		popa
		jz	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+24h
		db	65h
		jb	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+2Ch
		dec	esp
		db	65h
		jbe	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+1Ch
		insb
		push	ebp
		outsb
		imul	ebp, [esi+6Fh],	77h
		outsb
		add	[eax+6Fh], dl	; DATA XREF: PopBatteryApplyCompositeState+A0524o
		inc	edx
		popa
		jz	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+3Ah
		db	65h
		jb	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+42h
		dec	esp
		db	65h
		jbe	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+32h
		insb
		inc	ebx
		jb	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+3Ah
		jz	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+3Ch
		arpl	[ecx+6Ch], sp
		add	ah, cl

??_C@_0BC@KHACHKGG@PoBatteryLevelLow@NNGAKEGL@:
					; DATA XREF: PopBatteryApplyCompositeState+A0530o
		push	eax
		outsd
		inc	edx
		popa
		jz	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+52h
		db	65h
		jb	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+5Ah
		dec	esp
		db	65h
		jbe	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+4Ah
		insb
		dec	esp
		outsd
		ja	short $+2

??_C@_0BF@GBOKHDFO@PoBatteryLevelNormal@NNGAKEGL@:
					; DATA XREF: PopBatteryApplyCompositeState:loc_90961Bo
		push	eax
		outsd
		inc	edx
		popa
		jz	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+64h
		db	65h
		jb	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+6Ch
		dec	esp
		db	65h
		jbe	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+5Ch
		insb
		dec	esi
		outsd
		jb	short near ptr ??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@+69h
		popa
		insb
		add	ah, cl
; 
; char ??_C[]
??_C@_0HL@GFDDDPIA@?6Composite?5Status?6?$HM?9?9?5PowerStat@NNGAKEGL@ db 0Ah
					; DATA XREF: PopBatteryApplyCompositeState+DDo
		db 'Composite Status',0Ah
		db '|-- PowerState = 0x%08x',0Ah
		db '|-- Capacity   = %u',0Ah
		db '|-- Voltage    = %u',0Ah
		db '|-- Rate       = %d',0Ah
		db '|-- Est Time   = %u',0Ah,0
		align 4

; char ??_C
??_C@_0DC@JKFKDJC@?6Battery?5Triggers?5?$FL?$CFp?$FN?6?$HM?9?5High?5@NNGAKEGL@:
					; DATA XREF: PopBatteryQueryStatus(x,x)+BEo
		or	al, [edx+61h]
		jz	short near ptr loc_8BCD60+1
		db	65h
		jb	short loc_8BCD69
		and	[edx+esi*2+69h], dl
		db	67h, 67h, 65h
		jb	short near ptr loc_8BCD69+3
		and	[ebx+25h], bl
		jo	short near ptr loc_8BCD59+2
		or	bh, [ebp+ebp+20h]
		dec	eax
		imul	esp, [edi+68h],	25203D20h
		jnz	short near ptr loc_8BCD14+2
		jl	short near ptr loc_8BCD39+2
		and	[edi+ebp*2+77h], cl
		and	[eax], ah

loc_8BCD14:				; CODE XREF: PAGE:008BCD0Aj
		cmp	eax, 0A752520h
		add	[edx], cl	; DATA XREF: PopBatteryUpdateCompositeInformation()+B9o
		inc	ebx
		outsd
		insd
		jo	short near ptr loc_8BCD8E+1
		jnb	short near ptr loc_8BCD87+4
		jz	short near ptr loc_8BCD87+2
		and	[ecx+6Eh], cl
		outsw
		jb	short loc_8BCD98
		popa
		jz	short near ptr loc_8BCD96+1
		outsd
		outsb
		or	bh, [ebp+ebp+2Dh]
		and	[ebx+61h], al
		jo	short near ptr loc_8BCD99+1

loc_8BCD39:				; CODE XREF: PAGE:008BCD0Cj
		bound	ebp, [ecx+6Ch]
		imul	esi, [ecx+ebp*2+65h], 20202073h
		and	[eax], ah
		and	[eax], ah
		and	ds:25783020h, bh
		xor	[eax], bh
		js	short near ptr loc_8BCD59+3
		jl	short near ptr loc_8BCD80+1
		sub	eax, 73654420h

loc_8BCD59:				; CODE XREF: PAGE:008BCCFCj
					; PAGE:008BCD50j
		imul	esp, [edi+6Eh],	61436465h

loc_8BCD60:				; CODE XREF: PAGE:008BCCEBj
		jo	short near ptr loc_8BCDC1+2
		arpl	[ecx+74h], bp
		jns	short loc_8BCD87
		and	[eax], ah

loc_8BCD69:				; CODE XREF: PAGE:008BCCEDj
					; PAGE:008BCCF4j
		and	ds:0A752520h, bh
		jl	short loc_8BCD9E
		sub	eax, 6C754620h
		insb
		inc	ebx
		push	65677261h
		db	64h
		inc	ebx
		popa

loc_8BCD80:				; CODE XREF: PAGE:008BCD52j
		jo	short near ptr byte_8BCDE3
		arpl	[ecx+74h], bp
		jns	short near ptr loc_8BCDA4+3

loc_8BCD87:				; CODE XREF: PAGE:008BCD65j
					; PAGE:008BCD22j ...
		cmp	eax, 0A752520h
		jl	short loc_8BCDBB

loc_8BCD8E:				; CODE XREF: PAGE:008BCD1Ej
		sub	eax, 66654420h
		popa
		jnz	short near ptr loc_8BCE01+1

loc_8BCD96:				; CODE XREF: PAGE:008BCD2Cj
		jz	short near ptr loc_8BCDD3+6

loc_8BCD98:				; CODE XREF: PAGE:008BCD29j
		insb

loc_8BCD99:				; CODE XREF: PAGE:008BCD37j
		db	65h
		jb	short near ptr loc_8BCE0F+1
		xor	[eax], esp

loc_8BCD9E:				; CODE XREF: PAGE:008BCD6Fj
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah

loc_8BCDA4:				; CODE XREF: PAGE:008BCD85j
		cmp	eax, 0A752520h
		jl	short near ptr loc_8BCDD3+5
		sub	eax, 66654420h
		popa
		jnz	short near ptr loc_8BCE1E+1
		jz	short near ptr loc_8BCDF5+1
		insb
		db	65h
		jb	short near ptr loc_8BCE2C+1
		xor	ah, [eax]

loc_8BCDBB:				; CODE XREF: PAGE:008BCD8Cj
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah

loc_8BCDC1:				; CODE XREF: PAGE:loc_8BCD60j
		cmp	eax, 0A752520h
		jl	short loc_8BCDF5
		sub	eax, 69724320h
		jz	short near ptr loc_8BCE34+4
		arpl	[ecx+6Ch], sp
		inc	edx

loc_8BCDD3:				; CODE XREF: PAGE:008BCDA9j
					; PAGE:loc_8BCD96j
		imul	esp, [ecx+73h],	20202020h
		and	[eax], ah
		and	[eax], ah
		cmp	eax, 0A752520h
; 
byte_8BCDE3	db 0			; CODE XREF: PAGE:loc_8BCD80j
; 

; char ??_C
??_C@_0HO@MIEEEJEB@?6Battery?5Status?5?$FL?$CFp?$FN?6?$HM?9?9?5PowerS@NNGAKEGL@:
					; DATA XREF: PopBatteryWorker+9FF27o
		or	al, [edx+61h]
		jz	short near ptr loc_8BCE5B+2
		db	65h
		jb	short near ptr loc_8BCE64+1
		and	[ebx+74h], dl
		popa
		jz	short loc_8BCE67
		jnb	short near ptr loc_8BCE13+1
		pop	ebx

loc_8BCDF5:				; CODE XREF: PAGE:008BCDC6j
					; PAGE:008BCDB3j
		and	eax, 7C0A5D70h
		sub	eax, 6F50202Dh
		ja	short near ptr loc_8BCE64+2

loc_8BCE01:				; CODE XREF: PAGE:008BCD94j
		jb	short near ptr loc_8BCE54+2
		jz	short near ptr loc_8BCE64+2
		jz	short ??_C@_0BA@BEMFFGJJ@?$DMInvalid?5Value?$DO@NNGAKEGL@
		and	ds:25783020h, bh
		xor	[eax], bh

loc_8BCE0F:				; CODE XREF: PAGE:loc_8BCD99j
		js	short near ptr loc_8BCE19+2
		jl	short loc_8BCE40

loc_8BCE13:				; CODE XREF: PAGE:008BCDF2j
		sub	eax, 70614320h
		popa

loc_8BCE19:				; CODE XREF: PAGE:loc_8BCE0Fj
		arpl	[ecx+74h], bp
		jns	short near ptr loc_8BCE3B+3

loc_8BCE1E:				; CODE XREF: PAGE:008BCDB1j
		and	[eax], ah
		cmp	eax, 0A752520h
		jl	short loc_8BCE54
		sub	eax, 6C6F5620h

loc_8BCE2C:				; CODE XREF: PAGE:008BCDB6j
		jz	short near ptr ??_C@_0N@EOKLPMEM@rechargeable@NNGAKEGL@+1
		and	gs:[bx+si], ah
		and	[eax], ah

loc_8BCE34:				; CODE XREF: PAGE:008BCDCDj
		cmp	eax, 0A752520h
		jl	short near ptr loc_8BCE67+1

loc_8BCE3B:				; CODE XREF: PAGE:008BCE1Cj
		sub	eax, 74615220h

loc_8BCE40:				; CODE XREF: PAGE:008BCE11j
		and	gs:[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	ds:0A642520h, bh
		jl	short near ptr loc_8BCE7A+2
		sub	eax, 74734520h

loc_8BCE54:				; CODE XREF: PAGE:008BCE25j
					; PAGE:loc_8BCE01j
		and	[ecx+ebp*2+6Dh], dl
		and	gs:[eax], ah

loc_8BCE5B:				; CODE XREF: PAGE:008BCDE7j
		and	ds:0A752520h, bh
; 
		db 0
; 

??_C@_08KKBGCHG@AC?5Power@NNGAKEGL@:	; DATA XREF: PopBatteryCheckCompositeCapacity:loc_869506o
					; PopBatteryWorker+A0329o ...
		inc	ecx
		inc	ebx

loc_8BCE64:				; CODE XREF: PAGE:008BCDE9j
					; PAGE:008BCDFFj ...
		and	[eax+6Fh], dl

loc_8BCE67:				; CODE XREF: PAGE:008BCDF0j
					; PAGE:008BCE39j
		ja	short near ptr loc_8BCECD+1
		jb	short $+2
		int	3		; Trap to Debugger

??_C@_0BA@BEMFFGJJ@?$DMInvalid?5Value?$DO@NNGAKEGL@: ; CODE XREF: PAGE:008BCE05j
					; DATA XREF: PopBatteryApplyCompositeState+A0541o
		cmp	al, 49h
		outsb
		jbe	short near ptr loc_8BCECD+5
		insb
		imul	esp, [eax+56h],	65756C61h

loc_8BCE7A:				; CODE XREF: PAGE:008BCE4Dj
					; DATA XREF: PopBatteryInitialize(x)+79o
		db	3Eh
		add	[esi+6Fh], ch
		outsb
		sub	eax, 68636572h
		popa
		jb	short near ptr loc_8BCEEA+4
		db	65h
		popa
		bound	ebp, [ebp+0]
		int	3		; Trap to Debugger

??_C@_0N@EOKLPMEM@rechargeable@NNGAKEGL@: ; CODE XREF: PAGE:loc_8BCE2Cj
					; DATA XREF: PopBatteryInitialize(x)+80o
		jb	short near ptr loc_8BCEF4+1
		arpl	[eax+61h], bp
		jb	short near ptr loc_8BCEFB+1
		db	65h
		popa
		bound	ebp, [ebp+0]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0BEB@BEBGFMCD@?6Battery?5Information?5?$FL?$CFp?$FN?6?$HM?9?9?5T@NNGAKEGL@:
					; DATA XREF: PopBatteryInitialize(x)+A3o
		or	al, [edx+61h]
		jz	short near ptr loc_8BCF13+2
		db	65h
		jb	short near ptr loc_8BCF19+4
		and	[ecx+6Eh], cl
		outsw
		jb	short loc_8BCF18
		popa
		jz	short near ptr loc_8BCF13+4
		outsd
		outsb
		and	[ebx+25h], bl
		jo	short near ptr loc_8BCF11+1
		or	bh, [ebp+ebp+2Dh]
		and	[ecx+67h], dl
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah

loc_8BCECD:				; CODE XREF: PAGE:loc_8BCE67j
					; PAGE:008BCE6Fj
		and	ds:0A752520h, bh
		jl	short near ptr loc_8BCF00+2
		sub	eax, 70614320h
		popa
		bound	ebp, [ecx+6Ch]
		imul	esi, [ecx+ebp*2+65h], 20202073h
		and	[eax], ah
		and	[eax], ah

loc_8BCEEA:				; CODE XREF: PAGE:008BCE85j
		and	ds:25783020h, bh
		xor	[eax], bh
		js	short near ptr loc_8BCEFB+3

loc_8BCEF4:				; CODE XREF: PAGE:??_C@_0N@EOKLPMEM@rechargeable@NNGAKEGL@j
		jl	short near ptr loc_8BCF22+1
		sub	eax, 63655420h

loc_8BCEFB:				; CODE XREF: PAGE:008BCE93j
					; PAGE:008BCEF2j
		push	6F6C6F6Eh

loc_8BCF00:				; CODE XREF: PAGE:008BCED3j
		db	67h
		jns	near ptr 0CF23h
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	ds:0A732520h, bh

loc_8BCF11:				; CODE XREF: PAGE:008BCEB3j
		jl	short near ptr loc_8BCF3E+2

loc_8BCF13:				; CODE XREF: PAGE:008BCE9Fj
					; PAGE:008BCEACj
		sub	eax, 65684320h

loc_8BCF18:				; CODE XREF: PAGE:008BCEA9j
		insd

loc_8BCF19:				; CODE XREF: PAGE:008BCEA1j
		imul	esi, [ebx+74h],	20207972h
		and	[eax], ah

loc_8BCF22:				; CODE XREF: PAGE:loc_8BCEF4j
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	ds:0A732520h, bh
		jl	short near ptr loc_8BCF5C+1
		sub	eax, 73654420h
		imul	esp, [edi+6Eh],	61436465h
		jo	short near ptr loc_8BCF9D+2

loc_8BCF3E:				; CODE XREF: PAGE:loc_8BCF11j
		arpl	[ecx+74h], bp
		jns	short loc_8BCF63
		and	[eax], ah
		and	ds:0A752520h, bh
		jl	short loc_8BCF7A
		sub	eax, 6C754620h
		insb
		inc	ebx
		push	65677261h
		db	64h
		inc	ebx
		popa

loc_8BCF5C:				; CODE XREF: PAGE:008BCF2Ej
		jo	short loc_8BCFBF
		arpl	[ecx+74h], bp
		jns	short near ptr loc_8BCF80+3

loc_8BCF63:				; CODE XREF: PAGE:008BCF41j
		cmp	eax, 0A752520h
		jl	short loc_8BCF97
		sub	eax, 66654420h
		popa
		jnz	short ??_C@_0BB@PMCEFKNF@Battery?5Critical@NNGAKEGL@
		jz	short near ptr loc_8BCFAF+6
		insb
		db	65h
		jb	short near ptr loc_8BCFE8+4
		xor	[eax], esp

loc_8BCF7A:				; CODE XREF: PAGE:008BCF4Bj
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah

loc_8BCF80:				; CODE XREF: PAGE:008BCF61j
		cmp	eax, 0A752520h
		jl	short near ptr loc_8BCFAF+5
		sub	eax, 66654420h
		popa
		jnz	short loc_8BCFFB
		jz	short loc_8BCFD2
		insb
		db	65h
		jb	short near ptr loc_8BD002+7
		xor	ah, [eax]

loc_8BCF97:				; CODE XREF: PAGE:008BCF68j
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah

loc_8BCF9D:				; CODE XREF: PAGE:008BCF3Cj
		cmp	eax, 0A752520h
		jl	short near ptr loc_8BCFD0+1
		sub	eax, 69724320h
		jz	short near ptr loc_8BD012+2
		arpl	[ecx+6Ch], sp
		inc	edx

loc_8BCFAF:				; CODE XREF: PAGE:008BCF85j
					; PAGE:008BCF72j
		imul	esp, [ecx+73h],	20202020h
		and	[eax], ah
		and	[eax], ah
		cmp	eax, 0A752520h

loc_8BCFBF:				; CODE XREF: PAGE:loc_8BCF5Cj
		jl	short near ptr loc_8BCFE8+6
		sub	eax, 63794320h
		insb
		db	65h
		inc	ebx
		outsd
		jnz	short ??_C@_0CA@NILBEDJH@Battery?5charging?5state?5adequate@NNGAKEGL@
		jz	short near ptr loc_8BCFE8+6
		and	[eax], ah

loc_8BCFD0:				; CODE XREF: PAGE:008BCFA2j
		and	[eax], ah

loc_8BCFD2:				; CODE XREF: PAGE:008BCF8Fj
		and	[eax], ah
		and	[eax], ah
		and	ds:0A752520h, bh
		add	ah, cl

??_C@_0BB@PMCEFKNF@Battery?5Critical@NNGAKEGL@:	; CODE XREF: PAGE:008BCF70j
					; DATA XREF: PopBatteryWorker+A03A0o ...
		inc	edx
		popa
		jz	short loc_8BD056
		db	65h
		jb	short loc_8BD05E
		and	[ebx+72h], al

loc_8BCFE8:				; CODE XREF: PAGE:008BCF75j
					; PAGE:loc_8BCFBFj ...
		imul	esi, [ecx+ebp*2+63h], 0CC006C61h

??_C@_0BN@OMAGIAMP@Battery?5charge?5limiting?5mode@NNGAKEGL@:
					; DATA XREF: PopBatteryWorker+A03B8o
					; PopAccountCbEnergyChange+A06DBo ...
		inc	edx
		popa
		jz	short loc_8BD068
		db	65h
		jb	short near ptr loc_8BD06F+1
		and	[ebx+68h], ah
		popa

loc_8BCFFB:				; CODE XREF: PAGE:008BCF8Dj
		jb	short ??_C@_0BE@HBALMBOB@Battery?5Discharging@NNGAKEGL@
		and	gs:[ecx+ebp*2+6Dh], ch

loc_8BD002:				; CODE XREF: PAGE:008BCF92j
		imul	esi, [ecx+ebp*2+6Eh], 6F6D2067h
		db	64h, 65h
		add	ah, cl

??_C@_0CM@BIFDFPBB@Battery?5charging?5state?5power?5su@NNGAKEGL@:
					; DATA XREF: PopBatteryWorker+A03D0o
					; PopAccountCbEnergyChange+A06F2o ...
		inc	edx
		popa
		jz	short near ptr loc_8BD085+1

loc_8BD012:				; CODE XREF: PAGE:008BCFA9j
		db	65h
		jb	short loc_8BD08E
		and	[ebx+68h], ah
		popa
		jb	short near ptr loc_8BD081+1
		imul	ebp, [esi+67h],	61747320h
		jz	short near ptr loc_8BD087+2
		and	[eax+6Fh], dh
		ja	short loc_8BD08E
		jb	short near ptr loc_8BD047+4
		jnb	short loc_8BD0A2
		jo	short near ptr loc_8BD09D+2
		insb
		jns	short near ptr loc_8BD050+2
		jo	short near ptr loc_8BD0A5+1
		db	65h
		jnb	short near ptr loc_8BD09B+1
		outsb
		jz	short $+2

??_C@_0CA@NILBEDJH@Battery?5charging?5state?5adequate@NNGAKEGL@: ; CODE	XREF: PAGE:008BCFCAj
					; DATA XREF: PopBatteryWorker+A03EDo ...
		inc	edx
		popa
		jz	short near ptr loc_8BD0AF+3
		db	65h
		jb	short near ptr loc_8BD0B8+2
		and	[ebx+68h], ah
		popa
		jb	short loc_8BD0AE

loc_8BD047:				; CODE XREF: PAGE:008BD029j
		imul	ebp, [esi+67h],	61747320h
		jz	short loc_8BD0B5

loc_8BD050:				; CODE XREF: PAGE:008BD030j
		and	[ecx+64h], ah
		db	65h
		jno	short near ptr loc_8BD0CA+1

loc_8BD056:				; CODE XREF: PAGE:008BCFE0j
		popa
		jz	short near ptr loc_8BD0BD+1
		add	[ebx+eax*2+20h], al ; DATA XREF: PopBatteryWorker+A035Ao
					; PopAccountCbEnergyChange+A0686o ...
		push	eax

loc_8BD05E:				; CODE XREF: PAGE:008BCFE2j
		outsd
		ja	short near ptr loc_8BD0C2+4
		jb	short $+2
		int	3		; Trap to Debugger

??_C@_0BE@HBALMBOB@Battery?5Discharging@NNGAKEGL@: ; CODE XREF:	PAGE:loc_8BCFFBj
					; DATA XREF: PopBatteryWorker+A0370o ...
		inc	edx
		popa
		jz	short near ptr loc_8BD0DB+1

loc_8BD068:				; CODE XREF: PAGE:008BCFF2j
		db	65h
		jb	short near ptr loc_8BD0E1+3
		and	[ecx+ebp*2+73h], al

loc_8BD06F:				; CODE XREF: PAGE:008BCFF4j
		arpl	[eax+61h], bp
		jb	short loc_8BD0DB
		imul	ebp, [esi+67h],	42002D00h ; DATA XREF: PopBatteryWorker+A036Bo
					; PopAccountCbEnergyChange+A0592o ...
		popa
		jz	short near ptr loc_8BD0ED+5
		db	65h
		jb	short near ptr loc_8BD0F9+1

loc_8BD081:				; CODE XREF: PAGE:008BD019j
		and	[ebx+68h], al
		popa

loc_8BD085:				; CODE XREF: PAGE:008BD010j
		jb	short near ptr loc_8BD0ED+1

loc_8BD087:				; CODE XREF: PAGE:008BD022j
					; DATA XREF: PopEstimateChargeTime()+194o
		imul	ebp, [esi+67h],	6843CC00h

loc_8BD08E:				; CODE XREF: PAGE:loc_8BD012j
					; PAGE:008BD027j
		popa
		jb	short near ptr loc_8BD0F7+1
		and	gs:[ecx+ebp*2+6Dh], dh
		cmp	ah, gs:[eax]
		push	edx
		popa

loc_8BD09B:				; CODE XREF: PAGE:008BD034j
		jz	short near ptr loc_8BD101+1

loc_8BD09D:				; CODE XREF: PAGE:008BD02Dj
		cmp	eax, 646C6C25h

loc_8BD0A2:				; CODE XREF: PAGE:008BD02Bj
		and	[ebx+61h], al

loc_8BD0A5:				; CODE XREF: PAGE:008BD032j
		jo	short loc_8BD0FB
		outsd
		inc	ebx
		push	6C253D67h

loc_8BD0AE:				; CODE XREF: PAGE:008BD045j
		insb

loc_8BD0AF:				; CODE XREF: PAGE:008BD03Cj
		and	fs:[ebp+61h], cl
		js	short near ptr loc_8BD106+1

loc_8BD0B5:				; CODE XREF: PAGE:008BD04Ej
		popa
		jz	short loc_8BD11D

loc_8BD0B8:				; CODE XREF: PAGE:008BD03Ej
		cmp	eax, 646C6C25h

loc_8BD0BD:				; CODE XREF: PAGE:008BD057j
		and	[ebp+73h], al
		jz	short near ptr loc_8BD0FE+1

loc_8BD0C2:				; CODE XREF: PAGE:008BD05Fj
		and	eax, 0A646C6Ch
		add	[edx+61h], al	; DATA XREF: PopBatteryEstimatesSpoiled():loc_9B2906o

loc_8BD0CA:				; CODE XREF: PAGE:008BD053j
		jz	short near ptr loc_8BD13F+1
		db	65h
		jb	short loc_8BD148
		and	[ebp+73h], ah
		jz	short near ptr loc_8BD137+6
		insd
		popa
		jz	short near ptr loc_8BD137+6
		and	[ebx+75h], dh

loc_8BD0DB:				; CODE XREF: PAGE:008BD072j
					; PAGE:008BD066j
		jo	short near ptr loc_8BD14A+3
		jb	short near ptr loc_8BD142+2
		jnb	short near ptr loc_8BD152+2

loc_8BD0E1:				; CODE XREF: PAGE:loc_8BD068j
		db	65h
		or	al, fs:[eax]
		int	3		; Trap to Debugger

??_C@_0N@MEHIGHAC@indefinitely@NNGAKEGL@: ; DATA XREF: PopSpoilBatteryEstimate(x,x)+49o
		imul	ebp, [esi+64h],	6E696665h

loc_8BD0ED:				; CODE XREF: PAGE:loc_8BD085j
					; PAGE:008BD07Cj
					; DATA XREF: ...
		imul	esi, [ebp+6Ch],	74CC0079h
		db	65h
		insd

loc_8BD0F7:				; CODE XREF: PAGE:008BD08Fj
		jo	short near ptr loc_8BD164+4

loc_8BD0F9:				; CODE XREF: PAGE:008BD07Ej
		jb	short near ptr loc_8BD15B+1

loc_8BD0FB:				; CODE XREF: PAGE:loc_8BD0A5j
		jb	short near ptr loc_8BD164+2
		insb

loc_8BD0FE:				; CODE XREF: PAGE:008BD0C0j
		jns	short $+2

??_C@_0BH@BFPPAGEL@Relative?5Capacity?5Unit@NNGAKEGL@: ; DATA XREF: PopBatteryWorker+A0500o
					; PopAccountCbEnergyChange+A05CAo ...
		push	edx

loc_8BD101:				; CODE XREF: PAGE:loc_8BD09Bj
		db	65h
		insb
		popa
		jz	short loc_8BD16F

loc_8BD106:				; CODE XREF: PAGE:008BD0B3j
		jbe	short loc_8BD16D
		and	[ebx+61h], al
		jo	short loc_8BD16E
		arpl	[ecx+74h], bp
		jns	short loc_8BD132
		push	ebp
		outsb
		imul	esi, [eax+eax-34h], 2068576Dh ;	DATA XREF: PopBatteryWorker+A0597o
		push	ebp

loc_8BD11D:				; CODE XREF: PAGE:008BD0B6j
		outsb

loc_8BD11E:				; DATA XREF: PopSpoilBatteryEstimate(x,x)+5Fo
		imul	esi, [eax+eax-34h], 74746142h
		db	65h
		jb	short near ptr ??_C@_0CF@FJDBEHMB@PopPep?3?5register?5device?5?$CI0x?$CFp?0?5@NNGAKEGL@+10h
		and	[ebp+73h], ah
		jz	short near ptr ??_C@_0CF@FJDBEHMB@PopPep?3?5register?5device?5?$CI0x?$CFp?0?5@NNGAKEGL@+5
		insd
		popa
		jz	short near ptr ??_C@_0CF@FJDBEHMB@PopPep?3?5register?5device?5?$CI0x?$CFp?0?5@NNGAKEGL@+5

loc_8BD132:				; CODE XREF: PAGE:008BD110j
		jnb	short near ptr loc_8BD152+2
		jnb	short near ptr ??_C@_0CF@FJDBEHMB@PopPep?3?5register?5device?5?$CI0x?$CFp?0?5@NNGAKEGL@+14h
		outsd

loc_8BD137:				; CODE XREF: PAGE:008BD0D2j
					; PAGE:008BD0D6j
		imul	ebp, [ebp+64h],	20732520h

loc_8BD13F:				; CODE XREF: PAGE:loc_8BD0CAj
		bound	edi, [ecx+20h]

loc_8BD142:				; CODE XREF: PAGE:008BD0DDj
		and	eax, 6D203B64h
		popa

loc_8BD148:				; CODE XREF: PAGE:008BD0CCj
		jnb	short near ptr ??_C@_0CF@FJDBEHMB@PopPep?3?5register?5device?5?$CI0x?$CFp?0?5@NNGAKEGL@+23h

loc_8BD14A:				; CODE XREF: PAGE:loc_8BD0DBj
		cmp	eax, 0A7825h
		int	3		; Trap to Debugger

??_C@_0BL@IEGKJEJE@Energy?5Counter?5Unavailable@NNGAKEGL@:
					; DATA XREF: PopAccountCbEnergyChange+A059Do
					; PopAccountBatteryEnergyChange(x)+19Do
		inc	ebp
		outsb

loc_8BD152:				; CODE XREF: PAGE:008BD0DFj
					; PAGE:loc_8BD132j
		db	65h
		jb	short loc_8BD1BC
		jns	short near ptr loc_8BD175+2
		inc	ebx
		outsd
		jnz	short near ptr loc_8BD1C4+5

loc_8BD15B:				; CODE XREF: PAGE:loc_8BD0F9j
		jz	short loc_8BD1C2
		jb	short near ptr loc_8BD17E+1
		push	ebp
		outsb
		popa
		jbe	short near ptr loc_8BD1C4+1

loc_8BD164:				; CODE XREF: PAGE:loc_8BD0FBj
					; PAGE:loc_8BD0F7j
		imul	ebp, [ecx+62h],	0CC00656Ch

??_C@_0BA@DBAOEMLN@FCC?5Unavailable@NNGAKEGL@: ; DATA XREF: PopAccountCbEnergyChange+A05E1o
					; PopAccountBatteryEnergyChange(x)+23Ao
		inc	esi

loc_8BD16D:				; CODE XREF: PAGE:loc_8BD106j
		inc	ebx

loc_8BD16E:				; CODE XREF: PAGE:008BD10Bj
		inc	ebx

loc_8BD16F:				; CODE XREF: PAGE:008BD104j
		and	[ebp+6Eh], dl
		popa
		jbe	short loc_8BD1D6

loc_8BD175:				; CODE XREF: PAGE:008BD155j
					; DATA XREF: PopAccountCbEnergyChange+A05F8o ...
		imul	ebp, [ecx+62h],	4300656Ch
		popa

loc_8BD17E:				; CODE XREF: PAGE:008BD15Dj
		jo	short near ptr loc_8BD1DE+3
		arpl	[ecx+74h], bp
		jns	short near ptr ??_C@_0CF@FJDBEHMB@PopPep?3?5register?5device?5?$CI0x?$CFp?0?5@NNGAKEGL@+13h
		push	ebp
		outsb
		popa
		jbe	short near ptr loc_8BD1EA+1
		imul	ebp, [ecx+62h],	0CC00656Ch
; 
; char ??_C[]
??_C@_0CF@FJDBEHMB@PopPep?3?5register?5device?5?$CI0x?$CFp?0?5@NNGAKEGL@ db 'PopPep: register device (0x%p, %wZ)',0Ah,0
					; CODE XREF: PAGE:008BD12Cj
					; PAGE:008BD130j
					; DATA XREF: ...
		align 4

; char ??_C
??_C@_0CC@JGJLDCMO@PopPep?3?5unregister?5device?5?$CI0x?$CFp@NNGAKEGL@:
					; DATA XREF: PopPepUnregisterDevice(x)+8o
		push	eax
		outsd
		jo	short near ptr loc_8BD20B+1

loc_8BD1BC:				; CODE XREF: PAGE:loc_8BD152j
		db	65h
		jo	short near ptr ??_C@_0BG@HKNPJPGK@Deferring?5doze?5to?5S4?6@NNGAKEGL@+5
		and	[ebp+6Eh], dh

loc_8BD1C2:				; CODE XREF: PAGE:loc_8BD15Bj
		jb	short loc_8BD229

loc_8BD1C4:				; CODE XREF: PAGE:008BD162j
					; PAGE:008BD159j
		imul	esi, [bp+di+74h], 64207265h
		db	65h
		jbe	short loc_8BD238
		arpl	[ebp+20h], sp
		sub	[eax], dh
		js	short near ptr ??_C@_0BG@HKNPJPGK@Deferring?5doze?5to?5S4?6@NNGAKEGL@+7

loc_8BD1D6:				; CODE XREF: PAGE:008BD173j
		jo	short near ptr ??_C@_0BG@HKNPJPGK@Deferring?5doze?5to?5S4?6@NNGAKEGL@+0Dh
		or	al, [eax]

??_C@_1BK@BDJAGJBB@?$AAD?$AAr?$AAi?$AAp?$AAs?$AAD?$AAi?$AAv?$AAe?$AAr?$AAg?$AAe@NNGAKEGL@:
					; DATA XREF: PopDripsWatchdogCheckHwDivergence(x,x,x,x)+8Eo
		inc	esp
		add	[edx+0], dh

loc_8BD1DE:				; CODE XREF: PAGE:loc_8BD17Ej
		imul	eax, [eax], 730070h
		inc	esp
		add	[ecx+0], ch
		jbe	short $+2

loc_8BD1EA:				; CODE XREF: PAGE:008BD188j
		add	gs:[edx+0], dh
		add	[di+0],	ah
; 
		dw 0
??_C@_0BG@HKNPJPGK@Deferring?5doze?5to?5S4?6@NNGAKEGL@ db 'Deferring doze to S4',0Ah,0
					; CODE XREF: PAGE:loc_8BD1BCj
					; PAGE:008BD1D4j ...
; 

??_C@_1KE@DHGFLKAG@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@:
					; DATA XREF: PopDetectSimulatedHeteroProcessors+2Bo
		pop	esp

loc_8BD20B:				; CODE XREF: PAGE:008BD1BAj
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		inc	ecx
		add	[ebx+0], al
		dec	eax
		add	[ecx+0], cl
		dec	esi

loc_8BD229:				; CODE XREF: PAGE:loc_8BD1C2j
		add	[ebp+0], al
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al

loc_8BD238:				; CODE XREF: PAGE:008BD1CCj
		dec	ebp
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[eax+eax+4Bh], bl
		add	[edi+0], al
		jb	short $+2
		outsd
		add	[ebp+0], dh
		jo	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CG@NAOAFBPG@?$AAS?$AAm?$AAa?$AAl?$AAl?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AAM@NNGAKEGL@:
					; DATA XREF: PopDetectSimulatedHeteroProcessors+8E9BAo
		push	ebx
		add	[ebp+0], ch
		popa
		add	[eax+eax+6Ch], ch
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		outsd
		add	[edx+0], dh
		dec	ebp
		add	[ecx+0], ah
		jnb	short $+2
		imul	eax, [eax], 0
; 
		db 0
??_C@_1GG@MENCCAOO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@:
					; DATA XREF: PopConfigureHeteroPolicies(x,x)+1E5o
		unicode	0, <\Registry\MACHINE\SYSTEM\CurrentControlSet\Control>,0
; 

??_C@_1BO@PKDNPFIL@?$AAP?$AAP?$AAM?$AA_?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AA_@NNGAKEGL@:
					; DATA XREF: PpmWmiRegisterInfo+7Eo
		push	eax
		add	[eax+0], dl
		dec	ebp
		add	[edi+0], bl
		push	eax
		add	[edx+0], dh
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		outsd
		add	[edx+0], dh
		pop	edi
; 
		db 3 dup(0)
; wchar_t ??_C
??_C@_19HEPLDNLP@?$AA?$CF?$AAs?$AA?$CF?$AAd@NNGAKEGL@: ; DATA XREF: PpmWmiRegisterInfo+88o
		unicode	0, <%s%d>,0
; 

; char ??_C
??_C@_0EA@HAJBOCIE@Power?5button?5hold?5update?5?$CIdown?3@NNGAKEGL@:
					; DATA XREF: PopPublishPowerButtonState(x)+13o
		push	eax
		outsd
		ja	short loc_8BD3CB
		jb	short near ptr loc_8BD387+1
		bound	esi, [ebp+74h]
		jz	short near ptr ??_C@_1DM@EGKJDIJH@?$AAT?$AAi?$AAm?$AAe?$AAr?$AA?$CI?$AAC?$AAo?$AAm?$AAp?$AAo?$AAn?$AAe?$AAn?$AAt@NNGAKEGL@+4
		outsb
		and	[eax+6Fh], ch
		insb
		and	fs:[ebp+70h], dh
		db	64h
		popa
		jz	short near ptr ??_C@_1DM@EGKJDIJH@?$AAT?$AAi?$AAm?$AAe?$AAr?$AA?$CI?$AAC?$AAo?$AAm?$AAp?$AAo?$AAn?$AAe?$AAn?$AAt@NNGAKEGL@+7
		and	[eax], ch
		outs	dx, dword ptr fs:[esi]
		ja	short near ptr ??_C@_1DM@EGKJDIJH@?$AAT?$AAi?$AAm?$AAe?$AAr?$AA?$CI?$AAC?$AAo?$AAm?$AAp?$AAo?$AAn?$AAe?$AAn?$AAt@NNGAKEGL@+16h
		cmp	ah, [eax]
		and	eax, 74202C64h

loc_8BD387:				; CODE XREF: PAGE:008BD366j
		imul	ebp, [ebp+65h],	6425203Ah
		and	[ebp+73h], ch
		sub	al, 20h
		jnb	short near ptr ??_C@_1DM@EGKJDIJH@?$AAT?$AAi?$AAm?$AAe?$AAr?$AA?$CI?$AAC?$AAo?$AAm?$AAp?$AAo?$AAn?$AAe?$AAn?$AAt@NNGAKEGL@+22h
		jno	short near ptr ??_C@_1DM@EGKJDIJH@?$AAT?$AAi?$AAm?$AAe?$AAr?$AA?$CI?$AAC?$AAo?$AAm?$AAp?$AAo?$AAn?$AAe?$AAn?$AAt@NNGAKEGL@+34h
		outs	dx, byte ptr gs:[esi]
		arpl	[ebp+3Ah], sp
		and	ds:0A2964h, ah
; 
??_C@_1BM@BCFBFHLN@?$AA?$DM?$AAu?$AAn?$AAs?$AAp?$AAe?$AAc?$AAi?$AAf?$AAi?$AAe?$AAd?$AA?$DO@NNGAKEGL@ dd	offset loc_75003C
					; DATA XREF: PpmEventTraceCoordinatedIdleStates()+DEo
					; PpmEventTraceProcessorIdle(x)+16Do
		dw 6Eh
aSpecified:
		unicode	0, <specified>
		dw 3Eh
		unicode	0, <>,0
; 

; void ??_C
??_C@_15JOGBDECP@?$AA?0?$AA?5@NNGAKEGL@:
					; DATA XREF: PopIdleWakeGenerateDescriptionString(x,x)+219o
					; AdtpBuildReplacementString(x,x)+41o
		sub	al, 0
		and	[eax], al
; 
		dw 0
; 

; wchar_t ??_C
??_C@_1BE@OMOPHHFG@?$AA?$CF?$AAs?$AA?$CL?$AA0?$AAx?$AA?$CF?$AA0?$AA8?$AAX@NNGAKEGL@:
					; DATA XREF: PopIdleWakeSystemImageCallback(x,x)+81o
		and	eax, 2B007300h
		add	[eax], dh

loc_8BD3CB:				; CODE XREF: PAGE:008BD364j
		add	[eax+0], bh
		and	eax, 38003000h
		add	[eax+0], bl
; 
		dw 0
??_C@_1DM@EGKJDIJH@?$AAT?$AAi?$AAm?$AAe?$AAr?$AA?$CI?$AAC?$AAo?$AAm?$AAp?$AAo?$AAn?$AAe?$AAn?$AAt@NNGAKEGL@:
					; CODE XREF: PAGE:008BD36Bj
					; PAGE:008BD378j
					; DATA XREF: ...
		unicode	0, <Timer(Component:Index): %d:%d>,0
??_C@_1DC@FCCKNOPN@?$AAT?$AAi?$AAm?$AAe?$AAr?$AA?$CI?$AAN?$AAa?$AAm?$AAe?$AA?3?$AAI?$AAn?$AAd?$AAe@NNGAKEGL@:
					; DATA XREF: PopIdleWakeGenerateDescriptionString(x,x)+13Bo
		unicode	0, <Timer(Name:Index): %s:%s>,0
; wchar_t ??_C
??_C@_1DC@JPOELBNL@?$AAT?$AAi?$AAm?$AAe?$AAr?$AA?$CI?$AAN?$AAa?$AAm?$AAe?$AA?3?$AAI?$AAn?$AAd?$AAe@NNGAKEGL@ db	'T',0
					; DATA XREF: PopIdleWakeGenerateDescriptionString(x,x)+145o
aImerNameIndexS:
		unicode	0, <imer(Name:Index): %s:%d>,0
??_C@_1BI@BGBJMENA@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAr?$AAu?$AAp?$AAt?$AA?3?$AA?5@NNGAKEGL@:
					; DATA XREF: PopIdleWakeGenerateDescriptionString(x,x)+1E5o
		unicode	0, <Interrupt: >,0
??_C@_0CE@KAAOFAEO@PopAdaptive?3?5Session?5?$CFu?5is?5star@NNGAKEGL@ db	'PopAdaptive: Session %u is started',0Ah,0
					; DATA XREF: PopSessionCreated(x)+6o
??_C@_0CD@NJJOGIFI@PopAdaptive?3?5Session?5?$CFu?5is?5clos@NNGAKEGL@ db	'PopAdaptive: Session %u is closed',0Ah,0
					; DATA XREF: PopSessionClosed(x)+6o
		align 4
??_C@_09NJLBODLJ@Connected@NNGAKEGL@ db	'Connected',0
					; DATA XREF: PopSessionConnectionChange(x,x,x)+18o
??_C@_06GFKCFIPE@Locked@NNGAKEGL@ db 'Locked',0
					; DATA XREF: PopSessionWinlogonNotification(x,x)+36o
		align 2

;  S U B	R O U T	I N E 


??_C@_08CMNOBMAI@Unlocked@NNGAKEGL@ proc near
					; DATA XREF: PopSessionWinlogonNotification(x,x)+3Fo
		push	ebp
		outsb
??_C@_08CMNOBMAI@Unlocked@NNGAKEGL@ endp

		insb
		outsd
		arpl	[ebx+65h], bp
		db	64h
		add	ah, cl
; 
??_C@_0CH@NLKNEIKC@PopAdaptive?3?$DO?$DO?$DO?$DO?$DO?5?$CFs?5session?5?$CFu@NNGAKEGL@ db 'PopAdaptive:>>>>> %s session %u is %s',0Ah,0
					; DATA XREF: PopSessionWinlogonNotification(x,x)+55o
		align 4
??_C@_06MAFFGDO@Active@NNGAKEGL@ db 'Active',0 ; DATA XREF: PopSessionInputChange(x,x,x)+Co
		align 4
??_C@_0N@NFBNFHML@Disconnected@NNGAKEGL@ db 'Disconnected',0
					; DATA XREF: PopSessionConnectionChange(x,x,x):loc_86F5ECo
		align 2
??_C@_07PGLPGHFC@Console@NNGAKEGL@ db 'Console',0
					; DATA XREF: PopSessionInputChange(x,x,x)+29o
					; PopSessionConnectionChange(x,x,x):loc_86F5AFo ...
??_C@_06MHHFENDB@Remote@NNGAKEGL@ db 'Remote',0
					; DATA XREF: PopSessionInputChange(x,x,x):loc_840FF8o
					; PopSessionConnectionChange(x,x,x)+2Ao ...
		align 2
??_C@_0CG@IDDEKBJG@PopAdaptive?3?$DO?$DO?$DO?$DO?$DO?$CFs?5session?5?$CFu?5@NNGAKEGL@ db 'PopAdaptive:>>>>>%s session %u is %s',0Ah,0
					; DATA XREF: PopSessionConnectionChange(x,x,x)+32o
; 

??_C@_0CN@FOABAFD@PopAdaptive?3?5?$CFsSession?5?$CFu?5displ@NNGAKEGL@:
					; DATA XREF: PopSetSessionDisplayStatus(x,x,x)+2Fo
		push	eax
		outsd
		jo	short near ptr loc_8BD5A7+6
		db	64h
		popa
		jo	short near ptr ??_C@_0EA@LNCIJMCD@PopAdaptive?3?5Global?5user?5presen@NNGAKEGL@+14h
		imul	esi, [esi+65h],	7325203Ah
		push	ebx
		db	65h
		jnb	short near ptr ??_C@_0EA@LNCIJMCD@PopAdaptive?3?5Global?5user?5presen@NNGAKEGL@+1Eh
		imul	ebp, [edi+6Eh],	20752520h
		imul	esi, fs:[ebx+70h], 2079616Ch
		jnb	short near ptr ??_C@_0EA@LNCIJMCD@PopAdaptive?3?5Global?5user?5presen@NNGAKEGL@+30h
		popa
		jz	short near ptr ??_C@_0EA@LNCIJMCD@PopAdaptive?3?5Global?5user?5presen@NNGAKEGL@+24h
		cmp	ah, [eax]
		and	eax, 0CC000A75h

??_C@_0DK@LPHCJPDP@PopAdaptive?3?5Session?5?$CFu?5user?5pr@NNGAKEGL@:
					; DATA XREF: PopSetSessionUserStatus(x,x)+2Co
		push	eax
		outsd
		jo	short near ptr ??_C@_0EA@LNCIJMCD@PopAdaptive?3?5Global?5user?5presen@NNGAKEGL@+0Bh
		db	64h
		popa
		jo	short near ptr ??_C@_0CN@MDILNJAB@PopAdaptive?3?5?$DO?$DO?$DO?$DO?$DO?5Policy?5param@NNGAKEGL@+2
		imul	esi, [esi+65h],	6553203Ah
		jnb	short near ptr ??_C@_0CN@MDILNJAB@PopAdaptive?3?5?$DO?$DO?$DO?$DO?$DO?5Policy?5param@NNGAKEGL@+0Ah

loc_8BD5A7:				; CODE XREF: PAGE:008BD56Aj
		imul	ebp, [edi+6Eh],	20752520h
		jnz	short near ptr ??_C@_0CN@MDILNJAB@PopAdaptive?3?5?$DO?$DO?$DO?$DO?$DO?5Policy?5param@NNGAKEGL@+13h
		db	65h
		jb	short near ptr ??_C@_0EA@LNCIJMCD@PopAdaptive?3?5Global?5user?5presen@NNGAKEGL@+3
		jo	short near ptr ??_C@_0CN@MDILNJAB@PopAdaptive?3?5?$DO?$DO?$DO?$DO?$DO?5Policy?5param@NNGAKEGL@+17h
		db	65h
		jnb	short near ptr ??_C@_0CN@MDILNJAB@PopAdaptive?3?5?$DO?$DO?$DO?$DO?$DO?5Policy?5param@NNGAKEGL@+0Dh
		outsb
		arpl	[ebp+2Fh], sp
		popa
		arpl	[ecx+ebp*2+76h], si
		imul	esi, [ecx+edi*2+20h], 74617473h
		cmp	ah, gs:[eax]
; 
		dd 0A5325h
??_C@_0EA@LNCIJMCD@PopAdaptive?3?5Global?5user?5presen@NNGAKEGL@ db 'PopAdaptive: Global user presence/activity state: %S id: %I32u',0Ah,0
					; CODE XREF: PAGE:008BD5B0j
					; PAGE:008BD598j
					; DATA XREF: ...
??_C@_0CN@MDILNJAB@PopAdaptive?3?5?$DO?$DO?$DO?$DO?$DO?5Policy?5param@NNGAKEGL@	db 'PopAdaptive: >>>>> Policy parameters change',0Ah,0
					; CODE XREF: PAGE:008BD59Cj
					; PAGE:008BD5A5j ...
		align 2
??_C@_07NPCGECPI@Passive@NNGAKEGL@ db 'Passive',0
					; DATA XREF: PopSessionInputChange(x,x,x)+1Co
??_C@_0CN@DEKNCEJP@PopAdaptive?3?$DO?$DO?$DO?$DO?$DO?5?$CFs?5session?5?$CFu@NNGAKEGL@ db 'PopAdaptive:>>>>> %s session %u input is %s',0Ah,0
					; DATA XREF: PopSessionInputChange(x,x,x)+36o
		align 4
??_C@_05BBJIGCBD@?$DO?$DO?$DO?$DO?$DO@NNGAKEGL@	dd 3E3E3E3Eh
					; DATA XREF: PopSetSessionDisplayStatus(x,x,x)+20o
		db 3Eh,	0
; 

??_C@_00CNPNBAHC@@NNGAKEGL@:		; DATA XREF: PopUpdateTimeouts(x,x,x)+36o
					; PopUpdateTimeouts(x,x,x)+70o	...
		add	ah, cl
; 
??_C@_08IMIDLJHM@Computed@NNGAKEGL@ db 'Computed',0
					; DATA XREF: PopUpdateTimeouts(x,x,x):loc_8412B6o
		align 2
??_C@_04HIBGFPH@NULL@NNGAKEGL@ db 'NULL',0 ; DATA XREF: PopUpdateTimeouts(x,x,x):loc_8412C9o
		align 4
??_C@_0EK@LADGLMEH@PopAdaptive?3?5Console?5session?5?$CFu@NNGAKEGL@ db 'PopAdaptive: Console session %u timeouts: %s%s Display:%u,: %s%sI'
					; DATA XREF: PopUpdateTimeouts(x,x,x)+8Co
		db 'nput:%u',0Ah,0
??_C@_1CC@GFDAHDL@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAU?$AAs?$AAe?$AAr?$AAP?$AAr?$AAe?$AAs?$AAe?$AAn@NNGAKEGL@	db 'P',0
					; DATA XREF: PopPrintUserActivityPresence(x):loc_8415E5o
		dd offset loc_77006B+4
aEruserpresent:
		unicode	0, <erUserPresent>,0
??_C@_0CE@EMIHCFNH@PopAdaptive?3?5Input?5timeout?3?5?$CFu?9@NNGAKEGL@ db 'PopAdaptive: Input timeout: %u->%u',0Ah,0
					; DATA XREF: PopCheckConsoleTimeouts()+51o
??_C@_0CG@JOMKCNGF@PopAdaptive?3?5Display?5timeout?3?5?$CF@NNGAKEGL@ db	'PopAdaptive: Display timeout: %u->%u',0Ah,0
					; DATA XREF: PopCheckConsoleTimeouts()+C6o
??_C@_06BCNFPLAD@Zeroed@NNGAKEGL@ db 'Zeroed',0
					; DATA XREF: PopUpdateTimeouts(x,x,x):loc_841295o
		align 2

??_C@_06FFEJIFDJ@?5NULL?5@NNGAKEGL@:	; DATA XREF: PopUpdateTimeouts(x,x,x):loc_8412B1o
		and	[esi+55h], cl
		dec	esp
		dec	esp
		and	[eax], al
		int	3		; Trap to Debugger

??_C@_1CI@BEOFJHFK@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAU?$AAs?$AAe?$AAr?$AAN?$AAo?$AAt?$AAP?$AAr?$AAe@NNGAKEGL@:
					; DATA XREF: PopPrintUserActivityPresence(x):loc_8415F1o
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		push	ebp
		add	[ebx+0], dh
		add	gs:[edx+0], dh
		dec	esi
		add	[edi+0], ch
		jz	short $+2
		push	eax
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		add	gs:[esi+0], ch
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CE@KDFOPCHJ@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAU?$AAs?$AAe?$AAr?$AAI?$AAn?$AAa?$AAc?$AAt?$AAi@NNGAKEGL@:
					; DATA XREF: PopPrintUserActivityPresence(x)+Fo
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		push	ebp
		add	[ebx+0], dh
		add	gs:[edx+0], dh
		dec	ecx
		add	[esi+0], ch
		popa
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 650076h
; 
		db 2 dup(0)
; 

??_C@_1BA@EOKOFGEP@?$AAI?$AAn?$AAv?$AAa?$AAl?$AAi?$AAd@NNGAKEGL@:
					; DATA XREF: PopPrintUserActivityPresence(x):loc_8415EBo
		dec	ecx
		add	[esi+0], ch
		jbe	short $+2
		popa
		add	[eax+eax+69h], ch
		add	[eax+eax+0], ah
		add	[eax+0], dl	; DATA XREF: PopWin32CalloutWatchdogCallbackLiveDump(x,x,x,x,x,x)+19o
		outsd
		add	[edi+0], dl
		xor	eax, [eax]
		xor	al, [eax]
		imul	eax, [eax], 57h
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6F006400h
		add	[edi+0], ah
; 
		dw 0
??_C@_1HA@HJKOIFFF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PopCadTriggerDriverLoad(x)+26o
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Services\CAD>,0
??_C@_1BM@OFPLGABH@?$AAw?$AAi?$AAn?$AAr?$AAe?$AAs?$AAu?$AAm?$AAe?$AA?4?$AAe?$AAf?$AAi@NNGAKEGL@:
					; DATA XREF: PopBcdSetDefaultResumeObjectElements+10Bo
		unicode	0, <winresume.efi>,0
??_C@_1BM@JGPBLMEE@?$AAw?$AAi?$AAn?$AAr?$AAe?$AAs?$AAu?$AAm?$AAe?$AA?4?$AAe?$AAx?$AAe@NNGAKEGL@:
					; DATA XREF: PopBcdSetDefaultResumeObjectElements+118o
		unicode	0, <winresume.exe>,0
??_C@_15NLNBCPEE@?$AAv?$AA1@NNGAKEGL@:	; DATA XREF: PpmRegisterSpmSettings(x)+28o
		unicode	0, <v1>,0
; 

??_C@_1BM@DADMLMO@?$AAV?$AAi?$AAd?$AAe?$AAo?$AAB?$AAa?$AAt?$AAc?$AAh?$AAi?$AAn?$AAg@NNGAKEGL@:
					; DATA XREF: PpmRegisterSpmSettings(x):loc_9BA9DFo
		push	esi
		add	[ecx+0], ch
		add	fs:[ebp+0], ah
		outsd
		add	[edx+0], al
		popa
		add	[eax+eax+63h], dh
		add	[eax+0], ch
		imul	eax, [eax], 67006Eh
; 
		db 2 dup(0)
; 

??_C@_1CK@NDPAMCI@?$AAP?$AAS?$AA4?$AA?5?$AAT?$AAr?$AAa?$AAn?$AAs?$AAi?$AAt?$AAi?$AAo?$AAn?$AA?5@NNGAKEGL@:
					; DATA XREF: PopDirectedDripsDiagRundownDevices()+E9o
		push	eax
		add	[ebx+0], dl
		xor	al, 0
		and	[eax], al
		push	esp
		add	[edx+0], dh
		popa
		add	[esi+0], ch
		jnb	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
		and	[eax], al
		inc	ebx
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+0], dh
; 
		db 0
??_C@_1BO@ONJLICHL@?$AAP?$AAr?$AAo?$AAb?$AAl?$AAe?$AAm?$AA?5?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@NNGAKEGL@:
					; DATA XREF: PopDirectedDripsDiagRundownDevices()+115o
		unicode	0, <Problem Device>,0
??_C@_1DC@LOGLNINF@?$AAI?$AAn?$AAi?$AAt?$AAi?$AAa?$AAt?$AAe?$AAd?$AA?5?$AAP?$AAS?$AA4?$AA?5?$AAT@NNGAKEGL@ db 'I',0
					; DATA XREF: PopDirectedDripsDiagRundownDevices()+145o
aNitiatedPs4Tra:
		unicode	0, <nitiated PS4 Transition>,0
??_C@_19ELAAHEEL@?$AAT?$AAR?$AAU?$AAE@NNGAKEGL@:
					; DATA XREF: PopDirectedDripsDiagCreateBlockerEntryBoolean(x,x,x)+1Eo
		unicode	0, <TRUE>,0
; wchar_t ??_C
??_C@_15GANGMFKL@?$AA?$CF?$AAs@NNGAKEGL@ db '%',0
					; DATA XREF: _CmGetCommonClassRegKeyPath+117E6Eo
					; PopDirectedDripsDiagCreateBlockerEntryBoolean(x,x,x)+25o ...
aS_0:
		unicode	0, <s>,0
??_C@_1CK@JLMDIOGK@?$AAD?$AAF?$AAX?$AA?5?$AAT?$AAr?$AAa?$AAn?$AAs?$AAi?$AAt?$AAi?$AAo?$AAn?$AA?5@NNGAKEGL@:
					; DATA XREF: PopDirectedDripsDiagRundownDevices()+BFo
		unicode	0, <DFX	Transition Count>,0
; 

??_C@_0BE@FGNJKCLK@Delete?5PowerRequest@NNGAKEGL@:
					; DATA XREF: PopStatsDeletePowerRequest(x)+2Ao
		inc	esp
		db	65h
		insb
		db	65h
		jz	short near ptr loc_8BD9B4+1
		and	[eax+6Fh], dl
		ja	short loc_8BD9BA
		jb	short near ptr loc_8BD9A8+1
		db	65h
		jno	short near ptr loc_8BD9CD+2
		db	65h
		jnb	short loc_8BD9D1

loc_8BD95D:				; DATA XREF: PopStatsMarkPowerRequestActive(x,x)+5Ao
		add	[eax+6Fh], dl
		ja	short near ptr loc_8BD9C5+2
		jb	short near ptr loc_8BD9B4+2
		db	65h
		jno	short near ptr loc_8BD9DB+1
		db	65h
		jnb	short near ptr loc_8BD9DD+1
		and	[ebx+65h], dl
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_0BD@LCGDJIEH@PowerRequest?5Clear@NNGAKEGL@:
					; DATA XREF: PopStatsMarkPowerRequestInactive(x,x)+5Ao
		push	eax
		outsd
		ja	short near ptr loc_8BD9D8+1
		jb	short loc_8BD9C8
		db	65h
		jno	short loc_8BD9EE
		db	65h
		jnb	short loc_8BD9F0
		and	[ebx+6Ch], al
		db	65h
		popa
		jb	short $+2
		int	3		; Trap to Debugger

??_C@_0BP@JDFINCKB@Power?5Request?5Blocking?5Started@NNGAKEGL@:
					; DATA XREF: PopStatsNotifyPowerRequestBlocking(x)+85o
		push	eax
		outsd
		ja	short loc_8BD9ED
		jb	short loc_8BD9AA
		push	edx
		db	65h
		jno	short loc_8BDA03
		db	65h
		jnb	short near ptr loc_8BDA03+2
		and	[edx+6Ch], al
		outsd
		arpl	[ebx+69h], bp
		outsb
		and	[bp+di+74h], dl
		popa
		jb	short loc_8BDA14
		db	65h, 64h
		add	ah, cl

??_C@_0BE@GFOKILEK@Create?5PowerRequest@NNGAKEGL@:
					; DATA XREF: PopStatsCreatePowerRequest(x)+43o
		inc	ebx
		jb	short loc_8BDA0C
		popa

loc_8BD9A8:				; CODE XREF: PAGE:008BD955j
		jz	short near ptr loc_8BDA0D+2

loc_8BD9AA:				; CODE XREF: PAGE:008BD988j
		and	[eax+6Fh], dl
		ja	short loc_8BDA14
		jb	short loc_8BDA03
		db	65h
		jno	short loc_8BDA29

loc_8BD9B4:				; CODE XREF: PAGE:008BD94Dj
					; PAGE:008BD962j
		db	65h
		jnb	short near ptr loc_8BDA29+2
; 
		db 0
; 

??_C@_0BN@FFEOBLLB@Power?5Request?5Blocking?5Ended@NNGAKEGL@:
					; DATA XREF: PopStatsNotifyPowerRequestBlocking(x)+49o
		push	eax
		outsd

loc_8BD9BA:				; CODE XREF: PAGE:008BD953j
		ja	short near ptr loc_8BDA1F+2
		jb	short near ptr loc_8BD9DD+1
		push	edx
		db	65h
		jno	short near ptr loc_8BDA34+3
		db	65h
		jnb	short near ptr loc_8BDA38+1

loc_8BD9C5:				; CODE XREF: PAGE:008BD960j
		and	[edx+6Ch], al

loc_8BD9C8:				; CODE XREF: PAGE:008BD974j
		outsd
		arpl	[ebx+69h], bp
		outsb

loc_8BD9CD:				; CODE XREF: PAGE:008BD957j
		and	[di+6Eh], al

loc_8BD9D1:				; CODE XREF: PAGE:008BD95Aj
		db	64h, 65h, 64h
		add	ah, cl

??_C@_08NOLPACJD@CS?5Entry@NNGAKEGL@:	; DATA XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+17o
		inc	ebx
		push	ebx

loc_8BD9D8:				; CODE XREF: PAGE:008BD972j
		and	[ebp+6Eh], al

loc_8BD9DB:				; CODE XREF: PAGE:008BD964j
		jz	short loc_8BDA4F

loc_8BD9DD:				; CODE XREF: PAGE:008BD967j
					; PAGE:008BD9BCj
		jns	short $+2
		int	3		; Trap to Debugger

??_C@_07BKJDAAJD@CS?5Exit@NNGAKEGL@:	; DATA XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+1Eo
		inc	ebx
		push	ebx
		and	[ebp+78h], al
		imul	esi, [eax+eax+53h], 7065656Ch
					; DATA XREF: PopPublishAndPurgePowerRequestStats(x,x,x)+144o

loc_8BD9ED:				; CODE XREF: PAGE:008BD986j
		push	ebx

loc_8BD9EE:				; CODE XREF: PAGE:008BD976j
		jz	short near ptr loc_8BDA63+2

loc_8BD9F0:				; CODE XREF: PAGE:008BD979j
		db	64h
		jns	short near ptr loc_8BDA12+1
		inc	edx
		insb
		outsd
		arpl	[ebx+65h], bp
		jb	short near ptr loc_8BDA19+2
		inc	ebp
		jbe	short loc_8BDA63
		outsb
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_1BM@GHLLGMBK@?$AAD?$AAr?$AAi?$AAp?$AAs?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg@NNGAKEGL@:
					; DATA XREF: PopDeepSleepWatchdogTakeAction(x,x)+85o
					; PopDripsWatchdogTakeAction(x,x,x)+24Fo
		inc	esp

loc_8BDA03:				; CODE XREF: PAGE:008BD98Bj
					; PAGE:008BD9AFj ...
		add	[edx+0], dh
		imul	eax, [eax], 730070h

loc_8BDA0C:				; CODE XREF: PAGE:008BD9A5j
		push	edi

loc_8BDA0D:				; CODE XREF: PAGE:loc_8BD9A8j
		add	[ecx+0], ah
		jz	short $+2

loc_8BDA12:				; CODE XREF: PAGE:loc_8BD9F0j
		arpl	[eax], ax

loc_8BDA14:				; CODE XREF: PAGE:008BD99Ej
					; PAGE:008BD9ADj
		push	6F006400h

loc_8BDA19:				; CODE XREF: PAGE:008BD9F9j
		add	[edi+0], ah
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1EE@LOGFODBK@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAS?$AAt?$AAu?$AAd?$AAy?$AAS?$AAe?$AAs?$AAs?$AAi@NNGAKEGL@ proc near
					; DATA XREF: SshpQueryRegistryValues()+24o
		push	ebx

loc_8BDA1F:				; CODE XREF: PAGE:loc_8BD9BAj
		add	[eax+eax+65h], ch
		add	[ebp+0], ah
		jo	short $+2
		push	ebx

loc_8BDA29:				; CODE XREF: PAGE:008BD9B1j
					; PAGE:loc_8BD9B4j
		add	[eax+eax+75h], dh
		add	[eax+eax+79h], ah
		add	[ebx+0], dl

loc_8BDA34:				; CODE XREF: PAGE:008BD9BFj
		add	gs:[ebx+0], dh

loc_8BDA38:				; CODE XREF: PAGE:008BD9C2j
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h

loc_8BDA4F:				; CODE XREF: PAGE:loc_8BD9DBj
		add	[eax+eax+53h], ah
		add	[ebp+0], ah
		arpl	[eax], ax
??_C@_1EE@LOGFODBK@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAS?$AAt?$AAu?$AAd?$AAy?$AAS?$AAe?$AAs?$AAs?$AAi@NNGAKEGL@ endp

		outsd
		add	[esi+0], ch
		add	fs:[ebx+0], dh
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1EC@HFINLDMB@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAs?$AAt?$AAu?$AAd?$AAy?$AAA?$AAc?$AAt?$AAi?$AAv@NNGAKEGL@ proc near
					; DATA XREF: SshpQueryRegistryValues()+10o
		push	ebx

loc_8BDA63:				; CODE XREF: PAGE:008BD9FCj
					; PAGE:loc_8BD9EEj
		add	[eax+eax+65h], ch
		add	[ebp+0], ah
		jo	short $+2
		jnb	short $+2
		jz	short $+2
		jnz	short $+2
		add	fs:[ecx+0], bh
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 650076h
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+50h], ah
		add	[ebp+0], ah
		jb	short $+2
		arpl	[eax], ax
??_C@_1EC@HFINLDMB@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAs?$AAt?$AAu?$AAd?$AAy?$AAA?$AAc?$AAt?$AAi?$AAv@NNGAKEGL@ endp

		add	gs:[esi+0], ch
		jz	short $+2
; 
		dw 0

;  S U B	R O U T	I N E 


; void ??_C
??_C@_1GO@EIGBCGIE@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ proc near
					; DATA XREF: SshpQueryRegistryULong(x,x,x)+30o
		push	ebx
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
??_C@_1GO@EIGBCGIE@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ endp

		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[eax+0], dl
		outsd
		add	[edi+0], dh
		add	gs:[edx+0], dh
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1CG@NPABGACC@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAS?$AAt?$AAu?$AAd?$AAy?$AAS?$AAe?$AAt?$AAt?$AAi@NNGAKEGL@ proc near
					; DATA XREF: SshpQueryRegistryULong(x,x,x)+36o
		push	ebx
		add	[eax+eax+65h], ch
		add	[ebp+0], ah
		jo	short $+2
		push	ebx
		add	[eax+eax+75h], dh
		add	[eax+eax+79h], ah
		add	[ebx+0], dl
		add	gs:[eax+eax+74h], dh
		add	[ecx+0], ch
		outsb
??_C@_1CG@NPABGACC@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAS?$AAt?$AAu?$AAd?$AAy?$AAS?$AAe?$AAt?$AAt?$AAi@NNGAKEGL@ endp

		add	[edi+0], ah
		jnb	short $+2
; 
		dw 0
??_C@_1CG@ECHCOIBH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: SshpQueryRegistryULong(x,x,x)+4Ao
		unicode	0, <\Registry\Machine\>,0
; wchar_t ??_C
??_C@_1M@DPFIGAIG@?$AA?5?$AA?$CI?$AA?$CF?$AAd?$AA?$CJ@NNGAKEGL@	db ' ',0
					; DATA XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+B8o
aD_0:
		unicode	0, <(%d)>,0
; 

??_C@_0BH@DOLIBDDI@TtmNotifyDeviceArrival@NNGAKEGL@:
					; DATA XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x):loc_9BFBD0o
					; TtmNotifyDeviceArrival(x,x,x,x,x,x):loc_9BFC99o ...
		push	esp
		jz	short near ptr ??_C@_0BB@JGKHLLGE@TtmiAssignDevice@NNGAKEGL@+4
		dec	esi
		outsd
		jz	short near ptr ??_C@_0BB@JGKHLLGE@TtmiAssignDevice@NNGAKEGL@+4
		db	66h
		jns	short near ptr ??_C@_0CD@KMMNFJNH@TtmiPublishDeviceEnumerationEve@NNGAKEGL@+6
		db	65h
		jbe	short near ptr ??_C@_0BB@JGKHLLGE@TtmiAssignDevice@NNGAKEGL@+0Ah
		arpl	[ebp+41h], sp
		jb	short near ptr ??_C@_0BL@CELAKALM@TtmiSetInputWakeCapability@NNGAKEGL@+6
		imul	esi, [esi+61h],	54CC006Ch
					; DATA XREF: TtmNotifyDeviceDeparture(x,x,x)+2Ao
		jz	short near ptr ??_C@_0BL@CELAKALM@TtmiSetInputWakeCapability@NNGAKEGL@+0Ah
		dec	esi
		outsd
		jz	short near ptr ??_C@_0BL@CELAKALM@TtmiSetInputWakeCapability@NNGAKEGL@+0Ah
		db	66h
		jns	short near ptr ??_C@_0CD@KMMNFJNH@TtmiPublishDeviceEnumerationEve@NNGAKEGL@+1Eh
		db	65h
		jbe	short near ptr ??_C@_0BL@CELAKALM@TtmiSetInputWakeCapability@NNGAKEGL@+10h
		arpl	[ebp+44h], sp
		db	65h
		jo	short near ptr ??_C@_0BL@CELAKALM@TtmiSetInputWakeCapability@NNGAKEGL@+0Eh
		jb	short near ptr loc_8BDC09+2
		jnz	short near ptr loc_8BDC09+2
		db	65h
		add	ah, cl

??_C@_0BF@EMLFFGPB@TtmNotifyDeviceInput@NNGAKEGL@:
					; DATA XREF: TtmNotifyDeviceInput(x,x,x,x):loc_9BFEC9o
		push	esp
		jz	short near ptr loc_8BDC09+3
		dec	esi
		outsd
		jz	short near ptr loc_8BDC09+3
		db	66h
		jns	short near ptr ??_C@_0BL@CELAKALM@TtmiSetInputWakeCapability@NNGAKEGL@+2
		db	65h
		jbe	short near ptr loc_8BDC11+1
		arpl	[ebp+49h], sp
		outsb
		jo	short near ptr ??_C@_0BL@HAIHHJGF@TtmpCallAssignedToTerminal@NNGAKEGL@+8
		jz	short $+2
		int	3		; Trap to Debugger
; 
??_C@_0CD@KMMNFJNH@TtmiPublishDeviceEnumerationEve@NNGAKEGL@ db	'TtmiPublishDeviceEnumerationEvents',0
					; CODE XREF: PAGE:008BDB71j
					; DATA XREF: TtmiPublishDeviceEnumerationEvents(x,x)+4Eo
		align 2
??_C@_0BB@JGKHLLGE@TtmiAssignDevice@NNGAKEGL@ db 'TtmiAssignDevice',0
					; CODE XREF: PAGE:008BDB6Bj
					; PAGE:008BDB6Fj ...
		align 4
??_C@_0BL@CELAKALM@TtmiSetInputWakeCapability@NNGAKEGL@	db 'TtmiSetInputWakeCapability',0
					; CODE XREF: PAGE:008BDBA3j
					; PAGE:008BDB7Aj ...
		align 4

??_C@_1BI@CHIFCFNN@?$AAT?$AAT?$AAM?$AAD?$AAC?$AAa?$AAl?$AAl?$AAo?$AAu?$AAt@NNGAKEGL@:
					; DATA XREF: TtmpCalloutWatchdogCallback(x,x,x,x,x,x)+80o
		push	esp
		add	[eax+eax+4Dh], dl

loc_8BDC09:				; CODE XREF: PAGE:008BDB95j
					; PAGE:008BDB97j ...
		add	[eax+eax+43h], al
		add	[ecx+0], ah
		insb

loc_8BDC11:				; CODE XREF: PAGE:008BDBA6j
		add	[eax+eax+6Fh], ch
		add	[ebp+0], dh
		jz	short $+2
; 
		dw 0
??_C@_0BL@HAIHHJGF@TtmpCallAssignedToTerminal@NNGAKEGL@	db 'TtmpCallAssignedToTerminal',0
					; CODE XREF: PAGE:008BDBADj
					; DATA XREF: TtmpCallAssignedToTerminal(x,x)+58o
		align 4
??_C@_0BI@GCEDGMJO@TtmpCallSetDisplayState@NNGAKEGL@ db	'TtmpCallSetDisplayState',0
					; DATA XREF: TtmpCallSetDisplayState(x,x,x)+5Bo
; 

??_C@_0BF@JFHECOGP@TtmpCallSetInputMode@NNGAKEGL@:
					; DATA XREF: TtmpCallSetInputMode(x,x,x)+52o
		push	esp
		jz	short near ptr loc_8BDCBF+1
		jo	short near ptr ??_C@_0CL@EACOCOHK@TtmpCommitTerminalDisplayStateU@NNGAKEGL@+0Ah
		popa
		insb
		insb
		push	ebx
		db	65h
		jz	short near ptr ??_C@_0CL@EACOCOHK@TtmpCommitTerminalDisplayStateU@NNGAKEGL@+17h
		outsb
		jo	short near ptr loc_8BDCD3+1
		jz	short near ptr ??_C@_0CL@EACOCOHK@TtmpCommitTerminalDisplayStateU@NNGAKEGL@+20h
		outsd
		db	64h, 65h
		add	ah, cl
; 
??_C@_0CI@EOPJHCKE@TtmpQueueTerminalDisplayStateOn@NNGAKEGL@ db	'TtmpQueueTerminalDisplayStateOntoDevice',0
					; DATA XREF: TtmpQueueTerminalDisplayStateOntoDevice(x,x,x):loc_9C0CDAo
??_C@_0CL@EACOCOHK@TtmpCommitTerminalDisplayStateU@NNGAKEGL@ db	'TtmpCommitTerminalDisplayStateUpdateWorker',0
					; CODE XREF: PAGE:008BDC53j
					; DATA XREF: TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+94o
		align 2

??_C@_0BG@BFKCPEJA@TtmpPushTerminalState@NNGAKEGL@:
					; DATA XREF: TtmpPushTerminalState(x,x)+34o
		push	esp
		jz	short near ptr ??_C@_0BO@DJAIEDEC@TtmiReferenceTerminalByHandle@NNGAKEGL@+1Ch
		jo	short near ptr ??_C@_0BO@DJAIEDEC@TtmiReferenceTerminalByHandle@NNGAKEGL@+1

loc_8BDCBF:				; CODE XREF: PAGE:008BDC51j
		jnz	short near ptr loc_8BDD2F+5
		push	6D726554h
		imul	ebp, [esi+61h],	6174536Ch
		jz	short near ptr loc_8BDD2F+5
		add	[eax+eax+65h], dl ; DATA XREF: TtmInit+836D0o

loc_8BDCD3:				; CODE XREF: PAGE:008BDC5Dj
		add	[edx+0], dh
		insd
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ah
		insb
; 
		db 0
		db 2 dup(0)
; 

??_C@_0BD@GLEDGKEL@TtmiCreateTerminal@NNGAKEGL@:
					; DATA XREF: TtmiCreateTerminal(x,x,x,x,x,x)+56o
					; TtmiCreateTerminal(x,x,x,x,x,x)+1BBo
		push	esp
		jz	short loc_8BDD52
		imul	eax, [ebx+72h],	65746165h
		push	esp
		db	65h
		jb	short near ptr loc_8BDD5C+1
		imul	ebp, [esi+61h],	54CC006Ch
					; DATA XREF: TtmiOpenDefaultTerminal(x,x,x,x)+6Fo
		jz	short loc_8BDD66
		imul	ecx, [edi+70h],	65446E65h
		popaw
		jnz	short loc_8BDD70
		jz	short near ptr loc_8BDD59+1
		db	65h
		jb	short loc_8BDD76
; 
aInal		db 'inal',0
??_C@_0BO@DJAIEDEC@TtmiReferenceTerminalByHandle@NNGAKEGL@ db 'TtmiReferenceTerminalByHandle',0
					; CODE XREF: PAGE:008BDCBDj
					; DATA XREF: TtmiReferenceTerminalByHandle(x,x,x,x)+35o
; 

??_C@_0BL@IKIKMBNF@TtmiTerminalMonitorControl@NNGAKEGL@:
					; DATA XREF: TtmiTerminalMonitorControl(x,x,x,x)+2Ao
		push	esp
		jz	short near ptr loc_8BDD99+3

loc_8BDD2F:				; CODE XREF: PAGE:loc_8BDCBFj
					; PAGE:008BDCCDj
		imul	edx, [ebp+72h],	616E696Dh
		insb
		dec	ebp
		outsd
		outsb
		imul	esi, [edi+ebp*2+72h], 746E6F43h
		jb	short near ptr loc_8BDDB3+1
		insb
		add	ah, cl

??_C@_0DB@BBINAPKO@TtmpWriteDisplayRequiredPowerRe@NNGAKEGL@:
					; DATA XREF: TtmpWriteDisplayRequiredPowerRequestUpdatedEvent(x,x,x)+77o
		push	esp
		jz	short near ptr loc_8BDDB7+1
		jo	short near ptr loc_8BDDA3+1
		jb	short near ptr loc_8BDDB7+1
		jz	short near ptr loc_8BDDB5+1
		inc	esp

loc_8BDD52:				; CODE XREF: PAGE:008BDCE3j
		imul	esi, [ebx+70h],	5279616Ch

loc_8BDD59:				; CODE XREF: PAGE:008BDD04j
		db	65h
		jno	short loc_8BDDD1

loc_8BDD5C:				; CODE XREF: PAGE:008BDCEDj
		imul	esi, [edx+65h],	776F5064h
		db	65h
		jb	short near ptr loc_8BDDB7+1

loc_8BDD66:				; CODE XREF: PAGE:008BDCF7j
		db	65h
		jno	short near ptr loc_8BDDDD+1
		db	65h
		jnb	short near ptr loc_8BDDDD+3
		push	ebp
		jo	short near ptr loc_8BDDD1+2
		popa

loc_8BDD70:				; CODE XREF: PAGE:008BDD02j
		jz	short loc_8BDDD7
		db	64h
		inc	ebp
		jbe	short loc_8BDDDB

loc_8BDD76:				; CODE XREF: PAGE:008BDD06j
		outsb
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_0BL@NMBCILAH@TtmpSetDisplayRequestEnded@NNGAKEGL@:
					; DATA XREF: TtmpSetDisplayRequestEnded(x,x)+80o
					; TtmpSetDisplayRequestEnded(x,x)+A4o
		push	esp
		jz	short near ptr loc_8BDDE9+1
		jo	short near ptr loc_8BDDD1+1
		db	65h
		jz	short near ptr loc_8BDDC4+2
		imul	esi, [ebx+70h],	5279616Ch
		db	65h
		jno	short loc_8BDE01
		db	65h
		jnb	short loc_8BDE03
		inc	ebp
		outsb
		db	64h, 65h, 64h
		add	ah, cl

??_C@_0BL@OLPLCIPG@TtmiSetDisplayPowerRequest@NNGAKEGL@:
					; DATA XREF: TtmiSetDisplayPowerRequest(x,x,x,x):loc_9C2819o
		push	esp
		jz	short loc_8BDE06

loc_8BDD99:				; CODE XREF: PAGE:008BDD2Dj
		imul	edx, [ebx+65h],	73694474h
		jo	short loc_8BDE0E
		popa

loc_8BDDA3:				; CODE XREF: PAGE:008BDD4Bj
		jns	short near ptr loc_8BDDF4+1
		outsd
		ja	short loc_8BDE0D
		jb	short near ptr loc_8BDDF9+3
		db	65h
		jno	short loc_8BDE22
		db	65h
		jnb	short loc_8BDE24
		add	ah, cl

??_C@_0CG@MIPDLOBK@TtmpUpdateDisplayRequiredPowerR@NNGAKEGL@:
					; DATA XREF: TtmpUpdateDisplayRequiredPowerRequest(x,x,x):loc_9C3596o
		push	esp

loc_8BDDB3:				; CODE XREF: PAGE:008BDD43j
		jz	short loc_8BDE22

loc_8BDDB5:				; CODE XREF: PAGE:008BDD4Fj
		jo	short near ptr loc_8BDE0B+1

loc_8BDDB7:				; CODE XREF: PAGE:008BDD49j
					; PAGE:008BDD4Dj ...
		jo	short near ptr loc_8BDE1B+2
		popa
		jz	short near ptr loc_8BDE1B+6
		inc	esp
		imul	esi, [ebx+70h],	5279616Ch

loc_8BDDC4:				; CODE XREF: PAGE:008BDD7Fj
		db	65h
		jno	short near ptr ??_C@_0BC@BCJCLPBN@TtmpSessionWorker@NNGAKEGL@+0Ah
		imul	esi, [edx+65h],	776F5064h
		db	65h
		jb	short near ptr loc_8BDE22+1

loc_8BDDD1:				; CODE XREF: PAGE:loc_8BDD59j
					; PAGE:008BDD7Dj ...
		db	65h
		jno	short loc_8BDE49
		db	65h
		jnb	short loc_8BDE4B

loc_8BDDD7:				; CODE XREF: PAGE:loc_8BDD70j
					; DATA XREF: TtmpFindPowerRequestEntryById(x,x,x)+B5o
		add	[esp+esi*2+6Dh], dl

loc_8BDDDB:				; CODE XREF: PAGE:008BDD74j
		jo	short near ptr loc_8BDE22+1

loc_8BDDDD:				; CODE XREF: PAGE:loc_8BDD66j
					; PAGE:008BDD69j
		imul	ebp, [esi+64h],	65776F50h
		jb	short near ptr ??_C@_0BC@BCJCLPBN@TtmpSessionWorker@NNGAKEGL@+6
		db	65h
		jno	short near ptr loc_8BDE5D+1

loc_8BDDE9:				; CODE XREF: PAGE:008BDD7Bj
		db	65h
		jnb	short near ptr loc_8BDE5F+1
		inc	ebp
		outsb
		jz	short ??_C@_0BG@JEEPDNHE@TtmInitCurrentSession@NNGAKEGL@
		jns	short near ptr ??_C@_0BC@BCJCLPBN@TtmpSessionWorker@NNGAKEGL@+2
		jns	short near ptr ??_C@_0BC@BCJCLPBN@TtmpSessionWorker@NNGAKEGL@+0Bh

loc_8BDDF4:				; CODE XREF: PAGE:loc_8BDDA3j
					; DATA XREF: TtmiWriteEnumerationEventsToQueue(x,x)+24o
		add	fs:[esp+esi*2+6Dh], dl

loc_8BDDF9:				; CODE XREF: PAGE:008BDDA8j
		imul	edx, [edi+72h],	45657469h
		outsb

loc_8BDE01:				; CODE XREF: PAGE:008BDD89j
		jnz	short near ptr loc_8BDE6F+1

loc_8BDE03:				; CODE XREF: PAGE:008BDD8Cj
		db	65h
		jb	short loc_8BDE67

loc_8BDE06:				; CODE XREF: PAGE:008BDD97j
		jz	short loc_8BDE71
		outsd
		outsb
		inc	ebp

loc_8BDE0B:				; CODE XREF: PAGE:loc_8BDDB5j
		jbe	short near ptr loc_8BDE71+1

loc_8BDE0D:				; CODE XREF: PAGE:008BDDA6j
		outsb

loc_8BDE0E:				; CODE XREF: PAGE:008BDDA0j
		jz	short near ptr loc_8BDE82+1
		push	esp
		outsd
		push	ecx
		jnz	short near ptr loc_8BDE74+6
		jnz	short near ptr loc_8BDE7B+1
		add	[esp+esi*2+6Dh], dl ; DATA XREF: TtmiWriteEventToAllQueues(x,x)+2Eo

loc_8BDE1B:				; CODE XREF: PAGE:loc_8BDDB7j
					; PAGE:008BDDBAj
		imul	edx, [edi+72h],	45657469h

loc_8BDE22:				; CODE XREF: PAGE:008BDDAAj
					; PAGE:loc_8BDDB3j ...
		jbe	short near ptr loc_8BDE87+2

loc_8BDE24:				; CODE XREF: PAGE:008BDDADj
		outsb
		jz	short loc_8BDE7B
		outsd
		inc	ecx
		insb
		insb
		push	ecx
		jnz	short loc_8BDE93
		jnz	short near ptr loc_8BDE93+2
		jnb	short $+2
; 
??_C@_0BC@BCJCLPBN@TtmpSessionWorker@NNGAKEGL@ db 'TtmpSessionWorker',0
					; CODE XREF: PAGE:008BDDF0j
					; PAGE:008BDDE4j ...
; 

??_C@_0BN@OFKAFAOH@TtmNotifyLowPowerStateExited@NNGAKEGL@:
					; DATA XREF: TtmNotifyLowPowerStateExited(x)+22o
		push	esp
		jz	short loc_8BDEB4
		dec	esi
		outsd

loc_8BDE49:				; CODE XREF: PAGE:loc_8BDDD1j
		jz	short loc_8BDEB4

loc_8BDE4B:				; CODE XREF: PAGE:008BDDD4j
		db	66h
		jns	short near ptr loc_8BDE96+4
		outsd
		ja	short near ptr loc_8BDE9D+4
		outsd
		ja	short loc_8BDEB9
		jb	short loc_8BDEA9
		jz	short loc_8BDEB9
		jz	short near ptr loc_8BDEBC+3
		inc	ebp
		js	short near ptr loc_8BDEC5+1

loc_8BDE5D:				; CODE XREF: PAGE:008BDDE6j
		jz	short near ptr loc_8BDEC3+1

loc_8BDE5F:				; CODE XREF: PAGE:loc_8BDDE9j
		db	64h
		add	ah, cl

??_C@_0BG@JEEPDNHE@TtmInitCurrentSession@NNGAKEGL@: ; CODE XREF: PAGE:008BDDEEj
					; DATA XREF: TtmInitCurrentSession()+55o ...
		push	esp
		jz	short near ptr loc_8BDED0+2
		dec	ecx
		outsb

loc_8BDE67:				; CODE XREF: PAGE:loc_8BDE03j
		imul	esi, [ebx+eax*2+75h], 6E657272h

loc_8BDE6F:				; CODE XREF: PAGE:loc_8BDE01j
		jz	short near ptr loc_8BDEC3+1

loc_8BDE71:				; CODE XREF: PAGE:loc_8BDE06j
					; PAGE:loc_8BDE0Bj
		db	65h
		jnb	short loc_8BDEE7

loc_8BDE74:				; CODE XREF: PAGE:008BDE13j
					; DATA XREF: TtmiCreateTerminal(x,x,x,x,x,x)+45o
		imul	ebp, [edi+6Eh],	6D745400h

loc_8BDE7B:				; CODE XREF: PAGE:008BDE25j
					; PAGE:008BDE15j
		imul	eax, [ecx+63h],	72697571h

loc_8BDE82:				; CODE XREF: PAGE:loc_8BDE0Ej
		db	65h
		push	esp
		db	65h
		jb	short loc_8BDEF4

loc_8BDE87:				; CODE XREF: PAGE:loc_8BDE22j
		imul	ebp, [esi+61h],	64496Ch

??_C@_0BH@LDFBAIGP@TtmpAcquireSessionById@NNGAKEGL@:
					; DATA XREF: TtmpAcquireSessionById(x,x)+2Ao
					; TtmpAcquireSessionById(x,x)+6Eo
		push	esp
		jz	short near ptr loc_8BDEFD+1
		jo	short near ptr loc_8BDED3+1

loc_8BDE93:				; CODE XREF: PAGE:008BDE2Cj
					; PAGE:008BDE2Ej
		arpl	[ecx+75h], si

loc_8BDE96:				; CODE XREF: PAGE:loc_8BDE4Bj
		imul	esi, [edx+65h],	73736553h

loc_8BDE9D:				; CODE XREF: PAGE:008BDE4Fj
		imul	ebp, [edi+6Eh],	64497942h
		add	ah, cl

??_C@_0BK@CMMGJFEO@TtmiAcquireCurrentSession@NNGAKEGL@:
					; DATA XREF: TtmiAcquireCurrentSession(x)+25o
		push	esp
		jz	short near ptr loc_8BDF11+5

loc_8BDEA9:				; CODE XREF: PAGE:008BDE54j
		imul	eax, [ecx+63h],	72697571h
		db	65h
		inc	ebx
		jnz	short loc_8BDF26

loc_8BDEB4:				; CODE XREF: PAGE:008BDE45j
					; PAGE:loc_8BDE49j
		jb	short near ptr loc_8BDF1A+1
		outsb
		jz	short near ptr loc_8BDF0B+1

loc_8BDEB9:				; CODE XREF: PAGE:008BDE52j
					; PAGE:008BDE56j
		db	65h
		jnb	short near ptr loc_8BDF2E+1

loc_8BDEBC:				; CODE XREF: PAGE:008BDE58j
					; DATA XREF: TtmpUpdatePowerRequestAttribute(x,x,x,x,x,x)+29o
		imul	ebp, [edi+6Eh],	6D745400h

loc_8BDEC3:				; CODE XREF: PAGE:loc_8BDE5Dj
					; PAGE:loc_8BDE6Fj
		jo	short loc_8BDF1A

loc_8BDEC5:				; CODE XREF: PAGE:008BDE5Bj
		jo	short near ptr loc_8BDF27+4
		popa
		jz	short near ptr loc_8BDF2E+1
		push	eax
		outsd
		ja	short near ptr loc_8BDF31+2
		jb	short near ptr loc_8BDF1F+3

loc_8BDED0:				; CODE XREF: PAGE:008BDE63j
		db	65h
		jno	short near ptr loc_8BDF42+6

loc_8BDED3:				; CODE XREF: PAGE:008BDE91j
		db	65h
		jnb	short loc_8BDF4A
		inc	ecx
		jz	short loc_8BDF4D
		jb	short near ptr loc_8BDF42+2
		bound	esi, [ebp+74h]
		add	gs:[esp+esi*2+6Dh], dl
					; DATA XREF: TtmNotifySessionPowerRequestDeleted(x,x)+34o
		dec	esi
		outsd
		jz	short loc_8BDF50

loc_8BDEE7:				; CODE XREF: PAGE:loc_8BDE71j
		db	66h
		jns	short loc_8BDF3D
		db	65h
		jnb	short loc_8BDF60
		imul	ebp, [edi+6Eh],	65776F50h

loc_8BDEF4:				; CODE XREF: PAGE:008BDE84j
		jb	short near ptr loc_8BDF42+6
		db	65h
		jno	short ??_C@_0BN@NGIINBFO@TtmNotifySessionDisplayBurst@NNGAKEGL@
		db	65h
		jnb	short near ptr loc_8BDF6F+1
		inc	esp

loc_8BDEFD:				; CODE XREF: PAGE:008BDE8Fj
		db	65h
		insb
		db	65h
		jz	short loc_8BDF67
		add	fs:[esp+esi*2+6Dh], dl
					; DATA XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+39o
		dec	esi
		outsd
		jz	short near ptr loc_8BDF73+1

loc_8BDF0B:				; CODE XREF: PAGE:008BDEB7j
		db	66h
		jns	short near ptr loc_8BDF60+1
		db	65h
		jnb	short loc_8BDF84

loc_8BDF11:				; CODE XREF: PAGE:008BDEA7j
		imul	ebp, [edi+6Eh],	70736944h
		insb
		popa

loc_8BDF1A:				; CODE XREF: PAGE:loc_8BDEC3j
					; PAGE:loc_8BDEB4j
		jns	short ??_C@_0BN@NGIINBFO@TtmNotifySessionDisplayBurst@NNGAKEGL@
		db	65h
		jno	short near ptr loc_8BDF93+1

loc_8BDF1F:				; CODE XREF: PAGE:008BDECEj
		imul	esi, [edx+65h],	61684364h

loc_8BDF26:				; CODE XREF: PAGE:008BDEB2j
		outsb

loc_8BDF27:				; CODE XREF: PAGE:loc_8BDEC5j
					; DATA XREF: TtmGetSessionDisplayRequiredCount(x)+39o
		add	gs:[si+74h], dl
		insd
		inc	edi

loc_8BDF2E:				; CODE XREF: PAGE:loc_8BDEB9j
					; PAGE:008BDEC8j
		db	65h
		jz	short loc_8BDF84

loc_8BDF31:				; CODE XREF: PAGE:008BDECCj
		db	65h
		jnb	short near ptr loc_8BDFA6+1
		imul	ebp, [edi+6Eh],	70736944h
		insb
		popa

loc_8BDF3D:				; CODE XREF: PAGE:loc_8BDEE7j
		jns	short loc_8BDF91
		db	65h
		jno	short near ptr loc_8BDFB6+1

loc_8BDF42:				; CODE XREF: PAGE:008BDED9j
					; PAGE:loc_8BDED0j ...
		imul	esi, [edx+65h],	756F4364h
		outsb

loc_8BDF4A:				; CODE XREF: PAGE:loc_8BDED3j
		jz	short $+2

??_C@_0CB@CKBAICGM@TtmNotifySessionPowerStateChang@NNGAKEGL@:
					; DATA XREF: TtmNotifySessionPowerStateChange(x,x)+23o
		push	esp

loc_8BDF4D:				; CODE XREF: PAGE:008BDED7j
		jz	short near ptr loc_8BDFBB+1
		dec	esi

loc_8BDF50:				; CODE XREF: PAGE:008BDEE5j
		outsd
		jz	short near ptr loc_8BDFBB+1
		db	66h
		jns	short loc_8BDFA9
		db	65h
		jnb	short loc_8BDFCC
		imul	ebp, [edi+6Eh],	65776F50h

loc_8BDF60:				; CODE XREF: PAGE:008BDEEAj
					; PAGE:loc_8BDF0Bj
		jb	short near ptr loc_8BDFB4+1
		jz	short near ptr loc_8BDFC4+1
		jz	short loc_8BDFCB
		inc	ebx

loc_8BDF67:				; CODE XREF: PAGE:008BDEFFj
		push	65676E61h
		add	ah, cl

??_C@_0BN@NGIINBFO@TtmNotifySessionDisplayBurst@NNGAKEGL@: ; CODE XREF:	PAGE:008BDEF6j
					; PAGE:loc_8BDF1Aj
					; DATA XREF: ...
		push	esp

loc_8BDF6F:				; CODE XREF: PAGE:008BDEF9j
		jz	short loc_8BDFDE
		dec	esi
		outsd

loc_8BDF73:				; CODE XREF: PAGE:008BDF09j
		jz	short loc_8BDFDE
		db	66h
		jns	short loc_8BDFCB
		db	65h
		jnb	short near ptr loc_8BDFEC+2
		imul	ebp, [edi+6Eh],	70736944h
		insb
		popa

loc_8BDF84:				; CODE XREF: PAGE:008BDF0Ej
					; PAGE:loc_8BDF2Ej
		jns	short near ptr loc_8BDFC4+4
		jnz	short near ptr loc_8BDFF6+4
		jnb	short near ptr loc_8BDFFD+1
		add	ah, cl

??_C@_0BM@NKHGFOL@TtmNotifyConsoleUserPresent@NNGAKEGL@:
					; DATA XREF: TtmNotifyConsoleUserPresent(x,x)+29o
		push	esp
		jz	short near ptr loc_8BDFF6+6
		dec	esi
		outsd

loc_8BDF91:				; CODE XREF: PAGE:loc_8BDF3Dj
		jz	short near ptr loc_8BDFF6+6

loc_8BDF93:				; CODE XREF: PAGE:008BDF1Cj
		db	66h
		jns	short near ptr loc_8BDFD8+1
		outsd
		outsb
		jnb	short near ptr loc_8BE003+6
		insb
		db	65h
		push	ebp
		jnb	short near ptr loc_8BE003+1
		jb	short near ptr loc_8BDFEF+2
		jb	short near ptr loc_8BE003+5
		jnb	short loc_8BE00A
		outsb

loc_8BDFA6:				; CODE XREF: PAGE:loc_8BDF31j
		jz	short $+2

??_C@_0CA@DCLMPIDB@TtmpInsertPowerRequestToSession@NNGAKEGL@:
					; DATA XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x):loc_9C2E24o
					; TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+2A7o
		push	esp

loc_8BDFA9:				; CODE XREF: PAGE:008BDF53j
		jz	short near ptr loc_8BE017+1
		jo	short loc_8BDFF6
		outsb
		jnb	short near ptr loc_8BE013+2
		jb	short loc_8BE026
		push	eax
		outsd

loc_8BDFB4:				; CODE XREF: PAGE:loc_8BDF60j
		ja	short near ptr loc_8BE019+2

loc_8BDFB6:				; CODE XREF: PAGE:008BDF3Fj
		jb	short loc_8BE00A
		db	65h
		jno	short ??_C@_0BN@OJIDHFAI@TtmpDispatchCreateEventQueue@NNGAKEGL@

loc_8BDFBB:				; CODE XREF: PAGE:loc_8BDF4Dj
					; PAGE:008BDF51j
		db	65h
		jnb	short near ptr loc_8BE031+1
		push	esp
		outsd
		push	ebx
		db	65h
		jnb	short near ptr loc_8BE035+2

loc_8BDFC4:				; CODE XREF: PAGE:008BDF62j
					; PAGE:loc_8BDF84j
					; DATA XREF: ...
		imul	ebp, [edi+6Eh],	6D745400h

loc_8BDFCB:				; CODE XREF: PAGE:008BDF64j
					; PAGE:008BDF75j
		push	ebx

loc_8BDFCC:				; CODE XREF: PAGE:008BDF56j
		db	65h
		jnb	short loc_8BE042
		imul	ebp, [edi+6Eh],	696E6F4Dh
		jz	short near ptr loc_8BE046+1

loc_8BDFD8:				; CODE XREF: PAGE:loc_8BDF93j
		jb	short near ptr loc_8BE019+4
		outsd
		outsb
		jz	short near ptr loc_8BE04F+1

loc_8BDFDE:				; CODE XREF: PAGE:loc_8BDF6Fj
					; PAGE:loc_8BDF73j
		outsd
		insb
		add	ah, cl

??_C@_0BO@JAKBMKC@TtmNotifySessionTerminalInput@NNGAKEGL@:
					; DATA XREF: TtmNotifySessionTerminalInput(x,x,x)+24o
		push	esp
		jz	short near ptr loc_8BE051+1
		dec	esi
		outsd
		jz	short near ptr loc_8BE051+1
		db	66h
		jns	short loc_8BE03F

loc_8BDFEC:				; CODE XREF: PAGE:008BDF78j
		db	65h
		jnb	short near ptr loc_8BE061+1

loc_8BDFEF:				; CODE XREF: PAGE:008BDF9Fj
		imul	ebp, [edi+6Eh],	6D726554h

loc_8BDFF6:				; CODE XREF: PAGE:008BDFABj
					; PAGE:008BDF86j ...
		imul	ebp, [esi+61h],	706E496Ch

loc_8BDFFD:				; CODE XREF: PAGE:008BDF88j
		jnz	short near ptr loc_8BE071+2
		add	[esp+esi*2+6Dh], dl ; DATA XREF: TtmiSessionsRundown()+28o

loc_8BE003:				; CODE XREF: PAGE:008BDF9Dj
					; PAGE:008BDFA1j ...
		imul	edx, [ebx+65h],	6F697373h

loc_8BE00A:				; CODE XREF: PAGE:008BDFA3j
					; PAGE:loc_8BDFB6j
		outsb
		jnb	short near ptr loc_8BE05E+1
		jnz	short near ptr loc_8BE07C+1
		outs	dx, dword ptr fs:[esi]
		ja	short near ptr loc_8BE07C+5

loc_8BE013:				; CODE XREF: PAGE:008BDFAEj
					; DATA XREF: TtmpDispatchCreateTerminal(x,x)+37o ...
		add	[esp+esi*2+6Dh], dl

loc_8BE017:				; CODE XREF: PAGE:loc_8BDFA9j
		jo	short near ptr loc_8BE05B+2

loc_8BE019:				; CODE XREF: PAGE:loc_8BDFB4j
					; PAGE:loc_8BDFD8j
		imul	esi, [ebx+70h],	68637461h
		inc	ebx
		jb	short near ptr loc_8BE087+1
		popa
		jz	short loc_8BE08B

loc_8BE026:				; CODE XREF: PAGE:008BDFB0j
		push	esp
		db	65h
		jb	short loc_8BE097
; 
aInal_0		db 'inal',0
		align 10h

??_C@_0BN@OJIDHFAI@TtmpDispatchCreateEventQueue@NNGAKEGL@: ; CODE XREF:	PAGE:008BDFB8j
					; DATA XREF: TtmpDispatchCreateEventQueue(x,x)+3Do ...
		push	esp

loc_8BE031:				; CODE XREF: PAGE:loc_8BDFBBj
		jz	short near ptr loc_8BE09F+1
		jo	short loc_8BE079

loc_8BE035:				; CODE XREF: PAGE:008BDFC1j
		imul	esi, [ebx+70h],	68637461h
		inc	ebx
		jb	short near ptr loc_8BE0A2+2

loc_8BE03F:				; CODE XREF: PAGE:008BDFE9j
		popa
		jz	short near ptr loc_8BE0A2+5

loc_8BE042:				; CODE XREF: PAGE:loc_8BDFCCj
		inc	ebp
		jbe	short near ptr loc_8BE0A9+1
		outsb

loc_8BE046:				; CODE XREF: PAGE:008BDFD6j
		jz	short near ptr loc_8BE097+2
		jnz	short loc_8BE0AF
		jnz	short loc_8BE0B1
		add	ah, cl

??_C@_0BN@DLFLDOIN@TtmpDispatchGetTerminalEvent@NNGAKEGL@:
					; DATA XREF: TtmpDispatchGetTerminalEvent(x,x)+62o
		push	esp

loc_8BE04F:				; CODE XREF: PAGE:008BDFDCj
		jz	short loc_8BE0BE

loc_8BE051:				; CODE XREF: PAGE:008BDFE3j
					; PAGE:008BDFE7j
		jo	short loc_8BE097
		imul	esi, [ebx+70h],	68637461h
		inc	edi

loc_8BE05B:				; CODE XREF: PAGE:loc_8BE017j
		db	65h
		jz	short near ptr loc_8BE0B1+1

loc_8BE05E:				; CODE XREF: PAGE:008BE00Bj
		db	65h
		jb	short near ptr loc_8BE0CD+1

loc_8BE061:				; CODE XREF: PAGE:loc_8BDFECj
		imul	ebp, [esi+61h],	6576456Ch
		outsb
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_0BM@GPIGGCHB@TtmpDispatchSetDisplayState@NNGAKEGL@:
					; DATA XREF: TtmpDispatchSetDisplayState(x)+34o
		push	esp
		jz	short near ptr loc_8BE0D8+4
		jo	short near ptr loc_8BE0B3+2

loc_8BE071:				; CODE XREF: PAGE:loc_8BDFFDj
		imul	esi, [ebx+70h],	68637461h
		push	ebx

loc_8BE079:				; CODE XREF: PAGE:008BE033j
		db	65h
		jz	short near ptr loc_8BE0BF+1

loc_8BE07C:				; CODE XREF: PAGE:008BE00Dj
					; PAGE:008BE011j
		imul	esi, [ebx+70h],	5379616Ch
		jz	short near ptr loc_8BE0E4+2
		jz	short ??_C@_0CD@DFJIPKNB@TtmpDispatchSetInputWakeCapabil@NNGAKEGL@

loc_8BE087:				; CODE XREF: PAGE:008BE021j
					; DATA XREF: TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)+40o
		add	[esp+esi*2+6Dh], dl

loc_8BE08B:				; CODE XREF: PAGE:008BE024j
		jo	short near ptr loc_8BE0CD+1
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	73736553h

loc_8BE097:				; CODE XREF: PAGE:008BE027j
					; PAGE:loc_8BE051j ...
		imul	ebp, [edi+6Eh],	6D6F7246h
		push	esp

loc_8BE09F:				; CODE XREF: PAGE:loc_8BE031j
		db	65h
		jb	short near ptr loc_8BE10B+4

loc_8BE0A2:				; CODE XREF: PAGE:008BE03Dj
					; PAGE:008BE040j
		imul	ebp, [esi+61h],	6E61486Ch

loc_8BE0A9:				; CODE XREF: PAGE:008BE043j
		db	64h
		insb
		db	65h
		add	ah, cl

??_C@_0BJ@GAHIIGFP@TtmpDispatchOpenTerminal@NNGAKEGL@:
					; DATA XREF: TtmpDispatchOpenTerminal(x,x)+28o
		push	esp

loc_8BE0AF:				; CODE XREF: PAGE:008BE048j
		jz	short loc_8BE11E

loc_8BE0B1:				; CODE XREF: PAGE:008BE04Aj
					; PAGE:loc_8BE05Bj
		jo	short near ptr loc_8BE0F1+6

loc_8BE0B3:				; CODE XREF: PAGE:008BE06Fj
		imul	esi, [ebx+70h],	68637461h
		dec	edi
		jo	short near ptr loc_8BE121+1
		outsb

loc_8BE0BE:				; CODE XREF: PAGE:loc_8BE04Fj
		push	esp

loc_8BE0BF:				; CODE XREF: PAGE:loc_8BE079j
		db	65h
		jb	short near ptr loc_8BE12D+2
		imul	ebp, [esi+61h],	54CC006Ch
					; DATA XREF: TtmpDispatchSetDisplayPowerRequest(x)+34o
		jz	short near ptr loc_8BE137+1
		jo	short near ptr loc_8BE10B+6

loc_8BE0CD:				; CODE XREF: PAGE:loc_8BE05Ej
					; PAGE:loc_8BE08Bj
		imul	esi, [ebx+70h],	68637461h
		push	ebx
		db	65h
		jz	short loc_8BE11C

loc_8BE0D8:				; CODE XREF: PAGE:008BE06Dj
		imul	esi, [ebx+70h],	5079616Ch
		outsd
		ja	short near ptr loc_8BE145+2
		jb	short near ptr loc_8BE130+6

loc_8BE0E4:				; CODE XREF: PAGE:008BE083j
		db	65h
		jno	short near ptr loc_8BE15B+1
		db	65h
		jnb	short near ptr loc_8BE15B+3
		add	ah, cl

??_C@_0CD@DFJIPKNB@TtmpDispatchSetInputWakeCapabil@NNGAKEGL@: ;	CODE XREF: PAGE:008BE085j
					; DATA XREF: TtmpDispatchSetInputWakeCapability(x)+34o
		push	esp
		jz	short near ptr loc_8BE15B+1
		jo	short near ptr loc_8BE130+5

loc_8BE0F1:				; CODE XREF: PAGE:loc_8BE0B1j
		imul	esi, [ebx+70h],	68637461h
		push	ebx
		db	65h
		jz	short loc_8BE145
		outsb
		jo	short near ptr loc_8BE173+1
		jz	short loc_8BE158
		popa
		imul	esp, [ebp+43h],	61h
		jo	short loc_8BE169
		bound	ebp, [ecx+6Ch]

loc_8BE10B:				; CODE XREF: PAGE:loc_8BE09Fj
					; PAGE:008BE0CBj
					; DATA XREF: ...
		imul	esi, [ecx+edi*2+0], 6D7454CCh
		inc	esp
		imul	esi, [ebx+70h],	68637461h
		inc	ecx

loc_8BE11C:				; CODE XREF: PAGE:008BE0D5j
		jo	short loc_8BE187

loc_8BE11E:				; CODE XREF: PAGE:loc_8BE0AFj
		add	ah, cl

??_C@_0BP@MLGNHNPH@TtmpDispatchSetDisplayTimeouts@NNGAKEGL@:
					; DATA XREF: TtmpDispatchSetDisplayTimeouts(x)+3Fo
		push	esp

loc_8BE121:				; CODE XREF: PAGE:008BE0BBj
		jz	short loc_8BE190
		jo	short loc_8BE169
		imul	esi, [ebx+70h],	68637461h
		push	ebx

loc_8BE12D:				; CODE XREF: PAGE:loc_8BE0BFj
		db	65h
		jz	short near ptr loc_8BE173+1

loc_8BE130:				; CODE XREF: PAGE:008BE0EFj
					; PAGE:008BE0E2j
		imul	esi, [ebx+70h],	5479616Ch

loc_8BE137:				; CODE XREF: PAGE:008BE0C9j
		imul	ebp, [ebp+65h],	7374756Fh
		add	ah, cl

??_C@_0BM@IMHPPNOC@TtmpDispatchEvacuateDevices@NNGAKEGL@:
					; DATA XREF: TtmpDispatchEvacuateDevices(x)+32o
		push	esp
		jz	short loc_8BE1B0
		jo	short loc_8BE189

loc_8BE145:				; CODE XREF: PAGE:008BE0F9j
					; PAGE:008BE0E0j
		imul	esi, [ebx+70h],	68637461h
		inc	ebp
		jbe	short loc_8BE1B0
		arpl	[ebp+61h], si
		jz	short loc_8BE1B9
		inc	esp
		db	65h
		jbe	short near ptr loc_8BE1C0+1

loc_8BE158:				; CODE XREF: PAGE:008BE0FFj
		arpl	[ebp+73h], sp

loc_8BE15B:				; CODE XREF: PAGE:loc_8BE0E4j
					; PAGE:008BE0EDj ...
		add	[esp+esi*2+6Dh], dl
		jo	short loc_8BE1A5
		imul	esi, [ebx+70h],	68637461h
		push	ebx

loc_8BE169:				; CODE XREF: PAGE:008BE106j
					; PAGE:008BE123j
		db	65h
		jz	short loc_8BE1B0
		db	65h
		popaw
		jnz	short loc_8BE1DD
		jz	short near ptr loc_8BE1B6+1

loc_8BE173:				; CODE XREF: PAGE:008BE0FDj
					; PAGE:loc_8BE12Dj
		db	65h
		jbe	short near ptr loc_8BE1DD+2
		arpl	[ebp+41h], sp
		jnb	short near ptr loc_8BE1ED+1
		imul	esp, [edi+6Eh],	746E656Dh
		add	ah, cl

??_C@_0BJ@IJIIOIGH@TtmpDispatchAssignDevice@NNGAKEGL@:
					; DATA XREF: TtmpDispatchAssignDevice(x)+34o
		push	esp
		jz	short near ptr loc_8BE1F1+3

loc_8BE187:				; CODE XREF: PAGE:loc_8BE11Cj
		jo	short near ptr loc_8BE1C7+6

loc_8BE189:				; CODE XREF: PAGE:008BE143j
		imul	esi, [ebx+70h],	68637461h

loc_8BE190:				; CODE XREF: PAGE:loc_8BE121j
		inc	ecx
		jnb	short loc_8BE206
		imul	esp, [edi+6Eh],	69766544h
		arpl	[ebp+0], sp
		int	3		; Trap to Debugger

??_C@_1CG@BCIHPCJG@?$AAT?$AAe?$AAr?$AAm?$AAi?$AAn?$AAa?$AAl?$AAE?$AAv?$AAe?$AAn?$AAt?$AAQ?$AAu@NNGAKEGL@:
					; DATA XREF: TtmInit+83621o
		push	esp
		add	[ebp+0], ah
		jb	short $+2
		insd

loc_8BE1A5:				; CODE XREF: PAGE:008BE15Fj
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ah
		insb
		add	[ebp+0], al

loc_8BE1B0:				; CODE XREF: PAGE:008BE141j
					; PAGE:008BE14Dj ...
		jbe	short $+2
		add	gs:[esi+0], ch

loc_8BE1B6:				; CODE XREF: PAGE:008BE171j
		jz	short $+2
		push	ecx

loc_8BE1B9:				; CODE XREF: PAGE:008BE152j
		add	[ebp+0], dh
		add	gs:[ebp+0], dh

loc_8BE1C0:				; CODE XREF: PAGE:008BE155j
		add	gs:[eax], al
		add	[esp+esi*2+6Dh], dl
					; DATA XREF: TtmpDispatchGetTerminalEvent(x,x)+4Do

loc_8BE1C7:				; CODE XREF: PAGE:loc_8BE187j
		imul	edx, [edx+65h],	65726566h
		outsb
		arpl	[ebp+51h], sp
		jnz	short near ptr loc_8BE237+2
		jnz	short loc_8BE23B
		inc	edx
		jns	short near ptr loc_8BE21B+6
		popa
		outsb
		db	64h
		insb

loc_8BE1DD:				; CODE XREF: PAGE:008BE16Fj
					; PAGE:loc_8BE173j
		db	65h
		add	ah, cl

??_C@_0BM@OGGHEBOD@TtmiWriteEventToSingleQueue@NNGAKEGL@:
					; DATA XREF: TtmiRetrieveEventFromQueue(x,x)+102o
		push	esp
		jz	short near ptr ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+4
		imul	edx, [edi+72h],	45657469h
		jbe	short near ptr ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+5
		outsb

loc_8BE1ED:				; CODE XREF: PAGE:008BE179j
		jz	short near ptr loc_8BE241+2
		outsd
		push	ebx

loc_8BE1F1:				; CODE XREF: PAGE:008BE185j
		imul	ebp, [esi+67h],	7551656Ch
		db	65h
		jnz	short near ptr ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+14h
		add	[esp+esi*2+6Dh], dl ; DATA XREF: TtmiRetrieveEventFromQueue(x,x)+3Fo
		imul	edx, [edx+65h],	65697274h

loc_8BE206:				; CODE XREF: PAGE:008BE191j
		jbe	short near ptr ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+21h
		inc	ebp
		jbe	short near ptr ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+24h
		outsb
		jz	short near ptr ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+8
		jb	short near ptr ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+33h
		insd
		push	ecx
		jnz	short near ptr ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+2Dh
		jnz	short near ptr ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+2Fh
		add	ah, cl

??_C@_0BF@KNIHPJH@TtmiCreateEventQueue@NNGAKEGL@: ; DATA XREF: TtmiCreateEventQueue(x,x)+6Ao
		push	esp
		jz	short near ptr ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+3Ch

loc_8BE21B:				; CODE XREF: PAGE:008BE1D7j
		imul	eax, [ebx+72h],	65746165h
		inc	ebp
		jbe	short near ptr ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+3Eh
		outsb
		jz	short near ptr ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+2Dh
		jnz	short near ptr ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+43h
		jnz	short near ptr ??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+45h
		add	ah, cl

??_C@_1BO@DLGJDBIE@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAC?$AAp?$AAu?$AAQ?$AAu?$AAo?$AAt?$AAa@NNGAKEGL@:
					; DATA XREF: PspIsDfssEnabled+56o
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb

loc_8BE237:				; CODE XREF: PAGE:008BE1D2j
		add	[ebp+0], ah
		inc	ebx

loc_8BE23B:				; CODE XREF: PAGE:008BE1D4j
		add	[eax+0], dh
		jnz	short $+2
		push	ecx

loc_8BE241:				; CODE XREF: PAGE:loc_8BE1EDj
		add	[ebp+0], dh
		outsd
		add	[eax+eax+61h], dh
; 
		db 3 dup(0)
??_C@_1IE@LJHLBMJB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; CODE XREF: PAGE:008BE1E1j
					; PAGE:008BE1EAj ...
		unicode	0, <\Registry\Machine\SYSTEM\CurrentControlSet\Control\LsaInf>
		unicode	0, <ormation>,0

;  S U B	R O U T	I N E 


??_C@_1BK@ICAHHPJE@?$AAU?$AAA?$AAC?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAe?$AAd@NNGAKEGL@ proc near
					; DATA XREF: PsBootPhaseComplete+40o
		push	ebp
		add	[ecx+0], al
		inc	ebx
		add	[ecx+0], cl
		outsb
??_C@_1BK@ICAHHPJE@?$AAU?$AAA?$AAC?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAe?$AAd@NNGAKEGL@ endp

		add	[ebx+0], dh
		jz	short $+2
		popa
		add	[eax+eax+6Ch], ch
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1CE@KAIDKDBK@?$AAD?$AAe?$AAv?$AAO?$AAv?$AAe?$AAr?$AAr?$AAi?$AAd?$AAe?$AAE?$AAn?$AAa?$AAb@NNGAKEGL@:
					; DATA XREF: PsBootPhaseComplete+30o
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		dec	edi
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
; 
		db 2 dup(0)
; 

??_C@_1CC@OLECMBJN@?$AAM?$AAa?$AAx?$AAL?$AAo?$AAa?$AAd?$AAe?$AAr?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd@NNGAKEGL@:
					; DATA XREF: PsBootPhaseComplete+CAo
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		dec	esp
		add	[edi+0], ch
		popa
		add	[eax+eax+65h], ah
		add	[edx+0], dh
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ecx+0], ah
		add	fs:[ebx+0], dh
; 
		dw 0
??_C@_1EA@DIFBALL@?$AAN?$AAo?$AAR?$AAe?$AAm?$AAo?$AAt?$AAe?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd?$AAB@NNGAKEGL@:
					; DATA XREF: PsBootPhaseComplete+DDo
		unicode	0, <NoRemoteThreadBeforeProcessInit>,0
??_C@_1JI@FLCAMDIB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PsBootPhaseComplete+4Eo
		unicode	0, <\Registry\Machine\Software\Microsoft\Windows\CurrentVersi>
		unicode	0, <on\Policies\System>,0
??_C@_1BE@PBGLAGDD@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAL?$AAU?$AAA@NNGAKEGL@:
					; DATA XREF: PsBootPhaseComplete+56o
		unicode	0, <EnableLUA>,0
??_C@_1CK@KFCEJEJF@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAi?$AAz@NNGAKEGL@:
					; DATA XREF: PsBootPhaseComplete+64o
		unicode	0, <EnableVirtualization>,0
??_C@_1DC@PMGBICCE@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAe?$AAr@NNGAKEGL@ db 'E',0
					; DATA XREF: PsBootPhaseComplete+ABo
aNableinstaller:
		unicode	0, <nableInstallerDetection>,0
??_C@_1BO@EDPDEJHE@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@:
					; DATA XREF: PspSiloGetSuiteMaskStringFromRegistry(x)+37o
		unicode	0, <ProductOptions>,0
??_C@_1BI@LIHNICPI@?$AAT?$AAS?$AAA?$AAp?$AAp?$AAC?$AAo?$AAm?$AAp?$AAa?$AAt@NNGAKEGL@ db	'T',0
					; DATA XREF: PspSiloGetMultiUserTsFromRegistry(x)+2Ao
aSappcompat:
		unicode	0, <SAppCompat>,0
; 

??_C@_1CA@BFNKNOIB@?$AAT?$AAe?$AAr?$AAm?$AAi?$AAn?$AAa?$AAl?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PspSiloGetMultiUserTsFromRegistry(x)+34o
		push	esp
		add	[ebp+0], ah
		jb	short $+2
		insd
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ah
		insb
		add	[eax], ah
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		add	gs:[edx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1EM@FKFCCHGE@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@:
					; DATA XREF: PspSiloLoadApiSets(x)+Co
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		pop	esp
		add	[ecx+0], al
		jo	short $+2
		imul	eax, [eax], 650053h
		jz	short $+2
		push	ebx
		add	[ebx+0], ah
		push	6D006500h
		add	[ecx+0], ah
		add	cs:[eax+eax+6Ch], ah
		add	[eax+eax+0], ch
; 
		db 0
; 

??_C@_1BK@HJNBLNLJ@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAS?$AAu?$AAi?$AAt?$AAe@NNGAKEGL@:
					; DATA XREF: PspSiloGetSuiteMaskStringFromRegistry(x)+2Do
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		push	ebx
		add	[ebp+0], dh
		imul	eax, [eax], 650074h
; 
		dw 0
; 

; wchar_t ??_C
??_C@_1GC@IAMDDNOD@?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAs?$AA?2?$AA?$CF?$AAd?$AA?2?$AAB?$AAa@NNGAKEGL@:
					; DATA XREF: PspShutdownCsrProcess(x,x,x)+57o
		pop	esp
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
		pop	esp
		add	ds:5C006400h, ah
		add	[edx+0], al
		popa
		add	[ebx+0], dh
		add	gs:[esi+0], cl
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+4Fh], ah
		add	[edx+0], ah
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		pop	esp
		add	[ebp+0], al
		jbe	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		push	ebx
		add	[eax+0], ch
		jnz	short $+2
		jz	short $+2
		add	fs:[edi+0], ch
		ja	short $+2
		outsb
		add	[ebx+0], al
		push	ebx
		add	[edx+0], dl
		push	ebx
		add	[ebx+0], dl
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1FK@NCPHCDPH@?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAs?$AA?2?$AA?$CF?$AAd?$AA?2?$AAB?$AAa@NNGAKEGL@:
					; DATA XREF: PspShutdownCsrProcess(x,x,x)+CEo
		pop	esp
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
		pop	esp
		add	ds:5C006400h, ah
		add	[edx+0], al
		popa
		add	[ebx+0], dh
		add	gs:[esi+0], cl
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+4Fh], ah
		add	[edx+0], ah
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		pop	esp
		add	[ebp+0], al
		jbe	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		push	edx
		add	[ecx+0], ch
		jz	short $+2
		inc	ebp
		add	[eax+0], bh
		imul	eax, [eax], 650074h
		add	fs:[eax], al
; 
		db 0
??_C@_1BK@JHMIDBDI@?$AAO?$AAC?$AAF?$AAW?$AA_?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAd@NNGAKEGL@:
					; DATA XREF: PspQueryForwardersEnabled()+26o
		unicode	0, <OCFW_Enabled>,0
??_C@_1HG@MMHJMIMI@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ db '\',0
					; DATA XREF: PspQueryForwardersEnabled()+38o
aRegistryMach_2:
		unicode	0, <Registry\Machine\SYSTEM\CurrentControlSet\Control\OneCore>
		unicode	0, <>,0
; 

??_C@_0BF@DEPLDBNI@Kernel_Process_Crash@NNGAKEGL@: ; DATA XREF:	.data:off_6B2AE0o
		dec	ebx
		db	65h
		jb	short loc_8BE6F2
		db	65h
		insb
		pop	edi
		push	eax
		jb	short near ptr loc_8BE6F7+2
		arpl	[ebp+73h], sp
		jnb	short near ptr ??_C@_1BK@ELALMENO@?$AAP?$AAa?$AAg?$AAe?$AAP?$AAr?$AAi?$AAo?$AAr?$AAi?$AAt?$AAy@NNGAKEGL@ ; "P"
		inc	ebx
		jb	short near ptr loc_8BE6F2+1
		jnb	short near ptr loc_8BE6FA+2
		add	ah, cl

??_C@_0BE@MGAPJEAL@Kernel_Process_Hang@NNGAKEGL@: ; DATA XREF: .data:off_6B3688o
		dec	ebx
		db	65h
		jb	short near ptr ??_C@_1CC@PFOHGJKI@?$AAC?$AAp?$AAu?$AAP?$AAr?$AAi?$AAo?$AAr?$AAi?$AAt?$AAy?$AAC?$AAl?$AAa?$AAs@NNGAKEGL@	; "CpuPriorityClass"
		db	65h
		insb
		pop	edi
		push	eax
		jb	short near ptr ??_C@_1CC@PFOHGJKI@?$AAC?$AAp?$AAu?$AAP?$AAr?$AAi?$AAo?$AAr?$AAi?$AAt?$AAy?$AAC?$AAl?$AAa?$AAs@NNGAKEGL@+7
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_8BE700+4
		dec	eax
		popa
		outsb

loc_8BE6A8:				; DATA XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7C6o
		add	[si+0],	al
		add	gs:[edx+0], ah
		jnz	short $+2
		add	[bx+0],	ah
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1BM@LBJILCNA@?$AAU?$AAs?$AAe?$AAL?$AAa?$AAr?$AAg?$AAe?$AAP?$AAa?$AAg?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+813o
		push	ebp
		add	[ebx+0], dh
		add	gs:[eax+eax+61h], cl
		add	[edx+0], dh
		add	[di+0],	ah
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		jnb	short $+2
; 
		dw 0
??_C@_1BG@GPFBNIMC@?$AAI?$AAo?$AAP?$AAr?$AAi?$AAo?$AAr?$AAi?$AAt?$AAy@NNGAKEGL@:
					; DATA XREF: PspReadIFEOPerfOptions+1Fo
		unicode	0, <IoPriority>,0
??_C@_1BK@ELALMENO@?$AAP?$AAa?$AAg?$AAe?$AAP?$AAr?$AAi?$AAo?$AAr?$AAi?$AAt?$AAy@NNGAKEGL@ db 'P',0
					; CODE XREF: PAGE:008BE68Dj
					; DATA XREF: PspReadIFEOPerfOptions+36o
aA_0		db 'a',0
; 

loc_8BE6F2:				; CODE XREF: PAGE:008BE681j
					; PAGE:008BE690j
		add	[di+0],	ah
		push	eax

loc_8BE6F7:				; CODE XREF: PAGE:008BE688j
		add	[edx+0], dh

loc_8BE6FA:				; CODE XREF: PAGE:008BE692j
		imul	eax, [eax], 72006Fh

loc_8BE700:				; CODE XREF: PAGE:008BE6A3j
		imul	eax, [eax], 790074h
; 
		dw 0
??_C@_1CC@PFOHGJKI@?$AAC?$AAp?$AAu?$AAP?$AAr?$AAi?$AAo?$AAr?$AAi?$AAt?$AAy?$AAC?$AAl?$AAa?$AAs@NNGAKEGL@:
					; CODE XREF: PAGE:008BE697j
					; PAGE:008BE69Ej
					; DATA XREF: ...
		unicode	0, <CpuPriorityClass>,0
??_C@_1CI@MMFMNCAG@?$AAW?$AAo?$AAr?$AAk?$AAi?$AAn?$AAg?$AAS?$AAe?$AAt?$AAL?$AAi?$AAm?$AAi?$AAt@NNGAKEGL@ db 'W',0
					; DATA XREF: PspReadIFEOPerfOptions+68o
aOrkingsetlimit:
		unicode	0, <orkingSetLimitInKB>,0
; 

??_C@_1BE@GJOFHIHD@?$AAn?$AAt?$AAd?$AAl?$AAl?$AA?4?$AAd?$AAl?$AAl@NNGAKEGL@:
					; DATA XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8A7o
		outsb
		add	[eax+eax+64h], dh
		add	[eax+eax+6Ch], ch
		add	[esi], ch
		add	[eax+eax+6Ch], ah
		add	[eax+eax+0], ch

loc_8BE765:				; DATA XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+91Ao
		add	[esi+0], al
		outsd
		add	[edx+0], dh
		arpl	[eax], ax
		add	gs:[edi+0], dl
		popa
		add	[ebx+0], ch
		add	gs:[ebx+0], al
		push	72006100h
		add	[edi+0], ah
		add	gs:[eax], al

loc_8BE785:				; DATA XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+946o
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+9ADo
		add	[ecx+0], al
		insb
		add	[eax+eax+6Fh], ch
		add	[edi+0], dh
		add	gs:[eax+eax+43h], ah
		add	[eax+0], dh
		jnz	short $+2
		push	ebx
		add	[ebp+0], ah
		jz	short $+2
		jnb	short $+2
; 
		dw 0
??_C@_1BI@OGLLNOMI@?$AAN?$AAo?$AAd?$AAe?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@:
					; DATA XREF: PspReadIFEONodeOptions+13o
		unicode	0, <NodeOptions>,0
; 

??_C@_1CE@NNPBFBMJ@?$AAM?$AAi?$AAt?$AAi?$AAg?$AAa?$AAt?$AAi?$AAo?$AAn?$AAO?$AAp?$AAt?$AAi?$AAo@NNGAKEGL@:
					; DATA XREF: PspReadIFEOMitigationOptions(x,x)+2Co
		dec	ebp
		add	[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 610067h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dw 0
??_C@_1CO@GNDGOBAE@?$AAM?$AAi?$AAt?$AAi?$AAg?$AAa?$AAt?$AAi?$AAo?$AAn?$AAA?$AAu?$AAd?$AAi?$AAt@NNGAKEGL@:
					; DATA XREF: PspReadIFEOMitigationAuditOptions+2Co
		unicode	0, <MitigationAuditOptions>,0
; 

??_C@_0CK@PGHPCIEJ@Terminating?5critical?5thread?50x?$CF@NNGAKEGL@:
					; DATA XREF: PspTerminateThreadByPointer+143BCDo
		push	esp
		db	65h
		jb	short near ptr loc_8BE87D+2
		imul	ebp, [esi+61h],	676E6974h
		and	[ebx+72h], ah
		imul	esi, [ecx+ebp*2+63h], 74206C61h
		push	64616572h
		and	[eax], dh
		js	short near ptr loc_8BE850+2
		jo	short near ptr loc_8BE84E+1
		sub	[ecx+6Eh], ch
		and	ds:0A2973h, ah

??_C@_0CI@EJAHBKOC@Terminating?5critical?5process?50x@NNGAKEGL@:
					; DATA XREF: PspTerminateAllThreads+143B15o
		push	esp
		db	65h
		jb	short loc_8BE8A9
		imul	ebp, [esi+61h],	676E6974h
		and	[ebx+72h], ah
		imul	esi, [ecx+ebp*2+63h], 70206C61h

loc_8BE84E:				; CODE XREF: PAGE:008BE82Dj
		jb	short near ptr loc_8BE8BE+1

loc_8BE850:				; CODE XREF: PAGE:008BE82Bj
		arpl	[ebp+73h], sp
		jnb	short loc_8BE875
		xor	[eax+25h], bh
		jo	short near ptr loc_8BE879+1
		sub	ds:0A2973h, ah

??_C@_0BI@JHHLMHGI@Break?0?5or?5Ignore?5?$CIbi?$CJ?$DP?5@NNGAKEGL@:
					; DATA XREF: PspCatchCriticalBreak(x,x,x,x,x)+7Bo
		inc	edx
		jb	short near ptr byte_8BE8C8
		popa
		imul	ebp, [eax], 6Fh
		jb	short near ptr loc_8BE889+1
		dec	ecx
		outs	dx, byte ptr [si]
		outsd
		jb	short near ptr loc_8BE8D3+2
		and	[eax], ch
		bound	ebp, [ecx+29h]

loc_8BE875:				; CODE XREF: PAGE:008BE853j
		aas
		and	[eax], al

??_C@_0CF@EKPBODLC@Critical?5thread?50x?$CFp?5?$CIin?5?$CFs?$CJ?5ex@NNGAKEGL@:
					; DATA XREF: PspExitThread+16861Fo
		inc	ebx

loc_8BE879:				; CODE XREF: PAGE:008BE858j
		jb	short near ptr loc_8BE8E2+2
		jz	short near ptr loc_8BE8E2+4

loc_8BE87D:				; CODE XREF: PAGE:008BE80Fj
		arpl	[ecx+6Ch], sp
		and	[eax+ebp*2+72h], dh
		db	65h
		popa
		and	fs:[eax], dh

loc_8BE889:				; CODE XREF: PAGE:008BE868j
		js	short near ptr loc_8BE8AF+1
		jo	short loc_8BE8AD
		sub	[ecx+6Eh], ch
		and	ds:65202973h, ah
		js	short loc_8BE901
		jz	short near ptr loc_8BE8FD+2
		or	al, fs:[eax]
		int	3		; Trap to Debugger

??_C@_0CD@MKHINBEL@Critical?5process?50x?$CFp?5?$CI?$CFs?$CJ?5exit@NNGAKEGL@:
					; DATA XREF: PspExitThread+168641o
		inc	ebx
		jb	short loc_8BE90A
		jz	short near ptr loc_8BE90A+2
		arpl	[ecx+6Ch], sp
		and	[eax+72h], dh

loc_8BE8A9:				; CODE XREF: PAGE:008BE839j
		outsd
		arpl	[ebp+73h], sp

loc_8BE8AD:				; CODE XREF: PAGE:008BE88Bj
		jnb	short loc_8BE8CF

loc_8BE8AF:				; CODE XREF: PAGE:loc_8BE889j
		xor	[eax+25h], bh
		jo	short near ptr loc_8BE8D3+1
		sub	ds:65202973h, ah
		js	short near ptr loc_8BE923+2
		jz	short loc_8BE923

loc_8BE8BE:				; CODE XREF: PAGE:loc_8BE84Ej
		or	al, fs:[eax]
		int	3		; Trap to Debugger
; 
??_C@_17BPAADKPP@?$AAR?$AAA?$AAW@NNGAKEGL@ dd offset loc_41004E+4
					; DATA XREF: RawQueryFsAttributeInfo(x,x,x)+1Er
					; RawMountVolume+127r
word_8BE8C6	dw 57h			; DATA XREF: RawQueryFsAttributeInfo(x,x,x)+26r
					; RawMountVolume+12Fr
byte_8BE8C8	db 2 dup(0)		; CODE XREF: PAGE:008BE861j
; 

; wchar_t ??_C
??_C@_1CI@HJIJDFAH@?$AA?2?$AAN?$AAL?$AAS?$AA?2?$AAN?$AAl?$AAs?$AAS?$AAe?$AAc?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@:
					; DATA XREF: RtlpInitNlsSectionName(x,x,x,x,x)+Co
		pop	esp
		add	[esi+0], cl
		dec	esp

loc_8BE8CF:				; CODE XREF: PAGE:loc_8BE8ADj
		add	[ebx+0], dl
		pop	esp

loc_8BE8D3:				; CODE XREF: PAGE:008BE8B2j
					; PAGE:008BE86Ej
		add	[esi+0], cl
		insb
		add	[ebx+0], dh
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		jz	short $+2

loc_8BE8E2:				; CODE XREF: PAGE:loc_8BE879j
					; PAGE:008BE87Bj
		imul	eax, [eax], 6E006Fh
		inc	ebx
		add	[eax+0], dl
		and	eax, 6400h

loc_8BE8F1:				; DATA XREF: RtlpInitNlsSectionName(x,x,x,x,x)+3Co
		add	[eax+eax+4Eh], bl
		add	[eax+eax+53h], cl
		add	[eax+eax+4Eh], bl

loc_8BE8FD:				; CODE XREF: PAGE:008BE898j
		add	[eax+eax+73h], ch

loc_8BE901:				; CODE XREF: PAGE:008BE896j
		add	[ebx+0], dl
		add	gs:[ebx+0], ah
		jz	short $+2

loc_8BE90A:				; CODE XREF: PAGE:008BE89Fj
					; PAGE:008BE8A1j
		imul	eax, [eax], 6E006Fh
		dec	esi
		add	[edi+0], cl
		push	edx
		add	[ebp+0], cl
		and	eax, 38002E00h
		add	[eax+0], bh
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1EA@HNKNGHFI@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@:
					; DATA XREF: RtlpInitNlsFileName+5Bo
		pop	esp

loc_8BE923:				; CODE XREF: PAGE:008BE8BCj
					; PAGE:008BE8BAj
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		pop	esp
		add	[ebx+0], ah
		pop	edi
		add	ds:33002E00h, ah
		add	[eax+eax+2Eh], ah
		add	[esi+0], ch
		insb
		add	[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1IK@PPFMMLKE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: RtlpInitNlsFileName+99o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[esi+0], cl
		insb
		add	[ebx+0], dh
		pop	esp
		add	[esi+0], cl
		outsd
		add	[edx+0], dh
		insd
		add	[ecx+0], ah
		insb
		add	[ecx+0], ch
		jp	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 3 dup(0)
; wchar_t ??_C
??_C@_1DA@DNHKEGIO@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@:
					; DATA XREF: RtlpInitNlsFileName+178o
		unicode	0, <\SystemRoot\System32\%s>,0
; 

??_C@_1BE@BICGMBFB@?$AAU?$AAs?$AAe?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: RtlpProcessIFEOKeyFilter+3Eo
		push	ebp
		add	[ebx+0], dh
		add	gs:[esi+0], al
		imul	eax, [eax], 74006Ch
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1BO@JOOJEFDK@?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAF?$AAu?$AAl?$AAl?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@:
					; DATA XREF: RtlpProcessIFEOKeyFilter+1271A2o
		inc	esi
		add	[ecx+0], ch
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		inc	esi
		add	[ebp+0], dh
		insb
		add	[eax+eax+50h], ch
		add	[ecx+0], ah
		jz	short $+2
; 
		dw 68h
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_17JCBKHJFJ@?$AAM?$AAU?$AAI@NNGAKEGL@:
					; DATA XREF: LdrpSearchResourceSection_U(x,x,x,x,x)+161o
					; LdrResGetRCConfig+1Ao
		dec	ebp
		add	[ebp+0], dl
		dec	ecx
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_19PBHPHAE@?$AA?$CF?$AA?$CF?$AA?$CF?$AAu@NNGAKEGL@:
					; DATA XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+367o
		and	eax, 25002500h
		add	[ebp+0], dh
; 
		dw 0
; 

; wchar_t ??_C
??_C@_1BC@DNCBBMLH@?$AA?$CF?$AA?$CF?$AA?$CF?$AAu?$AA?$CB?$AA?$CF?$AAs?$AA?$CB@NNGAKEGL@:
					; DATA XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+342o
		and	eax, 25002500h
		add	[ebp+0], dh
		and	[eax], eax
		and	eax, 21007300h
; 
		db 0
		db 2 dup(0)
; 

??_C@_15IDAJILIG@?$AAh?$AAc@NNGAKEGL@:	; DATA XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+3D9o
		push	6300h
		add	[eax+0], ch	; DATA XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+404o
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_17OGKEIBAI@?$AA?$CD?$AA?$CF?$AAu@NNGAKEGL@: ; DATA XREF: RtlQueryAtomInAtomTable+15Eo
		and	eax, [eax]
		and	eax, 7500h

loc_8BEA85:				; DATA XREF: RtlConvertSidToUnicodeString+4Do
		add	[ebx+0], dl
		sub	eax, 2D003100h
; 
		db 3 dup(0)
; 

; wchar_t ??_C
??_C@_1BE@BNDIFIKI@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAl?$AAd?$AA?2?$AA?$CF?$AAs@NNGAKEGL@:
					; DATA XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+360o
		and	eax, 5C007300h
		add	ds:64006C00h, ah
		add	[eax+eax+25h], bl
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1CE@NPBNEBGN@?$AA?2?$AAB?$AAa?$AAs?$AAe?$AAN?$AAa?$AAm?$AAe?$AAd?$AAO?$AAb?$AAj?$AAe?$AAc@NNGAKEGL@:
					; DATA XREF: RtlpGetTokenNamedObjectPath(x,x,x,x):loc_9D263Co
		pop	esp
		add	[edx+0], al
		popa
		add	[ebx+0], dh
		add	gs:[esi+0], cl
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+4Fh], ah
		add	[edx+0], ah
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_1DE@ECFPHGNH@?$AA?2?$AAA?$AAp?$AAp?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAN?$AAa@NNGAKEGL@:
					; DATA XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+38Ao
		pop	esp
		add	[ecx+0], al
		jo	short $+2
		jo	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+61h], dh
		add	[ecx+0], ch
		outsb
		add	[ebp+0], ah
		jb	short $+2
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
		add	fs:[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
; 
		dw 0
; wchar_t ??_C
??_C@_1CK@LDAJCDKF@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?2@NNGAKEGL@:
					; DATA XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+398o
		unicode	0, <Global\Session\%ld%s>,0
; void ??_C
??_C@_15OEMMNBIC@?$AA0?$AAx@NNGAKEGL@ dd offset	loc_78002E+2
					; DATA XREF: LocalConvertAclToString+418o
					; RtlConvertSidToUnicodeString:loc_924D5Co ...
		align 4
; wchar_t ??_C
??_C@_1BO@FFPNCKK@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAu?$AA?9?$AA?$CF?$AAu?$AA?9?$AA?$CF?$AAu?$AA?9?$AA?$CF?$AAu@NNGAKEGL@:
					; DATA XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+2F8o
		unicode	0, <%s\%u-%u-%u-%u>,0
; 

??_C@_1DC@JGKFLOCH@?$AAA?$AAp?$AAp?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAN?$AAa?$AAm@NNGAKEGL@:
					; DATA XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+34Do
					; RtlpGetTokenNamedObjectPath(x,x,x,x):loc_9D2674o
		inc	ecx
		add	[eax+0], dh
		jo	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+61h], dh
		add	[ecx+0], ch
		outsb
		add	[ebp+0], ah
		jb	short $+2
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
		add	fs:[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CC@GOIMJBIF@?$AAB?$AAa?$AAs?$AAe?$AAN?$AAa?$AAm?$AAe?$AAd?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt@NNGAKEGL@:
					; DATA XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+354o
		inc	edx
		add	[ecx+0], ah
		jnb	short $+2
		add	gs:[esi+0], cl
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+4Fh], ah
		add	[edx+0], ah
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1KO@ILBBOJJH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PAGE:00A40910o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+65h], dh
		add	[ebx+0], dl
		add	gs:[eax+0], dh
		popa
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+eax+52h], bl
		add	[ebp+0], ah
		add	fs:[ecx+0], ch
		jb	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		dec	ebp
		add	[ecx+0], ah
		jo	short $+2
		pop	esp
		add	[ebx+0], cl
		add	gs:[ecx+0], bh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1LA@PLBLPNML@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PAGE:00A40918o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+65h], dh
		add	[ebx+0], dl
		add	gs:[eax+0], dh
		popa
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+eax+52h], bl
		add	[ebp+0], ah
		add	fs:[ecx+0], ch
		jb	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		dec	ebp
		add	[ecx+0], ah
		jo	short $+2
		pop	esp
		add	[esi+0], al
		imul	eax, [eax], 65006Ch
		jnb	short $+2
; 
		dw 0
??_C@_1BK@CIGKBGGO@?$AAT?$AAa?$AAr?$AAg?$AAe?$AAt?$AAN?$AAt?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@:
					; DATA XREF: ExpRefreshTimeZoneInformation(x)+25Co
					; RtlpGetTimeZoneInfoHandle+64o ...
		unicode	0, <TargetNtPath>,0
??_C@_1IO@LDLHHDBF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ db '\',0
					; DATA XREF: RtlCapabilityCheck(x,x,x)+D3o
aRegistryMach_9:
		unicode	0, <Registry\Machine\Software\Microsoft\SecurityManager\Admin>
		unicode	0, <Capabilities>,0
; 

??_C@_0DN@BGIBODAP@RtlpQueryRegistryValues?3?5Miscom@NNGAKEGL@:
					; DATA XREF: RtlpQueryRegistryValues+132E16o
					; RtlpQueryRegistryValues+132E53o
		push	edx
		jz	short near ptr ??_C@_1DI@PGKLJCOI@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@NNGAKEGL@+13h
		jo	short loc_8BEDFA
		jnz	short near ptr ??_C@_1DI@PGKLJCOI@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@NNGAKEGL@+10h
		jb	short near ptr ??_C@_1DI@PGKLJCOI@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@NNGAKEGL@+26h
		push	edx
		imul	esi, gs:[bp+di+74h], 61567972h
		insb
		jnz	short near ptr ??_C@_1DI@PGKLJCOI@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@NNGAKEGL@+1Fh
		jnb	short loc_8BEDF6
		and	[ebp+69h], cl
		jnb	short near ptr ??_C@_1DI@PGKLJCOI@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@NNGAKEGL@+24h
		outsd
		insd
		jo	short near ptr ??_C@_1CI@GMLPCOJB@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@NNGAKEGL@+2
		jz	short near ptr ??_C@_1DI@PGKLJCOI@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@NNGAKEGL@+2Ch
		and	fs:[edx+75h], ah
		db	66h, 66h, 65h
		jb	short near ptr loc_8BEDEF+1
		jnb	short near ptr ??_C@_1CI@GMLPCOJB@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@NNGAKEGL@+3
		jp	short near ptr ??_C@_1CI@GMLPCOJB@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@NNGAKEGL@+1
		and	[ecx+74h], ah
		and	[ecx+ebp*2+6Eh], ch
		and	gs:0CC000A64h, ah

??_C@_1BO@EAFFNCKE@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAT?$AAi?$AAm?$AAe?$AAB?$AAi?$AAa?$AAs@NNGAKEGL@:
					; DATA XREF: RtlSetActiveTimeBias+134C9Do
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 650076h
		push	esp

loc_8BEDEF:				; CODE XREF: PAGE:008BEDCBj
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah

loc_8BEDF6:				; CODE XREF: PAGE:008BEDBAj
		inc	edx
		add	[ecx+0], ch

loc_8BEDFA:				; CODE XREF: PAGE:008BEDA7j
		popa
		add	[ebx+0], dh
; 
		dw 0
??_C@_1DI@PGKLJCOI@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@NNGAKEGL@:
					; DATA XREF: ExpRefreshTimeZoneInformation(x)+261o
					; RtlpGetTimeZoneInfoHandle+69o
		unicode	0, <TimeZoneInformationSettings>,0
??_C@_1CI@GMLPCOJB@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@NNGAKEGL@:
					; CODE XREF: PAGE:008BEDD2j
					; PAGE:008BEDC3j ...
		unicode	0, <TimeZoneInformation>,0
??_C@_17LIOBIM@?$AAT?$AAZ?$AAI@NNGAKEGL@: ; DATA XREF: RtlpUpdateDynamicTimeZones+A3o
					; RtlpUpdateDynamicTimeZones+8FF9Do
		unicode	0, <TZI>,0
??_C@_1BG@DHBIEIAA@?$AAT?$AAi?$AAm?$AAe?$AA?5?$AAZ?$AAo?$AAn?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: RtlpUpdateDynamicTimeZones+B3o
		unicode	0, <Time Zones>,0

;  S U B	R O U T	I N E 


??_C@_0CK@BNECCOKI@?$CB?$CICheckedFlags?5?$CG?5?$HOHEAP_CREATE_V@NNGAKEGL@ proc	near
					; DATA XREF: RtlCreateHeap+11AF40o

; FUNCTION CHUNK AT 008BEEF6 SIZE 0000002E BYTES

		and	[eax], ebp
		inc	ebx
		push	656B6365h
		db	64h
		inc	esi
		insb
		popa
		db	67h
		jnb	near ptr 0EEADh
		and	es:[esi+48h], bh
		inc	ebp
		inc	ecx
		push	eax
		pop	edi
		inc	ebx
		push	edx
		inc	ebp
		inc	ecx
		push	esp
		inc	ebp
		pop	edi
		push	esi
		inc	ecx
		dec	esp
		dec	ecx
		inc	esp
		pop	edi
		dec	ebp
		inc	ecx
		push	ebx
		dec	ebx
		sub	[eax], eax

??_C@_0BF@JMLBIMHL@?$CIHeapHandle?5?$CB?$DN?5NULL?$CJ@NNGAKEGL@:
					; DATA XREF: RtlDestroyHeap+A5F7Fo
		sub	[eax+65h], cl
		popa
		jo	short loc_8BEEF6
		popa
		outsb
		db	64h
		insb
		and	gs:[ecx], ah
		cmp	eax, 4C554E20h
		dec	esp
		sub	[eax], eax
		int	3		; Trap to Debugger
??_C@_0CK@BNECCOKI@?$CB?$CICheckedFlags?5?$CG?5?$HOHEAP_CREATE_V@NNGAKEGL@ endp


??_C@_1DE@LIBHJBEH@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?5?$AAV?$AAo?$AAl?$AAu?$AAm?$AAe?$AA?5?$AAI@NNGAKEGL@:
					; DATA XREF: RtlCreateSystemVolumeInformationFolder(x)+14o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		push	esi
		add	[edi+0], ch
		insb
		add	[ebp+0], dh
		insd
		add	[ebp+0], ah
		and	[eax], al
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
		jb	short $+2
		insd
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_0CF@NPDALNAN@?$CB?$CB?$CB?5RTLMUI?3?5Reusing?5LocaleBuffe@NNGAKEGL@ proc near
					; DATA XREF: RtlLCIDToCultureName(x,x)+1Co
		and	[ecx], esp
		and	[eax], esp
??_C@_0CF@NPDALNAN@?$CB?$CB?$CB?5RTLMUI?3?5Reusing?5LocaleBuffe@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0CK@BNECCOKI@?$CB?$CICheckedFlags?5?$CG?5?$HOHEAP_CREATE_V@NNGAKEGL@

loc_8BEEF6:				; CODE XREF: ??_C@_0CK@BNECCOKI@?$CB?$CICheckedFlags?5?$CG?5?$HOHEAP_CREATE_V@NNGAKEGL@+2Ej
		push	edx
		push	esp
		dec	esp
		dec	ebp
		push	ebp
		dec	ecx
		cmp	ah, [eax]
		push	edx
		db	65h
		jnz	short near ptr ??_C@_1BK@GPNIFMAA@?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAL?$AAe?$AAn?$AAg?$AAt?$AAh@NNGAKEGL@+9
		imul	ebp, [esi+67h],	636F4C20h
		popa
		insb
		db	65h
		inc	edx
		jnz	short near ptr ??_C@_1BK@GPNIFMAA@?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAL?$AAe?$AAn?$AAg?$AAt?$AAh@NNGAKEGL@+9
		db	66h, 65h
		jb	short near ptr ??_C@_1DK@HJHMGPGD@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?5?$AAP?$AAr?$AAi?$AAm?$AAi@NNGAKEGL@+0Bh
		and	[ecx], esp
		and	[eax], eax
		int	3		; Trap to Debugger

; char ??_C
??_C@_0L@KLDLBCKA@2147483647@NNGAKEGL@:	; DATA XREF: RtlValidateCorrelationVector(x)+8Co
		xor	dh, [ecx]
		xor	al, 37h
		xor	al, 38h
		xor	esi, [esi]
		xor	al, 37h
		add	ah, cl
; END OF FUNCTION CHUNK	FOR ??_C@_0CK@BNECCOKI@?$CB?$CICheckedFlags?5?$CG?5?$HOHEAP_CREATE_V@NNGAKEGL@
; 
??_C@_02DPKJAMEF@?$CFd@NNGAKEGL@ dd 0CC006425h
					; DATA XREF: RtlIncrementCorrelationVector(x)+48o
					; RtlIncrementCorrelationVector(x)+60o
??_C@_1DK@HJHMGPGD@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?5?$AAP?$AAr?$AAi?$AAm?$AAi@NNGAKEGL@:
					; CODE XREF: ??_C@_0CK@BNECCOKI@?$CB?$CICheckedFlags?5?$CG?5?$HOHEAP_CREATE_V@NNGAKEGL@+91j
					; DATA XREF: RtlGenerateClass5Guid+5Co
		unicode	0, <Microsoft Primitive	Provider>,0
; 

??_C@_19DILNDFJH@?$AAS?$AAH?$AAA?$AA1@NNGAKEGL@: ; DATA	XREF: RtlGenerateClass5Guid+61o
		push	ebx
		add	[eax+0], cl
		inc	ecx
		add	[ecx], dh
; 
		db 3 dup(0)
??_C@_1BK@GPNIFMAA@?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAL?$AAe?$AAn?$AAg?$AAt?$AAh@NNGAKEGL@:
					; CODE XREF: ??_C@_0CK@BNECCOKI@?$CB?$CICheckedFlags?5?$CG?5?$HOHEAP_CREATE_V@NNGAKEGL@+81j
					; ??_C@_0CK@BNECCOKI@?$CB?$CICheckedFlags?5?$CG?5?$HOHEAP_CREATE_V@NNGAKEGL@+8Fj
					; DATA XREF: ...
		unicode	0, <ObjectLength>,0
??_C@_1M@PFFFELPH@?$AAW?$AAi?$AAn?$AAN?$AAt@NNGAKEGL@ db 'W',0
					; DATA XREF: RtlpGetNtProductTypeFromRegistry(x)+83o
aInnt:
		unicode	0, <inNt>,0
; 

??_C@_1IE@CPEFALAA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: RtlpGetNtProductTypeFromRegistry(x)+58o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BI@JPCMFPH@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAT?$AAy?$AAp?$AAe@NNGAKEGL@:
					; DATA XREF: RtlpGetNtProductTypeFromRegistry(x)+66o
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		push	esp
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[eax], al
		add	[eax+eax+61h], cl
					; DATA XREF: RtlpGetNtProductTypeFromRegistry(x)+71o
		add	[esi+0], ch
		insd
		add	[ecx+0], ah
		outsb
		add	[esi+0], cl
		jz	short $+2
; 
		dw 0

;  S U B	R O U T	I N E 


??_C@_1BC@GNJGMHML@?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr?$AAN?$AAt@NNGAKEGL@ proc near
					; DATA XREF: RtlpGetNtProductTypeFromRegistry(x)+7Co
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		add	gs:[edx+0], dh
		dec	esi
		add	[eax+eax+0], dh
		add	[ebx+0], al	; DATA XREF: RtlOsDeploymentState(x)+74o
		outsd
??_C@_1BC@GNJGMHML@?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr?$AAN?$AAt@NNGAKEGL@ endp

		add	[ebp+0], ch
		jo	short $+2
		popa
		add	[ebx+0], ah
		jz	short $+2
; 
		db 2 dup(0)
; char ??_C[]
??_C@_0P@OBFFLNHC@MINTCBIGNOREKD@NNGAKEGL@ db 'MINTCBIGNOREKD',0
					; DATA XREF: SepIsOptionPresent+5o
		align 2

??_C@_1CC@EFNOOOGP@?$AAM?$AAS?$AAE?$AAL?$AAA?$AAM?$AAC?$AAE?$AAR?$AAT?$AAI?$AAN?$AAF?$AAO?$AAI@NNGAKEGL@:
					; DATA XREF: SeRegisterElamCertResources(x,x,x,x)+Ao
		dec	ebp
		add	[ebx+0], dl
		inc	ebp
		add	[eax+eax+41h], cl
		add	[ebp+0], cl
		inc	ebx
		add	[ebp+0], al
		push	edx
		add	[eax+eax+49h], dl
		add	[esi+0], cl
		inc	esi
		add	[edi+0], cl
		dec	ecx
		add	[eax+eax+0], al
; 
		db 0
; 

??_C@_1FG@HCKJDJMN@?$AAW?$AAS?$AAL?$AAi?$AAc?$AAe?$AAn?$AAs?$AAi?$AAn?$AAg?$AAS?$AAe?$AAr?$AAv@NNGAKEGL@:
					; DATA XREF: .data:006B36D4o
		push	edi
		add	[ebx+0], dl
		dec	esp
		add	[ecx+0], ch
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jnb	short $+2
		imul	eax, [eax], 67006Eh
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		imul	eax, [eax], 650063h
		sub	eax, 4F004C00h
		add	[edx+0], al
		push	ebx
		add	[ecx+0], ch
		add	fs:[ebp+0], ah
		insb
		add	[edi+0], ch
		popa
		add	[eax+eax+69h], ah
		add	[esi+0], ch
		add	[bx+di+0], al
		arpl	[eax], ax
		jz	short $+2
		imul	eax, [eax], 610076h
		jz	short $+2
		add	gs:[eax+eax+0],	ah
		add	[ecx+0], al	; DATA XREF: SepIsImageInMinTcbList+126849o
		jnz	short $+2
		add	fs:[ecx+0], ch
		jz	short $+2
		dec	esp
		add	[ebp+0], ah
		jbe	short $+2
		add	gs:[eax+eax+0],	ch

loc_8BF0FF:				; DATA XREF: SeRegisterElamCertResources(x,x,x,x)+23o
		add	[ebp+0], cl
		dec	ecx
		add	[ebx+0], al
		push	edx
		add	[edi+0], cl
		push	ebx
		add	[edi+0], cl
		inc	esi
		add	[eax+eax+45h], dl
		add	[eax+eax+41h], cl
		add	[ebp+0], cl
		inc	ebx
		add	[ebp+0], al
		push	edx
		add	[eax+eax+49h], dl
		add	[esi+0], al
		dec	ecx
		add	[ebx+0], al
		inc	ecx
		add	[eax+eax+45h], dl
		add	[ecx+0], cl
		dec	esi
		add	[esi+0], al
		dec	edi
; 
		db 0
		db 2 dup(0)
??_C@_0BL@ELDGEOIE@minkernel?2ntos?2se?2rmmain?4c@NNGAKEGL@ db 'minkernel\ntos\se\rmmain.c',0
					; DATA XREF: SepRmVerifyLsaProtectionLevel+8CDBEo
					; SeRmCleanupSiloState(x)+16o
		align 2

??_C@_1CM@IGDPDBMK@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA_?$AAL?$AAs?$AAa?$AA_?$AAP?$AAp?$AAl?$AA_@NNGAKEGL@:
					; DATA XREF: SepRmVerifyLsaProtectionLevel+1Do
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], bl
		dec	esp
		add	[ebx+0], dh
		popa
		add	[edi+0], bl
		push	eax
		add	[eax+0], dh
		insb
		add	[edi+0], bl
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 67h

??_C@_1CE@KFPIKEIA@?$AA?2?$AAS?$AAe?$AAL?$AAs?$AAa?$AAC?$AAo?$AAm?$AAm?$AAa?$AAn?$AAd?$AAP?$AAo@NNGAKEGL@:
					; DATA XREF: SepRmLsaConnectRequest+173o
		pop	esp
		add	[ebx+0], dl
		add	gs:[eax+eax+73h], cl
		add	[ecx+0], ah
		inc	ebx
		add	[edi+0], ch
		insd
		add	[ebp+0], ch
		popa
		add	[esi+0], ch
		add	fs:[eax+0], dl
		outsd
		add	[edx+0], dh
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_0BP@HPNNBFHI@LSA_AUTHENTICATION_INITIALIZED@NNGAKEGL@:
					; DATA XREF: SepInitializationPhase1()+16Fo
		dec	esp
		push	ebx
		inc	ecx
		pop	edi
		inc	ecx
		push	ebp
		push	esp
		dec	eax
		inc	ebp
		dec	esi
		push	esp
		dec	ecx
		inc	ebx
		inc	ecx
		push	esp
		dec	ecx
		dec	edi
		dec	esi
		pop	edi
		dec	ecx
		dec	esi
		dec	ecx
		push	esp
		dec	ecx
		inc	ecx
		dec	esp
		dec	ecx
		pop	edx
		inc	ebp
		inc	esp
		add	ah, cl

??_C@_09OFABOBDM@?2Security@NNGAKEGL@:	; DATA XREF: SepInitializationPhase1():loc_896B0Eo
		pop	esp
		push	ebx
		arpl	gs:[ebp+72h], si
; 
		dd offset loc_797469
??_C@_0BL@PEIKBMNL@?6Token?5number?50x?$CFx?5?$DN?50x?$CFp?6@NNGAKEGL@ db 0Ah
					; DATA XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+8F2o
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+948o
		db 'Token number 0x%x = 0x%p',0Ah,0
		align 4

??_C@_13IMODFHAA@?$AA?9@NNGAKEGL@:	; DATA XREF: AdtpBuildLogonIdStrings+2Eo
					; SeAuditBootConfiguration:loc_8A1D11o	...
		sub	eax, 53000000h
		add	[ebp+0], cl
		inc	ecx
		add	[edx+0], dl
		push	esp
		add	[eax+eax+4Fh], cl
		add	[ebx+0], al
		dec	ebx
		add	[ebp+0], al
		push	edx
		add	[edx], bh
		add	[edi], ch
		add	[edi], ch
		add	[ebx+0], dl
		dec	ebp
		add	[ecx+0], al
		push	edx
		add	[eax+eax+53h], dl
		add	[ebx+0], al
		push	edx
		add	[ebp+0], al
		inc	ebp
		add	[esi+0], cl
		dec	edi
		add	[edx+0], dl
		dec	ecx
		add	[edi+0], al
		dec	ecx
		add	[esi+0], cl
		inc	ebx
		add	[eax+eax+41h], cl
		add	[ecx+0], cl
		dec	ebp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BO@HJJIOICK@?$AAP?$AAO?$AAL?$AAI?$AAC?$AAY?$AAA?$AAP?$AAP?$AAI?$AAD?$AA?3?$AA?1?$AA?1@NNGAKEGL@:
					; DATA XREF: SepAddTokenOriginClaim(x,x,x)+Fo
		push	eax
		add	[edi+0], cl
		dec	esp
		add	[ecx+0], cl
		inc	ebx
		add	[ecx+0], bl
		inc	ecx
		add	[eax+0], dl
		push	eax
		add	[ecx+0], cl
		inc	esp
		add	[edx], bh
		add	[edi], ch
		add	[edi], ch
; 
		db 3 dup(0)
??_C@_1FK@FPMGJMB@?$AAA?$AAn?$AAo?$AAn?$AAy?$AAm?$AAo?$AAu?$AAs?$AAA?$AAp?$AAp?$AAC?$AAo?$AAn@NNGAKEGL@:
					; DATA XREF: PspAddSchedulingGroupToJobChain+196o
		unicode	0, <AnonymousAppContainerImpersonationLevelCheck>,0
??_C@_1DE@CKOBBNBJ@?$AAE?$AAv?$AAe?$AAr?$AAy?$AAo?$AAn?$AAe?$AAI?$AAn?$AAc?$AAl?$AAu?$AAd?$AAe@NNGAKEGL@ dd offset loc_760043+2
					; DATA XREF: PspAddSchedulingGroupToJobChain+1E4o
		dw 65h
		dd offset loc_790072
aOneincludesano:
		unicode	0, <oneIncludesAnonymous>,0
; 

??_C@_1GO@BNNKBEEN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: SepRegQueryDwordValue(x,x,x)+11o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+eax+73h], cl
		add	[ecx+0], ah
; 
		dw 0
??_C@_1EE@FDNCMIA@?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAs?$AA?2?$AA?$CF?$AAd?$AA?2?$AAD?$AAo@NNGAKEGL@:
					; DATA XREF: SeGetTokenDeviceMap+9Co
					; SepCleanupLUIDDeviceMapDirectory+A6o
		unicode	0, <\Sessions\%d\DosDevices\%08x-%08x>,0
??_C@_1BE@MJMHDIJM@?$AA?2?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AA?$DP?$AA?$DP@NNGAKEGL@:
					; DATA XREF: SeGetTokenDeviceMap+14Fo
		unicode	0, <\Global??>,0

;  S U B	R O U T	I N E 


; wchar_t ??_C
??_C@_1BK@KDPOKCA@?$AAS?$AAy?$AAm?$AAb?$AAo?$AAl?$AAi?$AAc?$AAL?$AAi?$AAn?$AAk@NNGAKEGL@ proc near
					; DATA XREF: BiIsValidDiskDevice+19o
					; SepCleanupLUIDDeviceMapDirectory+186o ...
		push	ebx
		add	[ecx+0], bh
		insd
??_C@_1BK@KDPOKCA@?$AAS?$AAy?$AAm?$AAb?$AAo?$AAl?$AAi?$AAc?$AAL?$AAi?$AAn?$AAk@NNGAKEGL@ endp

		add	[edx+0], ah
		outsd
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		dec	esp
		add	[ecx+0], ch
		outsb
		add	[ebx+0], ch
; 
		db 2 dup(0)
; 

??_C@_1CC@DJOPDNMF@?$AAT?$AAS?$AAA?$AA?3?$AA?1?$AA?1?$AAP?$AAr?$AAo?$AAc?$AAU?$AAn?$AAi?$AAq?$AAu@NNGAKEGL@:
					; DATA XREF: SepSetProcessUniqueAttribute(x)+4Fo
		push	esp
		add	[ebx+0], dl
		inc	ecx
		add	[edx], bh
		add	[edi], ch
		add	[edi], ch
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[ebx+0], ah
		push	ebp
		add	[esi+0], ch
		imul	eax, [eax], 750071h
		add	gs:[eax], al
; 
		db 0
; wchar_t ??_C
??_C@_1BK@JJANIBL@?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAs?$AA?2?$AA?$CF?$AAd@NNGAKEGL@:
					; DATA XREF: SepValidateReferencedCachedHandles+B6o
					; SepValidateReferencedCachedHandles+128275o
		unicode	0, <\Sessions\%d>,0
; wchar_t ??_C
??_C@_1BI@NJNFIEDN@?$AA?$CF?$AAu?$AA?9?$AA?$CF?$AAu?$AA?9?$AA?$CF?$AAu?$AA?9?$AA?$CF?$AAu@NNGAKEGL@ dd offset loc_750024+1
					; DATA XREF: SepValidateReferencedCachedHandles+311o
		dw 2Dh
		dd offset loc_750024+1
aUU:
		unicode	0, <-%u-%u>,0
; 

??_C@_1CC@LOHLDOPL@?$AAC?$AAr?$AAa?$AAs?$AAh?$AAO?$AAn?$AAA?$AAu?$AAd?$AAi?$AAt?$AAF?$AAa?$AAi@NNGAKEGL@:
					; DATA XREF: SepAdtInitializeCrashOnFail()+18o
					; SepAuditFailed(x)+41o
		inc	ebx
		add	[edx+0], dh
		popa
		add	[ebx+0], dh
		push	6E004F00h
		add	[ecx+0], al
		jnz	short $+2
		add	fs:[ecx+0], ch
		jz	short $+2
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 6Ch

??_C@_1KO@LFEDCLJF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: SepReadAndPopulateCapes+8CBDDo
					; SepReadAndPopulateCapes+8CE75o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+eax+73h], cl
		add	[ecx+0], ah
		pop	esp
		add	[ebx+0], al
		add	gs:[esi+0], ch
		jz	short $+2
		jb	short $+2
		popa
		add	[eax+eax+69h], ch
		add	[edx+0], bh
		add	gs:[eax+eax+41h], ah
		add	[ebx+0], ah
		arpl	[eax], ax
		add	gs:[ebx+0], dh
		jnb	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 730065h
		pop	esp
		add	[ebx+0], al
		inc	ecx
		add	[eax+0], dl
		inc	ebp
		add	[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1KM@DMAJKNMF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: SepAuditFailed(x)+236o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+eax+73h], cl
		add	[ecx+0], ah
		pop	esp
		add	[ebx+0], al
		add	gs:[esi+0], ch
		jz	short $+2
		jb	short $+2
		popa
		add	[eax+eax+69h], ch
		add	[edx+0], bh
		add	gs:[eax+eax+41h], ah
		add	[ebx+0], ah
		arpl	[eax], ax
		add	gs:[ebx+0], dh
		jnb	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 730065h
		pop	esp
		add	[ebx+0], al
		inc	ecx
		add	[eax+0], dl
		jnb	short $+2
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1M@PIGKLJLL@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAd@NNGAKEGL@:
					; DATA XREF: SepReadAndPopulateCapes+8CBE2o
					; SepReadAndPopulateCapes+8CE7Ao
		and	eax, 5C007300h
		add	large ds:6400h,	ah

loc_8BF5A1:				; DATA XREF: SepAdtOpenEtwReadyEvent(x)+Ao
		add	[eax+eax+41h], bl
		add	[eax+eax+54h], al
		add	[edi+0], bl
		inc	ebp
		add	[eax+eax+57h], dl
		add	[edi+0], bl
		inc	ebx
		add	[eax+0], cl
		inc	ecx
		add	[esi+0], cl
		dec	esi
		add	[ebp+0], al
		dec	esp
		add	[edi+0], bl
		dec	ecx
		add	[esi+0], cl
		dec	ecx
		add	[eax+eax+0], dl

loc_8BF5CD:				; DATA XREF: SepAdtInitializePrivilegeAuditing()+17o
		add	[esi+0], al
		jnz	short $+2
		insb
		add	[eax+eax+50h], ch
		add	[edx+0], dh
		imul	eax, [eax], 690076h
		insb
		add	[ebp+0], ah
		add	[di+0],	ah
		inc	ecx
		add	[ebp+0], dh
		add	fs:[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 67006Eh
; 
		db 2 dup(0)
; 

??_C@_1O@OLLLPIHG@?$AAB?$AAo?$AAu?$AAn?$AAd?$AAs@NNGAKEGL@:
					; DATA XREF: SepAdtInitializeBounds()+1Fo
		inc	edx
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+73h], ah
; 
		db 3 dup(0)
; wchar_t ??_C
??_C@_15DCAAPKNL@?$AAE?$AAA@NNGAKEGL@:	; DATA XREF: LookupSidInTable+EDo
		unicode	0, <EA>,0
; 

??_C@_13HADIAKP@?$AAS@NNGAKEGL@:	; DATA XREF: LocalConvertSDToStringSD_Rev1+1242BCo
					; LocalConvertSDToStringSD_Rev1+1242D4o
		push	ebx
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_15MMAMLPML@?$AAR?$AAO@NNGAKEGL@:	; DATA XREF: LookupSidInTable+119o
		push	edx
		add	[edi+0], cl
; 
		dw 0
; 

; wchar_t ??_C
??_C@_15OHIPBLFN@?$AAS?$AAA@NNGAKEGL@:	; DATA XREF: .data:006B2038o
					; LookupSidInTable+101o ...
		push	ebx
		add	[ecx+0], al
; 
		db 2 dup(0)
; 

??_C@_13BNMMGIII@?$AAO@NNGAKEGL@:	; DATA XREF: LocalConvertSDToStringSD_Rev1+124219o
		dec	edi
; 
		db 0
		db 2 dup(0)
; 

??_C@_13MKMNOPIJ@?$AAD@NNGAKEGL@:	; DATA XREF: .data:006B2238o
					; LocalConvertSDToStringSD_Rev1+215o ...
		inc	esp
; 
		db 0
		db 2 dup(0)
; 

??_C@_13NIHIEAGH@?$AAG@NNGAKEGL@:	; DATA XREF: LocalConvertSDToStringSD_Rev1+12424Fo
		inc	edi
; 
		db 0
		db 2 dup(0)
; 

??_C@_15JELLGJLB@?$AAW?$AAP@NNGAKEGL@:	; DATA XREF: .data:006B20A8o
		push	edi
		add	[eax+0], dl
; 
		dw 0
; 

??_C@_15MEHGPIAC@?$AAR?$AAP@NNGAKEGL@:	; DATA XREF: .data:006B2098o
		push	edx
		add	[eax+0], dl
; 
		db 2 dup(0)
; 

??_C@_15FDFFOBPF@?$AAD?$AAC@NNGAKEGL@:	; DATA XREF: .data:006B20C8o
		inc	esp
		add	[ebx+0], al
; 
		dw 0
; 

??_C@_15EOFANBEN@?$AAC?$AAC@NNGAKEGL@:	; DATA XREF: .data:006B20B8o
		inc	ebx
		add	[ebx+0], al
; 
		db 2 dup(0)
; 

??_C@_15CNLFACFL@?$AAN?$AAW@NNGAKEGL@:	; DATA XREF: .data:off_6B2068o
		dec	esi
		add	[edi+0], dl
; 
		dw 0
; 

; wchar_t ??_C
??_C@_15PJFMCJHO@?$AAD?$AAA@NNGAKEGL@:	; DATA XREF: LookupSidInTable+123A0Do
		inc	esp
		add	[ecx+0], al
; 
		db 2 dup(0)
; 

??_C@_15HFNGBCAN@?$AAN?$AAX@NNGAKEGL@:	; DATA XREF: .data:006B2088o
		dec	esi
		add	[eax+0], bl
; 
		dw 0
; 

??_C@_15BKGLPCGJ@?$AAN?$AAR@NNGAKEGL@:	; DATA XREF: .data:006B2078o
		dec	esi
		add	[edx+0], dl
; 
		db 2 dup(0)
; 

??_C@_15IGNKAAHD@?$AAR?$AAC@NNGAKEGL@:	; DATA XREF: .data:006B2128o
		push	edx
		add	[ebx+0], al
; 
		dw 0
; 

??_C@_15KGPFOBLH@?$AAC?$AAR@NNGAKEGL@:	; DATA XREF: .data:006B2008o
					; .data:006B2118o
		inc	ebx
		add	[edx+0], dl
; 
		db 2 dup(0)
; 

??_C@_15JMMBCOHI@?$AAW?$AAO@NNGAKEGL@:	; DATA XREF: .data:006B2148o
		push	edi
		add	[edi+0], cl
; 
		dw 0
; 

??_C@_15ELMAKJHJ@?$AAW?$AAD@NNGAKEGL@:	; DATA XREF: .data:006B2138o
		push	edi
		add	[eax+eax+0], al

loc_8BF671:				; DATA XREF: .data:006B20E8o
		add	[ebx+0], dl
		push	edi
; 
		db 3 dup(0)
; 

??_C@_15LPAGGDJI@?$AAL?$AAC@NNGAKEGL@:	; DATA XREF: .data:006B20D8o
		dec	esp
		add	[ebx+0], al
; 
		db 2 dup(0)
; 

??_C@_15JOJLIOND@?$AAD?$AAT@NNGAKEGL@:	; DATA XREF: .data:006B2108o
		inc	esp
		add	[eax+eax+0], dl

loc_8BF683:				; DATA XREF: .data:006B20F8o
		add	[eax+eax+4Fh], cl
; 
		db 0
		db 2 dup(0)
; 

??_C@_15LEJEIIHF@?$AAF?$AAA@NNGAKEGL@:	; DATA XREF: .data:006B2050o
					; .data:006B21A8o
		inc	esi
		add	[ecx+0], al
; 
		dw 0
; 

??_C@_15FCNJEDMF@?$AAG?$AAX@NNGAKEGL@:	; DATA XREF: .data:006B2198o
		inc	edi
		add	[eax+0], bl
; 
		db 2 dup(0)
; 

??_C@_15MBOGIADG@?$AAF?$AAW@NNGAKEGL@:	; DATA XREF: .data:006B21C8o
		inc	esi
		add	[edi+0], dl
; 
		dw 0
; 

??_C@_15PGDIHAAE@?$AAF?$AAR@NNGAKEGL@:	; DATA XREF: .data:006B21B8o
		inc	esi
		add	[edx+0], dl
; 
		db 2 dup(0)
; 

??_C@_15HPMIFLNA@?$AAG?$AAA@NNGAKEGL@:	; DATA XREF: .data:006B2168o
		inc	edi
		add	[ecx+0], al
; 
		dw 0
; 

??_C@_15NAFBOLGP@?$AAS?$AAD@NNGAKEGL@:	; DATA XREF: .data:006B2158o
		push	ebx
		add	[eax+eax+0], al

loc_8BF6AD:				; DATA XREF: .data:006B2188o
		add	[edi+0], al
		push	edi
; 
		db 3 dup(0)
; 

??_C@_15DNGEKDKB@?$AAG?$AAR@NNGAKEGL@:	; DATA XREF: .data:006B2178o
		inc	edi
		add	[edx+0], dl
; 
		db 2 dup(0)
; 

??_C@_13PNBDBPLL@?$AAA@NNGAKEGL@:	; DATA XREF: .data:off_6B2228o
		inc	ecx
; 
		db 0
		db 2 dup(0)
; 

??_C@_15CFBLIDLO@?$AAK?$AAX@NNGAKEGL@:	; DATA XREF: .data:006B2218o
		dec	ebx
		add	[eax+0], bl
; 
		dw 0
; 

??_C@_15KEEFCJIP@?$AAO?$AAD@NNGAKEGL@:	; DATA XREF: .data:006B2258o
		dec	edi
		add	[eax+eax+0], al

loc_8BF6C9:				; DATA XREF: .data:006B2248o
		add	[edi+0], cl
		inc	ecx
; 
		db 3 dup(0)
; 

??_C@_15IAKJLKL@?$AAK?$AAA@NNGAKEGL@:	; DATA XREF: .data:006B21E8o
		dec	ebx
		add	[ecx+0], al
; 
		db 2 dup(0)
; 

??_C@_15JJIFJAGA@?$AAF?$AAX@NNGAKEGL@:	; DATA XREF: .data:006B21D8o
		inc	esi
		add	[eax+0], bl
; 
		dw 0
; 

??_C@_15HNHIJDOI@?$AAK?$AAW@NNGAKEGL@:	; DATA XREF: .data:006B2208o
		dec	ebx
		add	[edi+0], dl
; 
		db 2 dup(0)
; 

??_C@_15EKKGGDNK@?$AAK?$AAR@NNGAKEGL@:	; DATA XREF: .data:006B21F8o
		dec	ebx
		add	[edx+0], dl
; 
		dw 0
; 

??_C@_15IOAPDDI@?$AAT?$AAL@NNGAKEGL@:	; DATA XREF: .data:006B22B8o
		push	esp
		add	[eax+eax+0], cl

loc_8BF6ED:				; DATA XREF: .data:006B22A8o
		add	[ebp+0], cl
		dec	esp
; 
		db 3 dup(0)
; wchar_t ??_C
??_C@_15INEIOLJO@?$AAX?$AAA@NNGAKEGL@:	; DATA XREF: .data:006B22D8o
					; FContainCallBackAce+20o
		unicode	0, <XA>,0
; wchar_t ??_C
??_C@_15EGPOFAKI@?$AAF?$AAL@NNGAKEGL@ db 'F',0 ; DATA XREF: .data:006B22C8o
					; FContainCallBackAce+9Co
		unicode	0, <L>,0
; 

??_C@_15FLPLGABA@?$AAA?$AAL@NNGAKEGL@:	; DATA XREF: .data:006B2278o
		inc	ecx
		add	[eax+eax+0], cl
; 
		db 0
; 

??_C@_15HGOKHIAF@?$AAA?$AAU@NNGAKEGL@:	; DATA XREF: .data:006B2268o
		inc	ecx
		add	[ebp+0], dl
; 
		dw 0
; 

??_C@_15GBPBABGA@?$AAO?$AAL@NNGAKEGL@:	; DATA XREF: .data:006B2298o
		dec	edi
		add	[eax+eax+0], cl
; 
		db 0
; 

??_C@_15EMOABJHF@?$AAO?$AAU@NNGAKEGL@:	; DATA XREF: .data:006B2288o
		dec	edi
		add	[ebp+0], dl
; 
		dw 0
; 

??_C@_15CBONDBCJ@?$AAC?$AAI@NNGAKEGL@:	; DATA XREF: .data:off_6B1F90o
		inc	ebx
		add	[ecx+0], cl
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_15MAIAEKJF@?$AAZ?$AAA@NNGAKEGL@:	; DATA XREF: .data:006B2328o
					; FContainCallBackAce+88o
		pop	edx
		add	[ecx+0], al
; 
		dw 0
; 

??_C@_15LAGCDKOC@?$AAN?$AAP@NNGAKEGL@:	; DATA XREF: .data:006B1FC0o
		dec	esi
		add	[eax+0], dl
; 
		db 2 dup(0)
; 

??_C@_15FGCPPBFC@?$AAO?$AAI@NNGAKEGL@:	; DATA XREF: .data:006B1FA8o
		dec	edi
		add	[ecx+0], cl
; 
		dw 0
; wchar_t ??_C
??_C@_15CMNDMIPI@?$AAR?$AAA@NNGAKEGL@:	; DATA XREF: .data:006B22F8o
					; FContainCallBackAce+4Co
		unicode	0, <RA>,0
; 

; wchar_t ??_C
??_C@_15LKJGBLKM@?$AAX?$AAD@NNGAKEGL@:	; DATA XREF: .data:006B22E8o
					; FContainCallBackAce+38o
		pop	eax
		add	[eax+eax+0], al
; 
		db 0
; wchar_t ??_C
??_C@_15FCDDCLFG@?$AAX?$AAU@NNGAKEGL@:	; DATA XREF: .data:006B2318o
					; FContainCallBackAce+74o
		unicode	0, <XU>,0
; 

; wchar_t ??_C
??_C@_15PCKCLKH@?$AAS?$AAP@NNGAKEGL@:	; DATA XREF: .data:006B2308o
					; FContainCallBackAce+60o
		push	ebx
		add	[eax+0], dl
; 
		dw 0
; 

??_C@_1O@KEANMPML@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAc@NNGAKEGL@:
					; DATA XREF: LocalConvertSDToStringSD_Rev1+124297o
					; LocalConvertSDToStringSD_Rev1+1242D9o
		and	eax, 73007700h
		add	ds:63007700h, ah
; 
		db 0
		db 2 dup(0)
??_C@_1BE@OCEKOCCF@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAc?$AA?$CF?$AAw?$AAs@NNGAKEGL@ dd offset loc_770025
					; DATA XREF: LocalConvertSDToStringSD_Rev1+21Ao
					; LocalConvertSDToStringSD_Rev1+12421Eo ...
		dw 73h
		dd offset loc_770025
aCWs:
		unicode	0, <c%ws>,0
; 

; void ??_C
??_C@_13EHOOFIKC@?$AA?$HN@NNGAKEGL@:	; DATA XREF: SddlpUuidFromString(x,x)+7Co
					; AdtpBuildSidListString(x,x,x,x,x,x)+203o ...
		jge	short $+2
; 
		db 2 dup(0)
; 

??_C@_15HCBMMKJC@?$AAI?$AAD@NNGAKEGL@:	; DATA XREF: .data:006B1FF0o
		dec	ecx
		add	[eax+eax+0], al

loc_8BF773:				; DATA XREF: .data:006B1FD8o
		add	[ecx+0], cl
		dec	edi
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1CE@KMLBPDC@?$AAN?$AAO?$AA_?$AAA?$AAC?$AAC?$AAE?$AAS?$AAS?$AA_?$AAC?$AAO?$AAN?$AAT?$AAR@NNGAKEGL@:
					; DATA XREF: LocalGetAclForString+A9o
					; LocalConvertAclToString+123F80o
		dec	esi
		add	[edi+0], cl
		pop	edi
		add	[ecx+0], al
		inc	ebx
		add	[ebx+0], al
		inc	ebp
		add	[ebx+0], dl
		push	ebx
		add	[edi+0], bl
		inc	ebx
		add	[edi+0], cl
		dec	esi
		add	[eax+eax+52h], dl
		add	[edi+0], cl
		dec	esp
; 
		db 0
		db 2 dup(0)
; 

??_C@_15BCCPBLBP@?$AAT?$AAP@NNGAKEGL@:	; DATA XREF: .data:006B2020o
		push	esp
		add	[eax+0], dl
; 
		dw 0
; wchar_t ??_C
??_C@_15CFPBOLCN@?$AAT?$AAU@NNGAKEGL@:	; DATA XREF: GetValueType(x,x,x)+40o
		unicode	0, <TU>,0
; 

; wchar_t ??_C
??_C@_15DPDOADAK@?$AAT?$AAI@NNGAKEGL@:	; DATA XREF: GetValueType(x,x,x)+25o
		push	esp
		add	[ecx+0], cl
; 
		dw 0
; wchar_t ??_C
??_C@_15JKLEPB@?$AAT?$AAS@NNGAKEGL@:	; DATA XREF: GetValueType(x,x,x)+70o
		unicode	0, <TS>,0
; 

; wchar_t ??_C
??_C@_15MNFENLNH@?$AAT?$AAD@NNGAKEGL@:	; DATA XREF: GetValueType(x,x,x)+56o
		push	esp
		add	[eax+eax+0], al
		add	[eax+0], al	; DATA XREF: GetAttributeName(x,x,x)+17o
					; GetAttributeName(x,x,x)+146o	...
; 
		dw 0
; wchar_t ??_C
??_C@_1BG@ILPAMDME@?$AA?$EA?$AAR?$AAE?$AAS?$AAO?$AAU?$AAR?$AAC?$AAE?$AA?4@NNGAKEGL@:
					; DATA XREF: GetPrintableAttributeName+12411Fo
					; GetAttributeName(x,x,x)+9Bo
		unicode	0, <@RESOURCE.>,0
; 

; wchar_t ??_C
??_C@_1BC@BELPDGGJ@?$AA?$EA?$AAD?$AAE?$AAV?$AAI?$AAC?$AAE?$AA?4@NNGAKEGL@:
					; DATA XREF: LocalpGetStringForCondition+123F81o
					; GetPrintableAttributeName+124117o ...
		inc	eax
		add	[eax+eax+45h], al
		add	[esi+0], dl
		dec	ecx
		add	[ebx+0], al
		inc	ebp
		add	[esi], ch
; 
		db 3 dup(0)
; 

; wchar_t ??_C
??_C@_15OIDPIEAL@?$AAT?$AAB@NNGAKEGL@:	; DATA XREF: GetValueType(x,x,x)+A4o
		push	esp
		add	[edx+0], al
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_15NHJLDDPA@?$AAT?$AAX@NNGAKEGL@:	; DATA XREF: GetValueType(x,x,x)+8Ao
		push	esp
		add	[eax+0], bl
; 
		dw 0
; 

??_C@_1M@NOBIFNHC@?$AA?5?$AA?$CI?$AA?$CJ?$AA?$HL?$AA?$HN@NNGAKEGL@:
					; DATA XREF: GetOperatorIndexByName(x)+18o
		and	[eax], al
		sub	[eax], al
		sub	[eax], eax
		jnp	short $+2
		jge	short $+2
; 
		dw 0
; 

??_C@_1M@BENFCOCA@?$AA?$CF?$AAI?$AA6?$AA4?$AAx@NNGAKEGL@:
					; DATA XREF: GetPrintableOperandValue+124121o
		and	eax, 36004900h
		add	[eax+eax], dh
		js	short $+2
; 
		dw 0
; 

??_C@_1M@NJBLEBAG@?$AA?$CF?$AAI?$AA6?$AA4?$AAo@NNGAKEGL@:
					; DATA XREF: GetPrintableOperandValue+12410Fo
		and	eax, 36004900h
		add	[eax+eax], dh
		outsd
; 
		db 3 dup(0)
; 

; wchar_t ??_C
??_C@_1BC@CNNNAONL@?$AAS?$AAI?$AAD?$AA?$CI?$AA?$CF?$AAl?$AAs?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: GetPrintableOperandValue+123DC8o
		push	ebx
		add	[ecx+0], cl
		inc	esp
		add	[eax], ch
		add	ds:73006C00h, ah
		add	[ecx], ch
; 
		db 0
		db 2 dup(0)
; 

??_C@_1M@OGLPPGPN@?$AA?$CF?$AAI?$AA6?$AA4?$AAu@NNGAKEGL@:
					; DATA XREF: GetPrintableOperandValue:loc_90FB47o
		and	eax, 36004900h
		add	[eax+eax], dh
		jnz	short $+2
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1BA@DDPCKNJI@?$AA?$EA?$AAT?$AAO?$AAK?$AAE?$AAN?$AA?4@NNGAKEGL@:
					; DATA XREF: LocalpGetStringForCondition+123F95o
					; GetPrintableAttributeName+12414Fo ...
		inc	eax
		add	[eax+eax+4Fh], dl
		add	[ebx+0], cl
		inc	ebp
		add	[esi+0], cl
		add	cs:[eax], al
; 
		db 0
; 

; wchar_t ??_C
??_C@_1O@PJNANMOG@?$AA?$EA?$AAU?$AAS?$AAE?$AAR?$AA?4@NNGAKEGL@:
					; DATA XREF: LocalpGetStringForCondition+123F6Do
					; GetPrintableAttributeName+124147o ...
		inc	eax
		add	[ebp+0], dl
		push	ebx
		add	[ebp+0], al
		push	edx
		add	[esi], ch
; 
		db 3 dup(0)
; 

; wchar_t ??_C
??_C@_17HNFFEAHN@?$AAS?$AAI?$AAD@NNGAKEGL@:
					; DATA XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+2A2o
		push	ebx
		add	[ecx+0], cl
		inc	esp
; 
		db 3 dup(0)
; 

; wchar_t ??_C
??_C@_1M@OEKLHGCN@?$AA?$CI?$AA?$CF?$AAl?$AAs?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: EncloseSubCondition+123CE1o
		sub	[eax], al
		and	eax, 73006C00h
		add	[ecx], ch
; 
		db 3 dup(0)
; 

??_C@_1BC@DENFCPFO@?$AA?$CI?$AA?$CF?$AAl?$AAs?$AA?$CF?$AAl?$AAs?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: LocalpGetStringForCondition+123F46o
		sub	[eax], al
		and	eax, 73006C00h
		add	ds:73006C00h, ah
		add	[ecx], ch
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1M@DNOAINIG@?$AA?$CF?$AAl?$AAs?$AA?0?$AA?5@NNGAKEGL@:
					; DATA XREF: GetPrintableOperandValue+123F1Ao
		and	eax, 73006C00h
		add	[eax+eax], ch
		and	[eax], al
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1BM@HKDMMLMD@?$AA?$CI?$AA?$CF?$AAl?$AAs?$AA?5?$AA?$CF?$AAl?$AAs?$AA?5?$AA?$CF?$AAl?$AAs?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: LocalpGetStringForCondition+218o
		sub	[eax], al
		and	eax, 73006C00h
		add	[eax], ah
		add	ds:73006C00h, ah
		add	[eax], ah
		add	ds:73006C00h, ah
		add	[ecx], ch
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1BE@KAFBMKIO@?$AA?$CI?$AA?$CF?$AAl?$AAs?$AA?5?$AA?$CF?$AAl?$AAs?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: LocalpGetStringForCondition+123FBAo
		sub	[eax], al
		and	eax, 73006C00h
		add	[eax], ah
		add	ds:73006C00h, ah
		add	[ecx], ch
; 
		db 0
		db 2 dup(0)
; 

??_C@_1CC@MHOEJLNL@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAR?$AAd?$AAy?$AAB?$AAo?$AAo?$AAs@NNGAKEGL@:
					; DATA XREF: SmpUtilsGetControlDevice(x,x,x)+10o
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	[edx+0], dl
		add	fs:[ecx+0], bh
		inc	edx
		add	[edi+0], ch
		outsd
		add	[ebx+0], dh
		jz	short $+2
; 
		dw 0
; 

??_C@_1BO@PEEFAFOD@?$AAE?$AAn?$AAc?$AAr?$AAy?$AAp?$AAt?$AAi?$AAo?$AAn?$AAM?$AAo?$AAd?$AAe@NNGAKEGL@:
					; DATA XREF: SmKmRegParamsLoad(x)+16o
		inc	ebp
		add	[esi+0], ch
		arpl	[eax], ax
		jb	short $+2
		jns	short $+2
		jo	short $+2
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], ah
; 
		db 2 dup(0)
; 

??_C@_1MK@ENOAMLHH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: SmKmRegParamsLoad(x)+4Bo
					; SmcCacheManagerStart(x,x)+79o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+5Ch], dh
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[eax+0], dl
		popa
		add	[edx+0], dh
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CA@PIKFPGMG@?$AAE?$AAn?$AAc?$AAr?$AAy?$AAp?$AAt?$AAi?$AAo?$AAn?$AAS?$AAc?$AAo?$AAp?$AAe@NNGAKEGL@:
					; DATA XREF: SmKmRegParamsLoad(x)+63o
		inc	ebp
		add	[esi+0], ch
		arpl	[eax], ax
		jb	short $+2
		jns	short $+2
		jo	short $+2
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	ebx
		add	[ebx+0], ah
		outsd
		add	[eax+0], dh
		add	gs:[eax], al
		add	[ecx+0], al	; DATA XREF: SmCrEncStart(x,x,x,x)+12o
		inc	ebp
		add	[ebx+0], dl
; 
		dw 0
??_C@_1BK@BCJKEJJO@?$AAC?$AAh?$AAa?$AAi?$AAn?$AAi?$AAn?$AAg?$AAM?$AAo?$AAd?$AAe@NNGAKEGL@:
					; DATA XREF: SmCrEncStart(x,x,x,x)+FFo
		unicode	0, <ChainingMode>,0
; 

??_C@_1BI@JJDKEEML@?$AAB?$AAl?$AAo?$AAc?$AAk?$AAL?$AAe?$AAn?$AAg?$AAt?$AAh@NNGAKEGL@:
					; DATA XREF: SmCrEncStart(x,x,x,x)+31o
		inc	edx
		add	[eax+eax+6Fh], ch
		add	[ebx+0], ah
		imul	eax, [eax], 4Ch
		add	[ebp+0], ah
		outsb
		add	[edi+0], ah
		jz	short $+2
; 
		dw 68h
		db 2 dup(0)
; 

??_C@_1CA@PIHAAGPJ@?$AAC?$AAh?$AAa?$AAi?$AAn?$AAi?$AAn?$AAg?$AAM?$AAo?$AAd?$AAe?$AAC?$AAC?$AAM@NNGAKEGL@:
					; DATA XREF: SmCrEncStart(x,x,x,x)+106o
		inc	ebx
		add	[eax+0], ch
		popa
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], ah
		inc	ebx
		add	[ebx+0], al
		dec	ebp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1NO@EEHJNDKA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: SmcCacheManagerStart(x,x)+D4o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+5Ch], dh
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[eax+0], dl
		popa
		add	[edx+0], dh
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
		pop	esp
		add	[ebx+0], al
		popa
		add	[ebx+0], ah
		push	49006500h
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
; 
		dw 0
??_C@_1CO@GCKPAJAM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAP?$AAh?$AAy?$AAs?$AAi?$AAc?$AAa@NNGAKEGL@:
					; DATA XREF: VdmpInitialize(x)+73o
		unicode	0, <\Device\PhysicalMemory>,0
; 

??_C@_1FC@PKMDBHLJ@?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt?$AAi?$AAc?$AAs?$AA?2?$AAP?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PerfDiagpProxyWorker:loc_7DFE2Do
					; PerfDiagpUpdatePerfDiagLoggerEnableFlags(x,x)+49o
		inc	esp
		add	[ecx+0], ch
		popa
		add	[edi+0], ah
		outsb
		add	[edi+0], ch
		jnb	short $+2
		jz	short $+2
		imul	eax, [eax], 730063h
		pop	esp
		add	[eax+0], dl
		add	gs:[edx+0], dh
		db	66h
		add	[edi+0], ch
		jb	short $+2
		insd
		add	[ecx+0], ah
		outsb
		add	[ebx+0], ah
		add	gs:[eax+eax+42h], bl
		add	[edi+0], ch
		outsd
		add	[eax+eax+43h], dh
		add	[ebx+0], cl
		inc	ebx
		add	[eax+eax+53h], cl
		add	[ebp+0], ah
		jz	short $+2
		jz	short $+2
		imul	eax, [eax], 67006Eh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CA@DEFPGLJP@?$AAP?$AAe?$AAr?$AAf?$AAD?$AAi?$AAa?$AAg?$AA?5?$AAL?$AAo?$AAg?$AAg?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PerfDiagpInitializeLoggerInfo(x,x)+4Co
					; PerfDiagpStartPerfDiagLogger(x)+5Fo
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[eax+eax+69h], al
		add	[ecx+0], ah
		add	[bx+si], ah
		add	[eax+eax+6Fh], cl
		add	[edi+0], ah
		add	[di+0],	ah
		jb	short $+2
; 
		dw 0
??_C@_1GI@CKLLCKKA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PerfDiagpStartPerfDiagLogger(x)+37o
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\>,0
??_C@_1DA@EEFDJGGO@?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt?$AAi?$AAc?$AAs?$AA?2?$AAP?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PerfDiagpSaveActiveDCLLogFileName+CBo
					; PerfDiagpSaveActiveDCLLogFileName+A61C7o ...
		unicode	0, <Diagnostics\Performance>,0
??_C@_1CE@BPONIBHD@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAD@NNGAKEGL@:
					; DATA XREF: PerfDiagpSaveActiveDCLLogFileName+C6o
					; PerfDiagpSaveActiveDCLLogFileName:loc_905B7Ao ...
		unicode	0, <ActiveShutdownDCL>,0
??_C@_1CE@MEENLKDH@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAF?$AAl?$AAa@NNGAKEGL@:
					; DATA XREF: PerfDiagpProxyWorker:loc_7DFE26o
					; EtwStartAutoLogger+49Co
		unicode	0, <EnableKernelFlags>,0
??_C@_1EC@PDKCPLOK@?$AAW?$AAa?$AAi?$AAt?$AAi?$AAn?$AAg?$AAF?$AAo?$AAr?$AAL?$AAo?$AAg?$AAo?$AAn@NNGAKEGL@:
					; DATA XREF: PerfDiagpProxyWorker:loc_7DFDDCo
		unicode	0, <WaitingForLogonEnableKernelFlags>,0
??_C@_1FK@BKPNCEDA@?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt?$AAi?$AAc?$AAs?$AA?2?$AAP?$AAe?$AAr@NNGAKEGL@ db 'D',0
					; DATA XREF: PerfDiagpProxyWorker+F9o
aIagnosticsPerf:
		unicode	0, <iagnostics\Performance\ShutdownCKCLSettings>,0
??_C@_1GG@HCHEFAFD@?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt?$AAi?$AAc?$AAs?$AA?2?$AAP?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: PerfDiagpProxyWorker:loc_7DFE34o
		unicode	0, <Diagnostics\Performance\SecondaryLogonCKCLSettings>,0
??_C@_1JG@PGFGANOH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ db '\',0
					; DATA XREF: PerfDiagpIsTracingAllowed()+19o
aRegistryMac_10:
		unicode	0, <Registry\Machine\System\CurrentControlSet\Control\Diagnos>
		unicode	0, <tics\Performance>,0
??_C@_1BM@EGPIEMAI@?$AAW?$AAd?$AAi?$AAC?$AAo?$AAn?$AAt?$AAe?$AAx?$AAt?$AAL?$AAo?$AAg@NNGAKEGL@:
					; DATA XREF: WdipSemGetLoggerIds()+3Fo
					; PerfDiagpSaveActiveDCLLogFileName+4Bo
		unicode	0, <WdiContextLog>,0
; 

??_C@_1DC@FCKDDIPN@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt@NNGAKEGL@:
					; DATA XREF: PerfDiagpIsTracingAllowed()+36o
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	esp
		add	[ecx+0], ch
		popa
		add	[edi+0], ah
		outsb
		add	[edi+0], ch
		jnb	short $+2
		jz	short $+2
		imul	eax, [eax], 540063h
		jb	short $+2
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 67006Eh
; 
		db 2 dup(0)
; 

??_C@_1BE@CMBKOPGC@?$AAS?$AAE?$AAM?$AAU?$AAp?$AAd?$AAa?$AAt?$AAe@NNGAKEGL@:
					; DATA XREF: WdipSemDeleteValueFromRegistry(x,x)+16o
		push	ebx
		add	[ebp+0], al
		dec	ebp
		add	[ebp+0], dl
		jo	short $+2
		add	fs:[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al

loc_8BFE91:				; DATA XREF: WdipSemLoadConfigInfo+5Bo
		add	[ebx+0], dl
		inc	ebp
		add	[ebp+0], cl
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		dec	edi
		add	[ebp+0], dh
		jz	short $+2
		push	esi
		add	[ecx+0], ah
		insb
		endp

		add	[ebp+0], dh
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1BA@DJIMNDKE@?$AAK?$AAe?$AAy?$AAw?$AAo?$AAr?$AAd@NNGAKEGL@:
					; DATA XREF: WdipSemLoadNextEndEvent+255o
					; WdipSemLoadNextContextProvider+19Fo ...
		dec	ebx
		add	[ebp+0], ah
		jns	short $+2
		ja	short $+2
		outsd
		add	[edx+0], dh
		add	fs:[eax], al

loc_8BFEC1:				; DATA XREF: WdipSemLoadNextEndEvent+218o
					; WdipSemLoadNextContextProvider+162o ...
		add	[eax+eax+65h], cl
		add	[esi+0], dh
		add	gs:[eax+eax+0],	ch
; 
		db 0

;  S U B	R O U T	I N E 


??_C@_1BA@GKCNOEEH@?$AAD?$AAi?$AAa?$AAg?$AAL?$AAo?$AAg@NNGAKEGL@ proc near
					; DATA XREF: WdipSemGetLoggerIds()+Fo
		inc	esp
		add	[ecx+0], ch
		popa
		add	[edi+0], ah
		dec	esp
		add	[edi+0], ch
		add	[bx+si], al

loc_8BFEDD:				; DATA XREF: WdipSemLoadConfigInfo+38o
		add	[ebx+0], dl
??_C@_1BA@GKCNOEEH@?$AAD?$AAi?$AAa?$AAg?$AAL?$AAo?$AAg@NNGAKEGL@ endp

		inc	ebp
		add	[ebp+0], cl
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
??_C@_1HM@CHDHGGFH@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@:
					; DATA XREF: WdipSemLoadConfigInfo+15o
		unicode	0, <\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\Control\WDI\Co>
		unicode	0, <nfig>,0
??_C@_1O@BJPKKLLM@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@:
					; DATA XREF: WdipSemLoadScenarioTable+1D7o
		unicode	0, <Config>,0
; 

??_C@_1IC@EKLNPIEE@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@:
					; DATA XREF: WdipSemLoadScenarioTable+98o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		push	ebp
		add	[edx+0], dl
		push	edx
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+43h], dl
		add	[edi+0], cl
		dec	esi
		add	[eax+eax+52h], dl
		add	[edi+0], cl
		dec	esp
		add	[ebx+0], dl
		inc	ebp
		add	[eax+eax+5Ch], dl
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[edi+0], dl
		inc	esp
		add	[ecx+0], cl
		pop	esp
		add	[ebx+0], dl
		arpl	[eax], ax
		add	gs:[esi+0], ch
		popa
		add	[edx+0], dh
		imul	eax, [eax], 73006Fh
; 
		dw 0
; 

??_C@_1DM@OJNCOCJI@?$AAS?$AAc?$AAe?$AAn?$AAa?$AAr?$AAi?$AAo?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi@NNGAKEGL@:
					; DATA XREF: WdipSemLoadScenarioTable+355o
		push	ebx
		add	[ebx+0], ah
		add	gs:[esi+0], ch
		popa
		add	[edx+0], dh
		imul	eax, [eax], 45006Fh
		js	short $+2
		add	gs:[ebx+0], ah
		jnz	short $+2
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		imul	eax, [eax], 740063h
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dw 0

;  S U B	R O U T	I N E 


??_C@_1DC@HIPLPNKJ@?$AAS?$AAc?$AAe?$AAn?$AAa?$AAr?$AAi?$AAo?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi@NNGAKEGL@ proc near
					; DATA XREF: WdipSemLoadScenarioTable+32Bo
					; WdipSemLoadGroupPolicy+95240o ...
		push	ebx
		add	[ebx+0], ah
		add	gs:[esi+0], ch
		popa
		add	[edx+0], dh
		imul	eax, [eax], 45006Fh
		js	short $+2
		add	gs:[ebx+0], ah
		jnz	short $+2
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
??_C@_1DC@HIPLPNKJ@?$AAS?$AAc?$AAe?$AAn?$AAa?$AAr?$AAi?$AAo?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi@NNGAKEGL@ endp

		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1BO@BKEADOJP@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAy@NNGAKEGL@:
					; DATA XREF: EtwpEnableAutoLoggerProvider+30Ao
					; WdipSemLoadNextEndEvent+29Do	...
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+0], dh
		add	gs:[edx+0], dh
		jz	short $+2
		jns	short $+2
; 
		dw 0
??_C@_1BK@BMNPCGJG@?$AAC?$AAa?$AAp?$AAt?$AAu?$AAr?$AAe?$AAS?$AAt?$AAa?$AAt?$AAe@NNGAKEGL@:
					; DATA XREF: WdipSemLoadNextContextProvider+1E7o
		unicode	0, <CaptureState>,0
; 

??_C@_1CC@GNJGIMBM@?$AAC?$AAo?$AAn?$AAt?$AAe?$AAx?$AAt?$AAP?$AAr?$AAo?$AAv?$AAi?$AAd?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: WdipSemLoadNextScenario+436o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+65h], dh
		add	[eax+0], bh
		jz	short $+2
		push	eax
		add	[edx+0], dh
		outsd
		add	[esi+0], dh
		imul	eax, [eax], 650064h
		jb	short $+2
		jnb	short $+2
; 
		dw 0
??_C@_1BE@OIDFIPDC@?$AAE?$AAn?$AAd?$AAE?$AAv?$AAe?$AAn?$AAt?$AAs@NNGAKEGL@:
					; DATA XREF: WdipSemLoadNextScenario+2F9o
		unicode	0, <EndEvents>,0
??_C@_1CA@EPMAPCPA@?$AAI?$AAn?$AAs?$AAt?$AAr?$AAu?$AAm?$AAe?$AAn?$AAt?$AAa?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@:
					; DATA XREF: WdipSemLoadScenarioTable+207o
		unicode	0, <Instrumentation>,0
; 

??_C@_1CO@LFGCHFN@?$AAS?$AAc?$AAe?$AAn?$AAa?$AAr?$AAi?$AAo?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@NNGAKEGL@:
					; DATA XREF: WdipSemLoadScenarioTable+94CA1o
		push	ebx
		add	[ebx+0], ah
		add	gs:[esi+0], ch
		popa
		add	[edx+0], dh
		imul	eax, [eax], 54006Fh
		imul	eax, [eax], 65006Dh
		outsd
		add	[ebp+0], dh
		jz	short $+2
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1HE@LEFGKEGL@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@:
					; DATA XREF: WdipSemLoadGroupPolicy+1Ao
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[edi+0], cl
		inc	esi
		add	[eax+eax+57h], dl
		add	[ecx+0], al
		push	edx
		add	[ebp+0], al
		pop	esp
		add	[eax+0], dl
		outsd
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		imul	eax, [eax], 730065h
		pop	esp
		add	[ebp+0], cl
		imul	eax, [eax], 720063h
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		pop	esp
		add	[edi+0], dl
		inc	esp
		add	[ecx+0], cl
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_13COJANIEC@?$AA0@NNGAKEGL@:	; DATA XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B385Ao
					; _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+18Do
		xor	[eax], al
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1GC@MIJCAPDC@?$AA?$CF?$AA0?$AA8?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9@NNGAKEGL@:
					; DATA XREF: WmipSecurityMethod+11Do
					; EtwpGetSecurityDescriptorByGuid(x,x)+54o ...
		and	eax, 38003000h
		add	[eax+0], bh
		sub	eax, 30002500h
		add	[eax+eax], dh
		js	short $+2
		sub	eax, 30002500h
		add	[eax+eax], dh
		js	short $+2
		sub	eax, 30002500h
		add	[edx], dh
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		sub	eax, 30002500h
		add	[edx], dh
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
; 
		dw 0
; void ??_C
??_C@_1BE@BICDJNGE@?$AA?2?$AAW?$AAm?$AAi?$AAG?$AAu?$AAi?$AAd?$AA?2@NNGAKEGL@:
					; DATA XREF: WmipOpenGuidObject(x,x,x,x)+29o
					; IoWMIOpenBlock(x,x,x)+2Bo
		unicode	0, <\WmiGuid\>,0
; 

; wchar_t ??_C
??_C@_1O@EFAMNDNG@?$AA?$CF?$AAw?$AAs?$AA_?$AA?$CF?$AAd@NNGAKEGL@:
					; DATA XREF: IoWMIDeviceObjectToInstanceName(x,x,x)+68o
		and	eax, 73007700h
		add	[edi+0], bl
		and	eax, 6400h
; 
		db 0
; 

??_C@_1BI@HMDFEAOI@?$AAH?$AAi?$AAd?$AAe?$AAM?$AAa?$AAc?$AAh?$AAi?$AAn?$AAe@NNGAKEGL@:
					; DATA XREF: WmipGetRegistryHideMachine:loc_8EF656o
		dec	eax
		add	[ecx+0], ch
		add	fs:[ebp+0], ah
		dec	ebp
		add	[ecx+0], ah
		arpl	[eax], ax
		push	6E006900h
		add	[ebp+0], ah
; 
		db 2 dup(0)
; 

??_C@_1II@OLBDKLDD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: WmipGetRegistryHideMachine+10o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al
		dec	ebp
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[edi+0], dl
		dec	ebp
		add	[ecx+0], cl
		pop	esp
		add	[edx+0], dl
		add	gs:[ebx+0], dh
		jz	short $+2
		jb	short $+2
		imul	eax, [eax], 740063h
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		db 2 dup(0)
; 

; void ??_C
??_C@_06NMLBEHN@_1394_@NNGAKEGL@:	; DATA XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+9Bo
		pop	edi
		xor	[ebx], esi
		cmp	[edi+ebx*2], esi
		add	ah, cl

; void ??_C
??_C@_06LHBCBDBA@_UUID_@NNGAKEGL@:	; DATA XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+78o
		pop	edi
		push	ebp
		push	ebp
		dec	ecx
		inc	esp
		pop	edi
		add	ah, cl

; wchar_t ??_C
??_C@_1M@NBNHGJDL@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAd@NNGAKEGL@:
					; DATA XREF: WmipGenerateBinaryMofNotification(x,x)+167o
		and	eax, 73007700h
		add	large ds:6400h,	ah

loc_8C02E1:				; DATA XREF: WmipSendGuidUpdateNotifications(x,x,x)+90o
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		push	ebp
		add	[eax+0], dl
		inc	esp
		add	[ecx+0], al
		push	esp
		add	[ebp+0], al
		dec	ecx
		add	[esi+0], cl
		inc	esi
		add	[edi+0], cl
; 
		db 2 dup(0)
; 

??_C@_1BK@FCPONPHF@?$AAW?$AAM?$AAI?$AA?2?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy@NNGAKEGL@:
					; DATA XREF: WmipGetGuidSecurityDescriptor+68o
					; WmipSaveGuidSecurityDescriptor+71o
		push	edi
		add	[ebp+0], cl
		dec	ecx
		add	[eax+eax+53h], bl
		add	[ebp+0], ah
		arpl	[eax], ax
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
; 
		dw 0
??_C@_1CA@GCICNJFG@?$AAE?$AAT?$AAW?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@:
					; DATA XREF: WmipGetGuidSecurityDescriptor+99o
					; WmipSaveGuidSecurityDescriptor+3Bo
		unicode	0, <ETWSecurityPath>,0
??_C@_1EK@ELAFIBPG@?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0@NNGAKEGL@:
					; DATA XREF: WmipGetGuidSecurityDescriptor+71o
		unicode	0, <00000000-0000-0000-0000-000000000000>,0
; 

??_C@_1CC@CBGHPEEO@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe?$AAd?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@NNGAKEGL@:
					; DATA XREF: WmipQueryWmiDataBlock+130125o
		push	eax
		add	[edx+0], dh
		add	gs:[esi+0], ah
		add	gs:[edx+0], dh
		jb	short $+2
		add	gs:[eax+eax+50h], ah
		add	[edx+0], dh
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
; 
		dw 0
; 

??_C@_1CC@MBMHMCGC@?$AAB?$AAo?$AAo?$AAt?$AAA?$AAr?$AAc?$AAh?$AAi?$AAt?$AAe?$AAc?$AAt?$AAu?$AAr@NNGAKEGL@:
					; DATA XREF: WmipQueryWmiDataBlock+130119o
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+41h], dh
		add	[edx+0], dh
		arpl	[eax], ax
		push	74006900h
		add	[ebp+0], ah
		arpl	[eax], ax
		jz	short $+2
		jnz	short $+2
		jb	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1FM@BFBPAOJP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: WmipQueryWmiDataBlock+1300FEo
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[eax+0], cl
		popa
		add	[edx+0], dh
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+44h], bl
		add	[ebp+0], ah
		jnb	short $+2
		arpl	[eax], ax
		jb	short $+2
		imul	eax, [eax], 740070h
		imul	eax, [eax], 6E006Fh
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
		db 2 dup(0)
??_C@_0L@NABPFONB@SMBiosData@NNGAKEGL@ db 'SMBiosData',0
					; DATA XREF: WmipQueryWmiRegInfo(x,x,x,x)+12o
		align 2
; wchar_t ??_C
??_C@_1BE@PFDEHHDC@?$AA?$CF?$AAw?$AAZ?$AA?$CF?$AAw?$AAc?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ dd offset loc_770025
					; DATA XREF: EtwpQueryPsmKey(x,x,x)+79o
		dw 5Ah
		dd offset loc_770025
aCWz:
		unicode	0, <c%wZ>,0
; 

; wchar_t ??_C
??_C@_1CA@LCLGDEEM@?$AA?$CF?$AAw?$AAZ?$AA?$CF?$AAw?$AAc?$AA?$CF?$AAw?$AAZ?$AA?$CF?$AAw?$AAc?$AA?$CF?$AAw?$AAZ@NNGAKEGL@:
					; DATA XREF: EtwpQueryPsmKey(x,x,x)+53o
		and	eax, 5A007700h
		add	ds:63007700h, ah
		add	ds:5A007700h, ah
		add	ds:63007700h, ah
		add	ds:5A007700h, ah
; 
		db 0
		db 2 dup(0)
; 

??_C@_0BB@EIOCKFLG@ETW_TelCov_Trace@NNGAKEGL@: ; DATA XREF: .data:off_6B3738o
					; .data:off_6B3758o
		inc	ebp
		push	esp
		push	edi
		pop	edi
		push	esp
		db	65h
		insb
		inc	ebx
		outsd
		jbe	short near ptr ??_C@_1BO@DGNLKEMN@?$AAo?$AAe?$AAm?$AAs?$AAv?$AAc?$AAh?$AAo?$AAs?$AAt?$AA?4?$AAe?$AAx?$AAe@NNGAKEGL@ ; "oemsvchost.exe"
		push	esp
		jb	short near ptr ??_C@_1BO@DGNLKEMN@?$AAo?$AAe?$AAm?$AAs?$AAv?$AAc?$AAh?$AAo?$AAs?$AAt?$AA?4?$AAe?$AAx?$AAe@NNGAKEGL@+5
		arpl	[ebp+0], sp
		int	3		; Trap to Debugger

??_C@_0BA@CPIFCMIM@ETW_TelCov_Boot@NNGAKEGL@: ;	DATA XREF: .data:off_6B3008o
		inc	ebp
		push	esp
		push	edi
		pop	edi
		push	esp
		db	65h
		insb
		inc	ebx
		outsd
		jbe	short near ptr ??_C@_1BO@DGNLKEMN@?$AAo?$AAe?$AAm?$AAs?$AAv?$AAc?$AAh?$AAo?$AAs?$AAt?$AA?4?$AAe?$AAx?$AAe@NNGAKEGL@+12h
		inc	edx
		outsd
		outsd
		jz	short $+2

??_C@_0BB@OBDPMNIP@ETW_TelCov_Reset@NNGAKEGL@: ; DATA XREF: .data:off_6B3748o
		inc	ebp
		push	esp
		push	edi
		pop	edi
		push	esp
		db	65h
		insb
		inc	ebx
		outsd
		jbe	short near ptr ??_C@_15MAOEGKJF@?$AA?$CF?$AAS@NNGAKEGL@+4
		push	edx
		db	65h
		jnb	short near ptr loc_8C04F6+2
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_0BD@JBKJLFHL@ETW_TelCov_ResetCP@NNGAKEGL@: ; DATA	XREF: .data:off_6B3768o
		inc	ebp
		push	esp
		push	edi
		pop	edi
		push	esp
		db	65h
		insb
		inc	ebx
		outsd
		jbe	short loc_8C0500
		push	edx
		db	65h
		jnb	short loc_8C050A
		jz	short ??_C@_15MAOEGKJF@?$AA?$CF?$AAS@NNGAKEGL@
		push	eax
		add	ah, cl

??_C@_1CC@DPPHACFF@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAF?$AAi?$AAl?$AAe?$AAI?$AAn?$AAf@NNGAKEGL@:
					; DATA XREF: EtwpUpdateFileInfoDriverRegistration(x)+34o
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	[esi+0], al
		imul	eax, [eax], 65006Ch
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
; 
		dw 0
; wchar_t ??_C
??_C@_1BO@DGNLKEMN@?$AAo?$AAe?$AAm?$AAs?$AAv?$AAc?$AAh?$AAo?$AAs?$AAt?$AA?4?$AAe?$AAx?$AAe@NNGAKEGL@:
					; CODE XREF: PAGE:008C046Bj
					; PAGE:008C046Ej
					; DATA XREF: ...
		unicode	0, <oemsvchost.exe>,0
; 

; wchar_t ??_C
??_C@_15MAOEGKJF@?$AA?$CF?$AAS@NNGAKEGL@: ; CODE XREF: PAGE:008C04A5j
					; PAGE:008C048Dj
					; DATA XREF: ...
		and	eax, 5300h
		add	[eax+eax+52h], bl
					; DATA XREF: EtwpUpdateFileInfoDriverState:loc_90D3F2o
					; EtwpUpdateFileInfoDriverState:loc_90D43Eo ...
		add	[ebp+0], ah

loc_8C04F6:				; CODE XREF: PAGE:008C0490j
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2

loc_8C0500:				; CODE XREF: PAGE:008C049Fj
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah

loc_8C050A:				; CODE XREF: PAGE:008C04A2j
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		pop	esp
		add	[esi+0], al
		imul	eax, [eax], 65006Ch
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
; 
		db 2 dup(0)
; wchar_t ??_C
??_C@_1BI@GOFOEOMC@?$AAs?$AAv?$AAc?$AAh?$AAo?$AAs?$AAt?$AA?4?$AAe?$AAx?$AAe@NNGAKEGL@ dd offset	loc_760072+1
					; DATA XREF: EtwpAppStateChangeSummaryShouldLogCommandLine+3Bo
		dw 63h
aHost_exe:
		unicode	0, <host.exe>,0
; wchar_t ??_C
??_C@_1CE@KHBCIFLE@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAl?$AAo?$AAg?$AA?9?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi@NNGAKEGL@ dd offset loc_760043+2
					; DATA XREF: EtwpStartLogger+2D7o
					; EtwpStartLogger+B2Co
		dw 65h
		dd offset loc_74006D+1
aLogSecurity:
		unicode	0, <log-Security>,0
; 

; void ??_C
??_C@_1DO@EIIFEDGL@?$AAC?$AAi?$AAr?$AAc?$AAu?$AAl?$AAa?$AAr?$AA?5?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl@NNGAKEGL@:
					; DATA XREF: EtwpStartLogger+B9Ao
		inc	ebx
		add	[ecx+0], ch
		jb	short $+2
		arpl	[eax], ax
		jnz	short $+2
		insb
		add	[ecx+0], ah
		jb	short $+2
		and	[eax], al
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[eax], ah
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		add	gs:[eax+0], bh
		jz	short $+2
		and	[eax], al
		dec	esp
		add	[edi+0], ch
		add	[bx+0],	ah
		add	gs:[edx+0], dh
; 
		dw 0
; 

; void ??_C
??_C@_1CC@EOPECBIH@?$AAN?$AAT?$AA?5?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?5?$AAL?$AAo?$AAg?$AAg?$AAe@NNGAKEGL@:
					; DATA XREF: EtwpStartLogger+12093Fo
					; EtwpStartLogger+120A18o
		dec	esi
		add	[eax+eax+20h], dl
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[eax], ah
		add	[eax+eax+6Fh], cl
		add	[edi+0], ah
		add	[di+0],	ah
		jb	short $+2
; 
		db 2 dup(0)
; wchar_t ??_C
??_C@_1BK@GDKGNMAK@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs@NNGAKEGL@ dd offset	loc_770025
					; DATA XREF: EtwpExpandFileName+1D2o
		dw 73h
		dd offset loc_770025
aSWsWs:
		unicode	0, <s%ws%ws>,0
??_C@_1DA@PAFEKHDO@?$AA?2?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AA3?$AA2?$AA?2?$AAL?$AAo?$AAg?$AAf?$AAi@NNGAKEGL@:
					; DATA XREF: EtwpExpandFileName+1C7o
		unicode	0, <\system32\Logfiles\WMI\>,0
; 

; wchar_t ??_C
??_C@_17EEOGHOKP@?$AA?$CF?$AAw?$AAs@NNGAKEGL@: ; DATA XREF: EtwpExpandFileName+AA85Ao
					; LkmdTelCreateReport(x,x,x,x,x,x)+82o
		and	eax, 73007700h
; 
		db 3 dup(0)
; wchar_t ??_C
??_C@_1BE@MFOEGDMN@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs@NNGAKEGL@ dd offset loc_770025
					; DATA XREF: EtwpExpandFileName+10Eo
aSWsWs_0:
		unicode	0, <s%ws%ws>,0
; wchar_t ??_C
??_C@_1O@PEBEJIFE@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs@NNGAKEGL@ dd offset loc_770025
					; DATA XREF: EtwpCreateNtFileName+75o
					; EtwpExpandFileName+AA843o
aSWs:
		unicode	0, <s%ws>,0
; 

??_C@_1BA@OFNNPBJK@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAU?$AAN?$AAC@NNGAKEGL@:
					; DATA XREF: EtwpCreateNtFileName+131E46o
		pop	esp
		add	[edi], bh
		add	[edi], bh
		add	[eax+eax+55h], bl
		add	[esi+0], cl
		inc	ebx
; 
		db 0
		db 2 dup(0)
; 

??_C@_19DEKJANFJ@?$AA?4?$AAe?$AAt?$AAl@NNGAKEGL@: ; DATA XREF: EtwpExpandFileName+1BFo
		add	cs:[ebp+0], ah
		jz	short $+2
		insb
; 
		db 3 dup(0)
; void ??_C
??_C@_1BK@HCAHJHON@?$AA?$CF?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?$CF@NNGAKEGL@:
					; DATA XREF: EtwpExpandFileName+21o
					; EtwStartAutoLogger:loc_86A746o
		unicode	0, <%SystemRoot%>,0
; 

??_C@_1BC@GMMNMBBO@?$AAS?$AAt?$AAe?$AAp?$AAp?$AAi?$AAn?$AAg@NNGAKEGL@:
					; DATA XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+48o
					; EtwpGetPmcCpuHierarchyRegistry(x,x,x)+45o ...
		push	ebx
		add	[eax+eax+65h], dh
		add	[eax+0], dh
		jo	short $+2
		imul	eax, [eax], 67006Eh
; 
		dw 0
??_C@_1M@HHGCKIGA@?$AAM?$AAo?$AAd?$AAe?$AAl@NNGAKEGL@:
					; DATA XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+40o
					; EtwpGetPmcCpuHierarchyRegistry(x,x,x)+3Eo ...
		unicode	0, <Model>,0
??_C@_19ENIPABFF@?$AAU?$AAn?$AAi?$AAt@NNGAKEGL@:
					; DATA XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+15Eo
					; EtwpLoadMicroarchitecturalProfileSource(x,x,x)+A5o
		unicode	0, <Unit>,0
??_C@_1M@JJBFPLJB@?$AAE?$AAv?$AAe?$AAn?$AAt@NNGAKEGL@ dd offset	loc_760043+2
					; DATA XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+115o
					; EtwpLoadMicroarchitecturalProfileSource(x,x,x)+8Co
		dw 65h
		dd offset loc_74006D+1
		db 2 dup(0)
; 

??_C@_1IK@FCPDDGMM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: EtwpLoadMicroarchitecturalPmcs+38o
					; EtwpLoadMicroarchitecturalPmcs+83A8Ao ...
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[edi+0], dl
		dec	ebp
		add	[ecx+0], cl
		pop	esp
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		push	ebx
		add	[edi+0], ch
		jnz	short $+2
		jb	short $+2
		arpl	[eax], ax
		add	gs:[eax], al
; 
		db 0
; wchar_t ??_C
??_C@_1M@GPDJLPMI@?$AA?4?$AA?$CF?$AA0?$AA3?$AAd@NNGAKEGL@:
					; DATA XREF: EtwpExpandFileName+187o
		unicode	0, <.%03d>,0
??_C@_1O@KGHEAOHP@?$AAF?$AAa?$AAm?$AAi?$AAl?$AAy@NNGAKEGL@:
					; DATA XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+25o
					; EtwpGetPmcCpuHierarchyRegistry(x,x,x)+37o ...
		unicode	0, <Family>,0
; wchar_t ??_C
??_C@_1BA@NPEHGALP@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@	dd offset loc_770025
					; DATA XREF: EtwpEnableAutoLoggerProvider+17Co
					; EtwpEnumerateAutologgerPath+1A1o ...
		dw 73h
aWs:
		unicode	0, <\%ws>,0
; 

??_C@_1BI@PPAIMHKI@?$AAC?$AAM?$AAa?$AAs?$AAk?$AAI?$AAn?$AAv?$AAe?$AAr?$AAt@NNGAKEGL@:
					; DATA XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+1D2o
					; EtwpLoadMicroarchitecturalProfileSource(x,x,x)+1EFo
		inc	ebx
		add	[ebp+0], cl
		popa
		add	[ebx+0], dh
		imul	eax, [eax], 49h
		add	[esi+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BE@FBOMIBJN@?$AAA?$AAn?$AAy?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd@NNGAKEGL@:
					; DATA XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+202o
					; EtwpLoadMicroarchitecturalProfileSource(x,x,x)+1B1o
		inc	ecx
		add	[esi+0], ch
		jns	short $+2
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ecx+0], ah
		add	fs:[eax], al
; 
		db 0
; wchar_t ??_C
??_C@_1BG@FJAHPAA@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs?$AA?3?$AA?$CF?$AAd@NNGAKEGL@ dd offset loc_770025
					; DATA XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+C0o
		dw 73h
aWsD:
		unicode	0, <\%ws:%d>,0
??_C@_1BK@NGNFGMBN@?$AAA?$AAr?$AAc?$AAh?$AAi?$AAt?$AAe?$AAc?$AAt?$AAu?$AAr?$AAe@NNGAKEGL@:
					; DATA XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+B6o
					; EtwpAddMicroarchitecturalPmcToRegistry(x,x)+14Do ...
		unicode	0, <Architecture>,0
??_C@_1BG@OMCKMKBD@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAs?$AAH?$AAa?$AAl?$AAt@NNGAKEGL@	db 'A',0
					; DATA XREF: EtwpLoadMicroarchitecturalProfileSource(x,x,x)+166o
aLlowshalt:
		unicode	0, <llowsHalt>,0
??_C@_1BC@KKEAFNKD@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAv?$AAa?$AAl@NNGAKEGL@:
					; DATA XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+CEo
					; EtwpLoadMicroarchitecturalProfileSource(x,x,x)+14Do
		unicode	0, <Interval>,0
??_C@_1BG@BHHFLBAJ@?$AAE?$AAd?$AAg?$AAe?$AAD?$AAe?$AAt?$AAe?$AAc?$AAt@NNGAKEGL@	db 'E',0
					; DATA XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+232o
					; EtwpLoadMicroarchitecturalProfileSource(x,x,x)+198o
aDgedetect:
		unicode	0, <dgeDetect>,0
??_C@_1M@NFEDHPMI@?$AAC?$AAM?$AAa?$AAs?$AAk@NNGAKEGL@:
					; DATA XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+19Co
					; EtwpLoadMicroarchitecturalProfileSource(x,x,x)+17Fo
		unicode	0, <CMask>,0
; wchar_t ??_C
??_C@_1BG@HEJOFNII@?$AA?$CF?$AAw?$AAs?$AA?9?$AA?$CF?$AAw?$AAs?$AA?3?$AA?$CF?$AAd@NNGAKEGL@ dd offset loc_770025
					; DATA XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+E2o
aSWsD:
		unicode	0, <s-%ws:%d>,0
; 

??_C@_1O@NDIKAOGF@?$AA4?$AA2?$AA5?$AA5?$AA0?$AA0@NNGAKEGL@:
					; DATA XREF: EtwpRegTraceEnableCallback(x,x,x,x,x,x,x,x,x)+46o
		xor	al, 0
		xor	al, [eax]
		xor	eax, 30003500h
		add	[eax], dh
; 
		db 3 dup(0)
??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+4Co
					; EtwTimLogBlockNonCetBinaries(x,x,x,x,x,x)+15Do ...
		unicode	0, <(null)>,0
??_C@_0CG@CANMAEPM@wmitrace?3?5EtwpStopTrace?5failed?3@NNGAKEGL@ db 'wmitrace: EtwpStopTrace failed: 0x%x',0Ah,0
					; DATA XREF: EtwWmitraceWorker()+1E3o
; char ??_C[]
??_C@_0CH@NNKBILGH@wmitrace?3?5EtwpQueryTrace?5failed@NNGAKEGL@	db 'wmitrace: EtwpQueryTrace failed: 0x%x',0Ah,0
					; DATA XREF: EtwWmitraceWorker()+1B4o
		align 4
??_C@_0CL@HDKKLBEP@wmitrace?3?5failed?5to?5enable?5KD_F@NNGAKEGL@ db 'wmitrace: failed to enable KD_FILTER 0x%x',0Ah,0
					; DATA XREF: EtwWmitraceWorker()+18Eo
		align 4
; char ??_C[]
??_C@_0CH@GEGPOHNN@wmitrace?3?5EtwpStartTrace?5failed@NNGAKEGL@	db 'wmitrace: EtwpStartTrace failed: 0x%x',0Ah,0
					; DATA XREF: EtwWmitraceWorker()+28Do
		align 10h

;  S U B	R O U T	I N E 


; char ??_C
??_C@_0CO@JHHBNHEL@Unknown?5command?5passed?5to?5EtwWm@NNGAKEGL@ proc near
					; DATA XREF: EtwWmitraceWorker():loc_9F8862o
		push	ebp
		outsb
??_C@_0CO@JHHBNHEL@Unknown?5command?5passed?5to?5EtwWm@NNGAKEGL@ endp

		imul	ebp, [esi+6Fh],	77h
		outsb
		and	[ebx+6Fh], ah
		insd
		insd
		popa
		outsb
		and	fs:[eax+61h], dh
		jnb	short loc_8C0997
		db	65h
		and	fs:[edi+ebp*2+20h], dh
		inc	ebp
		jz	short near ptr loc_8C09A3+1
		push	edi
		insd
		imul	esi, [edx+esi*2+61h], 6F576563h
		jb	short near ptr loc_8C09A3+1
		db	65h
		jb	short near ptr loc_8C0969+1
		or	al, [eax]

??_C@_0CK@GHJJALFO@wmitrace?3?5EtwpEnableTraceEx?5fai@NNGAKEGL@:
					; DATA XREF: EtwWmitraceWorker()+12Co
		ja	short loc_8C09AD
		imul	esi, [edx+esi*2+61h], 203A6563h
		inc	ebp
		jz	short near ptr loc_8C09BF+3
		jo	short ??_C@_1CE@NMNLGNJL@?$AAE?$AAT?$AAW?$AAA?$AAu?$AAt?$AAo?$AAL?$AAo?$AAg?$AAg?$AAe?$AAr?$AAP?$AAa@NNGAKEGL@
		outsb
		popa
		bound	ebp, [ebp+54h]
		jb	short ??_C@_1BK@IDOACBDN@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AAL?$AAo?$AAg?$AAg?$AAe?$AAr@NNGAKEGL@
		arpl	[ebp+45h], sp
		js	short near ptr loc_8C0976+4
		popaw
		imul	ebp, [ebp+64h],	7830203Ah
; 
		dd 0A7825h
; 

??_C@_1CK@IBJMKJMK@?$AAE?$AAt?$AAw?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAD?$AAe?$AAm?$AAu?$AAx@NNGAKEGL@:
					; DATA XREF: EtwpInitializePrivateSessionDemuxObject()+3Bo
		inc	ebp

loc_8C0969:				; CODE XREF: PAGE:008C0939j
		add	[eax+eax+77h], dh
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2

loc_8C0976:				; CODE XREF: PAGE:008C0958j
		imul	eax, [eax], 6E006Fh
		inc	esp
		add	[ebp+0], ah
		insd
		add	[ebp+0], dh
		js	short $+2
		inc	ebp
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		jns	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CE@NMNLGNJL@?$AAE?$AAT?$AAW?$AAA?$AAu?$AAt?$AAo?$AAL?$AAo?$AAg?$AAg?$AAe?$AAr?$AAP?$AAa@NNGAKEGL@:
					; CODE XREF: PAGE:008C094Bj
					; DATA XREF: EtwpInitializeAutoLoggers+A4o
		inc	ebp
		add	[eax+eax+57h], dl

loc_8C0997:				; CODE XREF: PAGE:008C0922j
		add	[ecx+0], al
		jnz	short $+2
		jz	short $+2
		outsd
		add	[eax+eax+6Fh], cl

loc_8C09A3:				; CODE XREF: PAGE:008C092Bj
					; PAGE:008C0937j
		add	[edi+0], ah
		add	[di+0],	ah
		jb	short $+2
		push	eax

loc_8C09AD:				; CODE XREF: PAGE:??_C@_0CK@GHJJALFO@wmitrace?3?5EtwpEnableTraceEx?5fai@NNGAKEGL@j
		add	[ecx+0], ah
		jz	short $+2
; 
		dw 68h
		db 2 dup(0)
; 

??_C@_1BK@IDOACBDN@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AAL?$AAo?$AAg?$AAg?$AAe?$AAr@NNGAKEGL@:
					; CODE XREF: PAGE:008C0953j
					; DATA XREF: EtwStartAutoLogger+885o ...
		inc	edi
		add	[eax+eax+6Fh], ch
		add	[edx+0], ah
		popa

loc_8C09BF:				; CODE XREF: PAGE:008C0949j
		add	[eax+eax+4Ch], ch
		add	[edi+0], ch
		add	[bx+0],	ah
		add	gs:[edx+0], dh
; 
		dw 0
??_C@_1BE@IPKAIGMO@?$AAI?$AAm?$AAm?$AAu?$AAt?$AAa?$AAb?$AAl?$AAe@NNGAKEGL@:
					; DATA XREF: EtwStartAutoLogger+243o
		unicode	0, <Immutable>,0
??_C@_1CI@DFBOJNPN@?$AAE?$AAT?$AAW?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AAL?$AAo?$AAg?$AAg?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: EtwpInitializeAutoLoggers+E0o
		unicode	0, <ETWGlobalLoggerPath>,0
??_C@_1II@DHOKGAJM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: EtwpInitializeAutoLoggers+32o
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\WMI\Gl>
		unicode	0, <obalLogger>,0
??_C@_1IE@LAHHDNMO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: EtwpInitializeAutoLoggers+24o
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\WMI\Au>
		unicode	0, <toLogger>,0
??_C@_1BC@PKFGPGJB@?$AAF?$AAi?$AAl?$AAe?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: EtwStartAutoLogger+472o
					; ApiSetpLoadSchemaExtension+68o
		unicode	0, <FileName>,0
??_C@_1BO@EMFAPBIG@?$AAM?$AAa?$AAx?$AAi?$AAm?$AAu?$AAm?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr?$AAs@NNGAKEGL@ db 'M',0
					; DATA XREF: EtwStartAutoLogger+45Co
		dd offset loc_780060+1
aImumbuffers:
		unicode	0, <imumBuffers>,0
??_C@_1BE@ILKEBGME@?$AAC?$AAl?$AAo?$AAc?$AAk?$AAT?$AAy?$AAp?$AAe@NNGAKEGL@:
					; DATA XREF: EtwStartAutoLogger+599o
		unicode	0, <ClockType>,0

;  S U B	R O U T	I N E 


??_C@_1CG@MJEJKPEK@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAW?$AAa?$AAl?$AAk?$AAi?$AAn?$AAg?$AAF?$AAi?$AAl@NNGAKEGL@ proc near
					; DATA XREF: EtwStartAutoLogger+4BAo
		push	ebx
		add	[eax+eax+61h], dh
		add	[ebx+0], ah
		imul	eax, [eax], 57h
		add	[ecx+0], ah
		insb
??_C@_1CG@MJEJKPEK@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAW?$AAa?$AAl?$AAk?$AAi?$AAn?$AAg?$AAF?$AAi?$AAl@NNGAKEGL@ endp

		add	[ebx+0], ch
		imul	eax, [eax], 67006Eh
		inc	esi
		add	[ecx+0], ch
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
; 
		db 2 dup(0)
??_C@_1BG@CPCOOOKL@?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr?$AAS?$AAi?$AAz?$AAe@NNGAKEGL@	dd offset loc_750042
					; DATA XREF: EtwStartAutoLogger+41Ao
		dw 66h
aFersize:
		unicode	0, <ferSize>,0
??_C@_1BO@HOFFIHNI@?$AAF?$AAl?$AAu?$AAs?$AAh?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh?$AAo?$AAl?$AAd@NNGAKEGL@:
					; DATA XREF: EtwStartAutoLogger+2F8o
		unicode	0, <FlushThreshold>,0
??_C@_1BG@LHINJEKI@?$AAF?$AAl?$AAu?$AAs?$AAh?$AAT?$AAi?$AAm?$AAe?$AAr@NNGAKEGL@	db 'F',0
					; DATA XREF: EtwStartAutoLogger+446o
		dd offset loc_75006C
aShtimer:
		unicode	0, <shTimer>,0
??_C@_1BO@NEHDJPKH@?$AAM?$AAi?$AAn?$AAi?$AAm?$AAu?$AAm?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr?$AAs@NNGAKEGL@:
					; DATA XREF: EtwStartAutoLogger+430o
		unicode	0, <MinimumBuffers>,0
??_C@_1BA@IJANDGNA@?$AAF?$AAi?$AAl?$AAe?$AAM?$AAa?$AAx@NNGAKEGL@ db 'F',0
					; DATA XREF: EtwStartAutoLogger+659o
aIlemax:
		unicode	0, <ileMax>,0
; 

??_C@_1BI@MGELNINL@?$AAF?$AAi?$AAl?$AAe?$AAC?$AAo?$AAu?$AAn?$AAt?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: EtwStartAutoLogger+63Co
					; EtwStartAutoLogger+A93o ...
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		inc	ebx
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1BK@BNNAGKMF@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAC?$AAa?$AAc?$AAh?$AAi?$AAn?$AAg@NNGAKEGL@ proc near
					; DATA XREF: EtwStartAutoLogger+73Bo
		push	ebx
		add	[eax+eax+61h], dh
		add	[ebx+0], ah
		imul	eax, [eax], 43h
		add	[ecx+0], ah
		arpl	[eax], ax
??_C@_1BK@BNNAGKMF@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAC?$AAa?$AAc?$AAh?$AAi?$AAn?$AAg@NNGAKEGL@ endp

		push	6E006900h
		add	[edi+0], ah
; 
		dw 0
??_C@_1BM@HCNKBIBB@?$AAP?$AAo?$AAo?$AAl?$AAT?$AAa?$AAg?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: EtwStartAutoLogger+676o
		unicode	0, <PoolTagFilter>,0
??_C@_1BI@CKOCKMJL@?$AAL?$AAo?$AAg?$AAF?$AAi?$AAl?$AAe?$AAM?$AAo?$AAd?$AAe@NNGAKEGL@:
					; DATA XREF: EtwStartAutoLogger+5DFo
		unicode	0, <LogFileMode>,0
??_C@_1BI@DKPILFAP@?$AAM?$AAa?$AAx?$AAF?$AAi?$AAl?$AAe?$AAS?$AAi?$AAz?$AAe@NNGAKEGL@:
					; DATA XREF: EtwStartAutoLogger+5BCo
		unicode	0, <MaxFileSize>,0
??_C@_19BPBMCKGC@?$AAG?$AAu?$AAi?$AAd@NNGAKEGL@	dd offset loc_750047
					; DATA XREF: EtwStartAutoLogger+61Fo
; 
		imul	eax, [eax], 64h

??_C@_1DG@KDJAEHHA@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAR?$AAe?$AAa?$AAl?$AAt?$AAi?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: EtwStartAutoLogger+602o
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	edx
		add	[ebp+0], ah
		popa
		add	[eax+eax+74h], ch
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 740073h
		add	gs:[esi+0], ch
		arpl	[eax], ax
		add	gs:[eax], al
		add	[esi+0], al	; DATA XREF: EtwpGetAutoLoggerEventNameFilter+88CA9o
					; EtwpGetAutoLoggerLevelKwFilter+87482o
		imul	eax, [eax], 74006Ch
		add	gs:[edx+0], dh
		dec	ecx
		add	[esi+0], ch
; 
		db 2 dup(0)
; 

??_C@_1CA@DABEMIJN@?$AAM?$AAa?$AAt?$AAc?$AAh?$AAA?$AAl?$AAl?$AAK?$AAe?$AAy?$AAw?$AAo?$AAr?$AAd@NNGAKEGL@:
					; DATA XREF: EtwpEnableAutoLoggerProvider+356o
					; EtwpGetAutoLoggerEventNameFilter+88C95o ...
		dec	ebp
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6C004100h
		add	[eax+eax+4Bh], ch
		add	[ebp+0], ah
		jns	short $+2
		ja	short $+2
		outsd
		add	[edx+0], dh
		add	fs:[eax], al
		add	[esi+0], cl	; DATA XREF: EtwpGetAutoLoggerEventNameFilter+88CBDo
		popa
		add	[ebp+0], ch
		add	gs:[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1BE@LJMECDMA@?$AAN?$AAa?$AAm?$AAe?$AAC?$AAo?$AAu?$AAn?$AAt@NNGAKEGL@:
					; DATA XREF: EtwpGetAutoLoggerEventNameFilter+88CB3o
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
		inc	ebx
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+0], dh

loc_8C0D09:				; DATA XREF: EtwStartAutoLogger+759o
		add	[eax+eax+69h], al
		add	[ebx+0], dh
		popa
		add	[eax+eax+6Ch], ch
		add	[edi+0], ch
		ja	short $+2
		dec	esp
		add	[ecx+0], ch
		jnb	short $+2
		jz	short $+2
; 
		dw 0
??_C@_1CO@GGLLDGKO@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AAP@NNGAKEGL@:
					; DATA XREF: EtwStartAutoLogger+74Fo
		unicode	0, <EnableSecurityProvider>,0
; 

??_C@_1CA@DAIDIDOO@?$AAM?$AAa?$AAt?$AAc?$AAh?$AAA?$AAn?$AAy?$AAK?$AAe?$AAy?$AAw?$AAo?$AAr?$AAd@NNGAKEGL@:
					; DATA XREF: EtwpEnableAutoLoggerProvider+34Co
					; EtwpGetAutoLoggerEventNameFilter+88B88o ...
		dec	ebp
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6E004100h
		add	[ecx+0], bh
		dec	ebx
		add	[ebp+0], ah
		jns	short $+2
		ja	short $+2
		outsd
		add	[edx+0], dh
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1BE@NFPMBJME@?$AAV?$AA2?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@:
					; DATA XREF: EtwStartAutoLogger+76Co
		push	esi
		add	[edx], dh
		add	[edi+0], cl
		jo	short $+2
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		db 2 dup(0)
??_C@_1CA@FODMMKIP@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAI?$AAd?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAI?$AAn@NNGAKEGL@ dd offset loc_760043+2
					; DATA XREF: EtwpGetAutoLoggerProviderFilter+439o
		dw 65h
		dd offset loc_74006D+1
aIdfilterin:
		unicode	0, <IdFilterIn>,0
; 

??_C@_1DG@NJNDNLDI@?$AAP?$AAa?$AAc?$AAk?$AAa?$AAg?$AAe?$AAR?$AAe?$AAl?$AAa?$AAt?$AAi?$AAv?$AAe@NNGAKEGL@:
					; DATA XREF: EtwpGetAutoLoggerProviderFilter+425o
		push	eax
		add	[ecx+0], ah
		arpl	[eax], ax
		imul	eax, [eax], 61h
		add	[edi+0], ah
		add	gs:[edx+0], dl
		add	gs:[eax+eax+61h], ch
		add	[eax+eax+69h], dh
		add	[esi+0], dh
		add	gs:[ecx+0], al
		jo	short $+2
		jo	short $+2
		dec	ecx
		add	[eax+eax+46h], ah
		add	[ecx+0], ch
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
; 
		dw 0
; 

??_C@_1CG@CPJPKDBI@?$AAS?$AAc?$AAh?$AAe?$AAm?$AAa?$AAt?$AAi?$AAz?$AAe?$AAd?$AAF?$AAi?$AAl?$AAt@NNGAKEGL@:
					; DATA XREF: EtwpGetAutoLoggerProviderFilter+471o
		push	ebx
		add	[ebx+0], ah
		push	6D006500h
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 65007Ah
		add	fs:[esi+0], al
		imul	eax, [eax], 74006Ch
		add	gs:[edx+0], dh
		jnb	short $+2
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1CE@LAJLDKOH@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAW?$AAa?$AAl?$AAk?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@ proc near
					; DATA XREF: EtwpGetAutoLoggerProviderFilter+44Do
		push	ebx
		add	[eax+eax+61h], dh
		add	[ebx+0], ah
		imul	eax, [eax], 57h
		add	[ecx+0], ah
		insb
??_C@_1CE@LAJLDKOH@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAW?$AAa?$AAl?$AAk?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@ endp

		add	[ebx+0], ch
		inc	esi
		add	[ecx+0], ch
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		dec	ecx
		add	[esi+0], ch
; 
		db 2 dup(0)
; wchar_t ??_C
??_C@_1BI@GHNFACD@?$AA?$CF?$AAw?$AAs?$AA?2?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@	dd offset loc_770025
					; DATA XREF: EtwpGetAutoLoggerProviderFilter+12Ao
					; EtwpGetAutoLoggerProviderFilter+8CA27o
		dw 73h
aFilters:
		unicode	0, <\Filters>,0
; wchar_t ??_C
??_C@_1CO@KJDELHKH@?$AA?$CF?$AAw?$AAs?$AA?2?$AAS?$AAt?$AAa?$AAc?$AAk?$AAL?$AAe?$AAv?$AAe?$AAl?$AAK@NNGAKEGL@ dd	offset loc_770025
					; DATA XREF: EtwpGetAutoLoggerLevelKwFilter+96o
					; EtwpGetAutoLoggerLevelKwFilter+872ECo
		dw 73h
aStacklevelkwfi:
		unicode	0, <\StackLevelKwFilter>,0
??_C@_1CA@FNMGOGNM@?$AAP?$AAa?$AAc?$AAk?$AAa?$AAg?$AAe?$AAI?$AAd?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: EtwpGetAutoLoggerProviderFilter+411o
		unicode	0, <PackageIdFilter>,0
??_C@_1BE@FDHBJBK@?$AAE?$AAx?$AAe?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@ dd offset loc_780040+5
					; DATA XREF: EtwpGetAutoLoggerProviderFilter+3F7o
aEfilter:
		unicode	0, <eFilter>,0
??_C@_1BI@GEJCFFBF@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAL?$AAe?$AAv?$AAe?$AAl@NNGAKEGL@:
					; DATA XREF: EtwpEnableAutoLoggerProvider+320o
		unicode	0, <EnableLevel>,0

;  S U B	R O U T	I N E 


??_C@_1CA@OEDNFPID@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAN?$AAa?$AAm?$AAe?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@ proc near
					; DATA XREF: EtwpGetAutoLoggerProviderFilter+64Co
		push	ebx
		add	[eax+eax+61h], dh
		add	[ebx+0], ah
		imul	eax, [eax], 4Eh
		add	[ecx+0], ah
		insd
??_C@_1CA@OEDNFPID@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAN?$AAa?$AAm?$AAe?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@ endp

		add	[ebp+0], ah
		inc	esi
		add	[ecx+0], ch
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
; 
		dw 0
; 

??_C@_1BK@KDBPPJPB@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAS?$AAt?$AAa?$AAt?$AAu?$AAs@NNGAKEGL@:
					; DATA XREF: EtwpEnumerateKeyProviders+A0155o
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1BI@EBHMEIEO@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@:
					; DATA XREF: EtwpEnableAutoLoggerProvider+336o
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
		db 2 dup(0)
??_C@_1BC@KAOGBLIA@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAI?$AAd?$AAs@NNGAKEGL@ dd offset	loc_760043+2
					; DATA XREF: EtwpGetAutoLoggerProviderFilter+4EDo
		dw 65h
		dd offset loc_74006D+1
aIds:
		unicode	0, <Ids>,0
??_C@_1CA@BIAIEJGA@?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: EtwpGetAutoLoggerProviderFilter+48Do
		unicode	0, <ContainerFilter>,0
??_C@_1CA@MKODHNDA@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAN?$AAa?$AAm?$AAe?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@ dd offset loc_760043+2
					; DATA XREF: EtwpGetAutoLoggerProviderFilter+632o
aEntnamefilter:
		unicode	0, <entNameFilter>,0

;  S U B	R O U T	I N E 


??_C@_1BK@DBPDLNFG@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAW?$AAa?$AAl?$AAk?$AAI?$AAd?$AAs@NNGAKEGL@ proc near
					; DATA XREF: EtwpGetAutoLoggerProviderFilter+54Bo
		push	ebx
		add	[eax+eax+61h], dh
		add	[ebx+0], ah
		imul	eax, [eax], 57h
		add	[ecx+0], ah
		insb
??_C@_1BK@DBPDLNFG@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAW?$AAa?$AAl?$AAk?$AAI?$AAd?$AAs@NNGAKEGL@ endp

		add	[ebx+0], ch
		dec	ecx
		add	[eax+eax+73h], ah
; 
		db 0
		db 2 dup(0)
; wchar_t ??_C
??_C@_1BK@GCMGPE@?$AAE?$AAt?$AAw?$AAR?$AAT?$AA?$CF?$AAw?$AAs?$AA?4?$AAe?$AAt?$AAl@NNGAKEGL@ dd offset loc_740045
					; DATA XREF: EtwpRealtimeCreateLogfile+7Ao
		dw 77h
aRtWs_etl:
		unicode	0, <RT%ws.etl>,0
??_C@_19PBDICKGO@?$AAH?$AAo?$AAs?$AAt@NNGAKEGL@:
					; DATA XREF: EtwpApplyContainerFilter(x,x)+26o
		unicode	0, <Host>,0
; 

??_C@_1O@EKJBMENL@?$AAL?$AAo?$AAc?$AAa?$AAl?$AAe@NNGAKEGL@:
					; DATA XREF: NtSetDefaultLocale+66o
		dec	esp
		add	[edi+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+65h], ch
; 
		db 3 dup(0)
; 

??_C@_1GG@KFEAKJAE@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?5?$AAP?$AAa?$AAn?$AAe?$AAl?$AA?2?$AAD@NNGAKEGL@:
					; DATA XREF: ExpSetPendingUILanguage+BA885o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax], ah
		add	[eax+0], dl
		popa
		add	[esi+0], ch
		add	gs:[eax+eax+5Ch], ch
		add	[eax+eax+65h], al
		add	[ebx+0], dh
		imul	eax, [eax], 74h
		add	[edi+0], ch
		jo	short $+2
		pop	esp
		add	[eax+eax+61h], cl
		add	[esi+0], ch
		add	[di+0],	dh
		popa
		add	[edi+0], ah
		add	gs:[ebx+0], al
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[di+0],	dh
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+0], dl
		add	gs:[esi+0], ch
		add	fs:[ecx+0], ch
		outsb
		add	[edi+0], ah
; 
		db 2 dup(0)
; 

??_C@_1CK@CDBMDBEP@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe?$AAd?$AAU?$AAI?$AAL?$AAa?$AAn?$AAg@NNGAKEGL@:
					; DATA XREF: ExpSetPendingUILanguage+253o
					; ExpSetPendingUILanguage+BA7F0o ...
		push	eax
		add	[edx+0], dh
		add	gs:[esi+0], ah
		add	gs:[edx+0], dh
		jb	short $+2
		add	gs:[eax+eax+55h], ah
		add	[ecx+0], cl
		dec	esp
		add	[ecx+0], ah
		outsb
		add	[edi+0], ah
		jnz	short $+2
		popa
		add	[edi+0], ah
		add	gs:[ebx+0], dh
; 
		dw 0
??_C@_1EA@FMIONCIH@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?5?$AAP?$AAa?$AAn?$AAe?$AAl?$AA?2?$AAD@NNGAKEGL@:
					; DATA XREF: ExpSetPendingUILanguage:loc_871DF2o
		unicode	0, <Control Panel\Desktop\MuiCached>,0
; 

??_C@_1FI@DIKMNOCP@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?5?$AAP?$AAa?$AAn?$AAe?$AAl?$AA?2?$AAD@NNGAKEGL@:
					; DATA XREF: ExpSetPendingUILanguage+BA929o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax], ah
		add	[eax+0], dl
		popa
		add	[esi+0], ch
		add	gs:[eax+eax+5Ch], ch
		add	[eax+eax+65h], al
		add	[ebx+0], dh
		imul	eax, [eax], 74h
		add	[edi+0], ch
		jo	short $+2
		pop	esp
		add	[eax+eax+61h], cl
		add	[esi+0], ch
		add	[di+0],	dh
		popa
		add	[edi+0], ah
		add	gs:[ebx+0], al
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[di+0],	dh
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 3 dup(0)
; 

??_C@_1IA@MCGGGFDM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: NtSetDefaultLocale+BA864o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[esi+0], cl
		insb
		add	[ebx+0], dh
		pop	esp
		add	[eax+eax+61h], cl
		add	[esi+0], ch
		add	[di+0],	dh
		popa
		add	[edi+0], ah
		add	gs:[eax], al
; 
		db 0
??_C@_1DI@HFDNKLGP@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?5?$AAP?$AAa?$AAn?$AAe?$AAl?$AA?2?$AAI@NNGAKEGL@:
					; DATA XREF: NtSetDefaultLocale+5Eo
		unicode	0, <Control Panel\International>,0
??_C@_1DI@FJENBGDK@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe?$AAd?$AAU?$AAI?$AAL?$AAa?$AAn?$AAg@NNGAKEGL@:
					; DATA XREF: ExpSetPendingUILanguage+149o
		unicode	0, <PreferredUILanguagesPending>,0
??_C@_1CM@FDDKAFMM@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?5?$AAP?$AAa?$AAn?$AAe?$AAl?$AA?2?$AAD@NNGAKEGL@:
					; DATA XREF: ExpSetPendingUILanguage+D7o
		unicode	0, <Control Panel\Desktop>,0
; 

??_C@_0EH@NNGDDGGC@?$CK?$CK?$CK?5MUI?3?5Failed?5to?5delete?5value@NNGAKEGL@:
					; DATA XREF: ExpSetPendingUILanguage+BAAF1o
		sub	ch, [edx]
		sub	ah, [eax]
		dec	ebp
		push	ebp
		dec	ecx
		cmp	ah, [eax]
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		db	64h, 65h
		insb
		db	65h
		jz	short near ptr ??_C@_1DK@EOBOFKDB@?$AAM?$AAa?$AAc?$AAh?$AAi?$AAn?$AAe?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@NNGAKEGL@+36h
		and	[esi+61h], dh
		insb
		jnz	short loc_8C1270
		and	ds:72662053h, ah
		outsd
		insd
		and	[ebp+61h], cl
		arpl	[eax+69h], bp
		outsb
		db	65h
		dec	esp
		popa
		outsb
		db	67h
		jnz	near ptr 1282h
		db	67h, 65h
		inc	ebx
		outsd
		outsb
		imul	sp, [edi+75h], 6172h
		jz	short loc_8C1297
		outsd
		outsb
		and	[edx], ecx
		add	ah, cl
; 
??_C@_1DK@EOBOFKDB@?$AAM?$AAa?$AAc?$AAh?$AAi?$AAn?$AAe?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@NNGAKEGL@:
					; DATA XREF: ExpSetPendingUILanguage:loc_871FA9o
					; ExpSetPendingUILanguage+BABB5o
		unicode	0, <MachineLanguageConfiguration>,0
; 

??_C@_0DO@KLNFOCHH@?$CK?$CK?$CK?5MUI?3?5Can?8t?5copy?5language?5na@NNGAKEGL@:
					; DATA XREF: ExpSetPendingUILanguage+BAC99o
		sub	ch, [edx]

loc_8C1270:				; CODE XREF: PAGE:008C1209j
		sub	ah, [eax]
		dec	ebp
		push	ebp
		dec	ecx
		cmp	ah, [eax]
		inc	ebx
		popa
		outsb
		daa
		jz	short loc_8C129D
		arpl	[edi+70h], bp
		jns	short near ptr loc_8C129F+3
		insb
		popa
		outsb
		db	67h
		jnz	near ptr 12E9h
		and	gs:[bp+61h], ch
		insd
		and	gs:[esi+6Fh], ah
		jb	short near ptr ??_C@_1KM@IAIDLDJP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@+8
		dec	esp
		popa
		outsb

loc_8C1297:				; CODE XREF: PAGE:008C122Cj
		db	67h
		jnz	near ptr 12FBh
		db	67h, 65h
		inc	ebx

loc_8C129D:				; CODE XREF: PAGE:008C127Bj
		outsd
		outsb

loc_8C129F:				; CODE XREF: PAGE:008C1280j
		imul	sp, [edi+20h], 7469h
		db	65h
		insd
; 
		db 20h
		dd 0A7525h
??_C@_1KM@IAIDLDJP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; CODE XREF: PAGE:008C1292j
					; DATA XREF: ExpSetPendingUILanguage:loc_872014o ...
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\MUI\Se>
		unicode	0, <ttings\LanguageConfiguration>,0
??_C@_1DI@CNCPGFIN@?$AAM?$AAa?$AAc?$AAh?$AAi?$AAn?$AAe?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe@NNGAKEGL@:
					; DATA XREF: ExpSetPendingUILanguage:loc_871F62o
					; ExpSetPendingUILanguage+BA9E6o
		unicode	0, <MachinePreferredUILanguages>,0
??_C@_1IA@GPBHBJN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: ExpSetPendingUILanguage+1EEo
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\MUI\Se>
		unicode	0, <ttings>,0
; 

; char ??_C
??_C@_0DA@PENNLMJM@sysinfo?3?5Can?8t?5set?5MachinePrefe@NNGAKEGL@:
					; DATA XREF: ExpSetPendingUILanguage:loc_92C6D0o
		jnb	short near ptr loc_8C1488+3
		jnb	short loc_8C147D
		outsb
		outsw
		cmp	ah, [eax]
		inc	ebx
		popa
		outsb
		daa
		jz	short near ptr byte_8C143F
		jnb	short near ptr loc_8C1484+2
		jz	short near ptr loc_8C1442+1
		dec	ebp
		popa
		arpl	[eax+69h], bp
		outsb
		db	65h
		push	eax
		jb	short loc_8C1492
		db	66h, 65h
		jb	short loc_8C14A3
		db	65h, 64h
		push	ebp
		dec	ecx
		dec	esp
		popa
		outsb
		db	67h
		jnz	near ptr 149Ch
		db	67h, 65h
		jnb	near ptr 1449h
; 
byte_8C143F	db 0			; CODE XREF: PAGE:008C141Dj
; 

; char ??_C
??_C@_0EA@DMLFMMEC@sysinfo?3?5Can?8t?5set?5MachinePrefe@NNGAKEGL@:
					; DATA XREF: ExpSetPendingUILanguage+BAA33o
		jnb	short near ptr loc_8C14BA+1

loc_8C1442:				; CODE XREF: PAGE:008C1421j
		jnb	short near ptr loc_8C14AC+1
		outsb
		outsw
		cmp	ah, [eax]
		inc	ebx
		popa
		outsb
		daa
		jz	short loc_8C146F
		jnb	short loc_8C14B6
		jz	short near ptr loc_8C1472+1
		dec	ebp
		popa
		arpl	[eax+69h], bp
		outsb
		db	65h
		push	eax
		jb	short near ptr loc_8C14C1+1
		db	66h, 65h
		jb	short near ptr loc_8C14D0+3
		db	65h, 64h
		push	ebp
		dec	ecx
		dec	esp
		popa
		outsb
		db	67h
		jnz	near ptr 14CCh
		db	67h, 65h
		jnb	near ptr 148Fh

loc_8C146F:				; CODE XREF: PAGE:008C144Dj
		db	64h
		jnz	short near ptr loc_8C14D5+2

loc_8C1472:				; CODE XREF: PAGE:008C1451j
		and	[edi+ebp*2+20h], dh
		db	65h
		jb	short loc_8C14EB
		outsd
		jb	short near ptr loc_8C149A+2
; 
		db 25h
; 

loc_8C147D:				; CODE XREF: PAGE:008C1412j
		or	al, fs:[eax]

??_C@_1HG@OLNFIFKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: PAGE:007B451Co
		pop	esp
		add	[edx+0], dl

loc_8C1484:				; CODE XREF: PAGE:008C141Fj
		add	gs:[edi+0], ah

loc_8C1488:				; CODE XREF: PAGE:??_C@_0DA@PENNLMJM@sysinfo?3?5Can?8t?5set?5MachinePrefe@NNGAKEGL@j
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2

loc_8C1492:				; CODE XREF: PAGE:008C142Bj
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah

loc_8C149A:				; CODE XREF: PAGE:008C147Aj
		push	6E006900h
		add	[ebp+0], ah
		pop	esp

loc_8C14A3:				; CODE XREF: PAGE:008C142Dj
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2

loc_8C14AC:				; CODE XREF: PAGE:loc_8C1442j
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2

loc_8C14B6:				; CODE XREF: PAGE:008C144Fj
		jb	short $+2
		jb	short $+2

loc_8C14BA:				; CODE XREF: PAGE:??_C@_0EA@DMLFMMEC@sysinfo?3?5Can?8t?5set?5MachinePrefe@NNGAKEGL@j
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx

loc_8C14C1:				; CODE XREF: PAGE:008C145Bj
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl

loc_8C14D0:				; CODE XREF: PAGE:008C145Dj
		add	gs:[eax+eax+5Ch], dh

loc_8C14D5:				; CODE XREF: PAGE:loc_8C146Fj
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		pop	esp
		add	[ebx+0], ah
		outsd

loc_8C14EB:				; CODE XREF: PAGE:008C1476j
		add	[esi+0], ch
		add	fs:[edx+0], dh
		jbe	short $+2
; 
		db 2 dup(0)
; 

??_C@_0DO@JHBFNICF@?$CK?$CK?$CK?5MUI?3?5Can?8t?5copy?5language?5na@NNGAKEGL@:
					; DATA XREF: ExpSetPendingUILanguage+BAC77o
		sub	ch, [edx]
		sub	ah, [eax]
		dec	ebp
		push	ebp
		dec	ecx
		cmp	ah, [eax]
		inc	ebx
		popa
		outsb
		daa
		jz	short loc_8C1525
		arpl	[edi+70h], bp
		jns	short near ptr loc_8C1527+3
		insb
		popa
		outsb
		db	67h
		jnz	near ptr 1571h
		and	gs:[bp+61h], ch
		insd
		and	gs:[esi+6Fh], ah
		jb	short loc_8C153C
		dec	esp
		popa
		outsb
		db	67h
		jnz	near ptr 1583h
		db	67h, 65h
		inc	ebx

loc_8C1525:				; CODE XREF: PAGE:008C1503j
		outsd
		outsb

loc_8C1527:				; CODE XREF: PAGE:008C1508j
		imul	sp, [edi+20h], 7469h
		db	65h
		insd
; 
		db 20h
		dd 0A5325h
??_C@_1EG@MFPCCJEE@?$AAe?$AAx?$AAt?$AA?9?$AAm?$AAs?$AA?9?$AAw?$AAi?$AAn?$AA?9?$AAs?$AAe?$AAs?$AAs@NNGAKEGL@ dd offset loc_780060+5
					; DATA XREF: ExIsMultiSessionSku+25o
		dd 2D0074h
; 

loc_8C153C:				; CODE XREF: PAGE:008C151Aj
		insd
		add	[ebx+0], dh
		sub	eax, 69007700h
		add	[esi+0], ch
		sub	eax, 65007300h
		add	[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		sub	eax, 74007700h
		add	[ebx+0], dh
		popa
		add	[eax+0], dh
		imul	eax, [eax], 320033h
		sub	eax, 31006C00h
		add	ds:2D003100h, ch
		add	[eax], dh
; 
		db 0
		db 2 dup(0)
??_C@_1DA@LMDDKGAG@?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr?$AAO?$AAf?$AAI?$AAn?$AAi?$AAt?$AAi?$AAa?$AAl@NNGAKEGL@ dd offset loc_75004D+1
					; DATA XREF: ExpGetNumberOfInitialSessionsFromRegistry(x)+29o
		dw 6Dh
aBerofinitialse:
		unicode	0, <berOfInitialSessions>,0

;  S U B	R O U T	I N E 


??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@ proc near
					; DATA XREF: ExpGetNumberOfInitialSessionsFromRegistry(x)+33o
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@ endp

		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CM@BIAGPLBJ@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAE?$AAx?$AAp?$AAi?$AAr?$AAa?$AAt?$AAi@NNGAKEGL@:
					; DATA XREF: ExGetExpirationDate+42o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	ds:78004500h, ch
		add	[eax+0], dh
		imul	eax, [eax], 610072h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1BI@INEKAINN@?$AAl?$AAo?$AAc?$AA2?$AA0?$AA0?$AA8?$AA?4?$AAn?$AAl?$AAs@NNGAKEGL@:
					; DATA XREF: ExpGetGlobalLocaleSection+17978Eo
		insb
		add	[edi+0], ch
		arpl	[eax], ax
		xor	al, [eax]
		xor	[eax], al
		xor	[eax], al
		cmp	[eax], al
		add	cs:[esi+0], ch
		insb
		add	[ebx+0], dh
; 
		db 2 dup(0)
; 

; void ??_C
??_C@_1CM@JIIAJDGD@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@:
					; DATA XREF: ExpGetGlobalLocaleSection+1797A3o
					; ApiSetpConstructPathToExtension:loc_A13545o
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		pop	esp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1EK@PAILGCFE@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?4?$AAf?$AAi?$AAr?$AAm?$AAw@NNGAKEGL@:
					; DATA XREF: ExpFirmwareAccessAppContainerCheck(x)+6Do
		dec	ebp
		add	[ecx+0], ch
		arpl	[eax], ax
		jb	short $+2
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		add	cs:[esi+0], ah
		imul	eax, [eax], 6D0072h
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[edx+0], dl
		add	gs:[ecx+0], ah
		add	fs:[edi+0], bl
		arpl	[eax], ax
		ja	short $+2
		xor	eax, 31006E00h
		add	[eax+0], ch
		xor	al, [eax]
		jz	short $+2
		js	short $+2
		jns	short $+2
		add	gs:[edi+0], dh
		jns	short $+2
; 
		dw 0
??_C@_1EM@LIJBLPKM@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?4?$AAf?$AAi?$AAr?$AAm?$AAw@NNGAKEGL@:
					; DATA XREF: ExpFirmwareAccessAppContainerCheck(x)+9Ao
		unicode	0, <Microsoft.firmwareWrite_cw5n1h2txyewy>,0
??_C@_1O@JECJKAGA@?$AAs?$AAm?$AAb?$AAi?$AAo?$AAs@NNGAKEGL@:
					; DATA XREF: ExpFirmwareAccessAppContainerCheck(x)+3Bo
		unicode	0, <smbios>,0
; 

??_C@_1BI@LBNGELID@?$AAB?$AAo?$AAo?$AAt?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@NNGAKEGL@:
					; DATA XREF: NtQueryBootOptions(x,x)+160o
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+43h], dh
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BC@HGEHGBBD@?$AAB?$AAo?$AAo?$AAt?$AAN?$AAe?$AAx?$AAt@NNGAKEGL@:
					; DATA XREF: NtQueryBootOptions(x,x)+1AEo
					; NtSetBootOptions(x,x)+15Ao ...
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+4Eh], dh
		add	[ebp+0], ah
		js	short $+2
		jz	short $+2
; 
		dw 0
??_C@_1BE@CHCFCNKI@?$AAB?$AAo?$AAo?$AAt?$AAO?$AAr?$AAd?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: NtQueryBootEntryOrder(x,x)+112o
					; NtSetBootEntryOrder(x,x)+12Co
		unicode	0, <BootOrder>,0
; 

??_C@_1BA@BKONPLFM@?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@NNGAKEGL@:
					; DATA XREF: NtQueryBootOptions(x,x)+F7o
					; NtSetBootOptions(x,x)+139o ...
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dw 0
??_C@_1BC@HAMKBGJJ@?$AAB?$AAo?$AAo?$AAt?$AA?$CF?$AA0?$AA4?$AAx@NNGAKEGL@:
					; DATA XREF: ExpSetBootEntry(x,x,x)+40Ao
					; ExpSetBootEntry(x,x,x)+50Ao ...
		unicode	0, <Boot%04x>,0
; char ??_C[]
??_C@_07LHJOABLP@WINDOWS@NNGAKEGL@ db 'WINDOWS',0 ; DATA XREF: ExpSetBootEntry(x,x,x)+18Fo
					; NtEnumerateBootEntries(x,x)+3D6o ...
; 

; wchar_t ??_C
??_C@_1BA@BMJDNNAL@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA_@NNGAKEGL@:
					; DATA XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+1A2o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], bl
; 
		db 2 dup(0)
; 

??_C@_1BC@NAPILJKH@?$AAB?$AAo?$AAo?$AAt?$AA?$CF?$AA0?$AA4?$AAX@NNGAKEGL@:
					; DATA XREF: ExpSetBootEntry(x,x,x)+44Do
					; ExpSetBootEntry(x,x,x)+4BFo ...
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+25h], dh
		add	[eax], dh
		add	[eax+eax], dh
		pop	eax
; 
		db 3 dup(0)
??_C@_19HGGOABND@?$AA?$CF?$AA0?$AA8?$AAx@NNGAKEGL@:
					; DATA XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)+FCo
		unicode	0, <%08x>,0
; 

??_C@_1DC@LDEPDMGP@?$AA?9?$AA?$CF?$AA0?$AA8?$AAx?$AA?9?$AA?$CF?$AA0?$AA1?$AA6?$AAI?$AA6?$AA4?$AAx?$AA?9@NNGAKEGL@:
					; DATA XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)+145o
		sub	eax, 30002500h
		add	[eax], bh
		add	[eax+0], bh
		sub	eax, 30002500h
		add	[ecx], dh
		add	[esi], dh
		add	[ecx+0], cl
		add	ss:[eax+eax], dh
		js	short $+2
		sub	eax, 30002500h
		add	[ecx], dh
		add	[esi], dh
		add	[ecx+0], cl
		add	ss:[eax+eax], dh
		js	short $+2
		sub	[eax], eax
; 
		dw 0
??_C@_1BG@LICCKJDG@?$AAs?$AAi?$AAg?$AAn?$AAa?$AAt?$AAu?$AAr?$AAe?$AA?$CI@NNGAKEGL@:
					; DATA XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x):loc_A08378o
					; ExpParseArcPathName(x,x,x,x,x)+3Do
		unicode	0, <signature(>,0
; 

??_C@_1BE@HOPMDIJK@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2@NNGAKEGL@:
					; DATA XREF: SiGetBootDeviceName+CAo
					; ExpConvertArcName(x,x,x,x,x,x):loc_A07C7Bo ...
		pop	esp
		add	[ecx+0], al
		jb	short $+2
		arpl	[eax], ax
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
		pop	esp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BG@IKNMHBCC@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?$CF?$AA0?$AA4?$AAx@NNGAKEGL@:
					; DATA XREF: ExpSetDriverEntry(x,x,x)+2BBo
					; ExpSetDriverEntry(x,x,x)+3BBo ...
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		and	eax, 34003000h
		add	[eax+0], bh
; 
		dw 0
; wchar_t ??_C
??_C@_1EC@CDJBOKNM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@NNGAKEGL@:
					; DATA XREF: ExpConvertSignatureName(x,x,x,x,x,x)+19Fo
					; ExpTranslateEfiPath(x,x,x,x)+25Do ...
		unicode	0, <\Device\Harddisk%lu\Partition%lu>,0
; 

??_C@_1BI@PDMCFEDG@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAO?$AAr?$AAd?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: NtQueryDriverEntryOrder(x,x)+112o
					; NtSetDriverEntryOrder(x,x)+12Co
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		dec	edi
		add	[edx+0], dh
		add	fs:[ebp+0], ah
		jb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BG@CKOONOBM@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?$CF?$AA0?$AA4?$AAX@NNGAKEGL@:
					; DATA XREF: ExpSetDriverEntry(x,x,x)+2FEo
					; ExpSetDriverEntry(x,x,x)+370o ...
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		and	eax, 34003000h
		add	[eax+0], bl
; 
		dw 0
; 

??_C@_1BC@OAEIEHDI@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: ExpFindArcName(x,x):loc_A084F3o
		pop	esp
		add	[ecx+0], al
		jb	short $+2
		arpl	[eax], ax
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
; 
		db 2 dup(0)
; 

??_C@_1DO@MBBMDLHJ@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@NNGAKEGL@:
					; DATA XREF: ExpFindDiskSignature(x,x,x,x,x,x)+96o
					; ExpGetDriveGeometry(x,x)+3Co
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	[eax+0], cl
		popa
		add	[edx+0], dh
		add	fs:[eax+eax+69h], ah
		add	[ebx+0], dh
		imul	eax, [eax], 25h
		add	[eax+eax+75h], ch
		add	[eax+eax+50h], bl
		add	[ecx+0], ah
		jb	short $+2
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
		xor	[eax], al
; 
		dw 0
??_C@_1BK@FCNHCKCD@?$AAI?$AAo?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd?$AAp?$AAo?$AAo?$AAl@NNGAKEGL@:
					; DATA XREF: ExpIoPoolDeadlockWorker(x)+19o
		unicode	0, <IoThreadpool>,0
; 

; void ??_C
??_C@_1JK@FPNBIBFK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: ExpUuidLoadSequenceNumber(x)+5Eo
					; ExpUuidSaveSequenceNumber(x)+63o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebp+0], al
		js	short $+2
		add	gs:[ebx+0], ah
		jnz	short $+2
		jz	short $+2
		imul	eax, [eax], 650076h
; 
		dw 0
; 

??_C@_1CA@FGPEOOAL@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi?$AAv?$AAe@NNGAKEGL@:
					; DATA XREF: ExpUuidLoadSequenceNumber(x)+64o
					; ExpUuidSaveSequenceNumber(x)+69o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[ebp+0], al
		js	short $+2
		add	gs:[ebx+0], ah
		jnz	short $+2
		jz	short $+2
		imul	eax, [eax], 650076h
; 
		dw 0
; 

??_C@_17EOAFFENH@?$AAp?$AAc?$AAw@NNGAKEGL@: ; DATA XREF: ExpPcwDisabledStatus()+5Ao
		jo	short $+2
		arpl	[eax], ax
		ja	short $+2
; 
		dw 0
; char ??_C[]
??_C@_0DO@LNDAPJAM@COV?3?5Max?5paged?5pool?5size?5?$CI?$CFu?$CJ?5r@NNGAKEGL@ db	'COV: Max paged pool size (%u) reached, coverage lost for %wZ',0Ah,0
					; DATA XREF: ExpCovCreateUnloadedModuleEntry(x)+B2o
; 

??_C@_0DI@BMJCJOBG@COV?3?5Entry?5created?5for?5?$CFwZ?5in?5E@NNGAKEGL@:
					; DATA XREF: ExpCovCreateUnloadedModuleEntry(x)+1A2o
		inc	ebx
		dec	edi
		push	esi
		cmp	ah, [eax]
		inc	ebp
		outsb
		jz	short near ptr loc_8C1A38+1
		jns	short near ptr loc_8C19E7+2
		arpl	[edx+65h], si
		popa
		jz	short loc_8C1A34
		and	fs:[esi+6Fh], ah
		jb	short near ptr loc_8C19F1+4
		and	eax, 69205A77h
		outsb
		and	[ebp+78h], al
		jo	short loc_8C1A23
		outsd
		jbe	short loc_8C1A38
		outsb
		insb
		outsd
		popa

loc_8C19E7:				; CODE XREF: PAGE:008C19C7j
		db	64h, 65h, 64h
		dec	ebp
		outsd
		db	64h
		jnz	short loc_8C1A5B
		db	65h
		dec	esp

loc_8C19F1:				; CODE XREF: PAGE:008C19D3j
					; DATA XREF: ExpCovCreateUnloadedModuleEntry(x)+2Fo ...
		imul	esi, [ebx+74h],	4F43000Ah
		push	esi
		cmp	ah, [eax]
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		imul	ebp, [edi+6Eh],	69616620h
		insb
		jnz	short near ptr loc_8C1A7C+2
		db	65h
		and	cs:[ecx+74h], al
		popa
		and	[esi+6Fh], ah
		jb	short loc_8C1A38
		and	eax, 6D205A77h
		popa
		jns	short loc_8C1A40
		bound	esp, [ebp+20h]

loc_8C1A23:				; CODE XREF: PAGE:008C19DEj
		insb
		outsd
		jnb	short loc_8C1A9B
		or	al, [eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0DI@KOLBMLLB@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@:
					; DATA XREF: ExpCovCreateUnloadedModuleEntry(x):loc_A0D95Ao
		inc	ebx
		dec	edi
		push	esi
		cmp	ah, [eax]
		dec	edi
		jbe	short loc_8C1A97
		jb	short near ptr loc_8C1A99+1

loc_8C1A34:				; CODE XREF: PAGE:008C19CDj
		insb
		outsd
		ja	short loc_8C1A58

loc_8C1A38:				; CODE XREF: PAGE:008C19E1j
					; PAGE:008C1A16j ...
		ja	short near ptr loc_8C1AA0+2
		outs	dx, byte ptr gs:[esi]
		and	[ebx+61h], ah
		insb

loc_8C1A40:				; CODE XREF: PAGE:008C1A1Ej
		arpl	[ebp+6Ch], si
		popa
		jz	short near ptr loc_8C1AAD+2
		outsb
		and	[bx+si+61h], dh
		db	65h
		and	fs:[bx+si+6Fh],	dh
		outsd
		insb
		and	[ebx+69h], dh
		jp	short near ptr loc_8C1ABB+2

loc_8C1A58:				; CODE XREF: PAGE:008C1A36j
		and	[esi+6Fh], ah

loc_8C1A5B:				; CODE XREF: PAGE:008C19ECj
		jb	short near ptr loc_8C1A7C+1
		and	eax, 0A5A77h

; char ??_C
??_C@_0DD@CDEHOJBL@COV?3?5Malformed?5coverage?5section@NNGAKEGL@:
					; DATA XREF: ExpCovGetSectionInfo+B1AA6o
		inc	ebx
		dec	edi
		push	esi
		cmp	ah, [eax]
		dec	ebp
		popa
		insb
		outsw
		jb	short loc_8C1ADB
		db	65h
		and	fs:[ebx+6Fh], ah
		jbe	short near ptr loc_8C1AD9+1
		jb	short loc_8C1AD8
		and	gs:[bp+di+65h],	dh

loc_8C1A7C:				; CODE XREF: PAGE:loc_8C1A5Bj
					; PAGE:008C1A0Aj
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		and	[ecx+74h], ah
		and	[ecx+6Dh], cl
		popa
		db	67h, 65h
		inc	edx
		popa
		jnb	short near ptr loc_8C1AF2+1
		and	[eax], dh
		js	short near ptr loc_8C1AB5+2
		jo	short loc_8C1A9E
		add	ah, cl

; char ??_C
??_C@_0DM@MMGIBEFD@COV?3?5Stored?5coverage?5section?5in@NNGAKEGL@:
					; DATA XREF: ExCovAddInfoToLoaderEntry+B1937o
		inc	ebx

loc_8C1A97:				; CODE XREF: PAGE:008C1A30j
		dec	edi
		push	esi

loc_8C1A99:				; CODE XREF: PAGE:008C1A32j
		cmp	ah, [eax]

loc_8C1A9B:				; CODE XREF: PAGE:008C1A25j
		push	ebx
		jz	short loc_8C1B0D

loc_8C1A9E:				; CODE XREF: PAGE:008C1A92j
		jb	short loc_8C1B05

loc_8C1AA0:				; CODE XREF: PAGE:loc_8C1A38j
		and	fs:[ebx+6Fh], ah
		jbe	short near ptr loc_8C1B0A+1
		jb	short near ptr loc_8C1B05+4
		and	gs:[bp+di+65h],	dh

loc_8C1AAD:				; CODE XREF: PAGE:008C1A44j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		and	[ecx+6Eh], ch

loc_8C1AB5:				; CODE XREF: PAGE:008C1A90j
		and	[eax+73h], dl
		dec	esp
		outsd
		popa

loc_8C1ABB:				; CODE XREF: PAGE:008C1A56j
		db	64h, 65h, 64h
		dec	ebp
		outsd
		db	64h
		jnz	short loc_8C1B2F
		db	65h
		dec	esp
		imul	esi, [ebx+74h],	20746120h
		xor	[eax+25h], bh
		jo	short loc_8C1ADB
		add	[ebx+4Fh], al	; DATA XREF: ExpCovReadFriendlyName(x,x,x)+22o
		push	esi
		cmp	ah, [eax]
		dec	ecx

loc_8C1AD8:				; CODE XREF: PAGE:008C1A75j
		outsb

loc_8C1AD9:				; CODE XREF: PAGE:008C1A73j
		jnb	short loc_8C1B4F

loc_8C1ADB:				; CODE XREF: PAGE:008C1A6Cj
					; PAGE:008C1ACFj
		jb	short near ptr loc_8C1B4F+3
		insd
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_8C1B3F+4
		jz	short loc_8C1B4D
		outsd
		outsb
		and	[esi+65h], dl
		jb	short near ptr ??_C@_0EH@MPAFNILB@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@+0Ah
		imul	ebp, [edi+6Eh],	6C752520h

loc_8C1AF2:				; CODE XREF: PAGE:008C1A8Cj
		and	[ecx+73h], ch
		and	[esi+6Fh], ch
		jz	short near ptr loc_8C1B18+2
		jns	short near ptr ??_C@_0EH@MPAFNILB@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@+0Dh
		jz	short loc_8C1B1E
		jnb	short near ptr ??_C@_0EH@MPAFNILB@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@+21h
		jo	short near ptr ??_C@_0EH@MPAFNILB@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@+1Eh
		outsd
		jb	short near ptr ??_C@_0EH@MPAFNILB@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@+25h

loc_8C1B05:				; CODE XREF: PAGE:loc_8C1A9Ej
					; PAGE:008C1AA6j
		db	65h
		and	fs:[ecx+6Eh], ch

loc_8C1B0A:				; CODE XREF: PAGE:008C1AA4j
		and	[ebx+65h], ch

loc_8C1B0D:				; CODE XREF: PAGE:008C1A9Cj
		jb	short near ptr ??_C@_0EH@MPAFNILB@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@+29h
		db	65h
		insb
		and	[eax+65h], ch
		outsb
		arpl	[ebp+20h], sp

loc_8C1B18:				; CODE XREF: PAGE:008C1AF8j
		db	64h, 65h
		popaw
		jnz	short near ptr ??_C@_0EH@MPAFNILB@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@+36h

loc_8C1B1E:				; CODE XREF: PAGE:008C1AFCj
		jz	short near ptr ??_C@_0EH@MPAFNILB@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@+35h
		outsb
		and	[si+6Fh], dh
		and	[edx+69h], ah
		outsb
		popa
		jb	short near ptr ??_C@_0DO@OMLOAAAP@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@+9
		and	[esi+61h], ch

loc_8C1B2F:				; CODE XREF: PAGE:008C1AC0j
		insd
		and	gs:[ecx+6Eh], ch
		jnb	short near ptr ??_C@_0DO@OMLOAAAP@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@+0Eh
		db	65h
		popa
		and	fs:[edi+66h], ch
		and	[esi+72h], ah

loc_8C1B3F:				; CODE XREF: PAGE:008C1AE0j
		imul	esp, [ebp+6Eh],	20796C64h
		outsb
		popa
		insd
		and	gs:[esi+6Fh], ah

loc_8C1B4D:				; CODE XREF: PAGE:008C1AE2j
		jb	short near ptr ??_C@_0EH@MPAFNILB@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@+1Bh

loc_8C1B4F:				; CODE XREF: PAGE:loc_8C1AD9j
					; PAGE:loc_8C1ADBj
		and	eax, 0A5A77h
; 
; char ??_C[]
??_C@_0EH@MPAFNILB@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@ db 'COV: Overflow when calculating RequiredLengthForCurrentModule for'
					; CODE XREF: PAGE:008C1AE9j
					; PAGE:008C1AFAj
					; DATA XREF: ...
		db ' %wZ',0Ah,0
		align 4
; char ??_C[]
??_C@_0DO@OMLOAAAP@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@ db 'COV: Overflow when calculating total required length for %wZ',0Ah,0
					; CODE XREF: PAGE:008C1B2Aj
					; PAGE:008C1B34j
					; DATA XREF: ...
; 

; char ??_C
??_C@_0CJ@HJBHOMNE@COV?3?5Entry?5for?5same?5versioned?5?$CF@NNGAKEGL@:
					; DATA XREF: MiUnloadSystemImage+14B64Bo
					; MiUnloadSystemImage+14B7F7o ...
		inc	ebx
		dec	edi
		push	esi
		cmp	ah, [eax]
		inc	ebp
		outsb
		jz	short near ptr loc_8C1C52+3
		jns	short loc_8C1C05
		outsw
		jb	short loc_8C1C09
		jnb	short near ptr loc_8C1C4A+2
		insd
		and	gs:[esi+65h], dh
		jb	short near ptr loc_8C1C63+2
		imul	ebp, [edi+6Eh],	25206465h
		ja	short near ptr loc_8C1C52+3
		and	[esi+6Fh], ah
		jnz	short near ptr loc_8C1C6D+1
		or	al, fs:[eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0CO@HLOHHDKP@COV?3?5Entry?5for?5different?5versio@NNGAKEGL@:
					; DATA XREF: MiUnloadSystemImage+14B693o
					; MiUnloadSystemImage+14B874o ...
		inc	ebx

loc_8C1C05:				; CODE XREF: PAGE:008C1BE3j
		dec	edi
		push	esi
		cmp	ah, [eax]

loc_8C1C09:				; CODE XREF: PAGE:008C1BE7j
		inc	ebp
		outsb
		jz	short near ptr ??_C@_1CC@IEGFOIJJ@?$AAC?$AAM?$AAF?$AAL?$AAa?$AAs?$AAt?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT?$AAi?$AAm@NNGAKEGL@+3
		jns	short loc_8C1C2F
		outsw
		jb	short loc_8C1C33
		imul	esp, fs:[esi+66h], 6E657265h
		jz	short near ptr loc_8C1C3C+1
		jbe	short near ptr ??_C@_1CC@IEGFOIJJ@?$AAC?$AAM?$AAF?$AAL?$AAa?$AAs?$AAt?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT?$AAi?$AAm@NNGAKEGL@+8
		jb	short near ptr ??_C@_1CC@IEGFOIJJ@?$AAC?$AAM?$AAF?$AAL?$AAa?$AAs?$AAt?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT?$AAi?$AAm@NNGAKEGL@+18h
		imul	ebp, [edi+6Eh],	25206465h
		ja	short near ptr ??_C@_1CC@IEGFOIJJ@?$AAC?$AAM?$AAF?$AAL?$AAa?$AAs?$AAt?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT?$AAi?$AAm@NNGAKEGL@+8
		and	[esi+6Fh], ah
		jnz	short near ptr ??_C@_1CC@IEGFOIJJ@?$AAC?$AAM?$AAF?$AAL?$AAa?$AAs?$AAt?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT?$AAi?$AAm@NNGAKEGL@+21h

loc_8C1C2F:				; CODE XREF: PAGE:008C1C0Dj
		or	al, fs:[eax]

; char ??_C
??_C@_0DA@CJCIDJGH@ExpKdPullRemoteFileForUser?3?5Pul@NNGAKEGL@:
					; DATA XREF: ExpKdPullRemoteFileForUser(x)+407o
		inc	ebp

loc_8C1C33:				; CODE XREF: PAGE:008C1C11j
		js	short near ptr loc_8C1CA3+2
		dec	ebx
		db	64h
		push	eax
		jnz	short loc_8C1CA6
		insb
		push	edx

loc_8C1C3C:				; CODE XREF: PAGE:008C1C1Bj
		db	65h
		insd
		outsd
		jz	short loc_8C1CA6
		inc	esi
		imul	ebp, [ebp+46h],	7355726Fh

loc_8C1C4A:				; CODE XREF: PAGE:008C1BE9j
		db	65h
		jb	short near ptr ??_C@_1CC@IEGFOIJJ@?$AAC?$AAM?$AAF?$AAL?$AAa?$AAs?$AAt?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT?$AAi?$AAm@NNGAKEGL@+0Bh
		and	[eax+75h], dl
		insb
		insb

loc_8C1C52:				; CODE XREF: PAGE:008C1BE1j
					; PAGE:008C1BF9j
		db	65h
		and	fs:66205A77h, ah
		jb	short loc_8C1CCB
		insd
		and	[ebx+64h], ch
		or	al, [eax]

??_C@_1BK@GCJNNPH@?$AAC?$AAM?$AAF?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: CMFRegisterEventTime(x):loc_A1080Fo
					; CMFRegisterEventTime(x):loc_A10823o
		inc	ebx

loc_8C1C63:				; CODE XREF: PAGE:008C1BF0j
		add	[ebp+0], cl
		inc	esi
		add	[ebx+0], dl
		jz	short $+2
		popa

loc_8C1C6D:				; CODE XREF: PAGE:008C1BFEj
		add	[edx+0], dh
		jz	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dw 0
??_C@_1CC@IEGFOIJJ@?$AAC?$AAM?$AAF?$AAL?$AAa?$AAs?$AAt?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT?$AAi?$AAm@NNGAKEGL@:
					; CODE XREF: PAGE:008C1C0Bj
					; PAGE:008C1C1Dj ...
		unicode	0, <CMFLastStartTime>,0
; 

??_C@_1HO@HPCDOJBK@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@:
					; DATA XREF: CMFRegisterEventTime(x)+1Eo
		pop	esp
		add	[edx+0], dl
		inc	ebp

loc_8C1CA3:				; CODE XREF: PAGE:loc_8C1C33j
		add	[edi+0], al

loc_8C1CA6:				; CODE XREF: PAGE:008C1C38j
					; PAGE:008C1C3Fj
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl

loc_8C1CCB:				; CODE XREF: PAGE:008C1C5Aj
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], al
		dec	ebp
		add	[esi+0], al
		pop	esp
		add	[ebx+0], dl
		jno	short $+2
		insd
		add	[eax+eax+61h], al
		add	[eax+eax+61h], dh
; 
		db 3 dup(0)
; 

; wchar_t ??_C
??_C@_1DA@KEPEHAO@?$AA?$CF?$AAs?$AA?2?$AAr?$AAc?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AAs?$AAe?$AAg?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: CMFSystemThreadRoutine(x)+F4o
		and	eax, 5C007300h
		add	[edx+0], dh
		arpl	[eax], ax
		and	eax, 34003000h
		add	[ebp+0], dh
		pop	esp
		add	[ebx+0], dh
		add	gs:[edi+0], ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+25h], dh
		add	[ebp+0], dh
		add	cs:[ebx+0], ah
		insd
		add	[esi+0], ah
; 
		dw 0
; 

; wchar_t ??_C
??_C@_1CO@FCIFCGHL@?$AA?$CF?$AAs?$AA?2?$AAr?$AAc?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AAr?$AAe?$AAs?$AAc?$AAa@NNGAKEGL@:
					; DATA XREF: CMFFlushHitsFile(x,x)+C3o
					; CMFSystemThreadRoutine(x)+124o
		and	eax, 5C007300h
		add	[edx+0], dh
		arpl	[eax], ax
		and	eax, 34003000h
		add	[ebp+0], dh
		pop	esp
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		arpl	[eax], ax
		popa
		add	[ebx+0], ah
		push	2E006500h
		add	[eax+0], ch
		imul	eax, [eax], 74h

??_C@_1CO@CAEBGMOI@?$AA?$CF?$AAs?$AA?2?$AAr?$AAc?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AAr?$AAe?$AAs?$AAc?$AAa@NNGAKEGL@:
					; DATA XREF: CMFSystemThreadRoutine(x)+9Do
		and	eax, 5C007300h
		add	[edx+0], dh
		arpl	[eax], ax
		and	eax, 34003000h
		add	[ebp+0], dh
		pop	esp
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		arpl	[eax], ax
		popa
		add	[ebx+0], ah
		push	2E006500h
		add	[eax+eax+69h], ah
		add	[edx+0], dh
; 
		dw 0
??_C@_1BI@OHJGJLDO@?$AAC?$AAM?$AAF?$AAS?$AAt?$AAo?$AAp?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: CMFRegisterEventTime(x):loc_A10808o
		unicode	0, <CMFStopTime>,0
??_C@_1CK@DHBGEEEI@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAR?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: CMFFlushHitsFile(x,x)+BEo
					; CMFSystemThreadRoutine(x)+98o ...
		unicode	0, <\SystemRoot\Rescache>,0

;  S U B	R O U T	I N E 


??_C@_1CA@HHFNNGD@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@	proc near
					; DATA XREF: CMFRegisterEventTime(x):loc_A10886o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
		push	esp
		add	[ecx+0], ch
		insd
??_C@_1CA@HHFNNGD@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@	endp

		add	[ebp+0], ah
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1CI@GJIDLDKO@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAL?$AAa?$AAs?$AAt?$AAS?$AAt?$AAa?$AAr?$AAt@NNGAKEGL@ proc near
					; DATA XREF: CMFRegisterEventTime(x)+16Do
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		dec	esp
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
		push	esp
		add	[ecx+0], ch
		insd
??_C@_1CI@GJIDLDKO@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAL?$AAa?$AAs?$AAt?$AAS?$AAt?$AAa?$AAr?$AAt@NNGAKEGL@ endp

		add	[ebp+0], ah
; 
		db 2 dup(0)
; 

; void ??_C
??_C@_1DE@CEBLELHA@?$AA_?$AAC?$AAl?$AAa?$AAs?$AAs?$AAe?$AAs?$AA?2?$AAN?$AAo?$AAt?$AAi?$AAf?$AAi@NNGAKEGL@:
					; DATA XREF: ExpWnfGetPermanentPerUserDataStoreHandle(x,x)+A7o
		pop	edi
		add	[ebx+0], al
		insb
		add	[ecx+0], ah
		jnb	short $+2
		jnb	short $+2
		add	gs:[ebx+0], dh
		pop	esp
		add	[esi+0], cl
		outsd
		add	[eax+eax+69h], dh
		add	[esi+0], ah
		imul	eax, [eax], 610063h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
; 
		db 0
		db 2 dup(0)
??_C@_0BO@GODKNNIN@RemoveErrorSourceDeviceDriver@NNGAKEGL@ db 'RemoveErrorSourceDeviceDriver',0
					; DATA XREF: WheaRemoveErrorSourceDeviceDriver(x)+80o
; 

??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@NNGAKEGL@:
					; DATA XREF: WheapCommitPolicy()+5Eo
		push	edi
		add	[eax+0], cl
		inc	ebp
		add	[ecx+0], al
		pop	esp
		add	[eax+0], dl
		outsd
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		jns	short $+2
; 
		dw 0
; 

??_C@_19MBPIHHGH@?$AAW?$AAH?$AAE?$AAA@NNGAKEGL@:
					; DATA XREF: LkmdTelCreateReport(x,x,x,x,x,x)+7Do
		push	edi
		add	[eax+0], cl
		inc	ebp
		add	[ecx+0], al
; 
		db 2 dup(0)
; 

??_C@_1LE@LDGAKFIO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: ApiSetpOpenSchemaExtensionsRootNode+1Ao
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ecx+0], al
		jo	short $+2
		imul	eax, [eax], 650053h
		jz	short $+2
		push	ebx
		add	[ebx+0], ah
		push	6D006500h
		add	[ecx+0], ah
		inc	ebp
		add	[eax+0], bh
		jz	short $+2
		add	gs:[esi+0], ch
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		db 2 dup(0)
; 

; char ??_C
??_C@_07LICFLFBF@?4apiset@NNGAKEGL@:	; DATA XREF: ApiSetpFindImageSection+26o
		db	2Eh
		popa
		jo	short near ptr loc_8C1FC4+3
		jnb	short near ptr loc_8C1FC4+1
		jz	short $+2

??_C@_1JG@FCMCEFGE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: KIsUnlockSettingEnabled+4Bo
					; KIsUnlockSettingEnabled+97o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		dec	edi
		add	[esi+0], al
		push	esp
		add	[edi+0], dl
		inc	ecx
		add	[edx+0], dl
		inc	ebp
		add	[eax+eax+4Dh], bl
		add	[ecx+0], ch
		arpl	[eax], ax
		jb	short $+2
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2

loc_8C1FC4:				; CODE XREF: PAGE:008C1F5Ej
					; PAGE:008C1F5Cj
		add	gs:[esi+0], ch
		jz	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		pop	esp
		add	[ecx+0], al
		jo	short $+2
		jo	short $+2
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], ah
		insb
		add	[ebp+0], dl
		outsb
		add	[eax+eax+6Fh], ch
		add	[ebx+0], ah
		imul	eax, [eax], 0
; 
		db 0
??_C@_1BO@MGAGFEKD@?$AAA?$AAp?$AAp?$AAM?$AAo?$AAd?$AAe?$AAl?$AAU?$AAn?$AAl?$AAo?$AAc?$AAk@NNGAKEGL@:
					; DATA XREF: KIsUnlockSettingEnabled+9Do
		unicode	0, <AppModelUnlock>,0
; 

??_C@_1EE@BPAKLPIP@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAD?$AAe?$AAv?$AAe?$AAl?$AAo?$AAp?$AAm?$AAe?$AAn@NNGAKEGL@:
					; DATA XREF: ExQueryFastCacheDevLicense+1Co
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[edi+0], ch
		ja	short $+2
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		add	gs:[eax+eax+6Fh], ch
		add	[eax+0], dh
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+57h], dh
		add	[ecx+0], ch
		jz	short $+2
		push	75006F00h
		add	[eax+eax+44h], dh
		add	[ebp+0], ah
		jbe	short $+2
		dec	esp
		add	[ecx+0], ch
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jnb	short $+2
		add	gs:[eax], al
		add	[ecx+0], al	; DATA XREF: KIsSideloadingEnabled(x)+49o
		insb
		add	[eax+eax+6Fh], ch
		add	[edi+0], dh
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[eax+eax+72h], dl
		add	[ebp+0], dh
		jnb	short $+2
		jz	short $+2
		add	gs:[eax+eax+41h], ah
		add	[eax+0], dh
		jo	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1HG@FBAFABN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: KIsUnlockSettingEnabled+2Ao
					; KIsSideloadingEnabled(x)+26o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		dec	edi
		add	[esi+0], al
		push	esp
		add	[edi+0], dl
		inc	ecx
		add	[edx+0], dl
		inc	ebp
		add	[eax+eax+50h], bl
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 730065h
		pop	esp
		add	[ebp+0], cl
		imul	eax, [eax], 720063h
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		pop	esp
		add	[ecx+0], al
		jo	short $+2
		jo	short $+2
		js	short $+2
; 
		dw 0
??_C@_1BK@IJBLJGGE@?$AAA?$AAp?$AAp?$AAx?$AAP?$AAo?$AAl?$AAi?$AAc?$AAi?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: KIsUnlockSettingEnabled+33o
					; KIsSideloadingEnabled(x)+40o
		unicode	0, <AppxPolicies>,0

;  S U B	R O U T	I N E 


??_C@_1EA@KEBBLPOF@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?9?$AAS?$AAP?$AAP?$AA?9?$AAG?$AAe@NNGAKEGL@ proc	near
					; DATA XREF: sub_787DE0+5EAo
					; SPCallServerHandleWaitForDisplayWindow+C9o
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
??_C@_1EA@KEBBLPOF@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?9?$AAS?$AAP?$AAP?$AA?9?$AAG?$AAe@NNGAKEGL@ endp

		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
		sub	eax, 50005300h
		add	[eax+0], dl
		sub	eax, 65004700h
		add	[esi+0], ch
		jnz	short $+2
		imul	eax, [eax], 65006Eh
		dec	esp
		add	[edi+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+53h], ch
		add	[eax+eax+61h], dh
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1O@HECGKAIN@?$AAS?$AAH?$AAA?$AA2?$AA5?$AA6@NNGAKEGL@: ; DATA XREF: sub_8820B8+35o
		push	ebx
		add	[eax+0], cl
		inc	ecx
		add	[edx], dh
		add	large ds:3600h,	dh
		add	[eax+0], cl	; DATA XREF: sub_A1AD6F+4Co
		popa
		add	[ebx+0], dh
		push	69004400h
		add	[edi+0], ah
		add	gs:[ebx+0], dh
		jz	short $+2
		dec	esp
		add	[ebp+0], ah
		outsb
		add	[edi+0], ah
		jz	short $+2
; 
		dw 68h
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@ proc near
					; DATA XREF: SdbReleaseDatabase+AF35Do

arg_38		= dword	ptr  40h

; FUNCTION CHUNK AT 008C2206 SIZE 00000027 BYTES
; FUNCTION CHUNK AT 008C224D SIZE 00000003 BYTES

		push	ebx
		inc	esp
		inc	edx
		and	[eax+61h], cl
		outsb
		db	64h
		insb
		and	gs:[ebx+6Fh], ah
		jnz	short near ptr loc_8C21FD+2
		jz	short loc_8C21B3
		ja	short loc_8C21F6
		jnb	short loc_8C21B7
		db	64h
		arpl	gs:[edx+65h], si
		insd
		outs	dx, byte ptr gs:[esi]
		jz	short loc_8C2206
		and	fs:[ecx+66h], ah
		jz	short near ptr loc_8C220A+2
		jb	short loc_8C21C9
		jp	short ??_C@_0BO@BKONLPA@Failed?5to?5get?5the?5database?5id@NNGAKEGL@
		jb	short near ptr loc_8C221A+2
		db	2Eh
		add	ah, cl

??_C@_0EE@JDBHMHFA@Attempt?5to?5release?5SDB?5handle?5t@NNGAKEGL@:
					; DATA XREF: SdbReleaseDatabase:loc_8FEB98o
		inc	ecx
		jz	short near ptr loc_8C2226+1

loc_8C21B3:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+Fj
		db	65h
		insd
		jo	short near ptr loc_8C2229+2

loc_8C21B7:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+13j
		and	[edi+ebp*2+20h], dh
		jb	short near ptr loc_8C2220+2
		insb
		db	65h
		popa
		jnb	short near ptr loc_8C2226+1
		and	[ebx+44h], dl
		inc	edx
		and	[eax+61h], ch

loc_8C21C9:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+25j
		outsb
		db	64h
		insb
		and	gs:[eax+ebp*2+61h], dh
		jz	short loc_8C21F3
		jnb	short near ptr loc_8C2248+1
		imul	ebp, [esp+ebp*2-20h+arg_38], 20736168h
		jnz	short loc_8C224D
		jb	short near ptr loc_8C2244+2
		insb
		db	65h
		popa
		jnb	short near ptr loc_8C224A+1
		and	fs:[ebp+esi*2+70h], ah
		insb
		imul	esp, [ebx+61h],	2E736574h

loc_8C21F3:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+4Fj
					; DATA XREF: SdbReleaseDatabase+Eo
		add	[ebp+6Eh], al

loc_8C21F6:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+11j
		jz	short near ptr loc_8C225A+3
		jb	short near ptr loc_8C2226+2
		add	ah, cl
??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BD@JBPJCCEK@SdbReleaseDatabase@NNGAKEGL@	proc near
					; DATA XREF: SdbReleaseDatabase+15o
		push	ebx

loc_8C21FD:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+Dj
		bound	edx, fs:[edx+65h]
??_C@_0BD@JBPJCCEK@SdbReleaseDatabase@NNGAKEGL@	endp

		insb
		db	65h
		popa
		jnb	short near ptr loc_8C2269+2
; START	OF FUNCTION CHUNK FOR ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@

loc_8C2206:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+1Dj
		inc	esp
		popa
		jz	short near ptr loc_8C2269+2

loc_8C220A:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+23j
		bound	esp, [ecx+73h]
		db	65h
		add	ah, cl

??_C@_0BO@BKONLPA@Failed?5to?5get?5the?5database?5id@NNGAKEGL@:
					; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+27j
					; DATA XREF: SdbGetDatabaseID:loc_8FD9A7o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h

loc_8C221A:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+29j
		db	67h, 65h
		jz	near ptr 223Eh
		jz	short loc_8C2288

loc_8C2220:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+39j
		and	gs:[ecx+74h], ah
		popa

loc_8C2226:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+2Fj
					; ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+3Ej	...
		bound	esp, [ecx+73h]

loc_8C2229:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+33j
		and	gs:[ecx+64h], ch
; END OF FUNCTION CHUNK	FOR ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@
; 
		db 0

;  S U B	R O U T	I N E 


??_C@_0CB@BBOOADBN@Failed?5to?5read?5database?5id?50x?$CFl@NNGAKEGL@ proc near
					; DATA XREF: SdbGetDatabaseID+AFDDEo
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr loc_8C2298+7
		popa
		and	fs:[ecx+74h], ah
		popa
		bound	esp, [ecx+73h]

loc_8C2244:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+5Dj
		and	gs:[ecx+64h], ch

loc_8C2248:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+51j
		and	[eax], dh

loc_8C224A:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+62j
		js	short near ptr loc_8C2270+1
		insb
??_C@_0CB@BBOOADBN@Failed?5to?5read?5database?5id?50x?$CFl@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@

loc_8C224D:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+5Bj
		js	short $+2
		int	3		; Trap to Debugger
; END OF FUNCTION CHUNK	FOR ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@

;  S U B	R O U T	I N E 


??_C@_0BH@OMOHPKII@Failed?5to?5get?5root?5tag@NNGAKEGL@	proc near
					; DATA XREF: SdbGetDatabaseID:loc_8FD99Bo
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h

loc_8C225A:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@:loc_8C21F6j
		db	67h, 65h
		jz	near ptr 227Eh
		jb	short near ptr loc_8C22CD+2
		outsd
		jz	short loc_8C2283
		jz	short near ptr loc_8C22C3+3
		db	67h
		add	ah, cl
??_C@_0BH@OMOHPKII@Failed?5to?5get?5root?5tag@NNGAKEGL@	endp


;  S U B	R O U T	I N E 


??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@ proc near
					; DATA XREF: SdbGetDatabaseID:loc_8FD9B1o
					; SdbGetDatabaseID+AFDE8o
		push	ebx

loc_8C2269:				; CODE XREF: PAGE:008C2204j
					; ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+86j
		bound	eax, fs:[edi+65h]
		jz	short near ptr loc_8C22B2+1
		popa

loc_8C2270:				; CODE XREF: ??_C@_0CB@BBOOADBN@Failed?5to?5read?5database?5id?50x?$CFl@NNGAKEGL@:loc_8C224Aj
		jz	short loc_8C22D3
		bound	esp, [ecx+73h]
		db	65h
		dec	ecx
		inc	esp
		add	ah, cl

??_C@_0BL@NBLFIGNK@Can?8t?5read?5database?5header@NNGAKEGL@:
					; DATA XREF: SdbpOpenDatabaseInMemory:loc_8FEA6Do
		inc	ebx
		popa
		outsb
		daa
		jz	short loc_8C22A0
		jb	short near ptr loc_8C22E6+1
		popa

loc_8C2283:				; CODE XREF: ??_C@_0BH@OMOHPKII@Failed?5to?5get?5root?5tag@NNGAKEGL@+11j
		and	fs:[ecx+74h], ah

loc_8C2288:				; CODE XREF: ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@+9Cj
		popa
		bound	esp, [ecx+73h]
		and	gs:[eax+65h], ch
		popa
		db	64h, 65h
		jb	short $+4
		int	3		; Trap to Debugger

??_C@_0CK@LKALPFJL@Failed?5to?5get?5database?5tag?0?5db?5@NNGAKEGL@:
					; DATA XREF: SdbGetDatabaseEdition:loc_8FE598o
		inc	esi
		popa

loc_8C2298:				; CODE XREF: ??_C@_0CB@BBOOADBN@Failed?5to?5read?5database?5id?50x?$CFl@NNGAKEGL@+Aj
		imul	ebp, [ebp+64h],	206F7420h

loc_8C22A0:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+16j
		db	67h, 65h
		jz	near ptr 22C4h
		db	64h
		popa
		jz	short near ptr loc_8C2308+1
		bound	esp, [ecx+73h]
		and	gs:[ecx+67h], dh
		sub	al, 20h

loc_8C22B2:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+5j
		bound	esp, fs:[eax]
		imul	esi, [ebx+20h],	72726F63h
		jnz	short near ptr loc_8C232C+2
		jz	short $+2

??_C@_0EO@JEMFMFJL@Trying?5to?5read?5mapped?5data?5past@NNGAKEGL@:
					; DATA XREF: SdbpGetMappedTagData+AFAD7o
		push	esp
		jb	short near ptr loc_8C233B+1

loc_8C22C3:				; CODE XREF: ??_C@_0BH@OMOHPKII@Failed?5to?5get?5root?5tag@NNGAKEGL@+13j
		imul	ebp, [esi+67h],	206F7420h
		jb	short near ptr loc_8C2330+1
		popa

loc_8C22CD:				; CODE XREF: ??_C@_0BH@OMOHPKII@Failed?5to?5get?5root?5tag@NNGAKEGL@+Ej
		and	fs:[ebp+61h], ch
		jo	short near ptr loc_8C2342+1

loc_8C22D3:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@:loc_8C2270j
		db	65h
		and	fs:[ecx+74h], ah
		popa
		and	[eax+61h], dh
		jnb	short loc_8C2353
		and	[eax+ebp*2+65h], dh
		and	[ebp+6Eh], ah

loc_8C22E6:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+18j
		and	fs:[edi+66h], ch
		and	[eax+ebp*2+65h], dh
		and	[ecx+74h], ah
		popa
		bound	esp, [ecx+73h]
		and	gs:[edi+66h], ch
		db	66h
		jnb	short near ptr loc_8C235F+3
		jz	short loc_8C231F
		xor	[eax+25h], bh
		js	short near ptr loc_8C2322+2
		jnb	short near ptr loc_8C236E+1
		jp	short near ptr loc_8C236C+1

loc_8C2308:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+3Ej
		and	[eax], dh
		js	short near ptr loc_8C2330+1
		js	short $+2

??_C@_0BC@HKOOPOLO@SdbpGetMappedData@NNGAKEGL@:	; DATA XREF: SdbpGetMappedTagData+AFAE1o
		push	ebx
		bound	esi, fs:[eax+47h]
		db	65h
		jz	short loc_8C2363
		popa
		jo	short loc_8C2389
		db	65h, 64h
		inc	esp
		popa
		jz	short loc_8C2380

loc_8C231F:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+95j
					; DATA XREF: SdbpReadMappedData+AF880o	...
		add	[ebx+64h], dl

loc_8C2322:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+9Aj
		bound	esi, [eax+52h]
		db	65h
		popa
		db	64h
		dec	ebp
		popa
		jo	short near ptr loc_8C239B+1

loc_8C232C:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+54j
		db	65h, 64h
		inc	esp
		popa

loc_8C2330:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+62j
					; ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+A2j
		jz	short near ptr loc_8C238F+4
		add	ah, cl

??_C@_0EN@ELOPGLPH@Attempt?5to?5read?5past?5the?5end?5of@NNGAKEGL@:
					; DATA XREF: SdbpReadMappedData+AF896o
		inc	ecx
		jz	short loc_8C23AB
		db	65h
		insd
		jo	short near ptr loc_8C23AE+1

loc_8C233B:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+59j
		and	[edi+ebp*2+20h], dh
		jb	short loc_8C23A6
		popa

loc_8C2342:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+69j
		and	fs:[eax+61h], dh
		jnb	short near ptr loc_8C23BB+1
		and	[eax+ebp*2+65h], dh
		and	[ebp+6Eh], ah
		and	fs:[edi+66h], ch

loc_8C2353:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+75j
		and	[eax+ebp*2+65h], dh
		and	[ecx+74h], ah
		popa
		bound	esp, [ecx+73h]

loc_8C235F:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+92j
		and	gs:[edi+66h], ch

loc_8C2363:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+ABj
		db	66h
		jnb	short loc_8C23CB
		jz	short near ptr loc_8C2387+1
		xor	[eax+25h], bh
		insb

loc_8C236C:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+9Ej
		js	short near ptr loc_8C238B+3

loc_8C236E:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+9Cj
		jnb	short loc_8C23D9
		jp	short loc_8C23D7
		and	[eax], dh
		js	short loc_8C239B
		insb
		js	short near ptr loc_8C2397+2
		sub	[eax], dh
		js	short near ptr loc_8C239F+3
		insb
		js	short near ptr loc_8C23A8+1

loc_8C2380:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+B5j
		add	ah, cl
??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@ proc near
					; DATA XREF: SdbpReadMappedData:loc_8FDE10o

arg_2BD		= dword	ptr  2C1h

		dec	edi
		db	66h, 66h
		jnb	short near ptr loc_8C23EA+2

loc_8C2387:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+FEj
		jz	short near ptr loc_8C23A8+1

loc_8C2389:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+AFj
		popa
		outsb

loc_8C238B:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@:loc_8C236Cj
		and	fs:[edx+65h], dh

loc_8C238F:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@:loc_8C2330j
		imul	ebp, [bx+6Eh], 7A697320h

loc_8C2397:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+10Fj
		and	gs:[ecx+64h], ah

loc_8C239B:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+10Cj
					; ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+C2j
		and	fs:[ebp+70h], dh

loc_8C239F:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+113j
		and	[edi+ebp*2+20h], dh
		arpl	[ecx+75h], sp

loc_8C23A6:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+D7j
		jnb	short near ptr loc_8C2406+7

loc_8C23A8:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+116j
					; ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C2387j
		and	[ecx+6Eh], ah

loc_8C23AB:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+CDj
		and	[ecx+6Eh], ch

loc_8C23AE:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+D1j
		jz	short loc_8C2415
		db	67h, 65h
		jb	near ptr 23D4h
		outsd
		jbe	short loc_8C241C
		jb	short near ptr loc_8C241C+3
		insb
		outsd

loc_8C23BB:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+DEj
		ja	short near ptr loc_8C23D9+4
		outsd
		jb	short near ptr loc_8C23D9+7
		jnz	short near ptr loc_8C242F+1
		db	64h, 65h
		jb	short near ptr loc_8C242A+2
		insb
		outsd
		ja	short $+2

??_C@_0BG@DGNFNDAB@SdbGetDatabaseEdition@NNGAKEGL@:
					; DATA XREF: SdbGetDatabaseEdition+AF2ECo
		push	ebx

loc_8C23CB:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@:loc_8C2363j
		bound	eax, fs:[edi+65h]
		jz	short loc_8C2415
		popa
		jz	short loc_8C2435
		bound	esp, [ecx+73h]

loc_8C23D7:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@+108j
		db	65h
		inc	ebp

loc_8C23D9:				; CODE XREF: ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@:loc_8C236Ej
					; ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C23BBj ...
		imul	esi, fs:[ecx+ebp*2+6Fh], 6146006Eh
		imul	ebp, [ebp+64h],	206F7420h

loc_8C23EA:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+1j
		arpl	[edx+65h], si
		popa
		jz	short loc_8C2455
		and	[esi+69h], ah
		insb
		and	gs:[ebp+61h], ch
		jo	short near ptr loc_8C2468+2
		imul	ebp, [esi+67h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0DD@LMDIBKL@Failed?5to?5open?5SDB?5?9?5File?5size?5@NNGAKEGL@:
					; DATA XREF: SdbOpenDatabaseEx(x,x,x,x):loc_A1E8D1o
		inc	esi
		popa

loc_8C2406:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C23A6j
		imul	ebp, [ebp+64h],	206F7420h
		outsd
		jo	short near ptr loc_8C2474+2
		outsb
		and	[ebx+44h], dl

loc_8C2415:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C23AEj
					; ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+4Dj
		inc	edx
		and	ds:6C694620h, ch

loc_8C241C:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+33j
					; ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+35j
		and	gs:[ebx+69h], dh
		jp	short loc_8C2487
		and	[edi+ebp*2+6Fh], dh
		and	[ecx+72h], ch

loc_8C242A:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+40j
		and	gs:[bx+72h], ch

loc_8C242F:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+3Ej
		and	[ebx+6Dh], dh
		popa
		insb
		insb

loc_8C2435:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+50j
		db	2Eh
		add	ah, cl

??_C@_0BC@OLOFFDGE@SdbOpenDatabaseEx@NNGAKEGL@:	; DATA XREF: SdbOpenDatabaseEx(x,x,x,x)+2Eo
					; SdbOpenDatabaseEx(x,x,x,x)+5Ao ...
		push	ebx
		bound	ecx, fs:[edi+70h]
		outs	dx, byte ptr gs:[esi]
		inc	esp
		popa
		jz	short ??_C@_0DJ@PJIHKOPL@MajorVersion?5mismatch?0?5MajorVer@NNGAKEGL@
		bound	esp, [ecx+73h]
		db	65h
		inc	ebp
		js	short $+2

??_C@_0CA@IINJBIKG@Failed?5to?5allocate?5DB?5structure@NNGAKEGL@:
					; DATA XREF: SdbpOpenDatabaseInMemory:loc_8FEA52o
					; SdbOpenDatabaseEx(x,x,x,x)+50o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		popa

loc_8C2455:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+6Cj
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		and	gs:[edx+eax*2+20h], al
		jnb	short loc_8C24D6
		jb	short near ptr loc_8C24D8+1
		arpl	[ebp+esi*2+72h], si

loc_8C2468:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+76j
					; DATA XREF: SdbpValidateAndApplyCompatFlags:loc_8FEA34o
		add	gs:[esi+61h], al
		imul	ebp, [ebp+64h],	206F7420h

loc_8C2474:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+8Dj
		db	67h, 65h
		jz	near ptr 2498h
		jz	short near ptr loc_8C24DF+3
		and	gs:[ecx+74h], ah
		popa
		bound	esp, [ecx+73h]
		and	gs:[ecx+44h], cl

loc_8C2487:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+9Ej
					; DATA XREF: SdbOpenDatabaseEx(x,x,x,x)+24o
		add	[esi+6Ch], al
		popa
		db	67h
		jnb	near ptr 24C8h
		and	eax, 44203B64h
		popa
		jz	short loc_8C24F7
		bound	esp, [ecx+73h]
		db	65h
		push	eax
		popa
		jz	short near ptr loc_8C2505+1
		cmp	ah, ds:0CC007377h

??_C@_0DJ@PJIHKOPL@MajorVersion?5mismatch?0?5MajorVer@NNGAKEGL@:
					; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+BFj
					; DATA XREF: SdbpValidateAndApplyCompatFlags+AF372o
		dec	ebp
		popa
		push	6Fh
		jb	short loc_8C2500
		db	65h
		jb	short near ptr loc_8C251D+3
		imul	ebp, [edi+6Eh],	73696D20h
		insd
		popa
		jz	short near ptr loc_8C2519+2
		push	614D202Ch
		push	6Fh
		jb	short near ptr loc_8C2516+1
		db	65h
		jb	short loc_8C2537
		imul	ebp, [edi+6Eh],	25783020h
		insb
		js	short loc_8C24EE
		inc	ebp
		js	short loc_8C2541
		arpl	gs:[ebp+64h], si

loc_8C24D6:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+DEj
		and	[eax], dh

loc_8C24D8:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+E0j
		js	short loc_8C24FF
		insb
		js	short $+2
		int	3		; Trap to Debugger

??_C@_0CA@NCGKJNJB@SdbpValidateAndApplyCompatFlags@NNGAKEGL@:
					; DATA XREF: SdbpValidateAndApplyCompatFlags+AF37Co
					; SdbpValidateAndApplyCompatFlags+AF3A6o
		push	ebx

loc_8C24DF:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+F6j
		bound	esi, fs:[eax+56h]
		popa
		insb
		imul	esp, [ecx+74h],	646E4165h
		inc	ecx

loc_8C24EE:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+14Aj
		jo	short near ptr loc_8C2559+7
		insb
		jns	short ??_C@_0BO@JBCGLKOO@Failed?5to?5allocate?5sdbcontext@NNGAKEGL@
		outsd
		insd
		jo	short near ptr loc_8C2556+2

loc_8C24F7:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+112j
		jz	short near ptr loc_8C2538+7
		insb
		popa
		db	67h
		jnb	near ptr 24FEh

??_C@_0BN@COLBLNAK@Unable?5to?5open?5main?5database@NNGAKEGL@:
					; DATA XREF: SdbInitDatabaseInMemory:loc_8FEB3Co
		push	ebp

loc_8C24FF:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C24D8j
		outsb

loc_8C2500:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+126j
		popa
		bound	ebp, [ebp+20h]

loc_8C2505:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+11Aj
		jz	short loc_8C2576
		and	[edi+70h], ch
		outs	dx, byte ptr gs:[esi]
		and	[ebp+61h], ch
		imul	ebp, [esi+20h],	61746164h

loc_8C2516:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+13Dj
		bound	esp, [ecx+73h]

loc_8C2519:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+134j
		db	65h
		add	ah, cl

??_C@_0BJ@GELLJEDM@SdbpOpenDatabaseInMemory@NNGAKEGL@:
					; DATA XREF: SdbpOpenDatabaseInMemory+AF384o
					; SdbpOpenDatabaseInMemory+AF39Fo
		push	ebx

loc_8C251D:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+128j
		bound	esi, fs:[eax+4Fh]
		jo	short near ptr loc_8C2586+2
		outsb
		inc	esp
		popa
		jz	short near ptr loc_8C2586+3
		bound	esp, [ecx+73h]
		db	65h
		dec	ecx
		outsb
		dec	ebp
		db	65h
		insd
		outsd
		jb	short near ptr loc_8C25AC+1
		add	ah, cl

??_C@_0BO@JBCGLKOO@Failed?5to?5allocate?5sdbcontext@NNGAKEGL@:
					; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+16Fj
					; DATA XREF: SdbInitDatabaseInMemory:loc_8FEB0Ao
		inc	esi

loc_8C2537:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+13Fj
		popa

loc_8C2538:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C24F7j
		imul	ebp, [ebp+64h],	206F7420h
		popa

loc_8C2541:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+14Dj
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		and	gs:[ebx+64h], dh
		bound	esp, [ebx+6Fh]
		outsb
		jz	short near ptr loc_8C25B3+3
		js	short near ptr loc_8C25C5+2
		add	[ebx+64h], dl	; DATA XREF: SdbInitDatabaseInMemory+AF38Eo
					; SdbInitDatabaseInMemory+AF3C0o

loc_8C2556:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+173j
		bound	ecx, [ecx+6Eh]

loc_8C2559:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C24EEj
		imul	esi, [esp+eax*2-260h+arg_2BD], 61626174h
		jnb	short loc_8C25C8
		dec	ecx
		outsb
		dec	ebp
		db	65h
		insd
		outsd
		jb	short loc_8C25E4
		add	[ebp+61h], cl	; DATA XREF: SdbOpenDatabaseEx(x,x,x,x)+133o
		imul	esp, [bp+di+20h], 73656F64h

loc_8C2576:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C2505j
		and	[esi+6Fh], ch
		jz	short loc_8C259B
		insd
		popa
		jz	short loc_8C25E2
		push	76206120h
		popa
		insb

loc_8C2586:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+19Fj
					; ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+1A4j
		imul	esp, [eax+76h],	65756C61h
		cmp	ah, [eax]
		xor	[eax+25h], bh
		insb
		js	short $+2

??_C@_0DP@MOGONKPB@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@:
					; DATA XREF: SdbOpenDatabaseEx(x,x,x,x)+14Fo
		push	ebx
		bound	esi, fs:[eax+4Fh]

loc_8C259B:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+1F7j
		jo	short near ptr loc_8C2601+1
		outsb
		inc	ebx
		outsd
		insd
		jo	short near ptr loc_8C2613+2
		db	65h
		jnb	short near ptr loc_8C2613+6
		db	65h, 64h
		inc	esp
		popa
		jz	short loc_8C260D

loc_8C25AC:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+1B0j
		bound	esp, [ecx+73h]
		and	gs:[esi+61h], ah

loc_8C25B3:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+1CDj
		imul	ebp, [ebp+64h],	206F7420h
		outsd
		jo	short near ptr loc_8C2621+2
		outsb
		and	[ebx+6Fh], ah
		insd
		jo	short near ptr loc_8C2636+1

loc_8C25C5:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+1CFj
		db	65h
		jnb	short near ptr loc_8C263A+1

loc_8C25C8:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+1DFj
		db	65h
		and	fs:[ecx+74h], ah
		popa
		bound	esp, [ecx+73h]
		db	65h, 2Eh
		add	ah, cl

??_C@_0BH@KGGJNBJB@Failed?5to?5map?5SDB?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: SdbOpenDatabaseEx(x,x,x,x)+E1o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		insd
		popa

loc_8C25E2:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+1FBj
		jo	short loc_8C2604

loc_8C25E4:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+1E7j
		push	ebx
		inc	esp
		inc	edx
		and	[ebx+25h], bl
		js	short near ptr loc_8C2645+4
		add	ah, cl

??_C@_0BP@DEIGBGOF@Failed?5to?5read?5database?5header@NNGAKEGL@:
					; DATA XREF: SdbOpenDatabaseEx(x,x,x,x)+112o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		jb	short loc_8C265F
		popa
		and	fs:[ecx+74h], ah
		popa

loc_8C2601:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C259Bj
		bound	esp, [ecx+73h]

loc_8C2604:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C25E2j
		and	gs:[eax+65h], ch
		popa
		db	64h, 65h
		jb	short $+4

loc_8C260D:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+228j
		int	3		; Trap to Debugger

??_C@_0BB@HMGGCEBG@Invalid?5argument@NNGAKEGL@:
					; DATA XREF: SdbpCreateSearchPathPartsFromPath:loc_92EE59o
		dec	ecx
		outsb
		jbe	short loc_8C2673
		insb

loc_8C2613:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+21Fj
					; ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+221j
		imul	esp, [eax+61h],	6D756772h
		outs	dx, byte ptr gs:[esi]
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_0CC@DNOBBHPD@SdbpCreateSearchPathPartsFromPa@NNGAKEGL@:
					; DATA XREF: SdbpCreateSearchPathPartsFromPath+91EDBo
					; SdbpCreateSearchPathPartsFromPath+91F17o
		push	ebx

loc_8C2621:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+23Aj
		bound	esi, fs:[eax+43h]
		jb	short near ptr loc_8C268A+2
		popa
		jz	short near ptr loc_8C268D+2
		push	ebx
		db	65h
		popa
		jb	short near ptr loc_8C268D+5
		push	68746150h
		push	eax
		popa

loc_8C2636:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+241j
		jb	short near ptr loc_8C26AB+1
		jnb	short near ptr loc_8C267F+1

loc_8C263A:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C25C5j
		jb	short loc_8C26AB
		insd
		push	eax
		popa
		jz	short loc_8C26A9
		add	[edx+esi*2+79h], dl ; DATA XREF: SdbGetNextChild:loc_8FDD59o

loc_8C2645:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+268j
		imul	ebp, [esi+67h],	206F7420h
		outsd
		jo	short loc_8C26B4
		jb	short loc_8C26B2
		jz	short near ptr loc_8C26B7+1
		and	[edi+6Eh], ch
		and	[esi+6Fh], ch
		outsb
		sub	eax, 7473696Ch

loc_8C265F:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+276j
		sub	al, 20h
		outsb
		outsd
		outsb
		sub	eax, 746F6F72h
		and	[ecx+67h], dh
		add	[ebx+64h], dl	; DATA XREF: SdbGetNextChild+AF979o
		bound	eax, [edi+65h]

loc_8C2673:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+28Ej
		jz	short loc_8C26C3
		db	65h
		js	short loc_8C26EC
		inc	ebx
		push	(offset	loc_646C68+1)

??_C@_0BN@MMDIANPF@Reading?5from?5unfinished?5list@NNGAKEGL@:
					; DATA XREF: SdbpGetNextTagId:loc_8FDD93o
		push	edx

loc_8C267F:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+2B6j
		db	65h
		popa
		imul	ebp, fs:[esi+67h], 6F726620h
		insd

loc_8C268A:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+2A3j
		and	[ebp+6Eh], dh

loc_8C268D:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+2A6j
					; ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+2ABj
		imul	bp, [esi+69h], 6873h
		db	65h
		and	fs:[ecx+ebp*2+73h], ch
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_0BB@OGLNMMEN@SdbpGetNextTagId@NNGAKEGL@: ; DATA XREF: SdbpGetNextTagId+AF92Bo
		push	ebx
		bound	esi, fs:[eax+47h]
		db	65h
		jz	short near ptr loc_8C26EE+4
		db	65h
		js	short near ptr loc_8C271A+1
		push	esp
		popa

loc_8C26A9:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+2BDj
		db	67h
		dec	ecx

loc_8C26AB:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C263Aj
					; ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C2636j
		db	64h
		add	ah, cl

??_C@_0BD@GBHBBJKK@Error?5reading?5data@NNGAKEGL@:
					; DATA XREF: SdbGetTagFromTagID:loc_8FDDF3o
					; SdbpReadStringRef:loc_8FEC7Ao
		inc	ebp
		jb	short near ptr loc_8C271D+6
		outsd

loc_8C26B2:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+2CDj
		jb	short loc_8C26D4

loc_8C26B4:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+2CBj
		jb	short near ptr loc_8C271A+1
		popa

loc_8C26B7:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+2CFj
		imul	ebp, fs:[esi+67h], 74616420h
		popa
		add	ah, cl

??_C@_0BD@BBDOGMGI@SdbGetTagFromTagID@NNGAKEGL@: ; DATA	XREF: SdbGetTagFromTagID+AF887o
		push	ebx

loc_8C26C3:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C2673j
		bound	eax, fs:[edi+65h]
		jz	short loc_8C271D
		popa
		db	67h
		inc	esi
		jb	short near ptr loc_8C2739+4
		insd
		push	esp
		popa
		db	67h
		dec	ecx
		inc	esp

loc_8C26D4:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C26B2j
		add	ah, cl

??_C@_0CF@LECMDEAC@Failed?5to?5allocate?5search?5path?5@NNGAKEGL@:
					; DATA XREF: SdbpCreateSearchPathPartsFromPath:loc_92EE95o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		popa
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		and	gs:[ebx+65h], dh
		popa

loc_8C26EC:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+2F3j
		jb	short loc_8C2751

loc_8C26EE:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+31Fj
		push	74617020h
		push	72617020h
		jz	short loc_8C276D
		add	ah, cl
??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@ proc near ; DATA XREF: sub_8FEBBC+3Do

; FUNCTION CHUNK AT 008C2963 SIZE 0000010E BYTES

		push	ebx
		push	78456D69h
		arpl	[ebp+70h], sp
		jz	short near ptr loc_8C276E+2
		outsd
		outsb
		dec	eax
		popa
		outsb
		db	64h
		insb
		db	65h
		jb	short $+3
		int	3		; Trap to Debugger

??_C@_0FK@ENLKOOIG@Shim?5Exception?5?$CF?$CDx?5in?5module?5?$CC?$CF@NNGAKEGL@:
					; DATA XREF: sub_8FEBBC+33o
		push	ebx
		push	45206D69h
		js	short loc_8C277D

loc_8C271A:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+322j
					; ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C26B4j
		db	65h
		jo	short loc_8C2791

loc_8C271D:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+345j
					; ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+32Dj
		imul	ebp, [edi+6Eh],	78232520h
		and	[ecx+6Eh], ch
		and	[ebp+6Fh], ch
		db	64h
		jnz	short near ptr loc_8C2797+2
		and	gs:[edx], ah
		and	eax, 2C227368h
		and	[ecx+ebp*2+6Eh], ch

loc_8C2739:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+34Aj
		and	gs:61202C64h, ah
		jz	short near ptr loc_8C275F+3
		popa
		db	64h, 64h
		jb	short near ptr loc_8C27A9+3
		jnb	short near ptr loc_8C27BB+1
		and	ds:202E7849h, ah
		db	66h
		insb

loc_8C2751:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@:loc_8C26ECj
		popa
		db	67h
		jnb	near ptr 278Fh
		and	eax, 202E7823h
		and	[ebp+78h], esp
		jb	short near ptr loc_8C277D+2

loc_8C275F:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+44j
		and	eax, 21207023h
		arpl	[eax+72h], di
		and	ds:46007023h, ah
					; DATA XREF: SdbpInitializeSearchDBContext:loc_92EE39o

loc_8C276D:				; CODE XREF: ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@+376j
		popa

loc_8C276E:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+9j
		imul	ebp, [ebp+64h],	206F7420h
		popa
		insb
		insb
		outsd
		arpl	[ecx+74h], sp

loc_8C277D:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+1Cj
					; ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+61j
		and	gs:[eax+72h], dh
		outsd
		arpl	[ebp+73h], sp
		jnb	short loc_8C27A7
		push	6F747369h
		jb	short near ptr loc_8C2804+3
		and	[edx+75h], ah

loc_8C2791:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C271Aj
		db	66h, 66h, 65h
		jb	short $+5

??_C@_0BO@POGEIBOE@SdbpInitializeSearchDBContext@NNGAKEGL@:
					; DATA XREF: SdbpInitializeSearchDBContext:loc_92EE43o
		push	ebx

loc_8C2797:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+2Ej
		bound	esi, fs:[eax+49h]
		outsb
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		push	ebx
		db	65h
		popa

loc_8C27A7:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+89j
		jb	short loc_8C280C

loc_8C27A9:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+47j
		push	6F434244h
		outsb
		jz	short near ptr loc_8C2815+1
		js	short loc_8C2827

loc_8C27B3:				; DATA XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+105o
		add	[ebp+6Eh], dl
		popa
		bound	ebp, [ebp+20h]

loc_8C27BB:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+4Bj
		jz	short loc_8C282C
		and	[ecx+6Ch], ah
		insb
		outsd
		arpl	[ecx+74h], sp
		and	gs:[ebp+65h], ch
		insd
		outsd
		jb	short loc_8C2846
		and	[esi+6Fh], ah
		jb	short near ptr loc_8C27F1+1
		db	66h
		jnz	short near ptr loc_8C283E+3
		insb
		and	[esi+61h], ch
		insd

loc_8C27DA:				; DATA XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+9Do
					; SdbpCreateSearchDBContext(x,x,x,x,x,x)+E3o ...
		add	gs:[ebx+64h], dl
		bound	esi, [eax+43h]
		jb	short loc_8C2848
		popa
		jz	short near ptr loc_8C284A+1
		push	ebx
		db	65h
		popa
		jb	short ??_C@_0CE@JCOOOONA@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@
		push	6F434244h
		outsb

loc_8C27F1:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+D4j
		jz	short loc_8C2858
		js	short near ptr loc_8C2868+1

loc_8C27F5:				; DATA XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+D9o
		add	[ebp+6Eh], dl
		popa
		bound	ebp, [ebp+20h]
		jz	short near ptr loc_8C2868+6
		and	[eax+61h], dh
		jb	short loc_8C2877

loc_8C2804:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+90j
		and	gs:[ebp+78h], ah
		arpl	gs:[ebp+74h], si

loc_8C280C:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C27A7j
		popa
		bound	ebp, [ebp+20h]
		jo	short loc_8C2874
		jz	short loc_8C287D

loc_8C2815:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+B3j
		and	[esi+6Fh], ah
		jb	short near ptr loc_8C2839+1
		and	ah, ds:227377h

??_C@_0CN@HKBNFJHO@Unable?5to?5allocate?5memory?5for?5d@NNGAKEGL@:
					; DATA XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+93o
		push	ebp
		outsb
		popa
		bound	ebp, [ebp+20h]

loc_8C2827:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+B5j
		jz	short loc_8C2898
		and	[ecx+6Ch], ah

loc_8C282C:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C27BBj
		insb
		outsd
		arpl	[ecx+74h], sp
		and	gs:[ebp+65h], ch
		insd
		outsd
		jb	short near ptr loc_8C28B0+2

loc_8C2839:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+11Cj
		and	[esi+6Fh], ah
		jb	short near ptr loc_8C285D+1

loc_8C283E:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+D6j
		imul	esi, fs:[edx+65h], 726F7463h

loc_8C2846:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+CFj
		jns	short loc_8C2868

loc_8C2848:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+E5j
		jo	short near ptr loc_8C28AA+1

loc_8C284A:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+E8j
		jz	short near ptr loc_8C28B3+1
		add	ah, cl

??_C@_0CE@JCOOOONA@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@:
					; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+EDj
					; DATA XREF: SdbpResolveMatchingFile+9218Co ...
		inc	ecx
		jnb	short loc_8C28BD
		inc	ebp
		outsb
		jbe	short near ptr loc_8C2899+3
		db	65h
		jz	short near ptr loc_8C28A5+3

loc_8C2858:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C27F1j
		jb	short near ptr loc_8C28C2+7
		arpl	[ebp+73h], sp

loc_8C285D:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+140j
		jnb	short loc_8C28B6
		outsd
		ja	short near ptr loc_8C28AA+1
		outsb
		outsw
		and	[esi+61h], ah

loc_8C2868:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C2846j
					; ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+F7j ...
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[ecx+73h], al	; DATA XREF: SdbpResolveMatchingFile+92199o

loc_8C2874:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+115j
		insb
		inc	ebp
		outsb

loc_8C2877:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+106j
		jbe	short near ptr loc_8C28BD+1
		js	short near ptr loc_8C28E9+2
		popa
		outsb

loc_8C287D:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+117j
		db	64h
		push	ebx
		jz	short loc_8C28F3
		imul	ebp, [esi+67h],	66203273h
		popa
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BK@MOBDPHHJ@Invalid?5match?5file?5length@NNGAKEGL@:
					; DATA XREF: SdbpResolveMatchingFile:loc_92E79Do
		dec	ecx
		outsb
		jbe	short near ptr loc_8C28F8+1

loc_8C2898:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C2827j
		insb

loc_8C2899:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+157j
		imul	esp, [eax+6Dh],	68637461h
		and	[esi+69h], ah
		insb

loc_8C28A5:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+159j
		and	gs:[ebp+6Eh], ch

loc_8C28AA:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C2848j
					; ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+164j
		db	67h
		jz	near ptr 2915h
		add	[ebx+64h], dl	; DATA XREF: SdbpResolveMatchingFile+92177o
					; SdbpResolveMatchingFile:loc_92E7D3o ...

loc_8C28B0:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+13Bj
		bound	esi, [eax+52h]

loc_8C28B3:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C284Aj
		db	65h
		jnb	short near ptr loc_8C2924+1

loc_8C28B6:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C285Dj
		insb
		jbe	short near ptr loc_8C291D+1
		dec	ebp
		popa
		jz	short near ptr loc_8C291F+1

loc_8C28BD:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+153j
					; ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C2877j
		push	46676E69h

loc_8C28C2:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C2858j
					; DATA XREF: SdbpGetExeEntryFlags:loc_9335A0o
		imul	ebp, [ebp+0], 70626453h
		inc	edi
		db	65h
		jz	short near ptr loc_8C2912+1
		js	short loc_8C2935
		inc	ebp
		outsb
		jz	short loc_8C2946
		jns	short near ptr loc_8C291A+2
		insb
		popa
		db	67h
		jnb	near ptr 28DBh
		int	3		; Trap to Debugger

??_C@_0CH@BBAMENNN@Failed?5to?5read?5the?5GUID?5for?5tiE@NNGAKEGL@:
					; DATA XREF: SdbpGetExeEntryFlags+8A53Eo
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		jb	short loc_8C294D
		popa

loc_8C28E9:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+17Dj
		and	fs:[eax+ebp*2+65h], dh
		and	[edi+55h], al
		dec	ecx
		inc	esp

loc_8C28F3:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+183j
		and	[esi+6Fh], ah
		jb	short near ptr loc_8C2912+6

loc_8C28F8:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+19Aj
		jz	short loc_8C2963
		inc	ebp
		js	short near ptr loc_8C295A+8
		and	[eax], dh
		js	short loc_8C2926
		js	short $+2
		int	3		; Trap to Debugger

??_C@_0CD@BOEHPKLM@Failed?5to?5retrieve?5process?5hist@NNGAKEGL@:
					; DATA XREF: SdbpInitializeSearchDBContext+91F5Fo
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		jb	short loc_8C2975
		jz	short near ptr loc_8C2981+3

loc_8C2912:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+1CFj
					; ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+1FAj
		imul	esp, [ebp+76h],	72702065h
		outsd

loc_8C291A:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+1D8j
		arpl	[ebp+73h], sp

loc_8C291D:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+1BBj
		jnb	short loc_8C293F

loc_8C291F:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+1BFj
		push	6F747369h

loc_8C2924:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C28B3j
		jb	short near ptr loc_8C299B+4

loc_8C2926:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+203j
		add	ah, cl

??_C@_0CJ@GFAHPFCA@Failed?5to?5read?5TAG_EXE_ID?5for?5t@NNGAKEGL@:
					; DATA XREF: SdbpGetExeEntryFlags+8A531o
					; SdbReadEntryInformation(x,x,x)+80o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr loc_8C2998+1
		popa

loc_8C2935:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+1D2j
		and	fs:[ecx+eax*2+47h], dl
		pop	edi
		inc	ebp
		pop	eax
		inc	ebp
		pop	edi

loc_8C293F:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C291Dj
		dec	ecx
		inc	esp
		and	[esi+6Fh], ah
		jb	short near ptr loc_8C2965+1

loc_8C2946:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+1D6j
		jz	short near ptr loc_8C29B0+1
		inc	ebp
		js	short loc_8C29B0
		and	[eax], dh

loc_8C294D:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+1EAj
		js	short ??_C@_0BI@KFGKGOFP@Failed?5to?5read?5key?5path@NNGAKEGL@
		js	short $+2
		int	3		; Trap to Debugger
??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0CC@CENPHDLK@SdbpGetRegistryMatchingAttribut@NNGAKEGL@ proc near
					; DATA XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x):loc_A203B0o
					; SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+260o ...
		push	ebx
		bound	esi, fs:[eax+47h]
		db	65h
		jz	short near ptr loc_8C29A8+4

loc_8C295A:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+1FFj
		imul	esi, gs:[bp+di+74h], 614D7972h
??_C@_0CC@CENPHDLK@SdbpGetRegistryMatchingAttribut@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@

loc_8C2963:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C28F8j
		jz	short loc_8C29C8

loc_8C2965:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+248j
		push	41676E69h
		jz	short near ptr loc_8C29DF+1
		jb	short loc_8C29D7
		bound	esi, [ebp+74h]
		db	65h
		jnb	short $+3

??_C@_0BI@KFGKGOFP@Failed?5to?5read?5key?5path@NNGAKEGL@:
					; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C294Dj
					; DATA XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x):loc_A2054Eo
		inc	esi

loc_8C2975:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+212j
		popa
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr loc_8C29DF+6
		popa

loc_8C2981:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+214j
		and	fs:[ebx+65h], ch
		jns	short loc_8C29A7
		jo	short near ptr loc_8C29E7+3
		jz	short loc_8C29F3
		add	[ecx+73h], al	; DATA XREF: SdbpResolveMatchingFile+9224Bo
		insb
		push	eax
		popa
		jz	short loc_8C29FB
		inc	ebx
		insb
		db	65h
		popa
		outsb

loc_8C2998:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+236j
		and	[esi+61h], ah

loc_8C299B:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C2924j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BL@MDKIPEHO@Failed?5to?5get?5key?5path?5tag@NNGAKEGL@:
					; DATA XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+66o
		inc	esi

loc_8C29A7:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+289j
		popa

loc_8C29A8:				; CODE XREF: ??_C@_0CC@CENPHDLK@SdbpGetRegistryMatchingAttribut@NNGAKEGL@+5j
		imul	ebp, [ebp+64h],	206F7420h

loc_8C29B0:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+24Dj
					; ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C2946j
		db	67h, 65h
		jz	near ptr 29D4h
		imul	esp, [ebp+79h],	20h
		jo	short loc_8C2A1B
		jz	short near ptr loc_8C2A23+1
		and	[ecx+67h], dh
		add	ah, cl

??_C@_0O@NALGGDJF@Out?5of?5memory@NNGAKEGL@: ; DATA XREF: AslStringDuplicate:loc_8FDA1Do
					; AslStringUpcaseToMultiByteN:loc_8FE0F3o ...
		dec	edi
		jnz	short loc_8C2A39
		and	[edi+66h], ch

loc_8C29C8:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C2963j
		and	[ebp+65h], ch
		insd
		outsd
		jb	short loc_8C2A48
		add	[ecx+73h], al	; DATA XREF: SdbpResolveMatchingFile+9226Do
		insb
		inc	ebp
		outsb
		jbe	short near ptr loc_8C2A1B+1

loc_8C29D7:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+270j
		js	short near ptr loc_8C2A48+1
		popa
		outsb
		db	64h
		push	ebx
		jz	short loc_8C2A51

loc_8C29DF:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+26Ej
					; ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+282j
		imul	ebp, [esi+67h],	66203273h
		popa

loc_8C29E7:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+28Bj
		imul	ebp, [ebp+64h],	206F7420h
		db	65h
		js	short loc_8C2A62
		popa

loc_8C29F3:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+28Dj
		outsb
		and	fs:[ebx+74h], dh
		jb	short loc_8C2A63
		outsb

loc_8C29FB:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+295j
		db	67h
		jnb	near ptr 2A1Eh
		outsw
		jb	short loc_8C2A22
		and	eax, 5B207377h
		and	eax, 0CC005D78h

??_C@_0BC@IOBBHNBA@Invalid?5path?5size@NNGAKEGL@:
					; DATA XREF: SdbpResolveMatchingFile+921CCo
					; SdbpResolveMatchingFile+921EBo ...
		dec	ecx
		outsb
		jbe	short loc_8C2A71
		insb
		imul	esp, [eax+70h],	20687461h
		jnb	short near ptr ??_C@_0CH@ENLBMAPM@Failed?5to?5get?5TAG_REG_VALUE_DAT@NNGAKEGL@+0Ah

loc_8C2A1B:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+2BCj
					; ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+2D9j
		jp	short near ptr ??_C@_0CH@ENLBMAPM@Failed?5to?5get?5TAG_REG_VALUE_DAT@NNGAKEGL@+8
		add	[ecx+6Eh], cl	; DATA XREF: SdbpResolveMatchingFile:loc_92E83Bo
		jbe	short near ptr ??_C@_0CH@ENLBMAPM@Failed?5to?5get?5TAG_REG_VALUE_DAT@NNGAKEGL@+9

loc_8C2A22:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+304j
		insb

loc_8C2A23:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+2BEj
		imul	esp, [eax+62h],	65666675h
		jb	short near ptr loc_8C2A4C+1
		jnb	short near ptr ??_C@_0CH@ENLBMAPM@Failed?5to?5get?5TAG_REG_VALUE_DAT@NNGAKEGL@+1Eh
		jp	short near ptr ??_C@_0CH@ENLBMAPM@Failed?5to?5get?5TAG_REG_VALUE_DAT@NNGAKEGL@+1Ch
		add	[ebp+6Eh], dl	; DATA XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x):loc_A2053Fo
		imul	ebp, [esi+6Fh],	77h
		outsb

loc_8C2A39:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+2C7j
		and	[edx+65h], dh
		imul	esi, [bp+di+74h], 76207972h
		popa
		insb
		jnz	short near ptr loc_8C2AAC+1

loc_8C2A48:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+2D1j
					; ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C29D7j
		and	[ecx+edi*2+70h], dh

loc_8C2A4C:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+32Fj
					; DATA XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+36o
		add	gs:[eax+eax+62h], ah

loc_8C2A51:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+2E1j
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2

loc_8C2A62:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+2F3j
		inc	esp

loc_8C2A63:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+2FCj
		add	[ebp+0], ah
		db	66h
		add	[ecx+0], ah
		jnz	short $+2
		insb
		add	[eax+eax+4Eh], dh
; END OF FUNCTION CHUNK	FOR ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@

loc_8C2A71:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+312j
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
; 
		db 2 dup(0)
??_C@_0CH@ENLBMAPM@Failed?5to?5get?5TAG_REG_VALUE_DAT@NNGAKEGL@	db 'Failed to get TAG_REG_VALUE_DATA_QWORD',0
					; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@:loc_8C2A1Bj
					; ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+324j ...
		align 2

??_C@_0CI@NHLCACFB@Failed?5to?5get?5TAG_REG_VALUE_DAT@NNGAKEGL@:
					; DATA XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+1E1o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h

loc_8C2AAC:				; CODE XREF: ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@+34Aj
		db	67h, 65h
		jz	near ptr 2AD0h
		push	esp
		inc	ecx
		inc	edi
		pop	edi
		push	edx
		inc	ebp
		inc	edi
		pop	edi
		push	esi
		inc	ecx
		dec	esp
		push	ebp
		inc	ebp
		pop	edi
		inc	esp
		inc	ecx
		push	esp
		inc	ecx
		pop	edi
		inc	edx
		dec	ecx
		dec	esi
		inc	ecx
		push	edx
		pop	ecx
		add	[esi+61h], al	; DATA XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+200o
					; SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+256o
		imul	ebp, [ebp+64h],	206F7420h
		jb	short loc_8C2B3B
		popa
		and	fs:[esi+61h], dh
		insb
		jnz	short loc_8C2B43
		and	[ecx+74h], ah
		popa
		add	[esi+61h], al	; DATA XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+1ADo
		imul	ebp, [ebp+64h],	206F7420h
		db	67h, 65h
		jz	near ptr 2B12h
		push	esp
		inc	ecx
		inc	edi
		pop	edi
		push	edx
		inc	ebp
		inc	edi
		pop	edi
		push	esi
		inc	ecx
		dec	esp
		push	ebp
		inc	ebp
		pop	edi
		inc	esp
		inc	ecx
		push	esp
		inc	ecx
		pop	edi
		inc	esp
		push	edi
		dec	edi
		push	edx
		inc	esp
		add	ah, cl

??_C@_0BK@FFANNGGM@Failed?5to?5read?5value?5type@NNGAKEGL@:
					; DATA XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+D8o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr loc_8C2B7B+2
		popa
		and	fs:[esi+61h], dh
		insb
		jnz	short loc_8C2B85
		and	[ecx+edi*2+70h], dh
		add	gs:[esi+61h], al
					; DATA XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+234o
		imul	ebp, [ebp+64h],	206F7420h
		db	67h, 65h
		jz	near ptr 2B54h
		push	esp
		inc	ecx
		inc	edi
		pop	edi
		push	edx
		inc	ebp
		inc	edi

loc_8C2B3B:				; CODE XREF: PAGE:008C2AD4j
		pop	edi
		push	esi
		inc	ecx
		dec	esp
		push	ebp
		inc	ebp
		pop	edi
		inc	esp

loc_8C2B43:				; CODE XREF: PAGE:008C2ADCj
		inc	ecx
		push	esp
		inc	ecx
		pop	edi
		push	ebx
		pop	edx
		add	[ebx+64h], dl	; DATA XREF: SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)+87o
					; SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)+11Eo
		bound	esi, [eax+43h]
		push	4D6B6365h
		popa
		jz	short near ptr loc_8C2BB7+3
		push	52676E69h
		imul	esi, gs:[bp+di+74h], 6E457972h
		jz	short loc_8C2BD9
		jns	short $+2
		int	3		; Trap to Debugger

??_C@_0CK@OOILAFO@Failed?5to?5get?5processor?5archite@NNGAKEGL@:
					; DATA XREF: SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)+114o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		db	67h, 65h
		jz	near ptr 2B98h
		jo	short near ptr ??_C@_0BF@JLNLEIIN@Failed?5to?5read?5value@NNGAKEGL@+0Ch
		outsd

loc_8C2B7B:				; CODE XREF: PAGE:008C2B16j
		arpl	[ebp+73h], sp
		jnb	short near ptr ??_C@_0BF@JLNLEIIN@Failed?5to?5read?5value@NNGAKEGL@+0Fh
		jb	short near ptr loc_8C2B9F+3
		popa
		jb	short near ptr ??_C@_0BF@JLNLEIIN@Failed?5to?5read?5value@NNGAKEGL@+8

loc_8C2B85:				; CODE XREF: PAGE:008C2B1Ej
		push	63657469h
		jz	short near ptr loc_8C2C00+1
		jb	short near ptr ??_C@_0BF@JLNLEIIN@Failed?5to?5read?5value@NNGAKEGL@+13h
		and	[ebx+25h], bl
		js	short near ptr ??_C@_0BF@JLNLEIIN@Failed?5to?5read?5value@NNGAKEGL@+10h
		add	[eax+eax+52h], bl
					; DATA XREF: SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)+4Ao
		add	[ebp+0], al
		inc	edi
		add	[ecx+0], cl
		push	ebx

loc_8C2B9F:				; CODE XREF: PAGE:008C2B80j
		add	[eax+eax+52h], dl
		add	[ecx+0], bl
		pop	esp
		add	[ebp+0], cl
		inc	ecx
		add	[ebx+0], al
		dec	eax
		add	[ecx+0], cl
		dec	esi
		add	[ebp+0], al
		pop	esp

loc_8C2BB7:				; CODE XREF: PAGE:008C2B55j
		add	large ds:7300h,	ah
		add	[esi+61h], al	; DATA XREF: SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)+7Do
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[edi+6Eh], bp
		jnb	short near ptr loc_8C2C3F+2
		jb	short loc_8C2C44
		arpl	[eax+66h], si
		jnz	short near ptr loc_8C2C3F+2
		insb
		and	[ebx+65h], ch

loc_8C2BD9:				; CODE XREF: PAGE:008C2B65j
		jns	short near ptr loc_8C2BF8+3
		jo	short near ptr loc_8C2C3D+1
		jz	short near ptr loc_8C2C44+3
; 
		db 0
??_C@_0BF@JLNLEIIN@Failed?5to?5read?5value@NNGAKEGL@ db	'Failed to read value',0
					; CODE XREF: PAGE:008C2B83j
					; PAGE:008C2B78j ...
		align 2

;  S U B	R O U T	I N E 


??_C@_0CB@NOENIKHC@Unknown?5registry?5value?5data?5typ@NNGAKEGL@ proc near
					; DATA XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x):loc_A1F5C4o
		push	ebp
		outsb
??_C@_0CB@NOENIKHC@Unknown?5registry?5value?5data?5typ@NNGAKEGL@ endp


loc_8C2BF8:				; CODE XREF: PAGE:loc_8C2BD9j
		imul	ebp, [esi+6Fh],	77h
		outsb
		and	[edx+65h], dh

loc_8C2C00:				; CODE XREF: PAGE:008C2B8Aj
		imul	esi, [bp+di+74h], 76207972h
		popa
		insb
		jnz	short near ptr ??_C@_0CG@JELBPBFJ@Failed?5to?5get?5MATCHING_TEXT?5fil@NNGAKEGL@+1Fh
		and	[ecx+74h], ah
		popa
		and	[ecx+edi*2+70h], dh
		db	65h
		add	ah, cl
; 
??_C@_0BK@JNHKJALB@Failed?5to?5allocate?5memory@NNGAKEGL@ db 'Failed to allocate memory',0
					; DATA XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+A6o
					; SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+17Ao ...

;  S U B	R O U T	I N E 


??_C@_0BP@IOIMNEOA@SdbpCheckMatchingRegistryValue@NNGAKEGL@ proc near
					; DATA XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+B0o
					; SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x):loc_A1F413o
		push	ebx
		bound	esi, fs:[eax+43h]
??_C@_0BP@IOIMNEOA@SdbpCheckMatchingRegistryValue@NNGAKEGL@ endp

		push	4D6B6365h
		popa

loc_8C2C3D:				; CODE XREF: PAGE:008C2BDBj
		jz	short near ptr loc_8C2CA1+1

loc_8C2C3F:				; CODE XREF: PAGE:008C2BCBj
					; PAGE:008C2BD3j
		push	52676E69h

loc_8C2C44:				; CODE XREF: PAGE:008C2BCDj
					; PAGE:008C2BDDj
		imul	esi, gs:[bp+di+74h], 61567972h
		insb
		jnz	short near ptr loc_8C2CB2+3
		add	ah, cl
; 
??_C@_0CG@JELBPBFJ@Failed?5to?5get?5MATCHING_TEXT?5fil@NNGAKEGL@ db 'Failed to get MATCHING_TEXT file path',0
					; DATA XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+43o

;  S U B	R O U T	I N E 


??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@ proc	near
					; DATA XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x):loc_A20166o
					; SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+18Eo

; FUNCTION CHUNK AT 008C2CE6 SIZE 00000072 BYTES

		push	ebx
		bound	esi, fs:[eax+47h]
		db	65h
		jz	short near ptr loc_8C2CCC+1
		popa
		jz	short loc_8C2CE6
		push	54676E69h
		db	65h
		js	short near ptr loc_8C2CFE+1
		inc	ecx
		jz	short near ptr loc_8C2D01+1
		jb	short loc_8C2CF9
		bound	esi, [ebp+74h]
		db	65h
		jnb	short $+3
??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@ endp


??_C@_0BK@HKIGDGDG@SdbpCheckMatchingRegistry@NNGAKEGL@:
					; DATA XREF: SdbpCheckMatchingRegistry(x,x,x,x,x,x,x):loc_A1F125o
		push	ebx
		bound	esi, fs:[eax+43h]
		push	4D6B6365h
		popa

loc_8C2CA1:				; CODE XREF: PAGE:loc_8C2C3Dj
		jz	short ??_C@_0CC@POBNGMOF@Failed?5to?5read?5MATCHING_REG?5ent@NNGAKEGL@
		push	52676E69h
; 
aEgistry	db 'egistry',0

;  S U B	R O U T	I N E 


??_C@_0CD@CMJHNGOF@Failed?5to?5check?5MATCHING_REG?5en@NNGAKEGL@ proc near
					; DATA XREF: SdbpCheckMatchingRegistry(x,x,x,x,x,x,x)+A1o
		inc	esi
		popa

loc_8C2CB2:				; CODE XREF: PAGE:008C2C4Ej
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[eax+65h], bp
		arpl	[ebx+20h], bp
		dec	ebp
		inc	ecx
		push	esp
		inc	ebx
		dec	eax
		dec	ecx
		dec	esi
		inc	edi
		pop	edi
		push	edx
		inc	ebp
		inc	edi

loc_8C2CCC:				; CODE XREF: ??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@+5j
		and	[ebp+6Eh], ah
		jz	short loc_8C2D43
		jns	short $+2
		int	3		; Trap to Debugger

??_C@_0DB@EIHOIBJC@Failed?5to?5check?5MATCHING_WILDCA@NNGAKEGL@:
					; DATA XREF: SdbpCheckMatchingWildcardRegistry(x,x,x,x,x,x,x)+A1o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[eax+65h], bp
		arpl	[ebx+20h], bp
		dec	ebp
		inc	ecx
??_C@_0CD@CMJHNGOF@Failed?5to?5check?5MATCHING_REG?5en@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@

loc_8C2CE6:				; CODE XREF: ??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@+9j
		push	esp
		inc	ebx
		dec	eax
		dec	ecx
		dec	esi
		inc	edi
		pop	edi
		push	edi
		dec	ecx
		dec	esp
		inc	esp
		inc	ebx
		inc	ecx
		push	edx
		inc	esp
		pop	edi
		push	edx
		inc	ebp
		inc	edi

loc_8C2CF9:				; CODE XREF: ??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@+16j
		dec	ecx
		push	ebx
		push	esp
		push	edx
		pop	ecx

loc_8C2CFE:				; CODE XREF: ??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@+10j
		and	[ebp+6Eh], ah

loc_8C2D01:				; CODE XREF: ??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@+14j
		jz	short near ptr loc_8C2D72+3
		jns	short $+2
		int	3		; Trap to Debugger

??_C@_0CC@POBNGMOF@Failed?5to?5read?5MATCHING_REG?5ent@NNGAKEGL@:
					; CODE XREF: PAGE:loc_8C2CA1j
					; DATA XREF: SdbpCheckMatchingRegistry(x,x,x,x,x,x,x)+5Eo
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr loc_8C2D72+5
		popa
		and	fs:[ebp+41h], cl
		push	esp
		inc	ebx
		dec	eax
		dec	ecx
		dec	esi
		inc	edi
		pop	edi
		push	edx
		inc	ebp
		inc	edi
		and	[ebp+6Eh], ah
		jz	short ??_C@_0CF@DDPIMIDA@Failed?5to?5initialize?5SEARCHDBCO@NNGAKEGL@
		jns	short $+2

??_C@_0DA@IPBPJHH@Failed?5to?5read?5MATCHING_WILDCAR@NNGAKEGL@:
					; DATA XREF: SdbpCheckMatchingWildcardRegistry(x,x,x,x,x,x,x)+5Eo
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		jb	short loc_8C2D99
		popa
		and	fs:[ebp+41h], cl
		push	esp
		inc	ebx
		dec	eax
		dec	ecx
		dec	esi
		inc	edi
		pop	edi
		push	edi
		dec	ecx
		dec	esp

loc_8C2D43:				; CODE XREF: ??_C@_0CD@CMJHNGOF@Failed?5to?5check?5MATCHING_REG?5en@NNGAKEGL@+1Fj
		inc	esp
		inc	ebx
		inc	ecx
		push	edx
		inc	esp
		pop	edi
		push	edx
		inc	ebp
		inc	edi
		dec	ecx
		push	ebx
		push	esp
		push	edx
		pop	ecx
		and	[ebp+6Eh], ah
		jz	short loc_8C2DC8
		jns	short $+2
; END OF FUNCTION CHUNK	FOR ??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@

;  S U B	R O U T	I N E 


??_C@_0CC@GNBGCCDF@SdbpCheckMatchingWildcardRegist@NNGAKEGL@ proc near
					; DATA XREF: SdbpCheckMatchingWildcardRegistry(x,x,x,x,x,x,x):loc_A1FCCDo

arg_73		= dword	ptr  7Bh

		push	ebx
		bound	esi, fs:[eax+43h]
		push	4D6B6365h
		popa
		jz	short loc_8C2DC8
		push	57676E69h
		imul	ebp, [esp-18h+arg_73], 52647261h

loc_8C2D72:				; CODE XREF: ??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@:loc_8C2D01j
					; ??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@+98j
					; DATA XREF: ...
		imul	esi, gs:[bp+di+74h], 46007972h
		popa
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr loc_8C2DEA+1
		popa
		and	fs:[ebp+6Eh], ah
		arpl	[edi+64h], bp
		imul	ebp, [esi+67h],	70797420h
		db	65h
		add	ah, cl
??_C@_0CC@GNBGCCDF@SdbpCheckMatchingWildcardRegist@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0CF@DDPIMIDA@Failed?5to?5initialize?5SEARCHDBCO@NNGAKEGL@	proc near
					; CODE XREF: ??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@+ACj
					; DATA XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+114o ...
		inc	esi

loc_8C2D99:				; CODE XREF: ??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@+BAj
		popa
		imul	ebp, [ebp+64h],	206F7420h
		imul	ebp, [esi+69h],	6C616974h
		imul	edi, [edx+65h],	41455320h
		push	edx
		inc	ebx
		dec	eax
		inc	esp
		inc	edx
		inc	ebx
		dec	edi
		dec	esi
		push	esp
		inc	ebp
		pop	eax
		push	esp
		add	ah, cl

??_C@_0CC@MGLCBEGO@Failed?5to?5read?5matching?5text?5bl@NNGAKEGL@:
					; DATA XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+F1o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h

loc_8C2DC8:				; CODE XREF: ??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@+DCj
					; ??_C@_0CC@GNBGCCDF@SdbpCheckMatchingWildcardRegist@NNGAKEGL@+Bj
		jb	short near ptr loc_8C2E2E+1
		popa
		and	fs:[ebp+61h], ch
		jz	short near ptr loc_8C2E31+3
		push	20676E69h
		jz	short near ptr loc_8C2E3C+1
		js	short near ptr loc_8C2E4A+4
		and	[edx+6Ch], ah
		outsd
		bound	eax, [eax]
??_C@_0CF@DDPIMIDA@Failed?5to?5initialize?5SEARCHDBCO@NNGAKEGL@	endp


;  S U B	R O U T	I N E 


??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@ proc near
					; DATA XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+113o

; FUNCTION CHUNK AT 008C2EEE SIZE 00000027 BYTES

		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h

loc_8C2DEA:				; CODE XREF: ??_C@_0CC@GNBGCCDF@SdbpCheckMatchingWildcardRegist@NNGAKEGL@+2Cj
		jb	short near ptr loc_8C2E4A+7
		popa
		and	fs:[ebp+78h], dh
		jz	short loc_8C2E14
		outs	dx, byte ptr gs:[esi]
		arpl	[edi+64h], bp
		imul	ebp, [esi+67h],	6146CC00h
					; DATA XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+B0o
		imul	ebp, [ebp+64h],	206F7420h
		db	67h, 65h
		jz	near ptr 2E2Ch
		jz	short near ptr loc_8C2E72+1
		js	short loc_8C2E84
		and	[edi+ebp*2+20h], dh

loc_8C2E14:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+12j
		insd
		popa
		jz	short near ptr loc_8C2E7A+1
		push	6F6C6220h
		bound	eax, [eax]
		int	3		; Trap to Debugger

??_C@_0CI@OJKHAKHB@Failed?5to?5allocate?5memory?5for?5t@NNGAKEGL@:
					; DATA XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+CBo
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		popa
		insb
		insb
		outsd

loc_8C2E2E:				; CODE XREF: ??_C@_0CF@DDPIMIDA@Failed?5to?5initialize?5SEARCHDBCO@NNGAKEGL@:loc_8C2DC8j
		arpl	[ecx+74h], sp

loc_8C2E31:				; CODE XREF: ??_C@_0CF@DDPIMIDA@Failed?5to?5initialize?5SEARCHDBCO@NNGAKEGL@+37j
		and	gs:[ebp+65h], ch
		insd
		outsd
		jb	short ??_C@_0BG@PMEDILFH@SdbpCheckMatchingText@NNGAKEGL@
		and	[esi+6Fh], ah

loc_8C2E3C:				; CODE XREF: ??_C@_0CF@DDPIMIDA@Failed?5to?5initialize?5SEARCHDBCO@NNGAKEGL@+3Ej
		jb	short loc_8C2E5E
		jz	short loc_8C2EA5
		js	short near ptr loc_8C2EB3+3
		and	[edx+6Ch], ah
		outsd
		bound	eax, [eax]

??_C@_0CH@DKPEDAPC@Failed?5to?5read?5MATCHING_TEXT?5fi@NNGAKEGL@:
					; DATA XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+187o
		inc	esi
		popa

loc_8C2E4A:				; CODE XREF: ??_C@_0CF@DDPIMIDA@Failed?5to?5initialize?5SEARCHDBCO@NNGAKEGL@+40j
					; ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@:loc_8C2DEAj
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr loc_8C2EB7+2
		popa
		and	fs:[ebp+41h], cl
		push	esp
		inc	ebx
		dec	eax
		dec	ecx
		dec	esi

loc_8C2E5E:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@:loc_8C2E3Cj
		inc	edi
		pop	edi
		push	esp
		inc	ebp
		pop	eax
		push	esp
		and	[esi+69h], ah
		insb
		and	gs:[eax+61h], dh
		jz	short near ptr loc_8C2ED3+3
		add	ah, cl

??_C@_0BN@IOMIMCFC@Failed?5to?5read?5text?5to?5match@NNGAKEGL@:
					; DATA XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+94o
		inc	esi
		popa

loc_8C2E72:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+2Cj
		imul	ebp, [ebp+64h],	206F7420h

loc_8C2E7A:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+36j
		jb	short near ptr loc_8C2EE0+1
		popa
		and	fs:[ebp+78h], dh
		jz	short loc_8C2EA4

loc_8C2E84:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+2Ej
		jz	short near ptr loc_8C2EF3+2
		and	[ebp+61h], ch
		jz	short loc_8C2EEE
		push	6146CC00h	; DATA XREF: SdbpCheckMatchingText(x,x,x,x,x,x,x)+4Co
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr loc_8C2EFA+5
		popa
		and	fs:[ebp+41h], cl
		push	esp
		inc	ebx
		dec	eax
		dec	ecx
		dec	esi

loc_8C2EA4:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+A2j
		inc	edi

loc_8C2EA5:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+5Ej
		pop	edi
		push	esp
		inc	ebp
		pop	eax
		push	esp
		and	[ebp+6Eh], ah
		jz	short loc_8C2F21
		jns	short $+2
		int	3		; Trap to Debugger
??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BG@PMEDILFH@SdbpCheckMatchingText@NNGAKEGL@ proc	near
					; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+57j
					; DATA XREF: SdbpCheckMatchingText(x,x,x,x,x,x,x)+56o ...
		push	ebx

loc_8C2EB3:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+60j
		bound	esi, fs:[eax+43h]

loc_8C2EB7:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+72j
		push	4D6B6365h
		popa
		jz	short loc_8C2F22
		push	54676E69h
		db	65h
		js	short loc_8C2F3B
		add	[edi+76h], cl	; DATA XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x):loc_A1F9B0o
		db	65h
		jb	short near ptr loc_8C2F31+2
		insb
		outsd
		ja	short near ptr loc_8C2EEF+2
		outs	dx, dword ptr fs:[esi]

loc_8C2ED3:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+8Cj
		imul	ebp, [esi+67h],	696F7020h
		outsb
		jz	short near ptr loc_8C2F41+1
		jb	short near ptr loc_8C2EFA+5
		popa

loc_8C2EE0:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@:loc_8C2E7Aj
					; DATA XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x):loc_A1F9A1o
		db	64h
		imul	esi, fs:[ecx+ebp*2+6Fh], 6E55006Eh
		imul	ebp, [esi+6Fh],	77h
??_C@_0BG@PMEDILFH@SdbpCheckMatchingText@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@

loc_8C2EEE:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+A9j
		outsb

loc_8C2EEF:				; CODE XREF: ??_C@_0BG@PMEDILFH@SdbpCheckMatchingText@NNGAKEGL@+1Dj
		and	[esi+69h], ah
		insb

loc_8C2EF3:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@:loc_8C2E84j
		and	gs:[ebp+6Eh], ah
		arpl	[edi+64h], bp

loc_8C2EFA:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+B8j
					; ??_C@_0BG@PMEDILFH@SdbpCheckMatchingText@NNGAKEGL@+2Bj
					; DATA XREF: ...
		imul	ebp, [esi+67h],	69614600h
		insb
		db	65h
		and	fs:[edi+ebp*2+20h], dh
		insd
		popa
		jo	short loc_8C2F2C
		imul	bp, [ebp+20h], 255Bh
		js	short near ptr loc_8C2F71+1
; END OF FUNCTION CHUNK	FOR ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@
; 
		db 0

;  S U B	R O U T	I N E 


??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@	proc near
					; DATA XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x):loc_A1F9BFo

arg_1D7		= dword	ptr  1DBh
arg_20B		= dword	ptr  20Fh

; FUNCTION CHUNK AT 008C3232 SIZE 00000004 BYTES
; FUNCTION CHUNK AT 008C3297 SIZE 000000BB BYTES

		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		popa

loc_8C2F21:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+CDj
		insb

loc_8C2F22:				; CODE XREF: ??_C@_0BG@PMEDILFH@SdbpCheckMatchingText@NNGAKEGL@+Bj
		insb
		outsd
		arpl	[ecx+74h], sp
		and	gs:[ebp+6Dh], dh

loc_8C2F2C:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+12Aj
		jo	short near ptr loc_8C2F4D+1
		bound	esi, [ebp+66h]

loc_8C2F31:				; CODE XREF: ??_C@_0BG@PMEDILFH@SdbpCheckMatchingText@NNGAKEGL@+18j
		db	66h, 65h
		jb	short $+4
		int	3		; Trap to Debugger

??_C@_0BL@EOPMKEHA@SdbpCheckMatchingTextEntry@NNGAKEGL@:
					; DATA XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x):loc_A1F6FBo
					; SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+18Co ...
		push	ebx
		bound	esi, fs:[eax+43h]

loc_8C2F3B:				; CODE XREF: ??_C@_0BG@PMEDILFH@SdbpCheckMatchingText@NNGAKEGL@+12j
		push	4D6B6365h
		popa

loc_8C2F41:				; CODE XREF: ??_C@_0BG@PMEDILFH@SdbpCheckMatchingText@NNGAKEGL@+29j
		jz	short loc_8C2FA6
		push	54676E69h
		db	65h
		js	short loc_8C2FBF
		inc	ebp
		outsb

loc_8C2F4D:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@:loc_8C2F2Cj
		jz	short loc_8C2FC1
		jns	short $+2
		int	3		; Trap to Debugger

??_C@_0CF@OMCJMENO@Failed?5to?5resolve?5matching?5text@NNGAKEGL@:
					; DATA XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x):loc_A1F9CEo
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr loc_8C2FC1+2
		jnb	short near ptr loc_8C2FCD+2
		insb
		jbe	short near ptr loc_8C2FC5+3
		and	[ebp+61h], ch
		jz	short near ptr loc_8C2FCA+1
		push	20676E69h
		jz	short near ptr loc_8C2FD1+3
		js	short loc_8C2FE5

loc_8C2F71:				; CODE XREF: ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@+133j
		and	[esi+69h], ah
		insb
		db	65h
		add	ah, cl

??_C@_0BH@PEIOPMEE@SdbpCheckSdbCapability@NNGAKEGL@:
					; DATA XREF: SdbpCheckSdbCapability(x,x,x,x,x,x,x)+3Bo
		push	ebx
		bound	esi, fs:[eax+43h]
		push	536B6365h
		bound	eax, fs:[ebx+61h]
		jo	short loc_8C2FE9
		bound	ebp, [ecx+6Ch]
		imul	esi, [ecx+edi*2+0], 696146CCh
					; DATA XREF: SdbpCheckMatchingDevice(x,x,x,x,x,x,x)+65o
		insb
		db	65h
		and	fs:[edi+ebp*2+20h], dh
		db	67h, 65h
		jz	near ptr 2FBEh
		dec	eax
		push	edi
		dec	ecx
		inc	esp
		add	ah, cl

??_C@_0CL@CODINPLA@Failed?5to?5get?5the?5string?5from?5t@NNGAKEGL@:
					; DATA XREF: SdbpCheckSdbCapability(x,x,x,x,x,x,x)+31o
					; SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+67o ...
		inc	esi
		popa

loc_8C2FA6:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@:loc_8C2F41j
		imul	ebp, [ebp+64h],	206F7420h
		db	67h, 65h
		jz	near ptr 2FD2h
		jz	short loc_8C301C
		and	gs:[ebx+74h], dh
		jb	short loc_8C3023
		outsb
		and	[bp+72h], ah

loc_8C2FBF:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+32j
		outsd
		insd

loc_8C2FC1:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@:loc_8C2F4Dj
					; ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+46j
		and	[eax+ebp*2+65h], dh

loc_8C2FC5:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+4Bj
		and	[ecx+74h], ah
		popa

loc_8C2FCA:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+50j
		bound	esp, [ecx+73h]

loc_8C2FCD:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+48j
		db	65h
		add	ah, cl

??_C@_0BI@KHBGCKAO@SdbpCheckMatchingDevice@NNGAKEGL@:
					; DATA XREF: SdbpCheckMatchingDevice(x,x,x,x,x,x,x):loc_A1EEEAo
		push	ebx

loc_8C2FD1:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+57j
		bound	esi, fs:[eax+43h]
		push	4D6B6365h
		popa
		jz	short near ptr loc_8C303E+2
		push	44676E69h
		db	65h
		jbe	short near ptr loc_8C3049+5

loc_8C2FE5:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+59j
		arpl	[ebp+0], sp

??_C@_0BO@FMBINIHJ@Failed?5to?5read?5HWID?5attribute@NNGAKEGL@:
					; DATA XREF: SdbpCheckMatchingDevice(x,x,x,x,x,x,x)+4Bo
		inc	esi

loc_8C2FE9:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+70j
		popa
		imul	ebp, [ebp+64h],	206F7420h
		jb	short loc_8C3059
		popa
		and	fs:[eax+57h], cl
		dec	ecx
		inc	esp
		and	[ecx+74h], ah
		jz	short near ptr loc_8C3070+2
		imul	esp, [edx+75h],	46006574h
					; DATA XREF: SdbpCheckMatchingText(x,x,x,x,x,x,x)+90o
		popa
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[eax+65h], bp
		arpl	[ebx+20h], bp
		dec	ebp
		inc	ecx
		push	esp
		inc	ebx
		dec	eax
		dec	ecx

loc_8C301C:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+9Cj
		dec	esi
		inc	edi
		pop	edi
		push	esp
		inc	ebp
		pop	eax
		push	esp

loc_8C3023:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+A2j
		and	[ebp+6Eh], ah
		jz	short near ptr loc_8C3099+1
		jns	short $+2

??_C@_0CD@LALAIDGB@No?5device?5query?5callback?5specif@NNGAKEGL@:
					; DATA XREF: SdbpCheckMatchingDevice(x,x,x,x,x,x,x)+1Co
		dec	esi
		outsd
		and	[ebp+76h], ah
		imul	esp, [ebx+65h],	65757120h
		jb	short near ptr loc_8C30B1+1
		and	[ebx+61h], ah
		insb
		insb

loc_8C303E:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+C5j
		bound	esp, [ecx+63h]
		imul	esp, [eax], 73h
		jo	short near ptr loc_8C30A6+5
		arpl	[ecx+66h], bp

loc_8C3049:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+CCj
					; DATA XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x):loc_89C429o	...
		imul	esp, [ebp+64h],	6453CC00h
		bound	esi, [eax+43h]
		push	4D6B6365h
		popa

loc_8C3059:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+DCj
		jz	short near ptr loc_8C30BD+1
		push	46676E69h

loc_8C3060:				; DATA XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+C0o
		imul	ebp, [ebp+73h],	6146CC00h
		imul	ebp, [ebp+64h],	206F7420h

loc_8C3070:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+E8j
		arpl	[eax+65h], bp
		arpl	[ebx+20h], bp
		imul	bp, [ebp+20h], 7461h
		jz	short loc_8C30F1
		imul	esp, [edx+75h],	20736574h
		pop	ebx
		and	eax, 0CC005D78h

??_C@_0BF@OIHNIAP@SdbpCheckMatchingDir@NNGAKEGL@:
					; DATA XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x):loc_A1EF9Ao
		push	ebx
		bound	esi, fs:[eax+43h]
		push	4D6B6365h
		popa
		jz	short loc_8C30FC

loc_8C3099:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+110j
		push	44676E69h
		imul	esi, [edx+0], 696146CCh
					; DATA XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x):loc_A1F0AEo
		insb

loc_8C30A6:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+12Ej
		db	65h
		and	fs:[edi+ebp*2+20h], dh
		jb	short near ptr loc_8C3112+1
		jnb	short near ptr loc_8C3118+7
		insb

loc_8C30B1:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+121j
		jbe	short loc_8C3118
		and	[ebp+61h], ch
		jz	short near ptr loc_8C3118+3
		push	20676E69h

loc_8C30BD:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@:loc_8C3059j
					; DATA XREF: SdbpCheckExe(x,x,x,x,x,x,x,x)+8Fo
		imul	esi, fs:[edx+0], 656854CCh
		and	[esi+75h], ch
		insd
		bound	esp, [ebp+72h]
		and	[edi+66h], ch
		and	[ebp+61h], ch
		jz	short near ptr loc_8C3134+3
		push	20676E69h
		inc	ebp
		pop	eax
		inc	ebp
		jnb	short near ptr loc_8C30FD+1
		db	65h
		js	short near ptr loc_8C3143+1
		db	65h, 65h, 64h, 65h
		and	fs:[eax+ebp*2+65h], dh
		and	[ebp+61h], ch
		js	short loc_8C310F
		popa
		insb

loc_8C30F1:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+167j
		insb
		outsd
		ja	short near ptr loc_8C3157+3
		db	64h
		add	ah, cl

??_C@_0DJ@BEFCHLOA@AslPathWildcardFindFirst?1Next?5f@NNGAKEGL@:
					; DATA XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+1B2o
		inc	ecx
		jnb	short near ptr loc_8C3164+3
		push	eax

loc_8C30FC:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+181j
		popa

loc_8C30FD:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+1C6j
		jz	short near ptr loc_8C3164+3
		push	edi
		imul	ebp, [esp-178h+arg_1D7], 46647261h
		imul	ebp, [esi+64h],	73726946h

loc_8C310F:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+1D7j
		jz	short loc_8C3140
		dec	esi

loc_8C3112:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+196j
		db	65h
		js	short near ptr loc_8C3186+3
		and	[esi+61h], ah

loc_8C3118:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@:loc_8C30B1j
					; ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+1A0j	...
		imul	ebp, [ebp+64h],	206F7420h
		imul	bp, [esi+64h], 6120h
		and	[esi+69h], ah
		insb
		and	gs:[ebx+25h], bl
		js	short loc_8C318D
		add	ah, cl

??_C@_0CA@GEALLKGN@Failed?5to?5resolve?5matching?5file@NNGAKEGL@:
					; DATA XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x):loc_89C610o
					; SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x):loc_A1FC46o
		inc	esi
		popa

loc_8C3134:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+1BCj
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr loc_8C31A2+1
		jnb	short near ptr loc_8C31AE+1

loc_8C3140:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@:loc_8C310Fj
		insb
		jbe	short near ptr loc_8C31A6+2

loc_8C3143:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+1C8j
		and	[ebp+61h], ch
		jz	short near ptr loc_8C31A6+5
		push	20676E69h
		imul	bp, [ebp+0], 6453h
					; DATA XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x):loc_A1FA8Fo
					; SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+1BCo ...
		bound	esi, [eax+43h]

loc_8C3157:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+1DDj
		push	4D6B6365h
		popa
		jz	short loc_8C31C2
		push	57676E69h

loc_8C3164:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+1E3j
					; ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@:loc_8C30FDj
		imul	ebp, [esp-1ACh+arg_20B], 46647261h
		imul	ebp, [ebp+73h],	6F4ECC00h ; DATA XREF: SdbpSearchDB+AF744o
					; SdbpSearchDB:loc_8FDED2o
		and	[ecx+eax*2+54h], al
		inc	ecx
		inc	edx
		inc	ecx
		push	ebx
		inc	ebp
		and	[ecx+67h], dh
		and	[esi+6Fh], ah
		jnz	short near ptr loc_8C31F1+3

loc_8C3186:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@:loc_8C3112j
					; DATA XREF: SdbpSearchDB:loc_8FDEDCo
		add	fs:[ebx+64h], dl
		bound	esi, [eax+53h]

loc_8C318D:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+218j
		db	65h
		popa
		jb	short near ptr loc_8C31F1+3
		push	0CC004244h

??_C@_0N@CCNBMNPH@SdbpCheckExe@NNGAKEGL@: ; DATA XREF: SdbpCheckExe(x,x,x,x,x,x,x,x)+99o
		push	ebx
		bound	esi, fs:[eax+43h]
		push	456B6365h
		js	short near ptr loc_8C3205+2

loc_8C31A2:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+226j
		add	ah, cl

??_C@_0DH@KCAJCNBK@Failed?5to?5initialize?5file?5mappi@NNGAKEGL@:
					; DATA XREF: SdbGetDatabaseMatch+AFDB3o
		inc	esi
		popa

loc_8C31A6:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+22Bj
					; ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+230j
		imul	ebp, [ebp+64h],	206F7420h

loc_8C31AE:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+228j
		imul	ebp, [esi+69h],	6C616974h
		imul	edi, [edx+65h],	6C696620h
		and	gs:[ebp+61h], ch
		jo	short loc_8C3232

loc_8C31C2:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+247j
		imul	ebp, [esi+67h],	6F726620h
		insd
		and	[ecx+6Dh], ch
		popa
		and	gs:[bp+69h], dh
		db	65h
		ja	short near ptr loc_8C31F5+1
		pop	ebx
		and	eax, 0CC005D78h
??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@	endp


;  S U B	R O U T	I N E 


??_C@_0BE@BEOLDIOM@SdbGetDatabaseMatch@NNGAKEGL@ proc near
					; DATA XREF: SdbGetDatabaseMatch+B9o
					; SdbGetDatabaseMatch:loc_8FD34Eo ...
		push	ebx
		bound	eax, fs:[edi+65h]
??_C@_0BE@BEOLDIOM@SdbGetDatabaseMatch@NNGAKEGL@ endp

		jz	short near ptr loc_8C3223+4
		popa
		jz	short loc_8C3247
		bound	esp, [ecx+73h]
		db	65h
		dec	ebp
		popa
		jz	short near ptr loc_8C324E+3
; 
		dw 68h

;  S U B	R O U T	I N E 


??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@	proc near
					; DATA XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+219o

; FUNCTION CHUNK AT 008C3277 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 008C3289 SIZE 0000000E BYTES

		push	ebx

loc_8C31F1:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+26Ej
					; ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+279j
		bound	esi, fs:[eax+43h]

loc_8C31F5:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+2BDj
		push	506B6365h
		popa
		arpl	[ebx+61h], bp
		db	67h, 65h
		inc	ecx
		jz	short loc_8C3277
		jb	short loc_8C326E

loc_8C3205:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+28Aj
		bound	esi, [ebp+74h]
		db	65h
		jnb	short $+3
		int	3		; Trap to Debugger

??_C@_0CM@KNENAJOM@Failed?5to?5find?5Attribute?5to?5use@NNGAKEGL@:
					; DATA XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x):loc_A1FFE4o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		imul	bp, [esi+64h], 4120h
		jz	short loc_8C3292
		jb	short loc_8C3289
		bound	esi, [ebp+74h]

loc_8C3223:				; CODE XREF: PAGE:008C31E1j
		and	gs:[edi+ebp*2+20h], dh
		jnz	short loc_8C329D
		and	gs:[esi+6Fh], ah
		jb	short near ptr loc_8C324E+2
		jnb	short near ptr loc_8C3294+2
??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@	endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@

loc_8C3232:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+2AAj
		bound	esp, [eax]
		jz	short loc_8C3297
; END OF FUNCTION CHUNK	FOR ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@
; 
		dw 67h

;  S U B	R O U T	I N E 


??_C@_0BE@BDIMHFPA@SdbQueryDataExTagID@NNGAKEGL@ proc near
					; DATA XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+34o
					; SdbQueryDataExTagID(x,x,x,x,x,x,x)+80o ...
		push	ebx
		bound	edx, fs:[ecx+75h]
		db	65h
		jb	short loc_8C32B9
		inc	esp
		popa
		jz	short near ptr loc_8C32A4+1
		inc	ebp
		js	short loc_8C329B

loc_8C3247:				; CODE XREF: PAGE:008C31E4j
		popa
		db	67h
		dec	ecx
		inc	esp
		add	[esi+61h], al	; DATA XREF: SdbGetDatabaseMatchEx:loc_8FDAF7o
					; SdbGetDatabaseMatchEx+AFC82o

loc_8C324E:				; CODE XREF: ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@+3Ej
					; PAGE:008C31ECj
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[edi+6Eh], bp
		jbe	short near ptr loc_8C32BE+2
		jb	short loc_8C32D1
		and	[ecx+ebp*2+4Bh], dh
		dec	edi
		bound	ebp, [edx+65h]
		arpl	[eax+74h], si
		outsd
		and	[edx+esi*2+4Bh], dh

loc_8C326E:				; CODE XREF: ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@+13j
		dec	edi
		bound	ebp, [edx+65h]
		arpl	[eax+eax-34h], si
??_C@_0BE@BDIMHFPA@SdbQueryDataExTagID@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BG@ELHOKMEA@SdbGetDatabaseMatchEx@NNGAKEGL@ proc	near
					; DATA XREF: SdbGetDatabaseMatchEx:loc_8FDB24o
		push	ebx
??_C@_0BG@ELHOKMEA@SdbGetDatabaseMatchEx@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@

loc_8C3277:				; CODE XREF: ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@+11j
		bound	eax, fs:[edi+65h]
		jz	short near ptr loc_8C32BE+3
		popa
		jz	short near ptr loc_8C32E0+1
		bound	esp, [ecx+73h]
		db	65h
		dec	ebp
		popa
		jz	short loc_8C32EB
; END OF FUNCTION CHUNK	FOR ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@
; 
		db 68h
; 
; START	OF FUNCTION CHUNK FOR ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@

loc_8C3289:				; CODE XREF: ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@+2Ej
		inc	ebp
		js	short $+2

??_C@_0DA@NCEAGMKL@The?5database?5has?5more?5matches?5t@NNGAKEGL@:
					; DATA XREF: SdbGetDatabaseMatch:loc_8FD380o
		push	esp
		push	61642065h

loc_8C3292:				; CODE XREF: ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@+2Cj
		jz	short near ptr loc_8C32F1+4

loc_8C3294:				; CODE XREF: ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@+40j
		bound	esp, [ecx+73h]
; END OF FUNCTION CHUNK	FOR ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@
; START	OF FUNCTION CHUNK FOR ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@

loc_8C3297:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+31Ej
		and	gs:[eax+61h], ch

loc_8C329B:				; CODE XREF: ??_C@_0BE@BDIMHFPA@SdbQueryDataExTagID@NNGAKEGL@+Dj
		jnb	short near ptr loc_8C32BB+2

loc_8C329D:				; CODE XREF: ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@+38j
		insd
		outsd
		jb	short near ptr loc_8C3303+3
		and	[ebp+61h], ch

loc_8C32A4:				; CODE XREF: ??_C@_0BE@BDIMHFPA@SdbQueryDataExTagID@NNGAKEGL@+Aj
		jz	short near ptr loc_8C3303+6
		push	74207365h
		push	53206E61h
		inc	esp
		inc	edx
		pop	edi
		dec	ebp
		inc	ecx
		pop	eax
		pop	edi
		inc	ebp
		pop	eax

loc_8C32B9:				; CODE XREF: ??_C@_0BE@BDIMHFPA@SdbQueryDataExTagID@NNGAKEGL@+5j
		inc	ebp
		push	ebx

loc_8C32BB:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@:loc_8C329Bj
					; DATA XREF: SdbGetDatabaseMatch+AFE4Ao
		add	[esi+61h], al

loc_8C32BE:				; CODE XREF: ??_C@_0BE@BDIMHFPA@SdbQueryDataExTagID@NNGAKEGL@+21j
					; ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@+8Bj
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[edi+6Eh], bp
		jbe	short ??_C@_0CB@GDMDDNIA@The?5entry?50x?$CFx?5contains?5no?5valu@NNGAKEGL@
		jb	short near ptr loc_8C333F+2
		and	[ecx+67h], dh

loc_8C32D1:				; CODE XREF: ??_C@_0BE@BDIMHFPA@SdbQueryDataExTagID@NNGAKEGL@+23j
		imul	esp, [eax+74h],	6174206Fh
		db	67h
		jb	near ptr 3341h
		db	66h		; DATA XREF: SdbGetDatabaseMatch+AFDC0o
		add	[esi+61h], al

loc_8C32E0:				; CODE XREF: ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@+8Ej
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[edx+65h], si

loc_8C32EB:				; CODE XREF: ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@+96j
		popa
		jz	short loc_8C3353
		and	[ecx+6Eh], ch

loc_8C32F1:				; CODE XREF: ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@:loc_8C3292j
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		and	[esi+69h], ah
		insb
		and	gs:[ebp+61h], ch
		jo	short loc_8C3373

loc_8C3303:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+389j
					; ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@:loc_8C32A4j
		imul	ebp, [esi+67h],	78255B20h
		pop	ebp
		add	[esi+61h], al	; DATA XREF: SdbGetDatabaseMatch:loc_8FD362o
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[edx+65h], si
		popa
		jz	short loc_8C3381
		and	[ebx+65h], dh
		popa
		jb	short near ptr loc_8C3381+4
		push	20424420h
		arpl	[edi+6Eh], bp
		jz	short loc_8C3391
		js	short loc_8C33A2
		add	ah, cl

??_C@_0CB@GDMDDNIA@The?5entry?50x?$CFx?5contains?5no?5valu@NNGAKEGL@:
					; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+3B3j
					; DATA XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+1D5o
		push	esp
		push	6E652065h
		jz	short near ptr loc_8C33A9+1
		jns	short loc_8C335A
		xor	[eax+25h], bh
		js	short loc_8C335F

loc_8C333F:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+3B5j
		arpl	[edi+6Eh], bp
		jz	short near ptr loc_8C33A4+1
		imul	ebp, [esi+73h],	206F6E20h
		jbe	short loc_8C33AE
		insb
		jnz	short loc_8C33B5
		add	ah, cl
; END OF FUNCTION CHUNK	FOR ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@

;  S U B	R O U T	I N E 


??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@ proc near
					; DATA XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+282o
		push	esp

loc_8C3353:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+3D6j
		push	6E652065h
		jz	short near ptr loc_8C33C8+4

loc_8C335A:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+422j
		jns	short loc_8C337C
		xor	[eax+25h], bh

loc_8C335F:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+427j
		js	short loc_8C3381
		arpl	[edi+6Eh], bp
		jz	short near ptr loc_8C33C6+1
		imul	ebp, [esi+73h],	64616220h
		and	[ebx+74h], dh
		jb	short near ptr loc_8C33D9+2
		outsb

loc_8C3373:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+3EBj
		and	[bp+61h], dh
		insb
		jnz	short near ptr loc_8C33DE+1
		and	[eax], dh

loc_8C337C:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C335Aj
		js	short near ptr loc_8C33A2+1
		js	short $+2

??_C@_0DD@OJKICILA@The?5entry?50x?$CFx?5does?5not?5have?5va@NNGAKEGL@:
					; DATA XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+135o
		push	esp

loc_8C3381:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+404j
					; ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C335Fj ...
		push	6E652065h
		jz	short near ptr loc_8C33F8+2
		jns	short near ptr loc_8C33A9+1
		xor	[eax+25h], bh
		js	short near ptr loc_8C33AE+1
		outs	dx, dword ptr fs:[esi]

loc_8C3391:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+414j
		db	65h
		jnb	short ??_C@_0DH@CJPEJPEJ@The?5entry?50x?$CFx?5contains?5bad?5val@NNGAKEGL@
		outsb
		outsd
		jz	short near ptr loc_8C33B5+3
		push	20657661h
		jbe	short loc_8C3400
		insb
		jnz	short near ptr loc_8C3405+2

loc_8C33A2:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+416j
					; ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C337Cj
		jz	short loc_8C341D

loc_8C33A4:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+42Cj
		jo	short near ptr loc_8C340A+1
		and	[ecx+6Eh], ch

loc_8C33A9:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+420j
					; ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+36j
		outsw
		jb	short near ptr loc_8C3419+1
		popa

loc_8C33AE:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+435j
					; ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+3Bj
		jz	short loc_8C3419
		outsd
		outsb
		add	ah, cl

??_C@_0DH@CJPEJPEJ@The?5entry?50x?$CFx?5contains?5bad?5val@NNGAKEGL@:
					; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C3391j
					; DATA XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+186o
		push	esp

loc_8C33B5:				; CODE XREF: ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@+438j
					; ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+44j
		push	6E652065h
		jz	short near ptr loc_8C342D+1
		jns	short loc_8C33DE
		xor	[eax+25h], bh
		js	short loc_8C33E3
		arpl	[edi+6Eh], bp

loc_8C33C6:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+12j
		jz	short loc_8C3429

loc_8C33C8:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+6j
		imul	ebp, [esi+73h],	64616220h
		and	[esi+61h], dh
		insb
		jnz	short near ptr loc_8C3439+1
		jz	short near ptr loc_8C344B+5
		jo	short loc_8C343E

loc_8C33D9:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+1Ej
		and	[ecx+6Eh], ch
		outsw

loc_8C33DE:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+6Aj
					; ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+26j
		jb	short near ptr loc_8C344B+2
		popa
		jz	short near ptr loc_8C344B+1

loc_8C33E3:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+6Fj
		outsd
		outsb
		and	[eax], dh
		js	short near ptr loc_8C340A+4
		js	short $+2
		int	3		; Trap to Debugger

??_C@_0DF@DOHFJIJC@One?5of?5lpBuffer?5or?5lpcbBufferSi@NNGAKEGL@:
					; DATA XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+2Ao
		dec	edi
		outsb
		and	gs:[edi+66h], ch
		and	[eax+esi*2+42h], ch
		jnz	short ??_C@_0CH@LFOAJKPD@Failed?5to?5read?5GUID?5referenced?5@NNGAKEGL@

loc_8C33F8:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+34j
		db	66h, 65h
		jb	short loc_8C341C
		outsd
		jb	short loc_8C341F
		insb

loc_8C3400:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+4Bj
		jo	short near ptr loc_8C3460+5
		bound	eax, [edx+75h]

loc_8C3405:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+4Ej
		db	66h, 66h, 65h
		jb	short near ptr loc_8C3459+4

loc_8C340A:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C33A4j
					; ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+95j
		imul	edi, [edx+65h],	6F687320h
		jnz	short loc_8C347F
		and	fs:[esi+6Fh], ch
		jz	short loc_8C3439

loc_8C3419:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C33AEj
					; ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+59j
		bound	esp, [ebp+20h]

loc_8C341C:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C33F8j
		outsb

loc_8C341D:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C33A2j
		jnz	short near ptr loc_8C3488+3

loc_8C341F:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+ABj
		insb
		add	ah, cl

??_C@_0DM@EFDBMOEF@Cannot?5allocate?5temporary?5buffe@NNGAKEGL@:
					; DATA XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+76o
		inc	ebx
		popa
		outsb
		outsb
		outsd
		jz	short loc_8C3449

loc_8C3429:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C33C6j
		popa
		insb
		insb
		outsd

loc_8C342D:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+68j
		arpl	[ecx+74h], sp
		and	gs:[ebp+6Dh], dh
		jo	short near ptr loc_8C34A5+1
		jb	short near ptr loc_8C3499+1

loc_8C3439:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+C5j
					; ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+81j
		jb	short loc_8C34B4
		and	[edx+75h], ah

loc_8C343E:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+85j
		db	66h, 66h, 65h
		jb	short near ptr loc_8C3460+3
		outsw
		jb	short near ptr loc_8C3460+7
		jo	short near ptr loc_8C34A8+2

loc_8C3449:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+D5j
		jb	short near ptr loc_8C34BB+3

loc_8C344B:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+8Fj
					; ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C33DEj ...
		imul	ebp, [esi+67h],	65687420h
		and	[esi+61h], ch
		insd
		and	gs:[edx], ah

loc_8C3459:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C3405j
		and	eax, 227377h

??_C@_0CH@LFOAJKPD@Failed?5to?5read?5GUID?5referenced?5@NNGAKEGL@:
					; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+A4j
					; DATA XREF: SdbReadEntryInformation(x,x,x)+B6o
		inc	esi
		popa

loc_8C3460:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C343Ej
					; ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C3400j ...
		imul	ebp, [ebp+64h],	206F7420h
		jb	short loc_8C34CF
		popa
		and	fs:[edi+55h], al
		dec	ecx
		inc	esp
		and	[edx+65h], dh
		db	66h, 65h
		jb	short near ptr loc_8C34DC+1
		outsb
		arpl	[ebp+64h], sp
		and	[edx+79h], ah

loc_8C347F:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+BFj
		and	[eax], dh
		js	short loc_8C34A8
		js	short $+2
		int	3		; Trap to Debugger

??_C@_0CE@IBKPPHLF@Failed?5to?5read?5GUID?5of?5the?5data@NNGAKEGL@:
					; DATA XREF: SdbReadEntryInformation(x,x,x)+D0o
		inc	esi
		popa

loc_8C3488:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C341Dj
		imul	ebp, [ebp+64h],	206F7420h
		jb	short loc_8C34F7
		popa
		and	fs:[edi+55h], al
		dec	ecx
		inc	esp

loc_8C3499:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+E5j
		and	[edi+66h], ch
		and	[eax+ebp*2+65h], dh
		and	[ecx+74h], ah
		popa

loc_8C34A5:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+E3j
		bound	esp, [ecx+73h]

loc_8C34A8:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+12Fj
					; ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+F5j
					; DATA XREF: ...
		add	gs:[ebx+64h], dl
		bound	edx, [ecx+75h]
		db	65h
		jb	short near ptr loc_8C3524+7
		inc	esp
		popa

loc_8C34B4:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C3439j
		jz	short loc_8C3517
		inc	ebp
		js	short $+2
		int	3		; Trap to Debugger
??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@ proc near
					; DATA XREF: SdbReadEntryInformation(x,x,x):loc_A1ED33o
					; SdbReadEntryInformation(x,x,x)+8Ao ...
		push	ebx

loc_8C34BB:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C3449j
		bound	edx, fs:[edx+65h]
		popa
		db	64h
		inc	ebp
		outsb
		jz	short loc_8C3537
		jns	short near ptr loc_8C350F+1
		outsb
		outsw
		jb	short loc_8C3539
		popa
		jz	short near ptr loc_8C3537+1

loc_8C34CF:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+116j
		outsd
		outsb
		add	[eax+ebp*2+65h], dl
					; DATA XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+264o
		and	[ebp+6Eh], ah
		jz	short ??_C@_0CJ@MKJAMLMD@Can?8t?5get?5the?5name?5string?5for?5t@NNGAKEGL@
		jns	short loc_8C34FC

loc_8C34DC:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+122j
		xor	[eax+25h], bh
		js	short loc_8C3501
		arpl	[edi+6Eh], bp
		jz	short loc_8C3547
		imul	ebp, [esi+73h],	64616220h
		and	[edx+69h], ah
		outsb
		popa
		jb	short near ptr loc_8C356C+1
		and	[esi+61h], dh

loc_8C34F7:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+13Ej
		insb
		jnz	short near ptr loc_8C355D+2
		and	[eax], dh

loc_8C34FC:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+20j
		js	short near ptr loc_8C3520+3
		js	short $+2

??_C@_0CH@KHIGAPEJ@Failed?5to?5convert?5tagref?50x?$CFx?5t@NNGAKEGL@:
					; DATA XREF: SdbQueryDataEx(x,x,x,x,x,x,x)+28o
					; SdbReadEntryInformation(x,x,x)+47o
		inc	esi

loc_8C3501:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+25j
		popa
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[edi+6Eh], bp
		jbe	short loc_8C3574

loc_8C350F:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+Bj
		jb	short loc_8C3585
		and	[ecx+67h], dh
		jb	short loc_8C357C

loc_8C3517:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@:loc_8C34B4j
		db	66h
		and	[eax], dh
		js	short loc_8C3541
		js	short near ptr loc_8C353D+1
		jz	short loc_8C358F

loc_8C3520:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@:loc_8C34FCj
		and	[ecx+67h], dh

loc_8C3524:				; CODE XREF: ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@+15Dj
					; DATA XREF: SdbFindNextTag:loc_8FDC32o ...
		imul	esp, [eax+eax-34h], 61766E49h
		insb
		imul	esp, [eax+74h],	64696761h
		and	[eax], dh

loc_8C3537:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+9j
					; ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+13j
		js	short near ptr loc_8C355D+1

loc_8C3539:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+10j
		insb
		js	short $+2
??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0P@FPAMPNAO@SdbFindNextTag@NNGAKEGL@ proc	near ; DATA XREF: SdbFindNextTag+AFAEDo
		push	ebx

loc_8C353D:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+62j
		bound	eax, fs:[esi+69h]

loc_8C3541:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+60j
		outsb
		db	64h
		dec	esi
		db	65h
		js	short loc_8C35BB

loc_8C3547:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+2Aj
		push	esp
		popa
		db	67h
		add	ah, cl

??_C@_0CJ@MKJAMLMD@Can?8t?5get?5the?5name?5string?5for?5t@NNGAKEGL@:
					; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+1Ej
					; DATA XREF: SdbpFindMatchingName+AF2BEo
		inc	ebx
		popa
		outsb
		daa
		jz	short near ptr loc_8C356C+6
		db	67h, 65h
		jz	near ptr 3576h
		jz	short near ptr loc_8C35BB+5
		and	gs:[esi+61h], ch
		insd

loc_8C355D:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@:loc_8C3537j
					; ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+3Ej
		and	gs:[ebx+74h], dh
		jb	short ??_C@_0CG@ILCHFAAO@Can?8t?5get?5the?5name?5string?5tagid@NNGAKEGL@
		outsb
		and	[bp+6Fh], ah
		jb	short near ptr loc_8C3589+1
		jz	short loc_8C35CD

loc_8C356C:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+38j
					; ??_C@_0P@FPAMPNAO@SdbFindNextTag@NNGAKEGL@+14j
		imul	esp, [si+20h], 78257830h

loc_8C3574:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+53j
		add	ah, cl
??_C@_0P@FPAMPNAO@SdbFindNextTag@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0CK@NAHMHKEF@The?5tag?50x?$CFx?5was?5not?5found?5unde@NNGAKEGL@ proc near
					; DATA XREF: SdbpFindMatchingName+AF2DFo
		push	esp
		push	61742065h

loc_8C357C:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+5Bj
		and	[bx+si], dh
		js	short near ptr loc_8C35A5+1
		js	short near ptr loc_8C35A1+2
		ja	short near ptr loc_8C35E4+2

loc_8C3585:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@:loc_8C350Fj
		jnb	short near ptr loc_8C35A5+2
		outsb
		outsd

loc_8C3589:				; CODE XREF: ??_C@_0P@FPAMPNAO@SdbFindNextTag@NNGAKEGL@+2Cj
		jz	short near ptr loc_8C35A5+6
		outsw
		jnz	short near ptr loc_8C35FC+1

loc_8C358F:				; CODE XREF: ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@+64j
		and	fs:[ebp+6Eh], dh
		db	64h, 65h
		jb	short loc_8C35B7
		jz	short near ptr loc_8C35F8+2
		and	[bx+si], dh
		js	short loc_8C35C3
		js	short $+2

??_C@_0BF@OOLJGFD@SdbpFindMatchingName@NNGAKEGL@: ; DATA XREF: SdbpFindMatchingName+AF2C8o
					; SdbpFindMatchingName+AF2E9o
		push	ebx

loc_8C35A1:				; CODE XREF: ??_C@_0CK@NAHMHKEF@The?5tag?50x?$CFx?5was?5not?5found?5unde@NNGAKEGL@+Bj
		bound	esi, fs:[eax+46h]

loc_8C35A5:				; CODE XREF: ??_C@_0CK@NAHMHKEF@The?5tag?50x?$CFx?5was?5not?5found?5unde@NNGAKEGL@+9j
					; ??_C@_0CK@NAHMHKEF@The?5tag?50x?$CFx?5was?5not?5found?5unde@NNGAKEGL@:loc_8C3585j ...
		imul	ebp, [esi+64h],	6374614Dh
		push	4E676E69h
		popa
		insd
		db	65h
		add	ah, cl
??_C@_0CK@NAHMHKEF@The?5tag?50x?$CFx?5was?5not?5found?5unde@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BF@FGMJDGGO@SdbpFindNextNamedTag@NNGAKEGL@ proc near
					; DATA XREF: SdbpFindNextNamedTag(x,x,x,x,x)+31o
					; SdbpFindNextNamedTag(x,x,x,x,x)+A5o
		push	ebx

loc_8C35B7:				; CODE XREF: ??_C@_0CK@NAHMHKEF@The?5tag?50x?$CFx?5was?5not?5found?5unde@NNGAKEGL@+1Dj
		bound	esi, fs:[eax+46h]

loc_8C35BB:				; CODE XREF: ??_C@_0P@FPAMPNAO@SdbFindNextTag@NNGAKEGL@+8j
					; ??_C@_0P@FPAMPNAO@SdbFindNextTag@NNGAKEGL@+1Aj
		imul	ebp, [esi+64h],	7478654Eh
		dec	esi

loc_8C35C3:				; CODE XREF: ??_C@_0CK@NAHMHKEF@The?5tag?50x?$CFx?5was?5not?5found?5unde@NNGAKEGL@+26j
		popa
		insd
		db	65h, 64h
		push	esp
		popa
		db	67h
		add	ah, cl

??_C@_0CG@ILCHFAAO@Can?8t?5get?5the?5name?5string?5tagid@NNGAKEGL@:
					; CODE XREF: ??_C@_0P@FPAMPNAO@SdbFindNextTag@NNGAKEGL@+25j
					; DATA XREF: SdbpFindNextNamedTag(x,x,x,x,x)+9Bo
		inc	ebx

loc_8C35CD:				; CODE XREF: ??_C@_0P@FPAMPNAO@SdbFindNextTag@NNGAKEGL@+2Ej
		popa
		outsb
		daa
		jz	short ??_C@_0BK@BHKCJLNO@Can?8t?5get?5the?5name?5string@NNGAKEGL@
		db	67h, 65h
		jz	near ptr 35F6h
		jz	short loc_8C3640
		and	gs:[esi+61h], ch
		insd
		and	gs:[ebx+74h], dh
		jb	short near ptr loc_8C364A+2
		outsb

loc_8C35E4:				; CODE XREF: ??_C@_0CK@NAHMHKEF@The?5tag?50x?$CFx?5was?5not?5found?5unde@NNGAKEGL@+Dj
		and	[si+61h], dh
		imul	esp, [si+20h], 6C257830h
		js	short $+2

??_C@_0BK@BHKCJLNO@Can?8t?5get?5the?5name?5string@NNGAKEGL@:
					; CODE XREF: ??_C@_0BF@FGMJDGGO@SdbpFindNextNamedTag@NNGAKEGL@+1Aj
					; DATA XREF: SdbFindFirstNamedTag(x,x,x,x,x):loc_A206FEo
		inc	ebx
		popa
		outsb
		daa
		jz	short near ptr loc_8C3614+4

loc_8C35F8:				; CODE XREF: ??_C@_0CK@NAHMHKEF@The?5tag?50x?$CFx?5was?5not?5found?5unde@NNGAKEGL@+21j
		db	67h, 65h
		jz	near ptr 361Ch

loc_8C35FC:				; CODE XREF: ??_C@_0CK@NAHMHKEF@The?5tag?50x?$CFx?5was?5not?5found?5unde@NNGAKEGL@+17j
		jz	short loc_8C3666
		and	gs:[esi+61h], ch
		insd
		and	gs:[ebx+74h], dh
		jb	short near ptr loc_8C366D+5
		outsb
		add	[bp+di+64h], dl	; DATA XREF: SdbFindFirstNamedTag(x,x,x,x,x)+76o
		bound	eax, [esi+69h]
		outsb
		db	64h
		inc	esi

loc_8C3614:				; CODE XREF: ??_C@_0BF@FGMJDGGO@SdbpFindNextNamedTag@NNGAKEGL@+40j
		imul	esi, [edx+73h],	6D614E74h
		db	65h, 64h
		push	esp
		popa
		db	67h
		add	ah, cl
??_C@_0BF@FGMJDGGO@SdbpFindNextNamedTag@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BD@MJHGMCAF@SdbpGetTagHeadSize@NNGAKEGL@	proc near
					; DATA XREF: SdbpGetTagHeadSize+AF946o
		push	ebx
		bound	esi, fs:[eax+47h]
		db	65h
		jz	short near ptr loc_8C3678+6
		popa
		db	67h
		dec	eax
		db	65h
		popa
		db	64h
		push	ebx
		imul	edi, [edx+65h],	6154CC00h ; DATA XREF: SdbReadDWORDTag+AFB01o
					; SdbReadWORDTag+AFAB1o ...
		db	67h
		dec	ecx
		inc	esp
		and	[eax], dh
		js	short near ptr loc_8C3662+2
		pop	eax

loc_8C3640:				; CODE XREF: ??_C@_0BF@FGMJDGGO@SdbpFindNextNamedTag@NNGAKEGL@+20j
		sub	al, 20h
		push	esp
		popa
		and	[bx+si], dh
		js	short near ptr loc_8C366D+1
		pop	eax

loc_8C364A:				; CODE XREF: ??_C@_0BF@FGMJDGGO@SdbpFindNextNamedTag@NNGAKEGL@+2Bj
		and	[esi+6Fh], ch
		jz	short near ptr loc_8C366D+2
		outsd
		db	66h
		and	[eax+ebp*2+65h], dh
		and	[ebp+78h], ah
		jo	short loc_8C36BF
		arpl	[ebp+64h], si
		and	[ecx+edi*2+70h], dh

loc_8C3662:				; CODE XREF: ??_C@_0BD@MJHGMCAF@SdbpGetTagHeadSize@NNGAKEGL@+1Bj
					; DATA XREF: SdbpGetTagHeadSize:loc_8FDD79o
		add	gs:[ebp+72h], al

loc_8C3666:				; CODE XREF: ??_C@_0BF@FGMJDGGO@SdbpFindNextNamedTag@NNGAKEGL@:loc_8C35FCj
		jb	short loc_8C36D7
		jb	short near ptr loc_8C3689+1
		jb	short loc_8C36D1
		popa

loc_8C366D:				; CODE XREF: ??_C@_0BD@MJHGMCAF@SdbpGetTagHeadSize@NNGAKEGL@+25j
					; ??_C@_0BD@MJHGMCAF@SdbpGetTagHeadSize@NNGAKEGL@+2Bj ...
		imul	ebp, fs:[esi+67h], 67617420h
		add	[esi+61h], al	; DATA XREF: SdbReadGUIDTag(x,x,x,x,x,x)+1Eo

loc_8C3678:				; CODE XREF: ??_C@_0BD@MJHGMCAF@SdbpGetTagHeadSize@NNGAKEGL@+5j
		imul	ebp, [ebp+64h],	206F7420h
		jb	short loc_8C36E7
		popa
		and	fs:[edi+55h], al
		dec	ecx
		inc	esp

loc_8C3689:				; CODE XREF: ??_C@_0BD@MJHGMCAF@SdbpGetTagHeadSize@NNGAKEGL@+46j
					; DATA XREF: SdbReadGUIDTag(x,x,x,x,x,x)+28o
		add	[ebx+64h], dl
		bound	edx, [edx+65h]
		popa
		db	64h
		inc	edi
		push	ebp
		dec	ecx
		inc	esp
		push	esp
		popa
		db	67h
		add	ah, cl
??_C@_0BD@MJHGMCAF@SdbpGetTagHeadSize@NNGAKEGL@	endp


;  S U B	R O U T	I N E 


??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@ proc near ; DATA XREF: SdbReadDWORDTag+AFB0Bo

; FUNCTION CHUNK AT 008C377F SIZE 00000046 BYTES

		push	ebx
		bound	edx, fs:[edx+65h]
		popa
		db	64h
		inc	esp
		push	edi
		dec	edi
		push	edx
		inc	esp
		push	esp
		popa
		add	[bp+di+64h], dl	; DATA XREF: SdbReadQWORDTag+867F3o
		bound	edx, [edx+65h]
		popa
		db	64h
		push	ecx
		push	edi
		dec	edi
		push	edx
		inc	esp
		push	esp
		popa
		add	[bp+di+64h], dl	; DATA XREF: SdbReadWORDTag+AFABBo
		bound	edx, [edx+65h]

loc_8C36BF:				; CODE XREF: ??_C@_0BD@MJHGMCAF@SdbpGetTagHeadSize@NNGAKEGL@+36j
		popa
		db	64h
		push	edi
		dec	edi
		push	edx
		inc	esp
		push	esp
		popa
		db	67h
		add	ah, cl

??_C@_0CG@PDEBNNFA@Buffer?5too?5small?4?5Avail?3?5?$CFd?0?5Ne@NNGAKEGL@:
					; DATA XREF: SdbpReadTagData+AFA84o
		inc	edx
		jnz	short near ptr loc_8C3730+3
		db	66h, 65h
		jb	short near ptr loc_8C36ED+4

loc_8C36D1:				; CODE XREF: ??_C@_0BD@MJHGMCAF@SdbpGetTagHeadSize@NNGAKEGL@+48j
		jz	short near ptr loc_8C3741+1
		outsd
		and	[ebx+6Dh], dh

loc_8C36D7:				; CODE XREF: ??_C@_0BD@MJHGMCAF@SdbpGetTagHeadSize@NNGAKEGL@:loc_8C3666j
		popa
		insb
		insb
		and	cs:[ecx+76h], al
		popa
		imul	ebp, [edx+edi+20h], 202C6425h

loc_8C36E7:				; CODE XREF: ??_C@_0BD@MJHGMCAF@SdbpGetTagHeadSize@NNGAKEGL@+5Ej
		dec	esi
		db	65h, 65h
		cmp	ah, fs:[eax]

loc_8C36ED:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+33j
					; DATA XREF: SdbpReadTagData+AFA8Eo ...
		and	eax, 64530064h
		bound	esi, [eax+52h]
		db	65h
		popa
		db	64h
		push	esp
		popa
		db	67h
		inc	esp
		popa
		jz	short near ptr loc_8C375F+1
		add	[ebx+64h], dl	; DATA XREF: SdbGetTagDataSize+AF8E8o
					; SdbGetTagDataSize+AF906o
		bound	eax, [edi+65h]
		jz	short near ptr loc_8C375A+1
		popa
		db	67h
		inc	esp
		popa
		jz	short near ptr loc_8C3767+7
		push	ebx
		imul	edi, [edx+65h],	72724500h ; DATA XREF: SdbGetTagDataSize:loc_8FDDB4o
					; SdbGetTagDataSize:loc_8FDDD2o
		outsd
		jb	short near ptr loc_8C3734+4
		jb	short loc_8C377F
		popa
		imul	ebp, fs:[esi+67h], 7A697320h
		and	gs:[ecx+74h], ah
		popa
		add	[ebp+72h], al	; DATA XREF: SdbpGetMappedTagData:loc_8FDC14o
		jb	short near ptr loc_8C379B+2
		jb	short loc_8C3750

loc_8C3730:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+31j
		db	67h, 65h
		jz	near ptr 37A8h

loc_8C3734:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+7Cj
		imul	ebp, [esi+67h],	72747020h
		and	[edi+ebp*2+20h], dh
		jz	short loc_8C37A2

loc_8C3741:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@:loc_8C36D1j
		and	[si+61h], ah
		jz	short near ptr loc_8C37A5+3
		add	[ebx+64h], dl	; DATA XREF: SdbpGetMappedTagData+AFAFCo
		bound	esi, [eax+47h]
		db	65h
		jz	short near ptr loc_8C379B+2

loc_8C3750:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+94j
		popa
		jo	short near ptr loc_8C37C2+1
		db	65h, 64h
		push	esp
		popa
		db	67h
		inc	esp
		popa

loc_8C375A:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+6Bj
		jz	short near ptr loc_8C37BA+3
		add	ah, cl

??_C@_0BH@MDHELOIN@Error?5reading?5tag?5data@NNGAKEGL@:
					; DATA XREF: SdbpReadTagData:loc_8FDC99o
		inc	ebp

loc_8C375F:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+63j
		jb	short loc_8C37D3
		outsd
		jb	short near ptr loc_8C377F+5
		jb	short near ptr byte_8C37CB
		popa

loc_8C3767:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+71j
		imul	ebp, fs:[esi+67h], 67617420h
		and	[ecx+74h], ah
		popa
		add	ah, cl
??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BD@COEPMOEJ@SdbGetStringTagPtr@NNGAKEGL@	proc near
					; DATA XREF: SdbGetStringTagPtr:loc_8FED6Co
		push	ebx
		bound	eax, fs:[edi+65h]
		jz	short near ptr loc_8C37CD+3
		jz	short near ptr loc_8C37EF+2
??_C@_0BD@COEPMOEJ@SdbGetStringTagPtr@NNGAKEGL@	endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@

loc_8C377F:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+7Ej
					; ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+C8j
		imul	ebp, [esi+67h],	50676154h
		jz	short loc_8C37FA
		add	ah, cl

??_C@_0DG@GGNJABMO@PDB?5was?5not?5supplied?5for?5InitOn@NNGAKEGL@:
					; DATA XREF: InitOnceGetStringTableOffset:loc_8FF20Bo
		push	eax
		inc	esp
		inc	edx
		and	[edi+61h], dh
		jnb	short near ptr loc_8C37B1+1
		outsb
		outsd
		jz	short near ptr loc_8C37B1+5
		jnb	short near ptr loc_8C380C+1
		jo	short near ptr loc_8C3809+1
		insb

loc_8C379B:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+92j
					; ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+B3j
		imul	esp, [ebp+64h],	726F6620h

loc_8C37A2:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+A5j
		and	[ecx+6Eh], cl

loc_8C37A5:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+ABj
		imul	esi, [edi+ecx*2+6Eh], 65476563h
		jz	short loc_8C3802
		jz	short loc_8C3823

loc_8C37B1:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+F6j
					; ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+FAj
		imul	ebp, [esi+67h],	6C626154h
		db	65h
		dec	edi

loc_8C37BA:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@:loc_8C375Aj
		db	66h, 66h
		jnb	short loc_8C3823
		jz	short $+2

??_C@_0M@CDOJHNDI@Invalid?5pdb@NNGAKEGL@: ; DATA XREF: SdbGetStringTagPtr:loc_8FED56o
		dec	ecx
		outsb

loc_8C37C2:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+B7j
		jbe	short near ptr loc_8C3824+1
		insb
; END OF FUNCTION CHUNK	FOR ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@
; 
		db 69h,	64h, 20h
		db 70h,	64h, 62h
byte_8C37CB	db 0			; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+CAj

;  S U B	R O U T	I N E 


??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@ proc near
					; DATA XREF: SdbpReadStringRef+AF371o
					; SdbpReadStringRef+AF38Co
		push	ebx

loc_8C37CD:				; CODE XREF: ??_C@_0BD@COEPMOEJ@SdbGetStringTagPtr@NNGAKEGL@+5j
		bound	esi, fs:[eax+52h]
		db	65h
		popa

loc_8C37D3:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@:loc_8C375Fj
		db	64h
		push	ebx
		jz	short near ptr loc_8C3847+2
		imul	ebp, [esi+67h],	666552h

??_C@_0BI@LALNJILA@Error?5getting?5StringRef@NNGAKEGL@:
					; DATA XREF: SdbGetStringTagPtr:loc_8FED62o
		inc	ebp
		jb	short loc_8C3853
		outsd
		jb	short loc_8C3804
		db	67h, 65h
		jz	near ptr 385Ch
		imul	ebp, [esi+67h],	72745320h

loc_8C37EF:				; CODE XREF: ??_C@_0BD@COEPMOEJ@SdbGetStringTagPtr@NNGAKEGL@+7j
		imul	ebp, [esi+67h],	666552h

??_C@_0CK@EFGNGJNF@TagID?50x?$CF08X?0?5Tag?5?$CF04X?5not?5STRI@NNGAKEGL@:
					; DATA XREF: SdbpReadStringRef+AF367o
		push	esp
		popa
		db	67h
		dec	ecx

loc_8C37FA:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+ECj
		inc	esp
		and	[eax], dh
		js	short loc_8C3824
		xor	[eax], bh
		pop	eax

loc_8C3802:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+113j
		sub	al, 20h

loc_8C3804:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+16j
		push	esp
		popa
		and	[di], ah

loc_8C3809:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+FEj
		xor	[eax+ebx*2], dh

loc_8C380C:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+FCj
		and	[esi+6Fh], ch
		jz	short near ptr loc_8C3830+1
		push	ebx
		push	esp
		push	edx
		dec	ecx
		dec	esi
		inc	edi
		push	edx
		inc	ebp
		inc	esi
		and	[ecx+edi*2+70h], dh
		add	gs:[eax+75h], dl
					; DATA XREF: SdbpGetStringTableItemFromStringRef:loc_8FECE8o
		insb

loc_8C3823:				; CODE XREF: ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@+115j
					; ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@:loc_8C37BAj
		insb

loc_8C3824:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+31j
					; ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@:loc_8C37C2j
		db	65h
		and	fs:[edi+75h], ch
		jz	short near ptr loc_8C384A+1
		popa
		and	[esi+6Fh], ch
		outsb

loc_8C3830:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+43j
		sub	eax, 69727473h
		outsb
		db	67h
		jz	near ptr 389Ah
		bound	ebp, [ebp+20h]
		imul	esi, [ebp+6Dh],	62645300h
					; DATA XREF: SdbpGetMappedStringFromTable:loc_8FED39o
		jo	short loc_8C388E

loc_8C3847:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+9j
		db	65h
		jz	short loc_8C389D

loc_8C384A:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+5Dj
		jz	short near ptr loc_8C38B9+5
		imul	ebp, [esi+67h],	6C626154h

loc_8C3853:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+13j
		db	65h
		dec	ecx
		jz	short near ptr loc_8C38B9+3
		insd
		inc	esi
		jb	short near ptr loc_8C38C9+1
		insd
		push	ebx
		jz	short near ptr loc_8C38D0+1
		imul	ebp, [esi+67h],	20666552h
		popaw
		imul	ebp, [ebp+64h],	206F7420h
		db	67h, 65h
		jz	near ptr 3894h
		jz	short near ptr loc_8C38D0+7
		imul	esp, [si+20h], 20726F66h
		jnb	short near ptr loc_8C38F0+4
		jb	short loc_8C38EB
		outsb
		and	[bp+si+65h], dh
		db	66h
		add	ah, cl

??_C@_0ED@DCMDCLGF@RtlRunOnceExecuteOnce?5failed?5fo@NNGAKEGL@:
					; DATA XREF: SdbpGetStringTableItemFromStringRef+AF38Bo
		push	edx
		jz	short loc_8C38F9
		push	edx

loc_8C388E:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+79j
		jnz	short near ptr loc_8C38FB+3
		dec	edi
		outsb
		arpl	[ebp+45h], sp
		js	short near ptr loc_8C38FB+1
		arpl	[ebp+74h], si
		db	65h
		dec	edi
		outsb

loc_8C389D:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@:loc_8C3847j
		arpl	[ebp+20h], sp
		popaw
		imul	ebp, [ebp+64h],	726F6620h
		and	[ecx+6Eh], cl
		imul	esi, [edi+ecx*2+6Eh], 65476563h
		jz	short near ptr loc_8C3909+1
		jz	short near ptr loc_8C3925+6

loc_8C38B9:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+89j
					; ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@:loc_8C384Aj
		imul	ebp, [esi+67h],	6C626154h
		db	65h
		dec	edi
		db	66h, 66h
		jnb	short near ptr loc_8C3925+6
		jz	short near ptr loc_8C38E5+3
		pop	ebx

loc_8C38C9:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+8Dj
		and	eax, 0CC005D78h
??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@ proc near
					; DATA XREF: SdbpGetStringTableItemFromStringRef:loc_8FED08o

; FUNCTION CHUNK AT 008C3A1B SIZE 00000050 BYTES

		dec	ecx
		outsb

loc_8C38D0:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+91j
					; ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+A8j
		imul	esi, [edi+ecx*2+6Eh], 65476563h
		jz	short loc_8C392D
		jz	short near ptr loc_8C3949+5
		imul	ebp, [esi+67h],	6C626154h
		db	65h
		dec	edi

loc_8C38E5:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+FAj
		db	66h, 66h
		jnb	short near ptr loc_8C3949+5
		jz	short loc_8C390B

loc_8C38EB:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+B4j
		jnb	short near ptr loc_8C395E+4
		arpl	[ebx+65h], sp

loc_8C38F0:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+B2j
		db	65h, 64h, 65h
		and	fs:[edx+75h], ah
		jz	short near ptr loc_8C3918+1

loc_8C38F9:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+BFj
		popaw

loc_8C38FB:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+C9j
					; ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@:loc_8C388Ej
		imul	ebp, [ebp+64h],	206F7420h
		imul	bp, [esi+64h], 7320h

loc_8C3909:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+E9j
		jz	short loc_8C397D

loc_8C390B:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+1Bj
		imul	ebp, [esi+67h],	62617420h
		insb
		db	65h
		add	ah, cl

??_C@_0BF@BCCGBNAE@No?5stringtable?5in?5DB@NNGAKEGL@:
					; DATA XREF: SdbpGetStringTableItemFromStringRef+AF362o
					; InitOnceGetStringTableOffset:loc_8FF24Bo
		dec	esi
		outsd

loc_8C3918:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+29j
		and	[ebx+74h], dh
		jb	short loc_8C3986
		outsb
		db	67h
		jz	near ptr 3982h
		bound	ebp, [ebp+20h]

loc_8C3925:				; CODE XREF: ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+EBj
					; ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@+F6j
		imul	ebp, [esi+20h],	0CC004244h

??_C@_0CE@BMLDKOE@SdbpGetStringTableItemFromStrin@NNGAKEGL@:
					; DATA XREF: SdbpGetStringTableItemFromStringRef+AF36Co
					; SdbpGetStringTableItemFromStringRef+AF395o ...
		push	ebx

loc_8C392D:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+Aj
		bound	esi, fs:[eax+47h]
		db	65h
		jz	short near ptr loc_8C3986+1
		jz	short loc_8C39A8
		imul	ebp, [esi+67h],	6C626154h
		db	65h
		dec	ecx
		jz	short loc_8C39A6
		insd
		inc	esi
		jb	short loc_8C39B4
		insd
		push	ebx
		jz	short near ptr loc_8C39B7+4

loc_8C3949:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+Cj
					; ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@:loc_8C38E5j
		imul	ebp, [esi+67h],	666552h

??_C@_0BN@JIAHKIEA@InitOnceGetStringTableOffset@NNGAKEGL@:
					; DATA XREF: InitOnceGetStringTableOffset+AF4B7o
					; InitOnceGetStringTableOffset+AF4D7o ...
		dec	ecx
		outsb
		imul	esi, [edi+ecx*2+6Eh], 65476563h
		jz	short loc_8C39AF
		jz	short near ptr loc_8C39CB+5

loc_8C395E:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@:loc_8C38EBj
		imul	ebp, [esi+67h],	6C626154h
		db	65h
		dec	edi
		db	66h, 66h
		jnb	short near ptr loc_8C39CB+5
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_0EA@EKDDGMOF@No?5return?5context?5was?5supplied?5@NNGAKEGL@:
					; DATA XREF: InitOnceGetStringTableOffset:loc_8FF22Bo
		dec	esi
		outsd
		and	[edx+65h], dh
		jz	short near ptr loc_8C39E8+2
		jb	short near ptr loc_8C39E4+1
		and	[ebx+6Fh], ah
		outsb
		jz	short near ptr loc_8C39E1+1

loc_8C397D:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@:loc_8C3909j
		js	short loc_8C39F3
		and	[edi+61h], dh
		jnb	short near ptr loc_8C399F+5
		jnb	short near ptr loc_8C39F9+2

loc_8C3986:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+4Dj
					; ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+63j
		jo	short loc_8C39F8
		insb
		imul	esp, [ebp+64h],	726F6620h
		and	[ecx+6Eh], cl
		imul	esi, [edi+ecx*2+6Eh], 65476563h
		jz	short near ptr loc_8C39EE+2
		jz	short near ptr loc_8C3A0F+2

loc_8C399F:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+B4j
		imul	ebp, [esi+67h],	6C626154h

loc_8C39A6:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+71j
		db	65h
		dec	edi

loc_8C39A8:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+66j
		db	66h, 66h
		jnb	short near ptr loc_8C3A0F+2
		jz	short $+2

??_C@_0BF@BPPGAGIB@Error?5reading?5buffer@NNGAKEGL@:
					; DATA XREF: SdbReadBinaryTag:loc_8FE9E7o
		inc	ebp

loc_8C39AF:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+8Cj
		jb	short near ptr loc_8C3A22+1
		outsd
		jb	short loc_8C39D4

loc_8C39B4:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+75j
		jb	short loc_8C3A1B
		popa

loc_8C39B7:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+79j
		imul	ebp, fs:[esi+67h], 66756220h
		db	66h, 65h
		jb	short $+4
		int	3		; Trap to Debugger
??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BE@GHDFKEEC@SdbGetBinaryTagData@NNGAKEGL@ proc near
					; DATA XREF: SdbGetBinaryTagData(x,x)+37o

; FUNCTION CHUNK AT 008C3A13 SIZE 00000008 BYTES

		push	ebx
		bound	eax, fs:[edi+65h]
		jz	short near ptr loc_8C3A08+5

loc_8C39CB:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+8Ej
					; ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+99j
		imul	ebp, [esi+61h],	61547972h
		db	67h
		inc	esp

loc_8C39D4:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+E4j
		popa
		jz	short near ptr loc_8C3A37+1
		add	[ecx+67h], dl	; DATA XREF: SdbReadBinaryTag+AF37Ao
					; SdbGetBinaryTagData(x,x)+2Do
		dec	ecx
		inc	esp
		and	[eax], dh
		js	short loc_8C3A06

loc_8C39E1:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+ADj
		xor	[eax], bh
		pop	eax

loc_8C39E4:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+A7j
		sub	al, 20h
		push	esp
		popa

loc_8C39E8:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+A5j
		and	[di], ah
		xor	[eax+ebx*2], dh

loc_8C39EE:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+CDj
		and	[esi+6Fh], ch
		jz	short loc_8C3A13

loc_8C39F3:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@:loc_8C397Dj
		inc	edx
		dec	ecx
		dec	esi
		inc	ecx
		push	edx

loc_8C39F8:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@:loc_8C3986j
		pop	ecx

loc_8C39F9:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+B6j
		and	[ecx+edi*2+70h], dh
		db	65h
		add	ah, cl
??_C@_0BE@GHDFKEEC@SdbGetBinaryTagData@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BB@LJNHMANB@SdbReadBinaryTag@NNGAKEGL@ proc near	; DATA XREF: SdbReadBinaryTag+AF384o
					; SdbReadBinaryTag+AF39Fo
		push	ebx
		bound	edx, fs:[edx+65h]
		popa

loc_8C3A06:				; CODE XREF: ??_C@_0BE@GHDFKEEC@SdbGetBinaryTagData@NNGAKEGL@+1Bj
		db	64h
		inc	edx

loc_8C3A08:				; CODE XREF: ??_C@_0BE@GHDFKEEC@SdbGetBinaryTagData@NNGAKEGL@+5j
		imul	ebp, [esi+61h],	61547972h

loc_8C3A0F:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+CFj
					; ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@:loc_8C39A8j
		db	67h
		add	ah, cl
??_C@_0BB@LJNHMANB@SdbReadBinaryTag@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BN@OPBEPIGD@SdbpGetMappedStringFromTable@NNGAKEGL@ proc near
					; DATA XREF: SdbpGetMappedStringFromTable+AF36Do
		push	ebx
??_C@_0BN@OPBEPIGD@SdbpGetMappedStringFromTable@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BE@GHDFKEEC@SdbGetBinaryTagData@NNGAKEGL@

loc_8C3A13:				; CODE XREF: ??_C@_0BE@GHDFKEEC@SdbGetBinaryTagData@NNGAKEGL@+2Dj
		bound	esi, fs:[eax+47h]
		db	65h
		jz	short loc_8C3A67
		popa
; END OF FUNCTION CHUNK	FOR ??_C@_0BE@GHDFKEEC@SdbGetBinaryTagData@NNGAKEGL@
; START	OF FUNCTION CHUNK FOR ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@

loc_8C3A1B:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@:loc_8C39B4j
		jo	short near ptr loc_8C3A89+4
		db	65h, 64h
		push	ebx
		jz	short near ptr loc_8C3A93+1

loc_8C3A22:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@:loc_8C39AFj
		imul	ebp, [esi+67h],	6D6F7246h
		push	esp
		popa
		bound	ebp, [ebp+0]
		int	3		; Trap to Debugger

??_C@_07PANBMHCG@Bad?5PDB@NNGAKEGL@:	; DATA XREF: SdbTagIDToTagRef:loc_936B95o
		inc	edx
		popa
		and	fs:[eax+44h], dl
		inc	edx

loc_8C3A37:				; CODE XREF: ??_C@_0BE@GHDFKEEC@SdbGetBinaryTagData@NNGAKEGL@+11j
					; DATA XREF: SdbTagIDToTagRef+84C5Bo
		add	[ebx+64h], dl
		bound	edx, [ecx+67h]
		dec	ecx
		inc	esp
		push	esp
		outsd
		push	esp
		popa
		db	67h
		push	edx
		db	65h, 66h
		add	ah, cl

??_C@_1CE@DAGHINBE@?$AA_?$AA_?$AAP?$AAR?$AAO?$AAC?$AAE?$AAS?$AAS?$AA_?$AAH?$AAI?$AAS?$AAT?$AAO@NNGAKEGL@:
					; DATA XREF: SdbpGetProcessHistory(x,x,x)+4Ao
					; SdbpGetProcessHistory(x,x,x)+C1o
		pop	edi
		add	[edi+0], bl
		push	eax
		add	[edx+0], dl
		dec	edi
		add	[ebx+0], al
		inc	ebp
		add	[ebx+0], dl
		push	ebx
		add	[edi+0], bl
		dec	eax
		add	[ecx+0], cl
		push	ebx
		add	[eax+eax+4Fh], dl

loc_8C3A67:				; CODE XREF: ??_C@_0BE@GHDFKEEC@SdbGetBinaryTagData@NNGAKEGL@+53j
		add	[edx+0], dl
		pop	ecx
; END OF FUNCTION CHUNK	FOR ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@
; 
		db 0
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_0CK@DJJDHFIA@Unable?5to?5allocate?5process?5hist@NNGAKEGL@ proc near
					; DATA XREF: SdbpGetProcessHistory(x,x,x)+8Co
		push	ebp
		outsb
??_C@_0CK@DJJDHFIA@Unable?5to?5allocate?5process?5hist@NNGAKEGL@ endp

		popa
		bound	ebp, [ebp+20h]
		jz	short near ptr loc_8C3AE5+1
		and	[ecx+6Ch], ah
		insb
		outsd
		arpl	[ecx+74h], sp
		and	gs:[eax+72h], dh
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_8C3AA7+2

loc_8C3A89:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@:loc_8C3A1Bj
		push	6F747369h
		jb	short loc_8C3B09
		and	[edx+75h], ah

loc_8C3A93:				; CODE XREF: ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@+152j
		db	66h, 66h, 65h
		jb	short $+5

;  S U B	R O U T	I N E 


??_C@_0BG@JPAHFGJG@SdbpGetProcessHistory@NNGAKEGL@ proc	near
					; DATA XREF: SdbpGetProcessHistory(x,x,x)+96o
		push	ebx
		bound	esi, fs:[eax+47h]
??_C@_0BG@JPAHFGJG@SdbpGetProcessHistory@NNGAKEGL@ endp

		db	65h
		jz	short near ptr loc_8C3AEF+1
		jb	short near ptr loc_8C3B0F+2
		arpl	[ebp+73h], sp
		jnb	short loc_8C3AEF

loc_8C3AA7:				; CODE XREF: PAGE:008C3A87j
		imul	esi, [ebx+74h],	79726Fh

;  S U B	R O U T	I N E 


??_C@_0DC@EODMJGNB@SdbGuestTargetPlatformFlagsToRu@NNGAKEGL@ proc near
					; DATA XREF: SdbGuestTargetPlatformFlagsToRuntimePlatformFlags(x)+28o
		push	ebx
		bound	eax, fs:[edi+75h]
??_C@_0DC@EODMJGNB@SdbGuestTargetPlatformFlagsToRu@NNGAKEGL@ endp

		db	65h
		jnb	short loc_8C3B2A
		push	esp
		popa
		jb	short near ptr loc_8C3B1F+2
		db	65h
		jz	short loc_8C3B0D
		insb
		popa
		jz	short near ptr loc_8C3B22+5
		outsd
		jb	short near ptr loc_8C3B30+1
		inc	esi
		insb
		popa
		db	67h
		jnb	near ptr 3B1Eh
		outsd
		push	edx
		jnz	short loc_8C3B3C
		jz	short near ptr loc_8C3B37+2
		insd
		db	65h
		push	eax
		insb
		popa
		jz	short near ptr loc_8C3B3C+1
		outsd
		jb	short loc_8C3B47
		inc	esi
		insb
		popa
		db	67h
		jnb	near ptr 3AE0h

;  S U B	R O U T	I N E 


??_C@_0CH@COPFLLI@SdbGuestHostArchsToRuntimePlatf@NNGAKEGL@ proc near
					; DATA XREF: SdbGuestHostArchsToRuntimePlatformFlag(x,x)+44o
		push	ebx
		bound	eax, fs:[edi+75h]

loc_8C3AE5:				; CODE XREF: PAGE:008C3A75j
		db	65h
		jnb	short near ptr loc_8C3B57+5
		dec	eax
		outsd
		jnb	short near ptr loc_8C3B5F+1
		inc	ecx
		jb	short loc_8C3B52

loc_8C3AEF:				; CODE XREF: PAGE:008C3AA5j
					; PAGE:008C3A9Dj
		push	526F5473h
		jnz	short loc_8C3B64
		jz	short near ptr loc_8C3B5F+2
		insd
		db	65h
		push	eax
		insb
		popa
		jz	short near ptr loc_8C3B64+1
		outsd
		jb	short near ptr loc_8C3B6D+2
		inc	esi
		insb
		popa
		db	67h
		add	ah, cl
??_C@_0CH@COPFLLI@SdbGuestHostArchsToRuntimePlatf@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@ proc near
					; DATA XREF: SdbGuestHostArchsToRuntimePlatformFlag(x,x)+3Ao
					; SdbGuestTargetPlatformFlagsToRuntimePlatformFlags(x)+1Eo

; FUNCTION CHUNK AT 008C3BD4 SIZE 00000096 BYTES

		inc	ecx

loc_8C3B09:				; CODE XREF: PAGE:008C3A8Ej
		jnb	short near ptr loc_8C3B75+2
		inc	ebp
		outsb

loc_8C3B0D:				; CODE XREF: PAGE:008C3ABAj
		jbe	short near ptr loc_8C3B52+4

loc_8C3B0F:				; CODE XREF: PAGE:008C3AA0j
		db	65h
		jz	short near ptr loc_8C3B5F+3
		jb	short loc_8C3B83
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_8C3B6D+3
		outsd
		ja	short near ptr loc_8C3B64+1
		outsb
		outsw

loc_8C3B1F:				; CODE XREF: PAGE:008C3AB8j
		and	[esi+61h], ah

loc_8C3B22:				; CODE XREF: PAGE:008C3ABFj
		imul	ebp, [ebp+64h],	206F7420h

loc_8C3B2A:				; CODE XREF: PAGE:008C3AB3j
		db	64h, 65h
		jz	short loc_8C3B93
		jb	short near ptr loc_8C3B9B+2

loc_8C3B30:				; CODE XREF: PAGE:008C3AC2j
		imul	ebp, [esi+65h],	6F727020h

loc_8C3B37:				; CODE XREF: PAGE:008C3ACEj
		arpl	[ebp+73h], sp
		jnb	short loc_8C3BAB

loc_8C3B3C:				; CODE XREF: PAGE:008C3ACCj
					; PAGE:008C3AD5j
		jb	short loc_8C3B5E
		imul	ebp, [esi+66h],	255B206Fh
		js	short near ptr loc_8C3BA1+3

loc_8C3B47:				; CODE XREF: PAGE:008C3AD8j
					; DATA XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+D4o
		add	[ecx+74h], al
		popa
		bound	esp, [ecx+73h]
		and	gs:[edx], ah

loc_8C3B52:				; CODE XREF: ??_C@_0CH@COPFLLI@SdbGuestHostArchsToRuntimePlatf@NNGAKEGL@+Dj
					; ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@:loc_8C3B0Dj
		and	eax, 20227377h

loc_8C3B57:				; CODE XREF: ??_C@_0CH@COPFLLI@SdbGuestHostArchsToRuntimePlatf@NNGAKEGL@:loc_8C3AE5j
		imul	esi, [ebx+20h],	20746F6Eh

loc_8C3B5E:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@:loc_8C3B3Cj
		outsd

loc_8C3B5F:				; CODE XREF: ??_C@_0CH@COPFLLI@SdbGuestHostArchsToRuntimePlatf@NNGAKEGL@+Aj
					; ??_C@_0CH@COPFLLI@SdbGuestHostArchsToRuntimePlatf@NNGAKEGL@+16j ...
		db	66h
		and	[eax+ebp*2+65h], dh

loc_8C3B64:				; CODE XREF: ??_C@_0CH@COPFLLI@SdbGuestHostArchsToRuntimePlatf@NNGAKEGL@+14j
					; ??_C@_0CH@COPFLLI@SdbGuestHostArchsToRuntimePlatf@NNGAKEGL@+1Dj ...
		and	[ebx+61h], dh
		insd
		and	gs:[ecx+edi*2+70h], dh

loc_8C3B6D:				; CODE XREF: ??_C@_0CH@COPFLLI@SdbGuestHostArchsToRuntimePlatf@NNGAKEGL@+20j
					; ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@+Fj
		and	gs:[ecx+73h], ah
		and	[eax+ebp*2+65h], dh

loc_8C3B75:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@:loc_8C3B09j
		and	[ebp+61h], ch
		imul	ebp, [esi+20h],	455845h
		int	3		; Trap to Debugger

??_C@_0DC@EIBCFMBP@Cannot?5resolve?5database?0?5the?5pa@NNGAKEGL@:
					; DATA XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+18Ao
		inc	ebx
		popa
		outsb

loc_8C3B83:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@+Aj
		outsb
		outsd
		jz	short near ptr loc_8C3BA5+2
		jb	short near ptr loc_8C3BED+1
		jnb	short near ptr loc_8C3BF8+2
		insb
		jbe	short near ptr loc_8C3BF0+3
		and	[ecx+74h], ah
		popa

loc_8C3B93:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@:loc_8C3B2Aj
		bound	esp, [ecx+73h]
		db	65h
		sub	al, 20h
		jz	short near ptr loc_8C3C02+1

loc_8C3B9B:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@+26j
		and	gs:[eax+61h], dh
		jz	short near ptr loc_8C3C07+2

loc_8C3BA1:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@+3Dj
		and	[ebp+6Eh], ch

loc_8C3BA5:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@+7Dj
		db	67h
		jz	near ptr 3C10h
		and	[ecx+73h], ch

loc_8C3BAB:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@+32j
		and	[eax], dh
		js	short loc_8C3BD4
		insb
		js	short $+2
??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BI@JKJMGENA@SdbpOpenLocalDatabaseEx@NNGAKEGL@ proc near
					; DATA XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+DEo
					; SdbpOpenLocalDatabaseEx(x,x,x,x,x)+107o ...
		push	ebx
		bound	esi, fs:[eax+4Fh]
		jo	short near ptr loc_8C3C1C+2
		outsb
		dec	esp
		outsd
		arpl	[ecx+6Ch], sp
		inc	esp
		popa
		jz	short near ptr loc_8C3C23+1
		bound	esp, [ecx+73h]
		db	65h
		inc	ebp
		js	short $+2

??_C@_0BA@FCOGLIBF@Bad?5index?50x?$CFlx@NNGAKEGL@:
					; DATA XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+65o
		inc	edx
		popa
		and	fs:[ecx+6Eh], ch
		db	64h, 65h
		js	short near ptr loc_8C3BF0+4
??_C@_0BI@JKJMGENA@SdbpOpenLocalDatabaseEx@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@

loc_8C3BD4:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@+A5j
		xor	[eax+25h], bh
		insb
		js	short $+2

??_C@_0BI@GIECIBFC@Failed?5to?5open?5database@NNGAKEGL@:
					; DATA XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+FDo
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		outsd
		jo	short loc_8C3C4C
		outsb
		and	[ecx+74h], ah
		popa

loc_8C3BED:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@+7Fj
		bound	esp, [ecx+73h]

loc_8C3BF0:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@+84j
					; ??_C@_0BI@JKJMGENA@SdbpOpenLocalDatabaseEx@NNGAKEGL@+1Ej
					; DATA XREF: ...
		add	gs:[eax+eax+53h], bl
		add	[edi+0], ch

loc_8C3BF8:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@+81j
		db	66h
		add	[eax+eax+77h], dh
		add	[ecx+0], ah
		jb	short $+2

loc_8C3C02:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@+91j
		add	gs:[eax+eax+4Dh], bl

loc_8C3C07:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@+97j
		add	[ecx+0], ch
		arpl	[eax], ax
		jb	short $+2
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl

loc_8C3C1C:				; CODE XREF: ??_C@_0BI@JKJMGENA@SdbpOpenLocalDatabaseEx@NNGAKEGL@+5j
		imul	eax, [eax], 64006Eh
		outsd

loc_8C3C23:				; CODE XREF: ??_C@_0BI@JKJMGENA@SdbpOpenLocalDatabaseEx@NNGAKEGL@+Fj
		add	[edi+0], dh
		jnb	short $+2
		and	[eax], al
		dec	esi
		add	[eax+eax+5Ch], dl
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh

loc_8C3C4C:				; CODE XREF: ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@+DDj
		pop	esp
		add	[ecx+0], al
		jo	short $+2
		jo	short $+2
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		popa
		add	[eax+eax+46h], dh
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; END OF FUNCTION CHUNK	FOR ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@
; 
		dw 0
; 

??_C@_1BE@MMECJMEH@?$AA?2?$AAA?$AAp?$AAp?$AAP?$AAa?$AAt?$AAc?$AAh@NNGAKEGL@:
					; DATA XREF: SdbpGetPathAppPatch(x,x,x,x)+25o
		pop	esp
		add	[ecx+0], al
		jo	short $+2
		jo	short $+2
		push	eax
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
; 
		dd 68h

;  S U B	R O U T	I N E 


??_C@_0BL@IPDIPDIN@AslPathCombine?5failed?5?$FL?$CFx?$FN@NNGAKEGL@ proc	near
					; DATA XREF: SdbpGetPathAppPatch(x,x,x,x)+68o
					; SdbpGetPathAppraiser(x,x,x,x)+87o ...
		inc	ecx
		jnb	short near ptr loc_8C3CEE+1
		push	eax
		popa
		jz	short near ptr loc_8C3CEE+1
		inc	ebx
		outsd
		insd
		bound	ebp, [ecx+6Eh]
		and	gs:[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl
??_C@_0BL@IPDIPDIN@AslPathCombine?5failed?5?$FL?$CFx?$FN@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@ proc near
					; DATA XREF: AslpEnvResolveVars+920BBo
					; AslpEnvResolveVars+920D0o ...

; FUNCTION CHUNK AT 008C3D33 SIZE 0000001F BYTES
; FUNCTION CHUNK AT 008C3D9A SIZE 00000004 BYTES
; FUNCTION CHUNK AT 008C3DA8 SIZE 0000000B BYTES

		push	edx
		jz	short near ptr ??_C@_0BM@KAMLNOAN@AslGuidToString?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+7
		push	ebx
		jz	short near ptr ??_C@_0BM@KAMLNOAN@AslGuidToString?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+10h
		imul	ebp, [esi+67h],	43686343h
		popa
		jz	short near ptr byte_8C3D03
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0CF@OLEHGKON@SdbpGetProcessHostGuestArchitec@NNGAKEGL@:
					; DATA XREF: SdbpGetProcessHostGuestArchitectures(x,x,x)+38o
		push	ebx
		bound	esi, fs:[eax+47h]
		db	65h
		jz	short near ptr ??_C@_0BM@KAMLNOAN@AslGuidToString?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+0Eh
		jb	short loc_8C3D33
		arpl	[ebp+73h], sp
		jnb	short near ptr ??_C@_0BM@KAMLNOAN@AslGuidToString?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+0Dh
		outsd
		jnb	short near ptr loc_8C3D3F+1
		inc	edi
		jnz	short near ptr loc_8C3D33+1
		jnb	short loc_8C3D45
		inc	ecx
		jb	short loc_8C3D37
		push	63657469h
		jz	short loc_8C3D50
		jb	short near ptr loc_8C3D41+1
		jnb	short $+2
		int	3		; Trap to Debugger
??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@ endp


??_C@_0BJ@GFHGNMMI@SdbpGetCustomSdbFileName@NNGAKEGL@:
					; DATA XREF: SdbpGetCustomSdbFileName(x,x,x):loc_A2103Fo
		push	ebx
		bound	esi, fs:[eax+47h]
		db	65h
		jz	short near ptr loc_8C3D2A+1
		jnz	short loc_8C3D5D
		jz	short loc_8C3D5B
		insd
		push	ebx

loc_8C3CEE:				; CODE XREF: ??_C@_0BL@IPDIPDIN@AslPathCombine?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+1j
					; ??_C@_0BL@IPDIPDIN@AslPathCombine?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+5j
		bound	eax, fs:[esi+69h]
		insb
		db	65h
		dec	esi
		popa
		insd
		db	65h
		add	ah, cl

??_C@_19GNHEEAFN@?$AA?4?$AAs?$AAd?$AAb@NNGAKEGL@:
					; DATA XREF: SdbpGetCustomSdbFileName(x,x,x):loc_A21050o
		add	cs:[ebx+0], dh
		add	fs:[edx+0], ah
; 
		db 0
byte_8C3D03	db 0			; CODE XREF: ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+Ej
??_C@_0BM@KAMLNOAN@AslGuidToString?5failed?5?$FL?$CFx?$FN@NNGAKEGL@ db 'AslGuidToString failed [%x]',0
					; CODE XREF: ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+1j
					; ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+2Bj ...

;  S U B	R O U T	I N E 


??_C@_0DB@LPCMCBIC@SdbpGetProcessHostGuestArchitec@NNGAKEGL@ proc near
					; DATA XREF: SdbpGetPathAppraiser(x,x,x,x)+C0o
					; SdbpGetPathSystem(x,x,x,x)+25o
		push	ebx
		bound	esi, fs:[eax+47h]
??_C@_0DB@LPCMCBIC@SdbpGetProcessHostGuestArchitec@NNGAKEGL@ endp

		db	65h
		jz	short near ptr loc_8C3D77+1
		jb	short near ptr loc_8C3D98+1

loc_8C3D2A:				; CODE XREF: PAGE:008C3CE5j
		arpl	[ebp+73h], sp
		jnb	short loc_8C3D77
		outsd
		jnb	short loc_8C3DA6
		inc	edi
; START	OF FUNCTION CHUNK FOR ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@

loc_8C3D33:				; CODE XREF: ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+26j
					; ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+31j
		jnz	short loc_8C3D9A
		jnb	short loc_8C3DAB

loc_8C3D37:				; CODE XREF: ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+36j
		inc	ecx
		jb	short near ptr loc_8C3D9A+3
		push	63657469h

loc_8C3D3F:				; CODE XREF: ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+2Ej
		jz	short ??_C@_0BF@OKGMJLIO@SdbpGetPathCustomSdb@NNGAKEGL@

loc_8C3D41:				; CODE XREF: ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+3Fj
		jb	short loc_8C3DA8
		jnb	short near ptr byte_8C3D65

loc_8C3D45:				; CODE XREF: ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+33j
		popaw
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp

loc_8C3D50:				; CODE XREF: ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+3Dj
		add	ah, cl
; END OF FUNCTION CHUNK	FOR ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@

??_C@_0BE@MLFMMAEH@SdbpGetPathAppPatch@NNGAKEGL@:
					; DATA XREF: SdbpGetPathAppPatch(x,x,x,x):loc_A21112o
		push	ebx
		bound	esi, fs:[eax+47h]
		db	65h
		jz	short loc_8C3DAA
		popa

loc_8C3D5B:				; CODE XREF: PAGE:008C3CEAj
		jz	short near ptr loc_8C3DC4+1

loc_8C3D5D:				; CODE XREF: PAGE:008C3CE8j
		inc	ecx
		jo	short near ptr loc_8C3DCD+3
		push	eax
		popa
		jz	short sub_8C3DC7
; 
		db 68h
byte_8C3D65	db 0			; CODE XREF: ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+A7j

;  S U B	R O U T	I N E 


??_C@_0CD@JEFPKOCA@AslPathToSystemPathBuf?5failed?5?$FL@NNGAKEGL@ proc near
					; DATA XREF: SdbpGetPathAppPatch(x,x,x,x)+8Co
					; AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)+72o ...
		inc	ecx
		jnb	short loc_8C3DD5
		push	eax
		popa
		jz	short loc_8C3DD5
		push	esp
		outsd
		push	ebx
		jns	short loc_8C3DE5
		jz	short near ptr loc_8C3DD8+1
		insd
		push	eax
		popa

loc_8C3D77:				; CODE XREF: PAGE:008C3D2Dj
					; PAGE:008C3D25j
		jz	short loc_8C3DE1
		inc	edx
		jnz	short loc_8C3DE2
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_1BG@KDDEGGCL@?$AA?2?$AAa?$AAp?$AAp?$AAr?$AAa?$AAi?$AAs?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: SdbpGetPathAppraiser(x,x,x,x)+27o
		pop	esp
		add	[ecx+0], ah
		jo	short $+2
		jo	short $+2
		jb	short $+2
		popa
		add	[ecx+0], ch

loc_8C3D98:				; CODE XREF: PAGE:008C3D28j
		jnb	short $+2
??_C@_0CD@JEFPKOCA@AslPathToSystemPathBuf?5failed?5?$FL@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@

loc_8C3D9A:				; CODE XREF: ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C3D33j
					; ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+9Cj
		add	gs:[edx+0], dh
; END OF FUNCTION CHUNK	FOR ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
; 
		dw 0

;  S U B	R O U T	I N E 


??_C@_1BG@GDIBOBAP@?$AA?2?$AAC?$AAu?$AAs?$AAt?$AAo?$AAm?$AAS?$AAD?$AAB@NNGAKEGL@ proc near
					; DATA XREF: SdbpGetPathCustomSdb(x,x,x,x)+27o
		pop	esp
		add	[ebx+0], al
		jnz	short $+2

loc_8C3DA6:				; CODE XREF: PAGE:008C3D30j
		jnb	short $+2
??_C@_1BG@GDIBOBAP@?$AA?2?$AAC?$AAu?$AAs?$AAt?$AAo?$AAm?$AAS?$AAD?$AAB@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@

loc_8C3DA8:				; CODE XREF: ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C3D41j
		jz	short $+2

loc_8C3DAA:				; CODE XREF: PAGE:008C3D57j
		outsd

loc_8C3DAB:				; CODE XREF: ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@+99j
		add	[ebp+0], ch
		push	ebx
		add	[eax+eax+42h], al
; END OF FUNCTION CHUNK	FOR ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
; 
		db 0
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_0BF@OKGMJLIO@SdbpGetPathCustomSdb@NNGAKEGL@ proc near
					; CODE XREF: ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C3D3Fj
					; DATA XREF: SdbpGetPathCustomSdb(x,x,x,x)+74o
		push	ebx
		bound	esi, fs:[eax+47h]
??_C@_0BF@OKGMJLIO@SdbpGetPathCustomSdb@NNGAKEGL@ endp

		db	65h
		jz	short near ptr loc_8C3E0C+2
		popa
		jz	short near ptr loc_8C3E27+2
		inc	ebx
		jnz	short loc_8C3E37

loc_8C3DC4:				; CODE XREF: PAGE:loc_8C3D5Bj
		jz	short loc_8C3E35
		insd

;  S U B	R O U T	I N E 


sub_8C3DC7	proc near		; CODE XREF: PAGE:008C3D62j
		push	ebx
		bound	eax, fs:[eax]
		int	3		; Trap to Debugger
sub_8C3DC7	endp


;  S U B	R O U T	I N E 


??_C@_0BC@FMFCMILN@SdbpGetPathSystem@NNGAKEGL@ proc near
					; DATA XREF: SdbpGetPathSystem(x,x,x,x):loc_A21336o
		push	ebx

loc_8C3DCD:				; CODE XREF: PAGE:008C3D5Ej
		bound	esi, fs:[eax+47h]
		db	65h
		jz	short loc_8C3E24
		popa

loc_8C3DD5:				; CODE XREF: ??_C@_0CD@JEFPKOCA@AslPathToSystemPathBuf?5failed?5?$FL@NNGAKEGL@+1j
					; ??_C@_0CD@JEFPKOCA@AslPathToSystemPathBuf?5failed?5?$FL@NNGAKEGL@+5j
		jz	short near ptr loc_8C3E3C+3
		push	ebx

loc_8C3DD8:				; CODE XREF: ??_C@_0CD@JEFPKOCA@AslPathToSystemPathBuf?5failed?5?$FL@NNGAKEGL@+Cj
		jns	short near ptr loc_8C3E4C+1
		jz	short loc_8C3E41
		insd
		add	[ecx+73h], al	; DATA XREF: SdbpGetPathSystem(x,x,x,x)+4Do
		insb

loc_8C3DE1:				; CODE XREF: ??_C@_0CD@JEFPKOCA@AslPathToSystemPathBuf?5failed?5?$FL@NNGAKEGL@:loc_8C3D77j
		inc	ebp

loc_8C3DE2:				; CODE XREF: ??_C@_0CD@JEFPKOCA@AslPathToSystemPathBuf?5failed?5?$FL@NNGAKEGL@+14j
		outsb
		jbe	short near ptr loc_8C3E2B+1

loc_8C3DE5:				; CODE XREF: ??_C@_0CD@JEFPKOCA@AslPathToSystemPathBuf?5failed?5?$FL@NNGAKEGL@+Aj
		db	65h
		jz	short loc_8C3E3B
		jns	short near ptr loc_8C3E5A+3
		jz	short near ptr loc_8C3E50+1
		insd
		xor	esi, [edx]
		inc	esp
		imul	esi, [edx+50h],	42687461h
		jnz	short near ptr loc_8C3E5A+5
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[ecx+73h], al	; DATA XREF: AslFileMappingCreate+AFC02o
					; AslFileMappingCreateFromImageView+8AD99o ...
		insb
		push	ebx
		jz	short near ptr loc_8C3E7C+2

loc_8C3E0C:				; CODE XREF: PAGE:008C3DBBj
		imul	ebp, [esi+67h],	6C707544h
		imul	esp, [ebx+61h],	66206574h
		popa
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp

loc_8C3E24:				; CODE XREF: ??_C@_0BC@FMFCMILN@SdbpGetPathSystem@NNGAKEGL@+5j
		add	ah, cl
??_C@_0BC@FMFCMILN@SdbpGetPathSystem@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@ proc near
					; DATA XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+A9o

; FUNCTION CHUNK AT 008C3F49 SIZE 0000010D BYTES

		inc	edi

loc_8C3E27:				; CODE XREF: PAGE:008C3DBFj
		db	65h
		jz	short loc_8C3E7A
		popa

loc_8C3E2B:				; CODE XREF: ??_C@_0BC@FMFCMILN@SdbpGetPathSystem@NNGAKEGL@+17j
		jz	short near ptr loc_8C3E94+1
		inc	esi
		jnz	short near ptr loc_8C3E9D+1
		arpl	[ecx+ebp*2+6Fh], si
		outsb

loc_8C3E35:				; CODE XREF: PAGE:loc_8C3DC4j
		and	[eax], ch

loc_8C3E37:				; CODE XREF: PAGE:008C3DC2j
		outsw
		jb	short near ptr loc_8C3E5A+1

loc_8C3E3B:				; CODE XREF: ??_C@_0BC@FMFCMILN@SdbpGetPathSystem@NNGAKEGL@:loc_8C3DE5j
		push	ebx

loc_8C3E3C:				; CODE XREF: ??_C@_0BC@FMFCMILN@SdbpGetPathSystem@NNGAKEGL@:loc_8C3DD5j
		bound	eax, fs:[esi+69h]
		insb

loc_8C3E41:				; CODE XREF: ??_C@_0BC@FMFCMILN@SdbpGetPathSystem@NNGAKEGL@+Ej
		db	65h
		push	esp
		jns	short near ptr loc_8C3EAF+6
		and	gs:49202C64h, ah

loc_8C3E4C:				; CODE XREF: ??_C@_0BC@FMFCMILN@SdbpGetPathSystem@NNGAKEGL@:loc_8C3DD8j
		jnb	short near ptr loc_8C3E98+2
		jz	short loc_8C3EA2

loc_8C3E50:				; CODE XREF: ??_C@_0BC@FMFCMILN@SdbpGetPathSystem@NNGAKEGL@+1Ej
		jnb	short near ptr loc_8C3E7F+6
		cmp	ah, [eax]
		and	eax, 66202964h
		popa

loc_8C3E5A:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+13j
					; ??_C@_0BC@FMFCMILN@SdbpGetPathSystem@NNGAKEGL@+1Cj ...
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[ebx+64h], dl	; DATA XREF: SdbGetPathCustomSdb(x,x,x,x)+72o
		bound	esi, [eax+47h]
		db	65h
		jz	short near ptr loc_8C3EBE+1
		jns	short loc_8C3EE1
		jz	short near ptr loc_8C3ED4+1
		insd
		push	ebx
		bound	eax, fs:[esi+69h]
		insb
		db	65h
		push	eax
		popa

loc_8C3E7A:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@:loc_8C3E27j
		jz	short loc_8C3EE4

loc_8C3E7C:				; CODE XREF: ??_C@_0BC@FMFCMILN@SdbpGetPathSystem@NNGAKEGL@+3Ej
		and	[esi+61h], ah

loc_8C3E7F:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@:loc_8C3E50j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BJ@HFHDPNEL@SdbpGetSystemSdbFilePath@NNGAKEGL@:
					; DATA XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+4Co
					; SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+73o ...
		push	ebx
		bound	esi, fs:[eax+47h]
		db	65h
		jz	short near ptr loc_8C3EE4+1
		jns	short loc_8C3F07

loc_8C3E94:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@:loc_8C3E2Bj
		jz	short near ptr loc_8C3EF7+4
		insd
		push	ebx

loc_8C3E98:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@:loc_8C3E4Cj
		bound	eax, fs:[esi+69h]
		insb

loc_8C3E9D:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+8j
		db	65h
		push	eax
		popa
		jz	short near ptr loc_8C3F09+1

loc_8C3EA2:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+28j
		add	ah, cl

??_C@_0DC@PFAPBPOE@SdbFileDetails?5missing?5function@NNGAKEGL@:
					; DATA XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+69o
		push	ebx
		bound	eax, fs:[esi+69h]
		insb
		db	65h
		inc	esp
		db	65h
		jz	short near ptr loc_8C3F09+7

loc_8C3EAF:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+1Dj
		imul	ebp, [ebx+esi*2+20h], 7373696Dh
		imul	ebp, [esi+67h],	6E756620h

loc_8C3EBE:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+43j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		and	[eax+6Fh], dh
		imul	ebp, [esi+74h],	66207265h
		outsd
		jb	short near ptr loc_8C3EED+3
		jo	short near ptr loc_8C3F30+3
		jz	short near ptr loc_8C3F39+3

loc_8C3ED4:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+48j
					; DATA XREF: SdbpGetPathAppraiser(x,x,x,x):loc_A211C5o
		add	cs:[ebx+64h], dl
		bound	esi, [eax+47h]
		db	65h
		jz	short loc_8C3F2E
		popa
		jz	short loc_8C3F49

loc_8C3EE1:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+46j
		inc	ecx
		jo	short near ptr loc_8C3F53+1

loc_8C3EE4:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@:loc_8C3E7Aj
					; ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+69j
		jb	short near ptr loc_8C3F46+1
		imul	esi, [ebx+65h],	53CC0072h
					; DATA XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+42o

loc_8C3EED:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+A8j
		bound	eax, fs:[esi+69h]
		insb
		db	65h
		inc	esp
		db	65h
		jz	short loc_8C3F58

loc_8C3EF7:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@:loc_8C3E94j
		imul	ebp, [ebx+esi*2+20h], 7373696Dh
		imul	ebp, [esi+67h],	72726120h
		popa

loc_8C3F07:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+6Cj
		jns	short near ptr loc_8C3F27+2

loc_8C3F09:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+7Aj
					; ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+86j
		imul	esi, [ebp+6Dh],	726F6620h
		and	[ebx+64h], dl
		bound	eax, [esi+69h]
		insb
		db	65h
		push	esp
		jns	short loc_8C3F8C
		cmp	ah, gs:[eax]
		and	eax, 64530064h	; DATA XREF: SdbGetPathCustomSdb(x,x,x,x)+41o
		bound	esi, [eax+47h]

loc_8C3F27:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@:loc_8C3F07j
		db	65h
		jz	short near ptr loc_8C3F6C+1
		jnz	short loc_8C3F9F
		jz	short near ptr loc_8C3F9C+1

loc_8C3F2E:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+B5j
		insd
		push	ebx

loc_8C3F30:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+AAj
		bound	eax, fs:[esi+69h]
		insb
		db	65h
		dec	esi
		popa
		insd

loc_8C3F39:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+ACj
		and	gs:[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp

loc_8C3F46:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@:loc_8C3EE4j
		add	ah, cl
??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BE@MNHDHJED@SdbGetPathCustomSdb@NNGAKEGL@ proc near
					; DATA XREF: SdbGetPathCustomSdb(x,x,x,x):loc_A20CF8o
		push	ebx
??_C@_0BE@MNHDHJED@SdbGetPathCustomSdb@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@

loc_8C3F49:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+B9j
		bound	eax, fs:[edi+65h]
		jz	short loc_8C3F9F
		popa
		jz	short near ptr loc_8C3FB9+1
		inc	ebx

loc_8C3F53:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+BCj
		jnz	short loc_8C3FC8
		jz	short near ptr loc_8C3FC5+1
		insd

loc_8C3F58:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+CEj
		push	ebx
		bound	eax, fs:[eax]

??_C@_0CB@HAJBCKAO@Failed?5to?5get?5database?5type?5?$FL?$CFx@NNGAKEGL@:
					; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+1FFo
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		db	67h, 65h
		jz	near ptr 3F8Ah
		db	64h
		popa

loc_8C3F6C:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@:loc_8C3F27j
		jz	short near ptr loc_8C3FCE+1
		bound	esp, [ecx+73h]
		and	gs:[ecx+edi*2+70h], dh
		and	gs:[ebx+25h], bl
		js	short loc_8C3FD9
		add	ah, cl

??_C@_0CE@HLHNCJNF@Failed?5to?5get?5runtime?5platform?5@NNGAKEGL@:
					; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+242o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		db	67h, 65h
		jz	near ptr 3FACh

loc_8C3F8C:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+F4j
		jb	short near ptr loc_8C4001+2
		outsb
		jz	short loc_8C3FFA
		insd
		and	gs:[eax+6Ch], dh
		popa
		jz	short near ptr loc_8C3FFD+2
		outsd
		jb	short near ptr loc_8C4008+1

loc_8C3F9C:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+106j
		and	[ebx+25h], bl

loc_8C3F9F:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+104j
					; ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+127j
		js	short near ptr loc_8C3FFD+1
		add	[eax+eax+52h], bl
					; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+164o
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa

loc_8C3FB9:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+12Aj
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp

loc_8C3FC5:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+12Fj
		add	[ebx+0], dl

loc_8C3FC8:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@:loc_8C3F53j
		outsd
		add	[esi+0], ah
		jz	short $+2

loc_8C3FCE:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@:loc_8C3F6Cj
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+4Dh], bl

loc_8C3FD9:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+154j
		add	[ecx+0], ch
		arpl	[eax], ax
		jb	short $+2
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2

loc_8C3FFA:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+169j
		and	[eax], al
		dec	esi

loc_8C3FFD:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@:loc_8C3F9Fj
					; ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+171j
		add	[eax+eax+5Ch], dl

loc_8C4001:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@:loc_8C3F8Cj
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2

loc_8C4008:				; CODE XREF: ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@+174j
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		pop	esp
		add	[ecx+0], al
		jo	short $+2
		jo	short $+2
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		popa
		add	[eax+eax+46h], dh
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
		pop	esp
		add	[ecx+0], cl
		outsb
		add	[ebx+0], dh
		jz	short $+2
		popa
		add	[eax+eax+6Ch], ch
		add	[ebp+0], ah
		add	fs:[ebx+0], dl
		inc	esp
		add	[edx+0], al
; END OF FUNCTION CHUNK	FOR ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@
; 
		dw 0
??_C@_0BO@OHGFJCDI@Failed?5to?5open?5Key?5?$CC?$CFws?$CC?5?$FL?$CFx?$FN@NNGAKEGL@ db 'Failed to open Key "%ws" [%x]',0
					; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+1C5o

;  S U B	R O U T	I N E 


??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@ proc near
					; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+7Co
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[edi+6Eh], bp
		jbe	short loc_8C40EA
		jb	short near ptr loc_8C40F9+2
		and	[edi+75h], ah
		imul	esp, [eax+74h],	7473206Fh
		jb	short loc_8C40FD
		outsb
		and	[bp+di+25h], bl
		js	short ??_C@_0DF@OGEFBPKL@SdbGetPathCustomSdb?5failed?5to?5g@NNGAKEGL@
		add	[esi+61h], al	; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+149o
		imul	ebp, [ebp+64h],	206F7420h
		popa
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		and	gs:6220646Ch, ah
		jns	short near ptr loc_8C4129+1
		db	65h
		jnb	short near ptr loc_8C40D7+2
		outsw
		jb	short near ptr loc_8C40DC+1
		imul	esp, [ebp+79h],	20h
		jo	short near ptr loc_8C4122+2
		jz	short near ptr loc_8C412B+2
		add	[ebx+64h], dl	; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x):loc_A20E2Bo
		bound	eax, [edi+65h]
		jz	short near ptr loc_8C411C+1
		popa
		jz	short near ptr loc_8C4135+3
		push	ebx
		jns	short near ptr loc_8C4144+2
		jz	short loc_8C413A
		insd
		push	ebx

loc_8C40D7:				; CODE XREF: ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@+40j
		bound	esp, fs:[eax]
		popaw

loc_8C40DC:				; CODE XREF: ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@+45j
					; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x):loc_A20DCBo ...
		imul	ebp, [ebp+64h],	6453002Eh
		bound	edx, [edx+65h]
		jnb	short near ptr loc_8C4152+6
		insb

loc_8C40EA:				; CODE XREF: ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@+Dj
		jbe	short near ptr loc_8C414A+7
		inc	esp
		popa
		jz	short near ptr loc_8C414A+7
		bound	esp, [ecx+73h]
		db	65h
		inc	ebp
		js	short $+2
		int	3		; Trap to Debugger
??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0DF@OGEFBPKL@SdbGetPathCustomSdb?5failed?5to?5g@NNGAKEGL@	proc near
					; CODE XREF: ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@+23j
					; DATA XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+26Ao
		push	ebx

loc_8C40F9:				; CODE XREF: ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@+Fj
		bound	eax, fs:[edi+65h]

loc_8C40FD:				; CODE XREF: ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@+1Cj
		jz	short near ptr loc_8C414A+5
		popa
		jz	short near ptr loc_8C4169+1
		inc	ebx
		jnz	short loc_8C4178
		jz	short near ptr loc_8C4175+1
		insd
		push	ebx
		bound	esp, fs:[eax]
		popaw
		imul	ebp, [ebp+64h],	206F7420h
		db	67h, 65h
		jz	near ptr 413Ah
		jz	short near ptr loc_8C4182+2

loc_8C411C:				; CODE XREF: ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@+55j
		and	gs:[ecx+74h], ah
		popa

loc_8C4122:				; CODE XREF: ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@+4Bj
		bound	esp, [ecx+73h]
		and	gs:[eax+61h], dh

loc_8C4129:				; CODE XREF: ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@+3Ej
		jz	short loc_8C4193

loc_8C412B:				; CODE XREF: ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@+4Dj
		db	2Eh
		add	ah, cl
??_C@_0DF@OGEFBPKL@SdbGetPathCustomSdb?5failed?5to?5g@NNGAKEGL@	endp


;  S U B	R O U T	I N E 


??_C@_0BP@FEFPKLNB@SDB?5file?5too?5small?5to?5be?5valid@NNGAKEGL@ proc near
					; DATA XREF: SdbpOpenCompressedDatabase(x,x,x)+4Eo
		push	ebx
		inc	esp
		inc	edx
		and	[esi+69h], ah
		insb

loc_8C4135:				; CODE XREF: ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@+58j
		and	gs:[edi+ebp*2+6Fh], dh

loc_8C413A:				; CODE XREF: ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@+5Dj
		and	[ebx+6Dh], dh
		popa
		insb
		insb
		and	[edi+ebp*2+20h], dh

loc_8C4144:				; CODE XREF: ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@+5Bj
		bound	esp, [ebp+20h]
		jbe	short near ptr loc_8C41A9+1
		insb

loc_8C414A:				; CODE XREF: ??_C@_0DF@OGEFBPKL@SdbGetPathCustomSdb?5failed?5to?5g@NNGAKEGL@:loc_8C40FDj
					; ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@:loc_8C40EAj ...
		imul	esp, [eax+eax-34h], 20424453h

loc_8C4152:				; CODE XREF: ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@+71j
		imul	esi, [ebx+20h],	20746F6Eh
		arpl	[edi+6Dh], bp
		jo	short near ptr loc_8C41CE+2
		db	65h
		jnb	short near ptr loc_8C41D1+3
		db	65h		; DATA XREF: SdbpOpenCompressedDatabase(x,x,x)+27o
		add	fs:[esi+6Fh], cl
		and	[ebp+78h], ah

loc_8C4169:				; CODE XREF: ??_C@_0DF@OGEFBPKL@SdbGetPathCustomSdb?5failed?5to?5g@NNGAKEGL@+8j
		jo	short loc_8C41CC
		outsb
		and	fs:[ebx+61h], ah
		insb
		insb
		bound	esp, [ecx+63h]

loc_8C4175:				; CODE XREF: ??_C@_0DF@OGEFBPKL@SdbGetPathCustomSdb?5failed?5to?5g@NNGAKEGL@+Dj
		imul	esp, [eax], 6Dh

loc_8C4178:				; CODE XREF: ??_C@_0DF@OGEFBPKL@SdbGetPathCustomSdb?5failed?5to?5g@NNGAKEGL@+Bj
		db	65h
		jz	short near ptr loc_8C41E1+2
		outsd
		and	fs:[ebx+65h], dh
		jz	short loc_8C41B0

loc_8C4182:				; CODE XREF: ??_C@_0DF@OGEFBPKL@SdbGetPathCustomSdb?5failed?5to?5g@NNGAKEGL@+22j
		and	[ebx+61h], al
		outsb
		outsb
		outsd
		jz	short near ptr loc_8C41A9+1
		db	65h
		js	short near ptr loc_8C41FB+2
		popa
		outsb
		and	fs:[edx+44h], bl

loc_8C4193:				; CODE XREF: ??_C@_0DF@OGEFBPKL@SdbGetPathCustomSdb?5failed?5to?5g@NNGAKEGL@:loc_8C4129j
		inc	edx
		and	[esi+69h], ah
		insb
		db	65h, 2Eh
		add	ah, cl
??_C@_0BP@FEFPKLNB@SDB?5file?5too?5small?5to?5be?5valid@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BL@JHLABFDA@SdbpOpenCompressedDatabase@NNGAKEGL@	proc near
					; DATA XREF: SdbpOpenCompressedDatabase(x,x,x):loc_A2150Fo
					; SdbpOpenCompressedDatabase(x,x,x)+F5o
		push	ebx
		bound	esi, fs:[eax+4Fh]
		jo	short loc_8C4208
		outsb
		inc	ebx
		outsd
		insd
		jo	short near ptr loc_8C4218+3

loc_8C41A9:				; CODE XREF: ??_C@_0BP@FEFPKLNB@SDB?5file?5too?5small?5to?5be?5valid@NNGAKEGL@+19j
					; ??_C@_0BP@FEFPKLNB@SDB?5file?5too?5small?5to?5be?5valid@NNGAKEGL@+5Aj
		db	65h
		jnb	short near ptr loc_8C4218+7
		db	65h, 64h
		inc	esp
		popa

loc_8C41B0:				; CODE XREF: ??_C@_0BP@FEFPKLNB@SDB?5file?5too?5small?5to?5be?5valid@NNGAKEGL@+52j
		jz	short near ptr loc_8C4211+2
		bound	esp, [ecx+73h]
		db	65h
		add	ah, cl
??_C@_0BL@JHLABFDA@SdbpOpenCompressedDatabase@NNGAKEGL@	endp


;  S U B	R O U T	I N E 


??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@ proc near
					; DATA XREF: SdbpOpenCompressedDatabase(x,x,x)+BCo

; FUNCTION CHUNK AT 008C422F SIZE 000000DE BYTES
; FUNCTION CHUNK AT 008C4322 SIZE 00000026 BYTES
; FUNCTION CHUNK AT 008C4388 SIZE 00000031 BYTES

		push	ebx
		bound	esi, fs:[eax+4Fh]
		jo	short loc_8C4224
		outsb
		inc	ebx
		outsd
		insd
		jo	short near ptr loc_8C4235+2
		db	65h
		jnb	short near ptr loc_8C4238+3
		db	65h, 64h
		inc	esp
		popa

loc_8C41CC:				; CODE XREF: ??_C@_0BP@FEFPKLNB@SDB?5file?5too?5small?5to?5be?5valid@NNGAKEGL@:loc_8C4169j
		jz	short loc_8C422F

loc_8C41CE:				; CODE XREF: ??_C@_0BP@FEFPKLNB@SDB?5file?5too?5small?5to?5be?5valid@NNGAKEGL@+2Ej
		bound	esp, [ecx+73h]

loc_8C41D1:				; CODE XREF: ??_C@_0BP@FEFPKLNB@SDB?5file?5too?5small?5to?5be?5valid@NNGAKEGL@+30j
		and	gs:[esi+61h], ah
		imul	ebp, [ebp+64h],	206F7420h
		popa
		insb
		insb
		outsd

loc_8C41E1:				; CODE XREF: ??_C@_0BP@FEFPKLNB@SDB?5file?5too?5small?5to?5be?5valid@NNGAKEGL@:loc_8C4178j
		arpl	[ecx+74h], sp
		and	gs:[ebp+78h], ah
		jo	short loc_8C424B
		outsb
		db	64h, 65h
		and	fs:[edx+75h], ah
		db	66h, 66h, 65h
		jb	short near ptr loc_8C4214+2
		sub	eax, 74756F20h

loc_8C41FB:				; CODE XREF: ??_C@_0BP@FEFPKLNB@SDB?5file?5too?5small?5to?5be?5valid@NNGAKEGL@+5Cj
		and	[edi+66h], ch
		and	[ebp+65h], ch
		insd
		outsd
		jb	short near ptr loc_8C427A+4
		add	[ebp+78h], al	; DATA XREF: SdbpOpenCompressedDatabase(x,x,x)+EBo

loc_8C4208:				; CODE XREF: ??_C@_0BL@JHLABFDA@SdbpOpenCompressedDatabase@NNGAKEGL@+5j
		jo	short loc_8C426B
		outsb
		and	fs:[ebx+61h], ah
		insb
		insb

loc_8C4211:				; CODE XREF: ??_C@_0BL@JHLABFDA@SdbpOpenCompressedDatabase@NNGAKEGL@:loc_8C41B0j
		bound	esp, [ecx+63h]

loc_8C4214:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+39j
		imul	esp, [eax], 66h
		popa

loc_8C4218:				; CODE XREF: ??_C@_0BL@JHLABFDA@SdbpOpenCompressedDatabase@NNGAKEGL@+Bj
					; ??_C@_0BL@JHLABFDA@SdbpOpenCompressedDatabase@NNGAKEGL@:loc_8C41A9j
		imul	ebp, [ebp+64h],	206F7420h
		db	65h
		js	short near ptr loc_8C4290+3
		popa

loc_8C4224:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+5j
		outsb
		and	fs:[ebx+44h], dl
		inc	edx
		add	ah, cl
??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0DN@KMAJDPML@SDB?5compression?5algorithm?5does?5@NNGAKEGL@ proc near
					; DATA XREF: SdbpOpenCompressedDatabase(x,x,x)+85o
		push	ebx
		inc	esp
		inc	edx
??_C@_0DN@KMAJDPML@SDB?5compression?5algorithm?5does?5@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@

loc_8C422F:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@:loc_8C41CCj
		and	[ebx+6Fh], ah
		insd
		jo	short loc_8C42A7

loc_8C4235:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+Bj
		db	65h
		jnb	short near ptr loc_8C42AA+1

loc_8C4238:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+Dj
		imul	ebp, [edi+6Eh],	676C6120h
		outsd
		jb	short near ptr loc_8C42AA+1
		jz	short loc_8C42AC
		insd
		and	[edi+ebp*2+65h], ah
		jnb	short loc_8C426B

loc_8C424B:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+30j
		outsb
		outsd
		jz	short loc_8C426F
		insd
		popa
		jz	short near ptr loc_8C42B5+1
		push	6C616320h
		insb
		bound	esp, [ecx+63h]
		imul	esp, [eax], 61h
		insb
		outs	dx, dword ptr [si]
		jb	short loc_8C42CD
		jz	short near ptr loc_8C42CD+1
		insd
		db	2Eh
		add	ah, cl

??_C@_0DG@DAKFPAHP@Expanded?5SDB?5file?5too?5small?5or?5@NNGAKEGL@:
					; DATA XREF: SdbpOpenCompressedDatabase(x,x,x)+A4o
		inc	ebp

loc_8C426B:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@:loc_8C4208j
					; ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+91j
		js	short near ptr loc_8C42D7+6
		popa
		outsb

loc_8C426F:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+95j
		db	64h, 65h
		and	fs:[ebx+44h], dl
		inc	edx
		and	[esi+69h], ah
		insb

loc_8C427A:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+4Bj
		and	gs:[edi+ebp*2+6Fh], dh
		and	[ebx+6Dh], dh
		popa
		insb
		insb
		and	[edi+72h], ch
		and	[edi+ebp*2+6Fh], dh
		and	[ecx+72h], ch

loc_8C4290:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+68j
		and	gs:[si+6Fh], dh
		and	[edx+65h], ah
		and	[esi+61h], dh
		insb
		imul	esp, [esi+ebp+0], 70626453h
					; DATA XREF: SdbpQueryAppCompatFlagsByExeID+8A4A2o
					; SdbpQueryAppCompatFlagsByExeID+8A4E1o
		push	ecx
		jnz	short loc_8C430C

loc_8C42A7:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+7Bj
		jb	short loc_8C4322
		inc	ecx

loc_8C42AA:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@:loc_8C4235j
					; ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+88j
		jo	short near ptr loc_8C431B+1

loc_8C42AC:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+8Aj
		inc	ebx
		outsd
		insd
		jo	short near ptr loc_8C4310+2
		jz	short near ptr loc_8C42F4+5
		insb
		popa

loc_8C42B5:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+99j
		db	67h
		jnb	near ptr 42FAh
		jns	short loc_8C42FF
		js	short near ptr loc_8C431F+2
		dec	ecx
		inc	esp
		add	ah, cl

??_C@_0DA@DPCBJIIG@AslRegistryGetUInt32?5failed?5for@NNGAKEGL@:
					; DATA XREF: SdbpQueryAppCompatFlagsByExeID+8A4DAo
		inc	ecx
		jnb	short loc_8C432F
		push	edx
		imul	esi, gs:[bp+di+74h], 65477972h

loc_8C42CD:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+AAj
					; ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+ACj
		jz	short near ptr loc_8C4323+1
		dec	ecx
		outsb
		jz	short near ptr loc_8C4304+2
		xor	ah, [eax]
		popaw

loc_8C42D7:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@:loc_8C426Bj
		imul	ebp, [ebp+64h],	726F6620h
		and	[ebx+65h], ch
		jns	short near ptr loc_8C431D+1
		and	[edi], ah
		and	eax, 20277377h
		pop	ebx
		and	eax, 41005D78h	; DATA XREF: SdbpQueryAppCompatFlagsByExeID+8A49Bo
		jnb	short near ptr ??_C@_0BN@MAJDMDHG@Attribute?5size?5doesn?8t?5match@NNGAKEGL@+17h
		push	edx

loc_8C42F4:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+F9j
		imul	esi, gs:[bp+di+74h], 65477972h
		jz	short near ptr ??_C@_0BN@MAJDMDHG@Attribute?5size?5doesn?8t?5match@NNGAKEGL@+2

loc_8C42FF:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+100j
		db	65h
		jns	short loc_8C4322
		popaw

loc_8C4304:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+119j
		imul	ebp, [ebp+64h],	78255B20h

loc_8C430C:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+EDj
		pop	ebp
; END OF FUNCTION CHUNK	FOR ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@
; 
		db 0

;  S U B	R O U T	I N E 


??_C@_0CI@PFNDBMLC@Failed?5to?5convert?5EXE?5id?5to?5str@NNGAKEGL@ proc	near
					; DATA XREF: SdbGetEntryFlags+8A4FDo
		inc	esi
		popa

loc_8C4310:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+F7j
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[edi+6Eh], bp

loc_8C431B:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@:loc_8C42AAj
		jbe	short near ptr loc_8C437F+3

loc_8C431D:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+12Aj
		jb	short near ptr loc_8C438F+4

loc_8C431F:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+102j
		and	[ebp+58h], al
??_C@_0CI@PFNDBMLC@Failed?5to?5convert?5EXE?5id?5to?5str@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@

loc_8C4322:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@:loc_8C42A7j
					; ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@:loc_8C42FFj
		inc	ebp

loc_8C4323:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@:loc_8C42CDj
		and	[ecx+64h], ch
		and	[edi+ebp*2+20h], dh
		jnb	short near ptr loc_8C439C+4
		jb	short loc_8C4397
		outsb

loc_8C432F:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+109j
		and	[bp+di+25h], bl
		js	short near ptr loc_8C438F+3
		add	[ebx+64h], dl	; DATA XREF: SdbGetEntryFlags+8A504o
		bound	eax, [edi+65h]
		jz	short near ptr loc_8C437F+3
		outsb
		jz	short near ptr loc_8C43B0+2
		jns	short loc_8C4388
		insb
		popa
		db	67h
		jnb	near ptr 4347h
		int	3		; Trap to Debugger
; END OF FUNCTION CHUNK	FOR ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@
; 
??_C@_0BN@MAJDMDHG@Attribute?5size?5doesn?8t?5match@NNGAKEGL@ db 'Attribute size doesn',27h,'t match',0
					; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+145j
					; DATA XREF: SdbpCheckAttribute(x,x,x,x,x)+5Bo	...
		align 2

;  S U B	R O U T	I N E 


??_C@_0BD@EDJAJPBP@SdbpCheckAttribute@NNGAKEGL@	proc near
					; DATA XREF: SdbpCheckAttribute(x,x,x,x,x):loc_A218C7o
					; SdbpCheckAttribute(x,x,x,x,x):loc_A219FAo
		push	ebx
		bound	esi, fs:[eax+43h]
??_C@_0BD@EDJAJPBP@SdbpCheckAttribute@NNGAKEGL@	endp

		push	416B6365h
		jz	short loc_8C43E6
		jb	short near ptr loc_8C43DC+1
		bound	esi, [ebp+74h]
		db	65h
		add	ah, cl

;  S U B	R O U T	I N E 


??_C@_0BP@NLPCOOD@SdbpCheckAttribute?5failed?5?$FL?$CFx?$FN@NNGAKEGL@ proc near
					; DATA XREF: SdbpCheckAllAttributes(x,x,x,x,x)+1D0o
		push	ebx
		bound	esi, fs:[eax+43h]
??_C@_0BP@NLPCOOD@SdbpCheckAttribute?5failed?5?$FL?$CFx?$FN@NNGAKEGL@ endp


loc_8C437F:				; CODE XREF: ??_C@_0CI@PFNDBMLC@Failed?5to?5convert?5EXE?5id?5to?5str@NNGAKEGL@:loc_8C431Bj
					; ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+183j
		push	416B6365h
		jz	short near ptr loc_8C43F9+1
		jb	short loc_8C43F1
; START	OF FUNCTION CHUNK FOR ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@

loc_8C4388:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+188j
		bound	esi, [ebp+74h]
		and	gs:[esi+61h], ah

loc_8C438F:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+17Bj
					; ??_C@_0CI@PFNDBMLC@Failed?5to?5convert?5EXE?5id?5to?5str@NNGAKEGL@:loc_8C431Dj
		imul	ebp, [ebp+64h],	78255B20h

loc_8C4397:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+174j
		pop	ebp
		add	ah, cl

??_C@_0CA@NOHMNGME@Failed?5to?5get?5attribute?5?$CFd?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: SdbpCheckAllAttributes(x,x,x,x,x)+1F3o
		inc	esi
		popa

loc_8C439C:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+172j
		imul	ebp, [ebp+64h],	206F7420h
		db	67h, 65h
		jz	near ptr 43C8h
		popa
		jz	short loc_8C441F
		jb	short loc_8C4416
		bound	esi, [ebp+74h]

loc_8C43B0:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+186j
		and	gs:255B2064h, ah
		js	short loc_8C4416
; END OF FUNCTION CHUNK	FOR ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@
; 
		db 0

;  S U B	R O U T	I N E 


??_C@_0BH@LGBLGPBK@SdbpCheckAllAttributes@NNGAKEGL@ proc near
					; DATA XREF: SdbpCheckAllAttributes(x,x,x,x,x)+1DAo
					; SdbpCheckAllAttributes(x,x,x,x,x)+1FDo
		push	ebx
		bound	esi, fs:[eax+43h]
		push	416B6365h
		insb
		insb
		inc	ecx
		jz	short loc_8C443D
		jb	short loc_8C4434
		bound	esi, [ebp+74h]
		db	65h
		jnb	short $+3
		int	3		; Trap to Debugger

??_C@_0DL@FBMDICIO@Failed?5to?5get?5the?5pointer?5to?5in@NNGAKEGL@:
					; DATA XREF: SdbpGetFirstIndexedRecord+AFB54o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h

loc_8C43DC:				; CODE XREF: PAGE:008C4372j
		db	67h, 65h
		jz	near ptr 4400h
		jz	short near ptr loc_8C4448+2
		and	gs:[eax+6Fh], dh

loc_8C43E6:				; CODE XREF: PAGE:008C4370j
		imul	ebp, [esi+74h],	74207265h
		outsd
		and	[ecx+6Eh], ch

loc_8C43F1:				; CODE XREF: PAGE:008C4386j
		db	64h, 65h
		js	short near ptr loc_8C4413+2
		db	64h
		popa
		jz	short near ptr loc_8C4459+1

loc_8C43F9:				; CODE XREF: PAGE:008C4384j
		sub	al, 20h
		imul	ebp, [esi+64h],	74207865h
		popa
		imul	esp, [si+20h], 6C257830h
		js	short $+2
		int	3		; Trap to Debugger
??_C@_0BH@LGBLGPBK@SdbpCheckAllAttributes@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@ proc near
					; DATA XREF: SdbpGetNextIndexedRecord:loc_8FF17Do
		push	ebx
		bound	esi, fs:[eax+47h]

loc_8C4413:				; CODE XREF: ??_C@_0BH@LGBLGPBK@SdbpCheckAllAttributes@NNGAKEGL@:loc_8C43F1j
		db	65h
		jz	short near ptr loc_8C4462+2

loc_8C4416:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+1F3j
					; ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+1FFj
		db	65h
		js	short near ptr loc_8C448C+1
		dec	ecx
		outsb
		db	64h, 65h
		js	short ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@

loc_8C441F:				; CODE XREF: ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@+1F1j
		db	64h
		push	edx
		arpl	gs:[edi+72h], bp
		db	64h
		add	ah, cl

??_C@_0CC@MAMOALIP@The?5tag?50x?$CFlx?5is?5not?5an?5index?5t@NNGAKEGL@:
					; DATA XREF: SdbpGetFirstIndexedRecord+AFB47o
					; KseDriverUnloadImage+AF500o
		push	esp
		push	61742065h
		and	[bx+si], dh
		js	short near ptr loc_8C4452+6
		insb

loc_8C4434:				; CODE XREF: ??_C@_0BH@LGBLGPBK@SdbpCheckAllAttributes@NNGAKEGL@+Fj
		js	short near ptr loc_8C4452+4
		imul	esi, [ebx+20h],	20746F6Eh

loc_8C443D:				; CODE XREF: ??_C@_0BH@LGBLGPBK@SdbpCheckAllAttributes@NNGAKEGL@+Dj
		popa
		outsb
		and	[ecx+6Eh], ch
		db	64h, 65h
		js	short loc_8C4466
		jz	short near ptr loc_8C44A8+1

loc_8C4448:				; CODE XREF: ??_C@_0BH@LGBLGPBK@SdbpCheckAllAttributes@NNGAKEGL@+26j
					; DATA XREF: SdbpGetFirstIndexedRecord:loc_8FDB9Ao
		add	[bp+di+64h], dl
		bound	esi, [eax+47h]
		db	65h
		jz	short near ptr loc_8C4493+5

loc_8C4452:				; CODE XREF: ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@:loc_8C4434j
					; ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@+23j
		imul	esi, [edx+73h],	646E4974h

loc_8C4459:				; CODE XREF: ??_C@_0BH@LGBLGPBK@SdbpCheckAllAttributes@NNGAKEGL@+3Dj
		db	65h
		js	short near ptr loc_8C44BD+4
		db	64h
		push	edx
		arpl	gs:[edi+72h], bp

loc_8C4462:				; CODE XREF: ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@:loc_8C4413j
					; DATA XREF: SdbFindFirstStringIndexedTag+AFB9Ao
		add	fs:[ecx+6Eh], cl

loc_8C4466:				; CODE XREF: ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@+34j
		db	64h, 65h
		js	short loc_8C448A
		outsb
		outsd
		jz	short near ptr loc_8C448C+2
		outsw
		jnz	short near ptr loc_8C44DE+2
		and	fs:[eax], dh
		js	short loc_8C449C
		insb
		js	short loc_8C449A
		dec	ebx
		db	65h
		jns	short loc_8C449E
		xor	[eax+25h], bh
		insb
		js	short $+2
??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@ proc near
					; CODE XREF: ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@+Dj
					; DATA XREF: SdbFindFirstStringIndexedTag+AFBA4o

arg_CF		= dword	ptr  0D7h

; FUNCTION CHUNK AT 008C4541 SIZE 0000000B BYTES
; FUNCTION CHUNK AT 008C4550 SIZE 00000194 BYTES

		push	ebx
		bound	eax, fs:[esi+69h]
		outsb

loc_8C448A:				; CODE XREF: ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@:loc_8C4466j
		db	64h
		inc	esi

loc_8C448C:				; CODE XREF: ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@:loc_8C4416j
					; ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@+5Ej
		imul	esi, [edx+73h],	72745374h

loc_8C4493:				; CODE XREF: ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@+41j
		imul	ebp, [esi+67h],	65646E49h

loc_8C449A:				; CODE XREF: ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@+6Aj
		js	short loc_8C4501

loc_8C449C:				; CODE XREF: ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@+67j
		db	64h
		push	esp

loc_8C449E:				; CODE XREF: ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@+6Dj
		popa
		db	67h
		add	ah, cl

??_C@_0CN@DLEDMNBL@PDB?5was?5not?5supplied?5for?5InitOn@NNGAKEGL@:
					; DATA XREF: InitOnceScanIndexes:loc_8FDCB9o
		push	eax
		inc	esp
		inc	edx
		and	[edi+61h], dh

loc_8C44A8:				; CODE XREF: ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@+38j
		jnb	short near ptr loc_8C44C9+1
		outsb
		outsd
		jz	short near ptr loc_8C44CD+1
		jnb	short near ptr loc_8C4523+2
		jo	short near ptr loc_8C4521+1
		insb
		imul	esp, [ebp+64h],	726F6620h
		and	[ecx+6Eh], cl

loc_8C44BD:				; CODE XREF: ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@:loc_8C4459j
		imul	esi, [edi+ecx*2+6Eh], 63536563h
		popa
		outsb
		dec	ecx
		outsb

loc_8C44C9:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@:loc_8C44A8j
		db	64h, 65h
		js	short near ptr loc_8C452F+3

loc_8C44CD:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+28j
		jnb	short $+2
		int	3		; Trap to Debugger

??_C@_0BE@MFGMCOON@InitOnceScanIndexes@NNGAKEGL@:
					; DATA XREF: InitOnceScanIndexes:loc_8FDCCFo
					; InitOnceScanIndexes:loc_8FDD02o ...
		dec	ecx
		outsb
		imul	esi, [edi+ecx*2+6Eh], 63536563h
		popa
		outsb
		dec	ecx
		outsb

loc_8C44DE:				; CODE XREF: ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@+62j
		db	64h, 65h
		js	short near ptr loc_8C4543+4
		jnb	short $+2

??_C@_0CF@EGNAAOEO@Failed?5to?5convert?5name?5to?5multi@NNGAKEGL@:
					; DATA XREF: SdbpFindFirstIndexedWildCardTag:loc_8FDA92o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[edi+6Eh], bp
		jbe	short loc_8C4558
		jb	short loc_8C4569
		and	[esi+61h], ch
		insd
		and	gs:[edi+ebp*2+20h], dh
		insd
		jnz	short near ptr loc_8C456B+2

loc_8C4501:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@:loc_8C449Aj
		jz	short near ptr loc_8C456B+1
		sub	eax, 65747962h
		add	ah, cl

??_C@_0CE@KINBPPGK@Failed?5to?5get?5index?5by?5tag?5id?50@NNGAKEGL@:
					; DATA XREF: SdbpFindFirstIndexedWildCardTag+AFD8Eo
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		db	67h, 65h
		jz	near ptr 4538h
		imul	ebp, [esi+64h],	62207865h
		jns	short loc_8C4541

loc_8C4521:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+2Cj
		jz	short near ptr loc_8C4580+4

loc_8C4523:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+2Aj
		and	[bx+di+64h], ch
		and	[eax], dh
		js	short loc_8C4550
		insb
		js	short $+2
??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0CA@MKAJGAKM@SdbpFindFirstIndexedWildCardTag@NNGAKEGL@ proc near
					; DATA XREF: SdbpFindFirstIndexedWildCardTag+AFD5Ao
					; SdbpFindFirstIndexedWildCardTag+AFD78o ...
		push	ebx

loc_8C452F:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@:loc_8C44C9j
		bound	esi, fs:[eax+46h]
		imul	ebp, [esi+64h],	73726946h
		jz	short near ptr loc_8C4580+5
		outsb
		db	64h, 65h
		js	short near ptr loc_8C45A5+1
??_C@_0CA@MKAJGAKM@SdbpFindFirstIndexedWildCardTag@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@

loc_8C4541:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+9Bj
		db	64h
		push	edi

loc_8C4543:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@:loc_8C44DEj
		imul	ebp, [esp-94h+arg_CF], 54647261h
		popa
; END OF FUNCTION CHUNK	FOR ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@
; 
		db 67h,	0

;  S U B	R O U T	I N E 


??_C@_0CP@NDDLDDHN@Failed?5to?5get?5an?5index?5for?5tag?5@NNGAKEGL@ proc near
					; DATA XREF: SdbpFindFirstIndexedWildCardTag+AFD50o
		inc	esi
		popa
??_C@_0CP@NDDLDDHN@Failed?5to?5get?5an?5index?5for?5tag?5@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@

loc_8C4550:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+A5j
		imul	ebp, [ebp+64h],	206F7420h

loc_8C4558:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+6Dj
		db	67h, 65h
		jz	near ptr 457Ch
		popa
		outsb
		and	[ecx+6Eh], ch
		db	64h, 65h
		js	short near ptr loc_8C4580+5
		outsw
		jb	short near ptr loc_8C4588+1

loc_8C4569:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+6Fj
		jz	short loc_8C45CC

loc_8C456B:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@:loc_8C4501j
					; ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+7Bj
		and	[bx+si], dh
		js	short loc_8C4595
		insb
		js	short near ptr loc_8C458E+5
		imul	esp, [ebp+79h],	20h
		xor	[eax+25h], bh
		insb
		js	short $+2
		int	3		; Trap to Debugger

??_C@_0DD@LMANNPAC@Failed?5to?5get?5pointer?5to?5the?5in@NNGAKEGL@:
					; DATA XREF: SdbpGetNextIndexedRecord+AF4A9o
		inc	esi
		popa

loc_8C4580:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@:loc_8C4521j
					; ??_C@_0CA@MKAJGAKM@SdbpFindFirstIndexedWildCardTag@NNGAKEGL@+Cj ...
		imul	ebp, [ebp+64h],	206F7420h

loc_8C4588:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+E3j
		db	67h, 65h
		jz	near ptr 45ACh
		jo	short loc_8C45FD

loc_8C458E:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+EDj
		imul	ebp, [esi+74h],	74207265h

loc_8C4595:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+EAj
		outsd
		and	[eax+ebp*2+65h], dh
		and	[ecx+6Eh], ch
		db	64h, 65h
		js	short loc_8C45C1
		db	64h
		popa
		jz	short loc_8C4606

loc_8C45A5:				; CODE XREF: ??_C@_0CA@MKAJGAKM@SdbpFindFirstIndexedWildCardTag@NNGAKEGL@+Fj
		and	[ecx+67h], dh
		imul	esp, [eax+78h],	786C25h
		int	3		; Trap to Debugger

??_C@_0BN@GCFFLLIE@Index?5missing?5TAG_INDEX_BITS@NNGAKEGL@:
					; DATA XREF: InitOnceScanIndexes+AFAB3o
		dec	ecx
		outsb
		db	64h, 65h
		js	short loc_8C45D8
		insd
		imul	esi, [ebx+73h],	20676E69h
		push	esp

loc_8C45C1:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+119j
		inc	ecx
		inc	edi
		pop	edi
		dec	ecx
		dec	esi
		inc	esp
		inc	ebp
		pop	eax
		pop	edi
		inc	edx
		dec	ecx

loc_8C45CC:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@:loc_8C4569j
		push	esp
		push	ebx
		add	ah, cl

??_C@_0DK@DNDEGMAH@RtlRunOnceExecuteOnce?5failed?5fo@NNGAKEGL@:
					; DATA XREF: SdbGetIndex+AF867o
		push	edx
		jz	short loc_8C463F
		push	edx
		jnz	short loc_8C4644
		dec	edi
		outsb

loc_8C45D8:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+130j
		arpl	[ebp+45h], sp
		js	short near ptr loc_8C4641+1
		arpl	[ebp+74h], si
		db	65h
		dec	edi
		outsb
		arpl	[ebp+20h], sp
		popaw
		imul	ebp, [ebp+64h],	726F6620h
		and	[ecx+6Eh], cl
		imul	esi, [edi+ecx*2+6Eh], 63536563h
		popa
		outsb

loc_8C45FD:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+108j
		dec	ecx
		outsb
		db	64h, 65h
		js	short loc_8C4668
		jnb	short loc_8C4625
		pop	ebx

loc_8C4606:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+11Fj
					; DATA XREF: InitOnceScanIndexes:loc_8FDD41o
		and	eax, 49005D78h
		outsb
		db	64h, 65h
		js	short near ptr loc_8C462D+3
		insd
		imul	esi, [ebx+73h],	20676E69h
		push	esp
		inc	ecx
		inc	edi
		pop	edi
		dec	ecx
		dec	esi
		inc	esp
		inc	ebp
		pop	eax
		pop	edi
		push	esp
		inc	ecx
		inc	edi

loc_8C4625:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+17Fj
					; DATA XREF: InitOnceScanIndexes:loc_8FDD35o
		add	[ecx+6Eh], cl
		db	64h, 65h
		js	short near ptr loc_8C464B+1
		insd

loc_8C462D:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+188j
		imul	esi, [ebx+73h],	20676E69h
		push	esp
		inc	ecx
		inc	edi
		pop	edi
		dec	ecx
		dec	esi
		inc	esp
		inc	ebp
		pop	eax
		pop	edi
		dec	ebx

loc_8C463F:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+14Dj
		inc	ebp
		pop	ecx

loc_8C4641:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+157j
					; DATA XREF: InitOnceScanIndexes+AFAD7o
		add	[edx+6Fh], dl

loc_8C4644:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+150j
		outsd
		jz	short near ptr loc_8C4660+7
		arpl	[eax+69h], bp
		insb

loc_8C464B:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+1A4j
		and	fs:[ecx+67h], dh
		and	[ecx+73h], ch
		and	[esi+6Fh], ch
		jz	short near ptr loc_8C4673+5
		imul	ebp, [esi+64h],	74207865h
		popa

loc_8C4660:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+1C1j
		imul	esp, [si+20h], 6C257830h

loc_8C4668:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+17Bj
		js	short $+2

??_C@_0EB@LJPIIMCB@Too?5many?5indexes?5in?5file?3?5recom@NNGAKEGL@:
					; DATA XREF: InitOnceScanIndexes:loc_8FDD4Do
		push	esp
		outsd
		outsd
		and	[ebp+61h], ch
		outsb
		jns	short near ptr loc_8C4690+3

loc_8C4673:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+1D2j
		imul	ebp, [esi+64h],	73657865h
		and	[ecx+6Eh], ch
		and	[esi+69h], ah
		insb
		cmp	ah, gs:[eax]
		jb	short near ptr loc_8C46E6+5
		arpl	[edi+6Dh], bp
		jo	short loc_8C46F4
		insb
		and	gs:[ecx+6Eh], ah

loc_8C4690:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+1EDj
		and	fs:[ecx+6Eh], ch
		arpl	[edx+65h], si
		popa
		jnb	short near ptr loc_8C46F8+7
		and	[ebx+44h], dl
		inc	edx
		pop	edi
		dec	ebp
		inc	ecx
		pop	eax
		pop	edi
		dec	ecx
		dec	esi
		inc	esp
		inc	ebp
		pop	eax
		inc	ebp
		push	ebx
		add	ah, cl

??_C@_0DH@NGAMOJOE@No?5return?5context?5was?5supplied?5@NNGAKEGL@:
					; DATA XREF: InitOnceScanIndexes:loc_8FDCC5o
		dec	esi
		outsd
		and	[edx+65h], dh
		jz	short near ptr loc_8C4722+6
		jb	short near ptr loc_8C4722+1
		and	[ebx+6Fh], ah
		outsb
		jz	short loc_8C4720
		js	short loc_8C4731
		and	[edi+61h], dh
		jnb	short near ptr loc_8C46E1+1
		jnb	short near ptr loc_8C4738+1
		jo	short ??_C@_0CG@LALKBFHG@Failed?5to?5upcase?5unicode?5string@NNGAKEGL@
		insb
		imul	esp, [ebp+64h],	726F6620h
		and	[ecx+6Eh], cl
		imul	esi, [edi+ecx*2+6Eh], 63536563h
		popa
		outsb
		dec	ecx
		outsb
		db	64h, 65h
		js	short near ptr loc_8C4745+1

loc_8C46E1:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+23Cj
		jnb	short $+2
		int	3		; Trap to Debugger
; END OF FUNCTION CHUNK	FOR ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@

;  S U B	R O U T	I N E 


??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@ proc	near
					; DATA XREF: InitOnceScanIndexes:loc_8FDCE5o

arg_3C		= dword	ptr  40h

; FUNCTION CHUNK AT 008C4722 SIZE 0000012E BYTES

		inc	esi
		popa

loc_8C46E6:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+200j
		imul	ebp, [ebp+64h],	206F7420h
		db	67h, 65h
		jz	near ptr 4712h
		jz	short near ptr loc_8C475B+1

loc_8C46F4:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+205j
		and	gs:[ebx+68h], ah

loc_8C46F8:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+214j
		imul	ebp, [esp-20h+arg_3C], 65646E69h
		js	short loc_8C4722
		db	66h
		jb	short near ptr loc_8C4770+4
		insd
		and	[edx+6Fh], dh
		outsd
		jz	short $+2
??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BM@OMOLFLGG@SdbMakeIndexKeyFromStringEx@NNGAKEGL@ proc near
					; DATA XREF: SdbMakeIndexKeyFromStringEx(x,x)+BBo
		push	ebx
		bound	ecx, fs:[ebp+61h]
		imul	esp, [ebp+49h],	6Eh
		db	64h, 65h
		js	short loc_8C4764
		db	65h
		jns	short near ptr loc_8C4761+1
		jb	short near ptr loc_8C4787+6
		insd
		push	ebx

loc_8C4720:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+235j
		jz	short loc_8C4794
??_C@_0BM@OMOLFLGG@SdbMakeIndexKeyFromStringEx@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@

loc_8C4722:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+1Cj
					; ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+22Fj ...
		imul	ebp, [esi+67h],	53007845h
		bound	esi, fs:[eax+47h]
		db	65h
		jz	short near ptr loc_8C4778+1
		outsb

loc_8C4731:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+237j
		db	64h, 65h
		js	short $+4
		int	3		; Trap to Debugger

??_C@_0CG@LALKBFHG@Failed?5to?5upcase?5unicode?5string@NNGAKEGL@:
					; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+240j
					; DATA XREF: SdbMakeIndexKeyFromStringEx(x,x)+B1o
		inc	esi
		popa

loc_8C4738:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+23Ej
		imul	ebp, [ebp+64h],	206F7420h
		jnz	short near ptr loc_8C47AF+3
		arpl	[ecx+73h], sp

loc_8C4745:				; CODE XREF: ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@+259j
		and	gs:[ebp+6Eh], dh
		imul	esp, [ebx+6Fh],	73206564h
		jz	short near ptr loc_8C47BD+7
		imul	ebp, [esi+67h],	77252220h
		jnb	short near ptr loc_8C477A+3

loc_8C475B:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+Ej
					; DATA XREF: SdbGetIndex+AF871o
		add	[ebx+64h], dl
		bound	eax, [edi+65h]

loc_8C4761:				; CODE XREF: ??_C@_0BM@OMOLFLGG@SdbMakeIndexKeyFromStringEx@NNGAKEGL@+Dj
		jz	short near ptr loc_8C47A8+4
		outsb

loc_8C4764:				; CODE XREF: ??_C@_0BM@OMOLFLGG@SdbMakeIndexKeyFromStringEx@NNGAKEGL@+9j
		db	64h, 65h
		js	short $+4

??_C@_0DF@LGEIFGCE@Index?5tagid?50x?$CFlx?5is?5not?5referr@NNGAKEGL@:
					; DATA XREF: SdbpGetIndex+AFBB1o
		dec	ecx
		outsb
		db	64h, 65h
		js	short loc_8C478E
		jz	short loc_8C47D1

loc_8C4770:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+1Ej
		imul	esp, [si+20h], 6C257830h

loc_8C4778:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+49j
		js	short near ptr loc_8C4798+2

loc_8C477A:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+75j
		imul	esi, [ebx+20h],	20746F6Eh
		jb	short loc_8C47E8
		db	66h, 65h
		jb	short near ptr loc_8C47F8+1

loc_8C4787:				; CODE XREF: ??_C@_0BM@OMOLFLGG@SdbMakeIndexKeyFromStringEx@NNGAKEGL@+10j
		imul	ebp, [esi+67h],	206F7420h

loc_8C478E:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+86j
		jz	short loc_8C47F8
		and	gs:[ecx+6Eh], ch

loc_8C4794:				; CODE XREF: ??_C@_0BM@OMOLFLGG@SdbMakeIndexKeyFromStringEx@NNGAKEGL@:loc_8C4720j
		db	64h, 65h
		js	short loc_8C47B8

loc_8C4798:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@:loc_8C4778j
		bound	ebp, [ecx+74h]
		jnb	short $+2
		int	3		; Trap to Debugger

??_C@_0CJ@JMPLFPEH@RtlAnsiStringToUnicodeString?5fa@NNGAKEGL@:
					; DATA XREF: AslStringAnsiToUnicode(x,x)+A9o
		push	edx
		jz	short loc_8C480D
		inc	ecx
		outsb
		jnb	short loc_8C480E
		push	ebx
		jz	short loc_8C481A

loc_8C47A8:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@:loc_8C4761j
		imul	ebp, [esi+67h],	6E556F54h

loc_8C47AF:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+5Cj
		imul	esp, [ebx+6Fh],	74536564h
		jb	short near ptr loc_8C4820+1

loc_8C47B8:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@:loc_8C4794j
		outsb
		and	[bp+61h], ah

loc_8C47BD:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+6Cj
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0CJ@FKBOKAKO@Ansi?5string?5is?5too?5long?5to?5conv@NNGAKEGL@:
					; DATA XREF: AslStringAnsiToUnicode(x,x)+3Bo
		inc	ecx
		outsb
		jnb	short near ptr loc_8C4834+1
		and	[ebx+74h], dh
		jb	short near ptr loc_8C4836+4

loc_8C47D1:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+8Aj
		outsb
		and	[bx+di+73h], ch
		and	[edi+ebp*2+6Fh], dh
		and	[edi+ebp*2+6Eh], ch
		and	[si+6Fh], dh
		and	[ebx+6Fh], ah
		outsb
		jbe	short loc_8C484D

loc_8C47E8:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+9Dj
		jb	short near ptr ??_C@_1HM@GHDLPNLE@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAh?$AAx?$AA?9?$AA?$CF?$AA0@NNGAKEGL@+0Eh
		and	[ecx+74h], ah
		and	ds:41CC0064h, ah
					; DATA XREF: AslStringAnsiToUnicode(x,x):loc_A21D27o
					; AslStringAnsiToUnicode(x,x)+74o
		jnb	short near ptr ??_C@_1HM@GHDLPNLE@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAh?$AAx?$AA?9?$AA?$CF?$AA0@NNGAKEGL@+11h
		push	ebx
		jz	short near ptr ??_C@_1HM@GHDLPNLE@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAh?$AAx?$AA?9?$AA?$CF?$AA0@NNGAKEGL@+1Ah

loc_8C47F8:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@:loc_8C478Ej
					; ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+9Fj
		imul	ebp, [esi+67h],	69736E41h
		push	esp
		outsd
		push	ebp
		outsb
		imul	esp, [ebx+6Fh],	0CC006564h

??_C@_0CA@FFNDHPE@RtlStringCchPrintfW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: AslGuidToString+8A3B8o
					; AslGuidToString_UStr(x,x)+95o ...
		push	edx
		jz	short near ptr ??_C@_1HM@GHDLPNLE@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAh?$AAx?$AA?9?$AA?$CF?$AA0@NNGAKEGL@+29h

loc_8C480D:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+BBj
		push	ebx

loc_8C480E:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+BFj
		jz	short near ptr ??_C@_1HM@GHDLPNLE@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAh?$AAx?$AA?9?$AA?$CF?$AA0@NNGAKEGL@+32h
		imul	ebp, [esi+67h],	50686343h
		jb	short near ptr ??_C@_1HM@GHDLPNLE@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAh?$AAx?$AA?9?$AA?$CF?$AA0@NNGAKEGL@+32h
		outsb

loc_8C481A:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+C2j
		jz	short near ptr ??_C@_1HM@GHDLPNLE@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAh?$AAx?$AA?9?$AA?$CF?$AA0@NNGAKEGL@+32h
		push	edi
		and	[esi+61h], ah

loc_8C4820:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+D2j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[ecx+73h], al	; DATA XREF: AslGuidToString+8A3C2o
		insb
		inc	edi
		jnz	short near ptr ??_C@_1HM@GHDLPNLE@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAh?$AAx?$AA?9?$AA?$CF?$AA0@NNGAKEGL@+49h
		db	64h
		push	esp
		outsd
		push	ebx

loc_8C4834:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+E6j
		jz	short near ptr ??_C@_1HM@GHDLPNLE@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAh?$AAx?$AA?9?$AA?$CF?$AA0@NNGAKEGL@+58h

loc_8C4836:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+EBj
					; DATA XREF: AslGuidToString_UStr(x,x)+2Co ...
		imul	ebp, [esi+67h],	6C734100h
		inc	edi
		jnz	short near ptr ??_C@_1HM@GHDLPNLE@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAh?$AAx?$AA?9?$AA?$CF?$AA0@NNGAKEGL@+59h
		db	64h
		push	esp
		outsd
		push	ebx
		jz	short near ptr ??_C@_1HM@GHDLPNLE@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAh?$AAx?$AA?9?$AA?$CF?$AA0@NNGAKEGL@+68h
		imul	ebp, [esi+67h],	7453555Fh

loc_8C484D:				; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@+102j
		jb	short $+2
		int	3		; Trap to Debugger
; END OF FUNCTION CHUNK	FOR ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@
; 
; wchar_t ??_C
??_C@_1HM@GHDLPNLE@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAh?$AAx?$AA?9?$AA?$CF?$AA0@NNGAKEGL@:
					; CODE XREF: ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@:loc_8C47E8j
					; DATA XREF: AslGuidToString+3Do ...
		unicode	0, <{%08lx-%04hx-%04hx-%02hx%02hx-%02hx%02hx%02hx%02hx%02hx%0>
		unicode	0, <2hx}>,0
; 

??_C@_0BD@NJPGHOHJ@AslStringDuplicate@NNGAKEGL@: ; DATA	XREF: AslStringDuplicate:loc_8FD9FCo
					; AslStringDuplicate+AFDBBo ...
		inc	ecx
		jnb	short near ptr byte_8C493B
		push	ebx
		jz	short near ptr loc_8C4943+1
		imul	ebp, [esi+67h],	6C707544h
		imul	esp, [ebx+61h],	0CC006574h

??_C@_0BO@LFCDCAJH@RtlStringCchCopyW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: AslPathSplit+11B355o
					; AslPathSplit+11B374o	...
		push	edx
		jz	short near ptr loc_8C494E+1
		push	ebx
		jz	short near ptr loc_8C4955+3
		imul	ebp, [esi+67h],	43686343h
		outsd
		jo	short near ptr loc_8C4965+4
		push	edi
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[edx+74h], dl	; DATA XREF: AslStringDuplicate+AFD79o
		insb
		push	ebx
		jz	short loc_8C4976
		imul	ebp, [esi+67h],	4C686343h
		outs	dx, byte ptr gs:[esi]
		db	67h
		jz	near ptr 4978h
		push	edi
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[ebx+49h], dl	; DATA XREF: AslStringDuplicate+AFD86o
					; AslStringDuplicate+AFDA5o
		pop	edx
		inc	ebp
		pop	edi
		push	esp
		and	[ecx+72h], ah
		imul	esi, [eax+ebp*2+6Dh], 63697465h
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
; 
byte_8C493B	db 0			; CODE XREF: PAGE:008C48CDj
; 

??_C@_0CD@JCPPHMHK@RtlUpcaseUnicodeString?5failed?5?$FL@NNGAKEGL@:
					; DATA XREF: AslStringUpcaseToMultiByteN+AF785o
		push	edx
		jz	short near ptr ??_C@_0CL@KEPLONEJ@AslRegistryOpenSubKey?5passed?5ba@NNGAKEGL@+5
		push	ebp
		jo	short near ptr byte_8C49A5
		popa

loc_8C4943:				; CODE XREF: PAGE:008C48D0j
		jnb	short near ptr ??_C@_0CL@KEPLONEJ@AslRegistryOpenSubKey?5passed?5ba@NNGAKEGL@+4
		push	ebp
		outsb
		imul	esp, [ebx+6Fh],	74536564h

loc_8C494E:				; CODE XREF: PAGE:008C48E1j
		jb	short near ptr ??_C@_0CL@KEPLONEJ@AslRegistryOpenSubKey?5passed?5ba@NNGAKEGL@+13h
		outsb
		and	[bp+61h], ah

loc_8C4955:				; CODE XREF: PAGE:008C48E4j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0CJ@HGKEFLOG@RtlUnicodeStringToAnsiString?5fa@NNGAKEGL@:
					; DATA XREF: AslStringUpcaseToMultiByteN+AF792o
		push	edx
		jz	short near ptr ??_C@_0CL@KEPLONEJ@AslRegistryOpenSubKey?5passed?5ba@NNGAKEGL@+29h
		push	ebp
		outsb

loc_8C4965:				; CODE XREF: PAGE:008C48EEj
		imul	esp, [ebx+6Fh],	74536564h
		jb	short near ptr ??_C@_0BD@BBKBCNOK@Invalid?5value?5type@NNGAKEGL@+5
		outsb
		db	67h
		push	esp
		outsd
		inc	ecx
		outsb
		jnb	short near ptr ??_C@_0BD@BBKBCNOK@Invalid?5value?5type@NNGAKEGL@+0Dh

loc_8C4976:				; CODE XREF: PAGE:008C4902j
		push	ebx
		jz	short loc_8C49EB
		imul	ebp, [esi+67h],	69616620h
		insb
		db	65h
		and	fs:[ebx+25h], bl
		js	short loc_8C49E5
		add	ah, cl

??_C@_0BM@NEFIOBOM@AslStringUpcaseToMultiByteN@NNGAKEGL@:
					; DATA XREF: AslStringUpcaseToMultiByteN+AF76Bo
					; AslStringUpcaseToMultiByteN:loc_8FE12Eo
		inc	ecx
		jnb	short near ptr loc_8C49F7+2
		push	ebx
		jz	short near ptr loc_8C49FF+3
		imul	ebp, [esi+67h],	61637055h
		jnb	short loc_8C49FE
		push	esp
		outsd
		dec	ebp
		jnz	short near ptr ??_C@_0BP@PMIDEKOL@Failed?5to?5query?5key?5value?5?$FL?$CFx?$FN@NNGAKEGL@ ; "Failed to query key	value [%x]"
		jz	short near ptr loc_8C4A08+1
		inc	edx
		jns	short near ptr ??_C@_0BP@PMIDEKOL@Failed?5to?5query?5key?5value?5?$FL?$CFx?$FN@NNGAKEGL@+0Dh
		db	65h
		dec	esi
; 
byte_8C49A5	db 0			; CODE XREF: PAGE:008C4940j
??_C@_0CL@KEPLONEJ@AslRegistryOpenSubKey?5passed?5ba@NNGAKEGL@ db 'AslRegistryOpenSubKey passed bad Path [%x]',0
					; CODE XREF: PAGE:loc_8C4943j
					; PAGE:008C493Dj
					; DATA XREF: ...
		align 2
??_C@_0BD@BBKBCNOK@Invalid?5value?5type@NNGAKEGL@ db 'Invalid value type',0
					; CODE XREF: PAGE:008C496Cj
					; PAGE:008C4974j
					; DATA XREF: ...
; 

loc_8C49E5:				; CODE XREF: PAGE:008C4986j
		int	3		; Trap to Debugger

??_C@_0CD@LDGCFCIP@RtlInitUnicodeStringEx?5failed?5?$FL@NNGAKEGL@:
					; DATA XREF: AslRegistryGetUInt32(x,x,x)+29o
		push	edx
		jz	short near ptr ??_C@_0BG@KMCFDHP@AslRegistryOpenSubKey@NNGAKEGL@+11h
		dec	ecx
		outsb

loc_8C49EB:				; CODE XREF: PAGE:008C4977j
		imul	esi, [ebp+edx*2+6Eh], 646F6369h
		db	65h
		push	ebx
		jz	short loc_8C4A69

loc_8C49F7:				; CODE XREF: PAGE:008C498Bj
		imul	ebp, [esi+67h],	66207845h

loc_8C49FE:				; CODE XREF: PAGE:008C4997j
		popa

loc_8C49FF:				; CODE XREF: PAGE:008C498Ej
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp

loc_8C4A08:				; CODE XREF: PAGE:008C499Ej
		add	ah, cl
; 
??_C@_0BP@PMIDEKOL@Failed?5to?5query?5key?5value?5?$FL?$CFx?$FN@NNGAKEGL@ db 'Failed to query key value [%x]',0
					; CODE XREF: PAGE:008C499Cj
					; PAGE:008C49A1j
					; DATA XREF: ...
		align 2
??_C@_0BK@GEIFCLB@AslRegistryGetUInt32_UStr@NNGAKEGL@ db 'AslRegistryGetUInt32_UStr',0
					; DATA XREF: AslRegistryGetUInt32_UStr(x,x,x)+57o
					; AslRegistryGetUInt32_UStr(x,x,x)+87o
??_C@_0BG@KMCFDHP@AslRegistryOpenSubKey@NNGAKEGL@ db 'AslRegistryOpenSubKey',0
					; DATA XREF: AslRegistryOpenSubKey(x,x,x,x)+36o
??_C@_1CE@NMBJJGCH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ db '\',0
					; DATA XREF: BiUnloadHiveByName+36o
					; BiLoadHive+59o ...
aRegist:
		unicode	0, <Regist>
		db 72h
; 

loc_8C4A69:				; CODE XREF: PAGE:008C49F5j
		add	[ecx+0], bh
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_0DA@BGOMJCLG@Failed?5to?5allocate?5?$CFd?5bytes?5for@NNGAKEGL@ proc near
					; DATA XREF: AslRegistryBuildMachinePath+8A453o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		popa
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		and	gs:79622064h, ah
		jz	short near ptr loc_8C4AF8+5
		jnb	short near ptr loc_8C4AB2+8
		outsw
		jb	short loc_8C4ABE
		jnz	short near ptr loc_8C4B0F+4
		db	65h
		jb	short loc_8C4AC3
		imul	esp, [ebp+79h],	20h
		bound	esi, [ebp+66h]
		db	66h, 65h
		jb	short $+4
??_C@_0DA@BGOMJCLG@Failed?5to?5allocate?5?$CFd?5bytes?5for@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BF@GLMGGLJH@AslRegistryGetUInt32@NNGAKEGL@ proc near
					; DATA XREF: AslRegistryGetUInt32(x,x,x)+33o
		inc	ecx
		jnb	short loc_8C4B1D
		push	edx

loc_8C4AB2:				; CODE XREF: ??_C@_0DA@BGOMJCLG@Failed?5to?5allocate?5?$CFd?5bytes?5for@NNGAKEGL@+1Aj
		imul	esi, gs:[bp+di+74h], 65477972h
		jz	short near ptr loc_8C4B0F+3
		dec	ecx

loc_8C4ABE:				; CODE XREF: ??_C@_0DA@BGOMJCLG@Failed?5to?5allocate?5?$CFd?5bytes?5for@NNGAKEGL@+1Ej
		outsb
		jz	short ??_C@_0CN@KKHNGCDN@AslRegistryBuildUserPath?5failed@NNGAKEGL@
		xor	al, [eax]

loc_8C4AC3:				; CODE XREF: ??_C@_0DA@BGOMJCLG@Failed?5to?5allocate?5?$CFd?5bytes?5for@NNGAKEGL@+22j
		int	3		; Trap to Debugger
??_C@_0BF@GLMGGLJH@AslRegistryGetUInt32@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@ proc	near
					; DATA XREF: AslRegistryGetKey+8A4BFo

arg_59		= dword	ptr  5Dh
arg_75		= dword	ptr  79h
arg_89		= dword	ptr  8Dh
arg_A1		= dword	ptr  0A5h

		dec	esi
		jz	short near ptr loc_8C4B0F+7
		jo	short near ptr loc_8C4B26+8
		outsb
		dec	ebx
		db	65h
		jns	short near ptr loc_8C4AE6+8
		popaw
		imul	ebp, [ebp+64h],	726F6620h
		and	ds:5B207377h, ah
		and	eax, 41005D78h	; DATA XREF: AslRegistryGetKey:loc_9336ABo
		jnb	short loc_8C4B51
		push	edx

loc_8C4AE6:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+7j
		imul	esi, gs:[bp+di+74h], 65477972h
		jz	short ??_C@_0DA@HFFCFNMM@AslRegistryBuildMachinePath?5fai@NNGAKEGL@
		db	65h
		jns	short $+3

??_C@_0CN@KKHNGCDN@AslRegistryBuildUserPath?5failed@NNGAKEGL@:
					; CODE XREF: ??_C@_0BF@GLMGGLJH@AslRegistryGetUInt32@NNGAKEGL@+11j
					; DATA XREF: AslRegistryGetKey+8A4DFo
		inc	ecx
		jnb	short near ptr loc_8C4B62+1
		push	edx

loc_8C4AF8:				; CODE XREF: ??_C@_0DA@BGOMJCLG@Failed?5to?5allocate?5?$CFd?5bytes?5for@NNGAKEGL@+18j
		imul	esi, gs:[bp+di+74h], 75427972h
		imul	ebp, [esp-8+arg_59], 50726573h
		popa
		jz	short near ptr loc_8C4B70+4
		and	[esi+61h], ah

loc_8C4B0F:				; CODE XREF: ??_C@_0BF@GLMGGLJH@AslRegistryGetUInt32@NNGAKEGL@+Dj
					; ??_C@_0DA@BGOMJCLG@Failed?5to?5allocate?5?$CFd?5bytes?5for@NNGAKEGL@+20j ...
		imul	ebp, [ebp+64h],	726F6620h
		and	ds:5B207377h, ah

loc_8C4B1D:				; CODE XREF: ??_C@_0BF@GLMGGLJH@AslRegistryGetUInt32@NNGAKEGL@+1j
		and	eax, 0CC005D78h

??_C@_0BJ@MEOLBDOB@AslRegistryBuildUserPath@NNGAKEGL@:
					; DATA XREF: AslRegistryBuildUserPath+8A408o
					; AslRegistryBuildUserPath+8A426o
		inc	ecx
		jnb	short near ptr loc_8C4B90+1
		push	edx

loc_8C4B26:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+3j
		imul	esi, gs:[bp+di+74h], 75427972h
		imul	ebp, [esp-24h+arg_75], 50726573h
		popa
		jz	short near ptr loc_8C4BA1+1
		add	ah, cl

??_C@_0DA@HFFCFNMM@AslRegistryBuildMachinePath?5fai@NNGAKEGL@:
					; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+2Bj
					; DATA XREF: AslRegistryGetKey+8A4B1o
		inc	ecx
		jnb	short near ptr loc_8C4BA6+5
		push	edx
		imul	esi, gs:[bp+di+74h], 75427972h
		imul	ebp, [esp-40h+arg_89], 69686361h

loc_8C4B51:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+1Fj
		outsb
		db	65h
		push	eax
		popa
		jz	short loc_8C4BBF
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	726F6620h

loc_8C4B62:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+31j
		and	ds:5B207377h, ah
		and	eax, 41005D78h	; DATA XREF: AslRegistryBuildMachinePath+8A45Do
		jnb	short near ptr loc_8C4BDA+1
		push	edx

loc_8C4B70:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+46j
		imul	esi, gs:[bp+di+74h], 75427972h
		imul	ebp, [esp-58h+arg_A1], 69686361h
		outsb
		db	65h
		push	eax
		popa
		jz	short near ptr loc_8C4BEE+1
		add	[edx+74h], dl	; DATA XREF: AslRegistryBuildUserPath+8A3FEo
		insb
		inc	esi
		outsd
		jb	short loc_8C4BFC
		popa

loc_8C4B90:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+5Fj
		jz	short loc_8C4BD5
		jnz	short near ptr loc_8C4C05+1
		jb	short near ptr loc_8C4BF4+7
		outsb
		jz	short loc_8C4BEE
		jnb	short near ptr loc_8C4BFC+4
		jb	short near ptr loc_8C4BE7+1
		db	65h
		jns	short ??_C@_0CO@ODFLHDNN@RtlFileMapInitializeByFilePath?5@NNGAKEGL@
		popa

loc_8C4BA1:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+74j
		jz	short near ptr loc_8C4C07+4
		and	[esi+61h], ah

loc_8C4BA6:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+79j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[edx+77h], bl	; DATA XREF: AslpFileLargeMapCreate(x,x)+6Eo
		inc	ebx
		jb	short loc_8C4C1A
		popa
		jz	short near ptr loc_8C4C1A+3
		push	ebx
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb

loc_8C4BBF:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+91j
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[esi+74h], cl	; DATA XREF: AslFileMappingCreate+AFC0Co
		push	ecx
		jnz	short near ptr loc_8C4C35+1
		jb	short near ptr loc_8C4C4B+1
		dec	ecx
		outsb

loc_8C4BD5:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C4B90j
		outsw
		jb	short loc_8C4C46
		popa

loc_8C4BDA:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+A9j
		jz	short near ptr loc_8C4C44+1
		outsd
		outsb
		inc	esi
		imul	ebp, [ebp+20h],	6C696166h

loc_8C4BE7:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+D7j
		db	65h
		and	fs:[ebx+25h], bl
		js	short loc_8C4C4B

loc_8C4BEE:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+D3j
					; ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+C1j
		add	ah, cl

??_C@_0CO@ODFLHDNN@RtlFileMapInitializeByFilePath?5@NNGAKEGL@:
					; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+D9j
					; DATA XREF: AslFileMappingCreate+AFC62o ...
		push	edx
		jz	short near ptr loc_8C4C5A+5
		inc	esi

loc_8C4BF4:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+D0j
		imul	ebp, [ebp+4Dh],	6E497061h

loc_8C4BFC:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+C9j
					; ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+D5j
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		inc	edx

loc_8C4C05:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+CEj
		jns	short near ptr loc_8C4C4B+2

loc_8C4C07:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C4BA1j
		imul	ebp, [ebp+50h],	20687461h
		popaw
		imul	ebp, [ebp+64h],	20532520h
		pop	ebx

loc_8C4C1A:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+EFj
					; ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+F2j
					; DATA XREF: ...
		and	eax, 41005D78h
		jnb	short near ptr loc_8C4C8A+3
		inc	esi
		imul	ebp, [ebp+4Dh],	69707061h
		outsb
		db	67h
		inc	ebx
		jb	short near ptr loc_8C4C92+2
		popa
		jz	short near ptr loc_8C4C92+5
		add	ah, cl

??_C@_0CB@GHEHFDAF@AslFileMappingEnsure?5failed?5?$FL?$CFx@NNGAKEGL@:
					; DATA XREF: AslFileMappingGetFileKindDetail(x,x)+3Co
					; AslFileMappingGetImageTypeEx(x,x,x,x,x)+46o ...
		inc	ecx

loc_8C4C35:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+10Bj
		jnb	short loc_8C4CA3
		inc	esi
		imul	ebp, [ebp+4Dh],	69707061h
		outsb
		db	67h
		inc	ebp
		outsb

loc_8C4C44:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C4BDAj
		jnb	short near ptr loc_8C4CBA+1

loc_8C4C46:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+113j
		jb	short loc_8C4CAD
		and	[esi+61h], ah

loc_8C4C4B:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+128j
					; ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+10Dj ...
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BF@GCAEIEGC@AslFileMappingEnsure@NNGAKEGL@: ; DATA XREF:	AslFileMappingEnsure(x)+76o
		inc	ecx
		jnb	short loc_8C4CC5
		inc	esi

loc_8C4C5A:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+12Dj
		imul	ebp, [ebp+4Dh],	69707061h
		outsb
		db	67h
		inc	ebp
		outsb
		jnb	short loc_8C4CDD
		jb	short near ptr loc_8C4CCB+4
		add	ah, cl

??_C@_0CC@LALKCCNO@AslFileMappingCreateFromImageVi@NNGAKEGL@:
					; DATA XREF: AslFileMappingCreateFromImageView+8ADA3o
					; AslFileMappingCreateFromImageView+8ADC4o
		inc	ecx
		jnb	short near ptr loc_8C4CD9+2
		inc	esi
		imul	ebp, [ebp+4Dh],	69707061h
		outsb
		db	67h
		inc	ebx
		jb	short near ptr loc_8C4CE1+1
		popa
		jz	short loc_8C4CE5
		inc	esi
		jb	short near ptr loc_8C4CF0+2
		insd
		dec	ecx
		insd
		popa
		db	67h, 65h
		push	esi

loc_8C4C8A:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+15Bj
					; DATA XREF: AslFileMappingEnsureMappedAs(x,x)+77o
		imul	esp, [ebp+77h],	6C734100h
		inc	esi

loc_8C4C92:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+169j
					; ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+16Cj
		imul	ebp, [ebp+4Dh],	69707061h
		outsb
		db	67h
		inc	ebp
		outsb
		jnb	short near ptr loc_8C4D0F+6
		jb	short near ptr loc_8C4D06+1
		dec	ebp

loc_8C4CA3:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C4C35j
		popa
		jo	short near ptr loc_8C4D0F+7
		db	65h, 64h
		inc	ecx
		jnb	short $+2
		int	3		; Trap to Debugger

??_C@_0DD@GJMEFMID@File?5size?5is?50?5bytes?5yet?5ImageV@NNGAKEGL@:
					; DATA XREF: AslFileMappingCreate+AFCABo
		inc	esi

loc_8C4CAD:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C4C46j
		imul	ebp, [ebp+20h],	657A6973h
		and	[ecx+73h], ch
		and	[eax], dh

loc_8C4CBA:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C4C44j
		and	[edx+79h], ah
		jz	short near ptr loc_8C4D1D+7
		jnb	short loc_8C4CE1
		jns	short near ptr loc_8C4D27+1
		jz	short loc_8C4CE5

loc_8C4CC5:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+193j
		dec	ecx
		insd
		popa
		db	67h, 65h
		push	esi

loc_8C4CCB:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+1A4j
		imul	esp, [ebp+77h],	65736142h
		and	[edi+61h], dh
		jnb	short near ptr loc_8C4CF3+4
		jo	short loc_8C4D4B

loc_8C4CD9:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+1A9j
		db	65h
		jnb	short near ptr loc_8C4D40+1
		outsb

loc_8C4CDD:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+1A2j
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_0CK@IADOKJDF@AslpFileMappingGetFileKind?5fail@NNGAKEGL@:
					; DATA XREF: AslFileMappingCreate+AFCE3o
					; AslFileMappingCreateFromImageView+8ADBAo ...
		inc	ecx

loc_8C4CE1:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+1FBj
					; ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+1B7j
		jnb	short loc_8C4D4F
		jo	short near ptr loc_8C4D2A+1

loc_8C4CE5:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+1BAj
					; ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+1FFj
		imul	ebp, [ebp+4Dh],	69707061h
		outsb
		db	67h
		inc	edi

loc_8C4CF0:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+1BDj
		db	65h
		jz	short near ptr loc_8C4D38+1

loc_8C4CF3:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+211j
		imul	ebp, [ebp+4Bh],	20646E69h
		popaw
		imul	ebp, [ebp+64h],	20532520h
		pop	ebx

loc_8C4D06:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+1DCj
					; DATA XREF: sub_932100+14o ...
		and	eax, 41005D78h
		jnb	short near ptr loc_8C4D74+5
		jo	short loc_8C4D55

loc_8C4D0F:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+1DAj
					; ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+1E0j
		imul	ebp, [ebp+4Dh],	69707061h
		outsb
		db	67h
		inc	edi
		db	65h
		jz	short loc_8C4D63

loc_8C4D1D:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+1F9j
		imul	ebp, [ebp+4Bh],	646E69h
		int	3		; Trap to Debugger

??_C@_0CA@FHIHKCPF@AslFileMappingGetFileKindDetail@NNGAKEGL@:
					; DATA XREF: AslFileMappingGetFileKindDetail(x,x):loc_A22454o
		inc	ecx

loc_8C4D27:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+1FDj
		jnb	short loc_8C4D95
		inc	esi

loc_8C4D2A:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+21Fj
		imul	ebp, [ebp+4Dh],	69707061h
		outsb
		db	67h
		inc	edi
		db	65h
		jz	short near ptr loc_8C4D7D+1

loc_8C4D38:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C4CF0j
		imul	ebp, [ebp+4Bh],	44646E69h

loc_8C4D40:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C4CD9j
		db	65h
		jz	short loc_8C4DA4

loc_8C4D43:				; DATA XREF: AslpFileGetNtHeaderAttributes(x,x,x,x,x,x,x,x,x)+D8o
					; AslpFileQueryExportName_Vb(x,x)+135o	...
		imul	ebp, [eax+eax+45h], 70656378h

loc_8C4D4B:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+213j
		jz	short near ptr loc_8C4DB2+4
		outsd
		outsb

loc_8C4D4F:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C4CE1j
		and	[ebp+6Eh], ah
		arpl	[edi+75h], bp

loc_8C4D55:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+249j
		outsb
		jz	short loc_8C4DBD
		jb	short near ptr loc_8C4DBD+2
		and	fs:[ebx+25h], bl
		js	short loc_8C4DBD
		add	ah, cl

??_C@_0BK@JBDFECNJ@File?5mapping?5invalid?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: AslpFileMappingGetFileKind+8AD84o
					; AslpFileGetImageNtHeader(x,x)+67o
		inc	esi

loc_8C4D63:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+256j
		imul	ebp, [ebp+20h],	7070616Dh
		imul	ebp, [esi+67h],	766E6920h
		popa
		insb

loc_8C4D74:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+247j
		imul	esp, [eax+5Bh],	5D7825h

??_C@_0CF@GGCNCAGG@AslpFileGetImageNtHeader?5failed@NNGAKEGL@:
					; DATA XREF: AslpFileGetNtHeaderAttributes(x,x,x,x,x,x,x,x,x)+26o
					; AslpFileQueryExportName_Vb(x,x)+2Fo ...
		inc	ecx

loc_8C4D7D:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+271j
		jnb	short near ptr loc_8C4DE7+4
		jo	short near ptr loc_8C4DC6+1
		imul	ebp, [ebp+47h],	6D497465h
		popa
		db	67h, 65h
		dec	esi
		jz	short near ptr loc_8C4DD6+1
		db	65h
		popa
		db	64h, 65h
		jb	short near ptr loc_8C4DB2+3

loc_8C4D95:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C4D27j
		popaw
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BP@GNNEOEPF@Failed?5to?5find?5the?5Cor20Header@NNGAKEGL@:
					; DATA XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+E7o
		inc	esi
		popa

loc_8C4DA4:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C4D40j
		imul	ebp, [ebp+64h],	206F7420h
		imul	bp, [esi+64h], 7420h

loc_8C4DB2:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+2CDj
					; ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C4D4Bj
		push	6F432065h
		jb	short near ptr loc_8C4DE7+4
		xor	[eax+65h], cl
		popa

loc_8C4DBD:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+292j
					; ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+29Aj ...
		db	64h, 65h
		jb	short $+4
		int	3		; Trap to Debugger
??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@ proc near
					; DATA XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x):loc_A225BDo
					; AslFileMappingGetImageTypeEx(x,x,x,x,x)+F1o ...

arg_1C3		= dword	ptr  1C7h
arg_263		= dword	ptr  267h
arg_27F		= dword	ptr  283h
arg_29B		= dword	ptr  29Fh
arg_2D3		= dword	ptr  2D7h
arg_2F3		= dword	ptr  2F7h
arg_30F		= dword	ptr  313h
arg_373		= dword	ptr  377h
arg_38B		= dword	ptr  38Fh
arg_3A7		= dword	ptr  3ABh

; FUNCTION CHUNK AT 008C4E4B SIZE 00000455 BYTES
; FUNCTION CHUNK AT 008C52A5 SIZE 0000000F BYTES
; FUNCTION CHUNK AT 008C52D8 SIZE 00000008 BYTES

		inc	ecx
		jnb	short near ptr loc_8C4E30+1
		inc	esi

loc_8C4DC6:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+2BBj
		imul	ebp, [ebp+4Dh],	69707061h
		outsb
		db	67h
		inc	edi
		db	65h
		jz	short near ptr loc_8C4E1B+2
		insd
		popa

loc_8C4DD6:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+2C9j
		db	67h, 65h
		push	esp
		jns	short loc_8C4E4B
		db	65h
		inc	ebp
		js	short $+2
		int	3		; Trap to Debugger
??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


??_C@_0BM@LFKGHHKF@Unhandled?5ASL_FILE_KIND?3?5?$CFd@NNGAKEGL@ proc near
					; DATA XREF: AslFileMappingGetFileKindDetail(x,x)+80o
		push	ebp
		outsb
		push	6C646E61h

loc_8C4DE7:				; CODE XREF: ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@:loc_8C4D7Dj
					; ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@+2F3j
		db	65h
		and	fs:[ecx+53h], al
		dec	esp
		pop	edi
		inc	esi
		dec	ecx
		dec	esp
		inc	ebp
		pop	edi
		dec	ebx
		dec	ecx
		dec	esi
		inc	esp
		cmp	ah, [eax]
		and	eax, 73410064h	; DATA XREF: AslFileMappingGetFileKindDetail(x,x)+AEo
		insb
		inc	esi
		imul	ebp, [ebp+4Dh],	69707061h
		outsb
		db	67h
		inc	edi
		db	65h
		jz	short near ptr loc_8C4E56+1
		insd
		popa
		db	67h, 65h
		push	esp
		jns	short loc_8C4E85
		db	65h
		inc	ebp
		js	short near ptr loc_8C4E38+1
		popaw

loc_8C4E1B:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+Fj
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BH@JIFINNLN@AslPathToNetworkPathNt@NNGAKEGL@:
					; DATA XREF: AslPathToNetworkPathNt+91F4Do
		inc	ecx
		jnb	short near ptr loc_8C4E91+4
		push	eax
		popa
		jz	short near ptr loc_8C4E91+4
		push	esp
		outsd
		dec	esi

loc_8C4E30:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+1j
		db	65h
		jz	short near ptr loc_8C4EA4+6
		outsd
		jb	short near ptr loc_8C4EA0+1
		push	eax
		popa

loc_8C4E38:				; CODE XREF: ??_C@_0BM@LFKGHHKF@Unhandled?5ASL_FILE_KIND?3?5?$CFd@NNGAKEGL@+37j
		jz	short near ptr loc_8C4EA0+2
		dec	esi
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_1BC@MAMPPFNN@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAU?$AAN?$AAC?$AA?2@NNGAKEGL@:
					; DATA XREF: AslPathToNetworkPathNt:loc_92EC1Do
					; AslPathToNetworkPathNt:loc_92EC7Do
		pop	esp
		add	[edi], bh
		add	[edi], bh
		add	[eax+eax+55h], bl
		add	[esi+0], cl
		inc	ebx
??_C@_0BM@LFKGHHKF@Unhandled?5ASL_FILE_KIND?3?5?$CFd@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@

loc_8C4E4B:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+17j
		add	[eax+eax+0], bl
		add	[edx+74h], dl	; DATA XREF: AslPathSplit+11B348o
					; AslPathSplit+11B381o
		insb
		push	ebx
		jz	short near ptr loc_8C4EC7+1

loc_8C4E56:				; CODE XREF: ??_C@_0BM@LFKGHHKF@Unhandled?5ASL_FILE_KIND?3?5?$CFd@NNGAKEGL@+2Bj
		imul	ebp, [esi+67h],	43686343h
		outsd
		jo	short loc_8C4ED9
		dec	esi
		push	edi
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0N@PFKILGJP@AslPathSplit@NNGAKEGL@: ; DATA XREF: AslPathSplit:loc_8F857Do
		inc	ecx
		jnb	short loc_8C4EDF
		push	eax
		popa
		jz	short loc_8C4EDF
		push	ebx
		jo	short near ptr loc_8C4EE4+2
		imul	esi, [eax+eax-34h], 506C7341h
					; DATA XREF: AslPathCleanUstr(x):loc_A229F5o
		popa
		jz	short loc_8C4EED

loc_8C4E85:				; CODE XREF: ??_C@_0BM@LFKGHHKF@Unhandled?5ASL_FILE_KIND?3?5?$CFd@NNGAKEGL@+33j
		inc	ebx
		insb
		db	65h
		popa
		outsb
		push	ebp
		jnb	short loc_8C4F01
		jb	short near ptr loc_8C4EAB+4
		popaw

loc_8C4E91:				; CODE XREF: ??_C@_0BM@LFKGHHKF@Unhandled?5ASL_FILE_KIND?3?5?$CFd@NNGAKEGL@+47j
					; ??_C@_0BM@LFKGHHKF@Unhandled?5ASL_FILE_KIND?3?5?$CFd@NNGAKEGL@+4Bj
		imul	ebp, [ebp+64h],	74697720h
		push	756F7320h
		jb	short near ptr loc_8C4F02+1

loc_8C4EA0:				; CODE XREF: ??_C@_0BM@LFKGHHKF@Unhandled?5ASL_FILE_KIND?3?5?$CFd@NNGAKEGL@+54j
					; ??_C@_0BM@LFKGHHKF@Unhandled?5ASL_FILE_KIND?3?5?$CFd@NNGAKEGL@:loc_8C4E38j
		and	gs:[eax+6Fh], dh

loc_8C4EA4:				; CODE XREF: ??_C@_0BM@LFKGHHKF@Unhandled?5ASL_FILE_KIND?3?5?$CFd@NNGAKEGL@:loc_8C4E30j
		imul	ebp, [esi+74h],	62207265h

loc_8C4EAB:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+CBj
		db	65h
		push	20646E69h
		db	64h, 65h
		jnb	short loc_8C4F29
		imul	ebp, [esi+61h],	6E6F6974h
		and	[eax+6Fh], dh
		imul	ebp, [esi+74h],	2E7265h

; wchar_t ??_C
??_C@_15LEKKCGMK@?$AA?2?$AA?2@NNGAKEGL@: ; DATA	XREF: AslPathClean+91F70o
		pop	esp

loc_8C4EC7:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+92j
		add	[eax+eax+0], bl
		add	[ecx+73h], al	; DATA XREF: AslPathCleanUstr(x)+2B8o
					; AslpPathWildcardMakeLeaves(x)+15Fo
		insb
		jo	short near ptr loc_8C4F1C+5
		popa
		jz	short near ptr loc_8C4F3B+1
		inc	edi
		db	65h
		jz	short near ptr loc_8C4F1C+2
		outsd

loc_8C4ED9:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+9Cj
		jb	short near ptr loc_8C4F47+1
		popa
		jz	short loc_8C4F27
		outsb

loc_8C4EDF:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+AFj
					; ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+B3j
		outsw
		and	[esi+61h], ah

loc_8C4EE4:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+B6j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp

loc_8C4EED:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+C1j
					; DATA XREF: AslPathCleanUstr(x)+29Do ...
		add	[ecx+73h], al
		insb
		push	eax
		popa
		jz	short near ptr loc_8C4F57+6
		inc	ebx
		insb
		db	65h
		popa
		outsb
		push	ebp
		jnb	short loc_8C4F71
		jb	short $+2
		int	3		; Trap to Debugger

??_C@_0BK@PABECCHN@Failed?5to?5cat?5string?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: AslPathToSystemPathBuf(x,x,x)+5Bo
		inc	esi

loc_8C4F01:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+C9j
		popa

loc_8C4F02:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+DCj
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[ecx+74h], sp
		and	[ebx+74h], dh
		jb	short near ptr loc_8C4F79+2
		outsb
		and	[bp+di+25h], bl
		js	short loc_8C4F76
		add	[esi+61h], al	; DATA XREF: AslPathToSystemPathBuf(x,x,x)+30o

loc_8C4F1C:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+113j
					; ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+10Dj
		imul	ebp, [ebp+64h],	206F7420h
		arpl	[edi+70h], bp

loc_8C4F27:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+11Aj
		jns	short loc_8C4F49

loc_8C4F29:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+EFj
		jnb	short near ptr loc_8C4F9C+3
		jb	short ??_C@_0BO@EGIGDNGO@RtlStringCbCopyNW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		outsb
		and	[bp+di+25h], bl
		js	short near ptr loc_8C4F8B+6
		add	ah, cl

??_C@_0BH@FBHBCBNC@AslPathToSystemPathBuf@NNGAKEGL@:
					; DATA XREF: AslPathToSystemPathBuf(x,x,x)+3Ao
					; AslPathToSystemPathBuf(x,x,x)+65o
		inc	ecx
		jnb	short loc_8C4FA5
		push	eax
		popa

loc_8C4F3B:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+110j
		jz	short loc_8C4FA5
		push	esp
		outsd
		push	ebx
		jns	short near ptr loc_8C4FB3+2
		jz	short near ptr loc_8C4FA7+2
		insd
		push	eax
		popa

loc_8C4F47:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C4ED9j
		jz	short near ptr loc_8C4FAA+7

loc_8C4F49:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C4F27j
		inc	edx
		jnz	short loc_8C4FB2
		add	ah, cl

??_C@_0BN@EJJJFBGC@An?5RtlString?5API?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: AslPathCombine(x,x,x,x)+F4o
		inc	ecx
		outsb
		and	[edx+74h], dl
		insb
		push	ebx
		jz	short near ptr loc_8C4FC4+5

loc_8C4F57:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+131j
		imul	ebp, [esi+67h],	49504120h
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0P@HNMKLMPG@AslPathCombine@NNGAKEGL@: ; DATA XREF: AslPathCombine(x,x,x,x)+FEo
		inc	ecx
		jnb	short loc_8C4FDB
		push	eax
		popa

loc_8C4F71:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+139j
		jz	short loc_8C4FDB
		inc	ebx
		outsd
		insd

loc_8C4F76:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+155j
		bound	ebp, [ecx+6Eh]

loc_8C4F79:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+14Ej
		db	65h
		add	ah, cl

??_C@_0BJ@MDGLKPJG@RtlUShortAdd?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: AslPathWildcardFindFirst(x,x,x,x)+DFo
					; AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+85o ...
		push	edx
		jz	short near ptr loc_8C4FEA+1
		push	ebp
		push	ebx
		push	4174726Fh
		db	64h
		and	fs:[esi+61h], ah

loc_8C4F8B:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+170j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BO@EGIGDNGO@RtlStringCbCopyNW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:
					; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+169j
					; DATA XREF: AslPathWildcardFindFirst(x,x,x,x)+11Do ...
		push	edx
		jz	short loc_8C5005
		push	ebx
		jz	short near ptr loc_8C500D+1

loc_8C4F9C:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C4F29j
		imul	ebp, [esi+67h],	6F436243h
		jo	short loc_8C501E

loc_8C4FA5:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+175j
					; ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C4F3Bj
		dec	esi
		push	edi

loc_8C4FA7:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+180j
		and	[esi+61h], ah

loc_8C4FAA:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C4F47j
		imul	ebp, [ebp+64h],	78255B20h

loc_8C4FB2:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+188j
		pop	ebp

loc_8C4FB3:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+17Ej
					; DATA XREF: AslPathWildcardFindFirst(x,x,x,x):loc_A22C86o ...
		add	[ecx+73h], al
		insb
		push	eax
		popa
		jz	short loc_8C5023
		push	edi
		imul	ebp, [esp-164h+arg_1C3], 46647261h

loc_8C4FC4:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+193j
		imul	ebp, [esi+64h],	73726946h
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_0BN@CGGIFPNM@AslPathCleanUstr?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: AslPathWildcardFindFirst(x,x,x,x)+AEo
		inc	ecx
		jnb	short near ptr loc_8C503A+3
		push	eax
		popa
		jz	short near ptr loc_8C503A+3
		inc	ebx
		insb
		db	65h
		popa
		outsb
		push	ebp

loc_8C4FDB:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+1ABj
					; ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C4F71j
		jnb	short loc_8C5051
		jb	short near ptr loc_8C4FFE+1
		popaw
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp

loc_8C4FEA:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+1BBj
		add	ah, cl

??_C@_0BO@PAMJCGGK@RtlCreateUnicodeString?5failed@NNGAKEGL@:
					; DATA XREF: AslPathWildcardFindFirst(x,x,x,x)+79o
		push	edx
		jz	short loc_8C505B
		inc	ebx
		jb	short near ptr loc_8C5056+1
		popa
		jz	short near ptr loc_8C5059+1
		push	ebp
		outsb
		imul	esp, [ebx+6Fh],	74536564h

loc_8C4FFE:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+21Bj
		jb	short loc_8C5069
		outsb
		and	[bp+61h], ah

loc_8C5005:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+1D5j
					; DATA XREF: AslPathWildcardFindNext(x,x,x)+C5o
		imul	ebp, [ebp+64h],	646F4E00h

loc_8C500D:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+1D8j
		and	gs:[edi+6Eh], ch
		and	[eax+ebp*2+65h], dh
		and	[ebx+74h], dh
		popa
		arpl	[ebx+20h], bp
		ja	short near ptr loc_8C5081+6

loc_8C501E:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+1E1j
		jz	short near ptr loc_8C5081+7
		and	[ecx+6Eh], ch

loc_8C5023:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+1F7j
		jbe	short near ptr loc_8C5081+5
		insb
		imul	esp, [eax+68h],	6C646E61h
		db	65h, 2Eh
		add	ah, cl

??_C@_0DE@OOMHCHCG@NtQueryDirectoryFile?5failed?5to?5@NNGAKEGL@:
					; DATA XREF: AslPathWildcardFindNext(x,x,x)+309o
		dec	esi
		jz	short near ptr loc_8C5081+5
		jnz	short loc_8C509C
		jb	short near ptr loc_8C50AD+5
		inc	esp

loc_8C503A:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+20Dj
					; ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+211j
		imul	esi, [edx+65h],	726F7463h
		jns	short loc_8C5089
		imul	ebp, [ebp+20h],	6C696166h
		db	65h
		and	fs:[edi+ebp*2+20h], dh

loc_8C5051:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C4FDBj
		jno	short near ptr loc_8C50C5+3
		db	65h
		jb	short near ptr loc_8C50CD+2

loc_8C5056:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+22Ej
		and	[esi+65h], ch

loc_8C5059:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+231j
		js	short near ptr loc_8C50CD+2

loc_8C505B:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+22Bj
		and	[esi+69h], ah
		insb
		and	gs:[ebx+25h], bl
		js	short loc_8C50C2
		add	[ecx+73h], al	; DATA XREF: AslPathWildcardFindNext(x,x,x)+75Bo
		insb

loc_8C5069:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C4FFEj
		jo	short loc_8C50BB
		popa
		jz	short loc_8C50D6
		push	edi
		imul	ebp, [esp-204h+arg_263], 50647261h
		db	65h
		imul	ecx, gs:[esi+6Fh], 64h
		and	gs:[esi+61h], ah

loc_8C5081:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C5023j
					; ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+271j ...
		imul	ebp, [ebp+64h],	78255B20h

loc_8C5089:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+27Fj
		pop	ebp
		add	ah, cl

??_C@_0BI@KNFLDNF@AslPathWildcardFindNext@NNGAKEGL@:
					; DATA XREF: AslPathWildcardFindNext(x,x,x)+CFo
					; AslPathWildcardFindNext(x,x,x)+313o ...
		inc	ecx
		jnb	short near ptr loc_8C50F9+2
		push	eax
		popa
		jz	short near ptr loc_8C50F9+2
		push	edi
		imul	ebp, [esp-220h+arg_27F], 46647261h

loc_8C509C:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+273j
		imul	ebp, [esi+64h],	7478654Eh
		add	[ecx+73h], al	; DATA XREF: AslPathWildcardFindFirst(x,x,x,x)+366o
		insb
		jo	short loc_8C50F9
		popa
		jz	short near ptr loc_8C510E+6
		push	edi

loc_8C50AD:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+275j
		imul	ebp, [esp-23Ch+arg_29B], 41647261h
		insb
		insb
		outsd
		arpl	[ebp+61h], cx

loc_8C50BB:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C5069j
		jz	short near ptr loc_8C5119+7
		push	65646F4Eh

loc_8C50C2:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+2A1j
		and	[esi+61h], ah

loc_8C50C5:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C5051j
		imul	ebp, [ebp+64h],	206F7420h

loc_8C50CD:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+291j
					; ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C5059j
		arpl	[edx+65h], si
		popa
		jz	short near ptr loc_8C5137+1
		and	[edx+6Fh], dh

loc_8C50D6:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+2AAj
		outsd
		jz	short loc_8C50F9
		outsd
		db	66h
		and	[eax+61h], dh
		jz	short loc_8C5148
		and	[ebx+25h], bl
		js	short near ptr loc_8C5140+2
		add	[ecx+73h], al	; DATA XREF: AslPathWildcardFindFirst(x,x,x,x)+4AEo
					; AslPathWildcardFindNext(x,x,x)+664o
		insb
		jo	short near ptr loc_8C5137+4
		popa
		jz	short loc_8C5156
		push	edi
		imul	ebp, [esp-274h+arg_2D3], 50647261h
		jnz	short loc_8C516C

loc_8C50F9:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+2E5j
					; ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+315j ...
		push	65646F4Eh
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0CC@NDNNDPAJ@Failed?5to?5split?5the?5wildcard?5pa@NNGAKEGL@:
					; DATA XREF: AslPathWildcardFindFirst(x,x,x,x)+137o
		inc	esi
		popa

loc_8C510E:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+2E8j
		imul	ebp, [ebp+64h],	206F7420h
		jnb	short loc_8C5188
		insb

loc_8C5119:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C50BBj
		imul	esi, [eax+74h],	77206568h
		imul	ebp, [esp-294h+arg_2F3], 20647261h
		jo	short loc_8C518C
		jz	short loc_8C5195
		add	[ecx+73h], al	; DATA XREF: AslPathWildcardFindFirst(x,x,x,x)+330o
		insb
		jo	short near ptr loc_8C5180+3
		popa
		jz	short near ptr loc_8C519B+3
		push	edi

loc_8C5137:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+30Fj
					; ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+327j
		imul	ebp, [esp-2B0h+arg_30F], 49647261h
		outsb

loc_8C5140:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+321j
		imul	esi, [ebx+edx*2+74h], 206B6361h

loc_8C5148:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+31Cj
		popaw
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[edx+74h], dl	; DATA XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+14Co

loc_8C5156:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+32Aj
		insb
		push	ebp
		outsb
		imul	esp, [ebx+6Fh],	74536564h
		jb	short near ptr loc_8C51CA+1
		outsb
		db	67h
		inc	ebx
		bound	eax, [ebx+61h]
		jz	short loc_8C51BD
		jz	short near ptr loc_8C51DD+1

loc_8C516C:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+335j
		imul	ebp, [esi+67h],	6166204Eh
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BI@LPPODAJD@Failed?5to?5open?5dir?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+195o
		inc	esi
		popa

loc_8C5180:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+36Fj
		imul	ebp, [ebp+64h],	206F7420h

loc_8C5188:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+354j
		outsd
		jo	short near ptr loc_8C51EE+2
		outsb

loc_8C518C:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+367j
		and	[ecx+ebp*2+72h], ah
		and	[ebx+25h], bl
		js	short near ptr loc_8C51F1+1

loc_8C5195:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+369j
					; DATA XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+F0o
		add	[edx+74h], dl
		insb
		push	ebp
		outsb

loc_8C519B:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+372j
		imul	esp, [ebx+6Fh],	74536564h
		jb	short loc_8C520D
		outsb
		db	67h
		inc	ebx
		outsd
		jo	short near ptr loc_8C521D+6
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0CG@LPADCGAM@RtlUnicodeStringCatString?5faile@NNGAKEGL@:
					; DATA XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+122o
		push	edx
		jz	short loc_8C5227
		push	ebp
		outsb

loc_8C51BD:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+3A6j
		imul	esp, [ebx+6Fh],	74536564h
		jb	short loc_8C522F
		outsb
		db	67h
		inc	ebx
		popa

loc_8C51CA:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+39Ej
		jz	short near ptr loc_8C521D+2
		jz	short near ptr loc_8C523F+1
		imul	ebp, [esi+67h],	69616620h
		insb
		db	65h
		and	fs:[ebx+25h], bl
		js	short near ptr loc_8C5237+3

loc_8C51DD:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+3A8j
					; DATA XREF: AslPathWildcardFindNext(x,x,x)+6EFo ...
		add	[edx+74h], dl
		insb
		push	ebx
		jz	short near ptr loc_8C5255+1
		imul	ebp, [esi+67h],	61436243h
		jz	short near ptr loc_8C5237+4
		push	edi

loc_8C51EE:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+3C7j
		and	[esi+61h], ah

loc_8C51F1:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+3D1j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BP@NAHNFMLD@AslpPathWildcardAllocMatchNode@NNGAKEGL@:
					; DATA XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x):loc_A23C15o
		inc	ecx
		jnb	short loc_8C526B
		jo	short near ptr loc_8C5250+1
		popa
		jz	short near ptr loc_8C526B+1
		push	edi
		imul	ebp, [esp-314h+arg_373], 41647261h

loc_8C520D:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+3E0j
		insb
		insb
		outsd
		arpl	[ebp+61h], cx
		jz	short near ptr loc_8C5271+7
		push	65646F4Eh
		add	ah, cl

??_C@_0CA@NNDPHLIO@FilePath?3?5?8?$CFws?8?5?5Pattern?3?5?8?$CFws?8@NNGAKEGL@:
					; DATA XREF: AslPathWildcardFindNext(x,x,x)+328o
		inc	esi

loc_8C521D:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C51CAj
					; ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+3E6j
		imul	ebp, [ebp+50h],	3A687461h
		and	[edi], ah

loc_8C5227:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+3F7j
		and	eax, 20277377h
		and	[eax+61h], dl

loc_8C522F:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+402j
		jz	short loc_8C52A5
		db	65h
		jb	short near ptr ??_C@_1BG@MCEEPJDG@?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt@NNGAKEGL@+2
		cmp	ah, [eax]
		daa

loc_8C5237:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+419j
					; ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+429j
		and	eax, 277377h

??_C@_0CL@HJAMGFDB@AslpPathWildcardAllocMatchNode?5@NNGAKEGL@:
					; DATA XREF: AslPathWildcardFindNext(x,x,x)+683o
		inc	ecx
		jnb	short near ptr loc_8C52A9+2

loc_8C523F:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+40Aj
		jo	short near ptr loc_8C5290+1
		popa
		jz	short loc_8C52AC
		push	edi
		imul	ebp, [esp-32Ch+arg_38B], 41647261h
		insb
		insb
		outsd

loc_8C5250:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+43Dj
		arpl	[ebp+61h], cx
		jz	short near ptr ??_C@_1CM@JBIGCHCD@?$AA?$CF?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt?$AA?$CF?$AA?2?$AAs?$AAy@NNGAKEGL@+2

loc_8C5255:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+420j
		push	65646F4Eh
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BL@DFNMDNKJ@AslpPathWildcardMakeLeaves@NNGAKEGL@:
					; DATA XREF: AslpPathWildcardMakeLeaves(x)+169o
		inc	ecx
		jnb	short near ptr loc_8C52D6+1

loc_8C526B:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+43Bj
					; ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+440j
		jo	short near ptr loc_8C52BB+2
		popa
		jz	short loc_8C52D8
		push	edi

loc_8C5271:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+451j
		imul	ebp, [esp-348h+arg_3A7], 4D647261h
		popa
		imul	esp, [ebp+4Ch],	65h
		popa
		jbe	short near ptr ??_C@_1BI@CLEAEAIO@?$AA?$CF?$AAs?$AAy?$AAs?$AAn?$AAa?$AAt?$AAi?$AAv?$AAe?$AA?$CF@NNGAKEGL@+4
		jnb	short $+2
		int	3		; Trap to Debugger

??_C@_0BL@JLFODMA@AslEnvVarQuery?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: AslEnvExpandStrings+92016o
		inc	ecx
		jnb	short near ptr loc_8C52F0+3
		inc	ebp
		outsb
		jbe	short near ptr byte_8C52E1
		popa
		jb	short near ptr loc_8C52DE+1
		jnz	short near ptr loc_8C52F0+5

loc_8C5290:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C523Fj
		jb	short near ptr loc_8C5309+2
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl
; END OF FUNCTION CHUNK	FOR ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@
; 
; wchar_t ??_C
??_C@_1BG@MCEEPJDG@?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt@NNGAKEGL@	dd offset loc_790072+1
					; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+46Fj
					; DATA XREF: AslEnvVarQuery+11o ...
		db 73h
; 
; START	OF FUNCTION CHUNK FOR ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@

loc_8C52A5:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C522Fj
		add	[eax+eax+65h], dh

loc_8C52A9:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+47Bj
		add	[ebp+0], ch

loc_8C52AC:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+480j
		jb	short $+2
		outsd
		add	[edi+0], ch
		jz	short $+2
; END OF FUNCTION CHUNK	FOR ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1CM@JBIGCHCD@?$AA?$CF?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt?$AA?$CF?$AA?2?$AAs?$AAy@NNGAKEGL@	proc near
					; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+491j
					; DATA XREF: .data:off_6B306Co	...
		and	eax, 79007300h

loc_8C52BB:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C526Bj
		add	[ebx+0], dh
		jz	short $+2
		add	gs:[ebp+0], ch
		jb	short $+2
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	eax, 73005C00h
		add	[ecx+0], bh
		jnb	short $+2

loc_8C52D6:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+4A7j
		jz	short $+2
??_C@_1CM@JBIGCHCD@?$AA?$CF?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt?$AA?$CF?$AA?2?$AAs?$AAy@NNGAKEGL@	endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@

loc_8C52D8:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+4ACj
		add	gs:[ebp+0], ch
		xor	eax, [eax]

loc_8C52DE:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+4CAj
		xor	al, [eax]
; END OF FUNCTION CHUNK	FOR ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@
; 
		db 0
byte_8C52E1	db 0			; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+4C7j
; 

??_C@_1BI@CLEAEAIO@?$AA?$CF?$AAs?$AAy?$AAs?$AAn?$AAa?$AAt?$AAi?$AAv?$AAe?$AA?$CF@NNGAKEGL@:
					; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+4BDj
					; DATA XREF: .data:006B3078o
		and	eax, 79007300h
		add	[ebx+0], dh
		outsb
		add	[ecx+0], ah
		jz	short $+2

loc_8C52F0:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+4C3j
					; ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@+4CCj
		imul	eax, [eax], 650076h
; 
		dw 25h
		db 2 dup(0)
; 

??_C@_0CA@IDIOIIBO@AslEnvExpandStrings?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: AslEnvExpandStrings2+92146o
		inc	ecx
		jnb	short loc_8C5369
		inc	ebp
		outsb
		jbe	short ??_C@_0BP@FBDBOKFK@AslpEnvResolveVars?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		js	short loc_8C5373
		popa
		outsb
		db	64h
		push	ebx
		jz	short near ptr loc_8C5375+6

loc_8C5309:				; CODE XREF: ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@:loc_8C5290j
		imul	ebp, [esi+67h],	61662073h
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
; 
		db 0
; 

??_C@_1BG@IBFJLDBC@?$AA?$CF?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AA3?$AA2?$AA?$CF@NNGAKEGL@:
					; DATA XREF: .data:off_6B3068o
		and	eax, 79007300h
		add	[ebx+0], dh
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		and	eax, 41000000h	; DATA XREF: AslEnvExpandStrings2:loc_92E936o
					; AslEnvExpandStrings2:loc_92E962o
		jnb	short near ptr loc_8C5399+6
		inc	ebp
		outsb
		jbe	short loc_8C537C
		js	short loc_8C53A9
		popa
		outsb
		db	64h
		push	ebx
		jz	short near ptr loc_8C53B0+1
		imul	ebp, [esi+67h],	0CC003273h

??_C@_0BP@FBDBOKFK@AslpEnvResolveVars?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:
					; CODE XREF: PAGE:008C52FFj
					; DATA XREF: AslEnvExpandStrings2+92139o
		inc	ecx
		jnb	short loc_8C53B5
		jo	short near ptr loc_8C538F+1
		outsb
		jbe	short near ptr loc_8C5399+7
		db	65h
		jnb	short near ptr loc_8C53BE+2
		insb
		jbe	short loc_8C53B9
		push	esi
		popa
		jb	short loc_8C53CB
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BE@MJPLEBLE@AslEnvExpandStrings@NNGAKEGL@: ; DATA XREF: AslEnvExpandStrings+92020o
		inc	ecx
		jnb	short near ptr loc_8C53CF+6

loc_8C5369:				; CODE XREF: PAGE:008C52FBj
		inc	ebp
		outsb
		jbe	short near ptr loc_8C53B0+2
		js	short near ptr loc_8C53DD+2
		popa
		outsb
		db	64h
		push	ebx

loc_8C5373:				; CODE XREF: PAGE:008C5301j
		jz	short loc_8C53E7

loc_8C5375:				; CODE XREF: PAGE:008C5307j
					; DATA XREF: AslEnvExpandStrings2:loc_92E916o
		imul	ebp, [esi+67h],	73410073h

loc_8C537C:				; CODE XREF: PAGE:008C5335j
		insb
		jo	short loc_8C53C4
		outsb
		jbe	short near ptr loc_8C53CF+5
		db	65h
		jnb	short loc_8C53F4
		insb
		jbe	short near ptr loc_8C53EC+1
		push	esi
		popa
		jb	short near ptr loc_8C53FB+4
		and	[esi+61h], ah

loc_8C538F:				; CODE XREF: PAGE:008C5349j
		imul	ebp, [ebp+64h],	206F7420h
		popaw

loc_8C5399:				; CODE XREF: PAGE:008C5331j
					; PAGE:008C534Cj
		imul	ebp, [eax+70h],	65706F72h
		jb	short near ptr loc_8C540A+5
		jns	short loc_8C53C5
		outsw
		jb	short near ptr loc_8C53C8+1

loc_8C53A9:				; CODE XREF: PAGE:008C5337j
		outsb
		jnz	short loc_8C5418
		insb
		and	[edx+75h], ah

loc_8C53B0:				; CODE XREF: PAGE:008C533Dj
					; PAGE:008C536Bj
		db	66h, 66h, 65h
		jb	short $+5

loc_8C53B5:				; CODE XREF: PAGE:008C5347j
		int	3		; Trap to Debugger

??_C@_0BD@FJEPFPIH@AslpEnvResolveVars@NNGAKEGL@: ; DATA	XREF: AslpEnvResolveVars+92068o
					; AslpEnvResolveVars:loc_92EA21o
		inc	ecx
		jnb	short loc_8C5425

loc_8C53B9:				; CODE XREF: PAGE:008C5352j
		jo	short loc_8C5400
		outsb
		jbe	short loc_8C5410

loc_8C53BE:				; CODE XREF: PAGE:008C534Ej
		db	65h
		jnb	short loc_8C5430
		insb
		jbe	short loc_8C5429

loc_8C53C4:				; CODE XREF: PAGE:008C537Dj
		push	esi

loc_8C53C5:				; CODE XREF: PAGE:008C53A3j
		popa
		jb	short loc_8C543B

loc_8C53C8:				; CODE XREF: PAGE:008C53A7j
		add	ah, cl

??_C@_0HA@EFIDDFNE@Invalid?5combination?5of?5Host?1Cur@NNGAKEGL@:
					; DATA XREF: AslpEnvResolveVars+9205Eo
		dec	ecx

loc_8C53CB:				; CODE XREF: PAGE:008C5356j
		outsb
		jbe	short near ptr loc_8C542E+1
		insb

loc_8C53CF:				; CODE XREF: PAGE:008C5380j
					; PAGE:008C5367j
		imul	esp, [eax+63h],	69626D6Fh
		outsb
		popa
		jz	short loc_8C5444
		outsd
		outsb

loc_8C53DD:				; CODE XREF: PAGE:008C536Dj
		and	[edi+66h], ch
		and	[eax+6Fh], cl
		jnb	short near ptr loc_8C5458+1
		das
		inc	ebx

loc_8C53E7:				; CODE XREF: PAGE:loc_8C5373j
		jnz	short near ptr loc_8C545A+1
		jb	short near ptr loc_8C544F+1
		outsb

loc_8C53EC:				; CODE XREF: PAGE:008C5386j
		jz	short near ptr loc_8C540A+4
		jo	short near ptr loc_8C5460+2
		outsd
		arpl	[ebp+73h], sp

loc_8C53F4:				; CODE XREF: PAGE:008C5382j
		jnb	short loc_8C5465
		jb	short loc_8C5418
		popa
		jb	short near ptr loc_8C545A+4

loc_8C53FB:				; CODE XREF: PAGE:008C538Aj
		push	63657469h

loc_8C5400:				; CODE XREF: PAGE:loc_8C53B9j
		jz	short near ptr loc_8C5476+1
		jb	short near ptr loc_8C5468+1
		jnb	short near ptr loc_8C5425+1
		jo	short near ptr loc_8C5468+1
		jnb	short near ptr loc_8C547C+1

loc_8C540A:				; CODE XREF: PAGE:loc_8C53ECj
					; PAGE:008C53A1j
		db	65h
		and	fs:[edi+ebp*2+20h], dh

loc_8C5410:				; CODE XREF: PAGE:008C53BCj
		inc	ecx
		jnb	short near ptr loc_8C547C+3
		jo	short loc_8C545A
		outsb
		jbe	short loc_8C546A

loc_8C5418:				; CODE XREF: PAGE:008C53AAj
					; PAGE:008C53F6j
		db	65h
		jnb	short loc_8C548A
		insb
		jbe	short near ptr loc_8C5481+2
		push	esi
		popa
		jb	short loc_8C5495
		and	[eax+6Fh], cl

loc_8C5425:				; CODE XREF: PAGE:008C53B7j
					; PAGE:008C5404j
		jnb	short near ptr byte_8C549B
		cmp	ah, [eax]

loc_8C5429:				; CODE XREF: PAGE:008C53C2j
		and	eax, 43203478h

loc_8C542E:				; CODE XREF: PAGE:008C53CCj
		jnz	short near ptr loc_8C54A1+1

loc_8C5430:				; CODE XREF: PAGE:loc_8C53BEj
		jb	short near ptr loc_8C5495+2
		outsb
		jz	short near ptr loc_8C546E+1

loc_8C5435:				; DATA XREF: .data:006B3098o
		and	ds:25003478h, ah

loc_8C543B:				; CODE XREF: PAGE:008C53C6j
		add	[eax+0], dh
		jb	short $+2
		outsd
		add	[edi+0], ah

loc_8C5444:				; CODE XREF: PAGE:008C53D9j
		jb	short $+2
		popa
		add	[ebp+0], ch
		db	66h
		add	[ecx+0], ch
		insb

loc_8C544F:				; CODE XREF: PAGE:008C53E9j
		add	[ebp+0], ah
		jnb	short $+2
		outsb
		add	[ecx+0], ah

loc_8C5458:				; CODE XREF: PAGE:008C53E3j
		jz	short $+2

loc_8C545A:				; CODE XREF: PAGE:008C5413j
					; PAGE:loc_8C53E7j ...
		imul	eax, [eax], 650076h

loc_8C5460:				; CODE XREF: PAGE:008C53EEj
					; DATA XREF: .data:006B309Co
		and	eax, 25000000h

loc_8C5465:				; CODE XREF: PAGE:loc_8C53F4j
		add	[ebx+0], dh

loc_8C5468:				; CODE XREF: PAGE:008C5402j
					; PAGE:008C5406j
		jns	short $+2

loc_8C546A:				; CODE XREF: PAGE:008C5416j
		jnb	short $+2
		jz	short $+2

loc_8C546E:				; CODE XREF: PAGE:008C5433j
		add	gs:[ebp+0], ch
		add	fs:[edx+0], dh

loc_8C5476:				; CODE XREF: PAGE:loc_8C5400j
		imul	eax, [eax], 650076h

loc_8C547C:				; CODE XREF: PAGE:008C5408j
					; PAGE:008C5411j
		and	eax, 50005C00h

loc_8C5481:				; CODE XREF: PAGE:008C541Cj
		add	[edx+0], dh
		outsd
		add	[edi+0], ah
		jb	short $+2

loc_8C548A:				; CODE XREF: PAGE:loc_8C5418j
		popa
		add	[ebp+0], ch
		and	[eax], al
		inc	esi
		add	[ecx+0], ch
		insb

loc_8C5495:				; CODE XREF: PAGE:008C5420j
					; PAGE:loc_8C5430j
		add	[ebp+0], ah
		jnb	short $+2
; 
		db 0
byte_8C549B	db 0			; CODE XREF: PAGE:loc_8C5425j
; 

??_C@_1BC@CGIBIBCK@?$AA?$CF?$AAw?$AAi?$AAn?$AAd?$AAi?$AAr?$AA?$CF@NNGAKEGL@:
					; DATA XREF: .data:006B3088o
		and	eax, 69007700h

loc_8C54A1:				; CODE XREF: PAGE:loc_8C542Ej
		add	[esi+0], ch
		add	fs:[ecx+0], ch
		jb	short $+2
; 
		dw 25h
		db 2 dup(0)
; 

??_C@_1BK@JEOALCGP@?$AA?$CF?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt?$AA?$CF@NNGAKEGL@:
					; DATA XREF: .data:006B308Co
					; AslpEnvResolveVars+DBo
		and	eax, 79007300h
		add	[ebx+0], dh
		jz	short $+2
		add	gs:[ebp+0], ch
		jb	short $+2
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	eax, 41000000h	; DATA XREF: AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x):loc_A24096o
		jnb	short near ptr ??_C@_0BM@NMMIKIII@AslEnvGetSystem32DirPathBuf@NNGAKEGL@+0Dh
		inc	ebp
		outsb
		jbe	short near ptr loc_8C5515+1
		db	65h
		jz	short near ptr loc_8C5522+3
		jns	short loc_8C5547
		dec	esi
		popa
		jz	short near ptr ??_C@_0BM@NMMIKIII@AslEnvGetSystem32DirPathBuf@NNGAKEGL@+17h
		jbe	short near ptr ??_C@_0BM@NMMIKIII@AslEnvGetSystem32DirPathBuf@NNGAKEGL@+15h
		inc	esp
		imul	esi, [edx+50h],	46687461h
		outsd
		jb	short near ptr ??_C@_0BM@NMMIKIII@AslEnvGetSystem32DirPathBuf@NNGAKEGL@+2
		jnz	short near ptr loc_8C554B+1
		jnb	short near ptr byte_8C555D
		inc	edx
		jnz	short loc_8C5552
		add	ah, cl

??_C@_0CF@MHINMGAF@ZwQuerySystemInformation?5failed@NNGAKEGL@:
					; DATA XREF: AslEnvGetProcessWowInfo+91F65o
					; AslEnvGetProcessWowInfo+91F72o
		pop	edx
		ja	short near ptr ??_C@_0BM@NMMIKIII@AslEnvGetSystem32DirPathBuf@NNGAKEGL@+18h
		jnz	short loc_8C5558
		jb	short near ptr ??_C@_0CC@BMJNLKJB@AslEnvVerifyGuestProcessorSuppo@NNGAKEGL@+10h
		push	ebx
		jns	short near ptr ??_C@_0CC@BMJNLKJB@AslEnvVerifyGuestProcessorSuppo@NNGAKEGL@+0Dh
		jz	short near ptr ??_C@_0CC@BMJNLKJB@AslEnvVerifyGuestProcessorSuppo@NNGAKEGL@+1
		insd
		dec	ecx
		outsb
		outsw
		jb	short near ptr ??_C@_0CC@BMJNLKJB@AslEnvVerifyGuestProcessorSuppo@NNGAKEGL@+10h
		popa
		jz	short near ptr ??_C@_0CC@BMJNLKJB@AslEnvVerifyGuestProcessorSuppo@NNGAKEGL@+0Fh
		outsd
		outsb
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_1BG@LEIPKKKH@?$AA?2?$AAS?$AAy?$AAs?$AAN?$AAa?$AAt?$AAi?$AAv?$AAe@NNGAKEGL@:
					; DATA XREF: AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)+58o
		pop	esp

loc_8C5515:				; CODE XREF: PAGE:008C54CDj
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		dec	esi
		add	[ecx+0], ah
		jz	short $+2

loc_8C5522:				; CODE XREF: PAGE:008C54CFj
		imul	eax, [eax], 650076h
; 
		db 2 dup(0)
??_C@_0BM@NMMIKIII@AslEnvGetSystem32DirPathBuf@NNGAKEGL@ db 'AslEnvGetSystem32DirPathBuf',0
					; CODE XREF: PAGE:008C54E3j
					; PAGE:008C54C9j
					; DATA XREF: ...
; 

??_C@_0BI@EDMELJOD@AslEnvGetProcessWowInfo@NNGAKEGL@:
					; DATA XREF: AslEnvGetProcessWowInfo:loc_92EC0Ao
		inc	ecx

loc_8C5547:				; CODE XREF: PAGE:008C54D2j
		jnb	short near ptr loc_8C55B2+3
		inc	ebp
		outsb

loc_8C554B:				; CODE XREF: PAGE:008C54E5j
		jbe	short near ptr ??_C@_0CC@BEMDKDC@AslpFileGetModuleType?5failed?5?$FL?$CF@NNGAKEGL@+14h
		db	65h
		jz	short near ptr ??_C@_0CC@BEMDKDC@AslpFileGetModuleType?5failed?5?$FL?$CF@NNGAKEGL@+20h
		jb	short loc_8C55C1

loc_8C5552:				; CODE XREF: PAGE:008C54EAj
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_8C55A7+7
		outsd

loc_8C5558:				; CODE XREF: PAGE:008C54F1j
		ja	short loc_8C55A3
		outsb
		outsw
; 
byte_8C555D	db 0			; CODE XREF: PAGE:008C54E7j
??_C@_0CC@BMJNLKJB@AslEnvVerifyGuestProcessorSuppo@NNGAKEGL@ db	'AslEnvVerifyGuestProcessorSupport',0
					; CODE XREF: PAGE:008C54F8j
					; PAGE:008C54F6j ...
??_C@_0CC@BEMDKDC@AslpFileGetModuleType?5failed?5?$FL?$CF@NNGAKEGL@ db 'AslpFileGetModuleType failed [%x]',0
					; DATA XREF: AslFileAllocAndGetAttributes(x,x,x,x)+2E5o
; 

??_C@_0CP@DAOJOCEB@AslpFileGetFileKindDetailAttrib@NNGAKEGL@:
					; DATA XREF: AslFileAllocAndGetAttributes(x,x,x,x)+210o
					; AslpFileGetClrVersionAttribute(x,x)+92o
		inc	ecx

loc_8C55A3:				; CODE XREF: PAGE:loc_8C5558j
		jnb	short near ptr loc_8C560E+3
		jo	short near ptr loc_8C55EC+1

loc_8C55A7:				; CODE XREF: PAGE:008C5555j
		imul	ebp, [ebp+47h],	69467465h
		insb
		db	65h
		dec	ebx

loc_8C55B2:				; CODE XREF: PAGE:loc_8C5547j
		imul	ebp, [esi+64h],	61746544h
		imul	ebp, [ecx+eax*2+74h], 62697274h

loc_8C55C1:				; CODE XREF: PAGE:008C5550j
		jnz	short loc_8C5637
		and	gs:[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0CG@NCLAMMOD@AslpFileGetSizeAttributes?5faile@NNGAKEGL@:
					; DATA XREF: AslFileAllocAndGetAttributes(x,x,x,x)+16Ao
		inc	ecx
		jnb	short near ptr loc_8C563B+6
		jo	short near ptr loc_8C5617+6
		imul	ebp, [ebp+47h],	69537465h
		jp	short near ptr loc_8C5644+2
		inc	ecx
		jz	short near ptr loc_8C5656+2
		jb	short near ptr loc_8C5648+7
		bound	esi, [ebp+74h]
		db	65h
		jnb	short near ptr loc_8C5607+5

loc_8C55EC:				; CODE XREF: PAGE:008C55A5j
		popaw
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[ecx+73h], al	; DATA XREF: AslFileAllocAndGetAttributes(x,x,x,x)+19Ao
		insb
		jo	short loc_8C5643
		imul	ebp, [ebp+47h],	65567465h
		jb	short near ptr loc_8C5675+5

loc_8C5607:				; CODE XREF: PAGE:008C55E9j
		imul	ebp, [edi+6Eh],	72747441h

loc_8C560E:				; CODE XREF: PAGE:loc_8C55A3j
		imul	esp, [edx+75h],	20736574h
		popaw

loc_8C5617:				; CODE XREF: PAGE:008C55D5j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0DA@KDDLGLDA@AslpFileLargeEnsureLargeFileMap@NNGAKEGL@:
					; DATA XREF: AslFileAllocAndGetAttributes(x,x,x,x)+E5o
		inc	ecx
		jnb	short near ptr loc_8C5690+1
		jo	short near ptr loc_8C566C+1
		imul	ebp, [ebp+4Ch],	65677261h
		inc	ebp
		outsb
		jnb	short near ptr loc_8C56A7+1
		jb	short near ptr loc_8C5699+1
		dec	esp
		popa

loc_8C5637:				; CODE XREF: PAGE:loc_8C55C1j
		jb	short near ptr loc_8C569F+1
		db	65h
		inc	esi

loc_8C563B:				; CODE XREF: PAGE:008C55D3j
		imul	ebp, [ebp+4Dh],	69707061h

loc_8C5643:				; CODE XREF: PAGE:008C55FBj
		outsb

loc_8C5644:				; CODE XREF: PAGE:008C55DFj
		and	[bp+61h], ah

loc_8C5648:				; CODE XREF: PAGE:008C55E4j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[ecx+73h], al	; DATA XREF: AslFileAllocAndGetAttributes(x,x,x,x):loc_A24349o
					; AslFileAllocAndGetAttributes(x,x,x,x)+1A4o
		insb
		inc	esi

loc_8C5656:				; CODE XREF: PAGE:008C55E2j
		imul	ebp, [ebp+41h],	636F6C6Ch
		inc	ecx
		outsb
		db	64h
		inc	edi
		db	65h
		jz	short near ptr loc_8C569F+7
		jz	short near ptr loc_8C56DA+1
		jb	short near ptr loc_8C56CB+7
		bound	esi, [ebp+74h]

loc_8C566C:				; CODE XREF: PAGE:008C5625j
		db	65h
		jnb	short $+3
		int	3		; Trap to Debugger

??_C@_0CK@CHCIOBLK@AslpFileGetChecksumAttributes?5f@NNGAKEGL@:
					; DATA XREF: AslFileAllocAndGetAttributes(x,x,x,x)+2F5o
		inc	ecx
		jnb	short loc_8C56DF
		jo	short loc_8C56BB

loc_8C5675:				; CODE XREF: PAGE:008C5605j
		imul	ebp, [ebp+47h],	68437465h
		arpl	gs:[ebx+73h], bp
		jnz	short near ptr loc_8C56EF+1
		inc	ecx
		jz	short near ptr loc_8C56F5+5
		jb	short near ptr loc_8C56EF+2
		bound	esi, [ebp+74h]
		db	65h
		jnb	short near ptr loc_8C56AC+2
		popaw

loc_8C5690:				; CODE XREF: PAGE:008C5623j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp

loc_8C5699:				; CODE XREF: PAGE:008C5633j
					; DATA XREF: AslFileAllocAndGetAttributes(x,x,x,x)+290o
		add	[ecx+73h], al
		insb
		jo	short near ptr loc_8C56E3+2

loc_8C569F:				; CODE XREF: PAGE:loc_8C5637j
					; PAGE:008C5662j
		imul	ebp, [ebp+47h],	6C437465h

loc_8C56A7:				; CODE XREF: PAGE:008C5631j
		jb	short near ptr loc_8C56FE+1
		db	65h
		jb	short loc_8C571F

loc_8C56AC:				; CODE XREF: PAGE:008C568Bj
		imul	ebp, [edi+6Eh],	72747441h
		imul	esp, [edx+75h],	66206574h
		popa

loc_8C56BB:				; CODE XREF: PAGE:008C5673j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0CK@JGKPMHMO@AslpFileGetHeaderAttributesNE?5f@NNGAKEGL@:
					; DATA XREF: AslFileAllocAndGetAttributes(x,x,x,x)+2AFo
		inc	ecx
		jnb	short loc_8C5735
		jo	short near ptr loc_8C5710+1

loc_8C56CB:				; CODE XREF: PAGE:008C5667j
		imul	ebp, [ebp+47h],	65487465h
		popa
		db	64h, 65h
		jb	short loc_8C5719
		jz	short near ptr loc_8C574D+1

loc_8C56DA:				; CODE XREF: PAGE:008C5665j
		jb	short near ptr loc_8C573E+7
		bound	esi, [ebp+74h]

loc_8C56DF:				; CODE XREF: PAGE:008C5671j
		db	65h
		jnb	short loc_8C5730
		inc	ebp

loc_8C56E3:				; CODE XREF: PAGE:008C569Dj
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp

loc_8C56EF:				; CODE XREF: PAGE:008C5681j
					; PAGE:008C5686j
					; DATA XREF: ...
		add	[ecx+73h], al
		insb
		jo	short near ptr loc_8C5739+2

loc_8C56F5:				; CODE XREF: PAGE:008C5684j
		imul	ebp, [ebp+47h],	65487465h
		popa

loc_8C56FE:				; CODE XREF: PAGE:loc_8C56A7j
		db	64h, 65h
		jb	short near ptr loc_8C573E+5
		jz	short near ptr loc_8C5775+3
		jb	short near ptr loc_8C576B+4
		bound	esi, [ebp+74h]
		db	65h
		jnb	short near ptr loc_8C5757+5
		inc	ebp
		and	[esi+61h], ah

loc_8C5710:				; CODE XREF: PAGE:008C56C9j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp

loc_8C5719:				; CODE XREF: PAGE:008C56D4j
					; DATA XREF: AslFileAllocAndGetAttributes(x,x,x,x)+252o ...
		add	[ecx+73h], al
		insb
		jo	short loc_8C5765

loc_8C571F:				; CODE XREF: PAGE:008C56A9j
		imul	ebp, [ebp+47h],	65507465h
		inc	ebp
		js	short near ptr loc_8C5799+1
		outsd
		jb	short near ptr loc_8C579B+6
		dec	esi
		popa
		insd

loc_8C5730:				; CODE XREF: PAGE:loc_8C56DFj
		db	65h
		inc	ebp
		js	short loc_8C5799
		push	edi

loc_8C5735:				; CODE XREF: PAGE:008C56C7j
		jb	short loc_8C5798
		jo	short near ptr loc_8C57A5+4

loc_8C5739:				; CODE XREF: PAGE:008C56F3j
		db	65h
		jb	short near ptr loc_8C5757+5
		popaw

loc_8C573E:				; CODE XREF: PAGE:loc_8C56FEj
					; PAGE:loc_8C56DAj
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[ecx+73h], al	; DATA XREF: AslpFileGetVersionAttributes(x,x)+23o
		insb
		jo	short near ptr loc_8C578C+7

loc_8C574D:				; CODE XREF: PAGE:008C56D8j
		imul	ebp, [ebp+47h],	65567465h
		jb	short ??_C@_0BP@PMJGBMEO@LdrResFindResource?5failed?5?$FL?$CFx?$FN@NNGAKEGL@

loc_8C5757:				; CODE XREF: PAGE:008C5709j
					; PAGE:loc_8C5739j
		imul	ebp, [edi+6Eh],	72747441h
		imul	esp, [edx+75h],	736574h

loc_8C5765:				; CODE XREF: PAGE:008C571Dj
		int	3		; Trap to Debugger

??_C@_0DA@JAHKPBMF@AslpFileMakeStringVersionAttrib@NNGAKEGL@:
					; DATA XREF: AslpFileGetVersionAttributes(x,x)+6Eo
		inc	ecx
		jnb	short near ptr loc_8C57D1+4
		jo	short near ptr loc_8C57B0+1

loc_8C576B:				; CODE XREF: PAGE:008C5704j
		imul	ebp, [ebp+4Dh],	53656B61h
		jz	short loc_8C57E7

loc_8C5775:				; CODE XREF: PAGE:008C5702j
		imul	ebp, [esi+67h],	73726556h
		imul	ebp, [edi+6Eh],	72747441h
		imul	esp, [edx+75h],	20736574h
		popaw

loc_8C578C:				; CODE XREF: PAGE:008C574Bj
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[ecx+73h], al	; DATA XREF: AslpFileGetVersionAttributes(x,x)+36o

loc_8C5798:				; CODE XREF: PAGE:loc_8C5735j
		insb

loc_8C5799:				; CODE XREF: PAGE:008C5732j
					; PAGE:008C5728j
		jo	short near ptr loc_8C57DF+2

loc_8C579B:				; CODE XREF: PAGE:008C572Bj
		imul	ebp, [ebp+47h],	65567465h
		jb	short loc_8C5818

loc_8C57A5:				; CODE XREF: PAGE:008C5737j
		imul	ebp, [edi+6Eh],	636F6C42h
		imul	esp, [eax], 66h
		popa

loc_8C57B0:				; CODE XREF: PAGE:008C5769j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[eax], dh	; DATA XREF: AdtpBuildHexInt64String(x,x,x,x,x,x)+36o
		add	[eax+0], bh
		and	eax, 36004900h
		add	[eax+eax], dh
		pop	eax
; 
		db 0
		db 2 dup(0)
; 

??_C@_0BP@PMJGBMEO@LdrResFindResource?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:
					; CODE XREF: PAGE:008C5755j
					; DATA XREF: AslpFileGetVersionBlock(x,x,x)+22Bo
		dec	esp
		db	64h
		jb	short loc_8C5820
		db	65h
		jnb	short near ptr loc_8C5815+2

loc_8C57D1:				; CODE XREF: PAGE:008C5767j
		imul	ebp, [esi+64h],	6F736552h
		jnz	short near ptr ??_C@_0DB@HCBHNBKL@?$CFls?5version?5block?5after?5re?9mapp@NNGAKEGL@+24h
		arpl	[ebp+20h], sp
		popaw

loc_8C57DF:				; CODE XREF: PAGE:loc_8C5799j
		imul	ebp, [ebp+64h],	78255B20h

loc_8C57E7:				; CODE XREF: PAGE:008C5773j
		pop	ebp
		add	ah, cl

??_C@_0CD@MLDHNGPC@LdrResFindResource?5failed?5?$CFls?5?$FL@NNGAKEGL@:
					; DATA XREF: AslpFileGetVersionBlock(x,x,x)+268o
		dec	esp
		db	64h
		jb	short near ptr ??_C@_0DB@HCBHNBKL@?$CFls?5version?5block?5after?5re?9mapp@NNGAKEGL@+18h
		db	65h
		jnb	short near ptr ??_C@_0DB@HCBHNBKL@?$CFls?5version?5block?5after?5re?9mapp@NNGAKEGL@+0Fh
		imul	ebp, [esi+64h],	6F736552h
		jnz	short near ptr loc_8C586B+1
		arpl	[ebp+20h], sp
		popaw
		imul	ebp, [ebp+64h],	736C2520h
		and	[ebx+25h], bl
		js	short near ptr loc_8C5867+2
		add	ah, cl

??_C@_1BK@GKLIJHC@?$AAD?$AAi?$AAd?$AA?5?$AAn?$AAo?$AAt?$AA?5?$AAf?$AAi?$AAn?$AAd@NNGAKEGL@:
					; DATA XREF: AslpFileGetVersionBlock(x,x,x)+206o
		inc	esp
		add	[ecx+0], ch
		add	fs:[eax], ah

loc_8C5815:				; CODE XREF: PAGE:008C57CEj
		add	[esi+0], ch

loc_8C5818:				; CODE XREF: PAGE:008C57A3j
		outsd
		add	[eax+eax+20h], dh
		add	[esi+0], ah

loc_8C5820:				; CODE XREF: PAGE:008C57CBj
		imul	eax, [eax], 64006Eh
; 
		dw 0
??_C@_0DB@HCBHNBKL@?$CFls?5version?5block?5after?5re?9mapp@NNGAKEGL@ db	'%ls version block after re-mapping as image [%x]',0
					; CODE XREF: PAGE:008C57EEj
					; DATA XREF: AslpFileGetVersionBlock(x,x,x)+20Do
		align 2

??_C@_0DC@DPKBOOEO@Re?9mapped?5file?5as?5image?5to?5get?5@NNGAKEGL@:
					; DATA XREF: AslpFileGetVersionBlock(x,x,x)+1C0o
		push	edx
		db	65h
		sub	eax, 7070616Dh
		db	65h
		and	fs:[esi+69h], ah
		insb

loc_8C5867:				; CODE XREF: PAGE:008C580Aj
		and	gs:[ecx+73h], ah

loc_8C586B:				; CODE XREF: PAGE:008C57F8j
		and	[ecx+6Dh], ch
		popa
		and	gs:[si+6Fh], dh
		and	[edi+65h], ah
		jz	short near ptr loc_8C5897+2
		jbe	short loc_8C58E0
		jb	short loc_8C58F0
		imul	ebp, [edi+6Eh],	6F6C6220h
		arpl	[ebx+3Ah], bp
		and	ds:4600736Ch, ah ; DATA	XREF: AslpFileGetVersionBlock(x,x,x)+1FFo
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+0], ah

loc_8C5897:				; CODE XREF: PAGE:008C5877j
					; DATA XREF: AslpFileGetVersionBlock(x,x,x)+6Fo ...
		add	[ecx+73h], al
		insb
		jo	short near ptr loc_8C58E2+1
		imul	ebp, [ebp+47h],	65567465h
		jb	short near ptr ??_C@_0BG@NGDGBFBB@Version?5block?5invalid@NNGAKEGL@+0Eh
		imul	ebp, [edi+6Eh],	636F6C42h
		imul	eax, [eax], 52h	; DATA XREF: AslpFileGetChecksumAttributes(x,x)+ACo
					; AslpFileGetVersionBlock(x,x,x)+1A0o
		jz	short near ptr ??_C@_0BG@NGDGBFBB@Version?5block?5invalid@NNGAKEGL@+13h
		inc	esi
		imul	ebp, [ebp+4Dh],	614D7061h
		jo	short near ptr ??_C@_0BG@NGDGBFBB@Version?5block?5invalid@NNGAKEGL@+8
		imul	esp, [ebp+77h],	69616620h
		insb
		db	65h
		and	fs:[ebx+25h], bl
		js	short near ptr loc_8C5928+2
; 
		db 0
; 

??_C@_1BO@OKEPMKJE@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@NNGAKEGL@:
					; DATA XREF: .text:off_404204o
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		push	esi
		add	[ebp+0], ah

loc_8C58E0:				; CODE XREF: PAGE:008C5879j
		jb	short $+2

loc_8C58E2:				; CODE XREF: PAGE:008C589Bj
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
; 

??_C@_1CA@JGBAIPOO@?$AAF?$AAi?$AAl?$AAe?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@:
					; DATA XREF: .text:0040420Co
		inc	esi
		add	[ecx+0], ch

loc_8C58F0:				; CODE XREF: PAGE:008C587Bj
		insb
		add	[ebp+0], ah
		inc	esp
		add	[ebp+0], ah
		jnb	short $+2
		arpl	[eax], ax
		jb	short $+2
		imul	eax, [eax], 740070h
		imul	eax, [eax], 6E006Fh
; 
		dw 0
??_C@_0BG@NGDGBFBB@Version?5block?5invalid@NNGAKEGL@ db	'Version block invalid',0
					; CODE XREF: PAGE:008C58BCj
					; PAGE:008C58A5j
					; DATA XREF: ...
; 

??_C@_0DC@KHINOBN@Exception?5retrieving?5version?5bl@NNGAKEGL@:
					; DATA XREF: AslpFileGetVersionBlock(x,x,x)+3D1o
		inc	ebp
		js	short loc_8C5988
		db	65h
		jo	short near ptr loc_8C5997+5

loc_8C5928:				; CODE XREF: PAGE:008C58CBj
		imul	ebp, [edi+6Eh],	74657220h
		jb	short near ptr loc_8C5997+3
		db	65h
		jbe	short near ptr loc_8C5997+6
		outsb
		and	[bp+65h], dh
		jb	short loc_8C59AE
		imul	ebp, [edi+6Eh],	6F6C6220h
		arpl	[ebx+20h], bp
		pop	ebx
		and	eax, 66205D78h
		outsd
		jb	short near ptr loc_8C596C+2
		daa
		and	eax, 27736Ch

??_C@_0BL@FACOOBH@Version?5block?5out?5of?5range@NNGAKEGL@:
					; DATA XREF: AslpFileGetVersionBlock(x,x,x):loc_A25942o
					; AslpFileGetVersionBlock(x,x,x):loc_A259E5o
		push	esi
		db	65h
		jb	short loc_8C59CB
		imul	ebp, [edi+6Eh],	6F6C6220h
		arpl	[ebx+20h], bp
		outsd
		jnz	short near ptr loc_8C59D6+3
		and	[edi+66h], ch
		and	[edx+61h], dh
		outsb

loc_8C596C:				; CODE XREF: PAGE:008C594Cj
		db	67h, 65h
		add	ah, cl

; wchar_t ??_C
??_C@_1CA@FOECMPGO@?$AAV?$AAS?$AA_?$AAV?$AAE?$AAR?$AAS?$AAI?$AAO?$AAN?$AA_?$AAI?$AAN?$AAF?$AAO@NNGAKEGL@:
					; DATA XREF: AslpFileGetVersionBlock(x,x,x)+2FCo
		push	esi
		add	[ebx+0], dl
		pop	edi
		add	[esi+0], dl
		inc	ebp
		add	[edx+0], dl
		push	ebx
		add	[ecx+0], cl
		dec	edi
		add	[esi+0], cl
		pop	edi
		add	[ecx+0], cl

loc_8C5988:				; CODE XREF: PAGE:008C5923j
		dec	esi
		add	[esi+0], al
		dec	edi
; 
		db 3 dup(0)
; 

??_C@_0EB@PANFBJOL@LdrResFindResource?5returned?5nul@NNGAKEGL@:
					; DATA XREF: AslpFileGetVersionBlock(x,x,x)+247o
		dec	esp
		db	64h
		jb	short loc_8C59E6
		db	65h
		jnb	short loc_8C59DD

loc_8C5997:				; CODE XREF: PAGE:008C592Fj
					; PAGE:008C5925j ...
		imul	ebp, [esi+64h],	6F736552h
		jnz	short loc_8C5A12
		arpl	[ebp+20h], sp
		jb	short near ptr loc_8C5A07+3
		jz	short near ptr loc_8C5A18+4
		jb	short near ptr loc_8C5A16+1
		db	65h
		and	fs:[esi+75h], ch

loc_8C59AE:				; CODE XREF: PAGE:008C5939j
		insb
		insb
		and	[esi+65h], dh
		jb	short near ptr loc_8C5A25+3
		imul	ebp, [edi+6Eh],	6F6C6220h
		arpl	[ebx+20h], bp
		ja	short near ptr loc_8C5A25+5
		jz	short near ptr loc_8C5A25+6
		and	[ebx+74h], dh
		popa
		jz	short near ptr loc_8C5A38+6
		jnb	short near ptr loc_8C5A02+3

loc_8C59CB:				; CODE XREF: PAGE:008C5955j
		and	[ebx+25h], bl
		js	short loc_8C5A2D
		add	ah, cl

??_C@_0BL@MHNFPBOP@Version?5block?5has?5bad?5size@NNGAKEGL@:
					; DATA XREF: AslpFileGetVersionBlock(x,x,x)+29Eo
		push	esi
		db	65h
		jb	short near ptr loc_8C5A48+1

loc_8C59D6:				; CODE XREF: PAGE:008C5963j
		imul	ebp, [edi+6Eh],	6F6C6220h

loc_8C59DD:				; CODE XREF: PAGE:008C5994j
		arpl	[ebx+20h], bp
		push	62207361h
		popa

loc_8C59E6:				; CODE XREF: PAGE:008C5991j
		and	fs:[ebx+69h], dh
		jp	short loc_8C5A51
		add	ah, cl

??_C@_1DC@HCLBMGIA@?$AA?2?$AAV?$AAa?$AAr?$AAF?$AAi?$AAl?$AAe?$AAI?$AAn?$AAf?$AAo?$AA?2?$AAT?$AAr@NNGAKEGL@:
					; DATA XREF: AslpFileMakeStringVersionAttributes(x,x)+6Fo
		pop	esp
		add	[esi+0], dl
		popa
		add	[edx+0], dh
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		dec	ecx
		add	[esi+0], ch

loc_8C5A02:				; CODE XREF: PAGE:008C59C9j
		db	66h
		add	[edi+0], ch
		pop	esp

loc_8C5A07:				; CODE XREF: PAGE:008C59A3j
		add	[eax+eax+72h], dl
		add	[ecx+0], ah
		outsb
		add	[ebx+0], dh

loc_8C5A12:				; CODE XREF: PAGE:008C599Ej
		insb
		add	[ecx+0], ah

loc_8C5A16:				; CODE XREF: PAGE:008C59A7j
		jz	short $+2

loc_8C5A18:				; CODE XREF: PAGE:008C59A5j
		imul	eax, [eax], 6E006Fh
; 
		dw 0
; 

??_C@_0CC@NIKDGGIJ@AslpFileVerQueryBlock?5failed?5?$FL?$CF@NNGAKEGL@:
					; DATA XREF: AslpFileMakeStringVersionAttributes(x,x)+98o
					; AslpFileQueryVersionString(x,x,x,x,x,x)+E0o ...
		inc	ecx
		jnb	short near ptr loc_8C5A8A+5
		jo	short near ptr loc_8C5A6A+1

loc_8C5A25:				; CODE XREF: PAGE:008C59B3j
					; PAGE:008C59BFj ...
		imul	ebp, [ebp+56h],	75517265h

loc_8C5A2D:				; CODE XREF: PAGE:008C59CEj
		db	65h
		jb	short near ptr loc_8C5AA4+5
		inc	edx
		insb
		outsd
		arpl	[ebx+20h], bp
		popaw

loc_8C5A38:				; CODE XREF: PAGE:008C59C7j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
; 
		db 0
; 

??_C@_1BK@OCJLMIBB@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAn?$AAa?$AAl?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: .text:00404234o
		dec	ecx
		add	[esi+0], ch
		jz	short $+2

loc_8C5A48:				; CODE XREF: PAGE:008C59D3j
		add	gs:[edx+0], dh
		outsb
		add	[ecx+0], ah
		insb

loc_8C5A51:				; CODE XREF: PAGE:008C59EAj
		add	[esi+0], cl
		popa
		add	[ebp+0], ch
		add	gs:[eax], al

loc_8C5A5B:				; DATA XREF: .text:0040423Co
		add	[eax+eax+65h], cl
		add	[edi+0], ah
		popa
		add	[eax+eax+43h], ch
		add	[edi+0], ch

loc_8C5A6A:				; CODE XREF: PAGE:008C5A23j
		jo	short $+2
		jns	short $+2
		jb	short $+2
		imul	eax, [eax], 680067h
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BI@HCCAONKE@?$AAF?$AAi?$AAl?$AAe?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@NNGAKEGL@:
					; DATA XREF: .text:00404224o
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2

loc_8C5A8A:				; CODE XREF: PAGE:008C5A21j
		imul	eax, [eax], 6E006Fh
; 
		db 2 dup(0)
; 

??_C@_1CC@CHBCEHAO@?$AAO?$AAr?$AAi?$AAg?$AAi?$AAn?$AAa?$AAl?$AAF?$AAi?$AAl?$AAe?$AAn?$AAa?$AAm@NNGAKEGL@:
					; DATA XREF: .text:0040422Co
		dec	edi
		add	[edx+0], dh
		imul	eax, [eax], 690067h
		outsb
		add	[ecx+0], ah
		insb
		add	[esi+0], al

loc_8C5AA4:				; CODE XREF: PAGE:loc_8C5A2Dj
		imul	eax, [eax], 65006Ch
		outsb
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1BI@KBKGFMKH@?$AAC?$AAo?$AAm?$AAp?$AAa?$AAn?$AAy?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: .text:00404214o
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		popa
		add	[esi+0], ch
		jns	short $+2
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1BI@CJGIOPAN@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: .text:0040421Co
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1DE@OJGPGHCL@?$AA?2?$AAS?$AAt?$AAr?$AAi?$AAn?$AAg?$AAF?$AAi?$AAl?$AAe?$AAI?$AAn?$AAf?$AAo@NNGAKEGL@:
		pop	esp
		add	[ebx+0], dl
		jz	short $+2
		jb	short $+2
		imul	eax, [eax], 67006Eh
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
		pop	esp
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
		add	[eax+eax], dh
		inc	edx
		add	[eax], dh
		add	[eax+eax+0], bl
		add	[eax+eax+53h], bl
		add	[eax+eax+72h], dh
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
		pop	esp
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
		add	[eax+eax], dh
		inc	ebp
		add	[eax+eax], dh
		pop	esp
; 
		db 3 dup(0)
; 

??_C@_0BJ@DLBDCGBP@VersionBlock?5is?5too?5long@NNGAKEGL@:
					; DATA XREF: AslpFileVerQueryBlock(x,x,x,x)+7Fo
		push	esi
		db	65h
		jb	short loc_8C5BC3
		imul	ebp, [edi+6Eh],	636F6C42h
		imul	esp, [eax], 69h
		jnb	short near ptr loc_8C5B7A+2
		jz	short near ptr loc_8C5BC7+6
		outsd
		and	[edi+ebp*2+6Eh], ch
		db	67h
		add	ah, cl

??_C@_0BN@OIJGCAOH@VersionBlock?5not?5long?5enough@NNGAKEGL@:
					; DATA XREF: AslpFileVerQueryBlock(x,x,x,x)+AAo
		push	esi
		db	65h
		jb	short near ptr loc_8C5BD8+5
		imul	ebp, [edi+6Eh],	636F6C42h
		imul	esp, [eax], 6Eh
		outsd
		jz	short near ptr loc_8C5B95+2
		insb
		outsd
		outsb

loc_8C5B7A:				; CODE XREF: PAGE:008C5B5Aj
		and	[di+6Eh], ah
		outsd
		jnz	short near ptr loc_8C5BE7+1
		push	7341CC00h	; DATA XREF: AslpFileMakeStringVersionAttributes(x,x)+1C6o
		insb
		jo	short loc_8C5BCF
		imul	ebp, [ebp+51h],	79726575h
		push	esi
		db	65h
		jb	short ??_C@_0BO@ECMFKLEM@AslpFileGetHeaderAttributesNE@NNGAKEGL@

loc_8C5B95:				; CODE XREF: PAGE:008C5B75j
		imul	ebp, [edi+6Eh],	69727453h
		outsb
		and	[bp+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BG@IJCNELEP@AslpFileVerQueryBlock@NNGAKEGL@:
					; DATA XREF: AslpFileVerQueryBlock(x,x,x,x)+2Co
					; AslpFileVerQueryBlock(x,x,x,x)+5Eo ...
		inc	ecx
		jnb	short near ptr loc_8C5C1A+1
		jo	short near ptr loc_8C5BF5+2
		imul	ebp, [ebp+56h],	75517265h
		db	65h
		jb	short near ptr loc_8C5C34+1
		inc	edx
		insb
		outsd
		arpl	[ebx+0], bp

??_C@_0CE@OAAMAOIJ@AslpFileMakeStringVersionAttrib@NNGAKEGL@:
					; DATA XREF: AslpFileMakeStringVersionAttributes(x,x):loc_A25F2Do
		inc	ecx

loc_8C5BC3:				; CODE XREF: PAGE:008C5B4Dj
		jnb	short near ptr loc_8C5C2B+6
		jo	short loc_8C5C0D

loc_8C5BC7:				; CODE XREF: PAGE:008C5B5Cj
		imul	ebp, [ebp+4Dh],	53656B61h

loc_8C5BCF:				; CODE XREF: PAGE:008C5B87j
		jz	short near ptr loc_8C5C41+2
		imul	ebp, [esi+67h],	73726556h

loc_8C5BD8:				; CODE XREF: PAGE:008C5B67j
		imul	ebp, [edi+6Eh],	72747441h
		imul	esp, [edx+75h],	736574h

??_C@_0CB@KOMIGNHG@AslStringXmlSanitize?5failed?5?$FL?$CFx@NNGAKEGL@:
					; DATA XREF: AslpFileGetClrVersionAttribute(x,x)+114o
					; AslpFileGetHeaderAttributesNE(x,x)+B9o ...
		inc	ecx

loc_8C5BE7:				; CODE XREF: PAGE:008C5B7Fj
		jnb	short loc_8C5C55
		push	ebx
		jz	short loc_8C5C5E
		imul	ebp, [esi+67h],	536C6D58h
		popa
		outsb

loc_8C5BF5:				; CODE XREF: PAGE:008C5BAFj
		imul	esi, [ecx+ebp*2+7Ah], 61662065h
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BO@ECMFKLEM@AslpFileGetHeaderAttributesNE@NNGAKEGL@: ; CODE XREF: PAGE:008C5B92j
					; DATA XREF: AslpFileGetHeaderAttributesNE(x,x):loc_A24FD7o
		inc	ecx
		jnb	short near ptr loc_8C5C74+3
		jo	short near ptr loc_8C5C52+1

loc_8C5C0D:				; CODE XREF: PAGE:008C5BC5j
		imul	ebp, [ebp+47h],	65487465h
		popa
		db	64h, 65h
		jb	short near ptr loc_8C5C5A+1

loc_8C5C1A:				; CODE XREF: PAGE:008C5BADj
		jz	short near ptr loc_8C5C89+7
		jb	short loc_8C5C87
		bound	esi, [ebp+74h]
		db	65h
		jnb	short near ptr loc_8C5C6B+7
		inc	ebp

loc_8C5C25:				; DATA XREF: AslpFileGetNtHeaderAttributes(x,x,x,x,x,x,x,x,x)+30o
					; AslpFileGetNtHeaderAttributes(x,x,x,x,x,x,x,x,x)+E2o
		add	[ecx+73h], al
		insb
		jo	short near ptr loc_8C5C6B+6

loc_8C5C2B:				; CODE XREF: PAGE:loc_8C5BC3j
		imul	ebp, [ebp+47h],	744E7465h
		dec	eax

loc_8C5C34:				; CODE XREF: PAGE:008C5BB9j
		db	65h
		popa
		db	64h, 65h
		jb	short near ptr loc_8C5C7A+1
		jz	short near ptr loc_8C5CAF+1
		jb	short near ptr loc_8C5CA6+1
		bound	esi, [ebp+74h]

loc_8C5C41:				; CODE XREF: PAGE:loc_8C5BCFj
		db	65h
		jnb	short $+3

??_C@_0CC@HPCEKKIJ@AslpFileGetPeExportNameExeWrapp@NNGAKEGL@:
					; DATA XREF: AslpFileGetPeExportNameExeWrapper(x,x):loc_A25499o
		inc	ecx
		jnb	short loc_8C5CB3
		jo	short near ptr loc_8C5C89+6
		imul	ebp, [ebp+47h],	65507465h
		inc	ebp

loc_8C5C52:				; CODE XREF: PAGE:008C5C0Bj
		js	short near ptr loc_8C5CBF+5
		outsd

loc_8C5C55:				; CODE XREF: PAGE:loc_8C5BE7j
		jb	short near ptr loc_8C5CC8+3
		dec	esi
		popa
		insd

loc_8C5C5A:				; CODE XREF: PAGE:008C5C16j
		db	65h
		inc	ebp
		js	short near ptr loc_8C5CBF+4

loc_8C5C5E:				; CODE XREF: PAGE:008C5BEAj
		push	edi
		jb	short near ptr loc_8C5CBF+3
		jo	short near ptr loc_8C5CD1+2
		db	65h
		jb	short $+3

??_C@_0BO@FEHNCFDG@AslpFileGetHeaderAttributesPE@NNGAKEGL@:
					; DATA XREF: AslpFileGetHeaderAttributesPE(x,x)+3Eo
		inc	ecx
		jnb	short near ptr loc_8C5CD1+4
		jo	short near ptr loc_8C5CAF+2

loc_8C5C6B:				; CODE XREF: PAGE:008C5C29j
					; PAGE:008C5C21j
		imul	ebp, [ebp+47h],	65487465h
		popa

loc_8C5C74:				; CODE XREF: PAGE:008C5C09j
		db	64h, 65h
		jb	short near ptr loc_8C5CB7+2
		jz	short loc_8C5CEE

loc_8C5C7A:				; CODE XREF: PAGE:008C5C36j
		jb	short near ptr loc_8C5CE3+2
		bound	esi, [ebp+74h]
		db	65h
		jnb	short near ptr loc_8C5CD1+1
		inc	ebp
		add	[ecx+73h], al	; DATA XREF: AslpFileQueryVersionString(x,x,x,x,x,x):loc_A26387o
		insb

loc_8C5C87:				; CODE XREF: PAGE:008C5C1Cj
		jo	short near ptr loc_8C5CCD+2

loc_8C5C89:				; CODE XREF: PAGE:008C5C47j
					; PAGE:loc_8C5C1Aj
		imul	ebp, [ebp+51h],	79726575h
		push	esi
		db	65h
		jb	short near ptr loc_8C5D07+1
		imul	ebp, [edi+6Eh],	69727453h
		outsb
		db	67h
		add	ah, cl

; wchar_t ??_C
??_C@_1DI@IKFJEGJK@?$AA?2?$AAS?$AAt?$AAr?$AAi?$AAn?$AAg?$AAF?$AAi?$AAl?$AAe?$AAI?$AAn?$AAf?$AAo@NNGAKEGL@:
					; DATA XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+132o
		pop	esp
		add	[ebx+0], dl
		jz	short $+2

loc_8C5CA6:				; CODE XREF: PAGE:008C5C3Cj
		jb	short $+2
		imul	eax, [eax], 67006Eh
		inc	esi

loc_8C5CAF:				; CODE XREF: PAGE:008C5C3Aj
					; PAGE:008C5C69j
		add	[ecx+0], ch
		insb

loc_8C5CB3:				; CODE XREF: PAGE:008C5C45j
		add	[ebp+0], ah
		dec	ecx

loc_8C5CB7:				; CODE XREF: PAGE:loc_8C5C74j
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
		pop	esp

loc_8C5CBF:				; CODE XREF: PAGE:008C5C5Fj
					; PAGE:008C5C5Cj ...
		add	ds:34003000h, ah
		add	[eax+0], bl

loc_8C5CC8:				; CODE XREF: PAGE:loc_8C5C55j
		and	eax, 34003000h

loc_8C5CCD:				; CODE XREF: PAGE:loc_8C5C87j
		add	[eax+0], bl
		pop	esp

loc_8C5CD1:				; CODE XREF: PAGE:008C5C7Fj
					; PAGE:008C5C61j ...
		add	large ds:7300h,	ah
		add	[eax+eax+53h], bl
		add	[eax+eax+72h], dh
		add	[ecx+0], ch
		outsb

loc_8C5CE3:				; CODE XREF: PAGE:loc_8C5C7Aj
		add	[edi+0], ah
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah

loc_8C5CEE:				; CODE XREF: PAGE:008C5C78j
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
		pop	esp
		add	[eax], dh
		add	[eax+eax], dh
		xor	[eax], al
		cmp	[eax], eax
		xor	[eax], al
		xor	al, 0
		inc	edx
		add	[eax], dh

loc_8C5D07:				; CODE XREF: PAGE:008C5C92j
		add	[eax+eax+0], bl
; 
		db 0
; 

??_C@_1DE@NNMFAEGC@?$AA?2?$AAS?$AAt?$AAr?$AAi?$AAn?$AAg?$AAF?$AAi?$AAl?$AAe?$AAI?$AAn?$AAf?$AAo@NNGAKEGL@:
		pop	esp
		add	[ebx+0], dl
		jz	short $+2
		jb	short $+2
		imul	eax, [eax], 67006Eh
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
		pop	esp
		add	[eax], dh
		add	[eax+eax], dh
		xor	[eax], al
		cmp	[eax], eax
		xor	[eax], al
		xor	al, 0
		inc	ebp
		add	[eax+eax], dh
		pop	esp
; 
		db 3 dup(0)
; 

??_C@_0BN@JELEGGGH@AslpFileHasActiveMarkWrapper@NNGAKEGL@:
					; DATA XREF: AslpFileHasActiveMarkWrapper(x,x,x)+150o
		inc	ecx
		jnb	short loc_8C5DAF
		jo	short near ptr ??_C@_0CJ@OLKHAPFK@AslpFileHasActiveMarkWrapper?5fa@NNGAKEGL@+27h
		imul	ebp, [ebp+48h],	63417361h
		jz	short near ptr loc_8C5DB3+5
		jbe	short near ptr loc_8C5DB3+3
		dec	ebp
		popa
		jb	short loc_8C5DC0
		push	edi
		jb	short near ptr loc_8C5DB3+6
		jo	short near ptr loc_8C5DC8+2
		db	65h
		jb	short $+3
		int	3		; Trap to Debugger

; char ??_C
??_C@_04MBIOBMOF@?4ps4@NNGAKEGL@:	; DATA XREF: AslpHasStarForceWrapper(x)+2Do
		db	2Eh
		jo	short near ptr loc_8C5DCD+7
		xor	al, 0
		int	3		; Trap to Debugger
; 
??_C@_0CJ@OLKHAPFK@AslpFileHasActiveMarkWrapper?5fa@NNGAKEGL@ db 'AslpFileHasActiveMarkWrapper failed [%x]',0
					; DATA XREF: AslpFileGetExeWrapper(x,x)+B7o
		align 2

; char ??_C
??_C@_08EFCIKEPK@?4securom@NNGAKEGL@:	; DATA XREF: AslpFileHasSecuromWrapper(x)+2Do
		db	2Eh
		jnb	short near ptr loc_8C5DF3+3
		arpl	[ebp+72h], si
		outsd
		insd
		add	ah, cl

??_C@_0BG@HGDCKIPM@AslpFileGetExeWrapper@NNGAKEGL@:
					; DATA XREF: AslpFileGetExeWrapper(x,x)+47o
					; AslpFileGetExeWrapper(x,x)+A5o ...
		inc	ecx
		jnb	short loc_8C5E07
		jo	short near ptr loc_8C5DE2+1
		imul	ebp, [ebp+47h],	78457465h
		db	65h
		push	edi
		jb	short near ptr loc_8C5E09+1
		jo	short loc_8C5E1B
		db	65h
		jb	short $+3

??_C@_0DL@MCGFOHLO@AslpFileHasActiveMarkWrapper?5fa@NNGAKEGL@:
					; DATA XREF: AslpFileGetExeWrapper(x,x)+9Bo
		inc	ecx

loc_8C5DAF:				; CODE XREF: PAGE:008C5D41j
		jnb	short near ptr loc_8C5E1B+2
		jo	short near ptr loc_8C5DF3+6

loc_8C5DB3:				; CODE XREF: PAGE:008C5D4Fj
					; PAGE:008C5D4Dj ...
		imul	ebp, [ebp+48h],	63417361h
		jz	short loc_8C5E26
		jbe	short loc_8C5E24
		dec	ebp

loc_8C5DC0:				; CODE XREF: PAGE:008C5D53j
		popa
		jb	short near ptr loc_8C5E2A+4
		push	edi
		jb	short near ptr loc_8C5E26+1
		jo	short loc_8C5E38

loc_8C5DC8:				; CODE XREF: PAGE:008C5D58j
		db	65h
		jb	short loc_8C5DEB
		popaw

loc_8C5DCD:				; CODE XREF: PAGE:??_C@_04MBIOBMOF@?4ps4@NNGAKEGL@j
		imul	ebp, [ebp+64h],	69462820h
		insb
		db	65h
		push	ebx
		imul	edi, [edx+65h],	4925203Ah
		db	36h
		xor	al, 75h

loc_8C5DE2:				; CODE XREF: PAGE:008C5D9Bj
		sub	[eax], esp
		pop	ebx
		and	eax, 0CC005D78h

??_C@_0BL@MMANKHCP@File?5mapping?5not?5a?5PE?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: AslpFileGetImageNtHeader(x,x)+1Ao
		inc	esi

loc_8C5DEB:				; CODE XREF: PAGE:loc_8C5DC8j
		imul	ebp, [ebp+20h],	7070616Dh

loc_8C5DF3:				; CODE XREF: PAGE:??_C@_08EFCIKEPK@?4securom@NNGAKEGL@j
					; PAGE:008C5DB1j
		imul	ebp, [esi+67h],	746F6E20h
		and	[ecx+20h], ah
		push	eax
		inc	ebp
		and	[ebx+25h], bl
		js	short near ptr loc_8C5E60+1
		add	ah, cl

??_C@_0BJ@PNILLELB@AslpFileGetImageNtHeader@NNGAKEGL@:
					; DATA XREF: AslpFileGetImageNtHeader(x,x)+24o
					; AslpFileGetImageNtHeader(x,x):loc_A2540Fo
		inc	ecx

loc_8C5E07:				; CODE XREF: PAGE:008C5D99j
		jnb	short loc_8C5E75

loc_8C5E09:				; CODE XREF: PAGE:008C5DA7j
		jo	short loc_8C5E51
		imul	ebp, [ebp+47h],	6D497465h
		popa
		db	67h, 65h
		dec	esi
		jz	short near ptr loc_8C5E60+1
		db	65h
		popa

loc_8C5E1B:				; CODE XREF: PAGE:008C5DA9j
					; PAGE:loc_8C5DAFj
		db	64h, 65h
		jb	short $+4
		int	3		; Trap to Debugger

??_C@_0DB@FMAOEGHG@Export?5directory?5invalid?5or?5inv@NNGAKEGL@:
					; DATA XREF: AslpFileQueryExportName_Vb(x,x)+D6o
		inc	ebp
		js	short loc_8C5E93
		outsd

loc_8C5E24:				; CODE XREF: PAGE:008C5DBDj
		jb	short loc_8C5E9A

loc_8C5E26:				; CODE XREF: PAGE:008C5DBBj
					; PAGE:008C5DC4j
		and	[ecx+ebp*2+72h], ah

loc_8C5E2A:				; CODE XREF: PAGE:008C5DC1j
		arpl	gs:[edi+ebp*2+72h], si
		jns	short loc_8C5E51
		imul	ebp, [esi+76h],	64696C61h

loc_8C5E38:				; CODE XREF: PAGE:008C5DC6j
		and	[edi+72h], ch
		and	[ecx+6Eh], ch
		jbe	short near ptr loc_8C5E9D+4
		insb
		imul	esp, [eax+69h],	6567616Dh
		and	[esi+6Fh], ah
		jb	short loc_8C5EBB
		popa
		jz	short $+2

loc_8C5E51:				; CODE XREF: PAGE:loc_8C5E09j
					; PAGE:008C5E2Fj
		int	3		; Trap to Debugger

??_C@_0BO@CLFDFHEN@RtlStringCchCopyA?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: AslpFileQueryExportName_Vb(x,x)+B8o
		push	edx
		jz	short near ptr loc_8C5EC0+1
		push	ebx
		jz	short near ptr loc_8C5EC9+1
		imul	ebp, [esi+67h],	43686343h
		outsd

loc_8C5E60:				; CODE XREF: PAGE:008C5E02j
					; PAGE:008C5E17j
		jo	short near ptr loc_8C5ED8+3
		inc	ecx
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp

loc_8C5E6F:				; DATA XREF: AslpFileQueryExportName_Vb(x,x)+102o
		add	[edx+74h], dl
		insb
		dec	ecx
		insd

loc_8C5E75:				; CODE XREF: PAGE:loc_8C5E07j
		popa
		db	67h, 65h
		inc	esp
		imul	esi, [edx+65h],	726F7463h
		jns	short near ptr loc_8C5EC4+3
		outsb
		jz	short near ptr loc_8C5EF4+3
		jns	short near ptr loc_8C5ED8+3
		outsd
		inc	esp
		popa
		jz	short near ptr loc_8C5EEB+2
		and	[edx+65h], dh
		jz	short near ptr loc_8C5F05+1
		jb	short near ptr loc_8C5EFE+3

loc_8C5E93:				; CODE XREF: PAGE:008C5E21j
		db	65h
		and	fs:[ebp+78h], al
		jo	short loc_8C5F09

loc_8C5E9A:				; CODE XREF: PAGE:loc_8C5E24j
		jb	short loc_8C5F10
		inc	esp

loc_8C5E9D:				; CODE XREF: PAGE:008C5E3Ej
		imul	esi, [edx+65h],	726F7463h
		jns	short near ptr loc_8C5EC4+2
		jz	short loc_8C5F10
		popa
		jz	short loc_8C5ECB
		ja	short loc_8C5F0E
		jnb	short near ptr loc_8C5ECD+2
		jz	short near ptr loc_8C5F1A+6
		outsd
		and	[ebx+6Dh], dh
		popa
		insb
		insb
		add	ah, cl

??_C@_0FJ@OHHJCKPF@Export?5directory?5pointer?5invali@NNGAKEGL@:
					; DATA XREF: AslpFileQueryExportName_Vb(x,x)+EAo
		inc	ebp

loc_8C5EBB:				; CODE XREF: PAGE:008C5E4Cj
		js	short loc_8C5F2D
		outsd
		jb	short near ptr loc_8C5F2D+7

loc_8C5EC0:				; CODE XREF: PAGE:008C5E53j
		and	[ecx+ebp*2+72h], ah

loc_8C5EC4:				; CODE XREF: PAGE:008C5EA4j
					; PAGE:008C5E80j
		arpl	gs:[edi+ebp*2+72h], si

loc_8C5EC9:				; CODE XREF: PAGE:008C5E56j
		jns	short loc_8C5EEB

loc_8C5ECB:				; CODE XREF: PAGE:008C5EA9j
		jo	short near ptr loc_8C5F3B+1

loc_8C5ECD:				; CODE XREF: PAGE:008C5EADj
		imul	ebp, [esi+74h],	69207265h
		outsb
		jbe	short ??_C@_0BL@NLHJLBPA@AslpFileQueryExportName_Vb@NNGAKEGL@
		insb

loc_8C5ED8:				; CODE XREF: PAGE:loc_8C5E60j
					; PAGE:008C5E85j
		imul	esp, [eax+28h],	6E696F70h
		jz	short loc_8C5F55
		and	[edi+ebp*2+20h], dh
		insb
		outsd
		arpl	[ecx+74h], sp

loc_8C5EEB:				; CODE XREF: PAGE:loc_8C5EC9j
					; PAGE:008C5E8Aj
		imul	ebp, [edi+6Eh],	74756F20h
		jnb	short near ptr loc_8C5F59+4

loc_8C5EF4:				; CODE XREF: PAGE:008C5E83j
		db	64h
		and	gs:[esi+69h], ah
		insb
		sub	gs:[eax], ebp

loc_8C5EFE:				; CODE XREF: PAGE:008C5E91j
		imul	ebp, [esi+76h],	64696C61h

loc_8C5F05:				; CODE XREF: PAGE:008C5E8Fj
		and	[ecx+6Dh], ch
		popa

loc_8C5F09:				; CODE XREF: PAGE:008C5E98j
		and	gs:[bp+6Fh], ah

loc_8C5F0E:				; CODE XREF: PAGE:008C5EABj
		jb	short loc_8C5F7D

loc_8C5F10:				; CODE XREF: PAGE:loc_8C5E9Aj
					; PAGE:008C5EA6j
		popa
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_0CD@HDIACEIF@AslStringAnsiToUnicode?5failed?5?$FL@NNGAKEGL@:
					; DATA XREF: AslpFileGet16BitDescription(x,x)+75o
					; AslpFileGet16BitModuleName(x,x)+75o ...
		inc	ecx
		jnb	short near ptr loc_8C5F7D+6
		push	ebx
		jz	short loc_8C5F8C

loc_8C5F1A:				; CODE XREF: PAGE:008C5EAFj
		imul	ebp, [esi+67h],	69736E41h
		push	esp
		outsd
		push	ebp
		outsb
		imul	esp, [ebx+6Fh],	66206564h
		popa

loc_8C5F2D:				; CODE XREF: PAGE:loc_8C5EBBj
					; PAGE:008C5EBEj
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BL@NLHJLBPA@AslpFileQueryExportName_Vb@NNGAKEGL@: ; CODE	XREF: PAGE:008C5ED5j
					; DATA XREF: AslpFileQueryExportName_Vb(x,x):loc_73A7A6o ...
		inc	ecx
		jnb	short loc_8C5FA7

loc_8C5F3B:				; CODE XREF: PAGE:loc_8C5ECBj
		jo	short near ptr loc_8C5F7D+6
		imul	ebp, [ebp+51h],	79726575h
		inc	ebp
		js	short near ptr loc_8C5FB1+7
		outsd
		jb	short loc_8C5FBF
		dec	esi
		popa
		insd
		db	65h
		pop	edi
		push	esi
		bound	eax, [eax]
		int	3		; Trap to Debugger

??_C@_0CE@GHMPLADB@AslpFileQueryExportName?5failed?5@NNGAKEGL@:
					; DATA XREF: AslpFileGetExportName(x,x)+55o
		inc	ecx

loc_8C5F55:				; CODE XREF: PAGE:008C5EE0j
		jnb	short near ptr loc_8C5FC2+1
		jo	short near ptr loc_8C5F9E+1

loc_8C5F59:				; CODE XREF: PAGE:008C5EF2j
		imul	ebp, [ebp+51h],	79726575h
		inc	ebp
		js	short near ptr loc_8C5FD3+1
		outsd
		jb	short near ptr loc_8C5FDA+1
		dec	esi
		popa
		insd
		and	gs:[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	[ecx+73h], al	; DATA XREF: AslpFileGetExportName(x,x):loc_A24EF6o
		insb
		jo	short near ptr loc_8C5FC2+1

loc_8C5F7D:				; CODE XREF: PAGE:loc_8C5F0Ej
					; PAGE:008C5F15j ...
		imul	ebp, [ebp+47h],	78457465h
		jo	short loc_8C5FF6
		jb	short near ptr loc_8C5FF9+4
		dec	esi
		popa
		insd

loc_8C5F8C:				; CODE XREF: PAGE:008C5F18j
					; DATA XREF: AslpFileQuery16BitModuleName(x,x):loc_A2611Co ...
		add	gs:[ecx+73h], al
		insb
		jo	short near ptr loc_8C5FD8+1
		imul	ebp, [ebp+51h],	79726575h
		xor	[esi], esi
		inc	edx

loc_8C5F9E:				; CODE XREF: PAGE:008C5F57j
		imul	esi, [ebp+ecx*2+6Fh], 656C7564h
		dec	esi

loc_8C5FA7:				; CODE XREF: PAGE:008C5F39j
		popa
		insd
		db	65h
		add	ah, cl

??_C@_0FA@BMENCCAD@AslpFileGetChecksumAttributes?5c@NNGAKEGL@:
					; DATA XREF: AslpFileGetChecksumAttributes(x,x)+1Fo
		inc	ecx
		jnb	short near ptr loc_8C6017+4
		jo	short loc_8C5FF7

loc_8C5FB1:				; CODE XREF: PAGE:008C5F46j
		imul	ebp, [ebp+47h],	68437465h
		arpl	gs:[ebx+73h], bp
		jnz	short loc_8C602C

loc_8C5FBF:				; CODE XREF: PAGE:008C5F49j
		inc	ecx
		jz	short near ptr loc_8C6035+1

loc_8C5FC2:				; CODE XREF: PAGE:loc_8C5F55j
					; PAGE:008C5F7Bj
		jb	short near ptr loc_8C602C+1
		bound	esi, [ebp+74h]
		db	65h
		jnb	short near ptr loc_8C5FE7+3
		arpl	[ecx+6Ch], sp
		insb
		db	65h
		and	fs:[edi+69h], dh

loc_8C5FD3:				; CODE XREF: PAGE:008C5F62j
		jz	short loc_8C603D
		and	[ecx+20h], ah

loc_8C5FD8:				; CODE XREF: PAGE:008C5F91j
		jo	short near ptr loc_8C6035+6

loc_8C5FDA:				; CODE XREF: PAGE:008C5F65j
		jb	short near ptr loc_8C604F+1
		imul	esp, [ecx+6Ch],	65697620h
		ja	short loc_8C6005
		ja	short loc_8C604F

loc_8C5FE7:				; CODE XREF: PAGE:008C5FC7j
		imul	esp, [ebx+68h],	20736920h
		outsb
		outsd
		jz	short near ptr loc_8C600E+4
		jnb	short near ptr loc_8C6068+1
		jo	short near ptr loc_8C605F+7

loc_8C5FF6:				; CODE XREF: PAGE:008C5F85j
		outsd

loc_8C5FF7:				; CODE XREF: PAGE:008C5FAFj
		jb	short near ptr loc_8C6068+5

loc_8C5FF9:				; CODE XREF: PAGE:008C5F87j
					; DATA XREF: AslpFileQuery16BitDescription(x,x):loc_A25FC5o ...
		db	65h
		add	fs:[esi+69h], al
		insb
		and	gs:[ebp+61h], ch
		jo	short near ptr loc_8C6073+2

loc_8C6005:				; CODE XREF: PAGE:008C5FE3j
		imul	ebp, [esi+67h],	766E6920h
		popa
		insb

loc_8C600E:				; CODE XREF: PAGE:008C5FF0j
					; DATA XREF: AslpFileQuery16BitDescription(x,x):loc_A26000o ...
		imul	esp, [eax+eax-34h], 706C7341h
		inc	esi

loc_8C6017:				; CODE XREF: PAGE:008C5FADj
		imul	ebp, [ebp+51h],	79726575h
		xor	[esi], esi
		inc	edx
		imul	esi, [esp+eax*2+65h], 69726373h
		jo	short near ptr loc_8C609F+1

loc_8C602C:				; CODE XREF: PAGE:008C5FBDj
					; PAGE:loc_8C5FC2j
					; DATA XREF: ...
		imul	ebp, [edi+6Eh],	6C734100h
		jo	short loc_8C607B

loc_8C6035:				; CODE XREF: PAGE:008C5FC0j
					; PAGE:loc_8C5FD8j
		imul	ebp, [ebp+51h],	79726575h

loc_8C603D:				; CODE XREF: PAGE:loc_8C5FD3j
		xor	[esi], esi
		inc	edx
		imul	esi, [ebp+ecx*2+6Fh], 656C7564h
		dec	esi
		popa
		insd
		and	gs:[esi+61h], ah

loc_8C604F:				; CODE XREF: PAGE:008C5FE5j
					; PAGE:loc_8C5FDAj
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BL@EJPFEEEP@AslpFileGet16BitModuleName@NNGAKEGL@:
					; DATA XREF: AslpFileGet16BitModuleName(x,x):loc_A2474Fo
		inc	ecx
		jnb	short loc_8C60C9
		jo	short loc_8C60A5

loc_8C605F:				; CODE XREF: PAGE:008C5FF4j
		imul	ebp, [ebp+47h],	36317465h
		inc	edx

loc_8C6068:				; CODE XREF: PAGE:008C5FF2j
					; PAGE:loc_8C5FF7j
		imul	esi, [ebp+ecx*2+6Fh], 656C7564h
		dec	esi
		popa
		insd

loc_8C6073:				; CODE XREF: PAGE:008C6003j
		db	65h
		add	ah, cl

??_C@_0CK@NDCMLJOK@AslpFileQuery16BitDescription?5f@NNGAKEGL@:
					; DATA XREF: AslpFileGet16BitDescription(x,x)+55o
		inc	ecx
		jnb	short near ptr loc_8C60E1+4
		jo	short loc_8C60C1

loc_8C607B:				; CODE XREF: PAGE:008C6033j
		imul	ebp, [ebp+51h],	79726575h
		xor	[esi], esi
		inc	edx
		imul	esi, [esp+eax*2+65h], 69726373h
		jo	short near ptr loc_8C6103+1
		imul	ebp, [edi+6Eh],	69616620h
		insb
		db	65h
		and	fs:[ebx+25h], bl
		js	short near ptr loc_8C60FB+1

loc_8C609F:				; CODE XREF: PAGE:008C602Aj
					; DATA XREF: AslpFileGet16BitDescription(x,x):loc_A246B1o
		add	[ecx+73h], al
		insb
		jo	short loc_8C60EB

loc_8C60A5:				; CODE XREF: PAGE:008C605Dj
		imul	ebp, [ebp+47h],	36317465h
		inc	edx
		imul	esi, [esp+eax*2+65h], 69726373h
		jo	short near ptr loc_8C612B+1
		imul	ebp, [edi+6Eh],	6C734100h
					; DATA XREF: AslpFileGetClrVersionAttribute(x,x):loc_A24B85o
		jo	short near ptr loc_8C6103+4

loc_8C60C1:				; CODE XREF: PAGE:008C6079j
		imul	ebp, [ebp+47h],	6C437465h

loc_8C60C9:				; CODE XREF: PAGE:008C605Bj
		jb	short near ptr loc_8C611F+2
		db	65h
		jb	short near ptr loc_8C6140+1
		imul	ebp, [edi+6Eh],	72747441h
		imul	esp, [edx+75h],	0CC006574h

??_C@_0CC@HLMBHAHE@AslpFileGetClrVersion?5failed?5?$FL?$CF@NNGAKEGL@:
					; DATA XREF: AslpFileGetClrVersionAttribute(x,x)+CCo
		inc	ecx
		jnb	short near ptr loc_8C6149+2
		jo	short near ptr loc_8C6126+1

loc_8C60E1:				; CODE XREF: PAGE:008C6077j
		imul	ebp, [ebp+47h],	6C437465h
		jb	short near ptr loc_8C6140+1

loc_8C60EB:				; CODE XREF: PAGE:008C60A3j
		db	65h
		jb	short near ptr loc_8C6160+1
		imul	ebp, [edi+6Eh],	69616620h
		insb
		db	65h
		and	fs:[ebx+25h], bl

loc_8C60FB:				; CODE XREF: PAGE:008C609Dj
		js	short loc_8C615A
		add	[ecx+73h], al	; DATA XREF: AslpFileGetChecksum(x,x)+ACo
		insb
		jo	short loc_8C6149

loc_8C6103:				; CODE XREF: PAGE:008C608Ej
					; PAGE:008C60BFj
		imul	ebp, [ebp+47h],	68437465h
		arpl	gs:[ebx+73h], bp
		jnz	short near ptr loc_8C617B+3
		add	[ecx+73h], al	; DATA XREF: AslpFileGetCrcChecksum(x,x)+7Bo
		insb
		jo	short near ptr loc_8C615A+3
		imul	ebp, [ebp+47h],	72437465h

loc_8C611F:				; CODE XREF: PAGE:loc_8C60C9j
		arpl	[ebx+68h], ax
		arpl	gs:[ebx+73h], bp

loc_8C6126:				; CODE XREF: PAGE:008C60DFj
		jnz	short near ptr loc_8C6190+5
		add	ah, cl

??_C@_0CA@ECIAAMCP@AslpFileGetChecksum?5failed?5?$FL?$CFx?$FN@NNGAKEGL@:
					; DATA XREF: AslpFileGetChecksumAttributes(x,x)+D3o
		inc	ecx

loc_8C612B:				; CODE XREF: PAGE:008C60B6j
		jnb	short loc_8C6199
		jo	short near ptr loc_8C6173+2
		imul	ebp, [ebp+47h],	68437465h
		arpl	gs:[ebx+73h], bp
		jnz	short near ptr loc_8C61A9+1
		and	[esi+61h], ah

loc_8C6140:				; CODE XREF: PAGE:008C60CBj
					; PAGE:008C60E9j
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp

loc_8C6149:				; CODE XREF: PAGE:008C6101j
					; PAGE:008C60DDj
					; DATA XREF: ...
		add	[ecx+73h], al
		insb
		jo	short near ptr loc_8C6190+5
		imul	ebp, [ebp+47h],	72437465h
		arpl	[ebx+68h], ax

loc_8C615A:				; CODE XREF: PAGE:loc_8C60FBj
					; PAGE:008C6115j
		arpl	gs:[ebx+73h], bp
		jnz	short loc_8C61CD

loc_8C6160:				; CODE XREF: PAGE:loc_8C60EBj
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0BO@PDLAAKIB@AslpFileGetChecksumAttributes@NNGAKEGL@:
					; DATA XREF: AslpFileGetChecksumAttributes(x,x)+29o
					; AslpFileGetChecksumAttributes(x,x):loc_A248B7o
		inc	ecx
		jnb	short loc_8C61DD
		jo	short loc_8C61B9

loc_8C6173:				; CODE XREF: PAGE:008C612Dj
		imul	ebp, [ebp+47h],	68437465h

loc_8C617B:				; CODE XREF: PAGE:008C610Fj
		arpl	gs:[ebx+73h], bp
		jnz	short near ptr loc_8C61E9+5
		inc	ecx
		jz	short loc_8C61F8
		jb	short near ptr loc_8C61E9+6
		bound	esi, [ebp+74h]
		db	65h
		jnb	short $+3

??_C@_0CJ@NGKNMDF@AslFileMappingEnsureMappedAs?5fa@NNGAKEGL@:
					; DATA XREF: AslpFileGetChecksumAttributes(x,x)+6Bo
		inc	ecx
		jnb	short near ptr loc_8C61F8+3
		inc	esi

loc_8C6190:				; CODE XREF: PAGE:loc_8C6126j
					; PAGE:008C614Dj
		imul	ebp, [ebp+4Dh],	69707061h
		outsb

loc_8C6199:				; CODE XREF: PAGE:loc_8C612Bj
		db	67h
		inc	ebp
		outsb
		jnb	short near ptr loc_8C6210+3
		jb	short near ptr loc_8C6202+3
		dec	ebp
		popa
		jo	short near ptr loc_8C6210+4
		db	65h, 64h
		inc	ecx
		jnb	short near ptr loc_8C61C6+3

loc_8C61A9:				; CODE XREF: PAGE:008C613Bj
		popaw
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0CD@IEAEKNMD@AslpFileGetFileKindDetailAttrib@NNGAKEGL@:
					; DATA XREF: AslpFileGetFileKindDetailAttribute(x,x)+28o
		inc	ecx
		jnb	short near ptr loc_8C6223+2

loc_8C61B9:				; CODE XREF: PAGE:008C6171j
		jo	short loc_8C6201
		imul	ebp, [ebp+47h],	69467465h
		insb
		db	65h
		dec	ebx

loc_8C61C6:				; CODE XREF: PAGE:008C61A7j
		imul	ebp, [esi+64h],	61746544h

loc_8C61CD:				; CODE XREF: PAGE:008C615Ej
		imul	ebp, [ecx+eax*2+74h], 62697274h
		jnz	short near ptr loc_8C624A+1
		db	65h
		add	ah, cl

??_C@_0CE@HKAOIBJK@CLR?5version?5string?5null?5or?5too?5@NNGAKEGL@:
					; DATA XREF: AslpFileGetClrVersion(x,x):loc_A24AD1o
		inc	ebx
		dec	esp
		push	edx

loc_8C61DD:				; CODE XREF: PAGE:008C616Fj
		and	[esi+65h], dh
		jb	short loc_8C6255
		imul	ebp, [edi+6Eh],	72747320h

loc_8C61E9:				; CODE XREF: PAGE:008C617Fj
					; PAGE:008C6184j
		imul	ebp, [esi+67h],	6C756E20h
		insb
		and	[edi+72h], ch
		and	[edi+ebp*2+6Fh], dh

loc_8C61F8:				; CODE XREF: PAGE:008C6182j
					; PAGE:008C618Dj
		and	[edi+ebp*2+6Eh], ch
		add	[bx+di+73h], al	; DATA XREF: AslpFileGetFileKindDetailAttribute(x,x)+1Eo
		insb

loc_8C6201:				; CODE XREF: PAGE:loc_8C61B9j
		inc	esi

loc_8C6202:				; CODE XREF: PAGE:008C619Ej
		imul	ebp, [ebp+4Dh],	69707061h
		outsb
		db	67h
		inc	edi
		db	65h
		jz	short near ptr loc_8C6255+1

loc_8C6210:				; CODE XREF: PAGE:008C619Cj
					; PAGE:008C61A2j
		imul	ebp, [ebp+4Bh],	44646E69h
		db	65h
		jz	short loc_8C627C
		imul	ebp, [ebx+esi*2+20h], 6C696166h

loc_8C6223:				; CODE XREF: PAGE:008C61B7j
		db	65h
		and	fs:[ebx+25h], bl
		js	short loc_8C6287
		add	ah, cl

??_C@_0DD@FHOOCCGJ@Invalid?5COR20?5Metadata?5virtual?5@NNGAKEGL@:
					; DATA XREF: AslpFileGetClrVersion(x,x)+EAo
		dec	ecx
		outsb
		jbe	short loc_8C6291
		insb
		imul	esp, [eax+43h],	3032524Fh
		and	[ebp+65h], cl
		jz	short near ptr loc_8C629D+2
		db	64h
		popa
		jz	short near ptr loc_8C62A0+3
		and	[esi+69h], dh
		jb	short loc_8C62BB
		jnz	short near ptr loc_8C62A9+1
		insb

loc_8C624A:				; CODE XREF: PAGE:008C61D5j
		and	[ecx+64h], ah
		db	64h
		jb	short near ptr loc_8C62B4+1
		jnb	short loc_8C62C5
		and	[ebp+6Eh], ah

loc_8C6255:				; CODE XREF: PAGE:008C61E0j
					; PAGE:008C620Dj
		arpl	[edi+75h], bp
		outsb
		jz	short near ptr loc_8C62BF+1
		jb	short loc_8C62C2
		db	64h
		add	ah, cl

??_C@_0CN@DHBHKMFP@Invalid?5COR20?5Metadata?5signatur@NNGAKEGL@:
					; DATA XREF: AslpFileGetClrVersion(x,x)+103o
		dec	ecx
		outsb
		jbe	short loc_8C62C5
		insb
		imul	esp, [eax+43h],	3032524Fh
		and	[ebp+65h], cl
		jz	short loc_8C62D3
		db	64h
		popa
		jz	short near ptr loc_8C62D5+2
		and	[ebx+69h], dh
		outs	dx, byte ptr [si]
		popa

loc_8C627C:				; CODE XREF: PAGE:008C6218j
		jz	short near ptr loc_8C62F0+3
		jb	short near ptr loc_8C62E1+4
		and	[ebp+6Eh], ah
		arpl	[edi+75h], bp
		outsb

loc_8C6287:				; CODE XREF: PAGE:008C6228j
		jz	short near ptr loc_8C62ED+1
		jb	short loc_8C62F0
		db	64h
		add	ah, cl

??_C@_0BG@BCKDAEDA@AslpFileGetClrVersion@NNGAKEGL@:
					; DATA XREF: AslpFileGetClrVersion(x,x)+35o
					; AslpFileGetClrVersion(x,x)+B5o ...
		inc	ecx
		jnb	short loc_8C62FD

loc_8C6291:				; CODE XREF: PAGE:008C622Ej
		jo	short loc_8C62D9
		imul	ebp, [ebp+47h],	6C437465h
		jb	short near ptr loc_8C62F0+3

loc_8C629D:				; CODE XREF: PAGE:008C623Cj
		db	65h
		jb	short near ptr loc_8C6312+1

loc_8C62A0:				; CODE XREF: PAGE:008C6240j
					; DATA XREF: AslpFileGetClrVersion(x,x)+A3o
		imul	ebp, [edi+6Eh],	766E4900h
		popa
		insb

loc_8C62A9:				; CODE XREF: PAGE:008C6247j
		imul	esp, [eax+43h],	44204D4Fh
		db	65h
		jnb	short near ptr loc_8C6312+5

loc_8C62B4:				; CODE XREF: PAGE:008C624Dj
		jb	short near ptr loc_8C631E+1
		jo	short near ptr loc_8C632B+1
		outsd
		jb	short loc_8C62DB

loc_8C62BB:				; CODE XREF: PAGE:008C6245j
		jbe	short near ptr loc_8C6321+5
		jb	short loc_8C6333

loc_8C62BF:				; CODE XREF: PAGE:008C6259j
		jnz	short near ptr loc_8C6321+1
		insb

loc_8C62C2:				; CODE XREF: PAGE:008C625Bj
		and	[ecx+64h], ah

loc_8C62C5:				; CODE XREF: PAGE:008C6250j
					; PAGE:008C6262j
		db	64h
		jb	short loc_8C632D
		jnb	short loc_8C633D
		and	[ebp+6Eh], ah
		arpl	[edi+75h], bp
		outsb
		jz	short near ptr loc_8C6336+2

loc_8C62D3:				; CODE XREF: PAGE:008C6270j
		jb	short near ptr loc_8C6339+1

loc_8C62D5:				; CODE XREF: PAGE:008C6274j
		db	64h
		add	ah, cl

??_C@_0DE@CHEICMFI@MmSecureVirtualMemory?5failed?5to@NNGAKEGL@:
					; DATA XREF: AslpFileLargeMapCreate(x,x)+F0o
		dec	ebp

loc_8C62D9:				; CODE XREF: PAGE:loc_8C6291j
		insd
		push	ebx

loc_8C62DB:				; CODE XREF: PAGE:008C62B9j
		arpl	gs:[ebp+72h], si
		db	65h
		push	esi

loc_8C62E1:				; CODE XREF: PAGE:008C627Ej
		imul	esi, [edx+74h],	4D6C6175h
		db	65h
		insd
		outsd
		jb	short loc_8C6366

loc_8C62ED:				; CODE XREF: PAGE:loc_8C6287j
		and	[esi+61h], ah

loc_8C62F0:				; CODE XREF: PAGE:008C6289j
					; PAGE:loc_8C627Cj ...
		imul	ebp, [ebp+64h],	206F7420h
		jnb	short near ptr loc_8C635E+1
		arpl	[ebp+72h], si

loc_8C62FD:				; CODE XREF: PAGE:008C628Fj
		and	gs:[eax+ebp*2+65h], dh
		and	[ebp+6Eh], ah
		and	fs:[esi+69h], dh
		db	65h
		ja	short $+3

??_C@_0DM@DNPNPCFE@ZwMapViewOfSection?5failed?5to?5ma@NNGAKEGL@:
					; DATA XREF: AslpFileLargeMapCreate(x,x)+167o
		pop	edx
		ja	short loc_8C635C
		popa
		jo	short near ptr loc_8C6366+2

loc_8C6312:				; CODE XREF: PAGE:loc_8C629Dj
					; PAGE:008C62B1j
		imul	esp, [ebp+77h],	6553664Fh
		arpl	[ecx+ebp*2+6Fh], si
		outsb

loc_8C631E:				; CODE XREF: PAGE:loc_8C62B4j
		and	[esi+61h], ah

loc_8C6321:				; CODE XREF: PAGE:loc_8C62BFj
					; PAGE:loc_8C62BBj
		imul	ebp, [ebp+64h],	206F7420h
		insd
		popa

loc_8C632B:				; CODE XREF: PAGE:008C62B6j
		jo	short loc_8C634D

loc_8C632D:				; CODE XREF: PAGE:loc_8C62C5j
		jz	short loc_8C6397
		and	gs:[ebx+74h], dh

loc_8C6333:				; CODE XREF: PAGE:008C62BDj
		popa
		jb	short near ptr loc_8C63A8+2

loc_8C6336:				; CODE XREF: PAGE:008C62D1j
		and	[edi+66h], ch

loc_8C6339:				; CODE XREF: PAGE:loc_8C62D3j
		and	[eax+ebp*2+65h], dh

loc_8C633D:				; CODE XREF: PAGE:008C62C8j
		and	[esi+69h], ah
		insb
		and	gs:[ebx+25h], bl
		js	short near ptr loc_8C639F+5
		add	[ecx+73h], al	; DATA XREF: AslpFileLargeMapCreate(x,x):loc_A26B90o
					; AslpFileLargeMapCreate(x,x):loc_A26C12o
		insb
		jo	short loc_8C6393

loc_8C634D:				; CODE XREF: PAGE:loc_8C632Bj
		imul	ebp, [ebp+4Ch],	65677261h
		dec	ebp
		popa
		jo	short loc_8C639C
		jb	short near ptr loc_8C63BF+1
		popa

loc_8C635C:				; CODE XREF: PAGE:008C630Dj
		jz	short near ptr loc_8C63BF+4

loc_8C635E:				; CODE XREF: PAGE:008C62F8j
		add	ah, cl

??_C@_0DK@GKAIOMFA@ZwMapViewOfSection?5failed?5to?5ma@NNGAKEGL@:
					; DATA XREF: AslpFileLargeMapCreate(x,x)+D0o
		pop	edx
		ja	short loc_8C63B0
		popa
		jo	short near ptr loc_8C63BA+2

loc_8C6366:				; CODE XREF: PAGE:008C62EBj
					; PAGE:008C6310j
		imul	esp, [ebp+77h],	6553664Fh
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	206F7420h
		insd
		popa
		jo	short near ptr loc_8C639F+2
		jz	short near ptr loc_8C63E9+2
		and	gs:[ebp+6Eh], ah
		and	fs:[edi+66h], ch
		and	[eax+ebp*2+65h], dh
		and	[esi+69h], ah
		insb

loc_8C6393:				; CODE XREF: PAGE:008C634Bj
		and	gs:[ebx+25h], bl

loc_8C6397:				; CODE XREF: PAGE:loc_8C632Dj
		js	short near ptr loc_8C63F5+1
		add	[ecx+73h], al	; DATA XREF: AslpFileLargeEnsureLargeFileMapping(x,x)+73o

loc_8C639C:				; CODE XREF: PAGE:008C6357j
		insb
		jo	short loc_8C63E5

loc_8C639F:				; CODE XREF: PAGE:008C637Fj
					; PAGE:008C6345j
		imul	ebp, [ebp+4Ch],	65677261h
		inc	edi

loc_8C63A8:				; CODE XREF: PAGE:008C6334j
		db	65h
		jz	short near ptr loc_8C63E9+5
		push	736B6365h

loc_8C63B0:				; CODE XREF: PAGE:008C6361j
		jnz	short near ptr loc_8C641D+2
		inc	ecx
		jz	short near ptr loc_8C6423+6
		jb	short loc_8C6420
		bound	esi, [ebp+74h]

loc_8C63BA:				; CODE XREF: PAGE:008C6364j
		db	65h
		jnb	short near ptr loc_8C63D8+5
		popaw

loc_8C63BF:				; CODE XREF: PAGE:008C6359j
					; PAGE:loc_8C635Cj
		imul	ebp, [ebp+64h],	206F7420h
		db	67h, 65h
		jz	near ptr 63EBh
		arpl	[eax+65h], bp
		arpl	[ebx+73h], bp
		jnz	short loc_8C6440
		and	[ecx+74h], ah
		jz	short near ptr loc_8C6449+1

loc_8C63D8:				; CODE XREF: PAGE:loc_8C63BAj
		imul	esp, [edx+75h],	20736574h
		pop	ebx
		and	eax, 41005D78h	; DATA XREF: AslpFileLargeEnsureLargeFileMapping(x,x)+7Do

loc_8C63E5:				; CODE XREF: PAGE:008C639Dj
		jnb	short near ptr loc_8C644F+4
		jo	short near ptr loc_8C642D+2

loc_8C63E9:				; CODE XREF: PAGE:008C6381j
					; PAGE:loc_8C63A8j
		imul	ebp, [ebp+4Ch],	65677261h
		inc	ebp
		outsb
		jnb	short near ptr loc_8C6469+1

loc_8C63F5:				; CODE XREF: PAGE:loc_8C6397j
		jb	short near ptr loc_8C645B+1
		dec	esp
		popa
		jb	short near ptr loc_8C645E+4
		db	65h
		inc	esi
		imul	ebp, [ebp+4Dh],	69707061h
		outsb
		add	[bp+di+72h], al	; DATA XREF: AslpFileLargeGetCrcChecksum(x,x)+D8o
		arpl	[esi+69h], ax
		insb
		db	65h
		push	ebx
		jz	short loc_8C6473
		jb	short near ptr loc_8C6486+2
		and	[eax], ah
		cmp	ah, [eax]
		and	eax, 75343649h

loc_8C641D:				; CODE XREF: PAGE:loc_8C63B0j
					; DATA XREF: AslpFileLargeGetCrcChecksum(x,x)+F3o
		add	[esi+69h], dl

loc_8C6420:				; CODE XREF: PAGE:008C63B5j
		db	65h
		ja	short loc_8C6469

loc_8C6423:				; CODE XREF: PAGE:008C63B3j
		imul	ebp, [ebp+4Fh],	65736666h
		jz	short near ptr loc_8C6465+2

loc_8C642D:				; CODE XREF: PAGE:008C63E7j
		and	ds:75343649h, ah
		add	[esi+69h], al	; DATA XREF: AslpFileLargeGetCrcChecksum(x,x)+B0o
		insb
		db	65h
		push	ebx
		imul	edi, [edx+65h],	20202020h

loc_8C6440:				; CODE XREF: PAGE:008C63D1j
		and	[eax], ah
		cmp	ah, [eax]
		and	eax, 75343649h

loc_8C6449:				; CODE XREF: PAGE:008C63D6j
					; DATA XREF: AslpFileLargeGetCrcChecksum(x,x)+BAo ...
		add	[ecx+73h], al
		insb
		jo	short near ptr loc_8C648F+6

loc_8C644F:				; CODE XREF: PAGE:loc_8C63E5j
		imul	ebp, [ebp+4Ch],	65677261h
		inc	edi
		db	65h
		jz	short near ptr loc_8C649B+3

loc_8C645B:				; CODE XREF: PAGE:loc_8C63F5j
		jb	short near ptr loc_8C64BC+4
		inc	ebx

loc_8C645E:				; CODE XREF: PAGE:008C63F9j
		push	736B6365h
		jnz	short loc_8C64D2

loc_8C6465:				; CODE XREF: PAGE:008C642Bj
					; DATA XREF: AslpFileLargeGetChecksumAttributes(x,x)+2Eo ...
		add	[ecx+73h], al
		insb

loc_8C6469:				; CODE XREF: PAGE:loc_8C6420j
					; PAGE:008C63F3j
		jo	short near ptr loc_8C64AD+4
		imul	ebp, [ebp+4Ch],	65677261h

loc_8C6473:				; CODE XREF: PAGE:008C6410j
		inc	edi
		db	65h
		jz	short near ptr loc_8C64B9+1
		push	736B6365h
		jnz	short loc_8C64EB
		inc	ecx
		jz	short loc_8C64F5
		jb	short near ptr loc_8C64EB+1
		bound	esi, [ebp+74h]

loc_8C6486:				; CODE XREF: PAGE:008C6412j
		db	65h
		jnb	short $+3
		int	3		; Trap to Debugger

??_C@_0BJ@HBFAEJPP@AslpFileLargeGetChecksum@NNGAKEGL@:
					; DATA XREF: AslpFileLargeGetChecksum(x,x)+ABo
		inc	ecx
		jnb	short near ptr loc_8C64F5+4
		jo	short near ptr loc_8C64D4+1

loc_8C648F:				; CODE XREF: PAGE:008C644Dj
		imul	ebp, [ebp+4Ch],	65677261h
		inc	edi
		db	65h
		jz	short near ptr loc_8C64DD+1

loc_8C649B:				; CODE XREF: PAGE:008C6458j
		push	736B6365h
		jnz	short near ptr loc_8C650E+1
		add	ah, cl

??_C@_0DG@GNMNFDCD@MmSecureVirtualMemory?5failed?5to@NNGAKEGL@:
					; DATA XREF: AslpFileLargeMapCreate(x,x)+18Ao
		dec	ebp
		insd
		push	ebx
		arpl	gs:[ebp+72h], si
		db	65h
		push	esi

loc_8C64AD:				; CODE XREF: PAGE:loc_8C6469j
		imul	esi, [edx+74h],	4D6C6175h
		db	65h
		insd
		outsd
		jb	short loc_8C6532

loc_8C64B9:				; CODE XREF: PAGE:008C6474j
		and	[esi+61h], ah

loc_8C64BC:				; CODE XREF: PAGE:loc_8C645Bj
		imul	ebp, [ebp+64h],	206F7420h
		jnb	short near ptr loc_8C652A+1
		arpl	[ebp+72h], si
		and	gs:[eax+ebp*2+65h], dh
		and	[ebx+74h], dh
		popa

loc_8C64D2:				; CODE XREF: PAGE:008C6463j
		jb	short near ptr loc_8C6543+5

loc_8C64D4:				; CODE XREF: PAGE:008C648Dj
		and	[esi+69h], dh
		db	65h
		ja	short $+3

??_C@_0CF@NKLIOJAG@AslpFileLargeGetChecksum?5failed@NNGAKEGL@:
					; DATA XREF: AslpFileLargeGetChecksumAttributes(x,x)+24o
		inc	ecx
		jnb	short near ptr loc_8C6543+6

loc_8C64DD:				; CODE XREF: PAGE:008C6498j
		jo	short loc_8C6525
		imul	ebp, [ebp+4Ch],	65677261h
		inc	edi
		db	65h
		jz	short loc_8C652E

loc_8C64EB:				; CODE XREF: PAGE:008C647Cj
					; PAGE:008C6481j
		push	736B6365h
		jnz	short near ptr loc_8C655E+1
		and	[esi+61h], ah

loc_8C64F5:				; CODE XREF: PAGE:008C647Fj
					; PAGE:008C648Bj
		imul	ebp, [ebp+64h],	78255B20h
		pop	ebp
		add	ah, cl

??_C@_0DJ@GHPJJPKH@Alignment?5error?5in?5the?5end?5of?5f@NNGAKEGL@:
					; DATA XREF: AslpFileLargeGetCrcChecksum(x,x)+139o
		inc	ecx
		insb
		imul	esp, [edi+6Eh],	746E656Dh
		and	[ebp+72h], ah
		jb	short near ptr loc_8C657B+2

loc_8C650E:				; CODE XREF: PAGE:008C64A0j
		jb	short near ptr loc_8C652F+1
		imul	ebp, [esi+20h],	20656874h
		outs	dx, byte ptr gs:[esi]
		and	fs:[edi+66h], ch
		and	[esi+69h], ah
		insb
		and	gs:[esi+69h], dh

loc_8C6525:				; CODE XREF: PAGE:loc_8C64DDj
		db	65h
		ja	short near ptr loc_8C6543+5
		outsw

loc_8C652A:				; CODE XREF: PAGE:008C64C4j
		jb	short near ptr loc_8C654A+2
		inc	ebx
		push	edx

loc_8C652E:				; CODE XREF: PAGE:008C64E8j
		inc	ebx

loc_8C652F:				; CODE XREF: PAGE:loc_8C650Ej
		and	[ebx+68h], ah

loc_8C6532:				; CODE XREF: PAGE:008C64B7j
		arpl	gs:[ebx+73h], bp
		jnz	short loc_8C65A5
		add	ah, cl

??_C@_0BD@GMBLCEKJ@ViewFileSize?5?5?3?5?$CFu@NNGAKEGL@:
					; DATA XREF: AslpFileLargeGetCrcChecksum(x,x)+10Eo
		push	esi
		imul	esp, [ebp+77h],	656C6946h
		push	ebx

loc_8C6543:				; CODE XREF: PAGE:loc_8C64D2j
					; PAGE:loc_8C6525j ...
		imul	edi, [edx+65h],	203A2020h

loc_8C654A:				; CODE XREF: PAGE:loc_8C652Aj
					; DATA XREF: AslpFileLargeGetCrcChecksum(x,x)+128o
		and	eax, 43CC0075h
		jb	short near ptr ??_C@_1O@HLIMJNPL@?$AA?$AN?$AA?6?$AA?7?$AA?7?$AA?$CF?$AA?$HL@NNGAKEGL@+2
		push	esi
		imul	esp, [ebp+77h],	7366664Fh
		db	65h
		jz	short near ptr loc_8C657B+1
		cmp	ah, [eax]

loc_8C655E:				; CODE XREF: PAGE:008C64F0j
		and	eax, 75343649h

loc_8C6563:				; DATA XREF: AuthzBasepInitializeSystemSecurityAttributes(x)+1Eo
		add	[edi+0], dl
		dec	ecx
		add	[esi+0], cl
		cmp	al, [eax]
		das
		add	[edi], ch
		add	[ecx+0], cl
		push	ebx
		add	[ebp+0], cl
		push	ebp
		add	[eax+eax+54h], cl

loc_8C657B:				; CODE XREF: PAGE:008C6559j
					; PAGE:008C650Cj
		add	[ecx+0], cl
		push	ebx
		add	[ebp+0], al
		push	ebx
		add	[ebx+0], dl
		dec	ecx
		add	[edi+0], cl
		dec	esi
		add	[ebx+0], dl
		dec	ebx
		add	[ebp+0], dl
; 
		dw 0
; 

; wchar_t ??_C
??_C@_1BC@JBLGCGBA@?$AA?$DM?$AA0?$AAx?$AA?$CF?$AA0?$AA8?$AAX?$AA?$DO@NNGAKEGL@:
					; DATA XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+74o
		cmp	al, 0
		xor	[eax], al
		js	short $+2
		and	eax, 38003000h
		add	[eax+0], bl
		db	3Eh
		add	[eax], al

loc_8C65A5:				; CODE XREF: PAGE:008C6536j
					; DATA XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+6Fo
		add	ds:9000A00h, cl
		add	[ecx], cl
		add	[ecx], cl
; 
		db 0
		db 2 dup(0)
; 

; void ??_C
??_C@_1O@HLIMJNPL@?$AA?$AN?$AA?6?$AA?7?$AA?7?$AA?$CF?$AA?$HL@NNGAKEGL@:
					; CODE XREF: PAGE:008C654Fj
					; DATA XREF: AdtpBuildSidListString(x,x,x,x,x,x)+1DFo
		or	eax, 9000A00h
		add	[ecx], cl
		add	large ds:7B00h,	ah
; 
		db 0
; wchar_t ??_C
??_C@_1O@PEHDFMOI@?$AA?$CF?$AA?$CF?$AA?$CF?$AA?$CF?$AA?$CF?$AAu@NNGAKEGL@:
					; DATA XREF: AdtpBuildMessageString+39o
					; AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+C2o
		unicode	0, <%%%%%u>,0
; void ??_C
??_C@_19CCEMBOLD@?$AA?$AN?$AA?6?$AA?7?$AA?7@NNGAKEGL@ db 0Dh,0
					; DATA XREF: AdtpBuildStringListString(x,x,x,x,x,x):loc_A2819Eo
		dw 0Ah
		dw 9
		dw 9
		unicode	0, <>,0
??_C@_1IM@HLFDLGLG@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: AdtpObjsInitialize+E2o
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Services\Event>
		unicode	0, <Log\Security>,0
??_C@_1O@MKNEDAKB@?$AA?$AN?$AA?6?$AA?7?$AA?7?$AA?7?$AA?7@NNGAKEGL@:
					; DATA XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x):loc_A28550o
		dw 0Dh
		dw 0Ah
		dw 9
		dw 9
		dw 9
		dw 9
		unicode	0, <>,0
; 

??_C@_15JGNEDFBN@?$AA?3?$AA?7@NNGAKEGL@:
					; DATA XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+A3o
		cmp	al, [eax]
		or	[eax], eax
; 
		dw 0
; 

??_C@_19KFCILJCK@?$AA?7?$AA?7?$AA?7?$AA?7@NNGAKEGL@:
		or	[eax], eax
		or	[eax], eax
		or	[eax], eax
		or	[eax], eax
; 
		db 2 dup(0)
; 

??_C@_1M@JEHOPNL@?$AA?9?$AA?9?$AA?9?$AA?$AN?$AA?6@NNGAKEGL@:
					; DATA XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+7Bo
		sub	eax, 2D002D00h
		add	large ds:0A00h,	cl
; 
		db 0
; 

??_C@_15BEDKEABO@?$AA?7?$AA?7@NNGAKEGL@:
		or	[eax], eax
		or	[eax], eax
; 
		dw 0
; 

??_C@_17NPJFCFPP@?$AA?7?$AA?7?$AA?7@NNGAKEGL@:
		or	[eax], eax
		or	[eax], eax
		or	[eax], eax
; 
		dw 0
??_C@_1BI@OADGGPMJ@?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAN?$AAa?$AAm?$AAe?$AAs@NNGAKEGL@:
					; DATA XREF: AdtpObjsInitialize+26Fo
		unicode	0, <ObjectNames>,0
; 

??_C@_13KDLDGPGJ@?$AA?7@NNGAKEGL@:
		or	[eax], eax
; 
		dw 0
??_C@_1DC@MPDDGCGD@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAo?$AAr?$AAy?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAi@NNGAKEGL@:
					; DATA XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x):loc_A2874Fo
		unicode	0, <Directory Service Object>,0
; 

; void ??_C
??_C@_1O@FAFOOFGK@?$AA?$AN?$AA?6?$AA?7?$AA?7?$AA?$CF?$AA?$CF@NNGAKEGL@:
					; DATA XREF: AdtpBuildUserAccountControlString(x,x,x,x,x,x,x,x)+18Fo
		or	eax, 9000A00h
		add	[ecx], cl
		add	large ds:2500h,	ah
; 
		db 0
; void ??_C
??_C@_15IOLAJFNF@?$AA?$CF?$AA?$CF@NNGAKEGL@:
					; DATA XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+145o
					; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+197o ...
		unicode	0, <%%>,0
??_C@_15DEMLGGK@?$AAD?$AAS@NNGAKEGL@ db	'D',0
					; DATA XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+25Fo
aS_1:
		unicode	0, <S>,0
??_C@_1BO@LJHGOKGD@?$AA?2?$AAD?$AAo?$AAs?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs?$AA?2?$AAA?$AA?3@NNGAKEGL@:
					; DATA XREF: sub_574F78+9o
		unicode	0, <\DosDevices\A:>,0
??_C@_1IC@GNJOCBBO@?$AAB?$AAc?$AAd?$AAO?$AAp?$AAe?$AAn?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAt@NNGAKEGL@ db 'B',0
					; DATA XREF: BcdOpenSystemStore(x)+13o
aCdopensystemst:
		unicode	0, <cdOpenSystemStore: Failed to acquire BCD sync mutant.Stat>
		unicode	0, <us:	%x>,0
; 

??_C@_1FI@JMOEDDGI@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAg?$AAe?$AAt?$AA?5?$AAs@NNGAKEGL@:
					; DATA XREF: BcdGetSystemStorePath+A2A5Do
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edi+0], ah
		add	gs:[eax+eax+20h], dh
		add	[ebx+0], dh
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[eax+0], dh
		popa
		add	[eax+eax+68h], dh
		add	[esi], ch
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h

loc_8C67FB:				; DATA XREF: BcdOpenStore+44o
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[edi+0], dh
		imul	eax, [eax], 6C006Ch
		and	[eax], al
		bound	eax, [eax]
		endp

		add	gs:[eax], ah
		add	[ebx+0], dh
		jns	short $+2
		outsb
		add	[ebx+0], ah
		push	6F007200h
		add	[esi+0], ch
		imul	eax, [eax], 65007Ah
		add	fs:[eax], ah
		add	[edi+0], dh
		imul	eax, [eax], 680074h
		and	[eax], al
		db	66h
		add	[ecx+0], ch
		jb	short $+2
		insd
		add	[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[esi], ch
; 
		db 3 dup(0)
; 

??_C@_1FA@PPLIENGI@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@:
					; DATA XREF: BcdOpenStore+A2B2Co
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edi+0], ch
		jo	short $+2
		add	gs:[esi+0], ch
		and	[eax], al
		jnb	short $+2
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[esi], ch
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1KE@DMKAGBMK@?$AAB?$AAc?$AAd?$AAO?$AAp?$AAe?$AAn?$AAS?$AAt?$AAo?$AAr?$AAe?$AA?3?$AA?5?$AAF@NNGAKEGL@:
					; DATA XREF: BcdOpenStore+A2B15o
		inc	edx
		add	[ebx+0], ah
		add	fs:[edi+0], cl
		jo	short $+2
		add	gs:[esi+0], ch
		push	ebx
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
		add	gs:[edx], bh
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], ah
		arpl	[eax], ax
		jno	short $+2
		jnz	short $+2
		imul	eax, [eax], 650072h
		and	[eax], al
		inc	edx
		add	[ebx+0], al
		inc	esp
		add	[eax], ah
		add	[ebx+0], dh
		jns	short $+2
		outsb
		add	[ebx+0], ah
		and	[eax], al
		dec	ebp
		add	[ebp+0], dh
		jz	short $+2
		popa
		add	[esi+0], ch
		jz	short $+2
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[edx], bh
		add	[eax], ah
		add	ds:73007700h, ah
		add	[esi+0], al
		insb
		add	[ecx+0], ah
		add	[bp+di+0], dh
		cmp	al, [eax]
		and	[eax], al
		xor	[eax], al
		js	short $+2
		and	eax, 20007800h
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
??_C@_1DG@IMJCJDCP@?$AAO?$AAp?$AAe?$AAn?$AAi?$AAn?$AAg?$AA?5?$AAs?$AAt?$AAo?$AAr?$AAe?$AA?4?$AA?5@NNGAKEGL@:
					; DATA XREF: BcdOpenStore+2Do
		unicode	0, <Opening store. Flags: 0x%x>,0
; 

??_C@_19CIJIHAKK@?$AAN?$AAU?$AAL?$AAL@NNGAKEGL@: ; DATA	XREF: BcdOpenStore+A2B10o
					; ConvertDevpropertyToString(x,x,x,x):loc_A3AFFAo
		dec	esi
		add	[ebp+0], dl
		dec	esp
		add	[eax+eax+0], cl
		add	[esi+0], al	; DATA XREF: BcdForciblyUnloadStore+A64A4o
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ebp+0], ah
		js	short $+2
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		and	[eax], al
		jnz	short $+2
		outsb
		add	[eax+eax+6Fh], ch
		add	[ecx+0], ah
		add	fs:[eax], ah
		add	[ecx+0], ah
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
		and	[eax], al
		jz	short $+2
		outsd
		add	[eax], ah
		add	[esi+0], ah
		imul	eax, [eax], 6D0072h
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[esi], ch
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1EG@OHPMMJHC@?$AAE?$AAx?$AAp?$AAo?$AAr?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAa?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: BiCloseStore:loc_9035D5o
		inc	ebp
		add	[eax+0], bh
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 67006Eh
		and	[eax], al
		popa
		add	[eax+eax+74h], ch
		add	[ebp+0], ah
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
		and	[eax], al
		jz	short $+2
		outsd
		add	[eax], ah
		add	[esi+0], ah
		imul	eax, [eax], 6D0072h
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[esi], ch
; 
		db 0
		db 2 dup(0)
; 

??_C@_1IM@KDHDNKKJ@?$AAB?$AAc?$AAd?$AAF?$AAo?$AAr?$AAc?$AAi?$AAb?$AAl?$AAy?$AAU?$AAn?$AAl?$AAo@NNGAKEGL@:
					; DATA XREF: BcdForciblyUnloadStore+A648Do
		inc	edx
		add	[ebx+0], ah
		add	fs:[esi+0], al
		outsd
		add	[edx+0], dh
		arpl	[eax], ax
		imul	eax, [eax], 6C0062h
		jns	short $+2
		push	ebp
		add	[esi+0], ch
		insb
		add	[edi+0], ch
		popa
		add	[eax+eax+53h], ah
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
		add	gs:[edx], bh
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], ah
		arpl	[eax], ax
		jno	short $+2
		jnz	short $+2
		imul	eax, [eax], 650072h
		and	[eax], al
		inc	edx
		add	[ebx+0], al
		inc	esp
		add	[eax], ah
		add	[ebx+0], dh
		jns	short $+2
		outsb
		add	[ebx+0], ah
		and	[eax], al
		insd
		add	[ebp+0], dh
		jz	short $+2
		popa
		add	[esi+0], ch
		jz	short $+2
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
??_C@_1EM@OIPDGHPJ@?$AAE?$AAx?$AAp?$AAo?$AAr?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAf?$AAo?$AAr?$AAc?$AAi@NNGAKEGL@ dd offset loc_780040+5
					; DATA XREF: BcdForciblyUnloadStore+37o
		dw 70h
aOrtingForcible:
		unicode	0, <orting forcible unload to firmware>,0
; 

??_C@_1HK@OHPJHCML@?$AAB?$AAc?$AAd?$AAC?$AAl?$AAo?$AAs?$AAe?$AAS?$AAt?$AAo?$AAr?$AAe?$AA?3?$AA?5@NNGAKEGL@:
					; DATA XREF: BcdCloseStore+A2AA5o
		inc	edx
		add	[ebx+0], ah
		add	fs:[ebx+0], al
		insb
		add	[edi+0], ch
		jnb	short $+2
		add	gs:[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[edx], bh
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], ah
		arpl	[eax], ax
		jno	short $+2
		jnz	short $+2
		imul	eax, [eax], 650072h
		and	[eax], al
		inc	edx
		add	[ebx+0], al
		inc	esp
		add	[eax], ah
		add	[ebx+0], dh
		jns	short $+2
		outsb
		add	[ebx+0], ah
		and	[eax], al
		insd
		add	[ebp+0], dh
		jz	short $+2
		popa
		add	[esi+0], ch
		jz	short $+2
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
??_C@_1DG@JAFNKMKP@?$AAC?$AAl?$AAo?$AAs?$AAi?$AAn?$AAg?$AA?5?$AAs?$AAt?$AAo?$AAr?$AAe?$AA?4?$AA?5@NNGAKEGL@:
					; DATA XREF: BcdCloseStore+45o
		unicode	0, <Closing store. Flags: 0x%x>,0
; 

??_C@_1CO@NBIMBNIG@?$AAL?$AAo?$AAa?$AAd?$AAe?$AAd?$AA?5?$AAh?$AAi?$AAv?$AAe?$AA?5?$AAa?$AAt?$AA?5@NNGAKEGL@:
					; DATA XREF: BiAddStoreFromFile+6Ao
		dec	esp
		add	[edi+0], ch
		popa
		add	[eax+eax+65h], ah
		add	[eax+eax+20h], ah
		add	[eax+0], ch
		imul	eax, [eax], 650076h
		and	[eax], al
		popa
		add	[eax+eax+20h], dh
		add	[edx+0], al
		inc	ebx
		add	[eax+eax+25h], al
		add	[eax], dh
		add	[eax], bh
		add	[eax+eax+0], ah
; 
		db 0
; 

??_C@_1GK@NBGLBMAJ@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAl?$AAo?$AAa?$AAd?$AA?5@NNGAKEGL@:
					; DATA XREF: BiAddStoreFromFile+A300Do
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[eax+eax+6Fh], ch
		add	[ecx+0], ah
		add	fs:[eax], ah
		add	[eax+0], ch
		imul	eax, [eax], 650076h
		and	[eax], al
		imul	eax, [eax], 74006Eh
		outsd
		add	[eax], ah
		add	[ebx+0], ch
		add	gs:[ecx+0], bh
		and	[eax], al
		and	eax, 73007700h
		add	[eax], ah
		add	[esi+0], ah
		jb	short $+2
		outsd
		add	[ebp+0], ch
		and	[eax], al
		and	eax, 2E007300h
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h

loc_8C6C61:				; DATA XREF: BiAddStoreFromFile+3Bo
		add	[edx+0], al
		inc	ebx
		add	[eax+eax+25h], al
		add	[eax], dh
		add	[eax], bh
		add	[eax+eax+0], ah

loc_8C6C71:				; DATA XREF: BiMarkTreatAsSystemStore+75o
					; BiIsSystemStore(x)+1Fo ...
		add	[eax+eax+72h], dl
		add	[ebp+0], ah
		popa
		add	[eax+eax+41h], dh
		add	[ebx+0], dh
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
		db 2 dup(0)
; 

??_C@_1GK@NKBLNBBA@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAe?$AAx?$AAp?$AAo?$AAr@NNGAKEGL@:
					; DATA XREF: BiCloseStore+A2FD4o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ebp+0], ah
		js	short $+2
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		and	[eax], al
		popa
		add	[eax+eax+74h], ch
		add	[ebp+0], ah
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
		and	[eax], al
		jz	short $+2
		outsd
		add	[eax], ah
		add	[esi+0], ah
		imul	eax, [eax], 6D0072h
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[esi], ch
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
??_C@_1BA@PCNMLPEP@?$AAK?$AAe?$AAy?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@:
					; DATA XREF: BiUnloadHiveByHandle(x,x)+2Bo
					; BiAddStoreFromFile+B0o
		unicode	0, <KeyName>,0
; 

??_C@_1JK@ICGMJJA@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@:
					; DATA XREF: BiAddStoreFromFile+A30D1o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edi+0], ch
		jo	short $+2
		add	gs:[esi+0], ch
		and	[eax], al
		add	fs:[ebp+0], ah
		jnb	short $+2
		arpl	[eax], ax
		jb	short $+2
		imul	eax, [eax], 740070h
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		and	[eax], al
		db	66h
		add	[edi+0], ch
		jb	short $+2
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[esi], ch
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[edx], bh
		add	[eax], ah
		add	ds:20007300h, ah
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[ebx+0], cl
		add	gs:[ecx+0], bh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 73007700h
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1JA@LHPLIIFE@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAs?$AAe?$AAt?$AA?5?$AAd@NNGAKEGL@:
					; DATA XREF: BiAddStoreFromFile+A30E2o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ebx+0], dh
		add	gs:[eax+eax+20h], dh
		add	[eax+eax+65h], ah
		add	[ebx+0], dh
		arpl	[eax], ax
		jb	short $+2
		imul	eax, [eax], 740070h
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		and	[eax], al
		jbe	short $+2
		popa
		add	[eax+eax+75h], ch
		add	[ebp+0], ah
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[edx], bh
		add	[eax], ah
		add	ds:20007300h, ah
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[ebx+0], cl
		add	gs:[ecx+0], bh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 73007700h
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[esi+0], al	; DATA XREF: BiAddStoreFromFile+A3064o
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 6C0061h
		imul	eax, [eax], 65007Ah
		and	[eax], al
		add	fs:[ebp+0], ah
		jnb	short $+2
		arpl	[eax], ax
		jb	short $+2
		imul	eax, [eax], 740070h
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		and	[eax], al
		db	66h
		add	[edi+0], ch
		jb	short $+2
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[esi], ch
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[edx], bh
		add	[eax], ah
		add	ds:20007300h, ah
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[ebx+0], cl
		add	gs:[ecx+0], bh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 73007700h
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1FG@CJJHKDMI@?$AAA?$AA?5?$AAv?$AAa?$AAl?$AAi?$AAd?$AA?5?$AAs?$AAt?$AAo?$AAr?$AAe?$AA?5?$AAm@NNGAKEGL@:
					; DATA XREF: BiAddStoreFromFile+A30B3o
		inc	ecx
		add	[eax], ah
		add	[esi+0], dh
		popa
		add	[eax+eax+69h], ch
		add	[eax+eax+20h], ah
		add	[ebx+0], dh
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[ebp+0], ch
		jnz	short $+2
		jnb	short $+2
		jz	short $+2
		and	[eax], al
		push	76006100h
		add	[ebp+0], ah
		and	[eax], al
		popa
		add	[eax], ah
		add	[eax+eax+65h], ah
		add	[ebx+0], dh
		arpl	[eax], ax
		jb	short $+2
		imul	eax, [eax], 740070h
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		add	cs:[eax], al

loc_8C6F2D:				; DATA XREF: BcdOpenObject+84o
					; BiAddStoreFromFile+A3031o ...
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1JO@GOAKEPKG@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAi?$AAn?$AAi?$AAt?$AAi@NNGAKEGL@:
					; DATA XREF: BiAddStoreFromFile+A3053o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 6C0061h
		imul	eax, [eax], 65007Ah
		and	[eax], al
		outsd
		add	[edx+0], ah
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		and	[eax], al
		db	66h
		add	[edi+0], ch
		jb	short $+2
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[esi], ch
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[edx], bh
		add	[eax], ah
		add	ds:20007300h, ah
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[ebx+0], cl
		add	gs:[ecx+0], bh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 73007700h
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[eax+eax+6Fh], dl ; DATA XREF: BiAddStoreFromFile+A2FE7o
		add	[edi+0], ch
		and	[eax], al
		insd
		add	[ecx+0], ah
		outsb
		add	[ecx+0], bh
		and	[eax], al
		jnz	short $+2
		outsb
		add	[ebp+0], ah
		js	short $+2
		jo	short $+2
		insb
		add	[ecx+0], ah
		imul	eax, [eax], 65006Eh
		add	fs:[eax], ah
		add	[esi+0], ah
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], dh
		jb	short $+2
		add	gs:[ebx+0], dh
		add	cs:[eax], ah
		add	[esi+0], al
		imul	eax, [eax], 65006Ch
		cmp	al, [eax]
		and	[eax], al
		and	eax, 20007300h
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1HO@GNIINMFH@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAf?$AAi?$AAn?$AAd?$AA?5@NNGAKEGL@:
					; DATA XREF: BiAddStoreFromFile+A2F8Bo
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[esi+0], ah
		imul	eax, [eax], 64006Eh
		and	[eax], al
		popa
		add	[eax], ah
		add	[ebx+0], ch
		add	gs:[ecx+0], bh
		and	[eax], al
		jz	short $+2
		outsd
		add	[eax], ah
		add	[eax+eax+6Fh], ch
		add	[ecx+0], ah
		add	fs:[eax], ah
		add	[ebx+0], dh
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[eax], ah
		add	ds:2E007300h, ah
		add	[eax], ah
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		and	[eax], al
		popa
		add	[eax+eax+74h], dh
		add	[ebp+0], ah
		insd
		add	[eax+0], dh
		jz	short $+2
		add	gs:[eax+eax+20h], ah
		add	[ebx+0], ch
		add	gs:[ecx+0], bh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 73007700h
; 
		db 0
		db 2 dup(0)
; 

??_C@_1EE@OJEMMLOB@?$AAO?$AAp?$AAe?$AAn?$AAi?$AAn?$AAg?$AA?5?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?5@NNGAKEGL@:
					; DATA XREF: BiOpenSystemStore+1Bo
		dec	edi
		add	[eax+0], dh
		add	gs:[esi+0], ch
		imul	eax, [eax], 67006Eh
		and	[eax], al
		jnb	short $+2
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[esi], ch
		add	[eax], ah
		add	[esi+0], al
		insb
		add	[ecx+0], ah
		add	[bp+di+0], dh
		cmp	al, [eax]
		and	[eax], al
		xor	[eax], al
		js	short $+2
		and	eax, 7800h

loc_8C710D:				; DATA XREF: BiOpenSystemStore+1B1o
		add	[esi+0], al
		outsd
		add	[ebp+0], dh
		outsb
		add	[eax+eax+20h], ah
		add	[eax+eax+6Fh], ch
		add	[ecx+0], ah
		add	fs:[ebp+0], ah
		add	fs:[eax], ah
		add	[ebx+0], dh
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[ecx+0], ah
		jz	short $+2
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		and	[eax], al
		and	eax, 7300h
; 
		db 0
; 

??_C@_1GE@BKEKDECN@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAm?$AAa?$AAr?$AAk?$AA?5@NNGAKEGL@:
					; DATA XREF: BiLoadSystemStore+A305Bo
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ebp+0], ch
		popa
		add	[edx+0], dh
		imul	eax, [eax], 20h
		add	[ebx+0], dh
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[esi], ch
		add	[eax], ah
		add	[esi+0], al
		imul	eax, [eax], 65006Ch
		cmp	al, [eax]
		and	[eax], al
		and	eax, 73007700h
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1FO@CPLCCCHE@?$AAF?$AAi?$AAl?$AAe?$AA?5?$AAi?$AAs?$AA?5?$AAn?$AAo?$AAt?$AA?5?$AAs?$AAy?$AAs@NNGAKEGL@:
					; DATA XREF: BiLoadSystemStore+A307Bo
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		and	[eax], al
		imul	eax, [eax], 200073h
		outsb
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		jnb	short $+2
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[esi], ch
		add	[eax], ah
		add	[esi+0], al
		imul	eax, [eax], 65006Ch
		cmp	al, [eax]
		and	[eax], al
		and	eax, 73007700h
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h

loc_8C7209:				; DATA XREF: BiCleanupLoadedStores+6Bo
					; BiOpenSystemStore+9Co
		add	[edx+0], al
		inc	ebx
		add	[eax+eax+0], al
; 
		db 0

;  S U B	R O U T	I N E 


??_C@_1HG@EJMNDF@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAa?$AAd?$AAd?$AA?5?$AAs@NNGAKEGL@ proc near
					; DATA XREF: BiLoadSystemStore+A3022o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], ah
		add	fs:[eax+eax+20h], ah
		add	[ebx+0], dh
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[esi+0], ah
		jb	short $+2
		outsd
		add	[ebp+0], ch
		and	[eax], al
		db	66h
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	cs:[eax], ah
		add	[esi+0], al
		imul	eax, [eax], 65006Ch
		cmp	al, [eax]
		and	[eax], al
		and	eax, 73007700h
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[esi+0], al	; DATA XREF: BiOpenSystemStore+A24BFo
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edx+0], ah
		imul	eax, [eax], 64006Eh
		and	[eax], al
		ja	short $+2
		imul	eax, [eax], 680074h
		and	[eax], al
		db	66h
		add	[ecx+0], ch
		jb	short $+2
		insd
		add	[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[esi], ch
		add	[eax], ah
		add	[esi+0], al
		insb
		add	[ecx+0], ah
		add	[bp+di+0], dh
		cmp	al, [eax]
		and	[eax], al
		xor	[eax], al
		js	short $+2
		and	eax, 20007800h
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[edx+0], al	; DATA XREF: BcdFlushStore+A5B10o
		arpl	[eax], ax
		add	fs:[esi+0], al
		insb
		add	[ebp+0], dh
		jnb	short $+2
		push	74005300h
		add	[edi+0], ch
		jb	short $+2
		add	gs:[edx], bh
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], ah
		arpl	[eax], ax
		jno	short $+2
		jnz	short $+2
		imul	eax, [eax], 650072h
		and	[eax], al
		inc	edx
		add	[ebx+0], al
		inc	esp
		add	[eax], ah
		add	[ebx+0], dh
		jns	short $+2
		outsb
		add	[ebx+0], ah
		and	[eax], al
		insd
		add	[ebp+0], dh
		jz	short $+2
		popa
		add	[esi+0], ch
		jz	short $+2
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[ebx+0], dl	; DATA XREF: BiOpenSystemStore:loc_9043CDo
		jo	short $+2
		add	gs:[ebx+0], ah
		imul	eax, [eax], 690066h
		add	gs:[eax+eax+20h], ah
		add	[esi+0], ah
		insb
		add	[ecx+0], ah
		add	[bp+di+0], dh
		and	[eax], al
		jo	short $+2
		jb	short $+2
		add	gs:[esi+0], dh
		add	gs:[esi+0], ch
		jz	short $+2
		and	[eax], al
		outsd
		add	[eax+0], dh
		add	gs:[esi+0], ch
		imul	eax, [eax], 67006Eh
		and	[eax], al
		jnz	short $+2
		outsb
		add	[eax+eax+6Fh], ch
		add	[ecx+0], ah
		add	fs:[ebp+0], ah
		add	fs:[eax], ah
		add	[ebx+0], dh
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[eax], al

loc_8C73D7:				; DATA XREF: BiOpenSystemStore+10Eo
		add	[ebx+0], dl
??_C@_1HG@EJMNDF@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAa?$AAd?$AAd?$AA?5?$AAs@NNGAKEGL@ endp

		jns	short $+2
		outsb
		add	[ebx+0], ah
		push	6F007200h
		add	[esi+0], ch
		imul	eax, [eax], 69007Ah
		outsb
		add	[edi+0], ah
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[edi+0], dh
		imul	eax, [eax], 680074h
		and	[eax], al
		db	66h
		add	[ecx+0], ch
		jb	short $+2
		insd
		add	[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[eax], al

loc_8C741B:				; DATA XREF: BiOpenSystemStore+1FAo
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[eax], ah
		add	ds:20007300h, ah
		add	[ecx+0], ch
		jnb	short $+2
		and	[eax], al
		jz	short $+2
		push	20006500h
		add	[ebx+0], dh
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
		endp

		add	[edx+0], dh
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1EO@GNKAIEIC@?$AAT?$AAh?$AAe?$AA?5?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?5?$AAs?$AAt?$AAo?$AAr@NNGAKEGL@:
					; DATA XREF: BiOpenSystemStore+C5o
		push	esp
		add	[eax+0], ch
		add	gs:[eax], ah
		add	[ebx+0], dh
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[ecx+0], ch
		jnb	short $+2
		and	[eax], al
		outsb
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		popa
		add	[eax+eax+72h], ch
		add	[ebp+0], ah
		popa
		add	[eax+eax+79h], ah
		add	[eax], ah
		add	[eax+eax+6Fh], ch
		add	[ecx+0], ah
		add	fs:[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1FA@MKEEABKA@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@:
					; DATA XREF: BcdOpenObject+A2335o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edi+0], ch
		jo	short $+2
		add	gs:[esi+0], ch
		and	[eax], al
		outsd
		add	[edx+0], ah
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		daa
		add	[ebx+0], dh
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
??_C@_1FG@FFBPIKFN@?$AAC?$AAr?$AAe?$AAa?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAo?$AAb?$AAj?$AAe?$AAc?$AAt@NNGAKEGL@:
					; DATA XREF: BiCreateObject(x,x,x,x,x)+4Co
		unicode	0, <Creating object. Version: %d. Type:	0x%08x>,0
; 

??_C@_1GA@BMFPLOJK@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAu?$AAp?$AAd?$AAa?$AAt@NNGAKEGL@:
					; DATA XREF: BcdOpenObject+A22E4o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ebp+0], dh
		jo	short $+2
		add	fs:[ecx+0], ah
		jz	short $+2
		add	gs:[eax], ah
		add	[edi+0], ch
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		and	[eax], al
		inc	edi
		add	[ebp+0], dl
		dec	ecx
		add	[eax+eax+20h], al
		add	[ebx+0], dh
		jz	short $+2
		jb	short $+2
		imul	eax, [eax], 67006Eh
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h

loc_8C75A9:				; DATA XREF: BcdOpenObject+146o
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		and	[eax], al
		popa
		add	[eax+eax+69h], ch
		add	[ecx+0], ah
		jnb	short $+2
		and	[eax], al
		jb	short $+2
		add	gs:[ebx+0], dh
		outsd
		add	[eax+eax+76h], ch
		add	[ebp+0], ah
		jnb	short $+2
		and	[eax], al
		jz	short $+2
		outsd
		add	[eax], ah
		add	large ds:7300h,	ah
		add	[esi+0], al	; DATA XREF: BcdOpenObject+A22F7o
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edi+0], ch
		jo	short $+2
		add	gs:[esi+0], ch
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		and	[eax], al
		db	66h
		add	[edi+0], ch
		jb	short $+2
		and	[eax], al
		popa
		add	[eax+eax+6Ch], ch
		add	[eax], ah
		add	[edi+0], ch
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[esi+0], al	; DATA XREF: BcdOpenObject+A22FFo
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edi+0], ah
		add	gs:[eax+eax+20h], dh
		add	[ecx+0], ah
		insb
		add	[ecx+0], ch
		popa
		add	[ebx+0], dh
		add	gs:[eax+eax+20h], ah
		add	[ecx+0], ch
		add	fs:[ebp+0], ah
		outsb
		add	[eax+eax+69h], dh
		add	[esi+0], ah
		imul	eax, [eax], 720065h
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1FI@PDDFMHFP@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAg?$AAe?$AAt?$AA?5?$AAo@NNGAKEGL@:
					; DATA XREF: BcdOpenObject+A22DCo
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edi+0], ah
		add	gs:[eax+eax+20h], dh
		add	[edi+0], ch
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		and	[eax], al
		imul	eax, [eax], 650064h
		outsb
		add	[eax+eax+69h], dh
		add	[esi+0], ah
		imul	eax, [eax], 720065h
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h

loc_8C76F1:				; DATA XREF: BcdOpenObject+6Do
		add	[edi+0], cl
		jo	short $+2
		add	gs:[esi+0], ch
		imul	eax, [eax], 67006Eh
		and	[eax], al
		outsd
		add	[edx+0], ah
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		and	[eax], al
		and	eax, 7300h

loc_8C7715:				; DATA XREF: BiDeleteElement+5Bo
					; BcdGetElementDataWithFlags+A7o ...
		add	[ebp+0], al
		insb
		add	[ebp+0], ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+73h], dh
; 
		db 3 dup(0)
??_C@_1DA@COAMFJPD@?$AAG?$AAe?$AAn?$AAe?$AAr?$AAa?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAo?$AAb?$AAj?$AAe@NNGAKEGL@:
					; DATA XREF: BiCreateObject(x,x,x,x,x):loc_A29050o
		unicode	0, <Generating object GUID.>,0
??_C@_1CA@CKEBPLDC@?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AA?5?$AAG?$AAU?$AAI?$AAD?$AA?3?$AA?5?$AA?$CF?$AAs@NNGAKEGL@:
					; DATA XREF: BiCreateObject(x,x,x,x,x)+DCo
		unicode	0, <Object GUID: %s>,0
??_C@_1BA@DLALOCKE@?$AAE?$AAl?$AAe?$AAm?$AAe?$AAn?$AAt@NNGAKEGL@:
					; DATA XREF: BcdGetElementDataWithFlags+119o
					; BcdSetElementDataWithFlags+122o
		unicode	0, <Element>,0
; 

??_C@_1LM@EBMDGPOP@?$AAB?$AAc?$AAd?$AAG?$AAe?$AAt?$AAE?$AAl?$AAe?$AAm?$AAe?$AAn?$AAt?$AAD?$AAa@NNGAKEGL@:
					; DATA XREF: BcdGetElementDataWithFlags+A1FCFo
		inc	edx
		add	[ebx+0], ah
		add	fs:[edi+0], al
		add	gs:[eax+eax+45h], dh
		add	[eax+eax+65h], ch
		add	[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
		add	[edi+0], dl
		imul	eax, [eax], 680074h
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
		cmp	al, [eax]
		and	[eax], al
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edi+0], ah
		add	gs:[eax+eax+20h], dh
		add	[edx+0], dh
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		and	[eax], al
		jbe	short $+2
		popa
		add	[eax+eax+75h], ch
		add	[ebp+0], ah
		add	cs:[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		cmp	al, [eax]
		and	[eax], al
		and	eax, 73007700h
		add	[eax], ah
		add	[edx+0], dl
		add	gs:[edi+0], ah
		and	[eax], al
		jz	short $+2
		jns	short $+2
		jo	short $+2
		add	gs:[edx], bh
		add	[eax], ah
		add	ds:75006C00h, ah
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1JO@HHKLDKGJ@?$AAB?$AAc?$AAd?$AAG?$AAe?$AAt?$AAE?$AAl?$AAe?$AAm?$AAe?$AAn?$AAt?$AAD?$AAa@NNGAKEGL@:
					; DATA XREF: BcdGetElementDataWithFlags+A1FACo
		inc	edx
		add	[ebx+0], ah
		add	fs:[edi+0], al
		add	gs:[eax+eax+45h], dh
		add	[eax+eax+65h], ch
		add	[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
		add	[edi+0], dl
		imul	eax, [eax], 680074h
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
		cmp	al, [eax]
		and	[eax], al
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edi+0], ch
		jo	short $+2
		add	gs:[esi+0], ch
		and	[eax], al
		add	gs:[eax+eax+65h], ch
		add	[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		jnb	short $+2
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		add	cs:[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		cmp	al, [eax]
		and	[eax], al
		and	eax, 73007700h
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1KA@HLCLNLCE@?$AAB?$AAc?$AAd?$AAG?$AAe?$AAt?$AAE?$AAl?$AAe?$AAm?$AAe?$AAn?$AAt?$AAD?$AAa@NNGAKEGL@:
					; DATA XREF: BcdGetElementDataWithFlags+1AAo
		inc	edx
		add	[ebx+0], ah
		add	fs:[edi+0], al
		add	gs:[eax+eax+45h], dh
		add	[eax+eax+65h], ch
		add	[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
		add	[edi+0], dl
		imul	eax, [eax], 680074h
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
		cmp	al, [eax]
		and	[eax], al
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edi+0], ch
		jo	short $+2
		add	gs:[esi+0], ch
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		add	cs:[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		cmp	al, [eax]
		and	[eax], al
		and	eax, 73007700h
		add	[eax], ah
		add	[eax+eax+79h], dl
		add	[eax+0], dh
		add	gs:[edx], bh
		add	[eax], ah
		add	ds:73007700h, ah
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[edx+0], al	; DATA XREF: BcdGetElementDataWithFlags+A1F94o
		arpl	[eax], ax
		add	fs:[edi+0], al
		add	gs:[eax+eax+45h], dh
		add	[eax+eax+65h], ch
		add	[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
		add	[edi+0], dl
		imul	eax, [eax], 680074h
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
		cmp	al, [eax]
		and	[eax], al
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], ah
		arpl	[eax], ax
		jno	short $+2
		jnz	short $+2
		imul	eax, [eax], 650072h
		and	[eax], al
		inc	edx
		add	[ebx+0], al
		inc	esp
		add	[eax], ah
		add	[ebx+0], dh
		jns	short $+2
		outsb
		add	[ebx+0], ah
		and	[eax], al
		insd
		add	[ebp+0], dh
		jz	short $+2
		popa
		add	[esi+0], ch
		jz	short $+2
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_17HDJIHIPC@?$AAN?$AA?1?$AAA@NNGAKEGL@: ; DATA XREF: BcdGetElementDataWithFlags+82o
		dec	esi
		add	[edi], ch
		add	[ecx+0], al
; 
		db 2 dup(0)
; 

??_C@_1HC@IKFAJEGO@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@:
					; DATA XREF: BiDeleteElement+A28A1o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edi+0], ch
		jo	short $+2
		add	gs:[esi+0], ch
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		and	[eax], al
		db	66h
		add	[edi+0], ch
		jb	short $+2
		and	[eax], al
		popa
		add	[eax+eax+6Ch], ch
		add	[eax], ah
		add	[edi+0], ch
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		daa
		add	[ebx+0], dh
		and	[eax], al
		add	gs:[eax+eax+65h], ch
		add	[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		jnb	short $+2
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
??_C@_1GM@IPBIONFL@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@:
					; DATA XREF: BiDeleteElement+121o
					; BiDeleteElement+A28C5o
		unicode	0, <Failed to open element %ws key for delete. Status: %x>,0
; 

??_C@_1GO@IGGIJOKF@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAs?$AAe?$AAt?$AA?5?$AAr@NNGAKEGL@:
					; DATA XREF: BcdSetElementDataWithFlags+A1D78o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ebx+0], dh
		add	gs:[eax+eax+20h], dh
		add	[edx+0], dh
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		and	[eax], al
		add	fs:[ecx+0], ah
		jz	short $+2
		popa
		add	[eax], ah
		add	[esi+0], ah
		outsd
		add	[edx+0], dh
		and	[eax], al
		add	gs:[eax+eax+65h], ch
		add	[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		and	[eax], al
		and	eax, 2E007300h
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1CM@NIKMCPNF@?$AAD?$AAe?$AAl?$AAe?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAe?$AAl?$AAe?$AAm?$AAe?$AAn@NNGAKEGL@:
					; DATA XREF: BiDeleteElement+3Eo
		inc	esp
		add	[ebp+0], ah
		insb
		add	[ebp+0], ah
		jz	short $+2
		imul	eax, [eax], 67006Eh
		and	[eax], al
		add	gs:[eax+eax+65h], ch
		add	[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		and	[eax], al
		and	eax, 38003000h
		add	[eax+0], bh
; 
		db 2 dup(0)
; 

??_C@_1FM@MCOPBIDM@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@:
					; DATA XREF: BcdSetElementDataWithFlags+A1D4Do
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edi+0], ch
		jo	short $+2
		add	gs:[esi+0], ch
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		and	[eax], al
		db	66h
		add	[edi+0], ch
		jb	short $+2
		and	[eax], al
		add	gs:[eax+eax+65h], ch
		add	[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		and	[eax], al
		and	eax, 2E007300h
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1GE@MOGGGLMO@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAc?$AAo?$AAn?$AAv?$AAe@NNGAKEGL@:
					; DATA XREF: BcdSetElementDataWithFlags+A1D6Bo
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ebx+0], ah
		outsd
		add	[esi+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		jz	short $+2
		and	[eax], al
		add	fs:[ecx+0], ah
		jz	short $+2
		popa
		add	[eax], ah
		add	[esi+0], ah
		outsd
		add	[edx+0], dh
		and	[eax], al
		add	gs:[eax+eax+65h], ch
		add	[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		and	[eax], al
		and	eax, 2E007300h
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h

loc_8C7C55:				; DATA XREF: BcdSetElementDataWithFlags+72o
		add	[ebx+0], dl
		add	gs:[eax+eax+74h], dh
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		and	[eax], al
		add	gs:[eax+eax+65h], ch
		add	[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		and	[eax], al
		and	eax, 38003000h
		add	[eax+0], bh
; 
		dw 0
; 

??_C@_1GK@DGBKFFHL@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@:
					; DATA XREF: BcdSetElementDataWithFlags+A1D29o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edi+0], ch
		jo	short $+2
		add	gs:[esi+0], ch
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		and	[eax], al
		db	66h
		add	[edi+0], ch
		jb	short $+2
		and	[eax], al
		outsd
		add	[edx+0], ah
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		daa
		add	[ebx+0], dh
		and	[eax], al
		add	gs:[eax+eax+65h], ch
		add	[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		jnb	short $+2
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h

loc_8C7CE9:				; DATA XREF: BcdGetSystemStorePath+4Eo
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		jo	short $+2
		popa
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		endp

		add	[esi+0], ch
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7300h
; 
		db 0
??_C@_1CC@MDJGBMLK@?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr?$AAe?$AAV?$AAa?$AAr?$AAi?$AAa?$AAb?$AAl@NNGAKEGL@:
					; DATA XREF: BiCreateEfiEntry(x,x)+A1o
					; BiCreateEfiEntry(x,x)+111o ...
		unicode	0, <FirmwareVariable>,0

;  S U B	R O U T	I N E 


??_C@_1CM@NIKLLOAB@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?5?$AAs?$AAt?$AAo?$AAr?$AAe?$AA?5?$AAp?$AAa@NNGAKEGL@ proc	near
					; DATA XREF: BcdGetSystemStorePath+27o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
??_C@_1CM@NIKLLOAB@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?5?$AAs?$AAt?$AAo?$AAr?$AAe?$AA?5?$AAp?$AAa@NNGAKEGL@ endp

		add	[edx+0], dh
		add	gs:[eax], ah
		add	[eax+0], dh
		popa
		add	[eax+eax+68h], dh
		add	[edx], bh
		add	[eax], ah
		add	large ds:7300h,	ah
; 
		db 0
; 

??_C@_1FG@JFDBELFL@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAg?$AAe?$AAt?$AA?5?$AAs@NNGAKEGL@:
					; DATA XREF: BcdGetSystemStorePath+A2A72o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edi+0], ah
		add	gs:[eax+eax+20h], dh
		add	[ebx+0], dh
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		jo	short $+2
		popa
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1HC@IHHDHBPH@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5?$AAn?$AAe?$AAw@NNGAKEGL@:
					; DATA XREF: BiLoadHive+A2FA2o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[edi+0], ch
		jo	short $+2
		add	gs:[esi+0], ch
		and	[eax], al
		outsb
		add	[ebp+0], ah
		ja	short $+2
		insb
		add	[ecx+0], bh
		and	[eax], al
		insb
		add	[edi+0], ch
		popa
		add	[eax+eax+65h], ah
		add	[eax+eax+20h], ah
		add	[ebx+0], ch
		add	gs:[ecx+0], bh
		and	[eax], al
		and	eax, 73007700h
		add	[esi], ch
		add	[eax], ah
		add	[esi+0], al
		insb
		add	[ecx+0], ah
		add	[bp+di+0], dh
		cmp	al, [eax]
		and	[eax], al
		xor	[eax], al
		js	short $+2
		and	eax, 20007800h
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1GO@MDEDFILO@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAa?$AAc?$AAq?$AAu?$AAi@NNGAKEGL@:
					; DATA XREF: BiLoadHive+A2F08o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], ah
		arpl	[eax], ax
		jno	short $+2
		jnz	short $+2
		imul	eax, [eax], 650072h
		and	[eax], al
		jo	short $+2
		add	gs:[edx+0], dh
		insd
		add	[ecx+0], ch
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
		and	[eax], al
		jz	short $+2
		outsd
		add	[eax], ah
		add	[eax+eax+6Fh], ch
		add	[ecx+0], ah
		add	fs:[eax], ah
		add	[eax+0], ch
		imul	eax, [eax], 650076h
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[esi+0], al	; DATA XREF: BiLoadHive+A2F58o
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], ch
		add	[ecx+0], ah
		add	fs:[eax], ah
		add	[ebx+0], ch
		add	gs:[ecx+0], bh
		and	[eax], al
		and	eax, 73007700h
		add	[esi], ch
		add	[eax], ah
		add	[esi+0], al
		insb
		add	[ecx+0], ah
		add	[bp+di+0], dh
		cmp	al, [eax]
		and	[eax], al
		xor	[eax], al
		js	short $+2
		and	eax, 20007800h
		add	[esi+0], al
		imul	eax, [eax], 65006Ch
		cmp	al, [eax]
		and	[eax], al
		and	eax, 20007300h
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[esi+0], al	; DATA XREF: BiLoadHive+A2EEBo
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[edi+0], ch
		jo	short $+2
		add	gs:[esi+0], ch
		and	[eax], al
		imul	eax, [eax], 65h
		add	[ecx+0], bh
		and	[eax], al
		and	eax, 73007700h
		add	[esi], ch
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[eax+eax+52h], bl ; DATA XREF: BiIsPortableWorkspaceBoot()+15o
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebp+0], cl
		imul	eax, [eax], 69006Eh
		dec	esi
		add	[eax+eax+0], dl

loc_8C7FB5:				; DATA XREF: SiGetBootDeviceNameFromRegistry(x,x)+1Do
					; SiIsWinPEBoot()+20o ...
		add	[eax+eax+52h], bl
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al
		dec	ebp
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+0], ch

loc_8C801B:				; DATA XREF: SiIsWinPEBoot()+2Eo
					; BiIsWinPEBoot()+30o
		add	[ebp+0], cl
		dec	ecx
		add	[esi+0], cl
		dec	ecx
		add	[esi+0], cl
		push	esp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1DA@IFMDNCPF@?$AAP?$AAo?$AAr?$AAt?$AAa?$AAb?$AAl?$AAe?$AAO?$AAp?$AAe?$AAr?$AAa?$AAt?$AAi@NNGAKEGL@:
					; DATA XREF: BiIsPortableWorkspaceBoot()+3Bo
		push	eax
		add	[edi+0], ch
		jb	short $+2
		jz	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		dec	edi
		add	[eax+0], dh
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[esi+0], ch
		add	[bp+di+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
		db 2 dup(0)
; 

??_C@_1CG@BLIBLCJE@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAt?$AAa?$AAr?$AAt?$AAO?$AAp?$AAt?$AAi@NNGAKEGL@:
					; DATA XREF: SiIsWinPEBoot()+12o
					; BiIsWinPEBoot()+1Do
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dw 0
; wchar_t ??_C
??_C@_1BE@DNDHOCGP@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAo?$AAr?$AAy@NNGAKEGL@:
					; DATA XREF: BiIsValidDiskDevice+8o
					; SiIsValidDiskDevice(x,x)+8o
		unicode	0, <Directory>,0
; wchar_t ??_C
??_C@_1BC@PEHNMCKA@?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs?$AAk@NNGAKEGL@:
					; DATA XREF: BiIsValidDiskDevice+31o
					; SiIsValidDiskDevice(x,x)+2Co
		unicode	0, <Harddisk>,0
; wchar_t ??_C
??_C@_1DA@FBMBGMIJ@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AA?$CF?$AAs?$AA?2?$AAP?$AAa?$AAr?$AAt@NNGAKEGL@ db '\',0
					; DATA XREF: BiGetNtPartitionPath+1BEo
					; BiGetNtPartitionPath+252o ...
aDeviceSPartiti:
		unicode	0, <Device\%s\Partition%lu>,0
; 

; wchar_t ??_C
??_C@_1CK@HJDFLMHG@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAP?$AAh?$AAy?$AAs?$AAi?$AAc?$AAa?$AAl?$AAD?$AAr?$AAi@NNGAKEGL@:
					; DATA XREF: BiGetPhysicalDriveName(x,x)+A7o
		pop	esp
		add	[edi], bh
		add	[edi], bh
		add	[eax+eax+50h], bl
		add	[eax+0], ch
		jns	short $+2
		jnb	short $+2
		imul	eax, [eax], 610063h
		insb
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:75006C00h, ah
; 
		db 3 dup(0)
; wchar_t ??_C
??_C@_1CO@JFDIPJLA@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@NNGAKEGL@:
					; DATA XREF: BiCreatePartitionDevice+A1C4Bo
					; BiCreateFileDeviceElement(x,x,x)+12o
		unicode	0, <\Device\HarddiskVolume>,0
; 

??_C@_1BA@CCLAPIHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@NNGAKEGL@:
					; DATA XREF: BiGetNtPartitionPath:loc_861275o
					; SiGetEfiSystemDevice(x,x,x)+AAo
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
; 
		db 2 dup(0)
; 

??_C@_1DM@JCLOENPL@?$AAB?$AAi?$AAn?$AAd?$AAi?$AAn?$AAg?$AA?5?$AAE?$AAF?$AAI?$AA?5?$AAn?$AAa?$AAm@NNGAKEGL@:
					; DATA XREF: BiBindEfiNamespaceObjects(x)+9o
		inc	edx
		add	[ecx+0], ch
		outsb
		add	[eax+eax+69h], ah
		add	[esi+0], ch
		add	[bx+si], ah
		add	[ebp+0], al
		inc	esi
		add	[ecx+0], cl
		and	[eax], al
		outsb
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
		jnb	short $+2
		jo	short $+2
		popa
		add	[ebx+0], ah
		add	gs:[eax], ah
		add	[edi+0], ch
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1EI@CKKEMGAG@?$AAB?$AAi?$AAB?$AAi?$AAn?$AAd?$AAE?$AAf?$AAi?$AAN?$AAa?$AAm?$AAe?$AAs?$AAp@NNGAKEGL@:
					; DATA XREF: BiBindEfiNamespaceObjects(x)+50o
		inc	edx
		add	[ecx+0], ch
		inc	edx
		add	[ecx+0], ch
		outsb
		add	[eax+eax+45h], ah
		add	[esi+0], ah
		imul	eax, [eax], 61004Eh
		insd
		add	[ebp+0], ah
		jnb	short $+2
		jo	short $+2
		popa
		add	[ebx+0], ah
		add	gs:[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		and	[eax], al
		db	66h
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	large ds:7800h,	ah
; 
		db 0
; 

??_C@_1DO@EJCDHKOL@?$AAB?$AAi?$AAB?$AAi?$AAn?$AAd?$AAE?$AAf?$AAi?$AAB?$AAo?$AAo?$AAt?$AAM?$AAa@NNGAKEGL@:
					; DATA XREF: BiBindEfiBootManager(x,x)+1B9o
		inc	edx
		add	[ecx+0], ch
		inc	edx
		add	[ecx+0], ch
		outsb
		add	[eax+eax+45h], ah
		add	[esi+0], ah
		imul	eax, [eax], 6F0042h
		outsd
		add	[eax+eax+4Dh], dh
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		and	[eax], al
		db	66h
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	large ds:7800h,	ah
		add	[edx+0], al	; DATA XREF: BiBindEfiEntries(x,x)+38o
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		add	gs:[esi+0], ch
		jz	short $+2
		jb	short $+2
		jns	short $+2
		and	[eax], al
		add	gs:[eax+0], bh
		imul	eax, [eax], 740073h
		jnb	short $+2
		and	[eax], al
		db	66h
		add	[edi+0], ch
		jb	short $+2
		and	[eax], al
		inc	esp
		add	[edi+0], ch
		outsb
		add	[eax+eax+53h], dh
		add	[ecx+0], bh
		outsb
		add	[ebx+0], ah
		and	[eax], al
		ja	short $+2
		imul	eax, [eax], 680074h
		and	[eax], al
		dec	ecx
		add	[eax+eax+20h], al
		add	[eax], dh
		add	[eax+0], bh
		and	eax, 7800h
; 
		db 0
; 

??_C@_1DA@FADLAHEF@?$AA?2?$AAE?$AAF?$AAI?$AA?2?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?2@NNGAKEGL@:
					; DATA XREF: BcdGetSystemStorePath+A2A4Do
		pop	esp
		add	[ebp+0], al
		inc	esi
		add	[ecx+0], cl
		pop	esp
		add	[ebp+0], cl
		imul	eax, [eax], 720063h
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edx+0], al
		outsd
		add	[edi+0], ch
		jz	short $+2
		pop	esp
		add	[edx+0], al
		inc	ebx
		add	[eax+eax+0], al
		add	[edx+0], al	; DATA XREF: BiBuildIdentifierList(x,x,x)+545o
		imul	eax, [eax], 750042h
		imul	eax, [eax], 64006Ch
		dec	ecx
		add	[eax+eax+65h], ah
		add	[esi+0], ch
		jz	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		dec	esp
		add	[ecx+0], ch
		jnb	short $+2
		jz	short $+2
		and	[eax], al
		db	66h
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	large ds:7800h,	ah
		add	[ebp+0], al	; DATA XREF: BiExportStoreAlterationsToEfi(x)+9o
		js	short $+2
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 67006Eh
		and	[eax], al
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[ecx+0], ah
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
		and	[eax], al
		jz	short $+2
		outsd
		add	[eax], ah
		add	[ebp+0], ah
		db	66h
		add	[ecx+0], ch
; 
		db 2 dup(0)
; 

??_C@_1FA@COMALIMP@?$AAB?$AAi?$AAE?$AAx?$AAp?$AAo?$AAr?$AAt?$AAS?$AAt?$AAo?$AAr?$AAe?$AAA?$AAl@NNGAKEGL@:
					; DATA XREF: BiExportStoreAlterationsToEfi(x)+55o
		inc	edx
		add	[ecx+0], ch
		inc	ebp
		add	[eax+0], bh
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		push	ebx
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
		add	gs:[ecx+0], al
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
		push	esp
		add	[edi+0], ch
		inc	ebp
		add	[esi+0], ah
		imul	eax, [eax], 660020h
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	large ds:7800h,	ah
; 
		db 0
; 

??_C@_1DK@EFCNLFKL@?$AAB?$AAi?$AAE?$AAx?$AAp?$AAo?$AAr?$AAt?$AAB?$AAc?$AAd?$AAO?$AAb?$AAj?$AAe@NNGAKEGL@:
					; DATA XREF: BiExportBcdObjects(x,x)+E9o
		inc	edx
		add	[ecx+0], ch
		inc	ebp
		add	[eax+0], bh
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		inc	edx
		add	[ebx+0], ah
		add	fs:[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		and	[eax], al
		db	66h
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	large ds:7800h,	ah
; 
		db 0
??_C@_1EE@FJNEFEPL@?$AAB?$AAi?$AAE?$AAx?$AAp?$AAo?$AAr?$AAt?$AAE?$AAf?$AAi?$AAB?$AAo?$AAo?$AAt@NNGAKEGL@:
					; DATA XREF: BiExportEfiBootManager(x,x,x)+2E3o
		unicode	0, <BiExportEfiBootManager failed: %x>,0
??_C@_1DI@CDFHKDHD@?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAd?$AA?5?$AAn?$AAe?$AAw?$AA?5?$AAb?$AAo?$AAo@NNGAKEGL@:
					; DATA XREF: BiCreateEfiEntry(x,x)+FCo
		unicode	0, <Created new	boot entry 0x%x>,0
??_C@_1DG@CHHIIJIE@?$AAB?$AAi?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAE?$AAf?$AAi?$AAE?$AAn?$AAt?$AAr@NNGAKEGL@:
					; DATA XREF: BiCreateEfiEntry(x,x)+14Bo
		unicode	0, <BiCreateEfiEntry failed %x>,0
??_C@_1DG@JDHODPKM@?$AAB?$AAi?$AAB?$AAi?$AAn?$AAd?$AAE?$AAf?$AAi?$AAE?$AAn?$AAt?$AAr?$AAi?$AAe@NNGAKEGL@ db 'B',0
					; DATA XREF: BiBindEfiEntries(x,x)+103o
aIbindefientrie:
		unicode	0, <iBindEfiEntries failed %x>,0
; 

??_C@_1FM@ILDKKABF@?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAd?$AA?5?$AAb?$AAo?$AAo?$AAt?$AA?5?$AAe?$AAn@NNGAKEGL@:
					; DATA XREF: BiCreateEfiEntry(x,x)+8Co
		inc	ebx
		add	[edx+0], dh
		add	gs:[ecx+0], ah
		jz	short $+2
		add	gs:[eax+eax+20h], ah
		add	[edx+0], ah
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		add	gs:[esi+0], ch
		jz	short $+2
		jb	short $+2
		jns	short $+2
		and	[eax], al
		xor	[eax], al
		js	short $+2
		and	eax, 20007800h
		add	[ebp+0], dh
		jnb	short $+2
		imul	eax, [eax], 67006Eh
		and	[eax], al
		arpl	[eax], ax
		popa
		add	[ebx+0], ah
		push	64006500h
		add	[eax], ah
		add	[esi+0], dh
		popa
		add	[edx+0], dh
		imul	eax, [eax], 620061h
		insb
		add	[ebp+0], ah
; 
		dw 0
??_C@_1FC@IKHACEFF@?$AAT?$AAr?$AAa?$AAn?$AAs?$AAl?$AAa?$AAt?$AAe?$AAd?$AA?5?$AAa?$AA?5?$AAD?$AAo@NNGAKEGL@:
					; DATA XREF: BiTranslateBootEntryId(x,x,x)+32o
		unicode	0, <Translated a DontSync entry	with ID	0x%x>,0
; 

??_C@_1FA@HPKMDCCM@?$AAT?$AAr?$AAa?$AAn?$AAs?$AAl?$AAa?$AAt?$AAe?$AAd?$AA?5?$AAa?$AA?5?$AAD?$AAo@NNGAKEGL@:
					; DATA XREF: BiTranslateObjectIdentifier(x,x,x)+31o
		push	esp
		add	[edx+0], dh
		popa
		add	[esi+0], ch
		jnb	short $+2
		insb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax+eax+20h], ah
		add	[ecx+0], ah
		and	[eax], al
		inc	esp
		add	[edi+0], ch
		outsb
		add	[eax+eax+53h], dh
		add	[ecx+0], bh
		outsb
		add	[ebx+0], ah
		and	[eax], al
		outsd
		add	[edx+0], ah
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		and	[eax], al
		jz	short $+2
		outsd
		add	[eax], ah
		add	[ecx+0], cl
		inc	esp
		add	[eax], ah
		add	[eax], dh
		add	[eax+0], bh
		and	eax, 7800h
		add	[edx+0], al	; DATA XREF: BiUpdateEfiEntry(x,x)+110o
		imul	eax, [eax], 700055h
		add	fs:[ecx+0], ah
		jz	short $+2
		add	gs:[ebp+0], al
		db	66h
		add	[ecx+0], ch
		inc	ebp
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		jns	short $+2
		and	[eax], al
		db	66h
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	large ds:7800h,	ah
; 
		db 0
; wchar_t ??_C
??_C@_1BG@IHEHAJI@?$AAB?$AAC?$AAD?$AAO?$AAB?$AAJ?$AAE?$AAC?$AAT?$AA?$DN@NNGAKEGL@:
					; DATA XREF: BiCreateBootEntry(x,x)+2CBo
					; BiGetObjectReferenceFromEfiEntry(x,x)+66o ...
		unicode	0, <BCDOBJECT=>,0
; 

??_C@_1FG@BBCBCAPA@?$AAB?$AAi?$AAS?$AAp?$AAa?$AAc?$AAe?$AAs?$AAU?$AAp?$AAd?$AAa?$AAt?$AAe?$AAP@NNGAKEGL@:
					; DATA XREF: BiUpdateEfiEntry(x,x)+7Eo
		inc	edx
		add	[ecx+0], ch
		push	ebx
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		push	ebp
		add	[eax+0], dh
		add	fs:[ecx+0], ah
		jz	short $+2
		add	gs:[eax+0], dl
		push	73007900h
		add	[ecx+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+44h], ch
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		push	eax
		add	[ecx+0], ah
		jz	short $+2
		push	66002000h
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	large ds:7800h,	ah
		add	[esi+0], al	; DATA XREF: BiEnumerateBootEntries(x,x)+8Co
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ebp+0], ah
		outsb
		add	[ebp+0], dh
		insd
		add	[ebp+0], ah
		jb	short $+2
		popa
		add	[eax+eax+65h], dh
		add	[eax], ah
		add	[edx+0], ah
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		add	gs:[esi+0], ch
		jz	short $+2
		jb	short $+2
		imul	eax, [eax], 730065h
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1DC@NCCLAKLN@?$AAD?$AAe?$AAl?$AAe?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAb?$AAo?$AAo?$AAt?$AA?5?$AAe@NNGAKEGL@:
					; DATA XREF: BiDeleteBootEntry(x)+14o
		inc	esp
		add	[ebp+0], ah
		insb
		add	[ebp+0], ah
		jz	short $+2
		imul	eax, [eax], 67006Eh
		and	[eax], al
		bound	eax, [eax]
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		add	gs:[esi+0], ch
		jz	short $+2
		jb	short $+2
		jns	short $+2
		and	[eax], al
		xor	[eax], al
		js	short $+2
		and	eax, 7800h
; 
		db 0
??_C@_19LJDFFCJJ@?$AA?$CF?$AAs?$AA?$CF?$AAs@NNGAKEGL@: ; DATA XREF: SiGetBootDeviceName+CFo
					; BiCreateBootEntry(x,x)+2D9o
		unicode	0, <%s%s>,0
; 

??_C@_1EK@DADMEGIB@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAa?$AAd?$AAd?$AA?5?$AAb@NNGAKEGL@:
					; DATA XREF: BiAddBootEntry(x,x)+36o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], ah
		add	fs:[eax+eax+20h], ah
		add	[edx+0], ah
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		add	gs:[esi+0], ch
		jz	short $+2
		jb	short $+2
		jns	short $+2
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
??_C@_1KA@IBHAJMFM@?$AAB?$AAi?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAB?$AAo?$AAo?$AAt?$AAE?$AAn?$AAt@NNGAKEGL@:
					; DATA XREF: BiCreateBootEntry(x,x)+87o
		unicode	0, <BiCreateBootEntry: Could not retrieve BCD Object applicat>
		unicode	0, <ion	device.	Status:	%x>,0
??_C@_1JM@LOPNJMKF@?$AAB?$AAi?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAB?$AAo?$AAo?$AAt?$AAE?$AAn?$AAt@NNGAKEGL@:
					; DATA XREF: BiCreateBootEntry(x,x)+B9o
		unicode	0, <BiCreateBootEntry: Could not retrieve BCD Object applicat>
		unicode	0, <ion	path. Status: %x>,0
??_C@_1KK@IILAFCHP@?$AAB?$AAi?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAB?$AAo?$AAo?$AAt?$AAE?$AAn?$AAt@NNGAKEGL@:
					; DATA XREF: BiCreateBootEntry(x,x)+55o
		unicode	0, <BiCreateBootEntry: Could not retrieve BCD Object applicat>
		unicode	0, <ion	description. Status: %x>,0
; 

??_C@_1FK@GDCDCJIK@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAq?$AAu?$AAe?$AAr?$AAy@NNGAKEGL@:
					; DATA XREF: BiQueryBootEntryOrder(x,x)+6Fo
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], dh
		jnz	short $+2
		add	gs:[edx+0], dh
		jns	short $+2
		and	[eax], al
		bound	eax, [eax]
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		add	gs:[esi+0], ch
		jz	short $+2
		jb	short $+2
		jns	short $+2
		and	[eax], al
		outsd
		add	[edx+0], dh
		add	fs:[ebp+0], ah
		jb	short $+2
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[esi+0], al	; DATA XREF: BiQueryBootOptions(x,x)+71o
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], dh
		jnz	short $+2
		add	gs:[edx+0], dh
		jns	short $+2
		and	[eax], al
		bound	eax, [eax]
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		outsd
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[esi+0], al	; DATA XREF: BiSetBootEntryOrder(x,x)+36o
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ebx+0], dh
		add	gs:[eax+eax+20h], dh
		add	[edx+0], ah
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		add	gs:[esi+0], ch
		jz	short $+2
		jb	short $+2
		jns	short $+2
		and	[eax], al
		outsd
		add	[edx+0], dh
		add	fs:[ebp+0], ah
		jb	short $+2
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[esi+0], al	; DATA XREF: BiSetBootOptions(x,x)+36o
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ebx+0], dh
		add	gs:[eax+eax+20h], dh
		add	[edx+0], ah
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		outsd
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1FI@CPKADNBM@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAd?$AAe?$AAl?$AAe?$AAt@NNGAKEGL@:
					; DATA XREF: BiDeleteEfiVariable(x)+AAo
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[eax+eax+65h], ah
		add	[eax+eax+65h], ch
		add	[eax+eax+65h], dh
		add	[eax], ah
		add	[edx], ah
		add	ds:73007700h, ah
		add	[edx], ah
		add	[eax], ah
		add	[esi+0], dh
		popa
		add	[edx+0], dh
		imul	eax, [eax], 620061h
		insb
		add	[ebp+0], ah
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[esi+0], al	; DATA XREF: BiModifyBootEntry(x)+34o
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ebp+0], ch
		outsd
		add	[eax+eax+69h], ah
		add	[esi+0], ah
		jns	short $+2
		and	[eax], al
		bound	eax, [eax]
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		add	gs:[esi+0], ch
		jz	short $+2
		jb	short $+2
		jns	short $+2
		and	[eax], al
		xor	[eax], al
		js	short $+2
		and	eax, 2E007800h
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
; 

??_C@_1FK@DFNGLIPH@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAd?$AAe?$AAl?$AAe?$AAt@NNGAKEGL@:
					; DATA XREF: BiDeleteBootEntry(x)+42o
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 65006Ch
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[eax+eax+65h], ah
		add	[eax+eax+65h], ch
		add	[eax+eax+65h], dh
		add	[eax], ah
		add	[edx+0], ah
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		add	gs:[esi+0], ch
		jz	short $+2
		jb	short $+2
		jns	short $+2
		and	[eax], al
		xor	[eax], al
		js	short $+2
		and	eax, 2E007800h
		add	[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
		add	[esi+0], al	; DATA XREF: BiDeleteEfiVariable(x)+8Ao
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], dh
		jnz	short $+2
		add	gs:[edx+0], dh
		jns	short $+2
		and	[eax], al
		and	al, [eax]
		and	eax, 73007700h
		add	[edx], ah
		add	[eax], ah
		add	[esi+0], dh
		popa
		add	[edx+0], dh
		imul	eax, [eax], 620061h
		insb
		add	[ebp+0], ah
		add	cs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
		cmp	al, [eax]
		and	[eax], al
		and	eax, 7800h
; 
		db 0
??_C@_1BE@FGPPDGFO@?$AA?2?$AAB?$AAo?$AAo?$AAt?$AA?2?$AAB?$AAC?$AAD@NNGAKEGL@:
					; DATA XREF: BcdGetSystemStorePath+21o
		unicode	0, <\Boot\BCD>,0
??_C@_1CK@LADPALDF@?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AAS?$AAy?$AAs?$AAP?$AAa?$AAr?$AAt?$AAD@NNGAKEGL@:
					; DATA XREF: SiGetSystemPartition(x,x)+Fo
					; SiGetSystemDisk(x,x)+1Eo
		unicode	0, <WindowsSysPartDevice>,0
; 

??_C@_1CG@EEKKLGPP@?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr?$AAe?$AAB?$AAo?$AAo?$AAt?$AAD?$AAe?$AAv@NNGAKEGL@:
					; DATA XREF: SiGetFirmwareSystemPartition+2Eo
					; SiGetFirmwareSystemPartition+1293A9o	...
		inc	esi
		add	[ecx+0], ch
		jb	short $+2
		insd
		add	[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[edx+0], al
		outsd
		add	[edi+0], ch
		jz	short $+2
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
; 
		dw 0
??_C@_1CI@PAILJJFK@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAP?$AAh?$AAy?$AAs?$AAi?$AAc?$AAa?$AAl?$AAD?$AAr?$AAi@NNGAKEGL@:
					; DATA XREF: SiFindSystemPartition(x)+24o
		unicode	0, <\??\PhysicalDrive%d>,0
; 

; wchar_t ??_C
??_C@_1BE@DLNCBOIL@?$AAp?$AAa?$AAr?$AAt?$AAi?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@:
					; DATA XREF: SiGetBootDeviceName:loc_8F17A2o
		jo	short $+2
		popa
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
; 
		dw 0
??_C@_1FA@CDDKIFEO@?$AAm?$AAu?$AAl?$AAt?$AAi?$AA?$CI?$AA?$CF?$AAd?$AA?$CJ?$AAd?$AAi?$AAs?$AAk?$AA?$CI?$AA?$CF@NNGAKEGL@	dd offset loc_75006C+1
					; DATA XREF: SiGetBootDeviceName+7Ao
		dd offset loc_74006A+2
aIDDiskDRdiskDP:
		unicode	0, <i(%d)disk(%d)rdisk(%d)partition(%d)>,0
; 

; wchar_t ??_C
??_C@_1EC@LNDFLFLH@?$AA?2?$AAE?$AAF?$AAI?$AA?2?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?2@NNGAKEGL@:
					; DATA XREF: SiIsValidWindowsBootEntry(x,x)+3Ao
		pop	esp
		add	[ebp+0], al
		inc	esi
		add	[ecx+0], cl
		pop	esp
		add	[ebp+0], cl
		imul	eax, [eax], 720063h
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edx+0], al
		outsd
		add	[edi+0], ch
		jz	short $+2
		pop	esp
		add	[edx+0], ah
		outsd
		add	[edi+0], ch
		jz	short $+2
		insd
		add	[edi+0], ah
		db	66h
		add	[edi+0], dh
		add	cs:[ebp+0], ah
		db	66h
		add	[ecx+0], ch
; 
		db 2 dup(0)
; 

??_C@_1CA@BCILKFEE@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAP?$AAa?$AAr?$AAt?$AAi?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@:
					; DATA XREF: SiDisambiguateSystemDevice(x,x)+17o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	eax
		add	[ecx+0], ah
		jb	short $+2
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
; 
		db 2 dup(0)
; 

??_C@_1HG@BDMNOANN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: SiDisambiguateSystemDevice(x,x)+2Bo
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al
		dec	ebp
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jo	short $+2
		popa
		add	[edx+0], dh
		jz	short $+2
; 
		dw 0
??_C@_1EC@DDFPLGMM@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2?$AAm?$AAu?$AAl?$AAt?$AAi?$AA?$CI@NNGAKEGL@:
					; DATA XREF: SiGetBiosSystemDisk(x)+33o
		unicode	0, <\ArcName\multi(0)disk(0)rdisk(1)>,0
; 

??_C@_1DG@NPLCAPOH@?$AAm?$AAu?$AAl?$AAt?$AAi?$AA?$CI?$AA?$CF?$AAd?$AA?$CJ?$AAd?$AAi?$AAs?$AAk?$AA?$CI?$AA?$CF@NNGAKEGL@:
					; DATA XREF: SiIsWinPeHardDiskZeroUfdBoot()+78o
		insd
		add	[ebp+0], dh
		insb
		add	[eax+eax+69h], dh
		add	[eax], ch
		add	ds:29006400h, ah
		add	[eax+eax+69h], ah
		add	[ebx+0], dh
		imul	eax, [eax], 28h
		add	ds:29006400h, ah
		add	[edx+0], dh
		add	fs:[ecx+0], ch
		jnb	short $+2
		imul	eax, [eax], 28h
		add	ds:29006400h, ah
; 
		db 3 dup(0)
??_C@_1CA@KOFIMBAB@?$AA?$CF?$AAs?$AA?2?$AAP?$AAa?$AAr?$AAt?$AAi?$AAt?$AAi?$AAo?$AAn?$AA?$CF?$AAl?$AAu@NNGAKEGL@:
					; DATA XREF: SiGetBiosSystemPartition(x)+102o
		unicode	0, <%s\Partition%lu>,0
; wchar_t ??_C
??_C@_1BI@LDJIHBPK@?$AA?2?$AAP?$AAa?$AAr?$AAt?$AAi?$AAt?$AAi?$AAo?$AAn?$AA0@NNGAKEGL@:
					; DATA XREF: SiGetBiosSystemPartition(x)+50o
		unicode	0, <\Partition0>,0
??_C@_1EC@PIADGFGJ@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2?$AAm?$AAu?$AAl?$AAt?$AAi?$AA?$CI@NNGAKEGL@:
					; DATA XREF: SiGetBiosSystemDisk(x):loc_A2D834o
					; SiIsWinPeHardDiskZeroUfdBoot()+A3o
		unicode	0, <\ArcName\multi(0)disk(0)rdisk(0)>,0
; 

??_C@_1DO@IICHHBAO@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAC?$AAr?$AAi?$AAt?$AAi?$AAc?$AAa@NNGAKEGL@:
					; CODE XREF: _CmOpenDeviceRegKey+115A14p
					; DATA XREF: _PnpCtxGetCachedNodeBaseKey+115CBDo
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+43h], bl
		add	[edx+0], dh
		imul	eax, [eax], 690074h
		arpl	[eax], ax
		popa
		add	[eax+eax+44h], ch
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
		add	[edx+0], ah
		popa
		add	[ebx+0], dh
		add	gs:[eax], al
; 
		db 0
??_C@_1CK@JPNJFHHG@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAP@NNGAKEGL@:
					; DATA XREF: _PnpCtxGetCachedNodeBaseKey+1C4o
		unicode	0, <Control\DevicePanels>,0
; 

??_C@_1DC@BCICPNAD@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC@NNGAKEGL@:
					; DATA XREF: _PnpCtxGetCachedNodeBaseKey+1B7o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+44h], bl
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+61h], dh
		add	[ecx+0], ch
		outsb
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
; 
		dw 0
??_C@_1DC@NFGPPJLC@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI@NNGAKEGL@:
					; DATA XREF: _PnpCtxGetCachedNodeBaseKey+1A0o
		unicode	0, <Control\DeviceInterfaces>,0
??_C@_1CM@KFMFNMGE@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC@NNGAKEGL@ db 'C',0
					; DATA XREF: _PnpCtxGetCachedNodeBaseKey+190o
					; _PnpCtxGetCachedNodeBaseKey+1A7o
aOntrolDevicecl:
		unicode	0, <ontrol\DeviceClasses>,0
; 

??_C@_1BM@DIAIFPKI@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAC?$AAl?$AAa?$AAs?$AAs@NNGAKEGL@:
					; DATA XREF: _PnpCtxGetCachedNodeBaseKey+183o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+43h], bl
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BO@LMKEOBGK@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@:
					; DATA XREF: _PnpCtxGetCachedNodeBaseKey+B8o
		dec	eax
		add	[ecx+0], ah
		jb	short $+2
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[ebx+0], al
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[bx+si], al
; 
		db 0
??_C@_1DG@KMHIMGCI@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAC?$AAo?$AAD?$AAe?$AAv?$AAi?$AAc@NNGAKEGL@:
					; DATA XREF: _PnpCtxGetCachedNodeBaseKey+1D1o
		unicode	0, <Control\CoDeviceInstallers>,0
; 

; wchar_t ??_C
??_C@_1BI@GNPPDLIB@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@:
					; DATA XREF: _CmGetDeviceSoftwareKeyPath+12602Do
					; _CmGetDeviceInterfaceRegKeyPath+11AD42o
		and	eax, 5C007300h
		add	ds:5C007300h, ah
		add	ds:5C007300h, ah
		add	large ds:7300h,	ah

loc_8C8FD1:				; DATA XREF: _CmGetDeviceInstanceKeyPath+95o
					; _CmGetDeviceSoftwareKeyPath+126028o ...
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		endp

		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[eax+0], cl
		popa
		add	[edx+0], dh
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		jnb	short $+2
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
; 
		dw 0

;  S U B	R O U T	I N E 


??_C@_1DM@BNJPOICG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ proc near
					; DATA XREF: _CmGetDeviceHardwareKeyPath+4Eo
					; _CmGetDeviceInstanceKeyPath+38o ...
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
??_C@_1DM@BNJPOICG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ endp

		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebp+0], al
		outsb
		add	[ebp+0], dh
		insd
; 
		db 3 dup(0)
; 

??_C@_1CE@IFGFIICE@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe@NNGAKEGL@:
					; DATA XREF: _CmGetDeviceSoftwareKeyPath+12601Do
					; _CmGetDeviceSoftwareKeyPath+1260A0o ...
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		and	[eax], al
		push	eax
		add	[ecx+0], ah
		jb	short $+2
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		dw 0
; 

; wchar_t ??_C
??_C@_19HPAAKKFB@?$AAZ?$AAZ?$AAZ?$AAZ@NNGAKEGL@:
					; DATA XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+2Fo
		pop	edx
		add	[edx+0], bl
		pop	edx
		add	[edx+0], bl
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_19BCMMBPBA@?$AA9?$AA9?$AA9?$AAA@NNGAKEGL@:
					; DATA XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+13o
		cmp	[eax], eax
		cmp	[eax], eax
		cmp	[eax], eax
		inc	ecx
; 
		db 3 dup(0)
; 

??_C@_1BA@JGFNDEFA@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@NNGAKEGL@:
					; DATA XREF: _CmGetDeviceControlKeyPath(x,x,x,x,x,x,x,x)+37o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
; 
		db 3 dup(0)
??_C@_1CE@JDBBMLAG@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?5?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe@NNGAKEGL@:
					; DATA XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+245o
					; _CmGetDeviceHardwareKeyPath+48o ...
		unicode	0, <Device Parameters>,0

;  S U B	R O U T	I N E 


; wchar_t ??_C
??_C@_1BM@OHMKBCBF@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ proc near
					; DATA XREF: _CmGetDeviceSoftwareKeyPath+126050o
					; _CmGetDeviceHardwareKeyPath+120C4Do ...
		and	eax, 5C007300h
		add	ds:34003000h, ah
		add	[ebp+0], dh
		pop	esp
		add	ds:5C007300h, ah
		add	large ds:7300h,	ah

loc_8C90FB:				; DATA XREF: _CmGetDeviceSoftwareKeyPath+71o
					; _CmGetCommonClassRegKeyPath+CDo ...
		add	[ebx+0], dl
??_C@_1BM@OHMKBCBF@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ endp

		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], al
		insb
		add	[ecx+0], ah
		jnb	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1CC@NAAEOCPD@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF@NNGAKEGL@:
					; DATA XREF: _CmGetDeviceSoftwareKeyPath+1260B1o
					; _CmGetDeviceInterfaceRegKeyPath+11AD7Ao
		and	eax, 5C007300h
		add	ds:34003000h, ah
		add	[ebp+0], dh
		pop	esp
		add	ds:5C007300h, ah
		add	ds:5C007300h, ah
		add	large ds:7300h,	ah
; 
		db 0
; 

??_C@_1FG@MPFEKKOF@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@:
					; DATA XREF: _CmGetDeviceSoftwareKeyPath+12604Bo
					; _CmGetDeviceSoftwareKeyPath+1260ACo ...
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[eax+0], cl
		popa
		add	[edx+0], dh
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_15IHPGJGAA@?$AA?2?$AA?$CD@NNGAKEGL@: ; DATA XREF:	_CmGetDeviceInterfaceSubkeyPath+143o
		pop	esp
		add	[ebx], ah
; 
		db 3 dup(0)
; 

; wchar_t ??_C
??_C@_1BG@JBOBLEJK@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AA?$CF?$AAs@NNGAKEGL@:
					; DATA XREF: _CmGetCommonClassRegKeyPath+117E4Eo
		and	eax, 5C007300h
		add	ds:34003000h, ah
		add	[ebp+0], dh
		pop	esp
		add	large ds:7300h,	ah

loc_8C91DD:				; DATA XREF: _CmGetCommonClassRegKeyPath+3Fo
					; _CmGetDeviceInterfaceRegKeyPath+12Fo	...
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		endp

		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
		add	gs:[ebx+0], dh
; 
		dw 0
??_C@_1BO@HPNNFMNF@?$AAB?$AAa?$AAs?$AAe?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAs@NNGAKEGL@:
					; DATA XREF: _CmAddDeviceToContainerWorker+63o
					; _CmIsDeviceInContainer+58o ...
		unicode	0, <BaseContainers>,0

;  S U B	R O U T	I N E 


; wchar_t ??_C
??_C@_1GK@OAJGGHAA@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ proc near
					; DATA XREF: _CmGetDeviceContainerRegKeyPath(x,x,x,x,x,x,x,x)+49o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
??_C@_1GK@OAJGGHAA@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ endp

		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+61h], dh
		add	[ecx+0], ch
		outsb
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		pop	esp
		add	large ds:7300h,	ah
; 
		db 0
??_C@_1BO@PDEOPOFH@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@NNGAKEGL@:
					; DATA XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+144o
					; _CmDeviceClassesSubkeyCallback+9772Bo ...
		unicode	0, <DeviceInstance>,0
; 

; wchar_t ??_C
??_C@_1BI@FONNLNOC@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAX?$AA?2?$AA?$CF?$AAu@NNGAKEGL@:
					; DATA XREF: _CmBuildDevicePanelId(x,x,x,x,x)+2Eo
		and	eax, 73007700h
		add	[eax+eax+25h], bl
		add	[eax], dh
		add	[eax+eax], dh
		pop	eax
		add	[eax+eax+25h], bl
		add	[ebp+0], dh
; 
		db 2 dup(0)
; 

??_C@_1CM@NLBDFOE@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAP@NNGAKEGL@:
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+44h], bl
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		push	eax
		add	[ecx+0], ah
		outsb
		add	[ebp+0], ah
		insb
		add	[ebx+0], dh
		pop	esp
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1GC@DIEKECLA@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@:
					; DATA XREF: _CmGetDevicePanelRegKeyPath(x,x,x,x,x,x,x,x)+50o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		push	eax
		add	[ecx+0], ah
		outsb
		add	[ebp+0], ah
		insb
		add	[ebx+0], dh
		pop	esp
		add	large ds:7300h,	ah
; 
		db 0
??_C@_1M@BMEDKCKL@?$AA?$CF?$AA0?$AA4?$AAl?$AAX@NNGAKEGL@:
					; DATA XREF: _PnpSetPropertyWorker+C2o
		unicode	0, <%04lX>,0
; wchar_t ??_C
??_C@_1HE@PLLNIKMH@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4@NNGAKEGL@:
					; DATA XREF: _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)+B3o
					; _PnpDeletePropertyWorker+7Fo	...
		unicode	0, <{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}\%04lX>
		unicode	0, <>,0
; 

; wchar_t ??_C
??_C@_1BC@GPHOKLFC@?$AA?$CF?$AAd?$AA?9?$AA?$CF?$AAd?$AA?9?$AA?$CF?$AAd@NNGAKEGL@:
					; DATA XREF: _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)+145o
		and	eax, 2D006400h
		add	ds:2D006400h, ah
		add	large ds:6400h,	ah
		add	[edx], ch	; DATA XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+97o
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+94o
		add	[eax+eax+6Fh], cl
		add	[edi+0], dh
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1O@FGNJOLJB@?$AA?$CK?$AAU?$AAp?$AAp?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+7Bo
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+78o
		sub	al, [eax]
		push	ebp
		add	[eax+0], dh
		jo	short $+2
		add	gs:[edx+0], dh
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1BO@KHANIFDG@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS?$AAe?$AAt?$AA?$CF?$AA0?$AA3?$AAd@NNGAKEGL@:
					; DATA XREF: _SysCtxOpenControlSet+873B5o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+25h], dh
		add	[eax], dh
		add	[ebx], dh
		add	[eax+eax+0], ah

loc_8C9453:				; DATA XREF: .text:off_405028o
		add	[eax+eax+52h], bl
		add	[ebp+0], al
		inc	edi
		add	[ecx+0], cl
		push	ebx
		add	[eax+eax+52h], dl
		add	[ecx+0], bl
		pop	esp
		add	[ebp+0], cl
		inc	ecx
		add	[ebx+0], al
		dec	eax
		add	[ecx+0], cl
		dec	esi
		add	[ebp+0], al
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al
		dec	ebp
		add	[eax+eax+43h], bl
		add	[ebp+0], dl
		push	edx
		add	[edx+0], dl
		inc	ebp
		add	[esi+0], cl
		push	esp
		add	[ebx+0], al
		dec	edi
		add	[esi+0], cl
		push	esp
		add	[edx+0], dl
		dec	edi
		add	[eax+eax+53h], cl
		add	[ebp+0], al
		push	esp
		add	[eax+eax+48h], bl
		add	[ecx+0], al
		push	edx
		add	[eax+eax+57h], al
		add	[ecx+0], al
		push	edx
		add	[ebp+0], al
		and	[eax], al
		push	eax
		add	[edx+0], dl
		dec	edi
		add	[esi+0], al
		dec	ecx
		add	[eax+eax+45h], cl
		add	[ebx+0], dl
		pop	esp
		add	[ebx+0], al
		push	ebp
		add	[edx+0], dl
		push	edx
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+0], dl

loc_8C94DD:				; DATA XREF: .text:off_405020o
		add	[eax+eax+52h], bl
		add	[ebp+0], al
		inc	edi
		add	[ecx+0], cl
		push	ebx
		add	[eax+eax+52h], dl
		add	[ecx+0], bl
		pop	esp
		add	[ebp+0], cl
		inc	ecx
		add	[ebx+0], al
		dec	eax
		add	[ecx+0], cl
		dec	esi
		add	[ebp+0], al
		pop	esp
		add	[ebx+0], dl
		dec	edi
		add	[esi+0], al
		push	esp
		add	[edi+0], dl
		inc	ecx
		add	[edx+0], dl
		inc	ebp
		add	[eax+eax+43h], bl
		add	[eax+eax+41h], cl
		add	[ebx+0], dl
		push	ebx
		add	[ebp+0], al
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_1CE@BGEMHEPM@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@:
					; DATA XREF: .text:off_403DFCo
					; DrvDbCreateDatabaseNode+9C735o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
; 
		db 3 dup(0)
; wchar_t ??_C
??_C@_1CE@PEJPMNIN@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo@NNGAKEGL@:
					; DATA XREF: DrvDbGetDriverPackageMappedProperty+300o
					; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+2B9o ...
		unicode	0, <Microsoft Windows>,0
??_C@_1BA@LIACFDLB@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@NNGAKEGL@:
					; DATA XREF: DrvDbGetDriverPackageMappedProperty+17Ao
					; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+1C6o ...
		unicode	0, <Version>,0
; 

??_C@_1M@IGDBBKDM@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CK@NNGAKEGL@:
					; DATA XREF: DrvDbBuildDeviceIdDriverInfMatch+AE78Do
		and	eax, 73007700h
		add	[eax+eax+2Ah], bl
; 
		db 3 dup(0)
; wchar_t ??_C
??_C@_17MBIMHFNH@?$AA?2?$AA?$CF?$AAX@NNGAKEGL@:
					; DATA XREF: DrvDbBuildDeviceIdDriverInfMatch+6Ao
		unicode	0, <\%X>,0
; wchar_t ??_C
??_C@_1O@HBHOJDCM@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAX@NNGAKEGL@ dd offset loc_770025
					; DATA XREF: DrvDbBuildDeviceIdDriverInfMatch+32o
aSX:
		unicode	0, <s\%X>,0
; 

; wchar_t ??_C
??_C@_1BI@OAILGCEN@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@:
					; DATA XREF: DrvDbCreateDatabaseNode+9C73Ao
		and	eax, 73007700h
		add	[eax+eax+25h], bl
		add	[edi+0], dh
		jnb	short $+2
		pop	esp
		add	ds:73007700h, ah
; 
		db 0
		db 2 dup(0)
; 

??_C@_1O@INIEDEDF@?$AA?$CI?$AAN?$AAU?$AAL?$AAL?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ConvertDevpropcompkeyToString(x,x,x,x)+98o
		sub	[eax], al
		dec	esi
		add	[ebp+0], dl
		dec	esp
		add	[eax+eax+29h], cl
; 
		db 3 dup(0)
??_C@_1M@KADDDLPH@?$AAI?$AAN?$AAT?$AA3?$AA2@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B02Co
		unicode	0, <INT32>,0
; 

??_C@_1O@GLFPBHPD@?$AAU?$AAI?$AAN?$AAT?$AA1?$AA6@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B022o
		push	ebp
		add	[ecx+0], cl
		dec	esi
		add	[eax+eax+31h], dl
		add	[esi], dh
; 
		db 0
		db 2 dup(0)
; 

??_C@_1M@GCJJANKL@?$AAI?$AAN?$AAT?$AA1?$AA6@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B018o
		dec	ecx
		add	[esi+0], cl
		push	esp
		add	[ecx], dh
		add	[esi], dh
; 
		db 0
		db 2 dup(0)
; 

??_C@_19PHIGEKBH@?$AAB?$AAY?$AAT?$AAE@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B00Eo
		inc	edx
		add	[ecx+0], bl
		push	esp
		add	[ebp+0], al
; 
		dw 0
; 

??_C@_1M@CEDMGMPC@?$AAS?$AAB?$AAY?$AAT?$AAE@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B004o
		push	ebx
		add	[edx+0], al
		pop	ecx
		add	[eax+eax+45h], dl
; 
		db 3 dup(0)
??_C@_1M@DDJCIMGP@?$AAE?$AAM?$AAP?$AAT?$AAY@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3AFF0o
		unicode	0, <EMPTY>,0
; 

; wchar_t ??_C
??_C@_1CC@CKHDNODK@?$AA?$FL?$AA?$CI?$AA?$CF?$AAs?$AA?5?$AA?$CF?$AA3?$AAd?$AA?$CJ?$AA?5?$AA?$CF?$AAs?$AA?5?$AA?$CF?$AAs@NNGAKEGL@:
					; DATA XREF: ConvertDevpropcompkeyToString(x,x,x,x)+B5o
		pop	ebx
		add	[eax], ch
		add	ds:20007300h, ah
		add	ds:64003300h, ah
		add	[ecx], ch
		add	[eax], ah
		add	ds:20007300h, ah
		add	ds:5D007300h, ah
; 
		db 0
		db 2 dup(0)
; 

??_C@_19PIJILKAI@?$AAU?$AAs?$AAe?$AAr@NNGAKEGL@:
					; DATA XREF: ConvertDevpropcompkeyToString(x,x,x,x)+A6o
		push	ebp
		add	[ebx+0], dh
		add	gs:[edx+0], dh
; 
		dw 0
??_C@_1BG@LMIOOFJP@?$AAG?$AAU?$AAI?$AAD?$AA_?$AAA?$AAR?$AAR?$AAA?$AAY@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B0F3o
		unicode	0, <GUID_ARRAY>,0
; 

??_C@_19EBPEOCDM@?$AAG?$AAU?$AAI?$AAD@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B072o
		inc	edi
		add	[ebp+0], dl
		dec	ecx
		add	[eax+eax+0], al
; 
		db 0
??_C@_1BA@KOBNDHFB@?$AAD?$AAE?$AAC?$AAI?$AAM?$AAA?$AAL@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B068o
		unicode	0, <DECIMAL>,0
; 

??_C@_1O@NEHDDMNH@?$AAD?$AAO?$AAU?$AAB?$AAL?$AAE@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B05Eo
		inc	esp
		add	[edi+0], cl
		push	ebp
		add	[edx+0], al
		dec	esp
		add	[ebp+0], al
; 
		db 2 dup(0)
; 

??_C@_1M@KPCEFNND@?$AAF?$AAL?$AAO?$AAA?$AAT@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B054o
		inc	esi
		add	[eax+eax+4Fh], cl
		add	[ecx+0], al
		push	esp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1O@NMFDOPMA@?$AAU?$AAI?$AAN?$AAT?$AA6?$AA4@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B04Ao
		push	ebp
		add	[ecx+0], cl
		dec	esi
		add	[eax+eax+36h], dl
		add	[eax+eax], dh
; 
		dw 0
??_C@_1M@NFJFPFJI@?$AAI?$AAN?$AAT?$AA6?$AA4@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B040o
		unicode	0, <INT64>,0
; 

??_C@_1O@KJPFCBKP@?$AAU?$AAI?$AAN?$AAT?$AA3?$AA2@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B036o
		push	ebp
		add	[ecx+0], cl
		dec	esi
		add	[eax+eax+33h], dl
		add	[edx], dh
; 
		db 0
		db 2 dup(0)
; 

??_C@_1DG@OCDNNEBM@?$AAS?$AAE?$AAC?$AAU?$AAR?$AAI?$AAT?$AAY?$AA_?$AAD?$AAE?$AAS?$AAC?$AAR?$AAI@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B0A3o
		push	ebx
		add	[ebp+0], al
		inc	ebx
		add	[ebp+0], dl
		push	edx
		add	[ecx+0], cl
		push	esp
		add	[ecx+0], bl
		pop	edi
		add	[eax+eax+45h], al
		add	[ebx+0], dl
		inc	ebx
		add	[edx+0], dl
		dec	ecx
		add	[eax+0], dl
		push	esp
		add	[edi+0], cl
		push	edx
		add	[edi+0], bl
		push	ebx
		add	[eax+eax+52h], dl
		add	[ecx+0], cl
		dec	esi
		add	[edi+0], al
; 
		dw 0
; 

??_C@_1CI@KFCNFMPF@?$AAS?$AAE?$AAC?$AAU?$AAR?$AAI?$AAT?$AAY?$AA_?$AAD?$AAE?$AAS?$AAC?$AAR?$AAI@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B09Co
		push	ebx
		add	[ebp+0], al
		inc	ebx
		add	[ebp+0], dl
		push	edx
		add	[ecx+0], cl
		push	esp
		add	[ecx+0], bl
		pop	edi
		add	[eax+eax+45h], al
		add	[ebx+0], dl
		inc	ebx
		add	[edx+0], dl
		dec	ecx
		add	[eax+0], dl
		push	esp
		add	[edi+0], cl
		push	edx
; 
		db 3 dup(0)
; 

??_C@_1BI@CHLHLCJC@?$AAS?$AAT?$AAR?$AAI?$AAN?$AAG?$AA_?$AAL?$AAI?$AAS?$AAT@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B0ECo
		push	ebx
		add	[eax+eax+52h], dl
		add	[ecx+0], cl
		dec	esi
		add	[edi+0], al
		pop	edi
		add	[eax+eax+49h], cl
		add	[ebx+0], dl
		push	esp
; 
		db 3 dup(0)
; 

??_C@_1O@PCPBINCG@?$AAS?$AAT?$AAR?$AAI?$AAN?$AAG@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B095o
		push	ebx
		add	[eax+eax+52h], dl
		add	[ecx+0], cl
		dec	esi
		add	[edi+0], al
; 
		db 2 dup(0)
; 

??_C@_1BA@LFHENBNF@?$AAB?$AAO?$AAO?$AAL?$AAE?$AAA?$AAN@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B08Eo
		inc	edx
		add	[edi+0], cl
		dec	edi
		add	[eax+eax+45h], cl
		add	[ecx+0], al
		dec	esi
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BC@IFLNOMAG@?$AAF?$AAI?$AAL?$AAE?$AAT?$AAI?$AAM?$AAE@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B087o
		inc	esi
		add	[ecx+0], cl
		dec	esp
		add	[ebp+0], al
		push	esp
		add	[ecx+0], cl
		dec	ebp
		add	[ebp+0], al
; 
		dw 0
??_C@_19FFMGBAMO@?$AAD?$AAA?$AAT?$AAE@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B080o
		unicode	0, <DATE>,0
; 

??_C@_1BC@BHIHGHLA@?$AAC?$AAU?$AAR?$AAR?$AAE?$AAN?$AAC?$AAY@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B079o
		inc	ebx
		add	[ebp+0], dl
		push	edx
		add	[edx+0], dl
		inc	ebp
		add	[esi+0], cl
		inc	ebx
		add	[ecx+0], bl
; 
		dw 0
; 

??_C@_1BC@BABHGDAK@?$AA?$CI?$AA0?$AAx?$AA?$CF?$AA?4?$AA4?$AAx?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x)+2A2o
		sub	[eax], al
		xor	[eax], al
		js	short $+2
		and	eax, 34002E00h
		add	[eax+0], bh
		sub	[eax], eax
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1BC@NGHIGKIN@?$AA?$CI?$AA0?$AAx?$AA?$CF?$AA?4?$AA2?$AAx?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x)+254o
		sub	[eax], al
		xor	[eax], al
		js	short $+2
		and	eax, 32002E00h
		add	[eax+0], bh
		sub	[eax], eax
; 
		dw 0
; 

??_C@_1CA@DHJFKEDL@?$AAS?$AAT?$AAR?$AAI?$AAN?$AAG?$AA_?$AAI?$AAN?$AAD?$AAI?$AAR?$AAE?$AAC?$AAT@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B0C6o
		push	ebx
		add	[eax+eax+52h], dl
		add	[ecx+0], cl
		dec	esi
		add	[edi+0], al
		pop	edi
		add	[ecx+0], cl
		dec	esi
		add	[eax+eax+49h], al
		add	[edx+0], dl
		inc	ebp
		add	[ebx+0], al
		push	esp
; 
		db 3 dup(0)
; 

??_C@_1BC@GGNEPBCH@?$AAN?$AAT?$AAS?$AAT?$AAA?$AAT?$AAU?$AAS@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B0BFo
		dec	esi
		add	[eax+eax+53h], dl
		add	[eax+eax+41h], dl
		add	[eax+eax+55h], dl
		add	[ebx+0], dl
; 
		db 2 dup(0)
; 

??_C@_1M@BJACCECO@?$AAE?$AAR?$AAR?$AAO?$AAR@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B0B8o
		inc	ebp
		add	[edx+0], dl
		push	edx
		add	[edi+0], cl
		push	edx
; 
		db 0
		db 2 dup(0)
; 

??_C@_1O@LBFOCELB@?$AAB?$AAI?$AAN?$AAA?$AAR?$AAY@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B0CDo
		inc	edx
		add	[ecx+0], cl
		dec	esi
		add	[ecx+0], al
		push	edx
		add	[ecx+0], bl
; 
		dw 0
??_C@_1BI@GJGNKFIH@?$AAD?$AAE?$AAV?$AAP?$AAR?$AAO?$AAP?$AAT?$AAY?$AAP?$AAE@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B0B1o
		unicode	0, <DEVPROPTYPE>,0
??_C@_1BG@CNKBHCPN@?$AAD?$AAE?$AAV?$AAP?$AAR?$AAO?$AAP?$AAK?$AAE?$AAY@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x):loc_A3B0AAo
		unicode	0, <DEVPROPKEY>,0
; wchar_t ??_C
??_C@_19FIMGCOBE@?$AA?$FL?$AA?$CF?$AAs?$AA?$FN@NNGAKEGL@ db '[',0
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x)+3EBo
aS_2:
		unicode	0, <%s]>,0
??_C@_19KBOFCHEE@?$AA?$CI?$AA?$CF?$AAs?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x)+390o
		unicode	0, <(%s)>,0
; 

??_C@_1BA@LIFFHPCA@?$AA?$CI?$AAF?$AAA?$AAL?$AAS?$AAE?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x)+315o
		sub	[eax], al
		inc	esi
		add	[ecx+0], al
		dec	esp
		add	[ebx+0], dl
		inc	ebp
		add	[ecx], ch
; 
		db 0
		db 2 dup(0)
; 

??_C@_1O@MNIMFBBJ@?$AA?$CI?$AAT?$AAR?$AAU?$AAE?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x)+30Eo
		sub	[eax], al
		push	esp
		add	[edx+0], dl
		push	ebp
		add	[ebp+0], al
		sub	[eax], eax
; 
		dw 0
; wchar_t ??_C
??_C@_1GK@MCFCFGIP@?$AA?$CI?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4@NNGAKEGL@ dd offset loc_7B0027+1
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x)+4BEo
a08x04x04x02x02:
		unicode	0, <%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x})>,0
; 

??_C@_1O@MHNOFLPK@?$AA?$CI?$AA?$CF?$AA?4?$AA6?$AAe?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x)+304o
		sub	[eax], al
		and	eax, 36002E00h
		add	[ebp+0], ah
		sub	[eax], eax
; 
		dw 0
; wchar_t ??_C
??_C@_1BK@NDKFDMJO@?$AA?$CI?$AA0?$AAx?$AA?$CF?$AA?4?$AA1?$AA6?$AAI?$AA6?$AA4?$AAx?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x)+2CBo
		unicode	0, <(0x%.16I64x)>,0
; 

??_C@_1BC@EHLIHGEF@?$AA?$CI?$AA0?$AAx?$AA?$CF?$AA?4?$AA8?$AAx?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ConvertDevpropertyToString(x,x,x,x)+2B5o
		sub	[eax], al
		xor	[eax], al
		js	short $+2
		and	eax, 38002E00h
		add	[eax+0], bh
		sub	[eax], eax
; 
		dw 0
; 

??_C@_19DLOJGGMG@?$AA?$CI?$AA?$DN?$AA?$DN?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B71Eo
		sub	[eax], al
		cmp	eax, 29003D00h
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BC@IPPBMIKC@?$AA?$CI?$AAE?$AAx?$AAi?$AAs?$AAt?$AAs?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B717o
		sub	[eax], al
		inc	ebp
		add	[eax+0], bh
		imul	eax, [eax], 740073h
		jnb	short $+2
		sub	[eax], eax
; 
		dw 0
??_C@_1BM@LGOPPIEI@?$AA?$CI?$AAI?$AAG?$AAN?$AAO?$AAR?$AAE?$AA_?$AAC?$AAA?$AAS?$AAE?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x)+18Bo
		unicode	0, <(IGNORE_CASE)>,0
; 

??_C@_1M@KAPMNJJB@?$AA?$CI?$AAN?$AAO?$AAT?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x)+13Fo
		sub	[eax], al
		dec	esi
		add	[edi+0], cl
		push	esp
		add	[ecx], ch
; 
		db 3 dup(0)
??_C@_15JEEKIBPF@?$AA?$FL?$AA?$HL@NNGAKEGL@ dd offset loc_7B0059+2
					; DATA XREF: ExpressionConvertToString(x,x,x,x)+F0o
		db 2 dup(0)
; 

??_C@_19JOCCLNOL@?$AAN?$AAO?$AAT?$AA?$CI@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B593o
		dec	esi
		add	[edi+0], cl
		push	esp
		add	[eax], ch
; 
		db 3 dup(0)
; 

??_C@_17EOKANOPK@?$AAO?$AAR?$AA?$CI@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B59Ao
		dec	edi
		add	[edx+0], dl
		sub	[eax], al
; 
		dw 0
??_C@_19KAFFOEGD@?$AAA?$AAN?$AAD?$AA?$CI@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B5A1o
		unicode	0, <AND(>,0
; 

??_C@_1BI@EILENIFL@?$AA?$CI?$AAe?$AAn?$AAd?$AAs?$AA_?$AAw?$AAi?$AAt?$AAh?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B756o
		sub	[eax], al
		add	gs:[esi+0], ch
		add	fs:[ebx+0], dh
		pop	edi
		add	[edi+0], dh
		imul	eax, [eax], 680074h
		sub	[eax], eax
; 
		db 2 dup(0)
; 

??_C@_1BM@MPDDCFMI@?$AA?$CI?$AAb?$AAe?$AAg?$AAi?$AAn?$AAs?$AA_?$AAw?$AAi?$AAt?$AAh?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B74Fo
		sub	[eax], al
		bound	eax, [eax]
		add	gs:[edi+0], ah
		imul	eax, [eax], 73006Eh
		pop	edi
		add	[edi+0], dh
		imul	eax, [eax], 680074h
		sub	[eax], eax
; 
		db 2 dup(0)
; 

??_C@_17BBJEHEHL@?$AA?$CI?$AA?$HM?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B748o
		sub	[eax], al
		jl	short $+2
		sub	[eax], eax
; 
		db 2 dup(0)
; 

??_C@_17LMIBFPOK@?$AA?$CI?$AA?$CG?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B741o
		sub	[eax], al
		add	es:[ecx], ch
; 
		db 0
		db 2 dup(0)
; 

??_C@_19PHEDGGFI@?$AA?$CI?$AA?$DM?$AA?$DN?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B73Ao
		sub	[eax], al
		cmp	al, 0
		cmp	eax, 2900h
		add	[eax], ch	; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B733o
		add	[esi], bh
		add	large ds:2900h,	bh
		add	[eax], ch	; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B72Co
		add	[eax+eax], bh
		sub	[eax], eax
; 
		db 2 dup(0)
; 

??_C@_17FDAENPBM@?$AA?$CI?$AA?$DO?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B725o
		sub	[eax], al
		db	3Eh
		add	[ecx], ch
; 
		db 0
		db 2 dup(0)
; 

??_C@_13OHNMPHJM@?$AA?$FN@NNGAKEGL@:	; DATA XREF: ExpressionConvertToString(x,x,x,x)+309o
		pop	ebp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1CC@JBMFGBFB@?$AA?$CI?$AAa?$AAr?$AAr?$AAa?$AAy?$AA_?$AAc?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAs@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x)+266o
		sub	[eax], al
		popa
		add	[edx+0], dh
		jb	short $+2
		popa
		add	[ecx+0], bh
		pop	edi
		add	[ebx+0], ah
		outsd
		add	[esi+0], ch
		jz	short $+2
		popa
		add	[ecx+0], ch
		outsb
		add	[ebx+0], dh
		sub	[eax], eax
; 
		dw 0
; 

??_C@_1CA@EKNKOPMG@?$AA?$CI?$AAl?$AAi?$AAs?$AAt?$AA_?$AAc?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAs?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B764o
		sub	[eax], al
		insb
		add	[ecx+0], ch
		jnb	short $+2
		jz	short $+2
		pop	edi
		add	[ebx+0], ah
		outsd
		add	[esi+0], ch
		jz	short $+2
		popa
		add	[ecx+0], ch
		outsb
		add	[ebx+0], dh
		sub	[eax], eax
; 
		dw 0
??_C@_1BG@BGPLEOMO@?$AA?$CI?$AAc?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAs?$AA?$CJ@NNGAKEGL@:
					; DATA XREF: ExpressionConvertToString(x,x,x,x):loc_A3B75Do
		unicode	0, <(contains)>,0
; 

??_C@_1CA@PEJJNCFJ@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAa?$AAh?$AAc?$AAa?$AAc?$AAh?$AAe@NNGAKEGL@:
					; DATA XREF: NtApphelpCacheControl:loc_83A4A2o
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	[ecx+0], ah
		push	61006300h
		add	[ebx+0], ah
		push	6500h

loc_8C9A29:				; DATA XREF: ArbBuildAssignmentOrdering+117o
		add	[ecx+0], al
		insb
		add	[eax+eax+6Fh], ch
		add	[ebx+0], ah
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[edi+0], cl
		jb	short $+2
		add	fs:[ebp+0], ah
		jb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1HI@MHCMANAK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: ArbBuildAssignmentOrdering+C6o
					; ArbAddInaccessibleAllocationRange+3Fo ...
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ecx+0], al
		jb	short $+2
		bound	eax, [eax]
		imul	eax, [eax], 650074h
		jb	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_19OLEIDBPB@?$AAR?$AAO?$AAO?$AAT@NNGAKEGL@: ; DATA	XREF: ArbShareDriverExclusive+5Ao
					; ArbShareDriverExclusive+69466o
		push	edx
		add	[edi+0], cl
		dec	edi
		add	[eax+eax+0], dl
; 
		db 0
??_C@_1BM@MLHHFGPB@?$AAM?$AAm?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAR?$AAa?$AAn?$AAg?$AAe@NNGAKEGL@:
					; DATA XREF: ArbAddMmConfigRangeAsBootReserved+DDo
		unicode	0, <MmConfigRange>,0
??_C@_1CE@NKBPPJBA@?$AAI?$AAn?$AAa?$AAc?$AAc?$AAe?$AAs?$AAs?$AAi?$AAb?$AAl?$AAe?$AAR?$AAa?$AAn@NNGAKEGL@:
					; DATA XREF: ArbAddInaccessibleAllocationRange+89o
		unicode	0, <InaccessibleRange>,0
??_C@_1CE@MAKBJKNC@?$AAR?$AAe?$AAs?$AAe?$AAr?$AAv?$AAe?$AAd?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc@NNGAKEGL@:
					; DATA XREF: ArbBuildAssignmentOrdering+233o
					; ArbAddMmConfigRangeAsBootReserved+B3o
		unicode	0, <ReservedResources>,0
; 

??_C@_1DC@HBEOHGCL@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAL?$AAa?$AAs@NNGAKEGL@:
					; DATA XREF: NtEnableLastKnownGood()+25Fo
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		inc	edi
		add	[edi+0], ch
		outsd
		add	[eax+eax+2Eh], ah
		add	[eax+eax+6Dh], dl
		add	[eax+0], dh
; 
		db 2 dup(0)
; 

??_C@_1CK@BMHMHDCI@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAL?$AAa?$AAs@NNGAKEGL@:
					; DATA XREF: NtEnableLastKnownGood():loc_A3CA18o
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		inc	edi
		add	[edi+0], ch
		outsd
		add	[eax+eax+0], ah
; 
		db 0
; 

??_C@_1HI@JJAPFIHO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: NtEnableLastKnownGood():loc_A3C9CCo
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		dec	ebx
		add	[esi+0], ch
		outsd
		add	[edi+0], dh
		outsb
		add	[edi+0], al
		outsd
		add	[edi+0], ch
		add	fs:[edx+0], dl
		add	gs:[ebx+0], ah
		outsd
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jns	short $+2
		pop	esp
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		inc	edi
		add	[edi+0], ch
		outsd
		add	[eax+eax+2Eh], ah
		add	[eax+eax+6Dh], dl
		add	[eax+0], dh
; 
		dw 0
; 

??_C@_1HA@JIFMKPBK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: NtEnableLastKnownGood()+17Co
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		dec	ebx
		add	[esi+0], ch
		outsd
		add	[edi+0], dh
		outsb
		add	[edi+0], al
		outsd
		add	[edi+0], ch
		add	fs:[edx+0], dl
		add	gs:[ebx+0], ah
		outsd
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jns	short $+2
		pop	esp
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		inc	edi
		add	[edi+0], ch
		outsd
		add	[eax+eax+0], ah
		add	[eax+eax+69h], al ; DATA XREF: NtDisableLastKnownGood()+D4o
					; NtEnableLastKnownGood()+116o
		add	[ebx+0], dh
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		dec	esp
		add	[ebx+0], cl
		inc	edi
; 
		db 0
		db 2 dup(0)
; 

??_C@_1IG@EEKPLJNI@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: _RtlpMuiRegLoadInstalled+98o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebp+0], cl
		push	ebp
		add	[ecx+0], cl
		pop	esp
		add	[ebp+0], dl
		dec	ecx
		add	[eax+eax+61h], cl
		add	[esi+0], ch
		add	[di+0],	dh
		popa
		add	[edi+0], ah
		add	gs:[ebx+0], dh
; 
		dw 0
??_C@_1CA@EOGMNDBN@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AAF?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk@NNGAKEGL@:
					; DATA XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+9Eo
					; _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x):loc_A3E88Ao
		unicode	0, <DefaultFallback>,0
??_C@_1HG@DLPFCGIL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: RtlpLoadLanguageConfigList+36o
		unicode	0, <\Registry\Machine\Software\Policies\Microsoft\MUI\Setting>
		unicode	0, <s>,0
??_C@_1DA@LMPHJKLA@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@NNGAKEGL@ db 'I',0
					; DATA XREF: RtlpLoadInstallLanguageFallback+8Eo
aNstalllanguage:
		unicode	0, <nstallLanguageFallback>,0
; 

??_C@_1IA@LECPAJIF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@:
					; DATA XREF: RtlpLoadInstallLanguageFallback+6Eo
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[esi+0], cl
		dec	esp
		add	[ebx+0], dl
		pop	esp
		add	[eax+eax+61h], cl
		add	[esi+0], ch
		add	[di+0],	dh
		popa
		add	[edi+0], ah
		add	gs:[eax], al
		add	[edx], ch	; DATA XREF: sub_92BAF1+19o
		sub	ch, [edx]
		and	[edx+74h], dl
		insb
		jo	short loc_8C9EAC
		jnz	short near ptr loc_8C9EC9+1
		push	edx
		db	65h, 67h
		dec	esp
		outsd
		popa
		db	64h
		dec	esp
		imul	esp, [ebx+49h],	726F666Eh
		insd
		popa
		jz	short near ptr loc_8C9EDB+2
		outsd
		outsb
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	74697720h
		push	61747320h
		jz	short loc_8C9EFD
		jnb	short loc_8C9EAA
		and	eax, 45CC0078h	; DATA XREF: EtwpEventTracingCounterSetCallback(x,x,x)+3Bo
		add	[esi+0], dh
		add	gs:[esi+0], ch
		jz	short $+2
		push	esp
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 67006Eh
		inc	ebx
		add	[edi+0], ch

loc_8C9EAA:				; CODE XREF: PAGE:008C9E88j
		jnz	short $+2

loc_8C9EAC:				; CODE XREF: PAGE:008C9E5Dj
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		push	ebx
		add	[ebp+0], ah
		jz	short $+2
; 
		dw 0

;  S U B	R O U T	I N E 


; char ??_C
??_C@_0DC@NDBFJGLB@LKMDTEL?3?5WerLiveCancelReport?5fa@NNGAKEGL@	proc near
					; DATA XREF: LkmdTelCreateReport(x,x,x,x,x,x)+163o
		dec	esp
		dec	ebx
		dec	ebp
		inc	esp
		push	esp
		inc	ebp
		dec	esp
		cmp	ah, [eax]
		push	edi
		db	65h
		jb	short near ptr loc_8C9F14+1

loc_8C9EC9:				; CODE XREF: PAGE:008C9E5Fj
		imul	esi, [esi+65h],	636E6143h
		db	65h
		insb
		push	edx
		db	65h
		jo	short near ptr loc_8C9F41+4
		jb	short near ptr loc_8C9F4B+1
		and	[esi+61h], ah

loc_8C9EDB:				; CODE XREF: PAGE:008C9E72j
		imul	ebp, [ebp+64h],	7473202Ch
		popa
		jz	short near ptr loc_8C9F59+2
		jnb	short loc_8C9F08
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]
??_C@_0DC@NDBFJGLB@LKMDTEL?3?5WerLiveCancelReport?5fa@NNGAKEGL@	endp


;  S U B	R O U T	I N E 


; char ??_C
??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@ proc near
					; DATA XREF: LkmdTelCreateReport(x,x,x,x,x,x)+DDo
		dec	esp
		dec	ebx
		dec	ebp
		inc	esp
		push	esp
		inc	ebp
		dec	esp
		cmp	ah, [eax]
		push	edi
		db	65h
		jb	short loc_8C9F4B
		outsd
		insb

loc_8C9EFD:				; CODE XREF: PAGE:008C9E86j
		imul	esp, [ebx+79h],	20736920h
		push	edi
		db	65h
		jb	short loc_8C9F54

loc_8C9F08:				; CODE XREF: ??_C@_0DC@NDBFJGLB@LKMDTEL?3?5WerLiveCancelReport?5fa@NNGAKEGL@+2Aj
		imul	esi, [esi+65h],	6E72654Bh
		db	65h
		insb
		push	eax
		outsd
		insb

loc_8C9F14:				; CODE XREF: ??_C@_0DC@NDBFJGLB@LKMDTEL?3?5WerLiveCancelReport?5fa@NNGAKEGL@+Aj
		imul	esp, [ebx+79h],	75446F4Eh
		insd
		jo	short loc_8C9F4A
		and	[esi+6Fh], ch
		and	[ebp+esi*2+6Dh], ah
		jo	short near ptr loc_8C9F41+6
		imul	esi, [ebx+20h],	6F6C6C61h
		ja	short near ptr loc_8C9F92+3
		db	64h
		or	al, cs:[eax]

; char ??_C
??_C@_0DM@MDCGBJNP@LKMDTEL?3?5WerLiveKernelCreateRep@NNGAKEGL@:
					; DATA XREF: LkmdTelCreateReport(x,x,x,x,x,x)+C3o
		dec	esp
		dec	ebx
		dec	ebp
		inc	esp
		push	esp
		inc	ebp
		dec	esp
		cmp	ah, [eax]
		push	edi
		db	65h
		jb	short near ptr loc_8C9F8C+1

loc_8C9F41:				; CODE XREF: ??_C@_0DC@NDBFJGLB@LKMDTEL?3?5WerLiveCancelReport?5fa@NNGAKEGL@+17j
					; ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+37j
		imul	esi, [esi+65h],	6E72654Bh
		db	65h
		insb

loc_8C9F4A:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+2Ej
		inc	ebx

loc_8C9F4B:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+Aj
					; ??_C@_0DC@NDBFJGLB@LKMDTEL?3?5WerLiveCancelReport?5fa@NNGAKEGL@+1Aj
		jb	short loc_8C9FB2
		popa
		jz	short loc_8C9FB5
		push	edx
		db	65h
		jo	short loc_8C9FC3

loc_8C9F54:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+17j
		jb	short near ptr loc_8C9FC8+2
		and	[esi+61h], ah

loc_8C9F59:				; CODE XREF: ??_C@_0DC@NDBFJGLB@LKMDTEL?3?5WerLiveCancelReport?5fa@NNGAKEGL@+28j
		imul	ebp, [ebp+64h],	74697720h
		push	61747320h
		jz	short loc_8C9FDD
		jnb	short near ptr loc_8C9F84+6
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]

; char ??_C
??_C@_0EN@BDGICLBJ@LKMDTEL?3?5LkmdTelSubmitReport?3?5W@NNGAKEGL@:
					; DATA XREF: LkmdTelSubmitReport(x)+2Co
		dec	esp
		dec	ebx
		dec	ebp
		inc	esp
		push	esp
		inc	ebp
		dec	esp
		cmp	ah, [eax]
		dec	esp
		imul	ebp, [ebp+64h],	54h
		db	65h
		insb
		push	ebx
		jnz	short loc_8C9FE5
		insd

loc_8C9F84:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+7Aj
		imul	esi, [edx+edx*2+65h], 74726F70h

loc_8C9F8C:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+50j
		cmp	ah, [eax]
		push	edi
		db	65h
		jb	short near ptr loc_8C9FDD+1

loc_8C9F92:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+40j
		imul	esi, [esi+65h],	6E72654Bh
		db	65h
		insb
		push	ebx
		jnz	short near ptr loc_8C9FFF+1
		insd
		imul	esi, [edx+edx*2+65h], 74726F70h
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	7473202Ch

loc_8C9FB2:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@:loc_8C9F4Bj
		popa
		jz	short near ptr loc_8CA023+7

loc_8C9FB5:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+60j
		jnb	short near ptr loc_8C9FD2+5
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]
		int	3		; Trap to Debugger

??_C@_0EJ@KNFLKGLB@LKMDTEL?3?5LkmdTelSubmitReport?3?5L@NNGAKEGL@:
					; DATA XREF: LkmdTelSubmitReport(x)+13o
		dec	esp
		dec	ebx
		dec	ebp
		inc	esp
		push	esp

loc_8C9FC3:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+63j
		inc	ebp
		dec	esp
		cmp	ah, [eax]
		dec	esp

loc_8C9FC8:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@:loc_8C9F54j
		imul	ebp, [ebp+64h],	54h
		db	65h
		insb
		push	ebx
		jnz	short loc_8CA033
		insd

loc_8C9FD2:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@:loc_8C9FB5j
		imul	esi, [edx+edx*2+65h], 74726F70h
		cmp	ah, [eax]
		dec	esp

loc_8C9FDD:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+78j
					; ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+A1j
		imul	ebp, [ebp+64h],	54h
		db	65h
		insb
		jo	short loc_8CA03C

loc_8C9FE5:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+93j
		jb	short near ptr loc_8CA04F+1
		jz	short near ptr loc_8CA04D+1
		inc	esp
		jnz	short loc_8CA059
		jo	short near ptr loc_8CA033+1
		imul	ebp, [ebp+20h],	6C696166h
		db	65h, 64h
		sub	al, 20h
		jnb	short near ptr loc_8CA06C+4
		popa
		jz	short loc_8CA074

loc_8C9FFF:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+AEj
		jnb	short loc_8CA021
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0EP@JAKBNMKN@LKMDTEL?3?5LkmdTelpWriteDumpFile?3@NNGAKEGL@:
					; DATA XREF: LkmdTelpWriteDumpFile(x)+33o
		dec	esp
		dec	ebx
		dec	ebp
		inc	esp
		push	esp
		inc	ebp
		dec	esp
		cmp	ah, [eax]
		dec	esp
		imul	ebp, [ebp+64h],	54h
		db	65h
		insb
		jo	short near ptr loc_8CA06C+5
		jb	short loc_8CA085
		jz	short loc_8CA083
		inc	esp
		jnz	short near ptr loc_8CA08D+1

loc_8CA021:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@:loc_8C9FFFj
		jo	short loc_8CA069

loc_8CA023:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+C5j
		imul	ebp, [ebp+3Ah],	72655720h
		dec	esp
		imul	esi, [esi+65h],	6E72654Bh

loc_8CA033:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+E1j
					; ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+FEj
		db	65h
		insb
		dec	edi
		jo	short near ptr loc_8CA09C+1
		outsb
		inc	esp
		jnz	short loc_8CA0A9

loc_8CA03C:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+F5j
		jo	short loc_8CA084
		imul	ebp, [ebp+20h],	6C696166h
		db	65h, 64h
		sub	al, 20h
		jnb	short loc_8CA0C0
		popa

loc_8CA04D:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+F9j
		jz	short near ptr loc_8CA0C3+1

loc_8CA04F:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@:loc_8C9FE5j
		jnb	short near ptr loc_8CA06C+5
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0EM@FOEELLKM@LKMDTEL?3?5LkmdTelSubmitReport?3?5W@NNGAKEGL@:
					; DATA XREF: LkmdTelSubmitReport(x)+73o
		dec	esp

loc_8CA059:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+FCj
		dec	ebx
		dec	ebp
		inc	esp
		push	esp
		inc	ebp
		dec	esp
		cmp	ah, [eax]
		dec	esp
		imul	ebp, [ebp+64h],	54h
		db	65h
		insb
		push	ebx

loc_8CA069:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@:loc_8CA021j
		jnz	short loc_8CA0CD
		insd

loc_8CA06C:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+10Cj
					; ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+12Aj ...
		imul	esi, [edx+edx*2+65h], 74726F70h

loc_8CA074:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+10Fj
		cmp	ah, [eax]
		push	edi
		db	65h
		jb	short loc_8CA0C6
		imul	esi, [esi+65h],	6E72654Bh
		db	65h
		insb

loc_8CA083:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+12Ej
		inc	ebx

loc_8CA084:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@:loc_8CA03Cj
		insb

loc_8CA085:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+12Cj
		outsd
		jnb	short near ptr loc_8CA0EB+2
		dec	eax
		popa
		outsb
		db	64h
		insb

loc_8CA08D:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+131j
		and	gs:[esi+61h], ah
		imul	ebp, [ebp+64h],	7473202Ch
		popa
		jz	short loc_8CA111

loc_8CA09C:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+148j
		jnb	short near ptr loc_8CA0B8+6
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]
??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@ endp


;  S U B	R O U T	I N E 


; char ??_C
??_C@_0EN@BGMPLCFC@LKMDTEL?3?5LkmdTelSubmitReport?3?5W@NNGAKEGL@ proc near
					; DATA XREF: LkmdTelSubmitReport(x)+54o
		dec	esp
		dec	ebx
		dec	ebp
		inc	esp
		push	esp

loc_8CA0A9:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+14Cj
		inc	ebp
		dec	esp
		cmp	ah, [eax]
		dec	esp
		imul	ebp, [ebp+64h],	54h
		db	65h
		insb
		push	ebx
		jnz	short loc_8CA119
		insd

loc_8CA0B8:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@:loc_8CA09Cj
		imul	esi, [edx+edx*2+65h], 74726F70h

loc_8CA0C0:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+15Cj
		cmp	ah, [eax]
		push	edi

loc_8CA0C3:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@:loc_8CA04Dj
		db	65h
		jb	short near ptr loc_8CA111+1

loc_8CA0C6:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+189j
		imul	esi, [esi+65h],	6E72654Bh

loc_8CA0CD:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@:loc_8CA069j
		db	65h
		insb
		inc	ebx
		popa
		outsb
		arpl	[ebp+6Ch], sp
		push	edx
		db	65h
		jo	short near ptr loc_8CA147+1
		jb	short near ptr loc_8CA14E+1
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	7473202Ch
		popa
		jz	short near ptr loc_8CA15D+1
		jnb	short near ptr loc_8CA108+3

loc_8CA0EB:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+198j
		xor	[eax+25h], bh
		pop	eax
		or	al, [eax]
??_C@_0EN@BGMPLCFC@LKMDTEL?3?5LkmdTelSubmitReport?3?5W@NNGAKEGL@ endp

; START	OF FUNCTION CHUNK FOR ObpDeleteNameCheck

loc_8CA0F1:				; CODE XREF: ObpDeleteNameCheck+FEj
					; ObpDeleteNameCheck+112j
		lea	ecx, [esp+30h+var_18]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_8CA108:				; CODE XREF: ??_C@_0EN@BGMPLCFC@LKMDTEL?3?5LkmdTelSubmitReport?3?5W@NNGAKEGL@+45j
		push	[esp+30h+var_24]
		call	_ObDereferenceObject@4 ; ObDereferenceObject(x)

loc_8CA111:				; CODE XREF: ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@+1ACj
					; ??_C@_0EN@BGMPLCFC@LKMDTEL?3?5LkmdTelSubmitReport?3?5W@NNGAKEGL@:loc_8CA0C3j
		jmp	loc_748B80
; 

loc_8CA116:				; CODE XREF: ObpDeleteNameCheck+14Aj
		lea	ecx, [esi+18h]

loc_8CA119:				; CODE XREF: ??_C@_0EN@BGMPLCFC@LKMDTEL?3?5LkmdTelSubmitReport?3?5W@NNGAKEGL@+11j
		call	ObpDeleteSymbolicLinkName
		mov	ecx, [edi]
		jmp	loc_748C84
; 

loc_8CA125:				; CODE XREF: ObpDeleteNameCheck+177j
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	esi, [esp+30h+var_20]
		jmp	loc_748CAF
; 

loc_8CA135:				; CODE XREF: ObpDeleteNameCheck+1B0j
		mov	ecx, esi
		call	ObpMarkDirectoryObjectsTemporary

loc_8CA13C:				; CODE XREF: ObpDeleteNameCheck+181625j
		call	ObpRemovePendingDirectoryItem
		mov	edi, eax
		test	edi, edi
		jz	short loc_8CA157

loc_8CA147:				; CODE XREF: ??_C@_0EN@BGMPLCFC@LKMDTEL?3?5LkmdTelSubmitReport?3?5W@NNGAKEGL@+32j
		mov	ecx, edi
		call	ObpMarkDirectoryObjectsTemporary

loc_8CA14E:				; CODE XREF: ??_C@_0EN@BGMPLCFC@LKMDTEL?3?5LkmdTelSubmitReport?3?5W@NNGAKEGL@+35j
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	short loc_8CA13C
; 

loc_8CA157:				; CODE XREF: ObpDeleteNameCheck+181615j
		push	esi
		call	_ObDereferenceObject@4 ; ObDereferenceObject(x)

loc_8CA15D:				; CODE XREF: ??_C@_0EN@BGMPLCFC@LKMDTEL?3?5LkmdTelSubmitReport?3?5W@NNGAKEGL@+43j
		jmp	loc_748BBB
; END OF FUNCTION CHUNK	FOR ObpDeleteNameCheck
; 
; START	OF FUNCTION CHUNK FOR PsInvokeWin32Callout

loc_8CA162:				; CODE XREF: PsInvokeWin32Callout+32j
		sub	eax, 1
		jz	short loc_8CA171
		mov	eax, 0C000000Dh
		jmp	loc_777CD2
; 

loc_8CA171:				; CODE XREF: PsInvokeWin32Callout+1524BBj
		xor	ecx, ecx
		jmp	loc_777D08
; END OF FUNCTION CHUNK	FOR PsInvokeWin32Callout
; 
; START	OF FUNCTION CHUNK FOR IopWaitAndAcquireFileObjectLock

loc_8CA178:				; CODE XREF: IopWaitAndAcquireFileObjectLock+97j
		mov	eax, large fs:124h
		lea	edx, [ebp+var_C]
		push	1
		push	ecx
		push	ebx
		movsx	eax, byte ptr [eax+87h]
		mov	ecx, ebx
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+arg_0]
		push	eax
		call	KeSetEventBoostPriorityEx
		jmp	loc_7AE623
; END OF FUNCTION CHUNK	FOR IopWaitAndAcquireFileObjectLock
; 
; START	OF FUNCTION CHUNK FOR ObpReleaseHandleInfo

loc_8CA19F:				; CODE XREF: ObpReleaseHandleInfo+17j
		mov	esi, [edi+4]
		mov	edx, esi
		mov	ecx, [ebp+arg_0]
		and	edx, 0FFFFFFh
		lea	eax, [esi-1]
		xor	eax, esi
		mov	[ecx], edx
		and	eax, 0FFFFFFh
		xor	eax, esi
		jmp	loc_7B244A
; END OF FUNCTION CHUNK	FOR ObpReleaseHandleInfo

;  S U B	R O U T	I N E 


sub_8CA1C0	proc near		; DATA XREF: .text:006A3A7Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8CA1C0	endp


;  S U B	R O U T	I N E 


sub_8CA1CE	proc near		; DATA XREF: .text:006A3A80o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edi, edi
		jmp	loc_7C82FD
sub_8CA1CE	endp

; 
; START	OF FUNCTION CHUNK FOR CcMapDataCommon

loc_8CA1E2:				; CODE XREF: CcMapDataCommon+40j
		lea	eax, [esp+20h+var_8]
		push	eax
		push	[ebp+arg_C]
		lea	eax, [esp+28h+var_10]
		push	eax
		push	edi
		push	ebx
		push	1
		push	[ebp+arg_0]
		call	CcPinFileData
		test	al, al
		jnz	loc_7C9266
		inc	large dword ptr	fs:68Ch
		jmp	loc_7C9271
; END OF FUNCTION CHUNK	FOR CcMapDataCommon
; 
; START	OF FUNCTION CHUNK FOR CmpConstructNameWithStatus

loc_8CA20F:				; CODE XREF: CmpConstructNameWithStatus+49j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_805213
; 

loc_8CA220:				; CODE XREF: CmpConstructNameWithStatus+79j
		test	dword ptr [ebx+68h], 40000h
		jnz	loc_805290
		jmp	loc_805243
; END OF FUNCTION CHUNK	FOR CmpConstructNameWithStatus
; 
; START	OF FUNCTION CHUNK FOR CmpAcquireShutdownRundown

loc_8CA232:				; CODE XREF: CmpAcquireShutdownRundown+1Dj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_818C23
; END OF FUNCTION CHUNK	FOR CmpAcquireShutdownRundown

;  S U B	R O U T	I N E 


sub_8CA243	proc near		; CODE XREF: AlpcpExposeAttributes+45j
		push	ebx
		mov	edx, 40000000h
		mov	ecx, esi
		call	_AlpcpGetMessageAttributeOffset@8 ; AlpcpGetMessageAttributeOffset(x,x)
		mov	edx, [ebp+8]
		add	eax, edi
		push	eax
		call	@AlpcpExposeViewAttribute@16 ; AlpcpExposeViewAttribute(x,x,x,x)
		jmp	loc_8338CB
sub_8CA243	endp


;  S U B	R O U T	I N E 


sub_8CA260	proc near		; CODE XREF: AlpcpExposeAttributes+75j

arg_8		= dword	ptr  10h

		push	ebx
		mov	edx, 10000000h
		mov	ecx, esi
		call	_AlpcpGetMessageAttributeOffset@8 ; AlpcpGetMessageAttributeOffset(x,x)
		mov	edx, [ebp+8]
		add	eax, edi
		mov	ecx, [esp+arg_8]
		push	eax
		call	AlpcpExposeHandleAttribute
		jmp	loc_8338FB
sub_8CA260	endp

; 
; START	OF FUNCTION CHUNK FOR VrpCleanupNamespace

loc_8CA281:				; CODE XREF: VrpCleanupNamespace+21j
		mov	eax, [ebx+2Ch]
		test	eax, eax
		jz	short loc_8CA293
		push	72615452h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8CA293:				; CODE XREF: VrpCleanupNamespace+18FA16j
		push	6
		pop	ecx
		xor	eax, eax
		rep stosd
		jmp	loc_73A8C8
; END OF FUNCTION CHUNK	FOR VrpCleanupNamespace
; 
; START	OF FUNCTION CHUNK FOR VrpUnloadDifferencingHive

loc_8CA29F:				; CODE XREF: VrpUnloadDifferencingHive+22j
		mov	ebx, 0C0000034h
		jmp	loc_73AA1B
; 

loc_8CA2A9:				; CODE XREF: VrpUnloadDifferencingHive+6Ej
		test	cl, 4
		jnz	loc_73A984
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_73A984
; 

loc_8CA2BE:				; CODE XREF: VrpUnloadDifferencingHive+B0j
		push	1
		lea	eax, [ebp+var_1C]
		push	eax
		call	_ZwUnloadKey2@8	; ZwUnloadKey2(x,x)
		mov	ebx, eax
		jmp	loc_73A9C6
; 

loc_8CA2D0:				; CODE XREF: VrpUnloadDifferencingHive+CFj
		or	dword ptr [esi+1Ch], 1
		inc	dword ptr [esi+10h]
		cmp	dword ptr [esi+10h], 1
		ja	loc_73A9E5
		mov	ecx, esi
		call	_VrpReferenceDiffHiveEntryUnsafe@4 ; VrpReferenceDiffHiveEntryUnsafe(x)
		jmp	loc_73A9E5
; 

loc_8CA2ED:				; CODE XREF: VrpUnloadDifferencingHive+EBj
		test	al, 4
		jnz	loc_73AA01
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_73AA01
; END OF FUNCTION CHUNK	FOR VrpUnloadDifferencingHive
; 
; START	OF FUNCTION CHUNK FOR VrpDereferenceDiffHiveEntryUnsafe

loc_8CA301:				; CODE XREF: VrpDereferenceDiffHiveEntryUnsafe+Dj
		push	0Eh
		pop	ecx
		jz	short loc_8CA308
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8CA308:				; CODE XREF: VrpDereferenceDiffHiveEntryUnsafe+18F8DEj
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8CA30A:				; CODE XREF: VrpDereferenceDiffHiveEntry+13j
		mov	eax, esi
		lock cmpxchg [edi], edx
		mov	edx, eax
		cmp	edx, esi
		jz	short loc_8CA31E
		mov	esi, edx
		dec	edx
		jmp	loc_73AA5B
; 

loc_8CA31E:				; CODE XREF: VrpDereferenceDiffHiveEntryUnsafe+18F8EEj
		pop	edi
		pop	esi
		pop	ebx
		retn
; END OF FUNCTION CHUNK	FOR VrpDereferenceDiffHiveEntryUnsafe
; 
; START	OF FUNCTION CHUNK FOR VrpDereferenceDiffHiveEntryWithLock

loc_8CA322:				; CODE XREF: VrpDereferenceDiffHiveEntryWithLock+1Cj
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_73AB45
; END OF FUNCTION CHUNK	FOR VrpDereferenceDiffHiveEntryWithLock
; 
; START	OF FUNCTION CHUNK FOR VrpFindDiffHiveEntryForMountPointWithLock

loc_8CA32C:				; CODE XREF: VrpFindDiffHiveEntryForMountPointWithLock+F6j
					; VrpFindDiffHiveEntryForMountPointWithLock+18F73Bj
		mov	esi, [esi]
		test	esi, 1
		jnz	loc_73AD07
		mov	eax, [esi+4]
		and	eax, ecx
		cmp	ebx, eax
		jz	loc_73ACCC
		jmp	short loc_8CA32C
; END OF FUNCTION CHUNK	FOR VrpFindDiffHiveEntryForMountPointWithLock
; 
; START	OF FUNCTION CHUNK FOR VrpHandleIoctlUnloadDynamicallyLoadedHives

loc_8CA349:				; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+19j
		mov	esi, 0C000000Dh
		jmp	loc_73AE29
; 

loc_8CA353:				; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+6Cj
		mov	esi, 0C000000Dh
		jmp	loc_73AE18
; 

loc_8CA35D:				; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+86j
		cmp	esi, 0C0000225h
		jnz	loc_73AE18
		mov	esi, ebx
		jmp	loc_73AE18
; 

loc_8CA370:				; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+99j
		mov	ecx, edi
		mov	esi, 0C0000056h
		call	VrpUnlockJobContextExclusive
		jmp	loc_73AE18
; 

loc_8CA381:				; CODE XREF: VrpHandleIoctlUnloadDynamicallyLoadedHives+D9j
		and	[ebp+var_20], 0
		add	eax, 0Ch
		and	[ebp+var_14], 0
		and	[ebp+var_10], 0
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	1
		push	eax
		mov	[ebp+var_24], 18h
		mov	[ebp+var_18], 240h
		call	_ZwUnloadKey2@8	; ZwUnloadKey2(x,x)
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	VrpDestroyNamespaceNode
		mov	esi, [edi+20h]
		jmp	loc_73AE04
; END OF FUNCTION CHUNK	FOR VrpHandleIoctlUnloadDynamicallyLoadedHives
; 
; START	OF FUNCTION CHUNK FOR VrpAddNamespaceNodeToList

loc_8CA3BE:				; CODE XREF: VrpAddNamespaceNodeToList+23j
		mov	eax, 0C0000035h
		jmp	loc_73AF03
; 

loc_8CA3C8:				; CODE XREF: VrpAddNamespaceNodeToList+3Dj
		cmp	ebx, ecx
		jb	loc_8CA4C2
		lea	edx, [ebx+1]
		cmp	edx, ecx
		jbe	loc_8CA571
		mov	eax, [esi+28h]
		dec	eax
		lea	ebx, [eax+edx]
		mov	[ebp+var_18], ebx
		cmp	ebx, edx
		mov	ebx, [ebp+var_C]
		jb	loc_73AECC
		mov	edx, [esi+1Ch]
		not	eax
		and	eax, [ebp+var_18]
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		mov	[ebp+var_14], eax
		mov	eax, ecx
		mov	[ebp+var_18], edx
		lea	ecx, [ebp+var_8]
		mul	edx
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_8CA45B
		mov	eax, [ebp+var_18]
		lea	ecx, [ebp+var_4]
		mul	[ebp+var_14]
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_8CA45B
		mov	eax, [esi+2Ch]
		mov	[ebp+var_10], eax
		push	72615452h
		push	[ebp+var_4]
		push	1
		test	eax, eax
		jnz	short loc_8CA45F
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8CA4B2
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_8CA4A1
; 

loc_8CA45B:				; CODE XREF: VrpAddNamespaceNodeToList+18F5E4j
					; VrpAddNamespaceNodeToList+18F5F8j
		mov	eax, edi
		jmp	short loc_8CA4BA
; 

loc_8CA45F:				; CODE XREF: VrpAddNamespaceNodeToList+18F60Cj
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8CA4B2
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		test	ebx, ebx
		jz	short loc_8CA4B2
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+var_4]
		jb	short loc_8CA487
		mov	eax, [ebp+var_4]

loc_8CA487:				; CODE XREF: VrpAddNamespaceNodeToList+18F650j
		push	eax		; size_t
		push	[ebp+var_10]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	72615452h
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8CA4A1:				; CODE XREF: VrpAddNamespaceNodeToList+18F627j
		test	ebx, ebx
		jz	short loc_8CA4B2
		mov	eax, [ebp+var_14]
		mov	[esi+24h], eax
		xor	eax, eax
		mov	[esi+2Ch], ebx
		jmp	short loc_8CA4B7
; 

loc_8CA4B2:				; CODE XREF: VrpAddNamespaceNodeToList+18F617j
					; VrpAddNamespaceNodeToList+18F636j ...
		mov	eax, 8007000Eh

loc_8CA4B7:				; CODE XREF: VrpAddNamespaceNodeToList+18F67Ej
		mov	ebx, [ebp+var_C]

loc_8CA4BA:				; CODE XREF: VrpAddNamespaceNodeToList+18F62Bj
		test	eax, eax
		jnz	loc_73AF03

loc_8CA4C2:				; CODE XREF: VrpAddNamespaceNodeToList+18F598j
		mov	eax, [esi+1Ch]
		lea	ecx, [ebp+var_14]
		and	[ebp+var_14], 0
		mul	ebx
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	loc_73AECC
		mov	ecx, [esi+2Ch]
		mov	eax, [ebp+var_14]
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_73AECC
		mov	ecx, [ebp+var_1C]
		mov	[eax], ecx
		jmp	loc_73AEFE
; 

loc_8CA4F7:				; CODE XREF: VrpAddNamespaceNodeToList+45j
		inc	ebx
		cmp	ebx, ecx
		jbe	short loc_8CA571
		mov	eax, [esi+28h]
		dec	eax
		lea	edx, [eax+ebx]
		cmp	edx, ebx
		jb	loc_73AECC
		mov	ebx, [esi+1Ch]
		not	eax
		and	[ebp+var_14], 0
		and	eax, edx
		and	[ebp+var_4], 0
		mov	[ebp+var_C], eax
		mov	eax, ecx
		mul	ebx
		lea	ecx, [ebp+var_14]
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_8CA57B
		mov	eax, ebx
		lea	ecx, [ebp+var_4]
		mul	[ebp+var_C]
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_8CA57B
		mov	eax, [esi+2Ch]
		mov	[ebp+var_10], eax
		push	72615452h
		push	[ebp+var_4]
		push	1
		test	eax, eax
		jnz	short loc_8CA57F
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8CA5D2
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_8CA5C1
; 

loc_8CA571:				; CODE XREF: VrpAddNamespaceNodeToList+18F5A3j
					; VrpAddNamespaceNodeToList+18F6C8j
		mov	eax, 80070057h
		jmp	loc_73AF03
; 

loc_8CA57B:				; CODE XREF: VrpAddNamespaceNodeToList+18F6FBj
					; VrpAddNamespaceNodeToList+18F70Ej
		mov	eax, edi
		jmp	short loc_8CA5D7
; 

loc_8CA57F:				; CODE XREF: VrpAddNamespaceNodeToList+18F722j
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8CA5D2
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		test	ebx, ebx
		jz	short loc_8CA5D2
		mov	eax, [ebp+var_14]
		cmp	eax, [ebp+var_4]
		jb	short loc_8CA5A7
		mov	eax, [ebp+var_4]

loc_8CA5A7:				; CODE XREF: VrpAddNamespaceNodeToList+18F770j
		push	eax		; size_t
		push	[ebp+var_10]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	72615452h
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8CA5C1:				; CODE XREF: VrpAddNamespaceNodeToList+18F73Dj
		test	ebx, ebx
		jz	short loc_8CA5D2
		mov	eax, [ebp+var_C]
		mov	[esi+24h], eax
		xor	eax, eax
		mov	[esi+2Ch], ebx
		jmp	short loc_8CA5D7
; 

loc_8CA5D2:				; CODE XREF: VrpAddNamespaceNodeToList+18F72Dj
					; VrpAddNamespaceNodeToList+18F756j ...
		mov	eax, 8007000Eh

loc_8CA5D7:				; CODE XREF: VrpAddNamespaceNodeToList+18F74Bj
					; VrpAddNamespaceNodeToList+18F79Ej
		test	eax, eax
		jnz	loc_73AF03
		jmp	loc_73AE7D
; END OF FUNCTION CHUNK	FOR VrpAddNamespaceNodeToList
; 
; START	OF FUNCTION CHUNK FOR VrpIoctlDeviceDispatch

loc_8CA5E4:				; CODE XREF: VrpIoctlDeviceDispatch+45j
		cmp	_VrpAllowContainerNesting, 0
		jnz	loc_73AF53
		cmp	dword_6B2370, 2
		mov	edi, 0C0000010h
		jbe	loc_73AFAB
		and	[esp+68h+var_14], 0
		lea	eax, [esp+68h+var_5C]
		and	[esp+68h+var_C], 0
		mov	[esp+68h+var_18], eax
		lea	eax, [esp+68h+var_38]
		push	eax
		push	3
		push	0
		lea	eax, [esp+74h+var_58]
		mov	[esp+74h+var_5C], esi
		push	eax
		push	offset loc_41B095
		push	offset dword_6B2370
		mov	[esp+80h+var_10], 4
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_73AFAB
; 

loc_8CA643:				; CODE XREF: VrpIoctlDeviceDispatch+61j
		and	[esp+68h+var_14], 0
		lea	eax, [esp+68h+var_5C]
		and	[esp+68h+var_C], 0
		mov	[esp+68h+var_18], eax
		lea	eax, [esp+68h+var_38]
		push	eax
		push	3
		lea	eax, [esp+70h+var_48]
		mov	[esp+70h+var_5C], esi
		push	eax
		lea	eax, [esp+74h+var_58]
		mov	[esp+74h+var_10], ecx
		push	eax
		push	offset loc_41B049
		push	offset dword_6B2370
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	eax, dword_6B2370
		push	4
		pop	ecx
		jmp	loc_73AF6F
; 

loc_8CA68A:				; CODE XREF: VrpIoctlDeviceDispatch+88j
		sub	esi, ecx
		jnz	short loc_8CA6E6
		movzx	eax, byte ptr [ebx+20h]
		sub	esp, 0Ch
		mov	edx, [edi+8]
		mov	ecx, [ebx+0Ch]
		push	eax
		call	_VrpHandleIoctlModifyFlags@24 ;	VrpHandleIoctlModifyFlags(x,x,x,x,x,x)
		jmp	loc_73AFA9
; 

loc_8CA6A6:				; CODE XREF: VrpIoctlDeviceDispatch+74j
		movzx	eax, byte ptr [ebx+20h]
		sub	esp, 0Ch
		mov	edx, [edi+8]
		mov	ecx, [ebx+0Ch]
		push	eax
		call	_VrpHandleIoctlCreateMultipleNamespaceNodes@24 ; VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)
		jmp	loc_73AFA9
; 

loc_8CA6BE:				; CODE XREF: VrpIoctlDeviceDispatch+104j
		sub	esi, ecx
		jz	loc_8CA747
		sub	esi, ecx
		jz	short loc_8CA72F
		sub	esi, ecx
		jnz	short loc_8CA6E6
		movzx	eax, byte ptr [ebx+20h]
		sub	esp, 0Ch
		mov	edx, [edi+8]
		mov	ecx, [ebx+0Ch]
		push	eax
		call	_VrpHandleIoctlUnloadDifferencingHiveForHost@24	; VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)
		jmp	loc_73AFA9
; 

loc_8CA6E6:				; CODE XREF: VrpIoctlDeviceDispatch+18F784j
					; VrpIoctlDeviceDispatch+18F7C4j
		cmp	eax, 2
		jbe	short loc_8CA725
		mov	eax, [edi+0Ch]
		and	[esp+68h+var_14], 0
		and	[esp+68h+var_C], 0
		mov	[esp+68h+var_5C], eax
		lea	eax, [esp+68h+var_5C]
		mov	[esp+68h+var_18], eax
		lea	eax, [esp+68h+var_38]
		push	eax
		push	3
		push	0
		lea	eax, [esp+74h+var_58]
		mov	[esp+74h+var_10], ecx
		push	eax
		push	offset loc_41B01D
		push	offset dword_6B2370
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_8CA725:				; CODE XREF: VrpIoctlDeviceDispatch+18F7E1j
		mov	edi, 0C0000010h
		jmp	loc_73AFAB
; 

loc_8CA72F:				; CODE XREF: VrpIoctlDeviceDispatch+18F7C0j
		movzx	eax, byte ptr [ebx+20h]
		sub	esp, 0Ch
		mov	edx, [edi+8]
		mov	ecx, [ebx+0Ch]
		push	eax
		call	_VrpHandleIoctlLoadDifferencingHiveForHost@24 ;	VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)
		jmp	loc_73AFA9
; 

loc_8CA747:				; CODE XREF: VrpIoctlDeviceDispatch+18F7B8j
		mov	ecx, [ebx+0Ch]
		lea	eax, [ebx+1Ch]
		mov	edx, [edi+8]
		push	eax
		movzx	eax, byte ptr [ebx+20h]
		push	ecx
		push	ecx
		push	eax
		call	_VrpHandleIoctlGetVirtualRootKey@24 ; VrpHandleIoctlGetVirtualRootKey(x,x,x,x,x,x)
		jmp	loc_73AFA9
; 

loc_8CA762:				; CODE XREF: VrpIoctlDeviceDispatch+B8j
		and	[esp+68h+var_14], 0
		lea	eax, [esp+68h+var_5C]
		and	[esp+68h+var_C], 0
		mov	[esp+68h+var_18], eax
		lea	eax, [esp+68h+var_38]
		push	eax
		push	3
		push	0
		lea	eax, [esp+74h+var_58]
		mov	[esp+74h+var_5C], edi
		push	eax
		push	offset loc_41B06E
		push	offset dword_6B2370
		mov	[esp+80h+var_10], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_73AFC6
; END OF FUNCTION CHUNK	FOR VrpIoctlDeviceDispatch
; 
; START	OF FUNCTION CHUNK FOR VrpDestroyNamespaceNode

loc_8CA79E:				; CODE XREF: VrpDestroyNamespaceNode+159j
		mov	eax, ecx
		shr	eax, 2
		cmp	edx, eax
		jnb	loc_73B0D9
		and	[ebp+var_18], 0
		mov	eax, ecx
		and	[ebp+var_4], 0
		shr	eax, 1
		mov	[ebp+var_10], eax
		mov	eax, ecx
		mul	edi
		lea	ecx, [ebp+var_18]
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	loc_73B0D9
		mov	eax, edi
		lea	ecx, [ebp+var_4]
		mul	[ebp+var_10]
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	loc_73B0D9
		mov	eax, [esi+2Ch]
		mov	[ebp+var_14], eax
		push	72615452h
		push	[ebp+var_4]
		push	[ebp+var_8]
		test	eax, eax
		jnz	short loc_8CA81B
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_73B0D9
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_8CA865
; 

loc_8CA81B:				; CODE XREF: VrpDestroyNamespaceNode+18F7D2j
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_73B0D9
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		test	edi, edi
		jz	loc_73B0D9
		mov	eax, [ebp+var_18]
		cmp	eax, [ebp+var_4]
		jb	short loc_8CA84B
		mov	eax, [ebp+var_4]

loc_8CA84B:				; CODE XREF: VrpDestroyNamespaceNode+18F81Ej
		push	eax		; size_t
		push	[ebp+var_14]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	72615452h
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8CA865:				; CODE XREF: VrpDestroyNamespaceNode+18F7F1j
		test	edi, edi
		jz	loc_73B0D9
		mov	eax, [ebp+var_10]
		mov	[esi+2Ch], edi
		mov	[esi+24h], eax
		jmp	loc_73B0D9
; 

loc_8CA87B:				; CODE XREF: VrpDestroyNamespaceNode+C0j
		lea	eax, [ebx+14h]
		mov	[ebp+var_34], 18h
		mov	[ebp+var_2C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_34]
		mov	[ebp+var_8], ecx
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_8]
		mov	[ebp+var_30], ecx
		push	eax
		mov	[ebp+var_28], 240h
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_73B0EE
		push	[ebp+var_8]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_73B0EE
; 

loc_8CA8CC:				; CODE XREF: VrpDestroyNamespaceNode+D0j
		push	esi
		push	eax
		call	ObDereferenceObjectDeferDeleteWithTag
		jmp	loc_73B0FE
; END OF FUNCTION CHUNK	FOR VrpDestroyNamespaceNode
; 
; START	OF FUNCTION CHUNK FOR VrpCreateNamespaceNode

loc_8CA8D8:				; CODE XREF: VrpCreateNamespaceNode+29j
		mov	esi, 0C0000056h
		jmp	loc_73B2F8
; 

loc_8CA8E2:				; CODE XREF: VrpCreateNamespaceNode+3Aj
					; VrpCreateNamespaceNode+6Fj
		mov	esi, 0C000000Dh
		jmp	loc_73B2F8
; 

loc_8CA8EC:				; CODE XREF: VrpCreateNamespaceNode+95j
		mov	esi, 0C000009Ah
		jmp	loc_73B2F8
; 

loc_8CA8F6:				; CODE XREF: VrpCreateNamespaceNode+CFj
					; VrpCreateNamespaceNode+10Aj
		mov	esi, 0C000009Ah

loc_8CA8FB:				; CODE XREF: VrpCreateNamespaceNode+1EBj
					; VrpCreateNamespaceNode+1F5j
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_8CA90D
		push	67655256h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8CA90D:				; CODE XREF: VrpCreateNamespaceNode+18F774j
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	short loc_8CA91F
		push	67655256h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8CA91F:				; CODE XREF: VrpCreateNamespaceNode+18F786j
		mov	eax, [ebx+18h]
		test	eax, eax
		jz	short loc_8CA931
		push	67655256h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8CA931:				; CODE XREF: VrpCreateNamespaceNode+18F798j
		push	67655256h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_73B2F8
; 

loc_8CA941:				; CODE XREF: VrpCreateNamespaceNode+15Cj
		mov	edx, 67655256h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		jmp	loc_73B2EE
; END OF FUNCTION CHUNK	FOR VrpCreateNamespaceNode

;  S U B	R O U T	I N E 


sub_8CA952	proc near		; DATA XREF: .text:006A00D4o
		mov	edx, [ebp-24h]
		mov	ecx, [ebp-14h]
		call	_CmpCallbackFatalFilter@8 ; CmpCallbackFatalFilter(x,x)

loc_8CA95D:				; DATA XREF: .text:006A00D8o
		mov	esp, [ebp-18h]
		jmp	loc_73BC3F
sub_8CA952	endp

; 
; START	OF FUNCTION CHUNK FOR VrpRegistryCallback

loc_8CA965:				; CODE XREF: VrpRegistryCallback+1C7j
		mov	eax, [esp+30h+var_20]
		mov	eax, [eax]
		mov	[esp+30h+var_20], eax
		cmp	eax, ebx
		jnz	loc_73BE12
		xor	ecx, ecx
		jmp	loc_73BD08
; 

loc_8CA97E:				; CODE XREF: VrpRegistryCallback+FCj
					; DATA XREF: PAGE:0073BE84o
		mov	ecx, edi
		call	_VrpPreQueryKeyName@8 ;	VrpPreQueryKeyName(x,x)
		jmp	loc_73BCDE
; 

loc_8CA98A:				; CODE XREF: VrpRegistryCallback+FCj
					; DATA XREF: PAGE:0073BE74o
		mov	edx, ebx
		mov	ecx, edi
		call	_VrpPreLoadKey@8 ; VrpPreLoadKey(x,x)
		jmp	loc_73BCDE
; 

loc_8CA998:				; CODE XREF: VrpRegistryCallback+FCj
					; DATA XREF: PAGE:0073BE78o
		mov	edx, ebx
		mov	ecx, edi
		call	_VrpPreUnloadKey@8 ; VrpPreUnloadKey(x,x)
		jmp	loc_73BCDE
; 

loc_8CA9A6:				; CODE XREF: VrpRegistryCallback+FCj
					; DATA XREF: PAGE:0073BE7Co
		mov	edx, ebx
		mov	ecx, edi
		call	_VrpPostUnloadKey@8 ; VrpPostUnloadKey(x,x)
		jmp	loc_73BCDE
; 

loc_8CA9B4:				; CODE XREF: VrpRegistryCallback+FCj
					; DATA XREF: PAGE:0073BE70o
		mov	edx, ebx
		call	_VrpPreFlushKey@8 ; VrpPreFlushKey(x,x)
		jmp	loc_73BCDE
; END OF FUNCTION CHUNK	FOR VrpRegistryCallback
; 
; START	OF FUNCTION CHUNK FOR VrpGetContextsForNotifyInfo

loc_8CA9C0:				; CODE XREF: VrpGetContextsForNotifyInfo+8j
					; VrpGetContextsForNotifyInfo+15j
					; DATA XREF: ...
		xor	ecx, ecx
		xor	edx, edx
		jmp	loc_73BEE2
; END OF FUNCTION CHUNK	FOR VrpGetContextsForNotifyInfo
; 
; START	OF FUNCTION CHUNK FOR VrpTranslatePath

loc_8CA9C9:				; CODE XREF: VrpTranslatePath+F0j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_73C8FA
; 

loc_8CA9D6:				; CODE XREF: VrpTranslatePath+15Aj
		mov	edx, 67655256h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		push	11h
		xor	edx, edx
		lea	ebx, [edi+10h]
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_8CA9FA
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8CA9FA:				; CODE XREF: VrpTranslatePath+18E1EDj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	edi, [ebp+var_1C]
		jz	short loc_8CAA1E
		mov	edx, 67655256h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_8CAA1E:				; CODE XREF: VrpTranslatePath+18E20Cj
		mov	edi, esi
		xor	ebx, ebx
		jmp	loc_73C855
; 

loc_8CAA27:				; CODE XREF: VrpTranslatePath+7Ej
		mov	esi, 0C0000034h
		jmp	loc_73CA82
; 

loc_8CAA31:				; CODE XREF: VrpTranslatePath+2A9j
		mov	edx, 67655256h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		jmp	loc_73CAB3
; 

loc_8CAA42:				; CODE XREF: VrpTranslatePath+2B4j
		mov	ecx, [ebp+arg_4]
		cmp	eax, [ecx+4]
		jz	loc_73CABE
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_73CABE
; END OF FUNCTION CHUNK	FOR VrpTranslatePath
; 
; START	OF FUNCTION CHUNK FOR VrpFindNamespaceNode

loc_8CAA5B:				; CODE XREF: VrpFindNamespaceNode+3Bj
					; VrpFindNamespaceNode+4Ej
		xor	edx, edx
		jmp	loc_73CB58
; END OF FUNCTION CHUNK	FOR VrpFindNamespaceNode
; 
; START	OF FUNCTION CHUNK FOR CmSetCallbackObjectContext

loc_8CAA62:				; CODE XREF: CmSetCallbackObjectContext+76j
		mov	eax, [ecx]
		mov	[ebp+var_8], eax
		mov	eax, [ecx+4]
		mov	[ebp+arg_C], eax

loc_8CAA6D:				; CODE XREF: CmSetCallbackObjectContext+18DBEEj
		mov	edx, [ebx+10h]
		mov	eax, [ebx+14h]
		cmp	edx, [ebp+var_8]
		jnz	short loc_8CAA95
		cmp	eax, [ebp+arg_C]
		jnz	short loc_8CAA95
		mov	ecx, [ebp+arg_8]
		lea	eax, [ebx+20h]
		xchg	ecx, [eax]
		test	esi, esi
		jz	short loc_8CAA8B
		mov	[esi], ecx

loc_8CAA8B:				; CODE XREF: CmSetCallbackObjectContext+18DBC7j
		mov	ecx, [ebp+arg_4]
		xor	edi, edi
		jmp	loc_73CF3C
; 

loc_8CAA95:				; CODE XREF: CmSetCallbackObjectContext+18DBB6j
					; CmSetCallbackObjectContext+18DBBBj
		cmp	eax, [ebp+arg_C]
		jl	loc_73CF3C
		jg	short loc_8CAAA9
		cmp	edx, [ebp+var_8]
		jb	loc_73CF3C

loc_8CAAA9:				; CODE XREF: CmSetCallbackObjectContext+18DBDEj
		mov	ebx, [ebx]
		cmp	ebx, [ebp+var_C]
		jnz	short loc_8CAA6D
		jmp	loc_73CF3C
; 

loc_8CAAB5:				; CODE XREF: CmSetCallbackObjectContext+D4j
		mov	edi, 0C000009Ah
		jmp	loc_73CFEA
; 

loc_8CAABF:				; CODE XREF: CmSetCallbackObjectContext+BAj
		mov	edi, 0C00000F0h
		jmp	loc_73CFEA
; 

loc_8CAAC9:				; CODE XREF: CmSetCallbackObjectContext+18j
					; CmSetCallbackObjectContext+24j
		mov	eax, 0C00000EFh
		jmp	loc_73D01D
; END OF FUNCTION CHUNK	FOR CmSetCallbackObjectContext

;  S U B	R O U T	I N E 


sub_8CAAD3	proc near		; CODE XREF: VRegEnabledInJob+17j
		push	ebx
		push	_VrpSiloContextSlot
		push	esi
		call	PsGetPermanentSiloContext
		test	eax, eax
		jns	short loc_8CAAFE
		test	esi, esi
		jz	loc_73D0C5
		mov	ecx, [esi+244h]
		call	_PspGetJobSilo@4 ; PspGetJobSilo(x)
		mov	esi, eax
		jmp	loc_73D0C5
; 

loc_8CAAFE:				; CODE XREF: sub_8CAAD3+Fj
		xor	eax, eax
		inc	eax
		jmp	loc_73D0CF
sub_8CAAD3	endp

; 
; START	OF FUNCTION CHUNK FOR VrpPostQueryKey

loc_8CAB06:				; CODE XREF: VrpPostQueryKey+56j
		cmp	esi, 0C0000023h
		jz	loc_73D130
		cmp	esi, 80000005h
		jnz	loc_73D27A
		jmp	loc_73D130
; 

loc_8CAB23:				; CODE XREF: VrpPostQueryKey+1B8j
		cmp	eax, 1
		jz	loc_73D140
		cmp	eax, 8
		jz	loc_73D140
		jmp	loc_73D27A
; 

loc_8CAB3A:				; CODE XREF: VrpPostQueryKey+73j
		lea	ecx, [edi+10h]
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_34], edx
		mov	[ebp+var_38], eax
		mov	[ebp+var_30], 4
		mov	[ebp+var_2C], edx
		cmp	[edi+14h], edx
		jnz	short loc_8CAB63
		mov	ecx, (offset loc_403A20+4)

loc_8CAB63:				; CODE XREF: VrpPostQueryKey+18DA88j
		lea	eax, [ebp+var_10]
		mov	[ebp+var_24], edx
		mov	[ebp+var_28], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_18], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	edx
		lea	eax, [ebp+var_78]
		mov	[ebp+var_20], 2
		push	eax
		push	offset byte_41B1D5
		push	offset dword_6B2370
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	cl, [ebp+var_79]
		jmp	loc_73D14D
; 

loc_8CABAA:				; CODE XREF: VrpPostQueryKey+124j
		cmp	esi, 80000005h
		jz	loc_73D1FE
		cmp	esi, 0C0000023h
		jnz	loc_73D27A
		jmp	loc_73D1FE
; 

loc_8CABC7:				; CODE XREF: VrpPostQueryKey+16Dj
		xor	edx, edx
		lea	ecx, [edi+10h]
		cmp	[edi+14h], edx
		jnz	short loc_8CABD6
		mov	ecx, (offset loc_403A20+4)

loc_8CABD6:				; CODE XREF: VrpPostQueryKey+18DAFBj
		lea	eax, [ebp+var_30]
		mov	[ebp+var_44], edx
		mov	[ebp+var_48], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_38], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_30], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_88]
		push	4
		pop	ecx
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	6
		push	edx
		lea	eax, [ebp+var_78]
		mov	[ebp+var_40], 2
		push	eax
		push	offset loc_41B393
		push	offset dword_6B2370
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_73D27A
; 

loc_8CAC56:				; CODE XREF: VrpPostQueryKey+A1j
					; VrpPostQueryKey+BDj ...
		cmp	esi, 0C0000503h
		jz	loc_73D247
		push	2
		pop	ebx
		cmp	dword_6B2370, ebx
		jbe	loc_73D247
		xor	edx, edx
		lea	ecx, [edi+10h]
		cmp	[edi+14h], edx
		jnz	short loc_8CAC80
		mov	ecx, (offset loc_403A20+4)

loc_8CAC80:				; CODE XREF: VrpPostQueryKey+18DBA5j
		lea	eax, [ebp+var_20]
		mov	[ebp+var_34], edx
		mov	[ebp+var_38], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_28], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	edx
		lea	eax, [ebp+var_78]
		mov	[ebp+var_30], ebx
		push	eax
		push	offset loc_41B337
		push	offset dword_6B2370
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_8C], esi
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_73D247
; END OF FUNCTION CHUNK	FOR VrpPostQueryKey

;  S U B	R O U T	I N E 


sub_8CACDC	proc near		; DATA XREF: .text:006A00F4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8CACDC	endp


;  S U B	R O U T	I N E 


sub_8CACEA	proc near		; DATA XREF: .text:006A00F8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-1Ch]
		jmp	loc_73D2BD
sub_8CACEA	endp

; 
; START	OF FUNCTION CHUNK FOR VrpHandleIoctlCreateNamespaceNode

loc_8CACF5:				; CODE XREF: VrpHandleIoctlCreateNamespaceNode+3Dj
					; VrpHandleIoctlCreateNamespaceNode+5Fj ...
		mov	esi, 0C000000Dh
		jmp	loc_73D785
; 

loc_8CACFF:				; CODE XREF: VrpHandleIoctlCreateNamespaceNode+F6j
					; VrpHandleIoctlCreateNamespaceNode+126j
		mov	esi, 0C000000Dh
		jmp	loc_73D773
; 

loc_8CAD09:				; CODE XREF: VrpHandleIoctlCreateNamespaceNode+49j
					; VrpHandleIoctlCreateNamespaceNode+56j
		mov	ebx, [esp+38h+var_24]
		mov	esi, 0C000000Dh

loc_8CAD12:				; CODE XREF: VrpHandleIoctlCreateNamespaceNode+1A2j
					; VrpHandleIoctlCreateNamespaceNode+1B5j ...
		test	edi, edi
		jz	short loc_8CAD1F
		mov	edx, edi
		mov	ecx, ebx
		call	VrpDestroyNamespaceNode

loc_8CAD1F:				; CODE XREF: VrpHandleIoctlCreateNamespaceNode+18D794j
		cmp	[esp+38h+var_18], 0
		jz	loc_73D773
		jmp	loc_73D74E
; 

loc_8CAD2F:				; CODE XREF: VrpHandleIoctlCreateNamespaceNode+1DAj
		test	al, 4
		jnz	loc_73D760
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_73D760
; END OF FUNCTION CHUNK	FOR VrpHandleIoctlCreateNamespaceNode
; 
; START	OF FUNCTION CHUNK FOR VrpHandleIoctlLoadDifferencingHive

loc_8CAD43:				; CODE XREF: VrpHandleIoctlLoadDifferencingHive+45j
					; VrpHandleIoctlLoadDifferencingHive+61j
		mov	esi, 0C0000061h
		jmp	loc_73DA2A
; 

loc_8CAD4D:				; CODE XREF: VrpHandleIoctlLoadDifferencingHive+15Fj
		mov	esi, 0C000000Dh
		jmp	loc_73DA19
; 

loc_8CAD57:				; CODE XREF: VrpHandleIoctlLoadDifferencingHive+18Dj
		mov	esi, 0C0000056h
		jmp	loc_73DA43
; 

loc_8CAD61:				; CODE XREF: VrpHandleIoctlLoadDifferencingHive+1DEj
		lea	ecx, [ebp+var_20]
		mov	esi, 0C000009Ah
		call	VrpUnloadDifferencingHive
		jmp	loc_73DA43
; END OF FUNCTION CHUNK	FOR VrpHandleIoctlLoadDifferencingHive
; 
; START	OF FUNCTION CHUNK FOR VrpUnlockJobContextExclusive

loc_8CAD73:				; CODE XREF: VrpUnlockJobContextExclusive+Fj
		test	al, 4
		jnz	loc_73DA61
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_73DA61
; END OF FUNCTION CHUNK	FOR VrpUnlockJobContextExclusive
; 
; START	OF FUNCTION CHUNK FOR PspStorageMakeSlotReadOnly

loc_8CAD87:				; CODE XREF: PspStorageMakeSlotReadOnly+4Dj
		test	al, 4
		jnz	loc_73DDAD
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_73DDAD
; END OF FUNCTION CHUNK	FOR PspStorageMakeSlotReadOnly
; 
; START	OF FUNCTION CHUNK FOR CmGetRootKeyObjectForSilo

loc_8CAD9B:				; CODE XREF: CmGetRootKeyObjectForSilo+20j
					; CmGetRootKeyObjectForSilo+2Bj
		mov	ecx, ds:_CmpRegistryRootObject
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, ds:_CmpRegistryRootObject
		jmp	loc_73DDFB
; END OF FUNCTION CHUNK	FOR CmGetRootKeyObjectForSilo
; 
; START	OF FUNCTION CHUNK FOR VrpIncrementSiloCount

loc_8CADB0:				; CODE XREF: VrpIncrementSiloCount+65j
		test	dl, 4
		jnz	loc_73DEE3
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_73DEE3
; END OF FUNCTION CHUNK	FOR VrpIncrementSiloCount
; 
; START	OF FUNCTION CHUNK FOR PoTraceSystemTimerResolution

loc_8CADC5:				; CODE XREF: PoTraceSystemTimerResolution+28j
		push	offset _POP_ETW_EVENT_TIME_RESOLUTION_REQUEST_RUNDOWN
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	short loc_8CADEE
		push	offset _POP_ETW_EVENT_TIME_RESOLUTION_STACK_RUNDOWN
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	short loc_8CADEE
		xor	ebx, ebx
		mov	al, bl
		jmp	loc_73E1A2
; 

loc_8CADEE:				; CODE XREF: PoTraceSystemTimerResolution+18CC6Dj
					; PoTraceSystemTimerResolution+18CC7Dj
		mov	al, 1
		jmp	loc_73E1A0
; 

loc_8CADF5:				; CODE XREF: PoTraceSystemTimerResolution+47j
		mov	esi, [ebp+var_84]
		mov	edi, [esi+1C0h]
		mov	ax, [edi]
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_90], eax
		mov	eax, [esi+380h]
		mov	[ebp+var_84], eax
		mov	[ebp+var_88], ebx
		mov	dl, [ebp+var_7D]
		test	dl, dl
		jnz	short loc_8CAE65
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jnz	short loc_8CAE49
		cmp	byte ptr [eax+16Ah], 1
		jz	short loc_8CAE49
		mov	eax, [eax+0A8h]
		jmp	short loc_8CAE4B
; 

loc_8CAE49:				; CODE XREF: PoTraceSystemTimerResolution+18CCD0j
					; PoTraceSystemTimerResolution+18CCD9j
		mov	eax, ebx

loc_8CAE4B:				; CODE XREF: PoTraceSystemTimerResolution+18CCE1j
		test	eax, eax
		jz	short loc_8CAE65
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [eax+0F60h]
		mov	[ebp+var_88], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8CAE65:				; CODE XREF: PoTraceSystemTimerResolution+18CCC1j
					; PoTraceSystemTimerResolution+18CCE7j
		mov	eax, [esi+0E4h]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], ebx
		push	4
		pop	ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], ebx
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_6C], eax
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], ebx
		lea	eax, [ebp+var_90]
		mov	[ebp+var_5C], eax
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], 2
		mov	[ebp+var_50], ebx
		movzx	ecx, word ptr [edi]
		mov	eax, [edi+4]
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], ebx
		mov	eax, ecx
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], ebx
		test	dl, dl
		jnz	short loc_8CAEF3
		lea	eax, [ebp+var_88]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	5
		push	ebx
		push	offset _POP_ETW_EVENT_STRS
		jmp	loc_8CAF6F
; END OF FUNCTION CHUNK	FOR PoTraceSystemTimerResolution

;  S U B	R O U T	I N E 


sub_8CAEE0	proc near		; DATA XREF: .text:006A013Co
		xor	eax, eax
		inc	eax
		retn
sub_8CAEE0	endp


;  S U B	R O U T	I N E 


sub_8CAEE4	proc near		; DATA XREF: .text:006A0140o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_73E1B3
sub_8CAEE4	endp

; 
; START	OF FUNCTION CHUNK FOR PoTraceSystemTimerResolution

loc_8CAEF3:				; CODE XREF: PoTraceSystemTimerResolution+18CD5Ej
		test	dword ptr [esi+0FCh], 1000h
		jz	short loc_8CAF1C
		lea	eax, [ebp+var_7C]
		push	eax
		push	4
		push	ebx
		push	offset _POP_ETW_EVENT_TIME_RESOLUTION_REQUEST_RUNDOWN
		push	dword_6C1D74
		push	_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_8CAF1C:				; CODE XREF: PoTraceSystemTimerResolution+18CD97j
		mov	edx, [esi+37Ch]
		test	edx, edx
		jz	loc_73E1B3
		cmp	[edx], ebx
		jz	loc_73E1B3
		mov	eax, [esi+384h]
		mov	[ebp+var_84], eax
		mov	ecx, [edx]
		mov	[ebp+var_94], ecx
		lea	eax, [ebp+var_94]
		mov	[ebp+var_3C], eax
		lea	eax, [edx+4]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], ebx
		mov	eax, ecx
		shl	eax, 2
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], ebx
		lea	eax, [ebp+var_7C]
		push	eax
		push	6
		push	ebx
		push	offset _POP_ETW_EVENT_TIME_RESOLUTION_STACK_RUNDOWN

loc_8CAF6F:				; CODE XREF: PoTraceSystemTimerResolution+18CD75j
		push	dword_6C1D74
		push	_PopDiagHandle
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], 4
		mov	[ebp+var_30], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_73E1B3
; END OF FUNCTION CHUNK	FOR PoTraceSystemTimerResolution
; 
; START	OF FUNCTION CHUNK FOR PoDiagCaptureUsermodeStack

loc_8CAF92:				; CODE XREF: PoDiagCaptureUsermodeStack+39j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		jmp	loc_73E205
; END OF FUNCTION CHUNK	FOR PoDiagCaptureUsermodeStack
; 
; START	OF FUNCTION CHUNK FOR CmpFreeCallbackObjectContexts

loc_8CAFA0:				; CODE XREF: CmpFreeCallbackObjectContexts+55j
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		cmp	_CallbackListDeleteEvent, ecx
		jz	loc_73E267
		xor	edx, edx
		mov	ecx, offset _CallbackListDeleteEvent
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_73E267
; END OF FUNCTION CHUNK	FOR CmpFreeCallbackObjectContexts
; 
; START	OF FUNCTION CHUNK FOR PspSetJobIoRateControl

loc_8CAFC9:				; CODE XREF: PspSetJobIoRateControl+A2j
		lea	eax, [ebp+var_C]
		mov	edx, ecx
		push	eax
		lea	eax, [ebp+var_2+1]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_2]
		push	eax
		call	_PspSetJobIoRateControlForVolume@20 ; PspSetJobIoRateControlForVolume(x,x,x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		js	loc_73E3D8
		mov	cl, byte ptr [ebp+var_2+1]
		jmp	loc_73E3BF
; 

loc_8CAFF1:				; CODE XREF: PspSetJobIoRateControl+44j
		mov	eax, [esi+354h]
		test	eax, eax
		jz	short loc_8CAFFE
		mov	[ebp+var_C], eax

loc_8CAFFE:				; CODE XREF: PspSetJobIoRateControl+18CD13j
		mov	ecx, esi
		call	PspJobIoRateControlDisable
		mov	edi, eax
		jmp	loc_73E3CD
; 

loc_8CB00C:				; CODE XREF: PspSetJobIoRateControl+146j
		test	al, 4
		jnz	loc_73E432
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_73E432
; END OF FUNCTION CHUNK	FOR PspSetJobIoRateControl
; 
; START	OF FUNCTION CHUNK FOR EtwTracePsIoRateControl

loc_8CB020:				; CODE XREF: EtwTracePsIoRateControl+41j
		mov	edx, [esi+18h]
		test	edx, edx
		jnz	short loc_8CB02C
		mov	edx, (offset loc_8BC071+1)

loc_8CB02C:				; CODE XREF: EtwTracePsIoRateControl+18CB9Dj
		and	[ebp+var_118], 0
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[ebp+var_11C], eax

loc_8CB03E:				; CODE XREF: EtwTracePsIoRateControl+18CBC3j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_118]
		jnz	short loc_8CB03E
		lea	eax, [ebp+var_120]
		sub	ecx, [ebp+var_11C]
		mov	[ebp+var_114], eax
		xor	eax, eax
		mov	[ebp+var_110], eax
		mov	[ebp+var_108], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_104], eax
		xor	eax, eax
		mov	[ebp+var_100], eax
		mov	[ebp+var_F8], eax
		mov	[ebp+var_F0], eax
		mov	[ebp+var_E8], eax
		lea	eax, [esi+8]
		mov	[ebp+var_E4], eax
		xor	eax, eax
		mov	[ebp+var_E0], eax
		mov	[ebp+var_D8], eax
		lea	eax, [esi+40h]
		mov	[ebp+var_D4], eax
		xor	eax, eax
		mov	[ebp+var_D0], eax
		mov	[ebp+var_C8], eax
		lea	eax, [esi+10h]
		mov	[ebp+var_C4], eax
		xor	eax, eax
		mov	[ebp+var_C0], eax
		mov	[ebp+var_B8], eax
		lea	eax, [esi+30h]
		mov	[ebp+var_B4], eax
		xor	eax, eax
		mov	[ebp+var_B0], eax
		mov	[ebp+var_A8], eax
		lea	eax, [esi+48h]
		mov	[ebp+var_A4], eax
		xor	eax, eax
		mov	[ebp+var_A0], eax
		mov	[ebp+var_98], eax
		lea	eax, [esi+28h]
		mov	[ebp+var_94], eax
		xor	eax, eax
		mov	[ebp+var_90], eax
		mov	[ebp+var_88], eax
		lea	eax, [esi+38h]
		mov	[ebp+var_84], eax
		xor	eax, eax
		mov	[ebp+var_80], eax
		mov	[ebp+var_78], eax
		lea	eax, [esi+50h]
		mov	[ebp+var_74], eax
		xor	eax, eax
		mov	[ebp+var_70], eax
		mov	[ebp+var_68], eax
		lea	eax, [esi+58h]
		mov	[ebp+var_64], eax
		xor	eax, eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_58], eax
		lea	eax, [esi+60h]
		mov	[ebp+var_54], eax
		xor	eax, eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_48], eax
		lea	eax, [esi+68h]
		sar	ecx, 1
		mov	[ebp+var_F4], esi
		xor	esi, esi
		mov	[ebp+var_10C], 4
		mov	[ebp+var_FC], 4
		mov	[ebp+var_EC], 8
		mov	[ebp+var_DC], 8
		mov	[ebp+var_CC], 8
		mov	[ebp+var_BC], 8
		mov	[ebp+var_AC], 8
		mov	[ebp+var_9C], 8
		mov	[ebp+var_8C], 8
		mov	[ebp+var_7C], 8
		mov	[ebp+var_6C], 8
		mov	[ebp+var_5C], 8
		mov	[ebp+var_4C], 8
		mov	[ebp+var_44], eax
		push	4
		lea	eax, ds:2[ecx*2]
		mov	[ebp+var_34], ebx
		pop	ebx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_114]
		push	eax
		push	11h
		push	esi
		push	edi
		push	dword_6BC18C
		mov	[ebp+var_40], esi
		push	_EtwpPsProvRegHandle
		mov	[ebp+var_3C], 8
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_73E4CF
; END OF FUNCTION CHUNK	FOR EtwTracePsIoRateControl
; 
; START	OF FUNCTION CHUNK FOR PspIoRateEntryActivate

loc_8CB23A:				; CODE XREF: PspIoRateEntryActivate+54j
		push	eax
		lea	eax, [esp+4Ch+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		push	ebx
		push	20h
		push	1
		push	7
		push	ebx
		lea	eax, [esp+60h+var_28]
		mov	[esp+60h+var_18], 18h
		mov	[esp+60h+var_10], eax
		lea	eax, [esp+60h+var_20]
		push	ebx
		push	eax
		lea	eax, [esp+68h+var_18]
		mov	[esp+68h+var_14], ebx
		push	eax
		push	100080h
		lea	eax, [esp+70h+var_3C]
		mov	[esp+70h+var_C], 240h
		push	eax
		mov	[esp+74h+var_8], ebx
		mov	[esp+74h+var_4], ebx
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_73E598
		mov	ecx, [esp+48h+var_30]
		mov	edx, [ecx+328h]
		call	IoDiskIoAttributionAllocate
		mov	esi, eax
		test	esi, esi
		jnz	short loc_8CB2B5
		mov	edi, 0C000009Ah
		jmp	loc_73E598
; 

loc_8CB2B5:				; CODE XREF: PspIoRateEntryActivate+18CDC1j
		mov	ecx, esi
		call	_IoStartDiskIoAttributionForContext@4 ;	IoStartDiskIoAttributionForContext(x)
		mov	ecx, [esp+48h+var_3C]
		mov	eax, esi
		jmp	loc_73E548
; 

loc_8CB2C7:				; CODE XREF: PspIoRateEntryActivate+82j
		mov	ecx, edi
		call	PspIoRateEntryDeactivate
		mov	eax, [ebp+arg_4]
		mov	byte ptr [eax],	1
		jmp	loc_73E570
; 

loc_8CB2D9:				; CODE XREF: PspIoRateEntryActivate+A6j
		mov	ecx, esi
		call	_IoStopDiskIoAttributionForContext@4 ; IoStopDiskIoAttributionForContext(x)
		mov	ecx, esi
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		jmp	loc_73E594
; 

loc_8CB2EC:				; CODE XREF: PspIoRateEntryActivate+B5j
		push	[esp+48h+var_3C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_73E5A3
; END OF FUNCTION CHUNK	FOR PspIoRateEntryActivate
; 
; START	OF FUNCTION CHUNK FOR PspIoRateEntryDeactivate

loc_8CB2FA:				; CODE XREF: PspIoRateEntryDeactivate+1Ej
		call	_IoStopDiskIoAttributionForContext@4 ; IoStopDiskIoAttributionForContext(x)
		mov	ecx, [esi+18h]
		call	_IoDiskIoAttributionDereference@4 ; IoDiskIoAttributionDereference(x)
		and	dword ptr [esi+18h], 0
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR PspIoRateEntryDeactivate
; 
; START	OF FUNCTION CHUNK FOR CmQuerySingleFeatureConfiguration

loc_8CB30D:				; CODE XREF: CmQuerySingleFeatureConfiguration+17j
		mov	esi, 0C0000004h
		jmp	loc_73E673
; 

loc_8CB317:				; CODE XREF: CmQuerySingleFeatureConfiguration+5Fj
		cmp	esi, 0C0000225h
		jz	loc_73E649
		jmp	loc_73E673
; END OF FUNCTION CHUNK	FOR CmQuerySingleFeatureConfiguration

;  S U B	R O U T	I N E 


sub_8CB328	proc near		; DATA XREF: .text:006A0168o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8CB328	endp


;  S U B	R O U T	I N E 


sub_8CB338	proc near		; DATA XREF: .text:006A016Co

; FUNCTION CHUNK AT 008CB39F SIZE 0000000F BYTES

		mov	esi, [ebp-1Ch]
		jmp	short loc_8CB39F
sub_8CB338	endp

; 
; START	OF FUNCTION CHUNK FOR CmQuerySingleFeatureConfiguration

loc_8CB33D:				; CODE XREF: CmQuerySingleFeatureConfiguration+53j
		mov	[ebp+ms_exc.disabled], 2
		push	6
		pop	ecx
		xor	eax, eax
		mov	edx, [ebp+arg_0]
		mov	edi, edx
		rep stosd
		mov	eax, [ebp+var_30]
		mov	[edx], eax
		mov	eax, [ebp+var_2C]
		mov	[edx+4], eax
		lea	edi, [edx+8]
		lea	esi, [ebp+var_3C]
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		xor	esi, esi
		jmp	loc_73E673
; END OF FUNCTION CHUNK	FOR CmQuerySingleFeatureConfiguration

;  S U B	R O U T	I N E 


sub_8CB377	proc near		; DATA XREF: .text:006A0174o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8CB377	endp


;  S U B	R O U T	I N E 


sub_8CB387	proc near		; DATA XREF: .text:006A0178o
		mov	esi, [ebp-20h]
		jmp	short loc_8CB39F
sub_8CB387	endp

; 

loc_8CB38C:				; DATA XREF: .text:006A015Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_8CB39C:				; DATA XREF: .text:006A0160o
		mov	esi, [ebp-24h]
; START	OF FUNCTION CHUNK FOR sub_8CB338

loc_8CB39F:				; CODE XREF: sub_8CB338+3j
					; sub_8CB387+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_73E673
; END OF FUNCTION CHUNK	FOR sub_8CB338
; 
; START	OF FUNCTION CHUNK FOR CmpEnumerateLayeredKey

loc_8CB3AE:				; CODE XREF: CmpEnumerateLayeredKey+F0j
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		jmp	loc_73E875
; 

loc_8CB3B8:				; CODE XREF: CmpEnumerateLayeredKey+16Aj
		mov	bl, byte ptr [ebp+var_120]
		jmp	loc_73E8EA
; 

loc_8CB3C3:				; CODE XREF: CmpEnumerateLayeredKey+17Ej
		mov	ebx, [ebp+var_118]
		test	esi, esi
		jnz	short loc_8CB3DC
		lea	eax, [ebx+30h]
		xchg	esi, [eax]
		mov	[ebp+var_10C], esi
		test	esi, esi
		jz	short loc_8CB409

loc_8CB3DC:				; CODE XREF: CmpEnumerateLayeredKey+18CC51j
		mov	edx, esi
		lea	ecx, [ebp+var_134]
		call	_CmpKeyEnumStackVerifyResumeContext@8 ;	CmpKeyEnumStackVerifyResumeContext(x,x)
		cmp	eax, 0C0000059h
		jz	short loc_8CB3FB
		mov	eax, [ebp+var_11C]
		cmp	[esi+4], eax
		jbe	short loc_8CB409

loc_8CB3FB:				; CODE XREF: CmpEnumerateLayeredKey+18CC74j
		mov	[ebp+var_124], esi
		xor	esi, esi
		mov	[ebp+var_10C], esi

loc_8CB409:				; CODE XREF: CmpEnumerateLayeredKey+18CC60j
					; CmpEnumerateLayeredKey+18CC7Fj
		push	esi
		push	ebx
		lea	edx, [ebp+var_134]
		lea	ecx, [ebp+var_108]
		call	_CmpKeyEnumStackStartFromKcbStack@16 ; CmpKeyEnumStackStartFromKcbStack(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8CB553
		test	esi, esi
		jz	short loc_8CB43D
		mov	ebx, [esi+4]
		mov	[ebp+var_124], esi
		xor	esi, esi
		mov	[ebp+var_10C], esi
		jmp	short loc_8CB43F
; 

loc_8CB43D:				; CODE XREF: CmpEnumerateLayeredKey+18CCAEj
		xor	ebx, ebx

loc_8CB43F:				; CODE XREF: CmpEnumerateLayeredKey+18CCC1j
		lea	ecx, [ebp+var_108]
		call	_CmpKeyEnumStackAdvance@4 ; CmpKeyEnumStackAdvance(x)
		mov	edi, eax
		test	edi, edi
		js	loc_8CB553
		cmp	ebx, [ebp+var_11C]
		jnb	loc_8CB4F0
		xor	edi, edi
		mov	[ebp+var_114], edi

loc_8CB468:				; CODE XREF: CmpEnumerateLayeredKey+18CD70j
		call	_CmpIsRegistryLockContended@0 ;	CmpIsRegistryLockContended()
		test	al, al
		jz	short loc_8CB4C5
		cmp	edi, 0Ah
		jb	short loc_8CB4C5
		cmp	[ebp+arg_14], 0
		jz	short loc_8CB4C5
		lea	eax, [ebp+var_10C]
		push	eax
		push	[ebp+var_120]
		lea	edx, [ebp+var_108]
		push	ebx
		lea	ecx, [ebp+var_134]
		call	_CmpKeyEnumStackCreateResumeContext@20 ; CmpKeyEnumStackCreateResumeContext(x,x,x,x,x)
		mov	ebx, [ebp+var_110]
		mov	edi, eax
		test	edi, edi
		js	loc_8CB548
		mov	ecx, [ebp+var_138]
		xor	esi, esi
		mov	eax, [ebp+var_10C]
		mov	edi, 0C000022Dh
		mov	[ecx], eax
		jmp	loc_73E985
; 

loc_8CB4C5:				; CODE XREF: CmpEnumerateLayeredKey+18CCF5j
					; CmpEnumerateLayeredKey+18CCFAj ...
		lea	ecx, [ebp+var_108]
		call	_CmpKeyEnumStackAdvance@4 ; CmpKeyEnumStackAdvance(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8CB553
		mov	edi, [ebp+var_114]
		inc	ebx
		inc	edi
		mov	[ebp+var_114], edi
		cmp	ebx, [ebp+var_11C]
		jb	loc_8CB468

loc_8CB4F0:				; CODE XREF: CmpEnumerateLayeredKey+18CCE0j
		lea	eax, [ebp+var_10C]
		push	eax
		push	0
		push	ebx
		lea	edx, [ebp+var_108]
		lea	ecx, [ebp+var_134]
		call	_CmpKeyEnumStackCreateResumeContext@20 ; CmpKeyEnumStackCreateResumeContext(x,x,x,x,x)
		mov	esi, [ebp+var_10C]
		test	eax, eax
		js	short loc_8CB520
		mov	eax, [ebp+var_118]
		add	eax, 30h
		xchg	esi, [eax]

loc_8CB520:				; CODE XREF: CmpEnumerateLayeredKey+18CD99j
		push	[ebp+var_13C]
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_100]
		push	[ebp+arg_8]
		push	[ebp+var_140]
		call	_CmpQueryKeyDataFromKeyNodeStack@20 ; CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)
		mov	ebx, [ebp+var_110]
		jmp	loc_73E97D
; 

loc_8CB548:				; CODE XREF: CmpEnumerateLayeredKey+18CD2Bj
		mov	esi, [ebp+var_10C]
		jmp	loc_73E985
; 

loc_8CB553:				; CODE XREF: CmpEnumerateLayeredKey+18CCA6j
					; CmpEnumerateLayeredKey+18CCD4j ...
		mov	ebx, [ebp+var_110]
		jmp	loc_73E985
; 

loc_8CB55E:				; CODE XREF: CmpEnumerateLayeredKey+265j
		push	0
		lea	edx, [ebp+var_160]
		mov	ecx, esi
		call	_CmpKeyEnumStackFreeResumeContext@12 ; CmpKeyEnumStackFreeResumeContext(x,x,x)
		jmp	loc_73E9E5
; 

loc_8CB572:				; CODE XREF: CmpEnumerateLayeredKey+273j
		push	0
		lea	edx, [ebp+var_160]
		mov	ecx, eax
		call	_CmpKeyEnumStackFreeResumeContext@12 ; CmpKeyEnumStackFreeResumeContext(x,x,x)
		jmp	loc_73E9F3
; END OF FUNCTION CHUNK	FOR CmpEnumerateLayeredKey
; 
; START	OF FUNCTION CHUNK FOR CmpKeyEnumStackEntryCleanup

loc_8CB586:				; CODE XREF: CmpKeyEnumStackEntryCleanup+Fj
		mov	edx, [esi]
		lea	eax, [esi+8]
		push	eax
		push	edx
		call	dword ptr [edx+8]
		jmp	loc_73EAFB
; 

loc_8CB595:				; CODE XREF: CmpKeyEnumStackEntryCleanup+25j
		mov	ecx, [esi]
		lea	eax, [ebx-20h]
		push	eax
		push	ecx
		call	dword ptr [ecx+8]
		mov	eax, [ebp+var_4]
		jmp	loc_73EB11
; 

loc_8CB5A7:				; CODE XREF: CmpKeyEnumStackEntryCleanup+2Ej
		mov	eax, [esi]
		push	ebx
		push	eax
		call	dword ptr [eax+8]
		mov	eax, [ebp+var_4]
		jmp	loc_73EB1A
; END OF FUNCTION CHUNK	FOR CmpKeyEnumStackEntryCleanup
; 
; START	OF FUNCTION CHUNK FOR CmpKeyEnumStackGetEntryAtLayerHeight

loc_8CB5B6:				; CODE XREF: CmpKeyEnumStackGetEntryAtLayerHeight+7j
		add	eax, 0FFFFFFFEh
		imul	eax, 60h
		add	eax, [ecx+0F8h]
		retn
; END OF FUNCTION CHUNK	FOR CmpKeyEnumStackGetEntryAtLayerHeight
; 
; START	OF FUNCTION CHUNK FOR CmpCleanupKeyNodeStack

loc_8CB5C3:				; CODE XREF: CmpCleanupKeyNodeStack+1Cj
		mov	ecx, [eax]
		add	eax, 0Ch
		push	eax
		push	ecx
		call	dword ptr [ecx+8]
		jmp	loc_73EB66
; END OF FUNCTION CHUNK	FOR CmpCleanupKeyNodeStack
; 
; START	OF FUNCTION CHUNK FOR CmpKeyNodeStackGetEntryAtLayerHeight

loc_8CB5D2:				; CODE XREF: CmpKeyNodeStackGetEntryAtLayerHeight+4j
		lea	eax, [edx-2]
		cwde
		imul	eax, 14h
		add	eax, [ecx+2Ch]
		retn
; END OF FUNCTION CHUNK	FOR CmpKeyNodeStackGetEntryAtLayerHeight
; 
; START	OF FUNCTION CHUNK FOR CmpFindKcbInHashEntryByName

loc_8CB5DD:				; CODE XREF: CmpFindKcbInHashEntryByName+58j
		mov	[ebp+var_8], edx
		lea	edx, [ebp+var_C]
		mov	word ptr [ebp+var_C], cx
		mov	word ptr [ebp+var_C+2],	cx
		mov	ecx, [ebp+arg_4]
		call	CmpCompareUnicodeString
		jmp	loc_73EC35
; END OF FUNCTION CHUNK	FOR CmpFindKcbInHashEntryByName
; 
; START	OF FUNCTION CHUNK FOR MiValidateUserCallTarget

loc_8CB5F8:				; CODE XREF: MiValidateUserCallTarget+1Aj
		sub	eax, 1
		jz	short loc_8CB605
		sub	eax, 1
		jmp	loc_73ED32
; 

loc_8CB605:				; CODE XREF: MiValidateUserCallTarget+18C8EFj
		call	_MiIsProcessCfgExportSuppressionEnabled@0 ; MiIsProcessCfgExportSuppressionEnabled()
		test	eax, eax
		jnz	loc_73ED37
		jmp	loc_73ED2C
; END OF FUNCTION CHUNK	FOR MiValidateUserCallTarget
; 
; START	OF FUNCTION CHUNK FOR EtwTiLogMapExecView

loc_8CB617:				; CODE XREF: EtwTiLogMapExecView+5Bj
		push	2
		pop	ecx
		jmp	loc_73EDCF
; END OF FUNCTION CHUNK	FOR EtwTiLogMapExecView
; 
; START	OF FUNCTION CHUNK FOR PspStorageEmptyNonReadonly

loc_8CB61F:				; CODE XREF: PspStorageEmptyNonReadonly+18j
		mov	edx, 100h
		call	PspStorageEmptyArrayNonReadonly
		add	edi, eax
		jmp	loc_73EF46
; END OF FUNCTION CHUNK	FOR PspStorageEmptyNonReadonly
; 
; START	OF FUNCTION CHUNK FOR IopGetRelatedFileName

loc_8CB630:				; CODE XREF: IopGetRelatedFileName+8Bj
		mov	esi, [ebp+var_14]
		jmp	loc_73EF7E
; 

loc_8CB638:				; CODE XREF: IopGetRelatedFileName+24j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		jmp	loc_73EF86
; 

loc_8CB647:				; CODE XREF: IopGetRelatedFileName+9Bj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx
		jmp	loc_73EFFD
; 

loc_8CB656:				; CODE XREF: IopGetRelatedFileName+C1j
		mov	esi, 0C000009Ah
		jmp	loc_73F0DA
; 

loc_8CB660:				; CODE XREF: IopGetRelatedFileName+AAj
					; IopGetRelatedFileName+117j
		mov	esi, 0C0000106h
		jmp	loc_73F0CE
; 

loc_8CB66A:				; CODE XREF: IopGetRelatedFileName+47j
		mov	esi, 0C000009Ah
		jmp	loc_73F0E6
; 

loc_8CB674:				; CODE XREF: IopGetRelatedFileName+30j
		mov	esi, 0C0000106h
		jmp	loc_73F0DA
; END OF FUNCTION CHUNK	FOR IopGetRelatedFileName
; 
; START	OF FUNCTION CHUNK FOR IoQueryInformationByName

loc_8CB67E:				; CODE XREF: IoQueryInformationByName+9Bj
		cmp	byte ptr [ebp+var_CC], bl
		jnz	loc_73F19D
		push	47h
		pop	edi
		mov	[ebp+var_BD], 1
		jmp	loc_73F19D
; 

loc_8CB699:				; CODE XREF: IoQueryInformationByName+A4j
		cmp	edi, 46h
		jz	loc_73F1A6
		cmp	edi, 47h
		jz	loc_73F1A6
		mov	eax, 0C000000Dh
		jmp	loc_73F343
; 

loc_8CB6B5:				; CODE XREF: IoQueryInformationByName+157j
		or	[ebp+var_140], 1
		jmp	loc_73F259
; 

loc_8CB6C1:				; CODE XREF: IoQueryInformationByName+19Ej
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		mov	[ebp+var_104], eax
		jmp	loc_73F2A0
; 

loc_8CB6D1:				; CODE XREF: IoQueryInformationByName+1B0j
		mov	[ebp+ms_exc.disabled], ebx
		mov	edx, [ebp+var_C4]
		call	IopVerifierExAllocatePoolWithQuota
		mov	[ebp+var_130], eax
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		jmp	loc_73F2BB
; 

loc_8CB6F0:				; CODE XREF: IoQueryInformationByName+220j
		test	esi, esi
		js	short sub_8CB737
		mov	[ebp+ms_exc.disabled], 1
		push	[ebp+var_FC]	; size_t
		push	[ebp+var_130]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], edi
		jmp	short sub_8CB737
; END OF FUNCTION CHUNK	FOR IoQueryInformationByName

;  S U B	R O U T	I N E 


sub_8CB715	proc near		; DATA XREF: .text:006A01E0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0DCh], eax
		xor	eax, eax
		inc	eax
		retn
sub_8CB715	endp


;  S U B	R O U T	I N E 


sub_8CB726	proc near		; DATA XREF: .text:006A01E4o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0DCh]
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		xor	ebx, ebx
sub_8CB726	endp


;  S U B	R O U T	I N E 


sub_8CB737	proc near		; CODE XREF: IoQueryInformationByName+18C5F6j
					; IoQueryInformationByName+18C617j
		push	ebx
		push	dword ptr [ebp-130h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_73F322
sub_8CB737	endp


;  S U B	R O U T	I N E 


sub_8CB748	proc near		; DATA XREF: .text:006A01ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E0h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8CB748	endp


;  S U B	R O U T	I N E 


sub_8CB759	proc near		; DATA XREF: .text:006A01F0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0E0h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_73F341
sub_8CB759	endp

; 

loc_8CB76E:				; DATA XREF: .text:006A01D4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E4h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8CB77F:				; DATA XREF: .text:006A01D8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0E4h]
		jmp	loc_73F343
; 
; START	OF FUNCTION CHUNK FOR IopGetNetworkOpenInformation

loc_8CB794:				; CODE XREF: IopGetNetworkOpenInformation+4Fj
		push	1
		lea	eax, [esp+5Ch+var_4C]
		mov	ecx, ebx
		push	eax
		lea	eax, [esp+60h+var_20]
		push	eax
		push	0
		push	18h
		push	5
		pop	edx
		call	IopQueryXxxInformation
		mov	edx, eax
		test	edx, edx
		js	loc_73F3AB
		mov	ecx, [esi+44h]
		mov	eax, [esp+58h+var_48]
		mov	[ecx], eax
		mov	eax, [esp+58h+var_44]
		mov	[ecx+4], eax
		mov	ecx, [esi+44h]
		mov	eax, [esp+58h+var_40]
		mov	[ecx+8], eax
		mov	eax, [esp+58h+var_3C]
		mov	[ecx+0Ch], eax
		mov	ecx, [esi+44h]
		mov	eax, [esp+58h+var_38]
		mov	[ecx+10h], eax
		mov	eax, [esp+58h+var_34]
		mov	[ecx+14h], eax
		mov	ecx, [esi+44h]
		mov	eax, [esp+58h+var_30]
		mov	[ecx+18h], eax
		mov	eax, [esp+58h+var_2C]
		mov	[ecx+1Ch], eax
		mov	ecx, [esi+44h]
		mov	eax, [esp+58h+var_20]
		mov	[ecx+20h], eax
		mov	eax, [esp+58h+var_1C]
		mov	[ecx+24h], eax
		mov	ecx, [esi+44h]
		mov	eax, [esp+58h+var_18]
		mov	[ecx+28h], eax
		mov	eax, [esp+58h+var_14]
		mov	[ecx+2Ch], eax
		mov	ecx, [esi+44h]
		mov	eax, [esp+58h+var_28]
		mov	[ecx+30h], eax
		jmp	loc_73F3AB
; END OF FUNCTION CHUNK	FOR IopGetNetworkOpenInformation
; 
; START	OF FUNCTION CHUNK FOR HvlQueryVsmProtectionInfo

loc_8CB82C:				; CODE XREF: HvlQueryVsmProtectionInfo+22j
		mov	esi, 0C00000F0h
		jmp	loc_73F6F2
; 

loc_8CB836:				; CODE XREF: HvlQueryVsmProtectionInfo+3Fj
		mov	ecx, ds:_HvlpFlags
		test	cl, 2
		jnz	short loc_8CB861
		shr	ecx, 6
		and	ecx, 1
		jnz	short loc_8CB852
		call	_KeIsCetCapable@0 ; KeIsCetCapable()
		test	al, al
		jz	short loc_8CB856

loc_8CB852:				; CODE XREF: HvlQueryVsmProtectionInfo+18C1F7j
		mov	byte ptr [ebp+var_30], 1

loc_8CB856:				; CODE XREF: HvlQueryVsmProtectionInfo+18C200j
		test	ecx, ecx
		setnz	byte ptr [ebp+var_30+1]
		jmp	loc_73F6A1
; 

loc_8CB861:				; CODE XREF: HvlQueryVsmProtectionInfo+18C1EFj
		test	al, al
		jz	loc_73F695
		mov	eax, ds:_HvlpFlags
		test	al, 2
		jz	loc_73F695
		lea	eax, [ebp+var_2C]
		push	eax
		call	_HviGetHardwareFeatures@4 ; HviGetHardwareFeatures(x)
		mov	al, byte ptr [ebp+var_2C]
		shr	al, 7
		mov	byte ptr [ebp+var_30+1], al
		jmp	loc_73F69E
; END OF FUNCTION CHUNK	FOR HvlQueryVsmProtectionInfo

;  S U B	R O U T	I N E 


sub_8CB88D	proc near		; DATA XREF: .text:006A020Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8CB88D	endp


;  S U B	R O U T	I N E 


sub_8CB89B	proc near		; DATA XREF: .text:006A0210o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-3Ch]
		jmp	loc_73F6CB
sub_8CB89B	endp


;  S U B	R O U T	I N E 


sub_8CB8A6	proc near		; DATA XREF: .text:006A022Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8CB8A6	endp


;  S U B	R O U T	I N E 


sub_8CB8B4	proc near		; DATA XREF: .text:006A0230o

; FUNCTION CHUNK AT 008CB8DD SIZE 00000003 BYTES

		mov	esi, [ebp-20h]
		jmp	short loc_8CB8DD
sub_8CB8B4	endp

; 
; START	OF FUNCTION CHUNK FOR NtOpenJobObject

loc_8CB8B9:				; CODE XREF: NtOpenJobObject+63j
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	short loc_8CB8E0
; END OF FUNCTION CHUNK	FOR NtOpenJobObject

;  S U B	R O U T	I N E 


sub_8CB8CA	proc near		; DATA XREF: .text:006A0238o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8CB8CA	endp


;  S U B	R O U T	I N E 


sub_8CB8DA	proc near		; DATA XREF: .text:006A023Co
		mov	esi, [ebp-28h]
sub_8CB8DA	endp

; START	OF FUNCTION CHUNK FOR sub_8CB8B4

loc_8CB8DD:				; CODE XREF: sub_8CB8B4+3j
		mov	esp, [ebp-18h]
; END OF FUNCTION CHUNK	FOR sub_8CB8B4
; START	OF FUNCTION CHUNK FOR NtOpenJobObject

loc_8CB8E0:				; CODE XREF: NtOpenJobObject+18C1CEj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_73F763
; 

loc_8CB8EC:				; CODE XREF: NtOpenJobObject+73j
		push	722h
		push	esi
		xor	edx, edx
		xor	ecx, ecx
		call	@EtwTraceJob@16	; EtwTraceJob(x,x,x,x)
		jmp	loc_73F773
; END OF FUNCTION CHUNK	FOR NtOpenJobObject
; 
; START	OF FUNCTION CHUNK FOR VrpRegistryDispatch

loc_8CB900:				; CODE XREF: VrpRegistryDispatch+18j
		sub	eax, 10h
		jz	loc_73F9E6
		mov	esi, 0C0000010h
		jmp	loc_73F9E8
; END OF FUNCTION CHUNK	FOR VrpRegistryDispatch
; 
; START	OF FUNCTION CHUNK FOR CmGetKeyFlags

loc_8CB913:				; CODE XREF: CmGetKeyFlags+17j
		lea	eax, [ecx+70h]
		mov	[ebp+var_4], eax
		push	edi

loc_8CB91A:				; CODE XREF: CmGetKeyFlags+18BE72j
					; CmGetKeyFlags+18BE78j
		push	ecx
		lea	edx, [ebp+var_8]
		mov	ecx, eax
		call	CmListGetPrevElement
		mov	edi, eax
		test	edi, edi
		jz	short loc_8CB945
		mov	ecx, [edi+1Ch]
		mov	edx, ebx
		call	CmEqualTrans
		test	al, al
		mov	eax, [ebp+var_4]
		jz	short loc_8CB91A
		cmp	dword ptr [edi+24h], 7
		jnz	short loc_8CB91A
		mov	esi, [edi+30h]

loc_8CB945:				; CODE XREF: CmGetKeyFlags+18BE61j
		pop	edi
		jmp	loc_73FAE5
; END OF FUNCTION CHUNK	FOR CmGetKeyFlags
; 
; START	OF FUNCTION CHUNK FOR PspEnableProcessWakeCounters

loc_8CB94B:				; CODE XREF: PspEnableProcessWakeCounters+1Fj
		and	[ebp+var_4], 0
		push	ebx
		lea	ebx, [esi+1B8h]
		mov	esi, [ebp+var_4]

loc_8CB959:				; CODE XREF: PspEnableProcessWakeCounters+18BE97j
		lea	edx, [edi+468h]
		mov	edi, 80000000h
		lea	edx, [edx+esi*4]
		mov	eax, [edx]

loc_8CB969:				; CODE XREF: PspEnableProcessWakeCounters+18BE85j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_8CB969
		add	[ebx], eax
		mov	edi, [ebp+arg_0]
		adc	dword ptr [ebx+4], 0
		inc	esi
		lea	ebx, [ebx+8]
		cmp	esi, 7
		jb	short loc_8CB959
		lea	edx, [edi+48Ch]
		mov	ebx, 80000000h
		mov	eax, [edx]

loc_8CB992:				; CODE XREF: PspEnableProcessWakeCounters+18BEAEj
		mov	ecx, eax
		or	ecx, ebx
		lock cmpxchg [edx], ecx
		jnz	short loc_8CB992
		mov	esi, [ebp+var_8]
		pop	ebx
		add	[esi+1F0h], eax
		adc	dword ptr [esi+1F4h], 0
		jmp	loc_73FB11
; END OF FUNCTION CHUNK	FOR PspEnableProcessWakeCounters
; 
; START	OF FUNCTION CHUNK FOR CmpRecordUnloadEventForHive

loc_8CB9B2:				; CODE XREF: CmpRecordUnloadEventForHive+31j
		shl	eax, 2
		push	eax		; size_t
		push	dword ptr [esi+6D4h] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	dword ptr [esi+6D4h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+6D0h]
		jmp	loc_73FB6F
; END OF FUNCTION CHUNK	FOR CmpRecordUnloadEventForHive
; 
; START	OF FUNCTION CHUNK FOR CmpSearchForOpenSubKeys

loc_8CB9DD:				; CODE XREF: CmpSearchForOpenSubKeys+1Dj
		push	eax
		lea	edx, [ebp+var_8]
		mov	esi, offset _CmpSearchAndCountWorker@8 ; CmpSearchAndCountWorker(x,x)
		mov	bl, 1
		call	_CmpDumpKeyBodyList@12 ; CmpDumpKeyBodyList(x,x,x)
		jmp	loc_73FC16
; END OF FUNCTION CHUNK	FOR CmpSearchForOpenSubKeys
; 
; START	OF FUNCTION CHUNK FOR CmpRunDownCmRM

loc_8CB9F2:				; CODE XREF: CmpRunDownCmRM+4Fj
					; CmpRunDownCmRM+18BD6Aj
		cmp	[edx+10h], esi
		mov	edi, edx
		mov	edx, [edx]
		jnz	short loc_8CBA2C
		cmp	[edx+4], edi
		jnz	loc_73FDE6
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	loc_73FDE6
		mov	[eax], edx
		lea	ecx, [ebp+var_8]
		mov	[edx+4], eax
		mov	eax, [ebp+var_4]
		cmp	[eax], ecx
		jnz	loc_73FDE6
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[ebp+var_4], edi

loc_8CBA2C:				; CODE XREF: CmpRunDownCmRM+18BD31j
		cmp	edx, offset _CmpLazyCommitListHead
		jnz	short loc_8CB9F2
		xor	edi, edi
		jmp	loc_73FD1D
; 

loc_8CBA3B:				; CODE XREF: CmpRunDownCmRM+92j
		push	edi
		push	4
		add	edx, 0FFFFFFF0h
		mov	ecx, esi
		call	_CmpCleanupTransactionState@16 ; CmpCleanupTransactionState(x,x,x,x)
		jmp	loc_73FD33
; END OF FUNCTION CHUNK	FOR CmpRunDownCmRM
; 
; START	OF FUNCTION CHUNK FOR CmpStopRMLog

loc_8CBA4D:				; CODE XREF: CmpStopRMLog+29j
		cmp	[esi+38h], edi
		jz	short loc_8CBA66
		push	edi
		mov	ecx, esi
		call	CmpLogCheckpoint
		push	dword ptr [esi+38h]
		call	ds:__imp__ClfsDeleteMarshallingArea@4 ;	ClfsDeleteMarshallingArea(x)
		mov	[esi+38h], edi

loc_8CBA66:				; CODE XREF: CmpStopRMLog+18BBCAj
		cmp	esi, _CmRmSystem
		jz	short loc_8CBA7E
		lea	eax, [esi+8]
		cmp	[eax], eax
		jnz	short loc_8CBA7E
		push	dword ptr [esi+34h]
		call	ds:__imp__ClfsDeleteLogByPointer@4 ; ClfsDeleteLogByPointer(x)

loc_8CBA7E:				; CODE XREF: CmpStopRMLog+18BBE6j
					; CmpStopRMLog+18BBEDj
		push	dword ptr [esi+34h]
		call	ds:__imp__ClfsCloseLogFileObject@4 ; ClfsCloseLogFileObject(x)
		mov	[esi+34h], edi
		jmp	loc_73FEB5
; END OF FUNCTION CHUNK	FOR CmpStopRMLog
; 
; START	OF FUNCTION CHUNK FOR CmpReferenceKeyControlBlockLockNotHeld

loc_8CBA8F:				; CODE XREF: CmpReferenceKeyControlBlockLockNotHeld+10j
		push	0
		push	0
		push	esi
		push	24h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8CBA9E:				; CODE XREF: CmpReferenceKeyControlBlock+Ej
		push	0
		push	0
		push	ecx
		push	20h
		jmp	short loc_8CBAAE
; END OF FUNCTION CHUNK	FOR CmpReferenceKeyControlBlockLockNotHeld
; 
; START	OF FUNCTION CHUNK FOR CmpReferenceKeyControlBlock

loc_8CBAA7:				; CODE XREF: CmpReferenceKeyControlBlock+1Cj
		push	0
		push	0
		push	ecx
		push	24h

loc_8CBAAE:				; CODE XREF: CmpReferenceKeyControlBlockLockNotHeld+18BBA7j
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8CBAB6:				; CODE XREF: CmpEnumerateAllOpenSubKeys+7Fj
		cmp	[edi+440h], esi
		jbe	loc_73FFFD
		mov	ebx, esi

loc_8CBAC4:				; CODE XREF: CmpReferenceKeyControlBlock+18BBB0j
		push	[ebp+arg_4]
		mov	edx, [edi+43Ch]
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_10]
		add	edx, ebx
		call	_CmpEnumerateKcbCacheBucket@16 ; CmpEnumerateKcbCacheBucket(x,x,x,x)
		cmp	eax, 1
		jz	loc_73FFFD
		cmp	eax, 2
		jnz	short loc_8CBAEC
		dec	esi
		sub	ebx, 0Ch

loc_8CBAEC:				; CODE XREF: CmpReferenceKeyControlBlock+18BBA0j
		inc	esi
		add	ebx, 0Ch
		cmp	esi, [edi+440h]
		jb	short loc_8CBAC4
		jmp	loc_73FFFD
; END OF FUNCTION CHUNK	FOR CmpReferenceKeyControlBlock
; 
; START	OF FUNCTION CHUNK FOR CmpFreeKeyControlBlock

loc_8CBAFD:				; CODE XREF: CmpFreeKeyControlBlock+51j
		push	0
		push	0
		push	esi
		push	11h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8CBB0B:				; CODE XREF: CmpFreeKeyControlBlock+5Ej
		push	0
		push	1
		push	esi
		push	11h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8CBB19:				; CODE XREF: CmpFreeKeyControlBlock+6Dj
		and	ecx, 0FFFFFFFEh
		jmp	loc_740193
; END OF FUNCTION CHUNK	FOR CmpFreeKeyControlBlock
; 
; START	OF FUNCTION CHUNK FOR CmUnloadKey

loc_8CBB21:				; CODE XREF: CmUnloadKey+E7j
		mov	esi, 0C0000189h
		jmp	short loc_8CBB40
; END OF FUNCTION CHUNK	FOR CmUnloadKey

;  S U B	R O U T	I N E 


sub_8CBB28	proc near		; DATA XREF: .text:006A0258o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-118h]
		mov	[ebp-11Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
sub_8CBB28	endp

; START	OF FUNCTION CHUNK FOR CmUnloadKey

loc_8CBB40:				; CODE XREF: CmUnloadKey+18B880j
					; CmUnloadKey+18B8A6j ...
		mov	al, bl
		jmp	loc_7405AB
; 

loc_8CBB47:				; CODE XREF: CmUnloadKey+106j
		mov	esi, 0C0000061h
		jmp	short loc_8CBB40
; 

loc_8CBB4E:				; CODE XREF: CmUnloadKey+112j
		mov	esi, 0C000000Dh
		jmp	short loc_8CBB40
; 

loc_8CBB55:				; CODE XREF: CmUnloadKey+129j
		mov	ecx, edx
		test	dl, 3
		jnz	short loc_8CBB75
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_8CBB67
		mov	ecx, eax

loc_8CBB67:				; CODE XREF: CmUnloadKey+18B8BDj
		nop
		mov	al, [ecx]
		mov	al, [ebp+var_D2]
		jmp	loc_7403D5
; 

loc_8CBB75:				; CODE XREF: CmUnloadKey+18B8B4j
					; CmUnloadKey+18B924j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_8CBB7A:				; CODE XREF: CmUnloadKey+13Ej
		mov	[ebp+var_108], ebx
		mov	[ebp+var_104], ebx
		mov	edx, [ebp+var_12C]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_8CBB97
		mov	edx, eax

loc_8CBB97:				; CODE XREF: CmUnloadKey+18B8EDj
		nop
		mov	ecx, [edx]
		mov	[ebp+var_108], ecx
		mov	edx, [edx+4]
		mov	[ebp+var_104], edx
		mov	eax, [ebp+var_108]
		mov	[ebp+var_DC], eax
		mov	[ebp+var_D8], edx
		movzx	eax, cx
		test	ax, ax
		jz	loc_7403FE
		test	dl, 1
		jnz	short loc_8CBB75
		lea	ecx, [edx+eax]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_8CBBE0
		cmp	ecx, edx
		jnb	loc_7403FE

loc_8CBBE0:				; CODE XREF: CmUnloadKey+18B930j
		mov	[eax], bl
		jmp	loc_7403FE
; 

loc_8CBBE7:				; CODE XREF: CmUnloadKey+180j
		mov	esi, 0C000009Ah
		mov	[ebp+var_11C], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7405A5
; 

loc_8CBBFE:				; CODE XREF: CmUnloadKey+164j
		push	ebx
		lea	eax, [ebp+var_DC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_740450
; 

loc_8CBC10:				; CODE XREF: CmUnloadKey+1D0j
		lea	eax, [ebp+var_E8]
		push	eax
		push	ebx
		push	1
		mov	ecx, [ebp+var_130]
		call	_CmConvertHandleToKernelHandle@20 ; CmConvertHandleToKernelHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7405A5
		mov	eax, [ebp+var_E8]
		mov	[ebp+var_130], eax
		jmp	loc_74047C
; 

loc_8CBC40:				; CODE XREF: CmUnloadKey+211j
		mov	esi, 0C000000Dh
		jmp	loc_7404BD
; 

loc_8CBC4A:				; CODE XREF: CmUnloadKey+2B5j
		cmp	esi, 0C0000503h
		jnz	loc_7405A5
		mov	esi, ebx
		jmp	loc_7405A5
; 

loc_8CBC5D:				; CODE XREF: CmUnloadKey+2F9j
		lea	ecx, [ebp+var_114]
		call	_CmpRetryBackOff@4 ; CmpRetryBackOff(x)
		jmp	loc_740574
; 

loc_8CBC6D:				; CODE XREF: CmUnloadKey+2D5j
		mov	esi, 0C0000189h
		jmp	loc_7405A5
; END OF FUNCTION CHUNK	FOR CmUnloadKey

;  S U B	R O U T	I N E 


sub_8CBC77	proc near		; DATA XREF: .text:006A0254o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-118h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8CBC77	endp

; 
; START	OF FUNCTION CHUNK FOR CmUnloadKey

loc_8CBC88:				; CODE XREF: CmUnloadKey+35Fj
		push	[ebp+var_E8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_74060B
; END OF FUNCTION CHUNK	FOR CmUnloadKey
; 
; START	OF FUNCTION CHUNK FOR CmpFlushNotify

loc_8CBC98:				; CODE XREF: CmpFlushNotify+45j
		cmp	[ebp+var_1], 0

loc_8CBC9C:				; CODE XREF: CmpFlushNotify+98j
		jnz	loc_7406CF
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8CBCB6
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8CBCB6:				; CODE XREF: CmpFlushNotify+18B66Dj
		mov	ecx, esi
		call	KeAbPostRelease
		jmp	loc_7406CF
; 

loc_8CBCC2:				; CODE XREF: CmpFlushNotify+3Dj
		push	[ebp+arg_0]
		push	0
		push	0
		push	10Bh
		push	ecx
		mov	ecx, edi
		call	CmpPostNotify
		mov	edi, [ebx+0Ch]
		jmp	loc_740683
; 

loc_8CBCDE:				; CODE XREF: CmpFlushNotify+7Aj
		test	al, 4
		jnz	loc_7406C0
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7406C0
; END OF FUNCTION CHUNK	FOR CmpFlushNotify
; 
; START	OF FUNCTION CHUNK FOR CmpPerformUnloadKey

loc_8CBCF2:				; CODE XREF: CmpPerformUnloadKey+9Cj
		mov	esi, 0C0000022h

loc_8CBCF7:				; CODE XREF: CmpPerformUnloadKey+AFj
					; CmpPerformUnloadKey+11Aj ...
		mov	edx, [esp+70h+var_60]
		test	dl, 4
		jnz	short loc_8CBD10
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	edx, [esp+70h+var_60]
		or	edx, 4
		mov	[esp+70h+var_60], edx

loc_8CBD10:				; CODE XREF: CmpPerformUnloadKey+18B5F0j
		test	dl, 2
		jnz	short loc_8CBD21
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		or	[esp+70h+var_60], 2

loc_8CBD21:				; CODE XREF: CmpPerformUnloadKey+18B605j
		cmp	byte ptr [esp+0Fh], 0
		jz	loc_740867
		xor	ecx, ecx
		lea	eax, [edi+430h]
		xchg	ecx, [eax]
		and	dword ptr [ebx+4], 0FFFBFFFFh
		jmp	loc_740947
; 

loc_8CBD42:				; CODE XREF: CmpPerformUnloadKey+BCj
		mov	esi, 0C0000425h
		jmp	short loc_8CBCF7
; 

loc_8CBD49:				; CODE XREF: CmpPerformUnloadKey+D4j
		test	eax, eax
		jz	short loc_8CBD5A
		test	byte ptr [edi+980h], 20h
		jnz	loc_7407E8

loc_8CBD5A:				; CODE XREF: CmpPerformUnloadKey+18B63Dj
		mov	esi, 0C0000189h
		jmp	short loc_8CBCF7
; 

loc_8CBD61:				; CODE XREF: CmpPerformUnloadKey+E7j
		mov	esi, 0C000009Ah
		jmp	short loc_8CBCF7
; 

loc_8CBD68:				; CODE XREF: CmpPerformUnloadKey+18B674j
		push	3
		pop	ecx
		call	_CmpLogUnsupportedOperation@4 ;	CmpLogUnsupportedOperation(x)

loc_8CBD70:				; CODE XREF: CmpPerformUnloadKey+139j
		mov	esi, 0C0000121h
		jmp	short loc_8CBCF7
; 

loc_8CBD77:				; CODE XREF: CmpPerformUnloadKey+289j
		add	eax, 10h
		cmp	[eax], eax
		jz	loc_74099D
		jmp	short loc_8CBD68
; 

loc_8CBD84:				; CODE XREF: CmpPerformUnloadKey+2A4j
					; CmpPerformUnloadKey+2C8j
		lea	eax, [esp+70h+var_4C]
		mov	ecx, ebx
		push	eax
		push	0Ah
		pop	edx
		call	_CmpLogTransactionAbortedForRollbackPacket@12 ;	CmpLogTransactionAbortedForRollbackPacket(x,x,x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		and	[esp+70h+var_60], 0
		lea	ecx, [esp+70h+var_4C]
		xor	edx, edx
		call	_CmpAbortRollbackPacket@8 ; CmpAbortRollbackPacket(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8CBCF7
		mov	esi, 0C000022Dh
		jmp	loc_8CBCF7
; 

loc_8CBDC1:				; CODE XREF: CmpPerformUnloadKey+1BFj
		mov	ecx, edi
		call	_CmpUnfreezeHive@4 ; CmpUnfreezeHive(x)
		inc	_CmpActiveAppHiveUnloadCount
		mov	eax, [esp+70h+var_58]
		mov	[esp+70h+var_60], eax
		jmp	loc_7408D3
; 

loc_8CBDDB:				; CODE XREF: CmpPerformUnloadKey+209j
		lea	edx, [esp+70h+var_4C]
		call	CmSnapshotRMTxArray
		mov	esi, eax
		test	esi, esi
		js	loc_8CBCF7
		lea	eax, [esp+70h+var_4C]
		mov	ecx, ebx
		push	eax
		push	9
		pop	edx
		call	_CmpLogTransactionAbortedForRollbackPacket@12 ;	CmpLogTransactionAbortedForRollbackPacket(x,x,x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		and	[esp+70h+var_60], 0
		lea	edx, [esp+70h+var_62]
		lea	ecx, [esp+70h+var_4C]
		call	_CmpAbortRollbackPacket@8 ; CmpAbortRollbackPacket(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8CBCF7
		lea	ecx, [esp+70h+var_4C]
		call	CmpCleanupRollbackPacket
		mov	esi, [esp+70h+var_3C]
		lea	edi, [esp+70h+var_4C]
		xor	eax, eax
		cmp	[esp+70h+var_62], 0
		stosd
		stosd
		stosd
		jz	short loc_8CBE4B
		mov	ecx, [esi+9A0h]
		call	_CmObliterateRMTxArray@4 ; CmObliterateRMTxArray(x)

loc_8CBE4B:				; CODE XREF: CmpPerformUnloadKey+18B730j
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	ecx, [esi+9A0h]
		xor	dl, dl
		call	_CmCloseRmHandle@8 ; CmCloseRmHandle(x,x)
		mov	ecx, [esi+9A0h]
		mov	[esp+70h+var_5C], eax
		call	_CmCloseTmHandle@8 ; CmCloseTmHandle(x,x)
		mov	edi, eax
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		mov	eax, [esp+70h+var_5C]
		test	eax, eax
		jz	short loc_8CBE81
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_8CBE81:				; CODE XREF: CmpPerformUnloadKey+18B76Bj
		test	edi, edi
		jz	short loc_8CBE8B
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_8CBE8B:				; CODE XREF: CmpPerformUnloadKey+18B775j
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	ecx, [esi+9A0h]
		mov	dl, 1
		call	_CmShutdownCmRM@8 ; CmShutdownCmRM(x,x)
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		mov	[esp+70h+var_58], 6
		jmp	loc_74091D
; END OF FUNCTION CHUNK	FOR CmpPerformUnloadKey
; 
; START	OF FUNCTION CHUNK FOR CmpUpdateSystemHiveHysteresis

loc_8CBEB1:				; CODE XREF: CmpUpdateSystemHiveHysteresis+40j
		cmp	_CmpSystemHiveHysteresisHighSeen, 0
		jnz	loc_740BF6
		cmp	_CmpSystemHiveHysteresisLowSeen, 1
		mov	_CmpSystemHiveHysteresisHighSeen, 1
		jnz	loc_740BF6
		mov	ecx, eax
		call	_CmpDoQueueSystemHiveHysteresis@4 ; CmpDoQueueSystemHiveHysteresis(x)
		cmp	al, 1
		jnz	short loc_8CBF21

loc_8CBEDD:				; CODE XREF: CmpUpdateSystemHiveHysteresis+18B339j
		mov	_CmpSystemHiveHysteresisLowSeen, 0
		jmp	loc_740BF6
; 

loc_8CBEE9:				; CODE XREF: CmpUpdateSystemHiveHysteresis+32j
		cmp	_CmpSystemHiveHysteresisLowSeen, 0
		jnz	loc_740BF6
		cmp	eax, _CmpSystemHiveHysteresisLow
		jnb	loc_740BF6
		cmp	_CmpSystemHiveHysteresisHighSeen, 1
		mov	_CmpSystemHiveHysteresisLowSeen, 1
		jnz	loc_740BF6
		mov	ecx, eax
		call	_CmpDoQueueSystemHiveHysteresis@4 ; CmpDoQueueSystemHiveHysteresis(x)
		cmp	al, 1
		jnz	short loc_8CBEDD

loc_8CBF21:				; CODE XREF: CmpUpdateSystemHiveHysteresis+18B2F5j
		mov	_CmpSystemHiveHysteresisHighSeen, 0
		jmp	loc_740BF6
; END OF FUNCTION CHUNK	FOR CmpUpdateSystemHiveHysteresis
; 
; START	OF FUNCTION CHUNK FOR CmpDoFileSetSizeEx

loc_8CBF2D:				; CODE XREF: CmpDoFileSetSizeEx+C2j
					; CmpDoFileSetSizeEx+E7j
		mov	eax, [esp+40h+var_2C]
		mov	ds:_CmRegistryIODebug, 3
		mov	ds:dword_A943F4, eax
		mov	ds:dword_A943F8, edi
		jmp	loc_740D19
; END OF FUNCTION CHUNK	FOR CmpDoFileSetSizeEx
; 
; START	OF FUNCTION CHUNK FOR CmpGetLastSetFileSize

loc_8CBF4B:				; CODE XREF: CmpGetLastSetFileSize+26j
		cmp	edx, 1
		jz	loc_740D6D
		xor	eax, eax
		xor	edx, edx
		retn
; END OF FUNCTION CHUNK	FOR CmpGetLastSetFileSize
; 
; START	OF FUNCTION CHUNK FOR CmpAdjustRequestedFileSize

loc_8CBF59:				; CODE XREF: CmpAdjustRequestedFileSize+30j
		mov	eax, [ebp+arg_8]
		jmp	loc_740E20
; 

loc_8CBF61:				; CODE XREF: CmpAdjustRequestedFileSize+94j
		cmp	eax, 1
		jz	loc_740DDB
		jmp	loc_740DEF
; END OF FUNCTION CHUNK	FOR CmpAdjustRequestedFileSize
; 
; START	OF FUNCTION CHUNK FOR HvWriteHivePrimaryFile

loc_8CBF6F:				; CODE XREF: HvWriteHivePrimaryFile+36j
		cmp	[esi+44h], ecx
		jz	loc_74123E
		mov	ecx, [esi+20h]
		mov	eax, [esi+0C8h]
		mov	[ecx+28h], eax
		mov	[ecx+2Ch], edx
		jmp	loc_74113E
; 

loc_8CBF8C:				; CODE XREF: HvWriteHivePrimaryFile+6Aj
					; HvWriteHivePrimaryFile+9Cj
		mov	edi, 0C0000001h
		jmp	loc_74121A
; 

loc_8CBF96:				; CODE XREF: HvWriteHivePrimaryFile+A4j
		imul	eax, [esi+44h],	0Ch
		push	62534D43h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_20], ebx
		test	ebx, ebx
		jnz	short loc_8CBFBA
		mov	edi, 0C0000017h
		jmp	loc_741217
; 

loc_8CBFBA:				; CODE XREF: HvWriteHivePrimaryFile+18AEBEj
		xor	edi, edi
		and	[ebp+var_1C], edi
		cmp	[esi+44h], edi
		jbe	loc_7411A6
		lea	eax, [ebx+8]
		lea	ecx, [esi+3Ch]
		mov	[ebp+var_18], eax
		mov	ebx, eax

loc_8CBFD3:				; CODE XREF: HvWriteHivePrimaryFile+18AF22j
		push	0
		lea	eax, [ebp+var_8]
		mov	edx, ecx
		push	eax
		lea	eax, [ebp+var_14]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	HvpFindNextDirtyBlock
		test	al, al
		jz	short loc_8CC014
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_10]
		mov	[ebx-8], ecx
		mov	[ebx-4], eax
		mov	eax, [ebp+var_14]
		add	ecx, eax
		mov	[ebx], eax
		inc	edi
		add	ebx, 0Ch
		mov	[ebp+var_8], ecx
		lea	ecx, [esi+3Ch]
		cmp	edi, [esi+44h]
		jb	short loc_8CBFD3

loc_8CC014:				; CODE XREF: HvWriteHivePrimaryFile+18AF00j
		mov	ebx, [ebp+var_20]
		jmp	loc_7411A6
; 

loc_8CC01C:				; CODE XREF: HvWriteHivePrimaryFile+121j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_741217
; END OF FUNCTION CHUNK	FOR HvWriteHivePrimaryFile
; 
; START	OF FUNCTION CHUNK FOR HvpFinishPrimaryWrite

loc_8CC029:				; CODE XREF: HvpFinishPrimaryWrite+24j
					; HvpFinishPrimaryWrite+37j
		cmp	[ebp+arg_4], 0
		jnz	loc_74128B
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		lea	ecx, [esi+24h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	dl, [ebp+var_2]
		mov	[ebp+var_1], 1
		jmp	loc_74128B
; 

loc_8CC04E:				; CODE XREF: HvpFinishPrimaryWrite+3Fj
		test	ebx, ebx
		jnz	loc_741297
		lea	eax, [esi+4B0h]
		mov	edx, 0C000014Dh
		push	eax
		mov	ecx, offset _REG_EVENT_FLUSH_IO_FAIL
		call	_CmpLogEvent@12	; CmpLogEvent(x,x,x)
		or	dword ptr [esi+64h], 100h
		jmp	loc_741297
; 

loc_8CC078:				; CODE XREF: HvpFinishPrimaryWrite+58j
		lea	eax, [edi+edi]
		xor	eax, ecx
		and	eax, 2
		xor	eax, ecx
		mov	[esi+9D0h], eax
		jmp	loc_7412AC
; 

loc_8CC08D:				; CODE XREF: HvpFinishPrimaryWrite+62j
		add	esi, 24h
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8CC0A4
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8CC0A4:				; CODE XREF: HvpFinishPrimaryWrite+18AE4Dj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		jmp	loc_7412B6
; END OF FUNCTION CHUNK	FOR HvpFinishPrimaryWrite
; 
; START	OF FUNCTION CHUNK FOR CmpTraceHiveFlushWrotePrimaryFile

loc_8CC0B5:				; CODE XREF: CmpTraceHiveFlushWrotePrimaryFile+3Fj
		push	4
		pop	ecx
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_28], eax
		xor	edx, edx
		lea	eax, [ebp+var_40]
		mov	[ebp+var_24], edx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		push	edx
		lea	eax, [ebp+var_38]
		mov	[ebp+var_1C], edx
		push	eax
		push	esi
		push	edi
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_74130B
; END OF FUNCTION CHUNK	FOR CmpTraceHiveFlushWrotePrimaryFile
; 
; START	OF FUNCTION CHUNK FOR HvTruncateAllLogFilesIfRequired

loc_8CC0EF:				; CODE XREF: HvTruncateAllLogFilesIfRequired+4Aj
		xor	esi, esi
		xor	edx, edx
		push	esi
		push	esi
		push	esi
		inc	edx
		jmp	short loc_8CC0FF
; 

loc_8CC0F9:				; CODE XREF: HvTruncateAllLogFilesIfRequired+26j
		push	esi
		push	esi
		push	esi
		push	5
		pop	edx

loc_8CC0FF:				; CODE XREF: HvTruncateAllLogFilesIfRequired+18ADDDj
		mov	ecx, edi
		call	CmpDoFileSetSizeEx
		jmp	loc_741346
; END OF FUNCTION CHUNK	FOR HvTruncateAllLogFilesIfRequired
; 
; START	OF FUNCTION CHUNK FOR HvValidateOrInvalidatePrimaryFileHeader

loc_8CC10B:				; CODE XREF: HvValidateOrInvalidatePrimaryFileHeader+2Fj
		push	6F494D43h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+arg_4], edi
		test	edi, edi
		jnz	short loc_8CC12B
		mov	edi, 0C0000017h
		jmp	loc_74140F
; 

loc_8CC12B:				; CODE XREF: HvValidateOrInvalidatePrimaryFileHeader+18ADB5j
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	esi, [ebx+20h]
		mov	ecx, 80h
		rep movsd
		mov	esi, [ebp+arg_4]
		add	esp, 0Ch
		mov	edi, [ebp+var_8]
		jmp	loc_7413A5
; 

loc_8CC14C:				; CODE XREF: HvValidateOrInvalidatePrimaryFileHeader+9Fj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_74140F
; END OF FUNCTION CHUNK	FOR HvValidateOrInvalidatePrimaryFileHeader
; 
; START	OF FUNCTION CHUNK FOR CmpDoReconcileNextHive

loc_8CC159:				; CODE XREF: CmpDoReconcileNextHive+11Ej
		mov	eax, [ebp+arg_0]
		mov	ecx, 989680h
		mov	byte ptr [eax],	1
		mov	eax, dword_6B15AC
		mul	ecx
		mov	edi, eax
		mov	ebx, edx
		add	edi, [esp+20h+var_C]
		adc	ebx, [esp+20h+var_8]
		jmp	loc_7414AF
; 

loc_8CC17C:				; CODE XREF: CmpDoReconcileNextHive+6Fj
					; CmpDoReconcileNextHive+79j
		mov	[esp+20h+var_10], edi
		mov	[esp+20h+var_4], ebx
		jmp	loc_7414C9
; END OF FUNCTION CHUNK	FOR CmpDoReconcileNextHive
; 
; START	OF FUNCTION CHUNK FOR HvpAddBin

loc_8CC189:				; CODE XREF: HvpAddBin+3A1j
		push	267h
		push	esi
		push	ebx
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8CC199:				; CODE XREF: HvpAddBin+1F4j
		lea	eax, [edi+40FFFh]
		and	eax, 0FFFC0000h
		sub	eax, 1000h
		mov	[ebp+var_1C], eax
		lea	esi, [eax+edx]
		sub	eax, edi
		mov	[ebp+var_24], esi
		mov	[ebp+var_14], eax
		jmp	loc_741677
; 

loc_8CC1BC:				; CODE XREF: HvpAddBin+246j
		cmp	[ebx+9D4h], esi
		mov	esi, [ebp+var_24]
		jnz	loc_74182B
		mov	[ebx+9D4h], edi
		jmp	loc_74182B
; 

loc_8CC1D6:				; CODE XREF: HvpAddBin+101j
		test	dl, dl
		jz	short loc_8CC22A
		mov	ecx, eax
		mov	[ebp+var_1], dl
		call	CmpClaimGlobalQuota
		test	al, al
		jz	loc_8CC30A
		mov	dl, [ebp+var_2]
		lea	ecx, [ebx+0A0h]
		mov	eax, [ebp+var_14]
		mov	[ebp+var_1], dl
		lea	edx, [ebp+var_18]
		push	edx
		push	eax
		mov	edx, edi
		mov	[ebp+var_2C], eax
		call	HvpViewMapPromoteRangeToMapping
		test	eax, eax
		js	loc_8CC30A
		mov	al, [ebp+var_2]
		lea	ecx, [ebx+0A0h]
		push	[ebp+var_14]
		mov	edx, edi
		mov	[ebp+var_1], al
		call	_HvpViewMapCOWAndUnsealRange@12	; HvpViewMapCOWAndUnsealRange(x,x,x)
		jmp	short loc_8CC25A
; 

loc_8CC22A:				; CODE XREF: HvpAddBin+18ABFCj
		lea	edx, [ebp+var_18]
		mov	[ebp+var_1], 0
		push	edx
		push	30324D43h
		push	ecx
		mov	edx, eax
		mov	ecx, ebx
		call	_HvpAllocateBin@20 ; HvpAllocateBin(x,x,x,x,x)
		test	eax, eax
		js	loc_8CC30A
		mov	edx, [ebp+var_14]
		push	1
		push	[ebp+var_18]
		mov	[ebp+var_1], 0
		call	_HvpProtectBin@16 ; HvpProtectBin(x,x,x,x)

loc_8CC25A:				; CODE XREF: HvpAddBin+18AC4Cj
		test	eax, eax
		js	loc_8CC30A
		push	[ebp+var_14]	; size_t
		push	0		; int
		push	[ebp+var_18]	; void *
		call	_memset
		mov	edx, [ebp+var_18]
		add	esp, 0Ch
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		mov	[edx+8], eax
		mov	eax, edi
		and	eax, 7FFFFFFFh
		mov	dword ptr [edx], 6E696268h
		mov	[edx+4], eax
		mov	eax, [ebp+var_14]
		push	31324D43h
		push	ecx
		add	eax, 0FFFFFFE0h
		mov	[edx+1Ch], ecx
		push	10h
		mov	[edx+20h], eax
		call	dword ptr [ebx+0Ch]
		mov	dl, [ebp+var_2]
		mov	ecx, eax
		mov	[ebp+var_28], ecx
		mov	[ebp+var_1], dl
		test	ecx, ecx
		jz	short loc_8CC30A
		mov	eax, [ebp+var_14]
		mov	[ecx+8], eax
		mov	[ecx+0Ch], edi
		jmp	loc_7416E3
; 

loc_8CC2C1:				; CODE XREF: HvpAddBin+192j
		push	[ebp+var_28]
		add	eax, edi
		sub	edx, edi
		push	[ebp+var_34]
		mov	ecx, ebx
		push	eax
		push	edx
		mov	edx, [ebp+var_18]
		call	HvpPointMapEntriesToBuffer
		mov	eax, [ebp+var_30]
		add	eax, 258h
		add	eax, ebx
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_7419C5
		mov	edx, [ebp+var_28]
		mov	[edx+4], eax
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	[eax], edx
		mov	eax, [ebp+var_34]
		mov	edx, [ebp+var_1C]
		mov	byte ptr [ebp+var_34], al
		mov	eax, [ebp+var_14]
		jmp	loc_74177A
; 

loc_8CC30A:				; CODE XREF: HvpAddBin+12Aj
					; HvpAddBin+143j ...
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, ebx
		call	_HvpAdjustHiveFreeDisplay@12 ; HvpAdjustHiveFreeDisplay(x,x,x)
		mov	esi, [ebp+var_24]

loc_8CC319:				; CODE XREF: HvpAddBin+E0j
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		push	edi
		push	esi
		call	_HvpShrinkMap@16 ; HvpShrinkMap(x,x,x,x)
		cmp	[ebp+var_4], 0
		mov	eax, [ebp+var_30]
		mov	[eax+ebx+0C8h],	edi
		jz	short loc_8CC371
		mov	eax, [ebx+30h]
		lea	ecx, [ebx+2Ch]
		shr	edi, 9
		mov	[ecx], edi
		mov	[ecx+4], eax
		mov	esi, [ebx+34h]
		push	ecx
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	[ebx+34h], eax
		mov	ecx, offset _CmpDirtySectorCount
		sub	eax, esi
		lock xadd [ecx], eax
		mov	eax, [ebx+40h]
		lea	ecx, [ebx+3Ch]
		push	ecx
		mov	[ecx], edi
		mov	[ecx+4], eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	edi, [ebp+var_38]
		mov	[ebx+44h], eax

loc_8CC371:				; CODE XREF: HvpAddBin+18AD57j
		cmp	[ebp+var_1], 0
		jz	short loc_8CC384
		lea	ecx, [ebx+0A0h]
		mov	edx, edi
		call	_HvpViewMapShrinkStorage@8 ; HvpViewMapShrinkStorage(x,x)

loc_8CC384:				; CODE XREF: HvpAddBin+18AD99j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_8CC3A7
		cmp	[ebp+var_2], 0
		jnz	short loc_8CC3A7
		mov	esi, [ebp+var_1C]
		sub	esi, edi
		push	ecx
		mov	edx, esi
		mov	ecx, eax
		call	_CmpProtectPool@12 ; CmpProtectPool(x,x,x)
		push	esi
		push	[ebp+var_18]
		call	dword ptr [ebx+10h]

loc_8CC3A7:				; CODE XREF: HvpAddBin+18ADADj
					; HvpAddBin+18ADB3j
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_8CC3B4
		push	10h
		push	eax
		call	dword ptr [ebx+10h]

loc_8CC3B4:				; CODE XREF: HvpAddBin+18ADD0j
		mov	edi, [ebp+var_20]
		test	edi, edi
		jz	short loc_8CC3D6
		cmp	[ebp+var_2], 0
		jnz	short loc_8CC3D6
		mov	esi, [ebp+var_24]
		sub	esi, [ebp+var_1C]
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	_CmpProtectPool@12 ; CmpProtectPool(x,x,x)
		push	esi
		push	edi
		call	dword ptr [ebx+10h]

loc_8CC3D6:				; CODE XREF: HvpAddBin+18ADDDj
					; HvpAddBin+18ADE3j
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jz	loc_7419B2
		mov	ecx, eax
		call	CmpReleaseGlobalQuota
		mov	edi, [ebp+var_3C]
		jmp	loc_74199C
; 

loc_8CC3F0:				; CODE XREF: HvpAddBin+3CAj
		imul	eax, [ebp+arg_0], 19Ch
		add	eax, 258h
		add	eax, ebx
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_7419C5
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[ecx+4], edi
		mov	[eax], edi
		jmp	loc_7419B2
; END OF FUNCTION CHUNK	FOR HvpAddBin
; 
; START	OF FUNCTION CHUNK FOR HvpExpandMap

loc_8CC418:				; CODE XREF: HvpExpandMap+2Fj
		test	esi, esi
		jnz	short loc_8CC478
		imul	ecx, edx, 19Ch
		lea	edx, [ebx+0D0h]
		add	edx, ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+arg_0], edx
		cmp	[ecx+ebx+0CCh],	edx
		jnz	short loc_8CC478
		push	38314D43h
		push	edi
		push	1000h
		call	dword ptr [ebx+0Ch]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_741AA4
		push	1000h		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	ecx, [ebp+var_8]
		mov	eax, [eax]
		mov	[ecx], eax
		mov	eax, [ebp+var_C]
		mov	[eax+ebx+0CCh],	ecx
		mov	eax, [ebp+arg_4]

loc_8CC478:				; CODE XREF: HvpExpandMap+18A9FEj
					; HvpExpandMap+18AA1Bj
		imul	ecx, [ebp+var_4], 19Ch
		inc	esi
		push	eax
		push	esi
		mov	[ebp+arg_0], ecx
		mov	edx, [ecx+ebx+0CCh]
		mov	ecx, ebx
		call	_HvpAllocateMap@16 ; HvpAllocateMap(x,x,x,x)
		test	al, al
		jnz	loc_741A51
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		push	[ebp+arg_4]
		mov	edi, 0C0000017h
		push	esi
		mov	edx, [edx+ebx+0CCh]
		call	_HvpFreeMap@16	; HvpFreeMap(x,x,x,x)
		jmp	loc_741A51
; END OF FUNCTION CHUNK	FOR HvpExpandMap
; 
; START	OF FUNCTION CHUNK FOR CmpCanGrowHive

loc_8CC4BA:				; CODE XREF: CmpCanGrowHive+52j
		cmp	ds:_CmpSystemQuotaWarningPopupDisplayed, 0
		jnz	loc_741AC1
		cmp	_ExReadyForErrors, 0
		jz	loc_741AC1
		push	20204D43h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_741AC1
		and	dword ptr [eax], 0
		push	1
		push	eax
		mov	ds:_CmpSystemQuotaWarningPopupDisplayed, 1
		mov	dword ptr [eax+8], offset _CmpQuotaWarningWorker@4 ; CmpQuotaWarningWorker(x)
		mov	[eax+0Ch], eax
		call	ExQueueWorkItem
		jmp	loc_741AC1
; END OF FUNCTION CHUNK	FOR CmpCanGrowHive
; 
; START	OF FUNCTION CHUNK FOR CmpGenerateFlushControlData

loc_8CC50E:				; CODE XREF: CmpGenerateFlushControlData+58j
		or	ebx, 82h
		mov	[esi], ebx
		jmp	loc_741B96
; 

loc_8CC51B:				; CODE XREF: CmpGenerateFlushControlData+C7j
		or	dword ptr [esi], 2
		jmp	loc_741C4F
; 

loc_8CC523:				; CODE XREF: CmpGenerateFlushControlData+D7j
		mov	ebx, [esi]
		mov	ecx, edi
		mov	eax, ebx
		or	eax, 2
		mov	[esi], eax
		call	_HvIsCurrentLogSwappable@4 ; HvIsCurrentLogSwappable(x)
		test	al, al
		jz	short loc_8CC53C
		or	ebx, 22h
		jmp	short loc_8CC53F
; 

loc_8CC53C:				; CODE XREF: CmpGenerateFlushControlData+18A9FDj
		or	ebx, 42h

loc_8CC53F:				; CODE XREF: CmpGenerateFlushControlData+18AA02j
		mov	[esi], ebx
		jmp	loc_741C15
; 

loc_8CC546:				; CODE XREF: CmpGenerateFlushControlData+CFj
		or	dword ptr [esi], 42h
		jmp	loc_741C15
; 

loc_8CC54E:				; CODE XREF: CmpGenerateFlushControlData+1DFj
		or	ebx, 504h
		mov	[esi], ebx
		jmp	loc_741C23
; 

loc_8CC55B:				; CODE XREF: CmpGenerateFlushControlData+1F5j
		or	ebx, 5
		test	byte ptr [ebp+arg_0], 4
		mov	[esi], ebx
		jz	loc_741C20
		or	ebx, 400h
		jmp	loc_741D36
; END OF FUNCTION CHUNK	FOR CmpGenerateFlushControlData
; 
; START	OF FUNCTION CHUNK FOR HvGetEffectiveLogSizeCapForHive

loc_8CC575:				; CODE XREF: HvGetEffectiveLogSizeCapForHive+48j
		cmp	ecx, 80000h
		jb	loc_741E80
		cmp	ecx, eax
		jnb	loc_741E80
		mov	eax, ecx
		jmp	loc_741E80
; END OF FUNCTION CHUNK	FOR HvGetEffectiveLogSizeCapForHive
; 
; START	OF FUNCTION CHUNK FOR HvGetHiveLogFileStatus

loc_8CC590:				; CODE XREF: HvGetHiveLogFileStatus+58j
					; HvGetHiveLogFileStatus+64j
		mov	al, 1
		jmp	loc_741F04
; 

loc_8CC597:				; CODE XREF: HvGetHiveLogFileStatus+7Ej
		or	edx, 4
		mov	[esi], edx
		jmp	loc_741F1C
; 

loc_8CC5A1:				; CODE XREF: HvGetHiveLogFileStatus+88j
		or	edx, 8
		mov	[esi], edx
		jmp	loc_741F26
; END OF FUNCTION CHUNK	FOR HvGetHiveLogFileStatus
; 
; START	OF FUNCTION CHUNK FOR HvpGenerateLogEntry

loc_8CC5AB:				; CODE XREF: HvpGenerateLogEntry+8Cj
		mov	esi, 0C0000017h
		jmp	loc_742113
; 

loc_8CC5B5:				; CODE XREF: HvpGenerateLogEntry+14Bj
		test	edi, edi
		jz	short loc_8CC5D5
		lea	esi, [ebx+4]

loc_8CC5BC:				; CODE XREF: HvpGenerateLogEntry+18A611j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_8CC5CD
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0

loc_8CC5CD:				; CODE XREF: HvpGenerateLogEntry+18A5FEj
		add	esi, 0Ch
		sub	edi, 1
		jnz	short loc_8CC5BC

loc_8CC5D5:				; CODE XREF: HvpGenerateLogEntry+18A5F5j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_24]
		jmp	loc_742113
; END OF FUNCTION CHUNK	FOR HvpGenerateLogEntry
; 
; START	OF FUNCTION CHUNK FOR HvpGenerateLogEntryChecksums

loc_8CC5E5:				; CODE XREF: HvpGenerateLogEntryChecksums+57j
		lea	edi, [ebx+10h]
		lea	ebx, [eax-1]

loc_8CC5EB:				; CODE XREF: HvpGenerateLogEntryChecksums+18A4D0j
		push	dword ptr [edi+4] ; int
		mov	edx, [edi]	; void *
		lea	ecx, [ebp+var_28] ; int
		call	@SymCryptMarvin32Append@12 ; SymCryptMarvin32Append(x,x,x)
		lea	edi, [edi+0Ch]
		sub	ebx, 1
		jnz	short loc_8CC5EB
		jmp	loc_74218B
; END OF FUNCTION CHUNK	FOR HvpGenerateLogEntryChecksums
; 
; START	OF FUNCTION CHUNK FOR HvFreeHivePartial

loc_8CC605:				; CODE XREF: HvFreeHivePartial+62j
		xor	ecx, ecx
		jmp	loc_742322
; 

loc_8CC60C:				; CODE XREF: HvFreeHivePartial+6Cj
		mov	ecx, [ebp+var_4]
		jmp	loc_742351
; 

loc_8CC614:				; CODE XREF: HvFreeHivePartial+A1j
		call	CmpReleaseGlobalQuota
		jmp	loc_742378
; 

loc_8CC61E:				; CODE XREF: HvFreeHivePartial+139j
		push	dword ptr [ebx+0C8h]
		mov	edi, esi
		mov	ecx, ebx
		and	edi, 7FFFFFFFh
		mov	edx, edi
		call	CmpUpdateSystemHiveHysteresis
		test	dword ptr [ebx+64h], 20000h
		jz	loc_7423F7
		lea	ecx, [ebx+0A0h]
		mov	edx, edi
		call	_HvpViewMapShrinkStorage@8 ; HvpViewMapShrinkStorage(x,x)
		jmp	loc_7423F7
; 

loc_8CC654:				; CODE XREF: HvFreeHivePartial+156j
		add	ebx, 2Ch
		shr	esi, 9
		mov	[ebp+var_18], esi
		mov	eax, [ebp+var_18]
		mov	esi, [ebx]
		sub	esi, eax
		push	esi
		push	eax
		push	ebx
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	edi, [ebp+var_C]
		push	esi
		mov	esi, [ebp+var_18]
		add	edi, 3Ch
		push	esi
		push	edi
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	ecx, [ebp+var_C]
		push	ebx
		mov	eax, [ecx+30h]
		mov	[ebx], esi
		mov	[ebx+4], eax
		mov	eax, [ecx+40h]
		mov	[edi], esi
		mov	[edi+4], eax
		mov	esi, [ecx+34h]
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	ebx, [ebp+var_C]
		push	edi
		mov	[ebx+34h], eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	[ebx+44h], eax
		mov	ecx, offset _CmpDirtySectorCount
		mov	eax, [ebx+34h]
		sub	eax, esi
		lock xadd [ecx], eax
		mov	eax, [ebp+var_10]
		mov	edx, [eax+ebx+0C8h]
		mov	eax, [ebp+arg_0]
		jmp	loc_742414
; 

loc_8CC6C8:				; CODE XREF: HvFreeHivePartial+D9j
		push	19Eh
		jmp	short loc_8CC6D4
; 

loc_8CC6CF:				; CODE XREF: HvFreeHivePartial+57j
		push	165h

loc_8CC6D4:				; CODE XREF: HvFreeHivePartial+18A415j
		push	edi
		push	ebx
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8CC6E0:				; CODE XREF: HvStoreModifiedData+52j
					; HvStoreModifiedData+6Cj
		xor	esi, esi
		inc	esi
		jmp	loc_7425D9
; END OF FUNCTION CHUNK	FOR HvFreeHivePartial
; 
; START	OF FUNCTION CHUNK FOR HvStoreModifiedData

loc_8CC6E8:				; CODE XREF: HvStoreModifiedData+8Fj
		push	2
		pop	esi
		jmp	loc_7425D9
; 

loc_8CC6F0:				; CODE XREF: HvStoreModifiedData+C4j
		mov	edi, [ebp+var_30]
		mov	ebx, [ebp+var_2C]
		push	2
		pop	esi
		mov	[ebp+var_C], edi
		jmp	loc_7425A5
; 

loc_8CC701:				; CODE XREF: HvStoreModifiedData+1C7j
					; HvStoreModifiedData+213j ...
		push	2
		pop	esi
		jmp	loc_74259F
; 

loc_8CC709:				; CODE XREF: HvStoreModifiedData+176j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7425B0
; 

loc_8CC716:				; CODE XREF: HvStoreModifiedData+17Ej
		test	edi, edi
		jz	short loc_8CC73F
		mov	eax, [ebp+var_C]
		lea	edi, [ebx+4]

loc_8CC720:				; CODE XREF: HvStoreModifiedData+18A309j
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_8CC734
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0
		mov	eax, [ebp+var_C]

loc_8CC734:				; CODE XREF: HvStoreModifiedData+18A2F0j
		add	edi, 0Ch
		sub	eax, 1
		mov	[ebp+var_C], eax
		jnz	short loc_8CC720

loc_8CC73F:				; CODE XREF: HvStoreModifiedData+18A2E4j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7425B8
; 

loc_8CC74C:				; CODE XREF: HvStoreModifiedData+189j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7425C3
; 

loc_8CC759:				; CODE XREF: HvStoreModifiedData+194j
		cmp	[ebp+var_14], 0
		jbe	short loc_8CC77E
		lea	edi, [ebx+4]
		mov	ebx, [ebp+var_14]

loc_8CC765:				; CODE XREF: HvStoreModifiedData+18A345j
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_8CC773
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8CC773:				; CODE XREF: HvStoreModifiedData+18A335j
		add	edi, 0Ch
		sub	ebx, 1
		jnz	short loc_8CC765
		mov	ebx, [ebp+var_24]

loc_8CC77E:				; CODE XREF: HvStoreModifiedData+18A329j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7425CE
; 

loc_8CC78B:				; CODE XREF: HvStoreModifiedData+19Fj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7425D9
; END OF FUNCTION CHUNK	FOR HvStoreModifiedData
; 
; START	OF FUNCTION CHUNK FOR CmpCleanupRollbackPacket

loc_8CC798:				; CODE XREF: CmpCleanupRollbackPacket+Aj
					; CmpCleanupRollbackPacket+18A002j
		mov	ecx, [edi+8]
		mov	ecx, [ecx+esi*4]
		test	ecx, ecx
		jz	short loc_8CC7AF
		test	cl, 1
		jz	short loc_8CC7AA
		and	ecx, 0FFFFFFFEh

loc_8CC7AA:				; CODE XREF: CmpCleanupRollbackPacket+189FF5j
		call	ObfDereferenceObject

loc_8CC7AF:				; CODE XREF: CmpCleanupRollbackPacket+189FF0j
		inc	esi
		cmp	esi, [edi]
		jb	short loc_8CC798
		jmp	loc_7427C0
; END OF FUNCTION CHUNK	FOR CmpCleanupRollbackPacket
; 
; START	OF FUNCTION CHUNK FOR CmpWorkerEngineWorker

loc_8CC7B9:				; CODE XREF: CmpWorkerEngineWorker+52j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7427DC
; END OF FUNCTION CHUNK	FOR CmpWorkerEngineWorker
; 
; START	OF FUNCTION CHUNK FOR CmpVolumeContextDecrementRefCount

loc_8CC7C6:				; CODE XREF: CmpVolumeContextDecrementRefCount+14j
		jz	short loc_8CC7CD
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8CC7CD:				; CODE XREF: CmpVolumeContextDecrementRefCount:loc_8CC7C6j
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		or	eax, 0FFFFFFFFh
		mov	edx, eax
		lock xadd [ebx], edx
		dec	edx
		test	edx, edx
		jg	short loc_8CC7EB
		jz	short loc_8CC806
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8CC7EB:				; CODE XREF: CmpVolumeContextDecrementRefCount+189F80j
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8CC7FC
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8CC7FC:				; CODE XREF: CmpVolumeContextDecrementRefCount+189F91j
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	KeAbPostRelease
; 

loc_8CC806:				; CODE XREF: CmpVolumeContextDecrementRefCount+189F82j
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_8CC842
		mov	edx, [esi+4]
		cmp	[edx], esi
		jnz	short loc_8CC842
		mov	[edx], ecx
		mov	[ecx+4], edx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8CC82A
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8CC82A:				; CODE XREF: CmpVolumeContextDecrementRefCount+189FBFj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, esi
		call	_CmpVolumeContextCleanup@4 ; CmpVolumeContextCleanup(x)
		pop	edi
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	_CmpFreePool@4	; CmpFreePool(x)
; 

loc_8CC842:				; CODE XREF: CmpVolumeContextDecrementRefCount+189FA9j
					; CmpVolumeContextDecrementRefCount+189FB0j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8CC847:				; CODE XREF: CmpRecordRMRecoveryMode+11j
		mov	edx, [esi+20h]
		add	eax, 8
		mov	ecx, [edx+90h]
		cmp	[eax], eax
		jnz	short loc_8CC85C
		and	ecx, 0FFFFFFFEh
		jmp	short loc_8CC861
; 

loc_8CC85C:				; CODE XREF: CmpVolumeContextDecrementRefCount+189FF3j
		xor	ebx, ebx
		inc	ebx
		or	ecx, ebx

loc_8CC861:				; CODE XREF: CmpVolumeContextDecrementRefCount+189FF8j
		mov	[edx+90h], ecx
		mov	ecx, esi
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)
		jmp	loc_7428A9
; END OF FUNCTION CHUNK	FOR CmpVolumeContextDecrementRefCount
; 
; START	OF FUNCTION CHUNK FOR CmpTraceHiveUnloadStart

loc_8CC873:				; CODE XREF: CmpTraceHiveUnloadStart+41j
		mov	eax, [ebx+4]
		xor	ecx, ecx
		mov	[ebp+var_5C], ecx
		mov	edx, ecx
		test	eax, eax
		jz	short loc_8CC891
		mov	[ebp+var_48], eax
		inc	edx
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], ecx

loc_8CC891:				; CODE XREF: CmpTraceHiveUnloadStart+189FCFj
		mov	esi, [ebp+var_60]
		lea	ebx, [ebp+var_5C]
		mov	eax, edx
		add	eax, eax
		inc	edx
		push	2
		mov	[ebp+eax*8+var_48], ebx
		pop	ebx
		mov	[ebp+eax*8+var_44], ecx
		mov	[ebp+eax*8+var_40], ebx
		mov	[ebp+eax*8+var_3C], ecx
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_8CC8D2
		mov	ecx, edx
		add	ecx, ecx
		and	[ebp+ecx*8+var_44], 0
		and	[ebp+ecx*8+var_3C], 0
		inc	edx
		mov	[ebp+ecx*8+var_48], eax
		movzx	eax, word ptr [esi]
		mov	[ebp+ecx*8+var_40], eax
		xor	ecx, ecx

loc_8CC8D2:				; CODE XREF: CmpTraceHiveUnloadStart+18A004j
		mov	eax, edx
		lea	esi, [ebp+var_5C]
		add	eax, eax
		mov	[ebp+eax*8+var_48], esi
		mov	[ebp+eax*8+var_44], ecx
		mov	[ebp+eax*8+var_40], ebx
		mov	[ebp+eax*8+var_3C], ecx
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [edx+1]
		push	eax
		push	ecx
		lea	eax, [ebp+var_58]
		push	eax
		push	edi
		push	[ebp+var_64]
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_7428F7
; END OF FUNCTION CHUNK	FOR CmpTraceHiveUnloadStart
; 
; START	OF FUNCTION CHUNK FOR CmpLateUnloadHiveWorker

loc_8CC904:				; CODE XREF: CmpLateUnloadHiveWorker+4Fj
		push	17h
		jmp	short loc_8CC90C
; 

loc_8CC908:				; CODE XREF: CmpLateUnloadHiveWorker+60j
		push	18h
		mov	ecx, ebx

loc_8CC90C:				; CODE XREF: CmpLateUnloadHiveWorker+189F4Ej
		pop	edx
		call	_CmpLogUnload@8	; CmpLogUnload(x,x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		jmp	short loc_8CC923
; 

loc_8CC91E:				; CODE XREF: CmpLateUnloadHiveWorker+189FA5j
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_8CC923:				; CODE XREF: CmpLateUnloadHiveWorker+189F64j
					; CmpLateUnloadHiveWorker+189FA3j
		mov	ecx, ebx
		call	_CmpDereferenceHive@4 ;	CmpDereferenceHive(x)
		jmp	loc_742AAA
; 

loc_8CC92F:				; CODE XREF: CmpLateUnloadHiveWorker+6Dj
		push	19h
		pop	edx
		mov	ecx, ebx
		call	_CmpLogUnload@8	; CmpLogUnload(x,x)
		jmp	loc_742A94
; 

loc_8CC93E:				; CODE XREF: CmpLateUnloadHiveWorker+9Aj
		test	byte ptr [ebx+980h], 20h
		jz	short loc_8CC94C
		call	CmpDecrementAppHiveUnloadCount

loc_8CC94C:				; CODE XREF: CmpLateUnloadHiveWorker+189F8Dj
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		cmp	[esp+30h+var_21], 0
		jz	short loc_8CC923
		jmp	short loc_8CC91E
; END OF FUNCTION CHUNK	FOR CmpLateUnloadHiveWorker
; 
; START	OF FUNCTION CHUNK FOR CmpTraceHiveUnloadStop

loc_8CC95F:				; CODE XREF: CmpTraceHiveUnloadStop+3Cj
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_10], 4
		mov	[ebp+var_18], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], ecx
		push	eax
		push	1
		push	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_C], ecx
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_742CE2
; END OF FUNCTION CHUNK	FOR CmpTraceHiveUnloadStop
; 
; START	OF FUNCTION CHUNK FOR CmpInitializeActualFileSizes

loc_8CC98B:				; CODE XREF: CmpInitializeActualFileSizes+29j
		push	edi
		xor	edx, edx
		call	_CmpLogFailureToGetFileSize@12 ; CmpLogFailureToGetFileSize(x,x,x)
		jmp	loc_74316B
; 

loc_8CC998:				; CODE XREF: CmpInitializeActualFileSizes+45j
		mov	eax, [esi+20h]
		mov	eax, [eax+28h]
		add	eax, 1000h

loc_8CC9A3:				; CODE XREF: CmpInitializeActualFileSizes+54j
					; CmpInitializeActualFileSizes+5Cj
		and	dword ptr [esi+494h], 0
		mov	[esi+490h], eax
		jmp	loc_7430FC
; 

loc_8CC9B5:				; CODE XREF: CmpInitializeActualFileSizes+E8j
		xor	edx, edx
		push	eax
		inc	edx
		call	_CmpLogFailureToGetFileSize@12 ; CmpLogFailureToGetFileSize(x,x,x)
		xor	eax, eax
		xor	ecx, ecx
		jmp	loc_74318E
; 

loc_8CC9C7:				; CODE XREF: CmpInitializeActualFileSizes+8Fj
		push	eax
		push	4
		pop	edx
		call	_CmpLogFailureToGetFileSize@12 ; CmpLogFailureToGetFileSize(x,x,x)
		xor	eax, eax
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ecx
		jmp	loc_743135
; 

loc_8CC9DF:				; CODE XREF: CmpInitializeActualFileSizes+B7j
		push	eax
		push	5
		pop	edx
		call	_CmpLogFailureToGetFileSize@12 ; CmpLogFailureToGetFileSize(x,x,x)
		xor	eax, eax
		xor	ecx, ecx
		jmp	loc_74315D
; END OF FUNCTION CHUNK	FOR CmpInitializeActualFileSizes
; 
; START	OF FUNCTION CHUNK FOR CmpTraceHiveMountBaseFileMounted

loc_8CC9F1:				; CODE XREF: CmpTraceHiveMountBaseFileMounted+3Dj
		xor	eax, eax
		lea	edx, [ebp+var_50]
		xor	esi, esi
		mov	[ebp+var_50], eax
		mov	ecx, ebx
		mov	[ebp+var_4C], esi
		call	CmpQueryNameString
		test	eax, eax
		js	loc_743245
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_38], eax
		movzx	eax, word ptr [ebp+var_50]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	esi
		lea	eax, [ebp+var_48]
		mov	[ebp+var_34], esi
		push	eax
		push	ds:dword_A93DD4
		mov	[ebp+var_2C], esi
		push	ds:_EtwpRegTraceHandle
		mov	[ebp+var_54], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], 2
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	loc_743245
; END OF FUNCTION CHUNK	FOR CmpTraceHiveMountBaseFileMounted
; 
; START	OF FUNCTION CHUNK FOR HvLoadHive

loc_8CCA73:				; CODE XREF: HvLoadHive+2DCj
		push	8
		push	eax
		push	6
		xor	edx, edx
		mov	ecx, edi
		call	SetFailureLocation
		jmp	loc_7432ED
; 

loc_8CCA86:				; CODE XREF: HvLoadHive+B8j
		push	0
		jmp	short loc_8CCA8C
; 

loc_8CCA8A:				; CODE XREF: HvLoadHive+18992Fj
		push	30h

loc_8CCA8C:				; CODE XREF: HvLoadHive+189834j
		mov	eax, 0C000009Ah
		jmp	short loc_8CCA9A
; 

loc_8CCA93:				; CODE XREF: HvLoadHive+159j
					; HvLoadHive+161j
		mov	eax, 0C000014Ch
		push	70h

loc_8CCA9A:				; CODE XREF: HvLoadHive+18983Dj
					; HvLoadHive+189877j
		mov	esi, eax
		push	eax
		jmp	loc_8CCD88
; 

loc_8CCAA2:				; CODE XREF: HvLoadHive+C1j
		mov	esi, 0C000014Dh
		push	8
		jmp	loc_8CCD87
; 

loc_8CCAAE:				; CODE XREF: HvLoadHive+C9j
		mov	esi, 0C000015Ch
		push	10h
		jmp	loc_8CCD87
; 

loc_8CCABA:				; CODE XREF: HvLoadHive+D2j
					; HvLoadHive+DBj
		cmp	dword ptr [ebx+68h], 0
		jnz	loc_743335
		mov	eax, 0C000014Ch
		push	20h
		jmp	short loc_8CCA9A
; 

loc_8CCACD:				; CODE XREF: HvLoadHive+F6j
		and	[ebp+var_98], 0
		jmp	short loc_8CCADF
; 

loc_8CCAD6:				; CODE XREF: HvLoadHive+EDj
		mov	eax, [eax+8]
		mov	[ebp+var_98], eax

loc_8CCADF:				; CODE XREF: HvLoadHive+189880j
		mov	[ebp+var_EC], ebx
		cmp	[ebx+68h], edx
		jnz	short loc_8CCB10
		lea	eax, [ebp+var_EC]
		mov	[ebp+var_E0], edx
		mov	esi, edx
		mov	[ebp+var_C8], edx
		mov	[ebp+var_C4], offset _HvpRecoverDataReadRoutine@16 ; HvpRecoverDataReadRoutine(x,x,x,x)
		mov	[ebp+var_C0], eax
		jmp	short loc_8CCB68
; 

loc_8CCB10:				; CODE XREF: HvLoadHive+189894j
		push	2
		pop	esi
		push	4
		pop	eax
		mov	[ebp+var_E0], eax
		mov	edx, offset _HvpRecoverDataReadRoutine@16 ; HvpRecoverDataReadRoutine(x,x,x,x)
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_EC]
		mov	[ebp+var_C4], edx
		mov	[ebp+var_B8], edx
		xor	edx, edx
		mov	[ebp+var_C0], eax
		inc	edx
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_DC], ebx
		mov	[ebp+var_D0], 5
		mov	[ebp+var_BC], 5
		mov	[ebp+var_B4], eax

loc_8CCB68:				; CODE XREF: HvLoadHive+1898BAj
		cmp	ecx, 4
		jnz	short loc_8CCB92
		push	34334D43h
		push	edx
		push	1000h
		call	dword ptr [ebx+0Ch]
		mov	[ebp+var_9C], eax
		test	eax, eax
		jz	loc_8CCA8A
		mov	byte ptr [ebp+var_94], 1
		jmp	short loc_8CCB9F
; 

loc_8CCB92:				; CODE XREF: HvLoadHive+189917j
		mov	eax, [ebp+var_9C]
		mov	byte ptr [ebp+var_94], 0

loc_8CCB9F:				; CODE XREF: HvLoadHive+18993Cj
		mov	edx, [ebp+var_98]
		lea	ecx, [ebp+var_A8]
		push	eax
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_AC]
		push	eax
		lea	eax, [ebp+var_C8]
		push	eax
		push	esi
		push	[ebp+var_94]
		call	_HvAnalyzeLogFiles@32 ;	HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_8CCBDA
		push	38h
		jmp	loc_8CCD87
; 

loc_8CCBDA:				; CODE XREF: HvLoadHive+18997Dj
		cmp	[ebp+var_B0], 4
		jnz	short loc_8CCBFE
		or	word ptr [ebx+90h], 40h
		xor	ecx, ecx
		mov	eax, [ebp+var_9C]
		mov	[ebp+var_9C], ecx
		jmp	loc_743350
; 

loc_8CCBFE:				; CODE XREF: HvLoadHive+18998Dj
		mov	eax, [ebp+var_8C]
		jmp	loc_743350
; 

loc_8CCC09:				; CODE XREF: HvLoadHive+14Bj
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_8CCC1F
		test	byte ptr _CmpBootType, 6
		jz	loc_7433A5

loc_8CCC1F:				; CODE XREF: HvLoadHive+1899BCj
		cmp	dword_6B2348, 5
		jbe	loc_8CCCCB
		push	2000h
		push	0
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_8CCCCB
		mov	eax, [ebp+var_98]
		xor	ecx, ecx
		add	eax, 1000h
		mov	[ebp+var_34], ecx
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_A0]
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_94]
		push	4
		pop	edx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	ecx
		push	ecx
		push	offset word_41A8EA
		push	offset dword_6B2348
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_A8], 1000000h
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	esi, [ebx+20h]

loc_8CCCCB:				; CODE XREF: HvLoadHive+1899D2j
					; HvLoadHive+1899EBj
		or	dword ptr [esi+0FF8h], 4
		mov	ecx, [ebp+var_A0]
		mov	eax, [ebx+20h]
		add	ecx, 0FFFFF000h
		and	ecx, 0FFFFF000h
		mov	[eax+28h], ecx
		mov	esi, [ebx+20h]
		jmp	loc_7433A5
; 

loc_8CCCF2:				; CODE XREF: HvLoadHive+172j
		push	84h
		jmp	loc_8CCD87
; 

loc_8CCCFC:				; CODE XREF: HvLoadHive+1BEj
		push	88h
		push	esi
		jmp	loc_8CCD8A
; 

loc_8CCD07:				; CODE XREF: HvLoadHive+1D5j
		push	8Ch
		jmp	short loc_8CCD87
; 

loc_8CCD0E:				; CODE XREF: HvLoadHive+181j
		mov	eax, [ebx+20h]
		push	ecx
		push	dword ptr [eax+28h]
		push	ecx
		mov	ecx, ebx
		call	_HvpMapHiveImageFromFile@20 ; HvpMapHiveImageFromFile(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_74342F
		push	90h
		jmp	short loc_8CCD87
; 

loc_8CCD2E:				; CODE XREF: HvLoadHive+1F4j
		push	edi
		lea	eax, [ebp+var_88]
		mov	ecx, ebx
		push	eax
		call	_HvpPerformLogFileRecovery@16 ;	HvpPerformLogFileRecovery(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_8CCD4A
		push	0A0h
		jmp	short loc_8CCD87
; 

loc_8CCD4A:				; CODE XREF: HvLoadHive+189AEDj
		mov	edx, [ebx+20h]
		mov	[ebp+var_8D], 1
		jmp	loc_743464
; 

loc_8CCD59:				; CODE XREF: HvLoadHive+220j
		push	0B0h
		jmp	short loc_8CCD87
; 

loc_8CCD60:				; CODE XREF: HvLoadHive+236j
		mov	al, 1
		jmp	loc_74349E
; 

loc_8CCD67:				; CODE XREF: HvLoadHive+23Ej
		push	0C0h
		jmp	short loc_8CCD87
; 

loc_8CCD6E:				; CODE XREF: HvLoadHive+251j
					; HvLoadHive+259j
		mov	esi, ecx
		jmp	loc_7434B5
; 

loc_8CCD75:				; CODE XREF: HvLoadHive+269j
		or	eax, 10000h
		mov	[ebx+64h], eax
		jmp	loc_7434C3
; 

loc_8CCD82:				; CODE XREF: HvLoadHive+12Ej
		push	80h

loc_8CCD87:				; CODE XREF: HvLoadHive+189855j
					; HvLoadHive+189861j ...
		push	esi

loc_8CCD88:				; CODE XREF: HvLoadHive+189849j
		xor	edx, edx

loc_8CCD8A:				; CODE XREF: HvLoadHive+189AAEj
		push	6
		mov	ecx, edi
		call	SetFailureLocation
		jmp	loc_7434D6
; END OF FUNCTION CHUNK	FOR HvLoadHive
; 
; START	OF FUNCTION CHUNK FOR HvpGetHiveHeader

loc_8CCD98:				; CODE XREF: HvpGetHiveHeader+4Dj
					; HvpGetHiveHeader+18985Fj
		push	7
		jmp	short loc_8CCDAC
; 

loc_8CCD9C:				; CODE XREF: HvpGetHiveHeader+189877j
		mov	ecx, [ebp+arg_0]
		mov	eax, [esi+14h]
		push	4
		mov	[ecx], eax
		mov	eax, [esi+18h]
		mov	[ecx+4], eax

loc_8CCDAC:				; CODE XREF: HvpGetHiveHeader+189824j
		pop	edi

loc_8CCDAD:				; CODE XREF: HvpGetHiveHeader+E9j
		push	dword ptr [ebx+48h]
		push	esi
		call	dword ptr [ebx+10h]
		jmp	loc_74364B
; 

loc_8CCDB9:				; CODE XREF: HvpGetHiveHeader+59j
					; HvpGetHiveHeader+6Cj	...
		mov	eax, [ebx+4Ch]
		shl	eax, 9
		push	eax
		push	esi
		push	edi
		push	0
		push	ebx
		call	dword ptr [ebx+18h]
		cmp	eax, 0C0000011h
		jz	loc_74365D
		test	eax, eax
		js	short loc_8CCD98
		cmp	dword ptr [esi], 6E696268h
		jnz	loc_74365D
		cmp	dword ptr [esi+4], 0
		jnz	loc_74365D
		jmp	short loc_8CCD9C
; END OF FUNCTION CHUNK	FOR HvpGetHiveHeader
; 
; START	OF FUNCTION CHUNK FOR HvCheckAndUpdateHiveBackupTimeStamp

loc_8CCDEF:				; CODE XREF: HvCheckAndUpdateHiveBackupTimeStamp+10j
		push	13D4h
		push	0
		push	esi
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8CCE01:				; CODE XREF: HvpTruncateBins+5Fj
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredExclusiveLite
		test	al, al
		jz	loc_7439FD
		jmp	loc_743A0A
; END OF FUNCTION CHUNK	FOR HvCheckAndUpdateHiveBackupTimeStamp
; 
; START	OF FUNCTION CHUNK FOR HvpTruncateBins

loc_8CCE18:				; CODE XREF: HvpTruncateBins+3Dj
		push	138Fh
		push	[ebp+var_8]
		push	ebx
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8CCE2B:				; CODE XREF: CmpMarkIndexDirty+76j
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	short loc_8CCE6E
; END OF FUNCTION CHUNK	FOR HvpTruncateBins
; 
; START	OF FUNCTION CHUNK FOR CmpMarkIndexDirty

loc_8CCE35:				; CODE XREF: CmpMarkIndexDirty+47j
		mov	byte ptr [ebp+var_14], bl
		lea	ebx, [edi+4Ch]
		mov	word ptr [ebp+var_1C], ax
		mov	word ptr [ebp+var_1C+2], ax
		mov	[ebp+var_18], ebx
		jmp	loc_743B45
; 

loc_8CCE4B:				; CODE XREF: CmpMarkIndexDirty+FAj
					; CmpMarkIndexDirty+177j
		test	edi, edi
		jz	loc_743C0B
		lea	eax, [ebp+var_2C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_743C0B
; 

loc_8CCE60:				; CODE XREF: CmpMarkIndexDirty+A4j
					; CmpMarkIndexDirty+15Dj
		cmp	byte ptr [ebp+var_14], 0
		jz	short loc_8CCE6E
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8CCE6E:				; CODE XREF: CmpMarkIndexDirty+39j
					; HvpTruncateBins+18949Bj ...
		xor	al, al
		jmp	loc_743BE8
; END OF FUNCTION CHUNK	FOR CmpMarkIndexDirty
; 
; START	OF FUNCTION CHUNK FOR CmpFreeKeyBody

loc_8CCE75:				; CODE XREF: CmpFreeKeyBody+3Aj
		mov	edx, [edi+30h]
		mov	ecx, esi
		call	HvFreeCell
		jmp	loc_743D5C
; END OF FUNCTION CHUNK	FOR CmpFreeKeyBody
; 
; START	OF FUNCTION CHUNK FOR HvpInitMap

loc_8CCE84:				; CODE XREF: HvpInitMap+2Cj
		mov	ebx, 0C000014Ch
		push	0
		push	ebx
		jmp	short loc_8CCE9B
; 

loc_8CCE8E:				; CODE XREF: HvpInitMap+70j
		mov	ecx, [ebp+var_4]
		mov	eax, 0C0000017h
		push	10h
		mov	ebx, eax
		push	eax

loc_8CCE9B:				; CODE XREF: HvpInitMap+188AA8j
		xor	edx, edx
		push	5
		call	SetFailureLocation
		jmp	loc_8CCF3B
; 

loc_8CCEA9:				; CODE XREF: HvpInitMap+39j
		mov	[ebp+var_8], ebx
		jmp	loc_74442C
; 

loc_8CCEB1:				; CODE XREF: HvpInitMap+59j
		push	4
		pop	edi
		jmp	loc_744443
; 

loc_8CCEB9:				; CODE XREF: HvpInitMap+84j
		mov	eax, 0C0000017h
		jmp	short loc_8CCEC5
; 

loc_8CCEC0:				; CODE XREF: HvpInitMap+D9j
		mov	eax, 0C000009Ah

loc_8CCEC5:				; CODE XREF: HvpInitMap+188ADAj
		push	20h
		jmp	short loc_8CCED0
; 

loc_8CCEC9:				; CODE XREF: HvpInitMap+11Ej
		mov	eax, 0C000009Ah
		push	30h

loc_8CCED0:				; CODE XREF: HvpInitMap+188AE3j
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		push	eax
		push	5
		mov	ebx, eax
		call	SetFailureLocation
		jmp	short loc_8CCF11
; 

loc_8CCEE1:				; CODE XREF: HvpInitMap+144j
		mov	ecx, [ebp+var_4]
		mov	eax, 0C000009Ah
		push	40h
		push	eax
		push	5
		xor	edx, edx
		mov	ebx, eax
		call	SetFailureLocation
		push	[ebp+var_8]
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		push	0
		call	_HvpFreeMap@16	; HvpFreeMap(x,x,x,x)
		push	1000h
		push	[ebp+var_10]
		call	dword ptr [esi+10h]

loc_8CCF11:				; CODE XREF: HvpInitMap+188AFBj
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_8CCF26
		cmp	[esi+30h], eax
		jnz	short loc_8CCF21
		and	dword ptr [esi+30h], 0

loc_8CCF21:				; CODE XREF: HvpInitMap+188B37j
		push	edi
		push	eax
		call	dword ptr [esi+10h]

loc_8CCF26:				; CODE XREF: HvpInitMap+188B32j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_8CCF3B
		cmp	[esi+40h], eax
		jnz	short loc_8CCF36
		and	dword ptr [esi+40h], 0

loc_8CCF36:				; CODE XREF: HvpInitMap+188B4Cj
		push	edi
		push	eax
		call	dword ptr [esi+10h]

loc_8CCF3B:				; CODE XREF: HvpInitMap+188AC0j
					; HvpInitMap+188B47j
		mov	eax, ebx
		jmp	loc_7444E9
; END OF FUNCTION CHUNK	FOR HvpInitMap
; 
; START	OF FUNCTION CHUNK FOR CmpAddSecurityCellToCache

loc_8CCF42:				; CODE XREF: CmpAddSecurityCellToCache+172j
		mov	[edi+4CCh], esi
		mov	[edi+4C4h], eax
		jmp	short loc_8CCF58
; 

loc_8CCF50:				; CODE XREF: CmpAddSecurityCellToCache+60j
					; CmpAddSecurityCellToCache+75j
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_8CCF58:				; CODE XREF: CmpAddSecurityCellToCache+51j
					; CmpAddSecurityCellToCache+188A1Cj
		mov	eax, 0C000009Ah
		jmp	loc_744654
; 

loc_8CCF62:				; CODE XREF: CmpAddSecurityCellToCache+238j
					; CmpAddSecurityCellToCache+241j
		push	edx
		push	esi
		call	_CmSiGetMemoryAllocationGranularity@0 ;	CmSiGetMemoryAllocationGranularity()
		mov	ecx, eax
		xor	eax, eax
		push	eax
		pop	edx
		neg	ecx
		adc	eax, edx
		and	ecx, [ebp+var_10]
		neg	eax
		and	eax, edx
		lea	edx, [ebp+var_14]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_18]
		call	HvpViewMapCreateView
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	loc_8CD2DE
		mov	ecx, [ebp+var_18]
		xor	eax, eax
		push	eax
		push	[ebp+var_8]
		push	esi
		mov	esi, [ebp+var_14]
		mov	edx, esi
		push	eax
		push	[ebp+var_10]
		call	HvpViewMapMakeViewRangeValid
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	loc_8CD2E1
		mov	ecx, [ebp+var_10]
		xor	eax, eax
		mov	[ebp+var_1C], eax
		xor	esi, esi
		mov	eax, [ebp+var_8]
		mov	edx, ecx
		cmp	esi, eax
		ja	loc_8CD060
		jb	short loc_8CCFD7
		cmp	ecx, [ebp+arg_0]
		jnb	loc_8CD060

loc_8CCFD7:				; CODE XREF: CmpAddSecurityCellToCache+188A9Aj
					; CmpAddSecurityCellToCache+188B1Ej ...
		test	byte ptr [ebx+4], 1
		mov	esi, [ebx]
		jz	short loc_8CCFEB
		test	esi, esi
		jz	short loc_8CCFE7
		xor	esi, ebx
		jmp	short loc_8CCFEB
; 

loc_8CCFE7:				; CODE XREF: CmpAddSecurityCellToCache+188AAFj
		xor	eax, eax
		mov	esi, eax

loc_8CCFEB:				; CODE XREF: CmpAddSecurityCellToCache+188AABj
					; CmpAddSecurityCellToCache+188AB3j
		movzx	ecx, byte ptr [ebx+4]
		and	ecx, 1
		test	esi, esi
		jz	short loc_8CD02D
		mov	ebx, [ebp+var_1C]

loc_8CCFF9:				; CODE XREF: CmpAddSecurityCellToCache+188AF6j
		cmp	ebx, [esi+24h]
		jl	short loc_8CD016
		jg	short loc_8CD005
		cmp	edx, [esi+20h]
		jb	short loc_8CD016

loc_8CD005:				; CODE XREF: CmpAddSecurityCellToCache+188ACCj
		cmp	ebx, [esi+2Ch]
		jl	short loc_8CD02A
		jg	short loc_8CD011
		cmp	edx, [esi+28h]
		jb	short loc_8CD02A

loc_8CD011:				; CODE XREF: CmpAddSecurityCellToCache+188AD8j
		mov	eax, [esi+4]
		jmp	short loc_8CD018
; 

loc_8CD016:				; CODE XREF: CmpAddSecurityCellToCache+188ACAj
					; CmpAddSecurityCellToCache+188AD1j
		mov	eax, [esi]

loc_8CD018:				; CODE XREF: CmpAddSecurityCellToCache+188AE2j
		test	ecx, ecx
		jz	short loc_8CD024
		test	eax, eax
		jz	short loc_8CD024
		xor	esi, eax
		jmp	short loc_8CD026
; 

loc_8CD024:				; CODE XREF: CmpAddSecurityCellToCache+188AE8j
					; CmpAddSecurityCellToCache+188AECj
		mov	esi, eax

loc_8CD026:				; CODE XREF: CmpAddSecurityCellToCache+188AF0j
		test	esi, esi
		jnz	short loc_8CCFF9

loc_8CD02A:				; CODE XREF: CmpAddSecurityCellToCache+188AD6j
					; CmpAddSecurityCellToCache+188ADDj
		mov	ebx, [ebp+var_4]

loc_8CD02D:				; CODE XREF: CmpAddSecurityCellToCache+188AC2j
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_18]
		push	esi
		call	_HvpViewMapMigrateCOWData@12 ; HvpViewMapMigrateCOWData(x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	loc_8CD2DE
		mov	eax, [esi+2Ch]
		mov	edx, [esi+28h]
		mov	[ebp+var_1C], eax
		cmp	eax, [ebp+var_8]
		jl	short loc_8CCFD7
		jg	short loc_8CD05D
		cmp	edx, [ebp+arg_0]
		jb	loc_8CCFD7

loc_8CD05D:				; CODE XREF: CmpAddSecurityCellToCache+188B20j
		mov	eax, [ebp+var_8]

loc_8CD060:				; CODE XREF: CmpAddSecurityCellToCache+188A94j
					; CmpAddSecurityCellToCache+188A9Fj
		mov	edx, [ebp+arg_0]
		mov	esi, [ebx]
		sub	edx, 1
		push	0
		pop	ecx
		sbb	eax, ecx
		test	byte ptr [ebx+4], 1
		mov	[ebp+var_20], eax
		jz	short loc_8CD080
		test	esi, esi
		jz	short loc_8CD07E
		xor	esi, ebx
		jmp	short loc_8CD080
; 

loc_8CD07E:				; CODE XREF: CmpAddSecurityCellToCache+188B46j
		mov	esi, ecx

loc_8CD080:				; CODE XREF: CmpAddSecurityCellToCache+188B42j
					; CmpAddSecurityCellToCache+188B4Aj
		movzx	ecx, byte ptr [ebx+4]
		and	ecx, 1
		test	esi, esi
		jz	short loc_8CD0C2
		mov	ebx, [ebp+var_20]

loc_8CD08E:				; CODE XREF: CmpAddSecurityCellToCache+188B8Bj
		cmp	ebx, [esi+24h]
		jl	short loc_8CD0AB
		jg	short loc_8CD09A
		cmp	edx, [esi+20h]
		jb	short loc_8CD0AB

loc_8CD09A:				; CODE XREF: CmpAddSecurityCellToCache+188B61j
		cmp	ebx, [esi+2Ch]
		jl	short loc_8CD0BF
		jg	short loc_8CD0A6
		cmp	edx, [esi+28h]
		jb	short loc_8CD0BF

loc_8CD0A6:				; CODE XREF: CmpAddSecurityCellToCache+188B6Dj
		mov	eax, [esi+4]
		jmp	short loc_8CD0AD
; 

loc_8CD0AB:				; CODE XREF: CmpAddSecurityCellToCache+188B5Fj
					; CmpAddSecurityCellToCache+188B66j
		mov	eax, [esi]

loc_8CD0AD:				; CODE XREF: CmpAddSecurityCellToCache+188B77j
		test	ecx, ecx
		jz	short loc_8CD0B9
		test	eax, eax
		jz	short loc_8CD0B9
		xor	esi, eax
		jmp	short loc_8CD0BB
; 

loc_8CD0B9:				; CODE XREF: CmpAddSecurityCellToCache+188B7Dj
					; CmpAddSecurityCellToCache+188B81j
		mov	esi, eax

loc_8CD0BB:				; CODE XREF: CmpAddSecurityCellToCache+188B85j
		test	esi, esi
		jnz	short loc_8CD08E

loc_8CD0BF:				; CODE XREF: CmpAddSecurityCellToCache+188B6Bj
					; CmpAddSecurityCellToCache+188B72j
		mov	ebx, [ebp+var_4]

loc_8CD0C2:				; CODE XREF: CmpAddSecurityCellToCache+188B57j
		mov	ecx, [edi+2Ch]
		mov	eax, [edi+28h]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], ecx
		cmp	ecx, [esi+24h]
		jg	loc_8CD181
		jge	loc_8CD178

loc_8CD0DD:				; CODE XREF: CmpAddSecurityCellToCache+188C3Ej
					; CmpAddSecurityCellToCache+188C49j
		test	byte ptr [ebx+4], 1
		mov	ebx, [ebx]
		jz	short loc_8CD0F4
		test	ebx, ebx
		jz	short loc_8CD0F0
		mov	eax, [ebp+var_4]
		xor	ebx, eax
		jmp	short loc_8CD0F7
; 

loc_8CD0F0:				; CODE XREF: CmpAddSecurityCellToCache+188BB5j
		xor	eax, eax
		mov	ebx, eax

loc_8CD0F4:				; CODE XREF: CmpAddSecurityCellToCache+188BB1j
		mov	eax, [ebp+var_4]

loc_8CD0F7:				; CODE XREF: CmpAddSecurityCellToCache+188BBCj
		movzx	edx, byte ptr [eax+4]
		and	edx, 1
		test	ebx, ebx
		jz	short loc_8CD13F
		mov	eax, [ebp+var_1C]
		mov	edi, [ebp+var_20]

loc_8CD108:				; CODE XREF: CmpAddSecurityCellToCache+188C05j
		cmp	edi, [ebx+24h]
		jl	short loc_8CD125
		jg	short loc_8CD114
		cmp	eax, [ebx+20h]
		jb	short loc_8CD125

loc_8CD114:				; CODE XREF: CmpAddSecurityCellToCache+188BDBj
		cmp	edi, [ebx+2Ch]
		jl	short loc_8CD139
		jg	short loc_8CD120
		cmp	eax, [ebx+28h]
		jb	short loc_8CD139

loc_8CD120:				; CODE XREF: CmpAddSecurityCellToCache+188BE7j
		mov	ecx, [ebx+4]
		jmp	short loc_8CD127
; 

loc_8CD125:				; CODE XREF: CmpAddSecurityCellToCache+188BD9j
					; CmpAddSecurityCellToCache+188BE0j
		mov	ecx, [ebx]

loc_8CD127:				; CODE XREF: CmpAddSecurityCellToCache+188BF1j
		test	edx, edx
		jz	short loc_8CD133
		test	ecx, ecx
		jz	short loc_8CD133
		xor	ebx, ecx
		jmp	short loc_8CD135
; 

loc_8CD133:				; CODE XREF: CmpAddSecurityCellToCache+188BF7j
					; CmpAddSecurityCellToCache+188BFBj
		mov	ebx, ecx

loc_8CD135:				; CODE XREF: CmpAddSecurityCellToCache+188BFFj
		test	ebx, ebx
		jnz	short loc_8CD108

loc_8CD139:				; CODE XREF: CmpAddSecurityCellToCache+188BE5j
					; CmpAddSecurityCellToCache+188BECj
		mov	edi, [ebp+var_C]
		mov	eax, [ebp+var_4]

loc_8CD13F:				; CODE XREF: CmpAddSecurityCellToCache+188BCEj
		push	ebx
		push	eax
		call	RtlRbRemoveNode
		mov	eax, [ebp+var_24]
		lea	ecx, [ebp+var_28]
		cmp	[eax], ecx
		jnz	loc_8CD2D9
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	[ebp+var_24], ebx
		mov	ecx, [ebx+2Ch]
		mov	eax, [ebx+28h]
		mov	ebx, [ebp+var_4]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], ecx
		cmp	ecx, [esi+24h]
		jl	loc_8CD0DD
		jg	short loc_8CD181

loc_8CD178:				; CODE XREF: CmpAddSecurityCellToCache+188BA5j
		cmp	eax, [esi+20h]
		jb	loc_8CD0DD

loc_8CD181:				; CODE XREF: CmpAddSecurityCellToCache+188B9Fj
					; CmpAddSecurityCellToCache+188C44j
		mov	ecx, [ebp+var_10]
		cmp	[edi+20h], ecx
		jnz	short loc_8CD1B4
		xor	edx, edx
		cmp	[edi+24h], edx
		jnz	short loc_8CD1B4
		push	edi
		push	ebx
		call	RtlRbRemoveNode
		mov	eax, [ebp+var_24]
		lea	ecx, [ebp+var_28]
		cmp	[eax], ecx
		jnz	loc_8CD2D9
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[ebp+var_24], edi
		mov	edi, [ebp+var_18]
		jmp	short loc_8CD1CA
; 

loc_8CD1B4:				; CODE XREF: CmpAddSecurityCellToCache+188C55j
					; CmpAddSecurityCellToCache+188C5Cj
		push	dword ptr [edi+2Ch]
		xor	eax, eax
		mov	edx, edi
		push	dword ptr [edi+28h]
		mov	edi, [ebp+var_18]
		push	eax
		push	ecx
		mov	ecx, edi
		call	_HvpViewMapMakeViewRangeInvalid@24 ; HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)

loc_8CD1CA:				; CODE XREF: CmpAddSecurityCellToCache+188C80j
		mov	ecx, [ebp+arg_0]
		cmp	[esi+28h], ecx
		jnz	short loc_8CD1FB
		mov	eax, [esi+2Ch]
		cmp	eax, [ebp+var_8]
		jnz	short loc_8CD1FB
		push	esi
		push	ebx
		call	RtlRbRemoveNode
		mov	eax, [ebp+var_24]
		lea	ecx, [ebp+var_28]
		cmp	[eax], ecx
		jnz	loc_8CD2D9
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ebp+var_24], esi
		jmp	short loc_8CD20E
; 

loc_8CD1FB:				; CODE XREF: CmpAddSecurityCellToCache+188C9Ej
					; CmpAddSecurityCellToCache+188CA6j
		push	[ebp+var_8]
		mov	edx, esi
		push	ecx
		push	dword ptr [esi+24h]
		mov	ecx, edi
		push	dword ptr [esi+20h]
		call	_HvpViewMapMakeViewRangeInvalid@24 ; HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)

loc_8CD20E:				; CODE XREF: CmpAddSecurityCellToCache+188CC7j
		test	byte ptr [ebx+4], 1
		mov	eax, [ebx]
		jz	short loc_8CD220
		test	eax, eax
		jz	short loc_8CD21E
		xor	eax, ebx
		jmp	short loc_8CD220
; 

loc_8CD21E:				; CODE XREF: CmpAddSecurityCellToCache+188CE6j
		xor	eax, eax

loc_8CD220:				; CODE XREF: CmpAddSecurityCellToCache+188CE2j
					; CmpAddSecurityCellToCache+188CEAj
		movzx	edx, byte ptr [ebx+4]
		xor	ecx, ecx
		and	edx, 1
		mov	byte ptr [ebp+arg_0], cl
		test	eax, eax
		jz	short loc_8CD275
		mov	ecx, [ebp+var_14]
		mov	esi, [ecx+20h]
		mov	edi, [ecx+24h]

loc_8CD239:				; CODE XREF: CmpAddSecurityCellToCache+188D3Cj
		cmp	edi, [eax+24h]
		jl	short loc_8CD25C
		jg	short loc_8CD245
		cmp	esi, [eax+20h]
		jb	short loc_8CD25C

loc_8CD245:				; CODE XREF: CmpAddSecurityCellToCache+188D0Cj
		mov	ecx, [eax+4]
		test	edx, edx
		jz	short loc_8CD252
		test	ecx, ecx
		jz	short loc_8CD256
		xor	ecx, eax

loc_8CD252:				; CODE XREF: CmpAddSecurityCellToCache+188D18j
		test	ecx, ecx
		jnz	short loc_8CD26C

loc_8CD256:				; CODE XREF: CmpAddSecurityCellToCache+188D1Cj
		mov	byte ptr [ebp+arg_0], 1
		jmp	short loc_8CD275
; 

loc_8CD25C:				; CODE XREF: CmpAddSecurityCellToCache+188D0Aj
					; CmpAddSecurityCellToCache+188D11j
		mov	ecx, [eax]
		test	edx, edx
		jz	short loc_8CD268
		test	ecx, ecx
		jz	short loc_8CD270
		xor	ecx, eax

loc_8CD268:				; CODE XREF: CmpAddSecurityCellToCache+188D2Ej
		test	ecx, ecx
		jz	short loc_8CD270

loc_8CD26C:				; CODE XREF: CmpAddSecurityCellToCache+188D22j
		mov	eax, ecx
		jmp	short loc_8CD239
; 

loc_8CD270:				; CODE XREF: CmpAddSecurityCellToCache+188D32j
					; CmpAddSecurityCellToCache+188D38j
		xor	ecx, ecx
		mov	byte ptr [ebp+arg_0], cl

loc_8CD275:				; CODE XREF: CmpAddSecurityCellToCache+188CFCj
					; CmpAddSecurityCellToCache+188D28j
		mov	edi, [ebp+var_14]
		push	edi
		push	[ebp+arg_0]
		push	eax
		push	ebx
		call	RtlRbInsertNodeEx
		jmp	short loc_8CD29F
; 

loc_8CD285:				; CODE XREF: CmpAddSecurityCellToCache+188D8Cj
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_8CD298
		push	eax
		mov	eax, [ebp+var_18]
		mov	edx, [eax+18h]
		call	_CmSiUnmapViewOfSection@12 ; CmSiUnmapViewOfSection(x,x,x)

loc_8CD298:				; CODE XREF: CmpAddSecurityCellToCache+188D58j
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_8CD29F:				; CODE XREF: CmpAddSecurityCellToCache+188D51j
		mov	esi, [ebp+var_28]
		lea	eax, [ebp+var_28]
		cmp	[esi+4], eax
		jnz	short loc_8CD2D9
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_8CD2D9
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_28], eax
		mov	[eax+4], ecx
		mov	eax, ecx
		cmp	esi, eax
		jnz	short loc_8CD285
		mov	ecx, [edi+30h]
		mov	eax, [ebp+arg_4]
		sub	ecx, [edi+10h]
		add	ecx, [ebp+var_10]
		mov	[eax], ecx
		xor	ecx, ecx
		mov	eax, ecx
		mov	esi, ecx
		mov	[ebp+var_1C], eax
		jmp	short loc_8CD2E1
; 

loc_8CD2D9:				; CODE XREF: CmpAddSecurityCellToCache+188C1Cj
					; CmpAddSecurityCellToCache+188C6Dj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8CD2DE:				; CODE XREF: CmpAddSecurityCellToCache+188A5Aj
					; CmpAddSecurityCellToCache+188B0Cj
		mov	esi, [ebp+var_14]

loc_8CD2E1:				; CODE XREF: CmpAddSecurityCellToCache+188A7Dj
					; CmpAddSecurityCellToCache+188DA5j
		test	esi, esi
		jz	loc_744789
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_8CD2FC
		push	eax
		mov	eax, [ebp+var_18]
		mov	edx, [eax+18h]
		call	_CmSiUnmapViewOfSection@12 ; CmSiUnmapViewOfSection(x,x,x)

loc_8CD2FC:				; CODE XREF: CmpAddSecurityCellToCache+188DBCj
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)
		mov	eax, [ebp+var_1C]
		jmp	loc_744789
; END OF FUNCTION CHUNK	FOR CmpAddSecurityCellToCache
; 
; START	OF FUNCTION CHUNK FOR CmpFreeKeyByCell

loc_8CD30B:				; CODE XREF: CmpFreeKeyByCell+4Aj
		mov	edi, 0C000017Dh
		jmp	loc_744988
; 

loc_8CD315:				; CODE XREF: CmpFreeKeyByCell+78j
					; CmpFreeKeyByCell+8Ej	...
		mov	edi, 0C000009Ah
		jmp	loc_744980
; 

loc_8CD31F:				; CODE XREF: CmpFreeKeyByCell+120j
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_744988
; END OF FUNCTION CHUNK	FOR CmpFreeKeyByCell
; 
; START	OF FUNCTION CHUNK FOR CmpAddSubKeyToList

loc_8CD32C:				; CODE XREF: CmpAddSubKeyToList+49j
		lea	ecx, [edi+4Ch]
		mov	[ebp+var_5], bl
		mov	word ptr [ebp+var_24], ax
		mov	word ptr [ebp+var_24+2], ax
		mov	[ebp+var_20], ecx
		jmp	loc_744C9B
; 

loc_8CD342:				; CODE XREF: CmpAddSubKeyToList+C4j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		push	eax
		mov	eax, [ebp+arg_0]
		mov	ecx, esi
		shr	eax, 1Fh
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_CmpSelectLeaf@20 ; CmpSelectLeaf(x,x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	loc_744CD1
		jmp	loc_744CF6
; 

loc_8CD369:				; CODE XREF: CmpAddSubKeyToList+114j
		lea	eax, [ebp+var_2C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_744D1E
; END OF FUNCTION CHUNK	FOR CmpAddSubKeyToList
; 
; START	OF FUNCTION CHUNK FOR CmpAddValueToListEx

loc_8CD376:				; CODE XREF: CmpAddValueToListEx+5Bj
		mov	eax, [edx+esi*4-4]
		mov	[edx+esi*4], eax
		dec	esi
		jmp	loc_744D81
; END OF FUNCTION CHUNK	FOR CmpAddValueToListEx
; 
; START	OF FUNCTION CHUNK FOR CmpSetValueDataNew

loc_8CD383:				; CODE XREF: CmpSetValueDataNew+EEj
		mov	edx, [ebp+arg_0]

loc_8CD386:				; CODE XREF: CmpSetValueDataNew+126j
		test	edx, edx
		jz	short loc_8CD3C2
		movzx	eax, word ptr [edi+2]
		mov	ecx, eax
		jmp	short loc_8CD3B5
; 

loc_8CD392:				; CODE XREF: CmpSetValueDataNew+18849Cj
		movzx	ecx, cx
		mov	eax, ecx
		mov	edx, [edx+ecx*4]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_8CD3AA
		mov	ecx, esi
		call	HvFreeCell
		movzx	eax, word ptr [edi+2]

loc_8CD3AA:				; CODE XREF: CmpSetValueDataNew+188481j
		mov	edx, [ebp+arg_0]
		dec	eax
		mov	[edi+2], ax
		movzx	ecx, ax

loc_8CD3B5:				; CODE XREF: CmpSetValueDataNew+188474j
		test	ax, ax
		jnz	short loc_8CD392
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_8CD3C2:				; CODE XREF: CmpSetValueDataNew+18846Cj
		mov	edx, [edi+4]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_8CD3D1
		mov	ecx, esi
		call	HvFreeCell

loc_8CD3D1:				; CODE XREF: CmpSetValueDataNew+1884ACj
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	ebx, [ebp+arg_8]
		mov	ecx, esi
		mov	edx, [ebx]
		call	HvFreeCell
		or	dword ptr [ebx], 0FFFFFFFFh

loc_8CD3E8:				; CODE XREF: CmpSetValueDataNew+53j
					; CmpSetValueDataNew+A8j
		mov	eax, 0C000009Ah
		jmp	loc_744F8C
; END OF FUNCTION CHUNK	FOR CmpSetValueDataNew
; 
; START	OF FUNCTION CHUNK FOR HvpFindNextDirtyBlock

loc_8CD3F2:				; CODE XREF: HvpFindNextDirtyBlock+1A4j
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		jmp	loc_745187
; 

loc_8CD3FD:				; CODE XREF: HvpFindNextDirtyBlock+6Aj
		push	1287h
		push	esi
		jmp	short loc_8CD40B
; 

loc_8CD405:				; CODE XREF: HvpFindNextDirtyBlock+109j
		push	12F1h
		push	ebx

loc_8CD40B:				; CODE XREF: HvpFindNextDirtyBlock+188365j
		push	[ebp+var_4]
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8CD417:				; CODE XREF: HvpFindNextDirtyBlock+C7j
		mov	edx, esi
		mov	[ebp+arg_4], esi
		jmp	loc_74516B
; END OF FUNCTION CHUNK	FOR HvpFindNextDirtyBlock
; 
; START	OF FUNCTION CHUNK FOR HvpPointMapEntriesToBuffer

loc_8CD421:				; CODE XREF: HvpPointMapEntriesToBuffer+2Ej
		push	20Ah
		push	ebx
		push	[ebp+var_4]
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8CD434:				; CODE XREF: CmpSetValueKeyNew+57j
		mov	edx, edi
		mov	ecx, esi
		call	_CmpFreeValue@8	; CmpFreeValue(x,x)

loc_8CD43D:				; CODE XREF: CmpSetValueKeyNew+3Dj
		mov	eax, 0C000009Ah
		jmp	loc_74556B
; END OF FUNCTION CHUNK	FOR HvpPointMapEntriesToBuffer
; 
; START	OF FUNCTION CHUNK FOR CmpAddValueKeyNew

loc_8CD447:				; CODE XREF: CmpAddValueKeyNew+87j
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		call	HvFreeCell
		or	esi, 0FFFFFFFFh
		jmp	loc_745613
; END OF FUNCTION CHUNK	FOR CmpAddValueKeyNew
; 
; START	OF FUNCTION CHUNK FOR CmpCopyName

loc_8CD459:				; CODE XREF: CmpCopyName+29j
		movzx	eax, dx
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		mov	ax, [ebx]
		add	esp, 0Ch
		jmp	loc_745697
; END OF FUNCTION CHUNK	FOR CmpCopyName
; 
; START	OF FUNCTION CHUNK FOR HvFreeCell

loc_8CD46F:				; CODE XREF: HvFreeCell+34j
		push	62Eh
		push	esi
		push	edi
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8CD47F:				; CODE XREF: HvFreeCell+4Dj
		mov	edx, ebx
		mov	ecx, edi
		call	_HvClearBinTrimStatus@8	; HvClearBinTrimStatus(x,x)
		mov	ecx, [ebp+var_4]
		jmp	loc_7457B3
; END OF FUNCTION CHUNK	FOR HvFreeCell
; 
; START	OF FUNCTION CHUNK FOR HvHiveCleanup

loc_8CD490:				; CODE XREF: HvHiveCleanup+1BCj
		call	_CmpFreeBootRegistry@0 ; CmpFreeBootRegistry()
		jmp	loc_745A3D
; 

loc_8CD49A:				; CODE XREF: HvHiveCleanup+EEj
		xor	ebx, ebx
		jmp	loc_745A54
; END OF FUNCTION CHUNK	FOR HvHiveCleanup
; 
; START	OF FUNCTION CHUNK FOR CmpReleaseGlobalQuota

loc_8CD4A1:				; CODE XREF: CmpReleaseGlobalQuota+6j
		push	0
		push	0
		push	1
		push	0Dh
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8CD4B1:				; CODE XREF: HvpSetRangeProtection+5Aj
		mov	eax, 1000h
		sub	edi, eax
		mov	esi, eax
		jmp	loc_745B7D
; END OF FUNCTION CHUNK	FOR CmpReleaseGlobalQuota
; 
; START	OF FUNCTION CHUNK FOR HvpSetRangeProtection

loc_8CD4BF:				; CODE XREF: HvpSetRangeProtection+27j
		xor	eax, eax

loc_8CD4C1:				; CODE XREF: HvpSetRangeProtection+E0j
		cmp	[ebp+arg_4], 4
		jz	loc_745C10
		jmp	loc_745B7B
; 

loc_8CD4D0:				; CODE XREF: HvpSetRangeProtection+49j
		push	40Ch
		push	ebx
		push	esi
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8CD4E1:				; CODE XREF: HvpRemapAndEnlistHiveBins+2Bj
		mov	eax, ecx
		mov	[ebp+var_10], ecx
		jmp	loc_745C91
; END OF FUNCTION CHUNK	FOR HvpSetRangeProtection
; 
; START	OF FUNCTION CHUNK FOR HvpRemapAndEnlistHiveBins

loc_8CD4EB:				; CODE XREF: HvpRemapAndEnlistHiveBins+6Bj
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_8CD4FD
		test	byte ptr _CmpBootType, 6
		jz	short loc_8CD551

loc_8CD4FD:				; CODE XREF: HvpRemapAndEnlistHiveBins+1878A0j
		push	0
		push	1000h
		mov	edx, edi
		mov	ecx, ebx
		call	HvpMarkDirty
		test	al, al
		jz	short loc_8CD55B
		push	1000h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, edi
		mov	dword ptr [esi+8], 1000h
		add	esp, 0Ch
		mov	dword ptr [esi], 6E696268h
		and	eax, 7FFFFFFFh
		mov	dword ptr [esi+20h], 0FE0h
		mov	[esi+4], eax
		mov	[ebp+var_1], 1
		jmp	loc_745CC3
; 

loc_8CD548:				; CODE XREF: HvpRemapAndEnlistHiveBins+90j
		mov	[ebp+var_1], 1
		jmp	loc_745CEC
; 

loc_8CD551:				; CODE XREF: HvpRemapAndEnlistHiveBins+1878A9j
					; HvpRemapAndEnlistHiveBins+187947j
		mov	esi, 0C000014Ch
		jmp	loc_745D16
; 

loc_8CD55B:				; CODE XREF: HvpRemapAndEnlistHiveBins+1878BDj
					; HvpRemapAndEnlistHiveBins+18795Bj
		mov	esi, 0C000009Ah
		jmp	loc_745D16
; 

loc_8CD565:				; CODE XREF: HvpRemapAndEnlistHiveBins+ABj
		mov	edx, edi
		mov	ecx, ebx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		push	[ebp+var_14]
		mov	edx, edi
		mov	[ebp+var_10], eax
		mov	esi, [eax+4]
		and	esi, 0FFFFFFF0h
		mov	ecx, esi
		mov	[ebp+var_20], esi
		call	_HvpValidateLoadedBin@12 ; HvpValidateLoadedBin(x,x,x)
		test	al, al
		jnz	short loc_8CD5E1
		cmp	ds:_CmpSelfHeal, al
		jnz	short loc_8CD59B
		test	byte ptr _CmpBootType, 6
		jz	short loc_8CD551

loc_8CD59B:				; CODE XREF: HvpRemapAndEnlistHiveBins+18793Ej
		push	0
		push	1000h
		mov	edx, edi
		mov	ecx, ebx
		call	HvpMarkDirty
		test	al, al
		jz	short loc_8CD55B
		push	1000h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, edi
		mov	dword ptr [esi+8], 1000h
		add	esp, 0Ch
		mov	dword ptr [esi], 6E696268h
		and	eax, 7FFFFFFFh
		mov	dword ptr [esi+20h], 0FE0h
		mov	[esi+4], eax
		mov	[ebp+var_1], 1

loc_8CD5E1:				; CODE XREF: HvpRemapAndEnlistHiveBins+187936j
		mov	eax, [esi+8]
		cmp	eax, 1000h
		jz	loc_8CD6EB
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_8], eax
		push	ecx
		push	31334D43h
		push	0
		mov	edx, eax
		mov	ecx, ebx
		call	_HvpAllocateBin@20 ; HvpAllocateBin(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_745D0B
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	loc_8CD6A3
		mov	ecx, edi
		mov	edi, [ebp+var_C]
		sub	ecx, edi
		dec	eax
		shr	eax, 0Ch
		inc	eax
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		mov	esi, eax

loc_8CD62F:				; CODE XREF: HvpRemapAndEnlistHiveBins+187A49j
		lea	edx, [edi+ecx]
		mov	ecx, ebx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	[ebp+var_10], eax
		push	1000h		; size_t
		mov	eax, [eax+4]
		and	eax, 0FFFFFFF0h
		push	eax		; void *
		push	edi		; void *
		mov	[ebp+var_20], eax
		call	_memcpy
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		test	byte ptr [eax+4], 8
		jz	short loc_8CD678
		push	ecx
		mov	ecx, [ebp+var_20]
		mov	edx, 1000h
		call	_CmpProtectPool@12 ; CmpProtectPool(x,x,x)
		push	1000h
		push	[ebp+var_20]
		call	dword ptr [ebx+10h]
		jmp	short loc_8CD682
; 

loc_8CD678:				; CODE XREF: HvpRemapAndEnlistHiveBins+187A09j
		mov	ecx, 1000h
		call	CmpReleaseGlobalQuota

loc_8CD682:				; CODE XREF: HvpRemapAndEnlistHiveBins+187A24j
		mov	eax, [ebp+var_10]
		xor	ecx, ecx
		add	edi, 1000h
		mov	[eax], ecx
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		mov	ecx, [ebp+var_1C]
		sub	esi, 1
		jnz	short loc_8CD62F
		mov	edi, [ebp+var_18]
		mov	eax, [ebp+var_8]

loc_8CD6A3:				; CODE XREF: HvpRemapAndEnlistHiveBins+1879C3j
		mov	esi, [ebp+var_C]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_HvIsRangeDirty@12 ; HvIsRangeDirty(x,x,x)
		test	al, al
		jnz	short loc_8CD6C9
		mov	edx, [ebp+var_8]
		push	0
		push	esi
		call	_HvpProtectBin@16 ; HvpProtectBin(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_745D0B

loc_8CD6C9:				; CODE XREF: HvpRemapAndEnlistHiveBins+187A60j
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		push	0
		push	1
		push	edi
		push	[ebp+var_8]
		call	HvpPointMapEntriesToBuffer
		mov	eax, [ebp+var_10]
		mov	esi, [eax+4]
		and	esi, 0FFFFFFF0h
		and	[ebp+var_C], 0
		mov	[ebp+var_20], esi

loc_8CD6EB:				; CODE XREF: HvpRemapAndEnlistHiveBins+187997j
		push	0
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	HvpEnlistFreeCells
		mov	esi, eax
		cmp	esi, 40000009h
		jnz	short loc_8CD707
		mov	[ebp+var_1], 1
		jmp	short loc_8CD70F
; 

loc_8CD707:				; CODE XREF: HvpRemapAndEnlistHiveBins+187AADj
		test	esi, esi
		js	loc_745D16

loc_8CD70F:				; CODE XREF: HvpRemapAndEnlistHiveBins+187AB3j
		mov	eax, [ebp+var_20]
		add	edi, [eax+8]
		mov	[ebp+var_18], edi
		jmp	loc_745CFA
; 

loc_8CD71D:				; CODE XREF: HvpRemapAndEnlistHiveBins+BEj
		mov	edx, [ebp+var_8]
		push	ecx
		mov	ecx, edi
		call	_CmpProtectPool@12 ; CmpProtectPool(x,x,x)
		push	[ebp+var_8]
		push	edi
		call	dword ptr [ebx+10h]
		jmp	loc_745D16
; END OF FUNCTION CHUNK	FOR HvpRemapAndEnlistHiveBins
; 
; START	OF FUNCTION CHUNK FOR HvpEnlistFreeCells

loc_8CD734:				; CODE XREF: HvpEnlistFreeCells+45j
					; HvpEnlistFreeCells+4Dj ...
		test	[ebp+arg_4], 20000h
		jnz	loc_8CD7D0
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_8CD753
		test	byte ptr _CmpBootType, 6
		jz	short loc_8CD7D0

loc_8CD753:				; CODE XREF: HvpEnlistFreeCells+1879D8j
		mov	ecx, [ebp+var_8]
		mov	ebx, edi
		mov	edi, [ebp+arg_0]
		sub	ebx, esi
		push	0
		add	edi, esi
		push	ebx
		mov	edx, edi
		call	HvpMarkDirty
		test	al, al
		jz	short loc_8CD7B3
		mov	eax, [ebp+var_C]
		push	ebx		; size_t
		add	eax, esi
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		mov	ecx, [ebp+var_10]
		mov	edx, 1
		mov	[ebp+var_1], 1
		mov	[eax+esi], ebx
		mov	eax, [ebp+var_8]
		push	20h
		push	40000009h
		push	1Ah
		mov	eax, [eax+20h]
		or	dword ptr [eax+0FF8h], 4
		call	SetFailureLocation
		mov	edx, [ebp+var_8]
		jmp	loc_745DFD
; 

loc_8CD7B3:				; CODE XREF: HvpEnlistFreeCells+1879FBj
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		push	10h
		push	0C000009Ah
		push	1Ah
		call	SetFailureLocation
		mov	eax, 0C000009Ah
		jmp	loc_745DF4
; 

loc_8CD7D0:				; CODE XREF: HvpEnlistFreeCells+1879CBj
					; HvpEnlistFreeCells+1879E1j
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		push	0
		push	0C000014Ch
		push	1Ah
		call	SetFailureLocation
		mov	eax, 0C000014Ch
		jmp	loc_745DF4
; END OF FUNCTION CHUNK	FOR HvpEnlistFreeCells
; 
; START	OF FUNCTION CHUNK FOR HvCheckHive

loc_8CD7ED:				; CODE XREF: HvCheckHive+B0j
		test	esi, esi
		jz	loc_745F44
		push	30h
		push	ebx
		jmp	short loc_8CD80C
; 

loc_8CD7FA:				; CODE XREF: HvCheckHive+69j
					; HvCheckHive+72j ...
		mov	eax, 0C000014Ch
		mov	ebx, eax
		test	esi, esi
		jz	loc_745F44
		push	20h
		push	eax

loc_8CD80C:				; CODE XREF: HvCheckHive+18799Ej
		push	10h
		xor	edx, edx
		mov	ecx, esi
		call	SetFailureLocation
		mov	eax, [ebp+var_4]
		mov	[esi+0F8h], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+0FCh], edi
		mov	[esi+100h], eax
		jmp	loc_745F44
; 

loc_8CD834:				; CODE XREF: HvCheckHive+3Ej
		mov	eax, 0C000014Ch
		mov	ebx, eax
		test	esi, esi
		jz	loc_745F44
		push	0
		push	eax
		push	10h
		xor	edx, edx
		mov	ecx, esi
		call	SetFailureLocation
		mov	eax, [ebp+var_4]
		mov	[esi+0F8h], eax
		mov	[esi+0FCh], edi
		jmp	loc_745F44
; END OF FUNCTION CHUNK	FOR HvCheckHive
; 
; START	OF FUNCTION CHUNK FOR HvpDoAllocateCell

loc_8CD865:				; CODE XREF: HvpDoAllocateCell+17Ej
		mov	eax, esi
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2

loc_8CD86F:				; CODE XREF: HvpDoAllocateCell+1E1j
		jnz	short loc_8CD878
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8CD878:				; CODE XREF: HvpDoAllocateCell:loc_8CD86Fj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	eax, esi
		jmp	loc_7461A7
; 

loc_8CD886:				; CODE XREF: HvpDoAllocateCell+103j
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		jmp	loc_7461A4
; END OF FUNCTION CHUNK	FOR HvpDoAllocateCell
; 
; START	OF FUNCTION CHUNK FOR HvpFindFreeCell

loc_8CD893:				; CODE XREF: HvpFindFreeCell+ADj
		push	480h
		push	esi
		push	[ebp+var_4]
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8CD8A6:				; CODE XREF: HvpRemoveFreeCellHint+20j
		push	310h
		push	esi
		push	ebx
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8CD8B7:				; CODE XREF: HvpAddFreeCellHint+13j
		push	2B9h
		push	esi
		push	ebx
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8CD8C8:				; CODE XREF: HvpMarkCellDirty+63j
		push	270h
		push	ebx
		push	esi
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8CD8D8:				; CODE XREF: HvpMarkCellDirty+46j
					; HvpMarkCellDirty+52j
		cmp	byte ptr [ebp+arg_0], 0
		jnz	loc_746682
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8CD8F6
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8CD8F6:				; CODE XREF: HvpFindFreeCell+18767Fj
		mov	ecx, edi
		call	KeAbPostRelease
		jmp	loc_746682
; END OF FUNCTION CHUNK	FOR HvpFindFreeCell
; 
; START	OF FUNCTION CHUNK FOR HvpMarkDirty

loc_8CD902:				; CODE XREF: HvpMarkDirty+80j
		lea	esi, [eax-1]
		jmp	loc_746716
; 

loc_8CD90A:				; CODE XREF: HvpMarkDirty+11Fj
		xor	al, al
		jmp	loc_746776
; 

loc_8CD911:				; CODE XREF: HvpMarkDirty+15Bj
		mov	eax, [ebp+arg_4]
		mov	edx, 1
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_54], 0
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], 0
		mov	[ebp+var_40], 4
		mov	[ebp+var_3C], 0
		mov	ecx, [ebx+4BCh]
		test	ecx, ecx
		jz	short loc_8CD968
		movzx	eax, word ptr [ebx+4B8h]
		mov	edx, 2
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], 0
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], 0

loc_8CD968:				; CODE XREF: HvpMarkDirty+1872B6j
		mov	eax, edx
		lea	ecx, [ebp+var_54]
		add	eax, eax
		push	offset loc_501902
		push	928h
		push	41000000h
		mov	[ebp+eax*8+var_48], ecx
		lea	ecx, [ebp+var_4C]
		mov	[ebp+eax*8+var_44], 0
		mov	[ebp+eax*8+var_40], 2
		mov	[ebp+eax*8+var_3C], 0
		lea	eax, [edx+1]
		add	eax, eax
		add	edx, 2
		mov	[ebp+eax*8+var_48], ecx
		lea	ecx, [ebp+var_48]
		mov	[ebp+eax*8+var_44], 0
		mov	[ebp+eax*8+var_40], 4
		mov	[ebp+eax*8+var_3C], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_7467F1
; 

loc_8CD9CE:				; CODE XREF: HvpMarkDirty+181j
		call	_CmpForceFlushForCoalescing@0 ;	CmpForceFlushForCoalescing()
		jmp	loc_746744
; END OF FUNCTION CHUNK	FOR HvpMarkDirty
; 
; START	OF FUNCTION CHUNK FOR HvpEnlistFreeCell

loc_8CD9D8:				; CODE XREF: HvpEnlistFreeCell+93j
		mov	edi, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		jmp	loc_746878
; END OF FUNCTION CHUNK	FOR HvpEnlistFreeCell
; 
; START	OF FUNCTION CHUNK FOR HvpAdjustBitmap

loc_8CD9E3:				; CODE XREF: HvpAdjustBitmap+26j
		mov	edi, ebx
		jmp	loc_746AA4
; 

loc_8CD9EA:				; CODE XREF: HvpAdjustBitmap+84j
		push	ebx		; size_t
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		push	ebx
		push	esi
		call	dword ptr [eax+10h]
		jmp	loc_746AF6
; END OF FUNCTION CHUNK	FOR HvpAdjustBitmap
; 
; START	OF FUNCTION CHUNK FOR CmpAllocate

loc_8CDA02:				; CODE XREF: CmpAllocate+31j
		mov	ecx, [ebp+arg_0]
		call	CmpReleaseGlobalQuota
		jmp	loc_746B67
; END OF FUNCTION CHUNK	FOR CmpAllocate
; 
; START	OF FUNCTION CHUNK FOR CmpClaimGlobalQuota

loc_8CDA0F:				; CODE XREF: CmpClaimGlobalQuota+31j
		cmp	ds:_CmpQuotaWarningPopupDisplayed, 0
		jnz	loc_746BA9
		cmp	_ExReadyForErrors, 0
		jz	loc_746BA9
		push	20204D43h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_746BA9
		and	dword ptr [eax], 0
		push	1
		push	eax
		mov	ds:_CmpQuotaWarningPopupDisplayed, 1
		mov	dword ptr [eax+8], offset _CmpQuotaWarningWorker@4 ; CmpQuotaWarningWorker(x)
		mov	[eax+0Ch], eax
		call	ExQueueWorkItem
		jmp	loc_746BA9
; END OF FUNCTION CHUNK	FOR CmpClaimGlobalQuota
; 
; START	OF FUNCTION CHUNK FOR CmpUpdateGlobalQuotaAllowed

loc_8CDA63:				; CODE XREF: CmpUpdateGlobalQuotaAllowed+20j
		mov	eax, [ebp+var_4]
		xor	edx, edx
		push	3
		pop	ecx
		div	ecx
		mov	ecx, eax
		mov	eax, 7FFFFFFFh
		cmp	ecx, eax
		ja	short loc_8CDA81
		mov	eax, 1000000h
		cmp	ecx, eax
		jnb	short loc_8CDA83

loc_8CDA81:				; CODE XREF: CmpUpdateGlobalQuotaAllowed+186EC4j
		mov	ecx, eax

loc_8CDA83:				; CODE XREF: CmpUpdateGlobalQuotaAllowed+186ECDj
		mov	eax, [ebp+var_4]
		xor	edx, edx
		mov	ds:_CmpSizeOfPagedPoolInBytes, eax
		mov	eax, ecx
		push	64h
		mov	ds:_CmpGlobalQuota, ecx
		mov	ds:_CmpGlobalQuotaAllowed, ecx
		pop	ecx
		div	ecx
		imul	eax, 5Fh
		mov	ds:_CmpGlobalQuotaWarning, eax
		leave
		retn
; END OF FUNCTION CHUNK	FOR CmpUpdateGlobalQuotaAllowed
; 
; START	OF FUNCTION CHUNK FOR CmpPopulateKeyNodeInformation

loc_8CDAAA:				; CODE XREF: CmpPopulateKeyNodeInformation+15j
		mov	eax, edx
		jmp	loc_746DEF
; 

loc_8CDAB1:				; CODE XREF: CmpPopulateKeyNodeInformation+32j
		add	esi, 3
		and	esi, 0FFFFFFFCh
		mov	ebx, esi
		add	esi, edi
		jmp	loc_746E08
; 

loc_8CDAC0:				; CODE XREF: CmpPopulateKeyNodeInformation+43j
		mov	eax, 0C0000023h
		jmp	loc_746E85
; 

loc_8CDACA:				; CODE XREF: CmpPopulateKeyNodeInformation+82j
		cmp	[ebp+arg_4], eax
		ja	short loc_8CDAD2
		mov	eax, [ebp+arg_4]

loc_8CDAD2:				; CODE XREF: CmpPopulateKeyNodeInformation+186CFFj
		push	eax		; size_t
		lea	eax, [ecx+4Ch]
		push	eax		; void *
		lea	eax, [edx+18h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_746E6A
; 

loc_8CDAE8:				; CODE XREF: CmpPopulateKeyNodeInformation+A7j
		mov	ecx, [ebp+arg_8]
		add	ecx, ebx
		cmp	eax, edi
		ja	short loc_8CDAF3
		mov	edi, eax

loc_8CDAF3:				; CODE XREF: CmpPopulateKeyNodeInformation+186D21j
		push	edi		; size_t
		push	[ebp+arg_0]	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_746E7B
; END OF FUNCTION CHUNK	FOR CmpPopulateKeyNodeInformation
; 
; START	OF FUNCTION CHUNK FOR CmpFreeValueData

loc_8CDB05:				; CODE XREF: CmpFreeValueData+8Aj
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_8CDB0D:				; CODE XREF: CmpFreeValueData+6Cj
		xor	al, al
		jmp	loc_746F10
; END OF FUNCTION CHUNK	FOR CmpFreeValueData
; 
; START	OF FUNCTION CHUNK FOR HvpViewMapMakeViewRangeCOWByCaller

loc_8CDB14:				; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+E9j
					; HvpViewMapMakeViewRangeCOWByCaller+186B3Ej ...
		mov	ecx, [ebx+10h]
		mov	eax, edi
		sub	eax, ecx
		shr	eax, 0Ch
		test	byte ptr [eax+ebx+38h],	6
		jnz	short loc_8CDB46
		lea	eax, [ebp+var_C]
		push	eax
		push	80000002h
		mov	eax, edi
		sub	eax, ecx
		add	eax, [ebx+30h]
		push	1000h
		push	eax
		mov	eax, [ebp+var_10]
		mov	edx, [eax+18h]
		call	_CmSiProtectViewOfSection@24 ; CmSiProtectViewOfSection(x,x,x,x,x,x)

loc_8CDB46:				; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+186B0Fj
		add	edi, 1000h
		adc	esi, 0
		cmp	esi, [ebp+arg_C]
		jl	short loc_8CDB14
		jg	short loc_8CDB5B
		cmp	edi, [ebp+arg_8]
		jb	short loc_8CDB14

loc_8CDB5B:				; CODE XREF: HvpViewMapMakeViewRangeCOWByCaller+186B40j
		mov	eax, [ebp+arg_4]
		jmp	loc_7470DF
; END OF FUNCTION CHUNK	FOR HvpViewMapMakeViewRangeCOWByCaller

;  S U B	R O U T	I N E 


sub_8CDB63	proc near		; DATA XREF: .text:006A0294o
		lea	edx, [ebp-24h]
		mov	ecx, [ebp-14h]
		call	_HvpInpageErrorFilter@8	; HvpInpageErrorFilter(x,x)
		retn
sub_8CDB63	endp


;  S U B	R O U T	I N E 


sub_8CDB6F	proc near		; DATA XREF: .text:006A0298o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-24h]
		jmp	loc_747199
sub_8CDB6F	endp


;  S U B	R O U T	I N E 


sub_8CDB81	proc near		; CODE XREF: CmpMarkKeyDirty+69j
		push	ebx
		push	ebx
		mov	ecx, esi
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_747594
		jmp	loc_74745D
sub_8CDB81	endp

; 
; START	OF FUNCTION CHUNK FOR CmpSetValueKeyExisting

loc_8CDB97:				; CODE XREF: CmpSetValueKeyExisting+F0j
					; CmpSetValueKeyExisting+1E5j ...
		mov	edi, 0C000009Ah
		jmp	loc_7476FB
; 

loc_8CDBA1:				; CODE XREF: CmpSetValueKeyExisting+141j
		push	[ebp+var_C]
		mov	edx, [ebp+var_10]
		mov	ecx, ebx
		call	CmpFreeValueData
		jmp	loc_7476F9
; 

loc_8CDBB3:				; CODE XREF: CmpSetValueKeyExisting+252j
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	CmpSetValueDataNew
		mov	edi, eax
		test	edi, edi
		js	loc_7476FB
		cmp	word ptr [ebp+arg_0], 0
		jz	short loc_8CDBE3
		cmp	[ebp+var_C], 0
		jz	short loc_8CDBE3
		mov	edx, [esi+8]
		mov	ecx, ebx
		call	HvFreeCell

loc_8CDBE3:				; CODE XREF: CmpSetValueKeyExisting+18661Fj
					; CmpSetValueKeyExisting+186625j
		mov	eax, [ebp+var_18]
		mov	[ebp+var_10], eax
		jmp	loc_747820
; 

loc_8CDBEE:				; CODE XREF: CmpSetValueKeyExisting+27j
					; CmpSetValueKeyExisting+ACj
		mov	eax, 0C000017Dh
		jmp	loc_7476FD
; END OF FUNCTION CHUNK	FOR CmpSetValueKeyExisting
; 
; START	OF FUNCTION CHUNK FOR ExpWnfLookupPermanentName

loc_8CDBF8:				; CODE XREF: ExpWnfLookupPermanentName+149j
		push	20666E57h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_747A95
; 

loc_8CDC08:				; CODE XREF: ExpWnfLookupPermanentName+BBj
					; ExpWnfLookupPermanentName+E0j ...
		mov	esi, 0C0000001h
		jmp	loc_747AC1
; 

loc_8CDC12:				; CODE XREF: ExpWnfLookupPermanentName+17Fj
		push	20666E57h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_747A67
; END OF FUNCTION CHUNK	FOR ExpWnfLookupPermanentName
; 
; START	OF FUNCTION CHUNK FOR ExpWnfGetNameStoreRegistryRoot

loc_8CDC22:				; CODE XREF: ExpWnfGetNameStoreRegistryRoot+114j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, edi
		jmp	loc_747B15
; 

loc_8CDC31:				; CODE XREF: ExpWnfGetNameStoreRegistryRoot+DFj
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_747B0F
; END OF FUNCTION CHUNK	FOR ExpWnfGetNameStoreRegistryRoot
; 
; START	OF FUNCTION CHUNK FOR RtlIsNameLegalDOS8Dot3

loc_8CDC3E:				; CODE XREF: RtlIsNameLegalDOS8Dot3+15Dj
		cmp	byte ptr [eax+1], 2Eh
		jnz	loc_747DDC

loc_8CDC48:				; CODE XREF: RtlIsNameLegalDOS8Dot3+146j
		test	edi, edi
		jz	short loc_8CDC50
		xor	eax, eax
		mov	[edi], al

loc_8CDC50:				; CODE XREF: RtlIsNameLegalDOS8Dot3+185EF2j
		mov	al, dl
		jmp	loc_747D8D
; 

loc_8CDC57:				; CODE XREF: RtlIsNameLegalDOS8Dot3+A2j
		xor	ecx, ecx
		cmp	ds:_NlsOemLeadByteInfoTable[esi*2], cx
		mov	ecx, [ebp+var_18]
		jz	loc_747E00
		test	bh, bh
		jnz	short loc_8CDC77
		cmp	edx, 7
		jnb	loc_747D8B

loc_8CDC77:				; CODE XREF: RtlIsNameLegalDOS8Dot3+185F14j
		lea	eax, [ecx-1]
		cmp	edx, eax
		jz	loc_747D8B
		inc	edx
		jmp	loc_747E34
; END OF FUNCTION CHUNK	FOR RtlIsNameLegalDOS8Dot3
; 
; START	OF FUNCTION CHUNK FOR RtlUpcaseUnicodeStringToCountedOemString

loc_8CDC88:				; CODE XREF: RtlUpcaseUnicodeStringToCountedOemString+1Dj
		xor	ecx, ecx
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	[eax+4], edi
		xor	eax, eax
		jmp	loc_747F6C
; 

loc_8CDC99:				; CODE XREF: RtlUpcaseUnicodeStringToCountedOemString+28j
		mov	eax, 0C00000F0h
		jmp	loc_747F6C
; 

loc_8CDCA3:				; CODE XREF: RtlUpcaseUnicodeStringToCountedOemString+3Bj
		mov	[ebx+2], cx
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[ebx+4], eax
		test	eax, eax
		jnz	loc_747F0F
		mov	eax, 0C0000017h
		jmp	loc_747F6C
; 

loc_8CDCC2:				; CODE XREF: RtlUpcaseUnicodeStringToCountedOemString+45j
		mov	eax, 80000005h
		jmp	loc_747F6C
; 

loc_8CDCCC:				; CODE XREF: RtlUpcaseUnicodeStringToCountedOemString+84j
		mov	esi, 0C0000162h
		mov	[ebp+var_1C], esi
		jmp	loc_747F4E
; END OF FUNCTION CHUNK	FOR RtlUpcaseUnicodeStringToCountedOemString

;  S U B	R O U T	I N E 


sub_8CDCD9	proc near		; DATA XREF: .text:006A02B8o
		xor	edi, edi
		mov	ebx, [ebp+8]
		mov	esi, [ebp-1Ch]
		jmp	sub_747F7E
sub_8CDCD9	endp

; 
; START	OF FUNCTION CHUNK FOR sub_747F7E

loc_8CDCE6:				; CODE XREF: sub_747F7E+3j
					; sub_747F7E+Bj
		cmp	byte ptr [ebp+10h], 0
		jz	locret_747F8F
		push	dword ptr [ebx+4]
		call	_ExFreePool@4	; ExFreePool(x)
		mov	[ebx+4], edi
		retn
; END OF FUNCTION CHUNK	FOR sub_747F7E
; 
; START	OF FUNCTION CHUNK FOR RtlUpcaseUnicodeToOemN

loc_8CDCFC:				; CODE XREF: RtlUpcaseUnicodeToOemN+1Aj
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_UpcaseUnicodeToUTF8NHelper@20 ; UpcaseUnicodeToUTF8NHelper(x,x,x,x,x)
		jmp	loc_747FDA
; 

loc_8CDD0D:				; CODE XREF: RtlUpcaseUnicodeToOemN+26j
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_UpcaseUnicodeToMultiByteNHelper@20 ; UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x)
		jmp	loc_747FDA
; END OF FUNCTION CHUNK	FOR RtlUpcaseUnicodeToOemN
; 
; START	OF FUNCTION CHUNK FOR RtlAnsiStringToUnicodeString

loc_8CDD1E:				; CODE XREF: RtlAnsiStringToUnicodeString+1Ej
		mov	eax, 0C00000F0h
		jmp	loc_748090
; END OF FUNCTION CHUNK	FOR RtlAnsiStringToUnicodeString

;  S U B	R O U T	I N E 


sub_8CDD28	proc near		; DATA XREF: .text:006A02D8o
		mov	edi, [ebp+8]
		mov	ebx, [ebp-1Ch]
		jmp	sub_7480BA
sub_8CDD28	endp

; 
; START	OF FUNCTION CHUNK FOR sub_7480BA

loc_8CDD33:				; CODE XREF: sub_7480BA+4j
					; sub_7480BA+Cj
		cmp	byte ptr [ebp+10h], 0
		jz	locret_7480CC
		push	dword ptr [edi+4]
		call	_ExFreePool@4	; ExFreePool(x)
		and	dword ptr [edi+4], 0
		retn
; END OF FUNCTION CHUNK	FOR sub_7480BA
; 
; START	OF FUNCTION CHUNK FOR RtlAnsiStringToUnicodeString

loc_8CDD4A:				; CODE XREF: RtlAnsiStringToUnicodeString+46j
					; RtlAnsiStringToUnicodeString+4Fj
		mov	eax, 80000005h
		jmp	loc_748090
; END OF FUNCTION CHUNK	FOR RtlAnsiStringToUnicodeString
; 
; START	OF FUNCTION CHUNK FOR RtlMultiByteToUnicodeN

loc_8CDD54:				; CODE XREF: RtlMultiByteToUnicodeN+Ej
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_8CDD5E
		lea	eax, [ebp+arg_8]

loc_8CDD5E:				; CODE XREF: RtlMultiByteToUnicodeN+185C87j
		cmp	[ebp+arg_10], 0
		jnz	short loc_8CDD6C
		and	dword ptr [eax], 0
		jmp	loc_748134
; 

loc_8CDD6C:				; CODE XREF: RtlMultiByteToUnicodeN+185C90j
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	RtlUTF8ToUnicodeN
		jmp	loc_748134
; 

loc_8CDD83:				; CODE XREF: RtlMultiByteToUnicodeN+22j
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		mov	eax, ds:_NlsMbAnsiCodePageTables
		mov	[ebp+arg_0], ecx
		mov	[ebp+arg_4], eax
		test	edx, edx
		jz	short loc_8CDDF9
		mov	edi, [ebp+arg_10]
		mov	ebx, [ebp+arg_C]

loc_8CDD9D:				; CODE XREF: RtlMultiByteToUnicodeN+185D18j
		test	edi, edi
		jz	short loc_8CDDF6
		movzx	ecx, byte ptr [ebx]
		dec	edx
		add	ecx, ecx
		dec	edi
		mov	[ebp+arg_10], ecx
		movzx	eax, ds:_NlsLeadByteInfoTable[ecx]
		mov	ecx, eax
		mov	[ebp+arg_C], ecx
		mov	ecx, [ebp+arg_10]
		test	ax, ax
		jz	short loc_8CDDD6
		test	edi, edi
		jz	short loc_8CDDEE
		inc	ebx
		movzx	eax, ax
		dec	edi
		movzx	ecx, byte ptr [ebx]
		add	ecx, eax
		mov	eax, [ebp+arg_4]
		movzx	ecx, word ptr [eax+ecx*2]
		jmp	short loc_8CDDDF
; 

loc_8CDDD6:				; CODE XREF: RtlMultiByteToUnicodeN+185CEBj
		mov	eax, ds:_NlsAnsiToUnicodeData
		movzx	ecx, word ptr [ecx+eax]

loc_8CDDDF:				; CODE XREF: RtlMultiByteToUnicodeN+185D02j
		inc	ebx
		mov	[esi], cx
		lea	eax, [esi+2]
		mov	esi, eax
		test	edx, edx
		jnz	short loc_8CDD9D
		jmp	short loc_8CDDF6
; 

loc_8CDDEE:				; CODE XREF: RtlMultiByteToUnicodeN+185CEFj
		xor	eax, eax
		mov	[esi], ax
		add	esi, 2

loc_8CDDF6:				; CODE XREF: RtlMultiByteToUnicodeN+185CCDj
					; RtlMultiByteToUnicodeN+185D1Aj
		mov	ecx, [ebp+arg_0]

loc_8CDDF9:				; CODE XREF: RtlMultiByteToUnicodeN+185CC3j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_748131
		sub	esi, ecx
		mov	[eax], esi
		jmp	loc_748131
; END OF FUNCTION CHUNK	FOR RtlMultiByteToUnicodeN
; 
; START	OF FUNCTION CHUNK FOR RtlMultiByteToUnicodeSize

loc_8CDE0D:				; CODE XREF: RtlMultiByteToUnicodeSize+14j
		cmp	[ebp+arg_8], esi
		jnz	short loc_8CDE1C
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		jmp	loc_74819D
; 

loc_8CDE1C:				; CODE XREF: RtlMultiByteToUnicodeSize+185CA4j
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	edi
		call	RtlUTF8ToUnicodeN
		jmp	loc_74819D
; 

loc_8CDE31:				; CODE XREF: RtlMultiByteToUnicodeSize+20j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	loc_748198
		mov	edx, [ebp+arg_4]

loc_8CDE3F:				; CODE XREF: RtlMultiByteToUnicodeSize+185CEDj
		movzx	eax, byte ptr [edx]
		dec	ecx
		inc	edx
		cmp	ds:_NlsLeadByteInfoTable[eax*2], di
		jz	short loc_8CDE54
		test	ecx, ecx
		jz	short loc_8CDE60
		dec	ecx
		inc	edx

loc_8CDE54:				; CODE XREF: RtlMultiByteToUnicodeSize+185CE0j
		add	esi, 2
		test	ecx, ecx
		jnz	short loc_8CDE3F
		jmp	loc_748198
; 

loc_8CDE60:				; CODE XREF: RtlMultiByteToUnicodeSize+185CE4j
		add	esi, 2
		jmp	loc_748198
; END OF FUNCTION CHUNK	FOR RtlMultiByteToUnicodeSize
; 
; START	OF FUNCTION CHUNK FOR RtlpDidUnicodeToOemWork

loc_8CDE68:				; CODE XREF: RtlpDidUnicodeToOemWork+4Cj
		mov	eax, [edx+4]
		mov	ax, [eax+ecx*2]
		cmp	ax, ds:_OemTransUniDefaultChar
		jnz	loc_748200
		jmp	loc_7481F8
; 

loc_8CDE81:				; CODE XREF: RtlpDidUnicodeToOemWork+29j
		mov	edx, ebx
		test	esi, esi
		jz	loc_7481FD
		mov	eax, [edi+4]
		mov	edi, ebx
		mov	[ebp+var_8], eax

loc_8CDE93:				; CODE XREF: RtlpDidUnicodeToOemWork+185D66j
		mov	cl, [eax+edx]
		movzx	eax, cl
		cmp	ds:_NlsOemLeadByteInfoTable[eax*2], bx
		jz	short loc_8CDED6
		lea	eax, [edx+1]
		mov	[ebp+var_C], eax
		cmp	eax, esi
		jnb	short loc_8CDED6
		mov	eax, [ebp+var_8]
		movsx	cx, cl
		movzx	edx, byte ptr [eax+edx+1]
		mov	eax, 100h
		movzx	ecx, cx
		imul	ecx, eax
		add	dx, cx
		movzx	eax, dx
		mov	edx, [ebp+var_C]
		cmp	ax, ds:_OemDefaultChar
		jmp	short loc_8CDEE4
; 

loc_8CDED6:				; CODE XREF: RtlpDidUnicodeToOemWork+185CFBj
					; RtlpDidUnicodeToOemWork+185D05j
		mov	ax, ds:_OemDefaultChar
		movsx	ecx, cl
		movzx	eax, al
		cmp	ecx, eax

loc_8CDEE4:				; CODE XREF: RtlpDidUnicodeToOemWork+185D2Ej
		jnz	short loc_8CDEFD
		mov	eax, [ebp+var_4]
		mov	eax, [eax+4]
		mov	ax, [edi+eax]
		cmp	ax, ds:_OemTransUniDefaultChar
		jnz	loc_748200

loc_8CDEFD:				; CODE XREF: RtlpDidUnicodeToOemWork:loc_8CDEE4j
		inc	edx
		add	edi, 2
		cmp	edx, esi
		jnb	loc_7481FD
		mov	eax, [ebp+var_8]
		jmp	short loc_8CDE93
; END OF FUNCTION CHUNK	FOR RtlpDidUnicodeToOemWork
; 
; START	OF FUNCTION CHUNK FOR RtlCompareString

loc_8CDF0E:				; CODE XREF: RtlCompareString+84j
					; RtlCompareString+185CE8j
		mov	cl, [esi]
		mov	al, [edi+esi]
		cmp	cl, al
		jnz	loc_74829E
		inc	esi
		cmp	esi, edx
		jb	short loc_8CDF0E
		jmp	loc_74827D
; END OF FUNCTION CHUNK	FOR RtlCompareString
; 
; START	OF FUNCTION CHUNK FOR ExpQueryModuleInformation

loc_8CDF25:				; CODE XREF: ExpQueryModuleInformation+7Cj
		mov	eax, 0C0000001h
		jmp	loc_74845A
; 

loc_8CDF2F:				; CODE XREF: ExpQueryModuleInformation+DAj
		cmp	eax, 80000005h
		jz	loc_7483D0
		mov	byte ptr [esi],	0
		xor	eax, eax
		mov	[ebx+1Ah], ax
		jmp	loc_7483FC
; END OF FUNCTION CHUNK	FOR ExpQueryModuleInformation

;  S U B	R O U T	I N E 


sub_8CDF48	proc near		; DATA XREF: .text:006A02F4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		mov	eax, large fs:124h
		mov	[ebp-34h], eax
		mov	eax, [ebp-34h]
		mov	al, [eax+15Ah]
		mov	[ebp-19h], al
		mov	cl, [ebp-19h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_8CDF48	endp


;  S U B	R O U T	I N E 


sub_8CDF72	proc near		; DATA XREF: .text:006A02F8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-38h]
		jmp	loc_74845A
sub_8CDF72	endp


;  S U B	R O U T	I N E 


sub_8CDF84	proc near		; DATA XREF: .text:006A0300o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		mov	eax, large fs:124h
		mov	[ebp-40h], eax
		mov	eax, [ebp-40h]
		mov	al, [eax+15Ah]
		mov	[ebp-1Ah], al
		mov	cl, [ebp-1Ah]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_8CDF84	endp


;  S U B	R O U T	I N E 


sub_8CDFAE	proc near		; DATA XREF: .text:006A0304o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-44h]
		jmp	loc_74845A
sub_8CDFAE	endp

; 
; START	OF FUNCTION CHUNK FOR RtlUnicodeStringToAnsiString

loc_8CDFC0:				; CODE XREF: RtlUnicodeStringToAnsiString+5Fj
		mov	eax, 0C00000F0h
		jmp	loc_74855F
; 

loc_8CDFCA:				; CODE XREF: RtlUnicodeStringToAnsiString+7Dj
		test	cx, cx
		jnz	short loc_8CDFD9
		mov	eax, 80000005h
		jmp	loc_74855F
; 

loc_8CDFD9:				; CODE XREF: RtlUnicodeStringToAnsiString+185B4Dj
		mov	ebx, 80000005h
		mov	[ebp+var_28], ebx
		lea	eax, [ecx-1]
		mov	[edi], ax
		jmp	loc_748503
; END OF FUNCTION CHUNK	FOR RtlUnicodeStringToAnsiString

;  S U B	R O U T	I N E 


sub_8CDFEC	proc near		; DATA XREF: .text:006A0320o
		mov	edi, [ebp+8]
		mov	esi, [ebp-24h]
		mov	ebx, [ebp-28h]
		jmp	sub_74858F
sub_8CDFEC	endp

; 
; START	OF FUNCTION CHUNK FOR sub_74858F

loc_8CDFFA:				; CODE XREF: sub_74858F+4j
					; sub_74858F+Cj
		cmp	byte ptr [ebp+10h], 0
		jz	locret_7485A1
		mov	eax, [edi+4]
		push	eax
		call	_ExFreePool@4	; ExFreePool(x)
		mov	dword ptr [edi+4], 0
		retn
; END OF FUNCTION CHUNK	FOR sub_74858F
; 
; START	OF FUNCTION CHUNK FOR RtlUnicodeToMultiByteN

loc_8CE015:				; CODE XREF: RtlUnicodeToMultiByteN+Ej
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_8CE01F
		lea	eax, [ebp+arg_8]

loc_8CE01F:				; CODE XREF: RtlUnicodeToMultiByteN+185A6Aj
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jnz	short loc_8CE02D
		mov	[eax], ecx
		jmp	loc_748612
; 

loc_8CE02D:				; CODE XREF: RtlUnicodeToMultiByteN+185A74j
		push	ecx
		push	[ebp+arg_C]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	RtlUnicodeToUTF8N
		jmp	loc_748612
; 

loc_8CE042:				; CODE XREF: RtlUnicodeToMultiByteN+22j
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		mov	[ebp+arg_10], ecx
		test	edx, edx
		jz	short loc_8CE08D
		mov	ebx, [ebp+arg_C]
		mov	edi, [ebp+arg_4]

loc_8CE054:				; CODE XREF: RtlUnicodeToMultiByteN+185AD8j
		test	edi, edi
		jz	short loc_8CE08A
		movzx	ecx, word ptr [ebx]
		add	ebx, 2
		mov	eax, ds:_NlsUnicodeToMbAnsiData
		movzx	eax, word ptr [eax+ecx*2]
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		shr	ecx, 8
		test	cl, cl
		jz	short loc_8CE081
		mov	eax, edi
		dec	edi
		cmp	eax, 2
		jb	short loc_8CE08A
		mov	eax, [ebp+arg_0]
		mov	[esi], cl
		inc	esi

loc_8CE081:				; CODE XREF: RtlUnicodeToMultiByteN+185AC1j
		mov	[esi], al
		dec	edi
		inc	esi
		sub	edx, 1
		jnz	short loc_8CE054

loc_8CE08A:				; CODE XREF: RtlUnicodeToMultiByteN+185AA6j
					; RtlUnicodeToMultiByteN+185AC9j
		mov	ecx, [ebp+arg_10]

loc_8CE08D:				; CODE XREF: RtlUnicodeToMultiByteN+185A9Cj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_74860F
		sub	esi, ecx
		mov	[eax], esi
		jmp	loc_74860F
; END OF FUNCTION CHUNK	FOR RtlUnicodeToMultiByteN
; 
; START	OF FUNCTION CHUNK FOR RtlUnicodeToMultiByteSize

loc_8CE0A1:				; CODE XREF: RtlUnicodeToMultiByteSize+14j
		test	eax, eax
		jz	loc_74864B
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	0
		push	0
		call	RtlUnicodeToUTF8N
		jmp	loc_748650
; 

loc_8CE0BE:				; CODE XREF: RtlUnicodeToMultiByteSize+23j
		test	eax, eax
		jz	loc_74864B
		push	edi
		mov	edi, [ebp+arg_4]

loc_8CE0CA:				; CODE XREF: RtlUnicodeToMultiByteSize+185ACAj
		movzx	edx, word ptr [edi]
		lea	edi, [edi+2]
		mov	ecx, ds:_NlsUnicodeToMbAnsiData
		movzx	edx, word ptr [ecx+edx*2]
		xor	ecx, ecx
		shr	edx, 8
		test	dl, dl
		setnz	cl
		inc	ecx
		add	esi, ecx
		sub	eax, 1
		jnz	short loc_8CE0CA
		pop	edi
		jmp	loc_74864B
; END OF FUNCTION CHUNK	FOR RtlUnicodeToMultiByteSize
; 
; START	OF FUNCTION CHUNK FOR RtlUpcaseUnicodeToMultiByteN

loc_8CE0F2:				; CODE XREF: RtlUpcaseUnicodeToMultiByteN+1Aj
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_UpcaseUnicodeToUTF8NHelper@20 ; UpcaseUnicodeToUTF8NHelper(x,x,x,x,x)
		jmp	loc_748714
; 

loc_8CE103:				; CODE XREF: RtlUpcaseUnicodeToMultiByteN+26j
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_UpcaseUnicodeToMultiByteNHelper@20 ; UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x)
		jmp	loc_748714
; END OF FUNCTION CHUNK	FOR RtlUpcaseUnicodeToMultiByteN
; 
; START	OF FUNCTION CHUNK FOR RtlAnsiCharToUnicodeChar

loc_8CE114:				; CODE XREF: RtlAnsiCharToUnicodeChar+22j
		cmp	cl, 0C0h
		jb	loc_748756
		cmp	cl, 0E0h
		jnb	short loc_8CE12C
		mov	esi, 2
		jmp	loc_74875B
; 

loc_8CE12C:				; CODE XREF: RtlAnsiCharToUnicodeChar+185A00j
		cmp	cl, 0F0h
		jnb	short loc_8CE13B
		mov	esi, 3
		jmp	loc_74875B
; 

loc_8CE13B:				; CODE XREF: RtlAnsiCharToUnicodeChar+185A0Fj
		cmp	cl, 0F8h
		sbb	esi, esi
		and	esi, 3
		inc	esi
		jmp	loc_74875B
; 

loc_8CE149:				; CODE XREF: RtlAnsiCharToUnicodeChar+4Aj
		push	esi
		push	ebx
		lea	eax, [ebp+arg_0]
		push	eax
		push	2
		lea	eax, [ebp+var_8]
		push	eax
		call	RtlUTF8ToUnicodeN
		jmp	loc_7487A5
; 

loc_8CE15F:				; CODE XREF: RtlAnsiCharToUnicodeChar+5Bj
		mov	eax, ds:_NlsMbAnsiCodePageTables
		mov	ecx, esi
		mov	[ebp+var_10], eax

loc_8CE169:				; CODE XREF: RtlAnsiCharToUnicodeChar+185AB9j
		test	ecx, ecx
		jz	loc_7487A5
		movzx	eax, byte ptr [ebx]
		dec	edx
		add	eax, eax
		dec	ecx
		mov	[ebp+var_14], eax
		movzx	eax, ds:_NlsLeadByteInfoTable[eax]
		mov	edi, eax
		mov	[ebp+var_C], edi
		mov	edi, [ebp+arg_0]
		test	ax, ax
		jz	short loc_8CE1AC
		test	ecx, ecx
		jz	short loc_8CE1E0
		inc	ebx
		movzx	eax, ax
		dec	ecx
		mov	[ebp+var_14], ecx
		movzx	ecx, byte ptr [ebx]
		add	ecx, eax
		mov	eax, [ebp+var_10]
		movzx	eax, word ptr [eax+ecx*2]
		mov	ecx, [ebp+var_14]
		jmp	short loc_8CE1B8
; 

loc_8CE1AC:				; CODE XREF: RtlAnsiCharToUnicodeChar+185A6Dj
		mov	eax, ds:_NlsAnsiToUnicodeData
		mov	edi, [ebp+var_14]
		movzx	eax, word ptr [edi+eax]

loc_8CE1B8:				; CODE XREF: RtlAnsiCharToUnicodeChar+185A8Aj
		mov	edi, [ebp+var_4]
		inc	ebx
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_4]
		add	eax, 2
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_C]
		mov	[edi], ax
		mov	eax, [ebp+var_14]
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_4], eax
		test	edx, edx
		jnz	short loc_8CE169
		jmp	loc_7487A5
; 

loc_8CE1E0:				; CODE XREF: RtlAnsiCharToUnicodeChar+185A71j
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		mov	[eax], cx
		jmp	loc_7487A5
; END OF FUNCTION CHUNK	FOR RtlAnsiCharToUnicodeChar

;  S U B	R O U T	I N E 


sub_8CE1ED	proc near		; DATA XREF: .text:006A033Co
		mov	eax, 1
		retn
sub_8CE1ED	endp


;  S U B	R O U T	I N E 


sub_8CE1F3	proc near		; DATA XREF: .text:006A0340o
		mov	esp, [ebp-18h]
		jmp	loc_74882A
sub_8CE1F3	endp

; 
; START	OF FUNCTION CHUNK FOR RtlLargeIntegerToChar

loc_8CE1FB:				; CODE XREF: RtlLargeIntegerToChar+47j
		mov	eax, 0C000000Dh
		jmp	loc_748943
; 

loc_8CE205:				; CODE XREF: RtlLargeIntegerToChar+34j
		push	3
		jmp	loc_7488BD
; 

loc_8CE20C:				; CODE XREF: RtlLargeIntegerToChar+2Bj
		xor	edi, edi
		inc	edi
		mov	ebx, edi
		jmp	loc_7488C1
; 

loc_8CE216:				; CODE XREF: RtlLargeIntegerToChar+21j
		push	0Ah
		pop	esi

loc_8CE219:				; CODE XREF: RtlLargeIntegerToChar+3Ej
		xor	ebx, ebx
		xor	edi, edi
		jmp	loc_7488C6
; 

loc_8CE222:				; CODE XREF: RtlLargeIntegerToChar+65j
					; RtlLargeIntegerToChar+1859DDj
		lea	edx, [ebp+var_6C]
		push	edx
		push	esi
		push	ecx
		push	eax
		call	_RtlExtendedLargeIntegerDivide@16 ; RtlExtendedLargeIntegerDivide(x,x,x,x)
		mov	ebx, edx
		mov	[ebp+var_70], ebx
		mov	edx, [ebp+var_68]
		dec	edx
		mov	[ebp+var_68], edx
		mov	ecx, [ebp+var_6C]
		mov	cl, ds:_RtlpIntegerChars[ecx]
		mov	[edx], cl
		mov	ecx, eax
		or	ecx, ebx
		mov	ecx, ebx
		jnz	short loc_8CE222
		jmp	loc_748909
; 

loc_8CE252:				; CODE XREF: RtlLargeIntegerToChar+A8j
		neg	edi
		cmp	ebx, edi
		jge	loc_74891E
		sub	edi, ebx
		mov	esi, edi
		push	esi		; size_t
		push	30h		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	edi, ebx
		mov	eax, [ebp+var_64]
		add	eax, esi
		mov	[ebp+var_64], eax
		mov	edx, [ebp+var_68]
		jmp	loc_74891C
; END OF FUNCTION CHUNK	FOR RtlLargeIntegerToChar

;  S U B	R O U T	I N E 


sub_8CE27E	proc near		; DATA XREF: .text:006A035Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-74h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8CE27E	endp


;  S U B	R O U T	I N E 


sub_8CE28C	proc near		; DATA XREF: .text:006A0360o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-74h]
		jmp	loc_748943
sub_8CE28C	endp

; 
; START	OF FUNCTION CHUNK FOR CmpIssueNewDirtyCallback

loc_8CE29E:				; CODE XREF: CmpIssueNewDirtyCallback+Aj
		cmp	_CmpCoalescingCallbackActive, 0
		jz	loc_748EA0
		push	ecx
		mov	ecx, _CmpCoalescingRegistration
		xor	edx, edx
		call	_PoIssueCoalescingNotification@12 ; PoIssueCoalescingNotification(x,x,x)
		pop	ecx
		retn
; END OF FUNCTION CHUNK	FOR CmpIssueNewDirtyCallback
; 
; START	OF FUNCTION CHUNK FOR RtlUnicodeToOemN

loc_8CE2BB:				; CODE XREF: RtlUnicodeToOemN+Fj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_8CE2C5
		lea	eax, [ebp+arg_8]

loc_8CE2C5:				; CODE XREF: RtlUnicodeToOemN+1853D0j
		xor	esi, esi
		cmp	[ebp+arg_10], esi
		jnz	short loc_8CE2D0
		mov	[eax], esi
		jmp	short loc_8CE2EE
; 

loc_8CE2D0:				; CODE XREF: RtlUnicodeToOemN+1853DAj
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	RtlUnicodeToUTF8N
		cmp	eax, 0C0000023h
		jnz	short loc_8CE2EE
		mov	esi, 80000005h

loc_8CE2EE:				; CODE XREF: RtlUnicodeToOemN+1853DEj
					; RtlUnicodeToOemN+1853F7j
		mov	eax, esi
		jmp	loc_748F61
; 

loc_8CE2F5:				; CODE XREF: RtlUnicodeToOemN+28j
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		mov	[ebp+arg_10], ecx
		test	edi, edi
		jz	short loc_8CE33D
		mov	ebx, [ebp+arg_C]

loc_8CE304:				; CODE XREF: RtlUnicodeToOemN+185448j
		test	edx, edx
		jz	short loc_8CE33A
		movzx	ecx, word ptr [ebx]
		add	ebx, 2
		mov	eax, ds:_NlsUnicodeToMbOemData
		movzx	eax, word ptr [eax+ecx*2]
		mov	ecx, eax
		mov	[ebp+arg_4], eax
		shr	ecx, 8
		test	cl, cl
		jz	short loc_8CE331
		mov	eax, edx
		dec	edx
		cmp	eax, 2
		jb	short loc_8CE33A
		mov	eax, [ebp+arg_4]
		mov	[esi], cl
		inc	esi

loc_8CE331:				; CODE XREF: RtlUnicodeToOemN+185431j
		mov	[esi], al
		inc	esi
		dec	edx
		sub	edi, 1
		jnz	short loc_8CE304

loc_8CE33A:				; CODE XREF: RtlUnicodeToOemN+185416j
					; RtlUnicodeToOemN+185439j
		mov	ecx, [ebp+arg_10]

loc_8CE33D:				; CODE XREF: RtlUnicodeToOemN+18540Fj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_748F56
		sub	esi, ecx
		mov	[eax], esi
		jmp	loc_748F56
; END OF FUNCTION CHUNK	FOR RtlUnicodeToOemN
; 
; START	OF FUNCTION CHUNK FOR RtlUnicodeStringToCountedOemString

loc_8CE351:				; CODE XREF: RtlUnicodeStringToCountedOemString+18j
		xor	ecx, ecx
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		and	[eax+4], ecx
		xor	eax, eax
		jmp	loc_749010
; 

loc_8CE362:				; CODE XREF: RtlUnicodeStringToCountedOemString+23j
		mov	eax, 0C00000F0h
		jmp	loc_749010
; 

loc_8CE36C:				; CODE XREF: RtlUnicodeStringToCountedOemString+36j
		mov	[edi+2], cx
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[edi+4], eax
		test	eax, eax
		jnz	loc_748FB2
		mov	eax, 0C0000017h
		jmp	loc_749010
; 

loc_8CE38B:				; CODE XREF: RtlUnicodeStringToCountedOemString+40j
		mov	eax, 80000005h
		jmp	loc_749010
; 

loc_8CE395:				; CODE XREF: RtlUnicodeStringToCountedOemString+80j
		mov	esi, 0C0000162h
		mov	[ebp+var_1C], esi
		jmp	loc_748FF2
; END OF FUNCTION CHUNK	FOR RtlUnicodeStringToCountedOemString

;  S U B	R O U T	I N E 


sub_8CE3A2	proc near		; DATA XREF: .text:006A0380o
		mov	edi, [ebp+8]
		mov	esi, [ebp-1Ch]
		jmp	sub_749022
sub_8CE3A2	endp

; 
; START	OF FUNCTION CHUNK FOR sub_749022

loc_8CE3AD:				; CODE XREF: sub_749022+4j
					; sub_749022+Cj
		cmp	byte ptr [ebp+10h], 0
		jz	locret_749034
		push	dword ptr [edi+4]
		call	_ExFreePool@4	; ExFreePool(x)
		and	dword ptr [edi+4], 0
		retn
; END OF FUNCTION CHUNK	FOR sub_749022
; 
; START	OF FUNCTION CHUNK FOR HvpViewMapMakeViewRangeValid

loc_8CE3C4:				; CODE XREF: HvpViewMapMakeViewRangeValid+155j
		mov	[esi+20h], edi
		mov	[esi+24h], edx
		jmp	loc_749158
; 

loc_8CE3CF:				; CODE XREF: HvpViewMapMakeViewRangeValid+13Cj
					; HvpViewMapMakeViewRangeValid+186j ...
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, [ebp+var_8]
		push	80000001h
		push	edi
		push	[ebp+var_10]
		mov	edx, [eax+18h]
		call	_CmSiProtectViewOfSection@24 ; CmSiProtectViewOfSection(x,x,x,x,x,x)
		jmp	loc_74915A
; END OF FUNCTION CHUNK	FOR HvpViewMapMakeViewRangeValid
; 
; START	OF FUNCTION CHUNK FOR HvpViewMapCreateView

loc_8CE3EC:				; CODE XREF: HvpViewMapCreateView+33j
		mov	edi, 0C000009Ah
		jmp	loc_7492AA
; 

loc_8CE3F6:				; CODE XREF: HvpViewMapCreateView+B0j
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_8CE406
		mov	edx, [ebx+18h]
		push	eax
		call	_CmSiUnmapViewOfSection@12 ; CmSiUnmapViewOfSection(x,x,x)

loc_8CE406:				; CODE XREF: HvpViewMapCreateView+185207j
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	loc_7492AA
; END OF FUNCTION CHUNK	FOR HvpViewMapCreateView
; 
; START	OF FUNCTION CHUNK FOR HvpViewMapCreateViewsForRegion

loc_8CE412:				; CODE XREF: HvpViewMapCreateViewsForRegion+C5j
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jl	short loc_8CE446
		mov	eax, [ebp+var_C]
		jg	short loc_8CE423
		cmp	eax, [ebp+var_18]
		jbe	short loc_8CE446

loc_8CE423:				; CODE XREF: HvpViewMapCreateViewsForRegion+185164j
		push	0
		push	2
		push	ecx
		push	eax
		call	__alldiv
		mov	esi, [ebp+var_8]
		mov	ecx, eax
		mov	edi, [ebp+var_14]
		mov	ebx, edx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], ebx
		jmp	loc_7493D7
; 

loc_8CE446:				; CODE XREF: HvpViewMapCreateViewsForRegion+18515Fj
					; HvpViewMapCreateViewsForRegion+185169j
		mov	esi, [ebp+var_8]
		jmp	loc_7494C2
; 

loc_8CE44E:				; CODE XREF: HvpViewMapCreateViewsForRegion+20Cj
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_8CE461
		push	eax
		mov	eax, [ebp+var_4]
		mov	edx, [eax+18h]
		call	_CmSiUnmapViewOfSection@12 ; CmSiUnmapViewOfSection(x,x,x)

loc_8CE461:				; CODE XREF: HvpViewMapCreateViewsForRegion+18519Bj
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	loc_7494CA
; 

loc_8CE46D:				; CODE XREF: HvpViewMapCreateViewsForRegion+1851F6j
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_8CE480
		push	eax
		mov	eax, [ebp+var_4]
		mov	edx, [eax+18h]
		call	_CmSiUnmapViewOfSection@12 ; CmSiUnmapViewOfSection(x,x,x)

loc_8CE480:				; CODE XREF: HvpViewMapCreateViewsForRegion+1851BAj
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)
		mov	esi, [ebp+var_38]

loc_8CE48A:				; CODE XREF: HvpViewMapCreateViewsForRegion+21Aj
		lea	eax, [ebp+var_38]
		cmp	[esi+4], eax
		jnz	loc_7494F8
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_7494F8
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_38], eax
		mov	[eax+4], ecx
		mov	eax, ecx
		cmp	esi, eax
		jnz	short loc_8CE46D
		jmp	loc_7494D8
; END OF FUNCTION CHUNK	FOR HvpViewMapCreateViewsForRegion
; 
; START	OF FUNCTION CHUNK FOR HvUnlockHiveWriter

loc_8CE4B5:				; CODE XREF: HvUnlockHiveWriter+Fj
		test	al, 4
		jnz	loc_749DBF
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_749DBF
; END OF FUNCTION CHUNK	FOR HvUnlockHiveWriter
; 
; START	OF FUNCTION CHUNK FOR CmpReorganizeHive

loc_8CE4C9:				; CODE XREF: CmpReorganizeHive+8Fj
		mov	esi, 0C0000189h

loc_8CE4CE:				; CODE XREF: CmpReorganizeHive+159j
		cmp	dword_6B2348, 5
		jbe	loc_749E42
		push	4000h
		xor	ebx, ebx
		mov	ecx, offset dword_6B2348
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_749E42
		lea	eax, [ebp+var_14C]
		mov	[ebp+var_14C], esi
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_154]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	4
		push	ebx
		push	ebx
		push	offset dword_41A6DC
		push	offset dword_6B2348
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], 4
		mov	[ebp+var_20], ebx
		mov	[ebp+var_154], 1000000h
		mov	[ebp+var_150], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], 8
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_749E42
; 

loc_8CE553:				; CODE XREF: CmpReorganizeHive+205j
		mov	eax, [ebx+20h]
		xor	edx, edx
		mov	ecx, [eax+0A8h]
		mov	eax, [eax+0ACh]
		cmp	ecx, 2
		jnz	short loc_8CE571
		cmp	eax, edx
		jz	loc_749E74

loc_8CE571:				; CODE XREF: CmpReorganizeHive+184795j
		cmp	ecx, 1
		jnz	short loc_8CE57E
		cmp	eax, edx
		jz	loc_749E74

loc_8CE57E:				; CODE XREF: CmpReorganizeHive+1847A2j
					; CmpReorganizeHive+184806j
		mov	esi, edx
		jmp	loc_749F10
; 

loc_8CE585:				; CODE XREF: CmpReorganizeHive+171j
		lea	eax, [ecx+30h]
		mov	[ebp+var_150], eax
		xor	eax, eax
		mov	esi, [ebp+var_150]
		mov	ecx, eax
		xor	ebx, ebx

loc_8CE59A:				; CODE XREF: CmpReorganizeHive+1847D6j
		movzx	eax, cx
		cmp	[esi+eax*2], bx
		jz	short loc_8CE5AA
		inc	ecx
		cmp	cx, 1Fh
		jb	short loc_8CE59A

loc_8CE5AA:				; CODE XREF: CmpReorganizeHive+1847CFj
		mov	ebx, [ebp+var_168]
		lea	eax, [ecx+ecx]
		mov	esi, [ebp+var_160]
		lea	ecx, [ebp+var_154]
		mov	word ptr [ebp+var_154],	ax
		mov	[ebp+var_158], ecx
		jmp	loc_749F4F
; 

loc_8CE5D1:				; CODE XREF: CmpReorganizeHive+195j
					; CmpReorganizeHive+1A5j
		mov	eax, [ebx+20h]
		cmp	dword ptr [eax+24h], 0FFFFFFFFh
		jz	short loc_8CE57E
		or	edi, 1
		lea	ecx, [ebp+var_178]
		mov	edx, ebx
		mov	[ebp+var_144], edi
		call	_CmpCreateEmptyHiveClone@8 ; CmpCreateEmptyHiveClone(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8CEBA5
		mov	edx, [ebx+20h]
		xor	eax, eax
		mov	edi, [ebp+var_178]
		push	eax
		push	ecx
		mov	edx, [edx+24h]
		mov	ecx, ebx
		push	6
		push	0FFFFFFFFh
		push	edi
		call	_CmpCopyKeyPartial@28 ;	CmpCopyKeyPartial(x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0FFFFFFFFh
		jz	loc_8CE8F4
		mov	eax, [edi+20h]
		mov	ecx, edi
		mov	[eax+24h], esi
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)
		mov	edx, [ebx+20h]
		xor	eax, eax
		push	eax
		push	42h
		push	esi
		mov	edx, [edx+24h]
		mov	ecx, ebx
		push	edi
		call	_CmpCopySyncTree@24 ; CmpCopySyncTree(x,x,x,x,x,x)
		test	al, al
		jz	loc_8CE8F4
		xor	ecx, ecx
		mov	edx, 154h
		push	33394D43h
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_16C], esi
		test	esi, esi
		jz	loc_8CE8F4
		push	154h		; size_t
		xor	eax, eax
		push	eax		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, 1F0000h
		mov	ecx, edi
		push	esi
		call	_CmCheckRegistry@12 ; CmCheckRegistry(x,x,x)
		mov	esi, eax
		mov	[ebp+var_14C], esi
		test	esi, esi
		jns	loc_8CE8FE
		cmp	dword_6B2348, 5
		jbe	loc_8CE893
		push	4000h
		xor	eax, eax
		mov	ecx, offset dword_6B2348
		push	eax
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_8CE893
		push	4
		mov	[ebp+var_170], esi
		lea	eax, [ebp+var_170]
		mov	[ebp+var_11C], eax
		xor	edx, edx
		pop	esi
		mov	[ebp+var_114], esi
		mov	esi, [ebp+var_16C]
		mov	[ebp+var_118], edx
		mov	[ebp+var_110], edx
		mov	[ebp+var_108], edx
		lea	ecx, [esi+4]
		mov	[ebp+var_100], edx
		movzx	edi, word ptr [ecx]
		lea	edx, [esi+6]
		movzx	ebx, word ptr [edx]
		mov	eax, edi
		mov	[ebp+var_180], eax
		add	esi, 132h
		lea	eax, [ebp+var_180]
		mov	[ebp+var_DC], ecx
		mov	ecx, [ebp+var_16C]
		mov	[ebp+var_10C], eax
		mov	eax, ebx
		mov	[ebp+var_158], eax
		lea	eax, [ebp+var_158]
		mov	[ebp+var_FC], eax
		xor	eax, eax
		mov	[ebp+var_F8], eax
		mov	[ebp+var_F0], eax
		mov	al, [esi]
		mov	[ebp+var_13D], al
		movzx	eax, al
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_148]
		mov	[ebp+var_EC], eax
		xor	eax, eax
		mov	[ebp+var_E8], eax
		mov	[ebp+var_E0], eax
		mov	[ebp+var_D8], eax
		mov	[ebp+var_D0], eax
		lea	eax, [ecx+8]
		mov	[ebp+var_CC], eax
		xor	eax, eax
		mov	[ebp+var_C8], eax
		mov	[ebp+var_C0], eax
		lea	eax, [ecx+68h]
		mov	[ebp+var_AC], eax
		lea	eax, [ecx+134h]
		imul	edi, 0Ch
		mov	[ebp+var_8C], eax
		movzx	eax, [ebp+var_13D]
		mov	[ebp+var_BC], edx
		xor	edx, edx
		imul	ebx, 0Ch
		shl	eax, 3
		push	2
		mov	[ebp+var_C4], edi
		pop	edi
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_154]
		mov	[ebp+var_104], 2
		mov	[ebp+var_F4], 2
		mov	[ebp+var_E4], 2
		mov	[ebp+var_D4], 2
		mov	[ebp+var_B8], edx
		mov	[ebp+var_B4], edi
		mov	[ebp+var_B0], edx
		mov	[ebp+var_A8], edx
		mov	[ebp+var_A4], ebx
		mov	[ebp+var_A0], edx
		mov	[ebp+var_9C], esi
		mov	[ebp+var_98], edx
		mov	[ebp+var_94], edi
		mov	[ebp+var_90], edx
		mov	[ebp+var_88], edx
		mov	[ebp+var_80], edx
		mov	[ebp+var_154], 1000000h
		mov	[ebp+var_150], edx
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], edx
		lea	eax, [ebp+var_13C]
		mov	[ebp+var_74], 8
		push	eax
		push	0Dh
		push	edx
		push	edx
		push	offset word_41A71E
		push	offset dword_6B2348
		mov	[ebp+var_70], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	ebx, [ebp+var_168]
		mov	esi, [ebp+var_14C]

loc_8CE893:				; CODE XREF: CmpReorganizeHive+1848CFj
					; CmpReorganizeHive+1848E9j
		cmp	esi, 0C000014Ch
		jz	short loc_8CE8A7
		cmp	esi, 8000002Ah
		jnz	loc_8CEBA5

loc_8CE8A7:				; CODE XREF: CmpReorganizeHive+184AC7j
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, ebx
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	ecx, ebx
		call	_HvLockHiveWriter@4 ; HvLockHiveWriter(x)
		mov	ecx, ebx
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)
		mov	eax, [ebx+20h]
		mov	edi, [ebp+var_144]
		mov	ecx, [ebp+var_160]
		mov	[eax+0A8h], edi
		mov	[eax+0ACh], ecx
		mov	ecx, ebx
		call	HvUnlockHiveWriter
		mov	ecx, ebx
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		jmp	loc_8CEBA5
; 

loc_8CE8F4:				; CODE XREF: CmpReorganizeHive+184849j
					; CmpReorganizeHive+184872j ...
		mov	esi, 0C000009Ah
		jmp	loc_8CEBA5
; 

loc_8CE8FE:				; CODE XREF: CmpReorganizeHive+1848C2j
		mov	eax, [ebx+20h]
		test	byte ptr [eax+0FF8h], 4
		jnz	loc_8CEA13
		mov	eax, [edi+0BECh]
		mov	esi, [ebx+0BECh]
		mov	[ebp+var_148], eax
		cmp	esi, eax
		jz	loc_8CEA13
		cmp	dword_6B2348, 5
		jbe	loc_8CE9C1
		push	4000h
		xor	eax, eax
		mov	edi, offset dword_6B2348
		push	eax
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_8CE9C1
		lea	eax, [ebp+var_14C]
		mov	[ebp+var_14C], esi
		mov	[ebp+var_3C], eax
		xor	ecx, ecx
		mov	eax, [ebp+var_148]
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_148]
		push	4
		pop	esi
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_154]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	5
		push	ecx
		push	ecx
		push	offset dword_41A674
		push	edi
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_154], 1000000h
		mov	[ebp+var_150], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], 8
		mov	[ebp+var_10], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_8CE9C1:				; CODE XREF: CmpReorganizeHive+184B5Dj
					; CmpReorganizeHive+184B79j
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, ebx
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	ecx, ebx
		call	_HvLockHiveWriter@4 ; HvLockHiveWriter(x)
		mov	ecx, ebx
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)
		mov	eax, [ebx+20h]
		mov	edi, [ebp+var_144]
		mov	ecx, [ebp+var_160]
		mov	[eax+0A8h], edi
		mov	[eax+0ACh], ecx
		mov	ecx, ebx
		call	HvUnlockHiveWriter
		mov	ecx, ebx
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	esi, 0C000014Ch
		jmp	loc_8CEBA5
; 

loc_8CEA13:				; CODE XREF: CmpReorganizeHive+184B36j
					; CmpReorganizeHive+184B50j
		xor	eax, eax
		mov	edx, edi
		mov	[edi+1Ch], eax
		mov	ecx, ebx
		mov	eax, [edi+0C8h]
		mov	esi, [ebx+0C8h]
		mov	[ebp+var_168], eax
		call	_CmpSwapHiveStorage@8 ;	CmpSwapHiveStorage(x,x)
		cmp	dword_6B2348, 5
		jbe	loc_8CEB01
		push	4000h
		xor	eax, eax
		mov	edi, offset dword_6B2348
		push	eax
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_8CEB01
		mov	ecx, [ebx+20h]
		push	4
		pop	edx
		mov	eax, [ecx+0A8h]
		mov	[ebp+var_174], eax
		mov	eax, [ecx+0ACh]
		xor	ecx, ecx
		mov	[ebp+var_170], eax
		lea	eax, [ebp+var_174]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_14C]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_168]
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_148]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_184]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	6
		push	ecx
		push	ecx
		push	offset word_41A61E
		push	edi
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], 8
		mov	[ebp+var_40], ecx
		mov	[ebp+var_14C], esi
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_184], 1000000h
		mov	[ebp+var_180], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], 8
		mov	[ebp+var_10], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_8CEB01:				; CODE XREF: CmpReorganizeHive+184C68j
					; CmpReorganizeHive+184C84j
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, ebx
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	ecx, ebx
		call	_HvLockHiveWriter@4 ; HvLockHiveWriter(x)
		mov	ecx, ebx
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)
		mov	eax, [ebx+20h]
		mov	edi, [ebp+var_144]
		mov	ecx, [ebp+var_160]
		mov	[eax+0A8h], edi
		mov	[eax+0ACh], ecx
		mov	ecx, ebx
		call	HvUnlockHiveWriter
		mov	ecx, ebx
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ebx, [ebp+var_168]
		mov	edx, esi
		mov	ecx, [ebp+var_158]
		push	ebx
		call	_CmpLogReorganizeEvent@12 ; CmpLogReorganizeEvent(x,x,x)
		cmp	ebx, esi
		jnb	short loc_8CEBA1
		xor	ecx, ecx
		cmp	_CmpFirstReorganize, cl
		jz	short loc_8CEB8E
		mov	eax, [ebp+var_160]
		mov	_CmpReorganizeTotalBytesSaved, ecx
		mov	dword_6FDE74, ecx
		mov	_CmpReorganizeLastRun, edi
		mov	dword_6FDF34, eax
		mov	_CmpFirstReorganize, cl

loc_8CEB8E:				; CODE XREF: CmpReorganizeHive+184D97j
		sub	esi, ebx
		add	_CmpReorganizeTotalBytesSaved, esi
		adc	dword_6FDE74, ecx
		call	CmpUpdateReorganizeRegistryValues

loc_8CEBA1:				; CODE XREF: CmpReorganizeHive+184D8Dj
		xor	eax, eax
		mov	esi, eax

loc_8CEBA5:				; CODE XREF: CmpReorganizeHive+184822j
					; CmpReorganizeHive+184ACFj ...
		mov	ecx, [ebp+var_178]
		test	ecx, ecx
		jz	loc_749F10
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)
		jmp	loc_749F10
; 

loc_8CEBBD:				; CODE XREF: CmpReorganizeHive+14Bj
		mov	ecx, eax
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	loc_749F23
; END OF FUNCTION CHUNK	FOR CmpReorganizeHive
; 
; START	OF FUNCTION CHUNK FOR HvHiveStartFileBacked

loc_8CEBC9:				; CODE XREF: HvHiveStartFileBacked+143j
		mov	esi, 0C000009Ah
		push	10h
		jmp	short loc_8CEBD4
; 

loc_8CEBD2:				; CODE XREF: HvHiveStartFileBacked+DFj
		push	40h

loc_8CEBD4:				; CODE XREF: HvHiveStartFileBacked+184AE8j
		mov	ecx, [ebp+arg_28]
		xor	edx, edx
		push	esi
		push	18h
		call	SetFailureLocation
		jmp	loc_74A203
; 

loc_8CEBE6:				; CODE XREF: HvHiveStartFileBacked+18Fj
		mov	dword ptr [esi+90h], 2
		jmp	loc_74A27D
; 

loc_8CEBF5:				; CODE XREF: HvHiveStartFileBacked+1CAj
		lea	edi, [esi+70h]
		mov	esi, eax
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+arg_0]
		mov	esi, eax
		lea	edi, [edi+80h]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_0]
		jmp	loc_74A2B8
; 

loc_8CEC15:				; CODE XREF: HvHiveStartFileBacked+1D4j
		lea	edi, [esi+94h]
		mov	esi, [ebp+arg_1C]
		movsd
		movsd
		movsd
		movsd
		jmp	loc_74A2C2
; 

loc_8CEC27:				; CODE XREF: HvHiveStartFileBacked+EEj
		test	esi, esi
		jz	loc_74A1DC
		mov	byte ptr [esi],	1
		jmp	loc_74A1DC
; 

loc_8CEC37:				; CODE XREF: HvHiveStartFileBacked+10Bj
		mov	ecx, ebx
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)
		test	esi, esi
		jz	short loc_8CEC45
		mov	byte ptr [esi],	1

loc_8CEC45:				; CODE XREF: HvHiveStartFileBacked+184B58j
		mov	eax, [ebx+20h]
		and	dword ptr [eax+90h], 0FFFFFFFEh
		mov	ecx, [ebx+20h]
		jmp	loc_74A1F9
; END OF FUNCTION CHUNK	FOR HvHiveStartFileBacked
; 
; START	OF FUNCTION CHUNK FOR CmpVolumeManagerGetContextForFile

loc_8CEC57:				; CODE XREF: CmpVolumeManagerGetContextForFile+71j
					; CmpVolumeManagerGetContextForFile+7Dj ...
		lea	eax, [ebp+var_18]
		mov	edi, offset _CmpVolumeManager
		push	eax
		xor	edx, edx
		mov	ecx, edi
		call	CmpVolumeContextCreate
		mov	esi, eax
		test	esi, esi
		js	loc_74A4EE
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		jmp	loc_74A4B7
; 

loc_8CEC81:				; CODE XREF: CmpVolumeManagerGetContextForFile+C1j
		mov	ecx, ebx
		call	_CmpVolumeContextFree@4	; CmpVolumeContextFree(x)
		jmp	loc_74A45B
; END OF FUNCTION CHUNK	FOR CmpVolumeManagerGetContextForFile
; 
; START	OF FUNCTION CHUNK FOR CmpVolumeManagerGetContextForGuidUnsafe

loc_8CEC8D:				; CODE XREF: CmpVolumeManagerGetContextForGuidUnsafe+2Aj
		mov	esi, [esi]
		cmp	esi, ebx
		jz	loc_74A53A
		mov	eax, [ebp+var_4]
		jmp	loc_74A50F
; END OF FUNCTION CHUNK	FOR CmpVolumeManagerGetContextForGuidUnsafe
; 
; START	OF FUNCTION CHUNK FOR IoVolumeDeviceToGuidPath

loc_8CEC9F:				; CODE XREF: IoVolumeDeviceToGuidPath+54j
		cmp	eax, 2
		jz	loc_74A62C
		cmp	eax, 24h
		jz	loc_74A62C
		cmp	eax, 1Fh
		jz	loc_74A62C
		mov	ecx, 0C000000Dh
		jmp	loc_74A6CF
; 

loc_8CECC4:				; CODE XREF: IoVolumeDeviceToGuidPath+8Ej
		mov	ecx, 0C000009Ah
		jmp	loc_74A6CF
; 

loc_8CECCE:				; CODE XREF: IoVolumeDeviceToGuidPath+A5j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+250h+var_218]
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, [esp+240h+var_220]
		jmp	loc_74A67D
; END OF FUNCTION CHUNK	FOR IoVolumeDeviceToGuidPath
; 
; START	OF FUNCTION CHUNK FOR IoVolumeDeviceNameToGuidPath

loc_8CECE7:				; CODE XREF: IoVolumeDeviceNameToGuidPath+61j
		mov	esi, 0C000000Dh
		jmp	loc_74A9B0
; 

loc_8CECF1:				; CODE XREF: IoVolumeDeviceNameToGuidPath+83j
		mov	esi, 0C000009Ah
		jmp	loc_74A9B0
; 

loc_8CECFB:				; CODE XREF: IoVolumeDeviceNameToGuidPath+26Fj
		xor	eax, eax
		mov	[esi], eax

loc_8CECFF:				; CODE XREF: IoVolumeDeviceNameToGuidPath+13Bj
					; IoVolumeDeviceNameToGuidPath+18Ej ...
		mov	esi, 0C000009Ah
		jmp	loc_74A986
; 

loc_8CED09:				; CODE XREF: IoVolumeDeviceNameToGuidPath+154j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+80h+var_38]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+70h+var_50]
		jmp	loc_74A84A
; 

loc_8CED22:				; CODE XREF: IoVolumeDeviceNameToGuidPath+177j
		mov	esi, 0C0000206h
		jmp	loc_74A986
; 

loc_8CED2C:				; CODE XREF: IoVolumeDeviceNameToGuidPath+1E6j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+80h+var_38]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+70h+var_50]
		jmp	loc_74A8DC
; END OF FUNCTION CHUNK	FOR IoVolumeDeviceNameToGuidPath
; 
; START	OF FUNCTION CHUNK FOR IopSynchronousCall

loc_8CED45:				; CODE XREF: IopSynchronousCall+51j
		mov	esi, 0C000009Ah
		jmp	loc_74AA9D
; END OF FUNCTION CHUNK	FOR IopSynchronousCall
; 
; START	OF FUNCTION CHUNK FOR CmpGetVolumeClusterSize

loc_8CED4F:				; CODE XREF: CmpGetVolumeClusterSize+10Cj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	ebx
		call	KeWaitForSingleObject
		mov	esi, [edi+18h]
		jmp	loc_74AC06
; 

loc_8CED63:				; CODE XREF: CmpGetVolumeClusterSize+99j
		mov	esi, 0C000000Dh
		jmp	loc_74AC0E
; 

loc_8CED6D:				; CODE XREF: CmpGetVolumeClusterSize+AEj
		xor	edi, edi

loc_8CED6F:				; CODE XREF: CmpGetVolumeClusterSize+11Ej
					; CmpGetVolumeClusterSize+13Cj
		push	3
		push	18h
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		push	[ebp+var_48]
		call	_ZwQueryVolumeInformationFile@20 ; ZwQueryVolumeInformationFile(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74AC58
		mov	ecx, [ebp+var_24]
		jmp	loc_74AC36
; END OF FUNCTION CHUNK	FOR CmpGetVolumeClusterSize
; 
; START	OF FUNCTION CHUNK FOR CmpTraceHiveMountStop

loc_8CED95:				; CODE XREF: CmpTraceHiveMountStop+3Cj
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_10], 4
		mov	[ebp+var_18], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], ecx
		push	eax
		push	1
		push	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_C], ecx
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_74AD92
; END OF FUNCTION CHUNK	FOR CmpTraceHiveMountStop
; 
; START	OF FUNCTION CHUNK FOR CmpTraceHiveMountStart

loc_8CEDC1:				; CODE XREF: CmpTraceHiveMountStart+39j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_74ADDF
; END OF FUNCTION CHUNK	FOR CmpTraceHiveMountStart
; 
; START	OF FUNCTION CHUNK FOR MmGetSystemRoutineAddress

loc_8CEDD6:				; CODE XREF: MmGetSystemRoutineAddress+20j
		push	offset _MiShortTime
		push	esi
		push	esi
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_74AE0C
; END OF FUNCTION CHUNK	FOR MmGetSystemRoutineAddress
; 
; START	OF FUNCTION CHUNK FOR WmipForwardWmiIrp

loc_8CEDE7:				; CODE XREF: WmipForwardWmiIrp+3Aj
		mov	ecx, edi
		call	WmipUnreferenceRegEntry

loc_8CEDEE:				; CODE XREF: WmipForwardWmiIrp+2Cj
		cmp	bl, 1
		jz	short loc_8CEE01
		mov	eax, 0C0000001h
		cmp	bl, 2
		jnz	loc_74B089

loc_8CEE01:				; CODE XREF: WmipForwardWmiIrp+183EB7j
		mov	eax, 0C0000296h
		jmp	loc_74B089
; 

loc_8CEE0B:				; CODE XREF: WmipForwardWmiIrp+74j
					; WmipForwardWmiIrp+92j
		cmp	dword ptr [edi+0Ch], 0
		jz	loc_74AFD2
		mov	ecx, _WmipServiceDeviceObject
		mov	[esp+28h+var_1C], ecx
		jmp	loc_74AFD6
; 

loc_8CEE24:				; CODE XREF: WmipForwardWmiIrp+179j
		mov	ecx, edi
		call	WmipUnreferenceRegEntry
		mov	cl, bh
		call	_WmipUpdateDeviceStackSize@4 ; WmipUpdateDeviceStackSize(x)
		mov	esi, 0C0000298h
		jmp	loc_74B07E
; 

loc_8CEE3C:				; CODE XREF: WmipForwardWmiIrp+121j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+38h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+28h+var_18]
		mov	esi, [eax+18h]
		jmp	loc_74B065
; END OF FUNCTION CHUNK	FOR WmipForwardWmiIrp
; 
; START	OF FUNCTION CHUNK FOR CmpFileFlushAndPurge

loc_8CEE58:				; CODE XREF: CmpFileFlushAndPurge+94j
		mov	esi, 0C000009Ah
		jmp	loc_74B1FB
; END OF FUNCTION CHUNK	FOR CmpFileFlushAndPurge
; 
; START	OF FUNCTION CHUNK FOR CmpTraceHiveFlushWroteLogFile

loc_8CEE62:				; CODE XREF: CmpTraceHiveFlushWroteLogFile+43j
		push	4
		pop	ecx
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_28], eax
		xor	edx, edx
		lea	eax, [ebp+var_40]
		mov	[ebp+var_24], edx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		push	edx
		lea	eax, [ebp+var_38]
		mov	[ebp+var_1C], edx
		push	eax
		push	esi
		push	edi
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_74B277
; END OF FUNCTION CHUNK	FOR CmpTraceHiveFlushWroteLogFile
; 
; START	OF FUNCTION CHUNK FOR HvWriteLogFile

loc_8CEE9C:				; CODE XREF: HvWriteLogFile+1Fj
					; HvWriteLogFile+2Dj
		mov	eax, 0C000000Dh
		jmp	loc_74B35C
; END OF FUNCTION CHUNK	FOR HvWriteLogFile
; 
; START	OF FUNCTION CHUNK FOR SeCheckForCriticalAceRemoval

loc_8CEEA6:				; CODE XREF: SeCheckForCriticalAceRemoval+98j
		mov	eax, [esp+60h+var_4E+2]
		lea	edx, [esp+60h+var_10]
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		mov	[esp+60h+var_18], eax
		mov	eax, ecx
		mov	[esp+60h+var_10], eax
		lea	eax, [esp+60h+var_48]
		push	eax
		push	4
		push	ebx
		push	ebx
		push	(offset	loc_422AE9+7)
		push	edi
		mov	[esp+78h+var_28], edx
		mov	[esp+78h+var_24], ebx
		mov	[esp+78h+var_20], 2
		mov	[esp+78h+var_1C], ebx
		mov	[esp+78h+var_14], ebx
		mov	[esp+78h+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_74B3BF
; END OF FUNCTION CHUNK	FOR SeCheckForCriticalAceRemoval
; 
; START	OF FUNCTION CHUNK FOR CmGetKCBCacheSecurity

loc_8CEEF3:				; CODE XREF: CmGetKCBCacheSecurity+38j
					; CmGetKCBCacheSecurity+1835BFj
		mov	ecx, [ebx+1Ch]
		mov	edx, edi
		call	CmEqualTrans
		test	al, al
		jz	short loc_8CEF0F
		cmp	dword ptr [ebx+24h], 9
		jnz	short loc_8CEF0F
		mov	eax, [ebx+30h]
		jmp	loc_74B9A0
; 

loc_8CEF0F:				; CODE XREF: CmGetKCBCacheSecurity+18359Fj
					; CmGetKCBCacheSecurity+1835A5j
		push	ecx
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_4]
		call	CmListGetPrevElement
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_8CEEF3
		jmp	loc_74B99E
; END OF FUNCTION CHUNK	FOR CmGetKCBCacheSecurity
; 
; START	OF FUNCTION CHUNK FOR CmpTraceSecurityChanging

loc_8CEF26:				; CODE XREF: CmpTraceSecurityChanging+5Fj
		mov	ecx, ebx
		call	_RtlLengthSecurityDescriptorStrict@4 ; RtlLengthSecurityDescriptorStrict(x)
		mov	esi, eax
		mov	eax, 0FFFFh
		cmp	esi, eax
		jbe	short loc_8CEF3A
		mov	esi, eax

loc_8CEF3A:				; CODE XREF: CmpTraceSecurityChanging+182FAAj
		mov	ecx, [ebp+var_C8]
		call	_RtlLengthSecurityDescriptorStrict@4 ; RtlLengthSecurityDescriptorStrict(x)
		mov	ebx, eax
		mov	eax, 0FFFFh
		cmp	ebx, eax
		jbe	short loc_8CEF52
		mov	ebx, eax

loc_8CEF52:				; CODE XREF: CmpTraceSecurityChanging+182FC2j
		mov	ecx, [ebp+var_CC]
		call	_RtlLengthSecurityDescriptorStrict@4 ; RtlLengthSecurityDescriptorStrict(x)
		mov	ecx, 0FFFFh
		mov	[ebp+var_C0], eax
		cmp	eax, ecx
		jbe	short loc_8CEF72
		mov	[ebp+var_C0], ecx

loc_8CEF72:				; CODE XREF: CmpTraceSecurityChanging+182FDEj
		cmp	dword_6B2348, 5
		jbe	loc_74BFF1
		push	0
		push	2
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_74BFF1
		movzx	ecx, word ptr [edi]
		lea	edx, [ebp+var_84]
		mov	eax, [edi+4]
		mov	[ebp+var_8C], eax
		mov	eax, ecx
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+var_C4]
		mov	[ebp+var_6C], eax
		movzx	eax, si
		mov	[ebp+var_64], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_C8]
		mov	[ebp+var_3C], eax
		movzx	eax, bx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_CC]
		push	2
		pop	ecx
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_C0]
		movzx	eax, ax
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_BC]
		push	eax
		push	0Bh
		mov	[ebp+var_9C], edx
		xor	edx, edx
		push	edx
		push	edx
		push	offset loc_41A1DD
		push	offset dword_6B2348
		mov	[ebp+var_98], edx
		mov	[ebp+var_94], 2
		mov	[ebp+var_90], edx
		mov	[ebp+var_88], edx
		mov	[ebp+var_80], edx
		mov	[ebp+var_78], edx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], edx
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], 4
		mov	[ebp+var_50], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_74BFF1
; END OF FUNCTION CHUNK	FOR CmpTraceSecurityChanging
; 
; START	OF FUNCTION CHUNK FOR CmpInitializeKcbCache

loc_8CF089:				; CODE XREF: CmpInitializeKcbCache+1Bj
		mov	eax, 0C000000Dh
		jmp	loc_74C13B
; 

loc_8CF093:				; CODE XREF: CmpInitializeKcbCache+2Cj
		mov	ebx, 0C000000Dh
		jmp	loc_74C119
; 

loc_8CF09D:				; CODE XREF: CmpInitializeKcbCache+4Aj
		mov	eax, [ebp+var_4]
		jmp	loc_74C140
; END OF FUNCTION CHUNK	FOR CmpInitializeKcbCache
; 
; START	OF FUNCTION CHUNK FOR CmpDoFileWrite

loc_8CF0A5:				; CODE XREF: CmpDoFileWrite+42j
		mov	ebx, 0C000009Ah
		jmp	loc_74C34F
; 

loc_8CF0AF:				; CODE XREF: CmpDoFileWrite+110j
		mov	eax, [esp+38h+var_28]
		mov	ecx, 10000h
		cmp	eax, ecx
		jnb	short loc_8CF0C2
		mov	[esp+38h+var_1C], eax
		jmp	short loc_8CF0C8
; 

loc_8CF0C2:				; CODE XREF: CmpDoFileWrite+182F36j
		mov	eax, ecx
		mov	[esp+38h+var_1C], ecx

loc_8CF0C8:				; CODE XREF: CmpDoFileWrite+182F3Cj
		xor	edx, edx
		lea	ecx, [esp+38h+var_8]
		push	edx
		push	ecx
		push	eax
		push	[esp+44h+var_24]
		lea	eax, [esi+800h]
		lea	eax, [eax+edi*8]
		push	eax
		push	edx
		push	edx
		push	dword ptr [esi+edi*4]
		push	[esp+58h+var_20]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_74C2ED
		mov	ebx, [esp+38h+var_1C]
		jmp	loc_74C29A
; 

loc_8CF100:				; CODE XREF: CmpDoFileWrite+161j
		xor	ebx, ebx
		lea	eax, [esi+200h]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esi+100h]
		push	eax
		push	40h
		call	KeWaitForMultipleObjects
		mov	edi, ebx
		lea	eax, [esi+800h]
		mov	ecx, ebx

loc_8CF126:				; CODE XREF: CmpDoFileWrite+182FB3j
		mov	ebx, [eax]
		test	ebx, ebx
		js	loc_74C30F
		inc	ecx
		add	eax, 8
		cmp	ecx, 40h
		jb	short loc_8CF126
		jmp	loc_74C2EB
; END OF FUNCTION CHUNK	FOR CmpDoFileWrite
; 
; START	OF FUNCTION CHUNK FOR CmpLinkHiveToMaster

loc_8CF13E:				; CODE XREF: CmpLinkHiveToMaster+E7j
		push	10h
		push	edi
		push	1Eh
		xor	edx, edx
		mov	ecx, esi
		call	SetFailureLocation
		jmp	loc_74C6E4
; 

loc_8CF151:				; CODE XREF: CmpLinkHiveToMaster+1A6j
		mov	edi, [ebp+var_108]
		xor	edx, edx
		push	20h
		push	eax
		push	1Eh
		mov	ecx, edi
		call	SetFailureLocation
		push	0Eh
		add	edi, 11Ch
		lea	esi, [ebp+var_5C]
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_E4]
		jmp	loc_74C6E4
; 

loc_8CF17E:				; CODE XREF: CmpLinkHiveToMaster+217j
					; CmpLinkHiveToMaster+235j
		mov	edi, 0C000009Ah
		jmp	short loc_8CF1C6
; 

loc_8CF185:				; CODE XREF: CmpLinkHiveToMaster+297j
		push	edi
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	edx, edi
		mov	ecx, ebx
		call	CmpRecordUnloadEventForHive
		jmp	loc_74C695
; 

loc_8CF199:				; CODE XREF: CmpLinkHiveToMaster+2A4j
		mov	ecx, [esi+8]
		mov	dl, 21h
		call	_CmpEtwDumpKcb@8 ; CmpEtwDumpKcb(x,x)
		jmp	loc_74C6A2
; 

loc_8CF1A8:				; CODE XREF: CmpLinkHiveToMaster+2F0j
		xor	esi, esi
		cmp	[ebp+var_D9], 0
		jz	loc_74C6EE
		lea	ecx, [ebp+var_1C]
		call	CmpAttachToRegistryProcess
		mov	byte ptr [ebp+var_EC], 0

loc_8CF1C6:				; CODE XREF: CmpLinkHiveToMaster+182D8Bj
		cmp	[ebp+arg_20], 0
		jnz	short loc_8CF1D1
		call	_CmpLockRegistry@0 ; CmpLockRegistry()

loc_8CF1D1:				; CODE XREF: CmpLinkHiveToMaster+182DD2j
		mov	edx, [esi+8]
		lea	eax, [ebp+var_FC]
		push	eax
		mov	ecx, ebx
		call	_CmpRemoveHiveFromNamespace@12 ; CmpRemoveHiveFromNamespace(x,x,x)
		xor	dl, dl
		lea	ecx, [ebp+var_FC]
		call	CmpDrainDelayDerefContext
		cmp	[ebp+arg_20], 0
		jnz	short loc_8CF1FA
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_8CF1FA:				; CODE XREF: CmpLinkHiveToMaster+182DFBj
		cmp	byte ptr [ebp+var_EC], 0
		jz	loc_74C6EE
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_74C6EE
; 

loc_8CF216:				; CODE XREF: CmpLinkHiveToMaster+327j
		mov	edx, [ebp+var_F4]
		mov	ecx, ebx
		call	_CmpLogHiveLinkEvent@8 ; CmpLogHiveLinkEvent(x,x)
		jmp	loc_74C725
; END OF FUNCTION CHUNK	FOR CmpLinkHiveToMaster
; 
; START	OF FUNCTION CHUNK FOR CmpGetSymbolicLinkTarget

loc_8CF228:				; CODE XREF: CmpGetSymbolicLinkTarget+164j
		movzx	edx, word ptr [ecx+2]
		jmp	loc_74D32F
; 

loc_8CF231:				; CODE XREF: CmpGetSymbolicLinkTarget+196j
		mov	eax, [edx+0Ch]
		mov	edi, [eax+edi*4-8]
		jmp	loc_74C930
; 

loc_8CF23D:				; CODE XREF: CmpGetSymbolicLinkTarget+1CCj
		mov	cl, 1
		and	ebx, 0FFFFFFFEh
		jmp	loc_74C962
; 

loc_8CF247:				; CODE XREF: CmpGetSymbolicLinkTarget+217j
		mov	eax, [edi+0Ch]
		mov	ecx, [eax+ecx*4-8]
		jmp	loc_74C9B1
; 

loc_8CF253:				; CODE XREF: CmpGetSymbolicLinkTarget+299j
		mov	esi, 0C0000034h
		jmp	loc_74D0E5
; 

loc_8CF25D:				; CODE XREF: CmpGetSymbolicLinkTarget+2B1j
		mov	bl, [ebp+var_75]
		mov	esi, 0C000009Ah
		jmp	loc_74CC3A
; 

loc_8CF26A:				; CODE XREF: CmpGetSymbolicLinkTarget+371j
		test	bx, bx
		jnz	loc_74CB98
		test	ax, ax
		jnz	loc_74CB98
		jmp	loc_74CB07
; 

loc_8CF281:				; CODE XREF: CmpGetSymbolicLinkTarget+3BEj
		test	bx, bx
		jnz	loc_74CB8F
		test	ax, ax
		jnz	loc_74CB8F
		jmp	loc_74CB54
; 

loc_8CF298:				; CODE XREF: CmpGetSymbolicLinkTarget+1D4j
					; CmpGetSymbolicLinkTarget+1DCj
		mov	eax, [ebp+var_8C]
		mov	bl, [ebp+var_8D]
		mov	[ebp+var_7C], eax
		jmp	loc_74CC85
; 

loc_8CF2AC:				; CODE XREF: CmpGetSymbolicLinkTarget+530j
		mov	eax, [edx+0Ch]
		mov	esi, [eax+esi*4-8]
		jmp	loc_74CCCA
; 

loc_8CF2B8:				; CODE XREF: CmpGetSymbolicLinkTarget+56Fj
		cmp	dword ptr [esi+94h], 0
		lea	edx, [esi+94h]
		jnz	short loc_8CF2D6
		mov	[ebp+var_94], 0FFFFFFFFh
		jmp	loc_74D339
; 

loc_8CF2D6:				; CODE XREF: CmpGetSymbolicLinkTarget+182B35j
		mov	ecx, [esi+10h]
		lea	eax, [ebp+var_94]
		push	eax
		push	0
		push	0
		push	offset _CmSymbolicLinkValueName
		call	_CmpFindNameInListWithStatus@24	; CmpFindNameInListWithStatus(x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_74CD4C
; 

loc_8CF2F5:				; CODE XREF: CmpGetSymbolicLinkTarget+5BEj
		cmp	esi, 0C0000034h
		jnz	short loc_8CF350
		jmp	loc_74D339
; 

loc_8CF302:				; CODE XREF: CmpGetSymbolicLinkTarget+633j
		mov	esi, 0C000009Ah
		jmp	short loc_8CF350
; 

loc_8CF309:				; CODE XREF: CmpGetSymbolicLinkTarget+6D4j
		mov	bl, [ebp+var_75]
		mov	esi, 0C000009Ah
		mov	edi, [ebp+var_7C]
		jmp	loc_74CC0D
; 

loc_8CF319:				; CODE XREF: CmpGetSymbolicLinkTarget+6FFj
		push	0
		push	[ebp+var_98]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_9C]
		jmp	loc_74CEA8
; 

loc_8CF331:				; CODE XREF: CmpGetSymbolicLinkTarget+882j
		mov	eax, [ebp+var_8C]
		mov	[ebp+var_7C], eax
		jmp	loc_74D037
; 

loc_8CF33F:				; CODE XREF: CmpGetSymbolicLinkTarget+928j
		mov	ecx, esi
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)
		jmp	loc_74D0BE
; 

loc_8CF34B:				; CODE XREF: CmpGetSymbolicLinkTarget+514j
					; CmpGetSymbolicLinkTarget+54Cj ...
		mov	esi, 0C0000034h

loc_8CF350:				; CODE XREF: CmpGetSymbolicLinkTarget+182B6Bj
					; CmpGetSymbolicLinkTarget+182B77j
		mov	edi, [ebp+var_7C]
		jmp	loc_74D0E5
; 

loc_8CF358:				; CODE XREF: CmpGetSymbolicLinkTarget+477j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_80]
		jmp	loc_74CC0D
; 

loc_8CF368:				; CODE XREF: CmpGetSymbolicLinkTarget+B4Dj
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_74D2F6
; 

loc_8CF375:				; CODE XREF: CmpGetSymbolicLinkTarget+49Aj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_74CC30
; 

loc_8CF382:				; CODE XREF: CmpGetSymbolicLinkTarget+4A4j
		mov	ecx, [ebp+var_88]
		call	CmpUnlockKcbStack
		jmp	loc_74CC3A
; 

loc_8CF392:				; CODE XREF: CmpGetSymbolicLinkTarget+4ACj
		test	bl, bl
		jz	short loc_8CF39D
		mov	ecx, edi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)

loc_8CF39D:				; CODE XREF: CmpGetSymbolicLinkTarget+182C04j
		mov	ecx, edi
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		jmp	loc_74CC42
; 

loc_8CF3A9:				; CODE XREF: CmpGetSymbolicLinkTarget+4BAj
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	loc_74CC50
; 

loc_8CF3B3:				; CODE XREF: CmpGetSymbolicLinkTarget+4C4j
		mov	edx, large fs:20h
		mov	ecx, [edx+5E0h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_8CF3F3
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5E4h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_8CF3F3
		push	[ebp+var_14]
		mov	eax, [ecx+2Ch]
		inc	dword ptr [ecx+18h]
		call	eax
		jmp	loc_74CC5A
; 

loc_8CF3F3:				; CODE XREF: CmpGetSymbolicLinkTarget+182C3Bj
					; CmpGetSymbolicLinkTarget+182C51j
		mov	edx, [ebp+var_14]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		jmp	loc_74CC5A
; END OF FUNCTION CHUNK	FOR CmpGetSymbolicLinkTarget
; 
; START	OF FUNCTION CHUNK FOR CmpReferenceKeyControlBlockUnsafe

loc_8CF400:				; CODE XREF: CmpReferenceKeyControlBlockUnsafe+8j
		xor	eax, eax
		push	eax
		push	eax
		push	ecx
		push	24h
		jmp	short loc_8CF410
; 

loc_8CF409:				; CODE XREF: CmpReferenceKeyControlBlockUnsafe+11j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	15h

loc_8CF410:				; CODE XREF: CmpReferenceKeyControlBlockUnsafe+1820ABj
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8CF418:				; CODE XREF: CmpGetLastHive+30j
		mov	esi, [esi+4]
		cmp	esi, offset _CmpHiveListHead
		jnz	loc_74D395
		jmp	loc_74D3AC
; END OF FUNCTION CHUNK	FOR CmpReferenceKeyControlBlockUnsafe
; 
; START	OF FUNCTION CHUNK FOR CmpPostApc

loc_8CF42C:				; CODE XREF: CmpPostApc+20j
		push	ecx
		push	offset ??_C@_0DD@BGFPCJCC@IoStatusBlock?5pointing?5onto?5its@NNGAKEGL@ ; "IoStatusBlock	pointing onto itself Asyn"...
		call	_DbgPrint
		pop	ecx
		pop	ecx
		cmp	_KdDebuggerEnabled, 0
		jz	loc_74D3E4
		cmp	_KdDebuggerNotPresent, 0
		jnz	loc_74D3E4
		int	3		; Trap to Debugger
		jmp	loc_74D3E4
; 

loc_8CF459:				; CODE XREF: CmpPostApc+45j
		push	ecx
		push	offset ??_C@_0DD@BGFPCJCC@IoStatusBlock?5pointing?5onto?5its@NNGAKEGL@ ; "IoStatusBlock	pointing onto itself Asyn"...
		call	_DbgPrint
		pop	ecx
		pop	ecx
		cmp	_KdDebuggerEnabled, 0
		jz	loc_74D409
		cmp	_KdDebuggerNotPresent, 0
		jnz	loc_74D409
		int	3		; Trap to Debugger
		jmp	loc_74D409
; END OF FUNCTION CHUNK	FOR CmpPostApc

;  S U B	R O U T	I N E 


sub_8CF486	proc near		; DATA XREF: .text:006A039Co
		xor	eax, eax
		inc	eax
		retn
sub_8CF486	endp


;  S U B	R O U T	I N E 


sub_8CF48A	proc near		; DATA XREF: .text:006A03A0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp+18h]
		jmp	loc_74D410
sub_8CF48A	endp

; 
; START	OF FUNCTION CHUNK FOR CmpPostApc

loc_8CF49C:				; CODE XREF: CmpPostApc+65j
		push	ecx
		push	offset ??_C@_0DD@BGFPCJCC@IoStatusBlock?5pointing?5onto?5its@NNGAKEGL@ ; "IoStatusBlock	pointing onto itself Asyn"...
		call	_DbgPrint
		pop	ecx
		pop	ecx
		cmp	_KdDebuggerEnabled, 0
		jz	loc_74D429
		cmp	_KdDebuggerNotPresent, 0
		jnz	loc_74D429
		int	3		; Trap to Debugger
		jmp	loc_74D429
; END OF FUNCTION CHUNK	FOR CmpPostApc
; 
; START	OF FUNCTION CHUNK FOR NtDeleteKey

loc_8CF4C9:				; CODE XREF: NtDeleteKey+57j
		mov	edx, 20000h
		lea	ecx, [esp+98h+var_28]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		jmp	loc_74D51F
; 

loc_8CF4DC:				; CODE XREF: NtDeleteKey+9Ej
		mov	ebx, 0C0000189h
		jmp	loc_74D6CA
; 

loc_8CF4E6:				; CODE XREF: NtDeleteKey+C8j
		lea	eax, [esp+98h+var_58]
		push	eax
		call	SeCaptureSubjectContext
		lea	edx, [esp+98h+var_78]
		lea	ecx, [esp+98h+var_58]
		call	CmDoVirtualTest
		test	al, al
		jnz	short loc_8CF516
		mov	esi, [esp+98h+var_84]
		mov	ebx, edi

loc_8CF507:				; CODE XREF: NtDeleteKey+1CBj
					; NtDeleteKey+182077j ...
		lea	eax, [esp+98h+var_58]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_74D693
; 

loc_8CF516:				; CODE XREF: NtDeleteKey+18203Dj
		lea	eax, [esp+98h+var_60]
		mov	edx, 20019h
		push	eax
		lea	eax, [esp+9Ch+var_84]
		push	eax
		push	[esp+0A0h+var_7C]
		push	ecx
		mov	ecx, esi
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [esp+98h+var_84]
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8CF507
		mov	ecx, esi
		call	_CmKeyBodyNeedsVirtualImage@4 ;	CmKeyBodyNeedsVirtualImage(x)
		test	al, al
		jnz	short loc_8CF54A
		mov	ebx, edi
		jmp	short loc_8CF507
; 

loc_8CF54A:				; CODE XREF: NtDeleteKey+182082j
		mov	[esp+98h+var_87], 1
		jmp	loc_74D594
; 

loc_8CF554:				; CODE XREF: NtDeleteKey+11Aj
		cmp	ebx, 0C0000503h
		jnz	loc_74D688
		xor	ebx, ebx
		jmp	loc_74D688
; 

loc_8CF567:				; CODE XREF: NtDeleteKey+12Cj
		test	esi, esi
		jz	loc_74D5F4
		mov	eax, [esi+8]
		mov	[esp+98h+var_6C], eax
		jmp	loc_74D5F4
; 

loc_8CF57B:				; CODE XREF: NtDeleteKey+150j
					; NtDeleteKey+166j
		push	11h
		xor	ebx, ebx
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_8CF592
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8CF592:				; CODE XREF: NtDeleteKey+1820C7j
		mov	ecx, edi
		call	KeAbPostRelease
		jmp	loc_74D688
; 

loc_8CF59E:				; CODE XREF: NtDeleteKey+1A8j
		mov	dl, [esp+98h+var_7E]
		lea	eax, [esp+98h+var_78]
		push	eax
		lea	eax, [esp+9Ch+var_58]
		push	eax
		push	10000h
		lea	ecx, [esp+0A4h+var_84]
		call	_CmKeyBodyRemapToVirtual@20 ; CmKeyBodyRemapToVirtual(x,x,x,x,x)
		mov	esi, [esp+98h+var_84]
		mov	ebx, eax
		test	ebx, ebx
		js	loc_74D688
		cmp	_CmpVEEnabled, 0
		jz	short loc_8CF5E1
		mov	eax, [esi+8]
		test	dword ptr [eax+68h], 1000000h
		jnz	loc_74D670

loc_8CF5E1:				; CODE XREF: NtDeleteKey+18Cj
					; NtDeleteKey+19Dj ...
		mov	ebx, 0C0000022h
		jmp	loc_74D688
; 

loc_8CF5EB:				; CODE XREF: NtDeleteKey+1C0j
		cmp	dword ptr [esi+20h], 0
		jnz	short loc_8CF606
		cmp	dword ptr [esi+24h], 0
		jnz	short loc_8CF606
		push	[esp+98h+var_70]
		push	esi
		call	_SeDeleteObjectAuditAlarm@8 ; SeDeleteObjectAuditAlarm(x,x)
		jmp	loc_74D688
; 

loc_8CF606:				; CODE XREF: NtDeleteKey+18212Dj
					; NtDeleteKey+182133j
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		lea	edx, [esp+98h+var_74]
		mov	ecx, esi
		call	CmpTransSearchAddTransFromKeyBody
		mov	esi, [esp+98h+var_74]
		lea	edi, [esp+98h+var_38]
		lea	esi, [esi+2Ch]
		movsd
		movsd
		movsd
		movsd
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	esi, [esp+98h+var_84]
		lea	eax, [esp+98h+var_38]
		push	eax
		push	[esp+9Ch+var_70]
		push	esi
		call	_SeDeleteObjectAuditAlarmWithTransaction@12 ; SeDeleteObjectAuditAlarmWithTransaction(x,x,x)
		jmp	loc_74D688
; 

loc_8CF642:				; CODE XREF: NtDeleteKey+20Fj
		push	0
		push	[esp+9Ch+var_6C]
		lea	ecx, [esp+0A0h+var_28]
		push	0
		push	ebx
		push	ecx
		push	0Ch
		call	eax
		jmp	loc_74D6D7
; END OF FUNCTION CHUNK	FOR NtDeleteKey
; 
; START	OF FUNCTION CHUNK FOR CmDeleteKey

loc_8CF659:				; CODE XREF: CmDeleteKey+EAj
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		jmp	loc_74D7FD
; 

loc_8CF663:				; CODE XREF: CmDeleteKey+190j
					; CmDeleteKey+199j
		lea	edx, [ebp+var_4C]
		mov	ecx, edi
		call	CmpTransSearchAddTransFromKeyBody
		mov	esi, eax
		test	esi, esi
		js	loc_74D9FA
		mov	eax, [ebx+10h]
		test	byte ptr [eax+64h], 2
		jnz	loc_8CF854
		mov	edi, [ebp+var_4C]
		mov	edx, edi
		mov	ecx, [ebp+var_8C]
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_74D9F8
		test	edi, edi
		jnz	loc_74D8B5
		jmp	loc_74D8AA
; 

loc_8CF6A9:				; CODE XREF: CmDeleteKey+1A7j
		add	eax, 10h
		cmp	[eax], eax
		jz	loc_74D8B5
		cmp	[ebp+var_1F], 0
		jnz	loc_74D8B5
		lea	ecx, [ebp+var_88]
		mov	[ebp+var_1F], 1
		call	CmpUnlockKcbStack
		lea	ecx, [ebp+var_68]
		call	CmpUnlockKcbStack
		mov	ecx, ebx
		mov	[ebp+var_1E], 0
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)
		lea	ecx, [ebp+var_88]
		mov	[ebp+var_1D], 0
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		xor	eax, eax
		lea	edi, [ebp+var_88]
		stosd
		lea	ecx, [ebp+var_68]
		or	esi, 0FFFFFFFFh
		stosd
		stosd
		stosd
		mov	word ptr [ebp+var_88+2], si
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		xor	eax, eax
		lea	edi, [ebp+var_68]
		stosd
		stosd
		stosd
		stosd
		mov	word ptr [ebp+var_68+2], si
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		jmp	loc_74D7E1
; 

loc_8CF724:				; CODE XREF: CmDeleteKey+1B5j
		mov	ecx, edi
		call	CmEqualTrans
		test	al, al
		jz	loc_74DAB1
		jmp	loc_74D8C3
; 

loc_8CF738:				; CODE XREF: CmDeleteKey+1D0j
					; CmDeleteKey+1DEj ...
		lea	eax, [ebp+var_30]
		push	eax
		lea	edx, [ebp+var_34]
		call	_CmpSnapshotTxOwnerArray@12 ; CmpSnapshotTxOwnerArray(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74D9FA
		cmp	[ebp+var_1E], 0
		jz	short loc_8CF76B
		lea	ecx, [ebp+var_88]
		call	CmpUnlockKcbStack
		lea	ecx, [ebp+var_68]
		call	CmpUnlockKcbStack
		mov	[ebp+var_1E], 0

loc_8CF76B:				; CODE XREF: CmDeleteKey+18204Aj
		cmp	[ebp+var_1D], 0
		jz	short loc_8CF778
		mov	ecx, ebx
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)

loc_8CF778:				; CODE XREF: CmDeleteKey+182067j
		xor	dl, dl
		mov	[ebp+var_1D], 0
		lea	ecx, [ebp+var_2C]
		call	CmpDrainDelayDerefContext
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_50]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_34]
		mov	[ebp+var_20], 0
		call	_CmpRollbackTransactionArray@16	; CmpRollbackTransactionArray(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_74D7E1
		mov	al, [ebp+var_1D]
		mov	[ebp+var_1D], al
		jmp	loc_74D9FA
; 

loc_8CF7B4:				; CODE XREF: CmDeleteKey+1BDj
		call	_CmpAllocateUnitOfWork@0 ; CmpAllocateUnitOfWork()
		mov	esi, eax
		mov	[ebp+var_3C], esi
		test	esi, esi
		jz	loc_8CF85E
		call	_CmpAllocateUnitOfWork@0 ; CmpAllocateUnitOfWork()
		mov	[ebp+var_38], eax
		test	eax, eax
		jz	loc_8CF85E
		mov	edx, [ebx+24h]
		mov	ecx, esi
		call	_CmpTransEnlistUowInKcb@8 ; CmpTransEnlistUowInKcb(x,x)
		mov	edx, edi
		mov	ecx, esi
		call	CmpTransEnlistUowInCmTrans
		mov	esi, eax
		test	esi, esi
		js	loc_74D9FA
		mov	ecx, [ebp+var_38]
		mov	edx, ebx
		call	_CmpTransEnlistUowInKcb@8 ; CmpTransEnlistUowInKcb(x,x)
		mov	ecx, [ebp+var_38]
		mov	edx, edi
		call	CmpTransEnlistUowInCmTrans
		mov	esi, eax
		test	esi, esi
		js	loc_74D9FA
		mov	edx, [ebp+var_3C]
		push	ecx
		mov	ecx, [ebx+24h]
		add	ecx, 84h
		call	CmpLockIXLockIntent
		test	al, al
		jz	short loc_8CF854
		mov	esi, [ebp+var_38]
		lea	ecx, [ebx+84h]
		push	0
		mov	edx, esi
		call	CmpLockIXLockExclusive
		test	al, al
		jz	short loc_8CF854
		push	1
		lea	ecx, [ebx+8Ch]
		mov	edx, esi
		call	CmpLockIXLockExclusive
		test	al, al
		jnz	loc_74D8FC

loc_8CF854:				; CODE XREF: CmDeleteKey+181F76j
					; CmDeleteKey+18211Dj ...
		mov	esi, 0C0190001h
		jmp	loc_74D9FA
; 

loc_8CF85E:				; CODE XREF: CmDeleteKey+1820B8j
					; CmDeleteKey+1820C8j
		mov	esi, 0C000009Ah
		jmp	loc_74D9FA
; 

loc_8CF868:				; CODE XREF: CmDeleteKey+245j
		mov	eax, [ebp+var_3C]
		mov	dword ptr [eax+24h], 3
		mov	[eax+30h], ebx
		mov	dword ptr [esi+24h], 2
		mov	[esi+2Ch], eax
		mov	ecx, [ebx+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		xor	edx, edx
		mov	[ebp+var_21], 0
		inc	edx
		mov	ecx, esi
		call	_CmAddLogForAction@8 ; CmAddLogForAction(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74D9FA
		xor	eax, eax
		lea	ecx, [ebp+var_68]
		mov	[ebp+var_38], eax
		mov	edx, edi
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	1
		call	_CmpReportNotifyForKcbStack@16 ; CmpReportNotifyForKcbStack(x,x,x,x)
		jmp	loc_74D9F8
; 

loc_8CF8BC:				; CODE XREF: CmDeleteKey+250j
		add	eax, 10h
		cmp	[eax], eax
		jz	loc_74D95E
		lea	edx, [ebp+var_9C]
		mov	ecx, ebx
		call	_CmpPrepareDiscardAndReplaceKcbAndUnbackedHigherLayers@8 ; CmpPrepareDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74D9FA
		lea	eax, [ebp+var_44]
		xor	edx, edx
		push	eax
		push	1
		lea	ecx, [ebp+var_68]
		call	_CmpReportNotifyForKcbStack@16 ; CmpReportNotifyForKcbStack(x,x,x,x)
		mov	edx, [ebx+14h]
		mov	ecx, [ebx+10h]
		push	1
		call	CmpFreeKeyByCell
		mov	esi, eax
		test	esi, esi
		js	loc_74D9FA
		push	1
		lea	eax, [ebp+var_2C]
		mov	ecx, ebx
		push	eax
		call	_CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs@16 ; CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs(x,x,x,x)
		push	0
		lea	eax, [ebp+var_2C]
		mov	ecx, ebx
		push	eax
		push	8
		pop	edx
		call	CmpFlushNotifiesOnKeyBodyList
		mov	ecx, [ebx+24h]
		mov	dl, 1
		call	CmpCleanUpSubKeyInfo
		mov	ecx, [ebx+24h]
		lea	edx, [ebp+var_58]
		push	1
		call	CmpGetKeyNodeForKcb
		mov	edx, [ebx+24h]
		mov	cx, [eax+34h]
		mov	[edx+60h], cx
		mov	ecx, [ebx+24h]
		mov	edx, [ebp+var_70]
		add	dword ptr [ecx+0A8h], 1
		adc	dword ptr [ecx+0ACh], 0
		mov	ecx, [ebp+var_6C]
		mov	[eax+8], ecx
		mov	[eax+4], edx
		mov	eax, [ebx+24h]
		mov	[eax+58h], edx
		mov	[eax+5Ch], ecx
		lea	ecx, [ebp+var_58]
		mov	eax, [ebx+24h]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]
		lea	edx, [ebp+var_2C]
		mov	ecx, ebx
		call	_CmpMarkKeyUnbacked@8 ;	CmpMarkKeyUnbacked(x,x)
		lea	eax, [ebp+var_2C]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_9C]
		call	_CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers@12 ; CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x,x)
		jmp	loc_74D9F8
; 

loc_8CF998:				; CODE XREF: CmDeleteKey+120j
		lea	eax, [ebp+var_2C]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_44]
		call	_CmDeleteLayeredKey@12 ; CmDeleteLayeredKey(x,x,x)
		mov	esi, eax
		jmp	loc_74D9FA
; 

loc_8CF9AD:				; CODE XREF: CmDeleteKey+10Bj
		mov	esi, 0C0000022h
		jmp	loc_74D9FA
; 

loc_8CF9B7:				; CODE XREF: CmDeleteKey+E0j
		xor	eax, eax
		mov	esi, 0C0000189h
		mov	[ebp+var_20], al
		jmp	loc_74D9FA
; 

loc_8CF9C6:				; CODE XREF: CmDeleteKey+31Dj
		mov	ecx, edi
		call	CmpRundownUnitOfWork
		push	77554D43h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_74DA2B
; 

loc_8CF9DD:				; CODE XREF: CmDeleteKey+328j
		mov	ecx, edi
		call	CmpRundownUnitOfWork
		push	77554D43h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_74DA36
; END OF FUNCTION CHUNK	FOR CmDeleteKey

;  S U B	R O U T	I N E 


sub_8CF9F4	proc near		; CODE XREF: CmpGetKeyNodeForKcb+3Fj
		push	ebx
		push	ecx
		call	dword ptr [ecx+8]
		mov	ecx, [edi+10h]
		xor	edx, edx
		add	ecx, 24h
		call	ExAcquirePushLockSharedEx
		mov	eax, [edi+14h]
		mov	ecx, [edi+10h]
		push	ebx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		push	dword ptr [edi+14h]
		mov	ecx, [edi+10h]
		mov	esi, eax
		mov	edx, esi
		call	_CmpUpdateKeyNodeAccessBits@12 ; CmpUpdateKeyNodeAccessBits(x,x,x)
		mov	edi, [edi+10h]
		xor	edx, edx
		push	11h
		add	edi, 24h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_8CFA3C
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8CFA3C:				; CODE XREF: sub_8CF9F4+3Fj
		mov	ecx, edi
		call	KeAbPostRelease
		jmp	loc_74DAF9
sub_8CF9F4	endp

; 
; START	OF FUNCTION CHUNK FOR CmpCleanupDiscardReplaceContext

loc_8CFA48:				; CODE XREF: CmpCleanupDiscardReplaceContext+Dj
		lea	edi, [esi+8]
		cmp	[edi], edi
		jz	loc_74DB85
		push	0
		push	1
		push	esi
		push	ebx
		push	offset _CmpCleanupDiscardReplacePost@12	; CmpCleanupDiscardReplacePost(x,x,x)
		mov	edx, offset _CmpPrepareDiscardReplacePre@8 ; CmpPrepareDiscardReplacePre(x,x)
		call	_CmpEnumerateAllHigherLayerKcbs@28 ; CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)
		cmp	[edi], edi
		jz	loc_74DB85
		push	esi
		push	ebx
		push	dword ptr [esi]
		call	_CmpCleanupDiscardReplacePost@12 ; CmpCleanupDiscardReplacePost(x,x,x)
		jmp	loc_74DB85
; END OF FUNCTION CHUNK	FOR CmpCleanupDiscardReplaceContext

;  S U B	R O U T	I N E 


sub_8CFA7E	proc near		; CODE XREF: CmGetVisibleSubkeyCount+19j
		push	ebx
		push	edi
		lea	ebx, [ecx+70h]

loc_8CFA83:				; CODE XREF: sub_8CFA7E+24j
					; sub_8CFA7E+2Fj ...
		push	10h
		lea	edx, [ebp-4]
		mov	ecx, ebx
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8CFAB7
		mov	edx, [ebp+8]
		mov	ecx, [edi+1Ch]
		call	CmEqualTrans
		test	al, al
		jz	short loc_8CFA83
		mov	eax, [edi+24h]
		cmp	eax, 1
		jnz	short loc_8CFAAF
		inc	esi
		jmp	short loc_8CFA83
; 

loc_8CFAAF:				; CODE XREF: sub_8CFA7E+2Cj
		cmp	eax, 3
		jnz	short loc_8CFA83
		dec	esi
		jmp	short loc_8CFA83
; 

loc_8CFAB7:				; CODE XREF: sub_8CFA7E+15j
		pop	edi
		pop	ebx
		jmp	loc_74DBA9
sub_8CFA7E	endp

; 
; START	OF FUNCTION CHUNK FOR CmLoadDifferencingKey

loc_8CFABE:				; CODE XREF: CmLoadDifferencingKey+127j
		mov	esi, 0C0000189h
		jmp	loc_74E2C5
; 

loc_8CFAC8:				; CODE XREF: CmLoadDifferencingKey+8ECj
		mov	esi, 0C00000F8h
		jmp	loc_74E2C5
; 

loc_8CFAD2:				; CODE XREF: CmLoadDifferencingKey+79Cj
		mov	esi, 0C0000061h
		jmp	loc_74E2C5
; 

loc_8CFADC:				; CODE XREF: CmLoadDifferencingKey+19Aj
					; CmLoadDifferencingKey+1BDj
		mov	esi, 0C00000F5h
		jmp	loc_74E2C5
; 

loc_8CFAE6:				; CODE XREF: CmLoadDifferencingKey+1C9j
		mov	esi, 0C00000F3h
		jmp	loc_74E2C5
; 

loc_8CFAF0:				; CODE XREF: CmLoadDifferencingKey+216j
		mov	ecx, eax
		jmp	loc_74DE50
; 

loc_8CFAF7:				; CODE XREF: CmLoadDifferencingKey+231j
		mov	eax, edx
		jmp	loc_74DE6B
; 

loc_8CFAFE:				; CODE XREF: CmLoadDifferencingKey+7BDj
		mov	esi, 0C00000EFh
		jmp	short loc_8CFB0A
; 

loc_8CFB05:				; CODE XREF: CmLoadDifferencingKey+2F8j
		mov	esi, 0C000009Ah

loc_8CFB0A:				; CODE XREF: CmLoadDifferencingKey+181ECFj
		mov	[ebp+var_124], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_74E2C5
; 

loc_8CFB1C:				; CODE XREF: CmLoadDifferencingKey+27Dj
		mov	edx, eax
		jmp	loc_74DEB7
; 

loc_8CFB23:				; CODE XREF: CmLoadDifferencingKey+2C2j
					; CmLoadDifferencingKey+2CAj
		mov	[ecx], bl
		jmp	loc_74DF04
; 

loc_8CFB2A:				; CODE XREF: CmLoadDifferencingKey+2DCj
		push	ebx
		lea	eax, [ebp+var_E8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_74DF56
; 

loc_8CFB3C:				; CODE XREF: CmLoadDifferencingKey+354j
		mov	eax, ds:_ExEventObjectType
		mov	[ebp+var_148], ebx
		push	ebx
		lea	edx, [ebp+var_148]
		push	edx
		push	edi
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_148]
		mov	[ebp+var_108], eax
		test	esi, esi
		js	loc_74E2C5
		jmp	loc_74DF8E
; 

loc_8CFB74:				; CODE XREF: CmLoadDifferencingKey+370j
		mov	eax, ds:_SeTokenObjectType
		mov	[ebp+var_134], ebx
		push	ebx
		lea	edx, [ebp+var_134]
		push	edx
		push	edi
		push	eax
		push	4
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_134]
		mov	[ebp+var_104], eax
		test	esi, esi
		js	loc_74E2C5
		mov	eax, [eax+0A8h]
		cmp	eax, 2
		jz	loc_74DFAA
		mov	esi, 0C00000A8h
		jmp	loc_74E2C5
; 

loc_8CFBC0:				; CODE XREF: CmLoadDifferencingKey+3EEj
					; CmLoadDifferencingKey+400j
		mov	edi, [ebp+arg_0]
		jmp	loc_74E0F6
; 

loc_8CFBC8:				; CODE XREF: CmLoadDifferencingKey+4C4j
		cmp	esi, 0C0000503h
		jnz	loc_74E185
		mov	esi, ebx
		mov	[ebp+var_DE], 1
		jmp	loc_74E185
; END OF FUNCTION CHUNK	FOR CmLoadDifferencingKey

;  S U B	R O U T	I N E 


sub_8CFBE2	proc near		; DATA XREF: .text:006A03C8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-15Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8CFBE2	endp


;  S U B	R O U T	I N E 


sub_8CFBF3	proc near		; DATA XREF: .text:006A03CCo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-15Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, [ebp+8]
		jmp	loc_74E281
sub_8CFBF3	endp

; 
; START	OF FUNCTION CHUNK FOR CmLoadDifferencingKey

loc_8CFC0D:				; CODE XREF: CmLoadDifferencingKey+673j
		test	edi, 800h
		jz	loc_74E2C5
		mov	esi, ebx
		jmp	loc_74E2C5
; END OF FUNCTION CHUNK	FOR CmLoadDifferencingKey

;  S U B	R O U T	I N E 


sub_8CFC20	proc near		; DATA XREF: .text:006A03BCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-184h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8CFC20	endp


;  S U B	R O U T	I N E 


sub_8CFC31	proc near		; DATA XREF: .text:006A03C0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-184h]
		mov	[ebp-124h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		jmp	loc_74E2C5
sub_8CFC31	endp

; 
; START	OF FUNCTION CHUNK FOR CmLoadDifferencingKey

loc_8CFC4E:				; CODE XREF: CmLoadDifferencingKey+699j
		mov	edx, esi
		call	CmReleaseLoadKeyContext
		jmp	loc_74E2D3
; 

loc_8CFC5A:				; CODE XREF: CmLoadDifferencingKey+6E0j
		call	ObfDereferenceObject
		jmp	loc_74E31A
; 

loc_8CFC64:				; CODE XREF: CmLoadDifferencingKey+6FCj
		call	ObfDereferenceObject
		jmp	loc_74E336
; 

loc_8CFC6E:				; CODE XREF: CmLoadDifferencingKey+70Aj
		call	ObfDereferenceObject
		jmp	loc_74E344
; END OF FUNCTION CHUNK	FOR CmLoadDifferencingKey
; 
; START	OF FUNCTION CHUNK FOR CmpTraceHiveLoadStop

loc_8CFC78:				; CODE XREF: CmpTraceHiveLoadStop+43j
		lea	eax, [esp+38h+var_2C]
		mov	[esp+38h+var_10], 4
		mov	[esp+38h+var_18], eax
		xor	ecx, ecx
		lea	eax, [esp+38h+var_18]
		mov	[esp+38h+var_14], ecx
		push	eax
		push	1
		push	ecx
		lea	eax, [esp+44h+var_28]
		mov	[esp+44h+var_C], ecx
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_74E59F
; END OF FUNCTION CHUNK	FOR CmpTraceHiveLoadStop
; 
; START	OF FUNCTION CHUNK FOR NtDeleteValueKey

loc_8CFCAB:				; CODE XREF: NtDeleteValueKey+5Ej
		mov	edx, 20000h
		lea	ecx, [ebp+var_40]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		jmp	loc_74E614
; 

loc_8CFCBD:				; CODE XREF: NtDeleteValueKey+A0j
		mov	esi, 0C0000189h
		mov	al, bl
		jmp	loc_74E824
; 

loc_8CFCC9:				; CODE XREF: NtDeleteValueKey+320j
		lea	eax, [ebp+var_8C]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	[ebp+var_68]
		push	ecx
		mov	edx, 20019h
		mov	ecx, [ebp+var_70]
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_60], esi
		test	esi, esi
		js	loc_74E8D8
		mov	ecx, [ebp+var_4C]
		call	_CmKeyBodyNeedsVirtualImage@4 ;	CmKeyBodyNeedsVirtualImage(x)
		test	al, al
		jz	loc_74E8D6
		mov	dl, 1
		mov	[ebp+var_41], dl
		jmp	loc_74E683
; 

loc_8CFD0C:				; CODE XREF: NtDeleteValueKey+E3j
		mov	ecx, [ebp+var_4C]
		test	ecx, ecx
		jz	loc_74E699
		mov	eax, [ecx+8]
		mov	[ebp+var_74], eax
		jmp	loc_74E699
; 

loc_8CFD22:				; CODE XREF: NtDeleteValueKey+10Cj
		mov	eax, ecx
		jmp	loc_74E6C2
; 

loc_8CFD29:				; CODE XREF: NtDeleteValueKey+14Dj
					; NtDeleteValueKey+155j
		mov	[eax], bl
		mov	ecx, [ebp+var_50]
		jmp	loc_74E70B
; 

loc_8CFD33:				; CODE XREF: NtDeleteValueKey+196j
		mov	esi, 0C000009Ah
		mov	[ebp+var_60], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_74E821
; 

loc_8CFD47:				; CODE XREF: NtDeleteValueKey+1C2j
		xor	eax, eax
		mov	word ptr [ebp+var_54], ax
		mov	esi, 0C000000Dh
		jmp	short loc_8CFD59
; 

loc_8CFD54:				; CODE XREF: NtDeleteValueKey+1D2j
		mov	esi, 0C0000022h

loc_8CFD59:				; CODE XREF: NtDeleteValueKey+1817A2j
		mov	al, dl
		jmp	loc_74E824
; 

loc_8CFD60:				; CODE XREF: NtDeleteValueKey+1E9j
		mov	ecx, 0FFFEh
		add	si, cx
		mov	word ptr [ebp+var_54], si
		sub	eax, 2
		jmp	loc_74E791
; 

loc_8CFD74:				; CODE XREF: NtDeleteValueKey+23Bj
		lea	esi, [eax+3FFFFAFDh]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jmp	loc_74E821
; 

loc_8CFD85:				; CODE XREF: NtDeleteValueKey+249j
		lea	eax, [ebp+var_6C]
		push	eax
		lea	eax, [ebp+var_A0]
		push	eax
		push	2
		mov	dl, [ebp+var_45]
		lea	ecx, [ebp+var_4C]
		call	_CmKeyBodyRemapToVirtual@20 ; CmKeyBodyRemapToVirtual(x,x,x,x,x)
		mov	esi, eax
		mov	cl, [ebp+var_41]
		mov	al, cl
		test	esi, esi
		js	loc_74E824
		cmp	_CmpVEEnabled, 0
		jz	short loc_8CFDC8
		mov	eax, [ebp+var_4C]
		mov	eax, [eax+8]
		test	dword ptr [eax+68h], 1000000h
		jnz	loc_74E7FF

loc_8CFDC8:				; CODE XREF: NtDeleteValueKey+181803j
		mov	esi, 0C0000022h
		mov	al, cl
		jmp	loc_74E824
; END OF FUNCTION CHUNK	FOR NtDeleteValueKey

;  S U B	R O U T	I N E 


sub_8CFDD4	proc near		; DATA XREF: .text:006A03E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-90h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8CFDD4	endp


;  S U B	R O U T	I N E 


sub_8CFDE5	proc near		; DATA XREF: .text:006A03E8o
		mov	esp, [ebp-18h]
		xor	eax, eax
		mov	[ebp-54h], ax
		xor	ebx, ebx
		mov	[ebp-50h], ebx
		mov	esi, [ebp-90h]
		mov	[ebp-60h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	cl, bl
		mov	[ebp-44h], cl
		mov	[ebp-43h], cl
		jmp	loc_74E821
sub_8CFDE5	endp

; 
; START	OF FUNCTION CHUNK FOR NtDeleteValueKey

loc_8CFE10:				; CODE XREF: NtDeleteValueKey+2BAj
		lea	ecx, [ebp+var_54]
		push	ecx
		push	[ebp+var_74]
		push	ebx
		push	esi
		lea	ecx, [ebp+var_40]
		push	ecx
		push	0Fh
		call	eax
		jmp	loc_74E870
; END OF FUNCTION CHUNK	FOR NtDeleteValueKey
; 
; START	OF FUNCTION CHUNK FOR CmDeleteValueKey

loc_8CFE26:				; CODE XREF: CmDeleteValueKey+142j
					; CmDeleteValueKey+14Bj
		xor	edx, edx
		mov	ecx, edi
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_8D01E7
		lea	edx, [esp+0C0h+var_A4]
		mov	ecx, edi
		call	CmpTransSearchAddTransFromKeyBody
		mov	esi, eax
		test	esi, esi
		js	loc_74EB56
		mov	eax, [ebx+10h]
		test	byte ptr [eax+64h], 2
		jz	loc_74EA47
		mov	esi, 0C0190001h
		jmp	loc_74EB56
; 

loc_8CFE63:				; CODE XREF: CmDeleteValueKey+168j
		call	_CmpAllocateUnitOfWork@0 ; CmpAllocateUnitOfWork()
		mov	[esp+0C0h+var_98], eax
		test	eax, eax
		jz	loc_8D01CD
		mov	edx, ebx
		mov	ecx, eax
		call	_CmpTransEnlistUowInKcb@8 ; CmpTransEnlistUowInKcb(x,x)
		mov	edi, [esp+0C0h+var_98]
		mov	edx, esi
		mov	ecx, edi
		call	CmpTransEnlistUowInCmTrans
		mov	esi, eax
		test	esi, esi
		js	loc_74EB51
		push	ecx
		lea	ecx, [ebx+84h]
		mov	edx, edi
		call	CmpLockIXLockIntent
		test	al, al
		jz	loc_8D01C3
		push	1
		lea	ecx, [ebx+8Ch]
		mov	edx, edi
		call	CmpLockIXLockExclusive
		test	al, al
		jz	loc_8D01C3
		mov	ecx, [ebx+10h]
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	esi, [esp+0C0h+var_A4]
		lea	eax, [esp+13h]
		push	eax
		mov	edx, esi
		mov	[esp+0C4h+var_B0], 1
		mov	ecx, ebx
		call	CmpCloneKCBValueListForTrans
		test	al, al
		jz	loc_8D01B9
		mov	ecx, [ebx+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		jmp	loc_74EA82
; 

loc_8CFEF5:				; CODE XREF: CmDeleteValueKey+1CEj
		cmp	[edi+9Ch], esi
		jnz	loc_74EACA
		mov	ecx, [edi+10h]
		lea	eax, [esp+0C0h+var_A8]
		push	eax
		lea	eax, [esp+0C4h+var_8C]
		push	eax
		push	0
		lea	eax, [ebp+arg_4]
		push	eax
		lea	edx, [edi+94h]
		call	_CmpFindNameInListWithStatus@24	; CmpFindNameInListWithStatus(x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_74EB00
; 

loc_8CFF26:				; CODE XREF: CmDeleteValueKey+23Dj
		mov	esi, [esp+0D4h+var_B8]
		jmp	loc_74EA8F
; 

loc_8CFF2F:				; CODE XREF: CmDeleteValueKey+356j
		lea	ecx, [esp+0E8h+var_A8]
		call	CmpUnlockKcbStack
		push	1
		xor	dl, dl
		mov	byte ptr [esp+0ECh+var_D8+1], 0
		lea	ecx, [esp+0ECh+var_A8]
		call	_CmpPromoteKey@12 ; CmpPromoteKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8CFFD8
		mov	edi, [esp+0E8h+var_BC]
		jmp	loc_74EA47
; 

loc_8CFF5D:				; CODE XREF: CmDeleteValueKey+178j
					; CmDeleteValueKey+186j
		lea	eax, [esp+0C0h+var_90]
		push	eax
		lea	edx, [esp+0C4h+var_9C]
		call	_CmpSnapshotTxOwnerArray@12 ; CmpSnapshotTxOwnerArray(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8CFFD3
		push	[esp+0C0h+var_9C]
		xor	edx, edx
		push	ecx
		push	1
		mov	ecx, ebx
		call	CmpLogTransactionAbortedWithChildName
		lea	ecx, [esp+0C0h+var_80]
		call	CmpUnlockKcbStack
		lea	ecx, [esp+0C0h+var_80]
		mov	[esp+0C0h+var_AF], 0
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		xor	eax, eax
		lea	edi, [esp+0C0h+var_80]
		stosd
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [esp+0C0h+var_80+2], ax
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	edx, [esp+0C0h+var_90]
		lea	eax, [esp+0C0h+var_54]
		push	eax
		push	ecx
		mov	ecx, [esp+0C8h+var_9C]
		mov	[esp+0C8h+var_AE], 0
		call	_CmpRollbackTransactionArray@16	; CmpRollbackTransactionArray(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_74E9D9
		jmp	short loc_8CFFD8
; 

loc_8CFFD3:				; CODE XREF: CmDeleteValueKey+218j
					; CmDeleteValueKey+181679j
		mov	[esp+0D4h+var_C3], 1

loc_8CFFD8:				; CODE XREF: CmDeleteValueKey+181658j
					; CmDeleteValueKey+1816DBj
		mov	[esp+0D4h+var_C4], 0
		jmp	loc_74EB5C
; 

loc_8CFFE2:				; CODE XREF: CmDeleteValueKey+38Dj
		mov	esi, 0C000017Dh
		jmp	loc_74EDFB
; 

loc_8CFFEC:				; CODE XREF: CmDeleteValueKey+3BAj
		mov	edx, [esp+0F4h+var_D8]
		lea	eax, [esp+0F4h+var_84]
		push	eax
		push	32414D43h
		lea	ecx, [esp+0FCh+var_B4]
		call	_CmpSnapshotKcbStackSecurity@16	; CmpSnapshotKcbStackSecurity(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74EDDE
		mov	edx, [esp+0F4h+var_DC]
		lea	eax, [esp+0F4h+var_68]
		push	31414D43h
		push	eax
		mov	eax, [esp+0FCh+var_E0]
		mov	ecx, [eax+10h]
		call	_CmpGetValueForAudit@16	; CmpGetValueForAudit(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74EDDE
		mov	esi, [esp+0F4h+var_D4]
		jmp	loc_74ECB6
; 

loc_8D003D:				; CODE XREF: CmDeleteValueKey+3E7j
					; CmDeleteValueKey+3FEj ...
		mov	esi, 0C000017Dh
		jmp	loc_74EDDE
; 

loc_8D0047:				; CODE XREF: CmDeleteValueKey+441j
					; CmDeleteValueKey+18179Bj
		mov	esi, 0C000017Dh
		jmp	loc_74EDD6
; 

loc_8D0051:				; CODE XREF: CmDeleteValueKey+3DAj
		call	HvpMarkCellDirty
		cmp	ebx, [esp+0F4h+var_E0]
		jnz	short loc_8D00CF
		test	al, al
		jz	short loc_8D003D
		mov	edi, [esp+0F4h+var_DC]
		xor	eax, eax
		mov	ecx, [ebx+10h]
		mov	edx, edi
		push	eax
		push	eax
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_8D003D
		mov	eax, [ebx+10h]
		lea	ecx, [esp+0F4h+var_BC]
		push	ecx
		push	edi
		push	eax
		call	dword ptr [eax+4]
		mov	ecx, [ebx+10h]
		mov	edi, eax
		mov	edx, edi
		call	_CmpMarkValueDataDirty@8 ; CmpMarkValueDataDirty(x,x)
		test	al, al
		jz	short loc_8D0047
		push	dword ptr [edi+4]
		mov	edx, [edi+8]
		mov	ecx, [ebx+10h]
		call	CmpFreeValueData
		xor	eax, eax
		or	ecx, 0FFFFFFFFh
		mov	[edi+0Ch], eax
		mov	[edi+4], eax
		mov	[edi+8], ecx
		mov	ecx, dword ptr [esp+100h+var_B0]
		push	2
		pop	eax
		or	[edi+10h], ax
		mov	eax, [esp+100h+var_AC]
		mov	[esi+4], ecx
		mov	[esi+8], eax
		mov	[ebx+58h], ecx
		mov	[ebx+5Ch], eax
		jmp	loc_74ED91
; 

loc_8D00CF:				; CODE XREF: CmDeleteValueKey+181764j
		test	al, al
		jz	loc_8D003D
		mov	eax, [ebx+14h]
		mov	edx, esi
		mov	ecx, [ebx+10h]
		shr	eax, 1Fh
		push	eax
		push	dword ptr [esi+24h]
		lea	eax, [ebp+arg_4]
		push	eax
		call	_CmpSetValueKeyTombstone@20 ; CmpSetValueKeyTombstone(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_74EDDE
		mov	esi, [esp+0F4h+var_D4]
		mov	eax, [esp+0F4h+var_A0]
		mov	ecx, [esp+0F4h+var_A4]
		mov	[esi+4], ecx
		mov	[esi+8], eax
		mov	[ebx+58h], ecx
		mov	[ebx+5Ch], eax
		movzx	eax, word ptr [ebp+arg_4]
		cmp	[esi+3Ch], eax
		jnb	loc_74ED91
		mov	[esi+3Ch], eax
		mov	ax, word ptr [ebp+arg_4]
		mov	[ebx+62h], ax
		jmp	loc_74ED91
; 

loc_8D012E:				; CODE XREF: CmDeleteValueKey+3C7j
		lea	ecx, [esp+0F4h+var_90]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		mov	ecx, [ebx+10h]
		xor	eax, eax
		mov	[esp+0FCh+var_DC], eax
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		mov	ecx, [esp+0FCh+var_D4]
		xor	eax, eax
		xor	edx, edx
		mov	byte ptr [esp+0FCh+var_EC], al
		mov	eax, [esp+0FCh+var_E4]
		inc	edx
		mov	dword ptr [ecx+24h], 6
		mov	[ecx+30h], eax
		call	_CmAddLogForAction@8 ; CmAddLogForAction(x,x)
		mov	esi, eax
		mov	byte ptr [esp+0FCh+var_EC+1], 1
		test	esi, esi
		js	loc_74EB5C
		mov	ecx, [ebx+10h]
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	edx, [esp+0FCh+var_C8]
		lea	eax, [ebx+94h]
		mov	ecx, [ebx+10h]
		push	eax
		call	_CmpRemoveValueFromList@12 ; CmpRemoveValueFromList(x,x,x)
		jmp	loc_74EDA8
; 

loc_8D0194:				; CODE XREF: CmDeleteValueKey+33Fj
		xor	eax, eax
		mov	esi, 0C0000034h
		mov	byte ptr [esp+0E0h+var_D0], al
		jmp	loc_74EDD6
; 

loc_8D01A4:				; CODE XREF: CmDeleteValueKey+4E2j
		mov	eax, [esp+108h+var_F4]
		lea	ecx, [esp+108h+var_D0]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]
		jmp	loc_74EDDE
; 

loc_8D01B9:				; CODE XREF: CmDeleteValueKey+1815ECj
		mov	esi, 0C000009Ah
		jmp	loc_74EDFB
; 

loc_8D01C3:				; CODE XREF: CmDeleteValueKey+1815AEj
					; CmDeleteValueKey+1815C5j
		mov	esi, 0C0190001h
		jmp	loc_74EB51
; 

loc_8D01CD:				; CODE XREF: CmDeleteValueKey+181578j
		xor	eax, eax
		mov	[esp+0C0h+var_AF], 1
		mov	esi, 0C000009Ah
		mov	[esp+0C0h+var_B0], al
		jmp	loc_74EB6A
; 

loc_8D01E2:				; CODE XREF: CmDeleteValueKey+160j
		mov	[esp+0C0h+var_AF], 1

loc_8D01E7:				; CODE XREF: CmDeleteValueKey+18153Bj
		xor	eax, eax
		mov	[esp+0C0h+var_B0], al
		mov	al, [edi+1Ch]
		and	al, 1
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 2A9h
		add	esi, 0C000017Ch
		jmp	loc_74EB5C
; 

loc_8D020A:				; CODE XREF: CmDeleteValueKey+129j
		xor	ecx, ecx
		jmp	short loc_8D0229
; 

loc_8D020E:				; CODE XREF: CmDeleteValueKey+114j
		xor	eax, eax
		mov	esi, 0C0000022h
		mov	[esp+0C0h+var_AF], al
		jmp	loc_74EB58
; 

loc_8D021E:				; CODE XREF: CmDeleteValueKey+EAj
		xor	ecx, ecx
		mov	esi, 0C0000189h
		mov	[esp+0C0h+var_AE], cl

loc_8D0229:				; CODE XREF: CmDeleteValueKey+181916j
		mov	[esp+0C0h+var_B0], cl
		mov	[esp+0C0h+var_AF], cl
		jmp	loc_74EB5C
; 

loc_8D0236:				; CODE XREF: CmDeleteValueKey+26Cj
		mov	ecx, eax
		call	CmpRundownUnitOfWork
		mov	eax, [esp+0D4h+var_AC]
		push	77554D43h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_74EB68
; 

loc_8D0251:				; CODE XREF: CmDeleteValueKey+279j
		mov	edx, [ebx+98h]
		or	edi, 0FFFFFFFFh
		cmp	edx, edi
		jz	short loc_8D0268
		mov	ecx, [ebx+10h]
		call	HvFreeCell
		xor	eax, eax

loc_8D0268:				; CODE XREF: CmDeleteValueKey+181966j
		mov	[ebx+98h], edi
		mov	[ebx+94h], eax
		mov	[ebx+9Ch], eax
		jmp	loc_74EB75
; 

loc_8D027F:				; CODE XREF: CmDeleteValueKey+284j
		mov	ecx, [ebx+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		jmp	loc_74EB80
; 

loc_8D028C:				; CODE XREF: CmDeleteValueKey+519j
		test	edi, edi
		jz	loc_74EBCB
		push	2
		pop	eax
		push	eax
		lea	eax, [esp+0D8h+var_48]
		mov	edx, edi
		push	eax
		push	[esp+0DCh+var_4C]
		lea	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	[esp+0E0h+var_A8]
		push	eax
		xor	eax, eax
		push	eax
		call	_SeAdtRegistryValueChangedAuditAlarm@32	; SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)
		jmp	loc_74EBCB
; 

loc_8D02C0:				; CODE XREF: CmDeleteValueKey+2DEj
		mov	edx, 34414D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		jmp	loc_74EBDA
; 

loc_8D02CF:				; CODE XREF: CmDeleteValueKey+2E6j
		mov	edx, 33414D43h
		mov	ecx, edi
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		jmp	loc_74EBE2
; END OF FUNCTION CHUNK	FOR CmDeleteValueKey
; 
; START	OF FUNCTION CHUNK FOR CmpCloseKeyObject

loc_8D02E0:				; CODE XREF: CmpCloseKeyObject+66j
		mov	edx, 20000h
		lea	ecx, [esp+48h+var_28]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		cmp	ds:_CmpTraceRoutine, ebx
		jz	loc_74EE9C
		test	esi, esi
		jz	loc_74EE9C
		mov	ebx, [esi+8]
		jmp	loc_74EE9C
; 

loc_8D030A:				; CODE XREF: CmpCloseKeyObject+EBj
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		jmp	loc_74EF95
; 

loc_8D0319:				; CODE XREF: CmpCloseKeyObject+87j
		push	0
		push	ebx
		push	0
		push	0
		lea	ecx, [esp+58h+var_28]
		push	ecx
		push	1Bh
		call	eax
		jmp	loc_74EEBD
; END OF FUNCTION CHUNK	FOR CmpCloseKeyObject
; 
; START	OF FUNCTION CHUNK FOR CmpReportNotifyHelper

loc_8D032E:				; CODE XREF: CmpReportNotifyHelper+27j
		mov	eax, [ecx+0Ch]
		mov	ebx, [eax+edx*4-8]
		jmp	loc_74F031
; 

loc_8D033A:				; CODE XREF: CmpReportNotifyHelper+D2j
		push	eax
		call	_CmpTransIsTransActive@4 ; CmpTransIsTransActive(x)
		test	eax, eax
		jz	loc_74F117
		jmp	loc_74F0D8
; END OF FUNCTION CHUNK	FOR CmpReportNotifyHelper
; 

loc_8D034D:				; CODE XREF: PAGE:0074F308j
		lea	eax, [esi+10h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_74F450
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_74F450
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		lea	edx, [esi+8]
		mov	[esp+13h], al
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	loc_74F450
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	loc_74F450
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	cl, [esp+13h]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	dword ptr [esi+1Ch], 1
		jz	loc_74F2D3
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_8D03C9
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	loc_74F450
		mov	[eax], edi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edi+4], eax
		and	dword ptr [esi+18h], 0

loc_8D03C9:				; CODE XREF: PAGE:008D03AEj
		mov	ecx, esi
		call	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)
		jmp	loc_74F2D3
; 

loc_8D03D5:				; CODE XREF: PAGE:0074F34Dj
		mov	eax, [esi+20h]
		and	dword ptr [esi], 0
		push	0
		push	0
		mov	[eax+10h], ecx
		push	dword ptr [esi+20h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_74F2D3
; 
; START	OF FUNCTION CHUNK FOR CmpTraceHiveLoadStart

loc_8D03EF:				; CODE XREF: CmpTraceHiveLoadStart+46j
		mov	eax, [ebx+4]
		xor	ecx, ecx
		mov	[esp+60h+var_38], eax
		movzx	eax, word ptr [ebx]
		mov	[esp+60h+var_30], eax
		lea	eax, [esp+60h+var_50]
		mov	[esp+60h+var_28], eax
		lea	eax, [esp+60h+var_4C]
		mov	[esp+60h+var_18], eax
		lea	eax, [esp+60h+var_38]
		push	eax
		push	3
		push	ecx
		lea	eax, [esp+6Ch+var_48]
		mov	[esp+6Ch+var_50], ecx
		push	eax
		push	esi
		push	edi
		mov	[esp+78h+var_34], ecx
		mov	[esp+78h+var_2C], ecx
		mov	[esp+78h+var_24], ecx
		mov	[esp+78h+var_20], 2
		mov	[esp+78h+var_1C], ecx
		mov	[esp+78h+var_14], ecx
		mov	[esp+78h+var_10], 4
		mov	[esp+78h+var_C], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_74F5CE
; END OF FUNCTION CHUNK	FOR CmpTraceHiveLoadStart
; 
; START	OF FUNCTION CHUNK FOR CmpNameFromAttributes

loc_8D0454:				; CODE XREF: CmpNameFromAttributes+5Fj
		mov	ecx, esi
		jmp	loc_74F6A9
; 

loc_8D045B:				; CODE XREF: CmpNameFromAttributes+92j
		mov	eax, ecx
		jmp	loc_74F6DC
; 

loc_8D0462:				; CODE XREF: CmpNameFromAttributes+104j
		mov	edx, [ebp+var_230]
		jns	short loc_8D0480
		cmp	dl, 1
		jnz	short loc_8D0480
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000008h
		jmp	loc_74F797
; 

loc_8D0480:				; CODE XREF: CmpNameFromAttributes+180E24j
					; CmpNameFromAttributes+180E29j
		test	eax, eax
		jz	short loc_8D04A5
		push	2
		pop	edi
		push	5Ch
		pop	esi
		cmp	cx, di
		jb	short loc_8D04A8
		cmp	[eax], si
		jnz	short loc_8D04A8

loc_8D0494:				; CODE XREF: CmpNameFromAttributes+F6j
					; CmpNameFromAttributes+10Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000003Bh
		jmp	loc_74F797
; 

loc_8D04A5:				; CODE XREF: CmpNameFromAttributes+180E3Ej
		push	5Ch
		pop	esi

loc_8D04A8:				; CODE XREF: CmpNameFromAttributes+180E49j
					; CmpNameFromAttributes+180E4Ej
		lea	eax, [ebp+var_268]
		push	eax
		push	1
		push	20h
		push	edx
		push	[ebp+var_268]
		call	_IoConvertFileHandleToKernelHandle@20 ;	IoConvertFileHandleToKernelHandle(x,x,x,x,x)
		mov	[ebp+var_228], eax
		test	eax, eax
		jns	short loc_8D04D5
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_74F797
; 

loc_8D04D5:				; CODE XREF: CmpNameFromAttributes+180E83j
		lea	eax, [ebp+var_23C]
		push	eax
		push	200h
		lea	eax, [ebp+var_224]
		push	eax
		push	1
		push	[ebp+var_268]
		call	_ZwQueryObject@20 ; ZwQueryObject(x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_228], edi
		push	[ebp+var_268]
		call	_ZwClose@4	; ZwClose(x)
		test	edi, edi
		jns	short loc_8D051A
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edi
		jmp	loc_74F797
; 

loc_8D051A:				; CODE XREF: CmpNameFromAttributes+180EC6j
		mov	ecx, [ebp+var_224]
		mov	[ebp+var_238], ecx
		mov	eax, [ebp+var_220]
		mov	[ebp+var_234], eax
		xor	eax, eax
		mov	[ebx], ax
		movzx	ecx, cx
		mov	eax, [ebp+var_240]
		movzx	eax, ax
		add	eax, 2
		add	eax, ecx
		mov	[ebp+var_244], eax
		cmp	eax, 0FFFFh
		jbe	short loc_8D0566
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000039h
		jmp	loc_74F797
; 

loc_8D0566:				; CODE XREF: CmpNameFromAttributes+180F0Fj
		mov	[ebx+2], ax
		push	6E664D43h
		movzx	eax, ax
		push	eax
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	[ebx+4], eax
		test	eax, eax
		jnz	short loc_8D0592
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000009Ah
		jmp	loc_74F797
; 

loc_8D0592:				; CODE XREF: CmpNameFromAttributes+180F3Bj
		lea	eax, [ebp+var_238]
		push	eax
		push	ebx
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	[ebp+var_228], eax
		movzx	eax, word ptr [ebx]
		test	ax, ax
		jz	short loc_8D05C1
		mov	ecx, [ebx+4]
		cmp	[eax+ecx-2], si
		jz	short loc_8D05C1
		mov	[eax+ecx], si
		push	2
		pop	eax
		add	[ebx], ax

loc_8D05C1:				; CODE XREF: CmpNameFromAttributes+180F67j
					; CmpNameFromAttributes+180F71j
		lea	eax, [ebp+var_254]
		push	eax
		push	ebx
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		jmp	loc_74F788
; END OF FUNCTION CHUNK	FOR CmpNameFromAttributes

;  S U B	R O U T	I N E 


sub_8D05D5	proc near		; DATA XREF: .text:006A0404o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-248h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D05D5	endp


;  S U B	R O U T	I N E 


sub_8D05E6	proc near		; DATA XREF: .text:006A0408o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-248h]
		mov	[ebp-228h], esi
		mov	edi, [ebp-24Ch]
		mov	eax, [edi+4]
		test	eax, eax
		jz	loc_74F78E
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi+4], 0
		jmp	loc_74F78E
sub_8D05E6	endp

; 
; START	OF FUNCTION CHUNK FOR ObDeleteCapturedInsertInfo

loc_8D0617:				; CODE XREF: ObDeleteCapturedInsertInfo+1Bj
		movzx	eax, byte ptr [edx+8]
		push	1
		push	eax
		push	ecx
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	eax, [esi-8]
		and	dword ptr [eax+18h], 0
		mov	edx, [esi-8]
		jmp	loc_7506F1
; END OF FUNCTION CHUNK	FOR ObDeleteCapturedInsertInfo
; 
; START	OF FUNCTION CHUNK FOR CmReleaseLoadKeyContext

loc_8D0633:				; CODE XREF: CmReleaseLoadKeyContext+Ej
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	eax, [esi+10h]
		mov	ecx, esi
		cmp	byte ptr [eax+6DCh], 1
		jnz	short loc_8D065A
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		mov	ecx, [esi+10h]
		call	CmpDoQueueLateUnloadWorker
		jmp	short loc_8D065F
; 

loc_8D065A:				; CODE XREF: CmReleaseLoadKeyContext+17FF0Fj
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)

loc_8D065F:				; CODE XREF: CmReleaseLoadKeyContext+17FF1Ej
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		jmp	loc_75075F
; END OF FUNCTION CHUNK	FOR CmReleaseLoadKeyContext
; 
; START	OF FUNCTION CHUNK FOR CmpCleanUpSubKeyInfo

loc_8D066E:				; CODE XREF: CmpCleanUpSubKeyInfo+1Aj
		test	al, 4
		jz	short loc_8D067F
		push	6E494D43h
		push	dword ptr [esi+3Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8D067F:				; CODE XREF: CmpCleanUpSubKeyInfo+17FDF4j
		mov	ax, [esi+4]
		mov	ecx, 0FFF8h
		and	ax, cx
		jmp	loc_75089C
; END OF FUNCTION CHUNK	FOR CmpCleanUpSubKeyInfo
; 
; START	OF FUNCTION CHUNK FOR CmpAssignSecurityToKcb

loc_8D0690:				; CODE XREF: CmpAssignSecurityToKcb+49j
		and	dword ptr [esi+2Ch], 0
		cmp	[ebp+arg_8], 0
		jz	short loc_8D06A1
		xor	bl, bl
		jmp	loc_750948
; 

loc_8D06A1:				; CODE XREF: CmpAssignSecurityToKcb+17FDB8j
		push	edi
		push	esi
		push	ebx
		push	4
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8D06AE:				; CODE XREF: CmpFlushNotifiesOnKeyBodyList+81j
		push	0
		mov	dl, bl
		lea	ecx, [esi-14h]
		call	CmpFlushNotify
		jmp	loc_7509EF
; END OF FUNCTION CHUNK	FOR CmpAssignSecurityToKcb
; 
; START	OF FUNCTION CHUNK FOR CmpFlushNotifiesOnKeyBodyList

loc_8D06BF:				; CODE XREF: CmpFlushNotifiesOnKeyBodyList+90j
		mov	edx, [ebp+arg_0]
		push	1
		call	_CmpKeyEnumStackFreeResumeContext@12 ; CmpKeyEnumStackFreeResumeContext(x,x,x)
		jmp	loc_7509FE
; 

loc_8D06CE:				; CODE XREF: CmpFlushNotifiesOnKeyBodyList+52j
		mov	dl, [ebp+arg_4]
		mov	ecx, esi
		push	0
		call	CmpFlushNotify
		jmp	loc_7509C0
; 

loc_8D06DF:				; CODE XREF: CmpFlushNotifiesOnKeyBodyList+61j
		mov	edx, [ebp+arg_0]
		push	1
		call	_CmpKeyEnumStackFreeResumeContext@12 ; CmpKeyEnumStackFreeResumeContext(x,x,x)
		jmp	loc_7509CF
; END OF FUNCTION CHUNK	FOR CmpFlushNotifiesOnKeyBodyList
; 
; START	OF FUNCTION CHUNK FOR CmpDoFlushNextHive

loc_8D06EE:				; CODE XREF: CmpDoFlushNextHive+24j
		xor	al, al
		jmp	loc_750B29
; 

loc_8D06F5:				; CODE XREF: CmpDoFlushNextHive+14Dj
		mov	eax, [ebp+arg_0]
		mov	ecx, 989680h
		mov	byte ptr [eax],	1
		mov	eax, dword_6B1534
		mul	ecx
		mov	edi, eax
		mov	ebx, edx
		jmp	loc_750BA4
; END OF FUNCTION CHUNK	FOR CmpDoFlushNextHive
; 
; START	OF FUNCTION CHUNK FOR CmpDoQueueLateUnloadWorker

loc_8D0710:				; CODE XREF: CmpDoQueueLateUnloadWorker+4Dj
		test	al, 4
		jnz	loc_750CB3
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_750CB3
; END OF FUNCTION CHUNK	FOR CmpDoQueueLateUnloadWorker
; 
; START	OF FUNCTION CHUNK FOR CmpLockRegistryFreezeAware

loc_8D0724:				; CODE XREF: CmpLockRegistryFreezeAware+35j
		mov	edi, offset _CmpFreezeListLock

loc_8D0729:				; CODE XREF: CmpLockRegistryFreezeAware+17FA63j
		lea	eax, [ebp+var_10]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6CDFE4
		mov	ecx, offset _CmpFreezeThawWaitListHead
		cmp	[eax], ecx
		jnz	short loc_8D0794
		mov	[ebp+var_18], ecx
		xor	edx, edx
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_14], eax
		mov	[eax], ecx
		mov	eax, ecx
		mov	ecx, edi
		mov	dword_6CDFE4, eax
		call	ExReleasePushLockEx
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		push	esi
		push	esi
		push	esi
		push	esi
		lea	eax, [ebp+var_10]
		push	eax
		call	KeWaitForSingleObject
		test	bl, bl
		jz	short loc_8D0781
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		jmp	short loc_8D0786
; 

loc_8D0781:				; CODE XREF: CmpLockRegistryFreezeAware+17FA4Ej
		call	_CmpLockRegistry@0 ; CmpLockRegistry()

loc_8D0786:				; CODE XREF: CmpLockRegistryFreezeAware+17FA55j
		cmp	_CmpFreezeThawState, 1
		jz	short loc_8D0729
		jmp	loc_750D65
; 

loc_8D0794:				; CODE XREF: CmpLockRegistryFreezeAware+17FA1Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8D0799:				; CODE XREF: CmpTraceHiveFlushStop+3Cj
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_10], 4
		mov	[ebp+var_18], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], ecx
		push	eax
		push	1
		push	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_C], ecx
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_750EFA
; END OF FUNCTION CHUNK	FOR CmpLockRegistryFreezeAware
; 
; START	OF FUNCTION CHUNK FOR PspValidateJobAssignmentProcessLimits

loc_8D07C5:				; CODE XREF: PspValidateJobAssignmentProcessLimits+61j
		call	_PspCheckJobAccessState@8 ; PspCheckJobAccessState(x,x)
		test	eax, eax
		js	loc_750F96
		jmp	loc_750F5E
; 

loc_8D07D7:				; CODE XREF: PspValidateJobAssignmentProcessLimits+7Dj
		push	0FFFFFFDFh
		pop	ecx
		lea	eax, [edi+0F8h]
		lock and [eax],	ecx
		cmp	dword ptr [esi+0D4h], 0
		jz	loc_750FCF
		test	byte ptr [esi+1A8h], 8
		jz	loc_750FCF
		push	1
		push	0
		push	3
		pop	edx
		mov	ecx, esi
		call	_PspSendJobNotification@16 ; PspSendJobNotification(x,x,x,x)
		jmp	loc_750FCF
; 

loc_8D0810:				; CODE XREF: PspValidateJobAssignmentProcessLimits+2Fj
		cmp	dword ptr [esi+4], 0
		jnz	loc_750FCF
		jmp	loc_750F7B
; END OF FUNCTION CHUNK	FOR PspValidateJobAssignmentProcessLimits
; 
; START	OF FUNCTION CHUNK FOR PspEstablishJobHierarchy

loc_8D081F:				; CODE XREF: PspEstablishJobHierarchy+97j
		sub	eax, 1
		jz	loc_751073
		sub	eax, 1
		jz	short loc_8D083D
		sub	eax, 1
		jz	loc_751073
		mov	ebx, 0C000000Dh
		jmp	short loc_8D084A
; 

loc_8D083D:				; CODE XREF: PspEstablishJobHierarchy+17F855j
		lea	eax, [esi+314h]
		lock bts dword ptr [eax], 0

loc_8D0848:				; CODE XREF: PspEstablishJobHierarchy+85j
		xor	ebx, ebx

loc_8D084A:				; CODE XREF: PspEstablishJobHierarchy+17F865j
		mov	edi, edx
		jmp	loc_75103A
; 

loc_8D0851:				; CODE XREF: PspEstablishJobHierarchy+B1j
		push	624A7350h
		lea	eax, ds:0FFFFFFF8h[eax*4]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jnz	loc_75108D
		mov	eax, 0C000009Ah
		jmp	loc_751051
; 

loc_8D087C:				; CODE XREF: PspEstablishJobHierarchy+BBj
		cmp	[ebp+arg_4], 5
		jnz	loc_7510AA
		jmp	loc_751097
; 

loc_8D088B:				; CODE XREF: PspEstablishJobHierarchy+DCj
		call	KeRemoveSchedulingGroup
		test	byte ptr [edi+310h], 20h
		jnz	short loc_8D08C2
		xor	edx, edx
		mov	ecx, edi
		call	PspAddSchedulingGroupToJobChain
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_8D08C2
		mov	ecx, [esi+21Ch]
		xor	edx, edx
		add	ecx, 40h
		push	dword ptr [ecx+4]
		push	dword ptr [ecx]
		call	KeInsertSchedulingGroup
		jmp	loc_75120B
; 

loc_8D08C2:				; CODE XREF: PspEstablishJobHierarchy+17F8C1j
					; PspEstablishJobHierarchy+17F8D0j
		mov	ecx, [esi+21Ch]
		mov	edx, [edi+21Ch]
		add	ecx, 40h
		add	edx, 40h
		push	dword ptr [ecx+4]
		push	dword ptr [ecx]
		call	KeInsertSchedulingGroup
		jmp	loc_7510C6
; 

loc_8D08E3:				; CODE XREF: PspEstablishJobHierarchy+F6j
		mov	ecx, edi
		jmp	loc_7510D2
; 

loc_8D08EA:				; CODE XREF: PspEstablishJobHierarchy+153j
		mov	edx, [ebp+var_8]
		cmp	eax, 3
		jbe	short loc_8D090D
		mov	ecx, [edi+254h]
		dec	ecx

loc_8D08F9:				; CODE XREF: PspEstablishJobHierarchy+17F935j
		sub	ecx, 1
		jz	short loc_8D090D
		mov	eax, [edi+258h]
		mov	eax, [eax+ecx*4-4]
		mov	[edx+ecx*4], eax
		jmp	short loc_8D08F9
; 

loc_8D090D:				; CODE XREF: PspEstablishJobHierarchy+17F91Aj
					; PspEstablishJobHierarchy+17F926j
		mov	eax, [edi+244h]
		and	[ebp+var_8], 0
		mov	[edx], eax
		mov	[esi+258h], edx
		jmp	loc_75112F
; 

loc_8D0924:				; CODE XREF: PspEstablishJobHierarchy+1F3j
		push	ecx
		mov	ecx, esi
		call	_PspSetEffectiveRateControlJob@12 ; PspSetEffectiveRateControlJob(x,x,x)
		mov	eax, [ebp+arg_0]
		jmp	loc_7511CF
; 

loc_8D0934:				; CODE XREF: PspEstablishJobHierarchy+213j
					; PspEstablishJobHierarchy+21Bj
		push	5
		lea	eax, [ebp+var_14]
		mov	[ebp+var_C], 1
		push	eax
		push	0
		push	0
		mov	edx, offset PspSetJobIoAttributionJobPreCallback
		mov	[ebp+var_10], edi
		mov	ecx, esi
		call	PspEnumJobsAndProcessesInJobHierarchy
		jmp	loc_751203
; 

loc_8D0956:				; CODE XREF: PspEstablishJobHierarchy+227j
		cmp	[ebp+arg_4], 4
		jnz	loc_751203
		mov	ecx, [esi+328h]
		mov	edx, ebx
		call	_IoSetDiskIoAttributionOnProcess@8 ; IoSetDiskIoAttributionOnProcess(x,x)
		jmp	loc_751203
; 

loc_8D0972:				; CODE XREF: PspEstablishJobHierarchy+23Aj
		push	624A7350h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_751216
; 

loc_8D0982:				; CODE XREF: PspEstablishJobHierarchy+8Ej
		mov	ecx, [ebp+arg_0]
		call	PspUnlinkJobProcess
		mov	edx, ebx
		mov	ecx, esi
		call	MmLinkJobProcess
		mov	edi, 73507350h
		mov	ecx, esi
		mov	edx, edi
		call	ObfReferenceObjectWithTag
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		call	ObfDereferenceObjectWithTag
		cmp	dword ptr [esi+324h], 0
		mov	ecx, [esi+328h]
		jnz	short loc_8D09C4
		test	ecx, ecx
		jz	short loc_8D09CB
		mov	ecx, [ecx+328h]

loc_8D09C4:				; CODE XREF: PspEstablishJobHierarchy+17F9E2j
		mov	edx, ebx
		call	_IoSetDiskIoAttributionOnProcess@8 ; IoSetDiskIoAttributionOnProcess(x,x)

loc_8D09CB:				; CODE XREF: PspEstablishJobHierarchy+17F9E6j
		xor	ebx, ebx
		jmp	loc_751216
; 

loc_8D09D2:				; CODE XREF: PspEstablishJobHierarchy+2Bj
		mov	edi, [ebp+var_4]
		jmp	loc_75101F
; 

loc_8D09DA:				; CODE XREF: PspEstablishJobHierarchy+5Ej
		mov	ecx, [ecx+328h]
		jmp	loc_751229
; 

loc_8D09E5:				; CODE XREF: PspEstablishJobHierarchy+73j
		push	edi
		call	_PsGetProcessSessionId@4 ; PsGetProcessSessionId(x)
		test	eax, eax
		jz	loc_75104F
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, esi
		call	_PspEstablishDfssHierarchy@12 ;	PspEstablishDfssHierarchy(x,x,x)
		jmp	loc_75104F
; END OF FUNCTION CHUNK	FOR PspEstablishJobHierarchy
; 
; START	OF FUNCTION CHUNK FOR MmLinkJobProcess

loc_8D0A04:				; CODE XREF: MmLinkJobProcess+7Dj
		mov	edi, 0C000009Ah
		mov	[ebp+var_4], edi
		jmp	loc_75130D
; 

loc_8D0A11:				; CODE XREF: MmLinkJobProcess+CDj
					; MmLinkJobProcess+17F7FFj
		mov	eax, [ebp+var_20]
		lea	ecx, [ebp+var_20]
		cmp	eax, ecx
		jz	loc_75132C
		cmp	[eax+4], ecx
		jnz	loc_7513F6
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_7513F6
		push	0
		add	eax, 0FFFFFFE8h
		mov	[ebp+var_20], ecx
		lea	edx, [ebp+var_20]
		push	eax
		mov	[ecx+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8D0A11
; 

loc_8D0A49:				; CODE XREF: MmLinkJobProcess+17Bj
		lea	esi, [ebx+420h]
		jmp	short loc_8D0A5D
; 

loc_8D0A51:				; CODE XREF: MmLinkJobProcess+17F819j
		mov	ecx, [eax+8]
		mov	edx, ebx
		push	1
		call	MiRemoveSharedCommitNode

loc_8D0A5D:				; CODE XREF: MmLinkJobProcess+17F807j
		mov	eax, [esi]
		cmp	eax, esi
		jnz	short loc_8D0A51
		mov	eax, [ebp+var_10]
		push	0FFFFFFF7h
		pop	ecx
		lock and [eax],	ecx
		push	10h
		pop	ecx
		lock or	[eax], ecx
		jmp	loc_7513C9
; END OF FUNCTION CHUNK	FOR MmLinkJobProcess
; 
; START	OF FUNCTION CHUNK FOR PspBindProcessSessionToJob

loc_8D0A77:				; CODE XREF: PspBindProcessSessionToJob+37j
		cmp	eax, edx
		jz	loc_751418

loc_8D0A7F:				; CODE XREF: PspBindProcessSessionToJob+25j
		pop	edi
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	@PspConvertJobToMixed@8	; PspConvertJobToMixed(x,x)
; END OF FUNCTION CHUNK	FOR PspBindProcessSessionToJob
; 
; START	OF FUNCTION CHUNK FOR MmAssignProcessToJob

loc_8D0A89:				; CODE XREF: MmAssignProcessToJob+5Fj
		test	byte ptr [ebx+3A8h], 1
		jnz	loc_751689
		mov	[ebp+var_21], 0
		jmp	loc_7516CC
; END OF FUNCTION CHUNK	FOR MmAssignProcessToJob
; 
; START	OF FUNCTION CHUNK FOR PspApplyWorkingSetLimitsToProcess

loc_8D0A9F:				; CODE XREF: PspApplyWorkingSetLimitsToProcess+98j
		push	1
		push	0
		push	[ebp+var_48]
		push	[ebp+var_4C]
		call	_MmAdjustWorkingSetSize@16 ; MmAdjustWorkingSetSize(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_75179C
		mov	eax, 0FFFFFEFFh
		lock and [edi],	eax
		or	edx, 0FFFFFFFFh
		mov	edi, offset dword_6BEF18
		lock xadd [edi], edx
		and	dl, 6
		cmp	dl, 2
		jnz	short loc_8D0ADB
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8D0ADB:				; CODE XREF: PspApplyWorkingSetLimitsToProcess+17F3D4j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_3C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_751811
; END OF FUNCTION CHUNK	FOR PspApplyWorkingSetLimitsToProcess

;  S U B	R O U T	I N E 


sub_8D0AEF	proc near		; DATA XREF: .text:006A0424o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D0AEF	endp


;  S U B	R O U T	I N E 


sub_8D0AFD	proc near		; DATA XREF: .text:006A0428o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-50h]
		jmp	loc_751802
sub_8D0AFD	endp

; 
; START	OF FUNCTION CHUNK FOR PspRequestProcessExecutionState

loc_8D0B08:				; CODE XREF: PspRequestProcessExecutionState+11j
		test	[ebp+arg_0], 1
		mov	esi, 10000000h
		jz	loc_7520B2
		jmp	loc_7520AD
; END OF FUNCTION CHUNK	FOR PspRequestProcessExecutionState
; 
; START	OF FUNCTION CHUNK FOR PspApplyJobLimitsToProcess

loc_8D0B1C:				; CODE XREF: PspApplyJobLimitsToProcess+30j
		mov	al, [edi+1A4h]
		xor	edx, edx
		cmp	byte ptr [esi+2A2h], 2
		mov	ecx, esi
		mov	[esi+1BBh], al
		setz	dl
		call	_PspSetProcessPriorityByClass@8	; PspSetProcessPriorityByClass(x,x)
		xor	eax, eax
		jmp	loc_75212A
; 

loc_8D0B42:				; CODE XREF: PspApplyJobLimitsToProcess+42j
		lea	ecx, [ebp+var_8]
		xor	edx, edx
		push	ecx
		push	eax
		lea	eax, [edi+15Ch]
		inc	edx
		push	eax
		mov	ecx, esi
		call	_PspSetProcessAffinitySafe@20 ;	PspSetProcessAffinitySafe(x,x,x,x,x)
		test	eax, eax
		js	loc_75213C
		cmp	[ebp+var_8], 0
		jz	loc_75213C
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	PspWritePebAffinityInfo
		jmp	loc_75213C
; 

loc_8D0B79:				; CODE XREF: PspApplyJobLimitsToProcess+9Dj
		mov	dl, byte ptr ds:_PspJobSchedulingClasses[ebx]
		mov	ecx, esi
		call	_KeSetQuantumProcess@8 ; KeSetQuantumProcess(x,x)
		jmp	loc_752197
; END OF FUNCTION CHUNK	FOR PspApplyJobLimitsToProcess
; 
; START	OF FUNCTION CHUNK FOR PspUnlinkJobProcess

loc_8D0B8B:				; CODE XREF: PspUnlinkJobProcess+Dj
		push	edi
		lea	edi, [edx+1C4h]

loc_8D0B92:				; CODE XREF: PspUnlinkJobProcess+17E958j
		cmp	[ecx+8], edi
		jnz	short loc_8D0BA0
		mov	eax, [edx+1C8h]
		mov	[ecx+8], eax

loc_8D0BA0:				; CODE XREF: PspUnlinkJobProcess+17E949j
		mov	ecx, [ecx]
		cmp	ecx, esi
		jnz	short loc_8D0B92
		pop	edi
		jmp	loc_75225F
; END OF FUNCTION CHUNK	FOR PspUnlinkJobProcess
; 
; START	OF FUNCTION CHUNK FOR PspUpdateJobPeakProcessMemory

loc_8D0BAC:				; CODE XREF: PspUpdateJobPeakProcessMemory+15j
					; PspUpdateJobPeakProcessMemory+17E744j
		mov	edx, eax
		mov	ecx, esi
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	loc_75248A
		cmp	esi, eax
		ja	short loc_8D0BAC
		jmp	loc_75248A
; END OF FUNCTION CHUNK	FOR PspUpdateJobPeakProcessMemory
; 
; START	OF FUNCTION CHUNK FOR EtwQueryProcessTelemetryInfo

loc_8D0BC5:				; CODE XREF: EtwQueryProcessTelemetryInfo+81j
		mov	[ebp+var_210], (offset loc_403A20+4)
		jmp	loc_752549
; 

loc_8D0BD4:				; CODE XREF: EtwQueryProcessTelemetryInfo+183j
		mov	esi, 0C0000004h
		jmp	loc_7526E9
; END OF FUNCTION CHUNK	FOR EtwQueryProcessTelemetryInfo

;  S U B	R O U T	I N E 


sub_8D0BDE	proc near		; DATA XREF: .text:006A0444o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-234h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D0BDE	endp


;  S U B	R O U T	I N E 


sub_8D0BEF	proc near		; DATA XREF: .text:006A0448o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-234h]
		mov	[ebp-218h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edi, edi
		mov	ebx, [ebp-238h]
		jmp	loc_7526FC
sub_8D0BEF	endp

; 
; START	OF FUNCTION CHUNK FOR RtlInternEntryDereference

loc_8D0C12:				; CODE XREF: RtlInternEntryDereference:loc_752865j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_752861
; END OF FUNCTION CHUNK	FOR RtlInternEntryDereference
; 
; START	OF FUNCTION CHUNK FOR WbRemoveWarbirdProcess

loc_8D0C1C:				; CODE XREF: WbRemoveWarbirdProcess+7Fj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [ebx], 0
		jnb	short loc_8D0C48
		push	ebx
		mov	edx, esi
		mov	ecx, ebx
		call	ExfAcquirePushLockExclusiveEx

loc_8D0C48:				; CODE XREF: WbRemoveWarbirdProcess+17E340j
		test	esi, esi
		jz	short loc_8D0C50
		or	byte ptr [esi+0Eh], 1

loc_8D0C50:				; CODE XREF: WbRemoveWarbirdProcess+17E34Ej
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		push	0FFFFFFFFh
		push	4
		mov	ecx, offset unk_6D6BC0
		call	sub_A1DCCB
		mov	esi, eax
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8D0C7A
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8D0C7A:				; CODE XREF: WbRemoveWarbirdProcess+17E375j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp+var_4]
		call	sub_A1B39D
		jmp	loc_752981
; END OF FUNCTION CHUNK	FOR WbRemoveWarbirdProcess
; 
; START	OF FUNCTION CHUNK FOR WbFindWarbirdProcess

loc_8D0C9A:				; CODE XREF: WbFindWarbirdProcess+2Bj
		test	edi, edi
		jz	loc_7529CF
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_8D0CDE
		push	ebx
		lea	edi, [ecx+88h]
		push	esi

loc_8D0CB1:				; CODE XREF: WbFindWarbirdProcess+17E32Ej
					; WbFindWarbirdProcess+17E333j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_8], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_8D0CB1
		cmp	edx, [ebp+var_8]
		jnz	short loc_8D0CB1
		mov	ecx, [ebp+var_4]
		mov	edi, [ebp+var_C]
		mov	eax, [ebp+var_10]
		pop	esi
		pop	ebx

loc_8D0CDE:				; CODE XREF: WbFindWarbirdProcess+17E309j
		mov	[edi], ecx
		jmp	loc_7529CF
; END OF FUNCTION CHUNK	FOR WbFindWarbirdProcess
; 
; START	OF FUNCTION CHUNK FOR WbFindLookupEntry

loc_8D0CE5:				; CODE XREF: WbFindLookupEntry+21j
					; WbFindLookupEntry+17E352j
		push	[ebp+arg_0]
		lea	eax, [edi+ecx]
		mov	ecx, [ebx+0Ch]
		push	[ebp+var_8]
		cdq
		sub	eax, edx
		mov	edx, [ebx]
		mov	esi, eax
		sar	esi, 1
		imul	edx, esi
		mov	ecx, [edx+ecx]
		push	ecx
		call	dword ptr [ebx+14h]
		mov	ecx, eax
		or	ecx, edx
		jz	short loc_8D0D32
		test	edx, edx
		jg	short loc_8D0D1C
		jl	short loc_8D0D14
		test	eax, eax
		jnb	short loc_8D0D1C

loc_8D0D14:				; CODE XREF: WbFindLookupEntry+17E33Aj
		mov	ecx, [ebp+var_4]
		lea	edi, [esi-1]
		jmp	short loc_8D0D24
; 

loc_8D0D1C:				; CODE XREF: WbFindLookupEntry+17E338j
					; WbFindLookupEntry+17E33Ej
		lea	ecx, [esi+1]
		mov	[ebp+var_4], ecx
		mov	esi, ecx

loc_8D0D24:				; CODE XREF: WbFindLookupEntry+17E346j
		cmp	ecx, edi
		jle	short loc_8D0CE5
		mov	eax, 0C0000272h
		jmp	loc_7529FB
; 

loc_8D0D32:				; CODE XREF: WbFindLookupEntry+17E334j
		xor	eax, eax
		jmp	loc_7529FB
; 

loc_8D0D39:				; CODE XREF: WbFindLookupEntry+37j
		mov	edx, [ebx]
		mov	ecx, [ebx+0Ch]
		imul	edx, esi
		mov	ecx, [edx+ecx]
		mov	[edi], ecx
		jmp	loc_752A11
; END OF FUNCTION CHUNK	FOR WbFindLookupEntry
; 
; START	OF FUNCTION CHUNK FOR EtwExitProcess

loc_8D0D4B:				; CODE XREF: EtwExitProcess+39j
		and	dword ptr [edi+4B0h], 0
		mov	dl, 1
		mov	ecx, esi
		call	_EtwpCovSampProcessCleanup@8 ; EtwpCovSampProcessCleanup(x,x)
		push	56777445h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_752ADF
; END OF FUNCTION CHUNK	FOR EtwExitProcess
; 
; START	OF FUNCTION CHUNK FOR AlpcpCleanupProcessViews

loc_8D0D6B:				; CODE XREF: AlpcpCleanupProcessViews+59j
		add	esi, 0FFFFFFD4h
		cmp	eax, esi
		jz	short loc_8D0D82
		xor	eax, eax
		mov	dword ptr [esp+38h+var_20], esi
		xor	ebx, ebx
		mov	[esp+38h+var_28], eax
		mov	[esp+38h+var_24], ebx

loc_8D0D82:				; CODE XREF: AlpcpCleanupProcessViews+17E258j
		mov	eax, [esp+38h+var_2C]
		sub	ecx, esi
		inc	eax
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax
		mov	[esp+38h+var_2C], ecx
		mov	ecx, esi
		call	AlpcpReferenceBlob
		neg	eax
		sbb	eax, eax
		and	eax, esi
		mov	[esp+38h+var_8], eax
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8D0DBA
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8D0DBA:				; CODE XREF: AlpcpCleanupProcessViews+17E299j
		mov	ecx, edi
		call	KeAbPostRelease
		cmp	[esp+38h+var_28], 0
		jnz	loc_8D0E58
		test	ebx, ebx
		jnz	loc_8D0E58

loc_8D0DD4:				; CODE XREF: AlpcpCleanupProcessViews+17E33Bj
		and	[esp+38h+var_10], 0
		mov	edx, 0FFDF03B0h
		and	[esp+38h+var_C], 0
		mov	eax, 0FFDF000Ch
		mov	esi, [edx]
		mov	ecx, [edx+4]
		mov	ebx, [eax]
		add	eax, 0FFFFFFFCh
		mov	[esp+38h+var_24], esi
		mov	[esp+38h+var_1C], ecx
		mov	edi, [eax]
		mov	eax, 0FFDF0010h
		mov	eax, [eax]
		cmp	ebx, eax
		jz	short loc_8D0E2B
		mov	edx, 0FFDF000Ch
		lea	ecx, [edx-4]
		lea	esi, [edx+4]

loc_8D0E12:				; CODE XREF: AlpcpCleanupProcessViews+17E304j
		pause
		mov	ebx, [edx]
		mov	edi, [ecx]
		mov	eax, [esi]
		cmp	ebx, eax
		jnz	short loc_8D0E12
		mov	ecx, [esp+38h+var_1C]
		mov	edx, 0FFDF03B0h
		mov	esi, [esp+38h+var_24]

loc_8D0E2B:				; CODE XREF: AlpcpCleanupProcessViews+17E2EDj
		mov	eax, [edx]
		mov	edx, [edx+4]
		cmp	esi, eax
		jnz	short loc_8D0E51
		cmp	ecx, edx
		jnz	short loc_8D0E51
		mov	eax, [esp+38h+var_2C]
		sub	edi, esi
		mov	[esp+38h+var_28], edi
		mov	edi, [esp+38h+var_18]
		sbb	ebx, ecx
		mov	[esp+38h+var_2C], eax
		jmp	loc_8D0F2E
; 

loc_8D0E51:				; CODE XREF: AlpcpCleanupProcessViews+17E31Aj
					; AlpcpCleanupProcessViews+17E31Ej
		pause
		jmp	loc_8D0DD4
; 

loc_8D0E58:				; CODE XREF: AlpcpCleanupProcessViews+17E2AEj
					; AlpcpCleanupProcessViews+17E2B6j
		cmp	[esp+38h+var_2C], 64h
		jbe	loc_8D0F32
		mov	esi, 0FFDF03B0h
		mov	ebx, 0FFDF0008h

loc_8D0E6D:				; CODE XREF: AlpcpCleanupProcessViews+17E447j
		mov	eax, [esi]
		mov	edi, 0FFDF000Ch
		and	[esp+38h+var_10], 0
		and	[esp+38h+var_C], 0
		mov	[esp+38h+var_14], eax
		mov	eax, [esi+4]
		mov	ecx, [edi]
		mov	edx, [ebx]
		mov	[esp+38h+var_1C], eax
		lea	eax, [edi+4]
		mov	eax, [eax]
		cmp	ecx, eax
		jz	short loc_8D0EB4
		lea	esi, [edi-4]

loc_8D0E99:				; CODE XREF: AlpcpCleanupProcessViews+17E390j
		pause
		mov	ecx, [edi]
		mov	eax, 0FFDF0010h
		mov	edx, [esi]
		mov	eax, [eax]
		cmp	ecx, eax
		jnz	short loc_8D0E99
		mov	esi, 0FFDF03B0h
		mov	ebx, 0FFDF0008h

loc_8D0EB4:				; CODE XREF: AlpcpCleanupProcessViews+17E37Cj
		mov	eax, [esi]
		mov	edi, [esi+4]
		mov	[esp+38h+var_10], edi
		mov	edi, [esp+38h+var_14]
		cmp	edi, eax
		jnz	loc_8D0F5D
		mov	eax, [esp+38h+var_10]
		cmp	[esp+38h+var_1C], eax
		jnz	loc_8D0F5D
		mov	ebx, [esp+38h+var_24]
		sub	edx, edi
		mov	eax, [esp+38h+var_2C]
		sbb	ecx, [esp+38h+var_1C]
		sub	edx, [esp+38h+var_28]
		mov	edi, [esp+38h+var_18]
		sbb	ecx, ebx
		mov	[esp+38h+var_2C], eax
		mov	[esp+38h+var_C], ecx
		jnz	short loc_8D0F01
		cmp	edx, 23C34600h
		jbe	short loc_8D0F32

loc_8D0F01:				; CODE XREF: AlpcpCleanupProcessViews+17E3DFj
		mov	eax, dword ptr [esp+38h+var_20]
		push	eax		; char
		push	offset ??_C@_0BL@MGEADHAH@ALPC?3?5View?5?$EA?5?$CFp?5is?5stuck?4?6@NNGAKEGL@ ; char *
		push	0		; int
		push	69h		; int
		call	_DbgPrintEx
		add	esp, 10h
		cmp	_KdDebuggerEnabled, 0
		jz	short loc_8D0F21
		int	3		; Trap to Debugger

loc_8D0F21:				; CODE XREF: AlpcpCleanupProcessViews+17E406j
		and	[esp+38h+var_2C], 0
		xor	eax, eax
		mov	[esp+38h+var_28], eax
		xor	ebx, ebx

loc_8D0F2E:				; CODE XREF: AlpcpCleanupProcessViews+17E334j
		mov	[esp+38h+var_24], ebx

loc_8D0F32:				; CODE XREF: AlpcpCleanupProcessViews+17E345j
					; AlpcpCleanupProcessViews+17E3E7j
		mov	esi, [esp+38h+var_8]
		test	esi, esi
		jz	short loc_8D0F4B
		mov	ecx, esi
		call	_AlpcpForceUnlinkSecureView@4 ;	AlpcpForceUnlinkSecureView(x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	AlpcpDereferenceBlobEx

loc_8D0F4B:				; CODE XREF: AlpcpCleanupProcessViews+17E420j
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [esp+38h+var_4]
		jmp	loc_752B67
; 

loc_8D0F5D:				; CODE XREF: AlpcpCleanupProcessViews+17E3ABj
					; AlpcpCleanupProcessViews+17E3B9j
		pause
		jmp	loc_8D0E6D
; END OF FUNCTION CHUNK	FOR AlpcpCleanupProcessViews
; 
; START	OF FUNCTION CHUNK FOR ExpWnfDeleteProcessContext

loc_8D0F64:				; CODE XREF: ExpWnfDeleteProcessContext+F4j
		add	eax, 0FFFFFFB4h
		mov	[ebp+var_4], eax
		lea	ecx, [eax+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8D0F85
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8D0F85:				; CODE XREF: ExpWnfDeleteProcessContext+17E398j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		push	0
		push	0
		push	10h
		pop	edx
		call	_ExpWnfNotifyNameSubscribers@16	; ExpWnfNotifyNameSubscribers(x,x,x,x)
		mov	eax, [ebp+var_4]
		mov	edx, eax
		push	1
		mov	ecx, [eax+20h]
		call	ExpWnfDeleteNameInstance
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	[ebp+var_4], eax
		lock bts dword ptr [edi], 0
		jnb	short loc_8D0FCC
		push	edi
		mov	edx, eax
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_4]

loc_8D0FCC:				; CODE XREF: ExpWnfDeleteProcessContext+17E3D9j
		test	eax, eax
		jz	loc_752CD4
		or	byte ptr [eax+0Eh], 1
		jmp	loc_752CD4
; END OF FUNCTION CHUNK	FOR ExpWnfDeleteProcessContext
; 
; START	OF FUNCTION CHUNK FOR PspProcessDelete

loc_8D0FDD:				; CODE XREF: PspProcessDelete+A0j
		call	ObfDereferenceObject
		and	dword ptr [esi+190h], 0
		jmp	loc_752F14
; 

loc_8D0FEE:				; CODE XREF: PspProcessDelete+D4j
		cmp	dword ptr [edi+8], 0
		jz	short loc_8D1008
		push	dword ptr [edi+4]
		push	esi
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		mov	edx, [edi+4]
		mov	ecx, [edi+8]
		call	PspFreeLdtMemory

loc_8D1008:				; CODE XREF: PspProcessDelete+17E184j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_752F48
; 

loc_8D1015:				; CODE XREF: PspProcessDelete+E2j
		mov	eax, [edi]
		mov	[esp+30h+var_24], eax
		test	eax, eax
		jz	short loc_8D1050
		mov	ebx, [eax]
		test	ebx, ebx
		jz	short loc_8D1039

loc_8D1025:				; CODE XREF: PspProcessDelete+17E1C5j
		mov	eax, ebx
		mov	ebx, [ebx]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jnz	short loc_8D1025
		mov	eax, [esp+30h+var_24]

loc_8D1039:				; CODE XREF: PspProcessDelete+17E1B5j
		add	eax, 4
		push	eax
		call	ExDeleteResourceLite
		push	0
		push	[esp+34h+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0

loc_8D1050:				; CODE XREF: PspProcessDelete+17E1AFj
		cmp	dword ptr [edi+90h], 0
		jz	short loc_8D106E
		push	2Ch
		push	esi
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)
		push	0
		push	dword ptr [edi+90h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8D106E:				; CODE XREF: PspProcessDelete+17E1E9j
		lea	ecx, [edi+88h]
		xor	ebx, ebx
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	short loc_8D10C4

loc_8D107C:				; CODE XREF: PspProcessDelete+17E249j
		mov	ecx, eax
		mov	eax, [eax]
		mov	[esp+30h+var_24], eax
		cmp	[eax+4], ecx
		jnz	loc_75309C
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_75309C
		push	0
		mov	[edx], eax
		push	ecx
		mov	[eax+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+30h+var_24]
		lea	ecx, [edi+88h]
		add	ebx, 90h
		cmp	eax, ecx
		jnz	short loc_8D107C
		test	ebx, ebx
		jz	short loc_8D10C4
		push	ebx
		push	esi
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)

loc_8D10C4:				; CODE XREF: PspProcessDelete+17E20Cj
					; PspProcessDelete+17E24Dj
		push	0C0h
		push	esi
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [esp+30h+var_20]
		xor	edi, edi
		mov	[esi+0F4h], edi
		jmp	loc_752F56
; 

loc_8D10E8:				; CODE XREF: PspProcessDelete+109j
		push	esi
		call	dword_6BEDEC
		jmp	loc_752F7D
; 

loc_8D10F4:				; CODE XREF: PspProcessDelete+187j
		push	17h
		call	_KeBugCheck@4	; KeBugCheck(x)

loc_8D10FB:				; CODE XREF: PspProcessDelete+1B5j
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	3018h
		push	esi
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		jmp	loc_753029
; 

loc_8D1112:				; CODE XREF: PspProcessDelete+1FBj
		call	_VmpProcessContextCleanup@4 ; VmpProcessContextCleanup(x)
		push	edi
		push	dword ptr [esi+3E4h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_75306F
; END OF FUNCTION CHUNK	FOR PspProcessDelete
; 
; START	OF FUNCTION CHUNK FOR EtwpWriteProcessStarted

loc_8D1128:				; CODE XREF: EtwpWriteProcessStarted+2Dj
		mov	esi, (offset loc_403A20+4)
		jmp	loc_7533ED
; 

loc_8D1132:				; CODE XREF: EtwpWriteProcessStarted+287j
		mov	ecx, ds:_SeNullSid
		jmp	loc_753649
; END OF FUNCTION CHUNK	FOR EtwpWriteProcessStarted
; 
; START	OF FUNCTION CHUNK FOR EtwpWriteAppStateChange

loc_8D113D:				; CODE XREF: EtwpWriteAppStateChange+34j
		lea	eax, [ebp+var_38]
		mov	[ebp+var_18], esi
		push	eax
		xor	ecx, ecx
		mov	[ebp+var_10], 62h
		push	3
		push	ecx
		push	ecx
		push	(offset	loc_4238E4+6)
		push	edi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_7536F0
; END OF FUNCTION CHUNK	FOR EtwpWriteAppStateChange
; 
; START	OF FUNCTION CHUNK FOR EtwTraceAppStateChange

loc_8D1167:				; CODE XREF: EtwTraceAppStateChange+80j
		lea	edx, [ebp+var_92]
		mov	ecx, esi
		call	EtwpInitStateChangeInfo
		mov	al, [edi+34h]
		mov	ecx, [edi]
		mov	[ebp+var_241], al
		mov	byte ptr [ebp+var_92], al
		mov	al, [edi+30h]
		mov	byte ptr [ebp+var_92+1], al
		mov	eax, [edi+4]
		mov	[ebp+var_250], ecx
		sub	ecx, [edi+10h]
		push	0
		mov	[ebp+var_258], eax
		sbb	eax, [edi+14h]
		push	2710h
		push	eax
		push	ecx
		call	__aulldiv
		mov	edi, [edi+20h]
		mov	ecx, edi
		mov	[ebp+var_65], edx
		mov	edx, [ebp+var_248]
		mov	[ebp+var_69], eax
		push	0
		push	2710h
		sub	ecx, [edx+18h]
		mov	esi, [edx+24h]
		mov	eax, esi
		sbb	eax, [edx+1Ch]
		push	eax
		push	ecx
		call	__aulldiv
		mov	ecx, [ebp+var_250]
		mov	[ebp+var_5D], edx
		mov	edx, [ebp+var_24C]
		mov	[ebp+var_61], eax
		mov	eax, [ebp+var_258]
		push	0
		sub	ecx, [edx+3F0h]
		push	2710h
		sbb	eax, [edx+3F4h]
		push	eax
		push	ecx
		call	__aulldiv
		push	0
		push	2710h
		push	esi
		push	edi
		mov	[ebp+var_59], eax
		mov	[ebp+var_55], edx
		call	__aulldiv
		mov	[ebp+var_51], eax
		mov	eax, [ebp+var_248]
		push	0
		push	2710h
		mov	[ebp+var_4D], edx
		push	dword ptr [eax+2Ch]
		push	dword ptr [eax+28h]
		call	__aulldiv
		cmp	[ebp+var_241], 3
		mov	[ebp+var_49], eax
		mov	[ebp+var_45], edx
		jz	short loc_8D1265
		lea	ecx, [ebp+var_92]
		call	EtwpWriteAppStateChange
		and	[ebp+var_248], 0
		jmp	loc_8D1374
; 

loc_8D1265:				; CODE XREF: EtwTraceAppStateChange+17DB4Ej
		push	68h		; size_t
		lea	eax, [ebp+var_2D0]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	esi, [ebp+var_24C]
		lea	edx, [ebp+var_2D0]
		add	esp, 0Ch
		mov	ecx, esi
		call	PsQueryStatisticsProcess
		xor	edx, edx
		mov	ecx, esi
		call	_ObGetProcessHandleCount@8 ; ObGetProcessHandleCount(x,x)
		mov	[ebp+var_30], eax
		mov	ecx, 1000h
		mov	eax, [esi+224h]
		or	edi, 0FFFFFFFFh
		mul	ecx
		mov	[ebp+var_2C], eax
		mov	eax, [esi+228h]
		mov	[ebp+var_28], edx
		mul	ecx
		xor	ecx, ecx
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], edx
		cmp	[ebp+var_2A4], ecx
		jg	short loc_8D12D6
		mov	eax, [ebp+var_2A8]
		jl	short loc_8D12D1
		cmp	eax, edi
		jnb	short loc_8D12D6

loc_8D12D1:				; CODE XREF: EtwTraceAppStateChange+17DBCDj
		mov	[ebp+var_14], eax
		jmp	short loc_8D12D9
; 

loc_8D12D6:				; CODE XREF: EtwTraceAppStateChange+17DBC5j
					; EtwTraceAppStateChange+17DBD1j
		mov	[ebp+var_14], edi

loc_8D12D9:				; CODE XREF: EtwTraceAppStateChange+17DBD6j
		cmp	[ebp+var_29C], ecx
		jg	short loc_8D12F2
		mov	eax, [ebp+var_2A0]
		jl	short loc_8D12ED
		cmp	eax, edi
		jnb	short loc_8D12F2

loc_8D12ED:				; CODE XREF: EtwTraceAppStateChange+17DBE9j
		mov	[ebp+var_10], eax
		jmp	short loc_8D12F5
; 

loc_8D12F2:				; CODE XREF: EtwTraceAppStateChange+17DBE1j
					; EtwTraceAppStateChange+17DBEDj
		mov	[ebp+var_10], edi

loc_8D12F5:				; CODE XREF: EtwTraceAppStateChange+17DBF2j
		push	ecx
		push	400h
		push	[ebp+var_28C]
		push	[ebp+var_290]
		call	__alldiv
		test	edx, edx
		jg	short loc_8D131B
		jl	short loc_8D1316
		cmp	eax, edi
		jnb	short loc_8D131B

loc_8D1316:				; CODE XREF: EtwTraceAppStateChange+17DC12j
		mov	[ebp+var_C], eax
		jmp	short loc_8D131E
; 

loc_8D131B:				; CODE XREF: EtwTraceAppStateChange+17DC10j
					; EtwTraceAppStateChange+17DC16j
		mov	[ebp+var_C], edi

loc_8D131E:				; CODE XREF: EtwTraceAppStateChange+17DC1Bj
		push	0
		push	400h
		push	[ebp+var_284]
		push	[ebp+var_288]
		call	__alldiv
		test	edx, edx
		jg	short loc_8D1345
		jl	short loc_8D1340
		cmp	eax, edi
		jnb	short loc_8D1345

loc_8D1340:				; CODE XREF: EtwTraceAppStateChange+17DC3Cj
		mov	[ebp+var_8], eax
		jmp	short loc_8D1348
; 

loc_8D1345:				; CODE XREF: EtwTraceAppStateChange+17DC3Aj
					; EtwTraceAppStateChange+17DC40j
		mov	[ebp+var_8], edi

loc_8D1348:				; CODE XREF: EtwTraceAppStateChange+17DC45j
		mov	eax, [ebp+var_2B8]
		lea	edx, [ebp+var_92]
		mov	[ebp+var_1C], eax
		mov	ecx, esi
		mov	eax, [ebp+var_2B4]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_30]
		push	eax
		call	EtwpWriteAppStateChangeWithStats
		lea	eax, [ebp+var_30]
		mov	[ebp+var_248], eax

loc_8D1374:				; CODE XREF: EtwTraceAppStateChange+17DB62j
		cmp	dword_6B2A18, 0
		jbe	loc_753784
		push	4000h
		push	0
		mov	ecx, offset dword_6B2A18
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_753784
		push	18Ch		; size_t
		lea	eax, [ebp+var_240]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [ebp+var_AC]
		xor	eax, eax
		xor	edx, edx
		mov	[ebp+var_264], edx
		mov	[ebp+var_260], edx
		push	6
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		mov	edi, [ebp+var_24C]
		mov	[ebp+var_254], edx
		mov	[ebp+var_250], edx
		mov	[ebp+var_241], dl
		mov	[ebp+var_258], edx
		cmp	[eax+80h], edi
		jz	short loc_8D1426
		lea	ecx, [edi+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_8D141F
		lea	eax, [ebp+var_AC]
		xor	edx, edx
		push	eax
		mov	ecx, edi
		call	KiStackAttachProcess
		mov	[ebp+var_241], 1
		jmp	short loc_8D1426
; 

loc_8D141F:				; CODE XREF: EtwTraceAppStateChange+17DD06j
		mov	byte ptr [ebp+var_25C],	0

loc_8D1426:				; CODE XREF: EtwTraceAppStateChange+17DCF7j
					; EtwTraceAppStateChange+17DD1Fj
		push	edi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		lea	edx, [ebp+var_240]
		lea	eax, [ebp+var_258]
		mov	ecx, esi
		push	eax
		call	_EtwpQueryTokenPackageInfo@12 ;	EtwpQueryTokenPackageInfo(x,x,x)
		lea	ecx, [edi+12Ch]
		mov	edx, esi
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		cmp	byte ptr [ebp+var_25C],	0
		jz	short loc_8D1486
		cmp	dword ptr [edi+17Ch], 0
		jz	short loc_8D1479
		mov	ecx, edi
		call	EtwpAppStateChangeSummaryShouldLogCommandLine
		test	al, al
		jz	short loc_8D1479
		lea	edx, [ebp+var_254]
		mov	ecx, edi
		call	EtwpQueryProcessCommandLine

loc_8D1479:				; CODE XREF: EtwTraceAppStateChange+17DD61j
					; EtwTraceAppStateChange+17DD6Cj
		lea	edx, [ebp+var_264]
		mov	ecx, edi
		call	EtwpQueryProcessOtherInfo

loc_8D1486:				; CODE XREF: EtwTraceAppStateChange+17DD58j
		cmp	[ebp+var_241], 0
		jz	short loc_8D14A7
		xor	edx, edx
		lea	ecx, [ebp+var_AC]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		lea	ecx, [edi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_8D14A7:				; CODE XREF: EtwTraceAppStateChange+17DD8Fj
		lea	eax, [ebp+var_254]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_264]
		push	eax
		lea	eax, [ebp+var_240]
		push	eax
		push	[ebp+var_248]
		lea	edx, [ebp+var_92]
		call	EtwpWriteAppStateChangeSummary
		cmp	[ebp+var_250], 0
		jz	loc_753784
		push	0
		push	[ebp+var_250]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_753784
; END OF FUNCTION CHUNK	FOR EtwTraceAppStateChange
; 
; START	OF FUNCTION CHUNK FOR CmpInitHiveFromFile

loc_8D14EE:				; CODE XREF: CmpInitHiveFromFile+B7j
		lea	eax, [ebp+var_10]
		mov	[ebp+var_24], ebx
		mov	[ebp+var_28], eax
		mov	eax, [esi+4]
		mov	[ebp+var_18], eax
		movzx	eax, word ptr [esi]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	4
		push	ebx
		push	ebx
		push	(offset	loc_419960+4)
		push	edi
		mov	[ebp+var_20], 2
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_753855
; 

loc_8D152B:				; CODE XREF: CmpInitHiveFromFile+5B5j
		xor	edi, edi
		mov	[ebp+var_C4], edi
		test	al, al
		jz	loc_753A5F
		push	30h
		jmp	loc_75391A
; 

loc_8D1542:				; CODE XREF: CmpInitHiveFromFile+2E4j
		push	edi
		call	_ZwClose@4	; ZwClose(x)
		xor	edi, edi
		mov	[ebp+var_C4], edi
		jmp	loc_753D91
; 

loc_8D1555:				; CODE XREF: CmpInitHiveFromFile+5FBj
		push	ebx
		call	_ZwClose@4	; ZwClose(x)
		xor	ebx, ebx
		mov	[ebp+var_D0], ebx
		jmp	loc_753D99
; 

loc_8D1568:				; CODE XREF: CmpInitHiveFromFile+2D4j
		cmp	ecx, 1
		jnz	loc_753A82
		mov	eax, edi
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_E0], eax
		jmp	loc_753A82
; 

loc_8D1584:				; CODE XREF: CmpInitHiveFromFile+315j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, bl
		jnz	loc_753AB3
		mov	edi, [ebp+var_C4]
		mov	esi, 0C0000189h
		mov	ebx, [ebp+var_D0]
		jmp	loc_75392A
; 

loc_8D15AE:				; CODE XREF: CmpInitHiveFromFile+3B3j
		push	[ebp+var_D8]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_D8], 0
		test	edi, edi
		jz	short loc_8D15D2
		push	edi
		call	_ZwClose@4	; ZwClose(x)
		xor	edi, edi
		mov	[ebp+var_C4], edi

loc_8D15D2:				; CODE XREF: CmpInitHiveFromFile+17DE2Aj
		mov	esi, [ebp+var_D4]
		test	ebx, ebx
		jz	loc_7538C9
		push	ebx
		call	_ZwClose@4	; ZwClose(x)
		xor	ebx, ebx
		mov	[ebp+var_D0], ebx
		jmp	loc_7538C9
; 

loc_8D15F3:				; CODE XREF: CmpInitHiveFromFile+55Bj
		push	20h
		jmp	loc_75391A
; 

loc_8D15FA:				; CODE XREF: CmpInitHiveFromFile+3BBj
		push	60h
		jmp	loc_75391A
; 

loc_8D1601:				; CODE XREF: CmpInitHiveFromFile+63Dj
		mov	ecx, [ebp+var_C8]
		xor	edx, edx
		push	0E6h
		push	esi
		push	1
		inc	edx
		call	SetFailureLocation
		jmp	loc_753B78
; 

loc_8D161C:				; CODE XREF: CmpInitHiveFromFile+456j
		push	esi
		mov	edx, 8000002Ah
		mov	ecx, offset _REG_EVENT_SELFHEAL
		call	_CmpLogEvent@12	; CmpLogEvent(x,x,x)
		jmp	loc_753BF4
; 

loc_8D1631:				; CODE XREF: CmpInitHiveFromFile+1E7j
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_CC], esi
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	3
		push	ebx
		push	ebx
		push	offset loc_41993A
		push	offset dword_6B2348
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_753985
; END OF FUNCTION CHUNK	FOR CmpInitHiveFromFile
; 
; START	OF FUNCTION CHUNK FOR CmpFlushHive

loc_8D1665:				; CODE XREF: CmpFlushHive+114j
		mov	eax, [ebx+4B4h]
		xor	ecx, ecx
		mov	[ebp+var_D0], ecx
		mov	edx, ecx
		test	eax, eax
		jz	short loc_8D1693
		mov	[ebp+var_88], eax
		inc	edx
		movzx	eax, word ptr [ebx+4B0h]
		mov	[ebp+var_84], ecx
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], ecx

loc_8D1693:				; CODE XREF: CmpFlushHive+17D89Dj
		mov	eax, edx
		lea	esi, [ebp+var_D0]
		add	eax, eax
		inc	edx
		mov	[ebp+eax*8+var_88], esi
		mov	[ebp+eax*8+var_84], ecx
		mov	[ebp+eax*8+var_80], 2
		mov	[ebp+eax*8+var_7C], ecx
		mov	eax, [ebx+4BCh]
		test	eax, eax
		jz	short loc_8D16E8
		mov	ecx, edx
		add	ecx, ecx
		and	[ebp+ecx*8+var_84], 0
		and	[ebp+ecx*8+var_7C], 0
		inc	edx
		mov	[ebp+ecx*8+var_88], eax
		movzx	eax, word ptr [ebx+4B8h]
		mov	[ebp+ecx*8+var_80], eax
		xor	ecx, ecx

loc_8D16E8:				; CODE XREF: CmpFlushHive+17D8E6j
		mov	eax, edx
		lea	esi, [ebp+var_D0]
		add	eax, eax
		mov	[ebp+eax*8+var_84], ecx
		mov	[ebp+eax*8+var_7C], ecx
		lea	ecx, [ebp+var_D4]
		mov	[ebp+eax*8+var_88], esi
		mov	esi, [ebp+var_C8]
		mov	[ebp+eax*8+var_80], 2
		lea	eax, [edx+1]
		add	eax, eax
		mov	[ebp+eax*8+var_88], ecx
		xor	ecx, ecx
		mov	[ebp+eax*8+var_84], ecx
		mov	[ebp+eax*8+var_80], 4
		mov	[ebp+eax*8+var_7C], ecx
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [edx+2]
		push	eax
		push	ecx
		lea	eax, [ebp+var_B8]
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_753EF4
; 

loc_8D1758:				; CODE XREF: CmpFlushHive+1C4j
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		jmp	loc_753FAB
; 

loc_8D1762:				; CODE XREF: CmpFlushHive+659j
		test	al, 4
		jz	loc_7545EB
		jmp	loc_753FC6
; 

loc_8D176F:				; CODE XREF: CmpFlushHive+66Ej
					; CmpFlushHive+6B8j
		mov	edx, esi
		mov	ecx, ebx
		call	_CmpWaitOnHiveWriteQueue@8 ; CmpWaitOnHiveWriteQueue(x,x)
		mov	esi, [ebp+var_CC]
		jmp	short loc_8D17D0
; 

loc_8D1780:				; CODE XREF: CmpFlushHive+204j
		test	edx, edx
		jz	short loc_8D1788
		xor	edi, edi
		jmp	short loc_8D179F
; 

loc_8D1788:				; CODE XREF: CmpFlushHive+17D9A8j
		cmp	dword ptr [ebx+34h], 0
		jnz	short loc_8D179C
		cmp	byte ptr [ebx+83h], 0
		jnz	short loc_8D179C
		push	2
		pop	edi
		jmp	short loc_8D179F
; 

loc_8D179C:				; CODE XREF: CmpFlushHive+17D9B2j
					; CmpFlushHive+17D9BBj
		xor	edi, edi
		inc	edi

loc_8D179F:				; CODE XREF: CmpFlushHive+17D9ACj
					; CmpFlushHive+17D9C0j
		mov	edx, ecx
		mov	ecx, ebx
		call	_CmpWaitOnHiveWriteQueue@8 ; CmpWaitOnHiveWriteQueue(x,x)
		mov	esi, eax
		mov	[ebp+var_CC], esi
		test	esi, esi
		js	short loc_8D17CA
		mov	eax, [ebp+var_C8]
		add	eax, edi
		mov	edi, [ebp+var_D4]
		mov	[ebp+var_C8], eax
		jmp	short loc_8D17D6
; 

loc_8D17CA:				; CODE XREF: CmpFlushHive+17D9D8j
		mov	edi, [ebp+var_D4]

loc_8D17D0:				; CODE XREF: CmpFlushHive+17D9A4j
		mov	eax, [ebp+var_C8]

loc_8D17D6:				; CODE XREF: CmpFlushHive+17D9EEj
		cmp	eax, 2
		jnb	loc_753F00
		mov	ecx, [ebp+var_D8]
		jmp	loc_753F9C
; 

loc_8D17EA:				; CODE XREF: CmpFlushHive+2E1j
		call	HvUnlockHiveWriter

loc_8D17EF:				; CODE XREF: CmpFlushHive+17DA3Bj
		mov	eax, [ebp+var_20]
		jmp	short loc_8D17FC
; 

loc_8D17F4:				; CODE XREF: CmpFlushHive+17DA30j
		mov	eax, [ebp+var_20]
		xor	esi, esi
		or	eax, 2

loc_8D17FC:				; CODE XREF: CmpFlushHive+17DA18j
		mov	[ebp+var_BC], eax
		jmp	loc_75432E
; 

loc_8D1807:				; CODE XREF: CmpFlushHive+312j
		sub	ecx, 1
		jz	short loc_8D17F4
		sub	ecx, 1
		jnz	loc_7540F8
		jmp	short loc_8D17EF
; 

loc_8D1817:				; CODE XREF: CmpFlushHive+320j
		mov	ecx, [ebx+9D4h]
		mov	edi, [ebx+0C8h]
		mov	[ebp+var_CC], ecx
		cmp	edi, ecx
		ja	short loc_8D183D
		and	eax, 0FFFFFF7Fh
		mov	[ebp+var_C0], eax
		jmp	loc_754100
; 

loc_8D183D:				; CODE XREF: CmpFlushHive+17DA51j
		add	edi, 1000h
		and	dword ptr [ebx+9D4h], 0
		jmp	loc_75410C
; 

loc_8D184F:				; CODE XREF: CmpFlushHive+345j
		xor	edx, edx
		inc	edx
		call	_CmpLogFlushPhaseStart@8 ; CmpLogFlushPhaseStart(x,x)
		push	[ebp+var_D0]
		mov	edx, edi
		mov	ecx, ebx
		call	_HvExtendHivePrimaryFileValidDataLength@12 ; HvExtendHivePrimaryFileValidDataLength(x,x,x)
		mov	esi, eax
		xor	edx, edx
		push	esi
		inc	edx
		call	_CmpLogFlushPhaseEnd@12	; CmpLogFlushPhaseEnd(x,x,x)
		mov	eax, [ebp+var_20]
		test	esi, esi
		js	short loc_8D1880
		or	eax, 21h
		jmp	loc_754128
; 

loc_8D1880:				; CODE XREF: CmpFlushHive+17DA9Cj
		mov	[ebp+var_BC], eax
		jmp	loc_754243
; 

loc_8D188B:				; CODE XREF: CmpFlushHive+71Bj
		or	[ebp+var_C0], 400h
		jmp	loc_754243
; 

loc_8D189A:				; CODE XREF: CmpFlushHive+483j
		test	al, al
		jns	loc_754263
		test	cl, 1
		jnz	loc_754263
		mov	edx, [ebp+var_CC]
		mov	[ebx+9D4h], edx
		jmp	loc_754263
; 

loc_8D18BC:				; CODE XREF: CmpFlushHive+494j
		test	cl, 2
		jz	loc_75428A
		test	eax, 400h
		jz	loc_75428A
		mov	eax, [ebp+var_DC]
		sub	[ebx+74h], eax
		dec	dword ptr [ebx+6Ch]
		and	ecx, 0FFFFFFFDh
		mov	[ebp+var_BC], ecx
		jmp	loc_75428A
; 

loc_8D18EA:				; CODE XREF: CmpFlushHive+4C4j
		call	_HvFoldBackUnreconciledData@4 ;	HvFoldBackUnreconciledData(x)
		jmp	loc_7542E6
; 

loc_8D18F4:				; CODE XREF: CmpFlushHive+536j
		mov	ecx, ebx
		call	_HvFoldBackDirtyData@4 ; HvFoldBackDirtyData(x)
		jmp	loc_754328
; END OF FUNCTION CHUNK	FOR CmpFlushHive
; 
; START	OF FUNCTION CHUNK FOR EtwpWriteAppStateChangeSummary

loc_8D1900:				; CODE XREF: EtwpWriteAppStateChangeSummary+53j
		and	[ebp+var_261], 0
		mov	eax, 101h
		mov	[ebp+var_265], 1
		jmp	loc_7546BC
; 

loc_8D191B:				; CODE XREF: EtwpWriteAppStateChangeSummary+CDj
		mov	ecx, [ebp+var_26C]
		xor	eax, eax
		mov	[ebp+var_220], 8
		mov	[ebp+var_210], 8
		mov	[ebp+var_200], 8
		mov	dl, [ecx]
		test	dl, dl
		mov	[ebp+var_266], dl
		mov	[ebp+var_1F0], 8
		setz	al
		mov	[ebp+var_1E0], 8
		and	[ebp+var_274], 0
		and	[ebp+var_224], 0
		and	[ebp+var_21C], 0
		mov	[ebp+var_278], eax
		lea	eax, [ebp+var_278]
		mov	[ebp+var_228], eax
		xor	eax, eax
		cmp	dl, 1
		mov	[ebp+var_1D0], 8
		mov	[ebp+var_1C0], 8
		setz	al
		and	[ebp+var_27C], 0
		and	[ebp+var_214], 0
		and	[ebp+var_20C], 0
		mov	[ebp+var_280], eax
		lea	eax, [ebp+var_280]
		mov	[ebp+var_218], eax
		xor	eax, eax
		cmp	dl, 2
		setz	al
		and	[ebp+var_284], 0
		and	[ebp+var_204], 0
		and	[ebp+var_1FC], 0
		mov	[ebp+var_288], eax
		lea	eax, [ebp+var_288]
		mov	[ebp+var_208], eax
		xor	eax, eax
		cmp	dl, 3
		setz	al
		and	[ebp+var_28C], 0
		and	[ebp+var_1F4], 0
		and	[ebp+var_1EC], 0
		mov	[ebp+var_290], eax
		lea	eax, [ebp+var_290]
		mov	[ebp+var_1F8], eax
		xor	eax, eax
		cmp	dl, 4
		setz	al
		and	[ebp+var_294], 0
		and	[ebp+var_1E4], 0
		and	[ebp+var_1DC], 0
		mov	[ebp+var_298], eax
		lea	eax, [ebp+var_298]
		mov	[ebp+var_1E8], eax
		xor	eax, eax
		cmp	dl, 5
		setz	al
		and	[ebp+var_29C], 0
		and	[ebp+var_1D4], 0
		and	[ebp+var_1CC], 0
		mov	[ebp+var_2A0], eax
		lea	eax, [ebp+var_2A0]
		mov	[ebp+var_1D8], eax
		xor	eax, eax
		cmp	dl, 6
		setz	al
		xor	edx, edx
		mov	[ebp+var_2A8], eax
		lea	eax, [ebp+var_2A8]
		mov	[ebp+var_1C8], eax
		mov	eax, [ecx+29h]
		mov	[ebp+var_2B0], eax
		mov	eax, [ecx+2Dh]
		mov	[ebp+var_2AC], eax
		lea	eax, [ebp+var_2B0]
		mov	[ebp+var_2A4], edx
		mov	[ebp+var_1C4], edx
		mov	[ebp+var_1BC], edx
		mov	[ebp+var_1B8], eax
		mov	[ebp+var_1B4], edx
		mov	eax, [ecx+31h]
		mov	[ebp+var_2B8], eax
		mov	eax, [ecx+35h]
		mov	[ebp+var_2B4], eax
		lea	eax, [ebp+var_2B8]
		mov	[ebp+var_1A8], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_1B0], 8
		mov	[ebp+var_1AC], edx
		mov	[ebp+var_1A4], edx
		mov	[ebp+var_1A0], 8
		mov	[ebp+var_19C], edx
		test	eax, eax
		jnz	short loc_8D1B29
		mov	ecx, edx
		jmp	short loc_8D1B36
; 

loc_8D1B29:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D4C5j
		test	byte ptr [ebx+3A7h], 7
		push	0
		pop	ecx
		setnz	cl

loc_8D1B36:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D4C9j
		mov	[ebp+var_2C0], ecx
		lea	ecx, [ebp+var_2C0]
		mov	[ebp+var_2BC], edx
		mov	[ebp+var_198], ecx
		mov	[ebp+var_194], edx
		mov	[ebp+var_190], 8
		mov	[ebp+var_18C], edx
		test	eax, eax
		jnz	short loc_8D1B6C
		mov	ecx, edx
		jmp	short loc_8D1B79
; 

loc_8D1B6C:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D508j
		test	byte ptr [ebx+3A7h], 38h
		push	0
		pop	ecx
		setnz	cl

loc_8D1B79:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D50Cj
		mov	[ebp+var_2C8], ecx
		lea	ecx, [ebp+var_2C8]
		mov	[ebp+var_188], ecx
		mov	ecx, edx
		mov	[ebp+var_2C4], edx
		mov	[ebp+var_184], edx
		mov	[ebp+var_180], 8
		mov	[ebp+var_17C], edx
		test	eax, eax
		jz	short loc_8D1BAF
		mov	ecx, [eax]

loc_8D1BAF:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D54Dj
		mov	[ebp+var_2D0], ecx
		lea	ecx, [ebp+var_2D0]
		mov	[ebp+var_2CC], edx
		mov	[ebp+var_178], ecx
		mov	[ebp+var_174], edx
		mov	[ebp+var_170], 8
		mov	[ebp+var_16C], edx
		test	eax, eax
		jnz	short loc_8D1BE5
		mov	ecx, edx
		jmp	short loc_8D1BEB
; 

loc_8D1BE5:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D581j
		mov	ecx, [eax+4]
		mov	edx, [eax+8]

loc_8D1BEB:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D585j
		and	[ebp+var_164], 0
		and	[ebp+var_15C], 0
		mov	[ebp+var_2D8], ecx
		lea	ecx, [ebp+var_2D8]
		mov	[ebp+var_2D4], edx
		mov	[ebp+var_168], ecx
		mov	[ebp+var_160], 8
		test	eax, eax
		jnz	short loc_8D1C25
		xor	ecx, ecx
		xor	edx, edx
		jmp	short loc_8D1C2B
; 

loc_8D1C25:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D5BFj
		mov	ecx, [eax+0Ch]
		mov	edx, [eax+10h]

loc_8D1C2B:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D5C5j
		mov	[ebp+var_2E0], ecx
		lea	ecx, [ebp+var_2E0]
		mov	[ebp+var_2DC], edx
		xor	edx, edx
		mov	[ebp+var_158], ecx
		mov	ecx, edx
		mov	[ebp+var_154], edx
		mov	[ebp+var_150], 8
		mov	[ebp+var_14C], edx
		test	eax, eax
		jz	short loc_8D1C64
		mov	ecx, [eax+1Ch]

loc_8D1C64:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D601j
		mov	[ebp+var_2E8], ecx
		lea	ecx, [ebp+var_2E8]
		mov	[ebp+var_148], ecx
		mov	ecx, edx
		mov	[ebp+var_2E4], edx
		mov	[ebp+var_144], edx
		mov	[ebp+var_140], 8
		mov	[ebp+var_13C], edx
		test	eax, eax
		jz	short loc_8D1C9B
		mov	ecx, [eax+24h]

loc_8D1C9B:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D638j
		mov	[ebp+var_2F0], ecx
		lea	ecx, [ebp+var_2F0]
		mov	[ebp+var_138], ecx
		mov	ecx, edx
		mov	[ebp+var_2EC], edx
		mov	[ebp+var_134], edx
		mov	[ebp+var_130], 8
		mov	[ebp+var_12C], edx
		test	eax, eax
		jz	short loc_8D1CD2
		mov	ecx, [eax+20h]

loc_8D1CD2:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D66Fj
		mov	[ebp+var_2F8], ecx
		lea	ecx, [ebp+var_2F8]
		mov	[ebp+var_128], ecx
		mov	ecx, edx
		mov	[ebp+var_2F4], edx
		mov	[ebp+var_124], edx
		mov	[ebp+var_120], 8
		mov	[ebp+var_11C], edx
		test	eax, eax
		jz	short loc_8D1D09
		mov	ecx, [eax+28h]

loc_8D1D09:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D6A6j
		mov	[ebp+var_300], ecx
		lea	ecx, [ebp+var_300]
		mov	[ebp+var_2FC], edx
		mov	[ebp+var_118], ecx
		mov	[ebp+var_114], edx
		mov	[ebp+var_110], 8
		mov	[ebp+var_10C], edx
		test	eax, eax
		jnz	short loc_8D1D3F
		mov	ecx, edx
		jmp	short loc_8D1D45
; 

loc_8D1D3F:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D6DBj
		mov	ecx, [eax+14h]
		mov	edx, [eax+18h]

loc_8D1D45:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D6DFj
		mov	[ebp+var_308], ecx
		lea	ecx, [ebp+var_308]
		mov	[ebp+var_304], edx
		xor	edx, edx
		mov	[ebp+var_108], ecx
		mov	[ebp+var_104], edx
		mov	[ebp+var_100], 8
		mov	[ebp+var_FC], edx
		test	eax, eax
		jnz	short loc_8D1D7D
		mov	ecx, edx
		jmp	short loc_8D1D82
; 

loc_8D1D7D:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D719j
		mov	ecx, edi
		shr	ecx, 1Fh

loc_8D1D82:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D71Dj
		mov	[ebp+var_310], ecx
		lea	ecx, [ebp+var_310]
		mov	[ebp+var_30C], edx
		mov	[ebp+var_F8], ecx
		mov	[ebp+var_F4], edx
		mov	[ebp+var_F0], 8
		mov	[ebp+var_EC], edx
		test	eax, eax
		jnz	short loc_8D1DB8
		mov	ecx, edx
		jmp	short loc_8D1DBF
; 

loc_8D1DB8:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D754j
		xor	ecx, ecx
		test	edi, edi
		setz	cl

loc_8D1DBF:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D758j
		mov	[ebp+var_318], ecx
		lea	ecx, [ebp+var_318]
		mov	[ebp+var_314], edx
		mov	[ebp+var_E8], ecx
		mov	[ebp+var_E4], edx
		mov	[ebp+var_E0], 8
		mov	[ebp+var_DC], edx
		test	eax, eax
		jnz	short loc_8D1DF5
		mov	ecx, edx
		jmp	short loc_8D1DFD
; 

loc_8D1DF5:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D791j
		xor	ecx, ecx
		cmp	edi, 1
		setz	cl

loc_8D1DFD:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D795j
		mov	[ebp+var_320], ecx
		lea	ecx, [ebp+var_320]
		mov	[ebp+var_D8], ecx
		mov	[ebp+var_31C], edx
		mov	[ebp+var_D4], edx
		mov	[ebp+var_CC], edx
		push	8
		pop	ecx
		mov	[ebp+var_D0], ecx
		test	eax, eax
		jnz	short loc_8D1E32
		mov	eax, edx
		jmp	short loc_8D1E3F
; 

loc_8D1E32:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D7CEj
		movzx	eax, byte ptr [ebx+3A7h]
		shr	eax, 6
		and	eax, 1

loc_8D1E3F:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D7D2j
		cmp	[ebp+var_266], 3
		mov	[ebp+var_328], eax
		lea	eax, [ebp+var_328]
		mov	[ebp+var_324], edx
		mov	[ebp+var_C8], eax
		mov	[ebp+var_C4], edx
		mov	[ebp+var_C0], ecx
		mov	[ebp+var_BC], edx
		jnz	short loc_8D1E7A
		mov	eax, [ebx+298h]
		jmp	short loc_8D1E7C
; 

loc_8D1E7A:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D812j
		mov	eax, edx

loc_8D1E7C:				; CODE XREF: EtwpWriteAppStateChangeSummary+17D81Aj
		mov	[ebp+var_330], eax
		lea	eax, [ebp+var_330]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_A8], eax
		mov	eax, [esi+4]
		mov	[ebp+var_98], eax
		movzx	eax, word ptr [esi]
		mov	esi, [ebp+var_270]
		push	2
		mov	[ebp+var_32C], edx
		mov	[ebp+var_B4], edx
		mov	[ebp+var_B0], ecx
		lea	ecx, [ebp+var_88]
		mov	[ebp+var_AC], edx
		mov	[ebp+var_A4], edx
		pop	edi
		mov	[ebp+var_9C], edx
		mov	[ebp+var_94], edx
		mov	[ebp+var_8C], edx
		lea	edx, [esi+8]
		mov	[ebp+var_A0], edi
		mov	[ebp+var_90], eax
		call	_tlgCreate1Sz_wchar_t
		lea	edx, [esi+108h]
		lea	ecx, [ebp+var_78]
		call	_tlgCreate1Sz_wchar_t
		mov	ecx, [ebp+arg_8]
		xor	ebx, ebx
		push	4
		pop	edx
		mov	[ebp+var_60], edx
		mov	eax, [ecx]
		mov	[ebp+var_270], eax
		lea	eax, [ebp+var_270]
		mov	[ebp+var_68], eax
		mov	eax, [ecx+4]
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_26C], eax
		lea	eax, [ebp+var_26C]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_48], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_38], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_265]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_338]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_248]
		push	eax
		push	24h
		mov	[ebp+var_50], edx
		mov	edx, offset loc_423266
		push	ecx
		mov	ecx, offset dword_6B2A18
		mov	[ebp+var_64], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], 1Dh
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_338], 3000000h
		mov	[ebp+var_334], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], ebx
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)
		jmp	loc_754731
; END OF FUNCTION CHUNK	FOR EtwpWriteAppStateChangeSummary
; 
; START	OF FUNCTION CHUNK FOR CmpOpenHiveFile

loc_8D1FC2:				; CODE XREF: CmpOpenHiveFile+B8j
		mov	eax, 0C000000Dh
		jmp	loc_754A1B
; 

loc_8D1FCC:				; CODE XREF: CmpOpenHiveFile+324j
		mov	esi, 0C000009Ah
		jmp	loc_754A09
; 

loc_8D1FD6:				; CODE XREF: CmpOpenHiveFile+140j
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_8C]
		push	ecx
		lea	ecx, [ebp+var_90]
		mov	[ebp+var_80], eax
		push	ecx
		lea	ecx, [ebp+var_94]
		push	ecx
		push	eax
		call	_PsReferenceImpersonationToken@16 ; PsReferenceImpersonationToken(x,x,x,x)
		mov	[ebp+var_68], eax
		mov	eax, [ebp+var_84]
		mov	ecx, [eax+0ACh]
		push	ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	[ebp+var_80]
		call	PsImpersonateClient
		test	eax, eax
		js	loc_754AF5
		mov	ecx, [ebp+arg_8]
		or	ecx, 40h
		mov	[ebp+var_51], 1
		mov	[ebp+arg_8], ecx
		jmp	loc_7548A6
; 

loc_8D2031:				; CODE XREF: CmpOpenHiveFile+1B5j
		push	edi
		push	[ebp+var_7C]
		lea	eax, [ebp+var_78]
		push	eax
		lea	edx, [ebp+var_C8]
		lea	ecx, [ebp+var_50]
		call	_CmpOpenFileWithExtremePrejudice@20 ; CmpOpenFileWithExtremePrejudice(x,x,x,x,x)
		mov	esi, eax
		jmp	loc_75491B
; 

loc_8D204E:				; CODE XREF: CmpOpenHiveFile+1BFj
		mov	eax, [ebp+var_68]
		test	eax, eax
		jz	short loc_8D2089
		push	[ebp+var_8C]
		push	[ebp+var_90]
		push	[ebp+var_94]
		push	eax
		push	[ebp+var_80]
		call	PsImpersonateClient
		test	eax, eax
		jns	loc_754925
		xor	eax, eax
		push	eax
		push	eax
		mov	eax, [ebp+var_68]
		push	eax
		push	26h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8D2089:				; CODE XREF: CmpOpenHiveFile+17D8F3j
		call	_PsRevertToSelf@0 ; PsRevertToSelf()
		jmp	loc_754925
; 

loc_8D2093:				; CODE XREF: CmpOpenHiveFile+433j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_70]
		call	KeWaitForSingleObject
		mov	esi, [ebp+var_78]
		jmp	loc_754B99
; 

loc_8D20A7:				; CODE XREF: CmpOpenHiveFile+44Dj
		push	[ebp+var_50]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7549EB
; 

loc_8D20B4:				; CODE XREF: CmpOpenHiveFile+242j
		push	2
		pop	edi
		jmp	loc_7549A8
; 

loc_8D20BC:				; CODE XREF: CmpOpenHiveFile+26Ej
					; CmpOpenHiveFile+3AAj
		push	[ebp+var_50]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_754AF5
; 

loc_8D20C9:				; CODE XREF: CmpOpenHiveFile+2A3j
		mov	ecx, eax
		call	ObfDereferenceObject
		jmp	loc_754A09
; END OF FUNCTION CHUNK	FOR CmpOpenHiveFile
; 
; START	OF FUNCTION CHUNK FOR PsSetProcessTelemetryAppState

loc_8D20D5:				; CODE XREF: PsSetProcessTelemetryAppState+1AAj
		cmp	eax, 1
		jnz	loc_754DF2
		push	6
		pop	ebx
		jmp	loc_754DF2
; 

loc_8D20E6:				; CODE XREF: PsSetProcessTelemetryAppState+145j
		xor	edi, edi
		jmp	loc_754C7C
; END OF FUNCTION CHUNK	FOR PsSetProcessTelemetryAppState
; 
; START	OF FUNCTION CHUNK FOR PopEtProcessSnapshotCreate

loc_8D20ED:				; CODE XREF: PopEtProcessSnapshotCreate+1DFj
		mov	esi, [ebp+var_14]
		mov	edi, [ebp+var_18]

loc_8D20F3:				; CODE XREF: PopEtProcessSnapshotCreate+33j
		inc	dword ptr [edi+23Ch]
		mov	ebx, 0C000009Ah
		test	esi, esi
		jz	loc_754EFF
		lea	ecx, [esi+8]
		call	_PopEtAggregateKeyCleanup@4 ; PopEtAggregateKeyCleanup(x)
		push	54456F50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_754EFF
; END OF FUNCTION CHUNK	FOR PopEtProcessSnapshotCreate
; 
; START	OF FUNCTION CHUNK FOR PopEtAggregateKeyCopyFromProcess

loc_8D211E:				; CODE XREF: PopEtAggregateKeyCopyFromProcess+3Cj
		push	edi
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	[ebp+var_C], eax
		mov	eax, [edi+3E8h]
		mov	[ebp+var_14], eax
		mov	eax, [edi+3ECh]
		mov	[ebp+var_10], eax
		jmp	loc_7550AA
; END OF FUNCTION CHUNK	FOR PopEtAggregateKeyCopyFromProcess
; 
; START	OF FUNCTION CHUNK FOR PspChangeProcessExecutionState

loc_8D213E:				; CODE XREF: PspChangeProcessExecutionState+9Ej
		mov	edx, eax
		test	eax, 40000000h
		jz	loc_75513C
		jmp	loc_755150
; 

loc_8D2150:				; CODE XREF: PspChangeProcessExecutionState+F4j
		mov	ecx, edi
		call	ObfDereferenceObject
		xor	edi, edi
		jmp	loc_7551DA
; 

loc_8D215E:				; CODE XREF: PspChangeProcessExecutionState+1F6j
		cmp	eax, 0C0000099h
		jnz	short loc_8D2169
		mov	[esp+58h+var_3C], eax

loc_8D2169:				; CODE XREF: PspChangeProcessExecutionState+17D083j
		mov	esi, ebx
		and	esi, 0FFFFFFFDh
		jmp	loc_755212
; 

loc_8D2173:				; CODE XREF: PspChangeProcessExecutionState+144j
		cmp	ebx, esi
		jnz	loc_755184
		jmp	loc_75522A
; 

loc_8D2180:				; CODE XREF: PspChangeProcessExecutionState+169j
		mov	edx, eax
		jmp	loc_755218
; END OF FUNCTION CHUNK	FOR PspChangeProcessExecutionState
; 
; START	OF FUNCTION CHUNK FOR PopEtEnumEnergyTrackers

loc_8D2187:				; CODE XREF: PopEtEnumEnergyTrackers+18j
		mov	edx, 74456F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	loc_755314
; END OF FUNCTION CHUNK	FOR PopEtEnumEnergyTrackers

;  S U B	R O U T	I N E 


sub_8D2198	proc near		; DATA XREF: .text:006A0464o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8D2198	endp


;  S U B	R O U T	I N E 


sub_8D21A8	proc near		; DATA XREF: .text:006A0468o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-1Ch]
		jmp	loc_75544E
sub_8D21A8	endp

; 
; START	OF FUNCTION CHUNK FOR PspRemoveProcessFromJobChain

loc_8D21B3:				; CODE XREF: PspRemoveProcessFromJobChain+25j
		test	byte ptr [ebp+arg_0], 1
		jz	loc_755660
		jmp	loc_755523
; 

loc_8D21C2:				; CODE XREF: PspRemoveProcessFromJobChain+8Dj
		push	dword ptr [ebp+0Ch]
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_EtwTraceJobRemoveProcess@12 ; EtwTraceJobRemoveProcess(x,x,x)
		jmp	loc_75558B
; 

loc_8D21D4:				; CODE XREF: PspRemoveProcessFromJobChain+D6j
		test	al, al
		jz	loc_7555D4
		inc	dword ptr [esi+94h]
		jmp	loc_7555D4
; 

loc_8D21E7:				; CODE XREF: PspRemoveProcessFromJobChain+E1j
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_8D21F5
		cmp	eax, esi
		jnz	loc_7555DF

loc_8D21F5:				; CODE XREF: PspRemoveProcessFromJobChain+17CCF3j
		cmp	[esi+0D4h], ebx
		jz	loc_7555DF
		mov	ecx, [edx+4]
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	[esi+1A8h], eax
		jz	loc_7555DF
		push	ebx
		push	dword ptr [edx+8]
		mov	edx, ecx
		mov	ecx, esi
		call	_PspSendJobNotification@16 ; PspSendJobNotification(x,x,x,x)
		jmp	loc_7555DF
; 

loc_8D2227:				; CODE XREF: PspRemoveProcessFromJobChain+1DAj
		lea	ecx, [esi+260h]
		lea	edx, [ebp+var_88]
		call	_PspSubtractAccountingValues@8 ; PspSubtractAccountingValues(x,x)
		mov	[ebp+var_C], 2
		jmp	loc_7555E8
; END OF FUNCTION CHUNK	FOR PspRemoveProcessFromJobChain
; 
; START	OF FUNCTION CHUNK FOR PsEnumProcesses

loc_8D2244:				; CODE XREF: PsEnumProcesses+27j
		mov	edx, 6E457350h
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_7557D5
; END OF FUNCTION CHUNK	FOR PsEnumProcesses
; 
; START	OF FUNCTION CHUNK FOR ExGetNextProcess

loc_8D2255:				; CODE XREF: ExGetNextProcess+2Bj
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	ds:_PsProcessType
		push	400h
		push	0
		push	200h
		push	esi
		call	ObOpenObjectByPointer
		test	eax, eax
		js	loc_755E18
		push	0
		push	[ebp+var_4]
		call	ObCloseHandle
		jmp	loc_755E39
; END OF FUNCTION CHUNK	FOR ExGetNextProcess

;  S U B	R O U T	I N E 


sub_8D228A	proc near		; DATA XREF: .text:006A04A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D228A	endp


;  S U B	R O U T	I N E 


sub_8D2298	proc near		; DATA XREF: .text:006A04A8o
		mov	esp, [ebp-18h]
		mov	edx, [ebp-1Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_755F31
sub_8D2298	endp

; 
; START	OF FUNCTION CHUNK FOR PopEtProcessSnapshotUpdate

loc_8D22AA:				; CODE XREF: PopEtProcessSnapshotUpdate+A0j
		xor	eax, eax
		jmp	loc_756181
; END OF FUNCTION CHUNK	FOR PopEtProcessSnapshotUpdate
; 
; START	OF FUNCTION CHUNK FOR PopEtAggregateGet

loc_8D22B1:				; CODE XREF: PopEtAggregateGet+38j
		inc	dword ptr [esi+240h]
		jmp	short loc_8D22E1
; 

loc_8D22B9:				; CODE XREF: PopEtAggregateGet+20Aj
		mov	edi, [ebp+var_C]
		mov	esi, 0C000009Ah
		jmp	loc_75697A
; 

loc_8D22C6:				; CODE XREF: PopEtAggregateGet+E6j
		lea	ecx, [edi+8]
		call	_PopEtAggregateKeyCleanup@4 ; PopEtAggregateKeyCleanup(x)
		push	54456F50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_756982
; 

loc_8D22DE:				; CODE XREF: PopEtAggregateGet+EEj
		mov	esi, [ebp+var_14]

loc_8D22E1:				; CODE XREF: PopEtAggregateGet+54j
					; PopEtAggregateGet+17BA21j
		mov	eax, [ebp+arg_0]
		lea	edi, [esi+38h]
		inc	dword ptr [esi+234h]
		mov	[eax], edi
		mov	eax, [esi+254h]
		test	al, 4
		jnz	loc_75698A
		or	eax, 4
		mov	[esi+254h], eax
		or	eax, 0FFFFFFFFh
		mov	ecx, [ebx+4]
		mov	edx, ecx
		and	ecx, 1Fh
		shr	edx, 5
		shl	eax, cl
		and	eax, [edi+4]
		mov	[ebp+var_20], eax
		mov	[ebp+arg_0], eax
		movzx	eax, al
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		mov	eax, [ebp+var_20]
		movzx	eax, ah
		add	ecx, eax
		movzx	eax, byte ptr [ebp+arg_0+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+arg_0+3]
		imul	ecx, 25h
		add	ecx, eax
		dec	edx
		and	edx, ecx
		mov	ecx, [ebx+8]
		mov	eax, [ecx+edx*4]
		mov	[edi], eax
		mov	[ecx+edx*4], edi
		inc	dword ptr [ebx]
		jmp	loc_75698A
; END OF FUNCTION CHUNK	FOR PopEtAggregateGet
; 
; START	OF FUNCTION CHUNK FOR PspQueryJobHierarchyAccountingInformation

loc_8D2359:				; CODE XREF: PspQueryJobHierarchyAccountingInformation+351j
		push	110h		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_756F7D
; END OF FUNCTION CHUNK	FOR PspQueryJobHierarchyAccountingInformation
; 
; START	OF FUNCTION CHUNK FOR PspLockRootJobFromProcess

loc_8D236D:				; CODE XREF: PspLockRootJobFromProcess+33j
					; PspLockRootJobFromProcess+45j
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		mov	edx, edi
		jmp	loc_756FD9
; END OF FUNCTION CHUNK	FOR PspLockRootJobFromProcess
; 

loc_8D237E:				; CODE XREF: PAGE:0075724Fj
		dec	eax
		sub	eax, 1
		jz	loc_757255
		sub	eax, 6
		jz	loc_757255
		sub	eax, 3
		jz	loc_757255
		sub	eax, 11h
		jz	loc_757255
		sub	eax, 6
		jz	loc_757255

loc_8D23AC:				; CODE XREF: PAGE:0075725Dj
					; PAGE:loc_757270j ...
		mov	eax, 0C0000004h
		jmp	loc_7573F2
; 

loc_8D23B6:				; CODE XREF: PAGE:0075741Ej
		mov	ecx, [ebp-54Ch]
		mov	eax, ecx
		sub	eax, 1
		jnz	short loc_8D23AC
		mov	dword ptr [ebp-550h], 1
		jmp	loc_75727C
; 

loc_8D23D2:				; CODE XREF: PAGE:007572CFj
					; PAGE:007572D7j
		mov	[ecx], bl
		jmp	loc_7572DD
; 

loc_8D23D9:				; CODE XREF: PAGE:0075742Aj
		mov	ecx, eax
		jmp	loc_757430
; 

loc_8D23E0:				; DATA XREF: .text:006A04C4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5E0h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8D23F1:				; DATA XREF: .text:006A04C8o
		mov	eax, [ebp-5E0h]
		jmp	loc_8D2C2A
; 

loc_8D23FC:				; CODE XREF: PAGE:00757B01j
		cmp	edx, 1Fh
		jz	loc_75733A
		cmp	edx, 27h
		jz	loc_75733A
		mov	eax, 0C0000022h
		jmp	loc_7573F2
; 

loc_8D2418:				; CODE XREF: PAGE:00757579j
		mov	eax, [ebx+0C0h]
		mov	[ebp-1A4h], eax
		jmp	loc_757585
; 

loc_8D2429:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CBEo
		mov	edx, edi
		mov	ecx, ebx
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		mov	eax, [ebx+0CCh]
		mov	[ebp-5A8h], eax
		mov	edx, edi
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		xor	esi, esi
		mov	edi, esi
		lea	esi, [ebp-5A8h]
		jmp	loc_7573A6
; 

loc_8D2456:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CC2o
		xor	eax, eax
		lea	edi, [ebp-618h]
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		mov	[ebp-541h], al
		mov	[ebp-4], eax
		push	5
		pop	ecx
		lea	esi, [ebp-618h]
		mov	edi, [ebp-55Ch]
		rep movsd
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_8D24B1
; 

loc_8D2489:				; DATA XREF: .text:006A0504o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-5D0h]
		mov	[ebp-560h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-558h]
		mov	eax, [ebp-574h]
		mov	[ebp-548h], eax

loc_8D24B1:				; CODE XREF: PAGE:008D2487j
					; PAGE:008D2B9Aj
		mov	edi, [ebp-560h]
		jmp	loc_7573A0
; 

loc_8D24BC:				; DATA XREF: .text:006A04D0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5DCh], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8D24CD:				; DATA XREF: .text:006A04D4o
		mov	edi, [ebp-5DCh]
		and	dword ptr [ebp-56Ch], 0
		jmp	short loc_8D24E2
; 

loc_8D24DC:				; DATA XREF: .text:006A04ECo
		mov	edi, [ebp-5E4h]

loc_8D24E2:				; CODE XREF: PAGE:008D24DAj
					; PAGE:008D2645j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-558h]
		mov	eax, [ebp-574h]
		mov	[ebp-548h], eax
		jmp	loc_7573A0
; 

loc_8D2503:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CCAo
		mov	ecx, edi
		call	_PspLockJobListShared@4	; PspLockJobListShared(x)
		mov	ecx, edi
		call	_PspUnlockJobListShared@4 ; PspUnlockJobListShared(x)
		xor	esi, esi
		mov	edi, esi
		lea	esi, [ebp-5D8h]
		jmp	loc_7573A6
; 

loc_8D2520:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CC6o
		mov	eax, [ebx+0D0h]
		mov	[ebp-5A4h], eax
		mov	edi, ecx
		lea	esi, [ebp-5A4h]
		jmp	loc_7573A6
; 

loc_8D2539:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CCEo
		cmp	[ebp-57Ch], ecx
		jz	loc_8D264A
		mov	eax, [ebp-54Ch]
		test	al, 1
		jnz	loc_8D264A
		mov	edx, edi
		mov	ecx, ebx
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		xor	esi, esi
		mov	ecx, esi
		mov	[ebp-560h], esi
		movzx	eax, word ptr [ebx+0B8h]
		mov	[ebp-570h], eax
		xor	edx, edx
		cmp	dx, ax
		jnb	short loc_8D25A6
		lea	edx, [ebx+0C0h]
		mov	eax, [ebp-5A0h]

loc_8D2586:				; CODE XREF: PAGE:008D259Ej
		cmp	[edx], esi
		jz	short loc_8D2593
		mov	[ebp+ecx*2-590h], ax
		inc	ecx

loc_8D2593:				; CODE XREF: PAGE:008D2588j
		inc	eax
		add	edx, 4
		cmp	ax, [ebp-570h]
		jb	short loc_8D2586
		mov	[ebp-560h], ecx

loc_8D25A6:				; CODE XREF: PAGE:008D2578j
		mov	edx, edi
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		mov	eax, [ebp-560h]
		lea	ecx, [eax+eax]
		mov	[ebp-56Ch], ecx
		mov	byte ptr [ebp-541h], 1
		mov	eax, [ebp-54Ch]
		cmp	ecx, eax
		ja	short loc_8D25D5
		mov	[ebp-550h], ecx

loc_8D25D5:				; CODE XREF: PAGE:008D25CDj
		mov	dword ptr [ebp-4], 2
		cmp	eax, ecx
		sbb	edi, edi
		and	edi, 0C0000023h
		lea	eax, [ebp-590h]
		jmp	short loc_8D260D
; 

loc_8D25EE:				; CODE XREF: PAGE:008D2711j
		mov	[ebp-550h], edi

loc_8D25F4:				; CODE XREF: PAGE:008D270Bj
		sbb	edi, edi
		and	edi, 0C0000023h
		mov	byte ptr [ebp-541h], 1
		mov	dword ptr [ebp-4], 3
		lea	eax, [ebp-28h]

loc_8D260D:				; CODE XREF: PAGE:008D25ECj
		push	dword ptr [ebp-550h]
		push	eax
		push	dword ptr [ebp-55Ch]
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7573A0
; 

loc_8D262E:				; DATA XREF: .text:006A04DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5E8h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8D263F:				; DATA XREF: .text:006A04E0o
		mov	edi, [ebp-5E8h]
		jmp	loc_8D24E2
; 

loc_8D264A:				; CODE XREF: PAGE:008D253Fj
					; PAGE:008D254Dj
		mov	edi, 0C000000Dh
		jmp	short loc_8D2656
; 

loc_8D2651:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757D32o
		mov	edi, 0C0000003h

loc_8D2656:				; CODE XREF: PAGE:008D264Fj
					; PAGE:008D2930j ...
		mov	esi, ecx
		jmp	loc_7573A6
; 

loc_8D265D:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CDAo
		cmp	[ebp-57Ch], ecx
		jz	loc_8D2727
		mov	eax, [ebp-54Ch]
		xor	edx, edx
		push	0Ch
		pop	ecx
		div	ecx
		test	edx, edx
		jnz	loc_8D2727
		mov	edx, edi
		mov	ecx, ebx
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		lea	edi, [ebp-34h]
		test	byte ptr [ebx+0B0h], 10h
		mov	esi, offset _KeActiveProcessors
		jz	short loc_8D269E
		lea	esi, [ebx+0B8h]

loc_8D269E:				; CODE XREF: PAGE:008D2696j
		movsd
		movsd
		movsd
		mov	edx, [ebp-580h]
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		movzx	eax, word ptr [ebp-34h]
		imul	edi, eax, 0Ch
		push	edi
		xor	esi, esi
		push	esi
		lea	eax, [ebp-28h]
		push	eax
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		cmp	ax, [ebp-34h]
		jnb	short loc_8D26F7
		lea	ecx, [ebp-28h]
		lea	esi, [ebp-2Ch]
		mov	edx, [ebp-5A0h]
		mov	bx, [ebp-34h]

loc_8D26DD:				; CODE XREF: PAGE:008D26EFj
		mov	[ecx+4], dx
		mov	eax, [esi]
		mov	[ecx], eax
		inc	edx
		lea	esi, [esi+4]
		lea	ecx, [ecx+0Ch]
		cmp	dx, bx
		jb	short loc_8D26DD
		mov	ebx, [ebp-568h]

loc_8D26F7:				; CODE XREF: PAGE:008D26CBj
		mov	[ebp-56Ch], edi
		mov	eax, [ebp-54Ch]
		cmp	eax, edi
		mov	[ebp-550h], eax
		jb	loc_8D25F4
		jmp	loc_8D25EE
; 

loc_8D2716:				; DATA XREF: .text:006A04E8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5E4h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8D2727:				; CODE XREF: PAGE:008D2663j
					; PAGE:008D2678j
		mov	edi, 0C000000Dh
		jmp	loc_7573A0
; 

loc_8D2731:				; CODE XREF: PAGE:007579E6j
		cmp	eax, 30h
		jz	short loc_8D2741
		lea	eax, [ebp-13Ch]
		jmp	loc_7579FF
; 

loc_8D2741:				; CODE XREF: PAGE:008D2734j
		lea	edx, [ebp-218h]
		lea	ecx, [ebp-13Ch]
		call	_PspConvertJobNotificationLimitToV1@8 ;	PspConvertJobNotificationLimitToV1(x,x)
		mov	eax, edx
		jmp	loc_7579FF
; 

loc_8D2759:				; CODE XREF: PAGE:00757774j
		mov	[ebp-8Ch], ecx
		mov	[ebp-88h], esi
		jmp	loc_75778C
; 

loc_8D276A:				; CODE XREF: PAGE:00757796j
		mov	[ebp-7Ch], ecx
		mov	[ebp-78h], esi
		jmp	loc_7577A8
; 

loc_8D2775:				; CODE XREF: PAGE:007577B2j
		mov	[ebp-6Ch], ecx
		mov	[ebp-68h], esi
		jmp	loc_7577C4
; 

loc_8D2780:				; CODE XREF: PAGE:00757825j
		mov	byte ptr [ebp+edi-584h], 1
		jmp	loc_75782D
; 

loc_8D278D:				; CODE XREF: PAGE:00757853j
		mov	edx, [edx+edi*4+3Ch]
		jmp	loc_75785C
; 

loc_8D2796:				; CODE XREF: PAGE:007578D8j
		cmp	eax, 50h
		jnz	short loc_8D27B3
		lea	edx, [ebp-328h]
		lea	ecx, [ebp-9Ch]
		call	_PspConvertJobLimitViolationToV1@8 ; PspConvertJobLimitViolationToV1(x,x)
		mov	eax, edx
		jmp	loc_7578F1
; 

loc_8D27B3:				; CODE XREF: PAGE:008D2799j
		lea	eax, [ebp-9Ch]
		jmp	loc_7578F1
; 

loc_8D27BE:				; CODE XREF: PAGE:00757909j
		push	726h
		push	esi
		lea	eax, [ebp-560h]
		push	eax
		lea	eax, [ebp-9Ch]
		push	eax
		mov	edx, [ebp-578h]
		mov	ecx, ebx
		call	_EtwTraceJobSetQuery@24	; EtwTraceJobSetQuery(x,x,x,x,x,x)
		jmp	loc_7573A0
; 

loc_8D27E4:				; CODE XREF: PAGE:00757BF2j
		mov	eax, [eax+18h]
		mov	[ebp-5C4h], eax
		mov	eax, ecx
		and	eax, 4
		or	eax, 2
		shr	eax, 1
		test	cl, 1
		jz	short loc_8D27FF
		or	eax, 4

loc_8D27FF:				; CODE XREF: PAGE:008D27FAj
		test	cl, 2
		jz	short loc_8D2807
		or	eax, 8

loc_8D2807:				; CODE XREF: PAGE:008D2802j
		test	cl, 20h
		jz	short loc_8D280F
		or	eax, 10h

loc_8D280F:				; CODE XREF: PAGE:008D280Aj
		mov	[ebp-5C8h], eax
		jmp	loc_757B5C
; 

loc_8D281A:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CEAo
		mov	dword ptr [ebp-0BCh], 7
		xor	eax, eax
		mov	[ebp-0B6h], ax
		mov	edx, edi
		mov	ecx, ebx
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		mov	ecx, [ebx+310h]
		mov	eax, ecx
		shr	eax, 9
		xor	edx, edx
		inc	edx
		and	al, dl
		mov	[ebp-0B8h], al
		shr	ecx, 13h
		and	cl, dl
		mov	[ebp-0B7h], cl
		mov	eax, [ebx+1F8h]
		mov	[ebp-0B4h], eax
		mov	eax, [ebx+1FCh]
		mov	[ebp-0B0h], eax
		mov	edx, edi
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		xor	esi, esi
		mov	edi, esi
		lea	esi, [ebp-0BCh]
		jmp	loc_7573A6
; 

loc_8D2887:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757CF6o
		mov	edx, [ebp-55Ch]
		mov	ecx, ebx
		call	_PspQueryJobHierarchyInterferenceCount@8 ; PspQueryJobHierarchyInterferenceCount(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8D28A6
		mov	byte ptr [ebp-541h], 1
		push	8
		pop	esi
		jmp	short loc_8D28A8
; 

loc_8D28A6:				; CODE XREF: PAGE:008D2898j
		xor	esi, esi

loc_8D28A8:				; CODE XREF: PAGE:008D28A4j
		mov	[ebp-56Ch], esi
		jmp	loc_7573A0
; 

loc_8D28B3:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757D0Ao
		mov	edx, edi
		mov	ecx, ebx
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		mov	edx, [ebx+30Ch]
		test	edx, edx
		jz	short loc_8D2913
		xor	ecx, ecx
		inc	ecx
		mov	[ebp-0A4h], ecx
		mov	eax, [edx+20h]
		mov	[ebp-570h], eax
		test	al, cl
		jz	short loc_8D28FD
		push	3
		pop	ecx
		mov	[ebp-0A4h], ecx
		mov	eax, [edx+18h]
		mov	[ebp-0ACh], eax
		mov	eax, [edx+1Ch]
		mov	[ebp-0A8h], eax
		mov	eax, [ebp-570h]

loc_8D28FD:				; CODE XREF: PAGE:008D28DAj
		test	al, 2
		jz	short loc_8D2913
		or	ecx, 4
		mov	[ebp-0A4h], ecx
		mov	al, [edx+28h]
		mov	[ebp-0A0h], al

loc_8D2913:				; CODE XREF: PAGE:008D28C4j
					; PAGE:008D28FFj
		mov	edx, edi
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		xor	esi, esi
		mov	edi, esi
		lea	esi, [ebp-0ACh]
		jmp	loc_7573A6
; 

loc_8D292B:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757D06o
		mov	edi, 0C0000002h
		jmp	loc_8D2656
; 

loc_8D2935:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757D26o
		lea	esi, [ebx+2E8h]
		lea	edi, [ebp-14Ch]
		movsd
		movsd
		movsd
		movsd
		mov	edi, ecx
		lea	esi, [ebp-14Ch]
		jmp	loc_7573A6
; 

loc_8D2952:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757D0Eo
		test	dword ptr [ebx+310h], 40000000h
		jnz	short loc_8D2968
		mov	edi, 0C0000509h
		jmp	loc_8D2656
; 

loc_8D2968:				; CODE XREF: PAGE:008D295Cj
		mov	eax, [ebx+2D4h]
		mov	[ebp-0CCh], eax
		push	ebx
		call	_PsGetParentSilo@4 ; PsGetParentSilo(x)
		mov	esi, eax
		push	esi
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jnz	short loc_8D2996
		mov	eax, [esi+2D4h]
		mov	[ebp-0C8h], eax
		xor	esi, esi
		jmp	short loc_8D299E
; 

loc_8D2996:				; CODE XREF: PAGE:008D2984j
		xor	esi, esi
		mov	[ebp-0C8h], esi

loc_8D299E:				; CODE XREF: PAGE:008D2994j
		mov	eax, [ebx+2C8h]
		mov	[ebp-0C4h], eax
		mov	ecx, ebx
		call	_PspIsSiloInServerSilo@4 ; PspIsSiloInServerSilo(x)
		mov	[ebp-0C0h], al
		mov	edi, esi
		lea	esi, [ebp-0CCh]
		jmp	loc_7573A6
; 

loc_8D29C4:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757D12o
		mov	ecx, ebx
		call	_PspGetJobSilo@4 ; PspGetJobSilo(x)
		test	eax, eax
		jnz	short loc_8D29DB
		mov	edi, 0C0000509h
		mov	esi, edx
		jmp	loc_7573A6
; 

loc_8D29DB:				; CODE XREF: PAGE:008D29CDj
		lea	edx, [ebp-598h]
		mov	ecx, eax
		call	_ObGetSiloRootDirectoryPath@8 ;	ObGetSiloRootDirectoryPath(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7573A0
		mov	byte ptr [ebp-541h], 1
		mov	eax, [ebp-598h]
		movzx	eax, ax
		mov	[ebp-570h], eax
		lea	ecx, [eax+8]
		mov	[ebp-588h], ecx
		mov	[ebp-550h], ecx
		cmp	ecx, [ebp-54Ch]
		ja	short loc_8D2A9E
		mov	dword ptr [ebp-4], 4
		mov	edx, [ebp-55Ch]
		mov	eax, [ebp-598h]
		mov	[edx], ax
		mov	[edx+2], ax
		lea	eax, [edx+8]
		mov	[edx+4], eax
		push	dword ptr [ebp-570h]
		push	dword ptr [ebp-594h]
		push	eax
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp-57Ch]
		test	ecx, ecx
		jz	short loc_8D2A66
		mov	eax, [ebp-588h]
		mov	[ecx], eax

loc_8D2A66:				; CODE XREF: PAGE:008D2A5Cj
		mov	[ebp-4], esi
		jmp	short loc_8D2AA3
; 

loc_8D2A6B:				; DATA XREF: .text:006A04F4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5CCh], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8D2A7C:				; DATA XREF: .text:006A04F8o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-5CCh]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		mov	ebx, [ebp-558h]
		mov	eax, esi
		mov	[ebp-548h], eax
		jmp	short loc_8D2AA5
; 

loc_8D2A9E:				; CODE XREF: PAGE:008D2A1Dj
		mov	edi, 0C0000023h

loc_8D2AA3:				; CODE XREF: PAGE:008D2A69j
		xor	esi, esi

loc_8D2AA5:				; CODE XREF: PAGE:008D2A9Cj
		push	esi
		push	dword ptr [ebp-594h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7573A0
; 

loc_8D2AB6:				; CODE XREF: PAGE:00757C9Cj
		mov	ecx, [edi+2F8h]
		mov	eax, [ecx+280h]
		mov	[ebp-5FCh], eax
		mov	eax, [ecx+284h]
		mov	[ebp-5F8h], eax
		mov	al, [ecx+2A4h]
		mov	[ebp-5F4h], al
		xor	esi, esi
		cmp	byte ptr [ebp-561h], 0
		jnz	short loc_8D2B25
		mov	[ebp-568h], esi
		lea	edx, [ebp-604h]
		lea	ecx, [ebp-568h]
		call	_MmQueryApiSetSchema@8 ; MmQueryApiSetSchema(x,x)
		mov	ecx, edi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	eax, [eax+25Ch]
		mov	[ebp-5F0h], eax
		mov	eax, [ebp-568h]
		mov	eax, [eax]
		mov	[ebp-5ECh], eax
		jmp	short loc_8D2B31
; 

loc_8D2B25:				; CODE XREF: PAGE:008D2AE9j
		mov	[ebp-5F0h], esi
		mov	[ebp-5ECh], esi

loc_8D2B31:				; CODE XREF: PAGE:008D2B23j
		push	edi
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		mov	[ebp-600h], eax
		mov	edi, esi
		lea	esi, [ebp-600h]
		jmp	loc_7573A6
; 

loc_8D2B4A:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757D1Ao
		test	ebx, ebx
		jz	short loc_8D2B63
		lea	eax, [ebp-58Ch]
		push	eax
		push	ebx
		call	PsGetJobServerSilo
		mov	eax, [ebp-58Ch]
		jmp	short loc_8D2B68
; 

loc_8D2B63:				; CODE XREF: PAGE:008D2B4Cj
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)

loc_8D2B68:				; CODE XREF: PAGE:008D2B61j
		mov	dword ptr [ebp-4], 5
		push	dword ptr [ebp-550h]
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		push	dword ptr [eax+28Ch]
		push	dword ptr [ebp-55Ch]
		call	_memcpy
		add	esp, 0Ch
		mov	byte ptr [ebp-541h], 1
		mov	[ebp-4], esi
		jmp	loc_8D24B1
; 

loc_8D2B9F:				; DATA XREF: .text:006A0500o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5D0h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8D2BB0:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757D22o
		mov	edi, ecx
		lea	esi, [ebp-562h]
		jmp	loc_7573A6
; 

loc_8D2BBD:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757D2Ao
		mov	edx, edi
		mov	ecx, ebx
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		mov	eax, [ebx+3A8h]
		mov	[ebp-5B0h], eax
		mov	eax, [ebx+3ACh]
		mov	[ebp-5ACh], eax
		mov	edx, edi
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		xor	esi, esi
		mov	edi, esi
		lea	esi, [ebp-5B0h]
		jmp	loc_7573A6
; 

loc_8D2BF6:				; CODE XREF: PAGE:0075736Fj
					; DATA XREF: PAGE:00757D2Eo
		mov	eax, [ebx+314h]
		shr	eax, 1
		and	al, 1
		mov	[ebp-552h], al
		lea	esi, [ebp-552h]
		mov	edi, ecx
		jmp	loc_7573A6
; 

loc_8D2C13:				; DATA XREF: .text:006A050Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5D4h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8D2C24:				; DATA XREF: .text:006A0510o
		mov	eax, [ebp-5D4h]

loc_8D2C2A:				; CODE XREF: PAGE:008D23F7j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7573F2
; 

loc_8D2C39:				; CODE XREF: PAGE:007571FCj
		mov	eax, 0C0000003h
		jmp	loc_7573F2
; 
; START	OF FUNCTION CHUNK FOR PspEnforceLimits

loc_8D2C43:				; CODE XREF: PspEnforceLimits+AEj
		push	edi
		push	edi
		push	edi
		push	edi
		push	4
		lea	eax, [ebp+var_44]
		mov	[ebp+var_44], edi
		push	eax
		push	offset _WNF_PS_WAKE_CHARGE_RESOURCE_POLICY
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	ecx, ds:_PspNoWakeChargeReferencedProcess
		mov	edx, 624A7350h
		call	ObfDereferenceObjectWithTag
		mov	ds:_PspNoWakeChargeReferencedProcess, edi
		jmp	loc_757E27
; END OF FUNCTION CHUNK	FOR PspEnforceLimits
; 
; START	OF FUNCTION CHUNK FOR PspChargeJobWakeCounter

loc_8D2C75:				; CODE XREF: PspChargeJobWakeCounter+19Aj
		cmp	_KdDebuggerEnabled, al
		jz	loc_75810E
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_75810E
; 

loc_8D2C88:				; CODE XREF: PspChargeJobWakeCounter+1B0j
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_10]
		mov	ecx, [ebp+var_10]
		push	eax
		push	eax
		call	_EtwTraceWakeCounter@24	; EtwTraceWakeCounter(x,x,x,x,x,x)
		jmp	loc_758028
; END OF FUNCTION CHUNK	FOR PspChargeJobWakeCounter
; 
; START	OF FUNCTION CHUNK FOR PspEnumJobsAndProcessesInJobHierarchy

loc_8D2CA0:				; CODE XREF: PspEnumJobsAndProcessesInJobHierarchy+101j
		mov	edx, 6E457350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	esi, [esi+244h]
		jmp	loc_758221
; END OF FUNCTION CHUNK	FOR PspEnumJobsAndProcessesInJobHierarchy
; 
; START	OF FUNCTION CHUNK FOR PspEnforceLimitsJobPostCallback

loc_8D2CB7:				; CODE XREF: PspEnforceLimitsJobPostCallback+ECj
		mov	eax, [ebx+0A0h]
		mov	[esp+118h+var_F0], eax
		mov	eax, [ebx+0A4h]
		mov	[esp+118h+var_EC], eax
		jmp	loc_7583B2
; 

loc_8D2CD0:				; CODE XREF: PspEnforceLimitsJobPostCallback+133j
		mov	edx, [esp+118h+var_70]
		mov	eax, [esp+118h+var_6C]
		add	edx, esi
		adc	eax, [esp+118h+var_100]
		cmp	eax, [esp+118h+var_44]
		jb	loc_7583E9
		ja	short loc_8D2D00
		cmp	edx, [esp+118h+var_48]
		jbe	loc_7583E9

loc_8D2D00:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AA41j
		mov	ecx, 10000h
		mov	[esp+118h+var_108], ecx
		jmp	loc_7583E9
; 

loc_8D2D0E:				; CODE XREF: PspEnforceLimitsJobPostCallback+149j
		mov	edx, [esp+118h+var_68]
		add	edx, [esp+118h+var_D4]
		mov	eax, [esp+118h+var_64]
		adc	eax, [esp+118h+var_D0]
		cmp	eax, [esp+118h+var_3C]
		jb	loc_7583FF
		ja	short loc_8D2D3B
		cmp	edx, esi
		jbe	loc_7583FF

loc_8D2D3B:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AA81j
		or	ecx, 20000h
		mov	[esp+118h+var_108], ecx
		jmp	loc_7583FF
; 

loc_8D2D4A:				; CODE XREF: PspEnforceLimitsJobPostCallback+15Fj
		mov	edx, [esp+118h+var_A8]
		add	edx, [esp+118h+var_CC]
		mov	eax, [esp+118h+var_A4]
		adc	eax, [esp+118h+var_FC]
		cmp	eax, [esp+118h+var_34]
		jb	loc_758415
		ja	short loc_8D2D71
		cmp	edx, esi
		jbe	loc_758415

loc_8D2D71:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AAB7j
		or	ecx, 4
		mov	[esp+118h+var_108], ecx
		jmp	loc_758415
; 

loc_8D2D7D:				; CODE XREF: PspEnforceLimitsJobPostCallback+1B7j
		mov	eax, [edx-0Ch]
		cmp	eax, [ebx+edx]
		jnz	short loc_8D2D92
		cmp	[edx], ecx
		jb	short loc_8D2D92
		mov	ecx, esi
		call	_PspRateControlLimitFlag@4 ; PspRateControlLimitFlag(x)
		or	edi, eax

loc_8D2D92:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AAD3j
					; PspEnforceLimitsJobPostCallback+17AAD7j
		mov	eax, [esp+118h+var_100]
		jmp	loc_75846D
; 

loc_8D2D9B:				; CODE XREF: PspEnforceLimitsJobPostCallback+368j
		mov	edx, [esp+118h+var_48]
		mov	[ecx], edx
		mov	edx, [esp+118h+var_44]
		mov	[ecx+4], edx
		jmp	loc_75861E
; 

loc_8D2DB3:				; CODE XREF: PspEnforceLimitsJobPostCallback+373j
		mov	edx, [esp+118h+var_40]
		mov	[ecx+8], edx
		mov	edx, [esp+118h+var_3C]
		mov	[ecx+0Ch], edx
		jmp	loc_758629
; 

loc_8D2DCC:				; CODE XREF: PspEnforceLimitsJobPostCallback+37Bj
		mov	edx, [esp+118h+var_38]
		mov	[ecx+10h], edx
		mov	edx, [esp+118h+var_34]
		mov	[ecx+14h], edx
		jmp	loc_758631
; 

loc_8D2DE5:				; CODE XREF: PspEnforceLimitsJobPostCallback+3C0j
		mov	eax, [esp+edx*4+118h+var_20]
		mov	[esi-0Ch], eax
		mov	eax, [esi+ebx]
		mov	[esi], eax
		jmp	loc_758676
; 

loc_8D2DF9:				; CODE XREF: PspEnforceLimitsJobPostCallback+1DFj
		test	byte ptr [ecx+0F8h], 1
		lea	eax, [ecx+0F8h]
		jnz	short loc_8D2E3F
		mov	ecx, 0FFFFFFDFh
		lock and [eax],	ecx
		mov	ecx, [edi+0Ch]
		lea	edx, [esp+118h+var_BC]
		mov	eax, [edi+8]
		push	0C0000044h
		mov	[esp+11Ch+var_BC], eax
		mov	[esp+11Ch+var_B8], 2
		mov	eax, [ecx+0E4h]
		push	0Eh
		mov	[esp+120h+var_B4], eax
		call	PspRemoveProcessFromJobChain
		mov	ecx, [edi+0Ch]

loc_8D2E3F:				; CODE XREF: PspEnforceLimitsJobPostCallback+17AB56j
		call	ObfDereferenceObject
		jmp	loc_758495
; 

loc_8D2E49:				; CODE XREF: PspEnforceLimitsJobPostCallback+1F1j
		mov	eax, [esp+118h+var_A8]
		add	eax, [esp+118h+var_C8]
		mov	esi, [esp+118h+var_A4]
		adc	esi, [esp+118h+var_C4]
		cmp	esi, edx
		jb	loc_7584A7
		ja	short loc_8D2E6B
		cmp	eax, ecx
		jbe	loc_7584A7

loc_8D2E6B:				; CODE XREF: PspEnforceLimitsJobPostCallback+17ABB1j
		mov	eax, [esp+118h+var_C0]
		sub	eax, 0
		jz	short loc_8D2EED
		sub	eax, 1
		jnz	loc_7584A7
		mov	esi, [esp+118h+var_104]
		mov	ecx, ebx
		mov	edx, esi
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		cmp	dword ptr [ebx+0D4h], 0
		jz	short loc_8D2ED1
		test	byte ptr [ebx+1A8h], 2
		jz	short loc_8D2ED1
		push	0
		push	0
		mov	edx, 1
		mov	ecx, ebx
		call	_PspSendJobNotification@16 ; PspSendJobNotification(x,x,x,x)
		test	eax, eax
		js	loc_8D2F3B
		and	dword ptr [ebx+0B0h], 0FFFFFFFBh
		mov	dword ptr [ebx+0A0h], 0
		mov	dword ptr [ebx+0A4h], 0
		jmp	short loc_8D2F3B
; 

loc_8D2ED1:				; CODE XREF: PspEnforceLimitsJobPostCallback+17ABE1j
					; PspEnforceLimitsJobPostCallback+17ABEAj
		mov	edx, esi
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		push	1
		mov	edx, 0C0000044h
		mov	ecx, ebx
		call	PspTerminateAllProcessesInJobHierarchy
		jmp	loc_7584A7
; 

loc_8D2EED:				; CODE XREF: PspEnforceLimitsJobPostCallback+17ABC2j
		push	1
		mov	edx, 0C0000044h
		mov	ecx, ebx
		call	PspTerminateAllProcessesInJobHierarchy
		test	al, al
		jz	loc_7584A7
		mov	esi, [esp+118h+var_104]
		mov	ecx, ebx
		mov	edx, esi
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		cmp	dword ptr [ebx+90h], 0
		jnz	short loc_8D2F3B
		cmp	dword ptr [ebx+0D4h], 0
		jz	short loc_8D2F3B
		test	byte ptr [ebx+1A8h], 2
		jz	short loc_8D2F3B
		push	0
		push	0
		mov	edx, 1
		mov	ecx, ebx
		call	_PspSendJobNotification@16 ; PspSendJobNotification(x,x,x,x)

loc_8D2F3B:				; CODE XREF: PspEnforceLimitsJobPostCallback+17ABFEj
					; PspEnforceLimitsJobPostCallback+17AC1Fj ...
		mov	edx, esi
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		jmp	loc_7584A7
; 

loc_8D2F49:				; CODE XREF: PspEnforceLimitsJobPostCallback+21Bj
					; PspEnforceLimitsJobPostCallback+223j
		xor	ecx, ecx
		call	_PspSendNoWakeChargeLimitNotification@4	; PspSendNoWakeChargeLimitNotification(x)
		mov	byte ptr [edi+30h], 1
		jmp	loc_7584F5
; 

loc_8D2F59:				; CODE XREF: PspEnforceLimitsJobPostCallback+235j
					; PspEnforceLimitsJobPostCallback+23Fj
		mov	ecx, ebx
		call	_PspSendNoWakeChargeLimitNotification@4	; PspSendNoWakeChargeLimitNotification(x)
		jmp	loc_7584F5
; END OF FUNCTION CHUNK	FOR PspEnforceLimitsJobPostCallback
; 
; START	OF FUNCTION CHUNK FOR PspQueryRateControlHistory

loc_8D2F65:				; CODE XREF: PspQueryRateControlHistory+75j
		mov	[ebp+var_20], 1
		lea	ecx, [ebp+var_24]
		mov	eax, [ebx+24h]
		mov	[ebp+var_24], eax
		call	_PspNetRateControlDispatch@4 ; PspNetRateControlDispatch(x)
		test	eax, eax
		js	loc_758978
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_14]
		mov	edi, [ebp+var_10]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_18]
		jmp	loc_7589CE
; 

loc_8D2F96:				; CODE XREF: PspQueryRateControlHistory+CBj
		mov	eax, 927C0h
		jmp	loc_7589EC
; 

loc_8D2FA0:				; CODE XREF: PspQueryRateControlHistory+C2j
		mov	eax, 0EA60h
		jmp	loc_7589EC
; 

loc_8D2FAA:				; CODE XREF: PspQueryRateControlHistory+FAj
		push	624A7350h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [ebx+0Ch], 0
		and	dword ptr [ebx+10h], 0
		xor	ecx, ecx
		jmp	loc_758A16
; 

loc_8D2FC4:				; CODE XREF: PspQueryRateControlHistory+187j
		push	dword ptr [ebx+10h] ; size_t
		push	0		; int
		push	dword ptr [ebx+0Ch] ; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_758978
; END OF FUNCTION CHUNK	FOR PspQueryRateControlHistory
; 
; START	OF FUNCTION CHUNK FOR PspGetEffectiveNoWakeCharge

loc_8D2FD9:				; CODE XREF: PspGetEffectiveNoWakeCharge+B9j
		mov	ecx, [ebp+arg_0]
		add	eax, 310h
		lock or	[eax], ecx
		jmp	loc_758BE7
; END OF FUNCTION CHUNK	FOR PspGetEffectiveNoWakeCharge
; 
; START	OF FUNCTION CHUNK FOR PspLockRootJobShared

loc_8D2FE9:				; CODE XREF: PspLockRootJobShared+39j
		add	ecx, 20h
		call	ExReleaseResourceLite
		jmp	loc_758C0A
; END OF FUNCTION CHUNK	FOR PspLockRootJobShared
; 
; START	OF FUNCTION CHUNK FOR PspEnforceLimitsProcessCallback

loc_8D2FF6:				; CODE XREF: PspEnforceLimitsProcessCallback+67j
		cmp	[esp+70h+var_5C], edx
		jb	loc_758C67
		ja	short loc_8D300C
		cmp	[esp+70h+var_60], ecx
		jbe	loc_758C67

loc_8D300C:				; CODE XREF: PspEnforceLimitsProcessCallback+17A3C2j
		mov	edx, 624A7350h
		mov	ecx, esi
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	loc_758C67
		mov	[edi+0Ch], esi
		jmp	loc_758C67
; END OF FUNCTION CHUNK	FOR PspEnforceLimitsProcessCallback
; 
; START	OF FUNCTION CHUNK FOR NtSetInformationJobObject

loc_8D3028:				; CODE XREF: NtSetInformationJobObject+1B4j
		cmp	ecx, 0Bh
		jz	short loc_8D3032
		cmp	ecx, 0Eh
		jnz	short loc_8D303A

loc_8D3032:				; CODE XREF: NtSetInformationJobObject+17A1F3j
		cmp	esi, eax
		jnb	loc_758FF2
; END OF FUNCTION CHUNK	FOR NtSetInformationJobObject
; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D303A:				; CODE XREF: NtSetInformationJobObject+52Cj
					; sub_759647+66Dj ...
		mov	eax, 0C0000004h
		jmp	loc_759165
; END OF FUNCTION CHUNK	FOR sub_759647
; 
; START	OF FUNCTION CHUNK FOR NtSetInformationJobObject

loc_8D3044:				; CODE XREF: NtSetInformationJobObject+11DDj
		sub	eax, 30h
		jmp	loc_759CAE
; END OF FUNCTION CHUNK	FOR NtSetInformationJobObject
; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D304C:				; CODE XREF: sub_759647-5FEj
					; sub_759647-5F6j
		mov	[edx], bl
		jmp	loc_759057
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_8D3053	proc near		; DATA XREF: .text:006A052Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-254h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3053	endp


;  S U B	R O U T	I N E 


sub_8D3064	proc near		; DATA XREF: .text:006A0530o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-254h]
		jmp	loc_759165
sub_8D3064	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D3079:				; CODE XREF: sub_759647-634j
		mov	edi, [ebp-1C0h]
		mov	[ebp-18Ch], edi
		jmp	loc_75905E
; 

loc_8D308A:				; CODE XREF: sub_759647-5E1j
		mov	eax, 0C0000008h
		jmp	loc_759165
; 

loc_8D3094:				; CODE XREF: sub_759647+3B3j
		mov	eax, [ebp-0E8h]
		cmp	eax, 6
		ja	loc_8D3ADA
		cmp	eax, 3
		jz	short loc_8D30AD
		cmp	eax, 4
		jnz	short loc_8D30EF

loc_8D30AD:				; CODE XREF: sub_759647+179A5Fj
		push	ds:dword_A949F4
		push	ds:_SeIncreaseBasePriorityPrivilege
		push	dword ptr [ebp-19Ch]
		push	2
		pop	edx
		mov	ecx, [ebp-1B0h]
		call	_SeCheckPrivilegedObject@20 ; SeCheckPrivilegedObject(x,x,x,x,x)
		mov	cl, al
		xor	edx, edx
		inc	edx
		and	cl, dl
		mov	al, cl
		shl	al, 2
		mov	[ebp-17Ah], al
		test	cl, cl
		jz	short loc_8D30FA
		mov	ecx, [ebp-0FCh]
		mov	eax, [ebp-0E8h]

loc_8D30EF:				; CODE XREF: sub_759647+179A64j
		mov	[ebp-5D7h], al
		jmp	loc_759A06
; 

loc_8D30FA:				; CODE XREF: sub_759647+179A9Aj
					; sub_759647+179B03j ...
		mov	esi, 0C0000061h
		jmp	loc_8D42FA
; 

loc_8D3104:				; CODE XREF: sub_759647+3C1j
		mov	esi, [ebp-0E4h]
		cmp	esi, 0Ah
		jnb	loc_8D3ADA
		cmp	esi, 5
		jbe	short loc_8D3152
		push	ds:dword_A949F4
		push	ds:_SeIncreaseBasePriorityPrivilege
		push	dword ptr [ebp-19Ch]
		push	2
		pop	edx
		mov	ecx, [ebp-1B0h]
		call	_SeCheckPrivilegedObject@20 ; SeCheckPrivilegedObject(x,x,x,x,x)
		mov	cl, al
		and	cl, 1
		mov	al, cl
		shl	al, 2
		mov	[ebp-17Ah], al
		test	cl, cl
		jz	short loc_8D30FA
		mov	ecx, [ebp-0FCh]

loc_8D3152:				; CODE XREF: sub_759647+179ACFj
		mov	[ebp-690h], esi
		jmp	loc_759A18
; 

loc_8D315D:				; CODE XREF: sub_759647+3D4j
		mov	edx, [ebp-10Ch]
		mov	eax, edx
		mov	esi, [ebp-108h]
		or	eax, esi
		jz	loc_8D3ADA
		mov	[ebp-6E4h], edx
		mov	[ebp-6E0h], esi
		jmp	loc_759A2D
; 

loc_8D3184:				; CODE XREF: sub_759647+3F1j
		mov	edx, [ebp-104h]
		mov	eax, edx
		mov	esi, [ebp-100h]
		or	eax, esi
		jz	loc_8D3ADA
		mov	[ebp-6DCh], edx
		mov	[ebp-6D8h], esi
		jmp	loc_759A3E
; 

loc_8D31AB:				; CODE XREF: sub_759647+3FAj
		mov	esi, [ebp-0F8h]
		test	esi, esi
		jnz	short loc_8D31C1
		cmp	[ebp-0F4h], edi
		jz	loc_8D3ADA

loc_8D31C1:				; CODE XREF: sub_759647+179B6Cj
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_8D31D2
		cmp	[ebp-0F4h], esi
		jz	loc_8D3ADA

loc_8D31D2:				; CODE XREF: sub_759647+179B7Dj
		cmp	esi, [ebp-0F4h]
		ja	loc_8D3ADA
		cmp	esi, 14000h
		jb	loc_8D3ADA
		cmp	esi, ds:_PspMinimumWorkingSet
		jbe	short loc_8D3217
		push	dword ptr [ebp-19Ch]
		push	ds:dword_A949F4
		push	ds:_SeIncreaseBasePriorityPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_8D30FA
		mov	ecx, [ebp-0FCh]

loc_8D3217:				; CODE XREF: sub_759647+179BA9j
		mov	[ebp-6D4h], esi
		mov	eax, [ebp-0F4h]
		mov	[ebp-6D0h], eax
		jmp	loc_759A53
; 

loc_8D322E:				; CODE XREF: sub_759647+437j
		mov	eax, [ebp-9Ch]
		cmp	eax, 1000h
		jb	loc_8D3ADA
		shr	eax, 0Ch
		mov	[ebp-62Ch], eax
		jmp	loc_759A8A
; 

loc_8D324D:				; CODE XREF: sub_759647+45Ej
		test	byte ptr [ebx+310h], 2
		jnz	loc_8D3F56
		cmp	[ebp-0ECh], edi
		jz	loc_8D3F56
		cmp	[ebx+0C4h], edi
		jnz	short loc_8D32C2
		push	614A7350h
		push	14h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp-180h], esi
		test	esi, esi
		jz	loc_8D3335
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		push	0
		push	14h
		pop	edx
		call	PsChargeSharedPoolQuota
		mov	[ebp-190h], eax
		test	eax, eax
		jz	loc_8D333F
		mov	ebx, [ebp-178h]
		mov	eax, [ebp-188h]
		mov	[ebp-1A8h], eax

loc_8D32C2:				; CODE XREF: sub_759647+179C25j
		mov	edi, [ebp-198h]
		mov	eax, [edi+80h]
		lea	ecx, [ebp-1D8h]
		push	ecx
		push	eax
		push	edi
		call	SeCaptureSubjectContextEx
		lea	edx, [ebp-1D8h]
		mov	[ebp-18Ch], edx
		cmp	byte ptr [ebp-179h], 0
		jz	short loc_8D335B
		xor	ecx, ecx
		inc	ecx
		mov	[ebp-30h], ecx
		mov	[ebp-2Ch], ecx
		mov	eax, ds:_SeDebugPrivilege
		mov	[ebp-28h], eax
		mov	eax, ds:dword_A94A14
		mov	[ebp-24h], eax
		and	dword ptr [ebp-20h], 0
		push	ecx
		mov	eax, edx
		push	eax
		lea	eax, [ebp-30h]
		push	eax
		call	_SePrivilegeCheck@12 ; SePrivilegeCheck(x,x,x)
		movzx	eax, al
		mov	ecx, [ebp-1DCh]
		xor	eax, ecx
		xor	edx, edx
		inc	edx
		and	eax, edx
		xor	ecx, eax
		mov	[ebp-1DCh], ecx
		jmp	short loc_8D3362
; 

loc_8D3335:				; CODE XREF: sub_759647+8CEj
					; sub_759647+179C3Fj ...
		mov	esi, 0C000009Ah
		jmp	loc_759144
; 

loc_8D333F:				; CODE XREF: sub_759647+179C63j
					; sub_759647+17A273j
		push	614A7350h
		jmp	short loc_8D334B
; 

loc_8D3346:				; CODE XREF: sub_759647+8F6j
		push	624A7350h

loc_8D334B:				; CODE XREF: sub_759647+179CFDj
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, 0C000009Ah
		jmp	loc_8D42FA
; 

loc_8D335B:				; CODE XREF: sub_759647+179CA8j
		or	dword ptr [ebp-1DCh], 1

loc_8D3362:				; CODE XREF: sub_759647+179CECj
		or	byte ptr [ebp-17Ah], 2
		mov	edi, [ebp-180h]
		jmp	loc_759AAB
; 

loc_8D3374:				; CODE XREF: sub_759647+481j
		mov	eax, [ebx+0B0h]
		and	eax, 4
		or	[ebp-6CCh], eax
		mov	eax, [ebx+0A0h]
		mov	[ebp-6DCh], eax
		mov	eax, [ebx+0A4h]
		mov	[ebp-6D8h], eax
		jmp	loc_759ADC
; 

loc_8D33A0:				; CODE XREF: sub_759647+4ABj
		test	byte ptr [ebx+310h], 2
		jnz	short loc_8D33CE
		test	byte ptr [ebx+0B0h], 10h
		jz	short loc_8D33D8
		lea	eax, [ebx+0B8h]
		push	eax
		lea	eax, [ebp-280h]
		push	eax
		call	_KeFirstGroupAffinityEx@8 ; KeFirstGroupAffinityEx(x,x)
		mov	ax, [ebp-27Ch]
		jmp	short loc_8D33E5
; 

loc_8D33CE:				; CODE XREF: sub_759647+179D60j
					; sub_759647+179DBAj ...
		mov	esi, 0C000000Dh
		jmp	loc_759C5C
; 

loc_8D33D8:				; CODE XREF: sub_759647+179D69j
		mov	eax, large fs:20h
		movzx	eax, byte ptr [eax+3C5h]

loc_8D33E5:				; CODE XREF: sub_759647+179D85j
		movzx	eax, ax
		mov	ecx, ds:dword_70E328[eax*4]
		mov	edx, [ebp-0ECh]
		mov	eax, edx
		and	eax, ecx
		mov	ebx, [ebp-178h]
		cmp	edx, eax
		jnz	short loc_8D33CE
		or	[ebp-6BCh], edx
		push	1
		lea	eax, [ebp-1DCh]
		push	eax
		push	offset _PspSetAffinityLimitCallback@8 ;	PspSetAffinityLimitCallback(x,x)
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	esi, eax
		mov	[ebp-1A8h], esi
		test	esi, esi
		js	loc_759C5C
		mov	eax, [ebx+0C4h]
		test	eax, eax
		jnz	short loc_8D3464
		mov	[ebx+0C4h], edi
		mov	eax, [ebp-190h]
		mov	[ebx+0C8h], eax
		and	dword ptr [ebp-180h], 0
		and	dword ptr [ebp-18Ch], 0
		mov	eax, [ebx+0C4h]
		jmp	short loc_8D347D
; 

loc_8D3464:				; CODE XREF: sub_759647+179DF3j
		lea	esi, [eax+4]
		lea	edi, [ebp-2BCh]
		movsd
		movsd
		movsd
		movsd
		lea	edx, [ebp-2BCh]
		mov	[ebp-18Ch], edx

loc_8D347D:				; CODE XREF: sub_759647+179E1Bj
		push	5
		pop	ecx
		lea	esi, [ebp-1DCh]
		mov	edi, eax
		rep movsd
		jmp	loc_759B03
; 

loc_8D348F:				; CODE XREF: sub_759647+4B6j
		test	byte ptr [ebx+310h], 2
		jz	loc_8D33CE
		jmp	loc_759B03
; 

loc_8D34A1:				; CODE XREF: sub_759647+4C5j
		test	[ebp-6CCh], al
		jnz	loc_759B12
		call	_PspLockUnlockWorkingSetChangeExclusiveUnsafe@0	; PspLockUnlockWorkingSetChangeExclusiveUnsafe()
		jmp	loc_759B12
; 

loc_8D34B7:				; CODE XREF: sub_759647+508j
		lea	edi, [ebx+0B8h]
		lea	esi, [ebp-6C4h]
		movsd
		movsd
		movsd
		jmp	loc_759B55
; 

loc_8D34CB:				; CODE XREF: sub_759647+5CEj
		push	1
		push	esi
		mov	edx, offset _PspSetJobTimeLimitCallback@8 ; PspSetJobTimeLimitCallback(x,x)
		mov	ecx, ebx
		call	_PspEnumProcessesInJobHierarchy@16 ; PspEnumProcessesInJobHierarchy(x,x,x,x)
		xor	eax, eax
		mov	[ebx+70h], eax
		mov	[ebx+74h], eax
		mov	[ebx+78h], eax
		mov	[ebx+7Ch], eax
		push	ebx
		call	_KeResetEvent@4	; KeResetEvent(x)
		jmp	loc_759C1B
; 

loc_8D34F3:				; CODE XREF: sub_759647+5DBj
		call	_PspUpdateEnforcementTimer@4 ; PspUpdateEnforcementTimer(x)
		jmp	loc_759C28
; 

loc_8D34FD:				; CODE XREF: sub_759647+5EAj
		or	[ebp-17Ah], al
		jmp	loc_759C37
; 

loc_8D3508:				; CODE XREF: sub_759647+61Cj
		xor	edx, edx
		mov	ecx, offset dword_6BEF18
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [ebx+310h]
		mov	ecx, 100h
		lock or	[eax], ecx
		lea	eax, [ebx+18h]
		mov	edi, [eax]

loc_8D3527:				; CODE XREF: sub_759647+179F01j
		cmp	edi, eax
		jz	loc_759C69
		lea	ecx, [edi-1C4h]
		test	byte ptr [ecx+0F8h], 1
		jnz	short loc_8D3546
		call	_PspAddProcessToWorkingSetChangeList@4 ; PspAddProcessToWorkingSetChangeList(x)
		lea	eax, [ebx+18h]

loc_8D3546:				; CODE XREF: sub_759647+179EF5j
		mov	edi, [edi]
		jmp	short loc_8D3527
; 

loc_8D354A:				; CODE XREF: sub_759647+634j
		mov	ecx, ebx
		call	_PspApplyWorkingSetLimits@8 ; PspApplyWorkingSetLimits(x,x)
		jmp	loc_759C81
; 

loc_8D3556:				; CODE XREF: sub_759647+642j
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_759C8F
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_8D3561	proc near		; DATA XREF: .text:006A0538o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-258h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3561	endp


;  S U B	R O U T	I N E 


sub_8D3572	proc near		; DATA XREF: .text:006A053Co
		mov	esi, [ebp-258h]
		jmp	short loc_8D3580
; 

loc_8D357A:				; DATA XREF: .text:006A0650o
		mov	esi, [ebp-250h]

loc_8D3580:				; CODE XREF: sub_8D3572+6j
					; sub_8D35B4+6j ...
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_8D42FA
sub_8D3572	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D358F:				; CODE XREF: sub_759647+AC5j
		mov	esi, 0C00000BBh
		jmp	loc_75A1BD
; 

loc_8D3599:				; CODE XREF: sub_759647+AD3j
		mov	esi, 0C0000022h
		jmp	loc_75A1BD
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_8D35A3	proc near		; DATA XREF: .text:006A0544o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-25Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D35A3	endp


;  S U B	R O U T	I N E 


sub_8D35B4	proc near		; DATA XREF: .text:006A0548o
		mov	esi, [ebp-25Ch]
		jmp	short loc_8D3580
sub_8D35B4	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D35BC:				; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A2C8o
		mov	dword ptr [ebp-4], 3
		push	5
		pop	ecx
		mov	esi, edi
		lea	edi, [ebp-2ECh]
		rep movsd
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		mov	esi, [ebp-2ECh]
		and	esi, 0FFFFFFF0h
		neg	esi
		sbb	esi, esi
		and	esi, 0FFFFFF52h
		add	esi, 0C00000BBh
		jmp	loc_8D42FA
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_8D35F4	proc near		; DATA XREF: .text:006A0550o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-260h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D35F4	endp


;  S U B	R O U T	I N E 


sub_8D3605	proc near		; DATA XREF: .text:006A0554o
		mov	esi, [ebp-260h]
		jmp	loc_8D3580
sub_8D3605	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D3610:				; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A2CCo
		mov	dword ptr [ebp-4], 4
		mov	esi, [edi]
		mov	[ebp-2C0h], esi
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		xor	eax, eax
		inc	eax
		mov	ebx, [ebp-178h]
		cmp	esi, eax
		ja	loc_8D3F56
		lea	edi, [ebx+20h]
		push	eax
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	[ebx+0D0h], esi
		mov	ecx, edi
		call	ExReleaseResourceLite
		jmp	loc_759D0E
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_8D3652	proc near		; DATA XREF: .text:006A055Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-264h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3652	endp


;  S U B	R O U T	I N E 


sub_8D3663	proc near		; DATA XREF: .text:006A0560o
		mov	esi, [ebp-264h]
		jmp	loc_8D3580
sub_8D3663	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D366E:				; CODE XREF: sub_759647-9Fj
		mov	esi, 0C000009Ah
		jmp	short loc_8D3692
; 

loc_8D3675:				; CODE XREF: sub_759647-86j
					; sub_759647+87Ej
		lea	ecx, [ebx+20h]
		call	ExReleaseResourceLite
		mov	edx, 624A7350h
		mov	ecx, [ebp-1A0h]
		call	ObfDereferenceObjectWithTag
		mov	esi, 0C000000Dh

loc_8D3692:				; CODE XREF: sub_759647-C7j
					; sub_759647+17A02Cj
		mov	edi, [ebp-180h]
		jmp	loc_75963A
; 

loc_8D369D:				; CODE XREF: sub_759647-BAj
		mov	edi, [ebp-180h]
		jmp	loc_7595AE
; 

loc_8D36A8:				; CODE XREF: sub_759647-6Aj
		mov	edi, [ebp-180h]
		jmp	loc_7595EB
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_8D36B3	proc near		; DATA XREF: .text:006A0568o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-268h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D36B3	endp


;  S U B	R O U T	I N E 


sub_8D36C4	proc near		; DATA XREF: .text:006A056Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-268h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-178h]
		mov	edi, [ebp-1A4h]
		jmp	loc_75963A
sub_8D36C4	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D36E5:				; CODE XREF: sub_759647-5j
		and	dword ptr [edi+1Ch], 0
		mov	ecx, edi
		call	_IopFreeMiniCompletionPacket@4 ; IopFreeMiniCompletionPacket(x)
		jmp	loc_759144
; 

loc_8D36F5:				; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A2D4o
		mov	[ebp-1B0h], ebx
		mov	[ebp-18Ch], ebx
		mov	[ebp-190h], ebx
		xor	ecx, ecx
		cmp	dword ptr [ebp+0Ch], 0Eh
		setz	cl
		dec	ecx
		and	ecx, 0FFFFFFF6h
		add	ecx, 0Ch
		mov	[ebp-184h], ecx
		mov	eax, [ebp-180h]
		xor	edx, edx
		div	ecx
		mov	[ebp-1A4h], eax
		test	edx, edx
		jz	short loc_8D373B
		mov	esi, 0C0000004h
		jmp	loc_8D42FA
; 

loc_8D373B:				; CODE XREF: sub_759647+17A0E8j
		mov	[ebp-20Ch], eax
		lea	eax, [ebp-84h]
		push	eax
		call	_KeInitializeAffinityEx@4 ; KeInitializeAffinityEx(x)
		call	_KeQueryActiveGroupCount@0 ; KeQueryActiveGroupCount()
		dec	ax
		movzx	edx, ax
		mov	[ebp-194h], edx
		mov	dword ptr [ebp-4], 6
		mov	ecx, [ebp-184h]
		mov	eax, [ebp-1A4h]

loc_8D3770:				; CODE XREF: sub_759647+17A1C1j
		test	eax, eax
		jz	loc_8D3818
		cmp	dword ptr [ebp+0Ch], 0Eh
		jnz	short loc_8D3798
		mov	esi, edi
		lea	edi, [ebp-280h]
		movsd
		movsd
		movsd
		movzx	edx, word ptr [ebp-27Ch]
		mov	eax, [ebp-280h]
		jmp	short loc_8D37B3
; 

loc_8D3798:				; CODE XREF: sub_759647+17A135j
		movzx	eax, word ptr [edi]
		mov	[ebp-1ACh], eax
		cmp	ax, dx
		ja	short loc_8D380D
		mov	eax, ds:dword_70E328[eax*4]
		mov	edx, [ebp-1ACh]

loc_8D37B3:				; CODE XREF: sub_759647+17A14Fj
		mov	[ebp-184h], eax
		cmp	dx, [ebp-194h]
		ja	short loc_8D380D
		movzx	eax, dx
		cmp	[ebp+eax*4-7Ch], ebx
		jnz	short loc_8D380D
		mov	eax, ds:dword_70E328[eax*4]
		mov	edx, [ebp-184h]
		and	eax, edx
		cmp	edx, eax
		jnz	short loc_8D380D
		or	[ebp-7Ch], edx
		mov	eax, [ebp-20Ch]
		dec	eax
		mov	[ebp-20Ch], eax
		mov	edi, [ebp-1C0h]
		add	edi, ecx
		mov	[ebp-1C0h], edi
		mov	esi, [ebp-188h]
		mov	edx, [ebp-194h]
		jmp	loc_8D3770
; 

loc_8D380D:				; CODE XREF: sub_759647+17A15Dj
					; sub_759647+17A179j ...
		mov	esi, 0C000000Dh
		mov	[ebp-188h], esi

loc_8D3818:				; CODE XREF: sub_759647+17A12Bj
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		jmp	short loc_8D385F
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_8D3820	proc near		; DATA XREF: .text:006A0574o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-274h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3820	endp


;  S U B	R O U T	I N E 


sub_8D3831	proc near		; DATA XREF: .text:006A0578o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-274h]
		mov	[ebp-188h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1B0h]
		mov	[ebp-18Ch], eax
		mov	al, [ebp-19Ch]
		mov	[ebp-179h], al
sub_8D3831	endp

; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D385F:				; CODE XREF: sub_759647+17A1D7j
		mov	ebx, [ebp-178h]
		test	esi, esi
		js	loc_759144
		lea	eax, [ebx+0C4h]
		mov	[ebp-194h], eax
		cmp	dword ptr [eax], 0
		jnz	short loc_8D38C6
		push	614A7350h
		push	14h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp-18Ch], esi
		test	esi, esi
		jz	loc_8D3335
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		push	0
		push	14h
		pop	edx
		call	PsChargeSharedPoolQuota
		mov	[ebp-190h], eax
		test	eax, eax
		jz	loc_8D333F
		mov	ebx, [ebp-178h]

loc_8D38C6:				; CODE XREF: sub_759647+17A235j
		lea	eax, [ebp-1D8h]
		push	eax
		mov	edi, [ebp-198h]
		push	dword ptr [edi+80h]
		push	edi
		call	SeCaptureSubjectContextEx
		lea	edi, [ebp-1D8h]
		cmp	byte ptr [ebp-179h], 0
		jz	short loc_8D3932
		xor	ecx, ecx
		inc	ecx
		mov	[ebp-30h], ecx
		mov	[ebp-2Ch], ecx
		mov	eax, ds:_SeDebugPrivilege
		mov	[ebp-28h], eax
		mov	eax, ds:dword_A94A14
		mov	[ebp-24h], eax
		and	dword ptr [ebp-20h], 0
		push	ecx
		mov	eax, edi
		push	eax
		lea	eax, [ebp-30h]
		push	eax
		call	_SePrivilegeCheck@12 ; SePrivilegeCheck(x,x,x)
		movzx	eax, al
		mov	ecx, [ebp-1DCh]
		xor	eax, ecx
		xor	edx, edx
		inc	edx
		and	eax, edx
		xor	ecx, eax
		mov	[ebp-1DCh], ecx
		jmp	short loc_8D3939
; 

loc_8D3932:				; CODE XREF: sub_759647+17A2A5j
		or	dword ptr [ebp-1DCh], 1

loc_8D3939:				; CODE XREF: sub_759647+17A2E9j
		lea	eax, [ebx+20h]
		push	1
		push	eax
		call	ExAcquireResourceExclusiveLite
		push	1
		lea	eax, [ebp-1DCh]
		push	eax
		push	offset _PspSetAffinityLimitCallback@8 ;	PspSetAffinityLimitCallback(x,x)
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	esi, eax
		mov	[ebp-1A8h], esi
		test	esi, esi
		js	loc_8D3A4B
		mov	ecx, [ebp-194h]
		mov	edx, [ecx]
		test	edx, edx
		jnz	short loc_8D399D
		mov	eax, [ebp-18Ch]
		mov	[ecx], eax
		mov	eax, [ebp-190h]
		mov	[ebx+0C8h], eax
		and	[ebp-18Ch], edx
		and	[ebp-184h], edx
		mov	edx, [ecx]
		jmp	short loc_8D39B6
; 

loc_8D399D:				; CODE XREF: sub_759647+17A330j
		lea	esi, [edx+4]
		lea	edi, [ebp-2BCh]
		movsd
		movsd
		movsd
		movsd
		lea	eax, [ebp-2BCh]
		mov	[ebp-184h], eax

loc_8D39B6:				; CODE XREF: sub_759647+17A354j
		push	5
		pop	ecx
		lea	esi, [ebp-1DCh]
		mov	edi, edx
		rep movsd
		mov	[ebp-1E8h], ebx
		mov	eax, [ebx+0B0h]
		mov	[ebp-1E0h], eax
		push	0FFFFFFEFh
		pop	eax
		mov	[ebp-1E4h], eax
		lea	edi, [ebx+0B8h]
		lea	esi, [ebp-84h]
		movsd
		movsd
		movsd
		cmp	dword ptr [ebp+0Ch], 0Eh
		jnz	short loc_8D3A10
		cmp	dword ptr [ebx+0C0h], 0
		jnz	short loc_8D3A10
		and	[ebx+0B0h], eax
		push	0FFFFFFFDh
		pop	ecx
		lea	eax, [ebx+310h]
		lock and [eax],	ecx
		jmp	short loc_8D3A23
; 

loc_8D3A10:				; CODE XREF: sub_759647+17A3AAj
					; sub_759647+17A3B3j
		or	dword ptr [ebx+0B0h], 10h
		push	2
		pop	ecx
		lea	eax, [ebx+310h]
		lock or	[eax], ecx

loc_8D3A23:				; CODE XREF: sub_759647+17A3C7j
		push	5
		lea	eax, [ebp-1E8h]
		push	eax
		push	offset PspSetJobLimitsProcessCallback
		push	0
		mov	edx, offset PspSetJobLimitsJobPreCallback
		mov	ecx, ebx
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	esi, [ebp-1A8h]
		mov	edi, [ebp-184h]

loc_8D3A4B:				; CODE XREF: sub_759647+17A320j
		lea	ecx, [ebx+20h]
		call	ExReleaseResourceLite
		test	edi, edi
		jz	short loc_8D3A5D
		push	edi
		call	SeReleaseSubjectContext

loc_8D3A5D:				; CODE XREF: sub_759647+17A40Ej
		mov	eax, [ebp-18Ch]
		jmp	loc_759C95
; 

loc_8D3A68:				; CODE XREF: sub_759647+656j
		push	614A7350h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	14h
		pop	edx
		mov	ecx, [ebp-190h]
		call	PsReturnSharedPoolQuota
		jmp	loc_759144
; 

loc_8D3A88:				; CODE XREF: sub_759647-4C0j
		cmp	eax, 30h
		jz	short loc_8D3AA5
		push	eax		; size_t
		push	edi		; void *
		lea	eax, [ebp-78h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, 1F8204h
		jmp	loc_7591B1
; 

loc_8D3AA5:				; CODE XREF: sub_759647+17A444j
		push	0Ch
		pop	ecx
		mov	esi, [ebp-194h]
		lea	edi, [ebp-13Ch]
		rep movsd
		lea	edx, [ebp-78h]
		lea	ecx, [ebp-13Ch]
		call	_PspConvertJobNotificationLimitFromV1@8	; PspConvertJobNotificationLimitFromV1(x,x)
		mov	eax, 70204h
		jmp	loc_7591B1
; 

loc_8D3ACE:				; CODE XREF: sub_759647-41Fj
		mov	eax, [ebp-68h]
		or	eax, [ebp-64h]
		jnz	loc_759234

loc_8D3ADA:				; CODE XREF: sub_759647-483j
					; sub_759647-46Aj ...
		mov	esi, 0C000000Dh
		jmp	loc_8D42FA
; 

loc_8D3AE4:				; CODE XREF: sub_759647-40Dj
		mov	eax, [ebp-78h]
		or	eax, [ebp-74h]
		jnz	loc_759246
		jmp	short loc_8D3ADA
; 

loc_8D3AF2:				; CODE XREF: sub_759647-3FBj
		mov	eax, [ebp-70h]
		or	eax, [ebp-6Ch]
		jnz	loc_759258
		jmp	short loc_8D3ADA
; 

loc_8D3B00:				; CODE XREF: sub_759647-3BDj
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_8D3ADA
		cmp	ecx, 3
		jg	short loc_8D3ADA
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_8D3ADA
		cmp	eax, 3
		jg	short loc_8D3ADA
		jmp	loc_759297
; 

loc_8D3B1B:				; CODE XREF: sub_759647-378j
		push	624A7350h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		mov	edx, 88h
		mov	ecx, [ebp-1A0h]
		call	PsReturnSharedPoolQuota
		jmp	loc_7592D5
; 

loc_8D3B3D:				; CODE XREF: sub_759647+851j
		test	ecx, ecx
		jz	loc_7593D4
		jmp	loc_7593C9
; 

loc_8D3B4A:				; CODE XREF: sub_759647-269j
		push	725h
		push	0
		push	0
		lea	eax, [ebp-78h]
		push	eax
		mov	edx, [ebp+0Ch]
		mov	ecx, ebx
		call	_EtwTraceJobSetQuery@24	; EtwTraceJobSetQuery(x,x,x,x,x,x)
		jmp	loc_7593E4
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_8D3B66	proc near		; DATA XREF: .text:006A0580o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-284h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3B66	endp


;  S U B	R O U T	I N E 


sub_8D3B77	proc near		; DATA XREF: .text:006A0584o
		mov	esi, [ebp-284h]
		jmp	loc_8D3580
sub_8D3B77	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D3B82:				; CODE XREF: sub_759647+954j
		test	cl, 4
		jnz	loc_8D3ADA
		mov	eax, esi
		shr	eax, 10h
		cmp	ax, si
		jb	loc_8D3ADA
		mov	edi, 2710h
		cmp	ax, di
		jbe	loc_759789
		jmp	loc_8D3ADA
; 

loc_8D3BAC:				; CODE XREF: sub_759647+182j
		mov	esi, 0C000009Ah
		jmp	loc_7598A7
; 

loc_8D3BB6:				; CODE XREF: sub_759647+79Fj
		mov	esi, 0C000000Dh
		jmp	loc_7598A7
; 

loc_8D3BC0:				; CODE XREF: sub_759647+97Fj
		mov	[ebp-1B6h], di
		jmp	loc_759822
; 

loc_8D3BCC:				; CODE XREF: sub_759647+1EAj
		mov	eax, [ebx+21Ch]
		or	[eax+14h], edi
		jmp	loc_759837
; 

loc_8D3BDA:				; CODE XREF: sub_759647+221j
		mov	ecx, [ebx+21Ch]
		test	ecx, ecx
		jz	loc_7598A7
		push	2
		pop	edx
		call	_PspFreeRateControl@8 ;	PspFreeRateControl(x,x)
		and	dword ptr [ebx+21Ch], 0
		jmp	loc_7598A7
; 

loc_8D3BFC:				; CODE XREF: sub_759647+9AAj
		call	KeSetSchedulingGroupCpuRates
		jmp	loc_759877
; 

loc_8D3C06:				; CODE XREF: sub_759647+25Aj
		push	725h
		push	0
		push	0
		lea	eax, [ebp-200h]
		push	eax
		push	0Fh
		pop	edx
		mov	ecx, ebx
		call	_EtwTraceJobSetQuery@24	; EtwTraceJobSetQuery(x,x,x,x,x,x)
		jmp	loc_7598A7
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_8D3C25	proc near		; DATA XREF: .text:006A058Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-288h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3C25	endp


;  S U B	R O U T	I N E 


sub_8D3C36	proc near		; DATA XREF: .text:006A0590o
		mov	esi, [ebp-288h]
		jmp	loc_8D3580
sub_8D3C36	endp


;  S U B	R O U T	I N E 


sub_8D3C41	proc near		; DATA XREF: .text:006A05A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3C41	endp


;  S U B	R O U T	I N E 


sub_8D3C52	proc near		; DATA XREF: .text:006A05A8o
		mov	esi, [ebp-28Ch]
		jmp	loc_8D3580
sub_8D3C52	endp

; 

loc_8D3C5D:				; DATA XREF: .text:006A0598o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-290h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8D3C6E:				; DATA XREF: .text:006A059Co
		mov	esi, [ebp-290h]
		jmp	loc_8D3580
; 

loc_8D3C79:				; DATA XREF: .text:006A05B0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-294h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8D3C8A:				; DATA XREF: .text:006A05B4o
		mov	esi, [ebp-294h]
		jmp	loc_8D3580

;  S U B	R O U T	I N E 


sub_8D3C95	proc near		; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A31Co
		mov	esi, 0C00000BBh
		jmp	loc_8D42FA
sub_8D3C95	endp


;  S U B	R O U T	I N E 


sub_8D3C9F	proc near		; DATA XREF: .text:006A05BCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-298h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3C9F	endp


;  S U B	R O U T	I N E 


sub_8D3CB0	proc near		; DATA XREF: .text:006A05C0o
		mov	esi, [ebp-298h]
		jmp	loc_8D3580
sub_8D3CB0	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D3CBB:				; CODE XREF: sub_759647+71Ej
					; sub_759647+726j
		mov	esi, 0C00000BBh
		jmp	loc_759DD2
; 

loc_8D3CC5:				; CODE XREF: sub_759647+701j
					; sub_759647+713j ...
		mov	esi, 0C000000Dh
		jmp	loc_759DD2
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_8D3CCF	proc near		; DATA XREF: .text:006A05C8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-29Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3CCF	endp


;  S U B	R O U T	I N E 


sub_8D3CE0	proc near		; DATA XREF: .text:006A05CCo
		mov	esi, [ebp-29Ch]
		jmp	loc_8D3580
sub_8D3CE0	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D3CEB:				; CODE XREF: sub_759647+2DDj
		mov	esi, 0C000000Dh
		jmp	loc_759959
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_8D3CF5	proc near		; DATA XREF: .text:006A05D4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2A0h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3CF5	endp


;  S U B	R O U T	I N E 


sub_8D3D06	proc near		; DATA XREF: .text:006A05D8o
		mov	esi, [ebp-2A0h]
		jmp	loc_8D3580
sub_8D3D06	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D3D11:				; CODE XREF: sub_759647+890j
		mov	esi, 0C000000Dh
		mov	[ebp-188h], esi
		mov	[ebp-4], edi
		jmp	loc_8D42FA
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_8D3D24	proc near		; DATA XREF: .text:006A05E0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-224h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3D24	endp


;  S U B	R O U T	I N E 


sub_8D3D35	proc near		; DATA XREF: .text:006A05E4o
		mov	esi, [ebp-224h]
		mov	[ebp-188h], esi
		jmp	loc_8D3580
sub_8D3D35	endp


;  S U B	R O U T	I N E 


sub_8D3D46	proc near		; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A2FCo
		push	ebx
		xor	edx, edx
		mov	ebx, [ebp-178h]
		mov	ecx, ebx
		call	_PspLockJobMemoryLimitsExclusive@12 ; PspLockJobMemoryLimitsExclusive(x,x,x)
		xor	eax, eax
		mov	[ebx+158h], eax
		mov	[ebx+154h], eax
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	_PspUnlockJobMemoryLimitsExclusive@12 ;	PspUnlockJobMemoryLimitsExclusive(x,x,x)
		jmp	loc_759142
sub_8D3D46	endp


;  S U B	R O U T	I N E 


sub_8D3D73	proc near		; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A304o
		mov	ebx, [ebp-178h]
		push	ebx
		mov	edx, [ebp-180h]
		mov	ecx, edi
		call	_PspSetNetRateControl@12 ; PspSetNetRateControl(x,x,x)
		jmp	loc_75A265
sub_8D3D73	endp

; 
; START	OF FUNCTION CHUNK FOR sub_75A01A

loc_8D3D8C:				; CODE XREF: sub_75A01A+26j
		mov	dx, [ebp-350h]
		xor	ecx, ecx
		inc	ecx
		test	dx, dx
		jz	short loc_8D3E09
		test	al, cl
		jnz	loc_75A2B8
		movzx	edi, dx
		mov	esi, [ebp-35Ch]
		add	edi, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		ja	short loc_8D3DBB
		cmp	edi, esi
		jnb	short loc_8D3DC4

loc_8D3DBB:				; CODE XREF: sub_75A01A+179D9Bj
		mov	[eax], bl
		mov	dx, [ebp-350h]

loc_8D3DC4:				; CODE XREF: sub_75A01A+179D9Fj
		test	dx, dx
		jz	short loc_8D3E09
		test	dl, cl
		jnz	short loc_8D3E09
		mov	[ebp-228h], ecx
		cmp	[ebp-179h], cl
		jnz	short loc_8D3DE4
		push	9
		pop	ecx
		mov	[ebp-228h], ecx

loc_8D3DE4:				; CODE XREF: sub_75A01A+179DBFj
		push	624A7350h
		movzx	eax, dx
		add	eax, 2
		push	eax
		push	ecx
		call	ExAllocatePoolWithQuotaTag
		mov	edi, eax
		mov	[ebp-21Ch], edi
		test	edi, edi
		jnz	short loc_8D3E1C
		mov	esi, 0C0000017h
		jmp	short loc_8D3E0E
; 

loc_8D3E09:				; CODE XREF: sub_75A01A+179D7Fj
					; sub_75A01A+179DADj ...
		mov	esi, 0C000000Dh

loc_8D3E0E:				; CODE XREF: sub_75A01A+179DEDj
		mov	[ebp-188h], esi
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		jmp	short loc_8D3E88
; 

loc_8D3E1C:				; CODE XREF: sub_75A01A+179DE6j
		movzx	eax, word ptr [ebp-350h]
		push	eax		; size_t
		push	dword ptr [ebp-35Ch] ; void *
		mov	edi, [ebp-21Ch]
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		movzx	eax, word ptr [ebp-350h]
		shr	eax, 1
		xor	ecx, ecx
		mov	[edi+eax*2], cx
		mov	[ebp-35Ch], edi
		jmp	loc_75A046
; 

loc_8D3E53:				; CODE XREF: sub_75A01A+3Cj
		mov	esi, 0C000000Dh
		jmp	short loc_8D3E88
; 

loc_8D3E5A:				; CODE XREF: sub_75A01A+73j
		mov	esi, 0C0000022h
		jmp	short loc_8D3E88
; END OF FUNCTION CHUNK	FOR sub_75A01A

;  S U B	R O U T	I N E 


sub_8D3E61	proc near		; DATA XREF: .text:006A05ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-22Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3E61	endp


;  S U B	R O U T	I N E 


sub_8D3E72	proc near		; DATA XREF: .text:006A05F0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-22Ch]
		mov	[ebp-188h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
sub_8D3E72	endp

; START	OF FUNCTION CHUNK FOR sub_75A01A

loc_8D3E88:				; CODE XREF: sub_75A01A+179E00j
					; sub_75A01A+179E3Ej ...
		mov	ebx, [ebp-178h]
		jmp	loc_75A0A8
; 

loc_8D3E93:				; CODE XREF: sub_75A01A+9Cj
		push	0
		push	edi
		jmp	short loc_8D3E9E
; END OF FUNCTION CHUNK	FOR sub_75A01A
; 
; START	OF FUNCTION CHUNK FOR sub_8D40FD

loc_8D3E98:				; CODE XREF: sub_8D40FD+152j
		push	72537350h
		push	eax
; END OF FUNCTION CHUNK	FOR sub_8D40FD
; START	OF FUNCTION CHUNK FOR sub_75A01A

loc_8D3E9E:				; CODE XREF: sub_75A01A+179E7Cj
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_759144
; END OF FUNCTION CHUNK	FOR sub_75A01A
; 
; START	OF FUNCTION CHUNK FOR sub_75A26C

loc_8D3EA8:				; CODE XREF: sub_75A26C+19j
		mov	esi, 0C0000021h
		jmp	loc_759DD2
; END OF FUNCTION CHUNK	FOR sub_75A26C

;  S U B	R O U T	I N E 


sub_8D3EB2	proc near		; DATA XREF: .text:006A05F8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-230h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3EB2	endp


;  S U B	R O U T	I N E 


sub_8D3EC3	proc near		; DATA XREF: .text:006A05FCo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-230h]
		mov	ebx, [ebp-178h]
		lea	ecx, [ebx+20h]
		call	ExReleaseResourceLite
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_759144
sub_8D3EC3	endp


;  S U B	R O U T	I N E 


sub_8D3EE6	proc near		; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A30Co
		push	dword ptr [ebp-19Ch]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		mov	ebx, [ebp-178h]
		test	al, al
		jz	short loc_8D3F42
		test	dword ptr [ebx+310h], 40000000h
		jz	short loc_8D3F4C
		push	4
		pop	edx
		mov	ecx, ebx
		call	_PspSetJobSiloThreadImpersonationPolicy@8 ; PspSetJobSiloThreadImpersonationPolicy(x,x)
		test	al, al
		jz	short loc_8D3F56
		mov	dword ptr [ebp-4], 12h
		mov	edx, [edi]
		mov	[ebp-2D0h], edx
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		mov	ecx, ebx
		call	_ObCreateSiloRootDirectory@8 ; ObCreateSiloRootDirectory(x,x)
		jmp	loc_75A265
; 

loc_8D3F42:				; CODE XREF: sub_8D3EE6+1Fj
					; sub_8D3F7C+1Fj ...
		mov	esi, 0C0000061h
		jmp	loc_759144
; 

loc_8D3F4C:				; CODE XREF: sub_8D3EE6+2Bj
					; sub_8D3F7C+2Bj ...
		mov	esi, 0C0000509h
		jmp	loc_759144
; 

loc_8D3F56:				; CODE XREF: sub_759647-53Fj
					; sub_759647+179C0Dj ...
		mov	esi, 0C000000Dh
		jmp	loc_759144
sub_8D3EE6	endp


;  S U B	R O U T	I N E 


sub_8D3F60	proc near		; DATA XREF: .text:006A0604o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-234h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3F60	endp


;  S U B	R O U T	I N E 


sub_8D3F71	proc near		; DATA XREF: .text:006A0608o
		mov	esi, [ebp-234h]
		jmp	loc_8D3580
sub_8D3F71	endp


;  S U B	R O U T	I N E 


sub_8D3F7C	proc near		; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A310o
		push	dword ptr [ebp-19Ch]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		mov	ebx, [ebp-178h]
		test	al, al
		jz	short loc_8D3F42
		test	dword ptr [ebx+310h], 40000000h
		jz	short loc_8D3F4C
		push	4
		pop	edx
		mov	ecx, ebx
		call	_PspSetJobSiloThreadImpersonationPolicy@8 ; PspSetJobSiloThreadImpersonationPolicy(x,x)
		test	al, al
		jz	short loc_8D3F56
		mov	dword ptr [ebp-4], 13h
		mov	ecx, [edi]
		mov	[ebp-2D4h], ecx
		mov	al, [edi+4]
		mov	[ebp-238h], al
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		push	dword ptr [ebp-238h]
		push	ecx
		mov	dl, [ebp-179h]
		mov	ecx, ebx
		call	_PspConvertSiloToServerSilo@16 ; PspConvertSiloToServerSilo(x,x,x,x)
		jmp	loc_75A265
sub_8D3F7C	endp


;  S U B	R O U T	I N E 


sub_8D3FEE	proc near		; DATA XREF: .text:006A0610o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-23Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D3FEE	endp


;  S U B	R O U T	I N E 


sub_8D3FFF	proc near		; DATA XREF: .text:006A0614o
		mov	esi, [ebp-23Ch]
		jmp	loc_8D3580
sub_8D3FFF	endp


;  S U B	R O U T	I N E 


sub_8D400A	proc near		; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A314o
		mov	dword ptr [ebp-4], 14h
		mov	edx, [edi]
		mov	[ebp-2D8h], edx
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		mov	ebx, [ebp-178h]
		mov	ecx, ebx
		call	_PspJobIsAppSilo@4 ; PspJobIsAppSilo(x)
		test	al, al
		jz	loc_8D3F56
		cmp	edx, 2
		jnz	loc_8D3F56
		lea	edi, [ebx+20h]
		push	1
		push	edi
		call	ExAcquireResourceExclusiveLite
		cmp	dword ptr [ebx+2C8h], 0
		jz	short loc_8D405B
		mov	esi, 0C000050Fh
		jmp	loc_759DD2
; 

loc_8D405B:				; CODE XREF: sub_8D400A+45j
		lea	eax, [ebx+310h]
		lock bts dword ptr [eax], 1Dh
		jnb	short loc_8D4072
		mov	esi, 0FFh
		jmp	loc_759DD2
; 

loc_8D4072:				; CODE XREF: sub_8D400A+5Cj
		mov	ecx, ebx
		call	_PspHardDereferenceSiloWorker@4	; PspHardDereferenceSiloWorker(x)
		jmp	loc_759DD0
sub_8D400A	endp


;  S U B	R O U T	I N E 


sub_8D407E	proc near		; DATA XREF: .text:006A061Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-240h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D407E	endp


;  S U B	R O U T	I N E 


sub_8D408F	proc near		; DATA XREF: .text:006A0620o
		mov	esi, [ebp-240h]
		jmp	loc_8D3580
sub_8D408F	endp

; 
; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D409A:				; CODE XREF: sub_759647+2Ej
		mov	esi, 0C000000Dh
		jmp	short loc_8D40D3
; 

loc_8D40A1:				; CODE XREF: sub_759647+86j
		mov	al, [ebp-179h]
		jmp	loc_7596F0
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_8D40AC	proc near		; DATA XREF: .text:006A0628o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-244h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D40AC	endp


;  S U B	R O U T	I N E 


sub_8D40BD	proc near		; DATA XREF: .text:006A062Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-244h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	al, [ebp-179h]
sub_8D40BD	endp

; START	OF FUNCTION CHUNK FOR sub_759647

loc_8D40D3:				; CODE XREF: sub_759647+17AA58j
		mov	ebx, [ebp-178h]
		jmp	loc_7596F0
; 

loc_8D40DE:				; CODE XREF: sub_759647+B1j
		push	ecx
		lea	edx, [ebp-1BCh]
		mov	ecx, ebx
		call	_PspUnlockJobConditionally@12 ;	PspUnlockJobConditionally(x,x,x)
		mov	edx, [ebp-198h]
		mov	ecx, [ebp-1BCh]
		jmp	loc_75A1D2
; END OF FUNCTION CHUNK	FOR sub_759647

;  S U B	R O U T	I N E 


sub_8D40FD	proc near		; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A324o

; FUNCTION CHUNK AT 008D3E98 SIZE 00000006 BYTES

		mov	ebx, [ebp-178h]
		test	dword ptr [ebx+310h], 40000000h
		jz	loc_8D3F4C
		and	[ebp-1ECh], esi
		mov	dword ptr [ebp-4], 16h
		mov	edx, [edi]
		mov	[ebp-190h], edx
		mov	[ebp-208h], edx
		mov	eax, [edi+4]
		mov	[ebp-194h], eax
		mov	[ebp-204h], eax
		test	eax, eax
		jz	loc_8D4201
		test	dx, dx
		jz	loc_8D4201
		mov	ecx, 208h
		cmp	dx, cx
		jnb	loc_8D4201
		xor	ecx, ecx
		inc	ecx
		test	dl, cl
		jnz	loc_8D4201
		cmp	[ebp-179h], cl
		jnz	short loc_8D4193
		test	al, cl
		jnz	loc_75A2B8
		movzx	eax, dx
		mov	esi, [ebp-194h]
		add	eax, esi
		mov	edi, ds:_MmUserProbeAddress
		cmp	eax, edi
		ja	short loc_8D4190
		cmp	eax, esi
		jnb	short loc_8D4193

loc_8D4190:				; CODE XREF: sub_8D40FD+8Dj
		mov	byte ptr [edi],	0

loc_8D4193:				; CODE XREF: sub_8D40FD+70j
					; sub_8D40FD+91j
		movzx	edi, dx
		push	72537350h
		push	edi
		push	ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp-1ECh], esi
		test	esi, esi
		jnz	short loc_8D41B5
		mov	esi, 0C000009Ah
		jmp	short loc_8D4206
; 

loc_8D41B5:				; CODE XREF: sub_8D40FD+AFj
		push	edi		; size_t
		push	dword ptr [ebp-194h] ; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		mov	eax, [ebp-190h]
		movzx	edi, ax
		shr	edi, 1
		push	edi
		push	esi
		call	_wcsnlen
		pop	ecx
		pop	ecx
		cmp	eax, edi
		jz	short loc_8D41EA
		mov	esi, 0C000000Dh
		jmp	short loc_8D4241
; 

loc_8D41EA:				; CODE XREF: sub_8D40FD+E4j
		mov	[ebp-204h], esi
		lea	edx, [ebp-208h]
		mov	ecx, ebx
		call	_PspAssignSiloSystemRootPath@8 ; PspAssignSiloSystemRootPath(x,x)
		mov	esi, eax
		jmp	short loc_8D4241
; 

loc_8D4201:				; CODE XREF: sub_8D40FD+42j
					; sub_8D40FD+4Bj ...
		mov	esi, 0C000000Dh

loc_8D4206:				; CODE XREF: sub_8D40FD+B6j
		mov	[ebp-188h], esi
		push	0FFFFFFFEh
		pop	edi
		jmp	loc_7594D3
; 

loc_8D4214:				; DATA XREF: .text:006A0634o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-248h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8D4225:				; DATA XREF: .text:006A0638o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-248h]
		mov	[ebp-188h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-178h]

loc_8D4241:				; CODE XREF: sub_8D40FD+EBj
					; sub_8D40FD+102j
		mov	eax, [ebp-1ECh]
		test	eax, eax
		jz	loc_759144
		jmp	loc_8D3E98
sub_8D40FD	endp


;  S U B	R O U T	I N E 


sub_8D4254	proc near		; DATA XREF: .text:006A0640o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D4254	endp


;  S U B	R O U T	I N E 


sub_8D4265	proc near		; DATA XREF: .text:006A0644o
		mov	esi, [ebp-24Ch]
		jmp	loc_8D3580
sub_8D4265	endp


;  S U B	R O U T	I N E 


sub_8D4270	proc near		; CODE XREF: sub_759647-56Cj
					; DATA XREF: PAGE:0075A32Co
		mov	dword ptr [ebp-4], 18h
		mov	al, [edi]
		mov	[ebp-1C5h], al
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		cmp	al, 1
		jnz	loc_8D3ADA
		push	dword ptr [ebp-19Ch]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		mov	ebx, [ebp-178h]
		test	al, al
		jz	loc_8D3F42
		test	dword ptr [ebx+310h], 40000000h
		jz	loc_8D3F56
		push	2
		pop	edx
		mov	ecx, ebx
		call	_PspSetJobSiloThreadImpersonationPolicy@8 ; PspSetJobSiloThreadImpersonationPolicy(x,x)
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFFDEh
		add	esi, 0C0000022h
		jmp	loc_759144
sub_8D4270	endp


;  S U B	R O U T	I N E 


sub_8D42E4	proc near		; DATA XREF: .text:006A064Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-250h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D42E4	endp


;  S U B	R O U T	I N E 


sub_8D42F5	proc near		; CODE XREF: sub_759647-579j
					; sub_759647-56Cj
					; DATA XREF: ...
		mov	esi, 0C0000003h

loc_8D42FA:				; CODE XREF: sub_759647+179AB8j
					; sub_759647+179D0Fj ...
		mov	ebx, [ebp-178h]
		jmp	loc_759144
sub_8D42F5	endp

; 
; START	OF FUNCTION CHUNK FOR sub_75A01A

loc_8D4305:				; CODE XREF: sub_75A01A-EC9j
		test	ds:_PerfGlobalGroupMask, 80000h
		jz	loc_759157
		push	727h
		push	esi
		push	0
		push	0
		mov	edx, [ebp+0Ch]
		mov	ecx, ebx
		call	_EtwTraceJobSetQuery@24	; EtwTraceJobSetQuery(x,x,x,x,x,x)
		jmp	loc_759157
; END OF FUNCTION CHUNK	FOR sub_75A01A
; 
; START	OF FUNCTION CHUNK FOR NtSetInformationJobObject

loc_8D432E:				; CODE XREF: NtSetInformationJobObject+188j
		mov	eax, 0C0000003h
		jmp	loc_759165
; END OF FUNCTION CHUNK	FOR NtSetInformationJobObject
; 
; START	OF FUNCTION CHUNK FOR ExpCopyProcessInfo

loc_8D4338:				; CODE XREF: ExpCopyProcessInfo+89j
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_75A708
; END OF FUNCTION CHUNK	FOR ExpCopyProcessInfo

;  S U B	R O U T	I N E 


sub_8D4348	proc near		; DATA XREF: .text:006A066Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		mov	eax, large fs:124h
		mov	[ebp-34h], eax
		mov	eax, [ebp-34h]
		mov	al, [eax+15Ah]
		mov	[ebp-19h], al
		mov	al, [ebp-19h]
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	eax, ecx
		retn
sub_8D4348	endp


;  S U B	R O U T	I N E 


sub_8D4374	proc near		; DATA XREF: .text:006A0670o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-38h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_75A6E2
sub_8D4374	endp

; 
; START	OF FUNCTION CHUNK FOR PsQueryStatisticsProcess

loc_8D4386:				; CODE XREF: PsQueryStatisticsProcess+1BEj
					; PsQueryStatisticsProcess+179C71j
		pause
		mov	eax, [edi+34h]
		mov	ecx, [edi+30h]
		cmp	eax, [edi+38h]
		jnz	short loc_8D4386
		jmp	loc_75A8E4
; END OF FUNCTION CHUNK	FOR PsQueryStatisticsProcess
; 
; START	OF FUNCTION CHUNK FOR ExHandleTableQuery

loc_8D4398:				; CODE XREF: ExHandleTableQuery+3Dj
		mov	ecx, eax
		jmp	loc_75A9D3
; END OF FUNCTION CHUNK	FOR ExHandleTableQuery

;  S U B	R O U T	I N E 


sub_8D439F	proc near		; DATA XREF: .text:006A068Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8D439F	endp


;  S U B	R O U T	I N E 


sub_8D43AF	proc near		; DATA XREF: .text:006A0690o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-1Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_75AB1E
sub_8D43AF	endp

; 
; START	OF FUNCTION CHUNK FOR PspLockJobChain

loc_8D43C1:				; CODE XREF: PspLockJobChain+55j
		mov	eax, [edi+248h]
		push	1
		add	eax, 20h
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	eax, [edi+254h]
		cmp	eax, 2
		jbe	loc_75AB99
		add	eax, 0FFFFFFFEh
		jz	loc_75AB99
		mov	ebx, eax

loc_8D43EC:				; CODE XREF: PspLockJobChain+1798C6j
		mov	eax, [edi+258h]
		push	1
		mov	eax, [eax+ebx*4-4]
		add	eax, 20h
		push	eax
		call	ExAcquireResourceExclusiveLite
		sub	ebx, 1
		jnz	short loc_8D43EC
		mov	ebx, [ebp+arg_0]
		jmp	loc_75AB99
; END OF FUNCTION CHUNK	FOR PspLockJobChain
; 
; START	OF FUNCTION CHUNK FOR PspUnlockJobChain

loc_8D440E:				; CODE XREF: PspUnlockJobChain+15j
		mov	ecx, [esi+248h]
		lea	ecx, [ecx+20h]
		call	ExReleaseResourceLite
		mov	eax, [esi+254h]
		jmp	loc_75ABC7
; 

loc_8D4427:				; CODE XREF: PspUnlockJobChain+1Ej
		lea	edi, [eax-2]
		test	edi, edi
		jz	loc_75ABD0

loc_8D4432:				; CODE XREF: PspUnlockJobChain+17989Bj
		mov	eax, [esi+258h]
		mov	ecx, [eax+edi*4-4]
		add	ecx, 20h
		call	ExReleaseResourceLite
		sub	edi, 1
		jnz	short loc_8D4432
		mov	eax, [esi+254h]
		jmp	loc_75ABD0
; END OF FUNCTION CHUNK	FOR PspUnlockJobChain
; 
; START	OF FUNCTION CHUNK FOR ExpGetGlobalLocaleSection

loc_8D4454:				; CODE XREF: ExpGetGlobalLocaleSection+CEj
		cmp	[esp+278h+var_220], 4
		jnz	loc_75ADC4
		cmp	[esp+278h+var_21C], 4
		jnz	loc_75ADC4
		mov	ebx, [esp+278h+var_218]
		mov	[esp+278h+var_240], ebx
		lea	esi, [ebx-500100h]
		neg	esi
		sbb	esi, esi
		not	esi
		and	esi, offset ??_C@_1BI@INEKAINN@?$AAl?$AAo?$AAc?$AA2?$AA0?$AA0?$AA8?$AA?4?$AAn?$AAl?$AAs@NNGAKEGL@
		jz	loc_8D4511
		mov	ebx, 104h
		lea	ecx, [esp+278h+var_210]
		push	offset ??_C@_1CM@JIIAJDGD@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@
		mov	edx, ebx
		call	RtlStringCchCopyW
		test	eax, eax
		js	short loc_8D4511
		push	esi
		mov	edx, ebx
		lea	ecx, [esp+27Ch+var_210]
		call	_RtlStringCchCatW@12 ; RtlStringCchCatW(x,x,x)
		test	eax, eax
		js	short loc_8D4511
		lea	eax, [esp+278h+var_210]
		push	eax
		lea	eax, [esp+27Ch+var_234]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ebx, ebx
		mov	[esp+278h+var_260], edi
		push	ebx
		lea	eax, [esp+27Ch+var_234]
		mov	[esp+27Ch+var_25C], ebx
		mov	[esp+27Ch+var_258], eax
		lea	eax, [esp+27Ch+var_22C]
		push	1
		push	eax
		lea	eax, [esp+284h+var_260]
		mov	[esp+284h+var_254], 240h
		push	eax
		push	100000h
		lea	eax, [esp+28Ch+var_268]
		mov	[esp+28Ch+var_250], ebx
		push	eax
		mov	[esp+290h+var_24C], ebx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_75ADC4
		mov	[esp+278h+var_268], ebx
		jmp	loc_75ADC4
; 

loc_8D4511:				; CODE XREF: ExpGetGlobalLocaleSection+179794j
					; ExpGetGlobalLocaleSection+1797B1j ...
		xor	ebx, ebx
		jmp	loc_75ADC4
; 

loc_8D4518:				; CODE XREF: ExpGetGlobalLocaleSection+1D4j
		test	esi, esi
		jz	loc_75AEE4
		mov	ecx, [esp+278h+var_264]
		call	ObfDereferenceObject
		mov	ecx, esi
		mov	edi, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		jmp	loc_75AEE4
; END OF FUNCTION CHUNK	FOR ExpGetGlobalLocaleSection
; 
; START	OF FUNCTION CHUNK FOR NtInitializeNlsFiles

loc_8D4537:				; CODE XREF: NtInitializeNlsFiles+22j
		mov	eax, 0C00000BBh
		jmp	loc_75AFF0
; 

loc_8D4541:				; CODE XREF: NtInitializeNlsFiles+37j
		mov	ecx, eax
		jmp	loc_75AF55
; 

loc_8D4548:				; CODE XREF: NtInitializeNlsFiles+4Dj
		mov	ecx, eax
		jmp	loc_75AF6B
; END OF FUNCTION CHUNK	FOR NtInitializeNlsFiles

;  S U B	R O U T	I N E 


sub_8D454F	proc near		; DATA XREF: .text:006A06B8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8D454F	endp


;  S U B	R O U T	I N E 


sub_8D455F	proc near		; DATA XREF: .text:006A06BCo
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-2Ch]
		jmp	loc_75AFE7
sub_8D455F	endp

; 

loc_8D456A:				; DATA XREF: .text:006A06ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8D4578:				; DATA XREF: .text:006A06B0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-30h]
		jmp	loc_75AFF0
; 
; START	OF FUNCTION CHUNK FOR PspSetupReservedUserMappings

loc_8D458A:				; CODE XREF: PspSetupReservedUserMappings+22j
					; PspSetupReservedUserMappings+2Ej
		push	edx
		xor	edx, edx
		call	KiStackAttachProcess
		test	esi, esi
		jz	short loc_8D45D5
		mov	[ebp+var_8], 4
		cmp	esi, 20h
		jz	short loc_8D45B0
		cmp	esi, 40h
		jnz	short loc_8D45B7
		mov	[ebp+var_4], 0FFFF00h
		jmp	short loc_8D45B7
; 

loc_8D45B0:				; CODE XREF: PspSetupReservedUserMappings+179532j
		mov	[ebp+var_4], 0FFF00h

loc_8D45B7:				; CODE XREF: PspSetupReservedUserMappings+179537j
					; PspSetupReservedUserMappings+179540j
		push	4
		push	2000h
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		lea	eax, [ebp+var_8]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8D460C

loc_8D45D5:				; CODE XREF: PspSetupReservedUserMappings+179526j
		xor	esi, esi
		cmp	[edi+9Ch], esi
		jbe	short loc_8D460C

loc_8D45DF:				; CODE XREF: PspSetupReservedUserMappings+17959Cj
		mov	eax, [edi+0A8h]
		push	4
		push	2000h
		lea	ecx, [eax+esi*8]
		lea	eax, [ecx+4]
		push	eax
		push	0
		push	ecx
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8D460C
		inc	esi
		cmp	esi, [edi+9Ch]
		jb	short loc_8D45DF

loc_8D460C:				; CODE XREF: PspSetupReservedUserMappings+179565j
					; PspSetupReservedUserMappings+17956Fj	...
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, ebx
		jmp	loc_75B0A4
; END OF FUNCTION CHUNK	FOR PspSetupReservedUserMappings
; 
; START	OF FUNCTION CHUNK FOR PspSetupUserProcessAddressSpace

loc_8D461D:				; CODE XREF: PspSetupUserProcessAddressSpace+6Ej
		or	esi, 8000h
		mov	[edi+8], esi
		jmp	loc_75B120
; 

loc_8D462B:				; CODE XREF: PspSetupUserProcessAddressSpace+9Cj
		or	esi, 20000000h
		mov	[edi+8], esi
		jmp	loc_75B14E
; END OF FUNCTION CHUNK	FOR PspSetupUserProcessAddressSpace
; 
; START	OF FUNCTION CHUNK FOR PspMapSiloSharedDataView

loc_8D4639:				; CODE XREF: PspMapSiloSharedDataView+1Ej
		xor	esi, esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_20], esi
		mov	eax, [ebx+2F8h]
		mov	eax, [eax+290h]
		push	2
		push	400000h
		push	1
		lea	ecx, [ebp+var_20]
		push	ecx
		lea	ecx, [ebp+var_30]
		push	ecx
		push	esi
		push	esi
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	edi
		push	eax
		call	MmMapViewOfSection
		test	eax, eax
		js	loc_75B270
		mov	ecx, [edi+17Ch]
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [ebp+var_1C]
		mov	[ecx+50h], eax
		jmp	short loc_8D469E
; END OF FUNCTION CHUNK	FOR PspMapSiloSharedDataView

;  S U B	R O U T	I N E 


sub_8D468A	proc near		; DATA XREF: .text:006A06D4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D468A	endp


;  S U B	R O U T	I N E 


sub_8D4698	proc near		; DATA XREF: .text:006A06D8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-24h]
sub_8D4698	endp

; START	OF FUNCTION CHUNK FOR PspMapSiloSharedDataView

loc_8D469E:				; CODE XREF: PspMapSiloSharedDataView+17943Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		jmp	loc_75B270
; END OF FUNCTION CHUNK	FOR PspMapSiloSharedDataView
; 
; START	OF FUNCTION CHUNK FOR MmMapApiSetView

loc_8D46AC:				; CODE XREF: MmMapApiSetView+2Cj
		mov	ecx, edi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	eax, [eax+258h]
		jmp	loc_75B2B7
; END OF FUNCTION CHUNK	FOR MmMapApiSetView

;  S U B	R O U T	I N E 


sub_8D46BE	proc near		; DATA XREF: .text:006A06F4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D46BE	endp


;  S U B	R O U T	I N E 


sub_8D46CC	proc near		; DATA XREF: .text:006A06F8o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-24h]
		jmp	loc_75B2EA
sub_8D46CC	endp

; 
; START	OF FUNCTION CHUNK FOR MmMapViewOfSection

loc_8D46D7:				; CODE XREF: MmMapViewOfSection+5Fj
		cmp	dword ptr [esi], 0
		jnz	short loc_8D46E7
		inc	dword_6D3104
		jmp	loc_75B891
; 

loc_8D46E7:				; CODE XREF: MmMapViewOfSection+178EB6j
		inc	dword_6D3108
		jmp	loc_75B891
; END OF FUNCTION CHUNK	FOR MmMapViewOfSection
; 
; START	OF FUNCTION CHUNK FOR PspWritePebAffinityInfo

loc_8D46F2:				; CODE XREF: PspWritePebAffinityInfo+36j
		cmp	esi, [edx+80h]
		jz	short loc_8D4702
		push	3
		pop	eax
		mov	[ebp+var_38], eax
		jmp	short loc_8D4715
; 

loc_8D4702:				; CODE XREF: PspWritePebAffinityInfo+178D5Ej
		cmp	esi, [edx+150h]
		jz	short loc_8D4710
		push	2
		pop	eax
		mov	[ebp+var_38], eax

loc_8D4710:				; CODE XREF: PspWritePebAffinityInfo+178D6Ej
		cmp	eax, 2
		jb	short loc_8D472B

loc_8D4715:				; CODE XREF: PspWritePebAffinityInfo+178D66j
		lea	ecx, [esi+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_75BA26
		mov	eax, [ebp+var_38]

loc_8D472B:				; CODE XREF: PspWritePebAffinityInfo+178D79j
		test	al, 1
		jz	loc_75B9D6
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	eax, [ebp+var_38]
		jmp	loc_75B9D6
; END OF FUNCTION CHUNK	FOR PspWritePebAffinityInfo

;  S U B	R O U T	I N E 


sub_8D4748	proc near		; DATA XREF: .text:006A074Co
		xor	eax, eax
		inc	eax
		retn
sub_8D4748	endp


;  S U B	R O U T	I N E 


sub_8D474C	proc near		; DATA XREF: .text:006A0750o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-44h]
		jmp	loc_75BA03
sub_8D474C	endp

; 
; START	OF FUNCTION CHUNK FOR PspWritePebAffinityInfo

loc_8D475E:				; CODE XREF: PspWritePebAffinityInfo+86j
		test	al, 1
		jz	short loc_8D476C
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_8D476C:				; CODE XREF: PspWritePebAffinityInfo+178DC6j
		cmp	[ebp+var_50], 2
		jb	loc_75BA26
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_75BA26
; END OF FUNCTION CHUNK	FOR PspWritePebAffinityInfo
; 
; START	OF FUNCTION CHUNK FOR PspPrepareSystemDllInitBlock

loc_8D4786:				; CODE XREF: PspPrepareSystemDllInitBlock+43j
		xor	eax, eax
		rep stosd
		pop	ecx
		lea	edi, [ebp+var_60]
		rep stosd
		jmp	loc_75BA93
; 

loc_8D4795:				; CODE XREF: PspPrepareSystemDllInitBlock+68j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000059h
		jmp	loc_75BB38
; END OF FUNCTION CHUNK	FOR PspPrepareSystemDllInitBlock

;  S U B	R O U T	I N E 


sub_8D47A6	proc near		; DATA XREF: .text:006A076Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D47A6	endp


;  S U B	R O U T	I N E 


sub_8D47B4	proc near		; DATA XREF: .text:006A0770o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-28h]
		jmp	loc_75BB2E
sub_8D47B4	endp

; 
; START	OF FUNCTION CHUNK FOR PspCopyAndFixupParameters

loc_8D47BF:				; CODE XREF: PspCopyAndFixupParameters:loc_75BCF3j
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx
		mov	eax, 0C0000008h
		jmp	loc_75BD18
; 

loc_8D47CE:				; CODE XREF: PspCopyAndFixupParameters+1C8j
		lea	ecx, [ebx+18h]
		cmp	[ebp+var_20], ecx
		jz	loc_75BCB7
		jmp	loc_75BD22
; 

loc_8D47DF:				; CODE XREF: PspCopyAndFixupParameters+10Bj
		add	eax, edi
		mov	[esi+8Ch], eax
		jmp	loc_75BC63
; 

loc_8D47EC:				; CODE XREF: PspCopyAndFixupParameters+119j
		add	eax, edi
		mov	[esi+2A8h], eax
		jmp	loc_75BC71
; 

loc_8D47F9:				; CODE XREF: PspCopyAndFixupParameters+127j
		add	eax, edi
		mov	[esi+2B0h], eax
		jmp	loc_75BC7F
; 

loc_8D4806:				; CODE XREF: PspCopyAndFixupParameters+135j
		add	eax, edi
		mov	[esi+2B4h], eax
		jmp	loc_75BC8D
; END OF FUNCTION CHUNK	FOR PspCopyAndFixupParameters

;  S U B	R O U T	I N E 


sub_8D4813	proc near		; DATA XREF: .text:006A078Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D4813	endp


;  S U B	R O U T	I N E 


sub_8D4821	proc near		; DATA XREF: .text:006A0790o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-34h]
		jmp	loc_75BCB7
sub_8D4821	endp

; 
; START	OF FUNCTION CHUNK FOR PopEtGetProcessAppId

loc_8D4833:				; CODE XREF: PopEtGetProcessAppId+6Cj
					; PopEtGetProcessAppId+75j
		mov	edx, esi

loc_8D4835:				; CODE XREF: PopEtGetProcessAppId+178A10j
		mov	cl, [ebx+edx+1ACh]
		movzx	eax, cl
		mov	word ptr [ebp+edx*2+var_24], ax
		test	cl, cl
		jz	short loc_8D484E
		inc	edx
		cmp	edx, 0Fh
		jb	short loc_8D4835

loc_8D484E:				; CODE XREF: PopEtGetProcessAppId+178A0Aj
		xor	eax, eax
		mov	[ebp+var_8], ax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_208]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edi, [ebp+var_208]
		jmp	loc_75BEB7
; 

loc_8D486F:				; CODE XREF: PopEtGetProcessAppId+14Cj
		test	dword ptr [esi+0Ch], 3FFh
		jz	loc_75BF8E
		mov	ecx, _PopEtGlobals
		mov	edx, esi
		lea	ecx, [ecx+20h]
		call	RtlInternEntryDereference
		jmp	loc_75BF8E
; END OF FUNCTION CHUNK	FOR PopEtGetProcessAppId
; 
; START	OF FUNCTION CHUNK FOR RtlInternTableIntern

loc_8D4891:				; CODE XREF: RtlInternTableIntern+8Bj
		xor	edi, edi
		jmp	loc_75C0C3
; 

loc_8D4898:				; CODE XREF: RtlInternTableIntern+A0j
					; RtlInternTableIntern+ACj
		push	[ebp+var_4]
		mov	edx, ebx
		mov	ecx, esi
		push	edi
		call	RtlpInternEntryFind
		mov	edi, eax
		test	edi, edi
		jnz	loc_75C1C5
		jmp	loc_75C124
; 

loc_8D48B4:				; CODE XREF: RtlInternTableIntern+273j
		xor	edi, edi
		jmp	loc_75C1C5
; 

loc_8D48BB:				; CODE XREF: RtlInternTableIntern+167j
		mov	eax, [esi+0Ch]
		push	ecx
		push	esi
		call	dword ptr [eax+4]
		jmp	loc_75C0C3
; 

loc_8D48C8:				; CODE XREF: RtlInternTableIntern+5Aj
		xor	edx, edx
		cmp	[ebx+8], edx
		jbe	short loc_8D48E5
		xor	ecx, ecx

loc_8D48D1:				; CODE XREF: RtlInternTableIntern+17886Ej
		mov	eax, [ebx+4]
		lea	ecx, [ecx+10h]
		and	dword ptr [eax+ecx-0Ch], 0
		inc	edx
		cmp	edx, [ebx+8]
		jb	short loc_8D48D1
		mov	ecx, [ebx+0Ch]

loc_8D48E5:				; CODE XREF: RtlInternTableIntern+17885Bj
		and	ecx, 0FFFFFFFEh
		mov	[ebx+0Ch], ecx
		jmp	loc_75C0D2
; END OF FUNCTION CHUNK	FOR RtlInternTableIntern
; 
; START	OF FUNCTION CHUNK FOR RtlpInternEntryFind

loc_8D48F0:				; CODE XREF: RtlpInternEntryFind+AFj
		cmp	ecx, 1
		jz	loc_75C45B
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_75C45B
; END OF FUNCTION CHUNK	FOR RtlpInternEntryFind
; 
; START	OF FUNCTION CHUNK FOR RtlpInternEntryHash

loc_8D4903:				; CODE XREF: RtlpInternEntryHash+4Dj
					; RtlpInternEntryHash+BDj
		sub	edi, 1
		jz	loc_75C539
		sub	edi, 1
		jz	loc_75C530
		sub	edi, 1
		jz	short loc_8D4956
		sub	edi, 1
		jz	short loc_8D494D
		sub	edi, 1
		jz	short loc_8D4944
		sub	edi, 1
		jz	short loc_8D493B
		sub	edi, 1
		jnz	loc_75C541
		movzx	eax, byte ptr [edx]
		imul	esi, 25h
		add	esi, eax
		inc	edx

loc_8D493B:				; CODE XREF: RtlpInternEntryHash+1784B9j
		movzx	eax, byte ptr [edx]
		imul	esi, 25h
		add	esi, eax
		inc	edx

loc_8D4944:				; CODE XREF: RtlpInternEntryHash+1784B4j
		movzx	eax, byte ptr [edx]
		imul	esi, 25h
		add	esi, eax
		inc	edx

loc_8D494D:				; CODE XREF: RtlpInternEntryHash+1784AFj
		movzx	eax, byte ptr [edx]
		imul	esi, 25h
		add	esi, eax
		inc	edx

loc_8D4956:				; CODE XREF: RtlpInternEntryHash+1784AAj
		movzx	eax, byte ptr [edx]
		imul	esi, 25h
		add	esi, eax
		inc	edx
		jmp	loc_75C530
; END OF FUNCTION CHUNK	FOR RtlpInternEntryHash

;  S U B	R O U T	I N E 


sub_8D4964	proc near		; DATA XREF: .text:006A07ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D4964	endp


;  S U B	R O U T	I N E 


sub_8D4972	proc near		; DATA XREF: .text:006A07B0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-1Ch]
		jmp	loc_75C654
sub_8D4972	endp

; 
; START	OF FUNCTION CHUNK FOR PspInitializeFullProcessImageName

loc_8D497D:				; CODE XREF: PspInitializeFullProcessImageName+4Cj
		mov	ecx, [edi+15Ch]
		test	ecx, ecx
		jz	short loc_8D49A7
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	ecx, eax
		call	MiReferenceControlAreaFile
		mov	ebx, eax
		jmp	loc_75C72D
; 

loc_8D499A:				; CODE XREF: PspInitializeFullProcessImageName+15Dj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_75C7D7
; 

loc_8D49A7:				; CODE XREF: PspInitializeFullProcessImageName+1782ADj
		mov	edi, 0C00000BBh
		jmp	loc_75C7D7
; 

loc_8D49B1:				; CODE XREF: PspInitializeFullProcessImageName+17Dj
		mov	edi, 0C0000017h
		jmp	loc_75C7DB
; END OF FUNCTION CHUNK	FOR PspInitializeFullProcessImageName
; 
; START	OF FUNCTION CHUNK FOR ExSweepHandleTable

loc_8D49BB:				; CODE XREF: ExSweepHandleTable+3Cj
		lea	eax, [ebp+var_20]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	KiStackAttachProcess
		mov	edx, [ebp+var_28]
		mov	[ebp+var_21], 1
		jmp	loc_75CB42
; 

loc_8D49D4:				; CODE XREF: ExSweepHandleTable+69j
		mov	ecx, [ebp+var_28]
		push	edx
		mov	edx, edi
		call	_ExpBlockOnLockedHandleEntry@12	; ExpBlockOnLockedHandleEntry(x,x,x)
		jmp	loc_75CB60
; 

loc_8D49E4:				; CODE XREF: ExSweepHandleTable+F3j
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_75CBF9
; END OF FUNCTION CHUNK	FOR ExSweepHandleTable
; 
; START	OF FUNCTION CHUNK FOR ExpFreeHandleTable

loc_8D49F3:				; CODE XREF: ExpFreeHandleTable+52j
		xor	eax, eax
		mov	[ebp+var_C], eax

loc_8D49F8:				; CODE XREF: ExpFreeHandleTable+177DBEj
		mov	ebx, [edi+eax*4]
		test	ebx, ebx
		jz	short loc_8D4A46
		xor	eax, eax
		mov	[ebp+var_8], eax

loc_8D4A04:				; CODE XREF: ExpFreeHandleTable+177D98j
		mov	edx, [ebx+eax*4]
		test	edx, edx
		jz	short loc_8D4A20
		mov	ecx, esi
		call	ExpFreeLowLevelTable
		mov	eax, [ebp+var_8]
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, 400h
		jb	short loc_8D4A04

loc_8D4A20:				; CODE XREF: ExpFreeHandleTable+177D83j
		push	6274624Fh
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	short loc_8D4A3A
		push	1000h
		push	esi
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)

loc_8D4A3A:				; CODE XREF: ExpFreeHandleTable+177DA7j
		mov	eax, [ebp+var_C]
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, 20h
		jb	short loc_8D49F8

loc_8D4A46:				; CODE XREF: ExpFreeHandleTable+177D77j
		push	6274624Fh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_4]
		test	esi, esi
		jz	loc_75CCAF
		push	80h
		push	esi
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)
		jmp	loc_75CCAF
; END OF FUNCTION CHUNK	FOR ExpFreeHandleTable
; 
; START	OF FUNCTION CHUNK FOR ExpFreeLowLevelTable

loc_8D4A6C:				; CODE XREF: ExpFreeLowLevelTable+12j
		push	6274624Fh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	loc_75CD38
		push	ebx
		push	esi
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)
		jmp	loc_75CD38
; END OF FUNCTION CHUNK	FOR ExpFreeLowLevelTable
; 
; START	OF FUNCTION CHUNK FOR EtwTraceProcess

loc_8D4A8B:				; CODE XREF: EtwTraceProcess+8Dj
		mov	ecx, esi
		call	_EtwpLogProcessPerfCtrs@4 ; EtwpLogProcessPerfCtrs(x)
		jmp	loc_75D071
; END OF FUNCTION CHUNK	FOR EtwTraceProcess
; 
; START	OF FUNCTION CHUNK FOR EtwpWriteProcessEvent

loc_8D4A97:				; CODE XREF: EtwpWriteProcessEvent+96j
		mov	byte ptr [ebp+var_D5], dl
		jmp	loc_75D219
; END OF FUNCTION CHUNK	FOR EtwpWriteProcessEvent
; 
; START	OF FUNCTION CHUNK FOR EtwpPsProvTraceProcess

loc_8D4AA2:				; CODE XREF: EtwpPsProvTraceProcess+6A2j
		sub	eax, 1
		jnz	loc_75D6FB
		mov	[ebp+var_1A4], offset _ProcessRundown
		jmp	loc_75D3BA
; 

loc_8D4ABA:				; CODE XREF: EtwpPsProvTraceProcess+613j
		mov	edx, ecx
		jmp	loc_75D92B
; 

loc_8D4AC1:				; CODE XREF: EtwpPsProvTraceProcess+335j
					; EtwpPsProvTraceProcess+33Ej
		lea	eax, [esi+1ACh]
		push	eax		; char
		push	offset ??_C@_15MAOEGKJF@?$AA?$CF?$AAS@NNGAKEGL@	; wchar_t *
		lea	eax, [ebp+var_28]
		push	0Fh		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_208]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_208]
		jmp	loc_75D656
; 

loc_8D4AF6:				; CODE XREF: EtwpPsProvTraceProcess+346j
		mov	eax, (offset loc_403A20+4)
		jmp	loc_75D65E
; END OF FUNCTION CHUNK	FOR EtwpPsProvTraceProcess
; 
; START	OF FUNCTION CHUNK FOR EtwpBuildProcessEvent

loc_8D4B00:				; CODE XREF: EtwpBuildProcessEvent+B7j
		push	4
		mov	ecx, offset _EtwpNull
		pop	eax
		mov	[ebp+arg_C], ecx
		jmp	loc_75DAFA
; 

loc_8D4B10:				; CODE XREF: EtwpBuildProcessEvent+21Cj
		lea	ecx, [esi+1ACh]
		jmp	loc_75DB28
; END OF FUNCTION CHUNK	FOR EtwpBuildProcessEvent

;  S U B	R O U T	I N E 


sub_8D4B1B	proc near		; DATA XREF: .text:006A07CCo
		xor	eax, eax
		inc	eax
		retn
sub_8D4B1B	endp


;  S U B	R O U T	I N E 


sub_8D4B1F	proc near		; DATA XREF: .text:006A07D0o
		mov	esp, [ebp-18h]
		jmp	loc_75DD86
sub_8D4B1F	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpQueryProcessCommandLine

loc_8D4B27:				; CODE XREF: EtwpQueryProcessCommandLine+50j
		mov	ecx, eax
		jmp	loc_75DDF4
; 

loc_8D4B2E:				; CODE XREF: EtwpQueryProcessCommandLine+9Cj
					; EtwpQueryProcessCommandLine+A4j
		mov	[edx], bl
		jmp	loc_75DE48
; 

loc_8D4B35:				; CODE XREF: EtwpQueryProcessCommandLine+80j
		xor	esi, esi
		mov	word ptr [ebp+var_3C], si

loc_8D4B3B:				; CODE XREF: EtwpQueryProcessCommandLine+78j
		mov	ecx, [ebp+var_20]
		jmp	loc_75DE59
; 

loc_8D4B43:				; CODE XREF: EtwpQueryProcessCommandLine+EBj
		mov	esi, 0C000009Ah
		jmp	loc_75DF18
; END OF FUNCTION CHUNK	FOR EtwpQueryProcessCommandLine

;  S U B	R O U T	I N E 


sub_8D4B4D	proc near		; DATA XREF: .text:006A07F8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D4B4D	endp


;  S U B	R O U T	I N E 


sub_8D4B5B	proc near		; DATA XREF: .text:006A07FCo
		mov	esi, [ebp-30h]
		jmp	loc_75DF34
sub_8D4B5B	endp


;  S U B	R O U T	I N E 


sub_8D4B63	proc near		; CODE XREF: EtwpQueryProcessCommandLine+180j
		push	ebx
		push	dword ptr [edi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[edi+4], ebx
		xor	eax, eax
		mov	[edi+2], ax
		jmp	loc_75DEDB
sub_8D4B63	endp

; 
; START	OF FUNCTION CHUNK FOR MmCreateProcessAddressSpace

loc_8D4B7A:				; CODE XREF: MmCreateProcessAddressSpace+22j
		mov	eax, [edi+498h]
		mov	ebx, [eax]
		jmp	loc_75DFC3
; 

loc_8D4B87:				; CODE XREF: MmCreateProcessAddressSpace+81j
		push	1
		push	[ebp+arg_4]
		lea	eax, [ebp+arg_0]
		push	eax
		lea	edx, [esp+2Ch+var_C]
		call	MiCheckWsLimits
		mov	edx, [ebp+arg_0]
		lea	ecx, [edi+240h]
		mov	esi, [esp+20h+var_C]
		jmp	loc_75E01D
; 

loc_8D4BAB:				; CODE XREF: MmCreateProcessAddressSpace+91j
		or	byte ptr [ecx+60h], 40h
		jmp	loc_75E02D
; 

loc_8D4BB4:				; CODE XREF: MmCreateProcessAddressSpace+101j
		xor	edx, edx
		call	MiDeleteProcessShadow

loc_8D4BBB:				; CODE XREF: MmCreateProcessAddressSpace+EEj
		mov	ecx, [edi+194h]
		test	ecx, ecx
		jz	short loc_8D4BD1
		call	MiPaeFree
		and	dword ptr [edi+194h], 0

loc_8D4BD1:				; CODE XREF: MmCreateProcessAddressSpace+DCj
					; MmCreateProcessAddressSpace+176C2Dj
		mov	edx, [esp+20h+var_4]
		mov	ecx, offset dword_6D35E0
		push	1
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_8D4BE1:				; CODE XREF: MmCreateProcessAddressSpace+CDj
		mov	edx, esi
		mov	ecx, ebx
		call	_MiReturnResident@8 ; MiReturnResident(x,x)

loc_8D4BEA:				; CODE XREF: MmCreateProcessAddressSpace+B4j
		push	esi
		mov	ecx, edi
		call	_PsReturnProcessQuota@12 ; PsReturnProcessQuota(x,x,x)

loc_8D4BF2:				; CODE XREF: MmCreateProcessAddressSpace+A1j
		push	5
		pop	edx
		mov	ecx, ebx
		call	MiReturnCommit
		jmp	loc_75E193
; 

loc_8D4C01:				; CODE XREF: MmCreateProcessAddressSpace+195j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_8D4C3B
		xor	eax, eax
		inc	eax
		cmp	byte ptr word_6D07B8+1,	0
		mov	[esp+20h+var_10], eax
		jnz	loc_75E135

loc_8D4C1E:				; CODE XREF: MmCreateProcessAddressSpace+176CBBj
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		mov	eax, [esp+20h+var_10]
		jz	loc_75E135
		or	edx, 80000000h
		jmp	loc_75E135
; 

loc_8D4C3B:				; CODE XREF: MmCreateProcessAddressSpace+176C72j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_8D4C1E
		jmp	loc_75E131
; 

loc_8D4C58:				; CODE XREF: MmCreateProcessAddressSpace+1A7j
		push	edx
		push	esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	ecx, [esp+20h+var_4]
		jmp	loc_75E143
; END OF FUNCTION CHUNK	FOR MmCreateProcessAddressSpace
; 
; START	OF FUNCTION CHUNK FOR MiJoinSession

loc_8D4C68:				; CODE XREF: MiJoinSession+3Aj
		mov	esi, eax
		test	eax, eax
		jnz	loc_75E1C7
		jmp	loc_75E1E4
; END OF FUNCTION CHUNK	FOR MiJoinSession
; 
; START	OF FUNCTION CHUNK FOR PspProcessClose

loc_8D4C77:				; CODE XREF: PspProcessClose+31j
		mov	eax, [ecx+0FCh]
		test	eax, 40000008h
		jz	loc_7607D1
		mov	edx, 0C000010Ah
		mov	ecx, edi
		call	_PsTerminateProcess@8 ;	PsTerminateProcess(x,x)
		jmp	loc_7607D1
; END OF FUNCTION CHUNK	FOR PspProcessClose

;  S U B	R O U T	I N E 


sub_8D4C99	proc near		; CODE XREF: PspReadIFEOMitigationAuditOptions+3Cj

arg_C		= dword	ptr  10h

		sub	esp, 18h
		lea	esi, [esp+18h+arg_C]
		push	6
		pop	ecx
		mov	edi, esp
		rep movsd
		call	_PspValidateMitigationAuditOptions@24 ;	PspValidateMitigationAuditOptions(x,x,x,x,x,x)
		test	eax, eax
		js	loc_76095E
		push	6
		pop	ecx
		lea	esi, [esp+arg_C]
		mov	edi, ebx
		rep movsd
		jmp	loc_76095E
sub_8D4C99	endp

; 
; START	OF FUNCTION CHUNK FOR PspComputeQuantum

loc_8D4CC4:				; CODE XREF: PspComputeQuantum+30j
		mov	eax, [ecx+190h]
		cmp	eax, 0Ah
		jb	short loc_8D4CD5
		mov	eax, [ecx+0ECh]

loc_8D4CD5:				; CODE XREF: PspComputeQuantum+174275j
		mov	al, byte ptr ds:_PspJobSchedulingClasses[eax]
		retn
; END OF FUNCTION CHUNK	FOR PspComputeQuantum
; 
; START	OF FUNCTION CHUNK FOR PspInitializeProcessSecurity

loc_8D4CDC:				; CODE XREF: PspInitializeProcessSecurity+D1j
		mov	[ebx+4], ecx
		mov	eax, ecx
		jmp	loc_760B6A
; 

loc_8D4CE6:				; CODE XREF: PspInitializeProcessSecurity+10Aj
		xor	eax, eax
		xor	edx, edx
		nop
		mov	edi, [esp+40h+var_2C]
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [edi]
		or	eax, edx
		jz	loc_760BE3
		jmp	loc_760BA0
; END OF FUNCTION CHUNK	FOR PspInitializeProcessSecurity
; 
; START	OF FUNCTION CHUNK FOR MmInitializeProcessAddressSpace

loc_8D4D04:				; CODE XREF: MmInitializeProcessAddressSpace+6Cj
		mov	eax, 0C000009Ah
		jmp	loc_760F64
; 

loc_8D4D0E:				; CODE XREF: MmInitializeProcessAddressSpace+C7j
		test	eax, 10000000h
		jnz	loc_760E61
		mov	ecx, ebx
		call	_MiInitializeLockedPagesTracking@4 ; MiInitializeLockedPagesTracking(x)
		jmp	loc_760E61
; 

loc_8D4D25:				; CODE XREF: MmInitializeProcessAddressSpace+155j
		mov	esi, 0C000009Ah

loc_8D4D2A:				; CODE XREF: MmInitializeProcessAddressSpace+12Fj
					; MmInitializeProcessAddressSpace+184j	...
		mov	ecx, [esp+0B0h+var_90]
		call	_MiReturnProcessVads@4 ; MiReturnProcessVads(x)
		jmp	loc_760F54
; 

loc_8D4D38:				; CODE XREF: MmInitializeProcessAddressSpace+262j
		call	MiSessionCreate
		mov	esi, eax
		jmp	loc_760FFE
; 

loc_8D4D44:				; CODE XREF: MmInitializeProcessAddressSpace+273j
		xor	ecx, ecx
		xor	edx, edx
		jmp	loc_76101B
; END OF FUNCTION CHUNK	FOR MmInitializeProcessAddressSpace
; 
; START	OF FUNCTION CHUNK FOR MiUpdateVadBits

loc_8D4D4D:				; CODE XREF: MiUpdateVadBits+25j
					; MiUpdateVadBits+173A75j
		mov	ecx, esi
		call	_MiSetVadBits@4	; MiSetVadBits(x)
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jz	short loc_8D4D77
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_8D4D7F

loc_8D4D65:				; CODE XREF: MiUpdateVadBits+173A53j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_8D4D65
		jmp	short loc_8D4D7F
; 

loc_8D4D71:				; CODE XREF: MiUpdateVadBits+173A63j
		cmp	[esi], ecx
		jz	short loc_8D4D7F
		mov	ecx, esi

loc_8D4D77:				; CODE XREF: MiUpdateVadBits+173A41j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_8D4D71

loc_8D4D7F:				; CODE XREF: MiUpdateVadBits+173A49j
					; MiUpdateVadBits+173A55j ...
		test	esi, esi
		jz	loc_761345
		mov	eax, [esi+0Ch]
		shl	eax, 0Ch
		cmp	eax, edi
		jb	short loc_8D4D4D
		jmp	loc_761345
; END OF FUNCTION CHUNK	FOR MiUpdateVadBits
; 
; START	OF FUNCTION CHUNK FOR MiComputeProcessUserVa

loc_8D4D96:				; CODE XREF: MiComputeProcessUserVa+6Fj
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	eax, [eax]
		mov	eax, [eax+24h]
		test	byte ptr [eax+1Ch], 20h
		jnz	loc_7613C5
		mov	[edx], esi
		mov	esi, ebx
		jmp	loc_7613C5
; 

loc_8D4DB3:				; CODE XREF: MiComputeProcessUserVa+7Cj
		cmp	esi, 80000000h
		jbe	loc_7613D2
		mov	ecx, 200000h
		lea	eax, [edi+0FCh]
		lock or	[eax], ecx
		jmp	loc_7613D2
; END OF FUNCTION CHUNK	FOR MiComputeProcessUserVa
; 
; START	OF FUNCTION CHUNK FOR MiAllocateProcessVads

loc_8D4DD2:				; CODE XREF: MiAllocateProcessVads+58j
		mov	ecx, [ebp+var_4]
		lea	edx, [edi-1]
		push	0
		mov	ecx, [ecx+1CCh]
		call	MiAllocateVad
		test	eax, eax
		jz	loc_761509
		mov	[eax], esi
		mov	esi, eax
		jmp	loc_7614FE
; END OF FUNCTION CHUNK	FOR MiAllocateProcessVads
; 
; START	OF FUNCTION CHUNK FOR MiAllocateVad

loc_8D4DF6:				; CODE XREF: MiAllocateVad+98j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8D4DFE:				; CODE XREF: MiAllocateVad+25j
		xor	eax, eax
		jmp	loc_7615B4
; 

loc_8D4E05:				; CODE XREF: MiAllocateVad+59j
		test	[ebp+arg_0], 2
		jz	short loc_8D4E21
		and	ecx, 0FFFFFC7Fh
		mov	edx, 0FFFFDh
		or	ecx, 0C00h
		jmp	loc_76157D
; 

loc_8D4E21:				; CODE XREF: MiAllocateVad+1738F5j
		mov	edx, 0FFFFFh
		jmp	loc_76157D
; END OF FUNCTION CHUNK	FOR MiAllocateVad
; 
; START	OF FUNCTION CHUNK FOR MiMapProcessExecutable

loc_8D4E2B:				; CODE XREF: MiMapProcessExecutable+30j
		mov	eax, 0C0000049h
		jmp	loc_76168A
; 

loc_8D4E35:				; CODE XREF: MiMapProcessExecutable+A5j
		lea	edx, [ebp+var_18]
		call	_MiFillPteHierarchy@8 ;	MiFillPteHierarchy(x,x)
		push	2
		pop	eax

loc_8D4E40:				; CODE XREF: MiMapProcessExecutable+1738C3j
		mov	ecx, [ebp+eax*4+var_1C]
		dec	eax
		mov	[ebp+var_C], eax
		mov	edx, [ecx]
		nop
		mov	eax, [ecx+4]
		mov	[ebp+var_10], eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_8D4E68
		push	[ebp+var_10]
		push	edx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	[ebp+var_10], eax
		mov	edx, eax

loc_8D4E68:				; CODE XREF: MiMapProcessExecutable+17389Aj
		mov	ecx, edx
		and	ecx, 1
		or	ecx, esi
		jz	short loc_8D4E88
		and	edx, 80h
		or	edx, esi
		jnz	short loc_8D4E85
		mov	eax, [ebp+var_C]
		cmp	eax, 1
		jnz	short loc_8D4E40
		jmp	short loc_8D4E88
; 

loc_8D4E85:				; CODE XREF: MiMapProcessExecutable+1738BBj
		xor	esi, esi
		inc	esi

loc_8D4E88:				; CODE XREF: MiMapProcessExecutable+1738B1j
					; MiMapProcessExecutable+1738C5j
		mov	ecx, [ebx+8]
		mov	eax, [ecx]
		test	esi, esi
		jnz	short loc_8D4E9B
		and	eax, 0FFFFFFEFh
		mov	[ecx], eax
		jmp	loc_761669
; 

loc_8D4E9B:				; CODE XREF: MiMapProcessExecutable+1738D1j
		and	al, 20h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	esi, eax
		jmp	loc_761669
; END OF FUNCTION CHUNK	FOR MiMapProcessExecutable
; 
; START	OF FUNCTION CHUNK FOR PsMapSystemDlls

loc_8D4EAB:				; CODE XREF: PsMapSystemDlls+37j
		xor	edi, edi
		lea	eax, [ebp+var_1C]
		inc	edi
		xor	edx, edx
		push	eax
		mov	ecx, esi
		mov	[ebp+var_20], edi
		call	KiStackAttachProcess
		xor	ecx, ecx
		jmp	loc_7617FE
; 

loc_8D4EC5:				; CODE XREF: PsMapSystemDlls+5Aj
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_76181E
; END OF FUNCTION CHUNK	FOR PsMapSystemDlls
; 
; START	OF FUNCTION CHUNK FOR MiAllocateNewSubAllocatedRegion

loc_8D4ED4:				; CODE XREF: MiAllocateNewSubAllocatedRegion+1736A5j
		xor	edi, edi
		jmp	loc_7618E8
; 

loc_8D4EDB:				; CODE XREF: MiAllocateNewSubAllocatedRegion+D2j
		mov	ecx, [esp+40h+var_2C]
		mov	eax, 10000h
		cmp	ecx, eax
		jnz	short loc_8D4EEC
		shr	ebx, 1
		jmp	short loc_8D4EF2
; 

loc_8D4EEC:				; CODE XREF: MiAllocateNewSubAllocatedRegion+173696j
		mov	ecx, eax
		mov	[esp+40h+var_2C], ecx

loc_8D4EF2:				; CODE XREF: MiAllocateNewSubAllocatedRegion+17369Aj
		cmp	ebx, 10h
		jnb	short loc_8D4ED4
		jmp	loc_761928
; 

loc_8D4EFC:				; CODE XREF: MiAllocateNewSubAllocatedRegion+185j
		mov	edi, 0C000009Ah

loc_8D4F01:				; CODE XREF: MiAllocateNewSubAllocatedRegion+199j
					; MiAllocateNewSubAllocatedRegion+208j
		cmp	[esp+40h+var_20], 0
		jz	short loc_8D4F13
		push	40h
		mov	edx, esi
		mov	ecx, ebx
		call	_MiFreeVadEventBitmap@12 ; MiFreeVadEventBitmap(x,x,x)

loc_8D4F13:				; CODE XREF: MiAllocateNewSubAllocatedRegion+1736B6j
		mov	eax, [esp+40h+var_14]
		test	eax, eax
		jz	short loc_8D4F23
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8D4F23:				; CODE XREF: MiAllocateNewSubAllocatedRegion+123j
					; MiAllocateNewSubAllocatedRegion+1736C9j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_761A5E
; 

loc_8D4F30:				; CODE XREF: MiAllocateNewSubAllocatedRegion+1C3j
		push	[esp+40h+var_24]
		mov	edx, [esp+44h+var_10]
		mov	ecx, [esp+44h+var_8]
		call	MiAdvanceVadHint
		jmp	loc_761A19
; 

loc_8D4F46:				; CODE XREF: MiAllocateNewSubAllocatedRegion+39j
					; MiAllocateNewSubAllocatedRegion+53j
		mov	eax, 0C0000017h
		jmp	loc_761A60
; END OF FUNCTION CHUNK	FOR MiAllocateNewSubAllocatedRegion
; 
; START	OF FUNCTION CHUNK FOR MiFreeToSubAllocatedRegion

loc_8D4F50:				; CODE XREF: MiFreeToSubAllocatedRegion+7Ej
		cmp	ecx, edi
		jnb	loc_761B62
		mov	eax, [ebp+var_8]
		lea	edx, [esi+8]
		mov	ecx, [esi+1Ch]
		and	ecx, 3
		mov	eax, [eax+24Ch]
		lea	eax, [eax+ecx*8]
		add	eax, 7Ch
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_8D4FAE
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	[ecx+4], edx
		mov	[eax], edx
		mov	edx, [esi+14h]
		jmp	loc_761B62
; 

loc_8D4F89:				; CODE XREF: MiFreeToSubAllocatedRegion+E5j
		mov	esi, [ebp+var_C]
		lea	eax, [esi+0Ch]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_8D4FAE
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_8D4FAE
		mov	[edx], ecx
		mov	[ecx+4], edx
		and	dword ptr [eax], 0
		and	dword ptr [esi+10h], 0
		jmp	loc_761BD9
; 

loc_8D4FAE:				; CODE XREF: MiFreeToSubAllocatedRegion+173497j
					; MiFreeToSubAllocatedRegion+1734B6j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8D4FB3:				; CODE XREF: MiFreeToSubAllocatedRegion+10Aj
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)
		jmp	loc_761BF5
; END OF FUNCTION CHUNK	FOR MiFreeToSubAllocatedRegion
; 
; START	OF FUNCTION CHUNK FOR MiCreateVadEventBitmap

loc_8D4FC3:				; CODE XREF: MiCreateVadEventBitmap+49j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_761C6C
; END OF FUNCTION CHUNK	FOR MiCreateVadEventBitmap
; 
; START	OF FUNCTION CHUNK FOR PspMapSystemDll

loc_8D4FD2:				; CODE XREF: PspMapSystemDll+BEj
		mov	eax, [ebp+var_C]
		cmp	eax, ds:_PsInitialSystemProcess
		jz	loc_761D44
		mov	edi, 0C0000018h
		jmp	loc_761D40
; END OF FUNCTION CHUNK	FOR PspMapSystemDll
; 
		align 4
		db 0CCh
; 
; START	OF FUNCTION CHUNK FOR MiMapViewOfSectionExCommon

loc_8D4FED:				; CODE XREF: MiMapViewOfSectionExCommon+A7j
		cmp	[ebp+var_48], 0
		jnz	short loc_8D4FFE
		inc	dword_6D3104
		jmp	loc_761F64
; 

loc_8D4FFE:				; CODE XREF: MiMapViewOfSectionExCommon+17324Dj
		inc	dword_6D3108
		jmp	loc_761F64
; 

loc_8D5009:				; CODE XREF: MiMapViewOfSectionExCommon+DDj
		mov	esi, 0C000000Dh

loc_8D500E:				; CODE XREF: MiMapViewOfSectionExCommon+C8j
					; MiMapViewOfSectionExCommon+105j ...
		cmp	[ebp+var_48], 0
		jnz	short loc_8D5057
		inc	dword_6D3104
		jmp	loc_761F58
; 

loc_8D501F:				; CODE XREF: MiMapViewOfSectionExCommon+1DCj
		push	dword ptr [ebx+1Ch]
		push	dword ptr [ebx+18h]
		push	[ebp+var_44]
		push	[ebp+var_48]
		mov	dl, [ebx+30h]
		mov	ecx, [ebp+var_30]
		call	EtwTiLogMapExecView
		jmp	loc_761F23
; END OF FUNCTION CHUNK	FOR MiMapViewOfSectionExCommon

;  S U B	R O U T	I N E 


sub_8D503B	proc near		; DATA XREF: .text:006A0834o
		mov	ebx, [ebp-1Ch]
		xor	eax, eax
		inc	eax
		retn
sub_8D503B	endp


;  S U B	R O U T	I N E 


sub_8D5042	proc near		; DATA XREF: .text:006A0838o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-24h]
		jmp	loc_761F50
sub_8D5042	endp

; 
; START	OF FUNCTION CHUNK FOR MiMapViewOfSectionExCommon

loc_8D5057:				; CODE XREF: MiMapViewOfSectionExCommon+17326Ej
		inc	dword_6D3108
		jmp	loc_761F58
; 

loc_8D5062:				; CODE XREF: MiMapViewOfSectionExCommon+1B8j
		mov	ecx, [ebp+var_34]
		call	ObfDereferenceObject
		mov	edx, 77566D4Dh
		mov	ecx, [ebp+var_30]
		call	ObfDereferenceObjectWithTag
		jmp	loc_761F62
; END OF FUNCTION CHUNK	FOR MiMapViewOfSectionExCommon
; 
; START	OF FUNCTION CHUNK FOR MiMapExParametersInitialize

loc_8D507C:				; CODE XREF: MiMapExParametersInitialize+31j
		cmp	[ebx], esi
		jnz	loc_762088
		cmp	[ebx+4], esi
		jnz	loc_762088
		or	dword ptr [edi+28h], 4000000h
		or	dword ptr [edi+30h], 2
		mov	dword ptr [edi+8], 1000h
		jmp	loc_761FBD
; 

loc_8D50A4:				; CODE XREF: MiMapExParametersInitialize+4Dj
		test	edx, edx
		jnz	loc_762088
		cmp	[ebx+4], esi
		jnz	loc_762088
		cmp	[ebx+8], esi
		jnz	loc_762088
		jmp	loc_761FD9
; 

loc_8D50C3:				; CODE XREF: MiMapExParametersInitialize+AAj
		test	dword ptr [eax+1Ch], 420h
		jnz	loc_762088
		jmp	loc_762036
; 

loc_8D50D5:				; CODE XREF: MiMapExParametersInitialize+B6j
		test	byte ptr [eax+1Ch], 20h
		jz	loc_762042
		test	byte ptr [edi+30h], 1
		jnz	loc_762088
		jmp	loc_762042
; END OF FUNCTION CHUNK	FOR MiMapExParametersInitialize
; 
; START	OF FUNCTION CHUNK FOR MmAllocateVirtualMemory

loc_8D50EE:				; CODE XREF: MmAllocateVirtualMemory+73j
		mov	ecx, eax
		jmp	loc_762159
; 

loc_8D50F5:				; CODE XREF: MmAllocateVirtualMemory+89j
		mov	ecx, eax
		jmp	loc_76216F
; 

loc_8D50FC:				; CODE XREF: MmAllocateVirtualMemory+64j
		mov	edi, [ebp+arg_0]
		jmp	loc_762173
; END OF FUNCTION CHUNK	FOR MmAllocateVirtualMemory

;  S U B	R O U T	I N E 


sub_8D5104	proc near		; DATA XREF: .text:006A0860o
		mov	eax, 1
		retn
sub_8D5104	endp


;  S U B	R O U T	I N E 


sub_8D510A	proc near		; DATA XREF: .text:006A0864o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp+8]
		jmp	loc_7621E2
sub_8D510A	endp

; 

loc_8D511C:				; DATA XREF: .text:006A0854o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		mov	eax, large fs:124h
		mov	[ebp-30h], eax
		mov	eax, [ebp-30h]
		mov	al, [eax+15Ah]
		mov	[ebp-1Dh], al
		mov	cl, [ebp-1Dh]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
; 

loc_8D5146:				; DATA XREF: .text:006A0858o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-34h]
		jmp	loc_7621DB
; 
; START	OF FUNCTION CHUNK FOR MiCaptureAllocateMapExtendedParameters

loc_8D5151:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+47j
		mov	eax, 0C000000Dh
		jmp	loc_76222B
; 

loc_8D515B:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+156j
		mov	eax, [esi+8]
		mov	[edi+18h], eax
		mov	byte ptr [edi+1Ch], 1
		jmp	loc_76231D
; 

loc_8D516A:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+14Dj
		mov	eax, [esi+8]
		mov	[edi+0Ch], eax
		test	eax, eax
		jnz	loc_76231D
		jmp	loc_76236C
; 

loc_8D517D:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+144j
		and	[ebp+var_40], 0
		and	[ebp+var_3C], 0
		mov	eax, [esi+8]
		mov	ecx, [esi+0Ch]
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], ecx
		test	ecx, ecx
		jnz	short loc_8D519A
		cmp	eax, 0FFFFFFFFh
		jbe	short loc_8D51D0

loc_8D519A:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+172F9Bj
		mov	[ebp+var_24], eax
		test	ecx, ecx
		jg	loc_76236C
		jl	short loc_8D51AB
		test	eax, eax
		jnb	short loc_8D51BE

loc_8D51AB:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+172FADj
		and	ecx, 7FFFFFFFh
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], ecx
		mov	byte ptr [edi+1Dh], 1
		mov	[ebp+var_24], eax

loc_8D51BE:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+172FB1j
		test	ecx, ecx
		jnz	loc_76236C
		cmp	[ebp+var_24], 0FFFFFFFFh
		ja	loc_76236C

loc_8D51D0:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+172FA0j
		mov	[edi+10h], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_76236C
		inc	eax
		mov	[edi+10h], eax
		jmp	loc_76231D
; END OF FUNCTION CHUNK	FOR MiCaptureAllocateMapExtendedParameters

;  S U B	R O U T	I N E 


sub_8D51E5	proc near		; DATA XREF: .text:006A0880o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-2Ch]
sub_8D51E5	endp

; START	OF FUNCTION CHUNK FOR MiCaptureAllocateMapExtendedParameters

loc_8D51EB:				; CODE XREF: MiCaptureAllocateMapExtendedParameters+179j
		mov	[ebp+var_1C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_76222B
; END OF FUNCTION CHUNK	FOR MiCaptureAllocateMapExtendedParameters

;  S U B	R O U T	I N E 


sub_8D51FA	proc near		; DATA XREF: .text:006A087Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8D51FA	endp

; 
; START	OF FUNCTION CHUNK FOR DbgkMapViewOfSection

loc_8D520A:				; CODE XREF: DbgkMapViewOfSection+5Dj
		mov	edi, large fs:124h
		test	dword ptr [edi+58h], 400h
		jnz	short loc_8D522B
		cmp	byte ptr [edi+16Ah], 1
		jz	short loc_8D522B
		mov	edi, [edi+0A8h]
		jmp	short loc_8D522D
; 

loc_8D522B:				; CODE XREF: DbgkMapViewOfSection+172E94j
					; DbgkMapViewOfSection+172E9Dj
		mov	edi, esi

loc_8D522D:				; CODE XREF: DbgkMapViewOfSection+172EA5j
		test	edi, edi
		jz	short loc_8D5257
		mov	eax, [ebp+var_D0]
		cmp	eax, [ecx+150h]
		jnz	short loc_8D5257
		mov	ecx, edi
		call	_DbgkpSuppressDbgMsg@4 ; DbgkpSuppressDbgMsg(x)
		test	eax, eax
		jnz	loc_7623E7
		lea	eax, [edi+14h]
		mov	[ebp+var_9C], eax

loc_8D5257:				; CODE XREF: DbgkMapViewOfSection+172EABj
					; DbgkMapViewOfSection+172EB9j
		mov	eax, [ebp+var_D4]
		test	eax, eax
		jz	short loc_8D5270
		mov	ecx, eax
		call	_DbgkpSectionToFileHandle@4 ; DbgkpSectionToFileHandle(x)
		mov	[ebp+var_AC], eax
		jmp	short loc_8D5276
; 

loc_8D5270:				; CODE XREF: DbgkMapViewOfSection+172EDBj
		mov	[ebp+var_AC], esi

loc_8D5276:				; CODE XREF: DbgkMapViewOfSection+172EEAj
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_A4], esi
		mov	[ebp+var_A0], esi
		mov	[ebp+ms_exc.disabled], esi
		test	ebx, ebx
		jz	short loc_8D5299
		push	ebx
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	ecx, eax
		jmp	short loc_8D529B
; 

loc_8D5299:				; CODE XREF: DbgkMapViewOfSection+172F09j
		mov	ecx, esi

loc_8D529B:				; CODE XREF: DbgkMapViewOfSection+172F13j
		test	ecx, ecx
		jz	short loc_8D52CE
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_A4], eax
		mov	eax, [ecx+10h]
		mov	[ebp+var_A0], eax
		jmp	short loc_8D52CE
; END OF FUNCTION CHUNK	FOR DbgkMapViewOfSection

;  S U B	R O U T	I N E 


sub_8D52B3	proc near		; DATA XREF: .text:006A089Co
		xor	eax, eax
		inc	eax
		retn
sub_8D52B3	endp


;  S U B	R O U T	I N E 


sub_8D52B7	proc near		; DATA XREF: .text:006A08A0o
		mov	esp, [ebp-18h]
		xor	esi, esi
		mov	[ebp-0A4h], esi
		mov	[ebp-0A0h], esi
		mov	[ebp-9Ch], esi
sub_8D52B7	endp

; START	OF FUNCTION CHUNK FOR DbgkMapViewOfSection

loc_8D52CE:				; CODE XREF: DbgkMapViewOfSection+172F19j
					; DbgkMapViewOfSection+172F2Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_CC], 34001Ch
		mov	[ebp+var_C8], 8
		mov	[ebp+var_B4], 5
		lea	eax, [ebp+var_CC]
		push	eax
		xor	edx, edx
		inc	edx
		mov	ecx, [ebp+var_D0]
		call	_DbgkpSendApiMessage@12	; DbgkpSendApiMessage(x,x,x)
		cmp	[ebp+var_AC], 0
		jz	loc_7623E7
		push	esi
		push	[ebp+var_AC]
		call	ObCloseHandle
		jmp	loc_7623E7
; END OF FUNCTION CHUNK	FOR DbgkMapViewOfSection
; 
; START	OF FUNCTION CHUNK FOR MiGetUserReservationHighestAddress

loc_8D5326:				; CODE XREF: MiGetUserReservationHighestAddress+10j
		or	esi, 0FFFFFFFFh
		mov	ecx, edx
		shr	esi, cl
		cmp	esi, eax
		jbe	loc_762410
		mov	esi, eax
		jmp	loc_762410
; END OF FUNCTION CHUNK	FOR MiGetUserReservationHighestAddress
; 
; START	OF FUNCTION CHUNK FOR PspReferenceSystemDll

loc_8D533C:				; CODE XREF: PspReferenceSystemDll+13j
		mov	eax, large fs:124h
		push	edi
		mov	[ebp+var_4], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	edi, [ebx+4]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	ecx, ebx
		call	@ObFastReferenceObjectLocked@4 ; ObFastReferenceObjectLocked(x)
		push	11h
		mov	esi, eax
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_8D5378
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8D5378:				; CODE XREF: PspReferenceSystemDll+172F47j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		jmp	loc_762441
; END OF FUNCTION CHUNK	FOR PspReferenceSystemDll
; 
; START	OF FUNCTION CHUNK FOR MiDeleteVadBitmap

loc_8D538D:				; CODE XREF: MiDeleteVadBitmap+1Fj
		push	0
		push	eax
		push	esi
		push	3455h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8D539E:				; CODE XREF: MmDeleteProcessAddressSpace+2Dj
		test	edi, edi
		jz	short loc_8D53DB
		cmp	[edi+8], esi
		jz	short loc_8D53DB
		cmp	dword ptr [edi+10h], 1
		jnz	short loc_8D53DB
		mov	ecx, [edi]
		mov	eax, esi
		jmp	short loc_8D53B7
; 

loc_8D53B3:				; CODE XREF: MiDeleteVadBitmap+172F71j
		mov	eax, ecx
		mov	ecx, [ecx]

loc_8D53B7:				; CODE XREF: MiDeleteVadBitmap+172F69j
		test	ecx, ecx
		jnz	short loc_8D53B3
		test	eax, eax
		jnz	short loc_8D53CE
		mov	ecx, [edi+4]
		mov	eax, esi
		jmp	short loc_8D53CA
; 

loc_8D53C6:				; CODE XREF: MiDeleteVadBitmap+172F84j
		mov	eax, ecx
		mov	ecx, [ecx]

loc_8D53CA:				; CODE XREF: MiDeleteVadBitmap+172F7Cj
		test	ecx, ecx
		jnz	short loc_8D53C6

loc_8D53CE:				; CODE XREF: MiDeleteVadBitmap+172F75j
		push	edx
		push	dword ptr [eax+0Ch]
		push	esi
		push	eax
		push	0CBh
		jmp	short loc_8D53E1
; 

loc_8D53DB:				; CODE XREF: MiDeleteVadBitmap+172F58j
					; MiDeleteVadBitmap+172F5Dj ...
		push	edi
		push	edx
		push	ebx
		push	esi
		push	76h

loc_8D53E1:				; CODE XREF: MiDeleteVadBitmap+172F91j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; END OF FUNCTION CHUNK	FOR MiDeleteVadBitmap
; START	OF FUNCTION CHUNK FOR MmDeleteProcessAddressSpace

loc_8D53E6:				; CODE XREF: MmDeleteProcessAddressSpace+35j
		mov	ebx, edi

loc_8D53E8:				; CODE XREF: MmDeleteProcessAddressSpace+172EDFj
					; MmDeleteProcessAddressSpace+172EE8j
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_8D5403

loc_8D53EE:				; CODE XREF: MmDeleteProcessAddressSpace+172ED2j
		mov	ecx, eax
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_8D53EE
		test	ecx, ecx
		jz	short loc_8D5403
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8D53E8
; 

loc_8D5403:				; CODE XREF: MmDeleteProcessAddressSpace+172ECAj
					; MmDeleteProcessAddressSpace+172ED6j
		cmp	ebx, edi
		jnz	short loc_8D540C
		lea	ebx, [edi+4]
		jmp	short loc_8D53E8
; 

loc_8D540C:				; CODE XREF: MmDeleteProcessAddressSpace+172EE3j
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_4]
		jmp	loc_76255D
; 

loc_8D541B:				; CODE XREF: MmDeleteProcessAddressSpace+80j
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[edi+14h], esi
		jmp	loc_7625A8
; END OF FUNCTION CHUNK	FOR MmDeleteProcessAddressSpace
; 
; START	OF FUNCTION CHUNK FOR MiReleaseProcessReferenceToSessionDataPage

loc_8D542A:				; CODE XREF: MiReleaseProcessReferenceToSessionDataPage+2Aj
		call	_MiUnlinkSessionList@4 ; MiUnlinkSessionList(x)
		imul	esi, [ebx+18h],	1Ch
		xor	edx, edx
		mov	eax, [ebx+8]
		inc	edx
		mov	[ebp+var_24], eax
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		xor	edx, edx
		mov	ecx, esi
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		mov	ecx, ebx
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		xor	esi, esi
		mov	[ebp+var_30], eax
		mov	ebx, esi
		mov	ecx, eax

loc_8D5462:				; CODE XREF: MiReleaseProcessReferenceToSessionDataPage+172E58j
		mov	edi, [ecx]
		nop
		mov	edx, [ecx+4]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_8D547A
		push	edx
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	edi, eax

loc_8D547A:				; CODE XREF: MiReleaseProcessReferenceToSessionDataPage+172E2Dj
		shrd	edi, edx, 0Ch
		push	8
		and	edi, 1FFFFFFh
		imul	eax, edi, 1Ch
		pop	edx
		add	ecx, edx
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+ebx*4+var_10], eax
		inc	ebx
		cmp	ebx, 3
		jb	short loc_8D5462
		test	dword ptr ds:byte_70EFC4, 400000h
		mov	ebx, [ebp+var_28]
		mov	edi, [ebp+var_24]
		jz	short loc_8D54DD
		push	offset byte_401802
		mov	[ebp+var_18], edx
		lea	eax, [ebp+var_2C]
		push	24Eh
		xor	edx, edx
		mov	[ebp+var_28], edi
		push	20400000h
		inc	edx
		mov	[ebp+var_2C], ebx
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], esi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_8D54DD:				; CODE XREF: MiReleaseProcessReferenceToSessionDataPage+172E6Aj
		mov	edx, [ebp+var_30]
		mov	ecx, offset dword_6D35E0
		push	3
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_8D54EC:				; CODE XREF: MiReleaseProcessReferenceToSessionDataPage+172EB7j
		mov	ecx, [ebp+esi*4+var_10]
		call	_MiReturnPfnReferenceCount@4 ; MiReturnPfnReferenceCount(x)
		inc	esi
		cmp	esi, 3
		jb	short loc_8D54EC
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		mov	ebx, offset dword_6D05C0
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6D35C8
		mov	ecx, edi
		shr	ecx, 3
		and	edi, 7
		add	ecx, [eax+4]
		movsx	eax, byte ptr [ecx]
		btr	eax, edi
		mov	[ecx], al
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8D5544
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8D5544:				; CODE XREF: MiReleaseProcessReferenceToSessionDataPage+172EF9j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_762672
; END OF FUNCTION CHUNK	FOR MiReleaseProcessReferenceToSessionDataPage
; 
; START	OF FUNCTION CHUNK FOR NtTerminateProcess

loc_8D5557:				; CODE XREF: NtTerminateProcess+FFj
		mov	edx, edi
		mov	ecx, ebx
		call	PspUnlockProcessExclusive
		push	1
		push	[ebp+arg_4]
		push	edi
		call	PspTerminateThreadByPointer
		xor	eax, eax
		jmp	loc_7627C1
; 

loc_8D5572:				; CODE XREF: NtTerminateProcess+C8j
					; NtTerminateProcess+D4j
		mov	eax, 0C00000BBh
		jmp	loc_7627C1
; END OF FUNCTION CHUNK	FOR NtTerminateProcess
; 
; START	OF FUNCTION CHUNK FOR PspTerminateProcess

loc_8D557C:				; CODE XREF: PspTerminateProcess+A6j
		mov	ecx, dword_6BEDF4
		test	ecx, ecx
		jz	short loc_8D5593
		test	al, 8
		jnz	short loc_8D5593
		push	edi
		push	ebx
		call	ecx
		jmp	loc_762891
; 

loc_8D5593:				; CODE XREF: PspTerminateProcess+172DA8j
					; PspTerminateProcess+172DACj
		xor	dl, dl
		mov	ecx, ebx
		mov	esi, 122h
		call	_PspRundownSingleProcess@8 ; PspRundownSingleProcess(x,x)
		jmp	loc_762893
; END OF FUNCTION CHUNK	FOR PspTerminateProcess
; 
; START	OF FUNCTION CHUNK FOR EtwTraceThreadSetName

loc_8D55A6:				; CODE XREF: EtwTraceThreadSetName+4Bj
					; EtwTraceThreadSetName+56j
		mov	[ebp+var_24], offset _EtwpNull
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], edi
		jmp	loc_76296D
; END OF FUNCTION CHUNK	FOR EtwTraceThreadSetName
; 
; START	OF FUNCTION CHUNK FOR MiReadImageHeaders

loc_8D55BB:				; CODE XREF: MiReadImageHeaders+D3j
					; MiReadImageHeaders+172B87j
		mov	eax, [edi+0Ch]
		mov	ecx, eax
		mov	edx, [edi+8]
		and	ecx, 0FFFh
		mov	[ebp+arg_4], eax
		mov	eax, [edi+14h]
		add	eax, 0FFFh
		add	ecx, eax
		shr	ecx, 0Ch
		lea	eax, [ecx+edx]
		cmp	esi, eax
		jnb	short loc_8D562F
		lea	eax, [ebx+esi]
		cmp	eax, edx
		jbe	short loc_8D562F
		cmp	edx, esi
		ja	short loc_8D560A
		mov	eax, esi
		sub	eax, edx
		sub	ecx, eax
		cmp	ecx, ebx
		jbe	short loc_8D55F7
		mov	ecx, ebx

loc_8D55F7:				; CODE XREF: MiReadImageHeaders+172B47j
		shl	ecx, 0Ch
		shl	eax, 0Ch
		add	eax, [ebp+arg_4]
		push	ecx
		push	eax
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+0Ch]
		jmp	short loc_8D5627
; 

loc_8D560A:				; CODE XREF: MiReadImageHeaders+172B3Dj
		sub	edx, esi
		mov	eax, ebx
		sub	eax, edx
		cmp	eax, ecx
		jbe	short loc_8D5616
		mov	eax, ecx

loc_8D5616:				; CODE XREF: MiReadImageHeaders+172B66j
		shl	eax, 0Ch
		push	eax		; size_t
		mov	eax, [ebp+arg_0]
		push	[ebp+arg_4]	; void *
		shl	edx, 0Ch
		add	edx, [eax+0Ch]
		push	edx		; void *

loc_8D5627:				; CODE XREF: MiReadImageHeaders+172B5Cj
		call	_memcpy
		add	esp, 0Ch

loc_8D562F:				; CODE XREF: MiReadImageHeaders+172B32j
					; MiReadImageHeaders+172B39j
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_8D55BB
		mov	esi, [ebp+var_4]
		jmp	loc_762B59
; 

loc_8D563D:				; CODE XREF: MiReadImageHeaders+95j
		xor	edx, edx
		mov	dword_6CF4F4, 20h
		mov	ecx, esi
		call	_MiIsRetryIoStatus@8 ; MiIsRetryIoStatus(x,x)
		test	eax, eax
		jnz	loc_762B59
		cmp	esi, 0C0000054h
		jz	loc_762B59
		cmp	esi, 0C0000267h
		jz	loc_762B59
		mov	esi, 0C0000020h
		jmp	loc_762B59
; END OF FUNCTION CHUNK	FOR MiReadImageHeaders
; 
; START	OF FUNCTION CHUNK FOR MiPfExecuteReadList

loc_8D567A:				; CODE XREF: MiPfExecuteReadList+59j
		mov	ecx, [esi+7Ch]
		mov	eax, [ecx+1Ch]
		jmp	loc_762D07
; 

loc_8D5685:				; CODE XREF: MiPfExecuteReadList+7Ej
		mov	eax, 800h
		test	[ecx+74h], ax
		jz	loc_762D2A
		xor	eax, eax
		jmp	loc_762D53
; 

loc_8D569B:				; CODE XREF: MiPfExecuteReadList+94j
		push	eax
		push	ecx
		lea	edx, [esi+0A8h]
		or	edx, edi
		lea	ecx, [esi+38h]
		call	_SmPageRead@16	; SmPageRead(x,x,x,x)
		jmp	loc_762D53
; 

loc_8D56B2:				; CODE XREF: MiPfExecuteReadList+B3j
		mov	[esi+30h], eax
		xor	eax, eax
		push	eax
		push	eax
		mov	[esi+34h], eax
		lea	eax, [esi+10h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_762D5F
; END OF FUNCTION CHUNK	FOR MiPfExecuteReadList
; 
; START	OF FUNCTION CHUNK FOR AlpcpSignalPortAndUnlock

loc_8D56CA:				; CODE XREF: AlpcpSignalPortAndUnlock+25j
		lea	edi, [esi+8Ch]
		cmp	[edi], edi
		jz	loc_8D5768
		lea	ebx, [esi+88h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_8D5717
		lea	edi, [eax-31Ch]
		and	dword ptr [edi+318h], 0
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_8D5712
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_8D5712
		mov	[ecx], edx
		mov	[edx+4], ecx
		and	dword ptr [eax], 0
		jmp	short loc_8D5719
; 

loc_8D5712:				; CODE XREF: AlpcpSignalPortAndUnlock+1727A3j
					; AlpcpSignalPortAndUnlock+1727AAj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8D5717:				; CODE XREF: AlpcpSignalPortAndUnlock+17278Fj
		xor	edi, edi

loc_8D5719:				; CODE XREF: AlpcpSignalPortAndUnlock+1727B4j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8D572D
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8D572D:				; CODE XREF: AlpcpSignalPortAndUnlock+1727C8j
		mov	ecx, ebx
		call	KeAbPostRelease
		test	edi, edi
		jz	short loc_8D5768
		push	11h
		add	esi, 0D0h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_8D5753
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8D5753:				; CODE XREF: AlpcpSignalPortAndUnlock+1727EEj
		mov	ecx, esi
		call	KeAbPostRelease
		push	2
		push	ecx
		lea	ecx, [edi+2B4h]
		jmp	loc_762FAA
; 

loc_8D5768:				; CODE XREF: AlpcpSignalPortAndUnlock+172776j
					; AlpcpSignalPortAndUnlock+1727DAj
		push	11h
		add	esi, 0D0h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_8D5783
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8D5783:				; CODE XREF: AlpcpSignalPortAndUnlock+17281Ej
		pop	edi
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	KeAbPostRelease
; END OF FUNCTION CHUNK	FOR AlpcpSignalPortAndUnlock
; 
; START	OF FUNCTION CHUNK FOR CcMdlRead

loc_8D578D:				; CODE XREF: CcMdlRead+F7j
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_8D5797:				; CODE XREF: CcMdlRead+117j
					; CcMdlRead+1727DBj
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_8D57A1
		mov	ecx, eax
		jmp	short loc_8D5797
; 

loc_8D57A1:				; CODE XREF: CcMdlRead+1727D7j
		mov	edx, [ebp+var_1C]
		mov	[ecx], edx
		jmp	loc_7630E6
; END OF FUNCTION CHUNK	FOR CcMdlRead

;  S U B	R O U T	I N E 


sub_8D57AB	proc near		; DATA XREF: .text:006A0910o
		xor	esi, esi
		mov	edi, [ebp+8]
		mov	ebx, [ebp-4Ch]
		mov	edx, [ebp-50h]
		mov	ecx, [ebp-54h]
		mov	[ebp-28h], ecx
		jmp	sub_76314E
sub_8D57AB	endp

; 
; START	OF FUNCTION CHUNK FOR sub_76314E

loc_8D57C1:				; CODE XREF: sub_76314E+16j
		mov	ecx, [ebp-24h]
		test	ecx, ecx
		jz	short loc_8D57CD
		call	CcFreeVirtualAddress

loc_8D57CD:				; CODE XREF: sub_76314E+172678j
		cmp	dword ptr [ebp-1Ch], 0
		jz	short loc_8D57DB
		push	dword ptr [ebp-1Ch]
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_8D57DB:				; CODE XREF: sub_76314E+172683j
		mov	edi, [ebp+14h]

loc_8D57DE:				; CODE XREF: sub_76314E+1726A7j
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_8D57F7
		mov	esi, [eax]
		push	eax
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	dword ptr [edi]
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	[edi], esi
		jmp	short loc_8D57DE
; 

loc_8D57F7:				; CODE XREF: sub_76314E+172694j
		push	1
		push	8
		pop	edx
		mov	ecx, ebx
		call	CcUpdateSharedCacheMapFlag
		retn
; 

loc_8D5804:				; CODE XREF: sub_76314E+39j
		push	esi
		push	8
		pop	edx
		mov	ecx, ebx
		call	CcUpdateSharedCacheMapFlag
		jmp	loc_76318D
; END OF FUNCTION CHUNK	FOR sub_76314E
; 
; START	OF FUNCTION CHUNK FOR PopCheckResiliencyScenarios

loc_8D5814:				; CODE XREF: PopCheckResiliencyScenarios+30j
		mov	cl, _PopPdcIdleResiliency
		mov	dl, _PopPdcIoCoalescing
		mov	[ebp+var_1], cl
		call	_PopDeepSleepEnabled@0 ; PopDeepSleepEnabled()
		test	al, al
		jz	loc_7637B3
		test	cl, cl
		jz	short loc_8D5843
		call	_PpmGetDeepSleepPlatformStateIndex@0 ; PpmGetDeepSleepPlatformStateIndex()
		mov	_PpmDripsStateIndex, eax
		jmp	loc_7637B3
; 

loc_8D5843:				; CODE XREF: PopCheckResiliencyScenarios+1720DEj
		or	_PpmDripsStateIndex, 0FFFFFFFFh
		jmp	loc_7637B3
; 

loc_8D584F:				; CODE XREF: PopCheckResiliencyScenarios+76j
		test	al, al
		jz	loc_7637D0
		xor	ecx, ecx
		call	PopDeepSleepClearDisengageReason
		jmp	loc_7637E4
; 

loc_8D5863:				; CODE XREF: PopCheckResiliencyScenarios+8Aj
		call	_PopDeepSleepEnabled@0 ; PopDeepSleepEnabled()
		test	al, al
		jnz	loc_7637E4
		mov	esi, offset _PopFxSystemLatencyLock
		mov	ecx, esi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	al, [ebp+var_1]
		cmp	_PopIdleResiliencyIsEngagedWithoutDeepSleep, al
		jz	short loc_8D5891
		mov	_PopIdleResiliencyIsEngagedWithoutDeepSleep, al
		call	PoFxSendSystemLatencyUpdate

loc_8D5891:				; CODE XREF: PopCheckResiliencyScenarios+172131j
		mov	ecx, esi
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		jmp	loc_7637E4
; 

loc_8D589D:				; CODE XREF: PopCheckResiliencyScenarios+93j
		mov	al, _PopCoalescingState
		add	bl, bl
		and	al, 0FDh
		or	al, bl
		mov	_PopCoalescingState, al
		call	_PopEnsureCoalescingWorkerWillRun@0 ; PopEnsureCoalescingWorkerWillRun()
		jmp	loc_7637ED
; END OF FUNCTION CHUNK	FOR PopCheckResiliencyScenarios
; 
; START	OF FUNCTION CHUNK FOR PnpNotifyTargetDeviceChange

loc_8D58B7:				; CODE XREF: PnpNotifyTargetDeviceChange+5Fj
		mov	word ptr [ebp+var_1C], ax
		lea	edi, [ebp+var_18]
		push	18h
		mov	esi, ebx
		pop	eax
		mov	word ptr [ebp+var_1C+2], ax
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_24]
		jmp	loc_76386C
; 

loc_8D58D3:				; CODE XREF: PnpNotifyTargetDeviceChange+79j
					; PnpNotifyTargetDeviceChange+8Bj
		mov	ebx, [esi+144h]
		mov	[ebp+var_1D], 1
		jmp	loc_76389F
; 

loc_8D58E2:				; CODE XREF: PnpNotifyTargetDeviceChange+E8j
		mov	ecx, [ebp+var_30]
		call	_IopGetSessionIdFromPDO@4 ; IopGetSessionIdFromPDO(x)
		mov	[ebp+var_3C], eax
		jmp	loc_7638F2
; 

loc_8D58F2:				; CODE XREF: PnpNotifyTargetDeviceChange+111j
		cmp	[ebx+0Ch], eax
		jz	loc_76391B

loc_8D58FB:				; CODE XREF: PnpNotifyTargetDeviceChange+11Bj
		mov	ecx, [ebx+28h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_763963
; 

loc_8D590D:				; CODE XREF: PnpNotifyTargetDeviceChange+156j
		mov	eax, (offset loc_4055E5+3)
		cmp	edi, eax
		jz	short loc_8D5928
		push	10h		; Length
		push	eax		; Source2
		push	edi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jnz	loc_763960

loc_8D5928:				; CODE XREF: PnpNotifyTargetDeviceChange+172110j
		mov	ecx, [ebp+var_38]
		test	ecx, ecx
		jz	short loc_8D5934
		mov	eax, [ebx+1Ch]
		mov	[ecx], eax

loc_8D5934:				; CODE XREF: PnpNotifyTargetDeviceChange+172129j
		mov	esi, offset _GUID_TARGET_DEVICE_REMOVE_CANCELLED
		mov	[ebp+var_38], ebx
		lea	edi, [ebp+var_18]
		mov	ecx, offset _PnpTargetDeviceNotifyLock
		movsd
		movsd
		movsd
		movsd
		call	@KeAcquireGuardedMutex@4 ; KeAcquireGuardedMutex(x)

loc_8D594D:				; CODE XREF: PnpNotifyTargetDeviceChange+1721D9j
		or	esi, 0FFFFFFFFh
		mov	edi, ebx
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		push	eax
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		cmp	[ebx+0Ch], eax
		jz	short loc_8D596C
		mov	ecx, [ebp+var_30]
		call	_IopGetSessionIdFromPDO@4 ; IopGetSessionIdFromPDO(x)
		mov	esi, eax

loc_8D596C:				; CODE XREF: PnpNotifyTargetDeviceChange+17215Cj
		inc	word ptr [ebx+20h]
		mov	ecx, offset _PnpTargetDeviceNotifyLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	dword ptr [ebx+28h]
		call	ExAcquireResourceExclusiveLite
		cmp	esi, 0FFFFFFFFh
		jz	short loc_8D5993
		cmp	[ebx+0Ch], esi
		jnz	short loc_8D59AB

loc_8D5993:				; CODE XREF: PnpNotifyTargetDeviceChange+172188j
		cmp	byte ptr [ebx+22h], 0
		jnz	short loc_8D59AB
		mov	eax, [ebx+2Ch]
		lea	edx, [ebp+var_1C]
		push	0
		mov	ecx, ebx
		mov	[ebp+var_8], eax
		call	PnpNotifyDriverCallback

loc_8D59AB:				; CODE XREF: PnpNotifyTargetDeviceChange+17218Dj
					; PnpNotifyTargetDeviceChange+172193j
		mov	ecx, [ebx+28h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, offset _PnpTargetDeviceNotifyLock
		call	@KeAcquireGuardedMutex@4 ; KeAcquireGuardedMutex(x)
		mov	ebx, [ebx+4]
		mov	ecx, edi
		call	_PnpDereferenceNotify@4	; PnpDereferenceNotify(x)
		mov	eax, [ebp+var_38]
		cmp	edi, eax
		jnz	short loc_8D59DA
		mov	ecx, eax
		call	_PnpDereferenceNotify@4	; PnpDereferenceNotify(x)

loc_8D59DA:				; CODE XREF: PnpNotifyTargetDeviceChange+1721CDj
		cmp	ebx, [ebp+var_2C]
		jnz	loc_8D594D
		mov	esi, [ebp+var_24]
		jmp	loc_7638AE
; END OF FUNCTION CHUNK	FOR PnpNotifyTargetDeviceChange
; 
; START	OF FUNCTION CHUNK FOR PiUEventCacheObjectProperties

loc_8D59EB:				; CODE XREF: PiUEventCacheObjectProperties+14Fj
		mov	esi, [ebp+var_10]
		push	59706E50h
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0
		jmp	loc_763A51
; END OF FUNCTION CHUNK	FOR PiUEventCacheObjectProperties
; 

loc_8D5A02:				; CODE XREF: PAGE:00763B45j
		mov	edi, 0C0000189h
		jmp	loc_763C98
; 

loc_8D5A0C:				; CODE XREF: PAGE:00763CBCj
		lea	ecx, [ebx+6Ch]
		call	_PiUEventSendDeviceInstallNotification@4 ; PiUEventSendDeviceInstallNotification(x)
		jmp	loc_763B55
; 

loc_8D5A19:				; CODE XREF: PAGE:00763BCCj
		mov	eax, [ebx+1Ch]
		mov	ecx, esi
		mov	[esi+10h], eax
		mov	eax, [ebx+20h]
		mov	[esi+14h], eax
		call	_PiUEventInitializeVeto@4 ; PiUEventInitializeVeto(x)
		jmp	short loc_8D5A43
; 

loc_8D5A2E:				; CODE XREF: PAGE:00763BD7j
		and	[ecx], edi
		jmp	loc_763BDD
; 

loc_8D5A35:				; CODE XREF: PAGE:00763BE2j
		mov	eax, [ecx+4]
		xor	ecx, ecx
		mov	[eax], cx
		mov	eax, [ebx+20h]
		mov	[eax], cx

loc_8D5A43:				; CODE XREF: PAGE:008D5A2Cj
		mov	al, [ebp-2]
		jmp	loc_763BE8
; 

loc_8D5A4B:				; CODE XREF: PAGE:00763BEBj
					; PAGE:00763BF3j
		push	59706E50h
		push	10h
		push	200h
		mov	byte ptr [ebp-1], 1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+0Ch], eax
		test	eax, eax
		jz	short loc_8D5AB1
		push	0
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, esi
		call	_PiUEventReferenceEventEntry@4 ; PiUEventReferenceEventEntry(x)
		jmp	loc_763BF9
; 

loc_8D5A7D:				; CODE XREF: PAGE:00763C74j
		mov	ebx, offset _PiUEventUsermodeEventQueueLock
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	edx, [esi]
		cmp	[edx+4], esi
		jnz	loc_763CC1
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_763CC1
		mov	[eax], edx
		mov	ecx, ebx
		mov	[edx+4], eax
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	byte ptr [ebp-1], 0
		jz	short loc_8D5ABD

loc_8D5AB1:				; CODE XREF: PAGE:008D5A65j
		cmp	[esi+0Ch], edi
		jz	short loc_8D5ABD
		mov	ecx, esi
		call	PiUEventDereferenceEventEntry

loc_8D5ABD:				; CODE XREF: PAGE:00763BB0j
					; PAGE:008D5AAFj ...
		mov	ecx, esi
		call	_PiUEventFreeEventEntry@4 ; PiUEventFreeEventEntry(x)

loc_8D5AC4:				; CODE XREF: PAGE:00763B86j
		mov	edi, 0C000009Ah
		jmp	loc_763C98
; 

loc_8D5ACE:				; CODE XREF: PAGE:00763C92j
		mov	eax, [esi+0Ch]
		xor	ecx, ecx
		or	dword ptr [ebp-0Ch], 0FFFFFFFFh
		push	ecx
		mov	[ebp-14h], eax
		lea	eax, [ebp-10h]
		push	eax
		push	1
		push	ecx
		push	ecx
		push	1
		lea	eax, [ebp-18h]
		mov	dword ptr [ebp-18h], offset _PnpShutdownEvent
		push	eax
		push	2
		mov	dword ptr [ebp-10h], 0EE1E5D00h
		call	KeWaitForMultipleObjects
		mov	edi, eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		mov	[ebp-8], eax
		lea	eax, [ebp-8]
		push	4
		push	eax
		push	offset _WNF_PNPB_AWAITING_RESPONSE
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		test	edi, edi
		jnz	short loc_8D5B24
		mov	edi, 0C0000189h
		jmp	short loc_8D5B52
; 

loc_8D5B24:				; CODE XREF: PAGE:008D5B1Bj
		cmp	edi, 1
		jnz	short loc_8D5B42
		cmp	byte ptr [ebp-2], 0
		jz	short loc_8D5B3E
		mov	eax, [ebx+1Ch]
		cmp	dword ptr [eax], 0
		jz	short loc_8D5B3E
		mov	edi, 0C0000120h
		jmp	short loc_8D5B52
; 

loc_8D5B3E:				; CODE XREF: PAGE:008D5B2Dj
					; PAGE:008D5B35j
		xor	edi, edi
		jmp	short loc_8D5B52
; 

loc_8D5B42:				; CODE XREF: PAGE:008D5B27j
		sub	edi, 102h
		neg	edi
		sbb	edi, edi
		and	edi, 0C0000001h

loc_8D5B52:				; CODE XREF: PAGE:008D5B22j
					; PAGE:008D5B3Cj ...
		mov	ebx, offset _PiUEventUsermodeEventQueueLock
		mov	ecx, ebx
		call	ExAcquireFastMutex
		and	dword ptr [esi+10h], 0
		mov	ecx, ebx
		and	dword ptr [esi+14h], 0
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, esi
		call	PiUEventDereferenceEventEntry
		jmp	loc_763C98
; 
; START	OF FUNCTION CHUNK FOR PnpCompleteDeviceEvent

loc_8D5B79:				; CODE XREF: PnpCompleteDeviceEvent+27j
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_763D02
; 

loc_8D5B8B:				; CODE XREF: PnpCompleteDeviceEvent+171EC3j
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	eax, [esi+30h]

loc_8D5B9B:				; CODE XREF: PnpCompleteDeviceEvent+32j
		xor	ecx, ecx
		add	eax, 28h
		inc	ecx
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_8D5B8B
		jmp	loc_763D1A
; 

loc_8D5BAC:				; CODE XREF: PnpCompleteDeviceEvent+47j
		cmp	byte ptr [eax+2Ch], 0
		jz	loc_763D2F

loc_8D5BB6:				; CODE XREF: PnpCompleteDeviceEvent+3Cj
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	loc_763D4B
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_763D4B
; 

loc_8D5BCE:				; CODE XREF: PnpCompleteDeviceEvent+54j
		mov	ecx, [ebp+var_4]
		push	0
		push	0
		mov	[eax], ecx
		push	dword ptr [esi+10h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_763D44
; 

loc_8D5BE4:				; CODE XREF: PnpCompleteDeviceEvent+5Cj
		cmp	dword ptr [esi+58h], 1
		jnz	loc_763D44
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx
		jmp	loc_763D44
; 

loc_8D5BF8:				; CODE XREF: PnpCompleteDeviceEvent+7Aj
		mov	eax, edi
		lock xadd [ecx+24h], eax
		jnz	loc_763D62
		push	ebx
		push	dword ptr [esi+30h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_763D62
; END OF FUNCTION CHUNK	FOR PnpCompleteDeviceEvent
; 

loc_8D5C13:				; CODE XREF: PAGE:00763DE3j
		mov	esi, offset _PnpNotificationInProgressLock
		mov	ecx, esi
		call	ExAcquireFastMutex
		push	ebx
		push	ebx
		push	offset _PnpEventQueueEmpty
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, esi
		mov	ds:_PnpNotificationInProgress, bl
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	_PnpDeviceEventThread, ebx
		jmp	loc_763F4A
; 

loc_8D5C43:				; CODE XREF: PAGE:00763F6Fj
		mov	esi, 0C000000Eh
		jmp	loc_763E60
; 

loc_8D5C4D:				; CODE XREF: PAGE:00763E67j
		xor	ecx, ecx
		mov	edx, offset _PnpDeviceActionThread
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	loc_763E6D
		mov	esi, 0C0000189h
		jmp	loc_763E6D
; 

loc_8D5C6C:				; CODE XREF: PAGE:00763E8Aj
					; DATA XREF: PAGE:off_763FE0o
		mov	ecx, ebx	; case 0x0
		call	PiUEventNotifyUserMode
		mov	esi, eax
		test	esi, esi
		js	loc_763EA0	; case 0x6
		push	dword ptr [ebx+20h]
		mov	edx, [ebx+1Ch]
		lea	ecx, [ebx+48h]
		call	_PnpNotifyHwProfileChange@12 ; PnpNotifyHwProfileChange(x,x,x)
		jmp	loc_763EA0	; case 0x6
; 

loc_8D5C90:				; CODE XREF: PAGE:00763E84j
					; PAGE:00763E8Aj
					; DATA XREF: ...
		mov	esi, 0C0000001h	; default
		jmp	loc_763EA0	; case 0x6

;  S U B	R O U T	I N E 


sub_8D5C9A	proc near		; CODE XREF: PnpCancelWatchdog+21j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [edi+38h]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_7641D7
sub_8D5C9A	endp

; 
; START	OF FUNCTION CHUNK FOR PnpCancelWatchdog

loc_8D5CAC:				; CODE XREF: PnpCancelWatchdog+42j
		pop	edi
		mov	ecx, esi
		xor	dl, dl
		pop	esi
		pop	ebx
		jmp	_PnpWatchdogEtwWrite@8 ; PnpWatchdogEtwWrite(x,x)
; END OF FUNCTION CHUNK	FOR PnpCancelWatchdog
; 
; START	OF FUNCTION CHUNK FOR PnpWatchdogTimerAllocate

loc_8D5CB8:				; CODE XREF: PnpWatchdogTimerAllocate+22j
		cmp	[ebx+14h], esi
		jz	loc_764288
		cmp	ecx, eax
		jbe	loc_764288
		jmp	loc_764256
; END OF FUNCTION CHUNK	FOR PnpWatchdogTimerAllocate

;  S U B	R O U T	I N E 


sub_8D5CCE	proc near		; CODE XREF: WdtpAllocateTimer+3Fj
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, edi
		jmp	loc_7642DE
sub_8D5CCE	endp

; 
; START	OF FUNCTION CHUNK FOR PnpRecordBlackboxPnpEventWorkerInformation

loc_8D5CDC:				; CODE XREF: PnpRecordBlackboxPnpEventWorkerInformation+26j
		push	48h
		pop	edi
		push	4B706E50h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_764310
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	edx, [ebp+var_8]
		mov	dword ptr [esi], 1
		mov	[esi+4], edi
		mov	eax, [ebx+8]
		mov	[esi+10h], eax
		mov	eax, [ebx+44h]
		push	0
		push	2710h
		sub	ecx, [eax]
		sbb	edx, [eax+4]
		push	edx
		push	ecx
		call	__aulldiv
		mov	[esi+0Ch], eax
		xor	ecx, ecx
		mov	eax, [ebx+68h]
		mov	[esi+18h], eax
		mov	[esi+1Ch], ecx
		mov	eax, [ebx+58h]
		mov	[esi+20h], eax
		mov	eax, _PnpDeviceEventThread
		mov	[esi+30h], eax
		mov	[esi+28h], ebx
		mov	[esi+2Ch], ecx
		mov	[esi+34h], ecx
		mov	eax, _PnpDeviceActionThread
		mov	[esi+38h], eax
		mov	eax, _PnpDelayedRemoveWorkerThread
		mov	[esi+3Ch], ecx
		mov	[esi+40h], eax
		mov	[esi+44h], ecx
		jmp	loc_764312
; 

loc_8D5D70:				; CODE XREF: PnpRecordBlackboxPnpEventWorkerInformation+52j
		push	4B706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_76433C
; END OF FUNCTION CHUNK	FOR PnpRecordBlackboxPnpEventWorkerInformation
; 
; START	OF FUNCTION CHUNK FOR NtPowerInformation

loc_8D5D80:				; CODE XREF: NtPowerInformation+94Aj
		cmp	esi, 49h
		jz	short loc_8D5D93
		cmp	esi, 58h
		jz	short loc_8D5D93
		test	al, al
		jnz	short loc_8D5DAB
		jmp	loc_764C92
; 

loc_8D5D93:				; CODE XREF: NtPowerInformation+171A41j
					; NtPowerInformation+171A46j
		mov	ecx, offset ??_C@_1CC@KHNMNELN@?$AAI?$AAD?$AA_?$AAC?$AAA?$AAP?$AA_?$AAS?$AAC?$AAR?$AAE?$AAE?$AAN?$AAO?$AAF@NNGAKEGL@
		call	_PopCapabilityCheck@4 ;	PopCapabilityCheck(x)
		mov	[ebp+var_38D], al
		test	al, al
		jnz	loc_764C92

loc_8D5DAB:				; CODE XREF: NtPowerInformation+D45j
					; NtPowerInformation+11ACj ...
		mov	esi, 0C0000022h
		jmp	short loc_8D5DB7
; 

loc_8D5DB2:				; CODE XREF: NtPowerInformation+171B65j
		mov	esi, 0C0000061h

loc_8D5DB7:				; CODE XREF: NtPowerInformation+171A6Ej
					; NtPowerInformation+171A8Cj
		mov	[ebp+var_388], esi

loc_8D5DBD:				; CODE XREF: NtPowerInformation+870j
					; NtPowerInformation+939j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_8D5F21
; 

loc_8D5DC9:				; CODE XREF: NtPowerInformation+5C1j
		mov	esi, 0C00000BBh
		jmp	short loc_8D5DB7
; 

loc_8D5DD0:				; CODE XREF: NtPowerInformation+AB4j
		cmp	esi, 2
		jz	loc_76498A
		cmp	esi, 3
		jz	loc_76498A
		cmp	esi, 48h
		jz	loc_76498A
		cmp	esi, 49h
		jz	loc_76498A
		cmp	esi, 2Dh
		jz	loc_76498A
		cmp	esi, 0Bh
		jz	loc_76498A
		cmp	esi, 26h
		jz	loc_76498A
		cmp	esi, 37h
		jz	loc_76498A
		cmp	esi, 30h
		jz	loc_76498A
		cmp	esi, 3Ch
		jz	loc_76498A
		cmp	esi, 40h
		jz	loc_76498A
		cmp	esi, 39h
		jz	loc_76498A
		cmp	esi, 42h
		jz	loc_76498A
		cmp	esi, 4Bh
		jz	loc_76498A
		cmp	esi, 56h
		jz	loc_76498A
		cmp	esi, 58h
		jz	loc_76498A
		cmp	esi, 5Ah
		jz	loc_76498A
		cmp	esi, 0Ah
		jnz	short loc_8D5E7B
		mov	eax, ds:_SeCreatePagefilePrivilege
		mov	ecx, ds:dword_A94A0C
		jmp	short loc_8D5E86
; 

loc_8D5E7B:				; CODE XREF: NtPowerInformation+171B2Aj
		mov	eax, ds:_SeShutdownPrivilege
		mov	ecx, ds:dword_A949BC

loc_8D5E86:				; CODE XREF: NtPowerInformation+171B37j
		mov	[ebp+var_3B4], ecx
		mov	[ebp+var_3B8], eax
		push	[ebp+var_38C]
		push	ecx
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	loc_76498A
		jmp	loc_8D5DB2
; 

loc_8D5EAC:				; CODE XREF: NtPowerInformation+657j
					; NtPowerInformation+65Fj
		mov	byte ptr [ecx],	0
		jmp	loc_7649A7
; 

loc_8D5EB4:				; CODE XREF: NtPowerInformation+803j
		mov	esi, 0C000009Ah
		mov	[ebp+var_388], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_76487A
; END OF FUNCTION CHUNK	FOR NtPowerInformation

;  S U B	R O U T	I N E 


sub_8D5ECB	proc near		; DATA XREF: .text:006A094Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3ACh], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D5ECB	endp


;  S U B	R O U T	I N E 


sub_8D5EDC	proc near		; DATA XREF: .text:006A0950o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-3ACh]
		mov	[ebp-388h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-364h]
		mov	ebx, [ebp-384h]
		mov	cl, [ebp-37Dh]
		jmp	short loc_8D5F11
sub_8D5EDC	endp

; 
; START	OF FUNCTION CHUNK FOR NtPowerInformation

loc_8D5F06:				; CODE XREF: NtPowerInformation+10E0j
		mov	esi, 0C000009Ah
		mov	cl, [ebp+var_365]

loc_8D5F11:				; CODE XREF: sub_8D5EDC+28j
		mov	[ebp+var_365], cl
		jmp	loc_76487A
; 

loc_8D5F1C:				; CODE XREF: NtPowerInformation+F8j
					; NtPowerInformation+101j ...
		mov	esi, 0C0000022h

loc_8D5F21:				; CODE XREF: NtPowerInformation+171A82j
		mov	ebx, [ebp+var_384]
		jmp	loc_76487A
; 

loc_8D5F2C:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658BEo
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	_PopShutdownButtonPressTime, eax
		mov	dword_6C362C, edx
		jmp	loc_764A30
; 

loc_8D5F44:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:off_7657A6o ...
		test	ebx, ebx
		jnz	short loc_8D5F58
		cmp	[ebp+var_360], ebx
		jz	loc_765531
		test	ebx, ebx
		jz	short loc_8D5F7E

loc_8D5F58:				; CODE XREF: NtPowerInformation+171C04j
		mov	eax, [ebp+var_36C]
		cmp	eax, 0E8h
		jb	loc_76579B
		push	eax
		push	ebx
		xor	dl, dl
		xor	cl, cl
		call	PopApplyPolicy
		mov	esi, eax
		test	esi, esi
		js	loc_76487A

loc_8D5F7E:				; CODE XREF: NtPowerInformation+171C14j
		mov	[ebp+var_375+1], offset	unk_6C2C24
		jmp	short loc_8D5F96
; 

loc_8D5F8A:				; CODE XREF: NtPowerInformation+171D09j
		lea	eax, [ebp+var_35C]
		mov	[ebp+var_375+1], eax

loc_8D5F96:				; CODE XREF: NtPowerInformation+171C46j
		mov	[ebp+var_370], 0E8h
		jmp	loc_764A30
; 

loc_8D5FA5:				; CODE XREF: NtPowerInformation+4AAj
					; NtPowerInformation+172276j
					; DATA XREF: ...
		mov	esi, 0C0000002h
		jmp	loc_76487A
; 

loc_8D5FAF:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007657CAo
		test	ebx, ebx
		jnz	short loc_8D5FC3
		cmp	[ebp+var_360], ebx
		jz	loc_765531
		test	ebx, ebx
		jz	short loc_8D5FF6

loc_8D5FC3:				; CODE XREF: NtPowerInformation+171C6Fj
		cmp	[ebp+var_36C], 18h
		jb	loc_76579B
		mov	edx, ebx
		call	_PopApplyAdminPolicy@8 ; PopApplyAdminPolicy(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_76487A
		call	PopResetCurrentPolicies
		mov	esi, eax
		mov	edi, [ebp+var_364]
		test	esi, esi
		js	loc_76487A

loc_8D5FF6:				; CODE XREF: NtPowerInformation+171C7Fj
		mov	[ebp+var_375+1], offset	_PopAdminPolicy
		mov	[ebp+var_370], 18h
		jmp	loc_764A30
; 

loc_8D600F:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007657AEo ...
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jz	loc_765531
		cmp	[ebp+var_36C], 0E8h
		jb	loc_76579B
		lea	edx, [ebp+var_35C]
		mov	ecx, ebx
		call	PopVerifySystemPowerPolicy
		mov	esi, eax
		test	esi, esi
		js	loc_76487A
		jmp	loc_8D5F8A
; 

loc_8D6050:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007657C6o
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		mov	eax, _PopPolicy
		mov	[ebp+var_375+1], eax
		mov	[ebp+var_370], 0E8h
		jmp	loc_76482A
; 

loc_8D6080:				; CODE XREF: NtPowerInformation+8C1j
					; NtPowerInformation+8D5j
		test	byte ptr _PopSimulate, dl
		jz	loc_765531
		cmp	[ebp+var_36C], 4Ch
		jb	loc_76579B
		push	13h
		pop	ecx
		mov	esi, ebx
		mov	edi, offset _PopCapabilities
		rep movsd
		call	PopResetCurrentPolicies
		mov	esi, eax
		mov	edi, [ebp+var_364]
		test	esi, esi
		js	loc_76487A
		xor	edx, edx
		inc	edx
		jmp	loc_764C1D
; 

loc_8D60C2:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658FEo
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jz	loc_765531
		push	0
		mov	edx, [ebp+var_36C]
		mov	ecx, ebx
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_76487A
		lea	edx, [ebp+var_35C]
		mov	ecx, ebx
		call	_PopBatteryDeviceState@8 ; PopBatteryDeviceState(x,x)
		mov	esi, eax
		mov	eax, [ebp+var_364]
		mov	edi, eax
		test	esi, esi
		js	loc_76487A
		lea	ecx, [ebp+var_35C]
		mov	[ebp+var_375+1], ecx
		mov	[ebp+var_370], 34h

loc_8D6125:				; CODE XREF: NtPowerInformation+17203Fj
		mov	esi, [ebp+var_360]
		jmp	loc_764830
; 

loc_8D6130:				; CODE XREF: NtPowerInformation+E1Aj
		push	3
		mov	eax, _PopSimulate
		and	al, 40h
		movzx	ecx, al
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, offset word_6C2E24
		jmp	loc_7654AE
; 

loc_8D614D:				; CODE XREF: NtPowerInformation+E11j
		push	2
		mov	eax, _PopSimulate
		and	al, 8
		movzx	ecx, al
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, offset byte_6C2E23
		jmp	loc_7654AE
; 

loc_8D616A:				; CODE XREF: NtPowerInformation+1256j
		cmp	dword ptr [ebx], 0
		jnz	loc_765531
		jmp	loc_76559E
; 

loc_8D6178:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007657CEo
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		cmp	[ebp+var_36C], edx
		jb	loc_76579B
		push	3
		pop	ecx
		call	_PopAcquireTransitionLock@4 ; PopAcquireTransitionLock(x)
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	dl, 1
		mov	cl, [ebx]
		call	_PopEnableHiberFile@8 ;	PopEnableHiberFile(x,x)
		mov	esi, eax
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		push	3
		pop	ecx
		call	_PopReleaseTransitionLock@4 ; PopReleaseTransitionLock(x)
		jmp	loc_764A28
; 

loc_8D61C3:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765872o
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jz	loc_765531
		cmp	[ebp+var_36C], 4
		jb	loc_76579B
		push	5
		pop	ecx
		call	_PopAcquireTransitionLock@4 ; PopAcquireTransitionLock(x)
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		lea	edx, [ebp+var_3A8]
		mov	ecx, [ebx]
		call	_PopSetHiberFileSize@8 ; PopSetHiberFileSize(x,x)
		mov	esi, eax
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		push	5
		jmp	short loc_8D622D
; 

loc_8D620A:				; CODE XREF: NtPowerInformation+171F36j
		push	6
		pop	ecx
		call	_PopAcquireTransitionLock@4 ; PopAcquireTransitionLock(x)
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		lea	edx, [ebp+var_3A8]
		mov	ecx, [ebx]
		call	_PopSetHiberFileType@8 ; PopSetHiberFileType(x,x)
		mov	esi, eax
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		push	6

loc_8D622D:				; CODE XREF: NtPowerInformation+171EC6j
		pop	ecx
		call	_PopReleaseTransitionLock@4 ; PopReleaseTransitionLock(x)
		test	esi, esi
		js	loc_76487A
		lea	eax, [ebp+var_3A8]
		mov	[ebp+var_375+1], eax
		mov	[ebp+var_370], 8
		jmp	loc_764A30
; 

loc_8D6256:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076590Ao
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jz	loc_765531
		cmp	[ebp+var_36C], 4
		jb	loc_76579B
		jmp	short loc_8D620A
; 

loc_8D627A:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765802o
		test	ebx, ebx
		jnz	loc_765531
		cmp	[ebp+var_360], ebx
		jz	loc_765531
		lea	edx, [ebp+var_394]
		lea	ecx, [ebp+var_39C]
		call	PopLoggingInformation
		mov	esi, eax
		test	esi, esi
		js	loc_76487A
		mov	eax, [ebp+var_39C]
		mov	[ebp+var_375+1], eax
		mov	eax, [ebp+var_394]
		mov	[ebp+var_370], eax
		jmp	loc_764A30
; 

loc_8D62C6:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076580Ao
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		cmp	[ebp+var_37C], 0
		jnz	loc_765531
		cmp	[ebp+var_36C], 1Ch
		jb	loc_765531
		mov	ecx, [ebx+18h]
		test	ecx, ecx
		jz	loc_765531
		mov	eax, [ebx+14h]
		cmp	eax, 3
		jge	loc_765531
		test	eax, eax
		js	loc_765531
		cmp	[ebx], edx
		jz	short loc_8D6322
		mov	esi, 0C0000058h
		jmp	loc_76487A
; 

loc_8D6322:				; CODE XREF: NtPowerInformation+171FD4j
		lea	eax, [ebp+var_370]
		push	eax
		mov	edx, ecx
		push	1Ch
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_76487A
		mov	eax, [ebp+var_36C]
		cmp	eax, [ebp+var_370]
		jnb	short loc_8D6356
		mov	edi, [ebp+var_364]
		jmp	loc_765531
; 

loc_8D6356:				; CODE XREF: NtPowerInformation+172007j
		lea	eax, [ebx+1Ch]
		push	eax		; void *
		push	dword ptr [ebx+18h] ; Length
		push	dword ptr [ebx+14h] ; int
		call	_PopGetSessionId@0 ; PopGetSessionId()
		lea	ecx, [ebx+4]
		mov	edx, eax
		call	PopSetPowerSettingValue
		mov	esi, eax
		mov	eax, [ebp+var_364]
		mov	edi, eax
		test	esi, esi
		js	loc_76487A
		jmp	loc_8D6125
; 

loc_8D6386:				; CODE XREF: NtPowerInformation+B03j
					; NtPowerInformation+172129j ...
		mov	esi, 0C0000022h
		jmp	loc_76487A
; 

loc_8D6390:				; CODE XREF: NtPowerInformation+C6Cj
					; NtPowerInformation+172095j ...
		mov	esi, 0C000009Ah
		jmp	loc_76487A
; 

loc_8D639A:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765836o
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		mov	eax, dword_6C24B4
		test	eax, eax
		jz	short loc_8D6413
		cmp	dword_6C24B0, 0
		jz	short loc_8D6413
		add	eax, 8
		mov	[ebp+var_370], eax
		push	206D654Dh
		push	eax
		push	edx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_38C], eax
		test	eax, eax
		jz	short loc_8D6390
		mov	[ebp+var_375+1], eax
		mov	byte ptr [ebp+var_375],	1
		push	dword_6C24B4	; size_t
		push	dword_6C24B0	; void *
		add	eax, 8
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, dword_6C24B4
		shr	eax, 4
		mov	ecx, [ebp+var_38C]
		mov	[ecx], eax
		jmp	loc_76482A
; 

loc_8D6413:				; CODE XREF: NtPowerInformation+17206Dj
					; NtPowerInformation+172076j
		mov	esi, 0C0000225h
		jmp	loc_76487A
; 

loc_8D641D:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076583Eo
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		mov	eax, [ebp+var_36C]
		cmp	eax, 8
		jnz	short loc_8D6449
		mov	ecx, ebx
		call	_PpmSetSimulatedLoad@4 ; PpmSetSimulatedLoad(x)
		jmp	loc_764A26
; 

loc_8D6449:				; CODE XREF: NtPowerInformation+1720F9j
		cmp	eax, 4
		jnz	short loc_8D645A
		mov	ecx, ebx
		call	_PpmClearSimulatedLoad@4 ; PpmClearSimulatedLoad(x)
		jmp	loc_764A26
; 

loc_8D645A:				; CODE XREF: NtPowerInformation+17210Aj
					; NtPowerInformation+172169j ...
		mov	esi, 0C000000Dh
		jmp	loc_764A28
; 

loc_8D6464:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765866o
		cmp	_KdDebuggerEnabled, 0
		jz	loc_8D6386
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		mov	eax, [ebp+var_36C]
		cmp	eax, 0Ch
		jnz	short loc_8D6495
		xor	edx, edx
		jmp	short loc_8D649C
; 

loc_8D6495:				; CODE XREF: NtPowerInformation+17214Dj
		cmp	eax, ecx
		jnz	short loc_8D64A8
		lea	edx, [ebx+0Ch]

loc_8D649C:				; CODE XREF: NtPowerInformation+172151j
		mov	ecx, ebx
		call	_PpmParkApplyForcedMask@8 ; PpmParkApplyForcedMask(x,x)
		jmp	loc_764A26
; 

loc_8D64A8:				; CODE XREF: NtPowerInformation+172155j
		cmp	eax, 2
		jnz	short loc_8D645A
		mov	ecx, ebx
		call	_PpmParkClearForcedMask@4 ; PpmParkClearForcedMask(x)
		jmp	loc_764A26
; 

loc_8D64B9:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765842o
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		cmp	[ebp+var_36C], 0Ch
		jnz	loc_765531
		push	206D654Dh
		push	0Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax	; Length
		test	edx, edx
		jz	loc_8D6390
		mov	esi, ebx
		mov	edi, edx
		movsd
		movsd
		movsd
		mov	ecx, edx
		mov	esi, offset _PopShutdownNotificationCallback
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	loc_764A30
		push	206D654Dh
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, 0C0000001h
		jmp	loc_764874
; 

loc_8D6527:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765846o
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], 4
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jnz	loc_765531
		xor	eax, eax
		cmp	[ebx], eax
		setnz	al
		mov	[ebp+var_398], eax
		lea	eax, [ebp+var_398]
		push	eax		; void *
		push	4
		pop	edx
		mov	ecx, (offset loc_408958+4) ; int
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		jmp	loc_76482A
; 

loc_8D6570:				; CODE XREF: NtPowerInformation+131Fj
		call	_TtmCleanupCurrentSession@0 ; TtmCleanupCurrentSession()
		jmp	loc_76482A
; 

loc_8D657A:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658A6o
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], 8
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jnz	loc_765531
		call	_PopGetSessionId@0 ; PopGetSessionId()
		mov	edx, ebx
		mov	ecx, eax
		call	_PopSessionWinlogonNotification@8 ; PopSessionWinlogonNotification(x,x)
		jmp	loc_76482A
; 

loc_8D65B0:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076588Ao
		push	ecx
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jz	loc_8D5FA5
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], 1
		jnz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		mov	cl, [ebx]
		call	_PopUserPresentOverride@4 ; PopUserPresentOverride(x)
		mov	esi, eax
		test	esi, esi
		jns	loc_764A30
		jmp	loc_76487A
; 

loc_8D65F6:				; CODE XREF: NtPowerInformation+F67j
		mov	[ebp+var_334], 1
		jmp	loc_7652AF
; 

loc_8D6602:				; CODE XREF: NtPowerInformation+F7Aj
		call	_TtmInitCurrentSession@0 ; TtmInitCurrentSession()
		mov	esi, eax
		test	esi, esi
		js	loc_76487A
		call	_PopNotifySessionUserPowerRequestsPresent@0 ; PopNotifySessionUserPowerRequestsPresent()
		mov	esi, [ebp+var_360]
		jmp	loc_7652C2
; 

loc_8D6621:				; CODE XREF: NtPowerInformation+1122j
		cmp	_PopConsoleDisplayState, 0
		jnz	short loc_8D664F
		cmp	dword ptr [ebx+4], 2
		jnz	short loc_8D664F
		xor	eax, eax
		push	eax		; int
		push	eax		; int
		push	eax		; int
		push	eax		; int
		push	dword ptr [ebx]	; int
		push	dword ptr [ebx+8] ; int
		push	801h		; int
		push	0A0h		; int
		push	offset ??_C@_1DM@COFKHHLB@?$AAI?$AAn?$AAv?$AAa?$AAl?$AAi?$AAd?$AAD?$AAi?$AAs?$AAp?$AAl?$AAa?$AAy?$AAS@NNGAKEGL@	; int
		call	_DbgkWerCaptureLiveKernelDump@36 ; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)

loc_8D664F:				; CODE XREF: NtPowerInformation+1722E6j
					; NtPowerInformation+1722ECj
		cmp	_PopPlatformAoAc, 0
		jz	loc_76546A
		cmp	dword ptr [ebx+4], 2
		jz	loc_76546A
		mov	edx, [ebx+8]
		mov	cl, [ebx+0Fh]
		call	_PopProcessSessionDisplayStateChange@8 ; PopProcessSessionDisplayStateChange(x,x)
		jmp	loc_76546A
; 

loc_8D6676:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658FAo
		mov	edx, [ebx+4]
		mov	ecx, [ebx]
		cmp	byte ptr [ebx+8], 0
		jz	short loc_8D668B
		call	PoSetPowerRequestInternal
		jmp	loc_764A30
; 

loc_8D668B:				; CODE XREF: NtPowerInformation+17233Dj
		call	PoClearPowerRequestInternal
		jmp	loc_764A30
; 

loc_8D6695:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076585Ao
		test	ebx, ebx
		jnz	loc_765531
		cmp	[ebp+var_360], ebx
		jz	loc_765531
		lea	edx, [ebp+var_370]
		lea	ecx, [ebp+var_375+1]
		call	_PopGetPowerRequestListInfo@8 ;	PopGetPowerRequestListInfo(x,x)
		jmp	short loc_8D66CD
; 

loc_8D66BC:				; CODE XREF: NtPowerInformation+1723C6j
		lea	edx, [ebp+var_370]
		lea	ecx, [ebp+var_375+1]
		call	_ExGetWakeTimerList@8 ;	ExGetWakeTimerList(x,x)

loc_8D66CD:				; CODE XREF: NtPowerInformation+172378j
		mov	esi, eax
		test	esi, esi
		js	loc_76487A
		mov	byte ptr [ebp+var_375],	1
		jmp	loc_764A30
; 

loc_8D66E3:				; CODE XREF: NtPowerInformation+105Aj
		cmp	esi, 0C0000120h
		jnz	loc_76487A
		jmp	loc_764A30
; 

loc_8D66F4:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076586Eo
		test	ebx, ebx
		jnz	loc_765531
		cmp	[ebp+var_360], ebx
		jz	loc_765531
		jmp	short loc_8D66BC
; 

loc_8D670A:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765882o
		cmp	_KdDebuggerEnabled, 0
		jz	loc_8D6386
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		mov	eax, [ebp+var_36C]
		cmp	eax, 8
		jnz	short loc_8D6743
		mov	ecx, ebx
		call	_PpmSetSimulatedIdle@4 ; PpmSetSimulatedIdle(x)
		jmp	loc_764A26
; 

loc_8D6743:				; CODE XREF: NtPowerInformation+1723F3j
		cmp	eax, 4
		jnz	loc_8D645A
		mov	ecx, ebx
		call	_PpmClearSimulatedIdle@4 ; PpmClearSimulatedIdle(x)
		jmp	loc_764A26
; 

loc_8D6758:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765886o
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jz	loc_765531
		cmp	[ebp+var_36C], 8
		jnz	loc_76579B
		cmp	[ebp+var_37C], 4
		jnz	loc_76579B
		lea	eax, [ebp+var_35C]
		push	eax
		mov	edx, [ebx+4]
		mov	ecx, [ebx]
		call	_PpmParkSetLpiCap@12 ; PpmParkSetLpiCap(x,x,x)
		jmp	loc_764D20
; 

loc_8D679D:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:00765896o
		test	ebx, ebx
		jz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jnz	loc_765531
		cmp	[ebp+var_36C], 8
		jb	loc_76579B
		mov	ecx, ebx
		call	PopEnforceResiliencyScenarios
		jmp	loc_76482A
; 

loc_8D67CC:				; CODE XREF: NtPowerInformation+C25j
		cmp	[ebp+var_37C], 0
		jnz	loc_765531
		jmp	loc_764F6D
; 

loc_8D67DE:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658CAo ...
		test	ebx, ebx
		jnz	loc_765531
		cmp	[ebp+var_360], ebx
		jnz	loc_765531
		xor	ecx, ecx
		cmp	esi, 58h
		setz	cl
		dec	ecx
		and	ecx, 0FFFFFFF4h
		add	ecx, 17h
		call	_PopScreenOff@4	; PopScreenOff(x)
		xor	esi, esi
		jmp	loc_76487A
; 

loc_8D680D:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658CEo
		cmp	[ebp+var_376], 0
		jnz	loc_8D6386
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], 0Ch
		jnz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		cmp	[ebp+var_37C], 0
		jnz	loc_765531
		mov	ecx, ebx
		call	_PopPdcCsDeviceNotification@4 ;	PopPdcCsDeviceNotification(x)
		jmp	loc_764B21
; 

loc_8D6855:				; CODE XREF: NtPowerInformation+13CBj
		mov	esi, 0C0000001h
		jmp	loc_76487A
; 

loc_8D685F:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658DEo
		cmp	[ebp+var_376], dl
		jnz	loc_8D6386
		mov	esi, [ebp+var_360]
		test	esi, esi
		jnz	loc_765531
		cmp	[ebp+var_37C], esi
		jnz	loc_765531
		test	ebx, ebx
		jz	short loc_8D68A2
		cmp	[ebp+var_36C], 4
		jnz	loc_765531
		mov	ecx, ebx
		call	_PpmSetExitLatencySamplingPercentage@4 ; PpmSetExitLatencySamplingPercentage(x)
		jmp	loc_76482A
; 

loc_8D68A2:				; CODE XREF: NtPowerInformation+172545j
		call	_PpmClearExitLatencySamplingPercentage@0 ; PpmClearExitLatencySamplingPercentage()
		jmp	loc_76482A
; 

loc_8D68AC:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658DAo
		test	ebx, ebx
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jnz	loc_765531
		mov	al, _PopErrataReportingIncorrectLidState
		mov	[ebp+var_37E], al
		call	_TtmIsEnabled@0	; TtmIsEnabled()
		test	al, al
		jz	short loc_8D68EA
		call	_PopGetSessionId@0 ; PopGetSessionId()
		push	6
		pop	edx
		mov	ecx, eax
		call	_TtmNotifySessionDisplayBurst@8	; TtmNotifySessionDisplayBurst(x,x)
		jmp	loc_76482A
; 

loc_8D68EA:				; CODE XREF: NtPowerInformation+172592j
		xor	al, al
		mov	byte ptr [ebp+var_394],	al
		cmp	_PopLidOpened, al
		jnz	short loc_8D690A
		cmp	_PopConsoleExternalDisplayConnected, al
		jnz	short loc_8D690A
		mov	al, dl
		mov	byte ptr [ebp+var_394],	al

loc_8D690A:				; CODE XREF: NtPowerInformation+1725B6j
					; NtPowerInformation+1725BEj
		test	al, al
		jnz	short loc_8D6919
		push	6
		pop	edx
		push	0Ah
		pop	ecx
		call	PopEventCalloutDispatch

loc_8D6919:				; CODE XREF: NtPowerInformation+1725CAj
		cmp	[ebp+var_37E], 0
		jnz	loc_76482A
		push	[ebp+var_394]
		call	_PopDiagTraceDisplayBurstWin32kCallout@12 ; PopDiagTraceDisplayBurstWin32kCallout(x,x,x)
		jmp	loc_76482A
; 

loc_8D6936:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:007658F6o
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_360], 0
		jnz	loc_765531
		mov	ecx, [ebp+var_36C]
		cmp	ecx, 10h
		jb	loc_76579B
		movzx	eax, word ptr [ebx+0Ch]
		lea	eax, ds:0Eh[eax*2]
		cmp	ecx, eax
		jb	loc_76579B
		mov	ecx, ebx
		call	_PopThermalProcessUsermodeEvent@4 ; PopThermalProcessUsermodeEvent(x)
		jmp	loc_764A26
; 

loc_8D6979:				; CODE XREF: NtPowerInformation+6AEj
		cmp	ecx, 1000h
		jl	loc_765531
		cmp	ecx, 100Ah
		jg	loc_765531
		jmp	loc_7649F6
; 

loc_8D6996:				; CODE XREF: NtPowerInformation+6BAj
		cmp	ecx, 100Ah
		jg	loc_764A02
		push	[ebp+var_38C]
		push	ds:dword_A949BC
		push	ds:_SeShutdownPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_8D69D5
		mov	ecx, offset ??_C@_1DA@PGKGIAIP@?$AAt?$AAe?$AAr?$AAm?$AAi?$AAn?$AAa?$AAl?$AAP?$AAo?$AAw?$AAe?$AAr?$AAM?$AAa@NNGAKEGL@
		call	_PopCapabilityCheck@4 ;	PopCapabilityCheck(x)
		test	al, al
		jnz	short loc_8D69D5
		mov	esi, 0C0000061h
		jmp	loc_76487A
; 

loc_8D69D5:				; CODE XREF: NtPowerInformation+172679j
					; NtPowerInformation+172687j
		lea	eax, [ebp+var_375]
		push	eax
		lea	eax, [ebp+var_370]
		push	eax
		lea	eax, [ebp+var_375+1]
		push	eax
		push	[ebp+var_37C]
		mov	eax, [ebp+var_360]
		push	eax
		push	esi
		mov	edx, ebx
		mov	ecx, [ebp+var_398]
		call	_TtmDispatchApi@32 ; TtmDispatchApi(x,x,x,x,x,x,x,x)
		jmp	loc_764A26
; 

loc_8D6A0A:				; CODE XREF: NtPowerInformation+4AAj
					; DATA XREF: PAGE:0076590Eo
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], 4
		jb	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jnz	loc_765531
		cmp	[ebx], esi
		setnz	cl
		call	_PopUpdatePowerButtonHoldState@4 ; PopUpdatePowerButtonHoldState(x)
		jmp	loc_76482A
; 

loc_8D6A3C:				; CODE XREF: NtPowerInformation+B33j
		test	ebx, ebx
		jz	loc_765531
		cmp	[ebp+var_36C], 0B8h
		jnz	loc_765531
		mov	esi, [ebp+var_360]
		test	esi, esi
		jz	loc_765531
		mov	ecx, ebx
		call	_PopFxIsDevicePotentialDripsConstraint@4 ; PopFxIsDevicePotentialDripsConstraint(x)
		mov	byte ptr [ebp+var_35C],	al
		lea	eax, [ebp+var_35C]
		jmp	loc_7650D8
; 

loc_8D6A7A:				; CODE XREF: NtPowerInformation+507j
		mov	esi, 0C0000023h
		mov	edi, eax
		jmp	loc_76487A
; END OF FUNCTION CHUNK	FOR NtPowerInformation

;  S U B	R O U T	I N E 


sub_8D6A86	proc near		; DATA XREF: .text:006A0958o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3B0h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D6A86	endp


;  S U B	R O U T	I N E 


sub_8D6A97	proc near		; DATA XREF: .text:006A095Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-3B0h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-364h]
		mov	ebx, [ebp-384h]
		mov	al, [ebp-37Dh]
		mov	[ebp-365h], al
		jmp	loc_76487A
sub_8D6A97	endp

; 
; START	OF FUNCTION CHUNK FOR NtPowerInformation

loc_8D6AC4:				; CODE XREF: NtPowerInformation+53Fj
		push	0
		push	[ebp+var_39C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_764887
; END OF FUNCTION CHUNK	FOR NtPowerInformation
; 
; START	OF FUNCTION CHUNK FOR PopPowerInformationInternal

loc_8D6AD6:				; CODE XREF: PopPowerInformationInternal+17Bj
		call	_PopIsRunningAsLocalSystem@0 ; PopIsRunningAsLocalSystem()
		jmp	short loc_8D6AE2
; 

loc_8D6ADD:				; CODE XREF: PopPowerInformationInternal+1711A5j
		call	_EtwpCoverageUserIsAdmin@0 ; EtwpCoverageUserIsAdmin()

loc_8D6AE2:				; CODE XREF: PopPowerInformationInternal+171167j
		test	al, al
		jnz	loc_765A7D

loc_8D6AEA:				; CODE XREF: PopPowerInformationInternal+183j
					; PopPowerInformationInternal+18Cj ...
		mov	esi, 0C0000022h
		jmp	loc_765AD6
; 

loc_8D6AF4:				; CODE XREF: PopPowerInformationInternal+21Cj
					; PopPowerInformationInternal+225j ...
		call	_EtwpCoverageUserIsAdmin@0 ; EtwpCoverageUserIsAdmin()
		test	al, al
		jz	short loc_8D6AEA
		jmp	loc_765BDE
; 

loc_8D6B02:				; CODE XREF: PopPowerInformationInternal+26Dj
					; PopPowerInformationInternal+276j
		call	_PopIsRunningAsLocalSystem@0 ; PopIsRunningAsLocalSystem()
		test	al, al
		jz	short loc_8D6AEA
		jmp	loc_765BF0
; 

loc_8D6B10:				; CODE XREF: PopPowerInformationInternal+27Fj
					; PopPowerInformationInternal+3F7j
		call	_PopCheckTestsigningEnabled@0 ;	PopCheckTestsigningEnabled()
		test	al, al
		jz	short loc_8D6AEA
		jmp	short loc_8D6ADD
; 

loc_8D6B1B:				; CODE XREF: PopPowerInformationInternal+297j
		push	ecx
		push	ecx
		mov	edx, offset ??_C@_1CC@KMIMNONK@?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAm?$AAe?$AAn@NNGAKEGL@
		lea	ecx, [esp+70h+var_2C]
		call	RtlUnicodeStringInitWorker
		lea	eax, [esp+68h+var_41]
		push	eax
		lea	eax, [esp+6Ch+var_2C]
		push	eax
		push	0
		call	_RtlCapabilityCheckForSingleSessionSku@12 ; RtlCapabilityCheckForSingleSessionSku(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_765AD6
		cmp	byte ptr [esp+68h+var_41], 0
		jz	short loc_8D6AEA
		mov	esi, [esp+68h+var_4D+1]
		jmp	loc_765A7D
; 

loc_8D6B56:				; CODE XREF: PopPowerInformationInternal+4F5j
		push	ebx
		push	eax
		jmp	loc_8D7538
; 

loc_8D6B5D:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_4], 0	; case 0x1
		jz	loc_765C83
		mov	ebx, 206D654Dh
		push	ebx
		push	8
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8D704B
		mov	ecx, edi
		call	_PopS0LowPowerIdleInfo@4 ; PopS0LowPowerIdleInfo(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_8D6B94
		push	ebx
		push	edi
		jmp	loc_8D7538
; 

loc_8D6B94:				; CODE XREF: PopPowerInformationInternal+171217j
		mov	ecx, [esp+68h+var_4D+1]
		mov	[ecx], edi
		jmp	loc_765E75
; 

loc_8D6B9F:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 10h ; case	0x3
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jnz	loc_8D72A5	; default
		test	byte ptr _PopSimulate, 1
		jz	loc_8D72A5	; default
		push	dword ptr [edi+0Ch]
		xor	ecx, ecx
		push	dword ptr [edi+8]
		call	_PopUpdateSmartUserPresencePredictions@12 ; PopUpdateSmartUserPresencePredictions(x,x,x)
		jmp	loc_765AD4
; 

loc_8D6BD2:				; CODE XREF: PopPowerInformationInternal+44Fj
		call	RtlIsMultiSessionSku
		test	al, al
		jz	loc_765DC9
		mov	al, 1
		jmp	loc_765DCB
; 

loc_8D6BE6:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 0Ch ; case	0x5
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jnz	loc_8D72A5	; default
		push	dword ptr [edi+8]
		call	PoLatencySensitivityHint
		jmp	loc_765AD4
; 

loc_8D6C07:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 0Ch ; case	0x6
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jnz	loc_8D72A5	; default
		mov	cl, [edi+8]
		call	_PopNetUpdateStandbyRequest@4 ;	PopNetUpdateStandbyRequest(x)
		jmp	loc_765D57
; 

loc_8D6C28:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 14h ; case	0x13
		jnz	loc_8D72A5	; default
		cmp	[ebp+arg_4], 0
		jnz	loc_8D72A5	; default
		mov	dl, [edi+0Ch]
		mov	ecx, [edi+8]
		call	_TtmNotifySessionPowerStateChange@8 ; TtmNotifySessionPowerStateChange(x,x)
		mov	al, [edi+0Ch]
		xor	ebx, ebx
		test	al, al
		mov	byte ptr [esp+68h+var_4D], al
		setnz	bl
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	byte ptr [edi+0Dh], 0
		jz	short loc_8D6C7A
		mov	ecx, ebx
		call	_PopSetDisplayStatus@4 ; PopSetDisplayStatus(x)
		mov	ecx, ebx
		call	_PopUpdateConsoleDisplayState@4	; PopUpdateConsoleDisplayState(x)
		cmp	byte ptr [esp+68h+var_4D], 0
		jz	short loc_8D6C7A
		call	PopPowerAggregatorNotifyDisplayPoweredOn

loc_8D6C7A:				; CODE XREF: PopPowerInformationInternal+1712EAj
					; PopPowerInformationInternal+1712FFj
		push	dword ptr [edi+10h]
		cmp	byte ptr [edi+0Ch], 0
		movzx	eax, byte ptr [edi+0Dh]
		mov	edx, [edi+8]
		setz	cl
		push	eax
		call	_PopDiagTraceSessionDisplayStateChange@16 ; PopDiagTraceSessionDisplayStateChange(x,x,x,x)
		xor	esi, esi
		jmp	short loc_8D6CCA
; 

loc_8D6C95:				; CODE XREF: PopPowerInformationInternal+17192Bj
					; PopPowerInformationInternal+17193Fj
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		xor	eax, eax
		mov	edx, 80h
		push	ebx
		mov	ecx, offset _PopTimeBrokerExpirationReason
		mov	_PopTimeBrokerExpirationReason,	ax
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		mov	esi, eax
		mov	eax, [edi+88h]
		mov	_PopTimeBrokerExpirationDueTime, eax
		mov	eax, [edi+8Ch]
		mov	dword_6C359C, eax

loc_8D6CCA:				; CODE XREF: PopPowerInformationInternal+17131Fj
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		jmp	loc_765AD6
; 

loc_8D6CD4:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 4	; case 0x8
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jnz	loc_8D72A5	; default
		mov	cl, [edi+8]
		call	_PopUpdateBackgroundCoolingStatus@4 ; PopUpdateBackgroundCoolingStatus(x)
		jmp	loc_765D57
; 

loc_8D6CF5:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	_PopPlatformAoAc, 0 ; case 0x12
		jz	loc_765C57	; case 0x21
		cmp	[ebp+arg_4], 0
		jz	loc_765C83
		push	206D654Dh
		mov	ebx, 3B0h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8D704B
		mov	ecx, edi
		call	_PopQueryBootSessionStandbyActivationInfo@4 ; PopQueryBootSessionStandbyActivationInfo(x)
		mov	esi, eax
		test	esi, esi
		js	loc_765AD6
		mov	ecx, [esp+68h+var_4D+1]
		mov	[ecx], edi
		mov	ecx, [esp+68h+var_58]
		mov	[ecx], ebx
		jmp	loc_765E7F
; 

loc_8D6D4A:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 14h ; case	0x14
		jnz	loc_8D72A5	; default
		cmp	[ebp+arg_4], 0
		jnz	loc_8D72A5	; default
		movzx	eax, byte ptr [edi+10h]
		mov	edx, [edi+0Ch]
		mov	ecx, [edi+8]
		push	eax
		call	_TtmNotifySessionTerminalInput@12 ; TtmNotifySessionTerminalInput(x,x,x)
		jmp	loc_765AD4
; 

loc_8D6D73:				; CODE XREF: PopPowerInformationInternal+12Fj
		cmp	[edi+34h], dl
		jnz	short loc_8D6D94
		cmp	[edi+0Ch], edx
		jz	short loc_8D6D94
		mov	eax, [edi+18h]
		mov	_PopBsdPowerWatchdogArmed, 1
		mov	_PopBsdLastPowerWatchdogStage, eax
		jmp	loc_765AA9
; 

loc_8D6D94:				; CODE XREF: PopPowerInformationInternal+171402j
					; PopPowerInformationInternal+171407j
		mov	_PopBsdPowerWatchdogArmed, edx
		jmp	loc_765AA9
; 

loc_8D6D9F:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 8	; case 0x16
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jz	loc_765C83
		push	206D654Dh
		push	30h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8D704B
		push	30h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	esi, offset _PopBsdPhysicalPowerButtonInfoAtBoot
		jmp	short loc_8D6DEB
; 

loc_8D6DDC:				; CODE XREF: PopPowerInformationInternal+171691j
		push	30h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	esi, offset _PopFirmwareResetReason

loc_8D6DEB:				; CODE XREF: PopPowerInformationInternal+171466j
		add	esp, 0Ch
		mov	edi, ebx
		push	0Ch
		pop	ecx
		rep movsd
		mov	ecx, [esp+74h+var_58]
		mov	[ecx], ebx
		mov	ecx, [esp+10h]
		mov	dword ptr [ecx], 30h
		jmp	loc_765C6F
; 

loc_8D6E0A:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 28h ; case	0x18
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jnz	loc_8D72A5	; default
		cmp	_PopVideoHighPrecisionBrightnessEnabled, 0
		mov	esi, [edi+0Ch]
		jnz	short loc_8D6E60
		cmp	esi, 0FFFFFFFFh
		jz	short loc_8D6E69
		xor	eax, eax
		mov	_PopVideoHighPrecisionBrightnessEnabled, 1
		push	eax
		push	eax
		push	eax
		push	eax
		push	1
		push	offset _PopVideoHighPrecisionBrightnessEnabled
		push	offset _WNF_PO_BASIC_BRIGHTNESS_ENGINE_DISABLED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	ecx, offset _POP_ETW_EVENT_BASIC_BRIGHTNESS_ENGINE_OFF
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		cmp	_PopVideoHighPrecisionBrightnessEnabled, 0
		jz	short loc_8D6E69

loc_8D6E60:				; CODE XREF: PopPowerInformationInternal+1714B4j
		cmp	esi, 0FFFFFFFFh
		jz	loc_765C57	; case 0x21

loc_8D6E69:				; CODE XREF: PopPowerInformationInternal+1714B9j
					; PopPowerInformationInternal+1714EAj
		mov	eax, [edi+8]
		mov	[esp+68h+var_24], eax
		mov	eax, [edi+0Ch]
		mov	[esp+68h+var_20], eax
		mov	eax, [edi+10h]
		mov	[esp+68h+var_1C], eax
		mov	eax, [edi+14h]
		mov	[esp+68h+var_18], eax
		mov	eax, [edi+18h]
		mov	[esp+68h+var_14], eax
		mov	eax, [edi+1Ch]
		mov	[esp+68h+var_10], eax
		mov	eax, [edi+20h]
		mov	[esp+68h+var_C], eax
		mov	eax, [edi+24h]
		mov	[esp+68h+var_8], eax
		lea	eax, [esp+68h+var_24]
		push	eax
		push	20h
		pop	edx
		push	4
		pop	ecx
		call	_PopBroadcastSessionInfo@12 ; PopBroadcastSessionInfo(x,x,x)
		jmp	loc_765AD4
; 

loc_8D6EB6:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 0Ch ; case	0x19
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jnz	loc_8D72A5	; default
		cmp	byte ptr [edi+8], 0
		jz	short loc_8D6EDA
		call	_PopScreenOn@4	; PopScreenOn(x)
		jmp	loc_765AD4
; 

loc_8D6EDA:				; CODE XREF: PopPowerInformationInternal+17155Aj
		push	1Eh
		pop	ecx
		call	_PopScreenOff@4	; PopScreenOff(x)
		jmp	loc_765AD4
; 

loc_8D6EE7:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 0Ch ; case	0x1A
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jnz	loc_8D72A5	; default
		mov	ebx, offset _PpmPerfPolicyLock
		mov	ecx, ebx
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		cmp	byte ptr [edi+8], 0
		mov	eax, ds:_PpmPerfQosDisableRefcount
		jz	short loc_8D6F2B
		cmp	eax, 0FFFFFFFFh
		jnb	short loc_8D6F21
		inc	eax
		xor	esi, esi
		mov	ds:_PpmPerfQosDisableRefcount, eax
		jmp	short loc_8D6F26
; 

loc_8D6F21:				; CODE XREF: PopPowerInformationInternal+1715A1j
		mov	esi, 0C0000095h

loc_8D6F26:				; CODE XREF: PopPowerInformationInternal+1715ABj
		cmp	eax, 1
		jmp	short loc_8D6F40
; 

loc_8D6F2B:				; CODE XREF: PopPowerInformationInternal+17159Cj
		test	eax, eax
		jz	short loc_8D6F39
		dec	eax
		xor	esi, esi
		mov	ds:_PpmPerfQosDisableRefcount, eax
		jmp	short loc_8D6F3E
; 

loc_8D6F39:				; CODE XREF: PopPowerInformationInternal+1715B9j
		mov	esi, 0C00000BBh

loc_8D6F3E:				; CODE XREF: PopPowerInformationInternal+1715C3j
		test	eax, eax

loc_8D6F40:				; CODE XREF: PopPowerInformationInternal+1715B5j
		jnz	short loc_8D6F4E
		xor	cl, cl
		call	PpmPerfUpdateDomainPolicy
		jmp	loc_765AD6
; 

loc_8D6F4E:				; CODE XREF: PopPowerInformationInternal:loc_8D6F40j
		mov	ecx, ebx
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		jmp	loc_765AD6
; 

loc_8D6F5A:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 8	; case 0x1E
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jz	loc_765C83
		push	206D654Dh
		push	3
		pop	edi
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8D704B
		mov	byte ptr [ecx+2], 0
		mov	al, ds:_PpmPerfQosSupportedAndConfigured
		mov	[ecx], al
		mov	al, ds:_PpmPerfSchedulerDirectedPerfStatesSupported
		mov	[ecx+1], al
		cmp	ds:_PpmPerfQosGroupPolicyDisable, 0
		setnz	al
		mov	[ecx+2], al
		mov	[esi], ecx
		mov	ecx, [esp+68h+var_58]
		mov	[ecx], edi
		jmp	loc_765C6F
; 

loc_8D6FB5:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 0Ch ; case	0x1C
		jnz	loc_8D72A5	; default
		mov	eax, [edi+8]
		mov	ecx, offset _GUID_ADAPTIVE_INPUT_CONTROLLER_STATE ; int
		mov	[esp+68h+var_30], eax
		lea	eax, [esp+68h+var_30]
		push	eax		; void *
		push	4
		pop	edx
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		jmp	loc_765AD4
; 

loc_8D6FDD:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 8	; case 0x1D
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jz	loc_765C83
		push	206D654Dh
		push	30h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8D704B
		jmp	loc_8D6DDC
; 

loc_8D700A:				; CODE XREF: PopPowerInformationInternal+345j
		mov	eax, [edi+8]
		test	eax, eax
		jz	loc_8D72A5	; default
		push	4
		pop	ecx
		mul	ecx
		lea	ecx, [esp+68h+var_48]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_765AD6
		push	206D654Dh
		push	[esp+6Ch+var_48]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+68h+var_41+1], eax
		test	eax, eax
		jnz	loc_765CC3

loc_8D704B:				; CODE XREF: PopPowerInformationInternal+332j
					; PopPowerInformationInternal+442j ...
		mov	esi, 0C000009Ah
		jmp	loc_765AD6
; 

loc_8D7055:				; CODE XREF: PopPowerInformationInternal+361j
					; PopPowerInformationInternal+3BDj ...
		mov	esi, 0C000000Dh

loc_8D705A:				; CODE XREF: PopPowerInformationInternal+374j
		mov	edx, [esp+68h+var_41+1]
		jmp	loc_765CFC
; 

loc_8D7063:				; CODE XREF: PopPowerInformationInternal+357j
		cmp	ebx, 22h
		jnz	short loc_8D707A
		cmp	dword ptr [edi+8], 0
		jz	short loc_8D7055
		mov	ecx, edi
		call	_PopBootStatCheckIntegrity@4 ; PopBootStatCheckIntegrity(x)
		jmp	loc_765CE4
; 

loc_8D707A:				; CODE XREF: PopPowerInformationInternal+1716F2j
		cmp	ebx, 23h
		jnz	short loc_8D7089
		call	_PopBootStatRestoreDefaults@4 ;	PopBootStatRestoreDefaults(x)
		jmp	loc_765CE4
; 

loc_8D7089:				; CODE XREF: PopPowerInformationInternal+171709j
		cmp	ebx, 26h
		jnz	short loc_8D7098
		call	_PopBootStatUnlock@4 ; PopBootStatUnlock(x)
		jmp	loc_765CE4
; 

loc_8D7098:				; CODE XREF: PopPowerInformationInternal+171718j
		mov	esi, 0C00000BBh
		jmp	loc_765CE6
; 

loc_8D70A2:				; CODE XREF: PopPowerInformationInternal+380j
		mov	ecx, [esp+68h+var_4D+1]
		mov	eax, [esp+68h+var_48]
		mov	[ecx], edx
		xor	edx, edx
		mov	ecx, [esp+68h+var_58]
		mov	[ecx], eax
		mov	eax, [esp+68h+var_54]
		mov	byte ptr [eax],	1
		jmp	loc_765CFA
; 

loc_8D70C0:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		call	_PopIsRunningInVm@0 ; case 0x24
		test	al, al
		jz	loc_765C57	; case 0x21
		cmp	[ebp+arg_0], 0Ch
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jnz	loc_8D72A5	; default
		mov	cl, [edi+8]
		call	_PopEsHostStateChange@4	; PopEsHostStateChange(x)
		jmp	loc_765AD4
; 

loc_8D70EE:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 8	; case 0x25
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jz	loc_765C83
		push	206D654Dh
		push	4
		pop	ebx
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8D704B
		mov	eax, dword_6C26C4
		mov	[ecx], eax
		mov	[esi], ecx
		jmp	loc_765C69
; 

loc_8D712A:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 0Ch ; case	0x27
		jnz	loc_8D72A5	; default
		mov	cl, [edi+8]
		call	_PopUpdateWakeOnVoiceState@4 ; PopUpdateWakeOnVoiceState(x)
		jmp	loc_765D57
; 

loc_8D7141:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 10h ; case	0x28
		jnz	loc_8D72A5	; default
		cmp	dword ptr [edi+8], 0
		jnz	loc_8D72A5	; default
		cmp	byte ptr [edi+0Ch], 0
		push	7
		pop	ecx
		jz	short loc_8D7168
		call	PopDeepSleepSetDisengageReason
		jmp	loc_765AD4
; 

loc_8D7168:				; CODE XREF: PopPowerInformationInternal+1717E8j
		call	PopDeepSleepClearDisengageReason
		jmp	loc_765AD4
; 

loc_8D7172:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 0Ch ; case	0x29
		jnz	loc_8D72A5	; default
		cmp	[ebp+arg_4], 0
		jz	loc_765C83
		push	206D654Dh
		push	1
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8D704B
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_8D71B0
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_8D71B2
; 

loc_8D71B0:				; CODE XREF: PopPowerInformationInternal+17182Fj
		xor	eax, eax

loc_8D71B2:				; CODE XREF: PopPowerInformationInternal+17183Aj
		test	eax, eax
		jz	short loc_8D71C7
		mov	eax, [eax+28h]
		test	eax, eax
		jz	short loc_8D71C7
		cmp	dword ptr [eax+24h], 0
		jz	short loc_8D71C7
		mov	al, 1
		jmp	short loc_8D71D0
; 

loc_8D71C7:				; CODE XREF: PopPowerInformationInternal+171840j
					; PopPowerInformationInternal+171847j ...
		xor	al, al
		jmp	short loc_8D71D0
; 

loc_8D71CB:				; CODE XREF: PopPowerInformationInternal+171B52j
		mov	al, _PopLastBootSucceeded

loc_8D71D0:				; CODE XREF: PopPowerInformationInternal+171851j
					; PopPowerInformationInternal+171855j ...
		mov	[ecx], al
		mov	[esi], ecx
		jmp	loc_765DCF
; 

loc_8D71D9:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 8	; case 0x2A
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jz	loc_765C83
		push	206D654Dh
		push	20h
		pop	ebx
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_8D704B
		mov	esi, offset _PopBsdPowerTransitionExtensionAtBoot
		jmp	loc_765EBE
; 

loc_8D7211:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		mov	esi, [ebp+arg_0] ; case	0x2B
		cmp	esi, 0Ch
		jz	short loc_8D7222
		cmp	esi, 8
		jnz	loc_8D72A5	; default

loc_8D7222:				; CODE XREF: PopPowerInformationInternal+1718A3j
		cmp	[ebp+arg_4], 0
		jz	loc_765C83
		mov	ebx, 206D654Dh
		push	ebx
		push	8
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+68h+var_48], ecx
		test	ecx, ecx
		jz	loc_8D704B
		and	dword ptr [ecx], 0
		lea	eax, [edi+8]
		and	dword ptr [ecx+4], 0
		sub	esi, 0Ch
		neg	esi
		mov	edx, ecx
		sbb	esi, esi
		not	esi
		and	esi, eax
		mov	ecx, esi
		call	_PpmPerfGetBrandedFrequency@8 ;	PpmPerfGetBrandedFrequency(x,x)
		jmp	loc_765E61
; 

loc_8D726C:				; CODE XREF: PopPowerInformationInternal+2DDj
		lea	eax, [esp+68h+var_3C]
		mov	edx, 80h
		lea	ebx, [edi+8]
		push	eax
		mov	ecx, ebx
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_765AD6
		cmp	[esp+68h+var_3C], 0
		mov	eax, [edi+88h]
		mov	ecx, [edi+8Ch]
		jnz	short loc_8D72AF
		or	eax, ecx
		jz	loc_8D6C95

loc_8D72A5:				; CODE XREF: PopPowerInformationInternal+103j
					; PopPowerInformationInternal:loc_765A7Dj ...
		mov	esi, 0C000000Dh	; default
		jmp	loc_765AD6
; 

loc_8D72AF:				; CODE XREF: PopPowerInformationInternal+171927j
		or	eax, ecx
		jz	short loc_8D72A5 ; default
		jmp	loc_8D6C95
; 

loc_8D72B8:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 14h ; case	0x2E
		jnz	short loc_8D72A5 ; default
		cmp	[ebp+arg_4], 0
		jnz	short loc_8D72A5 ; default
		push	dword ptr [edi+0Ch]
		mov	edx, [edi+8]
		mov	ecx, [edi+10h]
		call	_PopNotifySessionUserPowerRequestAttributed@12 ; PopNotifySessionUserPowerRequestAttributed(x,x,x)
		jmp	loc_765AD4
; 

loc_8D72D7:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 14h ; case	0x2F
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jnz	short loc_8D72A5 ; default
		cmp	dword ptr [edi+4], 0
		jnz	short loc_8D7302
		movzx	eax, byte ptr [edi+10h]
		mov	edx, [edi+0Ch]
		mov	ecx, [edi+8]
		push	eax
		call	_PpmInternalProcessorIdleVeto@12 ; PpmInternalProcessorIdleVeto(x,x,x)
		jmp	loc_765D57
; 

loc_8D7302:				; CODE XREF: PopPowerInformationInternal+171977j
					; PopPowerInformationInternal+1719ACj
		mov	esi, 0C0000059h
		jmp	loc_765AD6
; 

loc_8D730C:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 10h ; case	0x30
		jb	loc_765C83
		cmp	[ebp+arg_4], 0
		jnz	short loc_8D72A5 ; default
		cmp	dword ptr [edi+4], 0
		jnz	short loc_8D7302
		mov	dl, [edi+0Ch]
		mov	ecx, [edi+8]
		call	_PpmInternalPlatformIdleVeto@8 ; PpmInternalPlatformIdleVeto(x,x)
		jmp	loc_765D57
; 

loc_8D7332:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_4], 0	; case 0x31
		jz	loc_765C83
		push	206D654Dh
		push	1
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8D704B
		call	_PopQueryPowerButtonBugcheckEnabled@0 ;	PopQueryPowerButtonBugcheckEnabled()
		jmp	loc_765DCB
; 

loc_8D735E:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_4], 0	; case 0x32
		jz	loc_765C83
		push	206D654Dh
		push	1
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8D704B
		mov	al, _PopAutoChkCausedReboot
		jmp	loc_8D71D0
; 

loc_8D738A:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 10h ; case	0x33
		jb	loc_765C83
		mov	eax, [edi+8]
		mov	_PopWakeAlarmTimeOverride, eax
		mov	eax, [edi+0Ch]
		mov	dword_6C219C, eax
		jmp	loc_765AD4
; 

loc_8D73A9:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		mov	ecx, [esp+68h+var_58] ;	case 0x35
		mov	edx, [ebp+arg_0]
		push	esi
		push	ecx
		push	edi
		mov	ecx, ebx
		call	_PopDirectedDripsUmPowerInformationInternal@20 ; PopDirectedDripsUmPowerInformationInternal(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_765AD6
		mov	ecx, [esp+68h+var_4D+1]
		cmp	dword ptr [ecx], 0
		jz	loc_765AD6
		jmp	loc_765E7F
; 

loc_8D73D6:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 10h ; case	0x3B
		jb	loc_8D72A5	; default
		push	dword ptr [edi+0Ch]
		push	dword ptr [edi+8]
		call	_PoDirectedDripsClearDeviceFlags@8 ; PoDirectedDripsClearDeviceFlags(x,x)
		jmp	loc_765D57
; 

loc_8D73F0:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_4], 0	; case 0x39
		jnz	loc_8D72A5	; default
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_PopPlRegisterPowerPlane@8 ; PopPlRegisterPowerPlane(x,x)
		jmp	loc_765D57
; 

loc_8D7409:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_4], 0	; case 0x3C
		jz	loc_765C83
		push	8
		pop	ecx
		call	_PopAcquireTransitionLock@4 ; PopAcquireTransitionLock(x)
		lea	edx, [esp+68h+var_38]
		lea	ecx, [esp+68h+var_34]
		call	_PopReadResumeContext@8	; PopReadResumeContext(x,x)
		push	8
		pop	ecx
		mov	esi, eax
		call	_PopReleaseTransitionLock@4 ; PopReleaseTransitionLock(x)
		test	esi, esi
		js	loc_765AD6
		mov	ecx, [esp+68h+var_4D+1]
		mov	eax, [esp+68h+var_38]
		mov	[ecx], eax
		mov	ecx, [esp+68h+var_58]
		mov	eax, [esp+68h+var_34]
		mov	[ecx], eax
		jmp	loc_765C6F
; 

loc_8D7453:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 0Ch ; case	0x3D
		jb	loc_8D72A5	; default
		cmp	[ebp+arg_4], 0
		jz	loc_765C83
		push	8
		pop	ecx
		call	_PopAcquireTransitionLock@4 ; PopAcquireTransitionLock(x)
		mov	ecx, [edi+8]
		xor	edx, edx
		push	esi
		inc	edx
		call	_PopReadPagesFromHiberFile@12 ;	PopReadPagesFromHiberFile(x,x,x)
		push	8
		pop	ecx
		mov	esi, eax
		call	_PopReleaseTransitionLock@4 ; PopReleaseTransitionLock(x)
		test	esi, esi
		jns	short loc_8D7495
		mov	ecx, [esp+68h+var_4D+1]
		and	dword ptr [ecx], 0
		jmp	loc_765AD6
; 

loc_8D7495:				; CODE XREF: PopPowerInformationInternal+171B13j
		mov	ecx, [esp+68h+var_58]
		mov	dword ptr [ecx], 1000h
		jmp	loc_765C6F
; 

loc_8D74A4:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_4], 0	; case 0x3E
		jz	loc_765C83
		push	206D654Dh
		push	1
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8D704B
		jmp	loc_8D71CB
; 

loc_8D74CB:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		cmp	[ebp+arg_0], 0Ch ; case	0x41
		jnz	loc_8D72A5	; default
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	loc_8D72A5	; default
		call	_PopFxClearDeviceConstraints@4 ; PopFxClearDeviceConstraints(x)
		mov	esi, eax
		test	esi, esi
		js	loc_765AD6
		jmp	loc_765AD4
; 

loc_8D74F4:				; CODE XREF: PopPowerInformationInternal:loc_765A7Dj
					; DATA XREF: PAGE:off_765EFCo
		mov	edi, [esp+68h+var_58] ;	case 0x43
		push	206D654Dh
		push	4
		pop	ebx
		and	dword ptr [edi], 0
		and	dword ptr [esi], 0
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_8D704B
		and	dword ptr [ecx], 0
		mov	eax, _PopDisableInboxPepGeneratedConstraintsOverride
		mov	[ecx], eax
		mov	[esi], ecx
		mov	[edi], ebx
		jmp	loc_765AD4
; 

loc_8D752B:				; CODE XREF: PopPowerInformationInternal+73j
					; PopPowerInformationInternal+7Cj ...
		mov	esi, 0C00000BBh
		jmp	loc_765CFC
; 

loc_8D7535:				; CODE XREF: PopPowerInformationInternal+390j
		push	0
		push	edx

loc_8D7538:				; CODE XREF: PopPowerInformationInternal+1711E4j
					; PopPowerInformationInternal+17121Bj
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_765AD6
; END OF FUNCTION CHUNK	FOR PopPowerInformationInternal
; 
; START	OF FUNCTION CHUNK FOR PopBlackBoxUpdate

loc_8D7542:				; CODE XREF: PopBlackBoxUpdate+114j
					; PopBlackBoxUpdate+11Cj
		mov	[ecx], al
		jmp	loc_76612E
; 

loc_8D7549:				; CODE XREF: PopBlackBoxUpdate+133j
		mov	eax, large fs:124h
		mov	eax, [eax+150h]
		mov	byte ptr [ebp+var_24], 61h
		mov	al, [eax+3A6h]
		mov	byte ptr [ebp+var_2C], al
		push	[ebp+var_24]
		push	[ebp+var_2C]
		call	_RtlTestProtectedAccess@8 ; RtlTestProtectedAccess(x,x)
		test	al, al
		jnz	loc_766045
		mov	esi, 0C0000022h
		jmp	loc_7660A8
; END OF FUNCTION CHUNK	FOR PopBlackBoxUpdate

;  S U B	R O U T	I N E 


sub_8D757F	proc near		; DATA XREF: .text:006A0974o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D757F	endp


;  S U B	R O U T	I N E 


sub_8D758D	proc near		; DATA XREF: .text:006A0978o
		mov	esi, [ebp-30h]
		jmp	short loc_8D75A0
; 

loc_8D7592:				; DATA XREF: .text:006A0984o
		mov	esi, [ebp-34h]
		mov	eax, [ebp-38h]
		and	dword ptr [eax+34h], 0
		and	dword ptr [eax+38h], 0

loc_8D75A0:				; CODE XREF: sub_8D758D+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7660A8
sub_8D758D	endp

; 
; START	OF FUNCTION CHUNK FOR PopBlackBoxUpdate

loc_8D75AF:				; CODE XREF: PopBlackBoxUpdate+19Ej
		mov	esi, 0C000009Ah
		jmp	loc_7660A8
; END OF FUNCTION CHUNK	FOR PopBlackBoxUpdate

;  S U B	R O U T	I N E 


sub_8D75B9	proc near		; DATA XREF: .text:006A0980o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D75B9	endp

; 
; START	OF FUNCTION CHUNK FOR PopBlackBoxUpdate

loc_8D75C7:				; CODE XREF: PopBlackBoxUpdate+B0j
		test	al, 4
		jnz	loc_7660C2
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7660C2
; END OF FUNCTION CHUNK	FOR PopBlackBoxUpdate
; 
; START	OF FUNCTION CHUNK FOR PopCapturePlatformRole

loc_8D75DB:				; CODE XREF: PopCapturePlatformRole+7j
		xor	edx, edx
		cmp	dword_6C2528, edx
		push	esi
		setnbe	dl
		mov	esi, offset _PopPlatformRole
		xor	eax, eax
		lea	ecx, [edx+1]
		lock cmpxchg [esi], ecx
		pop	esi
		test	eax, eax
		jnz	locret_7661CD
		lea	eax, [edx+1]
		retn
; END OF FUNCTION CHUNK	FOR PopCapturePlatformRole
; 
; START	OF FUNCTION CHUNK FOR PopGetSettingNotificationName

loc_8D7602:				; CODE XREF: PopGetSettingNotificationName+FEj
					; PopGetSettingNotificationName+10Dj
		mov	esi, 0C000000Dh
		jmp	loc_766274
; END OF FUNCTION CHUNK	FOR PopGetSettingNotificationName

;  S U B	R O U T	I N E 


sub_8D760C	proc near		; DATA XREF: .text:006A099Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D760C	endp


;  S U B	R O U T	I N E 


sub_8D761A	proc near		; DATA XREF: .text:006A09A0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-34h]
		jmp	loc_76626A
sub_8D761A	endp

; 
; START	OF FUNCTION CHUNK FOR PopUmpoProcessMessages

loc_8D7625:				; CODE XREF: PopUmpoProcessMessages+43j
		mov	esi, 0C000009Ah
		jmp	loc_7664EA
; END OF FUNCTION CHUNK	FOR PopUmpoProcessMessages

;  S U B	R O U T	I N E 


sub_8D762F	proc near		; CODE XREF: PopUmpoProcessMessage+E4j

arg_C		= dword	ptr  20h
arg_24		= dword	ptr  38h

		push	ebx
		push	ebx
		push	edi
		push	ebx
		lea	eax, [esp+arg_24]
		push	eax
		lea	eax, [esp+4+arg_C]
		push	eax
		push	ebx
		push	_PopAlpcServerPort
		push	offset _PopAlpcClientPort
		call	_ZwAlpcAcceptConnectPort@36 ; ZwAlpcAcceptConnectPort(x,x,x,x,x,x,x,x,x)
		jmp	loc_766548
sub_8D762F	endp

; 
; START	OF FUNCTION CHUNK FOR PopUmpoProcessMessage

loc_8D7653:				; CODE XREF: PopUmpoProcessMessage+70j
		xor	ebx, ebx
		mov	cl, 1
		mov	_PopUmpoAlpcClientConnected, bl
		call	_PopAcquireUmpoPushLock@4 ; PopAcquireUmpoPushLock(x)
		mov	esi, _PopAlpcClientPort
		xor	edx, edx
		mov	ecx, offset _PopUmpoPushLock
		mov	_PopAlpcClientPort, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	esi
		call	_ZwClose@4	; ZwClose(x)
		mov	esi, 0C0000700h
		jmp	loc_766548
; 

loc_8D768F:				; CODE XREF: PopUmpoProcessMessage+2Bj
					; PopUmpoProcessMessage+3Ej
		push	edx
		push	ebx
		push	_PopAlpcServerPort
		call	_ZwAlpcCancelMessage@12	; ZwAlpcCancelMessage(x,x,x)
		jmp	loc_766546
; END OF FUNCTION CHUNK	FOR PopUmpoProcessMessage
; 
; START	OF FUNCTION CHUNK FOR PopUmpoProcessPowerMessage

loc_8D76A1:				; CODE XREF: PopUmpoProcessPowerMessage+39j
		mov	ecx, [ecx+4]
		call	_PopIdleTriggerAdaptiveStandbyAction@4 ; PopIdleTriggerAdaptiveStandbyAction(x)
		jmp	loc_766600
; 

loc_8D76AE:				; CODE XREF: PopUmpoProcessPowerMessage+51j
		cmp	dword ptr [ecx+8], 12h
		jnz	loc_766600
		push	0
		xor	edx, edx
		push	5
		inc	edx
		pop	ecx
		call	PfPowerActionNotify
		jmp	loc_766600
; END OF FUNCTION CHUNK	FOR PopUmpoProcessPowerMessage
; 
; START	OF FUNCTION CHUNK FOR PopSetPowerSettingValue

loc_8D76CA:				; CODE XREF: PopSetPowerSettingValue+3Ej
		mov	eax, 0C000009Ah
		jmp	loc_76689F
; 

loc_8D76D4:				; CODE XREF: PopSetPowerSettingValue+252j
		mov	ebx, 0C000009Ah
		jmp	loc_76684E
; 

loc_8D76DE:				; CODE XREF: PopSetPowerSettingValue+179j
		mov	ebx, 0C000009Ah
		jmp	loc_76684B
; END OF FUNCTION CHUNK	FOR PopSetPowerSettingValue
; 
; START	OF FUNCTION CHUNK FOR PopValidatePowerSettingData

loc_8D76E8:				; CODE XREF: PopValidatePowerSettingData+70j
		cmp	_PopPlatformAoAc, 0
		jnz	loc_766C4E
		push	0Fh
		pop	ecx
		cmp	eax, ecx
		jnb	loc_766C4E
		mov	[esi], ecx
		xor	edi, edi
		jmp	loc_766C4E
; 

loc_8D7709:				; CODE XREF: PopValidatePowerSettingData+84j
		push	1Eh
		pop	ecx
		cmp	eax, ecx
		jnb	loc_766C64
		mov	[esi], ecx
		xor	edi, edi
		jmp	loc_766C64
; 

loc_8D771D:				; CODE XREF: PopValidatePowerSettingData+98j
		push	3Ch
		pop	ecx
		cmp	eax, ecx
		jnb	loc_766C7A
		mov	[esi], ecx
		xor	edi, edi
		jmp	loc_766C7A
; END OF FUNCTION CHUNK	FOR PopValidatePowerSettingData
; 
; START	OF FUNCTION CHUNK FOR PpmSetProfilePolicySetting

loc_8D7731:				; CODE XREF: PpmSetProfilePolicySetting+292j
		mov	eax, [ebp+var_34]
		cmp	eax, [ebp+var_30]
		jnz	loc_766F58
		mov	[ebp+var_19], 1
		jmp	loc_766F58
; 

loc_8D7746:				; CODE XREF: PpmSetProfilePolicySetting+120j
		movzx	ecx, _PpmProfileCount
		mov	al, bl
		mov	[ebp+var_24], ebx
		mov	[ebp+var_44], ecx
		test	ecx, ecx
		jz	short loc_8D7796
		mov	eax, _PpmProfiles
		mov	[ebp+var_28], eax

loc_8D7761:				; CODE XREF: PpmSetProfilePolicySetting+170ACEj
		push	10h		; size_t
		push	[ebp+var_2C]	; void *
		mov	[ebp+var_3C], eax
		add	eax, 8
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8D7794
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_28]
		inc	ecx
		add	eax, 228h
		mov	[ebp+var_24], ecx
		mov	[ebp+var_28], eax
		cmp	ecx, [ebp+var_44]
		jb	short loc_8D7761
		mov	al, bl
		jmp	short loc_8D7796
; 

loc_8D7794:				; CODE XREF: PpmSetProfilePolicySetting+170AB7j
		mov	al, 1

loc_8D7796:				; CODE XREF: PpmSetProfilePolicySetting+170A97j
					; PpmSetProfilePolicySetting+170AD2j
		test	al, al
		jnz	short loc_8D77D3
		test	byte ptr [edi+19h], 1
		jz	short loc_8D77AF
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		jmp	loc_766D81
; 

loc_8D77AF:				; CODE XREF: PpmSetProfilePolicySetting+170ADEj
		cmp	dword_6C2ADC, ebx
		jz	short loc_8D77BD
		mov	dword_6C2ADC, ebx

loc_8D77BD:				; CODE XREF: PpmSetProfilePolicySetting+170AF5j
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_766D81
; 

loc_8D77D3:				; CODE XREF: PpmSetProfilePolicySetting+170AD8j
		imul	eax, [ebp+var_30], 0F0h
		mov	edx, [ebp+var_3C]
		add	eax, 20h
		add	edx, eax
		mov	eax, [edi+14h]
		mov	[ebp+var_2C], eax
		imul	eax, esi
		mov	[ebp+var_44], edx
		add	eax, [edi+10h]
		add	eax, edx
		test	byte ptr [edi+19h], 4
		mov	[ebp+var_24], eax
		jz	short loc_8D7815
		test	esi, esi
		jnz	short loc_8D7815
		mov	ecx, [edx+8]
		mov	eax, [edx+0Ch]
		and	ecx, [ebp+var_38]
		and	eax, [ebp+var_20]
		or	ecx, eax
		jnz	short loc_8D7815
		xor	eax, eax
		inc	eax
		jmp	short loc_8D7817
; 

loc_8D7815:				; CODE XREF: PpmSetProfilePolicySetting+170B3Aj
					; PpmSetProfilePolicySetting+170B3Ej ...
		mov	eax, esi

loc_8D7817:				; CODE XREF: PpmSetProfilePolicySetting+170B53j
		push	[ebp+arg_8]
		mov	ecx, edi
		push	[ebp+arg_4]
		push	eax
		push	esi
		call	PpmInfoAdjustSetting
		mov	ecx, [ebp+var_44]
		mov	edx, [ebp+var_38]
		or	[ecx+esi*8], edx
		mov	edx, [ebp+var_20]
		or	[ecx+esi*8+4], edx
		test	al, al
		jz	loc_766E3C
		mov	edx, [edi]
		push	ebx
		push	[ebp+var_30]
		push	[ebp+var_2C]
		push	[ebp+var_24]
		push	esi
		mov	esi, [ebp+var_3C]
		push	dword ptr [edi+4]
		mov	cl, [esi+4]
		call	PpmEventTraceProfileSetting
		mov	eax, [ebp+var_30]
		mov	ecx, [ebp+var_34]
		cmp	[ebp+var_40], esi
		jnz	short loc_8D786C
		cmp	ecx, eax
		jnz	short loc_8D786C
		mov	[ebp+var_19], 1

loc_8D786C:				; CODE XREF: PpmSetProfilePolicySetting+170BA2j
					; PpmSetProfilePolicySetting+170BA6j
		cmp	_PpmBackgroundProfile, esi
		jz	short loc_8D7888
		cmp	_PpmMultimediaQosProfile, esi
		jz	short loc_8D7888
		cmp	_PpmEntryLevelPerfProfile, esi
		jnz	loc_766E3C

loc_8D7888:				; CODE XREF: PpmSetProfilePolicySetting+170BB2j
					; PpmSetProfilePolicySetting+170BBAj
		cmp	ecx, eax
		jnz	loc_766E3C
		mov	byte ptr [ebp+var_48], 1
		jmp	loc_766E3C
; 

loc_8D7899:				; CODE XREF: PpmSetProfilePolicySetting+32j
					; PpmSetProfilePolicySetting+3Bj
		mov	ebx, 0C000000Dh
		jmp	loc_766E49
; END OF FUNCTION CHUNK	FOR PpmSetProfilePolicySetting
; 
; START	OF FUNCTION CHUNK FOR PpmInfoAdjustSetting

loc_8D78A3:				; CODE XREF: PpmInfoAdjustSetting+6Aj
		mov	ecx, [edi+34h]
		call	_PpmPerfComputePerfReductionTolerance@4	; PpmPerfComputePerfReductionTolerance(x)
		mov	[edi+3Ch], eax
		jmp	loc_767017
; END OF FUNCTION CHUNK	FOR PpmInfoAdjustSetting
; 
; START	OF FUNCTION CHUNK FOR PpmInfoWriteData

loc_8D78B3:				; CODE XREF: PpmInfoWriteData+64j
		mov	edi, ebx
		mov	[ebp+var_8], ebx
		jmp	loc_767086
; END OF FUNCTION CHUNK	FOR PpmInfoWriteData
; 
; START	OF FUNCTION CHUNK FOR PpmInfoApplySettingUpdate

loc_8D78BD:				; CODE XREF: PpmInfoApplySettingUpdate+1Bj
		cmp	ds:_PpmPerfSchedulerDirectedPerfStatesSupported, 0
		jz	loc_76710B
		cmp	[ebp+arg_0], 0
		jnz	loc_767142
		jmp	loc_76710B
; 

loc_8D78D9:				; CODE XREF: PpmInfoApplySettingUpdate+7Bj
		push	edi
		push	edi
		mov	edx, offset _PpmApplyIdlePolicyChanges@12 ; PpmApplyIdlePolicyChanges(x,x,x)
		mov	ecx, offset _KeActiveProcessors
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		jmp	loc_767121
; END OF FUNCTION CHUNK	FOR PpmInfoApplySettingUpdate
; 
; START	OF FUNCTION CHUNK FOR ExCheckFullProcessInformationAccess

loc_8D78EF:				; CODE XREF: ExCheckFullProcessInformationAccess+2Cj
					; ExCheckFullProcessInformationAccess+41j ...
		lea	eax, [ebp+var_1]
		push	eax
		push	ds:_SeAliasAdminsSid
		push	ebx
		call	_RtlCheckTokenMembership@12 ; RtlCheckTokenMembership(x,x,x)
		test	eax, eax
		js	loc_7672A5
		cmp	byte ptr [ebp+var_1], bl
		jz	loc_7672A5
		jmp	loc_7672A0
; END OF FUNCTION CHUNK	FOR ExCheckFullProcessInformationAccess
; 
; START	OF FUNCTION CHUNK FOR IoCheckLinkShareAccess

loc_8D7915:				; CODE XREF: IoCheckLinkShareAccess+1CBj
					; IoCheckLinkShareAccess+1DEj ...
		mov	eax, 0C000000Dh
		jmp	loc_76739A
; 

loc_8D791F:				; CODE XREF: IoCheckLinkShareAccess+9Bj
		mov	bl, byte ptr [ebp+arg_4]
		mov	byte ptr [ebp+arg_0+3],	bl
		test	bl, bl
		mov	ebx, [ebp+arg_14]
		jnz	loc_7673D1
		mov	byte ptr [ebp+arg_0+3],	1
		jmp	loc_7673D1
; 

loc_8D7939:				; CODE XREF: IoCheckLinkShareAccess+112j
		test	al, al
		jnz	loc_7674D5
		mov	esi, [ebp+arg_10]
		jmp	loc_767472
; END OF FUNCTION CHUNK	FOR IoCheckLinkShareAccess
; 
; START	OF FUNCTION CHUNK FOR PfSnBeginTrace

loc_8D7949:				; CODE XREF: PfSnBeginTrace+26j
		mov	esi, 0C00000A3h
		jmp	loc_76794C
; 

loc_8D7953:				; CODE XREF: PfSnBeginTrace+46j
		mov	esi, 0C000009Ah
		jmp	loc_76794B
; 

loc_8D795D:				; CODE XREF: PfSnBeginTrace+14Cj
		mov	esi, 0C000000Dh
		jmp	loc_767947
; 

loc_8D7967:				; CODE XREF: PfSnBeginTrace+159j
		mov	[ebx+0F8h], eax
		jmp	loc_7678DD
; 

loc_8D7972:				; CODE XREF: PfSnBeginTrace+16Bj
		mov	esi, 0C000009Ah
		jmp	loc_767947
; 

loc_8D797C:				; CODE XREF: PfSnBeginTrace+1ADj
		push	eax
		mov	[ebx+12Ch], eax
		call	_PsGetThreadId@4 ; PsGetThreadId(x)
		mov	[ebx+130h], eax
		jmp	loc_767931
; END OF FUNCTION CHUNK	FOR PfSnBeginTrace
; 
; START	OF FUNCTION CHUNK FOR NtCreateTimer

loc_8D7993:				; CODE XREF: NtCreateTimer+1Ej
		mov	eax, 0C00000F2h
		jmp	loc_767AB3
; 

loc_8D799D:				; CODE XREF: NtCreateTimer+44j
		mov	ecx, eax
		jmp	loc_7679E4
; END OF FUNCTION CHUNK	FOR NtCreateTimer

;  S U B	R O U T	I N E 


sub_8D79A4	proc near		; DATA XREF: .text:006A09BCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D79A4	endp


;  S U B	R O U T	I N E 


sub_8D79B2	proc near		; DATA XREF: .text:006A09C0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_767AB3
sub_8D79B2	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateTimer

loc_8D79C4:				; CODE XREF: NtCreateTimer+136j
		mov	[ebp+arg_8], 20h
		jmp	loc_767B0B
; END OF FUNCTION CHUNK	FOR NtCreateTimer

;  S U B	R O U T	I N E 


sub_8D79D0	proc near		; DATA XREF: .text:006A09C8o
		xor	eax, eax
		inc	eax
		retn
sub_8D79D0	endp


;  S U B	R O U T	I N E 


sub_8D79D4	proc near		; DATA XREF: .text:006A09CCo
		mov	esp, [ebp-18h]
		jmp	loc_767AA9
sub_8D79D4	endp

; 
; START	OF FUNCTION CHUNK FOR ExProcessorCounterSetCallback

loc_8D79DC:				; CODE XREF: ExProcessorCounterSetCallback+B9j
		xor	ecx, ecx
		mov	[esp+2F8h+var_2E9], 0
		inc	ecx
		jmp	loc_767C20
; 

loc_8D79E9:				; CODE XREF: ExProcessorCounterSetCallback+111j
		mov	ebx, [esi+0Ch]
		cmp	ebx, ds:_KeNumberProcessors
		jb	short loc_8D79FE
		mov	eax, 0C0000225h
		jmp	loc_7687A8
; 

loc_8D79FE:				; CODE XREF: ExProcessorCounterSetCallback+16FE98j
		mov	dl, [esp+2F8h+var_2E9]
		lea	eax, [esp+2F8h+var_E8]
		mov	ecx, ds:_KiProcessorBlock[ebx*4]
		push	eax
		push	[esp+2FCh+var_2E4]
		push	[esp+300h+var_2E0]
		call	ExpQueryProcessorInformationCounters
		mov	eax, [esi+8]
		lea	ecx, [esp+2F8h+var_E8]
		mov	[esp+2F8h+var_2A0], ecx
		lea	ecx, [esp+2F8h+var_2A0]
		push	ecx
		push	1
		push	ebx
		push	eax
		push	edi
		mov	[esp+30Ch+var_29C], 0C8h
		call	_PcwAddInstance@20 ; PcwAddInstance(x,x,x,x,x)
		test	eax, eax
		js	loc_7687A8
		jmp	loc_7687BF
; 

loc_8D7A50:				; CODE XREF: ExProcessorCounterSetCallback+8Fj
		mov	edi, [esi+14h]
		mov	[esp+2F8h+var_2C0], edi
		jmp	loc_767C71
; 

loc_8D7A5C:				; CODE XREF: ExProcessorCounterSetCallback+1ACj
		or	esi, 0FFFFFFFFh
		jmp	loc_767D0F
; 

loc_8D7A64:				; CODE XREF: ExProcessorCounterSetCallback+9A8j
		mov	eax, ecx
		cdq
		mov	esi, edx
		mov	edi, eax
		push	esi
		push	edi
		push	[esp+300h+var_2D4]
		push	[esp+304h+var_2D0]
		call	__aulldiv
		push	esi
		push	edi
		push	[esp+300h+var_2CC]
		mov	[esp+304h+var_1E8], eax
		push	[esp+304h+var_2C8]
		call	__aulldiv
		push	esi
		push	edi
		push	[esp+300h+var_1DC]
		mov	[esp+304h+var_1E4], eax
		push	[esp+304h+var_1E0]
		call	__aulldiv
		push	esi
		push	edi
		push	[esp+300h+var_1D4]
		mov	[esp+304h+var_1E0], eax
		push	[esp+304h+var_1D8]
		mov	[esp+308h+var_1DC], edx
		call	__aulldiv
		push	esi
		push	edi
		push	[esp+300h+var_1B4]
		mov	[esp+304h+var_1D8], eax
		push	[esp+304h+var_1B8]
		mov	[esp+308h+var_1D4], edx
		call	__aulldiv
		mov	ecx, [esp+2F8h+var_2C4]
		mov	[esp+2F8h+var_1B8], eax
		mov	[esp+2F8h+var_1B4], edx
		jmp	loc_768508
; 

loc_8D7B09:				; CODE XREF: ExProcessorCounterSetCallback+9B3j
		mov	eax, [esp+2F8h+var_1C0]
		xor	edx, edx
		div	ecx
		mov	[esp+2F8h+var_1C0], eax
		jmp	loc_768513
; 

loc_8D7B20:				; CODE XREF: ExProcessorCounterSetCallback+BDFj
		push	0
		push	ebx
		push	[esp+300h+var_2B8]
		push	[esp+304h+var_2B4]
		call	__aulldiv
		push	0
		push	ebx
		push	[esp+300h+var_2A8]
		mov	[esp+304h+var_120], eax
		push	esi
		call	__aulldiv
		xor	esi, esi
		mov	[esp+2F8h+var_11C], eax
		push	esi
		push	ebx
		push	[esp+300h+var_114]
		push	[esp+304h+var_118]
		call	__aulldiv
		push	esi
		push	ebx
		push	[esp+300h+var_10C]
		mov	[esp+304h+var_118], eax
		push	[esp+304h+var_110]
		mov	[esp+308h+var_114], edx
		call	__aulldiv
		push	esi
		push	ebx
		push	[esp+300h+var_EC]
		mov	[esp+304h+var_110], eax
		push	[esp+304h+var_F0]
		mov	[esp+308h+var_10C], edx
		call	__aulldiv
		mov	[esp+2F8h+var_F0], eax
		mov	[esp+2F8h+var_EC], edx
		jmp	loc_76873F
; 

loc_8D7BBB:				; CODE XREF: ExProcessorCounterSetCallback+BEAj
		mov	eax, [esp+2F8h+var_F8]
		xor	edx, edx
		div	ebx
		mov	[esp+2F8h+var_F8], eax
		jmp	loc_76874A
; END OF FUNCTION CHUNK	FOR ExProcessorCounterSetCallback
; 
; START	OF FUNCTION CHUNK FOR ExpQueryProcessorInformationCounters

loc_8D7BD2:				; CODE XREF: ExpQueryProcessorInformationCounters+5Aj
		mov	ebx, [ebp+var_74]
		mov	eax, edx
		mov	ecx, edx
		xor	esi, esi
		mov	[ebx], edx
		mov	[ebx+4], edx
		mov	[ebx+48h], edx
		mov	[ebx+4Ch], edx
		mov	[ebx+50h], edx
		mov	[ebx+54h], edx
		mov	[ebx+58h], edx
		mov	[ebx+5Ch], edx
		mov	[ebx+60h], edx
		mov	[ebx+64h], edx
		mov	[ebx+68h], edx
		mov	[ebx+6Ch], edx
		mov	[ebx+70h], edx
		mov	[ebx+74h], edx
		mov	[ebx+78h], edx
		mov	[ebx+7Ch], edx
		jmp	loc_7688D2
; 

loc_8D7C0F:				; CODE XREF: ExpQueryProcessorInformationCounters+1D0j
					; ExpQueryProcessorInformationCounters+1D8j
		push	0
		push	eax
		lea	edx, [ebp+var_A4]
		lea	ecx, [ebp+var_70]
		call	PoGetPerfStateAndParkingInfo
		jmp	loc_7689A2
; END OF FUNCTION CHUNK	FOR ExpQueryProcessorInformationCounters
; 
; START	OF FUNCTION CHUNK FOR ExpQueryNumaProcessorMap

loc_8D7C25:				; CODE XREF: ExpQueryNumaProcessorMap+19j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_8D7C2E
		mov	[eax], ecx

loc_8D7C2E:				; CODE XREF: ExpQueryNumaProcessorMap+16F1E6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_768ACB
; END OF FUNCTION CHUNK	FOR ExpQueryNumaProcessorMap

;  S U B	R O U T	I N E 


sub_8D7C3F	proc near		; DATA XREF: .text:006A09E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8D7C3F	endp


;  S U B	R O U T	I N E 


sub_8D7C4F	proc near		; DATA XREF: .text:006A09E8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_768ACB
sub_8D7C4F	endp

; 
; START	OF FUNCTION CHUNK FOR RawDispatch

loc_8D7C61:				; CODE XREF: RawDispatch+61j
		jbe	short loc_8D7C8F
		cmp	eax, 4
		jbe	loc_768B92
		cmp	eax, 5
		jnz	short loc_8D7C8F
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_RawQueryInformation@12	; RawQueryInformation(x,x,x)
		jmp	loc_768B4F
; 

loc_8D7C80:				; CODE XREF: RawDispatch+54j
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_RawSetInformation@12 ;	RawSetInformation(x,x,x)
		jmp	loc_768B4F
; 

loc_8D7C8F:				; CODE XREF: RawDispatch+AEj
					; RawDispatch+127j ...
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	22h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8D7C9A:				; CODE XREF: RawDispatch+131j
		mov	eax, 80000011h
		mov	[ebp+var_1C], eax
		mov	[esi+18h], eax
		mov	dl, 1
		mov	ecx, esi
		call	IofCompleteRequest
		jmp	loc_768B52
; 

loc_8D7CB3:				; CODE XREF: RawDispatch+14Bj
		mov	eax, 0C000026Eh
		mov	[ebp+var_1C], eax
		mov	[esi+18h], eax
		mov	dl, 1
		mov	ecx, esi
		call	IofCompleteRequest
		mov	ecx, [ebp+arg_4]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_768B52
; END OF FUNCTION CHUNK	FOR RawDispatch

;  S U B	R O U T	I N E 


sub_8D7CD4	proc near		; DATA XREF: .text:006A0A04o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		push	eax
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	eax, ecx
		retn
sub_8D7CD4	endp


;  S U B	R O U T	I N E 


sub_8D7CEE	proc near		; DATA XREF: .text:006A0A08o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-20h]
		jmp	loc_768B4F
sub_8D7CEE	endp

; 
; START	OF FUNCTION CHUNK FOR RawReadWriteDeviceControl

loc_8D7CF9:				; CODE XREF: RawReadWriteDeviceControl+22j
		cmp	cl, 1Bh
		jnz	short loc_8D7D2C
		lea	ecx, [ebx+0A0h]
		call	ExAcquireFastMutex
		dec	dword ptr [ebx+50h]
		xor	esi, esi
		cmp	[ebx+4Ch], esi
		jnz	short loc_8D7D21
		push	esi
		xor	edx, edx
		mov	ecx, ebx
		call	RawInitiateDeleteVolume
		test	al, al
		jnz	short loc_8D7D2C

loc_8D7D21:				; CODE XREF: RawReadWriteDeviceControl+16F067j
		lea	ecx, [ebx+0A0h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_8D7D2C:				; CODE XREF: RawReadWriteDeviceControl+16F052j
					; RawReadWriteDeviceControl+16F075j
		mov	esi, 0C000026Eh
		jmp	short loc_8D7D48
; 

loc_8D7D33:				; CODE XREF: RawReadWriteDeviceControl+2Bj
					; RawReadWriteDeviceControl+34j
		xor	esi, esi
		cmp	[edx+4], esi
		jnz	loc_768CE4
		mov	edx, [edx+18h]
		mov	ecx, ebx
		call	_RawEndOperation@8 ; RawEndOperation(x,x)

loc_8D7D48:				; CODE XREF: RawReadWriteDeviceControl+16F087j
		mov	dl, 1
		mov	[edi+18h], esi
		mov	ecx, edi
		call	IofCompleteRequest
		mov	eax, esi
		jmp	loc_768D14
; END OF FUNCTION CHUNK	FOR RawReadWriteDeviceControl
; 
; START	OF FUNCTION CHUNK FOR RawCleanup

loc_8D7D5B:				; CODE XREF: RawCleanup+38j
		and	dword ptr [esi+48h], 0FFFFFFFEh
		and	dword ptr [esi+98h], 0
		mov	eax, [edi+18h]
		mov	[ebp+var_1], 1
		jmp	loc_768D5A
; 

loc_8D7D72:				; CODE XREF: RawCleanup+44j
		and	dword ptr [esi+94h], 0
		xor	edx, edx
		push	0
		inc	edx
		mov	ecx, esi
		call	RawInitiateDeleteVolume
		jmp	loc_768D66
; 

loc_8D7D8A:				; CODE XREF: RawCleanup+59j
		push	5
		push	dword ptr [edi+18h]
		call	_FsRtlNotifyVolumeEvent@8 ; FsRtlNotifyVolumeEvent(x,x)
		jmp	loc_768D7B
; END OF FUNCTION CHUNK	FOR RawCleanup
; 
; START	OF FUNCTION CHUNK FOR RawCreate

loc_8D7D99:				; CODE XREF: RawCreate+5Bj
		mov	edi, 0C0000022h
		jmp	short loc_8D7DA5
; 

loc_8D7DA0:				; CODE XREF: RawCreate+63j
		mov	edi, 0C000026Eh

loc_8D7DA5:				; CODE XREF: RawCreate+104j
					; RawCreate+16F00Cj
		xor	eax, eax
		jmp	short loc_8D7DB0
; 

loc_8D7DA9:				; CODE XREF: RawCreate+47j
					; RawCreate+50j
		xor	eax, eax

loc_8D7DAB:				; CODE XREF: RawCreate+29j
					; RawCreate+32j
		mov	edi, 0C000000Dh

loc_8D7DB0:				; CODE XREF: RawCreate+16F015j
		mov	[ebx+1Ch], eax
		jmp	loc_768E59
; 

loc_8D7DB8:				; CODE XREF: RawCreate+CAj
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	RawInitiateDeleteVolume
		test	al, al
		jnz	loc_768E6D
		jmp	loc_768E62
; END OF FUNCTION CHUNK	FOR RawCreate
; 
; START	OF FUNCTION CHUNK FOR RawQueryVolumeInformation

loc_8D7DD0:				; CODE XREF: RawQueryVolumeInformation+65j
		sub	eax, 6
		jz	short loc_8D7DDF
		mov	esi, 0C000000Dh
		jmp	loc_768F81
; 

loc_8D7DDF:				; CODE XREF: RawQueryVolumeInformation+16EE83j
		mov	eax, [ecx+8Ch]
		push	edx
		push	dword ptr [eax+0Ch]
		call	FsRtlGetSectorSizeInformation
		mov	esi, eax
		test	esi, esi
		js	loc_768F81
		mov	eax, [ebp+var_4]
		add	eax, 0FFFFFFE4h
		mov	[ebp+arg_0], eax
		jmp	loc_768F81
; 

loc_8D7E06:				; CODE XREF: RawQueryVolumeInformation+5Cj
		lea	eax, [ebp+arg_0]
		push	eax
		push	edx
		mov	edx, [edi+18h]
		call	_RawQueryFsDeviceInfo@16 ; RawQueryFsDeviceInfo(x,x,x,x)
		jmp	loc_768F7F
; 

loc_8D7E18:				; CODE XREF: RawQueryVolumeInformation+53j
		lea	eax, [ebp+arg_0]
		push	eax
		push	edx
		mov	edx, [edi+18h]
		call	_RawQueryFsSizeInfo@16 ; RawQueryFsSizeInfo(x,x,x,x)
		jmp	loc_768F7F
; END OF FUNCTION CHUNK	FOR RawQueryVolumeInformation
; 
; START	OF FUNCTION CHUNK FOR PfSnPrefetchScenario

loc_8D7E2A:				; CODE XREF: PfSnPrefetchScenario+6Bj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_769037
; END OF FUNCTION CHUNK	FOR PfSnPrefetchScenario
; 
; START	OF FUNCTION CHUNK FOR PfSnPreallocatePrefetchHeader

loc_8D7E37:				; CODE XREF: PfSnPreallocatePrefetchHeader+29j
		mov	eax, 0C000009Ah
		jmp	loc_76913B
; END OF FUNCTION CHUNK	FOR PfSnPreallocatePrefetchHeader
; 
; START	OF FUNCTION CHUNK FOR PfSnPrefetchSections

loc_8D7E41:				; CODE XREF: PfSnPrefetchSections+45j
					; PfSnPrefetchSections+58j
		mov	esi, 0C000000Dh
		jmp	loc_769434
; END OF FUNCTION CHUNK	FOR PfSnPrefetchSections
; 
; START	OF FUNCTION CHUNK FOR PfSnLogPrefetchSectionsStop

loc_8D7E4B:				; CODE XREF: PfSnLogPrefetchSectionsStop+62j
		lea	eax, [ebp+var_94]
		push	eax
		lea	eax, [ebp+var_9C]
		push	eax
		lea	edx, [esi+50h]
		lea	ecx, [esi+10h]
		call	_PfSnBuildScenarioEventDescriptors@16 ;	PfSnBuildScenarioEventDescriptors(x,x,x,x)
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_50], ebx
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_A8]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_94]
		push	eax
		push	9
		push	ebx
		push	edi
		push	dword_6D49EC
		mov	[ebp+var_4C], ecx
		push	dword_6D49E8
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], 1
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], 8
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_7694DC
; END OF FUNCTION CHUNK	FOR PfSnLogPrefetchSectionsStop
; 
; START	OF FUNCTION CHUNK FOR PfSnLogGetReadListsStop

loc_8D7EE4:				; CODE XREF: PfSnLogGetReadListsStop+3Fj
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		lea	edx, [esi+50h]
		lea	ecx, [esi+10h]
		call	_PfSnBuildScenarioEventDescriptors@16 ;	PfSnBuildScenarioEventDescriptors(x,x,x,x)
		lea	eax, [ebp+var_44]
		push	eax
		push	4
		push	0
		push	edi
		push	dword_6D49EC
		push	dword_6D49E8
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_7695C7
; END OF FUNCTION CHUNK	FOR PfSnLogGetReadListsStop
; 
; START	OF FUNCTION CHUNK FOR PfSnLogGetReadListsStart

loc_8D7F16:				; CODE XREF: PfSnLogGetReadListsStart+44j
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		lea	edx, [esi+50h]
		lea	ecx, [esi+10h]
		call	_PfSnBuildScenarioEventDescriptors@16 ;	PfSnBuildScenarioEventDescriptors(x,x,x,x)
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_10], edi
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	edi
		push	ebx
		push	dword_6D49EC
		mov	[ebp+var_C], 4
		push	dword_6D49E8
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_769620
; END OF FUNCTION CHUNK	FOR PfSnLogGetReadListsStart
; 
; START	OF FUNCTION CHUNK FOR PfSnLogPrefetchSectionsStart

loc_8D7F5A:				; CODE XREF: PfSnLogPrefetchSectionsStart+4Aj
		lea	eax, [ebp+var_74]
		push	eax
		lea	eax, [ebp+var_7C]
		push	eax
		lea	edx, [esi+50h]
		lea	ecx, [esi+10h]
		call	_PfSnBuildScenarioEventDescriptors@16 ;	PfSnBuildScenarioEventDescriptors(x,x,x,x)
		lea	eax, [ebp+var_80]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	ebx
		push	edi
		push	dword_6D49EC
		mov	[ebp+var_2C], ecx
		push	dword_6D49E8
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], 1
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_769680
; END OF FUNCTION CHUNK	FOR PfSnLogPrefetchSectionsStart
; 
; START	OF FUNCTION CHUNK FOR PfSnGetPrefetchInstructions

loc_8D7FBF:				; CODE XREF: PfSnGetPrefetchInstructions+9Bj
		push	11h
		mov	esi, 0C000009Ah
		xor	edx, edx
		pop	eax
		mov	edi, offset unk_6D4858
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_8D7FDE
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8D7FDE:				; CODE XREF: PfSnGetPrefetchInstructions+16E8E1j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_769931
; 

loc_8D7FEF:				; CODE XREF: PfSnGetPrefetchInstructions+181j
		mov	esi, 0C000009Ah
		jmp	loc_769931
; 

loc_8D7FF9:				; CODE XREF: PfSnGetPrefetchInstructions+159j
					; PfSnGetPrefetchInstructions+161j ...
		mov	esi, 0C0000001h
		jmp	loc_769931
; 

loc_8D8003:				; CODE XREF: PfSnGetPrefetchInstructions+224j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_76991E
; END OF FUNCTION CHUNK	FOR PfSnGetPrefetchInstructions
; 
; START	OF FUNCTION CHUNK FOR PfVerifyScenarioBuffer

loc_8D8010:				; CODE XREF: PfVerifyScenarioBuffer+40j
		mov	esi, 0Ah
		jmp	loc_769D13
; 

loc_8D801A:				; CODE XREF: PfVerifyScenarioBuffer+4Cj
		mov	esi, 0Fh
		jmp	loc_769D13
; 

loc_8D8024:				; CODE XREF: PfVerifyScenarioBuffer+6Ej
		mov	esi, 19h
		jmp	loc_769D13
; 

loc_8D802E:				; CODE XREF: PfVerifyScenarioBuffer+77j
		mov	esi, 1Ah
		jmp	loc_769D13
; 

loc_8D8038:				; CODE XREF: PfVerifyScenarioBuffer+102j
		mov	esi, 25h
		jmp	loc_769D13
; 

loc_8D8042:				; CODE XREF: PfVerifyScenarioBuffer+113j
		mov	esi, 26h
		jmp	loc_769D13
; 

loc_8D804C:				; CODE XREF: PfVerifyScenarioBuffer+15Bj
		mov	esi, 2Fh
		jmp	loc_769D13
; 

loc_8D8056:				; CODE XREF: PfVerifyScenarioBuffer+19Cj
		mov	esi, 39h
		jmp	loc_769D13
; 

loc_8D8060:				; CODE XREF: PfVerifyScenarioBuffer+1D6j
		mov	esi, 48h
		jmp	loc_769D13
; 

loc_8D806A:				; CODE XREF: PfVerifyScenarioBuffer+236j
		mov	esi, 4Ch
		jmp	loc_769D13
; 

loc_8D8074:				; CODE XREF: PfVerifyScenarioBuffer+2E7j
		test	edx, edx
		jz	loc_769C3D
		mov	bl, [ebp+var_55]
		mov	esi, 98h
		jmp	loc_769D13
; 

loc_8D8089:				; CODE XREF: PfVerifyScenarioBuffer+2F5j
		cmp	ebx, 0FFFFFFFFh
		jz	loc_769C4B
		mov	bl, [ebp+var_55]
		mov	esi, 99h
		jmp	loc_769D13
; 

loc_8D809F:				; CODE XREF: PfVerifyScenarioBuffer+31Fj
		mov	bl, [ebp+var_55]
		mov	esi, 9Bh
		jmp	loc_769D13
; 

loc_8D80AC:				; CODE XREF: PfVerifyScenarioBuffer+330j
		mov	bl, [ebp+var_55]
		mov	esi, 9Dh
		jmp	loc_769D13
; 

loc_8D80B9:				; CODE XREF: PfVerifyScenarioBuffer+392j
		mov	bl, [ebp+var_55]
		mov	esi, 0A5h
		jmp	loc_769D13
; 

loc_8D80C6:				; CODE XREF: PfVerifyScenarioBuffer+3B1j
		mov	bl, [ebp+var_55]
		mov	esi, 0A7h
		jmp	loc_769D13
; 

loc_8D80D3:				; CODE XREF: PfVerifyScenarioBuffer+772j
		mov	bl, [ebp+var_55]
		mov	esi, 0AFh
		jmp	loc_769D13
; 

loc_8D80E0:				; CODE XREF: PfVerifyScenarioBuffer+375j
					; PfVerifyScenarioBuffer+37Ej
		mov	bl, [ebp+var_55]
		mov	esi, 0A0h
		jmp	loc_769D13
; 

loc_8D80ED:				; CODE XREF: PfVerifyScenarioBuffer+451j
					; PfVerifyScenarioBuffer+45Fj
		mov	bl, [ebp+var_55]
		mov	esi, 0BBh
		jmp	loc_769D13
; 

loc_8D80FA:				; CODE XREF: PfVerifyScenarioBuffer+43Aj
		mov	bl, [ebp+var_55]
		mov	esi, 0B9h
		jmp	loc_769D13
; 

loc_8D8107:				; CODE XREF: PfVerifyScenarioBuffer+2D0j
		mov	bl, [ebp+var_55]
		mov	esi, 96h
		jmp	loc_769D13
; 

loc_8D8114:				; CODE XREF: PfVerifyScenarioBuffer+2C5j
		mov	bl, [ebp+var_55]
		mov	esi, 8Ch
		jmp	loc_769D13
; 

loc_8D8121:				; CODE XREF: PfVerifyScenarioBuffer+2B6j
		mov	bl, [ebp+var_55]
		mov	esi, 78h
		jmp	loc_769D13
; 

loc_8D812E:				; CODE XREF: PfVerifyScenarioBuffer+2A5j
					; PfVerifyScenarioBuffer+2ADj
		mov	bl, [ebp+var_55]
		mov	esi, 6Eh
		jmp	loc_769D13
; 

loc_8D813B:				; CODE XREF: PfVerifyScenarioBuffer+297j
		mov	bl, [ebp+var_55]
		mov	esi, 64h
		jmp	loc_769D13
; 

loc_8D8148:				; CODE XREF: PfVerifyScenarioBuffer+28Bj
		mov	bl, [ebp+var_55]
		mov	esi, 5Ah
		jmp	loc_769D13
; 

loc_8D8155:				; CODE XREF: PfVerifyScenarioBuffer+276j
					; PfVerifyScenarioBuffer+281j
		mov	bl, [ebp+var_55]
		mov	esi, 50h
		jmp	loc_769D13
; 

loc_8D8162:				; CODE XREF: PfVerifyScenarioBuffer+26Bj
		mov	bl, [ebp+var_55]
		mov	esi, 4Dh
		jmp	loc_769D13
; 

loc_8D816F:				; CODE XREF: PfVerifyScenarioBuffer+486j
		mov	esi, 0BEh
		jmp	loc_769D13
; 

loc_8D8179:				; CODE XREF: PfVerifyScenarioBuffer+7B2j
		mov	bl, [ebp+var_55]
		mov	esi, 0C0h
		jmp	loc_769D13
; 

loc_8D8186:				; CODE XREF: PfVerifyScenarioBuffer+6E4j
		mov	bl, [ebp+var_55]
		mov	esi, 140h
		jmp	loc_769D13
; 

loc_8D8193:				; CODE XREF: PfVerifyScenarioBuffer+6D0j
					; PfVerifyScenarioBuffer+6D9j
		mov	bl, [ebp+var_55]
		mov	esi, 136h
		jmp	loc_769D13
; 

loc_8D81A0:				; CODE XREF: PfVerifyScenarioBuffer+6C1j
		mov	bl, [ebp+var_55]
		mov	esi, 12Ch
		jmp	loc_769D13
; 

loc_8D81AD:				; CODE XREF: PfVerifyScenarioBuffer+6A8j
					; PfVerifyScenarioBuffer+6B1j
		mov	bl, [ebp+var_55]
		mov	esi, 122h
		jmp	loc_769D13
; 

loc_8D81BA:				; CODE XREF: PfVerifyScenarioBuffer+693j
					; PfVerifyScenarioBuffer+69Cj
		mov	bl, [ebp+var_55]
		mov	esi, 11Dh
		jmp	loc_769D13
; 

loc_8D81C7:				; CODE XREF: PfVerifyScenarioBuffer+67Ej
		mov	bl, [ebp+var_55]
		mov	esi, 11Bh
		jmp	loc_769D13
; 

loc_8D81D4:				; CODE XREF: PfVerifyScenarioBuffer+66Cj
		mov	bl, [ebp+var_55]
		mov	esi, 119h
		jmp	loc_769D13
; 

loc_8D81E1:				; CODE XREF: PfVerifyScenarioBuffer+650j
		mov	bl, [ebp+var_55]
		mov	esi, 118h
		jmp	loc_769D13
; 

loc_8D81EE:				; CODE XREF: PfVerifyScenarioBuffer+641j
		mov	bl, [ebp+var_55]
		mov	esi, 10Eh
		jmp	loc_769D13
; 

loc_8D81FB:				; CODE XREF: PfVerifyScenarioBuffer+629j
		mov	bl, [ebp+var_55]
		mov	esi, 109h
		jmp	loc_769D13
; 

loc_8D8208:				; CODE XREF: PfVerifyScenarioBuffer+5EEj
		mov	bl, [ebp+var_55]
		mov	esi, 104h
		jmp	loc_769D13
; 

loc_8D8215:				; CODE XREF: PfVerifyScenarioBuffer+5DFj
		mov	bl, [ebp+var_55]
		mov	esi, 0FAh
		jmp	loc_769D13
; 

loc_8D8222:				; CODE XREF: PfVerifyScenarioBuffer+5CDj
					; PfVerifyScenarioBuffer+5D6j
		mov	bl, [ebp+var_55]
		mov	esi, 0F5h
		jmp	loc_769D13
; 

loc_8D822F:				; CODE XREF: PfVerifyScenarioBuffer+5C0j
		mov	bl, [ebp+var_55]
		mov	esi, 0F0h
		jmp	loc_769D13
; 

loc_8D823C:				; CODE XREF: PfVerifyScenarioBuffer+5A8j
					; PfVerifyScenarioBuffer+5B1j
		mov	bl, [ebp+var_55]
		mov	esi, 0E6h
		jmp	loc_769D13
; 

loc_8D8249:				; CODE XREF: PfVerifyScenarioBuffer+59Dj
		mov	bl, [ebp+var_55]
		mov	esi, 0E1h
		jmp	loc_769D13
; 

loc_8D8256:				; CODE XREF: PfVerifyScenarioBuffer+590j
		mov	bl, [ebp+var_55]
		mov	esi, 0DEh
		jmp	loc_769D13
; 

loc_8D8263:				; CODE XREF: PfVerifyScenarioBuffer+525j
		mov	bl, [ebp+var_55]
		mov	esi, 0DCh
		jmp	loc_769D13
; 

loc_8D8270:				; CODE XREF: PfVerifyScenarioBuffer+512j
					; PfVerifyScenarioBuffer+51Bj
		mov	bl, [ebp+var_55]
		mov	esi, 0D2h
		jmp	loc_769D13
; 

loc_8D827D:				; CODE XREF: PfVerifyScenarioBuffer+4F7j
					; PfVerifyScenarioBuffer+500j
		mov	bl, [ebp+var_55]
		mov	esi, 0C8h
		jmp	loc_769D13
; 

loc_8D828A:				; CODE XREF: PfVerifyScenarioBuffer+4EEj
		mov	bl, [ebp+var_55]
		mov	esi, 0C3h
		jmp	loc_769D13
; 

loc_8D8297:				; CODE XREF: PfVerifyScenarioBuffer+499j
		mov	ebx, [ebp+var_5C]
		jmp	loc_76A067
; 

loc_8D829F:				; CODE XREF: PfVerifyScenarioBuffer+71Aj
		mov	bl, [ebp+var_55]
		mov	esi, 14Ah
		jmp	loc_769D13
; 

loc_8D82AC:				; CODE XREF: PfVerifyScenarioBuffer+725j
		mov	bl, [ebp+var_55]
		mov	esi, 154h
		jmp	loc_769D13
; 

loc_8D82B9:				; CODE XREF: PfVerifyScenarioBuffer+733j
		mov	ecx, 1
		jmp	loc_76A08B
; 

loc_8D82C3:				; CODE XREF: PfVerifyScenarioBuffer+743j
		mov	edi, 1
		jmp	loc_76A09B
; 

loc_8D82CD:				; CODE XREF: PfVerifyScenarioBuffer+74Dj
		mov	bl, [ebp+var_55]
		mov	esi, 15Eh
		jmp	loc_769D13
; 

loc_8D82DA:				; CODE XREF: PfVerifyScenarioBuffer+763j
		mov	bl, [ebp+var_55]
		mov	esi, 168h
		jmp	loc_769D13
; 

loc_8D82E7:				; CODE XREF: PfVerifyScenarioBuffer+21Bj
					; PfVerifyScenarioBuffer+224j
		mov	esi, 4Bh
		jmp	loc_769D13
; 

loc_8D82F1:				; CODE XREF: PfVerifyScenarioBuffer+1F8j
					; PfVerifyScenarioBuffer+201j
		mov	esi, 4Ah
		jmp	loc_769D13
; 

loc_8D82FB:				; CODE XREF: PfVerifyScenarioBuffer+1DEj
					; PfVerifyScenarioBuffer+1E7j
		mov	esi, 49h
		jmp	loc_769D13
; 

loc_8D8305:				; CODE XREF: PfVerifyScenarioBuffer+1BDj
					; PfVerifyScenarioBuffer+1C6j
		mov	esi, 46h
		jmp	loc_769D13
; 

loc_8D830F:				; CODE XREF: PfVerifyScenarioBuffer+1A4j
					; PfVerifyScenarioBuffer+1AFj
		mov	esi, 3Ch
		jmp	loc_769D13
; 

loc_8D8319:				; CODE XREF: PfVerifyScenarioBuffer+17Cj
					; PfVerifyScenarioBuffer+185j
		mov	esi, 37h
		jmp	loc_769D13
; 

loc_8D8323:				; CODE XREF: PfVerifyScenarioBuffer+163j
					; PfVerifyScenarioBuffer+16Cj
		mov	esi, 32h
		jmp	loc_769D13
; 

loc_8D832D:				; CODE XREF: PfVerifyScenarioBuffer+13Fj
					; PfVerifyScenarioBuffer+148j
		mov	esi, 2Dh
		jmp	loc_769D13
; 

loc_8D8337:				; CODE XREF: PfVerifyScenarioBuffer+11Bj
					; PfVerifyScenarioBuffer+128j
		mov	esi, 28h
		jmp	loc_769D13
; 

loc_8D8341:				; CODE XREF: PfVerifyScenarioBuffer+F2j
		mov	esi, 23h
		jmp	loc_769D13
; 

loc_8D834B:				; CODE XREF: PfVerifyScenarioBuffer+D2j
					; PfVerifyScenarioBuffer+DAj ...
		mov	esi, 21h
		jmp	loc_769D13
; 

loc_8D8355:				; CODE XREF: PfVerifyScenarioBuffer+95j
					; PfVerifyScenarioBuffer+A6j ...
		mov	esi, 1Eh
		jmp	loc_769D13
; 

loc_8D835F:				; CODE XREF: PfVerifyScenarioBuffer+81j
		mov	esi, 1Bh
		jmp	loc_769D13
; 

loc_8D8369:				; CODE XREF: PfVerifyScenarioBuffer+55j
					; PfVerifyScenarioBuffer+62j
		mov	esi, 14h
		jmp	loc_769D13
; END OF FUNCTION CHUNK	FOR PfVerifyScenarioBuffer
; 
; START	OF FUNCTION CHUNK FOR PfSnLogEndTrace

loc_8D8373:				; CODE XREF: PfSnLogEndTrace+41j
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		lea	edx, [esi+4Ch]
		lea	ecx, [esi+0Ch]
		call	_PfSnBuildScenarioEventDescriptors@16 ;	PfSnBuildScenarioEventDescriptors(x,x,x,x)
		lea	eax, [esi+118h]
		mov	[ebp+var_10], edi
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	edi
		push	ebx
		push	dword_6D49EC
		mov	[ebp+var_C], 4
		push	dword_6D49E8
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_76A1BF
; END OF FUNCTION CHUNK	FOR PfSnLogEndTrace
; 
; START	OF FUNCTION CHUNK FOR PfSnBuildDumpFromTrace

loc_8D83BA:				; CODE XREF: PfSnBuildDumpFromTrace+27j
		mov	edi, 0C0000023h
		jmp	short loc_8D83C6
; 

loc_8D83C1:				; CODE XREF: PfSnBuildDumpFromTrace+34j
		mov	edi, 0C0190019h

loc_8D83C6:				; CODE XREF: PfSnBuildDumpFromTrace+16E1F1j
		xor	esi, esi
		mov	ebx, ecx
		jmp	short loc_8D83E0
; 

loc_8D83CC:				; CODE XREF: PfSnBuildDumpFromTrace+71j
		mov	ebx, [ebp+var_4]
		mov	edi, 0C000009Ah
		jmp	short loc_8D83E0
; 

loc_8D83D6:				; CODE XREF: PfSnBuildDumpFromTrace+1C8j
		mov	ebx, [ebp+var_4]
		mov	edi, 0C0000001h
		mov	esi, [ebx]

loc_8D83E0:				; CODE XREF: PfSnBuildDumpFromTrace+16E1FCj
					; PfSnBuildDumpFromTrace+16E206j
		test	esi, esi
		jz	loc_76A39E
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [ebx], 0
		jmp	loc_76A39E
; END OF FUNCTION CHUNK	FOR PfSnBuildDumpFromTrace
; 
; START	OF FUNCTION CHUNK FOR PfVerifyTraceBuffer

loc_8D83F8:				; CODE XREF: PfVerifyTraceBuffer+19j
		push	0Ah
		jmp	short loc_8D841E
; 

loc_8D83FC:				; CODE XREF: PfVerifyTraceBuffer+22j
		push	0Fh
		jmp	short loc_8D841E
; 

loc_8D8400:				; CODE XREF: PfVerifyTraceBuffer+44j
		push	17h
		jmp	short loc_8D841E
; 

loc_8D8404:				; CODE XREF: PfVerifyTraceBuffer+77j
		push	23h
		jmp	short loc_8D841E
; 

loc_8D8408:				; CODE XREF: PfVerifyTraceBuffer+87j
		push	25h
		jmp	short loc_8D841E
; 

loc_8D840C:				; CODE XREF: PfVerifyTraceBuffer+94j
		push	26h
		jmp	short loc_8D841E
; 

loc_8D8410:				; CODE XREF: PfVerifyTraceBuffer+9Cj
					; PfVerifyTraceBuffer+A7j
		push	28h
		jmp	short loc_8D841E
; 

loc_8D8414:				; CODE XREF: PfVerifyTraceBuffer+5Dj
					; PfVerifyTraceBuffer+6Ej
		push	1Eh
		jmp	short loc_8D841E
; 

loc_8D8418:				; CODE XREF: PfVerifyTraceBuffer+4Ej
		push	19h
		jmp	short loc_8D841E
; 

loc_8D841C:				; CODE XREF: PfVerifyTraceBuffer+2Bj
					; PfVerifyTraceBuffer+38j
		push	14h

loc_8D841E:				; CODE XREF: PfVerifyTraceBuffer+10Bj
					; PfVerifyTraceBuffer+112j ...
		mov	al, [ebp+var_1]
		pop	edx
		jmp	loc_76A488
; END OF FUNCTION CHUNK	FOR PfVerifyTraceBuffer
; 
; START	OF FUNCTION CHUNK FOR PfSnEndTrace

loc_8D8427:				; CODE XREF: PfSnEndTrace+46j
		mov	[esi+0E8h], eax
		mov	edx, eax
		jmp	loc_76A672
; 

loc_8D8434:				; CODE XREF: PfSnEndTrace+140j
		mov	[esi+0ECh], edi
		mov	ecx, edi
		jmp	loc_76A76C
; 

loc_8D8441:				; CODE XREF: PfSnEndTrace+14Ej
		sub	eax, edx
		add	[esi+ecx*4+0BCh], eax
		jmp	loc_76A69F
; 

loc_8D844F:				; CODE XREF: PfSnEndTrace+191j
		mov	edi, 80000022h
		jmp	loc_76A6B5
; 

loc_8D8459:				; CODE XREF: PfSnEndTrace+CEj
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_76A74B
; 

loc_8D846D:				; CODE XREF: PfSnEndTrace+266j
		xor	eax, eax
		jmp	loc_76A897
; 

loc_8D8474:				; CODE XREF: PfSnEndTrace+2ECj
		or	eax, 1
		jmp	loc_76A918
; 

loc_8D847C:				; CODE XREF: PfSnEndTrace+305j
		xor	edi, edi
		inc	edi
		jmp	loc_76A934
; 

loc_8D8484:				; CODE XREF: PfSnEndTrace+2FDj
		xor	edi, edi
		and	eax, 0FFFFFFFDh
		jmp	loc_76A970
; 

loc_8D848E:				; CODE XREF: PfSnEndTrace+34Dj
		test	al, 2
		jnz	loc_76A979
		mov	eax, [esi+7Ch]
		mov	ecx, 1388h
		add	eax, 3D8h
		xchg	ecx, [eax]
		jmp	short loc_8D84C3
; 

loc_8D84A7:				; CODE XREF: PfSnEndTrace+16DEA0j
		xor	eax, eax
		lea	edx, [esp+98h+var_80]
		inc	eax
		mov	ecx, edi
		shl	eax, cl
		mov	ecx, esi
		push	eax
		call	_PfSnAsyncPrefetchStep@12 ; PfSnAsyncPrefetchStep(x,x,x)
		test	eax, eax
		js	loc_76A979
		inc	edi

loc_8D84C3:				; CODE XREF: PfSnEndTrace+16DE7Fj
		cmp	edi, [ebx+7Ch]
		jb	short loc_8D84A7
		jmp	loc_76A979
; 

loc_8D84CD:				; CODE XREF: PfSnEndTrace+3AFj
		mov	ecx, [esi+10h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	edx, offset _PfSnEvt_SyncPrefetchingDone_Info
		mov	ecx, ebx
		call	PfSnLogAsyncWorker
		jmp	loc_76A9DB
; END OF FUNCTION CHUNK	FOR PfSnEndTrace
; 
; START	OF FUNCTION CHUNK FOR PfSnLogAsyncWorker

loc_8D84E6:				; CODE XREF: PfSnLogAsyncWorker+3Ej
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		lea	edx, [esi+50h]
		lea	ecx, [esi+10h]
		call	_PfSnBuildScenarioEventDescriptors@16 ;	PfSnBuildScenarioEventDescriptors(x,x,x,x)
		push	4
		pop	ecx
		cmp	edi, offset _PfSnEvt_AsyncWorker_Start
		jnz	short loc_8D8516
		lea	eax, [esi+7Ch]
		mov	[ebp+var_C], ecx
		push	5
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		pop	ecx

loc_8D8516:				; CODE XREF: PfSnLogAsyncWorker+16DAC6j
		lea	eax, [ebp+var_54]
		push	eax
		push	ecx
		push	ebx
		push	edi
		push	dword_6D49EC
		push	dword_6D49E8
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_76AA80
; END OF FUNCTION CHUNK	FOR PfSnLogAsyncWorker
; 
; START	OF FUNCTION CHUNK FOR PfpFlushEventBuffers

loc_8D8533:				; CODE XREF: PfpFlushEventBuffers+83j
		mov	eax, [ecx+0Ch]
		sub	eax, edi
		push	eax		; size_t
		lea	eax, [ebx+18h]
		push	edi		; void *
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch
		mov	ecx, ebx
		call	PfTFullEventListAdd
		test	esi, esi
		jz	loc_76AB6A

loc_8D8555:				; CODE XREF: PfpFlushEventBuffers+16DA20j
		mov	ecx, esi
		mov	esi, [esi]
		call	PfTFullEventListAdd
		test	esi, esi
		jnz	short loc_8D8555
		jmp	loc_76AB6A
; END OF FUNCTION CHUNK	FOR PfpFlushEventBuffers
; 
; START	OF FUNCTION CHUNK FOR PfpCopyEvent

loc_8D8567:				; CODE XREF: PfpCopyEvent+ACj
		mov	eax, 0C0000188h
		jmp	loc_76ACC7
; 

loc_8D8571:				; CODE XREF: PfpCopyEvent+F7j
		mov	eax, 0C000009Ah
		jmp	loc_76ACC7
; END OF FUNCTION CHUNK	FOR PfpCopyEvent
; 
; START	OF FUNCTION CHUNK FOR PfpFlushBuffers

loc_8D857B:				; CODE XREF: PfpFlushBuffers+2E4j
		mov	eax, [ebp+var_18]
		mov	[ebp+var_20], 0C000009Ah
		mov	[ebx+20h], eax
		jmp	loc_76AF20
; END OF FUNCTION CHUNK	FOR PfpFlushBuffers
; 
; START	OF FUNCTION CHUNK FOR PfpLogPageAccess

loc_8D858D:				; CODE XREF: PfpLogPageAccess+3A9j
		mov	[ebp+var_4], 0FFFFh
		jmp	loc_76B503
; 

loc_8D8599:				; CODE XREF: PfpLogPageAccess+41Aj
		mov	[ebp+var_8], 0FFFFh
		jmp	loc_76B591
; END OF FUNCTION CHUNK	FOR PfpLogPageAccess
; 
; START	OF FUNCTION CHUNK FOR PfTAcquireLogEntry

loc_8D85A5:				; CODE XREF: PfTAcquireLogEntry+41j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		mov	dword ptr [ecx], 0FFFFh
		jmp	loc_76B64C
; END OF FUNCTION CHUNK	FOR PfTAcquireLogEntry
; 
; START	OF FUNCTION CHUNK FOR PfTReplaceCurrentBuffer

loc_8D85B5:				; CODE XREF: PfTReplaceCurrentBuffer+6Cj
		imul	eax, edx, 14h
		lea	ecx, [esi+23h]
		and	ecx, 0FFFFFFFCh
		or	dword ptr [ecx+eax], 0FFFFFFFFh
		jmp	loc_76B691
; END OF FUNCTION CHUNK	FOR PfTReplaceCurrentBuffer
; 
; START	OF FUNCTION CHUNK FOR PfTCreateTraceDump

loc_8D85C7:				; CODE XREF: PfTCreateTraceDump+62j
		mov	esi, 0C000009Ah
		jmp	loc_76BB57
; 

loc_8D85D1:				; CODE XREF: PfTCreateTraceDump+5DDj
		mov	ecx, dword_6D42BC
		mov	[ebp+var_4], ecx
		jmp	loc_76BD33
; 

loc_8D85DF:				; CODE XREF: PfTCreateTraceDump+1D2j
		mov	esi, 0C000009Ah
		jmp	loc_76BB4D
; 

loc_8D85E9:				; CODE XREF: PfTCreateTraceDump+597j
		xor	eax, eax
		jmp	loc_76BA90
; 

loc_8D85F0:				; CODE XREF: PfTCreateTraceDump+4EEj
		lea	eax, [edi-1]
		mov	[ebp+var_8], eax
		mov	word ptr [ebp+var_5C], ax
		jmp	loc_76BACA
; 

loc_8D85FF:				; CODE XREF: PfTCreateTraceDump+554j
		lea	eax, [edi-1]
		mov	[ebp+var_8], eax
		mov	word ptr [ebp+var_5C], ax
		jmp	loc_76BAFE
; 

loc_8D860E:				; CODE XREF: PfTCreateTraceDump+28Ej
		mov	edi, [ebp+var_4]
		mov	eax, [ebp+var_40]
		jmp	loc_76BB21
; 

loc_8D8619:				; CODE XREF: PfTCreateTraceDump+256j
		mov	edi, [ebp+var_4]
		jmp	loc_76BB24
; END OF FUNCTION CHUNK	FOR PfTCreateTraceDump
; 
; START	OF FUNCTION CHUNK FOR KiSchedulerApcTerminate

loc_8D8621:				; CODE XREF: KiSchedulerApcTerminate+21j
		mov	ecx, large fs:124h
		mov	edx, [esp+8+var_4]
		mov	ecx, [ecx+80h]
		call	_PsTerminateProcess@8 ;	PsTerminateProcess(x,x)
		jmp	loc_76C153
; END OF FUNCTION CHUNK	FOR KiSchedulerApcTerminate
; 
; START	OF FUNCTION CHUNK FOR PfSnIsHostingApplication

loc_8D863C:				; CODE XREF: PfSnIsHostingApplication+AFj
					; PfSnIsHostingApplication+C2j
		add	eax, 2
		push	edi		; wchar_t *
		push	eax		; wchar_t *
		call	_wcsstr
		pop	ecx
		pop	ecx
		push	2Ch
		pop	ecx
		test	eax, eax
		jnz	loc_76C54E
		jmp	loc_76C525
; END OF FUNCTION CHUNK	FOR PfSnIsHostingApplication
; 
; START	OF FUNCTION CHUNK FOR PfSnParsePrefetchParam

loc_8D8658:				; CODE XREF: PfSnParsePrefetchParam+48j
					; PfSnParsePrefetchParam+50j
		mov	[eax], bl
		jmp	loc_76C65A
; 

loc_8D865F:				; CODE XREF: PfSnParsePrefetchParam+B9j
		mov	ebx, 0C000000Dh
		jmp	loc_76C66D
; 

loc_8D8669:				; CODE XREF: PfSnParsePrefetchParam+EFj
		mov	ebx, 0C000000Dh
		jmp	loc_76C677
; END OF FUNCTION CHUNK	FOR PfSnParsePrefetchParam

;  S U B	R O U T	I N E 


sub_8D8673	proc near		; DATA XREF: .text:006A0A24o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D8673	endp


;  S U B	R O U T	I N E 


sub_8D8681	proc near		; DATA XREF: .text:006A0A28o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-5Ch]
		jmp	loc_76C66D
sub_8D8681	endp


;  S U B	R O U T	I N E 


sub_8D868C	proc near		; DATA XREF: .text:006A0A44o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D868C	endp


;  S U B	R O U T	I N E 


sub_8D869A	proc near		; DATA XREF: .text:006A0A48o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-1Ch]
sub_8D869A	endp

; START	OF FUNCTION CHUNK FOR PfSnCaptureParamBlockString

loc_8D86A0:				; CODE XREF: PfSnCaptureParamBlockString+5Aj
		mov	[ebp+var_20], esi
		jmp	loc_76C793
; END OF FUNCTION CHUNK	FOR PfSnCaptureParamBlockString

;  S U B	R O U T	I N E 


sub_8D86A8	proc near		; DATA XREF: .text:006A0A64o
		xor	eax, eax
		inc	eax
		retn
sub_8D86A8	endp


;  S U B	R O U T	I N E 


sub_8D86AC	proc near		; DATA XREF: .text:006A0A68o
		mov	esp, [ebp-18h]
		xor	eax, eax
		mov	[ebp-1Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_76C808
sub_8D86AC	endp

; 
; START	OF FUNCTION CHUNK FOR PfSnCheckModernApp

loc_8D86C0:				; CODE XREF: PfSnCheckModernApp+D2j
					; PfSnCheckModernApp+144j
		sub	edi, 1
		jz	loc_76C9F4
		sub	edi, 1
		jz	loc_76C9EB
		sub	edi, 1
		jz	short loc_8D8713
		sub	edi, 1
		jz	short loc_8D870A
		sub	edi, 1
		jz	short loc_8D8701
		sub	edi, 1
		jz	short loc_8D86F8
		sub	edi, 1
		jnz	loc_76C9FC
		movzx	eax, byte ptr [ebx]
		imul	esi, 25h
		add	esi, eax
		inc	ebx

loc_8D86F8:				; CODE XREF: PfSnCheckModernApp+16BEBEj
		movzx	eax, byte ptr [ebx]
		imul	esi, 25h
		add	esi, eax
		inc	ebx

loc_8D8701:				; CODE XREF: PfSnCheckModernApp+16BEB9j
		movzx	eax, byte ptr [ebx]
		imul	esi, 25h
		add	esi, eax
		inc	ebx

loc_8D870A:				; CODE XREF: PfSnCheckModernApp+16BEB4j
		movzx	eax, byte ptr [ebx]
		imul	esi, 25h
		add	esi, eax
		inc	ebx

loc_8D8713:				; CODE XREF: PfSnCheckModernApp+16BEAFj
		movzx	eax, byte ptr [ebx]
		imul	esi, 25h
		add	esi, eax
		inc	ebx
		jmp	loc_76C9EB
; 

loc_8D8721:				; CODE XREF: PfSnCheckModernApp+1C0j
					; PfSnCheckModernApp+1E8j
		sub	ebx, 1
		jz	short loc_8D877A
		sub	ebx, 1
		jz	short loc_8D8771
		sub	ebx, 1
		jz	short loc_8D8768
		sub	ebx, 1
		jz	short loc_8D875F
		sub	ebx, 1
		jz	short loc_8D8756
		sub	ebx, 1
		jz	short loc_8D874D
		sub	ebx, 1
		jnz	short loc_8D8782
		movzx	eax, byte ptr [edi]
		imul	edx, 25h
		add	edx, eax
		inc	edi

loc_8D874D:				; CODE XREF: PfSnCheckModernApp+16BF17j
		movzx	eax, byte ptr [edi]
		imul	edx, 25h
		add	edx, eax
		inc	edi

loc_8D8756:				; CODE XREF: PfSnCheckModernApp+16BF12j
		movzx	eax, byte ptr [edi]
		imul	edx, 25h
		add	edx, eax
		inc	edi

loc_8D875F:				; CODE XREF: PfSnCheckModernApp+16BF0Dj
		movzx	eax, byte ptr [edi]
		imul	edx, 25h
		add	edx, eax
		inc	edi

loc_8D8768:				; CODE XREF: PfSnCheckModernApp+16BF08j
		movzx	eax, byte ptr [edi]
		imul	edx, 25h
		add	edx, eax
		inc	edi

loc_8D8771:				; CODE XREF: PfSnCheckModernApp+16BF03j
		movzx	eax, byte ptr [edi]
		imul	edx, 25h
		add	edx, eax
		inc	edi

loc_8D877A:				; CODE XREF: PfSnCheckModernApp+16BEFEj
		movzx	eax, byte ptr [edi]
		imul	edx, 25h
		add	edx, eax

loc_8D8782:				; CODE XREF: PfSnCheckModernApp+16BF1Cj
		xor	eax, eax
		lea	edi, [edx+esi]
		inc	eax
		jmp	loc_76C8A7
; END OF FUNCTION CHUNK	FOR PfSnCheckModernApp
; 
; START	OF FUNCTION CHUNK FOR PfSnBeginScenario

loc_8D878D:				; CODE XREF: PfSnBeginScenario+78j
		mov	edi, [ebp+var_14]
		mov	ebx, ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+arg_4], 0C00000C1h
		jmp	loc_76CAF1
; 

loc_8D87A1:				; CODE XREF: PfSnBeginScenario+9Aj
		and	eax, 0FFFFFFFDh
		mov	[ebp+var_18], 9
		mov	[ebp+var_C], eax
		jmp	loc_76CAC0
; 

loc_8D87B3:				; CODE XREF: PfSnBeginScenario+B7j
		and	eax, 0FFFFFFFEh
		push	8
		mov	[ebp+var_C], eax
		pop	ebx
		jmp	loc_76CAD7
; 

loc_8D87C1:				; CODE XREF: PfSnBeginScenario+272j
		xor	ebx, ebx
		cmp	eax, 0C00000A3h
		setnz	bl
		add	ebx, 14h
		jmp	loc_76CB6F
; 

loc_8D87D3:				; CODE XREF: PfSnBeginScenario+E0j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_76CB00
; END OF FUNCTION CHUNK	FOR PfSnBeginScenario
; 
; START	OF FUNCTION CHUNK FOR PfSnLogScenarioDecision

loc_8D87E0:				; CODE XREF: PfSnLogScenarioDecision+ECj
					; PfSnLogScenarioDecision+F4j
		push	edi
		push	989680h
		push	ecx
		push	eax
		call	__alldiv
		mov	ecx, eax
		jmp	loc_76CDA1
; END OF FUNCTION CHUNK	FOR PfSnLogScenarioDecision
; 
; START	OF FUNCTION CHUNK FOR DbgkFlushErrorPort

loc_8D87F4:				; CODE XREF: DbgkFlushErrorPort+23j
		mov	ebx, large fs:124h
		push	edi
		xor	edi, edi
		dec	word ptr [ebx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebp+var_4]
		cmp	eax, [esi+8]
		jnz	short loc_8D881D
		mov	edi, [esi+4]
		lock inc dword ptr [edi]

loc_8D881D:				; CODE XREF: DbgkFlushErrorPort+16BA35j
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_8D8832
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8D8832:				; CODE XREF: DbgkFlushErrorPort+16BA49j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		test	edi, edi
		jz	short loc_8D8855
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_DbgkpRemoveErrorPort@12 ; DbgkpRemoveErrorPort(x,x,x)
		mov	ecx, edi
		call	_DbgkpDereferenceErrorPort@4 ; DbgkpDereferenceErrorPort(x)

loc_8D8855:				; CODE XREF: DbgkFlushErrorPort+16BA62j
		pop	edi
		jmp	loc_76CE09
; END OF FUNCTION CHUNK	FOR DbgkFlushErrorPort
; 
; START	OF FUNCTION CHUNK FOR PspExitProcess

loc_8D885B:				; CODE XREF: PspExitProcess+51j
		cmp	dword ptr [esi+3D4h], 0
		jz	loc_76CE7F
		jmp	loc_76CE65
; 

loc_8D886D:				; CODE XREF: PspExitProcess+B4j
		call	ObfDereferenceObject
		mov	[esi+1BCh], edi
		jmp	loc_76CE93
; END OF FUNCTION CHUNK	FOR PspExitProcess
; 
; START	OF FUNCTION CHUNK FOR PfProcessCreateNotification

loc_8D887D:				; CODE XREF: PfProcessCreateNotification+Bj
		mov	eax, 0C00000BBh
		jmp	loc_76CF5B
; END OF FUNCTION CHUNK	FOR PfProcessCreateNotification
; 
; START	OF FUNCTION CHUNK FOR PfSnBeginAppLaunch

loc_8D8887:				; CODE XREF: PfSnBeginAppLaunch+6Aj
		lea	eax, [esp+178h+var_160]
		push	eax
		push	[esp+17Ch+var_15C]
		call	PfCalculateProcessHash
		mov	ebx, [esp+178h+var_160]
		mov	edi, eax
		test	edi, edi
		js	loc_76D102
		mov	ecx, ebx
		jmp	loc_76CFEA
; 

loc_8D88AA:				; CODE XREF: PfSnBeginAppLaunch+88j
		mov	edi, 0C000000Dh
		jmp	loc_76D102
; END OF FUNCTION CHUNK	FOR PfSnBeginAppLaunch
; 
; START	OF FUNCTION CHUNK FOR PfCalculateProcessHash

loc_8D88B4:				; CODE XREF: PfCalculateProcessHash+4Cj
		mov	esi, 0C0000272h
		jmp	loc_76D298
; 

loc_8D88BE:				; CODE XREF: PfCalculateProcessHash+77j
					; PfCalculateProcessHash+E7j
		sub	edi, 1
		jz	loc_76D269
		sub	edi, 1
		jz	loc_76D260
		sub	edi, 1
		jz	short loc_8D8911
		sub	edi, 1
		jz	short loc_8D8908
		sub	edi, 1
		jz	short loc_8D88FF
		sub	edi, 1
		jz	short loc_8D88F6
		sub	edi, 1
		jnz	loc_76D271
		movzx	eax, byte ptr [esi]
		imul	edx, 25h
		add	edx, eax
		inc	esi

loc_8D88F6:				; CODE XREF: PfCalculateProcessHash+16B76Ej
		movzx	eax, byte ptr [esi]
		imul	edx, 25h
		add	edx, eax
		inc	esi

loc_8D88FF:				; CODE XREF: PfCalculateProcessHash+16B769j
		movzx	eax, byte ptr [esi]
		imul	edx, 25h
		add	edx, eax
		inc	esi

loc_8D8908:				; CODE XREF: PfCalculateProcessHash+16B764j
		movzx	eax, byte ptr [esi]
		imul	edx, 25h
		add	edx, eax
		inc	esi

loc_8D8911:				; CODE XREF: PfCalculateProcessHash+16B75Fj
		movzx	eax, byte ptr [esi]
		imul	edx, 25h
		add	edx, eax
		inc	esi
		jmp	loc_76D260
; END OF FUNCTION CHUNK	FOR PfCalculateProcessHash
; 
; START	OF FUNCTION CHUNK FOR PfSnLogStreamCreate

loc_8D891F:				; CODE XREF: PfSnLogStreamCreate+23j
		mov	ebx, 0C00000BBh
		jmp	loc_76D3E9
; END OF FUNCTION CHUNK	FOR PfSnLogStreamCreate
; 
; START	OF FUNCTION CHUNK FOR PfSnLogHelper

loc_8D8929:				; CODE XREF: PfSnLogHelper+2Dj
		lea	ecx, [esi+104h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_76D42B
; END OF FUNCTION CHUNK	FOR PfSnLogHelper
; 
; START	OF FUNCTION CHUNK FOR RtlUpcaseUnicodeString

loc_8D8939:				; CODE XREF: RtlUpcaseUnicodeString+4Bj
		mov	eax, 80000005h
		jmp	loc_76D51A
; END OF FUNCTION CHUNK	FOR RtlUpcaseUnicodeString

;  S U B	R O U T	I N E 


sub_8D8943	proc near		; DATA XREF: .text:006A0A88o
		mov	edi, [ebp+8]
		mov	eax, [ebp+0Ch]
		jmp	sub_76D58B
sub_8D8943	endp

; 
; START	OF FUNCTION CHUNK FOR sub_76D58B

loc_8D894E:				; CODE XREF: sub_76D58B+4j
		cmp	byte ptr [ebp+10h], 0
		jz	locret_76D595
		mov	eax, [edi+4]
		push	eax
		call	_ExFreePool@4	; ExFreePool(x)
		mov	dword ptr [edi+4], 0
		mov	eax, [ebp+0Ch]
		retn
; END OF FUNCTION CHUNK	FOR sub_76D58B
; 
; START	OF FUNCTION CHUNK FOR PsGetAllocatedFullProcessImageNameEx

loc_8D896C:				; CODE XREF: PsGetAllocatedFullProcessImageNameEx+Dj
		mov	esi, dword_6BEE00
		test	esi, esi
		jz	loc_76D5CD
		push	edx
		push	ecx
		call	esi
		jmp	loc_76D5DC
; END OF FUNCTION CHUNK	FOR PsGetAllocatedFullProcessImageNameEx
; 
; START	OF FUNCTION CHUNK FOR PfGetCompletedTrace

loc_8D8983:				; CODE XREF: PfGetCompletedTrace+A2j
		call	_PFP_CAN_DO_ACCESS_LOGGING@0 ; PFP_CAN_DO_ACCESS_LOGGING()
		test	eax, eax
		jz	loc_76D6F0
		push	2
		mov	edx, offset _PfKernelGlobals
		mov	ecx, offset _PfTGlobals
		call	_PfTAccessTracingStart@12 ; PfTAccessTracingStart(x,x,x)
		push	ebx
		push	ebx
		push	offset unk_6FB60C
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_76D6F0
; END OF FUNCTION CHUNK	FOR PfGetCompletedTrace

;  S U B	R O U T	I N E 


sub_8D89B2	proc near		; DATA XREF: .text:006A0AA4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D89B2	endp


;  S U B	R O U T	I N E 


sub_8D89C0	proc near		; DATA XREF: .text:006A0AA8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-40h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-20h]
		jmp	loc_76D796
sub_8D89C0	endp

; 
; START	OF FUNCTION CHUNK FOR PfGetCompletedTrace

loc_8D89D5:				; CODE XREF: PfGetCompletedTrace+158j
		mov	[ebp+var_28], eax
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	eax, [ebp+var_34]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_76D81A
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[ecx+4], ebx
		mov	[eax], ebx
		mov	eax, [ebp+var_24]
		inc	dword ptr [eax]
		jmp	loc_76D7B7
; END OF FUNCTION CHUNK	FOR PfGetCompletedTrace
; 

loc_8D8A01:				; CODE XREF: PAGE:0076D909j
		inc	dword_6D448C
		jmp	loc_76D87F
; 

loc_8D8A0C:				; CODE XREF: PAGE:0076D86Fj
		inc	dword_6D4488
		jmp	loc_76D875
; 

loc_8D8A17:				; CODE XREF: PAGE:0076D898j
		mov	ecx, [edi+14h]
		lea	eax, [esp+10h]
		push	eax
		call	_PfTTraceListTrim@12 ; PfTTraceListTrim(x,x,x)
		jmp	loc_76D89E
; 

loc_8D8A29:				; CODE XREF: PAGE:0076D8B7j
		push	2
		mov	ecx, offset _PfTGlobals
		call	_PfTAccessTracingCleanup@12 ; PfTAccessTracingCleanup(x,x,x)
		jmp	loc_76D8BD
; 

loc_8D8A3A:				; CODE XREF: PAGE:0076D8DEj
		lea	eax, [esp+10h]
		cmp	[ecx+4], eax
		jnz	loc_76D916
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	loc_76D916
		lea	edx, [esp+10h]
		mov	[esp+10h], eax
		mov	[eax+4], edx
		call	_PfTFreeTraceDump@4 ; PfTFreeTraceDump(x)
		jmp	loc_76D8D4
; 
; START	OF FUNCTION CHUNK FOR RtlpCreateUserThreadEx

loc_8D8A67:				; CODE XREF: RtlpCreateUserThreadEx+4Bj
		mov	eax, 0C000000Dh
		jmp	loc_76DA7B
; 

loc_8D8A71:				; CODE XREF: RtlpCreateUserThreadEx+59j
		or	eax, 2
		jmp	loc_76D9D5
; 

loc_8D8A79:				; CODE XREF: RtlpCreateUserThreadEx+62j
		or	eax, 4
		jmp	loc_76D9DE
; 

loc_8D8A81:				; CODE XREF: RtlpCreateUserThreadEx+73j
		or	eax, 20h
		jmp	loc_76D9EF
; 

loc_8D8A89:				; CODE XREF: RtlpCreateUserThreadEx+7Cj
		or	eax, 40h
		jmp	loc_76D9F8
; 

loc_8D8A91:				; CODE XREF: RtlpCreateUserThreadEx+E9j
		push	[ebp+var_2C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_76DA6A
; END OF FUNCTION CHUNK	FOR RtlpCreateUserThreadEx
; 
; START	OF FUNCTION CHUNK FOR ObCloseHandle

loc_8D8A9E:				; CODE XREF: ObCloseHandle+17j
		test	bl, bl
		jnz	loc_76DAAF
		mov	ecx, [ebp+arg_0]
		xor	dl, dl
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jnz	loc_76DAAF
		call	_VfCheckUserHandle@4 ; VfCheckUserHandle(x)
		jmp	loc_76DAAF
; END OF FUNCTION CHUNK	FOR ObCloseHandle
; 
; START	OF FUNCTION CHUNK FOR ObpCloseHandle

loc_8D8AC2:				; CODE XREF: ObpCloseHandle+5Aj
		mov	ecx, [ebp+var_10]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		test	edi, edi
		jg	short loc_8D8AD7
		cmp	edi, 0FFFFFFFAh
		jge	loc_8D8B6C

loc_8D8AD7:				; CODE XREF: ObpCloseHandle+16B00Cj
		lea	eax, [ebp+var_1]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp-3]
		call	ExQueryHandleExceptionsPermanency
		test	byte ptr [esi+1Ch], 10h
		jz	short loc_8D8AFD
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_8D8AFD
		push	[ebp+var_C]
		mov	edx, edi
		mov	ecx, esi
		call	ExHandleLogBadReference

loc_8D8AFD:				; CODE XREF: ObpCloseHandle+16B029j
					; ObpCloseHandle+16B02Fj
		cmp	byte ptr [ebp+var_C], 0
		jz	short loc_8D8B3C
		test	_NtGlobalFlag, 400000h
		jnz	short loc_8D8B1E
		cmp	dword ptr [ebx+190h], 0
		jnz	short loc_8D8B1E
		cmp	dword ptr [esi+54h], 0
		jz	short loc_8D8B6C

loc_8D8B1E:				; CODE XREF: ObpCloseHandle+16B04Dj
					; ObpCloseHandle+16B056j
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		test	al, al
		jnz	short loc_8D8B35
		push	0C0000008h
		call	_KeRaiseUserException@4	; KeRaiseUserException(x)
		mov	esi, eax
		jmp	short loc_8D8B7C
; 

loc_8D8B35:				; CODE XREF: ObpCloseHandle+16B065j
		mov	esi, 0C0000008h
		jmp	short loc_8D8B7C
; 

loc_8D8B3C:				; CODE XREF: ObpCloseHandle+16B041j
		mov	eax, [ebp+var_10]
		mov	eax, [eax+2FCh]
		test	al, 1
		jnz	short loc_8D8B6C
		cmp	dword ptr [ebx+17Ch], 0
		jz	short loc_8D8B6C
		cmp	_KdDebuggerEnabled, 0
		jz	short loc_8D8B6C
		push	0
		push	0
		push	1
		push	edi
		push	93h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8D8B6C:				; CODE XREF: ObpCloseHandle+16B011j
					; ObpCloseHandle+16B05Cj ...
		push	5
		lea	eax, [edi+6]
		pop	ecx
		cmp	ecx, eax
		sbb	esi, esi
		and	esi, 0C0000008h

loc_8D8B7C:				; CODE XREF: ObpCloseHandle+16B073j
					; ObpCloseHandle+16B07Aj
		mov	edi, [ebp+var_8]
		jmp	loc_76DB35
; END OF FUNCTION CHUNK	FOR ObpCloseHandle

;  S U B	R O U T	I N E 


sub_8D8B84	proc near		; DATA XREF: .text:006A0AC4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8D8B84	endp


;  S U B	R O U T	I N E 


sub_8D8B94	proc near		; DATA XREF: .text:006A0AC8o
		mov	esp, [ebp-18h]
		mov	edx, [ebp-20h]
		jmp	loc_76DBE6
sub_8D8B94	endp


;  S U B	R O U T	I N E 


sub_8D8B9F	proc near		; DATA XREF: .text:006A0AE4o
		xor	eax, eax
		inc	eax
		retn
sub_8D8B9F	endp


;  S U B	R O U T	I N E 


sub_8D8BA3	proc near		; DATA XREF: .text:006A0AE8o
		jmp	short loc_8D8BA9
; 

loc_8D8BA5:				; DATA XREF: .text:006A0AF0o
		xor	eax, eax
		inc	eax
		retn
; 

loc_8D8BA9:				; CODE XREF: sub_8D8BA3j
					; DATA XREF: .text:006A0AF4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-88h]
		xor	ebx, ebx
		jmp	loc_76DD16
sub_8D8BA3	endp


;  S U B	R O U T	I N E 


sub_8D8BC0	proc near		; DATA XREF: .text:006A0B0Co
		xor	eax, eax
		inc	eax
		retn
sub_8D8BC0	endp


;  S U B	R O U T	I N E 


sub_8D8BC4	proc near		; DATA XREF: .text:006A0B10o
		jmp	short loc_8D8BCA
; 

loc_8D8BC6:				; DATA XREF: .text:006A0B18o
		xor	eax, eax
		inc	eax
		retn
; 

loc_8D8BCA:				; CODE XREF: sub_8D8BC4j
					; DATA XREF: .text:006A0B1Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		jmp	loc_76DEAB
sub_8D8BC4	endp


;  S U B	R O U T	I N E 


sub_8D8BDB	proc near		; DATA XREF: .text:006A0B24o
		xor	eax, eax
		inc	eax
		retn
sub_8D8BDB	endp


;  S U B	R O U T	I N E 


sub_8D8BDF	proc near		; DATA XREF: .text:006A0B28o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		push	4
		pop	ebx
		jmp	loc_76DF74
sub_8D8BDF	endp

; 
; START	OF FUNCTION CHUNK FOR PspUserThreadStartup

loc_8D8BF3:				; CODE XREF: PspUserThreadStartup+42j
		push	1
		push	0C000004Bh
		push	ebx
		call	PspTerminateThreadByPointer
		jmp	loc_76F1AC
; END OF FUNCTION CHUNK	FOR PspUserThreadStartup

;  S U B	R O U T	I N E 


sub_8D8C05	proc near		; DATA XREF: .text:006A0B6Co
		xor	eax, eax
		inc	eax
		retn
sub_8D8C05	endp


;  S U B	R O U T	I N E 


sub_8D8C09	proc near		; DATA XREF: .text:006A0B70o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edi, edi
		mov	esi, [ebp-24h]
		mov	[ebp-20h], esi
		mov	ebx, [ebp-1Ch]
		jmp	loc_76F1E0
sub_8D8C09	endp

; 
; START	OF FUNCTION CHUNK FOR PspUserThreadStartup

loc_8D8C23:				; CODE XREF: PspUserThreadStartup+5Bj
		mov	ecx, ebx
		call	_DbgkCreateMinimalThread@4 ; DbgkCreateMinimalThread(x)
		jmp	loc_76F1FE
; END OF FUNCTION CHUNK	FOR PspUserThreadStartup

;  S U B	R O U T	I N E 


sub_8D8C2F	proc near		; DATA XREF: .text:006A0B8Co
		xor	eax, eax
		inc	eax
		retn
sub_8D8C2F	endp


;  S U B	R O U T	I N E 


sub_8D8C33	proc near		; DATA XREF: .text:006A0B90o
		mov	esp, [ebp-18h]
		xor	esi, esi
		mov	[ebp-0E0h], esi
		jmp	loc_76F38E
sub_8D8C33	endp

; 
; START	OF FUNCTION CHUNK FOR DbgkCreateThread

loc_8D8C43:				; CODE XREF: DbgkCreateThread+14Ej
		cmp	[ebx+2], si
		jz	loc_76F3FE
		jmp	loc_76F40E
; END OF FUNCTION CHUNK	FOR DbgkCreateThread

;  S U B	R O U T	I N E 


sub_8D8C52	proc near		; DATA XREF: .text:006A0B98o
		xor	eax, eax
		inc	eax
		retn
sub_8D8C52	endp


;  S U B	R O U T	I N E 


sub_8D8C56	proc near		; DATA XREF: .text:006A0B9Co
		mov	esp, [ebp-18h]
		xor	esi, esi
		mov	[ebp-0E0h], esi
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		mov	ebx, [ebp-0D0h]
		jmp	loc_76F449
sub_8D8C56	endp

; 
; START	OF FUNCTION CHUNK FOR DbgkCreateThread

loc_8D8C72:				; CODE XREF: DbgkCreateThread+6Ej
		test	byte ptr [ebp+var_F8], 1
		jnz	loc_8D8D8C
		mov	[ebp+var_BC], esi
		mov	[ebp+var_B8], esi
		mov	[ebp+var_B4], esi
		mov	[ebp+var_B0], esi
		mov	[ebp+var_A8], esi
		mov	[ebp+var_90], esi
		mov	[ebp+var_A4], esi
		mov	ecx, [ebx+15Ch]
		call	_DbgkpSectionToFileHandle@4 ; DbgkpSectionToFileHandle(x)
		mov	[ebp+var_A0], eax
		mov	eax, [ebx+160h]
		mov	[ebp+var_9C], eax
		mov	[ebp+var_8C], esi
		mov	[ebp+var_98], esi
		mov	[ebp+var_94], esi
		mov	[ebp+ms_exc.disabled], 2
		push	dword ptr [ebx+160h]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	short loc_8D8D0C
		mov	ecx, [eax+34h]
		add	ecx, [eax+28h]
		mov	[ebp+var_8C], ecx
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_98], ecx
		mov	eax, [eax+10h]
		mov	[ebp+var_94], eax

loc_8D8D0C:				; CODE XREF: DbgkCreateThread+169A32j
		mov	[ebp+ms_exc.disabled], edi
		jmp	short loc_8D8D33
; END OF FUNCTION CHUNK	FOR DbgkCreateThread

;  S U B	R O U T	I N E 


sub_8D8D11	proc near		; DATA XREF: .text:006A0BA4o
		xor	eax, eax
		inc	eax
		retn
sub_8D8D11	endp


;  S U B	R O U T	I N E 


sub_8D8D15	proc near		; DATA XREF: .text:006A0BA8o
		mov	esp, [ebp-18h]
		xor	esi, esi
		mov	[ebp-8Ch], esi
		mov	[ebp-98h], esi
		mov	[ebp-94h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
sub_8D8D15	endp

; START	OF FUNCTION CHUNK FOR DbgkCreateThread

loc_8D8D33:				; CODE XREF: DbgkCreateThread+169A55j
		mov	[ebp+var_C4], 3C0024h
		mov	[ebp+var_C0], 8
		mov	[ebp+var_AC], 2
		lea	eax, [ebp+var_C4]
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+var_CC]
		call	_DbgkpSendApiMessage@12	; DbgkpSendApiMessage(x,x,x)
		cmp	[ebp+var_A0], 0
		jz	short loc_8D8D7A
		push	esi
		push	[ebp+var_A0]
		call	ObCloseHandle

loc_8D8D7A:				; CODE XREF: DbgkCreateThread+169AB2j
		lea	eax, [ebp+var_C4]
		push	eax
		xor	edx, edx
		xor	ecx, ecx
		call	_DbgkSendSystemDllMessages@12 ;	DbgkSendSystemDllMessages(x,x,x)
		jmp	short loc_8D8DFD
; 

loc_8D8D8C:				; CODE XREF: DbgkCreateThread+1699BFj
		mov	edi, [ebp+var_D4]
		test	byte ptr [edi+2FCh], 4
		jnz	short loc_8D8DFD
		mov	[ebp+var_BC], esi
		mov	[ebp+var_B8], esi
		mov	[ebp+var_B4], esi
		mov	[ebp+var_B0], esi
		mov	[ebp+var_A8], esi
		mov	[ebp+var_A4], esi
		xor	edx, edx
		mov	ecx, edi
		call	_PsQueryThreadStartAddress@8 ; PsQueryThreadStartAddress(x,x)
		mov	[ebp+var_A0], eax
		mov	[ebp+var_C4], 280010h
		mov	[ebp+var_C0], 8
		mov	[ebp+var_AC], 1
		lea	eax, [ebp+var_C4]
		push	eax
		xor	edx, edx
		inc	edx
		mov	ecx, ebx
		call	_DbgkpSendApiMessage@12	; DbgkpSendApiMessage(x,x,x)

loc_8D8DFD:				; CODE XREF: DbgkCreateThread+169AD0j
					; DbgkCreateThread+169ADFj
		mov	edi, [ebp+var_D4]
		test	byte ptr [edi+300h], 10h
		jz	loc_76F32E
		push	esi
		mov	edx, edi
		mov	ecx, [ebp+var_CC]
		call	_DbgkpPostModuleMessages@12 ; DbgkpPostModuleMessages(x,x,x)
		jmp	loc_76F32E
; END OF FUNCTION CHUNK	FOR DbgkCreateThread
; 
; START	OF FUNCTION CHUNK FOR PspWriteTebIdealProcessor

loc_8D8E23:				; CODE XREF: PspWriteTebIdealProcessor+42j
		lea	ecx, [esi+2ECh]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_76F56F
		mov	[ebp+var_36], 1
		mov	edx, [ebp+var_44]
		jmp	loc_76F4F6
; 

loc_8D8E42:				; CODE XREF: PspWriteTebIdealProcessor+51j
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, edi
		call	KiStackAttachProcess
		mov	[ebp+var_35], 1
		jmp	loc_76F505
; END OF FUNCTION CHUNK	FOR PspWriteTebIdealProcessor

;  S U B	R O U T	I N E 


sub_8D8E58	proc near		; DATA XREF: .text:006A0BC4o
		xor	eax, eax
		inc	eax
		retn
sub_8D8E58	endp


;  S U B	R O U T	I N E 


sub_8D8E5C	proc near		; DATA XREF: .text:006A0BC8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp-4Ch]
		jmp	loc_76F530
sub_8D8E5C	endp

; 
; START	OF FUNCTION CHUNK FOR PspWriteTebIdealProcessor

loc_8D8E70:				; CODE XREF: PspWriteTebIdealProcessor+B1j
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_76F565
; 

loc_8D8E7F:				; CODE XREF: PspWriteTebIdealProcessor+BBj
		lea	ecx, [esi+2ECh]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_76F56F
; END OF FUNCTION CHUNK	FOR PspWriteTebIdealProcessor
; 
; START	OF FUNCTION CHUNK FOR PspInitializeThunkContext

loc_8D8E8F:				; CODE XREF: PspInitializeThunkContext+14Dj
		mov	[eax], bl
		jmp	loc_76F825
; 

loc_8D8E96:				; CODE XREF: PspInitializeThunkContext+134j
					; PspInitializeThunkContext+140j
		push	4
		push	esi
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		jmp	loc_76F83E
; END OF FUNCTION CHUNK	FOR PspInitializeThunkContext

;  S U B	R O U T	I N E 


sub_8D8EA4	proc near		; DATA XREF: .text:006A0BE4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-354h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D8EA4	endp


;  S U B	R O U T	I N E 


sub_8D8EB5	proc near		; DATA XREF: .text:006A0BE8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-354h]
		mov	[ebp-340h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		jmp	loc_76F8A7
sub_8D8EB5	endp

; 
; START	OF FUNCTION CHUNK FOR PspInitializeThunkContext

loc_8D8ED2:				; CODE XREF: PspInitializeThunkContext+1FCj
		mov	eax, ds:_PspLoaderInitRoutine
		mov	[ebp+var_32C], eax
		mov	[ebp+var_338], esi
		mov	[ebp+var_328], ebx
		mov	[ebp+var_330], ebx
		push	ebx
		push	1
		mov	ecx, edi
		call	_PspGetBaseTrapFrame@8 ; PspGetBaseTrapFrame(x,x)
		push	eax
		push	ebx
		lea	eax, [ebp+var_338]
		push	eax
		call	KiDispatchException
		jmp	loc_76F8D4
; END OF FUNCTION CHUNK	FOR PspInitializeThunkContext
; 
; START	OF FUNCTION CHUNK FOR PspSetContextThreadInternal

loc_8D8F0C:				; CODE XREF: PspSetContextThreadInternal+41j
		and	[ebp+ms_exc.disabled], 0
		mov	eax, esi
		mov	ecx, ds:_MmUserProbeAddress
		cmp	esi, ecx
		jb	short loc_8D8F1E
		mov	eax, ecx

loc_8D8F1E:				; CODE XREF: PspSetContextThreadInternal+16962Cj
		nop
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_76F93A
; END OF FUNCTION CHUNK	FOR PspSetContextThreadInternal

;  S U B	R O U T	I N E 


sub_8D8F30	proc near		; DATA XREF: .text:006A0C04o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D8F30	endp


;  S U B	R O U T	I N E 


sub_8D8F3E	proc near		; DATA XREF: .text:006A0C08o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-34h]
		jmp	loc_76F9E6
sub_8D8F3E	endp

; 
; START	OF FUNCTION CHUNK FOR PspSetContextThreadInternal

loc_8D8F50:				; CODE XREF: PspSetContextThreadInternal+60j
		lea	edx, [ebp+var_28]
		mov	ebx, [ebp+var_24]
		mov	ecx, ebx
		call	_RtlGetExtendedContextLength@8 ; RtlGetExtendedContextLength(x,x)
		test	eax, eax
		js	loc_76F9E6
		mov	eax, [ebp+var_28]
		call	__alloca_probe_16
		mov	[ebp+ms_exc.old_esp], esp
		mov	eax, esp
		mov	[ebp+var_44], eax
		push	[ebp+var_28]	; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_2C]
		push	eax
		mov	edx, ebx
		mov	ecx, [ebp+var_44]
		call	_RtlInitializeExtendedContext@12 ; RtlInitializeExtendedContext(x,x,x)
		test	eax, eax
		js	loc_76F9E6
		mov	ecx, [ebp+var_2C]
		lea	eax, [ecx-2CCh]
		mov	[ebp+var_44], eax
		push	0
		push	esi
		push	ebx
		push	ecx
		mov	dl, 1
		call	RtlpReadExtendedContext
		test	eax, eax
		jns	loc_76F957
		jmp	loc_76F9E6
; 

loc_8D8FBE:				; CODE XREF: PspSetContextThreadInternal+77j
		mov	esi, 0C0000030h
		jmp	loc_76F9E4
; 

loc_8D8FC8:				; CODE XREF: PspSetContextThreadInternal+8Fj
		mov	bl, al
		push	[ebp+var_30]
		call	_IoThreadToProcess@4 ; IoThreadToProcess(x)
		mov	esi, eax
		push	edi
		call	_IoThreadToProcess@4 ; IoThreadToProcess(x)
		cmp	eax, esi
		jnz	loc_76F983
		sub	esp, 0Ch
		mov	edx, [ebp+var_44]
		mov	ecx, edi
		call	_KeVerifyContextRecord@20 ; KeVerifyContextRecord(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_76F9E4
		mov	bl, [ebp+var_5B]
		or	bl, 4
		jmp	loc_76F983
; 

loc_8D9004:				; CODE XREF: PspSetContextThreadInternal+A7j
		or	al, 1
		mov	[ebp+var_5B], al
		lea	ecx, [ebp+var_54]
		call	@KeInitializeGate@8 ; KeInitializeGate(x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset PspGetSetContextSpecialApc
		push	eax
		push	edi
		lea	eax, [ebp+var_8C]
		push	eax
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	2
		push	edi
		push	1
		lea	eax, [ebp+var_8C]
		push	eax
		call	KeInsertQueueApc
		test	al, al
		jnz	short loc_8D9049
		mov	esi, 0C0000001h
		jmp	loc_76F9E4
; 

loc_8D9049:				; CODE XREF: PspSetContextThreadInternal+16974Fj
		push	ecx
		xor	edx, edx
		lea	ecx, [ebp+var_54]
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		jmp	loc_76F9D1
; 

loc_8D9059:				; CODE XREF: PspSetContextThreadInternal+F0j
		cmp	bh, 1
		jnz	loc_76F9E4
		push	[ebp+var_24]
		push	[ebp+var_44]
		mov	eax, large fs:124h
		mov	edx, edi
		mov	cl, [eax+15Ah]
		call	_EtwTiLogSetContextThread@16 ; EtwTiLogSetContextThread(x,x,x,x)
		jmp	loc_76F9E4
; END OF FUNCTION CHUNK	FOR PspSetContextThreadInternal
; 
; START	OF FUNCTION CHUNK FOR PspGetContextThreadInternal

loc_8D9080:				; CODE XREF: PspGetContextThreadInternal+116j
		mov	eax, ecx
		jmp	loc_76FB1A
; END OF FUNCTION CHUNK	FOR PspGetContextThreadInternal

;  S U B	R O U T	I N E 


sub_8D9087	proc near		; DATA XREF: .text:006A0C24o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D9087	endp


;  S U B	R O U T	I N E 


sub_8D9095	proc near		; DATA XREF: .text:006A0C28o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-50h]
		jmp	loc_76FAEF
sub_8D9095	endp

; 
; START	OF FUNCTION CHUNK FOR PspGetContextThreadInternal

loc_8D90A7:				; CODE XREF: PspGetContextThreadInternal+8Cj
		mov	eax, 0C0000030h
		jmp	loc_76FAEF
; 

loc_8D90B1:				; CODE XREF: PspGetContextThreadInternal+1DAj
		mov	eax, 0C0000001h
		jmp	loc_76FAEF
; END OF FUNCTION CHUNK	FOR PspGetContextThreadInternal
; 
; START	OF FUNCTION CHUNK FOR PspGetSetContextSpecialApc

loc_8D90BB:				; CODE XREF: PspGetSetContextSpecialApc+11j
		mov	edi, [ecx+6Ch]
		test	edi, edi
		jz	short loc_8D90D5
		test	dword ptr [edi+70h], 20000h
		jnz	short loc_8D90D5
		test	byte ptr [edi+6Ch], 1
		jz	loc_76FC0C

loc_8D90D5:				; CODE XREF: PspGetSetContextSpecialApc+1694D2j
					; PspGetSetContextSpecialApc+1694DBj
		mov	eax, 0C0000001h
		jmp	loc_76FC2F
; 

loc_8D90DF:				; CODE XREF: PspGetSetContextSpecialApc+38j
		and	eax, 0E7FFFFFFh
		or	eax, 80000000h
		mov	[ebx], eax
		mov	cl, [edi+0Fh]
		cmp	cl, 2
		jnz	short loc_8D90FA
		or	eax, 10000000h
		jmp	short loc_8D9107
; 

loc_8D90FA:				; CODE XREF: PspGetSetContextSpecialApc+169503j
		test	cl, cl
		jz	loc_76FC2C
		or	eax, 8000000h

loc_8D9107:				; CODE XREF: PspGetSetContextSpecialApc+16950Aj
		mov	[ebx], eax
		jmp	loc_76FC2C
; END OF FUNCTION CHUNK	FOR PspGetSetContextSpecialApc
; 
; START	OF FUNCTION CHUNK FOR PspAdjustContextForInstrumentation

loc_8D910E:				; CODE XREF: PspAdjustContextForInstrumentation+20j
		mov	edx, [edx+0A8h]
		and	[ebp+var_20], 0
		and	[ebp+ms_exc.disabled], 0
		cmp	byte ptr [edx+1B8h], 0
		jz	short loc_8D9131
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_76FC82
; 

loc_8D9131:				; CODE XREF: PspAdjustContextForInstrumentation+1694C7j
		mov	eax, [edx+1ACh]
		mov	[ebp+var_20], eax
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+0B8h]
		mov	[edx+1B0h], eax
		mov	eax, [ecx+0C4h]
		mov	[edx+1B4h], eax
		jmp	short loc_8D915E
; END OF FUNCTION CHUNK	FOR PspAdjustContextForInstrumentation

;  S U B	R O U T	I N E 


sub_8D9157	proc near		; DATA XREF: .text:006A0C44o
		xor	eax, eax
		inc	eax
		retn
sub_8D9157	endp


;  S U B	R O U T	I N E 


sub_8D915B	proc near		; DATA XREF: .text:006A0C48o
		mov	esp, [ebp-18h]
sub_8D915B	endp

; START	OF FUNCTION CHUNK FOR PspAdjustContextForInstrumentation

loc_8D915E:				; CODE XREF: PspAdjustContextForInstrumentation+1694F9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+var_24]
		mov	[ecx+0B8h], eax
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	loc_76FC82
		mov	[ecx+0C4h], eax
		jmp	loc_76FC82
; END OF FUNCTION CHUNK	FOR PspAdjustContextForInstrumentation
; 
; START	OF FUNCTION CHUNK FOR NtCreateThreadEx

loc_8D9187:				; CODE XREF: NtCreateThreadEx+64j
		mov	eax, 0C00000F5h
		jmp	loc_76FE6F
; END OF FUNCTION CHUNK	FOR NtCreateThreadEx

;  S U B	R O U T	I N E 


sub_8D9191	proc near		; DATA XREF: .text:006A0C64o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-180h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D9191	endp


;  S U B	R O U T	I N E 


sub_8D91A2	proc near		; DATA XREF: .text:006A0C68o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-180h]
		jmp	loc_76FE6F
sub_8D91A2	endp

; 
; START	OF FUNCTION CHUNK FOR PspDeleteCreateProcessContext

loc_8D91B7:				; CODE XREF: PspDeleteCreateProcessContext+67j
		lea	eax, [esi+0A0h]
		cmp	ecx, eax
		jz	loc_76FF17
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_76FF17
; 

loc_8D91D1:				; CODE XREF: PspDeleteCreateProcessContext+83j
		push	edi
		mov	edi, ebx
		cmp	[esi+0F8h], ebx
		jbe	short loc_8D9202
		mov	edx, eax

loc_8D91DE:				; CODE XREF: PspDeleteCreateProcessContext+169354j
		mov	ecx, [eax+edi*4]
		test	ecx, ecx
		jz	short loc_8D91F7
		mov	edx, 6C4A7350h
		call	ObfDereferenceObjectWithTag
		mov	eax, [esi+0F0h]
		mov	edx, eax

loc_8D91F7:				; CODE XREF: PspDeleteCreateProcessContext+169339j
		inc	edi
		cmp	edi, [esi+0F8h]
		jb	short loc_8D91DE
		mov	eax, edx

loc_8D9202:				; CODE XREF: PspDeleteCreateProcessContext+169330j
		push	6C4A7350h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		jmp	loc_76FF33
; 

loc_8D9213:				; CODE XREF: PspDeleteCreateProcessContext+91j
		push	dword ptr [esi+0F4h] ; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	ebx
		push	dword ptr [esi+0ECh]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_76FF41
; 

loc_8D9234:				; CODE XREF: PspDeleteCreateProcessContext+9Fj
		push	dword ptr [esi+108h] ; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	ebx
		push	dword ptr [esi+104h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_76FF4F
; 

loc_8D9255:				; CODE XREF: PspDeleteCreateProcessContext+ADj
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_8D9260
		push	ebx
		push	ecx
		jmp	short loc_8D9269
; 

loc_8D9260:				; CODE XREF: PspDeleteCreateProcessContext+1693B0j
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	short loc_8D926E
		push	ebx
		push	eax

loc_8D9269:				; CODE XREF: PspDeleteCreateProcessContext+1693B4j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8D926E:				; CODE XREF: PspDeleteCreateProcessContext+1693BBj
		push	ebx
		push	dword ptr [esi+10Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_76FF5D
; END OF FUNCTION CHUNK	FOR PspDeleteCreateProcessContext
; 
; START	OF FUNCTION CHUNK FOR PspCreateThread

loc_8D927F:				; CODE XREF: PspCreateThread+2C0j
		mov	eax, 0C0000001h
		jmp	loc_77029B
; 

loc_8D9289:				; CODE XREF: PspCreateThread+303j
		test	byte ptr [esi+490h], 1
		jnz	short loc_8D92B4
		test	byte ptr [edx+490h], 1
		jnz	short loc_8D92B4
		mov	eax, 4000h
		test	[esi+494h], eax
		jnz	short loc_8D92B4
		test	[edx+494h], eax
		jz	loc_77016F

loc_8D92B4:				; CODE XREF: PspCreateThread+169280j
					; PspCreateThread+169289j ...
		mov	eax, 0C0000022h
		jmp	loc_77029B
; 

loc_8D92BE:				; CODE XREF: PspCreateThread+213j
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, ebx
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	loc_770340
; END OF FUNCTION CHUNK	FOR PspCreateThread
; 
; START	OF FUNCTION CHUNK FOR PspCreateObjectHandle

loc_8D92D5:				; CODE XREF: PspCreateObjectHandle+3Dj
		movzx	eax, byte ptr [esi+13Ch]
		push	eax
		push	1
		push	ecx
		push	dword ptr [esi+14h]
		lea	eax, [esi+1Ch]
		push	eax
		push	dword ptr [ebx]
		call	_SePrivilegeObjectAuditAlarm@24	; SePrivilegeObjectAuditAlarm(x,x,x,x,x,x)
		jmp	loc_770BAB
; END OF FUNCTION CHUNK	FOR PspCreateObjectHandle
; 
; START	OF FUNCTION CHUNK FOR PspAllocateThread

loc_8D92F3:				; CODE XREF: PspAllocateThread+70j
		mov	[ebp+var_64], ebx
		jmp	loc_770C33
; 

loc_8D92FB:				; CODE XREF: PspAllocateThread+4CAj
		mov	edi, [ebp+var_5C]
		or	edi, 1000h
		mov	[ecx+4], edi
		movzx	eax, byte ptr [eax+3C5h]
		mov	[ecx+0C8h], ax
		mov	edi, [ebp+var_3C]
		movzx	eax, byte ptr [edi+3C5h]
		mov	eax, ds:dword_70E328[eax*4]
		mov	[ecx+0C4h], eax
		jmp	loc_7710A6
; 

loc_8D9331:				; CODE XREF: PspAllocateThread+DFj
		mov	edi, 0C000000Dh

loc_8D9336:				; CODE XREF: PspAllocateThread+11Ej
					; PspAllocateThread+17Bj ...
		mov	edx, 72437350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	short loc_8D939D
; END OF FUNCTION CHUNK	FOR PspAllocateThread

;  S U B	R O U T	I N E 


sub_8D9344	proc near		; DATA XREF: .text:006A0CC4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-78h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D9344	endp


;  S U B	R O U T	I N E 


sub_8D9352	proc near		; DATA XREF: .text:006A0CC8o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-78h]
		mov	[ebp-68h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp-6Ch]
		mov	[ebp-40h], esi
		mov	eax, [ebp-7Ch]
		mov	[ebp-50h], eax
		jmp	loc_770CD4
sub_8D9352	endp

; 
; START	OF FUNCTION CHUNK FOR PspAllocateThread

loc_8D9375:				; CODE XREF: PspAllocateThread+154j
		add	eax, 3
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_4C], eax
		lea	eax, [eax+ecx*4]
		mov	[ebp+var_3C], eax
		jmp	loc_770D12
; 

loc_8D9389:				; CODE XREF: PspAllocateThread+168A00j
		mov	edx, 72437350h
		mov	ecx, [ebp+var_40]
		call	ObfDereferenceObjectWithTag

loc_8D9396:				; CODE XREF: PspAllocateThread+1689FAj
		mov	ecx, esi
		call	ObfDereferenceObject

loc_8D939D:				; CODE XREF: PspAllocateThread+16878Aj
		mov	eax, edi
		jmp	loc_770F69
; 

loc_8D93A4:				; CODE XREF: PspAllocateThread+1BBj
		or	dword ptr [esi+2FCh], 20000h
		add	eax, esi
		mov	[esi+38Ch], eax
		jmp	loc_770D79
; 

loc_8D93BB:				; CODE XREF: PspAllocateThread+1E2j
		or	dword ptr [esi+2FCh], 4
		mov	eax, [ecx]
		jmp	loc_770DA0
; 

loc_8D93C9:				; CODE XREF: PspAllocateThread+1EDj
		or	dword ptr [esi+58h], 200000h
		jmp	loc_770DAB
; 

loc_8D93D5:				; CODE XREF: PspAllocateThread+2CDj
		or	eax, 0FFFFFFFFh
		lea	edi, [esi+2F0h]
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8D93EF
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8D93EF:				; CODE XREF: PspAllocateThread+16882Ej
		mov	ecx, edi
		call	KeAbPostRelease
		mov	edi, 0C000009Ah
		jmp	loc_8D9569
; 

loc_8D9400:				; CODE XREF: PspAllocateThread+2F5j
		or	ecx, 8
		movzx	eax, cx
		mov	[ebp+var_3C], eax
		jmp	loc_770EB3
; 

loc_8D940E:				; CODE XREF: PspAllocateThread+309j
		or	eax, 4000h
		mov	[ebp+var_3C], eax
		jmp	loc_770EC7
; END OF FUNCTION CHUNK	FOR PspAllocateThread

;  S U B	R O U T	I N E 


sub_8D941B	proc near		; DATA XREF: .text:006A0CD0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-80h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D941B	endp


;  S U B	R O U T	I N E 


sub_8D9429	proc near		; DATA XREF: .text:006A0CD4o

; FUNCTION CHUNK AT 008D952E SIZE 0000001A BYTES

		mov	edi, [ebp-80h]
		mov	[ebp-68h], edi
		jmp	loc_8D952E
sub_8D9429	endp

; 
; START	OF FUNCTION CHUNK FOR PspAllocateThread

loc_8D9434:				; CODE XREF: PspAllocateThread+314j
		mov	eax, [ebp+var_40]
		cmp	[eax+3D4h], ebx
		jz	short loc_8D9476
		mov	eax, [ebp+var_48]
		mov	eax, [eax+0B8h]
		mov	[esi+298h], eax
		mov	[esi+2DCh], eax
		mov	ecx, [ebp+var_84]
		mov	eax, [ecx+4]
		mov	[esi+380h], eax
		mov	eax, [ecx+8]
		mov	[esi+384h], eax
		lock bts dword ptr [esi], 1Ah
		jmp	loc_770F32
; 

loc_8D9476:				; CODE XREF: PspAllocateThread+168885j
		mov	edx, [ebp+var_88]
		mov	eax, [edx+0A8h]
		mov	[ebp+var_50], eax
		mov	[ebp+var_58], eax
		mov	ecx, esi
		call	_PspInitClonedThread@8 ; PspInitClonedThread(x,x)
		lea	eax, [ebp+var_38]
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+var_40]
		call	KiStackAttachProcess
		push	4
		push	1000h
		push	[ebp+var_50]
		call	_MmSecureVirtualMemory@12 ; MmSecureVirtualMemory(x,x,x)
		test	eax, eax
		jz	loc_8D9548
		mov	[ebp+ms_exc.disabled], 2
		lea	ecx, [esi+2ACh]
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	edx, [ebp+var_50]
		mov	[edx+20h], eax
		mov	[edx+24h], ecx
		lea	ecx, [esi+2ACh]
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[edx+6B4h], eax
		mov	[edx+6B8h], ecx
		mov	[edx+0F9Ch], ebx
		mov	[edx+0FC4h], ebx
		mov	eax, 62Ch
		and	[edx+0FCAh], ax
		movzx	eax, word ptr [edx+0FCAh]
		or	eax, [ebp+var_3C]
		or	eax, 40h
		mov	[edx+0FCAh], ax
		jmp	loc_770F9F
; END OF FUNCTION CHUNK	FOR PspAllocateThread

;  S U B	R O U T	I N E 


sub_8D9517	proc near		; DATA XREF: .text:006A0CDCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-8Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D9517	endp


;  S U B	R O U T	I N E 


sub_8D9528	proc near		; DATA XREF: .text:006A0CE0o
		mov	edi, [ebp-8Ch]
sub_8D9528	endp

; START	OF FUNCTION CHUNK FOR sub_8D9429

loc_8D952E:				; CODE XREF: sub_8D9429+6j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp-60h]
		mov	eax, [ebp-6Ch]
		mov	[ebp-40h], eax
		jmp	loc_770FA6
; END OF FUNCTION CHUNK	FOR sub_8D9429
; 
; START	OF FUNCTION CHUNK FOR PspAllocateThread

loc_8D9548:				; CODE XREF: PspAllocateThread+1688F6j
		mov	edi, 0C0000141h
		jmp	loc_770FA6
; 

loc_8D9552:				; CODE XREF: PspAllocateThread+3A1j
		mov	eax, [ebp+var_58]
		test	eax, eax
		jz	short loc_8D9569
		cmp	[ebp+var_70], 0
		jz	short loc_8D9569
		mov	edx, eax
		mov	ecx, [ebp+var_40]
		call	_MmDeleteTeb@8	; MmDeleteTeb(x,x)

loc_8D9569:				; CODE XREF: PspAllocateThread+330j
					; PspAllocateThread+351j ...
		mov	eax, [ebp+var_70]
		test	eax, eax
		jz	short loc_8D9581
		cmp	byte ptr [eax],	0
		jz	short loc_8D9581
		push	eax
		push	[ebp+var_64]
		mov	ecx, [ebp+var_40]
		call	_PspDeleteUserStack@16 ; PspDeleteUserStack(x,x,x,x)

loc_8D9581:				; CODE XREF: PspAllocateThread+1689B6j
					; PspAllocateThread+1689BBj
		cmp	[esi+2B0h], ebx
		jz	short loc_8D95AC
		lea	ecx, [esi+2F0h]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8D95A7
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi+2F0h]

loc_8D95A7:				; CODE XREF: PspAllocateThread+1689E2j
		call	KeAbPostRelease

loc_8D95AC:				; CODE XREF: PspAllocateThread+1689CFj
		cmp	[esi+150h], ebx
		jnz	loc_8D9396
		jmp	loc_8D9389
; END OF FUNCTION CHUNK	FOR PspAllocateThread
; 
; START	OF FUNCTION CHUNK FOR PspExitThread

loc_8D95BD:				; CODE XREF: PspExitThread+55j
		push	edi
		movzx	eax, byte ptr [edi+16Ah]
		push	eax
		push	ecx
		push	esi
		push	5
		jmp	short loc_8D95D5
; 

loc_8D95CC:				; CODE XREF: PspExitThread+22Aj
		push	ebx
		push	ebx
		push	edi
		push	ebx
		push	94h

loc_8D95D5:				; CODE XREF: PspExitThread+1684E6j
					; PspExitThread+1684FFj ...
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8D95DA:				; CODE XREF: PspExitThread+6Aj
		push	ebx
		push	ebx
		push	ebx
		push	edi
		push	0E9h
		jmp	short loc_8D95D5
; 

loc_8D95E5:				; CODE XREF: PspExitThread+78j
		push	1
		push	ebx
		push	eax
		push	ebx
		push	20h
		jmp	short loc_8D95D5
; 

loc_8D95EE:				; CODE XREF: PspExitThread+84j
		xor	edx, edx
		mov	ecx, edi
		call	KeSetThreadChargeOnlySchedulingGroup
		mov	edx, 79517350h
		mov	ecx, [edi+290h]
		call	ObfDereferenceObjectWithTag
		mov	[edi+290h], ebx
		jmp	loc_77116E
; 

loc_8D9612:				; CODE XREF: PspExitThread+395j
		mov	eax, [ebp+var_20]
		cmp	eax, 0C000004Bh
		jnz	short loc_8D9622
		mov	eax, [esi+1E4h]

loc_8D9622:				; CODE XREF: PspExitThread+168536j
		mov	[esi+34Ch], eax
		jmp	loc_77147F
; 

loc_8D962D:				; CODE XREF: PspExitThread+160j
		mov	cl, 1
		jmp	loc_77124A
; 

loc_8D9634:				; CODE XREF: PspExitThread+168j
		push	0FFFFFFFDh
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	[ebp+var_2C], eax
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	ecx, [ebp+var_2C]
		cmp	ecx, eax
		jz	short loc_8D968E
		lea	edx, [ecx-18h]
		mov	ecx, edx
		shr	ecx, 8
		movzx	ecx, cl
		movzx	eax, byte ptr [edx+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	ecx, [ebp+var_2C]
		cmp	eax, ds:_PsJobType
		jnz	short loc_8D968E
		test	byte ptr [ecx+314h], 2
		jz	short loc_8D968E
		mov	edx, 6D497350h
		call	ObfDereferenceObjectWithTag
		jmp	loc_771252
; 

loc_8D968E:				; CODE XREF: PspExitThread+168564j
					; PspExitThread+168590j ...
		push	1
		push	esi
		push	ecx
		push	edi
		push	1CBh
		jmp	loc_8D95D5
; 

loc_8D969D:				; CODE XREF: PspExitThread+174j
		test	dword ptr [edi+58h], 400h
		jnz	loc_77125E
		cmp	[ebp+var_19], bl
		jz	short loc_8D96BF
		mov	ecx, [esi+34Ch]
		call	_DbgkExitProcess@4 ; DbgkExitProcess(x)
		jmp	loc_77125E
; 

loc_8D96BF:				; CODE XREF: PspExitThread+1685C9j
		mov	ecx, [ebp+var_20]
		call	_DbgkExitThread@4 ; DbgkExitThread(x)
		jmp	loc_77125E
; 

loc_8D96CC:				; CODE XREF: PspExitThread+180j
		test	byte ptr [edi+2FCh], 20h
		jz	loc_77126A
		mov	eax, [edi+150h]
		mov	eax, [eax+0FCh]
		test	eax, 40000008h
		jnz	loc_77126A
		push	[ebp+var_20]
		push	esi
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		push	eax
		lea	eax, [esi+1ACh]
		push	eax
		mov	edx, edi
		mov	ecx, offset ??_C@_0CF@EKPBODLC@Critical?5thread?50x?$CFp?5?$CIin?5?$CFs?$CJ?5ex@NNGAKEGL@
		call	_PspCatchCriticalBreak@20 ; PspCatchCriticalBreak(x,x,x,x,x)
		jmp	loc_77126A
; 

loc_8D9712:				; CODE XREF: PspExitThread+3EEj
		push	[ebp+var_20]
		push	esi
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		push	eax
		lea	eax, [esi+1ACh]
		push	eax
		mov	edx, esi
		mov	ecx, offset ??_C@_0CD@MKHINBEL@Critical?5process?50x?$CFp?5?$CI?$CFs?$CJ?5exit@NNGAKEGL@
		call	_PspCatchCriticalBreak@20 ; PspCatchCriticalBreak(x,x,x,x,x)
		jmp	loc_771273
; 

loc_8D9734:				; CODE XREF: PspExitThread+56Cj
					; PspExitThread+577j
		push	offset _PspShortTime
		push	ebx
		push	ebx
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_77163F
; 

loc_8D9745:				; CODE XREF: PspExitThread+1F6j
					; PspExitThread+201j
		push	offset _PspShortTime
		push	ebx
		push	ebx
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_7712CB
; 

loc_8D9756:				; CODE XREF: PspExitThread+27Dj
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)
		jmp	loc_771367
; 

loc_8D9760:				; CODE XREF: PspExitThread+33Cj
		push	1
		push	eax
		call	ObCloseHandle
		jmp	loc_771426
; END OF FUNCTION CHUNK	FOR PspExitThread

;  S U B	R O U T	I N E 


sub_8D976D	proc near		; DATA XREF: .text:006A0D1Co
		xor	eax, eax
		inc	eax
		retn
sub_8D976D	endp


;  S U B	R O U T	I N E 


sub_8D9771	proc near		; DATA XREF: .text:006A0D20o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp-44h]
		mov	edi, [ebp-38h]
		jmp	loc_77142D
sub_8D9771	endp

; 
; START	OF FUNCTION CHUNK FOR PspExitThread

loc_8D9788:				; CODE XREF: PspExitThread+2AEj
		call	KeQuerySystemTime
		jmp	loc_77139D
; 

loc_8D9792:				; CODE XREF: PspExitThread+44Dj
		mov	edx, [esi+34Ch]
		mov	ecx, esi
		call	_SeAuditProcessExit@8 ;	SeAuditProcessExit(x,x)
		jmp	loc_771537
; 

loc_8D97A4:				; CODE XREF: PspExitThread+467j
		mov	ecx, esi
		call	_VdmRundownDpcs@4 ; VdmRundownDpcs(x)
		jmp	loc_771551
; 

loc_8D97B0:				; CODE XREF: PspExitThread+2D0j
		mov	eax, ds:_PspLegoNotifyRoutine
		test	eax, eax
		jz	loc_7713BA
		push	edi
		call	eax
		jmp	loc_7713BA
; END OF FUNCTION CHUNK	FOR PspExitThread
; 
; START	OF FUNCTION CHUNK FOR KeRundownApcQueues

loc_8D97C5:				; CODE XREF: KeRundownApcQueues+5Dj
					; KeRundownApcQueues+168030j
		lea	ecx, [edi-0Ch]
		mov	edi, [edi]
		mov	eax, [ecx+18h]
		test	eax, eax
		jz	short loc_8D97D6
		push	ecx
		call	eax
		jmp	short loc_8D97DE
; 

loc_8D97D6:				; CODE XREF: KeRundownApcQueues+16801Fj
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8D97DE:				; CODE XREF: KeRundownApcQueues+168024j
		cmp	edi, ebx
		jnz	short loc_8D97C5
		jmp	loc_7717E8
; 

loc_8D97E7:				; CODE XREF: KeRundownApcQueues+45j
					; KeRundownApcQueues+51j
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	dword ptr [esi+13Ch]
		push	edi
		push	20h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8D9802:				; CODE XREF: CmNotifyRunDown+A8j
		push	ecx
		push	offset ??_C@_0DD@BGFPCJCC@IoStatusBlock?5pointing?5onto?5its@NNGAKEGL@ ; "IoStatusBlock	pointing onto itself Asyn"...
		call	_DbgPrint
		pop	ecx
		pop	ecx
		cmp	_KdDebuggerEnabled, 0
		jz	loc_7718C0
		cmp	_KdDebuggerNotPresent, 0
		jnz	loc_7718C0
		int	3		; Trap to Debugger
		jmp	loc_7718C0
; END OF FUNCTION CHUNK	FOR KeRundownApcQueues
; 
; START	OF FUNCTION CHUNK FOR CmNotifyRunDown

loc_8D982F:				; CODE XREF: CmNotifyRunDown+CCj
		push	ecx
		push	offset ??_C@_0DD@BGFPCJCC@IoStatusBlock?5pointing?5onto?5its@NNGAKEGL@ ; "IoStatusBlock	pointing onto itself Asyn"...
		call	_DbgPrint
		pop	ecx
		pop	ecx
		cmp	_KdDebuggerEnabled, 0
		jz	loc_7718E4
		cmp	_KdDebuggerNotPresent, 0
		jnz	loc_7718E4
		int	3		; Trap to Debugger
		jmp	loc_7718E4
; END OF FUNCTION CHUNK	FOR CmNotifyRunDown

;  S U B	R O U T	I N E 


sub_8D985C	proc near		; DATA XREF: .text:006A0D3Co
		xor	eax, eax
		inc	eax
		retn
sub_8D985C	endp


;  S U B	R O U T	I N E 


sub_8D9860	proc near		; DATA XREF: .text:006A0D40o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-24h]
		jmp	loc_7718EB
sub_8D9860	endp

; 
; START	OF FUNCTION CHUNK FOR CmNotifyRunDown

loc_8D9872:				; CODE XREF: CmNotifyRunDown+90j
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_771968
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		jmp	loc_771864
; END OF FUNCTION CHUNK	FOR CmNotifyRunDown
; 
; START	OF FUNCTION CHUNK FOR IoCancelThreadIo

loc_8D988C:				; CODE XREF: IoCancelThreadIo+71j
		call	edi
		lea	eax, [ebp+var_18]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	ecx, [ebp+var_8]
		mov	eax, ecx
		inc	ecx
		mov	[ebp+var_8], ecx
		cmp	eax, [ebp+var_C]
		jbe	loc_7719D7
		call	_IopDisassociateThreadIrp@0 ; IopDisassociateThreadIrp()
		jmp	loc_7719D7
; END OF FUNCTION CHUNK	FOR IoCancelThreadIo
; 
; START	OF FUNCTION CHUNK FOR NtCreateSemaphore

loc_8D98B7:				; CODE XREF: NtCreateSemaphore+34j
		mov	ecx, eax
		jmp	loc_771A24
; END OF FUNCTION CHUNK	FOR NtCreateSemaphore

;  S U B	R O U T	I N E 


sub_8D98BE	proc near		; DATA XREF: .text:006A0D5Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D98BE	endp


;  S U B	R O U T	I N E 


sub_8D98CC	proc near		; DATA XREF: .text:006A0D60o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_771ABD
sub_8D98CC	endp


;  S U B	R O U T	I N E 


sub_8D98DE	proc near		; DATA XREF: .text:006A0D68o
		xor	eax, eax
		inc	eax
		retn
sub_8D98DE	endp


;  S U B	R O U T	I N E 


sub_8D98E2	proc near		; DATA XREF: .text:006A0D6Co
		mov	esp, [ebp-18h]
		jmp	loc_771AB3
sub_8D98E2	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateSemaphore

loc_8D98EA:				; CODE XREF: NtCreateSemaphore+B4j
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	loc_771ABA
; 

loc_8D98F7:				; CODE XREF: NtCreateSemaphore+4Bj
					; NtCreateSemaphore+56j ...
		mov	eax, 0C000000Dh
		jmp	loc_771ABD
; END OF FUNCTION CHUNK	FOR NtCreateSemaphore
; 
; START	OF FUNCTION CHUNK FOR RtlGuardIsValidStackPointer

loc_8D9901:				; CODE XREF: RtlGuardIsValidStackPointer+Ej
		mov	edx, large fs:124h
		test	dword ptr [edx+58h], 400h
		jnz	short loc_8D9925
		cmp	byte ptr [edx+16Ah], 1
		jz	short loc_8D9925
		mov	edx, [edx+0A8h]
		jmp	loc_771B3E
; 

loc_8D9925:				; CODE XREF: RtlGuardIsValidStackPointer+167DE5j
					; RtlGuardIsValidStackPointer+167DEEj
		xor	edx, edx
		jmp	loc_771B3E
; END OF FUNCTION CHUNK	FOR RtlGuardIsValidStackPointer

;  S U B	R O U T	I N E 


sub_8D992C	proc near		; DATA XREF: .text:006A0DECo
		xor	eax, eax
		inc	eax
		retn
sub_8D992C	endp


;  S U B	R O U T	I N E 


sub_8D9930	proc near		; DATA XREF: .text:006A0DF0o
		mov	esp, [ebp-18h]
		jmp	loc_771B6A
sub_8D9930	endp

; 
; START	OF FUNCTION CHUNK FOR MmCreateTeb

loc_8D9938:				; CODE XREF: MmCreateTeb+41j
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_771C54
; END OF FUNCTION CHUNK	FOR MmCreateTeb

;  S U B	R O U T	I N E 


sub_8D9947	proc near		; DATA XREF: .text:006A0E0Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D9947	endp


;  S U B	R O U T	I N E 


sub_8D9955	proc near		; DATA XREF: .text:006A0E10o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-40h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-38h]
		jmp	loc_771C45
sub_8D9955	endp

; 
; START	OF FUNCTION CHUNK FOR MiAllocateFromSubAllocatedRegion

loc_8D996A:				; CODE XREF: MiAllocateFromSubAllocatedRegion+69j
		mov	edi, 0C000010Ah

loc_8D996F:				; CODE XREF: MiAllocateFromSubAllocatedRegion+18Aj
		mov	edx, [esp+30h+var_20]
		mov	ecx, ebx
		call	UNLOCK_ADDRESS_SPACE
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, edi
		jmp	loc_771DEF
; 

loc_8D9988:				; CODE XREF: MiAllocateFromSubAllocatedRegion+ACj
		mov	edi, [edi]
		cmp	edi, [esp+30h+var_14]
		jnz	loc_771D17
		jmp	loc_771DF8
; 

loc_8D9999:				; CODE XREF: MiAllocateFromSubAllocatedRegion+D0j
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_8D99B4
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_8D99B4
		mov	[ecx], eax
		mov	[eax+4], ecx
		and	dword ptr [edi], 0
		jmp	loc_771D5C
; 

loc_8D99B4:				; CODE XREF: MiAllocateFromSubAllocatedRegion+167D18j
					; MiAllocateFromSubAllocatedRegion+167D1Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8D99B9:				; CODE XREF: MiAllocateFromSubAllocatedRegion+125j
		call	MiUnlockAndDereferenceVad
		mov	eax, 0C000010Ah
		jmp	loc_771DEF
; 

loc_8D99C8:				; CODE XREF: MiAllocateFromSubAllocatedRegion+157j
		push	[esp+54h+var_34]
		push	edi
		call	MiFreeToSubAllocatedRegion
		jmp	loc_771DED
; END OF FUNCTION CHUNK	FOR MiAllocateFromSubAllocatedRegion
; 
; START	OF FUNCTION CHUNK FOR PspSetupUserStack

loc_8D99D7:				; CODE XREF: PspSetupUserStack+41j
		shl	eax, 18h
		or	edi, eax
		jmp	loc_771E67
; 

loc_8D99E1:				; CODE XREF: PspSetupUserStack+6Bj
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, edi
		jmp	loc_771ED7
; END OF FUNCTION CHUNK	FOR PspSetupUserStack
; 
; START	OF FUNCTION CHUNK FOR RtlCreateUserStack

loc_8D99F2:				; CODE XREF: RtlCreateUserStack+2Ej
		mov	eax, 0C000000Dh
		jmp	loc_772046
; 

loc_8D99FC:				; CODE XREF: RtlCreateUserStack+67j
		mov	eax, 4000h
		jmp	loc_771F59
; 

loc_8D9A06:				; CODE XREF: RtlCreateUserStack+118j
					; RtlCreateUserStack+152j
		mov	eax, [edi+10h]
		mov	[ebp+var_3C], eax
		and	[ebp+var_38], 0
		push	8000h
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)
		mov	eax, ebx
		jmp	loc_772046
; END OF FUNCTION CHUNK	FOR RtlCreateUserStack

;  S U B	R O U T	I N E 


sub_8D9A2B	proc near		; DATA XREF: .text:006A0E38o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D9A2B	endp


;  S U B	R O U T	I N E 


sub_8D9A39	proc near		; DATA XREF: .text:006A0E3Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-40h]
		jmp	loc_772046
sub_8D9A39	endp

; 
; START	OF FUNCTION CHUNK FOR RtlCreateUserStack

loc_8D9A4B:				; CODE XREF: RtlCreateUserStack+189j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000007Bh
		jmp	loc_772046
; END OF FUNCTION CHUNK	FOR RtlCreateUserStack

;  S U B	R O U T	I N E 


sub_8D9A5C	proc near		; DATA XREF: .text:006A0E2Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8D9A5C	endp


;  S U B	R O U T	I N E 


sub_8D9A6A	proc near		; DATA XREF: .text:006A0E30o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-44h]
		jmp	loc_772046
sub_8D9A6A	endp


;  S U B	R O U T	I N E 


sub_8D9A7C	proc near		; DATA XREF: .text:006A0E60o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8D9A7C	endp


;  S U B	R O U T	I N E 


sub_8D9A8C	proc near		; DATA XREF: .text:006A0E64o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-28h]
		jmp	loc_77215A
sub_8D9A8C	endp

; 

loc_8D9A9E:				; DATA XREF: .text:006A0E54o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8D9AAC:				; DATA XREF: .text:006A0E58o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2Ch]
		jmp	loc_77215A
; 
; START	OF FUNCTION CHUNK FOR PsResumeThread

loc_8D9ABE:				; CODE XREF: PsResumeThread+3Dj
		push	0
		push	esi
		xor	ecx, ecx
		call	_EtwTiLogSuspendResumeThread@16	; EtwTiLogSuspendResumeThread(x,x,x,x)
		jmp	loc_7721D1
; END OF FUNCTION CHUNK	FOR PsResumeThread
; 
; START	OF FUNCTION CHUNK FOR ExpWnfDeleteSubscription

loc_8D9ACD:				; CODE XREF: ExpWnfDeleteSubscription+2AFj
		test	[edi+50h], eax
		jz	loc_772331
		jmp	loc_77249F
; 

loc_8D9ADB:				; CODE XREF: ExpWnfDeleteSubscription+218j
		xor	ebx, ebx
		and	[ebp+var_C], ebx
		jmp	loc_772368
; END OF FUNCTION CHUNK	FOR ExpWnfDeleteSubscription
; 
; START	OF FUNCTION CHUNK FOR EtwTiLogReadWriteVm

loc_8D9AE5:				; CODE XREF: EtwTiLogReadWriteVm+86j
		mov	edi, offset _THREATINT_READVM_REMOTE
		jmp	loc_7725BD
; END OF FUNCTION CHUNK	FOR EtwTiLogReadWriteVm
; 
; START	OF FUNCTION CHUNK FOR EtwTiLogAllocExecVm

loc_8D9AEF:				; CODE XREF: EtwTiLogAllocExecVm+6Bj
		push	2
		pop	ecx
		jmp	loc_77274B
; END OF FUNCTION CHUNK	FOR EtwTiLogAllocExecVm
; 
; START	OF FUNCTION CHUNK FOR EtwTiLogProtectExecVm

loc_8D9AF7:				; CODE XREF: EtwTiLogProtectExecVm+8Bj
		lea	eax, [ebp+var_1C]
		mov	edx, esi
		push	eax
		lea	ecx, [ebp+var_19C]
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, large fs:124h
		mov	esi, eax
		mov	ecx, esi
		lea	eax, [ebp+var_19C]
		shl	ecx, 4
		add	ecx, eax
		call	_EtwpTiFillThreadIdentity@8 ; EtwpTiFillThreadIdentity(x,x)
		add	esi, eax
		lea	ecx, [ebp+var_19C]
		lea	eax, [ebp+var_14]
		mov	edx, ebx
		push	eax
		mov	eax, esi
		shl	eax, 4
		add	ecx, eax
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, [ebp+var_1A4]
		lea	ecx, [ebp+var_19C]
		add	esi, eax
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, esi
		shl	eax, 4
		add	ecx, eax
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		add	esi, eax
		lea	ecx, [ebp+arg_0]
		xor	ebx, ebx
		mov	eax, esi
		add	eax, eax
		push	4
		pop	edx
		mov	[ebp+eax*8+var_19C], ecx
		lea	ecx, [ebp+arg_4]
		mov	[ebp+eax*8+var_198], ebx
		mov	[ebp+eax*8+var_194], edx
		mov	[ebp+eax*8+var_190], ebx
		lea	eax, [esi+1]
		add	eax, eax
		mov	[ebp+eax*8+var_19C], ecx
		lea	ecx, [ebp+arg_8]
		mov	[ebp+eax*8+var_198], ebx
		mov	[ebp+eax*8+var_194], edx
		mov	[ebp+eax*8+var_190], ebx
		lea	eax, [esi+2]
		add	eax, eax
		mov	[ebp+eax*8+var_19C], ecx
		lea	ecx, [ebp+arg_C]
		mov	[ebp+eax*8+var_198], ebx
		mov	[ebp+eax*8+var_194], edx
		mov	[ebp+eax*8+var_190], ebx
		lea	eax, [esi+3]
		add	eax, eax
		mov	[ebp+eax*8+var_19C], ecx
		mov	[ebp+eax*8+var_198], ebx
		mov	[ebp+eax*8+var_194], edx
		mov	[ebp+eax*8+var_190], ebx
		lea	eax, [ebp+var_19C]
		push	eax
		lea	eax, [esi+4]
		push	eax
		push	ebx
		push	edi
		push	dword_6BC124
		push	_EtwThreatIntProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_772929
; END OF FUNCTION CHUNK	FOR EtwTiLogProtectExecVm
; 
; START	OF FUNCTION CHUNK FOR MiArbitraryCodeBlocked

loc_8D9C14:				; CODE XREF: MiArbitraryCodeBlocked+1Aj
		test	[eax+2FCh], edx
		jnz	loc_772960
		mov	ecx, 80000000h
		call	EtwTraceMemoryAcg
		push	2
		mov	edx, esi
		pop	ecx
		call	_EtwTimLogProhibitDynamicCode@8	; EtwTimLogProhibitDynamicCode(x,x)
		mov	eax, 0C0000604h
		pop	esi
		retn
; 

loc_8D9C3B:				; CODE XREF: MiArbitraryCodeBlocked+26j
		test	[eax+2FCh], edx
		jnz	loc_77296C
		xor	ecx, ecx
		mov	edx, esi
		inc	ecx
		call	_EtwTimLogProhibitDynamicCode@8	; EtwTimLogProhibitDynamicCode(x,x)
		jmp	loc_77296C
; END OF FUNCTION CHUNK	FOR MiArbitraryCodeBlocked
; 
; START	OF FUNCTION CHUNK FOR PerfLogImageUnload

loc_8D9C56:				; CODE XREF: PerfLogImageUnload+34j
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_EtwpCoverageSamplerUnloadImage@12 ; EtwpCoverageSamplerUnloadImage(x,x,x)
		jmp	loc_773EF4
; END OF FUNCTION CHUNK	FOR PerfLogImageUnload

;  S U B	R O U T	I N E 


sub_8D9C69	proc near		; DATA XREF: .text:006A0F1Co
		xor	eax, eax
		inc	eax
		retn
sub_8D9C69	endp


;  S U B	R O U T	I N E 


sub_8D9C6D	proc near		; DATA XREF: .text:006A0F20o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		mov	ebx, [ebp-2Ch]
		jmp	loc_773F21
sub_8D9C6D	endp

; 
; START	OF FUNCTION CHUNK FOR PerfLogImageUnload

loc_8D9C81:				; CODE XREF: PerfLogImageUnload+73j
		call	_KeAreAllApcsDisabled@0	; KeAreAllApcsDisabled()
		test	al, al
		jnz	loc_773F33
		mov	eax, 400h
		jmp	short loc_8D9CA8
; 

loc_8D9C95:				; CODE XREF: PerfLogImageUnload+F8j
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_8D9CA3:				; CODE XREF: PerfLogImageUnload+8Ej
		mov	eax, 200h

loc_8D9CA8:				; CODE XREF: PerfLogImageUnload+165DD9j
		mov	ecx, _FltMgrCallbacks
		test	ecx, ecx
		jz	loc_773FCA
		lea	edx, [ebp+var_24]
		push	edx
		lea	edx, [ebp+var_34]
		push	edx
		push	eax
		push	ebx
		call	dword ptr [ecx+0Ch]
		test	eax, eax
		js	loc_773FCA
		lea	eax, [ebp+var_34]
		mov	[ebp+var_28], eax
		jmp	loc_773FCA
; 

loc_8D9CD6:				; CODE XREF: PerfLogImageUnload+139j
		push	[ebp+var_24]
		mov	eax, _FltMgrCallbacks
		call	dword ptr [eax+10h]
		jmp	loc_773FB8
; END OF FUNCTION CHUNK	FOR PerfLogImageUnload
; 
; START	OF FUNCTION CHUNK FOR DbgkUnMapViewOfSection

loc_8D9CE6:				; CODE XREF: DbgkUnMapViewOfSection+58j
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jnz	short loc_8D9D04
		cmp	byte ptr [eax+16Ah], 1
		jz	short loc_8D9D04
		mov	esi, [eax+0A8h]

loc_8D9D04:				; CODE XREF: DbgkUnMapViewOfSection+165CFBj
					; DbgkUnMapViewOfSection+165D04j
		test	esi, esi
		jz	short loc_8D9D1F
		cmp	edi, [ecx+150h]
		jnz	short loc_8D9D1F
		mov	ecx, esi
		call	_DbgkpSuppressDbgMsg@4 ; DbgkpSuppressDbgMsg(x)
		test	eax, eax
		jnz	loc_774056

loc_8D9D1F:				; CODE XREF: DbgkUnMapViewOfSection+165D0Ej
					; DbgkUnMapViewOfSection+165D16j
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_90], ebx
		xor	edx, edx
		mov	[ebp+var_B0], 24000Ch
		push	eax
		inc	edx
		mov	[ebp+var_AC], 8
		mov	ecx, edi
		mov	[ebp+var_98], 6
		call	_DbgkpSendApiMessage@12	; DbgkpSendApiMessage(x,x,x)
		jmp	loc_774056
; END OF FUNCTION CHUNK	FOR DbgkUnMapViewOfSection
; 
; START	OF FUNCTION CHUNK FOR AlpcpDoPortCleanup

loc_8D9D59:				; CODE XREF: AlpcpDoPortCleanup+9Bj
		add	edi, 88h
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx

loc_8D9D68:				; CODE XREF: AlpcpDoPortCleanup+165A77j
		mov	eax, [ebp+var_4]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_8D9DA2
		and	dword ptr [ecx-4], 0
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_8D9D9D
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_8D9D9D
		mov	[eax], edx
		mov	[edx+4], eax
		xor	edx, edx
		and	dword ptr [ecx], 0
		inc	edx
		push	2
		push	ecx
		push	1
		add	ecx, 0FFFFFF98h
		call	KeReleaseSemaphoreEx
		jmp	short loc_8D9D68
; 

loc_8D9D9D:				; CODE XREF: AlpcpDoPortCleanup+165A56j
					; AlpcpDoPortCleanup+165A5Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8D9DA2:				; CODE XREF: AlpcpDoPortCleanup+165A4Bj
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8D9DB5
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8D9DB5:				; CODE XREF: AlpcpDoPortCleanup+165A88j
		mov	ecx, edi
		call	KeAbPostRelease
		jmp	loc_7743C5
; END OF FUNCTION CHUNK	FOR AlpcpDoPortCleanup
; 
; START	OF FUNCTION CHUNK FOR AlpcpFlushQueue

loc_8D9DC1:				; CODE XREF: AlpcpFlushQueue+B8j
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_8D9DD1
		mov	ecx, ebx
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_8D9DD1:				; CODE XREF: AlpcpFlushQueue+1657C0j
		mov	ecx, ebx
		call	AlpcpUnlockBlob
		jmp	loc_7746D4
; END OF FUNCTION CHUNK	FOR AlpcpFlushQueue
; 
; START	OF FUNCTION CHUNK FOR AlpcpDisconnectPort

loc_8D9DDD:				; CODE XREF: AlpcpDisconnectPort+258j
		dec	word ptr [edi-0Eh]
		lea	ecx, [ebx+0D0h]
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_8D9E00
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	ecx, [ebx+0D0h]

loc_8D9E00:				; CODE XREF: AlpcpDisconnectPort+165623j
		call	KeAbPostRelease
		jmp	loc_774A59
; 

loc_8D9E0A:				; CODE XREF: AlpcpDisconnectPort+23Ej
		dec	word ptr [edi-0Eh]
		jmp	loc_774A59
; END OF FUNCTION CHUNK	FOR AlpcpDisconnectPort
; 
; START	OF FUNCTION CHUNK FOR AlpcpCancelMessagesByRequestor

loc_8D9E13:				; CODE XREF: AlpcpCancelMessagesByRequestor+BAj
		xor	eax, eax
		jmp	loc_774ADF
; 

loc_8D9E1A:				; CODE XREF: AlpcpCancelMessagesByRequestor+FCj
		push	2
		pop	ecx
		mov	eax, esi
		cmp	ebx, ecx
		jbe	short loc_8D9E35
		cmp	ebx, 3
		mov	ebx, [ebp+var_4]
		jz	short loc_8D9E30
		add	ebx, 7Ch
		jmp	short loc_8D9E3B
; 

loc_8D9E30:				; CODE XREF: AlpcpCancelMessagesByRequestor+165381j
		add	ebx, 70h
		jmp	short loc_8D9E3B
; 

loc_8D9E35:				; CODE XREF: AlpcpCancelMessagesByRequestor+165379j
		mov	ebx, [ebp+var_4]
		add	ebx, 5Ch

loc_8D9E3B:				; CODE XREF: AlpcpCancelMessagesByRequestor+165386j
					; AlpcpCancelMessagesByRequestor+16538Bj
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, cl
		jnz	short loc_8D9E4C
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8D9E4C:				; CODE XREF: AlpcpCancelMessagesByRequestor+16539Bj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, edi
		mov	[ebp+var_C], 1
		call	AlpcpLockForCachedReferenceBlob
		mov	ebx, [ebp+arg_4]
		cmp	ebx, 2
		jbe	short loc_8D9E7C
		xor	eax, eax
		cmp	ebx, 3
		push	0Ch
		setz	al
		dec	eax
		pop	ecx
		and	eax, ecx
		add	eax, 70h
		jmp	short loc_8D9E7F
; 

loc_8D9E7C:				; CODE XREF: AlpcpCancelMessagesByRequestor+1653BFj
		push	5Ch
		pop	eax

loc_8D9E7F:				; CODE XREF: AlpcpCancelMessagesByRequestor+1653D2j
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		add	ecx, eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_8]
		cmp	[edi+0Ch], eax
		jnz	short loc_8D9EA4
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx]
		jmp	short loc_8D9EA0
; 

loc_8D9E9A:				; CODE XREF: AlpcpCancelMessagesByRequestor+1653FAj
		cmp	eax, edi
		jz	short loc_8D9EC4
		mov	eax, [eax]

loc_8D9EA0:				; CODE XREF: AlpcpCancelMessagesByRequestor+1653F0j
		cmp	eax, ecx
		jnz	short loc_8D9E9A

loc_8D9EA4:				; CODE XREF: AlpcpCancelMessagesByRequestor+1653E9j
		dec	word ptr [edi-0Eh]
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_8D9EB8
		mov	ecx, edi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_8D9EB8:				; CODE XREF: AlpcpCancelMessagesByRequestor+165407j
		mov	ecx, edi
		call	AlpcpUnlockBlob
		mov	edi, [ebp+arg_0]
		jmp	short loc_8D9EDE
; 

loc_8D9EC4:				; CODE XREF: AlpcpCancelMessagesByRequestor+1653F4j
		mov	[ebp+var_14], 1
		jmp	loc_774BBA
; 

loc_8D9ED0:				; CODE XREF: AlpcpCancelMessagesByRequestor+16544Aj
		mov	ecx, edi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_8D9ED7:				; CODE XREF: AlpcpCancelMessagesByRequestor+165448j
		mov	ecx, edi
		call	AlpcpUnlockBlob

loc_8D9EDE:				; CODE XREF: AlpcpCancelMessagesByRequestor+16541Aj
		mov	edi, [edi]
		jmp	loc_774C79
; 

loc_8D9EE5:				; CODE XREF: AlpcpCancelMessagesByRequestor+108j
		dec	word ptr [edi-0Eh]
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_8D9ED7
		jmp	short loc_8D9ED0
; 

loc_8D9EF4:				; CODE XREF: AlpcpCancelMessagesByRequestor+150j
		xor	ecx, ecx
		lea	eax, [edx+314h]
		xchg	ecx, [eax]
		cmp	ecx, edi
		jnz	short loc_8D9F26
		push	2
		push	ecx
		mov	ecx, [edi+10h]
		xor	edx, edx
		push	1
		add	ecx, 2B4h
		inc	edx
		call	KeReleaseSemaphoreEx
		and	dword ptr [edi+10h], 0
		add	word ptr [edi-0Eh], 0FFFDh
		jmp	loc_774C1F
; 

loc_8D9F26:				; CODE XREF: AlpcpCancelMessagesByRequestor+15Bj
					; AlpcpCancelMessagesByRequestor+165458j
		dec	word ptr [edi-0Eh]
		jmp	loc_774C1F
; 

loc_8D9F2F:				; CODE XREF: AlpcpCancelMessagesByRequestor+1AEj
		push	dword ptr [edi+90h]
		push	eax
		call	_PsReleaseProcessWakeCounter@8 ; PsReleaseProcessWakeCounter(x,x)
		and	dword ptr [edi+74h], 0
		jmp	loc_774C5C
; 

loc_8D9F44:				; CODE XREF: AlpcpCancelMessagesByRequestor+1C3j
		mov	ecx, [ebp+var_18]
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	loc_774C71
; END OF FUNCTION CHUNK	FOR AlpcpCancelMessagesByRequestor
; 
; START	OF FUNCTION CHUNK FOR AlpcpLockForCachedReferenceBlob

loc_8D9F51:				; CODE XREF: AlpcpLockForCachedReferenceBlob+25j
		push	edx
		push	26h
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8D9F5F:				; CODE XREF: MmSecureVirtualMemoryAgainstWrites+70j
		lea	ecx, [ebp-20h]
		xor	edx, edx
		push	ecx
		mov	ecx, eax
		call	KiStackAttachProcess
		jmp	loc_7751BB
; END OF FUNCTION CHUNK	FOR AlpcpLockForCachedReferenceBlob
; 
; START	OF FUNCTION CHUNK FOR MmSecureVirtualMemoryAgainstWrites

loc_8D9F71:				; CODE XREF: MmSecureVirtualMemoryAgainstWrites+F5j
		test	al, 20h
		jz	loc_775256
		jmp	loc_77523D
; 

loc_8D9F7E:				; CODE XREF: MmSecureVirtualMemoryAgainstWrites+13Cj
		push	[ebp+var_24]
		mov	edx, ebx
		mov	ecx, esi
		call	_MiUnsecureVirtualMemoryAgainstWrites@12 ; MiUnsecureVirtualMemoryAgainstWrites(x,x,x)
		jmp	loc_775284
; 

loc_8D9F8F:				; CODE XREF: MmSecureVirtualMemoryAgainstWrites+14Dj
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_775295
; END OF FUNCTION CHUNK	FOR MmSecureVirtualMemoryAgainstWrites
; 
; START	OF FUNCTION CHUNK FOR MiIsRangeFullyCommitted

loc_8D9F9E:				; CODE XREF: MiIsRangeFullyCommitted+7Ej
		mov	edx, [edi+1Ch]
		mov	eax, [edi+4]
		dec	edx
		lea	edx, [eax+edx*8]
		jmp	loc_775341
; 

loc_8D9FAD:				; CODE XREF: MiIsRangeFullyCommitted+C3j
		mov	edi, [edi+8]
		mov	esi, [edi+4]
		test	esi, esi
		jnz	loc_775335
		xor	ebx, ebx
		jmp	loc_775383
; END OF FUNCTION CHUNK	FOR MiIsRangeFullyCommitted
; 
; START	OF FUNCTION CHUNK FOR MiCheckSecuredVad

loc_8D9FC2:				; CODE XREF: MiCheckSecuredVad+2Fj
		mov	ecx, esi
		call	_MiGetVadPageSize@4 ; MiGetVadPageSize(x)
		cmp	eax, 200h
		jb	loc_775417
		xor	eax, eax
		jmp	loc_775498
; 

loc_8D9FDB:				; CODE XREF: MiCheckSecuredVad+5Fj
		cmp	byte ptr [ebx+10h], 1
		jnz	loc_775492
		jmp	loc_775447
; 

loc_8D9FEA:				; CODE XREF: MiCheckSecuredVad+85j
		mov	eax, [esi+1Ch]
		and	eax, 5100000h
		cmp	eax, 4100000h
		jnz	loc_77546D
		mov	eax, [ebx+0Ch]
		or	eax, 10h
		cmp	eax, 11h
		jnz	loc_7754E7
		mov	eax, [ebp+var_8]
		shr	eax, 0Ch
		cmp	[esi+0Ch], eax
		jz	loc_7754E7
		mov	eax, [ebp+var_4]
		shr	eax, 0Ch
		cmp	[esi+10h], eax
		jz	loc_7754E7
		jmp	loc_775492
; 

loc_8DA02F:				; CODE XREF: MiCheckSecuredVad+D2j
					; MiCheckSecuredVad+110j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	byte ptr [eax+3A8h], 1
		jz	loc_7754E7
		jmp	loc_7754C4
; END OF FUNCTION CHUNK	FOR MiCheckSecuredVad

;  S U B	R O U T	I N E 


sub_8DA04D	proc near		; DATA XREF: .text:006A0F5Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8DA04D	endp


;  S U B	R O U T	I N E 


sub_8DA05B	proc near		; DATA XREF: .text:006A0F60o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_775547
sub_8DA05B	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpCaptureViewAttributeInternal

loc_8DA06D:				; CODE XREF: AlpcpCaptureViewAttributeInternal+1Cj
		mov	eax, 0C000000Dh
		jmp	loc_775659
; 

loc_8DA077:				; CODE XREF: AlpcpCaptureViewAttributeInternal+7Bj
		mov	eax, 0C0000141h
		jmp	loc_775659
; 

loc_8DA081:				; CODE XREF: AlpcpCaptureViewAttributeInternal+E3j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	AlpcpDereferenceBlobEx
		jmp	loc_775649
; END OF FUNCTION CHUNK	FOR AlpcpCaptureViewAttributeInternal
; 
; START	OF FUNCTION CHUNK FOR AlpcpPrepareViewForDelivery

loc_8DA090:				; CODE XREF: AlpcpPrepareViewForDelivery+99j
		mov	eax, [edi+20h]
		mov	[ebp+var_2C], eax
		cmp	eax, esi
		jnz	short loc_8DA09F
		mov	eax, [eax]
		mov	[ebp+var_2C], eax

loc_8DA09F:				; CODE XREF: AlpcpPrepareViewForDelivery+164A26j
		mov	eax, [esi+24h]
		test	al, 8
		jnz	short loc_8DA0C2
		push	dword ptr [esi+18h]
		mov	edx, [esi+14h]
		mov	ecx, [esi+10h]
		call	MmSecureVirtualMemoryAgainstWrites
		test	eax, eax
		jz	loc_7756BF
		mov	[esi+20h], eax
		mov	eax, [esi+24h]

loc_8DA0C2:				; CODE XREF: AlpcpPrepareViewForDelivery+164A32j
		and	eax, 0FFFFFFFEh
		mov	ecx, esi
		mov	[esi+24h], eax
		call	AlpcpReferenceBlob
		mov	eax, [ebp+var_2C]
		or	dword ptr [edi+18h], 1
		mov	[edi+28h], esi
		mov	[edi+2Ch], eax
		jmp	loc_7756BF
; 

loc_8DA0E1:				; CODE XREF: AlpcpPrepareViewForDelivery+42j
		mov	eax, [edi+28h]
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	short loc_8DA120
		cmp	[eax+20h], ebx
		jz	short loc_8DA119
		lea	ecx, [ebp+var_20]
		xor	edx, edx
		push	ecx
		mov	ecx, [eax+10h]
		call	KiStackAttachProcess
		mov	eax, [ebp+var_28]
		push	dword ptr [eax+20h]
		call	_MmUnsecureVirtualMemory@4 ; MmUnsecureVirtualMemory(x)
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, [ebp+var_28]
		mov	[eax+20h], ebx

loc_8DA119:				; CODE XREF: AlpcpPrepareViewForDelivery+164A7Cj
		or	dword ptr [eax+24h], 1
		mov	[edi+28h], ebx

loc_8DA120:				; CODE XREF: AlpcpPrepareViewForDelivery+164A77j
		and	dword ptr [edi+18h], 0FFFFFFFEh
		mov	[edi+2Ch], ebx
		jmp	loc_7756BF
; 

loc_8DA12C:				; CODE XREF: AlpcpPrepareViewForDelivery+6Bj
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	AlpcpDereferenceBlobEx
		jmp	loc_7756E3
; END OF FUNCTION CHUNK	FOR AlpcpPrepareViewForDelivery
; 
; START	OF FUNCTION CHUNK FOR AlpcpExposeViewAttributeInSenderContext

loc_8DA13B:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+56j
		mov	ecx, esi
		call	AlpcpReferenceBlob
		test	eax, eax
		jg	loc_7758B8
		mov	ecx, ebx
		call	AlpcpUnlockBlob
		mov	ecx, ebx
		call	AlpcpLockForCachedReferenceBlob
		jmp	loc_7758A1
; 

loc_8DA15D:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+71j
		cmp	esi, [ebx+28h]
		jnz	loc_7758D3
		mov	eax, [edi+24h]
		test	al, 8
		jnz	short loc_8DA1CF
		push	dword ptr [edi+18h]
		mov	edx, [edi+14h]
		mov	ecx, [edi+10h]
		call	MmSecureVirtualMemoryAgainstWrites
		test	eax, eax
		jnz	short loc_8DA1C9
		cmp	[esi+20h], eax
		jz	short loc_8DA1AA
		mov	ecx, [esi+10h]
		lea	eax, [esp+40h+var_1C]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		push	dword ptr [esi+20h]
		call	_MmUnsecureVirtualMemory@4 ; MmUnsecureVirtualMemory(x)
		xor	edx, edx
		lea	ecx, [esp+40h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		and	dword ptr [esi+20h], 0

loc_8DA1AA:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+164926j
		or	dword ptr [esi+24h], 1
		xor	edx, edx
		inc	edx
		mov	ecx, esi
		call	AlpcpDereferenceBlobEx
		and	dword ptr [ebx+28h], 0
		and	dword ptr [ebx+2Ch], 0
		and	dword ptr [ebx+18h], 0FFFFFFFEh
		jmp	loc_775932
; 

loc_8DA1C9:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+164921j
		mov	[edi+20h], eax
		mov	eax, [edi+24h]

loc_8DA1CF:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+16490Fj
		and	eax, 0FFFFFFFEh
		mov	ecx, edi
		mov	[edi+24h], eax
		call	AlpcpReferenceBlob
		cmp	dword ptr [esi+20h], 0
		jz	short loc_8DA208
		mov	ecx, [esi+10h]
		lea	eax, [esp+40h+var_1C]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		push	dword ptr [esi+20h]
		call	_MmUnsecureVirtualMemory@4 ; MmUnsecureVirtualMemory(x)
		xor	edx, edx
		lea	ecx, [esp+40h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		and	dword ptr [esi+20h], 0

loc_8DA208:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+164984j
		or	dword ptr [esi+24h], 1
		xor	edx, edx
		inc	edx
		mov	[ebx+28h], edi
		mov	ecx, esi
		mov	[ebx+2Ch], esi
		call	AlpcpDereferenceBlobEx
		jmp	loc_775932
; 

loc_8DA221:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+B0j
		mov	[ebx+2Ch], esi
		jmp	loc_775932
; 

loc_8DA229:				; CODE XREF: AlpcpExposeViewAttributeInSenderContext+CCj
		mov	ecx, edi
		call	_AlpcpRestoreWriteAccess@4 ; AlpcpRestoreWriteAccess(x)
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	AlpcpDereferenceBlobEx
		jmp	loc_77599C
; END OF FUNCTION CHUNK	FOR AlpcpExposeViewAttributeInSenderContext
; 
; START	OF FUNCTION CHUNK FOR NtAlpcCreateSecurityContext

loc_8DA23F:				; CODE XREF: NtAlpcCreateSecurityContext+5Ej
		mov	esi, 0C000000Dh
		jmp	loc_775B2C
; 

loc_8DA249:				; CODE XREF: NtAlpcCreateSecurityContext+98j
		mov	byte ptr [eax],	0
		jmp	loc_775A5E
; 

loc_8DA251:				; CODE XREF: NtAlpcCreateSecurityContext+C3j
		mov	ecx, eax
		jmp	loc_775A89
; END OF FUNCTION CHUNK	FOR NtAlpcCreateSecurityContext

;  S U B	R O U T	I N E 


sub_8DA258	proc near		; DATA XREF: .text:006A0F7Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		mov	eax, 1
		retn
sub_8DA258	endp


;  S U B	R O U T	I N E 


sub_8DA268	proc near		; DATA XREF: .text:006A0F80o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-24h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_775B2C
sub_8DA268	endp

; 
; START	OF FUNCTION CHUNK FOR NtAlpcCreateSecurityContext

loc_8DA27A:				; CODE XREF: NtAlpcCreateSecurityContext+10Aj
		mov	ecx, [ebp+var_20]
		mov	eax, [ecx+9Ch]
		mov	[ebp+var_38], eax
		mov	eax, [ecx+0A0h]
		mov	[ebp+var_34], eax
		mov	eax, [ecx+0A4h]
		mov	[ebp+var_30], eax
		jmp	loc_775AD0
; END OF FUNCTION CHUNK	FOR NtAlpcCreateSecurityContext

;  S U B	R O U T	I N E 


sub_8DA29D	proc near		; DATA XREF: .text:006A0F88o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		mov	eax, 1
		retn
sub_8DA29D	endp


;  S U B	R O U T	I N E 


sub_8DA2AD	proc near		; DATA XREF: .text:006A0F8Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-2Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-1Ch]
		jmp	loc_775B10
sub_8DA2AD	endp

; 
; START	OF FUNCTION CHUNK FOR NtAlpcCreateSecurityContext

loc_8DA2C2:				; CODE XREF: NtAlpcCreateSecurityContext+152j
		mov	ecx, edi
		call	AlpcpDeleteBlob
		test	al, al
		jz	loc_775B18
		mov	edx, 1
		mov	ecx, edi
		call	AlpcpDereferenceBlobEx
		jmp	loc_775B18
; END OF FUNCTION CHUNK	FOR NtAlpcCreateSecurityContext
; 
; START	OF FUNCTION CHUNK FOR NtAlpcDeleteSecurityContext

loc_8DA2E2:				; CODE XREF: NtAlpcDeleteSecurityContext+19j
		mov	esi, 0C000000Dh
		jmp	loc_775C2A
; END OF FUNCTION CHUNK	FOR NtAlpcDeleteSecurityContext
; 
; START	OF FUNCTION CHUNK FOR AlpcpDereferenceBlobEx

loc_8DA2EC:				; CODE XREF: AlpcpDereferenceBlobEx:loc_775C7Aj
		push	eax
		push	21h
		push	edi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8DA2FA:				; CODE XREF: AlpcViewDestroyProcedure+A0j
		push	dword ptr [esi+14h]
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		jmp	loc_775E4E
; END OF FUNCTION CHUNK	FOR AlpcpDereferenceBlobEx
; 
; START	OF FUNCTION CHUNK FOR NtUnmapViewOfSectionEx

loc_8DA307:				; CODE XREF: NtUnmapViewOfSectionEx+21j
		mov	eax, 0C00000F1h
		jmp	loc_77600A
; 

loc_8DA311:				; CODE XREF: NtUnmapViewOfSectionEx+2Aj
		mov	edi, 4000000h
		jmp	loc_775FA0
; END OF FUNCTION CHUNK	FOR NtUnmapViewOfSectionEx
; 
; START	OF FUNCTION CHUNK FOR MiUnmapViewOfSection

loc_8DA31B:				; CODE XREF: MiUnmapViewOfSection+66j
		mov	eax, esi
		and	eax, 0FFFFF000h
		cmp	esi, eax
		jz	loc_77608C
		mov	eax, 0C00000F0h
		jmp	loc_776141
; 

loc_8DA334:				; CODE XREF: MiUnmapViewOfSection+89j
		mov	ebx, [esp+48h+var_38]
		xor	edi, edi
		cmp	ebx, 0C00000A0h
		jnz	loc_77612C
		mov	ebx, 0C0000019h
		jmp	loc_77612C
; 

loc_8DA350:				; CODE XREF: MiUnmapViewOfSection+280j
		mov	ebx, 0C0000019h
		jmp	short loc_8DA3A5
; 

loc_8DA357:				; CODE XREF: MiUnmapViewOfSection+D1j
		mov	eax, [esp+48h+var_28]
		cmp	[esp+48h+var_34], eax
		jnz	short loc_8DA3A0
		mov	edx, 80h
		mov	ecx, esi
		call	_MiLocateVadEvent@8 ; MiLocateVadEvent(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_8DA3A0
		mov	eax, [ecx+4]
		xor	edx, edx
		mov	dword ptr [ecx+4], 0
		mov	[esp+48h+var_30], eax
		lea	ecx, [eax+18h]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esp+48h+var_30]
		mov	eax, [esi+0Ch]
		mov	[ecx+0Ch], eax
		mov	eax, [esi+10h]
		mov	[ecx+10h], eax
		jmp	loc_7760F7
; 

loc_8DA3A0:				; CODE XREF: MiUnmapViewOfSection+16433Fj
					; MiUnmapViewOfSection+164351j
		mov	ebx, 0C0000018h

loc_8DA3A5:				; CODE XREF: MiUnmapViewOfSection+183j
					; MiUnmapViewOfSection+164335j
		mov	ecx, esi
		call	MiUnlockAndDereferenceVad
		mov	edi, [esp+48h+var_3C]
		jmp	loc_77612C
; END OF FUNCTION CHUNK	FOR MiUnmapViewOfSection
; 
; START	OF FUNCTION CHUNK FOR MiUnmapVad

loc_8DA3B5:				; CODE XREF: MiUnmapVad+26j
		cmp	dword ptr [esi+2Ch], 0
		jz	loc_7762DC
		mov	edx, 426h
		mov	ecx, esi
		call	_MiLogMapFileEvent@8 ; MiLogMapFileEvent(x,x)
		jmp	loc_7762DC
; END OF FUNCTION CHUNK	FOR MiUnmapVad
; 
; START	OF FUNCTION CHUNK FOR AlpcpCreateSecurityContext

loc_8DA3D0:				; CODE XREF: AlpcpCreateSecurityContext+163E03j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8DA3D7:				; CODE XREF: AlpcpCreateSecurityContext+163DFDj
		mov	ecx, edi
		call	KeAbPostRelease
		and	dword ptr [esi], 0
		mov	ecx, esi
		call	@AlpcpEndInitialization@4 ; AlpcpEndInitialization(x)
		push	2
		pop	edx
		mov	ecx, esi
		call	AlpcpDereferenceBlobEx

loc_8DA3F2:				; CODE XREF: AlpcpCreateSecurityContext+2Cj
		mov	eax, 0C000009Ah
		jmp	loc_77676B
; 

loc_8DA3FC:				; CODE XREF: AlpcpCreateSecurityContext+52j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	eax, [ebp+var_4]
		jmp	loc_77676B
; 

loc_8DA40E:				; CODE XREF: AlpcpCreateSecurityContext+70j
		push	68h
		pop	edx
		call	_AlpcpReleasePagedPoolQuota@8 ;	AlpcpReleasePagedPoolQuota(x,x)
		mov	edi, [ebp+arg_4]
		jmp	short loc_8DA43C
; 

loc_8DA41B:				; CODE XREF: AlpcpCreateSecurityContext+9Fj
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_8DA430
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8DA430:				; CODE XREF: AlpcpCreateSecurityContext+163DCBj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	edi, 0C000009Ah

loc_8DA43C:				; CODE XREF: AlpcpCreateSecurityContext+163DBDj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	eax, edi
		jmp	loc_77676B
; 

loc_8DA44D:				; CODE XREF: AlpcpCreateSecurityContext+D3j
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	loc_8DA3D7
		jmp	loc_8DA3D0
; END OF FUNCTION CHUNK	FOR AlpcpCreateSecurityContext
; 
; START	OF FUNCTION CHUNK FOR AlpcpCaptureSecurityAttribute

loc_8DA464:				; CODE XREF: AlpcpCaptureSecurityAttribute+45j
		mov	esi, eax
		jmp	loc_7767C7
; END OF FUNCTION CHUNK	FOR AlpcpCaptureSecurityAttribute

;  S U B	R O U T	I N E 


sub_8DA46B	proc near		; DATA XREF: .text:006A0FA4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8DA46B	endp


;  S U B	R O U T	I N E 


sub_8DA479	proc near		; DATA XREF: .text:006A0FA8o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-2Ch]
		mov	[ebp-30h], eax
		jmp	loc_7767F1
sub_8DA479	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpCaptureSecurityAttributeInternal

loc_8DA487:				; CODE XREF: AlpcpCaptureSecurityAttributeInternal+5Bj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	eax, 0C0000022h
		jmp	loc_7768AF
; 

loc_8DA49B:				; CODE XREF: AlpcpCaptureSecurityAttributeInternal+67j
		mov	ecx, esi
		call	AlpcpDeleteBlob
		test	al, al
		jz	short loc_8DA4B0
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	AlpcpDereferenceBlobEx

loc_8DA4B0:				; CODE XREF: AlpcpCaptureSecurityAttributeInternal+163C6Aj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	esi, ebx
		jmp	loc_7768A7
; 

loc_8DA4C1:				; CODE XREF: AlpcpCaptureSecurityAttributeInternal+1Aj
					; AlpcpCaptureSecurityAttributeInternal+2Bj
		mov	eax, 0C000000Dh
		jmp	loc_7768AF
; END OF FUNCTION CHUNK	FOR AlpcpCaptureSecurityAttributeInternal
; 
; START	OF FUNCTION CHUNK FOR AlpcReferenceBlobByHandle

loc_8DA4CB:				; CODE XREF: AlpcReferenceBlobByHandle+5Ej
		lea	ecx, [esi-4]
		mov	[ebp+arg_0], 0
		xor	edx, edx
		lea	eax, [ebp+arg_0]
		lock or	[eax], edx
		mov	edx, [ecx]
		test	dl, 1
		jz	loc_776974
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)
		jmp	loc_776974
; END OF FUNCTION CHUNK	FOR AlpcReferenceBlobByHandle
; 
; START	OF FUNCTION CHUNK FOR AlpcpReferenceBlob

loc_8DA4F2:				; CODE XREF: AlpcpReferenceBlob+Dj
		test	eax, eax
		jz	loc_7769CB
		push	eax
		push	20h
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8DA508:				; CODE XREF: AlpcpDeleteBlob+17j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8DA51C
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8DA51C:				; CODE XREF: AlpcpReferenceBlob+163B69j
		mov	ecx, esi
		call	KeAbPostRelease
		xor	al, al
		jmp	loc_776C85
; END OF FUNCTION CHUNK	FOR AlpcpReferenceBlob
; 
; START	OF FUNCTION CHUNK FOR MmMapSecureViewOfSection

loc_8DA52A:				; CODE XREF: MmMapSecureViewOfSection+3Fj
					; MmMapSecureViewOfSection+68j
		cmp	dword ptr [edi], 0
		jnz	short loc_8DA53A
		inc	dword_6D3104
		jmp	loc_776D07
; 

loc_8DA53A:				; CODE XREF: MmMapSecureViewOfSection+16389Bj
		inc	dword_6D3108
		jmp	loc_776D07
; END OF FUNCTION CHUNK	FOR MmMapSecureViewOfSection
; 
; START	OF FUNCTION CHUNK FOR RtlQueryAtomInAtomTable

loc_8DA545:				; CODE XREF: RtlQueryAtomInAtomTable+37j
		mov	eax, 0C000000Dh
		jmp	loc_776E5D
; 

loc_8DA54F:				; CODE XREF: RtlQueryAtomInAtomTable+13Cj
		mov	esi, 0C000000Dh
		jmp	short loc_8DA57A
; 

loc_8DA556:				; CODE XREF: RtlQueryAtomInAtomTable+14Cj
		mov	dword ptr [eax], 1
		jmp	loc_776E9E
; 

loc_8DA561:				; CODE XREF: RtlQueryAtomInAtomTable+17Ej
		cmp	eax, 2
		jb	short loc_8DA56E
		lea	edi, [eax-2]
		jmp	loc_776ED0
; 

loc_8DA56E:				; CODE XREF: RtlQueryAtomInAtomTable+163818j
		xor	edi, edi
		jmp	loc_776ED0
; 

loc_8DA575:				; CODE XREF: RtlQueryAtomInAtomTable+BFj
					; RtlQueryAtomInAtomTable+186j
		mov	esi, 0C0000023h

loc_8DA57A:				; CODE XREF: RtlQueryAtomInAtomTable+163808j
		mov	[ebp+var_40], esi
		jmp	loc_776E31
; END OF FUNCTION CHUNK	FOR RtlQueryAtomInAtomTable

;  S U B	R O U T	I N E 


sub_8DA582	proc near		; DATA XREF: .text:006A0FC4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8DA582	endp


;  S U B	R O U T	I N E 


sub_8DA590	proc near		; DATA XREF: .text:006A0FC8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-5Ch]
		mov	[ebp-40h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		or	eax, 0FFFFFFFFh
		jmp	loc_776E3B
sub_8DA590	endp

; 
; START	OF FUNCTION CHUNK FOR MiMapViewOfImageSection

loc_8DA5A8:				; CODE XREF: MiMapViewOfImageSection+57j
		mov	ecx, dword_6CF508
		cmp	ecx, [edx+2Ch]
		jnz	loc_7770AD
		mov	ecx, [esp+0A0h+var_78]
		mov	edx, dword_6CF50C
		mov	ecx, [ecx+24h]
		cmp	edx, [ecx+34h]
		jnz	loc_7770AD
		int	3		; Trap to Debugger
		jmp	loc_7770AD
; 

loc_8DA5D3:				; CODE XREF: MiMapViewOfImageSection+74Bj
		mov	eax, 0C0000045h
		jmp	loc_7776B8
; 

loc_8DA5DD:				; CODE XREF: MiMapViewOfImageSection+7B8j
		test	al, 8
		jz	loc_777135
		mov	eax, 0C0000269h
		jmp	loc_7776B8
; 

loc_8DA5EF:				; CODE XREF: MiMapViewOfImageSection+119j
		mov	ecx, [ebx+40h]
		call	MiArbitraryCodeBlocked
		test	eax, eax
		js	loc_7776B8
		jmp	loc_777176
; 

loc_8DA604:				; CODE XREF: MiMapViewOfImageSection+15Dj
		mov	ecx, [esp+0A0h+var_80]
		call	_MiDereferenceControlArea@4 ; MiDereferenceControlArea(x)
		mov	eax, 0C000009Ah
		jmp	loc_7776B8
; 

loc_8DA617:				; CODE XREF: MiMapViewOfImageSection+17Bj
		xor	ecx, ecx
		jmp	loc_7771D6
; 

loc_8DA61E:				; CODE XREF: MiMapViewOfImageSection+225j
		cmp	[esp+0A0h+var_7C], 200000h
		jz	loc_77727B
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		jmp	loc_777284
; 

loc_8DA636:				; CODE XREF: MiMapViewOfImageSection+28Fj
		mov	esi, 0C000010Ah
		jmp	loc_8DA6E2
; 

loc_8DA640:				; CODE XREF: MiMapViewOfImageSection+299j
		cmp	[esp+0A0h+var_7C], 200000h
		jz	loc_7772EF
		mov	eax, [ebx+4]
		mov	edx, [esp+0A0h+var_8C]
		push	eax
		mov	eax, [ebx]
		push	eax
		push	[esp+0A8h+var_88]
		call	MiIsVaRangeAvailable
		test	eax, eax
		jnz	loc_777325
		mov	esi, 0C0000018h
		jmp	short loc_8DA6E2
; 

loc_8DA671:				; CODE XREF: MiMapViewOfImageSection+2ABj
		mov	esi, 0C0000017h
		jmp	short loc_8DA6E2
; 

loc_8DA678:				; CODE XREF: MiMapViewOfImageSection+6B8j
		cmp	ecx, 80000000h
		jb	loc_77770E
		mov	ecx, 7FFFFFFFh
		mov	[esp+0A0h+var_60], ecx
		jmp	loc_77770E
; 

loc_8DA692:				; CODE XREF: MiMapViewOfImageSection+6C2j
		mov	eax, 0C0000017h
		mov	[esp+0A0h+var_8C], eax
		jmp	short loc_8DA6A1
; 

loc_8DA69D:				; CODE XREF: MiMapViewOfImageSection+6FCj
		mov	ecx, [esp+0A0h+var_60]

loc_8DA6A1:				; CODE XREF: MiMapViewOfImageSection+16364Bj
		mov	edx, [ebx+4]
		cmp	ecx, edx
		jz	short loc_8DA6D6
		lea	eax, [esp+0A0h+var_74]
		push	eax
		lea	eax, [esp+0A4h+var_54]
		push	eax
		mov	eax, [edi+1Ch]
		push	0
		shr	eax, 7
		and	eax, 1Fh
		push	eax
		push	ecx
		push	[esp+0B4h+var_7C]
		mov	ecx, [ebx+14h]
		push	[esp+0B8h+var_88]
		push	edx
		mov	edx, [ebx]
		call	_MiSelectUserAddress@40	; MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)
		mov	[esp+0A0h+var_8C], eax

loc_8DA6D6:				; CODE XREF: MiMapViewOfImageSection+163656j
		test	eax, eax
		jns	loc_777325

loc_8DA6DE:				; CODE XREF: MiMapViewOfImageSection+3FBj
					; MiMapViewOfImageSection+8A8j	...
		mov	esi, [esp+0A0h+var_8C]

loc_8DA6E2:				; CODE XREF: MiMapViewOfImageSection+1635EBj
					; MiMapViewOfImageSection+16361Fj ...
		mov	ecx, [esp+0A0h+var_90]

loc_8DA6E6:				; CODE XREF: MiMapViewOfImageSection+16374Bj
					; MiMapViewOfImageSection+163771j ...
		mov	ebx, [esp+0A0h+var_84]
		test	cl, cl
		jns	short loc_8DA704
		mov	ecx, ebx
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [esp+0A0h+var_80]
		mov	edx, eax
		call	_MiDereferencePerSessionProtos@8 ; MiDereferencePerSessionProtos(x,x)
		mov	ecx, [esp+0A0h+var_90]

loc_8DA704:				; CODE XREF: MiMapViewOfImageSection+16369Cj
		test	ecx, 100h
		jz	short loc_8DA719
		mov	ecx, [esp+0A0h+var_80]
		call	_MiReturnCrossPartitionControlAreaCharges@4 ; MiReturnCrossPartitionControlAreaCharges(x)
		mov	ecx, [esp+0A0h+var_90]

loc_8DA719:				; CODE XREF: MiMapViewOfImageSection+1636BAj
		test	cl, 40h
		jz	short loc_8DA72B
		mov	ecx, [esp+0A0h+var_80]
		mov	edx, ebx
		push	0
		call	MiRemoveSharedCommitNode

loc_8DA72B:				; CODE XREF: MiMapViewOfImageSection+1636CCj
		mov	ecx, [esp+0A0h+var_6C]
		mov	edx, ebx
		call	UNLOCK_ADDRESS_SPACE
		test	edi, edi
		jz	short loc_8DA74E
		mov	ecx, [edi+48h]
		test	ecx, ecx
		jz	short loc_8DA746
		call	ObfDereferenceObject

loc_8DA746:				; CODE XREF: MiMapViewOfImageSection+1636EFj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8DA74E:				; CODE XREF: MiMapViewOfImageSection+1636E8j
		mov	ecx, [esp+0A0h+var_80]
		call	_MiDereferenceControlArea@4 ; MiDereferenceControlArea(x)

loc_8DA757:				; CODE XREF: MiMapViewOfImageSection+16385Ej
					; MiMapViewOfImageSection+16386Aj
		mov	eax, esi
		jmp	loc_7776B8
; 

loc_8DA75E:				; CODE XREF: MiMapViewOfImageSection+336j
					; MiMapViewOfImageSection+340j
		mov	ebx, [esp+0A0h+var_60]
		mov	edx, [esp+0A0h+var_68]

loc_8DA766:				; CODE XREF: MiMapViewOfImageSection+163723j
					; MiMapViewOfImageSection+163729j
		mov	edx, [edx+8]
		sub	ecx, ebx
		sbb	eax, 0
		mov	ebx, [edx+1Ch]
		test	eax, eax
		ja	short loc_8DA766
		jb	short loc_8DA77B
		cmp	ecx, ebx
		jnb	short loc_8DA766

loc_8DA77B:				; CODE XREF: MiMapViewOfImageSection+163725j
		mov	ebx, [esp+0A0h+var_4C]
		mov	[esp+0A0h+var_68], edx
		mov	edx, [esp+0A0h+var_8C]
		jmp	loc_777396
; 

loc_8DA78C:				; CODE XREF: MiMapViewOfImageSection+88Dj
		mov	esi, 0C000009Ah
		jmp	loc_8DA6E2
; 

loc_8DA796:				; CODE XREF: MiMapViewOfImageSection+72Fj
		mov	esi, 0C0000018h
		jmp	loc_8DA6E6
; 

loc_8DA7A0:				; CODE XREF: MiMapViewOfImageSection+38Cj
		mov	eax, [ecx+24Ch]
		mov	byte ptr [eax+84h], 1
		jmp	loc_7773E2
; 

loc_8DA7B2:				; CODE XREF: MiMapViewOfImageSection+3CDj
		mov	edx, 208h
		jmp	loc_777423
; 

loc_8DA7BC:				; CODE XREF: MiMapViewOfImageSection+3DAj
		mov	esi, 0C000060Bh
		jmp	loc_8DA6E6
; 

loc_8DA7C6:				; CODE XREF: MiMapViewOfImageSection+3E3j
		mov	ecx, [esp+0A0h+var_68]
		push	21h
		call	MiReferenceActiveSubsection
		mov	[esp+0A0h+var_8C], eax
		test	eax, eax
		js	loc_8DA6DE
		or	[esp+0A0h+var_90], 100h
		jmp	loc_777439
; 

loc_8DA7EA:				; CODE XREF: MiMapViewOfImageSection+444j
					; MiMapViewOfImageSection+451j
		mov	eax, 4000000Eh
		mov	[esp+0A0h+var_88], eax
		jmp	loc_7774AB
; 

loc_8DA7F8:				; CODE XREF: MiMapViewOfImageSection+465j
		mov	edx, 425h
		mov	ecx, edi
		call	_MiLogMapFileEvent@8 ; MiLogMapFileEvent(x,x)
		mov	eax, [esp+0A0h+var_88]
		jmp	loc_7774BB
; 

loc_8DA80D:				; CODE XREF: MiMapViewOfImageSection+4E0j
		mov	eax, 800h
		jmp	loc_777538
; 

loc_8DA817:				; CODE XREF: MiMapViewOfImageSection+51Bj
		or	[esp+0A0h+var_40], 80000h
		jmp	loc_777571
; 

loc_8DA824:				; CODE XREF: MiMapViewOfImageSection+5B2j
		mov	eax, [ebx+34h]
		cmp	eax, 1
		jz	short loc_8DA844
		cmp	eax, 80000001h
		jz	short loc_8DA844
		cmp	eax, 2
		jz	short loc_8DA844
		cmp	eax, 4
		jz	short loc_8DA844
		mov	esi, 0C0000045h
		jmp	short loc_8DA88A
; 

loc_8DA844:				; CODE XREF: MiMapViewOfImageSection+1637DAj
					; MiMapViewOfImageSection+1637E1j ...
		mov	edx, [esp+0A0h+var_74]
		lea	ecx, [esp+0A0h+var_70]
		push	ecx
		push	0
		push	eax
		mov	eax, [ebx+0Ch]
		mov	ecx, edi
		push	eax
		call	_MiSecureVad@24	; MiSecureVad(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8DA88A
		mov	ecx, [esp+0A0h+var_84]
		xor	ecx, dword_6D061C
		mov	eax, [ebx+38h]
		xor	ecx, [esp+0A0h+var_70]
		xor	esi, esi
		mov	[eax], ecx
		mov	eax, [esp+0A0h+var_90]
		jmp	loc_777608
; 

loc_8DA87F:				; CODE XREF: MiMapViewOfImageSection+5E5j
		mov	esi, 0C000009Ah
		jmp	short loc_8DA88A
; 

loc_8DA886:				; CODE XREF: MiMapViewOfImageSection+5A4j
		mov	esi, [esp+0A0h+var_60]

loc_8DA88A:				; CODE XREF: MiMapViewOfImageSection+1637F2j
					; MiMapViewOfImageSection+16380Fj ...
		mov	ecx, edi
		call	_MiReferenceVad@4 ; MiReferenceVad(x)
		mov	ecx, [esp+0A0h+var_7C]
		test	ecx, ecx
		jz	short loc_8DA89E
		call	ObfDereferenceObject

loc_8DA89E:				; CODE XREF: MiMapViewOfImageSection+163847j
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	MiUnmapVad
		mov	eax, [ebx+38h]
		test	eax, eax
		jz	loc_8DA757
		mov	dword ptr [eax], 0
		jmp	loc_8DA757
; 

loc_8DA8BF:				; CODE XREF: MiMapViewOfImageSection+3B8j
		mov	esi, [esp+0A0h+var_8C]
		jmp	loc_8DA6E6
; END OF FUNCTION CHUNK	FOR MiMapViewOfImageSection
; 
; START	OF FUNCTION CHUNK FOR MiReferenceFileObjectForMap

loc_8DA8C8:				; CODE XREF: MiReferenceFileObjectForMap+9j
		and	ebx, 0FFFFFFFCh
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		jmp	loc_777999
; END OF FUNCTION CHUNK	FOR MiReferenceFileObjectForMap
; 
; START	OF FUNCTION CHUNK FOR MiCommitVadCfgBits

loc_8DA8D7:				; CODE XREF: MiCommitVadCfgBits+89j
		lea	eax, [ebp+var_1]
		mov	[ebp+arg_0], eax
		jmp	loc_777A8B
; END OF FUNCTION CHUNK	FOR MiCommitVadCfgBits
; 
; START	OF FUNCTION CHUNK FOR MiIsVaRangeAvailable

loc_8DA8E2:				; CODE XREF: MiIsVaRangeAvailable+11j
		test	dword ptr [ecx+0FCh], 1000000h
		jnz	loc_777C85
		cmp	dword ptr [ecx+3D4h], 0
		jz	loc_777CA5
		jmp	loc_777C85
; END OF FUNCTION CHUNK	FOR MiIsVaRangeAvailable
; 
; START	OF FUNCTION CHUNK FOR NtFindAtom

loc_8DA904:				; CODE XREF: NtFindAtom+71j
		mov	eax, 0C0000022h
		jmp	loc_777ED8
; 

loc_8DA90E:				; CODE XREF: NtFindAtom+7Dj
		mov	eax, 0C000000Dh
		jmp	loc_777ED8
; 

loc_8DA918:				; CODE XREF: NtFindAtom+B9j
		mov	ecx, eax
		jmp	loc_777E2F
; 

loc_8DA91F:				; CODE XREF: NtFindAtom+EAj
					; NtFindAtom+F2j
		mov	byte ptr [ecx],	0
		jmp	loc_777E68
; END OF FUNCTION CHUNK	FOR NtFindAtom

;  S U B	R O U T	I N E 


sub_8DA927	proc near		; DATA XREF: .text:006A0FE4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-230h], eax
		mov	eax, 1
		retn
sub_8DA927	endp


;  S U B	R O U T	I N E 


sub_8DA93A	proc near		; DATA XREF: .text:006A0FE8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-230h]
		jmp	loc_777ED8
sub_8DA93A	endp


;  S U B	R O U T	I N E 


sub_8DA94F	proc near		; DATA XREF: .text:006A0FF0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-234h], eax
		mov	eax, 1
		retn
sub_8DA94F	endp


;  S U B	R O U T	I N E 


sub_8DA962	proc near		; DATA XREF: .text:006A0FF4o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-234h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_777ED6
sub_8DA962	endp

; 
; START	OF FUNCTION CHUNK FOR PspCallProcessNotifyRoutines

loc_8DA977:				; CODE XREF: PspCallProcessNotifyRoutines+79j
		mov	[ebp+var_44], 2
		jmp	loc_777F87
; 

loc_8DA983:				; CODE XREF: PspCallProcessNotifyRoutines+A8j
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		test	esi, esi
		jz	loc_778007
		mov	ecx, [esi+114h]
		test	ecx, ecx
		jz	loc_778007
		mov	eax, [ecx]
		mov	[ebp+var_34], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_30], eax
		mov	eax, [ecx+8]
		jmp	loc_778004
; 

loc_8DA9B5:				; CODE XREF: PspCallProcessNotifyRoutines+B0j
					; PspCallProcessNotifyRoutines+BBj
		lea	eax, [ebp+var_8]
		mov	[ebp+var_1], 1
		push	eax
		push	ebx
		call	_PsReferenceProcessFilePointer@8 ; PsReferenceProcessFilePointer(x,x)
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		jmp	loc_777FCC
; 

loc_8DA9CD:				; CODE XREF: PspCallProcessNotifyRoutines+C9j
					; PspCallProcessNotifyRoutines+D3j
		add	eax, 30h
		jmp	loc_777FEB
; 

loc_8DA9D5:				; CODE XREF: PspCallProcessNotifyRoutines+E8j
					; PspCallProcessNotifyRoutines+F3j
		mov	[ebp+var_2C], ecx
		jmp	loc_778007
; 

loc_8DA9DD:				; CODE XREF: PspCallProcessNotifyRoutines+191j
		test	al, 4
		jz	loc_7780B4
		jmp	loc_77809F
; 

loc_8DA9EA:				; CODE XREF: PspCallProcessNotifyRoutines+1C9j
		mov	edx, eax
		mov	[ebp+var_1C], eax
		mov	ecx, ebx
		call	_PsTerminateProcess@8 ;	PsTerminateProcess(x,x)
		jmp	loc_77804D
; 

loc_8DA9FB:				; CODE XREF: PspCallProcessNotifyRoutines+170j
		test	esi, esi
		jz	short loc_8DAA09
		cmp	dword ptr [esi+20h], 0
		jl	loc_77807E

loc_8DAA09:				; CODE XREF: PspCallProcessNotifyRoutines+162AF5j
		push	esi
		push	dword ptr [ebx+0E4h]
		push	ebx
		call	dword ptr [edi]
		mov	ecx, ds:_PspDamExtensionHost
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)
		jmp	loc_77807E
; 

loc_8DAA23:				; CODE XREF: PspCallProcessNotifyRoutines+17Aj
		mov	ecx, [ebp+var_8]
		call	ObfDereferenceObject
		jmp	loc_778088
; END OF FUNCTION CHUNK	FOR PspCallProcessNotifyRoutines
; 
; START	OF FUNCTION CHUNK FOR PspCallThreadNotifyRoutines

loc_8DAA30:				; CODE XREF: PspCallThreadNotifyRoutines+1Aj
		mov	[ebp+var_1], 1
		jmp	loc_778134
; 

loc_8DAA39:				; CODE XREF: PspCallThreadNotifyRoutines+92j
		test	byte ptr [ebx+8], 2
		jz	loc_7781C6
		jmp	loc_7781A8
; 

loc_8DAA48:				; CODE XREF: PspCallThreadNotifyRoutines+CCj
		test	al, 2
		jz	loc_778201
		jmp	loc_7781E2
; END OF FUNCTION CHUNK	FOR PspCallThreadNotifyRoutines
; 
; START	OF FUNCTION CHUNK FOR PsCallImageNotifyRoutines

loc_8DAA55:				; CODE XREF: PsCallImageNotifyRoutines+3Dj
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_7782D3
; 

loc_8DAA5C:				; CODE XREF: PsCallImageNotifyRoutines+4Dj
					; PsCallImageNotifyRoutines+68j
		mov	ecx, [ebp+var_4]
		jmp	loc_778304
; END OF FUNCTION CHUNK	FOR PsCallImageNotifyRoutines
; 
; START	OF FUNCTION CHUNK FOR RtlLookupAtomInAtomTable

loc_8DAA64:				; CODE XREF: RtlLookupAtomInAtomTable+141j
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	edi, 0C000000Dh
		jmp	loc_778519
; 

loc_8DAA73:				; CODE XREF: RtlLookupAtomInAtomTable+97j
		mov	edi, 0C0000033h
		jmp	loc_7784F8
; 

loc_8DAA7D:				; CODE XREF: RtlLookupAtomInAtomTable+D1j
		mov	edi, 0C0000008h
		jmp	loc_7784F8
; END OF FUNCTION CHUNK	FOR RtlLookupAtomInAtomTable

;  S U B	R O U T	I N E 


sub_8DAA87	proc near		; DATA XREF: .text:006A100Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		mov	eax, 1
		retn
sub_8DAA87	endp


;  S U B	R O U T	I N E 


sub_8DAA97	proc near		; DATA XREF: .text:006A1010o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-28h]
		mov	[ebp-1Ch], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp+8]
		jmp	loc_7784C4
sub_8DAA97	endp

; 
; START	OF FUNCTION CHUNK FOR RtlLookupAtomInAtomTable

loc_8DAAAF:				; CODE XREF: RtlLookupAtomInAtomTable+48j
					; RtlLookupAtomInAtomTable+54j
		mov	eax, 0C000000Dh
		jmp	loc_7784DF
; END OF FUNCTION CHUNK	FOR RtlLookupAtomInAtomTable
; 
; START	OF FUNCTION CHUNK FOR RtlGetIntegerAtom

loc_8DAAB9:				; CODE XREF: RtlGetIntegerAtom+19j
		movzx	ecx, ax
		mov	eax, 0C000h
		mov	edx, ecx
		cmp	dx, ax
		jnb	loc_778553
		test	dx, dx
		jnz	short loc_8DAAD3
		mov	ecx, eax

loc_8DAAD3:				; CODE XREF: RtlGetIntegerAtom+1625A1j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_7785BE
		mov	[eax], cx
		jmp	loc_7785BE
; END OF FUNCTION CHUNK	FOR RtlGetIntegerAtom
; 
; START	OF FUNCTION CHUNK FOR RtlpHashStringToAtom

loc_8DAAE6:				; CODE XREF: RtlpHashStringToAtom+1Bj
		movzx	edx, bx
		mov	eax, 0C000h
		cmp	dx, ax
		jb	short loc_8DAB03
		and	edx, 3FFFh
		call	_RtlpAtomMapAtomToHandleEntry@8	; RtlpAtomMapAtomToHandleEntry(x,x)
		mov	ecx, [ebp+var_4]
		mov	edi, eax

loc_8DAB03:				; CODE XREF: RtlpHashStringToAtom+162521j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_8DAB10
		mov	dword ptr [eax], 0

loc_8DAB10:				; CODE XREF: RtlpHashStringToAtom+162538j
		test	edi, edi
		jz	loc_7786AA
		jmp	loc_778693
; 

loc_8DAB1D:				; CODE XREF: RtlpHashStringToAtom+71j
		xor	ebx, ebx
		xor	edi, edi
		jmp	loc_778685
; END OF FUNCTION CHUNK	FOR RtlpHashStringToAtom

;  S U B	R O U T	I N E 


sub_8DAB26	proc near		; DATA XREF: .text:006A102Co
		mov	eax, 1
		retn
sub_8DAB26	endp


;  S U B	R O U T	I N E 


sub_8DAB2C	proc near		; DATA XREF: .text:006A1030o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-88h]
		mov	edi, [ebp-8Ch]
		jmp	loc_778842
sub_8DAB2C	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpEnumerateAddressSpace

loc_8DAB47:				; CODE XREF: EtwpEnumerateAddressSpace+8Aj
		or	ebx, 4
		mov	[ebp+var_50], ebx
		jmp	loc_7789B0
; 

loc_8DAB52:				; CODE XREF: EtwpEnumerateAddressSpace+2FEj
		or	ebx, 2
		mov	[ebp+var_50], ebx
		jmp	loc_7789B8
; 

loc_8DAB5D:				; CODE XREF: EtwpEnumerateAddressSpace+9Aj
		xor	edx, edx
		jmp	loc_778BDA
; 

loc_8DAB64:				; CODE XREF: EtwpEnumerateAddressSpace+EBj
		and	ebx, 0FFFFFFFEh
		mov	[ebp+var_50], ebx
		jz	loc_778BDA
		jmp	loc_778A11
; 

loc_8DAB75:				; CODE XREF: EtwpEnumerateAddressSpace+14Aj
		mov	[ebp+var_78], 1
		mov	ecx, [esi+4]
		mov	eax, ecx
		shr	eax, 1
		and	eax, 1Fh
		mov	[ebp+var_74], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_90], eax
		mov	eax, ecx
		and	eax, 0FFFFFFC0h
		mov	[esi+4], eax
		and	ecx, 1
		mov	[ebp+var_70], ecx
		jmp	loc_778A76
; 

loc_8DABA5:				; CODE XREF: EtwpEnumerateAddressSpace+185j
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	loc_778AAB
; 

loc_8DABAC:				; CODE XREF: EtwpEnumerateAddressSpace+194j
					; EtwpEnumerateAddressSpace+1B6j
		mov	ecx, [esi]
		push	0
		lea	eax, [ebp+var_4C]
		push	eax
		push	2000h
		mov	edx, [ebp+var_48]
		call	ObQueryNameStringMode
		mov	[ebp+var_88], eax
		jmp	loc_778ADC
; 

loc_8DABCC:				; CODE XREF: EtwpEnumerateAddressSpace+1F3j
		mov	ecx, [ebp+var_68]
		mov	edx, [ebp+var_BC]
		mov	eax, [ebp+var_C0]
		jmp	loc_778B31
; END OF FUNCTION CHUNK	FOR EtwpEnumerateAddressSpace

;  S U B	R O U T	I N E 


sub_8DABE0	proc near		; DATA XREF: .text:006A104Co
		mov	eax, 1
		retn
sub_8DABE0	endp


;  S U B	R O U T	I N E 


sub_8DABE6	proc near		; DATA XREF: .text:006A1050o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0A0h]
		mov	[ebp-48h], eax
		mov	eax, [ebp-0A4h]
		mov	[ebp-54h], eax
		mov	esi, [ebp-9Ch]
		mov	edi, [ebp-80h]
		mov	ebx, [ebp-84h]
		mov	edx, [ebp-0A8h]
		mov	eax, [ebp-0ACh]
		mov	ecx, [ebp-0B0h]
		mov	[ebp-5Ch], ecx
		mov	ecx, [ebp-0B4h]
		mov	[ebp-58h], ecx
		mov	ecx, [ebp-68h]
		jmp	loc_778B38
sub_8DABE6	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpEnumerateAddressSpace

loc_8DAC37:				; CODE XREF: EtwpEnumerateAddressSpace+25Cj
		mov	ebx, eax
		mov	eax, [esi+4]
		mov	[ebp+var_84], eax
		mov	eax, [esi+8]
		mov	[ebp+var_D0], eax
		mov	edx, [esi+0Ch]
		mov	eax, [esi+10h]
		mov	[ebp+var_C8], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_C4], eax
		mov	ecx, 8
		xor	eax, eax
		mov	edi, esi
		rep stosd
		mov	eax, [ebp+var_5C]
		mov	eax, [eax+0E4h]
		mov	[esi+18h], eax
		mov	eax, [ebx+0Ch]
		mov	[esi+4], eax
		mov	eax, [ebp+var_84]
		mov	[esi], eax
		mov	[esi+10h], edx
		mov	eax, [ebp+var_90]
		mov	[esi+14h], eax
		mov	edx, [ebp+var_70]
		and	edx, 1
		xor	eax, eax
		shld	eax, edx, 5
		shl	edx, 5
		mov	eax, [ebp+var_74]
		and	eax, 1Fh
		or	edx, eax
		xor	ecx, ecx
		shl	edx, 10h
		mov	eax, [esi+0Ch]
		and	eax, 0FF40FFFFh
		or	[esi+8], ecx
		or	edx, eax
		or	edx, 400000h
		mov	[esi+0Ch], edx
		mov	eax, [ebp+var_7C]
		movzx	eax, ax
		mov	[ebp+var_60], eax
		mov	[ebp+var_64], 8000h
		lea	ebx, [ecx+3]
		mov	[ebp+var_4C], 1Ch
		mov	eax, [ebp+var_80]
		jmp	loc_778B88
; 

loc_8DACE5:				; CODE XREF: EtwpEnumerateAddressSpace+273j
		mov	eax, [ebp+var_4C]
		mov	edi, [ebp+var_54]
		mov	edx, [ebp+var_60]
		jmp	short loc_8DAD44
; 

loc_8DACF0:				; CODE XREF: EtwpEnumerateAddressSpace+140j
		cmp	eax, 2
		jnz	short loc_8DAD27
		mov	eax, [ebp+var_98]
		movzx	edx, ax
		mov	[ebp+var_60], edx
		mov	[ebp+var_64], 20008000h
		cmp	[ebp+var_58], ebx
		jz	short loc_8DAD14
		mov	eax, 14h
		jmp	short loc_8DAD41
; 

loc_8DAD14:				; CODE XREF: EtwpEnumerateAddressSpace+1623EBj
		mov	[ebp+var_4C], 10h
		mov	dword ptr [esi+0Ch], 8000h
		mov	eax, [ebp+var_4C]
		jmp	short loc_8DAD44
; 

loc_8DAD27:				; CODE XREF: EtwpEnumerateAddressSpace+1623D3j
		mov	eax, [ebp+var_7C]
		movzx	edx, ax
		mov	[ebp+var_60], edx
		mov	[ebp+var_64], 8000h
		mov	ebx, 3
		mov	eax, 1Ch

loc_8DAD41:				; CODE XREF: EtwpEnumerateAddressSpace+1623F2j
		mov	[ebp+var_4C], eax

loc_8DAD44:				; CODE XREF: EtwpEnumerateAddressSpace+1623CEj
					; EtwpEnumerateAddressSpace+162405j
		cmp	[ebp+var_58], 0
		jz	short loc_8DAD89
		mov	ecx, 501802h
		test	ebx, ebx
		jz	short loc_8DAD5B
		mov	ecx, ebx
		or	ecx, offset loc_501800

loc_8DAD5B:				; CODE XREF: EtwpEnumerateAddressSpace+162431j
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], 0
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], 0
		push	ecx
		push	edx
		push	1
		mov	eax, [edi]
		push	eax
		mov	edx, [edi+2E4h]
		lea	ecx, [ebp+var_34]
		call	EtwpLogKernelEvent
		jmp	loc_778B99
; 

loc_8DAD89:				; CODE XREF: EtwpEnumerateAddressSpace+162428j
		mov	ecx, offset loc_501902
		test	ebx, ebx
		jz	short loc_8DAD9A
		mov	ecx, ebx
		or	ecx, 501900h

loc_8DAD9A:				; CODE XREF: EtwpEnumerateAddressSpace+162470j
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], 0
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], 0
		push	ecx
		push	edx
		push	[ebp+var_64]
		mov	edx, 1
		lea	ecx, [ebp+var_44]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_778B99
; END OF FUNCTION CHUNK	FOR EtwpEnumerateAddressSpace
; 
; START	OF FUNCTION CHUNK FOR MmEnumerateAddressSpaceAndReferenceImages

loc_8DADC5:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+39j
		or	eax, 2
		mov	[ebp+var_20], eax
		jmp	loc_778CAF
; 

loc_8DADD0:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+42j
		or	eax, 4
		mov	[ebp+var_20], eax
		jmp	loc_778CB8
; 

loc_8DADDB:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+1DFj
		mov	eax, [ebx+0Ch]
		mov	edx, [ebp+var_24]
		shl	eax, 0Ch
		mov	[edx], eax
		mov	eax, [ebx+10h]
		sub	eax, [ebx+0Ch]
		inc	eax
		shl	eax, 0Ch
		mov	[edx+4], eax
		mov	ecx, [ebx+20h]
		mov	eax, ecx
		and	eax, 7FFFFFFFh
		shl	ecx, 0Ch
		cmp	eax, 0FFFFDh
		sbb	eax, eax
		and	eax, ecx
		mov	[edx+10h], eax
		mov	eax, [ebp+var_2C]
		mov	eax, [eax+0E4h]
		mov	[edx+8], eax
		mov	dword ptr [edx+0Ch], 2000h
		sub	edi, 3
		jz	short loc_8DAE67
		sub	edi, 1
		jz	short loc_8DAE59
		mov	eax, [ebx+1Ch]
		mov	ecx, 2000h
		test	eax, 100000h
		jz	short loc_8DAE89
		test	eax, 400000h
		jnz	short loc_8DAE4B
		and	eax, 0C0000h
		cmp	eax, 80000h
		jb	short loc_8DAE89

loc_8DAE4B:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+1621CDj
		mov	dword ptr [edx+0Ch], 20002000h
		mov	ecx, 20002000h
		jmp	short loc_8DAE89
; 

loc_8DAE59:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+1621B7j
		mov	dword ptr [edx+0Ch], 802000h
		mov	ecx, 802000h
		jmp	short loc_8DAE89
; 

loc_8DAE67:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+1621B2j
		mov	eax, [ebx+1Ch]
		and	eax, 3100000h
		cmp	eax, 2100000h
		jnz	short loc_8DAE7D
		mov	ecx, 2000h
		jmp	short loc_8DAE89
; 

loc_8DAE7D:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+162204j
		mov	dword ptr [edx+0Ch], offset off_402000
		mov	ecx, offset off_402000

loc_8DAE89:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+1621C6j
					; MmEnumerateAddressSpaceAndReferenceImages+1621D9j ...
		mov	eax, [ebx+1Ch]
		and	eax, 300000h
		cmp	eax, 300000h
		jnz	short loc_8DAEA1
		or	ecx, 200000h
		mov	[edx+0Ch], ecx

loc_8DAEA1:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+162226j
		mov	eax, [edx]
		and	eax, 0FFFFFFFEh
		or	eax, 2
		mov	[edx], eax
		jmp	loc_778E39
; 

loc_8DAEB0:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+1C3j
		mov	eax, [ebx+28h]
		mov	ecx, [edx+4]
		shr	eax, 18h
		and	ecx, 0FFFFFFFEh
		and	eax, 1
		or	ecx, eax
		mov	[edx+4], ecx
		mov	eax, [ebx+1Ch]
		shr	eax, 6
		xor	eax, ecx
		and	eax, 3Eh
		xor	eax, ecx
		mov	[edx+4], eax
		mov	eax, [ebx+20h]
		shl	eax, 0Ch
		mov	[edx+10h], eax
		jmp	loc_778E39
; 

loc_8DAEE2:				; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+251j
		mov	edi, [ebp+var_24]
		mov	ecx, ebx
		mov	edx, edi
		call	_MiFillMapFileInfo@8 ; MiFillMapFileInfo(x,x)
		mov	eax, [edi]
		and	eax, 0FFFFFFFDh
		or	eax, 1
		mov	[edi], eax
		jmp	loc_778E39
; END OF FUNCTION CHUNK	FOR MmEnumerateAddressSpaceAndReferenceImages
; 
; START	OF FUNCTION CHUNK FOR PsIsImageNotifyEnabled

loc_8DAEFD:				; CODE XREF: PsIsImageNotifyEnabled+7j
		test	byte ptr ds:_PerfGlobalGroupMask, 4
		jnz	loc_778F05
		xor	al, al
		retn
; END OF FUNCTION CHUNK	FOR PsIsImageNotifyEnabled
; 
; START	OF FUNCTION CHUNK FOR MiMarkSharedImageCfgBits

loc_8DAF0D:				; CODE XREF: MiMarkSharedImageCfgBits+98j
		mov	esi, [esp+50h+var_34]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8DAF25
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8DAF25:				; CODE XREF: MiMarkSharedImageCfgBits+16200Cj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, 0C000010Ah
		jmp	loc_77904D
; END OF FUNCTION CHUNK	FOR MiMarkSharedImageCfgBits
; 
; START	OF FUNCTION CHUNK FOR MiPopulateCfgBitMap

loc_8DAF36:				; CODE XREF: MiPopulateCfgBitMap+67j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8DAF4A
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8DAF4A:				; CODE XREF: MiPopulateCfgBitMap+161E25j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, 0C000010Ah
		jmp	loc_7791BC
; END OF FUNCTION CHUNK	FOR MiPopulateCfgBitMap
; 
; START	OF FUNCTION CHUNK FOR MiCopyToCfgBitMap

loc_8DAF5B:				; CODE XREF: MiCopyToCfgBitMap+411j
		mov	[ebp+var_3C], 100h
		mov	eax, 100h
		call	__alloca_probe_16
		mov	[ebp+var_18], esp
		mov	edx, esp
		jmp	loc_779272
; 

loc_8DAF76:				; CODE XREF: MiCopyToCfgBitMap+45Ej
		add	esi, edx
		mov	[ebp+var_34], esi
		add	[ebp+var_30], eax
		sub	[ebp+arg_18], eax
		jmp	loc_779644
; 

loc_8DAF86:				; CODE XREF: MiCopyToCfgBitMap+438j
		mov	edi, [ebp+var_3C]
		jmp	loc_77964A
; END OF FUNCTION CHUNK	FOR MiCopyToCfgBitMap

;  S U B	R O U T	I N E 


sub_8DAF8E	proc near		; DATA XREF: .text:006A1094o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-64h], eax
		mov	eax, 1
		retn
sub_8DAF8E	endp


;  S U B	R O U T	I N E 


sub_8DAF9E	proc near		; DATA XREF: .text:006A1098o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-64h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
sub_8DAF9E	endp

; START	OF FUNCTION CHUNK FOR MiCopyToCfgBitMap

loc_8DAFAB:				; CODE XREF: MiCopyToCfgBitMap+103j
					; MiCopyToCfgBitMap+11Dj
		mov	edx, [ebp+var_24]
		mov	edi, [ebp+var_2C]
		jmp	loc_779331
; 

loc_8DAFB6:				; CODE XREF: MiCopyToCfgBitMap+2E1j
		mov	eax, esi
		jmp	loc_7794CA
; 

loc_8DAFBD:				; CODE XREF: MiCopyToCfgBitMap+351j
		mov	eax, 1
		jmp	loc_7794DE
; 

loc_8DAFC7:				; CODE XREF: MiCopyToCfgBitMap+321j
		push	edi
		push	ebx
		push	[ebp+var_2C]
		push	43666720h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8DAFD8:				; CODE XREF: MiCopyToCfgBitMap+39Dj
		mov	ecx, [ebp+var_30]
		cmp	ecx, edx
		jz	loc_779346
		cmp	esi, 0C0000006h
		jz	loc_779346
		mov	eax, edx
		and	eax, 0FFFFF000h
		mov	ebx, ecx
		sub	ebx, eax
		shr	ebx, 0Ch
		jmp	loc_779583
; END OF FUNCTION CHUNK	FOR MiCopyToCfgBitMap
; 
; START	OF FUNCTION CHUNK FOR CcMapAndCopyFromCache

loc_8DB002:				; CODE XREF: CcMapAndCopyFromCache+6Dj
		cmp	byte ptr [ebp+arg_0], 0
		jz	loc_77989F
		jmp	loc_7797F8
; 

loc_8DB011:				; CODE XREF: CcMapAndCopyFromCache+C6j
		mov	[esp+30h+var_C], 1
		jmp	loc_779831
; 

loc_8DB01B:				; CODE XREF: CcMapAndCopyFromCache+117j
		mov	ecx, [esp+30h+var_1C]
		mov	edx, 8
		push	1
		call	CcUpdateSharedCacheMapFlag
		push	edi
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_8DB031:				; CODE XREF: CcMapAndCopyFromCache+125j
		push	0
		mov	edx, 8
		mov	ecx, ebx
		call	CcUpdateSharedCacheMapFlag
		jmp	loc_77988B
; END OF FUNCTION CHUNK	FOR CcMapAndCopyFromCache
; 
; START	OF FUNCTION CHUNK FOR MmHardFaultBytesRequired

loc_8DB044:				; CODE XREF: MmHardFaultBytesRequired+BBj
		push	edx
		push	edi
		call	_IS_PTE_NOT_DEMAND_ZERO@8 ; IS_PTE_NOT_DEMAND_ZERO(x,x)
		test	eax, eax
		jnz	loc_779980
		jmp	loc_779948
; END OF FUNCTION CHUNK	FOR MmHardFaultBytesRequired
; 
; START	OF FUNCTION CHUNK FOR CcMapData

loc_8DB058:				; CODE XREF: CcMapData+6Fj
		mov	eax, large fs:124h
		movzx	eax, byte ptr [eax+309h]
		add	eax, 2
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		mov	eax, large fs:124h
		mov	byte ptr [eax+309h], 1
		jmp	loc_779A25
; END OF FUNCTION CHUNK	FOR CcMapData

;  S U B	R O U T	I N E 


sub_8DB080	proc near		; DATA XREF: .text:006A1100o
		mov	ebx, [ebp+14h]
		mov	ecx, [ebp-24h]
		jmp	sub_779A89
sub_8DB080	endp

; 
; START	OF FUNCTION CHUNK FOR sub_779A89

loc_8DB08B:				; CODE XREF: sub_779A89+6j
		mov	eax, large fs:124h
		sub	cl, 2
		mov	[eax+309h], cl
		jmp	loc_779A95
; 

loc_8DB09F:				; CODE XREF: sub_779A89+10j
		mov	ecx, [ebp-1Ch]
		test	ecx, ecx
		jz	locret_779A9F
		push	0
		mov	dl, 1
		call	CcUnpinFileDataEx
		jmp	locret_779A9F
; END OF FUNCTION CHUNK	FOR sub_779A89
; 
; START	OF FUNCTION CHUNK FOR MiReleaseVadEventBlocks

loc_8DB0B8:				; CODE XREF: MiReleaseVadEventBlocks+7Aj
		xor	eax, eax
		mov	[ebp+var_4], 1
		cmp	[ebp+var_8], eax
		mov	edx, esi
		mov	ecx, edi
		setnz	al
		push	eax
		push	ebx
		call	_MiFreeLargePageView@16	; MiFreeLargePageView(x,x,x,x)
		mov	eax, [ebx+24h]
		jmp	loc_779B30
; 

loc_8DB0DA:				; CODE XREF: MiReleaseVadEventBlocks+91j
		mov	ecx, ebx
		call	_MiFreeAweView@4 ; MiFreeAweView(x)
		mov	eax, [ebx+24h]
		jmp	loc_779B47
; 

loc_8DB0E9:				; CODE XREF: MiReleaseVadEventBlocks+5Aj
					; MiReleaseVadEventBlocks+68j
		test	cl, 70h
		jnz	loc_779AEE
		cmp	[ebp+var_4], 0
		jnz	loc_779AEE
		xor	eax, eax
		mov	edx, esi
		cmp	[ebp+var_8], eax
		mov	ecx, edi
		setnz	al
		push	eax
		push	0
		call	_MiFreeLargePageView@16	; MiFreeLargePageView(x,x,x,x)
		jmp	loc_779AEE
; END OF FUNCTION CHUNK	FOR MiReleaseVadEventBlocks
; 
; START	OF FUNCTION CHUNK FOR MiRemoveVadCharges

loc_8DB115:				; CODE XREF: MiRemoveVadCharges+3Fj
		mov	ecx, [esi+1Ch]
		and	ecx, 70h
		cmp	cl, 50h
		jz	loc_779BD5
		mov	ecx, esi
		mov	[ebp+var_8], 1
		call	MiVadCommitCrossPartition
		mov	edx, eax
		jmp	loc_779BD5
; 

loc_8DB139:				; CODE XREF: MiRemoveVadCharges+BBj
		neg	edi
		lea	eax, [ebx+35Ch]
		lock xadd [eax], edi
		jmp	loc_779C08
; 

loc_8DB14A:				; CODE XREF: MiRemoveVadCharges+D0j
		cmp	edx, ecx
		jbe	short loc_8DB15C
		sub	edx, ecx
		mov	dword ptr [eax+8], 0
		jmp	loc_779C66
; 

loc_8DB15C:				; CODE XREF: MiRemoveVadCharges+1615BCj
		sub	ecx, edx
		mov	[eax+8], ecx
		jmp	loc_779C0F
; END OF FUNCTION CHUNK	FOR MiRemoveVadCharges
; 
; START	OF FUNCTION CHUNK FOR MiReturnVadQuota

loc_8DB166:				; CODE XREF: MiReturnVadQuota+4Fj
		push	28h
		push	esi
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		jmp	loc_779CE7
; END OF FUNCTION CHUNK	FOR MiReturnVadQuota
; 
; START	OF FUNCTION CHUNK FOR HvCheckBin

loc_8DB173:				; CODE XREF: HvCheckBin+77j
		mov	ebx, [ebp+arg_10]
		mov	esi, 0C000014Ch
		test	ebx, ebx
		jz	loc_779DDB
		push	30h
		jmp	short loc_8DB19D
; 

loc_8DB187:				; CODE XREF: HvCheckBin+4Ej
					; HvCheckBin+5Cj
		mov	ebx, [ebp+arg_10]
		mov	esi, 0C000014Ch
		test	ebx, ebx
		jz	loc_779DDB
		push	20h
		jmp	short loc_8DB19D
; 

loc_8DB19B:				; CODE XREF: HvCheckBin+1614C8j
		push	50h

loc_8DB19D:				; CODE XREF: HvCheckBin+161485j
					; HvCheckBin+161499j
		push	0C000014Ch
		push	11h
		xor	edx, edx
		mov	ecx, ebx
		call	SetFailureLocation
		mov	[ebx+114h], edi
		jmp	loc_779DDB
; 

loc_8DB1B8:				; CODE XREF: HvCheckBin+180j
		mov	ebx, [ebp+arg_10]
		mov	esi, 0C000014Ch
		test	ebx, ebx
		jz	loc_779DDB
		jmp	short loc_8DB19B
; 

loc_8DB1CA:				; CODE XREF: HvCheckBin+15Aj
					; HvCheckBin+168j ...
		mov	ebx, [ebp+arg_10]
		test	ebx, ebx
		jz	short loc_8DB1E9
		push	40h
		push	0C000014Ch
		push	11h
		xor	edx, edx
		mov	ecx, ebx
		call	SetFailureLocation
		mov	[ebx+114h], edi

loc_8DB1E9:				; CODE XREF: HvCheckBin+1614CFj
		mov	eax, 3Ch
		jmp	loc_779DDD
; 

loc_8DB1F3:				; CODE XREF: HvCheckBin+BFj
		push	60h
		jmp	short loc_8DB1F9
; 

loc_8DB1F7:				; CODE XREF: HvCheckBin+CAj
		push	70h

loc_8DB1F9:				; CODE XREF: HvCheckBin+1614F5j
		mov	ecx, [ebp+arg_10]
		mov	esi, 0C000014Ch
		push	esi
		push	11h
		xor	edx, edx
		call	SetFailureLocation
		jmp	loc_779DDB
; END OF FUNCTION CHUNK	FOR HvCheckBin
; 
; START	OF FUNCTION CHUNK FOR MiInsertVadCharges

loc_8DB210:				; CODE XREF: MiInsertVadCharges+96j
		mov	ebx, [ebp+var_4]
		push	4Ch
		push	ebx
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		mov	eax, [ebp+var_C]
		jmp	loc_77A094
; 

loc_8DB223:				; CODE XREF: MiInsertVadCharges+AAj
		and	ecx, 3100000h
		cmp	ecx, 2100000h
		jnz	short loc_8DB235
		xor	eax, eax
		jmp	short loc_8DB244
; 

loc_8DB235:				; CODE XREF: MiInsertVadCharges+16133Fj
		mov	edx, 100h
		mov	ecx, edi
		call	_MiLocateVadEvent@8 ; MiLocateVadEvent(x,x)
		add	eax, 4

loc_8DB244:				; CODE XREF: MiInsertVadCharges+161343j
		mov	edx, eax
		mov	ecx, edi
		call	_MiComputeAweCharges@8 ; MiComputeAweCharges(x,x)
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		jmp	loc_77A0C8
; 

loc_8DB257:				; CODE XREF: MiInsertVadCharges+1F1j
		mov	ebx, [ebp+var_4]
		mov	eax, 0C000009Ah
		xor	esi, esi
		mov	[ebp+var_8], eax
		jmp	short loc_8DB27E
; 

loc_8DB266:				; CODE XREF: MiInsertVadCharges+1B3j
		push	28h
		push	edx
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		test	eax, eax
		js	loc_77A094
		jmp	loc_77A0E7
; 

loc_8DB27B:				; CODE XREF: MiInsertVadCharges+109j
		mov	esi, [ebp+var_C]

loc_8DB27E:				; CODE XREF: MiInsertVadCharges+161374j
		mov	ecx, [edi+20h]
		and	ecx, 7FFFFFFFh
		cmp	ecx, 0FFFFDh
		jnb	short loc_8DB29A
		push	4Ch
		push	ebx
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		mov	eax, [ebp+var_8]

loc_8DB29A:				; CODE XREF: MiInsertVadCharges+16139Dj
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jz	short loc_8DB2AB
		push	ecx
		push	ebx
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)
		mov	eax, [ebp+var_8]

loc_8DB2AB:				; CODE XREF: MiInsertVadCharges+1613AFj
		test	esi, esi
		jz	loc_77A094
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	edx, esi
		mov	ecx, eax
		call	_MiReturnResident@8 ; MiReturnResident(x,x)
		mov	eax, [ebp+var_8]
		jmp	loc_77A094
; 

loc_8DB2C9:				; CODE XREF: MiInsertVadCharges+17Ej
		mov	edx, eax
		mov	[ebp+var_C], 1
		jmp	loc_77A074
; 

loc_8DB2D7:				; CODE XREF: MiInsertVadCharges+189j
		mov	ecx, [ebp+var_10]
		dec	ecx
		mov	[ebp+var_C], 1
		jmp	loc_77A07F
; 

loc_8DB2E7:				; CODE XREF: MiInsertVadCharges+15Ej
					; MiInsertVadCharges+16Dj ...
		mov	eax, [ebp+var_4]
		inc	edx
		add	esi, 24h
		mov	[ebp+var_8], edx
		cmp	edx, [eax]
		jb	loc_77A040
		jmp	loc_77A092
; END OF FUNCTION CHUNK	FOR MiInsertVadCharges
; 
; START	OF FUNCTION CHUNK FOR MiMapViewOfSection

loc_8DB2FE:				; CODE XREF: MiMapViewOfSection+362j
		test	dword ptr [esi+28h], 2000000h
		jz	loc_77AA16
		jmp	loc_77A958
; 

loc_8DB310:				; CODE XREF: MiMapViewOfSection+385j
		and	ebx, 0DFFFFFFFh
		mov	[ebp+var_64], ebx
		mov	[eax], ebx
		jmp	loc_77A75C
; 

loc_8DB320:				; CODE XREF: MiMapViewOfSection+511j
		test	byte ptr [esi+30h], 2
		jnz	short loc_8DB35A
		and	eax, 0FFFFF000h
		mov	[ecx], eax
		jmp	loc_77A7F6
; 

loc_8DB332:				; CODE XREF: MiMapViewOfSection+1E9j
		cmp	dword ptr [ebx+20h], 0
		jz	loc_77A7DF
		mov	eax, 10000h
		jmp	loc_77A7DF
; 

loc_8DB346:				; CODE XREF: MiMapViewOfSection+21Ej
		test	byte ptr [esi+30h], 2
		jnz	short loc_8DB35A
		neg	edx
		and	edx, edi
		mov	[ebx], edx
		mov	ecx, [esi+0Ch]
		jmp	loc_77A814
; 

loc_8DB35A:				; CODE XREF: MiMapViewOfSection+D0j
					; MiMapViewOfSection+DBj ...
		mov	eax, 0C0000220h
		jmp	loc_77A930
; 

loc_8DB364:				; CODE XREF: MiMapViewOfSection+256j
		xor	eax, eax
		test	ebx, ebx
		setnz	al
		add	eax, 0C0000017h
		jmp	loc_77A930
; 

loc_8DB375:				; CODE XREF: MiMapViewOfSection+262j
		test	dword ptr [edx], 2000h
		jz	loc_77AA16
		jmp	loc_77A858
; 

loc_8DB386:				; CODE XREF: MiMapViewOfSection+139j
					; MiMapViewOfSection+4BCj
		mov	eax, 0C000004Eh
		jmp	loc_77A930
; 

loc_8DB390:				; CODE XREF: MiMapViewOfSection+2A2j
		mov	ecx, [ebp+var_54]
		test	dword ptr [ecx+1Ch], 420h
		jnz	loc_77AA16
		test	edx, 0FFFFDFFFh
		jnz	loc_77AA16
		test	ebx, ebx
		jz	loc_77AA16
		mov	eax, [ebp+var_48]
		mov	ecx, [eax]
		mov	eax, ecx
		and	eax, 0FFFFF000h
		cmp	ecx, eax
		jnz	loc_77AA16
		cmp	[ebp+var_5C], edi
		jz	loc_77AA16
		jmp	loc_77A898
; 

loc_8DB3D6:				; CODE XREF: MiMapViewOfSection+2B7j
		and	ecx, 0FFFFFBFFh
		or	ecx, 200h
		mov	[esi+18h], ecx
		movzx	edi, word ptr [ebx+8]
		jmp	loc_77A8AD
; 

loc_8DB3EE:				; CODE XREF: MiMapViewOfSection+2D6j
		mov	eax, 0C0000045h
		jmp	loc_77A930
; 

loc_8DB3F8:				; CODE XREF: MiMapViewOfSection+2F3j
		test	dword ptr [ecx+2FCh], 40000h
		jnz	loc_77A8E9
		test	byte ptr [edi+20h], 20h
		jz	short loc_8DB41E
		and	edx, 0DFFFFFFFh
		mov	ecx, [ebp+var_58]
		mov	[ecx], edx
		jmp	loc_77A8E9
; 

loc_8DB41E:				; CODE XREF: MiMapViewOfSection+160E1Cj
		test	bl, 2
		jz	loc_77A8E9
		mov	ecx, eax
		call	MiArbitraryCodeBlocked
		jmp	loc_77A930
; 

loc_8DB433:				; CODE XREF: MiMapViewOfSection+3C2j
		and	eax, 0DFFFFFFFh
		mov	[esi+14h], eax
		push	0
		push	ebx
		push	[ebp+arg_C]
		mov	eax, [ebp+var_40]
		push	eax
		push	[ebp+var_44]
		lea	eax, [ebp+var_50]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp+var_54]
		call	MiMapViewOfImageSection
		mov	[ebp+var_6C], eax
		test	edi, edi
		jns	short loc_8DB46A
		mov	ecx, [ebp+var_50]
		mov	[ebp+var_4C], ecx
		mov	edi, eax
		jmp	loc_77A9B8
; 

loc_8DB46A:				; CODE XREF: MiMapViewOfSection+160E6Bj
		test	eax, eax
		jns	short loc_8DB488
		push	0
		push	0
		mov	edx, [ebp+var_4C]
		mov	ecx, [ebp+var_60]
		call	MiUnmapViewOfSection
		mov	edi, [ebp+var_40]
		mov	ecx, [ebp+var_54]
		jmp	loc_77A990
; 

loc_8DB488:				; CODE XREF: MiMapViewOfSection+160E7Cj
		mov	[ebp+var_4], 0
		push	[ebp+var_5C]	; size_t
		push	[ebp+var_50]	; void *
		push	[ebp+var_4C]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	edx, [ebp+var_6C]
		mov	ecx, [ebp+var_60]
		jmp	short loc_8DB4F0
; END OF FUNCTION CHUNK	FOR MiMapViewOfSection

;  S U B	R O U T	I N E 


sub_8DB4AF	proc near		; DATA XREF: .text:006A113Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-74h], eax
		mov	eax, 1
		retn
sub_8DB4AF	endp


;  S U B	R O U T	I N E 


sub_8DB4BF	proc near		; DATA XREF: .text:006A1140o
		mov	esp, [ebp-18h]
		mov	edx, [ebp-74h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-78h]
		mov	[ebp-40h], eax
		mov	ebx, [ebp-68h]
		mov	edi, [ebp-64h]
		mov	eax, [ebp-58h]
		mov	[ebp-5Ch], eax
		mov	ecx, [ebp-7Ch]
		mov	[ebp-60h], ecx
		mov	esi, [ebp-80h]
		mov	eax, [ebp-84h]
		mov	[ebp-48h], eax
sub_8DB4BF	endp

; START	OF FUNCTION CHUNK FOR MiMapViewOfSection

loc_8DB4F0:				; CODE XREF: MiMapViewOfSection+160EBDj
		push	0
		push	0
		test	edx, edx
		js	short loc_8DB505
		mov	edx, [ebp+var_50]
		call	MiUnmapViewOfSection
		jmp	loc_77A9B8
; 

loc_8DB505:				; CODE XREF: MiMapViewOfSection+160F06j
		mov	edx, [ebp+var_4C]
		call	MiUnmapViewOfSection
		push	0
		push	0
		mov	edx, [ebp+var_50]
		mov	ecx, [ebp+var_60]
		call	MiUnmapViewOfSection
		mov	edi, [ebp+var_40]
		mov	ecx, [ebp+var_54]
		jmp	loc_77A990
; END OF FUNCTION CHUNK	FOR MiMapViewOfSection
; 
; START	OF FUNCTION CHUNK FOR NtAllocateVirtualMemory

loc_8DB527:				; CODE XREF: NtAllocateVirtualMemory+7Dj
		mov	ecx, eax
		jmp	loc_77ABB3
; 

loc_8DB52E:				; CODE XREF: NtAllocateVirtualMemory+93j
		mov	ecx, eax
		jmp	loc_77ABC9
; END OF FUNCTION CHUNK	FOR NtAllocateVirtualMemory

;  S U B	R O U T	I N E 


sub_8DB535	proc near		; DATA XREF: .text:006A1168o
		mov	eax, large fs:124h
		mov	[ebp-2Ch], eax
		mov	eax, [ebp-2Ch]
		mov	al, [eax+15Ah]
		mov	[ebp-19h], al
		mov	cl, [ebp-19h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_8DB535	endp


;  S U B	R O U T	I N E 


sub_8DB555	proc near		; DATA XREF: .text:006A116Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp+14h]
		jmp	loc_77AC37
sub_8DB555	endp

; 

loc_8DB567:				; DATA XREF: .text:006A115Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		mov	eax, large fs:124h
		mov	[ebp-30h], eax
		mov	eax, [ebp-30h]
		mov	al, [eax+15Ah]
		mov	[ebp-1Ah], al
		mov	cl, [ebp-1Ah]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
; 

loc_8DB591:				; DATA XREF: .text:006A1160o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-34h]
		jmp	loc_77AC39
; 
; START	OF FUNCTION CHUNK FOR MmProtectVirtualMemory

loc_8DB5A3:				; CODE XREF: MmProtectVirtualMemory+53j
		call	_xHalProcessorFreeze@0 ; xHalProcessorFreeze()
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], eax
		test	eax, eax
		jns	loc_77AE89
		mov	ebx, eax
		jmp	loc_8DB829
; 

loc_8DB5BD:				; CODE XREF: MmProtectVirtualMemory+466j
		mov	eax, 0C00000F2h
		jmp	loc_77B179
; 

loc_8DB5C7:				; CODE XREF: MmProtectVirtualMemory+7Fj
		cmp	eax, 80000000h
		jz	short loc_8DB5D5
		cmp	eax, 10000000h
		jnz	short loc_8DB5E1

loc_8DB5D5:				; CODE XREF: MmProtectVirtualMemory+16079Cj
		mov	[ebp+var_4], 18h
		jmp	loc_77AEC8
; 

loc_8DB5E1:				; CODE XREF: MmProtectVirtualMemory+92j
					; MmProtectVirtualMemory+1607A3j
		mov	eax, 0C0000045h
		jmp	loc_77B179
; 

loc_8DB5EB:				; CODE XREF: MmProtectVirtualMemory+C7j
		mov	ebx, [ebp+var_14]
		cmp	ebx, 0C00000A0h
		jnz	loc_8DB829
		mov	ebx, 0C0000018h
		jmp	loc_8DB829
; 

loc_8DB604:				; CODE XREF: MmProtectVirtualMemory+E6j
		cmp	[ebp+var_18], 0
		jnz	loc_77AF26

loc_8DB60E:				; CODE XREF: MmProtectVirtualMemory+F0j
					; MmProtectVirtualMemory+142j ...
		mov	ebx, 0C0000045h
		jmp	loc_8DB822
; 

loc_8DB618:				; CODE XREF: MmProtectVirtualMemory+42Fj
		mov	eax, large fs:124h
		mov	ecx, edi
		mov	edx, [ebp+var_1C]
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_38], al
		push	[ebp+var_38]
		push	[ebp+var_4]
		push	[ebp+var_2C]
		call	MiCheckSecuredVad
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_8DB81F
		mov	[ebp+var_14], 1
		jmp	loc_77B265
; 

loc_8DB651:				; CODE XREF: MmProtectVirtualMemory+123j
					; MmProtectVirtualMemory+3CDj ...
		mov	eax, edx
		and	eax, offset loc_500000
		cmp	eax, offset loc_500000
		jnz	short loc_8DB680
		mov	ecx, edi
		call	_MiGetVadPageSize@4 ; MiGetVadPageSize(x)
		shl	eax, 0Ch
		lea	ecx, [esi+1]
		or	ecx, [ebp+var_1C]
		dec	eax
		test	eax, ecx
		jnz	loc_8DB818
		mov	ecx, [ebp+var_38]
		jmp	loc_77AF59
; 

loc_8DB680:				; CODE XREF: MmProtectVirtualMemory+16082Dj
		mov	ebx, [ebp+var_4]
		shr	edx, 7
		and	edx, 1Fh
		cmp	ebx, edx
		jnz	loc_8DB818
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		mov	eax, [ebp+arg_8]
		sub	esi, eax
		mov	ecx, [ebp+arg_4]
		inc	esi
		mov	[ecx], esi
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_C]
		mov	eax, ds:_MmProtectToValue[ebx*4]
		mov	[ecx], eax
		jmp	loc_77B177
; 

loc_8DB6B9:				; CODE XREF: MmProtectVirtualMemory+158j
		mov	ebx, [ebp+arg_8]
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_18]
		mov	edx, esi
		mov	ecx, ebx
		push	[ebp+var_4]
		call	_MiProtectAweRegion@20 ; MiProtectAweRegion(x,x,x,x,x)
		mov	[ebp+arg_8], eax
		test	eax, eax
		js	loc_8DB818
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		mov	eax, [ebp+arg_4]
		sub	esi, ebx
		mov	ecx, [ebp+arg_C]
		inc	esi
		mov	[eax], esi
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx
		mov	eax, [ebp+var_C]
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		jmp	loc_77B179
; 

loc_8DB6FE:				; CODE XREF: MmProtectVirtualMemory+176j
		cmp	[ebp+var_14], 0
		jnz	loc_77AFAC
		mov	eax, large fs:124h
		mov	ecx, edi
		mov	edx, [ebp+var_1C]
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_38], al
		push	[ebp+var_38]
		push	[ebp+var_4]
		push	[ebp+var_2C]
		call	MiCheckSecuredVad
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_8DB81F
		mov	eax, [ebp+var_10]
		jmp	loc_77AFAC
; 

loc_8DB73D:				; CODE XREF: MmProtectVirtualMemory+1EBj
		cmp	ebx, 80h
		jz	short loc_8DB74A
		cmp	ebx, 8
		jnz	short loc_8DB7B5

loc_8DB74A:				; CODE XREF: MmProtectVirtualMemory+160913j
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		mov	eax, [ebp+arg_8]
		sub	esi, eax
		mov	ecx, [ebp+arg_4]
		inc	esi
		mov	[ecx], esi
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_C]
		mov	eax, ds:_MmProtectToValue[eax*4]
		mov	[ecx], eax
		xor	eax, eax
		jmp	loc_77B179
; 

loc_8DB777:				; CODE XREF: MmProtectVirtualMemory+288j
		mov	eax, [ebp+var_30]
		jmp	loc_77B0CF
; 

loc_8DB77F:				; CODE XREF: MmProtectVirtualMemory+2A1j
		mov	[ebp+var_1C], 0
		jmp	loc_77B0DF
; 

loc_8DB78B:				; CODE XREF: MmProtectVirtualMemory+2B7j
		mov	eax, [eax+8]
		mov	[ebp+var_28], eax
		mov	esi, [eax+4]
		test	esi, esi
		jnz	loc_77B094
		mov	[ebp+var_1C], esi
		jmp	loc_77B0ED
; 

loc_8DB7A4:				; CODE XREF: MmProtectVirtualMemory+4C9j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_77B11D
; 

loc_8DB7AE:				; CODE XREF: MmProtectVirtualMemory+20Cj
					; MmProtectVirtualMemory+227j ...
		mov	ebx, 0C000002Dh
		jmp	short loc_8DB822
; 

loc_8DB7B5:				; CODE XREF: MmProtectVirtualMemory+1CAj
					; MmProtectVirtualMemory+160918j
		mov	ebx, 0C000004Eh
		jmp	short loc_8DB822
; 

loc_8DB7BC:				; CODE XREF: MmProtectVirtualMemory+3A3j
		test	ebx, 0FFFFF9F9h
		jnz	loc_8DB60E
		mov	edx, ecx
		and	ebx, 0FFFFF9FFh
		and	edx, 0C00h
		test	ecx, 380h
		setnz	cl
		cmp	edx, 0C00h
		setz	al
		test	cl, al
		jz	short loc_8DB7F4
		or	ebx, 400h
		jmp	short loc_8DB802
; 

loc_8DB7F4:				; CODE XREF: MmProtectVirtualMemory+1609BAj
		cmp	edx, 400h
		jnz	short loc_8DB802
		or	ebx, 200h

loc_8DB802:				; CODE XREF: MmProtectVirtualMemory+1609C2j
					; MmProtectVirtualMemory+1609CAj
		mov	ecx, ebx
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		jmp	loc_77B1DC
; 

loc_8DB80E:				; CODE XREF: MmProtectVirtualMemory+341j
		mov	eax, 40000017h
		jmp	loc_77B179
; 

loc_8DB818:				; CODE XREF: MmProtectVirtualMemory+D3j
					; MmProtectVirtualMemory+161j ...
		mov	ebx, 0C0000018h
		jmp	short loc_8DB822
; 

loc_8DB81F:				; CODE XREF: MmProtectVirtualMemory+400j
					; MmProtectVirtualMemory+455j ...
		mov	ebx, [ebp+var_8]

loc_8DB822:				; CODE XREF: MmProtectVirtualMemory+318j
					; MmProtectVirtualMemory+4D3j ...
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad

loc_8DB829:				; CODE XREF: MmProtectVirtualMemory+160788j
					; MmProtectVirtualMemory+1607C4j ...
		mov	eax, ebx
		jmp	loc_77B179
; END OF FUNCTION CHUNK	FOR MmProtectVirtualMemory
; 
; START	OF FUNCTION CHUNK FOR MiAllocateVirtualMemoryCommon

loc_8DB830:				; CODE XREF: MiAllocateVirtualMemoryCommon+7Cj
		cmp	ecx, 0FFFFFFFDh
		jnz	short loc_8DB83F
		mov	edi, 1
		jmp	loc_77B392
; 

loc_8DB83F:				; CODE XREF: MiAllocateVirtualMemoryCommon+160523j
		push	ecx
		lea	eax, [esp+7Ch+var_68]
		mov	edx, 2
		push	eax
		push	61566D4Dh
		push	[ebp+arg_14]
		call	_PsReferencePartitionByHandle@24 ; PsReferencePartitionByHandle(x,x,x,x,x,x)
		mov	edi, [esp+78h+var_68]
		mov	esi, eax
		test	esi, esi
		js	loc_77B3FD
		jmp	loc_77B392
; 

loc_8DB86A:				; CODE XREF: MiAllocateVirtualMemoryCommon+86j
		mov	eax, [ebp+arg_8]
		and	eax, 20400000h
		cmp	eax, 400000h
		jz	loc_77B39C
		mov	esi, 0C000000Dh
		jmp	loc_77B3FD
; 

loc_8DB887:				; CODE XREF: MiAllocateVirtualMemoryCommon+BDj
		cmp	edi, 1
		jz	loc_77B3D3
		mov	ecx, edi
		call	PsDereferencePartition
		jmp	loc_77B3D3
; END OF FUNCTION CHUNK	FOR MiAllocateVirtualMemoryCommon
; 
; START	OF FUNCTION CHUNK FOR MiAllocateVirtualMemoryPrepare

loc_8DB89C:				; CODE XREF: MiAllocateVirtualMemoryPrepare+42Bj
		cmp	ebx, 1000000h
		jnz	loc_77B921
		jmp	loc_77B851
; 

loc_8DB8AD:				; CODE XREF: MiAllocateVirtualMemoryPrepare+449j
		test	ebx, 40800000h
		jz	loc_77B87A
		jmp	loc_77B921
; 

loc_8DB8BE:				; CODE XREF: MiAllocateVirtualMemoryPrepare+454j
		test	ebx, 40C00000h
		jnz	loc_77B921
		jmp	loc_77B87A
; 

loc_8DB8CF:				; CODE XREF: MiAllocateVirtualMemoryPrepare+46Bj
		test	ebx, 2000h
		jz	loc_77B921
		test	ebx, 0FF8F9FFFh
		jnz	loc_77B921
		mov	ecx, edx
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		cmp	eax, 0FFFFFFFFh
		jz	loc_77B94F
		mov	ecx, eax
		and	ecx, 0FFFFFFF8h
		cmp	ecx, 10h
		jz	loc_77B94F
		and	eax, 7
		cmp	eax, 4
		jz	short loc_8DB92D
		cmp	eax, 1
		jz	short loc_8DB92D
		mov	eax, 0C0000045h
		jmp	loc_77B926
; 

loc_8DB91C:				; CODE XREF: MiAllocateVirtualMemoryPrepare+477j
		test	ebx, 100000h
		jz	loc_77B89D
		jmp	loc_77B921
; 

loc_8DB92D:				; CODE XREF: MiAllocateVirtualMemoryPrepare+1604EBj
					; MiAllocateVirtualMemoryPrepare+1604F0j
		mov	ecx, [esp+40h+var_10]
		jmp	loc_77B89D
; 

loc_8DB936:				; CODE XREF: MiAllocateVirtualMemoryPrepare+483j
		test	ebx, 2000h
		jz	loc_77B921
		test	ebx, 0BFEBDFFFh
		jnz	loc_77B921
		cmp	edx, 1
		jz	loc_77B4A3
		jmp	loc_77B921
; 

loc_8DB95C:				; CODE XREF: MiAllocateVirtualMemoryPrepare+496j
		test	ebx, 2000h
		jz	loc_77B921
		test	ebx, 0DF9F8FFFh
		jnz	loc_77B921
		jmp	loc_77B4A3
; 

loc_8DB979:				; CODE XREF: MiAllocateVirtualMemoryPrepare+85j
		call	_xHalProcessorFreeze@0 ; xHalProcessorFreeze()
		mov	[esp+40h+var_2C], eax
		test	eax, eax
		js	loc_77B92A
		jmp	loc_77B4AB
; 

loc_8DB98F:				; CODE XREF: MiAllocateVirtualMemoryPrepare+A2j
		mov	eax, ebx
		and	eax, 20400000h
		cmp	eax, 20000000h
		jz	loc_77B4C8
		cmp	eax, 20400000h
		jnz	loc_77B921
		mov	eax, [edi+28h]
		and	eax, 2
		or	eax, 0
		jz	loc_77B921
		jmp	loc_77B4C8
; 

loc_8DB9C0:				; CODE XREF: MiAllocateVirtualMemoryPrepare+DEj
		mov	[esp+40h+var_28], 200000h
		jmp	loc_77B504
; 

loc_8DB9CD:				; CODE XREF: MiAllocateVirtualMemoryPrepare+EDj
		dec	eax
		test	[esp+40h+var_20], eax
		jnz	loc_77B921
		mov	eax, [esp+40h+var_20]
		test	al, 2
		jz	short loc_8DBA1C
		cmp	ecx, 20400000h
		jmp	short loc_8DB9F6
; 

loc_8DB9E8:				; CODE XREF: MiAllocateVirtualMemoryPrepare+160608j
		mov	[esp+40h+var_28], 200000h

loc_8DB9F0:				; CODE XREF: MiAllocateVirtualMemoryPrepare+160606j
		cmp	ecx, 20000000h

loc_8DB9F6:				; CODE XREF: MiAllocateVirtualMemoryPrepare+1605C6j
		jz	loc_77B52D
		cmp	ecx, 400000h
		jnz	loc_77B921

loc_8DBA08:				; CODE XREF: MiAllocateVirtualMemoryPrepare+107j
		mov	eax, edx
		and	eax, 0FFFFFFF0h
		or	eax, [esp+40h+var_8]
		jnz	loc_77B921
		jmp	loc_77B52D
; 

loc_8DBA1C:				; CODE XREF: MiAllocateVirtualMemoryPrepare+1605BEj
		test	al, 10h
		jnz	loc_77B921
		test	al, 8
		jz	short loc_8DB9F0
		jmp	short loc_8DB9E8
; 

loc_8DBA2A:				; CODE XREF: MiAllocateVirtualMemoryPrepare+140j
		lea	ecx, [ebp+arg_0]
		call	_MiValidateZeroBits@4 ;	MiValidateZeroBits(x)
		mov	[esp+40h+var_2C], eax
		test	eax, eax
		js	loc_77B92A
		mov	eax, [esp+40h+var_24]
		test	eax, eax
		jz	loc_77B566
		test	esi, esi
		jnz	loc_77B566
		mov	ecx, [esp+40h+var_14]
		call	MiGetUserReservationHighestAddress
		mov	[edi+4], eax
		mov	eax, [esp+40h+var_24]
		jmp	loc_77B566
; 

loc_8DBA67:				; CODE XREF: MiAllocateVirtualMemoryPrepare+158j
		mov	eax, [ebp+arg_24]
		or	dword ptr [eax+28h], 8000000h
		jmp	short loc_8DBA9A
; 

loc_8DBA73:				; CODE XREF: MiAllocateVirtualMemoryPrepare+160j
		cmp	dword ptr [edi], 0
		jnz	loc_77B921
		cmp	dword ptr [edi+4], 0
		jnz	loc_77B921
		cmp	dword ptr [edi+8], 0
		jnz	loc_77B921
		mov	eax, [ebp+arg_24]
		or	dword ptr [eax+28h], 4000000h

loc_8DBA9A:				; CODE XREF: MiAllocateVirtualMemoryPrepare+160651j
		mov	eax, [esp+40h+var_24]
		test	ecx, ecx
		jz	loc_77B586
		cmp	[esp+40h+var_20], 0
		jnz	loc_77B72B
		cmp	[esp+40h+var_1C], 20000000h
		jz	loc_77B72B
		mov	edx, 1000h
		mov	[esp+40h+var_28], edx
		jmp	loc_77B597
; 

loc_8DBACD:				; CODE XREF: MiAllocateVirtualMemoryPrepare+305j
		mov	ecx, [esp+40h+var_1C]
		cmp	ecx, 20400000h
		jz	loc_77B921
		cmp	ecx, 20000000h
		jz	loc_77B921
		mov	edx, 1000h
		mov	[esp+40h+var_28], edx
		jmp	loc_77B597
; 

loc_8DBAF7:				; CODE XREF: MiAllocateVirtualMemoryPrepare+4B6j
		cmp	ecx, 1000h
		jnz	loc_77B921
		jmp	loc_77B8DC
; 

loc_8DBB08:				; CODE XREF: MiAllocateVirtualMemoryPrepare+31Dj
					; MiAllocateVirtualMemoryPrepare+32Ej
		lea	eax, [edx-1]
		test	eax, ecx
		jnz	loc_77B921
		jmp	loc_77B5B8
; 

loc_8DBB18:				; CODE XREF: MiAllocateVirtualMemoryPrepare+339j
		mov	eax, esi
		or	eax, ecx
		test	eax, 0FFFh

loc_8DBB21:				; CODE XREF: MiAllocateVirtualMemoryPrepare+16071Aj
		jz	loc_77B606
		jmp	loc_77B921
; 

loc_8DBB2C:				; CODE XREF: MiAllocateVirtualMemoryPrepare+349j
		mov	edi, [ebp+arg_10]
		mov	eax, esi
		or	eax, ecx
		mov	ecx, [esp+40h+var_28]
		dec	ecx
		test	eax, ecx
		jmp	short loc_8DBB21
; 

loc_8DBB3C:				; CODE XREF: MiAllocateVirtualMemoryPrepare+35Cj
					; MiAllocateVirtualMemoryPrepare+367j
		lea	edx, [esi+ecx]
		jmp	loc_77B606
; 

loc_8DBB44:				; CODE XREF: MiAllocateVirtualMemoryPrepare+3B2j
		mov	ecx, [esp+40h+var_C]
		dec	ecx
		jmp	loc_77B7D8
; 

loc_8DBB4E:				; CODE XREF: MiAllocateVirtualMemoryPrepare+3C7j
		test	al, 2
		jnz	loc_77B655
		test	al, 8
		jz	loc_77B655
		and	ecx, 0FFE00000h
		dec	ecx
		mov	[edi+4], ecx
		jmp	loc_77B655
; 

loc_8DBB6D:				; CODE XREF: MiAllocateVirtualMemoryPrepare+20Aj
		cmp	ecx, ds:_MmHighestUserAddress
		ja	loc_77B921
		lea	eax, [ecx+1]
		test	eax, 0FFFh
		jnz	loc_77B921
		jmp	loc_77B655
; 

loc_8DBB8C:				; CODE XREF: MiAllocateVirtualMemoryPrepare+274j
		cmp	[esp+40h+var_20], 0
		jnz	loc_77B69A
		cmp	[esp+40h+var_1C], 20000000h
		jnz	loc_77B921
		jmp	loc_77B69A
; 

loc_8DBBAA:				; CODE XREF: MiAllocateVirtualMemoryPrepare+516j
		mov	edx, 6D566D4Dh
		call	ObfDereferenceObjectWithTag
		mov	eax, [esp+40h+var_2C]
		jmp	loc_77B709
; END OF FUNCTION CHUNK	FOR MiAllocateVirtualMemoryPrepare
; 
; START	OF FUNCTION CHUNK FOR MiAllocateVirtualMemory

loc_8DBBBD:				; CODE XREF: MiAllocateVirtualMemory+5Aj
		cmp	edx, 1
		jz	loc_77B9C0
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ecx, [edx]
		sub	ecx, eax
		neg	ecx
		sbb	ecx, ecx
		and	edx, ecx
		mov	[ebp+var_3C], edx
		jmp	loc_77B9C0
; 

loc_8DBBDD:				; CODE XREF: MiAllocateVirtualMemory+A1j
					; MiAllocateVirtualMemory+40Bj
		mov	eax, 0C0000045h
		jmp	loc_77BBEE
; 

loc_8DBBE7:				; CODE XREF: MiAllocateVirtualMemory+C1j
		cmp	edx, 2
		jnb	loc_77BA27

loc_8DBBF0:				; CODE XREF: MiAllocateVirtualMemory+1602E5j
		mov	edi, 0C000000Dh
		jmp	loc_77BC1F
; 

loc_8DBBFA:				; CODE XREF: MiAllocateVirtualMemory+D0j
		mov	eax, [esi+3Ch]
		cmp	dword ptr [eax+3D4h], 0
		jnz	loc_77BA36
		mov	edi, 0C000000Dh
		jmp	loc_77BC1F
; 

loc_8DBC14:				; CODE XREF: MiAllocateVirtualMemory+DCj
		test	al, 2
		jz	short loc_8DBC1F
		mov	ecx, 0FFFFh
		jmp	short loc_8DBC2F
; 

loc_8DBC1F:				; CODE XREF: MiAllocateVirtualMemory+1602B6j
		and	al, 8
		movzx	ecx, al
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 200000h
		dec	ecx

loc_8DBC2F:				; CODE XREF: MiAllocateVirtualMemory+1602BDj
		mov	eax, [esi+4]
		inc	eax
		mov	[ebp+var_44], ecx
		test	eax, ecx
		mov	eax, [ebp+var_44]
		setz	cl
		test	[esi], eax
		setz	al
		test	cl, al
		jz	short loc_8DBBF0
		and	edi, 20400000h
		cmp	edi, 400000h
		jz	loc_77BA54

loc_8DBC59:				; CODE XREF: MiAllocateVirtualMemory+EEj
		or	edx, 10h
		mov	[ebp+var_30], edx
		jmp	loc_77BA54
; 

loc_8DBC64:				; CODE XREF: MiAllocateVirtualMemory+F7j
		movzx	eax, byte ptr [esi+44h]
		push	eax
		mov	eax, ds:dword_A94A5C
		push	eax
		mov	eax, ds:_SeLockMemoryPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	loc_77BA5D
		mov	edi, 0C0000061h
		jmp	loc_77BC1F
; 

loc_8DBC8C:				; CODE XREF: MiAllocateVirtualMemory+120j
		mov	edi, 0C000000Dh
		jmp	loc_77BC1F
; 

loc_8DBC96:				; CODE XREF: MiAllocateVirtualMemory+12Aj
		mov	edi, 0C000000Dh
		jmp	loc_77BC1F
; 

loc_8DBCA0:				; CODE XREF: MiAllocateVirtualMemory+15Dj
		mov	edi, [ebp+var_4C]
		cmp	edi, 0C00000A0h
		jnz	loc_77BC1F
		mov	edi, 0C0000018h
		jmp	loc_77BC1F
; 

loc_8DBCB9:				; CODE XREF: MiAllocateVirtualMemory+166j
		mov	edi, 0C0000018h
		jmp	loc_77BE24
; 

loc_8DBCC3:				; CODE XREF: MiAllocateVirtualMemory+17Fj
		mov	edi, 0C0000018h
		jmp	loc_77BE24
; 

loc_8DBCCD:				; CODE XREF: MiAllocateVirtualMemory+19Cj
		and	ecx, 70h
		cmp	cl, 30h
		jnz	short loc_8DBCEC
		push	[ebp+var_2C]
		mov	eax, [esi+14h]
		push	eax
		push	[ebp+var_38]
		push	edx
		mov	edx, ebx
		call	_MiCommitEnclavePages@24 ; MiCommitEnclavePages(x,x,x,x,x,x)
		jmp	loc_77BD2A
; 

loc_8DBCEC:				; CODE XREF: MiAllocateVirtualMemory+160373j
		test	dword ptr [esi+28h], 10000000h
		jnz	loc_77BB02
		mov	edi, 0C00000A0h
		jmp	loc_77BE24
; 

loc_8DBD03:				; CODE XREF: MiAllocateVirtualMemory+1ABj
		mov	eax, [ebx+1Ch]
		and	eax, offset loc_500000
		cmp	eax, offset loc_500000
		jz	short loc_8DBD1C
		mov	edi, 0C0000018h
		jmp	loc_77BE24
; 

loc_8DBD1C:				; CODE XREF: MiAllocateVirtualMemory+1603B0j
		mov	ecx, ebx
		call	_MiGetVadPageSize@4 ; MiGetVadPageSize(x)
		mov	ecx, [ebp+var_38]
		shl	eax, 0Ch
		inc	ecx
		or	ecx, [ebp+var_24]
		dec	eax
		test	eax, ecx
		jz	loc_77BB11
		mov	edi, 0C000000Dh
		jmp	loc_77BE24
; 

loc_8DBD40:				; CODE XREF: MiAllocateVirtualMemory+1BEj
		mov	edi, 0C0000018h
		jmp	loc_77BE24
; 

loc_8DBD4A:				; CODE XREF: MiAllocateVirtualMemory+49Dj
		cmp	edi, 400h
		jnz	loc_77BE0C
		or	edx, 200h
		jmp	loc_77BE09
; 

loc_8DBD61:				; CODE XREF: MiAllocateVirtualMemory+337j
		movzx	eax, byte ptr [esi+44h]
		mov	ecx, ebx
		mov	edx, [ebp+var_24]
		push	eax
		push	[ebp+var_2C]
		mov	eax, [esi+0Ch]
		push	eax
		call	MiCheckSecuredVad
		mov	edi, eax
		test	edi, edi
		js	loc_77BE24
		or	[ebp+var_30], 4
		jmp	loc_77BC9D
; 

loc_8DBD8A:				; CODE XREF: MiAllocateVirtualMemory+3A5j
		cmp	dword ptr [ebx+44h], 0
		jl	short loc_8DBD9A
		mov	edi, 0C0000021h
		jmp	loc_77BE24
; 

loc_8DBD9A:				; CODE XREF: MiAllocateVirtualMemory+16042Ej
		mov	ebx, [ebx+28h]
		xor	edi, edi
		mov	ecx, [ebp+var_44]
		and	ebx, 0FFFFFFh
		mov	eax, [ebp+var_38]
		shld	edi, ebx, 10h
		push	0
		mov	ecx, [ecx+0Ch]
		shl	ecx, 0Ch
		sub	eax, ecx
		shl	ebx, 10h
		mov	ecx, [ebp+var_3C]
		cdq
		add	eax, ebx
		adc	edx, edi
		add	eax, 1
		mov	[ebp+var_84], eax
		adc	edx, 0
		mov	[ebp+var_80], edx
		xor	edx, edx
		call	_MiFlushAcquire@12 ; MiFlushAcquire(x,x,x)
		mov	ebx, [ebp+var_44]
		test	eax, eax
		jnz	short loc_8DBDEB
		mov	edi, 0C000009Ah
		jmp	loc_77BE24
; 

loc_8DBDEB:				; CODE XREF: MiAllocateVirtualMemory+16047Fj
		xor	ecx, ecx
		test	dword ptr [ebx+1Ch], 100000h
		mov	[ebp+var_34], ecx
		jnz	short loc_8DBE0A
		mov	eax, [ebx+48h]
		test	eax, eax
		jz	short loc_8DBE0A
		mov	ecx, eax
		mov	[ebp+var_34], eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_8DBE0A:				; CODE XREF: MiAllocateVirtualMemory+160497j
					; MiAllocateVirtualMemory+16049Ej
		mov	ecx, [ebp+var_50]
		mov	edx, ebx
		call	MiUnlockVad
		xor	eax, eax
		lea	edi, [ebp+var_AC]
		mov	ecx, 0Ah
		rep stosd
		mov	eax, [ebp+var_3C]
		mov	ecx, [ebp+var_34]
		mov	edx, [eax+1Ch]
		test	ecx, ecx
		jz	short loc_8DBE3F
		mov	eax, ecx
		test	dl, 20h
		jz	short loc_8DBE3C
		or	eax, 1
		jmp	short loc_8DBE3F
; 

loc_8DBE3C:				; CODE XREF: MiAllocateVirtualMemory+1604D5j
		or	eax, 2

loc_8DBE3F:				; CODE XREF: MiAllocateVirtualMemory+1604CEj
					; MiAllocateVirtualMemory+1604DAj
		mov	[ebp+var_98], eax
		lea	ecx, [ebp+var_AC]
		mov	eax, [ebp+var_88]
		and	eax, 0FFFFF004h
		mov	[ebp+var_8C], edx
		or	eax, 4
		lea	edx, [ebp+var_84]
		push	0
		mov	[ebp+var_88], eax
		call	MmExtendSection
		mov	ecx, [ebp+var_34]
		mov	edi, eax
		test	ecx, ecx
		jz	short loc_8DBE80
		call	ObfDereferenceObject

loc_8DBE80:				; CODE XREF: MiAllocateVirtualMemory+160519j
		mov	ecx, [ebp+var_50]
		mov	edx, ebx
		call	_MiLockVad@8	; MiLockVad(x,x)
		mov	ecx, [ebp+var_3C]
		xor	edx, edx
		push	0
		call	_MiFlushRelease@12 ; MiFlushRelease(x,x,x)
		test	edi, edi
		js	loc_77BE24
		mov	ecx, ebx
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		cmp	eax, 1
		jz	loc_77BE24
		mov	ecx, [ebx+0Ch]
		mov	edx, [ebp+var_60]
		cmp	edx, ecx
		jb	loc_77BE24
		mov	eax, [ebx+10h]
		cmp	edx, eax
		ja	loc_77BE24
		mov	edx, [ebp+var_64]
		cmp	edx, eax
		ja	loc_77BE24
		cmp	edx, ecx
		jb	loc_77BE24
		test	byte ptr [ebx+1Ch], 8
		jz	short loc_8DBEFE
		movzx	eax, byte ptr [esi+44h]
		mov	ecx, ebx
		mov	edx, [ebp+var_24]
		push	eax
		push	[ebp+var_2C]
		mov	eax, [esi+0Ch]
		push	eax
		call	MiCheckSecuredVad
		test	eax, eax
		js	loc_77BE24

loc_8DBEFE:				; CODE XREF: MiAllocateVirtualMemory+16057Ej
		cmp	dword ptr [ebx+44h], 0
		jge	loc_77BE24
		mov	ecx, [esi+3Ch]
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_58]
		mov	edx, ebx
		push	eax
		mov	eax, [esi+18h]
		push	0
		push	eax
		push	[ebp+var_38]
		push	[ebp+var_24]
		call	_MiSetProtectionOnSection@32 ; MiSetProtectionOnSection(x,x,x,x,x,x,x,x)
		mov	edi, eax
		jmp	loc_77BE24
; 

loc_8DBF2D:				; CODE XREF: MiAllocateVirtualMemory+271j
		mov	eax, [esi+14h]
		test	eax, 3000h
		jz	short loc_8DBF61
		test	byte ptr [esi+28h], 1
		mov	ecx, [ebp+var_74]
		movzx	ecx, word ptr [ecx]
		jz	short loc_8DBF48
		mov	eax, 2000h

loc_8DBF48:				; CODE XREF: MiAllocateVirtualMemory+1605E1j
		push	[ebp+var_48]
		mov	edx, [esi+0Ch]
		push	ecx
		mov	ecx, [ebp+var_24]
		push	eax
		mov	eax, [esi+3Ch]
		push	eax
		call	_PerfInfoLogVirtualAlloc@24 ; PerfInfoLogVirtualAlloc(x,x,x,x,x,x)
		jmp	loc_77BBD7
; 

loc_8DBF61:				; CODE XREF: MiAllocateVirtualMemory+1605D5j
		test	eax, 1080000h
		jz	loc_77BBD7
		mov	edx, [esi+0Ch]
		mov	ecx, [ebp+var_24]
		push	eax
		call	_MiLogMemResetInfo@12 ;	MiLogMemResetInfo(x,x,x)
		jmp	loc_77BBD7
; 

loc_8DBF7D:				; CODE XREF: MiAllocateVirtualMemory+2C9j
		test	dword ptr [esi+14h], 1000000h
		jz	loc_77BC2F
		cmp	edi, 0C0000434h
		jnz	loc_77BC2F
		mov	edx, [esi+0Ch]
		mov	ecx, [ebp+var_24]
		push	0
		call	_MiLogMemResetInfo@12 ;	MiLogMemResetInfo(x,x,x)
		jmp	loc_77BC2F
; 

loc_8DBFA8:				; CODE XREF: MiAllocateVirtualMemory+2D5j
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_77BBEC
; END OF FUNCTION CHUNK	FOR MiAllocateVirtualMemory
; 
; START	OF FUNCTION CHUNK FOR NtProtectVirtualMemory

loc_8DBFB7:				; CODE XREF: NtProtectVirtualMemory+A0j
		mov	eax, 0C0000045h
		jmp	loc_77C08C
; 

loc_8DBFC1:				; CODE XREF: NtProtectVirtualMemory+79j
					; NtProtectVirtualMemory+85j
		mov	[ebp+var_50], 18h
		jmp	loc_77BF49
; 

loc_8DBFCD:				; CODE XREF: NtProtectVirtualMemory+DCj
		mov	edx, eax
		jmp	loc_77BF82
; 

loc_8DBFD4:				; CODE XREF: NtProtectVirtualMemory+EFj
		mov	edx, eax
		jmp	loc_77BF95
; 

loc_8DBFDB:				; CODE XREF: NtProtectVirtualMemory+102j
		mov	edx, eax
		jmp	loc_77BFA8
; END OF FUNCTION CHUNK	FOR NtProtectVirtualMemory

;  S U B	R O U T	I N E 


sub_8DBFE2	proc near		; DATA XREF: .text:006A1184o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5Ch], eax
		mov	eax, 1
		retn
sub_8DBFE2	endp


;  S U B	R O U T	I N E 


sub_8DBFF2	proc near		; DATA XREF: .text:006A1188o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-5Ch]
		jmp	loc_77C08C
sub_8DBFF2	endp

; 
; START	OF FUNCTION CHUNK FOR NtProtectVirtualMemory

loc_8DC004:				; CODE XREF: NtProtectVirtualMemory+127j
		mov	eax, 0C00000F0h
		jmp	loc_77C08C
; 

loc_8DC00E:				; CODE XREF: NtProtectVirtualMemory+16Ej
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	[ebp+var_40], 1
		jmp	loc_77C01B
; 

loc_8DC027:				; CODE XREF: NtProtectVirtualMemory+19Aj
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_77C040
; END OF FUNCTION CHUNK	FOR NtProtectVirtualMemory

;  S U B	R O U T	I N E 


sub_8DC036	proc near		; DATA XREF: .text:006A1190o
		mov	eax, 1
		retn
sub_8DC036	endp


;  S U B	R O U T	I N E 


sub_8DC03C	proc near		; DATA XREF: .text:006A1194o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-4Ch]
		jmp	loc_77C08A
sub_8DC03C	endp

; 
; START	OF FUNCTION CHUNK FOR NtProtectVirtualMemory

loc_8DC04E:				; CODE XREF: NtProtectVirtualMemory+132j
					; NtProtectVirtualMemory+13Aj
		mov	eax, 0C00000F1h
		jmp	loc_77C08C
; END OF FUNCTION CHUNK	FOR NtProtectVirtualMemory
; 
; START	OF FUNCTION CHUNK FOR MiChargeFullProcessCommitment

loc_8DC058:				; CODE XREF: MiChargeFullProcessCommitment+2Dj
		mov	ebx, 0C000012Ch
		mov	ecx, 1
		jmp	short loc_8DC07C
; 

loc_8DC064:				; CODE XREF: MiChargeFullProcessCommitment+42j
		mov	ecx, 2
		jmp	short loc_8DC077
; 

loc_8DC06B:				; CODE XREF: MiChargeFullProcessCommitment+66j
		mov	ecx, 3
		jmp	short loc_8DC077
; 

loc_8DC072:				; CODE XREF: MiChargeFullProcessCommitment+82j
		mov	ecx, 4

loc_8DC077:				; CODE XREF: MiChargeFullProcessCommitment+15FF99j
					; MiChargeFullProcessCommitment+15FFA0j
		mov	ebx, 0C000012Dh

loc_8DC07C:				; CODE XREF: MiChargeFullProcessCommitment+15FF92j
		mov	[ebp+var_8], ecx
		mov	al, [ebp+var_1]
		test	al, 1
		jz	short loc_8DC0A4
		cmp	esi, ds:_PsInitialSystemProcess
		jz	short loc_8DC0A4
		mov	ecx, [esi+188h]
		mov	edx, esi
		push	edi
		push	2
		call	PspReturnQuota
		mov	al, [ebp+var_1]
		mov	ecx, [ebp+var_8]

loc_8DC0A4:				; CODE XREF: MiChargeFullProcessCommitment+15FFB4j
					; MiChargeFullProcessCommitment+15FFBCj
		test	al, 2
		jz	short loc_8DC0B7
		mov	edx, edi
		mov	ecx, esi
		call	_MiReturnProcessCommitment@8 ; MiReturnProcessCommitment(x,x)
		mov	al, [ebp+var_1]
		mov	ecx, [ebp+var_8]

loc_8DC0B7:				; CODE XREF: MiChargeFullProcessCommitment+15FFD6j
		cmp	al, 4
		jb	short loc_8DC0CF
		push	0
		mov	edx, edi
		mov	ecx, 2
		push	esi
		neg	edx
		call	PspChangeJobMemoryUsageByProcess
		mov	ecx, [ebp+var_8]

loc_8DC0CF:				; CODE XREF: MiChargeFullProcessCommitment+15FFE9j
		push	ecx
		push	edi
		mov	ecx, esi
		call	_MiCommitRequestFailed@16 ; MiCommitRequestFailed(x,x,x,x)
		mov	eax, ebx
		jmp	loc_77C15A
; END OF FUNCTION CHUNK	FOR MiChargeFullProcessCommitment
; 
; START	OF FUNCTION CHUNK FOR MiFindEmptyAddressRange

loc_8DC0DF:				; CODE XREF: MiFindEmptyAddressRange+214j
		mov	[ebp+var_4], 1
		jmp	loc_77C1CC
; 

loc_8DC0EB:				; CODE XREF: MiFindEmptyAddressRange+107j
					; MiFindEmptyAddressRange+112j
		mov	ecx, [ebp+arg_18]
		mov	eax, [ebp+var_4]
		mov	dword ptr [ecx], 0
		jmp	loc_77C227
; 

loc_8DC0FC:				; CODE XREF: MiFindEmptyAddressRange+130j
		mov	edx, [ebp+arg_0]
		jmp	loc_77C210
; 

loc_8DC104:				; CODE XREF: MiFindEmptyAddressRange+159j
		mov	eax, [ebp+var_8]
		shl	eax, 10h
		cmp	ecx, eax
		jbe	loc_77C2CF
		mov	ecx, eax
		mov	[ebp+arg_C], ecx
		jmp	loc_77C2CF
; 

loc_8DC11C:				; CODE XREF: MiFindEmptyAddressRange+164j
		mov	eax, ebx
		mov	[ebp+arg_18], ebx
		jmp	loc_77C2DF
; 

loc_8DC126:				; CODE XREF: MiFindEmptyAddressRange+171j
		mov	edx, [ebp+var_10]
		test	byte ptr [edx+490h], 20h
		mov	edx, [ebp+arg_0]
		jz	short loc_8DC144
		mov	[ebp+arg_18], 3FFFFFFFh
		cmp	ecx, 3FFFFFFFh
		ja	short loc_8DC14B

loc_8DC144:				; CODE XREF: MiFindEmptyAddressRange+15FFC3j
		mov	[ebp+arg_18], 0FFFFFFh

loc_8DC14B:				; CODE XREF: MiFindEmptyAddressRange+15FFD2j
		and	eax, [ebp+arg_18]
		mov	[ebp+arg_18], eax
		jz	short loc_8DC157
		cmp	eax, ecx
		jbe	short loc_8DC15F

loc_8DC157:				; CODE XREF: MiFindEmptyAddressRange+15FFE1j
		mov	eax, 10000h
		mov	[ebp+arg_18], eax

loc_8DC15F:				; CODE XREF: MiFindEmptyAddressRange+15FFE5j
		cmp	eax, esi
		mov	esi, [ebp+arg_10]
		jnb	short loc_8DC174
		cmp	esi, 1
		jnz	short loc_8DC174
		mov	eax, [ebp+var_4]
		shl	eax, 10h
		mov	[ebp+arg_18], eax

loc_8DC174:				; CODE XREF: MiFindEmptyAddressRange+15FFF4j
					; MiFindEmptyAddressRange+15FFF9j
		cmp	eax, ebx
		jnb	loc_77C2EA
		mov	eax, ebx
		mov	[ebp+arg_18], eax
		jmp	loc_77C2EA
; END OF FUNCTION CHUNK	FOR MiFindEmptyAddressRange
; 
; START	OF FUNCTION CHUNK FOR MiRelocateImagePfn

loc_8DC186:				; CODE XREF: MiRelocateImagePfn+85j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	short loc_8DC197
		mov	eax, 0C000009Ah
		jmp	loc_77C550
; 

loc_8DC197:				; CODE XREF: MiRelocateImagePfn+15FDABj
		mov	[ebp+arg_8], eax
		jmp	loc_77C46B
; 

loc_8DC19F:				; CODE XREF: MiRelocateImagePfn+C3j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_8DC1D9
		cmp	byte ptr word_6D07B8+1,	0
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_0], 1
		jnz	loc_77C4AC

loc_8DC1BF:				; CODE XREF: MiRelocateImagePfn+15FE18j
		and	eax, 1
		or	eax, 0
		mov	eax, [ebp+arg_4]
		jz	loc_77C4AC
		or	edx, 80000000h
		jmp	loc_77C4AC
; 

loc_8DC1D9:				; CODE XREF: MiRelocateImagePfn+15FDC6j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, [ebp+arg_4]
		jz	loc_77C4AC
		jmp	short loc_8DC1BF
; 

loc_8DC1FA:				; CODE XREF: MiRelocateImagePfn+D6j
		push	edx
		push	eax
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_77C4BC
; 

loc_8DC206:				; CODE XREF: MiRelocateImagePfn+15Aj
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		nop
		mov	eax, ds:dword_40F9FC
		xor	edx, edx
		mov	[ecx+4], eax
		mov	ecx, esi
		push	1
		call	KeFlushSingleTb
		jmp	loc_77C54E
; END OF FUNCTION CHUNK	FOR MiRelocateImagePfn
; 
; START	OF FUNCTION CHUNK FOR MiPerformFixups

loc_8DC226:				; CODE XREF: MiPerformFixups+AEj
		add	eax, 4
		add	edx, 1000h
		jmp	loc_77C5B8
; 

loc_8DC234:				; CODE XREF: MiPerformFixups+4Bj
		call	_MiApplyRawFixups@16 ; MiApplyRawFixups(x,x,x,x)
		jmp	loc_77C5E6
; 

loc_8DC23E:				; CODE XREF: MiPerformFixups+7Bj
		mov	eax, [ebp+var_4]
		add	eax, 4
		add	edx, 1000h
		jmp	loc_77C5B8
; END OF FUNCTION CHUNK	FOR MiPerformFixups
; 
; START	OF FUNCTION CHUNK FOR MiApplyCompressedFixups

loc_8DC24F:				; CODE XREF: MiApplyCompressedFixups+E2j
		push	esi
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	31h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8DC25F:				; CODE XREF: MiApplyCompressedFixups+76j
		push	[ebp+arg_0]
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	31h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8DC272:				; CODE XREF: MiReserveUserMemory+2Aj
		mov	eax, 0C000000Dh
		jmp	loc_77CB2C
; END OF FUNCTION CHUNK	FOR MiApplyCompressedFixups
; 
; START	OF FUNCTION CHUNK FOR MiReserveUserMemory

loc_8DC27C:				; CODE XREF: MiReserveUserMemory+48j
		mov	[ebp+var_C], 10h
		jmp	loc_77C85E
; 

loc_8DC288:				; CODE XREF: MiReserveUserMemory+5Fj
		test	ds:_MiFlags, 100000h
		jz	loc_77C87F
		jmp	loc_77C875
; 

loc_8DC29D:				; CODE XREF: MiReserveUserMemory+78j
		mov	eax, 1
		jmp	loc_77C890
; 

loc_8DC2A7:				; CODE XREF: MiReserveUserMemory+A7j
		mov	eax, 0C000009Ah
		jmp	loc_77CB2C
; 

loc_8DC2B1:				; CODE XREF: MiReserveUserMemory+E8j
		mov	eax, [esi+3Ch]
		mov	eax, [eax+24Ch]
		mov	byte ptr [eax+84h], 1
		mov	ecx, [edi+1Ch]
		jmp	loc_77C900
; 

loc_8DC2C9:				; CODE XREF: MiReserveUserMemory+129j
		or	eax, 4000000h
		mov	[edi+1Ch], eax
		jmp	loc_77C93F
; 

loc_8DC2D6:				; CODE XREF: MiReserveUserMemory+13Ej
		mov	ecx, 0FFFFDh
		jmp	loc_77C957
; 

loc_8DC2E0:				; CODE XREF: MiReserveUserMemory+16Fj
		mov	eax, [esi+54h]
		mov	edx, [esi+50h]
		mov	[ebp+var_24], eax
		mov	eax, edx
		and	eax, 10h
		or	eax, 0
		jz	short loc_8DC2FC
		mov	[ebp+var_18], 3
		jmp	short loc_8DC323
; 

loc_8DC2FC:				; CODE XREF: MiReserveUserMemory+15FAE1j
		mov	[ebp+var_18], 2
		jmp	short loc_8DC323
; 

loc_8DC305:				; CODE XREF: MiReserveUserMemory+17Aj
		mov	eax, [esi+54h]
		mov	edx, [esi+50h]
		mov	[ebp+var_24], eax
		mov	eax, edx
		and	eax, 2
		mov	[ebp+var_18], 1
		or	eax, 0
		jz	loc_77C9A7

loc_8DC323:				; CODE XREF: MiReserveUserMemory+15FAEAj
					; MiReserveUserMemory+15FAF3j
		mov	eax, edx
		and	eax, 4
		or	eax, 0
		jz	short loc_8DC384
		and	edx, 1Ah
		or	edx, 0
		jz	short loc_8DC371
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_8DC340
		mov	eax, [eax]
		jmp	short loc_8DC345
; 

loc_8DC340:				; CODE XREF: MiReserveUserMemory+15FB2Aj
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)

loc_8DC345:				; CODE XREF: MiReserveUserMemory+15FB2Ej
		test	byte ptr [eax+4], 40h
		jz	short loc_8DC371
		movzx	eax, byte ptr [esi+44h]
		push	eax
		mov	eax, ds:dword_A949B4
		push	eax
		mov	eax, ds:_SeTcbPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_8DC37D
		mov	[ebp+var_4], 0C0000061h
		jmp	loc_77CC89
; 

loc_8DC371:				; CODE XREF: MiReserveUserMemory+15FB23j
					; MiReserveUserMemory+15FB39j
		mov	[ebp+var_4], 0C000000Dh
		jmp	loc_77CC8C
; 

loc_8DC37D:				; CODE XREF: MiReserveUserMemory+15FB53j
		or	dword ptr [edi+1Ch], 800000h

loc_8DC384:				; CODE XREF: MiReserveUserMemory+15FB1Bj
		mov	ecx, [esi+3Ch]
		mov	edx, edi
		push	0
		push	[ebp+var_1C]
		call	_MiCreateLargePageVad@16 ; MiCreateLargePageVad(x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		mov	[ebp+var_14], edx
		test	edx, edx
		js	loc_77CC89
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_8DC3B5
		mov	eax, [eax]
		mov	cx, [eax]
		mov	eax, [ebp+arg_C]
		mov	[eax], cx

loc_8DC3B5:				; CODE XREF: MiReserveUserMemory+15FB98j
		mov	eax, [esi+50h]
		and	eax, 1Ah
		or	eax, 0
		jz	loc_77C9A7
		or	dword ptr [edi+1Ch], 400000h
		jmp	loc_77C9A7
; 

loc_8DC3D0:				; CODE XREF: MiReserveUserMemory+185j
		mov	edx, [ebp+arg_0]
		mov	eax, edx
		and	eax, 7
		mov	[ebp+var_24], eax
		mov	eax, edx
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jz	short loc_8DC423
		mov	eax, [ebp+var_24]
		cmp	eax, 4
		jz	short loc_8DC3F2
		cmp	eax, 1
		jnz	short loc_8DC423

loc_8DC3F2:				; CODE XREF: MiReserveUserMemory+15FBDBj
		mov	eax, [esi+50h]
		and	eax, 1
		or	eax, 0
		jz	short loc_8DC42F
		cmp	dword ptr [esi+48h], 0
		jz	short loc_8DC423
		mov	ecx, [esi+1Ch]
		mov	eax, edx
		test	ecx, 1C000h
		jz	short loc_8DC413
		or	eax, 2

loc_8DC413:				; CODE XREF: MiReserveUserMemory+15FBFEj
		test	ecx, 12000h
		jz	short loc_8DC431
		and	eax, 0FFFFFFFEh
		or	eax, 4
		jmp	short loc_8DC431
; 

loc_8DC423:				; CODE XREF: MiReserveUserMemory+15FBD3j
					; MiReserveUserMemory+15FBE0j ...
		mov	[ebp+var_4], 0C0000045h
		jmp	loc_77CC8C
; 

loc_8DC42F:				; CODE XREF: MiReserveUserMemory+15FBEBj
		mov	eax, edx

loc_8DC431:				; CODE XREF: MiReserveUserMemory+15FC09j
					; MiReserveUserMemory+15FC11j
		push	[ebp+arg_C]
		mov	edx, eax
		mov	ecx, edi
		push	esi
		call	_MiCreateUserPhysicalView@16 ; MiCreateUserPhysicalView(x,x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jns	short loc_8DC451
		mov	[ebp+var_4], 0C000009Ah
		jmp	loc_77CC89
; 

loc_8DC451:				; CODE XREF: MiReserveUserMemory+15FC33j
		mov	eax, [edi+1Ch]
		and	eax, 0FFFFFFBFh
		or	eax, 30h
		and	eax, 0FDFFFFFFh
		jmp	loc_77CCCB
; 

loc_8DC464:				; CODE XREF: MiReserveUserMemory+1C1j
		mov	eax, [esi+14h]
		and	eax, 20400000h
		cmp	eax, 400000h
		jz	short loc_8DC48D
		and	ecx, offset loc_500000
		cmp	ecx, offset loc_500000
		jz	short loc_8DC48D
		mov	[ebp+var_4], 0C00000BBh
		jmp	loc_77CC89
; 

loc_8DC48D:				; CODE XREF: MiReserveUserMemory+15FC61j
					; MiReserveUserMemory+15FC6Fj
		cmp	dword ptr [esi+1Ch], 0
		jnz	loc_77C9E0
		mov	[ebp+var_4], 0C0000045h
		jmp	loc_77CC89
; 

loc_8DC4A3:				; CODE XREF: MiReserveUserMemory+1CAj
		mov	[ebp+var_4], 0C0000045h
		jmp	loc_77CC89
; 

loc_8DC4AF:				; CODE XREF: MiReserveUserMemory+1DCj
		mov	ecx, edi
		call	_MiCreatePlaceholderStorage@4 ;	MiCreatePlaceholderStorage(x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		mov	[ebp+var_14], edx
		test	edx, edx
		js	loc_77CC79
		mov	eax, [ebp+var_C]
		or	eax, 8
		jmp	loc_77C9F5
; 

loc_8DC4D1:				; CODE XREF: MiReserveUserMemory+203j
		mov	[ebp+var_4], 0C000010Ah
		jmp	loc_77CC79
; 

loc_8DC4DD:				; CODE XREF: MiReserveUserMemory+210j
		mov	edx, [esi+4]
		test	eax, 4000000h
		jz	short loc_8DC513
		mov	ecx, [esi]
		lea	eax, [ebp+var_14]
		push	eax
		movzx	eax, byte ptr [esi+44h]
		push	eax
		call	_MiFindPlaceholderVadToReplace@16 ; MiFindPlaceholderVadToReplace(x,x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_8DC508
		mov	eax, [esi]
		mov	[ebp+arg_C], eax
		mov	eax, [esi+4]
		jmp	short loc_8DC53C
; 

loc_8DC508:				; CODE XREF: MiReserveUserMemory+15FCECj
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_4], ecx
		jmp	loc_77CC79
; 

loc_8DC513:				; CODE XREF: MiReserveUserMemory+15FCD5j
		mov	eax, [esi]
		push	edx
		mov	[ebp+arg_C], eax
		push	eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_18], edx
		mov	edx, [ebp+arg_C]
		push	eax
		call	MiIsVaRangeAvailable
		test	eax, eax
		jnz	short loc_8DC539
		mov	[ebp+var_4], 0C0000018h
		jmp	loc_77CC79
; 

loc_8DC539:				; CODE XREF: MiReserveUserMemory+15FD1Bj
		mov	eax, [ebp+var_18]

loc_8DC53C:				; CODE XREF: MiReserveUserMemory+15FCF6j
		mov	ebx, [ebp+arg_C]
		jmp	loc_77CA5D
; 

loc_8DC544:				; CODE XREF: MiReserveUserMemory+26Aj
		mov	edx, [esi+1Ch]
		mov	ecx, edi
		call	_MiStoreGraphicsProtectionInVad@8 ; MiStoreGraphicsProtectionInVad(x,x)
		mov	[ebp+var_4], 0C00000BBh
		jmp	loc_77CC79
; 

loc_8DC55A:				; CODE XREF: MiReserveUserMemory+473j
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		call	MiUnlockVad
		jmp	loc_77CC89
; 

loc_8DC569:				; CODE XREF: MiReserveUserMemory+28Dj
		push	[ebp+var_2C]
		mov	edx, [esi+3Ch]
		mov	ecx, eax
		or	[ebp+var_C], 1
		call	_MiPreparePlaceholderVadReplacement@12 ; MiPreparePlaceholderVadReplacement(x,x,x)
		xor	edx, edx
		lea	ecx, [edi+18h]
		call	ExAcquirePushLockExclusiveEx
		jmp	loc_77CAAD
; 

loc_8DC589:				; CODE XREF: MiReserveUserMemory+2FAj
		mov	edi, [ebp+var_30]
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8DC5A0
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8DC5A0:				; CODE XREF: MiReserveUserMemory+15FD87j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	edx, [esi+3Ch]
		mov	ecx, [ebp+var_8]
		call	UNLOCK_ADDRESS_SPACE_UNORDERED
		jmp	loc_8DC655
; 

loc_8DC5B7:				; CODE XREF: MiReserveUserMemory+39Cj
					; MiReserveUserMemory+3ACj
		cmp	dword ptr [edi+20h], 0
		jge	loc_77CBC2
		push	[ebp+var_1C]
		mov	dl, [esi+24h]
		mov	ecx, edi
		call	_MiMapUserLargePages@12	; MiMapUserLargePages(x,x,x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		jns	loc_77CBC2

loc_8DC5D9:				; CODE XREF: MiReserveUserMemory+387j
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		push	0
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)
		mov	eax, [ebp+arg_4]
		jmp	loc_77CB2C
; 

loc_8DC5ED:				; CODE XREF: MiReserveUserMemory+3E9j
		mov	edx, [edi+0Ch]
		mov	ecx, edi
		push	1
		push	eax
		mov	eax, [edi+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		shl	edx, 0Ch
		push	eax
		call	MiAddSecureEntry
		test	eax, eax
		jnz	loc_77CC2C
		mov	esi, 0C000009Ah
		jmp	short loc_8DC63D
; 

loc_8DC618:				; CODE XREF: MiReserveUserMemory+3F4j
		cmp	eax, 1
		jz	loc_77CC0A
		cmp	eax, 2
		jz	loc_77CC0A
		cmp	eax, 4
		jz	loc_77CC0A
		mov	esi, 0C0000045h
		jmp	short loc_8DC63D
; 

loc_8DC63A:				; CODE XREF: MiReserveUserMemory+413j
		mov	esi, [ebp+arg_4]

loc_8DC63D:				; CODE XREF: MiReserveUserMemory+15FE06j
					; MiReserveUserMemory+15FE28j
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		push	0
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)
		mov	eax, esi
		jmp	loc_77CB2C
; 

loc_8DC650:				; CODE XREF: MiReserveUserMemory+3BEj
		call	_MiUnlockAndDereferenceNestedVad@4 ; MiUnlockAndDereferenceNestedVad(x)

loc_8DC655:				; CODE XREF: MiReserveUserMemory+15FDA2j
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_10]
		push	0
		call	_MiFinishPlaceholderVadReplacement@12 ;	MiFinishPlaceholderVadReplacement(x,x,x)
		jmp	loc_77CB25
; 

loc_8DC667:				; CODE XREF: MiReserveUserMemory+52j
		mov	eax, 0C0000045h
		jmp	loc_77CB2C
; END OF FUNCTION CHUNK	FOR MiReserveUserMemory
; 
; START	OF FUNCTION CHUNK FOR MiAddSecureEntry

loc_8DC671:				; CODE XREF: MiAddSecureEntry+69j
		or	edi, 20h
		mov	[esi+4], edi
		jmp	loc_77CD9F
; 

loc_8DC67C:				; CODE XREF: MiAddSecureEntry+72j
		or	edi, 40h
		mov	[esi+4], edi
		jmp	loc_77CDA8
; 

loc_8DC687:				; CODE XREF: MiAddSecureEntry+7Bj
		or	edi, 80h
		mov	[esi+4], edi
		jmp	loc_77CDB1
; 

loc_8DC695:				; CODE XREF: MiAddSecureEntry+97j
		or	edi, 100h
		mov	[esi+4], edi
		jmp	loc_77CDCD
; END OF FUNCTION CHUNK	FOR MiAddSecureEntry
; 
; START	OF FUNCTION CHUNK FOR PfpPfnPrioRequest

loc_8DC6A3:				; CODE XREF: PfpPfnPrioRequest+118j
		cmp	eax, 16h
		jz	loc_77CF6E
		cmp	eax, 1Dh
		jz	loc_77CF6E
		mov	ebx, 0C0000003h
		jmp	loc_77CF43
; 

loc_8DC6BF:				; CODE XREF: PfpPfnPrioRequest+124j
		mov	ebx, 0C0000206h
		jmp	loc_77CF43
; 

loc_8DC6C9:				; CODE XREF: PfpPfnPrioRequest+146j
		cmp	eax, 1Dh
		jz	loc_77CFCE
		mov	edi, [ebp+var_1C]
		movzx	eax, word ptr [edi+6]
		push	eax
		movzx	eax, word ptr [edi+4]
		push	eax
		lea	edx, [edi+68h]
		mov	ecx, [edi+8]
		call	_MmRelocatePfnList@16 ;	MmRelocatePfnList(x,x,x,x)
		jmp	loc_77CFB2
; 

loc_8DC6EF:				; CODE XREF: PfpPfnPrioRequest+16Bj
					; PfpPfnPrioRequest+179j
		mov	[ebp+var_4], 1
		cmp	byte ptr [ebp+var_28], 0
		jz	loc_77CF13
		jmp	loc_77CF04
; END OF FUNCTION CHUNK	FOR PfpPfnPrioRequest

;  S U B	R O U T	I N E 


sub_8DC705	proc near		; DATA XREF: .text:006A12A8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		mov	eax, 1
		retn
sub_8DC705	endp


;  S U B	R O U T	I N E 


sub_8DC715	proc near		; DATA XREF: .text:006A12ACo
		mov	ebx, [ebp-2Ch]
		jmp	short loc_8DC737
sub_8DC715	endp

; 
; START	OF FUNCTION CHUNK FOR PfpPfnPrioRequest

loc_8DC71A:				; CODE XREF: PfpPfnPrioRequest+5Aj
		mov	ebx, 0C0000206h
		jmp	loc_77CF43
; END OF FUNCTION CHUNK	FOR PfpPfnPrioRequest

;  S U B	R O U T	I N E 


sub_8DC724	proc near		; DATA XREF: .text:006A129Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		mov	eax, 1
		retn
sub_8DC724	endp


;  S U B	R O U T	I N E 


sub_8DC734	proc near		; DATA XREF: .text:006A12A0o
		mov	ebx, [ebp-34h]

loc_8DC737:				; CODE XREF: sub_8DC715+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77CFD5
sub_8DC734	endp

; 

loc_8DC746:				; CODE XREF: PAGE:0077D067j
					; PAGE:0077D06Fj
		mov	byte ptr [edx],	0
		jmp	loc_77D075
; 

loc_8DC74E:				; CODE XREF: PAGE:0077D0DFj
		mov	esi, 0C000009Ah
		jmp	loc_77D185
; 

loc_8DC758:				; CODE XREF: PAGE:0077D104j
		mov	esi, 0C000000Dh
		jmp	loc_77D185
; 

loc_8DC762:				; CODE XREF: PAGE:0077D11Dj
		mov	esi, 0C000000Dh
		jmp	loc_77D185
; 

loc_8DC76C:				; CODE XREF: PAGE:0077D126j
		mov	esi, 0C000000Dh
		jmp	loc_77D185
; 

loc_8DC776:				; DATA XREF: .text:006A12DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	eax, 1
		retn
; 

loc_8DC786:				; DATA XREF: .text:006A12E0o
		mov	esi, [ebp-30h]
		jmp	short loc_8DC7BF
; 

loc_8DC78B:				; DATA XREF: .text:006A12D0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		mov	eax, 1
		retn
; 

loc_8DC79B:				; DATA XREF: .text:006A12D4o
		mov	esi, [ebp-34h]
		jmp	short loc_8DC7BF
; 

loc_8DC7A0:				; CODE XREF: PAGE:0077D096j
					; PAGE:0077D09Fj ...
		mov	esi, 0C000000Dh
		xor	edx, edx
		jmp	loc_77D185
; 

loc_8DC7AC:				; DATA XREF: .text:006A12C4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		mov	eax, 1
		retn
; 

loc_8DC7BC:				; DATA XREF: .text:006A12C8o
		mov	esi, [ebp-38h]

loc_8DC7BF:				; CODE XREF: PAGE:008DC789j
					; PAGE:008DC79Ej
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, [ebp-1Ch]
		jmp	loc_77D185
; 

loc_8DC7D1:				; CODE XREF: PAGE:0077D187j
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_77D18D
; 

loc_8DC7DE:				; CODE XREF: PAGE:0077D211j
		mov	edi, 0C0000004h
		jmp	loc_77D2AA
; 

loc_8DC7E8:				; CODE XREF: PAGE:0077D2F6j
					; PAGE:0077D412j ...
		mov	edi, 0C0000206h
		jmp	loc_77D2AA
; 

loc_8DC7F2:				; CODE XREF: PAGE:0077D491j
		mov	byte ptr [ecx],	0
		jmp	loc_77D497
; 

loc_8DC7FA:				; DATA XREF: .text:006A1308o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-70h], eax
		mov	eax, 1
		retn
; 

loc_8DC80A:				; DATA XREF: .text:006A130Co
		mov	edi, [ebp-70h]
		jmp	loc_8DC90D
; 

loc_8DC812:				; DATA XREF: .text:006A1314o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-74h], eax
		mov	eax, 1
		retn
; 

loc_8DC822:				; DATA XREF: .text:006A1318o
		mov	edi, [ebp-74h]
		jmp	loc_8DC90D
; 

loc_8DC82A:				; CODE XREF: PAGE:0077D325j
		mov	byte ptr [eax],	0
		jmp	loc_77D32B
; 

loc_8DC832:				; CODE XREF: PAGE:0077D353j
		mov	edi, 0C0000059h
		jmp	loc_77D2AA
; 

loc_8DC83C:				; DATA XREF: .text:006A132Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-78h], eax
		mov	eax, 1
		retn
; 

loc_8DC84C:				; DATA XREF: .text:006A1330o
		mov	edi, [ebp-78h]
		jmp	loc_8DC90D
; 

loc_8DC854:				; DATA XREF: .text:006A1320o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-7Ch], eax
		mov	eax, 1
		retn
; 

loc_8DC864:				; DATA XREF: .text:006A1324o
		mov	edi, [ebp-7Ch]
		jmp	loc_8DC90D
; 

loc_8DC86C:				; CODE XREF: PAGE:0077D2DBj
					; DATA XREF: PAGE:0077D560o
		cmp	edx, 10h
		jnz	loc_8DC7E8
		lea	eax, [ebp-44h]
		push	eax
		xor	edx, edx
		xor	ecx, ecx
		call	_MmLogQueryCombineStats@12 ; MmLogQueryCombineStats(x,x,x)
		mov	dword ptr [ebp-4], 5
		test	bl, bl
		mov	ebx, [ebp-4Ch]
		jz	short loc_8DC89A
		push	4
		push	10h
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_8DC89A:				; CODE XREF: PAGE:008DC88Ej
		cmp	dword ptr [ebx], 1
		jz	short loc_8DC8A9
		mov	edi, 0C000000Dh
		mov	[ebp-50h], edi
		jmp	short loc_8DC910
; 

loc_8DC8A9:				; CODE XREF: PAGE:008DC89Dj
		mov	eax, [ebp-40h]
		mov	[ebx+4], eax
		mov	eax, [ebp-2Ch]
		mov	[ebx+8], eax
		mov	eax, [ebp-28h]
		mov	[ebx+0Ch], eax
		jmp	short loc_8DC910
; 

loc_8DC8BD:				; DATA XREF: .text:006A1338o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-80h], eax
		mov	eax, 1
		retn
; 

loc_8DC8CD:				; DATA XREF: .text:006A133Co
		mov	edi, [ebp-80h]
		mov	[ebp-50h], edi
		jmp	short loc_8DC90D
; 

loc_8DC8D5:				; CODE XREF: PAGE:0077D2DBj
					; DATA XREF: PAGE:0077D564o
		mov	eax, [ebp-48h]
		push	eax
		mov	dl, bl
		lea	ecx, [ebp-64h]
		call	_PfpQueryFileExtentsRequest@12 ; PfpQueryFileExtentsRequest(x,x,x)
		mov	edi, eax
		jmp	loc_77D2AA
; 

loc_8DC8EA:				; CODE XREF: PAGE:0077D2CEj
					; PAGE:0077D2DBj
					; DATA XREF: ...
		mov	edi, 0C0000003h
		jmp	loc_77D2AA
; 

loc_8DC8F4:				; DATA XREF: .text:006A12FCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-84h], eax
		mov	eax, 1
		retn
; 

loc_8DC907:				; DATA XREF: .text:006A1300o
		mov	edi, [ebp-84h]

loc_8DC90D:				; CODE XREF: PAGE:008DC80Dj
					; PAGE:008DC825j ...
		mov	esp, [ebp-18h]

loc_8DC910:				; CODE XREF: PAGE:008DC8A7j
					; PAGE:008DC8BBj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_77D2AA
; 
; START	OF FUNCTION CHUNK FOR NtQuerySystemInformation

loc_8DC91C:				; CODE XREF: NtQuerySystemInformation+70j
		cmp	ecx, 0D3h
		jle	loc_77D61F
		jmp	loc_77D5C6
; END OF FUNCTION CHUNK	FOR NtQuerySystemInformation
; 
; START	OF FUNCTION CHUNK FOR SPCallServerHandleAuthenticateCaller

loc_8DC92D:				; CODE XREF: SPCallServerHandleAuthenticateCaller+162j
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7829AF
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_8DC950
		xor	esi, esi
		jmp	short loc_8DC958
; 

loc_8DC950:				; CODE XREF: SPCallServerHandleAuthenticateCaller+15A052j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_8DC958:				; CODE XREF: SPCallServerHandleAuthenticateCaller+15A056j
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	loc_7829AF
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		mov	eax, [ebp+var_4]
		test	esi, esi
		jns	loc_7829C2
		jmp	loc_7829AF
; 

loc_8DC981:				; CODE XREF: SPCallServerHandleAuthenticateCaller+CDj
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		jmp	loc_7829E0
; 

loc_8DC98E:				; CODE XREF: SPCallServerHandleAuthenticateCaller+EDj
		mov	esi, 0C000000Dh
		jmp	loc_782AED
; 

loc_8DC998:				; CODE XREF: SPCallServerHandleAuthenticateCaller+130j
		mov	esi, 0C0000017h
		jmp	loc_7829FE
; 

loc_8DC9A2:				; CODE XREF: SPCallServerHandleAuthenticateCaller+116j
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_782AED
		inc	dword ptr [edi]
		jmp	loc_782A7F
; 

loc_8DC9BE:				; CODE XREF: SPCallServerHandleAuthenticateCaller+11Cj
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+arg_4], 0
		mov	[ebp+arg_0], ebx
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jnz	loc_782AB2

loc_8DC9D4:				; CODE XREF: SPCallServerHandleAuthenticateCaller+201j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_782AE8
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+8]
		cmp	eax, ecx
		ja	short loc_8DC9FC
		mov	dword ptr [ebx], 4
		and	[edx], esi
		inc	dword ptr [edi]
		jmp	loc_782A78
; 

loc_8DC9FC:				; CODE XREF: SPCallServerHandleAuthenticateCaller+15A0F3j
					; SPCallServerHandleAuthenticateCaller+15A159j
		mov	esi, 0C0000023h
		jmp	loc_782AED
; 

loc_8DCA06:				; CODE XREF: SPCallServerHandleAuthenticateCaller+18Fj
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_782AED
		inc	dword ptr [edi]
		xor	esi, esi
		jmp	loc_782AED
; 

loc_8DCA24:				; CODE XREF: SPCallServerHandleAuthenticateCaller+195j
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+arg_4], 0
		mov	[ebp+arg_0], ebx
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jnz	loc_782ADE

loc_8DCA3A:				; CODE XREF: SPCallServerHandleAuthenticateCaller+209j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_782AE8
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+0Ch]
		cmp	eax, ecx
		ja	short loc_8DC9FC
		mov	eax, [ebp+var_C]
		mov	dword ptr [ebx], 8
		mov	[edx], eax
		mov	eax, [ebp+var_8]
		mov	[edx+4], eax
		inc	dword ptr [edi]
		jmp	loc_782AED
; END OF FUNCTION CHUNK	FOR SPCallServerHandleAuthenticateCaller
; 
; START	OF FUNCTION CHUNK FOR SPCallServerHandleUpdatePolicies

loc_8DCA6B:				; CODE XREF: SPCallServerHandleUpdatePolicies+E8j
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_782B9B
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_8DCA8E
		xor	esi, esi
		jmp	short loc_8DCA96
; 

loc_8DCA8E:				; CODE XREF: SPCallServerHandleUpdatePolicies+159F82j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_8DCA96:				; CODE XREF: SPCallServerHandleUpdatePolicies+159F86j
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	loc_782B9B
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		mov	eax, [ebp+var_4]
		test	esi, esi
		jns	loc_782BAA
		jmp	loc_782B9B
; 

loc_8DCABF:				; CODE XREF: SPCallServerHandleUpdatePolicies+59j
		mov	eax, ebx
		jmp	loc_782BA2
; 

loc_8DCAC6:				; CODE XREF: SPCallServerHandleUpdatePolicies+A7j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_8DCAD7
		mov	esi, 0C000000Dh
		jmp	loc_8DCBC9
; 

loc_8DCAD7:				; CODE XREF: SPCallServerHandleUpdatePolicies+159FC5j
		mov	eax, [edi+8]
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	short loc_8DCAFD
		lea	ecx, [edi+4]
		push	ecx
		mov	ecx, [ecx]
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_8DCE88
		inc	dword ptr [edi]
		jmp	short loc_8DCB67
; 

loc_8DCAFD:				; CODE XREF: SPCallServerHandleUpdatePolicies+159FD9j
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+arg_0], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	short loc_8DCB40

loc_8DCB0F:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A035j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_8DCB75
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_8DCE88
		mov	ecx, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+arg_0], ecx
		cmp	ecx, [ebp+var_28]
		jb	short loc_8DCB0F
		mov	eax, [ebp+var_20]

loc_8DCB40:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A007j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	short loc_8DCBC4
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+8]
		cmp	eax, ecx
		ja	short loc_8DCB7C
		mov	dword ptr [ebx], 4
		and	[edx], esi
		inc	dword ptr [edi]

loc_8DCB5F:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A074j
		test	esi, esi
		js	loc_8DCE88

loc_8DCB67:				; CODE XREF: SPCallServerHandleUpdatePolicies+159FF5j
		mov	eax, [edi+4]
		test	eax, eax
		jnz	short loc_8DCB83
		mov	esi, 0C000003Eh
		jmp	short loc_8DCBC9
; 

loc_8DCB75:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A011j
		mov	esi, 0C0000095h
		jmp	short loc_8DCB5F
; 

loc_8DCB7C:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A04Dj
					; SPCallServerHandleUpdatePolicies+15A0B0j
		mov	esi, 0C0000023h
		jmp	short loc_8DCBC9
; 

loc_8DCB83:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A066j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_8DCB9D
		mov	esi, 0C0000017h
		jmp	short loc_8DCBC9
; 

loc_8DCB9D:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A08Ej
		mov	[edi+8], edx
		and	dword ptr [edi], 0
		lea	ebx, [edx+4]
		cmp	ebx, edx
		jb	short loc_8DCBC4
		mov	ecx, [edi+4]
		lea	eax, [edx+8]
		add	ecx, edx
		xor	esi, esi
		cmp	eax, ecx
		ja	short loc_8DCB7C
		mov	dword ptr [edx], 4
		and	[ebx], esi
		inc	dword ptr [edi]
		jmp	short loc_8DCBC9
; 

loc_8DCBC4:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A03Fj
					; SPCallServerHandleUpdatePolicies+15A0A2j
		mov	esi, 0C0000095h

loc_8DCBC9:				; CODE XREF: SPCallServerHandleUpdatePolicies+159FCCj
					; SPCallServerHandleUpdatePolicies+15A06Dj ...
		test	esi, esi
		js	loc_8DCE88
		xor	esi, esi
		jmp	loc_8DCE88
; 

loc_8DCBD8:				; CODE XREF: SPCallServerHandleUpdatePolicies+BFj
					; SPCallServerHandleUpdatePolicies+15A0DBj
		mov	esi, edx
		mov	edx, edi
		jmp	short loc_8DCC1C
; 

loc_8DCBDE:				; CODE XREF: SPCallServerHandleUpdatePolicies+C5j
		cmp	dword ptr [ecx], 3
		jbe	short loc_8DCBD8
		xor	ebx, ebx
		jmp	loc_782D98
; 

loc_8DCBEA:				; CODE XREF: SPCallServerHandleUpdatePolicies+2BCj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_8DCBF7
		xor	esi, esi
		jmp	short loc_8DCBFF
; 

loc_8DCBF7:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A0EBj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_8DCBFF:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A0EFj
		test	esi, esi
		js	loc_782DD1
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	loc_782C04
; 

loc_8DCC16:				; CODE XREF: SPCallServerHandleUpdatePolicies+100j
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+var_14]

loc_8DCC1C:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A0D6j
		mov	ebx, edx
		jmp	loc_782C1D
; 

loc_8DCC23:				; CODE XREF: SPCallServerHandleUpdatePolicies+125j
					; SPCallServerHandleUpdatePolicies+13Aj
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_8DCE53
		mov	eax, [edi+8]
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	loc_8DCE5A
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+arg_0], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	short loc_8DCCA2

loc_8DCC4E:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A174j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_8DCC81
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_8DCE88
		mov	ecx, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+arg_0], ecx
		cmp	ecx, [ebp+var_28]
		jb	short loc_8DCC4E
		mov	eax, [ebp+var_20]
		jmp	short loc_8DCCA2
; 

loc_8DCC81:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A150j
					; SPCallServerHandleUpdatePolicies+15A322j
		mov	esi, 0C0000095h

loc_8DCC86:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A1C7j
		test	esi, esi
		js	loc_8DCE88

loc_8DCC8E:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A36Aj
		mov	eax, [edi+4]
		test	eax, eax
		jnz	short loc_8DCCCF

loc_8DCC95:				; CODE XREF: SPCallServerHandleUpdatePolicies+240j
		mov	esi, 0C000003Eh
		jmp	loc_8DCE88
; 

loc_8DCC9F:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A348j
		mov	eax, [ebp+var_20]

loc_8DCCA2:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A146j
					; SPCallServerHandleUpdatePolicies+15A179j ...
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_8DCE83
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+8]
		cmp	eax, ecx
		ja	loc_8DCE75
		mov	dword ptr [ebx], 4
		mov	dword ptr [edx], 0C004D501h
		inc	dword ptr [edi]
		jmp	short loc_8DCC86
; 

loc_8DCCCF:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A18Dj
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_8DCE7C
		mov	[edi+8], edx
		and	dword ptr [edi], 0
		lea	ebx, [edx+4]
		cmp	ebx, edx
		jb	loc_8DCE83
		mov	ecx, [edi+4]
		lea	eax, [edx+8]
		add	ecx, edx
		xor	esi, esi
		cmp	eax, ecx
		ja	loc_8DCE75
		mov	dword ptr [edx], 4
		mov	dword ptr [ebx], 0C004D501h

loc_8DCD15:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A2EEj
		inc	dword ptr [edi]
		jmp	loc_8DCE88
; 

loc_8DCD1C:				; CODE XREF: SPCallServerHandleUpdatePolicies+171j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_782C7F
; 

loc_8DCD29:				; CODE XREF: SPCallServerHandleUpdatePolicies+1A7j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_782CB5
; 

loc_8DCD36:				; CODE XREF: SPCallServerHandleUpdatePolicies+17Ej
					; SPCallServerHandleUpdatePolicies+191j ...
		mov	eax, [ebp+var_1C]
		mov	ebx, eax
		jmp	loc_782CC7
; 

loc_8DCD40:				; CODE XREF: SPCallServerHandleUpdatePolicies+1E9j
		or	eax, 10000000h
		mov	[ebp+arg_0], eax
		jmp	loc_782CF9
; 

loc_8DCD4D:				; CODE XREF: SPCallServerHandleUpdatePolicies+1E1j
		mov	[ebp+arg_0], 4004D601h
		jmp	loc_782CF9
; 

loc_8DCD59:				; CODE XREF: SPCallServerHandleUpdatePolicies+1D6j
		mov	[ebp+arg_0], 4004D602h
		jmp	loc_782CF9
; 

loc_8DCD65:				; CODE XREF: SPCallServerHandleUpdatePolicies+204j
					; SPCallServerHandleUpdatePolicies+220j
		mov	ecx, [eax]
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	ebx, [ebp+arg_0]
		mov	esi, eax
		test	esi, esi
		js	loc_8DCE88
		inc	dword ptr [edi]
		jmp	loc_782D41
; 

loc_8DCD84:				; CODE XREF: SPCallServerHandleUpdatePolicies+226j
		mov	eax, [edi]
		and	[ebp+var_20], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_28], eax
		test	eax, eax
		jnz	loc_782D8C

loc_8DCD98:				; CODE XREF: SPCallServerHandleUpdatePolicies+280j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_8DCE83
		mov	ecx, [edi+4]
		lea	eax, [ebx+8]
		add	ecx, [edi+8]
		xor	esi, esi
		cmp	eax, ecx
		ja	loc_8DCE75
		mov	dword ptr [ebx], 4
		mov	ebx, [ebp+arg_0]
		mov	[edx], ebx
		inc	dword ptr [edi]
		jmp	loc_782D39
; 

loc_8DCDC8:				; CODE XREF: SPCallServerHandleUpdatePolicies+25Dj
		mov	[edi+8], edx
		and	dword ptr [edi], 0
		lea	eax, [edx+4]
		cmp	eax, edx
		jb	loc_8DCE83
		mov	ecx, [edi+4]
		lea	eax, [edx+8]
		add	ecx, edx
		xor	esi, esi
		cmp	eax, ecx
		ja	loc_8DCE75
		mov	dword ptr [edx], 4
		mov	[edx+4], ebx
		jmp	loc_8DCD15
; 

loc_8DCDF9:				; CODE XREF: SPCallServerHandleUpdatePolicies+142j
					; SPCallServerHandleUpdatePolicies+14Ej
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_8DCE53
		mov	eax, [edi+8]
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	short loc_8DCE5A
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+arg_0], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	loc_8DCCA2

loc_8DCE20:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A346j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	loc_8DCC81
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_8DCE88
		mov	ecx, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+arg_0], ecx
		cmp	ecx, [ebp+var_28]
		jb	short loc_8DCE20
		jmp	loc_8DCC9F
; 

loc_8DCE53:				; CODE XREF: SPCallServerHandleUpdatePolicies+159j
					; SPCallServerHandleUpdatePolicies+162j ...
		mov	esi, 0C000000Dh
		jmp	short loc_8DCE88
; 

loc_8DCE5A:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A130j
					; SPCallServerHandleUpdatePolicies+15A302j
		lea	ecx, [edi+4]
		push	ecx
		mov	ecx, [ecx]
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_8DCE88
		inc	dword ptr [edi]
		jmp	loc_8DCC8E
; 

loc_8DCE75:				; CODE XREF: SPCallServerHandleUpdatePolicies+109j
					; SPCallServerHandleUpdatePolicies+15A1B3j ...
		mov	esi, 0C0000023h
		jmp	short loc_8DCE88
; 

loc_8DCE7C:				; CODE XREF: SPCallServerHandleUpdatePolicies+257j
					; SPCallServerHandleUpdatePolicies+15A1DAj
		mov	esi, 0C0000017h
		jmp	short loc_8DCE88
; 

loc_8DCE83:				; CODE XREF: SPCallServerHandleUpdatePolicies+15A1A1j
					; SPCallServerHandleUpdatePolicies+15A1EBj ...
		mov	esi, 0C0000095h

loc_8DCE88:				; CODE XREF: SPCallServerHandleUpdatePolicies+33j
					; SPCallServerHandleUpdatePolicies+9Ej	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; END OF FUNCTION CHUNK	FOR SPCallServerHandleUpdatePolicies
; 
; START	OF FUNCTION CHUNK FOR ExUpdateLicenseData

loc_8DCE91:				; CODE XREF: ExUpdateLicenseData+1Aj
		mov	edx, [ebp+arg_0]
		call	_SLUpdateLicenseDataInternal@12	; SLUpdateLicenseDataInternal(x,x,x)
		jmp	loc_782E04
; END OF FUNCTION CHUNK	FOR ExUpdateLicenseData
; 
; START	OF FUNCTION CHUNK FOR ExpSetKernelDataProtection

loc_8DCE9E:				; CODE XREF: ExpSetKernelDataProtection+1Cj
		mov	ebx, 0C000000Dh
		jmp	loc_782EC9
; 

loc_8DCEA8:				; CODE XREF: ExpSetKernelDataProtection+34j
		mov	ebx, esi
		jmp	loc_782EC9
; 

loc_8DCEAF:				; CODE XREF: ExpSetKernelDataProtection+114j
					; ExpSetKernelDataProtection+12Dj
		mov	ebx, 0C0000017h
		mov	[ebp+var_1C], ebx
		jmp	loc_782EBD
; END OF FUNCTION CHUNK	FOR ExpSetKernelDataProtection

;  S U B	R O U T	I N E 


sub_8DCEBC	proc near		; DATA XREF: .text:006A1A08o
		xor	esi, esi
		mov	ebx, [ebp-1Ch]
		mov	edi, [ebp-24h]
		jmp	sub_782FB1
sub_8DCEBC	endp

; 
; START	OF FUNCTION CHUNK FOR sub_782FB1

loc_8DCEC9:				; CODE XREF: sub_782FB1+15j
		test	al, 4
		jnz	loc_782FCC
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+10h]
		jmp	loc_782FCC
; END OF FUNCTION CHUNK	FOR sub_782FB1
; 
; START	OF FUNCTION CHUNK FOR ExpSetKernelDataProtection

loc_8DCEDE:				; CODE XREF: ExpSetKernelDataProtection+BDj
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_782ED1
; 

loc_8DCEEA:				; CODE XREF: ExpSetKernelDataProtection+C8j
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_782EDC
; END OF FUNCTION CHUNK	FOR ExpSetKernelDataProtection
; 
; START	OF FUNCTION CHUNK FOR SPCallServerHandleGetAppPolicyValue

loc_8DCEF6:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+4Bj
					; SPCallServerHandleGetAppPolicyValue+54j
		mov	esi, ecx
		jmp	loc_783528
; 

loc_8DCEFD:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+8Cj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_8DCF0A
		xor	esi, esi
		jmp	short loc_8DCF12
; 

loc_8DCF0A:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159F02j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_8DCF12:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159F06j
		test	esi, esi
		js	short loc_8DCF25
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	loc_78350B
; 

loc_8DCF25:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+6Aj
					; SPCallServerHandleGetAppPolicyValue+7Dj ...
		mov	eax, edi
		jmp	loc_78350B
; 

loc_8DCF2C:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+510j
		mov	esi, 0C0000023h
		jmp	loc_78340C
; 

loc_8DCF36:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+540j
		cmp	dword ptr [edx], 4
		jbe	loc_783548
		and	[ebp+var_20], edi
		jmp	loc_783939
; 

loc_8DCF47:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+931j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_8DCF54
		xor	esi, esi
		jmp	short loc_8DCF5C
; 

loc_8DCF54:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159F4Cj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_8DCF5C:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159F50j
		test	esi, esi
		js	loc_783174
		jmp	loc_7838DA
; 

loc_8DCF69:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+8F4j
		mov	eax, edi
		xor	ecx, ecx
		shr	eax, 1
		cmp	cx, [ebx+eax*2-2]
		jnz	loc_7838FC
		lea	eax, [ebp+var_24]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_StringCbLengthW@12 ; StringCbLengthW(x,x,x)
		test	eax, eax
		js	loc_7838FC
		mov	ecx, [ebp+var_24]
		lea	eax, [ecx+2]
		cmp	eax, edi
		jnz	loc_7838FC
		shr	ecx, 1
		jmp	loc_78317A
; 

loc_8DCFA4:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+1A0j
		mov	esi, 0C0000017h

loc_8DCFA9:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+8FFj
		test	esi, esi
		js	loc_78340C
		jmp	loc_7831B6
; 

loc_8DCFB6:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+DEj
					; SPCallServerHandleGetAppPolicyValue+E7j ...
		mov	esi, 0C000000Dh
		jmp	loc_7833E8
; 

loc_8DCFC0:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+1D4j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_7831DE
; 

loc_8DCFCD:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+20Aj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_783214
; 

loc_8DCFDA:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+23Aj
					; SPCallServerHandleGetAppPolicyValue+243j
		mov	esi, 0C000000Dh
		jmp	loc_7830D3
; 

loc_8DCFE4:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+24Bj
					; SPCallServerHandleGetAppPolicyValue+15A014j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_8DCFF1
		xor	esi, esi
		jmp	short loc_8DCFF9
; 

loc_8DCFF1:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159FE9j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_8DCFF9:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+159FEDj
		mov	[ebp+var_18], ecx
		test	esi, esi
		js	short loc_8DD02A
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_8DD02A
		mov	eax, [ebp+var_18]
		inc	ebx
		cmp	ebx, 6
		jb	short loc_8DCFE4
		jmp	loc_78309D
; 

loc_8DD01D:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+A2j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_7830AC
; 

loc_8DD02A:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+ACj
					; SPCallServerHandleGetAppPolicyValue+159FFCj ...
		mov	eax, [ebp+var_14]
		jmp	loc_7830BE
; 

loc_8DD032:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+C3j
					; SPCallServerHandleGetAppPolicyValue+297j ...
		mov	esi, 0C0000023h
		jmp	loc_7833E8
; 

loc_8DD03C:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+F6j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_783100
; 

loc_8DD049:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+12Cj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_783136
; 

loc_8DD056:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15Cj
					; SPCallServerHandleGetAppPolicyValue+165j
		mov	esi, 0C000000Dh
		mov	ebx, edi
		jmp	loc_783589
; 

loc_8DD062:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+16Dj
					; SPCallServerHandleGetAppPolicyValue+15A092j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_8DD06F
		xor	esi, esi
		jmp	short loc_8DD077
; 

loc_8DD06F:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A067j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_8DD077:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+15A06Bj
		mov	[ebp+var_18], ecx
		test	esi, esi
		js	short loc_8DD0A8
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_8DD0A8
		mov	eax, [ebp+var_18]
		inc	ebx
		cmp	ebx, 8
		jb	short loc_8DD062
		jmp	loc_783552
; 

loc_8DD09B:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+557j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_783561
; 

loc_8DD0A8:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+561j
					; SPCallServerHandleGetAppPolicyValue+15A07Aj ...
		mov	eax, [ebp+var_14]
		jmp	loc_783573
; 

loc_8DD0B0:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+573j
		mov	ebx, [ebp+var_C]
		jmp	loc_783589
; 

loc_8DD0B8:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+5ADj
		mov	esi, 0C0000017h
		jmp	loc_7833E8
; 

loc_8DD0C2:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+593j
		mov	edi, [ebp+var_10]
		inc	esi
		jmp	loc_7835C0
; 

loc_8DD0CB:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+5C5j
		mov	eax, 0C00000BBh
		jmp	loc_7835F7
; 

loc_8DD0D5:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+7E4j
		mov	esi, 0C0000017h
		jmp	loc_78378C
; 

loc_8DD0DF:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+8B6j
		mov	eax, [ebp+var_54]
		jmp	loc_7838CA
; 

loc_8DD0E7:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+8D3j
		mov	ecx, [ebx]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [edx+8]
		cmp	eax, ecx
		ja	loc_8DD032
		mov	eax, [ebp+var_14]
		mov	dword ptr [edx], 4
		mov	[edx+4], eax
		inc	dword ptr [edi]
		jmp	loc_7837CE
; 

loc_8DD10B:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+888j
		mov	ecx, [ebx]
		lea	eax, [edx+0Ch]
		add	ecx, [ebp+var_54]
		xor	esi, esi
		cmp	eax, ecx
		ja	loc_8DD032
		mov	eax, [ebp+var_40]
		mov	dword ptr [edx], 8
		mov	[edx+4], eax
		mov	eax, [ebp+var_44]
		mov	[edx+8], eax
		inc	dword ptr [edi]
		jmp	loc_78384D
; 

loc_8DD136:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+329j
		test	ecx, ecx
		jz	loc_783339

loc_8DD13E:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+331j
		mov	esi, 0C000000Dh
		jmp	loc_7832BB
; 

loc_8DD148:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+33Fj
		lea	edx, [ecx+4]
		cmp	edx, 4
		jb	loc_78336B
		mov	ecx, [ebx]
		push	ebx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_7833E8
		inc	dword ptr [edi]
		jmp	loc_7832C3
; 

loc_8DD16D:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+45Ej
		mov	eax, [ebp+var_54]
		jmp	loc_7834DB
; 

loc_8DD175:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+4E4j
		mov	ecx, [ebx]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [edx+8]
		cmp	eax, ecx
		ja	loc_8DD032
		mov	eax, [ebp+var_40]
		mov	dword ptr [edx], 4
		mov	[edx+4], eax
		inc	dword ptr [edi]
		jmp	loc_783300
; 

loc_8DD199:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+4B6j
		mov	eax, [ebp+var_54]
		jmp	loc_7834EB
; 

loc_8DD1A1:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+4F4j
		mov	ecx, [ebx]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [edx+8]
		cmp	eax, ecx
		ja	loc_8DD032
		mov	eax, [ebp+var_40]
		mov	dword ptr [edx], 4
		mov	[edx+4], eax
		inc	dword ptr [edi]
		jmp	loc_783486
; 

loc_8DD1C5:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+434j
		mov	eax, [ebp+var_54]
		jmp	loc_7834FB
; 

loc_8DD1CD:				; CODE XREF: SPCallServerHandleGetAppPolicyValue+504j
		mov	ecx, [ebx]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [edx+8]
		cmp	eax, ecx
		ja	loc_8DD032
		mov	eax, [ebp+var_40]
		mov	dword ptr [edx], 4
		mov	[edx+4], eax
		inc	dword ptr [edi]
		jmp	loc_7833E8
; END OF FUNCTION CHUNK	FOR SPCallServerHandleGetAppPolicyValue
; 
; START	OF FUNCTION CHUNK FOR SPCallServerHandleIsAppLicensed

loc_8DD1F1:				; CODE XREF: SPCallServerHandleIsAppLicensed+4Dj
					; SPCallServerHandleIsAppLicensed+55j
		mov	ebx, 0C000000Dh
		jmp	loc_783B51
; 

loc_8DD1FB:				; CODE XREF: SPCallServerHandleIsAppLicensed+66j
					; SPCallServerHandleIsAppLicensed+6Fj
		mov	ebx, 0C000000Dh
		jmp	loc_783BD4
; 

loc_8DD205:				; CODE XREF: SPCallServerHandleIsAppLicensed+A9j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_8DD212
		xor	ebx, ebx
		jmp	short loc_8DD21A
; 

loc_8DD212:				; CODE XREF: SPCallServerHandleIsAppLicensed+1598C0j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_8DD21A:				; CODE XREF: SPCallServerHandleIsAppLicensed+1598C4j
		test	ebx, ebx
		js	short loc_8DD22D
		mov	esi, edx
		mov	eax, edx
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		jmp	loc_783BB6
; 

loc_8DD22D:				; CODE XREF: SPCallServerHandleIsAppLicensed+87j
					; SPCallServerHandleIsAppLicensed+9Aj ...
		mov	eax, [ebp+var_18]
		jmp	loc_783BB6
; 

loc_8DD235:				; CODE XREF: SPCallServerHandleIsAppLicensed+271j
					; SPCallServerHandleIsAppLicensed+2D5j
		mov	ebx, 0C0000023h
		jmp	loc_783B51
; 

loc_8DD23F:				; CODE XREF: SPCallServerHandleIsAppLicensed+297j
					; SPCallServerHandleIsAppLicensed+2A0j
		mov	ebx, 0C000000Dh
		jmp	loc_783C2F
; 

loc_8DD249:				; CODE XREF: SPCallServerHandleIsAppLicensed+2A8j
					; SPCallServerHandleIsAppLicensed+15992Fj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_8DD256
		xor	ebx, ebx
		jmp	short loc_8DD25E
; 

loc_8DD256:				; CODE XREF: SPCallServerHandleIsAppLicensed+159904j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_8DD25E:				; CODE XREF: SPCallServerHandleIsAppLicensed+159908j
		mov	[ebp+var_18], ecx
		test	ebx, ebx
		js	short loc_8DD28F
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8DD28F
		mov	eax, [ebp+var_18]
		inc	edi
		cmp	edi, 4
		jb	short loc_8DD249
		jmp	loc_783BF9
; 

loc_8DD282:				; CODE XREF: SPCallServerHandleIsAppLicensed+2B4j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_783C08
; 

loc_8DD28F:				; CODE XREF: SPCallServerHandleIsAppLicensed+2BEj
					; SPCallServerHandleIsAppLicensed+159917j ...
		mov	eax, [ebp+var_1C]
		jmp	loc_783C1A
; 

loc_8DD297:				; CODE XREF: SPCallServerHandleIsAppLicensed+2FDj
		mov	edx, [ebp+var_20]
		cmp	dword ptr [edx], 5
		jbe	loc_783C4F
		and	[ebp+var_1C], ecx
		jmp	loc_783F8F
; 

loc_8DD2AB:				; CODE XREF: SPCallServerHandleIsAppLicensed+63Dj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_8DD2B8
		xor	ebx, ebx
		jmp	short loc_8DD2C0
; 

loc_8DD2B8:				; CODE XREF: SPCallServerHandleIsAppLicensed+159966j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_8DD2C0:				; CODE XREF: SPCallServerHandleIsAppLicensed+15996Aj
		test	ebx, ebx
		js	loc_783C56
		jmp	loc_783F06
; 

loc_8DD2CD:				; CODE XREF: SPCallServerHandleIsAppLicensed+31Ej
					; SPCallServerHandleIsAppLicensed+5CEj	...
		mov	ebx, 0C000003Eh
		jmp	short loc_8DD30B
; 

loc_8DD2D4:				; CODE XREF: SPCallServerHandleIsAppLicensed+5E0j
		mov	eax, edi
		xor	ecx, ecx
		shr	eax, 1
		cmp	cx, [esi+eax*2-2]
		jnz	short loc_8DD2CD
		lea	eax, [ebp+var_24]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	_StringCbLengthW@12 ; StringCbLengthW(x,x,x)
		test	eax, eax
		js	short loc_8DD2CD
		mov	ecx, [ebp+var_24]
		lea	eax, [ecx+2]
		cmp	eax, edi
		jnz	short loc_8DD2CD
		mov	[ebp+var_2C], esi
		shr	ecx, 1
		jmp	loc_783C59
; 

loc_8DD306:				; CODE XREF: SPCallServerHandleIsAppLicensed+335j
		mov	ebx, 0C0000017h

loc_8DD30B:				; CODE XREF: SPCallServerHandleIsAppLicensed+159986j
		test	ebx, ebx
		js	loc_783B51
		jmp	loc_783C97
; 

loc_8DD318:				; CODE XREF: SPCallServerHandleIsAppLicensed+363j
		cmp	dword ptr [edx], 6
		jbe	loc_783CB5
		and	[ebp+var_2C], ecx
		jmp	loc_783FD5
; 

loc_8DD329:				; CODE XREF: SPCallServerHandleIsAppLicensed+683j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_8DD336
		xor	ebx, ebx
		jmp	short loc_8DD33E
; 

loc_8DD336:				; CODE XREF: SPCallServerHandleIsAppLicensed+1599E4j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_8DD33E:				; CODE XREF: SPCallServerHandleIsAppLicensed+1599E8j
		test	ebx, ebx
		js	loc_783A04
		jmp	loc_783F31
; 

loc_8DD34B:				; CODE XREF: SPCallServerHandleIsAppLicensed+CCj
					; SPCallServerHandleIsAppLicensed+5F9j	...
		mov	ebx, 0C000003Eh
		jmp	short loc_8DD389
; 

loc_8DD352:				; CODE XREF: SPCallServerHandleIsAppLicensed+60Bj
		mov	eax, edi
		xor	ecx, ecx
		shr	eax, 1
		cmp	cx, [esi+eax*2-2]
		jnz	short loc_8DD34B
		lea	eax, [ebp+var_1C]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	_StringCbLengthW@12 ; StringCbLengthW(x,x,x)
		test	eax, eax
		js	short loc_8DD34B
		mov	ecx, [ebp+var_1C]
		lea	eax, [ecx+2]
		cmp	eax, edi
		jnz	short loc_8DD34B
		mov	[ebp+var_24], esi
		shr	ecx, 1
		jmp	loc_783A07
; 

loc_8DD384:				; CODE XREF: SPCallServerHandleIsAppLicensed+E3j
		mov	ebx, 0C0000017h

loc_8DD389:				; CODE XREF: SPCallServerHandleIsAppLicensed+159A04j
		test	ebx, ebx
		js	loc_783B2D
		jmp	loc_783A45
; 

loc_8DD396:				; CODE XREF: SPCallServerHandleIsAppLicensed+101j
					; SPCallServerHandleIsAppLicensed+10Fj
		mov	ebx, 0C000000Dh
		jmp	loc_783B2D
; 

loc_8DD3A0:				; CODE XREF: SPCallServerHandleIsAppLicensed+120j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_783A74
; 

loc_8DD3AD:				; CODE XREF: SPCallServerHandleIsAppLicensed+156j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_783AAA
; 

loc_8DD3BA:				; CODE XREF: SPCallServerHandleIsAppLicensed+17Cj
		mov	ebx, 0C000000Dh
		mov	ecx, eax
		jmp	loc_783CF6
; 

loc_8DD3C6:				; CODE XREF: SPCallServerHandleIsAppLicensed+185j
					; SPCallServerHandleIsAppLicensed+159AB8j
		mov	edx, [edi]
		lea	ecx, [edi+4]
		cmp	ecx, edi
		jb	short loc_8DD3D3
		xor	ebx, ebx
		jmp	short loc_8DD3DB
; 

loc_8DD3D3:				; CODE XREF: SPCallServerHandleIsAppLicensed+159A81j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_8DD3DB:				; CODE XREF: SPCallServerHandleIsAppLicensed+159A85j
		mov	[ebp+var_18], ecx
		test	ebx, ebx
		js	short loc_8DD413
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8DD413
		mov	eax, [ebp+var_2C]
		inc	eax
		mov	[ebp+var_2C], eax
		cmp	eax, 8
		jnb	loc_783CBF
		mov	edi, [ebp+var_18]
		jmp	short loc_8DD3C6
; 

loc_8DD406:				; CODE XREF: SPCallServerHandleIsAppLicensed+37Dj
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_783CD1
; 

loc_8DD413:				; CODE XREF: SPCallServerHandleIsAppLicensed+387j
					; SPCallServerHandleIsAppLicensed+159A94j ...
		mov	eax, esi
		jmp	loc_783CE3
; 

loc_8DD41A:				; CODE XREF: SPCallServerHandleIsAppLicensed+1C7j
					; SPCallServerHandleIsAppLicensed+3A2j	...
		mov	ebx, 0C0000023h
		jmp	loc_783B2D
; 

loc_8DD424:				; CODE XREF: SPCallServerHandleIsAppLicensed+399j
		mov	ecx, [ebp+var_50]
		jmp	loc_783CF6
; 

loc_8DD42C:				; CODE XREF: SPCallServerHandleIsAppLicensed+3B9j
		mov	eax, 0C000A281h
		jmp	loc_783D21
; 

loc_8DD436:				; CODE XREF: SPCallServerHandleIsAppLicensed+3F0j
		mov	eax, [ebp+var_3C]
		jmp	loc_783D48
; 

loc_8DD43E:				; CODE XREF: SPCallServerHandleIsAppLicensed+4AFj
		mov	ebx, 0C000003Eh
		jmp	loc_783B2D
; 

loc_8DD448:				; CODE XREF: SPCallServerHandleIsAppLicensed+4C6j
		mov	ebx, 0C0000017h
		jmp	loc_783B2D
; 

loc_8DD452:				; CODE XREF: SPCallServerHandleIsAppLicensed+4E6j
		mov	ecx, [edi]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		ja	short loc_8DD41A
		jmp	loc_783EE5
; 

loc_8DD462:				; CODE XREF: SPCallServerHandleIsAppLicensed+568j
		mov	eax, [ebp+var_28]
		jmp	loc_783ED5
; 

loc_8DD46A:				; CODE XREF: SPCallServerHandleIsAppLicensed+594j
		mov	ecx, [edi]
		xor	ebx, ebx
		add	ecx, eax
		lea	eax, [esi+0Ch]
		cmp	eax, ecx
		ja	short loc_8DD41A
		mov	eax, [ebp+var_5C]
		mov	dword ptr [esi], 8
		mov	esi, [ebp+var_34]
		mov	[edx], eax
		mov	eax, [ebp+var_44]
		mov	[edx+4], eax
		inc	dword ptr [esi]
		jmp	loc_783E89
; 

loc_8DD492:				; CODE XREF: SPCallServerHandleIsAppLicensed+233j
		mov	ecx, [edi]
		push	edi
		push	14h
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_783B2D
		inc	dword ptr [esi]
		xor	ebx, ebx
		jmp	loc_783B2D
; END OF FUNCTION CHUNK	FOR SPCallServerHandleIsAppLicensed
; 
; START	OF FUNCTION CHUNK FOR SPCallServerHandleClepKdf

loc_8DD4B0:				; CODE XREF: SPCallServerHandleClepKdf+3Cj
					; SPCallServerHandleClepKdf+44j ...
		mov	edx, 0C000000Dh
		jmp	loc_784473
; 

loc_8DD4BA:				; CODE XREF: SPCallServerHandleClepKdf+C7j
					; SPCallServerHandleClepKdf+41Aj ...
		mov	edx, 0C0000023h
		jmp	loc_784473
; 

loc_8DD4C4:				; CODE XREF: SPCallServerHandleClepKdf+109j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_784151
; 

loc_8DD4D1:				; CODE XREF: SPCallServerHandleClepKdf+141j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_784189
; 

loc_8DD4DE:				; CODE XREF: SPCallServerHandleClepKdf+17Dj
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_7841C5
; 

loc_8DD4EB:				; CODE XREF: SPCallServerHandleClepKdf+1B5j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_7841FD
; 

loc_8DD4F8:				; CODE XREF: SPCallServerHandleClepKdf+18Aj
					; SPCallServerHandleClepKdf+19Fj ...
		mov	edi, [ebp+var_3C]
		jmp	loc_784210
; 

loc_8DD500:				; CODE XREF: SPCallServerHandleClepKdf+1EEj
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_784236
; 

loc_8DD50D:				; CODE XREF: SPCallServerHandleClepKdf+22Bj
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh
		jmp	loc_784273
; 

loc_8DD51A:				; CODE XREF: SPCallServerHandleClepKdf+1FBj
					; SPCallServerHandleClepKdf+210j ...
		mov	esi, [ebp+var_34]
		jmp	loc_784284
; 

loc_8DD522:				; CODE XREF: SPCallServerHandleClepKdf+253j
		mov	esi, 0C00000BBh
		jmp	loc_7842B1
; 

loc_8DD52C:				; CODE XREF: SPCallServerHandleClepKdf+35Dj
		mov	edx, 0C000003Eh
		jmp	loc_784473
; 

loc_8DD536:				; CODE XREF: SPCallServerHandleClepKdf+374j
		mov	edx, 0C0000017h
		jmp	loc_784473
; 

loc_8DD540:				; CODE XREF: SPCallServerHandleClepKdf+461j
		mov	ecx, [edi]
		push	edi
		push	24h
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_784473
		inc	dword ptr [ebx]
		xor	edx, edx
		jmp	loc_784473
; END OF FUNCTION CHUNK	FOR SPCallServerHandleClepKdf
; 
; START	OF FUNCTION CHUNK FOR ExpGetKernelDataProtection

loc_8DD55E:				; CODE XREF: ExpGetKernelDataProtection+16j
		mov	ebx, 0C000000Dh
		jmp	loc_78475A
; 

loc_8DD568:				; CODE XREF: ExpGetKernelDataProtection+37j
		mov	ebx, 0C0000225h
		mov	[ebp+var_1C], ebx
		jmp	loc_78474E
; END OF FUNCTION CHUNK	FOR ExpGetKernelDataProtection

;  S U B	R O U T	I N E 


sub_8DD575	proc near		; DATA XREF: .text:006A1A28o
		mov	ebx, [ebp-1Ch]
		jmp	sub_78476E
sub_8DD575	endp

; 
; START	OF FUNCTION CHUNK FOR WarbirdKmDecryptPointer

loc_8DD57D:				; CODE XREF: WarbirdKmDecryptPointer+4Ej
		mov	ecx, edx
		shl	eax, cl
		or	[ebp+var_1C], eax
		jmp	loc_7847F2
; 

loc_8DD589:				; CODE XREF: WarbirdKmDecryptPointer+A6j
		rol	ebx, 8
		mov	ecx, ebx
		jmp	loc_784847
; END OF FUNCTION CHUNK	FOR WarbirdKmDecryptPointer
; 

loc_8DD593:				; CODE XREF: PAGE:00788C45j
		mov	ebx, 0C0000017h
		jmp	loc_788DC4
; 

loc_8DD59D:				; CODE XREF: PAGE:00788C62j
		mov	eax, ecx
		jmp	loc_788C68
; 

loc_8DD5A4:				; CODE XREF: PAGE:00788CA5j
					; PAGE:00788CADj
		mov	byte ptr [edx],	0
		jmp	loc_788CB3
; 

loc_8DD5AC:				; CODE XREF: PAGE:00788CCBj
		mov	ebx, 0C0000017h
		jmp	short loc_8DD5D0
; 

loc_8DD5B3:				; CODE XREF: PAGE:00788CF5j
		mov	ecx, eax
		jmp	loc_788CFB
; 

loc_8DD5BA:				; CODE XREF: PAGE:00788D27j
		mov	ebx, 0C0000017h
		jmp	loc_788D4A
; 

loc_8DD5C4:				; CODE XREF: PAGE:00788D39j
		mov	edx, eax
		jmp	loc_788D3F
; 

loc_8DD5CB:				; CODE XREF: PAGE:00788C76j
					; PAGE:00788C84j ...
		mov	ebx, 0C000000Dh

loc_8DD5D0:				; CODE XREF: PAGE:008DD5B1j
		mov	esi, [ebp+0Ch]
		jmp	loc_788D4A
; 

loc_8DD5D8:				; DATA XREF: .text:006A1A44o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		mov	eax, 1
		retn
; 

loc_8DD5E8:				; DATA XREF: .text:006A1A48o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-34h]
		mov	[ebp-20h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp+14h]
		mov	esi, [ebp+0Ch]
		jmp	loc_788D54
; 

loc_8DD603:				; CODE XREF: PAGE:00788D6Aj
		lea	eax, [ebp-2Ch]
		push	eax
		push	edi
		push	dword ptr [ebp-24h]
		lea	eax, [ebp-28h]
		push	eax
		lea	edx, [ebp-40h]
		call	SLQueryLicenseValueInternal
		jmp	loc_788D83
; 

loc_8DD61C:				; CODE XREF: PAGE:00788DAAj
		mov	ebx, 0C0000023h
		mov	[ebp-20h], ebx
		jmp	loc_788DBD
; 

loc_8DD629:				; DATA XREF: .text:006A1A50o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		mov	eax, 1
		retn
; 

loc_8DD639:				; DATA XREF: .text:006A1A54o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-38h]
		mov	[ebp-20h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_788DC4
; 
; START	OF FUNCTION CHUNK FOR FsRtlCancellableWaitForMultipleObjects

loc_8DD64E:				; CODE XREF: FsRtlCancellableWaitForMultipleObjects+A9j
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	short loc_8DD665
		cmp	byte ptr [eax+24h], 0
		jz	short loc_8DD665
		mov	eax, 0C0000120h
		jmp	loc_788EA1
; 

loc_8DD665:				; CODE XREF: FsRtlCancellableWaitForMultipleObjects+154831j
					; FsRtlCancellableWaitForMultipleObjects+154837j
		test	esi, esi
		jz	loc_788E7C
		cmp	dword ptr [esi+4], 0
		jg	short loc_8DD6BE
		jl	short loc_8DD67A
		cmp	dword ptr [esi], 0
		jnb	short loc_8DD6BE

loc_8DD67A:				; CODE XREF: FsRtlCancellableWaitForMultipleObjects+154851j
		lea	eax, [esp+18h+var_8]
		push	eax
		call	KeQueryTickCount
		cmp	[esp+18h+var_4], ebx
		jg	short loc_8DD6DE
		jl	short loc_8DD692
		cmp	[esp+18h+var_8], edi
		jnb	short loc_8DD6DE

loc_8DD692:				; CODE XREF: FsRtlCancellableWaitForMultipleObjects+154868j
		call	_KeQueryTimeIncrement@0	; KeQueryTimeIncrement()
		mov	edx, edi
		mov	ecx, ebx
		sub	edx, [esp+18h+var_8]
		sbb	ecx, [esp+18h+var_4]
		push	ecx
		push	edx
		push	0
		push	eax
		call	__allmul
		neg	eax
		mov	[esi], eax
		adc	edx, 0
		neg	edx
		mov	[esi+4], edx
		jmp	loc_788E7C
; 

loc_8DD6BE:				; CODE XREF: FsRtlCancellableWaitForMultipleObjects+15484Fj
					; FsRtlCancellableWaitForMultipleObjects+154856j
		lea	eax, [esp+18h+var_8]
		push	eax
		call	KeQuerySystemTime
		cmp	[esp+18h+var_4], ebx
		jg	short loc_8DD6DE
		jl	loc_788E7C
		cmp	[esp+18h+var_8], edi
		jb	loc_788E7C

loc_8DD6DE:				; CODE XREF: FsRtlCancellableWaitForMultipleObjects+154866j
					; FsRtlCancellableWaitForMultipleObjects+15486Ej ...
		mov	eax, 102h
		jmp	loc_788EA1
; END OF FUNCTION CHUNK	FOR FsRtlCancellableWaitForMultipleObjects
; 
; START	OF FUNCTION CHUNK FOR NtWaitForMultipleObjects

loc_8DD6E8:				; CODE XREF: NtWaitForMultipleObjects+CDj
					; NtWaitForMultipleObjects+D5j
		mov	byte ptr [ecx],	0
		jmp	loc_788FBB
; END OF FUNCTION CHUNK	FOR NtWaitForMultipleObjects

;  S U B	R O U T	I N E 


sub_8DD6F0	proc near		; DATA XREF: .text:006A1A6Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-130h], eax
		mov	eax, 1
		retn
sub_8DD6F0	endp


;  S U B	R O U T	I N E 


sub_8DD703	proc near		; DATA XREF: .text:006A1A70o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-130h]
		jmp	loc_788FF6
sub_8DD703	endp

; 
; START	OF FUNCTION CHUNK FOR NtWaitForMultipleObjects

loc_8DD718:				; CODE XREF: NtWaitForMultipleObjects+76j
					; NtWaitForMultipleObjects+7Fj
		mov	eax, 0C00000EFh
		jmp	loc_788FF6
; END OF FUNCTION CHUNK	FOR NtWaitForMultipleObjects
; 
; START	OF FUNCTION CHUNK FOR ObWaitForMultipleObjects

loc_8DD722:				; CODE XREF: ObWaitForMultipleObjects+3F9j
		push	0
		call	_KeSetKernelStackSwapEnable@4 ;	KeSetKernelStackSwapEnable(x)
		mov	byte ptr [ebp+var_264],	al
		mov	eax, esi
		call	__alloca_probe_16
		mov	[ebp+var_18], esp
		mov	[ebp+var_23C], esp
		jmp	loc_789124
; 

loc_8DD744:				; CODE XREF: ObWaitForMultipleObjects+100j
		mov	ecx, eax
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		mov	[ebp+var_258], eax
		test	eax, eax
		jz	short loc_8DD761
		mov	[ebp+var_21E], 1
		jmp	loc_789172
; 

loc_8DD761:				; CODE XREF: ObWaitForMultipleObjects+1546F3j
		xor	eax, eax
		mov	[ebp+var_224], eax
		test	edi, edi
		jz	loc_789172
		mov	dl, [ebp+arg_8]

loc_8DD774:				; CODE XREF: ObWaitForMultipleObjects+154735j
		mov	ecx, [ebp+var_244]
		mov	ecx, [ecx+eax*4]
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jz	short loc_8DD79C
		mov	eax, [ebp+var_224]
		inc	eax
		mov	[ebp+var_224], eax
		cmp	eax, edi
		jb	short loc_8DD774
		jmp	loc_789175
; 

loc_8DD79C:				; CODE XREF: ObWaitForMultipleObjects+154724j
		mov	edi, 0C000010Ah
		jmp	loc_789371
; 

loc_8DD7A6:				; CODE XREF: ObWaitForMultipleObjects+3B5j
		neg	eax
		lock xadd [edi], eax
		jmp	loc_78921B
; 

loc_8DD7B1:				; CODE XREF: ObWaitForMultipleObjects+4ADj
		xor	edx, edx
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_78921B
; 

loc_8DD7BD:				; CODE XREF: ObWaitForMultipleObjects+5FFj
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_268],	al
		push	[ebp+var_268]
		mov	edx, ebx
		mov	ecx, [ebp+var_22C]
		call	ExHandleLogBadReference
		mov	edi, [ebp+var_234]
		jmp	loc_789665
; 

loc_8DD7ED:				; CODE XREF: ObWaitForMultipleObjects+5EDj
		mov	eax, [ebp+var_240]
		movzx	eax, word ptr [eax+7Eh]
		mov	edx, [eax+ebx]
		jmp	loc_7892C4
; 

loc_8DD7FF:				; CODE XREF: ObWaitForMultipleObjects+200j
		mov	edi, 0C0000022h
		jmp	loc_789566
; 

loc_8DD809:				; CODE XREF: ObWaitForMultipleObjects+29Dj
		mov	[ebp+var_21E], 0
		mov	ecx, [ebp+var_250]
		add	ecx, 0F0h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, [ebp+var_230]
		jmp	loc_789303
; 

loc_8DD82C:				; CODE XREF: ObWaitForMultipleObjects+57Fj
		mov	edi, 0C0000030h
		jmp	loc_789371
; END OF FUNCTION CHUNK	FOR ObWaitForMultipleObjects

;  S U B	R O U T	I N E 


sub_8DD836	proc near		; DATA XREF: .text:006A1A8Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	ecx, [eax]
		mov	[ebp-270h], ecx
		xor	eax, eax
		cmp	ecx, 0C0000191h
		setz	al
		retn
sub_8DD836	endp


;  S U B	R O U T	I N E 


sub_8DD84F	proc near		; DATA XREF: .text:006A1A90o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-270h]
		mov	[ebp-274h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-278h]
		mov	[ebp-250h], eax
		mov	al, [ebp-225h]
		mov	[ebp-21Dh], al
		mov	esi, [ebp-22Ch]
		mov	ebx, [ebp-238h]
		jmp	loc_789377
sub_8DD84F	endp

; 
; START	OF FUNCTION CHUNK FOR ObWaitForMultipleObjects

loc_8DD88E:				; CODE XREF: ObWaitForMultipleObjects+631j
		mov	ecx, [ebp+var_250]
		lea	ecx, [ecx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_789697
; 

loc_8DD8A4:				; CODE XREF: ObWaitForMultipleObjects+412j
		push	[ebp+var_264]
		call	_KeSetKernelStackSwapEnable@4 ;	KeSetKernelStackSwapEnable(x)
		jmp	loc_7893B2
; END OF FUNCTION CHUNK	FOR ObWaitForMultipleObjects
; 
; START	OF FUNCTION CHUNK FOR PfCheckDeprioritizeFile

loc_8DD8B4:				; CODE XREF: PfCheckDeprioritizeFile+98j
		mov	ecx, esi
		jmp	loc_789755
; 

loc_8DD8BB:				; CODE XREF: PfCheckDeprioritizeFile+54j
					; PfCheckDeprioritizeFile+A9j
		push	11h
		xor	edx, edx
		mov	ebx, offset unk_6D48DC
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_8DD8D5
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8DD8D5:				; CODE XREF: PfCheckDeprioritizeFile+15421Ej
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_789849
; END OF FUNCTION CHUNK	FOR PfCheckDeprioritizeFile
; 
; START	OF FUNCTION CHUNK FOR ExDupHandleTable

loc_8DD8E6:				; CODE XREF: ExDupHandleTable+2Ej
					; ExDupHandleTable+71j
		mov	edx, 1
		call	ExCreateHandleTable
		mov	[esi], eax
		test	eax, eax
		jz	short loc_8DD908
		xor	eax, eax
		jmp	loc_789ACB
; 

loc_8DD8FD:				; CODE XREF: ExDupHandleTable+2ABj
		call	ExpFreeHandleTable
		mov	dword ptr [esi], 0

loc_8DD908:				; CODE XREF: ExDupHandleTable+84j
					; ExDupHandleTable+154024j
		mov	eax, 0C000009Ah
		jmp	loc_789ACB
; 

loc_8DD912:				; CODE XREF: ExDupHandleTable+22Dj
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	_ExUnlockHandleTableEntry@8 ; ExUnlockHandleTableEntry(x,x)
		jmp	loc_789A00
; 

loc_8DD921:				; CODE XREF: ExDupHandleTable+135j
		mov	[ebp+var_4], 0C000000Dh
		jmp	loc_789A0B
; 

loc_8DD92D:				; CODE XREF: ExDupHandleTable+26Aj
		mov	[ebp+var_4], 0
		jmp	loc_789A0B
; 

loc_8DD939:				; CODE XREF: ExDupHandleTable+289j
		mov	edx, large fs:124h
		mov	ecx, [ebp+var_C]
		push	1
		push	[ebp+var_10]
		call	_ExpUpdateDebugInfo@16 ; ExpUpdateDebugInfo(x,x,x,x)
		jmp	loc_789A22
; 

loc_8DD952:				; CODE XREF: ExDupHandleTable+114j
		lea	ecx, ds:0[eax*8]
		mov	eax, 1000h
		sub	eax, ecx
		push	eax		; size_t
		mov	eax, [ebp+var_30]
		add	eax, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_C]
		add	esp, 0Ch
		jmp	loc_789A44
; 

loc_8DD979:				; CODE XREF: ExDupHandleTable+193j
		or	byte ptr [ecx+1Ch], 4
		lea	eax, [ecx+10h]
		mov	[eax+4], eax
		mov	[eax], eax
		jmp	loc_789AC1
; 

loc_8DD98A:				; CODE XREF: ExDupHandleTable+1C1j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8DD991:				; CODE XREF: ExpDuplicateSingleHandle+33j
		mov	ecx, ebx
		call	_ExpGetHandleExtraInfo@8 ; ExpGetHandleExtraInfo(x,x)
		test	eax, eax
		jz	loc_789C25
		cmp	dword ptr [eax], 0
		jnz	short loc_8DD9AF
		cmp	dword ptr [eax+4], 0
		jz	loc_789C25

loc_8DD9AF:				; CODE XREF: ExDupHandleTable+1540D3j
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		push	eax
		call	_ExpSetHandleExtraInfo@12 ; ExpSetHandleExtraInfo(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_8DD9E4
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		inc	ecx
		lock xadd [eax], ecx
		and	[ebp+arg_C], 0
		lea	ecx, [ebx+20h]
		xor	edx, edx
		lea	eax, [ebp+arg_C]
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	short loc_8DD9F7
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	short loc_8DD9F7
; 

loc_8DD9E4:				; CODE XREF: ExDupHandleTable+1540EEj
		mov	esi, [ebp+var_4]
		jmp	loc_789C25
; END OF FUNCTION CHUNK	FOR ExDupHandleTable
; 
; START	OF FUNCTION CHUNK FOR ExpDuplicateSingleHandle

loc_8DD9EC:				; CODE XREF: ExpDuplicateSingleHandle+4Cj
		cmp	[ebp+arg_10], 0
		jnz	short loc_8DD9F7
		mov	esi, 107h

loc_8DD9F7:				; CODE XREF: ExDupHandleTable+15410Bj
					; ExDupHandleTable+154112j ...
		and	dword ptr [edi], 0
		and	dword ptr [edi+4], 0
		jmp	loc_789C3E
; END OF FUNCTION CHUNK	FOR ExpDuplicateSingleHandle
; 
; START	OF FUNCTION CHUNK FOR ObInheritObjectHandle

loc_8DDA03:				; CODE XREF: ObInheritObjectHandle+6Bj
		mov	edx, [ebp+var_8]
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edx+0Ch]
		mov	edx, [ebp+var_C]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		push	ds:_ObTypeIndexTable[ecx*4]
		mov	ecx, edx
		push	dword ptr [ebx+0E4h]
		push	dword ptr [ebx+170h]
		push	edi
		call	_EtwTraceDuplicateHandle@24 ; EtwTraceDuplicateHandle(x,x,x,x,x,x)
		jmp	loc_789CB9
; END OF FUNCTION CHUNK	FOR ObInheritObjectHandle
; 
; START	OF FUNCTION CHUNK FOR CcUnmapVacb

loc_8DDA40:				; CODE XREF: CcUnmapVacb+D1j
		mov	ecx, eax
		xor	eax, edi
		cmp	eax, 7
		jb	loc_789D94
		jmp	loc_789E53
; 

loc_8DDA52:				; CODE XREF: CcUnmapVacb+72j
		or	ebx, 2
		jmp	loc_789D4C
; END OF FUNCTION CHUNK	FOR CcUnmapVacb
; 
; START	OF FUNCTION CHUNK FOR CcPinRead

loc_8DDA5A:				; CODE XREF: CcPinRead+9Aj
		inc	large dword ptr	fs:694h
		mov	[ebp+var_19], 0
		jmp	loc_78A02D
; END OF FUNCTION CHUNK	FOR CcPinRead

;  S U B	R O U T	I N E 

; Attributes: thunk

sub_8DDA6A	proc near		; DATA XREF: .text:006A1AF0o
		jmp	sub_78A093
sub_8DDA6A	endp

; 
; START	OF FUNCTION CHUNK FOR sub_78A093

loc_8DDA6F:				; CODE XREF: sub_78A093+18j
		cmp	dword ptr [ebp-20h], 0
		jz	locret_78A0B1
		push	dword ptr [ebp-20h]
		call	_CcUnpinData@4	; CcUnpinData(x)
		jmp	locret_78A0B1
; END OF FUNCTION CHUNK	FOR sub_78A093
; 
; START	OF FUNCTION CHUNK FOR CcPinMappedData

loc_8DDA86:				; CODE XREF: CcPinMappedData+A8j
		lea	ecx, [ebp+var_20]
		mov	[ebp+arg_4], ecx
		mov	ecx, [ebp+var_24]
		cmp	ecx, [ebp+arg_4]
		jnz	short loc_8DDAA5
		push	eax
		mov	ecx, edi
		call	_CcAllocateObcb@12 ; CcAllocateObcb(x,x,x)
		mov	[ebp+var_20], eax
		lea	ecx, [eax+10h]
		mov	[ebp+var_24], ecx

loc_8DDAA5:				; CODE XREF: CcPinMappedData+1539D2j
		mov	eax, [ebp+var_30]
		mov	edx, [ebp+var_38]
		sub	eax, edx
		mov	ecx, [ebp+arg_8]
		add	ecx, eax
		mov	[ebp+arg_8], ecx
		mov	[ebp+var_30], edx
		mov	eax, [ebp+var_34]
		mov	[ebp+var_2C], eax
		mov	edx, [ebp+var_24]
		add	edx, 4
		mov	[ebp+var_24], edx
		jmp	loc_78A174
; 

loc_8DDACC:				; CODE XREF: CcPinMappedData+BEj
		mov	al, 1
		jmp	loc_78A186
; 

loc_8DDAD3:				; CODE XREF: CcPinMappedData+9Aj
		mov	al, byte ptr [ebp+arg_C]
		and	al, 1
		movzx	eax, al
		push	eax
		lea	eax, [ecx+38h]
		push	eax
		call	ExAcquireSharedStarveExclusive
		test	al, al
		jz	loc_78A210
		jmp	loc_78A1CA
; END OF FUNCTION CHUNK	FOR CcPinMappedData

;  S U B	R O U T	I N E 


sub_8DDAF2	proc near		; DATA XREF: .text:006A1B10o
		mov	esi, [ebp+18h]
		mov	bl, [ebp-19h]
		jmp	sub_78A207
sub_8DDAF2	endp

; 
; START	OF FUNCTION CHUNK FOR sub_78A207

loc_8DDAFD:				; CODE XREF: sub_78A207+2j
		inc	dword ptr [esi]
		mov	eax, [ebp-20h]
		test	eax, eax
		jz	locret_78A20F
		push	eax
		call	_CcUnpinData@4	; CcUnpinData(x)
		jmp	locret_78A20F
; END OF FUNCTION CHUNK	FOR sub_78A207
; 
; START	OF FUNCTION CHUNK FOR MiSegmentDelete

loc_8DDB15:				; CODE XREF: MiSegmentDelete+D8j
		mov	ecx, large fs:124h
		mov	edx, [esi+18h]
		push	dword ptr [ecx+80h]
		mov	ecx, [ebx+20h]
		and	ecx, 0FFFFFFF8h
		add	ecx, 30h
		call	_DbgUnLoadImageSymbolsUnicode@12 ; DbgUnLoadImageSymbolsUnicode(x,x,x)
		jmp	loc_78A2F2
; 

loc_8DDB38:				; CODE XREF: MiSegmentDelete+4Fj
		xor	edx, edx
		mov	ecx, ebx
		call	_MiLogSectionCreate@8 ;	MiLogSectionCreate(x,x)
		jmp	loc_78A269
; END OF FUNCTION CHUNK	FOR MiSegmentDelete
; 
; START	OF FUNCTION CHUNK FOR MiAllocateProcessShadow

loc_8DDB46:				; CODE XREF: MiAllocateProcessShadow+44j
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_MiReleaseNonPagedResources@8 ;	MiReleaseNonPagedResources(x,x)

loc_8DDB50:				; CODE XREF: MiAllocateProcessShadow+2Dj
		mov	eax, 0C000009Ah
		jmp	loc_78A3E3
; END OF FUNCTION CHUNK	FOR MiAllocateProcessShadow
; 
; START	OF FUNCTION CHUNK FOR MiMapImageInSystemSpace

loc_8DDB5A:				; CODE XREF: MiMapImageInSystemSpace+3Cj
		mov	eax, 0C000007Bh
		jmp	loc_78A508
; 

loc_8DDB64:				; CODE XREF: MiMapImageInSystemSpace+4Aj
		push	21h
		lea	ecx, [ebx+50h]
		mov	edx, 288h
		call	MiReferenceActiveSubsection
		test	eax, eax
		js	loc_78A508
		mov	ecx, [ebp+arg_0]
		mov	eax, ebx
		jmp	loc_78A43C
; 

loc_8DDB85:				; CODE XREF: MiMapImageInSystemSpace+84j
		mov	ecx, eax
		or	ecx, 1
		mov	[ebp+var_30], ecx
		jmp	loc_78A477
; 

loc_8DDB92:				; CODE XREF: MiMapImageInSystemSpace+103j
		test	byte ptr [ebp+var_8], 2
		jnz	short loc_8DDBB1
		cmp	dword ptr [edi+4], 0
		jz	loc_78A508

loc_8DDBA2:				; CODE XREF: MiMapImageInSystemSpace+15380Fj
		mov	ecx, ebx
		call	_MiReturnCrossPartitionControlAreaCharges@4 ; MiReturnCrossPartitionControlAreaCharges(x)

loc_8DDBA9:				; CODE XREF: MiMapImageInSystemSpace+15380Dj
		mov	eax, [ebp+arg_0]
		jmp	loc_78A508
; 

loc_8DDBB1:				; CODE XREF: MiMapImageInSystemSpace+1537ACj
		and	[ebp+var_14], 0
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		lea	ecx, [edi+10h]
		xor	edx, edx
		push	ecx
		mov	eax, [eax+64h]
		mov	eax, [eax+34h]
		mov	ecx, eax
		mov	[ebp+var_10], eax
		call	KiStackAttachProcess
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_C]
		mov	ecx, ebx
		push	eax
		call	_MiMapImageInSystemProcess@16 ;	MiMapImageInSystemProcess(x,x,x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jns	short loc_8DDBFB
		xor	edx, edx
		lea	ecx, [edi+10h]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		cmp	dword ptr [edi+4], 0
		jz	short loc_8DDBA9
		jmp	short loc_8DDBA2
; 

loc_8DDBFB:				; CODE XREF: MiMapImageInSystemSpace+1537FDj
		mov	eax, [ebp+var_10]
		add	eax, 240h
		jmp	loc_78A4FB
; END OF FUNCTION CHUNK	FOR MiMapImageInSystemSpace
; 
; START	OF FUNCTION CHUNK FOR MiUnmapImageInSystemSpace

loc_8DDC08:				; CODE XREF: MiUnmapImageInSystemSpace+Dj
		mov	ecx, large fs:124h
		push	0
		push	0
		mov	ecx, [ecx+80h]
		call	MiUnmapViewOfSection
		lea	ecx, [esi+10h]
		xor	edx, edx
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_78A547
; END OF FUNCTION CHUNK	FOR MiUnmapImageInSystemSpace
; 
; START	OF FUNCTION CHUNK FOR MiCommitPagefileBackedSection

loc_8DDC2D:				; CODE XREF: MiCommitPagefileBackedSection+2Bj
		mov	eax, 0C000004Eh
		jmp	loc_78A5F7
; 

loc_8DDC37:				; CODE XREF: MiCommitPagefileBackedSection+6Bj
		mov	[ebp+var_C], ebx
		mov	ecx, ebx
		jmp	short loc_8DDC4E
; 

loc_8DDC3E:				; CODE XREF: MiCommitPagefileBackedSection+153706j
		mov	eax, [ebp+var_C]
		cmp	eax, [ebp+var_8]
		jz	short loc_8DDC63
		mov	eax, [eax+8]
		mov	ecx, eax
		mov	[ebp+var_C], eax

loc_8DDC4E:				; CODE XREF: MiCommitPagefileBackedSection+1536E6j
		push	0
		push	1
		push	8
		pop	edx
		call	MiAddViewsForSection
		test	eax, eax
		jns	short loc_8DDC3E
		jmp	loc_78A5F7
; 

loc_8DDC63:				; CODE XREF: MiCommitPagefileBackedSection+1536EEj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_78A5CA
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		mov	ecx, edi
		call	MiGetProtoPteAddress
		mov	ebx, [ebp+var_4]
		jmp	loc_78A5CA
; END OF FUNCTION CHUNK	FOR MiCommitPagefileBackedSection
; 
; START	OF FUNCTION CHUNK FOR MiAllocateTopLevelPage

loc_8DDC86:				; CODE XREF: MiAllocateTopLevelPage+57j
		mov	ecx, esi
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		jmp	loc_78A64C
; 

loc_8DDC92:				; CODE XREF: MiAllocateTopLevelPage+E7j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_8DDCCC
		xor	eax, eax
		inc	eax
		cmp	byte ptr word_6D07B8+1,	0
		mov	[esp+28h+var_1C], eax
		jnz	loc_78A6F7

loc_8DDCAF:				; CODE XREF: MiAllocateTopLevelPage+1536DCj
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		mov	eax, [esp+28h+var_1C]
		jz	loc_78A6F7
		or	edx, 80000000h
		jmp	loc_78A6F7
; 

loc_8DDCCC:				; CODE XREF: MiAllocateTopLevelPage+153693j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_8DDCAF
		jmp	loc_78A6F3
; 

loc_8DDCE9:				; CODE XREF: MiAllocateTopLevelPage+F9j
		push	edx
		push	edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	ecx, [esp+28h+var_10]
		jmp	loc_78A705
; 

loc_8DDCF9:				; CODE XREF: MiAllocateTopLevelPage+11Bj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		mov	ecx, [esp+28h+var_18]
		test	eax, eax
		jz	short loc_8DDD2F
		xor	edx, edx
		inc	edx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	loc_78A72B

loc_8DDD16:				; CODE XREF: MiAllocateTopLevelPage+153745j
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	loc_78A72B
		or	ebx, 80000000h
		jmp	loc_78A72B
; 

loc_8DDD2F:				; CODE XREF: MiAllocateTopLevelPage+1536FEj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_78A72B
		jmp	short loc_8DDD16
; 

loc_8DDD4D:				; CODE XREF: MiAllocateTopLevelPage+12Dj
		push	ebx
		push	ecx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_78A739
; END OF FUNCTION CHUNK	FOR MiAllocateTopLevelPage
; 
; START	OF FUNCTION CHUNK FOR MiInitializePageDirectoryPages

loc_8DDD5B:				; CODE XREF: MiInitializePageDirectoryPages+66j
		mov	ecx, ebx
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		jmp	loc_78A79B
; END OF FUNCTION CHUNK	FOR MiInitializePageDirectoryPages

;  S U B	R O U T	I N E 


sub_8DDD67	proc near		; DATA XREF: .text:006A1B6Co
		mov	eax, 1
		retn
sub_8DDD67	endp


;  S U B	R O U T	I N E 


sub_8DDD6D	proc near		; DATA XREF: .text:006A1B70o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-0D0h]
		mov	edx, edi
		mov	[ebp-0D8h], edx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-0C4h]
		mov	ebx, [ebp-0D4h]
		mov	esi, [ebp-0DCh]
		mov	[ebp-0C0h], esi
		jmp	loc_78AAE3
sub_8DDD6D	endp

; 
; START	OF FUNCTION CHUNK FOR MiChargeSegmentCommit

loc_8DDDA2:				; CODE XREF: MiChargeSegmentCommit+F3j
		mov	esi, [ebp+var_8]
		or	eax, 0FFFFFFFFh
		add	esi, 1Ch
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8DDDBC
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8DDDBC:				; CODE XREF: MiChargeSegmentCommit+1531A3j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		xor	eax, eax
		jmp	loc_78ACE7
; END OF FUNCTION CHUNK	FOR MiChargeSegmentCommit
; 
; START	OF FUNCTION CHUNK FOR MiUpdateCfgSystemWideBitmapWorker

loc_8DDDD2:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+E7j
		mov	esi, 0C000012Dh
		jmp	loc_78B036
; 

loc_8DDDDC:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+1EEj
		mov	eax, esi
		jmp	loc_78AFB7
; 

loc_8DDDE3:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+22Dj
		mov	eax, 1
		jmp	loc_78AFCC
; 

loc_8DDDED:				; CODE XREF: MiUpdateCfgSystemWideBitmapWorker+221j
		push	edi
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		push	43666720h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8DDE00:				; CODE XREF: MiMapViewInSystemSpace+17j
		mov	eax, 0C00000F4h
		jmp	loc_78B180
; END OF FUNCTION CHUNK	FOR MiUpdateCfgSystemWideBitmapWorker
; 
; START	OF FUNCTION CHUNK FOR MiMapViewInSystemSpace

loc_8DDE0A:				; CODE XREF: MiMapViewInSystemSpace+A6j
					; MiMapViewInSystemSpace+E1j
		mov	ecx, [ebp+var_C]
		call	_MiDereferenceControlArea@4 ; MiDereferenceControlArea(x)
		mov	eax, esi
		jmp	loc_78B180
; END OF FUNCTION CHUNK	FOR MiMapViewInSystemSpace
; 
; START	OF FUNCTION CHUNK FOR MiPfAllocateMdls

loc_8DDE19:				; CODE XREF: MiPfAllocateMdls+1F9j
		or	dword ptr [eax+78h], 8000h
		jmp	loc_78B3AF
; 

loc_8DDE25:				; CODE XREF: MiPfAllocateMdls+210j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8DDE2C:				; CODE XREF: MiPfAllocateMdls+28Cj
		mov	ecx, [ebp+var_10]
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)

loc_8DDE34:				; CODE XREF: MiPfAllocateMdls+122j
		mov	eax, 0C000009Ah
		jmp	loc_78B3E2
; END OF FUNCTION CHUNK	FOR MiPfAllocateMdls
; 
; START	OF FUNCTION CHUNK FOR MiAddMappedPtes

loc_8DDE3E:				; CODE XREF: MiAddMappedPtes+25j
		test	ds:_MiFlags, 8000h
		jz	loc_78B59B
		test	byte ptr [edi+1Ch], 20h
		jnz	loc_78B5A2
		jmp	loc_78B59B
; 

loc_8DDE5D:				; CODE XREF: MiAddMappedPtes+68j
		mov	eax, 0C000001Fh
		jmp	loc_78B697
; 

loc_8DDE67:				; CODE XREF: MiAddMappedPtes+72j
		test	dword ptr [edi+1Ch], 4000000h
		jnz	loc_78B6B4
		jmp	loc_78B5E8
; 

loc_8DDE79:				; CODE XREF: MiAddMappedPtes+120j
		mov	ecx, [ebp+arg_4]
		movzx	eax, word ptr [ecx+10h]
		mov	[ebp+var_18], eax
		test	al, 4
		jz	loc_78B61D
		movzx	eax, word ptr [ecx+12h]
		mov	ebx, edx
		mov	ecx, [ecx+18h]
		shr	eax, 4
		shl	ecx, 9
		add	ecx, eax
		mov	eax, ecx
		and	eax, 0FFFh
		neg	eax
		sbb	eax, eax
		shr	ecx, 0Ch
		neg	eax
		add	eax, ecx
		mov	ecx, [ebp+var_18]
		shr	ecx, 1
		and	ecx, 1Fh
		lea	eax, [edi+eax*8]
		sub	ebx, eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		sar	ebx, 3
		mov	eax, [eax+24h]
		and	eax, 3FFFFFFFh
		sub	ebx, eax
		call	_MiMakeDemandZeroPte@4 ; MiMakeDemandZeroPte(x)
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edx
		jmp	loc_78B615
; 

loc_8DDEE1:				; CODE XREF: MiAddMappedPtes+A7j
		cmp	edi, [ebp+var_8]
		jb	loc_78B61D
		mov	eax, [ebp+var_C]
		dec	ebx
		mov	edx, [ebp+var_10]
		jmp	loc_78B627
; 

loc_8DDEF6:				; CODE XREF: MiAddMappedPtes+D3j
		mov	edx, [ebp+arg_0]
		mov	eax, [edx]
		mov	ecx, [eax+4]
		mov	eax, [edx+54h]
		lea	ebx, [eax+ecx*8]
		cmp	edi, ebx
		jnb	loc_78B695

loc_8DDF0C:				; CODE XREF: MiAddMappedPtes+1529BAj
		mov	ecx, edi
		call	_MiMakePrototypePteDirect@4 ; MiMakePrototypePteDirect(x)
		mov	[esi], eax
		nop
		mov	[esi+4], edx
		add	esi, 8
		cmp	esi, [ebp+var_4]
		jnb	loc_78B695
		add	edi, 8
		cmp	edi, ebx
		jb	short loc_8DDF0C
		jmp	loc_78B695
; END OF FUNCTION CHUNK	FOR MiAddMappedPtes
; 
; START	OF FUNCTION CHUNK FOR MiLockVadRange

loc_8DDF31:				; CODE XREF: MiLockVadRange+37j
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		jmp	loc_78B7D6
; 

loc_8DDF3B:				; CODE XREF: MiLockVadRange+127j
		test	ebx, ebx
		jnz	short loc_8DDF48
		mov	[esp+30h+var_20], edi
		jmp	loc_78B84B
; 

loc_8DDF48:				; CODE XREF: MiLockVadRange+1527A9j
		lea	eax, [edx+1]
		cmp	eax, [ebx+0Ch]
		jz	loc_78B84B
		mov	[esp+30h+var_20], edi
		jmp	loc_78B8C1
; 

loc_8DDF5D:				; CODE XREF: MiLockVadRange+DFj
					; MiLockVadRange+EAj
		mov	ebx, [esp+30h+var_10]
		mov	ecx, ebx
		call	_MiReferenceVad@4 ; MiReferenceVad(x)
		cmp	[esp+30h+var_18], ebx
		jz	short loc_8DDFD5
		mov	edi, [esp+30h+var_18]

loc_8DDF72:				; CODE XREF: MiLockVadRange+15283Dj
		mov	esi, [edi+4]
		mov	ecx, edi
		test	esi, esi
		jz	short loc_8DDF8D
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_8DDFA0

loc_8DDF81:				; CODE XREF: MiLockVadRange+1527F5j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_8DDF81
		jmp	short loc_8DDFA0
; 

loc_8DDF8D:				; CODE XREF: MiLockVadRange+1527E5j
		mov	esi, [edi+8]
		jmp	short loc_8DDF9B
; 

loc_8DDF92:				; CODE XREF: MiLockVadRange+15280Aj
		cmp	[esi], ecx
		jz	short loc_8DDFA0
		mov	ecx, esi
		mov	esi, [esi+8]

loc_8DDF9B:				; CODE XREF: MiLockVadRange+1527FCj
		and	esi, 0FFFFFFFCh
		jnz	short loc_8DDF92

loc_8DDFA0:				; CODE XREF: MiLockVadRange+1527EBj
					; MiLockVadRange+1527F7j ...
		mov	ecx, edi
		call	_MiVadIsCfgBitmap@4 ; MiVadIsCfgBitmap(x)
		test	eax, eax
		jnz	short loc_8DDFCD
		lea	ecx, [edi+18h]
		or	eax, 0FFFFFFFFh
		mov	[esp+30h+var_10], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8DDFC8
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [esp+30h+var_10]

loc_8DDFC8:				; CODE XREF: MiLockVadRange+152829j
		call	KeAbPostRelease

loc_8DDFCD:				; CODE XREF: MiLockVadRange+152815j
		mov	edi, esi
		cmp	esi, ebx
		jnz	short loc_8DDF72
		xor	edi, edi

loc_8DDFD5:				; CODE XREF: MiLockVadRange+1527D8j
		cmp	[ebp+arg_4], 0
		mov	edx, [esp+30h+var_C]
		mov	ecx, [esp+30h+var_1C]
		jz	short loc_8DDFEA
		call	UNLOCK_ADDRESS_SPACE_UNORDERED
		jmp	short loc_8DDFEF
; 

loc_8DDFEA:				; CODE XREF: MiLockVadRange+15284Dj
		call	_UNLOCK_ADDRESS_SPACE_SHARED_UNORDERED@8 ; UNLOCK_ADDRESS_SPACE_SHARED_UNORDERED(x,x)

loc_8DDFEF:				; CODE XREF: MiLockVadRange+152854j
		mov	ecx, ebx
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		cmp	eax, 1
		jnz	short loc_8DE000
		call	_MiWaitForVadDeletion@4	; MiWaitForVadDeletion(x)

loc_8DE000:				; CODE XREF: MiLockVadRange+152865j
		mov	ecx, ebx
		call	MiUnlockAndDereferenceVad
		mov	ebx, [esp+30h+var_C]
		mov	eax, [esp+30h+var_1C]
		mov	esi, [esp+30h+var_20]
		jmp	loc_78B7C3
; 

loc_8DE018:				; CODE XREF: MiLockVadRange+165j
		mov	edx, ecx
		mov	ecx, [esp+30h+var_1C]
		call	_MiLockVad@8	; MiLockVad(x,x)
		jmp	loc_78B909
; END OF FUNCTION CHUNK	FOR MiLockVadRange
; 
; START	OF FUNCTION CHUNK FOR MiLockUnlockCommon

loc_8DE028:				; CODE XREF: MiLockUnlockCommon+49j
		mov	ecx, eax
		jmp	loc_78B993
; 

loc_8DE02F:				; CODE XREF: MiLockUnlockCommon+5Dj
		mov	ecx, eax
		jmp	loc_78B9A7
; 

loc_8DE036:				; CODE XREF: MiLockUnlockCommon+B3j
		push	[ebp+var_20]
		push	ds:dword_A94A5C
		push	ds:_SeLockMemoryPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	loc_78B9FD
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C0000061h
		jmp	loc_78BA11
; END OF FUNCTION CHUNK	FOR MiLockUnlockCommon

;  S U B	R O U T	I N E 


sub_8DE069	proc near		; DATA XREF: .text:006A1BACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8DE069	endp


;  S U B	R O U T	I N E 


sub_8DE079	proc near		; DATA XREF: .text:006A1BB0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_78BA11
sub_8DE079	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlReleaseFileForCcFlush

loc_8DE08B:				; CODE XREF: FsRtlReleaseFileForCcFlush+E8j
		lea	ecx, [esi-126h]
		neg	ecx
		sbb	ecx, ecx
		and	esi, ecx
		jmp	loc_78BB85
; 

loc_8DE09C:				; CODE XREF: FsRtlReleaseFileForCcFlush+12Bj
					; FsRtlReleaseFileForCcFlush+134j ...
		mov	esi, 0C0000010h
		jmp	loc_78BB75
; END OF FUNCTION CHUNK	FOR FsRtlReleaseFileForCcFlush
; 
; START	OF FUNCTION CHUNK FOR FsRtlAcquireFileForCcFlushEx

loc_8DE0A6:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+10Aj
		lea	eax, [esi-126h]
		neg	eax
		sbb	eax, eax
		and	esi, eax
		jmp	loc_78BDD5
; 

loc_8DE0B7:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+14Fj
					; FsRtlAcquireFileForCcFlushEx+158j ...
		mov	esi, 0C0000010h
		jmp	loc_78BDC1
; 

loc_8DE0C1:				; CODE XREF: FsRtlAcquireFileForCcFlushEx+1BBj
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_78BE13
; END OF FUNCTION CHUNK	FOR FsRtlAcquireFileForCcFlushEx

;  S U B	R O U T	I N E 


sub_8DE0CB	proc near		; DATA XREF: .text:006A1BF4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		mov	eax, 1
		retn
sub_8DE0CB	endp


;  S U B	R O U T	I N E 


sub_8DE0DB	proc near		; DATA XREF: .text:006A1BF8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_78BF6A
sub_8DE0DB	endp

; 
; START	OF FUNCTION CHUNK FOR NtDelayExecution

loc_8DE0ED:				; CODE XREF: NtDelayExecution+46j
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx]
		mov	[ebp+var_28], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_24], eax
		jmp	loc_78BF5B
; END OF FUNCTION CHUNK	FOR NtDelayExecution
; 
; START	OF FUNCTION CHUNK FOR MiShareExistingControlArea

loc_8DE100:				; CODE XREF: MiShareExistingControlArea+72j
		mov	eax, [edi+60h]
		or	eax, [edi+64h]
		jnz	loc_78C042
		mov	eax, 0C000011Eh
		jmp	loc_78C059
; END OF FUNCTION CHUNK	FOR MiShareExistingControlArea
; 
; START	OF FUNCTION CHUNK FOR MiCallCreateSectionFilters

loc_8DE116:				; CODE XREF: MiCallCreateSectionFilters+38j
		push	edi
		call	FsRtlReleaseFile
		mov	eax, 0C0000427h
		jmp	loc_78C106
; END OF FUNCTION CHUNK	FOR MiCallCreateSectionFilters
; 
; START	OF FUNCTION CHUNK FOR FsRtlReleaseFile

loc_8DE126:				; CODE XREF: FsRtlReleaseFile+AEj
		test	dl, dl
		jnz	loc_78C2C4
		mov	edx, [ebp+var_138]
		mov	[ebp+var_144], ebx
		jmp	loc_78C326
; 

loc_8DE13F:				; CODE XREF: FsRtlReleaseFile+104j
		push	[ebp+var_128]
		call	_IoGetDeviceAttachmentBaseRef@4	; IoGetDeviceAttachmentBaseRef(x)
		mov	edx, [ebp+var_138]
		mov	[ebp+var_140], eax
		mov	[ebp+var_132], 1
		mov	esi, [eax+8]
		mov	ecx, [esi+28h]
		mov	esi, [esi+18h]
		mov	esi, [esi+18h]
		jmp	loc_78C320
; 

loc_8DE16E:				; CODE XREF: FsRtlReleaseFile+134j
					; FsRtlReleaseFile+13Dj ...
		mov	edi, 0C0000010h
		jmp	loc_78C367
; 

loc_8DE178:				; CODE XREF: FsRtlReleaseFile+161j
		mov	ecx, [ebp+var_140]
		call	ObfDereferenceObject

loc_8DE183:				; CODE XREF: FsRtlReleaseFile+1D3j
		mov	edx, [ebp+var_138]
		jmp	loc_78C377
; 

loc_8DE18E:				; CODE XREF: FsRtlReleaseFile+16Dj
		test	bl, 1
		jz	loc_78C383
		mov	eax, [edx+0Ch]
		test	eax, eax
		jz	short loc_8DE1AA
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	short loc_8DE1AA
		call	ExReleaseResourceLite

loc_8DE1AA:				; CODE XREF: FsRtlReleaseFile+151F8Cj
					; FsRtlReleaseFile+151F93j
		xor	edi, edi
		jmp	loc_78C383
; END OF FUNCTION CHUNK	FOR FsRtlReleaseFile
; 
; START	OF FUNCTION CHUNK FOR FsRtlAcquireFileExclusiveCommon

loc_8DE1B1:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+9Aj
					; FsRtlAcquireFileExclusiveCommon+A3j
		cmp	eax, 10h
		jb	short loc_8DE1BF
		cmp	[ebx+0Ch], esi
		jnz	loc_78C499

loc_8DE1BF:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+8Fj
					; FsRtlAcquireFileExclusiveCommon+151DC4j
		mov	al, [ebp+var_129]
		jmp	loc_78C49B
; 

loc_8DE1CA:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+B3j
		test	al, al
		jnz	loc_78C4A9
		mov	eax, large fs:124h
		xor	edi, edi
		dec	word ptr [eax+13Ch]
		nop
		jmp	loc_78C53D
; 

loc_8DE1E7:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151j
		test	edi, edi
		jz	short loc_8DE234
		test	[ebp+var_104], 4
		mov	eax, [ebp+var_11C]
		mov	[ebp+var_130], eax
		jz	short loc_8DE23A
		push	[ebp+var_120]
		call	_IoGetDeviceAttachmentBaseRef@4	; IoGetDeviceAttachmentBaseRef(x)
		mov	edx, eax
		mov	[ebp+var_140], eax
		mov	[ebp+var_12A], 1
		mov	eax, [edx+8]
		mov	ecx, [eax+28h]
		mov	eax, [eax+18h]
		mov	[ebp+var_134], ecx
		mov	ebx, [eax+18h]
		mov	eax, [ebp+var_130]
		jmp	short loc_8DE240
; 

loc_8DE234:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151DF9j
		mov	eax, [ebp+var_130]

loc_8DE23A:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151E0Ej
		mov	ecx, [ebp+var_134]

loc_8DE240:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151E42j
		test	ebx, ebx
		jz	short loc_8DE262
		mov	ecx, [ebx]
		cmp	ecx, 0Ch
		jb	short loc_8DE251
		cmp	dword ptr [ebx+8], 0
		jnz	short loc_8DE28F

loc_8DE251:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151E59j
		cmp	ecx, 10h
		jb	short loc_8DE25C
		cmp	dword ptr [ebx+0Ch], 0
		jnz	short loc_8DE28F

loc_8DE25C:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151E64j
		mov	ecx, [ebp+var_134]

loc_8DE262:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151E52j
		test	ecx, ecx
		jz	short loc_8DE283
		cmp	dword ptr [ecx], 30h
		jb	short loc_8DE283
		mov	ecx, [ecx+2Ch]
		test	ecx, ecx
		jz	short loc_8DE283
		push	eax
		call	ecx
		mov	eax, [ebp+var_130]
		mov	edx, [ebp+var_140]
		jmp	short loc_8DE288
; 

loc_8DE283:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151E74j
					; FsRtlAcquireFileExclusiveCommon+151E79j ...
		mov	esi, 0C0000010h

loc_8DE288:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151E91j
		or	[ebp+var_13C], 1

loc_8DE28F:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151E5Fj
					; FsRtlAcquireFileExclusiveCommon+151E6Aj
		cmp	[ebp+var_12A], 0
		jz	loc_78C559
		mov	ecx, edx
		call	ObfDereferenceObject
		jmp	loc_78C553
; 

loc_8DE2A8:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+16Fj
		test	byte ptr [ebp+var_13C],	1
		jz	loc_78C565
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	short loc_8DE2CB
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_8DE2CB
		push	1
		push	eax
		call	ExAcquireResourceExclusiveLite

loc_8DE2CB:				; CODE XREF: FsRtlAcquireFileExclusiveCommon+151ECAj
					; FsRtlAcquireFileExclusiveCommon+151ED1j
		xor	esi, esi
		jmp	loc_78C565
; END OF FUNCTION CHUNK	FOR FsRtlAcquireFileExclusiveCommon
; 
; START	OF FUNCTION CHUNK FOR MiRelocateImageAgain

loc_8DE2D2:				; CODE XREF: MiRelocateImageAgain+94j
		or	dword ptr [esi+34h], 400000h
		jmp	loc_78C8A6
; 

loc_8DE2DE:				; CODE XREF: MiRelocateImageAgain+151AC5j
		mov	ebx, 0C00000BBh

loc_8DE2E3:				; CODE XREF: MiRelocateImageAgain+D0j
					; MiRelocateImageAgain+151ACFj
		lea	eax, [ebp+var_2C]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	MiImageUnused
		jmp	loc_78C8A6
; 

loc_8DE2F5:				; CODE XREF: MiRelocateImageAgain+FFj
		test	dword ptr [esi+34h], 0C0000h
		jz	loc_78C953
		mov	eax, [ebp+var_18]
		mov	ecx, dword_6BEA60
		mov	eax, [eax+14h]
		and	eax, 0FFFFFFF8h
		test	ecx, ecx
		jz	short loc_8DE2DE
		push	edi
		push	eax
		call	ecx
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8DE2E3
		jmp	loc_78C953
; END OF FUNCTION CHUNK	FOR MiRelocateImageAgain
; 
; START	OF FUNCTION CHUNK FOR FsRtlGetFileSize

loc_8DE324:				; CODE XREF: FsRtlGetFileSize+C6j
		mov	eax, 0C000009Ah
		jmp	loc_78CA11
; 

loc_8DE32E:				; CODE XREF: FsRtlGetFileSize+12Fj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+60h+var_30]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_78CABD
; 

loc_8DE343:				; CODE XREF: FsRtlGetFileSize+72j
		mov	eax, 0C00000BAh
		jmp	loc_78CA11
; END OF FUNCTION CHUNK	FOR FsRtlGetFileSize
; 
; START	OF FUNCTION CHUNK FOR MiFreeReadListPages

loc_8DE34D:				; CODE XREF: MiFreeReadListPages+3Bj
		mov	ebx, [ebp+var_8]
		mov	edi, eax

loc_8DE352:				; CODE XREF: MiFreeReadListPages+15180Cj
		call	_MiGetPfnLink@4	; MiGetPfnLink(x)
		mov	[esi], eax
		test	ebx, ebx
		jnz	short loc_8DE362
		mov	ebx, offset _MiSystemPartition

loc_8DE362:				; CODE XREF: MiFreeReadListPages+1517FBj
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)
		mov	ecx, [esi]
		inc	edi
		test	ecx, ecx
		jnz	short loc_8DE352
		mov	[ebp+var_4], edi
		mov	edi, [ebp+var_C]
		mov	eax, [ebp+var_4]
		mov	[ebp+var_8], ebx
		mov	ebx, [ebp+var_10]
		jmp	loc_78CBA1
; END OF FUNCTION CHUNK	FOR MiFreeReadListPages
; 
; START	OF FUNCTION CHUNK FOR KeUserModeCallback

loc_8DE382:				; CODE XREF: KeUserModeCallback+4Dj
		push	0
		push	0
		push	0
		push	esi
		push	107h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8DE393:				; CODE XREF: KeUserModeCallback+5Dj
		push	0
		push	0
		call	edi
		movzx	eax, al
		push	eax
		mov	eax, [ebp+4]
		push	eax
		push	4Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8DE3A8:				; CODE XREF: KeUserModeCallback+90j
		mov	[esi+1BFh], cl
		mov	eax, 0C00000FDh
		jmp	loc_78CDE0
; 

loc_8DE3B8:				; CODE XREF: KeUserModeCallback+BDj
		dec	byte ptr [esi+1BFh]
		mov	eax, 0C0000017h
		jmp	loc_78CDE0
; END OF FUNCTION CHUNK	FOR KeUserModeCallback

;  S U B	R O U T	I N E 


sub_8DE3C8	proc near		; DATA XREF: .text:006A1CB0o
		mov	eax, 1
		retn
sub_8DE3C8	endp


;  S U B	R O U T	I N E 


sub_8DE3CE	proc near		; DATA XREF: .text:006A1CB4o
		mov	esp, [ebp-18h]
		mov	eax, 1
		mov	[ebp-30h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-34h]
		mov	[ebp-20h], ecx
		mov	edi, [ebp+0Ch]
		mov	esi, [ebp-28h]
		mov	ecx, [ebp-38h]
		mov	[ebp-1Ch], ecx
		mov	ebx, [ebp-24h]
		jmp	loc_78CDBA
sub_8DE3CE	endp

; 

loc_8DE3FA:				; DATA XREF: .text:006A1CA4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		mov	eax, 1
		retn
; 

loc_8DE40A:				; DATA XREF: .text:006A1CA8o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-3Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-28h]
		mov	ebx, [ebp-24h]
		jmp	loc_78CDCF
; 
; START	OF FUNCTION CHUNK FOR KeUserModeCallback

loc_8DE422:				; CODE XREF: KeUserModeCallback+6Bj
					; KeUserModeCallback+78j
		push	0
		mov	eax, [esi+13Ch]
		push	eax
		movzx	eax, cl
		push	eax
		mov	eax, [ebp+4]
		push	eax
		push	1
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8DE43B:				; CODE XREF: RtlpReadExtendedContext+AEj
		test	edi, 100000h
		jz	short loc_8DE45C
		mov	eax, 10h
		mov	[ebp+var_44], eax
		mov	ecx, [ebp+var_38]
		add	ecx, 4D0h
		mov	[ebp+var_48], ecx
		jmp	loc_78CED8
; 

loc_8DE45C:				; CODE XREF: KeUserModeCallback+151831j
		test	edi, 200000h
		jz	short loc_8DE47D
		mov	eax, 8
		mov	[ebp+var_44], eax
		mov	ecx, [ebp+var_38]
		add	ecx, 1A0h
		mov	[ebp+var_48], ecx
		jmp	loc_78CED8
; 

loc_8DE47D:				; CODE XREF: KeUserModeCallback+151852j
		test	edi, 400000h
		jz	short loc_8DE49E
		mov	eax, 10h
		mov	[ebp+var_44], eax
		mov	ecx, [ebp+var_38]
		add	ecx, 390h
		mov	[ebp+var_48], ecx
		jmp	loc_78CED8
; 

loc_8DE49E:				; CODE XREF: KeUserModeCallback+151873j
		xor	ecx, ecx
		xor	eax, eax
		jmp	loc_78CED8
; END OF FUNCTION CHUNK	FOR KeUserModeCallback
; 
; START	OF FUNCTION CHUNK FOR RtlpReadExtendedContext

loc_8DE4A7:				; CODE XREF: RtlpReadExtendedContext+104j
		mov	eax, [ebp+var_40]

loc_8DE4AA:				; CODE XREF: RtlpReadExtendedContext+F7j
		mov	byte ptr [eax],	0
		jmp	loc_78CF1A
; 

loc_8DE4B2:				; CODE XREF: RtlpReadExtendedContext+134j
		test	edi, 100000h
		jz	short loc_8DE4C2
		mov	[eax+30h], edi
		jmp	loc_78CF4C
; 

loc_8DE4C2:				; CODE XREF: RtlpReadExtendedContext+1516A8j
		test	edi, 200000h
		jnz	loc_78CF4A
		test	edi, 400000h
		jz	loc_78CF4C
		jmp	loc_78CF4A
; 

loc_8DE4DF:				; CODE XREF: RtlpReadExtendedContext+1CCj
		mov	ecx, ds:0FFDF0708h
		or	ecx, [edi]
		mov	eax, ds:0FFDF070Ch
		or	eax, [edi+4]
		or	eax, 80000000h
		and	[edx+8], ecx
		and	[edx+0Ch], eax
		jmp	loc_78CFF0
; END OF FUNCTION CHUNK	FOR RtlpReadExtendedContext

;  S U B	R O U T	I N E 


sub_8DE4FF	proc near		; DATA XREF: .text:006A1CCCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5Ch], eax
		mov	eax, 1
		retn
sub_8DE4FF	endp


;  S U B	R O U T	I N E 


sub_8DE50F	proc near		; DATA XREF: .text:006A1CD0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-5Ch]
		mov	[ebp-54h], esi
		jmp	loc_78CF50
sub_8DE50F	endp

; 
; START	OF FUNCTION CHUNK FOR RtlCopyContext

loc_8DE51D:				; CODE XREF: RtlCopyContext+A7j
		test	ebx, 10000h
		jz	loc_78D0BD
		mov	eax, [ebp+arg_0]
		lea	edi, [edx+2CCh]
		add	eax, 2CCh
		jmp	loc_78D0BF
; 

loc_8DE53C:				; CODE XREF: RtlCopyContext+B3j
		push	eax
		push	eax
		push	edi
		mov	edx, edi
		mov	cl, 1
		call	RtlpCopyXStateChunk
		mov	esi, eax
		jmp	loc_78D0C9
; END OF FUNCTION CHUNK	FOR RtlCopyContext
; 
; START	OF FUNCTION CHUNK FOR RtlpReadExtendedContextLayout

loc_8DE54F:				; CODE XREF: RtlpReadExtendedContextLayout+1Cj
		test	esi, 100000h
		jz	short loc_8DE566
		lea	ebx, [ecx+4D0h]
		mov	dword ptr [edx+0Ch], 4D0h
		jmp	short loc_8DE596
; 

loc_8DE566:				; CODE XREF: RtlpReadExtendedContextLayout+15147Bj
		test	esi, 200000h
		jz	short loc_8DE57D
		lea	ebx, [ecx+1A0h]
		mov	dword ptr [edx+0Ch], 1A0h
		jmp	short loc_8DE596
; 

loc_8DE57D:				; CODE XREF: RtlpReadExtendedContextLayout+151492j
		test	esi, 400000h
		jz	loc_78D11B
		lea	ebx, [ecx+390h]
		mov	dword ptr [edx+0Ch], 390h

loc_8DE596:				; CODE XREF: RtlpReadExtendedContextLayout+15148Aj
					; RtlpReadExtendedContextLayout+1514A1j
		mov	eax, ecx
		sub	eax, ebx
		mov	[edx+8], eax
		jmp	loc_78D11B
; 

loc_8DE5A2:				; CODE XREF: RtlpReadExtendedContextLayout+8Cj
		mov	ecx, eax
		jmp	loc_78D16C
; 

loc_8DE5A9:				; CODE XREF: RtlpReadExtendedContextLayout+C4j
		cmp	esi, ebx
		jb	loc_78D256
		jmp	loc_78D1AC
; 

loc_8DE5B6:				; CODE XREF: RtlpReadExtendedContextLayout+10Ej
		cmp	esi, ebx
		jb	loc_78D1F2
		jmp	loc_78D256
; 

loc_8DE5C3:				; CODE XREF: RtlpReadExtendedContextLayout+12Dj
		mov	eax, [edx+14h]
		add	eax, ecx
		cmp	eax, esi
		jg	loc_78D256
		sub	esi, ecx
		add	esi, edi
		mov	[edx+4], esi
		mov	[edx], ecx
		jmp	loc_78D215
; 

loc_8DE5DE:				; CODE XREF: RtlpReadExtendedContextLayout+151j
		cmp	ecx, ebx
		jb	loc_78D256
		jmp	loc_78D235
; END OF FUNCTION CHUNK	FOR RtlpReadExtendedContextLayout

;  S U B	R O U T	I N E 


sub_8DE5EB	proc near		; DATA XREF: .text:006A1D0Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8DE5EB	endp


;  S U B	R O U T	I N E 


sub_8DE5F9	proc near		; DATA XREF: .text:006A1D10o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_78D135
sub_8DE5F9	endp

; 
; START	OF FUNCTION CHUNK FOR MmPrefetchPagesEx

loc_8DE60B:				; CODE XREF: MmPrefetchPagesEx+48j
		mov	eax, 0C000009Ah
		jmp	loc_78D326
; 

loc_8DE615:				; CODE XREF: MmPrefetchPagesEx+88j
		mov	[esp+28h+var_10], eax
		mov	eax, [esp+28h+var_1C]
		jmp	loc_78D2FD
; 

loc_8DE622:				; CODE XREF: MmPrefetchPagesEx+112j
		call	_MiReleaseReadListResources@4 ;	MiReleaseReadListResources(x)
		push	0
		push	dword ptr [edi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0
		jmp	loc_78D38E
; 

loc_8DE638:				; CODE XREF: MmPrefetchPagesEx+105j
		mov	[esp+28h+var_14], eax
		jmp	short loc_8DE67D
; 

loc_8DE63E:				; CODE XREF: MmPrefetchPagesEx+151419j
		cmp	dword ptr [edi], 0
		jz	short loc_8DE679

loc_8DE643:				; CODE XREF: MmPrefetchPagesEx+1513FEj
		mov	edx, [edi]
		lea	eax, [edx+48h]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_8DE666
		cmp	[ecx+4], eax
		jnz	short loc_8DE686
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_8DE686
		mov	[eax], edx
		mov	[edx+4], eax
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)
		jmp	short loc_8DE643
; 

loc_8DE666:				; CODE XREF: MmPrefetchPagesEx+1513E6j
		mov	ecx, edx
		call	_MiReleaseReadListResources@4 ;	MiReleaseReadListResources(x)
		push	0
		push	dword ptr [edi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0

loc_8DE679:				; CODE XREF: MmPrefetchPagesEx+1513DBj
		inc	ebx
		add	edi, 4

loc_8DE67D:				; CODE XREF: MmPrefetchPagesEx+1513D6j
		cmp	ebx, esi
		jb	short loc_8DE63E
		jmp	loc_78D393
; 

loc_8DE686:				; CODE XREF: MmPrefetchPagesEx+1513EBj
					; MmPrefetchPagesEx+1513F2j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
; END OF FUNCTION CHUNK	FOR MmPrefetchPagesEx ;	AL = character to display
; START	OF FUNCTION CHUNK FOR MiPfPrepareReadList

loc_8DE68B:				; CODE XREF: MiPfPrepareReadList+97j
		mov	eax, 0C000009Ah
		jmp	loc_78D6C1
; 

loc_8DE695:				; CODE XREF: MiPfPrepareReadList+202j
		mov	eax, [ebp+var_10]
		test	dword ptr [eax+1Ch], 4000000h
		jnz	loc_78D687
		jmp	loc_78D648
; 

loc_8DE6AA:				; CODE XREF: MiPfPrepareReadList+455j
		mov	eax, [ebp+var_10]
		test	dword ptr [eax+1Ch], 4000000h
		jz	loc_78D89B
		mov	ebx, 1
		jmp	loc_78D89B
; 

loc_8DE6C4:				; CODE XREF: MiPfPrepareReadList+2BCj
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	_MiRefillPurgedExtents@8 ; MiRefillPurgedExtents(x,x)
		mov	[ebp+var_40], eax
		test	eax, eax
		jns	loc_78D684
		cmp	[ebp+var_18], 0
		jnz	loc_8DE79D
		mov	esi, 0C000009Ah
		jmp	loc_78D6AD
; 

loc_8DE6ED:				; CODE XREF: MiPfPrepareReadList+2A0j
		push	edx
		push	ebx
		call	_IS_PTE_NOT_DEMAND_ZERO@8 ; IS_PTE_NOT_DEMAND_ZERO(x,x)
		test	eax, eax
		jz	loc_78D684
		jmp	loc_78D70F
; 

loc_8DE701:				; CODE XREF: MiPfPrepareReadList+373j
		movzx	edx, word ptr [ebx+10h]
		mov	esi, [ebp+var_20]
		mov	ecx, esi
		push	0
		push	0FFFFFFFFh
		shr	edx, 1
		push	0
		and	edx, 1Fh
		call	_MiGetSlabPage@20 ; MiGetSlabPage(x,x,x,x,x)
		jmp	loc_78D7CA
; 

loc_8DE71F:				; CODE XREF: MiPfPrepareReadList+3ADj
		movzx	eax, word ptr [ebx+10h]
		xor	edx, edx
		mov	ecx, [ebp+var_20]
		shr	eax, 1
		and	eax, 1Fh
		push	eax
		call	_MiGetSlabAllocator@12 ; MiGetSlabAllocator(x,x,x)
		mov	ecx, esi
		mov	edx, [eax+1Ch]
		mov	edx, [edi+edx*4+18h]
		call	_MiSetPfnLink@8	; MiSetPfnLink(x,x)
		mov	eax, [eax+1Ch]
		mov	[edi+eax*4+18h], esi
		jmp	loc_78D800
; 

loc_8DE74D:				; CODE XREF: MiPfPrepareReadList+51Cj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8DE754:				; CODE XREF: MiPfPrepareReadList+50Bj
		mov	ecx, [ebp+var_4]
		push	0
		mov	eax, [ecx+1Ch]
		push	eax
		call	_MiRemoveViewsFromSectionWithPfn@16 ; MiRemoveViewsFromSectionWithPfn(x,x,x,x)
		jmp	loc_78D69D
; 

loc_8DE767:				; CODE XREF: MiPfPrepareReadList+38Dj
		push	1
		mov	edx, 1
		mov	ecx, esi
		call	_MiReturnFaultCharges@12 ; MiReturnFaultCharges(x,x,x)
		cmp	[ebp+var_18], 0
		jnz	loc_78D9EB
		mov	esi, 0C0000017h
		jmp	loc_78D6AD
; 

loc_8DE789:				; CODE XREF: MiPfPrepareReadList+34Ej
		cmp	[ebp+var_18], 0
		jnz	loc_78D9EB
		mov	esi, 0C000009Ah
		jmp	loc_78D6AD
; 

loc_8DE79D:				; CODE XREF: MiPfPrepareReadList+15129Dj
		mov	edi, [ebp+var_8]
		jmp	loc_78D9EB
; 

loc_8DE7A5:				; CODE XREF: MiPfPrepareReadList+5D2j
		mov	ecx, edi
		call	_MiReleaseReadListResources@4 ;	MiReleaseReadListResources(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		jmp	loc_78DA1A
; 

loc_8DE7BB:				; CODE XREF: MiPfPrepareReadList+1AAj
		xor	esi, esi
		jmp	loc_78D6AD
; 

loc_8DE7C2:				; CODE XREF: MiPfPrepareReadList+39j
					; MiPfPrepareReadList+60j ...
		mov	eax, 0C00000EFh
		jmp	loc_78D6C1
; END OF FUNCTION CHUNK	FOR MiPfPrepareReadList
; 
; START	OF FUNCTION CHUNK FOR NtFreeVirtualMemory

loc_8DE7CC:				; CODE XREF: NtFreeVirtualMemory+6Dj
		mov	ecx, eax
		jmp	loc_78DB03
; END OF FUNCTION CHUNK	FOR NtFreeVirtualMemory

;  S U B	R O U T	I N E 


sub_8DE7D3	proc near		; DATA XREF: .text:006A1D38o
		mov	eax, 1
		retn
sub_8DE7D3	endp


;  S U B	R O U T	I N E 


sub_8DE7D9	proc near		; DATA XREF: .text:006A1D3Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp+10h]
		jmp	loc_78DB62
sub_8DE7D9	endp

; 

loc_8DE7EB:				; DATA XREF: .text:006A1D2Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	eax, large fs:124h
		mov	[ebp-2Ch], eax
		mov	eax, [ebp-2Ch]
		mov	al, [eax+15Ah]
		mov	[ebp-19h], al
		mov	cl, [ebp-19h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
; 

loc_8DE815:				; DATA XREF: .text:006A1D30o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-30h]
		jmp	loc_78DB64
; 
; START	OF FUNCTION CHUNK FOR MiPfPrepareSequentialReadList

loc_8DE827:				; CODE XREF: MiPfPrepareSequentialReadList+585j
		test	eax, 4000000h
		jz	loc_78E6FD
		cmp	dword ptr [esi+0Ch], 0
		jnz	short loc_8DE840
		lea	esi, [edi-8]
		jmp	loc_78E506
; 

loc_8DE840:				; CODE XREF: MiPfPrepareSequentialReadList+1505C6j
		mov	edx, [ebp+arg_C]
		push	esi
		call	_MiGetSharedProtos@12 ;	MiGetSharedProtos(x,x,x)
		test	eax, eax
		jnz	short loc_8DE855
		lea	esi, [edi-8]
		jmp	loc_78E506
; 

loc_8DE855:				; CODE XREF: MiPfPrepareSequentialReadList+1505DBj
		mov	edx, [eax+24h]
		mov	[ebp+var_1C], edx
		jmp	loc_78E6FD
; 

loc_8DE860:				; CODE XREF: MiPfPrepareSequentialReadList+1DBj
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_MiRefillPurgedExtents@8 ; MiRefillPurgedExtents(x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jns	loc_78E500

loc_8DE875:				; CODE XREF: MiPfPrepareSequentialReadList+255j
		mov	ecx, [ebp+var_4]
		mov	ebx, [ebp+var_C]
		mov	edi, [ebp+arg_4]
		test	ecx, ecx
		jnz	loc_78E51F
		mov	[ebp+var_18], 0C000009Ah
		jmp	loc_78E51F
; 

loc_8DE892:				; CODE XREF: MiPfPrepareSequentialReadList+270j
		movzx	edx, word ptr [ebx+10h]
		mov	ecx, edi
		push	20000h
		push	0FFFFFFFFh
		shr	edx, 1
		push	0
		and	edx, 1Fh
		call	_MiGetSlabPage@20 ; MiGetSlabPage(x,x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	loc_8DE94F
		lea	ecx, ds:0[eax*8]
		xor	edx, edx
		sub	ecx, eax
		mov	eax, ds:_MmPfnDatabase
		lea	edi, [eax+ecx*4]
		movzx	eax, word ptr [ebx+10h]
		mov	ecx, [ebp+arg_4]
		shr	eax, 1
		and	eax, 1Fh
		push	eax
		call	_MiGetSlabAllocator@12 ; MiGetSlabAllocator(x,x,x)
		mov	ebx, [ebp+var_10]
		mov	ecx, edi
		mov	edx, [eax+1Ch]
		mov	edx, [ebx+edx*4+18h]
		call	_MiSetPfnLink@8	; MiSetPfnLink(x,x)
		mov	eax, [eax+1Ch]
		mov	[ebx+eax*4+18h], edi
		jmp	loc_78E4FD
; 

loc_8DE8F6:				; CODE XREF: MiPfPrepareSequentialReadList+467j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8DE8FD:				; CODE XREF: MiPfPrepareSequentialReadList+45Cj
		mov	eax, [esi+1Ch]
		mov	ecx, esi
		push	0
		push	eax
		call	_MiRemoveViewsFromSectionWithPfn@16 ; MiRemoveViewsFromSectionWithPfn(x,x,x,x)
		mov	ecx, ebx
		call	_MiReleaseReadListResources@4 ;	MiReleaseReadListResources(x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8DE919:				; CODE XREF: MiPfPrepareSequentialReadList+9Dj
		mov	eax, 0C000009Ah
		jmp	loc_78E601
; 

loc_8DE923:				; CODE XREF: MiPfPrepareSequentialReadList+425j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_8DE936
		mov	ecx, [ebp+arg_4]
		mov	edx, eax
		push	1
		call	_MiReturnFaultCharges@12 ; MiReturnFaultCharges(x,x,x)

loc_8DE936:				; CODE XREF: MiPfPrepareSequentialReadList+1506B8j
		mov	ebx, [ebp+var_10]
		mov	ecx, ebx
		call	_MiReleaseReadListResources@4 ;	MiReleaseReadListResources(x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_78E601
; 

loc_8DE94F:				; CODE XREF: MiPfPrepareSequentialReadList+15063Ej
		mov	ebx, [ebp+var_C]

loc_8DE952:				; CODE XREF: MiPfPrepareSequentialReadList+283j
		push	1
		mov	edx, 1
		mov	ecx, edi
		call	_MiReturnFaultCharges@12 ; MiReturnFaultCharges(x,x,x)
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jnz	loc_78E51F
		mov	[ebp+var_18], 0C0000017h
		jmp	loc_78E51F
; 

loc_8DE977:				; CODE XREF: MiPfPrepareSequentialReadList+181j
		xor	ebx, ebx
		xor	ecx, ecx
		jmp	loc_78E51C
; 

loc_8DE980:				; CODE XREF: MiPfPrepareSequentialReadList+2FCj
		mov	ecx, [ebp+arg_4]
		mov	edx, ebx
		push	1
		sub	edx, edi
		call	_MiReturnFaultCharges@12 ; MiReturnFaultCharges(x,x,x)
		mov	ecx, [ebp+var_4]
		sub	edi, ebx
		add	ecx, edi
		mov	[ebp+var_4], ecx
		jnz	loc_78E575
		mov	[ebp+var_18], 0C0000017h
		jmp	loc_78E575
; 

loc_8DE9AA:				; CODE XREF: MiPfPrepareSequentialReadList+2C4j
		mov	ebx, [ebp+var_10]
		jmp	loc_78E5C3
; 

loc_8DE9B2:				; CODE XREF: MiPfPrepareSequentialReadList+382j
		mov	ecx, ebx
		call	_MiReleaseReadListResources@4 ;	MiReleaseReadListResources(x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx
		jmp	loc_78E5FA
; 

loc_8DE9C8:				; CODE XREF: MiPfPrepareSequentialReadList+37j
					; MiPfPrepareSequentialReadList+41j
		mov	eax, 0C00000EFh
		jmp	loc_78E601
; END OF FUNCTION CHUNK	FOR MiPfPrepareSequentialReadList
; 
; START	OF FUNCTION CHUNK FOR MiPrepareVadDelete

loc_8DE9D2:				; CODE XREF: MiPrepareVadDelete+57j
		cmp	eax, 40h
		jnz	loc_78EA61
		jmp	loc_78EA15
; 

loc_8DE9E0:				; CODE XREF: MiPrepareVadDelete+32j
		mov	ecx, large fs:124h
		mov	edx, [ecx+80h]
		call	UNLOCK_ADDRESS_SPACE
		mov	byte ptr [edi],	0
		jmp	loc_78E9D2
; END OF FUNCTION CHUNK	FOR MiPrepareVadDelete
; 
; START	OF FUNCTION CHUNK FOR MiLogRelocationRva

loc_8DE9FA:				; CODE XREF: MiLogRelocationRva+93j
		mov	ecx, [ebp+arg_0]
		mov	edx, large fs:124h
		push	0
		push	edi
		mov	ecx, [ecx+0Ch]
		push	ebx
		push	esi
		call	_PfLogFileDataAccess@24	; PfLogFileDataAccess(x,x,x,x,x,x)
		jmp	loc_78EB17
; END OF FUNCTION CHUNK	FOR MiLogRelocationRva
; 
; START	OF FUNCTION CHUNK FOR MiCreateMdl

loc_8DEA16:				; CODE XREF: MiCreateMdl+50j
		shl	ebx, 0Ch
		mov	[esi+14h], ebx

loc_8DEA1C:				; CODE XREF: MiCreateMdl+8Cj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiDeleteImageCreationMdls@8 ; MiDeleteImageCreationMdls(x,x)
		jmp	loc_78F483
; END OF FUNCTION CHUNK	FOR MiCreateMdl
; 
; START	OF FUNCTION CHUNK FOR MiEnablePartitionMappedWrites

loc_8DEA2B:				; CODE XREF: MiEnablePartitionMappedWrites+95j
		mov	edi, 0C000012Dh

loc_8DEA30:				; CODE XREF: MiEnablePartitionMappedWrites+B9j
		cmp	[ebp+var_8], 5
		jnz	loc_78FB8F
		mov	ecx, esi
		call	_MiDeleteMappedMdls@4 ;	MiDeleteMappedMdls(x)
		jmp	loc_78FB8F
; END OF FUNCTION CHUNK	FOR MiEnablePartitionMappedWrites
; 
; START	OF FUNCTION CHUNK FOR MiCreateDataFileMap

loc_8DEA46:				; CODE XREF: MiCreateDataFileMap+2B8j
		mov	eax, 0C0000020h
		jmp	loc_78FE42
; 

loc_8DEA50:				; CODE XREF: MiCreateDataFileMap+353j
		mov	eax, 0C000011Eh
		jmp	loc_78FE42
; 

loc_8DEA5A:				; CODE XREF: MiCreateDataFileMap+3Fj
					; MiCreateDataFileMap+4Bj ...
		mov	eax, 0C0000040h
		jmp	loc_78FE42
; 

loc_8DEA64:				; CODE XREF: MiCreateDataFileMap+A0j
		push	0
		push	ebx
		jmp	short loc_8DEAE7
; 

loc_8DEA69:				; CODE XREF: MiCreateDataFileMap+B1j
		test	edi, edi
		jnz	short loc_8DEA7C
		mov	ecx, [ebp+arg_8]
		cmp	ecx, 200h
		jbe	loc_78FC5A

loc_8DEA7C:				; CODE XREF: MiCreateDataFileMap+14EECBj
		mov	ecx, [ebp+var_8]
		call	_MiComputeIdealFirstSubsection@4 ; MiComputeIdealFirstSubsection(x)
		shl	eax, 3
		mov	[ebp+arg_18], eax
		jmp	loc_78FC57
; 

loc_8DEA8F:				; CODE XREF: MiCreateDataFileMap+19Fj
		or	eax, 40000000h
		mov	[edx+1Ch], eax
		jmp	loc_78FD5F
; 

loc_8DEA9C:				; CODE XREF: MiCreateDataFileMap+1ACj
		or	[ebx+8], di
		mov	[ebp+arg_18], 0Eh
		jmp	loc_78FD5F
; 

loc_8DEAAC:				; CODE XREF: MiCreateDataFileMap+1B9j
		mov	eax, 4000h
		mov	[ebp+arg_18], 1Eh
		or	[ebx+8], ax
		jmp	loc_78FD5F
; 

loc_8DEAC1:				; CODE XREF: MiCreateDataFileMap+337j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [ebp+var_4]
		mov	eax, [edi+58h]
		test	eax, eax
		jz	short loc_8DEAE4

loc_8DEAD3:				; CODE XREF: MiCreateDataFileMap+14EF42j
		mov	esi, [eax+8]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_8DEAD3

loc_8DEAE4:				; CODE XREF: MiCreateDataFileMap+14EF31j
		push	0
		push	edi

loc_8DEAE7:				; CODE XREF: MiCreateDataFileMap+14EEC7j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8DEAEC:				; CODE XREF: MiCreateDataFileMap+80j
		mov	eax, 0C000009Ah
		jmp	loc_78FE42
; END OF FUNCTION CHUNK	FOR MiCreateDataFileMap
; 
; START	OF FUNCTION CHUNK FOR MiVerifyImageHeader

loc_8DEAF6:				; CODE XREF: MiVerifyImageHeader+11j
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_MiComputeBadImageHeaderType@12	; MiComputeBadImageHeaderType(x,x,x)
		jmp	loc_79010B
; 

loc_8DEB08:				; CODE XREF: MiVerifyImageHeader+1Dj
		cmp	[ebx+14h], cx
		jnz	loc_78FF1B
		mov	dword_6CF4F4, 46h
		mov	eax, 0C0000130h
		jmp	loc_79010B
; 

loc_8DEB26:				; CODE XREF: MiVerifyImageHeader+27j
		mov	dword_6CF4F4, 47h
		jmp	short loc_8DEB3C
; 

loc_8DEB32:				; CODE XREF: MiVerifyImageHeader+30j
		mov	dword_6CF4F4, 48h

loc_8DEB3C:				; CODE XREF: MiVerifyImageHeader+14EC38j
		mov	eax, 0C000007Bh
		jmp	loc_79010B
; 

loc_8DEB46:				; CODE XREF: MiVerifyImageHeader:loc_790051j
		mov	eax, dword_6CF508
		cmp	eax, [esi+34h]
		jnz	loc_790057
		mov	eax, dword_6CF50C
		cmp	eax, [esi+0Ch]
		jnz	loc_790057
		int	3		; Trap to Debugger
		jmp	loc_790057
; 

loc_8DEB68:				; CODE XREF: MiVerifyImageHeader+255j
		mov	dword_6CF4F4, 4Bh
		jmp	loc_79016E
; 

loc_8DEB77:				; CODE XREF: MiVerifyImageHeader:loc_790072j
		cmp	ecx, [esi+8]
		jz	loc_790078
		mov	dword_6CF4F4, 4Ch
		jmp	loc_79016E
; 

loc_8DEB8F:				; CODE XREF: MiVerifyImageHeader+182j
		mov	dword_6CF4F4, 4Dh
		jmp	loc_79016E
; 

loc_8DEB9E:				; CODE XREF: MiVerifyImageHeader+190j
		mov	dword_6CF4F4, 4Eh
		jmp	loc_79016E
; 

loc_8DEBAD:				; CODE XREF: MiVerifyImageHeader+19Bj
		mov	dword_6CF4F4, 4Fh
		jmp	loc_79016E
; 

loc_8DEBBC:				; CODE XREF: MiVerifyImageHeader+1A3j
		mov	dword_6CF4F4, 50h
		jmp	loc_79016E
; 

loc_8DEBCB:				; CODE XREF: MiVerifyImageHeader+1B2j
		mov	dword_6CF4F4, 51h
		jmp	loc_79016E
; 

loc_8DEBDA:				; CODE XREF: MiVerifyImageHeader+1C6j
		mov	edi, 1C4h
		cmp	ax, di
		jz	loc_7900C4
		mov	dword_6CF4F4, 52h
		jmp	loc_79016E
; 

loc_8DEBF7:				; CODE XREF: MiVerifyImageHeader+1D1j
		mov	dword_6CF4F4, 54h
		jmp	loc_79016E
; 

loc_8DEC06:				; CODE XREF: MiVerifyImageHeader+1DCj
		mov	dword_6CF4F4, 55h
		jmp	loc_79016E
; 

loc_8DEC15:				; CODE XREF: MiVerifyImageHeader+1EFj
		test	dl, 1
		jz	short loc_8DEC29
		mov	dword_6CF4F4, 58h
		jmp	loc_79016E
; 

loc_8DEC29:				; CODE XREF: MiVerifyImageHeader+14ED20j
		mov	ax, [esi+30h]
		mov	ecx, 140h
		and	ax, cx
		cmp	ax, cx
		jz	loc_790108
		mov	dword_6CF4F4, 59h
		jmp	loc_79016E
; END OF FUNCTION CHUNK	FOR MiVerifyImageHeader
; 
; START	OF FUNCTION CHUNK FOR MiBuildImageControlArea

loc_8DEC4D:				; CODE XREF: MiBuildImageControlArea+32j
		mov	eax, 0C000007Bh
		jmp	loc_7904CF
; 

loc_8DEC57:				; CODE XREF: MiBuildImageControlArea+47j
		xor	esi, esi
		inc	esi
		jmp	loc_7901C3
; 

loc_8DEC5F:				; CODE XREF: MiBuildImageControlArea+87j
		mov	dword_6CF4F4, 1Ah
		mov	eax, 0C000009Ah
		jmp	loc_7904CE
; 

loc_8DEC73:				; CODE XREF: MiBuildImageControlArea+C7j
		mov	dword_6CF4F4, 1Bh
		mov	edi, 0C000009Ah
		jmp	short loc_8DECAE
; 

loc_8DEC84:				; CODE XREF: MiBuildImageControlArea+FBj
		mov	dword_6CF4F4, 1Ch
		mov	edi, 0C000009Ah

loc_8DEC93:				; CODE XREF: MiBuildImageControlArea+3A5j
					; MiBuildImageControlArea+14EC3Aj
		test	esi, esi
		jz	short loc_8DEC9E
		push	ecx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8DEC9E:				; CODE XREF: MiBuildImageControlArea+14EB1Fj
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_8DECAE
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8DECAE:				; CODE XREF: MiBuildImageControlArea+14EB0Cj
					; MiBuildImageControlArea+14EB2Dj
		xor	eax, eax
		push	eax
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_7904CD
; 

loc_8DECC0:				; CODE XREF: MiBuildImageControlArea+240j
		mov	[ebx+1Ch], edi
		mov	eax, [edx+0Ch]
		mov	edx, [ebp+arg_C]
		mov	ecx, [edx]
		mov	edx, [edx+4]
		cmp	[ebp+var_1C], edx
		mov	[ebp+arg_4], edx
		mov	edx, [ebp+var_8]
		ja	short loc_8DECEB
		jb	short loc_8DECDF
		cmp	eax, ecx
		jnb	short loc_8DECEB

loc_8DECDF:				; CODE XREF: MiBuildImageControlArea+14EB63j
		shr	eax, 9
		mov	[ebx+18h], eax
		mov	cx, [edx+0Ch]
		jmp	short loc_8DECFB
; 

loc_8DECEB:				; CODE XREF: MiBuildImageControlArea+14EB61j
					; MiBuildImageControlArea+14EB67j
		mov	eax, [ebp+arg_4]
		shrd	ecx, eax, 9
		mov	eax, [ebp+arg_C]
		mov	[ebx+18h], ecx
		mov	cx, [eax]

loc_8DECFB:				; CODE XREF: MiBuildImageControlArea+14EB73j
		mov	eax, 1FFh
		and	cx, ax
		mov	ax, [ebx+12h]
		and	ax, 0Fh
		shl	cx, 4
		or	cx, ax
		movzx	eax, cx
		mov	ecx, 0FFCFh
		mov	[ebx+12h], ax
		mov	eax, [ebp+var_10]
		or	byte ptr [eax+23h], 8
		mov	byte ptr [eax+22h], 1
		mov	ax, [ebx+10h]
		and	ax, cx
		mov	ecx, ebx
		or	ax, 0Eh
		mov	[ebx+10h], ax
		call	_MiMakeSubsectionPte@4 ; MiMakeSubsectionPte(x)
		push	7
		pop	ecx
		mov	ebx, eax
		mov	[ebp+arg_4], edx
		call	_MiMakeDemandZeroPte@4 ; MiMakeDemandZeroPte(x)
		mov	[ebp+arg_0], eax
		xor	eax, eax
		mov	[ebp+var_1C], edx
		mov	ecx, eax
		test	edi, edi
		jz	short loc_8DED8C
		mov	edx, [ebp+arg_C]
		mov	eax, edi
		mov	edi, [ebp+arg_4]

loc_8DED62:				; CODE XREF: MiBuildImageControlArea+14EC11j
		cmp	ecx, [edx]
		jnb	short loc_8DED6D
		mov	[esi], ebx
		mov	[esi+4], edi
		jmp	short loc_8DED7B
; 

loc_8DED6D:				; CODE XREF: MiBuildImageControlArea+14EBEEj
		mov	edx, [ebp+arg_0]
		mov	[esi], edx
		mov	edx, [ebp+var_1C]
		mov	[esi+4], edx
		mov	edx, [ebp+arg_C]

loc_8DED7B:				; CODE XREF: MiBuildImageControlArea+14EBF5j
		add	ecx, 1000h
		add	esi, 8
		sub	eax, 1
		jnz	short loc_8DED62
		mov	edi, [ebp+var_14]

loc_8DED8C:				; CODE XREF: MiBuildImageControlArea+14EBE2j
		mov	edx, [ebp+var_8]
		mov	eax, edi
		shl	eax, 3
		sub	esi, eax
		mov	eax, [ebp+var_4]
		mov	[eax+20h], edi
		jmp	loc_7904A0
; 

loc_8DEDA1:				; CODE XREF: MiBuildImageControlArea+24Bj
		mov	dword_6CF4F4, 1Dh
		mov	edi, 0C000007Bh
		jmp	loc_8DEC93
; 

loc_8DEDB5:				; CODE XREF: MiBuildImageControlArea+25Fj
		mov	dword_6CF4F4, 1Eh
		jmp	short loc_8DEDCB
; 

loc_8DEDC1:				; CODE XREF: MiBuildImageControlArea+298j
		mov	dword_6CF4F4, 1Fh

loc_8DEDCB:				; CODE XREF: MiBuildImageControlArea+14EC49j
		mov	edi, 0C000007Bh
		jmp	loc_790519
; END OF FUNCTION CHUNK	FOR MiBuildImageControlArea
; 
; START	OF FUNCTION CHUNK FOR MiParseImageSectionHeaders

loc_8DEDD5:				; CODE XREF: MiParseImageSectionHeaders+37j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_8DEE05
		add	ebx, 10h

loc_8DEDDF:				; CODE XREF: MiParseImageSectionHeaders+14E8E3j
		mov	edx, [ebx-8]
		mov	esi, [ebx]
		test	edx, edx
		jnz	short loc_8DEDEA
		mov	edx, esi

loc_8DEDEA:				; CODE XREF: MiParseImageSectionHeaders+14E8C6j
		mov	edi, [ebx+4]
		lea	eax, [edi+esi]
		cmp	eax, edi
		jb	short loc_8DEE2A
		cmp	edi, [ebx-4]
		jnz	short loc_8DEE16
		cmp	edx, esi
		ja	short loc_8DEE16
		add	ebx, 28h
		sub	ecx, 1
		jnz	short loc_8DEDDF

loc_8DEE05:				; CODE XREF: MiParseImageSectionHeaders+14E8BAj
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_4]
		mov	eax, [eax+4]
		mov	[ecx+48h], eax
		jmp	loc_79078F
; 

loc_8DEE16:				; CODE XREF: MiParseImageSectionHeaders+14E8D7j
					; MiParseImageSectionHeaders+14E8DBj
		mov	dword_6CF4F4, 11h
		mov	eax, 0C000007Bh
		jmp	loc_790791
; 

loc_8DEE2A:				; CODE XREF: MiParseImageSectionHeaders+14E8D2j
		mov	dword_6CF4F4, 10h
		mov	eax, 0C000007Bh
		jmp	loc_790791
; 

loc_8DEE3E:				; CODE XREF: MiParseImageSectionHeaders+91j
		mov	[ebp+var_1C], eax
		jmp	loc_7905B7
; 

loc_8DEE46:				; CODE XREF: MiParseImageSectionHeaders+306j
		test	esi, 10000h
		jnz	short loc_8DEE6E
		mov	dword ptr [ecx], 0
		jmp	loc_7905C2
; 

loc_8DEE59:				; CODE XREF: MiParseImageSectionHeaders+2CEj
		mov	[ebx+44h], edx
		mov	ecx, edx
		jmp	loc_790633
; 

loc_8DEE63:				; CODE XREF: MiParseImageSectionHeaders+296j
		mov	ecx, [ebp+var_18]
		inc	dword ptr [ecx+0Ch]
		jmp	loc_7907BC
; 

loc_8DEE6E:				; CODE XREF: MiParseImageSectionHeaders+14E92Cj
		mov	dword_6CF4F4, 12h
		mov	eax, 0C000007Bh
		jmp	loc_790791
; 

loc_8DEE82:				; CODE XREF: MiParseImageSectionHeaders+148j
		mov	dword_6CF4F4, 17h
		mov	eax, 0C000007Bh
		jmp	loc_790791
; 

loc_8DEE96:				; CODE XREF: MiParseImageSectionHeaders+101j
		mov	dword_6CF4F4, 16h
		mov	eax, 0C000007Bh
		jmp	loc_790791
; 

loc_8DEEAA:				; CODE XREF: MiParseImageSectionHeaders+E7j
		mov	dword_6CF4F4, 15h
		mov	eax, 0C000007Bh
		jmp	loc_790791
; 

loc_8DEEBE:				; CODE XREF: MiParseImageSectionHeaders+CCj
					; MiParseImageSectionHeaders+D7j
		mov	dword_6CF4F4, 14h
		mov	eax, 0C000007Bh
		jmp	loc_790791
; 

loc_8DEED2:				; CODE XREF: MiParseImageSectionHeaders+A8j
		mov	dword_6CF4F4, 13h
		mov	eax, 0C000007Bh
		jmp	loc_790791
; 

loc_8DEEE6:				; CODE XREF: MiParseImageSectionHeaders+258j
		mov	dword_6CF4F4, 18h
		mov	eax, 0C000007Bh
		jmp	loc_790791
; 

loc_8DEEFA:				; CODE XREF: MiParseImageSectionHeaders+269j
		mov	dword_6CF4F4, 19h
		mov	eax, 0C000007Bh
		jmp	loc_790791
; END OF FUNCTION CHUNK	FOR MiParseImageSectionHeaders
; 
; START	OF FUNCTION CHUNK FOR MiInitializePrototypePtes

loc_8DEF0E:				; CODE XREF: MiInitializePrototypePtes+8Bj
		push	2
		push	1
		lea	edx, [ebp+var_10]
		mov	[ebp+var_10], edi
		lea	ecx, [ebp+var_40]
		mov	[ebp+var_C], esi
		call	_MiInitializeFaultVaListCore@16	; MiInitializeFaultVaListCore(x,x,x,x)
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+1Ch]
		shr	eax, 14h
		and	eax, 3Fh
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_40]
		or	eax, 1
		push	eax
		push	0
		push	edi
		push	2
		call	MmAccessFault
		jmp	loc_7910A1
; END OF FUNCTION CHUNK	FOR MiInitializePrototypePtes
; 
; START	OF FUNCTION CHUNK FOR MiRelocateImage

loc_8DEF48:				; CODE XREF: MiRelocateImage+77j
		mov	[ebp+var_68], 0C000007Bh
		mov	[ebp+var_7C], 1000h
		jmp	loc_7911FE
; 

loc_8DEF5B:				; CODE XREF: MiRelocateImage+CDj
		test	ebx, ebx
		jz	loc_7916F2

loc_8DEF63:				; CODE XREF: MiRelocateImage+103j
					; MiRelocateImage+10Cj	...
		mov	eax, [ebp+var_68]
		jmp	loc_7916D4
; 

loc_8DEF6B:				; CODE XREF: MiRelocateImage+1DAj
		mov	eax, 0C000009Ah
		jmp	loc_7916D4
; 

loc_8DEF75:				; CODE XREF: MiRelocateImage+23Dj
		push	0
		push	[ebp+var_4C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edx, edx
		mov	ecx, edi
		call	_MiSetDeleteOnClose@8 ;	MiSetDeleteOnClose(x,x)
		jmp	loc_79171D
; 

loc_8DEF8D:				; CODE XREF: MiRelocateImage+281j
		push	0
		push	[ebp+var_4C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8DF313
; 

loc_8DEF9C:				; CODE XREF: MiRelocateImage+2A3j
		mov	ecx, edi
		call	_MiFreeImageLoadConfig@4 ; MiFreeImageLoadConfig(x)
		push	0
		push	[ebp+var_4C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+arg_4], 0
		jnz	loc_8DF313
		mov	esi, [ebp+var_68]
		jmp	loc_8DF313
; 

loc_8DEFBF:				; CODE XREF: MiRelocateImage+2E0j
		sub	eax, ecx
		jmp	loc_791438
; 

loc_8DEFC6:				; CODE XREF: MiRelocateImage+38Fj
		and	eax, 0FFFFFFFBh
		mov	[ebp+var_48], eax
		jmp	loc_7914E5
; 

loc_8DEFD1:				; CODE XREF: MiRelocateImage+3BBj
		sub	edx, 8
		mov	[ebp+var_74], edx
		and	eax, 0FFFFFFFBh
		jmp	loc_791576
; 

loc_8DEFDF:				; CODE XREF: MiRelocateImage+3CBj
		mov	ecx, [ebp+var_50]
		test	dword ptr [ecx+34h], 0C0000h
		jz	loc_791521
		mov	[ebp+var_B0], 0
		mov	[ebp+var_AC], 0
		push	0
		push	esi
		lea	edx, [ebp+var_B0]
		call	MiOffsetToProtos
		test	byte ptr [eax+10h], 4
		jnz	short loc_8DF01F
		mov	edx, [ebp+var_74]
		jmp	loc_791521
; 

loc_8DF01F:				; CODE XREF: MiRelocateImage+14DEC5j
		mov	esi, 0C000007Bh
		mov	ebx, [ebp+var_4C]
		mov	edi, [ebp+var_50]
		jmp	loc_7916BF
; 

loc_8DF02F:				; CODE XREF: MiRelocateImage+417j
		mov	ebx, [ebp+var_4C]
		mov	edi, [ebp+var_50]
		cmp	esi, 0C0000269h
		jnz	short loc_8DF044
		xor	esi, esi
		jmp	loc_7916BF
; 

loc_8DF044:				; CODE XREF: MiRelocateImage+14DEEBj
		mov	eax, [ebp+var_48]
		cmp	esi, 0C000007Bh
		jnz	loc_7916C2
		mov	esi, [ebp+var_68]
		jmp	loc_7916C2
; 

loc_8DF05B:				; CODE XREF: MiRelocateImage+364j
		cmp	edx, 8
		jnz	short loc_8DF068
		sub	[ebp+var_58], edx
		jmp	loc_791583
; 

loc_8DF068:				; CODE XREF: MiRelocateImage+36Fj
					; MiRelocateImage+378j	...
		mov	esi, [ebp+var_68]
		mov	ebx, [ebp+var_4C]
		mov	edi, [ebp+var_50]
		jmp	loc_7916C2
; END OF FUNCTION CHUNK	FOR MiRelocateImage

;  S U B	R O U T	I N E 


sub_8DF076	proc near		; DATA XREF: .text:006A1D54o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A4h], eax
		mov	eax, 1
		retn
sub_8DF076	endp


;  S U B	R O U T	I N E 


sub_8DF089	proc near		; DATA XREF: .text:006A1D58o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0A4h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-88h]
		mov	[ebp-6Ch], eax
		mov	ebx, [ebp-8Ch]
		mov	edi, [ebp-90h]
		mov	eax, [ebp-64h]
		mov	[ebp-48h], eax
		jmp	loc_7916C2
sub_8DF089	endp

; 
; START	OF FUNCTION CHUNK FOR MiRelocateImage

loc_8DF0B9:				; CODE XREF: MiRelocateImage+488j
		lea	edx, [ebx+40h]
		jmp	loc_7915F6
; 

loc_8DF0C1:				; CODE XREF: MiRelocateImage+4B7j
		xor	ecx, ecx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_64], ecx
		mov	esi, [ebp+var_70]
		mov	edi, [esi+28h]
		mov	eax, [ebx+1Ch]
		cmp	[ebp+var_54], eax
		jbe	short loc_8DF0DA
		mov	[ebp+var_54], eax

loc_8DF0DA:				; CODE XREF: MiRelocateImage+14DF85j
		xor	ebx, ebx
		cmp	[ebp+var_54], ecx
		jbe	loc_8DF1FB
		mov	esi, [ebp+var_54]

loc_8DF0E8:				; CODE XREF: MiRelocateImage+14E0A2j
		cmp	dword ptr [edx+ebx*4], 0
		jz	loc_8DF1EC
		mov	esi, [edi]
		nop
		mov	edx, [edi+4]
		mov	ecx, edi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_8DF10C
		push	edx
		push	esi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	esi, eax

loc_8DF10C:				; CODE XREF: MiRelocateImage+14DFB1j
		mov	eax, esi
		and	eax, 400h
		or	eax, 0
		jnz	loc_8DF222
		mov	eax, esi
		and	eax, 800h
		or	eax, 0
		jz	loc_8DF1E3
		mov	[ebp+var_90], esi
		mov	[ebp+var_7C], edx
		mov	eax, dword_6D0700
		mov	[ebp+var_8C], eax
		mov	ecx, dword_6D0704
		mov	[ebp+var_88], ecx
		or	eax, ecx
		mov	ecx, esi
		jz	short loc_8DF17B
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_8DF173
		mov	esi, [ebp+var_8C]
		not	esi
		mov	edx, [ebp+var_88]
		not	edx
		and	esi, ecx
		and	edx, [ebp+var_7C]
		jmp	short loc_8DF17B
; 

loc_8DF173:				; CODE XREF: MiRelocateImage+14E00Aj
		mov	esi, ecx
		and	esi, 0FFFFFFEFh
		mov	edx, [ebp+var_7C]

loc_8DF17B:				; CODE XREF: MiRelocateImage+14E000j
					; MiRelocateImage+14E021j
		shrd	esi, edx, 0Ch
		and	esi, 3FFFFFFh
		lea	ecx, ds:0[esi*8]
		sub	ecx, esi
		mov	eax, ds:_MmPfnDatabase
		lea	esi, [eax+ecx*4]
		mov	eax, [esi+8]
		and	eax, 400h
		or	eax, 0
		jz	short loc_8DF1B6
		mov	eax, [esi+0Ch]
		push	eax
		mov	eax, [esi+8]
		push	eax
		call	_MiGetSubsectionFromPte@8 ; MiGetSubsectionFromPte(x,x)
		test	byte ptr [eax+12h], 2
		jnz	short loc_8DF1E3

loc_8DF1B6:				; CODE XREF: MiRelocateImage+14E051j
		xor	edx, edx
		mov	ecx, esi
		call	_MiSetLeafPfnBuddy@8 ; MiSetLeafPfnBuddy(x,x)
		mov	eax, [ebp+var_4C]
		cmp	dword ptr [eax+3Ch], 0
		jnz	short loc_8DF1CD
		mov	[eax+3Ch], esi
		jmp	short loc_8DF1D7
; 

loc_8DF1CD:				; CODE XREF: MiRelocateImage+14E076j
		mov	edx, esi
		mov	ecx, [ebp+var_64]
		call	_MiSetLeafPfnBuddy@8 ; MiSetLeafPfnBuddy(x,x)

loc_8DF1D7:				; CODE XREF: MiRelocateImage+14E07Bj
		mov	[ebp+var_64], esi
		mov	ecx, [ebp+var_58]
		inc	ecx
		mov	[ebp+var_58], ecx
		jmp	short loc_8DF1E6
; 

loc_8DF1E3:				; CODE XREF: MiRelocateImage+14DFD6j
					; MiRelocateImage+14E064j
		mov	ecx, [ebp+var_58]

loc_8DF1E6:				; CODE XREF: MiRelocateImage+14E091j
		mov	edx, [ebp+var_60]
		mov	esi, [ebp+var_54]

loc_8DF1EC:				; CODE XREF: MiRelocateImage+14DF9Cj
		inc	ebx
		add	edi, 8
		cmp	ebx, esi
		jb	loc_8DF0E8
		mov	esi, [ebp+var_70]

loc_8DF1FB:				; CODE XREF: MiRelocateImage+14DF8Fj
		push	0
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	edx, ecx
		mov	ecx, eax
		call	MiChargeCommit
		test	eax, eax
		jnz	short loc_8DF239
		mov	ebx, [ebp+var_4C]
		mov	[ebx+3Ch], eax
		mov	esi, 0C000009Ah
		mov	edi, [ebp+var_50]
		jmp	loc_7916BF
; 

loc_8DF222:				; CODE XREF: MiRelocateImage+14DFC6j
		mov	ebx, [ebp+var_4C]
		mov	dword ptr [ebx+3Ch], 0
		mov	esi, 0C0000709h
		mov	edi, [ebp+var_50]
		jmp	loc_7916BF
; 

loc_8DF239:				; CODE XREF: MiRelocateImage+14E0BDj
		mov	ebx, [ebp+var_6C]
		dec	word ptr [ebx+13Eh]
		nop
		add	esi, 1Ch
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+var_58]
		mov	edi, [ebp+var_50]
		mov	ecx, edi
		call	_MiUpdateControlAreaCommitCount@8 ; MiUpdateControlAreaCommitCount(x,x)
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8DF271
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8DF271:				; CODE XREF: MiRelocateImage+14E118j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_48]
		mov	ebx, [ebp+var_4C]
		jmp	loc_79160D
; 

loc_8DF28A:				; CODE XREF: MiRelocateImage+4F8j
		xor	edx, edx
		mov	ecx, edi
		call	_MiSetDeleteOnClose@8 ;	MiSetDeleteOnClose(x,x)
		mov	edx, [ebp+var_78]
		jmp	loc_79164E
; 

loc_8DF29B:				; CODE XREF: MiRelocateImage+508j
		test	dword ptr [edi+34h], 0C0000h
		jz	loc_79165E
		mov	eax, [esi+14h]
		and	eax, 0FFFFFFF8h
		mov	ecx, dword_6BEA60
		test	ecx, ecx
		jnz	short loc_8DF2BF
		mov	esi, 0C00000BBh
		jmp	short loc_8DF2C5
; 

loc_8DF2BF:				; CODE XREF: MiRelocateImage+14E166j
		push	edx
		push	eax
		call	ecx
		mov	esi, eax

loc_8DF2C5:				; CODE XREF: MiRelocateImage+14E16Dj
		test	esi, esi
		js	loc_7916A1
		jmp	loc_79165E
; 

loc_8DF2D2:				; CODE XREF: MiRelocateImage+530j
		cmp	dword ptr [ebx+38h], 0
		jnz	loc_791686
		xor	esi, esi
		jmp	loc_7916A1
; 

loc_8DF2E3:				; CODE XREF: MiRelocateImage+53Dj
		push	esi
		push	8
		xor	edx, edx
		mov	ecx, edi
		call	_MiWalkEntireImage@16 ;	MiWalkEntireImage(x,x,x,x)
		xor	ecx, ecx
		call	_MiColdPageSizeSupported@4 ; MiColdPageSizeSupported(x)
		test	eax, eax
		jz	loc_791693
		mov	ecx, edi
		call	_MiMakeUnusedImageExtentsCold@4	; MiMakeUnusedImageExtentsCold(x)
		jmp	loc_791693
; 

loc_8DF30A:				; CODE XREF: MiRelocateImage+574j
		mov	edx, ebx

loc_8DF30C:				; CODE XREF: MiRelocateImage+2C3j
		mov	ecx, edi
		call	MiFreeRelocations

loc_8DF313:				; CODE XREF: MiRelocateImage+14DE47j
					; MiRelocateImage+14DE61j ...
		mov	eax, [ebp+var_48]
		jmp	loc_7916CA
; 

loc_8DF31B:				; CODE XREF: MiRelocateImage+57Cj
		lea	ecx, [ebp+var_44]
		call	MiUnmapImageInSystemSpace
		mov	edx, [ebp+var_84]
		mov	ecx, [ebp+var_6C]
		call	_PsRevertToUserPagePriorityThread@8 ; PsRevertToUserPagePriorityThread(x,x)
		jmp	loc_7916D2
; END OF FUNCTION CHUNK	FOR MiRelocateImage
; 
; START	OF FUNCTION CHUNK FOR MiScanRelocationPage

loc_8DF336:				; CODE XREF: MiScanRelocationPage+8Aj
		add	eax, ecx
		cmp	eax, 0FFEh
		jbe	loc_791840

loc_8DF343:				; CODE XREF: MiScanRelocationPage+69j
					; MiScanRelocationPage+96j
		mov	eax, 0C0000269h
		jmp	loc_79185E
; 

loc_8DF34D:				; CODE XREF: MiScanRelocationPage+FDj
		mov	ecx, [ebp+arg_8]
		test	dword ptr [ecx+34h], 0C0000h
		jz	loc_7918B3
		mov	eax, esi
		mov	[ebp+var_28], 0
		cdq
		add	eax, [ebp+var_4]
		mov	[ebp+var_24], 0
		adc	edx, 0
		add	eax, ebx
		adc	edx, 0
		push	edx
		push	eax
		lea	edx, [ebp+var_28]
		call	MiOffsetToProtos
		test	byte ptr [eax+10h], 4
		jnz	loc_7918C3
		jmp	loc_7918B3
; END OF FUNCTION CHUNK	FOR MiScanRelocationPage
; 
; START	OF FUNCTION CHUNK FOR MiSelectImageBase

loc_8DF392:				; CODE XREF: MiSelectImageBase+15Fj
		mov	eax, 0C000001Fh
		jmp	loc_791E49
; 

loc_8DF39C:				; CODE XREF: MiSelectImageBase+40j
		mov	[ebp+arg_4], edi
		jmp	loc_791E7F
; 

loc_8DF3A4:				; CODE XREF: MiSelectImageBase+17Ej
		mov	eax, 0C000009Ah
		jmp	loc_791E49
; END OF FUNCTION CHUNK	FOR MiSelectImageBase
; 
; START	OF FUNCTION CHUNK FOR MiObtainRelocationBits

loc_8DF3AE:				; CODE XREF: MiObtainRelocationBits+48j
		push	esi
		push	ebx
		push	ecx
		call	RtlFindClearBitsAndSet
		mov	[ebp+var_4], eax
		cmp	eax, esi
		jz	short loc_8DF403
		push	ebx
		push	esi
		push	dword ptr [edi]
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	eax, [ebp+var_4]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_8DF3D8
		push	ebx
		push	eax
		push	dword ptr [edi+4]
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)

loc_8DF3D8:				; CODE XREF: MiObtainRelocationBits+14D4CEj
		push	[ebp+arg_0]
		push	ebx
		push	dword ptr [edi]
		call	RtlFindClearBits
		mov	esi, eax
		or	eax, 0FFFFFFFFh
		cmp	esi, eax
		jz	loc_791F4C
		push	ebx
		push	esi
		push	dword ptr [edi]
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		push	ebx
		push	esi
		push	dword ptr [edi+4]
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)

loc_8DF403:				; CODE XREF: MiObtainRelocationBits+14D4BDj
		or	eax, 0FFFFFFFFh
		jmp	loc_791F4C
; END OF FUNCTION CHUNK	FOR MiObtainRelocationBits

;  S U B	R O U T	I N E 


sub_8DF40B	proc near		; DATA XREF: .text:006A1DACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-19Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8DF40B	endp


;  S U B	R O U T	I N E 


sub_8DF41C	proc near		; DATA XREF: .text:006A1DB0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-19Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-184h]
		mov	ebx, [ebp-180h]
		jmp	loc_7926BF
sub_8DF41C	endp


;  S U B	R O U T	I N E 


sub_8DF43D	proc near		; DATA XREF: .text:006A1DB8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1A0h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8DF43D	endp


;  S U B	R O U T	I N E 


sub_8DF44E	proc near		; DATA XREF: .text:006A1DBCo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-1A0h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-184h]
		mov	ebx, [ebp-180h]
		jmp	loc_79253F
sub_8DF44E	endp

; 
; START	OF FUNCTION CHUNK FOR RtlCreateRvaList

loc_8DF46F:				; CODE XREF: RtlCreateRvaList+82j
		mov	esi, 0C000009Ah
		jmp	loc_792C98
; 

loc_8DF479:				; CODE XREF: RtlCreateRvaList+100j
		push	4C617652h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		jmp	loc_792C98
; END OF FUNCTION CHUNK	FOR RtlCreateRvaList
; 
; START	OF FUNCTION CHUNK FOR RtlpCompressRvaList

loc_8DF48B:				; CODE XREF: RtlpCompressRvaList+38j
		mov	eax, 0C000000Dh
		jmp	loc_792E27
; 

loc_8DF495:				; CODE XREF: RtlpCompressRvaList+90j
		mov	eax, 0C000007Bh
		jmp	loc_792E21
; END OF FUNCTION CHUNK	FOR RtlpCompressRvaList
; 
; START	OF FUNCTION CHUNK FOR MiImageRvaRawEnumNext

loc_8DF49F:				; CODE XREF: MiImageRvaRawEnumNext+BEj
		mov	ecx, [ebp+var_14]
		not	ecx
		and	ecx, 1
		test	byte ptr [ebp+var_14], 2
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+var_8]
		jz	loc_792F14
		or	[ebp+var_10], 2
		jmp	loc_792F14
; 

loc_8DF4C0:				; CODE XREF: MiImageRvaRawEnumNext+9Dj
					; MiImageRvaRawEnumNext+ABj
		xor	eax, eax
		mov	dword_6CF500, 0Eh
		jmp	loc_792F6D
; 

loc_8DF4D1:				; CODE XREF: MiImageRvaRawEnumNext+51j
		lea	eax, [esi+4]
		push	eax
		lea	ecx, [esi+10h]
		push	ecx
		push	edi
		call	edx
		jmp	loc_792F6D
; 

loc_8DF4E1:				; CODE XREF: MiImageRvaRawEnumNext+12Aj
		cmp	ecx, eax
		jb	loc_792F83
		mov	[ebp+var_C], edx
		jmp	loc_792F83
; END OF FUNCTION CHUNK	FOR MiImageRvaRawEnumNext
; 
; START	OF FUNCTION CHUNK FOR MiImageCfgRvaIteratorNext

loc_8DF4F1:				; CODE XREF: MiImageCfgRvaIteratorNext+69j
		not	ebx
		and	ebx, 1
		test	byte ptr [ebp+var_C], 2
		mov	[ebp+var_8], ebx
		jz	loc_79313F
		or	ebx, 2
		mov	[ebp+var_8], ebx
		jmp	loc_79313F
; 

loc_8DF50E:				; CODE XREF: MiImageCfgRvaIteratorNext+4Dj
					; MiImageCfgRvaIteratorNext+56j
		xor	esi, esi
		mov	dword_6CF500, 0Eh
		jmp	loc_793185
; END OF FUNCTION CHUNK	FOR MiImageCfgRvaIteratorNext
; 
; START	OF FUNCTION CHUNK FOR MmImageSectionPagable

loc_8DF51F:				; CODE XREF: MmImageSectionPagable+4Ej
		movzx	edx, _KdPageDebuggerSection
		jmp	loc_7933C0
; END OF FUNCTION CHUNK	FOR MmImageSectionPagable
; 
; START	OF FUNCTION CHUNK FOR MiSelectOverflowDllBase

loc_8DF52B:				; CODE XREF: MiSelectOverflowDllBase+22j
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		movzx	ecx, al
		shl	ecx, 10h
		cmp	edi, 1010000h
		jb	short loc_8DF559
		lea	edx, [esi+edi]
		cmp	edi, edx
		ja	short loc_8DF559
		mov	eax, ds:_MmHighestUserAddress
		inc	eax
		cmp	edx, eax
		ja	short loc_8DF559
		sub	edi, ecx
		jmp	loc_793492
; 

loc_8DF559:				; CODE XREF: MiSelectOverflowDllBase+14C13Dj
					; MiSelectOverflowDllBase+14C144j ...
		lea	eax, [ecx+10000h]
		jmp	loc_793494
; 

loc_8DF564:				; CODE XREF: MiSelectOverflowDllBase+7Bj
		test	al, 4
		jnz	loc_793483
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_793483
; END OF FUNCTION CHUNK	FOR MiSelectOverflowDllBase
; 
; START	OF FUNCTION CHUNK FOR SeValidateImageHeader

loc_8DF578:				; CODE XREF: SeValidateImageHeader+19j
		mov	esi, 0C0000428h
		jmp	loc_793B8F
; 

loc_8DF582:				; CODE XREF: SeValidateImageHeader+8Fj
		push	63734943h
		push	[ebp+var_4]
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_793B8F
; END OF FUNCTION CHUNK	FOR SeValidateImageHeader
; 
; START	OF FUNCTION CHUNK FOR MiRevertRelocations

loc_8DF596:				; CODE XREF: MiRevertRelocations+47j
		mov	ecx, [ebx]
		mov	ecx, [ecx+18h]
		sub	ecx, [eax]
		add	ecx, [ebp+var_10]
		mov	[ebp+var_8], ecx
		jmp	loc_793C10
; END OF FUNCTION CHUNK	FOR MiRevertRelocations
; 
; START	OF FUNCTION CHUNK FOR MiUnloadSystemImage

loc_8DF5A8:				; CODE XREF: MiUnloadSystemImage+F8j
		mov	[esp+0D0h+var_90], eax
		xor	eax, eax
		mov	[esp+0D0h+var_94], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpCovPushLock
		call	@ExfAcquirePushLockExclusive@4 ; ExfAcquirePushLockExclusive(x)
		mov	edi, _ExpCovUnloadedModuleList
		mov	[esp+0D0h+var_BE], 0
		cmp	edi, offset _ExpCovUnloadedModuleList
		jz	loc_8DF6EF

loc_8DF5E1:				; CODE XREF: MiUnloadSystemImage+14B5F4j
		lea	ecx, [esp+0D0h+var_94]
		mov	esi, edi
		lea	eax, [ebx+24h]
		push	ecx
		mov	ecx, [ebx+48h]
		mov	edx, eax
		call	_ExpCovReadFriendlyName@12 ; ExpCovReadFriendlyName(x,x,x)
		test	eax, eax
		js	short loc_8DF61F
		push	1
		lea	eax, [esp+0D4h+var_94]
		push	eax
		lea	eax, [edi+10h]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jnz	short loc_8DF61F
		cmp	[esp+0D0h+var_90], eax
		jz	short loc_8DF63A
		lea	eax, [esp+0D0h+var_94]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	short loc_8DF63A
; 

loc_8DF61F:				; CODE XREF: MiUnloadSystemImage+14B5B3j
					; MiUnloadSystemImage+14B5C7j
		cmp	[esp+0D0h+var_90], 0
		jz	short loc_8DF630
		lea	eax, [esp+0D0h+var_94]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_8DF630:				; CODE XREF: MiUnloadSystemImage+14B5E0j
		mov	edi, [edi]
		cmp	edi, offset _ExpCovUnloadedModuleList
		jnz	short loc_8DF5E1

loc_8DF63A:				; CODE XREF: MiUnloadSystemImage+14B5CDj
					; MiUnloadSystemImage+14B5D9j
		test	esi, esi
		jz	loc_8DF6EF
		cmp	edi, offset _ExpCovUnloadedModuleList
		jz	loc_8DF6EF
		mov	ecx, [ebx+48h]
		mov	edi, [esi+1Ch]
		mov	[esp+0D0h+var_AC], ecx
		mov	eax, [ecx+4]
		cmp	eax, [edi+4]
		jnz	short loc_8DF6D3
		mov	eax, [ecx+18h]
		cmp	eax, [edi+18h]
		jnz	short loc_8DF6D3
		mov	eax, [ecx+1Ch]
		cmp	eax, [edi+1Ch]
		jnz	short loc_8DF6D3
		push	10h		; Length
		lea	eax, [edi+8]
		push	eax		; Source2
		lea	eax, [ecx+8]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		setnz	al
		dec	al
		and	al, 1
		lea	eax, [esi+8]
		jz	short loc_8DF6D6
		push	eax		; char
		push	offset ??_C@_0CJ@HJBHOMNE@COV?3?5Entry?5for?5same?5versioned?5?$CF@NNGAKEGL@ ; char *
		push	2		; int
		push	7Eh		; int
		call	_DbgPrintEx
		mov	eax, [esp+0E0h+var_AC]
		add	esp, 10h
		mov	ecx, [edi+20h]
		add	ecx, [esi+1Ch]
		xor	esi, esi
		mov	edx, [eax+20h]
		add	edx, [ebx+48h]
		test	dword ptr [edi+1Ch], 0FFFFFFFCh
		jbe	short loc_8DF6F4
		sub	edx, ecx

loc_8DF6BD:				; CODE XREF: MiUnloadSystemImage+14B68Bj
		mov	eax, [edx+ecx]
		lock or	[ecx], eax
		mov	eax, [edi+1Ch]
		inc	esi
		shr	eax, 2
		add	ecx, 4
		cmp	esi, eax
		jb	short loc_8DF6BD
		jmp	short loc_8DF6F4
; 

loc_8DF6D3:				; CODE XREF: MiUnloadSystemImage+14B61Aj
					; MiUnloadSystemImage+14B622j ...
		lea	eax, [esi+8]

loc_8DF6D6:				; CODE XREF: MiUnloadSystemImage+14B648j
		push	eax		; char
		push	offset ??_C@_0CO@HLOHHDKP@COV?3?5Entry?5for?5different?5versio@NNGAKEGL@ ; char	*
		push	2		; int
		push	7Eh		; int
		call	_DbgPrintEx
		add	esp, 10h
		mov	ecx, esi
		call	_ExpCovDeleteUnloadedModuleEntry@4 ; ExpCovDeleteUnloadedModuleEntry(x)

loc_8DF6EF:				; CODE XREF: MiUnloadSystemImage+14B597j
					; MiUnloadSystemImage+14B5F8j ...
		mov	[esp+0D0h+var_BE], 1

loc_8DF6F4:				; CODE XREF: MiUnloadSystemImage+14B675j
					; MiUnloadSystemImage+14B68Dj
		mov	ecx, offset _ExpCovPushLock
		call	@ExfReleasePushLock@4 ;	ExfReleasePushLock(x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[esp+0D0h+var_BE], 0
		jz	short loc_8DF711
		mov	ecx, ebx
		call	_ExpCovCreateUnloadedModuleEntry@4 ; ExpCovCreateUnloadedModuleEntry(x)

loc_8DF711:				; CODE XREF: MiUnloadSystemImage+14B6C4j
		mov	ecx, [esp+0D0h+var_B4]
		jmp	loc_794142
; 

loc_8DF71A:				; CODE XREF: MiUnloadSystemImage+14Ej
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	ecx, esi
		call	_MiDereferencePerSessionProtos@8 ; MiDereferencePerSessionProtos(x,x)
		jmp	loc_794198
; 

loc_8DF73A:				; CODE XREF: MiUnloadSystemImage+192j
		call	_MiGetPdeAddress@4 ; MiGetPdeAddress(x)
		cmp	eax, edx
		jnz	loc_7941DC
		sub	edx, 8
		jmp	loc_7941DC
; 

loc_8DF74F:				; CODE XREF: MiUnloadSystemImage+26Ej
		and	[esp+0D0h+var_88], 0
		xor	eax, eax
		mov	[esp+0D0h+var_8C], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpCovPushLock
		call	@ExfAcquirePushLockExclusive@4 ; ExfAcquirePushLockExclusive(x)
		mov	eax, _ExpCovUnloadedModuleList
		mov	[esp+0D0h+var_BE], 0
		mov	[esp+0D0h+var_B4], eax
		cmp	eax, offset _ExpCovUnloadedModuleList
		jz	loc_8DF8D0

loc_8DF78B:				; CODE XREF: MiUnloadSystemImage+14B86Bj
		lea	ecx, [ebx+24h]
		mov	edi, eax
		lea	eax, [esp+0D0h+var_8C]
		mov	edx, ecx
		mov	ecx, [ebx+48h]
		push	eax
		call	_ExpCovReadFriendlyName@12 ; ExpCovReadFriendlyName(x,x,x)
		test	eax, eax
		js	loc_8DF889
		push	1
		lea	eax, [esp+0D4h+var_8C]
		push	eax
		mov	eax, [esp+0D8h+var_B4]
		add	eax, 10h
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jnz	loc_8DF889
		cmp	[esp+0D0h+var_88], eax
		jz	short loc_8DF7D3
		lea	eax, [esp+0D0h+var_8C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_8DF7D3:				; CODE XREF: MiUnloadSystemImage+14B783j
		mov	eax, [esp+0D0h+var_B4]

loc_8DF7D7:				; CODE XREF: MiUnloadSystemImage+14B865j
		test	edi, edi
		jz	loc_8DF8D0
		cmp	eax, offset _ExpCovUnloadedModuleList
		jz	loc_8DF8D0
		mov	edx, [ebx+48h]
		mov	ecx, [edi+1Ch]
		mov	[esp+0D0h+var_AC], edx
		mov	[esp+0D0h+var_A8], ecx
		mov	eax, [edx+4]
		cmp	eax, [ecx+4]
		jnz	loc_8DF8B4
		mov	eax, [edx+18h]
		cmp	eax, [ecx+18h]
		jnz	loc_8DF8B4
		mov	eax, [edx+1Ch]
		cmp	eax, [ecx+1Ch]
		jnz	loc_8DF8B4
		push	10h		; Length
		lea	eax, [ecx+8]
		push	eax		; Source2
		lea	eax, [edx+8]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		setnz	al
		dec	al
		and	al, 1
		lea	eax, [edi+8]
		jz	short loc_8DF8B7
		push	eax		; char
		push	offset ??_C@_0CJ@HJBHOMNE@COV?3?5Entry?5for?5same?5versioned?5?$CF@NNGAKEGL@ ; char *
		push	2		; int
		push	7Eh		; int
		call	_DbgPrintEx
		mov	edx, [esp+0E0h+var_A8]
		add	esp, 10h
		mov	eax, [esp+0D0h+var_AC]
		mov	ecx, [edx+20h]
		mov	eax, [eax+20h]
		add	ecx, [edi+1Ch]
		xor	edi, edi
		add	eax, [ebx+48h]
		test	dword ptr [edx+1Ch], 0FFFFFFFCh
		jbe	short loc_8DF8D5
		mov	esi, eax
		sub	esi, ecx

loc_8DF86F:				; CODE XREF: MiUnloadSystemImage+14B83Dj
		mov	eax, [esi+ecx]
		lock or	[ecx], eax
		mov	eax, [edx+1Ch]
		inc	edi
		shr	eax, 2
		add	ecx, 4
		cmp	edi, eax
		jb	short loc_8DF86F
		mov	esi, [esp+0D0h+var_B0]
		jmp	short loc_8DF8D5
; 

loc_8DF889:				; CODE XREF: MiUnloadSystemImage+14B75Dj
					; MiUnloadSystemImage+14B779j
		cmp	[esp+0D0h+var_88], 0
		jz	short loc_8DF89A
		lea	eax, [esp+0D0h+var_8C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_8DF89A:				; CODE XREF: MiUnloadSystemImage+14B84Aj
		mov	eax, [esp+0D0h+var_B4]
		mov	eax, [eax]
		mov	[esp+0D0h+var_B4], eax
		cmp	eax, offset _ExpCovUnloadedModuleList
		jz	loc_8DF7D7
		jmp	loc_8DF78B
; 

loc_8DF8B4:				; CODE XREF: MiUnloadSystemImage+14B7BAj
					; MiUnloadSystemImage+14B7C6j ...
		lea	eax, [edi+8]

loc_8DF8B7:				; CODE XREF: MiUnloadSystemImage+14B7F4j
		push	eax		; char
		push	offset ??_C@_0CO@HLOHHDKP@COV?3?5Entry?5for?5different?5versio@NNGAKEGL@ ; char	*
		push	2		; int
		push	7Eh		; int
		call	_DbgPrintEx
		add	esp, 10h
		mov	ecx, edi
		call	_ExpCovDeleteUnloadedModuleEntry@4 ; ExpCovDeleteUnloadedModuleEntry(x)

loc_8DF8D0:				; CODE XREF: MiUnloadSystemImage+14B741j
					; MiUnloadSystemImage+14B795j ...
		mov	[esp+0D0h+var_BE], 1

loc_8DF8D5:				; CODE XREF: MiUnloadSystemImage+14B825j
					; MiUnloadSystemImage+14B843j
		mov	ecx, offset _ExpCovPushLock
		call	@ExfReleasePushLock@4 ;	ExfReleasePushLock(x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[esp+0D0h+var_BE], 0
		jz	short loc_8DF8F2
		mov	ecx, ebx
		call	_ExpCovCreateUnloadedModuleEntry@4 ; ExpCovCreateUnloadedModuleEntry(x)

loc_8DF8F2:				; CODE XREF: MiUnloadSystemImage+14B8A5j
		mov	edi, [esp+0D0h+var_BC]
		jmp	loc_7942B8
; 

loc_8DF8FB:				; CODE XREF: MiUnloadSystemImage+2EEj
		test	ds:byte_70EFC4,	1
		jz	short loc_8DF927
		push	6
		pop	edx
		xor	ecx, ecx
		call	_MiInitPerfMemoryFlags@8 ; MiInitPerfMemoryFlags(x,x)
		lea	ecx, [esi+1FFh]
		xor	edx, edx
		and	ecx, 0FFFFFE00h
		push	ecx
		mov	ecx, [esp+0D4h+var_BC]
		push	eax
		call	_MiLogPerfMemoryRangeEvent@16 ;	MiLogPerfMemoryRangeEvent(x,x,x,x)

loc_8DF927:				; CODE XREF: MiUnloadSystemImage+14B8BEj
		mov	edx, esi
		mov	esi, [esp+0D0h+var_BC]
		mov	ecx, esi
		call	_MiUnmapLargeDriver@8 ;	MiUnmapLargeDriver(x,x)
		mov	[esp+0D0h+var_BD], 1
		jmp	loc_7943A8
; 

loc_8DF93E:				; CODE XREF: MiUnloadSystemImage+497j
		push	ecx		; size_t
		push	0Ah		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_7944E1
; 

loc_8DF94F:				; CODE XREF: MiUnloadSystemImage+43Ej
		mov	ecx, edi
		call	_MiReturnCrossPartitionControlAreaCharges@4 ; MiReturnCrossPartitionControlAreaCharges(x)
		jmp	loc_794488
; END OF FUNCTION CHUNK	FOR MiUnloadSystemImage
; 
; START	OF FUNCTION CHUNK FOR ExLockUserBuffer

loc_8DF95B:				; CODE XREF: ExLockUserBuffer+B6j
		mov	ecx, esi
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)

loc_8DF962:				; CODE XREF: ExLockUserBuffer+3Aj
		mov	eax, 0C000009Ah
		jmp	loc_794723
; END OF FUNCTION CHUNK	FOR ExLockUserBuffer

;  S U B	R O U T	I N E 


sub_8DF96C	proc near		; DATA XREF: .text:006A1E34o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8DF96C	endp


;  S U B	R O U T	I N E 


sub_8DF97A	proc near		; DATA XREF: .text:006A1E38o
		mov	esp, [ebp-18h]
		push	0
		push	dword ptr [ebp-1Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_794723
sub_8DF97A	endp

; 
; START	OF FUNCTION CHUNK FOR PsThawProcess

loc_8DF996:				; CODE XREF: PsThawProcess+FAj
		push	3
		push	esi
		mov	edx, [ebp+var_20]
		xor	ecx, ecx
		call	_EtwTiLogSuspendResumeProcess@16 ; EtwTiLogSuspendResumeProcess(x,x,x,x)
		jmp	loc_79483A
; 

loc_8DF9A8:				; CODE XREF: PsThawProcess+117j
		test	edi, edi
		jz	loc_794857
		xor	dl, dl
		mov	ecx, esi
		call	_EtwTraceFreezeThawProcess@8 ; EtwTraceFreezeThawProcess(x,x)
		jmp	loc_794857
; END OF FUNCTION CHUNK	FOR PsThawProcess
; 
; START	OF FUNCTION CHUNK FOR PsFreezeProcess

loc_8DF9BE:				; CODE XREF: PsFreezeProcess+26j
		mov	ecx, esi
		call	_KeForceResumeProcess@4	; KeForceResumeProcess(x)
		jmp	loc_79496E
; 

loc_8DF9CA:				; CODE XREF: PsFreezeProcess+41j
		push	2
		push	esi
		mov	edx, edi
		xor	ecx, ecx
		call	_EtwTiLogSuspendResumeProcess@16 ; EtwTiLogSuspendResumeProcess(x,x,x,x)
		jmp	loc_7948E7
; 

loc_8DF9DB:				; CODE XREF: PsFreezeProcess+B7j
		mov	dl, 1
		mov	ecx, esi
		call	_EtwTraceFreezeThawProcess@8 ; EtwTraceFreezeThawProcess(x,x)
		jmp	loc_79495D
; END OF FUNCTION CHUNK	FOR PsFreezeProcess
; 
; START	OF FUNCTION CHUNK FOR PopGetSettingValue

loc_8DF9E9:				; CODE XREF: PopGetSettingValue+3Bj
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, 0C000000Dh
		jmp	loc_7949EA
; END OF FUNCTION CHUNK	FOR PopGetSettingValue

;  S U B	R O U T	I N E 


sub_8DF9FA	proc near		; DATA XREF: .text:006A1E74o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8DF9FA	endp


;  S U B	R O U T	I N E 


sub_8DFA08	proc near		; DATA XREF: .text:006A1E78o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-1Ch]
		mov	[ebp-20h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, offset _PopSettingLock
		jmp	loc_7949E1
sub_8DFA08	endp

; 
; START	OF FUNCTION CHUNK FOR PopMarshalSettingValues

loc_8DFA22:				; CODE XREF: PopMarshalSettingValues+88j
		mov	[edx], esi
		mov	[edx+4], esi
		mov	eax, esi
		jmp	loc_794AB2
; END OF FUNCTION CHUNK	FOR PopMarshalSettingValues

;  S U B	R O U T	I N E 


sub_8DFA2E	proc near		; DATA XREF: .text:006A1E98o
		xor	esi, esi
		mov	edi, [ebp-30h]
		jmp	sub_794B14
sub_8DFA2E	endp

; 
; START	OF FUNCTION CHUNK FOR sub_794B14

loc_8DFA38:				; CODE XREF: sub_794B14+13j
		push	74655350h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_794B2D
; END OF FUNCTION CHUNK	FOR sub_794B14
; 
; START	OF FUNCTION CHUNK FOR PopDispatchNotificationsToList

loc_8DFA48:				; CODE XREF: PopDispatchNotificationsToList+F8j
		or	eax, 1
		mov	[edi+24h], eax
		jmp	loc_794BA4
; 

loc_8DFA53:				; CODE XREF: PopDispatchNotificationsToList+46j
		cmp	[edi+4], ebx
		jnz	short loc_8DFA70
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	short loc_8DFA70
		mov	[eax], edi
		mov	ecx, ebx
		mov	[edi+4], eax
		call	_PopFreeRegistration@4 ; PopFreeRegistration(x)
		jmp	loc_794BB2
; 

loc_8DFA70:				; CODE XREF: PopDispatchNotificationsToList+14AEF0j
					; PopDispatchNotificationsToList+14AEF7j
		push	3
		jmp	loc_794C6C
; END OF FUNCTION CHUNK	FOR PopDispatchNotificationsToList
; 
; START	OF FUNCTION CHUNK FOR PiPnpAddDeviceToPdoDeviceListEnumContext

loc_8DFA77:				; CODE XREF: PiPnpAddDeviceToPdoDeviceListEnumContext+6Ej
		mov	eax, [edi]
		lea	eax, ds:4[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	dword ptr [edi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_794D6A
; END OF FUNCTION CHUNK	FOR PiPnpAddDeviceToPdoDeviceListEnumContext
; 
; START	OF FUNCTION CHUNK FOR MmEnumerateSystemImages

loc_8DFA9A:				; CODE XREF: MmEnumerateSystemImages+46j
		mov	eax, [eax+180h]
		mov	[esp+40h+var_30], eax
		jmp	loc_794E01
; 

loc_8DFAA9:				; CODE XREF: MmEnumerateSystemImages+E4j
		call	_MiSessionLookupImage@4	; MiSessionLookupImage(x)
		test	eax, eax
		jnz	loc_794E3D
		jmp	loc_794E9A
; END OF FUNCTION CHUNK	FOR MmEnumerateSystemImages
; 
; START	OF FUNCTION CHUNK FOR ExGetSessionPoolTagInformation

loc_8DFABB:				; CODE XREF: ExGetSessionPoolTagInformation+D4j
		cmp	ecx, eax
		jnz	loc_7950B9
		jmp	loc_795052
; 

loc_8DFAC8:				; CODE XREF: ExGetSessionPoolTagInformation+116j
					; ExGetSessionPoolTagInformation+11Fj
		mov	esi, 0C0000095h
		jmp	loc_795132
; END OF FUNCTION CHUNK	FOR ExGetSessionPoolTagInformation
; 
; START	OF FUNCTION CHUNK FOR PopIsDozeSupported

loc_8DFAD2:				; CODE XREF: PopIsDozeSupported+9j
		cmp	ds:_PopPromoteHibernateToShutdown, 0
		jz	loc_79547C
		jmp	loc_795475
; END OF FUNCTION CHUNK	FOR PopIsDozeSupported
; 
; START	OF FUNCTION CHUNK FOR PiControlGetDeviceDepth

loc_8DFAE4:				; CODE XREF: PiControlGetDeviceDepth+59j
		cmp	[ebp+var_4], 0
		jz	loc_7954F5
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7954F5
; END OF FUNCTION CHUNK	FOR PiControlGetDeviceDepth
; 
; START	OF FUNCTION CHUNK FOR PpHotSwapGetDevnodeRemovalPolicy

loc_8DFAFD:				; CODE XREF: PpHotSwapGetDevnodeRemovalPolicy+26j
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_PiHotSwapGetDetachableNode@8 ;	PiHotSwapGetDetachableNode(x,x)
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	short loc_8DFB16
		xor	esi, esi
		inc	esi
		jmp	loc_795539
; 

loc_8DFB16:				; CODE XREF: PpHotSwapGetDevnodeRemovalPolicy+14A608j
		mov	al, [eax+170h]
		not	al
		movzx	esi, al
		and	esi, 8
		or	esi, 10h
		shr	esi, 3
		jmp	loc_795539
; END OF FUNCTION CHUNK	FOR PpHotSwapGetDevnodeRemovalPolicy
; 
; START	OF FUNCTION CHUNK FOR IopDeleteDevice

loc_8DFB2F:				; CODE XREF: IopDeleteDevice+2Bj
		mov	ecx, [esi+8]
		mov	edx, esi
		call	IopCleanupNotifications
		jmp	loc_795595
; 

loc_8DFB3E:				; CODE XREF: IopDeleteDevice+3Aj
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7955A4
; END OF FUNCTION CHUNK	FOR IopDeleteDevice
; 
; START	OF FUNCTION CHUNK FOR IopDestroyDeviceNode

loc_8DFB4B:				; CODE XREF: IopDestroyDeviceNode+9j
		xor	ebx, ebx
		cmp	[esi+1D0h], ebx
		jz	loc_8DFBF5
		mov	edx, 1F4h
		lea	edi, [esi+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[edi], bx
		jz	short loc_8DFB80
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock

loc_8DFB80:				; CODE XREF: IopDestroyDeviceNode+14A5B3j
		lea	edi, [esi+1Ch]
		cmp	[edi], bx
		jz	short loc_8DFB9D
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [esi+20h]
		call	IoAddTriageDumpDataBlock

loc_8DFB9D:				; CODE XREF: IopDestroyDeviceNode+14A5D0j
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_8DFBC3
		lea	ecx, [eax+1Ch]
		cmp	[ecx], bx
		jz	short loc_8DFBC3
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_8DFBC3:				; CODE XREF: IopDestroyDeviceNode+14A5ECj
					; IopDestroyDeviceNode+14A5F4j
		push	11h
		push	dword ptr [esi+1D0h]
		jmp	short loc_8DFBE6
; 

loc_8DFBCD:				; CODE XREF: IopDestroyDeviceNode+14A6A3j
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
; END OF FUNCTION CHUNK	FOR IopDestroyDeviceNode

;  S U B	R O U T	I N E 


sub_8DFBE4	proc near		; CODE XREF: IopDestroyDeviceNode+14A699j
					; IopDestroyDeviceNode+14A6A1j
		push	ebx
		push	ebx
sub_8DFBE4	endp

; START	OF FUNCTION CHUNK FOR IopDestroyDeviceNode

loc_8DFBE6:				; CODE XREF: IopDestroyDeviceNode+14A615j
		push	dword ptr [esi+10h]
		push	5
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8DFBF5:				; CODE XREF: IopDestroyDeviceNode+14A59Dj
		mov	eax, [esi+10h]
		test	dword ptr [eax+1Ch], 1000h
		jz	short loc_8DFC5E
		cmp	[esi+8], ebx
		jz	short loc_8DFC5E
		mov	edx, 1F4h
		lea	edi, [esi+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[edi], bx
		jz	short loc_8DFC2D
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock

loc_8DFC2D:				; CODE XREF: IopDestroyDeviceNode+14A660j
		lea	edi, [esi+1Ch]
		cmp	[edi], bx
		jz	short loc_8DFC4A
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [esi+20h]
		call	IoAddTriageDumpDataBlock

loc_8DFC4A:				; CODE XREF: IopDestroyDeviceNode+14A67Dj
		mov	eax, [esi+8]
		test	eax, eax
		jz	short sub_8DFBE4
		lea	ecx, [eax+1Ch]
		cmp	[ecx], bx
		jz	short sub_8DFBE4
		jmp	loc_8DFBCD
; 

loc_8DFC5E:				; CODE XREF: IopDestroyDeviceNode+14A649j
					; IopDestroyDeviceNode+14A64Ej
		test	dword ptr [esi+10Ch], 20000h
		jz	short loc_8DFC80
		mov	edx, _PnpDriverObject
		or	ecx, 0FFFFFFFFh
		push	ebx
		push	ebx
		push	eax
		call	_IopLegacyResourceAllocation@20	; IopLegacyResourceAllocation(x,x,x,x,x)
		jmp	loc_7955C5
; 

loc_8DFC80:				; CODE XREF: IopDestroyDeviceNode+14A6B2j
		mov	ecx, [esi+124h]
		test	ecx, ecx
		jz	short loc_8DFC8F
		call	ObfDereferenceObject

loc_8DFC8F:				; CODE XREF: IopDestroyDeviceNode+14A6D2j
		cmp	[esi+1Ch], bx
		jz	short loc_8DFC9E
		push	ebx
		push	dword ptr [esi+20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8DFC9E:				; CODE XREF: IopDestroyDeviceNode+14A6DDj
		mov	ecx, esi
		call	PnpFreeDeviceInstancePath
		mov	edi, offset _PiResourceListLock
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	eax, [esi+128h]
		test	eax, eax
		jz	short loc_8DFCC2
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8DFCC2:				; CODE XREF: IopDestroyDeviceNode+14A703j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [esi+10h]
		xor	edx, edx
		call	IopUncacheInterfaceInformation
		lea	ebx, [esi+188h]

loc_8DFCD9:				; CODE XREF: IopDestroyDeviceNode+14A74Cj
		mov	edi, [ebx]
		cmp	edi, ebx
		jz	short loc_8DFD09
		cmp	[edi+4], ebx
		jnz	short loc_8DFD04
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_8DFD04
		mov	[ebx], eax
		push	0
		mov	[eax+4], ebx
		push	dword ptr [edi+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8DFCD9
; 

loc_8DFD04:				; CODE XREF: IopDestroyDeviceNode+14A72Cj
					; IopDestroyDeviceNode+14A733j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8DFD09:				; CODE XREF: IopDestroyDeviceNode+14A727j
		mov	eax, [esi+1CCh]
		test	eax, eax
		jz	short loc_8DFD1E
		push	62655250h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8DFD1E:				; CODE XREF: IopDestroyDeviceNode+14A75Bj
		mov	eax, [esi+10h]
		push	0
		push	esi
		mov	eax, [eax+0B0h]
		and	dword ptr [eax+14h], 0
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lock dec _IopNumberDeviceNodes
		jmp	loc_7955C5
; END OF FUNCTION CHUNK	FOR IopDestroyDeviceNode
; 
; START	OF FUNCTION CHUNK FOR PnpDeleteAllDependencyRelations

loc_8DFD3F:				; CODE XREF: PnpDeleteAllDependencyRelations+1Dj
		mov	ecx, esi
		call	PipAddDependentsToRebuildPowerRelationsQueue
		mov	ecx, esi
		call	_PipDeleteAllDependencyRelations@4 ; PipDeleteAllDependencyRelations(x)
		jmp	loc_7955ED
; END OF FUNCTION CHUNK	FOR PnpDeleteAllDependencyRelations
; 
; START	OF FUNCTION CHUNK FOR PopLogDisabledSleepReason

loc_8DFD52:				; CODE XREF: PopLogDisabledSleepReason+29j
					; PopLogDisabledSleepReason+14A750j
		or	esi, [eax+0Ch]
		inc	ebx
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	short loc_8DFD52
		test	esi, esi
		jz	loc_795639
		mov	edi, ebx
		push	66756263h
		shl	edi, 3
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_8DFD86
		mov	edi, 0C000009Ah
		jmp	loc_795639
; 

loc_8DFD86:				; CODE XREF: PopLogDisabledSleepReason+14A770j
		mov	ecx, _PopDisableSleepList
		mov	edx, ebx
		jmp	short loc_8DFDA0
; 

loc_8DFD90:				; CODE XREF: PopLogDisabledSleepReason+14A79Cj
		mov	eax, [ecx+8]
		mov	[edx], eax
		lea	edx, [edx+8]
		mov	eax, [ecx+0Ch]
		mov	[edx-4], eax
		mov	ecx, [ecx]

loc_8DFDA0:				; CODE XREF: PopLogDisabledSleepReason+14A784j
		cmp	ecx, offset _PopDisableSleepList
		jnz	short loc_8DFD90
		push	edi		; int
		push	ebx		; void *
		mov	edx, esi
		push	0Dh
		pop	ecx
		call	PopLogSleepDisabled
		mov	edi, eax
		push	66756263h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_795639
; END OF FUNCTION CHUNK	FOR PopLogDisabledSleepReason
; 
; START	OF FUNCTION CHUNK FOR PopFilterCapabilities

loc_8DFDC6:				; CODE XREF: PopFilterCapabilities+37j
		mov	edx, [ebp+var_8]
		xor	eax, eax
		mov	[ebp+var_1], 1
		mov	esi, eax
		mov	ecx, edx
		cmp	[edx], ax
		jz	short loc_8DFDFB

loc_8DFDD8:				; CODE XREF: PopFilterCapabilities+14A7AFj
		lea	edi, [ecx+2]

loc_8DFDDB:				; CODE XREF: PopFilterCapabilities+14A79Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_10]
		jnz	short loc_8DFDDB
		sub	ecx, edi
		xor	eax, eax
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		lea	ecx, [esi+edx]
		cmp	[ecx], ax
		jnz	short loc_8DFDD8

loc_8DFDFB:				; CODE XREF: PopFilterCapabilities+14A78Cj
		lea	eax, [esi+2]
		push	eax		; int
		push	edx		; void *
		push	1Fh
		pop	edx
		push	4
		pop	ecx
		call	PopLogSleepDisabled
		jmp	loc_795687
; 

loc_8DFE10:				; CODE XREF: PopFilterCapabilities+41j
		xor	eax, eax
		push	eax
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_795691
; 

loc_8DFE20:				; CODE XREF: PopFilterCapabilities+6Dj
		xor	eax, eax
		push	eax		; int
		push	eax		; void *
		push	10h
		pop	edx
		push	7
		pop	ecx
		call	PopLogSleepDisabled
		jmp	loc_7956C5
; 

loc_8DFE34:				; CODE XREF: PopFilterCapabilities+82j
		xor	eax, eax
		push	eax		; int
		push	eax		; void *
		push	7
		pop	edx
		push	0Eh
		pop	ecx
		call	PopLogSleepDisabled
		jmp	loc_7956DA
; END OF FUNCTION CHUNK	FOR PopFilterCapabilities
; 
; START	OF FUNCTION CHUNK FOR PopRemoveReasonRecordByReasonCode

loc_8DFE48:				; CODE XREF: PopRemoveReasonRecordByReasonCode+7j
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_8DFE67
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_8DFE67
		push	66756263h
		mov	[edx], ecx
		push	eax
		mov	[ecx+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
; 

loc_8DFE67:				; CODE XREF: PopRemoveReasonRecordByReasonCode+14A6BFj
					; PopRemoveReasonRecordByReasonCode+14A6C6j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8DFE6C:				; CODE XREF: IoGetLegacyVetoList+80j
		test	esi, esi
		jz	loc_795850
		push	2
		pop	eax
		mov	[esp+arg_E], ax
		lea	edx, [esp+10h]
		xor	eax, eax
		mov	[esp+arg_10], offset ??_C@_11LOCGONAA@@NNGAKEGL@
		lea	ecx, [esp+arg_14]
		mov	[esp+arg_C], ax
		call	_IopAppendLegacyVeto@8 ; IopAppendLegacyVeto(x,x)
		mov	eax, [esp+arg_8]
		jmp	loc_795850
; END OF FUNCTION CHUNK	FOR PopRemoveReasonRecordByReasonCode
; 
; START	OF FUNCTION CHUNK FOR IoGetLegacyVetoList

loc_8DFEA1:				; CODE XREF: IoGetLegacyVetoList+4Bj
					; IoGetLegacyVetoList+78j ...
		test	esi, esi
		jz	loc_795858
		mov	ecx, [esi]
		test	ecx, ecx
		jz	loc_795858
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+28h+var_1C]
		mov	[esi], ebx
		jmp	loc_795858
; END OF FUNCTION CHUNK	FOR IoGetLegacyVetoList
; 
; START	OF FUNCTION CHUNK FOR PiControlGetPropertyData

loc_8DFEC5:				; CODE XREF: PiControlGetPropertyData+90j
		cmp	[esp+28h+var_4], edi
		jz	loc_795910
		push	0
		push	[esp+2Ch+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_795910
; 

loc_8DFEDF:				; CODE XREF: PiControlGetPropertyData+98j
					; PiControlGetPropertyData+ADj
		mov	esi, 0C000000Eh
		jmp	loc_7959C3
; 

loc_8DFEE9:				; CODE XREF: PiControlGetPropertyData+105j
					; DATA XREF: PAGE:00795A46o
		push	0Ch		; case 0x1
		jmp	loc_795988
; 

loc_8DFEF0:				; CODE XREF: PiControlGetPropertyData+105j
					; DATA XREF: PAGE:00795A5Eo
		push	10h		; case 0x7
		jmp	loc_795988
; 

loc_8DFEF7:				; CODE XREF: PiControlGetPropertyData+105j
					; DATA XREF: PAGE:00795A52o
		mov	ecx, [esp+28h+var_14] ;	case 0x4
		push	edi		; int
		mov	edi, [esp+2Ch+var_1C]
		push	edi		; int
		push	[esp+30h+var_18] ; size_t
		call	_PiControlGetDevicePowerData@20	; PiControlGetDevicePowerData(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 80000005h
		jnz	loc_7959A7
		mov	esi, 0C0000023h
		jmp	loc_7959A7
; 

loc_8DFF22:				; CODE XREF: PiControlGetPropertyData+105j
					; DATA XREF: PAGE:00795A5Ao
		mov	ecx, [esp+28h+var_14] ;	case 0x6
		lea	eax, [esp+28h+var_10]
		push	0
		push	edi
		mov	edi, [esp+30h+var_1C]
		mov	edx, [ecx+18h]
		mov	ecx, _PiPnpRtlCtx
		push	edi
		push	eax
		push	22h
		push	0
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8DFF5C
		cmp	[esp+28h+var_10], 4
		jz	short loc_8DFF5C
		mov	esi, 0C00000F0h
		jmp	loc_7959C3
; 

loc_8DFF5C:				; CODE XREF: PiControlGetPropertyData+14A6CFj
					; PiControlGetPropertyData+14A6D6j
		cmp	esi, 0C0000225h
		jnz	loc_7959A7
		mov	esi, 0C0000034h
		jmp	loc_7959A7
; 

loc_8DFF72:				; CODE XREF: PiControlGetPropertyData+105j
					; DATA XREF: PAGE:00795A66o
		cmp	[esp+28h+var_18], 4 ; case 0x9
		mov	edi, [esp+28h+var_1C]
		jb	short loc_8DFF8D
		mov	ecx, [esp+28h+var_14]
		xor	dl, dl
		push	edi
		call	PpHotSwapGetDevnodeRemovalPolicy
		xor	esi, esi
		jmp	short loc_8DFF92
; 

loc_8DFF8D:				; CODE XREF: PiControlGetPropertyData+14A701j
		mov	esi, 0C0000023h

loc_8DFF92:				; CODE XREF: PiControlGetPropertyData+14A711j
		mov	ecx, [ebp+arg_4]
		mov	dword ptr [ecx+10h], 4
		jmp	loc_7959A7
; 

loc_8DFFA1:				; CODE XREF: PiControlGetPropertyData+105j
					; DATA XREF: PAGE:00795A76o
		mov	edx, [esp+28h+var_18] ;	case 0xD
		mov	ecx, [esp+28h+var_14]
		push	edi
		mov	edi, [esp+2Ch+var_1C]
		push	edi
		call	_PiControlGetDeviceStack@16 ; PiControlGetDeviceStack(x,x,x,x)
		jmp	loc_7959A5
; 

loc_8DFFB9:				; CODE XREF: PiControlGetPropertyData+105j
					; DATA XREF: PAGE:00795A7Ao
		xor	edx, edx	; case 0xE
		jmp	short loc_8DFFC0
; 

loc_8DFFBD:				; CODE XREF: PiControlGetPropertyData+105j
					; DATA XREF: PAGE:00795A7Eo
		xor	edx, edx	; case 0xF
		inc	edx

loc_8DFFC0:				; CODE XREF: PiControlGetPropertyData+14A741j
		mov	eax, [esp+28h+var_18]
		mov	ecx, [esp+28h+var_14]
		push	edi
		mov	edi, [esp+2Ch+var_1C]
		shr	eax, 1
		push	eax
		push	edi
		call	_PnpGetDeviceDependencyList@20 ; PnpGetDeviceDependencyList(x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+10h]
		add	ecx, ecx
		mov	[eax+10h], ecx
		test	esi, esi
		jns	short loc_8DFFF3
		cmp	esi, 0C0000023h
		jnz	loc_7959A7

loc_8DFFF3:				; CODE XREF: PiControlGetPropertyData+14A76Bj
		cmp	ecx, 2
		ja	loc_7959A7
		and	dword ptr [eax+10h], 0
		mov	esi, 0C0000034h
		jmp	loc_7959A7
; 

loc_8E000A:				; CODE XREF: PiControlGetPropertyData+FFj
					; PiControlGetPropertyData+105j
					; DATA XREF: ...
		mov	esi, 0C000000Dh	; default
		jmp	loc_795A20	; case 0xA
; 

loc_8E0014:				; CODE XREF: PiControlGetPropertyData+BEj
					; PiControlGetPropertyData+C9j
		mov	esi, 0C0000056h
		add	ebx, 0Ch
		jmp	loc_7959A7
; 

loc_8E0021:				; CODE XREF: PiControlGetPropertyData+168j
		test	edi, edi
		jz	loc_7959E8
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7959E8
; 

loc_8E0036:				; CODE XREF: PiControlGetPropertyData+39j
					; PiControlGetPropertyData+47j	...
		mov	eax, 0C000000Dh
		jmp	loc_7959EA
; END OF FUNCTION CHUNK	FOR PiControlGetPropertyData
; 
; START	OF FUNCTION CHUNK FOR PiGetRelatedDevice

loc_8E0040:				; CODE XREF: PiGetRelatedDevice+141j
		mov	edi, 0C000000Dh
		jmp	loc_795B17
; 

loc_8E004A:				; CODE XREF: PiGetRelatedDevice+115j
		cmp	dword ptr [esi+114h], 18h
		jnz	loc_795B54
		test	eax, edx
		jz	loc_795B54
		jmp	loc_795BC9
; 

loc_8E0064:				; CODE XREF: PiGetRelatedDevice+151j
		mov	eax, [esi+10Ch]
		test	eax, ecx
		jz	loc_795AE0
		cmp	dword ptr [esi+114h], 18h
		jnz	loc_795AE0
		test	eax, edx
		jz	loc_795AE0
		jmp	loc_795BC9
; 

loc_8E008C:				; CODE XREF: PiGetRelatedDevice+71j
					; DATA XREF: PAGE:_CmpPerflibPathStringo
		mov	edi, 0C0000023h
		add	ebx, 2
		jmp	loc_795B12
; END OF FUNCTION CHUNK	FOR PiGetRelatedDevice
; 
; START	OF FUNCTION CHUNK FOR PiControlGetRelatedDevice

loc_8E0099:				; CODE XREF: PiControlGetRelatedDevice+CAj
		cmp	[ebp+var_8], 0
		jz	short loc_8E00A9
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E00A9:				; CODE XREF: PiControlGetRelatedDevice+14A4C1j
		test	ebx, ebx
		jz	loc_795CAC
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_795CAC
; 

loc_8E00BE:				; CODE XREF: PiControlGetRelatedDevice+22j
					; PiControlGetRelatedDevice+30j ...
		mov	eax, 0C000000Dh
		jmp	loc_795CB0
; END OF FUNCTION CHUNK	FOR PiControlGetRelatedDevice
; 
; START	OF FUNCTION CHUNK FOR PiControlGetSetDeviceStatus

loc_8E00C8:				; CODE XREF: PiControlGetSetDeviceStatus+99j
		cmp	[esp+38h+var_14], ebx
		jz	loc_795D7F
		push	0
		push	[esp+3Ch+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+38h+var_20]
		jmp	loc_795D7F
; 

loc_8E00E6:				; CODE XREF: PiControlGetSetDeviceStatus+CFj
		sub	eax, 1
		jz	loc_8E0174
		sub	eax, 1
		jz	short loc_8E00FE
		mov	esi, 0C0000010h
		jmp	loc_795DDB
; 

loc_8E00FE:				; CODE XREF: PiControlGetSetDeviceStatus+14A412j
		xor	ebx, ebx
		lea	eax, [esp+38h+var_10]
		push	ebx
		push	ebx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, [esp+38h+var_20]
		lea	eax, [esp+38h+var_28]
		push	eax
		lea	eax, [esp+3Ch+var_24]
		xor	edx, edx
		push	eax
		lea	eax, [esp+40h+var_10]
		inc	edx
		push	eax
		push	ebx
		push	ebx
		call	PnpRequestDeviceAction
		mov	esi, eax
		test	esi, esi
		jns	short sub_8E013A

loc_8E012F:				; CODE XREF: PiControlGetSetDeviceStatus+14A523j
					; PiControlGetSetDeviceStatus+14A52Bj
		mov	edi, [esp+38h+var_28]
		jmp	loc_795DD3
; 

loc_8E0138:				; CODE XREF: PiControlGetSetDeviceStatus+14A531j
		xor	ebx, ebx
; END OF FUNCTION CHUNK	FOR PiControlGetSetDeviceStatus

;  S U B	R O U T	I N E 


sub_8E013A	proc near		; CODE XREF: PiControlGetSetDeviceStatus+14A44Dj

arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_24		= dword	ptr  2Ch

; FUNCTION CHUNK AT 008E0216 SIZE 00000028 BYTES

		push	ebx
		push	1
		push	ebx
		push	ebx
		lea	eax, [esp+0Ch+arg_24]
		push	eax
		call	KeWaitForSingleObject
		mov	edi, [esp-4+arg_C]
		mov	esi, eax
		cmp	esi, 101h
		jnz	loc_8E022D
		mov	ecx, edi
		call	_PnpRemoveDeviceActionRequestFromQueue@4 ; PnpRemoveDeviceActionRequestFromQueue(x)
		test	eax, eax
		jz	loc_8E0216
		mov	esi, 0C0000120h
		jmp	loc_795DD3
sub_8E013A	endp

; 
; START	OF FUNCTION CHUNK FOR PiControlGetSetDeviceStatus

loc_8E0174:				; CODE XREF: PiControlGetSetDeviceStatus+14A409j
		mov	ebx, [esp+38h+var_1C]
		test	ebx, ebx
		jnz	short loc_8E018A
		push	ebx
		push	ebx
		lea	eax, [esp+40h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		jmp	short loc_8E01BA
; 

loc_8E018A:				; CODE XREF: PiControlGetSetDeviceStatus+14A49Aj
		push	55706E50h
		push	[ebp+arg_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+38h+var_2C], edi
		test	edi, edi
		jnz	short loc_8E01AD
		mov	esi, 0C000009Ah
		jmp	loc_795DDB
; 

loc_8E01AD:				; CODE XREF: PiControlGetSetDeviceStatus+14A4C1j
		push	[ebp+arg_8]	; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_8E01BA:				; CODE XREF: PiControlGetSetDeviceStatus+14A4A8j
		mov	eax, ebx
		lea	ecx, [esp+38h+var_28]
		neg	eax
		lea	edx, [esp+38h+var_24]
		lea	esi, [esp+38h+var_10]
		sbb	eax, eax
		not	eax
		and	eax, ecx
		mov	ecx, ebx
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, edx
		mov	edx, ebx
		neg	edx
		sbb	edx, edx
		not	edx
		and	edx, esi
		mov	esi, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_8E01ED
		mov	esi, edi

loc_8E01ED:				; CODE XREF: PiControlGetSetDeviceStatus+14A509j
		push	eax
		push	ecx
		mov	ecx, [esp+40h+var_20]
		push	edx
		push	esi
		push	0
		push	0Fh
		pop	edx
		call	PnpRequestDeviceAction
		mov	esi, eax
		test	ebx, ebx
		jnz	loc_8E012F
		test	esi, esi
		js	loc_8E012F
		jmp	loc_8E0138
; END OF FUNCTION CHUNK	FOR PiControlGetSetDeviceStatus
; 
; START	OF FUNCTION CHUNK FOR sub_8E013A

loc_8E0216:				; CODE XREF: sub_8E013A+2Aj
		mov	ecx, edi
		call	_PnpCancelDeviceActionRequest@4	; PnpCancelDeviceActionRequest(x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+0Ch+arg_24]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, eax

loc_8E022D:				; CODE XREF: sub_8E013A+1Bj
		test	esi, esi
		jnz	loc_795DD3
		mov	esi, [esp-4+arg_10]
		jmp	loc_795DD3
; END OF FUNCTION CHUNK	FOR sub_8E013A
; 
; START	OF FUNCTION CHUNK FOR PiControlGetSetDeviceStatus

loc_8E023E:				; CODE XREF: PiControlGetSetDeviceStatus+129j
		push	55706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_795DF3
; 

loc_8E024E:				; CODE XREF: PiControlGetSetDeviceStatus+45j
					; PiControlGetSetDeviceStatus+53j ...
		mov	eax, 0C000000Dh
		jmp	loc_795DF5
; END OF FUNCTION CHUNK	FOR PiControlGetSetDeviceStatus
; 
; START	OF FUNCTION CHUNK FOR PpDevNodeUnlockTree

loc_8E0258:				; CODE XREF: PpDevNodeUnlockTree+1Cj
		sub	ecx, 1
		jz	loc_795E46
		sub	ecx, 1
		jz	loc_795E46
		sub	ecx, 1
		jnz	loc_795E36
		push	offset _IopDeviceTreeLock
		call	ExConvertExclusiveToSharedLite
		jmp	loc_795E36
; END OF FUNCTION CHUNK	FOR PpDevNodeUnlockTree
; 
; START	OF FUNCTION CHUNK FOR PpDevNodeLockTree

loc_8E0282:				; CODE XREF: PpDevNodeLockTree+2Dj
		sub	ecx, 1
		jz	short loc_8E02F2
		sub	ecx, 1
		jz	short loc_8E02D7
		sub	ecx, 1
		jnz	loc_795EF0
		push	offset _IopDeviceTreeLock
		call	ExIsResourceAcquiredSharedLite
		mov	esi, eax
		mov	edi, esi
		test	esi, esi
		jz	loc_795EF0

loc_8E02AB:				; CODE XREF: PpDevNodeLockTree+14A3ECj
		mov	ecx, offset _IopDeviceTreeLock
		call	ExReleaseResourceLite
		sub	edi, 1
		jnz	short loc_8E02AB
		test	esi, esi
		jz	loc_795EF0

loc_8E02C2:				; CODE XREF: PpDevNodeLockTree+14A404j
		push	ebx
		push	offset _IopDeviceTreeLock
		call	ExAcquireResourceExclusiveLite
		sub	esi, 1
		jnz	short loc_8E02C2
		jmp	loc_795EF0
; 

loc_8E02D7:				; CODE XREF: PpDevNodeLockTree+14A3BEj
		push	ebx
		push	offset _PiEngineLock
		call	ExAcquireResourceExclusiveLite
		push	ebx
		push	offset _IopDeviceTreeLock
		call	ExAcquireResourceExclusiveLite
		jmp	loc_795EF0
; 

loc_8E02F2:				; CODE XREF: PpDevNodeLockTree+14A3B9j
		push	0
		push	offset _PiEngineLock
		call	ExAcquireResourceExclusiveLite
		test	al, al
		jnz	loc_795EE5
		xor	bl, bl
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_795EF0
; END OF FUNCTION CHUNK	FOR PpDevNodeLockTree
; 
; START	OF FUNCTION CHUNK FOR PiControlGetUserFlagsFromDeviceNode

loc_8E0312:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+53j
		or	esi, 40000h
		jmp	loc_795F65
; 

loc_8E031D:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+5Fj
		or	esi, 2000000h
		jmp	loc_795F71
; 

loc_8E0328:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+67j
		or	esi, 100h
		jmp	loc_795F79
; 

loc_8E0333:				; CODE XREF: PiControlGetUserFlagsFromDeviceNode+75j
		or	esi, 8000h
		jmp	loc_795F87
; END OF FUNCTION CHUNK	FOR PiControlGetUserFlagsFromDeviceNode
; 
; START	OF FUNCTION CHUNK FOR IoGetDeviceProperty

loc_8E033E:				; CODE XREF: IoGetDeviceProperty+184j
		mov	ebx, 0C000009Ah
		jmp	loc_796110
; 

loc_8E0348:				; CODE XREF: IoGetDeviceProperty+1BFj
		and	dword ptr [ecx], 0
		jmp	loc_796232
; 

loc_8E0350:				; CODE XREF: IoGetDeviceProperty+1CDj
		mov	ebx, edx
		jmp	loc_796232
; 

loc_8E0357:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:0079649Ao
		push	0Eh		; case 0xA
		jmp	loc_796128
; 

loc_8E035E:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:007964CAo
		push	25h		; case 0x16
		jmp	loc_796128
; 

loc_8E0365:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:0079647Eo
		mov	edi, [esp+80h+var_70] ;	case 0x3
		mov	eax, [ebp+arg_8]
		push	ebx
		push	edi
		push	ecx
		push	ecx
		mov	ecx, [esp+90h+var_68]
		mov	[ebx], eax
		call	_PiGetDeviceRegistryProperty@24	; PiGetDeviceRegistryProperty(x,x,x,x,x,x)
		mov	ebx, eax
		jmp	loc_796110
; 

loc_8E0382:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:00796492o
		push	0Ch		; case 0x8
		jmp	loc_796128
; 

loc_8E0389:				; CODE XREF: IoGetDeviceProperty+330j
		mov	eax, edx
		mov	ebx, edx
		jmp	loc_7963FD
; 

loc_8E0392:				; CODE XREF: IoGetDeviceProperty+388j
		xor	eax, eax
		inc	eax
		jmp	loc_7963E4
; 

loc_8E039A:				; CODE XREF: IoGetDeviceProperty+390j
		push	2
		pop	eax
		jmp	loc_7963E4
; 

loc_8E03A2:				; CODE XREF: IoGetDeviceProperty+3B5j
		cmp	ebx, 0C0000225h
		jz	loc_79617B
		cmp	ebx, 0C000000Eh
		jmp	loc_79610E
; 

loc_8E03B9:				; CODE XREF: IoGetDeviceProperty+98j
					; DATA XREF: PAGE:007964C2o
		mov	ecx, offset _PiResourceListLock	; case 0x14
		call	ExAcquireFastMutex
		mov	ecx, [esi+128h]
		test	ecx, ecx
		jz	short loc_8E03E7
		mov	eax, [ecx]
		mov	[ebx], eax
		cmp	eax, [ebp+arg_8]
		ja	loc_79628F
		push	dword ptr [ecx]
		mov	edi, [esp+84h+var_70]
		push	ecx
		push	edi
		jmp	loc_796349
; 

loc_8E03E7:				; CODE XREF: IoGetDeviceProperty+20Fj
					; IoGetDeviceProperty+221j ...
		and	dword ptr [ebx], 0
		jmp	loc_796351
; 

loc_8E03EF:				; CODE XREF: IoGetDeviceProperty+92j
		mov	ebx, 0C00000F0h	; default
		jmp	loc_796110
; 

loc_8E03F9:				; CODE XREF: IoGetDeviceProperty+79j
					; IoGetDeviceProperty+89j
		cmp	ecx, 12h
		jz	short loc_8E0414
		cmp	ecx, 0Fh
		jnz	short loc_8E0407
		test	esi, esi
		jnz	short loc_8E0414

loc_8E0407:				; CODE XREF: IoGetDeviceProperty+14A3BFj
		push	edx
		mov	edx, [ebp+4]
		push	edi
		push	2
		pop	ecx
		call	@PpvUtilFailDriver@16 ;	PpvUtilFailDriver(x,x,x,x)

loc_8E0414:				; CODE XREF: IoGetDeviceProperty+68j
					; IoGetDeviceProperty+A9j ...
		mov	ebx, 0C0000010h
		jmp	loc_796110
; END OF FUNCTION CHUNK	FOR IoGetDeviceProperty
; 
; START	OF FUNCTION CHUNK FOR PiGetDeviceRegProperty

loc_8E041E:				; CODE XREF: PiGetDeviceRegProperty+69j
		mov	esi, 0C00000F0h
		jmp	loc_79653D
; 

loc_8E0428:				; CODE XREF: PiGetDeviceRegProperty+97j
		mov	esi, 0C00000F0h
		jmp	loc_796546
; 

loc_8E0432:				; CODE XREF: PiGetDeviceRegProperty+B0j
		mov	esi, 0C000009Ah
		jmp	loc_796546
; 

loc_8E043C:				; CODE XREF: PiGetDeviceRegProperty+182j
		cmp	esi, 0C0000023h
		jnz	loc_7965EA
		mov	eax, [ebp+var_64]
		mov	[ebx], eax
		jmp	loc_7965EA
; 

loc_8E0452:				; CODE XREF: PiGetDeviceRegProperty+192j
		mov	esi, 0C00000F0h
		jmp	loc_7965EA
; 

loc_8E045C:				; CODE XREF: PiGetDeviceRegProperty+14Aj
		cmp	word ptr [eax+ecx*2-4],	29h
		jnz	loc_7965C1
		add	[ebp+var_6C], 4
		xor	eax, eax
		mov	[edx], ax
		xor	edx, edx
		mov	eax, [ebp+var_60]
		push	50h		; size_t
		push	edx		; int
		mov	[eax+ecx*2-4], dx
		lea	eax, [ebp+var_58]
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_6C]
		push	2Ch		; wchar_t
		push	eax		; wchar_t *
		mov	[ebp+var_58], eax
		mov	[ebp+var_7C], 1
		call	_wcschr
		add	esp, 14h
		jmp	short loc_8E04C3
; 

loc_8E04A1:				; CODE XREF: PiGetDeviceRegProperty+149FF7j
		xor	ecx, ecx
		mov	[eax], cx
		add	eax, 2
		mov	ecx, [ebp+var_7C]
		cmp	ecx, 13h
		jnb	short loc_8E04C9
		mov	[ebp+ecx*4+var_58], eax
		inc	ecx
		push	2Ch		; wchar_t
		push	eax		; wchar_t *
		mov	[ebp+var_7C], ecx
		call	_wcschr
		pop	ecx
		pop	ecx

loc_8E04C3:				; CODE XREF: PiGetDeviceRegProperty+149FD1j
		test	eax, eax
		jnz	short loc_8E04A1
		jmp	short loc_8E04CD
; 

loc_8E04C9:				; CODE XREF: PiGetDeviceRegProperty+149FE1j
		mov	[ebp+var_59], 1

loc_8E04CD:				; CODE XREF: PiGetDeviceRegProperty+149FF9j
		mov	eax, [ebp+var_60]
		jmp	loc_7965C1
; 

loc_8E04D5:				; CODE XREF: PiGetDeviceRegProperty+104j
		cmp	[ebp+var_59], 0
		jz	short loc_8E04E5
		mov	esi, 0C00000CDh
		jmp	loc_7965E8
; 

loc_8E04E5:				; CODE XREF: PiGetDeviceRegProperty+14A00Bj
		xor	ecx, ecx
		lea	eax, [ebp+var_58]
		push	ecx
		push	ebx
		push	edx
		push	[ebp+var_78]
		xor	edx, edx
		push	eax
		push	1
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_74]
		call	_RtlFormatMessageEx@40 ; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_7965E5
; END OF FUNCTION CHUNK	FOR PiGetDeviceRegProperty
; 
; START	OF FUNCTION CHUNK FOR PnpFindAlternateStringData

loc_8E0506:				; CODE XREF: PnpFindAlternateStringData+85j
		cmp	eax, 2Dh
		jz	loc_7966D1
		jmp	loc_796688
; END OF FUNCTION CHUNK	FOR PnpFindAlternateStringData
; 
; START	OF FUNCTION CHUNK FOR IopGetLegacyVetoListDeviceNode

loc_8E0514:				; CODE XREF: IopGetLegacyVetoListDeviceNode+12j
		cmp	dword ptr [edi], 0
		mov	eax, [edi+8]
		mov	dword ptr [eax], 1
		jz	loc_79672F
		lea	edx, [esi+14h]
		mov	ecx, edi
		call	_IopAppendLegacyVeto@8 ; IopAppendLegacyVeto(x,x)
		test	al, al
		jz	loc_79672F
		jmp	loc_796712
; END OF FUNCTION CHUNK	FOR IopGetLegacyVetoListDeviceNode
; 
; START	OF FUNCTION CHUNK FOR PopInvokeWin32Callout

loc_8E053D:				; CODE XREF: PopInvokeWin32Callout+75j
		cmp	esi, 2
		jnz	short loc_8E0555
		mov	ecx, edi
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_7968F3
		jmp	short loc_8E055C
; 

loc_8E0555:				; CODE XREF: PopInvokeWin32Callout+149D94j
		mov	[ebp+var_8], 0C000000Dh

loc_8E055C:				; CODE XREF: PopInvokeWin32Callout+149DA7j
		mov	bl, 1
		jmp	loc_7968F3
; 

loc_8E0563:				; CODE XREF: PopInvokeWin32Callout+94j
		or	[ebp+var_C], 0FFFFFFFFh
		jmp	loc_79684B
; END OF FUNCTION CHUNK	FOR PopInvokeWin32Callout
; 
; START	OF FUNCTION CHUNK FOR PopDispatchPowerSettingCallbacks

loc_8E056C:				; CODE XREF: PopDispatchPowerSettingCallbacks+45j
		mov	esi, [esi]
		jmp	loc_796A23
; 

loc_8E0573:				; CODE XREF: PopDispatchPowerSettingCallbacks+7Bj
		cmp	dword ptr [edi+28h], 0
		jnz	loc_796A67
		cmp	dword ptr [edi+2Ch], 0
		jnz	loc_796A67
		push	3
		mov	bl, 1
		lea	ecx, [edi+30h]
		pop	edx

loc_8E058F:				; CODE XREF: PopDispatchPowerSettingCallbacks+149BBBj
		cmp	dword ptr [ecx], 0
		lea	ecx, [ecx+4]
		setnz	al
		dec	al
		and	al, bl
		mov	bl, al
		sub	edx, 1
		jnz	short loc_8E058F
		jmp	loc_796A67
; 

loc_8E05A8:				; CODE XREF: PopDispatchPowerSettingCallbacks+85j
		cmp	[esi+4], edi
		jnz	short loc_8E05C9
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_8E05C9
		push	74655350h
		mov	[eax], esi
		push	edi
		mov	[esi+4], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_796A71
; 

loc_8E05C9:				; CODE XREF: PopDispatchPowerSettingCallbacks+149BC5j
					; PopDispatchPowerSettingCallbacks+149BCCj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8E05CE:				; CODE XREF: PopCallPowerSettingCallback+81j
		lea	eax, [ebp+var_70]
		mov	[ebp+var_4C], 10h
		mov	[ebp+var_64], eax
		xor	ecx, ecx
		lea	eax, [esi+14h]
		mov	[ebp+var_60], ecx
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_74]
		push	4
		mov	[ebp+var_44], eax
		lea	eax, [edi+0Ch]
		pop	edx
		mov	[ebp+var_34], eax
		mov	eax, [ebp+var_68]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	edx
		push	ecx
		push	offset _POP_ETW_EVENT_POWER_SETTING_CALLBACK_START
		push	ebx
		push	[ebp+var_6C]
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_796B2F
; END OF FUNCTION CHUNK	FOR PopDispatchPowerSettingCallbacks
; 
; START	OF FUNCTION CHUNK FOR PopCallPowerSettingCallback

loc_8E062F:				; CODE XREF: PopCallPowerSettingCallback+D9j
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_1C], 4
		mov	[ebp+var_24], eax
		xor	ecx, ecx
		lea	eax, [esi+14h]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	ecx
		push	(offset	locret_4057EF+1)
		push	ebx
		push	[ebp+var_68]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], 10h
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_796B87
; 

loc_8E0671:				; CODE XREF: PopCallPowerSettingCallback+102j
		push	74655350h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_796BB0
; 

loc_8E0681:				; CODE XREF: PopCallPowerSettingCallback+A8j
		movzx	eax, al
		push	eax
		movzx	eax, bl
		push	eax
		push	dword ptr [esi+38h]
		push	900h
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8E069C:				; CODE XREF: PopDiagTracePowerSetting+40j
		mov	eax, [ebp+var_48]
		xor	edx, edx
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_4]
		push	4
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_0]
		pop	ecx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	edx
		push	esi
		push	edi
		push	ebx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], 10h
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_796C86
; END OF FUNCTION CHUNK	FOR PopCallPowerSettingCallback
; 
; START	OF FUNCTION CHUNK FOR MmAcquireSessionPoolRundown

loc_8E06FA:				; CODE XREF: MmAcquireSessionPoolRundown+42j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_8E070F
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8E070F:				; CODE XREF: MmAcquireSessionPoolRundown+1499DAj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		xor	eax, eax
		jmp	loc_796D97
; END OF FUNCTION CHUNK	FOR MmAcquireSessionPoolRundown
; 
; START	OF FUNCTION CHUNK FOR ExCallSessionCallBack

loc_8E0724:				; CODE XREF: ExCallSessionCallBack+37j
		xor	ecx, ecx
		jmp	short loc_8E0788
; 

loc_8E0728:				; CODE XREF: ExCallSessionCallBack+14999Bj
		mov	ecx, esi
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		lea	edx, [ebp+var_1C]
		mov	[ebp+var_30], eax
		mov	ecx, esi
		call	MmAttachSession
		mov	[ebp+var_20], eax
		test	eax, eax
		js	short loc_8E077E
		call	_MmSessionGetWin32Callouts@0 ; MmSessionGetWin32Callouts()
		mov	ecx, eax
		mov	[ebp+var_24], eax
		call	ExReferenceCallBackBlock
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8E0771
		push	[ebp+var_28]
		push	[ebp+var_2C]
		push	dword ptr [ebx+8]
		call	dword ptr [ebx+4]
		mov	ecx, [ebp+var_24]
		mov	edx, ebx
		mov	[ebp+var_20], eax
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)

loc_8E0771:				; CODE XREF: ExCallSessionCallBack+149960j
		lea	edx, [ebp+var_1C]
		mov	ecx, esi
		call	MmDetachSession
		mov	eax, [ebp+var_20]

loc_8E077E:				; CODE XREF: ExCallSessionCallBack+14994Bj
		cmp	[ebp+var_30], 0
		jnz	short loc_8E0786
		mov	edi, eax

loc_8E0786:				; CODE XREF: ExCallSessionCallBack+14998Cj
		mov	ecx, esi

loc_8E0788:				; CODE XREF: ExCallSessionCallBack+149930j
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_8E0728
		jmp	loc_796E90
; END OF FUNCTION CHUNK	FOR ExCallSessionCallBack
; 
; START	OF FUNCTION CHUNK FOR PipGenerateContainerID

loc_8E0798:				; CODE XREF: PipGenerateContainerID+B8j
		push	ecx		; void *
		lea	eax, [ebp+var_74]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jnz	loc_8723F8
		mov	esi, 0C000009Ah
		jmp	loc_872433
; 

loc_8E07B4:				; CODE XREF: PipGenerateContainerID+158j
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	short loc_8E07D3
; 

loc_8E07BF:				; CODE XREF: PipGenerateContainerID+141j
		mov	esi, 0C000009Ah
		jmp	short loc_8E07D3
; 

loc_8E07C6:				; CODE XREF: PipGenerateContainerID+122j
		cmp	esi, 0C0000023h
		jnz	short loc_8E07D3

loc_8E07CE:				; CODE XREF: PipGenerateContainerID+12Cj
		mov	esi, 0C000000Dh

loc_8E07D3:				; CODE XREF: PipGenerateContainerID+6E42Dj
					; PipGenerateContainerID+6E434j ...
		test	esi, esi
		js	short loc_8E07E5
		jmp	loc_8724EE
; 

loc_8E07DC:				; CODE XREF: PipGenerateContainerID+174j
					; PipGenerateContainerID+186j
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_8E07E5:				; CODE XREF: PipGenerateContainerID+C0j
					; PipGenerateContainerID+6E445j
		lea	eax, [ebp+Source2]
		push	eax
		call	ExUuidCreate
		mov	esi, eax
		test	esi, esi
		js	loc_872433
		lea	ecx, [ebp+Source2]
		jmp	loc_8723E5
; 

loc_8E0800:				; CODE XREF: PipGenerateContainerID+83j
		mov	esi, 0C000009Ah
		jmp	loc_87242A
; END OF FUNCTION CHUNK	FOR PipGenerateContainerID
; 
; START	OF FUNCTION CHUNK FOR PiCMGetRelatedDeviceInstance

loc_8E080A:				; CODE XREF: PiCMGetRelatedDeviceInstance+9Dj
		mov	esi, 0C000009Ah
		jmp	loc_796F5F
; 

loc_8E0814:				; CODE XREF: PiCMGetRelatedDeviceInstance+86j
		xor	ebx, ebx
		jmp	loc_796F5F
; 

loc_8E081B:				; CODE XREF: PiCMGetRelatedDeviceInstance+184j
		mov	esi, 0C000009Ah
		jmp	loc_79705D
; 

loc_8E0825:				; CODE XREF: PiCMGetRelatedDeviceInstance+47j
					; PiCMGetRelatedDeviceInstance+50j ...
		mov	esi, 0C000000Dh
		jmp	loc_796FA5
; END OF FUNCTION CHUNK	FOR PiCMGetRelatedDeviceInstance
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceParent

loc_8E082F:				; CODE XREF: _CmGetDeviceParent+129j
		push	0Dh
		pop	eax
		mov	[edi], eax
		cmp	esi, eax
		jb	loc_797216
		push	900h
		push	0
		push	0
		push	offset ??_C@_1BK@CCOOHMCM@?$AAH?$AAT?$AAR?$AAE?$AAE?$AA?2?$AAR?$AAO?$AAO?$AAT?$AA?2?$AA0@NNGAKEGL@
		jmp	loc_79719C
; END OF FUNCTION CHUNK	FOR _CmGetDeviceParent
; 
; START	OF FUNCTION CHUNK FOR PipProcessStartPhase2

loc_8E084F:				; CODE XREF: PipProcessStartPhase2+Cj
		push	dword ptr [esi+18h]
		mov	edx, offset _KMPnPEvt_ProcessDeviceStart_Start
		push	2
		push	ecx
		call	_McTemplateK0dz_EtwWriteTransfer@20 ; McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)
		jmp	loc_872534
; 

loc_8E0864:				; CODE XREF: PipProcessStartPhase2+1Fj
		test	edi, edi
		js	short loc_8E0877
		push	2
		pop	edx
		mov	ecx, esi
		call	_PpProfileCommitTransitioningDock@8 ; PpProfileCommitTransitioningDock(x,x)
		jmp	loc_872547
; 

loc_8E0877:				; CODE XREF: PipProcessStartPhase2+6E344j
		call	_PpProfileCancelHardwareProfileTransition@0 ; PpProfileCancelHardwareProfileTransition()
		jmp	loc_872547
; 

loc_8E0881:				; CODE XREF: PipProcessStartPhase2+27j
		cmp	edi, 0C00002D2h
		jz	short loc_8E088E
		push	0Ah
		pop	ebx
		jmp	short loc_8E08A1
; 

loc_8E088E:				; CODE XREF: PipProcessStartPhase2+6E365j
		push	0Eh
		pop	ebx
		push	ecx
		mov	ecx, [esi+18h]
		push	0
		push	40000000h
		call	_PnpUpdateRebootRequiredReason@20 ; PnpUpdateRebootRequiredReason(x,x,x,x,x)

loc_8E08A1:				; CODE XREF: PipProcessStartPhase2+6E36Aj
		push	edi
		push	ebx
		xor	dl, dl
		mov	ecx, esi
		call	_PnpRequestDeviceRemoval@16 ; PnpRequestDeviceRemoval(x,x,x,x)
		cmp	dword ptr [esi+174h], 0
		jz	loc_87256C
		push	dword ptr [esi+10h]
		call	_IoRequestDeviceEject@4	; IoRequestDeviceEject(x)
		jmp	loc_87256C
; 

loc_8E08C6:				; CODE XREF: PipProcessStartPhase2+51j
		push	dword ptr [esi+18h]
		mov	edx, offset _KMPnPEvt_ProcessDeviceStart_Stop
		push	2
		push	ecx
		call	_McTemplateK0dz_EtwWriteTransfer@20 ; McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)
		jmp	loc_872579
; END OF FUNCTION CHUNK	FOR PipProcessStartPhase2
; 
; START	OF FUNCTION CHUNK FOR PiBuildDeviceNodeInstancePath

loc_8E08DB:				; CODE XREF: PiBuildDeviceNodeInstancePath+31j
		test	dword ptr [edi+10Ch], 2000h
		jz	short loc_8E08F4
		cmp	dword ptr [edi+114h], 2Ah
		jz	loc_8725E9

loc_8E08F4:				; CODE XREF: PiBuildDeviceNodeInstancePath+6E333j
		lea	ecx, [edi+14h]
		call	_PnpCleanupDeviceRegistryValues@4 ; PnpCleanupDeviceRegistryValues(x)
		jmp	loc_8725E9
; 

loc_8E0901:				; CODE XREF: PiBuildDeviceNodeInstancePath+C2j
		push	esi		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_8E0918
		jmp	loc_87267A
; 

loc_8E0913:				; CODE XREF: PiBuildDeviceNodeInstancePath+16j
					; PiBuildDeviceNodeInstancePath+1Fj ...
		mov	ebx, 0C0000001h

loc_8E0918:				; CODE XREF: PiBuildDeviceNodeInstancePath+B7j
					; PiBuildDeviceNodeInstancePath+6E35Aj
		test	esi, esi
		jz	loc_87268B
		push	49706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_87268B
; END OF FUNCTION CHUNK	FOR PiBuildDeviceNodeInstancePath
; 
; START	OF FUNCTION CHUNK FOR PnpFreeDeviceInstancePath

loc_8E0930:				; CODE XREF: PnpFreeDeviceInstancePath+18j
		push	49706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8726BA
; END OF FUNCTION CHUNK	FOR PnpFreeDeviceInstancePath
; 
; START	OF FUNCTION CHUNK FOR _CmCreateDevice

loc_8E0940:				; CODE XREF: _CmCreateDevice+44j
		mov	[ebp+var_28], ecx
		test	ebx, ebx
		jz	loc_872797
		jmp	loc_872794
; 

loc_8E0950:				; CODE XREF: _CmCreateDevice+6Aj
		xor	edi, edi
		jmp	loc_8727CD
; 

loc_8E0957:				; CODE XREF: _CmCreateDevice+7Dj
		mov	esi, 0C00000E5h

loc_8E095C:				; CODE XREF: _CmCreateDevice+CAj
					; _CmCreateDevice+D2j
		cmp	[ebp+var_24], 0
		jz	loc_872827
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_872827
; END OF FUNCTION CHUNK	FOR _CmCreateDevice
; 
; START	OF FUNCTION CHUNK FOR _CmCreateDeviceWorker

loc_8E0973:				; CODE XREF: _CmCreateDeviceWorker+42j
		mov	eax, [ebp+arg_4]
		mov	edx, edi
		mov	ecx, ebx
		push	dword ptr [eax]
		push	1
		call	__CmRaiseCreateEvent@16	; _CmRaiseCreateEvent(x,x,x,x)
		jmp	loc_87289E
; END OF FUNCTION CHUNK	FOR _CmCreateDeviceWorker
; 
; START	OF FUNCTION CHUNK FOR PipNotifyDeviceDependencyList

loc_8E0988:				; CODE XREF: PipNotifyDeviceDependencyList+22j
		mov	edx, ebx
		mov	ecx, edi
		call	_PiListEntryToDependencyEdge@8 ; PiListEntryToDependencyEdge(x,x)
		mov	edi, [edi]
		test	ebx, ebx
		jnz	short loc_8E099E
		mov	edx, [eax+10h]
		xor	ecx, ecx
		jmp	short loc_8E09A3
; 

loc_8E099E:				; CODE XREF: PipNotifyDeviceDependencyList+6DF31j
		mov	ecx, [eax+14h]
		xor	edx, edx

loc_8E09A3:				; CODE XREF: PipNotifyDeviceDependencyList+6DF38j
		call	_PipNotifyDependenciesChanged@8	; PipNotifyDependenciesChanged(x,x)
		jmp	loc_872A84
; END OF FUNCTION CHUNK	FOR PipNotifyDeviceDependencyList
; 
; START	OF FUNCTION CHUNK FOR PiCreateDriverSwDevices

loc_8E09AD:				; CODE XREF: PiCreateDriverSwDevices+5Aj
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_10]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	offset _PiCreateDriverSwDeviceCallback@16 ; PiCreateDriverSwDeviceCallback(x,x,x,x)
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ebx
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_872B18
		cmp	[ebp+var_C], ebx
		jge	loc_872B18
		mov	esi, [ebp+var_C]
		jmp	loc_872B18
; 

loc_8E09E5:				; CODE XREF: PiCreateDriverSwDevices+6Dj
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_872B21
; END OF FUNCTION CHUNK	FOR PiCreateDriverSwDevices
; 
; START	OF FUNCTION CHUNK FOR PipProcessStartPhase3

loc_8E09F2:				; CODE XREF: PipProcessStartPhase3+1Fj
		push	dword ptr [esi+18h]
		mov	edx, offset _KMPnPEvt_ProcessDeviceStart_Start
		push	3
		push	ecx
		call	_McTemplateK0dz_EtwWriteTransfer@20 ; McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)
		jmp	loc_872B5B
; 

loc_8E0A07:				; CODE XREF: PipProcessStartPhase3+154j
		test	edi, edi
		jnz	loc_872C90
		mov	ebx, offset _PnpRegistryDeviceResource
		jmp	loc_872D9A
; 

loc_8E0A19:				; CODE XREF: PipProcessStartPhase3+1C5j
		test	al, 1
		jnz	loc_872D01
		jmp	short loc_8E0A28
; 

loc_8E0A23:				; CODE XREF: PipProcessStartPhase3+1A6j
					; PipProcessStartPhase3+1B0j ...
		xor	eax, eax
		mov	[ebp+var_C], eax

loc_8E0A28:				; CODE XREF: PipProcessStartPhase3+6DEEBj
		mov	[ebp+var_2], 1
		jmp	loc_872D01
; 

loc_8E0A31:				; CODE XREF: PipProcessStartPhase3+1D6j
		mov	dl, byte ptr [ebp+var_1]
		jmp	loc_872D32
; 

loc_8E0A39:				; CODE XREF: PipProcessStartPhase3+20Aj
		or	eax, 400h
		mov	[ebp+var_3], 1
		mov	[ebp+var_C], eax
		mov	[ebp+var_2], 1
		jmp	loc_872D46
; 

loc_8E0A4E:				; CODE XREF: PipProcessStartPhase3+243j
		mov	edx, [esi+18h]
		lea	eax, [ebp+var_C]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	4
		push	eax
		push	4
		push	0Bh
		push	[ebp+var_8]
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		jmp	loc_872D7F
; 

loc_8E0A70:				; CODE XREF: PipProcessStartPhase3+25Ej
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	0
		call	_PpDevCfgProcessDevice@12 ; PpDevCfgProcessDevice(x,x,x)
		jmp	loc_872D9A
; 

loc_8E0A81:				; CODE XREF: PipProcessStartPhase3+54j
		cmp	dword ptr [esi+114h], 9
		jnz	loc_872B90
		mov	edi, 0C0000001h
		jmp	loc_872C03
; 

loc_8E0A98:				; CODE XREF: PipProcessStartPhase3+C5j
		lea	ecx, [esi+14h]
		call	_PiAuditDeviceStart@4 ;	PiAuditDeviceStart(x)
		jmp	loc_872C01
; 

loc_8E0AA5:				; CODE XREF: PipProcessStartPhase3+E0j
		push	dword ptr [esi+18h]
		mov	edx, offset _KMPnPEvt_ProcessDeviceStart_Stop
		push	3
		push	ecx
		call	_McTemplateK0dz_EtwWriteTransfer@20 ; McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)
		jmp	loc_872C1C
; END OF FUNCTION CHUNK	FOR PipProcessStartPhase3
; 
; START	OF FUNCTION CHUNK FOR PnpSetPlugPlayEvent

loc_8E0ABA:				; CODE XREF: PnpSetPlugPlayEvent+DFj
		mov	esi, [ebp+var_10]
		mov	edx, 56706E50h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		jmp	loc_872F3B
; END OF FUNCTION CHUNK	FOR PnpSetPlugPlayEvent
; 
; START	OF FUNCTION CHUNK FOR _CmUpdateDevicePanel

loc_8E0ACE:				; CODE XREF: _CmUpdateDevicePanel+B2j
		mov	esi, 0C00000BBh
		jmp	loc_873270
; 

loc_8E0AD8:				; CODE XREF: _CmUpdateDevicePanel+EAj
		test	esi, esi
		js	loc_873258
		cmp	[ebp+var_60], 0
		jz	loc_8E0C19
		lea	eax, [ebp+var_18]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	__CmGetParentDeviceContainerId@12 ; _CmGetParentDeviceContainerId(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873258
		mov	ecx, [ebp+var_60]
		mov	[ebp+var_69], 1
		call	__CmGetDevicePanelGroup@4 ; _CmGetDevicePanelGroup(x)
		mov	[ebp+var_78], eax
		mov	eax, [ecx+8]
		xor	ecx, ecx
		shr	eax, 3
		and	eax, 7
		cmp	eax, 7
		jnb	short loc_8E0B27
		mov	ecx, ds:dword_40F8EC[eax*4]

loc_8E0B27:				; CODE XREF: _CmUpdateDevicePanel+6DB22j
		push	52504E50h
		push	72h
		push	1
		mov	[ebp+var_7C], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4C], eax
		test	eax, eax
		jnz	short loc_8E0B49
		mov	esi, 0C0000017h
		jmp	loc_873258
; 

loc_8E0B49:				; CODE XREF: _CmUpdateDevicePanel+6DB41j
		mov	edx, [ebp+var_78] ; int
		push	ecx		; int
		push	eax		; int
		push	[ebp+var_7C]	; int
		lea	ecx, [ebp+var_18] ; int
		call	__CmBuildDevicePanelId@20 ; _CmBuildDevicePanelId(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		push	10h
		pop	esi
		push	52504E50h
		push	esi
		jmp	short loc_8E0BB9
; 

loc_8E0B6E:				; CODE XREF: _CmUpdateDevicePanel+6DBCFj
		xor	edx, edx
		lea	ecx, [ebp+var_70]
		push	edx
		push	ecx
		push	esi
		push	eax
		lea	eax, [ebp+var_74]
		mov	ecx, ebx
		push	eax
		push	offset _DEVPKEY_Device_PhysicalDeviceLocationSpatial
		push	edx
		push	[ebp+var_51+1]
		mov	edx, edi
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_70]
		cmp	esi, 0C0000023h
		jnz	short loc_8E0BDC
		cmp	eax, [ebp+var_8C]
		jbe	short loc_8E0BD7
		mov	ecx, [ebp+var_5C]
		xor	eax, eax
		push	eax
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_70]
		push	52504E50h
		push	esi

loc_8E0BB9:				; CODE XREF: _CmUpdateDevicePanel+6DB70j
		push	1
		mov	[ebp+var_8C], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_5C], eax
		test	eax, eax
		jnz	short loc_8E0B6E

loc_8E0BCD:				; CODE XREF: _CmUpdateDevicePanel+108j
		mov	esi, 0C0000017h
		jmp	loc_87323E
; 

loc_8E0BD7:				; CODE XREF: _CmUpdateDevicePanel+6DBA6j
		mov	esi, 0C0000001h

loc_8E0BDC:				; CODE XREF: _CmUpdateDevicePanel+6DB9Ej
		cmp	esi, 0C0000225h
		jnz	short loc_8E0BF8
		mov	ecx, [ebp+var_5C]

loc_8E0BE7:				; CODE XREF: _CmUpdateDevicePanel+6DC0Ej
					; _CmUpdateDevicePanel+6DC13j ...
		xor	esi, esi
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_5C], esi
		jmp	loc_8730F1
; 

loc_8E0BF8:				; CODE XREF: _CmUpdateDevicePanel+6DBE6j
		test	esi, esi
		js	loc_87323E
		cmp	[ebp+var_74], 1003h
		mov	ecx, [ebp+var_5C]
		jnz	short loc_8E0BE7
		cmp	eax, 10h
		jb	short loc_8E0BE7
		mov	eax, [ecx]
		and	al, 1Fh
		cmp	al, 1
		jb	short loc_8E0BE7

loc_8E0C19:				; CODE XREF: _CmUpdateDevicePanel+6DAE8j
		xor	esi, esi
		jmp	loc_8730F1
; 

loc_8E0C20:				; CODE XREF: _CmUpdateDevicePanel+136j
		test	esi, esi
		js	loc_87323E
		cmp	[ebp+var_74], 12h
		jnz	loc_873138
		cmp	[ebp+var_70], 2
		jb	loc_873138
		mov	eax, [ebp+var_58]
		jmp	loc_873149
; 

loc_8E0C44:				; CODE XREF: _CmUpdateDevicePanel+152j
		test	eax, eax
		jz	short loc_8E0C5D
		push	esi		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		test	eax, eax
		mov	eax, [ebp+var_58]
		pop	ecx
		jnz	short loc_8E0C5D
		mov	cl, [ebp+var_61]
		jmp	short loc_8E0C62
; 

loc_8E0C5D:				; CODE XREF: _CmUpdateDevicePanel+15Aj
					; _CmUpdateDevicePanel+6DC4Aj ...
		mov	cl, 1
		mov	[ebp+var_61], cl

loc_8E0C62:				; CODE XREF: _CmUpdateDevicePanel+6DC5Fj
		test	eax, eax
		jz	short loc_8E0C85
		test	cl, cl
		jz	short loc_8E0C85
		push	ecx
		push	edi
		mov	edx, eax
		mov	ecx, ebx
		call	__CmRemovePanelDevice@16 ; _CmRemovePanelDevice(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		mov	esi, [ebp+var_4C]
		mov	eax, [ebp+var_58]

loc_8E0C85:				; CODE XREF: _CmUpdateDevicePanel+6DC68j
					; _CmUpdateDevicePanel+6DC6Cj
		test	esi, esi
		jz	loc_8E0D28
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_8E0C92:				; CODE XREF: _CmUpdateDevicePanel+6DCA3j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_A4]
		jnz	short loc_8E0C92
		sub	ecx, edx
		xor	edx, edx
		push	edx
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		mov	ecx, ebx
		push	eax
		push	esi
		push	12h
		push	offset _DEVPKEY_Device_PanelId
		push	edx
		push	[ebp+var_51+1]
		mov	edx, edi
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		xor	ecx, ecx
		lea	eax, [ebp+var_78]
		push	ecx
		push	4
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelGroup
		push	ecx
		push	[ebp+var_51+1]
		mov	edx, edi
		mov	ecx, ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		xor	ecx, ecx
		lea	eax, [ebp+var_7C]
		push	ecx
		push	4
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelSide
		push	ecx
		push	[ebp+var_51+1]
		mov	edx, edi
		mov	ecx, ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		mov	esi, [ebp+var_51+1]
		jmp	short loc_8E0D7B
; 

loc_8E0D28:				; CODE XREF: _CmUpdateDevicePanel+6DC8Bj
		test	eax, eax
		jz	loc_87315C
		mov	esi, [ebp+var_51+1]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelId
		push	eax
		push	esi
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelGroup
		push	eax
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelSide
		push	eax
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_8E0D7B:				; CODE XREF: _CmUpdateDevicePanel+6DD2Aj
		cmp	[ebp+var_4C], 0
		jz	loc_8E0EAB
		mov	eax, [ebp+var_60]
		test	eax, eax
		jz	loc_8E0EAB
		mov	ecx, [ebp+var_5C]
		mov	edx, edi
		test	ecx, ecx
		jz	loc_8E0E34
		movzx	eax, word ptr [ecx+4]
		xor	ecx, ecx
		push	ecx
		push	4
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelWidth
		push	ecx
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		mov	ecx, [ebp+var_5C]
		mov	edx, edi
		movzx	eax, word ptr [ecx+6]
		xor	ecx, ecx
		push	ecx
		push	4
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	(offset	loc_4280C0+4)
		push	ecx
		push	[ebp+var_51+1]
		mov	ecx, ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		mov	eax, [ebp+var_5C]
		xor	ecx, ecx
		push	ecx
		push	4
		mov	edx, edi
		movzx	eax, word ptr [eax+8]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelLength
		push	ecx
		push	[ebp+var_51+1]
		mov	ecx, ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		jmp	loc_8E0EFA
; 

loc_8E0E34:				; CODE XREF: _CmUpdateDevicePanel+6DD9Bj
		movzx	eax, word ptr [eax+4]
		xor	ecx, ecx
		push	ecx
		push	4
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelWidth
		push	ecx
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		mov	eax, [ebp+var_60]
		xor	ecx, ecx
		push	ecx
		push	4
		mov	edx, edi
		movzx	eax, word ptr [eax+6]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	(offset	loc_4280C0+4)
		push	ecx
		push	[ebp+var_51+1]
		mov	ecx, ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		mov	eax, [ebp+var_58]
		test	eax, eax
		jz	short loc_8E0EFD
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelLength
		push	eax
		push	[ebp+var_51+1]
		jmp	short loc_8E0EEF
; 

loc_8E0EAB:				; CODE XREF: _CmUpdateDevicePanel+6DD83j
					; _CmUpdateDevicePanel+6DD8Ej
		mov	eax, [ebp+var_58]
		test	eax, eax
		jz	short loc_8E0EFD
		xor	eax, eax
		mov	edx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelWidth
		push	eax
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_4280C0+4)
		push	eax
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelLength
		push	eax
		push	esi

loc_8E0EEF:				; CODE XREF: _CmUpdateDevicePanel+6DEADj
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_8E0EFA:				; CODE XREF: _CmUpdateDevicePanel+6DE33j
		mov	eax, [ebp+var_58]

loc_8E0EFD:				; CODE XREF: _CmUpdateDevicePanel+6DE9Cj
					; _CmUpdateDevicePanel+6DEB4j
		cmp	[ebp+var_4C], 0
		mov	ecx, [ebp+var_60]
		jz	loc_87315F
		test	ecx, ecx
		jz	loc_87315F
		mov	edx, 0FFFFh
		cmp	[ecx+12h], dx
		jz	loc_87315F
		movzx	eax, word ptr [ecx+10h]
		cmp	eax, edx
		jz	loc_8E0FD6
		mov	edx, [ebp+var_5C]

loc_8E0F30:				; CODE XREF: _CmUpdateDevicePanel+168j
		test	edx, edx
		jz	loc_8E0FDE
		movzx	eax, word ptr [edx+0Ah]
		xor	ecx, ecx
		push	ecx
		push	4
		mov	[ebp+var_44], eax
		mov	edx, edi
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelPositionX
		push	ecx
		push	[ebp+var_51+1]
		mov	ecx, ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		mov	eax, [ebp+var_5C]
		xor	ecx, ecx
		push	ecx
		push	4
		mov	edx, edi
		movzx	eax, word ptr [eax+0Ch]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelPositionY
		push	ecx
		push	[ebp+var_51+1]
		mov	ecx, ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		mov	eax, [ebp+var_5C]
		xor	ecx, ecx
		push	ecx
		push	4
		mov	edx, edi
		movzx	eax, word ptr [eax+0Eh]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelPositionZ
		push	ecx
		push	[ebp+var_51+1]
		mov	ecx, ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		mov	edx, [ebp+var_5C]
		jmp	loc_873172
; 

loc_8E0FD6:				; CODE XREF: _CmUpdateDevicePanel+6DF2Bj
		mov	eax, [ebp+var_58]
		jmp	loc_87315F
; 

loc_8E0FDE:				; CODE XREF: _CmUpdateDevicePanel+6DF36j
		movzx	eax, word ptr [ecx+12h]
		mov	edx, edi
		xor	ecx, ecx
		mov	[ebp+var_44], eax
		push	ecx
		push	4
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelPositionX
		push	ecx
		push	[ebp+var_51+1]
		mov	ecx, ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		mov	eax, [ebp+var_60]
		xor	ecx, ecx
		push	ecx
		push	4
		mov	edx, edi
		movzx	eax, word ptr [eax+10h]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelPositionY
		push	ecx
		push	[ebp+var_51+1]
		mov	ecx, ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		cmp	[ebp+var_58], 0
		mov	esi, [ebp+var_51+1]
		jnz	short loc_8E107F
		jmp	short loc_8E1097
; 

loc_8E104C:				; CODE XREF: _CmUpdateDevicePanel+170j
		mov	esi, [ebp+var_51+1]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelPositionX
		push	eax
		push	esi
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelPositionY
		push	eax
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_8E107F:				; CODE XREF: _CmUpdateDevicePanel+6E04Cj
		xor	eax, eax
		mov	edx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelPositionZ
		push	eax
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_8E1097:				; CODE XREF: _CmUpdateDevicePanel+6E04Ej
		mov	edx, [ebp+var_5C]
		jmp	loc_873175
; 

loc_8E109F:				; CODE XREF: _CmUpdateDevicePanel+188j
		mov	ecx, [ebp+var_60]
		test	ecx, ecx
		jz	loc_87318A
		test	edx, edx
		jz	loc_8E11C3
		mov	eax, [edx]
		mov	ecx, 168h
		shr	eax, 5
		xor	edx, edx
		and	eax, 1FFh
		div	ecx
		xor	ecx, ecx
		lea	eax, [ebp+var_44]
		push	ecx
		push	4
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelRotationX
		push	ecx
		push	esi
		mov	[ebp+var_44], edx
		mov	ecx, ebx
		push	1
		mov	edx, edi
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		mov	eax, [ebp+var_5C]
		xor	edx, edx
		mov	ecx, 168h
		mov	eax, [eax]
		shr	eax, 0Eh
		and	eax, 1FFh
		div	ecx
		xor	ecx, ecx
		lea	eax, [ebp+var_44]
		push	ecx
		push	4
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelRotationY
		push	ecx
		push	[ebp+var_51+1]
		mov	[ebp+var_44], edx
		mov	ecx, ebx
		push	1
		mov	edx, edi
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		mov	eax, [ebp+var_5C]
		xor	edx, edx
		mov	ecx, 168h
		mov	eax, [eax]
		shr	eax, 17h
		div	ecx
		xor	ecx, ecx
		lea	eax, [ebp+var_44]
		push	ecx
		push	4
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelRotationZ
		push	ecx
		push	[ebp+var_51+1]
		mov	[ebp+var_44], edx
		mov	ecx, ebx
		push	1
		mov	edx, edi
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		jmp	short loc_8E11B8
; 

loc_8E1170:				; CODE XREF: _CmUpdateDevicePanel+193j
		xor	eax, eax
		mov	edx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelRotationX
		push	eax
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelRotationY
		push	eax
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelRotationZ
		push	eax
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_8E11B8:				; CODE XREF: _CmUpdateDevicePanel+6E172j
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_58]
		jmp	loc_873195
; 

loc_8E11C3:				; CODE XREF: _CmUpdateDevicePanel+6E0B0j
		mov	eax, [ecx+0Ch]
		xor	edx, edx
		shr	eax, 13h
		mov	ecx, 168h
		and	eax, 0Fh
		imul	eax, 2Dh
		div	ecx
		xor	ecx, ecx
		lea	eax, [ebp+var_44]
		push	ecx
		push	4
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelRotationZ
		push	ecx
		push	esi
		mov	[ebp+var_44], edx
		mov	ecx, ebx
		push	1
		mov	edx, edi
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		mov	ecx, [ebp+var_58]
		mov	esi, [ebp+var_51+1]
		test	ecx, ecx
		jz	short loc_8E1247
		xor	eax, eax
		mov	edx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelRotationX
		push	eax
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelRotationY
		push	eax
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_58]
		jmp	loc_873198
; 

loc_8E1247:				; CODE XREF: _CmUpdateDevicePanel+6E20Ej
		mov	eax, [ebp+var_4C]
		jmp	loc_873198
; 

loc_8E124F:				; CODE XREF: _CmUpdateDevicePanel+19Ej
		mov	eax, [ebp+var_60]
		test	eax, eax
		jz	loc_8731A0
		mov	edx, [eax]
		test	dl, dl
		js	loc_8731A0
		movzx	ecx, byte ptr [eax+3]
		mov	eax, edx
		or	ecx, 0FFFFFF00h
		shr	eax, 10h
		shl	ecx, 8
		movzx	eax, al
		or	ecx, eax
		shr	edx, 8
		shl	ecx, 8
		movzx	eax, dl
		mov	edx, edi
		or	ecx, eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_44], ecx
		xor	ecx, ecx
		push	ecx
		push	4
		push	eax
		push	7
		push	(offset	loc_428020+4)
		push	ecx
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		jmp	short loc_8E12CA
; 

loc_8E12B2:				; CODE XREF: _CmUpdateDevicePanel+1A6j
		xor	eax, eax
		mov	edx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_428020+4)
		push	eax
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_8E12CA:				; CODE XREF: _CmUpdateDevicePanel+6E2B4j
		mov	ecx, [ebp+var_58]
		jmp	loc_8731A8
; 

loc_8E12D2:				; CODE XREF: _CmUpdateDevicePanel+1B0j
		mov	eax, [ebp+var_60]
		test	eax, eax
		jz	loc_8731B2
		mov	eax, [eax+8]
		xor	edx, edx
		shr	eax, 0Ah
		mov	ecx, edx
		and	eax, 0Fh
		cmp	eax, 9
		jnb	short loc_8E12F6
		mov	ecx, ds:dword_40F91C[eax*4]

loc_8E12F6:				; CODE XREF: _CmUpdateDevicePanel+6E2F1j
		push	edx
		push	4
		lea	eax, [ebp+var_44]
		mov	[ebp+var_44], ecx
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelShape
		push	edx
		push	[ebp+var_51+1]
		mov	edx, edi
		mov	ecx, ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		mov	ecx, [ebp+var_58]
		jmp	loc_8731BA
; 

loc_8E1328:				; CODE XREF: _CmUpdateDevicePanel+1B8j
		mov	esi, [ebp+var_51+1]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelShape
		push	eax
		push	esi
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_58]
		jmp	loc_8731BD
; 

loc_8E134B:				; CODE XREF: _CmUpdateDevicePanel+1C5j
		mov	eax, [ebp+var_60]
		test	eax, eax
		jz	loc_8731C7
		mov	eax, [eax+8]
		mov	edx, edi
		and	al, 1
		neg	al
		sbb	al, al
		xor	ecx, ecx
		push	ecx
		push	1
		mov	[ebp+var_6A], al
		lea	eax, [ebp+var_6A]
		push	eax
		push	11h
		push	offset _DEVPKEY_Device_PanelVisible
		push	ecx
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		jmp	loc_8731CF
; 

loc_8E138E:				; CODE XREF: _CmUpdateDevicePanel+1CDj
		xor	eax, eax
		mov	edx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelVisible
		push	eax
		push	esi
		push	1
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		jmp	loc_8731CF
; 

loc_8E13AB:				; CODE XREF: _CmUpdateDevicePanel+1D8j
		cmp	[ebp+var_61], 0
		jz	loc_8731DA
		push	ecx
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	__CmAddPanelDevice@16 ;	_CmAddPanelDevice(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_87323E
		jmp	loc_8731DA
; 

loc_8E13CF:				; CODE XREF: _CmUpdateDevicePanel+231j
		test	esi, esi
		js	loc_873237
		cmp	[ebp+var_69], 0
		jnz	short loc_8E13F8
		lea	eax, [ebp+var_18]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	__CmGetParentDeviceContainerId@12 ; _CmGetParentDeviceContainerId(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	[ebp+var_69], 1

loc_8E13F8:				; CODE XREF: _CmUpdateDevicePanel+6E3DFj
		mov	ecx, [ebp+var_60]
		call	__CmGetDevicePanelGroup@4 ; _CmGetDevicePanelGroup(x)
		mov	esi, eax
		xor	eax, eax
		mov	[ebp+var_78], esi
		mov	edx, eax
		mov	ecx, [ecx+8]
		shr	ecx, 3
		and	ecx, 7
		cmp	ecx, 7
		jnb	short loc_8E141E
		mov	edx, ds:dword_40F8EC[ecx*4]

loc_8E141E:				; CODE XREF: _CmUpdateDevicePanel+6E419j
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_7C], edx
		test	eax, eax
		jnz	short loc_8E1447
		push	52504E50h
		push	72h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4C], eax
		test	eax, eax
		jz	loc_8E1CE5
		mov	esi, [ebp+var_78]
		mov	edx, [ebp+var_7C]

loc_8E1447:				; CODE XREF: _CmUpdateDevicePanel+6E42Aj
		push	ecx		; int
		push	eax		; int
		push	edx		; int
		mov	edx, esi	; int
		lea	ecx, [ebp+var_18] ; int
		call	__CmBuildDevicePanelId@20 ; _CmBuildDevicePanelId(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	edx, [ebp+var_4C]
		lea	eax, [ebp+var_51]
		push	ecx
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		push	ecx
		mov	ecx, ebx
		call	__CmCreateDevicePanel@24 ; _CmCreateDevicePanel(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	eax, [ebp+var_60]
		xor	ecx, ecx
		mov	edx, [ebp+var_4C]
		push	ecx
		push	4
		movzx	eax, word ptr [eax+4]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	offset _DEVPKEY_DevicePanel_Width
		push	ecx
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	eax, [ebp+var_60]
		xor	ecx, ecx
		mov	edx, [ebp+var_4C]
		push	ecx
		push	4
		movzx	eax, word ptr [eax+6]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	(offset	loc_427DB4+4)
		push	ecx
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	eax, [ebp+var_60]
		mov	edx, [eax]
		test	dl, dl
		js	short loc_8E153E
		movzx	ecx, byte ptr [eax+3]
		mov	eax, edx
		or	ecx, 0FFFFFF00h
		shr	eax, 10h
		shl	ecx, 8
		movzx	eax, al
		or	ecx, eax
		shr	edx, 8
		shl	ecx, 8
		movzx	eax, dl
		mov	edx, [ebp+var_4C]
		or	ecx, eax
		mov	[ebp+var_44], ecx
		lea	eax, [ebp+var_44]
		xor	ecx, ecx
		push	ecx
		push	4
		push	eax
		push	7
		push	(offset	loc_427D53+1)
		push	ecx
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		jmp	short loc_8E155F
; 

loc_8E153E:				; CODE XREF: _CmUpdateDevicePanel+6E4EFj
		cmp	byte ptr [ebp+var_51], 0
		jnz	short loc_8E155F
		mov	edx, [ebp+var_4C]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427D53+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_8E155F:				; CODE XREF: _CmUpdateDevicePanel+6E540j
					; _CmUpdateDevicePanel+6E546j
		mov	eax, [ebp+var_68]
		test	eax, eax
		jnz	short loc_8E156E
		push	10h
		pop	esi
		mov	[ebp+var_80], esi
		jmp	short loc_8E1571
; 

loc_8E156E:				; CODE XREF: _CmUpdateDevicePanel+6E568j
		mov	esi, [ebp+var_80]

loc_8E1571:				; CODE XREF: _CmUpdateDevicePanel+6E570j
		xor	edx, edx

loc_8E1573:				; CODE XREF: _CmUpdateDevicePanel+6E5DEj
		test	eax, eax
		jnz	short loc_8E1591
		push	52504E50h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_68], eax
		test	eax, eax
		jz	loc_8E1CE5
		xor	edx, edx

loc_8E1591:				; CODE XREF: _CmUpdateDevicePanel+6E579j
		push	edx
		lea	ecx, [ebp+var_70]
		push	ecx
		push	esi
		push	eax
		lea	eax, [ebp+var_74]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		push	edx
		push	[ebp+var_51+1]
		mov	edx, edi
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_8E15E1
		mov	eax, [ebp+var_80]
		cmp	[ebp+var_70], eax
		jbe	short loc_8E15DC
		xor	eax, eax
		push	eax
		mov	eax, [ebp+var_68]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_70]
		xor	edx, edx
		mov	eax, edx
		mov	[ebp+var_80], esi
		mov	[ebp+var_68], eax
		jmp	short loc_8E1573
; 

loc_8E15DC:				; CODE XREF: _CmUpdateDevicePanel+6E5C3j
		mov	esi, 0C0000001h

loc_8E15E1:				; CODE XREF: _CmUpdateDevicePanel+6E5BBj
		cmp	esi, 0C0000225h
		jz	short loc_8E1605
		test	esi, esi
		js	loc_873237
		cmp	[ebp+var_74], 1003h
		jnz	short loc_8E1605
		cmp	[ebp+var_70], 10h
		jb	short loc_8E1605
		mov	eax, [ebp+var_68]
		jmp	short loc_8E160B
; 

loc_8E1605:				; CODE XREF: _CmUpdateDevicePanel+6E5EBj
					; _CmUpdateDevicePanel+6E5FCj ...
		mov	eax, [ebp+var_68]
		and	dword ptr [eax], 0FFFFFFE0h

loc_8E160B:				; CODE XREF: _CmUpdateDevicePanel+6E607j
		mov	ecx, [eax]
		mov	eax, ecx
		and	al, 1Fh
		cmp	al, 1
		jb	loc_8E1AF9
		shr	ecx, 5
		xor	edx, edx
		and	ecx, 0Fh
		mov	eax, edx
		cmp	ecx, 5
		jnb	short loc_8E162F
		mov	eax, ds:dword_40F948[ecx*4]

loc_8E162F:				; CODE XREF: _CmUpdateDevicePanel+6E62Aj
		push	edx
		push	4
		mov	[ebp+var_44], eax
		mov	ecx, ebx
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	offset _DEVPKEY_DevicePanel_JointType
		push	edx
		push	[ebp+var_48]
		mov	edx, [ebp+var_4C]
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	eax, [ebp+var_68]
		xor	edx, edx
		mov	ecx, edx
		mov	eax, [eax]
		shr	eax, 9
		and	eax, 7
		cmp	eax, 5
		jnb	short loc_8E1675
		mov	ecx, ds:dword_40F908[eax*4]

loc_8E1675:				; CODE XREF: _CmUpdateDevicePanel+6E670j
		push	edx
		push	4
		lea	eax, [ebp+var_44]
		mov	[ebp+var_44], ecx
		push	eax
		push	7
		push	(offset	loc_427D03+1)
		push	edx
		push	[ebp+var_48]
		mov	edx, [ebp+var_4C]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	esi, [ebp+var_84]
		test	esi, esi
		jnz	short loc_8E16C8
		push	52504E50h
		push	72h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_84], esi
		test	esi, esi
		jz	loc_8E1CE5

loc_8E16C8:				; CODE XREF: _CmUpdateDevicePanel+6E6ACj
		mov	eax, [ebp+var_68]
		xor	edx, edx
		mov	ecx, [eax]
		shr	ecx, 14h
		and	ecx, 7
		cmp	ecx, 7
		jnb	short loc_8E16E1
		mov	edx, ds:dword_40F8EC[ecx*4]

loc_8E16E1:				; CODE XREF: _CmUpdateDevicePanel+6E6DCj
		push	ecx		; int
		mov	[ebp+var_44], edx
		lea	ecx, [ebp+var_18] ; int
		mov	eax, [eax]
		push	esi		; int
		shr	eax, 0Ch
		push	edx		; int
		movzx	edx, al		; int
		call	__CmBuildDevicePanelId@20 ; _CmBuildDevicePanelId(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	esi, [ebp+var_84]
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_8E170C:				; CODE XREF: _CmUpdateDevicePanel+6E71Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_A4]
		jnz	short loc_8E170C
		sub	ecx, edx
		xor	edx, edx
		push	edx
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		mov	ecx, ebx
		push	eax
		push	esi
		push	12h
		push	(offset	loc_427D17+1)
		push	edx
		push	[ebp+var_48]
		mov	edx, [ebp+var_4C]
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	eax, [ebp+var_68]
		xor	edx, edx
		mov	ecx, edx
		mov	eax, [eax]
		shr	eax, 17h
		and	eax, 7
		cmp	eax, 5
		jnb	short loc_8E1767
		mov	ecx, ds:dword_40F908[eax*4]

loc_8E1767:				; CODE XREF: _CmUpdateDevicePanel+6E762j
		push	edx
		push	4
		lea	eax, [ebp+var_44]
		mov	[ebp+var_44], ecx
		push	eax
		push	7
		push	(offset	loc_427D2B+1)
		push	edx
		push	[ebp+var_48]
		mov	edx, [ebp+var_4C]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	eax, [ebp+var_60]
		mov	edx, 0FFFFh
		movzx	ecx, word ptr [eax+12h]
		cmp	cx, dx
		jz	short loc_8E1819
		movzx	eax, word ptr [eax+10h]
		cmp	eax, edx
		jz	short loc_8E1819
		mov	edx, [ebp+var_4C]
		mov	eax, ecx
		xor	ecx, ecx
		mov	[ebp+var_44], eax
		push	ecx
		push	4
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	(offset	loc_427D3F+1)
		push	ecx
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	eax, [ebp+var_60]
		xor	ecx, ecx
		mov	edx, [ebp+var_4C]
		push	ecx
		push	4
		movzx	eax, word ptr [eax+10h]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	(offset	loc_427CB3+1)
		push	ecx
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		cmp	byte ptr [ebp+var_51], 0
		jnz	short loc_8E1870
		mov	edx, [ebp+var_4C]
		jmp	short loc_8E1858
; 

loc_8E1819:				; CODE XREF: _CmUpdateDevicePanel+6E7A5j
					; _CmUpdateDevicePanel+6E7ADj
		cmp	byte ptr [ebp+var_51], 0
		jnz	short loc_8E1870
		mov	esi, [ebp+var_4C]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427D3F+1)
		push	eax
		push	[ebp+var_48]
		mov	edx, esi
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427CB3+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	edx, esi

loc_8E1858:				; CODE XREF: _CmUpdateDevicePanel+6E81Bj
		xor	eax, eax
		mov	ecx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427CC7+1)
		push	eax
		push	[ebp+var_48]
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_8E1870:				; CODE XREF: _CmUpdateDevicePanel+6E816j
					; _CmUpdateDevicePanel+6E821j
		mov	eax, [ebp+var_68]
		xor	ecx, ecx
		mov	edx, [ebp+var_4C]
		push	ecx
		push	4
		movzx	eax, word ptr [eax+8]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	(offset	loc_427CDB+1)
		push	ecx
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	eax, [ebp+var_68]
		xor	ecx, ecx
		mov	edx, [ebp+var_4C]
		push	ecx
		push	4
		movzx	eax, word ptr [eax+0Ah]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	(offset	loc_427CEF+1)
		push	ecx
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	eax, [ebp+var_68]
		xor	ecx, ecx
		mov	edx, [ebp+var_4C]
		push	ecx
		push	4
		movzx	eax, word ptr [eax+0Ch]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	(offset	loc_427C63+1)
		push	ecx
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	eax, [ebp+var_68]
		xor	edx, edx
		mov	ecx, 168h
		movzx	eax, word ptr [eax+0Eh]
		and	eax, 1FFh
		div	ecx
		xor	ecx, ecx
		lea	eax, [ebp+var_44]
		push	ecx
		push	4
		push	eax
		push	7
		push	(offset	loc_427C9F+1)
		push	ecx
		push	[ebp+var_48]
		mov	[ebp+var_44], edx
		mov	ecx, ebx
		mov	edx, [ebp+var_4C]
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	eax, [ebp+var_68]
		xor	ecx, ecx
		mov	edx, [ebp+var_4C]
		push	ecx
		push	4
		mov	eax, [eax]
		shr	eax, 1Fh
		mov	eax, ds:dword_40F940[eax*4]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	7
		push	(offset	loc_427C13+1)
		push	ecx
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_873237
		mov	eax, [ebp+var_68]
		mov	eax, [eax]
		and	eax, 1E0h
		jbe	loc_8E1AE7
		cmp	eax, 80h
		ja	loc_8E1AE7
		mov	esi, [ebp+var_4C]
		lea	eax, [ebp+var_44]
		xor	ecx, ecx
		mov	edx, esi
		push	ecx
		push	4
		push	eax
		push	7
		push	(offset	loc_427C27+1)
		push	ecx
		push	[ebp+var_48]
		mov	[ebp+var_44], ecx
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_8E1CDA
		mov	eax, [ebp+var_68]
		movzx	ecx, word ptr [eax+4]
		movzx	edx, word ptr [eax+6]
		mov	eax, [eax]
		and	eax, 1E0h
		mov	[ebp+var_90], ecx
		cmp	eax, 20h
		jz	short loc_8E1A0A
		mov	eax, edx
		mov	ecx, 168h
		xor	edx, edx
		div	ecx
		mov	eax, [ebp+var_90]
		mov	ecx, edx
		xor	edx, edx
		div	[ebp+var_8C]

loc_8E1A0A:				; CODE XREF: _CmUpdateDevicePanel+6E9F1j
		add	ecx, edx
		lea	eax, [ebp+var_94]
		mov	[ebp+var_94], ecx
		mov	edx, esi
		xor	ecx, ecx
		push	ecx
		push	4
		push	eax
		push	7
		push	(offset	loc_427C3B+1)
		push	ecx
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_8E1CDA
		mov	eax, [ebp+var_68]
		movzx	edx, word ptr [eax+6]
		mov	eax, [eax]
		and	eax, 1E0h
		cmp	eax, 20h
		jz	short loc_8E1A5A
		mov	eax, edx
		mov	ecx, 168h
		xor	edx, edx
		div	ecx

loc_8E1A5A:				; CODE XREF: _CmUpdateDevicePanel+6EA51j
		xor	ecx, ecx
		mov	[ebp+var_98], edx
		push	ecx
		push	4
		lea	eax, [ebp+var_98]
		mov	edx, esi
		push	eax
		push	7
		push	(offset	loc_427C4F+1)
		push	ecx
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_8E1CDA
		xor	ecx, ecx
		lea	eax, [ebp+var_70]
		push	ecx
		push	eax
		push	4
		lea	eax, [ebp+var_44]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		push	offset _DEVPKEY_DevicePanel_JointMovementPosition
		push	ecx
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8E1ACE
		cmp	[ebp+var_74], 7
		jnz	short loc_8E1ACE
		cmp	[ebp+var_70], 4
		jnz	short loc_8E1ACE
		mov	eax, [ebp+var_44]
		cmp	eax, [ebp+var_94]
		jbe	loc_8E1CDA

loc_8E1ACE:				; CODE XREF: _CmUpdateDevicePanel+6EAB5j
					; _CmUpdateDevicePanel+6EABBj ...
		xor	ecx, ecx
		lea	eax, [ebp+var_98]
		push	ecx
		push	4
		push	eax
		push	7
		push	offset _DEVPKEY_DevicePanel_JointMovementPosition
		push	ecx
		jmp	loc_8E1CCC
; 

loc_8E1AE7:				; CODE XREF: _CmUpdateDevicePanel+6E998j
					; _CmUpdateDevicePanel+6E9A3j
		cmp	byte ptr [ebp+var_51], 0
		jnz	loc_8E1CDA
		mov	esi, [ebp+var_4C]
		jmp	loc_8E1C72
; 

loc_8E1AF9:				; CODE XREF: _CmUpdateDevicePanel+6E617j
		cmp	byte ptr [ebp+var_51], 0
		jnz	loc_8E1CDA
		mov	esi, [ebp+var_4C]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_DevicePanel_JointType
		push	eax
		push	[ebp+var_48]
		mov	edx, esi
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427D03+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427D17+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427D2B+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427D3F+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427CB3+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427CC7+1)
		push	eax
		push	[ebp+var_48]
		push	6
		mov	edx, esi
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427CDB+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427CEF+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427C63+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427C77+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427C8B+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427C9F+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427C13+1)
		push	eax
		push	[ebp+var_48]
		mov	edx, esi
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_8E1C72:				; CODE XREF: _CmUpdateDevicePanel+6EAF8j
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427C27+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427C3B+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_427C4F+1)
		push	eax
		push	[ebp+var_48]
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_DevicePanel_JointMovementPosition
		push	eax

loc_8E1CCC:				; CODE XREF: _CmUpdateDevicePanel+6EAE6j
		push	[ebp+var_48]
		mov	edx, esi
		mov	ecx, ebx
		push	6
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_8E1CDA:				; CODE XREF: _CmUpdateDevicePanel+6E9D0j
					; _CmUpdateDevicePanel+6EA3Aj ...
		inc	[ebp+var_1C]
		inc	[ebp+var_30]
		jmp	loc_8731FA
; 

loc_8E1CE5:				; CODE XREF: _CmUpdateDevicePanel+6E43Fj
					; _CmUpdateDevicePanel+6E58Dj ...
		mov	esi, 0C0000017h
		jmp	loc_873237
; END OF FUNCTION CHUNK	FOR _CmUpdateDevicePanel
; 
; START	OF FUNCTION CHUNK FOR _CmQueryDevicePanelPldProperty

loc_8E1CEF:				; CODE XREF: _CmQueryDevicePanelPldProperty+6Dj
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		jmp	loc_873339
; 

loc_8E1CFF:				; CODE XREF: _CmQueryDevicePanelPldProperty+86j
		mov	ecx, 0C0000017h
		jmp	loc_87331B
; 

loc_8E1D09:				; CODE XREF: _CmQueryDevicePanelPldProperty+C5j
		mov	eax, [ebp+arg_18]
		mov	[ebx], esi
		mov	[eax], edx
		jmp	loc_87331F
; END OF FUNCTION CHUNK	FOR _CmQueryDevicePanelPldProperty
; 
; START	OF FUNCTION CHUNK FOR PiDcUpdateDeviceContainerMembership

loc_8E1D15:				; CODE XREF: PiDcUpdateDeviceContainerMembership+9Dj
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_A8]
		push	eax
		lea	eax, [ebp+var_58]
		mov	edx, edi
		push	eax
		call	_CmGetDeviceContainerIdFromBase
		mov	esi, eax
		test	esi, esi
		js	loc_8734F8
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_58]
		push	edi
		push	eax
		lea	edx, [ebp+var_A8]
		call	__CmRemoveDeviceFromContainer@20 ; _CmRemoveDeviceFromContainer(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8734F8
		lea	edx, [ebp+var_A8]
		mov	ecx, edi
		call	_PiDcResetChildDeviceContainers@8 ; PiDcResetChildDeviceContainers(x,x)
		jmp	loc_87345F
; 

loc_8E1D6B:				; CODE XREF: PiDcUpdateDeviceContainerMembership+148j
		lea	ecx, [ebp+var_F9+1]
		call	_PiDcContainerRequiresConfiguration@4 ;	PiDcContainerRequiresConfiguration(x)
		jmp	loc_8734F8
; END OF FUNCTION CHUNK	FOR PiDcUpdateDeviceContainerMembership
; 
; START	OF FUNCTION CHUNK FOR _CmAddDeviceToContainer

loc_8E1D7B:				; CODE XREF: _CmAddDeviceToContainer+62j
		xor	ebx, ebx
		jmp	loc_87358D
; 

loc_8E1D82:				; CODE XREF: _CmAddDeviceToContainer+B5j
		mov	edx, [ebp+var_34]
		mov	ecx, edi
		push	5
		call	__PnpObjectRaiseDevicesChangeEvent@12 ;	_PnpObjectRaiseDevicesChangeEvent(x,x,x)
		jmp	loc_8735D5
; END OF FUNCTION CHUNK	FOR _CmAddDeviceToContainer
; 
; START	OF FUNCTION CHUNK FOR _CmAddDeviceToContainerWorker

loc_8E1D93:				; CODE XREF: _CmAddDeviceToContainerWorker+48j
		xor	ecx, ecx
		jmp	loc_873655
; 

loc_8E1D9A:				; CODE XREF: _CmAddDeviceToContainerWorker+79j
		xor	ecx, ecx
		jmp	loc_873686
; 

loc_8E1DA1:				; CODE XREF: _CmAddDeviceToContainerWorker+AAj
					; _CmAddDeviceToContainerWorker+118j
		test	esi, esi

loc_8E1DA3:				; CODE XREF: _CmAddDeviceToContainerWorker+DAj
		js	short loc_8E1DD6
		cmp	byte ptr [ebx],	0
		jnz	short loc_8E1DD6
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_8]
		push	0
		push	0
		push	0
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8E1DD6
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	offset _DEVPKEY_Device_ContainerId
		push	0
		push	0
		push	1
		call	_PnpObjectRaisePropertyChangeEvent

loc_8E1DD6:				; CODE XREF: _CmAddDeviceToContainerWorker+40j
					; _CmAddDeviceToContainerWorker+71j ...
		cmp	esi, 0C000017Ch
		jnz	short loc_8E1DE3
		mov	esi, 0C0000034h

loc_8E1DE3:				; CODE XREF: _CmAddDeviceToContainerWorker+6E7D8j
		test	esi, esi
		jns	loc_8736E7
		cmp	[ebp+var_14], 1
		jnz	short loc_8E1E0E
		test	edi, edi
		jz	short loc_8E1E02
		mov	eax, [edi+74h]
		test	eax, eax
		jz	short loc_8E1E02
		mov	ecx, [eax+4]
		push	ecx
		jmp	short loc_8E1E04
; 

loc_8E1E02:				; CODE XREF: _CmAddDeviceToContainerWorker+6E7EFj
					; _CmAddDeviceToContainerWorker+6E7F6j
		push	0

loc_8E1E04:				; CODE XREF: _CmAddDeviceToContainerWorker+6E7FCj
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)

loc_8E1E0E:				; CODE XREF: _CmAddDeviceToContainerWorker+6E7EBj
		cmp	[ebp+var_18], 1
		jnz	short loc_8E1E31
		test	edi, edi
		jz	short loc_8E1E25
		mov	eax, [edi+74h]
		test	eax, eax
		jz	short loc_8E1E25
		mov	ecx, [eax+4]
		push	ecx
		jmp	short loc_8E1E27
; 

loc_8E1E25:				; CODE XREF: _CmAddDeviceToContainerWorker+6E812j
					; _CmAddDeviceToContainerWorker+6E819j
		push	0

loc_8E1E27:				; CODE XREF: _CmAddDeviceToContainerWorker+6E81Fj
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)

loc_8E1E31:				; CODE XREF: _CmAddDeviceToContainerWorker+6E80Ej
		cmp	byte ptr [ebp+var_1], 1
		jnz	loc_8736E7
		mov	edx, [ebp+var_1C]
		push	ecx
		mov	ecx, edi
		call	__CmDeleteDeviceContainer@12 ; _CmDeleteDeviceContainer(x,x,x)
		jmp	loc_8736E7
; END OF FUNCTION CHUNK	FOR _CmAddDeviceToContainerWorker
; 
; START	OF FUNCTION CHUNK FOR _CmCreateDeviceContainer

loc_8E1E4B:				; CODE XREF: _CmCreateDeviceContainer+60j
		xor	edi, edi
		jmp	loc_87379B
; 

loc_8E1E52:				; CODE XREF: _CmCreateDeviceContainer+73j
		mov	esi, 0C00000E5h

loc_8E1E57:				; CODE XREF: _CmCreateDeviceContainer+C0j
					; _CmCreateDeviceContainer+C8j
		cmp	[ebp+var_24], 0
		jz	loc_8737F5
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8737F5
; END OF FUNCTION CHUNK	FOR _CmCreateDeviceContainer
; 
; START	OF FUNCTION CHUNK FOR _CmCreateDeviceContainerWorker

loc_8E1E6E:				; CODE XREF: _CmCreateDeviceContainerWorker+40j
		mov	eax, [ebp+arg_4]
		mov	edx, edi
		mov	ecx, ebx
		push	dword ptr [eax]
		push	5
		call	__CmRaiseCreateEvent@16	; _CmRaiseCreateEvent(x,x,x,x)
		jmp	loc_87386A
; END OF FUNCTION CHUNK	FOR _CmCreateDeviceContainerWorker

;  S U B	R O U T	I N E 


sub_8E1E83	proc near		; CODE XREF: PiProcessNewDeviceNode+B2j
		push	ebx
		push	ecx
		mov	edx, offset _KMPnPEvt_ProcessNewDevice_Start
		call	_McTemplateK0p_EtwWriteTransfer@16 ; McTemplateK0p_EtwWriteTransfer(x,x,x,x)
		jmp	loc_8739B6
sub_8E1E83	endp

; 
; START	OF FUNCTION CHUNK FOR PiProcessNewDeviceNode

loc_8E1E94:				; CODE XREF: PiProcessNewDeviceNode+13Dj
		mov	[ebp+var_88], 0C0000001h
		cmp	eax, 0C0040038h
		jz	loc_873A41
		mov	[ebp+var_88], eax
		jmp	loc_873A41
; 

loc_8E1EB4:				; CODE XREF: PiProcessNewDeviceNode+17Dj
		cmp	dword ptr [ebx+174h], 4
		jnz	short loc_8E1EC7
		mov	ecx, ebx
		call	_PpProfileCancelTransitioningDock@8 ; PpProfileCancelTransitioningDock(x,x)
		xor	edx, edx
		inc	edx

loc_8E1EC7:				; CODE XREF: PiProcessNewDeviceNode+6E5BDj
		mov	eax, edx
		xor	ecx, ecx
		jmp	loc_873A83
; 

loc_8E1ED0:				; CODE XREF: PiProcessNewDeviceNode+1C3j
		mov	eax, [ebp+var_F4]
		test	eax, eax
		jz	loc_873AC7
		xor	ecx, ecx
		inc	ecx
		cmp	word ptr [ebp+var_104+2], cx
		jnz	loc_873AC7
		lea	ecx, [ebp+var_D8]
		push	ecx
		push	[ebp+var_100]
		call	eax
		mov	eax, [ebp+var_F8]
		test	eax, eax
		jz	loc_873AC7
		push	[ebp+var_100]
		call	eax
		jmp	loc_873AC7
; 

loc_8E1F18:				; CODE XREF: PiProcessNewDeviceNode+218j
		cmp	dword ptr [ebx+114h], 9
		jz	loc_87432F
		jmp	loc_873B1C
; 

loc_8E1F2A:				; CODE XREF: PiProcessNewDeviceNode+A2Bj
		push	eax
		push	9
		pop	edx
		mov	ecx, ebx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		mov	ecx, [ebx+8]
		mov	edx, 200000h
		call	PipSetDevNodeFlags
		mov	ecx, [ebx+8]
		add	ecx, 14h
		call	_PnpSetInvalidIDEvent@4	; PnpSetInvalidIDEvent(x)
		jmp	loc_87432F
; 

loc_8E1F52:				; CODE XREF: PiProcessNewDeviceNode+25Bj
		test	dword ptr [ebx+10Ch], 2000h
		mov	[ebp+var_88], esi
		jz	short loc_8E1F71
		cmp	dword ptr [ebx+114h], 9
		jz	loc_873B5F

loc_8E1F71:				; CODE XREF: PiProcessNewDeviceNode+6E664j
		mov	ecx, ebx
		cmp	esi, 0C000009Ah
		jnz	short loc_8E1F80
		push	esi
		push	3
		jmp	short loc_8E1F83
; 

loc_8E1F80:				; CODE XREF: PiProcessNewDeviceNode+6E67Bj
		push	esi
		push	13h

loc_8E1F83:				; CODE XREF: PiProcessNewDeviceNode+6E680j
		pop	edx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		mov	eax, [ebp+var_68]
		jmp	loc_873B5F
; 

loc_8E1F91:				; CODE XREF: PiProcessNewDeviceNode+286j
		push	dword ptr [ebx+18h]
		push	ebx
		push	ecx
		call	_McTemplateK0pz_EtwWriteTransfer@20 ; McTemplateK0pz_EtwWriteTransfer(x,x,x,x,x)
		jmp	loc_873B8A
; 

loc_8E1FA0:				; CODE XREF: PiProcessNewDeviceNode+2ADj
		push	esi
		push	13h
		pop	edx
		mov	ecx, ebx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_873BC3
; 

loc_8E1FB0:				; CODE XREF: PiProcessNewDeviceNode+279j
					; PiProcessNewDeviceNode+2D3j
		mov	[ebp+var_88], esi
		jmp	loc_873BD7
; 

loc_8E1FBB:				; CODE XREF: PiProcessNewDeviceNode+308j
		mov	eax, [ebx+114h]
		cmp	eax, 9
		jz	loc_873C3F
		cmp	eax, 3
		jz	loc_873C3F
		cmp	eax, 13h
		jz	loc_873C3F
		jmp	loc_873C0C
; 

loc_8E1FE1:				; CODE XREF: PiProcessNewDeviceNode+32Bj
		cmp	esi, [ebp+var_94]
		jz	loc_8E2282
		cmp	[ebp+var_5B], 0
		jz	loc_8E2091
		push	edi
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_44], 0FFFFFFBFh
		xor	eax, eax
		push	eax
		mov	edi, eax
		mov	[ebp+var_5B], al
		push	2Ah
		pop	edx
		mov	ecx, ebx
		mov	[ebp+var_90], edi
		mov	[ebp+var_A4], edi
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		mov	edx, [ebp+var_68]
		mov	ecx, [ebp+var_9C]
		call	_PnpLogDuplicateDevice@8 ; PnpLogDuplicateDevice(x,x)
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	eax, [eax+8]
		cmp	eax, [ebx+8]
		jnz	short loc_8E2056
		mov	eax, [ebp+var_94]
		xor	ecx, ecx
		push	esi
		push	eax
		mov	edx, [eax+8]
		mov	edx, [edx+0A4h]
		call	@PpvUtilFailDriver@16 ;	PpvUtilFailDriver(x,x,x,x)

loc_8E2056:				; CODE XREF: PiProcessNewDeviceNode+6E73Ej
		mov	edx, 65706E50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	ecx, [ebx+8]
		lea	eax, [ebp+var_78]
		mov	edx, [ebp+var_68]
		push	eax
		mov	ecx, [ecx+10h]
		call	PipMakeGloballyUniqueId
		mov	esi, eax
		mov	eax, [ebp+var_68]
		test	eax, eax
		jz	short loc_8E2086
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E2086:				; CODE XREF: PiProcessNewDeviceNode+6E77Dj
		mov	eax, [ebp+var_78]
		mov	[ebp+var_68], eax
		jmp	loc_873B57
; 

loc_8E2091:				; CODE XREF: PiProcessNewDeviceNode+6E6F3j
		mov	ebx, [ebp+var_94]
		xor	ecx, ecx
		push	esi
		push	ebx
		mov	edx, [ebx+8]
		mov	edx, [edx+0A4h]
		call	@PpvUtilFailDriver@16 ;	PpvUtilFailDriver(x,x,x,x)
		movzx	edx, word ptr [ebx+2]
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		test	ecx, ecx
		jz	short loc_8E20E8
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		xor	eax, eax
		add	ecx, 1Ch
		cmp	[ecx], ax
		jz	short loc_8E20E8
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_8E20E8:				; CODE XREF: PiProcessNewDeviceNode+6E7BBj
					; PiProcessNewDeviceNode+6E7D1j
		mov	eax, [ebx+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_8E218D
		mov	edx, 1F4h
		lea	edi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		xor	edx, edx
		cmp	[edi], dx
		jz	short loc_8E2124
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock
		xor	edx, edx

loc_8E2124:				; CODE XREF: PiProcessNewDeviceNode+6E80Dj
		mov	ecx, [ebx+0B0h]
		mov	eax, [ecx+14h]
		cmp	[eax+1Ch], dx
		jz	short loc_8E215B
		push	2
		pop	edx
		lea	ecx, [eax+1Ch]
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebx+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+0B0h]
		xor	edx, edx

loc_8E215B:				; CODE XREF: PiProcessNewDeviceNode+6E833j
		mov	eax, [ecx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_8E218D
		lea	ecx, [eax+1Ch]
		cmp	[ecx], dx
		jz	short loc_8E218D
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebx+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_8E218D:				; CODE XREF: PiProcessNewDeviceNode+6E7F5j
					; PiProcessNewDeviceNode+6E865j ...
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_8E21CC
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		xor	eax, eax
		add	ecx, 1Ch
		cmp	[ecx], ax
		jz	short loc_8E21CC
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_8E21CC:				; CODE XREF: PiProcessNewDeviceNode+6E89Fj
					; PiProcessNewDeviceNode+6E8B5j
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_8E2271
		mov	edx, 1F4h
		lea	edi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		xor	edx, edx
		cmp	[edi], dx
		jz	short loc_8E2208
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock
		xor	edx, edx

loc_8E2208:				; CODE XREF: PiProcessNewDeviceNode+6E8F1j
		mov	ecx, [esi+0B0h]
		mov	eax, [ecx+14h]
		cmp	[eax+1Ch], dx
		jz	short loc_8E223F
		push	2
		pop	edx
		lea	ecx, [eax+1Ch]
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+0B0h]
		xor	edx, edx

loc_8E223F:				; CODE XREF: PiProcessNewDeviceNode+6E917j
		mov	eax, [ecx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_8E2271
		lea	ecx, [eax+1Ch]
		cmp	[ecx], dx
		jz	short loc_8E2271
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_8E2271:				; CODE XREF: PiProcessNewDeviceNode+6E8D9j
					; PiProcessNewDeviceNode+6E949j ...
		xor	eax, eax
		push	eax
		push	esi
		push	ebx
		inc	eax
		push	eax
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8E2282:				; CODE XREF: PiProcessNewDeviceNode+6E6E9j
		mov	edx, 65706E50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	loc_873C2F
; 

loc_8E2293:				; CODE XREF: PiProcessNewDeviceNode+314j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	eax, eax
		inc	eax
		push	eax
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceSharedLite
		test	edi, edi
		jz	short loc_8E22E6
		test	esi, esi
		jz	short loc_8E22E6
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_8E22B3:				; CODE XREF: PiProcessNewDeviceNode+6E9C2j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_A8]
		jnz	short loc_8E22B3
		push	[ebp+var_7C]
		sub	ecx, edx
		mov	edx, [ebx+18h]
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	esi
		xor	eax, eax
		inc	eax
		push	eax
		push	eax
		push	edi
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)

loc_8E22E6:				; CODE XREF: PiProcessNewDeviceNode+6E9AAj
					; PiProcessNewDeviceNode+6E9AEj
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_873C2F
; 

loc_8E22FA:				; CODE XREF: PiProcessNewDeviceNode+33Bj
		cmp	dword ptr [ebx+114h], 2Ah
		jnz	loc_873C3F
		mov	ecx, ebx
		call	PipClearDevNodeProblem
		jmp	loc_873C3F
; 

loc_8E2313:				; CODE XREF: PiProcessNewDeviceNode+343j
		mov	esi, [ebp+var_7C]
		jmp	loc_873CEB
; 

loc_8E231B:				; CODE XREF: PiProcessNewDeviceNode+3F4j
		test	dword ptr [ebx+10Ch], 2000h
		jz	short loc_8E2341
		mov	eax, [ebx+114h]
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jz	loc_873CF8
		cmp	eax, 0Eh
		jz	loc_873CF8

loc_8E2341:				; CODE XREF: PiProcessNewDeviceNode+6EA27j
		push	1Dh
		pop	edx
		mov	ecx, ebx
		call	_PnpDisableDevice@8 ; PnpDisableDevice(x,x)
		jmp	loc_873CF8
; 

loc_8E2350:				; CODE XREF: PiProcessNewDeviceNode+404j
		mov	eax, [ebx+114h]
		cmp	eax, 9
		jz	loc_873E0F
		cmp	eax, 3
		jz	loc_873E0F
		cmp	eax, 13h
		jz	loc_873E0F
		jmp	loc_873D08
; 

loc_8E2376:				; CODE XREF: PiProcessNewDeviceNode+45Aj
		mov	edx, [ebx+18h]
		lea	eax, [ebp+var_D8]
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	8
		push	eax
		push	9
		push	offset _DEVPKEY_Device_ExtendedAddress
		xor	eax, eax
		push	eax
		push	edi
		inc	eax
		push	eax
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		jmp	loc_873D5E
; 

loc_8E23A0:				; CODE XREF: PiProcessNewDeviceNode+4C1j
		xor	ecx, ecx
		inc	ecx
		push	12h
		pop	edx
		test	al, cl
		jnz	short loc_8E23AD
		mov	byte ptr [ebp+var_5A+1], cl

loc_8E23AD:				; CODE XREF: PiProcessNewDeviceNode+6EAAAj
					; PiProcessNewDeviceNode+6EAE4j
		xor	ecx, ecx

loc_8E23AF:				; CODE XREF: PiProcessNewDeviceNode+6EAF3j
		test	[ebp+var_44], 100h
		jz	short loc_8E23F3
		mov	edx, [ebx+18h]
		or	eax, 400h
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	4
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_60]
		push	eax
		push	4
		push	0Bh
		push	edi
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		jmp	loc_873DCD
; 

loc_8E23DF:				; CODE XREF: PiProcessNewDeviceNode+4C9j
		push	1Ch
		pop	edx
		jmp	short loc_8E23AD
; 

loc_8E23E4:				; CODE XREF: PiProcessNewDeviceNode+49Cj
					; PiProcessNewDeviceNode+4A9j ...
		xor	ecx, ecx
		xor	edx, edx
		mov	eax, ecx
		inc	edx
		mov	[ebp+var_60], eax
		mov	byte ptr [ebp+var_5A+1], dl
		jmp	short loc_8E23AF
; 

loc_8E23F3:				; CODE XREF: PiProcessNewDeviceNode+6EAB8j
		cmp	edx, 1Ch
		jnz	short loc_8E2408
		mov	ecx, [ebx+18h]
		mov	edx, edi
		call	_PiDevCfgGetFailedInstallProblemStatus@8 ; PiDevCfgGetFailedInstallProblemStatus(x,x)
		push	eax
		push	1Ch
		pop	edx
		jmp	short loc_8E2409
; 

loc_8E2408:				; CODE XREF: PiProcessNewDeviceNode+6EAF8j
		push	ecx

loc_8E2409:				; CODE XREF: PiProcessNewDeviceNode+6EB08j
		mov	ecx, ebx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_873DCD
; 

loc_8E2415:				; CODE XREF: PiProcessNewDeviceNode+4DCj
		mov	[ebp+var_88], eax
		jmp	loc_873DE0
; 

loc_8E2420:				; CODE XREF: PiProcessNewDeviceNode+AF1j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_69], al
		jmp	loc_873E00
; 

loc_8E242B:				; CODE XREF: PiProcessNewDeviceNode+B32j
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	esi, eax
		mov	[ebp+var_70], esi
		jmp	loc_873E78
; 

loc_8E2440:				; CODE XREF: PiProcessNewDeviceNode+5E4j
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_873EE8
; 

loc_8E244E:				; CODE XREF: PiProcessNewDeviceNode+5FBj
					; PiProcessNewDeviceNode+61Dj
		mov	edi, esi
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_90]
		jmp	loc_873F21
; 

loc_8E2461:				; CODE XREF: PiProcessNewDeviceNode+74Aj
					; PiProcessNewDeviceNode+754j
		cmp	byte ptr [ebp+var_5A+1], 0
		jnz	short loc_8E2490
		mov	ecx, [ebx+18h]
		lea	eax, [ebp+var_C4]
		push	eax
		mov	edx, edi
		call	_PpDevCfgCheckDeviceNeedsUpdate@12 ; PpDevCfgCheckDeviceNeedsUpdate(x,x,x)
		mov	edx, [ebp+var_60]
		test	eax, eax
		js	short loc_8E248C
		mov	eax, [ebp+var_C4]
		or	edx, eax
		mov	[ebp+var_60], edx
		jmp	short loc_8E2499
; 

loc_8E248C:				; CODE XREF: PiProcessNewDeviceNode+6EB7Fj
		xor	eax, eax
		jmp	short loc_8E2499
; 

loc_8E2490:				; CODE XREF: PiProcessNewDeviceNode+6EB67j
		mov	edx, [ebp+var_60]
		mov	eax, [ebp+var_A0]

loc_8E2499:				; CODE XREF: PiProcessNewDeviceNode+6EB8Cj
					; PiProcessNewDeviceNode+6EB90j
		test	al, 20h
		setz	cl
		bt	edx, 12h
		setnb	al
		test	cl, al
		jnz	short loc_8E24CF
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_60]
		push	esi
		push	4
		push	eax
		push	4
		and	edx, 0FFFBFFFFh
		push	0Bh
		mov	[ebp+var_60], edx
		mov	edx, [ebx+18h]
		push	edi
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	edx, [ebp+var_60]

loc_8E24CF:				; CODE XREF: PiProcessNewDeviceNode+6EBA9j
		test	dl, 20h
		jz	loc_874058
		xor	eax, eax
		mov	ecx, ebx
		inc	eax
		mov	byte ptr [ebp+var_5A+1], al
		xor	eax, eax
		push	eax
		push	12h
		pop	edx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_874058
; 

loc_8E24F0:				; CODE XREF: PiProcessNewDeviceNode+817j
		mov	[ebp+var_88], eax
		jmp	loc_87411B
; 

loc_8E24FB:				; CODE XREF: PiProcessNewDeviceNode+830j
		cmp	dword ptr [ebx+114h], 0Eh
		jz	loc_87414B
		jmp	loc_874134
; 

loc_8E250D:				; CODE XREF: PiProcessNewDeviceNode+83Aj
		mov	esi, [ebp+var_64]
		xor	ecx, ecx
		mov	eax, [ebp+var_B4]
		inc	ecx
		cmp	esi, ecx
		jnz	short loc_8E251F
		or	eax, ecx

loc_8E251F:				; CODE XREF: PiProcessNewDeviceNode+6EC1Dj
		push	eax
		mov	edx, edi
		mov	ecx, ebx
		call	_PpDevCfgProcessDevice@12 ; PpDevCfgProcessDevice(x,x,x)
		jmp	loc_87414E
; 

loc_8E252E:				; CODE XREF: PiProcessNewDeviceNode+861j
		mov	eax, [ebx+114h]
		cmp	eax, 16h
		jz	loc_874173
		cmp	eax, 1Dh
		jz	loc_874173
		cmp	eax, 0Eh
		jz	loc_874173
		cmp	eax, 9
		jz	loc_874173
		cmp	eax, 3
		jz	loc_874173
		cmp	eax, 13h
		jz	loc_874173
		jmp	loc_874165
; 

loc_8E256F:				; CODE XREF: PiProcessNewDeviceNode+8A5j
		mov	eax, [ebx+114h]
		cmp	eax, 9
		jz	loc_87420A
		cmp	eax, 3
		jz	loc_87420A
		cmp	eax, 13h
		jz	loc_87420A
		jmp	loc_8741A9
; 

loc_8E2595:				; CODE XREF: PiProcessNewDeviceNode+906j
		push	eax
		push	13h
		pop	edx
		mov	ecx, ebx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_87420A
; 

loc_8E25A5:				; CODE XREF: PiProcessNewDeviceNode+916j
		mov	eax, [ebx+114h]
		cmp	eax, 9
		jz	loc_87425E
		cmp	eax, 3
		jz	loc_87425E
		jmp	loc_87421A
; 

loc_8E25C2:				; CODE XREF: PiProcessNewDeviceNode+9F1j
		push	ebx
		xor	eax, eax
		mov	edx, offset _KMPnPEvt_ProcessNewDevice_Stop
		push	eax
		call	_McTemplateK0p_EtwWriteTransfer@16 ; McTemplateK0p_EtwWriteTransfer(x,x,x,x)
		jmp	loc_8742F5
; 

loc_8E25D5:				; CODE XREF: PiProcessNewDeviceNode+A05j
		mov	edx, esi
		mov	ecx, ebx
		call	_PnpTraceDockDeviceEnumeration@8 ; PnpTraceDockDeviceEnumeration(x,x)
		jmp	loc_874309
; END OF FUNCTION CHUNK	FOR PiProcessNewDeviceNode
; 
; START	OF FUNCTION CHUNK FOR PnpQueryID

loc_8E25E3:				; CODE XREF: PnpQueryID+57j
		mov	esi, 0C0040038h
		jmp	loc_8744A3
; 

loc_8E25ED:				; CODE XREF: PnpQueryID+92j
					; PnpQueryID+9Aj ...
		push	esi
		push	9
		pop	edx
		mov	ecx, ebx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		mov	ecx, [ebx+8]
		mov	edx, 200000h
		test	[ecx+10Ch], edx
		jnz	loc_8744EB
		call	PipSetDevNodeFlags
		mov	ecx, [ebx+8]
		add	ecx, 14h
		call	_PnpSetInvalidIDEvent@4	; PnpSetInvalidIDEvent(x)
		jmp	loc_8744EB
; 

loc_8E2621:				; CODE XREF: PnpQueryID+AFj
		cmp	esi, 0C000009Ah
		jz	loc_8744FB
		cmp	esi, 0C000000Eh
		jz	loc_8744FB
		mov	ecx, [ebx+8]
		lea	edx, [ebp+var_8]
		push	50h
		pop	eax
		push	4Eh
		mov	word ptr [ebp+var_8+2],	ax
		add	ecx, 1Ch
		pop	eax
		push	0		; size_t
		push	0		; void *
		push	esi		; int
		mov	word ptr [ebp+var_8], ax
		mov	[ebp+var_4], offset ??_C@_1FA@JJLOMFOH@?$AAf?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAI?$AAR?$AAP?$AA_?$AAM?$AAN?$AA_?$AAQ@NNGAKEGL@
		call	_PnpLogEvent@20	; PnpLogEvent(x,x,x,x,x)
		jmp	loc_8744FB
; 

loc_8E2666:				; CODE XREF: PnpQueryID+BEj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_4]
		and	dword ptr [ebx], 0
		and	dword ptr [eax], 0
		jmp	loc_8744A7
; END OF FUNCTION CHUNK	FOR PnpQueryID
; 
; START	OF FUNCTION CHUNK FOR PnpFixupID

loc_8E267C:				; CODE XREF: PnpFixupID+A0j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_8E26EA
		push	28h
		pop	eax
		push	26h
		mov	word ptr [ebp+var_C+2],	ax
		pop	eax
		mov	word ptr [ebp+var_C], ax
		lea	eax, [ebp+var_10]
		push	4
		mov	[ebp+var_8], offset ??_C@_1CI@GMEBAAHF@?$AAt?$AAo?$AAo?$AA?5?$AAm?$AAa?$AAn?$AAy?$AA?5?$AAs?$AAe?$AAp?$AAa?$AAr?$AAa@NNGAKEGL@
		push	eax
		jmp	short loc_8E26DD
; 

loc_8E26A0:				; CODE XREF: PnpFixupID+3Cj
					; PnpFixupID+45j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_8E26EA
		push	24h
		pop	eax
		push	22h
		mov	word ptr [ebp+var_C+2],	ax
		pop	eax
		push	2
		mov	[ebp+var_8], offset ??_C@_1CE@DJNCMLJD@?$AAi?$AAn?$AAv?$AAa?$AAl?$AAi?$AAd?$AA?5?$AAc?$AAh?$AAa?$AAr?$AAa?$AAc?$AAt@NNGAKEGL@
		push	esi
		jmp	short loc_8E26D9
; 

loc_8E26BD:				; CODE XREF: PnpFixupID+1Bj
					; PnpFixupID+5Cj ...
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_8E26EA
		push	72h
		pop	eax
		push	70h
		mov	word ptr [ebp+var_C+2],	ax
		pop	eax
		push	0		; size_t
		mov	[ebp+var_8], (offset loc_8B977F+1)
		push	0		; void *

loc_8E26D9:				; CODE XREF: PnpFixupID+6E149j
		mov	word ptr [ebp+var_C], ax

loc_8E26DD:				; CODE XREF: PnpFixupID+6E12Cj
		push	0C0040038h	; int
		lea	edx, [ebp+var_C]
		call	_PnpLogEvent@20	; PnpLogEvent(x,x,x,x,x)

loc_8E26EA:				; CODE XREF: PnpFixupID+6E10Fj
					; PnpFixupID+6E133j ...
		xor	eax, eax
		jmp	loc_8745EA
; END OF FUNCTION CHUNK	FOR PnpFixupID
; 
; START	OF FUNCTION CHUNK FOR PnpCheckDeviceIdsChanged

loc_8E26F1:				; CODE XREF: PnpCheckDeviceIdsChanged+33j
		push	edx
		lea	eax, [ebp+var_C]
		push	eax
		push	edx
		push	0F003Fh
		push	edx
		mov	edx, [ecx+18h]
		mov	ecx, _PiPnpRtlCtx
		push	10h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_8747AB
		mov	esi, [ebp+var_C]
		mov	[ebp+var_14], esi
		jmp	loc_874659
; 

loc_8E2722:				; CODE XREF: PnpCheckDeviceIdsChanged+55j
					; PnpCheckDeviceIdsChanged+1D9j
		mov	esi, 0C000009Ah
		jmp	loc_8747AB
; 

loc_8E272C:				; CODE XREF: PnpCheckDeviceIdsChanged+118j
					; PnpCheckDeviceIdsChanged+130j
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		mov	byte ptr [eax],	1
		jmp	loc_874779
; 

loc_8E273A:				; CODE XREF: PnpCheckDeviceIdsChanged+171j
					; PnpCheckDeviceIdsChanged+17Cj
		mov	byte ptr [eax],	1
		mov	al, 1
		jmp	short loc_8E2744
; 

loc_8E2741:				; CODE XREF: PnpCheckDeviceIdsChanged+163j
		mov	al, byte ptr [ebp+arg_8+3]

loc_8E2744:				; CODE XREF: PnpCheckDeviceIdsChanged+6E11Fj
		test	al, al
		jz	loc_8747A2
		jmp	short loc_8E2757
; 

loc_8E274E:				; CODE XREF: PnpCheckDeviceIdsChanged+9Fj
					; PnpCheckDeviceIdsChanged+ABj
		mov	eax, [ebp+arg_C]
		mov	ebx, [ebp+var_4]
		mov	byte ptr [eax],	1

loc_8E2757:				; CODE XREF: PnpCheckDeviceIdsChanged+6E12Cj
		cmp	[ebp+var_8], 0
		mov	edx, ebx
		jbe	short loc_8E2793
		xor	edi, edi

loc_8E2761:				; CODE XREF: PnpCheckDeviceIdsChanged+6E16Ej
		cmp	[edx], di
		jz	short loc_8E2790
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[ebp+arg_8], eax

loc_8E276E:				; CODE XREF: PnpCheckDeviceIdsChanged+6E157j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_8E276E
		sub	ecx, [ebp+arg_8]
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2
		mov	eax, edx
		sub	eax, ebx
		and	eax, 0FFFFFFFEh
		cmp	eax, [ebp+var_8]
		jb	short loc_8E2761

loc_8E2790:				; CODE XREF: PnpCheckDeviceIdsChanged+6E144j
		mov	edi, [ebp+arg_0]

loc_8E2793:				; CODE XREF: PnpCheckDeviceIdsChanged+6E13Dj
		test	edi, edi
		jz	loc_8747A2
		jmp	short loc_8E27B8
; 

loc_8E279D:				; CODE XREF: PnpCheckDeviceIdsChanged+6E19Dj
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_8E27A2:				; CODE XREF: PnpCheckDeviceIdsChanged+6E18Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_1C]
		jnz	short loc_8E27A2
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2

loc_8E27B8:				; CODE XREF: PnpCheckDeviceIdsChanged+6E17Bj
		xor	eax, eax
		cmp	[edi], ax
		jnz	short loc_8E279D
		jmp	loc_8747A2
; 

loc_8E27C4:				; CODE XREF: PnpCheckDeviceIdsChanged+94j
		mov	esi, 0C0000001h
		jmp	loc_8747D5
; 

loc_8E27CE:				; CODE XREF: PnpCheckDeviceIdsChanged+1AFj
		mov	eax, [ebp+arg_C]
		mov	byte ptr [eax],	1

loc_8E27D4:				; CODE XREF: PnpCheckDeviceIdsChanged+6E1D7j
		cmp	[edx], bx
		jz	loc_8747D5
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_8E27E2:				; CODE XREF: PnpCheckDeviceIdsChanged+6E1CBj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_8E27E2
		sub	ecx, edi
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2
		jmp	short loc_8E27D4
; 

loc_8E27F9:				; CODE XREF: PnpCheckDeviceIdsChanged+18Fj
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8747B5
; END OF FUNCTION CHUNK	FOR PnpCheckDeviceIdsChanged
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceContainerIdFromBase

loc_8E2806:				; CODE XREF: _CmGetDeviceContainerIdFromBase+99j
					; _CmGetDeviceContainerIdFromBase+6DD28j
		mov	ecx, [ebp+var_60]
		lea	eax, [ebp+var_68]
		push	eax
		lea	eax, [ebp+var_5A+2]
		mov	[ebp+var_68], 27h
		push	eax
		mov	edx, edi
		call	_RegRtlEnumKey
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	short loc_8E28A7
		cmp	esi, 0C0000023h
		jz	short loc_8E28A1
		test	esi, esi
		js	loc_874BFE
		lea	edx, [ebp+var_5A+2]
		call	__CmValidateDeviceContainerName@8 ; _CmValidateDeviceContainerName(x,x)
		mov	esi, eax
		cmp	esi, 0C0000033h
		jz	short loc_8E28A1
		test	esi, esi
		js	loc_874BFE
		mov	edx, [ebp+var_60]
		lea	eax, [ebp+var_5A+1]
		mov	ecx, [ebp+var_6C]
		push	eax
		lea	eax, [ebp+var_5A]
		push	eax
		push	[ebp+var_64]
		lea	eax, [ebp+var_5A+2]
		push	ebx
		push	eax
		call	_CmIsDeviceInContainer
		mov	esi, eax
		test	esi, esi
		js	loc_874BFE
		cmp	byte ptr [ebp+var_5A], 0
		jz	short loc_8E288F
		mov	ecx, [ebp+var_70]
		lea	eax, [ebp+var_5A+2]
		push	eax
		push	27h
		pop	edx
		call	RtlStringCchCopyW
		mov	esi, eax

loc_8E288F:				; CODE XREF: _CmGetDeviceContainerIdFromBase+6DD02j
		test	esi, esi
		js	loc_874BFE
		cmp	byte ptr [ebp+var_5A+1], 0
		jnz	loc_874BFE

loc_8E28A1:				; CODE XREF: _CmGetDeviceContainerIdFromBase+6DCB5j
					; _CmGetDeviceContainerIdFromBase+6DCCFj
		inc	edi
		jmp	loc_8E2806
; 

loc_8E28A7:				; CODE XREF: _CmGetDeviceContainerIdFromBase+6DCADj
		xor	esi, esi
		jmp	loc_874BFE
; END OF FUNCTION CHUNK	FOR _CmGetDeviceContainerIdFromBase
; 
; START	OF FUNCTION CHUNK FOR _CmIsDeviceInContainer

loc_8E28AE:				; CODE XREF: _CmIsDeviceInContainer+44j
		xor	ecx, ecx
		jmp	loc_874C65
; 

loc_8E28B5:				; CODE XREF: _CmIsDeviceInContainer+6Aj
		xor	ecx, ecx
		jmp	loc_874C8B
; END OF FUNCTION CHUNK	FOR _CmIsDeviceInContainer
; 
; START	OF FUNCTION CHUNK FOR PnpProcessTargetDeviceEvent

loc_8E28BC:				; CODE XREF: PnpProcessTargetDeviceEvent+1Fj
		mov	eax, [eax+0B0h]
		mov	edi, [eax+14h]
		jmp	loc_874D35
; 

loc_8E28CA:				; CODE XREF: PnpProcessTargetDeviceEvent+44j
					; PnpProcessTargetDeviceEvent+5Cj
		test	byte_6CD8BB, 8
		jz	short loc_8E28E1
		push	dword ptr [edi+18h]
		mov	edx, offset _KMPnPEvt_DeviceRemoval_Start
		push	ecx
		call	_McTemplateK0z_EtwWriteTransfer@16 ; McTemplateK0z_EtwWriteTransfer(x,x,x,x)

loc_8E28E1:				; CODE XREF: PnpProcessTargetDeviceEvent+6DBC3j
		mov	ecx, [ebp+var_4]
		call	_PnpProcessQueryRemoveAndEject@4 ; PnpProcessQueryRemoveAndEject(x)
		test	byte_6CD8BB, 8
		mov	esi, eax
		jz	loc_874D90
		push	dword ptr [edi+18h]
		mov	edx, offset _KMPnPEvt_DeviceRemoval_Stop
		push	ecx
		call	_McTemplateK0z_EtwWriteTransfer@16 ; McTemplateK0z_EtwWriteTransfer(x,x,x,x)
		jmp	loc_874D90
; 

loc_8E290B:				; CODE XREF: PnpProcessTargetDeviceEvent+74j
		push	10h		; size_t
		push	offset _GUID_DEVICE_NOOP ; void	*
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		neg	eax
		sbb	eax, eax
		and	esi, eax
		jmp	loc_874D90
; END OF FUNCTION CHUNK	FOR PnpProcessTargetDeviceEvent
; 
; START	OF FUNCTION CHUNK FOR PipAttemptDependentsStart

loc_8E2926:				; CODE XREF: PipAttemptDependentsStart+1Bj
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_4]
		call	_PiEnumerateDependentListEntry@12 ; PiEnumerateDependentListEntry(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	esi, [esi]
		test	ecx, ecx
		jz	loc_874DE3
		call	_PipAttemptDependentStart@4 ; PipAttemptDependentStart(x)
		jmp	loc_874DE3
; END OF FUNCTION CHUNK	FOR PipAttemptDependentsStart
; 
; START	OF FUNCTION CHUNK FOR PiDmaGuardProcessNewDeviceNode

loc_8E294B:				; CODE XREF: PiDmaGuardProcessNewDeviceNode+38j
		mov	edx, 1F4h
		call	IoAddTriageDumpDataBlock
		cmp	[esi+14h], di
		jz	short loc_8E2972
		push	2
		pop	edx
		lea	ecx, [esi+14h]
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [esi+14h]
		mov	ecx, [esi+18h]
		call	IoAddTriageDumpDataBlock

loc_8E2972:				; CODE XREF: PiDmaGuardProcessNewDeviceNode+6D9EBj
		cmp	[esi+1Ch], di
		jz	short loc_8E298F
		push	2
		pop	edx
		lea	ecx, [esi+1Ch]
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [esi+1Ch]
		mov	ecx, [esi+20h]
		call	IoAddTriageDumpDataBlock

loc_8E298F:				; CODE XREF: PiDmaGuardProcessNewDeviceNode+6DA08j
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_8E29B5
		lea	ecx, [eax+1Ch]
		cmp	[ecx], di
		jz	short loc_8E29B5
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_8E29B5:				; CODE XREF: PiDmaGuardProcessNewDeviceNode+6DA26j
					; PiDmaGuardProcessNewDeviceNode+6DA2Ej
		push	dword ptr [esi+1C8h]
		push	dword ptr [ebx]
		push	esi
		push	11h
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8E29CB:				; CODE XREF: PiIommuGetInterface+1Ej
					; PiIommuGetInterface+2Ej ...
		movzx	edx, word ptr [esi+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_8E2A06
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_8E2A06
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_8E2A06:				; CODE XREF: PiDmaGuardProcessNewDeviceNode+6DA6Bj
					; PiDmaGuardProcessNewDeviceNode+6DA7Fj
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_8E2AA4
		mov	edx, 1F4h
		lea	edi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[edi], bx
		jz	short loc_8E2A3E
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock

loc_8E2A3E:				; CODE XREF: PiDmaGuardProcessNewDeviceNode+6DAB9j
		mov	edx, [esi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_8E2A72
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [esi+0B0h]

loc_8E2A72:				; CODE XREF: PiDmaGuardProcessNewDeviceNode+6DADFj
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_8E2AA4
		lea	ecx, [eax+1Ch]
		cmp	[ecx], bx
		jz	short loc_8E2AA4
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_8E2AA4:				; CODE XREF: PiIommuGetInterface+Dj
					; PiPnpRtlPdoRaiseNtPlugPlayPropertyChangeEvent+Dj ...
		push	ebx
		push	ebx
		push	esi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8E2AB4:				; CODE XREF: PnpGetDeviceLocationStrings+5Aj
		mov	eax, 0C000000Eh
		jmp	loc_875597
; END OF FUNCTION CHUNK	FOR PiDmaGuardProcessNewDeviceNode
; 
; START	OF FUNCTION CHUNK FOR PnpGetDeviceLocationStrings

loc_8E2ABE:				; CODE XREF: PnpGetDeviceLocationStrings+88j
		mov	ebx, 0C000009Ah
		jmp	loc_875595
; 

loc_8E2AC8:				; CODE XREF: PnpGetDeviceLocationStrings+ADj
		mov	ebx, 0C000009Ah
		mov	[ebp+var_8], ebx
		jmp	loc_87554B
; 

loc_8E2AD5:				; CODE XREF: PnpGetDeviceLocationStrings+143j
		mov	ebx, 0C00000BBh
		mov	[ebp+var_8], ebx
		jmp	loc_875181
; 

loc_8E2AE2:				; CODE XREF: PnpGetDeviceLocationStrings+20Dj
		mov	ebx, 0C000009Ah
		mov	[ebp+var_8], ebx
		jmp	loc_8752D5
; 

loc_8E2AEF:				; CODE XREF: PnpGetDeviceLocationStrings+5DDj
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebp+var_C], eax
		jmp	loc_8752E8
; 

loc_8E2B02:				; CODE XREF: PnpGetDeviceLocationStrings+11Dj
		mov	ebx, 0C0000001h
		mov	[ebp+var_8], ebx
		jmp	loc_8752E8
; 

loc_8E2B0F:				; CODE XREF: PnpGetDeviceLocationStrings+330j
		mov	ebx, 0C000009Ah
		mov	[ebp+var_8], ebx
		jmp	loc_87554E
; 

loc_8E2B1C:				; CODE XREF: PnpGetDeviceLocationStrings+5C7j
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_875595
; 

loc_8E2B2A:				; CODE XREF: PnpGetDeviceLocationStrings+35j
					; PnpGetDeviceLocationStrings+3Dj ...
		mov	eax, 0C000000Dh
		jmp	loc_875597
; END OF FUNCTION CHUNK	FOR PnpGetDeviceLocationStrings
; 
; START	OF FUNCTION CHUNK FOR PnpQueryInterface

loc_8E2B34:				; CODE XREF: PnpQueryInterface+32j
		mov	eax, 0C000000Dh
		jmp	loc_875705
; 

loc_8E2B3E:				; CODE XREF: PnpQueryInterface+CFj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+40h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+30h+var_18]
		jmp	loc_8756F7
; END OF FUNCTION CHUNK	FOR PnpQueryInterface
; 
; START	OF FUNCTION CHUNK FOR PiDeviceRegistration

loc_8E2B57:				; CODE XREF: PiDeviceRegistration+3Bj
		mov	esi, 0C000000Dh
		jmp	loc_8758B6
; 

loc_8E2B61:				; CODE XREF: PiDeviceRegistration+4Ej
		lea	eax, [edx-2]
		mov	[ebx], ax
		jmp	loc_8757C8
; 

loc_8E2B6C:				; CODE XREF: PiDeviceRegistration+83j
		mov	esi, 0C000009Ah
		jmp	loc_8758B4
; END OF FUNCTION CHUNK	FOR PiDeviceRegistration
; 
; START	OF FUNCTION CHUNK FOR PpForEachDeviceInstanceDriver

loc_8E2B76:				; CODE XREF: PpForEachDeviceInstanceDriver+F4j
		mov	esi, 0C000009Ah
		jmp	loc_875A43
; 

loc_8E2B80:				; CODE XREF: PpForEachDeviceInstanceDriver+1C8j
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_5C]
		push	eax
		push	edi
		lea	eax, [ebp+var_70]
		push	eax
		push	ds:dword_404858[ebx]
		lea	edx, [ebp+var_58]
		push	[ebp+var_68]
		call	__CmGetInstallerClassRegProp@32	; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		jmp	loc_875A1C
; 

loc_8E2BA6:				; CODE XREF: PpForEachDeviceInstanceDriver+150j
		xor	esi, esi
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_5C]
		push	20207050h
		push	eax
		push	1
		mov	[ebp+var_64], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8E2C64
		cmp	ds:byte_404860[ebx], 0
		mov	eax, ds:off_40485C[ebx]
		jz	short loc_8E2C38
		lea	edx, [ebp+var_58]
		test	eax, eax
		jz	short loc_8E2C18
		push	esi
		lea	ecx, [ebp+var_5C]
		push	ecx
		push	[ebp+var_64]
		lea	ecx, [ebp+var_78]
		push	edi
		push	ecx
		push	eax
		push	esi
		push	[ebp+var_68]
		push	2
		jmp	short loc_8E2C0B
; 

loc_8E2BF8:				; CODE XREF: PpForEachDeviceInstanceDriver+6D36Aj
		lea	ecx, [ebp+var_5C]
		push	ecx
		push	[ebp+var_64]
		lea	ecx, [ebp+var_78]
		push	edi
		push	ecx
		push	eax
		push	esi
		push	[ebp+var_6C]
		push	1

loc_8E2C0B:				; CODE XREF: PpForEachDeviceInstanceDriver+6D322j
		mov	ecx, _PiPnpRtlCtx
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_8E2C5D
; 

loc_8E2C18:				; CODE XREF: PpForEachDeviceInstanceDriver+6D30Cj
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_5C]
		push	eax
		push	edi
		lea	eax, [ebp+var_70]
		push	eax
		push	ds:dword_404858[ebx]
		push	[ebp+var_68]
		call	__CmGetInstallerClassRegProp@32	; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		jmp	short loc_8E2C5D
; 

loc_8E2C38:				; CODE XREF: PpForEachDeviceInstanceDriver+6D305j
		mov	edx, [ebp+var_60]
		push	esi
		test	eax, eax
		jnz	short loc_8E2BF8
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_5C]
		push	eax
		push	edi
		lea	eax, [ebp+var_70]
		push	eax
		push	ds:dword_404858[ebx]
		push	[ebp+var_6C]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)

loc_8E2C5D:				; CODE XREF: PpForEachDeviceInstanceDriver+6D342j
					; PpForEachDeviceInstanceDriver+6D362j
		mov	esi, eax
		jmp	loc_875A2A
; 

loc_8E2C64:				; CODE XREF: PpForEachDeviceInstanceDriver+6D2F2j
		mov	esi, 0C000009Ah
		jmp	loc_875A40
; END OF FUNCTION CHUNK	FOR PpForEachDeviceInstanceDriver
; 
; START	OF FUNCTION CHUNK FOR PiForEachDriverQueryRoutine

loc_8E2C6E:				; CODE XREF: PiForEachDriverQueryRoutine+2Aj
		cmp	[esi], dx
		jz	loc_875B57
		mov	ebx, [ebp+arg_4]

loc_8E2C7A:				; CODE XREF: PiForEachDriverQueryRoutine+6D1CEj
		mov	edx, esi
		lea	ecx, [edx+2]

loc_8E2C7F:				; CODE XREF: PiForEachDriverQueryRoutine+6D17Bj
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_4]
		jnz	short loc_8E2C7F
		sub	edx, ecx
		lea	ecx, [ebp+arg_0]
		sar	edx, 1
		push	ecx
		mov	ecx, edi
		lea	eax, ds:2[edx*2]
		mov	edx, eax
		mov	[ebp+arg_4], eax
		call	_RtlULongPtrSub@12 ; RtlULongPtrSub(x,x,x)
		test	eax, eax
		js	short loc_8E2CE3
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	dword ptr [ebx+8]
		lea	eax, [ebp+var_C]
		push	eax
		push	dword ptr [ebx]
		call	dword ptr [ebx+4]
		test	eax, eax
		js	loc_875B57
		mov	edi, [ebp+arg_0]
		cmp	edi, 2
		jb	loc_875B57
		add	esi, [ebp+arg_4]
		xor	ecx, ecx
		cmp	[esi], cx
		jnz	short loc_8E2C7A
		jmp	loc_875B57
; 

loc_8E2CE3:				; CODE XREF: PiForEachDriverQueryRoutine+6D19Aj
		xor	eax, eax
		jmp	loc_875B57
; END OF FUNCTION CHUNK	FOR PiForEachDriverQueryRoutine
; 
; START	OF FUNCTION CHUNK FOR PiProcessDriverInstance

loc_8E2CEA:				; CODE XREF: PiProcessDriverInstance+B4j
		mov	ebx, eax
		jmp	loc_875C5D
; 

loc_8E2CF1:				; CODE XREF: PiProcessDriverInstance+D2j
		mov	ebx, [esp+48h+var_38]
		jmp	loc_875C5D
; 

loc_8E2CFA:				; CODE XREF: PiProcessDriverInstance+137j
		mov	word ptr [esp+48h+var_30], cx
		jmp	loc_875CAA
; 

loc_8E2D04:				; CODE XREF: PiProcessDriverInstance+8Aj
		test	cl, cl
		jnz	loc_875D35
		lea	eax, [esp+48h+var_24]
		push	eax
		push	esi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		mov	edx, dword ptr [esp+48h+var_34]
		sub	edx, 1
		mov	dword ptr [esp+48h+var_34], edx
		jz	loc_875CD6
		push	[esp+48h+var_38]
		mov	ecx, esi
		call	_PiRearrangeDeviceInstances@12 ; PiRearrangeDeviceInstances(x,x,x)
		jmp	loc_875CD6
; 

loc_8E2D38:				; CODE XREF: PiProcessDriverInstance+1D1j
		lea	eax, [esp+48h+var_24]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	loc_875D3D
; END OF FUNCTION CHUNK	FOR PiProcessDriverInstance
; 
; START	OF FUNCTION CHUNK FOR PnpCallDriverQueryServiceHelper

loc_8E2D47:				; CODE XREF: PnpCallDriverQueryServiceHelper+33j
		mov	edi, [ebp+arg_8]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	edx
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		push	[ebp+arg_0]
		push	esi
		call	__CmGetInstallerClassRegProp@32	; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		jmp	loc_875DB0
; 

loc_8E2D67:				; CODE XREF: PnpCallDriverQueryServiceHelper+59j
		push	0
		push	dword ptr [ebx]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_14]
		push	6E657050h
		push	eax
		push	1
		mov	[ecx], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_8E2D95
		mov	eax, 0C000009Ah
		jmp	loc_875DE0
; 

loc_8E2D95:				; CODE XREF: PnpCallDriverQueryServiceHelper+6D02Dj
		cmp	[ebp+arg_4], 0
		mov	edx, edi
		jz	short loc_8E2DC4
		push	0
		lea	ecx, [ebp+var_4]
		push	ecx
		push	[ebp+var_4]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+arg_4]
		push	0
		push	esi
		push	[ebp+var_10]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_875DBB
; 

loc_8E2DC4:				; CODE XREF: PnpCallDriverQueryServiceHelper+6D03Fj
		cmp	[ebp+arg_10], 0
		jz	short loc_8E2DE8
		push	ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_0]
		push	esi
		call	__CmGetInstallerClassRegProp@32	; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		jmp	loc_875DBB
; 

loc_8E2DE8:				; CODE XREF: PnpCallDriverQueryServiceHelper+6D06Cj
		push	0
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_0]
		push	esi
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		jmp	loc_875DBB
; 

loc_8E2E07:				; CODE XREF: PnpCallDriverQueryServiceHelper+C4j
		cmp	[ebp+var_C], 12h
		jz	short loc_8E2E17
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		jmp	loc_875DCD
; 

loc_8E2E17:				; CODE XREF: PnpCallDriverQueryServiceHelper+6D0AFj
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_8], ecx
		jmp	loc_875DC8
; 

loc_8E2E22:				; CODE XREF: PnpCallDriverQueryServiceHelper+D7j
					; PnpCallDriverQueryServiceHelper+E3j
		mov	eax, 0C0000001h
		jmp	loc_875DE0
; END OF FUNCTION CHUNK	FOR PnpCallDriverQueryServiceHelper
; 
; START	OF FUNCTION CHUNK FOR PipCallDriverAddDeviceQueryRoutine

loc_8E2E2C:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+7Dj
		mov	eax, [ebp+var_24]
		mov	[ecx+1Ch], eax
		mov	eax, [ebp+var_20]
		mov	[ecx+20h], eax
		movzx	eax, word ptr [ebp+var_24+2]
		push	48706E50h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [edi]
		mov	[ecx+20h], eax
		mov	eax, [edi]
		mov	ecx, [eax+20h]
		test	ecx, ecx
		jz	short loc_8E2E6F
		movzx	eax, word ptr [ebp+var_24+2]
		push	eax		; size_t
		push	[ebp+var_20]	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		jmp	loc_875F33
; 

loc_8E2E6F:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6CFA5j
		xor	ecx, ecx
		mov	esi, 0C0000001h
		mov	[eax+1Eh], cx
		mov	eax, [edi]
		mov	[eax+1Ch], cx
		mov	eax, [edi]
		and	[eax+20h], ecx
		jmp	loc_876000
; 

loc_8E2E8A:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+9Aj
		cmp	esi, 0C0000034h
		jnz	short loc_8E2E9B
		cmp	[ebp+arg_8], ebx
		jnz	short loc_8E2E9B
		xor	esi, esi
		jmp	short loc_8E2EA6
; 

loc_8E2E9B:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6CFE0j
					; PipCallDriverAddDeviceQueryRoutine+6CFE5j
		mov	ecx, [edi]
		push	esi
		push	13h
		pop	edx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)

loc_8E2EA6:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6CFE9j
		mov	eax, [ebp+var_C]
		jmp	loc_875FDF
; 

loc_8E2EAE:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+B4j
		mov	ecx, [edi]
		push	esi
		push	13h
		jmp	short loc_8E2EB8
; 

loc_8E2EB5:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D193j
		push	eax
		push	29h

loc_8E2EB8:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D003j
					; PipCallDriverAddDeviceQueryRoutine+6D1A6j ...
		pop	edx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_875FDC
; 

loc_8E2EC3:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+EBj
		push	4
		pop	eax
		jmp	loc_875FA4
; 

loc_8E2ECB:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+25Cj
		cmp	esi, 0C000036Ch
		jz	short loc_8E2F07
		cmp	esi, 0C000036Bh
		jz	short loc_8E2F07
		cmp	[ebp+arg_0], 0
		jz	short loc_8E2EFF
		mov	eax, [edi+4]
		cmp	byte ptr [eax+4], 0
		jnz	short loc_8E2EFF
		mov	ecx, [ebp+var_8]
		call	_PnpCheckPossibleBootStartDriver@4 ; PnpCheckPossibleBootStartDriver(x)
		test	al, al
		jnz	short loc_8E2EFF
		mov	eax, [edi]
		mov	byte ptr [eax+1C0h], 1

loc_8E2EFF:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D02Fj
					; PipCallDriverAddDeviceQueryRoutine+6D038j ...
		mov	ebx, [ebp+arg_4]
		jmp	loc_875FDC
; 

loc_8E2F07:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D021j
					; PipCallDriverAddDeviceQueryRoutine+6D029j
		mov	ebx, [ebp+arg_4]
		jmp	loc_876124
; 

loc_8E2F0F:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+108j
		cmp	eax, 4
		jnz	loc_875FD7
		mov	ecx, [edi]
		test	dword ptr [ecx+10Ch], 6000h
		jnz	loc_875FD7
		push	0
		push	20h
		pop	edx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_875FD7
; 

loc_8E2F39:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+17Cj
		cmp	esi, 0C0000365h
		jnz	short loc_8E2F56
		mov	eax, 0C000009Ah
		cmp	[ebp+var_10], eax
		jnz	loc_876032
		mov	esi, eax
		jmp	loc_876032
; 

loc_8E2F56:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D08Fj
		cmp	esi, 0C000009Ah
		jz	loc_876032
		cmp	esi, 0C000025Eh
		jz	loc_876032
		cmp	esi, 0C000038Eh
		jz	loc_876032
		cmp	esi, 0C000036Ch
		jz	loc_876032
		cmp	esi, 0C000036Bh
		jz	loc_876032
		cmp	esi, 0C000035Fh
		jz	loc_876032
		cmp	esi, 0C0000428h
		jz	loc_876032
		mov	esi, 0C000026Ch
		jmp	loc_876032
; 

loc_8E2FB4:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+19Bj
		cmp	_PnpBootMode, 0
		jz	short loc_8E2FEF
		cmp	esi, 0C0000365h
		jz	short loc_8E2FEF
		cmp	esi, 0C000035Fh
		jz	short loc_8E2FEF
		cmp	esi, 0C000036Bh
		jz	short loc_8E2FEF
		cmp	esi, 0C000036Ch
		jz	short loc_8E2FEF
		cmp	esi, 0C0000428h
		jz	short loc_8E2FEF
		mov	esi, 0C000026Ch
		jmp	loc_876124
; 

loc_8E2FEF:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+267j
					; PipCallDriverAddDeviceQueryRoutine+27Cj ...
		mov	edx, [edi]
		lea	eax, [ebp+var_2C]
		push	0
		push	eax
		push	esi
		add	edx, 14h
		mov	ecx, offset _KMPnPEvt_DriverLoad_Fail
		call	PnpDiagnosticTraceDeviceOperation
		mov	ecx, [edi]
		test	dword ptr [ecx+10Ch], 6000h
		jnz	loc_875FDC
		mov	eax, 0C0000365h
		cmp	esi, eax
		jg	short loc_8E3075
		jz	short loc_8E306B
		mov	eax, 0C000009Ah
		cmp	esi, eax
		jz	short loc_8E3063
		mov	eax, 0C0000160h
		cmp	esi, eax
		jz	short loc_8E305B
		cmp	esi, 0C000019Dh
		jz	short loc_8E3051
		mov	eax, 0C000025Eh
		cmp	esi, eax
		jz	loc_8E2EB5
		cmp	esi, 0C000026Ch
		jnz	short loc_8E309E

loc_8E3051:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D18Aj
		push	[ebp+var_18]
		push	27h
		jmp	loc_8E2EB8
; 

loc_8E305B:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D182j
		push	eax
		push	28h
		jmp	loc_8E2EB8
; 

loc_8E3063:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D179j
		push	eax
		push	3
		jmp	loc_8E2EB8
; 

loc_8E306B:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D170j
		push	[ebp+var_10]
		push	25h
		jmp	loc_8E2EB8
; 

loc_8E3075:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D16Ej
		mov	eax, 0C000036Bh
		cmp	esi, eax
		jz	short loc_8E30BF
		cmp	esi, 0C000036Ch
		jz	short loc_8E30AE
		add	eax, 23h
		cmp	esi, eax
		jz	short loc_8E30A6
		mov	eax, 0C0000428h
		cmp	esi, eax
		jnz	short loc_8E309E
		push	eax
		push	34h
		jmp	loc_8E2EB8
; 

loc_8E309E:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D19Fj
					; PipCallDriverAddDeviceQueryRoutine+6D1E4j
		push	esi
		push	1Fh
		jmp	loc_8E2EB8
; 

loc_8E30A6:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D1DBj
		push	eax
		push	26h
		jmp	loc_8E2EB8
; 

loc_8E30AE:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D1D4j
		mov	edx, 100000h
		call	PipSetDevNodeFlags

loc_8E30B8:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D22Dj
		xor	esi, esi
		jmp	loc_875FDC
; 

loc_8E30BF:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+6D1CCj
		push	eax
		push	30h
		pop	edx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		mov	ecx, [edi]
		mov	edx, 100000h
		call	PipSetDevNodeFlags
		jmp	loc_875FDC
; 

loc_8E30D9:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+1B0j
		cmp	[ebp+arg_8], 3
		jnz	short loc_8E30B8
		mov	ecx, [edi]
		mov	edx, 1000h
		call	PipSetDevNodeFlags
		push	ecx
		mov	ecx, [edi]
		mov	edx, 308h
		call	PipSetDevNodeState
		jmp	loc_875FD7
; 

loc_8E30FD:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+1C3j
		cmp	eax, 303h
		jnz	loc_875FD7
		jmp	loc_876079
; 

loc_8E310D:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+1E6j
		mov	esi, 0C000009Ah
		jmp	loc_875FDC
; 

loc_8E3117:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+14Aj
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	loc_876000
; 

loc_8E3123:				; CODE XREF: PipCallDriverAddDeviceQueryRoutine+37j
					; PipCallDriverAddDeviceQueryRoutine+41j
		xor	eax, eax
		jmp	loc_876002
; END OF FUNCTION CHUNK	FOR PipCallDriverAddDeviceQueryRoutine
; 
; START	OF FUNCTION CHUNK FOR PipOpenServiceEnumKeys

loc_8E312A:				; CODE XREF: PipOpenServiceEnumKeys+66j
		mov	ecx, _PiPnpRtlCtx
		test	esi, esi
		jnz	short loc_8E3137
		lea	esi, [ecx+8]

loc_8E3137:				; CODE XREF: PipOpenServiceEnumKeys+6CF5Ej
		mov	esi, [esi]
		lea	eax, [ecx+8]
		cmp	esi, eax
		jz	short loc_8E3170
		test	esi, esi
		jz	short loc_8E3170
		lea	eax, [ebp+var_C]
		mov	edx, esi
		push	eax
		push	6
		call	_PnpCtxGetCachedNodeBaseKey
		test	eax, eax
		js	short loc_8E3165
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		jmp	loc_876210
; 

loc_8E3165:				; CODE XREF: PipOpenServiceEnumKeys+6CF7Fj
		cmp	eax, 8000001Ah
		jnz	loc_876240

loc_8E3170:				; CODE XREF: PipOpenServiceEnumKeys+6CF6Aj
					; PipOpenServiceEnumKeys+6CF6Ej
		mov	eax, 0C0000034h
		jmp	loc_876240
; 

loc_8E317A:				; CODE XREF: PipOpenServiceEnumKeys+C8j
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_876252
; END OF FUNCTION CHUNK	FOR PipOpenServiceEnumKeys
; 
; START	OF FUNCTION CHUNK FOR PnpGetServiceStartType

loc_8E3187:				; CODE XREF: PnpGetServiceStartType+28j
		mov	edx, dword_6FDFC0
		test	edx, edx
		jnz	short loc_8E31D3
		mov	eax, _PiPnpRtlCtx
		mov	ecx, esi
		test	eax, eax
		jz	short loc_8E319F
		mov	ecx, [eax+74h]

loc_8E319F:				; CODE XREF: PnpGetServiceStartType+6CEA6j
		push	offset dword_6FDFC0
		push	20019h
		push	esi
		push	offset ??_C@_1IK@ONEDDMHI@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@
		mov	edx, 80000002h
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C0000034h
		jnz	short loc_8E31CB
		or	edx, 0FFFFFFFFh
		mov	dword_6FDFC0, edx
		jmp	short loc_8E31DE
; 

loc_8E31CB:				; CODE XREF: PnpGetServiceStartType+6CECAj
		mov	edx, dword_6FDFC0
		jmp	short loc_8E31DE
; 

loc_8E31D3:				; CODE XREF: PnpGetServiceStartType+6CE9Bj
		cmp	edx, 0FFFFFFFFh
		jz	loc_876322
		mov	eax, esi

loc_8E31DE:				; CODE XREF: PnpGetServiceStartType+6CED5j
					; PnpGetServiceStartType+6CEDDj
		test	eax, eax
		js	loc_876322
		mov	eax, _PiPnpRtlCtx
		mov	ecx, esi
		test	eax, eax
		jz	short loc_8E31F4
		mov	ecx, [eax+74h]

loc_8E31F4:				; CODE XREF: PnpGetServiceStartType+6CEFBj
		lea	eax, [ebp+var_8]
		push	eax
		push	20019h
		push	esi
		push	edi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8E3235
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+arg_0]
		push	eax
		push	ebx
		lea	eax, [ebp+var_4]
		mov	[ebp+arg_0], 4
		push	eax
		mov	edx, offset ??_C@_1M@IOJLKPKK@?$AAS?$AAt?$AAa?$AAr?$AAt@NNGAKEGL@
		call	_RegRtlQueryValue
		mov	edi, eax
		test	edi, edi
		js	short loc_8E3235
		cmp	[ebp+var_4], 4
		jz	loc_87634D

loc_8E3235:				; CODE XREF: PnpGetServiceStartType+6CF12j
					; PnpGetServiceStartType+6CF35j
		mov	ecx, dword_6FDFC4
		test	ecx, ecx
		jnz	short loc_8E3285
		mov	eax, _PiPnpRtlCtx
		mov	ecx, esi
		test	eax, eax
		jz	short loc_8E324D
		mov	ecx, [eax+74h]

loc_8E324D:				; CODE XREF: PnpGetServiceStartType+6CF54j
		mov	edx, dword_6FDFC0
		push	offset dword_6FDFC4
		push	20019h
		push	esi
		push	offset ??_C@_1BA@LOGOFDCJ@?$AA?$CK?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@NNGAKEGL@
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_8E327D
		or	ecx, 0FFFFFFFFh
		mov	dword_6FDFC4, ecx
		jmp	short loc_8E328E
; 

loc_8E327D:				; CODE XREF: PnpGetServiceStartType+6CF7Cj
		mov	ecx, dword_6FDFC4
		jmp	short loc_8E328E
; 

loc_8E3285:				; CODE XREF: PnpGetServiceStartType+6CF49j
		cmp	ecx, 0FFFFFFFFh
		jz	loc_876322

loc_8E328E:				; CODE XREF: PnpGetServiceStartType+6CF87j
					; PnpGetServiceStartType+6CF8Fj
		test	esi, esi
		js	loc_876322
		lea	eax, [ebp+arg_0]
		mov	[ebp+arg_0], 4
		push	eax
		push	ebx
		lea	eax, [ebp+var_4]
		mov	edx, offset ??_C@_1M@IOJLKPKK@?$AAS?$AAt?$AAa?$AAr?$AAt@NNGAKEGL@
		push	eax
		call	_RegRtlQueryValue
		mov	edi, eax
		test	edi, edi
		js	loc_876322
		cmp	[ebp+var_4], 4
		jz	loc_87634D
		jmp	loc_876322
; 

loc_8E32C9:				; CODE XREF: PnpGetServiceStartType+5Dj
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_876357
; END OF FUNCTION CHUNK	FOR PnpGetServiceStartType
; 
; START	OF FUNCTION CHUNK FOR PpHotSwapUpdateRemovalPolicy

loc_8E32D6:				; CODE XREF: PpHotSwapUpdateRemovalPolicy+B3j
					; PpHotSwapUpdateRemovalPolicy+BAj ...
		pop	ecx
		mov	[ebp+var_4], ecx
		jmp	loc_876422
; 

loc_8E32DF:				; CODE XREF: PpHotSwapUpdateRemovalPolicy+72j
		mov	eax, [esi+8]
		movzx	eax, byte ptr [eax+13Eh]
		cmp	ecx, eax
		jle	loc_87642A
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		jmp	loc_87642A
; 

loc_8E32FB:				; CODE XREF: PpHotSwapUpdateRemovalPolicy+ACj
		cmp	[ebp+var_C], edi
		jz	short loc_8E3305
		mov	eax, 0C00000F0h

loc_8E3305:				; CODE XREF: PpHotSwapUpdateRemovalPolicy+6CF4Cj
		test	eax, eax
		js	loc_8763E2
		mov	eax, [ebp+var_4]
		cmp	eax, 2
		jz	short loc_8E331E
		cmp	eax, 3
		jnz	loc_8763E2

loc_8E331E:				; CODE XREF: PpHotSwapUpdateRemovalPolicy+6CF61j
		mov	[esi+13Eh], al
		jmp	loc_8763E2
; END OF FUNCTION CHUNK	FOR PpHotSwapUpdateRemovalPolicy
; 
; START	OF FUNCTION CHUNK FOR PiQueryAndAllocateBootResources

loc_8E3329:				; CODE XREF: PiQueryAndAllocateBootResources+45j
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], ecx
		jmp	loc_8764DC
; 

loc_8E3334:				; CODE XREF: PiQueryAndAllocateBootResources+59j
		cmp	dword ptr [edi+114h], 9
		jz	loc_87652B
		jmp	loc_8764ED
; 

loc_8E3346:				; CODE XREF: PiQueryAndAllocateBootResources+61j
		cmp	dword ptr [edi+114h], 3
		jz	loc_87652B
		test	eax, eax
		jz	loc_8764F5
		cmp	dword ptr [edi+114h], 13h
		jz	loc_87652B
		jmp	loc_8764F5
; END OF FUNCTION CHUNK	FOR PiQueryAndAllocateBootResources
; 
; START	OF FUNCTION CHUNK FOR IopQueryDeviceResources

loc_8E336D:				; CODE XREF: IopQueryDeviceResources+54j
		push	[ebp+arg_4]
		xor	edx, edx
		push	ebx
		push	7
		call	PnpGetDeviceResourcesFromRegistry
		lea	ecx, [eax+3FFFFFCCh]
		neg	ecx
		sbb	ecx, ecx
		and	eax, ecx
		jmp	loc_876696
; 

loc_8E338B:				; CODE XREF: IopQueryDeviceResources+15Dj
		mov	eax, 0C0000017h
		jmp	loc_876696
; 

loc_8E3395:				; CODE XREF: IopQueryDeviceResources+CBj
		mov	esi, [ebp+var_4]
		jmp	loc_87670E
; 

loc_8E339D:				; CODE XREF: IopQueryDeviceResources+254j
		test	esi, esi
		jz	loc_876696
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_10]
		jmp	loc_876696
; 

loc_8E33B5:				; CODE XREF: IopQueryDeviceResources+AAj
		mov	edx, [ebx]
		test	edx, edx
		jz	loc_876729
		xor	edi, edi
		push	edi
		call	PnpCmResourcesToIoResources
		push	edi
		push	dword ptr [ebx]
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	short loc_8E33E3
		mov	edi, [ebp+arg_4]
		mov	[ebx], esi
		mov	eax, [esi]
		mov	[edi], eax
		jmp	loc_87672C
; 

loc_8E33E3:				; CODE XREF: IopQueryDeviceResources+6CDCDj
		mov	eax, [ebp+arg_4]
		mov	[ebx], edi
		mov	[eax], edi
		jmp	short loc_8E33F4
; 

loc_8E33EC:				; CODE XREF: IopQueryDeviceResources+19Fj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E33F4:				; CODE XREF: IopQueryDeviceResources+6CDE4j
		mov	eax, 0C000009Ah
		jmp	loc_876696
; 

loc_8E33FE:				; CODE XREF: IopQueryDeviceResources+184j
		mov	[edi], ecx
		mov	[ebx], ecx
		jmp	loc_8767C1
; 

loc_8E3407:				; CODE XREF: IopQueryDeviceResources+13Cj
		mov	eax, [esi]
		mov	[edi], eax
		jmp	loc_87674A
; END OF FUNCTION CHUNK	FOR IopQueryDeviceResources
; 
; START	OF FUNCTION CHUNK FOR PnpGetDeviceResourcesFromRegistry

loc_8E3410:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+28j
		test	edi, edi
		jz	short loc_8E341F
		mov	eax, [edi+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_8E3421
; 

loc_8E341F:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+6CB1Ej
		mov	edx, ecx

loc_8E3421:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+6CB29j
		mov	edx, [edx+18h]
		lea	eax, [ebp+var_4]
		push	ecx
		push	eax
		push	ecx
		push	20019h
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	13h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_8E3464
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		push	ebx
		inc	edx
		call	PnpReadDeviceConfiguration
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		jns	loc_87698D

loc_8E3464:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+6CB4Dj
		xor	ecx, ecx
		jmp	loc_876922
; 

loc_8E346B:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+49j
		mov	edx, ecx
		jmp	loc_87694C
; 

loc_8E3472:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+A4j
		mov	edx, ecx
		jmp	loc_8769A7
; 

loc_8E3479:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+D9j
		test	[ebp+arg_0], 2
		jz	loc_8769F0
		mov	edx, offset ??_C@_1CE@CAEIBNIA@?$AAB?$AAa?$AAs?$AAi?$AAc?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAV?$AAe?$AAc?$AAt@NNGAKEGL@ ; "B"
		jmp	loc_8769D8
; 

loc_8E348D:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+F6j
		mov	edi, [ebp+var_8]
		cmp	dword ptr [edi+4], 0Ah
		jnz	short loc_8E34E5
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	short loc_8E34E5
		push	75737050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jz	short loc_8E34E0
		mov	ecx, [ebp+arg_8]
		mov	eax, [edi+0Ch]
		mov	[ecx], eax
		push	dword ptr [edi+0Ch] ; size_t
		mov	eax, [edi+8]
		add	eax, edi
		push	eax		; void *
		push	dword ptr [ebx]	; void *
		call	_memcpy
		mov	eax, [ebx]
		add	esp, 0Ch
		cmp	dword ptr [eax+4], 0FFFFFFFFh
		jnz	short loc_8E34E5
		and	dword ptr [eax+8], 0
		mov	dword ptr [eax+4], 1
		jmp	short loc_8E34E5
; 

loc_8E34E0:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+6CBBAj
		mov	esi, 0C00000F0h

loc_8E34E5:				; CODE XREF: PnpGetDeviceResourcesFromRegistry+6CBA0j
					; PnpGetDeviceResourcesFromRegistry+6CBA7j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8769F0
; END OF FUNCTION CHUNK	FOR PnpGetDeviceResourcesFromRegistry
; 
; START	OF FUNCTION CHUNK FOR PnpInitializeSessionId

loc_8E34F2:				; CODE XREF: PnpInitializeSessionId+2Bj
		call	_IopGetSessionIdFromPDO@4 ; IopGetSessionIdFromPDO(x)
		mov	esi, eax
		mov	[ebp+var_4], esi
		jmp	loc_876ADB
; 

loc_8E3501:				; CODE XREF: PnpInitializeSessionId+47j
		push	4
		pop	ecx
		push	7
		lea	edx, [ebp+var_4]
		pop	esi
		jmp	loc_876AFD
; END OF FUNCTION CHUNK	FOR PnpInitializeSessionId
; 
; START	OF FUNCTION CHUNK FOR PnpIsDeviceInstanceEnabled

loc_8E350F:				; CODE XREF: PnpIsDeviceInstanceEnabled+53j
		mov	eax, [esi+114h]
		cmp	eax, 16h
		jz	loc_876C29
		cmp	eax, 1Dh
		jnz	loc_876B81
		jmp	loc_876C29
; 

loc_8E352C:				; CODE XREF: PnpIsDeviceInstanceEnabled+76j
		xor	ecx, ecx
		lea	eax, [ebp+var_8]
		push	ecx
		push	eax
		push	ecx
		push	20019h
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		mov	edx, ebx
		push	10h
		call	_CmOpenDeviceRegKey
		test	eax, eax
		js	loc_876C29
		mov	eax, [ebp+var_8]
		mov	[ebp+var_1C], edi
		jmp	loc_876BA4
; 

loc_8E355C:				; CODE XREF: PnpIsDeviceInstanceEnabled+C9j
		xor	edi, edi
		cmp	[ebp+arg_0], edi
		jz	loc_876BF7
		test	esi, esi
		jz	loc_876BF7
		cmp	dword ptr [esi+0ACh], 301h
		jz	loc_876BF7
		push	16h
		pop	edx
		mov	ecx, esi
		call	_PnpDisableDevice@8 ; PnpDisableDevice(x,x)
		jmp	loc_876BF7
; 

loc_8E358E:				; CODE XREF: PnpIsDeviceInstanceEnabled+E4j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_876C12
; END OF FUNCTION CHUNK	FOR PnpIsDeviceInstanceEnabled
; 
; START	OF FUNCTION CHUNK FOR PnpGetDeviceInstanceCsConfigFlags

loc_8E359B:				; CODE XREF: PnpGetDeviceInstanceCsConfigFlags+59j
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		push	eax
		push	0
		mov	edx, offset ??_C@_1BM@NKKGOMEP@?$AAC?$AAS?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@
		call	IopGetRegistryValue
		push	[ebp+var_8]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_876C9B
		mov	ecx, [ebp+var_C]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_8E35D7
		cmp	dword ptr [ecx+0Ch], 4
		jb	short loc_8E35D7
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	[edi], eax

loc_8E35D7:				; CODE XREF: PnpGetDeviceInstanceCsConfigFlags+6C98Bj
					; PnpGetDeviceInstanceCsConfigFlags+6C991j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_876C9B
; END OF FUNCTION CHUNK	FOR PnpGetDeviceInstanceCsConfigFlags
; 
; START	OF FUNCTION CHUNK FOR PiQueryResourceRequirements

loc_8E35E4:				; CODE XREF: PiQueryResourceRequirements+44j
		cmp	dword ptr [edi+114h], 9
		jz	loc_876D28
		jmp	loc_876CEE
; 

loc_8E35F6:				; CODE XREF: PiQueryResourceRequirements+4Cj
		cmp	dword ptr [edi+114h], 3
		jz	loc_876D28
		test	eax, eax
		jz	loc_876CF6
		cmp	dword ptr [edi+114h], 13h
		jz	loc_876D28
		jmp	loc_876CF6
; 

loc_8E361D:				; CODE XREF: PiQueryResourceRequirements+E4j
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	loc_876DC6
; 

loc_8E362B:				; CODE XREF: PiQueryResourceRequirements+86j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_876D30
; END OF FUNCTION CHUNK	FOR PiQueryResourceRequirements
; 
; START	OF FUNCTION CHUNK FOR PpDevCfgProcessDeviceOperations

loc_8E3638:				; CODE XREF: PpDevCfgProcessDeviceOperations+82j
		test	edi, edi
		js	loc_876EC6
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_5C]
		mov	ecx, [ebx+18h]
		push	eax
		call	_PiDevCfgInitDeviceContext@12 ;	PiDevCfgInitDeviceContext(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_876EC6
		push	esi
		lea	eax, [ebp+var_14]
		mov	ecx, ebx
		push	eax
		push	0FFFFFFFFh
		push	[ebp+var_8]
		lea	edx, [ebp+var_5C]
		call	_PiDevCfgConfigureDeviceKeys@24	; PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_876EC6
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_8E368C
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_8E368C
		mov	eax, [eax+4]
		jmp	short loc_8E368E
; 

loc_8E368C:				; CODE XREF: PpDevCfgProcessDeviceOperations+6C842j
					; PpDevCfgProcessDeviceOperations+6C849j
		mov	eax, esi

loc_8E368E:				; CODE XREF: PpDevCfgProcessDeviceOperations+6C84Ej
		mov	ecx, [ebp+var_C]
		mov	edx, offset ??_C@_1CK@LLHOGJK@?$AAP?$AAe?$AAn?$AAd?$AAi?$AAn?$AAg?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr@NNGAKEGL@ ; "PendingConfiguration"
		push	esi
		push	eax
		call	_RegRtlDeleteTreeInternal
		cmp	[ebp+var_14], esi
		jz	loc_876EC6
		mov	edx, [ebx+18h]
		lea	eax, [ebp+var_10]
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_10], 4
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	0Bh
		push	[ebp+var_C]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8E36E0
		cmp	[ebp+var_18], 4
		jnz	short loc_8E36E0
		cmp	[ebp+var_10], 4
		jnz	short loc_8E36E0
		mov	esi, [ebp+var_4]

loc_8E36E0:				; CODE XREF: PpDevCfgProcessDeviceOperations+6C893j
					; PpDevCfgProcessDeviceOperations+6C899j ...
		or	esi, [ebp+var_14]
		lea	eax, [ebp+var_4]
		push	ecx
		push	4
		push	eax
		push	4
		push	0Bh
		lea	edx, [ebp+var_5C]
		mov	[ebp+var_4], esi
		call	_PiDevCfgSetDeviceRegProp@28 ; PiDevCfgSetDeviceRegProp(x,x,x,x,x,x,x)
		jmp	loc_876EC6
; 

loc_8E36FE:				; CODE XREF: PpDevCfgProcessDeviceOperations+8Ej
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_876ED0
; END OF FUNCTION CHUNK	FOR PpDevCfgProcessDeviceOperations
; 
; START	OF FUNCTION CHUNK FOR PiDevCfgFreeDeviceContext

loc_8E370B:				; CODE XREF: PiDevCfgFreeDeviceContext+9j
		mov	eax, [esi+8]
		test	eax, eax
		jz	loc_876EF5
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_876EF5
; END OF FUNCTION CHUNK	FOR PiDevCfgFreeDeviceContext
; 
; START	OF FUNCTION CHUNK FOR PiQueryRemovableDeviceOverride

loc_8E3721:				; CODE XREF: PiQueryRemovableDeviceOverride+C9j
					; PiQueryRemovableDeviceOverride+F0j
		push	[ebp+var_3C]
		call	_ZwClose@4	; ZwClose(x)
		or	byte ptr [edi+1B8h], 4
		mov	al, [edi+1B8h]
		mov	cl, al
		jmp	loc_8770B6
; 

loc_8E373D:				; CODE XREF: PiQueryRemovableDeviceOverride+87j
					; PiQueryRemovableDeviceOverride+FBj
		test	al, 2
		jz	loc_877120
		jmp	loc_8770C1
; 

loc_8E374A:				; CODE XREF: PiQueryRemovableDeviceOverride+135j
					; PiQueryRemovableDeviceOverride+15Aj
		mov	al, cl
		or	al, 2
		jmp	loc_877120
; 

loc_8E3753:				; CODE XREF: PiQueryRemovableDeviceOverride+1F2j
		mov	esi, 0C000009Ah
		jmp	loc_8771B8
; 

loc_8E375D:				; CODE XREF: PiQueryRemovableDeviceOverride+22Dj
		mov	ecx, [ebp+var_24]
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	6E697050h
		push	[ebp+var_20]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jnz	short loc_8E3784
		mov	esi, 0C000009Ah

loc_8E3784:				; CODE XREF: PiQueryRemovableDeviceOverride+6C7BDj
		mov	eax, [ebp+var_20]
		mov	[ebp+var_1C], eax
		test	esi, esi
		js	loc_877216
		mov	edx, [edi+8]
		lea	eax, [ebp+var_20]
		push	ebx
		push	eax
		push	ecx
		mov	edx, [edx+18h]
		lea	eax, [ebp+var_50]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	[ebp+var_4C]
		push	[ebp+var_48]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_8771F3
; 

loc_8E37BA:				; CODE XREF: PiQueryRemovableDeviceOverride+23Bj
		mov	esi, 0C0000001h
		jmp	loc_877210
; 

loc_8E37C4:				; CODE XREF: PiQueryRemovableDeviceOverride+290j
		or	cl, 4
		mov	[eax+1B8h], cl
		mov	eax, [edi+8]
		jmp	loc_877256
; 

loc_8E37D5:				; CODE XREF: PiQueryRemovableDeviceOverride+16Dj
					; PiQueryRemovableDeviceOverride+2B7j
		cmp	[ebp+var_38], 1
		push	4
		mov	[ebp+var_2C], ebx
		pop	eax
		jnz	short loc_8E382C
		mov	word ptr [ebp+var_34+2], ax
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_2C]
		mov	word ptr [ebp+var_34], cx
		push	eax
		mov	[ebp+var_30], offset ??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@
		mov	[ebp+var_7C], 18h
		mov	[ebp+var_70], 240h
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_68], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_8E38B5

loc_8E382C:				; CODE XREF: PiQueryRemovableDeviceOverride+6C81Fj
		lea	eax, [ebp+var_80]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_54]
		call	PnpGetDeviceLocationStrings
		mov	esi, eax
		test	esi, esi
		js	short loc_8E3861
		mov	edx, [ebp+var_3C]
		lea	eax, [ebp+var_2C]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_54]
		call	_PnpOpenFirstMatchingSubKey@24 ; PnpOpenFirstMatchingSubKey(x,x,x,x,x,x)
		push	ebx
		push	[ebp+var_54]
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jns	short loc_8E38B5

loc_8E3861:				; CODE XREF: PiQueryRemovableDeviceOverride+6C87Ej
		cmp	[ebp+var_38], 1
		push	4
		pop	edi
		jbe	short loc_8E38B8
		push	2
		pop	eax
		mov	word ptr [ebp+var_34], ax
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_2C]
		mov	word ptr [ebp+var_34+2], di
		push	eax
		mov	[ebp+var_30], offset ??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_7C], 18h
		mov	[ebp+var_70], 240h
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_68], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		jmp	short loc_8E38B8
; 

loc_8E38B5:				; CODE XREF: PiQueryRemovableDeviceOverride+6C866j
					; PiQueryRemovableDeviceOverride+6C89Fj
		push	4
		pop	edi

loc_8E38B8:				; CODE XREF: PiQueryRemovableDeviceOverride+6C8A8j
					; PiQueryRemovableDeviceOverride+6C8F3j
		push	[ebp+var_3C]
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_877261
		push	14h
		pop	ecx
		push	12h
		pop	eax
		mov	word ptr [ebp+var_34], ax
		lea	eax, [ebp+var_84]
		push	eax
		push	ecx
		lea	eax, [ebp+var_18]
		mov	word ptr [ebp+var_34+2], cx
		push	eax
		push	2
		pop	eax
		push	eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_30], offset ??_C@_1BE@BCPLGAPH@?$AAR?$AAe?$AAm?$AAo?$AAv?$AAa?$AAb?$AAl?$AAe@NNGAKEGL@
		push	eax
		push	[ebp+var_2C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8E3913
		cmp	[ebp+var_14], edi
		jnz	short loc_8E390E
		cmp	[ebp+var_10], edi
		jnz	short loc_8E390E
		mov	ebx, [ebp+var_C]
		jmp	short loc_8E3913
; 

loc_8E390E:				; CODE XREF: PiQueryRemovableDeviceOverride+6C942j
					; PiQueryRemovableDeviceOverride+6C947j
		mov	esi, 0C0000001h

loc_8E3913:				; CODE XREF: PiQueryRemovableDeviceOverride+6C93Dj
					; PiQueryRemovableDeviceOverride+6C94Cj
		push	[ebp+var_2C]
		call	_ZwClose@4	; ZwClose(x)
		mov	ecx, [ebp+var_88]
		test	ebx, ebx
		setnz	al
		mov	[ecx], al
		jmp	loc_877261
; END OF FUNCTION CHUNK	FOR PiQueryRemovableDeviceOverride
; 
; START	OF FUNCTION CHUNK FOR PipFindDeviceOverrideEntry

loc_8E392D:				; CODE XREF: PipFindDeviceOverrideEntry+64j
		mov	esi, 0C000009Ah
		xor	edi, edi
		jmp	loc_877390
; 

loc_8E3939:				; CODE XREF: PipFindDeviceOverrideEntry+BDj
		mov	eax, edi
		mov	[ebp+var_C], eax
		jmp	loc_877342
; 

loc_8E3943:				; CODE XREF: PipFindDeviceOverrideEntry+143j
		mov	eax, [ebp+var_4]
		xor	edi, edi
		test	eax, eax
		jnz	short loc_8E3999
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20], 860084h
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_1C], offset ??_C@_1IG@GGMOEGCN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax
		mov	[ebp+var_4], edi
		mov	[ebp+var_40], 18h
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], 240h
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_877390
		mov	eax, [ebp+var_4]

loc_8E3999:				; CODE XREF: PipFindDeviceOverrideEntry+6C6CEj
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], edi
		push	eax
		mov	[ebp+var_58], 18h
		mov	[ebp+var_4C], 240h
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_877360
		push	[ebp+arg_0]
		push	[ebp+var_8]
		call	_PipCallbackHasDeviceOverrides@8 ; PipCallbackHasDeviceOverrides(x,x)
		test	al, al
		jnz	loc_877388
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		mov	esi, 0C0000034h
		jmp	loc_877360
; 

loc_8E39FA:				; CODE XREF: PipFindDeviceOverrideEntry+10Ej
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_877390
; 

loc_8E3A07:				; CODE XREF: PipFindDeviceOverrideEntry+118j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_87739A
; END OF FUNCTION CHUNK	FOR PipFindDeviceOverrideEntry
; 
; START	OF FUNCTION CHUNK FOR KseAddHardwareId

loc_8E3A14:				; CODE XREF: KseAddHardwareId+27j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		mov	esi, offset ??_C@_0ED@FLFLFABM@KSE?3?5Cannot?5add?5hardware?5id?5unt@NNGAKEGL@
		test	_KsepDebugFlag,	2
		push	0Ah
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 2CBh
		mov	dword_6C7024[eax*8], 0C0000001h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_8E3A5E
		push	esi		; char *
		push	0		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_8E3A5E:				; CODE XREF: KseAddHardwareId+6C570j
		push	esi		; char *
		push	0		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx
		jmp	loc_8775A1
; 

loc_8E3A6D:				; CODE XREF: KseAddHardwareId+97j
		test	al, 4
		jnz	loc_87757F
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_87757F
; 

loc_8E3A81:				; CODE XREF: KseAddHardwareId+B2j
		test	esi, esi
		jz	loc_87759A
		lea	ecx, [esi+14h]
		call	KsepStringFree
		mov	ecx, esi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		jmp	loc_87759A
; END OF FUNCTION CHUNK	FOR KseAddHardwareId

;  S U B	R O U T	I N E 


sub_8E3A9D	proc near		; CODE XREF: PiFindDevInstMatch+B7j
		push	ebx
		push	esi

loc_8E3A9F:				; CODE XREF: PiFindDevInstMatch+6C547j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E3AA4:				; CODE XREF: PiFindDevInstMatch+9Dj
		mov	eax, 0C000009Ah
		jmp	loc_87760E
sub_8E3A9D	endp

; 
; START	OF FUNCTION CHUNK FOR PiFindDevInstMatch

loc_8E3AAE:				; CODE XREF: PiFindDevInstMatch+F4j
		mov	word ptr [ebp+var_24], cx
		jmp	loc_8776AC
; 

loc_8E3AB7:				; CODE XREF: PiFindDevInstMatch+11Bj
		cmp	eax, 80000005h
		jz	short loc_8E3AC9
		cmp	eax, 0C0000023h
		jnz	loc_87771C

loc_8E3AC9:				; CODE XREF: PiFindDevInstMatch+6C510j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_10]
		push	20207050h
		push	eax
		push	1
		mov	[ebp+var_14], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8E3AF0
		dec	ebx
		jmp	loc_87771C
; 

loc_8E3AF0:				; CODE XREF: PiFindDevInstMatch+6C53Cj
		push	0
		push	edi
		jmp	short loc_8E3A9F
; 

loc_8E3AF5:				; CODE XREF: PiFindDevInstMatch+16Aj
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_24]
		mov	[ecx], eax
		mov	eax, [ebp+var_20]
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		jmp	loc_877726
; END OF FUNCTION CHUNK	FOR PiFindDevInstMatch
; 
; START	OF FUNCTION CHUNK FOR PiDevCfgProcessDeviceCallback

loc_8E3B0D:				; CODE XREF: PiDevCfgProcessDeviceCallback+C1j
		mov	edx, [esp+48h+var_38]
		lea	eax, [esp+48h+var_24]
		mov	ecx, [edi+18h]
		push	eax
		call	_PiDevCfgInitDeviceContext@12 ;	PiDevCfgInitDeviceContext(x,x,x)
		test	eax, eax
		js	loc_877851
		test	byte ptr ds:_PiDevCfgFlags, 2
		mov	edx, [esp+48h+var_3C]
		setnz	cl
		bt	edx, 0Ah
		setb	al
		test	cl, al
		jz	short loc_8E3B44
		and	edx, 0FFFFFFDFh
		jmp	short loc_8E3B5D
; 

loc_8E3B44:				; CODE XREF: PiDevCfgProcessDeviceCallback+6C3C5j
		lea	edx, [esp+48h+var_2C]
		lea	ecx, [esp+48h+var_24]
		call	_PiDevCfgCheckDeviceNeedsUpdate@8 ; PiDevCfgCheckDeviceNeedsUpdate(x,x)
		mov	edx, [esp+48h+var_3C]
		test	eax, eax
		js	short loc_8E3B5D
		or	edx, [esp+48h+var_2C]

loc_8E3B5D:				; CODE XREF: PiDevCfgProcessDeviceCallback+6C3CAj
					; PiDevCfgProcessDeviceCallback+6C3DFj
		push	ecx
		push	4
		lea	eax, [esp+50h+var_3C]
		and	edx, 0FFFBFFFFh
		push	eax
		push	4
		mov	[esp+58h+var_3C], edx
		lea	edx, [esp+58h+var_24]
		push	0Bh
		call	_PiDevCfgSetDeviceRegProp@28 ; PiDevCfgSetDeviceRegProp(x,x,x,x,x,x,x)
		mov	ebx, [esp+48h+var_3C]
		jmp	loc_87783F
; 

loc_8E3B85:				; CODE XREF: PiDevCfgProcessDeviceCallback+CAj
		mov	ecx, edi
		call	_PipAreDriversLoaded@4 ; PipAreDriversLoaded(x)
		test	eax, eax
		jz	short loc_8E3BB1
		push	ecx
		push	4
		lea	eax, [esp+50h+var_3C]
		and	ebx, 0FFFFFFFDh
		push	eax
		push	4
		push	0Bh
		lea	edx, [esp+5Ch+var_24]
		mov	[esp+5Ch+var_3C], ebx
		call	_PiDevCfgSetDeviceRegProp@28 ; PiDevCfgSetDeviceRegProp(x,x,x,x,x,x,x)
		jmp	loc_877851
; 

loc_8E3BB1:				; CODE XREF: PiDevCfgProcessDeviceCallback+6C416j
		push	63647050h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_877851
		mov	edx, [esp+48h+var_28]
		lea	ecx, [esi+8]
		xor	eax, eax
		mov	edi, esi
		stosd
		stosd
		stosd
		stosd
		call	_PnpDuplicateUnicodeString@8 ; PnpDuplicateUnicodeString(x,x)
		test	al, al
		jz	short loc_8E3C48
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jz	short loc_8E3BF0
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8E3BF0:				; CODE XREF: PiDevCfgProcessDeviceCallback+6C471j
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		jmp	loc_877851
; 

loc_8E3BFF:				; CODE XREF: PiDevCfgProcessDeviceCallback+D3j
		mov	ecx, [edi+10h]
		xor	ebx, ebx
		push	ebx
		push	ebx
		xor	edx, edx
		test	dword ptr [edi+10Ch], 6000h
		push	ebx
		push	ebx
		jz	short loc_8E3C34
		push	1
		inc	edx
		call	PnpRequestDeviceAction
		mov	ecx, [edi+10h]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	1
		push	10h
		pop	edx
		call	PnpRequestDeviceAction
		jmp	loc_877851
; 

loc_8E3C34:				; CODE XREF: PiDevCfgProcessDeviceCallback+6C49Cj
		push	ebx
		push	ebx
		push	ebx
		push	0C0000495h
		push	12h
		push	ebx
		push	ebx
		push	ebx
		call	_PnpSetTargetDeviceRemove@56 ; PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_8E3C4A
; 

loc_8E3C48:				; CODE XREF: PiDevCfgProcessDeviceCallback+6C467j
		xor	ebx, ebx

loc_8E3C4A:				; CODE XREF: PiDevCfgProcessDeviceCallback+6C4CEj
		test	esi, esi
		jz	loc_877851
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_877851
; END OF FUNCTION CHUNK	FOR PiDevCfgProcessDeviceCallback
; 
; START	OF FUNCTION CHUNK FOR IopWriteResourceList

loc_8E3C5E:				; CODE XREF: IopWriteResourceList+52j
		push	[ebp+arg_4]
		mov	esi, [ebp+var_8]
		push	esi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	loc_8778E9
; END OF FUNCTION CHUNK	FOR IopWriteResourceList
; 
; START	OF FUNCTION CHUNK FOR IopCreateRegistryKeyEx

loc_8E3C6F:				; CODE XREF: IopCreateRegistryKeyEx+69j
		test	esi, esi
		jz	loc_87797D
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		and	[ebp+var_20], 0
		mov	[ebp+var_1C], esi
		mov	[ebp+var_8], edx
		mov	eax, [ecx+4]
		movzx	ecx, word ptr [ecx]
		add	ecx, eax
		mov	[ebp+var_1], 1
		mov	[ebp+arg_0], eax
		mov	[ebp+var_14], ecx

loc_8E3C98:				; CODE XREF: IopCreateRegistryKeyEx+6C460j
		cmp	edx, 1
		jbe	short loc_8E3CB2
		mov	eax, [ebp+var_C]
		push	[ebp+eax*4+var_20]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_8]

loc_8E3CB2:				; CODE XREF: IopCreateRegistryKeyEx+6C3A1j
		mov	[ebp+var_C], ebx
		lea	esi, [ebp+var_20]
		dec	ebx
		and	ebx, 1
		lea	esi, [esi+ebx*4]
		and	dword ptr [esi], 0
		mov	esi, eax
		cmp	eax, ecx
		jnb	short loc_8E3CD5

loc_8E3CC8:				; CODE XREF: IopCreateRegistryKeyEx+6C3D9j
		cmp	word ptr [esi],	5Ch
		jz	short loc_8E3CD5
		add	esi, 2
		cmp	esi, ecx
		jb	short loc_8E3CC8

loc_8E3CD5:				; CODE XREF: IopCreateRegistryKeyEx+6C3CCj
					; IopCreateRegistryKeyEx+6C3D2j
		mov	edi, esi
		sub	edi, eax
		jz	short loc_8E3D4D
		mov	[ebp+var_24], eax
		xor	ecx, ecx
		mov	eax, [ebp+var_C]
		mov	word ptr [ebp+var_28+2], di
		mov	word ptr [ebp+var_28], di
		mov	[ebp+var_40], 18h
		mov	eax, [ebp+eax*4+var_20]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+arg_8]
		lea	eax, [ebp+var_40]
		mov	[ebp+var_34], 240h
		push	ecx
		push	ecx
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ebp+var_20]
		mov	[ebp+var_30], ecx
		lea	eax, [eax+ebx*4]
		mov	[ebp+var_2C], ecx
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	edx, [ebp+var_8]
		mov	edi, eax
		test	edi, edi
		js	short loc_8E3D60
		mov	ecx, [ebp+var_14]
		inc	edx
		mov	[ebp+var_8], edx
		cmp	esi, ecx
		jz	short loc_8E3D48
		lea	eax, [esi+2]
		mov	[ebp+arg_0], eax
		cmp	eax, ecx
		jz	short loc_8E3D52
		jmp	short loc_8E3D56
; 

loc_8E3D48:				; CODE XREF: IopCreateRegistryKeyEx+6C440j
		mov	eax, [ebp+arg_0]
		jmp	short loc_8E3D52
; 

loc_8E3D4D:				; CODE XREF: IopCreateRegistryKeyEx+6C3DFj
		mov	edi, 0C000000Dh

loc_8E3D52:				; CODE XREF: IopCreateRegistryKeyEx+6C44Aj
					; IopCreateRegistryKeyEx+6C451j
		mov	[ebp+var_1], 0

loc_8E3D56:				; CODE XREF: IopCreateRegistryKeyEx+6C44Cj
		cmp	[ebp+var_1], 0
		jnz	loc_8E3C98

loc_8E3D60:				; CODE XREF: IopCreateRegistryKeyEx+6C435j
		cmp	edx, 1
		jbe	loc_877969
		mov	eax, [ebp+var_C]
		push	[ebp+eax*4+var_20]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_877969
; END OF FUNCTION CHUNK	FOR IopCreateRegistryKeyEx
; 
; START	OF FUNCTION CHUNK FOR IopFilterResourceRequirementsCall

loc_8E3D7A:				; CODE XREF: IopFilterResourceRequirementsCall+9Aj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [ebp+var_C]
		jmp	loc_877AC4
; 

loc_8E3D91:				; CODE XREF: IopFilterResourceRequirementsCall+35j
		mov	esi, 0C000009Ah
		jmp	loc_877ACC
; END OF FUNCTION CHUNK	FOR IopFilterResourceRequirementsCall
; 
; START	OF FUNCTION CHUNK FOR PnpGetResourceRequirementsForAssignTable

loc_8E3D9B:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+4Cj
		mov	ebx, esi
		jmp	loc_877B43
; 

loc_8E3DA2:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+6Fj
		mov	eax, [ebx+128h]
		test	eax, eax
		jz	loc_877B5D
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, 200h
		mov	[ebx+128h], esi
		mov	ecx, ebx
		call	PipClearDevNodeFlags
		or	dword ptr [edi-10h], 400h
		jmp	loc_877B5D
; 

loc_8E3DD5:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+135j
		mov	edx, [ebx+11Ch]
		lea	eax, [ebp+var_10]
		mov	ecx, [edi]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	PnpFilterResourceRequirementsList
		test	eax, eax
		js	short loc_8E3DFC
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_8E3DFC
		mov	[edi], eax
		jmp	loc_877C23
; 

loc_8E3DFC:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+6C304j
					; PnpGetResourceRequirementsForAssignTable+6C30Bj
		and	dword ptr [edi-10h], 0FFFFFDFFh
		jmp	loc_877C23
; 

loc_8E3E08:				; CODE XREF: PnpGetResourceRequirementsForAssignTable+166j
		lea	edx, [edi+14h]
		lea	ecx, [edi-14h]
		call	PnpFreeResourceRequirementsForAssignTable
		mov	eax, 0C0000182h
		jmp	loc_877B91
; END OF FUNCTION CHUNK	FOR PnpGetResourceRequirementsForAssignTable
; 
; START	OF FUNCTION CHUNK FOR PnpBusTypeGuidGetIndex

loc_8E3E1D:				; CODE XREF: PnpBusTypeGuidGetIndex+69j
		push	75737050h
		lea	eax, [ebx+1]
		shl	eax, 4
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_8E3E6C
		mov	eax, _PnpBusTypeGuidCount
		mov	edi, _PnpBusTypeGuidArray
		shl	eax, 4
		push	eax		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		inc	_PnpBusTypeGuidCountMax
		test	edi, edi
		jz	short loc_8E3E61
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E3E61:				; CODE XREF: PnpBusTypeGuidGetIndex+6C1E1j
		mov	_PnpBusTypeGuidArray, esi
		jmp	loc_877CE5
; 

loc_8E3E6C:				; CODE XREF: PnpBusTypeGuidGetIndex+6C1BEj
		or	ebx, 0FFFFFFFFh
		jmp	loc_877CE5
; END OF FUNCTION CHUNK	FOR PnpBusTypeGuidGetIndex
; 
; START	OF FUNCTION CHUNK FOR KsepCacheInsert

loc_8E3E74:				; CODE XREF: KsepCacheInsert+64j
		mov	eax, [ecx]
		mov	edx, [eax]
		lea	edi, [eax-0Ch]
		cmp	[edx+4], eax
		jnz	loc_877D7F
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_877D7F
		mov	[ecx], edx
		lea	eax, [edi+4]
		mov	[edx+4], ecx
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_877D7F
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_877D7F
		mov	[ecx], edx
		mov	[edx+4], ecx
		dec	dword ptr [esi+4]
		inc	dword ptr [esi+2Ch]
		push	edi
		call	dword ptr [esi+38h]
		jmp	loc_877D76
; END OF FUNCTION CHUNK	FOR KsepCacheInsert
; 
; START	OF FUNCTION CHUNK FOR KsepStringDuplicate

loc_8E3EC1:				; CODE XREF: KsepStringDuplicate+14j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		push	3
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 252h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	loc_877D9E
		push	edi
		push	ecx
		push	offset ??_C@_0BP@MHONLNCD@minkernel?2ntos?2kshim?2ksemisc?4c@NNGAKEGL@
		push	offset ??_C@_0BF@LFGACLEE@SourceString?5?$CB?$DN?5NULL@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		jmp	loc_877D9E
; END OF FUNCTION CHUNK	FOR KsepStringDuplicate
; 
; START	OF FUNCTION CHUNK FOR PiIommuAllocateExtension

loc_8E3F16:				; CODE XREF: PiIommuAllocateExtension+25j
		mov	edi, 0C000009Ah
		jmp	loc_877EE0
; 

loc_8E3F20:				; CODE XREF: PiIommuAllocateExtension+4Cj
		mov	edi, 0C00000BBh
		jmp	loc_877E81
; 

loc_8E3F2A:				; CODE XREF: PiIommuAllocateExtension+41j
					; PiIommuAllocateExtension+5Fj
		mov	ecx, esi
		call	_PiIommuFreeExtension@4	; PiIommuFreeExtension(x)
		xor	esi, esi
		jmp	loc_877EE0
; END OF FUNCTION CHUNK	FOR PiIommuAllocateExtension
; 
; START	OF FUNCTION CHUNK FOR PipIommuRetrieveDeviceId

loc_8E3F38:				; CODE XREF: PipIommuRetrieveDeviceId+1Bj
		mov	edi, 0C00000BBh
		jmp	loc_877F71
; 

loc_8E3F42:				; CODE XREF: PipIommuRetrieveDeviceId+69j
					; PipIommuRetrieveDeviceId+7Dj
		test	esi, esi
		jz	loc_877F71
		push	64706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		jmp	loc_877F71
; END OF FUNCTION CHUNK	FOR PipIommuRetrieveDeviceId
; 
; START	OF FUNCTION CHUNK FOR PipIommuValidateDeviceId

loc_8E3F5C:				; CODE XREF: PipIommuValidateDeviceId+2Cj
		push	eax
		push	edi
		push	ebx
		push	12h
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8E3F6C:				; CODE XREF: PipAddDependentsToRebuildPowerRelationsQueue+17j
		push	0
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_PiEnumerateDependentListEntry@12 ; PiEnumerateDependentListEntry(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	esi, [esi]
		test	ecx, ecx
		jz	loc_877FED
		call	_PipAddtoRebuildPowerRelationsQueue@4 ;	PipAddtoRebuildPowerRelationsQueue(x)
		jmp	loc_877FED
; END OF FUNCTION CHUNK	FOR PipIommuValidateDeviceId
; 
; START	OF FUNCTION CHUNK FOR PipQueryBindingResolution

loc_8E3F8F:				; CODE XREF: PipQueryBindingResolution+14j
		mov	eax, [ecx+4]
		test	eax, eax
		jz	loc_8780B8
		mov	eax, [eax+0B0h]
		mov	esi, [eax+2Ch]
		jmp	loc_8780B8
; END OF FUNCTION CHUNK	FOR PipQueryBindingResolution
; 
; START	OF FUNCTION CHUNK FOR PiValidatePowerRelations

loc_8E3FA8:				; CODE XREF: PiValidatePowerRelations+4Dj
		cmp	[edx+4], esi
		jnz	loc_8785E7
		mov	ebx, [edx]
		cmp	[ebx+4], edx
		jnz	loc_8785E7
		mov	[esi], ebx
		mov	[ebx+4], esi
		lea	esi, [esp+18h+var_8]
		mov	ebx, [esp+18h+var_4]
		cmp	[ebx], esi
		jnz	loc_8785E7
		mov	[edx], esi
		mov	[edx+4], ebx
		mov	[ebx], edx
		mov	[esp+18h+var_4], edx
		jmp	loc_878554
; 

loc_8E3FE1:				; CODE XREF: PiValidatePowerRelations+5Bj
		push	0
		push	dword ptr [ecx+10h]
		push	dword ptr [edi+10h]
		push	0Ch
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8E3FF6:				; CODE XREF: PiQueryPowerDependencyRelations+65j
		mov	ebx, [eax]
		cmp	ebx, eax
		jz	short loc_8E4034
		mov	edi, [ebp+var_4]

loc_8E3FFF:				; CODE XREF: PiValidatePowerRelations+6BB1Dj
		push	0
		lea	edx, [ebp+var_8]
		mov	ecx, ebx
		call	_PiEnumerateProviderListEntry@12 ; PiEnumerateProviderListEntry(x,x,x)
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_8E4027
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_8E4027
		add	eax, 5Ch
		cmp	[esi+14h], eax
		jz	short loc_8E402D

loc_8E4027:				; CODE XREF: PiValidatePowerRelations+6BB02j
					; PiValidatePowerRelations+6BB0Fj
		mov	ebx, [ebx]
		cmp	ebx, edi
		jnz	short loc_8E3FFF

loc_8E402D:				; CODE XREF: PiValidatePowerRelations+6BB17j
		cmp	ebx, edi
		mov	edi, [ebp+var_14]
		jnz	short loc_8E4078

loc_8E4034:				; CODE XREF: PiValidatePowerRelations+6BAECj
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_8E4123
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_8E4123
		mov	[ecx], eax
		mov	[eax+4], ecx
		lea	ecx, [esi+0Ch]
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	loc_8E4123
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_8E4123
		push	72775044h
		mov	[eax], edx
		push	esi
		mov	[edx+4], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E4078:				; CODE XREF: PiValidatePowerRelations+6BB24j
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_4]
		jmp	loc_878621
; END OF FUNCTION CHUNK	FOR PiValidatePowerRelations
; 
; START	OF FUNCTION CHUNK FOR PiQueryPowerDependencyRelations

loc_8E4083:				; CODE XREF: PiQueryPowerDependencyRelations+6Dj
					; PiQueryPowerDependencyRelations+6BB2Cj
		push	0
		lea	edx, [ebp+var_8]
		mov	ecx, ebx
		call	_PiEnumerateProviderListEntry@12 ; PiEnumerateProviderListEntry(x,x,x)
		mov	eax, [ebp+var_8]
		mov	ebx, [ebx]
		test	eax, eax
		jz	short loc_8E4116
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jz	short loc_8E4116
		cmp	dword ptr [ecx+8], 0
		jz	short loc_8E4116
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_8E40C6
		add	ecx, 5Ch

loc_8E40B7:				; CODE XREF: PiQueryPowerDependencyRelations+6BAD4j
		cmp	[eax+14h], ecx
		jz	short loc_8E40C2
		mov	eax, [eax]
		cmp	eax, edi
		jnz	short loc_8E40B7

loc_8E40C2:				; CODE XREF: PiQueryPowerDependencyRelations+6BACEj
		cmp	eax, edi
		jnz	short loc_8E4116

loc_8E40C6:				; CODE XREF: PiQueryPowerDependencyRelations+6BAC6j
		push	72775044h
		push	1Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_8E4128
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_18]
		mov	[eax+8], ecx
		mov	byte ptr [eax+18h], 1
		lea	ecx, [edx+5Ch]
		mov	[eax+14h], ecx
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_8E4123
		mov	[eax], edi
		add	edx, 64h
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edi+4], eax
		add	eax, 0Ch
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	short loc_8E4123
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edx+4], eax

loc_8E4116:				; CODE XREF: PiQueryPowerDependencyRelations+6BAAAj
					; PiQueryPowerDependencyRelations+6BABAj ...
		cmp	ebx, esi
		jnz	loc_8E4083
		jmp	loc_87862B
; 

loc_8E4123:				; CODE XREF: PiValidatePowerRelations+6BB2Bj
					; PiValidatePowerRelations+6BB36j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8E4128:				; CODE XREF: PiQueryPowerDependencyRelations+6BAEDj
		mov	[ebp+var_10], 0C000009Ah
		jmp	loc_87862B
; END OF FUNCTION CHUNK	FOR PiQueryPowerDependencyRelations
; 
; START	OF FUNCTION CHUNK FOR PipCheckIfAllProvidersHaveDevnodes

loc_8E4134:				; CODE XREF: PipCheckIfAllProvidersHaveDevnodes+1Aj
		push	0
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_PiEnumerateProviderListEntry@12 ; PiEnumerateProviderListEntry(x,x,x)
		mov	ecx, [ebp+var_4]
		call	_PipIsDeviceReadyForPowerRelations@4 ; PipIsDeviceReadyForPowerRelations(x)
		test	al, al
		jz	short loc_8E4153
		mov	esi, [esi]
		jmp	loc_878682
; 

loc_8E4153:				; CODE XREF: PipCheckIfAllProvidersHaveDevnodes+6BAE0j
		xor	al, al
		jmp	loc_87868C
; END OF FUNCTION CHUNK	FOR PipCheckIfAllProvidersHaveDevnodes
; 
; START	OF FUNCTION CHUNK FOR PipCreateDependencyNode

loc_8E415A:				; CODE XREF: PipCreateDependencyNode+6Bj
		mov	edx, [ebx+4]
		mov	ecx, esi
		call	_PipAddBindingId@8 ; PipAddBindingId(x,x)
		mov	edi, eax
		test	edi, edi
		jns	loc_878717

loc_8E416E:				; CODE XREF: PipCreateDependencyNode+8Cj
		mov	ecx, esi
		call	_PipDeleteDependencyNode@4 ; PipDeleteDependencyNode(x)
		xor	esi, esi
		jmp	loc_878722
; END OF FUNCTION CHUNK	FOR PipCreateDependencyNode
; 
; START	OF FUNCTION CHUNK FOR IopCreateSecureDeviceClassSettings

loc_8E417C:				; CODE XREF: IopCreateSecureDeviceClassSettings+A0j
					; IopCreateSecureDeviceClassSettings+DCj ...
		cmp	esi, 0C0000034h
		jnz	loc_878A89
		jmp	loc_878A3F
; 

loc_8E418D:				; CODE XREF: IopCreateSecureDeviceClassSettings+17Dj
		cmp	[ebp+var_10], 0
		jz	short loc_8E419F
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_10], 0

loc_8E419F:				; CODE XREF: IopCreateSecureDeviceClassSettings+6B897j
		cmp	[ebp+var_8], 0
		jz	short loc_8E41B1
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_8], 0

loc_8E41B1:				; CODE XREF: IopCreateSecureDeviceClassSettings+6B8A9j
		lea	eax, [ebp+var_14]
		xor	edx, edx
		push	eax
		push	0
		push	0F003Fh
		lea	eax, [ebp+var_24]
		push	eax
		lea	ecx, [ebp+var_10]
		call	IopCreateRegistryKeyEx
		mov	esi, eax
		test	esi, esi
		js	loc_878A89

loc_8E41D4:				; CODE XREF: IopCreateSecureDeviceClassSettings+187j
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		push	eax
		push	0
		push	0F003Fh
		lea	eax, [ebp+var_2C]
		push	eax
		lea	ecx, [ebp+var_8]
		call	IopCreateRegistryKeyEx
		mov	esi, eax
		test	esi, esi
		js	loc_878A89
		cmp	[ebp+var_14], 2
		jnz	short loc_8E427B
		cmp	[ebp+var_C], 0
		jz	short loc_8E4210
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_C], 0

loc_8E4210:				; CODE XREF: IopCreateSecureDeviceClassSettings+6B908j
		push	offset ??_C@_1BG@COALCEMK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAi?$AAe?$AAs@NNGAKEGL@
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], ecx
		push	eax
		mov	[ebp+var_4C], 18h
		mov	[ebp+var_40], 240h
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8E426A
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		call	IopQuerySecureDeviceClassState
		jmp	loc_8E4313
; 

loc_8E426A:				; CODE XREF: IopCreateSecureDeviceClassSettings+6B95Fj
		cmp	esi, 0C0000034h
		jnz	loc_878A89
		jmp	loc_878A87
; 

loc_8E427B:				; CODE XREF: IopCreateSecureDeviceClassSettings+6B902j
		mov	esi, [ebp+var_1C]
		mov	esi, [esi+18h]
		add	esi, 0Ch
		jnz	short loc_8E4290
		mov	esi, 0C000009Ah
		jmp	loc_878A89
; 

loc_8E4290:				; CODE XREF: IopCreateSecureDeviceClassSettings+6B98Aj
		push	offset ??_C@_1M@OAHBGIFG@?$AAC?$AAl?$AAa?$AAs?$AAs@NNGAKEGL@
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, word ptr [esi]
		add	eax, 2
		push	eax
		push	dword ptr [esi+4]
		lea	eax, [ebp+var_24]
		push	1
		push	0
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_878A89
		push	offset ??_C@_1BO@DAOBINHA@?$AAN?$AAo?$AAD?$AAi?$AAs?$AAp?$AAl?$AAa?$AAy?$AAC?$AAl?$AAa?$AAs?$AAs@NNGAKEGL@
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		mov	ebx, offset ??_C@_13JGCMLPCH@?$AA1@NNGAKEGL@
		lea	eax, [ebp+var_24]
		push	ebx
		push	1
		push	0
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_878A89
		push	offset ??_C@_1BG@OPOOGLJC@?$AAN?$AAo?$AAU?$AAs?$AAe?$AAC?$AAl?$AAa?$AAs?$AAs@NNGAKEGL@
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		push	ebx
		push	1
		push	0
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_8E4313:				; CODE XREF: IopCreateSecureDeviceClassSettings+6B96Bj
		mov	esi, eax
		jmp	loc_878A89
; END OF FUNCTION CHUNK	FOR IopCreateSecureDeviceClassSettings
; 
; START	OF FUNCTION CHUNK FOR IopGetPersistedStateLocation

loc_8E431A:				; CODE XREF: IopGetPersistedStateLocation+4Cj
		cmp	[ebp+var_4], ebx
		jbe	short loc_8E433F
		mov	ebx, [ebp+var_4]
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	63466F49h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, [ebp+var_8]
		jmp	loc_878AF7
; 

loc_8E433F:				; CODE XREF: IopGetPersistedStateLocation+6B84Bj
		mov	edi, 0C00000E5h
		jmp	loc_878B24
; 

loc_8E4349:				; CODE XREF: IopGetPersistedStateLocation+29j
		mov	edi, 0C000009Ah

loc_8E434E:				; CODE XREF: IopGetPersistedStateLocation+54j
		test	esi, esi
		jz	loc_878B2C
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		jmp	loc_878B2C
; END OF FUNCTION CHUNK	FOR IopGetPersistedStateLocation
; 
; START	OF FUNCTION CHUNK FOR IopQuerySecureDeviceClassState

loc_8E4365:				; CODE XREF: IopQuerySecureDeviceClassState+48j
		mov	ebx, 0C000014Ch
		jmp	loc_878C6F
; 

loc_8E436F:				; CODE XREF: IopQuerySecureDeviceClassState+3Bj
		cmp	ebx, 0C0000034h
		jnz	loc_878C6C
		mov	esi, [ebp+var_8]
		xor	ebx, ebx

loc_8E4380:				; CODE XREF: IopQuerySecureDeviceClassState+7Fj
		mov	edi, [ebp+var_10]
		jmp	loc_878BE4
; 

loc_8E4388:				; CODE XREF: IopQuerySecureDeviceClassState+C6j
		mov	ecx, [ebp+var_8]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_8E43A2
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_8E43A2
		mov	eax, [ecx+8]
		or	dword ptr [edi], 1
		mov	eax, [ecx+eax]
		jmp	short loc_8E43A4
; 

loc_8E43A2:				; CODE XREF: IopQuerySecureDeviceClassState+6B855j
					; IopQuerySecureDeviceClassState+6B85Bj
		xor	eax, eax

loc_8E43A4:				; CODE XREF: IopQuerySecureDeviceClassState+6B866j
		push	0
		push	ecx
		mov	[edi+4], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		mov	[ebp+var_8], esi
		jmp	loc_878C11
; 

loc_8E43B9:				; CODE XREF: IopQuerySecureDeviceClassState+F3j
		mov	ecx, [ebp+var_8]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_8E43D3
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_8E43D3
		mov	eax, [ecx+8]
		or	dword ptr [edi], 4
		mov	eax, [ecx+eax]
		jmp	short loc_8E43D5
; 

loc_8E43D3:				; CODE XREF: IopQuerySecureDeviceClassState+6B886j
					; IopQuerySecureDeviceClassState+6B88Cj
		xor	eax, eax

loc_8E43D5:				; CODE XREF: IopQuerySecureDeviceClassState+6B897j
		push	0
		push	ecx
		mov	[edi+0Ch], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		mov	[ebp+var_8], esi
		jmp	loc_878C3E
; 

loc_8E43EA:				; CODE XREF: IopQuerySecureDeviceClassState+120j
		mov	ecx, [ebp+var_8]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_8E4404
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_8E4404
		mov	eax, [ecx+8]
		or	dword ptr [edi], 8
		mov	eax, [ecx+eax]
		jmp	short loc_8E4406
; 

loc_8E4404:				; CODE XREF: IopQuerySecureDeviceClassState+6B8B7j
					; IopQuerySecureDeviceClassState+6B8BDj
		xor	eax, eax

loc_8E4406:				; CODE XREF: IopQuerySecureDeviceClassState+6B8C8j
		push	0
		push	ecx
		mov	[edi+10h], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		jmp	loc_878C6F
; 

loc_8E4418:				; CODE XREF: IopQuerySecureDeviceClassState+146j
		mov	edi, [ebp+var_10]
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_8E442A
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E442A:				; CODE XREF: IopQuerySecureDeviceClassState+6B8E6j
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		stosd
		jmp	loc_878C86
; 

loc_8E4436:				; CODE XREF: IopQuerySecureDeviceClassState+14Ej
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_878C8E
; END OF FUNCTION CHUNK	FOR IopQuerySecureDeviceClassState
; 
; START	OF FUNCTION CHUNK FOR KsepStringTransform

loc_8E4443:				; CODE XREF: KsepStringTransform+18j
		mov	eax, ebx
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		mov	word_6C7022[eax*8], cx
		mov	ecx, 31Dh
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_8E448E
		push	esi
		push	ecx
		push	offset ??_C@_0BP@MHONLNCD@minkernel?2ntos?2kshim?2ksemisc?4c@NNGAKEGL@
		push	offset ??_C@_0BF@KKGDEIMI@TargetString?5?$CB?$DN?5NULL@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		mov	edx, [ebp+var_4]

loc_8E448E:				; CODE XREF: KsepStringTransform+6B7D2j
		push	3
		pop	ecx
		jmp	loc_878CC4
; 

loc_8E4496:				; CODE XREF: KsepStringTransform+20j
		lock xadd _KsepHistoryErrorsIndex, ebx
		inc	ebx
		and	ebx, 3Fh
		mov	eax, 31Eh
		test	_KsepDebugFlag,	4
		mov	dword_6C7024[ebx*8], 0C0000420h
		mov	word_6C7022[ebx*8], cx
		mov	_KsepHistoryErrors[ebx*8], ax
		jz	loc_878CCC
		push	esi
		push	eax
		push	offset ??_C@_0BP@MHONLNCD@minkernel?2ntos?2kshim?2ksemisc?4c@NNGAKEGL@
		push	offset ??_C@_0BF@LFGACLEE@SourceString?5?$CB?$DN?5NULL@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		mov	edx, [ebp+var_4]
		jmp	loc_878CCC
; END OF FUNCTION CHUNK	FOR KsepStringTransform
; 
; START	OF FUNCTION CHUNK FOR KsepDbQueryRegistryDeviceData

loc_8E44E8:				; CODE XREF: KsepDbQueryRegistryDeviceData+49j
		mov	edx, [esp+20h+var_C]
		lea	ecx, [esp+20h+var_14]
		mov	[esp+20h+var_10], esi
		mov	esi, [ebp+arg_4]
		push	ecx		; int
		mov	ecx, [esp+24h+var_18]
		mov	eax, [esi]
		push	eax		; int
		push	[ebp+arg_8]	; void *
		mov	[esp+2Ch+var_14], eax
		lea	eax, [esp+2Ch+var_10]
		push	eax		; int
		call	_KsepRegistryQueryValue@24 ; KsepRegistryQueryValue(x,x,x,x,x,x)
		mov	edi, eax
		mov	eax, [esp+20h+var_14]
		mov	[esi], eax
		cmp	edi, 0C0000034h
		jz	loc_878D63
		test	edi, edi
		js	loc_878D68
		mov	eax, [ebp+arg_0]
		mov	ecx, [esp+20h+var_10]
		or	ecx, 10000000h
		or	[eax], ecx
		xor	edi, edi
		jmp	loc_878D68
; 

loc_8E4542:				; CODE XREF: KsepDbQueryRegistryDeviceData+59j
		push	[esp+20h+var_18]
		call	_ZwClose@4	; ZwClose(x)
		lock inc dword_6C6FBC
		jmp	loc_878D73
; END OF FUNCTION CHUNK	FOR KsepDbQueryRegistryDeviceData
; 
; START	OF FUNCTION CHUNK FOR KsepDbCacheQueryDevice

loc_8E4557:				; CODE XREF: KsepDbCacheQueryDevice+66j
		test	dl, 4
		jnz	loc_878DF2
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_878DF2
; END OF FUNCTION CHUNK	FOR KsepDbCacheQueryDevice
; 
; START	OF FUNCTION CHUNK FOR KseQueryDeviceData

loc_8E456C:				; CODE XREF: KseQueryDeviceData+78j
		call	_KseResetDeviceCache@0 ; KseResetDeviceCache()
		jmp	loc_878EC1
; 

loc_8E4576:				; CODE XREF: KseQueryDeviceData+D1j
		push	[ebp+var_4]
		call	_KsepCacheDeviceFree@4 ; KsepCacheDeviceFree(x)
		jmp	loc_878F01
; 

loc_8E4583:				; CODE XREF: KseQueryDeviceData+119j
		push	esi
		push	[ebp+arg_0]
		push	edi		; char
		push	offset ??_C@_0DD@IINLDOPB@KSE?3?5Query?5device?5?$FL?$CFws?0?5?$CFws?$FN?3?5f@NNGAKEGL@	; "KSE:	Query device [%ws, %ws]: found in "...
		push	ebx		; int
		call	_KsepDebugPrint
		add	esp, 14h
		jmp	loc_878F49
; 

loc_8E459B:				; CODE XREF: KseQueryDeviceData+2Dj
					; KseQueryDeviceData+38j ...
		mov	esi, 0C000000Dh
		jmp	loc_878ED2
; 

loc_8E45A5:				; CODE XREF: KseQueryDeviceData+15j
					; KseQueryDeviceData+22j
		mov	esi, 0C0000225h
		jmp	loc_878ED2
; END OF FUNCTION CHUNK	FOR KseQueryDeviceData
; 
; START	OF FUNCTION CHUNK FOR KseQueryDeviceFlags

loc_8E45AF:				; CODE XREF: KseQueryDeviceFlags+37j
					; KseQueryDeviceFlags+42j ...
		mov	ebx, 0C000000Dh
		jmp	loc_878FF2
; END OF FUNCTION CHUNK	FOR KseQueryDeviceFlags

;  S U B	R O U T	I N E 


sub_8E45B9	proc near		; CODE XREF: PnpBuildCmResourceList+DBj
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E45C0:				; CODE XREF: PnpBuildCmResourceList+A9j
		mov	dword ptr [esi+24h], 0C000009Ah
		jmp	short loc_8E4624
; 

loc_8E45C9:				; CODE XREF: PnpBuildCmResourceList+1E2j
		mov	esi, ebx
		jmp	loc_87925B
; 

loc_8E45D0:				; CODE XREF: PnpBuildCmResourceList+1AEj
		push	ebx

loc_8E45D1:				; CODE XREF: PnpBuildCmResourceList+210j
		push	dword ptr [ebp-244h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	dword ptr [ebp-214h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		cmp	esi, 0C000022Dh
		mov	esi, [ebp-228h]
		setnz	al
		dec	eax
		and	eax, 193h
		add	eax, 0C000009Ah
		mov	[esi+24h], eax
		jmp	loc_879322
; 

loc_8E460C:				; CODE XREF: PnpBuildCmResourceList+3E8j
		lea	ecx, [ebp-200h]
		mov	[ebp-204h], ecx
		jmp	loc_87945E
; 

loc_8E461D:				; CODE XREF: PnpBuildCmResourceList+4Fj
					; PnpBuildCmResourceList+7Bj
		mov	dword ptr [esi+24h], 0C00000E5h

loc_8E4624:				; CODE XREF: sub_8E45B9+Ej
		mov	[esi+20h], ebx
		jmp	loc_879322
sub_8E45B9	endp

; 
; START	OF FUNCTION CHUNK FOR IopChildToRootTranslation

loc_8E462C:				; CODE XREF: IopChildToRootTranslation+4Dj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E4634:				; CODE XREF: IopChildToRootTranslation+36j
		mov	eax, 0C000009Ah
		jmp	loc_879649
; 

loc_8E463E:				; CODE XREF: IopChildToRootTranslation+5Cj
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+arg_0]
		call	_IopFindLegacyBusDeviceNode@8 ;	IopFindLegacyBusDeviceNode(x,x)
		and	[ebp+var_10], 0
		mov	ebx, eax
		mov	ecx, [ebp+var_8]
		jmp	loc_87959C
; 

loc_8E4657:				; CODE XREF: IopChildToRootTranslation+12Cj
		xor	ecx, ecx
		xor	edx, edx
		inc	ecx
		call	_IopFindLegacyBusDeviceNode@8 ;	IopFindLegacyBusDeviceNode(x,x)
		mov	ebx, eax
		jmp	loc_8795BC
; 

loc_8E4668:				; CODE XREF: IopChildToRootTranslation+E9j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_879649
; END OF FUNCTION CHUNK	FOR IopChildToRootTranslation
; 
; START	OF FUNCTION CHUNK FOR IopResourceRequirementsListToReqList

loc_8E4681:				; CODE XREF: IopResourceRequirementsListToReqList+89j
		mov	esi, [ebp+var_3C]
		jmp	loc_879741
; 

loc_8E4689:				; CODE XREF: IopResourceRequirementsListToReqList+62j
					; IopResourceRequirementsListToReqList+6Aj ...
		mov	eax, 0C000000Dh
		jmp	loc_879AED
; 

loc_8E4693:				; CODE XREF: IopResourceRequirementsListToReqList+1F7j
		mov	eax, 0C000009Ah
		jmp	loc_879AED
; 

loc_8E469D:				; CODE XREF: IopResourceRequirementsListToReqList+241j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_10], eax
		jmp	loc_8798F9
; 

loc_8E46A8:				; CODE XREF: IopResourceRequirementsListToReqList+2F1j
		mov	eax, [esi+8]
		mov	[ebp+var_10], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_8E46BA
		mov	[ebp+var_10], 1

loc_8E46BA:				; CODE XREF: IopResourceRequirementsListToReqList+6AFFFj
		mov	eax, [esi+0Ch]
		mov	[ebp+var_2C], eax
		jmp	loc_879B52
; 

loc_8E46C5:				; CODE XREF: IopResourceRequirementsListToReqList+3E8j
		mov	esi, [ebp+var_44]
		mov	ecx, [ebp+var_34]
		mov	edi, [ebp+var_40]
		dec	dword ptr [ebx+14h]
		mov	[ebp+var_C], esi
		call	_IopFreeReqAlternative@4 ; IopFreeReqAlternative(x)
		mov	eax, [ebp+var_30]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_8]
		jmp	loc_879AC0
; 

loc_8E46E7:				; CODE XREF: IopResourceRequirementsListToReqList+41Aj
		mov	ecx, ebx
		call	_IopFreeReqList@4 ; IopFreeReqList(x)
		jmp	loc_879AD2
; 

loc_8E46F3:				; CODE XREF: IopResourceRequirementsListToReqList+42Ej
		mov	ecx, ebx
		call	_IopFreeReqList@4 ; IopFreeReqList(x)
		jmp	loc_879AEB
; 

loc_8E46FF:				; CODE XREF: IopResourceRequirementsListToReqList+131j
					; IopResourceRequirementsListToReqList+157j ...
		mov	eax, 80000005h
		jmp	loc_879AED
; 

loc_8E4709:				; CODE XREF: IopResourceRequirementsListToReqList+2Aj
					; IopResourceRequirementsListToReqList+5Cj
		xor	eax, eax
		jmp	loc_879AED
; END OF FUNCTION CHUNK	FOR IopResourceRequirementsListToReqList
; 
; START	OF FUNCTION CHUNK FOR IopSetupArbiterAndTranslators

loc_8E4710:				; CODE XREF: IopSetupArbiterAndTranslators+40j
		mov	bl, 3
		mov	byte ptr [ebp+var_C], bl
		jmp	loc_879BC0
; 

loc_8E471A:				; CODE XREF: IopSetupArbiterAndTranslators+154j
		xor	ecx, ecx
		xor	edx, edx
		inc	ecx
		call	_IopFindLegacyBusDeviceNode@8 ;	IopFindLegacyBusDeviceNode(x,x)
		mov	esi, eax
		jmp	loc_879C8C
; 

loc_8E472B:				; CODE XREF: IopSetupArbiterAndTranslators+1FDj
		xor	edi, edi
		jmp	loc_879D88
; 

loc_8E4732:				; CODE XREF: IopSetupArbiterAndTranslators+23Bj
		xor	edi, edi
		mov	[ebp+var_10], edi
		jmp	loc_879E14
; 

loc_8E473C:				; CODE XREF: IopSetupArbiterAndTranslators+190j
		xor	bh, bh
		jmp	loc_879CE8
; 

loc_8E4743:				; CODE XREF: IopSetupArbiterAndTranslators+198j
		xor	edi, edi
		jmp	loc_879D23
; 

loc_8E474A:				; CODE XREF: IopSetupArbiterAndTranslators+1DAj
		xor	edi, edi
		mov	[ebp+var_10], edi
		jmp	loc_879E88
; 

loc_8E4754:				; CODE XREF: IopSetupArbiterAndTranslators+26Aj
		mov	bl, 3
		mov	byte ptr [ebp+var_C], bl
		jmp	loc_879DEA
; 

loc_8E475E:				; CODE XREF: IopSetupArbiterAndTranslators+2ACj
					; IopSetupArbiterAndTranslators+31Ej
		mov	eax, 0C000009Ah
		jmp	loc_879CE3
; 

loc_8E4768:				; CODE XREF: IopSetupArbiterAndTranslators+255j
		mov	eax, edx
		jmp	loc_879CE3
; 

loc_8E476F:				; CODE XREF: IopSetupArbiterAndTranslators+73j
					; IopSetupArbiterAndTranslators+161j
		mov	eax, 0C000008Ah
		jmp	loc_879CE3
; END OF FUNCTION CHUNK	FOR IopSetupArbiterAndTranslators
; 
; START	OF FUNCTION CHUNK FOR IopCallArbiter

loc_8E4779:				; CODE XREF: IopCallArbiter+21j
					; DATA XREF: PAGE:0087A044o
		xor	eax, eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	1
		push	dword ptr [edi+4]
		call	dword ptr [edi+10h]

loc_8E4790:				; CODE XREF: IopCallArbiter+21j
					; DATA XREF: PAGE:0087A064o
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_1C], ebx
		push	eax
		jmp	loc_87A017
; 

loc_8E479C:				; CODE XREF: IopCallArbiter+21j
					; DATA XREF: PAGE:0087A050o
		mov	ecx, 0C0000002h
		jmp	loc_87A00C
; 

loc_8E47A6:				; CODE XREF: IopCallArbiter+21j
					; DATA XREF: PAGE:0087A058o
		mov	ecx, ebx	; int
		mov	eax, [ecx]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_18], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_14], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	6
		jmp	loc_87A018
; END OF FUNCTION CHUNK	FOR IopCallArbiter
; 
; START	OF FUNCTION CHUNK FOR IopQueryResourceHandlerInterface

loc_8E47CA:				; CODE XREF: IopQueryResourceHandlerInterface+7Fj
		mov	eax, 0C000009Ah
		jmp	loc_87A153
; 

loc_8E47D4:				; CODE XREF: IopQueryResourceHandlerInterface+115j
		sub	ebx, 1
		jz	loc_87A183
		mov	edi, 0C000000Dh
		jmp	loc_87A149
; 

loc_8E47E7:				; CODE XREF: IopQueryResourceHandlerInterface+3Bj
					; IopQueryResourceHandlerInterface+48j
		mov	eax, 0C00000BBh
		jmp	loc_87A153
; END OF FUNCTION CHUNK	FOR IopQueryResourceHandlerInterface
; 
; START	OF FUNCTION CHUNK FOR PnpReadDeviceConfiguration

loc_8E47F1:				; CODE XREF: PnpReadDeviceConfiguration+48j
		mov	eax, 0C00000F0h
		jmp	loc_87A1FE
; 

loc_8E47FB:				; CODE XREF: PnpReadDeviceConfiguration+1Aj
		mov	edx, (offset loc_8B9859+1)
		jmp	loc_87A1EA
; 

loc_8E4805:				; CODE XREF: PnpReadDeviceConfiguration+AEj
		and	dword ptr [eax+4], 0
		mov	dword ptr [eax], 1
		jmp	loc_87A274
; 

loc_8E4814:				; CODE XREF: PnpReadDeviceConfiguration+69j
		cmp	eax, 8
		jz	loc_87A299

loc_8E481D:				; CODE XREF: PnpReadDeviceConfiguration+5Ej
		mov	edi, 0C0000001h
		jmp	loc_87A299
; END OF FUNCTION CHUNK	FOR PnpReadDeviceConfiguration
; 
; START	OF FUNCTION CHUNK FOR KsepDbCacheReadDevice

loc_8E4827:				; CODE XREF: KsepDbCacheReadDevice+2Dj
		mov	edi, 0C0000017h
		jmp	loc_87A351
; 

loc_8E4831:				; CODE XREF: KsepDbCacheReadDevice+82j
		push	esi		; int
		push	[esp+1Ch+var_8]	; wchar_t *
		mov	edx, offset _KsepMatchMachineInfo ; int
		call	KsepDbCacheReadDeviceInternal
		test	eax, eax
		jns	loc_87A33A
		cmp	eax, 0C0000225h
		jnz	loc_87A342
		jmp	loc_87A33A
; END OF FUNCTION CHUNK	FOR KsepDbCacheReadDevice
; 
; START	OF FUNCTION CHUNK FOR KsepDbCacheReadDeviceInternal

loc_8E4858:				; CODE XREF: KsepDbCacheReadDeviceInternal+B4j
		lea	eax, [ebp+var_28]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	_KsepDbReadKData@12 ; KsepDbReadKData(x,x,x)
		test	eax, eax
		js	loc_87A39B
		push	[ebp+var_20]	; int
		mov	edx, [ebp+var_28]
		push	[ebp+var_24]	; int
		mov	ecx, [ebp+arg_4]
		push	[ebp+var_1C]	; void *
		call	KsepCacheDeviceInsertData
		test	eax, eax
		js	loc_87A39B
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	SdbFindNextTag
		jmp	loc_87A412
; END OF FUNCTION CHUNK	FOR KsepDbCacheReadDeviceInternal
; 
; START	OF FUNCTION CHUNK FOR IopAllocateBootResourcesInternal

loc_8E4898:				; CODE XREF: IopAllocateBootResourcesInternal+23j
		xor	esi, esi
		jmp	loc_87A4A4
; 

loc_8E489F:				; CODE XREF: IopAllocateBootResourcesInternal+40j
		mov	edi, 0C0000001h
		jmp	loc_87A541
; 

loc_8E48A9:				; CODE XREF: IopAllocateBootResourcesInternal+A7j
		cmp	[esp+40h+var_C], edi
		jz	loc_87A529
		push	edi
		push	[esp+44h+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esp+40h+var_C], edi
		jmp	loc_87A529
; 

loc_8E48C6:				; CODE XREF: IopAllocateBootResourcesInternal+BFj
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+16Ch], edi
		jmp	loc_87A537
; 

loc_8E48D8:				; CODE XREF: IopAllocateBootResourcesInternal+EAj
		mov	eax, [esi+168h]
		test	eax, eax
		jz	short loc_8E48F1
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+168h], 0

loc_8E48F1:				; CODE XREF: IopAllocateBootResourcesInternal+6A46Ej
		mov	eax, [esi+16Ch]
		test	eax, eax
		jz	loc_87A562
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+16Ch], 0
		jmp	loc_87A562
; END OF FUNCTION CHUNK	FOR IopAllocateBootResourcesInternal
; 
; START	OF FUNCTION CHUNK FOR IopAddRemoveReqDescs

loc_8E4913:				; CODE XREF: IopAddRemoveReqDescs+97j
		mov	ecx, [ecx]
		cmp	ecx, edi
		jnz	loc_87A73D
		jmp	loc_87A749
; END OF FUNCTION CHUNK	FOR IopAddRemoveReqDescs
; 
; START	OF FUNCTION CHUNK FOR PnpCmResourcesToIoResources

loc_8E4922:				; CODE XREF: PnpCmResourcesToIoResources+35j
		mov	edx, [eax+4]
		dec	esi
		jmp	loc_87A7FD
; 

loc_8E492B:				; CODE XREF: PnpCmResourcesToIoResources+DDj
		xor	eax, eax
		mov	word ptr [edi],	0F001h
		xor	ebx, ebx
		mov	[edi+6], ax
		mov	[edi+2], ebx
		mov	eax, [edx]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_8E4945
		xor	eax, eax
		inc	eax

loc_8E4945:				; CODE XREF: PnpCmResourcesToIoResources+6A17Ej
		mov	[edi+8], eax
		mov	eax, [edx+4]
		mov	[edi+0Ch], eax
		mov	eax, [ebp+var_8]
		mov	[edi+10h], ebx
		add	edi, 20h
		jmp	loc_87A8A5
; 

loc_8E495C:				; CODE XREF: PnpCmResourcesToIoResources+1FAj
		mov	eax, [ebx+8]
		mov	[edi+8], eax
		mov	eax, [ebx+8]
		mov	[edi+0Ch], eax
		mov	eax, [ebx+4]
		mov	[edi+10h], eax
		movzx	eax, byte ptr [ebx+0Ch]
		mov	[edi+14h], eax
		jmp	loc_87A8F6
; 

loc_8E497A:				; CODE XREF: PnpCmResourcesToIoResources+124j
		mov	dword ptr [edi+0Ch], 0FFFFFFFEh
		movzx	eax, word ptr [ebx+6]
		and	dword ptr [edi+14h], 0
		not	eax
		mov	[edi+8], eax
		push	4
		pop	eax
		mov	[edi+10h], ax
		mov	ax, [ebx+4]
		mov	[edi+12h], ax
		mov	eax, [ebx+0Ch]
		mov	[edi+18h], eax
		jmp	loc_87A8F6
; 

loc_8E49A8:				; CODE XREF: PnpCmResourcesToIoResources+1Cj
					; PnpCmResourcesToIoResources+4Cj ...
		xor	eax, eax
		jmp	loc_87A926
; END OF FUNCTION CHUNK	FOR PnpCmResourcesToIoResources
; 
; START	OF FUNCTION CHUNK FOR PnpFreeResourceRequirementsForAssignTable

loc_8E49AF:				; CODE XREF: PnpFreeResourceRequirementsForAssignTable+29j
		mov	eax, [esi-4]
		test	eax, eax
		jz	loc_87AA63
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi-4], 0
		jmp	loc_87AA63
; END OF FUNCTION CHUNK	FOR PnpFreeResourceRequirementsForAssignTable
; 
; START	OF FUNCTION CHUNK FOR PnpAllocateResources

loc_8E49CB:				; CODE XREF: PnpAllocateResources+DEj
		mov	eax, edx
		jmp	loc_87AB5B
; 

loc_8E49D2:				; CODE XREF: PnpAllocateResources+133j
		xor	edx, edx
		jmp	loc_87ABB3
; 

loc_8E49D9:				; CODE XREF: PnpAllocateResources+236j
		or	edx, 20h
		mov	dword ptr [ecx+20h], 0C000022Dh
		dec	eax
		mov	[ecx], edx
		mov	[ebp+var_4], eax
		jmp	loc_87ABCA
; 

loc_8E49EE:				; CODE XREF: PnpAllocateResources+168j
		mov	esi, 0C0000001h
		jmp	loc_87AC8B
; 

loc_8E49F8:				; CODE XREF: PnpAllocateResources+1A8j
		and	[ebp+var_8], 0
		jmp	loc_87AC28
; 

loc_8E4A01:				; CODE XREF: PnpAllocateResources+1EBj
		mov	dword ptr [esi+24h], 0C0000018h
		jmp	loc_87AC6E
; 

loc_8E4A0D:				; CODE XREF: PnpAllocateResources+1CFj
		cmp	ecx, 0C000009Ah
		jz	loc_8E4A99
		cmp	[ebp+var_10], 0
		jnz	short loc_8E4A75
		test	byte ptr [edi+4], 80h
		jnz	short loc_8E4A75
		mov	ecx, [ebp+var_8]
		mov	edx, 40000h
		call	PipSetDevNodeFlags
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	0
		push	1
		call	_PnpRebalance@16 ; PnpRebalance(x,x,x,x)
		mov	ecx, [ebp+var_8]
		mov	edx, 40000h
		mov	[ebp+var_4], eax
		call	PipClearDevNodeFlags
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jns	short loc_8E4A85
		xor	eax, eax
		cmp	ecx, 0C0000908h
		setnz	al
		dec	eax
		and	eax, 8F0h
		add	eax, 0C0000018h
		mov	[esi+24h], eax
		jmp	loc_87AC6E
; 

loc_8E4A75:				; CODE XREF: PnpAllocateResources+69FAFj
					; PnpAllocateResources+69FB5j
		or	dword ptr [esi+4], 20h
		mov	dword ptr [esi+24h], 0C000022Dh
		jmp	loc_87AC6E
; 

loc_8E4A85:				; CODE XREF: PnpAllocateResources+69FE7j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_8E4A8F
		mov	byte ptr [eax],	1

loc_8E4A8F:				; CODE XREF: PnpAllocateResources+6A01Cj
		push	28h
		pop	eax
		add	esi, eax
		jmp	loc_87AC77
; 

loc_8E4A99:				; CODE XREF: PnpAllocateResources+69FA5j
		push	28h
		pop	eax
		jmp	loc_87AC77
; 

loc_8E4AA1:				; CODE XREF: PnpAllocateResources+20Bj
		mov	edx, 0C000009Ah
		cmp	ecx, edx
		jz	short loc_8E4AD0
		mov	eax, ebx
		lea	ecx, [esi+4]
		sub	eax, esi
		xor	edx, edx
		push	28h
		dec	eax
		pop	esi
		div	esi
		inc	eax

loc_8E4ABA:				; CODE XREF: PnpAllocateResources+6A05Bj
		or	dword ptr [ecx], 20h
		mov	dword ptr [ecx+20h], 0C000022Dh
		add	ecx, esi
		sub	eax, 1
		jnz	short loc_8E4ABA
		jmp	loc_87AC7F
; 

loc_8E4AD0:				; CODE XREF: PnpAllocateResources+6A03Aj
					; PnpAllocateResources+6A069j
		mov	[esi+24h], edx
		add	esi, eax
		cmp	esi, ebx
		jb	short loc_8E4AD0
		jmp	loc_87AC7F
; END OF FUNCTION CHUNK	FOR PnpAllocateResources
; 
; START	OF FUNCTION CHUNK FOR IopPnPDispatch

loc_8E4ADE:				; CODE XREF: IopPnPDispatch+188j
					; IopPnPDispatch+69E26j
					; DATA XREF: ...
		mov	esi, 0C0000001h	; case 0x4
		jmp	loc_87AFD0
; 

loc_8E4AE8:				; CODE XREF: IopPnPDispatch+188j
					; DATA XREF: PAGE:off_87B298o
		mov	ecx, [ebp+arg_0] ; case	0x2
		test	ecx, ecx
		jz	short loc_8E4AFA
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_8E4AFC
; 

loc_8E4AFA:				; CODE XREF: IopPnPDispatch+69C0Dj
		mov	eax, ebx

loc_8E4AFC:				; CODE XREF: IopPnPDispatch+69C18j
		test	eax, eax
		jz	short loc_8E4B0C
		test	dword ptr [eax+10Ch], 10000h
		jz	short loc_8E4B12

loc_8E4B0C:				; CODE XREF: IopPnPDispatch+69C1Ej
		push	ecx
		call	IoDeleteDevice

loc_8E4B12:				; CODE XREF: IopPnPDispatch+69C2Aj
		mov	eax, _IopRootDeviceNode
		push	5
		push	dword ptr [eax+10h]
		call	IoInvalidateDeviceRelations
		jmp	loc_87AFCE	; case 0x0
; 

loc_8E4B26:				; CODE XREF: IopPnPDispatch+1BFj
					; IopPnPDispatch+69C8Ej ...
		mov	esi, 0C000009Ah
		jmp	loc_87AFD0
; 

loc_8E4B30:				; CODE XREF: IopPnPDispatch+110j
		mov	eax, ebx
		jmp	loc_87AFFF
; 

loc_8E4B37:				; CODE XREF: IopPnPDispatch+371j
		sub	eax, 1
		jz	loc_87B263
		mov	esi, 0C000000Dh
		jmp	loc_87AFD0
; 

loc_8E4B4A:				; CODE XREF: IopPnPDispatch+1FAj
		mov	edx, ebx
		mov	[ebp+arg_0], ebx
		jmp	loc_87B0EC
; 

loc_8E4B54:				; CODE XREF: IopPnPDispatch+220j
		cmp	eax, 3
		jz	short loc_8E4BB8
		cmp	eax, 5
		jnz	short loc_8E4BB0
		push	64647050h
		push	4Eh
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_8E4B26
		push	13h
		pop	ecx
		mov	esi, offset ??_C@_1EO@EKIIDBMB@?$AA?$HL?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9@NNGAKEGL@ ; "{00000000-0000-0000-FFFF-FFFFFFFFFFFF}"
		mov	edi, eax
		rep movsd
		mov	ecx, eax
		movsw
		mov	edi, [ebp+arg_4]
		mov	esi, ebx
		jmp	loc_87AFD3
; 

loc_8E4B8A:				; CODE XREF: IopPnPDispatch+29Cj
		push	ebx
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_87B1EC
; 

loc_8E4B98:				; CODE XREF: IopPnPDispatch+2C8j
					; IopPnPDispatch+2D3j
		push	3Fh
		pop	eax
		mov	[edx], ax
		mov	edi, [ebp+var_8]
		jmp	loc_87B1B9
; 

loc_8E4BA6:				; CODE XREF: IopPnPDispatch+270j
		mov	esi, 0C000009Ah
		jmp	loc_87B1EC
; 

loc_8E4BB0:				; CODE XREF: IopPnPDispatch+217j
					; IopPnPDispatch+69C7Cj
		mov	ecx, [edi+1Ch]
		jmp	loc_87AFD3
; 

loc_8E4BB8:				; CODE XREF: IopPnPDispatch+211j
					; IopPnPDispatch+69C77j
		movzx	eax, word ptr [edx+14h]
		push	64647050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_14], esi
		test	esi, esi
		jz	loc_8E4B26
		mov	eax, [ebp+arg_0]
		movzx	eax, word ptr [eax+14h]
		push	eax		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	ecx, esi
		mov	esi, ebx
		mov	edx, [eax+18h]
		movzx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_C]
		cmp	[eax+4], ebx
		mov	eax, [ebp+arg_0]
		jnz	short loc_8E4C50
		test	ax, ax
		jz	loc_87AFD3
		movzx	eax, ax
		mov	[ebp+arg_0], eax
		mov	[ebp+var_10], 5Ch

loc_8E4C19:				; CODE XREF: IopPnPDispatch+69D69j
		cmp	ax, word ptr [ebp+var_10]
		jnz	short loc_8E4C29
		inc	ebx
		cmp	ebx, 2
		jz	loc_87AFD3

loc_8E4C29:				; CODE XREF: IopPnPDispatch+69D3Dj
		mov	eax, [ebp+var_14]
		add	edx, 2
		mov	edi, [ebp+arg_0]
		mov	[eax], di
		add	eax, 2
		mov	[ebp+var_14], eax
		movzx	eax, word ptr [edx]
		mov	edi, eax
		mov	[ebp+arg_0], edi
		mov	edi, [ebp+arg_4]
		test	ax, ax
		jnz	short loc_8E4C19
		jmp	loc_87AFD3
; 

loc_8E4C50:				; CODE XREF: IopPnPDispatch+69D21j
		movzx	edi, ax
		mov	[ebp+arg_0], edi
		mov	edi, [ebp+arg_4]
		test	ax, ax
		jz	short loc_8E4C9C
		movzx	eax, ax
		push	5Ch
		mov	[ebp+arg_0], eax
		pop	eax
		mov	[ebp+var_10], eax

loc_8E4C6A:				; CODE XREF: IopPnPDispatch+69DBAj
		mov	edi, [ebp+arg_4]
		cmp	word ptr [ebp+arg_0], ax
		jnz	short loc_8E4C80
		inc	ebx
		cmp	ebx, 2
		jnz	short loc_8E4C80
		add	edx, ebx
		movzx	eax, word ptr [edx]
		jmp	short loc_8E4C9F
; 

loc_8E4C80:				; CODE XREF: IopPnPDispatch+69D91j
					; IopPnPDispatch+69D97j
		add	edx, 2
		movzx	eax, word ptr [edx]
		mov	edi, eax
		mov	[ebp+arg_0], edi
		mov	edi, [ebp+arg_4]
		test	ax, ax
		jz	loc_87AFD3
		mov	eax, [ebp+var_10]
		jmp	short loc_8E4C6A
; 

loc_8E4C9C:				; CODE XREF: IopPnPDispatch+69D7Cj
		mov	eax, [ebp+arg_0]

loc_8E4C9F:				; CODE XREF: IopPnPDispatch+69D9Ej
		test	ax, ax
		jz	loc_87AFD3
		movzx	ebx, ax
		mov	eax, [ebp+var_14]
		sub	edx, eax

loc_8E4CB0:				; CODE XREF: IopPnPDispatch+69DDDj
		mov	[eax], bx
		lea	eax, [eax+2]
		movzx	ebx, word ptr [edx+eax]
		test	bx, bx
		jnz	short loc_8E4CB0
		jmp	loc_87AFD3
; 

loc_8E4CC4:				; CODE XREF: IopPnPDispatch+4Ej
		xor	esi, esi
		inc	esi
		cmp	[ecx+4], esi
		jnz	loc_87AF46	; default
		cmp	[edi+1Ch], ebx
		jnz	loc_87AF46	; default
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_8E4CEE
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		mov	[ebp+arg_0], eax
		jmp	short loc_8E4CF3
; 

loc_8E4CEE:				; CODE XREF: IopPnPDispatch+69DFEj
		mov	eax, ebx
		mov	[ebp+arg_0], ebx

loc_8E4CF3:				; CODE XREF: IopPnPDispatch+69E0Cj
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, [eax+18h]
		push	ebx
		push	0Eh
		push	esi
		call	PiGetDeviceRegProperty
		cmp	[ebp+var_8], ebx
		jz	loc_8E4ADE	; case 0x4
		push	64647050h
		push	[ebp+var_8]
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_4], esi
		test	esi, esi
		jz	loc_8E4B26
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		push	0Eh
		mov	ecx, [ecx+18h]
		push	1
		call	PiGetDeviceRegProperty
		mov	esi, eax
		test	esi, esi
		jns	loc_87AFD0
		cmp	esi, 0C0000225h
		jnz	short loc_8E4D52
		mov	esi, 0C0000034h

loc_8E4D52:				; CODE XREF: IopPnPDispatch+69E6Bj
		mov	ecx, [ebp+var_4]
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8E4D91
; 

loc_8E4D5E:				; CODE XREF: IopPnPDispatch+45j
		lea	eax, [ebp+var_8]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_10]
		inc	edx
		push	eax
		push	2
		jmp	short loc_8E4D79
; 

loc_8E4D6D:				; CODE XREF: IopPnPDispatch+3Cj
		lea	eax, [ebp+var_8]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	4

loc_8E4D79:				; CODE XREF: IopPnPDispatch+69E8Bj
		mov	ecx, [ebp+arg_0]
		call	PnpGetDeviceResourcesFromRegistry
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	loc_87B204
		mov	esi, ebx

loc_8E4D91:				; CODE XREF: IopPnPDispatch+69E7Cj
		mov	ecx, ebx
		jmp	loc_87AFD3
; 

loc_8E4D98:				; CODE XREF: IopPnPDispatch+76j
		mov	[ebp+arg_0], ebx
		jmp	loc_87AF68
; 

loc_8E4DA0:				; CODE XREF: IopPnPDispatch+E5j
		cmp	[ebp+var_18], 4
		jnz	loc_87AFCB
		cmp	[ebp+var_8], 4
		jnz	loc_87AFCB
		mov	eax, [ebp+var_1C]
		mov	[esi+0Ch], eax
		jmp	loc_87AFCB
; END OF FUNCTION CHUNK	FOR IopPnPDispatch
; 
; START	OF FUNCTION CHUNK FOR PnpFindBestConfigurationWorker

loc_8E4DBF:				; CODE XREF: PnpFindBestConfigurationWorker+70j
		xor	edx, edx
		test	esi, esi
		jz	short loc_8E4DE1
		mov	ebx, [ebp+var_4]
		mov	ecx, esi
		add	ebx, 18h

loc_8E4DCD:				; CODE XREF: PnpFindBestConfigurationWorker+69ABEj
		mov	eax, [ebx]
		lea	ebx, [ebx+28h]
		mov	eax, [eax+0Ch]
		mov	eax, [eax]
		add	edx, [eax]
		sub	ecx, 1
		jnz	short loc_8E4DCD
		mov	ebx, [ebp+arg_0]

loc_8E4DE1:				; CODE XREF: PnpFindBestConfigurationWorker+69AA5j
		mov	ecx, [ebp+var_4]
		cmp	edx, [ebp+arg_4]
		jnb	loc_87B3AF
		push	1
		mov	[ebp+arg_4], edx
		mov	edx, esi
		push	ebx
		call	_IopSaveRestoreConfiguration@16	; IopSaveRestoreConfiguration(x,x,x,x)
		jmp	loc_87B3AF
; 

loc_8E4DFF:				; CODE XREF: PnpFindBestConfigurationWorker+82j
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	0
		mov	[ebx], eax
		mov	eax, [ebp+var_C]
		push	ebx
		mov	[ebx+4], eax
		call	_IopSaveRestoreConfiguration@16	; IopSaveRestoreConfiguration(x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	ebx
		call	_IopRetestConfiguration@12 ; IopRetestConfiguration(x,x,x)
		mov	edi, eax
		jmp	loc_87B3A6
; END OF FUNCTION CHUNK	FOR PnpFindBestConfigurationWorker
; 
; START	OF FUNCTION CHUNK FOR IopTestConfiguration

loc_8E4E26:				; CODE XREF: IopTestConfiguration+29j
		test	byte ptr [edi+8], 2
		jz	loc_87B485
		mov	ebx, 0C0000001h
		jmp	loc_87B49B
; END OF FUNCTION CHUNK	FOR IopTestConfiguration
; 
; START	OF FUNCTION CHUNK FOR PnpLookupArbitersNewResources

loc_8E4E3A:				; CODE XREF: PnpLookupArbitersNewResources+28j
		imul	eax, esi, 28h
		mov	edi, ebx
		lfence	eax
		mov	eax, [eax+ecx+18h]
		mov	eax, [eax+0Ch]
		mov	eax, [eax]
		mov	[ebp+var_8], eax
		mov	ecx, [eax+10h]
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	loc_8E4EF7
		mov	cl, [ebp+arg_4]
		lea	esi, [eax+14h]
		mov	[ebp+arg_0], esi
		mov	edx, esi
		mov	esi, [ebp+var_4]

loc_8E4E6A:				; CODE XREF: PnpLookupArbitersNewResources+699E2j
		mov	eax, [edx]
		mov	eax, [eax+14h]
		mov	al, [eax+50h]
		cmp	al, cl
		jz	short loc_8E4E7F
		cmp	al, 7
		jnz	short loc_8E4E80
		cmp	cl, 3
		jnz	short loc_8E4E80

loc_8E4E7F:				; CODE XREF: PnpLookupArbitersNewResources+699D0j
		inc	edi

loc_8E4E80:				; CODE XREF: PnpLookupArbitersNewResources+699D4j
					; PnpLookupArbitersNewResources+699D9j
		add	edx, 4
		sub	esi, 1
		jnz	short loc_8E4E6A
		mov	esi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_8E4EF7
		push	20207050h
		mov	eax, edi
		shl	eax, 4
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_8E4EB1
		mov	eax, 0C000009Ah
		jmp	loc_87B4D7
; 

loc_8E4EB1:				; CODE XREF: PnpLookupArbitersNewResources+69A01j
		mov	eax, [ebp+arg_C]
		mov	edx, [ebp+var_8]
		mov	[eax], edi
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		cmp	[edx+10h], ebx
		jbe	short loc_8E4EF7

loc_8E4EC3:				; CODE XREF: PnpLookupArbitersNewResources+69A51j
		mov	eax, [esi]
		mov	eax, [eax+14h]
		lea	edi, [eax+50h]
		mov	al, [ebp+arg_4]
		mov	ah, [edi]
		cmp	ah, al
		jz	short loc_8E4EDD
		cmp	ah, 7
		jnz	short loc_8E4EEB
		cmp	al, 3
		jnz	short loc_8E4EEB

loc_8E4EDD:				; CODE XREF: PnpLookupArbitersNewResources+69A2Ej
		mov	esi, edi
		mov	edi, ecx
		add	ecx, 10h
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_0]

loc_8E4EEB:				; CODE XREF: PnpLookupArbitersNewResources+69A33j
					; PnpLookupArbitersNewResources+69A37j
		inc	ebx
		add	esi, 4
		mov	[ebp+arg_0], esi
		cmp	ebx, [edx+10h]
		jb	short loc_8E4EC3

loc_8E4EF7:				; CODE XREF: PnpLookupArbitersNewResources+699B2j
					; PnpLookupArbitersNewResources+699E9j	...
		xor	eax, eax
		jmp	loc_87B4D7
; END OF FUNCTION CHUNK	FOR PnpLookupArbitersNewResources
; 
; START	OF FUNCTION CHUNK FOR PnpBuildCmResourceLists

loc_8E4EFE:				; CODE XREF: PnpBuildCmResourceLists+17j
		mov	edi, ecx
		cmp	ecx, ebx
		jnb	loc_87B529

loc_8E4F08:				; CODE XREF: PnpBuildCmResourceLists+69A5Cj
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_8E4F19
		mov	eax, [eax+0B0h]
		mov	esi, [eax+14h]
		jmp	short loc_8E4F1B
; 

loc_8E4F19:				; CODE XREF: PnpBuildCmResourceLists+69A00j
		xor	esi, esi

loc_8E4F1B:				; CODE XREF: PnpBuildCmResourceLists+69A0Bj
		mov	ecx, offset _PiResourceListLock
		call	ExAcquireFastMutex
		mov	eax, [esi+11Ch]
		test	eax, eax
		jz	short loc_8E4F3E
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+11Ch], 0

loc_8E4F3E:				; CODE XREF: PnpBuildCmResourceLists+69A21j
		mov	eax, [esi+120h]
		test	eax, eax
		jz	short loc_8E4F57
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+120h], 0

loc_8E4F57:				; CODE XREF: PnpBuildCmResourceLists+69A3Aj
		mov	ecx, offset _PiResourceListLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		push	28h
		pop	eax
		add	edi, eax
		cmp	edi, ebx
		jb	short loc_8E4F08
		mov	ecx, [ebp+var_C]
		jmp	loc_87B529
; 

loc_8E4F72:				; CODE XREF: PnpBuildCmResourceLists+56j
		mov	dword ptr [esi], 0C0000001h
		jmp	loc_87B5C2
; 

loc_8E4F7D:				; CODE XREF: PnpBuildCmResourceLists+5Fj
		cmp	dword ptr [esi], 0C000022Dh
		jnz	loc_87B5C2
		jmp	loc_87B571
; 

loc_8E4F8E:				; CODE XREF: PnpBuildCmResourceLists+81j
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_8E4F9F
		mov	eax, [eax+0B0h]
		mov	ebx, [eax+14h]
		jmp	short loc_8E4FA1
; 

loc_8E4F9F:				; CODE XREF: PnpBuildCmResourceLists+69A86j
		xor	ebx, ebx

loc_8E4FA1:				; CODE XREF: PnpBuildCmResourceLists+69A91j
		test	dword ptr [esi-20h], 400h
		jz	short loc_8E4FB6
		mov	edx, 0C00h
		mov	ecx, ebx
		call	PipClearDevNodeFlags

loc_8E4FB6:				; CODE XREF: PnpBuildCmResourceLists+69A9Cj
		mov	ecx, offset _PiResourceListLock
		call	ExAcquireFastMutex
		mov	eax, [esi-8]
		mov	[ebx+11Ch], eax
		test	eax, eax
		jnz	short loc_8E4FD9
		mov	edx, 100h
		mov	ecx, ebx
		call	PipSetDevNodeFlags

loc_8E4FD9:				; CODE XREF: PnpBuildCmResourceLists+69ABFj
		mov	eax, [esi-4]
		mov	ecx, offset _PiResourceListLock
		mov	[ebx+120h], eax
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		lea	ebx, [esi-24h]
		jmp	loc_87B593
; 

loc_8E4FF4:				; CODE XREF: PnpBuildCmResourceLists+C3j
		mov	ebx, [ebp+var_14]
		cmp	edi, ecx
		mov	ecx, [ebp+var_C]
		jb	loc_87B52C
		jmp	loc_87B5D5
; END OF FUNCTION CHUNK	FOR PnpBuildCmResourceLists
; 
; START	OF FUNCTION CHUNK FOR IopTranslateAndAdjustReqDesc

loc_8E5007:				; CODE XREF: IopTranslateAndAdjustReqDesc+2Aj
		mov	eax, 0C000000Dh
		jmp	loc_87B93B
; 

loc_8E5011:				; CODE XREF: IopTranslateAndAdjustReqDesc+7Ej
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E5019:				; CODE XREF: IopTranslateAndAdjustReqDesc+4Dj
		mov	eax, 0C000009Ah
		jmp	loc_87B93A
; 

loc_8E5023:				; CODE XREF: IopTranslateAndAdjustReqDesc+10Ej
		mov	eax, [ebp+var_28]
		jmp	loc_87B7BF
; 

loc_8E502B:				; CODE XREF: IopTranslateAndAdjustReqDesc+D0j
					; IopTranslateAndAdjustReqDesc+DAj
		mov	edx, [ebp+var_10]
		mov	[ebx], edx
		xor	edx, edx
		and	dword ptr [ecx], 0
		inc	edx
		mov	bl, [ebp+var_1]
		jmp	loc_87B7EB
; 

loc_8E503E:				; CODE XREF: IopTranslateAndAdjustReqDesc+A4j
		mov	eax, 0C0000001h

loc_8E5043:				; CODE XREF: IopTranslateAndAdjustReqDesc+11Cj
		mov	[ebp+var_8], eax
		jmp	loc_87B828
; 

loc_8E504B:				; CODE XREF: IopTranslateAndAdjustReqDesc+155j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E5053:				; CODE XREF: IopTranslateAndAdjustReqDesc+139j
		mov	[ebp+var_8], 0C000009Ah
		jmp	loc_87B8F8
; 

loc_8E505F:				; CODE XREF: IopTranslateAndAdjustReqDesc+1B1j
		mov	esi, [ebp+var_18]
		mov	edi, ebx
		push	8
		pop	ecx
		rep movsd
		movzx	eax, byte ptr [ebx+1]
		sub	eax, 1
		jz	short loc_8E508D
		sub	eax, 1
		jz	short loc_8E50BD
		sub	eax, 1
		jz	short loc_8E508D
		sub	eax, 1
		jz	short loc_8E50BD
		push	2
		pop	ecx
		sub	eax, ecx
		jz	short loc_8E50B1
		sub	eax, 1
		jnz	short loc_8E50A3

loc_8E508D:				; CODE XREF: IopTranslateAndAdjustReqDesc+6996Aj
					; IopTranslateAndAdjustReqDesc+69974j
		and	dword ptr [ebx+14h], 0
		and	dword ptr [ebx+1Ch], 0
		mov	dword ptr [ebx+10h], 2
		mov	dword ptr [ebx+18h], 1

loc_8E50A3:				; CODE XREF: IopTranslateAndAdjustReqDesc+69985j
					; IopTranslateAndAdjustReqDesc+699B5j ...
		mov	edi, [ebp+var_24]
		mov	esi, [ebp+var_14]
		push	20h
		pop	eax
		jmp	loc_87B8D5
; 

loc_8E50B1:				; CODE XREF: IopTranslateAndAdjustReqDesc+69980j
		mov	[ebx+0Ch], ecx
		mov	dword ptr [ebx+10h], 1
		jmp	short loc_8E50A3
; 

loc_8E50BD:				; CODE XREF: IopTranslateAndAdjustReqDesc+6996Fj
					; IopTranslateAndAdjustReqDesc+69979j
		mov	dword ptr [ebx+8], 2
		mov	dword ptr [ebx+0Ch], 1
		jmp	short loc_8E50A3
; END OF FUNCTION CHUNK	FOR IopTranslateAndAdjustReqDesc
; 
; START	OF FUNCTION CHUNK FOR MmCallDllInitialize

loc_8E50CD:				; CODE XREF: MmCallDllInitialize+93j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E50D5:				; CODE XREF: MmCallDllInitialize+40j
		mov	eax, 0C0000106h
		jmp	loc_87BAAB
; 

loc_8E50DF:				; CODE XREF: MmCallDllInitialize+64j
		mov	eax, 0C000009Ah
		jmp	loc_87BAAB
; 

loc_8E50E9:				; CODE XREF: MmCallDllInitialize+9Fj
		mov	edi, 0C0000106h
		jmp	short loc_8E50F5
; 

loc_8E50F0:				; CODE XREF: MmCallDllInitialize+C1j
		mov	edi, 0C000009Ah

loc_8E50F5:				; CODE XREF: MmCallDllInitialize+697ACj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_87BAAB
; END OF FUNCTION CHUNK	FOR MmCallDllInitialize
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceMappedPropertyFromInstanceKeyRegValue

loc_8E5104:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+28j
		mov	[ebp+var_8], esi
		jmp	loc_87BAF3
; 

loc_8E510C:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+6Ej
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+var_14]

loc_8E5112:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+5Aj
		add	ecx, 10h
		mov	eax, esi
		add	ebx, 10h
		mov	[ebp+arg_10], eax
		mov	[ebp+var_10], ecx
		cmp	ecx, 20h
		jb	loc_87BB06
		jmp	loc_87BB2A
; 

loc_8E512E:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+7Aj
		mov	edi, 0C0000230h
		jmp	loc_87BBC7
; 

loc_8E5138:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+CBj
		mov	ecx, [ebp+arg_0]

loc_8E513B:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+B3j
		mov	esi, [ebp+var_8]
		mov	[ebp+arg_4], esi
		test	ebx, ebx
		jnz	short loc_8E5148
		mov	ebx, [ebp+var_4]

loc_8E5148:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+6968Fj
		lea	eax, [ebp+arg_4]
		mov	edx, ecx
		push	eax
		mov	eax, [ebp+arg_C]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_RegRtlQueryValue
		mov	ecx, eax
		cmp	ecx, 0C0000034h
		jz	loc_87BBB4
		cmp	ecx, 0C000017Ch
		jz	loc_87BBB4
		mov	ebx, 0C0000023h
		test	ecx, ecx
		jz	short loc_8E518B
		cmp	ecx, ebx
		jz	short loc_8E518B
		mov	edi, ecx
		jmp	loc_87BBB9
; 

loc_8E518B:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+696CAj
					; _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+696CEj
		mov	edx, [ebp+arg_14]
		mov	eax, [ebp+arg_4]
		mov	[edx], eax
		mov	eax, [ebp+arg_10]
		mov	edx, [ebp+arg_8]
		mov	eax, [eax+4]
		mov	[edx], eax
		test	ecx, ecx
		jnz	short loc_8E51AA
		test	esi, esi
		jnz	loc_87BBB9

loc_8E51AA:				; CODE XREF: _CmGetDeviceMappedPropertyFromInstanceKeyRegValue+696ECj
		mov	edi, ebx
		jmp	loc_87BBB9
; END OF FUNCTION CHUNK	FOR _CmGetDeviceMappedPropertyFromInstanceKeyRegValue
; 
; START	OF FUNCTION CHUNK FOR ArbArbiterHandler

loc_8E51B1:				; CODE XREF: ArbArbiterHandler+33j
					; DATA XREF: PAGE:off_87BCBEo
		push	[ebp+arg_8]	; case 0x1
		push	esi
		call	dword ptr [esi+50h]
		jmp	loc_87BC47
; 

loc_8E51BD:				; CODE XREF: ArbArbiterHandler+33j
					; DATA XREF: PAGE:off_87BCBEo
		push	esi		; case 0x3
		call	dword ptr [esi+58h]
		jmp	loc_87BC47
; 

loc_8E51C6:				; CODE XREF: ArbArbiterHandler+33j
					; DATA XREF: PAGE:off_87BCBEo
		push	[ebp+arg_8]	; case 0x6
		push	esi
		call	dword ptr [esi+64h]
		jmp	loc_87BC47
; 

loc_8E51D2:				; CODE XREF: ArbArbiterHandler+33j
					; DATA XREF: PAGE:off_87BCBEo
		push	[ebp+arg_8]	; case 0x7
		push	esi
		call	dword ptr [esi+60h]
		jmp	loc_87BC47
; 

loc_8E51DE:				; CODE XREF: ArbArbiterHandler+33j
					; DATA XREF: PAGE:off_87BCBEo
		mov	edi, 0C0000002h	; case 0x4
		jmp	loc_87BC60
; 

loc_8E51E8:				; CODE XREF: ArbArbiterHandler+2Dj
		mov	edi, 0C000000Dh	; default
		jmp	loc_87BC49
; END OF FUNCTION CHUNK	FOR ArbArbiterHandler
; 
; START	OF FUNCTION CHUNK FOR ArbOverrideConflict

loc_8E51F2:				; CODE XREF: ArbOverrideConflict+B3j
		mov	eax, [esi+24h]
		test	byte ptr [eax+24h], 2
		jz	loc_87BDE7
		mov	eax, [ebp+arg_4]
		mov	bl, 1
		mov	[esi+4], eax
		mov	eax, [esi+18h]
		mov	[esi+8], eax
		mov	eax, [esi+1Ch]
		mov	[esi], edi
		mov	[esi+0Ch], eax
		jmp	loc_87BD9C
; END OF FUNCTION CHUNK	FOR ArbOverrideConflict
; 
; START	OF FUNCTION CHUNK FOR IopPortAddAllocation

loc_8E521A:				; CODE XREF: IopPortAddAllocation+62j
		mov	eax, [esi+20h]
		mov	ecx, [edi+10h]
		mov	ebx, [ebp+var_8]
		mov	edx, [ebp+var_4]
		push	dword ptr [eax+10h]
		mov	eax, [edi+24h]
		and	eax, 1
		mov	[ebp+arg_4], edx
		push	0
		lea	eax, ds:1[eax*2]
		push	eax
		mov	al, [esi+32h]
		or	al, 10h
		add	ecx, ebx
		movzx	eax, al
		push	eax
		mov	eax, [edi+14h]
		adc	eax, edx
		add	ecx, 0FFFFFFFFh
		adc	eax, 0FFFFFFFFh
		push	eax
		mov	eax, [ebp+arg_0]
		push	ecx
		push	edx
		push	ebx
		push	dword ptr [eax+18h]
		call	_RtlAddRange@36	; RtlAddRange(x,x,x,x,x,x,x,x,x)
		mov	eax, [ebp+arg_4]
		jmp	loc_87BE42
; END OF FUNCTION CHUNK	FOR IopPortAddAllocation
; 
; START	OF FUNCTION CHUNK FOR IopPortGetNextAlias

loc_8E5269:				; CODE XREF: IopPortGetNextAlias+8j
		mov	eax, 400h
		jmp	short loc_8E5275
; 

loc_8E5270:				; CODE XREF: IopPortGetNextAlias+11j
		mov	eax, 1000h

loc_8E5275:				; CODE XREF: IopPortGetNextAlias+69408j
		xor	ecx, ecx
		add	eax, [ebp+arg_0]
		adc	ecx, [ebp+arg_4]
		test	ecx, ecx
		ja	loc_87BE7D
		jb	short loc_8E5292
		cmp	eax, 0FFFFh
		ja	loc_87BE7D

loc_8E5292:				; CODE XREF: IopPortGetNextAlias+6941Fj
		mov	[edx], eax
		mov	al, 1
		mov	[edx+4], ecx
		jmp	loc_87BE7F
; END OF FUNCTION CHUNK	FOR IopPortGetNextAlias
; 
; START	OF FUNCTION CHUNK FOR ArbShareDriverExclusive

loc_8E529E:				; CODE XREF: ArbShareDriverExclusive+35j
		mov	[ebp+var_11], 1
		jmp	loc_87BEFF
; 

loc_8E52A7:				; CODE XREF: ArbShareDriverExclusive+6Fj
		or	ecx, 2
		mov	[ebp+var_11], 1
		jmp	loc_87BEFC
; 

loc_8E52B3:				; CODE XREF: ArbShareDriverExclusive+F4j
					; ArbShareDriverExclusive+FEj
		mov	eax, [edi+14h]
		test	eax, eax
		jz	loc_87BF3A
		cmp	[ebp+var_11], 0
		jz	short loc_8E5307
		mov	cl, [edi+19h]
		test	cl, 40h
		jnz	short loc_8E5302
		test	cl, 20h
		jnz	short loc_8E5340
		lea	ecx, [ebp+var_20]
		push	ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		push	0Ah
		push	0Fh
		push	eax
		call	IoGetDeviceProperty
		test	eax, eax
		js	short loc_8E5340
		lea	eax, [ebp+var_10]
		push	offset ??_C@_19OLEIDBPB@?$AAR?$AAO?$AAO?$AAT@NNGAKEGL@ ; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_8E533C
		or	byte ptr [edi+19h], 40h
		mov	eax, [edi+14h]

loc_8E5302:				; CODE XREF: ArbShareDriverExclusive+69446j
		xor	cl, cl
		mov	[ebp+var_11], cl

loc_8E5307:				; CODE XREF: ArbShareDriverExclusive+6943Ej
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	loc_87BF3A
		mov	eax, [esi+20h]
		mov	eax, [eax+10h]
		mov	edi, [eax+10h]

loc_8E531B:				; CODE XREF: ArbShareDriverExclusive+694B1j
		mov	eax, edi
		test	eax, eax
		jz	short loc_8E5330
		mov	edx, [ecx+8]

loc_8E5324:				; CODE XREF: ArbShareDriverExclusive+694AAj
		cmp	edx, [eax+8]
		jz	short loc_8E5362
		mov	eax, [eax+10h]
		test	eax, eax
		jnz	short loc_8E5324

loc_8E5330:				; CODE XREF: ArbShareDriverExclusive+6949Bj
		mov	ecx, [ecx+10h]
		test	ecx, ecx
		jnz	short loc_8E531B
		jmp	loc_87BF3A
; 

loc_8E533C:				; CODE XREF: ArbShareDriverExclusive+69475j
		or	byte ptr [edi+19h], 20h

loc_8E5340:				; CODE XREF: ArbShareDriverExclusive+6944Bj
					; ArbShareDriverExclusive+69461j
		mov	eax, [esi+10h]
		mov	[esi], eax
		mov	eax, [esi+14h]
		mov	[esi+4], eax
		mov	eax, [esi+18h]
		mov	[esi+8], eax
		mov	eax, [esi+1Ch]
		mov	[esi+0Ch], eax
		mov	eax, [esi+24h]
		mov	eax, [eax+28h]
		cmp	[eax+2], bl
		jmp	short loc_8E5382
; 

loc_8E5362:				; CODE XREF: ArbShareDriverExclusive+694A3j
		mov	eax, [esi+10h]
		mov	ecx, [esi+24h]
		mov	[esi], eax
		mov	eax, [esi+14h]
		mov	[esi+4], eax
		mov	eax, [esi+18h]
		mov	[esi+8], eax
		mov	eax, [esi+1Ch]
		mov	[esi+0Ch], eax
		mov	ecx, [ecx+28h]
		cmp	[ecx+2], bl

loc_8E5382:				; CODE XREF: ArbShareDriverExclusive+694DCj
		jnz	short loc_8E5387
		or	[esi+32h], bl

loc_8E5387:				; CODE XREF: ArbShareDriverExclusive:loc_8E5382j
		mov	al, 1
		jmp	loc_87BF89
; END OF FUNCTION CHUNK	FOR ArbShareDriverExclusive
; 
; START	OF FUNCTION CHUNK FOR PnpFilterResourceRequirementsList

loc_8E538E:				; CODE XREF: PnpFilterResourceRequirementsList+53j
		mov	eax, 0C000009Ah
		jmp	loc_87C66A
; 

loc_8E5398:				; CODE XREF: PnpFilterResourceRequirementsList+96j
		mov	edi, [eax+4]
		jmp	loc_87C0E6
; 

loc_8E53A0:				; CODE XREF: PnpFilterResourceRequirementsList+103j
		inc	esi
		jmp	loc_87C0A7
; 

loc_8E53A6:				; CODE XREF: PnpFilterResourceRequirementsList+1E1j
		mov	[ebp+var_60], 1
		jmp	loc_87C185
; 

loc_8E53B2:				; CODE XREF: PnpFilterResourceRequirementsList+201j
		mov	eax, 0FFFFh
		mov	[edi], ax
		dec	dword ptr [ebx+1Ch]
		jmp	loc_87C164
; 

loc_8E53C2:				; CODE XREF: PnpFilterResourceRequirementsList+2F0j
					; PnpFilterResourceRequirementsList+2F9j
		mov	cl, al
		mov	[ebp+var_9], al
		jmp	loc_87C29D
; 

loc_8E53CC:				; CODE XREF: PnpFilterResourceRequirementsList+301j
					; PnpFilterResourceRequirementsList+309j
		mov	[ebp+var_A], cl
		jmp	loc_87C2AD
; 

loc_8E53D4:				; CODE XREF: PnpFilterResourceRequirementsList+6F0j
		sub	eax, 1
		jz	loc_87C41E
		and	[ebp+var_1C], edx
		and	[ebp+var_38], edx
		jmp	loc_87C307
; 

loc_8E53E8:				; CODE XREF: PnpFilterResourceRequirementsList+6E6j
		mov	eax, [ebp+var_18]
		mov	edx, [eax+4]
		jmp	loc_87C2E8
; 

loc_8E53F3:				; CODE XREF: PnpFilterResourceRequirementsList+57Aj
					; PnpFilterResourceRequirementsList+589j
		mov	edi, [ebp+var_4C]
		cmp	[ebp+var_40], edi
		mov	edi, [ebp+var_58]
		jb	loc_87C52D
		ja	short loc_8E540D
		cmp	eax, [ebp+var_50]
		jb	loc_87C52D

loc_8E540D:				; CODE XREF: PnpFilterResourceRequirementsList+69464j
		mov	ebx, [ebp+var_78]
		mov	edi, [ebp+var_10]
		add	ebx, 0FFFFFFFFh
		adc	[ebp+var_3C], 0FFFFFFFFh
		and	ebx, edx
		and	[ebp+var_3C], edi
		or	ebx, [ebp+var_3C]
		mov	edi, [ebp+var_58]
		mov	ebx, [ebp+var_14]
		jnz	loc_87C52D
		sub	ecx, 1
		jz	short loc_8E5455
		sub	ecx, 1
		jz	loc_8E54D8
		sub	ecx, 1
		jz	short loc_8E5455
		sub	ecx, 1
		jz	loc_8E54D8
		dec	ecx
		sub	ecx, 1
		jz	short loc_8E54CD
		sub	ecx, 1
		jnz	short loc_8E5472

loc_8E5455:				; CODE XREF: PnpFilterResourceRequirementsList+69493j
					; PnpFilterResourceRequirementsList+694A1j
		mov	ecx, [ebp+var_10]
		add	eax, edx
		mov	[esi+14h], ecx
		mov	ecx, [ebp+var_40]
		adc	ecx, [ebp+var_10]
		sub	eax, 1
		mov	[esi+10h], edx
		sbb	ecx, 0
		mov	[esi+18h], eax
		mov	[esi+1Ch], ecx

loc_8E5472:				; CODE XREF: PnpFilterResourceRequirementsList+694B5j
					; PnpFilterResourceRequirementsList+69538j ...
		inc	word ptr [edi]
		test	byte ptr [esi],	8
		mov	edx, [ebp+var_18]
		mov	byte ptr [esi+3], 80h
		mov	ax, [edx+2]
		mov	[esi+4], ax
		jz	short loc_8E54F6
		lea	eax, [esi-20h]
		lea	ecx, [edi+8]
		jmp	short loc_8E54F2
; 

loc_8E5491:				; CODE XREF: PnpFilterResourceRequirementsList+3D7j
					; PnpFilterResourceRequirementsList+3E0j
		and	[ebp+var_64], 0
		jmp	loc_87C384
; 

loc_8E549A:				; CODE XREF: PnpFilterResourceRequirementsList+3F0j
		lea	eax, [esi-20h]
		lea	ecx, [edi+8]
		jmp	short loc_8E54B5
; 

loc_8E54A2:				; CODE XREF: PnpFilterResourceRequirementsList+69519j
		mov	byte ptr [eax+1], 0
		dec	dword ptr [edi+4]
		cmp	byte ptr [eax],	8
		jnz	loc_87C394
		sub	eax, 20h

loc_8E54B5:				; CODE XREF: PnpFilterResourceRequirementsList+69502j
		cmp	eax, ecx
		jnb	short loc_8E54A2
		jmp	loc_87C394
; 

loc_8E54BE:				; CODE XREF: PnpFilterResourceRequirementsList+434j
		mov	byte ptr [esi+1], 0
		add	esi, 20h
		dec	dword ptr [edi+4]
		jmp	loc_87C3CB
; 

loc_8E54CD:				; CODE XREF: PnpFilterResourceRequirementsList+694B0j
		dec	eax
		mov	[esi+0Ch], edx
		add	eax, edx
		mov	[esi+10h], eax
		jmp	short loc_8E5472
; 

loc_8E54D8:				; CODE XREF: PnpFilterResourceRequirementsList+69498j
					; PnpFilterResourceRequirementsList+694A6j
		mov	eax, [ebp+var_1C]
		mov	[esi+8], edx
		mov	[esi+0Ch], eax
		jmp	short loc_8E5472
; 

loc_8E54E3:				; CODE XREF: PnpFilterResourceRequirementsList+69556j
		mov	byte ptr [eax+1], 0
		dec	dword ptr [edi+4]
		cmp	byte ptr [eax],	8
		jnz	short loc_8E54F6
		sub	eax, 20h

loc_8E54F2:				; CODE XREF: PnpFilterResourceRequirementsList+694F1j
		cmp	eax, ecx
		jnb	short loc_8E54E3

loc_8E54F6:				; CODE XREF: PnpFilterResourceRequirementsList+694E9j
					; PnpFilterResourceRequirementsList+6954Fj
		mov	eax, [ebp+var_8]
		mov	byte ptr [esi],	1
		jmp	short loc_8E550E
; 

loc_8E54FE:				; CODE XREF: PnpFilterResourceRequirementsList+69575j
		test	byte ptr [esi],	8
		jz	loc_87C3E2
		mov	byte ptr [esi+1], 0
		dec	dword ptr [edi+4]

loc_8E550E:				; CODE XREF: PnpFilterResourceRequirementsList+6955Ej
		add	esi, 20h
		cmp	esi, eax
		jb	short loc_8E54FE
		jmp	loc_87C3E2
; 

loc_8E551A:				; CODE XREF: PnpFilterResourceRequirementsList+24Aj
		mov	eax, [edx+4]
		jmp	loc_87C3F8
; 

loc_8E5522:				; CODE XREF: PnpFilterResourceRequirementsList+748j
		cmp	byte ptr [edi+9], 80h
		jz	loc_87C129
		jmp	loc_87C6EC
; 

loc_8E5531:				; CODE XREF: PnpFilterResourceRequirementsList+59Cj
		mov	edx, [ebp+var_5C]
		push	1
		call	PnpCmResourcesToIoResources
		mov	edx, [ebp+arg_0]
		xor	esi, esi
		mov	[edx], eax
		jmp	short loc_8E554C
; 

loc_8E5544:				; CODE XREF: PnpFilterResourceRequirementsList+5C8j
		mov	ebx, [ebp+var_14]
		mov	esi, 0C000009Ah

loc_8E554C:				; CODE XREF: PnpFilterResourceRequirementsList+695A4j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	loc_87C66A
; 

loc_8E555B:				; CODE XREF: PnpFilterResourceRequirementsList+5FFj
		mov	edx, [ebp+arg_4]
		and	dword ptr [edx], 0
		jmp	loc_87C5A3
; 

loc_8E5566:				; CODE XREF: PnpFilterResourceRequirementsList+64Aj
		add	dword ptr [ebx], 0FFFFFFE0h
		jmp	loc_87C60A
; 

loc_8E556E:				; CODE XREF: PnpFilterResourceRequirementsList+67j
					; PnpFilterResourceRequirementsList+71j ...
		mov	edx, [ebp+arg_0]
		mov	[edx], ebx
		jmp	loc_87C668
; 

loc_8E5578:				; CODE XREF: PnpFilterResourceRequirementsList+2Fj
					; PnpFilterResourceRequirementsList+38j
		test	edi, edi
		jz	loc_87C668
		cmp	[edi], ecx
		jz	loc_87C668
		push	1
		call	PnpCmResourcesToIoResources
		mov	[ebx], eax
		jmp	loc_87C668
; END OF FUNCTION CHUNK	FOR PnpFilterResourceRequirementsList
; 
; START	OF FUNCTION CHUNK FOR ArbBuildAssignmentOrdering

loc_8E5596:				; CODE XREF: ArbBuildAssignmentOrdering+16Cj
		mov	edx, [ebx+8]
		xor	ecx, ecx
		mov	eax, [ebx+0Ch]
		add	edx, ebx
		shr	eax, 1
		mov	[ebp+var_70], ecx
		cmp	[edx+eax*2-2], cx
		jnz	short loc_8E55CF
		mov	ecx, [ebp+var_30]
		lea	eax, [ebp+var_70]
		push	eax
		call	ArbpGetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	short loc_8E55F5
		xor	esi, esi
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_70]
		jmp	loc_87C892
; 

loc_8E55CF:				; CODE XREF: ArbBuildAssignmentOrdering+183j
					; ArbBuildAssignmentOrdering+295j ...
		mov	esi, 0C000000Dh
		jmp	short loc_8E55F5
; 

loc_8E55D6:				; CODE XREF: ArbBuildAssignmentOrdering+1DFj
		cmp	esi, 3
		jnz	loc_87C903
		jmp	loc_87CA5C
; 

loc_8E55E4:				; CODE XREF: ArbBuildAssignmentOrdering+31Ej
		cmp	esi, 3
		jnz	loc_87CA42
		jmp	loc_87CAB2
; 

loc_8E55F2:				; CODE XREF: ArbBuildAssignmentOrdering+8Fj
					; ArbBuildAssignmentOrdering+A1j ...
		mov	ebx, [ebp+var_2C]

loc_8E55F5:				; CODE XREF: ArbBuildAssignmentOrdering+15Aj
					; ArbBuildAssignmentOrdering+162j ...
		cmp	[ebp+var_34], 0
		jz	short loc_8E5603
		push	[ebp+var_34]
		call	_ZwClose@4	; ZwClose(x)

loc_8E5603:				; CODE XREF: ArbBuildAssignmentOrdering+68EDBj
		cmp	[ebp+var_30], 0
		jz	short loc_8E5611
		push	[ebp+var_30]
		call	_ZwClose@4	; ZwClose(x)

loc_8E5611:				; CODE XREF: ArbBuildAssignmentOrdering+68EE9j
		test	ebx, ebx
		jz	short loc_8E561D
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E561D:				; CODE XREF: ArbBuildAssignmentOrdering+68EF5j
		mov	eax, [edi+20h]
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_8E5632
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx
		mov	[edi+1Ch], ecx

loc_8E5632:				; CODE XREF: ArbBuildAssignmentOrdering+68F06j
		mov	eax, [edi+28h]
		test	eax, eax
		jz	loc_87CB2B
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx
		mov	[edi+24h], ecx
		jmp	loc_87CB2B
; END OF FUNCTION CHUNK	FOR ArbBuildAssignmentOrdering
; 
; START	OF FUNCTION CHUNK FOR IopTranslateBusAddress

loc_8E564E:				; CODE XREF: IopTranslateBusAddress+42j
		cmp	eax, 2
		jz	loc_87CC28
		cmp	eax, 4
		jz	loc_87CC28
		cmp	eax, 6
		jz	loc_87CC28
		cmp	eax, 3
		jz	loc_87CC16
		jmp	loc_87CC40
; END OF FUNCTION CHUNK	FOR IopTranslateBusAddress
; 
; START	OF FUNCTION CHUNK FOR IopIrqTranslateOrdering

loc_8E5677:				; CODE XREF: IopIrqTranslateOrdering+50j
		mov	eax, [ebx+0Ch]
		lea	ecx, [ebp+var_8]
		push	ecx
		lea	ecx, [ebp-1]
		push	ecx
		push	eax
		push	eax
		push	0
		push	1
		call	esi
		cmp	[ebp+var_8], 0
		mov	[edi+0Ch], eax
		jnz	loc_87CC75
		jmp	loc_87CCA6
; END OF FUNCTION CHUNK	FOR IopIrqTranslateOrdering
; 
; START	OF FUNCTION CHUNK FOR ArbAddOrdering

loc_8E569C:				; CODE XREF: ArbAddOrdering+15j
					; ArbAddOrdering+1Ej
		mov	eax, 0C000000Dh
		jmp	loc_87CD0C
; END OF FUNCTION CHUNK	FOR ArbAddOrdering
; 
; START	OF FUNCTION CHUNK FOR ArbTestAllocation

loc_8E56A6:				; CODE XREF: ArbTestAllocation+15j
		push	dword ptr [edi+18h]
		push	eax
		push	dword ptr [ebx+4]
		push	edi
		call	dword ptr [edi+8Ch]
		jmp	loc_87CD8C
; 

loc_8E56B9:				; CODE XREF: ArbTestAllocation+7Cj
		mov	esi, 0C0000182h
		jmp	loc_87CE74
; 

loc_8E56C3:				; CODE XREF: ArbTestAllocation+BAj
		mov	ecx, [edx+4]
		mov	eax, [ebx]
		mov	[ecx], ebx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[edx+4], ebx
		mov	[ebx+4], ecx
		xor	cl, cl
		mov	[ebx], edx
		mov	ebx, [edx]
		jmp	loc_87CE26
; END OF FUNCTION CHUNK	FOR ArbTestAllocation
; 
; START	OF FUNCTION CHUNK FOR IopGenericScoreRequirement

loc_8E56E0:				; CODE XREF: IopGenericScoreRequirement+43j
		xor	edi, edi
		mov	ebx, esi
		inc	edi
		jmp	loc_87CEC7
; END OF FUNCTION CHUNK	FOR IopGenericScoreRequirement
; 

loc_8E56EA:				; CODE XREF: PAGE:0087CF70j
		cmp	[ebp+10h], edi
		jb	loc_87CF80
		ja	short loc_8E56FE
		cmp	[ebp+0Ch], eax
		jb	loc_87CF80

loc_8E56FE:				; CODE XREF: PAGE:008E56F3j
		mov	eax, [ebp+18h]
		cmp	eax, [ecx+0Ch]
		ja	loc_87CF80
		jb	short loc_8E5718
		mov	eax, [ebp+14h]
		cmp	eax, [ecx+8]
		ja	loc_87CF80

loc_8E5718:				; CODE XREF: PAGE:008E570Aj
		mov	eax, [ecx+10h]
		mov	esi, [eax]
		lea	edi, [eax-1Ch]
		sub	esi, 1Ch
		add	eax, 0FFFFFFF0h
		jmp	short loc_8E576F
; 

loc_8E5728:				; CODE XREF: PAGE:008E5777j
		mov	eax, [edi]
		cmp	eax, [ebp+0Ch]
		jnz	short loc_8E575F
		mov	eax, [edi+4]
		cmp	eax, [ebp+10h]
		jnz	short loc_8E575F
		mov	eax, [edi+8]
		cmp	eax, [ebp+14h]
		jnz	short loc_8E575F
		mov	eax, [edi+0Ch]
		cmp	eax, [ebp+18h]
		jnz	short loc_8E575F
		mov	eax, [ebp+1Ch]
		cmp	[edi+14h], eax
		jnz	short loc_8E575F
		mov	edx, ecx
		mov	ecx, edi
		call	RtlpDeleteFromMergedRange
		mov	edx, eax
		jmp	loc_87CFC5
; 

loc_8E575F:				; CODE XREF: PAGE:008E572Dj
					; PAGE:008E5735j ...
		mov	eax, [ebp-4]
		mov	esi, eax
		mov	edi, eax
		mov	esi, [esi+1Ch]
		sub	esi, 1Ch
		add	eax, 0Ch

loc_8E576F:				; CODE XREF: PAGE:008E5726j
		mov	[ebp-4], esi
		mov	esi, [ebp+8]
		cmp	ecx, eax
		jnz	short loc_8E5728
		jmp	loc_87CF80
; 
; START	OF FUNCTION CHUNK FOR ArbAllocateEntry

loc_8E577E:				; CODE XREF: ArbAllocateEntry+CAj
		and	eax, 0FFBFh
		mov	[esi+30h], ax
		jmp	loc_87D1E5
; 

loc_8E578C:				; CODE XREF: ArbAllocateEntry+100j
					; ArbAllocateEntry+10Ej
		call	KeQueryInterruptTime
		cmp	edx, [ebp+var_8]
		ja	loc_87D1B1
		jb	short loc_8E57A5
		cmp	eax, [ebp+var_C]
		ja	loc_87D1B1

loc_8E57A5:				; CODE XREF: ArbAllocateEntry+6863Cj
		mov	eax, [ebp+arg_0]
		mov	[esi+18h], ebx
		mov	[esi+1Ch], eax
		jmp	loc_87D1BA
; 

loc_8E57B3:				; CODE XREF: ArbAllocateEntry+6Ej
		mov	eax, [esi+20h]
		mov	dword ptr [eax+34h], 2
		jmp	loc_87D1DA
; 

loc_8E57C2:				; CODE XREF: ArbAllocateEntry+8Bj
		mov	al, 1
		mov	[ebp+var_2], al
		jmp	loc_87D1F2
; 

loc_8E57CC:				; CODE XREF: ArbAllocateEntry+153j
		push	0
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+4], 0
		mov	eax, 0FFEFh
		and	[esi], ax
		jmp	loc_87D2B7
; END OF FUNCTION CHUNK	FOR ArbAllocateEntry
; 
; START	OF FUNCTION CHUNK FOR ArbGetNextAllocationRange

loc_8E57E7:				; CODE XREF: ArbGetNextAllocationRange+3Bj
		mov	eax, [ecx+20h]
		cmp	eax, [esi+20h]
		jge	short loc_8E57F1
		mov	esi, ecx

loc_8E57F1:				; CODE XREF: ArbGetNextAllocationRange+6850Dj
		add	ecx, 38h
		jmp	loc_87D319
; 

loc_8E57F9:				; CODE XREF: ArbGetNextAllocationRange+D4j
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_1C]
		mov	ebx, [ebp+var_10]
		mov	eax, [ebp+var_14]
		mov	[ebp+arg_4], edx
		jmp	loc_87D46F
; 

loc_8E580D:				; CODE XREF: ArbGetNextAllocationRange+13Cj
					; ArbGetNextAllocationRange+148j
		mov	[edi+24h], esi
		jmp	loc_87D2F1
; 

loc_8E5815:				; CODE XREF: ArbGetNextAllocationRange+217j
		mov	edx, [edi+24h]
		cmp	edx, esi
		mov	[ebp+var_20], edx
		mov	edx, [ebp+arg_4]
		jnz	loc_87D479
		mov	esi, [ebp+var_20]
		jmp	loc_87D2F1
; END OF FUNCTION CHUNK	FOR ArbGetNextAllocationRange
; 
; START	OF FUNCTION CHUNK FOR ArbpUpdatePriority

loc_8E582E:				; CODE XREF: ArbpUpdatePriority+152j
		test	ecx, ecx
		jle	short loc_8E5835
		dec	ecx
		jmp	short loc_8E5837
; 

loc_8E5835:				; CODE XREF: ArbpUpdatePriority+68334j
		not	ecx

loc_8E5837:				; CODE XREF: ArbpUpdatePriority+68337j
		mov	esi, [edi+20h]
		inc	ecx
		shl	ecx, 4
		add	ecx, esi
		jmp	loc_87D53E
; END OF FUNCTION CHUNK	FOR ArbpUpdatePriority
; 
; START	OF FUNCTION CHUNK FOR ArbpBuildAllocationStack

loc_8E5845:				; CODE XREF: ArbpBuildAllocationStack+29j
		dec	ecx
		jmp	loc_87D693
; END OF FUNCTION CHUNK	FOR ArbpBuildAllocationStack
; 
; START	OF FUNCTION CHUNK FOR ArbBootAllocation

loc_8E584B:				; CODE XREF: ArbBootAllocation+151j
		push	0
		push	[esp+0B4h+var_64]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0FFEFh
		and	[esp+0B0h+var_68], ax
		jmp	loc_87D8D1
; 

loc_8E5865:				; CODE XREF: ArbBootAllocation+125j
		push	dword ptr [esi+18h]
		call	_RtlFreeRangeList@4 ; RtlFreeRangeList(x)
		mov	eax, ebx
		jmp	loc_87D8F5
; END OF FUNCTION CHUNK	FOR ArbBootAllocation
; 
; START	OF FUNCTION CHUNK FOR RtlpDeleteFromMergedRange

loc_8E5874:				; CODE XREF: RtlpDeleteFromMergedRange+80j
		mov	edx, [ebp+var_C]
		add	edx, 0FFFFFFE4h
		lea	eax, [edx+1Ch]
		jmp	short loc_8E5889
; 

loc_8E587F:				; CODE XREF: RtlpDeleteFromMergedRange+67E05j
		call	RtlpAddToMergedRange
		mov	edx, edi
		lea	eax, [edi+1Ch]

loc_8E5889:				; CODE XREF: RtlpDeleteFromMergedRange+67DEBj
		mov	edi, [eax]
		lea	ecx, [ebp+var_C]
		sub	edi, 1Ch
		cmp	ecx, eax
		push	1
		mov	ecx, esi
		jnz	short loc_8E587F
		mov	edx, ebx
		call	RtlpAddToMergedRange
		jmp	loc_87DB62
; 

loc_8E58A5:				; CODE XREF: RtlpDeleteFromMergedRange+49j
					; RtlpDeleteFromMergedRange+A0j
		lea	eax, [esi+1Ch]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_87DB67
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_87DB67
		mov	[ecx], edx
		mov	[edx+4], ecx
		jmp	loc_87DB51
; END OF FUNCTION CHUNK	FOR RtlpDeleteFromMergedRange
; 

loc_8E58C8:				; CODE XREF: PAGE:0087DC42j
		lea	eax, [ebx+1Ch]
		mov	ecx, ebx
		cmp	edi, eax
		jz	loc_87DC48
		mov	edi, [esi+0Ch]
		mov	eax, [esi+8]
		mov	[ebp-18h], edi
		mov	edi, [ebp-8]
		mov	[ebp-1Ch], eax

loc_8E58E4:				; CODE XREF: PAGE:008E598Aj
		mov	esi, [ebp-18h]
		cmp	esi, [ecx+4]
		mov	esi, [ebp+8]
		jb	loc_87DC48
		ja	short loc_8E58FD
		cmp	eax, [ecx]
		jb	loc_87DC48

loc_8E58FD:				; CODE XREF: PAGE:008E58F3j
		test	byte ptr [ecx+1Ah], 1
		jz	loc_8E5995
		mov	eax, [ecx+10h]
		lea	edx, [eax-1Ch]
		add	eax, 0FFFFFFF0h
		cmp	ecx, eax
		jz	short loc_8E597C
		mov	eax, [esi]
		mov	[ebp-10h], eax
		mov	eax, [esi+4]
		mov	[ebp-0Ch], eax

loc_8E591F:				; CODE XREF: PAGE:008E5977j
		mov	eax, [edx+4]
		mov	edi, [edx]
		mov	[ebp-14h], eax
		cmp	eax, [ebp-0Ch]
		ja	short loc_8E5948
		jb	short loc_8E5933
		cmp	edi, [ebp-10h]
		jnb	short loc_8E5948

loc_8E5933:				; CODE XREF: PAGE:008E592Cj
		mov	eax, [edx+0Ch]
		cmp	eax, [ebp-0Ch]
		jb	short loc_8E596C
		ja	short loc_8E5945
		mov	eax, [edx+8]
		cmp	eax, [ebp-10h]
		jb	short loc_8E596C

loc_8E5945:				; CODE XREF: PAGE:008E593Bj
		mov	eax, [ebp-14h]

loc_8E5948:				; CODE XREF: PAGE:008E592Aj
					; PAGE:008E5931j
		cmp	[ebp-0Ch], eax
		ja	short loc_8E5960
		jb	short loc_8E5954
		cmp	[ebp-10h], edi
		jnb	short loc_8E5960

loc_8E5954:				; CODE XREF: PAGE:008E594Dj
		cmp	[ebp-18h], eax
		jb	short loc_8E596C
		ja	short loc_8E5960
		cmp	[ebp-1Ch], edi
		jb	short loc_8E596C

loc_8E5960:				; CODE XREF: PAGE:008E594Bj
					; PAGE:008E5952j ...
		cmp	byte ptr [ebp-1], 0
		jz	short loc_8E599F
		test	byte ptr [edx+19h], 1
		jz	short loc_8E599F

loc_8E596C:				; CODE XREF: PAGE:008E5939j
					; PAGE:008E5943j ...
		mov	edx, [edx+1Ch]
		sub	edx, 1Ch
		lea	eax, [edx+0Ch]
		cmp	ecx, eax
		jnz	short loc_8E591F
		mov	edi, [ebp-8]

loc_8E597C:				; CODE XREF: PAGE:008E5912j
		mov	dl, [ebp-1]

loc_8E597F:				; CODE XREF: PAGE:008E599Dj
		mov	eax, [ecx+1Ch]
		cmp	edi, eax
		lea	ecx, [eax-1Ch]
		mov	eax, [ebp-1Ch]
		jnz	loc_8E58E4
		jmp	loc_87DC48
; 

loc_8E5995:				; CODE XREF: PAGE:008E5901j
		test	dl, dl
		jz	short loc_8E599F
		test	byte ptr [ecx+19h], 1
		jnz	short loc_8E597F

loc_8E599F:				; CODE XREF: PAGE:008E5964j
					; PAGE:008E596Aj ...
		mov	eax, 0C0000282h
		jmp	loc_87DC6B
; 

loc_8E59A9:				; CODE XREF: PAGE:0087DC97j
		mov	eax, [esi+10h]
		lea	edx, [eax-1Ch]
		mov	eax, [eax]
		sub	eax, 1Ch
		mov	[ebp-1Ch], eax
		lea	eax, [edx+0Ch]
		jmp	short loc_8E59FD
; 

loc_8E59BC:				; CODE XREF: PAGE:008E59FFj
		lea	eax, [edx+1Ch]
		mov	ecx, [eax]
		mov	[ebp-18h], ecx
		cmp	[ecx+4], eax
		jnz	loc_87DCC6
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_87DCC6
		mov	eax, [ebp-18h]
		push	dword ptr [ebp+0Ch]
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, ebx
		call	RtlpAddToMergedRange
		mov	ecx, [ebp-1Ch]
		mov	eax, ecx
		mov	edx, ecx
		mov	ecx, [ecx+1Ch]
		sub	ecx, 1Ch
		add	eax, 0Ch
		mov	[ebp-1Ch], ecx

loc_8E59FD:				; CODE XREF: PAGE:008E59BAj
		cmp	esi, eax
		jnz	short loc_8E59BC
		lea	eax, [esi+1Ch]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_87DCC6
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_87DCC6
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, esi
		call	_RtlpFreeRangeListEntry@4 ; RtlpFreeRangeListEntry(x)
		jmp	loc_87DCBF
; 
; START	OF FUNCTION CHUNK FOR RtlpAddToMergedRange

loc_8E5A2B:				; CODE XREF: RtlpAddToMergedRange+6Fj
		mov	eax, 0C0000282h
		jmp	loc_87DDD3
; 

loc_8E5A35:				; CODE XREF: RtlpAddToMergedRange+26j
		mov	esi, ecx
		jmp	loc_87DD7C
; 

loc_8E5A3C:				; CODE XREF: RtlpAddToMergedRange+BCj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8E5A43:				; CODE XREF: RtlpConvertToMergedRange+14j
		mov	eax, [esi+10h]
		dec	dword ptr [eax]
		and	byte ptr [esi+19h], 0EFh
		jmp	loc_87DF9C
; END OF FUNCTION CHUNK	FOR RtlpAddToMergedRange
; 
; START	OF FUNCTION CHUNK FOR RtlCopyRangeList

loc_8E5A51:				; CODE XREF: RtlCopyRangeList+38j
		push	esi
		call	_RtlFreeRangeList@4 ; RtlFreeRangeList(x)
		mov	eax, 0C000009Ah
		jmp	loc_87E01D
; END OF FUNCTION CHUNK	FOR RtlCopyRangeList
; 
; START	OF FUNCTION CHUNK FOR RtlpCopyRangeListEntry

loc_8E5A61:				; CODE XREF: RtlpCopyRangeListEntry+6Bj
		mov	ecx, ebx
		call	_RtlpDeleteRangeListEntry@4 ; RtlpDeleteRangeListEntry(x)
		xor	eax, eax
		jmp	loc_87E067
; END OF FUNCTION CHUNK	FOR RtlpCopyRangeListEntry
; 
; START	OF FUNCTION CHUNK FOR ArbFindSuitableRange

loc_8E5A6F:				; CODE XREF: ArbFindSuitableRange+44j
		mov	[esi], ebx
		mov	[esi+4], edx
		mov	[esi+8], ebx
		mov	[esi+0Ch], edx
		jmp	loc_87E1B5
; 

loc_8E5A7F:				; CODE XREF: ArbFindSuitableRange+52j
					; ArbFindSuitableRange+5Bj
		or	byte ptr [esi+33h], 1
		jmp	loc_87E13D
; END OF FUNCTION CHUNK	FOR ArbFindSuitableRange
; 
; START	OF FUNCTION CHUNK FOR RtlFindRange

loc_8E5A88:				; CODE XREF: RtlFindRange+43j
					; RtlFindRange+53j ...
		mov	eax, 0C000000Dh
		jmp	loc_87E330
; END OF FUNCTION CHUNK	FOR RtlFindRange
; 
; START	OF FUNCTION CHUNK FOR RtlpIsRangeAvailable

loc_8E5A92:				; CODE XREF: RtlpIsRangeAvailable+B4j
		cmp	dword ptr [esi+14h], 0
		jz	loc_87E45E
		jmp	loc_87E4B6
; 

loc_8E5AA1:				; CODE XREF: RtlpIsRangeAvailable+BEj
		push	esi
		push	[ebp+arg_1C]
		call	[ebp+arg_20]
		test	al, al
		jz	loc_87E4C0
		jmp	loc_87E45E
; END OF FUNCTION CHUNK	FOR RtlpIsRangeAvailable
; 
; START	OF FUNCTION CHUNK FOR RtlGetNextRange

loc_8E5AB5:				; CODE XREF: RtlGetNextRange+11j
		mov	eax, 0C000000Dh
		jmp	loc_87E523
; 

loc_8E5ABF:				; CODE XREF: RtlGetNextRange+1Cj
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		mov	eax, 8000001Ah
		jmp	loc_87E523
; END OF FUNCTION CHUNK	FOR RtlGetNextRange
; 
; START	OF FUNCTION CHUNK FOR IopGenericUnpackRequirement

loc_8E5ACF:				; CODE XREF: IopGenericUnpackRequirement+38j
		cmp	[esi+1Ch], eax
		jl	loc_87E656
		mov	ecx, 0FFFFFFh
		jg	short loc_8E5AE8
		cmp	[esi+18h], ecx
		jbe	loc_87E656

loc_8E5AE8:				; CODE XREF: IopGenericUnpackRequirement+674C5j
		mov	[ebx], ecx
		mov	[ebx+4], eax
		jmp	loc_87E656
; END OF FUNCTION CHUNK	FOR IopGenericUnpackRequirement
; 
; START	OF FUNCTION CHUNK FOR ArbpGetRegistryValue

loc_8E5AF2:				; CODE XREF: ArbpGetRegistryValue+39j
		cmp	eax, 80000005h
		jz	loc_87E6A9
		mov	eax, 0C0000001h
		jmp	loc_87E6E3
; 

loc_8E5B07:				; CODE XREF: ArbpGetRegistryValue+6Cj
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_87E6E3
; END OF FUNCTION CHUNK	FOR ArbpGetRegistryValue
; 
; START	OF FUNCTION CHUNK FOR ArbInitializeOrderingList

loc_8E5B15:				; CODE XREF: ArbInitializeOrderingList+2Fj
		xor	eax, eax
		mov	[esi+2], ax
		mov	eax, 0C000009Ah
		jmp	loc_87E730
; END OF FUNCTION CHUNK	FOR ArbInitializeOrderingList
; 
; START	OF FUNCTION CHUNK FOR ArbFreeOrderingList

loc_8E5B25:				; CODE XREF: ArbFreeOrderingList+Aj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_87E744
; END OF FUNCTION CHUNK	FOR ArbFreeOrderingList
; 
; START	OF FUNCTION CHUNK FOR ArbPruneOrdering

loc_8E5B32:				; CODE XREF: ArbPruneOrdering+19j
					; ArbPruneOrdering+25j
		mov	esi, 0C000000Dh
		jmp	short loc_8E5B62
; 

loc_8E5B39:				; CODE XREF: ArbPruneOrdering+48j
		mov	esi, 0C000009Ah
		jmp	short loc_8E5B62
; 

loc_8E5B40:				; CODE XREF: ArbPruneOrdering+CCj
		push	4C627241h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		jnz	short loc_8E5B69
		mov	esi, 0C000009Ah
		push	eax
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E5B62:				; CODE XREF: ArbPruneOrdering+6735Bj
					; ArbPruneOrdering+67362j
		mov	eax, esi
		jmp	loc_87E8CC
; 

loc_8E5B69:				; CODE XREF: ArbPruneOrdering+67376j
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jz	short loc_8E5B7B
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_C]

loc_8E5B7B:				; CODE XREF: ArbPruneOrdering+67392j
		mov	ecx, [ebp+var_8]
		mov	[ebx+4], eax
		mov	[ebx+2], di
		jmp	loc_87E8B1
; END OF FUNCTION CHUNK	FOR ArbPruneOrdering
; 
; START	OF FUNCTION CHUNK FOR ArbInitializeArbiterInstance

loc_8E5B8A:				; CODE XREF: ArbInitializeArbiterInstance+2Fj
					; ArbInitializeArbiterInstance+55j ...
		mov	edi, 0C000009Ah

loc_8E5B8F:				; CODE XREF: ArbInitializeArbiterInstance+1F9j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_8E5B9D
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E5B9D:				; CODE XREF: ArbInitializeArbiterInstance+671DEj
		mov	eax, [esi+98h]
		test	eax, eax
		jz	short loc_8E5BAE
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E5BAE:				; CODE XREF: ArbInitializeArbiterInstance+671EFj
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_8E5BBC
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E5BBC:				; CODE XREF: ArbInitializeArbiterInstance+671FDj
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_8E5BCA
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E5BCA:				; CODE XREF: ArbInitializeArbiterInstance+6720Bj
		mov	eax, [esi+38h]
		test	eax, eax
		jz	short loc_8E5BD8
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E5BD8:				; CODE XREF: ArbInitializeArbiterInstance+67219j
		mov	eax, edi
		jmp	loc_87EBB7
; END OF FUNCTION CHUNK	FOR ArbInitializeArbiterInstance
; 
; START	OF FUNCTION CHUNK FOR IopSelectNextConfiguration

loc_8E5BDF:				; CODE XREF: IopSelectNextConfiguration+91j
		mov	eax, [ebp+var_4]
		inc	ebx
		add	eax, 28h
		mov	[ebp+var_4], eax
		cmp	ebx, edi
		jb	loc_87ECBE
		jmp	loc_87ECE1
; END OF FUNCTION CHUNK	FOR IopSelectNextConfiguration
; 
; START	OF FUNCTION CHUNK FOR IopPortFindSuitableRange

loc_8E5BF6:				; CODE XREF: IopPortFindSuitableRange+29j
		mov	eax, [esi]
		mov	[esi+8], eax
		mov	eax, [esi+4]
		mov	[esi+0Ch], eax
		jmp	loc_87EDAA
; 

loc_8E5C06:				; CODE XREF: IopPortFindSuitableRange+A4j
		push	esi
		push	edi
		call	dword ptr [edi+88h]
		test	al, al
		jz	loc_87EDB5
		jmp	loc_87ED90
; END OF FUNCTION CHUNK	FOR IopPortFindSuitableRange
; 
; START	OF FUNCTION CHUNK FOR ArbAddInaccessibleAllocationRange

loc_8E5C1B:				; CODE XREF: ArbAddInaccessibleAllocationRange+AAj
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi
		jmp	loc_87EF64
; 

loc_8E5C2A:				; CODE XREF: ArbAddInaccessibleAllocationRange+CBj
					; ArbAddInaccessibleAllocationRange+FFj
		cmp	edi, 0C000009Ah
		jz	loc_87EF47
		mov	edi, ebx
		jmp	loc_87EF47
; 

loc_8E5C3D:				; CODE XREF: ArbAddInaccessibleAllocationRange+E9j
					; ArbAddInaccessibleAllocationRange+116j
		mov	edi, 0C000000Dh
		jmp	loc_87EF47
; 

loc_8E5C47:				; CODE XREF: ArbAddInaccessibleAllocationRange+14Bj
		cmp	dl, 7
		jnz	loc_87EF30
		cmp	[ebp+var_10], 3
		jnz	loc_87EF30
		jmp	loc_87EF0B
; END OF FUNCTION CHUNK	FOR ArbAddInaccessibleAllocationRange
; 
; START	OF FUNCTION CHUNK FOR IopDmaPackResource

loc_8E5C5F:				; CODE XREF: IopDmaPackResource+1Ej
		mov	eax, [edx+10h]
		mov	[ecx+4], eax
		mov	eax, [edx+8]
		mov	[ecx+8], eax
		mov	al, [edx+14h]
		mov	[ecx+0Ch], al
		jmp	loc_87EF98
; END OF FUNCTION CHUNK	FOR IopDmaPackResource
; 
; START	OF FUNCTION CHUNK FOR ArbAddMmConfigRangeAsBootReserved

loc_8E5C76:				; CODE XREF: ArbAddMmConfigRangeAsBootReserved+D0j
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi
		jmp	loc_87F177
; 

loc_8E5C85:				; CODE XREF: ArbAddMmConfigRangeAsBootReserved+EEj
		cmp	edi, 0C000009Ah
		jz	loc_87F15A
		mov	edi, ebx
		jmp	loc_87F15A
; 

loc_8E5C98:				; CODE XREF: ArbAddMmConfigRangeAsBootReserved+F8j
		mov	edi, 0C000000Dh
		jmp	loc_87F15A
; 

loc_8E5CA2:				; CODE XREF: ArbAddMmConfigRangeAsBootReserved+164j
		cmp	dl, 7
		jnz	loc_87F143
		cmp	[ebp+var_14], 3
		jnz	loc_87F143
		jmp	loc_87F120
; END OF FUNCTION CHUNK	FOR ArbAddMmConfigRangeAsBootReserved
; 
; START	OF FUNCTION CHUNK FOR MiCreatePfnBitMaps

loc_8E5CBA:				; CODE XREF: MiCreatePfnBitMaps+46j
		mov	[edi+4], esi
		jmp	loc_87F413
; 

loc_8E5CC2:				; CODE XREF: MiCreatePfnBitMaps+117j
		push	[ebp+var_C]
		mov	edx, [ebp+var_8]
		jmp	short loc_8E5CDD
; 

loc_8E5CCA:				; CODE XREF: MiCreatePfnBitMaps+176j
		push	[ebp+var_10]
		mov	edx, [ebp+var_C]
		jmp	short loc_8E5CD8
; 

loc_8E5CD2:				; CODE XREF: MiCreatePfnBitMaps+9Aj
		push	[ebp+var_18]
		mov	edx, [ebp+var_1C]

loc_8E5CD8:				; CODE XREF: MiCreatePfnBitMaps+66966j
		mov	ecx, offset dword_6D35E0

loc_8E5CDD:				; CODE XREF: MiCreatePfnBitMaps+6695Ej
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_8E5CE2:				; CODE XREF: MiCreatePfnBitMaps+81j
					; MiCreatePfnBitMaps+F0j ...
		mov	ecx, ebx
		call	_MiDeletePfnBitMaps@4 ;	MiDeletePfnBitMaps(x)
		jmp	loc_87F55B
; END OF FUNCTION CHUNK	FOR MiCreatePfnBitMaps
; 
; START	OF FUNCTION CHUNK FOR MiComputeNodeMemory

loc_8E5CEE:				; CODE XREF: MiComputeNodeMemory+37j
		and	[ebp+var_10], eax
		xor	ecx, ecx
		mov	[ebp+var_20], ecx
		test	edi, edi
		jnz	loc_87F71F
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		inc	edx
		call	MiReferencePageRuns
		mov	esi, eax
		mov	[ebp+var_14], esi
		mov	eax, [esi]
		inc	eax
		lea	eax, [esi+eax*8]
		mov	[ebp+var_10], eax
		jmp	loc_87F71F
; 

loc_8E5D1E:				; CODE XREF: MiComputeNodeMemory+A4j
		mov	ecx, [ebx]
		mov	[ebp+var_1C], ecx
		xor	ecx, ecx
		cmp	[ebp+var_1C], ecx
		jbe	loc_87F78C
		lea	esi, [ebx+0Ch]
		mov	[ebp+var_28], esi
		mov	ebx, esi
		mov	esi, [ebp+var_1C]

loc_8E5D39:				; CODE XREF: MiComputeNodeMemory+666D4j
		mov	edx, [ebp+var_10]
		cmp	[edx+ecx*8], edi
		mov	edx, [ebp+var_4]
		jnz	short loc_8E5D7A
		mov	eax, [ebp+var_10]
		mov	esi, [ebx-4]
		mov	eax, [eax+ecx*8+4]
		mov	[ebp+var_34], eax
		mov	eax, [ebx]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_C]
		cmp	edx, esi
		jbe	short loc_8E5D60
		mov	[ebp+var_4], esi

loc_8E5D60:				; CODE XREF: MiComputeNodeMemory+666AFj
		mov	edx, [ebp+var_28]
		dec	edx
		add	esi, edx
		cmp	eax, esi
		jnb	short loc_8E5D6D
		mov	[ebp+var_C], esi

loc_8E5D6D:				; CODE XREF: MiComputeNodeMemory+666BCj
		mov	edx, [ebp+var_34]
		mov	esi, [ebp+var_28]
		add	[ebp+edx*4+var_8], esi
		mov	esi, [ebp+var_1C]

loc_8E5D7A:				; CODE XREF: MiComputeNodeMemory+66696j
		inc	ecx
		add	ebx, 8
		cmp	ecx, esi
		jb	short loc_8E5D39
		mov	ebx, [ebp+var_14]
		jmp	loc_87F789
; END OF FUNCTION CHUNK	FOR MiComputeNodeMemory
; 
; START	OF FUNCTION CHUNK FOR MiInitializePartition

loc_8E5D8A:				; CODE XREF: MiInitializePartition+36j
		mov	dword ptr [esi+4], 20h
		jmp	loc_87F85A
; 

loc_8E5D96:				; CODE XREF: MiInitializePartition+18Dj
		mov	eax, ecx
		jmp	loc_87F9B1
; 

loc_8E5D9D:				; CODE XREF: MiInitializePartition+36Cj
		mov	ecx, esi
		call	MiInitializeCommitment
		jmp	loc_87FB90
; 

loc_8E5DA9:				; CODE XREF: MiInitializePartition+404j
		test	al, 4
		jnz	loc_87FC28
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_87FC28
; END OF FUNCTION CHUNK	FOR MiInitializePartition
; 
; START	OF FUNCTION CHUNK FOR MiInitializeChannelOrdering

loc_8E5DBD:				; CODE XREF: MiInitializeChannelOrdering+Cj
		mov	eax, [ebp+arg_0]
		mov	edx, [ecx+10h]
		push	esi
		imul	esi, eax, 280h
		cmp	ecx, offset _MiSystemPartition
		jnz	short loc_8E5DDA
		push	eax
		call	_MiInitializeSystemChannelOrdering@8 ; MiInitializeSystemChannelOrdering(x,x)
		jmp	short loc_8E5E0A
; 

loc_8E5DDA:				; CODE XREF: MiInitializeChannelOrdering+66056j
		mov	ecx, dword_6D4E50
		mov	al, [esi+ecx+203h]
		mov	[edx+esi+203h],	al
		mov	al, [esi+ecx+201h]
		mov	[edx+esi+201h],	al
		mov	al, [esi+ecx+202h]
		mov	[edx+esi+202h],	al

loc_8E5E0A:				; CODE XREF: MiInitializeChannelOrdering+6605Ej
		pop	esi
		jmp	loc_87FD8C
; END OF FUNCTION CHUNK	FOR MiInitializeChannelOrdering
; 
; START	OF FUNCTION CHUNK FOR TlgRegisterAggregateProviderEx

loc_8E5E10:				; CODE XREF: TlgRegisterAggregateProviderEx+1Aj
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, ebx
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		jmp	loc_87FF39
; 

loc_8E5E21:				; CODE XREF: TlgRegisterAggregateProviderEx+5Aj
		mov	ecx, esi
		call	DestroyAggregateSession
		mov	eax, edi
		jmp	loc_87FF39
; 

loc_8E5E2F:				; CODE XREF: TlgRegisterAggregateProviderEx+7Aj
		push	eax
		mov	edx, edi
		mov	ecx, eax
		call	ExfAcquirePushLockExclusiveEx
		jmp	loc_87FEEE
; 

loc_8E5E3E:				; CODE XREF: TlgRegisterAggregateProviderEx+BCj
		test	al, 4
		jnz	loc_87FF30
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_87FF30
; END OF FUNCTION CHUNK	FOR TlgRegisterAggregateProviderEx
; 
; START	OF FUNCTION CHUNK FOR CreateTlgAggregateSession

loc_8E5E52:				; CODE XREF: CreateTlgAggregateSession+52j
		test	bl, bl
		jnz	loc_88009B
		jmp	loc_880026
; END OF FUNCTION CHUNK	FOR CreateTlgAggregateSession
; 
; START	OF FUNCTION CHUNK FOR MiWriteProtectSystemImages

loc_8E5E5F:				; CODE XREF: MiWriteProtectSystemImages+34j
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		cmp	dword ptr [eax+58h], 0
		jz	loc_880134
		test	dword ptr [esi+34h], 8000000h
		jnz	loc_88013B
		jmp	loc_880134
; END OF FUNCTION CHUNK	FOR MiWriteProtectSystemImages
; 
; START	OF FUNCTION CHUNK FOR MiProtectSystemImage

loc_8E5E80:				; CODE XREF: MiProtectSystemImage+55j
					; MiProtectSystemImage+65j
		mov	[ebp+var_50], edx
		jmp	loc_8801CF
; 

loc_8E5E88:				; CODE XREF: MiProtectSystemImage+14Cj
		cmp	edi, edx
		jbe	loc_8802A6
		mov	edx, [ebp+var_3C]
		mov	ecx, [ebp+var_50]
		call	MiComputeDriverProtection
		mov	ecx, [ebp+var_54]
		push	eax
		mov	eax, [ebp+var_34]
		mov	edx, eax
		push	eax
		call	_MiSetSystemCodeProtection@16 ;	MiSetSystemCodeProtection(x,x,x,x)
		mov	eax, [ebp+var_38]
		cmp	[ebp+var_34], eax
		jnz	short loc_8E5EB8
		add	eax, 8
		mov	[ebp+var_38], eax

loc_8E5EB8:				; CODE XREF: MiProtectSystemImage+65D5Cj
		xor	edx, edx
		and	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		jmp	loc_8802A6
; 

loc_8E5EC5:				; CODE XREF: MiProtectSystemImage+25Aj
		test	edi, 20000000h
		jnz	loc_8802C2
		jmp	loc_8803B4
; 

loc_8E5ED6:				; CODE XREF: MiProtectSystemImage+186j
		mov	ecx, edi
		mov	edx, eax
		or	ecx, [ebp+var_40]
		sub	esi, 8
		or	[ebp+var_3C], ecx
		mov	[ebp+var_34], edx
		jmp	loc_8802E0
; 

loc_8E5EEB:				; CODE XREF: MiProtectSystemImage+196j
		lea	esi, [eax-8]
		jmp	loc_8802F0
; END OF FUNCTION CHUNK	FOR MiProtectSystemImage
; 
; START	OF FUNCTION CHUNK FOR MiComputeDriverProtection

loc_8E5EF3:				; CODE XREF: MiComputeDriverProtection+3Dj
		xor	eax, eax
		test	ecx, ecx
		setnz	al
		lea	eax, ds:5[eax*2]
		jmp	loc_8803F7
; END OF FUNCTION CHUNK	FOR MiComputeDriverProtection
; 
; START	OF FUNCTION CHUNK FOR MiCreateMemoryEvent

loc_8E5F06:				; CODE XREF: MiCreateMemoryEvent+11Dj
		push	0
		push	eax
		call	ObCloseHandle
		jmp	loc_880643
; END OF FUNCTION CHUNK	FOR MiCreateMemoryEvent
; 
; START	OF FUNCTION CHUNK FOR ObpInitializeRootNamespace

loc_8E5F13:				; CODE XREF: ObpInitializeRootNamespace+50j
		lea	eax, [ebp+var_48]
		mov	[ebp+var_48], 18h
		push	eax
		push	0F000Fh
		lea	eax, [ebp+var_10]
		mov	[ebp+var_44], edi
		push	eax
		mov	[ebp+var_3C], 250h
		mov	[ebp+var_40], (offset loc_A40177+1)
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], edi
		call	_ZwOpenDirectoryObject@12 ; ZwOpenDirectoryObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_880775
		jmp	loc_8806B4
; 

loc_8E5F52:				; CODE XREF: ObpInitializeRootNamespace+C7j
		push	(offset	loc_A40183+5)
		push	eax
		push	0F0001h
		lea	eax, [ebp+var_C]
		push	eax
		call	_ZwCreateSymbolicLinkObject@16 ; ZwCreateSymbolicLinkObject(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_880775
		push	4
		lea	eax, [ebp+var_18]
		push	eax
		push	1
		push	[ebp+var_C]
		call	_ZwSetInformationSymbolicLink@16 ; ZwSetInformationSymbolicLink(x,x,x,x)
		mov	esi, eax
		jmp	loc_880762
; 

loc_8E5F87:				; CODE XREF: ObpInitializeRootNamespace+129j
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_88078D
; END OF FUNCTION CHUNK	FOR ObpInitializeRootNamespace
; 
; START	OF FUNCTION CHUNK FOR ObCreateKernelObjectsSD

loc_8E5F94:				; CODE XREF: ObCreateKernelObjectsSD+54j
		mov	esi, 0C000009Ah
		jmp	loc_88097D
; 

loc_8E5F9E:				; CODE XREF: ObCreateKernelObjectsSD+DDj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88097D
; END OF FUNCTION CHUNK	FOR ObCreateKernelObjectsSD
; 
; START	OF FUNCTION CHUNK FOR ObpCreateDosDevicesDirectory

loc_8E5FAB:				; CODE XREF: ObpCreateDosDevicesDirectory+36j
		mov	eax, 0C000000Dh
		jmp	loc_880B26
; END OF FUNCTION CHUNK	FOR ObpCreateDosDevicesDirectory
; 
; START	OF FUNCTION CHUNK FOR ObpSetSiloDeviceMap

loc_8E5FB5:				; CODE XREF: ObpSetSiloDeviceMap+12j
		push	edi
		call	_PsGetEffectiveServerSilo@4 ; PsGetEffectiveServerSilo(x)
		xor	edx, edx
		jmp	loc_880B80
; END OF FUNCTION CHUNK	FOR ObpSetSiloDeviceMap
; 
; START	OF FUNCTION CHUNK FOR ObpGetDosDevicesProtection

loc_8E5FC2:				; CODE XREF: ObpGetDosDevicesProtection+23j
		push	_SeWorldSid
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeLocalSystemSid
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 2Ch
		push	6C636144h
		lea	esi, [eax+esi*2]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8E604C
		push	2
		pop	edi
		push	edi		; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, _SeWorldSid
		mov	edx, edi
		push	0
		push	esi
		push	0E0000000h
		push	0
		mov	ecx, ebx
		call	RtlpAddKnownAce
		push	0
		push	_SeLocalSystemSid
		mov	edx, edi
		mov	ecx, ebx
		push	10000000h
		push	0
		call	RtlpAddKnownAce
		push	0
		push	esi
		push	10000000h
		push	0
		mov	edx, edi
		mov	ecx, ebx
		call	RtlpAddKnownAce
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		jmp	loc_880CE2
; 

loc_8E604C:				; CODE XREF: ObpGetDosDevicesProtection+72j
					; ObpGetDosDevicesProtection+65455j
		mov	eax, 0C0000017h
		jmp	loc_880CFE
; END OF FUNCTION CHUNK	FOR ObpGetDosDevicesProtection
; 
; START	OF FUNCTION CHUNK FOR MiCreateMemoryEventSD

loc_8E6056:				; CODE XREF: MiCreateMemoryEventSD+14Cj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_880E56
; END OF FUNCTION CHUNK	FOR MiCreateMemoryEventSD
; 
; START	OF FUNCTION CHUNK FOR NtSetDebugFilterState

loc_8E6063:				; CODE XREF: NtSetDebugFilterState+1Cj
		push	[esp+8+var_4]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	loc_880E80
		mov	eax, 0C0000022h
		jmp	loc_880EC4
; 

loc_8E608A:				; CODE XREF: NtSetDebugFilterState+2Fj
		cmp	eax, 0FFFFFFFFh
		jz	loc_880E9D
		mov	esi, ds:off_4044E4
		jmp	loc_880E9D
; END OF FUNCTION CHUNK	FOR NtSetDebugFilterState
; 
; START	OF FUNCTION CHUNK FOR MmProcessWorkingSetControl

loc_8E609E:				; CODE XREF: MmProcessWorkingSetControl+25j
		mov	eax, 0C0000004h
		jmp	loc_7974B0
; END OF FUNCTION CHUNK	FOR MmProcessWorkingSetControl

;  S U B	R O U T	I N E 


sub_8E60A8	proc near		; DATA XREF: .text:006A1ED4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E60A8	endp


;  S U B	R O U T	I N E 


sub_8E60B6	proc near		; DATA XREF: .text:006A1ED8o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-50h]
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		xor	ebx, ebx
		mov	[ebp-40h], ebx
		jmp	loc_797366
sub_8E60B6	endp

; 
; START	OF FUNCTION CHUNK FOR MmProcessWorkingSetControl

loc_8E60CC:				; CODE XREF: MmProcessWorkingSetControl+50j
		mov	eax, 0C0000059h
		jmp	loc_7974B0
; 

loc_8E60D6:				; CODE XREF: MmProcessWorkingSetControl+5Aj
		mov	eax, 0C000000Dh
		jmp	loc_7974B0
; 

loc_8E60E0:				; CODE XREF: MmProcessWorkingSetControl+64j
		push	[ebp+arg_4]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	loc_79738C
		mov	eax, 0C0000061h
		jmp	loc_7974B0
; 

loc_8E6106:				; CODE XREF: MmProcessWorkingSetControl+BDj
		mov	eax, [ebp+var_44]
		test	eax, edi
		jz	short loc_8E6117
		mov	esi, 0C000000Dh
		jmp	loc_797492
; 

loc_8E6117:				; CODE XREF: MmProcessWorkingSetControl+14EDE9j
		not	al
		and	al, 1
		mov	dl, al
		mov	ecx, ebx
		call	_PsSwapProcessWorkingSet@8 ; PsSwapProcessWorkingSet(x,x)
		mov	esi, eax
		jmp	loc_797492
; 

loc_8E612B:				; CODE XREF: MmProcessWorkingSetControl+D6j
		mov	esi, 0C000000Dh
		jmp	loc_79748F
; 

loc_8E6135:				; CODE XREF: MmProcessWorkingSetControl+E1j
		cmp	byte ptr [ebp+arg_4], 0
		jz	loc_797409

loc_8E613F:				; CODE XREF: MmProcessWorkingSetControl+FBj
					; MmProcessWorkingSetControl+10Aj ...
		mov	esi, 0C00000BBh
		jmp	loc_79748F
; 

loc_8E6149:				; CODE XREF: MmProcessWorkingSetControl+141j
		test	bl, 4
		jz	short loc_8E6151
		or	esi, 1

loc_8E6151:				; CODE XREF: MmProcessWorkingSetControl+14EE2Aj
		mov	edx, esi
		mov	ecx, [ebp+var_3C]
		call	_MiEmptyWorkingSet@8 ; MiEmptyWorkingSet(x,x)
		mov	esi, eax
		jmp	loc_79748F
; END OF FUNCTION CHUNK	FOR MmProcessWorkingSetControl
; 
; START	OF FUNCTION CHUNK FOR SmStoreCompressionStop

loc_8E6162:				; CODE XREF: SmStoreCompressionStop+3Aj
		mov	esi, ds:dword_718490
		jmp	loc_79750A
; 

loc_8E616D:				; CODE XREF: SmStoreCompressionStop+CFj
		push	2
		pop	ecx
		call	_SmSwapStore@4	; SmSwapStore(x)
		jmp	loc_79759B
; END OF FUNCTION CHUNK	FOR SmStoreCompressionStop
; 
; START	OF FUNCTION CHUNK FOR SmStoreCompressionStart

loc_8E617A:				; CODE XREF: SmStoreCompressionStart+2Dj
		mov	edx, ds:dword_718490
		cmp	edx, 0FFFFFFFFh
		jz	loc_7975F3
		jmp	loc_7975D5
; END OF FUNCTION CHUNK	FOR SmStoreCompressionStart

;  S U B	R O U T	I N E 


sub_8E618E	proc near		; CODE XREF: EtwTraceWorkingSetInSwapStoreFail+38j
		push	ebx
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	[ebp-28h], eax
		xor	edx, edx
		push	4
		pop	ecx
		lea	eax, [ebp-28h]
		mov	[ebp-20h], edx
		mov	[ebp-24h], eax
		lea	eax, [ebp-2Ch]
		mov	[ebp-14h], eax
		lea	eax, [ebp-24h]
		push	eax
		push	2
		push	edx
		push	offset _KERNEL_MEM_EVENT_WS_INSWAP_STORE_FAIL
		push	esi
		push	edi
		mov	[ebp-1Ch], ecx
		mov	[ebp-18h], edx
		mov	[ebp-10h], edx
		mov	[ebp-0Ch], ecx
		mov	[ebp-8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_797738
sub_8E618E	endp

; 
; START	OF FUNCTION CHUNK FOR SmKmStoreAdd

loc_8E61D2:				; CODE XREF: SmKmStoreAdd+22Aj
					; SmKmStoreAdd+238j
		mov	ecx, [ebp+var_14]
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	loc_7979BF
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_14]
		jmp	loc_7979BF
; 

loc_8E61F2:				; CODE XREF: SmKmStoreAdd+249j
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)
		mov	[ebp+var_10], ebx
		jmp	loc_7979D1
; 

loc_8E6201:				; CODE XREF: SmKmStoreAdd+7Fj
		mov	ecx, [ebp+var_14]
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8E6218
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_14]

loc_8E6218:				; CODE XREF: SmKmStoreAdd+14EA8Cj
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_18]
		mov	eax, [ebp+var_8]
		jmp	loc_7977D7
; 

loc_8E6230:				; CODE XREF: SmKmStoreAdd+8Aj
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_C]

loc_8E6236:				; CODE XREF: SmKmStoreAdd+42j
		inc	ecx
		mov	[ebp+var_C], ecx
		cmp	ecx, 20h
		jb	loc_7977AD
		jmp	loc_797812
; 

loc_8E6248:				; CODE XREF: SmKmStoreAdd+1BBj
		mov	ebx, 0C000009Ah
		jmp	loc_79791E
; 

loc_8E6252:				; CODE XREF: SmKmStoreAdd+97j
		mov	ebx, 0C0000099h
		jmp	loc_797913
; 

loc_8E625C:				; CODE XREF: SmKmStoreAdd+C7j
		cmp	[ecx+0ECh], esi
		jnz	short loc_8E6272
		mov	eax, [ebp+var_8]
		mov	[ecx+0ECh], eax
		jmp	loc_79784F
; 

loc_8E6272:				; CODE XREF: SmKmStoreAdd+14EAE0j
		mov	eax, esi
		lea	esi, [ecx+0E0h]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8E628B
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8E628B:				; CODE XREF: SmKmStoreAdd+14EB00j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		add	edi, 8
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8E62AE
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8E62AE:				; CODE XREF: SmKmStoreAdd+14EB23j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ebx, 0C000042Bh
		jmp	loc_797913
; 

loc_8E62C4:				; CODE XREF: SmKmStoreAdd+15Cj
		mov	edx, [edi]
		mov	ecx, eax
		push	offset _SmEventStoreCreate
		call	_SmKmEtwLogStoreChange@12 ; SmKmEtwLogStoreChange(x,x,x)
		jmp	loc_7978E4
; 

loc_8E62D7:				; CODE XREF: SmKmStoreAdd+196j
		mov	ecx, eax
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	loc_79791E
; END OF FUNCTION CHUNK	FOR SmKmStoreAdd
; 
; START	OF FUNCTION CHUNK FOR SmProcessCreateRequest

loc_8E62E3:				; CODE XREF: SmProcessCreateRequest+5Bj
		mov	esi, 0C0000206h
		jmp	loc_797C16
; 

loc_8E62ED:				; CODE XREF: SmProcessCreateRequest+69j
		mov	ecx, [ebp+var_6C]
		test	cl, 3
		jz	short loc_8E62FA
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_8E62FA:				; CODE XREF: SmProcessCreateRequest+14E917j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_8E6305
		mov	[eax], bl

loc_8E6305:				; CODE XREF: SmProcessCreateRequest+14E925j
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+34h]
		mov	[ecx+34h], al
		mov	eax, [ebp+arg_4]
		jmp	loc_797A4B
; 

loc_8E6317:				; CODE XREF: SmProcessCreateRequest+F2j
		push	[ebp+arg_4]
		push	ds:dword_A94A5C
		push	ds:_SeLockMemoryPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	loc_797AD4
		mov	esi, 0C0000022h
		jmp	loc_797C50
; 

loc_8E633D:				; CODE XREF: SmProcessCreateRequest+122j
		mov	esi, 0C000009Ah
		jmp	loc_797C16
; END OF FUNCTION CHUNK	FOR SmProcessCreateRequest

;  S U B	R O U T	I N E 


sub_8E6347	proc near		; DATA XREF: .text:006A1F00o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-84h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E6347	endp


;  S U B	R O U T	I N E 


sub_8E6358	proc near		; DATA XREF: .text:006A1F04o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-84h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-70h]
		mov	ebx, [ebp-74h]
		mov	[ebp-60h], ebx
		mov	ebx, [ebp-68h]
		jmp	short loc_8E63AC
sub_8E6358	endp

; 
; START	OF FUNCTION CHUNK FOR SmProcessCreateRequest

loc_8E6376:				; CODE XREF: SmProcessCreateRequest+D4j
					; SmProcessCreateRequest+E0j ...
		mov	esi, 0C00000BBh
		jmp	loc_797C50
; END OF FUNCTION CHUNK	FOR SmProcessCreateRequest

;  S U B	R O U T	I N E 


sub_8E6380	proc near		; DATA XREF: .text:006A1EF4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-88h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E6380	endp


;  S U B	R O U T	I N E 


sub_8E6391	proc near		; DATA XREF: .text:006A1EF8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-88h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-70h]
		mov	ebx, [ebp-74h]
		mov	[ebp-60h], ebx
		mov	ebx, edi

loc_8E63AC:				; CODE XREF: sub_8E6358+1Cj
		mov	ecx, [ebp-78h]
		mov	[ebp-5Ch], ecx
		jmp	loc_797C19
sub_8E6391	endp

; 
; START	OF FUNCTION CHUNK FOR SmProcessCreateRequest

loc_8E63B7:				; CODE XREF: SmProcessCreateRequest+243j
		mov	edx, eax
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_797C25
; 

loc_8E63D1:				; CODE XREF: SmProcessCreateRequest+24Bj
		mov	ecx, edi
		call	SMKM_STORE_SM_TRAITS___SmStCleanup
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	loc_797C2D
; 

loc_8E63E4:				; CODE XREF: SmProcessCreateRequest+253j
		push	ecx
		push	[ebp+arg_4]
		mov	edx, [ebp+var_60]
		mov	ecx, [ebp+var_5C]
		call	SmKmStoreDelete
		jmp	loc_797C35
; END OF FUNCTION CHUNK	FOR SmProcessCreateRequest
; 
; START	OF FUNCTION CHUNK FOR PsCreateSystemThreadEx

loc_8E63F8:				; CODE XREF: PsCreateSystemThreadEx+88j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		call	edi
		movzx	eax, al
		shl	eax, 10h
		or	eax, 4
		push	eax
		push	0C8h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8E6414:				; CODE XREF: SmKmStoreCreatePrepare+24j
		test	eax, 300h
		jnz	short loc_8E6423
		cmp	[edi], dl
		jz	loc_797EE4

loc_8E6423:				; CODE XREF: PsCreateSystemThreadEx+14E785j
		mov	esi, 0C0000022h
		jmp	loc_797EFB
; END OF FUNCTION CHUNK	FOR PsCreateSystemThreadEx
; 
; START	OF FUNCTION CHUNK FOR SmKmStoreCreatePrepare

loc_8E642D:				; CODE XREF: SmKmStoreCreatePrepare+2Cj
		mov	ebx, [edi+20h]
		test	ebx, ebx
		jz	short loc_8E6453
		mov	edx, 4B456D73h
		mov	ecx, ebx
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		jnz	short loc_8E6453
		mov	esi, 0C000009Ah
		jmp	loc_797EFB
; 

loc_8E6453:				; CODE XREF: SmKmStoreCreatePrepare+14E580j
					; SmKmStoreCreatePrepare+14E595j
		push	ebx		; size_t
		push	dword ptr [edi+1Ch] ; void *
		push	edx		; void *
		call	_memcpy
		mov	ecx, [edi+28h]
		add	esp, 0Ch
		mov	edx, [ebp+var_4]
		jmp	loc_797EE8
; END OF FUNCTION CHUNK	FOR SmKmStoreCreatePrepare
; 
; START	OF FUNCTION CHUNK FOR SmpKeyedStoreCreate

loc_8E646B:				; CODE XREF: SmpKeyedStoreCreate+48j
		mov	ebx, 0C000009Ah
		jmp	loc_7980A8
; 

loc_8E6475:				; CODE XREF: SmpKeyedStoreCreate+82j
		mov	ecx, [esp+18h+var_8]
		and	edi, 3FFh
		mov	edx, edi
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		mov	ecx, [esp+18h+var_8]
		push	1
		mov	edx, [eax]
		call	_SmKmStoreDeleteWhenEmpty@12 ; SmKmStoreDeleteWhenEmpty(x,x,x)
		mov	ecx, [esp+18h+var_8]
		mov	edx, edi
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_798092
; END OF FUNCTION CHUNK	FOR SmpKeyedStoreCreate
; 
; START	OF FUNCTION CHUNK FOR SmKmStoreDelete

loc_8E64AB:				; CODE XREF: SmKmStoreDelete+28j
		mov	edi, 0C0000059h
		jmp	loc_798244
; 

loc_8E64B5:				; CODE XREF: SmKmStoreDelete+7Ej
		mov	edx, [ebp+var_8]
		test	dl, 40h
		jnz	short loc_8E64F9
		test	dl, dl
		jns	loc_798186
		mov	edi, 0C0000022h
		jmp	short loc_8E64FE
; 

loc_8E64CC:				; CODE XREF: SmKmStoreDelete+A2j
		mov	edx, [edi]
		push	ecx
		mov	ecx, eax
		call	_SmKmEtwLogStoreStats@12 ; SmKmEtwLogStoreStats(x,x,x)
		mov	edx, [edi]
		mov	ecx, dword ptr [ebp+arg_0]
		push	offset _SmEventStoreDelete
		call	_SmKmEtwLogStoreChange@12 ; SmKmEtwLogStoreChange(x,x,x)
		jmp	loc_7981AA
; 

loc_8E64EA:				; CODE XREF: SmKmStoreDelete+E8j
		push	4
		push	edi
		push	esi
		call	dword ptr [esi+80h]
		jmp	loc_7981F0
; 

loc_8E64F9:				; CODE XREF: SmKmStoreDelete+5Fj
					; SmKmStoreDelete+6Cj ...
		mov	edi, 0C0000059h

loc_8E64FE:				; CODE XREF: SmKmStoreDelete+14E3C8j
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8E650F
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8E650F:				; CODE XREF: SmKmStoreDelete+14E404j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_798244
; END OF FUNCTION CHUNK	FOR SmKmStoreDelete
; 
; START	OF FUNCTION CHUNK FOR EtwTraceWorkingSetSwap

loc_8E6520:				; CODE XREF: EtwTraceWorkingSetSwap+38j
		push	[ebp+var_68]
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		and	[ebp+var_60], 0
		mov	ecx, ebx
		and	[ebp+var_58], 0
		and	ecx, 1
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_64], eax
		push	4
		pop	edx
		mov	[ebp+var_5C], edx
		test	bl, 2
		jz	short loc_8E656C
		test	ecx, ecx
		mov	ecx, offset _KERNEL_MEM_EVENT_WS_INSWAP_START
		jnz	short loc_8E6557
		mov	ecx, offset _KERNEL_MEM_EVENT_WS_OUTSWAP_START

loc_8E6557:				; CODE XREF: EtwTraceWorkingSetSwap+14E280j
		mov	eax, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], ebx
		push	2
		jmp	short loc_8E65E2
; 

loc_8E656C:				; CODE XREF: EtwTraceWorkingSetSwap+14E277j
		mov	edx, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], 4
		mov	[ebp+var_48], ebx
		lea	eax, [edx+10h]
		mov	[ebp+var_54], eax
		push	2
		pop	eax
		test	ecx, ecx
		jz	short loc_8E6592
		mov	ecx, offset _KERNEL_MEM_EVENT_WS_INSWAP_STOP
		jmp	short loc_8E65E3
; 

loc_8E6592:				; CODE XREF: EtwTraceWorkingSetSwap+14E2B9j
		lea	eax, [edx+4]
		mov	[ebp+var_44], edx
		mov	[ebp+var_34], eax
		mov	ecx, offset _KERNEL_MEM_EVENT_WS_OUTSWAP_STOP
		lea	eax, [edx+8]
		mov	[ebp+var_40], ebx
		mov	[ebp+var_24], eax
		lea	eax, [edx+0Ch]
		mov	[ebp+var_3C], 4
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], 4
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], 4
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ebx
		push	6

loc_8E65E2:				; CODE XREF: EtwTraceWorkingSetSwap+14E29Aj
		pop	eax

loc_8E65E3:				; CODE XREF: EtwTraceWorkingSetSwap+14E2C0j
		lea	edx, [ebp+var_64]
		push	edx
		push	eax
		push	ebx
		push	ecx
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_79830E
; END OF FUNCTION CHUNK	FOR EtwTraceWorkingSetSwap
; 
; START	OF FUNCTION CHUNK FOR MiContractWsSwapPageFile

loc_8E65F6:				; CODE XREF: MiContractWsSwapPageFile+24j
		cmp	[ecx+18h], edx
		jb	loc_7983C6
		mov	eax, [ecx]
		sub	eax, edx
		cmp	eax, [ecx+8]
		jb	loc_7983C6
		xor	ecx, ecx
		xor	eax, eax
		push	edi
		lea	edi, [esi+2A8h]
		inc	ecx
		lock cmpxchg [edi], ecx
		test	eax, eax
		jnz	short loc_8E6645
		mov	ecx, [esi+64h]
		call	PsReferencePartitionSafe
		test	al, al
		jz	short loc_8E6641
		push	dword ptr [esi+64h]
		lea	ecx, [esi+298h]
		push	0FFFFFFFFh
		push	3
		pop	edx
		call	ExQueueWorkItemToPartition
		jmp	short loc_8E6645
; 

loc_8E6641:				; CODE XREF: MiContractWsSwapPageFile+14E28Ej
		xor	eax, eax
		xchg	eax, [edi]

loc_8E6645:				; CODE XREF: MiContractWsSwapPageFile+14E282j
					; MiContractWsSwapPageFile+14E2A3j
		pop	edi
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR MiContractWsSwapPageFile
; 
; START	OF FUNCTION CHUNK FOR NtQuerySection

loc_8E6648:				; CODE XREF: NtQuerySection+44j
		mov	ecx, eax
		jmp	loc_798412
; END OF FUNCTION CHUNK	FOR NtQuerySection

;  S U B	R O U T	I N E 


sub_8E664F	proc near		; DATA XREF: .text:006A1F1Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E664F	endp


;  S U B	R O U T	I N E 


sub_8E665D	proc near		; DATA XREF: .text:006A1F20o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_798486
sub_8E665D	endp

; 
; START	OF FUNCTION CHUNK FOR NtQuerySection

loc_8E666F:				; CODE XREF: NtQuerySection+D8j
		cmp	edi, 2
		jz	loc_798427
		cmp	edi, 3
		jz	loc_798427
		mov	eax, 0C0000003h
		jmp	loc_798486
; 

loc_8E668B:				; CODE XREF: NtQuerySection+62j
		mov	eax, 0C0000004h
		jmp	loc_798486
; END OF FUNCTION CHUNK	FOR NtQuerySection

;  S U B	R O U T	I N E 


sub_8E6695	proc near		; DATA XREF: .text:006A1F28o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E6695	endp


;  S U B	R O U T	I N E 


sub_8E66A3	proc near		; DATA XREF: .text:006A1F2Co
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-28h]
		jmp	loc_798475
sub_8E66A3	endp

; 
; START	OF FUNCTION CHUNK FOR NtPulseEvent

loc_8E66AE:				; CODE XREF: NtPulseEvent+22j
		test	bl, bl
		jz	loc_7988AA
		mov	[ebp+ms_exc.disabled], esi
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jb	short loc_8E66C6
		mov	ecx, eax

loc_8E66C6:				; CODE XREF: NtPulseEvent+14DE40j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7988AA
; END OF FUNCTION CHUNK	FOR NtPulseEvent

;  S U B	R O U T	I N E 


sub_8E66D6	proc near		; DATA XREF: .text:006A1F64o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E66D6	endp


;  S U B	R O U T	I N E 


sub_8E66E4	proc near		; DATA XREF: .text:006A1F68o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7988F6
sub_8E66E4	endp

; 
; START	OF FUNCTION CHUNK FOR NtPulseEvent

loc_8E66F6:				; CODE XREF: NtPulseEvent+5Fj
		test	bl, bl
		jz	short loc_8E6718
		mov	[ebp+ms_exc.disabled], 1
		mov	[edi], esi
		jmp	short loc_8E6708
; END OF FUNCTION CHUNK	FOR NtPulseEvent

;  S U B	R O U T	I N E 


sub_8E6705	proc near		; DATA XREF: .text:006A1F74o
		mov	esp, [ebp-18h]
sub_8E6705	endp

; START	OF FUNCTION CHUNK FOR NtPulseEvent

loc_8E6708:				; CODE XREF: NtPulseEvent+14DE81j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7988E7
; END OF FUNCTION CHUNK	FOR NtPulseEvent

;  S U B	R O U T	I N E 


sub_8E6714	proc near		; DATA XREF: .text:006A1F70o
		xor	eax, eax
		inc	eax
		retn
sub_8E6714	endp

; 
; START	OF FUNCTION CHUNK FOR NtPulseEvent

loc_8E6718:				; CODE XREF: NtPulseEvent+14DE76j
		mov	[edi], esi
		jmp	loc_7988E7
; END OF FUNCTION CHUNK	FOR NtPulseEvent
; 
; START	OF FUNCTION CHUNK FOR IoCreateStreamFileObjectEx2

loc_8E671F:				; CODE XREF: IoCreateStreamFileObjectEx2+3Ej
		test	byte ptr [edi+2], 1
		jz	short loc_8E6732
		push	0C00000BBh
		jmp	short loc_8E672D
; 

loc_8E672C:				; CODE XREF: IoCreateStreamFileObjectEx2+14DA4Bj
		push	esi

loc_8E672D:				; CODE XREF: IoCreateStreamFileObjectEx2+14D9F4j
					; IoCreateStreamFileObjectEx2+14DA1Dj
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_8E6732:				; CODE XREF: IoCreateStreamFileObjectEx2+14D9EDj
		mov	eax, 0C00000BBh
		jmp	loc_798EC1
; 

loc_8E673C:				; CODE XREF: IoCreateStreamFileObjectEx2+56j
		mov	eax, [eax+4]
		mov	[esp+38h+var_24], eax
		jmp	loc_798DA1
; 

loc_8E6748:				; CODE XREF: IoCreateStreamFileObjectEx2+4Bj
					; IoCreateStreamFileObjectEx2+65j
		test	byte ptr [edi+2], 1
		jz	short loc_8E6755
		push	0C000000Dh
		jmp	short loc_8E672D
; 

loc_8E6755:				; CODE XREF: IoCreateStreamFileObjectEx2+14DA16j
		mov	eax, 0C000000Dh
		jmp	loc_798EC1
; 

loc_8E675F:				; CODE XREF: IoCreateStreamFileObjectEx2+CAj
		mov	ecx, [esp+38h+var_24]
		xor	dl, dl
		push	0
		call	IopDecrementDeviceObjectRef
		jmp	short loc_8E6777
; 

loc_8E676E:				; CODE XREF: IoCreateStreamFileObjectEx2+14DA7Fj
		mov	ecx, [esp+38h+var_28]
		call	ObfDereferenceObject

loc_8E6777:				; CODE XREF: IoCreateStreamFileObjectEx2+1B8j
					; IoCreateStreamFileObjectEx2+14DA36j ...
		test	byte ptr [edi+2], 1
		jz	loc_798EBF
		jmp	short loc_8E672C
; 

loc_8E6783:				; CODE XREF: IoCreateStreamFileObjectEx2+1BFj
		push	0
		push	[esp+3Ch+var_20]
		call	ObCloseHandle
		jmp	loc_798EAB
; 

loc_8E6793:				; CODE XREF: IoCreateStreamFileObjectEx2+17Aj
		mov	ecx, [esp+38h+var_28]
		xor	edx, edx
		push	eax		; int
		mov	[esp+3Ch+var_1C], eax
		inc	edx
		lea	eax, [esp+3Ch+var_1C]
		push	eax		; int
		push	1		; char
		push	10h		; size_t
		call	IopGetSetSpecificExtension
		mov	esi, eax
		test	esi, esi
		jns	short loc_8E67C5
		test	ebx, ebx
		jz	short loc_8E676E
		push	0
		push	dword ptr [ebx]
		call	ObCloseHandle
		and	dword ptr [ebx], 0
		jmp	short loc_8E6777
; 

loc_8E67C5:				; CODE XREF: IoCreateStreamFileObjectEx2+14DA7Bj
		mov	eax, [esp+38h+var_1C]
		mov	ecx, [edi+4]
		mov	[eax], ecx
		jmp	loc_798EB6
; END OF FUNCTION CHUNK	FOR IoCreateStreamFileObjectEx2
; 
; START	OF FUNCTION CHUNK FOR ExpQuerySystemPerformanceInformation

loc_8E67D3:				; CODE XREF: ExpQuerySystemPerformanceInformation+1FBj
		mov	[esp+1B8h+var_138], edx
		jmp	loc_799111
; 

loc_8E67DF:				; CODE XREF: ExpQuerySystemPerformanceInformation+3DAj
		mov	edx, eax
		jmp	loc_7992F0
; END OF FUNCTION CHUNK	FOR ExpQuerySystemPerformanceInformation
; 
; START	OF FUNCTION CHUNK FOR AlpcpAllocateCompletionPacketLookaside

loc_8E67E6:				; CODE XREF: AlpcpAllocateCompletionPacketLookaside+14D0CFj
					; AlpcpAllocateCompletionPacketLookaside+14D0ECj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E67EE:				; CODE XREF: AlpcpAllocateCompletionPacketLookaside+2Cj
		xor	eax, eax
		jmp	loc_7997AD
; 

loc_8E67F5:				; CODE XREF: AlpcpAllocateCompletionPacketLookaside+6Cj
		test	edi, edi
		jz	short loc_8E67E6
		imul	eax, edi, 0Ch
		lea	ebx, [esi+28h]
		add	ebx, eax

loc_8E6801:				; CODE XREF: AlpcpAllocateCompletionPacketLookaside+14D0EAj
		lea	ebx, [ebx-0Ch]
		mov	ecx, [ebx]
		and	dword ptr [ecx+1Ch], 0
		call	_IopFreeMiniCompletionPacket@4 ; IopFreeMiniCompletionPacket(x)
		sub	edi, 1
		jnz	short loc_8E6801
		jmp	short loc_8E67E6
; END OF FUNCTION CHUNK	FOR AlpcpAllocateCompletionPacketLookaside

;  S U B	R O U T	I N E 


sub_8E6816	proc near		; DATA XREF: .text:006A1FB4o
		xor	eax, eax
		inc	eax
		retn
sub_8E6816	endp


;  S U B	R O U T	I N E 


sub_8E681A	proc near		; DATA XREF: .text:006A1FB8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-20h]
		jmp	loc_79980B
sub_8E681A	endp

; 
; START	OF FUNCTION CHUNK FOR ObpCreateDirectoryObject

loc_8E682C:				; CODE XREF: ObpCreateDirectoryObject+26j
					; ObpCreateDirectoryObject+46j
		mov	esi, 0C00000F3h
		jmp	loc_799958
; 

loc_8E6836:				; CODE XREF: ObpCreateDirectoryObject+56j
		mov	ecx, eax
		jmp	loc_79991C
; END OF FUNCTION CHUNK	FOR ObpCreateDirectoryObject

;  S U B	R O U T	I N E 


sub_8E683D	proc near		; DATA XREF: .text:006A1FD4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E683D	endp


;  S U B	R O U T	I N E 


sub_8E684B	proc near		; DATA XREF: .text:006A1FD8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-34h]
		jmp	loc_7999F7
sub_8E684B	endp


;  S U B	R O U T	I N E 


sub_8E6856	proc near		; DATA XREF: .text:006A1FE0o
		xor	eax, eax
		inc	eax
		retn
sub_8E6856	endp


;  S U B	R O U T	I N E 


sub_8E685A	proc near		; DATA XREF: .text:006A1FE4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp+10h]
		jmp	loc_799958
sub_8E685A	endp

; 
; START	OF FUNCTION CHUNK FOR ObpCreateDirectoryObject

loc_8E686C:				; CODE XREF: ObpCreateDirectoryObject+9Dj
		call	ObfDereferenceObject
		jmp	loc_799963
; 

loc_8E6876:				; CODE XREF: ObpCreateDirectoryObject+A8j
		call	ObfDereferenceObject
		jmp	loc_79996E
; END OF FUNCTION CHUNK	FOR ObpCreateDirectoryObject
; 
; START	OF FUNCTION CHUNK FOR NtCreateTimer2

loc_8E6880:				; CODE XREF: NtCreateTimer2+20j
		mov	eax, 0C00000F2h
		jmp	loc_799B95
; 

loc_8E688A:				; CODE XREF: NtCreateTimer2+29j
		mov	eax, 0C00000F1h
		jmp	loc_799B95
; 

loc_8E6894:				; CODE XREF: NtCreateTimer2+67j
		mov	edx, eax
		jmp	loc_799B07
; END OF FUNCTION CHUNK	FOR NtCreateTimer2

;  S U B	R O U T	I N E 


sub_8E689B	proc near		; DATA XREF: .text:006A1FFCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E689B	endp


;  S U B	R O U T	I N E 


sub_8E68A9	proc near		; DATA XREF: .text:006A2000o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_799B95
sub_8E68A9	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateTimer2

loc_8E68BB:				; CODE XREF: NtCreateTimer2+53j
		test	ecx, ecx
		jz	loc_799B1A
		mov	eax, [ecx]
		mov	[ebp+arg_C], eax
		jmp	loc_799B1A
; END OF FUNCTION CHUNK	FOR NtCreateTimer2

;  S U B	R O U T	I N E 


sub_8E68CD	proc near		; DATA XREF: .text:006A2008o
		xor	eax, eax
		inc	eax
		retn
sub_8E68CD	endp


;  S U B	R O U T	I N E 


sub_8E68D1	proc near		; DATA XREF: .text:006A200Co
		mov	esp, [ebp-18h]
		jmp	loc_799B8B
sub_8E68D1	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateWorkerFactory

loc_8E68D9:				; CODE XREF: NtCreateWorkerFactory+3Aj
		mov	ecx, eax
		jmp	loc_799C36
; END OF FUNCTION CHUNK	FOR NtCreateWorkerFactory

;  S U B	R O U T	I N E 


sub_8E68E0	proc near		; DATA XREF: .text:006A2024o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E68E0	endp


;  S U B	R O U T	I N E 


sub_8E68EE	proc near		; DATA XREF: .text:006A2028o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-34h]
		jmp	loc_799E5E
sub_8E68EE	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateWorkerFactory

loc_8E6900:				; CODE XREF: NtCreateWorkerFactory+60j
		mov	edi, 0C0000017h
		jmp	short loc_8E6929
; 

loc_8E6907:				; CODE XREF: NtCreateWorkerFactory+E0j
		mov	edi, 0C000000Dh

loc_8E690C:				; CODE XREF: NtCreateWorkerFactory+105j
					; NtCreateWorkerFactory+14CD57j
		mov	edx, 66577845h
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObjectWithTag

loc_8E6919:				; CODE XREF: NtCreateWorkerFactory+C9j
		mov	ecx, [esi+4]
		call	ObfDereferenceObject

loc_8E6921:				; CODE XREF: NtCreateWorkerFactory+9Cj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E6929:				; CODE XREF: NtCreateWorkerFactory+14CD0Fj
		mov	eax, edi
		jmp	loc_799E5E
; 

loc_8E6930:				; CODE XREF: NtCreateWorkerFactory+11Bj
		mov	edi, 0C0000017h
		jmp	short loc_8E6943
; 

loc_8E6937:				; CODE XREF: NtCreateWorkerFactory+147j
		mov	ecx, [esi+8]
		and	dword ptr [ecx+1Ch], 0
		call	_IopFreeMiniCompletionPacket@4 ; IopFreeMiniCompletionPacket(x)

loc_8E6943:				; CODE XREF: NtCreateWorkerFactory+14CD3Fj
		push	0
		push	[ebp+var_24]
		call	ObCloseHandle
		jmp	short loc_8E690C
; 

loc_8E694F:				; CODE XREF: NtCreateWorkerFactory+17Ej
		mov	eax, 10000h
		jmp	loc_799D7A
; 

loc_8E6959:				; CODE XREF: NtCreateWorkerFactory+18Cj
		mov	eax, 1000h
		jmp	loc_799D88
; END OF FUNCTION CHUNK	FOR NtCreateWorkerFactory

;  S U B	R O U T	I N E 


sub_8E6963	proc near		; DATA XREF: .text:006A2030o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E6963	endp


;  S U B	R O U T	I N E 


sub_8E6969	proc near		; DATA XREF: .text:006A2034o
		mov	esp, [ebp-18h]
		jmp	loc_799E54
sub_8E6969	endp

; 
; START	OF FUNCTION CHUNK FOR MmCreateSection

loc_8E6971:				; CODE XREF: MmCreateSection+25j
		and	ecx, 0FFFFFFE0h
		mov	[esp+18h+var_4], edi
		dec	eax
		mov	[esp+18h+var_10], 2
		xor	edx, edx
		mov	[esp+18h+var_C], edi
		mov	[esp+18h+var_8], eax
		lea	esi, [esp+18h+var_10]
		inc	edx
		jmp	loc_799EA1
; END OF FUNCTION CHUNK	FOR MmCreateSection
; 
; START	OF FUNCTION CHUNK FOR AlpcpValidateConnectionMessage

loc_8E6995:				; CODE XREF: AlpcpValidateConnectionMessage+2Fj
		mov	ax, [edx+0A8h]
		sub	ax, di
		mov	[esi], ax
		jmp	loc_79A771
; END OF FUNCTION CHUNK	FOR AlpcpValidateConnectionMessage
; 
; START	OF FUNCTION CHUNK FOR AlpcpReleaseAttributes

loc_8E69A7:				; CODE XREF: AlpcpReleaseAttributes+23j
		cmp	ecx, 4
		jb	short loc_8E69B9
		test	cl, 2
		jz	short loc_8E69B9
		and	ecx, 0FFFFFFFCh
		call	ObfDereferenceObject

loc_8E69B9:				; CODE XREF: AlpcpReleaseAttributes+14C1D8j
					; AlpcpReleaseAttributes+14C1DDj
		mov	[esi+1Ch], edi
		jmp	loc_79A7FB
; END OF FUNCTION CHUNK	FOR AlpcpReleaseAttributes
; 
; START	OF FUNCTION CHUNK FOR AlpcpConnectPort

loc_8E69C1:				; CODE XREF: AlpcpConnectPort+C6j
		mov	ecx, eax
		jmp	loc_79A970
; 

loc_8E69C8:				; CODE XREF: AlpcpConnectPort+DDj
		mov	edx, eax
		jmp	loc_79A987
; END OF FUNCTION CHUNK	FOR AlpcpConnectPort

;  S U B	R O U T	I N E 


sub_8E69CF	proc near		; DATA XREF: .text:006A2078o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-7Ch]
		mov	[ebp-4Ch], eax
sub_8E69CF	endp

; START	OF FUNCTION CHUNK FOR AlpcpConnectPort

loc_8E69D8:				; CODE XREF: AlpcpConnectPort+10Dj
					; AlpcpConnectPort+256j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_79AA09
; END OF FUNCTION CHUNK	FOR AlpcpConnectPort

;  S U B	R O U T	I N E 


sub_8E69E4	proc near		; DATA XREF: .text:006A2074o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-7Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E69E4	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpConnectPort

loc_8E69F2:				; CODE XREF: AlpcpConnectPort+26Bj
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [esi+1Ch]
		mov	eax, [ebp+var_68]
		mov	[eax], ecx
		jmp	short loc_8E6A0A
; END OF FUNCTION CHUNK	FOR AlpcpConnectPort

;  S U B	R O U T	I N E 


sub_8E6A03	proc near		; DATA XREF: .text:006A2080o
		xor	eax, eax
		inc	eax
		retn
sub_8E6A03	endp


;  S U B	R O U T	I N E 


sub_8E6A07	proc near		; DATA XREF: .text:006A2084o
		mov	esp, [ebp-18h]
sub_8E6A07	endp

; START	OF FUNCTION CHUNK FOR AlpcpConnectPort

loc_8E6A0A:				; CODE XREF: AlpcpConnectPort+14C15Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_79AA8A
; END OF FUNCTION CHUNK	FOR AlpcpConnectPort

;  S U B	R O U T	I N E 


sub_8E6A16	proc near		; DATA XREF: .text:006A208Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A0h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E6A16	endp


;  S U B	R O U T	I N E 


sub_8E6A27	proc near		; DATA XREF: .text:006A2090o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-0A0h]
		mov	[ebp-4Ch], eax
		jmp	loc_79AA9F
sub_8E6A27	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpCreateClientPort

loc_8E6A38:				; CODE XREF: AlpcpCreateClientPort+6Aj
		mov	edi, 0C0000042h
		jmp	loc_79AE91
; 

loc_8E6A42:				; CODE XREF: AlpcpCreateClientPort+7Fj
		lea	edi, [ebx+0D0h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		and	dword ptr [ebx+0F4h], 0FFFFDFFFh
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8E6A6E
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8E6A6E:				; CODE XREF: AlpcpCreateClientPort+14BF37j
		mov	ecx, edi
		call	KeAbPostRelease
		jmp	loc_79ABB3
; 

loc_8E6A7A:				; CODE XREF: AlpcpCreateClientPort+172j
		mov	ebx, 0C0000017h

loc_8E6A7F:				; CODE XREF: AlpcpCreateClientPort+151j
		mov	ecx, [ebp+var_8]
		call	ObfDereferenceObject
		jmp	short loc_8E6A97
; 

loc_8E6A89:				; CODE XREF: AlpcpCreateClientPort+26Aj
		mov	ecx, ebx
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	loc_79AD9E
; 

loc_8E6A95:				; CODE XREF: AlpcpCreateClientPort+2CCj
		mov	ebx, ecx

loc_8E6A97:				; CODE XREF: AlpcpCreateClientPort+31Ej
					; AlpcpCreateClientPort+14BF59j
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, ebx
		jmp	loc_79AE15
; END OF FUNCTION CHUNK	FOR AlpcpCreateClientPort
; 
; START	OF FUNCTION CHUNK FOR SeCopyClientToken

loc_8E6AA5:				; CODE XREF: SeCopyClientToken+B8j
		call	ObfDereferenceObject
		mov	ecx, [esp+28h+var_1C]
		jmp	loc_79B0FD
; END OF FUNCTION CHUNK	FOR SeCopyClientToken
; 
; START	OF FUNCTION CHUNK FOR NtDuplicateToken

loc_8E6AB3:				; CODE XREF: NtDuplicateToken+AAj
		mov	ecx, eax
		jmp	loc_79B210
; 

loc_8E6ABA:				; CODE XREF: NtDuplicateToken+98j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		jmp	loc_79B348
; END OF FUNCTION CHUNK	FOR NtDuplicateToken

;  S U B	R O U T	I N E 


sub_8E6ACB	proc near		; DATA XREF: .text:006A20ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	eax, 1
		retn
sub_8E6ACB	endp


;  S U B	R O U T	I N E 


sub_8E6ADB	proc near		; DATA XREF: .text:006A20B0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-30h]
		jmp	loc_79B348
sub_8E6ADB	endp

; 
; START	OF FUNCTION CHUNK FOR NtDuplicateToken

loc_8E6AED:				; CODE XREF: NtDuplicateToken+2C5j
					; NtDuplicateToken+2D5j
		mov	eax, [ebp+var_38]
		or	eax, 2001Fh
		and	eax, esi
		mov	[ebp+arg_14], eax
		jmp	loc_79B3A0
; END OF FUNCTION CHUNK	FOR NtDuplicateToken

;  S U B	R O U T	I N E 


sub_8E6AFF	proc near		; DATA XREF: .text:006A20B8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		mov	eax, 1
		retn
sub_8E6AFF	endp


;  S U B	R O U T	I N E 


sub_8E6B0F	proc near		; DATA XREF: .text:006A20BCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-34h]
		jmp	loc_79B348
sub_8E6B0F	endp

; 
; START	OF FUNCTION CHUNK FOR RtlIsSandboxedToken

loc_8E6B21:				; CODE XREF: RtlIsSandboxedToken+71j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_8E6B2A
		mov	eax, [esi+8]

loc_8E6B2A:				; CODE XREF: RtlIsSandboxedToken+14B6E5j
		lea	ecx, [esp+28h+var_1C]
		push	ecx
		push	1Dh
		push	eax
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		test	eax, eax
		js	loc_79B4B9
		cmp	[esp+28h+var_1C], 0
		jnz	loc_79B4B9
		jmp	loc_79B4B7
; END OF FUNCTION CHUNK	FOR RtlIsSandboxedToken
; 

loc_8E6B4F:				; CODE XREF: PAGE:0079B536j
		mov	edx, eax
		jmp	loc_79B53C
; 

loc_8E6B56:				; CODE XREF: PAGE:0079B559j
		mov	eax, ecx
		jmp	loc_79B55F
; 

loc_8E6B5D:				; CODE XREF: PAGE:0079B56Fj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_79B5CD
; 

loc_8E6B69:				; DATA XREF: .text:006A20F4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8E6B77:				; DATA XREF: .text:006A20F8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_79B59F
; 
; START	OF FUNCTION CHUNK FOR AlpcpProcessConnectionRequest

loc_8E6B89:				; CODE XREF: AlpcpProcessConnectionRequest+38j
		mov	eax, 0C000000Dh
		jmp	loc_79BA1E
; 

loc_8E6B93:				; CODE XREF: AlpcpProcessConnectionRequest+1D6j
		mov	[eax], cl
		jmp	loc_79BA46
; 

loc_8E6B9A:				; CODE XREF: AlpcpProcessConnectionRequest+1EFj
		mov	esi, eax
		jmp	loc_79BA5F
; 

loc_8E6BA1:				; CODE XREF: AlpcpProcessConnectionRequest+20Cj
		mov	ecx, eax
		jmp	loc_79BA7C
; 

loc_8E6BA8:				; CODE XREF: AlpcpProcessConnectionRequest+221j
		mov	ecx, eax
		jmp	loc_79BA91
; 

loc_8E6BAF:				; CODE XREF: AlpcpProcessConnectionRequest+28Dj
		mov	ecx, eax
		jmp	loc_79BAFD
; END OF FUNCTION CHUNK	FOR AlpcpProcessConnectionRequest

;  S U B	R O U T	I N E 


sub_8E6BB6	proc near		; DATA XREF: .text:006A2114o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E6BB6	endp


;  S U B	R O U T	I N E 


sub_8E6BC4	proc near		; DATA XREF: .text:006A2118o

; FUNCTION CHUNK AT 008E6C6E SIZE 0000000F BYTES

		mov	eax, [ebp-30h]
		jmp	loc_8E6C6E
sub_8E6BC4	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpProcessConnectionRequest

loc_8E6BCC:				; CODE XREF: AlpcpProcessConnectionRequest+D0j
		mov	ecx, esi
		call	_AlpcpLogConnectRequest@4 ; AlpcpLogConnectRequest(x)
		jmp	loc_79B940
; 

loc_8E6BD8:				; CODE XREF: AlpcpProcessConnectionRequest+F2j
		cmp	_AlpcpLogEnabled, 0
		jz	short loc_8E6BEB
		mov	edx, eax
		mov	ecx, [ebp+arg_0]
		call	_AlpcpLogConnectFail@8 ; AlpcpLogConnectFail(x,x)

loc_8E6BEB:				; CODE XREF: AlpcpProcessConnectionRequest+14B375j
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_8E6BFB
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_8E6BFB:				; CODE XREF: AlpcpProcessConnectionRequest+14B388j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	eax, dword ptr [ebp+arg_14]
		jmp	loc_79BA1E
; 

loc_8E6C0A:				; CODE XREF: AlpcpProcessConnectionRequest+2B1j
		mov	edx, eax
		mov	ecx, [ebp+arg_0]
		call	_AlpcpLogConnectFail@8 ; AlpcpLogConnectFail(x,x)
		mov	eax, dword ptr [ebp+arg_14]
		jmp	loc_79BB21
; 

loc_8E6C1C:				; CODE XREF: AlpcpProcessConnectionRequest+146j
		mov	ecx, [ebp+arg_0]
		call	_AlpcpLogConnectSuccess@4 ; AlpcpLogConnectSuccess(x)
		jmp	loc_79B9B6
; 

loc_8E6C29:				; CODE XREF: AlpcpProcessConnectionRequest+239j
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_8E6C39
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_8E6C39:				; CODE XREF: AlpcpProcessConnectionRequest+14B3C6j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+arg_0]
		mov	[edi], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000023h
		jmp	loc_79BA1E
; END OF FUNCTION CHUNK	FOR AlpcpProcessConnectionRequest

;  S U B	R O U T	I N E 


sub_8E6C5D	proc near		; DATA XREF: .text:006A2120o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E6C5D	endp


;  S U B	R O U T	I N E 


sub_8E6C6B	proc near		; DATA XREF: .text:006A2124o
		mov	eax, [ebp-34h]
sub_8E6C6B	endp

; START	OF FUNCTION CHUNK FOR sub_8E6BC4

loc_8E6C6E:				; CODE XREF: sub_8E6BC4+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_79BA1E
; END OF FUNCTION CHUNK	FOR sub_8E6BC4
; 
; START	OF FUNCTION CHUNK FOR AlpcpProcessConnectionRequest

loc_8E6C7D:				; CODE XREF: AlpcpProcessConnectionRequest+25Bj
		mov	eax, 0FFFFC00Fh
		and	[ebx+4], ax
		jmp	loc_79BACB
; END OF FUNCTION CHUNK	FOR AlpcpProcessConnectionRequest

;  S U B	R O U T	I N E 


sub_8E6C8B	proc near		; DATA XREF: .text:006A212Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E6C8B	endp


;  S U B	R O U T	I N E 


sub_8E6C99	proc near		; DATA XREF: .text:006A2130o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-38h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_79BA05
sub_8E6C99	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpProcessConnectionRequest

loc_8E6CAB:				; CODE XREF: AlpcpProcessConnectionRequest+1A5j
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	loc_79BA15
; END OF FUNCTION CHUNK	FOR AlpcpProcessConnectionRequest
; 
; START	OF FUNCTION CHUNK FOR AlpcpDispatchConnectionRequest

loc_8E6CB7:				; CODE XREF: AlpcpDispatchConnectionRequest+77j
		push	11h
		pop	esi
		xor	ecx, ecx
		mov	eax, esi
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		jz	short loc_8E6CCD
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8E6CCD:				; CODE XREF: AlpcpDispatchConnectionRequest+14B142j
		mov	ecx, edi
		call	KeAbPostRelease
		xor	ecx, ecx
		mov	eax, esi
		lock cmpxchg [ebx], ecx
		cmp	eax, esi
		jz	short loc_8E6CE7
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8E6CE7:				; CODE XREF: AlpcpDispatchConnectionRequest+14B15Cj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	esi, 0C0000037h
		jmp	loc_8E6DF8
; 

loc_8E6CF8:				; CODE XREF: AlpcpDispatchConnectionRequest+8Cj
		mov	eax, [ecx+4]
		test	dword ptr [eax+14h], 200h
		jnz	loc_79BC14
		mov	ecx, [edx+0Ch]
		mov	eax, ecx
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, ecx
		jz	loc_79BC14
		push	eax
		call	_PsGetProcessJob@4 ; PsGetProcessJob(x)
		test	eax, eax
		jz	short loc_8E6D76
		mov	ecx, eax
		call	_PsGetJobEffectiveFreezeCount@4	; PsGetJobEffectiveFreezeCount(x)
		test	eax, eax
		jz	short loc_8E6D76
		push	11h
		pop	esi
		xor	ecx, ecx
		mov	eax, esi
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		jz	short loc_8E6D4B
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8E6D4B:				; CODE XREF: AlpcpDispatchConnectionRequest+14B1C0j
		mov	ecx, edi
		call	KeAbPostRelease
		xor	ecx, ecx
		mov	eax, esi
		lock cmpxchg [ebx], ecx
		cmp	eax, esi
		jz	short loc_8E6D65
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8E6D65:				; CODE XREF: AlpcpDispatchConnectionRequest+14B1DAj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	esi, 0C0000036h
		jmp	loc_8E6DF8
; 

loc_8E6D76:				; CODE XREF: AlpcpDispatchConnectionRequest+14B1A6j
					; AlpcpDispatchConnectionRequest+14B1B1j
		mov	edx, [ebp+var_4]
		jmp	loc_79BC14
; 

loc_8E6D7E:				; CODE XREF: AlpcpDispatchConnectionRequest+9Fj
		push	11h
		pop	esi
		xor	ecx, ecx
		mov	eax, esi
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		jz	short loc_8E6D94
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8E6D94:				; CODE XREF: AlpcpDispatchConnectionRequest+14B209j
		mov	ecx, edi
		call	KeAbPostRelease
		xor	ecx, ecx
		mov	eax, esi
		lock cmpxchg [ebx], ecx
		cmp	eax, esi
		jz	short loc_8E6DAE
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8E6DAE:				; CODE XREF: AlpcpDispatchConnectionRequest+14B223j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	esi, 0C0000023h
		jmp	short loc_8E6DF8
; 

loc_8E6DBC:				; CODE XREF: AlpcpDispatchConnectionRequest+BEj
		push	11h
		pop	esi
		xor	ecx, ecx
		mov	eax, esi
		lock cmpxchg [edi], ecx
		cmp	eax, esi
		jz	short loc_8E6DD2
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8E6DD2:				; CODE XREF: AlpcpDispatchConnectionRequest+14B247j
		mov	ecx, edi
		call	KeAbPostRelease
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [ebx], edx
		cmp	eax, esi
		jz	short loc_8E6DEC
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8E6DEC:				; CODE XREF: AlpcpDispatchConnectionRequest+14B261j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	esi, 0C0000001h

loc_8E6DF8:				; CODE XREF: AlpcpDispatchConnectionRequest+14B171j
					; AlpcpDispatchConnectionRequest+14B1EFj ...
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject
		mov	eax, esi
		jmp	loc_79BCAA
; 

loc_8E6E07:				; CODE XREF: AlpcpDispatchConnectionRequest+3Fj
					; AlpcpDispatchConnectionRequest+58j
		push	11h
		pop	esi
		xor	edx, edx
		mov	eax, esi
		lock cmpxchg [edi], edx
		cmp	eax, esi
		jz	short loc_8E6E1D
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8E6E1D:				; CODE XREF: AlpcpDispatchConnectionRequest+14B292j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, 0C0000037h
		jmp	loc_79BCAA
; END OF FUNCTION CHUNK	FOR AlpcpDispatchConnectionRequest
; 
; START	OF FUNCTION CHUNK FOR AlpcpFormatConnectionRequest

loc_8E6E2E:				; CODE XREF: AlpcpFormatConnectionRequest+5Aj
					; AlpcpFormatConnectionRequest+112j
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_8E6E3E
		mov	ecx, edi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_8E6E3E:				; CODE XREF: AlpcpFormatConnectionRequest+14B185j
		mov	ecx, edi
		call	AlpcpUnlockBlob
		jmp	loc_79BD88
; END OF FUNCTION CHUNK	FOR AlpcpFormatConnectionRequest
; 
; START	OF FUNCTION CHUNK FOR AlpcpCheckConnectionSecurity

loc_8E6E4A:				; CODE XREF: AlpcpCheckConnectionSecurity+6Dj
		mov	eax, 0C00002A0h
		mov	[esp+80h+var_70], eax
		jmp	loc_79BE9F
; 

loc_8E6E58:				; CODE XREF: AlpcpCheckConnectionSecurity+ACj
		mov	esi, 0C00002A0h
		mov	[esp+80h+var_70], esi
		jmp	loc_79BEDE
; END OF FUNCTION CHUNK	FOR AlpcpCheckConnectionSecurity
; 
; START	OF FUNCTION CHUNK FOR SepNewTokenAsRestrictedAsProcessToken

loc_8E6E66:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+3Ej
		push	edi
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		test	al, al
		jz	loc_79C0D4
		jmp	loc_79BFD6
; 

loc_8E6E79:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+4Cj
		push	edi
		call	_SeTokenIsWriteRestricted@4 ; SeTokenIsWriteRestricted(x)
		test	al, al
		jz	loc_79C0D4
		jmp	loc_79BFE4
; 

loc_8E6E8C:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+5Aj
		mov	eax, [esi+80h]
		cmp	eax, [edi+80h]
		jb	loc_79C0D4
		jmp	loc_79BFF2
; 

loc_8E6EA3:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+ADj
		mov	ecx, [edi+80h]
		xor	ebx, ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jz	loc_79C045
		mov	edx, [esi+80h]
		mov	[ebp+var_8], edx

loc_8E6EC2:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+14AF8Bj
		xor	eax, eax
		mov	[ebp+var_4], eax
		test	edx, edx
		jz	short loc_8E6F0F
		mov	eax, [edi+98h]
		mov	edi, [ebp+var_4]
		mov	eax, [eax+ebx*8]
		mov	ebx, [esi+98h]
		mov	esi, [ebp+var_8]
		mov	[ebp+var_10], eax

loc_8E6EE3:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+14AF66j
		push	dword ptr [ebx]
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_8E6EFA
		mov	eax, [ebp+var_10]
		inc	edi
		add	ebx, 8
		cmp	edi, esi
		jb	short loc_8E6EE3

loc_8E6EFA:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+14AF5Bj
		mov	esi, [ebp+var_14]
		mov	ebx, [ebp+var_C]
		mov	ecx, [ebp+var_1C]
		mov	edx, [ebp+var_8]
		mov	[ebp+var_4], edi
		mov	edi, [ebp+var_18]
		mov	eax, [ebp+var_4]

loc_8E6F0F:				; CODE XREF: SepNewTokenAsRestrictedAsProcessToken+14AF37j
		cmp	eax, edx
		jz	loc_79C0D4
		inc	ebx
		mov	[ebp+var_C], ebx
		cmp	ebx, ecx
		jb	short loc_8E6EC2
		jmp	loc_79C045
; END OF FUNCTION CHUNK	FOR SepNewTokenAsRestrictedAsProcessToken
; 
; START	OF FUNCTION CHUNK FOR AlpcpProbeMessageAttributes

loc_8E6F24:				; CODE XREF: AlpcpProbeMessageAttributes+21j
		test	esi, 0A0000000h
		jnz	loc_79C1D5
		test	ecx, ecx
		jz	loc_79C202
		mov	eax, edx
		and	eax, 3
		cmp	ecx, 10000h
		jnb	short loc_8E6F60
		test	eax, eax
		jnz	loc_79C212
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_8E6F58
		mov	edx, eax

loc_8E6F58:				; CODE XREF: AlpcpProbeMessageAttributes+14ADA6j
		nop
		mov	al, [edx]
		jmp	loc_79C202
; 

loc_8E6F60:				; CODE XREF: AlpcpProbeMessageAttributes+14AD95j
		test	eax, eax
		jnz	loc_79C212
		mov	eax, ds:_MmUserProbeAddress
		add	ecx, edx
		cmp	ecx, eax
		ja	short loc_8E6F7B
		cmp	ecx, edx
		jnb	loc_79C202

loc_8E6F7B:				; CODE XREF: AlpcpProbeMessageAttributes+14ADC3j
		mov	byte ptr [eax],	0
		jmp	loc_79C202
; END OF FUNCTION CHUNK	FOR AlpcpProbeMessageAttributes
; 
; START	OF FUNCTION CHUNK FOR ObReferenceObjectByNameEx

loc_8E6F83:				; CODE XREF: ObReferenceObjectByNameEx+157j
		push	esi
		call	_ObDereferenceObject@4 ; ObDereferenceObject(x)
		mov	[esp+50h+var_44], 0C000000Dh
		jmp	loc_79C4A0
; 

loc_8E6F96:				; CODE XREF: ObReferenceObjectByNameEx+1C2j
		movzx	eax, byte ptr [edi+7Ch]
		push	1
		push	eax
		push	ecx
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		and	dword ptr [edi+8Ch], 0
		jmp	loc_79C4C2
; 

loc_8E6FAF:				; CODE XREF: ObReferenceObjectByNameEx+2Fj
					; ObReferenceObjectByNameEx+38j
		mov	eax, 0C000000Dh
		jmp	loc_79C4F7
; END OF FUNCTION CHUNK	FOR ObReferenceObjectByNameEx
; 
; START	OF FUNCTION CHUNK FOR ObpAdjustAccessMask

loc_8E6FB9:				; CODE XREF: ObpAdjustAccessMask+Bj
		push	esi
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jnz	short loc_8E6FCD
		mov	eax, 0C0000079h
		jmp	loc_79C581
; 

loc_8E6FCD:				; CODE XREF: ObpAdjustAccessMask+14AA53j
		test	byte ptr [esi+2], 10h
		jz	loc_79C57F
		test	dword ptr [edi+14h], 1000000h
		jnz	loc_79C57F
		mov	ecx, esi
		call	SeObjectCreateSaclAccessBits
		or	[edi+10h], eax
		jmp	loc_79C57F
; END OF FUNCTION CHUNK	FOR ObpAdjustAccessMask
; 
; START	OF FUNCTION CHUNK FOR SeTokenIsAdmin

loc_8E6FF3:				; CODE XREF: SeTokenIsAdmin+44j
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	1
		push	eax
		push	edi
		mov	ecx, esi
		call	_SepSidInToken@28 ; SepSidInToken(x,x,x,x,x,x,x)
		mov	bl, al
		jmp	loc_79C5D4
; END OF FUNCTION CHUNK	FOR SeTokenIsAdmin
; 
; START	OF FUNCTION CHUNK FOR ObpCheckObjectReference

loc_8E700B:				; CODE XREF: ObpCheckObjectReference+52j
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		xor	al, al
		jmp	loc_79C6B1
; END OF FUNCTION CHUNK	FOR ObpCheckObjectReference
; 
; START	OF FUNCTION CHUNK FOR SeObjectReferenceAuditAlarm

loc_8E7017:				; CODE XREF: SeObjectReferenceAuditAlarm+3Dj
		mov	ecx, [edi]
		mov	dword ptr [ebp+arg_14],	ecx
		test	ecx, ecx
		jnz	short loc_8E7026
		mov	eax, [edi+8]
		mov	dword ptr [ebp+arg_14],	eax

loc_8E7026:				; CODE XREF: SeObjectReferenceAuditAlarm+14A966j
		movzx	eax, word ptr [esi+2]
		mov	ecx, eax
		mov	[ebp+arg_0], ecx
		test	al, 10h
		jnz	short loc_8E7039
		mov	edx, ebx
		mov	ecx, ebx
		jmp	short loc_8E705B
; 

loc_8E7039:				; CODE XREF: SeObjectReferenceAuditAlarm+14A979j
		test	cx, cx
		mov	ecx, [esi+0Ch]
		mov	edx, ecx
		jns	short loc_8E704C
		neg	edx
		lea	eax, [ecx+esi]
		sbb	edx, edx
		and	edx, eax

loc_8E704C:				; CODE XREF: SeObjectReferenceAuditAlarm+14A989j
		cmp	word ptr [ebp+arg_0], bx
		jge	short loc_8E705B
		lea	eax, [ecx+esi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_8E705B:				; CODE XREF: SeObjectReferenceAuditAlarm+14A97Fj
					; SeObjectReferenceAuditAlarm+14A998j
		lea	eax, [ebp+var_2]
		push	eax
		lea	eax, [ebp-1]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		push	dword ptr [ebp+arg_14]
		push	edx
		push	ecx
		call	_SeExamineSacl@28 ; SeExamineSacl(x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		lea	eax, [ecx-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [ecx-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		mov	edx, [edi]
		mov	dword ptr [ebp+arg_14],	eax
		test	edx, edx
		jnz	short loc_8E70A1
		mov	edx, [edi+8]

loc_8E70A1:				; CODE XREF: SeObjectReferenceAuditAlarm+14A9E4j
		movzx	eax, word ptr [esi+2]
		mov	ecx, eax
		test	al, 10h
		jz	short loc_8E70BC
		mov	ebx, [esi+0Ch]
		test	cx, cx
		jns	short loc_8E70BC
		lea	eax, [ebx+esi]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax

loc_8E70BC:				; CODE XREF: SeObjectReferenceAuditAlarm+14A9F1j
					; SeObjectReferenceAuditAlarm+14A9F9j
		mov	ecx, dword ptr [ebp+arg_14]
		lea	eax, [ebp+var_2]
		push	eax
		lea	eax, [ebp+var_2+1]
		add	ecx, 8
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		push	edx
		mov	edx, ebx
		call	_SeExamineGlobalSacl@28	; SeExamineGlobalSacl(x,x,x,x,x,x,x)
		cmp	byte ptr [ebp+var_2+1],	0
		jnz	short loc_8E70E8
		cmp	byte ptr [ebp+var_2], 0
		jz	loc_79C6D3

loc_8E70E8:				; CODE XREF: SeObjectReferenceAuditAlarm+14AA24j
		push	[ebp+arg_10]
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		push	[ebp+arg_8]
		call	_SepAdtObjectReferenceAuditAlarm@16 ; SepAdtObjectReferenceAuditAlarm(x,x,x,x)
		jmp	loc_79C6D3
; END OF FUNCTION CHUNK	FOR SeObjectReferenceAuditAlarm
; 
; START	OF FUNCTION CHUNK FOR NtPrivilegeCheck

loc_8E70FD:				; CODE XREF: NtPrivilegeCheck+62j
		mov	esi, 0C00000A5h

loc_8E7102:				; CODE XREF: NtPrivilegeCheck+171j
		call	ObfDereferenceObject
		mov	eax, esi
		jmp	loc_79C8CD
; 

loc_8E710E:				; CODE XREF: NtPrivilegeCheck+7Ej
		mov	byte ptr [eax],	0
		jmp	loc_79C7FA
; 

loc_8E7116:				; CODE XREF: NtPrivilegeCheck+A3j
		mov	esi, 0C000000Dh
		mov	[ebp+var_2C], esi
		jmp	loc_79C851
; 

loc_8E7123:				; CODE XREF: NtPrivilegeCheck+C8j
		mov	ecx, eax
		jmp	loc_79C844
; END OF FUNCTION CHUNK	FOR NtPrivilegeCheck

;  S U B	R O U T	I N E 


sub_8E712A	proc near		; DATA XREF: .text:006A216Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E712A	endp


;  S U B	R O U T	I N E 


sub_8E7138	proc near		; DATA XREF: .text:006A2170o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-38h]
		mov	[ebp-2Ch], esi
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		mov	ebx, [ebp+0Ch]
		jmp	loc_79C857
sub_8E7138	endp


;  S U B	R O U T	I N E 


sub_8E714F	proc near		; DATA XREF: .text:006A2178o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E714F	endp


;  S U B	R O U T	I N E 


sub_8E715D	proc near		; DATA XREF: .text:006A217Co
		mov	esp, [ebp-18h]
		push	ecx
		mov	dl, [ebp-28h]
		mov	ecx, [ebp-20h]
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3Ch]
		jmp	loc_79C8CD
sub_8E715D	endp

; 

loc_8E717B:				; CODE XREF: PAGE:0079C91Ej
		mov	eax, 0C000000Dh
		jmp	loc_79CAFA
; 

loc_8E7185:				; CODE XREF: PAGE:0079C957j
		mov	edx, eax
		jmp	loc_79C95D
; 

loc_8E718C:				; CODE XREF: PAGE:0079C97Bj
					; PAGE:0079C983j
		mov	byte ptr [eax],	0
		jmp	loc_79C989
; 

loc_8E7194:				; CODE XREF: PAGE:0079C9A5j
		mov	ecx, eax
		jmp	loc_79C9AB
; 

loc_8E719B:				; DATA XREF: .text:006A2194o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8E71A9:				; DATA XREF: .text:006A2198o
		mov	eax, [ebp-3Ch]
		jmp	short loc_8E71BF
; 

loc_8E71AE:				; DATA XREF: .text:006A21A0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8E71BC:				; DATA XREF: .text:006A21A4o
		mov	eax, [ebp-44h]

loc_8E71BF:				; CODE XREF: PAGE:008E71ACj
		mov	esp, [ebp-18h]
		jmp	short loc_8E7222
; 

loc_8E71C4:				; CODE XREF: PAGE:0079CA18j
		mov	ecx, [ebp-20h]
		test	ecx, ecx
		jz	short loc_8E71D4
		push	ecx
		mov	dl, [ebp+13h]
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_8E71D4:				; CODE XREF: PAGE:008E71C9j
		mov	eax, ebx
		jmp	loc_79CAFA
; 

loc_8E71DB:				; DATA XREF: .text:006A21ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		xor	eax, eax
		inc	eax
		retn
; 
byte_8E71E9	db 8Bh,	65h, 0E8h	; DATA XREF: .text:006A21B0o
		dd 0B46583h, 458DC933h,	809F0B4h, 8BD4758Bh, 6DE8304Eh
		dd 0E8FFC37Ch, 0FFC38238h, 41E8CE8Bh, 8BFFC385h, 0C985E04Dh
		dd 8A510974h, 93E8D055h, 8BFFEB5Fh
		db 45h,	0B0h
; 

loc_8E7222:				; CODE XREF: PAGE:008E71C2j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_79CAFA
; 

loc_8E722E:				; CODE XREF: PAGE:0079CA78j
		and	dword ptr [ebp-54h], 0
		xor	ecx, ecx
		lea	eax, [ebp-54h]
		lock or	[eax], ecx
		mov	ecx, [ebx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, ebx
		call	ObfDereferenceObject
		cmp	dword ptr [ebp-20h], 0
		jz	short loc_8E7260
		push	ecx
		mov	dl, [ebp+13h]
		mov	ecx, [ebp-20h]
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_8E7260:				; CODE XREF: PAGE:008E7252j
		mov	eax, 0C0000023h
		jmp	loc_79CAFA
; 

loc_8E726A:				; DATA XREF: .text:006A21B8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-60h], eax
		xor	eax, eax
		inc	eax
		retn
; 
dword_8E7278	dd 8BE8658Bh, 4E8DD475h, 2080E834h, 6583FFBFh, 0C93300A4h
					; DATA XREF: .text:006A21BCo
		dd 0F0A4458Dh, 4E8B0809h, 7BD6E830h, 0A1E8FFC3h, 8BFFC381h
		dd 84AAE8CEh, 4D8BFFC3h, 74C985E0h, 558A5109h, 5EFCE8D0h
		dd 45C7FFEBh, 0FFFFFEFCh, 0A0458BFFh, 0EB5835E9h
		db 0FFh
; 
; START	OF FUNCTION CHUNK FOR SepAdjustPrivileges

loc_8E72C5:				; CODE XREF: SepAdjustPrivileges+116j
		xor	esi, esi
		lea	eax, [ebp+var_1BC]
		mov	[ebp+var_374], esi
		mov	[ebp+var_390], eax

loc_8E72D9:				; CODE XREF: SepAdjustPrivileges+14A8B2j
		mov	eax, 1
		xor	edx, edx
		mov	ecx, esi
		call	__allshl
		mov	ecx, [ebx+4Ch]
		mov	edi, eax
		mov	eax, [ebx+48h]
		mov	esi, eax
		mov	[ebp+var_3AC], ecx
		and	esi, edi
		and	ecx, edx
		mov	[ebp+var_3A8], edx
		or	esi, ecx
		mov	[ebp+var_3B0], eax
		mov	cl, [ebp+var_36D]
		jz	loc_8E73E2
		test	cl, cl
		jz	loc_8E73D2
		mov	edx, [ebp+var_374]
		mov	ecx, ebx
		call	_SepTokenPrivilegeAttributes@8 ; SepTokenPrivilegeAttributes(x,x)
		inc	[ebp+var_398]
		mov	ecx, eax
		mov	eax, [ebp+var_374]
		cdq
		mov	[ebp+var_3B4], eax
		mov	eax, [ebp+var_390]
		mov	[ebp+var_38C], edx
		mov	edx, [ebp+var_3B4]
		mov	esi, [ebp+var_38C]
		mov	[eax], edx
		mov	[eax+4], esi
		mov	esi, [ebp+var_374]
		mov	[eax+8], ecx
		add	eax, 0Ch
		cmp	[ebp+var_380], 0
		mov	[ebp+var_390], eax
		jz	short loc_8E73AA
		mov	eax, [ebp+var_388]
		mov	esi, [ebp+var_380]
		mov	eax, [eax]
		lea	eax, [eax+eax*2]
		mov	[esi+eax*4+4], edx
		mov	edx, [ebp+var_38C]
		mov	[esi+eax*4+8], edx
		mov	edx, esi
		mov	esi, [ebp+var_374]
		mov	[edx+eax*4+0Ch], ecx
		mov	ecx, [ebx+48h]
		mov	edx, [ebx+4Ch]
		jmp	short loc_8E73B6
; 

loc_8E73AA:				; CODE XREF: SepAdjustPrivileges+14A835j
		mov	ecx, [ebp+var_3B0]
		mov	edx, [ebp+var_3AC]

loc_8E73B6:				; CODE XREF: SepAdjustPrivileges+14A868j
		mov	eax, [ebp+var_3A8]
		not	edi
		and	edi, ecx
		not	eax
		mov	cl, [ebp+var_36D]
		and	eax, edx
		mov	[ebx+48h], edi
		mov	[ebx+4Ch], eax
		jmp	short loc_8E73D8
; 

loc_8E73D2:				; CODE XREF: SepAdjustPrivileges+14A7D7j
		mov	esi, [ebp+var_374]

loc_8E73D8:				; CODE XREF: SepAdjustPrivileges+14A890j
		mov	eax, [ebp+var_388]
		inc	dword ptr [eax]
		jmp	short loc_8E73E8
; 

loc_8E73E2:				; CODE XREF: SepAdjustPrivileges+14A7CFj
		mov	esi, [ebp+var_374]

loc_8E73E8:				; CODE XREF: SepAdjustPrivileges+14A8A0j
		inc	esi
		mov	[ebp+var_374], esi
		cmp	esi, 24h
		jbe	loc_8E72D9
		jmp	loc_79CE7F
; 

loc_8E73FD:				; CODE XREF: SepAdjustPrivileges+599j
		and	eax, 800000h
		or	eax, edx
		jz	loc_79D0EC
		jmp	loc_79CFC5
; 

loc_8E740F:				; CODE XREF: SepAdjustPrivileges+398j
		mov	byte ptr [ebp+var_39C],	0
		jmp	loc_79CEE5
; END OF FUNCTION CHUNK	FOR SepAdjustPrivileges
; 
; START	OF FUNCTION CHUNK FOR SeCaptureLuidAndAttributesArray

loc_8E741B:				; CODE XREF: SeCaptureLuidAndAttributesArray+19j
		mov	eax, 0C000000Dh
		jmp	loc_79D180
; END OF FUNCTION CHUNK	FOR SeCaptureLuidAndAttributesArray

;  S U B	R O U T	I N E 


sub_8E7425	proc near		; DATA XREF: .text:006A21D4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E7425	endp


;  S U B	R O U T	I N E 


sub_8E7433	proc near		; DATA XREF: .text:006A21D8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_79D180
sub_8E7433	endp


;  S U B	R O U T	I N E 


sub_8E7445	proc near		; DATA XREF: .text:006A21E0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E7445	endp


;  S U B	R O U T	I N E 


sub_8E7453	proc near		; DATA XREF: .text:006A21E4o
		mov	esp, [ebp-18h]
		push	0
		mov	esi, [ebp+1Ch]
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_79D180
sub_8E7453	endp

; 
; START	OF FUNCTION CHUNK FOR SepAccessCheckAndAuditAlarmWithAdminlessChecks

loc_8E7474:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+29Aj
		cmp	eax, 1
		jnz	loc_8E82A9
		mov	[ebp+var_120], 7
		jmp	loc_79D4BA
; 

loc_8E748C:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+2BCj
		mov	edi, 0C000005Ch
		jmp	loc_8E82AE
; 

loc_8E7496:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+2C9j
		mov	edi, 0C00000A5h
		jmp	loc_8E82AE
; 

loc_8E74A0:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+2DAj
		mov	eax, [ebp+var_64]
		test	eax, eax
		jnz	short loc_8E74B4
		mov	edi, 0C000000Dh
		mov	[ebp+var_5C], edi
		jmp	loc_79D55F
; 

loc_8E74B4:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A295j
		cmp	eax, 1000h
		jbe	short loc_8E74C8
		mov	edi, 0C000000Dh
		mov	[ebp+var_5C], edi
		jmp	loc_79D55F
; 

loc_8E74C8:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A2A9j
		lea	esi, ds:0[eax*4]
		push	4
		push	esi
		push	[ebp+var_E0]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	4
		push	esi
		mov	edx, [ebp+var_E4]
		push	edx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		jmp	loc_79D51E
; 

loc_8E74F1:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+2EDj
		mov	ecx, eax
		jmp	loc_79D503
; 

loc_8E74F8:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+304j
		mov	ecx, eax
		jmp	loc_79D51A
; 

loc_8E74FF:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+320j
		mov	ecx, eax
		jmp	loc_79D536
; END OF FUNCTION CHUNK	FOR SepAccessCheckAndAuditAlarmWithAdminlessChecks

;  S U B	R O U T	I N E 


sub_8E7506	proc near		; DATA XREF: .text:006A21FCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-150h], eax
		mov	eax, 1
		retn
sub_8E7506	endp


;  S U B	R O U T	I N E 


sub_8E7519	proc near		; DATA XREF: .text:006A2200o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-150h]
		mov	[ebp-5Ch], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-0C8h]
		mov	[ebp-0A8h], esi
		mov	eax, [ebp-13Ch]
		mov	[ebp-0D8h], eax
		mov	[ebp-0ECh], eax
		mov	[ebp-5Dh], al
		mov	[ebp-4Eh], al
		mov	[ebp-4Fh], al
		mov	eax, [ebp-108h]
		mov	[ebp-0D4h], eax
		mov	[ebp-55h], al
		mov	[ebp-4Dh], al
		mov	eax, [ebp-0A4h]
		mov	[ebp-7Ch], eax
		mov	[ebp-69h], al
		mov	eax, [ebp-154h]
		mov	[ebp-134h], eax
		mov	ecx, [ebp-158h]
		mov	al, [ebp-0B0h]
		mov	[ebp-56h], al
		jmp	loc_79D56F
sub_8E7519	endp

; 
; START	OF FUNCTION CHUNK FOR SepAccessCheckAndAuditAlarmWithAdminlessChecks

loc_8E7591:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+36Fj
		mov	eax, ds:_SeTokenObjectType
		mov	ecx, [ecx]
		mov	[ebp+var_78], 0
		push	0
		lea	edx, [ebp+var_78]
		push	edx
		push	ebx
		push	eax
		push	8
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_78]
		mov	[ebp+var_128], eax
		test	edi, edi
		jns	short loc_8E75E5
		mov	[ebp+var_128], 0
		mov	ebx, [ebp+var_4C]
		mov	esi, ebx
		cmp	edi, 0C0000008h
		jz	loc_79DA55
		mov	[ebp+var_98], 1
		jmp	loc_79DA55
; 

loc_8E75E5:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A3ACj
		mov	[ebp+var_148], esi
		mov	esi, eax
		mov	[ebp+var_A8], esi
		mov	[ebp+var_C8], esi
		mov	[ebp+var_94], 1
		mov	al, [ebp+var_56]
		jmp	loc_79D585
; 

loc_8E7608:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+377j
		mov	esi, [ebp+var_C0]
		mov	[ebp+var_A8], esi
		jmp	loc_79D58D
; 

loc_8E7619:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+392j
		test	[ebp+arg_1C], 1
		jz	short loc_8E762B
		mov	byte ptr [ebp-95h], 1
		jmp	loc_79D5A8
; 

loc_8E762B:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A40Dj
		mov	edi, 0C0000061h
		jmp	loc_8E82AE
; 

loc_8E7635:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+39Fj
		mov	edi, 0C00000E6h
		jmp	loc_8E82AE
; 

loc_8E763F:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+3BDj
		mov	[ebp+var_6A+2],	0
		jmp	loc_8E82AE
; 

loc_8E764B:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+3C8j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+3DCj ...
		mov	edi, 0C0000079h
		jmp	loc_8E82AE
; 

loc_8E7655:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+3EFj
		mov	eax, [eax+8]
		jmp	loc_79D612
; 

loc_8E765D:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+41Ej
		mov	edx, eax
		jmp	loc_79D634
; END OF FUNCTION CHUNK	FOR SepAccessCheckAndAuditAlarmWithAdminlessChecks

;  S U B	R O U T	I N E 


sub_8E7664	proc near		; DATA XREF: .text:006A2208o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-15Ch], eax
		mov	eax, 1
		retn
sub_8E7664	endp


;  S U B	R O U T	I N E 


sub_8E7677	proc near		; DATA XREF: .text:006A220Co
		mov	esp, [ebp-18h]
		mov	edi, [ebp-15Ch]
		mov	[ebp-5Ch], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-13Ch]
		mov	[ebp-0D8h], eax
		mov	[ebp-0ECh], eax
		mov	[ebp-5Dh], al
		mov	[ebp-4Eh], al
		mov	[ebp-4Fh], al
		mov	eax, [ebp-108h]
		mov	[ebp-0D4h], eax
		mov	[ebp-55h], al
		mov	[ebp-4Dh], al
		mov	eax, [ebp-0A4h]
		mov	[ebp-7Ch], eax
		mov	esi, [ebp-84h]
		mov	[ebp-0A8h], esi
		mov	[ebp-69h], al
		mov	cl, [ebp-0B0h]
		mov	[ebp-56h], cl
		mov	ebx, [ebp-0B0h]
		jmp	loc_79D68C
sub_8E7677	endp

; 
; START	OF FUNCTION CHUNK FOR SepAccessCheckAndAuditAlarmWithAdminlessChecks

loc_8E76E3:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+489j
		lea	edx, [ebp+var_DC]
		push	edx
		push	1
		sub	esp, 0Ch
		mov	dl, cl
		mov	ecx, eax
		call	SeCaptureSid
		mov	edi, eax
		test	edi, edi
		jns	loc_79D69F
		mov	[ebp+var_DC], 0
		jmp	loc_8E82AE
; 

loc_8E7711:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+4EFj
		mov	byte ptr [ebp+var_87+2], 1
		jmp	short loc_8E7721
; 

loc_8E771A:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+52Ej
		mov	byte ptr [ebp+var_87+1], 1

loc_8E7721:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A508j
		test	edi, edi
		js	loc_79D7D3
		jmp	loc_79D744
; 

loc_8E772E:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+586j
		test	al, al
		jz	loc_79D7D3
		jmp	loc_79D79C
; 

loc_8E773B:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+5BDj
		mov	eax, [ebp+var_B4]
		mov	[ebp+var_78], eax
		test	eax, eax
		jz	loc_79D7DC
		mov	byte ptr [ebp+var_6A+1], 1
		jmp	loc_79D7DC
; 

loc_8E7755:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+5DAj
		cmp	[ebp+var_4D], 0
		jnz	loc_79D7F0
		mov	byte ptr [ebp+var_9C], 1
		mov	[ebp+var_74], edi
		cmp	byte ptr [ebp+arg_38], 0
		jz	loc_8E77F4
		push	61476553h
		mov	eax, [ebp+var_64]
		shl	eax, 3
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4C], eax
		test	eax, eax
		jnz	short loc_8E77A9
		lea	eax, [ebp+var_C8]
		push	eax
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		mov	edi, 0C000009Ah

loc_8E779E:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A96Cj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AA15j ...
		mov	ebx, [ebp+var_4C]
		mov	esi, [ebp+var_54]
		jmp	loc_79DA55
; 

loc_8E77A9:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A57Bj
		mov	[ebp+var_6B], 1
		mov	edi, [ebp+var_64]
		lea	eax, [eax+edi*4]
		mov	[ebp+var_70], eax
		xor	edx, edx
		mov	ecx, eax
		mov	ebx, [ebp+var_4C]
		sub	ebx, eax
		mov	[ebp+var_104], ebx
		mov	ebx, [ebp+arg_14]
		mov	esi, [ebp+var_104]

loc_8E77CE:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A5D4j
		cmp	edx, edi
		jnb	short loc_8E77E6
		mov	eax, [ebp+var_90]
		mov	[esi+ecx], eax
		mov	eax, [ebp+var_74]
		mov	[ecx], eax
		inc	edx
		add	ecx, 4
		jmp	short loc_8E77CE
; 

loc_8E77E6:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A5C0j
		mov	esi, [ebp+var_A8]
		mov	edi, [ebp+var_80]
		jmp	loc_79D915
; 

loc_8E77F4:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A55Dj
		lea	eax, [ebp+var_90]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_70], eax
		jmp	loc_79D915
; 

loc_8E7808:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+5FDj
		mov	eax, [ebp+var_6A+2]
		test	byte ptr [eax+2], 10h
		jz	loc_79D816
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_8E78AF
		mov	eax, [ebp+var_6A+2]
		movzx	ecx, word ptr [eax+2]
		test	cl, 10h
		jnz	short loc_8E7842
		xor	edx, edx
		mov	[ebp+var_D4], edx

loc_8E7837:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A65Fj
		mov	cl, byte ptr [ebp+var_AC]
		jmp	loc_79D816
; 

loc_8E7842:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A61Dj
		test	cx, cx
		jns	short loc_8E7864
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jnz	short loc_8E785F
		mov	[ebp+var_D4], ecx
		mov	cl, byte ptr [ebp+var_AC]
		jmp	loc_79D816
; 

loc_8E785F:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A63Cj
		lea	edx, [ecx+eax]
		jmp	short loc_8E7867
; 

loc_8E7864:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A635j
		mov	edx, [eax+0Ch]

loc_8E7867:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A652j
		mov	[ebp+var_D4], edx
		test	edx, edx
		jz	short loc_8E7837
		mov	ecx, edx
		call	_SepGetScopedPolicySid@4 ; SepGetScopedPolicySid(x)
		test	eax, eax
		jz	short loc_8E78AF
		lea	edx, [ebp+var_FC]
		mov	ecx, eax
		call	_SepRmReferenceFindCap@8 ; SepRmReferenceFindCap(x,x)
		test	eax, eax
		jns	short loc_8E7898
		mov	eax, ds:_SepRmDefaultCap
		mov	[ebp+var_FC], eax

loc_8E7898:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A67Bj
		xor	edi, edi
		mov	[ebp+var_5C], edi
		mov	[ebp+var_6C], 1
		mov	eax, [ebp+var_6A+2]
		mov	cl, byte ptr [ebp+var_AC]
		jmp	loc_79D819
; 

loc_8E78AF:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A60Dj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A66Aj
		mov	cl, byte ptr [ebp+var_AC]
		jmp	loc_79D813
; 

loc_8E78BA:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+943j
		xor	eax, eax
		jmp	loc_79DB6F
; 

loc_8E78C1:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+957j
		xor	eax, eax
		jmp	loc_79DB6F
; 

loc_8E78C8:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+94Cj
		mov	eax, [eax+10h]
		jmp	loc_79DB6F
; 

loc_8E78D0:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+B57j
		cmp	byte ptr [ebp+var_6A+1], 0
		jz	loc_79D83C
		jmp	loc_79DD6D
; 

loc_8E78DF:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+B67j
		cmp	[ebp+var_7C], 0
		jnz	loc_79D83C
		jmp	loc_79DD7D
; 

loc_8E78EE:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+B75j
		mov	eax, 0C0000022h
		mov	cl, 1
		xor	dl, dl
		jmp	loc_79DD91
; 

loc_8E78FC:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+B94j
		push	61476553h
		mov	eax, [ebp+var_64]
		shl	eax, 3
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4C], eax
		test	eax, eax
		jnz	short loc_8E7932
		mov	edi, 0C000009Ah
		lea	eax, [ebp+var_C8]
		push	eax
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		mov	ebx, [ebp+var_4C]
		mov	esi, [ebp+var_54]
		jmp	loc_79DA55
; 

loc_8E7932:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A704j
		mov	[ebp+var_6B], 1
		mov	edi, [ebp+var_64]
		lea	eax, [eax+edi*4]
		mov	[ebp+var_70], eax
		xor	edx, edx
		mov	ecx, eax
		mov	esi, [ebp+var_4C]
		sub	esi, eax
		mov	[ebp+var_104], esi
		mov	esi, [ebp+var_A8]
		mov	ebx, [ebp+var_104]

loc_8E795A:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A760j
		cmp	edx, edi
		jnb	short loc_8E7972
		mov	eax, [ebp+var_90]
		mov	[ecx+ebx], eax
		mov	eax, [ebp+var_74]
		mov	[ecx], eax
		inc	edx
		add	ecx, 4
		jmp	short loc_8E795A
; 

loc_8E7972:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A74Cj
		mov	edi, [ebp+var_80]
		mov	ebx, [ebp+arg_14]
		jmp	loc_79D915
; 

loc_8E797D:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+640j
		push	61476553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_4C], edx
		test	edx, edx
		jnz	short loc_8E79AF
		mov	edi, 0C000009Ah
		lea	eax, [ebp+var_C8]
		push	eax
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		mov	ebx, [ebp+var_4C]
		mov	esi, [ebp+var_54]
		jmp	loc_79DA55
; 

loc_8E79AF:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A781j
		mov	[ebp+var_6B], 1
		mov	eax, [ebp+var_64]
		lea	edi, ds:0[eax*4]
		lea	eax, [edi+edx]
		mov	ecx, [ebp+arg_38]
		jmp	loc_79D86B
; 

loc_8E79C8:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+6C7j
		cmp	dword ptr [eax], 0
		jl	loc_79D8DD
		cmp	[ebp+var_6C], 0
		jz	loc_79D8DD
		cmp	byte ptr [ebp+arg_38], 0
		jz	short loc_8E7A2F
		push	61476553h
		push	[ebp+var_12C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_54], edx
		test	edx, edx
		jnz	short loc_8E7A24
		lea	eax, [ebp+var_C8]
		push	eax
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		lea	eax, [ebp+var_C8]
		push	eax
		call	SeReleaseSubjectContext
		mov	edi, 0C000009Ah
		mov	ebx, [ebp+var_4C]
		mov	esi, [ebp+var_54]
		jmp	loc_79DA55
; 

loc_8E7A24:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A7EAj
		lea	ecx, [edi+edx]
		mov	[ebp+var_D8], ecx
		jmp	short loc_8E7A44
; 

loc_8E7A2F:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A7CFj
		lea	eax, [ebp+var_160]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_164]
		mov	[ebp+var_D8], eax

loc_8E7A44:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A81Dj
		mov	eax, [ebp+var_64]
		test	eax, eax
		jz	short loc_8E7A70
		lea	ecx, [ebp+var_118]
		push	ecx
		mov	edx, eax
		mov	ecx, [ebp+var_B8]
		call	_SepCopyObjectTypeList@12 ; SepCopyObjectTypeList(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_8E7A73
		mov	ebx, [ebp+var_4C]
		mov	esi, [ebp+var_54]
		jmp	loc_79DA55
; 

loc_8E7A70:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A839j
		mov	edi, [ebp+var_5C]

loc_8E7A73:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A853j
		mov	[ebp+var_5E], 0
		xor	eax, eax
		mov	ecx, [ebp+var_FC]
		add	ecx, 24h
		mov	edx, [ebp+var_B4]
		mov	[ebp+var_78], edx

loc_8E7A8B:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AB34j
		mov	[ebp+var_100], ecx
		mov	[ebp+var_108], eax
		mov	ebx, [ebp+var_FC]
		cmp	eax, [ebx+20h]
		mov	ebx, [ebp+arg_14]
		jnb	loc_8E7D49
		mov	ecx, [ecx]
		mov	[ebp+var_7C], ecx
		cmp	dword ptr [ecx+0Ch], 0
		jz	loc_8E7C44
		cmp	[ebp+var_D0], 0
		jnz	short loc_8E7ADD
		lea	edx, [ebp+var_D0]
		mov	ecx, [ebp+var_D4]
		call	AuthzBasepInitializeResourceClaimsFromSacl
		mov	ecx, [ebp+var_7C]
		test	eax, eax
		jns	short loc_8E7ADD
		mov	[ebp+var_5E], 1

loc_8E7ADD:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A8AFj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A8C7j
		mov	eax, [esi+27Ch]
		test	eax, eax
		jz	short loc_8E7AF5
		mov	edx, [eax+12Ch]
		mov	[ebp+var_87+3],	edx
		jmp	short loc_8E7AFF
; 

loc_8E7AF5:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A8D5j
		mov	[ebp+var_87+3],	0

loc_8E7AFF:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A8E3j
		test	eax, eax
		jz	short loc_8E7B11
		mov	edx, [eax+124h]
		mov	[ebp+var_A4], edx
		jmp	short loc_8E7B1B
; 

loc_8E7B11:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A8F1j
		mov	[ebp+var_A4], 0

loc_8E7B1B:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A8FFj
		test	eax, eax
		jz	short loc_8E7B27
		mov	edi, [eax+128h]
		jmp	short loc_8E7B29
; 

loc_8E7B27:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A90Dj
		xor	edi, edi

loc_8E7B29:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A915j
		test	eax, eax
		jz	short loc_8E7B35
		mov	edx, [eax+120h]
		jmp	short loc_8E7B37
; 

loc_8E7B35:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A91Bj
		xor	edx, edx

loc_8E7B37:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A923j
		lea	eax, [ebp+var_10C]
		push	eax
		push	0
		push	1
		mov	eax, [ecx+8]
		push	eax
		mov	eax, [ecx+0Ch]
		push	eax
		push	[ebp+var_87+3]
		push	[ebp+var_A4]
		push	edi
		push	edx
		push	[ebp+var_D0]
		mov	edx, [esi+1DCh]
		mov	ecx, esi
		call	AuthzBasepEvaluateAceCondition
		mov	edi, eax
		cmp	[ebp+var_10C], 1
		jz	loc_8E7C3E
		test	edi, edi
		js	loc_8E779E
		push	esi
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		test	al, al
		jz	loc_8E7C2B
		mov	eax, [esi+27Ch]
		test	eax, eax
		jz	short loc_8E7BA8
		mov	ecx, [eax+12Ch]
		mov	[ebp+var_87+3],	ecx
		jmp	short loc_8E7BB2
; 

loc_8E7BA8:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A988j
		mov	[ebp+var_87+3],	0

loc_8E7BB2:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A996j
		test	eax, eax
		jz	short loc_8E7BC4
		mov	ecx, [eax+124h]
		mov	[ebp+var_A4], ecx
		jmp	short loc_8E7BCE
; 

loc_8E7BC4:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A9A4j
		mov	[ebp+var_A4], 0

loc_8E7BCE:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A9B2j
		test	eax, eax
		jz	short loc_8E7BDA
		mov	edi, [eax+128h]
		jmp	short loc_8E7BDC
; 

loc_8E7BDA:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A9C0j
		xor	edi, edi

loc_8E7BDC:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A9C8j
		test	eax, eax
		jz	short loc_8E7BE8
		mov	edx, [eax+120h]
		jmp	short loc_8E7BEA
; 

loc_8E7BE8:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A9CEj
		xor	edx, edx

loc_8E7BEA:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A9D6j
		lea	eax, [ebp+var_10C]
		push	eax
		push	1
		push	1
		mov	ecx, [ebp+var_7C]
		mov	eax, [ecx+8]
		push	eax
		mov	eax, [ecx+0Ch]
		push	eax
		push	[ebp+var_87+3]
		push	[ebp+var_A4]
		push	edi
		push	edx
		push	[ebp+var_D0]
		mov	edx, [esi+1DCh]
		mov	ecx, esi
		call	AuthzBasepEvaluateAceCondition
		mov	edi, eax
		test	edi, edi
		js	loc_8E779E

loc_8E7C2B:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A97Aj
		cmp	[ebp+var_5E], 0
		jnz	short loc_8E7C3E
		cmp	[ebp+var_10C], 1
		jnz	loc_8E7D31

loc_8E7C3E:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A964j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AA1Fj
		mov	edx, [ebp+var_78]
		mov	ecx, [ebp+var_7C]

loc_8E7C44:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A8A2j
		test	byte ptr [ecx+18h], 1
		jz	short loc_8E7C6A
		test	ebx, 2000000h
		jz	short loc_8E7C57
		mov	[ebp+var_7C], ebx
		jmp	short loc_8E7C5E
; 

loc_8E7C57:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AA40j
		mov	eax, edx
		or	eax, ebx
		mov	[ebp+var_7C], eax

loc_8E7C5E:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AA45j
		mov	[ebp+var_87+3],	0
		jmp	short loc_8E7C73
; 

loc_8E7C6A:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AA38j
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_87+3],	edx

loc_8E7C73:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AA58j
		push	[ebp+var_D4]
		mov	edx, [ecx+10h]
		lea	ecx, [ebp+var_18C]
		call	_SepBuildCapeSecurityDescriptor@12 ; SepBuildCapeSecurityDescriptor(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8E779E
		push	[ebp+arg_3C]
		lea	eax, [ebp+var_96]
		push	eax
		lea	eax, [ebp+var_97]
		push	eax
		lea	eax, [ebp+var_D0]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		push	[ebp+var_AC]
		push	[ebp+arg_38]
		push	[ebp+var_D8]
		push	0
		push	[ebp+var_54]
		push	[ebp+var_B0]
		push	[ebp+var_87+3]
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_64]
		push	[ebp+var_118]
		push	[ebp+var_7C]
		push	[ebp+var_C8]
		push	[ebp+var_C0]
		mov	edx, [ebp+var_DC]
		lea	ecx, [ebp+var_18C]
		call	SepAccessCheck
		mov	ecx, [ebp+var_54]
		mov	eax, [ecx]
		cmp	[ebp+var_55], 0
		jnz	short loc_8E7D0D
		mov	[ebp+var_EC], eax
		jmp	short loc_8E7D13
; 

loc_8E7D0D:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AAF3j
		and	[ebp+var_EC], eax

loc_8E7D13:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AAFBj
		mov	eax, [ebp+var_118]
		test	eax, eax
		jz	short loc_8E7D2D
		push	[ebp+var_64]
		mov	edx, eax
		mov	ecx, [ebp+var_B8]
		call	_SepMergeObjectTypeListAccesses@12 ; SepMergeObjectTypeListAccesses(x,x,x)

loc_8E7D2D:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AB0Bj
		mov	[ebp+var_55], 1

loc_8E7D31:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AA28j
		mov	eax, [ebp+var_108]
		inc	eax
		mov	ecx, [ebp+var_100]
		add	ecx, 4
		mov	edx, [ebp+var_78]
		jmp	loc_8E7A8B
; 

loc_8E7D49:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A893j
		mov	al, [ebp+var_97]
		mov	byte ptr [ebp+var_8B], al
		mov	al, [ebp+var_96]
		mov	byte ptr [ebp+var_9C], al
		mov	eax, [ebp+var_EC]
		mov	ecx, [ebp+var_54]
		and	[ecx], eax
		test	eax, eax
		jnz	short loc_8E7D8A
		mov	eax, [ebp+var_D8]
		mov	dword ptr [eax], 0C0000022h
		mov	byte ptr [ebp+var_8B], 0
		mov	byte ptr [ebp+var_9C], 1

loc_8E7D8A:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AB5Ej
		mov	eax, [ebp+var_70]
		jmp	loc_79D8EC
; 

loc_8E7D92:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+BB8j
		cmp	[ebp+var_22], 0
		jnz	loc_79D90A
		call	_KeIsCetCapable@0 ; KeIsCetCapable()
		test	al, al
		jnz	loc_79D90A
		mov	eax, [ebp+var_70]
		jmp	loc_79DBE4
; 

loc_8E7DB1:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+9D8j
		mov	ecx, [ebp+var_64]
		jmp	loc_79DBF0
; 

loc_8E7DB9:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+6F4j
		cmp	[ebp+var_22], 0
		jnz	loc_79D90A
		cmp	[ebp+var_23], 0
		jnz	loc_79D90A
		call	_KeIsCetCapable@0 ; KeIsCetCapable()
		test	al, al
		jz	short loc_8E7E00
		cmp	[ebp+var_2C], 0
		jnz	short loc_8E7E00
		mov	[ebp+var_21], 1
		mov	byte ptr [ebp+var_8B], 1
		mov	byte ptr [ebp+var_9C], 0
		mov	[ebp+var_90], ebx
		mov	[ebp+var_74], 0
		jmp	loc_79D90A
; 

loc_8E7E00:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14ABC4j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14ABCAj
		mov	byte ptr [ebp+var_8B], 0
		mov	byte ptr [ebp+var_9C], 1
		mov	[ebp+var_90], 0
		mov	[ebp+var_74], 0C0000022h
		mov	eax, [ebp+arg_38]
		test	al, al
		jz	loc_79D90D
		mov	[ebp+var_87+3],	0
		mov	edx, [ebp+var_70]
		mov	esi, [ebp+var_4C]
		sub	esi, edx
		xor	eax, eax
		xor	ecx, ecx

loc_8E7E40:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AC53j
		cmp	eax, [ebp+var_64]
		jnb	short loc_8E7E65
		mov	[edx+esi], ecx
		mov	eax, [ebp+var_74]
		mov	[edx], eax
		mov	eax, [ebp+var_87+3]
		inc	eax
		mov	[ebp+var_87+3],	eax
		add	edx, 4
		mov	ecx, [ebp+var_90]
		jmp	short loc_8E7E40
; 

loc_8E7E65:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AC33j
		mov	esi, [ebp+var_A8]
		jmp	loc_79DC04
; 

loc_8E7E70:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+A01j
		mov	eax, [ebp+var_64]
		jmp	loc_79DC19
; 

loc_8E7E78:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+A2Aj
		mov	eax, [ebp+var_64]
		jmp	loc_79DC42
; 

loc_8E7E80:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+716j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+723j ...
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	eax, [esi+30h]
		push	eax
		call	ExAcquireResourceSharedLite
		cmp	[ebp+var_74], 0
		setnl	byte ptr [ebp+var_130]
		push	0
		push	[ebp+var_130]
		mov	eax, [ebp+var_78]
		or	eax, ebx
		push	eax
		push	[ebp+var_6A+2]
		lea	ecx, [ebp+var_C8]
		call	_SepLocateTokenTrustLevel@4 ; SepLocateTokenTrustLevel(x)
		push	eax
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	SeLogAccessFailure
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_79D94F
; 

loc_8E7ED5:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+B14j
		test	dword ptr [esi+0B0h], 4000h
		jz	loc_79D95D
		mov	edx, ebx
		lea	ecx, [ebp+var_38]
		call	SepLpacCausedAccessFailure
		test	al, al
		jz	loc_79D95D
		call	_SepLogLpacAccessFailure@4 ; SepLogLpacAccessFailure(x)
		jmp	loc_79D95D
; 

loc_8E7F01:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+763j
		mov	dl, byte ptr [ebp+var_8B]
		test	dl, dl
		jz	short loc_8E7F2D
		mov	[ebp+var_F0], 98h
		lea	eax, [ebp+var_C8]
		push	eax
		push	0
		mov	ecx, 98h
		call	SepAdtAuditThisEventWithContext
		mov	[ebp+var_4E], al
		jmp	short loc_8E7F30
; 

loc_8E7F2D:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14ACF9j
		mov	al, [ebp+var_4E]

loc_8E7F30:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AD1Bj
		cmp	byte ptr [ebp+var_9C], 0
		jz	loc_79D9BB
		mov	[ebp+var_F0], 98h
		lea	eax, [ebp+var_C8]
		push	eax
		push	[ebp+var_9C]
		xor	dl, dl
		mov	ecx, 98h
		call	SepAdtAuditThisEventWithContext
		mov	cl, al
		mov	[ebp+var_4F], cl
		mov	al, [ebp+var_4E]
		jmp	loc_79D9BE
; 

loc_8E7F6D:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+7B0j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+7B8j
		mov	ecx, [ebp+var_C8]
		test	ecx, ecx
		jnz	short loc_8E7F7D
		mov	ecx, [ebp+var_C0]

loc_8E7F7D:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AD65j
		mov	eax, [ebp+var_6A+2]
		movzx	esi, word ptr [eax+2]
		mov	edi, esi
		and	edi, 10h
		jnz	short loc_8E7F8F
		xor	edx, edx
		jmp	short loc_8E7F9D
; 

loc_8E7F8F:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AD79j
		mov	edx, [eax+0Ch]
		test	si, si
		jns	short loc_8E7F9D
		test	edx, edx
		jz	short loc_8E7F9D
		add	edx, eax

loc_8E7F9D:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AD7Dj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AD85j ...
		test	di, di
		jnz	short loc_8E7FA6
		xor	eax, eax
		jmp	short loc_8E7FBD
; 

loc_8E7FA6:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AD90j
		test	si, si
		jns	short loc_8E7FBA
		mov	esi, [eax+0Ch]
		test	esi, esi
		jnz	short loc_8E7FB6
		xor	eax, eax
		jmp	short loc_8E7FBD
; 

loc_8E7FB6:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14ADA0j
		add	eax, esi
		jmp	short loc_8E7FBD
; 

loc_8E7FBA:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AD99j
		mov	eax, [eax+0Ch]

loc_8E7FBD:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AD94j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14ADA4j ...
		mov	esi, [ebp+var_78]
		or	esi, ebx
		lea	edi, [ebp+var_6A]
		push	edi
		lea	edi, [ebp+var_87]
		push	edi
		mov	ebx, [ebp+var_AC]
		push	ebx
		push	[ebp+var_DC]
		push	[ebp+var_4C]
		mov	edi, [ebp+var_70]
		push	edi
		push	[ebp+arg_38]
		push	[ebp+var_64]
		push	[ebp+var_B8]
		push	esi
		push	ecx
		mov	ecx, eax
		call	_SepExamineSaclEx@52 ; SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_C8]
		test	ecx, ecx
		jnz	short loc_8E8006
		mov	ecx, [ebp+var_C0]

loc_8E8006:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14ADEEj
		mov	eax, [ebp+var_6A+2]
		movzx	edx, word ptr [eax+2]
		test	dl, 10h
		jnz	short loc_8E8016
		xor	edx, edx
		jmp	short loc_8E8024
; 

loc_8E8016:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AE00j
		test	dx, dx
		mov	edx, [eax+0Ch]
		jns	short loc_8E8024
		test	edx, edx
		jz	short loc_8E8024
		add	edx, eax

loc_8E8024:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AE04j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AE0Cj ...
		lea	eax, [ebp+var_6A]
		push	eax
		lea	eax, [ebp+var_87]
		push	eax
		push	ebx
		push	[ebp+var_DC]
		push	[ebp+var_4C]
		push	edi
		mov	ebx, [ebp+arg_38]
		push	ebx
		push	[ebp+var_64]
		push	[ebp+var_B8]
		push	esi
		push	ecx
		mov	ecx, [ebp+var_CC]
		call	_SepExamineGlobalSaclEx@52 ; SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, [ebp+var_120]
		mov	cl, [ebp+var_4F]
		jmp	loc_79D9D1
; 

loc_8E8062:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+7C9j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+7D2j
		cmp	byte ptr [ebp+var_8B], 0
		jz	short loc_8E806F
		mov	[ebp+var_5D], 1

loc_8E806F:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AE59j
		test	al, al
		jz	loc_8E80FA
		cmp	[ebp+var_4E], 0
		jz	short loc_8E80FA
		movzx	edx, bl
		neg	edx
		sbb	edx, edx
		mov	ecx, [ebp+var_4C]
		and	edx, ecx
		movzx	esi, byte ptr [ebp+var_8B]
		neg	esi
		sbb	esi, esi
		lea	eax, [ebp+var_124]
		and	esi, eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [ecx]
		push	0
		push	0
		push	edx
		push	[ebp+var_64]
		push	[ebp+var_B8]
		push	edi
		mov	eax, [eax+0E4h]
		push	eax
		push	1
		push	[ebp+var_E8]
		push	ecx
		push	ecx
		push	[ebp+var_C0]
		push	[ebp+var_C8]
		push	[ebp+var_6A+2]
		push	[ebp+var_F8]
		push	[ebp+var_CC]
		push	esi
		mov	edx, [ebp+var_F4]
		mov	ecx, [ebp+var_F0]
		call	_SepAdtOpenObjectAuditAlarm@76 ; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	cl, [ebp+var_4F]

loc_8E80FA:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AE61j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AE6Bj
		cmp	byte ptr [ebp+var_6A], 0
		jz	loc_79D9F5
		test	cl, cl
		jz	loc_79D9F5
		movzx	ecx, bl
		neg	ecx
		sbb	ecx, ecx
		mov	ebx, [ebp+var_4C]
		and	ecx, ebx
		movzx	edx, byte ptr [ebp+var_8B]
		neg	edx
		sbb	edx, edx
		lea	eax, [ebp+var_124]
		and	edx, eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	0
		push	0
		push	ecx
		push	[ebp+var_64]
		push	[ebp+var_B8]
		push	edi
		mov	eax, [eax+0E4h]
		push	eax
		push	0
		push	[ebp+var_E8]
		mov	eax, [ebp+arg_14]
		push	eax
		push	eax
		push	[ebp+var_C0]
		push	[ebp+var_C8]
		push	[ebp+var_6A+2]
		push	[ebp+var_F8]
		push	[ebp+var_CC]
		push	edx
		mov	edx, [ebp+var_F4]
		mov	ecx, [ebp+var_F0]
		call	_SepAdtOpenObjectAuditAlarm@76 ; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_79D9F8
; 

loc_8E818C:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+7FFj
		mov	[ebp+var_110], 0
		mov	eax, [ebp+var_70]
		xor	ecx, ecx
		mov	esi, [ebp+var_E0]
		mov	edi, [ebp+var_E4]
		mov	[ebp+var_110], ecx
		test	eax, eax
		jnz	short loc_8E81F9
		mov	edx, [ebp+var_74]

loc_8E81B4:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AFE7j
		cmp	ecx, [ebp+var_64]
		jnb	loc_79DA3B
		mov	[esi+ecx*4], edx
		mov	eax, [ebp+var_90]
		mov	[edi+ecx*4], eax
		cmp	_SepRmEnforceCap, 0
		jz	short loc_8E81ED
		cmp	[ebp+var_55], 0
		jz	short loc_8E81ED
		mov	edx, [ebp+var_74]
		test	edx, edx
		js	short loc_8E81F0
		mov	[esi+ecx*4], edx
		mov	eax, [ebp+var_90]
		and	[edi+ecx*4], eax
		jmp	short loc_8E81F0
; 

loc_8E81ED:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AFC0j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AFC6j
		mov	edx, [ebp+var_74]

loc_8E81F0:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AFCDj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AFDBj
		inc	ecx
		mov	[ebp+var_110], ecx
		jmp	short loc_8E81B4
; 

loc_8E81F9:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AF9Fj
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B033j
		cmp	ecx, [ebp+var_64]
		jnb	loc_79DA3B
		lea	edx, [eax+ecx*4]
		mov	eax, [edx]
		mov	[esi+ecx*4], eax
		mov	eax, [ebx+ecx*4]
		mov	[edi+ecx*4], eax
		cmp	_SepRmEnforceCap, 0
		jz	short loc_8E8239
		cmp	[ebp+var_55], 0
		jz	short loc_8E8239
		cmp	dword ptr [edx], 0
		jl	short loc_8E8239
		mov	eax, [ebp+var_D8]
		mov	eax, [eax+ecx*4]
		mov	[esi+ecx*4], eax
		mov	eax, [ebp+var_54]
		mov	eax, [eax+ecx*4]
		and	[edi+ecx*4], eax

loc_8E8239:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B007j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B00Dj ...
		inc	ecx
		mov	[ebp+var_110], ecx
		mov	eax, [ebp+var_70]
		jmp	short loc_8E81F9
; 

loc_8E8245:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+825j
		mov	esi, [ebp+var_54]
		cmp	[ebp+var_55], 0
		jz	loc_79DA3E
		cmp	[ebp+var_74], 0
		jl	loc_79DA3E
		mov	eax, [ebp+var_D8]
		mov	eax, [eax]
		mov	[ecx], eax
		mov	eax, [esi]
		and	[edx], eax
		jmp	loc_79DA3E
; END OF FUNCTION CHUNK	FOR SepAccessCheckAndAuditAlarmWithAdminlessChecks

;  S U B	R O U T	I N E 


sub_8E826F	proc near		; DATA XREF: .text:006A2214o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-168h], eax
		mov	eax, 1
		retn
sub_8E826F	endp


;  S U B	R O U T	I N E 


sub_8E8282	proc near		; DATA XREF: .text:006A2218o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-168h]
		mov	[ebp-5Ch], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	al, [ebp-0B0h]
		mov	[ebp-56h], al
		mov	ebx, [ebp-4Ch]
		mov	esi, [ebp-54h]
		jmp	loc_79DA55
sub_8E8282	endp

; 
; START	OF FUNCTION CHUNK FOR SepAccessCheckAndAuditAlarmWithAdminlessChecks

loc_8E82A9:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14A267j
		mov	edi, 0C000000Dh

loc_8E82AE:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+361j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+481j ...
		mov	ebx, [ebp+var_4C]
		mov	esi, ebx
		jmp	loc_79DA55
; 

loc_8E82B8:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+84Cj
		mov	ecx, [ebp+var_128]
		call	ObfDereferenceObject
		mov	eax, [ebp+var_148]
		mov	[ebp+var_C8], eax
		jmp	loc_79DA62
; 

loc_8E82D4:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+8BAj
		push	1
		mov	dl, [ebp+var_56]
		call	_SeReleaseSid@12 ; SeReleaseSid(x,x,x)
		jmp	loc_79DAD0
; 

loc_8E82E3:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+8C8j
		call	_SeFreeCapturedObjectTypeList@4	; SeFreeCapturedObjectTypeList(x)
		jmp	loc_79DADE
; 

loc_8E82ED:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+8D2j
		test	ebx, ebx
		jz	short loc_8E82F9
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E82F9:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+14B0DFj
		test	esi, esi
		jz	loc_79DAE8
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_79DAE8
; 

loc_8E830E:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+8DCj
		mov	ecx, [ebp+var_FC]
		call	_SepRmDereferenceCap@4 ; SepRmDereferenceCap(x)
		jmp	loc_79DAF2
; 

loc_8E831E:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+8EAj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_79DB00
; 

loc_8E832B:				; CODE XREF: SepAccessCheckAndAuditAlarmWithAdminlessChecks+901j
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+90Ej
		push	edi
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	loc_79DB24
; END OF FUNCTION CHUNK	FOR SepAccessCheckAndAuditAlarmWithAdminlessChecks
; 
; START	OF FUNCTION CHUNK FOR SepProbeAndCaptureString_U

loc_8E8336:				; CODE XREF: SepProbeAndCaptureString_U+28j
		mov	ecx, eax
		jmp	loc_79DE00
; END OF FUNCTION CHUNK	FOR SepProbeAndCaptureString_U

;  S U B	R O U T	I N E 


sub_8E833D	proc near		; DATA XREF: .text:006A2234o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E833D	endp


;  S U B	R O U T	I N E 


sub_8E834D	proc near		; DATA XREF: .text:006A2238o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-24h]
		mov	[ebp-1Ch], eax
		mov	esi, [ebp-28h]
		mov	eax, [esi]
		test	eax, eax
		jz	loc_79DE7A
		xor	ebx, ebx
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi], ebx
		jmp	loc_79DE7A
sub_8E834D	endp

; 
; START	OF FUNCTION CHUNK FOR SepAdtAuditObjectAccessWithContext

loc_8E8373:				; CODE XREF: SepAdtAuditObjectAccessWithContext+39j
		test	ebx, ebx
		jnz	short loc_8E839C
		cmp	[ebp+arg_C], bl
		jnz	short loc_8E839C
		test	esi, esi
		jz	short loc_8E8394
		push	ebx
		push	esi
		push	offset _SepSamTypeNamePrefix
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_8E8394
		push	78h
		jmp	short loc_8E8396
; 

loc_8E8394:				; CODE XREF: SepAdtAuditObjectAccessWithContext+14A4CEj
					; SepAdtAuditObjectAccessWithContext+14A4DEj
		push	79h

loc_8E8396:				; CODE XREF: SepAdtAuditObjectAccessWithContext+14A4E2j
		pop	eax
		mov	[edi], ax
		jmp	short loc_8E83B1
; 

loc_8E839C:				; CODE XREF: SepAdtAuditObjectAccessWithContext+14A4C5j
					; SepAdtAuditObjectAccessWithContext+14A4CAj
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, ebx
		push	[ebp+arg_0]
		call	_SepAdtClassifyObjectIntoSubCategory@16	; SepAdtClassifyObjectIntoSubCategory(x,x,x,x)
		mov	[edi], ax
		movzx	eax, ax

loc_8E83B1:				; CODE XREF: SepAdtAuditObjectAccessWithContext+14A4EAj
		push	[ebp+arg_8]
		mov	dl, byte ptr [ebp+arg_0]
		push	[ebp+arg_4]
		movzx	ecx, ax
		call	SepAdtAuditThisEventWithContext
		jmp	loc_79DEEF
; END OF FUNCTION CHUNK	FOR SepAdtAuditObjectAccessWithContext
; 
; START	OF FUNCTION CHUNK FOR SepAdtPrivilegedServiceAuditAlarm

loc_8E83C7:				; CODE XREF: SepAdtPrivilegedServiceAuditAlarm+4Cj
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		lea	edx, [esp+2C8h+var_2BC]
		mov	ecx, [eax+0E4h]
		mov	[esp+2C8h+var_2A4], ecx
		mov	ecx, eax
		call	PsGetAllocatedFullProcessImageNameEx
		mov	edi, eax
		test	edi, edi
		js	loc_8E857B
		mov	esi, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		test	esi, esi
		jz	short loc_8E83FD
		mov	eax, [esi+94h]
		jmp	short loc_8E8403
; 

loc_8E83FD:				; CODE XREF: SepAdtPrivilegedServiceAuditAlarm+14A4F5j
		mov	eax, [ecx+94h]

loc_8E8403:				; CODE XREF: SepAdtPrivilegedServiceAuditAlarm+14A4FDj
		cmp	[esp+2C8h+var_2B8], 0
		mov	eax, [eax]
		mov	[esp+2C8h+var_2B0], eax
		mov	eax, [ecx+18h]
		mov	[esp+2C8h+var_2AC], eax
		mov	eax, [ecx+1Ch]
		mov	[esp+2C8h+var_2A8], eax
		jnz	short loc_8E8426
		mov	[esp+2C8h+var_2B8], offset _SeSubsystemName

loc_8E8426:				; CODE XREF: SepAdtPrivilegedServiceAuditAlarm+14A51Ej
		push	298h		; size_t
		lea	eax, [esp+2CCh+var_2A0]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ax, word ptr [esp+2D4h+var_2B4]
		add	esp, 0Ch
		cmp	[ebp+arg_10], 0
		mov	[esp+2C8h+var_290], ax
		mov	[esp+2C8h+var_29C], 1241h
		push	4
		pop	ecx
		push	8
		mov	[esp+2CCh+var_2A0], ecx
		pop	eax
		jnz	short loc_8E845F
		push	10h
		pop	eax

loc_8E845F:				; CODE XREF: SepAdtPrivilegedServiceAuditAlarm+14A55Cj
		mov	[esp+2C8h+var_288], ecx
		mov	ecx, [esp+2C8h+var_2B0]
		mov	[esp+2C8h+var_28E], ax
		mov	[esp+2C8h+var_278], ecx
		mov	[esp+2C8h+var_274], 1
		movzx	eax, byte ptr [ecx+1]
		mov	ecx, [esp+2C8h+var_2B8]
		mov	[esp+2C8h+var_264], ecx
		mov	[esp+2C8h+var_260], 5
		lea	eax, ds:8[eax*4]
		movzx	edx, word ptr [ecx]
		add	edx, 8
		mov	[esp+2C8h+var_284], eax
		mov	[esp+2C8h+var_270], edx
		push	8
		test	esi, esi
		jz	short loc_8E84BC
		mov	eax, [esi+18h]
		mov	[esp+2CCh+var_258], eax
		mov	eax, [esi+1Ch]
		mov	[esp+2CCh+var_25C], 8
		pop	esi
		jmp	short loc_8E84CD
; 

loc_8E84BC:				; CODE XREF: SepAdtPrivilegedServiceAuditAlarm+14A5A7j
		mov	eax, [esp+2CCh+var_2AC]
		pop	esi
		mov	[esp+2C8h+var_258], eax
		mov	eax, [esp+2C8h+var_2A8]
		mov	[esp+2C8h+var_25C], esi

loc_8E84CD:				; CODE XREF: SepAdtPrivilegedServiceAuditAlarm+14A5BCj
		mov	[esp+2C8h+var_254], eax
		xor	eax, eax
		inc	eax
		mov	[esp+2C8h+var_23C], ecx
		mov	ecx, [ebp+arg_0]
		mov	[esp+2C8h+var_24C], eax
		mov	[esp+2C8h+var_248], edx
		test	ecx, ecx
		jz	short loc_8E8507
		mov	[esp+2C8h+var_238], eax
		movzx	eax, word ptr [ecx]
		add	eax, esi
		mov	[esp+2C8h+var_228], ecx
		mov	[esp+2C8h+var_234], eax

loc_8E8507:				; CODE XREF: SepAdtPrivilegedServiceAuditAlarm+14A5EDj
		test	ebx, ebx
		jz	short loc_8E852B
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_8E852B
		imul	eax, 0Ch
		mov	[esp+2C8h+var_224], esi
		mov	[esp+2C8h+var_214], ebx
		add	eax, esi
		mov	[esp+2C8h+var_220], eax

loc_8E852B:				; CODE XREF: SepAdtPrivilegedServiceAuditAlarm+14A60Bj
					; SepAdtPrivilegedServiceAuditAlarm+14A611j
		mov	ecx, [esp+2C8h+var_2BC]
		mov	eax, [esp+2C8h+var_2A4]
		mov	[esp+2C8h+var_208], eax
		mov	[esp+2C8h+var_1EC], ecx
		movzx	eax, word ptr [ecx]
		lea	ecx, [esp+2C8h+var_2A0]
		add	eax, esi
		mov	[esp+2C8h+var_210], 0Bh
		mov	[esp+2C8h+var_20C], 4
		mov	[esp+2C8h+var_1FC], 2
		mov	[esp+2C8h+var_1F8], eax
		mov	[esp+2C8h+var_298], esi
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)

loc_8E857B:				; CODE XREF: SepAdtPrivilegedServiceAuditAlarm+14A4E7j
		cmp	[esp+2C8h+var_2BC], 0
		jz	short loc_8E858D
		push	0
		push	[esp+2CCh+var_2BC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E858D:				; CODE XREF: SepAdtPrivilegedServiceAuditAlarm+14A682j
		test	edi, edi
		jns	loc_79DF50
		push	edi
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	loc_79DF50
; END OF FUNCTION CHUNK	FOR SepAdtPrivilegedServiceAuditAlarm
; 
; START	OF FUNCTION CHUNK FOR SepAdtPrivilegeObjectAuditAlarm

loc_8E85A0:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+4Fj
		mov	esi, [ebp+arg_8]
		mov	edi, [ebp+arg_C]
		test	esi, esi
		jz	short loc_8E85B2
		mov	eax, [esi+94h]
		jmp	short loc_8E85B8
; 

loc_8E85B2:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A640j
		mov	eax, [edi+94h]

loc_8E85B8:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A648j
		mov	eax, [eax]
		push	eax
		push	_SeLocalSystemSid
		mov	[esp+2D0h+var_2B0], eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	loc_79DFBD
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		lea	edx, [esp+2C8h+var_2B8]
		mov	ecx, eax
		call	PsGetAllocatedFullProcessImageNameEx
		test	eax, eax
		jns	short loc_8E85F1
		push	eax
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	loc_79DFBD
; 

loc_8E85F1:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A67Cj
		mov	eax, [edi+18h]
		mov	edi, [edi+1Ch]
		mov	[esp+2C8h+var_2AC], eax
		test	ebx, ebx
		jnz	short loc_8E8604
		mov	ebx, offset _SeSubsystemName

loc_8E8604:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A695j
		push	298h		; size_t
		lea	eax, [esp+2CCh+var_2A0]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ax, word ptr [esp+2D4h+var_2B4]
		add	esp, 0Ch
		cmp	[ebp+arg_1C], 0
		mov	[esp+2C8h+var_290], ax
		mov	[esp+2C8h+var_29C], 1242h
		push	4
		pop	ecx
		push	8
		mov	[esp+2CCh+var_2A0], ecx
		pop	edx
		jz	short loc_8E8641
		mov	[esp+2C8h+var_28E], dx
		jmp	short loc_8E8649
; 

loc_8E8641:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A6D0j
		push	10h
		pop	eax
		mov	[esp+2C8h+var_28E], ax

loc_8E8649:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A6D7j
		mov	[esp+2C8h+var_288], ecx
		mov	ecx, [esp+2C8h+var_2B0]
		mov	[esp+2C8h+var_278], ecx
		mov	[esp+2C8h+var_274], 1
		mov	[esp+2C8h+var_264], ebx
		movzx	eax, byte ptr [ecx+1]
		movzx	ecx, word ptr [ebx]
		add	ecx, 8
		mov	[esp+2C8h+var_260], 5
		mov	[esp+2C8h+var_270], ecx
		mov	[esp+2C8h+var_25C], edx
		lea	eax, ds:8[eax*4]
		mov	[esp+2C8h+var_284], eax
		test	esi, esi
		jz	short loc_8E869A
		mov	eax, [esi+18h]
		mov	[esp+2C8h+var_258], eax
		mov	eax, [esi+1Ch]
		mov	[esp+2C8h+var_254], eax
		jmp	short loc_8E86A6
; 

loc_8E869A:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A720j
		mov	eax, [esp+2C8h+var_2AC]
		mov	[esp+2C8h+var_258], eax
		mov	[esp+2C8h+var_254], edi

loc_8E86A6:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A730j
		xor	eax, eax
		mov	[esp+2C8h+var_23C], ebx
		mov	ebx, [esp+2C8h+var_2A8]
		inc	eax
		mov	[esp+2C8h+var_24C], eax
		mov	[esp+2C8h+var_248], ecx
		test	ebx, ebx
		jz	short loc_8E86DD
		mov	[esp+2C8h+var_238], eax
		movzx	eax, word ptr [ebx]
		add	eax, edx
		mov	[esp+2C8h+var_228], ebx
		mov	[esp+2C8h+var_234], eax

loc_8E86DD:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A759j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_8E8702
		movzx	eax, word ptr [ecx]
		add	eax, edx
		mov	[esp+2C8h+var_224], 2
		mov	[esp+2C8h+var_220], eax
		mov	[esp+2C8h+var_214], ecx

loc_8E8702:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A77Aj
		mov	ecx, [ebp+arg_4]
		xor	dl, dl
		push	0Bh
		pop	edi
		push	4
		pop	esi
		mov	[esp+2C8h+var_210], edi
		mov	[esp+2C8h+var_20C], esi
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jz	short loc_8E872A
		xor	ecx, 80000000h

loc_8E872A:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A7BAj
		mov	eax, [ebp+arg_14]
		and	ecx, 0FFFFFFFCh
		mov	[esp+2C8h+var_208], ecx
		mov	[esp+2C8h+var_1F8], esi
		mov	[esp+2C8h+var_1F4], eax
		test	ebx, ebx
		jz	short loc_8E875D
		mov	[esp+2C8h+var_1FC], 7
		mov	[esp+2C8h+var_1F0], esi
		jmp	short loc_8E8768
; 

loc_8E875D:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A7DFj
		mov	[esp+2C8h+var_1FC], 3

loc_8E8768:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A7F3j
		mov	ecx, [esp+2C8h+var_2A4]
		test	ecx, ecx
		jz	short loc_8E8795
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_8E8795
		imul	eax, 0Ch
		mov	[esp+2C8h+var_1E8], 8
		mov	[esp+2C8h+var_1D8], ecx
		add	eax, 8
		mov	[esp+2C8h+var_1E4], eax

loc_8E8795:				; CODE XREF: SepAdtPrivilegeObjectAuditAlarm+14A806j
					; SepAdtPrivilegeObjectAuditAlarm+14A80Cj
		mov	edx, [esp+2C8h+var_2B8]
		mov	eax, [ebp+arg_10]
		mov	[esp+2C8h+var_1D4], edi
		mov	[esp+2C8h+var_1D0], esi
		movzx	ecx, word ptr [edx]
		add	ecx, 8
		mov	[esp+2C8h+var_1CC], eax
		mov	[esp+2C8h+var_1BC], ecx
		lea	ecx, [esp+2C8h+var_2A0]
		mov	[esp+2C8h+var_1C0], 2
		mov	[esp+2C8h+var_1B0], edx
		mov	[esp+2C8h+var_298], edi
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		push	0
		push	[esp+2CCh+var_2B8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, 1
		jmp	loc_79DFBF
; END OF FUNCTION CHUNK	FOR SepAdtPrivilegeObjectAuditAlarm
; 
; START	OF FUNCTION CHUNK FOR SepAdtAuditPrivilegeUseWithContext

loc_8E87EF:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+4Fj
		cmp	[ebp+arg_4], 0
		jnz	short loc_8E881F
		lea	ebx, [esp+38h+var_10]
		mov	eax, ebx
		push	eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	dl, [esp+38h+var_29]
		mov	dh, [esp+38h+var_2A]
		jmp	short loc_8E8822
; 

loc_8E881F:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A813j
		mov	ebx, [ebp+arg_4]

loc_8E8822:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A83Dj
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_8E8843
		mov	eax, [ebx+8]
		test	eax, eax
		jnz	short loc_8E8843
		push	0C000007Ch
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		mov	dl, [esp+38h+var_29]
		mov	dh, [esp+38h+var_2A]
		jmp	short loc_8E8854
; 

loc_8E8843:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A846j
					; SepAdtAuditPrivilegeUseWithContext+14A84Dj
		lea	ecx, [esp+38h+var_28]
		push	ecx
		push	eax
		push	esi
		mov	ecx, 1Fh
		call	_SepAdtIncorporatePerUserPolicy@20 ; SepAdtIncorporatePerUserPolicy(x,x,x,x,x)

loc_8E8854:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A861j
		cmp	[ebp+arg_4], 0
		jnz	short loc_8E8868
		push	ebx
		call	SeReleaseSubjectContext
		mov	dl, [esp+38h+var_29]
		mov	dh, [esp+38h+var_2A]

loc_8E8868:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A878j
		mov	bh, [esp+38h+var_28]
		jmp	loc_79E035
; 

loc_8E8871:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+7Fj
		cmp	[ebp+arg_4], 0
		jnz	short loc_8E88A7
		lea	eax, [esp+38h+var_20]
		push	eax
		mov	[esp+3Ch+var_26+2], eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	dl, [esp+38h+var_29]
		lea	eax, [esp+38h+var_20]
		mov	dh, [esp+38h+var_2A]
		jmp	short loc_8E88AE
; 

loc_8E88A7:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A895j
		mov	eax, [ebp+arg_4]
		mov	[esp+38h+var_26+2], eax

loc_8E88AE:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A8C5j
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_8E88CB
		mov	ecx, [eax+8]
		test	ecx, ecx
		jnz	short loc_8E88CB
		push	0C000007Ch
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		mov	dh, [esp+38h+var_2A]
		jmp	short loc_8E88DC
; 

loc_8E88CB:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A8D2j
					; SepAdtAuditPrivilegeUseWithContext+14A8D9j
		lea	eax, [esp+11h]
		push	eax
		push	ecx
		push	esi
		mov	ecx, 20h
		call	_SepAdtIncorporatePerUserPolicy@20 ; SepAdtIncorporatePerUserPolicy(x,x,x,x,x)

loc_8E88DC:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A8E9j
		cmp	[ebp+arg_4], 0
		jnz	short loc_8E88F0
		mov	eax, [esp+38h+var_26+2]
		push	eax
		call	SeReleaseSubjectContext
		mov	dh, [esp+38h+var_2A]

loc_8E88F0:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A900j
		mov	bl, [esp+38h+var_27]
		jmp	loc_79E065
; 

loc_8E88F9:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+87j
					; SepAdtAuditPrivilegeUseWithContext+8Fj
		mov	edx, edi
		xor	ecx, ecx
		call	SepFilterPrivilegeAudits
		test	al, al
		jz	short loc_8E8961
		test	bh, bh
		jz	short loc_8E8917
		test	bl, bl
		jz	short loc_8E8917
		test	edi, edi
		jz	short loc_8E8917
		cmp	dword ptr [edi], 0
		jnz	short loc_8E8932

loc_8E8917:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A928j
					; SepAdtAuditPrivilegeUseWithContext+14A92Cj ...
		lea	eax, [esp+38h+var_26+1]
		mov	ecx, edi
		push	eax
		lea	edx, [esp+3Ch+var_26]
		call	_SepAdtCheckPrivilegeForSensitivity@12 ; SepAdtCheckPrivilegeForSensitivity(x,x,x)
		test	bh, bh
		jz	short loc_8E8944
		cmp	byte ptr [esp+38h+var_26], 0
		jz	short loc_8E8944

loc_8E8932:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A935j
		mov	ecx, [ebp+arg_8]
		mov	edx, 83h
		mov	al, 1
		mov	[ecx], dx
		jmp	loc_79E077
; 

loc_8E8944:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A949j
					; SepAdtAuditPrivilegeUseWithContext+14A950j
		test	bl, bl
		jz	short loc_8E8961
		cmp	byte ptr [esp+38h+var_26+1], 0
		jz	short loc_8E8961
		mov	ecx, [ebp+arg_8]
		mov	edx, 84h
		mov	al, 1
		mov	[ecx], dx
		jmp	loc_79E077
; 

loc_8E8961:				; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A924j
					; SepAdtAuditPrivilegeUseWithContext+14A966j ...
		mov	al, [esp+38h+var_2A]
		jmp	loc_79E077
; END OF FUNCTION CHUNK	FOR SepAdtAuditPrivilegeUseWithContext
; 
; START	OF FUNCTION CHUNK FOR SepAdtAuditThisEventWithContext

loc_8E896A:				; CODE XREF: SepAdtAuditThisEventWithContext+26j
		xor	edx, edx
		test	bl, bl
		setnz	dl
		cmp	byte ptr [ebp+arg_0], al
		jz	short loc_8E8979
		or	edx, 10h

loc_8E8979:				; CODE XREF: SepAdtAuditThisEventWithContext+14A8F4j
		push	[ebp+arg_4]
		call	SepAdtAuditThisEventByCategoryWithContext
		jmp	loc_79E0CA
; 

loc_8E8986:				; CODE XREF: SepAdtAuditThisEventWithContext+40j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_8E89B5
		lea	eax, [esp+20h+var_10]
		push	eax
		mov	[esp+24h+var_15+1], eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		lea	eax, [esp+20h+var_10]
		jmp	short loc_8E89B9
; 

loc_8E89B5:				; CODE XREF: SepAdtAuditThisEventWithContext+14A90Bj
		mov	[esp+20h+var_15+1], eax

loc_8E89B9:				; CODE XREF: SepAdtAuditThisEventWithContext+14A933j
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_8E89D2
		mov	ecx, [eax+8]
		test	ecx, ecx
		jnz	short loc_8E89D2
		push	0C000007Ch
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	short loc_8E89E5
; 

loc_8E89D2:				; CODE XREF: SepAdtAuditThisEventWithContext+14A93Dj
					; SepAdtAuditThisEventWithContext+14A944j
		lea	eax, [esp+20h+var_15]
		mov	dl, bl
		push	eax
		push	ecx
		push	[ebp+arg_0]
		lea	ecx, [esi-64h]
		call	_SepAdtIncorporatePerUserPolicy@20 ; SepAdtIncorporatePerUserPolicy(x,x,x,x,x)

loc_8E89E5:				; CODE XREF: SepAdtAuditThisEventWithContext+14A950j
		cmp	[ebp+arg_4], 0
		jnz	loc_79E0C6
		mov	eax, [esp+20h+var_15+1]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_79E0C6
; END OF FUNCTION CHUNK	FOR SepAdtAuditThisEventWithContext
; 
; START	OF FUNCTION CHUNK FOR SepAdtAuditThisEventByCategoryWithContext

loc_8E89FE:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+37j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_8E8A2C
		lea	edi, [ebp+var_28]
		mov	eax, edi
		mov	[ebp+var_8], edi
		push	eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	edx, [ebp+var_18]
		jmp	short loc_8E8A31
; 

loc_8E8A2C:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14A923j
		mov	edi, ecx
		mov	[ebp+var_8], ecx

loc_8E8A31:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14A94Aj
		mov	ecx, [edi]
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jnz	short loc_8E8A50
		mov	ecx, [edi+8]
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jnz	short loc_8E8A50
		push	0C000007Ch
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	short loc_8E8AAA
; 

loc_8E8A50:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14A958j
					; SepAdtAuditThisEventByCategoryWithContext+14A962j
		cmp	byte ptr [ecx+77h], 2
		jnz	short loc_8E8AAA
		xor	edi, edi
		xor	eax, eax
		mov	[ebp+var_C], edi
		mov	[ebp+var_10], eax
		test	esi, esi
		jz	short loc_8E8A7A
		xor	edx, edx

loc_8E8A66:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14A993j
		movzx	eax, ds:_AdtpPerCategoryCount[edx*2]
		inc	edx
		add	edi, eax
		cmp	edx, esi
		jb	short loc_8E8A66
		mov	edx, [ebp+var_18]
		xor	eax, eax

loc_8E8A7A:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14A982j
		movzx	esi, ds:_AdtpPerCategoryCount[esi*2]
		lea	ecx, [edi+esi]
		mov	[ebp+var_18], ecx
		cmp	edi, ecx
		mov	ecx, [ebp+var_14]
		jb	short loc_8E8ABF
		xor	ecx, ecx

loc_8E8A91:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14AA20j
		test	dl, 1
		jz	short loc_8E8A9B
		cmp	cx, si
		jz	short loc_8E8AA5

loc_8E8A9B:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14A9B4j
		test	dl, 10h
		jz	short loc_8E8AA7
		cmp	ax, si
		jnz	short loc_8E8AA7

loc_8E8AA5:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14A9B9j
					; SepAdtAuditThisEventByCategoryWithContext+14A9F9j ...
		mov	bl, 1

loc_8E8AA7:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14A9BEj
					; SepAdtAuditThisEventByCategoryWithContext+14A9C3j
		mov	edi, [ebp+var_8]

loc_8E8AAA:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14A96Ej
					; SepAdtAuditThisEventByCategoryWithContext+14A974j
		cmp	[ebp+arg_0], 0
		jnz	loc_79E11D
		push	edi
		call	SeReleaseSubjectContext
		jmp	loc_79E11D
; 

loc_8E8ABF:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14A9ADj
					; SepAdtAuditThisEventByCategoryWithContext+14AA25j
		mov	eax, edi
		shr	eax, 1
		movzx	eax, byte ptr [eax+ecx+58h]
		mov	ecx, edi
		and	ecx, 1
		shl	ecx, 2
		shr	eax, cl
		test	al, 1
		jz	short loc_8E8AE4
		test	dl, 2
		jnz	short loc_8E8AA5
		mov	ecx, [ebp+var_C]
		inc	ecx
		mov	[ebp+var_C], ecx
		jmp	short loc_8E8AE7
; 

loc_8E8AE4:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14A9F4j
		mov	ecx, [ebp+var_C]

loc_8E8AE7:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14AA02j
		test	al, 4
		jz	short loc_8E8AF9
		test	dl, 20h
		jnz	short loc_8E8AA5
		mov	eax, [ebp+var_10]
		inc	eax
		mov	[ebp+var_10], eax
		jmp	short loc_8E8AFC
; 

loc_8E8AF9:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14AA09j
		mov	eax, [ebp+var_10]

loc_8E8AFC:				; CODE XREF: SepAdtAuditThisEventByCategoryWithContext+14AA17j
		inc	edi
		cmp	edi, [ebp+var_18]
		jnb	short loc_8E8A91
		mov	ecx, [ebp+var_14]
		jmp	short loc_8E8ABF
; END OF FUNCTION CHUNK	FOR SepAdtAuditThisEventByCategoryWithContext
; 
; START	OF FUNCTION CHUNK FOR SepAdtTokenRightAdjusted

loc_8E8B07:				; CODE XREF: SepAdtTokenRightAdjusted+77j
		mov	edx, [ebp+arg_0]
		mov	ecx, [esp+2E8h+var_2C8]
		call	_SepAdtAuditablePrivilege@8 ; SepAdtAuditablePrivilege(x,x)
		mov	edi, [ebp+arg_8]
		test	al, al
		jnz	short loc_8E8B2D
		mov	ecx, [esp+2E8h+var_2CC]
		mov	edx, edi
		call	_SepAdtAuditablePrivilege@8 ; SepAdtAuditablePrivilege(x,x)
		test	al, al
		jz	loc_79E2B3

loc_8E8B2D:				; CODE XREF: SepAdtTokenRightAdjusted+14A8E2j
		push	298h		; size_t
		lea	eax, [esp+2ECh+var_2A0]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+2E8h+var_2A0], 5
		mov	eax, 8Bh
		mov	[esp+2E8h+var_29C], 125Fh
		mov	[esp+2E8h+var_290], ax
		push	8
		pop	eax
		cmp	[ebp+arg_C], bl
		jnz	short loc_8E8B66
		push	10h
		pop	eax

loc_8E8B66:				; CODE XREF: SepAdtTokenRightAdjusted+14A92Bj
		mov	[esp+2E8h+var_28E], ax
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		cmp	[eax+1C0h], ebx
		jz	loc_79E2B3
		mov	ecx, [eax+0E4h]
		lea	edx, [esp+2E8h+var_2D4]
		mov	[esp+2E8h+var_2B4], ecx
		mov	ecx, eax
		call	PsGetAllocatedFullProcessImageNameEx
		test	eax, eax
		js	loc_79E2B3
		mov	eax, esi
		test	esi, esi
		jnz	short loc_8E8BA3
		mov	eax, [esp+2E8h+var_2A8]

loc_8E8BA3:				; CODE XREF: SepAdtTokenRightAdjusted+14A967j
		mov	eax, [eax+94h]
		mov	eax, [eax]
		mov	[esp+2E8h+var_2C4], eax
		test	esi, esi
		jnz	short loc_8E8BB7
		mov	esi, [esp+2E8h+var_2A8]

loc_8E8BB7:				; CODE XREF: SepAdtTokenRightAdjusted+14A97Bj
		mov	eax, [esi+18h]
		mov	[esp+2E8h+var_2C0], eax
		mov	eax, [esi+1Ch]
		mov	[esp+2E8h+var_2BC], eax
		mov	eax, [esp+2E8h+var_2D0]
		mov	ecx, [eax+18h]
		mov	eax, [eax+1Ch]
		mov	[esp+2E8h+var_2D0], ecx
		mov	[esp+2E8h+var_2B8], eax
		test	edi, edi
		jz	short loc_8E8C21
		imul	eax, edi, 0Ch
		push	70416553h
		add	eax, 14h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+2E8h+var_2D8], esi
		test	esi, esi
		jz	loc_79E2B7
		mov	eax, [ebp+arg_8]
		lea	ecx, [esi+8]
		mov	edx, [esp+2E8h+var_2CC]
		mov	dword ptr [esi+4], 1
		mov	[esi], edi

loc_8E8C0F:				; CODE XREF: SepAdtTokenRightAdjusted+14A9E9j
		mov	esi, edx
		mov	edi, ecx
		add	edx, 0Ch
		add	ecx, 0Ch
		movsd
		movsd
		movsd
		sub	eax, 1
		jnz	short loc_8E8C0F

loc_8E8C21:				; CODE XREF: SepAdtTokenRightAdjusted+14A9A3j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_8E8C6A
		imul	eax, 0Ch
		push	70416553h
		add	eax, 14h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_79E2B3
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebx+8]
		mov	edx, [esp+2E8h+var_2C8]
		mov	dword ptr [ebx+4], 1
		mov	[ebx], eax

loc_8E8C58:				; CODE XREF: SepAdtTokenRightAdjusted+14AA32j
		mov	esi, edx
		mov	edi, ecx
		add	edx, 0Ch
		add	ecx, 0Ch
		movsd
		movsd
		movsd
		sub	eax, 1
		jnz	short loc_8E8C58

loc_8E8C6A:				; CODE XREF: SepAdtTokenRightAdjusted+14A9F0j
		mov	ecx, [esp+2E8h+var_2C4]
		mov	esi, [esp+2E8h+var_2D8]
		push	4
		pop	edx
		movzx	eax, byte ptr [ecx+1]
		mov	[esp+2E8h+var_278], ecx
		mov	ecx, [esp+2E8h+var_2D4]
		push	8
		lea	eax, ds:8[eax*4]
		mov	[esp+2ECh+var_288], edx
		mov	[esp+2ECh+var_284], eax
		mov	eax, [esp+2ECh+var_2C0]
		mov	[esp+2ECh+var_258], eax
		mov	eax, [esp+2ECh+var_2BC]
		mov	[esp+2ECh+var_254], eax
		mov	eax, [esp+2ECh+var_2D0]
		mov	[esp+2ECh+var_244], eax
		mov	eax, [esp+2ECh+var_2B8]
		mov	[esp+2ECh+var_240], eax
		movzx	eax, word ptr [ecx]
		pop	edi
		add	eax, edi
		mov	[esp+2E8h+var_274], 1
		mov	[esp+2E8h+var_234], eax
		mov	eax, [esp+2E8h+var_2B4]
		mov	[esp+2E8h+var_270], 18h
		mov	[esp+2E8h+var_264], offset _SeSubsystemName
		mov	[esp+2E8h+var_260], 5
		mov	[esp+2E8h+var_25C], edi
		mov	[esp+2E8h+var_24C], 23h
		mov	[esp+2E8h+var_248], edi
		mov	[esp+2E8h+var_238], 2
		mov	[esp+2E8h+var_228], ecx
		mov	[esp+2E8h+var_224], 0Bh
		mov	[esp+2E8h+var_220], edx
		mov	[esp+2E8h+var_21C], eax
		test	esi, esi
		jz	short loc_8E8D61
		mov	eax, [esi]
		mov	[esp+2E8h+var_210], edi
		test	eax, eax
		jz	short loc_8E8D51
		imul	eax, 0Ch
		add	eax, edi
		jmp	short loc_8E8D53
; 

loc_8E8D51:				; CODE XREF: SepAdtTokenRightAdjusted+14AB12j
		mov	eax, edi

loc_8E8D53:				; CODE XREF: SepAdtTokenRightAdjusted+14AB19j
		mov	[esp+2E8h+var_20C], eax
		mov	[esp+2E8h+var_200], esi

loc_8E8D61:				; CODE XREF: SepAdtTokenRightAdjusted+14AB05j
		test	ebx, ebx
		jz	short loc_8E8D89
		mov	eax, [ebx]
		mov	[esp+2E8h+var_1FC], edi
		test	eax, eax
		jz	short loc_8E8D79
		imul	eax, 0Ch
		add	eax, edi
		jmp	short loc_8E8D7B
; 

loc_8E8D79:				; CODE XREF: SepAdtTokenRightAdjusted+14AB3Aj
		mov	eax, edi

loc_8E8D7B:				; CODE XREF: SepAdtTokenRightAdjusted+14AB41j
		mov	[esp+2E8h+var_1F8], eax
		mov	[esp+2E8h+var_1EC], ebx

loc_8E8D89:				; CODE XREF: SepAdtTokenRightAdjusted+14AB2Dj
		lea	ecx, [esp+2E8h+var_2A0]
		mov	[esp+2E8h+var_298], edi
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		jmp	loc_79E2B7
; 

loc_8E8D9B:				; CODE XREF: SepAdtTokenRightAdjusted+86j
		push	0
		push	[esp+2ECh+var_2D4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_79E2C2
; 

loc_8E8DAB:				; CODE XREF: SepAdtTokenRightAdjusted+8Ej
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_79E2CA
; 

loc_8E8DB8:				; CODE XREF: SepAdtTokenRightAdjusted+96j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_79E2D2
; END OF FUNCTION CHUNK	FOR SepAdtTokenRightAdjusted
; 
; START	OF FUNCTION CHUNK FOR SeAuditingWithTokenForSubcategory

loc_8E8DC5:				; CODE XREF: SeAuditingWithTokenForSubcategory+2Aj
		test	esi, esi
		jz	short loc_8E8DCD
		mov	eax, esi
		jmp	short loc_8E8DF3
; 

loc_8E8DCD:				; CODE XREF: SeAuditingWithTokenForSubcategory+14AAC9j
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_8E8DF3
		mov	eax, [ebp+var_C]

loc_8E8DF3:				; CODE XREF: SeAuditingWithTokenForSubcategory+14AACDj
					; SeAuditingWithTokenForSubcategory+14AAF0j
		lea	ecx, [ebp+var_1]
		mov	dl, 1
		push	ecx
		push	eax
		push	0
		lea	ecx, [ebx-64h]
		call	_SepAdtIncorporatePerUserPolicy@20 ; SepAdtIncorporatePerUserPolicy(x,x,x,x,x)
		test	esi, esi
		jnz	loc_79E32E
		lea	eax, [ebp+var_14]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_79E32E
; END OF FUNCTION CHUNK	FOR SeAuditingWithTokenForSubcategory
; 
; START	OF FUNCTION CHUNK FOR PspInsertProcess

loc_8E8E1A:				; CODE XREF: PspInsertProcess+D7j
		mov	esi, 0C000010Ah
		jmp	short loc_8E8E8A
; 

loc_8E8E21:				; CODE XREF: PspInsertProcess+E4j
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_10]
		and	[ebp+var_10], 0
		push	0
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_10], al
		push	[ebp+arg_10]
		mov	eax, ds:_DbgkDebugObjectType
		push	eax
		push	edx
		push	[ebp+arg_8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_10]
		mov	[ebp+arg_8], eax
		test	esi, esi
		js	short loc_8E8E8A
		jmp	loc_79E483
; 

loc_8E8E5D:				; CODE XREF: PspInsertProcess+105j
		call	ObfDereferenceObject
		jmp	loc_79E49F
; 

loc_8E8E67:				; CODE XREF: PspInsertProcess+117j
		test	byte ptr [ebp+arg_4], 2
		jz	loc_79E4B1
		push	2
		lea	eax, [edi+0FCh]
		pop	ecx
		lock or	[eax], ecx
		jmp	loc_79E4B1
; 

loc_8E8E82:				; CODE XREF: PspInsertProcess+180j
					; PspInsertProcess+1A7j
		mov	ecx, [ebp+arg_14]
		call	_PspDeleteObjectAccessState@4 ;	PspDeleteObjectAccessState(x)

loc_8E8E8A:				; CODE XREF: PspInsertProcess+69j
					; PspInsertProcess+10Dj ...
		test	[ebp+arg_C], 1
		jz	short loc_8E8E9A
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	PspUnlockProcessExclusive

loc_8E8E9A:				; CODE XREF: PspInsertProcess+14AAFAj
		mov	eax, esi
		jmp	loc_79E550
; END OF FUNCTION CHUNK	FOR PspInsertProcess
; 
; START	OF FUNCTION CHUNK FOR ObCheckRefTraceProcess

loc_8E8EA1:				; CODE XREF: ObCheckRefTraceProcess+28j
		push	esi
		call	_PsGetProcessImageFileName@4 ; PsGetProcessImageFileName(x)
		push	eax
		lea	eax, [esp+1Ch+var_10]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		cmp	word ptr [esp+18h+var_10], 0
		jz	loc_79E5C0
		push	1
		lea	eax, [esp+1Ch+var_10]
		push	eax
		lea	eax, [esp+20h+var_8]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	loc_79E5C2
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	edi, offset _ObpStackTraceLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		test	byte ptr ds:_ObpTraceFlags, 20h
		jz	short loc_8E8F20
		push	1
		push	_ObpTraceProcessName
		lea	eax, [esp+20h+var_8]
		push	eax
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_8E8F20
		mov	ecx, 200h
		lea	eax, [esi+0F8h]
		lock or	[eax], ecx

loc_8E8F20:				; CODE XREF: ObCheckRefTraceProcess+14A968j
					; ObCheckRefTraceProcess+14A97Ej
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8E8F34
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8E8F34:				; CODE XREF: ObCheckRefTraceProcess+14A999j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		lea	eax, [esp+18h+var_8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	loc_79E5C0
; END OF FUNCTION CHUNK	FOR ObCheckRefTraceProcess
; 
; START	OF FUNCTION CHUNK FOR DbgkCopyProcessDebugPort

loc_8E8F56:				; CODE XREF: DbgkCopyProcessDebugPort+27j
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		call	ExAcquireFastMutex
		mov	esi, [edi+190h]
		test	esi, esi
		jz	short loc_8E8F7E
		test	byte ptr [edi+0FCh], 2
		jnz	short loc_8E8F7C
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		jmp	short loc_8E8F7E
; 

loc_8E8F7C:				; CODE XREF: DbgkCopyProcessDebugPort+14A9A9j
		xor	esi, esi

loc_8E8F7E:				; CODE XREF: DbgkCopyProcessDebugPort+14A9A0j
					; DbgkCopyProcessDebugPort+14A9B2j
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	short loc_8E8F91
; 

loc_8E8F8A:				; CODE XREF: DbgkCopyProcessDebugPort+19j
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_8E8F91:				; CODE XREF: DbgkCopyProcessDebugPort+14A9C0j
		test	esi, esi
		jz	loc_79E5F5
		mov	eax, large fs:124h
		mov	edx, edi
		push	ebx
		mov	cl, [eax+15Ah]
		call	_DbgkpValidateDebugTarget@12 ; DbgkpValidateDebugTarget(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_8E8FC1
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	loc_79E5FF
; 

loc_8E8FC1:				; CODE XREF: DbgkCopyProcessDebugPort+14A9E9j
		lea	ecx, [esi+10h]
		mov	byte ptr [ebp+arg_0+3],	0
		call	ExAcquireFastMutex
		test	byte ptr [esi+38h], 1
		jnz	short loc_8E8FDB
		mov	[ebx+190h], esi
		jmp	short loc_8E8FDF
; 

loc_8E8FDB:				; CODE XREF: DbgkCopyProcessDebugPort+14AA09j
		mov	byte ptr [ebp+arg_0+3],	1

loc_8E8FDF:				; CODE XREF: DbgkCopyProcessDebugPort+14AA11j
		lea	ecx, [esi+10h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	byte ptr [ebp+arg_0+3],	0
		jz	short loc_8E8FF6
		mov	ecx, esi
		call	ObfDereferenceObject
		xor	esi, esi

loc_8E8FF6:				; CODE XREF: DbgkCopyProcessDebugPort+14AA23j
		test	esi, esi
		jz	loc_79E5F5
		mov	ecx, ebx
		call	_DbgkpMarkProcessPeb@4 ; DbgkpMarkProcessPeb(x)
		test	esi, esi
		jmp	loc_79E5F5
; END OF FUNCTION CHUNK	FOR DbgkCopyProcessDebugPort
; 
; START	OF FUNCTION CHUNK FOR SepAddLuidToIndexEntry

loc_8E900C:				; CODE XREF: SepAddLuidToIndexEntry+29j
		mov	esi, 0C0000017h
		jmp	loc_79E7AF
; 

loc_8E9016:				; CODE XREF: SepAddLuidToIndexEntry+147j
		mov	esi, 0C0000017h
		jmp	short loc_8E904D
; 

loc_8E901D:				; CODE XREF: SepAddLuidToIndexEntry+96j
		xor	eax, eax
		inc	eax
		jmp	loc_79E74E
; 

loc_8E9025:				; CODE XREF: SepAddLuidToIndexEntry+A9j
		mov	eax, [ebp+var_4]
		mov	ecx, ebx
		shr	ecx, 3
		and	ebx, 7
		mov	esi, 0C0000017h
		add	ecx, [eax+4]
		movsx	eax, byte ptr [ecx]
		btr	eax, ebx
		mov	[ecx], al
		xor	eax, eax
		mov	[ebp+var_8], eax
		test	esi, esi
		jns	loc_79E785

loc_8E904D:				; CODE XREF: SepAddLuidToIndexEntry+156j
					; SepAddLuidToIndexEntry+14A969j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	loc_79E785
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_79E785
; END OF FUNCTION CHUNK	FOR SepAddLuidToIndexEntry
; 
; START	OF FUNCTION CHUNK FOR ObInitProcess

loc_8E906D:				; CODE XREF: ObInitProcess+40j
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	esi, [esp+20h+var_10]
		test	esi, esi
		jz	short loc_8E9099
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	ExSweepHandleTable
		mov	ecx, esi
		call	_ExpRemoveHandleTable@4	; ExpRemoveHandleTable(x)
		mov	ecx, esi
		call	ExpFreeHandleTable

loc_8E9099:				; CODE XREF: ObInitProcess+14A82Cj
		mov	eax, [esp+20h+var_C]
		jmp	loc_79E8D1
; 

loc_8E90A2:				; CODE XREF: ObInitProcess+68j
		push	0
		lea	eax, [esp+24h+var_8]
		mov	[esp+24h+var_8], ebx
		push	eax
		push	offset _ObAuditInheritedHandleProcedure@16 ; ObAuditInheritedHandleProcedure(x,x,x,x)
		push	[esp+2Ch+var_10]
		mov	[esp+30h+var_4], esi
		call	ExEnumHandleTable
		jmp	loc_79E8C0
; 

loc_8E90C4:				; CODE XREF: ObInitProcess+50j
		and	dword ptr [ebx+18Ch], 0
		test	edi, edi
		jz	short loc_8E90DA
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_8E90DA:				; CODE XREF: ObInitProcess+14A87Bj
		mov	eax, 0C000009Ah
		jmp	loc_79E8D1
; END OF FUNCTION CHUNK	FOR ObInitProcess
; 
; START	OF FUNCTION CHUNK FOR SeSubProcessToken

loc_8E90E4:				; CODE XREF: SeSubProcessToken+105j
					; SeSubProcessToken+112j
		test	byte ptr [ebx],	2
		mov	edi, 0C000049Dh
		mov	[ebp+var_16C], edi
		jz	short loc_8E916F
		mov	ecx, large fs:124h
		lea	eax, [ebp+var_168]
		push	0
		push	eax
		lea	eax, [ebp+var_158]
		push	eax
		lea	edx, [ebp+var_160]
		call	PsReferenceEffectiveToken
		cmp	[ebp+var_160], 2
		mov	esi, eax
		jnz	short loc_8E912A
		cmp	[ebp+var_168], 2
		jl	short loc_8E9164

loc_8E912A:				; CODE XREF: SeSubProcessToken+14A82Fj
		mov	ecx, esi
		call	_SeTokenIsNoChildProcessRestrictionEnforced@8 ;	SeTokenIsNoChildProcessRestrictionEnforced(x,x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, edi
		cmp	[ebp+var_160], 1
		mov	[ebp+var_16C], eax
		jnz	short loc_8E9164
		mov	eax, large fs:124h
		mov	edx, esi
		mov	ecx, [eax+80h]
		add	ecx, 12Ch
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		jmp	short loc_8E916F
; 

loc_8E9164:				; CODE XREF: SeSubProcessToken+14A838j
					; SeSubProcessToken+14A857j
		test	esi, esi
		jz	short loc_8E916F
		mov	ecx, esi
		call	ObfDereferenceObject

loc_8E916F:				; CODE XREF: SeSubProcessToken+14A802j
					; SeSubProcessToken+14A872j ...
		mov	edi, [ebx+8]
		mov	eax, [ebp+var_170]
		dec	edi
		neg	edi
		sbb	edi, edi
		and	edi, [ebp+var_16C]
		test	byte ptr [eax+3A8h], 1
		jz	short loc_8E9198
		mov	eax, [eax+3D4h]
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_8E9198:				; CODE XREF: SeSubProcessToken+14A89Aj
		test	edi, edi
		jns	loc_79EA08
		cmp	byte ptr [ebp+var_154],	0
		jz	short loc_8E91B4
		mov	eax, [ebx+0Ch]
		neg	eax
		sbb	eax, eax
		not	eax
		and	edi, eax

loc_8E91B4:				; CODE XREF: SeSubProcessToken+14A8B7j
		test	edi, edi
		jns	loc_79EA08
		mov	esi, [ebx+14h]
		mov	edx, esi
		mov	bl, byte ptr [ebp+var_154+2]
		neg	edx
		sbb	edx, edx
		lea	eax, [esi+40h]
		and	edx, eax
		lea	eax, [esi+38h]
		neg	esi
		push	edx
		mov	edx, [ebp+var_15C]
		sbb	esi, esi
		and	esi, eax
		xor	ecx, ecx
		test	bl, bl
		push	esi
		mov	edx, [edx+10h]
		setnz	cl
		inc	ecx
		call	_EtwTimLogProhibitChildProcessCreation@16 ; EtwTimLogProhibitChildProcessCreation(x,x,x,x)
		test	bl, bl
		jnz	loc_79EC4D
		mov	ebx, [ebp+var_15C]
		jmp	loc_79EA08
; 

loc_8E9204:				; CODE XREF: SeSubProcessToken+165j
		mov	[ebp+var_150], esi
		jmp	loc_79EC4D
; 

loc_8E920F:				; CODE XREF: SeSubProcessToken+401j
		mov	edx, [ecx+274h]
		mov	ecx, eax
		call	SepDereferenceLowBoxNumberEntry
		mov	eax, [ebp+var_150]
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		mov	[eax+274h], ecx
		mov	edx, esi
		mov	ecx, [ebp+var_150]
		call	_SepSetTokenSessionById@20 ; SepSetTokenSessionById(x,x,x,x,x)
		mov	eax, [ebp+var_150]
		mov	[eax+78h], esi
		mov	ecx, [ebp+var_150]
		mov	edx, [ecx+1E0h]
		call	SepSetTokenLowboxNumber
		mov	edi, eax
		test	edi, edi
		js	short loc_8E92D5
		mov	ecx, [ebp+var_150]
		jmp	loc_79EA74
; 

loc_8E9265:				; CODE XREF: SeSubProcessToken+41Fj
		mov	eax, [ebp+var_150]
		or	dword ptr [eax+0B0h], 100000h
		jmp	loc_79EAA2
; 

loc_8E927A:				; CODE XREF: SeSubProcessToken+28Cj
		mov	ecx, esi
		call	_SepSetTokenAllApplicationPackagesPolicy@8 ; SepSetTokenAllApplicationPackagesPolicy(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8E92D5
		mov	esi, [ebp+var_150]
		jmp	loc_79EB82
; 

loc_8E9292:				; CODE XREF: SeSubProcessToken+29Aj
		mov	edx, [ebp+arg_18]
		mov	ecx, eax
		push	esi
		call	_SepAddTokenOriginClaim@12 ; SepAddTokenOriginClaim(x,x,x)
		mov	esi, [ebp+var_150]
		jmp	loc_79EB90
; 

loc_8E92A8:				; CODE XREF: SeSubProcessToken+2A8j
		push	dword ptr [eax+0Ch]
		mov	dl, [eax+10h]
		mov	ecx, esi
		push	dword ptr [eax+8]
		push	eax
		call	SepSetTokenBnoIsolation
		mov	edi, eax
		test	edi, edi
		js	short loc_8E92D5
		mov	esi, [ebp+var_150]
		jmp	loc_79EB9E
; 

loc_8E92CA:				; CODE XREF: SeSubProcessToken+30Cj
		mov	[ebp+var_150], ebx
		jmp	loc_79EC4D
; 

loc_8E92D5:				; CODE XREF: SeSubProcessToken+1C6j
					; SeSubProcessToken+200j ...
		mov	ecx, [ebp+var_150]
		test	ecx, ecx
		jz	loc_79EC55
		call	ObfDereferenceObject
		jmp	loc_79EC55
; END OF FUNCTION CHUNK	FOR SeSubProcessToken
; 
; START	OF FUNCTION CHUNK FOR ExpWnfDeleteNameInstance

loc_8E92ED:				; CODE XREF: ExpWnfDeleteNameInstance+42j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8E9301
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8E9301:				; CODE XREF: ExpWnfDeleteNameInstance+14A59Ej
		mov	ecx, ebx
		call	KeAbPostRelease
		xor	eax, eax
		jmp	loc_79EF09
; END OF FUNCTION CHUNK	FOR ExpWnfDeleteNameInstance
; 
; START	OF FUNCTION CHUNK FOR NtDeleteWnfStateName

loc_8E930F:				; CODE XREF: NtDeleteWnfStateName+8Bj
		mov	esi, 0C000000Dh
		jmp	loc_79F22C
; 

loc_8E9319:				; CODE XREF: NtDeleteWnfStateName+13Bj
		mov	esi, 0C0000034h
		jmp	loc_79F20D
; 

loc_8E9323:				; CODE XREF: NtDeleteWnfStateName+272j
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		and	[ebp+var_20], 0
		jmp	loc_79F340
; 

loc_8E9334:				; CODE XREF: NtDeleteWnfStateName+111j
		mov	esi, 0C0000022h
		jmp	loc_79F22C
; 

loc_8E933E:				; CODE XREF: NtDeleteWnfStateName+15Ej
		push	[ebp+var_40]
		push	edx
		xor	ecx, ecx
		call	_ExpWnfDeletePermanentStateData@12 ; ExpWnfDeletePermanentStateData(x,x,x)
		jmp	loc_79F22C
; END OF FUNCTION CHUNK	FOR NtDeleteWnfStateName

;  S U B	R O U T	I N E 


sub_8E934E	proc near		; DATA XREF: .text:006A2254o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E934E	endp


;  S U B	R O U T	I N E 


sub_8E935E	proc near		; DATA XREF: .text:006A2258o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-3Ch]
		mov	[ebp-34h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-30h]
		mov	ebx, [ebp-28h]
		jmp	loc_79F22C
sub_8E935E	endp

; 
; START	OF FUNCTION CHUNK FOR SepIsNgenImage

loc_8E9379:				; CODE XREF: SepIsNgenImage+3Ej
		mov	eax, [edi+4]
		push	8
		pop	ebx
		add	eax, ebx
		mov	[ebp+var_4], eax
		lea	eax, [ecx-8]
		mov	word ptr [ebp+var_8], ax
		mov	ax, [edi+2]
		sub	ax, bx
		xor	ebx, ebx
		mov	word ptr [ebp+var_8+2],	ax
		test	esi, esi
		jz	loc_79F375
		lea	edi, [edx+8]

loc_8E93A3:				; CODE XREF: SepIsNgenImage+14A075j
		push	1
		push	edi
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_8E93C0
		inc	ebx
		add	edi, 8
		cmp	ebx, esi
		jb	short loc_8E93A3
		jmp	loc_79F375
; 

loc_8E93C0:				; CODE XREF: SepIsNgenImage+14A06Dj
		mov	al, 1
		jmp	loc_79F377
; END OF FUNCTION CHUNK	FOR SepIsNgenImage
; 
; START	OF FUNCTION CHUNK FOR PspCaptureCreateInfo

loc_8E93C7:				; CODE XREF: PspCaptureCreateInfo+27j
		mov	[eax], dl
		jmp	loc_79F68B
; END OF FUNCTION CHUNK	FOR PspCaptureCreateInfo

;  S U B	R O U T	I N E 


sub_8E93CE	proc near		; DATA XREF: .text:006A2274o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E93CE	endp


;  S U B	R O U T	I N E 


sub_8E93DC	proc near		; DATA XREF: .text:006A2278o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-20h]
		jmp	loc_79F6F8
sub_8E93DC	endp

; 
; START	OF FUNCTION CHUNK FOR PspEstimateNewProcessServerSilo

loc_8E93E7:				; CODE XREF: PspEstimateNewProcessServerSilo+25j
					; PspEstimateNewProcessServerSilo+149CDFj
		push	dword ptr [ebx+esi*4]
		call	_PsGetEffectiveServerSilo@4 ; PsGetEffectiveServerSilo(x)
		mov	edi, eax
		push	edi
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	short loc_8E9406
		inc	esi
		cmp	esi, [ebp+arg_0]
		jb	short loc_8E93E7
		jmp	loc_79F74B
; 

loc_8E9406:				; CODE XREF: PspEstimateNewProcessServerSilo+149CD9j
		mov	eax, edi
		jmp	loc_79F750
; END OF FUNCTION CHUNK	FOR PspEstimateNewProcessServerSilo
; 
; START	OF FUNCTION CHUNK FOR NtCreateWnfStateName

loc_8E940D:				; CODE XREF: NtCreateWnfStateName+1CDj
		mov	[eax], dl
		jmp	loc_79F92F
; 

loc_8E9414:				; CODE XREF: NtCreateWnfStateName+1DFj
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_8E941F
		mov	esi, eax

loc_8E941F:				; CODE XREF: NtCreateWnfStateName+149CBFj
		lea	edi, [ebp+var_2C]
		movsd
		movsd
		movsd
		movsd
		nop
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_4C], eax
		jmp	loc_79F941
; 

loc_8E9432:				; CODE XREF: NtCreateWnfStateName+1E7j
		mov	[ebp+var_30], 0C0000005h

loc_8E9439:				; CODE XREF: NtCreateWnfStateName+203j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_79F8D9
; END OF FUNCTION CHUNK	FOR NtCreateWnfStateName

;  S U B	R O U T	I N E 


sub_8E9445	proc near		; DATA XREF: .text:006A2294o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-58h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E9445	endp


;  S U B	R O U T	I N E 


sub_8E9455	proc near		; DATA XREF: .text:006A2298o
		mov	eax, [ebp-58h]
		jmp	short loc_8E945D
; 

loc_8E945A:				; DATA XREF: .text:006A22A4o
		mov	eax, [ebp-60h]

loc_8E945D:				; CODE XREF: sub_8E9455+3j
		mov	esp, [ebp-18h]
		mov	[ebp-30h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-54h]
		jmp	loc_79F8D9
sub_8E9455	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateWnfStateName

loc_8E9472:				; CODE XREF: NtCreateWnfStateName+A8j
		test	edi, edi
		jz	short loc_8E947B
		cmp	edi, 4
		jnz	short loc_8E948E

loc_8E947B:				; CODE XREF: NtCreateWnfStateName+149D18j
		cmp	byte ptr [ebp+arg_C], 0
		jz	loc_79F80A
		cmp	esi, 1
		jz	loc_79F80A

loc_8E948E:				; CODE XREF: NtCreateWnfStateName+8Aj
					; NtCreateWnfStateName+92j ...
		mov	[ebp+var_30], 0C000000Dh
		jmp	loc_79F8D9
; 

loc_8E949A:				; CODE XREF: NtCreateWnfStateName+24Fj
		mov	[ebp+var_30], 0C0000061h
		jmp	loc_79F8D9
; END OF FUNCTION CHUNK	FOR NtCreateWnfStateName

;  S U B	R O U T	I N E 


sub_8E94A6	proc near		; DATA XREF: .text:006A22A0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-60h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E94A6	endp

; 
; START	OF FUNCTION CHUNK FOR ExpWnfGenerateStateName

loc_8E94B6:				; CODE XREF: ExpWnfGenerateStateName+112j
		lea	edx, [ebp+var_C]
		mov	ecx, esi
		call	_ExpWnfAllocateNextPersistentNameSequence@8 ; ExpWnfAllocateNextPersistentNameSequence(x,x)
		test	eax, eax
		js	loc_79FAAE
		mov	esi, [ebp+var_8]
		xor	ecx, ecx
		mov	edi, [ebp+var_C]
		jmp	loc_79FA4B
; 

loc_8E94D5:				; CODE XREF: ExpWnfGenerateStateName+8Ej
		mov	eax, 0C0000001h
		jmp	loc_79FAAE
; END OF FUNCTION CHUNK	FOR ExpWnfGenerateStateName
; 
; START	OF FUNCTION CHUNK FOR NtGetCompleteWnfStateSubscription

loc_8E94DF:				; CODE XREF: NtGetCompleteWnfStateSubscription+5Cj
		cmp	edi, 0C000022Dh
		jnz	loc_79FBC1
		jmp	loc_79FB40
; 

loc_8E94F0:				; CODE XREF: NtGetCompleteWnfStateSubscription+6Dj
		mov	ecx, eax
		jmp	loc_79FB51
; 

loc_8E94F7:				; CODE XREF: NtGetCompleteWnfStateSubscription+86j
		mov	edx, eax
		jmp	loc_79FB6A
; END OF FUNCTION CHUNK	FOR NtGetCompleteWnfStateSubscription

;  S U B	R O U T	I N E 


sub_8E94FE	proc near		; DATA XREF: .text:006A22BCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E94FE	endp


;  S U B	R O U T	I N E 


sub_8E950E	proc near		; DATA XREF: .text:006A22C0o
		mov	esi, [ebp-2Ch]
		jmp	short loc_8E9526
; 

loc_8E9513:				; DATA XREF: .text:006A22C8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_8E9523:				; DATA XREF: .text:006A22CCo
		mov	esi, [ebp-30h]

loc_8E9526:				; CODE XREF: sub_8E950E+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_79FBC1
sub_8E950E	endp

; 
; START	OF FUNCTION CHUNK FOR ExpWnfDeliverThreadNotifications

loc_8E9535:				; CODE XREF: ExpWnfDeliverThreadNotifications+13Fj
		lea	edi, [edx+1Ch]
		mov	esi, eax
		movsd
		movsd
		movsd
		movsd
		or	esi, 0FFFFFFFFh
		mov	edi, [ebp+var_44]
		jmp	loc_79FD2D
; 

loc_8E9549:				; CODE XREF: ExpWnfDeliverThreadNotifications+19Aj
		cmp	[ebp+var_30], 8000001Ah
		jnz	loc_79FE11
		mov	[ebp+var_30], eax
		jmp	loc_79FE11
; END OF FUNCTION CHUNK	FOR ExpWnfDeliverThreadNotifications

;  S U B	R O U T	I N E 


sub_8E955E	proc near		; DATA XREF: .text:006A22E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E955E	endp


;  S U B	R O U T	I N E 


sub_8E956E	proc near		; DATA XREF: .text:006A22E8o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-4Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-3Ch]
		jmp	loc_79FDB1
sub_8E956E	endp

; 
; START	OF FUNCTION CHUNK FOR ExpWnfDeliverThreadNotifications

loc_8E9583:				; CODE XREF: ExpWnfDeliverThreadNotifications+F5j
					; ExpWnfDeliverThreadNotifications+1AFj
		mov	eax, [edi+4]
		mov	edi, eax
		mov	ecx, [ebp+var_28]
		mov	ecx, [ecx]
		mov	edx, [ebp+var_28]
		cmp	[ecx+4], edx
		jnz	loc_8E963F
		cmp	[eax], edx
		mov	edx, [ebp+var_2C]
		jnz	loc_8E963F
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, [ebp+var_40]
		and	dword ptr [eax], 0
		mov	eax, [edx]
		and	dword ptr [edx], 0
		mov	ecx, [ebp+var_50]
		and	dword ptr [ecx+10h], 0
		test	ebx, ebx
		jz	loc_79FE11
		test	al, 1
		jz	short loc_8E9630
		mov	eax, esi
		lock xadd [ebx+5Ch], eax
		jnz	short loc_8E9630
		mov	edi, [ebp+var_1C]
		add	edi, 34h
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8E95E9
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8E95E9:				; CODE XREF: ExpWnfDeliverThreadNotifications+1499F8j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	edi, [ebp+var_1C]
		add	edi, 28h
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_8E960B
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8E960B:				; CODE XREF: ExpWnfDeliverThreadNotifications+149A1Aj
		mov	ecx, edi
		call	KeAbPostRelease
		push	1
		push	1
		push	8
		pop	edx
		mov	ecx, ebx
		call	_ExpWnfNotifyNameSubscribers@16	; ExpWnfNotifyNameSubscribers(x,x,x,x)
		lea	ecx, [ebx+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, [ebp+var_1C]
		jmp	loc_79FC19
; 

loc_8E9630:				; CODE XREF: ExpWnfDeliverThreadNotifications+1499DDj
					; ExpWnfDeliverThreadNotifications+1499E6j
		lea	ecx, [ebx+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		xor	ebx, ebx
		jmp	loc_79FE11
; 

loc_8E963F:				; CODE XREF: ExpWnfDeliverThreadNotifications+1499ABj
					; ExpWnfDeliverThreadNotifications+1499B6j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8E9644:				; CODE XREF: ExpWnfDeliverThreadNotifications+201j
		lea	ecx, [ebx+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_79FDEF
; END OF FUNCTION CHUNK	FOR ExpWnfDeliverThreadNotifications
; 
; START	OF FUNCTION CHUNK FOR ExpWnfCompleteThreadSubscriptions

loc_8E9651:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+2Cj
		mov	eax, 0C000000Dh
		jmp	loc_79FFEF
; 

loc_8E965B:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+23Bj
		test	al, cl
		jnz	loc_79FF5A
		or	eax, ecx
		mov	[esi+0Ch], eax
		jmp	loc_79FF5A
; 

loc_8E966D:				; CODE XREF: ExpWnfCompleteThreadSubscriptions+F3j
		mov	[esi+8], eax
		jmp	loc_79FF55
; END OF FUNCTION CHUNK	FOR ExpWnfCompleteThreadSubscriptions
; 
; START	OF FUNCTION CHUNK FOR ExpNtUpdateWnfStateData

loc_8E9675:				; CODE XREF: ExpNtUpdateWnfStateData+B7j
					; ExpNtUpdateWnfStateData+BFj
		mov	[ecx], bl
		jmp	loc_7A017F
; 

loc_8E967C:				; CODE XREF: ExpNtUpdateWnfStateData+CAj
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_8E9688
		mov	eax, ecx

loc_8E9688:				; CODE XREF: ExpNtUpdateWnfStateData+1495CAj
		mov	esi, eax
		lea	edi, [ebp+var_3C]
		movsd
		movsd
		movsd
		movsd
		nop
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_70], eax
		mov	edi, [ebp+arg_0]
		jmp	loc_7A018A
; 

loc_8E96A0:				; CODE XREF: ExpNtUpdateWnfStateData+134j
		mov	eax, [ebp+var_6C]
		test	eax, eax
		jz	short loc_8E96AF
		cmp	ecx, [eax]
		jnz	loc_7A01F4

loc_8E96AF:				; CODE XREF: ExpNtUpdateWnfStateData+1495EBj
					; ExpNtUpdateWnfStateData+149603j
		mov	esi, 0C000000Dh
		jmp	loc_7A02AD
; 

loc_8E96B9:				; CODE XREF: ExpNtUpdateWnfStateData+13Ej
		cmp	[ebp+arg_10], 0
		jnz	short loc_8E96AF
		mov	ecx, [ebp+var_58]
		xor	ecx, 0A3BC0074h
		mov	eax, [ebp+var_54]
		xor	eax, 41C64E6Dh
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], eax
		push	edi
		push	[ebp+var_74]
		push	0FFFFFFFFh
		lea	eax, [ebp+var_24]
		push	eax
		xor	edx, edx
		inc	edx
		call	_ExpCrossVmWnfPush@24 ;	ExpCrossVmWnfPush(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000002h
		jnz	loc_7A02AD
		jmp	loc_7A01FE
; END OF FUNCTION CHUNK	FOR ExpNtUpdateWnfStateData

;  S U B	R O U T	I N E 


sub_8E96FB	proc near		; DATA XREF: .text:006A2310o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-7Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E96FB	endp


;  S U B	R O U T	I N E 


sub_8E970B	proc near		; DATA XREF: .text:006A2314o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-7Ch]
		mov	[ebp-64h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		jmp	loc_7A0287
sub_8E970B	endp

; 
; START	OF FUNCTION CHUNK FOR ExpNtUpdateWnfStateData

loc_8E9722:				; CODE XREF: ExpNtUpdateWnfStateData+1D5j
		mov	ecx, [ebp+var_58]
		xor	ecx, 0A3BC0074h
		mov	eax, [ebp+var_54]
		xor	eax, 41C64E6Dh
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], eax
		mov	esi, [ebp+var_40]
		add	esi, 30h
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edi, eax
		push	11h
		pop	ecx
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_8E9762
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockSharedEx

loc_8E9762:				; CODE XREF: ExpNtUpdateWnfStateData+14969Cj
		test	edi, edi
		jz	short loc_8E976A
		or	byte ptr [edi+0Eh], 1

loc_8E976A:				; CODE XREF: ExpNtUpdateWnfStateData+1496AAj
		mov	eax, [ebp+var_40]
		mov	eax, [eax+34h]
		lea	ecx, [eax-1]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		jnz	short loc_8E9781
		mov	eax, ebx
		mov	ecx, ebx
		jmp	short loc_8E9787
; 

loc_8E9781:				; CODE XREF: ExpNtUpdateWnfStateData+1496BFj
		lea	eax, [ecx+10h]
		mov	ecx, [ecx+8]

loc_8E9787:				; CODE XREF: ExpNtUpdateWnfStateData+1496C5j
		push	ecx
		push	eax
		mov	eax, [ebp+var_40]
		push	dword ptr [eax+38h]
		lea	eax, [ebp+var_2C]
		push	eax
		xor	edx, edx
		call	_ExpCrossVmWnfPush@24 ;	ExpCrossVmWnfPush(x,x,x,x,x,x)
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_8E97AF
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8E97AF:				; CODE XREF: ExpNtUpdateWnfStateData+1496ECj
		mov	ecx, esi
		call	KeAbPostRelease
		jmp	loc_7A0295
; END OF FUNCTION CHUNK	FOR ExpNtUpdateWnfStateData

;  S U B	R O U T	I N E 


sub_8E97BB	proc near		; DATA XREF: .text:006A2304o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-80h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E97BB	endp


;  S U B	R O U T	I N E 


sub_8E97CB	proc near		; DATA XREF: .text:006A2308o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-80h]
		mov	[ebp-64h], esi
		jmp	loc_7A03BD
sub_8E97CB	endp


;  S U B	R O U T	I N E 


sub_8E97D9	proc near		; DATA XREF: .text:006A232Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E97D9	endp


;  S U B	R O U T	I N E 


sub_8E97E9	proc near		; DATA XREF: .text:006A2330o
		mov	edi, [ebp-1Ch]
		jmp	short loc_8E9801
; 

loc_8E97EE:				; DATA XREF: .text:006A2338o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_8E97FE:				; DATA XREF: .text:006A233Co
		mov	edi, [ebp-20h]

loc_8E9801:				; CODE XREF: sub_8E97E9+3j
		mov	esp, [ebp-18h]
		jmp	loc_7A0447
sub_8E97E9	endp

; 
; START	OF FUNCTION CHUNK FOR ExpWnfSubscribeWnfStateChange

loc_8E9809:				; CODE XREF: ExpWnfSubscribeWnfStateChange+5Bj
		mov	esi, 0C000000Dh
		jmp	loc_7A05DE
; END OF FUNCTION CHUNK	FOR ExpWnfSubscribeWnfStateChange

;  S U B	R O U T	I N E 


sub_8E9813	proc near		; DATA XREF: .text:006A2354o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E9813	endp


;  S U B	R O U T	I N E 


sub_8E9823	proc near		; DATA XREF: .text:006A2358o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-40h]
		mov	[ebp-44h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7A05DE
sub_8E9823	endp

; 
; START	OF FUNCTION CHUNK FOR ExpWnfSubscribeWnfStateChange

loc_8E9838:				; CODE XREF: ExpWnfSubscribeWnfStateChange+1A2j
		push	20666E57h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7A0616
; END OF FUNCTION CHUNK	FOR ExpWnfSubscribeWnfStateChange
; 
; START	OF FUNCTION CHUNK FOR NtQueryWnfStateData

loc_8E9848:				; CODE XREF: NtQueryWnfStateData+E3j
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_7A0941
; 

loc_8E9854:				; CODE XREF: NtQueryWnfStateData+2BDj
		mov	ecx, eax
		jmp	loc_7A09B3
; 

loc_8E985B:				; CODE XREF: NtQueryWnfStateData+106j
		mov	ecx, eax
		jmp	loc_7A07FC
; 

loc_8E9862:				; CODE XREF: NtQueryWnfStateData+119j
		mov	ecx, eax
		jmp	loc_7A080F
; 

loc_8E9869:				; CODE XREF: NtQueryWnfStateData+12Ej
		mov	edx, eax
		jmp	loc_7A0824
; END OF FUNCTION CHUNK	FOR NtQueryWnfStateData

;  S U B	R O U T	I N E 


sub_8E9870	proc near		; DATA XREF: .text:006A2380o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-7Ch], eax
		mov	eax, large fs:124h
		mov	[ebp-78h], eax
		mov	eax, [ebp-78h]
		mov	al, [eax+15Ah]
		mov	[ebp-35h], al
		mov	cl, [ebp-35h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_8E9870	endp


;  S U B	R O U T	I N E 


sub_8E989A	proc near		; DATA XREF: .text:006A2384o
		mov	eax, [ebp-7Ch]
		jmp	loc_7A0AFE
sub_8E989A	endp

; 
; START	OF FUNCTION CHUNK FOR ExpCaptureWnfStateName

loc_8E98A2:				; CODE XREF: ExpCaptureWnfStateName+60j
		cmp	ecx, 2
		jz	loc_7A0BAC
		cmp	ecx, 4
		jnz	loc_7A0BC8
		jmp	loc_7A0BAC
; END OF FUNCTION CHUNK	FOR ExpCaptureWnfStateName
; 
; START	OF FUNCTION CHUNK FOR ExpWnfCreateNameInstance

loc_8E98B9:				; CODE XREF: ExpWnfCreateNameInstance+B2j
		push	20666E57h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8E98C4:				; CODE XREF: ExpWnfCreateNameInstance+5Bj
		mov	eax, 0C000009Ah
		jmp	loc_7A0DFF
; 

loc_8E98CE:				; CODE XREF: ExpWnfCreateNameInstance+2D0j
		push	20666E57h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7A0EA6
; END OF FUNCTION CHUNK	FOR ExpWnfCreateNameInstance
; 
; START	OF FUNCTION CHUNK FOR ExpWnfResolveScopeInstance

loc_8E98DE:				; CODE XREF: ExpWnfResolveScopeInstance+3B9j
		push	20666E57h
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7A1058
; 

loc_8E98EE:				; CODE XREF: ExpWnfResolveScopeInstance+147j
		mov	eax, 0C000009Ah
		jmp	loc_7A10C5
; 

loc_8E98F8:				; CODE XREF: ExpWnfResolveScopeInstance+BAj
		mov	eax, 0C0000034h
		jmp	loc_7A10B7
; 

loc_8E9902:				; CODE XREF: ExpWnfResolveScopeInstance+22Aj
		mov	eax, 0C0000034h
		jmp	loc_7A10B7
; 

loc_8E990C:				; CODE XREF: ExpWnfResolveScopeInstance+313j
		lea	ecx, [edi+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		movzx	ebx, al
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8E992B
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8E992B:				; CODE XREF: ExpWnfResolveScopeInstance+148932j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_14]
		xor	dl, dl
		call	_ExpWnfFreeScopeInstance@8 ; ExpWnfFreeScopeInstance(x,x)
		test	ebx, ebx
		jnz	loc_7A10B0
		mov	eax, 0C0000034h
		jmp	loc_7A10B7
; 

loc_8E994E:				; CODE XREF: ExpWnfResolveScopeInstance+32Cj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8E9955:				; DATA XREF: .text:006A23A0o
		mov	edi, [ebp+var_24]
		mov	esi, [ebp+var_20]
		jmp	sub_7A1571
; END OF FUNCTION CHUNK	FOR ExpWnfResolveScopeInstance
; 
; START	OF FUNCTION CHUNK FOR ExpWnfGetCurrentScopeInstance

loc_8E9960:				; CODE XREF: ExpWnfGetCurrentScopeInstance+7Dj
		mov	eax, large fs:124h
		mov	edi, [eax+80h]
		jmp	loc_7A1615
; 

loc_8E9971:				; CODE XREF: ExpWnfGetCurrentScopeInstance+47j
		mov	eax, large fs:124h
		mov	edi, [eax+80h]
		jmp	loc_7A15DF
; END OF FUNCTION CHUNK	FOR ExpWnfGetCurrentScopeInstance
; 

loc_8E9982:				; CODE XREF: PAGE:007A1703j
		mov	eax, 0C000009Ah
		jmp	loc_7A1938
; 

loc_8E998C:				; CODE XREF: PAGE:007A1824j
		or	esi, 0FFFFFFFFh
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8E99A3
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+10h]

loc_8E99A3:				; CODE XREF: PAGE:008E9999j
		call	KeAbPostRelease
		mov	esi, [ebp-8]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8E99BF
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8E99BF:				; CODE XREF: PAGE:008E99B6j
		mov	ecx, esi
		call	KeAbPostRelease
		push	20666E57h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C0000034h
		jmp	loc_7A1938
; 

loc_8E99DB:				; CODE XREF: PAGE:007A1854j
		mov	ecx, [ebp+10h]
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8E99F2
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+10h]

loc_8E99F2:				; CODE XREF: PAGE:008E99E8j
		call	KeAbPostRelease
		mov	ecx, [ebp-8]
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8E9A0E
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp-8]

loc_8E9A0E:				; CODE XREF: PAGE:008E9A04j
		call	KeAbPostRelease
		push	20666E57h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7A193F
; 
; START	OF FUNCTION CHUNK FOR ExpWnfUpdateSubscription

loc_8E9A23:				; CODE XREF: ExpWnfUpdateSubscription+93j
		mov	ecx, 1
		lock xadd [ebx+58h], ecx
		inc	ecx
		cmp	ecx, 1
		jnz	loc_7A1A99
		mov	ecx, [ebp+arg_10]
		mov	dword ptr [ecx], 1
		jmp	loc_7A1A99
; END OF FUNCTION CHUNK	FOR ExpWnfUpdateSubscription
; 
; START	OF FUNCTION CHUNK FOR ExpWnfQueryCurrentUserSID

loc_8E9A45:				; CODE XREF: ExpWnfQueryCurrentUserSID+8Fj
		test	esi, esi
		jz	short loc_8E9A50
		mov	ecx, esi
		call	ObfDereferenceObject

loc_8E9A50:				; CODE XREF: ExpWnfQueryCurrentUserSID+147EB3j
		mov	eax, 0C00000A5h
		jmp	loc_7A1BFA
; END OF FUNCTION CHUNK	FOR ExpWnfQueryCurrentUserSID
; 
; START	OF FUNCTION CHUNK FOR ExpWnfWriteStateData

loc_8E9A5A:				; CODE XREF: ExpWnfWriteStateData+185j
		mov	eax, 0C0000034h
		jmp	loc_7A1D96
; 

loc_8E9A64:				; CODE XREF: ExpWnfWriteStateData+199j
		mov	[ebp+var_60], 1
		lea	eax, [ebp+var_5C]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		jmp	loc_7A1E21
; 

loc_8E9A7B:				; CODE XREF: ExpWnfWriteStateData+1BFj
		xor	edx, edx
		lea	ecx, [ebp+var_5C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_7A1E43
; 

loc_8E9A8A:				; CODE XREF: ExpWnfWriteStateData+1C7j
		mov	eax, 0C000009Ah
		jmp	loc_7A1D96
; 

loc_8E9A94:				; CODE XREF: ExpWnfWriteStateData+BAj
		xor	eax, eax
		inc	eax
		jmp	loc_7A1D30
; 

loc_8E9A9C:				; CODE XREF: ExpWnfWriteStateData+2D7j
		mov	eax, [esi+34h]
		mov	[ebp+var_6C], eax
		and	dword ptr [esi+34h], 0
		jmp	loc_7A1D84
; END OF FUNCTION CHUNK	FOR ExpWnfWriteStateData

;  S U B	R O U T	I N E 


sub_8E9AAB	proc near		; DATA XREF: .text:006A23C0o
		or	eax, 0FFFFFFFFh
		mov	ebx, [ebp-68h]
		mov	esi, [ebp-84h]
		jmp	sub_7A1F8F
sub_8E9AAB	endp

; 
; START	OF FUNCTION CHUNK FOR sub_7A1F8F

loc_8E9ABC:				; CODE XREF: sub_7A1F8F+1Dj
		push	20666E57h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	locret_7A1FB2
; END OF FUNCTION CHUNK	FOR sub_7A1F8F
; 
; START	OF FUNCTION CHUNK FOR ExpWnfPopulateStateData

loc_8E9ACC:				; CODE XREF: ExpWnfPopulateStateData+140j
		push	edi
		push	offset _ExpWnfPopulateStateDataRemoteCallback@24 ; ExpWnfPopulateStateDataRemoteCallback(x,x,x,x,x,x)
		lea	ecx, [esp+50h+var_30]
		push	ecx
		call	dword ptr [eax+3Ch]
		mov	esi, eax
		mov	ecx, ebx
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)
		cmp	esi, 0C0000002h
		jz	loc_7A224B
		test	esi, esi
		jns	loc_7A2257
		mov	eax, esi
		jmp	loc_7A2259
; 

loc_8E9AFE:				; CODE XREF: ExpWnfPopulateStateData+C7j
		push	20666E57h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+48h+var_3C]
		lea	ebx, [eax-10h]
		jmp	loc_7A2271
; 

loc_8E9B15:				; CODE XREF: ExpWnfPopulateStateData+CFj
					; ExpWnfPopulateStateData+14Aj
		push	20666E57h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, ebx
		jmp	loc_7A2259
; 

loc_8E9B27:				; CODE XREF: ExpWnfPopulateStateData+70j
		mov	eax, 0C000009Ah
		jmp	loc_7A2259
; END OF FUNCTION CHUNK	FOR ExpWnfPopulateStateData
; 
; START	OF FUNCTION CHUNK FOR SeQuerySigningPolicy

loc_8E9B31:				; CODE XREF: SeQuerySigningPolicy+B8j
		cmp	_KdDebuggerEnabled, 0
		jz	loc_7A253D
		cmp	_KdDebuggerNotPresent, 0
		jnz	loc_7A253D

loc_8E9B4B:				; CODE XREF: SeQuerySigningPolicy+AEj
		mov	eax, dword_6BEA40
		test	eax, eax
		jz	short loc_8E9B5F
		push	8
		push	[ebp+var_4]
		call	eax
		test	eax, eax
		jnz	short loc_8E9B95

loc_8E9B5F:				; CODE XREF: SeQuerySigningPolicy+1476B2j
		mov	eax, [ebp+arg_10]
		test	byte ptr [eax],	7
		jz	short loc_8E9B95
		mov	al, [esi]
		and	al, 30h
		or	al, 8
		mov	[esi], al
		mov	ecx, dword_6BEA40
		test	ecx, ecx
		jz	short loc_8E9B8D
		mov	al, [edi]
		mov	byte ptr [ebp+arg_10], al
		push	[ebp+arg_10]
		push	8
		call	ecx
		test	eax, eax
		jnz	loc_7A253D

loc_8E9B8D:				; CODE XREF: SeQuerySigningPolicy+1476D7j
		mov	al, [edi]
		and	al, 30h
		or	al, 8
		jmp	short loc_8E9BC5
; 

loc_8E9B95:				; CODE XREF: SeQuerySigningPolicy+1476BDj
					; SeQuerySigningPolicy+1476C5j
		mov	al, [esi]
		and	bl, 0Fh
		and	al, 30h
		or	al, bl
		mov	[esi], al
		mov	ecx, dword_6BEA40
		test	ecx, ecx
		jz	short loc_8E9BBF
		mov	al, [edi]
		mov	byte ptr [ebp+arg_10], al
		push	[ebp+arg_10]
		push	[ebp+var_4]
		call	ecx
		test	eax, eax
		jnz	loc_7A253D

loc_8E9BBF:				; CODE XREF: SeQuerySigningPolicy+147708j
		mov	al, [edi]
		and	al, 30h
		or	al, bl

loc_8E9BC5:				; CODE XREF: SeQuerySigningPolicy+1476F3j
		mov	[edi], al
		jmp	loc_7A253D
; END OF FUNCTION CHUNK	FOR SeQuerySigningPolicy
; 
; START	OF FUNCTION CHUNK FOR SepIsMinTCB

loc_8E9BCC:				; CODE XREF: SepIsMinTCB+4Cj
		mov	eax, edi
		jmp	loc_7A25C0
; 

loc_8E9BD3:				; CODE XREF: SepIsMinTCB+E0j
		cmp	_KdDebuggerNotPresent, 0
		jnz	loc_7A25EB
		push	[ebp+arg_10]
		lea	eax, [ebp+var_18]
		mov	ecx, offset _SeMsMinTestTCBList
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	esi
		push	eax
		push	9
		pop	edx
		call	SepIsImageInMinTcbList
		jmp	loc_7A25EB
; END OF FUNCTION CHUNK	FOR SepIsMinTCB
; 
; START	OF FUNCTION CHUNK FOR FsRtlInsertExtraCreateParameter

loc_8E9C06:				; CODE XREF: FsRtlInsertExtraCreateParameter+1Fj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8E9C0D:				; CODE XREF: FsRtlAllocateExtraCreateParameter+22j
		mov	eax, 0C0000095h
		jmp	loc_7A2888
; END OF FUNCTION CHUNK	FOR FsRtlInsertExtraCreateParameter
; 
; START	OF FUNCTION CHUNK FOR FsRtlAllocateExtraCreateParameter

loc_8E9C17:				; CODE XREF: FsRtlAllocateExtraCreateParameter+4Fj
		or	eax, 8
		push	eax
		call	ExAllocatePoolWithQuotaTag
		jmp	loc_7A2845
; END OF FUNCTION CHUNK	FOR FsRtlAllocateExtraCreateParameter
; 
; START	OF FUNCTION CHUNK FOR FsRtlAllocateExtraCreateParameterList

loc_8E9C25:				; CODE XREF: FsRtlAllocateExtraCreateParameterList+13j
		push	6C655346h
		push	10h
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	edx, 2
		jmp	loc_7A28D2
; END OF FUNCTION CHUNK	FOR FsRtlAllocateExtraCreateParameterList
; 
; START	OF FUNCTION CHUNK FOR FsRtlpPrepareExtraCreateParametersForCreate

loc_8E9C3D:				; CODE XREF: FsRtlpPrepareExtraCreateParametersForCreate+18j
		push	ecx
		push	0
		push	0
		push	15h
		push	10Ch
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8E9C4F:				; CODE XREF: FsRtlFreeExtraCreateParameterList+3Aj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7A47D5
; END OF FUNCTION CHUNK	FOR FsRtlpPrepareExtraCreateParametersForCreate
; 
; START	OF FUNCTION CHUNK FOR AlpcpFreeMessageFunction

loc_8E9C5C:				; CODE XREF: AlpcpFreeMessageFunction+31j
		mov	edi, ds:_AlpcpSecondaryMessageTables
		test	edi, edi
		jz	loc_7A4927
		mov	eax, esi
		shr	eax, 1Ah
		mov	edi, [edi+eax*4]
		jmp	loc_7A4927
; END OF FUNCTION CHUNK	FOR AlpcpFreeMessageFunction
; 
; START	OF FUNCTION CHUNK FOR PspThreadDelete

loc_8E9C77:				; CODE XREF: PspThreadDelete+1Bj
		push	0
		push	eax
		push	esi
		push	1
		push	94h
		jmp	short loc_8E9C8F
; 

loc_8E9C84:				; CODE XREF: PspThreadDelete+55j
		push	0
		push	ecx
		push	esi
		push	14h

loc_8E9C8A:				; CODE XREF: PspThreadDelete+145349j
		push	1C6h

loc_8E9C8F:				; CODE XREF: PspThreadDelete+145318j
					; PspThreadDelete+14533Bj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8E9C94:				; CODE XREF: PspThreadDelete+29j
		xor	edi, edi
		push	edi
		push	edi
		jmp	short loc_8E9C9E
; 

loc_8E9C9A:				; CODE XREF: PspThreadDelete+45j
		push	0
		push	2

loc_8E9C9E:				; CODE XREF: PspThreadDelete+14532Ej
					; PspThreadDelete+145341j
		push	eax
		push	esi
		push	13Ch
		jmp	short loc_8E9C8F
; 

loc_8E9CA7:				; CODE XREF: PspThreadDelete+37j
		push	0
		push	1
		jmp	short loc_8E9C9E
; 

loc_8E9CAD:				; CODE XREF: PspThreadDelete+65j
		push	0
		push	ecx
		push	esi
		push	15h
		jmp	short loc_8E9C8A
; 

loc_8E9CB5:				; CODE XREF: PspThreadDelete+70j
		push	edi
		mov	edx, offset _PspDeleteKernelStack@12 ; PspDeleteKernelStack(x,x,x)
		mov	ecx, esi
		call	_KeEnumerateKernelStackSegments@12 ; KeEnumerateKernelStackSegments(x,x,x)
		jmp	loc_7A49E0
; 

loc_8E9CC7:				; CODE XREF: PspThreadDelete+A0j
		push	17h
		call	_KeBugCheck@4	; KeBugCheck(x)
		int	3		; Trap to Debugger

loc_8E9CCF:				; CODE XREF: PspDeleteThreadSecurity+32j
		call	ObfDereferenceObject
		and	dword ptr [esi+368h], 0
		jmp	loc_7A4B74
; END OF FUNCTION CHUNK	FOR PspThreadDelete
; 
; START	OF FUNCTION CHUNK FOR ExDestroyHandle

loc_8E9CE0:				; CODE XREF: ExDestroyHandle+11j
		mov	edx, large fs:124h
		push	2
		push	edi
		call	_ExpUpdateDebugInfo@16 ; ExpUpdateDebugInfo(x,x,x,x)
		jmp	loc_7A4B93
; END OF FUNCTION CHUNK	FOR ExDestroyHandle
; 
; START	OF FUNCTION CHUNK FOR ExpFreeHandleTableEntry

loc_8E9CF4:				; CODE XREF: ExpFreeHandleTableEntry+11j
		mov	edx, [ebp+8]
		and	edx, 0FFFFFFFCh
		call	_ExpGetHandleExtraInfo@8 ; ExpGetHandleExtraInfo(x,x)
		test	eax, eax
		jz	loc_7A4BED
		mov	[eax], esi
		mov	[eax+4], esi
		jmp	loc_7A4BED
; END OF FUNCTION CHUNK	FOR ExpFreeHandleTableEntry
; 
; START	OF FUNCTION CHUNK FOR ExMapHandleToPointerEx

loc_8E9D11:				; CODE XREF: ExMapHandleToPointerEx+15j
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, ebx
		call	ExHandleLogBadReference
		jmp	loc_7A4C81
; END OF FUNCTION CHUNK	FOR ExMapHandleToPointerEx
; 
; START	OF FUNCTION CHUNK FOR IoCheckEaBufferValidity

loc_8E9D22:				; CODE XREF: IoCheckEaBufferValidity+11j
		mov	eax, [ebp+arg_8]
		and	dword ptr [eax], 0
		mov	eax, 80000014h
		jmp	loc_7A4CCE
; END OF FUNCTION CHUNK	FOR IoCheckEaBufferValidity
; 
; START	OF FUNCTION CHUNK FOR ObpGrantAccess

loc_8E9D32:				; CODE XREF: ObpGrantAccess+71j
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	ebx
		push	eax
		call	ObpAdjustCreatorAccessState
		test	eax, eax
		jns	loc_7A4D55
		jmp	loc_7A4D5F
; END OF FUNCTION CHUNK	FOR ObpGrantAccess
; 
; START	OF FUNCTION CHUNK FOR ObCheckObjectAccess

loc_8E9D4B:				; CODE XREF: ObCheckObjectAccess+61j
		mov	eax, [esi+10h]
		or	[esi+14h], eax
		mov	[esi+10h], ebx
		mov	bl, 1

loc_8E9D56:				; CODE XREF: ObCheckObjectAccess+53j
		mov	ecx, [ebp+arg_10]
		mov	al, bl
		mov	[ecx], edx
		jmp	loc_7A4E65
; END OF FUNCTION CHUNK	FOR ObCheckObjectAccess
; 
; START	OF FUNCTION CHUNK FOR ExEnableRaiseUMExceptionOnInvalidHandleClose

loc_8E9D62:				; CODE XREF: ExEnableRaiseUMExceptionOnInvalidHandleClose+2Ej
		cmp	eax, 1
		jnz	loc_7A4EBA
		or	byte ptr [esi+1Ch], 10h
		jmp	loc_7A4EBA
; END OF FUNCTION CHUNK	FOR ExEnableRaiseUMExceptionOnInvalidHandleClose
; 
; START	OF FUNCTION CHUNK FOR PspUpdateCreateInfo

loc_8E9D74:				; CODE XREF: PspUpdateCreateInfo+97j
		mov	[ebp+var_48], esi
		jmp	short loc_8E9D7C
; 

loc_8E9D79:				; CODE XREF: PspUpdateCreateInfo+7Ej
		mov	[ebp+var_4C], esi

loc_8E9D7C:				; CODE XREF: PspUpdateCreateInfo+144E93j
		test	edi, edi
		jns	loc_7A4F81

loc_8E9D84:				; CODE XREF: PspUpdateCreateInfo+16Dj
					; PspUpdateCreateInfo+18Cj ...
		mov	eax, [ebp+esi*4+var_4C]
		test	eax, eax
		jz	short loc_8E9D95
		push	[ebp+var_44]
		push	eax
		call	ObCloseHandle

loc_8E9D95:				; CODE XREF: PspUpdateCreateInfo+144EA6j
		inc	esi
		cmp	esi, 2
		jb	short loc_8E9D84
		mov	eax, edi
		jmp	loc_7A5078
; END OF FUNCTION CHUNK	FOR PspUpdateCreateInfo

;  S U B	R O U T	I N E 


sub_8E9DA2	proc near		; DATA XREF: .text:006A2478o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E9DA2	endp


;  S U B	R O U T	I N E 


sub_8E9DB0	proc near		; DATA XREF: .text:006A247Co
		mov	edi, [ebp-2Ch]
		jmp	short loc_8E9DB8
sub_8E9DB0	endp

; 

loc_8E9DB5:				; DATA XREF: .text:006A2464o
		mov	edi, [ebp-38h]
; START	OF FUNCTION CHUNK FOR sub_8E9E21

loc_8E9DB8:				; CODE XREF: sub_8E9DB0+3j
					; sub_8E9DFB+3j ...
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		jmp	loc_7A504F
; END OF FUNCTION CHUNK	FOR sub_8E9E21
; 
; START	OF FUNCTION CHUNK FOR PspUpdateCreateInfo

loc_8E9DC9:				; CODE XREF: PspUpdateCreateInfo+57j
		lea	ecx, [ebp+var_4C]
		push	ecx
		lea	edx, [ebx+74h]
		mov	cl, al
		call	PspPropagateHandle
		mov	edi, eax
		test	edi, edi
		js	loc_7A50B0
		mov	[ebp+ms_exc.disabled], 2
		jmp	loc_7A50A5
; END OF FUNCTION CHUNK	FOR PspUpdateCreateInfo

;  S U B	R O U T	I N E 


sub_8E9DED	proc near		; DATA XREF: .text:006A246Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E9DED	endp


;  S U B	R O U T	I N E 


sub_8E9DFB	proc near		; DATA XREF: .text:006A2470o
		mov	edi, [ebp-30h]
		jmp	short loc_8E9DB8
sub_8E9DFB	endp

; 
; START	OF FUNCTION CHUNK FOR PspUpdateCreateInfo

loc_8E9E00:				; CODE XREF: PspUpdateCreateInfo+4Dj
		mov	[ebp+ms_exc.disabled], esi
		mov	cx, [ebx+3Ah]
		mov	eax, [ebp+var_24]
		mov	[eax+8], cx
		jmp	loc_7A5048
; END OF FUNCTION CHUNK	FOR PspUpdateCreateInfo

;  S U B	R O U T	I N E 


sub_8E9E13	proc near		; DATA XREF: .text:006A2454o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E9E13	endp


;  S U B	R O U T	I N E 


sub_8E9E21	proc near		; DATA XREF: .text:006A2458o

; FUNCTION CHUNK AT 008E9DB8 SIZE 00000011 BYTES

		mov	edi, [ebp-34h]
		jmp	short loc_8E9DB8
sub_8E9E21	endp


;  S U B	R O U T	I N E 


sub_8E9E26	proc near		; DATA XREF: .text:006A2460o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E9E26	endp


;  S U B	R O U T	I N E 


sub_8E9E34	proc near		; DATA XREF: .text:006A2484o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E9E34	endp


;  S U B	R O U T	I N E 


sub_8E9E42	proc near		; DATA XREF: .text:006A2488o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-40h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		jmp	loc_7A506E
sub_8E9E42	endp

; 
; START	OF FUNCTION CHUNK FOR PspPropagateHandle

loc_8E9E56:				; CODE XREF: PspPropagateHandle+17j
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		xor	eax, eax
		mov	[edx], eax
		jmp	loc_7A50E5
; END OF FUNCTION CHUNK	FOR PspPropagateHandle
; 
; START	OF FUNCTION CHUNK FOR ExEnumHandleTable

loc_8E9E64:				; CODE XREF: ExEnumHandleTable+4Cj
		push	edx
		mov	edx, ebx
		mov	ecx, edi
		call	_ExpBlockOnLockedHandleEntry@12	; ExpBlockOnLockedHandleEntry(x,x,x)
		jmp	loc_7A51A0
; END OF FUNCTION CHUNK	FOR ExEnumHandleTable
; 
; START	OF FUNCTION CHUNK FOR ObpEnumFindHandleProcedure

loc_8E9E73:				; CODE XREF: ObpEnumFindHandleProcedure+7Aj
		mov	edx, 7
		mov	ecx, esi
		call	_ExGetHandleAttributes@8 ; ExGetHandleAttributes(x,x)
		cmp	[edi], eax
		jnz	short loc_8E9E94
		mov	eax, [esi+4]
		and	eax, 1FFFFFFh
		cmp	[edi+4], eax
		jz	loc_7A52A0

loc_8E9E94:				; CODE XREF: ObpEnumFindHandleProcedure+144C61j
		xor	bl, bl
		jmp	loc_7A5292
; END OF FUNCTION CHUNK	FOR ObpEnumFindHandleProcedure
; 
; START	OF FUNCTION CHUNK FOR NtAlpcQueryInformationMessage

loc_8E9E9B:				; CODE XREF: NtAlpcQueryInformationMessage+71j
		mov	esi, 0C000000Dh
		jmp	loc_7A53FF
; 

loc_8E9EA5:				; CODE XREF: NtAlpcQueryInformationMessage+BBj
		mov	esi, 0C0000703h
		jmp	loc_7A53E3
; 

loc_8E9EAF:				; CODE XREF: NtAlpcQueryInformationMessage+D0j
		push	edi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		mov	edx, ebx
		mov	ecx, [ebp+var_1C]
		call	_AlpcpQueryTokenModifiedIdMessage@20 ; AlpcpQueryTokenModifiedIdMessage(x,x,x,x,x)
		jmp	loc_7A53E1
; 

loc_8E9EC5:				; CODE XREF: NtAlpcQueryInformationMessage+FEj
		mov	ecx, ebx
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	loc_7A53F0
; END OF FUNCTION CHUNK	FOR NtAlpcQueryInformationMessage

;  S U B	R O U T	I N E 


sub_8E9ED1	proc near		; DATA XREF: .text:006A24A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8E9ED1	endp


;  S U B	R O U T	I N E 


sub_8E9EDF	proc near		; DATA XREF: .text:006A24A8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-30h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7A53FF
sub_8E9EDF	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpQueryHandleInformationMessage

loc_8E9EF1:				; CODE XREF: AlpcpQueryHandleInformationMessage+1Ej
		mov	eax, 0C0000004h
		jmp	loc_7A559E
; 

loc_8E9EFB:				; CODE XREF: AlpcpQueryHandleInformationMessage+69j
		mov	eax, 0C0000024h
		jmp	loc_7A559E
; END OF FUNCTION CHUNK	FOR AlpcpQueryHandleInformationMessage

;  S U B	R O U T	I N E 


sub_8E9F05	proc near		; DATA XREF: .text:006A24D0o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E9F05	endp


;  S U B	R O U T	I N E 


sub_8E9F0B	proc near		; DATA XREF: .text:006A24D4o
		mov	esp, [ebp-18h]
		jmp	loc_7A5594
sub_8E9F0B	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpQueryHandleInformationMessage

loc_8E9F13:				; CODE XREF: AlpcpQueryHandleInformationMessage+3Bj
					; AlpcpQueryHandleInformationMessage+44j
		mov	eax, 0C0000008h
		jmp	loc_7A559E
; END OF FUNCTION CHUNK	FOR AlpcpQueryHandleInformationMessage

;  S U B	R O U T	I N E 


sub_8E9F1D	proc near		; DATA XREF: .text:006A24C4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E9F1D	endp


;  S U B	R O U T	I N E 


sub_8E9F2D	proc near		; DATA XREF: .text:006A24C8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7A559E
sub_8E9F2D	endp


;  S U B	R O U T	I N E 


sub_8E9F3F	proc near		; DATA XREF: .text:006A24ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E9F3F	endp


;  S U B	R O U T	I N E 


sub_8E9F4F	proc near		; DATA XREF: .text:006A24F0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7A5601
sub_8E9F4F	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpCaptureHandleAttributeInternal

loc_8E9F61:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+163j
		mov	eax, 0C0000722h
		jmp	loc_7A574E
; 

loc_8E9F6B:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+18Dj
		mov	eax, 0C0000017h
		jmp	loc_7A574E
; 

loc_8E9F75:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+20Fj
		mov	esi, 0C000000Dh
		mov	[ebp+var_3C], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7A573C
; END OF FUNCTION CHUNK	FOR AlpcpCaptureHandleAttributeInternal

;  S U B	R O U T	I N E 


sub_8E9F89	proc near		; DATA XREF: .text:006A250Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8E9F89	endp


;  S U B	R O U T	I N E 


sub_8E9F99	proc near		; DATA XREF: .text:006A2510o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-38h]
		mov	[ebp-3Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-28h]
		mov	edi, [ebp-40h]
		jmp	loc_7A573C
sub_8E9F99	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpCaptureHandleAttributeInternal

loc_8E9FB4:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+61j
		mov	esi, 0C000009Ah
		jmp	loc_7A573C
; 

loc_8E9FBE:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+10Aj
		mov	esi, 0C0000022h
		jmp	loc_7A573C
; 

loc_8E9FC8:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+12Cj
		xor	edx, edx
		inc	edx
		mov	ecx, edi
		call	AlpcpDereferenceBlobEx
		jmp	loc_7A5744
; 

loc_8E9FD7:				; CODE XREF: AlpcpCaptureHandleAttributeInternal+2Bj
					; AlpcpCaptureHandleAttributeInternal+16Cj
		mov	eax, 0C000000Dh
		jmp	loc_7A574E
; END OF FUNCTION CHUNK	FOR AlpcpCaptureHandleAttributeInternal
; 
; START	OF FUNCTION CHUNK FOR ObCaptureObjectStateForDuplication

loc_8E9FE1:				; CODE XREF: ObCaptureObjectStateForDuplication+E6j
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, [ebp+var_4]
		mov	edx, 7544624Fh
		call	ObfDereferenceObjectWithTag

loc_8E9FF9:				; CODE XREF: ObCaptureObjectStateForDuplication+32j
		mov	eax, 0C0000022h
		jmp	loc_7A5993
; 

loc_8EA003:				; CODE XREF: ObCaptureObjectStateForDuplication+3Fj
		mov	eax, 0C000010Ah
		jmp	loc_7A5993
; 

loc_8EA00D:				; CODE XREF: ObCaptureObjectStateForDuplication+73j
		xor	ecx, ecx
		jmp	loc_7A58D0
; 

loc_8EA014:				; CODE XREF: ObCaptureObjectStateForDuplication+CBj
		add	eax, 34h
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	eax, [ebp+arg_4]
		jmp	loc_7A5925
; 

loc_8EA029:				; CODE XREF: ObCaptureObjectStateForDuplication+118j
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObjectWithTag
		jmp	loc_7A5990
; 

loc_8EA036:				; CODE XREF: ObCaptureObjectStateForDuplication+67j
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	eax, ebx
		jmp	loc_7A5993
; END OF FUNCTION CHUNK	FOR ObCaptureObjectStateForDuplication
; 
; START	OF FUNCTION CHUNK FOR ObCompleteObjectDuplication

loc_8EA048:				; CODE XREF: ObCompleteObjectDuplication+25j
		mov	eax, 0C000010Ah
		jmp	loc_7A5AD1
; 

loc_8EA052:				; CODE XREF: ObCompleteObjectDuplication+15Ej
		mov	edx, [esp+30h+var_14]
		mov	ecx, edi
		lea	edx, [edx-18h]
		call	_ObpDecrementHandleCount@8 ; ObpDecrementHandleCount(x,x)

loc_8EA060:				; CODE XREF: ObCompleteObjectDuplication+5Bj
		lea	ecx, [edi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_7A5ACF
; 

loc_8EA070:				; CODE XREF: ObCompleteObjectDuplication+E0j
		push	7Ch
		xor	edx, edx
		pop	ecx
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jz	short loc_8EA0AF
		mov	edx, [esp+30h+var_1C]
		mov	ecx, [esi+4]
		push	edi
		push	dword ptr [esi]
		call	_SeAuditHandleDuplication@16 ; SeAuditHandleDuplication(x,x,x,x)
		jmp	short loc_8EA0AF
; 

loc_8EA08F:				; CODE XREF: ObCompleteObjectDuplication+D6j
		mov	ecx, [esi+8]
		mov	edx, 7544624Fh
		call	ObfDereferenceObjectWithTag
		mov	edx, [esp+30h+var_14]
		mov	ecx, edi
		lea	edx, [edx-18h]
		call	_ObpDecrementHandleCount@8 ; ObpDecrementHandleCount(x,x)
		mov	ebx, 0C000009Ah

loc_8EA0AF:				; CODE XREF: ObCompleteObjectDuplication+1446DAj
					; ObCompleteObjectDuplication+1446EBj
		mov	eax, [esp+30h+var_1C]
		jmp	loc_7A5A88
; 

loc_8EA0B8:				; CODE XREF: ObCompleteObjectDuplication+EBj
		or	eax, 80000000h
		mov	[esp+30h+var_1C], eax
		jmp	loc_7A5A93
; 

loc_8EA0C6:				; CODE XREF: ObCompleteObjectDuplication+104j
		mov	dl, [esp+30h+var_1D]
		lea	eax, [esp+30h+var_8]
		mov	ecx, [esi+8]
		push	eax
		push	[esp+34h+var_18]
		push	ebx
		call	_ObpPostInterceptHandleDuplicate@20 ; ObpPostInterceptHandleDuplicate(x,x,x,x,x)
		jmp	loc_7A5AAC
; 

loc_8EA0E1:				; CODE XREF: ObCompleteObjectDuplication+127j
		test	ebx, ebx
		js	loc_7A5ACF
		push	[esp+30h+var_C]
		mov	eax, [esi]
		push	dword ptr [edi+0E4h]
		mov	ecx, [esi+4]
		push	dword ptr [eax+0E4h]
		push	dword ptr [esi+8]
		call	_EtwTraceDuplicateHandle@24 ; EtwTraceDuplicateHandle(x,x,x,x,x,x)
		jmp	loc_7A5ACF
; END OF FUNCTION CHUNK	FOR ObCompleteObjectDuplication
; 
; START	OF FUNCTION CHUNK FOR NtDuplicateObject

loc_8EA10B:				; CODE XREF: NtDuplicateObject+74j
		mov	ecx, eax
		jmp	loc_7A5BAA
; END OF FUNCTION CHUNK	FOR NtDuplicateObject

;  S U B	R O U T	I N E 


sub_8EA112	proc near		; DATA XREF: .text:006A252Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	eax, 1
		retn
sub_8EA112	endp


;  S U B	R O U T	I N E 


sub_8EA122	proc near		; DATA XREF: .text:006A2530o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-30h]
		jmp	loc_7A5C73
sub_8EA122	endp

; 
; START	OF FUNCTION CHUNK FOR NtDuplicateObject

loc_8EA134:				; CODE XREF: NtDuplicateObject+DEj
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		jmp	loc_7A5C17
; END OF FUNCTION CHUNK	FOR NtDuplicateObject

;  S U B	R O U T	I N E 


sub_8EA13E	proc near		; DATA XREF: .text:006A2538o
		mov	eax, large fs:124h
		mov	[ebp-34h], eax
		mov	eax, [ebp-34h]
		mov	al, [eax+15Ah]
		mov	[ebp-19h], al
		mov	cl, [ebp-19h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_8EA13E	endp


;  S U B	R O U T	I N E 


sub_8EA15E	proc near		; DATA XREF: .text:006A253Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp+8]
		mov	ebx, [ebp-20h]
		jmp	loc_7A5C4D
sub_8EA15E	endp

; 
; START	OF FUNCTION CHUNK FOR ObDuplicateObject

loc_8EA173:				; CODE XREF: ObDuplicateObject+351j
		mov	eax, 0C0000022h
		jmp	loc_7A5F65
; 

loc_8EA17D:				; CODE XREF: ObDuplicateObject+135j
		mov	eax, [ebp+arg_18]
		test	al, 1
		jz	short loc_8EA1A5
		lea	eax, [esp+1B0h+var_160]
		push	eax
		push	[esp+1B4h+var_1A0]
		call	KeStackAttachProcess
		push	[esp+1B0h+var_17C]
		call	NtClose
		lea	eax, [esp+1B0h+var_160]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)

loc_8EA1A5:				; CODE XREF: ObDuplicateObject+1444E2j
		mov	ecx, [esp+1B0h+var_1A0]
		lea	ecx, [ecx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, [esp+1B0h+var_19C]
		mov	edx, 6E48624Fh
		call	ObfDereferenceObjectWithTag

loc_8EA1C2:				; CODE XREF: ObDuplicateObject+D6j
		mov	eax, 0C000010Ah
		jmp	loc_7A5F65
; 

loc_8EA1CC:				; CODE XREF: ObDuplicateObject+405j
					; ObDuplicateObject+412j
		mov	[esp+1B0h+var_18C], 0C0000022h
		xor	esi, esi
		jmp	loc_7A5EA0
; 

loc_8EA1DB:				; CODE XREF: ObDuplicateObject+485j
		mov	eax, [esi+30h]
		or	ebx, 4
		mov	eax, [eax+18h]
		mov	[esp+1B0h+var_16C], eax
		jmp	loc_7A5EBE
; 

loc_8EA1ED:				; CODE XREF: ObDuplicateObject+3B1j
		mov	ebx, [esp+1B0h+var_194]
		mov	ecx, ebx
		mov	edx, [esp+1B0h+var_178]
		call	_ObpDecrementHandleCount@8 ; ObpDecrementHandleCount(x,x)
		test	esi, esi
		jz	short loc_8EA206
		push	esi
		call	SeDeleteAccessState

loc_8EA206:				; CODE XREF: ObDuplicateObject+14455Ej
		mov	ecx, [esp+1B0h+var_1A0]
		lea	ecx, [ecx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		lea	ecx, [ebx+0F0h]
		jmp	loc_7A5FB6
; 

loc_8EA220:				; CODE XREF: ObDuplicateObject+495j
		mov	eax, [eax]
		jmp	loc_7A613B
; 

loc_8EA227:				; CODE XREF: ObDuplicateObject+26Bj
		test	esi, esi
		jz	short loc_8EA237
		mov	edx, [esi+1Ch]
		test	edx, edx
		jnz	short loc_8EA239
		mov	edx, [esi+24h]
		jmp	short loc_8EA239
; 

loc_8EA237:				; CODE XREF: ObDuplicateObject+144589j
		xor	edx, edx

loc_8EA239:				; CODE XREF: ObDuplicateObject+144590j
					; ObDuplicateObject+144595j
		mov	ecx, 7Ch
		call	SeAuditingWithTokenForSubcategory
		mov	ebx, [esp+1B0h+var_194]
		mov	edx, [esp+1B0h+var_190]
		test	al, al
		jz	loc_7A5F15
		mov	ecx, [esp+1B0h+var_17C]
		push	ebx
		push	[esp+1B4h+var_1A0]
		call	_SeAuditHandleDuplication@16 ; SeAuditHandleDuplication(x,x,x,x)
		mov	edx, [esp+1B0h+var_190]
		jmp	loc_7A5F15
; 

loc_8EA26A:				; CODE XREF: ObDuplicateObject+25Aj
		mov	ebx, [esp+1B0h+var_194]
		mov	ecx, ebx
		mov	edx, [esp+1B0h+var_178]
		call	_ObpDecrementHandleCount@8 ; ObpDecrementHandleCount(x,x)
		mov	ecx, [esp+1B0h+var_19C]
		mov	edx, 6E48624Fh
		call	ObfDereferenceObjectWithTag
		mov	edx, [esp+1B0h+var_190]
		mov	[esp+1B0h+var_18C], 0C000009Ah
		jmp	loc_7A5F15
; 

loc_8EA298:				; CODE XREF: ObDuplicateObject+2BDj
		test	esi, esi
		js	loc_7A5F63
		push	[esp+1B0h+var_180]
		mov	eax, [ebx+0E4h]
		mov	edx, [esp+1B4h+var_190]
		mov	ecx, [esp+1B4h+var_17C]
		push	eax
		mov	eax, [edi+0E4h]
		push	eax
		push	[esp+1BCh+var_19C]
		call	_EtwTraceDuplicateHandle@24 ; EtwTraceDuplicateHandle(x,x,x,x,x,x)
		jmp	loc_7A5F63
; END OF FUNCTION CHUNK	FOR ObDuplicateObject
; 
; START	OF FUNCTION CHUNK FOR ObpReferenceProcessObjectByHandle

loc_8EA2C8:				; CODE XREF: ObpReferenceProcessObjectByHandle+93j
		mov	ecx, [ebp+arg_4]
		mov	edx, edi
		call	_ExpGetHandleExtraInfo@8 ; ExpGetHandleExtraInfo(x,x)
		mov	ecx, [esi]
		mov	edx, [esi+4]
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_4], edx
		test	eax, eax
		jz	loc_7A6319
		mov	edx, [ebp+arg_14]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[edx], ecx
		mov	ecx, [ebp+arg_0]
		mov	[edx+4], eax
		mov	edx, [ebp+var_4]
		jmp	loc_7A6329
; 

loc_8EA2FD:				; CODE XREF: ObpReferenceProcessObjectByHandle+E2j
		push	eax
		push	10h
		lea	eax, [ebx+18h]
		push	eax
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8EA30E:				; CODE XREF: ExCreateHandleEx+29j
		or	edi, 2000000h
		jmp	loc_7A64CF
; END OF FUNCTION CHUNK	FOR ObpReferenceProcessObjectByHandle
; 
; START	OF FUNCTION CHUNK FOR ExCreateHandleEx

loc_8EA319:				; CODE XREF: ExCreateHandleEx+66j
					; ExCreateHandleEx+70j
		push	ecx
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	_ExpSetHandleExtraInfo@12 ; ExpSetHandleExtraInfo(x,x,x)
		test	eax, eax
		jz	short loc_8EA33B
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		push	esi
		call	ExpFreeHandleTableEntry
		xor	esi, esi
		jmp	loc_7A6528
; 

loc_8EA33B:				; CODE XREF: ExCreateHandleEx+143E86j
		mov	eax, [ebp+arg_0]
		jmp	loc_7A6516
; 

loc_8EA343:				; CODE XREF: ExCreateHandleEx+7Dj
		mov	edx, [ebp+var_8]
		push	1
		push	esi
		call	_ExpUpdateDebugInfo@16 ; ExpUpdateDebugInfo(x,x,x,x)
		mov	eax, [ebp+arg_0]
		jmp	loc_7A6523
; END OF FUNCTION CHUNK	FOR ExCreateHandleEx
; 
; START	OF FUNCTION CHUNK FOR PsEnumProcessThreads

loc_8EA356:				; CODE XREF: PsEnumProcessThreads+29j
		mov	edx, 6E457350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	loc_7A67D6
; END OF FUNCTION CHUNK	FOR PsEnumProcessThreads
; 
; START	OF FUNCTION CHUNK FOR NtTerminateThread

loc_8EA367:				; CODE XREF: NtTerminateThread+29j
		mov	eax, 0C00000DBh

loc_8EA36C:				; CODE XREF: NtTerminateThread+3Cj
					; NtTerminateThread+143BBBj
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_8EA372:				; CODE XREF: NtTerminateThread+46j
		mov	al, [edi+15Ah]
		push	0
		mov	byte ptr [ebp+arg_0], al
		lea	eax, [ebp+var_4]
		push	eax
		push	65547350h
		push	[ebp+arg_0]
		push	ds:_PsThreadType
		push	1
		push	ecx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8EA36C
		cmp	[ebp+var_4], edi
		jnz	short loc_8EA3B4
		mov	ecx, [ebp+var_4]
		mov	edx, 65547350h
		call	ObfDereferenceObjectWithTag
		jmp	loc_7A680F
; 

loc_8EA3B4:				; CODE XREF: NtTerminateThread+143BC0j
		push	0
		push	[ebp+arg_4]
		push	[ebp+var_4]
		call	PspTerminateThreadByPointer
		mov	ecx, [ebp+var_4]
		mov	edx, 65547350h
		mov	esi, eax
		call	ObfDereferenceObjectWithTag
		jmp	loc_7A681A
; END OF FUNCTION CHUNK	FOR NtTerminateThread
; 
; START	OF FUNCTION CHUNK FOR PspTerminateThreadByPointer

loc_8EA3D5:				; CODE XREF: PspTerminateThreadByPointer+1Ej
		mov	eax, [edi+0FCh]
		test	eax, 40000008h
		jnz	loc_7A6850
		push	[ebp+arg_4]
		push	edi
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		push	eax
		lea	eax, [edi+1ACh]
		mov	edx, esi
		push	eax
		mov	ecx, offset ??_C@_0CK@PGHPCIEJ@Terminating?5critical?5thread?50x?$CF@NNGAKEGL@
		call	_PspCatchCriticalBreak@20 ; PspCatchCriticalBreak(x,x,x,x,x)
		jmp	loc_7A6850
; END OF FUNCTION CHUNK	FOR PspTerminateThreadByPointer
; 
; START	OF FUNCTION CHUNK FOR PspTerminateAllThreads

loc_8EA408:				; CODE XREF: PspTerminateAllThreads+1Cj
		push	[ebp+arg_0]
		push	esi
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		push	eax
		lea	eax, [esi+1ACh]
		mov	edx, esi
		push	eax
		mov	ecx, offset ??_C@_0CI@EJAHBKOC@Terminating?5critical?5process?50x@NNGAKEGL@
		call	_PspCatchCriticalBreak@20 ; PspCatchCriticalBreak(x,x,x,x,x)
		jmp	loc_7A6928
; 

loc_8EA42A:				; CODE XREF: PspTerminateAllThreads+168j
		cmp	esi, eax
		jz	loc_7A6A74
		jmp	loc_7A6ABA
; END OF FUNCTION CHUNK	FOR PspTerminateAllThreads
; 
; START	OF FUNCTION CHUNK FOR RtlpInheritAcl2

loc_8EA437:				; CODE XREF: RtlpInheritAcl2+138j
		mov	eax, ecx
		jmp	loc_7AB519
; 

loc_8EA43E:				; CODE XREF: RtlpInheritAcl2+142j
		test	eax, eax
		jz	loc_7AB378
		movzx	eax, word ptr [edi+4]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	edi
		call	_RtlFirstFreeAce@8 ; RtlFirstFreeAce(x,x)
		test	al, al
		jnz	loc_7AB378

loc_8EA45F:				; CODE XREF: RtlpInheritAcl2+2BFj
					; RtlpInheritAcl2+13F27Bj
		mov	eax, 0C000007Dh
		jmp	loc_7AB519
; 

loc_8EA469:				; CODE XREF: RtlpInheritAcl2+3F2j
		cmp	eax, 4
		jnz	loc_7AB5B8
		mov	eax, 0C0000077h
		jmp	loc_7AB519
; 

loc_8EA47C:				; CODE XREF: RtlpInheritAcl2+233j
		mov	[ebp+var_2], 1
		jmp	loc_7AB469
; 

loc_8EA485:				; CODE XREF: RtlpInheritAcl2+2A0j
		test	edx, edx
		jz	loc_7AB4DD
		cmp	[ebp+var_2], 0
		jz	loc_7AB4DD
		test	bl, bl
		jnz	loc_7AB4DD
		lea	eax, [ebp+var_28]
		push	eax
		push	edi
		call	_RtlFirstFreeAce@8 ; RtlFirstFreeAce(x,x)
		test	al, al
		jz	short loc_8EA45F
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	short loc_8EA4BA
		movzx	eax, word ptr [edi+2]
		add	eax, edi

loc_8EA4BA:				; CODE XREF: RtlpInheritAcl2+13F282j
		mov	ecx, [ebp+var_2C]
		sub	eax, ecx
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [edi+8]
		push	eax		; void *
		call	_memmove
		mov	eax, [ebp+var_30]
		add	esp, 0Ch
		sub	[edi+4], ax
		xor	ecx, ecx
		mov	edx, [ebp+var_8]
		jmp	loc_7AB4E0
; 

loc_8EA4DE:				; CODE XREF: RtlpInheritAcl2+191j
		mov	eax, 0C0000058h
		jmp	loc_7AB519
; END OF FUNCTION CHUNK	FOR RtlpInheritAcl2
; 
; START	OF FUNCTION CHUNK FOR RtlpGenerateInheritedAce

loc_8EA4E8:				; CODE XREF: RtlpGenerateInheritedAce+62j
					; RtlpGenerateInheritedAce+6Dj	...
		mov	eax, 0C000007Dh
		jmp	loc_7AB71A
; END OF FUNCTION CHUNK	FOR RtlpGenerateInheritedAce
; 
; START	OF FUNCTION CHUNK FOR RtlpCopyAces

loc_8EA4F2:				; CODE XREF: RtlpCopyAces+5Cj
		movzx	eax, word ptr [ebx+2]
		add	eax, ebx
		mov	[ebp+var_1C], eax

loc_8EA4FB:				; CODE XREF: RtlpCopyAces+13EC2Bj
		cmp	ecx, eax
		jnb	short loc_8EA56D
		movzx	eax, word ptr [ecx+2]
		inc	edi
		add	ecx, eax
		mov	eax, [ebp+var_1C]
		cmp	edi, edx
		jb	short loc_8EA4FB
		jmp	loc_7AB942
; 

loc_8EA512:				; CODE XREF: RtlpCopyAces+A8j
		test	byte ptr [edi+1], 10h
		jz	loc_7ABA57
		jmp	loc_7AB9A0
; 

loc_8EA521:				; CODE XREF: RtlpCopyAces+1F1j
		test	al, 10h
		jz	loc_7ABAD7
		mov	dl, 1
		jmp	loc_7ABAD7
; 

loc_8EA530:				; CODE XREF: RtlpCopyAces+330j
		test	al, al
		jnz	loc_7ABC16
		mov	al, byte ptr [ebp+var_F+2]
		jmp	loc_7ABB49
; 

loc_8EA540:				; CODE XREF: RtlpCopyAces+3EAj
		cmp	al, 4
		jz	loc_7ABA33
		cmp	al, 5
		jz	loc_7ABA33
		cmp	al, 6
		jz	loc_7ABA33
		cmp	al, 0Ah
		jz	loc_7ABA33
		mov	eax, [edx+0Ch]
		or	eax, 1000000h
		jmp	loc_7ABA36
; 

loc_8EA56D:				; CODE XREF: RtlpCopyAces+19Cj
					; RtlpCopyAces+22Cj ...
		mov	eax, 0C000007Dh
		jmp	loc_7ABA94
; END OF FUNCTION CHUNK	FOR RtlpCopyAces
; 
; START	OF FUNCTION CHUNK FOR RtlpCopyEffectiveAce

loc_8EA577:				; CODE XREF: RtlpCopyEffectiveAce+A4j
		mov	eax, [ebp+var_9C]
		mov	[ebp+var_94], eax
		jmp	loc_7ABD9A
; 

loc_8EA588:				; CODE XREF: RtlpCopyEffectiveAce+B1j
		mov	eax, [ebp+var_98]
		mov	[ebp+var_90], eax
		jmp	loc_7ABDA7
; 

loc_8EA599:				; CODE XREF: RtlpCopyEffectiveAce+FEj
		mov	byte ptr [ecx],	1
		jmp	loc_7ABE24
; 

loc_8EA5A1:				; CODE XREF: RtlpCopyEffectiveAce+347j
					; RtlpCopyEffectiveAce+350j
		mov	al, ah
		sub	al, 0Dh
		cmp	al, 1
		jbe	loc_7AC046
		cmp	ah, 4
		jnz	loc_8EA673
		lea	eax, [edx+0Ch]
		push	eax
		mov	[ebp+var_6C], eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	ecx, [ebp+var_58]
		lea	edx, [ebp+var_54]
		add	ecx, 0Ch
		mov	[ebp+var_64], 0Ch
		add	eax, ecx
		mov	ecx, [ebp+var_6C]
		mov	[ebp+var_68], eax
		call	RtlEqualPrefixSid
		test	al, al
		jz	short loc_8EA656
		mov	ecx, [ebp+var_6C]
		mov	eax, [ecx+8]
		cmp	eax, 3		; switch 4 cases
		ja	short loc_8EA625 ; default
		jmp	ds:off_8EA803[eax*4] ; switch jump

loc_8EA5F5:				; DATA XREF: PAGE:off_8EA803o
		mov	eax, [ebp+var_9C] ; case 0x0
		jmp	short loc_8EA603
; 

loc_8EA5FD:				; CODE XREF: RtlpCopyEffectiveAce+13E8FEj
					; DATA XREF: PAGE:off_8EA803o
		mov	eax, [ebp+var_90] ; case 0x3

loc_8EA603:				; CODE XREF: RtlpCopyEffectiveAce+13E90Bj
					; RtlpCopyEffectiveAce+13E933j	...
		mov	[ebp+var_6C], eax
		movzx	eax, byte ptr [eax+1]
		lea	esi, [esi+eax*4]
		mov	eax, [ebp+var_60]
		add	esi, 0FFFFFFFCh
		mov	byte ptr [eax],	1
		jmp	loc_7AC079
; 

loc_8EA61B:				; CODE XREF: RtlpCopyEffectiveAce+13E8FEj
					; DATA XREF: PAGE:off_8EA803o
		mov	eax, [ebp+var_98] ; case 0x1
		test	eax, eax
		jnz	short loc_8EA603

loc_8EA625:				; CODE XREF: RtlpCopyEffectiveAce+13E8FCj
		mov	eax, [ebp+var_60] ; default
		mov	edx, [ebp+var_58]
		cmp	byte ptr [eax],	0
		jnz	loc_7AC07C
		movzx	eax, byte ptr [ecx+1]
		mov	[ebp+var_6C], 0
		lea	eax, ds:14h[eax*4]
		mov	[ebp+var_64], eax
		jmp	loc_7AC07C
; 

loc_8EA64E:				; CODE XREF: RtlpCopyEffectiveAce+13E8FEj
					; DATA XREF: PAGE:off_8EA803o
		mov	eax, [ebp+var_94] ; case 0x2
		jmp	short loc_8EA603
; 

loc_8EA656:				; CODE XREF: RtlpCopyEffectiveAce+13E8F1j
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_6C], 0
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:14h[eax*4]
		mov	[ebp+var_64], eax
		jmp	loc_7AC079
; 

loc_8EA673:				; CODE XREF: RtlpCopyEffectiveAce+13E8C0j
		mov	eax, [edx+8]
		mov	ecx, eax
		and	eax, 1
		and	ecx, 2
		shl	eax, 4
		mov	[ebp+var_74], eax
		mov	eax, ecx
		neg	eax
		sbb	eax, eax
		and	eax, 10h
		add	eax, 0Ch
		add	eax, [ebp+var_74]
		mov	[ebp+var_64], eax
		add	eax, edx
		mov	[ebp+var_68], eax
		test	ecx, ecx
		jz	short loc_8EA6A9
		mov	eax, [ebp+var_74]
		lea	ecx, [edx+0Ch]
		add	ecx, eax
		jmp	short loc_8EA6AB
; 

loc_8EA6A9:				; CODE XREF: RtlpCopyEffectiveAce+13E9ADj
		xor	ecx, ecx	; void *

loc_8EA6AB:				; CODE XREF: RtlpCopyEffectiveAce+13E9B7j
		cmp	[ebp+var_78], 0
		jz	loc_7AC07C
		test	ecx, ecx
		jz	loc_7AC07C
		mov	edx, [ebp+arg_18] ; int
		test	edx, edx
		jz	loc_8EA74C
		push	[ebp+arg_1C]	; int
		call	_RtlpGuidPresentInGuidList@12 ;	RtlpGuidPresentInGuidList(x,x,x)
		test	al, al
		jz	short loc_8EA74C
		cmp	[ebp+arg_0], 0
		mov	eax, [ebp+var_78]
		mov	byte ptr [eax],	1
		jnz	short loc_8EA743
		mov	eax, [ebp+var_60]
		mov	ecx, [ebp+var_58]
		mov	byte ptr [eax],	1
		test	byte ptr [ecx+8], 1
		mov	eax, [ebp+var_64]
		jz	short loc_8EA712
		sub	eax, 10h
		sub	esi, 10h
		push	eax		; size_t
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_24]
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_58]
		add	esp, 0Ch
		and	[ebp+var_1C], 0FFFFFFFDh
		jmp	short loc_8EA738
; 

loc_8EA712:				; CODE XREF: RtlpCopyEffectiveAce+13EA00j
		sub	eax, 14h
		sub	esi, 14h
		push	eax		; size_t
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_24]
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_58]
		add	esp, 0Ch
		movzx	eax, byte ptr [edx]
		mov	al, ds:_RtlBaseAceType[eax]
		mov	byte ptr [ebp+var_24], al

loc_8EA738:				; CODE XREF: RtlpCopyEffectiveAce+13EA20j
		lea	eax, [ebp+var_24]
		mov	[ebp+var_80], eax
		jmp	loc_7AC07C
; 

loc_8EA743:				; CODE XREF: RtlpCopyEffectiveAce+13E9EEj
		mov	[ebp+var_6D], 1
		jmp	loc_7AC079
; 

loc_8EA74C:				; CODE XREF: RtlpCopyEffectiveAce+13E9D2j
					; RtlpCopyEffectiveAce+13E9E2j
		xor	esi, esi
		jmp	loc_7ABE35
; 

loc_8EA753:				; CODE XREF: RtlpCopyEffectiveAce+397j
		mov	eax, [ebp+var_98]
		test	eax, eax
		jz	loc_7ABEE8
		jmp	loc_7ABFB6
; 

loc_8EA766:				; CODE XREF: RtlpCopyEffectiveAce+1FFj
		cmp	byte ptr [eax],	0
		jz	loc_7ABEF5
		mov	eax, [ebp+var_58]
		mov	ecx, [ebp+var_64]
		test	byte ptr [eax+8], 1
		jz	short loc_8EA79E
		sub	ecx, 10h
		sub	esi, 10h
		push	ecx		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_24]
		mov	[ebp+var_64], ecx
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	edx, [ebp+var_24]
		and	[ebp+var_1C], 0FFFFFFFDh
		jmp	loc_7ABEF8
; 

loc_8EA79E:				; CODE XREF: RtlpCopyEffectiveAce+13EA89j
		sub	ecx, 14h
		sub	esi, 14h
		push	ecx		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_24]
		mov	[ebp+var_64], ecx
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_58]
		lea	edx, [ebp+var_24]
		add	esp, 0Ch
		movzx	eax, byte ptr [ecx]
		mov	al, ds:_RtlBaseAceType[eax]
		mov	byte ptr [ebp+var_24], al
		jmp	loc_7ABEF8
; 

loc_8EA7CC:				; CODE XREF: RtlpCopyEffectiveAce+240j
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		mov	eax, [ebp+var_6C]
		add	esp, 0Ch
		mov	edx, [ebp+var_80]
		movzx	eax, byte ptr [eax+1]
		lea	edx, [edx+eax*4]
		add	edx, 8
		mov	[ebp+var_80], edx
		jmp	loc_7ABF36
; 

loc_8EA7FA:				; CODE XREF: RtlpCopyEffectiveAce+13Aj
					; RtlpCopyEffectiveAce+286j
		xor	al, al
		jmp	loc_7ABE41
; END OF FUNCTION CHUNK	FOR RtlpCopyEffectiveAce
; 
		db 8Bh,	0FFh
off_8EA803	dd offset loc_8EA5F5	; DATA XREF: RtlpCopyEffectiveAce+13E8FEr
		dd offset loc_8EA61B	; jump table for switch	statement
		dd offset loc_8EA64E
		dd offset loc_8EA5FD
; 
; START	OF FUNCTION CHUNK FOR RtlEqualPrefixSid

loc_8EA813:				; CODE XREF: RtlEqualPrefixSid+7Ej
		push	6		; size_t
		lea	eax, [ebp+var_C]
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7AC15C
		push	5
		pop	ecx
		jmp	loc_7AC15F
; 

loc_8EA832:				; CODE XREF: RtlEqualPrefixSid+8Fj
		lea	edx, [edi+8]
		sub	esi, edi

loc_8EA837:				; CODE XREF: RtlEqualPrefixSid+13E770j
		mov	ecx, [edx]
		cmp	ecx, [esi+edx]
		jnz	loc_7AC129
		inc	ebx
		add	edx, 4
		cmp	ebx, eax
		jl	short loc_8EA837
		jmp	loc_7AC16D
; END OF FUNCTION CHUNK	FOR RtlEqualPrefixSid
; 
; START	OF FUNCTION CHUNK FOR PspChangeJobMemoryUsageByProcess

loc_8EA84F:				; CODE XREF: PspChangeJobMemoryUsageByProcess+83j
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		jmp	loc_7AC242
; 

loc_8EA859:				; CODE XREF: PspChangeJobMemoryUsageByProcess+E3j
					; PspChangeJobMemoryUsageByProcess+EBj
		cmp	[ebp+var_1], 0
		jz	short loc_8EA862

loc_8EA85F:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E6D0j
		mov	[ebp+var_1C], esi

loc_8EA862:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E6ADj
					; PspChangeJobMemoryUsageByProcess+13E6CEj
		mov	ebx, [ebp+var_18]
		mov	ecx, esi
		push	0
		mov	edx, ebx
		call	_PspUnlockJobMemoryLimitsExclusive@12 ;	PspUnlockJobMemoryLimitsExclusive(x,x,x)
		xor	al, al
		mov	[ebp+var_1], al
		jmp	loc_7AC361
; 

loc_8EA87A:				; CODE XREF: PspChangeJobMemoryUsageByProcess+224j
					; PspChangeJobMemoryUsageByProcess+232j
		cmp	[ebp+var_1], 0
		jz	short loc_8EA862
		jmp	short loc_8EA85F
; 

loc_8EA882:				; CODE XREF: PspChangeJobMemoryUsageByProcess+110j
		mov	ecx, [esi+150h]
		mov	[ebp+arg_4], ecx
		mov	ecx, 0FFFFFFFFh
		cmp	[ebp+var_C], edx
		jb	loc_7AC2C6
		ja	short loc_8EA8AC
		mov	ecx, [ebp+var_10]
		cmp	ecx, [ebp+arg_4]
		mov	ecx, 0FFFFFFFFh
		jbe	loc_7AC2C6

loc_8EA8AC:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E6E9j
		cmp	[ebp+var_8], edx
		jle	loc_7AC2C6
		mov	edx, 1
		jmp	loc_7AC2C6
; 

loc_8EA8BF:				; CODE XREF: PspChangeJobMemoryUsageByProcess+344j
					; PspChangeJobMemoryUsageByProcess+352j
		cmp	[ebp+var_8], 0
		jle	loc_7AC2D1

loc_8EA8C9:				; CODE XREF: PspChangeJobMemoryUsageByProcess+123j
		test	byte ptr [ebp+var_2C], 1
		mov	al, [ebp+var_1]
		jz	short loc_8EA8E0
		mov	[esi+208h], edi
		mov	[esi+20Ch], ebx
		jmp	short loc_8EA8EC
; 

loc_8EA8E0:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E720j
		test	al, al
		jz	short loc_8EA8EC
		xor	al, al
		mov	[ebp+var_1C], esi
		mov	[ebp+var_1], al

loc_8EA8EC:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E72Ej
					; PspChangeJobMemoryUsageByProcess+13E732j
		cmp	dword ptr [esi+0D4h], 0
		jz	loc_7AC2EC
		test	dword ptr [esi+1A8h], 200h
		jz	loc_7AC2EC
		mov	edx, [ebp+arg_0]
		add	edx, 0F8h
		mov	eax, [edx]
		and	al, 24h
		cmp	al, 4
		jnz	short loc_8EA93D
		mov	eax, 20h
		lock or	[edx], eax
		mov	eax, [ebp+arg_0]
		mov	edx, 0Ah
		push	1
		mov	ecx, esi
		mov	eax, [eax+0E4h]
		push	eax
		call	_PspSendJobNotification@16 ; PspSendJobNotification(x,x,x,x)
		or	ecx, 0FFFFFFFFh

loc_8EA93D:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E768j
		mov	al, [ebp+var_1]
		jmp	loc_7AC2EC
; 

loc_8EA945:				; CODE XREF: PspChangeJobMemoryUsageByProcess+15Aj
					; PspChangeJobMemoryUsageByProcess+163j
		or	edi, 0FFFFFFFFh
		xor	ebx, ebx
		jmp	loc_7AC319
; 

loc_8EA94F:				; CODE XREF: PspChangeJobMemoryUsageByProcess+2FAj
		cmp	ebx, eax
		ja	loc_7AC4A0
		jmp	loc_7AC4B0
; 

loc_8EA95C:				; CODE XREF: PspChangeJobMemoryUsageByProcess+1C7j
		mov	esi, [ebp+var_24]
		mov	edi, [ebp+var_1C]
		cmp	esi, edi
		jz	loc_7AC387

loc_8EA96A:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13E7EAj
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	_PspLockJobMemoryLimitsExclusive@12 ; PspLockJobMemoryLimitsExclusive(x,x,x)
		mov	eax, [ebp+var_3C]
		mov	edx, ebx
		sub	[esi+208h], eax
		mov	ecx, esi
		mov	eax, [ebp+var_40]
		sbb	[esi+20Ch], eax
		push	0
		call	_PspUnlockJobMemoryLimitsExclusive@12 ;	PspUnlockJobMemoryLimitsExclusive(x,x,x)
		mov	esi, [esi+244h]
		cmp	esi, edi
		jnz	short loc_8EA96A
		or	ecx, 0FFFFFFFFh
		jmp	loc_7AC389
; 

loc_8EA9A4:				; CODE XREF: PspChangeJobMemoryUsageByProcess+363j
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_7AC3C1
; 

loc_8EA9AE:				; CODE XREF: PspChangeJobMemoryUsageByProcess+13j
					; PspChangeJobMemoryUsageByProcess+23j
		mov	al, 1
		jmp	loc_7AC3C5
; END OF FUNCTION CHUNK	FOR PspChangeJobMemoryUsageByProcess
; 
; START	OF FUNCTION CHUNK FOR ExpAllocateMidLevelTable

loc_8EA9B5:				; CODE XREF: ExpAllocateMidLevelTable+2Dj
		mov	edi, [edi+0Ch]
		push	6274624Fh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jz	loc_7AC5F8
		push	1000h
		push	edi
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)
		jmp	loc_7AC5F8
; END OF FUNCTION CHUNK	FOR ExpAllocateMidLevelTable
; 
; START	OF FUNCTION CHUNK FOR ExpAllocateHandleTableEntrySlow

loc_8EA9DB:				; CODE XREF: ExpAllocateHandleTableEntrySlow+78j
		mov	ecx, [edi+0Ch]
		mov	edx, 80h
		call	_ExpAllocateTablePagedPool@8 ; ExpAllocateTablePagedPool(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_7AC6B1
		push	esi
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	ExpAllocateMidLevelTable
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_8EAA29
		mov	esi, [edi+0Ch]
		push	6274624Fh
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	loc_7AC6B1
		push	80h
		push	esi
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)
		jmp	loc_7AC6B1
; 

loc_8EAA29:				; CODE XREF: ExpAllocateHandleTableEntrySlow+13E3E3j
		mov	eax, [ebp+var_C]
		mov	[ebx+4], ecx
		lea	ecx, [edi+8]
		mov	[ebx], eax
		or	ebx, 2
		xchg	ebx, [ecx]
		jmp	loc_7AC660
; 

loc_8EAA3E:				; CODE XREF: ExpAllocateHandleTableEntrySlow+67j
		shr	eax, 15h
		mov	[ebp+var_C], eax
		cmp	eax, 20h
		jnb	loc_7AC6B1
		mov	eax, [ebx+eax*4]
		mov	[ebp+var_8], eax
		push	esi
		test	eax, eax
		jnz	short loc_8EAA75
		lea	edx, [ebp+var_4]
		call	ExpAllocateMidLevelTable
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_7AC6B1
		mov	eax, [ebp+var_C]
		mov	[ebx+eax*4], ecx
		jmp	loc_7AC660
; 

loc_8EAA75:				; CODE XREF: ExpAllocateHandleTableEntrySlow+13E438j
		call	_ExpAllocateLowLevelTable@8 ; ExpAllocateLowLevelTable(x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_7AC6B1
		mov	ecx, [ebp+var_8]
		shr	esi, 0Bh
		and	esi, 3FFh
		mov	[ecx+esi*4], eax
		jmp	loc_7AC663
; END OF FUNCTION CHUNK	FOR ExpAllocateHandleTableEntrySlow
; 
; START	OF FUNCTION CHUNK FOR ExCreateHandleTable

loc_8EAA99:				; CODE XREF: ExCreateHandleTable+66j
		test	al, 4
		jnz	loc_7AC722
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7AC722
; END OF FUNCTION CHUNK	FOR ExCreateHandleTable
; 
; START	OF FUNCTION CHUNK FOR ExpAllocateHandleTable

loc_8EAAAD:				; CODE XREF: ExpAllocateHandleTable+45j
		push	6274624Fh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7AC80F
; 

loc_8EAABD:				; CODE XREF: ExpAllocateHandleTable+96j
		push	6274624Fh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jz	loc_7AC80F
		push	80h
		push	ebx
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)
		jmp	loc_7AC80F
; END OF FUNCTION CHUNK	FOR ExpAllocateHandleTable
; 
; START	OF FUNCTION CHUNK FOR ExpAllocateTablePagedPoolNoZero

loc_8EAAE0:				; CODE XREF: ExpAllocateTablePagedPoolNoZero+29j
		push	6274624Fh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		jmp	loc_7AC90D
; END OF FUNCTION CHUNK	FOR ExpAllocateTablePagedPoolNoZero
; 
; START	OF FUNCTION CHUNK FOR PspCaptureUserProcessParameters

loc_8EAAF2:				; CODE XREF: PspCaptureUserProcessParameters+6Bj
		mov	ecx, eax
		jmp	loc_7ACA91
; 

loc_8EAAF9:				; CODE XREF: PspCaptureUserProcessParameters+89j
					; PspCaptureUserProcessParameters+9Bj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8EAB00:				; CODE XREF: PspCaptureUserProcessParameters+106j
					; PspCaptureUserProcessParameters+13Aj	...
		mov	eax, 0C000000Dh
		jmp	loc_7ACE5B
; 

loc_8EAB0A:				; CODE XREF: PspCaptureUserProcessParameters+CAj
					; PspCaptureUserProcessParameters+D2j
		mov	[eax], bl
		jmp	loc_7ACAF8
; 

loc_8EAB11:				; CODE XREF: PspCaptureUserProcessParameters+131j
		mov	ax, word ptr [ebp+var_28]
		mov	word ptr [ebp+var_28+2], ax
		mov	[ebp+ms_exc.disabled], 2
		test	ax, ax
		jz	short loc_8EAB41
		movzx	eax, ax
		mov	ecx, [ebp+var_24]
		add	eax, ecx
		mov	[ebp+arg_8], eax
		mov	eax, ds:_MmUserProbeAddress
		cmp	[ebp+arg_8], eax
		ja	short loc_8EAB3F
		cmp	[ebp+arg_8], ecx
		jnb	short loc_8EAB41

loc_8EAB3F:				; CODE XREF: PspCaptureUserProcessParameters+13E118j
		mov	[eax], bl

loc_8EAB41:				; CODE XREF: PspCaptureUserProcessParameters+13E103j
					; PspCaptureUserProcessParameters+13E11Dj
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_8EAB6C
; END OF FUNCTION CHUNK	FOR PspCaptureUserProcessParameters

;  S U B	R O U T	I N E 


sub_8EAB46	proc near		; DATA XREF: .text:006A292Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-88h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EAB46	endp


;  S U B	R O U T	I N E 


sub_8EAB57	proc near		; DATA XREF: .text:006A2930o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-88h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edx, [ebp-20h]
sub_8EAB57	endp

; START	OF FUNCTION CHUNK FOR PspCaptureUserProcessParameters

loc_8EAB6C:				; CODE XREF: PspCaptureUserProcessParameters+13E124j
		test	edi, edi
		jns	loc_7ACB66
		jmp	short loc_8EAB80
; 

loc_8EAB76:				; CODE XREF: PspCaptureUserProcessParameters+2D1j
					; PspCaptureUserProcessParameters+2EAj	...
		mov	eax, [ebp+arg_8]

loc_8EAB79:				; CODE XREF: PspCaptureUserProcessParameters+293j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8EAB80:				; CODE XREF: PspCaptureUserProcessParameters+13E154j
		mov	eax, edi
		jmp	loc_7ACE5B
; 

loc_8EAB87:				; CODE XREF: PspCaptureUserProcessParameters+1C3j
		test	byte ptr [esi+4], 2
		jz	loc_7ACBE9
		mov	eax, [esi+8]
		mov	[ebp+var_44], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_40], eax
		jmp	loc_7ACBFF
; 

loc_8EABA2:				; CODE XREF: PspCaptureUserProcessParameters+1E1j
		test	byte ptr [esi+4], 4
		jz	loc_7ACC07
		mov	ecx, [esi+10h]
		mov	eax, [esi+14h]
		mov	[ebp+var_80], eax
		jmp	loc_7ACC0C
; 

loc_8EABBA:				; CODE XREF: PspCaptureUserProcessParameters+238j
		test	byte ptr [esi+4], 1
		jz	loc_7ACC5E
		add	ecx, 3
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_2C], ecx
		lea	eax, [ebp+var_2C]
		push	eax
		mov	edx, [esi+1Ch]
		shl	edx, 3
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_8EAB00
		jmp	loc_7ACC5E
; 

loc_8EABE9:				; CODE XREF: PspCaptureUserProcessParameters+26Fj
		mov	eax, 0C000009Ah
		jmp	loc_7ACE5B
; END OF FUNCTION CHUNK	FOR PspCaptureUserProcessParameters

;  S U B	R O U T	I N E 


sub_8EABF3	proc near		; DATA XREF: .text:006A2938o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-8Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EABF3	endp


;  S U B	R O U T	I N E 


sub_8EAC04	proc near		; DATA XREF: .text:006A293Co
		mov	esp, [ebp-18h]
		mov	edi, [ebp-8Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	eax, [ebp+10h]
		jmp	loc_7ACCB1
sub_8EAC04	endp

; 
; START	OF FUNCTION CHUNK FOR PspCaptureUserProcessParameters

loc_8EAC1E:				; CODE XREF: PspCaptureUserProcessParameters+2B8j
		test	byte ptr [eax+4], 8
		jz	loc_7ACCDE
		mov	eax, [eax+20h]
		mov	[esi+2BCh], eax
		jmp	loc_7ACCDE
; 

loc_8EAC36:				; CODE XREF: PspCaptureUserProcessParameters+387j
		test	byte ptr [eax+4], 4
		jz	loc_7ACDAD
		lea	eax, [ebp+var_1C]
		push	eax
		lea	edx, [esi+2ACh]
		lea	ecx, [ebp+var_84]
		call	PspCopyUnicodeString
		jmp	loc_7ACDB9
; 

loc_8EAC5A:				; CODE XREF: PspCaptureUserProcessParameters+3ADj
		mov	ecx, [ebp+var_1C]
		mov	[esi+8Ch], ecx
		mov	[ebp+ms_exc.disabled], 4
		movzx	eax, word ptr [ebp+var_28]
		push	eax		; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_8EACA8
; END OF FUNCTION CHUNK	FOR PspCaptureUserProcessParameters

;  S U B	R O U T	I N E 


sub_8EAC82	proc near		; DATA XREF: .text:006A2944o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-90h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EAC82	endp


;  S U B	R O U T	I N E 


sub_8EAC93	proc near		; DATA XREF: .text:006A2948o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-90h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+10h]
sub_8EAC93	endp

; START	OF FUNCTION CHUNK FOR PspCaptureUserProcessParameters

loc_8EACA8:				; CODE XREF: PspCaptureUserProcessParameters+13E260j
		test	edi, edi
		js	loc_8EAB76
		cmp	[ebp+var_1C], 0
		jz	loc_7ACDD3
		movzx	eax, word ptr [ebp+var_28]
		add	[ebp+var_1C], eax
		jmp	loc_7ACDD3
; 

loc_8EACC6:				; CODE XREF: PspCaptureUserProcessParameters+3C4j
		test	byte ptr [ecx+4], 1
		jz	loc_7ACDEA
		mov	edx, [ebp+var_1C]
		add	edx, 3
		and	edx, 0FFFFFFFCh
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx
		mov	[esi+2B4h], edx
		mov	eax, [ecx+1Ch]
		mov	[esi+2B8h], eax
		mov	eax, [ecx+1Ch]
		shl	eax, 3
		push	eax		; size_t
		push	dword ptr [ecx+18h] ; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	loc_7ACDEA
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+1Ch]
		lea	eax, [ecx+eax*8]
		mov	[ebp+var_1C], eax
		jmp	loc_7ACDEA
; 

loc_8EAD1D:				; CODE XREF: PspCaptureUserProcessParameters+3DCj
		push	eax		; size_t
		push	ebx		; int
		push	edx		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+var_20], 0
		jz	loc_7ACE02
		mov	eax, [ebp+arg_0]
		add	[ebp+var_1C], eax
		jmp	loc_7ACE02
; END OF FUNCTION CHUNK	FOR PspCaptureUserProcessParameters

;  S U B	R O U T	I N E 


sub_8EAD3D	proc near		; DATA XREF: .text:006A2950o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-94h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EAD3D	endp


;  S U B	R O U T	I N E 


sub_8EAD4E	proc near		; DATA XREF: .text:006A2954o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-94h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+10h]
		jmp	loc_7ACE21
sub_8EAD4E	endp

; 

loc_8EAD68:				; DATA XREF: .text:006A2920o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-9Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8EAD79:				; DATA XREF: .text:006A2924o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-9Ch]
		jmp	loc_7ACE5B
; 

loc_8EAD8E:				; DATA XREF: .text:006A2914o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A0h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8EAD9F:				; DATA XREF: .text:006A2918o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0A0h]
		jmp	loc_7ACE5B
; 

loc_8EADB4:				; DATA XREF: .text:006A296Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8EADC2:				; DATA XREF: .text:006A2970o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_7ACF54
; 

loc_8EADD4:				; DATA XREF: .text:006A2998o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8EADE2:				; DATA XREF: .text:006A299Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_7ACFC0
; 

loc_8EADF4:				; DATA XREF: .text:006A298Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8EAE02:				; DATA XREF: .text:006A2990o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7ACFC0
; 
; START	OF FUNCTION CHUNK FOR RtlpAllocateAtom

loc_8EAE14:				; CODE XREF: RtlpAllocateAtom+4Dj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		jmp	loc_7AD043
; END OF FUNCTION CHUNK	FOR RtlpAllocateAtom
; 
; START	OF FUNCTION CHUNK FOR PspValidateEnvironmentBlock

loc_8EAE22:				; CODE XREF: PspValidateEnvironmentBlock+16j
		sub	esi, 2
		add	ecx, 2
		jmp	loc_7AD06C
; END OF FUNCTION CHUNK	FOR PspValidateEnvironmentBlock
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepGetInternalSecurityAttributesCopyoutBufferSize

loc_8EAE2D:				; CODE XREF: AuthzBasepGetInternalSecurityAttributesCopyoutBufferSize+14j
					; AuthzBasepGetInternalSecurityAttributesCopyoutBufferSize+1Cj
		mov	edx, 0C000000Dh
		jmp	loc_7AD9D6
; END OF FUNCTION CHUNK	FOR AuthzBasepGetInternalSecurityAttributesCopyoutBufferSize
; 
; START	OF FUNCTION CHUNK FOR RtlRemoveUnicodePrefix

loc_8EAE37:				; CODE XREF: RtlRemoveUnicodePrefix+24j
		mov	edx, 803h
		cmp	ax, dx
		jnz	loc_7ADC22
		mov	esi, [ecx+8]
		mov	eax, esi
		jmp	short loc_8EAE4E
; 

loc_8EAE4C:				; CODE XREF: RtlRemoveUnicodePrefix+13D2B7j
		mov	eax, edx

loc_8EAE4E:				; CODE XREF: RtlRemoveUnicodePrefix+13D2AEj
		mov	edx, [eax+8]
		cmp	edx, ecx
		jnz	short loc_8EAE4C
		mov	[eax+8], esi
		jmp	loc_7ADC22
; 

loc_8EAE5D:				; CODE XREF: RtlRemoveUnicodePrefix+30j
		mov	edx, eax
		jmp	short loc_8EAE63
; 

loc_8EAE61:				; CODE XREF: RtlRemoveUnicodePrefix+13D2CCj
		mov	edx, esi

loc_8EAE63:				; CODE XREF: RtlRemoveUnicodePrefix+13D2C3j
		mov	esi, [edx+8]
		cmp	esi, ecx
		jnz	short loc_8EAE61
		mov	[edx+8], eax
		lea	ebx, [ecx+0Ch]
		mov	ax, [ecx]
		mov	esi, ebx
		mov	[edx], ax
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		lea	eax, [edx+0Ch]
		mov	edi, eax
		movsd
		movsd
		movsd
		mov	esi, [ebx]
		cmp	esi, ebx
		jnz	short loc_8EAEA1
		mov	[eax], eax
		mov	esi, [ecx+4]
		jmp	short loc_8EAE95
; 

loc_8EAE93:				; CODE XREF: RtlRemoveUnicodePrefix+13D2FEj
		mov	esi, edi

loc_8EAE95:				; CODE XREF: RtlRemoveUnicodePrefix+13D2F5j
		mov	edi, [esi+4]
		cmp	edi, ecx
		jnz	short loc_8EAE93
		mov	[esi+4], edx
		jmp	short loc_8EAEAE
; 

loc_8EAEA1:				; CODE XREF: RtlRemoveUnicodePrefix+13D2EEj
		cmp	[esi+4], ebx
		jnz	short loc_8EAEAB
		mov	[esi+4], eax
		jmp	short loc_8EAEAE
; 

loc_8EAEAB:				; CODE XREF: RtlRemoveUnicodePrefix+13D308j
		mov	[esi+8], eax

loc_8EAEAE:				; CODE XREF: RtlRemoveUnicodePrefix+13D303j
					; RtlRemoveUnicodePrefix+13D30Dj
		mov	ecx, [edx+10h]
		test	ecx, ecx
		jz	short loc_8EAEB7
		mov	[ecx], eax

loc_8EAEB7:				; CODE XREF: RtlRemoveUnicodePrefix+13D317j
		mov	ecx, [edx+14h]
		test	ecx, ecx
		jz	loc_7ADC21
		mov	[ecx], eax
		jmp	loc_7ADC21
; END OF FUNCTION CHUNK	FOR RtlRemoveUnicodePrefix
; 
; START	OF FUNCTION CHUNK FOR RtlInsertUnicodePrefix

loc_8EAEC9:				; CODE XREF: RtlInsertUnicodePrefix+ECj
		mov	eax, [ebp+arg_8]
		mov	eax, [eax+8]
		mov	[ebp+arg_8], eax
		cmp	eax, edi
		jnz	loc_7ADDDE
		and	dword ptr [esi+4], 0
		mov	eax, 803h
		mov	[esi], ax
		mov	eax, [edi+8]
		mov	[esi+8], eax
		mov	[edi+8], esi
		jmp	loc_7ADD8F
; END OF FUNCTION CHUNK	FOR RtlInsertUnicodePrefix
; 
; START	OF FUNCTION CHUNK FOR RtlFindUnicodePrefix

loc_8EAEF4:				; CODE XREF: RtlFindUnicodePrefix+C4j
		mov	ebx, [ebx+8]
		cmp	ebx, esi
		jnz	loc_7ADEBA
		jmp	loc_7ADE6C
; END OF FUNCTION CHUNK	FOR RtlFindUnicodePrefix
; 
; START	OF FUNCTION CHUNK FOR CompareUnicodeStrings

loc_8EAF04:				; CODE XREF: CompareUnicodeStrings+29j
		mov	eax, [eax+4]
		cmp	[eax], cx
		jnz	loc_7ADF0B
		cmp	ebx, 1
		jbe	loc_7ADFC9
		mov	eax, [edx+4]
		cmp	[eax], cx
		jz	loc_7AE029
		jmp	loc_7ADF0B
; END OF FUNCTION CHUNK	FOR CompareUnicodeStrings
; 

loc_8EAF2A:				; CODE XREF: PAGE:007AE0C0j
		push	offset _TunnelLookasideList
		call	_ExAllocateFromPagedLookasideList@4 ; ExAllocateFromPagedLookasideList(x)
		mov	esi, eax
		mov	[esp+18h], esi
		test	esi, esi
		jnz	loc_7AE0E6
		jmp	loc_7AE0C6
; 
; START	OF FUNCTION CHUNK FOR FsRtlFindInTunnelCacheEx

loc_8EAF47:				; CODE XREF: FsRtlFindInTunnelCacheEx+1Dj
		xor	al, al
		jmp	loc_7AE381
; END OF FUNCTION CHUNK	FOR FsRtlFindInTunnelCacheEx

;  S U B	R O U T	I N E 


sub_8EAF4E	proc near		; DATA XREF: .text:006A29B8o
		mov	bl, [ebp-19h]
		jmp	sub_7AE408
sub_8EAF4E	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlAllocateExtraCreateParameterFromLookasideList

loc_8EAF56:				; CODE XREF: FsRtlAllocateExtraCreateParameterFromLookasideList+2Ej
		push	[ebp+arg_14]
		push	[ebp+arg_4]
		push	[ebp+arg_C]
		push	edx
		push	ecx
		push	[ebp+arg_0]
		call	FsRtlAllocateExtraCreateParameter
		jmp	loc_7AE55B
; 

loc_8EAF6E:				; CODE XREF: FsRtlAllocateExtraCreateParameterFromLookasideList+ABj
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 0
		mov	eax, 0C000009Ah
		jmp	loc_7AE55B
; END OF FUNCTION CHUNK	FOR FsRtlAllocateExtraCreateParameterFromLookasideList
; 
; START	OF FUNCTION CHUNK FOR IopMountVolume

loc_8EAF81:				; CODE XREF: IopMountVolume+6Dj
		mov	eax, 0C0000189h
		jmp	loc_7AE800
; 

loc_8EAF8B:				; CODE XREF: IopMountVolume+77j
		call	_IoGetActivityIdThread@0 ; IoGetActivityIdThread()
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	ebx
		call	_IoVolumeDeviceToGuid@8	; IoVolumeDeviceToGuid(x,x)
		lea	eax, [ebp+var_3C]
		push	eax
		push	ebx
		call	IoVolumeDeviceToDosName
		jmp	loc_7AE6BD
; 

loc_8EAFAC:				; CODE XREF: IopMountVolume+A0j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[ebp+var_38], 0
		jz	loc_7AE7F4
		push	0
		push	[ebp+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7AE7F4
; 

loc_8EAFCA:				; CODE XREF: IopMountVolume+D4j
		mov	ecx, [ebp+var_30]
		lea	eax, [ebp+var_3C]
		push	eax
		lea	edx, [ebp+var_18]
		call	_IopLogEventIoMgrMountBegin@12 ; IopLogEventIoMgrMountBegin(x,x,x)
		mov	[ebp+var_1C], 1
		jmp	loc_7AE71A
; 

loc_8EAFE2:				; CODE XREF: IopMountVolume+119j
		cmp	eax, 24h
		jz	loc_7AE75F
		cmp	eax, 2
		jnz	short loc_8EAFFA
		mov	edi, offset _IopCdRomFileSystemQueueHead
		jmp	loc_7AE764
; 

loc_8EAFFA:				; CODE XREF: IopMountVolume+13C9AEj
		mov	edi, offset _IopTapeFileSystemQueueHead
		jmp	loc_7AE764
; 

loc_8EB004:				; CODE XREF: IopMountVolume+30Cj
		cmp	ecx, [edi]
		jnz	loc_7AE7AD
		jmp	loc_7AE79A
; 

loc_8EB011:				; CODE XREF: IopMountVolume+289j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_7AE8D6
; 

loc_8EB025:				; CODE XREF: IopMountVolume+2B0j
		push	0
		push	0
		push	offset _IopMountCompletionEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_7AE8F6
; 

loc_8EB038:				; CODE XREF: IopMountVolume+352j
		mov	eax, [edi]
		lea	ecx, [ebp+var_50]
		mov	[ebp+var_50], eax
		mov	esi, 0C000014Fh
		mov	[ebp+var_24], ecx
		jmp	loc_7AE99B
; 

loc_8EB04D:				; CODE XREF: IopMountVolume+361j
		mov	ecx, [ebp+var_2C]
		mov	dl, 1
		call	IopIncrementDeviceObjectRefCount
		mov	ecx, offset _IopDatabaseResource
		call	ExReleaseResourceLite
		cmp	[ebp+arg_0], 0
		lea	esi, [ebx+9Ch]
		jnz	short loc_8EB07B
		push	0
		push	0
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	[ebp+var_1A], 0

loc_8EB07B:				; CODE XREF: IopMountVolume+13CA2Bj
		mov	ecx, [ebp+var_28]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, [ebp+var_2C]
		call	_IopLoadFileSystemDriver@4 ; IopLoadFileSystemDriver(x)
		cmp	[ebp+arg_0], 0
		jnz	short loc_8EB0AE
		mov	eax, [ebp+var_28]
		mov	ecx, esi
		push	[ebp+arg_4]
		mov	dl, [eax+15Ah]
		call	IopWaitForLockAlertable
		mov	esi, eax
		test	esi, esi
		js	short loc_8EB118
		mov	[ebp+var_1A], 1

loc_8EB0AE:				; CODE XREF: IopMountVolume+13CA4Fj
		mov	eax, [ebp+var_28]
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _IopDatabaseResource
		call	ExAcquireResourceSharedLite
		mov	ecx, ebx
		call	IopQueryVpbFlagsSafe
		movzx	eax, ax
		test	al, 8
		jnz	short loc_8EB139
		test	al, 1
		jnz	short loc_8EB12A
		mov	eax, [edi]
		lea	ecx, [ebp+var_50]
		mov	[ebp+var_50], eax
		mov	esi, 0C000014Fh
		mov	[ebp+var_24], ecx
		jmp	loc_7AE9A7
; 

loc_8EB0EC:				; CODE XREF: IopMountVolume+373j
		push	esi
		call	_FsRtlIsTotalDeviceFailure@4 ; FsRtlIsTotalDeviceFailure(x)
		test	al, al
		jz	loc_7AE925
		cmp	[ebp+var_19], 0
		jz	loc_7AE7AD
		cmp	[ebp+var_60], edi
		jz	loc_7AE7AD
		mov	eax, [edi+4]
		mov	ecx, [eax+4]
		jmp	loc_7AE928
; 

loc_8EB118:				; CODE XREF: IopMountVolume+13CA68j
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_7AE7BF
; 

loc_8EB12A:				; CODE XREF: IopMountVolume+13CA95j
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject
		xor	esi, esi
		jmp	loc_7AE7AD
; 

loc_8EB139:				; CODE XREF: IopMountVolume+13CA91j
		mov	esi, 0C00000C0h
		jmp	short loc_8EB145
; 

loc_8EB140:				; CODE XREF: IopMountVolume+212j
		mov	esi, 0C000009Ah

loc_8EB145:				; CODE XREF: IopMountVolume+138j
					; IopMountVolume+16Fj ...
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject
		jmp	loc_7AE7B5
; 

loc_8EB152:				; CODE XREF: IopMountVolume+1A6j
		cmp	[ebp+var_1C], 0
		jz	short loc_8EB174
		mov	ecx, [ebp+var_30]
		lea	eax, [ebp+var_3C]
		lea	edx, [ebp+var_18]
		test	esi, esi
		js	short loc_8EB16D
		push	eax
		call	_IopLogEventIoMgrMountSucceeded@12 ; IopLogEventIoMgrMountSucceeded(x,x,x)
		jmp	short loc_8EB174
; 

loc_8EB16D:				; CODE XREF: IopMountVolume+13CB23j
		push	esi
		push	eax
		call	_IopLogEventIoMgrMountFailed@16	; IopLogEventIoMgrMountFailed(x,x,x,x)

loc_8EB174:				; CODE XREF: IopMountVolume+13CB16j
					; IopMountVolume+13CB2Bj
		cmp	[ebp+var_38], 0
		jz	loc_7AE7EC
		push	0
		push	[ebp+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7AE7EC
; 

loc_8EB18D:				; CODE XREF: IopMountVolume+1AEj
		test	dword ptr [ebx+1Ch], 100h
		jz	loc_7AE7F4
		cmp	_InitializationPhase, 2
		jnb	loc_7AE7F4
		push	0
		push	0
		push	esi
		push	ebx
		push	0EDh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8EB1B8:				; CODE XREF: CmpVEExecuteOpenLogic+76j
		mov	eax, [esi+4]
		and	eax, 7FE00000h
		cmp	eax, 0A00000h
		ja	short loc_8EB1D1
		mov	edi, 0C0000271h
		jmp	loc_7AEA81
; 

loc_8EB1D1:				; CODE XREF: IopMountVolume+13CB85j
		mov	edx, [ebp+arg_C]
		lea	eax, [ebx+0Ch]
		mov	cl, byte ptr [ebp+arg_8]
		push	eax
		call	CmpIsSystemEntity
		test	al, al
		jz	short loc_8EB1EE
		mov	edi, 0C0000271h
		jmp	loc_7AEA81
; 

loc_8EB1EE:				; CODE XREF: IopMountVolume+13CBA2j
		cmp	_CmpVEEnabled, 0
		jz	short loc_8EB20A
		test	dword ptr [esi+68h], 1000000h
		jz	short loc_8EB20A
		mov	edi, 0C0000271h
		jmp	loc_7AEA81
; 

loc_8EB20A:				; CODE XREF: IopMountVolume+13CBB5j
					; IopMountVolume+13CBBEj
		test	byte ptr [ebx+60h], 1
		jnz	short loc_8EB21C
		lea	ecx, [ebx+64h]
		call	CmpAttachToRegistryProcess
		or	dword ptr [ebx+60h], 1

loc_8EB21C:				; CODE XREF: IopMountVolume+13CBCEj
		lea	edx, [ebp+var_18]
		mov	ecx, esi
		call	_CmVirtualKCBToRealPath@8 ; CmVirtualKCBToRealPath(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7AEA81
		lea	eax, [ebp+var_4]
		mov	edx, 10h
		push	eax
		xor	ecx, ecx
		call	CmpBlockHiveWrites
		mov	edi, eax
		test	edi, edi
		js	loc_8EB37C
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	10h
		push	0
		lea	edx, [ebp+var_18]
		call	_CmpFindPathByNameEx@24	; CmpFindPathByNameEx(x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	edx, 10h
		xor	ecx, ecx
		mov	bl, al
		call	CmpUnblockHiveWrites
		test	bl, bl
		jz	short loc_8EB2AD
		mov	esi, [ebp+arg_4]
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_8EB287
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8EB287:				; CODE XREF: IopMountVolume+13CC3Dj
		mov	eax, [ebp+var_18]
		mov	[esi], eax
		mov	eax, [ebp+var_14]
		mov	[esi+4], eax
		lea	eax, [ebp+var_18]
		push	0
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_8]
		mov	edi, 104h
		or	dword ptr [eax], 8
		jmp	loc_7AEA81
; 

loc_8EB2AD:				; CODE XREF: IopMountVolume+13CC33j
		cmp	[ebp+arg_0], 0
		jnz	short loc_8EB2E4
		mov	ecx, esi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	edx, edx
		mov	ecx, esi
		mov	[esi+1Ch], eax
		call	_CmpIsKeyDeleted@8 ; CmpIsKeyDeleted(x,x)
		test	al, al
		jz	short loc_8EB2E4
		mov	edi, 0C0000034h
		jmp	loc_7AEA81
; 

loc_8EB2E4:				; CODE XREF: IopMountVolume+13CC71j
					; IopMountVolume+13CC98j
		mov	ecx, [esi+10h]
		xor	edx, edx
		add	ecx, 24h
		call	ExAcquirePushLockSharedEx
		mov	ebx, [esi+10h]
		lea	ecx, [ebp+var_20]
		mov	eax, [esi+14h]
		push	ecx
		push	eax
		mov	eax, [ebx+4]
		push	ebx
		call	eax
		mov	edi, eax
		test	edi, edi
		jnz	short loc_8EB30F
		mov	edi, 0C000009Ah
		jmp	short loc_8EB34E
; 

loc_8EB30F:				; CODE XREF: IopMountVolume+13CCC6j
		mov	edx, [esi+14h]
		mov	ecx, [esi+10h]
		push	0
		push	1
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_8EB329
		mov	edi, 0C000017Dh
		jmp	short loc_8EB341
; 

loc_8EB329:				; CODE XREF: IopMountVolume+13CCE0j
		mov	eax, 100h
		or	[edi+2], ax
		mov	edi, 104h
		or	[esi+6Ah], ax
		mov	eax, [ebp+var_8]
		or	dword ptr [eax], 8

loc_8EB341:				; CODE XREF: IopMountVolume+13CCE7j
		mov	eax, [esi+10h]
		lea	ecx, [ebp+var_20]
		push	ecx
		push	eax
		mov	eax, [eax+8]
		call	eax

loc_8EB34E:				; CODE XREF: IopMountVolume+13CCCDj
		test	ebx, ebx
		jz	loc_7AEA81
		lea	esi, [ebx+24h]
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_8EB370
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8EB370:				; CODE XREF: IopMountVolume+13CD27j
		mov	ecx, esi
		call	KeAbPostRelease
		jmp	loc_7AEA81
; 

loc_8EB37C:				; CODE XREF: IopMountVolume+13CC04j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	loc_7AEA81
		push	eax
		mov	edx, 10h
		xor	ecx, ecx
		call	CmpUnblockHiveWrites
		jmp	loc_7AEA81
; END OF FUNCTION CHUNK	FOR IopMountVolume
; 
; START	OF FUNCTION CHUNK FOR CmpVEExecuteOpenLogic

loc_8EB399:				; CODE XREF: CmpVEExecuteOpenLogic+86j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7AEA8C
; END OF FUNCTION CHUNK	FOR CmpVEExecuteOpenLogic
; 
; START	OF FUNCTION CHUNK FOR PspNotificationPacketCallback

loc_8EB3A6:				; CODE XREF: PspNotificationPacketCallback+3Fj
		and	ecx, 0FFFEFFFFh
		test	dword ptr [edi+1A8h], 1000h
		jz	loc_7AEAF1
		push	0Ch
		jmp	loc_7AEBA9
; 

loc_8EB3C3:				; CODE XREF: PspNotificationPacketCallback+4Bj
		and	ecx, 0FFFF7FFFh
		test	byte ptr [edi+1A8h], 10h
		jz	loc_7AEAFD
		push	4
		pop	esi
		jmp	loc_7AEAFD
; 

loc_8EB3DE:				; CODE XREF: PspNotificationPacketCallback+60j
		mov	edx, eax
		jmp	loc_7AEAD5
; END OF FUNCTION CHUNK	FOR PspNotificationPacketCallback
; 
; START	OF FUNCTION CHUNK FOR PspJobNotificationWorker

loc_8EB3E5:				; CODE XREF: PspJobNotificationWorker+62j
		cmp	edi, 0FFFFFFFFh
		jnz	loc_7AEBBF
		jmp	loc_7AEC18
; END OF FUNCTION CHUNK	FOR PspJobNotificationWorker
; 
; START	OF FUNCTION CHUNK FOR PspSendReliableJobNotification

loc_8EB3F3:				; CODE XREF: PspSendReliableJobNotification+51j
		mov	edx, eax
		jmp	loc_7AECA5
; 

loc_8EB3FA:				; CODE XREF: PspSendReliableJobNotification+79j
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceJobSendNotification@8 ; EtwTraceJobSendNotification(x,x)
		jmp	loc_7AECED
; END OF FUNCTION CHUNK	FOR PspSendReliableJobNotification
; 
; START	OF FUNCTION CHUNK FOR NtSetIoCompletionEx

loc_8EB408:				; CODE XREF: NtSetIoCompletionEx+86j
		mov	esi, 0C00000F0h
		jmp	short loc_8EB415
; 

loc_8EB40F:				; CODE XREF: NtSetIoCompletionEx+A8j
		mov	dword ptr [ebx], 0

loc_8EB415:				; CODE XREF: NtSetIoCompletionEx+13C69Dj
		test	ebx, ebx
		jz	loc_7AEE1E
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	loc_7AEE1E
; END OF FUNCTION CHUNK	FOR NtSetIoCompletionEx
; 
; START	OF FUNCTION CHUNK FOR RtlpCombineAcls

loc_8EB429:				; CODE XREF: RtlpCombineAcls+5CDj
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		jmp	loc_7AF27C
; 

loc_8EB433:				; CODE XREF: RtlpCombineAcls+5Fj
					; RtlpCombineAcls+C6j
		mov	esi, 0C0000095h
		xor	ebx, ebx
		jmp	loc_7AF00C
; 

loc_8EB43F:				; CODE XREF: RtlpCombineAcls+4D6j
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		jmp	loc_7AF0FA
; 

loc_8EB449:				; CODE XREF: RtlpCombineAcls+2F5j
		movzx	edx, word ptr [ecx+2]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_7AF455
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	short loc_8EB471
		or	dword ptr [eax], 100h

loc_8EB471:				; CODE XREF: RtlpCombineAcls+13C629j
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_18]
		movzx	eax, byte ptr [eax]
		cmp	eax, ebx
		jbe	loc_7AF13B
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		jmp	loc_7AF13B
; 

loc_8EB48F:				; CODE XREF: RtlpCombineAcls+547j
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		jmp	loc_7AF07B
; 

loc_8EB499:				; CODE XREF: RtlpCombineAcls+336j
		movzx	edx, word ptr [ecx+2]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_7AF455
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	short loc_8EB4BE
		or	dword ptr [eax], 40h

loc_8EB4BE:				; CODE XREF: RtlpCombineAcls+13C679j
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_18]
		movzx	eax, byte ptr [eax]
		cmp	eax, ebx
		jbe	loc_7AF17C
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		jmp	loc_7AF17C
; 

loc_8EB4DC:				; CODE XREF: RtlpCombineAcls+E1j
		mov	ebx, [ebp+var_4]
		mov	esi, 0C0000017h
		jmp	loc_7AF00C
; 

loc_8EB4E9:				; CODE XREF: RtlpCombineAcls+EAj
		mov	esi, 0C0000023h
		jmp	short loc_8EB54B
; 

loc_8EB4F0:				; CODE XREF: RtlpCombineAcls+3B7j
		mov	edi, [ebp+arg_14]
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_8]
		add	esp, 0Ch
		inc	word ptr [ebx+4]
		mov	edx, [ebp+arg_C]
		movzx	ecx, word ptr [eax+2]
		add	edi, ecx
		mov	eax, ecx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+arg_14], edi
		jmp	loc_7AF1FD
; 

loc_8EB51B:				; CODE XREF: RtlpCombineAcls+3F7j
		mov	edi, [ebp+arg_14]
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_8]
		add	esp, 0Ch
		inc	word ptr [ebx+4]
		mov	edx, [ebp+arg_C]
		movzx	ecx, word ptr [eax+2]
		add	edi, ecx
		mov	eax, ecx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+arg_14], edi
		jmp	loc_7AF23D
; 

loc_8EB546:				; CODE XREF: RtlpCombineAcls+F6j
					; RtlpCombineAcls+FFj ...
		mov	esi, 0C000000Dh

loc_8EB54B:				; CODE XREF: RtlpCombineAcls+13C6AEj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx
		jmp	loc_7AF00C
; 

loc_8EB55A:				; CODE XREF: RtlpCombineAcls+3E8j
		mov	esi, eax
		jmp	loc_7AF00C
; END OF FUNCTION CHUNK	FOR RtlpCombineAcls

;  S U B	R O U T	I N E 


sub_8EB561	proc near		; DATA XREF: .text:006A2A34o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		mov	eax, 1
		retn
sub_8EB561	endp


;  S U B	R O U T	I N E 


sub_8EB571	proc near		; DATA XREF: .text:006A2A38o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_7AF880
sub_8EB571	endp

; 
; START	OF FUNCTION CHUNK FOR SeAdjustAccessStateForAccessConstraints

loc_8EB583:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+3Ej
		cmp	eax, 100h
		jnz	short loc_8EB59C
		mov	eax, 1020019h
		mov	[ebp+arg_8], eax
		mov	eax, 10F0006h
		jmp	loc_7AF921
; 

loc_8EB59C:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+13BCB8j
		xor	eax, eax
		mov	[ebp+arg_8], eax
		jmp	loc_7AF921
; 

loc_8EB5A6:				; CODE XREF: SeAdjustAccessStateForAccessConstraints+73j
		mov	edi, [ebp+var_10]
		jmp	loc_7AF949
; END OF FUNCTION CHUNK	FOR SeAdjustAccessStateForAccessConstraints
; 
; START	OF FUNCTION CHUNK FOR NtAlpcQueryInformation

loc_8EB5AE:				; CODE XREF: NtAlpcQueryInformation+48j
		mov	edx, 0C000000Dh
		mov	[ebp+arg_4], edx
		jmp	loc_7AFBA7
; END OF FUNCTION CHUNK	FOR NtAlpcQueryInformation

;  S U B	R O U T	I N E 


sub_8EB5BB	proc near		; DATA XREF: .text:006A2A54o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		mov	eax, 1
		retn
sub_8EB5BB	endp


;  S U B	R O U T	I N E 


sub_8EB5CB	proc near		; DATA XREF: .text:006A2A58o
		mov	esp, [ebp-18h]
		mov	edx, [ebp-20h]
		mov	[ebp+0Ch], edx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7AFBA7
sub_8EB5CB	endp

; 
; START	OF FUNCTION CHUNK FOR NtAlpcQueryInformation

loc_8EB5E0:				; CODE XREF: NtAlpcQueryInformation+DDj
		xor	edi, edi
		jmp	loc_7AFB80
; 

loc_8EB5E7:				; CODE XREF: NtAlpcQueryInformation+186j
					; DATA XREF: PAGE:007AFC94o
		push	[ebp+arg_8]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		mov	edx, ebx
		mov	ecx, edi
		call	_AlpcpPortQueryServerInfo@20 ; AlpcpPortQueryServerInfo(x,x,x,x,x)
		mov	edx, eax
		mov	[ebp+arg_4], edx
		jmp	loc_7AFB99
; 

loc_8EB603:				; CODE XREF: NtAlpcQueryInformation+179j
					; NtAlpcQueryInformation+186j
					; DATA XREF: ...
		mov	edx, 0C000000Dh
		mov	[ebp+arg_4], edx
		jmp	loc_7AFB99
; END OF FUNCTION CHUNK	FOR NtAlpcQueryInformation

;  S U B	R O U T	I N E 


sub_8EB610	proc near		; DATA XREF: .text:006A2A74o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		mov	eax, 1
		retn
sub_8EB610	endp


;  S U B	R O U T	I N E 


sub_8EB620	proc near		; DATA XREF: .text:006A2A78o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		mov	[ebp-1Ch], ecx
		jmp	loc_7AFD1E
sub_8EB620	endp


;  S U B	R O U T	I N E 


sub_8EB62E	proc near		; DATA XREF: .text:006A2A94o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EB62E	endp


;  S U B	R O U T	I N E 


sub_8EB63C	proc near		; DATA XREF: .text:006A2A98o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-20h]
		jmp	loc_7AFE08
sub_8EB63C	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpPortQueryConnectedSidInfo

loc_8EB647:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+2Dj
		mov	eax, 0C000000Dh
		jmp	loc_7AFF67
; 

loc_8EB651:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+41j
		mov	[edi], ebx
		jmp	loc_7AFE79
; END OF FUNCTION CHUNK	FOR AlpcpPortQueryConnectedSidInfo

;  S U B	R O U T	I N E 


sub_8EB658	proc near		; DATA XREF: .text:006A2AB4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-6Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EB658	endp


;  S U B	R O U T	I N E 


sub_8EB666	proc near		; DATA XREF: .text:006A2AB8o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-6Ch]
		mov	[ebp-70h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		jmp	loc_7AFE97
sub_8EB666	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpPortQueryConnectedSidInfo

loc_8EB67D:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+36j
		test	edi, edi
		jz	short loc_8EB683
		mov	[edi], ebx

loc_8EB683:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+13B84Dj
		mov	eax, [ebp+var_68]
		mov	[ebp+var_64], eax
		jmp	loc_7AFE9F
; 

loc_8EB68E:				; CODE XREF: AlpcpPortQueryConnectedSidInfo+D1j
		mov	esi, 0C0000037h
		jmp	loc_7AFF49
; END OF FUNCTION CHUNK	FOR AlpcpPortQueryConnectedSidInfo

;  S U B	R O U T	I N E 


sub_8EB698	proc near		; DATA XREF: .text:006A2AD4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EB698	endp


;  S U B	R O U T	I N E 


sub_8EB6A6	proc near		; DATA XREF: .text:006A2AD8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_7AFFF2
sub_8EB6A6	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpWaitForPortReferences

loc_8EB6B8:				; CODE XREF: AlpcpWaitForPortReferences+2Bj
		mov	eax, [edx]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_7AFFE1
		mov	[eax], esi
		jmp	loc_7AFFE1
; 

loc_8EB6CF:				; CODE XREF: AlpcpWaitForPortReferences+5Aj
		push	esi
		push	1
		lea	eax, [ebp+var_34]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	edi, [ebx+0D0h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		cmp	[ebx+0F0h], esi
		jz	short loc_8EB6F9
		mov	ebx, 0C000000Dh
		jmp	short loc_8EB753
; 

loc_8EB6F9:				; CODE XREF: AlpcpWaitForPortReferences+13B760j
		mov	eax, [ebx+0ECh]
		cmp	eax, [ebp+var_24]
		jnz	short loc_8EB708
		mov	ebx, esi
		jmp	short loc_8EB753
; 

loc_8EB708:				; CODE XREF: AlpcpWaitForPortReferences+13B772j
		lea	eax, [ebp+var_34]
		mov	[ebx+0F0h], eax
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8EB725
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8EB725:				; CODE XREF: AlpcpWaitForPortReferences+13B78Cj
		mov	ecx, edi
		call	KeAbPostRelease

loc_8EB72C:				; CODE XREF: AlpcpWaitForPortReferences+13B7F3j
		push	esi
		push	1
		push	esi
		push	0Dh
		lea	eax, [ebp+var_34]
		push	eax
		call	KeWaitForSingleObject
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_8EB775

loc_8EB741:				; CODE XREF: AlpcpWaitForPortReferences+13B7FAj
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_20]
		mov	[eax+0F0h], esi

loc_8EB753:				; CODE XREF: AlpcpWaitForPortReferences+13B767j
					; AlpcpWaitForPortReferences+13B776j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8EB767
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8EB767:				; CODE XREF: AlpcpWaitForPortReferences+13B7CEj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, ebx
		jmp	loc_7AFFF2
; 

loc_8EB775:				; CODE XREF: AlpcpWaitForPortReferences+13B7AFj
		mov	eax, large fs:124h
		mov	eax, [eax+2FCh]
		test	al, 1
		jz	short loc_8EB72C
		mov	ebx, 0C000004Bh
		jmp	short loc_8EB741
; END OF FUNCTION CHUNK	FOR AlpcpWaitForPortReferences

;  S U B	R O U T	I N E 


sub_8EB78C	proc near		; DATA XREF: .text:006A2AF4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		mov	eax, 1
		retn
sub_8EB78C	endp


;  S U B	R O U T	I N E 


sub_8EB79C	proc near		; DATA XREF: .text:006A2AF8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2Ch]
		jmp	loc_7B0230
sub_8EB79C	endp

; 
; START	OF FUNCTION CHUNK FOR NtReleaseSemaphore

loc_8EB7AE:				; CODE XREF: NtReleaseSemaphore+5Aj
		mov	eax, 0C000000Dh
		jmp	loc_7B0230
; 

loc_8EB7B8:				; CODE XREF: NtReleaseSemaphore+12Cj
		mov	ecx, 1Eh
		call	_KiFatalFilter@8 ; KiFatalFilter(x,x)

loc_8EB7C2:				; DATA XREF: .text:006A2B0Co
		mov	eax, 1
		retn
; END OF FUNCTION CHUNK	FOR NtReleaseSemaphore
; 

loc_8EB7C8:				; DATA XREF: .text:006A2B10o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp+0Ch]
		jmp	loc_7B022E
; 
; START	OF FUNCTION CHUNK FOR NtReleaseSemaphore

loc_8EB7DA:				; CODE XREF: NtReleaseSemaphore+102j
		mov	eax, [ebp+var_20]
		mov	[ebx], eax
		jmp	loc_7B022E
; END OF FUNCTION CHUNK	FOR NtReleaseSemaphore

;  S U B	R O U T	I N E 


sub_8EB7E4	proc near		; DATA XREF: .text:006A2B38o
		mov	eax, 1
		retn
sub_8EB7E4	endp


;  S U B	R O U T	I N E 


sub_8EB7EA	proc near		; DATA XREF: .text:006A2B3Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-20h]
		mov	esi, [ebp+0Ch]
		jmp	loc_7B037A
sub_8EB7EA	endp

; 

loc_8EB7FF:				; DATA XREF: .text:006A2B2Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		mov	eax, 1
		retn
; 

loc_8EB80F:				; DATA XREF: .text:006A2B30o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-28h]
		jmp	loc_7B0387
; 
; START	OF FUNCTION CHUNK FOR CmpGetOrCreateContextForSiloNoRef

loc_8EB821:				; CODE XREF: CmpGetOrCreateContextForSiloNoRef+51j
		mov	ecx, [ebp+var_8]
		xor	esi, esi
		call	_CmpGetContextForSiloNoRef@4 ; CmpGetContextForSiloNoRef(x)
		mov	[ebx], eax
		jmp	loc_7B0433
; END OF FUNCTION CHUNK	FOR CmpGetOrCreateContextForSiloNoRef
; 
; START	OF FUNCTION CHUNK FOR PsInsertPermanentSiloContextEx

loc_8EB832:				; CODE XREF: PsInsertPermanentSiloContextEx+5Bj
		test	esi, esi
		jnz	short loc_8EB840
		mov	eax, 0C0000030h
		jmp	loc_7B04CB
; 

loc_8EB840:				; CODE XREF: PsInsertPermanentSiloContextEx+13B3E4j
		mov	edi, large fs:124h
		mov	ecx, esi
		mov	edx, edi
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		mov	ecx, esi
		call	_PspJobHasChildren@4 ; PspJobHasChildren(x)
		test	al, al
		jz	loc_7B04B1
		mov	ebx, 0C000050Fh
		jmp	loc_7B04C1
; 

loc_8EB869:				; CODE XREF: PsInsertPermanentSiloContextEx+73j
		mov	edx, edi
		mov	ecx, esi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		jmp	loc_7B04C9
; END OF FUNCTION CHUNK	FOR PsInsertPermanentSiloContextEx
; 
; START	OF FUNCTION CHUNK FOR PspStorageInsertObject

loc_8EB877:				; CODE XREF: PspStorageInsertObject+6Cj
		mov	ecx, [ebp+arg_4]
		call	ObfDereferenceObject
		mov	eax, 0C00000BBh
		jmp	locret_7B055A
; END OF FUNCTION CHUNK	FOR PspStorageInsertObject
; 
; START	OF FUNCTION CHUNK FOR PspGetStorageArray

loc_8EB889:				; CODE XREF: PspGetStorageArray+1Dj
		cmp	dword ptr [esi+100h], 0
		jnz	loc_7B05AF
		mov	ecx, esi
		call	_PspLazyInitializeStorageExpansion@4 ; PspLazyInitializeStorageExpansion(x)
		test	eax, eax
		js	loc_7B05AF
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, esi
		push	ebx
		call	PspGetStorageArrayIfPossible
		jmp	loc_7B058B
; END OF FUNCTION CHUNK	FOR PspGetStorageArray
; 
; START	OF FUNCTION CHUNK FOR PsCreateSiloContext

loc_8EB8B7:				; CODE XREF: PsCreateSiloContext+1Bj
		mov	eax, 0C000000Dh
		jmp	loc_7B06C6
; END OF FUNCTION CHUNK	FOR PsCreateSiloContext
; 
; START	OF FUNCTION CHUNK FOR CmpGetRegistryNamespaceRootForSilo

loc_8EB8C1:				; CODE XREF: CmpGetRegistryNamespaceRootForSilo+3Cj
		mov	ecx, [esi+244h]
		call	_PspGetJobSilo@4 ; PspGetJobSilo(x)
		mov	esi, eax
		jmp	loc_7B0710
; END OF FUNCTION CHUNK	FOR CmpGetRegistryNamespaceRootForSilo
; 
; START	OF FUNCTION CHUNK FOR MiFindEmptyAddressRangeInTree

loc_8EB8D3:				; CODE XREF: MiFindEmptyAddressRangeInTree+42j
		push	0
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		call	_MiHonorRangeStraddleRequirement@16 ; MiHonorRangeStraddleRequirement(x,x,x,x)
		mov	edx, eax
		mov	[ebp+arg_0], eax
		jmp	loc_7B0798
; 

loc_8EB8EA:				; CODE XREF: MiFindEmptyAddressRangeInTree+68j
		mov	eax, [ebp+arg_10]
		shl	edx, 0Ch
		mov	[eax], edx
		xor	eax, eax
		jmp	loc_7B086C
; 

loc_8EB8F9:				; CODE XREF: MiFindEmptyAddressRangeInTree+143j
		mov	eax, [ebp+arg_10]
		shl	ecx, 0Ch
		mov	[eax], ecx
		xor	eax, eax
		jmp	loc_7B086C
; 

loc_8EB908:				; CODE XREF: MiFindEmptyAddressRangeInTree+CDj
		mov	edx, [ebp+var_4]
		push	0
		push	eax
		call	_MiHonorRangeStraddleRequirement@16 ; MiHonorRangeStraddleRequirement(x,x,x,x)
		mov	ecx, eax
		jmp	loc_7B0823
; 

loc_8EB91A:				; CODE XREF: MiFindEmptyAddressRangeInTree+ACj
		mov	ecx, [edx+10h]
		mov	eax, [ebp+arg_0]
		add	ecx, edi
		and	ecx, [ebp+var_8]
		cmp	ecx, eax
		jnb	short loc_8EB92B
		mov	ecx, eax

loc_8EB92B:				; CODE XREF: MiFindEmptyAddressRangeInTree+13B1D7j
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_4]
		test	eax, eax
		jz	short loc_8EB93F
		push	0
		push	eax
		call	_MiHonorRangeStraddleRequirement@16 ; MiHonorRangeStraddleRequirement(x,x,x,x)
		mov	ecx, eax

loc_8EB93F:				; CODE XREF: MiFindEmptyAddressRangeInTree+13B1E3j
		cmp	ebx, ecx
		jb	loc_7B0881
		sub	ebx, ecx
		inc	ebx
		cmp	edx, ebx
		ja	loc_7B0881
		jmp	loc_7B0862
; END OF FUNCTION CHUNK	FOR MiFindEmptyAddressRangeInTree
; 
; START	OF FUNCTION CHUNK FOR AlpcpFlushMessagesByRequestor

loc_8EB957:				; CODE XREF: AlpcpFlushMessagesByRequestor+D7j
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_8EB967
		mov	ecx, edi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_8EB967:				; CODE XREF: AlpcpFlushMessagesByRequestor+13AF94j
		mov	ecx, edi
		call	AlpcpUnlockBlob
		mov	edi, [ebp+var_4]
		jmp	loc_7B0AB8
; END OF FUNCTION CHUNK	FOR AlpcpFlushMessagesByRequestor
; 
; START	OF FUNCTION CHUNK FOR NtSecureConnectPort

loc_8EB976:				; CODE XREF: NtSecureConnectPort+D7j
		mov	ecx, eax
		jmp	loc_7B0C15
; 

loc_8EB97D:				; CODE XREF: NtSecureConnectPort+F2j
		mov	edx, ecx
		jmp	loc_7B0C30
; 

loc_8EB984:				; CODE XREF: NtSecureConnectPort+119j
		mov	esi, eax
		jmp	loc_7B0C57
; 

loc_8EB98B:				; CODE XREF: NtSecureConnectPort+132j
					; NtSecureConnectPort+175j
		mov	[ebp+var_30], 0C000000Dh
		jmp	short loc_8EB99D
; END OF FUNCTION CHUNK	FOR NtSecureConnectPort

;  S U B	R O U T	I N E 


sub_8EB994	proc near		; DATA XREF: .text:006A2B58o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-68h]
		mov	[ebp-30h], eax
sub_8EB994	endp

; START	OF FUNCTION CHUNK FOR NtSecureConnectPort

loc_8EB99D:				; CODE XREF: NtSecureConnectPort+13AE5Aj
					; NtSecureConnectPort+13AEAEj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7B0EA7
; 

loc_8EB9A9:				; CODE XREF: NtSecureConnectPort+148j
		mov	byte ptr [eax],	0
		jmp	loc_7B0C86
; 

loc_8EB9B1:				; CODE XREF: NtSecureConnectPort+169j
		mov	eax, ecx
		jmp	loc_7B0CA7
; 

loc_8EB9B8:				; CODE XREF: NtSecureConnectPort+18Bj
		mov	byte ptr [eax],	0
		jmp	loc_7B0CC9
; 

loc_8EB9C0:				; CODE XREF: NtSecureConnectPort+1ABj
		mov	ecx, eax
		jmp	loc_7B0CE9
; 

loc_8EB9C7:				; CODE XREF: NtSecureConnectPort+1C2j
		mov	ecx, eax
		jmp	loc_7B0D00
; 

loc_8EB9CE:				; CODE XREF: NtSecureConnectPort+1DCj
		lea	ecx, [ebp+var_38]
		push	ecx
		push	1
		sub	esp, 0Ch
		mov	dl, [ebp+var_29]
		mov	ecx, eax
		call	SeCaptureSid
		mov	[ebp+var_30], eax
		test	eax, eax
		js	short loc_8EB99D
		jmp	loc_7B0D1A
; END OF FUNCTION CHUNK	FOR NtSecureConnectPort

;  S U B	R O U T	I N E 


sub_8EB9ED	proc near		; DATA XREF: .text:006A2B54o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-68h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EB9ED	endp

; 
; START	OF FUNCTION CHUNK FOR NtSecureConnectPort

loc_8EB9FB:				; CODE XREF: NtSecureConnectPort+218j
		mov	al, [ebp+var_29]
		test	al, al
		jz	short loc_8EBA0A
		cmp	al, 1
		jnz	loc_7B0D56

loc_8EBA0A:				; CODE XREF: NtSecureConnectPort+13AEC8j
		push	0
		push	[ebp+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7B0D56
; 

loc_8EBA19:				; CODE XREF: NtSecureConnectPort+282j
		mov	ecx, esi
		call	_AlpcpLogConnectRequest@4 ; AlpcpLogConnectRequest(x)
		jmp	loc_7B0DC0
; 

loc_8EBA25:				; CODE XREF: NtSecureConnectPort+2B3j
		cmp	_AlpcpLogEnabled, 0
		jz	short loc_8EBA38
		mov	edx, ebx
		mov	ecx, [ebp+var_34]
		call	_AlpcpLogConnectFail@8 ; AlpcpLogConnectFail(x,x)

loc_8EBA38:				; CODE XREF: NtSecureConnectPort+13AEF4j
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_8EBA48
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_8EBA48:				; CODE XREF: NtSecureConnectPort+13AF07j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		jmp	loc_7B0E88
; 

loc_8EBA54:				; CODE XREF: NtSecureConnectPort+2E6j
		cmp	_AlpcpLogEnabled, 0
		jz	loc_7B0E88
		mov	edx, ebx
		mov	ecx, [ebp+var_34]
		call	_AlpcpLogConnectFail@8 ; AlpcpLogConnectFail(x,x)
		jmp	loc_7B0E88
; 

loc_8EBA70:				; CODE XREF: NtSecureConnectPort+2F2j
		mov	ecx, [ebp+var_34]
		call	_AlpcpLogConnectSuccess@4 ; AlpcpLogConnectSuccess(x)
		jmp	loc_7B0E30
; END OF FUNCTION CHUNK	FOR NtSecureConnectPort

;  S U B	R O U T	I N E 


sub_8EBA7D	proc near		; DATA XREF: .text:006A2B60o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-78h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EBA7D	endp


;  S U B	R O U T	I N E 


sub_8EBA8B	proc near		; DATA XREF: .text:006A2B64o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-78h]
		mov	[ebp-30h], ebx
		jmp	loc_7B0E81
sub_8EBA8B	endp

; 
; START	OF FUNCTION CHUNK FOR NtSecureConnectPort

loc_8EBA99:				; CODE XREF: NtSecureConnectPort+369j
		push	[ebp+var_58]
		call	NtClose
		jmp	loc_7B0EA7
; END OF FUNCTION CHUNK	FOR NtSecureConnectPort
; 
; START	OF FUNCTION CHUNK FOR AlpcpReceiveLegacyConnectionReply

loc_8EBAA6:				; CODE XREF: AlpcpReceiveLegacyConnectionReply+33j
		test	byte ptr [edi+0F4h], 10h
		jnz	short loc_8EBABB
		cmp	esi, 0C0000701h
		jnz	loc_7B0FDB

loc_8EBABB:				; CODE XREF: AlpcpReceiveLegacyConnectionReply+13ABA5j
		mov	esi, 0C0000041h
		jmp	loc_7B0FDB
; 

loc_8EBAC5:				; CODE XREF: AlpcpReceiveLegacyConnectionReply+70j
		mov	dword ptr [ecx], 0Ch
		mov	eax, [edx+14h]
		mov	[ecx+8], eax
		mov	eax, [edx+8]
		mov	eax, [eax+14h]
		mov	[ecx+4], eax
		jmp	loc_7B0F7E
; 

loc_8EBADF:				; CODE XREF: AlpcpReceiveLegacyConnectionReply+8Fj
		mov	[ebp+arg_4], eax
		mov	ax, [ecx]
		mov	[edx+80h], ax
		jmp	loc_7B0F9F
; END OF FUNCTION CHUNK	FOR AlpcpReceiveLegacyConnectionReply

;  S U B	R O U T	I N E 


sub_8EBAF1	proc near		; DATA XREF: .text:006A2B7Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EBAF1	endp


;  S U B	R O U T	I N E 


sub_8EBAFF	proc near		; DATA XREF: .text:006A2B80o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-24h]
		jmp	loc_7B0FB3
sub_8EBAFF	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpReceiveLegacyConnectionReply

loc_8EBB0A:				; CODE XREF: AlpcpReceiveLegacyConnectionReply+B8j
		mov	eax, [ebp+var_1C]
		mov	[eax+80h], cx
		jmp	loc_7B0FC6
; 

loc_8EBB19:				; CODE XREF: AlpcpReceiveLegacyConnectionReply+C5j
		mov	ecx, [ebp+var_1C]
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	loc_7B0FD3
; END OF FUNCTION CHUNK	FOR AlpcpReceiveLegacyConnectionReply
; 

loc_8EBB26:				; CODE XREF: PAGE:007B10C5j
		mov	byte ptr [eax],	0
		jmp	loc_7B10CB
; 

loc_8EBB2E:				; DATA XREF: .text:006A2B9Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		mov	eax, 1
		retn
; 

loc_8EBB3E:				; DATA XREF: .text:006A2BA0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-24h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7B1137
; 

loc_8EBB50:				; CODE XREF: PAGE:007B117Ej
		mov	dword ptr [ebp-30h], 10005h
		push	0
		call	@AlpcpSendMessage@16 ; AlpcpSendMessage(x,x,x,x)
		jmp	loc_7B1190
; 

loc_8EBB63:				; CODE XREF: PAGE:007B1196j
		mov	ecx, edi
		call	ObfDereferenceObject
		cmp	esi, 0C0000703h
		jnz	loc_7B1137
		mov	esi, 0C0000037h
		jmp	loc_7B1137
; 
; START	OF FUNCTION CHUNK FOR AlpcpReceiveLegacyMessage

loc_8EBB80:				; CODE XREF: AlpcpReceiveLegacyMessage+8Cj
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_8EBB8B
		mov	ecx, eax

loc_8EBB8B:				; CODE XREF: AlpcpReceiveLegacyMessage+13A9D7j
		nop
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], ecx
		lea	ecx, [ebp+var_4C]
		mov	[ebp+var_20], ecx
		mov	[ebp+arg_0], ecx
		jmp	loc_7B1242
; 

loc_8EBBA5:				; CODE XREF: AlpcpReceiveLegacyMessage+A6j
		mov	byte ptr [eax],	0
		jmp	loc_7B125C
; 

loc_8EBBAD:				; CODE XREF: AlpcpReceiveLegacyMessage+CCj
		mov	ecx, eax
		jmp	loc_7B1282
; END OF FUNCTION CHUNK	FOR AlpcpReceiveLegacyMessage

;  S U B	R O U T	I N E 


sub_8EBBB4	proc near		; DATA XREF: .text:006A2BBCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		mov	eax, 1
		retn
sub_8EBBB4	endp


;  S U B	R O U T	I N E 


sub_8EBBC4	proc near		; DATA XREF: .text:006A2BC0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-38h]
		jmp	loc_7B1393
sub_8EBBC4	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpReceiveLegacyMessage

loc_8EBBD6:				; CODE XREF: AlpcpReceiveLegacyMessage+239j
					; AlpcpReceiveLegacyMessage+248j
		xor	edx, edx
		mov	eax, 11h
		mov	esi, [ebp+arg_4]
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_8EBBF0
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8EBBF0:				; CODE XREF: AlpcpReceiveLegacyMessage+13AA37j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, 0C0000037h
		jmp	loc_7B1393
; 

loc_8EBC01:				; CODE XREF: AlpcpReceiveLegacyMessage+125j
		mov	eax, [ebp+var_24]
		cmp	[esi+24h], eax
		jnz	short loc_8EBC17
		mov	dword ptr [esi+24h], 0
		mov	dword ptr [esi+20h], 0

loc_8EBC17:				; CODE XREF: AlpcpReceiveLegacyMessage+13AA57j
		push	10000h
		mov	edx, esi
		mov	ecx, eax
		call	@AlpcpCancelMessage@12 ; AlpcpCancelMessage(x,x,x)
		mov	[ebp+var_28], 0
		mov	ecx, [ebp+var_20]
		mov	esi, [ebp+var_30]
		jmp	loc_7B12B0
; END OF FUNCTION CHUNK	FOR AlpcpReceiveLegacyMessage

;  S U B	R O U T	I N E 


sub_8EBC37	proc near		; DATA XREF: .text:006A2BC8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		mov	eax, 1
		retn
sub_8EBC37	endp


;  S U B	R O U T	I N E 


sub_8EBC47	proc near		; DATA XREF: .text:006A2BCCo
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-40h]
		mov	[ebp+0Ch], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-44h]
		mov	esi, [ebp-28h]
		mov	eax, [ebp-34h]
		jmp	loc_7B135F
sub_8EBC47	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpReceiveLegacyMessage

loc_8EBC65:				; CODE XREF: AlpcpReceiveLegacyMessage+1C6j
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	loc_7B137C
; 

loc_8EBC71:				; CODE XREF: AlpcpReceiveLegacyMessage+1B1j
					; AlpcpReceiveLegacyMessage+1B9j
		mov	dword ptr [esi+6Ch], 0
		push	10000h
		mov	edx, esi
		mov	ecx, eax
		call	@AlpcpCancelMessage@12 ; AlpcpCancelMessage(x,x,x)
		jmp	loc_7B1383
; END OF FUNCTION CHUNK	FOR AlpcpReceiveLegacyMessage
; 
; START	OF FUNCTION CHUNK FOR AlpcpCompleteDeferSignalRequest

loc_8EBC8B:				; CODE XREF: AlpcpCompleteDeferSignalRequest+Fj
		push	0
		xor	dl, dl
		call	AlpcpSignal
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	loc_7B1463
		pop	esi
		jmp	ObfDereferenceObject
; END OF FUNCTION CHUNK	FOR AlpcpCompleteDeferSignalRequest
; 
; START	OF FUNCTION CHUNK FOR AlpcpQueryRemoteView

loc_8EBCA5:				; CODE XREF: AlpcpQueryRemoteView+1Fj
					; AlpcpQueryRemoteView+2Aj
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx

loc_8EBCAE:				; CODE XREF: AlpcpQueryRemoteView+B7j
		cmp	eax, 11h
		jz	short loc_8EBCBA
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8EBCBA:				; CODE XREF: AlpcpQueryRemoteView+13A7F5j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, 0C0000037h
		jmp	loc_7B155B
; END OF FUNCTION CHUNK	FOR AlpcpQueryRemoteView
; 
; START	OF FUNCTION CHUNK FOR NtReplyPort

loc_8EBCCB:				; CODE XREF: NtReplyPort+9Ej
		push	edi
		mov	[esp+40h+var_C], 10001h
		call	@AlpcpSendMessage@16 ; AlpcpSendMessage(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000703h
		jnz	loc_7B162B
		mov	esi, 0C0000037h
		jmp	loc_7B162B
; END OF FUNCTION CHUNK	FOR NtReplyPort
; 
; START	OF FUNCTION CHUNK FOR AlpcpReferenceReplyTargetPorts

loc_8EBCF1:				; CODE XREF: AlpcpReferenceReplyTargetPorts+38j
		mov	ecx, edi
		call	ObfDereferenceObject

loc_8EBCF8:				; CODE XREF: AlpcpReferenceReplyTargetPorts+30j
		test	esi, esi
		jz	short loc_8EBD03

loc_8EBCFC:				; CODE XREF: AlpcpReferenceReplyTargetPorts+5Cj
		mov	ecx, esi
		call	ObfDereferenceObject

loc_8EBD03:				; CODE XREF: AlpcpReferenceReplyTargetPorts+139AEAj
		mov	eax, 0C0000037h
		jmp	loc_7B2262
; END OF FUNCTION CHUNK	FOR AlpcpReferenceReplyTargetPorts
; 
; START	OF FUNCTION CHUNK FOR AlpcpLockCommunicationInfoForReply

loc_8EBD0D:				; CODE XREF: AlpcpLockCommunicationInfoForReply+1Aj
		mov	esi, [ebx+8]
		xor	edx, edx
		lea	ecx, [esi-4]
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi]
		mov	edx, eax
		cmp	ebx, edi
		jz	loc_7B22A9
		jmp	loc_7B22C5
; END OF FUNCTION CHUNK	FOR AlpcpLockCommunicationInfoForReply
; 
; START	OF FUNCTION CHUNK FOR AlpcpReleaseMessageAttributesOnCancel

loc_8EBD2B:				; CODE XREF: AlpcpReleaseMessageAttributesOnCancel+1Ej
		xor	edx, edx
		inc	edx
		call	AlpcpDereferenceBlobEx
		mov	[esi+50h], ebx
		jmp	loc_7B22EE
; END OF FUNCTION CHUNK	FOR AlpcpReleaseMessageAttributesOnCancel
; 
; START	OF FUNCTION CHUNK FOR ObpLockHandleDataBaseEntry

loc_8EBD3B:				; CODE XREF: ObpLockHandleDataBaseEntry+ABj
		mov	eax, [eax+4]
		mov	esi, eax
		shr	esi, 18h
		and	eax, 0FFFFFFh
		add	esi, eax
		cmp	esi, 0FFFF01h
		jnb	loc_7B25C2
		jmp	loc_7B2531
; 

loc_8EBD5B:				; CODE XREF: ObpLockHandleDataBaseEntry+DEj
		mov	edx, [eax+4]
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		mov	ecx, edx
		and	edx, 0FFFFFFh
		shr	ecx, 18h
		add	edx, [ebp+var_4]
		add	ecx, edx
		mov	edx, [ebp+var_C]
		mov	[ebp+var_4], ecx
		jmp	loc_7B24F0
; END OF FUNCTION CHUNK	FOR ObpLockHandleDataBaseEntry
; 
; START	OF FUNCTION CHUNK FOR FsRtlOplockBreakH

loc_8EBD7E:				; CODE XREF: FsRtlOplockBreakH+60j
		xor	esi, esi
		mov	[ebp+var_20], esi
		jmp	loc_7B2777
; END OF FUNCTION CHUNK	FOR FsRtlOplockBreakH

;  S U B	R O U T	I N E 


sub_8EBD88	proc near		; DATA XREF: .text:006A2C10o
		mov	edi, [ebp-24h]
		mov	esi, [ebp-20h]
		jmp	sub_7B2788
sub_8EBD88	endp

; 
; START	OF FUNCTION CHUNK FOR PspThreadOpen

loc_8EBD93:				; CODE XREF: PspThreadOpen+44j
		cmp	dword ptr [ecx+3D4h], 0
		jnz	loc_7B2838
		test	bl, bl
		jz	loc_7B2838
		mov	eax, dword_6BEE08
		not	eax
		test	[esi], eax
		jz	loc_7B2838
		jmp	loc_7B287C
; END OF FUNCTION CHUNK	FOR PspThreadOpen
; 
; START	OF FUNCTION CHUNK FOR CmpFindSubKeyByNameWithStatus

loc_8EBDBC:				; CODE XREF: CmpFindSubKeyByNameWithStatus+5Cj
					; CmpFindSubKeyByNameWithStatus+13Ej
		mov	eax, 0C000009Ah
		jmp	loc_7B2AC1
; 

loc_8EBDC6:				; CODE XREF: CmpFindSubKeyByNameWithStatus+113j
		mov	ebx, 0C000009Ah
		jmp	loc_7B2AB5
; END OF FUNCTION CHUNK	FOR CmpFindSubKeyByNameWithStatus
; 
; START	OF FUNCTION CHUNK FOR NtAlpcOpenSenderThread

loc_8EBDD0:				; CODE XREF: NtAlpcOpenSenderThread+7Aj
		mov	ecx, eax
		jmp	loc_7B2C80
; 

loc_8EBDD7:				; CODE XREF: NtAlpcOpenSenderThread+8Ej
		mov	esi, eax
		jmp	loc_7B2C94
; 

loc_8EBDDE:				; CODE XREF: NtAlpcOpenSenderThread+A7j
		mov	esi, eax
		jmp	loc_7B2CAD
; END OF FUNCTION CHUNK	FOR NtAlpcOpenSenderThread

;  S U B	R O U T	I N E 


sub_8EBDE5	proc near		; DATA XREF: .text:006A2C4Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EBDE5	endp


;  S U B	R O U T	I N E 


sub_8EBDF3	proc near		; DATA XREF: .text:006A2C50o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-1Ch]
		call	ObfDereferenceObject
		mov	esi, [ebp-2Ch]
		jmp	loc_7B2D62
sub_8EBDF3	endp

; 
; START	OF FUNCTION CHUNK FOR NtAlpcOpenSenderThread

loc_8EBE06:				; CODE XREF: NtAlpcOpenSenderThread+65j
		push	6
		pop	ecx
		mov	esi, [ebp+arg_8]
		lea	edi, [ebp+var_48]
		rep movsd
		push	6
		pop	ecx
		mov	esi, [ebp+arg_14]
		lea	edi, [ebp+var_60]
		rep movsd
		mov	ebx, [ebp+arg_0]
		jmp	loc_7B2CBD
; 

loc_8EBE24:				; CODE XREF: NtAlpcOpenSenderThread+D6j
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	loc_7B2D69
; 

loc_8EBE30:				; CODE XREF: NtAlpcOpenSenderThread+E3j
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_8EBE40
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_8EBE40:				; CODE XREF: NtAlpcOpenSenderThread+139237j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	esi, 0C0000703h
		jmp	loc_7B2D69
; 

loc_8EBE58:				; CODE XREF: NtAlpcOpenSenderThread+F1j
					; NtAlpcOpenSenderThread+10Bj
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_8EBE68
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_8EBE68:				; CODE XREF: NtAlpcOpenSenderThread+13925Fj
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	esi, 0C0000022h
		jmp	loc_7B2D69
; END OF FUNCTION CHUNK	FOR NtAlpcOpenSenderThread

;  S U B	R O U T	I N E 


sub_8EBE80	proc near		; DATA XREF: .text:006A2C58o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EBE80	endp


;  S U B	R O U T	I N E 


sub_8EBE8E	proc near		; DATA XREF: .text:006A2C5Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-30h]
		jmp	loc_7B2D62
sub_8EBE8E	endp

; 
; START	OF FUNCTION CHUNK FOR PsOpenThread

loc_8EBE99:				; CODE XREF: PsOpenThread+87j
		mov	ecx, eax
		jmp	loc_7B2E55
; 

loc_8EBEA0:				; CODE XREF: PsOpenThread+A6j
		mov	ecx, eax
		jmp	loc_7B2E74
; 

loc_8EBEA7:				; CODE XREF: PsOpenThread+EBj
		mov	edx, eax
		jmp	loc_7B2EB9
; 

loc_8EBEAE:				; CODE XREF: PsOpenThread+D3j
		xor	al, al
		mov	[ebp-1F2h], al
		jmp	loc_7B2EE1
; END OF FUNCTION CHUNK	FOR PsOpenThread

;  S U B	R O U T	I N E 


sub_8EBEBB	proc near		; DATA XREF: .text:006A2C74o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-218h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EBEBB	endp


;  S U B	R O U T	I N E 


sub_8EBECC	proc near		; DATA XREF: .text:006A2C78o
		mov	esi, [ebp-218h]
		jmp	short loc_8EBEDA
; 

loc_8EBED4:				; DATA XREF: .text:006A2C84o
		mov	esi, [ebp-230h]

loc_8EBEDA:				; CODE XREF: sub_8EBECC+6j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-214h]
		jmp	loc_7B303F
sub_8EBECC	endp

; 
; START	OF FUNCTION CHUNK FOR PsOpenThread

loc_8EBEEF:				; CODE XREF: PsOpenThread+175j
		cmp	[ebp+var_208], 0
		jnz	loc_7B2F43
		mov	byte ptr [ebp+var_20C],	1
		jmp	loc_7B2F4C
; 

loc_8EBF08:				; CODE XREF: PsOpenThread+1E0j
					; PsOpenThread+2B6j
		lea	ecx, [ebp+var_128]
		call	SepDeleteAccessState
		lea	eax, [ebp+var_10C]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_7B303F
; 

loc_8EBF24:				; CODE XREF: PsOpenThread+271j
		cmp	dword_6B1F50, 5
		jbe	loc_7B303F
		push	4000h
		xor	ebx, ebx
		push	ebx
		mov	ecx, offset dword_6B1F50
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_7B303F
		push	[ebp+var_1F8]
		call	_PsGetThreadId@4 ; PsGetThreadId(x)
		mov	[ebp+var_220], eax
		lea	eax, [ebp+var_220]
		mov	[ebp+var_90], eax
		mov	[ebp+var_8C], ebx
		push	4
		pop	ecx
		mov	[ebp+var_88], ecx
		mov	[ebp+var_84], ebx
		mov	eax, [ebp+var_200]
		mov	[ebp+var_224], eax
		lea	eax, [ebp+var_224]
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_78], ecx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_228], edi
		lea	eax, [ebp+var_228]
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_64], ebx
		mov	eax, [ebp+var_204]
		mov	[ebp+var_22C], eax
		lea	eax, [ebp+var_22C]
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], ebx
		mov	al, [ebp+arg_8]
		mov	[ebp-1F3h], al
		lea	eax, [ebp-1F3h]
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], 1
		mov	[ebp+var_44], ebx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1F4], al
		lea	eax, [ebp+var_1F4]
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], 1
		mov	[ebp+var_34], ebx
		mov	[ebp+var_238], 1000000h
		mov	[ebp+var_234], ebx
		lea	eax, [ebp+var_238]
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], 8
		mov	[ebp+var_24], ebx
		lea	eax, [ebp+var_B0]
		push	eax
		push	9
		push	ebx
		push	ebx
		push	offset loc_42294E
		push	offset dword_6B1F50
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_7B303F
; END OF FUNCTION CHUNK	FOR PsOpenThread

;  S U B	R O U T	I N E 


sub_8EC054	proc near		; DATA XREF: .text:006A2C80o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-230h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC054	endp

; 
; START	OF FUNCTION CHUNK FOR PsOpenThread

loc_8EC065:				; CODE XREF: PsOpenThread+248j
		test	ebx, ebx
		jz	loc_7B303F
		cmp	esi, 0C0000022h
		jnz	loc_7B303F
		cmp	[ebp+var_208], 0
		jnz	loc_7B303F
		mov	[ebp+var_208], 1
		jmp	loc_7B2EFE
; 

loc_8EC095:				; CODE XREF: PsOpenThread+122j
					; PsOpenThread+12Aj
		mov	esi, 0C0000030h
		jmp	loc_7B303F
; END OF FUNCTION CHUNK	FOR PsOpenThread
; 
; START	OF FUNCTION CHUNK FOR PsLookupProcessThreadByCid

loc_8EC09F:				; CODE XREF: PsLookupProcessThreadByCid+2Cj
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, 0C000000Bh
		jmp	loc_7B31BE
; END OF FUNCTION CHUNK	FOR PsLookupProcessThreadByCid
; 
; START	OF FUNCTION CHUNK FOR PfSetSuperfetchInformation

loc_8EC0B0:				; CODE XREF: PfSetSuperfetchInformation+64j
		mov	ebx, 0C0000022h
		jmp	loc_7B4E9E
; 

loc_8EC0BA:				; CODE XREF: PfSetSuperfetchInformation+6Ej
		mov	ebx, 0C0000004h
		jmp	loc_7B4E9E
; END OF FUNCTION CHUNK	FOR PfSetSuperfetchInformation

;  S U B	R O U T	I N E 


sub_8EC0C4	proc near		; DATA XREF: .text:006A2E6Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC0C4	endp


;  S U B	R O U T	I N E 


sub_8EC0D2	proc near		; DATA XREF: .text:006A2E70o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-4Ch]
		jmp	loc_7B4E3B
sub_8EC0D2	endp

; 
; START	OF FUNCTION CHUNK FOR PfSetSuperfetchInformation

loc_8EC0DD:				; CODE XREF: PfSetSuperfetchInformation+404j
		mov	eax, ecx
		jmp	loc_7B51BA
; END OF FUNCTION CHUNK	FOR PfSetSuperfetchInformation

;  S U B	R O U T	I N E 


sub_8EC0E4	proc near		; DATA XREF: .text:006A2E9Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC0E4	endp


;  S U B	R O U T	I N E 


sub_8EC0F2	proc near		; DATA XREF: .text:006A2EA0o
		mov	ebx, [ebp-50h]
		jmp	loc_8EC200
sub_8EC0F2	endp

; 
; START	OF FUNCTION CHUNK FOR PfSetSuperfetchInformation

loc_8EC0FA:				; CODE XREF: PfSetSuperfetchInformation+3CBj
		cmp	[ebp+var_24], 4
		jnz	loc_8EC19C
		mov	[ebp+ms_exc.disabled], 5
		cmp	byte ptr [ebp+arg_4], 0
		jz	short loc_8EC12B
		mov	eax, [ebp+var_28]
		test	al, cl
		jnz	loc_7B52AA
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_8EC128
		mov	eax, ecx

loc_8EC128:				; CODE XREF: PfSetSuperfetchInformation+137374j
		nop
		mov	al, [eax]

loc_8EC12B:				; CODE XREF: PfSetSuperfetchInformation+13735Fj
		mov	ecx, [ebp+var_28]
		mov	ecx, [ecx]
		mov	[ebp+var_9C], ecx
		mov	[ebp+ms_exc.disabled], edx
		call	PfTSetTraceWorkerPriority
		cmp	eax, 1Fh
		jle	loc_7B520C
		mov	ebx, 0C0000189h
		jmp	loc_7B4E9E
; END OF FUNCTION CHUNK	FOR PfSetSuperfetchInformation

;  S U B	R O U T	I N E 


sub_8EC151	proc near		; DATA XREF: .text:006A2EA8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC151	endp


;  S U B	R O U T	I N E 


sub_8EC15F	proc near		; DATA XREF: .text:006A2EACo
		mov	ebx, [ebp-54h]
		jmp	loc_8EC200
sub_8EC15F	endp

; 
; START	OF FUNCTION CHUNK FOR PfSetSuperfetchInformation

loc_8EC167:				; CODE XREF: PfSetSuperfetchInformation+284j
		mov	eax, [ebp+var_28]
		test	al, cl
		jnz	loc_7B52AA
		mov	esi, ds:_MmUserProbeAddress
		cmp	eax, esi
		jb	short loc_8EC17E
		mov	eax, esi

loc_8EC17E:				; CODE XREF: PfSetSuperfetchInformation+1373CAj
		nop
		mov	al, [eax]
		mov	eax, [ebp+arg_4]
		jmp	loc_7B503A
; END OF FUNCTION CHUNK	FOR PfSetSuperfetchInformation

;  S U B	R O U T	I N E 


sub_8EC189	proc near		; DATA XREF: .text:006A2E90o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-58h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC189	endp


;  S U B	R O U T	I N E 


sub_8EC197	proc near		; DATA XREF: .text:006A2E94o
		mov	ebx, [ebp-58h]
		jmp	short loc_8EC200
sub_8EC197	endp

; 
; START	OF FUNCTION CHUNK FOR PfSetSuperfetchInformation

loc_8EC19C:				; CODE XREF: PfSetSuperfetchInformation+166j
					; PfSetSuperfetchInformation+1C6j ...
		mov	ebx, 0C0000206h
		jmp	loc_7B4E9E
; 

loc_8EC1A6:				; CODE XREF: PfSetSuperfetchInformation+2D8j
		mov	eax, esi
		jmp	loc_7B508E
; 

loc_8EC1AD:				; CODE XREF: PfSetSuperfetchInformation+324j
		push	0Ch
		jmp	loc_7B50E5
; 

loc_8EC1B4:				; CODE XREF: PfSetSuperfetchInformation+31Bj
		push	24h
		jmp	loc_7B50E5
; 

loc_8EC1BB:				; CODE XREF: PfSetSuperfetchInformation+35Ej
		mov	ebx, 0C000009Ah
		jmp	loc_7B4E9E
; 

loc_8EC1C5:				; CODE XREF: PfSetSuperfetchInformation+385j
					; PfSetSuperfetchInformation+38Dj
		mov	byte ptr [ecx],	0
		jmp	loc_7B5143
; END OF FUNCTION CHUNK	FOR PfSetSuperfetchInformation

;  S U B	R O U T	I N E 


sub_8EC1CD	proc near		; DATA XREF: .text:006A2E84o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC1CD	endp


;  S U B	R O U T	I N E 


sub_8EC1DB	proc near		; DATA XREF: .text:006A2E88o
		mov	ebx, [ebp-5Ch]
		jmp	short loc_8EC200
sub_8EC1DB	endp

; 
; START	OF FUNCTION CHUNK FOR PfSetSuperfetchInformation

loc_8EC1E0:				; CODE XREF: PfSetSuperfetchInformation+313j
					; PfSetSuperfetchInformation+32Dj
		mov	ebx, 0C00000BBh
		jmp	loc_7B4E9E
; END OF FUNCTION CHUNK	FOR PfSetSuperfetchInformation

;  S U B	R O U T	I N E 


sub_8EC1EA	proc near		; DATA XREF: .text:006A2E78o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-60h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC1EA	endp


;  S U B	R O U T	I N E 


sub_8EC1F8	proc near		; DATA XREF: .text:006A2E7Co
		mov	ebx, [ebp-60h]
		jmp	short loc_8EC200
; 

loc_8EC1FD:				; DATA XREF: .text:006A2EB8o
		mov	ebx, [ebp-74h]

loc_8EC200:				; CODE XREF: sub_8EC0F2+3j
					; sub_8EC15F+3j ...
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7B4E9E
sub_8EC1F8	endp

; 
; START	OF FUNCTION CHUNK FOR PfSetSuperfetchInformation

loc_8EC20F:				; CODE XREF: PfSetSuperfetchInformation+142j
		sub	eax, ecx
		jz	loc_7B4E8D

loc_8EC217:				; CODE XREF: PfSetSuperfetchInformation+3D5j
		mov	ebx, 0C0000003h
		jmp	loc_7B4E9E
; 

loc_8EC221:				; CODE XREF: PfSetSuperfetchInformation+18Dj
		mov	eax, ecx
		jmp	loc_7B4F43
; END OF FUNCTION CHUNK	FOR PfSetSuperfetchInformation

;  S U B	R O U T	I N E 


sub_8EC228	proc near		; DATA XREF: .text:006A2ED8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-64h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC228	endp


;  S U B	R O U T	I N E 


sub_8EC236	proc near		; DATA XREF: .text:006A2EDCo
		mov	ebx, [ebp-64h]
		jmp	short loc_8EC200
sub_8EC236	endp

; 
; START	OF FUNCTION CHUNK FOR PfSetSuperfetchInformation

loc_8EC23B:				; CODE XREF: PfSetSuperfetchInformation+1EDj
		mov	eax, ecx
		jmp	loc_7B4FA3
; END OF FUNCTION CHUNK	FOR PfSetSuperfetchInformation

;  S U B	R O U T	I N E 


sub_8EC242	proc near		; DATA XREF: .text:006A2ECCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-6Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC242	endp


;  S U B	R O U T	I N E 


sub_8EC250	proc near		; DATA XREF: .text:006A2ED0o
		mov	ebx, [ebp-6Ch]
		jmp	short loc_8EC200
sub_8EC250	endp

; 
; START	OF FUNCTION CHUNK FOR PfSetSuperfetchInformation

loc_8EC255:				; CODE XREF: PfSetSuperfetchInformation+4BFj
		mov	esi, [ebp+var_40]
		not	esi
		and	esi, dword_6D4284
		mov	ecx, ebx
		call	_PfTCleanup@8	; PfTCleanup(x,x)
		push	1		; char
		mov	ecx, ebx	; void *
		call	PfTInitialize
		jmp	loc_7B5280
; END OF FUNCTION CHUNK	FOR PfSetSuperfetchInformation

;  S U B	R O U T	I N E 


sub_8EC275	proc near		; DATA XREF: .text:006A2EC0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-70h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC275	endp


;  S U B	R O U T	I N E 


sub_8EC283	proc near		; DATA XREF: .text:006A2EC4o
		mov	ebx, [ebp-70h]
		jmp	loc_8EC200
sub_8EC283	endp

; 
; START	OF FUNCTION CHUNK FOR PfSetSuperfetchInformation

loc_8EC28B:				; CODE XREF: PfSetSuperfetchInformation+11Dj
		cmp	[ebp+var_24], 4
		jnz	loc_8EC19C
		mov	[ebp+ms_exc.disabled], 6
		cmp	byte ptr [ebp+arg_4], 0
		jz	short loc_8EC2BC
		mov	eax, [ebp+var_28]
		test	al, 3
		jnz	loc_7B52AA
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_8EC2B9
		mov	eax, ecx

loc_8EC2B9:				; CODE XREF: PfSetSuperfetchInformation+137505j
		nop
		mov	al, [eax]

loc_8EC2BC:				; CODE XREF: PfSetSuperfetchInformation+1374F0j
		mov	eax, [ebp+var_28]
		mov	eax, [eax]
		mov	[ebp+var_A0], eax
		mov	[ebp+ms_exc.disabled], edx
		mov	ecx, dword_6D486C
		add	eax, ecx
		mov	[ebp+var_38], eax
		push	4
		lea	eax, [ebp+var_38]
		push	eax
		push	ecx
		mov	edx, offset ??_C@_1BC@FBKCDMNG@?$AAB?$AAa?$AAs?$AAe?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@ ; "BaseTime"
		mov	ecx, dword_6D4684
		call	_PfpSetParameter@20 ; PfpSetParameter(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7B4E9E
		mov	eax, [ebp+var_38]
		mov	dword_6D486C, eax
		jmp	loc_7B4E9E
; END OF FUNCTION CHUNK	FOR PfSetSuperfetchInformation

;  S U B	R O U T	I N E 


sub_8EC303	proc near		; DATA XREF: .text:006A2EB4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-74h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC303	endp

; 
; START	OF FUNCTION CHUNK FOR PfSnSetPrefetcherInformation

loc_8EC311:				; CODE XREF: PfSnSetPrefetcherInformation+13j
		mov	esi, 0C0000004h
		jmp	loc_7B53A8
; 

loc_8EC31B:				; CODE XREF: PfSnSetPrefetcherInformation+7Bj
					; PfSnSetPrefetcherInformation+1EFj
		mov	esi, 0C0000022h
		jmp	loc_7B53A8
; 

loc_8EC325:				; CODE XREF: PfSnSetPrefetcherInformation+95j
		dec	esi
		sub	esi, 1
		jz	short loc_8EC335
		mov	esi, 0C0000003h
		jmp	loc_7B53A8
; 

loc_8EC335:				; CODE XREF: PfSnSetPrefetcherInformation+13706Bj
		cmp	[ebp+var_70], 0Ch
		jnz	short loc_8EC39D
		mov	[ebp+ms_exc.disabled], 4
		test	bl, bl
		jz	short loc_8EC360
		mov	eax, [ebp+var_74]
		test	al, 3
		jnz	loc_7B54B2
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_8EC35D
		mov	eax, ecx

loc_8EC35D:				; CODE XREF: PfSnSetPrefetcherInformation+13709Bj
		nop
		mov	al, [eax]

loc_8EC360:				; CODE XREF: PfSnSetPrefetcherInformation+137086j
		mov	esi, [ebp+var_74]
		lea	edi, [ebp+var_BC]
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], edx
		mov	dl, bl
		lea	ecx, [ebp+var_BC]
		call	_PfSnAppLaunchScenarioControl@8	; PfSnAppLaunchScenarioControl(x,x)
		jmp	loc_7B54A1
; END OF FUNCTION CHUNK	FOR PfSnSetPrefetcherInformation

;  S U B	R O U T	I N E 


sub_8EC381	proc near		; DATA XREF: .text:006A2F24o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-84h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC381	endp


;  S U B	R O U T	I N E 


sub_8EC392	proc near		; DATA XREF: .text:006A2F28o
		mov	esi, [ebp-84h]
		jmp	loc_8EC421
sub_8EC392	endp

; 
; START	OF FUNCTION CHUNK FOR PfSnSetPrefetcherInformation

loc_8EC39D:				; CODE XREF: PfSnSetPrefetcherInformation+9Fj
					; PfSnSetPrefetcherInformation+13707Bj
		mov	esi, 0C0000206h
		jmp	loc_7B53A8
; 

loc_8EC3A7:				; CODE XREF: PfSnSetPrefetcherInformation+BFj
		mov	eax, ecx
		jmp	loc_7B5383
; END OF FUNCTION CHUNK	FOR PfSnSetPrefetcherInformation

;  S U B	R O U T	I N E 


sub_8EC3AE	proc near		; DATA XREF: .text:006A2F18o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-88h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC3AE	endp


;  S U B	R O U T	I N E 


sub_8EC3BF	proc near		; DATA XREF: .text:006A2F1Co
		mov	esi, [ebp-88h]
		jmp	short loc_8EC421
sub_8EC3BF	endp

; 

loc_8EC3C7:				; DATA XREF: .text:006A2F0Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-8Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8EC3D8:				; DATA XREF: .text:006A2F10o
		mov	esi, [ebp-8Ch]
		jmp	short loc_8EC421
; 
; START	OF FUNCTION CHUNK FOR PfSnSetPrefetcherInformation

loc_8EC3E0:				; CODE XREF: PfSnSetPrefetcherInformation+12Bj
		mov	eax, ecx
		jmp	loc_7B53EF
; END OF FUNCTION CHUNK	FOR PfSnSetPrefetcherInformation

;  S U B	R O U T	I N E 


sub_8EC3E7	proc near		; DATA XREF: .text:006A2F00o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-90h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC3E7	endp


;  S U B	R O U T	I N E 


sub_8EC3F8	proc near		; DATA XREF: .text:006A2F04o
		mov	esi, [ebp-90h]
		jmp	short loc_8EC421
sub_8EC3F8	endp

; 
; START	OF FUNCTION CHUNK FOR PfSnSetPrefetcherInformation

loc_8EC400:				; CODE XREF: PfSnSetPrefetcherInformation+31j
					; PfSnSetPrefetcherInformation+3Ej ...
		mov	esi, 0C000000Dh
		jmp	loc_7B53A8
; END OF FUNCTION CHUNK	FOR PfSnSetPrefetcherInformation

;  S U B	R O U T	I N E 


sub_8EC40A	proc near		; DATA XREF: .text:006A2EF4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-94h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC40A	endp


;  S U B	R O U T	I N E 


sub_8EC41B	proc near		; DATA XREF: .text:006A2EF8o
		mov	esi, [ebp-94h]

loc_8EC421:				; CODE XREF: sub_8EC392+6j
					; sub_8EC3BF+6j ...
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7B53A8
sub_8EC41B	endp

; 
; START	OF FUNCTION CHUNK FOR PfpRpControlRequest

loc_8EC430:				; CODE XREF: PfpRpControlRequest+33j
		mov	esi, 0C0000080h
		jmp	loc_7B561F
; END OF FUNCTION CHUNK	FOR PfpRpControlRequest
; 
; START	OF FUNCTION CHUNK FOR PfpRpControlRequestCopy

loc_8EC43A:				; CODE XREF: PfpRpControlRequestCopy+5Aj
					; PfpRpControlRequestCopy+62j
		mov	byte ptr [esi],	0
		jmp	loc_7B5708
; 

loc_8EC442:				; CODE XREF: PfpRpControlRequestCopy+F8j
		mov	esi, 0C000000Dh
		jmp	loc_7B57D7
; END OF FUNCTION CHUNK	FOR PfpRpControlRequestCopy

;  S U B	R O U T	I N E 


sub_8EC44C	proc near		; DATA XREF: .text:006A2F50o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-60h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC44C	endp


;  S U B	R O U T	I N E 


sub_8EC45A	proc near		; DATA XREF: .text:006A2F54o
		mov	esi, [ebp-60h]
		jmp	short loc_8EC47A
sub_8EC45A	endp

; 
; START	OF FUNCTION CHUNK FOR PfpRpControlRequestCopy

loc_8EC45F:				; CODE XREF: PfpRpControlRequestCopy+E6j
					; PfpRpControlRequestCopy+EFj
		mov	esi, 0C0000095h
		jmp	loc_7B57D7
; END OF FUNCTION CHUNK	FOR PfpRpControlRequestCopy

;  S U B	R O U T	I N E 


sub_8EC469	proc near		; DATA XREF: .text:006A2F44o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-64h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC469	endp


;  S U B	R O U T	I N E 


sub_8EC477	proc near		; DATA XREF: .text:006A2F48o
		mov	esi, [ebp-64h]

loc_8EC47A:				; CODE XREF: sub_8EC45A+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4Ch]
		mov	ebx, [ebp-48h]
		jmp	loc_7B57DA
sub_8EC477	endp

; 
; START	OF FUNCTION CHUNK FOR PfpRpControlRequestCopy

loc_8EC48F:				; CODE XREF: PfpRpControlRequestCopy+13Cj
		cmp	ebx, eax
		jz	loc_7B57E2
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7B57E2
; END OF FUNCTION CHUNK	FOR PfpRpControlRequestCopy
; 
; START	OF FUNCTION CHUNK FOR PfpRpCHashAddEntries

loc_8EC4A4:				; CODE XREF: PfpRpCHashAddEntries+85j
		xor	eax, eax
		jmp	loc_7B5ACA
; 

loc_8EC4AB:				; CODE XREF: PfpRpCHashAddEntries+1B0j
		mov	esi, [ebp+var_4]
		mov	edi, [ebp+var_24]
		jmp	loc_7B59E7
; END OF FUNCTION CHUNK	FOR PfpRpCHashAddEntries
; 
; START	OF FUNCTION CHUNK FOR PfpPrefetchRequest

loc_8EC4B6:				; CODE XREF: PfpPrefetchRequest+1Aj
		mov	esi, 0C0000003h
		jmp	loc_7B5CC9
; 

loc_8EC4C0:				; CODE XREF: PfpPrefetchRequest+26j
		mov	esi, 0C0000206h
		jmp	loc_7B5CC9
; 

loc_8EC4CA:				; CODE XREF: PfpPrefetchRequest+42j
		mov	esi, 0C000009Ah
		jmp	loc_7B5CC9
; 

loc_8EC4D4:				; CODE XREF: PfpPrefetchRequest+6Fj
					; PfpPrefetchRequest+77j
		mov	byte ptr [ecx],	0
		jmp	loc_7B5BED
; 

loc_8EC4DC:				; CODE XREF: PfpPrefetchRequest+9Fj
		mov	esi, 0C000007Bh
		jmp	loc_7B5CC9
; END OF FUNCTION CHUNK	FOR PfpPrefetchRequest

;  S U B	R O U T	I N E 


sub_8EC4E6	proc near		; DATA XREF: .text:006A2F78o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC4E6	endp


;  S U B	R O U T	I N E 


sub_8EC4F4	proc near		; DATA XREF: .text:006A2F7Co
		mov	esi, [ebp-38h]
		jmp	short loc_8EC4FC
; 

loc_8EC4F9:				; DATA XREF: .text:006A2F70o
		mov	esi, [ebp-3Ch]

loc_8EC4FC:				; CODE XREF: sub_8EC4F4+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-2Ch]
		jmp	loc_7B5CC9
sub_8EC4F4	endp

; 

loc_8EC50E:				; DATA XREF: .text:006A2F6Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 
; START	OF FUNCTION CHUNK FOR PfpPrefetchRequestPerform

loc_8EC51C:				; CODE XREF: PfpPrefetchRequestPerform+82j
		mov	esi, 0C000009Ah
		jmp	loc_7B5F77
; 

loc_8EC526:				; CODE XREF: PfpPrefetchRequestPerform+A6j
		mov	dword ptr [eax+20h], 0FAh
		mov	eax, [esp+0A8h+var_64]
		mov	dword ptr [eax+1Ch], 0Fh
		jmp	loc_7B5DBC
; 

loc_8EC53D:				; CODE XREF: PfpPrefetchRequestPerform+DFj
		lock inc dword_6FB630
		mov	eax, [esp+0A8h+var_78]
		mov	eax, [eax+34h]
		test	eax, eax
		jnz	short loc_8EC553
		lea	eax, [esp+0A8h+var_88]

loc_8EC553:				; CODE XREF: PfpPrefetchRequestPerform+13684Fj
		push	0
		push	0
		mov	edx, ecx
		mov	ecx, offset unk_6D4870
		push	eax
		call	PfpScenCtxPrefetchAbortSet
		mov	esi, eax
		test	esi, esi
		js	loc_7B6015
		mov	eax, [esp+0A8h+var_78]
		cmp	dword ptr [eax+34h], 0
		jnz	loc_7B5DE3
		lea	ecx, [esp+0A8h+var_88]
		mov	[eax+34h], ecx
		jmp	loc_7B5DE3
; 

loc_8EC588:				; CODE XREF: PfpPrefetchRequestPerform+100j
					; PfpPrefetchRequestPerform+18Dj ...
		mov	esi, 0C000009Ah
		jmp	loc_7B6015
; 

loc_8EC592:				; CODE XREF: PfpPrefetchRequestPerform+19Bj
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	loc_7B5E9F
		imul	eax, 14h
		push	68466650h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0A8h+var_74], eax
		test	eax, eax
		jz	short loc_8EC588
		mov	eax, [esp+0A8h+var_78]
		xor	esi, esi
		cmp	[eax+0Ch], esi
		jbe	loc_7B5E9F
		xor	edx, edx

loc_8EC5C6:				; CODE XREF: PfpPrefetchRequestPerform+1368E6j
		mov	ecx, [esp+0A8h+var_74]
		xor	eax, eax
		add	ecx, edx
		add	edx, 14h
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		stosd
		or	dword ptr [ecx+10h], 2
		inc	esi
		mov	eax, [esp+0A8h+var_78]
		cmp	esi, [eax+0Ch]
		jb	short loc_8EC5C6
		jmp	loc_7B5E9F
; 

loc_8EC5EB:				; CODE XREF: PfpPrefetchRequestPerform+237j
		xor	dl, dl
		call	_PfpPrefetchFiles@8 ; PfpPrefetchFiles(x,x)
		mov	esi, eax
		mov	ebx, 0C0000240h
		cmp	esi, ebx
		jz	loc_7B6015
		mov	edi, 0C000009Ah
		cmp	esi, edi
		jz	loc_7B6015
		cmp	esi, 0C0000017h
		jz	loc_7B6015
		lea	ecx, [esp+0A8h+var_78]
		call	_PfpCheckPrefetchAbort@4 ; PfpCheckPrefetchAbort(x)
		test	eax, eax
		jz	short loc_8EC62E
		mov	esi, ebx
		jmp	loc_7B6015
; 

loc_8EC62E:				; CODE XREF: PfpPrefetchRequestPerform+136927j
		mov	dl, 1
		lea	ecx, [esp+0A8h+var_78]
		call	_PfpPrefetchFiles@8 ; PfpPrefetchFiles(x,x)
		mov	esi, eax
		cmp	esi, ebx
		jz	loc_7B6015
		jmp	loc_7B5F53
; 

loc_8EC648:				; CODE XREF: PfpPrefetchRequestPerform+273j
		lock dec dword_6FB630
		push	eax
		push	1
		push	eax
		mov	ecx, offset unk_6D4870
		call	PfpScenCtxPrefetchAbortSet
		jmp	loc_7B5F77
; 

loc_8EC662:				; CODE XREF: PfpPrefetchRequestPerform+27Fj
		mov	edx, [esp+0A8h+var_78]
		mov	edi, ebx
		cmp	[edx+0Ch], ebx
		jbe	short loc_8EC691

loc_8EC66D:				; CODE XREF: PfpPrefetchRequestPerform+13698Fj
		mov	ecx, [esp+0A8h+var_74]
		add	ecx, ebx
		test	byte ptr [ecx+10h], 4
		jz	short loc_8EC686
		mov	edx, [esp+0A8h+var_64]
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)
		mov	edx, [esp+0A8h+var_78]

loc_8EC686:				; CODE XREF: PfpPrefetchRequestPerform+136979j
		inc	edi
		add	ebx, 14h
		cmp	edi, [edx+0Ch]
		jb	short loc_8EC66D
		xor	ebx, ebx

loc_8EC691:				; CODE XREF: PfpPrefetchRequestPerform+13696Dj
		push	ebx
		push	[esp+0ACh+var_74]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7B5F83
; END OF FUNCTION CHUNK	FOR PfpPrefetchRequestPerform
; 
; START	OF FUNCTION CHUNK FOR PfpVolumeOpenAndVerify

loc_8EC6A0:				; CODE XREF: PfpVolumeOpenAndVerify+E4j
		push	edi
		push	edi
		push	edi
		push	1336h
		jmp	short loc_8EC6B4
; 

loc_8EC6AA:				; CODE XREF: PfpVolumeOpenAndVerify+19Bj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	138Fh

loc_8EC6B4:				; CODE XREF: PfpVolumeOpenAndVerify+136684j
					; PfpVolumeOpenAndVerify+1366A2j
		push	191h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8EC6BE:				; CODE XREF: PfpVolumeOpenAndVerify+115j
		push	edi
		push	edi
		push	edi
		push	1346h
		jmp	short loc_8EC6B4
; 

loc_8EC6C8:				; CODE XREF: PfpVolumeOpenAndVerify+125j
		mov	esi, 0C00000BBh

loc_8EC6CD:				; CODE XREF: PfpVolumeOpenAndVerify+D8j
					; PfpVolumeOpenAndVerify+109j ...
		mov	edi, [ebp+var_28]
		jmp	loc_7B62EF
; 

loc_8EC6D5:				; CODE XREF: PfpVolumeOpenAndVerify+12Fj
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+var_2C]
		call	_NtGetDevicePowerState@8 ; NtGetDevicePowerState(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8EC6CD
		cmp	[ebp+var_40], edi
		jz	loc_7B6159
		cmp	[ebp+var_40], 1
		jz	loc_7B6159
		mov	esi, 8000000Fh
		jmp	short loc_8EC6CD
; 

loc_8EC701:				; CODE XREF: PfpVolumeOpenAndVerify+16Aj
		cmp	dword ptr [ebx+8], 0
		jz	loc_7B61E8
		jmp	loc_7B6194
; 

loc_8EC710:				; CODE XREF: PfpVolumeOpenAndVerify+1EAj
		mov	esi, 0C000009Ah
		jmp	loc_7B62EF
; 

loc_8EC71A:				; CODE XREF: PfpVolumeOpenAndVerify+1A6j
					; PfpVolumeOpenAndVerify+1B2j ...
		mov	esi, 0C0000059h
		jmp	loc_7B62EF
; 

loc_8EC724:				; CODE XREF: PfpVolumeOpenAndVerify+28Bj
		push	[ebp+var_2C]
		call	NtClose
		jmp	loc_7B62B5
; 

loc_8EC731:				; CODE XREF: PfpVolumeOpenAndVerify+294j
		mov	edx, edi
		lea	ecx, [ebp+var_68]
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)
		jmp	loc_7B62BE
; 

loc_8EC740:				; CODE XREF: PfpVolumeOpenAndVerify+29Ej
		mov	edx, edi
		lea	ecx, [ebp+var_54]
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)
		jmp	loc_7B62C8
; END OF FUNCTION CHUNK	FOR PfpVolumeOpenAndVerify
; 
; START	OF FUNCTION CHUNK FOR PfPrefetchRequestVerifyRanges

loc_8EC74F:				; CODE XREF: PfPrefetchRequestVerifyRanges+19j
		test	edx, edx
		jz	loc_7B6579
		mov	eax, 4E20h
		jmp	loc_7B657B
; 

loc_8EC761:				; CODE XREF: PfPrefetchRequestVerifyRanges+21j
		mov	eax, 5208h
		jmp	loc_7B657B
; 

loc_8EC76B:				; CODE XREF: PfPrefetchRequestVerifyRanges+2Aj
		mov	eax, 55F0h
		jmp	loc_7B657B
; 

loc_8EC775:				; CODE XREF: PfPrefetchRequestVerifyRanges+43j
		mov	eax, 59D8h
		jmp	loc_7B657B
; END OF FUNCTION CHUNK	FOR PfPrefetchRequestVerifyRanges
; 
; START	OF FUNCTION CHUNK FOR PfPrefetchRequestVerify

loc_8EC77F:				; CODE XREF: PfPrefetchRequestVerify+23j
		mov	eax, 3E8h
		jmp	loc_7B6764
; 

loc_8EC789:				; CODE XREF: PfPrefetchRequestVerify+2Cj
		mov	eax, 5DCh
		jmp	loc_7B6764
; 

loc_8EC793:				; CODE XREF: PfPrefetchRequestVerify+37j
		mov	eax, 7D0h
		jmp	loc_7B6764
; 

loc_8EC79D:				; CODE XREF: PfPrefetchRequestVerify+41j
		mov	eax, 9C4h
		jmp	loc_7B6764
; 

loc_8EC7A7:				; CODE XREF: PfPrefetchRequestVerify+50j
		mov	eax, 0BB8h
		jmp	loc_7B6764
; 

loc_8EC7B1:				; CODE XREF: PfPrefetchRequestVerify+5Aj
		mov	eax, 0C80h
		jmp	loc_7B6764
; 

loc_8EC7BB:				; CODE XREF: PfPrefetchRequestVerify+64j
		mov	eax, 0D48h
		jmp	loc_7B6764
; 

loc_8EC7C5:				; CODE XREF: PfPrefetchRequestVerify+6Ej
		mov	eax, 0E10h
		jmp	loc_7B6764
; 

loc_8EC7CF:				; CODE XREF: PfPrefetchRequestVerify+A1j
		mov	eax, 30D4h
		jmp	loc_7B6764
; 

loc_8EC7D9:				; CODE XREF: PfPrefetchRequestVerify+12Bj
		cmp	[ecx+4], edi
		jz	loc_7B66E9
		jmp	loc_7B66D7
; 

loc_8EC7E7:				; CODE XREF: PfPrefetchRequestVerify+110j
		mov	eax, 3A98h
		jmp	loc_7B6764
; 

loc_8EC7F1:				; CODE XREF: PfPrefetchRequestVerify+F0j
		mov	eax, 36B0h
		jmp	loc_7B6764
; 

loc_8EC7FB:				; CODE XREF: PfPrefetchRequestVerify+E7j
		mov	eax, 32C8h
		jmp	loc_7B6764
; END OF FUNCTION CHUNK	FOR PfPrefetchRequestVerify
; 
; START	OF FUNCTION CHUNK FOR PfPrefetchRequestPrepareForVerify

loc_8EC805:				; CODE XREF: PfPrefetchRequestPrepareForVerify+2Fj
		mov	eax, 0FA0h
		jmp	loc_7B69E5
; 

loc_8EC80F:				; CODE XREF: PfPrefetchRequestPrepareForVerify+1FAj
		mov	eax, 1004h
		jmp	loc_7B69E5
; 

loc_8EC819:				; CODE XREF: PfPrefetchRequestPrepareForVerify+37j
		mov	eax, 1068h
		jmp	loc_7B69E5
; 

loc_8EC823:				; CODE XREF: PfPrefetchRequestPrepareForVerify+44j
		mov	eax, 10CCh
		jmp	loc_7B69E5
; 

loc_8EC82D:				; CODE XREF: PfPrefetchRequestPrepareForVerify+4Fj
					; PfPrefetchRequestPrepareForVerify+57j ...
		mov	eax, 1130h
		jmp	loc_7B69E5
; 

loc_8EC837:				; CODE XREF: PfPrefetchRequestPrepareForVerify+8Aj
		mov	eax, 1388h
		jmp	loc_7B69E5
; 

loc_8EC841:				; CODE XREF: PfPrefetchRequestPrepareForVerify+207j
		mov	eax, 13ECh
		jmp	loc_7B69E5
; 

loc_8EC84B:				; CODE XREF: PfPrefetchRequestPrepareForVerify+92j
		mov	eax, 1450h
		jmp	loc_7B69E5
; 

loc_8EC855:				; CODE XREF: PfPrefetchRequestPrepareForVerify+9Fj
		mov	eax, 14B4h
		jmp	loc_7B69E5
; 

loc_8EC85F:				; CODE XREF: PfPrefetchRequestPrepareForVerify+AAj
					; PfPrefetchRequestPrepareForVerify+B2j ...
		mov	eax, 1518h
		jmp	loc_7B69E5
; 

loc_8EC869:				; CODE XREF: PfPrefetchRequestPrepareForVerify+E6j
		mov	eax, 1770h
		jmp	loc_7B69E5
; 

loc_8EC873:				; CODE XREF: PfPrefetchRequestPrepareForVerify+DEj
		test	ecx, ecx
		jz	short loc_8EC89F
		mov	eax, 17D4h
		jmp	loc_7B69E5
; 

loc_8EC881:				; CODE XREF: PfPrefetchRequestPrepareForVerify+EEj
		mov	eax, 1838h
		jmp	loc_7B69E5
; 

loc_8EC88B:				; CODE XREF: PfPrefetchRequestPrepareForVerify+FBj
		mov	eax, 189Ch
		jmp	loc_7B69E5
; 

loc_8EC895:				; CODE XREF: PfPrefetchRequestPrepareForVerify+106j
					; PfPrefetchRequestPrepareForVerify+10Ej ...
		mov	eax, 1900h
		jmp	loc_7B69E5
; 

loc_8EC89F:				; CODE XREF: PfPrefetchRequestPrepareForVerify+13602Dj
		mov	edx, [ebp+arg_0]
		jmp	loc_7B697A
; 

loc_8EC8A7:				; CODE XREF: PfPrefetchRequestPrepareForVerify+1A6j
		mov	eax, 1B58h
		jmp	loc_7B69E5
; 

loc_8EC8B1:				; CODE XREF: PfPrefetchRequestPrepareForVerify+141j
		mov	eax, 1BBCh
		jmp	loc_7B69E5
; 

loc_8EC8BB:				; CODE XREF: PfPrefetchRequestPrepareForVerify+1AEj
		mov	eax, 1C20h
		jmp	loc_7B69E5
; 

loc_8EC8C5:				; CODE XREF: PfPrefetchRequestPrepareForVerify+1C2j
		mov	eax, 1C84h
		jmp	loc_7B69E5
; 

loc_8EC8CF:				; CODE XREF: PfPrefetchRequestPrepareForVerify+15Aj
		mov	eax, 1F40h
		jmp	loc_7B69E5
; 

loc_8EC8D9:				; CODE XREF: PfPrefetchRequestPrepareForVerify+214j
		mov	eax, 1FA4h
		jmp	loc_7B69E5
; 

loc_8EC8E3:				; CODE XREF: PfPrefetchRequestPrepareForVerify+162j
		mov	eax, 2008h
		jmp	loc_7B69E5
; 

loc_8EC8ED:				; CODE XREF: PfPrefetchRequestPrepareForVerify+16Aj
					; PfPrefetchRequestPrepareForVerify+172j ...
		mov	eax, 206Ch
		jmp	loc_7B69E5
; END OF FUNCTION CHUNK	FOR PfPrefetchRequestPrepareForVerify
; 
; START	OF FUNCTION CHUNK FOR SmSetStoreInformation

loc_8EC8F7:				; CODE XREF: SmSetStoreInformation+10j
		mov	eax, 0C0000004h
		jmp	loc_7B6AF1
; 

loc_8EC901:				; CODE XREF: SmSetStoreInformation+2Ej
		mov	eax, 0C000000Dh
		jmp	loc_7B6AF1
; 

loc_8EC90B:				; CODE XREF: SmSetStoreInformation+53j
		jz	loc_8EC99C
		sub	eax, 3
		jz	short loc_8EC986
		sub	eax, 1
		jz	short loc_8EC970
		sub	eax, 5
		jz	short loc_8EC95A
		sub	eax, 1
		jz	short loc_8EC944
		sub	eax, 1
		jnz	loc_8EC9C8
		push	esi
		push	[ebp+var_24]
		mov	edx, [ebp+var_28]
		mov	ecx, offset unk_718498
		call	_SmcProcessStoreCreateRequest@16 ; SmcProcessStoreCreateRequest(x,x,x,x)
		jmp	loc_7B6AF1
; 

loc_8EC944:				; CODE XREF: SmSetStoreInformation+135EB7j
		push	esi
		push	[ebp+var_24]
		mov	edx, [ebp+var_28]
		mov	ecx, offset unk_718498
		call	_SmcProcessDeleteRequest@16 ; SmcProcessDeleteRequest(x,x,x,x)
		jmp	loc_7B6AF1
; 

loc_8EC95A:				; CODE XREF: SmSetStoreInformation+135EB2j
		push	esi
		push	[ebp+var_24]
		mov	edx, [ebp+var_28]
		mov	ecx, offset unk_718498
		call	_SmcProcessCreateRequest@16 ; SmcProcessCreateRequest(x,x,x,x)
		jmp	loc_7B6AF1
; 

loc_8EC970:				; CODE XREF: SmSetStoreInformation+135EADj
		push	esi
		push	[ebp+var_24]
		mov	edx, [ebp+var_28]
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	_SmProcessDeleteRequest@16 ; SmProcessDeleteRequest(x,x,x,x)
		jmp	loc_7B6AF1
; 

loc_8EC986:				; CODE XREF: SmSetStoreInformation+135EA8j
		push	esi
		push	[ebp+var_24]
		mov	edx, [ebp+var_28]
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	SmProcessCreateRequest
		jmp	loc_7B6AF1
; 

loc_8EC99C:				; CODE XREF: SmSetStoreInformation:loc_8EC90Bj
		push	esi
		push	[ebp+var_24]
		mov	edx, [ebp+var_28]
		mov	ecx, offset unk_718498
		call	_SmcProcessStoreDeleteRequest@16 ; SmcProcessStoreDeleteRequest(x,x,x,x)
		jmp	loc_7B6AF1
; 

loc_8EC9B2:				; CODE XREF: SmSetStoreInformation+73j
		sub	eax, 1
		jnz	short loc_8EC9C8
		push	esi
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_28]
		call	_SmProcessSystemStoreTrimRequest@12 ; SmProcessSystemStoreTrimRequest(x,x,x)
		jmp	loc_7B6AF1
; 

loc_8EC9C8:				; CODE XREF: SmSetStoreInformation+135EBCj
					; SmSetStoreInformation+135F49j
		mov	eax, 0C0000003h
		jmp	loc_7B6AF1
; 

loc_8EC9D2:				; CODE XREF: SmSetStoreInformation+65j
		push	esi
		push	[ebp+var_24]
		mov	edx, [ebp+var_28]
		mov	ecx, offset unk_718498
		call	_SmcProcessResizeRequest@16 ; SmcProcessResizeRequest(x,x,x,x)
		jmp	loc_7B6AF1
; 

loc_8EC9E8:				; CODE XREF: SmSetStoreInformation+5Cj
		push	esi
		push	[ebp+var_24]
		mov	edx, [ebp+var_28]
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	_SmProcessResizeRequest@16 ; SmProcessResizeRequest(x,x,x,x)
		jmp	loc_7B6AF1
; END OF FUNCTION CHUNK	FOR SmSetStoreInformation

;  S U B	R O U T	I N E 


sub_8EC9FE	proc near		; DATA XREF: .text:006A2F94o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EC9FE	endp


;  S U B	R O U T	I N E 


sub_8ECA0C	proc near		; DATA XREF: .text:006A2F98o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-20h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7B6AF1
sub_8ECA0C	endp

; 
; START	OF FUNCTION CHUNK FOR SmProcessStoreMemoryPriorityRequest

loc_8ECA1E:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+2Ej
		mov	esi, 0C0000206h
		jmp	loc_7B6BCD
; 

loc_8ECA28:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+4Cj
		mov	[eax], cl
		jmp	loc_7B6B6A
; 

loc_8ECA2F:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+ADj
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_3C]
		cmp	[eax+80h], ecx
		jz	short loc_8ECA4D
		xor	edi, edi
		inc	edi
		lea	eax, [ebp+var_38]
		push	eax
		push	ecx
		call	KeStackAttachProcess

loc_8ECA4D:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+135F26j
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_40], eax
		push	0
		push	0
		lea	edx, [ebp+var_40]
		mov	ecx, offset unk_718478
		call	_SmpKeyedStoreEntryGet@16 ; SmpKeyedStoreEntryGet(x,x,x,x)
		test	eax, eax
		jnz	short loc_8ECA72
		mov	esi, 0C00000C0h
		jmp	loc_7B6BCD
; 

loc_8ECA72:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+135F4Ej
		movzx	edx, word ptr [eax+8]
		and	edx, 3FFh
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		mov	eax, [eax]
		mov	byte ptr [eax+10F7h], 1
		jmp	loc_7B6BCD
; END OF FUNCTION CHUNK	FOR SmProcessStoreMemoryPriorityRequest

;  S U B	R O U T	I N E 


sub_8ECA94	proc near		; DATA XREF: .text:006A2FB4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8ECA94	endp


;  S U B	R O U T	I N E 


sub_8ECAA2	proc near		; DATA XREF: .text:006A2FB8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-48h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-4Ch]
		jmp	loc_7B6BCD
sub_8ECAA2	endp

; 
; START	OF FUNCTION CHUNK FOR SmProcessStoreMemoryPriorityRequest

loc_8ECAB7:				; CODE XREF: SmProcessStoreMemoryPriorityRequest+B7j
		lea	eax, [ebp+var_38]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		jmp	loc_7B6BD5
; END OF FUNCTION CHUNK	FOR SmProcessStoreMemoryPriorityRequest
; 
; START	OF FUNCTION CHUNK FOR PfpRpCHashDeleteEntries

loc_8ECAC5:				; CODE XREF: PfpRpCHashDeleteEntries+3Aj
		xor	esi, esi
		jmp	loc_7B6D79
; 

loc_8ECACC:				; CODE XREF: PfpRpCHashDeleteEntries+52j
		mov	esi, 0C000009Ah
		jmp	loc_7B6D76
; 

loc_8ECAD6:				; CODE XREF: PfpRpCHashDeleteEntries+148j
		mov	ecx, ebx
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)
		jmp	loc_7B6D5E
; END OF FUNCTION CHUNK	FOR PfpRpCHashDeleteEntries
; 
; START	OF FUNCTION CHUNK FOR PfpPrefetchPrivatePages

loc_8ECAE2:				; CODE XREF: PfpPrefetchPrivatePages+52j
		or	esi, 200h
		jmp	loc_7B6EF4
; 

loc_8ECAED:				; CODE XREF: PfpPrefetchPrivatePages+C4j
		mov	edx, [ebp+var_3C]
		mov	ecx, [ebp+var_2C]
		add	[ebx+50h], edx
		push	esi
		push	edi
		call	MmPrefetchVirtualMemory
		jmp	loc_7B6FEF
; 

loc_8ECB02:				; CODE XREF: PfpPrefetchPrivatePages+F8j
					; PfpPrefetchPrivatePages+10Bj
		mov	[ebp+var_14], 1
		jmp	loc_7B6FF2
; END OF FUNCTION CHUNK	FOR PfpPrefetchPrivatePages
; 
; START	OF FUNCTION CHUNK FOR MmPrefetchVirtualAddresses

loc_8ECB0E:				; CODE XREF: MmPrefetchVirtualAddresses+23j
		mov	eax, edx
		and	al, 6
		cmp	al, 2
		jnz	short loc_8ECB1B
		push	2
		pop	esi
		jmp	short loc_8ECB35
; 

loc_8ECB1B:				; CODE XREF: MmPrefetchVirtualAddresses+135AC8j
		mov	ecx, large fs:124h
		call	_MiGetEffectivePagePriorityThread@4 ; MiGetEffectivePagePriorityThread(x)
		mov	esi, eax
		and	esi, 7
		cmp	esi, 5
		jnb	loc_7B7078

loc_8ECB35:				; CODE XREF: MmPrefetchVirtualAddresses+135ACDj
		or	esi, 40h
		jmp	loc_7B7078
; 

loc_8ECB3D:				; CODE XREF: MmPrefetchVirtualAddresses+3Dj
		test	dl, 1
		jnz	loc_7B708F
		and	esi, 0FFFFFFEFh
		or	esi, 28h
		jmp	loc_7B708F
; END OF FUNCTION CHUNK	FOR MmPrefetchVirtualAddresses
; 
; START	OF FUNCTION CHUNK FOR MmPrefetchVirtualMemory

loc_8ECB51:				; CODE XREF: MmPrefetchVirtualMemory+4Bj
		xor	eax, eax
		inc	eax
		jmp	short loc_8ECBCE
; 

loc_8ECB56:				; CODE XREF: MmPrefetchVirtualMemory+73j
		mov	eax, 0C0000019h
		jmp	loc_7B7176
; 

loc_8ECB60:				; CODE XREF: MmPrefetchVirtualMemory+F9j
		mov	eax, 0C00000EFh
		jmp	loc_7B7176
; 

loc_8ECB6A:				; CODE XREF: MmPrefetchVirtualMemory+11Ej
		mov	eax, ds:_MmSessionObjectType
		lea	ecx, [esp+40h+var_30]
		push	esi
		push	ecx
		push	esi
		push	eax
		push	1
		push	ebx
		mov	[esp+58h+var_30], esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [esp+40h+var_30]
		mov	[esp+40h+var_24], edi
		test	eax, eax
		js	loc_7B7176
		mov	ecx, [edi+10h]
		call	MiLockAndSelectSessionAttachProcess
		mov	[esp+40h+var_2C], eax
		test	eax, eax
		jz	short loc_8ECBBB
		lea	edx, [esp+40h+var_1C]
		mov	ecx, eax
		call	MmAttachSession
		test	eax, eax
		jns	short loc_8ECBC9
		mov	ecx, [esp+40h+var_2C]
		call	ObfDereferenceObject

loc_8ECBBB:				; CODE XREF: MmPrefetchVirtualMemory+135ADBj
		mov	ecx, edi
		call	ObfDereferenceObject
		xor	eax, eax
		jmp	loc_7B7176
; 

loc_8ECBC9:				; CODE XREF: MmPrefetchVirtualMemory+135AEAj
		call	_MiGetSessionVm@0 ; MiGetSessionVm()

loc_8ECBCE:				; CODE XREF: MmPrefetchVirtualMemory+135A8Ej
		mov	edi, [esp+3Ch+var_30]
		jmp	loc_7B7144
; 

loc_8ECBD7:				; CODE XREF: MmPrefetchVirtualMemory+A1j
		lea	edx, [esp+3Ch+var_18]
		mov	ecx, esi
		call	MmDetachSession
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	loc_7B716D
; 

loc_8ECBEE:				; CODE XREF: MmPrefetchVirtualMemory+CFj
		mov	eax, [esp+3Ch+var_20]
		test	eax, eax
		jz	loc_7B7172
		mov	ecx, eax
		call	ObfDereferenceObject
		jmp	loc_7B7172
; END OF FUNCTION CHUNK	FOR MmPrefetchVirtualMemory
; 
; START	OF FUNCTION CHUNK FOR PfpSourceGetPrefetchSupport

loc_8ECC06:				; CODE XREF: PfpSourceGetPrefetchSupport+6Cj
		mov	esi, 0C00000BBh
		jmp	loc_7B735F
; 

loc_8ECC10:				; CODE XREF: PfpSourceGetPrefetchSupport+63j
		push	dword ptr [esi+4] ; char
		lea	eax, [esp+0A4h+var_58]
		push	offset ??_C@_1DC@IFGNMEPF@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@ ; wchar_t *
		push	50h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		lea	eax, [esp+0A0h+var_58]
		push	eax
		lea	eax, [esp+0A4h+var_60]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+0A0h+var_60]
		mov	[esp+0A0h+var_7C], 18h
		mov	[esp+0A0h+var_74], eax
		xor	ecx, ecx
		lea	eax, [esp+0A0h+var_7C]
		mov	[esp+0A0h+var_78], ecx
		push	eax
		push	0F0003h
		lea	eax, [esp+0A8h+var_8C]
		mov	[esp+0A8h+var_70], 200h
		push	eax
		mov	[esp+0ACh+var_6C], ecx
		mov	[esp+0ACh+var_68], ecx
		call	NtOpenSession
		mov	esi, eax
		mov	eax, [esp+0A0h+var_8C]
		test	esi, esi
		js	short loc_8ECC94
		mov	ecx, [esp+0A0h+var_84]
		and	[esp+0A0h+var_80], ebx
		mov	[ecx+4], eax
		jmp	loc_7B7345
; 

loc_8ECC8A:				; CODE XREF: PfpSourceGetPrefetchSupport+13Bj
		push	edi
		call	NtClose
		mov	eax, [esp+0A0h+var_80]

loc_8ECC94:				; CODE XREF: PfpSourceGetPrefetchSupport+135A5Aj
		test	eax, eax
		jz	loc_7B735F
		push	eax
		call	NtClose
		jmp	loc_7B735F
; END OF FUNCTION CHUNK	FOR PfpSourceGetPrefetchSupport
; 
; START	OF FUNCTION CHUNK FOR PfpSourceBuildVaArray

loc_8ECCA7:				; CODE XREF: PfpSourceBuildVaArray+1Aj
		mov	esi, 0C0000225h
		jmp	loc_7B7423
; 

loc_8ECCB1:				; CODE XREF: PfpSourceBuildVaArray+2Cj
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebx+8], esi
		mov	[ebx+4], esi
		jmp	loc_7B73BA
; END OF FUNCTION CHUNK	FOR PfpSourceBuildVaArray
; 
; START	OF FUNCTION CHUNK FOR NtManagePartition

loc_8ECCC3:				; CODE XREF: NtManagePartition+73j
		mov	esi, 0C0000003h
		jmp	loc_7B764E
; 

loc_8ECCCD:				; CODE XREF: NtManagePartition+83j
		mov	esi, 0C00000BBh
		jmp	loc_7B764E
; 

loc_8ECCD7:				; CODE XREF: NtManagePartition+96j
		mov	esi, 0C0000004h
		jmp	loc_7B764E
; 

loc_8ECCE1:				; CODE XREF: NtManagePartition+CDj
					; NtManagePartition+D5j
		mov	byte ptr [edx],	0
		jmp	loc_7B757B
; END OF FUNCTION CHUNK	FOR NtManagePartition
; 

loc_8ECCE9:				; DATA XREF: .text:006A2FD4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B0h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8ECCFA:				; DATA XREF: .text:006A2FD8o
		mov	esi, [ebp-0B0h]
		jmp	short loc_8ECD08
; 

loc_8ECD02:				; DATA XREF: .text:006A2FE4o
		mov	esi, [ebp-0BCh]

loc_8ECD08:				; CODE XREF: PAGE:008ECD00j
		mov	esp, [ebp-18h]
		jmp	loc_7B7647
; 
; START	OF FUNCTION CHUNK FOR NtManagePartition

loc_8ECD10:				; CODE XREF: NtManagePartition+135j
		push	ecx
		lea	ecx, [ebp+var_A8]
		push	ecx
		push	704D7350h
		push	ebx
		mov	edx, ds:_PspPartitionInfoDetails[eax*8]
		mov	ecx, [ebp+var_AC]
		call	_PsReferencePartitionByHandle@24 ; PsReferencePartitionByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7B764E
		mov	[ebp+var_A2], 1
		mov	eax, [ebp+var_A8]
		cmp	eax, [ebp+var_A0]
		jnz	short loc_8ECD63
		mov	esi, 0C000000Dh
		jmp	loc_7B764E
; 

loc_8ECD59:				; CODE XREF: NtManagePartition+142j
		mov	esi, 0C00000F0h
		jmp	loc_7B764E
; 

loc_8ECD63:				; CODE XREF: NtManagePartition+1358ADj
		mov	eax, [ebp+arg_8]
		jmp	loc_7B75E8
; END OF FUNCTION CHUNK	FOR NtManagePartition

;  S U B	R O U T	I N E 


sub_8ECD6B	proc near		; CODE XREF: NtManagePartition:loc_7B75E8j
					; DATA XREF: PAGE:007B76D0o
		push	ebx
		lea	eax, [ebp-9Ch]
		push	eax
		mov	edx, [ebp-0A8h]
		mov	ecx, [ebp-0A0h]
		call	_MmManagePartitionMoveMemory@16	; MmManagePartitionMoveMemory(x,x,x,x)
		jmp	loc_7B7600
sub_8ECD6B	endp


;  S U B	R O U T	I N E 


sub_8ECD89	proc near		; CODE XREF: NtManagePartition:loc_7B75E8j
					; DATA XREF: PAGE:007B76D4o
		mov	eax, [ebp-0A0h]
		mov	eax, [eax]
		push	eax		; int
		push	dword ptr [ebp-84h] ; int
		push	ebx		; int
		lea	eax, [edi+10h]
		push	eax		; void *
		lea	edx, [edi+8]
		mov	ecx, edi
		call	MiCreatePagingFile
		jmp	loc_7B7600
sub_8ECD89	endp


;  S U B	R O U T	I N E 


sub_8ECDAC	proc near		; CODE XREF: NtManagePartition:loc_7B75E8j
					; DATA XREF: PAGE:007B76D8o
		push	ebx
		push	edi
		lea	edx, [ebp-9Ch]
		mov	ecx, [ebp-0A0h]
		call	_MmManagePartitionCombineMemory@16 ; MmManagePartitionCombineMemory(x,x,x,x)
		jmp	loc_7B7600
sub_8ECDAC	endp


;  S U B	R O U T	I N E 


sub_8ECDC4	proc near		; CODE XREF: NtManagePartition:loc_7B75E8j
					; DATA XREF: PAGE:007B76DCo
		push	ebx
		push	edi
		lea	edx, [ebp-9Ch]
		mov	ecx, [ebp-0A0h]
		call	_MmManagePartitionInitialAddMemory@16 ;	MmManagePartitionInitialAddMemory(x,x,x,x)
		jmp	loc_7B7600
sub_8ECDC4	endp


;  S U B	R O U T	I N E 


sub_8ECDDC	proc near		; CODE XREF: NtManagePartition:loc_7B75E8j
					; DATA XREF: PAGE:007B76E4o
		push	ebx
		lea	edx, [ebp-9Ch]
		mov	ecx, [ebp-0A0h]
		call	_MmManagePartitionSetAttributes@12 ; MmManagePartitionSetAttributes(x,x,x)
		jmp	loc_7B7600
sub_8ECDDC	endp


;  S U B	R O U T	I N E 


sub_8ECDF3	proc near		; CODE XREF: NtManagePartition:loc_7B75E8j
					; DATA XREF: PAGE:007B76E8o
		push	ebx
		lea	edx, [ebp-9Ch]
		mov	ecx, [ebp-0A0h]
		call	_MmManagePartitionNodeInformation@12 ; MmManagePartitionNodeInformation(x,x,x)
		jmp	loc_7B7600
sub_8ECDF3	endp


;  S U B	R O U T	I N E 


sub_8ECE0A	proc near		; CODE XREF: NtManagePartition:loc_7B75E8j
					; DATA XREF: PAGE:007B76ECo
		push	ebx
		lea	edx, [ebp-9Ch]
		mov	ecx, [ebp-0A0h]
		call	_MmManagePartitionCreateLargePages@12 ;	MmManagePartitionCreateLargePages(x,x,x)
		jmp	loc_7B7600
sub_8ECE0A	endp


;  S U B	R O U T	I N E 


sub_8ECE21	proc near		; DATA XREF: .text:006A2FE0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0BCh], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8ECE21	endp

; 
; START	OF FUNCTION CHUNK FOR sub_7B76AF

loc_8ECE34:				; CODE XREF: sub_7B76AF-46j
		mov	ecx, [ebp-0A8h]
		call	PsDereferencePartition
		jmp	loc_7B766F
; END OF FUNCTION CHUNK	FOR sub_7B76AF
; 
; START	OF FUNCTION CHUNK FOR MmManagePartitionMemoryInformation

loc_8ECE44:				; CODE XREF: MmManagePartitionMemoryInformation+56j
		cmp	ecx, eax
		jb	loc_7B77C4

loc_8ECE4C:				; CODE XREF: MmManagePartitionMemoryInformation+43j
					; MmManagePartitionMemoryInformation+60j
		mov	eax, 0C000000Dh
		jmp	loc_7B798D
; 

loc_8ECE56:				; CODE XREF: MmManagePartitionMemoryInformation+EDj
		mov	[ebx+74h], ecx
		jmp	loc_7B785B
; 

loc_8ECE5E:				; CODE XREF: MmManagePartitionMemoryInformation+F9j
		mov	[ebx+1Ch], eax
		jmp	loc_7B7867
; 

loc_8ECE66:				; CODE XREF: MmManagePartitionMemoryInformation+101j
		mov	[ebx+14h], ecx
		jmp	loc_7B786F
; 

loc_8ECE6E:				; CODE XREF: MmManagePartitionMemoryInformation+6Fj
		xor	eax, eax
		push	8
		pop	ecx
		mov	[ebx+0Ch], eax
		mov	[ebx+10h], eax
		mov	[ebx+14h], eax
		mov	[ebx+18h], eax
		mov	[ebx+1Ch], eax
		mov	[ebx+74h], eax
		mov	[ebx+78h], eax
		rep stosd
		push	8
		mov	edi, edx
		mov	edx, [esp+0B4h+var_A0]
		pop	ecx
		rep stosd
		mov	esi, [ebx+4]
		lea	edi, [esi+1]
		jmp	loc_7B7878
; END OF FUNCTION CHUNK	FOR MmManagePartitionMemoryInformation
; 
; START	OF FUNCTION CHUNK FOR MiGetChannelInformation

loc_8ECEA0:				; CODE XREF: MiGetChannelInformation+6Aj
		xor	eax, eax

loc_8ECEA2:				; CODE XREF: MiGetChannelInformation+1354FAj
		cmp	byte ptr [ecx+eax+201h], 0
		jz	short loc_8ECEB7
		inc	eax
		cmp	eax, 1
		jb	short loc_8ECEA2
		jmp	loc_7B7A2A
; 

loc_8ECEB7:				; CODE XREF: MiGetChannelInformation+1354F4j
		mov	[edi+4], eax
		jmp	loc_7B7A2A
; END OF FUNCTION CHUNK	FOR MiGetChannelInformation
; 
; START	OF FUNCTION CHUNK FOR PfpRpCHashGrow

loc_8ECEBF:				; CODE XREF: PfpRpCHashGrow+5Fj
		mov	ebx, 0C000009Ah
		jmp	loc_7B7BFD
; 

loc_8ECEC9:				; CODE XREF: PfpRpCHashGrow+37j
		mov	eax, large fs:124h
		xor	ebx, ebx
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		jmp	loc_7B7BFD
; END OF FUNCTION CHUNK	FOR PfpRpCHashGrow
; 
; START	OF FUNCTION CHUNK FOR PfSnOperationProcess

loc_8ECEE8:				; CODE XREF: PfSnOperationProcess:loc_7B7D19j
					; PfSnOperationProcess+135240j
		mov	esi, 0C000000Dh
		jmp	loc_7B7DBC
; 

loc_8ECEF2:				; CODE XREF: PfSnOperationProcess+11Ej
		test	al, 3
		jnz	short loc_8ECEE8
		jmp	loc_7B7DD8
; 

loc_8ECEFB:				; CODE XREF: PfSnOperationProcess+B1j
		mov	esi, 0C00000E5h
		jmp	loc_7B7DB0
; 

loc_8ECF05:				; CODE XREF: PfSnOperationProcess+3Aj
					; PfSnOperationProcess+46j ...
		mov	esi, 0C000000Dh
		jmp	loc_7B7DB0
; END OF FUNCTION CHUNK	FOR PfSnOperationProcess
; 
; START	OF FUNCTION CHUNK FOR IopCopyOffloadCapable

loc_8ECF0F:				; CODE XREF: IopCopyOffloadCapable+14j
		push	dword ptr [ecx+4]
		call	_IoGetAttachedDevice@4 ; IoGetAttachedDevice(x)
		jmp	loc_7B803E
; 

loc_8ECF1C:				; CODE XREF: IopCopyOffloadCapable+34j
		test	byte ptr [ebp+var_4], 2
		jnz	loc_7B805E
		mov	eax, 0C000A2A2h
		jmp	loc_7B805E
; END OF FUNCTION CHUNK	FOR IopCopyOffloadCapable
; 
; START	OF FUNCTION CHUNK FOR ObpProcessRemoveObjectQueue

loc_8ECF30:				; CODE XREF: ObpProcessRemoveObjectQueue+70j
		xor	edx, edx
		mov	ecx, offset _ObpRemoveObjectWait
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	locret_7B80DE
; END OF FUNCTION CHUNK	FOR ObpProcessRemoveObjectQueue
; 
; START	OF FUNCTION CHUNK FOR ObpHandleRevocationBlockRemoveObject

loc_8ECF41:				; CODE XREF: ObpHandleRevocationBlockRemoveObject+6j
		push	0
		push	0
		call	_ObpHandleRevocationBlockRemoveInsertedObject@16 ; ObpHandleRevocationBlockRemoveInsertedObject(x,x,x,x)
		retn
; END OF FUNCTION CHUNK	FOR ObpHandleRevocationBlockRemoveObject
; 
; START	OF FUNCTION CHUNK FOR RtlpCheckDynamicTimeZoneInformation

loc_8ECF4B:				; CODE XREF: RtlpCheckDynamicTimeZoneInformation+A8j
		push	2Bh
		pop	ecx
		lea	esi, [ebp+var_E0]
		mov	bl, 1
		rep movsd
		jmp	loc_7B82C6
; END OF FUNCTION CHUNK	FOR RtlpCheckDynamicTimeZoneInformation
; 
; START	OF FUNCTION CHUNK FOR RtlSetActiveTimeBias

loc_8ECF5D:				; CODE XREF: RtlSetActiveTimeBias+22j
		push	38h		; size_t
		lea	eax, [ebp+var_44]
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_40], 124h
		mov	ebx, 40000000h
		mov	[ebp+var_34], 4000000h
		mov	edi, offset ??_C@_1BO@EAFFNCKE@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAT?$AAi?$AAm?$AAe?$AAB?$AAi?$AAa?$AAs@NNGAKEGL@
		push	1
		push	ecx
		push	esi
		push	eax
		mov	ecx, ebx
		mov	[ebp+var_3C], edi
		call	RtlpQueryRegistryValues
		mov	esi, eax
		test	esi, esi
		jns	loc_7B831B

loc_8ECFA9:				; CODE XREF: RtlSetActiveTimeBias+33j
		push	4
		lea	eax, [ebp+var_C]
		push	eax
		push	4
		push	edi
		push	[ebp+var_4]
		push	ebx
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_7B8327
; END OF FUNCTION CHUNK	FOR RtlSetActiveTimeBias
; 
; START	OF FUNCTION CHUNK FOR RtlpGetDynamicTimeZoneInfoHandle

loc_8ECFC2:				; CODE XREF: RtlpGetDynamicTimeZoneInfoHandle+21j
		mov	eax, 0C000000Dh
		jmp	loc_7B83E8
; END OF FUNCTION CHUNK	FOR RtlpGetDynamicTimeZoneInfoHandle
; 
; START	OF FUNCTION CHUNK FOR EtwpFinalizeHeader

loc_8ECFCC:				; CODE XREF: EtwpFinalizeHeader+98j
		mov	eax, 0C0000017h
		jmp	loc_7B8613
; 

loc_8ECFD6:				; CODE XREF: EtwpFinalizeHeader+136j
		mov	eax, ebx
		jmp	loc_7B8538
; 

loc_8ECFDD:				; CODE XREF: EtwpFinalizeHeader+18Fj
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	_EtwpAddLastDroppedEvent@12 ; EtwpAddLastDroppedEvent(x,x,x)
		jmp	loc_7B8591
; 

loc_8ECFEC:				; CODE XREF: EtwpFinalizeHeader+19Aj
		cmp	dword ptr [esi+54h], 0
		jz	loc_7B85AC
		jmp	loc_7B859C
; 

loc_8ECFFB:				; CODE XREF: EtwpFinalizeHeader+1B8j
		push	2		; size_t
		push	ebx		; void *
		mov	edx, edi
		mov	ecx, esi
		call	_EtwpAddBinaryInfoEvents@16 ; EtwpAddBinaryInfoEvents(x,x,x,x)
		jmp	loc_7B85BA
; 

loc_8ED00C:				; CODE XREF: EtwpFinalizeHeader+204j
		mov	eax, [esi+0B0h]
		mov	ecx, esi
		mul	dword ptr [esi+4]
		and	[ebp+var_58], 0
		and	[ebp+var_54], 0
		mov	ebx, eax
		mov	[ebp+var_30], edx
		call	_EtwpQueryMaximumFileSize@4 ; EtwpQueryMaximumFileSize(x)
		mov	ecx, eax
		mov	eax, [ebp+var_30]
		cmp	eax, edx
		ja	loc_7B8606
		jb	short loc_8ED040
		cmp	ebx, ecx
		jnb	loc_7B8606

loc_8ED040:				; CODE XREF: EtwpFinalizeHeader+134C3Aj
		push	14h
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_50]
		push	8
		push	eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_50], ebx
		push	eax
		push	dword ptr [esi+248h]
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		mov	esi, eax
		jmp	loc_7B8609
; END OF FUNCTION CHUNK	FOR EtwpFinalizeHeader
; 
; START	OF FUNCTION CHUNK FOR EtwpAddDebugInfoEvents

loc_8ED064:				; CODE XREF: EtwpAddDebugInfoEvents+2Ej
		lea	edi, [ebp+var_20]
		mov	[ebp+arg_4], edi
		jmp	loc_7B868A
; 

loc_8ED06F:				; CODE XREF: EtwpAddDebugInfoEvents+9Bj
		mov	ecx, [esi+50h]
		xor	eax, eax
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jz	loc_7B8705

loc_8ED07F:				; CODE XREF: EtwpAddDebugInfoEvents+134A3Bj
		cmp	byte ptr [ecx+24h], 0
		jnz	loc_7B86FD
		mov	ecx, [ecx]
		inc	eax
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jnz	short loc_8ED07F
		jmp	loc_7B86FD
; 

loc_8ED098:				; CODE XREF: EtwpAddDebugInfoEvents+A9j
		lea	ecx, [ebp+var_4]
		shl	eax, 5
		push	ecx		; int
		mov	ecx, [ebp+var_C]
		push	ebx		; int
		push	eax		; size_t
		push	0		; void *
		push	edi		; int
		push	44h
		pop	edx
		call	_EtwpAddEventToBuffer@28 ; EtwpAddEventToBuffer(x,x,x,x,x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_8ED0DC
		mov	eax, [esi+50h]
		mov	edx, [ebp+var_8]
		mov	ebx, [ebp+var_14]

loc_8ED0BF:				; CODE XREF: EtwpAddDebugInfoEvents+134A7Bj
		push	8
		lea	esi, [eax+4]
		mov	edi, ebx
		pop	ecx
		add	ebx, 20h
		rep movsd
		mov	eax, [eax]
		sub	edx, 1
		jnz	short loc_8ED0BF
		mov	ebx, [ebp+arg_0]
		sub	ebx, [ebp+var_4]
		mov	esi, [ebp+var_10]

loc_8ED0DC:				; CODE XREF: EtwpAddDebugInfoEvents+134A5Ej
		mov	edx, [ebp+arg_8]
		jmp	loc_7B8705
; END OF FUNCTION CHUNK	FOR EtwpAddDebugInfoEvents
; 
; START	OF FUNCTION CHUNK FOR EtwpCreateLogFile

loc_8ED0E4:				; CODE XREF: EtwpCreateLogFile+66j
		cmp	[ebx+78h], edx
		jz	loc_7B8A86
		jmp	loc_7B885E
; 

loc_8ED0F2:				; CODE XREF: EtwpCreateLogFile+280j
		test	al, 4
		jnz	loc_7B8A78
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7B8A78
; 

loc_8ED106:				; CODE XREF: EtwpCreateLogFile+95j
		mov	byte ptr [ebp+var_31], 1
		jmp	loc_7B888D
; 

loc_8ED10F:				; CODE XREF: EtwpCreateLogFile+214j
		test	al, 4
		jnz	loc_7B8A0C
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7B8A0C
; 

loc_8ED123:				; CODE XREF: EtwpCreateLogFile+138j
		mov	eax, [ebp+var_40]
		mov	[ebx+248h], eax
		jmp	loc_7B8A3A
; 

loc_8ED131:				; CODE XREF: EtwpCreateLogFile+250j
		push	edi
		call	_ZwClose@4	; ZwClose(x)
		cmp	dword ptr [ebx+248h], 0
		jz	loc_7B8947
		cmp	[ebp+var_44], 0
		jz	loc_7B8947
		lea	esi, [ebx+1F0h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebx+64h]
		mov	[ebx+74h], eax
		mov	eax, [ebx+68h]
		mov	[ebx+78h], eax
		mov	eax, [ebp+var_48]
		mov	[ebx+64h], eax
		mov	eax, [ebp+var_44]
		mov	[ebx+68h], eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8ED189
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8ED189:				; CODE XREF: EtwpCreateLogFile+13498Ej
		mov	ecx, esi
		call	KeAbPostRelease
		push	0
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_7B8947
; END OF FUNCTION CHUNK	FOR EtwpCreateLogFile
; 
; START	OF FUNCTION CHUNK FOR EtwpUpdateFileHeader

loc_8ED1A0:				; CODE XREF: EtwpUpdateFileHeader+5Ej
		lea	edi, [ecx+177h]
		not	eax
		and	edi, eax
		mov	[ebp+var_40], edi
		jmp	loc_7B8B00
; 

loc_8ED1B2:				; CODE XREF: EtwpUpdateFileHeader+6Cj
		mov	eax, 0C0000206h
		jmp	loc_7B8B99
; 

loc_8ED1BC:				; CODE XREF: EtwpUpdateFileHeader+8Ej
		mov	eax, 0C0000017h
		jmp	loc_7B8B99
; 

loc_8ED1C6:				; CODE XREF: EtwpUpdateFileHeader+98j
		xor	ecx, ecx
		lea	eax, [ebp+var_50]
		push	ecx
		push	eax
		push	edi
		push	ebx
		lea	eax, [ebp+var_48]
		mov	[ebp+var_50], ecx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	dword ptr [esi+248h]
		mov	[ebp+var_4C], ecx
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7B8B8F
		mov	eax, [ebx+88h]
		mov	[ebp+var_5C], eax
		test	eax, 4000402h
		jz	short loc_8ED211
		xor	eax, eax
		mov	edi, 0C000000Dh
		inc	eax
		mov	[esi+2Ch], eax
		jmp	loc_7B8B8F
; 

loc_8ED211:				; CODE XREF: EtwpUpdateFileHeader+134771j
		cmp	byte ptr [ebx+6Ch], 0Ah
		jnz	loc_8ED3B0
		cmp	byte ptr [ebx+6Dh], 0
		jnz	loc_8ED3B0
		cmp	dword ptr [ebx+94h], 4
		jz	short loc_8ED23F
		mov	edi, 0C000000Dh
		mov	dword ptr [esi+2Ch], 3
		jmp	loc_7B8B8F
; 

loc_8ED23F:				; CODE XREF: EtwpUpdateFileHeader+13479Ej
		mov	eax, [ebp+var_64]
		mov	edx, [ebx+68h]
		dec	eax
		mov	ecx, [ebx+8Ch]
		mov	[ebp+var_54], edx
		mov	[ebp+var_58], ecx
		test	eax, edx
		jz	short loc_8ED260
		mov	edi, 0C0000206h
		jmp	loc_7B8B8F
; 

loc_8ED260:				; CODE XREF: EtwpUpdateFileHeader+1347C6j
		lea	eax, [edx-400h]
		cmp	eax, 0FFFC00h
		ja	loc_8ED39F
		test	byte ptr [esi+258h], 2
		jz	short loc_8ED290
		cmp	[esi+4], edx
		jz	short loc_8ED290
		mov	edi, 0C0000206h
		mov	dword ptr [esi+2Ch], 5
		jmp	loc_7B8B8F
; 

loc_8ED290:				; CODE XREF: EtwpUpdateFileHeader+1347EAj
					; EtwpUpdateFileHeader+1347EFj
		mov	eax, [ebx+78h]
		or	eax, [ebx+7Ch]
		jnz	loc_8ED322
		test	byte ptr [ebp+var_5C], 20h
		jz	short loc_8ED2B3
		mov	edi, 0C000000Dh
		mov	dword ptr [esi+2Ch], 6
		jmp	loc_7B8B8F
; 

loc_8ED2B3:				; CODE XREF: EtwpUpdateFileHeader+134812j
		push	5
		push	18h
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		push	dword ptr [esi+248h]
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_8ED2DC
		mov	dword ptr [esi+2Ch], 7
		jmp	loc_7B8B8F
; 

loc_8ED2DC:				; CODE XREF: EtwpUpdateFileHeader+134840j
		mov	ecx, esi
		call	_EtwpQueryMaximumFileSize@4 ; EtwpQueryMaximumFileSize(x)
		xor	edi, edi
		cmp	edx, edi
		jl	short loc_8ED30C
		jg	short loc_8ED2EF
		cmp	eax, edi
		jbe	short loc_8ED30C

loc_8ED2EF:				; CODE XREF: EtwpUpdateFileHeader+13485Bj
		cmp	[ebp+var_14], edx
		jl	short loc_8ED30C
		jg	short loc_8ED2FB
		cmp	[ebp+var_18], eax
		jb	short loc_8ED30C

loc_8ED2FB:				; CODE XREF: EtwpUpdateFileHeader+134866j
		mov	edi, 0C0000188h
		mov	dword ptr [esi+2Ch], 8
		jmp	loc_7B8B8F
; 

loc_8ED30C:				; CODE XREF: EtwpUpdateFileHeader+134859j
					; EtwpUpdateFileHeader+13485Fj	...
		push	edi
		push	[ebp+var_54]
		push	[ebp+var_14]
		push	[ebp+var_18]
		call	__alldiv
		mov	ecx, eax
		mov	[ebp+var_58], ecx
		jmp	short loc_8ED324
; 

loc_8ED322:				; CODE XREF: EtwpUpdateFileHeader+134808j
		xor	edi, edi

loc_8ED324:				; CODE XREF: EtwpUpdateFileHeader+134892j
		test	ecx, ecx
		jnz	short loc_8ED339
		mov	edi, 0C000000Dh
		mov	dword ptr [esi+2Ch], 9
		jmp	loc_7B8B8F
; 

loc_8ED339:				; CODE XREF: EtwpUpdateFileHeader+134898j
		mov	ecx, esi
		call	EtwpQueryUsedProcessorCount
		cmp	[ebx+74h], eax
		jz	short loc_8ED356
		mov	edi, 0C000000Dh
		mov	dword ptr [esi+2Ch], 0Ah
		jmp	loc_7B8B8F
; 

loc_8ED356:				; CODE XREF: EtwpUpdateFileHeader+1348B5j
		push	edi
		lea	eax, [ebp+var_50]
		mov	[ebx+78h], edi
		push	eax
		mov	eax, [ebp+var_40]
		push	eax
		push	ebx
		lea	eax, [ebp+var_48]
		mov	[ebx+7Ch], edi
		push	eax
		push	edi
		push	edi
		push	edi
		push	dword ptr [esi+248h]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7B8B8F
		mov	eax, [ebp+var_58]
		mov	ecx, [ebp+var_54]
		mov	[esi+0B0h], eax
		mov	[esi+80h], eax
		mov	[esi+4], ecx
		imul	eax, ecx
		jmp	loc_7B8B82
; 

loc_8ED39F:				; CODE XREF: EtwpUpdateFileHeader+1347DDj
		mov	edi, 0C000000Dh
		mov	dword ptr [esi+2Ch], 4
		jmp	loc_7B8B8F
; 

loc_8ED3B0:				; CODE XREF: EtwpUpdateFileHeader+134787j
					; EtwpUpdateFileHeader+134791j
		mov	edi, 0C000000Dh
		mov	dword ptr [esi+2Ch], 2
		jmp	loc_7B8B8F
; END OF FUNCTION CHUNK	FOR EtwpUpdateFileHeader
; 
; START	OF FUNCTION CHUNK FOR EtwpAddLogHeader

loc_8ED3C1:				; CODE XREF: EtwpAddLogHeader+73j
		xor	eax, eax
		lea	edi, [esp+70h+var_20]
		stosd
		stosd
		stosd
		jmp	loc_7B8C51
; 

loc_8ED3CF:				; CODE XREF: EtwpAddLogHeader+110j
					; EtwpAddLogHeader+11Dj ...
		xor	al, al
		mov	cl, 2
		jmp	loc_7B8D0A
; 

loc_8ED3D8:				; CODE XREF: EtwpAddLogHeader+21Ej
		xor	eax, eax
		inc	eax
		jmp	loc_7B8DFC
; 

loc_8ED3E0:				; CODE XREF: EtwpAddLogHeader+35Bj
		mov	edx, [esp+74h+var_68]
		jmp	loc_7B8FDB
; 

loc_8ED3E9:				; CODE XREF: EtwpAddLogHeader+438j
		push	2		; size_t
		push	dword ptr [ebx]	; void *
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpAddBinaryInfoEvents@16 ; EtwpAddBinaryInfoEvents(x,x,x,x)
		jmp	loc_7B9016
; 

loc_8ED3FB:				; CODE XREF: EtwpAddLogHeader+411j
		mov	esi, [esp+74h+var_68]
		jmp	loc_7B9016
; END OF FUNCTION CHUNK	FOR EtwpAddLogHeader
; 
; START	OF FUNCTION CHUNK FOR RtlpGetTimeZoneInfoHandle

loc_8ED404:				; CODE XREF: RtlpGetTimeZoneInfoHandle+75j
		push	edi
		push	esi
		lea	edx, [esp+228h+var_210]
		mov	dword_6CEA5C, 1
		xor	ecx, ecx
		call	RtlpGetRegistryHandle
		cmp	eax, 0C0000034h
		jz	loc_7B937E
		jmp	loc_7B938C
; END OF FUNCTION CHUNK	FOR RtlpGetTimeZoneInfoHandle
; 
; START	OF FUNCTION CHUNK FOR WmipInsertStaticNames

loc_8ED42B:				; CODE XREF: WmipInsertStaticNames+69j
		mov	dword ptr [edi], 38h
		mov	dword ptr [edi+2Ch], 20h
		mov	[edi+30h], ecx
		jmp	loc_7B95C0
; END OF FUNCTION CHUNK	FOR WmipInsertStaticNames
; 
; START	OF FUNCTION CHUNK FOR WmipQueryAllData

loc_8ED440:				; CODE XREF: WmipQueryAllData+FEj
		mov	eax, [ebp+var_C8]
		lea	edi, [esi+18h]
		lea	esi, [ebp+var_E0]
		or	ecx, 100h
		movsd
		and	dword ptr [eax+0Ch], 0
		xor	ebx, ebx
		mov	[eax+2Ch], ecx
		mov	eax, [ebp+var_BC]
		movsd
		movsd
		movsd
		mov	dword ptr [eax], 30h
		jmp	loc_7B99EF
; 

loc_8ED473:				; CODE XREF: WmipQueryAllData+330j
		mov	eax, 0C0000001h
		jmp	loc_7B98F4
; 

loc_8ED47D:				; CODE XREF: WmipQueryAllData+208j
		mov	eax, [ebp+var_CC]
		jmp	loc_7B98F4
; 

loc_8ED488:				; CODE XREF: WmipQueryAllData+224j
		mov	ecx, [ebx]
		jmp	loc_7B9A1E
; 

loc_8ED48F:				; CODE XREF: WmipQueryAllData+33Bj
		push	48h
		pop	ecx
		jmp	loc_7B9A27
; 

loc_8ED497:				; CODE XREF: WmipQueryAllData+25Dj
		mov	byte ptr [ebp+var_92+1], 1
		add	ebx, 30h
		jmp	loc_7B9949
; 

loc_8ED4A6:				; CODE XREF: WmipQueryAllData+294j
					; WmipQueryAllData+29Cj
		mov	byte ptr [ebp+var_92+1], 1
		jmp	loc_7B9996
; 

loc_8ED4B2:				; CODE XREF: WmipQueryAllData+1F3j
					; WmipQueryAllData+210j
		mov	ebx, [ebp+var_98]
		jmp	loc_7B9996
; 

loc_8ED4BD:				; CODE XREF: WmipQueryAllData+14Ej
					; WmipQueryAllData+2E1j
		mov	ebx, [ebp+var_CC]
		jmp	loc_7B99E4
; 

loc_8ED4C8:				; CODE XREF: WmipQueryAllData+303j
		test	edi, edi
		jz	loc_7B99EF
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7B99EF
; END OF FUNCTION CHUNK	FOR WmipQueryAllData
; 
; START	OF FUNCTION CHUNK FOR WmipUnreferenceEntry

loc_8ED4DD:				; CODE XREF: WmipUnreferenceEntry+4Dj
		test	eax, 10000000h
		jz	loc_7B9B6D
		cmp	[ecx+4], esi
		jnz	short loc_8ED4FE
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_8ED4FE
		mov	[eax], ecx
		mov	[ecx+4], eax
		jmp	loc_7B9B6D
; 

loc_8ED4FE:				; CODE XREF: WmipUnreferenceEntry+1339D1j
					; WmipUnreferenceEntry+1339D8j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8ED503:				; CODE XREF: WmipUnreferenceEntry+28j
		push	0
		push	esi
		push	2
		push	14Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8ED513:				; CODE XREF: PiDqOpenUserObjectRegKey+81j
		lea	eax, [ebp-90h]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	edi, [ebp-5Ch]
		lea	eax, [ebp-90h]
		mov	byte ptr [ebp-51h], 1
		jmp	loc_7B9C73
; END OF FUNCTION CHUNK	FOR WmipUnreferenceEntry
; 
; START	OF FUNCTION CHUNK FOR PiDqOpenUserObjectRegKey

loc_8ED544:				; CODE XREF: PiDqOpenUserObjectRegKey+8Cj
		test	ebx, ebx
		jnz	short loc_8ED54E
		lea	ebx, [ebp+var_90]

loc_8ED54E:				; CODE XREF: PiDqOpenUserObjectRegKey+13395Cj
		mov	ebx, [ebx]
		jmp	loc_7B9C87
; 

loc_8ED555:				; CODE XREF: PiDqOpenUserObjectRegKey+94j
		lea	ebx, [ebp+var_90]
		jmp	loc_7B9C84
; 

loc_8ED560:				; CODE XREF: PiDqOpenUserObjectRegKey+ADj
		mov	eax, [ebp+var_64]
		cmp	dword ptr [eax], 2
		jge	loc_7B9CA9
		mov	ebx, [ebp+var_58]
		mov	esi, 0C0000022h
		jmp	loc_7B9D96
; 

loc_8ED579:				; CODE XREF: PiDqOpenUserObjectRegKey+15Bj
		test	eax, eax
		jnz	short loc_8ED581
		xor	ecx, ecx
		jmp	short loc_8ED584
; 

loc_8ED581:				; CODE XREF: PiDqOpenUserObjectRegKey+133991j
		mov	ecx, [eax+74h]

loc_8ED584:				; CODE XREF: PiDqOpenUserObjectRegKey+133995j
		mov	edi, [ebp+var_5C]
		lea	eax, [ebp+var_68]
		mov	edx, [ebp+var_60]
		push	eax
		push	[ebp+var_74]
		push	ecx
		push	0
		push	[ebp+arg_0]
		push	0
		push	edi
		call	__SysCtxRegCreateTree@36 ; _SysCtxRegCreateTree(x,x,x,x,x,x,x,x,x)
		jmp	loc_7B9D71
; 

loc_8ED5A4:				; CODE XREF: PiDqOpenUserObjectRegKey+18Bj
		mov	ecx, [ebp+var_80]
		test	ecx, ecx
		jz	loc_7B9D7B
		mov	eax, [ebp+var_68]
		mov	[ecx], eax
		jmp	loc_7B9D7B
; 

loc_8ED5B9:				; CODE XREF: PiDqOpenUserObjectRegKey+14Cj
		mov	edi, [ebp+var_5C]
		jmp	loc_7B9D7B
; 

loc_8ED5C1:				; CODE XREF: PiDqOpenUserObjectRegKey+197j
		mov	esi, 0C0000034h
		jmp	loc_7B9D87
; 

loc_8ED5CB:				; CODE XREF: PiDqOpenUserObjectRegKey+1D6j
		lea	eax, [ebp+var_90]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_7B9DC6
; 

loc_8ED5DC:				; CODE XREF: PiDqOpenUserObjectRegKey+1E0j
		push	0
		push	[ebp+var_64]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7B9DD0
; END OF FUNCTION CHUNK	FOR PiDqOpenUserObjectRegKey
; 
; START	OF FUNCTION CHUNK FOR PiDqGetRelativeObjectRegPath

loc_8ED5EB:				; CODE XREF: PiDqGetRelativeObjectRegPath+26j
		mov	esi, 0C000009Ah

loc_8ED5F0:				; CODE XREF: PiDqGetRelativeObjectRegPath+4Dj
					; PiDqGetRelativeObjectRegPath+133821j
		mov	eax, [ebx]
		test	eax, eax
		jz	loc_7B9E49
		push	58706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [ebx], 0
		jmp	loc_7B9E49
; 

loc_8ED60D:				; CODE XREF: PiDqGetRelativeObjectRegPath+76j
		sub	esi, 1
		jz	short loc_8ED619
		mov	esi, 0C000000Dh
		jmp	short loc_8ED5F0
; 

loc_8ED619:				; CODE XREF: PiDqGetRelativeObjectRegPath+13381Aj
		push	ecx		; int
		push	400h		; int
		push	eax		; void *
		push	ecx		; int
		push	ecx		; int
		push	60h		; int
		mov	edx, edi
		call	__CmGetDevicePanelRegKeyPath@32	; _CmGetDevicePanelRegKeyPath(x,x,x,x,x,x,x,x)
		jmp	loc_7B9E3F
; 

loc_8ED630:				; CODE XREF: PiDqGetRelativeObjectRegPath+6Dj
		push	ecx
		push	400h
		push	eax
		push	ecx
		push	ecx
		push	40h
		jmp	short loc_8ED648
; 

loc_8ED63D:				; CODE XREF: PiDqGetRelativeObjectRegPath+5Fj
		push	ecx		; int
		push	400h		; int
		push	eax		; void *
		push	ecx		; int
		push	ecx		; int
		push	20h		; int

loc_8ED648:				; CODE XREF: PiDqGetRelativeObjectRegPath+133845j
		mov	edx, edi
		call	_CmGetCommonClassRegKeyPath
		jmp	loc_7B9E3F
; END OF FUNCTION CHUNK	FOR PiDqGetRelativeObjectRegPath
; 
; START	OF FUNCTION CHUNK FOR PnpConcatPWSTR

loc_8ED654:				; CODE XREF: PnpConcatPWSTR+5Fj
		mov	esi, 0C000000Dh
		jmp	loc_7B9F6E
; 

loc_8ED65E:				; CODE XREF: PnpConcatPWSTR+8Dj
		mov	esi, 0C000009Ah

loc_8ED663:				; CODE XREF: PnpConcatPWSTR+BDj
					; PnpConcatPWSTR+CEj
		mov	eax, [edi]
		test	eax, eax
		jz	loc_7B9F6E
		push	[ebp+arg_4]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0
		jmp	loc_7B9F6E
; END OF FUNCTION CHUNK	FOR PnpConcatPWSTR
; 
; START	OF FUNCTION CHUNK FOR _PnpValidateObjectName

loc_8ED67E:				; CODE XREF: _PnpValidateObjectName+44j
		cmp	eax, 0C0000120h
		jz	short loc_8ED68E
		test	eax, eax
		jnz	short loc_8ED6C4
		jmp	loc_7B9FC2
; 

loc_8ED68E:				; CODE XREF: _PnpValidateObjectName+13370Dj
					; _PnpValidateObjectName+133744j
		mov	esi, [ebp+var_30]
		jmp	loc_7B9FDB
; 

loc_8ED696:				; CODE XREF: _PnpValidateObjectName+5Fj
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	1
		push	[ebp+arg_0]
		push	[ebp+var_4]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	loc_7B9FDB
		cmp	eax, 0C0000120h
		jz	short loc_8ED68E
		test	eax, eax
		jz	loc_7B9FDB

loc_8ED6C4:				; CODE XREF: _PnpValidateObjectName+133711j
		mov	esi, 0C00000E5h
		jmp	loc_7B9FDB
; END OF FUNCTION CHUNK	FOR _PnpValidateObjectName
; 
; START	OF FUNCTION CHUNK FOR _PnpDispatchDeviceContainer

loc_8ED6CE:				; CODE XREF: _PnpDispatchDeviceContainer+1Fj
					; DATA XREF: PAGE:007BA106o ...
		mov	eax, 0C0000002h	; case 0x2
		jmp	loc_7BA08E
; 

loc_8ED6D8:				; CODE XREF: _PnpDispatchDeviceContainer+92j
		mov	[ebp+var_8], eax
		lea	esi, [ebp+var_8]
		mov	eax, [ecx+4]
		mov	edx, offset __PnpCmMatchCallbackRoutine@16 ; _PnpCmMatchCallbackRoutine(x,x,x,x)
		mov	[ebp+var_4], eax
		jmp	loc_7BA0DE
; 

loc_8ED6EE:				; CODE XREF: _PnpDispatchDeviceContainer+1Fj
					; DATA XREF: PAGE:007BA112o
		mov	eax, [ebp+arg_10] ; case 0x5
		push	dword ptr [eax+14h]
		push	dword ptr [eax+10h]
		push	dword ptr [eax+0Ch]
		push	ecx
		push	ecx
		call	__CmGetDeviceContainerMappedPropertyKeys@28 ; _CmGetDeviceContainerMappedPropertyKeys(x,x,x,x,x,x,x)
		jmp	loc_7BA08E
; 

loc_8ED706:				; CODE XREF: _PnpDispatchDeviceContainer+1Fj
					; DATA XREF: PAGE:007BA116o
		mov	eax, [ebp+arg_10] ; case 0x6
		push	dword ptr [eax+10h] ; int
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; int
		push	dword ptr [eax+4] ; void *
		push	ecx		; int
		call	__CmGetDeviceContainerMappedPropertyLocales@28 ; _CmGetDeviceContainerMappedPropertyLocales(x,x,x,x,x,x,x)
		jmp	loc_7BA08E
; 

loc_8ED720:				; CODE XREF: _PnpDispatchDeviceContainer+19j
		mov	eax, 0C000000Dh	; default
		jmp	loc_7BA08E
; END OF FUNCTION CHUNK	FOR _PnpDispatchDeviceContainer
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceContainerMappedProperty

loc_8ED72A:				; CODE XREF: _CmGetDeviceContainerMappedProperty+89j
		mov	esi, 0C0000023h
		jmp	loc_7BA142
; 

loc_8ED734:				; CODE XREF: _CmGetDeviceContainerMappedProperty+37j
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceContainer_HasProblem ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7BA142
		push	edi
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	offset _DEVPKEY_Device_HasProblem
		jmp	short loc_8ED795
; 

loc_8ED75D:				; CODE XREF: _CmGetDeviceContainerMappedProperty+40j
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceContainer_IsConnected ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7BA142
		push	edi
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	offset _DEVPKEY_Device_IsConnected
		jmp	short loc_8ED795
; 

loc_8ED786:				; CODE XREF: _CmGetDeviceContainerMappedProperty+5Fj
		push	edi
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	offset _DEVPKEY_Device_IsRebootRequired

loc_8ED795:				; CODE XREF: _CmGetDeviceContainerMappedProperty+133639j
					; _CmGetDeviceContainerMappedProperty+133662j
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	__CmGetContainerBooleanProperty@32 ; _CmGetContainerBooleanProperty(x,x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_7BA142
; END OF FUNCTION CHUNK	FOR _CmGetDeviceContainerMappedProperty
; 
; START	OF FUNCTION CHUNK FOR _CmOpenDeviceContainerRegKey

loc_8ED7A9:				; CODE XREF: _CmOpenDeviceContainerRegKey+6Fj
		cmp	eax, 0C0000120h
		jz	short loc_8ED7C2
		test	eax, eax
		jz	loc_7BA243
		mov	esi, 0C00000E5h
		jmp	loc_7BA275
; 

loc_8ED7C2:				; CODE XREF: _CmOpenDeviceContainerRegKey+1335E2j
					; _CmOpenDeviceContainerRegKey+133623j
		mov	esi, [ebp+var_30]
		jmp	loc_7BA268
; 

loc_8ED7CA:				; CODE XREF: _CmOpenDeviceContainerRegKey+96j
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	0Bh
		push	5
		push	[ebp+var_34]
		push	[ebp+var_38]
		call	edi
		cmp	eax, 0C0000002h
		jz	loc_7BA268
		cmp	eax, 0C0000120h
		jz	short loc_8ED7C2
		test	eax, eax
		jz	loc_7BA268
		mov	esi, 0C00000E5h
		jmp	loc_7BA268
; END OF FUNCTION CHUNK	FOR _CmOpenDeviceContainerRegKey
; 
; START	OF FUNCTION CHUNK FOR _CmOpenDeviceContainerRegKeyWorker

loc_8ED803:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+83j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+28h+var_14]
		xor	edi, edi
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [esp+28h+var_1C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7BA409
		mov	esi, [esp+28h+var_1C]
		jmp	loc_7BA2D3
; 

loc_8ED834:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+5Cj
		mov	esi, 0C0000017h
		jmp	loc_7BA311
; 

loc_8ED83E:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+98j
		mov	[esp+28h+var_1C], edi
		test	ebx, ebx
		jnz	short loc_8ED84A
		xor	ecx, ecx
		jmp	short loc_8ED84D
; 

loc_8ED84A:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+1335BCj
		mov	ecx, [ebx+74h]

loc_8ED84D:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+1335C0j
		lea	eax, [esp+28h+var_18]
		xor	edx, edx
		push	eax
		push	2000000h
		call	__SysCtxRegOpenCurrentUserKey@16 ; _SysCtxRegOpenCurrentUserKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7BA409
		mov	edx, [esp+28h+var_18]
		jmp	loc_7BA3CC
; 

loc_8ED871:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+14Cj
		xor	ecx, ecx
		jmp	loc_7BA3DD
; 

loc_8ED878:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+2Fj
					; _CmOpenDeviceContainerRegKeyWorker+3Cj ...
		mov	esi, 0C000000Dh
		jmp	loc_7BA409
; 

loc_8ED882:				; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+186j
		push	[esp+28h+var_18]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7BA414
; END OF FUNCTION CHUNK	FOR _CmOpenDeviceContainerRegKeyWorker
; 
; START	OF FUNCTION CHUNK FOR WmipIoControl

loc_8ED890:				; CODE XREF: WmipIoControl+28Bj
		sub	eax, 104h
		jz	loc_7BA584
		sub	eax, 1Ch
		jnz	loc_8ED977
		cmp	ebx, 4
		jb	short loc_8ED8B7
		push	4
		mov	dword ptr [edi], 1
		pop	ebx
		jmp	loc_7BA531
; 

loc_8ED8B7:				; CODE XREF: WmipIoControl+1DFj
					; WmipIoControl+294j ...
		mov	esi, 0C0000023h
		jmp	loc_7BA531
; 

loc_8ED8C1:				; CODE XREF: WmipIoControl+119j
		cmp	ebx, 10h
		jb	short loc_8ED8B7
		mov	ecx, edi
		call	_WmipQueryGuidInfo@4 ; WmipQueryGuidInfo(x)
		push	10h
		mov	esi, eax
		pop	ebx
		jmp	loc_7BA51D
; 

loc_8ED8D7:				; CODE XREF: WmipIoControl+80j
		mov	ecx, edi
		call	_WmipProbeWnodeSingleItem@8 ; WmipProbeWnodeSingleItem(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7BA51D
		mov	eax, [esp+0B0h+var_98]
		lea	ecx, [esp+0B0h+var_A0]
		push	ecx
		push	eax
		push	edi
		push	3
		jmp	short loc_8ED904
; 

loc_8ED8F7:				; CODE XREF: WmipIoControl+1334D5j
		mov	eax, [esp+0C0h+var_A8]
		lea	ecx, [esp+0C0h+var_B0]
		push	ecx
		push	eax
		push	edi
		push	2

loc_8ED904:				; CODE XREF: WmipIoControl+133499j
		mov	edx, [esp+24h]
		xor	ecx, ecx
		push	1
		mov	[esp+0D4h+var_B0], eax
		call	WmipQuerySetExecuteSI
		mov	esi, eax
		xor	ebx, ebx
		jmp	loc_7BA51D
; 

loc_8ED91E:				; CODE XREF: WmipIoControl+77j
		push	esi
		push	ebx
		mov	ecx, edi
		call	_WmipProbeWnodeSingleInstance@16 ; WmipProbeWnodeSingleInstance(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7BA51D
		jmp	short loc_8ED8F7
; 

loc_8ED933:				; CODE XREF: WmipIoControl+6Bj
		mov	ecx, [esp+0B0h+var_9C]

loc_8ED937:				; CODE XREF: WmipIoControl:loc_7BA627j
		cmp	ebx, 8
		jb	loc_8ED8B7
		lea	ecx, [esp+0B0h+var_A0]
		mov	edx, edi
		push	ecx
		push	ebx
		mov	ecx, eax
		call	_WmipEnumerateGuids@16 ; WmipEnumerateGuids(x,x,x,x)
		jmp	loc_7BA517
; 

loc_8ED954:				; CODE XREF: WmipIoControl+5Dj
		cmp	edx, 16h
		jz	short loc_8ED963
		mov	esi, 0C0000001h
		jmp	loc_7BA531
; 

loc_8ED963:				; CODE XREF: WmipIoControl+1334FBj
		lea	edx, [esp+0B0h+var_A0]
		mov	ecx, edi
		call	_WmipTranslateFileHandle@8 ; WmipTranslateFileHandle(x,x)
		jmp	loc_7BA517
; 

loc_8ED973:				; CODE XREF: WmipIoControl+89j
		mov	ecx, [esp+0B0h+var_9C]

loc_8ED977:				; CODE XREF: WmipIoControl+227j
					; WmipIoControl+267j ...
		mov	esi, 0C0000010h
		jmp	loc_7BA531
; 

loc_8ED981:				; CODE XREF: WmipIoControl+230j
					; WmipIoControl+239j ...
		mov	esi, 0C0000010h
		jmp	loc_7BA521
; 

loc_8ED98B:				; CODE XREF: WmipIoControl+21Ej
		cmp	ebx, 38h
		jb	short loc_8ED9CB
		lea	esi, [edi+edx]
		lea	eax, [edi+4]
		cmp	eax, esi
		ja	short loc_8ED9CB
		mov	edx, [edi]
		lea	eax, [edx-1]
		cmp	eax, 0FFEh
		ja	short loc_8ED9CB
		imul	eax, edx, 18h
		add	eax, 8
		add	eax, edi
		cmp	eax, esi
		ja	short loc_8ED9CB
		lea	eax, [esp+0B0h+var_A0]
		push	eax
		push	0
		push	0
		push	edx
		push	edi
		push	ebx
		push	edi
		mov	dl, 1
		call	_WmipQuerySingleMultiple@36 ; WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)
		jmp	loc_7BA517
; 

loc_8ED9CB:				; CODE XREF: WmipIoControl+26Fj
					; WmipIoControl+133532j ...
		mov	esi, 0C000000Dh
		jmp	loc_7BA521
; 

loc_8ED9D5:				; CODE XREF: WmipIoControl+215j
		cmp	ebx, 38h
		jb	short loc_8ED9CB
		lea	esi, [edi+edx]
		lea	eax, [edi+4]
		cmp	eax, esi
		ja	short loc_8ED9CB
		mov	edx, [edi]
		lea	eax, [edx-1]
		cmp	eax, 0FFEh
		ja	short loc_8ED9CB
		lea	eax, [edi+8]
		lea	eax, [eax+edx*8]
		cmp	eax, esi
		ja	short loc_8ED9CB
		lea	eax, [esp+0B0h+var_A0]
		xor	edx, edx
		push	eax
		push	edi
		push	ebx
		push	edi
		push	1
		push	ecx
		xor	ecx, ecx
		call	_WmipQueryAllDataMultiple@32 ; WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)
		jmp	loc_7BA517
; END OF FUNCTION CHUNK	FOR WmipIoControl
; 
; START	OF FUNCTION CHUNK FOR WmipOpenBlock

loc_8EDA13:				; CODE XREF: WmipOpenBlock+100j
		mov	esi, 0C00000AFh
		jmp	loc_7BA807
; 

loc_8EDA1D:				; CODE XREF: WmipOpenBlock+13Dj
		push	esi
		push	edi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	esi, 0C000009Ah
		jmp	loc_7BA803
; END OF FUNCTION CHUNK	FOR WmipOpenBlock
; 
; START	OF FUNCTION CHUNK FOR WmipGetGuidSecurityDescriptor

loc_8EDA2E:				; CODE XREF: WmipGetGuidSecurityDescriptor+88j
		push	70696D57h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_7BABC8
		mov	eax, 0C000009Ah
		jmp	loc_7BAC0C
; 

loc_8EDA4F:				; CODE XREF: WmipGetGuidSecurityDescriptor+A8j
		test	edi, edi
		jz	short loc_8EDA5C
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, ebx

loc_8EDA5C:				; CODE XREF: WmipGetGuidSecurityDescriptor+132F17j
		mov	ebx, [ebp+var_6C]
		jmp	loc_7BABC0
; 

loc_8EDA64:				; CODE XREF: WmipGetGuidSecurityDescriptor+B0j
		cmp	[ebp+var_68], ebx
		jz	short loc_8EDA7A
		push	[ebp+var_68]
		lea	eax, [ebp+var_68]
		mov	[ebp+var_4C], eax
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	[ebp+var_48], eax

loc_8EDA7A:				; CODE XREF: WmipGetGuidSecurityDescriptor+132F2Dj
		cmp	[ebp+var_64], ebx
		jz	short loc_8EDA90
		push	[ebp+var_64]
		lea	eax, [ebp+var_64]
		mov	[ebp+var_30], eax
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	[ebp+var_2C], eax

loc_8EDA90:				; CODE XREF: WmipGetGuidSecurityDescriptor+132F43j
		push	1
		push	ecx
		push	ebx
		lea	eax, [ebp+var_60]
		mov	edx, edi
		push	eax
		xor	ecx, ecx
		call	RtlpQueryRegistryValues
		jmp	loc_7BABF0
; 

loc_8EDAA6:				; CODE XREF: WmipGetGuidSecurityDescriptor+C2j
		push	ebx
		push	[ebp+var_64]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7BAC02
; END OF FUNCTION CHUNK	FOR WmipGetGuidSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR RtlpQueryRegistryValues

loc_8EDAB4:				; CODE XREF: RtlpQueryRegistryValues+8Cj
		test	ebx, ebx
		jnz	short loc_8EDAC1
		push	[esp+58h+var_40]
		call	_ZwClose@4	; ZwClose(x)

loc_8EDAC1:				; CODE XREF: RtlpQueryRegistryValues+132D84j
		mov	eax, [esp+58h+var_4C]
		jmp	loc_7BAF69
; 

loc_8EDACA:				; CODE XREF: RtlpQueryRegistryValues+2DCj
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [esp+58h+var_40]
		mov	ecx, [ebx+4]
		mov	[esp+58h+var_44], eax
		jmp	loc_7BAE1B
; 

loc_8EDAE0:				; CODE XREF: RtlpQueryRegistryValues+193j
		lea	eax, [esp+58h+var_28]
		push	eax
		push	[esp+5Ch+var_44]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	loc_7BAECB
; 

loc_8EDAF3:				; CODE XREF: RtlpQueryRegistryValues+2E4j
		push	dword ptr [ebx+0Ch]
		push	[ebp+arg_4]
		push	0
		push	0
		push	0
		push	0
		call	dword ptr [ebx]
		mov	esi, eax
		jmp	loc_7BAECB
; 

loc_8EDB0A:				; CODE XREF: RtlpQueryRegistryValues+36Ej
		lea	eax, [edi+14h]
		mov	[esp+58h+var_24], eax
		mov	ax, [edi+10h]
		mov	word ptr [esp+58h+var_28], ax
		mov	ax, [edi+10h]
		mov	word ptr [esp+58h+var_28+2], ax
		lea	eax, [esp+58h+var_28]
		push	eax
		push	[esp+5Ch+var_44]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		mov	ecx, [esp+58h+var_34]
		test	eax, eax
		js	loc_7BB0AA
		dec	ecx
		jmp	loc_7BB0AA
; 

loc_8EDB43:				; CODE XREF: RtlpQueryRegistryValues+3C0j
		push	5B1h
		push	offset ??_C@_0DN@BGIBODAP@RtlpQueryRegistryValues?3?5Miscom@NNGAKEGL@
		call	_DbgPrint
		pop	ecx
		pop	ecx
		jmp	loc_7BB143
; 

loc_8EDB59:				; CODE XREF: RtlpQueryRegistryValues+3CAj
		test	byte ptr [ebx+4], 4
		jz	loc_7BB102
		mov	esi, 0C0000034h
		jmp	loc_7BAECB
; 

loc_8EDB6D:				; CODE XREF: RtlpQueryRegistryValues+C9j
					; RtlpQueryRegistryValues+D2j ...
		mov	esi, 0C000000Dh
		jmp	loc_7BAF32
; 

loc_8EDB77:				; CODE XREF: RtlpQueryRegistryValues+2A2j
		mov	esi, [esp+58h+var_4C]
		jmp	loc_7BAF32
; 

loc_8EDB80:				; CODE XREF: RtlpQueryRegistryValues+118j
		push	4FCh
		push	offset ??_C@_0DN@BGIBODAP@RtlpQueryRegistryValues?3?5Miscom@NNGAKEGL@
		call	_DbgPrint
		pop	ecx
		pop	ecx
		jmp	loc_7BAF32
; END OF FUNCTION CHUNK	FOR RtlpQueryRegistryValues
; 
; START	OF FUNCTION CHUNK FOR RtlpCallQueryRegistryRoutine

loc_8EDB96:				; CODE XREF: RtlpCallQueryRegistryRoutine+4Dj
		cmp	eax, edx
		jz	loc_7BB2BF
		jmp	loc_7BB19F
; 

loc_8EDBA3:				; CODE XREF: RtlpCallQueryRegistryRoutine+EFj
		lea	ecx, [edi+14h]
		add	ecx, edx
		jmp	loc_7BB248
; 

loc_8EDBAD:				; CODE XREF: RtlpCallQueryRegistryRoutine+1A9j
		test	edi, edi
		jz	loc_7BB3EC
		cmp	[edi], cx
		jz	short loc_8EDBCA

loc_8EDBBA:				; CODE XREF: RtlpCallQueryRegistryRoutine+132A77j
					; RtlpCallQueryRegistryRoutine+132A7Cj
		movzx	eax, word ptr [edx]
		add	edx, 2
		test	ax, ax
		jnz	short loc_8EDBBA
		cmp	[edx], cx
		jnz	short loc_8EDBBA

loc_8EDBCA:				; CODE XREF: RtlpCallQueryRegistryRoutine+132A6Cj
		mov	esi, edx
		sub	esi, edi
		add	esi, 2
		jmp	loc_7BB1B4
; 

loc_8EDBD6:				; CODE XREF: RtlpCallQueryRegistryRoutine+8Aj
		mov	eax, 0C0000024h
		jmp	loc_7BB21F
; 

loc_8EDBE0:				; CODE XREF: RtlpCallQueryRegistryRoutine+260j
		cmp	edx, 1
		jz	short loc_8EDBF3
		cmp	edx, 7
		jz	short loc_8EDBF3
		cmp	edx, 2
		jnz	loc_7BB1DC

loc_8EDBF3:				; CODE XREF: RtlpCallQueryRegistryRoutine+132A97j
					; RtlpCallQueryRegistryRoutine+132A9Cj
		test	cl, 4
		jmp	loc_7BB306
; 

loc_8EDBFB:				; CODE XREF: RtlpCallQueryRegistryRoutine+206j
		cmp	[ebp+arg_10], 0
		jz	short loc_8EDC14
		mov	ecx, [ebp+var_18]
		call	RtlpValidateKeyTrust
		test	eax, eax
		js	loc_7BB21F
		mov	eax, [ebp+arg_4]

loc_8EDC14:				; CODE XREF: RtlpCallQueryRegistryRoutine+132AB3j
		push	dword ptr [ebx+0Ch] ; void *
		xor	ecx, ecx
		mov	edx, edi	; void *
		push	eax		; size_t
		inc	ecx		; int
		call	RtlpQueryRegistryDirect
		add	dword ptr [ebx+0Ch], 8
		jmp	loc_7BB367
; 

loc_8EDC2B:				; CODE XREF: RtlpCallQueryRegistryRoutine+28Bj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jle	short loc_8EDC50
		mov	ecx, [ebp+var_8]
		cmp	eax, 0FFFEh
		ja	short loc_8EDC47
		shr	eax, 1
		xor	edx, edx
		mov	[ecx+eax*2-2], dx
		jmp	short loc_8EDC50
; 

loc_8EDC47:				; CODE XREF: RtlpCallQueryRegistryRoutine+132AEEj
		xor	eax, eax
		mov	[ecx+0FFFCh], ax

loc_8EDC50:				; CODE XREF: RtlpCallQueryRegistryRoutine+132AE4j
					; RtlpCallQueryRegistryRoutine+132AF9j
		mov	eax, 0C000000Dh
		jmp	loc_7BB21F
; END OF FUNCTION CHUNK	FOR RtlpCallQueryRegistryRoutine
; 
; START	OF FUNCTION CHUNK FOR RtlpQueryRegistryDirect

loc_8EDC5A:				; CODE XREF: RtlpQueryRegistryDirect+99j
		mov	eax, 0C0000017h
		jmp	loc_7BB431
; END OF FUNCTION CHUNK	FOR RtlpQueryRegistryDirect
; 
; START	OF FUNCTION CHUNK FOR RtlpGetRegistryHandle

loc_8EDC64:				; CODE XREF: RtlpGetRegistryHandle+37j
		mov	eax, 0C000000Dh
		jmp	loc_7BB626
; 

loc_8EDC6E:				; CODE XREF: RtlpGetRegistryHandle+6Bj
		mov	eax, 0C0000017h
		jmp	loc_7BB626
; END OF FUNCTION CHUNK	FOR RtlpGetRegistryHandle
; 
; START	OF FUNCTION CHUNK FOR RtlpValidateKeyTrust

loc_8EDC78:				; CODE XREF: RtlpValidateKeyTrust+3Bj
		mov	eax, 0C0000022h

loc_8EDC7D:				; CODE XREF: RtlpValidateKeyTrust+2Fj
		cmp	eax, 0C0000189h
		jz	locret_7BB6FD
		push	9
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		leave
		retn
; END OF FUNCTION CHUNK	FOR RtlpValidateKeyTrust
; 
; START	OF FUNCTION CHUNK FOR KGetAppModelStateSeparatedRegKeyPath

loc_8EDC8F:				; CODE XREF: KGetAppModelStateSeparatedRegKeyPath+19j
		mov	esi, 0C000000Dh
		jmp	loc_7BB80C
; 

loc_8EDC99:				; CODE XREF: KGetAppModelStateSeparatedRegKeyPath+86j
		push	4D707041h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7BB80C
; END OF FUNCTION CHUNK	FOR KGetAppModelStateSeparatedRegKeyPath
; 
; START	OF FUNCTION CHUNK FOR RtlGetPersistedStateLocation

loc_8EDCA9:				; CODE XREF: RtlGetPersistedStateLocation+102j
		test	esi, esi
		js	loc_7BB8BE
		push	[ebp+arg_0]
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_C]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	20019h
		lea	eax, [ebp+var_10]
		mov	[ebp+var_30], 18h
		push	eax
		mov	[ebp+var_24], 240h
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_7BB86C
		test	esi, esi
		js	loc_7BB8BE
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_8EDD11
		mov	eax, offset ??_C@_1BK@CIGKBGGO@?$AAT?$AAa?$AAr?$AAg?$AAe?$AAt?$AAN?$AAt?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@ ;	"TargetNtPath"

loc_8EDD11:				; CODE XREF: RtlGetPersistedStateLocation+1324E2j
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ebx, [ebp+arg_14]
		lea	esi, [ebx+10h]
		cmp	esi, ebx
		jnb	short loc_8EDD39
		mov	esi, 0C0000095h
		jmp	loc_8EDDD9
; 

loc_8EDD2F:				; CODE XREF: RtlGetPersistedStateLocation+6Aj
		mov	esi, 0C0000095h
		jmp	loc_7BB8BE
; 

loc_8EDD39:				; CODE XREF: RtlGetPersistedStateLocation+1324FBj
		push	70657373h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_8EDD56
		mov	esi, 0C0000017h
		jmp	loc_8EDDD9
; 

loc_8EDD56:				; CODE XREF: RtlGetPersistedStateLocation+132522j
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		push	edi
		push	2
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_10]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8EDD7D
		cmp	dword ptr [edi+4], 1
		jz	short loc_8EDD85
		mov	esi, 0C0000024h
		jmp	short loc_8EDDD9
; 

loc_8EDD7D:				; CODE XREF: RtlGetPersistedStateLocation+132546j
		cmp	esi, 80000005h
		jnz	short loc_8EDDD9

loc_8EDD85:				; CODE XREF: RtlGetPersistedStateLocation+13254Cj
		mov	ecx, [edi+8]
		lea	edx, [edi+0Ch]
		mov	[ebp+var_8], ecx
		test	esi, esi
		js	short loc_8EDDBF
		mov	eax, ecx
		xor	ebx, ebx
		shr	eax, 1
		cmp	[edx+eax*2-2], bx
		mov	ebx, [ebp+arg_14]
		jz	short loc_8EDDBF
		add	ecx, 2
		mov	[ebp+var_8], ecx
		cmp	ebx, ecx
		jb	short loc_8EDDBA
		shr	ecx, 1
		xor	eax, eax
		mov	[edx+ecx*2-2], ax
		mov	ecx, [ebp+var_8]
		jmp	short loc_8EDDBF
; 

loc_8EDDBA:				; CODE XREF: RtlGetPersistedStateLocation+132582j
		mov	esi, 80000005h

loc_8EDDBF:				; CODE XREF: RtlGetPersistedStateLocation+132568j
					; RtlGetPersistedStateLocation+132578j	...
		mov	eax, [ebp+arg_18]
		test	eax, eax
		jz	short loc_8EDDC8
		mov	[eax], ecx

loc_8EDDC8:				; CODE XREF: RtlGetPersistedStateLocation+13259Cj
		test	esi, esi
		js	short loc_8EDDD9
		push	ecx		; size_t
		push	edx		; void *
		push	[ebp+arg_10]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_8EDDD9:				; CODE XREF: RtlGetPersistedStateLocation+132502j
					; RtlGetPersistedStateLocation+132529j	...
		xor	ebx, ebx
		jmp	loc_7BB8BE
; 

loc_8EDDE0:				; CODE XREF: RtlGetPersistedStateLocation+9Aj
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7BB8C8
; 

loc_8EDDED:				; CODE XREF: RtlGetPersistedStateLocation+A4j
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7BB8D2
; END OF FUNCTION CHUNK	FOR RtlGetPersistedStateLocation
; 
; START	OF FUNCTION CHUNK FOR WmipAddProviderIdToPIList

loc_8EDDFA:				; CODE XREF: WmipAddProviderIdToPIList+2Fj
		push	2
		pop	ecx
		mov	eax, ebx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8EDE28
		mov	ecx, [ebp+var_8]
		push	70696D57h
		shl	ecx, 2
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		jmp	short loc_8EDE2A
; 

loc_8EDE28:				; CODE XREF: WmipAddProviderIdToPIList+132239j
		xor	esi, esi

loc_8EDE2A:				; CODE XREF: WmipAddProviderIdToPIList+132250j
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_10], ecx
		test	esi, esi
		jz	short loc_8EDE51
		mov	eax, ebx
		shl	eax, 2
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_4], esi
		mov	[eax], ecx
		jmp	short loc_8EDE7F
; 

loc_8EDE51:				; CODE XREF: WmipAddProviderIdToPIList+13225Cj
		xor	esi, esi
		mov	edi, offset _WmipISChunkInfo
		test	ebx, ebx
		jz	short loc_8EDE6E

loc_8EDE5C:				; CODE XREF: WmipAddProviderIdToPIList+132296j
		mov	edx, [ecx+esi*4]
		mov	ecx, edi
		call	WmipUnreferenceEntry
		mov	ecx, [ebp+var_4]
		inc	esi
		cmp	esi, ebx
		jb	short loc_8EDE5C

loc_8EDE6E:				; CODE XREF: WmipAddProviderIdToPIList+132284j
		mov	edx, [ebp+arg_8]
		mov	ecx, edi
		call	WmipUnreferenceEntry
		mov	edi, 0C000009Ah
		xor	esi, esi

loc_8EDE7F:				; CODE XREF: WmipAddProviderIdToPIList+132279j
		mov	eax, [ebp+var_C]
		mov	[eax], esi
		mov	eax, [ebp+var_10]
		cmp	eax, [ebp+arg_4]
		jz	short loc_8EDE94
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8EDE94:				; CODE XREF: WmipAddProviderIdToPIList+1322B4j
		test	edi, edi
		js	loc_7BBC16
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+arg_8]
		jmp	loc_7BBC0B
; END OF FUNCTION CHUNK	FOR WmipAddProviderIdToPIList
; 
; START	OF FUNCTION CHUNK FOR WmipReferenceEntry

loc_8EDEAA:				; CODE XREF: WmipReferenceEntry+Cj
		jnz	short loc_8EDEB4
		xor	eax, eax
		push	eax
		push	eax
		push	ecx
		push	eax
		jmp	short loc_8EDEBB
; 

loc_8EDEB4:				; CODE XREF: WmipReferenceEntry:loc_8EDEAAj
		xor	eax, eax
		push	eax
		push	eax
		push	ecx
		push	2

loc_8EDEBB:				; CODE XREF: WmipReferenceEntry+1321F0j
		push	14Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8EDEC6:				; CODE XREF: WmipEnableCollectOrEvent+4Bj
		test	esi, esi
		jnz	loc_7BBD30
		jmp	loc_7BBD27
; END OF FUNCTION CHUNK	FOR WmipReferenceEntry
; 
; START	OF FUNCTION CHUNK FOR WmipProbeAndCaptureGuidObjectAttributes

loc_8EDED3:				; CODE XREF: WmipProbeAndCaptureGuidObjectAttributes+24j
		mov	esi, ecx
		jmp	loc_7BBF5A
; 

loc_8EDEDA:				; CODE XREF: WmipProbeAndCaptureGuidObjectAttributes+4Aj
		mov	ecx, eax
		jmp	loc_7BBF80
; END OF FUNCTION CHUNK	FOR WmipProbeAndCaptureGuidObjectAttributes

;  S U B	R O U T	I N E 


sub_8EDEE1	proc near		; DATA XREF: .text:006A301Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EDEE1	endp


;  S U B	R O U T	I N E 


sub_8EDEEF	proc near		; DATA XREF: .text:006A3020o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-28h]
sub_8EDEEF	endp

; START	OF FUNCTION CHUNK FOR WmipProbeAndCaptureGuidObjectAttributes

loc_8EDEF5:				; CODE XREF: WmipProbeAndCaptureGuidObjectAttributes+CFj
		mov	[ebp+var_1C], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7BBFE6
; END OF FUNCTION CHUNK	FOR WmipProbeAndCaptureGuidObjectAttributes
; 
; START	OF FUNCTION CHUNK FOR EtwpDelayCreate

loc_8EDF04:				; CODE XREF: EtwpDelayCreate+81j
		cmp	[ebp+var_8], 18h
		jnz	loc_7BC0D7
		lea	edi, [ebx+18h]
		movzx	eax, word ptr [edi]
		push	5Ch
		pop	esi
		mov	ecx, eax
		cmp	ax, si
		jz	short loc_8EDF72
		mov	edx, eax

loc_8EDF20:				; CODE XREF: EtwpDelayCreate+131EB6j
		test	dx, dx
		jz	short loc_8EDF77
		add	edi, 2
		movzx	eax, word ptr [edi]
		mov	edx, eax
		mov	ecx, eax
		cmp	ax, si
		jnz	short loc_8EDF20
		jmp	short loc_8EDF72
; 

loc_8EDF36:				; CODE XREF: EtwpDelayCreate+131EF9j
		lea	edi, [edi+2]
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		cmp	ax, si
		jnz	short loc_8EDF72
		xor	eax, eax
		mov	dl, 1
		mov	[edi], ax
		mov	ecx, ebx
		mov	eax, [ebp+arg_0]
		movzx	eax, byte ptr [eax]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	EtwpCreateDirectoryFile
		mov	esi, eax
		test	esi, esi
		js	short loc_8EDF9B
		push	5Ch
		pop	esi
		mov	[edi], si
		mov	ecx, esi

loc_8EDF72:				; CODE XREF: EtwpDelayCreate+131EA0j
					; EtwpDelayCreate+131EB8j ...
		test	cx, cx
		jnz	short loc_8EDF36

loc_8EDF77:				; CODE XREF: EtwpDelayCreate+131EA7j
		mov	edi, [ebp+arg_0]
		xor	dl, dl
		mov	ecx, ebx
		movzx	eax, byte ptr [edi]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	EtwpCreateDirectoryFile
		mov	esi, eax
		jmp	loc_7BC0D7
; 

loc_8EDF9B:				; CODE XREF: EtwpDelayCreate+131EECj
		mov	edi, [ebp+arg_0]
		jmp	loc_7BC0D7
; END OF FUNCTION CHUNK	FOR EtwpDelayCreate
; 
; START	OF FUNCTION CHUNK FOR EtwpCreateDirectoryFile

loc_8EDFA3:				; CODE XREF: EtwpCreateDirectoryFile+21j
		mov	eax, 0C000000Dh
		jmp	loc_7BC1E4
; 

loc_8EDFAD:				; CODE XREF: EtwpCreateDirectoryFile+61j
		push	3
		pop	ecx
		push	21h
		mov	eax, 12019Fh
		pop	edx
		jmp	loc_7BC1A5
; 

loc_8EDFBD:				; CODE XREF: EtwpCreateDirectoryFile+BFj
		test	eax, eax
		jz	loc_7BC1D3
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		jz	loc_7BC1D9
		and	dword ptr [esi], 0
		jmp	loc_7BC1D9
; 

loc_8EDFDB:				; CODE XREF: EtwpCreateDirectoryFile+CEj
		lea	eax, [edi+3FFFFFBDh]
		neg	eax
		sbb	eax, eax
		and	edi, eax
		jmp	loc_7BC1E2
; END OF FUNCTION CHUNK	FOR EtwpCreateDirectoryFile
; 
; START	OF FUNCTION CHUNK FOR EtwpCreateNtFileName

loc_8EDFEC:				; CODE XREF: EtwpCreateNtFileName+37j
		cmp	[esi+2], ax
		jnz	short loc_8EE005
		cmp	word ptr [esi+4], 3Fh
		jnz	short loc_8EE005
		cmp	[esi+6], ax
		jnz	short loc_8EE005
		sub	ecx, 8
		add	esi, 8

loc_8EE005:				; CODE XREF: EtwpCreateNtFileName+2Ej
					; EtwpCreateNtFileName+131E04j	...
		cmp	[esi], ax
		jnz	loc_7BC229
		cmp	[esi+2], ax
		jnz	loc_7BC229
		push	0Eh
		jmp	loc_7BC22B
; 

loc_8EE01F:				; CODE XREF: EtwpCreateNtFileName+5Aj
		mov	eax, 0C0000017h
		jmp	short loc_8EE049
; 

loc_8EE026:				; CODE XREF: EtwpCreateNtFileName+66j
		lea	eax, [esi+2]
		cmp	[eax], cx
		jnz	loc_7BC258
		mov	ecx, offset ??_C@_1BA@OFNNPBJK@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAU?$AAN?$AAC@NNGAKEGL@
		jmp	loc_7BC25F
; 

loc_8EE03C:				; CODE XREF: EtwpCreateNtFileName+86j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C000000Dh

loc_8EE049:				; CODE XREF: EtwpCreateNtFileName+131E38j
		mov	ecx, [ebp+var_4]
		and	dword ptr [ecx], 0
		jmp	loc_7BC27D
; END OF FUNCTION CHUNK	FOR EtwpCreateNtFileName
; 
; START	OF FUNCTION CHUNK FOR WmipSendEnableRequest

loc_8EE054:				; CODE XREF: WmipSendEnableRequest+62j
		test	bl, bl
		mov	edx, esi
		push	ebx
		setz	al
		lea	ecx, ds:5[eax*2]
		call	WmipSendEnableDisableRequest
		mov	[ebp+var_4], eax
		test	bl, bl
		jz	short loc_8EE074
		mov	eax, [esi+38h]
		jmp	short loc_8EE077
; 

loc_8EE074:				; CODE XREF: WmipSendEnableRequest+131DE1j
		mov	eax, [esi+3Ch]

loc_8EE077:				; CODE XREF: WmipSendEnableRequest+131DE6j
		test	eax, eax
		mov	eax, [ebp+var_8]
		jnz	loc_7BC2D8
		jmp	loc_7BC2F4
; 

loc_8EE087:				; CODE XREF: WmipSendEnableRequest+94j
		mov	ecx, esi
		call	_WmipWaitForCollectionEnabled@4	; WmipWaitForCollectionEnabled(x)
		jmp	loc_7BC2B3
; END OF FUNCTION CHUNK	FOR WmipSendEnableRequest
; 
; START	OF FUNCTION CHUNK FOR WmipEnumerateMofResources

loc_8EE093:				; CODE XREF: WmipEnumerateMofResources+9Bj
		mov	[ecx], esi
		push	4
		jmp	short loc_8EE0A2
; 

loc_8EE099:				; CODE XREF: WmipEnumerateMofResources+35j
					; WmipEnumerateMofResources+82j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		push	10h
		mov	[ecx], eax

loc_8EE0A2:				; CODE XREF: WmipEnumerateMofResources+131D63j
		pop	esi
		jmp	loc_7BC46E
; END OF FUNCTION CHUNK	FOR WmipEnumerateMofResources
; 
; START	OF FUNCTION CHUNK FOR NtCancelIoFile

loc_8EE0A8:				; CODE XREF: NtCancelIoFile+34j
		mov	ecx, eax
		jmp	loc_7BC656
; END OF FUNCTION CHUNK	FOR NtCancelIoFile

;  S U B	R O U T	I N E 


sub_8EE0AF	proc near		; DATA XREF: .text:006A303Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EE0AF	endp


;  S U B	R O U T	I N E 


sub_8EE0BD	proc near		; DATA XREF: .text:006A3040o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7BC724
sub_8EE0BD	endp

; 
; START	OF FUNCTION CHUNK FOR NtCancelIoFile

loc_8EE0CF:				; CODE XREF: NtCancelIoFile+C0j
		lea	eax, [ebp+var_2C]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		test	bl, bl
		jnz	loc_7BC6C6
		jmp	loc_7BC6E2
; END OF FUNCTION CHUNK	FOR NtCancelIoFile

;  S U B	R O U T	I N E 


sub_8EE0E9	proc near		; DATA XREF: .text:006A3048o
		xor	eax, eax
		inc	eax
		retn
sub_8EE0E9	endp


;  S U B	R O U T	I N E 


sub_8EE0ED	proc near		; DATA XREF: .text:006A304Co
		mov	esp, [ebp-18h]
		jmp	loc_7BC713
sub_8EE0ED	endp

; 

loc_8EE0F5:				; CODE XREF: PAGE:007BC95Fj
		mov	edx, 20000h
		lea	ecx, [ebp-3Ch]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		jmp	loc_7BC965
; 

loc_8EE107:				; CODE XREF: PAGE:007BC9E4j
		cmp	ds:_HvShutdownComplete,	0
		jz	short loc_8EE127
		test	byte ptr _PopShutdownCleanly, 8
		jz	short loc_8EE127
		push	0
		push	ebx
		push	1
		push	0Eh
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8EE127:				; CODE XREF: PAGE:008EE10Ej
					; PAGE:008EE117j
		mov	esi, 0C0000189h
		jmp	loc_7BCC29
; 

loc_8EE131:				; CODE XREF: PAGE:007BCA31j
		mov	eax, ecx
		jmp	loc_7BCA37
; 

loc_8EE138:				; CODE XREF: PAGE:007BCA72j
		mov	esi, 0C000000Dh
		mov	[ebp-100h], esi
		jmp	loc_7BCC22
; 

loc_8EE148:				; CODE XREF: PAGE:007BCCF2j
		mov	esi, 0C000009Ah
		mov	[ebp-100h], esi
		jmp	loc_7BCC22
; 

loc_8EE158:				; CODE XREF: PAGE:007BCA8Fj
		mov	eax, ecx
		jmp	loc_7BCA95
; 

loc_8EE15F:				; CODE XREF: PAGE:007BCAA8j
		mov	ecx, eax
		jmp	loc_7BCAAE
; 

loc_8EE166:				; CODE XREF: PAGE:007BCAC4j
		mov	ecx, eax
		jmp	loc_7BCACA
; 

loc_8EE16D:				; CODE XREF: PAGE:007BCAF1j
		mov	edx, eax
		jmp	loc_7BCAF7
; 

loc_8EE174:				; CODE XREF: PAGE:007BCB36j
					; PAGE:007BCB3Ej
		mov	byte ptr [ecx],	0
		jmp	loc_7BCB44
; 

loc_8EE17C:				; CODE XREF: PAGE:007BCB4Bj
		mov	esi, 0C000000Dh
		mov	[ebp-100h], esi
		jmp	loc_7BCC22
; 

loc_8EE18C:				; DATA XREF: .text:006A30ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-148h], eax
		mov	eax, 1
		retn
; 

loc_8EE19F:				; DATA XREF: .text:006A30B0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-108h], 0
		xor	eax, eax
		mov	[ebp-10Ch], ax
		mov	esi, [ebp-148h]
		mov	[ebp-100h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, [ebp-14Ch]
		mov	[ebp-0F8h], edx
		mov	eax, [ebp-0FCh]
		mov	ecx, [ebp-150h]
		mov	[ebp-118h], ecx
		mov	ebx, [ebp-154h]
		mov	edi, [ebp-120h]
		jmp	loc_7BCB73
; 

loc_8EE1F7:				; CODE XREF: PAGE:007BCB82j
		test	eax, eax
		jz	loc_7BCB88
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-120h], al
		mov	eax, ds:_CmKeyObjectType
		mov	dword ptr [ebp-128h], 0
		push	0
		lea	ecx, [ebp-128h]
		push	ecx
		push	dword ptr [ebp-120h]
		push	eax
		push	0
		push	dword ptr [ebp-0FCh]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8EE255
		mov	ecx, [ebp-128h]
		mov	eax, [ecx+8]
		mov	[ebp-130h], eax
		call	ObfDereferenceObject

loc_8EE255:				; CODE XREF: PAGE:008EE23Fj
		mov	edx, [ebp-0F8h]
		jmp	loc_7BCB88
; 

loc_8EE260:				; CODE XREF: PAGE:007BCB94j
		mov	esi, 0C000000Dh
		jmp	loc_7BCC29
; 

loc_8EE26A:				; DATA XREF: .text:006A30B8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-158h], eax
		mov	eax, 1
		retn
; 

loc_8EE27D:				; DATA XREF: .text:006A30BCo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-158h]
		cmp	byte ptr [ebp-0F1h], 0
		jz	loc_7BCC22
		push	dword ptr [ebp-12Ch]
		push	dword ptr [ebp-0FCh]
		call	ObCloseHandle
		jmp	loc_7BCC22
; 

loc_8EE2A9:				; CODE XREF: PAGE:007BCC30j
		lea	ecx, [ebp-10Ch]
		push	ecx
		push	dword ptr [ebp-130h]
		push	0
		push	esi
		lea	ecx, [ebp-3Ch]
		push	ecx
		push	0Ah
		call	eax
		jmp	loc_7BCC36
; 

loc_8EE2C6:				; DATA XREF: .text:006A30D4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		mov	eax, large fs:124h
		mov	[ebp-34h], eax
		mov	eax, [ebp-34h]
		mov	al, [eax+15Ah]
		mov	[ebp-19h], al
		mov	cl, [ebp-19h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
; 

loc_8EE2F0:				; DATA XREF: .text:006A30D8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-38h]
		jmp	loc_7BCE6C
; 
; START	OF FUNCTION CHUNK FOR _PnpParseIndirectResourceString

loc_8EE302:				; CODE XREF: _PnpParseIndirectResourceString+6Cj
		cmp	eax, 2Dh
		jz	loc_7BCFB4
		jmp	loc_7BCF78
; 

loc_8EE310:				; CODE XREF: _PnpParseIndirectResourceString+8Dj
		xor	edi, edi
		jmp	loc_7BCFD5
; END OF FUNCTION CHUNK	FOR _PnpParseIndirectResourceString
; 
; START	OF FUNCTION CHUNK FOR RtlUnicodeStringToInteger

loc_8EE317:				; CODE XREF: RtlUnicodeStringToInteger+6Dj
		test	esi, esi
		jnz	loc_7BD0C0
		xor	ecx, ecx
		mov	[ebp+arg_0], ecx
		jmp	loc_7BD0D3
; 

loc_8EE329:				; CODE XREF: RtlUnicodeStringToInteger+5Aj
		or	esi, 0FFFFFFFFh
		jmp	loc_7BD0D3
; 

loc_8EE331:				; CODE XREF: RtlUnicodeStringToInteger+150j
		xor	eax, eax
		jmp	loc_7BD0EA
; 

loc_8EE338:				; CODE XREF: RtlUnicodeStringToInteger+187j
		mov	[ebp+arg_4], 10h
		mov	ebx, 4
		jmp	loc_7BD205
; 

loc_8EE349:				; CODE XREF: RtlUnicodeStringToInteger+190j
		mov	[ebp+arg_4], 8
		mov	ebx, 3
		jmp	loc_7BD205
; 

loc_8EE35A:				; CODE XREF: RtlUnicodeStringToInteger+199j
		mov	[ebp+arg_4], 2
		mov	ebx, 1
		jmp	loc_7BD205
; 

loc_8EE36B:				; CODE XREF: RtlUnicodeStringToInteger+13Cj
		mov	ebx, 3
		jmp	loc_7BD107
; 

loc_8EE375:				; CODE XREF: RtlUnicodeStringToInteger+133j
		mov	ebx, 1
		jmp	loc_7BD107
; 

loc_8EE37F:				; CODE XREF: RtlUnicodeStringToInteger+F3j
		cmp	ax, 66h
		ja	loc_7BD159
		movzx	eax, ax
		sub	eax, 57h
		jmp	loc_7BD11F
; END OF FUNCTION CHUNK	FOR RtlUnicodeStringToInteger

;  S U B	R O U T	I N E 


sub_8EE394	proc near		; DATA XREF: .text:006A3114o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		mov	eax, 1
		retn
sub_8EE394	endp


;  S U B	R O U T	I N E 


sub_8EE3A4	proc near		; DATA XREF: .text:006A3118o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_7BD175
sub_8EE3A4	endp

; 
; START	OF FUNCTION CHUNK FOR SeAppendPrivileges

loc_8EE3B6:				; CODE XREF: SeAppendPrivileges+1Dj
		test	edx, edx
		jz	short loc_8EE3C6
		lea	eax, [edx+edx*2]
		lea	edx, ds:8[eax*4]
		jmp	short loc_8EE3CB
; 

loc_8EE3C6:				; CODE XREF: SeAppendPrivileges+131128j
		mov	edx, 8

loc_8EE3CB:				; CODE XREF: SeAppendPrivileges+131134j
		test	esi, esi
		jnz	short loc_8EE3D3
		xor	eax, eax
		jmp	short loc_8EE3E8
; 

loc_8EE3D3:				; CODE XREF: SeAppendPrivileges+13113Dj
		test	ecx, ecx
		jz	short loc_8EE3E3
		lea	eax, [ecx+ecx*2]
		lea	eax, ds:8[eax*4]
		jmp	short loc_8EE3E8
; 

loc_8EE3E3:				; CODE XREF: SeAppendPrivileges+131145j
		mov	eax, 8

loc_8EE3E8:				; CODE XREF: SeAppendPrivileges+131141j
					; SeAppendPrivileges+131151j
		push	72506553h
		add	eax, edx
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+arg_4], esi
		test	esi, esi
		jnz	short loc_8EE40A
		mov	eax, 0C000009Ah
		jmp	loc_7BD2DD
; 

loc_8EE40A:				; CODE XREF: SeAppendPrivileges+13116Ej
		mov	ecx, [ebx]
		test	ecx, ecx
		jnz	short loc_8EE414
		xor	eax, eax
		jmp	short loc_8EE42B
; 

loc_8EE414:				; CODE XREF: SeAppendPrivileges+13117Ej
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_8EE426
		lea	eax, [eax+eax*2]
		lea	eax, ds:8[eax*4]
		jmp	short loc_8EE42B
; 

loc_8EE426:				; CODE XREF: SeAppendPrivileges+131188j
		mov	eax, 8

loc_8EE42B:				; CODE XREF: SeAppendPrivileges+131182j
					; SeAppendPrivileges+131194j
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, esi
		push	edi
		call	_SepConcatenatePrivileges@12 ; SepConcatenatePrivileges(x,x,x)
		mov	esi, [ebp+arg_0]
		cmp	byte ptr [esi+0Bh], 0
		jz	short loc_8EE451
		mov	eax, [ebx]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8EE451:				; CODE XREF: SeAppendPrivileges+1311B5j
		mov	eax, [ebp+arg_4]
		mov	[ebx], eax
		mov	byte ptr [esi+0Bh], 1
		jmp	loc_7BD2DB
; END OF FUNCTION CHUNK	FOR SeAppendPrivileges
; 

loc_8EE45F:				; CODE XREF: PAGE:007BD384j
		mov	ecx, eax
		jmp	loc_7BD38A
; 

loc_8EE466:				; CODE XREF: PAGE:007BD396j
		mov	ecx, eax
		jmp	loc_7BD39C
; 

loc_8EE46D:				; CODE XREF: PAGE:007BD3AFj
		mov	ecx, eax
		jmp	loc_7BD3B5
; 

loc_8EE474:				; CODE XREF: PAGE:007BD3EEj
		mov	ecx, eax
		jmp	loc_7BD3F4
; 

loc_8EE47B:				; DATA XREF: .text:006A3174o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		mov	eax, 1
		retn
; 

loc_8EE48B:				; DATA XREF: .text:006A3178o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7BD4A9
; 

loc_8EE49D:				; CODE XREF: PAGE:007BD445j
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		lea	eax, [ebp-34h]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp-30h]
		mov	ecx, [ebp-34h]
		jmp	loc_7BD457
; 

loc_8EE4B6:				; DATA XREF: .text:006A3180o
		mov	eax, 1
		retn
; 

loc_8EE4BC:				; DATA XREF: .text:006A3184o
		jmp	short loc_8EE4C4
; 

loc_8EE4BE:				; DATA XREF: .text:006A318Co
		mov	eax, 1
		retn
; 

loc_8EE4C4:				; CODE XREF: PAGE:loc_8EE4BCj
					; DATA XREF: .text:006A3190o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-1Ch]
		jmp	loc_7BD490
; 
; START	OF FUNCTION CHUNK FOR NtExtendSection

loc_8EE4D6:				; CODE XREF: NtExtendSection+25j
		mov	[ebp+ms_exc.disabled], ecx
		mov	ebx, [ebp+arg_4]
		test	bl, 3
		jz	short loc_8EE4E6
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_8EE4E6:				; CODE XREF: NtExtendSection+130FC7j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_8EE4F1
		mov	[eax], cl

loc_8EE4F1:				; CODE XREF: NtExtendSection+130FD5j
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+4]
		mov	[ebx+4], al
		mov	eax, [ebx]
		mov	[ebp+var_2C], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_28], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7BD551
; END OF FUNCTION CHUNK	FOR NtExtendSection

;  S U B	R O U T	I N E 


sub_8EE512	proc near		; DATA XREF: .text:006A31CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EE512	endp


;  S U B	R O U T	I N E 


sub_8EE520	proc near		; DATA XREF: .text:006A31D0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7BD5A4
sub_8EE520	endp


;  S U B	R O U T	I N E 


sub_8EE532	proc near		; DATA XREF: .text:006A31D8o
		xor	eax, eax
		inc	eax
		retn
sub_8EE532	endp


;  S U B	R O U T	I N E 


sub_8EE536	proc near		; DATA XREF: .text:006A31DCo
		mov	esp, [ebp-18h]
		jmp	loc_7BD59A
sub_8EE536	endp

; 
; START	OF FUNCTION CHUNK FOR MmExtendSection

loc_8EE53E:				; CODE XREF: MmExtendSection+60j
					; MmExtendSection+6Cj
		mov	eax, 0C0000040h
		jmp	loc_7BD768
; 

loc_8EE548:				; CODE XREF: MmExtendSection+328j
					; MmExtendSection+336j
		mov	[edi], ecx
		mov	ecx, esi
		mov	[edi+4], edx
		lea	edx, [esp+50h+var_1C]
		call	MiUnlockControlAreaSectionExtend
		xor	eax, eax
		jmp	loc_7BD768
; 

loc_8EE55F:				; CODE XREF: MmExtendSection+343j
		mov	edi, 0C0000087h

loc_8EE564:				; CODE XREF: MmExtendSection+368j
		lea	edx, [esp+50h+var_1C]
		mov	ecx, esi
		call	MiUnlockControlAreaSectionExtend
		mov	edx, [esp+50h+var_44]
		mov	ecx, esi
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		mov	eax, edi
		jmp	loc_7BD768
; 

loc_8EE581:				; CODE XREF: MmExtendSection+283j
		test	al, 4
		jnz	loc_7BD83F
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset dword_6CF3C8
		jmp	loc_7BD83F
; 

loc_8EE598:				; CODE XREF: MmExtendSection+1C4j
		cmp	dword ptr [edx+4], 0
		jz	loc_7BD780
		mov	ecx, edx
		call	_MiSubsectionNeedsExtents@4 ; MiSubsectionNeedsExtents(x)
		mov	ecx, [esp+50h+var_44]
		mov	[esp+50h+var_2C], ecx
		jmp	loc_7BD784
; 

loc_8EE5B6:				; CODE XREF: MmExtendSection+1AAj
		call	_MiUpdateActiveSubsection@4 ; MiUpdateActiveSubsection(x)
		mov	ebx, eax
		jmp	loc_7BD766
; 

loc_8EE5C2:				; CODE XREF: MmExtendSection+41j
					; MmExtendSection+4Aj
		mov	eax, 0C0000087h
		jmp	loc_7BD768
; END OF FUNCTION CHUNK	FOR MmExtendSection
; 
; START	OF FUNCTION CHUNK FOR MiExtendSection

loc_8EE5CC:				; CODE XREF: MiExtendSection+2B2j
		mov	edx, [ebp+var_18]
		mov	ecx, edx
		cmp	dword ptr [edx+4], 0
		jz	loc_7BDB82
		call	_MiSubsectionNeedsExtents@4 ; MiSubsectionNeedsExtents(x)
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_18]
		mov	[eax], ecx
		jmp	loc_7BDB82
; 

loc_8EE5ED:				; CODE XREF: MiExtendSection+33Bj
		mov	eax, [ebp+arg_C]
		cmp	dword ptr [eax], 0
		jnz	loc_7BDCB7
		mov	[eax], ecx
		jmp	loc_7BDCB7
; 

loc_8EE600:				; CODE XREF: MiExtendSection+345j
		call	MiDecrementSubsectionViewCount
		mov	ecx, [ebp+var_4]
		jmp	loc_7BDCB7
; 

loc_8EE60D:				; CODE XREF: MiExtendSection+2BFj
		or	[ebp+var_C], 2
		mov	ebx, edi
		push	ecx
		call	_MiRevokeExecuteTail@4 ; MiRevokeExecuteTail(x)
		mov	esi, eax
		mov	[ebp+var_10], esi

loc_8EE61E:				; CODE XREF: MiExtendSection+130CC7j
		test	esi, esi
		js	short loc_8EE648
		mov	ecx, ebx
		call	MiIncrementSubsectionViewCount
		cmp	eax, 1
		jle	short loc_8EE648
		mov	ebx, [ebx+8]
		test	ebx, ebx
		jnz	short loc_8EE61E
		jmp	loc_7BDCF6
; 

loc_8EE63A:				; CODE XREF: MiExtendSection+CDj
		mov	edi, [ebp+var_98]

loc_8EE640:				; CODE XREF: MiExtendSection+30Ej
		mov	esi, 0C000009Ah
		mov	[ebp+var_10], esi

loc_8EE648:				; CODE XREF: MiExtendSection+130CB4j
					; MiExtendSection+130CC0j
		test	edi, edi
		jz	short loc_8EE6B1
		mov	esi, [ebp+var_28]

loc_8EE64F:				; CODE XREF: MiExtendSection+130D40j
		test	dword ptr [esi+1Ch], 40000000h
		mov	ebx, [edi+8]
		jz	short loc_8EE671
		cmp	dword ptr [edi+4], 0
		jz	short loc_8EE6A1
		and	[ebp+arg_0], 0
		lea	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_MiDeleteSubsectionPages@8 ; MiDeleteSubsectionPages(x,x)
		jmp	short loc_8EE6A1
; 

loc_8EE671:				; CODE XREF: MiExtendSection+130CEDj
		test	byte ptr [ebp+var_C], 2
		jz	short loc_8EE687
		test	dword ptr [edi+20h], 3FFFFFFFh
		jz	short loc_8EE687
		mov	ecx, edi
		call	MiDecrementSubsectionViewCount

loc_8EE687:				; CODE XREF: MiExtendSection+130D09j
					; MiExtendSection+130D12j
		cmp	dword ptr [edi+4], 0
		jz	short loc_8EE6A1
		lea	ecx, [edi+44h]
		xor	edx, edx
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)
		push	0
		push	dword ptr [edi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8EE6A1:				; CODE XREF: MiExtendSection+130CF3j
					; MiExtendSection+130D03j ...
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)
		mov	edi, ebx
		test	ebx, ebx
		jnz	short loc_8EE64F
		mov	esi, [ebp+var_10]

loc_8EE6B1:				; CODE XREF: MiExtendSection+130CDEj
		mov	eax, esi
		jmp	loc_7BDBCB
; END OF FUNCTION CHUNK	FOR MiExtendSection
; 
; START	OF FUNCTION CHUNK FOR FsRtlSetFileSize

loc_8EE6B8:				; CODE XREF: FsRtlSetFileSize+4Dj
		mov	eax, 0C000009Ah
		jmp	loc_7BDDE7
; 

loc_8EE6C2:				; CODE XREF: FsRtlSetFileSize+B2j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_7BDDD8
; END OF FUNCTION CHUNK	FOR FsRtlSetFileSize
; 
; START	OF FUNCTION CHUNK FOR CmRmIsKCBVisible

loc_8EE6D6:				; CODE XREF: CmRmIsKCBVisible+Aj
		mov	ecx, eax
		call	CmEqualTrans
		test	al, al
		jnz	loc_7BDE10
		retn
; END OF FUNCTION CHUNK	FOR CmRmIsKCBVisible

;  S U B	R O U T	I N E 


sub_8EE6E6	proc near		; DATA XREF: .text:006A322Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		mov	eax, 1
		retn
sub_8EE6E6	endp


;  S U B	R O U T	I N E 


sub_8EE6F6	proc near		; DATA XREF: .text:006A3230o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7BE4D8
sub_8EE6F6	endp


;  S U B	R O U T	I N E 


sub_8EE708	proc near		; DATA XREF: .text:006A3238o
		mov	eax, 1
		retn
sub_8EE708	endp


;  S U B	R O U T	I N E 


sub_8EE70E	proc near		; DATA XREF: .text:006A323Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp+8]
		jmp	loc_7BE4D8
sub_8EE70E	endp


;  S U B	R O U T	I N E 


sub_8EE720	proc near		; DATA XREF: .text:006A3254o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-23Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EE720	endp


;  S U B	R O U T	I N E 


sub_8EE731	proc near		; DATA XREF: .text:006A3258o
		mov	esp, [ebp-18h]
		cmp	dword ptr [ebp-228h], 0
		jz	short loc_8EE74A
		push	0
		push	dword ptr [ebp-228h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8EE74A:				; CODE XREF: sub_8EE731+Aj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-23Ch]
		jmp	loc_7BE6EA
sub_8EE731	endp

; 
; START	OF FUNCTION CHUNK FOR IopTrackLink

loc_8EE75C:				; CODE XREF: IopTrackLink+B3j
		mov	edi, [ebp+var_22C]
		mov	[ebp+var_228], edi
		jmp	loc_7BE5E7
; 

loc_8EE76D:				; CODE XREF: IopTrackLink+FBj
		cmp	al, 1
		jnz	loc_7BE5F7

loc_8EE775:				; CODE XREF: IopTrackLink+1302ADj
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8EE77C:				; CODE XREF: IopTrackLink+1302ABj
		mov	eax, 0C000000Dh
		jmp	loc_7BE6EA
; 

loc_8EE786:				; CODE XREF: IopTrackLink+118j
		cmp	byte ptr [ebp+arg_C], 0
		jz	short loc_8EE793
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8EE793:				; CODE XREF: IopTrackLink+130294j
		mov	eax, 0C0000095h
		jmp	loc_7BE6EA
; 

loc_8EE79D:				; CODE XREF: IopTrackLink+127j
		cmp	byte ptr [ebp+arg_C], 0
		jz	short loc_8EE77C
		jmp	short loc_8EE775
; 

loc_8EE7A5:				; CODE XREF: IopTrackLink+135j
		cmp	byte ptr [ebp+arg_C], 0
		jz	short loc_8EE7B2
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8EE7B2:				; CODE XREF: IopTrackLink+1302B3j
		mov	eax, 80000005h
		jmp	loc_7BE6EA
; 

loc_8EE7BC:				; CODE XREF: IopTrackLink+17Ej
		cmp	byte ptr [ebp+arg_C], 0
		jz	loc_7BE6EA
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_22C]
		jmp	loc_7BE6EA
; 

loc_8EE7D8:				; CODE XREF: IopTrackLink+1DAj
		push	ebx
		push	10h
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, 10h
		jz	loc_7BE72D
		push	[ebp+var_21C]
		call	_IoGetTransactionParameterBlock@4 ; IoGetTransactionParameterBlock(x)
		test	eax, eax
		jnz	loc_8EED6D
		mov	esi, [ebp+var_220]
		cmp	[edi], ebx
		jz	short loc_8EE818
		push	esi
		call	_IoGetTransactionParameterBlock@4 ; IoGetTransactionParameterBlock(x)
		test	eax, eax
		jnz	loc_8EED6D

loc_8EE818:				; CODE XREF: IopTrackLink+130312j
		push	ecx
		lea	edx, [ebp+var_30]
		mov	ecx, esi
		call	_IopGetVolumeId@12 ; IopGetVolumeId(x,x,x)
		mov	esi, eax
		mov	[ebp+var_218], esi
		test	esi, esi
		js	loc_7BE6D6
		push	ecx
		lea	edx, [ebp+var_84]
		mov	edi, [ebp+var_21C]
		mov	ecx, edi
		call	_IopGetVolumeId@12 ; IopGetVolumeId(x,x,x)
		mov	esi, eax
		mov	[ebp+var_218], esi
		test	esi, esi
		js	loc_7BE6D6
		push	900A0h
		push	ebx
		xor	edx, edx
		mov	ecx, edi
		call	IopGetSetObjectId
		mov	esi, eax
		mov	[ebp+var_218], esi
		test	esi, esi
		js	loc_7BE6D6
		push	10h
		pop	ecx
		lea	esi, [ebp+var_70]
		lea	edi, [ebp+var_104]
		rep movsd
		push	10h
		pop	ecx
		lea	esi, [ebp+var_70]
		lea	edi, [ebp+var_C4]
		rep movsd
		push	10h		; size_t
		lea	eax, [ebp+var_80]
		push	eax		; void *
		lea	eax, [ebp+var_2C]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8EE8B3
		mov	al, [ebp+var_60]
		or	al, 1
		mov	byte ptr [ebp+var_B4], al

loc_8EE8B3:				; CODE XREF: IopTrackLink+1303B0j
		push	90098h
		push	40h
		lea	edx, [ebp+var_C4]
		mov	edi, [ebp+var_220]
		mov	ecx, edi
		call	IopGetSetObjectId
		mov	esi, eax
		mov	[ebp+var_218], esi
		cmp	esi, 0C00000BDh
		jz	short loc_8EE8E5
		cmp	esi, 0C0000035h
		jnz	short loc_8EE925

loc_8EE8E5:				; CODE XREF: IopTrackLink+1303E5j
		push	900C0h
		push	40h
		lea	edx, [ebp+var_104]
		mov	ecx, edi
		call	IopGetSetObjectId
		mov	esi, eax
		mov	[ebp+var_218], esi
		test	esi, esi
		js	loc_8EE9A8
		push	900BCh
		push	30h
		lea	edx, [ebp+var_B4]
		mov	ecx, edi
		call	IopGetSetObjectId
		mov	esi, eax
		mov	[ebp+var_218], esi

loc_8EE925:				; CODE XREF: IopTrackLink+1303EDj
		test	esi, esi
		js	short loc_8EE9A8
		mov	[ebp+var_221], 1
		push	10h		; size_t
		lea	eax, [ebp+var_80]
		push	eax		; void *
		lea	eax, [ebp+var_2C]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_8EE9A0
		push	[ebp+var_228]
		lea	eax, [ebp+var_104]
		push	eax
		lea	edx, [ebp+var_30]
		lea	ecx, [ebp+var_210]
		call	_IopMarshalIds@16 ; IopMarshalIds(x,x,x,x)
		push	10h
		pop	ecx
		lea	esi, [ebp+var_70]
		lea	edi, [ebp+var_280]
		rep movsd
		mov	al, [ebp+var_60]
		and	al, 0FEh
		mov	[ebp+var_270], al
		lea	eax, [ebp+var_210]
		push	eax
		lea	edx, [ebp+var_280]
		lea	ecx, [ebp+var_84]
		call	_IopSendMessageToTrackService@12 ; IopSendMessageToTrackService(x,x,x)
		mov	esi, eax
		mov	[ebp+var_218], esi
		mov	edi, [ebp+var_220]

loc_8EE9A0:				; CODE XREF: IopTrackLink+13044Ej
		test	esi, esi
		jns	loc_7BE6D6

loc_8EE9A8:				; CODE XREF: IopTrackLink+13040Dj
					; IopTrackLink+130431j
		mov	eax, ebx
		cmp	[ebp+var_221], al
		jz	short loc_8EE9E9
		push	10h		; size_t
		lea	eax, [ebp+var_70]
		push	eax		; void *
		lea	eax, [ebp+var_104]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		mov	ecx, edi
		test	eax, eax
		jnz	short loc_8EE9D7
		push	900A0h
		push	ebx
		xor	edx, edx
		jmp	short loc_8EE9E4
; 

loc_8EE9D7:				; CODE XREF: IopTrackLink+1304D5j
		push	900BCh
		push	30h
		lea	edx, [ebp+var_F4]

loc_8EE9E4:				; CODE XREF: IopTrackLink+1304DFj
		call	IopGetSetObjectId

loc_8EE9E9:				; CODE XREF: IopTrackLink+1304BAj
		test	eax, eax
		js	loc_7BE6D6

loc_8EE9F1:				; CODE XREF: IopTrackLink+130666j
		push	90098h
		push	40h
		lea	edx, [ebp+var_70]
		mov	ecx, [ebp+var_21C]
		call	IopGetSetObjectId
		jmp	loc_7BE6D6
; 

loc_8EEA0B:				; CODE XREF: IopTrackLink+1B7j
		call	IopGetSetObjectId
		mov	[ebp+var_218], eax
		test	eax, eax
		js	loc_7BE72D
		push	ebx
		push	10h
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, 10h
		jz	loc_7BE72D
		push	[ebp+var_21C]
		call	_IoGetTransactionParameterBlock@4 ; IoGetTransactionParameterBlock(x)
		test	eax, eax
		jnz	loc_8EED6D
		cmp	[edi], ebx
		jz	short loc_8EEA58
		push	esi
		call	_IoGetTransactionParameterBlock@4 ; IoGetTransactionParameterBlock(x)
		test	eax, eax
		jnz	loc_8EED6D

loc_8EEA58:				; CODE XREF: IopTrackLink+130552j
		push	1400E8h
		push	14h
		lea	edx, [ebp+var_30]
		mov	ecx, esi
		call	IopGetSetObjectId
		jmp	short loc_8EEA73
; 

loc_8EEA6B:				; CODE XREF: IopTrackLink+1307B1j
		push	ecx
		mov	ecx, esi
		call	_IopGetVolumeId@12 ; IopGetVolumeId(x,x,x)

loc_8EEA73:				; CODE XREF: IopTrackLink+130573j
		mov	esi, eax
		mov	[ebp+var_218], esi
		test	esi, esi
		js	loc_7BE6D6
		push	900C0h
		push	40h
		lea	edx, [ebp+var_104]
		mov	ecx, [ebp+var_220]
		call	IopGetSetObjectId
		mov	esi, eax
		mov	[ebp+var_218], esi
		test	esi, esi
		js	loc_7BE6D6
		push	edi
		lea	eax, [ebp+var_104]
		push	eax
		lea	edx, [ebp+var_30]
		lea	ecx, [ebp+var_210]
		call	_IopMarshalIds@16 ; IopMarshalIds(x,x,x,x)
		push	ebx
		push	[ebp+var_214]
		mov	eax, [ebp+var_20C]
		add	eax, 8
		push	eax
		lea	eax, [ebp+var_210]
		push	eax
		mov	edx, [ebp+var_238]
		mov	edi, [ebp+var_21C]
		mov	ecx, edi
		call	IopTrackLink
		mov	esi, eax
		mov	[ebp+var_218], esi
		test	esi, esi
		js	loc_7BE6D6
		push	900A0h
		push	ebx
		xor	edx, edx
		mov	ecx, edi
		call	IopGetSetObjectId
		mov	esi, eax
		mov	[ebp+var_218], esi
		test	esi, esi
		js	loc_7BE6D6

loc_8EEB1B:				; CODE XREF: IopTrackLink+13084Dj
		push	10h
		pop	ecx
		lea	esi, [ebp+var_70]
		lea	edi, [ebp+var_C4]
		rep movsd
		mov	al, [ebp+var_60]
		or	al, 1
		mov	byte ptr [ebp+var_B4], al
		push	900BCh
		push	30h
		lea	edx, [ebp+var_B4]
		mov	ecx, [ebp+var_220]
		call	IopGetSetObjectId
		mov	esi, eax
		mov	[ebp+var_218], esi
		test	esi, esi
		jns	loc_7BE6D6
		jmp	loc_8EE9F1
; 

loc_8EEB61:				; CODE XREF: IopTrackLink+1A0j
		push	ecx
		lea	edx, [ebp+var_84]
		call	_IopGetVolumeId@12 ; IopGetVolumeId(x,x,x)
		mov	esi, eax
		mov	[ebp+var_218], esi
		test	esi, esi
		js	loc_7BE6D6
		push	9009Ch
		push	40h
		lea	edx, [ebp+var_70]
		mov	ecx, [ebp+var_21C]
		call	IopGetSetObjectId
		mov	esi, eax
		mov	[ebp+var_218], esi
		test	esi, esi
		js	loc_7BE6D6
		push	ebx
		push	10h
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, 10h
		jz	loc_7BE72D
		push	[ebp+var_21C]
		call	_IoGetTransactionParameterBlock@4 ; IoGetTransactionParameterBlock(x)
		test	eax, eax
		jnz	loc_8EED6D
		cmp	[edi], ebx
		jz	short loc_8EEBE1
		push	[ebp+var_220]
		call	_IoGetTransactionParameterBlock@4 ; IoGetTransactionParameterBlock(x)
		test	eax, eax
		jnz	loc_8EED6D

loc_8EEBE1:				; CODE XREF: IopTrackLink+1306D6j
		push	10h
		pop	ecx
		lea	esi, [ebp+var_70]
		lea	edi, [ebp+var_280]
		rep movsd
		mov	al, [ebp+var_60]
		and	al, 0FEh
		mov	[ebp+var_270], al
		push	[ebp+var_228]
		lea	edx, [ebp+var_280]
		lea	ecx, [ebp+var_84]
		call	_IopSendMessageToTrackService@12 ; IopSendMessageToTrackService(x,x,x)
		jmp	short loc_8EEC1F
; 

loc_8EEC13:				; CODE XREF: IopTrackLink+130863j
					; IopTrackLink+130871j
		push	edi
		mov	ecx, [ebp+var_21C]
		call	_IopSetRemoteLink@12 ; IopSetRemoteLink(x,x,x)

loc_8EEC1F:				; CODE XREF: IopTrackLink+13071Bj
		mov	esi, eax
		jmp	loc_8EED72
; 

loc_8EEC26:				; CODE XREF: IopTrackLink+198j
		push	9009Ch
		push	40h
		lea	edx, [ebp+var_70]
		call	IopGetSetObjectId
		mov	esi, eax
		mov	[ebp+var_218], esi
		cmp	esi, 0C0000034h
		jz	loc_7BE72D
		test	esi, esi
		js	loc_7BE6D6
		push	ebx
		push	10h
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, 10h
		jz	loc_7BE72D
		push	[ebp+var_21C]
		call	_IoGetTransactionParameterBlock@4 ; IoGetTransactionParameterBlock(x)
		test	eax, eax
		jnz	loc_8EED6D
		mov	esi, [ebp+var_220]
		cmp	[edi], ebx
		jz	loc_8EED48
		push	esi
		call	_IoGetTransactionParameterBlock@4 ; IoGetTransactionParameterBlock(x)
		test	eax, eax
		jnz	loc_8EED6D
		cmp	[edi], ebx
		jz	loc_8EED48
		mov	eax, [esi+4]
		lea	edx, [ebp+var_30]
		test	byte ptr [eax+20h], 10h
		jz	loc_8EEA6B
		push	1400E8h
		push	14h
		mov	ecx, esi
		call	IopGetSetObjectId
		mov	esi, eax
		mov	[ebp+var_218], esi
		test	esi, esi
		js	loc_7BE6D6
		push	900C0h
		push	40h
		lea	edx, [ebp+var_104]
		mov	ecx, [ebp+var_220]
		call	IopGetSetObjectId
		mov	esi, eax
		mov	[ebp+var_218], esi
		test	esi, esi
		js	loc_7BE6D6
		push	edi
		lea	eax, [ebp+var_104]
		push	eax
		lea	edx, [ebp+var_30]
		lea	ecx, [ebp+var_210]
		call	_IopMarshalIds@16 ; IopMarshalIds(x,x,x,x)
		push	ebx
		mov	edi, [ebp+var_214]
		push	edi
		mov	eax, [ebp+var_20C]
		add	eax, 8
		push	eax
		lea	eax, [ebp+var_210]
		push	eax
		mov	edx, [ebp+var_238]
		mov	ecx, [ebp+var_21C]
		call	IopTrackLink
		mov	esi, eax
		mov	[ebp+var_218], esi
		test	esi, esi
		js	loc_7BE6DC
		jmp	loc_8EEB1B
; 

loc_8EED48:				; CODE XREF: IopTrackLink+13078Bj
					; IopTrackLink+1307A1j
		push	[ebp+var_21C]
		call	_IoGetTransactionParameterBlock@4 ; IoGetTransactionParameterBlock(x)
		test	eax, eax
		jnz	short loc_8EED6D
		cmp	[edi], ebx
		jz	loc_8EEC13
		push	esi
		call	_IoGetTransactionParameterBlock@4 ; IoGetTransactionParameterBlock(x)
		test	eax, eax
		jz	loc_8EEC13

loc_8EED6D:				; CODE XREF: IopTrackLink+130304j
					; IopTrackLink+13031Cj	...
		mov	esi, 0C0190059h

loc_8EED72:				; CODE XREF: IopTrackLink+239j
					; IopTrackLink+13072Bj
		mov	[ebp+var_218], esi
		jmp	loc_7BE6D6
; END OF FUNCTION CHUNK	FOR IopTrackLink

;  S U B	R O U T	I N E 


sub_8EED7D	proc near		; DATA XREF: .text:006A3264o
		xor	ebx, ebx
		mov	esi, [ebp-218h]
		mov	edi, [ebp-240h]
		jmp	sub_7BE6FC
sub_8EED7D	endp

; 
; START	OF FUNCTION CHUNK FOR IopGetSetObjectId

loc_8EED90:				; CODE XREF: IopGetSetObjectId+80j
		cmp	edi, 1400E8h
		jz	loc_7BE7BA
		cmp	edi, 900C0h
		jz	loc_7BE7BA
		mov	eax, [ebp+arg_0]
		mov	[ecx-1Ch], eax
		jmp	loc_7BE7C0
; 

loc_8EEDB3:				; CODE XREF: IopGetSetObjectId+A3j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+40h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+30h+var_18]
		jmp	loc_7BE7DD
; END OF FUNCTION CHUNK	FOR IopGetSetObjectId
; 
; START	OF FUNCTION CHUNK FOR MmSecureVirtualMemoryEx

loc_8EEDCC:				; CODE XREF: MmSecureVirtualMemoryEx+F2j
		cmp	esi, 1
		jz	loc_7BE860
		cmp	esi, 80000001h
		jz	loc_7BE860
		jmp	loc_7BE926
; 

loc_8EEDE6:				; CODE XREF: MmSecureVirtualMemoryEx+70j
					; MmSecureVirtualMemoryEx+80j ...
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		jmp	loc_7BE926
; END OF FUNCTION CHUNK	FOR MmSecureVirtualMemoryEx

;  S U B	R O U T	I N E 


sub_8EEDF2	proc near		; DATA XREF: .text:006A327Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		mov	eax, 1
		retn
sub_8EEDF2	endp


;  S U B	R O U T	I N E 


sub_8EEE02	proc near		; DATA XREF: .text:006A3280o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7BEA48
sub_8EEE02	endp


;  S U B	R O U T	I N E 


sub_8EEE14	proc near		; DATA XREF: .text:006A3288o
		mov	eax, 1
		retn
sub_8EEE14	endp


;  S U B	R O U T	I N E 


sub_8EEE1A	proc near		; DATA XREF: .text:006A328Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp+8]
		jmp	loc_7BEA48
sub_8EEE1A	endp


;  S U B	R O U T	I N E 


sub_8EEE2C	proc near		; DATA XREF: .text:006A32A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8EEE2C	endp


;  S U B	R O U T	I N E 


sub_8EEE3C	proc near		; DATA XREF: .text:006A32A8o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-28h]
		mov	[ebp-1Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7BEAF1
sub_8EEE3C	endp

; 
; START	OF FUNCTION CHUNK FOR PsSwapImpersonationToken

loc_8EEE51:				; CODE XREF: PsSwapImpersonationToken+24j
		mov	eax, 0C000007Ch
		jmp	loc_7BECAD
; 

loc_8EEE5B:				; CODE XREF: PsSwapImpersonationToken+49j
		mov	edi, 0C000007Ch
		jmp	loc_7BEC8F
; END OF FUNCTION CHUNK	FOR PsSwapImpersonationToken
; 
; START	OF FUNCTION CHUNK FOR NtQuerySystemEnvironmentValueEx

loc_8EEE65:				; CODE XREF: NtQuerySystemEnvironmentValueEx+52j
		mov	ecx, ebx
		call	_ExpUnicodeStringToNonpagedWStr@4 ; ExpUnicodeStringToNonpagedWStr(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_8EEE7C
		mov	esi, 0C000009Ah
		jmp	loc_7BEE1B
; 

loc_8EEE7C:				; CODE XREF: NtQuerySystemEnvironmentValueEx+1300B2j
		push	0
		push	esi
		mov	ecx, [ebp+var_40]
		push	ecx
		push	[ebp+var_3C]
		mov	edx, [ebp+var_38]
		mov	ecx, edi
		call	_ExpGetFirmwareEnvironmentVariable@24 ;	ExpGetFirmwareEnvironmentVariable(x,x,x,x,x,x)
		mov	esi, eax
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7BEE1B
; 

loc_8EEE9F:				; CODE XREF: NtQuerySystemEnvironmentValueEx+B3j
		xor	ecx, ecx
		inc	ecx
		call	_ExpFirmwareAccessAppContainerCheck@4 ;	ExpFirmwareAccessAppContainerCheck(x)
		jmp	loc_7BEE7A
; 

loc_8EEEAC:				; CODE XREF: NtQuerySystemEnvironmentValueEx+92j
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, ebx
		test	bl, 3
		jnz	loc_8EEFA9
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_8EEEC6
		mov	ecx, eax

loc_8EEEC6:				; CODE XREF: NtQuerySystemEnvironmentValueEx+130104j
		nop
		mov	al, [ecx]
		mov	ecx, [ebx]
		mov	[ebp+var_5C], ecx
		mov	eax, [ebx+4]
		mov	[ebp+var_58], eax
		test	cx, cx
		jnz	short loc_8EEEEA
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000005h
		jmp	loc_7BEE1D
; 

loc_8EEEEA:				; CODE XREF: NtQuerySystemEnvironmentValueEx+130119j
		test	al, 1
		jnz	loc_8EEFA9
		movzx	ebx, cx
		lea	edx, [ebx+eax]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_8EEF06
		cmp	edx, eax
		jnb	short loc_8EEF09

loc_8EEF06:				; CODE XREF: NtQuerySystemEnvironmentValueEx+130142j
		mov	byte ptr [ecx],	0

loc_8EEF09:				; CODE XREF: NtQuerySystemEnvironmentValueEx+130146j
		mov	edx, [ebp+var_38]
		mov	ecx, edx
		test	dl, 3
		jnz	loc_8EEFA9
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_8EEF22
		mov	ecx, eax

loc_8EEF22:				; CODE XREF: NtQuerySystemEnvironmentValueEx+130160j
		nop
		mov	al, [ecx]
		mov	edi, [ebp+var_40]
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jb	short loc_8EEF35
		mov	ecx, eax

loc_8EEF35:				; CODE XREF: NtQuerySystemEnvironmentValueEx+130173j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [edi]
		mov	[ebp+var_34], eax
		mov	ecx, eax
		mov	edi, [ebp+var_3C]
		test	edi, edi
		jnz	short loc_8EEF4E
		xor	eax, eax
		mov	[ebp+var_34], eax
		xor	ecx, ecx

loc_8EEF4E:				; CODE XREF: NtQuerySystemEnvironmentValueEx+130187j
		test	ecx, ecx
		jz	short loc_8EEF5E
		push	1
		push	eax
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	edx, [ebp+var_38]

loc_8EEF5E:				; CODE XREF: NtQuerySystemEnvironmentValueEx+130192j
		test	esi, esi
		jz	short loc_8EEF73
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_8EEF6F
		mov	ecx, eax

loc_8EEF6F:				; CODE XREF: NtQuerySystemEnvironmentValueEx+1301ADj
		mov	eax, [ecx]
		mov	[ecx], eax

loc_8EEF73:				; CODE XREF: NtQuerySystemEnvironmentValueEx+1301A2j
		mov	esi, edx
		lea	edi, [ebp+var_2C]
		movsd
		movsd
		movsd
		movsd
		push	72766E45h
		lea	eax, [ebx+2]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_44], esi
		test	esi, esi
		jnz	short loc_8EEFAE
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000009Ah
		jmp	loc_7BEE1D
; 

loc_8EEFA9:				; CODE XREF: NtQuerySystemEnvironmentValueEx+1300F7j
					; NtQuerySystemEnvironmentValueEx+13012Ej ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_8EEFAE:				; CODE XREF: NtQuerySystemEnvironmentValueEx+1301D8j
		push	ebx		; size_t
		push	[ebp+var_58]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		shr	ebx, 1
		xor	eax, eax
		mov	[esi+ebx*2], ax
		push	0FFFFFFFEh
		pop	ebx
		mov	[ebp+ms_exc.disabled], ebx
		push	1
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		push	[ebp+var_3C]
		lea	edx, [ebp+var_2C]
		mov	ecx, esi
		call	_ExpGetFirmwareEnvironmentVariable@24 ;	ExpGetFirmwareEnvironmentVariable(x,x,x,x,x,x)
		mov	edi, eax
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_34]
		mov	ecx, [ebp+var_40]
		mov	[ecx], eax
		mov	ecx, [ebp+var_4C]
		test	ecx, ecx
		jz	short loc_8EF005
		mov	eax, [ebp+var_48]
		mov	[ecx], eax

loc_8EF005:				; CODE XREF: NtQuerySystemEnvironmentValueEx+130240j
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, edi
		jmp	loc_7BEE1D
; END OF FUNCTION CHUNK	FOR NtQuerySystemEnvironmentValueEx

;  S U B	R O U T	I N E 


sub_8EF00F	proc near		; DATA XREF: .text:006A32D0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8EF00F	endp


;  S U B	R O U T	I N E 


sub_8EF01F	proc near		; DATA XREF: .text:006A32D4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-50h]
		jmp	loc_7BEE1D
sub_8EF01F	endp

; 

loc_8EF031:				; DATA XREF: .text:006A32C4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_8EF041:				; DATA XREF: .text:006A32C8o
		mov	esp, [ebp-18h]
		cmp	dword ptr [ebp-44h], 0
		jz	short loc_8EF054
		push	0
		push	dword ptr [ebp-44h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8EF054:				; CODE XREF: PAGE:008EF048j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-54h]
		jmp	loc_7BEE1D
; 
; START	OF FUNCTION CHUNK FOR ExGetFirmwareEnvironmentVariable

loc_8EF063:				; CODE XREF: ExGetFirmwareEnvironmentVariable+Fj
		mov	ecx, [ebp+arg_0]
		call	_ExpUnicodeStringToNonpagedWStr@4 ; ExpUnicodeStringToNonpagedWStr(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_8EF07B
		mov	eax, 0C000009Ah
		jmp	loc_7BEEAE
; 

loc_8EF07B:				; CODE XREF: ExGetFirmwareEnvironmentVariable+1301DBj
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_ExpGetFirmwareEnvironmentVariable@24 ;	ExpGetFirmwareEnvironmentVariable(x,x,x,x,x,x)
		push	0
		push	edi
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	loc_7BEEAE
; END OF FUNCTION CHUNK	FOR ExGetFirmwareEnvironmentVariable
; 
; START	OF FUNCTION CHUNK FOR IoWMISystemControl

loc_8EF0A1:				; CODE XREF: IoWMISystemControl+300j
		cmp	al, 8
		jz	loc_7BEF19

loc_8EF0A9:				; CODE XREF: IoWMISystemControl+2Ej
					; IoWMISystemControl+37j
		mov	esi, 0C0000010h

loc_8EF0AE:				; CODE XREF: IoWMISystemControl+1301F4j
					; IoWMISystemControl+13020Bj
		mov	[ebx+18h], esi

loc_8EF0B1:				; CODE XREF: IoWMISystemControl+1302F2j
					; IoWMISystemControl+1302FFj
		xor	dl, dl
		mov	ecx, ebx
		call	IofCompleteRequest
		jmp	loc_7BEFF9
; 

loc_8EF0BF:				; CODE XREF: IoWMISystemControl+7Fj
		mov	esi, 0C0000295h
		jmp	short loc_8EF0AE
; 

loc_8EF0C6:				; CODE XREF: IoWMISystemControl+8Aj
					; IoWMISystemControl+92j ...
		test	byte ptr [esi+2Ch], 80h
		mov	ecx, [esi+34h]
		mov	[ebp+var_2C], ecx
		jnz	loc_7BEF78
		mov	esi, 0C0000296h
		jmp	short loc_8EF0AE
; 

loc_8EF0DD:				; CODE XREF: IoWMISystemControl+182j
		mov	edi, 0C0000010h
		jmp	loc_7BF1AF
; 

loc_8EF0E7:				; CODE XREF: IoWMISystemControl+1CFj
		xor	edx, edx
		and	[ebp+var_28], edx
		jmp	loc_7BF0B2
; 

loc_8EF0F1:				; CODE XREF: IoWMISystemControl+1E6j
		lea	eax, [ebp+var_48]
		mov	[ebp+var_8], eax
		jmp	loc_7BF0BC
; 

loc_8EF0FC:				; CODE XREF: IoWMISystemControl+22Ej
		push	4
		pop	ecx
		mov	[ebp+var_24], ecx
		jmp	loc_7BF1A0
; 

loc_8EF107:				; CODE XREF: IoWMISystemControl+CAj
		push	ecx
		push	3Ch
		push	0C0000023h
		jmp	short loc_8EF119
; 

loc_8EF111:				; CODE XREF: IoWMISystemControl+E6j
		push	ecx
		push	0
		push	0C0000296h

loc_8EF119:				; CODE XREF: IoWMISystemControl+13023Fj
					; IoWMISystemControl+130279j
		push	ebx
		call	IoWMICompleteRequest
		jmp	loc_7BEFF7
; 

loc_8EF124:				; CODE XREF: IoWMISystemControl+D2j
					; IoWMISystemControl+DBj
		mov	ecx, [esi+4]
		call	WmipFindRegEntryByDevice
		mov	edx, eax
		test	edx, edx
		jz	short loc_8EF141
		mov	eax, [edx+8]
		mov	[ebp+var_14], eax
		test	edi, edi
		jnz	short loc_8EF14B
		mov	ecx, [edx+1Ch]
		jmp	short loc_8EF14E
; 

loc_8EF141:				; CODE XREF: IoWMISystemControl+130260j
					; IoWMISystemControl+1302B2j
		push	ecx
		push	0
		push	0C0000295h
		jmp	short loc_8EF119
; 

loc_8EF14B:				; CODE XREF: IoWMISystemControl+13026Aj
		xor	ecx, ecx
		inc	ecx

loc_8EF14E:				; CODE XREF: IoWMISystemControl+13026Fj
		mov	[ebp+var_1C], ecx
		mov	ecx, edx
		call	WmipUnreferenceRegEntry
		mov	ecx, [ebp+var_20]
		jmp	loc_7BEFB1
; 

loc_8EF160:				; CODE XREF: IoWMISystemControl+102j
		and	[ebp+var_30], 0
		xor	esi, esi
		xor	ecx, ecx
		jmp	loc_7BEFE5
; 

loc_8EF16D:				; CODE XREF: IoWMISystemControl+C0j
					; DATA XREF: PAGE:off_7BF1D8o
		test	edi, edi	; case 0x1
		jz	short loc_8EF176
		cmp	edi, 1
		jnz	short loc_8EF18F

loc_8EF176:				; CODE XREF: IoWMISystemControl+13029Fj
		mov	ecx, [esi+4]
		call	WmipFindRegEntryByDevice
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_8EF141
		mov	eax, [ecx+8]
		mov	[ebp+var_14], eax
		call	WmipUnreferenceRegEntry

loc_8EF18F:				; CODE XREF: IoWMISystemControl+1302A4j
		mov	ecx, [esi+38h]
		lea	eax, [ecx+esi]
		push	eax
		mov	eax, [ebp+var_20]
		sub	eax, ecx
		push	eax
		lea	eax, [esi+3Ch]
		push	eax
		push	1
		push	[ebp+var_2C]
		jmp	loc_7BEFED
; 

loc_8EF1AA:				; CODE XREF: IoWMISystemControl+C0j
					; DATA XREF: PAGE:off_7BF1D8o
		mov	eax, 0C00002C6h	; case 0x2
		mov	esi, eax
		mov	[ebx+18h], eax
		jmp	short loc_8EF1BE
; 

loc_8EF1B6:				; CODE XREF: IoWMISystemControl+C0j
					; DATA XREF: PAGE:off_7BF1D8o
		mov	esi, 0C0000010h	; case 0x9
		mov	[ebx+18h], esi

loc_8EF1BE:				; CODE XREF: IoWMISystemControl+1302E4j
		and	dword ptr [ebx+1Ch], 0
		jmp	loc_8EF0B1
; 

loc_8EF1C7:				; CODE XREF: IoWMISystemControl+C0j
					; DATA XREF: PAGE:off_7BF1D8o
		xor	esi, esi	; case 0x4
		and	[ebx+18h], esi
		and	[ebx+1Ch], esi
		jmp	loc_8EF0B1
; 

loc_8EF1D4:				; CODE XREF: IoWMISystemControl+BAj
					; IoWMISystemControl+C0j
					; DATA XREF: ...
		mov	esi, 0C0000010h	; default
		jmp	loc_7BEFF9
; END OF FUNCTION CHUNK	FOR IoWMISystemControl
; 
; START	OF FUNCTION CHUNK FOR WmipQueryWmiDataBlock

loc_8EF1DE:				; CODE XREF: WmipQueryWmiDataBlock+59j
		jbe	loc_8EF4F8
		cmp	eax, 5
		jbe	short loc_8EF21D
		cmp	eax, 6
		jnz	loc_8EF4F8
		mov	eax, [ebp+arg_18]
		lea	edx, [esp+0A8h+var_9C]
		mov	[esp+0A8h+var_9C], eax
		neg	eax
		sbb	eax, eax
		and	eax, edi
		mov	ecx, eax
		call	_WmipGetSMBiosEventlog@8 ; WmipGetSMBiosEventlog(x,x)
		mov	esi, eax
		mov	eax, [esp+0A8h+var_9C]
		test	esi, esi
		js	loc_7BF29D
		jmp	loc_7BF297
; 

loc_8EF21D:				; CODE XREF: WmipQueryWmiDataBlock+12FFDFj
		lea	eax, [esp+0A8h+var_90]
		mov	[esp+0A8h+var_8C], ebx
		push	eax
		lea	eax, [esp+0ACh+var_84]
		mov	[esp+0ACh+var_98], ebx
		push	eax
		lea	edx, [esp+0B0h+var_98]
		mov	[esp+0B0h+var_84], ebx
		lea	ecx, [esp+0B0h+var_8C]
		mov	[esp+0B0h+var_90], ebx
		call	_WmipGetSysIds@16 ; WmipGetSysIds(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8EF4FD
		cmp	[ebp+arg_8], 5
		jnz	short loc_8EF263
		mov	eax, [esp+0A8h+var_90]
		mov	esi, eax
		mov	edx, [esp+0A8h+var_84]
		shl	esi, 3
		jmp	short loc_8EF270
; 

loc_8EF263:				; CODE XREF: WmipQueryWmiDataBlock+13004Aj
		mov	eax, [esp+0A8h+var_98]
		mov	esi, eax
		mov	edx, [esp+0A8h+var_8C]
		shl	esi, 4

loc_8EF270:				; CODE XREF: WmipQueryWmiDataBlock+130059j
		mov	ecx, [ebp+arg_18]
		add	esi, 4
		mov	[esp+0A8h+var_9C], esi
		cmp	ecx, esi
		jb	short loc_8EF2BA
		mov	ecx, [esp+0A8h+var_88]
		mov	[ecx], esi
		mov	[edi], eax
		lea	eax, [esi-4]
		push	eax		; size_t
		push	edx		; void *
		lea	eax, [edi+4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_8EF2B3
; 

loc_8EF299:				; CODE XREF: WmipQueryWmiDataBlock+130169j
		mov	eax, [esp+0A8h+var_98]
		mov	ecx, [esp+0A8h+var_88]
		mov	[edi], eax
		mov	eax, [esp+0A8h+var_8C]
		mov	[edi+4], eax
		mov	eax, [esp+0A8h+var_90]
		mov	[edi+8], eax
		mov	[ecx], esi

loc_8EF2B3:				; CODE XREF: WmipQueryWmiDataBlock+13008Fj
		mov	esi, ebx
		jmp	loc_8EF4FD
; 

loc_8EF2BA:				; CODE XREF: WmipQueryWmiDataBlock+130074j
					; WmipQueryWmiDataBlock+130163j
		mov	esi, 0C0000023h
		jmp	loc_8EF4FD
; 

loc_8EF2C4:				; CODE XREF: WmipQueryWmiDataBlock+50j
		lea	eax, [esp+0A8h+var_98]
		mov	[esp+0A8h+var_98], ebx
		mov	[esp+0A8h+var_6C], eax
		mov	ecx, 4000000h
		lea	eax, [esp+0A8h+var_8C]
		mov	[esp+0A8h+var_68], ecx
		push	1
		mov	[esp+0ACh+var_50], eax
		mov	edx, 124h
		push	ecx
		lea	eax, [esp+0B0h+var_90]
		mov	[esp+0B0h+var_74], edx
		mov	[esp+0B0h+var_34], eax
		lea	eax, [esp+0B0h+var_78]
		push	ebx
		mov	[esp+0B4h+var_58], edx
		mov	[esp+0B4h+var_4C], ecx
		mov	[esp+0B4h+var_3C], edx
		mov	edx, offset ??_C@_1FM@BFBPAOJP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		mov	[esp+0B4h+var_30], ecx
		xor	ecx, ecx
		push	eax
		mov	[esp+0B8h+var_8C], ebx
		mov	[esp+0B8h+var_90], ebx
		mov	[esp+0B8h+var_78], ebx
		mov	[esp+0B8h+var_70], offset ??_C@_1CC@MBMHMCGC@?$AAB?$AAo?$AAo?$AAt?$AAA?$AAr?$AAc?$AAh?$AAi?$AAt?$AAe?$AAc?$AAt?$AAu?$AAr@NNGAKEGL@
		mov	[esp+0B8h+var_5C], ebx
		mov	[esp+0B8h+var_54], offset ??_C@_1CC@CBGHPEEO@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe?$AAd?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@NNGAKEGL@
		mov	[esp+0B8h+var_40], ebx
		mov	[esp+0B8h+var_38], offset ??_C@_1BK@JKLHPNBO@?$AAC?$AAa?$AAp?$AAa?$AAb?$AAi?$AAl?$AAi?$AAt?$AAi?$AAe?$AAs@NNGAKEGL@ ; "Capabilities"
		mov	[esp+0B8h+var_24], ebx
		mov	[esp+0B8h+var_20], ebx
		call	RtlpQueryRegistryValues
		test	eax, eax
		js	loc_8EF4F8
		mov	ecx, [ebp+arg_18]
		push	0Ch
		pop	esi
		mov	[esp+0A8h+var_9C], esi
		cmp	ecx, esi
		jb	loc_8EF2BA
		jmp	loc_8EF299
; 

loc_8EF376:				; CODE XREF: WmipQueryWmiDataBlock+47j
		mov	[esp+0A8h+var_98], ebx
		mov	[esp+0A8h+var_94], ebx
		call	WmipFindRegEntryByDevice
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8EF4F8
		mov	ecx, [ebx+0Ch]
		test	ecx, ecx
		jz	short loc_8EF40E
		lea	edx, [esp+0A8h+var_98]
		call	IoGetDeviceInstanceName
		mov	esi, eax
		test	esi, esi
		js	short loc_8EF407
		mov	ecx, [esp+0A8h+var_98]
		movzx	edx, cx
		lea	eax, [edx+0Ah]
		mov	[esp+0A8h+var_9C], eax
		cmp	eax, [ebp+arg_18]
		ja	short loc_8EF3F6
		mov	ecx, [esp+0A8h+var_88]
		mov	dword ptr [edi], 1
		push	edx		; size_t
		push	[esp+0ACh+var_94] ; void *
		mov	[ecx], eax
		mov	eax, [esp+0B0h+var_98]
		add	eax, 4
		mov	[edi+4], ax
		add	edi, 6
		push	edi		; void *
		call	_memcpy
		mov	ecx, [esp+0B4h+var_98]
		add	esp, 0Ch
		movzx	eax, cx
		add	edi, eax
		push	5Fh
		pop	eax
		mov	[edi], ax
		push	30h
		pop	eax
		mov	[edi+2], ax
		jmp	short loc_8EF3FB
; 

loc_8EF3F6:				; CODE XREF: WmipQueryWmiDataBlock+1301ACj
		mov	esi, 0C0000023h

loc_8EF3FB:				; CODE XREF: WmipQueryWmiDataBlock+1301ECj
		lea	eax, [esp+0A8h+var_98]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	short loc_8EF413
; 

loc_8EF407:				; CODE XREF: WmipQueryWmiDataBlock+130199j
		mov	esi, 0C0000295h
		jmp	short loc_8EF413
; 

loc_8EF40E:				; CODE XREF: WmipQueryWmiDataBlock+13018Aj
		mov	esi, 0C0000001h

loc_8EF413:				; CODE XREF: WmipQueryWmiDataBlock+1301FDj
					; WmipQueryWmiDataBlock+130204j
		mov	ecx, ebx
		jmp	short loc_8EF420
; 

loc_8EF417:				; CODE XREF: WmipQueryWmiDataBlock+130242j
		mov	esi, 0C0000001h

loc_8EF41C:				; CODE XREF: WmipQueryWmiDataBlock+1302E1j
					; WmipQueryWmiDataBlock+1302EBj
		mov	ecx, [esp+0A8h+var_90]

loc_8EF420:				; CODE XREF: WmipQueryWmiDataBlock+13020Dj
		call	WmipUnreferenceRegEntry
		jmp	loc_8EF4FD
; 

loc_8EF42A:				; CODE XREF: WmipQueryWmiDataBlock+3Ej
		mov	[esp+0A8h+var_84], ebx
		mov	[esp+0A8h+var_80], ebx
		call	WmipFindRegEntryByDevice
		mov	esi, eax
		mov	[esp+0A8h+var_90], esi
		test	esi, esi
		jz	loc_8EF4F8
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_8EF417
		lea	edx, [esp+0A8h+var_84]
		call	IoGetDeviceInstanceName
		mov	esi, eax
		mov	[esp+0A8h+var_8C], esi
		test	esi, esi
		js	loc_8EF4EE
		mov	eax, [esp+0A8h+var_84]
		movzx	eax, ax
		mov	[esp+0A8h+var_98], eax
		lea	edx, [eax+2]
		mov	eax, [ebp+arg_10]
		lea	ecx, [edx+7]
		and	ecx, 0FFFFFFF8h
		dec	eax
		imul	eax, ecx
		add	eax, edx
		mov	[esp+0A8h+var_9C], eax
		cmp	eax, [ebp+arg_18]
		ja	short loc_8EF4DA
		push	eax		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	ebx, [ebp+arg_10]
		add	esp, 0Ch
		test	ebx, ebx
		jz	short loc_8EF4DF
		mov	esi, [esp+0A8h+var_88]
		mov	eax, [esp+0A8h+var_98]

loc_8EF4A3:				; CODE XREF: WmipQueryWmiDataBlock+1302CAj
		add	edi, 7
		lea	ecx, [eax+2]
		and	edi, 0FFFFFFF8h
		mov	[esi], ecx
		mov	ecx, [esp+0A8h+var_84]
		lea	esi, [esi+4]
		push	eax		; size_t
		push	[esp+0ACh+var_80] ; void *
		mov	[edi], cx
		add	edi, 2
		push	edi		; void *
		call	_memcpy
		mov	eax, [esp+0B4h+var_98]
		add	esp, 0Ch
		add	edi, eax
		sub	ebx, 1
		jnz	short loc_8EF4A3
		mov	esi, [esp+0A8h+var_8C]
		jmp	short loc_8EF4DF
; 

loc_8EF4DA:				; CODE XREF: WmipQueryWmiDataBlock+13027Fj
		mov	esi, 0C0000023h

loc_8EF4DF:				; CODE XREF: WmipQueryWmiDataBlock+130291j
					; WmipQueryWmiDataBlock+1302D0j
		lea	eax, [esp+0A8h+var_84]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	loc_8EF41C
; 

loc_8EF4EE:				; CODE XREF: WmipQueryWmiDataBlock+130255j
		mov	esi, 0C0000295h
		jmp	loc_8EF41C
; 

loc_8EF4F8:				; CODE XREF: WmipQueryWmiDataBlock:loc_8EF1DEj
					; WmipQueryWmiDataBlock+12FFE4j ...
		mov	esi, 0C0000295h

loc_8EF4FD:				; CODE XREF: WmipQueryWmiDataBlock+130040j
					; WmipQueryWmiDataBlock+1300ADj ...
		mov	eax, [esp+0A8h+var_9C]
		jmp	loc_7BF29D
; END OF FUNCTION CHUNK	FOR WmipQueryWmiDataBlock
; 
; START	OF FUNCTION CHUNK FOR IoWMICompleteRequest

loc_8EF506:				; CODE XREF: IoWMICompleteRequest+1Bj
		mov	ebx, [ebp+arg_4]
		sub	eax, 1
		jz	short loc_8EF542
		sub	eax, 8
		jnz	loc_7BF3A6
		mov	esi, [edi+3Ch]
		add	esi, [ebp+arg_8]
		test	ebx, ebx
		js	short loc_8EF537
		lea	eax, [edi+10h]
		mov	[edi], esi
		push	eax
		call	KeQuerySystemTime
		mov	eax, [ebp+arg_8]
		mov	[edi+40h], eax
		jmp	loc_7BF372
; 

loc_8EF537:				; CODE XREF: IoWMICompleteRequest+130257j
					; IoWMICompleteRequest+130282j
		cmp	ebx, 0C0000023h
		jmp	loc_7BF38F
; 

loc_8EF542:				; CODE XREF: IoWMICompleteRequest+130244j
		mov	esi, [edi+38h]
		add	esi, [ebp+arg_8]
		test	ebx, ebx
		js	short loc_8EF537
		lea	eax, [edi+10h]
		mov	[edi], esi
		push	eax
		call	KeQuerySystemTime
		jmp	loc_7BF372
; 

loc_8EF55C:				; CODE XREF: IoWMICompleteRequest+48j
		mov	ebx, eax
		jmp	loc_7BF316
; END OF FUNCTION CHUNK	FOR IoWMICompleteRequest
; 
; START	OF FUNCTION CHUNK FOR ExpGetSystemFirmwareTableInformation

loc_8EF563:				; CODE XREF: ExpGetSystemFirmwareTableInformation+2Aj
		mov	dword ptr [edx], 10h
		mov	edi, 0C0000004h
		jmp	loc_7BF46D
; 

loc_8EF573:				; CODE XREF: ExpGetSystemFirmwareTableInformation+102j
		mov	edi, 0C000009Ah
		jmp	loc_7BF46D
; 

loc_8EF57D:				; CODE XREF: ExpGetSystemFirmwareTableInformation+138j
		cmp	dword ptr [esi], 52534D42h
		jnz	short loc_8EF598
		xor	ecx, ecx
		call	_ExpFirmwareAccessAppContainerCheck@4 ;	ExpFirmwareAccessAppContainerCheck(x)
		test	al, al
		jz	short loc_8EF598
		mov	ecx, [ebp+var_58]
		jmp	loc_7BF3EC
; 

loc_8EF598:				; CODE XREF: ExpGetSystemFirmwareTableInformation+1301D9j
					; ExpGetSystemFirmwareTableInformation+1301E4j
		mov	edi, 0C0000022h
		cmp	dword_6B2D08, 5
		jbe	loc_7BF46D
		push	2000h
		push	ebx
		mov	ecx, offset dword_6B2D08
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_7BF46D
		mov	eax, [esi]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], 4
		mov	[ebp+var_24], ebx
		lea	eax, [ebp+var_50]
		push	eax
		push	3
		push	ebx
		push	ebx
		push	offset loc_424186
		push	offset dword_6B2D08
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_7BF46D
; END OF FUNCTION CHUNK	FOR ExpGetSystemFirmwareTableInformation

;  S U B	R O U T	I N E 


sub_8EF5F6	proc near		; DATA XREF: .text:006A32ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-6Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EF5F6	endp


;  S U B	R O U T	I N E 


sub_8EF604	proc near		; DATA XREF: .text:006A32F0o
		mov	edi, [ebp-6Ch]
		jmp	short loc_8EF60C
; 

loc_8EF609:				; DATA XREF: .text:006A32FCo
		mov	edi, [ebp-74h]

loc_8EF60C:				; CODE XREF: sub_8EF604+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-60h]
		jmp	loc_7BF46D
sub_8EF604	endp


;  S U B	R O U T	I N E 


sub_8EF61E	proc near		; DATA XREF: .text:006A32F8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-74h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EF61E	endp

; 
; START	OF FUNCTION CHUNK FOR WmipGetSMBiosTableData

loc_8EF62C:				; CODE XREF: WmipGetSMBiosTableData+16j
		mov	eax, 0C000000Dh
		jmp	loc_7BF5C6
; 

loc_8EF636:				; CODE XREF: WmipGetSMBiosTableData+9Aj
		mov	esi, 0C0000010h
		jmp	loc_7BF59A
; 

loc_8EF640:				; CODE XREF: WmipGetSMBiosTableData+5Aj
		test	esi, esi
		js	loc_7BF5AE
		mov	edx, [edi]
		mov	ecx, ebx
		call	_WmipSMBiosHideMachine@8 ; WmipSMBiosHideMachine(x,x)
		jmp	loc_7BF5AE
; END OF FUNCTION CHUNK	FOR WmipGetSMBiosTableData
; 
; START	OF FUNCTION CHUNK FOR WmipGetRegistryHideMachine

loc_8EF656:				; CODE XREF: WmipGetRegistryHideMachine+5Aj
		push	offset ??_C@_1BI@HMDFEAOI@?$AAH?$AAi?$AAd?$AAe?$AAM?$AAa?$AAc?$AAh?$AAi?$AAn?$AAe@NNGAKEGL@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	ebx
		push	2
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	loc_7BF68C
		push	70696D57h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_7BF68C
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_8]
		lea	eax, [ebp+var_10]
		push	esi
		push	2
		push	eax
		push	[ebp+var_4]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8EF6C5
		cmp	dword ptr [esi+4], 4
		jnz	short loc_8EF6C5
		cmp	dword ptr [esi+8], 4
		jnz	short loc_8EF6C5
		mov	edi, [esi+0Ch]

loc_8EF6C5:				; CODE XREF: WmipGetRegistryHideMachine+130088j
					; WmipGetRegistryHideMachine+13008Ej ...
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7BF68C
; 

loc_8EF6D1:				; CODE XREF: WmipGetRegistryHideMachine+63j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7BF695
; END OF FUNCTION CHUNK	FOR WmipGetRegistryHideMachine
; 
; START	OF FUNCTION CHUNK FOR MiFindEmptyAddressRangeDown

loc_8EF6DE:				; CODE XREF: MiFindEmptyAddressRangeDown+1Dj
		mov	eax, 0C0000017h
		jmp	loc_7BF7BF
; 

loc_8EF6E8:				; CODE XREF: MiFindEmptyAddressRangeDown+83j
		mov	eax, [ebp+arg_10]
		and	eax, 2
		cmp	edi, [ebp+arg_8]
		jz	short loc_8EF6FF
		test	eax, eax
		jnz	short loc_8EF70A
		mov	edi, [ebp+arg_8]
		jmp	loc_7BF786
; 

loc_8EF6FF:				; CODE XREF: MiFindEmptyAddressRangeDown+12FFBDj
		test	eax, eax
		jnz	short loc_8EF70A
		mov	eax, 10000h
		jmp	short loc_8EF710
; 

loc_8EF70A:				; CODE XREF: MiFindEmptyAddressRangeDown+12FFC1j
					; MiFindEmptyAddressRangeDown+12FFCDj
		mov	eax, [ebp+var_8]
		shl	eax, 10h

loc_8EF710:				; CODE XREF: MiFindEmptyAddressRangeDown+12FFD4j
		cmp	eax, ebx
		jnb	short loc_8EF716
		mov	eax, ebx

loc_8EF716:				; CODE XREF: MiFindEmptyAddressRangeDown+12FFDEj
		cmp	eax, esi
		jnb	loc_7BF7BD
		mov	esi, eax
		jmp	loc_7BF786
; END OF FUNCTION CHUNK	FOR MiFindEmptyAddressRangeDown
; 
; START	OF FUNCTION CHUNK FOR MiFindEmptyAddressRangeDownTree

loc_8EF725:				; CODE XREF: MiFindEmptyAddressRangeDownTree+6Ej
		push	1
		push	edx
		mov	edx, edi
		mov	ecx, eax
		call	_MiHonorRangeStraddleRequirement@16 ; MiHonorRangeStraddleRequirement(x,x,x,x)
		mov	edx, [ebp+arg_4]
		mov	ecx, eax
		mov	eax, [ebp+arg_C]
		neg	eax
		and	ecx, eax
		mov	[ebp+var_C], ecx
		shl	ecx, 0Ch
		jmp	loc_7BF84E
; 

loc_8EF748:				; CODE XREF: MiFindEmptyAddressRangeDownTree+D3j
		mov	eax, [ebp+arg_C]
		lea	ecx, [ebp+var_40]
		dec	ebx
		mov	[ebp+var_30], esi
		add	ebx, [ebp+arg_C]
		mov	[ebp+arg_0], ecx
		jmp	loc_7BF8CC
; 

loc_8EF75D:				; CODE XREF: MiFindEmptyAddressRangeDownTree+E2j
		lea	ecx, [ebp+var_40]
		mov	eax, ebx
		mov	[ebp+arg_0], ecx
		jmp	loc_7BF8C2
; 

loc_8EF76A:				; CODE XREF: MiFindEmptyAddressRangeDownTree+F8j
		push	esi
		push	edx
		mov	edx, [ebp+var_14]
		mov	ecx, ebx
		call	_MiHonorRangeStraddleRequirement@16 ; MiHonorRangeStraddleRequirement(x,x,x,x)
		mov	edx, [ebp+arg_4]
		mov	ebx, eax
		jmp	loc_7BF8D8
; 

loc_8EF780:				; CODE XREF: MiFindEmptyAddressRangeDownTree+140j
		push	1
		push	edx
		mov	edx, ebx
		call	_MiHonorRangeStraddleRequirement@16 ; MiHonorRangeStraddleRequirement(x,x,x,x)
		mov	ecx, eax
		and	ecx, edi
		jmp	loc_7BF920
; END OF FUNCTION CHUNK	FOR MiFindEmptyAddressRangeDownTree
; 
; START	OF FUNCTION CHUNK FOR RtlGenerate8dot3Name

loc_8EF793:				; CODE XREF: RtlGenerate8dot3Name+30j
		mov	[ebp+var_15], 1
		cmp	ds:_NlsMbOemCodePageTag, bl
		jnz	loc_7BF991
		jmp	loc_7BF98E
; 

loc_8EF7A8:				; CODE XREF: RtlGenerate8dot3Name+A0j
		or	[ebp+var_24], 0FFFFFFFFh
		jmp	loc_7BF9FE
; 

loc_8EF7B1:				; CODE XREF: RtlGenerate8dot3Name+DCj
		push	7Fh
		pop	eax
		cmp	dx, ax
		jbe	short loc_8EF7CC
		mov	eax, ds:_NlsUnicodeToMbOemData
		mov	ecx, edx
		cmp	byte ptr [eax+ecx*2+1],	0
		jz	short loc_8EF7CC
		push	2
		pop	eax
		jmp	short loc_8EF7CF
; 

loc_8EF7CC:				; CODE XREF: RtlGenerate8dot3Name+12FE5Fj
					; RtlGenerate8dot3Name+12FE6Dj
		xor	eax, eax
		inc	eax

loc_8EF7CF:				; CODE XREF: RtlGenerate8dot3Name+12FE72j
		add	edi, eax
		cmp	edi, 6
		ja	loc_7BFA47
		mov	al, [ebp+var_25]
		jmp	loc_7BFA3A
; 

loc_8EF7E2:				; CODE XREF: RtlGenerate8dot3Name+14Aj
		push	7Fh
		pop	eax
		cmp	dx, ax
		jbe	short loc_8EF7FD
		mov	eax, ds:_NlsUnicodeToMbOemData
		mov	ecx, edx
		cmp	byte ptr [eax+ecx*2+1],	0
		jz	short loc_8EF7FD
		push	2
		pop	eax
		jmp	short loc_8EF800
; 

loc_8EF7FD:				; CODE XREF: RtlGenerate8dot3Name+12FE90j
					; RtlGenerate8dot3Name+12FE9Ej
		xor	eax, eax
		inc	eax

loc_8EF800:				; CODE XREF: RtlGenerate8dot3Name+12FEA3j
		mov	ecx, [ebp+var_1C]
		add	ecx, eax
		mov	[ebp+var_1C], ecx
		cmp	ecx, 4
		ja	loc_7BFBBF
		jmp	loc_7BFAA8
; 

loc_8EF816:				; CODE XREF: RtlGenerate8dot3Name+274j
		push	7Eh
		pop	eax
		mov	[esi+edi*2+16h], ax
		jmp	loc_7BFAB5
; 

loc_8EF823:				; CODE XREF: RtlGenerate8dot3Name+287j
		movzx	eax, word ptr [esi+4]
		cmp	ax, dx
		jbe	short loc_8EF83F
		mov	ecx, eax
		mov	eax, ds:_NlsUnicodeToMbOemData
		cmp	byte ptr [eax+ecx*2+1],	0
		jz	short loc_8EF83F
		xor	edx, edx
		inc	edx
		jmp	short loc_8EF841
; 

loc_8EF83F:				; CODE XREF: RtlGenerate8dot3Name+12FED2j
					; RtlGenerate8dot3Name+12FEE0j
		mov	edx, ebx

loc_8EF841:				; CODE XREF: RtlGenerate8dot3Name+12FEE5j
		movzx	eax, word ptr [esi+6]
		push	7Fh
		pop	ecx
		cmp	ax, cx
		jbe	short loc_8EF860
		mov	ecx, eax
		mov	eax, ds:_NlsUnicodeToMbOemData
		cmp	byte ptr [eax+ecx*2+1],	0
		jz	short loc_8EF860
		xor	eax, eax
		inc	eax
		jmp	short loc_8EF862
; 

loc_8EF860:				; CODE XREF: RtlGenerate8dot3Name+12FEF3j
					; RtlGenerate8dot3Name+12FF01j
		mov	eax, ebx

loc_8EF862:				; CODE XREF: RtlGenerate8dot3Name+12FF06j
		or	eax, edx
		mov	[ebp+var_24], eax
		jmp	loc_7BFBE8
; 

loc_8EF86C:				; CODE XREF: RtlGenerate8dot3Name+1BCj
					; RtlGenerate8dot3Name+1C4j
		mov	ecx, ebx
		jmp	loc_7BFB44
; 

loc_8EF873:				; CODE XREF: RtlGenerate8dot3Name+24Ej
		cmp	[ebp+var_15], 0
		mov	dl, [esi+3]
		jz	short loc_8EF8CD
		mov	ecx, ebx
		mov	[ebp+var_1C], ecx
		test	dl, dl
		jz	short loc_8EF8D0
		push	7
		pop	eax
		sub	eax, edi
		lea	edi, [esi+4]
		mov	[ebp+var_30], eax
		mov	esi, eax

loc_8EF892:				; CODE XREF: RtlGenerate8dot3Name+12FF6Ej
		movzx	eax, word ptr [edi]
		cmp	ax, word ptr [ebp+var_3C]
		jbe	short loc_8EF8B1
		mov	ecx, eax
		mov	eax, ds:_NlsUnicodeToMbOemData
		cmp	byte ptr [eax+ecx*2+1],	0
		mov	ecx, [ebp+var_1C]
		jz	short loc_8EF8B1
		push	2
		pop	eax
		jmp	short loc_8EF8B4
; 

loc_8EF8B1:				; CODE XREF: RtlGenerate8dot3Name+12FF41j
					; RtlGenerate8dot3Name+12FF52j
		xor	eax, eax
		inc	eax

loc_8EF8B4:				; CODE XREF: RtlGenerate8dot3Name+12FF57j
		add	ecx, eax
		mov	[ebp+var_1C], ecx
		cmp	ecx, esi
		ja	short loc_8EF8C8
		inc	ebx
		movzx	eax, dl
		add	edi, 2
		cmp	ebx, eax
		jb	short loc_8EF892

loc_8EF8C8:				; CODE XREF: RtlGenerate8dot3Name+12FF63j
		mov	esi, [ebp+var_38]
		jmp	short loc_8EF8D0
; 

loc_8EF8CD:				; CODE XREF: RtlGenerate8dot3Name+12FF22j
		lea	ebx, [edx-1]

loc_8EF8D0:				; CODE XREF: RtlGenerate8dot3Name+12FF2Bj
					; RtlGenerate8dot3Name+12FF73j
		mov	[esi+3], bl
		test	bl, bl
		jnz	loc_7BFBAC
		mov	eax, 0C0000427h
		jmp	loc_7BFBAE
; END OF FUNCTION CHUNK	FOR RtlGenerate8dot3Name
; 
; START	OF FUNCTION CHUNK FOR GetNextWchar

loc_8EF8E5:				; CODE XREF: GetNextWchar+35j
		cmp	[ebp+arg_4], 0
		jz	loc_7BFD3D
		lea	eax, [ebp+var_4]
		push	eax
		call	_RtlIsValidOemCharacter@4 ; RtlIsValidOemCharacter(x)
		test	al, al
		jz	loc_7BFD3D
		mov	esi, [ebp+var_4]
		jmp	loc_7BFCF5
; END OF FUNCTION CHUNK	FOR GetNextWchar
; 
; START	OF FUNCTION CHUNK FOR MiValidateImagePfn

loc_8EF908:				; CODE XREF: MiValidateImagePfn+33j
		cmp	dword ptr [ecx+18h], 0
		jnz	loc_7BFDCB
		call	_MiGetSectionStrongImageReference@4 ; MiGetSectionStrongImageReference(x)
		test	eax, eax
		js	loc_7BFEEE
		jmp	loc_7BFDCB
; 

loc_8EF924:				; CODE XREF: MiValidateImagePfn+4Aj
		test	ds:_MiFlags, 4000h
		jz	short loc_8EF93C
		mov	eax, [ebp+var_C]
		test	dword ptr [eax+34h], 0C0000h
		jnz	short loc_8EF942

loc_8EF93C:				; CODE XREF: MiValidateImagePfn+12FB9Cj
		cmp	[ebp+arg_8], 0FFFFFFFFh
		jnz	short loc_8EF956

loc_8EF942:				; CODE XREF: MiValidateImagePfn+12FBA8j
		call	_MiReserveFaultPte@0 ; MiReserveFaultPte()
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8EF956
		mov	[ebp+var_1], 1
		jmp	loc_7BFDE6
; 

loc_8EF956:				; CODE XREF: MiValidateImagePfn+12FBAEj
					; MiValidateImagePfn+12FBB9j
		mov	eax, 0C000009Ah
		jmp	loc_7BFEEE
; 

loc_8EF960:				; CODE XREF: MiValidateImagePfn+85j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_8EF992
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	loc_7BFE20

loc_8EF979:				; CODE XREF: MiValidateImagePfn+12FC19j
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	loc_7BFE20
		or	edx, 80000000h
		jmp	loc_7BFE20
; 

loc_8EF992:				; CODE XREF: MiValidateImagePfn+12FBD5j
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_14]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_8EF979
		jmp	loc_7BFE20
; 

loc_8EF9B2:				; CODE XREF: MiValidateImagePfn+96j
		push	edx
		push	edi
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_7BFE2E
; 

loc_8EF9C0:				; CODE XREF: MiValidateImagePfn+BAj
		test	dword ptr [ecx+34h], 0C0000h
		jz	loc_7BFE52
		cmp	[ebp+arg_8], 0FFFFFFFFh
		jz	loc_7BFEF7
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_8]
		cmp	[ecx+10h], edi
		jz	loc_7BFE7F
		or	eax, 1
		mov	[ebp+arg_14], eax
		jmp	loc_7BFE7F
; 

loc_8EF9F1:				; CODE XREF: MiValidateImagePfn+E5j
		mov	esi, 0C000009Ah
		jmp	loc_7BFECC
; 

loc_8EF9FB:				; CODE XREF: MiValidateImagePfn+11Dj
		mov	ecx, [esi+8]
		mov	eax, [esi+0Ch]
		shrd	ecx, eax, 5
		mov	eax, [ebp+var_C]
		test	cl, 2
		setnz	cl
		mov	eax, [eax+34h]
		and	eax, 0C0000h
		neg	eax
		sbb	al, al
		inc	al
		test	cl, al
		jz	loc_7BFEB5
		push	3
		pop	edx
		jmp	loc_7BFEB5
; END OF FUNCTION CHUNK	FOR MiValidateImagePfn
; 
; START	OF FUNCTION CHUNK FOR NtSetInformationVirtualMemory

loc_8EFA2C:				; CODE XREF: NtSetInformationVirtualMemory+ACj
					; NtSetInformationVirtualMemory+D2j
		mov	eax, 0C00000F4h
		jmp	loc_7C00F0
; 

loc_8EFA36:				; CODE XREF: NtSetInformationVirtualMemory+119j
		test	dword ptr [ecx+2FCh], 40000h
		jnz	loc_7C0153
		mov	[ebp+var_15C], edi
		jmp	loc_7C0153
; 

loc_8EFA51:				; CODE XREF: NtSetInformationVirtualMemory+176j
					; NtSetInformationVirtualMemory+182j
		mov	[edi], al
		jmp	loc_7C01BC
; 

loc_8EFA58:				; CODE XREF: NtSetInformationVirtualMemory+1B1j
					; NtSetInformationVirtualMemory+1B9j
		mov	[esi], al
		jmp	loc_7C01F3
; 

loc_8EFA5F:				; CODE XREF: NtSetInformationVirtualMemory+231j
					; NtSetInformationVirtualMemory+239j
		mov	byte ptr [edx],	0
		jmp	loc_7C0273
; 

loc_8EFA67:				; CODE XREF: NtSetInformationVirtualMemory+1DEj
					; NtSetInformationVirtualMemory+1EAj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7C064B
; 

loc_8EFA73:				; CODE XREF: NtSetInformationVirtualMemory+556j
		mov	edx, eax
		jmp	loc_7C0590
; END OF FUNCTION CHUNK	FOR NtSetInformationVirtualMemory

;  S U B	R O U T	I N E 


sub_8EFA7A	proc near		; DATA XREF: .text:006A3314o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-194h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EFA7A	endp


;  S U B	R O U T	I N E 


sub_8EFA8B	proc near		; DATA XREF: .text:006A3318o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-194h]
		jmp	loc_7C00F0
sub_8EFA8B	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationVirtualMemory

loc_8EFAA0:				; CODE XREF: NtSetInformationVirtualMemory+277j
		mov	ecx, eax
		shl	ecx, 3
		push	0
		push	40h
		mov	edx, 724D6D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_138], esi
		test	esi, esi
		jnz	loc_7C02B1
		lea	esi, [ebp+var_11C]
		mov	ebx, 0C000009Ah
		lea	edi, [ebp+var_9C]
		jmp	loc_7C048D
; 

loc_8EFAD9:				; CODE XREF: NtSetInformationVirtualMemory+28Bj
		mov	ecx, eax
		shl	ecx, 3
		push	0
		push	40h
		mov	edx, 724D6D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_13C], eax
		test	eax, eax
		jnz	loc_7C02C5
		lea	edi, [ebp+var_9C]
		mov	ebx, 0C000009Ah
		jmp	loc_7C0487
; 

loc_8EFB0A:				; CODE XREF: NtSetInformationVirtualMemory+298j
		mov	eax, ds:_MmSectionObjectType
		and	[ebp+var_158], 0
		push	0
		lea	ecx, [ebp+var_158]
		push	ecx
		push	[ebp+var_160]
		push	eax
		push	1
		push	[ebp+var_180]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		mov	eax, [ebp+var_158]
		mov	[ebp+var_168], eax
		test	ebx, ebx
		js	loc_7C0481
		jmp	loc_7C02D2
; 

loc_8EFB4E:				; CODE XREF: NtSetInformationVirtualMemory+57Bj
					; NtSetInformationVirtualMemory+584j
		mov	ebx, 0C00000EFh
		jmp	loc_7C0481
; 

loc_8EFB58:				; CODE XREF: NtSetInformationVirtualMemory+311j
		mov	ebx, 0C00000F2h
		jmp	loc_7C0481
; 

loc_8EFB62:				; CODE XREF: NtSetInformationVirtualMemory+32Cj
		sub	edi, 1
		jz	loc_8EFC33
		sub	edi, 1
		jz	loc_8EFBF6
		sub	edi, 1
		jz	short loc_8EFBA8
		sub	edi, 1
		jnz	loc_7C0481
		cmp	[ebp+var_14C], edi
		jz	short loc_8EFB94
		mov	ebx, 0C000000Dh
		jmp	loc_7C0481
; 

loc_8EFB94:				; CODE XREF: NtSetInformationVirtualMemory+12FB54j
		push	1
		mov	edx, [ebp+var_144]
		mov	ecx, esi
		call	_VmPrefetchVirtualAddresses@12 ; VmPrefetchVirtualAddresses(x,x,x)
		jmp	loc_7C047F
; 

loc_8EFBA8:				; CODE XREF: NtSetInformationVirtualMemory+12FB43j
		cmp	[ebp+var_14C], 200h
		jnz	short loc_8EFBD9
		push	[ebp+var_160]
		push	ds:dword_A94A5C
		push	ds:_SeLockMemoryPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_8EFBE3
		mov	ebx, 0C0000061h
		jmp	loc_7C0481
; 

loc_8EFBD9:				; CODE XREF: NtSetInformationVirtualMemory+12FB7Ej
					; NtSetInformationVirtualMemory+12FC15j
		mov	ebx, 0C00000BBh
		jmp	loc_7C0481
; 

loc_8EFBE3:				; CODE XREF: NtSetInformationVirtualMemory+12FB99j
		push	ecx
		mov	edx, [ebp+var_144]
		mov	ecx, esi
		call	_MiProcessVaContiguityInformation@12 ; MiProcessVaContiguityInformation(x,x,x)
		jmp	loc_7C047F
; 

loc_8EFBF6:				; CODE XREF: NtSetInformationVirtualMemory+12FB3Aj
		mov	eax, [ebp+var_140]
		mov	edi, [ebp+var_13C]
		cmp	[ebp+var_14C], 1
		jz	short loc_8EFC12
		mov	ebx, 0C00000F3h
		jmp	short loc_8EFC28
; 

loc_8EFC12:				; CODE XREF: NtSetInformationVirtualMemory+12FBD5j
		xor	ebx, ebx
		cmp	dword ptr [esi+4], 1000h
		setz	bl
		dec	ebx
		and	ebx, 37h
		add	ebx, 0C00000BBh

loc_8EFC28:				; CODE XREF: NtSetInformationVirtualMemory+12FBDCj
		mov	esi, [ebp+var_138]
		jmp	loc_7C03F3
; 

loc_8EFC33:				; CODE XREF: NtSetInformationVirtualMemory+12FB31j
		cmp	[ebp+var_14C], 0
		jnz	short loc_8EFC54
		mov	eax, [ebp+var_150]
		test	byte ptr [eax+0FCh], 10h
		jz	short loc_8EFBD9
		push	0
		push	3
		jmp	loc_7C0472
; 

loc_8EFC54:				; CODE XREF: NtSetInformationVirtualMemory+430j
					; NtSetInformationVirtualMemory+46Bj ...
		mov	ebx, 0C00000F3h
		jmp	loc_7C0481
; 

loc_8EFC5E:				; CODE XREF: NtSetInformationVirtualMemory+33Fj
		mov	ebx, 0C00000F2h
		jmp	loc_7C0487
; END OF FUNCTION CHUNK	FOR NtSetInformationVirtualMemory

;  S U B	R O U T	I N E 


sub_8EFC68	proc near		; DATA XREF: .text:006A332Co
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8EFC68	endp


;  S U B	R O U T	I N E 


sub_8EFC6E	proc near		; DATA XREF: .text:006A3330o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-15Ch]
		mov	edi, [ebp-13Ch]
		jmp	loc_7C03E7
sub_8EFC6E	endp

; 

loc_8EFC89:				; DATA XREF: .text:006A3320o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-198h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_8EFC9C:				; DATA XREF: .text:006A3324o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-198h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-138h]
		mov	edi, [ebp-13Ch]
		mov	eax, [ebp-19Ch]
		jmp	loc_7C03F3
; 
; START	OF FUNCTION CHUNK FOR NtSetInformationVirtualMemory

loc_8EFCC3:				; CODE XREF: NtSetInformationVirtualMemory+3C1j
		lea	eax, [ebp+var_134]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		jmp	loc_7C03FB
; 

loc_8EFCD4:				; CODE XREF: NtSetInformationVirtualMemory+3CFj
		call	ObfDereferenceObject
		jmp	loc_7C0409
; 

loc_8EFCDE:				; CODE XREF: NtSetInformationVirtualMemory+3EAj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7C0424
; 

loc_8EFCEB:				; CODE XREF: NtSetInformationVirtualMemory+3F8j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7C0432
; 

loc_8EFCF8:				; CODE XREF: NtSetInformationVirtualMemory+E0j
					; NtSetInformationVirtualMemory+EBj
		mov	eax, 0C00000F1h
		jmp	loc_7C00F0
; 

loc_8EFD02:				; CODE XREF: NtSetInformationVirtualMemory+7Fj
					; NtSetInformationVirtualMemory+91j ...
		mov	eax, 0C00000F0h
		jmp	loc_7C00F0
; END OF FUNCTION CHUNK	FOR NtSetInformationVirtualMemory
; 
; START	OF FUNCTION CHUNK FOR MiCfgMarkValidEntries

loc_8EFD0C:				; CODE XREF: MiCfgMarkValidEntries+40j
					; MiCfgMarkValidEntries+12F64Cj
		mov	eax, [ebx+ecx*8-8]
		cmp	eax, [ebx+ecx*8]
		ja	loc_8EFD9E
		inc	ecx
		cmp	ecx, edi
		jb	short loc_8EFD0C
		jmp	loc_7C0716
; 

loc_8EFD23:				; CODE XREF: MiCfgMarkValidEntries+8Dj
		test	al, 1
		jnz	loc_7C0842
		jmp	loc_7C0763
; 

loc_8EFD30:				; CODE XREF: MiCfgMarkValidEntries+B2j
		mov	eax, 0C0000045h
		jmp	loc_7C0803
; 

loc_8EFD3A:				; CODE XREF: MiCfgMarkValidEntries+F1j
		and	[ebp+arg_4], 0
		test	dword ptr [esi+1Ch], 100000h
		jnz	short loc_8EFD94
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	ecx, [esi+2Ch]
		cmp	[ecx], eax
		jnz	short loc_8EFD94
		mov	ecx, [esi+0Ch]
		mov	eax, ecx
		shl	eax, 0Ch
		cmp	eax, edx
		jnz	short loc_8EFD94
		lea	eax, [ebp+arg_4]
		mov	edx, ecx
		push	eax
		push	0
		mov	ecx, esi
		call	MiGetProtoPteAddress
		mov	ecx, [ebp+var_C]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, [esi+30h]
		mov	ecx, [ebp+arg_4]
		push	eax
		call	MiStartingOffset
		cmp	eax, [ebp+arg_18]
		jnz	short loc_8EFD94
		cmp	edx, [ebp+arg_1C]
		jnz	short loc_8EFD94
		mov	edx, [ebp+var_4]
		jmp	loc_7C07C7
; 

loc_8EFD94:				; CODE XREF: MiCfgMarkValidEntries+E6j
					; MiCfgMarkValidEntries+12F675j ...
		mov	edi, 0C000000Dh
		jmp	loc_7C07FA
; 

loc_8EFD9E:				; CODE XREF: MiCfgMarkValidEntries+2Fj
					; MiCfgMarkValidEntries+4Aj ...
		mov	eax, 0C000000Dh
		jmp	loc_7C0803
; END OF FUNCTION CHUNK	FOR MiCfgMarkValidEntries
; 
; START	OF FUNCTION CHUNK FOR MiProcessVaRangesInfoClass

loc_8EFDA8:				; CODE XREF: MiProcessVaRangesInfoClass+70j
		mov	edi, ecx
		mov	[esp+30h+var_18], 1
		shl	edi, 0Ch
		dec	edx
		or	edi, 0FFFh
		lea	eax, [edi+1]
		mov	[esp+30h+var_14], eax
		mov	eax, [esp+30h+var_20]
		sub	eax, edi
		add	edx, eax
		mov	[esp+30h+var_1C], edx
		jmp	loc_7C08E6
; 

loc_8EFDD4:				; CODE XREF: MiProcessVaRangesInfoClass+8Ej
		mov	eax, [ebx+1Ch]
		and	eax, 5100000h
		cmp	eax, 4100000h
		jz	short loc_8EFDF7
		mov	ecx, [esp+30h+var_20]
		mov	edx, edi
		push	2
		push	0
		call	MiMoveDirtyBitsToPfns
		jmp	loc_7C0915
; 

loc_8EFDF7:				; CODE XREF: MiProcessVaRangesInfoClass+12F571j
		mov	esi, 0C00000BBh
		jmp	loc_7C0915
; END OF FUNCTION CHUNK	FOR MiProcessVaRangesInfoClass

;  S U B	R O U T	I N E 


sub_8EFE01	proc near		; DATA XREF: .text:006A336Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EFE01	endp


;  S U B	R O U T	I N E 


sub_8EFE0F	proc near		; DATA XREF: .text:006A3370o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7C09DA
sub_8EFE0F	endp


;  S U B	R O U T	I N E 


sub_8EFE21	proc near		; DATA XREF: .text:006A3378o
		xor	eax, eax
		inc	eax
		retn
sub_8EFE21	endp


;  S U B	R O U T	I N E 


sub_8EFE25	proc near		; DATA XREF: .text:006A337Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp+0Ch]
		jmp	loc_7C09DA
sub_8EFE25	endp

; 
; START	OF FUNCTION CHUNK FOR SepAssemblePrivileges

loc_8EFE37:				; CODE XREF: SepAssemblePrivileges+6Bj
		imul	ecx, eax, 0Ch
		mov	eax, ds:_SeRelabelPrivilege
		mov	[ecx+edx+8], eax
		mov	eax, ds:dword_A94A4C
		mov	[ecx+edx+0Ch], eax
		imul	eax, [edx], 0Ch
		mov	[eax+edx+10h], edi
		inc	dword ptr [edx]
		jmp	loc_7C0A7F
; END OF FUNCTION CHUNK	FOR SepAssemblePrivileges

;  S U B	R O U T	I N E 


sub_8EFE5A	proc near		; CODE XREF: ObpAssignSecurity+136j

arg_C		= dword	ptr  14h

		push	ebx
		push	[esp+arg_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7C0C04
sub_8EFE5A	endp

; 
; START	OF FUNCTION CHUNK FOR ObpAssignSecurity

loc_8EFE69:				; CODE XREF: ObpAssignSecurity+DCj
		lea	eax, [esp+4Ch+var_38]
		push	eax
		call	_SeDeassignSecurity@4 ;	SeDeassignSecurity(x)
		jmp	loc_7C0BAA
; END OF FUNCTION CHUNK	FOR ObpAssignSecurity
; 
; START	OF FUNCTION CHUNK FOR RtlRunOnceExecuteOnce

loc_8EFE78:				; CODE XREF: RtlRunOnceExecuteOnce+27j
					; RtlRunOnceExecuteOnce+6Cj ...
		mov	ecx, large fs:124h
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		push	esi
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

loc_8EFE8B:				; CODE XREF: RtlRunOnceBeginInitialize+5Ej
		cmp	ecx, 1
		jnz	short loc_8EFEAC
		test	ebx, ebx
		jnz	short loc_8EFEA2
		mov	edx, edi
		mov	ecx, eax
		call	_RtlpRunOnceWaitForInit@8 ; RtlpRunOnceWaitForInit(x,x)
		jmp	loc_7C0D03
; 

loc_8EFEA2:				; CODE XREF: RtlRunOnceExecuteOnce+12F284j
		mov	esi, 0C00000F0h
		jmp	loc_7C0CF0
; 

loc_8EFEAC:				; CODE XREF: RtlRunOnceExecuteOnce+12F280j
		cmp	ecx, 3
		jnz	loc_7C0CE4
		mov	esi, ebx
		neg	esi
		sbb	esi, esi
		and	esi, 40000013h
		add	esi, 0C00000F0h
		jmp	loc_7C0CF0
; END OF FUNCTION CHUNK	FOR RtlRunOnceExecuteOnce
; 
; START	OF FUNCTION CHUNK FOR RtlRunOnceComplete

loc_8EFECC:				; CODE XREF: RtlRunOnceComplete+72j
		cmp	edx, 3
		jnz	short loc_8EFEF3
		test	al, 1
		jnz	loc_7C0DDB
		mov	eax, [ebp+arg_4]
		lock cmpxchg [edi], ecx
		cmp	eax, [ebp+arg_4]
		jz	loc_7C0DD0
		mov	eax, 0C0000035h
		jmp	loc_7C0D8B
; 

loc_8EFEF3:				; CODE XREF: RtlRunOnceComplete+12F18Fj
		mov	eax, 0C0000001h
		jmp	loc_7C0D8B
; END OF FUNCTION CHUNK	FOR RtlRunOnceComplete
; 
; START	OF FUNCTION CHUNK FOR RtlpRunOnceWakeAll

loc_8EFEFD:				; CODE XREF: RtlpRunOnceWakeAll+Fj
					; RtlpRunOnceWakeAll+12F131j
		mov	esi, [eax]
		mov	ecx, [eax+0Ch]
		add	eax, 14h
		lock bts dword ptr [eax], 2
		call	KeAlertThreadByThreadId
		mov	eax, esi
		test	esi, esi
		jnz	short loc_8EFEFD
		jmp	loc_7C0DF7
; END OF FUNCTION CHUNK	FOR RtlpRunOnceWakeAll
; 
; START	OF FUNCTION CHUNK FOR AlpcpTrackPortReferences

loc_8EFF1A:				; CODE XREF: AlpcpTrackPortReferences+19j
		push	esi
		lea	esi, [edi+0D0h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+0F0h]
		test	eax, eax
		jz	short loc_8EFF43
		cmp	ebx, [eax+10h]
		jnz	short loc_8EFF43
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_8EFF43:				; CODE XREF: AlpcpTrackPortReferences+12F136j
					; AlpcpTrackPortReferences+12F13Bj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8EFF57
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8EFF57:				; CODE XREF: AlpcpTrackPortReferences+12F152j
		mov	ecx, esi
		pop	esi
		pop	edi
		pop	ebx
		jmp	KeAbPostRelease
; END OF FUNCTION CHUNK	FOR AlpcpTrackPortReferences

;  S U B	R O U T	I N E 


sub_8EFF61	proc near		; DATA XREF: .text:006A33F4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8EFF61	endp


;  S U B	R O U T	I N E 


sub_8EFF6F	proc near		; DATA XREF: .text:006A33F8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_7C0E8A
sub_8EFF6F	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryPerformanceCounter

loc_8EFF81:				; CODE XREF: NtQueryPerformanceCounter+22j
		lea	eax, [ebp+var_24]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_7C0E88
		mov	eax, [ebp+var_24]
		mov	[ecx], eax
		mov	eax, [ebp+var_20]
		mov	[ecx+4], eax
		jmp	loc_7C0E88
; END OF FUNCTION CHUNK	FOR NtQueryPerformanceCounter
; 
; START	OF FUNCTION CHUNK FOR EtwpFreeSoftRestartContext

loc_8EFFAE:				; CODE XREF: EtwpFreeSoftRestartContext+Ej
		call	_EtwpCancelMemoryPreservation@4	; EtwpCancelMemoryPreservation(x)
		lea	eax, [edi+0Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+2E0h], 0
		jmp	loc_7C1320
; END OF FUNCTION CHUNK	FOR EtwpFreeSoftRestartContext
; 
; START	OF FUNCTION CHUNK FOR EtwpFreeDisallowedGuids

loc_8EFFD0:				; CODE XREF: EtwpFreeDisallowedGuids+Bj
		push	edi
		push	dword ptr [esi+4]
		xor	eax, eax
		mov	[esi], ax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+4], edi
		jmp	loc_7C1335
; END OF FUNCTION CHUNK	FOR EtwpFreeDisallowedGuids
; 
; START	OF FUNCTION CHUNK FOR EtwpShutdownConsumers

loc_8EFFE6:				; CODE XREF: EtwpShutdownConsumers+2Ej
		push	esi
		mov	esi, [edi+10Ch]
		xor	edx, edx
		push	0FFFFFFDFh
		mov	[edi+10Ch], edx
		mov	[edi+28h], edx
		pop	eax
		lock and [ecx],	eax
		push	edx
		push	edx
		lea	eax, [edi+164h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	0
		push	0
		push	dword ptr [esi+18h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, esi
		call	ObfDereferenceObject
		pop	esi
		jmp	loc_7C136C
; END OF FUNCTION CHUNK	FOR EtwpShutdownConsumers
; 
; START	OF FUNCTION CHUNK FOR EtwpRealtimeDisconnectAllConsumers

loc_8F0025:				; CODE XREF: EtwpRealtimeDisconnectAllConsumers+11j
		cmp	[esi+4], edi
		jnz	short loc_8F0058
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_8F0058
		mov	[edi], eax
		push	0
		mov	[eax+4], edi
		dec	dword ptr [ebx+108h]
		or	byte ptr [esi+32h], 4
		push	0
		push	dword ptr [esi+18h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	loc_7C1385
; 

loc_8F0058:				; CODE XREF: EtwpRealtimeDisconnectAllConsumers+12ECB0j
					; EtwpRealtimeDisconnectAllConsumers+12ECB7j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8F005D:				; CODE XREF: NtAlpcOpenSenderProcess+79j
		mov	ecx, edx
		jmp	loc_7C141F
; END OF FUNCTION CHUNK	FOR EtwpRealtimeDisconnectAllConsumers
; 
; START	OF FUNCTION CHUNK FOR NtAlpcOpenSenderProcess

loc_8F0064:				; CODE XREF: NtAlpcOpenSenderProcess+8Dj
		mov	esi, eax
		jmp	loc_7C1433
; 

loc_8F006B:				; CODE XREF: NtAlpcOpenSenderProcess+A6j
		mov	esi, eax
		jmp	loc_7C144C
; END OF FUNCTION CHUNK	FOR NtAlpcOpenSenderProcess

;  S U B	R O U T	I N E 


sub_8F0072	proc near		; DATA XREF: .text:006A3434o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F0072	endp


;  S U B	R O U T	I N E 


sub_8F0080	proc near		; DATA XREF: .text:006A3438o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-1Ch]
		call	ObfDereferenceObject
		mov	esi, [ebp-2Ch]
		jmp	loc_7C1514
sub_8F0080	endp

; 
; START	OF FUNCTION CHUNK FOR NtAlpcOpenSenderProcess

loc_8F0093:				; CODE XREF: NtAlpcOpenSenderProcess+D5j
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	loc_7C151B
; 

loc_8F009F:				; CODE XREF: NtAlpcOpenSenderProcess+108j
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_8F00AF
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_8F00AF:				; CODE XREF: NtAlpcOpenSenderProcess+12ED06j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	esi, 0C000000Bh
		jmp	loc_7C151B
; 

loc_8F00C7:				; CODE XREF: NtAlpcOpenSenderProcess+12EDB3j
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8F00CE:				; CODE XREF: NtAlpcOpenSenderProcess+12EDADj
		mov	ecx, edi
		call	KeAbPostRelease

loc_8F00D5:				; CODE XREF: NtAlpcOpenSenderProcess+1A3j
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_8F00E5
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_8F00E5:				; CODE XREF: NtAlpcOpenSenderProcess+12ED3Cj
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	esi, 0C0000022h
		jmp	loc_7C151B
; 

loc_8F00FD:				; CODE XREF: NtAlpcOpenSenderProcess+1C2j
		xor	ecx, ecx
		push	11h
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_8F0112
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8F0112:				; CODE XREF: NtAlpcOpenSenderProcess+12ED69j
		mov	ecx, edi
		call	KeAbPostRelease
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_8F0129
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_8F0129:				; CODE XREF: NtAlpcOpenSenderProcess+12ED80j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	esi, 0C0000037h
		jmp	loc_7C151B
; 

loc_8F0141:				; CODE XREF: NtAlpcOpenSenderProcess+1D7j
		xor	ecx, ecx
		push	11h
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	loc_8F00CE
		jmp	loc_8F00C7
; 

loc_8F0158:				; CODE XREF: NtAlpcOpenSenderProcess+127j
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	loc_7C14CD
; END OF FUNCTION CHUNK	FOR NtAlpcOpenSenderProcess

;  S U B	R O U T	I N E 


sub_8F0164	proc near		; DATA XREF: .text:006A3440o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F0164	endp


;  S U B	R O U T	I N E 


sub_8F0172	proc near		; DATA XREF: .text:006A3444o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-30h]
		jmp	loc_7C1514
sub_8F0172	endp


;  S U B	R O U T	I N E 


sub_8F017D	proc near		; DATA XREF: .text:006A3460o
		mov	al, [ebp-19h]
		mov	esi, [ebp+8]
		jmp	sub_7C16B9
sub_8F017D	endp

; 
; START	OF FUNCTION CHUNK FOR PfSnVolumeKeyQuery

loc_8F0188:				; CODE XREF: PfSnVolumeKeyQuery+40j
		mov	ecx, esi
		call	_PfSnFailProcessTrace@4	; PfSnFailProcessTrace(x)
		mov	eax, 0C000009Ah
		jmp	loc_7C1715
; END OF FUNCTION CHUNK	FOR PfSnVolumeKeyQuery
; 
; START	OF FUNCTION CHUNK FOR PfSnArrayGrow

loc_8F0199:				; CODE XREF: PfSnArrayGrow+5Aj
		push	eax		; size_t
		mov	eax, [ebp+arg_8]
		push	dword ptr [eax]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_7C17C2
; 

loc_8F01AD:				; CODE XREF: PfSnArrayGrow+67j
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_8]
		jmp	loc_7C17CF
; END OF FUNCTION CHUNK	FOR PfSnArrayGrow
; 
; START	OF FUNCTION CHUNK FOR ExHandleSPCall2

loc_8F01BC:				; CODE XREF: ExHandleSPCall2+2Fj
		mov	ebx, 0C0000023h
		jmp	loc_7C193B
; 

loc_8F01C6:				; CODE XREF: ExHandleSPCall2+42j
					; ExHandleSPCall2+4Aj
		mov	byte ptr [eax],	0
		jmp	loc_7C1860
; 

loc_8F01CE:				; CODE XREF: ExHandleSPCall2+6Ej
					; ExHandleSPCall2+76j
		mov	byte ptr [eax],	0
		jmp	loc_7C188C
; 

loc_8F01D6:				; CODE XREF: ExHandleSPCall2+A3j
		mov	ebx, 0C0000017h
		jmp	short loc_8F01F8
; 

loc_8F01DD:				; CODE XREF: ExHandleSPCall2+80j
					; ExHandleSPCall2+88j
		mov	ebx, 0C0000023h
		jmp	short loc_8F01F8
; END OF FUNCTION CHUNK	FOR ExHandleSPCall2

;  S U B	R O U T	I N E 


sub_8F01E4	proc near		; DATA XREF: .text:006A347Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F01E4	endp


;  S U B	R O U T	I N E 


sub_8F01F2	proc near		; DATA XREF: .text:006A3480o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-38h]
sub_8F01F2	endp

; START	OF FUNCTION CHUNK FOR ExHandleSPCall2

loc_8F01F8:				; CODE XREF: ExHandleSPCall2+12E9CBj
					; ExHandleSPCall2+12E9D2j
		mov	[ebp+var_1C], ebx
		jmp	loc_7C18D2
; 

loc_8F0200:				; CODE XREF: ExHandleSPCall2+F6j
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+var_34]
		mov	[ecx+0Ch], eax
		jmp	loc_7C1938
; 

loc_8F020E:				; CODE XREF: ExHandleSPCall2+102j
		mov	ebx, 0C0000023h
		mov	[ebp+var_1C], ebx
		jmp	loc_7C1938
; END OF FUNCTION CHUNK	FOR ExHandleSPCall2

;  S U B	R O U T	I N E 


sub_8F021B	proc near		; DATA XREF: .text:006A3488o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F021B	endp


;  S U B	R O U T	I N E 


sub_8F0229	proc near		; DATA XREF: .text:006A348Co
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-3Ch]
		mov	[ebp-1Ch], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7C193B
sub_8F0229	endp

; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceMappedPropertyFromRegProp

loc_8F023E:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+7Fj
					; _CmGetDeviceMappedPropertyFromRegProp+173j ...
		mov	ebx, 0C000000Dh
		jmp	loc_7C1C6E
; 

loc_8F0248:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+F8j
		mov	eax, [ebp+var_88]
		mov	ecx, [ebp+var_9C]
		jmp	loc_7C1A8C
; 

loc_8F0259:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+109j
		mov	ebx, 0C0000016h
		jmp	loc_7C1C6E
; 

loc_8F0263:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+314j
		mov	ebx, 0C0000017h
		jmp	loc_7C1C6E
; 

loc_8F026D:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+345j
		mov	ebx, eax
		mov	eax, [ebp+var_8C]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7C1C61
; 

loc_8F0282:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+2CDj
		and	dword ptr [esi], 0
		mov	ebx, 0C00000E5h
		jmp	loc_7C1C6E
; 

loc_8F028F:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+207j
		mov	[esi], eax
		mov	[edi], eax
		jmp	loc_8F034F
; 

loc_8F0298:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+130j
		push	[ebp+arg_18]
		mov	edx, [ebp+var_80]
		lea	eax, [ebp+var_70]
		mov	ecx, [ebp+var_84]
		push	eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_70], 4
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		push	1Bh
		push	[ebp+var_90]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7C1C61
		mov	eax, [ebp+var_74]
		cmp	eax, [edi+0Ch]
		jnz	loc_8F023E
		mov	ecx, [ebp+var_94]
		mov	dword ptr [esi], 1
		mov	eax, [edi+4]
		mov	[ecx], eax
		mov	eax, [ebp+var_7C]
		cmp	eax, [esi]
		jb	short loc_8F030B
		cmp	[ebp+var_A0], 0
		mov	ecx, [ebp+var_78]
		setz	al
		dec	al
		mov	[ecx], al
		jmp	loc_7C1C61
; 

loc_8F030B:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+25Fj
					; _CmGetDeviceMappedPropertyFromRegProp+12E933j
		mov	ebx, 0C0000023h
		jmp	loc_7C1C6E
; 

loc_8F0315:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+126j
		mov	ebx, 0C00000BBh
		jmp	loc_7C1C6E
; 

loc_8F031F:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+2A8j
		mov	edx, [ebp+var_80]
		lea	eax, [ebp+var_A4]
		mov	ecx, [ebp+var_84]
		push	0
		push	eax
		push	0
		push	1
		push	0
		push	10h
		call	_CmOpenDeviceRegKey
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_8F0359
		push	[ebp+var_A4]
		call	_ZwClose@4	; ZwClose(x)

loc_8F034F:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+12E8D3j
		mov	ebx, 0C0000225h
		jmp	loc_7C1C6E
; 

loc_8F0359:				; CODE XREF: _CmGetDeviceMappedPropertyFromRegProp+12E982j
		cmp	ebx, esi
		jz	loc_7C1C6E
		cmp	ebx, 0C00000C0h
		jz	loc_7C1C6E
		mov	ebx, 0C0000001h
		jmp	loc_7C1C6E
; END OF FUNCTION CHUNK	FOR _CmGetDeviceMappedPropertyFromRegProp
; 
; START	OF FUNCTION CHUNK FOR RtlDowncaseUnicodeString

loc_8F0377:				; CODE XREF: RtlDowncaseUnicodeString+1Bj
		mov	[esi+2], ax
		push	ecx
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[esi+4], eax
		test	eax, eax
		jnz	short loc_8F0392
		mov	eax, 0C0000017h
		jmp	loc_7C1E37
; 

loc_8F0392:				; CODE XREF: RtlDowncaseUnicodeString+12E5C6j
		movzx	ecx, word ptr [ebx]
		jmp	loc_7C1DE7
; END OF FUNCTION CHUNK	FOR RtlDowncaseUnicodeString

;  S U B	R O U T	I N E 


sub_8F039A	proc near		; DATA XREF: .text:006A34A8o
		mov	ebx, [ebp+0Ch]
		mov	esi, [ebp+8]
		jmp	sub_7C1E49
sub_8F039A	endp

; 
; START	OF FUNCTION CHUNK FOR sub_7C1E49

loc_8F03A5:				; CODE XREF: sub_7C1E49+4j
		cmp	byte ptr [ebp+10h], 0
		jz	locret_7C1E53
		push	dword ptr [esi+4]
		call	_ExFreePool@4	; ExFreePool(x)
		and	dword ptr [esi+4], 0
		retn
; END OF FUNCTION CHUNK	FOR sub_7C1E49
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepQuerySystemSecurityAttributeAndValues

loc_8F03BC:				; CODE XREF: AuthzBasepQuerySystemSecurityAttributeAndValues+Fj
		mov	eax, [esi+28h]
		mov	edx, [eax]
		mov	eax, [esi+20h]
		add	eax, 2Ch
		cmp	edx, eax
		jnz	loc_7C1ECE
		mov	edi, 8000001Ah
		jmp	loc_7C1EDA
; END OF FUNCTION CHUNK	FOR AuthzBasepQuerySystemSecurityAttributeAndValues
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepFindSystemSecurityAttribute

loc_8F03D9:				; CODE XREF: AuthzBasepFindSystemSecurityAttribute+60j
		lea	ebx, [esi-8]
		test	byte ptr [ebx+20h], 1
		jnz	short loc_8F03F8
		push	ecx
		lea	ecx, [ebx+10h]
		mov	edx, edi
		call	AuthzBasepEqualUnicodeString
		test	al, al
		jnz	loc_7C1F25
		mov	ecx, [ebp+var_8]

loc_8F03F8:				; CODE XREF: AuthzBasepFindSystemSecurityAttribute+12E4FAj
		mov	esi, [esi]
		lea	eax, [ecx+10h]
		jmp	loc_7C1F44
; END OF FUNCTION CHUNK	FOR AuthzBasepFindSystemSecurityAttribute
; 
; START	OF FUNCTION CHUNK FOR PopEtEnergyTrackerCleanupAggregates

loc_8F0402:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+27j
		mov	eax, [ebx]
		mov	ecx, [esi]
		jmp	loc_7C2AAD
; 

loc_8F040B:				; CODE XREF: PopEtEnergyTrackerCleanupAggregates+88j
		and	dword ptr [edi+254h], 0FFFFFFFBh
		lea	eax, [edi+58h]
		push	1C8h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_4]
		add	esp, 0Ch
		jmp	loc_7C2A95
; END OF FUNCTION CHUNK	FOR PopEtEnergyTrackerCleanupAggregates
; 
; START	OF FUNCTION CHUNK FOR SepMakeTokenEffectiveOnly

loc_8F042E:				; CODE XREF: SepMakeTokenEffectiveOnly+4Ej
		and	dword ptr [ecx+90h], 0
		xor	eax, eax
		jmp	loc_7C33B2
; 

loc_8F043C:				; CODE XREF: SepMakeTokenEffectiveOnly+62j
		or	dword ptr [ecx+0B8h], 0FFFFFFFFh
		or	[ebp+var_4], 0FFFFFFFFh
		jmp	loc_7C33C6
; END OF FUNCTION CHUNK	FOR SepMakeTokenEffectiveOnly
; 
; START	OF FUNCTION CHUNK FOR NtRemoveIoCompletion

loc_8F044C:				; CODE XREF: NtRemoveIoCompletion+4Aj
		mov	ecx, eax
		jmp	loc_7C3442
; 

loc_8F0453:				; CODE XREF: NtRemoveIoCompletion+5Ej
		mov	ecx, eax
		jmp	loc_7C3456
; 

loc_8F045A:				; CODE XREF: NtRemoveIoCompletion+72j
		mov	ecx, eax
		jmp	loc_7C346A
; END OF FUNCTION CHUNK	FOR NtRemoveIoCompletion

;  S U B	R O U T	I N E 


sub_8F0461	proc near		; DATA XREF: .text:006A3534o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F0461	endp


;  S U B	R O U T	I N E 


sub_8F0471	proc near		; DATA XREF: .text:006A3538o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-28h]
		jmp	loc_7C34FD
sub_8F0471	endp

; 
; START	OF FUNCTION CHUNK FOR NtRemoveIoCompletion

loc_8F0483:				; CODE XREF: NtRemoveIoCompletion+37j
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	loc_7C3480
		mov	[ebp+var_1C], eax
		jmp	loc_7C3480
; END OF FUNCTION CHUNK	FOR NtRemoveIoCompletion

;  S U B	R O U T	I N E 


sub_8F0496	proc near		; DATA XREF: .text:006A3540o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F0496	endp


;  S U B	R O U T	I N E 


sub_8F04A4	proc near		; DATA XREF: .text:006A3544o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-34h]
		jmp	loc_7C34F4
sub_8F04A4	endp

; 
; START	OF FUNCTION CHUNK FOR NtRemoveIoCompletion

loc_8F04AF:				; CODE XREF: NtRemoveIoCompletion+DBj
		mov	ecx, [ebp+var_4C]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	ecx, [ebp+var_48]
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		mov	eax, [ebp+var_44]
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		mov	eax, [ebp+var_40]
		mov	[ecx+4], eax
		jmp	loc_7C34FB
; END OF FUNCTION CHUNK	FOR NtRemoveIoCompletion
; 
; START	OF FUNCTION CHUNK FOR RawCleanupVcb

loc_8F04D2:				; CODE XREF: RawCleanupVcb+10j
		test	byte ptr [esi+48h], 8
		jz	loc_7C3557
		push	edi
		push	dword ptr [esi+8Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+8Ch], edi
		jmp	loc_7C3557
; END OF FUNCTION CHUNK	FOR RawCleanupVcb
; 
; START	OF FUNCTION CHUNK FOR FsRtlTeardownPerStreamContexts

loc_8F04F3:				; CODE XREF: FsRtlTeardownPerStreamContexts+2Fj
		mov	ecx, [esi+28h]
		call	ExAcquireFastMutex
		jmp	loc_7C35CF
; 

loc_8F0500:				; CODE XREF: FsRtlTeardownPerStreamContexts+7Fj
		mov	ecx, [esi+28h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_7C361A
; 

loc_8F050D:				; CODE XREF: FsRtlTeardownPerStreamContexts+A7j
		mov	ecx, [esi+28h]
		call	ExAcquireFastMutex
		jmp	loc_7C3647
; END OF FUNCTION CHUNK	FOR FsRtlTeardownPerStreamContexts

;  S U B	R O U T	I N E 


sub_8F051A	proc near		; DATA XREF: .text:006A3560o
		mov	esi, [ebp+8]
		mov	al, [ebp-19h]
		jmp	sub_7C365F
sub_8F051A	endp

; 
; START	OF FUNCTION CHUNK FOR sub_7C365F

loc_8F0525:				; CODE XREF: sub_7C365F+Bj
		mov	ecx, [esi+28h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		retn
; END OF FUNCTION CHUNK	FOR sub_7C365F
; 
; START	OF FUNCTION CHUNK FOR NtCreateWaitCompletionPacket

loc_8F052E:				; CODE XREF: NtCreateWaitCompletionPacket+34j
		mov	ecx, eax
		jmp	loc_7C36C6
; END OF FUNCTION CHUNK	FOR NtCreateWaitCompletionPacket

;  S U B	R O U T	I N E 


sub_8F0535	proc near		; DATA XREF: .text:006A357Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F0535	endp


;  S U B	R O U T	I N E 


sub_8F0545	proc near		; DATA XREF: .text:006A3580o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_7C3738
sub_8F0545	endp


;  S U B	R O U T	I N E 


sub_8F0557	proc near		; DATA XREF: .text:006A3588o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F0557	endp


;  S U B	R O U T	I N E 


sub_8F055D	proc near		; DATA XREF: .text:006A358Co
		mov	esp, [ebp-18h]
		jmp	loc_7C372E
sub_8F055D	endp


;  S U B	R O U T	I N E 


sub_8F0565	proc near		; DATA XREF: .text:006A35A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F0565	endp


;  S U B	R O U T	I N E 


sub_8F0573	proc near		; DATA XREF: .text:006A35A8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-44h]
		jmp	loc_7C389B
sub_8F0573	endp


;  S U B	R O U T	I N E 


sub_8F057E	proc near		; DATA XREF: .text:006A35C4o
		xor	eax, eax
		inc	eax
		retn
sub_8F057E	endp


;  S U B	R O U T	I N E 


sub_8F0582	proc near		; DATA XREF: .text:006A35C8o
		mov	esp, [ebp-18h]
		jmp	loc_7C390F
sub_8F0582	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlNotifyFilterChangeDirectory

loc_8F058A:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+41j
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_FsRtlCheckNotifyForDelete@8 ; FsRtlCheckNotifyForDelete(x,x)
		jmp	loc_7C4103
; 

loc_8F0599:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+84j
		mov	edx, [ebp+arg_1C]

loc_8F059C:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+5Fj
		xor	ecx, ecx
		inc	ecx
		or	[edx+3], cl
		mov	dword ptr [edi+18h], 10Bh
		jmp	short loc_8F05C4
; 

loc_8F05AB:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+12C60Ej
		and	eax, 0FFFDh
		mov	[esi+24h], ax
		mov	eax, [edi+60h]
		xor	ecx, ecx
		inc	ecx
		or	[eax+3], cl
		mov	dword ptr [edi+18h], 10Ch

loc_8F05C4:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+12C585j
					; FsRtlNotifyFilterChangeDirectory+12C603j
		mov	dl, cl
		mov	ecx, edi
		call	IofCompleteRequest
		jmp	loc_7C4103
; 

loc_8F05D2:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+166j
		or	[esi+24h], cx
		jmp	loc_7C4190
; 

loc_8F05DB:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+170j
		push	2
		pop	eax
		mov	[ebp+arg_10], eax
		mov	ebx, [ebp+arg_C]
		cmp	[ebx], ax
		jb	short loc_8F05F8
		mov	eax, [ebx+4]
		cmp	byte ptr [eax+1], 0
		jnz	short loc_8F05F8
		mov	byte ptr [esi+54h], 2
		jmp	short loc_8F05FE
; 

loc_8F05F8:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+12C5C3j
					; FsRtlNotifyFilterChangeDirectory+12C5CCj
		mov	[esi+54h], cl
		mov	[ebp+arg_10], ecx

loc_8F05FE:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+12C5D2j
		mov	eax, [ebp+arg_C]
		mov	ebx, [ebp+arg_10]
		cmp	[eax], bx
		jnz	loc_7C419D
		or	word ptr [esi+24h], 10h
		jmp	loc_7C419D
; 

loc_8F0617:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+8Cj
		xor	ecx, ecx
		inc	ecx
		mov	edx, [ebp+arg_1C]
		or	[edx+3], cl
		mov	dword ptr [edi+18h], 0C0000056h
		jmp	short loc_8F05C4
; 

loc_8F0629:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+97j
		test	cx, cx
		jnz	loc_7C40C1
		jmp	loc_8F05AB
; 

loc_8F0637:				; CODE XREF: FsRtlNotifyFilterChangeDirectory+A8j
		test	cx, cx
		jnz	loc_7C40D2
		xor	eax, eax
		mov	[esi+3Ch], eax
		mov	[esi+40h], eax
		push	eax
		push	eax
		push	[ebp+arg_10]
		mov	edx, esi
		mov	ecx, edi
		call	FsRtlNotifyCompleteIrp
		jmp	loc_7C4103
; END OF FUNCTION CHUNK	FOR FsRtlNotifyFilterChangeDirectory

;  S U B	R O U T	I N E 


sub_8F065B	proc near		; DATA XREF: .text:006A3610o
		mov	ebx, [ebp+8]
		jmp	sub_7C41E0
sub_8F065B	endp

; 
; START	OF FUNCTION CHUNK FOR sub_7C41E0

loc_8F0663:				; CODE XREF: sub_7C41E0+1Cj
		push	esi
		call	SeReleaseSubjectContext
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	locret_7C4202
; END OF FUNCTION CHUNK	FOR sub_7C41E0
; 
; START	OF FUNCTION CHUNK FOR FsRtlNotifyCompleteIrp

loc_8F0676:				; CODE XREF: FsRtlNotifyCompleteIrp+6Bj
		test	byte ptr [eax+6], 5
		jz	short loc_8F0681
		mov	ecx, [eax+0Ch]
		jmp	short loc_8F0693
; 

loc_8F0681:				; CODE XREF: FsRtlNotifyCompleteIrp+12BF6Cj
		push	40000010h
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	eax
		call	MmMapLockedPagesSpecifyCache
		mov	ecx, eax

loc_8F0693:				; CODE XREF: FsRtlNotifyCompleteIrp+12BF71j
		test	ecx, ecx
		jz	short loc_8F06A4
		push	edi
		mov	eax, [ebp+var_1C]
		push	dword ptr [eax+2Ch]
		push	ecx
		jmp	loc_7C4801
; 

loc_8F06A4:				; CODE XREF: FsRtlNotifyCompleteIrp+12BF87j
		mov	eax, 10Ch
		mov	[ebp+arg_8], eax
		mov	[ebp+arg_4], eax
		mov	edi, ebx
		mov	[ebp+arg_0], edi
		jmp	loc_7C4795
; END OF FUNCTION CHUNK	FOR FsRtlNotifyCompleteIrp

;  S U B	R O U T	I N E 


sub_8F06B9	proc near		; DATA XREF: .text:006A3664o
		xor	eax, eax
		inc	eax
		retn
sub_8F06B9	endp


;  S U B	R O U T	I N E 


sub_8F06BD	proc near		; DATA XREF: .text:006A3668o
		mov	esp, [ebp-18h]
		mov	eax, 10Ch
		mov	[ebp+10h], eax
		mov	[ebp+0Ch], eax
		xor	ebx, ebx
		mov	edi, ebx
		mov	[ebp+8], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-24h]
		jmp	loc_7C479C
sub_8F06BD	endp


;  S U B	R O U T	I N E 


sub_8F06E1	proc near		; DATA XREF: .text:006A3688o
		mov	esi, [ebp+8]
		jmp	sub_7C4891
sub_8F06E1	endp

; 
; START	OF FUNCTION CHUNK FOR sub_7C4891

loc_8F06E9:				; CODE XREF: sub_7C4891+16j
		push	esi
		call	SeReleaseSubjectContext
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
; END OF FUNCTION CHUNK	FOR sub_7C4891
; 
; START	OF FUNCTION CHUNK FOR FsRtlNotifyFilterChangeDirectoryLite

loc_8F06F8:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+1E0j
		lea	eax, [ebp+var_1C]
		push	eax
		call	_FsRtlNotifyUninitializeSync@4 ; FsRtlNotifyUninitializeSync(x)
		jmp	loc_7C48DB
; 

loc_8F0706:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+51j
		mov	ecx, [ebp+arg_4]
		call	_FsRtlCheckNotifyForDeleteLite@4 ; FsRtlCheckNotifyForDeleteLite(x)
		jmp	loc_7C4A16
; 

loc_8F0713:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+6Dj
		xor	ecx, ecx
		inc	ecx
		or	[edx+3], cl
		jmp	short loc_8F0724
; 

loc_8F071B:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+191j
		xor	ecx, ecx
		inc	ecx
		mov	eax, [ebp+var_1C]
		or	[eax+3], cl

loc_8F0724:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+12BE65j
		mov	dword ptr [edi+18h], 10Bh
		jmp	loc_7C4AB3
; 

loc_8F0730:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+E9j
		mov	eax, 80h
		or	[esi+24h], ax
		jmp	loc_7C49A3
; 

loc_8F073E:				; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+19Aj
		xor	ecx, ecx
		inc	ecx
		mov	eax, [ebp+var_1C]
		or	[eax+3], cl
		mov	dword ptr [edi+18h], 0C0000056h
		jmp	loc_7C4AB3
; END OF FUNCTION CHUNK	FOR FsRtlNotifyFilterChangeDirectoryLite

;  S U B	R O U T	I N E 


sub_8F0753	proc near		; DATA XREF: .text:006A36A8o
		xor	ebx, ebx
		jmp	sub_7C4ADD
sub_8F0753	endp

; 
; START	OF FUNCTION CHUNK FOR sub_7C4ADD

loc_8F075A:				; CODE XREF: sub_7C4ADD+1Ej
		push	esi
		call	SeReleaseSubjectContext
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	locret_7C4B01
; END OF FUNCTION CHUNK	FOR sub_7C4ADD
; 
; START	OF FUNCTION CHUNK FOR FsRtlNotifyUpdateBuffer

loc_8F076C:				; CODE XREF: FsRtlNotifyUpdateBuffer+20j
					; FsRtlNotifyUpdateBuffer+12BBA2j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	al, al
		jmp	loc_7C4C6D
; 

loc_8F077A:				; CODE XREF: FsRtlNotifyUpdateBuffer+33j
		test	ax, ax
		jz	short loc_8F07A8
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		lea	eax, [edi+0Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		movzx	ecx, word ptr [ebx]
		lea	eax, [ecx+2]
		cmp	[edi+8], eax
		jb	short loc_8F076C
		push	5Ch
		pop	eax
		mov	[ecx+edi+0Ch], ax
		movzx	esi, word ptr [ebx]
		add	esi, 2

loc_8F07A8:				; CODE XREF: FsRtlNotifyUpdateBuffer+12BB87j
		mov	ebx, [ebp+arg_4]
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		lea	eax, [edi+0Ch]
		add	eax, esi
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	loc_7C4C61
		movzx	eax, word ptr [ebx]
		add	esi, eax
		push	3Ah
		pop	eax
		mov	[esi+edi+0Ch], ax
		movzx	eax, word ptr [ecx]
		push	eax
		push	dword ptr [ecx+4]
		lea	eax, [edi+0Eh]
		add	eax, esi
		push	eax
		jmp	loc_7C4C59
; 

loc_8F07EA:				; CODE XREF: FsRtlNotifyUpdateBuffer+44j
		push	eax
		push	dword ptr [ebx+4]
		lea	eax, [ebp+arg_C]
		push	eax
		push	ecx
		lea	eax, [edi+0Ch]
		push	eax
		call	RtlOemToUnicodeN
		push	5Ch
		pop	ecx
		mov	eax, [ebp+arg_C]
		mov	[eax+edi+0Ch], cx
		lea	esi, [eax+2]
		movzx	eax, word ptr [ebx]
		jmp	loc_7C4C40
; 

loc_8F0812:				; CODE XREF: FsRtlNotifyUpdateBuffer+52j
		mov	ecx, [ebp+arg_4]
		movzx	eax, word ptr [ecx]
		push	eax
		push	dword ptr [ecx+4]
		lea	eax, [ebp+arg_C]
		push	eax
		push	dword ptr [edi+8]
		push	edx
		call	RtlOemToUnicodeN
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	loc_7C4C61
		add	esi, [ebp+arg_C]
		push	3Ah
		pop	eax
		mov	[esi+edi+0Ch], ax
		movzx	eax, word ptr [ecx]
		push	eax
		push	dword ptr [ecx+4]
		lea	eax, [ebp+arg_C]
		push	eax
		push	dword ptr [edi+8]
		lea	eax, [edi+0Eh]
		add	eax, esi
		push	eax
		call	RtlOemToUnicodeN
		jmp	loc_7C4C61
; END OF FUNCTION CHUNK	FOR FsRtlNotifyUpdateBuffer

;  S U B	R O U T	I N E 


sub_8F085D	proc near		; DATA XREF: .text:006A36C4o
		xor	eax, eax
		inc	eax
		retn
sub_8F085D	endp


;  S U B	R O U T	I N E 


sub_8F0861	proc near		; DATA XREF: .text:006A36C8o
		mov	esp, [ebp-18h]
		xor	al, al
		jmp	loc_7C4C63
sub_8F0861	endp


;  S U B	R O U T	I N E 


sub_8F086B	proc near		; DATA XREF: .text:006A3704o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F086B	endp


;  S U B	R O U T	I N E 


sub_8F0879	proc near		; DATA XREF: .text:006A3708o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7C4CE9
sub_8F0879	endp


;  S U B	R O U T	I N E 


sub_8F088B	proc near		; DATA XREF: .text:006A3710o
		xor	eax, eax
		inc	eax
		retn
sub_8F088B	endp


;  S U B	R O U T	I N E 


sub_8F088F	proc near		; DATA XREF: .text:006A3714o
		mov	esp, [ebp-18h]
		jmp	loc_7C4D0E
sub_8F088F	endp

; 
; START	OF FUNCTION CHUNK FOR PfpRpRehashIfNeeded

loc_8F0897:				; CODE XREF: PfpRpRehashIfNeeded+57j
		mov	esi, eax
		jmp	loc_7C4E33
; END OF FUNCTION CHUNK	FOR PfpRpRehashIfNeeded
; 
; START	OF FUNCTION CHUNK FOR FsRtlQueryKernelEaFile

loc_8F089E:				; CODE XREF: FsRtlQueryKernelEaFile+37j
		mov	edi, 0C0000010h
		jmp	short loc_8F08AA
; 

loc_8F08A5:				; CODE XREF: FsRtlQueryKernelEaFile+5Bj
		mov	edi, 0C000009Ah

loc_8F08AA:				; CODE XREF: FsRtlQueryKernelEaFile+12B977j
		mov	[ebp+var_20], edi
		jmp	loc_7C5029
; 

loc_8F08B2:				; CODE XREF: FsRtlQueryKernelEaFile+8Aj
		mov	eax, [eax]
		mov	[ecx-14h], eax
		or	byte ptr [ecx-22h], 4
		jmp	loc_7C4FBF
; 

loc_8F08C0:				; CODE XREF: FsRtlQueryKernelEaFile+E9j
		lea	eax, [ebp+var_34]
		mov	[ebp+arg_1C], eax
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+arg_1C]
		push	eax
		push	1
		call	FsRtlCancellableWaitForMultipleObjects
		cmp	eax, 0C000004Bh
		jnz	loc_7C501B
		push	esi
		call	IoCancelIrp
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_34]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_7C501B
; END OF FUNCTION CHUNK	FOR FsRtlQueryKernelEaFile

;  S U B	R O U T	I N E 


sub_8F08F8	proc near		; DATA XREF: .text:006A3750o
		xor	ebx, ebx
		mov	esi, [ebp-24h]
		mov	edi, [ebp-20h]
		jmp	sub_7C504F
sub_8F08F8	endp

; 
; START	OF FUNCTION CHUNK FOR sub_7C504F

loc_8F0905:				; CODE XREF: sub_7C504F+9j
		call	_FsRtlpFreeMdlChain@4 ;	FsRtlpFreeMdlChain(x)
		mov	[esi+4], ebx
		jmp	loc_7C505E
; END OF FUNCTION CHUNK	FOR sub_7C504F
; 
; START	OF FUNCTION CHUNK FOR ExpRaiseHardError

loc_8F0912:				; CODE XREF: ExpRaiseHardError+69j
		mov	eax, 0C000000Dh
		jmp	loc_7C5394
; 

loc_8F091C:				; CODE XREF: ExpRaiseHardError+79j
		push	[ebp+var_190]
		push	ds:dword_A949BC
		push	ds:_SeShutdownPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_8F0941
		mov	eax, 0C0000061h
		jmp	loc_7C5394
; 

loc_8F0941:				; CODE XREF: ExpRaiseHardError+12B6EDj
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	short loc_8F0950
		mov	_ExReadyForErrors, bl

loc_8F0950:				; CODE XREF: ExpRaiseHardError+12B700j
		mov	esi, [ebp+var_194]
		mov	dword ptr [esi+200h], 2
		mov	[ebp+var_185], 1
		mov	edx, [ebp+var_198]
		jmp	loc_7C52CD
; 

loc_8F0972:				; CODE XREF: ExpRaiseHardError+C2j
					; ExpRaiseHardError+CEj
		cmp	[ebp+var_186], bl
		setnz	al
		movzx	eax, al
		push	eax
		push	[ebp+var_18C]
		push	[ebp+arg_0]
		mov	ecx, edi
		call	_ExpSystemErrorHandler@20 ; ExpSystemErrorHandler(x,x,x,x,x)
		jmp	loc_7C5392
; 

loc_8F0994:				; CODE XREF: ExpRaiseHardError+E0j
		mov	eax, edi
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_7C538A
		cmp	[ebp+var_186], bl
		setnz	al
		movzx	eax, al
		push	eax
		push	[ebp+var_18C]
		push	[ebp+arg_0]
		mov	ecx, edi
		call	_ExpSystemErrorHandler@20 ; ExpSystemErrorHandler(x,x,x,x,x)
		jmp	loc_7C538A
; 

loc_8F09C2:				; CODE XREF: ExpRaiseHardError+124j
		mov	eax, [ebp+var_194]
		mov	eax, [eax+1FCh]
		mov	[ebp+var_18C], eax
		jmp	loc_7C5379
; 

loc_8F09D9:				; CODE XREF: ExpRaiseHardError+18Cj
		mov	[ebp+var_1A0], 0C0000001h
		jmp	loc_7C53DA
; END OF FUNCTION CHUNK	FOR ExpRaiseHardError

;  S U B	R O U T	I N E 


sub_8F09E8	proc near		; DATA XREF: .text:006A3794o
		xor	eax, eax
		inc	eax
		retn
sub_8F09E8	endp


;  S U B	R O U T	I N E 


sub_8F09EC	proc near		; DATA XREF: .text:006A3798o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, [ebp-1ACh]
		jmp	loc_7C53E1
sub_8F09EC	endp

; 
; START	OF FUNCTION CHUNK FOR ExpRaiseHardError

loc_8F0A03:				; CODE XREF: ExpRaiseHardError+1A2j
		cmp	[ebp+var_185], 1
		jnz	short loc_8F0A17
		mov	ecx, [ebp+var_18C]
		call	ObfDereferenceObject

loc_8F0A17:				; CODE XREF: ExpRaiseHardError+12B7C2j
		mov	[ebp+var_18C], ebx
		jmp	loc_7C5381
; END OF FUNCTION CHUNK	FOR ExpRaiseHardError

;  S U B	R O U T	I N E 


sub_8F0A22	proc near		; DATA XREF: .text:006A37A0o
		xor	eax, eax
		inc	eax
		retn
sub_8F0A22	endp


;  S U B	R O U T	I N E 


sub_8F0A26	proc near		; DATA XREF: .text:006A37A4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		jmp	loc_7C5465
sub_8F0A26	endp

; 
; START	OF FUNCTION CHUNK FOR ExGetPoolTagInfo

loc_8F0A37:				; CODE XREF: ExGetPoolTagInfo+C9j
		mov	[ebp+var_24], 0C0000095h
		jmp	loc_7C5665
; END OF FUNCTION CHUNK	FOR ExGetPoolTagInfo

;  S U B	R O U T	I N E 


sub_8F0A43	proc near		; DATA XREF: .text:006A37E8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F0A43	endp


;  S U B	R O U T	I N E 


sub_8F0A51	proc near		; DATA XREF: .text:006A37ECo
		mov	esp, [ebp-18h]
		mov	eax, [ebp-34h]
		mov	[ebp-24h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-38h]
		jmp	loc_7C566C
sub_8F0A51	endp

; 
; START	OF FUNCTION CHUNK FOR ExGetPoolTagInfo

loc_8F0A69:				; CODE XREF: ExGetPoolTagInfo+48j
					; ExGetPoolTagInfo+65j
		mov	eax, 0C000009Ah
		jmp	loc_7C5683
; END OF FUNCTION CHUNK	FOR ExGetPoolTagInfo

;  S U B	R O U T	I N E 


sub_8F0A73	proc near		; DATA XREF: .text:006A37DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F0A73	endp


;  S U B	R O U T	I N E 


sub_8F0A81	proc near		; DATA XREF: .text:006A37E0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3Ch]
		jmp	loc_7C5683
sub_8F0A81	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpIsGuidAllowed

loc_8F0A93:				; CODE XREF: EtwpIsGuidAllowed+22j
		push	offset _EtwpCompareGuid	; int __cdecl (*)(const	void *,const void *)
		push	10h		; size_t
		push	eax		; size_t
		push	dword ptr [edi+2D8h] ; void *
		push	ebx		; void *
		call	_bsearch
		add	esp, 14h
		mov	ebx, eax
		neg	ebx
		sbb	bl, bl
		inc	bl
		jmp	loc_7C56CA
; END OF FUNCTION CHUNK	FOR EtwpIsGuidAllowed
; 
; START	OF FUNCTION CHUNK FOR AlpcpDispatchCloseMessage

loc_8F0AB7:				; CODE XREF: AlpcpDispatchCloseMessage+D1j
		mov	ecx, [ebp+var_C]
		call	_AlpcpLogClosePort@4 ; AlpcpLogClosePort(x)
		jmp	loc_7C57C5
; END OF FUNCTION CHUNK	FOR AlpcpDispatchCloseMessage
; 
; START	OF FUNCTION CHUNK FOR AlpcpReferenceAndLockTargetPortsAndCommunicationInfo

loc_8F0AC4:				; CODE XREF: AlpcpReferenceAndLockTargetPortsAndCommunicationInfo+F0j
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	loc_7C58FF
; END OF FUNCTION CHUNK	FOR AlpcpReferenceAndLockTargetPortsAndCommunicationInfo

;  S U B	R O U T	I N E 


sub_8F0AD0	proc near		; DATA XREF: .text:006A382Co
		mov	ecx, [ebp-14h]
		mov	eax, [ecx]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		call	_CmpFatalFilter@8 ; CmpFatalFilter(x,x)

loc_8F0ADF:				; DATA XREF: .text:006A3830o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-1Ch]
		jmp	loc_7C5D3A
sub_8F0AD0	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryEvent

loc_8F0AEA:				; CODE XREF: NtQueryEvent+13j
		mov	eax, 0C0000003h
		jmp	loc_7C5E32
; 

loc_8F0AF4:				; CODE XREF: NtQueryEvent+1Dj
		mov	eax, 0C0000004h
		jmp	loc_7C5E32
; 

loc_8F0AFE:				; CODE XREF: NtQueryEvent+5Cj
		mov	ecx, eax
		jmp	loc_7C5DBA
; END OF FUNCTION CHUNK	FOR NtQueryEvent

;  S U B	R O U T	I N E 


sub_8F0B05	proc near		; DATA XREF: .text:006A386Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F0B05	endp


;  S U B	R O U T	I N E 


sub_8F0B13	proc near		; DATA XREF: .text:006A3870o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_7C5E32
sub_8F0B13	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryEvent

loc_8F0B25:				; CODE XREF: NtQueryEvent+37j
		mov	esi, [ebp+arg_10]
		jmp	loc_7C5DC5
; END OF FUNCTION CHUNK	FOR NtQueryEvent

;  S U B	R O U T	I N E 


sub_8F0B2D	proc near		; DATA XREF: .text:006A3878o
		xor	eax, eax
		inc	eax
		retn
sub_8F0B2D	endp


;  S U B	R O U T	I N E 


sub_8F0B31	proc near		; DATA XREF: .text:006A387Co
		mov	esp, [ebp-18h]
		jmp	loc_7C5E1C
sub_8F0B31	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryEvent

loc_8F0B39:				; CODE XREF: NtQueryEvent+A5j
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		mov	[eax+4], ebx
		test	esi, esi
		jz	loc_7C5E23
		mov	dword ptr [esi], 8
		jmp	loc_7C5E23
; END OF FUNCTION CHUNK	FOR NtQueryEvent
; 
; START	OF FUNCTION CHUNK FOR CmpGetCallbackObjectContext

loc_8F0B54:				; CODE XREF: CmpGetCallbackObjectContext+58j
					; CmpGetCallbackObjectContext+60j
		cmp	ecx, edx
		jl	loc_7C5F8F
		jg	short loc_8F0B67
		cmp	ebx, [ebp+var_4]
		jb	loc_7C5F8F

loc_8F0B67:				; CODE XREF: CmpGetCallbackObjectContext+12AC36j
		mov	eax, [eax]
		cmp	eax, esi
		jnz	loc_7C5F75
		jmp	loc_7C5F8F
; END OF FUNCTION CHUNK	FOR CmpGetCallbackObjectContext
; 
; START	OF FUNCTION CHUNK FOR MiCheckForUserStackOverflow

loc_8F0B76:				; CODE XREF: MiCheckForUserStackOverflow+7Bj
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		pop	edx
		mov	esi, [ebp+var_34]
		mov	ecx, esi
		call	MiObtainReferencedVadEx
		mov	edi, eax
		test	edi, edi
		jz	loc_7C602D
		mov	ecx, [edi+1Ch]
		and	ecx, 5100000h
		cmp	ecx, 4100000h
		jnz	loc_7C602D
		mov	[ebp+var_24], 1
		mov	ebx, [edi+0Ch]
		shl	ebx, 0Ch
		mov	ecx, edi
		call	MiUnlockAndDereferenceVadShared
		xor	ecx, ecx
		mov	edi, ecx
		mov	[ebp+var_28], 0C00000FDh
		mov	[ebp+var_2C], 1000h
		mov	eax, esi
		and	eax, 0FFFFF000h
		add	eax, 0FFFFF000h
		mov	[ebp+var_30], eax
		cmp	eax, esi
		ja	short loc_8F0C15
		cmp	eax, ebx
		jbe	short loc_8F0C15
		push	102h
		push	1000h
		lea	eax, [ebp+var_2C]
		push	eax
		push	ecx
		lea	eax, [ebp+var_30]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		mov	esi, 113h
		mov	ebx, [ebp+var_24]
		test	eax, eax
		js	loc_7C6032
		mov	[ebp+var_28], esi
		jmp	loc_7C6032
; 

loc_8F0C15:				; CODE XREF: MiCheckForUserStackOverflow+12AC31j
					; MiCheckForUserStackOverflow+12AC35j
		mov	ebx, [ebp+var_24]
		jmp	loc_7C602D
; 

loc_8F0C1D:				; CODE XREF: MiCheckForUserStackOverflow+88j
		mov	ecx, edi
		call	MiUnlockAndDereferenceVadShared
		jmp	loc_7C603A
; 

loc_8F0C29:				; CODE XREF: MiCheckForUserStackOverflow+61j
		mov	esi, 113h
		jmp	loc_7C6048
; 

loc_8F0C33:				; CODE XREF: MiCheckForUserStackOverflow+117j
		add	eax, 1000h
		jmp	short loc_8F0C49
; 

loc_8F0C3A:				; CODE XREF: MiCheckForUserStackOverflow+167j
		sub	ecx, 1000h
		mov	[ebp+var_1C], ecx
		lea	eax, [edx+1000h]

loc_8F0C49:				; CODE XREF: MiCheckForUserStackOverflow+12AC8Cj
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	4
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	0FFFFFFFFh
		call	_ZwProtectVirtualMemory@20 ; ZwProtectVirtualMemory(x,x,x,x,x)
		mov	eax, [ebp+var_20]
		mov	esi, 0C00000FDh
		jmp	loc_7C611C
; END OF FUNCTION CHUNK	FOR MiCheckForUserStackOverflow

;  S U B	R O U T	I N E 


sub_8F0C6E	proc near		; DATA XREF: .text:006A38ACo
		xor	eax, eax
		inc	eax
		retn
sub_8F0C6E	endp


;  S U B	R O U T	I N E 


sub_8F0C72	proc near		; DATA XREF: .text:006A38B0o
		mov	esp, [ebp-18h]
		mov	esi, 80000001h
		jmp	loc_7C6129
sub_8F0C72	endp

; 

loc_8F0C7F:				; DATA XREF: .text:006A38A0o
		xor	eax, eax
		inc	eax
		retn
; 

loc_8F0C83:				; DATA XREF: .text:006A38A4o
		jmp	short loc_8F0C89
; 

loc_8F0C85:				; DATA XREF: .text:006A3894o
		xor	eax, eax
		inc	eax
		retn
; 

loc_8F0C89:				; CODE XREF: PAGE:loc_8F0C83j
					; DATA XREF: .text:006A3898o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
; START	OF FUNCTION CHUNK FOR MiCheckForUserStackOverflow

loc_8F0C93:				; CODE XREF: MiCheckForUserStackOverflow+2Dj
					; MiCheckForUserStackOverflow+4Cj ...
		mov	eax, 80000001h
		jmp	loc_7C6132
; END OF FUNCTION CHUNK	FOR MiCheckForUserStackOverflow
; 
; START	OF FUNCTION CHUNK FOR IopCheckTopDeviceHint

loc_8F0C9D:				; CODE XREF: IopCheckTopDeviceHint+43j
		cmp	eax, 3
		jz	loc_7C6246
		cmp	eax, 20h
		jz	loc_7C6246
		cmp	eax, 35h
		jz	loc_7C6246
		cmp	eax, 11h
		jz	loc_7C6246
		cmp	eax, 0Ch
		jnz	loc_7C6272
		jmp	loc_7C6246
; 

loc_8F0CCF:				; CODE XREF: IopCheckTopDeviceHint+2Aj
		mov	eax, [esi+68h]
		test	eax, eax
		jz	short loc_8F0D25
		and	[ebp+arg_0], 0
		lea	ecx, [ebp+arg_0]
		push	0
		push	ecx
		push	offset _GUID_ECP_IO_DEVICE_HINT
		push	eax
		call	_FsRtlFindExtraCreateParameter@16 ; FsRtlFindExtraCreateParameter(x,x,x,x)
		test	eax, eax
		js	short loc_8F0D25
		mov	eax, [ebp+arg_4]
		mov	edi, [ebp+arg_0]
		movzx	eax, word ptr [eax]
		cmp	[edi+6], ax
		jnb	short loc_8F0D0C
		mov	[edi+4], ax
		mov	eax, 0C0000496h
		jmp	loc_7C6261
; 

loc_8F0D0C:				; CODE XREF: IopCheckTopDeviceHint+12AAD2j
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		push	[ebp+arg_4]
		lea	eax, [edi+4]
		mov	[edi], ebx
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		or	dword ptr [edi-10h], 8

loc_8F0D25:				; CODE XREF: IopCheckTopDeviceHint+12AAAAj
					; IopCheckTopDeviceHint+12AAC3j
		mov	eax, [esi+5Ch]
		test	al, 10h
		jz	short loc_8F0D3C
		and	eax, 0FFFFFFEFh
		mov	[esi+5Ch], eax
		mov	eax, 0C0000368h
		jmp	loc_7C6261
; 

loc_8F0D3C:				; CODE XREF: IopCheckTopDeviceHint+12AB00j
		mov	eax, 0C0000369h
		jmp	loc_7C6261
; END OF FUNCTION CHUNK	FOR IopCheckTopDeviceHint
; 
; START	OF FUNCTION CHUNK FOR ObpAdjustCreatorAccessState

loc_8F0D46:				; CODE XREF: ObpAdjustCreatorAccessState+48j
		mov	eax, ds:_SeSecurityPrivilege
		and	[ebp+var_8], 0
		mov	[ebp+var_10], eax
		mov	eax, ds:dword_A94A3C
		push	edx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_18]
		push	ebx
		push	eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		call	_SePrivilegeCheck@12 ; SePrivilegeCheck(x,x,x)
		test	al, al
		lea	eax, [ebp+var_18]
		jnz	short loc_8F0D88
		push	0
		push	eax
		mov	edx, ebx
		xor	ecx, ecx
		call	_SePrivilegedServiceAuditAlarm@16 ; SePrivilegedServiceAuditAlarm(x,x,x,x)
		mov	eax, 0C0000061h
		jmp	loc_7C6309
; 

loc_8F0D88:				; CODE XREF: ObpAdjustCreatorAccessState+12AAF6j
		and	dword ptr [edi], 0FEFFFFFFh
		or	dword ptr [esi+14h], 1000000h
		push	eax
		push	esi
		call	SeAppendPrivileges
		mov	eax, [esi+10h]
		jmp	loc_7C62C8
; END OF FUNCTION CHUNK	FOR ObpAdjustCreatorAccessState

;  S U B	R O U T	I N E 


sub_8F0DA4	proc near		; DATA XREF: .text:006A38CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F0DA4	endp


;  S U B	R O U T	I N E 


sub_8F0DB2	proc near		; DATA XREF: .text:006A38D0o
		mov	esp, [ebp-18h]
		mov	edx, [ebp-1Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7C63E0
sub_8F0DB2	endp

; 
; START	OF FUNCTION CHUNK FOR PiCMOpenClassKey

loc_8F0DC4:				; CODE XREF: PiCMOpenClassKey+7Aj
		cmp	ebx, 3
		jz	loc_7C6478

loc_8F0DCD:				; CODE XREF: PiCMOpenClassKey+52j
					; PiCMOpenClassKey+5Bj	...
		mov	esi, 0C000000Dh
		jmp	loc_7C64EE
; 

loc_8F0DD7:				; CODE XREF: PiCMOpenClassKey+C2j
		xor	ebx, ebx
		push	ebx
		push	40h
		call	_CmOpenCommonClassRegKey
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	loc_7C64D8
		cmp	[ebp+var_20], 1
		jnz	loc_7C64EE
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jz	short loc_8F0E1C
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_4]
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	ebx
		push	eax
		push	edi
		call	__CmCreateInterfaceClass@24 ; _CmCreateInterfaceClass(x,x,x,x,x,x)
		jmp	short loc_8F0E6C
; 

loc_8F0E1C:				; CODE XREF: PiCMOpenClassKey+12AA0Bj
					; PiCMOpenClassKey+12AA42j
		mov	esi, 0C0000022h
		jmp	loc_7C64EE
; 

loc_8F0E26:				; CODE XREF: PiCMOpenClassKey+DAj
		cmp	[ebp+var_20], 1
		jnz	loc_7C64EE
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jz	short loc_8F0E1C
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_4]
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	ebx
		push	eax
		push	edi
		call	__CmCreateInstallerClass@24 ; _CmCreateInstallerClass(x,x,x,x,x,x)
		jmp	short loc_8F0E6C
; 

loc_8F0E53:				; CODE XREF: PiCMOpenClassKey+83j
		mov	edi, [ebp+var_24]
		lea	eax, [ebp+var_4]
		xor	edx, edx
		cmp	ebx, 3
		push	eax
		push	edi
		setz	dl
		push	ecx
		add	edx, 7
		call	__PnpCtxOpenContextBaseKey@20 ;	_PnpCtxOpenContextBaseKey(x,x,x,x,x)

loc_8F0E6C:				; CODE XREF: PiCMOpenClassKey+12AA22j
					; PiCMOpenClassKey+12AA59j
		mov	esi, eax
		jmp	loc_7C64D8
; 

loc_8F0E73:				; CODE XREF: PiCMOpenClassKey+120j
					; PiCMOpenClassKey+128j
		test	edi, edi
		jz	loc_7C6526
		push	[ebp+var_C]
		push	edi
		call	ObCloseHandle
		jmp	loc_7C6526
; END OF FUNCTION CHUNK	FOR PiCMOpenClassKey
; 
; START	OF FUNCTION CHUNK FOR PiCMOpenDeviceKey

loc_8F0E89:				; CODE XREF: PiCMOpenDeviceKey+120j
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jnz	short loc_8F0E9F
		mov	esi, 0C0000022h
		jmp	loc_7C65FC
; 

loc_8F0E9F:				; CODE XREF: PiCMOpenDeviceKey+12A95Bj
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+arg_C]
		mov	ecx, _PiPnpRtlCtx
		push	edi
		push	eax
		push	1
		push	[ebp+var_1C]
		push	[ebp+var_14]
		push	[ebp+var_4]
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		jmp	loc_7C65E4
; 

loc_8F0EC4:				; CODE XREF: PiCMOpenDeviceKey+4Ej
					; PiCMOpenDeviceKey+58j ...
		mov	esi, 0C000000Dh
		jmp	loc_7C65FC
; 

loc_8F0ECE:				; CODE XREF: PiCMOpenDeviceKey+129j
		push	[ebp+var_C]
		push	ebx
		call	ObCloseHandle
		jmp	loc_7C662A
; END OF FUNCTION CHUNK	FOR PiCMOpenDeviceKey
; 
; START	OF FUNCTION CHUNK FOR PiCMOpenObjectKey

loc_8F0EDC:				; CODE XREF: PiCMOpenObjectKey+191j
		sub	eax, 1
		jnz	loc_7C6710
		push	5
		jmp	loc_7C67FF
; 

loc_8F0EEC:				; CODE XREF: PiCMOpenObjectKey:loc_7C67A2j
		mov	edi, ecx
		jmp	short loc_8F0EF9
; 

loc_8F0EF0:				; CODE XREF: PiCMOpenObjectKey+B4j
		cmp	edi, 4
		jbe	loc_7C6720

loc_8F0EF9:				; CODE XREF: PiCMOpenObjectKey+19Aj
					; PiCMOpenObjectKey+12A888j
		cmp	[ebp+var_18], 1
		jnz	loc_7C6720
		jmp	loc_7C67B0
; 

loc_8F0F08:				; CODE XREF: PiCMOpenObjectKey+161j
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jnz	short loc_8F0F1E
		mov	esi, 0C0000022h
		jmp	loc_7C6761
; 

loc_8F0F1E:				; CODE XREF: PiCMOpenObjectKey+12A8ACj
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_4]
		push	ecx
		push	ecx
		push	eax
		push	[ebp+var_1C]
		push	edi
		call	__PnpCreateObject@28 ; _PnpCreateObject(x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_7C6749
; 

loc_8F0F37:				; CODE XREF: PiCMOpenObjectKey+4Ej
					; PiCMOpenObjectKey+57j ...
		mov	esi, 0C000000Dh
		jmp	loc_7C6761
; 

loc_8F0F41:				; CODE XREF: PiCMOpenObjectKey+125j
		test	edi, edi
		jz	loc_7C6791
		push	[ebp+var_C]
		push	edi
		call	ObCloseHandle
		jmp	loc_7C6791
; END OF FUNCTION CHUNK	FOR PiCMOpenObjectKey

;  S U B	R O U T	I N E 


sub_8F0F57	proc near		; DATA XREF: .text:006A38ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F0F57	endp


;  S U B	R O U T	I N E 


sub_8F0F65	proc near		; DATA XREF: .text:006A38F0o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-24h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	10h
		pop	ebx
		jmp	loc_7C6892
sub_8F0F65	endp

; 
; START	OF FUNCTION CHUNK FOR PiCMCaptureRegistryInputData

loc_8F0F7A:				; CODE XREF: PiCMCaptureRegistryInputData+4Ej
					; PiCMCaptureRegistryInputData+56j
		mov	byte ptr [eax],	0
		jmp	loc_7C6912
; 

loc_8F0F82:				; CODE XREF: PiCMCaptureRegistryInputData+5Fj
					; PiCMCaptureRegistryInputData+74j
		mov	ebx, 0C000000Dh
		jmp	short loc_8F0F9D
; END OF FUNCTION CHUNK	FOR PiCMCaptureRegistryInputData

;  S U B	R O U T	I N E 


sub_8F0F89	proc near		; DATA XREF: .text:006A390Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F0F89	endp


;  S U B	R O U T	I N E 


sub_8F0F97	proc near		; DATA XREF: .text:006A3910o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-28h]
sub_8F0F97	endp

; START	OF FUNCTION CHUNK FOR PiCMCaptureRegistryInputData

loc_8F0F9D:				; CODE XREF: PiCMCaptureRegistryInputData+12A6D1j
		mov	[ebp+var_1C], ebx
		jmp	loc_7C6930
; 

loc_8F0FA5:				; CODE XREF: PiCMCaptureRegistryInputData+A2j
		test	eax, eax
		jnz	short loc_8F0FB7

loc_8F0FA9:				; CODE XREF: PiCMCaptureRegistryInputData+96j
		cmp	dword ptr [esi+10h], 0
		ja	short loc_8F0FC1
		test	eax, eax
		jz	loc_7C698A

loc_8F0FB7:				; CODE XREF: PiCMCaptureRegistryInputData+12A6F1j
		cmp	dword ptr [esi+10h], 2
		jnb	loc_7C698A

loc_8F0FC1:				; CODE XREF: PiCMCaptureRegistryInputData+12A6F7j
		mov	ebx, 0C000000Dh

loc_8F0FC6:				; CODE XREF: PiCMCaptureRegistryInputData+86j
					; PiCMCaptureRegistryInputData+D6j
		cmp	[ebp+var_20], 0
		jz	short loc_8F0FE1
		mov	eax, [esi+0Ch]
		cmp	byte ptr [ebp+var_24], 0
		jz	short loc_8F0FE1
		test	eax, eax
		jz	short loc_8F0FE1
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F0FE1:				; CODE XREF: PiCMCaptureRegistryInputData+12A714j
					; PiCMCaptureRegistryInputData+12A71Dj	...
		push	9
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		jmp	loc_7C6992
; 

loc_8F0FEF:				; CODE XREF: PiCMCaptureRegistryInputData+2Aj
					; PiCMCaptureRegistryInputData+32j
		mov	ebx, 0C000000Dh
		mov	esi, [ebp+arg_4]
		jmp	loc_7C698A
; END OF FUNCTION CHUNK	FOR PiCMCaptureRegistryInputData
; 
; START	OF FUNCTION CHUNK FOR PiCMConvertDeviceKeyType

loc_8F0FFC:				; CODE XREF: PiCMConvertDeviceKeyType+39j
		mov	dword ptr [edx], 13h
		mov	ecx, 213h
		mov	eax, 113h
		jmp	loc_7C6A38
; 

loc_8F1011:				; CODE XREF: PiCMConvertDeviceKeyType+26j
		cmp	ebx, 100h
		jz	short loc_8F102C
		cmp	ebx, 200h
		jnz	loc_7C6A80
		mov	[edx], ecx
		jmp	loc_7C6A44
; 

loc_8F102C:				; CODE XREF: PiCMConvertDeviceKeyType+12A5FFj
		mov	[edx], eax
		jmp	loc_7C6A44
; END OF FUNCTION CHUNK	FOR PiCMConvertDeviceKeyType
; 
; START	OF FUNCTION CHUNK FOR AuthzBasepQueryClaimAttributesToken

loc_8F1033:				; CODE XREF: AuthzBasepQueryClaimAttributesToken+1Bj
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_AuthzBasepGetClaimAttributesCopyoutBufferSize@8 ; AuthzBasepGetClaimAttributesCopyoutBufferSize(x,x)
		test	eax, eax
		js	loc_7C6AC2
		mov	esi, [ebp+var_4]
		test	esi, esi
		jnz	short loc_8F1056
		mov	eax, 0C000000Dh
		jmp	loc_7C6AC2
; 

loc_8F1056:				; CODE XREF: AuthzBasepQueryClaimAttributesToken+12A5C2j
		cmp	[ebp+arg_0], esi
		jb	loc_7C6AC9
		push	[ebp+arg_0]	; size_t
		push	0		; int
		push	[ebp+var_8]	; void *
		call	_memset
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		mov	ecx, edi	; int
		push	[ebp+arg_0]	; int
		call	_AuthzBasepCopyoutClaimAttributes@12 ; AuthzBasepCopyoutClaimAttributes(x,x,x)
		jmp	loc_7C6AC0
; END OF FUNCTION CHUNK	FOR AuthzBasepQueryClaimAttributesToken
; 
; START	OF FUNCTION CHUNK FOR NtCreateIoCompletion

loc_8F1081:				; CODE XREF: NtCreateIoCompletion+34j
		mov	ecx, eax
		jmp	loc_7C6B4A
; END OF FUNCTION CHUNK	FOR NtCreateIoCompletion

;  S U B	R O U T	I N E 


sub_8F1088	proc near		; DATA XREF: .text:006A394Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F1088	endp


;  S U B	R O U T	I N E 


sub_8F1098	proc near		; DATA XREF: .text:006A3950o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_7C6BC6
sub_8F1098	endp


;  S U B	R O U T	I N E 


sub_8F10AA	proc near		; DATA XREF: .text:006A3958o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F10AA	endp


;  S U B	R O U T	I N E 


sub_8F10B0	proc near		; DATA XREF: .text:006A395Co
		mov	esp, [ebp-18h]
		jmp	loc_7C6BBC
sub_8F10B0	endp

; 
; START	OF FUNCTION CHUNK FOR _PnpParseIndirectInfString

loc_8F10B8:				; CODE XREF: _PnpParseIndirectInfString+9Dj
		cmp	word ptr [esi+eax*2+2],	28h
		jnz	loc_7C6DA0
		cmp	word ptr [esi+edi*2-2],	29h
		jmp	loc_7C6D9E
; END OF FUNCTION CHUNK	FOR _PnpParseIndirectInfString
; 
; START	OF FUNCTION CHUNK FOR ObSetCurrentProcessDeviceMap

loc_8F10CF:				; CODE XREF: ObSetCurrentProcessDeviceMap+28j
		mov	eax, 0C000007Ch
		jmp	loc_7C6E90
; 

loc_8F10D9:				; CODE XREF: ObSetCurrentProcessDeviceMap+53j
					; ObSetCurrentProcessDeviceMap+61j
		mov	esi, 0C0000039h
		jmp	loc_7C6E83
; END OF FUNCTION CHUNK	FOR ObSetCurrentProcessDeviceMap
; 
; START	OF FUNCTION CHUNK FOR SeGetTokenDeviceMap

loc_8F10E3:				; CODE XREF: SeGetTokenDeviceMap+1BDj
		mov	ecx, [ebp+var_90]
		call	ObfDereferenceDeviceMap
		jmp	loc_7C7098
; 

loc_8F10F3:				; CODE XREF: SeGetTokenDeviceMap+5Dj
					; SeGetTokenDeviceMap+6Bj
		mov	eax, 0C000005Fh
		jmp	loc_7C6F32
; 

loc_8F10FD:				; CODE XREF: SeGetTokenDeviceMap+48j
					; SeGetTokenDeviceMap+50j
		mov	eax, 0C000000Dh
		jmp	loc_7C6F32
; END OF FUNCTION CHUNK	FOR SeGetTokenDeviceMap
; 
; START	OF FUNCTION CHUNK FOR DbgkForwardException

loc_8F1107:				; CODE XREF: DbgkForwardException+114j
		mov	[esp+0D0h+var_94], 80010001h
		jmp	loc_7C71E4
; 

loc_8F1114:				; CODE XREF: DbgkForwardException+10Cj
		xor	edx, edx
		lea	eax, [esp+0D0h+var_B0]
		cmp	byte ptr [esp+0D0h+var_C0], dl
		mov	ecx, edi
		push	eax
		setnz	dl
		call	_DbgkpSendApiMessage@12	; DbgkpSendApiMessage(x,x,x)
		mov	ebx, eax
		jmp	loc_7C71E4
; END OF FUNCTION CHUNK	FOR DbgkForwardException

;  S U B	R O U T	I N E 


sub_8F1130	proc near		; DATA XREF: .text:006A3974o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F1130	endp


;  S U B	R O U T	I N E 


sub_8F113E	proc near		; DATA XREF: .text:006A3978o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7C72A7
sub_8F113E	endp


;  S U B	R O U T	I N E 


sub_8F1150	proc near		; DATA XREF: .text:006A3980o
		xor	eax, eax
		inc	eax
		retn
sub_8F1150	endp


;  S U B	R O U T	I N E 


sub_8F1154	proc near		; DATA XREF: .text:006A3984o
		mov	esp, [ebp-18h]
		jmp	loc_7C729D
sub_8F1154	endp

; 
; START	OF FUNCTION CHUNK FOR NtOpenMutant

loc_8F115C:				; CODE XREF: NtOpenMutant+68j
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	loc_7C72A4
; END OF FUNCTION CHUNK	FOR NtOpenMutant
; 
; START	OF FUNCTION CHUNK FOR CmQueryMultipleValueKey

loc_8F1169:				; CODE XREF: CmQueryMultipleValueKey+7Aj
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_CmQueryMultipleValueForLayeredKey@24 ;	CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)
		mov	esi, eax
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	eax, esi
		jmp	loc_7C7B26
; 

loc_8F118D:				; CODE XREF: CmQueryMultipleValueKey+83j
					; CmQueryMultipleValueKey+8Cj
		lea	ecx, [edi+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [edi+1Ch]
		xor	edx, edx
		mov	ecx, esi
		call	CmpIsKeyDeletedForKeyBody
		mov	ecx, edi
		test	al, al
		jz	short loc_8F11EE
		mov	eax, [esi+1Ch]
		and	al, 1
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 2A9h
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		jmp	short loc_8F11DE
; 

loc_8F11C3:				; CODE XREF: CmQueryMultipleValueKey+B2j
					; CmQueryMultipleValueKey+129A32j
		mov	eax, [esi+1Ch]
		and	al, 1
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 2A9h
		mov	edx, edi
		mov	ecx, ebx
		call	CmpUnlockTwoKcbs

loc_8F11DE:				; CODE XREF: CmQueryMultipleValueKey+1299C7j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		lea	eax, [esi-3FFFFE84h]
		jmp	loc_7C7B26
; 

loc_8F11EE:				; CODE XREF: CmQueryMultipleValueKey+1299AEj
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		lea	edx, [ebp+var_20]
		mov	ecx, esi
		call	CmpTransSearchAddTransFromKeyBody
		mov	[ebp+var_48], eax
		test	eax, eax
		jns	loc_7C788C
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	eax, [ebp+var_48]
		jmp	loc_7C7B26
; 

loc_8F1215:				; CODE XREF: CmQueryMultipleValueKey+97j
		mov	ebx, [eax+8]
		mov	[ebp+var_54], ebx
		jmp	loc_7C7897
; 

loc_8F1220:				; CODE XREF: CmQueryMultipleValueKey+BDj
		mov	edx, [ebp+var_20]
		mov	ecx, esi
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	short loc_8F11C3
		jmp	loc_7C78BD
; 

loc_8F1233:				; CODE XREF: CmQueryMultipleValueKey+ECj
		xor	ecx, ecx
		push	11h
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_8F1248
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_8F1248:				; CODE XREF: CmQueryMultipleValueKey+129A45j
		mov	ecx, esi
		call	KeAbPostRelease
		jmp	short loc_8F125C
; 

loc_8F1251:				; CODE XREF: CmQueryMultipleValueKey+129AA9j
		lea	eax, [ebp+var_68]
		push	eax
		mov	eax, [ebp+var_40]
		push	eax
		call	dword ptr [eax+8]

loc_8F125C:				; CODE XREF: CmQueryMultipleValueKey+129A55j
		mov	edx, edi
		mov	ecx, ebx
		call	CmpUnlockTwoKcbs
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	eax, 0C000009Ah
		jmp	loc_7C7B26
; 

loc_8F1274:				; CODE XREF: CmQueryMultipleValueKey+11Dj
		cmp	[edi+9Ch], esi
		jnz	loc_7C791D
		mov	[ebp+var_22], 1
		jmp	loc_7C791D
; 

loc_8F1289:				; CODE XREF: CmQueryMultipleValueKey+125j
		mov	ecx, [ebx+10h]
		mov	[ebp+var_50], ecx
		mov	eax, [ebx+14h]
		lea	edx, [ebp+var_94]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	[ebp+var_4C], eax
		test	eax, eax
		jz	short loc_8F1251
		test	esi, esi
		jz	loc_7C7925
		cmp	[ebx+9Ch], esi
		jnz	loc_7C7925
		mov	[ebp+var_21], 1
		jmp	loc_7C7925
; 

loc_8F12C2:				; CODE XREF: CmQueryMultipleValueKey+16Cj
		lea	eax, [edx-2]
		mov	[ecx], ax
		movzx	edx, ax
		test	ax, ax
		jnz	loc_7C795C
		jmp	loc_7C796C
; 

loc_8F12D9:				; CODE XREF: CmQueryMultipleValueKey+182j
		mov	eax, [ebp+var_50]
		mov	esi, eax
		mov	[ebp+var_34], esi
		cmp	[ebp+var_21], 0
		jnz	short loc_8F1308
		mov	[ebp+var_20], edx
		lea	edx, [ebp+var_20]
		push	edx
		xor	edx, edx
		push	edx
		push	edx
		push	ecx
		mov	edx, [ebp+var_4C]
		lea	edx, [edx+24h]
		mov	ecx, eax
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		mov	eax, [ebp+var_20]
		mov	[ebp+var_2C], eax
		jmp	short loc_8F1321
; 

loc_8F1308:				; CODE XREF: CmQueryMultipleValueKey+129AEBj
		lea	edx, [ebp+var_2C]
		push	edx
		xor	edx, edx
		push	edx
		push	edx
		push	ecx
		lea	edx, [ebx+94h]
		mov	ecx, eax
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		mov	eax, [ebp+var_2C]

loc_8F1321:				; CODE XREF: CmQueryMultipleValueKey+129B0Cj
		mov	[ebp+var_20], eax
		mov	ecx, [ebp+var_28]
		jmp	loc_7C7985
; 

loc_8F132C:				; CODE XREF: CmQueryMultipleValueKey+19Cj
		lea	edx, [ebp+var_2C]
		push	edx
		xor	edx, edx
		push	edx
		push	edx
		push	ecx
		lea	edx, [edi+94h]
		mov	ecx, eax
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		mov	eax, [ebp+var_2C]
		jmp	loc_7C79BA
; 

loc_8F134A:				; CODE XREF: CmQueryMultipleValueKey+1DCj
					; CmQueryMultipleValueKey+256j
		mov	[ebp+var_38], 0C000009Ah
		jmp	loc_7C7AF8
; 

loc_8F1356:				; CODE XREF: CmQueryMultipleValueKey+2A0j
		xor	eax, eax
		push	eax
		push	[ebp+var_44]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebp+var_19], al
		jmp	loc_7C7AB0
; END OF FUNCTION CHUNK	FOR CmQueryMultipleValueKey

;  S U B	R O U T	I N E 


sub_8F136B	proc near		; DATA XREF: .text:006A39D4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-58h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F136B	endp


;  S U B	R O U T	I N E 


sub_8F1379	proc near		; DATA XREF: .text:006A39D8o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-58h]
		mov	[ebp-38h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-78h]
		mov	[ebp-40h], eax
		mov	esi, [ebp-2Ch]
		mov	edx, [ebp-7Ch]
		mov	ecx, [ebp-80h]
		mov	edi, [ebp-84h]
		mov	ebx, [ebp-54h]
		mov	eax, [ebp-58h]
		jmp	loc_7C7AE0
sub_8F1379	endp

; 
; START	OF FUNCTION CHUNK FOR CmQueryMultipleValueKey

loc_8F13A9:				; CODE XREF: CmQueryMultipleValueKey+21Dj
					; CmQueryMultipleValueKey+225j	...
		mov	[ebp+var_1A], 1
		jmp	loc_7C7ABB
; 

loc_8F13B2:				; CODE XREF: CmQueryMultipleValueKey+1C6j
		mov	eax, 0C0000034h
		mov	[ebp+var_38], eax
		xor	ecx, ecx
		mov	esi, ecx
		jmp	loc_7C7ADA
; 

loc_8F13C3:				; CODE XREF: CmQueryMultipleValueKey+300j
		lea	eax, [ebp+var_60]
		push	eax
		mov	eax, [ebp+var_34]
		push	eax
		call	dword ptr [eax+8]
		jmp	loc_7C7B00
; 

loc_8F13D3:				; CODE XREF: CmQueryMultipleValueKey+30Aj
		lea	eax, [ebp+var_94]
		push	eax
		mov	eax, [ebp+var_50]
		push	eax
		call	dword ptr [eax+8]
		jmp	loc_7C7B0A
; END OF FUNCTION CHUNK	FOR CmQueryMultipleValueKey
; 
; START	OF FUNCTION CHUNK FOR DrvDbLoadDatabaseNode

loc_8F13E6:				; CODE XREF: DrvDbLoadDatabaseNode+1B3j
		mov	esi, 0C000000Dh
		jmp	loc_7C7C20
; 

loc_8F13F0:				; CODE XREF: DrvDbLoadDatabaseNode+20Aj
		call	_DrvDbGetSecurityDescriptor@0 ;	DrvDbGetSecurityDescriptor()
		mov	esi, eax
		mov	[esp+28h+var_8], esi
		test	esi, esi
		jnz	short loc_8F1409
		mov	esi, 0C00000E5h
		jmp	loc_7C7C20
; 

loc_8F1409:				; CODE XREF: DrvDbLoadDatabaseNode+129883j
		mov	eax, [ebx]
		mov	edx, [edi+18h]
		test	eax, eax
		jnz	short loc_8F1416
		xor	ecx, ecx
		jmp	short loc_8F1419
; 

loc_8F1416:				; CODE XREF: DrvDbLoadDatabaseNode+129896j
		mov	ecx, [eax+74h]

loc_8F1419:				; CODE XREF: DrvDbLoadDatabaseNode+12989Aj
		push	0
		lea	eax, [edi+30h]
		push	eax
		push	ecx
		push	esi
		push	2000000h
		push	0
		push	edx
		mov	edx, [esp+44h+var_1C]
		call	__SysCtxRegCreateTree@36 ; _SysCtxRegCreateTree(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7C7C20
		mov	edx, edi
		mov	ecx, ebx
		call	_DrvDbInitializeDatabaseNodeVersion@8 ;	DrvDbInitializeDatabaseNodeVersion(x,x)
		jmp	loc_7C7D92
; 

loc_8F144A:				; CODE XREF: DrvDbLoadDatabaseNode+63j
		xor	ecx, ecx
		mov	[esp+40h+var_28], ecx
		jmp	loc_7C7BEB
; 

loc_8F1455:				; CODE XREF: DrvDbLoadDatabaseNode+6Bj
		mov	esi, eax
		jmp	loc_7C7BFE
; 

loc_8F145C:				; CODE XREF: DrvDbLoadDatabaseNode+76j
		mov	edx, [edi+10h]
		test	edx, edx
		jz	short loc_8F147C
		mov	ecx, [ebx]
		lea	eax, [esp+40h+var_34]
		push	eax
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7C7BFE
		lea	eax, [edi+30h]

loc_8F147C:				; CODE XREF: DrvDbLoadDatabaseNode+1298E7j
		mov	ecx, [ebx]
		mov	edx, [edi+18h]
		test	ecx, ecx
		jz	short loc_8F1488
		mov	ecx, [ecx+74h]

loc_8F1488:				; CODE XREF: DrvDbLoadDatabaseNode+129909j
		push	eax
		push	2000000h
		push	0
		push	edx
		mov	edx, [esp+50h+var_34]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7C7BFE
		jmp	loc_7C7D95
; 

loc_8F14A9:				; CODE XREF: DrvDbLoadDatabaseNode+F9j
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_8F14C5
		cmp	eax, 0FFFFFFFFh
		jz	short loc_8F14C5
		mov	edx, edi
		mov	[esi], eax
		mov	ecx, ebx
		call	_DrvDbInitializeDatabaseNodeVersion@8 ;	DrvDbInitializeDatabaseNodeVersion(x,x)
		jmp	loc_7C7C97
; 

loc_8F14C5:				; CODE XREF: DrvDbLoadDatabaseNode+101j
					; DrvDbLoadDatabaseNode+129934j ...
		and	dword ptr [esi], 0
		jmp	loc_7C7C97
; 

loc_8F14CD:				; CODE XREF: DrvDbLoadDatabaseNode+10Cj
					; DrvDbLoadDatabaseNode+117j
		or	dword ptr [esi], 0FFFFFFFFh
		jmp	loc_7C7C97
; 

loc_8F14D5:				; CODE XREF: DrvDbLoadDatabaseNode+147j
					; DrvDbLoadDatabaseNode+14Fj
		and	dword ptr [edi+24h], 0
		xor	esi, esi
		jmp	loc_7C7CE5
; 

loc_8F14E0:				; CODE XREF: DrvDbLoadDatabaseNode+15Aj
					; DrvDbLoadDatabaseNode+165j
		or	dword ptr [edi+24h], 0FFFFFFFFh
		jmp	loc_7C7CE5
; 

loc_8F14E9:				; CODE XREF: DrvDbLoadDatabaseNode+175j
					; DrvDbLoadDatabaseNode+188j ...
		mov	edx, edi
		mov	ecx, ebx
		call	DrvDbUnloadDatabaseNode
		or	dword ptr [edi+1Ch], 4
		mov	esi, 0C0000467h
		jmp	loc_7C7BFE
; 

loc_8F1500:				; CODE XREF: DrvDbLoadDatabaseNode+A0j
		cmp	eax, 0C0000002h
		jz	loc_7C7C20
		test	esi, esi
		jnz	loc_7C7C20
		mov	esi, eax
		jmp	loc_7C7C20
; 

loc_8F151A:				; CODE XREF: DrvDbLoadDatabaseNode+AFj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7C7C2F
; END OF FUNCTION CHUNK	FOR DrvDbLoadDatabaseNode
; 
; START	OF FUNCTION CHUNK FOR DrvDbUnloadDatabaseNode

loc_8F1527:				; CODE XREF: DrvDbUnloadDatabaseNode+41j
		test	byte ptr [edi+1Ch], 2
		jz	short loc_8F156E
		xor	ecx, ecx
		lea	eax, [edi+34h]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], eax

loc_8F1538:				; CODE XREF: DrvDbUnloadDatabaseNode+1297C2j
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_8F1557
		push	edx
		call	_ZwClose@4	; ZwClose(x)
		mov	esi, eax
		test	esi, esi
		js	loc_7C7DE9
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		and	dword ptr [eax], 0

loc_8F1557:				; CODE XREF: DrvDbUnloadDatabaseNode+12979Aj
		inc	ecx
		add	eax, 4
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], eax
		cmp	ecx, 6
		jb	short loc_8F1538
		test	esi, esi
		js	loc_7C7DE9

loc_8F156E:				; CODE XREF: DrvDbUnloadDatabaseNode+129789j
		mov	eax, [edi+30h]
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	esi, eax
		test	esi, esi
		js	loc_7C7DE9
		and	dword ptr [edi+30h], 0
		jmp	loc_7C7DE9
; 

loc_8F158A:				; CODE XREF: DrvDbUnloadDatabaseNode+60j
		cmp	eax, 0C0000002h
		jz	loc_7C7E08
		test	esi, esi
		jnz	loc_7C7E08
		mov	esi, eax
		jmp	loc_7C7E08
; END OF FUNCTION CHUNK	FOR DrvDbUnloadDatabaseNode
; 
; START	OF FUNCTION CHUNK FOR PiDrvDbLoadNode

loc_8F15A4:				; CODE XREF: PiDrvDbLoadNode+35j
		mov	esi, 0C0000467h
		jmp	loc_7C7ED3
; 

loc_8F15AE:				; CODE XREF: PiDrvDbLoadNode+A0j
		mov	edx, [ebp+var_8]
		lea	eax, [ebx+24h]
		push	eax
		push	esi
		push	0
		push	offset ??_C@_1BO@JJFLMBDN@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAa?$AAb?$AAa?$AAs?$AAe@NNGAKEGL@ ; "DriverDatabase"
		xor	ecx, ecx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		push	[ebp+var_8]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		jns	loc_7C7EC9
		jmp	loc_7C7F0E
; 

loc_8F15DB:				; CODE XREF: PiDrvDbLoadNode+ADj
		mov	esi, 0C00002EBh
		jmp	loc_7C7ED3
; 

loc_8F15E5:				; CODE XREF: PiDrvDbLoadNode+CBj
		push	edi
		lea	edx, [ebx+8]
		mov	byte ptr [ebx+111h], 1
		mov	ecx, offset _KMPnPEvt_DriverDatabaseUnload_Stop
		call	_PnpDiagnosticTraceObjectWithStatus@12 ; PnpDiagnosticTraceObjectWithStatus(x,x,x)
		push	edi
		lea	edx, [ebx+8]
		mov	ecx, offset _KMPnPEvt_DriverDatabaseLoaded_Stop
		call	_PnpDiagnosticTraceObjectWithStatus@12 ; PnpDiagnosticTraceObjectWithStatus(x,x,x)
		jmp	loc_7C7F39
; 

loc_8F160D:				; CODE XREF: PiDrvDbLoadNode+106j
		cmp	byte ptr [ebx+28h], 0
		jz	short loc_8F161D
		mov	esi, 0C0000467h
		jmp	loc_7C7F76
; 

loc_8F161D:				; CODE XREF: PiDrvDbLoadNode+1297A9j
		mov	esi, [ebx+88h]
		test	esi, esi
		js	loc_7C7F76
		mov	esi, 0C0000001h
		jmp	loc_7C7F76
; END OF FUNCTION CHUNK	FOR PiDrvDbLoadNode
; 
; START	OF FUNCTION CHUNK FOR PiDrvDbUnloadNode

loc_8F1635:				; CODE XREF: PiDrvDbUnloadNode+36j
		push	0
		push	0
		lea	eax, [esi+0B8h]
		xor	edx, edx
		push	eax
		push	0
		lea	ecx, [esi+90h]
		call	KiSetTimerEx
		jmp	loc_7C7FE0
; END OF FUNCTION CHUNK	FOR PiDrvDbUnloadNode

;  S U B	R O U T	I N E 


sub_8F1654	proc near		; DATA XREF: .text:006A3A34o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F1654	endp


;  S U B	R O U T	I N E 


sub_8F1662	proc near		; DATA XREF: .text:006A3A38o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_7C80F9
sub_8F1662	endp

; 
; START	OF FUNCTION CHUNK FOR NtQuerySystemTime

loc_8F1674:				; CODE XREF: NtQuerySystemTime+22j
		push	[ebp+arg_0]
		call	KeQuerySystemTime
		jmp	loc_7C80F7
; END OF FUNCTION CHUNK	FOR NtQuerySystemTime
; 
; START	OF FUNCTION CHUNK FOR IoQuerySystemDeviceName

loc_8F1681:				; CODE XREF: IoQuerySystemDeviceName+2Fj
		cmp	_IopAmbiguousSystemDisk, 0
		mov	eax, esi
		jz	loc_7C8149
		cmp	edi, 63h
		jz	short loc_8F16C0
		cmp	edi, 62h
		jnz	loc_7C8149
		lea	edx, [ebp+var_4]
		call	_IopFindSystemDevice@8 ; IopFindSystemDevice(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_8F16B6
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F16B6:				; CODE XREF: IoQuerySystemDeviceName+129596j
		mov	eax, esi
		cmp	edi, ebx
		jnz	loc_7C8149

loc_8F16C0:				; CODE XREF: IoQuerySystemDeviceName+12957Fj
		mov	eax, 0C0000451h
		jmp	loc_7C8149
; END OF FUNCTION CHUNK	FOR IoQuerySystemDeviceName

;  S U B	R O U T	I N E 


sub_8F16CA	proc near		; DATA XREF: .text:006A3A54o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F16CA	endp


;  S U B	R O U T	I N E 


sub_8F16D8	proc near		; DATA XREF: .text:006A3A58o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-24h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edx, [ebp-20h]
		jmp	loc_7C825E
sub_8F16D8	endp

; 
; START	OF FUNCTION CHUNK FOR IopRetrieveSystemDeviceName

loc_8F16EF:				; CODE XREF: IopRetrieveSystemDeviceName+50j
		mov	edi, ecx
		jmp	loc_7C81C6
; END OF FUNCTION CHUNK	FOR IopRetrieveSystemDeviceName

;  S U B	R O U T	I N E 


sub_8F16F6	proc near		; DATA XREF: .text:006A3A60o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F16F6	endp


;  S U B	R O U T	I N E 


sub_8F1704	proc near		; DATA XREF: .text:006A3A64o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-2Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		jmp	loc_7C81F9
sub_8F1704	endp

; 
; START	OF FUNCTION CHUNK FOR SiGetFirmwareSystemPartition

loc_8F1718:				; CODE XREF: SiGetFirmwareSystemPartition+23j
					; SiGetFirmwareSystemPartition+3Fj
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		call	_SiGetDefaultSystemPartition@8 ; SiGetDefaultSystemPartition(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_8F176B
		cmp	esi, 0C0000451h
		jnz	loc_7C83ED
		test	bl, bl
		jz	loc_7C83ED
		cmp	[ebp+arg_0], 2
		jnz	loc_7C83ED
		push	edi
		push	1
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		push	eax
		push	1
		mov	edx, offset ??_C@_1CG@EEKKLGPP@?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr?$AAe?$AAB?$AAo?$AAo?$AAt?$AAD?$AAe?$AAv@NNGAKEGL@
		inc	ecx
		call	SiGetBootDeviceName
		test	eax, eax
		js	loc_7C83ED

loc_8F1764:				; CODE XREF: SiGetFirmwareSystemPartition+1293D1j
		xor	esi, esi
		jmp	loc_7C83ED
; 

loc_8F176B:				; CODE XREF: SiGetFirmwareSystemPartition+12937Ej
		mov	ecx, [edi]
		lea	edx, [ebp+var_4]
		call	SiTranslateSymbolicLink
		mov	esi, eax
		test	esi, esi
		js	short loc_8F1764
		push	0
		push	dword ptr [edi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		mov	[edi], eax
		jmp	loc_7C83ED
; END OF FUNCTION CHUNK	FOR SiGetFirmwareSystemPartition
; 
; START	OF FUNCTION CHUNK FOR SiGetBootDeviceName

loc_8F178E:				; CODE XREF: SiGetBootDeviceName+8Fj
		mov	esi, 0C0000001h
		jmp	loc_7C8539
; 

loc_8F1798:				; CODE XREF: SiGetBootDeviceName+C0j
		mov	esi, 0C000009Ah
		jmp	loc_7C8539
; 

loc_8F17A2:				; CODE XREF: SiGetBootDeviceName+117j
		push	offset ??_C@_1BE@DLNCBOIL@?$AAp?$AAa?$AAr?$AAt?$AAi?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@ ; wchar_t *
		push	ebx		; wchar_t *
		call	_wcsstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_8F17B8
		xor	ecx, ecx
		mov	[eax], cx

loc_8F17B8:				; CODE XREF: SiGetBootDeviceName+1293BBj
		mov	ecx, ebx
		xor	esi, esi
		lea	edx, [ecx+2]

loc_8F17BF:				; CODE XREF: SiGetBootDeviceName+1293D2j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_8F17BF
		sub	ecx, edx
		sar	ecx, 1
		push	4B505953h
		lea	eax, ds:2[ecx*2]
		push	eax
		push	1
		mov	[esp+3Ch+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+30h+var_10], esi
		test	esi, esi
		jnz	short loc_8F180B
		mov	esi, 0C000009Ah

loc_8F17F5:				; CODE XREF: SiGetBootDeviceName+10Cj
					; SiGetBootDeviceName+124j ...
		test	edi, edi
		jz	loc_7C8520
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7C8520
; 

loc_8F180B:				; CODE XREF: SiGetBootDeviceName+1293F8j
		push	[esp+30h+var_4]	; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		lea	edx, [esp+30h+var_20]
		mov	ecx, esi
		mov	[esp+30h+var_20], eax
		call	SiTranslateSymbolicLink
		mov	esi, eax
		test	esi, esi
		js	loc_7C8557
		mov	edi, [esp+30h+var_20]
		jmp	loc_7C8513
; 

loc_8F1846:				; CODE XREF: SiGetBootDeviceName+99j
					; SiGetBootDeviceName+A3j
		mov	esi, 0C0000001h
		jmp	loc_7C8518
; 

loc_8F1850:				; CODE XREF: SiGetBootDeviceName+13Dj
		xor	ebx, ebx
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7C853B
; END OF FUNCTION CHUNK	FOR SiGetBootDeviceName
; 
; START	OF FUNCTION CHUNK FOR SiOpenRegistryKey

loc_8F185E:				; CODE XREF: SiOpenRegistryKey+51j
		cmp	[ebp+var_4], 0
		jz	loc_7C8747
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7C8747
; END OF FUNCTION CHUNK	FOR SiOpenRegistryKey
; 
; START	OF FUNCTION CHUNK FOR SiTranslateSymbolicLink

loc_8F1875:				; CODE XREF: SiTranslateSymbolicLink+132j
		push	0
		push	[esp+44h+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7C893C
; 

loc_8F1885:				; CODE XREF: SiTranslateSymbolicLink+116j
		push	[esp+40h+var_30]
		call	_ZwClose@4	; ZwClose(x)
		and	[esp+40h+var_30], 0
		mov	eax, [esp+40h+var_24]
		jmp	loc_7C8920
; 

loc_8F189C:				; CODE XREF: SiTranslateSymbolicLink+B4j
					; SiTranslateSymbolicLink+11Ej
		test	eax, eax
		jz	loc_7C8928
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7C8928
; END OF FUNCTION CHUNK	FOR SiTranslateSymbolicLink
; 
; START	OF FUNCTION CHUNK FOR PsConvertToGuiThread

loc_8F18B1:				; CODE XREF: PsConvertToGuiThread+21j
		mov	eax, 0C000000Dh
		jmp	loc_7C8AAA
; 

loc_8F18BB:				; CODE XREF: PsConvertToGuiThread+2Ej
		mov	eax, 4000001Bh
		jmp	loc_7C8AAA
; 

loc_8F18C5:				; CODE XREF: PsConvertToGuiThread+51j
					; PsConvertToGuiThread+59j
		xor	ecx, ecx
		mov	edx, ebx
		test	edi, edi
		setnz	cl
		inc	ecx
		call	_EtwTimLogProhibitWin32kSystemCalls@8 ;	EtwTimLogProhibitWin32kSystemCalls(x,x)
		test	edi, edi
		jz	loc_7C8A1B
		mov	eax, 0C0000022h
		jmp	loc_7C8AAA
; END OF FUNCTION CHUNK	FOR PsConvertToGuiThread
; 
; START	OF FUNCTION CHUNK FOR CmpDereferenceKeyControlBlockUnsafe

loc_8F18E6:				; CODE XREF: CmpDereferenceKeyControlBlockUnsafe+Ej
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	1Fh
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8F18F5:				; CODE XREF: SeObjectCreateSaclAccessBits+4Cj
		cmp	al, 12h
		jz	loc_7C8B5A
		cmp	al, 15h
		jnz	loc_7C8B73
		jmp	loc_7C8B5A
; END OF FUNCTION CHUNK	FOR CmpDereferenceKeyControlBlockUnsafe
; 
; START	OF FUNCTION CHUNK FOR CmQueryFeatureConfigurationSections

loc_8F190A:				; CODE XREF: CmQueryFeatureConfigurationSections+2Cj
		mov	esi, 0C0000004h
		jmp	loc_7C8C0D
; END OF FUNCTION CHUNK	FOR CmQueryFeatureConfigurationSections

;  S U B	R O U T	I N E 


sub_8F1914	proc near		; DATA XREF: .text:006A3AA8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-7Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F1914	endp


;  S U B	R O U T	I N E 


sub_8F1924	proc near		; DATA XREF: .text:006A3AACo
		mov	esi, [ebp-7Ch]
		jmp	short loc_8F193C
; 

loc_8F1929:				; DATA XREF: .text:006A3A9Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-80h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_8F1939:				; DATA XREF: .text:006A3AA0o
		mov	esi, [ebp-80h]

loc_8F193C:				; CODE XREF: sub_8F1924+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7C8C0D
sub_8F1924	endp

; 
; START	OF FUNCTION CHUNK FOR CmQueryFeatureConfigurationSections

loc_8F194B:				; CODE XREF: CmQueryFeatureConfigurationSections+9Dj
		push	[ebp+arg_C]
		push	eax
		call	ObCloseHandle
		jmp	loc_7C8C1D
; END OF FUNCTION CHUNK	FOR CmQueryFeatureConfigurationSections
; 
; START	OF FUNCTION CHUNK FOR CmFcManagerQueryFeatureConfigurationSectionInformation

loc_8F1959:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+BFj
		mov	edx, 200h
		mov	[ebp+var_4C], edx
		jmp	loc_7C8D07
; 

loc_8F1966:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+D7j
		push	ecx
		push	dword ptr [ebp+arg_4]
		push	ds:_MmSectionObjectType
		push	4
		push	esi
		push	edx
		push	ebx
		call	ObOpenObjectByPointer
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7C8D7F
		mov	eax, [ebp+var_44]
		mov	ecx, [ebp+var_48]
		jmp	loc_7C8D1F
; 

loc_8F198F:				; CODE XREF: CmFcManagerQueryFeatureConfigurationSectionInformation+14Cj
		push	dword ptr [ebp+arg_4]
		push	eax
		call	ObCloseHandle
		jmp	loc_7C8D94
; END OF FUNCTION CHUNK	FOR CmFcManagerQueryFeatureConfigurationSectionInformation
; 
; START	OF FUNCTION CHUNK FOR CmpRegisterCallbackInternal

loc_8F199D:				; CODE XREF: CmpRegisterCallbackInternal+1Ej
		mov	eax, 0C000009Ah
		jmp	loc_7C8E95
; 

loc_8F19A7:				; CODE XREF: CmpRegisterCallbackInternal+7Dj
		mov	edi, 0C000009Ah

loc_8F19AC:				; CODE XREF: CmpRegisterCallbackInternal+AFj
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_8F19BB
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F19BB:				; CODE XREF: CmpRegisterCallbackInternal+128BD3j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7C8E93
; END OF FUNCTION CHUNK	FOR CmpRegisterCallbackInternal
; 
; START	OF FUNCTION CHUNK FOR CmpInsertCallbackInListByAltitude

loc_8F19C8:				; CODE XREF: CmpInsertCallbackInListByAltitude+9Fj
		cmp	[ebp+var_1], bl
		jz	short loc_8F19DB
		jmp	loc_7C8F43
; 

loc_8F19D2:				; CODE XREF: CmpInsertCallbackInListByAltitude+B8j
		cmp	[ebp+var_1], bl
		jnz	loc_7C8EF2

loc_8F19DB:				; CODE XREF: CmpInsertCallbackInListByAltitude+128B2Fj
		mov	ebx, 0C01C0011h
		jmp	loc_7C8F0D
; END OF FUNCTION CHUNK	FOR CmpInsertCallbackInListByAltitude
; 

loc_8F19E5:				; CODE XREF: PAGE:007C8F7Ej
		or	esi, 0FFFFFFFFh
		jmp	loc_7C8F8F
; 

loc_8F19ED:				; CODE XREF: PAGE:007C8F96j
		mov	eax, 0C0000040h
		jmp	loc_7C8FD7
; 

loc_8F19F7:				; CODE XREF: PAGE:007C9001j
		add	esi, 8
		mov	dword ptr [ebp-0Ch], 1
		jmp	loc_7C9007
; 

loc_8F1A06:				; CODE XREF: PAGE:007C9019j
		mov	eax, 0C000009Ah
		mov	[ebx+64h], eax
		jmp	loc_7C8FD7
; 
; START	OF FUNCTION CHUNK FOR CcPreparePinWrite

loc_8F1A13:				; CODE XREF: CcPreparePinWrite+6Cj
		lea	eax, [ebp+var_20]
		cmp	edi, eax
		jnz	short loc_8F1A3E
		push	[ebp+var_20]
		mov	edx, esi
		mov	ecx, [ebp+arg_4]
		call	_CcAllocateObcb@12 ; CcAllocateObcb(x,x,x)
		mov	[ebp+var_20], eax
		lea	edi, [eax+10h]
		mov	[ebp+var_28], edi
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+arg_18]
		mov	[eax], ecx
		mov	edx, [ebp+var_40]
		mov	ecx, [ebp+var_38]

loc_8F1A3E:				; CODE XREF: CcPreparePinWrite+128924j
		sub	ecx, edx
		add	esi, ecx
		mov	[ebp+arg_8], esi
		mov	[ebp+var_38], edx
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_34], eax
		add	edi, 4
		mov	[ebp+var_28], edi
		jmp	loc_7C9166
; 

loc_8F1A59:				; CODE XREF: CcPreparePinWrite+8Fj
		xor	bl, bl
		mov	[ebp+var_19], bl
		mov	ecx, [ebp+var_20]
		jmp	loc_7C91E1
; END OF FUNCTION CHUNK	FOR CcPreparePinWrite

;  S U B	R O U T	I N E 


sub_8F1A66	proc near		; DATA XREF: .text:006A3AC8o
		mov	ecx, [ebp-20h]
		mov	bl, [ebp-19h]
		jmp	sub_7C91F4
sub_8F1A66	endp

; 
; START	OF FUNCTION CHUNK FOR sub_7C91F4

loc_8F1A71:				; CODE XREF: sub_7C91F4+2j
		test	ecx, ecx
		jz	locret_7C91FC
		push	ecx
		call	_CcUnpinData@4	; CcUnpinData(x)
		jmp	locret_7C91FC
; END OF FUNCTION CHUNK	FOR sub_7C91F4
; 
; START	OF FUNCTION CHUNK FOR NtAddAtomEx

loc_8F1A84:				; CODE XREF: NtAddAtomEx+4Aj
		mov	eax, 0C0000022h
		jmp	loc_7C93BB
; 

loc_8F1A8E:				; CODE XREF: NtAddAtomEx+8Fj
		mov	ecx, eax
		jmp	loc_7C930F
; END OF FUNCTION CHUNK	FOR NtAddAtomEx

;  S U B	R O U T	I N E 


sub_8F1A95	proc near		; DATA XREF: .text:006A3B04o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-230h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F1A95	endp


;  S U B	R O U T	I N E 


sub_8F1AA6	proc near		; DATA XREF: .text:006A3B08o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-230h]
		jmp	loc_7C93BB
sub_8F1AA6	endp


;  S U B	R O U T	I N E 


sub_8F1ABB	proc near		; DATA XREF: .text:006A3B10o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-234h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F1ABB	endp


;  S U B	R O U T	I N E 


sub_8F1ACC	proc near		; DATA XREF: .text:006A3B14o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-234h]
		jmp	loc_7C93B2
sub_8F1ACC	endp

; 
; START	OF FUNCTION CHUNK FOR NtAddAtomEx

loc_8F1ADA:				; CODE XREF: NtAddAtomEx+2Dj
					; NtAddAtomEx+56j
		mov	eax, 0C000000Dh
		jmp	loc_7C93BB
; END OF FUNCTION CHUNK	FOR NtAddAtomEx
; 
; START	OF FUNCTION CHUNK FOR NtSetInformationKey

loc_8F1AE4:				; CODE XREF: NtSetInformationKey+3Cj
		mov	edx, 20000h
		lea	ecx, [ebp+var_3C]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		jmp	loc_7C9428
; 

loc_8F1AF6:				; CODE XREF: NtSetInformationKey+8Aj
		mov	esi, 0C0000189h
		jmp	short loc_8F1B10
; 

loc_8F1AFD:				; CODE XREF: NtSetInformationKey+1287CDj
		mov	ecx, [ebp+var_6C]
		mov	eax, [ecx+8]
		mov	[ebp+var_58], eax
		call	ObfDereferenceObject

loc_8F1B0B:				; CODE XREF: NtSetInformationKey+128795j
					; NtSetInformationKey+12879Cj ...
		mov	esi, 0C0000004h

loc_8F1B10:				; CODE XREF: NtSetInformationKey+128715j
					; NtSetInformationKey+12877Ej
		mov	al, bl
		jmp	loc_8F1D2D
; 

loc_8F1B17:				; CODE XREF: NtSetInformationKey+CEj
		cmp	ds:_CmpTraceRoutine, ebx
		jz	short loc_8F1B5F
		mov	ecx, [ebp+var_5C]
		test	ecx, ecx
		jz	short loc_8F1B5F
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_54], al
		mov	eax, ds:_CmKeyObjectType
		mov	[ebp+var_68], ebx
		push	ebx
		lea	edx, [ebp+var_68]
		push	edx
		push	[ebp+var_54]
		push	eax
		push	ebx
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8F1B5F
		mov	ecx, [ebp+var_68]
		mov	eax, [ecx+8]
		mov	[ebp+var_58], eax
		call	ObfDereferenceObject

loc_8F1B5F:				; CODE XREF: NtSetInformationKey+128737j
					; NtSetInformationKey+12873Ej ...
		mov	esi, 0C0000003h
		jmp	short loc_8F1B10
; 

loc_8F1B66:				; CODE XREF: NtSetInformationKey+B2j
					; NtSetInformationKey+C5j
		push	4
		jmp	short loc_8F1B6C
; 

loc_8F1B6A:				; CODE XREF: NtSetInformationKey+A9j
		push	8

loc_8F1B6C:				; CODE XREF: NtSetInformationKey+128782j
		mov	[ebp+var_3F], 1
		jmp	loc_7C94BF
; 

loc_8F1B75:				; CODE XREF: NtSetInformationKey+DDj
		cmp	ds:_CmpTraceRoutine, ebx
		jz	short loc_8F1B0B
		mov	ecx, [ebp+var_5C]
		test	ecx, ecx
		jz	short loc_8F1B0B
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_54], al
		mov	eax, ds:_CmKeyObjectType
		mov	[ebp+var_6C], ebx
		push	ebx
		lea	edx, [ebp+var_6C]
		push	edx
		push	[ebp+var_54]
		push	eax
		push	ebx
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_8F1B0B
		jmp	loc_8F1AFD
; 

loc_8F1BB8:				; CODE XREF: NtSetInformationKey+EBj
		lea	ecx, [edi+eax]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	short loc_8F1BCD
		cmp	ecx, edi
		jnb	loc_7C94D7

loc_8F1BCD:				; CODE XREF: NtSetInformationKey+1287DDj
		mov	[edx], bl
		jmp	loc_7C94D7
; 

loc_8F1BD4:				; CODE XREF: NtSetInformationKey+139j
		cmp	[ebp+var_3F], 0
		jnz	short loc_8F1BEB
		mov	esi, eax
		jmp	short loc_8F1BE3
; 

loc_8F1BDE:				; CODE XREF: NtSetInformationKey+128825j
					; NtSetInformationKey+12885Aj
		mov	esi, 0C0000022h

loc_8F1BE3:				; CODE XREF: NtSetInformationKey+147j
					; NtSetInformationKey+1287F6j ...
		mov	al, [ebp+var_3D]
		jmp	loc_7C9609
; 

loc_8F1BEB:				; CODE XREF: NtSetInformationKey+1287F2j
		lea	eax, [ebp+var_9C]
		push	eax
		call	SeCaptureSubjectContext
		mov	[ebp+var_3D], 1
		lea	edx, [ebp+var_54]
		lea	ecx, [ebp+var_9C]
		call	CmDoVirtualTest
		test	al, al
		jz	short loc_8F1BDE
		mov	eax, ds:_CmKeyObjectType
		mov	[ebp+var_7C], ebx
		push	ebx
		lea	ecx, [ebp+var_7C]
		push	ecx
		push	[ebp+var_78]
		push	eax
		push	20019h
		push	[ebp+var_5C]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	edi, [ebp+var_7C]
		mov	[ebp+var_48], edi
		test	esi, esi
		js	short loc_8F1BE3
		mov	ecx, edi
		call	_CmKeyBodyNeedsVirtualImage@4 ;	CmKeyBodyNeedsVirtualImage(x)
		test	al, al
		jz	short loc_8F1BDE
		mov	esi, ebx
		mov	dl, 1
		mov	[ebp+var_3E], dl
		jmp	loc_7C9528
; 

loc_8F1C4E:				; CODE XREF: NtSetInformationKey+154j
		test	edi, edi
		jz	loc_7C9540
		mov	eax, [edi+8]
		mov	[ebp+var_58], eax
		jmp	loc_7C9540
; 

loc_8F1C61:				; CODE XREF: NtSetInformationKey+15Ej
		mov	ecx, [edi+8]
		test	byte ptr [ecx+4], 80h
		jnz	short loc_8F1C77
		call	_CmpIsKcbImmutable@4 ; CmpIsKcbImmutable(x)
		test	al, al
		jz	loc_7C954A

loc_8F1C77:				; CODE XREF: NtSetInformationKey+128882j
		mov	esi, 0C0000022h
		mov	al, dl
		jmp	loc_7C9609
; 

loc_8F1C83:				; CODE XREF: NtSetInformationKey+1C4j
		lea	ecx, [esi+3FFFFAFDh]
		neg	ecx
		sbb	ecx, ecx
		and	esi, ecx
		jmp	short loc_8F1CA0
; 

loc_8F1C91:				; CODE XREF: NtSetInformationKey+1E1j
		lea	edx, [ebp+var_64]
		mov	edi, [ebp+var_48]
		mov	ecx, edi
		call	_CmSetLastWriteTimeKey@8 ; CmSetLastWriteTimeKey(x,x)

loc_8F1C9E:				; CODE XREF: NtSetInformationKey+128910j
		mov	esi, eax

loc_8F1CA0:				; CODE XREF: NtSetInformationKey+1288A9j
		mov	al, [ebp+var_3E]
		jmp	loc_7C9609
; 

loc_8F1CA8:				; CODE XREF: NtSetInformationKey+1D3j
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_9C]
		push	eax
		push	2
		mov	dl, [ebp+var_49]
		lea	ecx, [ebp+var_48]
		call	_CmKeyBodyReplicateToVirtual@20	; CmKeyBodyReplicateToVirtual(x,x,x,x,x)
		mov	esi, eax
		mov	cl, [ebp+var_3E]
		mov	al, cl
		test	esi, esi
		js	short loc_8F1D2D
		jmp	loc_7C95BF
; 

loc_8F1CD0:				; CODE XREF: NtSetInformationKey+205j
		push	[ebp+var_64]
		push	4
		jmp	short loc_8F1CE3
; 

loc_8F1CD7:				; CODE XREF: NtSetInformationKey+1FCj
		push	[ebp+var_64]
		push	3
		jmp	short loc_8F1CE3
; 

loc_8F1CDE:				; CODE XREF: NtSetInformationKey+1F3j
		push	[ebp+var_64]
		push	2

loc_8F1CE3:				; CODE XREF: NtSetInformationKey+1288EFj
					; NtSetInformationKey+1288F6j
		pop	edx
		jmp	short loc_8F1CEC
; 

loc_8F1CE6:				; CODE XREF: NtSetInformationKey+1EAj
		push	[ebp+var_64]
		xor	edx, edx
		inc	edx

loc_8F1CEC:				; CODE XREF: NtSetInformationKey+1288FEj
		mov	edi, [ebp+var_48]
		mov	ecx, edi
		call	_CmSetKeyFlags@12 ; CmSetKeyFlags(x,x,x)
		jmp	short loc_8F1C9E
; END OF FUNCTION CHUNK	FOR NtSetInformationKey

;  S U B	R O U T	I N E 


sub_8F1CF8	proc near		; DATA XREF: .text:006A3B2Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-88h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F1CF8	endp


;  S U B	R O U T	I N E 


sub_8F1D09	proc near		; DATA XREF: .text:006A3B30o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-88h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	al, bl
		mov	[ebp-41h], al
		mov	[ebp-40h], al
		mov	ecx, ebx
		mov	[ebp-58h], ecx
		jmp	short loc_8F1D2D
sub_8F1D09	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationKey

loc_8F1D2A:				; CODE XREF: NtSetInformationKey+20Ej
		mov	al, [ebp+var_3D]

loc_8F1D2D:				; CODE XREF: NtSetInformationKey+12872Cj
					; NtSetInformationKey+1288E3j ...
		mov	edi, [ebp+var_48]
		jmp	loc_7C9609
; 

loc_8F1D35:				; CODE XREF: NtSetInformationKey+225j
		lea	eax, [ebp+var_9C]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_7C9611
; 

loc_8F1D46:				; CODE XREF: NtSetInformationKey+26Aj
		push	ebx
		push	[ebp+var_58]
		push	ebx
		push	esi
		lea	ecx, [ebp+var_3C]
		push	ecx
		push	14h
		call	eax
		jmp	loc_7C9656
; END OF FUNCTION CHUNK	FOR NtSetInformationKey
; 
; START	OF FUNCTION CHUNK FOR ExpWin32OpenProcedure

loc_8F1D59:				; CODE XREF: ExpWin32OpenProcedure+59j
		lea	eax, [ebp+arg_C]
		push	eax
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		push	25h
		jmp	loc_7C9717
; END OF FUNCTION CHUNK	FOR ExpWin32OpenProcedure
; 
; START	OF FUNCTION CHUNK FOR ExpWin32OkayToCloseProcedure

loc_8F1D6A:				; CODE XREF: ExpWin32OkayToCloseProcedure+64j
		lea	eax, [esp+20h+var_14]
		push	eax
		push	1
		lea	eax, [esp+28h+var_10]
		push	eax
		push	26h
		jmp	loc_7C9800
; END OF FUNCTION CHUNK	FOR ExpWin32OkayToCloseProcedure
; 
; START	OF FUNCTION CHUNK FOR RtlpValidRelativeAttribute

loc_8F1D7D:				; CODE XREF: RtlpValidRelativeAttribute+94j
		cmp	eax, 3
		jz	loc_8F1EDD
		cmp	eax, 5
		jz	loc_8F1E6F
		cmp	eax, 6
		jz	short loc_8F1E03
		cmp	ecx, 10h
		jnz	loc_7C99B4
		cmp	[ebp+var_4], esi
		jbe	loc_7C99AD
		lea	eax, [edi+10h]
		push	4
		mov	[ebp+var_C], eax
		pop	edx

loc_8F1DAF:				; CODE XREF: RtlpValidRelativeAttribute+12850Cj
		mov	ecx, [eax]
		mov	[ebp+var_8], ecx
		cmp	ebx, ecx
		jb	loc_7C99B4
		mov	eax, ebx
		sub	eax, ecx
		cmp	eax, edx
		jb	loc_7C99B4
		mov	eax, [ecx+edi]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_7C99B4
		mov	eax, ebx
		sub	eax, [ebp+var_8]
		cmp	eax, [ebp+var_10]
		jb	loc_7C99B4
		mov	eax, [ebp+var_C]
		inc	esi
		push	4
		pop	edx
		add	eax, edx
		mov	[ebp+var_C], eax
		cmp	esi, [ebp+var_4]
		jb	short loc_8F1DAF
		jmp	loc_7C99AD
; 

loc_8F1E03:				; CODE XREF: RtlpValidRelativeAttribute+1284A2j
		mov	edx, esi
		cmp	[ebp+var_4], edx
		jz	loc_7C99AD
		lea	eax, [edi+10h]
		mov	[ebp+var_8], eax

loc_8F1E14:				; CODE XREF: RtlpValidRelativeAttribute+128578j
		mov	eax, [eax]
		mov	[ebp+var_C], eax
		cmp	ebx, eax
		jb	loc_7C99B4
		mov	eax, ebx
		sub	eax, [ebp+var_C]
		cmp	eax, 8
		jb	loc_7C99B4
		mov	eax, [ebp+var_C]
		mov	ecx, [eax+edi]
		mov	[ebp+var_C], ecx
		mov	ecx, [eax+edi+4]
		mov	eax, [ebp+var_C]
		mov	[ebp+var_10], ecx
		or	eax, ecx
		mov	ecx, [ebp+var_4]
		jz	short loc_8F1E5C
		cmp	[ebp+var_C], 1
		jnz	loc_7C99B4
		cmp	[ebp+var_10], esi
		jnz	loc_7C99B4

loc_8F1E5C:				; CODE XREF: RtlpValidRelativeAttribute+128557j
		mov	eax, [ebp+var_8]
		inc	edx
		add	eax, 4
		mov	[ebp+var_8], eax
		cmp	edx, ecx
		jb	short loc_8F1E14
		jmp	loc_7C99AD
; 

loc_8F1E6F:				; CODE XREF: RtlpValidRelativeAttribute+128499j
		cmp	[ebp+var_4], esi
		jbe	loc_7C99AD
		lea	eax, [edi+10h]
		push	4
		mov	[ebp+var_C], eax
		pop	edx

loc_8F1E81:				; CODE XREF: RtlpValidRelativeAttribute+1285E6j
		mov	ecx, [eax]
		mov	[ebp+var_8], ecx
		cmp	ebx, ecx
		jb	loc_7C99B4
		mov	eax, ebx
		sub	eax, ecx
		cmp	eax, edx
		jb	loc_7C99B4
		mov	eax, [ecx+edi]
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_7C99B4
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_7C99B4
		mov	eax, ebx
		sub	eax, [ebp+var_8]
		cmp	eax, [ebp+var_10]
		jb	loc_7C99B4
		mov	eax, [ebp+var_C]
		inc	esi
		push	4
		pop	edx
		add	eax, edx
		mov	[ebp+var_C], eax
		cmp	esi, [ebp+var_4]
		jb	short loc_8F1E81
		jmp	loc_7C99AD
; 

loc_8F1EDD:				; CODE XREF: RtlpValidRelativeAttribute+128490j
		cmp	[ebp+var_4], esi
		jbe	loc_7C99AD
		lea	eax, [edi+10h]
		mov	[ebp+var_C], eax

loc_8F1EEC:				; CODE XREF: RtlpValidRelativeAttribute+128636j
		mov	eax, [eax]
		cmp	ebx, eax
		jb	loc_7C99B4
		mov	edx, ebx
		sub	edx, eax
		cmp	edx, 2
		jb	loc_7C99B4
		lea	ecx, [ebp+var_10]
		push	ecx
		lea	ecx, [eax+edi]
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		test	eax, eax
		js	loc_7C99B4
		mov	eax, [ebp+var_C]
		inc	esi
		push	4
		pop	ecx
		add	eax, ecx
		mov	[ebp+var_C], eax
		cmp	esi, [ebp+var_4]
		jb	short loc_8F1EEC
		jmp	loc_7C99AD
; END OF FUNCTION CHUNK	FOR RtlpValidRelativeAttribute
; 
; START	OF FUNCTION CHUNK FOR _PnpValidatePropertyData

loc_8F1F2D:				; CODE XREF: _PnpValidatePropertyData+1Dj
		mov	esi, 0C000000Dh
		jmp	loc_7C9B69
; 

loc_8F1F37:				; CODE XREF: _PnpValidatePropertyData+138j
		dec	eax
		sub	eax, 1
		jmp	loc_7C9AC2
; END OF FUNCTION CHUNK	FOR _PnpValidatePropertyData
; 
; START	OF FUNCTION CHUNK FOR PcwCreateInstance

loc_8F1F40:				; CODE XREF: PcwCreateInstance+13j
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		call	_ExpPcwDisabledStatus@0	; ExpPcwDisabledStatus()
		mov	esi, eax
		jmp	loc_7C9CBA
; END OF FUNCTION CHUNK	FOR PcwCreateInstance
; 
; START	OF FUNCTION CHUNK FOR NtGetMUIRegistryInfo

loc_8F1F52:				; CODE XREF: NtGetMUIRegistryInfo+40j
					; NtGetMUIRegistryInfo+4Cj ...
		mov	esi, 0C0000001h
		jmp	loc_7C9E7B
; 

loc_8F1F5C:				; CODE XREF: NtGetMUIRegistryInfo+81j
					; NtGetMUIRegistryInfo+91j ...
		mov	esi, 0C000000Dh
		jmp	loc_7C9E7B
; 

loc_8F1F66:				; CODE XREF: NtGetMUIRegistryInfo+66j
		mov	eax, ecx
		jmp	loc_7C9D9C
; 

loc_8F1F6D:				; CODE XREF: NtGetMUIRegistryInfo+EFj
		test	byte ptr [ebp+arg_0], 2
		jz	short loc_8F1F52
		and	_MUIRegistryInfo, 0
		and	_MUIRegistryInfoSize, 0
		jmp	loc_7CA019
; 

loc_8F1F86:				; CODE XREF: NtGetMUIRegistryInfo+26Dj
		mov	ecx, 8002h
		jmp	short loc_8F1F92
; 

loc_8F1F8D:				; CODE XREF: NtGetMUIRegistryInfo+12826Ej
		mov	ecx, 8001h

loc_8F1F92:				; CODE XREF: NtGetMUIRegistryInfo+12825Bj
		call	_MUIBugCheck@4	; MUIBugCheck(x)

loc_8F1F97:				; CODE XREF: NtGetMUIRegistryInfo+277j
		cmp	ds:_PsUILanguageComitted, 0
		jnz	short loc_8F1F8D
		call	_MigrateOOBELanguageToInstallationLanguage@0 ; MigrateOOBELanguageToInstallationLanguage()
		jmp	loc_7C9FAD
; 

loc_8F1FAA:				; CODE XREF: NtGetMUIRegistryInfo+281j
		mov	ax, ds:_PsInstallUILanguageId
		mov	ds:_PsMachineUILanguageId, ax
		jmp	loc_7C9FB7
; 

loc_8F1FBB:				; CODE XREF: NtGetMUIRegistryInfo+227j
					; NtGetMUIRegistryInfo+248j ...
		or	_MUIRegistryInfo, 0FFFFFFFFh
		and	_MUIRegistryInfoSize, 0
		jmp	loc_7C9E7B
; 

loc_8F1FCE:				; CODE XREF: NtGetMUIRegistryInfo+119j
		mov	esi, 0C0000023h
		jmp	loc_7C9E53
; 

loc_8F1FD8:				; CODE XREF: NtGetMUIRegistryInfo+12Fj
		mov	ecx, eax
		jmp	loc_7C9E65
; END OF FUNCTION CHUNK	FOR NtGetMUIRegistryInfo

;  S U B	R O U T	I N E 


sub_8F1FDF	proc near		; DATA XREF: .text:006A3B58o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F1FDF	endp


;  S U B	R O U T	I N E 


sub_8F1FED	proc near		; DATA XREF: .text:006A3B5Co
		mov	esi, [ebp-28h]
		jmp	short loc_8F202E
sub_8F1FED	endp

; 
; START	OF FUNCTION CHUNK FOR NtGetMUIRegistryInfo

loc_8F1FF2:				; CODE XREF: NtGetMUIRegistryInfo+2BDj
		test	byte ptr [ebp+arg_0], 8
		jz	loc_8F1F5C
		mov	eax, ds:0FFDF03A4h
		inc	eax
		mov	ds:0FFDF03A4h, eax
		mov	ecx, _MUIRegistryInfo
		test	ecx, ecx
		jz	loc_7CA019
		mov	[ecx+0Ch], eax
		jmp	loc_7CA019
; END OF FUNCTION CHUNK	FOR NtGetMUIRegistryInfo

;  S U B	R O U T	I N E 


sub_8F201D	proc near		; DATA XREF: .text:006A3B4Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F201D	endp


;  S U B	R O U T	I N E 


sub_8F202B	proc near		; DATA XREF: .text:006A3B50o
		mov	esi, [ebp-2Ch]

loc_8F202E:				; CODE XREF: sub_8F1FED+3j
		mov	esp, [ebp-18h]
		jmp	loc_7C9E74
sub_8F202B	endp

; 
; START	OF FUNCTION CHUNK FOR ExpWin32CloseProcedure

loc_8F2036:				; CODE XREF: ExpWin32CloseProcedure+53j
		lea	eax, [esp+18h+var_14]
		push	eax
		push	1
		lea	eax, [esp+20h+var_10]
		push	eax
		push	27h
		jmp	loc_7CA14F
; END OF FUNCTION CHUNK	FOR ExpWin32CloseProcedure
; 
; START	OF FUNCTION CHUNK FOR PspAllocateAndQueryProcessNotificationChannel

loc_8F2049:				; CODE XREF: PspAllocateAndQueryProcessNotificationChannel+D8j
		mov	[ebp+var_66], 1
		jmp	loc_7CA294
; 

loc_8F2052:				; CODE XREF: PspAllocateAndQueryProcessNotificationChannel+162j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	ebx
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		jmp	loc_7CA2F4
; 

loc_8F2065:				; CODE XREF: PspAllocateAndQueryProcessNotificationChannel+16Cj
		lea	eax, [ebp+var_64]
		push	eax
		call	_ZwDeleteWnfStateName@4	; ZwDeleteWnfStateName(x)
		jmp	loc_7CA2FE
; END OF FUNCTION CHUNK	FOR PspAllocateAndQueryProcessNotificationChannel
; 
; START	OF FUNCTION CHUNK FOR SepFilterPrivilegeAudits

loc_8F2073:				; CODE XREF: SepFilterPrivilegeAudits+B6j
		mov	eax, [edx]
		cmp	eax, [ecx+4]
		jz	short loc_8F2082
		mov	eax, [ebp+var_4]
		jmp	loc_7CA45C
; 

loc_8F2082:				; CODE XREF: SepFilterPrivilegeAudits+127CD8j
		inc	edi
		jmp	loc_7CA468
; END OF FUNCTION CHUNK	FOR SepFilterPrivilegeAudits
; 
; START	OF FUNCTION CHUNK FOR AlpcpAllocateMessageFunction

loc_8F2088:				; CODE XREF: AlpcpAllocateMessageFunction+42j
		mov	ecx, edi
		call	_AlpcpAllocateMessageFromExtendedTables@4 ; AlpcpAllocateMessageFromExtendedTables(x)
		test	eax, eax
		jnz	loc_7CA4CE
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		jmp	loc_7CA4DB
; END OF FUNCTION CHUNK	FOR AlpcpAllocateMessageFunction
; 
; START	OF FUNCTION CHUNK FOR KeBuildLogicalProcessorSystemInformation

loc_8F20A5:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+56j
		or	edi, 0FFFFFFFFh
		jmp	loc_7CA541
; 

loc_8F20AD:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+79j
		or	edi, 0FFFFFFFFh
		jmp	loc_7CA564
; 

loc_8F20B5:				; CODE XREF: KeBuildLogicalProcessorSystemInformation+E9j
		mov	edi, [ebp+var_20]
		jmp	loc_7CA66C
; END OF FUNCTION CHUNK	FOR KeBuildLogicalProcessorSystemInformation
; 
; START	OF FUNCTION CHUNK FOR SepIsSiblingTokenByPointer

loc_8F20BD:				; CODE XREF: SepIsSiblingTokenByPointer+2Ej
		mov	eax, 0C0000001h
		jmp	loc_7CA9EC
; 

loc_8F20C7:				; CODE XREF: SepIsSiblingTokenByPointer+AEj
		cmp	esi, [edx+5Ch]
		jnz	loc_7CA9D0
		mov	eax, [ebp+var_4]
		cmp	eax, [edx+60h]
		jnz	loc_7CA9D0
		mov	eax, [ebp+var_18]
		cmp	eax, [ecx+5Ch]
		jnz	loc_7CA9D0
		mov	eax, [ebp+var_1C]
		cmp	eax, [ecx+60h]
		jnz	loc_7CA9D0
		mov	eax, [ebp+var_8]
		mov	byte ptr [eax],	1
		jmp	loc_7CA9D0
; END OF FUNCTION CHUNK	FOR SepIsSiblingTokenByPointer
; 
; START	OF FUNCTION CHUNK FOR SepIsChildTokenByPointer

loc_8F20FF:				; CODE XREF: SepIsChildTokenByPointer+4Aj
		cmp	ecx, [ebp+var_8]
		jnz	loc_7CAA4E
		mov	byte ptr [edi],	1
		jmp	loc_7CAA4E
; END OF FUNCTION CHUNK	FOR SepIsChildTokenByPointer
; 
; START	OF FUNCTION CHUNK FOR NtCompareTokens

loc_8F2110:				; CODE XREF: NtCompareTokens+3Aj
		mov	ecx, eax
		jmp	loc_7CAA9C
; END OF FUNCTION CHUNK	FOR NtCompareTokens

;  S U B	R O U T	I N E 


sub_8F2117	proc near		; DATA XREF: .text:006A3B74o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F2117	endp


;  S U B	R O U T	I N E 


sub_8F2125	proc near		; DATA XREF: .text:006A3B78o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3Ch]
		jmp	loc_7CAC89
sub_8F2125	endp

; 
; START	OF FUNCTION CHUNK FOR NtCompareTokens

loc_8F2137:				; CODE XREF: NtCompareTokens+6Ej
		mov	edi, ebx
		mov	esi, [ebp+var_28]
		jmp	loc_7CAC4C
; 

loc_8F2141:				; CODE XREF: NtCompareTokens+7Aj
		mov	bl, 1
		mov	esi, [ebp+var_28]
		jmp	loc_7CAC4E
; 

loc_8F214B:				; CODE XREF: NtCompareTokens+129j
		push	dword ptr [esi+1E0h]
		push	dword ptr [edi+1E0h]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	loc_7CAC4C
		push	dword ptr [esi+1E8h]
		push	dword ptr [esi+1E4h]
		mov	edx, [edi+1E8h]
		mov	ecx, [edi+1E4h]
		call	SepCompareSidAndAttributeArrays
		test	al, al
		jz	loc_7CAC4C
		jmp	loc_7CAB8B
; 

loc_8F218E:				; CODE XREF: NtCompareTokens+14Fj
		push	ebx
		push	edx
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	loc_7CAC4C
		jmp	loc_7CABB1
; 

loc_8F21A2:				; CODE XREF: NtCompareTokens+16Dj
		push	edi
		call	_SeTokenIsWriteRestricted@4 ; SeTokenIsWriteRestricted(x)
		mov	bl, al
		push	esi
		call	_SeTokenIsWriteRestricted@4 ; SeTokenIsWriteRestricted(x)
		cmp	bl, al
		jnz	loc_7CAC4C
		push	dword ptr [esi+80h]
		push	dword ptr [esi+98h]
		mov	edx, [edi+80h]
		mov	ecx, [edi+98h]
		call	SepCompareSidAndAttributeArrays
		test	al, al
		jz	loc_7CAC4C
		jmp	loc_7CABCF
; END OF FUNCTION CHUNK	FOR NtCompareTokens

;  S U B	R O U T	I N E 


sub_8F21E2	proc near		; DATA XREF: .text:006A3B80o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F21E2	endp


;  S U B	R O U T	I N E 


sub_8F21F0	proc near		; DATA XREF: .text:006A3B84o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-40h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7CAC89
sub_8F21F0	endp

; 
; START	OF FUNCTION CHUNK FOR AuthzBasepCompareSecurityAttribute

loc_8F2202:				; CODE XREF: AuthzBasepCompareSecurityAttribute+56j
		cmp	eax, 6
		jz	loc_7CADEC
		cmp	edx, 10h
		jnz	loc_7CADF4
		jmp	loc_7CADBA
; END OF FUNCTION CHUNK	FOR AuthzBasepCompareSecurityAttribute
; 
; START	OF FUNCTION CHUNK FOR SepCompareClaimAttributes

loc_8F2219:				; CODE XREF: SepCompareClaimAttributes+20j
		test	edi, edi
		jz	short loc_8F2237
		cmp	[edi+120h], eax
		mov	dh, 1
		setnz	cl
		cmp	[edi+124h], eax
		setnz	bl
		cmp	[edi], eax
		jz	short loc_8F2237
		mov	bh, dh

loc_8F2237:				; CODE XREF: SepCompareClaimAttributes+127421j
					; SepCompareClaimAttributes+127439j
		test	esi, esi
		jz	short loc_8F2257
		cmp	[esi+120h], eax
		mov	[ebp+var_1], 1
		setnz	dl
		cmp	[esi+124h], eax
		setnz	ch
		cmp	[esi], eax
		jz	short loc_8F2257
		mov	al, 1

loc_8F2257:				; CODE XREF: SepCompareClaimAttributes+12743Fj
					; SepCompareClaimAttributes+127459j
		cmp	dh, [ebp+var_1]
		jnz	short loc_8F22C1
		cmp	cl, dl
		jnz	short loc_8F22C1
		cmp	bl, ch
		jnz	short loc_8F22C1
		cmp	bh, al
		jnz	short loc_8F22C1
		test	dh, dh
		jz	loc_7CAE20
		test	cl, cl
		jz	short loc_8F2289
		mov	edx, [esi+120h]
		mov	ecx, [edi+120h]
		call	_AuthzBasepCompareSecurityAttributesInformation@8 ; AuthzBasepCompareSecurityAttributesInformation(x,x)
		test	al, al
		jz	short loc_8F22C1

loc_8F2289:				; CODE XREF: SepCompareClaimAttributes+127478j
		test	bl, bl
		jz	short loc_8F22A2
		mov	edx, [esi+124h]
		mov	ecx, [edi+124h]
		call	_AuthzBasepCompareSecurityAttributesInformation@8 ; AuthzBasepCompareSecurityAttributesInformation(x,x)
		test	al, al
		jz	short loc_8F22C1

loc_8F22A2:				; CODE XREF: SepCompareClaimAttributes+127491j
		test	bh, bh
		jz	loc_7CAE20
		push	dword ptr [esi]
		mov	edx, [edi]
		push	dword ptr [esi+4]
		mov	ecx, [edi+4]
		call	SepCompareSidAndAttributeArrays
		test	al, al
		jnz	loc_7CAE20

loc_8F22C1:				; CODE XREF: SepCompareClaimAttributes+127460j
					; SepCompareClaimAttributes+127464j ...
		xor	al, al
		jmp	loc_7CAE22
; END OF FUNCTION CHUNK	FOR SepCompareClaimAttributes
; 
; START	OF FUNCTION CHUNK FOR SepCompareSidAndAttributeArrays

loc_8F22C8:				; CODE XREF: SepCompareSidAndAttributeArrays+5Cj
		mov	eax, esi
		mov	[ebp+var_8], esi
		jb	short loc_8F22D4
		jmp	short loc_8F2329
; 

loc_8F22D1:				; CODE XREF: SepCompareSidAndAttributeArrays+1274FFj
		mov	ecx, [ebp+var_4]

loc_8F22D4:				; CODE XREF: SepCompareSidAndAttributeArrays+1274A5j
		mov	ebx, esi
		cmp	esi, [ebp+arg_4]
		jnb	short loc_8F2318
		mov	ecx, [ecx+eax*8]
		mov	edi, [ebp+var_8]
		mov	esi, [ebp+var_4]
		mov	[ebp+var_10], ecx

loc_8F22E7:				; CODE XREF: SepCompareSidAndAttributeArrays+1274E5j
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+ebx*8]
		push	ecx
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_8F2306
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+ebx*8+4]
		xor	eax, [esi+edi*8+4]
		test	al, 14h
		jz	short loc_8F230F

loc_8F2306:				; CODE XREF: SepCompareSidAndAttributeArrays+1274CDj
		mov	ecx, [ebp+var_10]
		inc	ebx
		cmp	ebx, [ebp+arg_4]
		jb	short loc_8F22E7

loc_8F230F:				; CODE XREF: SepCompareSidAndAttributeArrays+1274DCj
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_14]
		mov	eax, [ebp+var_8]

loc_8F2318:				; CODE XREF: SepCompareSidAndAttributeArrays+1274B1j
		cmp	ebx, [ebp+arg_4]
		jz	loc_7CAE93
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, edi
		jb	short loc_8F22D1

loc_8F2329:				; CODE XREF: SepCompareSidAndAttributeArrays+1274A7j
		mov	eax, esi
		mov	[ebp+var_8], esi
		cmp	esi, [ebp+arg_4]
		jnb	loc_7CAE8A

loc_8F2337:				; CODE XREF: SepCompareSidAndAttributeArrays+127560j
		mov	ebx, esi
		cmp	esi, edi
		jnb	short loc_8F2379
		mov	ecx, [ebp+arg_0]
		mov	esi, [ebp+var_8]
		mov	ecx, [ecx+eax*8]
		mov	[ebp+var_14], ecx

loc_8F2349:				; CODE XREF: SepCompareSidAndAttributeArrays+127549j
		mov	eax, [ebp+var_4]
		push	dword ptr [eax+ebx*8]
		push	ecx
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_8F236B
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax+ebx*8+4]
		xor	eax, [ecx+esi*8+4]
		test	al, 14h
		jz	short loc_8F2373

loc_8F236B:				; CODE XREF: SepCompareSidAndAttributeArrays+12752Fj
		mov	ecx, [ebp+var_14]
		inc	ebx
		cmp	ebx, edi
		jb	short loc_8F2349

loc_8F2373:				; CODE XREF: SepCompareSidAndAttributeArrays+127541j
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+var_8]

loc_8F2379:				; CODE XREF: SepCompareSidAndAttributeArrays+127513j
		cmp	ebx, edi
		jz	loc_7CAE93
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+arg_4]
		jb	short loc_8F2337
		jmp	loc_7CAE8A
; END OF FUNCTION CHUNK	FOR SepCompareSidAndAttributeArrays
; 
; START	OF FUNCTION CHUNK FOR NtGetCachedSigningLevel

loc_8F238F:				; CODE XREF: NtGetCachedSigningLevel+144j
		cmp	cl, 1
		jnz	short loc_8F23A6
		push	4
		push	4
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	edx, [ebp+var_74]
		mov	cl, [ebp+var_5D]
		mov	eax, esi

loc_8F23A6:				; CODE XREF: NtGetCachedSigningLevel+1274FAj
		test	dl, 2
		jz	short loc_8F2411
		mov	edi, [ebp+var_78]
		cmp	[ebx], edi
		jb	short loc_8F23DD
		mov	esi, [ebp+var_7C]
		test	esi, esi
		jz	short loc_8F23DD
		cmp	cl, 1
		jnz	short loc_8F23CA
		push	1
		push	edi
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	edi, [ebp+var_78]

loc_8F23CA:				; CODE XREF: NtGetCachedSigningLevel+127524j
		push	edi		; size_t
		lea	eax, [ebp+var_5C]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	esi, [ebp+var_64]
		jmp	short loc_8F23E8
; 

loc_8F23DD:				; CODE XREF: NtGetCachedSigningLevel+127518j
					; NtGetCachedSigningLevel+12751Fj
		mov	esi, 0C0000023h
		mov	[ebp+var_8C], esi

loc_8F23E8:				; CODE XREF: NtGetCachedSigningLevel+127543j
		mov	[ebx], edi
		mov	ebx, [ebp+var_84]
		test	ebx, ebx
		jz	short loc_8F2409
		cmp	[ebp+var_5D], 1
		jnz	short loc_8F2404
		push	4
		push	4
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_8F2404:				; CODE XREF: NtGetCachedSigningLevel+127560j
		mov	eax, [ebp+var_80]
		mov	[ebx], eax

loc_8F2409:				; CODE XREF: NtGetCachedSigningLevel+12755Aj
		mov	edi, [ebp+var_68]
		jmp	loc_7CAFE2
; 

loc_8F2411:				; CODE XREF: NtGetCachedSigningLevel+127511j
		and	dword ptr [ebx], 0
		mov	esi, eax
		jmp	loc_7CAFE2
; END OF FUNCTION CHUNK	FOR NtGetCachedSigningLevel

;  S U B	R O U T	I N E 


sub_8F241B	proc near		; DATA XREF: .text:006A3B9Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-88h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F241B	endp


;  S U B	R O U T	I N E 


sub_8F242C	proc near		; DATA XREF: .text:006A3BA0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-88h]
		mov	[ebp-8Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-90h]
		jmp	loc_7CAF46
sub_8F242C	endp

; 
; START	OF FUNCTION CHUNK FOR NtGetCachedSigningLevel

loc_8F244D:				; CODE XREF: NtGetCachedSigningLevel+59j
					; NtGetCachedSigningLevel+62j ...
		mov	esi, 0C000000Dh
		jmp	loc_7CAF46
; END OF FUNCTION CHUNK	FOR NtGetCachedSigningLevel
; 
; START	OF FUNCTION CHUNK FOR NtAlpcDeleteSectionView

loc_8F2457:				; CODE XREF: NtAlpcDeleteSectionView+20j
		mov	esi, 0C000000Dh
		jmp	loc_7CB1EB
; END OF FUNCTION CHUNK	FOR NtAlpcDeleteSectionView
; 
; START	OF FUNCTION CHUNK FOR NtQuerySystemInformationEx

loc_8F2461:				; CODE XREF: NtQuerySystemInformationEx:loc_7CB2FBj
		cmp	ecx, 8
		jz	loc_7CB301
		cmp	ecx, 17h
		jz	loc_7CB301
		cmp	ecx, 2Ah
		jz	loc_7CB301
		cmp	ecx, 3Dh
		jz	loc_7CB301
		cmp	ecx, 48h
		jnz	short loc_8F2498
		jmp	loc_7CB272
; 

loc_8F248F:				; CODE XREF: NtQuerySystemInformationEx+122j
		sub	eax, 3
		jz	loc_7CB2F4

loc_8F2498:				; CODE XREF: NtQuerySystemInformationEx+D6j
					; NtQuerySystemInformationEx+FBj ...
		mov	eax, 0C0000003h
		jmp	loc_7CB2BD
; 

loc_8F24A2:				; CODE XREF: NtQuerySystemInformationEx+7Fj
					; NtQuerySystemInformationEx+87j
		mov	byte ptr [eax],	0
		jmp	loc_7CB2A5
; 

loc_8F24AA:				; CODE XREF: NtQuerySystemInformationEx+11j
					; NtQuerySystemInformationEx+1Cj
		mov	eax, 0C000000Dh
		jmp	loc_7CB2BD
; END OF FUNCTION CHUNK	FOR NtQuerySystemInformationEx
; 
; START	OF FUNCTION CHUNK FOR RtlpOpenImageFileOptionsKeyEx

loc_8F24B4:				; CODE XREF: RtlpOpenImageFileOptionsKeyEx+57j
		mov	eax, 0C0000023h
		jmp	loc_7CB43E
; 

loc_8F24BE:				; CODE XREF: RtlpOpenImageFileOptionsKeyEx+D2j
		push	[esp+40h+var_28]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7CB438
; 

loc_8F24CC:				; CODE XREF: RtlpOpenImageFileOptionsKeyEx+FDj
		cmp	[esp+40h+var_2C], 0
		jz	loc_7CB43C
		push	[esp+40h+var_2C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7CB43C
; END OF FUNCTION CHUNK	FOR RtlpOpenImageFileOptionsKeyEx
; 
; START	OF FUNCTION CHUNK FOR RtlpProcessIFEOKeyFilter

loc_8F24E5:				; CODE XREF: RtlpProcessIFEOKeyFilter+B5j
		cmp	eax, 0C0000023h
		jz	loc_7CB57B
		cmp	eax, 80000005h
		jnz	loc_7CB57D
		jmp	loc_7CB57B
; 

loc_8F2500:				; CODE XREF: RtlpProcessIFEOKeyFilter+AAj
		cmp	[ebp+var_228], 4
		jnz	loc_7CB57B
		cmp	[ebp+var_224], 4
		jnz	loc_7CB57B
		cmp	[ebp+var_220], edi
		jz	loc_7CB57B
		mov	eax, large fs:124h
		xor	ebx, ebx
		push	offset ??_C@_19JHEHLFPM@?$AA?2?$AA?$DP?$AA?$DP?$AA?2@NNGAKEGL@ ; "\\??\\"
		cmp	byte ptr [eax+15Ah], 1
		mov	eax, [esi]
		mov	esi, [esi+4]
		setz	bl
		dec	ebx
		mov	[ebp+var_248], eax
		and	ebx, 0FFFFFC00h
		mov	[ebp+var_244], esi
		lea	eax, [ebp+var_240]
		add	ebx, 640h
		push	eax
		mov	[ebp+var_264], ebx
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_7CB57D
		push	1
		lea	eax, [ebp+var_248]
		push	eax
		lea	eax, [ebp+var_240]
		push	eax
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_8F25AA
		mov	eax, 0FFF8h
		add	word ptr [ebp+var_248],	ax
		add	word ptr [ebp+var_248+2], ax
		add	esi, 8
		mov	[ebp+var_244], esi

loc_8F25AA:				; CODE XREF: RtlpProcessIFEOKeyFilter+1270CCj
		lea	eax, [ebp+var_22C]
		xor	ecx, ecx
		mov	[ebp+var_250], eax
		mov	[ebp+var_258], ecx

loc_8F25BE:				; CODE XREF: RtlpProcessIFEOKeyFilter+1272F2j
		lea	edx, [ebp+var_234]
		push	edx
		push	[ebp+var_238]
		push	eax
		mov	eax, [ebp+var_254]
		push	0
		push	ecx
		push	dword ptr [eax]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8F279D
		mov	ecx, [ebp+var_250]
		mov	ax, [ecx+0Ch]
		mov	word ptr [ebp+var_240],	ax
		mov	ax, [ecx+0Ch]
		and	[ebp+var_26C], 0
		and	[ebp+var_268], 0
		mov	word ptr [ebp+var_240+2], ax
		lea	eax, [ecx+10h]
		mov	[ebp+var_23C], eax
		mov	eax, [ebp+var_254]
		mov	[ebp+var_27C], 18h
		mov	[ebp+var_270], ebx
		mov	eax, [eax]
		mov	[ebp+var_278], eax
		lea	eax, [ebp+var_240]
		mov	[ebp+var_274], eax
		lea	eax, [ebp+var_27C]
		push	eax
		push	9
		lea	eax, [ebp+var_230]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8F279D
		push	offset ??_C@_1BO@JOOJEFDK@?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAF?$AAu?$AAl?$AAl?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@
		lea	eax, [ebp+var_240]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8F2792
		mov	ebx, [ebp+var_24C]
		mov	eax, [ebp+var_238]

loc_8F2689:				; CODE XREF: RtlpProcessIFEOKeyFilter+127248j
					; RtlpProcessIFEOKeyFilter+127254j
		lea	ecx, [ebp+var_234]
		push	ecx
		push	eax
		push	ebx
		push	2
		pop	eax
		push	eax
		lea	eax, [ebp+var_240]
		push	eax
		push	[ebp+var_230]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 80000005h
		jz	short loc_8F26BA
		cmp	esi, 0C0000023h
		jnz	short loc_8F26FC

loc_8F26BA:				; CODE XREF: RtlpProcessIFEOKeyFilter+1271F0j
		test	edi, edi
		jz	short loc_8F26C6
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F26C6:				; CODE XREF: RtlpProcessIFEOKeyFilter+1271FCj
		push	6B497452h
		push	[ebp+var_234]
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	edi, eax
		test	edi, edi
		jz	short loc_8F26F7
		mov	eax, [ebp+var_234]
		mov	ebx, edi
		mov	[ebp+var_250], edi
		mov	[ebp+var_238], eax
		jmp	short loc_8F2702
; 

loc_8F26F7:				; CODE XREF: RtlpProcessIFEOKeyFilter+12721Fj
		mov	esi, 0C0000017h

loc_8F26FC:				; CODE XREF: RtlpProcessIFEOKeyFilter+1271F8j
		mov	eax, [ebp+var_238]

loc_8F2702:				; CODE XREF: RtlpProcessIFEOKeyFilter+127235j
		cmp	esi, 80000005h
		jz	loc_8F2689
		cmp	esi, 0C0000023h
		jz	loc_8F2689
		mov	[ebp+var_24C], ebx
		mov	ebx, [ebp+var_264]
		test	esi, esi
		jns	short loc_8F2743
		push	[ebp+var_230]
		call	_ZwClose@4	; ZwClose(x)
		lea	eax, [esi+3FFFFFCCh]
		neg	eax
		sbb	eax, eax
		and	esi, eax
		jmp	short loc_8F279D
; 

loc_8F2743:				; CODE XREF: RtlpProcessIFEOKeyFilter+127268j
		mov	ecx, [ebp+var_24C]
		cmp	dword ptr [ecx+4], 1
		jnz	short loc_8F2792
		cmp	dword ptr [ecx+8], 0FFFEh
		ja	short loc_8F2792
		mov	ax, [ecx+8]
		push	2
		pop	edx
		sub	ax, dx
		mov	word ptr [ebp+var_260],	ax
		mov	word ptr [ebp+var_260+2], ax
		lea	eax, [ecx+0Ch]
		mov	[ebp+var_25C], eax
		lea	eax, [ebp+var_260]
		push	1
		push	eax
		lea	eax, [ebp+var_248]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jz	short loc_8F27B8

loc_8F2792:				; CODE XREF: RtlpProcessIFEOKeyFilter+1271B7j
					; RtlpProcessIFEOKeyFilter+12728Dj ...
		push	[ebp+var_230]
		call	_ZwClose@4	; ZwClose(x)

loc_8F279D:				; CODE XREF: RtlpProcessIFEOKeyFilter+127120j
					; RtlpProcessIFEOKeyFilter+12719Cj ...
		mov	ecx, [ebp+var_258]
		mov	eax, [ebp+var_250]
		inc	ecx
		mov	[ebp+var_258], ecx
		test	esi, esi
		jns	loc_8F25BE

loc_8F27B8:				; CODE XREF: RtlpProcessIFEOKeyFilter+1272D0j
		test	edi, edi
		jz	short loc_8F27C4
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F27C4:				; CODE XREF: RtlpProcessIFEOKeyFilter+1272FAj
		test	esi, esi
		js	short loc_8F27DD
		mov	ebx, [ebp+var_254]
		push	dword ptr [ebx]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_230]
		mov	[ebx], eax

loc_8F27DD:				; CODE XREF: RtlpProcessIFEOKeyFilter+127306j
		lea	eax, [esi+7FFFFFE6h]
		neg	eax
		sbb	eax, eax
		and	eax, esi
		jmp	loc_7CB57D
; END OF FUNCTION CHUNK	FOR RtlpProcessIFEOKeyFilter
; 
; START	OF FUNCTION CHUNK FOR ObQueryObjectAuditingByHandle

loc_8F27EE:				; CODE XREF: ObQueryObjectAuditingByHandle+49j
		mov	ecx, ebx
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_8F2805
		mov	eax, 0C0000008h
		jmp	loc_7CB6A4
; 

loc_8F2805:				; CODE XREF: ObQueryObjectAuditingByHandle+12720Dj
		mov	[ebp+var_1], 1
		jmp	loc_7CB641
; 

loc_8F280E:				; CODE XREF: ObQueryObjectAuditingByHandle+B0j
		lea	ecx, [ebx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_7CB6A2
; END OF FUNCTION CHUNK	FOR ObQueryObjectAuditingByHandle
; 
; START	OF FUNCTION CHUNK FOR NtCloseObjectAuditAlarm

loc_8F281E:				; CODE XREF: NtCloseObjectAuditAlarm+2Aj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, large fs:124h
		lea	edx, [ebp+var_34]
		push	edx
		push	eax
		push	ecx
		call	SeCaptureSubjectContextEx
		mov	dl, bl
		lea	ecx, [ebp+var_34]
		call	_SeCheckAuditPrivilege@8 ; SeCheckAuditPrivilege(x,x)
		test	al, al
		jnz	short loc_8F2851
		mov	esi, 0C0000061h
		jmp	short loc_8F28A2
; 

loc_8F2851:				; CODE XREF: NtCloseObjectAuditAlarm+12717Ej
		mov	[ebp+ms_exc.disabled], edi
		lea	edx, [ebp+var_1C]
		mov	ecx, [ebp+arg_0]
		call	SepProbeAndCaptureString_U
		mov	esi, eax
		mov	[ebp+var_24], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_8F288D
; END OF FUNCTION CHUNK	FOR NtCloseObjectAuditAlarm

;  S U B	R O U T	I N E 


sub_8F286D	proc near		; DATA XREF: .text:006A3BDCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F286D	endp


;  S U B	R O U T	I N E 


sub_8F287B	proc near		; DATA XREF: .text:006A3BE0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	[ebp-24h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edi, edi
sub_8F287B	endp

; START	OF FUNCTION CHUNK FOR NtCloseObjectAuditAlarm

loc_8F288D:				; CODE XREF: NtCloseObjectAuditAlarm+1271A1j
		test	esi, esi
		js	short loc_8F28A2
		push	edi
		push	edi
		lea	eax, [ebp+var_34]
		push	eax
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_1C]
		call	_SepAdtCloseObjectAuditAlarm@20	; SepAdtCloseObjectAuditAlarm(x,x,x,x,x)

loc_8F28A2:				; CODE XREF: NtCloseObjectAuditAlarm+127185j
					; NtCloseObjectAuditAlarm+1271C5j
		cmp	[ebp+var_1C], 0
		jz	short loc_8F28B1
		push	edi
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F28B1:				; CODE XREF: NtCloseObjectAuditAlarm+1271DCj
		lea	eax, [ebp+var_34]
		push	eax
		call	SeReleaseSubjectContext
		mov	eax, 0C000009Ah
		cmp	esi, eax
		jnz	short loc_8F28C9
		push	eax
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_8F28C9:				; CODE XREF: NtCloseObjectAuditAlarm+1271F7j
		mov	eax, esi
		jmp	loc_7CB6FC
; END OF FUNCTION CHUNK	FOR NtCloseObjectAuditAlarm
; 
; START	OF FUNCTION CHUNK FOR NtQueryWnfStateNameInformation

loc_8F28D0:				; CODE XREF: NtQueryWnfStateNameInformation+B3j
		mov	eax, 0C000000Dh
		jmp	short loc_8F2921
; 

loc_8F28D7:				; CODE XREF: NtQueryWnfStateNameInformation+268j
		mov	eax, 0C000000Dh
		mov	[ebp+var_20], eax
		jmp	loc_7CB8D5
; 

loc_8F28E4:				; CODE XREF: NtQueryWnfStateNameInformation+FCj
		push	[ebp+var_50]
		push	[ebp+var_54]
		call	_ExpWnfCheckCrossScopeAccess@8 ; ExpWnfCheckCrossScopeAccess(x,x)
		mov	[ebp+var_20], eax
		mov	ecx, [ebp+arg_4]
		test	eax, eax
		js	loc_7CB8D5
		mov	eax, esi
		mov	dl, [ebp+var_19]
		jmp	loc_7CB810
; END OF FUNCTION CHUNK	FOR NtQueryWnfStateNameInformation

;  S U B	R O U T	I N E 


sub_8F2907	proc near		; DATA XREF: .text:006A3C08o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F2907	endp


;  S U B	R O U T	I N E 


sub_8F2917	proc near		; DATA XREF: .text:006A3C0Co
		mov	eax, [ebp-44h]
		jmp	short loc_8F293C
sub_8F2917	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryWnfStateNameInformation

loc_8F291C:				; CODE XREF: NtQueryWnfStateNameInformation+A9j
		mov	eax, 0C0000003h

loc_8F2921:				; CODE XREF: NtQueryWnfStateNameInformation+1271C7j
		push	0FFFFFFFEh
		pop	edi
		jmp	loc_7CB8CF
; END OF FUNCTION CHUNK	FOR NtQueryWnfStateNameInformation

;  S U B	R O U T	I N E 


sub_8F2929	proc near		; DATA XREF: .text:006A3BFCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F2929	endp


;  S U B	R O U T	I N E 


sub_8F2939	proc near		; DATA XREF: .text:006A3C00o
		mov	eax, [ebp-48h]

loc_8F293C:				; CODE XREF: sub_8F2917+3j
		mov	esp, [ebp-18h]
		push	0FFFFFFFEh
		mov	[ebp-20h], eax
		pop	edi
		mov	[ebp-4], edi
		xor	esi, esi
		jmp	loc_7CB9D8
sub_8F2939	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryWnfStateNameInformation

loc_8F294F:				; CODE XREF: NtQueryWnfStateNameInformation+1CCj
		test	ecx, ecx
		jnz	loc_7CB8E0
		mov	[ebp+ms_exc.disabled], 2
		mov	eax, [ebp+arg_C]
		mov	[eax], esi
		mov	[ebp+var_20], esi
		mov	[ebp+ms_exc.disabled], edi
		jmp	loc_7CB8E0
; END OF FUNCTION CHUNK	FOR NtQueryWnfStateNameInformation

;  S U B	R O U T	I N E 


sub_8F296E	proc near		; DATA XREF: .text:006A3C14o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F296E	endp


;  S U B	R O U T	I N E 


sub_8F297E	proc near		; DATA XREF: .text:006A3C18o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-4Ch]
		mov	[ebp-20h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7CB8E0
sub_8F297E	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpAssociateIoCompletionPort

loc_8F2993:				; CODE XREF: AlpcpAssociateIoCompletionPort+10j
		mov	eax, 0C000000Dh
		jmp	loc_7CBD8D
; 

loc_8F299D:				; CODE XREF: AlpcpAssociateIoCompletionPort+2Ej
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8F29B1
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8F29B1:				; CODE XREF: AlpcpAssociateIoCompletionPort+126D14j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, 0C0000048h
		jmp	loc_7CBD8C
; 

loc_8F29C2:				; CODE XREF: AlpcpAssociateIoCompletionPort+3Aj
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8F29D6
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8F29D6:				; CODE XREF: AlpcpAssociateIoCompletionPort+126D39j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, 0C00000BBh
		jmp	loc_7CBD8C
; 

loc_8F29E7:				; CODE XREF: AlpcpAssociateIoCompletionPort+92j
		mov	ecx, [edx+190h]
		jmp	loc_7CBD2F
; 

loc_8F29F2:				; CODE XREF: AlpcpAssociateIoCompletionPort+86j
		mov	ecx, [ecx+30h]
		shr	ecx, 2
		jmp	loc_7CBD37
; 

loc_8F29FD:				; CODE XREF: AlpcpAssociateIoCompletionPort+AEj
		mov	ebx, 0C000009Ah

loc_8F2A02:				; CODE XREF: AlpcpAssociateIoCompletionPort+72j
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	short loc_8F2A12
		call	ObfDereferenceObject
		and	dword ptr [esi+10h], 0

loc_8F2A12:				; CODE XREF: AlpcpAssociateIoCompletionPort+126D73j
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	loc_7CBD76
		call	_AlpcpFreeCompletionPacketLookaside@4 ;	AlpcpFreeCompletionPacketLookaside(x)
		and	dword ptr [esi+18h], 0
		jmp	loc_7CBD76
; END OF FUNCTION CHUNK	FOR AlpcpAssociateIoCompletionPort
; 
; START	OF FUNCTION CHUNK FOR AlpcpInitializeCompletionList

loc_8F2A2B:				; CODE XREF: AlpcpInitializeCompletionList+71j
					; AlpcpInitializeCompletionList+CAj
		mov	edi, 0C000009Ah
		jmp	short loc_8F2A4F
; END OF FUNCTION CHUNK	FOR AlpcpInitializeCompletionList

;  S U B	R O U T	I N E 


sub_8F2A32	proc near		; DATA XREF: .text:006A3C58o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-40h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp-28h]
		mov	cl, bl
		mov	[ebp-1Ah], cl
		mov	cl, [ebp-1Eh]
		mov	[ebp-1Bh], cl
sub_8F2A32	endp

; START	OF FUNCTION CHUNK FOR AlpcpInitializeCompletionList

loc_8F2A4F:				; CODE XREF: AlpcpInitializeCompletionList+126BFCj
					; AlpcpInitializeCompletionList+126C2Aj
		mov	ecx, [ebp+var_24]
		mov	dl, bl
		jmp	loc_7CC148
; 

loc_8F2A59:				; CODE XREF: AlpcpInitializeCompletionList+A9j
		mov	edi, 0C0000018h
		jmp	short loc_8F2A4F
; 

loc_8F2A60:				; CODE XREF: AlpcpInitializeCompletionList+102j
		mov	eax, [eax+0Ch]
		jmp	loc_7CBF4C
; 

loc_8F2A68:				; CODE XREF: AlpcpInitializeCompletionList+11Dj
					; AlpcpInitializeCompletionList+2DAj
		mov	edi, 0C000009Ah
		jmp	loc_7CC142
; 

loc_8F2A72:				; CODE XREF: AlpcpInitializeCompletionList+2ACj
		mov	edi, 0C000071Ah
		jmp	loc_7CC142
; 

loc_8F2A7C:				; CODE XREF: AlpcpInitializeCompletionList+2BAj
		mov	edi, 0C0000700h
		jmp	loc_7CC142
; END OF FUNCTION CHUNK	FOR AlpcpInitializeCompletionList

;  S U B	R O U T	I N E 


sub_8F2A86	proc near		; DATA XREF: .text:006A3C54o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F2A86	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpInitializeCompletionList

loc_8F2A94:				; CODE XREF: AlpcpInitializeCompletionList+2Fj
					; AlpcpInitializeCompletionList+40j ...
		mov	edi, 0C000000Dh
		jmp	loc_7CC148
; 

loc_8F2A9E:				; CODE XREF: AlpcpInitializeCompletionList+335j
		cmp	[ebp+var_1A], 0
		jz	short loc_8F2AAC
		push	dword ptr [esi+10h]
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_8F2AAC:				; CODE XREF: AlpcpInitializeCompletionList+126C6Ej
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_8F2AB9
		push	eax
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_8F2AB9:				; CODE XREF: AlpcpInitializeCompletionList+126C7Dj
		cmp	[ebp+var_1B], 0
		jz	short loc_8F2AC6
		mov	ecx, esi
		call	_AlpcpUnregisterCompletionListDatabase@4 ; AlpcpUnregisterCompletionListDatabase(x)

loc_8F2AC6:				; CODE XREF: AlpcpInitializeCompletionList+126C89j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7CC16F
; END OF FUNCTION CHUNK	FOR AlpcpInitializeCompletionList
; 
; START	OF FUNCTION CHUNK FOR AlpcpRegisterCompletionListDatabase

loc_8F2AD2:				; CODE XREF: AlpcpRegisterCompletionListDatabase+62j
		mov	eax, [edx+14h]
		cmp	eax, [esi+18h]
		jnb	loc_7CC1B2
		mov	eax, [edx+18h]
		cmp	eax, [esi+14h]
		jbe	loc_7CC1F6
		xor	esi, esi
		jmp	loc_7CC1CC
; END OF FUNCTION CHUNK	FOR AlpcpRegisterCompletionListDatabase
; 
; START	OF FUNCTION CHUNK FOR SepIsImageInMinTcbList

loc_8F2AF1:				; CODE XREF: SepIsImageInMinTcbList+85j
					; SepIsImageInMinTcbList+9Bj
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		mov	[eax], cl
		jmp	loc_7CC378
; 

loc_8F2AFE:				; CODE XREF: SepIsImageInMinTcbList+ACj
					; SepIsImageInMinTcbList+BFj
		mov	eax, [ebp+arg_C]
		mov	[esi], al
		jmp	loc_7CC399
; 

loc_8F2B08:				; CODE XREF: SepIsImageInMinTcbList+DCj
		mov	eax, [ebp+arg_10]
		mov	al, [eax]
		mov	[esi], al
		jmp	loc_7CC3B6
; 

loc_8F2B14:				; CODE XREF: SepIsImageInMinTcbList+11Dj
		push	edi
		push	4
		lea	eax, [ebp+arg_C]
		push	eax
		push	4
		push	(offset	loc_8BF0E9+1)
		push	[ebp+arg_8]
		call	RtlQueryImageFileKeyOption
		test	eax, eax
		js	short loc_8F2B44
		mov	ecx, [ebp+arg_C]
		and	ecx, 0Fh
		lea	eax, [ecx-2]
		cmp	eax, 0Dh
		ja	short loc_8F2B44
		mov	eax, [ebp+arg_18]
		mov	[esi], cl
		mov	byte ptr [eax],	8

loc_8F2B44:				; CODE XREF: SepIsImageInMinTcbList+126858j
					; SepIsImageInMinTcbList+126866j
		push	[ebp+arg_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7CC30E
; END OF FUNCTION CHUNK	FOR SepIsImageInMinTcbList
; 

loc_8F2B51:				; CODE XREF: PAGE:007CC478j
		mov	eax, ecx
		jmp	loc_7CC47E
; 

loc_8F2B58:				; DATA XREF: .text:006A3C74o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_8F2B68:				; DATA XREF: .text:006A3C78o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-28h]
		jmp	loc_7CC516
; 
; START	OF FUNCTION CHUNK FOR IoOpenDeviceRegistryKey

loc_8F2B7A:				; CODE XREF: IoOpenDeviceRegistryKey+4Aj
		or	esi, 200h
		jmp	loc_7CC582
; END OF FUNCTION CHUNK	FOR IoOpenDeviceRegistryKey
; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationAtom

loc_8F2B85:				; CODE XREF: NtQueryInformationAtom+2Aj
		mov	eax, 0C0000022h
		jmp	loc_7CC7EE
; 

loc_8F2B8F:				; CODE XREF: NtQueryInformationAtom+65j
		mov	ecx, eax
		jmp	loc_7CC76D
; 

loc_8F2B96:				; CODE XREF: NtQueryInformationAtom+79j
		sub	eax, 1
		jz	short loc_8F2BA8
		mov	edx, 0C0000003h
		mov	[ebp+var_30], edx
		jmp	loc_7CC7DC
; 

loc_8F2BA8:				; CODE XREF: NtQueryInformationAtom+126497j
		push	4
		pop	esi
		mov	[ebp+var_24], esi
		cmp	[ebp+arg_C], esi
		jb	short loc_8F2BE3
		lea	eax, [edi+4]
		push	eax
		push	edi
		mov	edx, [ebp+arg_C]
		lea	edx, [edx-4]
		shr	edx, 1
		mov	ecx, [ebp+var_20]
		call	_RtlQueryAtomsInAtomTable@16 ; RtlQueryAtomsInAtomTable(x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_30], edx
		test	edx, edx
		js	loc_7CC7DC
		mov	ecx, [edi]
		lea	esi, ds:4[ecx*2]
		jmp	loc_7CC7D9
; 

loc_8F2BE3:				; CODE XREF: NtQueryInformationAtom+88j
					; NtQueryInformationAtom+1264AFj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7CC7EE
; END OF FUNCTION CHUNK	FOR NtQueryInformationAtom

;  S U B	R O U T	I N E 


sub_8F2BF4	proc near		; DATA XREF: .text:006A3C94o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F2BF4	endp


;  S U B	R O U T	I N E 


sub_8F2C02	proc near		; DATA XREF: .text:006A3C98o
		mov	esp, [ebp-18h]
		mov	edx, [ebp-38h]
		mov	[ebp-30h], edx
		jmp	loc_7CC7E5
sub_8F2C02	endp

; 
; START	OF FUNCTION CHUNK FOR PiPnpRtlGetFilteredDeviceList

loc_8F2C10:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+4Ej
					; PiPnpRtlGetFilteredDeviceList+C8j ...
		mov	esi, 0C000000Dh
		jmp	loc_7CC888
; 

loc_8F2C1A:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+17Dj
		mov	eax, [ebp+var_4]
		inc	ecx
		add	ecx, 1
		jnz	loc_7CC94E
		jmp	loc_7CC983
; 

loc_8F2C2C:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+199j
		mov	esi, 0C000009Ah
		jmp	loc_7CC888
; 

loc_8F2C36:				; CODE XREF: PiPnpRtlGetFilteredDeviceList+31j
		mov	esi, 0C0000016h
		jmp	loc_7CCA22
; END OF FUNCTION CHUNK	FOR PiPnpRtlGetFilteredDeviceList
; 
; START	OF FUNCTION CHUNK FOR PiPnpRtlGetFilteredDeviceInterfaceList

loc_8F2C40:				; CODE XREF: PiPnpRtlGetFilteredDeviceInterfaceList+63j
		push	3
		mov	edx, offset PiPnpRtlInterfaceFilterCallback
		pop	ecx
		call	_PiDmGetCmObjectListFromCache@24 ; PiDmGetCmObjectListFromCache(x,x,x,x,x,x)
		jmp	loc_7CCAB1
; END OF FUNCTION CHUNK	FOR PiPnpRtlGetFilteredDeviceInterfaceList
; 
; START	OF FUNCTION CHUNK FOR PiDmGetCmObjectConstraintListFromCache

loc_8F2C52:				; CODE XREF: PiDmGetCmObjectConstraintListFromCache+2Aj
		sub	eax, 1
		jz	short loc_8F2C76
		sub	eax, 1
		jz	short loc_8F2C6F
		sub	eax, 1
		jz	short loc_8F2C68
		xor	eax, eax
		jmp	loc_7CCB33
; 

loc_8F2C68:				; CODE XREF: PiDmGetCmObjectConstraintListFromCache+12615Fj
		push	6
		jmp	loc_7CCB32
; 

loc_8F2C6F:				; CODE XREF: PiDmGetCmObjectConstraintListFromCache+12615Aj
		push	5
		jmp	loc_7CCB32
; 

loc_8F2C76:				; CODE XREF: PiDmGetCmObjectConstraintListFromCache+126155j
		push	4
		jmp	loc_7CCB32
; END OF FUNCTION CHUNK	FOR PiDmGetCmObjectConstraintListFromCache
; 
; START	OF FUNCTION CHUNK FOR CmpCheckCreateAccessOnKcbStack

loc_8F2C7D:				; CODE XREF: CmpCheckCreateAccessOnKcbStack+22j
		mov	dl, byte ptr [ebp+arg_8]
		mov	ecx, esi
		push	ebx
		push	edi
		call	_CmpSetAccessStateForBackupRestore@16 ;	CmpSetAccessStateForBackupRestore(x,x,x,x)
		test	eax, eax
		js	short loc_8F2C95
		mov	dl, [ebp+arg_10]
		jmp	loc_7CCC46
; 

loc_8F2C95:				; CODE XREF: CmpCheckCreateAccessOnKcbStack+3Bj
					; CmpCheckCreateAccessOnKcbStack+12606Dj
		mov	eax, [ebp+arg_18]
		xor	bl, bl
		mov	dword ptr [eax], 0C0000022h
		jmp	loc_7CCC7A
; 

loc_8F2CA5:				; CODE XREF: CmpCheckCreateAccessOnKcbStack+43j
		cmp	dword ptr [esi+10h], 0
		jnz	loc_7CCC67
		mov	eax, [ebp+arg_18]
		and	dword ptr [eax], 0
		jmp	loc_7CCC7A
; END OF FUNCTION CHUNK	FOR CmpCheckCreateAccessOnKcbStack
; 
; START	OF FUNCTION CHUNK FOR CmpCheckCreateAccess

loc_8F2CBA:				; CODE XREF: CmpCheckCreateAccess+5Bj
		xor	bl, bl
		mov	dword ptr [esi], 0C0000022h
		jmp	loc_7CCCC9
; END OF FUNCTION CHUNK	FOR CmpCheckCreateAccess
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceSoftwareKeyPath

loc_8F2CC7:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+24j
		test	[ebp+arg_0], 200h
		jz	loc_8F2DB4
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jnz	short loc_8F2D51
		lea	ebx, [edx+2]
		xor	ecx, ecx

loc_8F2CE0:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+126005j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, cx
		jnz	short loc_8F2CE0
		sub	edx, ebx
		sar	edx, 1
		add	edx, 64h
		test	esi, esi
		jz	short loc_8F2CF8
		mov	[esi], edx

loc_8F2CF8:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+126010j
		cmp	edx, [ebp+arg_10]
		ja	loc_7CCD83
		push	offset ??_C@_1CE@IFGFIICE@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe@NNGAKEGL@
		push	edi
		push	offset ??_C@_1DM@BNJPOICG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@
		push	(offset	loc_8C8FD1+1)
		push	offset ??_C@_1BI@GNPPDLIB@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@
		push	800h
		push	ecx
		push	ecx
		push	[ebp+arg_10]
		push	[ebp+var_68]
		jmp	short loc_8F2D44
; 

loc_8F2D25:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+126196j
		lea	eax, [ebp+var_60]
		push	eax
		push	(offset	loc_8C90FB+1)
		push	edi
		push	offset ??_C@_1FG@MPFEKKOF@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; char
		push	offset ??_C@_1BM@OHMKBCBF@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; wchar_t *
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_10]	; int
		push	ebx		; void *

loc_8F2D44:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+12603Fj
		call	RtlStringCchPrintfExW
		add	esp, 28h
		jmp	loc_7CCD72
; 

loc_8F2D51:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+125FF5j
		cmp	ebx, 0FFFFFFFFh
		jz	loc_8F2E7F
		lea	eax, [edx+2]
		xor	ecx, ecx
		mov	[ebp+var_64], eax

loc_8F2D62:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+126087j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, cx
		jnz	short loc_8F2D62
		sub	edx, [ebp+var_64]
		sar	edx, 1
		add	edx, 61h
		test	esi, esi
		jz	short loc_8F2D7B
		mov	[esi], edx

loc_8F2D7B:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+126093j
		cmp	edx, [ebp+arg_10]
		ja	loc_7CCD83
		push	offset ??_C@_1CE@IFGFIICE@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe@NNGAKEGL@
		push	edi
		push	offset ??_C@_1DM@BNJPOICG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@
		push	ebx
		push	offset ??_C@_1FG@MPFEKKOF@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; char
		push	offset ??_C@_1CC@NAAEOCPD@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF@NNGAKEGL@ ; wchar_t *
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_10]	; int
		push	[ebp+var_68]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 2Ch
		jmp	loc_7CCD72
; 

loc_8F2DB4:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+125FEAj
		lea	eax, [edx+2]
		xor	ecx, ecx
		mov	[ebp+var_64], eax

loc_8F2DBC:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+1260E1j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, cx
		jnz	short loc_8F2DBC
		sub	edx, [ebp+var_64]
		sar	edx, 1
		add	edx, 31h
		test	esi, esi
		jz	short loc_8F2DD5
		mov	[esi], edx

loc_8F2DD5:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+1260EDj
		cmp	edx, [ebp+arg_10]
		ja	loc_7CCD83
		push	offset ??_C@_1CE@IFGFIICE@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe@NNGAKEGL@
		push	edi
		push	offset ??_C@_1DM@BNJPOICG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@
		jmp	short loc_8F2DF9
; 

loc_8F2DEB:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+126162j
		lea	eax, [ebp+var_60]
		push	eax
		push	(offset	loc_8C90FB+1)
		push	(offset	loc_8C8FD1+1) ;	char

loc_8F2DF9:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+126105j
		push	offset ??_C@_1BC@GLIGFLDD@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@	; "%s\\%s\\%s"
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_10]	; int
		push	ebx		; void *
		call	RtlStringCchPrintfExW
		add	esp, 24h
		jmp	loc_7CCD72
; 

loc_8F2E16:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+42j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_8F2E48
		lea	edx, [ebp+var_60]
		xor	ecx, ecx
		lea	edi, [edx+2]

loc_8F2E25:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+12614Aj
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, cx
		jnz	short loc_8F2E25
		sub	edx, edi
		sar	edx, 1
		add	edx, 5Bh
		test	esi, esi
		jz	short loc_8F2E3D
		mov	[esi], edx

loc_8F2E3D:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+126155j
		cmp	edx, [ebp+arg_10]
		ja	loc_7CCD83
		jmp	short loc_8F2DEB
; 

loc_8F2E48:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+126137j
		cmp	edi, 0FFFFFFFFh
		jz	short loc_8F2E7F
		lea	edx, [ebp+var_60]
		xor	ecx, ecx
		lea	eax, [edx+2]
		mov	[ebp+var_64], eax

loc_8F2E58:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+12617Dj
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, cx
		jnz	short loc_8F2E58
		sub	edx, [ebp+var_64]
		sar	edx, 1
		add	edx, 58h
		test	esi, esi
		jz	short loc_8F2E71
		mov	[esi], edx

loc_8F2E71:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+126189j
		cmp	edx, [ebp+arg_10]
		ja	loc_7CCD83
		jmp	loc_8F2D25
; 

loc_8F2E7F:				; CODE XREF: _CmGetDeviceSoftwareKeyPath+126070j
					; _CmGetDeviceSoftwareKeyPath+126167j
		mov	eax, 0C000000Dh
		jmp	loc_7CCD72
; END OF FUNCTION CHUNK	FOR _CmGetDeviceSoftwareKeyPath
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceSoftwareKey

loc_8F2E89:				; CODE XREF: _CmGetDeviceSoftwareKey+58j
		cmp	[ebp+arg_8], 1
		jz	short loc_8F2E99
		mov	esi, 0C0000034h
		jmp	loc_7CCDE8
; 

loc_8F2E99:				; CODE XREF: _CmGetDeviceSoftwareKey+126103j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [edi+7Ch]
		call	ExAcquireResourceExclusiveLite
		mov	edx, [ebp+var_70]
		lea	eax, [ebp+var_68]
		xor	ecx, ecx
		mov	[ebp+var_68], 58h
		push	ecx
		push	eax
		push	ebx
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_6C], ecx
		push	eax
		push	0Ah
		push	ecx
		mov	ecx, edi
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	loc_8F2FD8
		mov	edx, [ebp+var_70]
		lea	eax, [ebp+var_68]
		xor	ecx, ecx
		mov	[ebp+var_68], 4Eh
		push	ecx
		push	eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_6C], ecx
		push	eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	9
		push	ecx
		mov	ecx, edi
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	short loc_8F2F1C
		mov	esi, 0C0000034h
		jmp	loc_8F2FD8
; 

loc_8F2F1C:				; CODE XREF: _CmGetDeviceSoftwareKey+126186j
		test	esi, esi
		js	loc_8F2FD8
		xor	ecx, ecx
		lea	edx, [ebp+var_60]
		push	ecx
		xor	eax, eax
		mov	[ebp+var_14], ax
		lea	eax, [ebp+var_64]
		push	eax
		push	ecx
		push	2001Fh
		push	ecx
		push	20h
		mov	ecx, edi
		call	_CmOpenCommonClassRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_8F2FD8
		mov	edx, [ebp+var_64]
		lea	eax, [ebp+var_74]
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_10]
		mov	ecx, edi
		push	eax
		call	__CmCreateOrdinalInstanceKey@24	; _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8F2FD8
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax		; char
		push	offset ??_C@_1M@DFKENGJN@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; "%s\\%s"
		push	800h		; int
		push	0		; int
		push	0		; int
		push	2Ch		; int
		push	ebx		; void *
		call	RtlStringCchPrintfExW
		mov	esi, eax
		add	esp, 20h
		test	esi, esi
		js	short loc_8F2FD8
		push	ebx
		lea	eax, [ebp+var_7C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8F2FD8
		movzx	eax, word ptr [ebp+var_7C+2]
		xor	ebx, ebx
		mov	edx, [ebp+var_70]
		mov	ecx, edi
		push	ebx
		push	eax
		push	[ebp+var_78]
		push	1
		push	0Ah
		push	ebx
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_8F2FD8
		mov	eax, [edi+74h]
		test	eax, eax
		jnz	short loc_8F2FC9
		push	ebx
		jmp	short loc_8F2FCD
; 

loc_8F2FC9:				; CODE XREF: _CmGetDeviceSoftwareKey+12623Aj
		mov	ecx, [eax+4]
		push	ecx

loc_8F2FCD:				; CODE XREF: _CmGetDeviceSoftwareKey+12623Dj
		mov	ecx, [ebp+var_64]
		lea	edx, [ebp+var_10]
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)

loc_8F2FD8:				; CODE XREF: _CmGetDeviceSoftwareKey+126152j
					; _CmGetDeviceSoftwareKey+12618Dj ...
		mov	ecx, [edi+7Ch]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[ebp+var_74], 0
		jz	loc_7CCDE8
		push	[ebp+var_74]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7CCDE8
; 

loc_8F2FFC:				; CODE XREF: _CmGetDeviceSoftwareKey+62j
		push	[ebp+var_64]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7CCDF2
; END OF FUNCTION CHUNK	FOR _CmGetDeviceSoftwareKey

;  S U B	R O U T	I N E 


sub_8F3009	proc near		; DATA XREF: .text:006A3CB4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F3009	endp


;  S U B	R O U T	I N E 


sub_8F3017	proc near		; DATA XREF: .text:006A3CB8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7CCE8D
sub_8F3017	endp


;  S U B	R O U T	I N E 


sub_8F3029	proc near		; DATA XREF: .text:006A3CC0o
		xor	eax, eax
		inc	eax
		retn
sub_8F3029	endp


;  S U B	R O U T	I N E 


sub_8F302D	proc near		; DATA XREF: .text:006A3CC4o
		mov	esp, [ebp-18h]
		jmp	loc_7CCE83
sub_8F302D	endp

; 
; START	OF FUNCTION CHUNK FOR NtOpenSemaphore

loc_8F3035:				; CODE XREF: NtOpenSemaphore+68j
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	loc_7CCE8A
; END OF FUNCTION CHUNK	FOR NtOpenSemaphore
; 
; START	OF FUNCTION CHUNK FOR FsRtlKernelFsControlFile

loc_8F3042:				; CODE XREF: FsRtlKernelFsControlFile+3Dj
		mov	edi, 0C0000010h
		jmp	short loc_8F304E
; 

loc_8F3049:				; CODE XREF: FsRtlKernelFsControlFile+61j
					; FsRtlKernelFsControlFile+1261E0j
		mov	edi, 0C000009Ah

loc_8F304E:				; CODE XREF: FsRtlKernelFsControlFile+12619Fj
		mov	[ebp+var_1C], edi
		jmp	loc_7CCFDC
; 

loc_8F3056:				; CODE XREF: FsRtlKernelFsControlFile+168j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_8F3069
		mov	[esi+0Ch], eax
		mov	dword ptr [esi+8], 10h
		jmp	short loc_8F306C
; 

loc_8F3069:				; CODE XREF: FsRtlKernelFsControlFile+1261B3j
		mov	[esi+8], ebx

loc_8F306C:				; CODE XREF: FsRtlKernelFsControlFile+1261BFj
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	loc_7CCF7E
		push	ebx
		push	ebx
		push	ebx
		push	edx
		push	eax
		call	IoAllocateMdl
		mov	ecx, eax
		mov	[esi+4], ecx
		test	ecx, ecx
		jz	short loc_8F3049
		mov	[ebp+ms_exc.disabled], 1
		xor	eax, eax
		cmp	edi, 1
		setnz	al
		push	eax
		push	ebx
		push	ecx
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], ebx
		jmp	loc_7CCF7E
; END OF FUNCTION CHUNK	FOR FsRtlKernelFsControlFile

;  S U B	R O U T	I N E 


sub_8F30A9	proc near		; DATA XREF: .text:006A3CE8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F30A9	endp


;  S U B	R O U T	I N E 


sub_8F30B7	proc near		; DATA XREF: .text:006A3CECo
		mov	esp, [ebp-18h]
		mov	edi, [ebp-24h]
		mov	[ebp-1Ch], edi
		xor	ebx, ebx
		mov	[ebp-4], ebx
		mov	esi, [ebp-20h]
		jmp	loc_7CCFDC
sub_8F30B7	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlKernelFsControlFile

loc_8F30CD:				; CODE XREF: FsRtlKernelFsControlFile+9Ej
		mov	[esi+8], ebx
		mov	[esi+3Ch], ebx
		jmp	loc_7CCF7E
; 

loc_8F30D8:				; CODE XREF: FsRtlKernelFsControlFile+A6j
		mov	eax, [ebp+arg_8]
		mov	[esi+0Ch], eax
		jmp	loc_7CCF69
; 

loc_8F30E3:				; CODE XREF: FsRtlKernelFsControlFile+11Cj
		lea	eax, [ebp+var_3C]
		mov	[ebp+arg_0], eax
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+arg_0]
		push	eax
		push	1
		call	FsRtlCancellableWaitForMultipleObjects
		cmp	eax, 0C000004Bh
		jnz	loc_7CCFCA
		push	esi
		call	IoCancelIrp
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_3C]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_7CCFCA
; 

loc_8F311B:				; CODE XREF: FsRtlKernelFsControlFile+160j
		cmp	ecx, eax
		jb	short loc_8F3121
		mov	ecx, eax

loc_8F3121:				; CODE XREF: FsRtlKernelFsControlFile+126275j
		push	ecx		; size_t
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_10]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_7CCFDC
; END OF FUNCTION CHUNK	FOR FsRtlKernelFsControlFile

;  S U B	R O U T	I N E 


sub_8F3135	proc near		; DATA XREF: .text:006A3CE0o
		xor	ebx, ebx
		mov	esi, [ebp-20h]
		mov	edi, [ebp-1Ch]
		jmp	sub_7CD030
sub_8F3135	endp

; 
; START	OF FUNCTION CHUNK FOR sub_7CD030

loc_8F3142:				; CODE XREF: sub_7CD030+9j
		call	_FsRtlpFreeMdlChain@4 ;	FsRtlpFreeMdlChain(x)
		mov	[esi+4], ebx
		jmp	loc_7CD03F
; END OF FUNCTION CHUNK	FOR sub_7CD030
; 
; START	OF FUNCTION CHUNK FOR NtSetSecurityObject

loc_8F314F:				; CODE XREF: NtSetSecurityObject+28j
		mov	eax, 0C0000005h
		jmp	loc_7CD1BE
; 

loc_8F3159:				; CODE XREF: NtSetSecurityObject+46j
		or	ebx, 1FFh
		test	eax, eax
		jnz	short loc_8F3169
		and	ebx, 0FFFFFF7Fh

loc_8F3169:				; CODE XREF: NtSetSecurityObject+126115j
		test	ecx, ecx
		jnz	loc_7CD098
		and	ebx, 0FFFFFEFFh
		jmp	loc_7CD098
; 

loc_8F317C:				; CODE XREF: NtSetSecurityObject+191j
					; NtSetSecurityObject+246j
		push	1
		push	dword ptr [ebp+var_20]
		push	[ebp+var_10]
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	ecx, [ebp+var_C]
		call	ObfDereferenceObject
		mov	eax, 0C0000079h
		jmp	loc_7CD1BE
; 

loc_8F319B:				; CODE XREF: NtSetSecurityObject+272j
		lea	eax, [ebp+var_5]
		mov	byte ptr [ebp+arg_4+3],	0
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+arg_4+3]
		push	eax
		push	[ebp+var_18]
		call	_RtlGetSaclSecurityDescriptor@16 ; RtlGetSaclSecurityDescriptor(x,x,x,x)
		mov	esi, eax
		mov	al, byte ptr [ebp+arg_4+3]
		test	al, al
		jnz	short loc_8F31F4
		mov	eax, [ebp+var_C]
		xor	edx, edx
		and	[ebp+var_2C], 0
		push	1
		lea	ecx, [eax-18h]
		shr	ecx, 8
		xor	cl, [eax-0Ch]
		xor	cl, byte ptr ds:_ObHeaderCookie
		movzx	eax, cl
		lea	ecx, [ebp+var_2C]
		mov	eax, ds:_ObTypeIndexTable[eax*4]
		add	eax, 8
		push	eax
		call	_SepRmGlobalSaclFind@16	; SepRmGlobalSaclFind(x,x,x,x)
		cmp	eax, 0C0000034h
		setnz	al

loc_8F31F4:				; CODE XREF: NtSetSecurityObject+12616Ej
		test	esi, esi
		js	loc_7CD192
		test	al, al
		jz	short loc_8F3233
		mov	edx, edi
		mov	eax, ebx
		and	edx, 80000h
		and	eax, 13h
		neg	edx
		sbb	edx, edx
		and	edx, eax
		test	edi, 40000h
		jz	short loc_8F321E
		or	edx, 4

loc_8F321E:				; CODE XREF: NtSetSecurityObject+1261CDj
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_1C]
		push	eax
		push	0
		call	ObpAllocateAndQuerySecurityDescriptorInfo
		mov	esi, eax
		jmp	loc_7CD13B
; 

loc_8F3233:				; CODE XREF: NtSetSecurityObject+1261B2j
		and	edi, 0FFF3FFFFh
		jmp	loc_7CD13B
; 

loc_8F323E:				; CODE XREF: NtSetSecurityObject+F9j
		lea	eax, [ecx-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [ecx-0Ch]
		mov	ecx, [ebp+var_C]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, ds:_IoFileObjectType
		jnz	short loc_8F3275
		mov	eax, [ecx+4]
		test	byte ptr [eax+20h], 10h
		jnz	loc_7CD14B

loc_8F3275:				; CODE XREF: NtSetSecurityObject+12621Aj
		lea	eax, [ebp+var_14]
		push	eax
		push	0
		push	40h
		pop	edx
		call	ObpAllocateAndQuerySecurityDescriptorInfo
		mov	ecx, [ebp+var_C]
		mov	esi, eax
		jmp	loc_7CD14B
; 

loc_8F328D:				; CODE XREF: NtSetSecurityObject+135j
		push	0
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7CD187
; 

loc_8F329C:				; CODE XREF: NtSetSecurityObject+155j
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7CD1A7
; END OF FUNCTION CHUNK	FOR NtSetSecurityObject
; 
; START	OF FUNCTION CHUNK FOR SeSetSecurityAccessMask

loc_8F32AB:				; CODE XREF: SeSetSecurityAccessMask+Aj
		mov	eax, 10C0000h
		mov	[edx], eax
		jmp	loc_7CD2E0
; END OF FUNCTION CHUNK	FOR SeSetSecurityAccessMask
; 
; START	OF FUNCTION CHUNK FOR SeSecurityDescriptorChangedAuditAlarm

loc_8F32B7:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+A7j
		push	0C000007Ch
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	loc_7CD519
; 

loc_8F32C6:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+C5j
		cmp	[ebp+arg_20], ebx
		jz	loc_7CD41D
		mov	esi, [ebp+arg_14]
		and	esi, 20h
		mov	[esp+80h+var_70], esi
		jmp	loc_7CD41D
; 

loc_8F32DE:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+213j
		mov	eax, [ebp+arg_14]
		and	eax, 8
		or	esi, eax
		mov	[esp+80h+var_70], esi
		jmp	loc_7CD56B
; 

loc_8F32EF:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+223j
		cmp	[ebp+arg_24], ebx
		jz	loc_7CD42C
		mov	eax, [ebp+arg_14]
		and	eax, 40h
		or	esi, eax
		mov	[esp+80h+var_70], esi
		jmp	loc_7CD42C
; 

loc_8F3309:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+DFj
					; SeSecurityDescriptorChangedAuditAlarm+EAj
		mov	eax, [esp+80h+var_14]
		test	eax, eax
		jz	short loc_8F3339
		lea	edx, [esp+80h+var_20]
		mov	ecx, eax
		call	_SepQueryTypeString@8 ;	SepQueryTypeString(x,x)
		mov	ecx, eax
		mov	[esp+80h+var_1C], ecx
		test	ecx, ecx
		js	loc_8F38D0
		mov	ecx, [esp+80h+var_20]
		test	ecx, ecx
		jz	short loc_8F3339
		mov	esi, ecx
		jmp	loc_7CD444
; 

loc_8F3339:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+125FBDj
					; SeSecurityDescriptorChangedAuditAlarm+125FDEj
		mov	esi, ebx
		jmp	loc_7CD448
; 

loc_8F3340:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+FCj
		mov	edx, [ebp+arg_1C]
		movzx	eax, word ptr [edx+2]
		mov	ecx, eax
		test	al, 10h
		jnz	short loc_8F3353
		xor	eax, eax
		mov	ecx, eax
		jmp	short loc_8F3364
; 

loc_8F3353:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+125FF9j
		test	cx, cx
		mov	ecx, [edx+0Ch]
		jns	short loc_8F3364
		lea	eax, [ecx+edx]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_8F3364:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+125FFFj
					; SeSecurityDescriptorChangedAuditAlarm+126007j
		lea	eax, [esp+80h+var_48]
		mov	edx, edi
		push	eax
		push	[esp+84h+var_34]
		call	_SeMaximumAuditMask@16 ; SeMaximumAuditMask(x,x,x,x)
		lea	eax, [esp+80h+var_48]
		mov	edx, edi
		push	eax
		push	[esp+84h+var_34]
		mov	ecx, esi
		call	_SeMaximumAuditMaskFromGlobalSacl@16 ; SeMaximumAuditMaskFromGlobalSacl(x,x,x,x)
		test	[esp+80h+var_48], 80000h
		jz	loc_7CD454
		mov	ecx, [esp+80h+var_70]
		cmp	[esp+80h+var_71], bl
		jz	loc_7CD458
		mov	eax, [ebp+arg_14]
		and	eax, 10h
		or	ecx, eax
		mov	[esp+80h+var_70], ecx
		jmp	loc_7CD458
; 

loc_8F33B3:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+140j
		movzx	eax, word ptr [edi+2]
		mov	edx, eax
		test	al, 10h
		jnz	short loc_8F33C1
		xor	eax, eax
		jmp	short loc_8F33DE
; 

loc_8F33C1:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126069j
		test	dx, dx
		jns	short loc_8F33DB
		mov	edx, [edi+0Ch]
		lea	eax, [edx+edi]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	[esp+80h+var_50], edx
		jmp	loc_7CD498
; 

loc_8F33DB:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126072j
		mov	eax, [edi+0Ch]

loc_8F33DE:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12606Dj
		mov	[esp+80h+var_50], eax
		jmp	loc_7CD498
; 

loc_8F33E7:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+17Bj
		movzx	eax, word ptr [eax+2]
		mov	edx, eax
		test	al, 10h
		jnz	short loc_8F33F7
		xor	eax, eax
		mov	edx, eax
		jmp	short loc_8F3412
; 

loc_8F33F7:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12609Dj
		test	dx, dx
		jns	short loc_8F340C
		mov	eax, [ebp+arg_24]
		mov	edx, [eax+0Ch]
		add	eax, edx
		neg	edx
		sbb	edx, edx
		and	edx, eax
		jmp	short loc_8F3412
; 

loc_8F340C:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1260A8j
		mov	edx, [ebp+arg_24]
		mov	edx, [edx+0Ch]

loc_8F3412:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1260A3j
					; SeSecurityDescriptorChangedAuditAlarm+1260B8j
		mov	[esp+80h+var_58], edx
		jmp	loc_7CD4D5
; 

loc_8F341B:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+199j
		mov	edx, [esp+80h+var_54]
		lea	esi, [eax+8]
		mov	[esp+80h+Source1], esi
		test	edx, edx
		jz	short loc_8F343E
		movzx	eax, word ptr [edx+4]
		test	ax, ax
		jz	short loc_8F343E
		add	edx, 8
		mov	[esp+80h+var_6C], eax
		mov	[esp+80h+Source2], edx

loc_8F343E:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1260D6j
					; SeSecurityDescriptorChangedAuditAlarm+1260DFj
		mov	edx, [esp+80h+var_50]
		test	edx, edx
		jz	short loc_8F345C
		movzx	eax, word ptr [edx+4]
		test	ax, ax
		jz	short loc_8F345C
		lea	edi, [edx+8]
		mov	[esp+80h+var_38], eax
		mov	[esp+80h+var_60], edi
		jmp	short loc_8F345E
; 

loc_8F345C:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1260F2j
					; SeSecurityDescriptorChangedAuditAlarm+1260FBj
		mov	edi, ebx

loc_8F345E:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126108j
		mov	edx, [esp+80h+var_4C]
		test	edx, edx
		jz	short loc_8F347A
		movzx	eax, word ptr [edx+4]
		test	ax, ax
		jz	short loc_8F347A
		add	edx, 8
		mov	[esp+80h+var_40], eax
		mov	[esp+80h+var_28], edx

loc_8F347A:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126112j
					; SeSecurityDescriptorChangedAuditAlarm+12611Bj
		mov	edx, [esp+80h+var_58]
		test	edx, edx
		jz	short loc_8F3496
		movzx	eax, word ptr [edx+4]
		test	ax, ax
		jz	short loc_8F3496
		add	edx, 8
		mov	[esp+80h+var_3C], eax
		mov	[esp+80h+var_2C], edx

loc_8F3496:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12612Ej
					; SeSecurityDescriptorChangedAuditAlarm+126137j ...
		mov	dl, [esi]
		movzx	eax, dl
		sub	eax, 11h
		jz	loc_8F3602
		sub	eax, 1
		jz	loc_8F35A4
		sub	eax, 1
		jz	short loc_8F351E
		test	cl, 8
		jz	loc_8F3642
		mov	edi, [esp+80h+Source2]
		test	edi, edi
		jz	short loc_8F3513
		cmp	[edi], dl
		jnz	short loc_8F3513
		movzx	eax, word ptr [edi+2]
		cmp	[esi+2], ax
		jnz	short loc_8F3513
		movzx	esi, word ptr [edi+2]
		push	eax		; Length
		push	edi		; Source2
		push	[esp+88h+Source1] ; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		mov	ecx, [esp+80h+var_70]
		cmp	eax, esi
		jnz	short loc_8F350F
		mov	edx, [esp+80h+var_6C]
		lea	eax, [esi+edi]
		mov	esi, [esp+80h+Source1]
		add	edx, 0FFFFh
		movzx	edi, dx
		neg	edi
		mov	[esp+80h+var_6C], edx
		sbb	edi, edi
		and	edi, eax
		mov	[esp+80h+Source2], edi
		jmp	loc_8F3646
; 

loc_8F350F:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126194j
		mov	esi, [esp+80h+Source1]

loc_8F3513:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12616Fj
					; SeSecurityDescriptorChangedAuditAlarm+126173j ...
		or	ebx, 8
		and	ecx, 0FFFFFFF7h
		jmp	loc_8F363E
; 

loc_8F351E:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12615Ej
		test	cl, 40h
		jz	loc_8F3642
		mov	edi, [esp+80h+var_2C]
		test	edi, edi
		jz	short loc_8F3599
		movzx	eax, word ptr [edi+2]
		cmp	[esi+2], ax
		jnz	short loc_8F3599
		movzx	esi, word ptr [edi+2]
		push	eax		; Length
		push	edi		; Source2
		push	[esp+88h+Source1] ; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, esi
		jnz	short loc_8F3591
		mov	ecx, [esp+80h+var_3C]
		lea	eax, [edi+esi]
		add	ecx, 0FFFFh
		movzx	edi, cx
		neg	edi
		mov	[esp+80h+var_3C], ecx
		sbb	edi, edi
		and	edi, eax
		mov	[esp+80h+var_2C], edi
		jmp	short loc_8F3584
; 

loc_8F356C:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1262D8j
		mov	eax, [esp+80h+var_38]
		dec	eax
		mov	ecx, eax
		mov	[esp+80h+var_38], eax
		neg	ecx
		lea	eax, [esi+edi]
		sbb	ecx, ecx
		and	ecx, eax
		mov	[esp+80h+var_60], ecx

loc_8F3584:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126218j
					; SeSecurityDescriptorChangedAuditAlarm+12629Ej
		mov	ecx, [esp+80h+var_70]
		mov	esi, [esp+80h+Source1]
		jmp	loc_8F3642
; 

loc_8F3591:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1261F8j
		mov	ecx, [esp+80h+var_70]
		mov	esi, [esp+80h+Source1]

loc_8F3599:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1261DBj
					; SeSecurityDescriptorChangedAuditAlarm+1261E5j
		or	ebx, 40h
		and	ecx, 0FFFFFFBFh
		jmp	loc_8F363E
; 

loc_8F35A4:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126155j
		test	cl, 20h
		jz	loc_8F3642
		mov	edi, [esp+80h+var_28]
		test	edi, edi
		jz	short loc_8F35FA
		movzx	eax, word ptr [edi+2]
		cmp	[esi+2], ax
		jnz	short loc_8F35FA
		movzx	esi, word ptr [edi+2]
		push	eax		; Length
		push	edi		; Source2
		push	[esp+88h+Source1] ; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, esi
		jnz	short loc_8F35F2
		mov	ecx, [esp+80h+var_40]
		lea	eax, [edi+esi]
		add	ecx, 0FFFFh
		movzx	edi, cx
		neg	edi
		mov	[esp+80h+var_40], ecx
		sbb	edi, edi
		and	edi, eax
		mov	[esp+80h+var_28], edi
		jmp	short loc_8F3584
; 

loc_8F35F2:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12627Ej
		mov	ecx, [esp+80h+var_70]
		mov	esi, [esp+80h+Source1]

loc_8F35FA:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126261j
					; SeSecurityDescriptorChangedAuditAlarm+12626Bj
		or	ebx, 20h
		and	ecx, 0FFFFFFDFh
		jmp	short loc_8F363E
; 

loc_8F3602:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12614Cj
		test	cl, 10h
		jz	short loc_8F3642
		mov	edx, [esp+80h+var_60]
		test	edx, edx
		jz	short loc_8F3638
		movzx	eax, word ptr [edx+2]
		cmp	[esi+2], ax
		jnz	short loc_8F3638
		movzx	esi, word ptr [edx+2]
		push	eax		; Length
		push	edx		; Source2
		push	[esp+88h+Source1] ; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, esi
		jz	loc_8F356C
		mov	ecx, [esp+80h+var_70]
		mov	esi, [esp+80h+Source1]

loc_8F3638:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1262BBj
					; SeSecurityDescriptorChangedAuditAlarm+1262C5j
		or	ebx, 10h
		and	ecx, 0FFFFFFEFh

loc_8F363E:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1261C7j
					; SeSecurityDescriptorChangedAuditAlarm+12624Dj ...
		mov	[esp+80h+var_70], ecx

loc_8F3642:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126163j
					; SeSecurityDescriptorChangedAuditAlarm+1261CFj ...
		mov	edx, [esp+80h+var_6C]

loc_8F3646:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1261B8j
		movzx	eax, word ptr [esi+2]
		mov	edi, [esp+80h+var_18]
		add	esi, eax
		mov	eax, [esp+80h+var_44]
		inc	edi
		mov	[esp+80h+var_18], edi
		mov	[esp+80h+Source1], esi
		movzx	eax, word ptr [eax+4]
		cmp	edi, eax
		jnb	short loc_8F3671
		mov	edi, [esp+80h+var_60]
		test	ecx, ecx
		jnz	loc_8F3496

loc_8F3671:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126311j
		test	dx, dx
		jz	short loc_8F367D
		mov	eax, ecx
		and	eax, 8
		or	ebx, eax

loc_8F367D:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126322j
		cmp	word ptr [esp+80h+var_40], 0
		jz	short loc_8F368C
		mov	eax, ecx
		and	eax, 20h
		or	ebx, eax

loc_8F368C:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126331j
		cmp	word ptr [esp+80h+var_3C], 0
		jz	short loc_8F369B
		mov	eax, ecx
		and	eax, 40h
		or	ebx, eax

loc_8F369B:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126340j
		cmp	[esp+80h+var_38], 0
		mov	esi, [ebp+arg_28]
		mov	edi, [ebp+arg_18]
		jz	loc_7CD4F1
		and	ecx, 10h
		or	ebx, ecx
		jmp	loc_7CD4F1
; 

loc_8F36B6:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1D6j
		xor	esi, esi
		cmp	[eax+4], si
		mov	esi, [ebp+arg_28]
		jz	loc_7CD52E
		mov	ebx, ecx
		and	ebx, 8
		jmp	loc_7CD52E
; 

loc_8F36CF:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1E2j
		xor	esi, esi
		cmp	[eax+4], si
		mov	esi, [ebp+arg_28]
		jz	loc_7CD53A
		mov	eax, ecx
		and	eax, 10h
		or	ebx, eax
		jmp	loc_7CD53A
; 

loc_8F36EA:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1EEj
		xor	edi, edi
		cmp	[eax+4], di
		mov	edi, [ebp+arg_18]
		jz	loc_7CD546
		mov	eax, ecx
		and	eax, 20h
		or	ebx, eax
		jmp	loc_7CD546
; 

loc_8F3705:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1F8j
		xor	eax, eax
		cmp	[edx+4], ax
		jz	loc_7CD4F3
		and	ecx, 40h
		or	ebx, ecx
		jmp	loc_7CD4F3
; 

loc_8F371B:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1A3j
		test	[esp+80h+var_48], 80000h
		jz	short loc_8F3795
		test	byte ptr [ebp+arg_14], 1
		jz	short loc_8F375D
		mov	edx, [esi+4]
		cmp	[esi+2], ax
		jge	short loc_8F373F
		lea	eax, [edx+esi]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		xor	eax, eax

loc_8F373F:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1263E0j
		mov	ecx, [edi+4]
		cmp	[edi+2], ax
		jge	short loc_8F3751
		lea	eax, [ecx+edi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_8F3751:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1263F4j
		call	_SepIsSidEqual@8 ; SepIsSidEqual(x,x)
		test	al, al
		jnz	short loc_8F375D
		or	ebx, 1

loc_8F375D:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1263D7j
					; SeSecurityDescriptorChangedAuditAlarm+126406j
		test	byte ptr [ebp+arg_14], 2
		jz	short loc_8F3795
		mov	edx, [esi+8]
		xor	ecx, ecx
		cmp	[esi+2], cx
		jge	short loc_8F3777
		lea	eax, [edx+esi]
		neg	edx
		sbb	edx, edx
		and	edx, eax

loc_8F3777:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12641Aj
		cmp	[edi+2], cx
		mov	ecx, [edi+8]
		jge	short loc_8F3789
		lea	eax, [ecx+edi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_8F3789:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12642Cj
		call	_SepIsSidEqual@8 ; SepIsSidEqual(x,x)
		test	al, al
		jnz	short loc_8F3795
		or	ebx, 2

loc_8F3795:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1263D1j
					; SeSecurityDescriptorChangedAuditAlarm+12640Fj ...
		test	[esp+80h+var_48], 40000h
		jz	loc_7CD4FB
		movzx	eax, word ptr [esi+2]
		mov	ecx, eax
		test	al, 4
		jnz	short loc_8F37B3
		xor	esi, esi
		mov	edx, esi
		jmp	short loc_8F37C6
; 

loc_8F37B3:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126459j
		mov	edx, [esi+10h]
		test	cx, cx
		jns	short loc_8F37C4
		lea	eax, [edx+esi]
		neg	edx
		sbb	edx, edx
		and	edx, eax

loc_8F37C4:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126467j
		xor	esi, esi

loc_8F37C6:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12645Fj
		movzx	eax, word ptr [edi+2]
		mov	ecx, eax
		test	al, 4
		jnz	short loc_8F37D4
		mov	ecx, esi
		jmp	short loc_8F37E5
; 

loc_8F37D4:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12647Cj
		test	cx, cx
		mov	ecx, [edi+10h]
		jns	short loc_8F37E5
		lea	eax, [ecx+edi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_8F37E5:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126480j
					; SeSecurityDescriptorChangedAuditAlarm+126488j
		call	_SepIsAclEqual@8 ; SepIsAclEqual(x,x)
		test	al, al
		jnz	loc_7CD4FB
		or	ebx, 4
		jmp	loc_7CD4FB
; 

loc_8F37FA:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1ABj
		mov	eax, [esp+80h+var_14]
		test	eax, eax
		jz	short loc_8F3829
		lea	edx, [esp+80h+var_24]
		mov	ecx, eax
		call	SepQueryNameString
		mov	[esp+80h+var_1C], eax
		test	eax, eax
		js	loc_8F38D0
		mov	eax, [esp+80h+var_24]
		test	eax, eax
		jz	short loc_8F3829
		mov	ecx, eax
		mov	[esp+80h+var_5C], ecx
		jmp	short loc_8F382D
; 

loc_8F3829:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1264AEj
					; SeSecurityDescriptorChangedAuditAlarm+1264CDj
		mov	ecx, [esp+80h+var_5C]

loc_8F382D:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1264D5j
		mov	eax, [esp+80h+var_34]
		mov	edi, [ebp+arg_8]
		mov	eax, [eax+94h]
		mov	esi, [eax]
		test	bl, 8
		jz	short loc_8F3862
		push	[ebp+arg_28]
		mov	edx, [ebp+arg_1C]
		push	8
		push	edx
		push	esi
		push	edi
		push	ecx
		push	[esp+98h+var_64]
		mov	edx, offset _SeSubsystemName
		lea	ecx, [esp+9Ch+var_10]
		call	_SepAdtSecurityDescriptorChangedAuditAlarm@36 ;	SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)

loc_8F3862:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1264EDj
		test	bl, 20h
		jz	short loc_8F3887
		push	[ebp+arg_28]
		mov	edx, offset _SeSubsystemName
		lea	ecx, [esp+84h+var_10]
		push	20h
		push	[ebp+arg_20]
		push	esi
		push	edi
		push	[esp+94h+var_5C]
		push	[esp+98h+var_64]
		call	_SepAdtSecurityDescriptorChangedAuditAlarm@36 ;	SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)

loc_8F3887:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126513j
		test	bl, 40h
		jz	short loc_8F38AC
		push	[ebp+arg_28]
		mov	edx, offset _SeSubsystemName
		lea	ecx, [esp+84h+var_10]
		push	40h
		push	[ebp+arg_24]
		push	esi
		push	edi
		push	[esp+94h+var_5C]
		push	[esp+98h+var_64]
		call	_SepAdtSecurityDescriptorChangedAuditAlarm@36 ;	SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)

loc_8F38AC:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126538j
		and	ebx, 0FFFFFF97h
		jz	short loc_8F38D0
		push	[ebp+arg_28]
		mov	edx, offset _SeSubsystemName
		lea	ecx, [esp+84h+var_10]
		push	ebx
		push	[ebp+arg_18]
		push	esi
		push	edi
		push	[esp+94h+var_5C]
		push	[esp+98h+var_64]
		call	_SepAdtSecurityDescriptorChangedAuditAlarm@36 ;	SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)

loc_8F38D0:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+125FD2j
					; SeSecurityDescriptorChangedAuditAlarm+1264C1j ...
		mov	eax, [esp+80h+var_24]
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_8F38E1
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F38E1:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+126586j
		mov	eax, [esp+80h+var_20]
		test	eax, eax
		jz	loc_7CD503
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7CD503
; 

loc_8F38F9:				; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+1B7j
		push	eax
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	loc_7CD50F
; END OF FUNCTION CHUNK	FOR SeSecurityDescriptorChangedAuditAlarm
; 
; START	OF FUNCTION CHUNK FOR ObpAllocateAndQuerySecurityDescriptorInfo

loc_8F3904:				; CODE XREF: ObpAllocateAndQuerySecurityDescriptorInfo+3Fj
		lea	eax, [ebp+arg_0]
		push	eax		; void *
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	0		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		call	SeQuerySecurityDescriptorInfo
		mov	edi, 7153624Fh
		push	edi
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_7CD684
		lea	eax, [ebp+arg_0]
		push	eax		; void *
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	esi		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		call	SeQuerySecurityDescriptorInfo
		jmp	short loc_8F3980
; 

loc_8F3945:				; CODE XREF: ObpAllocateAndQuerySecurityDescriptorInfo+95j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_7CD684
		mov	eax, [ebp+var_C]
		push	0
		push	[ebp+arg_0]
		push	dword ptr [eax+4Ch]
		lea	eax, [ebp+var_4]
		push	[ebp+var_14]
		push	eax
		push	esi
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		push	[ebp+var_10]
		call	[ebp+var_18]

loc_8F3980:				; CODE XREF: ObpAllocateAndQuerySecurityDescriptorInfo+126375j
		mov	ebx, eax
		jmp	loc_7CD669
; END OF FUNCTION CHUNK	FOR ObpAllocateAndQuerySecurityDescriptorInfo
; 
; START	OF FUNCTION CHUNK FOR MmStoreAllocateVirtualMemory

loc_8F3987:				; CODE XREF: MmStoreAllocateVirtualMemory+D2j
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		push	[esp+90h+var_7C]
		call	_MmUnsecureVirtualMemory@4 ; MmUnsecureVirtualMemory(x)
		xor	eax, eax
		jmp	loc_7CD7BA
; 

loc_8F399E:				; CODE XREF: MmStoreAllocateVirtualMemory+124j
		push	ecx
		push	ebx
		push	[esp+0A8h+var_40]
		lea	edx, [esp+1Bh]
		mov	[esp+0ACh+var_91], bl
		push	dword ptr [edi+10h]
		mov	ecx, edi
		push	dword ptr [edi+0Ch]
		call	MiFreeVadRange
		jmp	loc_7CD7B6
; END OF FUNCTION CHUNK	FOR MmStoreAllocateVirtualMemory
; 
; START	OF FUNCTION CHUNK FOR NtAlpcDeletePortSection

loc_8F39BE:				; CODE XREF: NtAlpcDeletePortSection+19j
		mov	esi, 0C000000Dh
		jmp	loc_7CD859
; END OF FUNCTION CHUNK	FOR NtAlpcDeletePortSection

;  S U B	R O U T	I N E 


sub_8F39C8	proc near		; DATA XREF: .text:006A3D04o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-68h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F39C8	endp


;  S U B	R O U T	I N E 


sub_8F39D6	proc near		; DATA XREF: .text:006A3D08o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-68h]
		jmp	loc_7CD93F
sub_8F39D6	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpGetEffectiveTokenMessage

loc_8F39E1:				; CODE XREF: AlpcpGetEffectiveTokenMessage+Cj
		mov	eax, 0C0000703h
		jmp	loc_7CD9D2
; END OF FUNCTION CHUNK	FOR AlpcpGetEffectiveTokenMessage
; 
; START	OF FUNCTION CHUNK FOR FsRtlIsFatDbcsLegal

loc_8F39EB:				; CODE XREF: FsRtlIsFatDbcsLegal+26j
		cmp	si, ax
		jnz	short loc_8F3A02
		mov	al, [edi]
		cmp	al, 2Eh
		jz	loc_8F3B0A
		cmp	al, 22h
		jz	loc_8F3B0A

loc_8F3A02:				; CODE XREF: FsRtlIsFatDbcsLegal+125F92j
		cmp	si, 2
		jnz	loc_7CDA88
		mov	al, [edi]
		cmp	al, 2Eh
		jnz	short loc_8F3A1B
		cmp	[edi+1], al
		jz	loc_8F3B0A

loc_8F3A1B:				; CODE XREF: FsRtlIsFatDbcsLegal+125FB4j
		cmp	al, 22h
		jnz	loc_7CDA88
		cmp	[edi+1], al
		jz	loc_8F3B0A
		jmp	loc_7CDA88
; 

loc_8F3A31:				; CODE XREF: FsRtlIsFatDbcsLegal+2Fj
		cmp	[ebp+arg_10], dl
		jz	loc_7CDB0D
		xor	eax, eax
		inc	eax
		cmp	si, ax
		jbe	loc_8F3B0A
		mov	eax, 0FFFFh
		inc	edi
		add	si, ax
		mov	[ebp+arg_4], edi
		add	word ptr [ebp+arg_0+2],	ax
		mov	word ptr [ebp+arg_0], si
		jmp	loc_7CDA91
; 

loc_8F3A5F:				; CODE XREF: FsRtlIsFatDbcsLegal+38j
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		mov	[ebp+arg_0], eax
		mov	[ebp+arg_4], edi
		test	si, si
		jz	loc_8F3B0A

loc_8F3A77:				; CODE XREF: FsRtlIsFatDbcsLegal+126058j
		cmp	byte ptr [edi],	5Ch
		jz	loc_7CDB0D
		lea	ecx, [ebp+arg_0]
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	edi
		push	eax
		call	_FsRtlDissectDbcs@16 ; FsRtlDissectDbcs(x,x,x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	[ebp+arg_8]
		push	[ebp+var_4]
		push	[ebp+var_8]
		call	FsRtlIsFatDbcsLegal
		test	al, al
		jz	loc_7CDB0D
		mov	eax, [ebp+arg_0]
		test	ax, ax
		jz	short loc_8F3B0A
		mov	edi, [ebp+arg_4]
		jmp	short loc_8F3A77
; 

loc_8F3AB6:				; CODE XREF: FsRtlIsFatDbcsLegal+40j
		lea	eax, [ebp+arg_0]
		push	eax
		call	_FsRtlDoesDbcsContainWildCards@4 ; FsRtlDoesDbcsContainWildCards(x)
		test	al, al
		jz	short loc_8F3B14
		xor	ebx, ebx
		movzx	esi, si
		mov	edx, ebx
		test	esi, esi
		jz	short loc_8F3B0A

loc_8F3ACE:				; CODE XREF: FsRtlIsFatDbcsLegal+1260ACj
		mov	cl, [edi+edx]
		cmp	cl, 80h
		jb	short loc_8F3AEE
		cmp	ds:_NlsMbOemCodePageTag, bl
		jz	short loc_8F3AEE
		movzx	eax, cl
		cmp	ds:_NlsOemLeadByteInfoTable[eax*2], bx
		jz	short loc_8F3AEE
		inc	edx
		jmp	short loc_8F3B05
; 

loc_8F3AEE:				; CODE XREF: FsRtlIsFatDbcsLegal+126078j
					; FsRtlIsFatDbcsLegal+126080j ...
		test	cl, cl
		js	short loc_8F3B05
		movzx	eax, cl
		movzx	ecx, ds:byte_40B788[eax]
		and	ecx, 9
		jz	loc_7CDB0D

loc_8F3B05:				; CODE XREF: FsRtlIsFatDbcsLegal+126090j
					; FsRtlIsFatDbcsLegal+126094j
		inc	edx
		cmp	edx, esi
		jb	short loc_8F3ACE

loc_8F3B0A:				; CODE XREF: FsRtlIsFatDbcsLegal+125F98j
					; FsRtlIsFatDbcsLegal+125FA0j ...
		xor	ecx, ecx
		inc	ecx
		mov	al, cl
		jmp	loc_7CDB02
; 

loc_8F3B14:				; CODE XREF: FsRtlIsFatDbcsLegal+126065j
		xor	edx, edx
		jmp	loc_7CDAA2
; 

loc_8F3B1B:				; CODE XREF: FsRtlIsFatDbcsLegal+59j
		cmp	ds:_NlsMbOemCodePageTag, 0
		jz	loc_7CDABB
		movzx	eax, bl
		xor	ecx, ecx
		cmp	ds:_NlsOemLeadByteInfoTable[eax*2], cx
		jz	loc_7CDABB
		test	bh, bh
		jnz	short loc_8F3B48
		cmp	edx, 7
		jnb	loc_7CDB0D

loc_8F3B48:				; CODE XREF: FsRtlIsFatDbcsLegal+1260E1j
		lea	eax, [esi-1]
		cmp	edx, eax
		jz	loc_7CDB0D
		inc	edx
		jmp	loc_7CDAEB
; END OF FUNCTION CHUNK	FOR FsRtlIsFatDbcsLegal
; 
; START	OF FUNCTION CHUNK FOR MiAllocateUserStack

loc_8F3B59:				; CODE XREF: MiAllocateUserStack+14j
		lea	eax, [ebp+var_4]
		mov	dword ptr [esi+34h], 20000001h
		mov	[esi+38h], eax
		jmp	loc_7CDD70
; END OF FUNCTION CHUNK	FOR MiAllocateUserStack
; 
; START	OF FUNCTION CHUNK FOR CmpCheckKeyBodyAccess

loc_8F3B6B:				; CODE XREF: CmpCheckKeyBodyAccess+31j
		mov	ecx, 0C000017Ch
		mov	[ebp+var_C], ecx
		jmp	loc_7CDF54
; 

loc_8F3B78:				; CODE XREF: CmpCheckKeyBodyAccess+9Ej
		push	[ebp+var_8]
		push	esi
		call	SeAppendPrivileges
		push	[ebp+var_8]
		call	_SeFreePrivileges@4 ; SeFreePrivileges(x)
		mov	al, byte ptr [ebp+arg_0]
		jmp	loc_7CDEDC
; 

loc_8F3B91:				; CODE XREF: CmpCheckKeyBodyAccess+C2j
		lea	eax, [esi+0Ah]
		push	eax
		lea	eax, [ecx+2Ch]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	0
		push	esi
		push	edi
		push	0
		jmp	loc_7CDF16
; 

loc_8F3BAA:				; CODE XREF: CmpCheckKeyBodyAccess+108j
		mov	ecx, [ebp+var_1C]
		call	_CmpFreePool@4	; CmpFreePool(x)
		mov	ecx, [ebp+var_C]
		jmp	loc_7CDF46
; END OF FUNCTION CHUNK	FOR CmpCheckKeyBodyAccess
; 
; START	OF FUNCTION CHUNK FOR CmpCheckAdminAccess

loc_8F3BBA:				; CODE XREF: CmpCheckAdminAccess+60j
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7CDFBE
; END OF FUNCTION CHUNK	FOR CmpCheckAdminAccess
; 
; START	OF FUNCTION CHUNK FOR CmpBuildAdminInformation

loc_8F3BC9:				; CODE XREF: CmpBuildAdminInformation+B3j
		mov	eax, ds:_SeExports
		xor	edi, edi
		mov	[ebp+var_34], 7
		inc	edi
		mov	eax, [eax+0E4h]
		mov	[ebp+var_38], eax
		jmp	loc_7CE08D
; 

loc_8F3BE6:				; CODE XREF: CmpBuildAdminInformation+BCj
		mov	eax, ds:_SeExports
		mov	[ebp+edi*8+var_34], 60h
		mov	eax, [eax+180h]
		mov	[ebp+edi*8+var_38], eax
		inc	edi
		jmp	loc_7CE096
; 

loc_8F3C03:				; CODE XREF: CmpBuildAdminInformation+C4j
		lea	ebx, [ebx+edi*8]
		xor	esi, esi

loc_8F3C08:				; CODE XREF: CmpBuildAdminInformation+125C42j
		push	[ebp+esi*8+var_38]
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	ebx, eax
		inc	esi
		cmp	esi, edi
		jb	short loc_8F3C08
		jmp	loc_7CE09E
; 

loc_8F3C1D:				; CODE XREF: CmpBuildAdminInformation+103j
		mov	ebx, 0C000009Ah
		xor	edi, edi
		jmp	loc_7CE1EF
; 

loc_8F3C29:				; CODE XREF: CmpBuildAdminInformation+1B9j
		lea	eax, [ebp+var_14]
		push	eax		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		mov	eax, [ebp+var_4]
		push	[ebp+var_C]	; void *
		mov	eax, [eax]
		mov	ecx, [eax]
		mov	eax, [esi+4]
		lea	eax, [eax+ecx*8]
		push	eax		; int
		push	[ebp+var_14]	; int
		lea	eax, [ebp+var_38]
		push	eax		; int
		push	edi		; int
		call	_RtlCopySidAndAttributesArray@28 ; RtlCopySidAndAttributesArray(x,x,x,x,x,x,x)
		jmp	loc_7CE193
; END OF FUNCTION CHUNK	FOR CmpBuildAdminInformation
; 
; START	OF FUNCTION CHUNK FOR CmpEffectiveTokenForSubject

loc_8F3C54:				; CODE XREF: CmpEffectiveTokenForSubject+Ej
		xor	ecx, ecx
		test	eax, eax
		setnz	cl
		inc	ecx
		mov	[edx], ecx
		jmp	loc_7CE278
; END OF FUNCTION CHUNK	FOR CmpEffectiveTokenForSubject

;  S U B	R O U T	I N E 


sub_8F3C63	proc near		; DATA XREF: .text:006A3D24o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F3C63	endp


;  S U B	R O U T	I N E 


sub_8F3C71	proc near		; DATA XREF: .text:006A3D28o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-1Ch]
		jmp	loc_7CE2DB
sub_8F3C71	endp

; 
; START	OF FUNCTION CHUNK FOR IopSymlinkRememberJunction

loc_8F3C7C:				; CODE XREF: IopSymlinkRememberJunction+28j
		mov	ecx, esi
		mov	[esi], dx
		call	_IopSymlinkFreeRelatedMountPointChain@4	; IopSymlinkFreeRelatedMountPointChain(x)
		jmp	loc_7CE356
; 

loc_8F3C8B:				; CODE XREF: IopSymlinkRememberJunction+35j
		mov	esi, eax
		mov	eax, [esi+8]
		jmp	loc_7CE333
; 

loc_8F3C95:				; CODE XREF: IopSymlinkRememberJunction+77j
		mov	ebx, 0C000009Ah
		jmp	loc_7CE395
; END OF FUNCTION CHUNK	FOR IopSymlinkRememberJunction
; 
; START	OF FUNCTION CHUNK FOR IopSymlinkProcessReparse

loc_8F3C9F:				; CODE XREF: IopSymlinkProcessReparse+30j
		cmp	eax, 0A0000019h
		jz	loc_7CE449
		cmp	eax, 2
		jbe	loc_7CE457
		mov	ecx, [esi+3Ch]
		lea	edx, [ebp+arg_4]
		and	dword ptr [ebp+arg_4], 0
		call	_IopSymlinkGetECP@8 ; IopSymlinkGetECP(x,x)
		test	eax, eax
		js	short loc_8F3CFA
		push	edi
		mov	edi, dword ptr [ebp+arg_4]
		mov	edx, edi
		mov	eax, [edi+8]
		jmp	short loc_8F3CD6
; 

loc_8F3CD1:				; CODE XREF: IopSymlinkProcessReparse+1258A4j
		mov	edx, eax
		mov	eax, [edx+8]

loc_8F3CD6:				; CODE XREF: IopSymlinkProcessReparse+12589Bj
		test	eax, eax
		jnz	short loc_8F3CD1
		add	edx, 0Ch
		lea	ecx, [ebx+30h]
		call	_IopFindMatchingComponentsLengthR@8 ; IopFindMatchingComponentsLengthR(x,x)
		push	edi
		movzx	ecx, ax
		mov	edx, ebx
		push	esi
		call	IopSymlinkRememberJunction
		pop	edi
		test	eax, eax
		jns	loc_7CE457

loc_8F3CFA:				; CODE XREF: IopSymlinkProcessReparse+125890j
		mov	[esi+18h], eax
		jmp	loc_7CE457
; END OF FUNCTION CHUNK	FOR IopSymlinkProcessReparse
; 
; START	OF FUNCTION CHUNK FOR IopSymlinkGetRelatedMountPoint

loc_8F3D02:				; CODE XREF: IopSymlinkGetRelatedMountPoint+8j
		cmp	[ecx], dx
		ja	loc_7CEA1A
		mov	ecx, [ecx+8]
		test	ecx, ecx
		jnz	loc_7CEA10
		jmp	loc_7CEA1A
; END OF FUNCTION CHUNK	FOR IopSymlinkGetRelatedMountPoint
; 
; START	OF FUNCTION CHUNK FOR IopSymlinkCreateECP

loc_8F3D1B:				; CODE XREF: IopSymlinkCreateECP+3Aj
		lea	eax, [edi-2]
		mov	[ebp+var_1], 1
		mov	[esi], ax
		movzx	edx, ax
		jmp	loc_7CEA6A
; 

loc_8F3D2D:				; CODE XREF: IopSymlinkCreateECP+A0j
		movzx	edx, word ptr [esi]
		movzx	edi, word ptr [ebx+0Ch]
		add	edx, 2
		add	edi, edx
		cmp	edi, 0FFFFh
		jb	short loc_8F3D4B
		mov	eax, 0C0000106h
		jmp	loc_7CEAD9
; 

loc_8F3D4B:				; CODE XREF: IopSymlinkCreateECP+125315j
		mov	ecx, [ebp+var_C]
		lea	edx, [ebp+var_8]
		push	edi
		call	IopSymlinkAllocateAndAddECP
		test	eax, eax
		js	loc_7CEAD9
		movzx	eax, word ptr [ebx+2]
		lea	edx, [edi+14h]
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		push	0		; int
		push	eax		; __int16
		movzx	eax, word ptr [ebx+4]
		push	eax		; __int16
		movzx	eax, word ptr [ebx+0Ch]
		push	eax		; __int16
		push	dword ptr [ebx+10h] ; void *
		movzx	eax, word ptr [esi]
		push	0		; __int16
		push	eax		; __int16
		push	dword ptr [esi+4] ; void *
		call	IopSymlinkInitializeSymlinkInfo
		mov	ax, [edi+0Ch]
		sub	ax, [ebx+0Ch]
		add	ax, [ebx]
		mov	[edi], ax
		jmp	loc_7CEAA4
; END OF FUNCTION CHUNK	FOR IopSymlinkCreateECP
; 
; START	OF FUNCTION CHUNK FOR IopSymlinkUpdateECP

loc_8F3D9C:				; CODE XREF: IopSymlinkUpdateECP+100j
		push	[ebp+var_8]
		call	_FsRtlFreeExtraCreateParameter@4 ; FsRtlFreeExtraCreateParameter(x)
		mov	eax, esi
		jmp	loc_7CEBBB
; 

loc_8F3DAB:				; CODE XREF: IopSymlinkUpdateECP+55j
		mov	ebx, eax
		jmp	loc_7CEB3C
; 

loc_8F3DB2:				; CODE XREF: IopSymlinkUpdateECP+6Fj
		mov	eax, 0C000009Ah
		jmp	loc_7CEBBB
; END OF FUNCTION CHUNK	FOR IopSymlinkUpdateECP
; 
; START	OF FUNCTION CHUNK FOR IopSymlinkInitializeSymlinkInfo

loc_8F3DBC:				; CODE XREF: IopSymlinkInitializeSymlinkInfo+44j
		mov	si, [ebp+arg_10]
		push	ebx
		movzx	ebx, si
		push	ebx		; size_t
		push	[ebp+arg_C]	; void *
		push	ecx		; void *
		call	_memcpy
		mov	ecx, [edi+10h]
		add	esp, 0Ch
		shr	ebx, 1
		mov	[edi+0Ch], si
		movzx	edx, si
		push	5Ch
		pop	eax
		cmp	[ecx+ebx*2-2], ax
		jz	short loc_8F3DF7
		mov	[ecx+ebx*2], ax
		add	word ptr [edi+0Ch], 2
		movzx	edx, word ptr [edi+0Ch]
		mov	ecx, [edi+10h]

loc_8F3DF7:				; CODE XREF: IopSymlinkInitializeSymlinkInfo+1251DBj
		pop	ebx
		jmp	loc_7CEC54
; END OF FUNCTION CHUNK	FOR IopSymlinkInitializeSymlinkInfo
; 
; START	OF FUNCTION CHUNK FOR IopSymlinkAllocateAndAddECP

loc_8F3DFD:				; CODE XREF: IopSymlinkAllocateAndAddECP+50j
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		call	FsRtlAllocateExtraCreateParameterList
		mov	edi, eax
		test	edi, edi
		js	loc_7CED26
		mov	esi, [ebp+var_8]
		push	esi
		push	[ebp+var_C]
		call	_IoSetIrpExtraCreateParameter@8	; IoSetIrpExtraCreateParameter(x,x)
		mov	[ebp+var_1], 1
		jmp	loc_7CED0A
; 

loc_8F3E27:				; CODE XREF: IopSymlinkAllocateAndAddECP+63j
					; IopSymlinkAllocateAndAddECP+75j
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_8F3E3B
		and	dword ptr [eax+8], 0
		push	dword ptr [ebx]
		call	_FsRtlFreeExtraCreateParameter@4 ; FsRtlFreeExtraCreateParameter(x)
		and	dword ptr [ebx], 0

loc_8F3E3B:				; CODE XREF: IopSymlinkAllocateAndAddECP+125177j
		cmp	[ebp+var_1], 0
		jz	loc_7CED1D
		push	esi
		call	FsRtlFreeExtraCreateParameterList
		push	[ebp+var_C]
		call	_IoClearIrpExtraCreateParameter@4 ; IoClearIrpExtraCreateParameter(x)
		jmp	loc_7CED1D
; END OF FUNCTION CHUNK	FOR IopSymlinkAllocateAndAddECP
; 
; START	OF FUNCTION CHUNK FOR ExpWnfCreateProcessContext

loc_8F3E58:				; CODE XREF: ExpWnfCreateProcessContext+27j
		mov	ebx, 0C000009Ah
		jmp	loc_7CEFE7
; 

loc_8F3E62:				; CODE XREF: ExpWnfCreateProcessContext+DBj
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	ExpWnfDeleteProcessContext
		jmp	loc_7CEFE7
; END OF FUNCTION CHUNK	FOR ExpWnfCreateProcessContext
; 
; START	OF FUNCTION CHUNK FOR PiAuVerifyAccessToObject

loc_8F3E71:				; CODE XREF: PiAuVerifyAccessToObject+31j
					; PiAuVerifyAccessToObject+3Cj
		mov	ebx, 0C000000Dh
		jmp	loc_7CF0BE
; END OF FUNCTION CHUNK	FOR PiAuVerifyAccessToObject
; 
; START	OF FUNCTION CHUNK FOR MmLockPagableDataSection

loc_8F3E7B:				; CODE XREF: MmLockPagableDataSection+A4j
		push	0
		push	0
		push	[ebp+arg_0]
		push	1234h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8F3E8F:				; CODE XREF: PsSetProcessWin32Process+72j
					; PsSetProcessWin32Process+80j
		push	65446954h
		push	14h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8F3EC6
		mov	edx, 624A7350h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		push	3
		push	ebx
		mov	[ebx+10h], esi
		mov	dword ptr [ebx+8], offset _PspTimerDelayWorkerRoutine@4	; PspTimerDelayWorkerRoutine(x)
		mov	[ebx+0Ch], ebx
		mov	[ebx], edi
		call	ExQueueWorkItem

loc_8F3EC6:				; CODE XREF: MmLockPagableDataSection+124D8Bj
		mov	ebx, [ebp+arg_0]
		jmp	loc_7CF266
; END OF FUNCTION CHUNK	FOR MmLockPagableDataSection
; 
; START	OF FUNCTION CHUNK FOR PsSetProcessWin32Process

loc_8F3ECE:				; CODE XREF: PsSetProcessWin32Process+3Fj
					; PsSetProcessWin32Process+4Bj
		mov	edi, 0C000010Ah
		jmp	loc_7CF266
; END OF FUNCTION CHUNK	FOR PsSetProcessWin32Process
; 
; START	OF FUNCTION CHUNK FOR NtGetNextThread

loc_8F3ED8:				; CODE XREF: NtGetNextThread+9Bj
		mov	ecx, eax
		jmp	loc_7CF371
; 

loc_8F3EDF:				; CODE XREF: NtGetNextThread+B2j
		mov	eax, 0C000000Dh
		jmp	loc_7CF526
; 

loc_8F3EE9:				; CODE XREF: NtGetNextThread+12Ej
		mov	edx, edi
		call	ObfDereferenceObjectWithTag
		mov	esi, 0C000000Dh
		jmp	loc_7CF53D
; 

loc_8F3EFA:				; CODE XREF: NtGetNextThread+188j
		mov	edx, eax
		mov	ecx, esi
		call	@PsSynchronizeWithThreadInsertion@8 ; PsSynchronizeWithThreadInsertion(x,x)
		test	byte ptr [esi+2FCh], 2
		jz	short loc_8F3F5B
		jmp	loc_7CF45E
; 

loc_8F3F11:				; CODE XREF: NtGetNextThread+1C8j
		or	[ebp+var_7C], 1FFFFFh
		jmp	loc_7CF4A1
; END OF FUNCTION CHUNK	FOR NtGetNextThread

;  S U B	R O U T	I N E 


sub_8F3F1D	proc near		; DATA XREF: .text:006A3D50o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-178h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F3F1D	endp


;  S U B	R O U T	I N E 


sub_8F3F30	proc near		; DATA XREF: .text:006A3D54o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-178h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, 6E457350h
		mov	esi, [ebp-168h]
		jmp	loc_7CF50A
sub_8F3F30	endp

; 
; START	OF FUNCTION CHUNK FOR NtGetNextThread

loc_8F3F50:				; CODE XREF: NtGetNextThread+212j
		cmp	eax, 0C0000022h
		jnz	loc_7CF504

loc_8F3F5B:				; CODE XREF: NtGetNextThread+124C3Aj
		push	esi
		push	[ebp+var_160]
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	esi, eax
		mov	[ebp+var_168], eax
		test	esi, esi
		mov	eax, [ebp+var_16C]
		jnz	loc_7CF451
		mov	ebx, 8000001Ah
		jmp	loc_7CF50A
; END OF FUNCTION CHUNK	FOR NtGetNextThread

;  S U B	R O U T	I N E 


sub_8F3F87	proc near		; DATA XREF: .text:006A3D44o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-17Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F3F87	endp


;  S U B	R O U T	I N E 


sub_8F3F9A	proc near		; DATA XREF: .text:006A3D48o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-17Ch]
		jmp	loc_7CF526
sub_8F3F9A	endp

; 
; START	OF FUNCTION CHUNK FOR ExpWnfDispatchKernelSubscription

loc_8F3FAF:				; CODE XREF: ExpWnfDispatchKernelSubscription+113j
					; ExpWnfDispatchKernelSubscription+12Aj
		mov	ecx, [esp+30h+var_24]
		and	ecx, 0FFFFFFFEh
		mov	[esp+30h+var_24], ecx
		jmp	loc_7CF7C0
; 

loc_8F3FBF:				; CODE XREF: ExpWnfDispatchKernelSubscription+145j
		and	ecx, 0FFFFFFFEh
		mov	[esp+30h+var_24], ecx
		jmp	loc_7CF7DA
; 

loc_8F3FCB:				; CODE XREF: ExpWnfDispatchKernelSubscription+157j
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jz	short loc_8F3FE1
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, [esp+30h+var_20]

loc_8F3FE1:				; CODE XREF: ExpWnfDispatchKernelSubscription+124948j
		mov	ecx, edx
		call	KeAbPostRelease
		jmp	loc_7CF885
; 

loc_8F3FED:				; CODE XREF: ExpWnfDispatchKernelSubscription+19Cj
		and	[esp+30h+var_18], 0
		jmp	loc_7CF835
; END OF FUNCTION CHUNK	FOR ExpWnfDispatchKernelSubscription
; 
; START	OF FUNCTION CHUNK FOR MmCreateSpecialImageSection

loc_8F3FF7:				; CODE XREF: MmCreateSpecialImageSection+3Aj
		or	esi, 8
		jmp	loc_7CF98A
; 

loc_8F3FFF:				; CODE XREF: MmCreateSpecialImageSection+D0j
		push	offset _MiHalfSecond
		xor	eax, eax
		push	eax
		push	eax
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	eax, [esp+20h+var_8]
		mov	edx, [esp+20h+var_4]
		jmp	loc_7CF9A0
; END OF FUNCTION CHUNK	FOR MmCreateSpecialImageSection

;  S U B	R O U T	I N E 


sub_8F401A	proc near		; DATA XREF: .text:006A3D78o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F401A	endp


;  S U B	R O U T	I N E 


sub_8F402A	proc near		; DATA XREF: .text:006A3D7Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-28h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7CFAB4
sub_8F402A	endp

; 

loc_8F403C:				; DATA XREF: .text:006A3D6Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8F404A:				; DATA XREF: .text:006A3D70o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2Ch]
		jmp	loc_7CFAB6
; 
; START	OF FUNCTION CHUNK FOR PsSuspendThread

loc_8F405C:				; CODE XREF: PsSuspendThread+3Fj
		mov	esi, 0C000004Bh
		jmp	loc_7CFB28
; END OF FUNCTION CHUNK	FOR PsSuspendThread

;  S U B	R O U T	I N E 


sub_8F4066	proc near		; DATA XREF: .text:006A3D94o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	ecx, ecx
		cmp	eax, 0C000004Ah
		setz	cl
		mov	eax, ecx
		retn
sub_8F4066	endp


;  S U B	R O U T	I N E 


sub_8F407D	proc near		; DATA XREF: .text:006A3D98o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-24h]
		jmp	loc_7CFB1E
sub_8F407D	endp

; 
; START	OF FUNCTION CHUNK FOR PsSuspendThread

loc_8F4088:				; CODE XREF: PsSuspendThread+A5j
		push	1
		push	edi
		mov	edx, [ebp+var_20]
		mov	ecx, esi
		call	_EtwTiLogSuspendResumeThread@16	; EtwTiLogSuspendResumeThread(x,x,x,x)
		jmp	loc_7CFB40
; END OF FUNCTION CHUNK	FOR PsSuspendThread
; 
; START	OF FUNCTION CHUNK FOR CmpAddKeyHashToEntry

loc_8F409A:				; CODE XREF: CmpAddKeyHashToEntry+11j
		test	esi, esi
		jz	loc_7CFBDB
		mov	ebx, [ecx]

loc_8F40A4:				; CODE XREF: CmpAddKeyHashToEntry+124501j
		cmp	ebx, [esi]
		jnz	short loc_8F40C0
		mov	eax, [ecx+0Ch]
		cmp	eax, [esi+0Ch]
		jnz	short loc_8F40C0
		mov	eax, [ecx+8]
		cmp	eax, [esi+8]
		jnz	short loc_8F40C0
		lea	eax, [esi-8]
		jmp	loc_7CFBE3
; 

loc_8F40C0:				; CODE XREF: CmpAddKeyHashToEntry+1244E2j
					; CmpAddKeyHashToEntry+1244EAj	...
		mov	esi, [esi+4]
		test	esi, esi
		jnz	short loc_8F40A4
		jmp	loc_7CFBDB
; END OF FUNCTION CHUNK	FOR CmpAddKeyHashToEntry

;  S U B	R O U T	I N E 


sub_8F40CC	proc near		; DATA XREF: .text:006A3DB8o
		xor	esi, esi
		mov	edi, [ebp-1Ch]
		jmp	sub_7CFD31
sub_8F40CC	endp

; 
; START	OF FUNCTION CHUNK FOR sub_7CFD31

loc_8F40D6:				; CODE XREF: sub_7CFD31+3j
		test	edi, edi
		jz	locret_7CFD3A
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
; END OF FUNCTION CHUNK	FOR sub_7CFD31
; 
; START	OF FUNCTION CHUNK FOR RtlGetVersion

loc_8F40E6:				; CODE XREF: RtlGetVersion+92j
		call	RtlGetSuiteMask
		and	eax, 1FFFFh
		mov	[esi+11Ch], eax
		jmp	loc_7CFE54
; END OF FUNCTION CHUNK	FOR RtlGetVersion
; 
; START	OF FUNCTION CHUNK FOR RtlGetSuiteMask

loc_8F40FB:				; CODE XREF: RtlGetSuiteMask+7j
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+28Ch]
		mov	eax, [eax+14h]
		retn
; END OF FUNCTION CHUNK	FOR RtlGetSuiteMask
; 
; START	OF FUNCTION CHUNK FOR AlpcpCreateConnectionPort

loc_8F410A:				; CODE XREF: AlpcpCreateConnectionPort+51j
		mov	ecx, eax
		jmp	loc_7CFF15
; 

loc_8F4111:				; CODE XREF: AlpcpCreateConnectionPort+68j
		mov	esi, eax
		jmp	loc_7CFF2C
; END OF FUNCTION CHUNK	FOR AlpcpCreateConnectionPort

;  S U B	R O U T	I N E 


sub_8F4118	proc near		; DATA XREF: .text:006A3DD4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-58h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F4118	endp


;  S U B	R O U T	I N E 


sub_8F4126	proc near		; DATA XREF: .text:006A3DD8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-58h]
		jmp	loc_7D003C
sub_8F4126	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpCreateConnectionPort

loc_8F4138:				; CODE XREF: AlpcpCreateConnectionPort+145j
		mov	edi, eax

loc_8F413A:				; CODE XREF: AlpcpCreateConnectionPort+E4j
					; AlpcpCreateConnectionPort+12428Fj
		mov	ecx, esi

loc_8F413C:				; CODE XREF: AlpcpCreateConnectionPort+BEj
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	loc_7D003C
; 

loc_8F4148:				; CODE XREF: AlpcpCreateConnectionPort+111j
		mov	edi, 0C0000017h
		jmp	short loc_8F413A
; END OF FUNCTION CHUNK	FOR AlpcpCreateConnectionPort

;  S U B	R O U T	I N E 


sub_8F414F	proc near		; DATA XREF: .text:006A3DE0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-64h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F414F	endp


;  S U B	R O U T	I N E 


sub_8F415D	proc near		; DATA XREF: .text:006A3DE4o
		mov	esp, [ebp-18h]
		push	dword ptr [ebp-50h]
		call	NtClose
		mov	ecx, [ebp-64h]
		jmp	loc_7D0033
sub_8F415D	endp

; 
; START	OF FUNCTION CHUNK FOR PspReadIFEONodeOptions

loc_8F4170:				; CODE XREF: PspReadIFEONodeOptions+25j
		mov	eax, [ebp+var_4]
		movzx	ecx, al
		sub	ecx, edi
		jz	short loc_8F41BA
		sub	ecx, 1
		jnz	loc_7D023B
		movzx	ecx, ds:_KeNumberNodes
		shr	eax, 8
		cmp	eax, ecx
		jnb	loc_7D023B
		mov	ecx, [ebp+arg_0]
		cmp	[ecx], edi
		jnz	loc_7D023B
		mov	eax, ds:_KeNodeBlock[eax*4]
		cmp	[eax+84h], edi
		jz	loc_7D023B
		mov	[ecx], eax
		jmp	loc_7D023B
; 

loc_8F41BA:				; CODE XREF: PspReadIFEONodeOptions+123F68j
		test	eax, 0FFFFFF00h
		jz	loc_7D023B
		or	dword ptr [esi+0F8h], 100000h
		jmp	loc_7D023B
; END OF FUNCTION CHUNK	FOR PspReadIFEONodeOptions
; 
; START	OF FUNCTION CHUNK FOR PspReadIFEOPerfOptions

loc_8F41D4:				; CODE XREF: PspReadIFEOPerfOptions+75j
		mov	eax, [esp+10h+var_4]
		shr	eax, 2
		or	dword ptr [esi+4], 1
		mov	[esi+14h], eax
		jmp	loc_7D02BD
; END OF FUNCTION CHUNK	FOR PspReadIFEOPerfOptions
; 
; START	OF FUNCTION CHUNK FOR RtlQueryImageFileKeyOption

loc_8F41E7:				; CODE XREF: RtlQueryImageFileKeyOption+CDj
		mov	eax, [ebp+var_20]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F41F2:				; CODE XREF: RtlQueryImageFileKeyOption+76j
		mov	esi, [ebp+var_1C]
		jmp	loc_7D0362
; 

loc_8F41FA:				; CODE XREF: RtlQueryImageFileKeyOption+152j
		cmp	eax, 1
		jz	short loc_8F4209
		mov	esi, 0C0000024h
		jmp	loc_7D03FE
; 

loc_8F4209:				; CODE XREF: RtlQueryImageFileKeyOption+123F2Bj
		push	4
		pop	eax
		cmp	edx, eax
		jnz	short loc_8F425B
		cmp	ecx, eax
		jnz	loc_7D045C
		test	bl, 3
		jz	short loc_8F4227
		mov	esi, 80000002h
		jmp	loc_7D03A5
; 

loc_8F4227:				; CODE XREF: RtlQueryImageFileKeyOption+123F49j
		mov	[ebp+var_1C], eax
		test	ebx, ebx
		jz	loc_7D0455
		lea	eax, [edi+0Ch]
		mov	[ebp+var_24], eax
		mov	ax, [edi+8]
		mov	word ptr [ebp+var_28], ax
		mov	ax, [edi+8]
		push	ebx
		mov	word ptr [ebp+var_28+2], ax
		lea	eax, [ebp+var_28]
		push	0
		push	eax
		call	RtlUnicodeStringToInteger
		mov	esi, eax
		jmp	loc_7D03FE
; 

loc_8F425B:				; CODE XREF: RtlQueryImageFileKeyOption+123F3Cj
		mov	eax, [edi+8]
		mov	[ebp+var_1C], eax
		jmp	short loc_8F4266
; 

loc_8F4263:				; CODE XREF: RtlQueryImageFileKeyOption+123FC1j
		mov	eax, [edi+8]

loc_8F4266:				; CODE XREF: RtlQueryImageFileKeyOption+123F8Fj
		cmp	eax, ecx
		ja	loc_7D0455
		push	eax		; size_t
		lea	eax, [edi+0Ch]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_7D03FE
; 

loc_8F4281:				; CODE XREF: RtlQueryImageFileKeyOption+FBj
					; RtlQueryImageFileKeyOption+104j
		cmp	edx, eax
		jnz	short loc_8F4295
		mov	eax, [edi+8]
		mov	[ebp+var_1C], eax
		test	ebx, ebx
		jz	loc_7D0455
		jmp	short loc_8F4263
; 

loc_8F4295:				; CODE XREF: RtlQueryImageFileKeyOption+111j
					; RtlQueryImageFileKeyOption+15Aj ...
		mov	esi, 0C0000024h
		jmp	loc_7D03A5
; 

loc_8F429F:				; CODE XREF: RtlQueryImageFileKeyOption+135j
		cmp	esi, 80000005h
		jnz	loc_7D03A5
		jmp	loc_7D040D
; 

loc_8F42B0:				; CODE XREF: RtlQueryImageFileKeyOption+A5j
		mov	eax, 0C0000017h
		jmp	loc_7D034E
; END OF FUNCTION CHUNK	FOR RtlQueryImageFileKeyOption
; 
; START	OF FUNCTION CHUNK FOR EtwpProviderArrivalCallback

loc_8F42BA:				; CODE XREF: EtwpProviderArrivalCallback+2Aj
		mov	eax, 0C0000141h
		jmp	loc_7D0540
; 

loc_8F42C4:				; CODE XREF: EtwpProviderArrivalCallback+39j
					; EtwpProviderArrivalCallback+49j
		lea	ecx, [ebp+var_20C]
		mov	[ebp+var_21C], 2000000h
		mov	[ebp+Length], ecx
		mov	edx, edi
		lea	ecx, [ebp+var_21C]
		push	ecx
		mov	cl, al
		call	_EtwpLocateBinaryForRegEntry@12	; EtwpLocateBinaryForRegEntry(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8F4304
		mov	ecx, [edi+10h]
		lea	edx, [ebp+var_21C]
		add	ecx, 14h
		push	ecx		; void *
		mov	ecx, esi
		call	_EtwpTrackBinaryForSession@12 ;	EtwpTrackBinaryForSession(x,x,x)

loc_8F4304:				; CODE XREF: EtwpProviderArrivalCallback+123E6Cj
		lea	eax, [ebp+var_20C]
		cmp	[ebp+Length], eax
		jz	short loc_8F431F
		push	0
		push	[ebp+Length]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F431F:				; CODE XREF: EtwpProviderArrivalCallback+123E8Ej
		mov	al, [ebp+var_20D]
		mov	edx, 200h
		jmp	loc_7D04D1
; 

loc_8F432F:				; CODE XREF: EtwpProviderArrivalCallback+A4j
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_8F4341
		cmp	_KdPitchDebugger, 0
		jz	short loc_8F434E

loc_8F4341:				; CODE XREF: EtwpProviderArrivalCallback+123EB4j
		cmp	_KdEventLoggingPresent,	0
		jz	loc_7D052C

loc_8F434E:				; CODE XREF: EtwpProviderArrivalCallback+123EBDj
		mov	ecx, esi
		call	_EtwpSendDbgId@4 ; EtwpSendDbgId(x)
		jmp	loc_7D052C
; 

loc_8F435A:				; CODE XREF: EtwpProviderArrivalCallback+B6j
		push	0
		push	[ebp+var_214]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7D053E
; END OF FUNCTION CHUNK	FOR EtwpProviderArrivalCallback
; 
; START	OF FUNCTION CHUNK FOR EtwpLocateDbgIdForRegEntry

loc_8F436C:				; CODE XREF: EtwpLocateDbgIdForRegEntry+21j
		mov	eax, 0C0000141h
		jmp	loc_7D06EC
; END OF FUNCTION CHUNK	FOR EtwpLocateDbgIdForRegEntry

;  S U B	R O U T	I N E 


sub_8F4376	proc near		; DATA XREF: .text:006A3E08o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F4376	endp


;  S U B	R O U T	I N E 


sub_8F4384	proc near		; DATA XREF: .text:006A3E0Co
		mov	eax, [ebp-30h]
		jmp	short loc_8F439D
; 

loc_8F4389:				; DATA XREF: .text:006A3DFCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8F4397:				; DATA XREF: .text:006A3E00o
		mov	eax, [ebp-34h]
		mov	[ebp-28h], eax

loc_8F439D:				; CODE XREF: sub_8F4384+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7D06EC
sub_8F4384	endp

; 
; START	OF FUNCTION CHUNK FOR RtlCutoverTimeToSystemTime

loc_8F43AC:				; CODE XREF: RtlCutoverTimeToSystemTime+2Cj
		push	esi
		push	ebx
		call	_RtlTimeFieldsToTime@8 ; RtlTimeFieldsToTime(x,x)
		test	al, al
		jz	loc_7D0879
		mov	al, 1
		jmp	loc_7D0872
; 

loc_8F43C2:				; CODE XREF: RtlCutoverTimeToSystemTime+C6j
		xor	eax, eax
		inc	eax
		cmp	cx, si
		jge	loc_7D0802
		sub	esi, ecx
		lea	eax, [esi+1]
		mov	di, ax
		movzx	eax, ax
		jmp	loc_7D0802
; END OF FUNCTION CHUNK	FOR RtlCutoverTimeToSystemTime
; 
; START	OF FUNCTION CHUNK FOR CmpLockDeletedHashEntryExclusiveByKcb

loc_8F43DE:				; CODE XREF: CmpLockDeletedHashEntryExclusiveByKcb+50j
					; CmpLockHashEntryExclusiveByKcb+50j
		push	[ebp+var_4]
		push	8
		push	ebx
		push	17h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8F43EE:				; CODE XREF: EtwpReceiveNotification+2Aj
		mov	ebx, 0C000000Dh
		jmp	loc_7D0A6C
; END OF FUNCTION CHUNK	FOR CmpLockDeletedHashEntryExclusiveByKcb
; 
; START	OF FUNCTION CHUNK FOR EtwpReceiveNotification

loc_8F43F8:				; CODE XREF: EtwpReceiveNotification+67j
		mov	edi, [edi]
		cmp	edi, ecx
		jnz	loc_7D09AB
		jmp	loc_7D09BB
; 

loc_8F4407:				; CODE XREF: EtwpReceiveNotification+54j
					; EtwpReceiveNotification+6Fj
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ebx, 8000001Ah
		jmp	loc_7D0A6C
; END OF FUNCTION CHUNK	FOR EtwpReceiveNotification
; 
; START	OF FUNCTION CHUNK FOR NtSetWnfProcessNotificationEvent

loc_8F4427:				; CODE XREF: NtSetWnfProcessNotificationEvent+30j
		lea	edx, [ebp+var_4]
		call	ExpWnfCreateProcessContext
		mov	esi, eax
		test	esi, esi
		js	loc_7D0B6A
		mov	edi, [ebp+var_4]
		jmp	loc_7D0B30
; 

loc_8F4441:				; CODE XREF: NtSetWnfProcessNotificationEvent+68j
		call	ObfDereferenceObject
		mov	esi, 0C0000718h
		jmp	loc_7D0B6A
; END OF FUNCTION CHUNK	FOR NtSetWnfProcessNotificationEvent
; 
; START	OF FUNCTION CHUNK FOR RtlpInternEntryCreate

loc_8F4450:				; CODE XREF: RtlpInternEntryCreate+A5j
		mov	eax, ebx
		sub	eax, esi
		push	eax		; size_t
		lea	eax, [esi+edi]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_7D0CB3
; END OF FUNCTION CHUNK	FOR RtlpInternEntryCreate
; 
; START	OF FUNCTION CHUNK FOR RtlpInsertStringAtom

loc_8F4468:				; CODE XREF: RtlpInsertStringAtom+26j
					; RtlpInsertStringAtom+34j ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebx+0Ch]
		mov	edx, esi
		call	ExMapHandleToPointer
		mov	ecx, [ebx+0Ch]
		mov	edx, esi
		push	eax
		call	ExDestroyHandle
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_7D0D66
; END OF FUNCTION CHUNK	FOR RtlpInsertStringAtom
; 
; START	OF FUNCTION CHUNK FOR RtlDecompressFragmentLZNT1

loc_8F449C:				; CODE XREF: RtlDecompressFragmentLZNT1+5Fj
		mov	al, [ebx]
		mov	byte ptr [esp+40h+var_30], al
		mov	al, [ebx+1]
		mov	byte ptr [esp+40h+var_30+1], al
		jmp	loc_7D0DD7
; 

loc_8F44AE:				; CODE XREF: RtlDecompressFragmentLZNT1+9Fj
					; RtlDecompressFragmentLZNT1+C5j
		mov	eax, [ebp+arg_18]
		and	[eax], esi
		xor	esi, esi
		jmp	loc_7D0F3C
; 

loc_8F44BA:				; CODE XREF: RtlDecompressFragmentLZNT1+116j
		lea	ecx, [esp+40h+var_2C]
		push	ecx
		push	eax
		push	ebx
		push	[esp+4Ch+var_20]
		push	edi
		call	_LZNT1DecompressChunk@20 ; LZNT1DecompressChunk(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_7D0EA9

loc_8F44D5:				; CODE XREF: RtlDecompressFragmentLZNT1+132j
		mov	eax, [esp+40h+var_2C]
		jmp	short loc_8F44F8
; 

loc_8F44DB:				; CODE XREF: RtlDecompressFragmentLZNT1+F4j
		lea	eax, [ebx+2]
		add	eax, edx
		add	eax, ecx
		cmp	eax, [esp+40h+var_24]
		ja	short loc_8F451C
		lea	eax, [ecx+2]
		push	edx
		add	eax, ebx
		push	eax
		jmp	loc_7D0FB2
; 

loc_8F44F4:				; CODE XREF: RtlDecompressFragmentLZNT1+223j
		mov	eax, [esp+40h+var_28]

loc_8F44F8:				; CODE XREF: RtlDecompressFragmentLZNT1+12376Fj
		mov	ecx, [ebp+arg_18]
		mov	[ecx], eax
		jmp	loc_7D0F3C
; 

loc_8F4502:				; CODE XREF: RtlDecompressFragmentLZNT1+23Dj
		sub	ecx, ebx
		push	ecx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [esp+4Ch+var_28]
		add	esp, 0Ch
		sub	eax, ebx
		add	edi, eax
		jmp	loc_7D0F34
; 

loc_8F451C:				; CODE XREF: RtlDecompressFragmentLZNT1+8Dj
					; RtlDecompressFragmentLZNT1+D7j ...
		mov	eax, [ebp+arg_18]
		mov	esi, 0C0000242h
		mov	[eax], ebx
		jmp	loc_7D0F3C
; END OF FUNCTION CHUNK	FOR RtlDecompressFragmentLZNT1
; 
; START	OF FUNCTION CHUNK FOR RtlDecompressBufferLZNT1

loc_8F452B:				; CODE XREF: RtlDecompressBufferLZNT1+5Dj
		mov	al, [ebx]
		mov	byte ptr [esp+38h+var_2C], al
		mov	al, [ebx+1]
		mov	byte ptr [esp+38h+var_2C+1], al
		jmp	loc_7D1045
; 

loc_8F453D:				; CODE XREF: RtlDecompressBufferLZNT1+A3j
		lea	eax, [esp+38h+var_28]
		push	eax
		push	edx
		mov	edx, [esp+40h+var_20]
		push	ebx
		push	edx
		push	edi
		call	_LZNT1DecompressChunk@20 ; LZNT1DecompressChunk(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_8F45A3

loc_8F4555:				; CODE XREF: RtlDecompressBufferLZNT1+C2j
		mov	ecx, [ebp+arg_14]
		mov	eax, [esp+38h+var_28]
		mov	[ecx], eax
		jmp	loc_7D112E
; 

loc_8F4563:				; CODE XREF: RtlDecompressBufferLZNT1+96j
		cmp	eax, 2
		jb	loc_7D110A
		mov	edx, [esp+38h+var_20]
		lea	ecx, [eax-2]
		lea	eax, [ecx+edi]
		mov	[esp+38h+var_28], ecx
		cmp	eax, edx
		jbe	short loc_8F4586
		mov	ecx, edx
		sub	ecx, edi
		mov	[esp+38h+var_28], ecx

loc_8F4586:				; CODE XREF: RtlDecompressBufferLZNT1+1235A2j
		lea	eax, [ebx+2]
		add	eax, ecx
		cmp	eax, [esp+38h+var_24]
		ja	loc_7D110A
		push	ecx		; size_t
		lea	eax, [ebx+2]
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_8F45A3:				; CODE XREF: RtlDecompressBufferLZNT1+123579j
		mov	ecx, [esp+38h+var_28]
		jmp	loc_7D10A9
; 

loc_8F45AC:				; CODE XREF: RtlDecompressBufferLZNT1+10Bj
		sub	eax, ecx
		lea	ecx, [eax+edi]
		mov	[esp+38h+var_1C], ecx
		cmp	ecx, edx
		jnb	loc_7D1120
		push	eax		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	edi, [esp+44h+var_1C]
		add	esp, 0Ch
		jmp	loc_7D10EB
; 

loc_8F45D2:				; CODE XREF: RtlDecompressBufferLZNT1+15Dj
		xor	ebx, ebx
		lea	eax, [esp+38h+var_18]
		push	ebx
		push	ebx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_7D113F
; END OF FUNCTION CHUNK	FOR RtlDecompressBufferLZNT1
; 
; START	OF FUNCTION CHUNK FOR NtCreateSymbolicLinkObject

loc_8F45E5:				; CODE XREF: NtCreateSymbolicLinkObject+7Dj
		mov	ecx, eax
		jmp	loc_7D11ED
; 

loc_8F45EC:				; CODE XREF: NtCreateSymbolicLinkObject+9Bj
		mov	eax, ecx
		jmp	loc_7D120B
; 

loc_8F45F3:				; CODE XREF: NtCreateSymbolicLinkObject+CCj
					; NtCreateSymbolicLinkObject+D4j
		mov	byte ptr [eax],	0
		jmp	loc_7D1244
; 

loc_8F45FB:				; CODE XREF: NtCreateSymbolicLinkObject+E3j
		mov	ecx, eax
		jmp	loc_7D1253
; 

loc_8F4602:				; CODE XREF: NtCreateSymbolicLinkObject+115j
					; NtCreateSymbolicLinkObject+11Dj
		mov	byte ptr [eax],	0
		jmp	loc_7D128D
; 

loc_8F460A:				; CODE XREF: NtCreateSymbolicLinkObject+12Cj
		mov	ecx, eax
		jmp	loc_7D129C
; END OF FUNCTION CHUNK	FOR NtCreateSymbolicLinkObject

;  S U B	R O U T	I N E 


sub_8F4611	proc near		; DATA XREF: .text:006A3E8Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A0h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F4611	endp


;  S U B	R O U T	I N E 


sub_8F4622	proc near		; DATA XREF: .text:006A3E90o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0A0h]
		jmp	loc_7D1446
sub_8F4622	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateSymbolicLinkObject

loc_8F4637:				; CODE XREF: NtCreateSymbolicLinkObject+152j
		and	edx, 0FFFEh
		mov	word ptr [ebp+var_8C+2], dx
		mov	ecx, [ebp+var_8C]
		jmp	loc_7D12C2
; 

loc_8F464F:				; CODE XREF: NtCreateSymbolicLinkObject+162j
					; NtCreateSymbolicLinkObject+16Fj ...
		mov	eax, 0C000000Dh
		jmp	loc_7D1446
; END OF FUNCTION CHUNK	FOR NtCreateSymbolicLinkObject
; 
; START	OF FUNCTION CHUNK FOR ObCreateSymbolicLink

loc_8F4659:				; CODE XREF: ObCreateSymbolicLink+85j
		mov	ebx, 0C0000017h
		jmp	loc_7D1579
; END OF FUNCTION CHUNK	FOR ObCreateSymbolicLink

;  S U B	R O U T	I N E 


sub_8F4663	proc near		; DATA XREF: .text:006A3EB8o
		xor	eax, eax
		inc	eax
		retn
sub_8F4663	endp


;  S U B	R O U T	I N E 


sub_8F4667	proc near		; DATA XREF: .text:006A3EBCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edi, edi
		mov	esi, [ebp-1Ch]
		jmp	loc_7D1577
sub_8F4667	endp

; 

loc_8F467B:				; DATA XREF: .text:006A3EACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8F4689:				; DATA XREF: .text:006A3EB0o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-2Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1Ch]
		jmp	loc_7D1579
; 
; START	OF FUNCTION CHUNK FOR MiSwitchBaseAddress

loc_8F469E:				; CODE XREF: MiSwitchBaseAddress+64j
		mov	eax, large fs:124h
		mov	edx, [ebx+18h]
		push	dword ptr [eax+80h]
		mov	eax, [ebp+var_4]
		mov	ecx, [eax+20h]
		and	ecx, 0FFFFFFF8h
		add	ecx, 30h
		call	_DbgUnLoadImageSymbolsUnicode@12 ; DbgUnLoadImageSymbolsUnicode(x,x,x)
		mov	eax, 0DFFFh
		and	[ebx+8], ax
		jmp	loc_7D1620
; END OF FUNCTION CHUNK	FOR MiSwitchBaseAddress
; 
; START	OF FUNCTION CHUNK FOR PspAssignProcessQuotaBlock

loc_8F46CC:				; CODE XREF: PspAssignProcessQuotaBlock+56j
		test	byte ptr [ebx+30h], 10h
		jz	loc_7D16C4
		mov	al, 1
		xor	ebx, ebx
		mov	[ebp+var_65], al
		jmp	loc_7D16D0
; 

loc_8F46E2:				; CODE XREF: PspAssignProcessQuotaBlock+180j
		mov	edi, 0C000009Ah
		jmp	short loc_8F4740
; 

loc_8F46E9:				; CODE XREF: PspAssignProcessQuotaBlock+1A0j
		lea	eax, [ebp+var_64]
		push	eax		; void *
		lea	eax, [esi+240h]
		push	eax		; void *
		push	ebx		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		jmp	loc_7D180E
; 

loc_8F46FF:				; CODE XREF: PspAssignProcessQuotaBlock+1BFj
		lock dec dword ptr [esi+204h]
		mov	ecx, esi
		call	PspDereferenceQuotaBlock
		mov	esi, edi
		jmp	loc_7D1778
; 

loc_8F4714:				; CODE XREF: PspAssignProcessQuotaBlock+120j
		mov	edi, offset _PspSystemQuotaBlock
		mov	ecx, esi
		mov	eax, edi
		lock cmpxchg [edx], ecx
		cmp	eax, edi
		jz	loc_7D1790
		mov	edi, 0C0000001h

loc_8F472E:				; CODE XREF: PspAssignProcessQuotaBlock+195j
		test	esi, esi
		jz	short loc_8F4740
		lock dec dword ptr [esi+204h]
		mov	ecx, esi
		call	PspDereferenceQuotaBlock

loc_8F4740:				; CODE XREF: PspAssignProcessQuotaBlock+9Dj
					; PspAssignProcessQuotaBlock+12307Fj ...
		mov	eax, edi
		jmp	loc_7D1792
; END OF FUNCTION CHUNK	FOR PspAssignProcessQuotaBlock
; 
; START	OF FUNCTION CHUNK FOR PspLookupProcessQuotaBlock

loc_8F4747:				; CODE XREF: PspLookupProcessQuotaBlock+56j
		lea	eax, [ebx-208h]
		mov	[ebp+var_C], eax
		add	eax, 240h
		push	eax
		push	ecx
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_8F476D
		mov	ebx, [ebx]
		lea	eax, [esi+4]
		mov	ecx, [ebp+var_4]
		jmp	loc_7D1896
; 

loc_8F476D:				; CODE XREF: PspLookupProcessQuotaBlock+122F1Cj
		mov	edi, [ebp+var_C]
		jmp	loc_7D1922
; 

loc_8F4775:				; CODE XREF: PspLookupProcessQuotaBlock+E8j
		mov	ecx, edi
		call	_PspSafeReferenceQuotaBlock@4 ;	PspSafeReferenceQuotaBlock(x)
		test	eax, eax
		jnz	short loc_8F47AF
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_8F47A8
		cmp	[ebp+arg_0], eax
		jnz	short loc_8F47A8
		add	edi, 208h
		mov	edx, [edi]
		cmp	[edx+4], edi
		jnz	short loc_8F47D4
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_8F47D4
		mov	[eax], edx
		mov	[edx+4], eax
		and	dword ptr [edi], 0

loc_8F47A8:				; CODE XREF: PspLookupProcessQuotaBlock+122F43j
					; PspLookupProcessQuotaBlock+122F48j
		xor	edi, edi
		jmp	loc_7D18A1
; 

loc_8F47AF:				; CODE XREF: PspLookupProcessQuotaBlock+122F3Cj
		lock inc dword ptr [edi+204h]
		jmp	loc_7D189E
; 

loc_8F47BB:				; CODE XREF: PspLookupProcessQuotaBlock+94j
		lea	ecx, [esi+4]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_8F47D4
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		jmp	loc_7D18E8
; 

loc_8F47D4:				; CODE XREF: PspLookupProcessQuotaBlock+122F55j
					; PspLookupProcessQuotaBlock+122F5Cj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8F47D9:				; CODE XREF: PspReadUserQuotaLimits+117j
		cmp	[ebp+var_20], 1
		jz	short loc_8F47E7
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)

loc_8F47E7:				; CODE XREF: PspLookupProcessQuotaBlock+122F9Bj
		mov	[ebp+var_20], esi
		jmp	loc_7D1A82
; END OF FUNCTION CHUNK	FOR PspLookupProcessQuotaBlock
; 
; START	OF FUNCTION CHUNK FOR PspReadUserQuotaLimits

loc_8F47EF:				; CODE XREF: PspReadUserQuotaLimits+ADj
		mov	[ebp+var_24], edi
		mov	eax, offset _PspDefaultResourceLimits
		mov	edi, ebx
		mov	ebx, offset _PspDefaultResourceNames
		sub	eax, edi
		mov	[ebp+var_54], eax

loc_8F4803:				; CODE XREF: PspReadUserQuotaLimits+122F08j
		lea	eax, [ebp+var_50]
		push	eax
		push	14h
		lea	eax, [ebp+var_1C]
		push	eax
		push	2
		push	ebx
		push	[ebp+var_28]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_8F4833
		cmp	esi, 0C0000034h
		jz	short loc_8F4833
		push	[ebp+var_28]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7D1A1F
; 

loc_8F4833:				; CODE XREF: PspReadUserQuotaLimits+122EBAj
					; PspReadUserQuotaLimits+122EC2j
		cmp	esi, 0C0000034h
		jz	short loc_8F484F
		cmp	[ebp+var_14], 4
		jnz	short loc_8F484F
		cmp	[ebp+var_18], 4
		jnz	short loc_8F484F
		mov	eax, [ebp+var_10]
		mov	esi, [ebp+var_24]
		jmp	short loc_8F485C
; 

loc_8F484F:				; CODE XREF: PspReadUserQuotaLimits+122ED7j
					; PspReadUserQuotaLimits+122EDDj ...
		mov	esi, [ebp+var_24]
		mov	eax, [ebp+var_54]
		inc	esi
		mov	[ebp+var_24], esi
		mov	eax, [eax+edi]

loc_8F485C:				; CODE XREF: PspReadUserQuotaLimits+122EEBj
		mov	[edi], eax
		add	ebx, 8
		add	edi, 4
		cmp	ebx, offset _PspPriorityTable
		jl	short loc_8F4803
		push	[ebp+var_28]
		call	_ZwClose@4	; ZwClose(x)
		cmp	esi, 4
		jnb	short loc_8F4899
		mov	ecx, [ebp+var_2C]
		xor	edx, edx
		call	PspSanitizeResourceLimits
		mov	esi, eax
		test	esi, esi
		js	loc_7D1A1F
		mov	eax, [ebp+var_58]
		xor	edi, edi
		mov	[eax], edi
		jmp	loc_7D1A1D
; 

loc_8F4899:				; CODE XREF: PspReadUserQuotaLimits+122F15j
		xor	edi, edi
		jmp	loc_7D1A1D
; END OF FUNCTION CHUNK	FOR PspReadUserQuotaLimits
; 
; START	OF FUNCTION CHUNK FOR PspSetProcessPpmPolicy

loc_8F48A0:				; CODE XREF: PspSetProcessPpmPolicy+31j
		mov	ecx, [ebx]
		lea	edi, [esi+3A8h]
		mov	edx, [edi]
		mov	eax, 4000000h
		shr	ecx, 7
		and	edx, eax
		and	ecx, 7
		call	_KeGetProcessQosFromPolicy@4 ; KeGetProcessQosFromPolicy(x)
		cmp	eax, 2
		jnz	short loc_8F48D3
		test	edx, edx
		jnz	loc_7D1BAB
		mov	eax, 4000000h
		lock or	[edi], eax
		jmp	short loc_8F48E3
; 

loc_8F48D3:				; CODE XREF: PspSetProcessPpmPolicy+122D4Bj
		test	edx, edx
		jz	loc_7D1BAB
		mov	eax, 0FBFFFFFFh
		lock and [edi],	eax

loc_8F48E3:				; CODE XREF: PspSetProcessPpmPolicy+122D5Dj
		test	dword ptr [esi+0FCh], 1000h
		jz	loc_7D1BAB
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		push	0
		xor	edx, edx
		xor	cl, cl
		call	ExpUpdateTimerResolution
		mov	ecx, offset _ExpTimeRefreshLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_7D1BAB
; END OF FUNCTION CHUNK	FOR PspSetProcessPpmPolicy
; 
; START	OF FUNCTION CHUNK FOR CmpCheckKeySecurityDescriptorAccess

loc_8F4919:				; CODE XREF: CmpCheckKeySecurityDescriptorAccess+82j
		push	0
		push	edi
		mov	dl, bl
		lea	ecx, [ebp+var_80]
		call	_CmpSetAccessStateForBackupRestore@16 ;	CmpSetAccessStateForBackupRestore(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7D1DB1
		cmp	[ebp+var_70], 0
		jnz	short loc_8F493D
		xor	esi, esi
		jmp	loc_7D1DB1
; 

loc_8F493D:				; CODE XREF: CmpCheckKeySecurityDescriptorAccess+122C48j
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_14C], eax
		jmp	loc_7D1D74
; END OF FUNCTION CHUNK	FOR CmpCheckKeySecurityDescriptorAccess
; 
; START	OF FUNCTION CHUNK FOR PspGetNoChildProcessRestrictedPolicy

loc_8F494B:				; CODE XREF: PspGetNoChildProcessRestrictedPolicy+42j
		xor	eax, eax
		cmp	byte ptr [ebp+var_2], al
		setnz	al
		inc	eax
		leave
		retn
; END OF FUNCTION CHUNK	FOR PspGetNoChildProcessRestrictedPolicy
; 
; START	OF FUNCTION CHUNK FOR RtlpWriteExtendedContext

loc_8F4956:				; CODE XREF: RtlpWriteExtendedContext+54j
		push	40h
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+14h]
		mov	eax, [eax+10h]
		add	eax, esi
		push	eax
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		jmp	loc_7D1E86
; END OF FUNCTION CHUNK	FOR RtlpWriteExtendedContext

;  S U B	R O U T	I N E 


sub_8F496E	proc near		; DATA XREF: .text:006A3ED4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F496E	endp


;  S U B	R O U T	I N E 


sub_8F497C	proc near		; DATA XREF: .text:006A3ED8o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-24h]
		jmp	loc_7D1E99
sub_8F497C	endp

; 
; START	OF FUNCTION CHUNK FOR _CmGetMatchingFilteredDeviceList

loc_8F4987:				; CODE XREF: _CmGetMatchingFilteredDeviceList+7Fj
		test	eax, eax
		jnz	short loc_8F49E4

loc_8F498B:				; CODE XREF: _CmGetMatchingFilteredDeviceList+5Ej
					; _CmGetMatchingFilteredDeviceList+9Dj
		push	[ebp+var_C]
		mov	edx, [ebp+var_28]
		mov	ecx, edi
		push	[ebp+var_10]
		push	[ebp+var_14]
		push	[ebp+var_18]
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		call	__CmGetMatchingFilteredDeviceListWorker@36 ; _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	ebx, ebx
		jz	loc_7D2222
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	10h
		push	1
		push	0
		push	edi
		call	ebx
		cmp	eax, 0C0000002h
		jz	loc_7D2222
		cmp	eax, 0C0000120h
		jz	loc_7D221F
		test	eax, eax
		jz	loc_7D2222

loc_8F49E4:				; CODE XREF: _CmGetMatchingFilteredDeviceList+1227EFj
		mov	esi, 0C00000E5h
		jmp	loc_7D2222
; END OF FUNCTION CHUNK	FOR _CmGetMatchingFilteredDeviceList
; 
; START	OF FUNCTION CHUNK FOR PiCMConvertDeviceListFilters

loc_8F49EE:				; CODE XREF: PiCMConvertDeviceListFilters+6Ej
		dec	eax
		sub	eax, 1
		jnz	loc_7D22CA
		mov	dword ptr [edx], 4
		mov	eax, 104h
		jmp	loc_7D227A
; 

loc_8F4A08:				; CODE XREF: PiCMConvertDeviceListFilters:loc_7D2291j
		mov	eax, 108h
		jmp	short loc_8F4A34
; 

loc_8F4A0F:				; CODE XREF: PiCMConvertDeviceListFilters+28j
		mov	dword ptr [edx], 40h
		mov	eax, 140h
		jmp	loc_7D227A
; 

loc_8F4A1F:				; CODE XREF: PiCMConvertDeviceListFilters+1Fj
		mov	dword ptr [edx], 20h
		mov	eax, 120h
		jmp	loc_7D227A
; 

loc_8F4A2F:				; CODE XREF: PiCMConvertDeviceListFilters+17j
		mov	eax, 110h

loc_8F4A34:				; CODE XREF: PiCMConvertDeviceListFilters+1227D1j
		mov	[edx], edi
		jmp	loc_7D227A
; END OF FUNCTION CHUNK	FOR PiCMConvertDeviceListFilters
; 
; START	OF FUNCTION CHUNK FOR PiCMCaptureDeviceListInputData

loc_8F4A3B:				; CODE XREF: PiCMCaptureDeviceListInputData+4Ej
					; PiCMCaptureDeviceListInputData+56j
		mov	byte ptr [eax],	0
		jmp	loc_7D232E
; 

loc_8F4A43:				; CODE XREF: PiCMCaptureDeviceListInputData+5Fj
					; PiCMCaptureDeviceListInputData+74j
		mov	ebx, 0C000000Dh
		jmp	short loc_8F4A5E
; END OF FUNCTION CHUNK	FOR PiCMCaptureDeviceListInputData

;  S U B	R O U T	I N E 


sub_8F4A4A	proc near		; DATA XREF: .text:006A3EF4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F4A4A	endp


;  S U B	R O U T	I N E 


sub_8F4A58	proc near		; DATA XREF: .text:006A3EF8o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-28h]
sub_8F4A58	endp

; START	OF FUNCTION CHUNK FOR PiCMCaptureDeviceListInputData

loc_8F4A5E:				; CODE XREF: PiCMCaptureDeviceListInputData+122776j
		mov	[ebp+var_1C], ebx
		jmp	loc_7D234C
; 

loc_8F4A66:				; CODE XREF: PiCMCaptureDeviceListInputData+9Ej
		test	eax, eax
		jz	loc_7D23BE

loc_8F4A6E:				; CODE XREF: PiCMCaptureDeviceListInputData+FAj
		cmp	dword ptr [esi+0Ch], 2
		jnb	loc_7D23A2

loc_8F4A78:				; CODE XREF: PiCMCaptureDeviceListInputData+F0j
		mov	ebx, 0C000000Dh

loc_8F4A7D:				; CODE XREF: PiCMCaptureDeviceListInputData+86j
					; PiCMCaptureDeviceListInputData+D2j
		cmp	[ebp+var_20], 0
		jz	short loc_8F4A98
		mov	eax, [esi+8]
		cmp	byte ptr [ebp+var_24], 0
		jz	short loc_8F4A98
		test	eax, eax
		jz	short loc_8F4A98
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F4A98:				; CODE XREF: PiCMCaptureDeviceListInputData+1227AFj
					; PiCMCaptureDeviceListInputData+1227B8j ...
		xor	eax, eax
		mov	edi, esi
		stosd
		stosd
		stosd
		stosd
		stosd
		jmp	loc_7D23AA
; 

loc_8F4AA6:				; CODE XREF: PiCMCaptureDeviceListInputData+2Aj
					; PiCMCaptureDeviceListInputData+32j
		mov	ebx, 0C000000Dh
		mov	esi, [ebp+arg_4]
		jmp	loc_7D23A2
; END OF FUNCTION CHUNK	FOR PiCMCaptureDeviceListInputData
; 
; START	OF FUNCTION CHUNK FOR AlpcSectionDestroyProcedure

loc_8F4AB3:				; CODE XREF: AlpcSectionDestroyProcedure+Ej
		mov	edx, [esi+0Ch]
		push	esi
		call	@AlpcDeleteBlobByHandle@12 ; AlpcDeleteBlobByHandle(x,x,x)
		and	dword ptr [esi+8], 0
		jmp	loc_7D23F4
; 

loc_8F4AC5:				; CODE XREF: AlpcSectionDestroyProcedure+19j
		mov	edx, esi
		call	_AlpcpRemoveResourcePort@8 ; AlpcpRemoveResourcePort(x,x)
		mov	ecx, [esi+14h]
		call	ObfDereferenceObject
		and	dword ptr [esi+14h], 0
		jmp	loc_7D23FF
; END OF FUNCTION CHUNK	FOR AlpcSectionDestroyProcedure

;  S U B	R O U T	I N E 


sub_8F4ADD	proc near		; DATA XREF: .text:006A3F14o
		xor	eax, eax
		inc	eax
		retn
sub_8F4ADD	endp


;  S U B	R O U T	I N E 


sub_8F4AE1	proc near		; DATA XREF: .text:006A3F18o
		mov	esp, [ebp-18h]
		mov	eax, [ebp+8]
		mov	byte ptr [eax+15h], 1
		jmp	loc_7D2448
sub_8F4AE1	endp

; 
; START	OF FUNCTION CHUNK FOR MmCommitSessionMappedView

loc_8F4AF0:				; CODE XREF: MmCommitSessionMappedView+18j
		mov	ecx, esi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	loc_7D248A
		mov	eax, 0C00000EFh
		jmp	loc_7D25F4
; 

loc_8F4B0A:				; CODE XREF: MmCommitSessionMappedView+36j
		mov	ecx, edx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jz	loc_7D24A8

loc_8F4B1A:				; CODE XREF: MmCommitSessionMappedView+25j
		mov	eax, 0C00000F0h
		jmp	loc_7D25F4
; 

loc_8F4B24:				; CODE XREF: MmCommitSessionMappedView+53j
		mov	eax, 0C0000019h
		jmp	loc_7D25F4
; 

loc_8F4B2E:				; CODE XREF: MmCommitSessionMappedView+E1j
		mov	edi, [ebp+arg_0]
		or	eax, 0FFFFFFFFh
		mov	esi, [edi+74h]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8F4B48
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8F4B48:				; CODE XREF: MmCommitSessionMappedView+1226D3j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, 0C0000021h
		jmp	short loc_8F4B99
; 

loc_8F4B56:				; CODE XREF: MmCommitSessionMappedView+137j
					; MmCommitSessionMappedView+13Fj ...
		mov	edx, [edx+8]
		sub	ecx, esi
		sbb	eax, edi
		test	edx, edx
		jz	short loc_8F4B73
		mov	esi, [edx+1Ch]
		cmp	eax, edi
		ja	short loc_8F4B56
		jb	loc_7D25B1
		jmp	loc_7D25A9
; 

loc_8F4B73:				; CODE XREF: MmCommitSessionMappedView+114j
					; MmCommitSessionMappedView+1226F3j
		mov	edi, [ebp+arg_0]
		or	eax, 0FFFFFFFFh
		mov	esi, [edi+74h]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8F4B8D
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8F4B8D:				; CODE XREF: MmCommitSessionMappedView+122718j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, 0C00000F0h

loc_8F4B99:				; CODE XREF: MmCommitSessionMappedView+1226E8j
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, esi
		jmp	loc_7D25F4
; 

loc_8F4BA7:				; CODE XREF: MmCommitSessionMappedView+164j
		test	al, 4
		jnz	loc_7D25D6
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7D25D6
; END OF FUNCTION CHUNK	FOR MmCommitSessionMappedView
; 
; START	OF FUNCTION CHUNK FOR NtFlushVirtualMemory

loc_8F4BBB:				; CODE XREF: NtFlushVirtualMemory+43j
		mov	ecx, eax
		jmp	loc_7D2645
; 

loc_8F4BC2:				; CODE XREF: NtFlushVirtualMemory+59j
		mov	ecx, eax
		jmp	loc_7D265B
; 

loc_8F4BC9:				; CODE XREF: NtFlushVirtualMemory+6Fj
		mov	ecx, eax
		jmp	loc_7D2671
; END OF FUNCTION CHUNK	FOR NtFlushVirtualMemory

;  S U B	R O U T	I N E 


sub_8F4BD0	proc near		; DATA XREF: .text:006A3F34o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F4BD0	endp


;  S U B	R O U T	I N E 


sub_8F4BDE	proc near		; DATA XREF: .text:006A3F38o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-28h]
		jmp	loc_7D270E
sub_8F4BDE	endp

; 
; START	OF FUNCTION CHUNK FOR NtFlushVirtualMemory

loc_8F4BF0:				; CODE XREF: NtFlushVirtualMemory+2Ej
		mov	esi, [ebp+arg_4]
		mov	ecx, [esi]
		mov	[ebp+var_20], ecx
		mov	edi, [ebp+arg_8]
		mov	edx, [edi]
		mov	[ebp+var_1C], edx
		mov	ebx, [ebp+arg_C]
		jmp	loc_7D2686
; 

loc_8F4C08:				; CODE XREF: NtFlushVirtualMemory+91j
		mov	eax, 0C00000F0h
		jmp	loc_7D270E
; 

loc_8F4C12:				; CODE XREF: NtFlushVirtualMemory+9Cj
		mov	eax, 0C00000F1h
		jmp	loc_7D270E
; END OF FUNCTION CHUNK	FOR NtFlushVirtualMemory

;  S U B	R O U T	I N E 


sub_8F4C1C	proc near		; DATA XREF: .text:006A3F40o
		xor	eax, eax
		inc	eax
		retn
sub_8F4C1C	endp


;  S U B	R O U T	I N E 


sub_8F4C20	proc near		; DATA XREF: .text:006A3F44o
		mov	esp, [ebp-18h]
		jmp	loc_7D2704
sub_8F4C20	endp

; 
; START	OF FUNCTION CHUNK FOR MmFlushVirtualMemory

loc_8F4C28:				; CODE XREF: MmFlushVirtualMemory+78j
		push	2
		pop	esi
		lea	ecx, [esp+58h+var_1C]
		xor	edx, edx
		push	ecx
		mov	ecx, eax
		call	KiStackAttachProcess
		jmp	loc_7D279E
; 

loc_8F4C3E:				; CODE XREF: MmFlushVirtualMemory+A4j
		mov	ebx, [esp+58h+var_4C]
		cmp	ebx, 0C00000A0h
		jnz	loc_7D2974
		mov	ebx, 0C0000019h
		jmp	loc_7D2974
; 

loc_8F4C58:				; CODE XREF: MmFlushVirtualMemory+11Cj
		mov	[esp+58h+var_34], 4
		jmp	loc_7D2842
; 

loc_8F4C65:				; CODE XREF: MmFlushVirtualMemory+164j
		mov	ecx, esi
		and	ecx, 1
		cmp	[esp+58h+var_3C], ebx
		jz	short loc_8F4CA3
		test	ecx, ecx
		jz	short loc_8F4CB2
		mov	ecx, [esp+58h+var_4C]
		xor	edx, edx
		call	_MiFindLastSubsection@8	; MiFindLastSubsection(x,x)
		mov	[esp+58h+var_40], eax
		mov	ecx, [eax+24h]
		mov	edx, [eax+1Ch]
		and	ecx, 3FFFFFFFh
		sub	edx, ecx
		mov	ecx, [eax+4]
		lea	ecx, [ecx+edx*8]
		add	ecx, 0FFFFFFF8h
		mov	[esp+58h+var_38], ecx
		jmp	loc_7D28A3
; 

loc_8F4CA3:				; CODE XREF: MmFlushVirtualMemory+12254Ej
		test	ecx, ecx
		jz	short loc_8F4CB2
		mov	eax, [esp+58h+var_24]
		mov	[eax], ebx
		mov	[eax+4], ebx
		jmp	short loc_8F4CBE
; 

loc_8F4CB2:				; CODE XREF: MmFlushVirtualMemory+122552j
					; MmFlushVirtualMemory+122585j
		mov	ebx, 0C0000019h
		jmp	short loc_8F4CBE
; 

loc_8F4CB9:				; CODE XREF: MmFlushVirtualMemory+193j
		mov	ebx, 0C000009Ah

loc_8F4CBE:				; CODE XREF: MmFlushVirtualMemory+122590j
					; MmFlushVirtualMemory+122597j
		mov	ecx, [esp+5Ch+var_30]
		jmp	loc_7D296F
; 

loc_8F4CC7:				; CODE XREF: MmFlushVirtualMemory+1A3j
		xor	edx, edx
		lea	ecx, [esp+5Ch+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_7D28C9
; 

loc_8F4CD7:				; CODE XREF: MmFlushVirtualMemory+1C2j
		push	offset _MiShortTime
		push	ebx
		push	ebx
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	eax, [esp+5Ch+var_4C]
		jmp	loc_7D28E8
; 

loc_8F4CEC:				; CODE XREF: MmFlushVirtualMemory+C5j
					; MmFlushVirtualMemory+D6j
		mov	ebx, 0C0000019h
		jmp	loc_7D296F
; 

loc_8F4CF6:				; CODE XREF: MmFlushVirtualMemory+257j
		xor	edx, edx
		lea	ecx, [esp+58h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_7D297D
; END OF FUNCTION CHUNK	FOR MmFlushVirtualMemory
; 
; START	OF FUNCTION CHUNK FOR EtwpFreeGuidEntry

loc_8F4D06:				; CODE XREF: EtwpFreeGuidEntry+Ej
		mov	eax, large fs:124h
		push	ebx
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [esi+168h]
		mov	ebx, 16Ch
		add	ecx, ebx
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		mov	eax, [esi+168h]
		mov	[eax+170h], ecx
		lea	ecx, [esi+8]
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_8F4D83
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_8F4D83
		mov	[eax], edx
		mov	[edx+4], eax
		xor	edx, edx
		mov	eax, [esi+168h]
		mov	[eax+170h], edi
		mov	ecx, [esi+168h]
		add	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esi+168h]
		call	EtwpUnreferenceGuidEntry
		pop	ebx
		jmp	loc_7D299E
; 

loc_8F4D83:				; CODE XREF: EtwpFreeGuidEntry+1223BAj
					; EtwpFreeGuidEntry+1223C1j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8F4D88:				; CODE XREF: MiMarkPrivateImageCfgBits+29j
		sub	edx, eax
		sar	edx, 3
		shl	edx, 0Ch
		add	edi, edx
		add	esi, edx
		jmp	loc_7D2A03
; END OF FUNCTION CHUNK	FOR EtwpFreeGuidEntry

;  S U B	R O U T	I N E 


sub_8F4D99	proc near		; CODE XREF: PiDqSerializationAlloc+31j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esi]
		jmp	loc_7D2A7D
sub_8F4D99	endp

; 
; START	OF FUNCTION CHUNK FOR KeSynchronizeWithDynamicProcessors

loc_8F4DA7:				; CODE XREF: KeSynchronizeWithDynamicProcessors+Ej
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, _KiDynamicProcessorLock
		test	al, 1
		jnz	loc_7D2AF2
		mov	esi, offset _KiDynamicProcessorLock
		mov	ecx, esi
		call	ExAcquireFastMutex
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_7D2AF2
; END OF FUNCTION CHUNK	FOR KeSynchronizeWithDynamicProcessors
; 
; START	OF FUNCTION CHUNK FOR NtGetNlsSectionPtr

loc_8F4DD8:				; CODE XREF: NtGetNlsSectionPtr+4Fj
		mov	eax, 0C00000F2h
		jmp	loc_7D2D4B
; 

loc_8F4DE2:				; CODE XREF: NtGetNlsSectionPtr+57j
		mov	eax, 0C00000F3h
		jmp	loc_7D2D4B
; 

loc_8F4DEC:				; CODE XREF: NtGetNlsSectionPtr+7Fj
		mov	ecx, eax
		jmp	loc_7D2BDB
; 

loc_8F4DF3:				; CODE XREF: NtGetNlsSectionPtr+92j
		mov	ecx, eax
		jmp	loc_7D2BEE
; 

loc_8F4DFA:				; CODE XREF: NtGetNlsSectionPtr+A1j
		test	al, 3
		jz	short loc_8F4E03
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_8F4E03:				; CODE XREF: NtGetNlsSectionPtr+1222A6j
		lea	edx, [eax+4]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_8F4E18
		cmp	edx, eax
		jnb	loc_7D2BFD

loc_8F4E18:				; CODE XREF: NtGetNlsSectionPtr+1222B8j
		mov	byte ptr [ecx],	0
		jmp	loc_7D2BFD
; END OF FUNCTION CHUNK	FOR NtGetNlsSectionPtr

;  S U B	R O U T	I N E 


sub_8F4E20	proc near		; DATA XREF: .text:006A3F5Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-138h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F4E20	endp


;  S U B	R O U T	I N E 


sub_8F4E31	proc near		; DATA XREF: .text:006A3F60o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-138h]
		jmp	loc_7D2D4B
sub_8F4E31	endp

; 
; START	OF FUNCTION CHUNK FOR NtGetNlsSectionPtr

loc_8F4E46:				; CODE XREF: NtGetNlsSectionPtr+181j
		lea	eax, [ebp+var_134]
		push	eax
		lea	eax, [ebp+var_130]
		push	eax
		mov	edi, [ebp+var_12C]
		push	edi
		call	_MmMapViewInSystemSpace@12 ; MmMapViewInSystemSpace(x,x,x)
		jmp	loc_7D2D18
; END OF FUNCTION CHUNK	FOR NtGetNlsSectionPtr

;  S U B	R O U T	I N E 


sub_8F4E65	proc near		; DATA XREF: .text:006A3F68o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-140h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F4E65	endp


;  S U B	R O U T	I N E 


sub_8F4E78	proc near		; DATA XREF: .text:006A3F6Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-140h]
		jmp	loc_7D2D42
sub_8F4E78	endp

; 
; START	OF FUNCTION CHUNK FOR RtlpInitNlsFileName

loc_8F4E86:				; CODE XREF: RtlpInitNlsFileName+93j
		mov	esi, 0C00000EFh
		jmp	loc_7D2EFB
; 

loc_8F4E90:				; CODE XREF: RtlpInitNlsFileName+16Bj
		mov	eax, 0C0000001h
		jmp	loc_7D2EFD
; END OF FUNCTION CHUNK	FOR RtlpInitNlsFileName
; 
; START	OF FUNCTION CHUNK FOR RtlIntegerToChar

loc_8F4E9A:				; CODE XREF: RtlIntegerToChar+24j
		xor	esi, esi
		inc	esi
		mov	ecx, esi
		jmp	loc_7D315E
; 

loc_8F4EA4:				; CODE XREF: RtlIntegerToChar+7Bj
		neg	edi
		cmp	ebx, edi
		jge	loc_7D3109
		sub	edi, ebx
		mov	esi, edi
		push	esi		; size_t
		push	30h		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	edi, ebx
		mov	eax, [ebp+var_44]
		add	eax, esi
		mov	[ebp+var_44], eax
		mov	edx, [ebp+var_48]
		jmp	loc_7D3107
; END OF FUNCTION CHUNK	FOR RtlIntegerToChar

;  S U B	R O U T	I N E 


sub_8F4ED0	proc near		; DATA XREF: .text:006A3F84o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F4ED0	endp


;  S U B	R O U T	I N E 


sub_8F4EDE	proc near		; DATA XREF: .text:006A3F88o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4Ch]
		jmp	loc_7D312E
sub_8F4EDE	endp

; 
; START	OF FUNCTION CHUNK FOR PfSnQueryPrefetcherInformation

loc_8F4EF0:				; CODE XREF: PfSnQueryPrefetcherInformation+27j
		mov	ebx, 0C0000022h
		jmp	loc_7D31F4
; 

loc_8F4EFA:				; CODE XREF: PfSnQueryPrefetcherInformation+33j
		mov	ebx, 0C0000004h
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		jmp	loc_7D31F4
; 

loc_8F4F09:				; CODE XREF: PfSnQueryPrefetcherInformation+93j
		mov	ebx, 0C0000003h
		jmp	loc_7D31F4
; END OF FUNCTION CHUNK	FOR PfSnQueryPrefetcherInformation

;  S U B	R O U T	I N E 


sub_8F4F13	proc near		; DATA XREF: .text:006A3FB0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F4F13	endp


;  S U B	R O U T	I N E 


sub_8F4F21	proc near		; DATA XREF: .text:006A3FB4o
		mov	ebx, [ebp-24h]
		jmp	short loc_8F4F41
sub_8F4F21	endp

; 
; START	OF FUNCTION CHUNK FOR PfSnQueryPrefetcherInformation

loc_8F4F26:				; CODE XREF: PfSnQueryPrefetcherInformation+51j
					; PfSnQueryPrefetcherInformation+5Ej ...
		mov	ebx, 0C000000Dh
		jmp	loc_7D31F4
; END OF FUNCTION CHUNK	FOR PfSnQueryPrefetcherInformation

;  S U B	R O U T	I N E 


sub_8F4F30	proc near		; DATA XREF: .text:006A3FA4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F4F30	endp


;  S U B	R O U T	I N E 


sub_8F4F3E	proc near		; DATA XREF: .text:006A3FA8o
		mov	ebx, [ebp-28h]

loc_8F4F41:				; CODE XREF: sub_8F4F21+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7D31F4
sub_8F4F3E	endp


;  S U B	R O U T	I N E 


sub_8F4F50	proc near		; DATA XREF: .text:006A3FCCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F4F50	endp


;  S U B	R O U T	I N E 


sub_8F4F5E	proc near		; DATA XREF: .text:006A3FD0o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-28h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, offset dword_6D495C
		mov	esi, [ebp-2Ch]
		jmp	loc_7D3382
sub_8F4F5E	endp

; 
; START	OF FUNCTION CHUNK FOR PfSnGetCompletedTrace

loc_8F4F78:				; CODE XREF: PfSnGetCompletedTrace+B8j
		mov	[ebp+var_19], 1
		mov	ecx, offset dword_6D4964
		call	ExAcquireFastMutex
		mov	eax, dword_6D495C
		cmp	[eax+4], ebx
		jnz	loc_7D33D5
		mov	[esi], eax
		mov	[esi+4], ebx
		mov	[eax+4], esi
		mov	dword_6D495C, esi
		inc	dword_6D4984
		jmp	loc_7D339C
; 

loc_8F4FAD:				; CODE XREF: PfSnGetCompletedTrace+146j
		cmp	[edi+60h], bl
		jz	short loc_8F4FD9
		push	1
		push	dword ptr [eax]
		lea	eax, [edi+64h]
		mov	ecx, offset _SeSubsystemName
		push	dword ptr [edi+14h]
		push	dword ptr [edi+28h]
		push	dword ptr [edi+24h]
		push	dword ptr [edi+1Ch]
		push	edx
		push	eax
		lea	edx, [edi+6Ch]
		call	SepAdtPrivilegeObjectAuditAlarm
		jmp	loc_7D3424
; 

loc_8F4FD9:				; CODE XREF: PfSnGetCompletedTrace+152j
					; PfSnGetCompletedTrace+121CE4j
		push	2
		push	200h
		push	ebx
		lea	eax, [ebp+ms_exc.disabled]
		push	eax
		push	0FFFFFFFFh
		push	edx
		push	0FFFFFFFFh
		call	_ZwDuplicateObject@28 ;	ZwDuplicateObject(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8F5009
		push	ebx
		lea	eax, [ebp+ms_exc.handler]
		mov	[ebp+ms_exc.handler], ebx
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+ms_exc.disabled]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp+ms_exc.handler]

loc_8F5009:				; CODE XREF: PfSnGetCompletedTrace+121D25j
		push	ebx
		lea	edx, [edi+6Ch]
		mov	ecx, esi
		push	1
		call	_SepAdtClassifyObjectIntoSubCategory@16	; SepAdtClassifyObjectIntoSubCategory(x,x,x,x)
		movzx	eax, ax
		mov	[ebp+ms_exc.exc_ptr], eax
		test	esi, esi
		jz	short loc_8F5027
		mov	ecx, esi
		call	ObfDereferenceObject

loc_8F5027:				; CODE XREF: PfSnGetCompletedTrace+121D52j
		cmp	[ebp+ms_exc.disabled], ebx
		jz	short loc_8F5037
		push	[ebp+ms_exc.disabled]
		call	_ZwClose@4	; ZwClose(x)
		mov	[ebp+ms_exc.disabled], ebx

loc_8F5037:				; CODE XREF: PfSnGetCompletedTrace+121D5Ej
		mov	eax, [ebp+ms_exc.msEH_ptr]
		lea	esi, [edi+64h]
		push	edi
		add	eax, 1Ch
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	2
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		push	eax
		mov	eax, [ebp+ms_exc.msEH_ptr]
		mov	edx, offset _SeSubsystemName
		push	1
		mov	ecx, [ebp+ms_exc.exc_ptr]
		push	dword ptr [eax]
		lea	eax, [edi+6Ch]
		push	dword ptr [edi+14h]
		push	dword ptr [edi+18h]
		push	dword ptr [edi+24h]
		push	dword ptr [edi+1Ch]
		push	[ebp+arg_0]
		push	esi
		push	eax
		lea	eax, [ebp+ms_exc.prev_er]
		push	eax
		call	_SepAdtOpenObjectAuditAlarm@76 ; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		push	edi
		mov	bl, al
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		mov	ecx, [ebp+ms_exc.exc_ptr]
		push	eax
		push	1
		push	dword ptr [edi+14h]
		lea	eax, [edi+6Ch]
		push	dword ptr [edi+18h]
		push	dword ptr [edi+24h]
		push	dword ptr [edi+1Ch]
		push	esi
		push	eax
		lea	eax, [ebp+ms_exc.prev_er]
		push	eax
		call	_SepAdtStagingEvent@48 ; SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_7D3424
; END OF FUNCTION CHUNK	FOR PfSnGetCompletedTrace

;  S U B	R O U T	I N E 


sub_8F50A6	proc near		; DATA XREF: .text:006A3FECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F50A6	endp


;  S U B	R O U T	I N E 


sub_8F50B4	proc near		; DATA XREF: .text:006A3FF0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-24h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7D34D9
sub_8F50B4	endp


;  S U B	R O U T	I N E 


sub_8F50C6	proc near		; DATA XREF: .text:006A400Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F50C6	endp


;  S U B	R O U T	I N E 


sub_8F50D4	proc near		; DATA XREF: .text:006A4010o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-48h]
		jmp	loc_7D369C
sub_8F50D4	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateNamedPipeFile

loc_8F50E6:				; CODE XREF: NtCreateNamedPipeFile+46j
		mov	eax, [ecx]
		mov	[ebp+var_2C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_28], eax
		jmp	loc_7D3656
; END OF FUNCTION CHUNK	FOR NtCreateNamedPipeFile
; 
; START	OF FUNCTION CHUNK FOR RtlAcquirePrivilege

loc_8F50F6:				; CODE XREF: RtlAcquirePrivilege+1Ej
		mov	eax, 0C000000Dh
		jmp	loc_7D3AE5
; 

loc_8F5100:				; CODE XREF: RtlAcquirePrivilege+27j
		or	ebx, 1
		jmp	loc_7D39CB
; 

loc_8F5108:				; CODE XREF: RtlAcquirePrivilege+4Cj
		mov	eax, 0C0000017h
		jmp	loc_7D3AE5
; 

loc_8F5112:				; CODE XREF: RtlAcquirePrivilege+70j
		push	28h
		mov	edx, esi
		pop	ecx
		call	RtlpOpenThreadToken
		mov	edi, eax
		test	edi, edi
		js	loc_7D3B30
		jmp	loc_7D3A40
; 

loc_8F512B:				; CODE XREF: RtlAcquirePrivilege+ABj
		push	200h
		push	28h
		push	0FFFFFFFFh
		call	_ZwOpenProcessTokenEx@16 ; ZwOpenProcessTokenEx(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7D3B0F
		or	dword ptr [esi+10h], 2
		jmp	loc_7D3A68
; 

loc_8F514C:				; CODE XREF: RtlAcquirePrivilege+1217F1j
		lea	ecx, [ebp+var_4]
		push	ecx
		push	eax
		push	[ebp+var_4]
		push	dword ptr [esi+0Ch]
		push	0
		push	dword ptr [esi]
		call	_ZwAdjustPrivilegesToken@24 ; ZwAdjustPrivilegesToken(x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jnz	loc_7D3AD2
		push	0
		push	dword ptr [esi+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F5178:				; CODE XREF: RtlAcquirePrivilege+12Ej
		push	62507452h
		push	[ebp+var_4]
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	[esi+8], eax
		test	eax, eax
		jnz	short loc_8F514C
		mov	edi, 0C0000017h
		jmp	loc_7D3AD2
; 

loc_8F519B:				; CODE XREF: RtlAcquirePrivilege+164j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7D3B08
; END OF FUNCTION CHUNK	FOR RtlAcquirePrivilege
; 
; START	OF FUNCTION CHUNK FOR RtlpOpenThreadToken

loc_8F51A8:				; CODE XREF: RtlpOpenThreadToken+1Cj
		push	esi
		push	ebx
		push	0
		push	edi
		push	0FFFFFFFEh
		call	_ZwOpenThreadTokenEx@20	; ZwOpenThreadTokenEx(x,x,x,x,x)
		jmp	loc_7D3C46
; END OF FUNCTION CHUNK	FOR RtlpOpenThreadToken
; 
; START	OF FUNCTION CHUNK FOR CmpDoLocalizeNextHive

loc_8F51B9:				; CODE XREF: CmpDoLocalizeNextHive+3Ej
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	bl, 1
		jmp	loc_7D3DAE
; END OF FUNCTION CHUNK	FOR CmpDoLocalizeNextHive
; 
; START	OF FUNCTION CHUNK FOR HvHiveConvertLockedPagesToCowByPolicy

loc_8F51CC:				; CODE XREF: HvHiveConvertLockedPagesToCowByPolicy+44j
		test	al, 4
		jnz	loc_7D3E06
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7D3E06
; END OF FUNCTION CHUNK	FOR HvHiveConvertLockedPagesToCowByPolicy
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceInterfaceMappedPropertyFromRegValue

loc_8F51E0:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+3Aj
		mov	ebx, edx
		jmp	loc_7D41DA
; 

loc_8F51E7:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+5Aj
					; _CmGetDeviceInterfaceMappedPropertyFromRegValue+B1j
		mov	esi, 0C0000230h
		jmp	loc_7D433B
; 

loc_8F51F1:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+A0j
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+arg_10]
		jmp	loc_7D4209
; 

loc_8F51FC:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+234j
		xor	ecx, ecx
		jmp	loc_7D43C9
; 

loc_8F5203:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+269j
		mov	esi, eax
		jmp	loc_7D432D
; 

loc_8F520A:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+2F5j
					; _CmGetDeviceInterfaceMappedPropertyFromRegValue+12109Cj
		mov	esi, edi
		jmp	loc_7D432D
; 

loc_8F5211:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+2E2j
		mov	dword ptr [eax], 19h
		jmp	loc_7D432D
; 

loc_8F521C:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+1E5j
		mov	esi, 0C0000023h
		jmp	loc_7D432D
; 

loc_8F5226:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+17Aj
		cmp	edi, ecx
		jnz	short loc_8F520A
		jmp	loc_7D430C
; 

loc_8F522F:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+193j
					; _CmGetDeviceInterfaceMappedPropertyFromRegValue+19Bj
		mov	esi, ecx
		jmp	loc_7D432D
; 

loc_8F5236:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+FBj
					; _CmGetDeviceInterfaceMappedPropertyFromRegValue+113j	...
		mov	esi, 0C0000230h
		jmp	loc_7D432D
; END OF FUNCTION CHUNK	FOR _CmGetDeviceInterfaceMappedPropertyFromRegValue
; 
; START	OF FUNCTION CHUNK FOR PspGetProcessParameterOverrides

loc_8F5240:				; CODE XREF: PspGetProcessParameterOverrides+35j
		cmp	dword ptr [eax], 1
		jz	loc_7D455F
		push	eax
		call	ds:__imp__PsDestroyProcessParameterOverrides@4 ; PsDestroyProcessParameterOverrides(x)
		xor	eax, eax
		jmp	loc_7D455F
; END OF FUNCTION CHUNK	FOR PspGetProcessParameterOverrides
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceHardwareKeyPath

loc_8F5257:				; CODE XREF: _CmGetDeviceHardwareKeyPath+10j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_8F5297
		lea	edi, [edx+2]
		xor	ecx, ecx

loc_8F5263:				; CODE XREF: _CmGetDeviceHardwareKeyPath+120BE6j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, cx
		jnz	short loc_8F5263
		mov	eax, [ebp+arg_14]
		sub	edx, edi
		sar	edx, 1
		add	edx, 52h
		test	eax, eax
		jz	short loc_8F527E
		mov	[eax], edx

loc_8F527E:				; CODE XREF: _CmGetDeviceHardwareKeyPath+120BF4j
		cmp	edx, [ebp+arg_10]
		ja	loc_7D46F9
		push	esi
		push	offset ??_C@_1DM@BNJPOICG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@
		push	(offset	loc_8C8FD1+1)
		jmp	loc_7D46D9
; 

loc_8F5297:				; CODE XREF: _CmGetDeviceHardwareKeyPath+120BD6j
		cmp	edi, 0FFFFFFFFh
		jz	short loc_8F52F2
		push	ebx
		lea	ebx, [edx+2]
		xor	ecx, ecx

loc_8F52A2:				; CODE XREF: _CmGetDeviceHardwareKeyPath+120C25j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, cx
		jnz	short loc_8F52A2
		mov	eax, [ebp+arg_14]
		sub	edx, ebx
		sar	edx, 1
		add	edx, 4Fh
		pop	ebx
		test	eax, eax
		jz	short loc_8F52BE
		mov	[eax], edx

loc_8F52BE:				; CODE XREF: _CmGetDeviceHardwareKeyPath+120C34j
		cmp	edx, [ebp+arg_10]
		ja	loc_7D46F9
		push	esi
		push	offset ??_C@_1DM@BNJPOICG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@
		push	edi
		push	offset ??_C@_1FG@MPFEKKOF@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; char
		push	offset ??_C@_1BM@OHMKBCBF@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; wchar_t *
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 28h
		jmp	loc_7D46F3
; 

loc_8F52F2:				; CODE XREF: _CmGetDeviceHardwareKeyPath+120C14j
		mov	eax, 0C000000Dh
		jmp	loc_7D46F3
; 

loc_8F52FC:				; CODE XREF: _CmGetDeviceHardwareKeyPath+34j
		add	edx, 1Fh
		test	eax, eax
		jz	short loc_8F5305
		mov	[eax], edx

loc_8F5305:				; CODE XREF: _CmGetDeviceHardwareKeyPath+120C7Bj
		cmp	edx, [ebp+arg_10]
		ja	loc_7D46F9
		push	esi
		push	offset ??_C@_1DM@BNJPOICG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; char
		push	offset ??_C@_1M@DFKENGJN@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; "%s\\%s"
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 20h
		jmp	loc_7D46F3
; END OF FUNCTION CHUNK	FOR _CmGetDeviceHardwareKeyPath
; 
; START	OF FUNCTION CHUNK FOR SepValidLabelSubjectContext

loc_8F5333:				; CODE XREF: SepValidLabelSubjectContext+6Bj
		mov	edx, ds:_SeExports
		lea	eax, [ebp+var_5]
		push	eax
		mov	ecx, edi
		mov	edx, [edx+17Ch]
		call	RtlSidDominates
		test	eax, eax
		js	loc_7D47EA
		cmp	byte ptr [ebp+var_5], 0
		jnz	loc_7D47BD
		mov	eax, ds:_SeExports
		mov	edi, [eax+17Ch]
		jmp	loc_7D47BD
; 

loc_8F536C:				; CODE XREF: SepValidLabelSubjectContext+88j
		push	ds:dword_A94A4C
		mov	dl, 1
		mov	ecx, ebx
		push	ds:_SeRelabelPrivilege
		call	_SeSinglePrivilegeCheckEx@16 ; SeSinglePrivilegeCheckEx(x,x,x,x)
		jmp	loc_7D47DA
; END OF FUNCTION CHUNK	FOR SepValidLabelSubjectContext
; 
; START	OF FUNCTION CHUNK FOR CmpClearKeyAccessBits

loc_8F5386:				; CODE XREF: CmpClearKeyAccessBits+31j
		mov	eax, 0C000009Ah
		jmp	loc_7D4851
; 

loc_8F5390:				; CODE XREF: CmpClearKeyAccessBits+72j
		mov	edi, 0C000009Ah
		jmp	loc_7D4847
; END OF FUNCTION CHUNK	FOR CmpClearKeyAccessBits
; 
; START	OF FUNCTION CHUNK FOR PlugPlayGetDeviceProperty

loc_8F539A:				; CODE XREF: PlugPlayGetDeviceProperty+4Ej
		mov	eax, [ebp+arg_0]
		sub	edi, ecx
		push	edi		; size_t
		add	eax, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_7D49F8
; END OF FUNCTION CHUNK	FOR PlugPlayGetDeviceProperty
; 
; START	OF FUNCTION CHUNK FOR ConstraintEval

loc_8F53B2:				; CODE XREF: ConstraintEval+4Bj
		mov	ebx, 0C000000Dh
		jmp	loc_7D4BBE
; 

loc_8F53BC:				; CODE XREF: ConstraintEval+6Bj
		mov	ebx, 0C0000017h
		jmp	loc_7D4BBE
; 

loc_8F53C6:				; CODE XREF: ConstraintEval+DDj
		test	eax, eax
		jz	loc_7D4ACB
		test	ecx, ecx
		jz	loc_7D4ACB
		push	ecx		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_7D4ACB
		jmp	loc_7D4B07
; 

loc_8F53EC:				; CODE XREF: ConstraintEval+EBj
		mov	ebx, [ebp+var_50]
		jmp	loc_7D4ACB
; 

loc_8F53F4:				; CODE XREF: ConstraintEval+1EAj
		cmp	eax, 19h
		jz	loc_7D4B3D
		cmp	eax, 2012h
		jz	loc_7D4B3D
		jmp	loc_7D4AD7
; 

loc_8F540D:				; CODE XREF: ConstraintEval+1D0j
		cmp	[ebp+var_14], 11h
		jnz	loc_7D4AD7
		mov	eax, [ebp+var_C]
		cmp	byte ptr [eax],	0FFh
		jnz	short loc_8F542B
		mov	[ebp+var_C], offset unk_701374
		jmp	loc_7D4B3D
; 

loc_8F542B:				; CODE XREF: ConstraintEval+1209F9j
		mov	[ebp+var_C], offset unk_6B6A50
		jmp	loc_7D4B3D
; 

loc_8F5437:				; CODE XREF: ConstraintEval+10Aj
		mov	[ebp+var_14], 7
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], offset unk_701378
		jmp	loc_7D4B3D
; 

loc_8F5451:				; CODE XREF: ConstraintEval+20Fj
		test	eax, eax
		jz	loc_7D4C78
		test	ecx, ecx
		jz	loc_7D4C78
		push	ecx		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_7D4C78
		jmp	loc_7D4C39
; 

loc_8F5477:				; CODE XREF: ConstraintEval+24Fj
		xor	edi, 10000h
		mov	[esi-4], edi
		jmp	loc_7D4C78
; END OF FUNCTION CHUNK	FOR ConstraintEval
; 
; START	OF FUNCTION CHUNK FOR SimplifyFilter

loc_8F5485:				; CODE XREF: SimplifyFilter+51j
		mov	eax, [edx]
		test	eax, 0FF00000h
		jz	short loc_8F54DA
		cmp	eax, 100000h
		jz	short loc_8F54CF
		cmp	eax, 200000h
		jz	short loc_8F54C4
		cmp	eax, 300000h
		jz	short loc_8F54B9
		cmp	eax, 400000h
		jnz	loc_7D4CDB
		mov	dword ptr [edx], 200000h
		jmp	loc_7D4CDB
; 

loc_8F54B9:				; CODE XREF: SimplifyFilter+12081Dj
		mov	dword ptr [edx], 100000h
		jmp	loc_7D4CDB
; 

loc_8F54C4:				; CODE XREF: SimplifyFilter+120816j
		mov	dword ptr [edx], 400000h
		jmp	loc_7D4CDB
; 

loc_8F54CF:				; CODE XREF: SimplifyFilter+12080Fj
		mov	dword ptr [edx], 300000h
		jmp	loc_7D4CDB
; 

loc_8F54DA:				; CODE XREF: SimplifyFilter+120808j
		xor	eax, 10000h
		mov	[edx], eax
		jmp	loc_7D4CDB
; 

loc_8F54E6:				; CODE XREF: SimplifyFilter+27j
					; SimplifyFilter+32j
		xor	eax, eax
		test	ecx, ecx
		setz	al
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		jmp	loc_7D4CE7
; END OF FUNCTION CHUNK	FOR SimplifyFilter
; 
; START	OF FUNCTION CHUNK FOR MiCleanEmbryonicProcess

loc_8F54F7:				; CODE XREF: MiCleanEmbryonicProcess+12j
		mov	al, [esi+2A3h]
		and	al, 60h
		cmp	al, 60h
		jz	loc_7D4D97

loc_8F5507:				; CODE XREF: MiCleanEmbryonicProcess+26j
		test	edx, 10000h

loc_8F550D:				; CODE XREF: MiCleanEmbryonicProcess+120814j
		jz	short loc_8F5514
		call	_MiDereferenceSession@0	; MiDereferenceSession()

loc_8F5514:				; CODE XREF: MiCleanEmbryonicProcess:loc_8F550Dj
		xor	eax, eax
		inc	eax
		jmp	loc_7D4D99
; 

loc_8F551C:				; CODE XREF: MiCleanEmbryonicProcess+31j
		mov	eax, [esi+27Ch]
		sub	eax, 5
		push	eax
		call	_PsReturnProcessQuota@12 ; PsReturnProcessQuota(x,x,x)
		mov	edx, [esi+27Ch]
		sub	edx, 5
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ecx, eax
		call	_MiReturnResident@8 ; MiReturnResident(x,x)
		mov	edx, [edi]
		mov	ecx, edx
		and	ecx, 0FFFFF7FFh
		mov	eax, edx
		or	ecx, ebx
		lock cmpxchg [edi], ecx
		mov	esi, eax
		cmp	esi, edx
		jz	short loc_8F556E

loc_8F5558:				; CODE XREF: MiCleanEmbryonicProcess+12080Cj
		mov	ecx, esi
		and	esi, 0FFFFF7FFh
		or	esi, ebx
		mov	eax, ecx
		lock cmpxchg [edi], esi
		mov	esi, eax
		cmp	esi, ecx
		jnz	short loc_8F5558

loc_8F556E:				; CODE XREF: MiCleanEmbryonicProcess+1207F6j
		test	dword ptr [edi], 10000h
		jmp	short loc_8F550D
; END OF FUNCTION CHUNK	FOR MiCleanEmbryonicProcess
; 
; START	OF FUNCTION CHUNK FOR NtAllocateReserveObject

loc_8F5576:				; CODE XREF: NtAllocateReserveObject+38j
		mov	ecx, eax
		jmp	loc_7D4E2C
; END OF FUNCTION CHUNK	FOR NtAllocateReserveObject

;  S U B	R O U T	I N E 


sub_8F557D	proc near		; DATA XREF: .text:006A4054o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F557D	endp


;  S U B	R O U T	I N E 


sub_8F558B	proc near		; DATA XREF: .text:006A4058o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7D4ED5
sub_8F558B	endp


;  S U B	R O U T	I N E 


sub_8F559D	proc near		; DATA XREF: .text:006A4060o
		xor	eax, eax
		inc	eax
		retn
sub_8F559D	endp


;  S U B	R O U T	I N E 


sub_8F55A1	proc near		; DATA XREF: .text:006A4064o
		mov	esp, [ebp-18h]
		jmp	loc_7D4ECB
sub_8F55A1	endp

; 
; START	OF FUNCTION CHUNK FOR NtAllocateReserveObject

loc_8F55A9:				; CODE XREF: NtAllocateReserveObject+4Cj
		mov	eax, 0C000000Dh
		jmp	loc_7D4ED5
; END OF FUNCTION CHUNK	FOR NtAllocateReserveObject
; 
; START	OF FUNCTION CHUNK FOR PfSnLogVolumeCreate

loc_8F55B3:				; CODE XREF: PfSnLogVolumeCreate+33j
		mov	edi, 0C000017Ah
		jmp	loc_7D50D0
; END OF FUNCTION CHUNK	FOR PfSnLogVolumeCreate
; 
; START	OF FUNCTION CHUNK FOR SmQueryStoreInformation

loc_8F55BD:				; CODE XREF: SmQueryStoreInformation+10j
		mov	eax, 0C0000004h
		jmp	loc_7D515A
; 

loc_8F55C7:				; CODE XREF: SmQueryStoreInformation+2Ej
		mov	eax, 0C000000Dh
		jmp	loc_7D515A
; 

loc_8F55D1:				; CODE XREF: SmQueryStoreInformation+6Bj
		mov	eax, 0C0000003h
		jmp	loc_7D515A
; 

loc_8F55DB:				; CODE XREF: SmQueryStoreInformation+5Cj
		push	[ebp+arg_4]
		push	[ebp+arg_8]
		push	[ebp+var_20]
		mov	edx, [ebp+var_24]
		mov	ecx, offset unk_718498
		call	_SmcProcessStatsRequest@20 ; SmcProcessStatsRequest(x,x,x,x,x)
		jmp	loc_7D515A
; 

loc_8F55F6:				; CODE XREF: SmQueryStoreInformation+4Ej
		push	[ebp+arg_4]
		push	[ebp+arg_8]
		push	[ebp+var_20]
		mov	edx, [ebp+var_24]
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	_SmProcessListRequest@20 ; SmProcessListRequest(x,x,x,x,x)
		jmp	loc_7D515A
; 

loc_8F5611:				; CODE XREF: SmQueryStoreInformation+45j
		push	[ebp+arg_4]
		push	[ebp+arg_8]
		push	[ebp+var_20]
		mov	edx, [ebp+var_24]
		call	_SmProcessStatsRequest@20 ; SmProcessStatsRequest(x,x,x,x,x)
		jmp	loc_7D515A
; END OF FUNCTION CHUNK	FOR SmQueryStoreInformation

;  S U B	R O U T	I N E 


sub_8F5627	proc near		; DATA XREF: .text:006A407Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F5627	endp


;  S U B	R O U T	I N E 


sub_8F5635	proc near		; DATA XREF: .text:006A4080o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-1Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7D515A
sub_8F5635	endp

; 
; START	OF FUNCTION CHUNK FOR SmProcessCompressionInfoRequest

loc_8F5647:				; CODE XREF: SmProcessCompressionInfoRequest+9Aj
		mov	eax, 0C0000206h
		jmp	loc_7D53AD
; 

loc_8F5651:				; CODE XREF: SmProcessCompressionInfoRequest+BFj
		mov	[edx], al
		jmp	loc_7D528F
; 

loc_8F5658:				; CODE XREF: SmProcessCompressionInfoRequest+128j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8F566C
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8F566C:				; CODE XREF: SmProcessCompressionInfoRequest+120499j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, 0C00001A9h
		jmp	loc_7D53AD
; END OF FUNCTION CHUNK	FOR SmProcessCompressionInfoRequest

;  S U B	R O U T	I N E 


sub_8F5682	proc near		; DATA XREF: .text:006A40A8o
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-66Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F5682	endp


;  S U B	R O U T	I N E 


sub_8F5696	proc near		; DATA XREF: .text:006A40ACo
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-66Ch]
		jmp	short loc_8F56C8
sub_8F5696	endp

; 
; START	OF FUNCTION CHUNK FOR SmProcessCompressionInfoRequest

loc_8F56A1:				; CODE XREF: SmProcessCompressionInfoRequest+EEj
					; SmProcessCompressionInfoRequest+FEj
		mov	eax, 0C000000Dh
		jmp	loc_7D53AD
; END OF FUNCTION CHUNK	FOR SmProcessCompressionInfoRequest

;  S U B	R O U T	I N E 


sub_8F56AB	proc near		; DATA XREF: .text:006A409Co
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-670h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F56AB	endp


;  S U B	R O U T	I N E 


sub_8F56BF	proc near		; DATA XREF: .text:006A40A0o
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-670h]

loc_8F56C8:				; CODE XREF: sub_8F5696+9j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7D53AD
sub_8F56BF	endp

; 
; START	OF FUNCTION CHUNK FOR PiDqIrpQueryGetResult

loc_8F56D7:				; CODE XREF: PiDqIrpQueryGetResult+3Ej
		mov	esi, 0C00000BBh
		jmp	loc_7D55C7
; 

loc_8F56E1:				; CODE XREF: PiDqIrpQueryGetResult+66j
		mov	esi, 0C0000120h
		jmp	loc_7D5508
; 

loc_8F56EB:				; CODE XREF: PiDqIrpQueryGetResult+6Ej
					; PiDqIrpQueryGetResult+7Ej
		mov	esi, 0C00000BBh
		jmp	loc_7D5508
; 

loc_8F56F5:				; CODE XREF: PiDqIrpQueryGetResult+76j
		mov	esi, 0C000009Ah
		jmp	loc_7D5508
; 

loc_8F56FF:				; CODE XREF: PiDqIrpQueryGetResult+B4j
		mov	esi, 0C0000023h
		jmp	loc_7D55C7
; END OF FUNCTION CHUNK	FOR PiDqIrpQueryGetResult

;  S U B	R O U T	I N E 


sub_8F5709	proc near		; DATA XREF: .text:006A40C4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F5709	endp


;  S U B	R O U T	I N E 


sub_8F5717	proc near		; DATA XREF: .text:006A40C8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-38h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-3Ch]
		mov	edi, [ebp-24h]
		jmp	loc_7D555A
sub_8F5717	endp

; 
; START	OF FUNCTION CHUNK FOR PiDqIrpQueryGetResult

loc_8F572F:				; CODE XREF: PiDqIrpQueryGetResult+1BCj
		mov	esi, 0C000000Dh
		jmp	loc_7D55C7
; 

loc_8F5739:				; CODE XREF: PiDqIrpQueryGetResult+176j
		or	eax, 1
		mov	[ebx+74h], eax
		mov	ecx, ebx
		call	PiDqQueryFreeActiveData
		jmp	loc_7D55F6
; END OF FUNCTION CHUNK	FOR PiDqIrpQueryGetResult
; 
; START	OF FUNCTION CHUNK FOR WmipSendWmiIrpToTraceDeviceList

loc_8F574B:				; CODE XREF: WmipSendWmiIrpToTraceDeviceList+45j
		mov	esi, 0C000009Ah
		jmp	loc_7D583B
; END OF FUNCTION CHUNK	FOR WmipSendWmiIrpToTraceDeviceList
; 
; START	OF FUNCTION CHUNK FOR PspJobClose

loc_8F5755:				; CODE XREF: PspJobClose+A9j
		mov	ecx, esi
		call	_PspHardDereferenceSiloWorker@4	; PspHardDereferenceSiloWorker(x)
		jmp	loc_7D587E
; 

loc_8F5761:				; CODE XREF: PspJobClose+68j
		mov	edx, 624A7350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		jmp	loc_7D58B2
; END OF FUNCTION CHUNK	FOR PspJobClose
; 
; START	OF FUNCTION CHUNK FOR NtTerminateJobObject

loc_8F5772:				; CODE XREF: NtTerminateJobObject+38j
		test	ds:_PerfGlobalGroupMask, 80000h
		jz	loc_7D5945
		push	721h
		push	esi
		xor	edx, edx
		xor	ecx, ecx
		call	@EtwTraceJob@16	; EtwTraceJob(x,x,x,x)
		jmp	loc_7D5945
; END OF FUNCTION CHUNK	FOR NtTerminateJobObject
; 
; START	OF FUNCTION CHUNK FOR PspTerminateAllProcessesInJobHierarchy

loc_8F5796:				; CODE XREF: PspTerminateAllProcessesInJobHierarchy+58j
		push	721h
		push	edi
		movzx	edx, al
		mov	ecx, esi
		call	@EtwTraceJob@16	; EtwTraceJob(x,x,x,x)
		jmp	loc_7D59AA
; END OF FUNCTION CHUNK	FOR PspTerminateAllProcessesInJobHierarchy
; 
; START	OF FUNCTION CHUNK FOR NtAlpcCreateResourceReserve

loc_8F57AB:				; CODE XREF: NtAlpcCreateResourceReserve+22j
		mov	esi, 0C000000Dh
		jmp	loc_7D5A7B
; 

loc_8F57B5:				; CODE XREF: NtAlpcCreateResourceReserve+48j
		mov	ecx, eax
		jmp	loc_7D5A16
; END OF FUNCTION CHUNK	FOR NtAlpcCreateResourceReserve

;  S U B	R O U T	I N E 


sub_8F57BC	proc near		; DATA XREF: .text:006A40E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F57BC	endp


;  S U B	R O U T	I N E 


sub_8F57CA	proc near		; DATA XREF: .text:006A40E8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-24h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7D5A7B
sub_8F57CA	endp


;  S U B	R O U T	I N E 


sub_8F57DC	proc near		; DATA XREF: .text:006A40F0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F57DC	endp


;  S U B	R O U T	I N E 


sub_8F57EA	proc near		; DATA XREF: .text:006A40F4o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-28h]
		jmp	loc_7D5A6C
sub_8F57EA	endp

; 
; START	OF FUNCTION CHUNK FOR StringListContains

loc_8F57F5:				; CODE XREF: StringListContains+2Dj
		push	esi		; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		jmp	loc_7D5CFD
; 

loc_8F5803:				; CODE XREF: StringListContains+87j
		cmp	eax, 2012h
		jnz	short loc_8F5812
		test	ebx, ebx
		jnz	loc_7D5D2F

loc_8F5812:				; CODE XREF: StringListContains+11FB66j
		mov	ecx, esi
		xor	edi, edi
		lea	edx, [ecx+2]

loc_8F5819:				; CODE XREF: StringListContains+11FB80j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_8F5819
		mov	eax, [ebp+var_4]
		sub	ecx, edx
		sar	ecx, 1
		xor	edx, edx
		lea	esi, [esi+ecx*2]
		mov	ecx, [ebp+var_C]
		add	esi, 2
		cmp	[esi], dx
		jnz	loc_7D5CC4
		jmp	loc_7D5D2F
; END OF FUNCTION CHUNK	FOR StringListContains
; 
; START	OF FUNCTION CHUNK FOR IopOpenLinkOrRenameTarget

loc_8F5844:				; CODE XREF: IopOpenLinkOrRenameTarget+A1j
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 1
		jnz	short loc_8F5873
		lea	eax, [esp+0A0h+var_88]
		push	eax
		push	edx
		push	edx
		push	1
		push	ecx
		call	_IoConvertFileHandleToKernelHandle@20 ;	IoConvertFileHandleToKernelHandle(x,x,x,x,x)
		test	eax, eax
		js	loc_7D6064
		mov	ebx, [esp+0A0h+var_88]
		jmp	loc_7D5F03
; 

loc_8F5873:				; CODE XREF: IopOpenLinkOrRenameTarget+11F9F5j
		mov	ebx, ecx
		mov	[esp+0A0h+var_88], ebx
		jmp	loc_7D5F03
; 

loc_8F587E:				; CODE XREF: IopOpenLinkOrRenameTarget+13Aj
		mov	eax, [eax]
		mov	[esp+0A0h+var_7A+2], eax
		jmp	loc_7D5F9C
; 

loc_8F5889:				; CODE XREF: IopOpenLinkOrRenameTarget+1E5j
		push	0
		push	[esp+0A4h+var_90]
		call	ObCloseHandle
		mov	esi, 0C00000D4h
		jmp	loc_7D605A
; 

loc_8F589E:				; CODE XREF: IopOpenLinkOrRenameTarget+1C1j
		push	0
		push	[esp+0A4h+var_90]
		call	ObCloseHandle
		jmp	loc_7D605A
; 

loc_8F58AE:				; CODE XREF: IopOpenLinkOrRenameTarget+200j
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 1
		jnz	loc_7D6062
		push	0
		push	[esp+0A4h+var_88]
		call	ObCloseHandle
		jmp	loc_7D6062
; END OF FUNCTION CHUNK	FOR IopOpenLinkOrRenameTarget
; 
; START	OF FUNCTION CHUNK FOR IopGetBasicInformationFile

loc_8F58D1:				; CODE XREF: IopGetBasicInformationFile+41j
		call	_VfFastIoSnapState@0 ; VfFastIoSnapState()
		mov	edi, eax
		mov	eax, [ebp+var_C]
		jmp	loc_7D60CB
; 

loc_8F58E0:				; CODE XREF: IopGetBasicInformationFile+62j
		mov	edx, esi
		mov	ecx, edi
		call	_VfFastIoCheckState@8 ;	VfFastIoCheckState(x,x)
		mov	al, [ebp+var_1]
		jmp	loc_7D60EC
; 

loc_8F58F1:				; CODE XREF: IopGetBasicInformationFile+29j
					; IopGetBasicInformationFile+34j ...
		lea	eax, [ebp+var_C]
		mov	ecx, ebx
		push	eax
		push	[ebp+var_8]
		push	4
		push	28h
		pop	edx
		call	IopGetFileInformation
		jmp	loc_7D60F7
; END OF FUNCTION CHUNK	FOR IopGetBasicInformationFile
; 
; START	OF FUNCTION CHUNK FOR PspValidateJobAffinityState

loc_8F5909:				; CODE XREF: PspValidateJobAffinityState+26j
		mov	edx, esi
		call	_PspCheckJobAccessState@8 ; PspCheckJobAccessState(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7D6136
		jmp	loc_7D6128
; END OF FUNCTION CHUNK	FOR PspValidateJobAffinityState
; 
; START	OF FUNCTION CHUNK FOR PspSetQuotaLimits

loc_8F591F:				; CODE XREF: PspSetQuotaLimits+50j
		push	8
		pop	ecx
		lea	edi, [ebp+var_54]
		rep movsd
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_97], bl
		jmp	loc_7D623D
; 

loc_8F593F:				; CODE XREF: PspSetQuotaLimits+127j
					; PspSetQuotaLimits+130j
		cmp	[ebp+var_97], bl
		jnz	short loc_8F595D
		push	38h		; size_t
		push	ecx		; int
		lea	eax, [ebp+var_54]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_24], 10h

loc_8F595D:				; CODE XREF: PspSetQuotaLimits+11F777j
		push	[ebp+arg_4]
		push	ds:dword_A94A1C
		push	ds:_SeIncreaseQuotaPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_8F597C
		mov	ebx, 0C0000061h
		jmp	short loc_8F59AC
; 

loc_8F597C:				; CODE XREF: PspSetQuotaLimits+11F7A5j
		mov	edi, [ebp+var_A0]
		push	edi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		push	esi
		mov	edx, edi
		lea	ecx, [ebp+var_54]
		call	PspAssignProcessQuotaBlock
		mov	ebx, eax
		lea	ecx, [edi+12Ch]
		mov	edx, esi
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		test	ebx, ebx
		jns	loc_7D6432

loc_8F59AC:				; CODE XREF: PspSetQuotaLimits+11F7ACj
		mov	edx, 79517350h
		mov	ecx, [ebp+var_A0]
		call	ObfDereferenceObjectWithTag
		mov	eax, ebx
		jmp	loc_7D6448
; 

loc_8F59C3:				; CODE XREF: PspSetQuotaLimits+1C4j
		mov	esi, ebx
		mov	byte ptr [ebp+var_A8], bl
		mov	[ebp+var_95], bl
		cmp	[ebp+var_98], 0
		jnz	loc_7D6398
		mov	eax, [edi+170h]
		mov	[ebp+var_4C], eax
		mov	eax, [edi+174h]
		mov	[ebp+var_48], eax
		jmp	loc_7D6398
; 

loc_8F59F5:				; CODE XREF: PspSetQuotaLimits+201j
		cmp	[ebp+var_95], bl
		jnz	loc_7D63D5
		mov	edx, esi
		mov	ecx, [ebp+var_A0]
		call	MmEnforceWorkingSetLimit
		jmp	loc_7D63D5
; 

loc_8F5A13:				; CODE XREF: PspSetQuotaLimits+7Fj
					; PspSetQuotaLimits+8Cj ...
		mov	eax, 0C000000Dh
		jmp	loc_7D6448
; 

loc_8F5A1D:				; CODE XREF: PspSetQuotaLimits+5Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7D6448
; END OF FUNCTION CHUNK	FOR PspSetQuotaLimits

;  S U B	R O U T	I N E 


sub_8F5A2E	proc near		; DATA XREF: .text:006A4154o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B4h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F5A2E	endp


;  S U B	R O U T	I N E 


sub_8F5A3F	proc near		; DATA XREF: .text:006A4158o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0B4h]
		jmp	loc_7D6448
sub_8F5A3F	endp

; 
; START	OF FUNCTION CHUNK FOR PspGetProcessProtectionRequirementsFromImage

loc_8F5A54:				; CODE XREF: PspGetProcessProtectionRequirementsFromImage+18j
		cmp	[ebp+arg_0], 0
		mov	ebx, 81h
		mov	byte ptr [ebp+var_4], bl
		jz	loc_7D65C9
		cmp	[ebp+arg_0], bl
		jz	loc_7D65C9
		push	[ebp+var_4]
		push	dword ptr [ebp+arg_0]
		call	_RtlTestProtectedAccess@8 ; RtlTestProtectedAccess(x,x)
		test	al, al
		jz	loc_7D65C9
		jmp	loc_7D65C6
; END OF FUNCTION CHUNK	FOR PspGetProcessProtectionRequirementsFromImage
; 
; START	OF FUNCTION CHUNK FOR PspSetJobLimitsJobPreCallback

loc_8F5A87:				; CODE XREF: PspSetJobLimitsJobPreCallback+1Aj
		cmp	[esi], edi
		jz	loc_7D6664
		xor	edx, edx
		mov	ecx, offset dword_6BEF18
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, 100h
		lea	eax, [edi+310h]
		lock or	[eax], ecx
		jmp	loc_7D6664
; END OF FUNCTION CHUNK	FOR PspSetJobLimitsJobPreCallback
; 
; START	OF FUNCTION CHUNK FOR PspSetEffectiveJobLimits

loc_8F5AAE:				; CODE XREF: PspSetEffectiveJobLimits+E4j
		test	esi, esi
		jz	short loc_8F5AEE
		cmp	[esi+164h], ecx
		jz	short loc_8F5AEE
		lea	eax, [ebp+var_18]
		add	esi, 15Ch
		push	eax
		lea	eax, [ebx+0B8h]
		push	eax
		push	esi
		call	_KeAndAffinityEx@12 ; KeAndAffinityEx(x,x,x)
		mov	eax, [ebp+var_10]
		cmp	[ebx+0C0h], eax
		jnz	short loc_8F5AF4
		test	eax, eax
		jz	short loc_8F5AF4
		lea	edi, [ebx+15Ch]
		lea	esi, [ebp+var_18]
		jmp	loc_7D676C
; 

loc_8F5AEE:				; CODE XREF: PspSetEffectiveJobLimits+11F444j
					; PspSetEffectiveJobLimits+11F44Cj
		lea	esi, [ebx+0B8h]

loc_8F5AF4:				; CODE XREF: PspSetEffectiveJobLimits+11F46Ej
					; PspSetEffectiveJobLimits+11F472j
		lea	edi, [ebx+15Ch]
		jmp	loc_7D676C
; 

loc_8F5AFF:				; CODE XREF: PspSetEffectiveJobLimits+F2j
		mov	[eax], dx
		mov	[eax+2], dx
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		jmp	loc_7D66A4
; 

loc_8F5B11:				; CODE XREF: PspSetEffectiveJobLimits+110j
		xor	dl, dl
		jmp	loc_7D6788
; 

loc_8F5B18:				; CODE XREF: PspSetEffectiveJobLimits+123j
		mov	dh, [ebx+1A5h]
		movzx	eax, dl
		movzx	ecx, dh
		mov	al, byte ptr ds:_PspPriorityClassRank[eax]
		cmp	al, byte ptr ds:_PspPriorityClassRank[ecx]
		jb	loc_7D6795
		mov	dl, dh
		jmp	loc_7D6795
; 

loc_8F5B3D:				; CODE XREF: PspSetEffectiveJobLimits+136j
		push	0Ah
		pop	eax
		jmp	loc_7D67AE
; 

loc_8F5B45:				; CODE XREF: PspSetEffectiveJobLimits+148j
		mov	ecx, [ebx+0ECh]
		cmp	ecx, eax
		jnb	loc_7D67BA
		mov	[ebx+190h], ecx
		jmp	loc_7D66CA
; 

loc_8F5B5E:				; CODE XREF: PspSetEffectiveJobLimits+15Bj
		xor	eax, eax
		mov	ecx, eax
		jmp	loc_7D67D9
; 

loc_8F5B67:				; CODE XREF: PspSetEffectiveJobLimits+174j
		mov	edx, [ebx+0ACh]
		cmp	edx, eax
		jb	short loc_8F5B79
		test	eax, eax
		jnz	loc_7D67E6

loc_8F5B79:				; CODE XREF: PspSetEffectiveJobLimits+11F503j
		mov	eax, [ebx+0A8h]
		mov	[ebx+174h], edx
		mov	[ebx+170h], eax
		jmp	loc_7D66DC
; 

loc_8F5B90:				; CODE XREF: PspSetEffectiveJobLimits+18Dj
		xor	ecx, ecx
		mov	edx, ecx
		mov	edi, ecx
		jmp	loc_7D6811
; 

loc_8F5B9B:				; CODE XREF: PspSetEffectiveJobLimits+1ACj
		mov	esi, [ebx+9Ch]
		cmp	esi, edx
		mov	eax, [ebx+98h]
		mov	[ebp+var_C], esi
		mov	esi, [ebp+var_8]
		mov	[ebp+var_4], eax
		jl	short loc_8F5BC7
		jg	short loc_8F5BBA
		cmp	eax, ecx
		jb	short loc_8F5BC7

loc_8F5BBA:				; CODE XREF: PspSetEffectiveJobLimits+11F548j
		mov	eax, ecx
		or	eax, edx
		jnz	loc_7D681E
		mov	eax, [ebp+var_4]

loc_8F5BC7:				; CODE XREF: PspSetEffectiveJobLimits+11F546j
					; PspSetEffectiveJobLimits+11F54Cj
		mov	[ebx+168h], eax
		mov	eax, [ebp+var_C]
		mov	[ebx+16Ch], eax
		mov	[ebx+180h], ebx
		jmp	loc_7D66FE
; END OF FUNCTION CHUNK	FOR PspSetEffectiveJobLimits
; 
; START	OF FUNCTION CHUNK FOR KIsUnlockSettingEnabled

loc_8F5BE1:				; CODE XREF: KIsUnlockSettingEnabled+81j
		cmp	dword ptr [edi], 0FFFFh
		jnz	loc_7D6AB3
		push	edi
		mov	edx, ebx
		lea	ecx, [esp+34h+var_10]
		call	KGetUnlockSetting
		mov	esi, eax
		jmp	loc_7D6AB3
; 

loc_8F5C00:				; CODE XREF: KIsUnlockSettingEnabled+C6j
		cmp	dword ptr [edi], 0FFFFh
		jnz	loc_7D6AF8
		push	edi
		mov	edx, ebx
		lea	ecx, [esp+34h+var_8]
		call	KGetUnlockSetting
		mov	esi, eax
		jmp	loc_7D6AF8
; END OF FUNCTION CHUNK	FOR KIsUnlockSettingEnabled
; 
; START	OF FUNCTION CHUNK FOR KGetUnlockSetting

loc_8F5C1F:				; CODE XREF: KGetUnlockSetting+7Dj
		cmp	eax, 0FFFFh
		jz	loc_7D6BA1
		xor	cl, cl
		jmp	loc_7D6BA1
; END OF FUNCTION CHUNK	FOR KGetUnlockSetting
; 
; START	OF FUNCTION CHUNK FOR RtlPinAtomInAtomTable

loc_8F5C31:				; CODE XREF: RtlPinAtomInAtomTable+16j
		mov	eax, 0C000000Dh
		jmp	loc_7D6CB9
; 

loc_8F5C3B:				; CODE XREF: RtlPinAtomInAtomTable+33j
		test	di, di
		jz	loc_7D6C91
		xor	esi, esi
		jmp	short loc_8F5C5C
; END OF FUNCTION CHUNK	FOR RtlPinAtomInAtomTable

;  S U B	R O U T	I N E 


sub_8F5C48	proc near		; DATA XREF: .text:006A41BCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F5C48	endp


;  S U B	R O U T	I N E 


sub_8F5C56	proc near		; DATA XREF: .text:006A41C0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
sub_8F5C56	endp

; START	OF FUNCTION CHUNK FOR RtlPinAtomInAtomTable

loc_8F5C5C:				; CODE XREF: RtlPinAtomInAtomTable+11F022j
		mov	[ebp+var_1C], esi
		jmp	loc_7D6C91
; END OF FUNCTION CHUNK	FOR RtlPinAtomInAtomTable
; 
; START	OF FUNCTION CHUNK FOR PopBootStatSet

loc_8F5C64:				; CODE XREF: PopBootStatSet+184j
		mov	esi, 0C000009Ah
		jmp	loc_7D6E65
; 

loc_8F5C6E:				; CODE XREF: PopBootStatSet+1AAj
					; PopBootStatSet+1B2j
		mov	[ecx], bl
		jmp	loc_7D6F18
; END OF FUNCTION CHUNK	FOR PopBootStatSet

;  S U B	R O U T	I N E 


sub_8F5C75	proc near		; DATA XREF: .text:006A41DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F5C75	endp


;  S U B	R O U T	I N E 


sub_8F5C83	proc near		; DATA XREF: .text:006A41E0o

; FUNCTION CHUNK AT 008F5CB1 SIZE 0000001A BYTES

		mov	esi, [ebp-44h]
		jmp	short loc_8F5CB1
sub_8F5C83	endp

; 
; START	OF FUNCTION CHUNK FOR PopBootStatSet

loc_8F5C88:				; CODE XREF: PopBootStatSet+ADj
		mov	esi, 0C000000Dh
		jmp	loc_7D6E65
; 

loc_8F5C92:				; CODE XREF: PopBootStatSet+F6j
		mov	eax, [ebp+var_38]
		mov	ecx, [ebp+var_2C]
		mov	[edx+ecx*4], eax
		jmp	loc_7D6E5C
; END OF FUNCTION CHUNK	FOR PopBootStatSet

;  S U B	R O U T	I N E 


sub_8F5CA0	proc near		; DATA XREF: .text:006A41E8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F5CA0	endp


;  S U B	R O U T	I N E 


sub_8F5CAE	proc near		; DATA XREF: .text:006A41ECo
		mov	esi, [ebp-4Ch]
sub_8F5CAE	endp

; START	OF FUNCTION CHUNK FOR sub_8F5C83

loc_8F5CB1:				; CODE XREF: sub_8F5C83+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	al, [ebp-1Ah]
		mov	[ebp-19h], al
		mov	edi, [ebp-30h]
		xor	ebx, ebx
		jmp	loc_7D6E65
; END OF FUNCTION CHUNK	FOR sub_8F5C83
; 
; START	OF FUNCTION CHUNK FOR RtlGetSetBootStatusData

loc_8F5CCB:				; CODE XREF: RtlGetSetBootStatusData+53j
		mov	eax, 0C000000Dh
		jmp	loc_7D70A1
; END OF FUNCTION CHUNK	FOR RtlGetSetBootStatusData
; 
; START	OF FUNCTION CHUNK FOR RtlpGetSetBootStatusData

loc_8F5CD5:				; CODE XREF: RtlpGetSetBootStatusData+74j
					; RtlpGetSetBootStatusData+7Dj
		mov	eax, 0C0000059h
		jmp	loc_7D719B
; 

loc_8F5CDF:				; CODE XREF: RtlpGetSetBootStatusData+86j
		mov	eax, 0C0000023h
		jmp	loc_7D719B
; 

loc_8F5CE9:				; CODE XREF: RtlpGetSetBootStatusData+99j
					; RtlpGetSetBootStatusData+A5j	...
		xor	ecx, ecx
		lea	eax, [ebp+var_18]
		push	ecx
		push	eax
		push	edi
		push	[ebp+arg_4]
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	ebx
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_7D718E
; END OF FUNCTION CHUNK	FOR RtlpGetSetBootStatusData
; 
; START	OF FUNCTION CHUNK FOR SepCheckCapabilities

loc_8F5D08:				; CODE XREF: SepCheckCapabilities+4Cj
		mov	byte ptr [edi],	1
		jmp	loc_7D76D6
; 

loc_8F5D10:				; CODE XREF: SepCheckCapabilities+F2j
					; SepCheckCapabilities+11Dj
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+edi*8]
		cmp	byte ptr [eax+1], 9
		jnz	loc_7D76D1
		push	0
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		cmp	dword ptr [eax], 3
		jnz	loc_7D76D1
		cmp	[esp+38h+var_24], 0
		jnz	short loc_8F5D52
		lea	eax, [esp+38h+var_24]
		push	eax
		push	1Fh
		push	[esp+40h+var_4]
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7D76D6

loc_8F5D52:				; CODE XREF: SepCheckCapabilities+11E714j
		mov	eax, [esp+38h+var_24]
		mov	ebx, [eax]
		push	ebx
		call	_RtlSubAuthorityCountSid@4 ; RtlSubAuthorityCountSid(x)
		cmp	byte ptr [eax],	8
		jb	short loc_8F5D8C
		push	1Ch		; Length
		push	1
		push	ebx
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	eax		; Source2
		mov	eax, [ebp+arg_0]
		push	1
		push	dword ptr [eax+edi*8]
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 1Ch
		jnz	short loc_8F5D8C
		mov	al, [esp+38h+var_29]
		jmp	short loc_8F5D92
; 

loc_8F5D8C:				; CODE XREF: SepCheckCapabilities+11E73Fj
					; SepCheckCapabilities+11E762j
		xor	al, al
		mov	[esp+38h+var_29], al

loc_8F5D92:				; CODE XREF: SepCheckCapabilities+11E768j
		mov	bl, al
		test	al, al
		jz	loc_7D76D1
		jmp	loc_7D76C6
; 

loc_8F5DA1:				; CODE XREF: SepCheckCapabilities+CBj
		push	0
		push	[esp+3Ch+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7D76F3
; END OF FUNCTION CHUNK	FOR SepCheckCapabilities
; 
; START	OF FUNCTION CHUNK FOR ExpWatchProductTypeWork

loc_8F5DB1:				; CODE XREF: ExpWatchProductTypeWork+AEj
		or	[esp+84h+var_70], 0FFFFFFFFh
		lea	eax, [esp+84h+var_74]
		push	eax
		push	esi
		push	esi
		mov	[esp+90h+var_74], 0FF676980h
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_7D786B
; 

loc_8F5DCF:				; CODE XREF: ExpWatchProductTypeWork+B6j
		push	esi
		push	esi
		push	eax
		push	0Dh
		jmp	short loc_8F5DDC
; 

loc_8F5DD6:				; CODE XREF: ExpWatchProductTypeWork+286j
		push	esi
		push	1

loc_8F5DD9:				; CODE XREF: ExpWatchProductTypeWork+11E702j
		push	eax

loc_8F5DDA:				; CODE XREF: ExpWatchProductTypeWork+11E72Aj
		push	11h

loc_8F5DDC:				; CODE XREF: ExpWatchProductTypeWork+11E600j
		push	9Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8F5DE6:				; CODE XREF: ExpWatchProductTypeWork+10Bj
		or	[esp+0A0h+var_8C], 0FFFFFFFFh
		mov	[esp+0A0h+var_90], 0FF676980h

loc_8F5DF3:				; CODE XREF: ExpWatchProductTypeWork+11E64Bj
		lea	eax, [esp+0A0h+var_90]
		push	eax
		push	esi
		push	esi
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		lea	eax, [esp+28h]
		push	eax		; int
		push	22h		; int
		lea	eax, [esp+0A8h+var_50]
		push	eax		; int
		push	2		; size_t
		lea	eax, [esp+0B0h+var_88]
		push	eax		; int
		push	_ExpProductTypeKey ; int
		call	NtQueryValueKey
		cmp	eax, edi
		jz	short loc_8F5DF3
		jmp	loc_7D78E5
; 

loc_8F5E26:				; CODE XREF: ExpWatchProductTypeWork+150j
					; ExpWatchProductTypeWork+18Dj
		mov	bl, 1
		jmp	loc_7D7969
; 

loc_8F5E2D:				; CODE XREF: ExpWatchProductTypeWork+1D3j
		test	bl, bl
		jz	loc_7D79AD
		mov	edi, _ExpProductTypeValueInfo
		lea	esi, [esp+84h+var_34]
		push	8
		pop	ecx
		rep movsd
		xor	bl, bl
		movsw
		jmp	loc_7D79B1
; 

loc_8F5E4D:				; CODE XREF: ExpWatchProductTypeWork+27Ej
		or	dword ptr [esp+14h], 0FFFFFFFFh
		mov	[esp+8Ch+var_7C], 0FF676980h

loc_8F5E5A:				; CODE XREF: ExpWatchProductTypeWork+11E6B5j
		lea	eax, [esp+8Ch+var_7C]
		push	eax
		push	esi
		push	esi
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	ecx, _ExpProductTypeValueInfo
		push	dword ptr [ecx+8]
		lea	eax, [ecx+0Ch]
		push	eax
		push	dword ptr [ecx+4]
		lea	eax, [esp+98h+var_74]
		push	esi
		push	eax
		push	_ExpProductTypeKey
		call	NtSetValueKey
		cmp	eax, edi
		jz	short loc_8F5E5A
		jmp	loc_7D7A58
; 

loc_8F5E90:				; CODE XREF: ExpWatchProductTypeWork+2CCj
		or	dword ptr [esp+14h], 0FFFFFFFFh
		mov	[esp+8Ch+var_7C], 0FF676980h

loc_8F5E9D:				; CODE XREF: ExpWatchProductTypeWork+11E6F8j
		lea	eax, [esp+8Ch+var_7C]
		push	eax
		push	esi
		push	esi
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	ecx, dword_6D6EF0
		push	dword ptr [ecx+8]
		lea	eax, [ecx+0Ch]
		push	eax
		push	dword ptr [ecx+4]
		lea	eax, [esp+98h+var_74]
		push	esi
		push	eax
		push	_ExpProductTypeKey
		call	NtSetValueKey
		cmp	eax, edi
		jz	short loc_8F5E9D
		jmp	loc_7D7AA6
; 

loc_8F5ED3:				; CODE XREF: ExpWatchProductTypeWork+2D4j
		push	esi
		push	2
		jmp	loc_8F5DD9
; 

loc_8F5EDB:				; CODE XREF: ExpWatchProductTypeWork+29Ej
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+8Ch+var_74]
		push	eax
		push	_ExpProductTypeKey
		call	NtDeleteValueKey
		jmp	loc_7D7AAE
; 

loc_8F5EF5:				; CODE XREF: ExpWatchProductTypeWork+239j
					; ExpWatchProductTypeWork+247j
		push	esi
		push	1
		jmp	short loc_8F5EFD
; 

loc_8F5EFA:				; CODE XREF: ExpWatchProductTypeWork+31Cj
		push	esi
		push	4

loc_8F5EFD:				; CODE XREF: ExpWatchProductTypeWork+11E724j
		push	edi
		jmp	loc_8F5DDA
; 

loc_8F5F03:				; CODE XREF: ExpWatchProductTypeWork+30Bj
		or	dword ptr [esp+14h], 0FFFFFFFFh
		lea	eax, [esp+8Ch+var_7C]
		push	eax
		push	esi
		push	esi
		mov	[esp+98h+var_7C], 0FF676980h
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_7D7AAE
; 

loc_8F5F21:				; CODE XREF: ExpWatchProductTypeWork+332j
		push	esi
		push	esi
		push	0C000026Ah
		push	offset _ExpExpirationThread@4 ;	ExpExpirationThread(x)
		push	esi
		push	esi
		push	esi
		push	1FFFFFh
		lea	eax, [esp+0ACh+var_60]
		mov	bl, bh
		push	eax
		call	PsCreateSystemThreadEx
		test	eax, eax
		js	loc_7D7B0C
		push	[esp+8Ch+var_60]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7D7B0C
; END OF FUNCTION CHUNK	FOR ExpWatchProductTypeWork
; 
; START	OF FUNCTION CHUNK FOR RtlUnicodeToUTF8N

loc_8F5F57:				; CODE XREF: RtlUnicodeToUTF8N+14Fj
		mov	eax, 0C000000Dh
		jmp	loc_7D7EBD
; 

loc_8F5F61:				; CODE XREF: RtlUnicodeToUTF8N+2Bj
		mov	eax, 0C00000F3h
		jmp	loc_7D7EBD
; 

loc_8F5F6B:				; CODE XREF: RtlUnicodeToUTF8N+45j
		test	ebx, ebx
		jz	loc_7D7EB0
		jmp	loc_7D7E4E
; 

loc_8F5F78:				; CODE XREF: RtlUnicodeToUTF8N+50j
		lea	eax, [esi-0DC00h]
		cmp	eax, 3FFh
		ja	loc_7D7E4E
		shl	ebx, 0Ah
		add	ebx, 0FCA02400h
		add	ebx, esi
		add	ecx, 2
		jmp	loc_7D7E4E
; 

loc_8F5F9C:				; CODE XREF: RtlUnicodeToUTF8N+73j
		mov	[ebp+var_4], 107h
		mov	ebx, 0FFFDh
		jmp	loc_7D7E5F
; 

loc_8F5FAD:				; CODE XREF: RtlUnicodeToUTF8N+7Fj
		cmp	ebx, 7FFh
		jbe	short loc_8F5FC3
		mov	eax, 0FFFFh
		cmp	eax, ebx
		sbb	esi, esi
		neg	esi
		add	esi, 2

loc_8F5FC3:				; CODE XREF: RtlUnicodeToUTF8N+11E1CDj
		inc	esi
		jmp	loc_7D7E6B
; 

loc_8F5FC9:				; CODE XREF: RtlUnicodeToUTF8N+95j
		mov	eax, ebx
		cmp	ebx, 7FFh
		ja	short loc_8F5FDA
		shr	eax, 6
		or	al, 0C0h
		jmp	short loc_8F600D
; 

loc_8F5FDA:				; CODE XREF: RtlUnicodeToUTF8N+11E1EBj
		shr	eax, 0Ch
		mov	esi, 0FFFFh
		mov	[ebp+arg_4], eax
		cmp	ebx, esi
		ja	short loc_8F5FF0
		or	eax, 0E0h
		jmp	short loc_8F6001
; 

loc_8F5FF0:				; CODE XREF: RtlUnicodeToUTF8N+11E201j
		mov	eax, ebx
		shr	eax, 12h
		or	al, 0F0h
		mov	[edx], al
		inc	edx
		mov	eax, [ebp+arg_4]
		and	al, 3Fh
		or	al, 80h

loc_8F6001:				; CODE XREF: RtlUnicodeToUTF8N+11E208j
		mov	[edx], al
		mov	eax, ebx
		shr	eax, 6
		inc	edx
		and	al, 3Fh
		or	al, 80h

loc_8F600D:				; CODE XREF: RtlUnicodeToUTF8N+11E1F2j
		mov	[edx], al
		and	bl, 3Fh
		inc	edx
		or	bl, 80h
		jmp	loc_7D7E81
; 

loc_8F601B:				; CODE XREF: RtlUnicodeToUTF8N+E0j
		mov	eax, esi
		jmp	loc_7D7ECC
; 

loc_8F6022:				; CODE XREF: RtlUnicodeToUTF8N+11Aj
		movzx	ebx, bx
		add	ecx, 2
		cmp	ebx, 7Fh
		ja	short loc_8F6035
		mov	[edx], bl
		inc	edx
		jmp	loc_7D7F24
; 

loc_8F6035:				; CODE XREF: RtlUnicodeToUTF8N+F9j
					; RtlUnicodeToUTF8N+16Ej ...
		mov	edi, 7FFh
		cmp	ebx, edi
		ja	short loc_8F6047
		mov	eax, ebx
		or	eax, 3000h
		jmp	short loc_8F60AB
; 

loc_8F6047:				; CODE XREF: RtlUnicodeToUTF8N+11E256j
		lea	eax, [ebx-0D800h]
		cmp	eax, edi
		jbe	short loc_8F605A
		mov	eax, ebx
		or	eax, 0E0000h
		jmp	short loc_8F6096
; 

loc_8F605A:				; CODE XREF: RtlUnicodeToUTF8N+11E269j
		cmp	ebx, 0DBFFh
		ja	short loc_8F60CC
		movzx	edi, word ptr [ecx]
		add	ecx, 2
		lea	eax, [edi-0DC00h]
		cmp	eax, 3FFh
		ja	short loc_8F60C4
		shl	ebx, 0Ah
		add	ebx, 0FCA02400h
		add	ebx, edi
		mov	eax, ebx
		shr	eax, 12h
		or	al, 0F0h
		mov	[edx], al
		mov	eax, ebx
		and	eax, 3F000h
		inc	edx
		or	eax, 80000h

loc_8F6096:				; CODE XREF: RtlUnicodeToUTF8N+11E272j
		shr	eax, 0Ch
		sub	esi, 2
		mov	[edx], al
		mov	eax, ebx
		and	eax, 0FC0h
		inc	edx
		or	eax, 2000h

loc_8F60AB:				; CODE XREF: RtlUnicodeToUTF8N+11E25Fj
		and	bl, 3Fh
		shr	eax, 6
		or	bl, 80h
		mov	[edx], al
		sub	esi, 2
		mov	[edx+1], bl
		add	edx, 2
		jmp	loc_7D7F24
; 

loc_8F60C4:				; CODE XREF: RtlUnicodeToUTF8N+11E28Dj
		sub	ecx, 4
		jmp	loc_7D7F28
; 

loc_8F60CC:				; CODE XREF: RtlUnicodeToUTF8N+11E27Aj
		sub	ecx, 2
		jmp	loc_7D7F28
; 

loc_8F60D4:				; CODE XREF: RtlUnicodeToUTF8N+8Cj
		mov	edi, 0C0000023h
		jmp	loc_7D7EB3
; END OF FUNCTION CHUNK	FOR RtlUnicodeToUTF8N
; 
; START	OF FUNCTION CHUNK FOR CmpTryToLockHashEntryExclusive

loc_8F60DE:				; CODE XREF: CmpTryToLockHashEntryExclusive+4Cj
		push	[ebp+arg_0]
		push	0Dh
		push	edi
		push	17h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8F60ED:				; CODE XREF: CmpTryToLockHashEntryExclusive+2Dj
		test	eax, eax
		jz	short loc_8F60FA
		mov	edx, eax
		mov	ecx, esi
		call	KeAbPostReleaseEx

loc_8F60FA:				; CODE XREF: CmpTryToLockHashEntryExclusive+11E185j
		xor	bl, bl
		jmp	loc_7D7FBC
; END OF FUNCTION CHUNK	FOR CmpTryToLockHashEntryExclusive
; 
; START	OF FUNCTION CHUNK FOR PiDmObjectGetCachedObjectReference

loc_8F6101:				; CODE XREF: PiDmObjectGetCachedObjectReference+4Fj
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_10]
		push	eax
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7D8074
		mov	bl, 1
		jmp	loc_7D801B
; 

loc_8F6121:				; CODE XREF: PiDmObjectGetCachedObjectReference+A8j
		mov	ecx, [ebp+arg_0]
		call	PiDmObjectRelease
		jmp	loc_7D8074
; END OF FUNCTION CHUNK	FOR PiDmObjectGetCachedObjectReference
; 
; START	OF FUNCTION CHUNK FOR SepFreeDefaultDacl

loc_8F612E:				; CODE XREF: SepFreeDefaultDacl+2Ej
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memmove
		mov	eax, [esi+0A0h]
		add	esp, 0Ch
		mov	[esi+9Ch], eax
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR SepFreeDefaultDacl
; 
; START	OF FUNCTION CHUNK FOR CmGetVisibleValueCount

loc_8F6152:				; CODE XREF: CmGetVisibleValueCount+17j
		push	esi
		mov	esi, [ecx+9Ch]
		test	esi, esi
		jz	short loc_8F616A
		cmp	esi, [ebp+arg_0]
		jnz	short loc_8F616E
		mov	eax, [ecx+94h]
		jmp	short loc_8F6171
; 

loc_8F616A:				; CODE XREF: CmGetVisibleValueCount+11DEE1j
		test	edx, edx
		jnz	short loc_8F6171

loc_8F616E:				; CODE XREF: CmGetVisibleValueCount+11DEE6j
		mov	eax, [ecx+30h]

loc_8F6171:				; CODE XREF: CmGetVisibleValueCount+11DEEEj
					; CmGetVisibleValueCount+11DEF2j
		pop	esi
		jmp	loc_7D829A
; END OF FUNCTION CHUNK	FOR CmGetVisibleValueCount
; 
; START	OF FUNCTION CHUNK FOR CmpCreateHiveRootCell

loc_8F6177:				; CODE XREF: CmpCreateHiveRootCell+61j
		mov	edx, 30100h
		jmp	short loc_8F6183
; 

loc_8F617E:				; CODE XREF: CmpCreateHiveRootCell+E9j
		mov	edx, 30200h

loc_8F6183:				; CODE XREF: CmpCreateHiveRootCell+11DEDEj
		mov	ecx, 0C000009Ah
		push	ecx
		mov	edi, ecx
		jmp	short loc_8F6193
; 

loc_8F618D:				; CODE XREF: CmpCreateHiveRootCell+204j
		push	edi
		mov	edx, 30300h

loc_8F6193:				; CODE XREF: CmpCreateHiveRootCell+11DEEDj
		mov	esi, [ebp+arg_4]
		jmp	short loc_8F619E
; 

loc_8F6198:				; CODE XREF: CmpCreateHiveRootCell+16Aj
		push	edi
		mov	edx, 30500h

loc_8F619E:				; CODE XREF: CmpCreateHiveRootCell+11DEF8j
					; CmpCreateHiveRootCell+11DF12j
		mov	ecx, esi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_7D8422
; 

loc_8F61AA:				; CODE XREF: CmpCreateHiveRootCell+123j
		push	edi
		mov	edx, 30400h
		jmp	short loc_8F619E
; 

loc_8F61B2:				; CODE XREF: CmpCreateHiveRootCell+15Bj
		test	cl, 4
		jnz	loc_7D83FF
		mov	ecx, eax
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	eax, [ebp+arg_4]
		jmp	loc_7D83FF
; 

loc_8F61CA:				; CODE XREF: CmpCreateHiveRootCell+212j
		lea	eax, [ebp+var_8]
		push	eax
		call	_SeDeassignSecurity@4 ;	SeDeassignSecurity(x)
		jmp	loc_7D843D
; 

loc_8F61D8:				; CODE XREF: CmpCreateHiveRootCell+223j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_4]
		jmp	loc_7D84C7
; 

loc_8F61E8:				; CODE XREF: CmpCreateHiveRootCell+1B3j
		mov	edx, eax
		mov	ecx, ebx
		call	HvFreeCell
		jmp	loc_7D8457
; END OF FUNCTION CHUNK	FOR CmpCreateHiveRootCell
; 
; START	OF FUNCTION CHUNK FOR RtlMakeSelfRelativeSD

loc_8F61F6:				; CODE XREF: RtlMakeSelfRelativeSD+72j
		mov	eax, 0C000000Dh
		jmp	loc_7D882B
; END OF FUNCTION CHUNK	FOR RtlMakeSelfRelativeSD
; 
; START	OF FUNCTION CHUNK FOR RtlpQuerySecurityDescriptor

loc_8F6200:				; CODE XREF: RtlpQuerySecurityDescriptor+2Bj
		mov	edx, esi
		jmp	loc_7D88BF
; 

loc_8F6207:				; CODE XREF: RtlpQuerySecurityDescriptor+44j
		mov	edx, esi
		jmp	loc_7D88D6
; 

loc_8F620E:				; CODE XREF: RtlpQuerySecurityDescriptor+C1j
		lea	eax, [edx+ecx]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		jmp	loc_7D8904
; END OF FUNCTION CHUNK	FOR RtlpQuerySecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR CmpGetVolumeLogFileSizeCap

loc_8F621C:				; CODE XREF: CmpGetVolumeLogFileSizeCap+59j
		mov	ecx, 80000h
		cmp	eax, ecx
		ja	loc_7D8A41
		jmp	loc_7D8A3F
; END OF FUNCTION CHUNK	FOR CmpGetVolumeLogFileSizeCap
; 
; START	OF FUNCTION CHUNK FOR RtlpDeleteData

loc_8F622E:				; CODE XREF: RtlpDeleteData+30j
					; RtlpDeleteData+11D752j
		mov	al, [esi+ebx]
		mov	[ecx+esi], al
		inc	esi
		cmp	esi, [ebp+arg_0]
		jb	short loc_8F622E
		jmp	loc_7D8AF6
; END OF FUNCTION CHUNK	FOR RtlpDeleteData
; 
; START	OF FUNCTION CHUNK FOR RtlUTF8ToUnicodeN

loc_8F623F:				; CODE XREF: RtlUTF8ToUnicodeN+2Ej
		mov	eax, 0C00000F2h
		jmp	loc_7D8D2F
; 

loc_8F6249:				; CODE XREF: RtlUTF8ToUnicodeN+36j
		cmp	[ebp+arg_8], eax
		jnz	short loc_8F6258
		mov	eax, 0C000000Dh
		jmp	loc_7D8D2F
; 

loc_8F6258:				; CODE XREF: RtlUTF8ToUnicodeN+11D6B4j
		push	[ebp+arg_8]
		mov	edx, esi
		mov	ecx, ebx
		call	_CountUTF8ToUnicode@12 ; CountUTF8ToUnicode(x,x,x)
		jmp	loc_7D8D2F
; 

loc_8F6269:				; CODE XREF: RtlUTF8ToUnicodeN+4Dj
		mov	eax, esi
		and	al, 0C0h
		cmp	al, 80h
		jz	short loc_8F6284
		dec	ebx

loc_8F6272:				; CODE XREF: RtlUTF8ToUnicodeN+11D725j
					; RtlUTF8ToUnicodeN+11D72Ej ...
		mov	eax, 107h
		mov	edx, 0FFFDh
		mov	[ebp+var_4], eax
		jmp	loc_7D8BF6
; 

loc_8F6284:				; CODE XREF: RtlUTF8ToUnicodeN+11D6D7j
		and	esi, 3Fh
		shl	edx, 6
		or	edx, esi
		test	edx, 20000000h
		jnz	short loc_8F62D5
		test	edx, 10000000h
		jz	short loc_8F62BF
		test	edx, 800000h
		jnz	loc_7D8BD7
		mov	eax, edx
		and	eax, 1F0h
		sub	eax, 10h
		cmp	eax, 0F0h
		jbe	loc_7D8BD7
		jmp	short loc_8F6272
; 

loc_8F62BF:				; CODE XREF: RtlUTF8ToUnicodeN+11D702j
		mov	eax, edx
		and	eax, 3E0h
		jz	short loc_8F6272
		cmp	eax, 360h
		jnz	loc_7D8BD7
		jmp	short loc_8F6272
; 

loc_8F62D5:				; CODE XREF: RtlUTF8ToUnicodeN+11D6FAj
		mov	esi, [ebp+arg_C]
		mov	eax, edx
		and	eax, 101F0000h
		cmp	eax, 10000000h
		jbe	loc_7D8BF9
		cmp	ecx, esi
		jnb	loc_8F647C
		mov	eax, edx
		and	edx, 3FFh
		shr	eax, 0Ah
		and	eax, 7FFh
		sub	eax, 2840h
		mov	[ecx], ax
		add	ecx, 2
		add	edx, 0DC00h
		jmp	loc_7D8BF9
; 

loc_8F6318:				; CODE XREF: RtlUTF8ToUnicodeN+58j
					; RtlUTF8ToUnicodeN+16Dj
		test	dl, 40h
		jz	loc_8F6272
		test	dl, 20h
		jz	short loc_8F6346
		mov	eax, edx
		and	eax, 0Fh
		test	dl, 10h
		mov	edx, eax
		jz	short loc_8F635D
		cmp	edx, 4
		ja	loc_8F6272
		or	edx, 504D0C00h
		jmp	loc_7D8BD7
; 

loc_8F6346:				; CODE XREF: RtlUTF8ToUnicodeN+11D78Cj
		and	edx, 1Fh
		cmp	edx, 1
		jbe	loc_8F6272
		or	edx, 800000h
		jmp	loc_7D8BD7
; 

loc_8F635D:				; CODE XREF: RtlUTF8ToUnicodeN+11D798j
		or	edx, 48228000h
		jmp	loc_7D8BD7
; 

loc_8F6368:				; CODE XREF: RtlUTF8ToUnicodeN+84j
		mov	edx, eax
		jmp	loc_7D8C22
; 

loc_8F636F:				; CODE XREF: RtlUTF8ToUnicodeN+B1j
		movsx	edx, byte ptr [ebx]
		inc	ebx
		cmp	edx, 7Fh
		ja	short loc_8F6394
		mov	[ecx], dx
		add	ecx, 2
		jmp	loc_7D8C4F
; 

loc_8F6383:				; CODE XREF: RtlUTF8ToUnicodeN+C7j
					; RtlUTF8ToUnicodeN+F5j
		movzx	edx, dl
		inc	ebx
		cmp	edx, 7Fh
		ja	short loc_8F6394
		mov	[ecx], dx
		jmp	loc_8F646C
; 

loc_8F6394:				; CODE XREF: RtlUTF8ToUnicodeN+A2j
					; RtlUTF8ToUnicodeN+11D7DEj ...
		movsx	esi, byte ptr [ebx]
		inc	ebx
		test	dl, 40h
		jz	loc_8F6474
		mov	eax, esi
		and	al, 0C0h
		cmp	al, 80h
		jnz	loc_8F6474
		and	esi, 3Fh
		test	dl, 20h
		jz	loc_8F6456
		movsx	edi, byte ptr [ebx]
		mov	eax, edx
		and	eax, 0Fh
		shl	eax, 6
		or	esi, eax
		mov	eax, esi
		test	dl, 10h
		jz	short loc_8F642B
		shr	eax, 4
		dec	eax
		cmp	eax, 0Fh
		ja	loc_8F6474
		mov	eax, edi
		and	al, 0C0h
		cmp	al, 80h
		jnz	loc_8F6474
		movsx	edx, byte ptr [ebx+1]
		and	edi, 3Fh
		shl	esi, 6
		mov	eax, edx
		and	al, 0C0h
		or	esi, edi
		cmp	al, 80h
		jnz	short loc_8F6474
		shl	esi, 6
		and	edx, 3Fh
		or	esi, edx
		mov	eax, esi
		and	esi, 3FFh
		shr	eax, 0Ah
		and	eax, 7FFh
		sub	eax, 2840h
		mov	[ecx], ax
		add	ecx, 2
		sub	esi, 2400h
		push	2
		movzx	esi, si
		pop	eax
		jmp	short loc_8F644C
; 

loc_8F642B:				; CODE XREF: RtlUTF8ToUnicodeN+11D833j
		and	eax, 3E0h
		jz	short loc_8F6474
		cmp	eax, 360h
		jz	short loc_8F6474
		mov	eax, edi
		and	al, 0C0h
		cmp	al, 80h
		jnz	short loc_8F6474
		shl	esi, 6
		and	edi, 3Fh
		xor	eax, eax
		or	esi, edi
		inc	eax

loc_8F644C:				; CODE XREF: RtlUTF8ToUnicodeN+11D891j
		mov	edi, [ebp+arg_4]
		add	ebx, eax
		add	edi, 0FFFFFFFEh
		jmp	short loc_8F6463
; 

loc_8F6456:				; CODE XREF: RtlUTF8ToUnicodeN+11D81Bj
		and	edx, 1Fh
		cmp	edx, 1
		jbe	short loc_8F6474
		shl	edx, 6
		or	esi, edx

loc_8F6463:				; CODE XREF: RtlUTF8ToUnicodeN+11D8BCj
		sub	edi, 2
		mov	[ecx], si
		mov	[ebp+arg_4], edi

loc_8F646C:				; CODE XREF: RtlUTF8ToUnicodeN+11D7F7j
		add	ecx, 2
		jmp	loc_7D8C2B
; 

loc_8F6474:				; CODE XREF: RtlUTF8ToUnicodeN+11D803j
					; RtlUTF8ToUnicodeN+11D80Fj ...
		sub	ebx, 2
		jmp	loc_7D8CEF
; 

loc_8F647C:				; CODE XREF: RtlUTF8ToUnicodeN+63j
					; RtlUTF8ToUnicodeN+11D754j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_8F648B
		sub	ecx, [ebp+arg_0]
		and	ecx, 0FFFFFFFEh
		mov	[eax], ecx

loc_8F648B:				; CODE XREF: RtlUTF8ToUnicodeN+11D8E9j
		mov	eax, 0C0000023h
		jmp	loc_7D8D2F
; 

loc_8F6495:				; CODE XREF: RtlUTF8ToUnicodeN+17Fj
		mov	eax, 107h
		cmp	ecx, esi
		jb	short loc_8F64A8
		mov	eax, 0C0000023h
		jmp	loc_7D8D20
; 

loc_8F64A8:				; CODE XREF: RtlUTF8ToUnicodeN+11D904j
		mov	edx, 0FFFDh
		mov	[ecx], dx
		add	ecx, 2
		jmp	loc_7D8D20
; END OF FUNCTION CHUNK	FOR RtlUTF8ToUnicodeN
; 
; START	OF FUNCTION CHUNK FOR SleepstudyHelperBuildBlocker

loc_8F64B8:				; CODE XREF: SleepstudyHelperBuildBlocker+8Ej
		or	dword ptr [ebx+4], 4
		jmp	loc_7D8E20
; 

loc_8F64C1:				; CODE XREF: SleepstudyHelperBuildBlocker+155j
		or	dword ptr [ebx+4], 2
		call	_SSHSupportQueryInterruptTime@0	; SSHSupportQueryInterruptTime()
		mov	[ebx+10h], eax
		mov	[ebx+14h], edx
		jmp	loc_7D8EE7
; 

loc_8F64D5:				; CODE XREF: SleepstudyHelperBuildBlocker+49j
					; SleepstudyHelperBuildBlocker+51j
		mov	eax, [ebp+var_4]
		mov	[ebp+arg_0], 0C000009Ah
		jmp	short loc_8F64E4
; 

loc_8F64E1:				; CODE XREF: SleepstudyHelperBuildBlocker+22j
		mov	[ebp+arg_0], esi

loc_8F64E4:				; CODE XREF: SleepstudyHelperBuildBlocker+11D753j
		test	ebx, ebx
		jz	short loc_8F64F1
		mov	edx, eax
		mov	ecx, ebx
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_8F64F1:				; CODE XREF: SleepstudyHelperBuildBlocker+11D75Aj
		test	edi, edi
		jz	short loc_8F64FF
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_8F64FF:				; CODE XREF: SleepstudyHelperBuildBlocker+11D767j
		mov	edi, [ebp+arg_0]
		jmp	loc_7D8EFC
; END OF FUNCTION CHUNK	FOR SleepstudyHelperBuildBlocker
; 
; START	OF FUNCTION CHUNK FOR SleepstudyHelperDestroyBlockerBuilder

loc_8F6507:				; CODE XREF: SleepstudyHelperDestroyBlockerBuilder+1Bj
		xor	eax, eax
		mov	edx, ebx
		mov	[esi+28h], eax
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		mov	[esi+2Ch], edi
		jmp	loc_7D8F2B
; END OF FUNCTION CHUNK	FOR SleepstudyHelperDestroyBlockerBuilder
; 
; START	OF FUNCTION CHUNK FOR SshpDereferenceBlocker

loc_8F651B:				; CODE XREF: SshpDereferenceBlocker+1Ej
		call	_SshpFreeBlockerEntry@4	; SshpFreeBlockerEntry(x)
		mov	ecx, esi
		test	esi, esi
		jnz	loc_7D8F57
		jmp	loc_7D8F74
; END OF FUNCTION CHUNK	FOR SshpDereferenceBlocker
; 
; START	OF FUNCTION CHUNK FOR wil_StagingConfig_QueryFeatureState

loc_8F652F:				; CODE XREF: wil_StagingConfig_QueryFeatureState+74j
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_D8], edi
		push	eax
		lea	ecx, [ebp+var_110]
		call	_wil_details_StagingConfig_EnumerateFeatures@12	; wil_details_StagingConfig_EnumerateFeatures(x,x,x)
		cmp	[ebp+var_D8], edi
		jnz	short loc_8F655B
		mov	eax, [ebp+var_FC]
		cmp	[eax+6], di
		jbe	short loc_8F655E

loc_8F655B:				; CODE XREF: wil_StagingConfig_QueryFeatureState+11D5A3j
		xor	edi, edi
		inc	edi

loc_8F655E:				; CODE XREF: wil_StagingConfig_QueryFeatureState+11D5AFj
		or	[ebx], edi
		jmp	loc_7D9024
; 

loc_8F6565:				; CODE XREF: wil_StagingConfig_QueryFeatureState+81j
		push	4C4957h
		push	[ebp+var_EC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7D9031
; END OF FUNCTION CHUNK	FOR wil_StagingConfig_QueryFeatureState
; 
; START	OF FUNCTION CHUNK FOR wil_RtlStagingConfig_QueryFeatureState

loc_8F657A:				; CODE XREF: wil_RtlStagingConfig_QueryFeatureState+32j
		mov	ecx, [ebp+var_10]
		xor	ebx, ebx
		mov	eax, ecx
		inc	ebx
		shr	eax, 4
		and	eax, 3
		mov	[esi], eax
		mov	eax, ecx
		shr	eax, 8
		and	al, 3Fh
		mov	[esi+4], al
		mov	eax, [ebp+var_C]
		mov	[esi+0Ch], eax
		mov	eax, ecx
		shr	eax, 0Eh
		and	eax, 3
		mov	[esi+8], eax
		mov	eax, ecx
		shr	eax, 6
		and	eax, ebx
		shr	ecx, 7
		and	ecx, ebx
		mov	[esi+14h], eax
		mov	[esi+10h], ecx
		jmp	loc_7D908C
; 

loc_8F65BC:				; CODE XREF: wil_RtlStagingConfig_QueryFeatureState+3Ej
		mov	eax, [ebp+var_10]
		shr	eax, 7
		and	eax, 1
		mov	[esi+10h], eax
		jmp	loc_7D908C
; 

loc_8F65CD:				; CODE XREF: wil_RtlStagingConfig_QueryFeatureState+49j
		xor	ecx, ecx
		cmp	edi, 80000022h
		setnz	cl
		mov	[edx], ecx
		jmp	loc_7D9097
; END OF FUNCTION CHUNK	FOR wil_RtlStagingConfig_QueryFeatureState
; 
; START	OF FUNCTION CHUNK FOR RtlpFcQueryFeatureConfigurationFromBufferSet

loc_8F65DF:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBufferSet+23j
		and	[ebp+var_8], 0
		lea	eax, [esi+20h]
		push	[ebp+arg_4]
		mov	[ebp+var_4], 1
		mov	ecx, edi
		mov	edx, [ebp+edx*4+var_8]
		shl	edx, 4
		push	eax
		add	edx, esi
		call	_RtlpFcQueryFeatureConfigurationFromBuffers@16 ; RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)
		jmp	loc_7D90DD
; END OF FUNCTION CHUNK	FOR RtlpFcQueryFeatureConfigurationFromBufferSet
; 
; START	OF FUNCTION CHUNK FOR PfSnHashUnsafeUnicodeString

loc_8F6606:				; CODE XREF: PfSnHashUnsafeUnicodeString+53j
		sub	edi, 1
		jz	short loc_8F6671
		sub	edi, 1
		jz	short loc_8F6665
		sub	edi, 1
		jz	short loc_8F6659
		sub	edi, 1
		jz	short loc_8F664D
		sub	edi, 1
		jz	short loc_8F6641
		sub	edi, 1
		jz	short loc_8F6635
		sub	edi, 1
		jnz	short loc_8F667D
		imul	esi, 25h
		movzx	eax, byte ptr [edx]
		add	esi, eax
		inc	edx
		mov	[ebp+var_1C], edx

loc_8F6635:				; CODE XREF: PfSnHashUnsafeUnicodeString+11D52Ej
		imul	esi, 25h
		movzx	eax, byte ptr [edx]
		add	esi, eax
		inc	edx
		mov	[ebp+var_1C], edx

loc_8F6641:				; CODE XREF: PfSnHashUnsafeUnicodeString+11D529j
		imul	esi, 25h
		movzx	eax, byte ptr [edx]
		add	esi, eax
		inc	edx
		mov	[ebp+var_1C], edx

loc_8F664D:				; CODE XREF: PfSnHashUnsafeUnicodeString+11D524j
		imul	esi, 25h
		movzx	eax, byte ptr [edx]
		add	esi, eax
		inc	edx
		mov	[ebp+var_1C], edx

loc_8F6659:				; CODE XREF: PfSnHashUnsafeUnicodeString+11D51Fj
		imul	esi, 25h
		movzx	eax, byte ptr [edx]
		add	esi, eax
		inc	edx
		mov	[ebp+var_1C], edx

loc_8F6665:				; CODE XREF: PfSnHashUnsafeUnicodeString+11D51Aj
		imul	esi, 25h
		movzx	eax, byte ptr [edx]
		add	esi, eax
		inc	edx
		mov	[ebp+var_1C], edx

loc_8F6671:				; CODE XREF: PfSnHashUnsafeUnicodeString+11D515j
		imul	esi, 25h
		movzx	eax, byte ptr [edx]
		add	esi, eax
		inc	edx
		mov	[ebp+var_1C], edx

loc_8F667D:				; CODE XREF: PfSnHashUnsafeUnicodeString+11D533j
		mov	eax, [ebp+var_24]
		mov	[eax], esi
		jmp	short loc_8F6698
; END OF FUNCTION CHUNK	FOR PfSnHashUnsafeUnicodeString

;  S U B	R O U T	I N E 


sub_8F6684	proc near		; DATA XREF: .text:006A4204o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F6684	endp


;  S U B	R O U T	I N E 


sub_8F6692	proc near		; DATA XREF: .text:006A4208o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-28h]
sub_8F6692	endp

; START	OF FUNCTION CHUNK FOR PfSnHashUnsafeUnicodeString

loc_8F6698:				; CODE XREF: PfSnHashUnsafeUnicodeString+11D58Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; END OF FUNCTION CHUNK	FOR PfSnHashUnsafeUnicodeString
; 
; START	OF FUNCTION CHUNK FOR CmpInitCmRM

loc_8F66B1:				; CODE XREF: CmpInitCmRM+BEj
					; CmpInitCmRM+D0j
		mov	dword ptr [ebx+9A4h], 1
		jmp	short loc_8F66CC
; 

loc_8F66BD:				; CODE XREF: CmpInitCmRM+EBj
		mov	dword ptr [ebx+9A4h], 1

loc_8F66C7:				; CODE XREF: CmpInitCmRM+11D54Aj
		mov	esi, 0C000009Ah

loc_8F66CC:				; CODE XREF: CmpInitCmRM+11D50Fj
		push	esi
		mov	edx, ebx
		mov	[ebx+9A8h], esi
		call	_CmpLogTxrInitEvent@12 ; CmpLogTxrInitEvent(x,x,x)
		mov	eax, esi
		jmp	loc_7D9771
; 

loc_8F66E1:				; CODE XREF: CmpInitCmRM+11Aj
		push	6D524D43h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebx+9A4h], 2
		jmp	short loc_8F66C7
; 

loc_8F66F8:				; CODE XREF: CmpInitCmRM+162j
		mov	[esi+0A4h], eax
		jmp	loc_8F67C8
; 

loc_8F6703:				; CODE XREF: CmpInitCmRM+17Fj
		lea	esi, [ebp+var_34]
		mov	[ebp+var_68], 1
		movsd
		mov	[ebp+var_49], 1
		movsd
		movsd
		movsd
		mov	esi, [ebx+20h]
		jmp	loc_7D9331
; 

loc_8F671D:				; CODE XREF: CmpInitCmRM+199j
		lea	esi, [ebp+var_14]
		mov	[ebp+var_49], 1
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebx+20h]
		jmp	loc_7D934B
; 

loc_8F6730:				; CODE XREF: CmpInitCmRM+1B6j
		add	esi, 70h
		mov	al, 1
		movsd
		movsd
		movsd
		movsd
		jmp	loc_7D936B
; 

loc_8F673E:				; CODE XREF: CmpInitCmRM+1C4j
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, ebx
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	ecx, ebx
		call	_HvLockHiveWriter@4 ; HvLockHiveWriter(x)
		mov	ecx, ebx
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)
		mov	ecx, ebx
		call	HvUnlockHiveWriter
		mov	ecx, ebx
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		jmp	loc_7D9376
; 

loc_8F6770:				; CODE XREF: CmpInitCmRM+2E8j
		cmp	[ebp+var_68], edi
		jnz	loc_8F680E
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [ebp+var_48]
		mov	edx, ebx
		push	eax
		call	_CmpLogTxrInitEvent@12 ; CmpLogTxrInitEvent(x,x,x)
		jmp	short loc_8F67C8
; 

loc_8F678F:				; CODE XREF: CmpInitCmRM+444j
		cmp	[ebp+var_5C], edi
		jz	short loc_8F679D
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_8F679D:				; CODE XREF: CmpInitCmRM+11D5E6j
		cmp	[ebp+var_50], edi
		jz	short loc_8F67AE
		push	[ebp+var_50]
		call	ds:__imp__ClfsCloseLogFileObject@4 ; ClfsCloseLogFileObject(x)
		mov	[ebp+var_50], edi

loc_8F67AE:				; CODE XREF: CmpInitCmRM+11D5F4j
		cmp	[ebp+var_58], edi
		jz	short loc_8F67BF
		push	[ebp+var_58]
		call	ds:__imp__ClfsMgmtDeregisterManagedClient@4 ; ClfsMgmtDeregisterManagedClient(x)
		mov	[ebp+var_58], edi

loc_8F67BF:				; CODE XREF: CmpInitCmRM+11D605j
		cmp	[ebp+var_68], edi
		jnz	loc_7D9605

loc_8F67C8:				; CODE XREF: CmpInitCmRM+11D552j
					; CmpInitCmRM+11D5E1j
		mov	edi, [ebx+20h]
		lea	esi, [ebp+var_34]
		add	edi, 94h
		mov	[ebp+var_68], 1
		mov	al, 1
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebx+20h]
		lea	esi, [ebp+var_14]
		add	edi, 70h
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebx+20h]
		lea	esi, [ebp+var_14]
		sub	edi, 0FFFFFF80h
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_6C]
		test	esi, esi
		jnz	loc_7D936E
		mov	[ebp+var_4A], al
		jmp	loc_7D936E
; 

loc_8F680E:				; CODE XREF: CmpInitCmRM+11D5C7j
		mov	dword ptr [ebx+9A4h], 7
		jmp	loc_8F68F1
; 

loc_8F681D:				; CODE XREF: CmpInitCmRM+467j
		mov	dword ptr [ebx+9A4h], 0Bh
		jmp	loc_8F68F4
; 

loc_8F682C:				; CODE XREF: CmpInitCmRM+4B9j
		mov	dword ptr [ebx+9A4h], 0Ch
		jmp	loc_8F68F4
; 

loc_8F683B:				; CODE XREF: CmpInitCmRM+526j
		lea	eax, [ebp+var_A4]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		push	dword ptr [esi+10h]
		lea	ecx, [esi+18h]
		push	1F007Fh
		push	ecx
		call	_ZwOpenResourceManager@20 ; ZwOpenResourceManager(x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_48], eax
		jmp	loc_7D96D8
; 

loc_8F6861:				; CODE XREF: CmpInitCmRM+52Ej
		mov	dword ptr [ebx+9A4h], 0Dh
		jmp	loc_8F68F4
; 

loc_8F6870:				; CODE XREF: CmpInitCmRM+543j
		mov	dword ptr [ebx+9A4h], 0Eh
		jmp	short loc_8F68F4
; 

loc_8F687C:				; CODE XREF: CmpInitCmRM+573j
		mov	dword ptr [ebx+9A4h], 0Fh
		jmp	short loc_8F68F4
; 

loc_8F6888:				; CODE XREF: CmpInitCmRM+5BDj
		xor	edx, edx
		mov	ecx, esi
		call	CmpStartRMLog
		jmp	loc_7D976F
; 

loc_8F6896:				; CODE XREF: CmpInitCmRM+3C0j
		mov	dword ptr [ebx+9A4h], 0Ah
		jmp	short loc_8F68F4
; 

loc_8F68A2:				; CODE XREF: CmpInitCmRM+35Bj
		mov	ecx, [ebp+var_48]
		mov	dword ptr [ebx+9A4h], 9
		jmp	short loc_8F68F1
; 

loc_8F68B1:				; CODE XREF: CmpInitCmRM+337j
		mov	[ebx+9A4h], esi
		jmp	short loc_8F68F1
; 

loc_8F68B9:				; CODE XREF: CmpInitCmRM+2ABj
		mov	dword ptr [ebx+9A4h], 6
		jmp	short loc_8F68F1
; 

loc_8F68C5:				; CODE XREF: CmpInitCmRM+245j
		mov	ecx, 0C000009Ah
		mov	dword ptr [ebx+9A4h], 5
		mov	[ebp+var_48], ecx
		jmp	short loc_8F68EF
; 

loc_8F68D9:				; CODE XREF: CmpInitCmRM+212j
		mov	dword ptr [ebx+9A4h], 4
		jmp	short loc_8F68EF
; 

loc_8F68E5:				; CODE XREF: CmpInitCmRM+1ECj
		mov	dword ptr [ebx+9A4h], 3

loc_8F68EF:				; CODE XREF: CmpInitCmRM+11D72Bj
					; CmpInitCmRM+11D737j
		xor	edi, edi

loc_8F68F1:				; CODE XREF: CmpInitCmRM+11D66Cj
					; CmpInitCmRM+11D703j ...
		mov	esi, [ebp+var_54]

loc_8F68F4:				; CODE XREF: CmpInitCmRM+11D67Bj
					; CmpInitCmRM+11D68Aj ...
		push	ecx
		mov	edx, ebx
		call	_CmpLogTxrInitEvent@12 ; CmpLogTxrInitEvent(x,x,x)
		cmp	[ebp+var_58], 0
		jz	short loc_8F690E
		push	[ebp+var_58]
		call	ds:__imp__ClfsMgmtDeregisterManagedClient@4 ; ClfsMgmtDeregisterManagedClient(x)
		mov	[ebp+var_58], edi

loc_8F690E:				; CODE XREF: CmpInitCmRM+11D754j
		cmp	[ebp+var_50], 0
		jz	short loc_8F691D
		push	[ebp+var_50]
		call	ds:__imp__ClfsCloseLogFileObject@4 ; ClfsCloseLogFileObject(x)

loc_8F691D:				; CODE XREF: CmpInitCmRM+11D766j
		cmp	[ebp+var_70], 0
		jz	short loc_8F692C
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_8F692C:				; CODE XREF: CmpInitCmRM+11D775j
		cmp	[ebp+var_80], 0
		jz	short loc_8F693E
		lea	eax, [ebp+var_84]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_8F693E:				; CODE XREF: CmpInitCmRM+11D784j
		cmp	[ebp+var_5C], 0
		jz	short loc_8F694D
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_8F694D:				; CODE XREF: CmpInitCmRM+11D796j
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_8F695A
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_8F695A:				; CODE XREF: CmpInitCmRM+11D7A6j
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jz	short loc_8F6966
		call	ObfDereferenceObject

loc_8F6966:				; CODE XREF: CmpInitCmRM+11D7B3j
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_8F6973
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_8F6973:				; CODE XREF: CmpInitCmRM+11D7BFj
		push	6D524D43h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_A8]
		push	esi
		call	ExDeleteResourceLite
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_48]
		mov	[ebx+9A8h], eax
		jmp	loc_7D9771
; END OF FUNCTION CHUNK	FOR CmpInitCmRM
; 
; START	OF FUNCTION CHUNK FOR CmpUuidCreate

loc_8F699F:				; CODE XREF: CmpUuidCreate+16j
		or	[ebp+var_4], 0FFFFFFFFh
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		push	0
		mov	[ebp+var_8], 0FF676980h
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_7D9809
; END OF FUNCTION CHUNK	FOR CmpUuidCreate
; 
; START	OF FUNCTION CHUNK FOR CmpQueryNameString

loc_8F69BC:				; CODE XREF: CmpQueryNameString+71j
		cmp	edi, 80000005h
		jnz	loc_7D9913
		mov	eax, [ebp+var_8]
		cmp	[ebp+var_4], eax
		jbe	loc_7D9913
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		push	62534D43h
		push	eax
		push	1
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_10], eax
		jmp	loc_7D98AD
; 

loc_8F69FA:				; CODE XREF: CmpQueryNameString+B2j
		lea	eax, [ecx-2]
		mov	[ebx], ax
		movzx	ecx, ax
		test	ax, ax
		jnz	loc_7D9900
		jmp	loc_7D9910
; END OF FUNCTION CHUNK	FOR CmpQueryNameString
; 
; START	OF FUNCTION CHUNK FOR CmpTransSearchAddTransFromRm

loc_8F6A11:				; CODE XREF: CmpTransSearchAddTransFromRm+13j
		cmp	dword ptr [ecx+30h], 0
		jz	loc_880F1B
		jmp	loc_880EE5
; 

loc_8F6A20:				; CODE XREF: CmpTransSearchAddTransFromRm+1Dj
		test	esi, esi
		jnz	loc_880EEF
		mov	eax, 0C0190002h
		jmp	loc_880F11
; END OF FUNCTION CHUNK	FOR CmpTransSearchAddTransFromRm
; 
; START	OF FUNCTION CHUNK FOR CmpTransSearchAddTrans

loc_8F6A32:				; CODE XREF: CmpTransSearchAddTrans+74j
		cmp	[ebp+arg_8], 0
		jz	loc_881001
		mov	eax, _CmpTransactionInitializingCount
		mov	ecx, offset _CmpTransactionListLock
		mov	[esp+20h+var_8], eax
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	0
		push	4
		lea	eax, [esp+28h+var_8]
		mov	edx, offset _CmpTransactionInitializingCount
		push	eax
		mov	ecx, offset _CmpTransactionInitializingEvent
		call	ExBlockOnAddressPushLock
		jmp	loc_880F5E
; 

loc_8F6A78:				; CODE XREF: CmpTransSearchAddTrans+11Cj
		mov	esi, 0C000009Ah
		jmp	loc_880FDF
; 

loc_8F6A82:				; CODE XREF: CmpTransSearchAddTrans+125j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebx+30h]
		add	ecx, 430h
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		movzx	eax, al
		mov	[esp+20h+var_C], eax
		test	eax, eax
		jnz	loc_88104D
		mov	esi, 0C0000189h
		jmp	loc_881006
; 

loc_8F6AB7:				; CODE XREF: CmpTransSearchAddTrans+16Bj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpTransactionListLock
		call	ExAcquireFastMutexUnsafe
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	loc_88109A
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	loc_88109A
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	ecx, offset _CmpTransactionListLock
		dec	_CmpTransactionInitializingCount
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		and	[esp+20h+var_14], 0
		lea	eax, [esp+20h+var_4]
		and	[esp+20h+var_4], 0
		xor	edx, edx
		lock or	[eax], edx
		cmp	_CmpTransactionInitializingEvent, edx
		jz	loc_881006
		mov	ecx, offset _CmpTransactionInitializingEvent
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_881006
; 

loc_8F6B34:				; CODE XREF: CmpTransSearchAddTrans+E8j
		push	72544D43h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_880FB7
; 

loc_8F6B44:				; CODE XREF: CmpTransSearchAddTrans+9Aj
		mov	ecx, [ebp+arg_4]
		lea	ecx, [ecx+430h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_880FC2
; END OF FUNCTION CHUNK	FOR CmpTransSearchAddTrans
; 
; START	OF FUNCTION CHUNK FOR CmpSearchForTrans

loc_8F6B63:				; CODE XREF: CmpSearchForTrans+2Dj
					; CmpSearchForTrans+36j
		mov	eax, [ebp+var_4]
		test	ebx, ebx
		jz	loc_8810B9
		lea	edx, [edi+2Ch]	; Source2
		mov	ecx, ebx	; Source1
		call	_CmpTransUowIsEqual@8 ;	CmpTransUowIsEqual(x,x)
		test	al, al
		mov	eax, [ebp+var_4]
		jz	loc_8810B9
		jmp	loc_8810DC
; END OF FUNCTION CHUNK	FOR CmpSearchForTrans
; 
; START	OF FUNCTION CHUNK FOR CmpTransInitializeTransaction

loc_8F6B88:				; CODE XREF: CmpTransInitializeTransaction+28j
		lea	eax, [ebp+var_8]
		xor	edx, edx
		push	eax
		push	1
		push	dword ptr [edi+1Ch]
		call	CmpTransSearchAddTransFromRm
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8811C8
		jmp	loc_881118
; 

loc_8F6BA7:				; CODE XREF: CmpTransInitializeTransaction+A8j
		mov	ebx, 0C0190002h
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()

loc_8F6BB1:				; CODE XREF: CmpTransInitializeTransaction+4Dj
					; CmpTransInitializeTransaction+6Dj
		test	esi, esi
		jz	loc_8811C8
		push	esi
		call	_CmpTransDereferenceTransaction@4 ; CmpTransDereferenceTransaction(x)
		jmp	loc_8811C8
; END OF FUNCTION CHUNK	FOR CmpTransInitializeTransaction
; 
; START	OF FUNCTION CHUNK FOR CmpStartRMLogs

loc_8F6BC4:				; CODE XREF: CmpStartRMLogs+5Fj
		cmp	esi, 0C000007Fh
		jz	loc_88130B
		cmp	esi, 0C0000043h
		jz	loc_88130B
		cmp	esi, 0C000009Ah
		jz	loc_88130B
		cmp	byte ptr [ebp+var_18], 1
		jnz	loc_88130B
		and	dword ptr [ebx+3Ch], 0FFFFFFFDh
		lea	edx, [ebp+var_14]
		mov	ecx, ebx
		call	CmpStartRMLog
		mov	esi, eax
		jmp	loc_88130B
; END OF FUNCTION CHUNK	FOR CmpStartRMLogs
; 
; START	OF FUNCTION CHUNK FOR CmpStartRMLog

loc_8F6C07:				; CODE XREF: CmpStartRMLog+6Fj
		mov	ebx, 0C000009Ah

loc_8F6C0C:				; CODE XREF: CmpStartRMLog+56j
		mov	ecx, esi
		call	_UnlockRMLog@4	; UnlockRMLog(x)
		mov	eax, ebx
		jmp	loc_881773
; 

loc_8F6C1A:				; CODE XREF: CmpStartRMLog+A3j
		mov	eax, dword_6B179C
		mov	esi, [ebp+var_10]
		mov	edi, [eax+20h]
		add	edi, ecx
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_20]
		jmp	loc_8814ED
; 

loc_8F6C33:				; CODE XREF: CmpStartRMLog+8Fj
		mov	ecx, [esi+30h]
		lea	edx, [ebp+var_48]
		mov	ecx, [ecx+400h]
		call	CmpQueryNameString
		mov	edi, eax
		test	edi, edi
		js	loc_88173C
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_48]
		mov	[ebp+var_1C], eax
		mov	ecx, 80h
		test	edx, edx
		jz	short loc_8F6C71
		mov	eax, [esi+30h]
		mov	esi, edx
		mov	edi, [eax+20h]
		add	edi, ecx
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_20]

loc_8F6C71:				; CODE XREF: CmpStartRMLog+7581Aj
		lea	eax, [ebp+var_40]
		push	eax
		mov	eax, [esi+30h]
		mov	eax, [eax+20h]
		add	eax, ecx
		push	eax
		call	_RtlStringFromGUID@8 ; RtlStringFromGUID(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_88173C
		mov	eax, [esi+30h]
		mov	dword ptr [esi+28h], 100000h
		mov	[esi+2Ch], ebx
		jmp	loc_88151A
; 

loc_8F6C9F:				; CODE XREF: CmpStartRMLog+24Bj
		test	eax, eax
		js	loc_8816A4
		mov	eax, [ebp+var_50]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_4C]
		jmp	loc_8816A1
; 

loc_8F6CB5:				; CODE XREF: CmpStartRMLog+19Aj
					; CmpStartRMLog+1A5j
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx+48h]
		mov	[ebp+var_38], eax
		mov	eax, [ecx+4Ch]
		mov	[ebp+var_34], eax
		jmp	loc_8816B2
; 

loc_8F6CC9:				; CODE XREF: CmpStartRMLog+295j
		test	byte ptr [esi+3Ch], 4
		jz	loc_8816DF
		push	[ebp+var_34]
		mov	ecx, esi
		push	[ebp+var_38]
		call	_CmpRmRecover@12 ; CmpRmRecover(x,x,x)
		and	dword ptr [esi+3Ch], 0FFFFFFFBh
		jmp	loc_8816DF
; 

loc_8F6CE9:				; CODE XREF: CmpStartRMLog+2CBj
					; CmpStartRMLog+2D5j
		mov	[ebp+var_2], bl
		cmp	[ebp+var_8], ebx
		jz	short loc_8F6CFD
		push	[ebp+var_8]
		call	ds:__imp__ClfsTerminateReadLog@4 ; ClfsTerminateReadLog(x)
		mov	[ebp+var_8], ebx

loc_8F6CFD:				; CODE XREF: CmpStartRMLog+758ABj
		push	dword ptr [esi+34h]
		call	ds:__imp__ClfsDeleteLogByPointer@4 ; ClfsDeleteLogByPointer(x)
		lea	edi, [esi+38h]
		push	dword ptr [edi]
		call	ds:__imp__ClfsDeleteMarshallingArea@4 ;	ClfsDeleteMarshallingArea(x)
		push	dword ptr [esi+34h]
		mov	[edi], ebx
		call	ds:__imp__ClfsCloseLogFileObject@4 ; ClfsCloseLogFileObject(x)
		push	edi
		lea	eax, [esi+34h]
		push	eax
		lea	ecx, [esi+24h]
		mov	[eax], ebx
		push	ecx
		lea	eax, [esi+28h]
		mov	[ecx], ebx
		push	eax
		push	ecx
		push	[ebp+var_14]
		jmp	loc_88154A
; 

loc_8F6D36:				; CODE XREF: CmpStartRMLog+2DEj
		push	[ebp+var_8]
		call	ds:__imp__ClfsTerminateReadLog@4 ; ClfsTerminateReadLog(x)
		jmp	loc_881728
; 

loc_8F6D44:				; CODE XREF: CmpStartRMLog+2E6j
		cmp	[esi+38h], ebx
		jz	loc_88173C
		mov	[esi+38h], ebx
		jmp	loc_88173C
; 

loc_8F6D55:				; CODE XREF: CmpStartRMLog+302j
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	loc_88174C
; END OF FUNCTION CHUNK	FOR CmpStartRMLog
; 
; START	OF FUNCTION CHUNK FOR CmpLogCheckpoint

loc_8F6D63:				; CODE XREF: CmpLogCheckpoint+A8j
		lea	ebx, [eax+40h]
		push	ebx
		call	ds:__imp__ClfsLsnInvalid@4 ; ClfsLsnInvalid(x)
		test	al, al
		jnz	short loc_8F6D8E
		lea	eax, [esi+48h]
		push	eax
		call	ds:__imp__ClfsLsnContainer@4 ; ClfsLsnContainer(x)
		push	ebx
		mov	esi, eax
		call	ds:__imp__ClfsLsnContainer@4 ; ClfsLsnContainer(x)
		cmp	eax, esi
		jz	short loc_8F6DCE
		mov	esi, [ebp+var_D4]

loc_8F6D8E:				; CODE XREF: CmpLogCheckpoint+7555Bj
		lea	eax, [ebp+var_BC]
		push	eax
		call	ds:__imp__ClfsLsnInvalid@4 ; ClfsLsnInvalid(x)
		test	al, al
		jnz	short loc_8F6DB8
		lea	eax, [ebp+var_BC]
		push	eax
		push	ebx
		call	ds:__imp__ClfsLsnLess@8	; ClfsLsnLess(x,x)
		test	al, al
		lea	eax, [esi+8]
		jz	loc_8818AB

loc_8F6DB8:				; CODE XREF: CmpLogCheckpoint+75589j
		mov	eax, [ebx]
		mov	[ebp+var_BC], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_B8], eax
		jmp	loc_8818A8
; 

loc_8F6DCE:				; CODE XREF: CmpLogCheckpoint+75572j
		mov	ecx, offset _CmpTransactionListLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax
		jmp	loc_881A12
; 

loc_8F6DEB:				; CODE XREF: CmpLogCheckpoint+1F6j
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_E0], edi
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	3
		push	esi
		push	esi
		push	offset word_41AA12
		push	ebx
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], 4
		mov	[ebp+var_10], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_881A10
; END OF FUNCTION CHUNK	FOR CmpLogCheckpoint
; 
; START	OF FUNCTION CHUNK FOR CmpTransWriteLog

loc_8F6E1F:				; CODE XREF: CmpTransWriteLog+2Dj
					; CmpTransWriteLog+7554Aj ...
		mov	eax, ds:_CLFS_LSN_NULL_EXT
		push	esi
		push	[ebp+arg_4]
		mov	[ebp+var_74], eax
		mov	eax, ds:dword_412DAC
		mov	[ebp+var_70], eax
		mov	eax, [ebp+var_64]
		push	0
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+arg_0]
		push	0
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	eax
		push	1
		lea	eax, [ebp+var_7C]
		push	eax
		push	dword ptr [ebx+38h]
		call	ds:__imp__ClfsReserveAndAppendLog@36 ; ClfsReserveAndAppendLog(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_8F6E69
		mov	[ebp+var_50], eax
		jmp	loc_881A5A
; 

loc_8F6E69:				; CODE XREF: CmpTransWriteLog+75437j
		push	20204D43h
		push	0C00h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_50], eax
		test	eax, eax
		jz	loc_8F707A
		push	0C00h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_64]
		mov	ecx, 0BCCh
		add	esp, 0Ch
		mov	[ebp+var_54], ecx
		mov	eax, [eax+4]
		mov	[ebp+var_6C], eax
		cmp	eax, ecx
		jb	loc_8F6F4A
		xor	edx, edx

loc_8F6EB0:				; CODE XREF: CmpTransWriteLog+7548Fj
		inc	edx
		cmp	eax, ecx
		jb	short loc_8F6EB9
		sub	eax, ecx
		jnz	short loc_8F6EB0

loc_8F6EB9:				; CODE XREF: CmpTransWriteLog+7548Bj
		mov	eax, [ebp+var_50]
		mov	edi, eax
		mov	esi, [ebp+var_64]
		push	0Ah
		mov	[ebp+var_68], esi
		lea	ecx, [eax+34h]
		mov	[ebp+var_5C], ecx
		pop	ecx
		rep movsd
		or	dword ptr [eax+0Ch], 80000000h
		xor	esi, esi
		mov	edi, [ebp+var_54]
		mov	ecx, [ebp+var_68]
		mov	[eax+28h], edx
		mov	[ebp+var_7C], eax
		jmp	short loc_8F6EE9
; 

loc_8F6EE6:				; CODE XREF: CmpTransWriteLog+7551Dj
		mov	esi, [ebp+var_54]

loc_8F6EE9:				; CODE XREF: CmpTransWriteLog+754BCj
		push	edi		; size_t
		push	ecx		; void *
		push	[ebp+var_5C]	; void *
		call	_memcpy
		mov	eax, [ebp+var_50]
		add	esp, 0Ch
		push	[ebp+var_60]
		mov	[eax+2Ch], esi
		inc	esi
		push	[ebp+arg_4]
		mov	[eax+30h], edi
		lea	eax, [edi+34h]
		push	0
		push	0
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	eax
		push	1
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_54], esi
		push	eax
		push	dword ptr [ebx+38h]
		call	ds:__imp__ClfsReserveAndAppendLog@36 ; ClfsReserveAndAppendLog(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8F6F47
		mov	eax, [ebp+var_6C]
		mov	ecx, [ebp+var_68]
		sub	eax, edi
		add	ecx, edi
		mov	[ebp+var_6C], eax
		mov	[ebp+var_68], ecx
		cmp	eax, edi
		jnb	short loc_8F6F43
		mov	edi, eax

loc_8F6F43:				; CODE XREF: CmpTransWriteLog+75517j
		test	eax, eax
		jnz	short loc_8F6EE6

loc_8F6F47:				; CODE XREF: CmpTransWriteLog+75503j
		mov	edi, [ebp+var_58]

loc_8F6F4A:				; CODE XREF: CmpTransWriteLog+75480j
		push	0
		push	[ebp+var_50]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_50], esi
		jmp	loc_881A5A
; 

loc_8F6F5C:				; CODE XREF: CmpTransWriteLog+38j
		test	edi, edi
		jnz	short loc_8F6F7A
		inc	edi
		mov	ecx, ebx
		push	1
		mov	[ebp+var_58], edi
		call	CmpLogCheckpoint
		mov	esi, [ebp+var_60]
		test	eax, eax
		jns	loc_8F6E1F
		jmp	short loc_8F6F83
; 

loc_8F6F7A:				; CODE XREF: CmpTransWriteLog+75536j
		cmp	edi, 1
		jnz	loc_881A90

loc_8F6F83:				; CODE XREF: CmpTransWriteLog+75550j
		inc	edi
		mov	ecx, ebx
		mov	[ebp+var_58], edi
		call	_CmpAddRemoveRMLogContainer@8 ;	CmpAddRemoveRMLogContainer(x,x)
		cmp	dword_6B2348, 5
		mov	esi, eax
		jbe	short loc_8F6FEE
		push	0
		push	1
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_8F6FEE
		push	4
		pop	edx
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_5C], 1
		mov	[ebp+var_2C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_54]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	edx
		push	ecx
		push	ecx
		push	offset dword_41AA98
		push	offset dword_6B2348
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_54], esi
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_8F6FEE:				; CODE XREF: CmpTransWriteLog+7556Fj
					; CmpTransWriteLog+75581j
		test	esi, esi
		js	loc_881A90
		push	1
		mov	ecx, ebx
		call	CmpLogCheckpoint
		mov	esi, [ebp+var_60]
		jmp	loc_8F6E1F
; 

loc_8F7007:				; CODE XREF: CmpTransWriteLog+62j
		mov	ecx, ebx
		call	_CmpAddRemoveRMLogContainer@8 ;	CmpAddRemoveRMLogContainer(x,x)
		cmp	dword_6B2348, 5
		mov	esi, eax
		jbe	loc_881A90
		xor	edi, edi
		mov	ecx, offset dword_6B2348
		push	edi
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_881A90
		push	4
		pop	ecx
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_5C], 2
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	ecx
		push	edi
		push	edi
		push	offset byte_41AA65
		push	offset dword_6B2348
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edi
		mov	[ebp+var_54], esi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_881A90
; 

loc_8F707A:				; CODE XREF: CmpTransWriteLog+75457j
		mov	[ebp+var_50], 0C000009Ah
		jmp	loc_881A90
; END OF FUNCTION CHUNK	FOR CmpTransWriteLog
; 
; START	OF FUNCTION CHUNK FOR CmpComputeLogFillLevel

loc_8F7086:				; CODE XREF: CmpComputeLogFillLevel+D9j
		lea	eax, [ebp+var_98]
		mov	[ebp+var_98], 78h
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		push	[ebp+var_84]
		call	ebx
		mov	esi, eax
		test	esi, esi
		js	loc_881BC8
		mov	eax, [ebp+var_80]
		sub	eax, [ebp+var_78]
		mov	ecx, [ebp+var_7C]
		sbb	ecx, [ebp+var_74]
		jmp	loc_881BB1
; END OF FUNCTION CHUNK	FOR CmpComputeLogFillLevel
; 
; START	OF FUNCTION CHUNK FOR CmpStartCLFSLog

loc_8F70BE:				; CODE XREF: CmpStartCLFSLog+7Fj
		mov	eax, 0C000009Ah
		jmp	loc_881E0D
; 

loc_8F70C8:				; CODE XREF: CmpStartCLFSLog+12Fj
		mov	esi, 0C000009Ah
		jmp	loc_881DE5
; 

loc_8F70D2:				; CODE XREF: CmpStartCLFSLog+14Aj
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_881DE5
; 

loc_8F70DC:				; CODE XREF: CmpStartCLFSLog+112j
		cmp	esi, 0C0000034h
		jnz	loc_881DE5
		xor	eax, eax
		push	eax
		push	eax
		push	200h
		push	eax
		push	8
		push	2
		push	edi
		push	eax
		push	0C0010000h
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	ds:__imp__ClfsCreateLogFile@44 ; ClfsCreateLogFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_881DE5
		xor	edi, edi

loc_8F7117:				; CODE XREF: CmpStartCLFSLog+754ECj
		mov	ecx, [ebp+var_24]
		mov	edx, ebx
		push	1
		push	[ebp+var_48]
		push	edi
		push	offset _CmpContainerSuffix
		push	offset _CmpLogExt
		push	[ebp+var_4C]
		call	_CmpAddRemoveContainerToCLFSLog@32 ; CmpAddRemoveContainerToCLFSLog(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_881DE5
		inc	edi
		cmp	edi, 3
		jb	short loc_8F7117
		jmp	loc_881DAE
; 

loc_8F7149:				; CODE XREF: CmpStartCLFSLog+19Dj
		lea	eax, [ebp+var_5C]
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	PsRestoreImpersonation
		jmp	loc_881DF9
; 

loc_8F715E:				; CODE XREF: CmpStartCLFSLog+1AFj
		cmp	[ebp+var_24], 0
		jz	loc_881E0B
		push	[ebp+var_24]
		call	ds:__imp__ClfsCloseLogFileObject@4 ; ClfsCloseLogFileObject(x)
		jmp	loc_881E0B
; END OF FUNCTION CHUNK	FOR CmpStartCLFSLog
; 
; START	OF FUNCTION CHUNK FOR WmipSecurityMethod

loc_8F7176:				; CODE XREF: WmipSecurityMethod+48j
		push	0
		push	0
		push	0C000000Dh
		push	1
		push	29h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8F7188:				; CODE XREF: WmipSecurityMethod+DBj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	70696D57h
		push	[ebp+var_60]
		push	[ebp+var_68]
		jmp	loc_7D9AD4
; 

loc_8F71A0:				; CODE XREF: WmipSecurityMethod+B9j
		mov	esi, 0C000009Ah
		jmp	loc_7D9B05
; END OF FUNCTION CHUNK	FOR WmipSecurityMethod

;  S U B	R O U T	I N E 


sub_8F71AA	proc near		; DATA XREF: .text:006A4224o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F71AA	endp


;  S U B	R O U T	I N E 


sub_8F71BA	proc near		; DATA XREF: .text:006A4228o
		mov	esp, [ebp-18h]
		mov	edx, [ebp-20h]
		jmp	loc_7D9C2D
sub_8F71BA	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlSetKernelEaFile

loc_8F71C5:				; CODE XREF: FsRtlSetKernelEaFile+37j
		mov	edi, 0C0000010h
		jmp	loc_7D9D90
; 

loc_8F71CF:				; CODE XREF: FsRtlSetKernelEaFile+5Bj
		mov	edi, 0C000009Ah
		jmp	loc_7D9D90
; 

loc_8F71D9:				; CODE XREF: FsRtlSetKernelEaFile+C1j
		lea	eax, [ebp+var_34]
		mov	[ebp+arg_4], eax
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+arg_4]
		push	eax
		push	1
		call	FsRtlCancellableWaitForMultipleObjects
		cmp	eax, 0C000004Bh
		jnz	loc_7D9D8D
		push	esi
		call	IoCancelIrp
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_34]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_7D9D8D
; END OF FUNCTION CHUNK	FOR FsRtlSetKernelEaFile

;  S U B	R O U T	I N E 


sub_8F7211	proc near		; DATA XREF: .text:006A4248o
		xor	ebx, ebx
		mov	esi, [ebp-24h]
		mov	edi, [ebp-20h]
		jmp	sub_7D9DB3
sub_8F7211	endp

; 
; START	OF FUNCTION CHUNK FOR sub_7D9DB3

loc_8F721E:				; CODE XREF: sub_7D9DB3+9j
		call	_FsRtlpFreeMdlChain@4 ;	FsRtlpFreeMdlChain(x)
		mov	[esi+4], ebx
		jmp	loc_7D9DC2
; END OF FUNCTION CHUNK	FOR sub_7D9DB3
; 
; START	OF FUNCTION CHUNK FOR GetPropertyFromPropArray

loc_8F722B:				; CODE XREF: GetPropertyFromPropArray+77j
		test	eax, eax
		jz	short loc_8F7244
		test	ecx, ecx
		jz	short loc_8F7244
		push	ecx		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_7D9E47

loc_8F7244:				; CODE XREF: GetPropertyFromPropArray+11D463j
					; GetPropertyFromPropArray+11D467j
		mov	ecx, [ebp+arg_4]
		jmp	loc_7D9E04
; END OF FUNCTION CHUNK	FOR GetPropertyFromPropArray
; 
; START	OF FUNCTION CHUNK FOR NtPrivilegedServiceAuditAlarm

loc_8F724C:				; CODE XREF: NtPrivilegedServiceAuditAlarm+44j
		mov	esi, 0C0000061h
		jmp	short loc_8F727D
; 

loc_8F7253:				; CODE XREF: NtPrivilegedServiceAuditAlarm+6Ej
		lea	eax, [ebp+var_48]
		push	eax
		call	SeReleaseSubjectContext
		cmp	esi, 0C0000008h
		jz	short loc_8F7286
		push	esi
		jmp	short loc_8F726C
; 

loc_8F7267:				; CODE XREF: NtPrivilegedServiceAuditAlarm+11D45Bj
		push	0C000009Ah

loc_8F726C:				; CODE XREF: NtPrivilegedServiceAuditAlarm+11D3A3j
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	short loc_8F7286
; 

loc_8F7273:				; CODE XREF: NtPrivilegedServiceAuditAlarm+87j
		call	ObfDereferenceObject
		mov	esi, 0C00000A5h

loc_8F727D:				; CODE XREF: NtPrivilegedServiceAuditAlarm+11D38Fj
		lea	eax, [ebp+var_48]
		push	eax
		call	SeReleaseSubjectContext

loc_8F7286:				; CODE XREF: NtPrivilegedServiceAuditAlarm+11D3A0j
					; NtPrivilegedServiceAuditAlarm+11D3AFj ...
		mov	eax, esi
		jmp	loc_7DA072
; 

loc_8F728D:				; CODE XREF: NtPrivilegedServiceAuditAlarm+DDj
		mov	edx, eax
		jmp	loc_7D9FA5
; 

loc_8F7294:				; CODE XREF: NtPrivilegedServiceAuditAlarm+F2j
		mov	esi, 0C000000Dh
		jmp	short loc_8F72A0
; 

loc_8F729B:				; CODE XREF: NtPrivilegedServiceAuditAlarm+133j
		mov	esi, 0C000009Ah

loc_8F72A0:				; CODE XREF: NtPrivilegedServiceAuditAlarm+11D3D7j
		mov	[ebp+var_1C], esi
		jmp	loc_7DA00F
; 

loc_8F72A8:				; CODE XREF: NtPrivilegedServiceAuditAlarm+111j
					; NtPrivilegedServiceAuditAlarm+119j
		mov	[edx], bl
		jmp	loc_7D9FE1
; END OF FUNCTION CHUNK	FOR NtPrivilegedServiceAuditAlarm

;  S U B	R O U T	I N E 


sub_8F72AF	proc near		; DATA XREF: .text:006A4264o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F72AF	endp


;  S U B	R O U T	I N E 


sub_8F72BD	proc near		; DATA XREF: .text:006A4268o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-34h]
		mov	[ebp-1Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		jmp	loc_7DA016
sub_8F72BD	endp

; 
; START	OF FUNCTION CHUNK FOR NtPrivilegedServiceAuditAlarm

loc_8F72D4:				; CODE XREF: NtPrivilegedServiceAuditAlarm+156j
		cmp	[ebp+var_2C], 0
		jz	short loc_8F72E3
		push	ebx
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F72E3:				; CODE XREF: NtPrivilegedServiceAuditAlarm+11D416j
		cmp	[ebp+var_28], 0
		jz	short loc_8F72F2
		push	ebx
		push	[ebp+var_28]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F72F2:				; CODE XREF: NtPrivilegedServiceAuditAlarm+11D425j
		mov	edi, [ebp+var_20]
		test	edi, edi
		jz	short loc_8F7300
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F7300:				; CODE XREF: NtPrivilegedServiceAuditAlarm+11D435j
		lea	eax, [ebp+var_48]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObject
		cmp	esi, 0C000009Ah
		jnz	loc_8F7286
		jmp	loc_8F7267
; END OF FUNCTION CHUNK	FOR NtPrivilegedServiceAuditAlarm

;  S U B	R O U T	I N E 


sub_8F7322	proc near		; DATA XREF: .text:006A4284o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F7322	endp


;  S U B	R O U T	I N E 


sub_8F7332	proc near		; DATA XREF: .text:006A4288o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_7DA143
sub_8F7332	endp

; 
; START	OF FUNCTION CHUNK FOR WdipStartEndScenario

loc_8F7344:				; CODE XREF: WdipStartEndScenario+1Aj
		cmp	[edx+4], si
		jnz	loc_7DA442
		cmp	[edx+6], si
		jnz	loc_7DA442
		cmp	byte ptr [edx+8], 0
		jnz	loc_7DA442
		cmp	byte ptr [edx+9], 0
		jnz	loc_7DA442
		cmp	byte ptr [edx+0Ah], 0
		jnz	loc_7DA442
		cmp	byte ptr [edx+0Bh], 0
		jnz	loc_7DA442
		cmp	byte ptr [edx+0Ch], 0
		jnz	loc_7DA442
		cmp	byte ptr [edx+0Dh], 0
		jnz	loc_7DA442
		cmp	byte ptr [edx+0Eh], 0
		jnz	loc_7DA442
		cmp	byte ptr [edx+0Fh], 0
		jz	loc_7DA460
		jmp	loc_7DA442
; END OF FUNCTION CHUNK	FOR WdipStartEndScenario
; 
; START	OF FUNCTION CHUNK FOR WdipSemDisableScenario

loc_8F73AD:				; CODE XREF: WdipSemDisableScenario+37j
					; WdipSemDisableScenario+3Fj
		mov	esi, 0C000000Dh
		jmp	loc_7DA587
; 

loc_8F73B7:				; CODE XREF: WdipSemDisableScenario+5Aj
		mov	[ebp+var_1], 1
		jmp	loc_7DA526
; 

loc_8F73C0:				; CODE XREF: WdipSemDisableScenario+103j
		mov	edx, [ebp+var_C]
		mov	ecx, offset _WDI_SEM_EVENT_SCENARIO_END_FAILED
		push	esi
		push	edi
		push	[ebp+var_8]
		call	_WdipSemWriteSemFailureEvent@20	; WdipSemWriteSemFailureEvent(x,x,x,x,x)
		jmp	loc_7DA5A5
; 

loc_8F73D7:				; CODE XREF: WdipSemDisableScenario+10Dj
		mov	ecx, ebx
		call	_WdipSemActivateInstance@4 ; WdipSemActivateInstance(x)
		jmp	loc_7DA555
; 

loc_8F73E3:				; CODE XREF: WdipSemDisableScenario+D7j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		cmp	_WdipSemEnabled, 0
		jz	short loc_8F7408
		call	_WdipSemShutdown@0 ; WdipSemShutdown()

loc_8F7408:				; CODE XREF: WdipSemDisableScenario+11CF65j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_7DA579
; END OF FUNCTION CHUNK	FOR WdipSemDisableScenario
; 
; START	OF FUNCTION CHUNK FOR WdipSemWriteSemActionsEvent

loc_8F7422:				; CODE XREF: WdipSemWriteSemActionsEvent+4Dj
					; WdipSemWriteSemActionsEvent+55j
		mov	esi, 0C000000Dh
		jmp	loc_7DA9A5
; END OF FUNCTION CHUNK	FOR WdipSemWriteSemActionsEvent
; 
; START	OF FUNCTION CHUNK FOR WmiQueryTraceInformation

loc_8F742C:				; CODE XREF: WmiQueryTraceInformation+2Dj
		mov	[edi], ebx
		jmp	loc_7DAA99
; 

loc_8F7433:				; CODE XREF: WmiQueryTraceInformation+3Fj
					; DATA XREF: PAGE:off_7DABC6o
		cmp	[ebp+arg_8], 4	; case 0x0
		jnz	short loc_8F746C
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_8F747D
		mov	esi, [eax+8]
		mov	edx, [eax+0Ch]
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], edx
		mov	eax, esi
		or	eax, edx
		jz	short loc_8F745B
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_8F748E
		cmp	edx, ebx
		jnz	short loc_8F748E

loc_8F745B:				; CODE XREF: WmiQueryTraceInformation+11C9EAj
					; WmiQueryTraceInformation+11CA32j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000008h
		jmp	loc_7DAB0B
; 

loc_8F746C:				; CODE XREF: WmiQueryTraceInformation+4Aj
					; WmiQueryTraceInformation+D0j	...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_7DAB0B
; 

loc_8F747D:				; CODE XREF: WmiQueryTraceInformation+55j
					; WmiQueryTraceInformation+11C9D8j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000030h
		jmp	loc_7DAB0B
; 

loc_8F748E:				; CODE XREF: WmiQueryTraceInformation+11C9EFj
					; WmiQueryTraceInformation+11C9F3j
		movzx	eax, word ptr [ebp+var_38]
		mov	[ebp+var_1C], eax
		cmp	eax, [ecx+8]
		jnb	short loc_8F745B
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_7DAAF9
		mov	[ecx], eax
		jmp	loc_7DAAF9
; 

loc_8F74AC:				; CODE XREF: WmiQueryTraceInformation+95j
		mov	dword ptr [edi], 4
		jmp	loc_7DAB01
; 

loc_8F74B7:				; CODE XREF: WmiQueryTraceInformation+3Fj
					; DATA XREF: PAGE:007DABCAo
		cmp	[ebp+arg_8], 8	; case 0x1
		jnz	short loc_8F746C
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_8F747D
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		cmp	eax, [ecx+8]
		jnb	short loc_8F745B
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		test	eax, eax
		movzx	eax, ax
		jnz	short loc_8F74E0
		mov	eax, 0FFFFh

loc_8F74E0:				; CODE XREF: WmiQueryTraceInformation+11CA73j
		mov	word ptr [ebp+var_38], ax
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_8F74FA
		mov	eax, [ebp+var_38]
		mov	[ecx], eax
		mov	[ecx+4], ebx
		jmp	short loc_8F74FA
; 

loc_8F74F5:				; CODE XREF: WmiQueryTraceInformation+11CD9Aj
		mov	[eax], ebx
		mov	[eax+4], esi

loc_8F74FA:				; CODE XREF: WmiQueryTraceInformation+11CA83j
					; WmiQueryTraceInformation+11CA8Dj ...
		test	edi, edi
		jz	loc_7DAB01
		mov	dword ptr [edi], 8
		jmp	loc_7DAB01
; 

loc_8F750D:				; CODE XREF: WmiQueryTraceInformation+3Fj
					; DATA XREF: PAGE:007DABCEo
		cmp	[ebp+arg_8], 4	; case 0x2
		jb	loc_8F746C
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	loc_8F747D
		mov	edx, [ecx+8]
		mov	ecx, [ecx+0Ch]
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], ecx
		mov	eax, edx
		or	eax, ecx
		jz	loc_8F745B
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_8F754E
		cmp	ecx, ebx
		jz	loc_8F745B
		jmp	short loc_8F754E
; 

loc_8F7547:				; CODE XREF: WmiQueryTraceInformation+11CB28j
					; WmiQueryTraceInformation+11CB32j
		shrd	edx, ecx, 10h
		movzx	ecx, dl

loc_8F754E:				; CODE XREF: WmiQueryTraceInformation+11CAD5j
					; WmiQueryTraceInformation+11CADFj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_7DAAF9
		mov	[eax], ecx
		jmp	loc_7DAAF9
; 

loc_8F7560:				; CODE XREF: WmiQueryTraceInformation+3Fj
					; DATA XREF: PAGE:007DABD2o
		cmp	[ebp+arg_8], 4	; case 0x3
		jb	loc_8F746C
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	loc_8F747D
		mov	edx, [ecx+8]
		mov	ecx, [ecx+0Ch]
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], ecx
		mov	eax, edx
		or	eax, ecx
		jz	loc_8F745B
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_8F7547
		cmp	ecx, ebx
		jz	loc_8F745B
		jmp	short loc_8F7547
; 

loc_8F759A:				; CODE XREF: WmiQueryTraceInformation+3Fj
					; DATA XREF: PAGE:007DABD6o
		push	8		; case 0x4
		pop	esi
		cmp	[ebp+arg_8], esi
		jnz	loc_8F746C
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+1F0h]
		push	ebx
		xor	edx, edx
		inc	edx
		call	EtwpAcquireLoggerContextByLoggerId
		test	eax, eax
		jz	short loc_8F75FD
		mov	ecx, [eax]
		mov	[ebp+arg_8], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ebx
		xor	dl, dl
		mov	ecx, eax
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_8F75EE
		mov	ecx, [ebp+arg_8]
		mov	[eax], ecx
		mov	[eax+4], ebx
		jmp	short loc_8F75EE
; 

loc_8F75E3:				; CODE XREF: WmiQueryTraceInformation+11CCD7j
		mov	eax, [ebp+var_38]
		mov	[ecx], eax
		mov	eax, [ebp+var_34]
		mov	[ecx+4], eax

loc_8F75EE:				; CODE XREF: WmiQueryTraceInformation+11CB71j
					; WmiQueryTraceInformation+11CB7Bj ...
		test	edi, edi
		jz	loc_7DAB01
		mov	[edi], esi
		jmp	loc_7DAB01
; 

loc_8F75FD:				; CODE XREF: WmiQueryTraceInformation+75j
					; WmiQueryTraceInformation+11CB56j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000225h
		jmp	loc_7DAB0B
; 

loc_8F760E:				; CODE XREF: WmiQueryTraceInformation+3Fj
					; DATA XREF: PAGE:007DABDAo
		mov	[ebp+var_20], 0C0000003h ; case	0x5
		jmp	loc_7DAB01
; 

loc_8F761A:				; CODE XREF: WmiQueryTraceInformation+3Fj
					; DATA XREF: PAGE:007DABDEo
		mov	[ebp+var_24], ebx ; case 0x6
		cmp	[ebp+arg_8], 8
		jb	loc_8F746C
		cmp	[ebp+arg_4], 0
		jz	loc_8F746C
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edx, [eax+1F0h]
		mov	[ebp+arg_C], edx
		mov	esi, ebx
		mov	[ebp+var_24], esi
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1C], eax
		mov	ecx, eax
		mov	[ebp+arg_10], ecx

loc_8F764F:				; CODE XREF: WmiQueryTraceInformation+11CC38j
		cmp	ecx, [edx+8]
		jnb	short loc_8F76A0
		push	ebx
		mov	edx, eax
		mov	ecx, [ebp+arg_C]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_8F768F
		lea	ecx, ds:8[esi*8]
		cmp	ecx, [ebp+arg_8]
		ja	short loc_8F7682
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+arg_4]
		mov	[eax+esi*8], ecx
		mov	[eax+esi*8+4], ebx
		mov	eax, [ebp+arg_0]

loc_8F7682:				; CODE XREF: WmiQueryTraceInformation+11CC0Aj
		xor	dl, dl
		mov	ecx, eax
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		inc	esi
		mov	[ebp+var_24], esi

loc_8F768F:				; CODE XREF: WmiQueryTraceInformation+11CBFEj
		mov	eax, [ebp+arg_10]
		inc	eax
		mov	[ebp+var_1C], eax
		mov	ecx, eax
		mov	[ebp+arg_10], eax
		mov	edx, [ebp+arg_C]
		jmp	short loc_8F764F
; 

loc_8F76A0:				; CODE XREF: WmiQueryTraceInformation+11CBECj
		shl	esi, 3
		cmp	esi, [ebp+arg_8]
		jbe	loc_8F75EE
		mov	[ebp+var_20], 105h
		jmp	loc_8F75EE
; 

loc_8F76B8:				; CODE XREF: WmiQueryTraceInformation+3Fj
					; DATA XREF: PAGE:007DABE2o
		mov	[ebp+ms_exc.disabled], 1 ; case	0x7
		mov	eax, large fs:124h
		mov	[ebp+arg_0], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_C+3],	al
		test	al, al
		jz	short loc_8F76FF
		mov	ecx, [ebp+arg_10]
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_8F76FF
		mov	ecx, [ecx+4]
		test	cl, 1
		jz	short loc_8F76ED
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_8F76ED:				; CODE XREF: WmiQueryTraceInformation+11CC80j
		lea	edx, [ecx+eax]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_8F76FD
		cmp	edx, ecx
		jnb	short loc_8F76FF

loc_8F76FD:				; CODE XREF: WmiQueryTraceInformation+11CC91j
		mov	[eax], bl

loc_8F76FF:				; CODE XREF: WmiQueryTraceInformation+11CC6Dj
					; WmiQueryTraceInformation+11CC78j ...
		mov	[ebp+ms_exc.disabled], ebx
		push	8
		pop	esi
		cmp	[ebp+arg_8], esi
		jnz	loc_8F746C
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		lea	edx, [ebp+var_38]
		mov	ecx, [ebp+arg_10]
		call	_EtwQueryTraceHandleByLoggerName@8 ; EtwQueryTraceHandleByLoggerName(x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jns	short loc_8F7732
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7DAB0B
; 

loc_8F7732:				; CODE XREF: WmiQueryTraceInformation+11CCBEj
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_8F75EE
		jmp	loc_8F75E3
; END OF FUNCTION CHUNK	FOR WmiQueryTraceInformation

;  S U B	R O U T	I N E 


sub_8F7742	proc near		; DATA XREF: .text:006A42B0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F7742	endp


;  S U B	R O U T	I N E 


sub_8F7750	proc near		; DATA XREF: .text:006A42B4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2Ch]
		jmp	loc_7DAB0B
sub_8F7750	endp

; 
; START	OF FUNCTION CHUNK FOR WmiQueryTraceInformation

loc_8F7762:				; CODE XREF: WmiQueryTraceInformation+3Fj
					; DATA XREF: PAGE:007DABEEo
		mov	[ebp+var_40], ebx ; case 0xA
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_28], ebx
		cmp	[ebp+arg_8], 8
		jnz	loc_8F746C
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jz	loc_8F747D
		mov	esi, [esi]
		mov	[ebp+var_1C], esi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+1F0h]
		push	ebx
		mov	edx, esi
		call	EtwpAcquireLoggerContextByLoggerId
		mov	[ebp+arg_8], eax
		test	eax, eax
		jz	loc_8F75FD
		mov	ecx, ds:_KeNumberProcessors
		mov	[ebp+arg_10], ecx
		mov	edx, ebx
		mov	esi, ebx

loc_8F77B0:				; CODE XREF: WmiQueryTraceInformation+11CD84j
		mov	[ebp+var_28], edx
		cmp	edx, ecx
		jnb	short loc_8F77EC
		mov	eax, [eax+2E4h]
		mov	ecx, edx
		shl	ecx, 6
		mov	eax, [eax+8D8h]
		mov	ecx, [eax+ecx+4]
		mov	eax, [ebp+var_1C]
		mov	eax, [ecx+eax*8]
		add	ebx, eax
		mov	[ebp+var_40], ebx
		mov	eax, [ebp+var_1C]
		mov	eax, [ecx+eax*8+4]
		adc	esi, eax
		mov	[ebp+var_3C], esi
		inc	edx
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_10]
		jmp	short loc_8F77B0
; 

loc_8F77EC:				; CODE XREF: WmiQueryTraceInformation+11CD4Fj
		xor	dl, dl
		mov	ecx, eax
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_8F74FA
		jmp	loc_8F74F5
; 

loc_8F7805:				; CODE XREF: WmiQueryTraceInformation+3Fj
					; DATA XREF: PAGE:007DABEAo
		mov	ecx, [ebp+arg_10] ; case 0x9
		test	ecx, ecx
		jnz	short loc_8F781D
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C00000F3h
		jmp	loc_7DAB0B
; 

loc_8F781D:				; CODE XREF: WmiQueryTraceInformation+11CDA4j
		test	edi, edi
		jnz	short loc_8F7832
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C00000F2h
		jmp	loc_7DAB0B
; 

loc_8F7832:				; CODE XREF: WmiQueryTraceInformation+11CDB9j
		push	20h
		pop	eax
		mov	[edi], eax
		cmp	[ebp+arg_8], eax
		jb	loc_8F746C
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	loc_7DABA2
		mov	eax, [ecx]
		mov	[ebp+var_38], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_34], eax
		movzx	eax, word ptr [ebp+var_38]
		mov	[ebp+var_1C], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+1F0h]
		push	ebx
		mov	edx, [ebp+var_1C]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jz	short loc_8F78CC
		mov	dword ptr [esi], 1
		mov	ecx, [edi+4]
		mov	[esi+4], ecx
		mov	ecx, [edi+98h]
		mov	[esi+8], ecx
		mov	ecx, [edi+0A4h]
		mov	[esi+0Ch], ecx
		mov	eax, [edi+0Ch]
		mov	[esi+10h], eax
		mov	eax, [edi+84h]
		mov	[esi+14h], eax
		mov	eax, [edi+7Ch]
		mov	[esi+1Ch], eax
		mov	eax, [edi+88h]
		mov	[esi+18h], eax
		xor	dl, dl
		mov	ecx, edi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		jmp	short loc_8F78D3
; 

loc_8F78CC:				; CODE XREF: WmiQueryTraceInformation+11CE1Dj
		mov	[ebp+var_20], 0C0000296h

loc_8F78D3:				; CODE XREF: WmiQueryTraceInformation+11CE64j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_7DAB01
; 

loc_8F78E4:				; CODE XREF: WmiQueryTraceInformation+B9j
		mov	dword ptr [edi], 4
		jmp	loc_7DAB25
; 

loc_8F78EF:				; CODE XREF: WmiQueryTraceInformation+C6j
					; WmiQueryTraceInformation+F3j	...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C00000A3h
		jmp	loc_7DAB0B
; 

loc_8F7900:				; CODE XREF: WmiQueryTraceInformation+3Fj
					; DATA XREF: PAGE:007DABF6o
		test	edi, edi	; case 0xC
		jz	short loc_8F790A
		mov	dword ptr [edi], 3Ch

loc_8F790A:				; CODE XREF: WmiQueryTraceInformation+11CE9Cj
		cmp	_EtwpInitialized, 0
		jz	short loc_8F78EF
		cmp	[ebp+arg_8], 3Ch
		jnz	loc_8F746C
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_7DABA2
		push	0Fh
		pop	ecx
		mov	esi, offset _EtwpAllNotifyRoutines
		rep movsd
		jmp	loc_7DAB49
; 

loc_8F7937:				; CODE XREF: WmiQueryTraceInformation+39j
					; WmiQueryTraceInformation+3Fj
					; DATA XREF: ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh ; default
		mov	eax, 0C0000003h
		jmp	loc_7DAB0B
; END OF FUNCTION CHUNK	FOR WmiQueryTraceInformation

;  S U B	R O U T	I N E 


sub_8F7948	proc near		; DATA XREF: .text:006A42A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F7948	endp


;  S U B	R O U T	I N E 


sub_8F7956	proc near		; DATA XREF: .text:006A42A8o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-30h]
		mov	[ebp-20h], eax
		jmp	loc_7DAB01
sub_8F7956	endp

; 
; START	OF FUNCTION CHUNK FOR WdipSemDisableContextProvider

loc_8F7964:				; CODE XREF: WdipSemDisableContextProvider+32j
		mov	esi, 0C000000Dh
		jmp	loc_7DACD4
; END OF FUNCTION CHUNK	FOR WdipSemDisableContextProvider
; 
; START	OF FUNCTION CHUNK FOR WdipSemValidateEndEvent

loc_8F796E:				; CODE XREF: WdipSemValidateEndEvent+44j
					; WdipSemValidateEndEvent+55j
		inc	edi
		add	ebx, 4
		cmp	edi, [ebp+var_8]
		jnb	loc_7DAE27
		mov	ecx, [ebp+var_C]
		jmp	loc_7DADED
; END OF FUNCTION CHUNK	FOR WdipSemValidateEndEvent
; 
; START	OF FUNCTION CHUNK FOR MiCreatePerSessionProtos

loc_8F7983:				; CODE XREF: MiCreatePerSessionProtos+80j
		cmp	[ebp+var_8], esi
		jz	short loc_8F79A2
		mov	edi, [ebp+var_8]

loc_8F798B:				; CODE XREF: MiCreatePerSessionProtos+11CA49j
		lea	eax, [ebp+var_C]
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	_MiDereferenceSubsectionProtos@12 ; MiDereferenceSubsectionProtos(x,x,x)
		mov	edi, [edi+8]
		cmp	edi, esi
		jnz	short loc_8F798B
		mov	edi, [ebp+var_18]

loc_8F79A2:				; CODE XREF: MiCreatePerSessionProtos+11CA32j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8F79B6
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8F79B6:				; CODE XREF: MiCreatePerSessionProtos+11CA59j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_10]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		lea	ecx, [ebp+var_C]
		call	_MiFreeSubsectionProtos@4 ; MiFreeSubsectionProtos(x)
		mov	eax, [ebp+var_1C]
		jmp	loc_7DB00D
; END OF FUNCTION CHUNK	FOR MiCreatePerSessionProtos
; 
; START	OF FUNCTION CHUNK FOR MiAllocatePerSessionProtos

loc_8F79D5:				; CODE XREF: MiAllocatePerSessionProtos+38j
		mov	eax, 0C000012Dh
		jmp	loc_7DB1D2
; 

loc_8F79DF:				; CODE XREF: MiAllocatePerSessionProtos+58j
					; MiAllocatePerSessionProtos+85j ...
		mov	edi, 0C000009Ah
		jmp	loc_7DB1B5
; 

loc_8F79E9:				; CODE XREF: MiAllocatePerSessionProtos+FAj
		mov	ecx, [ebp+var_28]
		jmp	loc_7DB144
; 

loc_8F79F1:				; CODE XREF: MiAllocatePerSessionProtos+12Bj
		mov	eax, [ebp+var_30]
		mov	[ebx], eax
		nop
		mov	eax, [ebp+var_28]
		jmp	loc_7DB16A
; 

loc_8F79FF:				; CODE XREF: MiAllocatePerSessionProtos+175j
		mov	edi, [ebp+var_20]
		shl	edi, 0Ch
		push	edi
		push	eax
		call	_MmSizeOfMdl@8	; MmSizeOfMdl(x,x)
		push	esi
		push	40h
		mov	edx, 206C644Dh
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_48], ebx
		test	ebx, ebx
		jz	short loc_8F79DF
		mov	[ebx], esi
		mov	edx, [ebp+var_38]
		mov	ecx, edx
		and	ecx, 0FFFh
		lea	eax, [edi+0FFFh]
		add	eax, ecx
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[ebx+4], ax
		xor	eax, eax
		mov	[ebx+6], ax
		and	edx, 0FFFFF000h
		mov	[ebx+10h], edx
		mov	[ebx+18h], ecx
		mov	[ebx+14h], edi
		mov	[ebp+ms_exc.disabled], esi
		push	esi
		push	esi
		push	ebx
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		movzx	eax, word ptr [eax+10h]
		shr	eax, 1
		and	eax, 1Fh
		mov	[ebp+var_38], eax
		push	esi
		mov	edi, [ebp+var_20]
		mov	edx, edi
		mov	ecx, [ebp+var_40]
		call	_MiChargeResident@12 ; MiChargeResident(x,x,x)
		test	eax, eax
		jz	loc_8F79DF
		mov	edx, [ebp+var_38]
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_8F7AE5
		test	ds:_MiFlags, 8000h
		jz	short loc_8F7AE5
		test	dl, 2
		jz	short loc_8F7AE5
		mov	ecx, [ebp+var_3C]
		mov	eax, [ecx+38h]
		mov	eax, [eax+18h]
		mov	[ebp+var_60], eax
		mov	eax, [ebp+arg_0]
		shl	eax, 0Ch
		mov	[ebp+var_64], eax
		mov	[ebp+var_58], esi
		mov	eax, [ecx]
		mov	ecx, [ebp+arg_0]
		shl	ecx, 0Ch
		mov	eax, [eax+18h]
		add	eax, ecx
		add	eax, [ebp+arg_4]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_64]
		push	eax
		jmp	short loc_8F7AE7
; 

loc_8F7AE5:				; CODE XREF: MiAllocatePerSessionProtos+11CA6Dj
					; MiAllocatePerSessionProtos+11CA79j ...
		push	esi
		push	esi

loc_8F7AE7:				; CODE XREF: MiAllocatePerSessionProtos+11CAB3j
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	edi
		lea	eax, [ebx+1Ch]
		push	eax
		mov	edx, [ebp+var_34]
		mov	ecx, [ebp+var_3C]
		call	_MiFillPerSessionProtos@36 ; MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7DB1B5
		mov	edi, [ebp+var_24]
		jmp	loc_7DB1AB
; END OF FUNCTION CHUNK	FOR MiAllocatePerSessionProtos

;  S U B	R O U T	I N E 


sub_8F7B10	proc near		; DATA XREF: .text:006A42ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F7B10	endp


;  S U B	R O U T	I N E 


sub_8F7B1E	proc near		; DATA XREF: .text:006A42F0o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-4Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		mov	eax, [ebp-50h]
		mov	[ebp-24h], eax
		mov	ebx, [ebp-48h]
		mov	eax, [ebp-54h]
		mov	[ebp-2Ch], eax
		jmp	loc_7DB1B5
sub_8F7B1E	endp


;  S U B	R O U T	I N E 


sub_8F7B41	proc near		; CODE XREF: MiAllocatePerSessionProtos+187j
		push	ebx
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7DB1BD
sub_8F7B41	endp

; 
; START	OF FUNCTION CHUNK FOR MiAllocatePerSessionProtos

loc_8F7B53:				; CODE XREF: MiAllocatePerSessionProtos+192j
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jz	short loc_8F7B63
		xor	edx, edx
		mov	ecx, eax
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)

loc_8F7B63:				; CODE XREF: MiAllocatePerSessionProtos+11CB28j
		mov	eax, [ebx+24h]
		test	eax, eax
		jz	short loc_8F7B71
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F7B71:				; CODE XREF: MiAllocatePerSessionProtos+11CB38j
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7DB1C8
; 

loc_8F7B7D:				; CODE XREF: MiAllocatePerSessionProtos+19Aj
		mov	eax, [ebp+var_1C]
		mov	edx, [eax+1Ch]
		mov	ecx, [ebp+var_40]
		call	MiReturnCommit
		jmp	loc_7DB1D0
; END OF FUNCTION CHUNK	FOR MiAllocatePerSessionProtos
; 
; START	OF FUNCTION CHUNK FOR CmpTrimHive

loc_8F7B90:				; CODE XREF: CmpTrimHive+69j
		test	al, 4
		jnz	loc_7DB27D
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7DB27D
; END OF FUNCTION CHUNK	FOR CmpTrimHive
; 
; START	OF FUNCTION CHUNK FOR HvTrimHive

loc_8F7BA4:				; CODE XREF: HvTrimHive+34j
		push	18h
		push	2
		pop	ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	edx, [edx+8]
		and	ebx, 0FFFFFFF0h
		push	eax
		shr	edx, 0Ch
		mov	ecx, ebx
		call	_MiDeprioritizeVirtualAddresses@16 ; MiDeprioritizeVirtualAddresses(x,x,x,x)
		jmp	loc_7DB2E2
; END OF FUNCTION CHUNK	FOR HvTrimHive

;  S U B	R O U T	I N E 


sub_8F7BC4	proc near		; DATA XREF: .text:006A430Co
		xor	eax, eax
		inc	eax
		retn
sub_8F7BC4	endp


;  S U B	R O U T	I N E 


sub_8F7BC8	proc near		; DATA XREF: .text:006A4310o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	al, 1
		jmp	loc_7DB32D
sub_8F7BC8	endp

; 
; START	OF FUNCTION CHUNK FOR ObpCreateSymbolicLinkName

loc_8F7BD9:				; CODE XREF: ObpCreateSymbolicLinkName+2Cj
		mov	esi, ecx
		jmp	loc_7DB423
; 

loc_8F7BE0:				; CODE XREF: ObpCreateSymbolicLinkName+11Aj
		push	8
		pop	eax
		add	esi, eax
		mov	ecx, edx
		mov	eax, 0FFF8h
		mov	[ebp+var_8], ecx
		add	di, ax
		mov	[ebp+var_C], esi
		mov	word ptr [ebp+var_28], di
		jmp	loc_7DB502
; 

loc_8F7BFE:				; CODE XREF: ObpCreateSymbolicLinkName+DBj
					; ObpCreateSymbolicLinkName+EAj
		mov	di, word ptr [ebp+var_28]
		mov	ecx, [ebp+var_8]
		jmp	loc_7DB502
; 

loc_8F7C0A:				; CODE XREF: ObpCreateSymbolicLinkName+16Ej
		mov	al, [ebp+var_2]
		mov	[ebp+var_2], al
		mov	al, [ebp+var_1]
		mov	[ebp+var_1], al
		mov	byte ptr [ebp+var_36], bl
		mov	byte ptr [ebp+var_36+1], bl
		jmp	loc_7DB55E
; 

loc_8F7C21:				; CODE XREF: ObpCreateSymbolicLinkName+196j
		mov	al, [ebp+var_2]
		mov	byte ptr [ebp+var_36], al
		mov	al, [ebp+var_1]
		mov	byte ptr [ebp+var_36+1], al
		jmp	loc_7DB58A
; 

loc_8F7C32:				; CODE XREF: ObpCreateSymbolicLinkName+1E6j
		cmp	dword ptr [esi+10h], 0
		jnz	loc_7DB5CE
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_8F7C61
		mov	edi, [ebp+var_10]
		dec	eax
		mov	[ebp+var_18], eax
		mov	eax, [esi+8]
		mov	esi, [esi+0Ch]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_C], esi
		mov	[ebp+var_24], esi
		jmp	loc_7DB4B6
; 

loc_8F7C61:				; CODE XREF: ObpCreateSymbolicLinkName+11C85Fj
		xor	esi, esi
		jmp	loc_7DB5CE
; 

loc_8F7C68:				; CODE XREF: ObpCreateSymbolicLinkName+268j
		cmp	eax, 10h
		jmp	short loc_8F7C7E
; 

loc_8F7C6D:				; CODE XREF: ObpCreateSymbolicLinkName+256j
		push	5
		jmp	short loc_8F7C86
; 

loc_8F7C71:				; CODE XREF: ObpCreateSymbolicLinkName+23Bj
		cmp	eax, 14h
		jz	short loc_8F7C84
		cmp	eax, 24h
		jz	short loc_8F7C8C
		cmp	eax, 28h

loc_8F7C7E:				; CODE XREF: ObpCreateSymbolicLinkName+11C889j
		jnz	loc_7DB6C8

loc_8F7C84:				; CODE XREF: ObpCreateSymbolicLinkName+244j
					; ObpCreateSymbolicLinkName+11C892j
		push	4

loc_8F7C86:				; CODE XREF: ObpCreateSymbolicLinkName+11C88Dj
					; ObpCreateSymbolicLinkName+11C8ACj
		pop	ebx
		jmp	loc_7DB65A
; 

loc_8F7C8C:				; CODE XREF: ObpCreateSymbolicLinkName+11C897j
		push	6
		jmp	short loc_8F7C86
; END OF FUNCTION CHUNK	FOR ObpCreateSymbolicLinkName
; 
; START	OF FUNCTION CHUNK FOR NtAllocateUuids

loc_8F7C90:				; CODE XREF: NtAllocateUuids+4Aj
		mov	[eax], dl
		jmp	loc_7DB728
; 

loc_8F7C97:				; CODE XREF: NtAllocateUuids+9Aj
		mov	[eax], dl
		jmp	loc_7DB778
; 

loc_8F7C9E:				; CODE XREF: NtAllocateUuids+34j
		mov	esi, [ebp+arg_C]
		jmp	loc_7DB782
; 

loc_8F7CA6:				; CODE XREF: NtAllocateUuids+DBj
		push	eax
		mov	edx, edi
		mov	ecx, eax
		call	ExfAcquirePushLockExclusiveEx
		jmp	loc_7DB7B9
; 

loc_8F7CB5:				; CODE XREF: NtAllocateUuids+FCj
		or	edx, 0FFFFFFFFh
		mov	ebx, offset _ExpUuidLock
		lock xadd [ebx], edx
		and	dl, 6
		cmp	dl, 2
		jnz	short loc_8F7CD0
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8F7CD0:				; CODE XREF: NtAllocateUuids+11C5EFj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+arg_0]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		jmp	loc_7DB84F
; 

loc_8F7CE6:				; CODE XREF: NtAllocateUuids+11Dj
		test	al, 4
		jnz	loc_7DB7FB
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7DB7FB
; END OF FUNCTION CHUNK	FOR NtAllocateUuids

;  S U B	R O U T	I N E 


sub_8F7CFA	proc near		; DATA XREF: .text:006A4338o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F7CFA	endp


;  S U B	R O U T	I N E 


sub_8F7D0A	proc near		; DATA XREF: .text:006A433Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-28h]
		jmp	loc_7DB84F
sub_8F7D0A	endp

; 

loc_8F7D1C:				; DATA XREF: .text:006A432Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_8F7D2C:				; DATA XREF: .text:006A4330o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2Ch]
		jmp	loc_7DB84F
; 
; START	OF FUNCTION CHUNK FOR ExpAllocateUuids

loc_8F7D3E:				; CODE XREF: ExpAllocateUuids+EAj
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_1C], esi
		push	eax
		mov	[ebp+var_18], esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ecx, ds:_ExpUuidSequenceNumber
		xor	ecx, edx
		xor	ecx, eax
		lea	eax, [ebp+var_8]
		xor	ecx, [ebp+arg_0]
		xor	ecx, eax
		jmp	loc_7DB983
; 

loc_8F7D65:				; CODE XREF: ExpAllocateUuids+4Bj
					; ExpAllocateUuids+53j
		inc	ds:_ExpUuidSequenceNumber
		mov	ecx, esi
		mov	edx, 4E20h
		mov	ds:_ExpUuidSequenceNumberNotSaved, 1
		sub	ecx, edx
		mov	eax, edi
		mov	ds:_ExpUuidLastTimeAllocated, ecx
		sbb	eax, 0
		xor	ecx, ecx
		mov	ds:dword_A93E0C, eax
		jmp	loc_7DB8E5
; 

loc_8F7D92:				; CODE XREF: ExpAllocateUuids+5Dj
		mov	eax, ds:_ExpUuidTimeSequenceNumber
		cmp	eax, 1Fh
		jb	short loc_8F7DA6
		mov	eax, 0C000022Dh
		jmp	loc_7DB965
; 

loc_8F7DA6:				; CODE XREF: ExpAllocateUuids+11C50Ej
		inc	eax
		mov	ds:_ExpUuidTimeSequenceNumber, eax
		mov	eax, 2710h
		mov	[ebx], eax
		sub	esi, eax
		mov	eax, [ebp+var_C]
		sbb	edi, 0
		lea	edx, [eax+4]
		mov	[eax], esi
		mov	[eax+4], edi
		call	_ExpSetBorrowedTimeOnTimestamp@8 ; ExpSetBorrowedTimeOnTimestamp(x,x)
		jmp	loc_7DB959
; 

loc_8F7DCD:				; CODE XREF: ExpAllocateUuids+6Aj
		and	ds:_ExpUuidTimeSequenceNumber, 0
		jmp	loc_7DB8FC
; 

loc_8F7DD9:				; CODE XREF: ExpAllocateUuids+72j
					; ExpAllocateUuids+89j	...
		mov	[ebx], edx
		xor	edx, edx
		mov	eax, [ebx]
		xor	ecx, ecx
		jmp	loc_7DB935
; END OF FUNCTION CHUNK	FOR ExpAllocateUuids
; 
; START	OF FUNCTION CHUNK FOR ExEnableHandleExceptions

loc_8F7DE6:				; CODE XREF: ExEnableHandleExceptions+2Fj
		mov	eax, [ecx+8]
		test	al, 8
		jnz	loc_7DBABD
		test	bl, bl
		jz	loc_7DBA98
		or	eax, 8
		mov	[ecx+8], eax
		jmp	loc_7DBA98
; END OF FUNCTION CHUNK	FOR ExEnableHandleExceptions
; 
; START	OF FUNCTION CHUNK FOR NtFilterToken

loc_8F7E04:				; CODE XREF: NtFilterToken+54j
		mov	ecx, eax
		jmp	loc_7DBB2E
; 

loc_8F7E0B:				; CODE XREF: NtFilterToken+7Bj
		mov	edx, eax
		jmp	loc_7DBB55
; 

loc_8F7E12:				; CODE XREF: NtFilterToken+E5j
		mov	edx, eax
		jmp	loc_7DBBBF
; END OF FUNCTION CHUNK	FOR NtFilterToken

;  S U B	R O U T	I N E 


sub_8F7E19	proc near		; DATA XREF: .text:006A4354o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-58h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F7E19	endp


;  S U B	R O U T	I N E 


sub_8F7E27	proc near		; DATA XREF: .text:006A4358o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-58h]
		mov	[ebp-20h], edi
		push	0FFFFFFFEh
		pop	ebx
		mov	[ebp-4], ebx
		xor	esi, esi
		jmp	loc_7DBBE9
sub_8F7E27	endp

; 
; START	OF FUNCTION CHUNK FOR NtFilterToken

loc_8F7E3D:				; CODE XREF: NtFilterToken+12Cj
		mov	edi, 0C000000Dh
		jmp	loc_7DBCA9
; END OF FUNCTION CHUNK	FOR NtFilterToken

;  S U B	R O U T	I N E 


sub_8F7E47	proc near		; DATA XREF: .text:006A4360o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F7E47	endp


;  S U B	R O U T	I N E 


sub_8F7E55	proc near		; DATA XREF: .text:006A4364o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-5Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7DBCA9
sub_8F7E55	endp

; 
; START	OF FUNCTION CHUNK FOR PspSetBackgroundJobTree

loc_8F7E67:				; CODE XREF: PspSetBackgroundJobTree+2Ej
					; PspSetBackgroundJobTree+80j
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	eax, 0C000000Dh
		jmp	loc_7DBDB0
; END OF FUNCTION CHUNK	FOR PspSetBackgroundJobTree
; 
; START	OF FUNCTION CHUNK FOR EtwpRealtimeNotifyConsumers

loc_8F7E78:				; CODE XREF: EtwpRealtimeNotifyConsumers+6Bj
		mov	esi, 0C0000017h
		jmp	loc_7DBDFA
; 

loc_8F7E82:				; CODE XREF: EtwpRealtimeNotifyConsumers+85j
		mov	al, [ebx+32h]
		mov	edx, edi
		and	al, 8
		mov	ecx, esi
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3
		inc	eax
		push	eax
		push	0
		push	[ebp+var_4]
		mov	[ebp+var_8], eax
		call	EtwpAddDebugInfoEvents
		lea	eax, [esi+2C8h]
		cmp	[eax], eax
		jz	short loc_8F7EC9
		test	dword ptr [esi+258h], 2000000h
		jz	short loc_8F7EC9
		push	[ebp+var_8]	; size_t
		mov	edx, edi
		mov	ecx, esi
		push	[ebp+var_4]	; void *
		call	_EtwpAddBinaryInfoEvents@16 ; EtwpAddBinaryInfoEvents(x,x,x,x)

loc_8F7EC9:				; CODE XREF: EtwpRealtimeNotifyConsumers+11C0E8j
					; EtwpRealtimeNotifyConsumers+11C0F4j
		or	byte ptr [ebx+32h], 8
		cmp	dword ptr [edi+30h], 48h
		jbe	short loc_8F7EE4
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	EtwpRealtimeInjectEtwBuffer
		mov	dword ptr [edi+30h], 48h

loc_8F7EE4:				; CODE XREF: EtwpRealtimeNotifyConsumers+11C10Dj
		mov	ebx, [ebx]
		lea	eax, [esi+100h]
		jmp	loc_7DBE47
; 

loc_8F7EF1:				; CODE XREF: EtwpRealtimeNotifyConsumers+90j
		cmp	byte ptr [eax+24h], 0
		jnz	loc_7DBE5A
		mov	byte ptr [eax+24h], 1
		mov	eax, [eax]
		jmp	loc_7DBE52
; 

loc_8F7F06:				; CODE XREF: EtwpRealtimeNotifyConsumers+42j
		test	al, 4
		jnz	loc_7DBE0C
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7DBE0C
; END OF FUNCTION CHUNK	FOR EtwpRealtimeNotifyConsumers
; 
; START	OF FUNCTION CHUNK FOR EtwpGetMaxTrackingEventBufferSize

loc_8F7F1A:				; CODE XREF: EtwpGetMaxTrackingEventBufferSize+1Cj
		mov	ecx, [esi+10h]
		mov	eax, [esi+8]
		mov	esi, [esi]
		add	eax, 1Bh
		shl	ecx, 4
		add	eax, ecx
		and	eax, 0FFFFFFF8h
		add	edx, eax
		jmp	loc_7DBE94
; 

loc_8F7F34:				; CODE XREF: EtwpGetMaxTrackingEventBufferSize+2Aj
		shl	eax, 5
		add	eax, 17h
		and	eax, 0FFFFFFF8h
		add	edx, eax
		jmp	loc_7DBEAA
; END OF FUNCTION CHUNK	FOR EtwpGetMaxTrackingEventBufferSize
; 
; START	OF FUNCTION CHUNK FOR EtwpInitializeProviderInfoBuffer

loc_8F7F44:				; CODE XREF: EtwpInitializeProviderInfoBuffer+99j
		mov	eax, _EtwCPUSpeedInMHz
		xor	ecx, ecx
		shld	ecx, eax, 3
		and	esi, 7
		shl	eax, 3
		or	eax, esi
		mov	[edx+24h], ecx
		mov	[edx+20h], eax
		jmp	loc_7DBF6E
; END OF FUNCTION CHUNK	FOR EtwpInitializeProviderInfoBuffer
; 
; START	OF FUNCTION CHUNK FOR PspSetProcessPriorityClass

loc_8F7F62:				; CODE XREF: PspSetProcessPriorityClass+76j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_8F7F84
		push	ds:dword_A949F4
		mov	edx, 200h
		push	ds:_SeIncreaseBasePriorityPrivilege
		push	[ebp+arg_4]
		call	_SeCheckPrivilegedObject@20 ; SeCheckPrivilegedObject(x,x,x,x,x)
		jmp	short loc_8F7F98
; 

loc_8F7F84:				; CODE XREF: PspSetProcessPriorityClass+11BFE1j
		push	[ebp+arg_4]
		push	ds:dword_A949F4
		push	ds:_SeIncreaseBasePriorityPrivilege
		call	SeSinglePrivilegeCheck

loc_8F7F98:				; CODE XREF: PspSetProcessPriorityClass+11BFFCj
		movzx	eax, al
		test	eax, eax
		jnz	loc_7DBFA0
		mov	eax, 0C0000061h
		jmp	loc_7DBFBC
; END OF FUNCTION CHUNK	FOR PspSetProcessPriorityClass
; 
; START	OF FUNCTION CHUNK FOR EtwpInitializeTimeStamp

loc_8F7FAD:				; CODE XREF: EtwpInitializeTimeStamp+27j
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	eax
		call	off_6B1438	; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		test	eax, eax
		js	loc_7DC03D
		push	2
		jmp	loc_7DC162
; 

loc_8F7FCE:				; CODE XREF: EtwpInitializeTimeStamp+4Cj
		mov	ecx, esi
		call	EtwpGetLoggerTimeStamp
		push	ebx
		mov	[esi+0F0h], eax
		mov	[esi+0F4h], edx
		call	_KeQuerySystemTimePrecise@4 ; KeQuerySystemTimePrecise(x)
		jmp	loc_7DC0D2
; 

loc_8F7FEC:				; CODE XREF: EtwpInitializeTimeStamp+7Ej
		mov	ecx, esi
		call	EtwpGetLoggerTimeStamp
		push	ebx
		mov	[esi+0F0h], eax
		mov	[esi+0F4h], edx
		call	_KeQuerySystemTimePrecise@4 ; KeQuerySystemTimePrecise(x)
		and	dword ptr [esi+258h], 0F7FFFFFFh
		mov	eax, [esi+7Ch]
		mov	ecx, [ebp+var_18]
		mov	edx, [ebp+var_4]
		jmp	short loc_8F802F
; 

loc_8F801A:				; CODE XREF: EtwpInitializeTimeStamp+9Ej
		cmp	eax, 4
		jnz	loc_7DC158
		mov	[esi+0F0h], ecx
		mov	[esi+0F4h], edi

loc_8F802F:				; CODE XREF: EtwpInitializeTimeStamp+11C008j
		cmp	eax, 4
		jz	loc_7DC0D2
		jmp	loc_7DC158
; 

loc_8F803D:				; CODE XREF: EtwpInitializeTimeStamp+BCj
		sub	ecx, [ebp+var_20]
		mov	[esi+358h], ecx
		sbb	edi, eax
		mov	[esi+35Ch], edi
		jmp	loc_7DC0D2
; END OF FUNCTION CHUNK	FOR EtwpInitializeTimeStamp
; 
; START	OF FUNCTION CHUNK FOR PiDcHandleCustomDeviceEvent

loc_8F8053:				; CODE XREF: PiDcHandleCustomDeviceEvent+4Ej
		lea	ecx, [ebp+var_160]
		call	PiPnpRtlBeginOperation
		mov	edi, eax
		test	edi, edi
		js	loc_8F82D5
		mov	ecx, [ebx+68h]
		lea	eax, [ebp+var_150]
		push	eax
		push	esi
		push	6
		pop	edx
		call	_PnpQueryDeviceRelations@16 ; PnpQueryDeviceRelations(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8F82D5
		mov	eax, [ebp+var_150]
		test	eax, eax
		jz	loc_8F82F7
		cmp	[eax], esi
		jz	loc_8F82DB
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_154]
		push	4Eh
		pop	edi
		push	esi
		push	eax
		lea	eax, [ebp+var_F8]
		mov	[ebp+var_154], edi
		push	eax
		lea	eax, [ebp+var_158]
		push	eax
		push	25h
		push	esi
		lea	edx, [ebx+70h]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_8F82C1
		cmp	[ebp+var_158], 1
		jnz	loc_8F82C1
		cmp	[ebp+var_154], edi
		jnz	loc_8F82C1
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_A8]
		push	eax
		lea	eax, [ebp+var_F8]
		push	eax
		lea	edx, [ebx+70h]
		call	_CmGetDeviceContainerIdFromBase
		mov	edi, eax
		test	edi, edi
		js	loc_8F82C6
		lea	eax, [ebp+var_A8]
		push	eax		; wchar_t *
		lea	eax, [ebp+var_F8]
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_150]
		test	eax, eax
		mov	eax, esi
		setnz	[ebp+var_149]
		mov	[ebp+var_15C], eax
		cmp	[ecx], esi
		jbe	loc_8F82C6

loc_8F8158:				; CODE XREF: PiDcHandleCustomDeviceEvent+11BD93j
		mov	eax, [ecx+eax*4+4]
		test	eax, eax
		jz	short loc_8F816B
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_8F816D
; 

loc_8F816B:				; CODE XREF: PiDcHandleCustomDeviceEvent+11BC38j
		mov	eax, esi

loc_8F816D:				; CODE XREF: PiDcHandleCustomDeviceEvent+11BC43j
		test	eax, eax
		jz	loc_8F82AA
		mov	ebx, [eax+18h]
		test	ebx, ebx
		jz	loc_8F82AA
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_154]
		push	esi
		push	eax
		lea	eax, [ebp+var_148]
		mov	[ebp+var_154], 4Eh
		push	eax
		lea	eax, [ebp+var_158]
		mov	edx, ebx
		push	eax
		push	25h
		push	esi
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000225h
		jz	loc_8F82A4
		test	edi, edi
		js	loc_8F82C1
		cmp	[ebp+var_158], 1
		jnz	loc_8F82C1
		cmp	[ebp+var_154], 4Eh
		jnz	loc_8F82C1
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_148]
		mov	edx, ebx
		push	eax
		call	_CmGetDeviceContainerIdFromBase
		mov	edi, eax
		test	edi, edi
		js	loc_8F82C6
		cmp	[ebp+var_149], 0
		jnz	short loc_8F8255
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_A8]
		push	eax
		lea	edx, [ebp+var_F8]
		call	__CmMoveBaseContainer@16 ; _CmMoveBaseContainer(x,x,x,x)
		lea	ecx, [ebp+var_58]
		mov	edi, eax
		call	_PiDcContainerRequiresConfiguration@4 ;	PiDcContainerRequiresConfiguration(x)
		test	edi, edi
		js	loc_8F82C6
		push	ecx
		lea	eax, [ebp+var_58]
		push	eax
		push	ecx
		push	27h
		pop	edx
		lea	ecx, [ebp+var_A8]
		call	RtlStringCopyWorkerW
		mov	edi, eax
		test	edi, edi
		js	short loc_8F82C6
		mov	[ebp+var_149], 1

loc_8F8255:				; CODE XREF: PiDcHandleCustomDeviceEvent+11BCE4j
		lea	eax, [ebp+var_A8]
		push	eax		; wchar_t *
		lea	eax, [ebp+var_58]
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_8F82A4
		mov	ecx, _PiPnpRtlCtx
		lea	edx, [ebp+var_58]
		call	__CmIsLocalMachineContainer@8 ;	_CmIsLocalMachineContainer(x,x)
		test	al, al
		jnz	short loc_8F82A4
		lea	eax, [ebp+var_A8]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		lea	edx, [ebp+var_148]
		call	__CmMoveBaseContainer@16 ; _CmMoveBaseContainer(x,x,x,x)
		lea	ecx, [ebp+var_A8]
		mov	edi, eax
		call	_PiDcContainerRequiresConfiguration@4 ;	PiDcContainerRequiresConfiguration(x)
		test	edi, edi
		js	short loc_8F82C6

loc_8F82A4:				; CODE XREF: PiDcHandleCustomDeviceEvent+11BC92j
					; PiDcHandleCustomDeviceEvent+11BD43j ...
		mov	ecx, [ebp+var_150]

loc_8F82AA:				; CODE XREF: PiDcHandleCustomDeviceEvent+11BC49j
					; PiDcHandleCustomDeviceEvent+11BC54j
		mov	eax, [ebp+var_15C]
		inc	eax
		mov	[ebp+var_15C], eax
		cmp	eax, [ecx]
		jb	loc_8F8158
		jmp	short loc_8F82C6
; 

loc_8F82C1:				; CODE XREF: PiDcHandleCustomDeviceEvent+11BBB8j
					; PiDcHandleCustomDeviceEvent+11BBC5j ...
		mov	edi, 0C000090Bh

loc_8F82C6:				; CODE XREF: PiDcHandleCustomDeviceEvent+11BBF8j
					; PiDcHandleCustomDeviceEvent+11BC2Cj ...
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_8F82D5:				; CODE XREF: PiDcHandleCustomDeviceEvent+11BB3Cj
					; PiDcHandleCustomDeviceEvent+11BB59j
		mov	eax, [ebp+var_150]

loc_8F82DB:				; CODE XREF: PiDcHandleCustomDeviceEvent+11BB6Fj
		test	eax, eax
		jz	short loc_8F82F7
		cmp	[eax], esi
		jbe	short loc_8F82F7

loc_8F82E3:				; CODE XREF: PiDcHandleCustomDeviceEvent+11BDCFj
		mov	ecx, [eax+esi*4+4]
		call	ObfDereferenceObject
		mov	eax, [ebp+var_150]
		inc	esi
		cmp	esi, [eax]
		jb	short loc_8F82E3

loc_8F82F7:				; CODE XREF: PiDcHandleCustomDeviceEvent+11BB67j
					; PiDcHandleCustomDeviceEvent+11BDB7j ...
		mov	ecx, [ebp+var_160]
		test	ecx, ecx
		jz	loc_7DC57A
		call	PiPnpRtlEndOperation
		jmp	loc_7DC57A
; END OF FUNCTION CHUNK	FOR PiDcHandleCustomDeviceEvent
; 
; START	OF FUNCTION CHUNK FOR ExpCreateWorkerThread

loc_8F830F:				; CODE XREF: ExpCreateWorkerThread+96j
					; ExpCreateWorkerThread+11BD6Cj
		mov	ecx, edx
		and	edx, 3FFFh
		dec	edx
		mov	eax, ecx
		lock cmpxchg [edi], edx
		mov	edx, eax
		cmp	edx, ecx
		jnz	short loc_8F830F
		jmp	loc_7DC643
; END OF FUNCTION CHUNK	FOR ExpCreateWorkerThread
; 
; START	OF FUNCTION CHUNK FOR RtlGetNtSystemRoot

loc_8F8329:				; CODE XREF: RtlGetNtSystemRoot+7j
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+28Ch]
		add	eax, 1Eh
		retn
; END OF FUNCTION CHUNK	FOR RtlGetNtSystemRoot
; 
; START	OF FUNCTION CHUNK FOR WdipTimeoutCheckRoutine

loc_8F8338:				; CODE XREF: WdipTimeoutCheckRoutine+38j
		mov	dl, 1
		mov	ecx, edi
		call	_WdipSemDisableContextProviders@8 ; WdipSemDisableContextProviders(x,x)
		mov	ecx, edi
		mov	esi, edi
		call	WdipSemMarkNextTimedOutInstanceForDeletion
		mov	ecx, [esi+18h]
		mov	edi, eax
		lea	eax, [esi+8]
		push	eax
		mov	dx, [ecx+10h]
		call	_WdipSemLogTimeoutInformation@12 ; WdipSemLogTimeoutInformation(x,x,x)
		mov	ecx, esi
		call	_WdipSemDeleteTransitionalInstance@4 ; WdipSemDeleteTransitionalInstance(x)
		jmp	loc_7DC804
; END OF FUNCTION CHUNK	FOR WdipTimeoutCheckRoutine
; 
; START	OF FUNCTION CHUNK FOR WdipSemMarkNextTimedOutInstanceForDeletion

loc_8F8368:				; CODE XREF: WdipSemMarkNextTimedOutInstanceForDeletion+5Aj
		mov	eax, [ecx+18h]
		cmp	byte ptr [eax+268h], 0
		jz	loc_7DC892
		cmp	[ecx+20h], esi
		jnz	loc_7DC892
		mov	dword ptr [ecx+20h], 1
		mov	esi, ecx
		jmp	loc_7DC896
; END OF FUNCTION CHUNK	FOR WdipSemMarkNextTimedOutInstanceForDeletion
; 
; START	OF FUNCTION CHUNK FOR WdipSemSqmLogInflightLimitExceededDataPoints

loc_8F838F:				; CODE XREF: WdipSemSqmLogInflightLimitExceededDataPoints+3Dj
		mov	edx, ebx
		call	_WdipSemSqmIncrementDword@8 ; WdipSemSqmIncrementDword(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_8F839E
		xor	esi, esi

loc_8F839E:				; CODE XREF: WdipSemSqmLogInflightLimitExceededDataPoints+11BAD6j
		xor	edi, edi
		test	ebx, ebx
		jz	loc_7DC907

loc_8F83A8:				; CODE XREF: WdipSemSqmLogInflightLimitExceededDataPoints+11BB28j
		mov	esi, _WdipSemFrequentScenarioTable[edi*4]
		lea	edx, [ebp+var_14]
		mov	ecx, esi
		call	_WdipSemGetGuidKey@8 ; WdipSemGetGuidKey(x,x)
		test	eax, eax
		js	short loc_8F83E7
		mov	eax, [ebp+var_14]
		mov	ecx, 426h
		mov	[ebp+var_10], eax
		movzx	eax, word ptr [esi+10h]
		mov	[ebp+var_C], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	3
		pop	edx
		call	_WdipSemSqmAddToStream@12 ; WdipSemSqmAddToStream(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_8F83E9

loc_8F83E7:				; CODE XREF: WdipSemSqmLogInflightLimitExceededDataPoints+11BAF7j
		xor	esi, esi

loc_8F83E9:				; CODE XREF: WdipSemSqmLogInflightLimitExceededDataPoints+11BB21j
		inc	edi
		cmp	edi, ebx
		jb	short loc_8F83A8
		jmp	loc_7DC907
; 

loc_8F83F3:				; CODE XREF: WdipSemSqmLogInflightLimitExceededDataPoints+4Bj
					; WdipSemSqmLogInflightLimitExceededDataPoints+11BB53j
		mov	edx, _WdipSemFrequentScenarioTable[edi*4]
		test	edx, edx
		jz	short loc_8F8408
		mov	ecx, offset unk_6BDC00
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_8F8408:				; CODE XREF: WdipSemSqmLogInflightLimitExceededDataPoints+11BB38j
		and	_WdipSemFrequentScenarioTable[edi*4], 0
		inc	edi
		cmp	edi, dword_6BCA40
		jb	short loc_8F83F3
		jmp	loc_7DC915
; END OF FUNCTION CHUNK	FOR WdipSemSqmLogInflightLimitExceededDataPoints
; 
; START	OF FUNCTION CHUNK FOR CmSnapshotRMTxArray

loc_8F841E:				; CODE XREF: CmSnapshotRMTxArray+33j
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		mov	edx, esi
		mov	ecx, edi
		call	_CmpReserveRollbackPacketSpace@8 ; CmpReserveRollbackPacketSpace(x,x)
		test	eax, eax
		jns	loc_7DCD6A
		jmp	loc_7DCDB0
; 

loc_8F8439:				; CODE XREF: CmSnapshotRMTxArray+4Bj
		test	byte ptr [eax+18h], 8
		jnz	loc_7DCD96
		mov	edx, [eax+24h]
		mov	ecx, edi
		call	_CmpAddEnlistmentToRollbackPacket@8 ; CmpAddEnlistmentToRollbackPacket(x,x)
		jmp	loc_7DCD96
; END OF FUNCTION CHUNK	FOR CmSnapshotRMTxArray
; 
; START	OF FUNCTION CHUNK FOR CmRmFinalizeRecovery

loc_8F8452:				; CODE XREF: CmRmFinalizeRecovery+30j
		cmp	[esi+4], edi
		jnz	short loc_8F84CA
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_8F84CA
		mov	[edi], eax
		mov	[eax+4], edi
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		lea	edx, [ebp+var_20]
		mov	ecx, esi
		call	_CmpTransMgrRollback@8 ; CmpTransMgrRollback(x,x)
		lea	ecx, [ebp+var_1C]
		call	CmpAttachToRegistryProcess
		push	8
		pop	edx
		mov	ecx, esi
		call	_CmpTransMgrFreeVolatileData@8 ; CmpTransMgrFreeVolatileData(x,x)
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		cmp	dword ptr [esi+1Ch], 0
		jz	short loc_8F849C
		push	dword ptr [esi+1Ch]
		call	_CmpTransDereferenceTransaction@4 ; CmpTransDereferenceTransaction(x)

loc_8F849C:				; CODE XREF: CmRmFinalizeRecovery+11B63Cj
		mov	ecx, [esi+24h]
		test	ecx, ecx
		jz	short loc_8F84A8
		call	ObfDereferenceObject

loc_8F84A8:				; CODE XREF: CmRmFinalizeRecovery+11B64Bj
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_8F84B5
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_8F84B5:				; CODE XREF: CmRmFinalizeRecovery+11B657j
		push	72544D43h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		call	_LOCK_TRANSACTION_LIST@0 ; LOCK_TRANSACTION_LIST()
		jmp	loc_7DCE82
; 

loc_8F84CA:				; CODE XREF: CmRmFinalizeRecovery+11B5FFj
					; CmRmFinalizeRecovery+11B606j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8F84CF:				; CODE XREF: PoSetProcessEnergyTrackingState+1Cj
		mov	esi, 0C00000BBh
		jmp	loc_7DD05B
; END OF FUNCTION CHUNK	FOR CmRmFinalizeRecovery
; 
; START	OF FUNCTION CHUNK FOR PoSetProcessEnergyTrackingState

loc_8F84D9:				; CODE XREF: PoSetProcessEnergyTrackingState+25j
					; PoSetProcessEnergyTrackingState+32j ...
		mov	esi, 0C000000Dh
		jmp	loc_7DD03B
; END OF FUNCTION CHUNK	FOR PoSetProcessEnergyTrackingState
; 
; START	OF FUNCTION CHUNK FOR PspApplyIFEOPerfOptions

loc_8F84E3:				; CODE XREF: PspApplyIFEOPerfOptions+19j
		mov	edi, [esi+8]
		cmp	edi, 4
		jnb	loc_7DD143
		cmp	edi, 2
		jbe	short loc_8F8511
		push	[ebp+arg_0]
		push	ds:dword_A949F4
		push	ds:_SeIncreaseBasePriorityPrivilege
		call	SeSinglePrivilegeCheck
		and	eax, 1
		jz	loc_7DD143

loc_8F8511:				; CODE XREF: PspApplyIFEOPerfOptions+11B3CEj
		mov	eax, [ebx+0FCh]
		lea	esi, [ebx+0FCh]
		shl	edi, 1Bh

loc_8F8520:				; CODE XREF: PspApplyIFEOPerfOptions+11B40Ej
		mov	ecx, eax
		mov	edx, eax
		and	ecx, 0C7FFFFFFh
		or	ecx, edi
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_8F8520
		mov	esi, [esp+18h+var_8]
		jmp	loc_7DD143
; 

loc_8F853D:				; CODE XREF: PspApplyIFEOPerfOptions+5Ej
		cmp	dword ptr [esi+10h], 0FFh
		ja	loc_7DD188
		push	[ebp+arg_0]
		mov	dl, [esi+10h]
		mov	ecx, ebx
		push	0
		call	PspSetProcessPriorityClass
		jmp	loc_7DD188
; END OF FUNCTION CHUNK	FOR PspApplyIFEOPerfOptions
; 
; START	OF FUNCTION CHUNK FOR AslPathSplit

loc_8F855E:				; CODE XREF: AslPathSplit+52j
		mov	edi, esi
		jmp	loc_7DD291
; 

loc_8F8565:				; CODE XREF: AslPathSplit+6Dj
		push	esi
		push	(offset	loc_8C4E4F+1)
		push	4D6h
		jmp	short loc_8F857D
; 

loc_8F8572:				; CODE XREF: AslPathSplit+11B3AAj
		push	esi
		push	offset ??_C@_0BO@LFCDCAJH@RtlStringCchCopyW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	505h

loc_8F857D:				; CODE XREF: AslPathSplit+11B352j
					; AslPathSplit+11B37Ej	...
		push	offset ??_C@_0N@PFKILGJP@AslPathSplit@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_7DD322
; 

loc_8F8591:				; CODE XREF: AslPathSplit+93j
		push	esi
		push	offset ??_C@_0BO@LFCDCAJH@RtlStringCchCopyW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	4EAh
		jmp	short loc_8F857D
; 

loc_8F859E:				; CODE XREF: AslPathSplit+D5j
		push	esi
		push	(offset	loc_8C4E4F+1)
		push	4F7h
		jmp	short loc_8F857D
; 

loc_8F85AB:				; CODE XREF: AslPathSplit+FCj
		push	esi
		push	offset ??_C@_0BO@LFCDCAJH@RtlStringCchCopyW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	4FEh
		jmp	short loc_8F857D
; 

loc_8F85B8:				; CODE XREF: AslPathSplit+BEj
		push	eax
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		jns	loc_7DD320
		jmp	short loc_8F8572
; END OF FUNCTION CHUNK	FOR AslPathSplit
; 
; START	OF FUNCTION CHUNK FOR PsGetThreadExitStatus

loc_8F85CA:				; CODE XREF: PsGetThreadExitStatus+19j
		mov	ecx, edi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	eax, 103h
		jmp	loc_7DD379
; END OF FUNCTION CHUNK	FOR PsGetThreadExitStatus
; 
; START	OF FUNCTION CHUNK FOR CmpInsertSecurityCellList

loc_8F85DB:				; CODE XREF: CmpInsertSecurityCellList+50j
		xor	al, al
		jmp	loc_7DD42B
; 

loc_8F85E2:				; CODE XREF: CmpInsertSecurityCellList+D6j
		mov	edi, ebx
		jmp	loc_7DD47B
; 

loc_8F85E9:				; CODE XREF: CmpInsertSecurityCellList+76j
		cmp	[ebp+var_1], 0
		jz	short loc_8F8604
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		mov	ecx, [ebp+var_8]
		mov	eax, [edx+8]
		mov	[ecx+8], eax

loc_8F8604:				; CODE XREF: CmpInsertSecurityCellList+139j
					; CmpInsertSecurityCellList+152j ...
		cmp	[ebp+var_8], 0
		jz	short loc_8F8612
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_8F8612:				; CODE XREF: CmpInsertSecurityCellList+123j
					; CmpInsertSecurityCellList+11B288j
		cmp	[ebp+var_C], 0
		jz	short loc_8F8620
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_8F8620:				; CODE XREF: CmpInsertSecurityCellList+10Cj
					; CmpInsertSecurityCellList+11B296j
		test	edi, edi
		jz	short loc_8F8630
		cmp	edi, ebx
		jz	short loc_8F8630
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_8F8630:				; CODE XREF: CmpInsertSecurityCellList+F5j
					; CmpInsertSecurityCellList+11B2A2j ...
		test	ebx, ebx
		jz	short loc_8F863C
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_8F863C:				; CODE XREF: CmpInsertSecurityCellList+C1j
					; CmpInsertSecurityCellList+11B2B2j
		mov	byte ptr [ebp+var_14], 0
		jmp	loc_7DD420
; END OF FUNCTION CHUNK	FOR CmpInsertSecurityCellList

;  S U B	R O U T	I N E 


sub_8F8645	proc near		; CODE XREF: CmpWakeWriteQueueWaiters+Aj
		push	ebx
		mov	ebx, [ebp+8]
		push	esi

loc_8F864A:				; CODE XREF: sub_8F8645+19j
		mov	esi, [edx+14h]
		push	0
		push	0
		push	edx
		mov	[edx+10h], ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	edx, esi
		test	esi, esi
		jnz	short loc_8F864A
		pop	esi
		pop	ebx
		jmp	loc_7DD556
sub_8F8645	endp

; 
; START	OF FUNCTION CHUNK FOR SeTokenDefaultDaclChangedAuditAlarm

loc_8F8667:				; CODE XREF: SeTokenDefaultDaclChangedAuditAlarm+71j
		push	0C000007Ch
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	loc_7DD634
; 

loc_8F8676:				; CODE XREF: SeTokenDefaultDaclChangedAuditAlarm+8Cj
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		call	_SepIsAclEqual@8 ; SepIsAclEqual(x,x)
		test	al, al
		jnz	loc_7DD610
		mov	eax, [esp+58h+var_3C]
		test	eax, eax
		jz	short loc_8F86B4
		lea	edx, [esp+58h+var_4C]
		mov	ecx, eax
		call	_SepQueryTypeString@8 ;	SepQueryTypeString(x,x)
		mov	edi, [esp+58h+var_4C]
		mov	esi, eax
		test	esi, esi
		js	loc_8F8771
		test	edi, edi
		jz	short loc_8F86B8
		mov	[esp+58h+var_40], edi
		jmp	short loc_8F86B8
; 

loc_8F86B4:				; CODE XREF: SeTokenDefaultDaclChangedAuditAlarm+11B113j
		mov	edi, [esp+58h+var_4C]

loc_8F86B8:				; CODE XREF: SeTokenDefaultDaclChangedAuditAlarm+11B130j
					; SeTokenDefaultDaclChangedAuditAlarm+11B136j
		push	1
		lea	eax, [esp+5Ch+var_28]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8F8771
		push	0
		push	[ebp+arg_4]
		lea	eax, [esp+60h+var_28]
		push	1
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_8F8771
		lea	eax, [esp+58h+var_48]
		push	eax		; int
		push	1		; int
		push	1		; int
		push	0		; char
		lea	eax, [esp+68h+var_28]
		push	eax		; size_t
		call	SeCaptureSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_8F8771
		push	1
		lea	eax, [esp+5Ch+var_14]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8F8771
		push	0
		push	[ebp+arg_8]
		lea	eax, [esp+60h+var_14]
		push	1
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_8F8771
		lea	eax, [esp+58h+var_44]
		push	eax		; int
		push	1		; int
		push	1		; int
		push	0		; char
		lea	eax, [esp+68h+var_14]
		push	eax		; size_t
		call	SeCaptureSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_8F8771
		push	[esp+58h+var_44]
		mov	eax, [ebx+94h]
		lea	ecx, [esp+5Ch+var_38]
		push	4
		push	[esp+60h+var_48]
		mov	edx, offset _SeSubsystemName
		push	dword ptr [eax]
		push	[ebp+arg_0]
		push	0
		push	[esp+70h+var_40]
		call	_SepAdtSecurityDescriptorChangedAuditAlarm@36 ;	SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)

loc_8F8771:				; CODE XREF: SeTokenDefaultDaclChangedAuditAlarm+11B128j
					; SeTokenDefaultDaclChangedAuditAlarm+11B14Cj ...
		test	edi, edi
		jz	loc_7DD610
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7DD610
; 

loc_8F8786:				; CODE XREF: SeTokenDefaultDaclChangedAuditAlarm+99j
		push	1
		push	0
		push	[esp+60h+var_48]
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		jmp	loc_7DD61B
; 

loc_8F8798:				; CODE XREF: SeTokenDefaultDaclChangedAuditAlarm+A4j
		push	1
		push	0
		push	[esp+60h+var_44]
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		jmp	loc_7DD626
; END OF FUNCTION CHUNK	FOR SeTokenDefaultDaclChangedAuditAlarm
; 
; START	OF FUNCTION CHUNK FOR SepSetTokenClaims

loc_8F87AA:				; CODE XREF: SepSetTokenClaims+2Ej
		mov	eax, [esi+0C0h]
		cmp	[eax+40h], ebx
		jnz	short loc_8F881D
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [esi+0C0h]
		xor	edx, edx
		add	ecx, 3Ch
		call	ExAcquirePushLockExclusiveEx
		mov	edi, [esi+0C0h]
		cmp	[edi+40h], ebx
		jnz	short loc_8F87EC
		mov	eax, [ebp+var_4]
		mov	bl, 1
		mov	[edi+40h], eax
		mov	edi, [esi+0C0h]

loc_8F87EC:				; CODE XREF: SepSetTokenClaims+11B128j
		add	edi, 3Ch
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8F8803
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8F8803:				; CODE XREF: SepSetTokenClaims+11B146j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, [ebp+var_4]
		test	bl, bl
		jnz	short loc_8F8843

loc_8F881D:				; CODE XREF: SepSetTokenClaims+11B0FFj
		mov	edx, [esi+0C0h]
		mov	ecx, edi
		mov	edx, [edx+40h]
		call	SepCompareClaimAttributes
		test	al, al
		jnz	short loc_8F8843
		or	dword ptr [esi+0B0h], 8000h
		mov	[esi+27Ch], edi
		jmp	short loc_8F885D
; 

loc_8F8843:				; CODE XREF: SepSetTokenClaims+11B167j
					; SepSetTokenClaims+11B17Bj
		mov	eax, [esi+0C0h]
		mov	eax, [eax+40h]
		mov	[esi+27Ch], eax
		test	bl, bl
		jnz	short loc_8F885D
		mov	ecx, edi
		call	_SepDeleteClaimAttributes@4 ; SepDeleteClaimAttributes(x)

loc_8F885D:				; CODE XREF: SepSetTokenClaims+11B18Dj
					; SepSetTokenClaims+11B1A0j
		mov	eax, [ebp+arg_8]
		jmp	loc_7DD6EE
; END OF FUNCTION CHUNK	FOR SepSetTokenClaims
; 
; START	OF FUNCTION CHUNK FOR SepCreateClaimAttributes

loc_8F8865:				; CODE XREF: SepCreateClaimAttributes+3Aj
					; SepCreateClaimAttributes+43j	...
		call	_AuthzBasepAllocateClaimCollectionNoLists@0 ; AuthzBasepAllocateClaimCollectionNoLists()
		mov	edi, eax
		test	edi, edi
		jnz	short loc_8F887A
		mov	esi, 0C000009Ah
		jmp	loc_8F89B8
; 

loc_8F887A:				; CODE XREF: SepCreateClaimAttributes+11B178j
		cmp	[ebp+var_14], ebx
		jz	short loc_8F88B9
		call	_AuthzBasepAllocateSecurityAttributesList@0 ; AuthzBasepAllocateSecurityAttributesList()
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_8F8895
		mov	esi, 0C000009Ah
		jmp	loc_8F89B0
; 

loc_8F8895:				; CODE XREF: SepCreateClaimAttributes+11B193j
		push	[ebp+var_14]
		lea	edx, [ebp+var_18]
		mov	ecx, eax
		call	AuthzBasepSetSecurityAttributesToken
		mov	esi, eax
		test	esi, esi
		js	loc_8F8969
		mov	eax, [ebp+var_8]
		mov	[ebp+var_1], 1
		mov	[edi+120h], eax

loc_8F88B9:				; CODE XREF: SepCreateClaimAttributes+11B187j
		cmp	[ebp+arg_0], ebx
		jz	short loc_8F88EE
		call	_AuthzBasepAllocateSecurityAttributesList@0 ; AuthzBasepAllocateSecurityAttributesList()
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8F89BF
		push	[ebp+arg_0]
		lea	edx, [ebp+var_18]
		mov	ecx, ebx
		call	AuthzBasepSetSecurityAttributesToken
		mov	esi, eax
		test	esi, esi
		js	loc_8F8969
		mov	[ebp+var_2], 1
		mov	[edi+124h], ebx

loc_8F88EE:				; CODE XREF: SepCreateClaimAttributes+11B1C6j
		cmp	[ebp+arg_8], 0
		jz	short loc_8F8960
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_8F8960
		lea	ecx, [ebp+var_C]
		mov	edx, eax
		push	ecx
		mov	ecx, [ebp+arg_8]
		call	_SepLengthSidAndAttributesArray@12 ; SepLengthSidAndAttributesArray(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8F8969
		push	64546553h
		push	[ebp+var_C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_8F89BF
		mov	edx, [ebp+arg_4] ; int
		lea	ecx, [ebp+arg_0]
		push	ecx		; int
		lea	ecx, [ebp+var_1C]
		push	ecx		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+var_C]	; int
		mov	ecx, [ebp+arg_8] ; void	*
		push	eax		; void *
		push	0		; char
		call	SeCaptureSidAndAttributesArray
		mov	esi, eax
		test	esi, esi
		js	short loc_8F8969
		mov	edx, [ebp+arg_4]
		lea	eax, [edi+10h]
		mov	ecx, [ebp+var_10]
		push	eax		; void *
		push	edx		; int
		push	ecx		; int
		mov	[edi], edx
		mov	[edi+4], ecx
		call	RtlSidHashInitialize

loc_8F8960:				; CODE XREF: SepCreateClaimAttributes+11B1FCj
					; SepCreateClaimAttributes+11B203j
		mov	eax, [ebp+var_20]
		mov	[eax], edi
		test	esi, esi
		jns	short loc_8F89B8

loc_8F8969:				; CODE XREF: SepCreateClaimAttributes+11B1B0j
					; SepCreateClaimAttributes+11B1E8j ...
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_8F8988
		cmp	[ebp+var_1], 0
		jz	short loc_8F8980
		mov	ecx, eax
		call	AuthzBasepFreeSecurityAttributesList
		mov	eax, [ebp+var_8]

loc_8F8980:				; CODE XREF: SepCreateClaimAttributes+11B27Ej
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F8988:				; CODE XREF: SepCreateClaimAttributes+11B278j
		test	ebx, ebx
		jz	short loc_8F89A1
		cmp	[ebp+var_2], 0
		jz	short loc_8F8999
		mov	ecx, ebx
		call	AuthzBasepFreeSecurityAttributesList

loc_8F8999:				; CODE XREF: SepCreateClaimAttributes+11B29Aj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F89A1:				; CODE XREF: SepCreateClaimAttributes+11B294j
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_8F89B0
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F89B0:				; CODE XREF: SepCreateClaimAttributes+11B19Aj
					; SepCreateClaimAttributes+11B2B0j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8F89B8:				; CODE XREF: SepCreateClaimAttributes+11B17Fj
					; SepCreateClaimAttributes+11B271j
		mov	eax, esi
		jmp	loc_7DD74A
; 

loc_8F89BF:				; CODE XREF: SepCreateClaimAttributes+11B1D1j
					; SepCreateClaimAttributes+11B22Dj
		mov	esi, 0C000009Ah
		jmp	short loc_8F8969
; END OF FUNCTION CHUNK	FOR SepCreateClaimAttributes
; 
; START	OF FUNCTION CHUNK FOR ExpSetWorkerFactoryDeferredCreateTimer

loc_8F89C6:				; CODE XREF: ExpSetWorkerFactoryDeferredCreateTimer+14j
		mov	edx, _ExpWorkerFactoryDeferredLongTimeout
		mov	edi, 1F4h
		mov	esi, dword_6BBA34
		jmp	loc_7DD9CD
; 

loc_8F89DC:				; CODE XREF: ExpSetWorkerFactoryDeferredCreateTimer+52j
		mov	[ebp+var_4], ecx
		mov	eax, ecx
		cmp	ebx, ecx
		jg	loc_7DD9D9
		jmp	loc_7DDA03
; END OF FUNCTION CHUNK	FOR ExpSetWorkerFactoryDeferredCreateTimer
; 
; START	OF FUNCTION CHUNK FOR PfpQueryGpuUtilization

loc_8F89EE:				; CODE XREF: PfpQueryGpuUtilization+21j
		mov	eax, 0C0000206h
		jmp	loc_7DDAC7
; END OF FUNCTION CHUNK	FOR PfpQueryGpuUtilization

;  S U B	R O U T	I N E 


sub_8F89F8	proc near		; DATA XREF: .text:006A43C8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F89F8	endp


;  S U B	R O U T	I N E 


sub_8F8A06	proc near		; DATA XREF: .text:006A43CCo
		mov	eax, [ebp-40h]
		jmp	short loc_8F8A1C
; 

loc_8F8A0B:				; DATA XREF: .text:006A43BCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8F8A19:				; DATA XREF: .text:006A43C0o
		mov	eax, [ebp-44h]

loc_8F8A1C:				; CODE XREF: sub_8F8A06+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7DDAC7
sub_8F8A06	endp

; 
; START	OF FUNCTION CHUNK FOR RtlCreateHeap

loc_8F8A2B:				; CODE XREF: RtlCreateHeap+74j
		test	eax, 200h
		jnz	short loc_8F8A5E
		test	eax, 10000000h
		jnz	short loc_8F8A72
		mov	ecx, eax
		and	ecx, 0FFF80C00h
		cmp	_RtlpHeapErrorHandlerThreshold,	2
		jl	short loc_8F8A66
		test	ecx, ecx
		jz	short loc_8F8A72
		push	offset ??_C@_0CK@BNECCOKI@?$CB?$CICheckedFlags?5?$CG?5?$HOHEAP_CREATE_V@NNGAKEGL@
		call	_DbgPrint
		pop	ecx
		call	_RtlpHeapHandleError@4 ; RtlpHeapHandleError(x)

loc_8F8A5E:				; CODE XREF: RtlCreateHeap+11AF22j
					; RtlCreateHeap+11B04Ej ...
		mov	edi, [ebp+var_5C]
		jmp	loc_7DDC0C
; 

loc_8F8A66:				; CODE XREF: RtlCreateHeap+11AF3Aj
		test	ecx, ecx
		jz	short loc_8F8A72
		and	eax, 7F3FFh
		mov	[ebp+arg_0], eax

loc_8F8A72:				; CODE XREF: RtlCreateHeap+11AF29j
					; RtlCreateHeap+11AF3Ej ...
		push	30h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_E4]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	short loc_8F8AA2
		mov	[ebp+ms_exc.disabled], ebx
		cmp	dword ptr [esi], 30h
		jnz	short loc_8F8A9B
		push	0Ch
		pop	ecx
		lea	edi, [ebp+var_E4]
		rep movsd

loc_8F8A9B:				; CODE XREF: RtlCreateHeap+11AF80j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_8F8AA2:				; CODE XREF: RtlCreateHeap+11AF78j
		mov	ecx, [ebp+var_64]
		mov	eax, [ebp+arg_0]
		test	cl, 10h
		jz	short loc_8F8AB3
		or	eax, 20h
		mov	[ebp+arg_0], eax

loc_8F8AB3:				; CODE XREF: RtlCreateHeap+11AF9Dj
		test	cl, 20h
		jz	short loc_8F8ABE
		or	eax, 40h
		mov	[ebp+arg_0], eax

loc_8F8ABE:				; CODE XREF: RtlCreateHeap+11AFA8j
		test	ecx, 200000h
		jz	short loc_8F8ACE
		or	eax, 80h
		mov	[ebp+arg_0], eax

loc_8F8ACE:				; CODE XREF: RtlCreateHeap+11AFB6j
		mov	eax, [ebp+var_E0]
		mov	[ebp+var_90], eax
		test	eax, eax
		jnz	short loc_8F8AE9
		mov	eax, ds:dword_7051E4
		mov	[ebp+var_90], eax

loc_8F8AE9:				; CODE XREF: RtlCreateHeap+11AFCEj
		mov	ecx, [ebp+var_DC]
		mov	[ebp+var_94], ecx
		test	ecx, ecx
		jnz	short loc_8F8B04
		mov	eax, ds:dword_7051E0
		mov	[ebp+var_94], eax

loc_8F8B04:				; CODE XREF: RtlCreateHeap+11AFE9j
		mov	eax, [ebp+var_D8]
		mov	[ebp+var_98], eax
		test	eax, eax
		jnz	short loc_8F8B1F
		mov	eax, ds:dword_7051D8
		mov	[ebp+var_98], eax

loc_8F8B1F:				; CODE XREF: RtlCreateHeap+11B004j
		mov	ecx, [ebp+var_D4]
		mov	[ebp+var_88], ecx
		test	ecx, ecx
		jnz	short loc_8F8B3A
		mov	eax, ds:dword_7051DC
		mov	[ebp+var_88], eax

loc_8F8B3A:				; CODE XREF: RtlCreateHeap+11B01Fj
		mov	eax, dword_6FE0D8
		test	eax, eax
		jnz	short loc_8F8B6A
		mov	dword_6FE0DC, 10000h
		push	ebx
		push	2Ch
		lea	eax, [ebp+var_48]
		push	eax
		push	ebx
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	loc_8F8A5E
		mov	eax, [ebp+var_28]
		mov	dword_6FE0D8, eax

loc_8F8B6A:				; CODE XREF: RtlCreateHeap+11B033j
		mov	ecx, [ebp+var_D0]
		mov	[ebp+var_70], ecx
		test	ecx, ecx
		jnz	short loc_8F8B88
		mov	ecx, eax
		sub	ecx, dword_6FE0DC
		sub	ecx, 1000h
		mov	[ebp+var_70], ecx

loc_8F8B88:				; CODE XREF: RtlCreateHeap+11B067j
		mov	eax, [ebp+var_CC]
		mov	[ebp+var_74], eax
		test	eax, eax
		jz	short loc_8F8B9C
		cmp	eax, 7F000h
		jbe	short loc_8F8BA3

loc_8F8B9C:				; CODE XREF: RtlCreateHeap+11B085j
		mov	[ebp+var_74], 7F000h

loc_8F8BA3:				; CODE XREF: RtlCreateHeap+11B08Cj
		mov	edx, [ebp+arg_C]
		test	edx, edx
		jnz	short loc_8F8BDA
		mov	edx, 1000h
		jmp	short loc_8F8BE6
; END OF FUNCTION CHUNK	FOR RtlCreateHeap

;  S U B	R O U T	I N E 


sub_8F8BB1	proc near		; DATA XREF: .text:006A43E4o
		mov	edx, [ebp-14h]
		mov	eax, [edx]
		mov	ecx, [eax]
		call	_RtlpHeapExceptionFilter@8 ; RtlpHeapExceptionFilter(x,x)
		retn
sub_8F8BB1	endp


;  S U B	R O U T	I N E 


sub_8F8BBE	proc near		; DATA XREF: .text:006A43E8o
		mov	esp, [ebp-18h]
		xor	ebx, ebx
		mov	esi, ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-70h]
		mov	edx, [ebp-88h]
		jmp	loc_7DDBDC
sub_8F8BBE	endp

; 
; START	OF FUNCTION CHUNK FOR RtlCreateHeap

loc_8F8BDA:				; CODE XREF: RtlCreateHeap+11B09Aj
		add	edx, 0FFFh
		and	edx, 0FFFFF000h

loc_8F8BE6:				; CODE XREF: RtlCreateHeap+11B0A1j
		mov	[ebp+var_68], edx
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	short loc_8F8BFE
		lea	ecx, [edx+0FFFFh]
		and	ecx, 0FFFF0000h
		jmp	short loc_8F8C0A
; 

loc_8F8BFE:				; CODE XREF: RtlCreateHeap+11B0E0j
		add	ecx, 0FFFh
		and	ecx, 0FFFFF000h

loc_8F8C0A:				; CODE XREF: RtlCreateHeap+11B0EEj
		mov	[ebp+var_58], ecx
		cmp	edx, ecx
		jbe	short loc_8F8C16
		mov	[ebp+var_68], ecx
		mov	edx, ecx

loc_8F8C16:				; CODE XREF: RtlCreateHeap+11B101j
		mov	eax, [ebp+arg_0]
		mov	edi, [ebp+var_5C]
		test	al, 2
		jz	short loc_8F8C56
		test	edi, edi
		jnz	short loc_8F8C56
		mov	[ebp+var_8C], 1000h
		mov	[ebp+var_84], 2
		lea	eax, [ecx-1000h]
		cmp	eax, edx
		mov	eax, [ebp+arg_0]
		jnb	short loc_8F8C5C
		add	ecx, 10FFFh
		and	ecx, 0FFFF0000h
		mov	[ebp+var_58], ecx
		jmp	short loc_8F8C5C
; 

loc_8F8C56:				; CODE XREF: RtlCreateHeap+11B110j
					; RtlCreateHeap+11B114j
		mov	[ebp+var_8C], ebx

loc_8F8C5C:				; CODE XREF: RtlCreateHeap+11B135j
					; RtlCreateHeap+11B146j
		test	edx, edx
		jz	loc_7DDC0C
		test	ecx, ecx
		jz	loc_7DDC0C
		mov	[ebp+var_64], 258h
		mov	edx, [ebp+var_50]
		test	al, 1
		jnz	short loc_8F8CF3
		test	edx, edx
		jz	short loc_8F8C86
		or	eax, 80000000h
		mov	[ebp+arg_0], eax

loc_8F8C86:				; CODE XREF: RtlCreateHeap+11B16Ej
		mov	ecx, edx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 0FFFFFFC8h
		add	ecx, 290h
		mov	[ebp+var_64], ecx
		mov	esi, edx
		neg	esi
		sbb	esi, esi
		and	esi, edx
		mov	[ebp+var_54], esi

loc_8F8CA3:				; CODE XREF: RtlCreateHeap+11B1E7j
		test	edi, edi
		jz	loc_8F8DDB
		cmp	[ebp+var_C0], 0
		jz	short sub_8F8D0E
		mov	edx, [ebp+var_C8]
		test	edx, edx
		jz	short loc_8F8D01
		mov	ecx, [ebp+var_C4]
		test	ecx, ecx
		jz	short loc_8F8D01
		cmp	edx, ecx
		ja	short loc_8F8D01
		test	al, 2
		jnz	short loc_8F8D01
		mov	[ebp+var_60], edi
		lea	eax, [edi+edx]
		mov	[ebp+var_6C], eax
		mov	[ebp+var_58], ecx
		push	1000h		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, [ebp+var_60]
		jmp	loc_8F8DC4
; 

loc_8F8CF3:				; CODE XREF: RtlCreateHeap+11B16Aj
		test	edx, edx
		jz	short loc_8F8CA3
		mov	esi, ebx
		jmp	loc_7DDBDC
; 

loc_8F8CFE:				; CODE XREF: RtlCreateHeap+11B4EDj
		mov	edi, [ebp+var_5C]

loc_8F8D01:				; CODE XREF: RtlCreateHeap+11B1AEj
					; RtlCreateHeap+11B1B8j ...
		mov	eax, [ebp+var_54]
		mov	esi, ebx
		mov	edx, [ebp+var_50]
		jmp	loc_7DDBDE
; END OF FUNCTION CHUNK	FOR RtlCreateHeap

;  S U B	R O U T	I N E 


sub_8F8D0E	proc near		; CODE XREF: RtlCreateHeap+11B1A4j
		push	ebx
		push	1Ch
		lea	eax, [ebp-0B4h]
		push	eax
		push	ebx
		push	edi
		push	0FFFFFFFFh
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8F8D01
		mov	eax, [ebp-0B4h]
		mov	[ebp-6Ch], eax
		cmp	eax, edi
		jnz	short loc_8F8D01
		cmp	dword ptr [ebp-0A4h], 10000h
		jz	short loc_8F8D01
		mov	ecx, eax
		mov	[ebp-60h], ecx
		mov	edx, 1000h
		cmp	[ebp-0A4h], edx
		jnz	short loc_8F8DA7
		mov	esi, [ebp+8]
		test	esi, 40000h
		jz	short loc_8F8D64
		test	byte ptr [ebp-0A0h], 40h
		jz	short loc_8F8D01

loc_8F8D64:				; CODE XREF: sub_8F8D0E+4Bj
		push	edx		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	ebx
		push	1Ch
		lea	eax, [ebp-100h]
		push	eax
		push	3
		push	edi
		push	0FFFFFFFFh
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	loc_8F8D01
		mov	eax, [ebp-0F4h]
		mov	[ebp-58h], eax
		mov	eax, [ebp-0A8h]
		mov	[ebp-68h], eax
		mov	ecx, [ebp-60h]
		add	eax, ecx
		mov	[ebp-6Ch], eax
		jmp	short loc_8F8DC7
; 

loc_8F8DA7:				; CODE XREF: sub_8F8D0E+40j
		mov	esi, [ebp-0A8h]
		mov	[ebp-58h], esi
		mov	eax, [ebp-68h]
		cmp	eax, esi
		jbe	short loc_8F8DBC
		mov	eax, esi
		mov	[ebp-68h], eax

loc_8F8DBC:				; CODE XREF: sub_8F8D0E+A7j
		cmp	eax, edx
		jb	loc_8F8D01

loc_8F8DC4:				; CODE XREF: RtlCreateHeap+11B1E0j
		mov	esi, [ebp+8]

loc_8F8DC7:				; CODE XREF: sub_8F8D0E+97j
		or	dword ptr [ebp-84h], 1
		mov	edx, edi
		mov	[ebp-4Ch], edx
		mov	eax, [ebp-6Ch]
		jmp	loc_8F8E75
sub_8F8D0E	endp

; 
; START	OF FUNCTION CHUNK FOR RtlCreateHeap

loc_8F8DDB:				; CODE XREF: RtlCreateHeap+11B197j
		mov	[ebp+var_7C], ebx
		cmp	[ebp+var_C0], 0
		jz	short loc_8F8DF1
		mov	esi, ebx
		mov	eax, [ebp+var_54]
		jmp	loc_7DDBDE
; 

loc_8F8DF1:				; CODE XREF: RtlCreateHeap+11B2D7j
		call	_RtlpHeapGenerateRandomValue64@0 ; RtlpHeapGenerateRandomValue64()
		and	eax, 1Fh
		shl	eax, 10h
		mov	[ebp+var_78], eax
		mov	ecx, [ebp+var_58]
		add	eax, ecx
		mov	[ebp+var_80], eax
		cmp	eax, ecx
		jnb	short loc_8F8E11
		mov	[ebp+var_80], ecx
		mov	[ebp+var_78], ebx

loc_8F8E11:				; CODE XREF: RtlCreateHeap+11B2FBj
		push	4
		push	2000h
		lea	eax, [ebp+var_80]
		push	eax
		push	ebx
		lea	eax, [ebp+var_7C]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	loc_8F8D01
		mov	edx, [ebp+var_7C]
		mov	[ebp+var_4C], edx
		mov	eax, [ebp+var_80]
		mov	[ebp+var_58], eax
		cmp	[ebp+var_78], 0
		jz	short loc_8F8E68
		push	8000h
		lea	eax, [ebp+var_78]
		push	eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)
		mov	edx, [ebp+var_7C]
		add	edx, [ebp+var_78]
		mov	[ebp+var_4C], edx
		mov	eax, [ebp+var_80]
		sub	eax, [ebp+var_78]
		mov	[ebp+var_58], eax

loc_8F8E68:				; CODE XREF: RtlCreateHeap+11B332j
		mov	ecx, edx
		mov	[ebp+var_60], ecx
		mov	eax, edx
		mov	[ebp+var_6C], eax
		mov	esi, [ebp+arg_0]

loc_8F8E75:				; CODE XREF: sub_8F8D0E+C8j
		cmp	ecx, eax
		jnz	short loc_8F8EA4
		push	4
		push	1000h
		lea	eax, [ebp+var_68]
		push	eax
		push	ebx
		lea	eax, [ebp+var_60]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	loc_8F8D01
		mov	eax, [ebp+var_6C]
		add	eax, [ebp+var_68]
		mov	[ebp+var_6C], eax
		mov	edx, [ebp+var_4C]

loc_8F8EA4:				; CODE XREF: RtlCreateHeap+11B369j
		lea	edi, [edx+258h]
		test	_NtGlobalFlag, 800h
		jz	short loc_8F8EE3
		lea	eax, [edi+7]
		and	eax, 0FFFFFFF8h
		mov	[edx+0BCh], eax
		mov	ecx, 60Ch
		mov	eax, [ebp+var_64]
		add	eax, ecx
		mov	edx, [ebp+var_4C]
		mov	edi, [edx+0BCh]
		add	edi, ecx
		or	[ebp+arg_0], 4000000h
		mov	esi, [ebp+arg_0]
		jmp	short loc_8F8EE6
; 

loc_8F8EE3:				; CODE XREF: RtlCreateHeap+11B3A6j
		mov	eax, [ebp+var_64]

loc_8F8EE6:				; CODE XREF: RtlCreateHeap+11B3D3j
		add	eax, 7
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_64], eax
		shr	eax, 3
		mov	[edx], ax
		mov	eax, [ebp+var_4C]
		mov	byte ptr [eax+2], 1
		mov	eax, [ebp+var_4C]
		mov	byte ptr [eax+7], 1
		mov	eax, [ebp+var_4C]
		mov	dword ptr [eax+60h], 0EEFFEEFFh
		mov	ecx, esi
		and	ecx, 0EFFFFFFFh
		mov	eax, [ebp+var_4C]
		mov	[eax+40h], ecx
		mov	eax, [ebp+var_4C]
		mov	[eax+58h], ebx
		push	5Ch		; size_t
		push	ebx		; int
		mov	eax, [ebp+var_4C]
		add	eax, 1F4h
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, [ebp+var_4C]
		call	_RtlpCreateHeapEncoding@4 ; RtlpCreateHeapEncoding(x)
		mov	edx, [ebp+arg_0]
		mov	ecx, edx
		and	ecx, 6001007Dh
		mov	eax, [ebp+var_4C]
		mov	[eax+44h], ecx
		mov	ecx, edi
		mov	eax, [ebp+var_4C]
		sub	ecx, eax
		mov	[eax+7Eh], cx
		mov	eax, [ebp+var_4C]
		mov	[eax+80h], ebx
		mov	eax, [ebp+var_4C]
		add	eax, 0C0h
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+var_4C]
		add	eax, 9Ch
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+var_4C]
		add	eax, 0A4h
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+var_4C]
		add	eax, 8Ch
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	[ebp+var_54], 0
		jnz	short loc_8F8FB5
		test	dl, 1
		jnz	short loc_8F8FB5
		mov	[ebp+var_54], edi
		push	edi
		call	ExInitializeResourceLite
		test	eax, eax
		js	loc_8F8A5E
		add	edi, 38h

loc_8F8FB5:				; CODE XREF: RtlCreateHeap+11B48Cj
					; RtlCreateHeap+11B491j
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_54]
		mov	[eax+0C8h], ecx
		mov	eax, [ebp+var_4C]
		or	dword ptr [eax+48h], 80000000h
		mov	eax, [ebp+var_58]
		sub	eax, [ebp+var_8C]
		add	eax, [ebp+var_60]
		push	eax
		mov	eax, [ebp+var_6C]
		push	eax
		push	[ebp+var_60]
		push	[ebp+var_84]
		push	ecx
		mov	eax, [ebp+var_64]
		add	eax, 238h
		push	eax
		mov	ecx, [ebp+var_4C]
		mov	edx, ecx
		call	_RtlpInitializeHeapSegment@32 ;	RtlpInitializeHeapSegment(x,x,x,x,x,x,x,x)
		test	al, al
		jz	loc_8F8CFE
		cmp	[ebp+var_5C], 0
		jz	short loc_8F9016
		push	80h		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_8F9016:				; CODE XREF: RtlCreateHeap+11B4F7j
		mov	dword ptr [edi+4], 80h
		lea	ecx, [edi+24h]
		mov	[edi+1Ch], ecx
		mov	eax, [ebp+var_4C]
		add	eax, 0C0h
		mov	[edi+18h], eax
		lea	eax, [ecx+10h]
		mov	[edi+20h], eax
		mov	edx, edi
		mov	ecx, [ebp+var_4C]
		call	_RtlpPopulateListIndex@8 ; RtlpPopulateListIndex(x,x)
		xor	ecx, ecx
		mov	eax, [ebp+var_4C]
		mov	[eax+7Ch], cx
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_90]
		mov	[eax+64h], ecx
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_94]
		mov	[eax+68h], ecx
		mov	ecx, [ebp+var_98]
		shr	ecx, 3
		mov	eax, [ebp+var_4C]
		mov	[eax+6Ch], ecx
		mov	ecx, [ebp+var_88]
		shr	ecx, 3
		mov	eax, [ebp+var_4C]
		mov	[eax+70h], ecx
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_70]
		mov	[eax+78h], ecx
		mov	ecx, [ebp+var_74]
		add	ecx, 7
		shr	ecx, 3
		mov	eax, [ebp+var_4C]
		mov	[eax+5Ch], ecx
		mov	ecx, [ebp+var_C0]
		xor	ecx, _RtlpHeapKey
		mov	eax, [ebp+var_4C]
		mov	[eax+0CCh], ecx
		mov	eax, [ebp+var_4C]
		mov	dword ptr [eax+250h], 4
		mov	eax, [ebp+var_4C]
		mov	dword ptr [eax+254h], 0FE000h
		mov	eax, [ebp+var_4C]
		test	[ebp+arg_0], 10000h
		jz	short loc_8F90E9
		mov	dword ptr [eax+94h], 17h
		mov	eax, [ebp+var_4C]
		mov	dword ptr [eax+98h], 0FFFFFFF0h
		jmp	short loc_8F9100
; 

loc_8F90E9:				; CODE XREF: RtlCreateHeap+11B5C0j
		mov	dword ptr [eax+94h], 0Fh
		mov	eax, [ebp+var_4C]
		mov	dword ptr [eax+98h], 0FFFFFFF8h

loc_8F9100:				; CODE XREF: RtlCreateHeap+11B5D9j
		mov	eax, [ebp+var_4C]
		test	byte ptr [eax+40h], 20h
		jz	short loc_8F9113
		add	dword ptr [eax+94h], 8
		mov	eax, [ebp+var_4C]

loc_8F9113:				; CODE XREF: RtlCreateHeap+11B5F9j
		and	dword ptr [eax+48h], 7FFFFFFFh
		mov	esi, [ebp+var_4C]
		mov	[ebp+var_4C], ebx
		mov	edi, [ebp+var_5C]
		jmp	loc_7DDBD9
; 

loc_8F9128:				; CODE XREF: RtlCreateHeap+D2j
		cmp	eax, edx
		jz	loc_7DDBE6
		push	eax
		call	ExDeleteResourceLite
		jmp	loc_7DDBE6
; 

loc_8F913B:				; CODE XREF: RtlCreateHeap+DCj
		test	edi, edi
		jnz	loc_7DDBF0
		mov	[ebp+var_58], ebx
		push	8000h
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)
		jmp	loc_7DDBF0
; END OF FUNCTION CHUNK	FOR RtlCreateHeap
; 
; START	OF FUNCTION CHUNK FOR SeSecureBootQueryInformation

loc_8F915F:				; CODE XREF: SeSecureBootQueryInformation+4Dj
		sub	eax, 1Ah
		jz	loc_7DDC31
		sub	eax, 8
		jz	short loc_8F9177
		mov	ebx, 0C0000003h
		jmp	loc_7DDC44
; 

loc_8F9177:				; CODE XREF: SeSecureBootQueryInformation+11B55Bj
		mov	esi, _g_SecureBootActivePlatformManifest
		test	esi, esi
		jnz	short loc_8F918B
		mov	ebx, 0C0EB0006h
		jmp	loc_7DDC44
; 

loc_8F918B:				; CODE XREF: SeSecureBootQueryInformation+11B56Fj
		mov	edi, _g_SecureBootActivePlatformManifestSize
		lea	ecx, [edi+4]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		cmp	[ebp+arg_0], ecx
		jb	loc_7DDC8F
		mov	[ebp+ms_exc.disabled], 2
		push	edi		; size_t
		push	esi		; void *
		lea	eax, [edx+4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_7DDC86
; END OF FUNCTION CHUNK	FOR SeSecureBootQueryInformation

;  S U B	R O U T	I N E 


sub_8F91BC	proc near		; DATA XREF: .text:006A441Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F91BC	endp


;  S U B	R O U T	I N E 


sub_8F91CC	proc near		; DATA XREF: .text:006A4420o
		mov	ebx, [ebp-20h]
		jmp	loc_8F9276
sub_8F91CC	endp

; 

loc_8F91D4:				; DATA XREF: .text:006A4404o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_8F91E4:				; DATA XREF: .text:006A4408o
		mov	ebx, [ebp-24h]
		jmp	loc_8F9276
; 
; START	OF FUNCTION CHUNK FOR SeSecureBootQueryInformation

loc_8F91EC:				; CODE XREF: SeSecureBootQueryInformation+29j
		mov	esi, [ebp+arg_4]
		cmp	edi, 0ABh
		jnz	short loc_8F9206
		push	1Ch
		pop	edi
		mov	[esi], edi
		mov	[ebp+var_1C], edx
		mov	eax, [ecx+38h]
		add	eax, edi
		jmp	short loc_8F9209
; 

loc_8F9206:				; CODE XREF: SeSecureBootQueryInformation+11B5E5j
		push	18h
		pop	eax

loc_8F9209:				; CODE XREF: SeSecureBootQueryInformation+11B5F4j
		mov	[esi], eax
		cmp	[ebp+arg_0], eax
		jb	loc_7DDC8F
		mov	[ebp+ms_exc.disabled], 1
		lea	esi, [ecx+4]
		mov	edi, edx
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ecx+14h]
		mov	[edx+10h], eax
		mov	eax, [ecx+20h]
		mov	[edx+14h], eax
		cmp	[ebp+var_28], 0ABh
		jnz	loc_7DDC86
		push	dword ptr [ecx+38h] ; size_t
		lea	eax, [ecx+3Ch]
		push	eax		; void *
		mov	esi, [ebp+var_1C]
		lea	eax, [esi+1Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, dword_6FDDF4
		mov	eax, [eax+38h]
		mov	[esi+18h], eax
		jmp	loc_7DDC86
; END OF FUNCTION CHUNK	FOR SeSecureBootQueryInformation

;  S U B	R O U T	I N E 


sub_8F9263	proc near		; DATA XREF: .text:006A4410o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8F9263	endp


;  S U B	R O U T	I N E 


sub_8F9273	proc near		; DATA XREF: .text:006A4414o
		mov	ebx, [ebp-2Ch]

loc_8F9276:				; CODE XREF: sub_8F91CC+3j
					; PAGE:008F91E7j
		mov	esp, [ebp-18h]
		jmp	loc_7DDC86
sub_8F9273	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpAllocateTraceBufferPool

loc_8F927E:				; CODE XREF: EtwpAllocateTraceBufferPool+2Aj
		add	ecx, 4
		jmp	loc_7DDCC6
; 

loc_8F9286:				; CODE XREF: EtwpAllocateTraceBufferPool+32j
		mov	edx, ecx
		jmp	loc_7DDCCE
; 

loc_8F928D:				; CODE XREF: EtwpAllocateTraceBufferPool+44j
		mov	eax, edx
		jmp	loc_7DDCE0
; 

loc_8F9294:				; CODE XREF: EtwpAllocateTraceBufferPool+66j
		mov	[edi+0A4h], esi
		mov	eax, esi
		jmp	loc_7DDD02
; 

loc_8F92A1:				; CODE XREF: EtwpAllocateTraceBufferPool+84j
		sub	eax, [ebp+var_4]
		dec	eax
		cmp	ecx, eax
		jbe	loc_7DDD20
		mov	[edi+88h], eax
		jmp	loc_7DDD20
; END OF FUNCTION CHUNK	FOR EtwpAllocateTraceBufferPool
; 
; START	OF FUNCTION CHUNK FOR SepUpdateLogonSessionTrack

loc_8F92B8:				; CODE XREF: SepUpdateLogonSessionTrack+9Cj
		mov	edi, 0C000009Ah
		jmp	loc_7DDF78
; END OF FUNCTION CHUNK	FOR SepUpdateLogonSessionTrack
; 
; START	OF FUNCTION CHUNK FOR CmLoadKey

loc_8F92C2:				; CODE XREF: CmLoadKey+8Ej
		mov	eax, 0FFFEh
		add	[edx], ax
		sub	ecx, 1
		jnz	loc_7DE058
		jmp	loc_7DE06A
; 

loc_8F92D8:				; CODE XREF: CmLoadKey+9Aj
		mov	eax, 0C000000Dh
		jmp	loc_7DE23B
; 

loc_8F92E2:				; CODE XREF: CmLoadKey+BAj
		mov	eax, 0C000009Ah
		jmp	loc_7DE23B
; 

loc_8F92EC:				; CODE XREF: CmLoadKey+E2j
		push	2
		pop	eax
		cmp	word ptr [esp+1C0h+var_174], ax
		jz	loc_7DE0BE
		lea	eax, [esp+1C0h+var_174]
		mov	[esp+1C0h+var_1B4], eax
		jmp	loc_7DE0BE
; 

loc_8F9307:				; CODE XREF: CmLoadKey+EFj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C0000189h
		jmp	loc_7DE23B
; 

loc_8F9318:				; CODE XREF: CmLoadKey+13Cj
		mov	ebx, 0C000009Ah
		mov	[esp+1C0h+var_1B4], ebx
		jmp	loc_7DE1F0
; 

loc_8F9326:				; CODE XREF: CmLoadKey+1B3j
		xor	edx, edx
		cmp	ebx, 0C0000043h
		jz	short loc_8F9357
		push	10h
		push	ebx
		jmp	short loc_8F9345
; 

loc_8F9335:				; CODE XREF: CmLoadKey+11B39Fj
		push	20h

loc_8F9337:				; CODE XREF: CmLoadKey+11B3CFj
					; CmLoadKey+11B406j
		mov	eax, 0C0000043h
		xor	edx, edx
		mov	ebx, eax
		mov	[esp+1CCh+var_1BC], ebx
		push	eax

loc_8F9345:				; CODE XREF: CmLoadKey+11B35Dj
		push	1Fh
		mov	ecx, edi
		call	SetFailureLocation
		mov	esi, [esp+1C8h+var_1B4]
		jmp	loc_7DE1E8
; 

loc_8F9357:				; CODE XREF: CmLoadKey+11B358j
		xor	ebx, ebx
		lea	eax, [esp+1C0h+var_198]
		push	ebx
		push	ebx
		push	ebx
		push	[esp+1CCh+var_16C]
		mov	ecx, esi
		push	8
		push	eax
		lea	eax, [esp+1D8h+var_1A8]
		push	eax
		call	CmpOpenHiveFile
		test	eax, eax
		js	short loc_8F9335
		mov	eax, _CmIoFileObjectType
		lea	ecx, [esp+1C0h+var_1B4]
		push	ebx
		push	ecx
		push	ebx
		mov	eax, [eax]
		push	eax
		push	ebx
		push	[esp+1D4h+var_1A8]
		mov	[esp+1D8h+var_1B4], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[esp+1C0h+var_1A8]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		jns	short loc_8F93A7
		push	30h
		jmp	short loc_8F9337
; 

loc_8F93A7:				; CODE XREF: CmLoadKey+11B3CBj
		push	[esp+1C0h+var_184]
		mov	edx, [esp+1C4h+var_1B4]
		push	[esp+1C4h+var_168]
		mov	ecx, [esp+1C8h+var_178]
		push	[ebp+arg_18]
		push	edi
		push	[esp+1D0h+var_180]
		push	[esp+1D4h+var_17C]
		push	[ebp+arg_0]
		call	_CmpResolveHiveLoadConflict@36 ; CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)
		mov	ecx, [esp+1C0h+var_1B4]
		mov	esi, eax
		call	ObfDereferenceObject
		test	esi, esi
		jns	short loc_8F93E1
		push	40h
		jmp	loc_8F9337
; 

loc_8F93E1:				; CODE XREF: CmLoadKey+11B402j
		mov	esi, [esp+1C0h+var_1AC]
		jmp	loc_7DE1E4
; 

loc_8F93EA:				; CODE XREF: CmLoadKey+1C2j
		mov	eax, _CmIoFileObjectType
		lea	edx, [esp+1C0h+var_1A8]
		mov	ecx, [esi+400h]
		xor	ebx, ebx
		push	ebx
		push	edx
		mov	eax, [eax]
		push	ebx
		push	eax
		push	ebx
		push	ecx
		mov	[esp+1D8h+var_1A8], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		mov	[esp+1C0h+var_1B4], ebx
		test	ebx, ebx
		jns	short loc_8F942D
		push	50h
		jmp	short sub_8F941C
; 

loc_8F941A:				; CODE XREF: CmLoadKey+11B49Ej
		push	60h
; END OF FUNCTION CHUNK	FOR CmLoadKey

;  S U B	R O U T	I N E 


sub_8F941C	proc near		; CODE XREF: CmLoadKey+11B442j
		push	ebx
		push	1Fh
		xor	edx, edx
		mov	ecx, edi
		call	SetFailureLocation
		jmp	loc_7DE1E8
sub_8F941C	endp

; 
; START	OF FUNCTION CHUNK FOR CmLoadKey

loc_8F942D:				; CODE XREF: CmLoadKey+11B43Ej
		push	[esp+1C0h+var_184]
		mov	edx, [esp+1C4h+var_1A8]
		push	[esp+1C4h+var_168]
		mov	ecx, [esp+1C8h+var_178]
		push	[ebp+arg_18]
		push	edi
		push	[esp+1D0h+var_180]
		push	[esp+1D4h+var_17C]
		push	[ebp+arg_0]
		call	_CmpResolveHiveLoadConflict@36 ; CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)
		mov	ecx, [esp+1C0h+var_1A8]
		mov	ebx, eax
		mov	[esp+1C0h+var_1B4], ebx
		call	ObfDereferenceObject
		test	ebx, ebx
		jns	loc_7DE1E2
		cmp	ebx, 0C0000225h
		jz	loc_7DE19E
		jmp	short loc_8F941A
; 

loc_8F9476:				; CODE XREF: CmLoadKey+206j
		push	70h
		push	ebx
		push	1Fh
		xor	edx, edx
		mov	ecx, edi
		call	SetFailureLocation
		jmp	loc_7DE1F0
; 

loc_8F9489:				; CODE XREF: CmLoadKey+214j
		lea	ecx, [esp+1C0h+var_150]
		call	CmpAttachToRegistryProcess
		mov	ecx, esi
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)
		xor	edx, edx
		lea	ecx, [esp+1C0h+var_150]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_7DE1F0
; 

loc_8F94A9:				; CODE XREF: CmLoadKey+22Cj
		cmp	dword_6B2348, 5
		jbe	loc_7DE22C
		push	4000h
		mov	esi, offset dword_6B2348
		push	8
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_8F96E6
		mov	esi, [esp+1C0h+var_1A0]
		lea	ecx, [edi+4]
		movzx	edi, word ptr [ecx]
		lea	eax, [esp+1C0h+var_158]
		mov	[esp+1C0h+var_118], eax
		xor	edx, edx
		lea	eax, [esp+1C0h+var_1A4]
		and	[esp+1C0h+var_E4], 0
		mov	[esp+1C0h+var_108], eax
		mov	eax, edi
		mov	[esp+1C0h+var_190], eax
		lea	eax, [esp+1C0h+var_190]
		mov	[esp+1C0h+var_F8], eax
		push	2
		pop	eax
		mov	[esp+1C0h+var_F0], eax
		and	[esp+1C0h+var_DC], 0
		and	[esp+1C0h+var_D4], 0
		and	[esp+1C0h+var_CC], 0
		mov	[esp+1C0h+var_154], edx
		mov	[esp+1C0h+var_114], edx
		mov	[esp+1C0h+var_10C], edx
		mov	[esp+1C0h+var_104], edx
		mov	[esp+1C0h+var_FC], edx
		mov	[esp+1C0h+var_F4], edx
		mov	[esp+1C0h+var_EC], edx
		lea	edx, [esi+6]
		mov	[esp+1C0h+var_1A4], ebx
		add	esi, 132h
		movzx	ebx, word ptr [edx]
		mov	eax, ebx
		imul	edi, 0Ch
		mov	[esp+1C0h+var_198], eax
		lea	eax, [esp+1C0h+var_198]
		mov	[esp+1C0h+var_E8], eax
		push	2
		pop	eax
		mov	[esp+1C0h+var_E0], eax
		mov	al, [esi]
		mov	[esp+1C0h+var_1AD], al
		movzx	eax, al
		mov	[esp+1C0h+var_19C], eax
		lea	eax, [esp+1C0h+var_19C]
		mov	[esp+1C0h+var_D8], eax
		push	2
		pop	eax
		mov	[esp+1C0h+var_D0], eax
		mov	[esp+1C0h+var_C0], eax
		mov	eax, [esp+1C0h+var_1A0]
		add	eax, 8
		mov	[esp+1C0h+var_B0], edi
		mov	edi, [esp+1C0h+var_1A0]
		mov	[esp+1C0h+var_C8], ecx
		xor	ecx, ecx
		mov	[esp+1C0h+var_B8], eax
		imul	ebx, 0Ch
		lea	eax, [edi+68h]
		mov	[esp+1C0h+var_A8], edx
		push	2
		pop	edx
		mov	[esp+1C0h+var_98], eax
		lea	eax, [edi+134h]
		mov	[esp+1C0h+var_158], 1
		mov	[esp+1C0h+var_110], 8
		mov	[esp+1C0h+var_100], 4
		mov	[esp+1C0h+var_C4], ecx
		mov	[esp+1C0h+var_BC], ecx
		mov	[esp+1C0h+var_B4], ecx
		mov	[esp+1C0h+var_AC], ecx
		mov	[esp+1C0h+var_A4], ecx
		mov	[esp+1C0h+var_A0], edx
		mov	[esp+1C0h+var_9C], ecx
		mov	[esp+1C0h+var_94], ecx
		mov	[esp+1C0h+var_90], ebx
		mov	[esp+1C0h+var_8C], ecx
		mov	[esp+1C0h+var_88], esi
		mov	[esp+1C0h+var_84], ecx
		mov	[esp+1C0h+var_80], edx
		mov	[esp+1C0h+var_7C], ecx
		mov	[esp+1C0h+var_78], eax
		mov	[esp+1C0h+var_74], ecx
		movzx	eax, [esp+1C0h+var_1AD]
		mov	esi, offset dword_6B2348
		shl	eax, 3
		mov	edx, offset loc_419D1B
		mov	[esp+1C0h+var_70], eax
		lea	eax, [esp+1C0h+var_168]
		mov	[esp+1C0h+var_68], eax
		lea	eax, [esp+1C0h+var_138]
		push	eax
		push	0Eh
		mov	[esp+1C8h+var_6C], ecx
		mov	[esp+1C8h+var_164], ecx
		mov	[esp+1C8h+var_64], ecx
		mov	[esp+1C8h+var_5C], ecx
		push	ecx
		mov	ecx, esi
		mov	[esp+1CCh+var_168], 1000000h
		mov	[esp+1CCh+var_60], 8
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)
		mov	ebx, [esp+1C0h+var_1B4]

loc_8F96E6:				; CODE XREF: CmLoadKey+11B4F5j
		cmp	dword_6B2348, 5
		jbe	loc_7DE22C
		push	0
		push	8
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_7DE22C
		mov	esi, [esp+1C0h+var_1A0]
		lea	ecx, [edi+4]
		movzx	edi, word ptr [ecx]
		lea	eax, [esp+1C0h+var_1A4]
		mov	[esp+1C0h+var_118], eax
		xor	edx, edx
		mov	eax, edi
		mov	[esp+1C0h+var_114], edx
		mov	[esp+1C0h+var_190], eax
		lea	eax, [esp+1C0h+var_190]
		mov	[esp+1C0h+var_108], eax
		push	2
		pop	eax
		mov	[esp+1C0h+var_100], eax
		mov	[esp+1C0h+var_10C], edx
		mov	[esp+1C0h+var_104], edx
		mov	[esp+1C0h+var_FC], edx
		lea	edx, [esi+6]
		mov	[esp+1C0h+var_1A4], ebx
		add	esi, 132h
		movzx	ebx, word ptr [edx]
		mov	eax, ebx
		and	[esp+1C0h+var_F4], 0
		mov	[esp+1C0h+var_198], eax
		lea	eax, [esp+1C0h+var_198]
		mov	[esp+1C0h+var_F8], eax
		push	2
		pop	eax
		mov	[esp+1C0h+var_F0], eax
		mov	al, [esi]
		mov	[esp+1C0h+var_1AD], al
		movzx	eax, al
		mov	[esp+1C0h+var_19C], eax
		lea	eax, [esp+1C0h+var_19C]
		mov	[esp+1C0h+var_E8], eax
		and	[esp+1C0h+var_EC], 0
		and	[esp+1C0h+var_E4], 0
		and	[esp+1C0h+var_DC], 0
		imul	edi, 0Ch
		push	2
		pop	eax
		mov	[esp+1C0h+var_E0], eax
		mov	[esp+1C0h+var_D0], eax
		mov	eax, [esp+1C0h+var_1A0]
		add	eax, 8
		mov	[esp+1C0h+var_C0], edi
		mov	edi, [esp+1C0h+var_1A0]
		mov	[esp+1C0h+var_C8], eax
		mov	[esp+1C0h+var_D8], ecx
		xor	ecx, ecx
		push	2
		lea	eax, [edi+68h]
		mov	[esp+1C4h+var_B8], edx
		mov	[esp+1C4h+var_A8], eax
		mov	eax, ebx
		imul	eax, 0Ch
		pop	edx
		mov	[esp+1C0h+var_110], 4
		mov	[esp+1C0h+var_D4], ecx
		mov	[esp+1C0h+var_CC], ecx
		mov	[esp+1C0h+var_A0], eax
		lea	eax, [edi+134h]
		mov	[esp+1C0h+var_88], eax
		movzx	eax, [esp+1C0h+var_1AD]
		shl	eax, 3
		mov	[esp+1C0h+var_80], eax
		lea	eax, [esp+1C0h+var_138]
		mov	[esp+1C0h+var_C4], ecx
		mov	[esp+1C0h+var_BC], ecx
		mov	[esp+1C0h+var_B4], ecx
		mov	[esp+1C0h+var_B0], edx
		mov	[esp+1C0h+var_AC], ecx
		mov	[esp+1C0h+var_A4], ecx
		mov	[esp+1C0h+var_9C], ecx
		mov	[esp+1C0h+var_98], esi
		mov	[esp+1C0h+var_94], ecx
		mov	[esp+1C0h+var_90], edx
		mov	[esp+1C0h+var_8C], ecx
		mov	[esp+1C0h+var_84], ecx
		mov	[esp+1C0h+var_7C], ecx
		push	eax
		push	0Ch
		push	ecx
		push	ecx
		push	offset loc_419B8F
		push	offset dword_6B2348
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_7DE22C
; 

loc_8F98BD:				; CODE XREF: CmLoadKey+250j
		lea	eax, [esp+1C0h+var_190]
		mov	[esp+1C0h+var_190], 1
		mov	[esp+1C0h+var_38], eax
		xor	ecx, ecx
		lea	eax, [esp+1C0h+var_1A4]
		mov	[esp+1C0h+var_18C], ecx
		push	8
		pop	edx
		mov	[esp+1C0h+var_28], eax
		lea	eax, [esp+1C0h+var_198]
		mov	[esp+1C0h+var_18], eax
		lea	eax, [esp+1C0h+var_58]
		push	eax
		push	5
		mov	[esp+1C8h+var_34], ecx
		mov	[esp+1C8h+var_30], edx
		mov	[esp+1C8h+var_2C], ecx
		mov	[esp+1C8h+var_24], ecx
		mov	[esp+1C8h+var_1C], ecx
		mov	[esp+1C8h+var_194], ecx
		mov	[esp+1C8h+var_14], ecx
		mov	[esp+1C8h+var_10], edx
		mov	edx, (offset loc_419CC2+6)
		mov	[esp+1C8h+var_C], ecx
		push	ecx
		mov	ecx, esi
		mov	[esp+1CCh+var_1A4], ebx
		mov	[esp+1CCh+var_20], 4
		mov	[esp+1CCh+var_198], 1000000h
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)
		jmp	loc_7DE22C
; END OF FUNCTION CHUNK	FOR CmLoadKey
; 
; START	OF FUNCTION CHUNK FOR CmpQueryHiveRedirectionFileList

loc_8F995E:				; CODE XREF: CmpQueryHiveRedirectionFileList+45j
		mov	[ebp+var_210], 200h
		cmp	_CmpHiveRedirectionFileListHandle, eax
		jnz	loc_8F99F8
		push	offset ??_C@_1IO@IILNFANJ@?$AA?2?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAm?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		lea	eax, [ebp+var_218]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	1
		push	edi
		lea	eax, [ebp+var_218]
		mov	[ebp+var_230], 18h
		mov	[ebp+var_228], eax
		lea	eax, [ebp+var_230]
		push	edi
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_20C]
		mov	[ebp+var_22C], edi
		push	eax
		mov	[ebp+var_224], 240h
		mov	[ebp+var_220], edi
		mov	[ebp+var_21C], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8F9A2D
		mov	ecx, [ebp+var_20C]
		mov	edx, offset _CmpHiveRedirectionFileListHandle
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_8F99F8
		push	[ebp+var_20C]
		call	_ZwClose@4	; ZwClose(x)

loc_8F99F8:				; CODE XREF: CmpQueryHiveRedirectionFileList+11B6FCj
					; CmpQueryHiveRedirectionFileList+11B779j
		lea	eax, [ebp+var_210]
		push	eax
		push	[ebp+var_210]
		lea	eax, [ebp+var_208]
		push	eax
		push	2
		push	ebx
		push	_CmpHiveRedirectionFileListHandle
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_8F9A2D
		lea	eax, [ebp+var_1FC]
		push	eax		; void *
		push	esi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		test	eax, eax

loc_8F9A2D:				; CODE XREF: CmpQueryHiveRedirectionFileList+11B764j
					; CmpQueryHiveRedirectionFileList+11B7AAj
		setz	al
		jmp	loc_7DE2BF
; END OF FUNCTION CHUNK	FOR CmpQueryHiveRedirectionFileList
; 

loc_8F9A35:				; CODE XREF: PAGE:007DE3ABj
		sub	eax, 1
		jnz	loc_7DE313
		dec	_PiUEventDevInstancePropertyClientCount
		jmp	loc_7DE313
; 

loc_8F9A49:				; CODE XREF: PAGE:007DE31Bj
		mov	edx, edi
		mov	ecx, esi
		mov	edi, [edi]
		push	0
		call	_PiUEventDequeuePendingEventWorker@12 ;	PiUEventDequeuePendingEventWorker(x,x,x)
		jmp	loc_7DE319
; 

loc_8F9A5B:				; CODE XREF: PAGE:007DE328j
		mov	edx, edi
		mov	ecx, esi
		mov	edi, [edi]
		push	1
		call	_PiUEventDequeuePendingEventWorker@12 ;	PiUEventDequeuePendingEventWorker(x,x,x)
		jmp	loc_7DE326
; 
; START	OF FUNCTION CHUNK FOR RtlSetConsoleSessionForegroundProcessId

loc_8F9A6D:				; CODE XREF: RtlSetConsoleSessionForegroundProcessId+Cj
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+28Ch]
		mov	eax, [ebp+arg_0]
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+0Ch], eax
		jmp	loc_7DE518
; END OF FUNCTION CHUNK	FOR RtlSetConsoleSessionForegroundProcessId
; 
; START	OF FUNCTION CHUNK FOR MiCreateRotateView

loc_8F9A89:				; CODE XREF: MiCreateRotateView+46j
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		jmp	loc_7DE609
; END OF FUNCTION CHUNK	FOR MiCreateRotateView
; 
; START	OF FUNCTION CHUNK FOR MmGetPhysicalMemoryRangesEx2

loc_8F9A97:				; CODE XREF: MmGetPhysicalMemoryRangesEx2+1Cj
		test	ecx, ecx
		jnz	loc_7DE68B
		jmp	loc_7DE65E
; 

loc_8F9AA4:				; CODE XREF: MmGetPhysicalMemoryRangesEx2+41j
		mov	ecx, [esi+64h]
		call	PsDereferencePartition
		jmp	loc_7DE683
; END OF FUNCTION CHUNK	FOR MmGetPhysicalMemoryRangesEx2
; 
; START	OF FUNCTION CHUNK FOR MiGetPhysicalMemoryRanges

loc_8F9AB1:				; CODE XREF: MiGetPhysicalMemoryRanges+2Cj
					; MiGetPhysicalMemoryRanges+34j
		mov	edx, ebx
		mov	[esp+20h+var_11], 1
		call	_MiLockDynamicMemoryShared@8 ; MiLockDynamicMemoryShared(x,x)
		cmp	esi, edi
		jz	loc_7DE6CA
		xor	edi, edi

loc_8F9AC7:				; CODE XREF: MiGetPhysicalMemoryRanges+11B4A5j
		cmp	[esi+0F48h], edi
		jz	loc_7DE6CA
		cmp	[esi+38h], edi
		jnz	loc_7DE6CA
		mov	edx, ebx
		mov	ecx, esi
		call	_MiUnlockDynamicMemoryShared@8 ; MiUnlockDynamicMemoryShared(x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	_MiLockDynamicMemoryExclusive@8	; MiLockDynamicMemoryExclusive(x,x)
		mov	eax, [esi+0F48h]
		test	eax, eax
		jz	short loc_8F9B23
		cmp	[esi+38h], edi
		jnz	short loc_8F9B0A
		mov	ecx, esi
		call	_MiMakePartitionMemoryBlock@4 ;	MiMakePartitionMemoryBlock(x)
		mov	eax, [esi+0F48h]

loc_8F9B0A:				; CODE XREF: MiGetPhysicalMemoryRanges+11B46Bj
		test	eax, eax
		jz	short loc_8F9B23
		cmp	[esi+38h], edi
		jnz	short loc_8F9B23
		mov	edx, ebx
		mov	ecx, esi
		call	MiUnlockDynamicMemoryExclusive
		xor	eax, eax
		jmp	loc_7DE76D
; 

loc_8F9B23:				; CODE XREF: MiGetPhysicalMemoryRanges+11B466j
					; MiGetPhysicalMemoryRanges+11B47Cj ...
		mov	edx, ebx
		mov	ecx, esi
		call	MiUnlockDynamicMemoryExclusive
		mov	edx, ebx
		mov	ecx, esi
		call	_MiLockDynamicMemoryShared@8 ; MiLockDynamicMemoryShared(x,x)
		jmp	short loc_8F9AC7
; 

loc_8F9B37:				; CODE XREF: MiGetPhysicalMemoryRanges+49j
		xor	edi, edi
		jmp	loc_7DE6ED
; 

loc_8F9B3E:				; CODE XREF: MiGetPhysicalMemoryRanges+C4j
		mov	edx, ebx
		mov	ecx, esi
		call	_MiUnlockDynamicMemoryShared@8 ; MiUnlockDynamicMemoryShared(x,x)
		jmp	loc_7DE75A
; END OF FUNCTION CHUNK	FOR MiGetPhysicalMemoryRanges
; 
; START	OF FUNCTION CHUNK FOR PsResumeProcess

loc_8F9B4C:				; CODE XREF: PsResumeProcess+6Ej
		push	1
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_EtwTiLogSuspendResumeProcess@16 ; EtwTiLogSuspendResumeProcess(x,x,x,x)
		jmp	loc_7DE7EE
; END OF FUNCTION CHUNK	FOR PsResumeProcess
; 
; START	OF FUNCTION CHUNK FOR CmpTryToLockKcbExclusive

loc_8F9B5D:				; CODE XREF: CmpTryToLockKcbExclusive+1Cj
		test	eax, eax
		jz	short loc_8F9B6A
		mov	edx, eax
		mov	ecx, esi
		call	KeAbPostReleaseEx

loc_8F9B6A:				; CODE XREF: CmpTryToLockKcbExclusive+11B2BDj
		xor	bl, bl
		jmp	loc_7DE8D4
; END OF FUNCTION CHUNK	FOR CmpTryToLockKcbExclusive
; 
; START	OF FUNCTION CHUNK FOR CmpSetValueDataExisting

loc_8F9B71:				; CODE XREF: CmpSetValueDataExisting+37j
		mov	eax, 0C000009Ah
		jmp	loc_7DE9D0
; 

loc_8F9B7B:				; CODE XREF: CmpSetValueDataExisting+4Dj
		mov	edi, 0C000009Ah
		jmp	loc_7DE9C6
; 

loc_8F9B85:				; CODE XREF: CmpSetValueDataExisting+74j
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	ebx, [ebp+var_C]
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+arg_8], edi
		push	eax
		mov	eax, [ebp+var_8]
		mov	ecx, esi
		mov	edx, [ebx+4]
		movzx	eax, ax
		push	1
		shl	eax, 2
		push	eax
		call	_HvReallocateCell@24 ; HvReallocateCell(x,x,x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_8F9C03
		mov	ecx, [ebp+var_8]
		mov	[ebx+4], eax
		movzx	eax, word ptr [ebx+2]
		mov	ebx, [ebp+arg_8]
		mov	[ebp+var_14], eax
		cmp	ax, cx
		jnb	loc_7DE95A

loc_8F9BCF:				; CODE XREF: CmpSetValueDataExisting+11B322j
		push	edi
		push	edi
		push	[ebp+arg_4]
		mov	edx, 3FD8h
		mov	ecx, esi
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	edx, [ebp+var_14]
		movzx	ecx, dx
		mov	[ebx+ecx*4], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_7DE9D7
		mov	ecx, [ebp+var_8]
		inc	edx
		mov	[ebp+var_14], edx
		cmp	dx, cx
		jb	short loc_8F9BCF
		jmp	loc_7DE95A
; 

loc_8F9C03:				; CODE XREF: CmpSetValueDataExisting+11B2DAj
					; CmpSetValueDataExisting+11B38Aj
		mov	ebx, [ebp+arg_8]
		mov	edi, 0C000009Ah
		jmp	loc_7DE9BA
; 

loc_8F9C10:				; CODE XREF: CmpSetValueDataExisting+7Aj
		mov	edi, [ebp+var_C]
		movzx	eax, cx
		mov	[ebp+arg_8], eax

loc_8F9C19:				; CODE XREF: CmpSetValueDataExisting+11B357j
		movzx	edx, ax
		mov	ecx, esi
		mov	edx, [ebx+edx*4]
		call	HvFreeCell
		mov	eax, [ebp+arg_8]
		inc	eax
		mov	[ebp+arg_8], eax
		cmp	ax, [edi+2]
		jb	short loc_8F9C19
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	ebx, [ebp+var_C]
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+arg_8]
		xor	edi, edi
		push	eax
		mov	eax, [ebp+var_8]
		mov	ecx, esi
		mov	edx, [ebx+4]
		movzx	eax, ax
		push	1
		shl	eax, 2
		push	eax
		mov	[ebp+arg_8], edi
		call	_HvReallocateCell@24 ; HvReallocateCell(x,x,x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_8F9C03
		mov	ecx, [ebp+var_8]
		mov	[ebx+4], eax
		mov	ebx, [ebp+arg_8]
		jmp	loc_7DE95A
; END OF FUNCTION CHUNK	FOR CmpSetValueDataExisting

;  S U B	R O U T	I N E 


sub_8F9C74	proc near		; DATA XREF: .text:006A4464o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F9C74	endp


;  S U B	R O U T	I N E 


sub_8F9C82	proc near		; DATA XREF: .text:006A4468o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_7DEA58
sub_8F9C82	endp

; 
; START	OF FUNCTION CHUNK FOR PspSetProcessSchedulingGroup

loc_8F9C94:				; CODE XREF: PspSetProcessSchedulingGroup+25j
		test	edi, edi
		jz	loc_7DEA9D
		pop	edi
		mov	ecx, esi
		xor	edx, edx
		pop	esi
		pop	ebx
		jmp	_KeSetProcessSchedulingGroup@8 ; KeSetProcessSchedulingGroup(x,x)
; END OF FUNCTION CHUNK	FOR PspSetProcessSchedulingGroup
; 
; START	OF FUNCTION CHUNK FOR MiDereferenceFailedControlArea

loc_8F9CA8:				; CODE XREF: MiDereferenceFailedControlArea+Bj
		call	_MiAweControlArea@4 ; MiAweControlArea(x)
		test	eax, eax
		jz	short loc_8F9CB7
		pop	esi
		jmp	_MiDeleteSectionAwe@4 ;	MiDeleteSectionAwe(x)
; 

loc_8F9CB7:				; CODE XREF: MiDereferenceFailedControlArea+11B0E9j
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR MiDereferenceFailedControlArea
; 
; START	OF FUNCTION CHUNK FOR NtRegisterThreadTerminatePort

loc_8F9CB9:				; CODE XREF: NtRegisterThreadTerminatePort+4Bj
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject
		mov	eax, 0C000009Ah
		jmp	loc_7DECD9
; END OF FUNCTION CHUNK	FOR NtRegisterThreadTerminatePort
; 
; START	OF FUNCTION CHUNK FOR PspSetJobIoAttributionJobPreCallback

loc_8F9CCB:				; CODE XREF: PspSetJobIoAttributionJobPreCallback+10j
		movzx	eax, byte ptr [eax+8]
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[edx+328h], eax
		jmp	loc_7DED2A
; END OF FUNCTION CHUNK	FOR PspSetJobIoAttributionJobPreCallback

;  S U B	R O U T	I N E 


sub_8F9CE0	proc near		; CODE XREF: PspEnableWakeCounters+37j
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		lea	esi, [ecx+1B8h]
		push	7
		sub	edi, ecx
		pop	ebx

loc_8F9CF0:				; CODE XREF: sub_8F9CE0+22j
		mov	eax, [edi+esi]
		add	[esi], eax
		mov	eax, [edi+esi+4]
		adc	[esi+4], eax
		lea	esi, [esi+8]
		sub	ebx, 1
		jnz	short loc_8F9CF0
		mov	eax, [edx+1F0h]
		add	[ecx+1F0h], eax
		mov	eax, [edx+1F4h]
		adc	[ecx+1F4h], eax
		pop	edi
		pop	esi
		pop	ebx
		jmp	loc_7DED42
sub_8F9CE0	endp

; 
; START	OF FUNCTION CHUNK FOR PspIsSiloInSilo

loc_8F9D24:				; CODE XREF: PspIsSiloInSilo+9j
		cmp	ecx, edx
		jz	loc_7DED70
		mov	ecx, [ecx+244h]
		jmp	loc_7DED73
; END OF FUNCTION CHUNK	FOR PspIsSiloInSilo
; 
; START	OF FUNCTION CHUNK FOR CmpConstructNameFromKcbNameBlocks

loc_8F9D37:				; CODE XREF: CmpConstructNameFromKcbNameBlocks+1Cj
		mov	ebx, 0C000000Dh
		jmp	loc_7DEEE6
; 

loc_8F9D41:				; CODE XREF: CmpConstructNameFromKcbNameBlocks+39j
		mov	ebx, 0C000009Ah
		jmp	loc_7DEEE5
; 

loc_8F9D4B:				; CODE XREF: CmpConstructNameFromKcbNameBlocks+A4j
		mov	ebx, [ebp+var_4]
		lea	eax, [ebx+ebx]
		push	eax		; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_7DEEC1
; END OF FUNCTION CHUNK	FOR CmpConstructNameFromKcbNameBlocks

;  S U B	R O U T	I N E 


sub_8F9D61	proc near		; CODE XREF: FsRtlPrepareMdlWriteEx+23j
		push	ebx
		call	IoGetRelatedDeviceObject
		push	edi
		push	dword ptr [ebp+0Ch]
		mov	[ebp+1Ch], eax
		push	dword ptr [ebp+10h]
		push	0
		push	eax
		push	4
		call	_IoBuildAsynchronousFsdRequest@24 ; IoBuildAsynchronousFsdRequest(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_8F9D8D
		mov	eax, 0C000009Ah
		mov	[edi], eax
		jmp	loc_7DF055
; 

loc_8F9D8D:				; CODE XREF: sub_8F9D61+1Ej
		mov	eax, [esi+60h]
		mov	ecx, [ebp+14h]
		push	esi
		push	dword ptr [ebp+1Ch]
		mov	[eax-0Ch], ebx
		mov	byte ptr [eax-23h], 2
		mov	[eax-1Ch], ecx
		or	dword ptr [esi+8], 4
		call	_IoSynchronousCallDriver@8 ; IoSynchronousCallDriver(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8F9DC7
		mov	eax, [ebp+18h]
		mov	ecx, [esi+4]
		mov	[eax], ecx
		and	dword ptr [esi+4], 0
		mov	ecx, [esi+18h]
		mov	[edi], ecx
		mov	eax, [esi+1Ch]
		mov	[edi+4], eax

loc_8F9DC7:				; CODE XREF: sub_8F9D61+4Dj
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		jmp	loc_7DF053
sub_8F9D61	endp


;  S U B	R O U T	I N E 


sub_8F9DD2	proc near		; CODE XREF: FsRtlMdlReadEx+23j
		push	ebx
		call	IoGetRelatedDeviceObject
		push	0
		push	dword ptr [ebp+0Ch]
		mov	[ebp+1Ch], eax
		push	dword ptr [ebp+10h]
		push	0
		push	eax
		push	3
		call	_IoBuildAsynchronousFsdRequest@24 ; IoBuildAsynchronousFsdRequest(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_8F9DFF
		mov	eax, 0C000009Ah
		mov	[edi], eax
		jmp	loc_7DF0D5
; 

loc_8F9DFF:				; CODE XREF: sub_8F9DD2+1Fj
		mov	eax, [esi+60h]
		mov	ecx, [ebp+14h]
		push	esi
		push	dword ptr [ebp+1Ch]
		mov	[eax-0Ch], ebx
		mov	byte ptr [eax-23h], 2
		mov	[eax-1Ch], ecx
		or	dword ptr [esi+8], 4
		call	_IoSynchronousCallDriver@8 ; IoSynchronousCallDriver(x,x)
		mov	ecx, [esi+18h]
		mov	ebx, eax
		mov	[edi], ecx
		mov	ecx, [esi+1Ch]
		mov	[edi+4], ecx
		test	ebx, ebx
		js	short loc_8F9E39
		mov	eax, [ebp+18h]
		mov	ecx, [esi+4]
		mov	[eax], ecx
		and	dword ptr [esi+4], 0

loc_8F9E39:				; CODE XREF: sub_8F9DD2+59j
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		jmp	loc_7DF0D3
sub_8F9DD2	endp

; 
; START	OF FUNCTION CHUNK FOR IoEnumerateRegisteredFiltersList

loc_8F9E44:				; CODE XREF: IoEnumerateRegisteredFiltersList+25j
		call	_IopGetFsRegistrationInProgress@0 ; IopGetFsRegistrationInProgress()
		test	al, al
		jz	short loc_8F9E57
		mov	esi, 0C000022Dh
		jmp	loc_7DF2D2
; 

loc_8F9E57:				; CODE XREF: IoEnumerateRegisteredFiltersList+11AC03j
		push	1
		push	ebx
		call	ExAcquireResourceExclusiveLite
		jmp	loc_7DF273
; END OF FUNCTION CHUNK	FOR IoEnumerateRegisteredFiltersList
; 
; START	OF FUNCTION CHUNK FOR CmpAddToHiveFileList

loc_8F9E64:				; CODE XREF: CmpAddToHiveFileList+11Aj
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7DF372
; 

loc_8F9E71:				; CODE XREF: CmpAddToHiveFileList+4Aj
		mov	esi, 0C0000017h
		jmp	loc_7DF3F3
; END OF FUNCTION CHUNK	FOR CmpAddToHiveFileList
; 
; START	OF FUNCTION CHUNK FOR SeCreateClientSecurityFromSubjectContext

loc_8F9E7B:				; CODE XREF: SeCreateClientSecurityFromSubjectContext+93j
		mov	ebx, [ebp+var_C]
		mov	byte ptr [ebp+var_5], 1
		jmp	loc_7DF4A1
; END OF FUNCTION CHUNK	FOR SeCreateClientSecurityFromSubjectContext
; 
; START	OF FUNCTION CHUNK FOR EtwpGenerateFileName

loc_8F9E87:				; CODE XREF: EtwpGenerateFileName+11j
		mov	eax, 0C0000030h
		jmp	loc_7DFBD6
; 

loc_8F9E91:				; CODE XREF: EtwpGenerateFileName+8Aj
					; EtwpGenerateFileName+A2j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C0000030h
		jmp	loc_7DFBD5
; END OF FUNCTION CHUNK	FOR EtwpGenerateFileName
; 
; START	OF FUNCTION CHUNK FOR PfpVirtualQuery

loc_8F9EA3:				; CODE XREF: PfpVirtualQuery+1Cj
		mov	eax, 0C0000206h
		jmp	loc_7DFC9B
; 

loc_8F9EAD:				; CODE XREF: PfpVirtualQuery+44j
					; PfpVirtualQuery+4Cj
		mov	byte ptr [edx],	0
		mov	eax, [esi+10h]
		jmp	loc_7DFC3C
; 

loc_8F9EB8:				; CODE XREF: PfpVirtualQuery+77j
		test	al, 2
		jnz	loc_7DFCB2
		jmp	loc_7DFC67
; END OF FUNCTION CHUNK	FOR PfpVirtualQuery

;  S U B	R O U T	I N E 


sub_8F9EC5	proc near		; DATA XREF: .text:006A44CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F9EC5	endp


;  S U B	R O U T	I N E 


sub_8F9ED3	proc near		; DATA XREF: .text:006A44D0o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-1Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7DFC9B
sub_8F9ED3	endp

; 
; START	OF FUNCTION CHUNK FOR PerfDiagpProxyWorker

loc_8F9EE5:				; CODE XREF: PerfDiagpProxyWorker+108j
		cmp	ecx, 1
		jnz	short loc_8F9EF8
		jmp	loc_7DFDAC
; 

loc_8F9EEF:				; CODE XREF: PerfDiagpProxyWorker+117j
		cmp	esi, 5
		jz	loc_7DFD6B

loc_8F9EF8:				; CODE XREF: PerfDiagpProxyWorker+11A1DEj
		cmp	esi, ecx
		jge	short loc_8F9F03
		mov	esi, ecx
		jmp	loc_7DFDAC
; 

loc_8F9F03:				; CODE XREF: PerfDiagpProxyWorker+4Aj
					; PerfDiagpProxyWorker+E0j ...
		mov	dword_6BC724, 8
		jmp	loc_7DFDB2
; 

loc_8F9F12:				; CODE XREF: PerfDiagpProxyWorker+B1j
		test	al, 4
		jnz	loc_7DFDC1
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7DFDC1
; END OF FUNCTION CHUNK	FOR PerfDiagpProxyWorker
; 
; START	OF FUNCTION CHUNK FOR MmGetPageFileInformation

loc_8F9F26:				; CODE XREF: MmGetPageFileInformation+46j
		mov	eax, 0C00004A0h
		jmp	loc_7E01B1
; 

loc_8F9F30:				; CODE XREF: MmGetPageFileInformation+91j
					; MmGetPageFileInformation+9Aj
		mov	[ebp+var_20], eax
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		jmp	loc_7E01DC
; END OF FUNCTION CHUNK	FOR MmGetPageFileInformation

;  S U B	R O U T	I N E 


sub_8F9F3D	proc near		; DATA XREF: .text:006A44ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8F9F3D	endp


;  S U B	R O U T	I N E 


sub_8F9F4B	proc near		; DATA XREF: .text:006A44F0o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-54h]
		mov	[ebp-34h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, [ebp-30h]
		jmp	loc_7E01A5
sub_8F9F4B	endp

; 
; START	OF FUNCTION CHUNK FOR MmGetPageFileInformation

loc_8F9F63:				; CODE XREF: MmGetPageFileInformation+19Dj
		mov	ecx, [edx+64h]
		call	PsDereferencePartition
		jmp	loc_7E01AF
; END OF FUNCTION CHUNK	FOR MmGetPageFileInformation
; 
; START	OF FUNCTION CHUNK FOR CmpConstructAndCacheName

loc_8F9F70:				; CODE XREF: CmpConstructAndCacheName+2Bj
		mov	edx, 624E4D43h
		mov	ecx, esi
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		jmp	loc_7E021F
; END OF FUNCTION CHUNK	FOR CmpConstructAndCacheName
; 
; START	OF FUNCTION CHUNK FOR EtwpTrackProviderBinary

loc_8F9F81:				; CODE XREF: EtwpTrackProviderBinary+46j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	eax, [esi+10h]
		xor	edx, edx
		mov	ecx, [eax+168h]
		add	ecx, 16Ch
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		mov	eax, [esi+10h]
		mov	eax, [eax+168h]
		mov	[eax+170h], ecx
		jmp	loc_7E0352
; 

loc_8F9FB7:				; CODE XREF: EtwpTrackProviderBinary+90j
		movzx	edx, word ptr [edi+eax+66h]
		mov	ecx, [ebp+var_8]
		push	0
		call	EtwpAcquireLoggerContextByLoggerId
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_7E039C
		push	ebx
		mov	dl, 1
		mov	ecx, eax
		call	EtwpProviderArrivalCallback
		mov	ecx, [ebp+var_C]
		xor	dl, dl
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		jmp	loc_7E039C
; 

loc_8F9FEA:				; CODE XREF: EtwpTrackProviderBinary+A1j
		cmp	dword ptr [edi+eax+60h], 0
		jz	loc_7E03AD
		movzx	edx, word ptr [edi+ecx+66h]
		mov	ecx, [ebp+var_8]
		push	0
		call	EtwpAcquireLoggerContextByLoggerId
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_7E03AD
		push	ebx
		mov	dl, 1
		mov	ecx, eax
		call	EtwpProviderArrivalCallback
		mov	ecx, [ebp+var_C]
		xor	dl, dl
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		jmp	loc_7E03AD
; 

loc_8FA028:				; CODE XREF: EtwpTrackProviderBinary+E2j
		and	dword ptr [eax+170h], 0
		xor	edx, edx
		mov	eax, [esi+10h]
		mov	ecx, [eax+168h]
		add	ecx, 16Ch
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_7E03EE
; END OF FUNCTION CHUNK	FOR EtwpTrackProviderBinary
; 
; START	OF FUNCTION CHUNK FOR MiInSwapStore

loc_8FA04F:				; CODE XREF: MiInSwapStore+1Fj
		mov	eax, 0C000009Ah
		jmp	loc_7E04A6
; END OF FUNCTION CHUNK	FOR MiInSwapStore
; 
; START	OF FUNCTION CHUNK FOR CmpLockHashEntryShared

loc_8FA059:				; CODE XREF: CmpLockHashEntryShared+29j
		push	[ebp+arg_0]
		push	9
		push	esi
		push	17h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8FA069:				; CODE XREF: CmEqualTrans+11j
		mov	eax, [ecx+1Ch]
		test	eax, eax
		jz	short loc_8FA07E
		mov	esi, [edx+1Ch]
		test	esi, esi
		jz	short loc_8FA07E
		cmp	eax, esi
		pop	esi
		setz	al
		retn
; 

loc_8FA07E:				; CODE XREF: CmpLockHashEntryShared+119BC4j
					; CmpLockHashEntryShared+119BCBj
		add	edx, 2Ch
		add	ecx, 2Ch
		pop	esi
		jmp	_CmpTransUowIsEqual@8 ;	CmpTransUowIsEqual(x,x)
; END OF FUNCTION CHUNK	FOR CmpLockHashEntryShared
; 
; START	OF FUNCTION CHUNK FOR CmpAddStringToMapping

loc_8FA08A:				; CODE XREF: CmpAddStringToMapping+26j
		mov	esi, 0C0000095h
		jmp	loc_7E063E
; 

loc_8FA094:				; CODE XREF: CmpAddStringToMapping+EAj
		mov	_CmpSIDToHiveMapping, edi
		jmp	loc_7E068C
; 

loc_8FA09F:				; CODE XREF: CmpAddStringToMapping+FFj
		mov	eax, _CmpSIDToHiveMappingCount
		shl	eax, 4
		push	eax		; size_t
		push	edi		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	65564D43h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7E05C1
; END OF FUNCTION CHUNK	FOR CmpAddStringToMapping

;  S U B	R O U T	I N E 


sub_8FA0C2	proc near		; DATA XREF: .text:006A450Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8FA0C2	endp


;  S U B	R O U T	I N E 


sub_8FA0D0	proc near		; DATA XREF: .text:006A4510o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-28h]
		jmp	loc_7E06E3
sub_8FA0D0	endp

; 
; START	OF FUNCTION CHUNK FOR RtlUpcaseUnicodeStringToOemString

loc_8FA0DB:				; CODE XREF: RtlUpcaseUnicodeStringToOemString+1Fj
		mov	eax, 0C00000F0h
		jmp	loc_7E0880
; 

loc_8FA0E5:				; CODE XREF: RtlUpcaseUnicodeStringToOemString+3Ej
		mov	eax, 80000005h
		jmp	loc_7E0880
; 

loc_8FA0EF:				; CODE XREF: RtlUpcaseUnicodeStringToOemString+7Dj
		mov	esi, 0C0000162h
		mov	[ebp+var_1C], esi
		jmp	loc_7E0859
; END OF FUNCTION CHUNK	FOR RtlUpcaseUnicodeStringToOemString

;  S U B	R O U T	I N E 


sub_8FA0FC	proc near		; DATA XREF: .text:006A4530o
		xor	ebx, ebx
		mov	edi, [ebp+8]
		mov	esi, [ebp-1Ch]
		jmp	sub_7E08AE
sub_8FA0FC	endp

; 
; START	OF FUNCTION CHUNK FOR sub_7E08AE

loc_8FA109:				; CODE XREF: sub_7E08AE+3j
					; sub_7E08AE+Bj
		cmp	byte ptr [ebp+10h], 0
		jz	locret_7E08BF
		push	dword ptr [edi+4]
		call	_ExFreePool@4	; ExFreePool(x)
		mov	[edi+4], ebx
		retn
; END OF FUNCTION CHUNK	FOR sub_7E08AE

;  S U B	R O U T	I N E 


sub_8FA11F	proc near		; DATA XREF: .text:006A454Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8FA11F	endp


;  S U B	R O U T	I N E 


sub_8FA12F	proc near		; DATA XREF: .text:006A4550o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_7E09C0
sub_8FA12F	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryTimerResolution

loc_8FA141:				; CODE XREF: NtQueryTimerResolution+1Aj
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_KeMaximumIncrement
		mov	[ecx], eax
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_KeMinimumIncrement
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		mov	eax, ds:_KeTimeIncrement
		mov	[ecx], eax
		jmp	loc_7E09BE
; END OF FUNCTION CHUNK	FOR NtQueryTimerResolution
; 
; START	OF FUNCTION CHUNK FOR ExpWnfRegisterPermanentName

loc_8FA164:				; CODE XREF: ExpWnfRegisterPermanentName+96j
		lea	edi, [esi+4]
		mov	esi, eax
		add	edi, ebx
		movsd
		movsd
		movsd
		movsd
		jmp	loc_7E0A7A
; END OF FUNCTION CHUNK	FOR ExpWnfRegisterPermanentName
; 
; START	OF FUNCTION CHUNK FOR PspSetJobLimitsJobPostCallback

loc_8FA174:				; CODE XREF: PspSetJobLimitsJobPostCallback+Cj
		mov	ecx, [ebp+arg_0]
		cmp	[eax], ecx
		jz	loc_7E0B22
		call	_PspApplyWorkingSetLimits@8 ; PspApplyWorkingSetLimits(x,x)
		jmp	loc_7E0B22
; END OF FUNCTION CHUNK	FOR PspSetJobLimitsJobPostCallback
; 
; START	OF FUNCTION CHUNK FOR ExpWnfGetPermanentDataStoreHandle

loc_8FA189:				; CODE XREF: ExpWnfGetPermanentDataStoreHandle+60j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7E0C8C
; END OF FUNCTION CHUNK	FOR ExpWnfGetPermanentDataStoreHandle
; 
; START	OF FUNCTION CHUNK FOR MiFreePlaceholderStorage

loc_8FA196:				; CODE XREF: MiFreePlaceholderStorage+11j
		mov	ecx, esi
		call	_MiFreePlaceholderVadEvent@4 ; MiFreePlaceholderVadEvent(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR MiFreePlaceholderStorage
; 
; START	OF FUNCTION CHUNK FOR NtMakeTemporaryObject

loc_8FA1A7:				; CODE XREF: NtMakeTemporaryObject+4Ej
		push	[ebp+arg_0]
		push	[ebp+var_8]
		call	_SeDeleteObjectAuditAlarm@8 ; SeDeleteObjectAuditAlarm(x,x)
		jmp	loc_7E0D68
; END OF FUNCTION CHUNK	FOR NtMakeTemporaryObject
; 
; START	OF FUNCTION CHUNK FOR CmpGetCorrectKcbLockOrder

loc_8FA1B7:				; CODE XREF: CmpGetCorrectKcbLockOrder:loc_7E0DF8j
		movzx	eax, word ptr [ecx+6Ah]
		test	al, 4
		jz	short loc_8FA1CC
		test	dword ptr [edx+68h], 20000h
		jnz	loc_7E0DE6

loc_8FA1CC:				; CODE XREF: CmpGetCorrectKcbLockOrder+1193F7j
		test	al, 2
		jz	short loc_8FA1DD
		test	dword ptr [edx+68h], 40000h
		jnz	loc_7E0DFE

loc_8FA1DD:				; CODE XREF: CmpGetCorrectKcbLockOrder+119408j
		movzx	eax, word ptr [ecx+22h]
		movzx	esi, word ptr [edx+22h]
		cmp	ax, si
		jg	loc_7E0DE6
		jl	loc_7E0DFE
		cmp	ecx, edx
		jbe	loc_7E0DFE
		jmp	loc_7E0DE6
; END OF FUNCTION CHUNK	FOR CmpGetCorrectKcbLockOrder
; 
; START	OF FUNCTION CHUNK FOR ObpDeleteSymbolicLinkName

loc_8FA201:				; CODE XREF: ObpDeleteSymbolicLinkName+10j
		lea	edx, [ebx-18h]
		movzx	eax, byte ptr [edx+0Eh]
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	edx, eax
		mov	eax, [edx]
		mov	eax, [eax+98h]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_8FA287
		push	edi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, large fs:124h
		mov	edi, eax
		dec	word ptr [ecx+13Eh]
		nop
		lea	eax, [edi+70h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_4]
		lea	edx, [esi-1]
		mov	eax, [ecx+10h]
		btr	eax, edx
		mov	[ecx+10h], eax
		mov	byte ptr [esi+ecx+13h],	0
		cmp	ecx, [edi]
		jnz	short loc_8FA26C
		mov	eax, [edi+4]
		btr	eax, edx
		mov	[edi+4], eax
		jmp	short loc_8FA270
; 

loc_8FA26C:				; CODE XREF: ObpDeleteSymbolicLinkName+1193C1j
		dec	dword ptr [edi+esi*4+4]

loc_8FA270:				; CODE XREF: ObpDeleteSymbolicLinkName+1193CCj
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi

loc_8FA287:				; CODE XREF: ObpDeleteSymbolicLinkName+119383j
		and	dword ptr [ebx+10h], 0
		jmp	loc_7E0EB4
; END OF FUNCTION CHUNK	FOR ObpDeleteSymbolicLinkName
; 
; START	OF FUNCTION CHUNK FOR PsTerminateSystemThread

loc_8FA290:				; CODE XREF: PsTerminateSystemThread+12j
		mov	eax, 0C000000Dh
		jmp	loc_7E1471
; END OF FUNCTION CHUNK	FOR PsTerminateSystemThread
; 
; START	OF FUNCTION CHUNK FOR ExpWnfEnumerateScopeInstances

loc_8FA29A:				; CODE XREF: ExpWnfEnumerateScopeInstances+18j
					; ExpWnfEnumerateScopeInstances+21j
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		jmp	loc_7E1562
; 

loc_8FA2AB:				; CODE XREF: ExpWnfEnumerateScopeInstances+9Dj
		mov	esi, [esi]
		and	[ebp+var_8], 0
		cmp	esi, ebx
		jnz	loc_7E15C3
		jmp	loc_7E15D9
; END OF FUNCTION CHUNK	FOR ExpWnfEnumerateScopeInstances
; 
; START	OF FUNCTION CHUNK FOR PsDereferenceKernelStack

loc_8FA2BE:				; CODE XREF: PsDereferenceKernelStack+14j
		push	0
		mov	edx, offset _PspDeleteKernelStack@12 ; PspDeleteKernelStack(x,x,x)
		mov	ecx, esi
		call	_KeEnumerateKernelStackSegments@12 ; KeEnumerateKernelStackSegments(x,x,x)
		and	dword ptr [esi+20h], 0
		jmp	loc_7E168C
; END OF FUNCTION CHUNK	FOR PsDereferenceKernelStack
; 
; START	OF FUNCTION CHUNK FOR PspDoesJobHierarchyPermitUILimits

loc_8FA2D5:				; CODE XREF: PspDoesJobHierarchyPermitUILimits+Bj
		test	byte ptr [eax+310h], 10h
		jnz	short loc_8FA2E9
		mov	eax, [eax+244h]
		jmp	loc_7E195F
; 

loc_8FA2E9:				; CODE XREF: PspDoesJobHierarchyPermitUILimits+118986j
		xor	al, al
		pop	ecx
		retn
; END OF FUNCTION CHUNK	FOR PspDoesJobHierarchyPermitUILimits
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceThermalRequest

loc_8FA2ED:				; CODE XREF: PopDiagTraceThermalRequest+6Bj
		mov	ecx, [ebx+10h]
		mov	edx, 67446F50h
		mov	ecx, [ecx+18h]
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	edi, eax
		test	edi, edi
		jz	short loc_8FA30E
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_8FA310
; 

loc_8FA30E:				; CODE XREF: PopDiagTraceThermalRequest+118921j
		xor	eax, eax

loc_8FA310:				; CODE XREF: PopDiagTraceThermalRequest+11892Cj
		mov	[esp+100h+var_EC], eax
		test	eax, eax
		jz	loc_8FA580
		push	ecx
		mov	ecx, [ebx+0Ch]
		lea	eax, [esp+104h+var_F1+1]
		push	eax
		xor	edx, edx
		call	PoStoreDiagnosticContext
		push	50455654h
		push	[esp+104h+var_F1+1]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8FA580
		push	ecx
		mov	ecx, [ebx+0Ch]
		lea	eax, [esp+104h+var_F1+1]
		push	eax
		mov	edx, esi
		call	PoStoreDiagnosticContext
		test	eax, eax
		js	loc_8FA580
		mov	eax, [esi+14h]
		mov	ecx, [esi+8]
		add	eax, esi
		mov	edx, [esi+0Ch]
		add	ecx, esi
		mov	[esp+100h+var_C4], eax
		add	edx, esi
		mov	ax, word ptr [esp+100h+var_F1+1]
		sub	ax, [esi+14h]
		mov	[esp+100h+var_CC], edx
		movzx	edx, ax
		movzx	eax, ax
		mov	[esp+100h+var_D0], eax
		lea	eax, [ecx+2]
		mov	[esp+100h+var_C0], edx
		mov	edx, [esp+100h+var_CC]
		mov	[esp+100h+var_C8], ecx
		mov	[esp+100h+var_F1+1], eax

loc_8FA39B:				; CODE XREF: PopDiagTraceThermalRequest+1189C6j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+100h+var_E8]
		jnz	short loc_8FA39B
		sub	ecx, [esp+100h+var_F1+1]
		sar	ecx, 1
		movzx	eax, cx
		mov	ecx, edx
		mov	[esp+100h+var_F1+1], eax
		movzx	eax, ax
		mov	[esp+100h+var_D8], eax
		lea	edx, [ecx+2]

loc_8FA3C1:				; CODE XREF: PopDiagTraceThermalRequest+1189ECj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+100h+var_E8]
		jnz	short loc_8FA3C1
		sub	ecx, edx
		sar	ecx, 1
		movzx	edx, cx
		mov	eax, edx
		mov	[esp+100h+var_D4], eax
		mov	eax, [esp+100h+var_EC]
		push	4
		pop	ecx
		push	2
		mov	ax, [eax+48h]
		shr	ax, 1
		movzx	eax, ax
		mov	[esp+104h+var_DC], eax
		xor	eax, eax
		cmp	[ebx+9], al
		mov	[esp+104h+var_E0], ebx
		setnz	al
		mov	[esp+104h+var_A0], ecx
		mov	[esp+104h+var_E4], eax
		mov	al, [ebx+8]
		xor	ebx, ebx
		mov	byte ptr [esp+104h+var_F1], al
		lea	eax, [esp+104h+var_F1]
		mov	[esp+104h+var_B8], eax
		lea	eax, [esp+104h+var_E4]
		mov	[esp+104h+var_A8], eax
		lea	eax, [esp+104h+var_E0]
		mov	[esp+104h+var_98], eax
		lea	eax, [esp+104h+var_DC]
		mov	[esp+104h+var_88], eax
		lea	eax, [esp+104h+var_D8]
		mov	[esp+104h+var_78], eax
		lea	eax, [esp+104h+var_D4]
		mov	[esp+104h+var_68], eax
		lea	eax, [esp+104h+var_D0]
		mov	[esp+104h+var_58], eax
		mov	eax, [esp+104h+var_EC]
		mov	[esp+104h+var_90], ecx
		pop	ecx
		mov	[esp+100h+var_B4], ebx
		mov	[esp+100h+var_B0], 1
		mov	[esp+100h+var_AC], ebx
		mov	[esp+100h+var_A4], ebx
		mov	[esp+100h+var_9C], ebx
		mov	[esp+100h+var_94], ebx
		mov	[esp+100h+var_8C], ebx
		mov	[esp+100h+var_84], ebx
		mov	[esp+100h+var_80], ecx
		mov	[esp+100h+var_7C], ebx
		mov	[esp+100h+var_74], ebx
		mov	[esp+100h+var_70], ecx
		mov	[esp+100h+var_6C], ebx
		mov	[esp+100h+var_64], ebx
		mov	[esp+100h+var_60], ecx
		mov	[esp+100h+var_5C], ebx
		mov	[esp+100h+var_54], ebx
		mov	[esp+100h+var_50], ecx
		mov	[esp+100h+var_4C], ebx
		movzx	ecx, word ptr [eax+48h]
		mov	eax, [eax+4Ch]
		mov	[esp+100h+var_48], eax
		mov	eax, ecx
		mov	[esp+100h+var_40], eax
		mov	eax, [esp+100h+var_C8]
		mov	[esp+100h+var_38], eax
		mov	eax, [esp+100h+var_F1+1]
		movzx	eax, ax
		add	eax, eax
		mov	[esp+100h+var_44], ebx
		mov	[esp+100h+var_30], eax
		mov	eax, [esp+100h+var_CC]
		mov	[esp+100h+var_28], eax
		mov	eax, edx
		add	eax, eax
		mov	[esp+100h+var_3C], ebx
		mov	[esp+100h+var_20], eax
		mov	eax, [esp+100h+var_C4]
		mov	[esp+100h+var_34], ebx
		mov	[esp+100h+var_2C], ebx
		mov	[esp+100h+var_24], ebx
		mov	[esp+100h+var_1C], ebx
		mov	[esp+100h+var_18], eax
		mov	eax, [esp+100h+var_C0]
		movzx	eax, ax
		mov	[esp+100h+var_10], eax
		lea	eax, [esp+100h+var_B8]
		push	eax
		push	0Bh
		push	ebx
		push	[esp+10Ch+var_BC]
		mov	[esp+110h+var_14], ebx
		push	dword_6C1D74
		mov	[esp+114h+var_C], ebx
		push	_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_8FA580:				; CODE XREF: PopDiagTraceThermalRequest+118936j
					; PopDiagTraceThermalRequest+118960j ...
		test	edi, edi
		jz	short loc_8FA590
		mov	edx, 67446F50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_8FA590:				; CODE XREF: PopDiagTraceThermalRequest+118BA2j
		test	esi, esi
		jz	loc_7E1A51
		push	50455654h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7E1A51
; END OF FUNCTION CHUNK	FOR PopDiagTraceThermalRequest
; 
; START	OF FUNCTION CHUNK FOR FsRtlQueryCachedVdl

loc_8FA5A8:				; CODE XREF: FsRtlQueryCachedVdl+67j
		mov	eax, 0C000009Ah
		jmp	loc_7E1C32
; 

loc_8FA5B2:				; CODE XREF: FsRtlQueryCachedVdl+BCj
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [esp+80h+var_58]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+70h+var_60]
		jmp	loc_7E1C04
; END OF FUNCTION CHUNK	FOR FsRtlQueryCachedVdl
; 
; START	OF FUNCTION CHUNK FOR PspSetJobLimitsProcessCallback

loc_8FA5C9:				; CODE XREF: PspSetJobLimitsProcessCallback+24j
		mov	eax, [esi+158h]
		cmp	[edi], eax
		jz	loc_7E1CB8
		mov	ecx, esi
		call	_PspAddProcessToWorkingSetChangeList@4 ; PspAddProcessToWorkingSetChangeList(x)
		jmp	loc_7E1CB8
; END OF FUNCTION CHUNK	FOR PspSetJobLimitsProcessCallback
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceCoolingExtension

loc_8FA5E3:				; CODE XREF: PopDiagTraceCoolingExtension+54j
		mov	ecx, [edi+18h]
		mov	edx, 67446F50h
		push	esi
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_8FA602
		mov	ecx, [esi+0B0h]
		mov	edx, [ecx+14h]
		jmp	short loc_8FA604
; 

loc_8FA602:				; CODE XREF: PopDiagTraceCoolingExtension+118935j
		xor	edx, edx

loc_8FA604:				; CODE XREF: PopDiagTraceCoolingExtension+118940j
		test	edx, edx
		jz	loc_8FA6EA
		mov	ax, [edx+48h]
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_8C], eax
		xor	eax, eax
		cmp	[edi+40h], eax
		push	4
		setnz	al
		mov	[ebp+var_88], edi
		mov	[ebp+var_80], eax
		xor	eax, eax
		cmp	[edi+44h], eax
		pop	ecx
		setnz	al
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_7C], eax
		xor	eax, eax
		cmp	[edi+21h], al
		mov	[ebp+var_5C], ecx
		setnz	al
		mov	[ebp+var_4C], 1
		mov	[ebp+var_84], eax
		mov	al, [edi+22h]
		xor	edi, edi
		mov	byte ptr [ebp+var_75], al
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_75+1],	eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_75]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_24], eax
		mov	[ebp+var_70], edi
		mov	[ebp+var_68], edi
		mov	[ebp+var_60], edi
		mov	[ebp+var_58], edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], 2
		mov	[ebp+var_18], edi
		movzx	ecx, word ptr [edx+48h]
		mov	eax, [edx+4Ch]
		mov	[ebp+var_14], eax
		mov	eax, ecx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_75+1]
		push	eax
		push	7
		push	edi
		push	ebx
		push	dword_6C1D74
		mov	[ebp+var_10], edi
		push	_PopDiagHandle
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_8FA6EA:				; CODE XREF: PopDiagTraceCoolingExtension+118946j
		test	esi, esi
		jz	short loc_8FA6FA
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_8FA6FA:				; CODE XREF: PopDiagTraceCoolingExtension+118A2Cj
		pop	esi
		jmp	loc_7E1D1A
; END OF FUNCTION CHUNK	FOR PopDiagTraceCoolingExtension
; 
; START	OF FUNCTION CHUNK FOR CmpLogTransactionAbortedWithChildName

loc_8FA700:				; CODE XREF: CmpLogTransactionAbortedWithChildName+27j
		cmp	dword_6B2348, 4
		jbe	loc_7E1D55
		push	ebx
		push	1
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_7E1D55
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	CmpConstructNameFromKcbNameBlocks
		mov	esi, [ebp+var_8]
		mov	ebx, 624E4D43h
		test	eax, eax
		js	short loc_8FA79B
		test	edi, edi
		jz	short loc_8FA78D
		movzx	ecx, word ptr [esi]
		movzx	eax, word ptr [edi]
		add	ecx, 2
		add	eax, ecx
		cmp	eax, 0FFFFh
		ja	short loc_8FA79B
		movzx	eax, ax
		xor	ecx, ecx
		push	ebx
		mov	edx, eax
		mov	word ptr [ebp+var_10+2], ax
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_8FA79B
		mov	edx, esi
		lea	ecx, [ebp+var_10]
		call	_RtlUnicodeStringCopy@8	; RtlUnicodeStringCopy(x,x)
		mov	edx, offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		lea	ecx, [ebp+var_10]
		call	_RtlUnicodeStringCatString@8 ; RtlUnicodeStringCatString(x,x)
		mov	edx, edi
		lea	ecx, [ebp+var_10]
		call	_RtlUnicodeStringCat@8 ; RtlUnicodeStringCat(x,x)
		lea	ecx, [ebp+var_10]
		jmp	short loc_8FA78F
; 

loc_8FA78D:				; CODE XREF: CmpLogTransactionAbortedWithChildName+118A12j
		mov	ecx, esi

loc_8FA78F:				; CODE XREF: CmpLogTransactionAbortedWithChildName+118A63j
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		push	ecx
		call	_CmpLogTransactionAbortedByName@16 ; CmpLogTransactionAbortedByName(x,x,x,x)

loc_8FA79B:				; CODE XREF: CmpLogTransactionAbortedWithChildName+118A0Ej
					; CmpLogTransactionAbortedWithChildName+118A24j ...
		test	esi, esi
		jz	loc_7E1D55
		mov	edx, ebx
		mov	ecx, esi
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		jmp	loc_7E1D55
; END OF FUNCTION CHUNK	FOR CmpLogTransactionAbortedWithChildName
; 
; START	OF FUNCTION CHUNK FOR RtlValidProcessProtection

loc_8FA7B1:				; CODE XREF: RtlValidProcessProtection+24j
		cmp	al, 8
		jz	loc_7E1DBC
		cmp	al, 12h
		jz	loc_7E1DBC
		cmp	al, 21h
		jz	loc_7E1DBC
		jmp	loc_7E1DDE
; 

loc_8FA7CE:				; CODE XREF: RtlValidProcessProtection+31j
		cmp	al, 72h
		jz	loc_7E1DBC
		cmp	al, 81h
		jnz	loc_7E1DDE
		jmp	loc_7E1DBC
; END OF FUNCTION CHUNK	FOR RtlValidProcessProtection
; 
; START	OF FUNCTION CHUNK FOR PspDoesJobHierarchyPermitUILimitsCallback

loc_8FA7E3:				; CODE XREF: PspDoesJobHierarchyPermitUILimitsCallback+Bj
		test	byte ptr [eax+310h], 10h
		jnz	short loc_8FA7F9
		cmp	dword ptr [eax+0E8h], 0FFFFFFFEh
		jnz	loc_7E1E73

loc_8FA7F9:				; CODE XREF: PspDoesJobHierarchyPermitUILimitsCallback+118988j
		mov	eax, 0C0000718h
		jmp	loc_7E1E75
; END OF FUNCTION CHUNK	FOR PspDoesJobHierarchyPermitUILimitsCallback

;  S U B	R O U T	I N E 


sub_8FA803	proc near		; CODE XREF: PfSnTracingStateExWorkerRoutine+1Cj
		push	ebx
		mov	dword_6D4988, 1
		mov	ebx, offset dword_6D495C

loc_8FA813:				; CODE XREF: sub_8FA803+3Dj
		cmp	dword_6D495C, ebx
		jz	short loc_8FA847
		mov	eax, dword_6D4960
		cmp	[eax], ebx
		jnz	short loc_8FA842
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_8FA842
		push	esi
		mov	dword_6D4960, ecx
		push	eax
		mov	[ecx], ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		dec	dword_6D4984
		jmp	short loc_8FA813
; 

loc_8FA842:				; CODE XREF: sub_8FA803+1Fj
					; sub_8FA803+26j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8FA847:				; CODE XREF: sub_8FA803+16j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, dword_6D498C
		pop	ebx
		test	eax, eax
		jz	loc_7E212B
		push	esi
		push	esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_7E212B
sub_8FA803	endp

; 
; START	OF FUNCTION CHUNK FOR IopSymlinkEnforceEnabledTypes

loc_8FA869:				; CODE XREF: IopSymlinkEnforceEnabledTypes+42j
		test	byte ptr [esi-10h], 10h
		jnz	loc_7E21EB
		jmp	loc_7E21AE
; 

loc_8FA878:				; CODE XREF: IopSymlinkEnforceEnabledTypes+4Fj
		test	esi, esi
		jz	loc_7E21EB
		cmp	[esi+10h], ecx
		setz	[ebp+var_1]
		jmp	loc_7E21BB
; 

loc_8FA88C:				; CODE XREF: IopSymlinkEnforceEnabledTypes+5Aj
		test	esi, esi
		jnz	loc_7E21C6
		lea	eax, [ebp+var_8]
		push	eax
		push	69536F49h
		push	edi
		push	edi
		push	1Ch
		pop	eax
		push	eax
		push	offset _GUID_ECP_NETWORK_OPEN_CONTEXT
		call	FsRtlAllocateExtraCreateParameter
		test	eax, eax
		js	loc_7E21E4
		mov	esi, [ebp+var_8]
		xor	eax, eax
		push	7
		pop	ecx
		push	1Ch
		mov	edi, esi
		rep stosd
		pop	eax
		mov	[esi], ax
		xor	eax, eax
		push	esi
		push	[ebp+arg_0]
		mov	[esi+2], ax
		call	FsRtlInsertExtraCreateParameter
		mov	al, [ebp+var_2]
		push	2
		pop	ecx
		jmp	loc_7E21C6
; 

loc_8FA8E1:				; CODE XREF: IopSymlinkEnforceEnabledTypes+71j
		test	bl, 2
		jnz	short loc_8FA8E9
		mov	[esi+4], ecx

loc_8FA8E9:				; CODE XREF: IopSymlinkEnforceEnabledTypes+11877Ej
		test	bl, 1
		jmp	short loc_8FA906
; 

loc_8FA8EE:				; CODE XREF: IopSymlinkEnforceEnabledTypes+64j
		test	bl, 0Ch
		jz	loc_7E21EB
		test	al, al
		jnz	short loc_8FA918
		test	bl, 8
		jnz	short loc_8FA903
		mov	[esi+4], ecx

loc_8FA903:				; CODE XREF: IopSymlinkEnforceEnabledTypes+118798j
		test	bl, 4

loc_8FA906:				; CODE XREF: IopSymlinkEnforceEnabledTypes+118786j
		jnz	loc_7E21E2
		mov	dword ptr [esi+4], 1
		jmp	loc_7E21E2
; 

loc_8FA918:				; CODE XREF: IopSymlinkEnforceEnabledTypes+118793j
		test	bl, 4
		jmp	loc_7E21E0
; END OF FUNCTION CHUNK	FOR IopSymlinkEnforceEnabledTypes
; 
; START	OF FUNCTION CHUNK FOR EtwpApplyTransientFilters

loc_8FA920:				; CODE XREF: EtwpApplyTransientFilters+1Dj
		call	_EtwpApplyExeFilter@8 ;	EtwpApplyExeFilter(x,x)
		mov	bl, al
		test	bl, bl
		jz	loc_7E223A
		jmp	loc_7E2215
; 

loc_8FA934:				; CODE XREF: EtwpApplyTransientFilters+2Aj
					; EtwpApplyTransientFilters+33j
		push	dword ptr [esi+8]
		mov	ecx, edi
		call	_EtwpApplyPackageIdFilter@12 ; EtwpApplyPackageIdFilter(x,x,x)
		mov	bl, al
		xor	ecx, ecx
		jmp	loc_7E222B
; 

loc_8FA947:				; CODE XREF: EtwpApplyTransientFilters+42j
		mov	edx, [eax+8]
		mov	bl, cl
		mov	esi, [eax]
		mov	eax, [edi+28h]
		add	esi, [ebp+arg_0]
		shr	edx, 2
		mov	eax, [eax+0E4h]
		test	edx, edx
		jz	loc_7E223A

loc_8FA965:				; CODE XREF: EtwpApplyTransientFilters+11877Bj
		cmp	[esi+ecx*4], eax
		jz	short loc_8FA974
		inc	ecx
		cmp	ecx, edx
		jb	short loc_8FA965
		jmp	loc_7E223A
; 

loc_8FA974:				; CODE XREF: EtwpApplyTransientFilters+118776j
		mov	bl, 1
		jmp	loc_7E223A
; END OF FUNCTION CHUNK	FOR EtwpApplyTransientFilters
; 
; START	OF FUNCTION CHUNK FOR CmListGetPrevElement

loc_8FA97B:				; CODE XREF: CmListGetPrevElement+10j
		mov	eax, [esi+4]
		mov	[edx], eax
		lea	eax, [esi-10h]
		jmp	loc_7E2292
; END OF FUNCTION CHUNK	FOR CmListGetPrevElement
; 
; START	OF FUNCTION CHUNK FOR ExpParseAndUpdateLeapSecondData

loc_8FA988:				; CODE XREF: ExpParseAndUpdateLeapSecondData+1185FAj
		push	7

loc_8FA98A:				; CODE XREF: ExpParseAndUpdateLeapSecondData+56j
		pop	esi
		jmp	loc_7E2403
; 

loc_8FA990:				; CODE XREF: ExpParseAndUpdateLeapSecondData+45j
		cmp	ebx, [esi+4]
		ja	short loc_8FA99F
		sbb	esi, esi
		and	esi, 3
		jmp	loc_7E2403
; 

loc_8FA99F:				; CODE XREF: ExpParseAndUpdateLeapSecondData+1185DDj
		push	6453704Ch
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8FA988
		mov	eax, ebx
		shl	eax, 3
		add	eax, 8
		push	eax		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		add	ecx, 0Ch
		mov	edx, ebx
		push	edi
		push	esi
		call	_RtlParseLeapSecondData@16 ; RtlParseLeapSecondData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_8FAA05
		mov	esi, [ebp+var_8]
		mov	eax, ebx
		shl	eax, 3
		push	eax		; size_t
		lea	eax, [edi+8]
		push	eax		; void *
		lea	eax, [esi+8]
		push	eax		; void *
		call	_memcpy
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		add	esp, 0Ch
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	[esi+4], ebx
		xor	esi, esi

loc_8FAA05:				; CODE XREF: ExpParseAndUpdateLeapSecondData+5Ej
					; ExpParseAndUpdateLeapSecondData+118623j
		test	edi, edi
		jz	loc_7E2403
		push	6453704Ch
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7E2403
; END OF FUNCTION CHUNK	FOR ExpParseAndUpdateLeapSecondData
; 
; START	OF FUNCTION CHUNK FOR MiCloneProcessAddressSpace

loc_8FAA1D:				; CODE XREF: MiCloneProcessAddressSpace+56j
		mov	eax, 0C00000BBh
		jmp	loc_846238
; 

loc_8FAA27:				; CODE XREF: MiCloneProcessAddressSpace+9Aj
		test	ecx, ecx
		jnz	loc_8460A6
		mov	edi, 0C00000BBh
		jmp	short loc_8FAA8A
; 

loc_8FAA36:				; CODE XREF: MiCloneProcessAddressSpace+B5j
		mov	edi, 0C000010Ah
		jmp	short loc_8FAA42
; 

loc_8FAA3D:				; CODE XREF: MiCloneProcessAddressSpace+10Ej
		mov	edi, 0C000009Ah

loc_8FAA42:				; CODE XREF: MiCloneProcessAddressSpace+B4A35j
		mov	[ebp+var_24], edi

loc_8FAA45:				; CODE XREF: MiCloneProcessAddressSpace+CCj
					; MiCloneProcessAddressSpace+E3j ...
		mov	ecx, [ebp+var_34]
		or	edx, 0FFFFFFFFh
		push	0
		push	[ebp+var_44]
		call	_MiUnlockVadRange@16 ; MiUnlockVadRange(x,x,x,x)

loc_8FAA55:				; CODE XREF: MiCloneProcessAddressSpace+1FFj
		cmp	[ebp+var_2C], 0
		jz	short loc_8FAA7A
		mov	edi, [ebp+var_2C]

loc_8FAA5E:				; CODE XREF: MiCloneProcessAddressSpace+B4A6Fj
		push	dword ptr [edi+20h]
		mov	esi, [edi]
		push	ebx
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_8FAA5E
		mov	edi, [ebp+var_24]

loc_8FAA7A:				; CODE XREF: MiCloneProcessAddressSpace+B4A53j
					; MiCloneProcessAddressSpace+B4B35j
		mov	eax, [ebp+var_38]
		test	eax, eax
		jz	short loc_8FAA8A
		mov	edx, eax
		mov	ecx, ebx
		call	_MiFreeCloneDescriptor@8 ; MiFreeCloneDescriptor(x,x)

loc_8FAA8A:				; CODE XREF: MiCloneProcessAddressSpace+B4A2Ej
					; MiCloneProcessAddressSpace+B4A79j
		cmp	[ebp+var_28], 0
		jz	short loc_8FAA9A
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_8FAA9A:				; CODE XREF: MiCloneProcessAddressSpace+B4A88j
		cmp	[ebp+var_48], 0
		jz	short loc_8FAAA9
		xor	edx, edx
		mov	ecx, ebx
		call	MiLockDownWorkingSet

loc_8FAAA9:				; CODE XREF: MiCloneProcessAddressSpace+B4A98j
		mov	ecx, ebx
		call	_MiDeleteInsertedCloneVads@4 ; MiDeleteInsertedCloneVads(x)
		jmp	loc_846236
; 

loc_8FAAB5:				; CODE XREF: MiCloneProcessAddressSpace+17Bj
		mov	eax, [ebx+350h]
		xor	esi, esi
		jmp	short loc_8FAAC3
; 

loc_8FAABF:				; CODE XREF: MiCloneProcessAddressSpace+B4ABFj
		mov	esi, eax
		mov	eax, [eax]

loc_8FAAC3:				; CODE XREF: MiCloneProcessAddressSpace+B4AB7j
		test	eax, eax
		jnz	short loc_8FAABF
		jmp	short loc_8FAB2D
; 

loc_8FAAC9:				; CODE XREF: MiCloneProcessAddressSpace+B4B29j
		mov	eax, [esi+4]
		mov	edi, esi
		mov	ecx, esi
		test	eax, eax
		jz	short loc_8FAAEE
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_8FAAF6

loc_8FAADC:				; CODE XREF: MiCloneProcessAddressSpace+B4ADEj
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_8FAADC
		jmp	short loc_8FAAF6
; 

loc_8FAAE8:				; CODE XREF: MiCloneProcessAddressSpace+B4AEEj
		cmp	[esi], ecx
		jz	short loc_8FAAF6
		mov	ecx, esi

loc_8FAAEE:				; CODE XREF: MiCloneProcessAddressSpace+B4ACCj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_8FAAE8

loc_8FAAF6:				; CODE XREF: MiCloneProcessAddressSpace+B4AD4j
					; MiCloneProcessAddressSpace+B4AE0j ...
		mov	ecx, edi
		call	_MiIsVadLargePrivate@4 ; MiIsVadLargePrivate(x)
		test	eax, eax
		jz	short loc_8FAB2D
		mov	ecx, [edi+0Ch]
		shl	ecx, 0Ch
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		push	edi
		mov	edx, eax
		mov	ecx, ebx
		call	_MiCopyLargeVad@12 ; MiCopyLargeVad(x,x,x)
		mov	edi, eax
		mov	[ebp+var_24], eax
		test	edi, edi
		js	loc_84618C
		sub	[ebp+var_30], 1
		jz	loc_846187

loc_8FAB2D:				; CODE XREF: MiCloneProcessAddressSpace+B4AC1j
					; MiCloneProcessAddressSpace+B4AF9j
		test	esi, esi
		jnz	short loc_8FAAC9
		jmp	loc_846187
; 

loc_8FAB36:				; CODE XREF: MiCloneProcessAddressSpace+22Aj
		mov	edi, 0C000009Ah
		jmp	loc_8FAA7A
; END OF FUNCTION CHUNK	FOR MiCloneProcessAddressSpace
; 
; START	OF FUNCTION CHUNK FOR MiAllocateChildVads

loc_8FAB40:				; CODE XREF: MiAllocateChildVads+13Dj
		and	ecx, 0FFBFFFFFh
		mov	[esi+1Ch], ecx
		jmp	loc_846397
; 

loc_8FAB4E:				; CODE XREF: MiAllocateChildVads+196j
		cmp	[ebp+var_24], 0
		jnz	short loc_8FAB69
		mov	ecx, [ebp+var_20]
		lea	eax, [ebp+var_1C]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		mov	[ebp+var_24], 1

loc_8FAB69:				; CODE XREF: MiAllocateChildVads+B48FEj
		mov	ecx, esi
		call	_MiCreatePlaceholderStorage@4 ;	MiCreatePlaceholderStorage(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8FAC29
		mov	ecx, [ebp+var_2C]
		jmp	loc_8463F0
; 

loc_8FAB82:				; CODE XREF: MiAllocateChildVads+1A8j
		cmp	[ebp+var_24], 0
		jnz	short loc_8FAB9D
		mov	ecx, [ebp+var_20]
		lea	eax, [ebp+var_1C]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		mov	[ebp+var_24], 1

loc_8FAB9D:				; CODE XREF: MiAllocateChildVads+B4932j
		mov	eax, [esi+10h]
		mov	edx, esi
		sub	eax, [esi+0Ch]
		mov	ecx, [ebp+var_20]
		inc	eax
		push	eax
		call	_MiCreateWriteWatchView@12 ; MiCreateWriteWatchView(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8FAC29
		mov	ecx, [ebp+var_2C]
		jmp	loc_846402
; 

loc_8FABBD:				; CODE XREF: MiAllocateChildVads+1B5j
		mov	eax, [ecx+20h]
		mov	edx, esi
		xor	eax, [esi+20h]
		mov	ecx, [ebp+var_20]
		and	eax, 7FFFFFFFh
		xor	[esi+20h], eax
		push	1
		push	0
		call	_MiCreateLargePageVad@16 ; MiCreateLargePageVad(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_8FAC29
		mov	eax, [ebp+var_38]
		inc	dword ptr [eax]
		jmp	loc_846418
; 

loc_8FABE9:				; CODE XREF: MiAllocateChildVads+1C8j
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		and	[ebp+var_24], 0
		jmp	loc_846422
; 

loc_8FABFC:				; CODE XREF: MiAllocateChildVads+B49CEj
		mov	ecx, [esi+2Ch]
		mov	edx, [ebp+var_20]
		push	0
		mov	ecx, [ecx]
		call	MiRemoveSharedCommitNode

loc_8FAC0B:				; CODE XREF: MiAllocateChildVads+168j
					; MiAllocateChildVads+B49CCj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		jmp	short loc_8FAC29
; 

loc_8FAC17:				; CODE XREF: MiAllocateChildVads+245j
		mov	ecx, esi
		call	_MiVadHasSharedCommit@4	; MiVadHasSharedCommit(x)
		test	eax, eax
		jz	short loc_8FAC0B
		jmp	short loc_8FABFC
; 

loc_8FAC24:				; CODE XREF: MiAllocateChildVads+EAj
		mov	ebx, 0C000009Ah

loc_8FAC29:				; CODE XREF: MiAllocateChildVads+21Cj
					; MiAllocateChildVads+255j ...
		cmp	[ebp+var_24], 0
		mov	edi, [ebp+var_20]
		jnz	short loc_8FAC3F
		lea	eax, [ebp+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, edi
		call	KiStackAttachProcess

loc_8FAC3F:				; CODE XREF: MiAllocateChildVads+B49DCj
		test	esi, esi
		jz	short loc_8FAC84
		mov	ecx, esi
		call	_MiVadHasSharedCommit@4	; MiVadHasSharedCommit(x)
		test	eax, eax
		jz	short loc_8FAC5C
		mov	ecx, [esi+2Ch]
		mov	edx, edi
		push	0
		mov	ecx, [ecx]
		call	MiRemoveSharedCommitNode

loc_8FAC5C:				; CODE XREF: MiAllocateChildVads+B49F8j
		mov	ecx, esi
		call	_MiCloneDiscardVadCommit@4 ; MiCloneDiscardVadCommit(x)
		push	4
		mov	edx, esi
		mov	ecx, edi
		call	_MiFreeVadEventBitmap@12 ; MiFreeVadEventBitmap(x,x,x)
		mov	ecx, esi
		call	MiFreePlaceholderStorage
		mov	ecx, esi
		call	_MiFreeVadEvents@4 ; MiFreeVadEvents(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FAC84:				; CODE XREF: MiAllocateChildVads+B49EDj
		mov	ecx, [ebp+var_30]
		test	ecx, ecx
		jz	short loc_8FAC92
		xor	edx, edx
		call	_MiDeletePartialCloneVads@8 ; MiDeletePartialCloneVads(x,x)

loc_8FAC92:				; CODE XREF: MiAllocateChildVads+B4A35j
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, ebx
		jmp	loc_84643E
; END OF FUNCTION CHUNK	FOR MiAllocateChildVads
; 
; START	OF FUNCTION CHUNK FOR MiBuildNewCloneDescriptor

loc_8FACA3:				; CODE XREF: MiBuildNewCloneDescriptor+65j
		push	esi
		push	edi

loc_8FACA5:				; CODE XREF: MiBuildNewCloneDescriptor+B472Aj
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		push	0

loc_8FACAC:				; CODE XREF: MiBuildNewCloneDescriptor+B4711j
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FACB2:				; CODE XREF: MiBuildNewCloneDescriptor+27j
					; MiBuildNewCloneDescriptor+B46FCj
		xor	eax, eax
		jmp	loc_8466E1
; 

loc_8FACB9:				; CODE XREF: MiBuildNewCloneDescriptor+45j
		push	esi
		push	edi
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		jmp	short loc_8FACB2
; 

loc_8FACC2:				; CODE XREF: MiBuildNewCloneDescriptor+8Aj
		push	edi
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	[ebp+var_C]
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		push	edi
		jmp	short loc_8FACAC
; 

loc_8FACD7:				; CODE XREF: MiBuildNewCloneDescriptor+9Ej
		mov	eax, [ebp+var_4]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	[ebp+var_C]
		jmp	short loc_8FACA5
; END OF FUNCTION CHUNK	FOR MiBuildNewCloneDescriptor
; 
; START	OF FUNCTION CHUNK FOR MiLockPagedRange

loc_8FACF0:				; CODE XREF: MiLockPagedRange+B4618j
		sub	esi, 1000h
		lea	ecx, [esi+ebx]
		call	_MiUnlockPagedAddress@4	; MiUnlockPagedAddress(x)

loc_8FACFE:				; CODE XREF: MiLockPagedRange+19j
		test	esi, esi
		jnz	short loc_8FACF0
		xor	eax, eax
		jmp	loc_846714
; END OF FUNCTION CHUNK	FOR MiLockPagedRange
; 
; START	OF FUNCTION CHUNK FOR MiInsertChildVads

loc_8FAD09:				; CODE XREF: MiInsertChildVads+94j
		mov	eax, [ebp+var_24]
		mov	eax, [eax+24Ch]
		test	ecx, 100000h
		jz	short loc_8FAD25
		inc	dword ptr [eax+0B0h]
		jmp	loc_8467B2
; 

loc_8FAD25:				; CODE XREF: MiInsertChildVads+B4600j
		inc	dword ptr [eax+0B4h]
		jmp	loc_8467B2
; 

loc_8FAD30:				; CODE XREF: MiInsertChildVads+BBj
		mov	eax, large fs:124h
		mov	[ebp+var_20], eax
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6CF3C8
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+2Ch]
		mov	ecx, offset dword_6CF3C8
		mov	eax, [eax]
		mov	eax, [eax]
		mov	eax, [eax+18h]
		inc	dword ptr [eax+8]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8FAD76
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset dword_6CF3C8

loc_8FAD76:				; CODE XREF: MiInsertChildVads+B4652j
		call	KeAbPostRelease
		mov	ecx, [ebp+var_20]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_8467D9
; 

loc_8FAD88:				; CODE XREF: MiInsertChildVads+80j
		test	ecx, 100000h
		jmp	short loc_8FAD96
; 

loc_8FAD90:				; CODE XREF: MiInsertChildVads+69j
		test	dword ptr [edi], 100000h

loc_8FAD96:				; CODE XREF: MiInsertChildVads+B4676j
		jnz	short loc_8FADA1
		xor	edx, edx
		mov	ecx, esi
		call	MiUpControlAreaRefs

loc_8FADA1:				; CODE XREF: MiInsertChildVads+58j
					; MiInsertChildVads:loc_8FAD96j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiDeletePartialCloneVads@8 ; MiDeletePartialCloneVads(x,x)
		jmp	loc_8467F1
; END OF FUNCTION CHUNK	FOR MiInsertChildVads
; 
; START	OF FUNCTION CHUNK FOR ExQueryProcessHandleInformation

loc_8FADB0:				; CODE XREF: ExQueryProcessHandleInformation+93j
		xor	edx, edx
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_84694D
; END OF FUNCTION CHUNK	FOR ExQueryProcessHandleInformation

;  S U B	R O U T	I N E 


sub_8FADBC	proc near		; DATA XREF: .text:006A45B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8FADBC	endp


;  S U B	R O U T	I N E 


sub_8FADCA	proc near		; DATA XREF: .text:006A45B8o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-3Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-2Ch]
		jmp	loc_8469A1
sub_8FADCA	endp

; 
; START	OF FUNCTION CHUNK FOR ExQueryProcessHandleInformation

loc_8FADDF:				; CODE XREF: ExQueryProcessHandleInformation+5Aj
		test	[ebp+var_20], 7FCh
		jz	loc_846994
		cmp	dword ptr [ebx], 0
		jz	loc_846994
		add	esi, 1Ch
		mov	[ebp+var_30], 0C0000004h
		jmp	loc_846994
; END OF FUNCTION CHUNK	FOR ExQueryProcessHandleInformation

;  S U B	R O U T	I N E 


sub_8FAE04	proc near		; DATA XREF: .text:006A45C0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8FAE04	endp


;  S U B	R O U T	I N E 


sub_8FAE12	proc near		; DATA XREF: .text:006A45C4o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-40h]
		jmp	loc_8469B1
sub_8FAE12	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryMutant

loc_8FAE1D:				; CODE XREF: NtQueryMutant+2Bj
		mov	eax, 0C0000004h
		jmp	loc_846B08
; 

loc_8FAE27:				; CODE XREF: NtQueryMutant+6Aj
		mov	ecx, eax
		jmp	loc_846A94
; END OF FUNCTION CHUNK	FOR NtQueryMutant

;  S U B	R O U T	I N E 


sub_8FAE2E	proc near		; DATA XREF: .text:006A45DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8FAE2E	endp


;  S U B	R O U T	I N E 


sub_8FAE3C	proc near		; DATA XREF: .text:006A45E0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_846B08
sub_8FAE3C	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryMutant

loc_8FAE4E:				; CODE XREF: NtQueryMutant+45j
		mov	esi, [ebp+arg_10]
		mov	edi, [ebp+arg_8]
		jmp	loc_846AA1
; END OF FUNCTION CHUNK	FOR NtQueryMutant

;  S U B	R O U T	I N E 


sub_8FAE59	proc near		; DATA XREF: .text:006A45E8o
		xor	eax, eax
		inc	eax
		retn
sub_8FAE59	endp


;  S U B	R O U T	I N E 


sub_8FAE5D	proc near		; DATA XREF: .text:006A45ECo
					; .text:006A45F8o
		mov	esp, [ebp-18h]
		jmp	loc_846AF6
sub_8FAE5D	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryMutant

loc_8FAE65:				; CODE XREF: NtQueryMutant+119j
		mov	eax, [ebp+arg_4]
		mov	[edi], eax
		mov	[edi+4], cl
		mov	[edi+5], dl
		jmp	short loc_8FAE81
; END OF FUNCTION CHUNK	FOR NtQueryMutant

;  S U B	R O U T	I N E 


sub_8FAE72	proc near		; DATA XREF: .text:006A45F4o
		xor	eax, eax
		inc	eax
		retn
sub_8FAE72	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryMutant

loc_8FAE76:				; CODE XREF: NtQueryMutant+B4j
		mov	eax, [ebp+var_2C]
		mov	[edi], eax
		mov	eax, [ebp+var_28]
		mov	[edi+4], eax

loc_8FAE81:				; CODE XREF: NtQueryMutant+B444Cj
		test	esi, esi
		jz	loc_846AFD
		mov	[esi], ebx
		jmp	loc_846AFD
; 

loc_8FAE90:				; CODE XREF: NtQueryMutant+1Dj
		mov	eax, 0C0000003h
		jmp	loc_846B08
; END OF FUNCTION CHUNK	FOR NtQueryMutant
; 
; START	OF FUNCTION CHUNK FOR PiPnpRtlServiceFilterCallback

loc_8FAE9A:				; CODE XREF: PiPnpRtlServiceFilterCallback+69j
		lea	eax, [esp+17h]
		mov	edx, edi
		mov	edi, [esp+98h+var_80]
		mov	ecx, edi
		push	eax
		call	__CmIsDevicePresent@12 ; _CmIsDevicePresent(x,x,x)
		test	eax, eax
		js	loc_846EEC
		cmp	[esp+98h+var_81], bl
		jz	loc_846EEC
		xor	ecx, ecx
		jmp	loc_846D5D
; 

loc_8FAEC5:				; CODE XREF: PiPnpRtlServiceFilterCallback+31Ej
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_84700E
; 

loc_8FAED3:				; CODE XREF: PiPnpRtlServiceFilterCallback+313j
		mov	eax, 0C000009Ah
		jmp	loc_846DBD
; 

loc_8FAEDD:				; CODE XREF: PiPnpRtlServiceFilterCallback+107j
		mov	bl, 1

loc_8FAEDF:				; CODE XREF: PiPnpRtlServiceFilterCallback+2A4j
		mov	edi, [esp+98h+var_80]

loc_8FAEE3:				; CODE XREF: PiPnpRtlServiceFilterCallback+1FCj
		mov	eax, [esi+10h]
		test	eax, eax
		jz	loc_846EEC
		push	dword ptr [esi+14h]
		push	[ebp+arg_8]
		push	[esp+0A0h+var_78]
		push	edi
		call	eax
		mov	bl, al
		jmp	loc_846EEC
; 

loc_8FAF02:				; CODE XREF: PiPnpRtlServiceFilterCallback+2CCj
		mov	edi, [esp+98h+var_7C]
		mov	eax, 0C000009Ah
		jmp	loc_846EBB
; 

loc_8FAF10:				; CODE XREF: PiPnpRtlServiceFilterCallback+295j
		mov	bl, 1
		jmp	loc_846F8C
; 

loc_8FAF17:				; CODE XREF: PiPnpRtlServiceFilterCallback+77j
					; PiPnpRtlServiceFilterCallback+83j ...
		mov	bl, 1
		jmp	loc_846EE4
; END OF FUNCTION CHUNK	FOR PiPnpRtlServiceFilterCallback
; 
; START	OF FUNCTION CHUNK FOR NtQuerySemaphore

loc_8FAF1E:				; CODE XREF: NtQuerySemaphore+3Dj
		mov	byte ptr [eax],	0
		jmp	loc_847063
; 

loc_8FAF26:				; CODE XREF: NtQuerySemaphore+5Dj
		mov	ecx, eax
		jmp	loc_847083
; END OF FUNCTION CHUNK	FOR NtQuerySemaphore

;  S U B	R O U T	I N E 


sub_8FAF2D	proc near		; DATA XREF: .text:006A4614o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8FAF2D	endp


;  S U B	R O U T	I N E 


sub_8FAF3B	proc near		; DATA XREF: .text:006A4618o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_847104
sub_8FAF3B	endp

; 
; START	OF FUNCTION CHUNK FOR NtQuerySemaphore

loc_8FAF4D:				; CODE XREF: NtQuerySemaphore+20j
		mov	esi, [ebp+arg_10]
		mov	ebx, [ebp+arg_8]
		jmp	loc_84708E
; 

loc_8FAF58:				; CODE XREF: NtQuerySemaphore+72j
		mov	eax, 0C0000003h
		jmp	loc_847104
; 

loc_8FAF62:				; CODE XREF: NtQuerySemaphore+7Cj
		mov	eax, 0C0000004h
		jmp	loc_847104
; END OF FUNCTION CHUNK	FOR NtQuerySemaphore

;  S U B	R O U T	I N E 


sub_8FAF6C	proc near		; DATA XREF: .text:006A4620o
		xor	eax, eax
		inc	eax
		retn
sub_8FAF6C	endp


;  S U B	R O U T	I N E 


sub_8FAF70	proc near		; DATA XREF: .text:006A4624o
		mov	esp, [ebp-18h]
		jmp	loc_8470FA
sub_8FAF70	endp

; 
; START	OF FUNCTION CHUNK FOR NtQuerySemaphore

loc_8FAF78:				; CODE XREF: NtQuerySemaphore+BBj
		mov	[ebx], edi
		mov	eax, [ebp+arg_10]
		mov	[ebx+4], eax
		test	esi, esi
		jz	loc_847101
		mov	dword ptr [esi], 8
		jmp	loc_847101
; END OF FUNCTION CHUNK	FOR NtQuerySemaphore
; 
; START	OF FUNCTION CHUNK FOR PsSuspendProcess

loc_8FAF93:				; CODE XREF: PsSuspendProcess+62j
		push	0
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwTiLogSuspendResumeProcess@16 ; EtwTiLogSuspendResumeProcess(x,x,x,x)
		jmp	loc_8471EA
; END OF FUNCTION CHUNK	FOR PsSuspendProcess
; 
; START	OF FUNCTION CHUNK FOR SmProcessQueryStoreStats

loc_8FAFA4:				; CODE XREF: SmProcessQueryStoreStats+88j
		mov	eax, [esp+618h+var_5E8]
		shl	eax, 0Ch
		mov	[ecx], eax
		jmp	loc_847252
; END OF FUNCTION CHUNK	FOR SmProcessQueryStoreStats
; 
; START	OF FUNCTION CHUNK FOR PfpDeprioritizeOldPagesInWs

loc_8FAFB2:				; CODE XREF: PfpDeprioritizeOldPagesInWs+24j
		mov	esi, 0C0000206h
		jmp	loc_847379
; 

loc_8FAFBC:				; CODE XREF: PfpDeprioritizeOldPagesInWs+48j
					; PfpDeprioritizeOldPagesInWs+50j
		mov	[edx], bl
		mov	eax, [esi+10h]
		jmp	loc_8472E6
; END OF FUNCTION CHUNK	FOR PfpDeprioritizeOldPagesInWs

;  S U B	R O U T	I N E 


sub_8FAFC6	proc near		; DATA XREF: .text:006A463Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8FAFC6	endp


;  S U B	R O U T	I N E 


sub_8FAFD4	proc near		; DATA XREF: .text:006A4640o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-28h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_847379
sub_8FAFD4	endp

; 
; START	OF FUNCTION CHUNK FOR DbgkpSendErrorMessage

loc_8FAFE6:				; CODE XREF: DbgkpSendErrorMessage+84j
		mov	ebx, 0C00000BBh
		jmp	loc_8476B7
; 

loc_8FAFF0:				; CODE XREF: DbgkpSendErrorMessage+D3j
		mov	ecx, 0FFFFD8F0h
		imul	ecx
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_9C], edx
		jmp	loc_847483
; 

loc_8FB00E:				; CODE XREF: DbgkpSendErrorMessage+144j
		mov	ebx, 0C0000194h
		jmp	loc_84751B
; 

loc_8FB018:				; CODE XREF: DbgkpSendErrorMessage+155j
		mov	ebx, 0C0000353h
		jmp	loc_847518
; 

loc_8FB022:				; CODE XREF: DbgkpSendErrorMessage+210j
		mov	dword ptr [esi+80h], 1
		jmp	loc_8475BE
; 

loc_8FB031:				; CODE XREF: DbgkpSendErrorMessage+293j
		mov	ebx, 0C000004Bh
		jmp	loc_847641
; 

loc_8FB03B:				; CODE XREF: DbgkpSendErrorMessage+33Dj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	ebx
		push	10000h
		push	dword ptr [esi+8]
		call	_ZwAlpcSendWaitReceivePort@32 ;	ZwAlpcSendWaitReceivePort(x,x,x,x,x,x,x,x)
		jmp	loc_8476EB
; 

loc_8FB055:				; CODE XREF: DbgkpSendErrorMessage+34Aj
		cmp	ebx, 10002h
		jnz	loc_84768A
		cmp	[ebp+var_79], 0
		jz	short loc_8FB079
		xor	dl, dl
		mov	ecx, edi
		call	PsThawProcess
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	[ebp+var_79], 0

loc_8FB079:				; CODE XREF: DbgkpSendErrorMessage+B3CBDj
		mov	ecx, [ebp+var_A4]
		mov	dl, 1
		push	1
		call	DbgkForwardException
		movzx	ebx, al
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 3FFFFEBCh
		add	ebx, 0C0000144h
		jmp	loc_84768A
; 

loc_8FB0A0:				; CODE XREF: DbgkpSendErrorMessage+2CFj
		mov	ecx, [ebp+var_84]

loc_8FB0A6:				; CODE XREF: DbgkpSendErrorMessage+2A1j
		cmp	ebx, 0C0000037h
		jnz	loc_84768A
		mov	edx, [ebp+var_A8]
		push	esi
		call	_DbgkpRemoveErrorPort@12 ; DbgkpRemoveErrorPort(x,x,x)
		jmp	loc_84768A
; 

loc_8FB0C3:				; CODE XREF: DbgkpSendErrorMessage+104j
					; DbgkpSendErrorMessage+10Fj
		mov	ebx, 0C000004Bh
		jmp	loc_8476A3
; 

loc_8FB0CD:				; CODE XREF: DbgkpSendErrorMessage+EFj
					; DbgkpSendErrorMessage+F9j
		mov	ebx, 0C0000353h
		jmp	loc_8476A3
; END OF FUNCTION CHUNK	FOR DbgkpSendErrorMessage
; 
; START	OF FUNCTION CHUNK FOR DbgkpSuspendProcess

loc_8FB0D7:				; CODE XREF: DbgkpSuspendProcess+1Bj
		mov	ecx, esi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		xor	al, al
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR DbgkpSuspendProcess
; 
; START	OF FUNCTION CHUNK FOR PsSetProcessFaultInformation

loc_8FB0E2:				; CODE XREF: PsSetProcessFaultInformation+34j
		mov	eax, dword_6B3690
		cmp	eax, ds:0FFDF037Ch
		jnb	short loc_8FB115
		cmp	dword_6B368C, 0
		jnz	short loc_8FB10B
		mov	ecx, off_6B3688
		lea	edx, [ebp+var_4]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B368C, eax

loc_8FB10B:				; CODE XREF: PsSetProcessFaultInformation+B38FAj
		push	offset off_6B3688
		call	_EtwTelemetryCoverageReport@4 ;	EtwTelemetryCoverageReport(x)

loc_8FB115:				; CODE XREF: PsSetProcessFaultInformation+B38F1j
		mov	eax, large fs:124h
		mov	[ebp+arg_0], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	edi, [ebx+0E0h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	cl, [ebx+3A7h]
		mov	al, cl
		and	al, 7
		cmp	al, 7
		jnb	short loc_8FB152
		lea	eax, [ecx+1]
		xor	al, cl
		and	al, 7
		xor	al, cl
		mov	[ebx+3A7h], al

loc_8FB152:				; CODE XREF: PsSetProcessFaultInformation+B3945j
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8FB165
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8FB165:				; CODE XREF: PsSetProcessFaultInformation+B3960j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+arg_0]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx]
		jmp	loc_84783C
; 

loc_8FB17E:				; CODE XREF: PsSetProcessFaultInformation+5Cj
		mov	ecx, large fs:124h
		push	esi
		push	ecx
		push	ebx
		call	dword ptr [eax]
		mov	ecx, ds:_PspHwTraceExtensionHost
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)
		jmp	loc_84785E
; END OF FUNCTION CHUNK	FOR PsSetProcessFaultInformation
; 
; START	OF FUNCTION CHUNK FOR _CmGetInstallerClassMappedPropertyFromRegValue

loc_8FB19A:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+96j
		mov	eax, [ebp+var_44]
		mov	ecx, [ebp+var_28]
		jmp	loc_847A75
; 

loc_8FB1A5:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+A4j
		mov	esi, 0C0000016h
		jmp	loc_847B9D
; 

loc_8FB1AF:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+BBj
		mov	[ebp+var_28], ecx
		jmp	loc_847ADA
; 

loc_8FB1B7:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+FFj
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_NoInstallClass ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_847BCA
		mov	eax, [ebp+arg_4]
		jmp	loc_847B0D
; 

loc_8FB1D7:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+108j
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_NoDisplayClass ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_847BCA
		jmp	loc_847B16
; 

loc_8FB1F4:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+111j
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_SilentInstall ; void *
		push	[ebp+arg_4]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_847BCA
		jmp	loc_847B1F
; 

loc_8FB213:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+123j
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_FSFilterClass ; void *
		push	[ebp+arg_4]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_847B31
		jmp	loc_847BCA
; 

loc_8FB232:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+1F0j
		cmp	eax, 0C000017Ch
		jz	loc_847B80
		test	eax, eax
		js	short loc_8FB274
		cmp	[ebp+var_28], 1
		mov	eax, [ebp+var_3C]
		mov	ecx, [ebp+var_40]
		mov	dword ptr [eax], 1
		mov	eax, [ebx+4]
		mov	[ecx], eax
		jb	short loc_8FB27B
		xor	eax, eax
		mov	[ebp+var_8], ax
		lea	eax, [ebp+var_1D+1]
		push	eax		; wchar_t *
		push	offset ??_C@_13COJANIEC@?$AA0@NNGAKEGL@	; wchar_t *
		call	__wcsicmp
		neg	eax
		pop	ecx
		pop	ecx
		sbb	al, al
		jmp	short loc_8FB28E
; 

loc_8FB274:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B3837j
					; _CmGetInstallerClassMappedPropertyFromRegValue+B39EFj
		mov	esi, eax
		jmp	loc_847B85
; 

loc_8FB27B:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B384Ej
					; _CmGetInstallerClassMappedPropertyFromRegValue+B3A08j
		mov	esi, 0C0000023h
		jmp	loc_847B85
; 

loc_8FB285:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B3A0Ej
		cmp	[ebp+var_54], 0
		setz	al
		dec	al

loc_8FB28E:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B386Aj
		mov	ecx, [ebp+var_34]
		mov	[ecx], al
		jmp	loc_847B85
; 

loc_8FB298:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+12Cj
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_Name ; void	*
		push	[ebp+arg_4]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8FB365
		mov	ebx, [ebp+var_2C]
		mov	esi, 0C0000225h
		mov	[ebp+var_44], eax

loc_8FB2BD:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B3933j
		sub	eax, 0
		jz	short loc_8FB2C9
		mov	ecx, offset ??_C@_11LOCGONAA@@NNGAKEGL@
		jmp	short loc_8FB2D4
; 

loc_8FB2C9:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B38B8j
		mov	ecx, [ebx+8]
		test	ecx, ecx
		jz	loc_847B85

loc_8FB2D4:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B38BFj
		mov	eax, [ebp+var_28]
		mov	edx, edi
		mov	[ebp+var_24], eax
		test	edi, edi
		jnz	short loc_8FB2E3
		mov	edx, [ebp+var_30]

loc_8FB2E3:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B38D6j
		mov	eax, [ebp+var_38]
		mov	eax, [eax+108h]
		test	eax, eax
		jnz	short loc_8FB2F5
		mov	eax, offset _PnpRegQueryValueIndirect

loc_8FB2F5:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B38E6j
		lea	ebx, [ebp+var_1D]
		push	ebx
		lea	ebx, [ebp+var_24]
		push	ebx
		push	[ebp+var_34]
		lea	ebx, [ebp+var_48]
		push	ebx
		push	ecx
		push	edx
		push	[ebp+var_38]
		call	eax ; _PnpRegQueryValueIndirect
		mov	ecx, eax
		mov	ebx, [ebp+var_2C]
		cmp	ecx, 0C0000034h
		jz	short loc_8FB331
		cmp	ecx, 0C000017Ch
		jz	short loc_8FB331
		mov	edx, 0C0000023h
		test	ecx, ecx
		jz	short loc_8FB342
		cmp	ecx, edx
		jz	short loc_8FB342
		mov	esi, ecx
		jmp	short loc_8FB344
; 

loc_8FB331:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B390Ej
					; _CmGetInstallerClassMappedPropertyFromRegValue+B3916j
		mov	eax, [ebp+var_44]
		inc	eax
		mov	[ebp+var_44], eax
		cmp	eax, 2
		jl	short loc_8FB2BD
		jmp	loc_847B85
; 

loc_8FB342:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B391Fj
					; _CmGetInstallerClassMappedPropertyFromRegValue+B3923j
		xor	esi, esi

loc_8FB344:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B3927j
		test	esi, esi
		js	loc_847B85
		jmp	loc_847C16
; 

loc_8FB351:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+232j
		cmp	eax, 12h
		jnz	loc_847B85
		mov	dword ptr [ebx], 19h
		jmp	loc_847B85
; 

loc_8FB365:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B38A4j
		cmp	ebx, 2
		jnz	loc_847B3A
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_DHPRebalanceOptOut ; void *
		push	[ebp+arg_4]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_847B3A
		mov	ebx, [ebp+var_2C]
		mov	[ebp+var_24], 4
		mov	eax, [ebx+8]
		mov	[ebp+var_50], eax
		test	edi, edi
		jnz	short loc_8FB39F
		mov	edi, [ebp+var_30]

loc_8FB39F:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+B3992j
		lea	eax, [ebp+var_4C]
		mov	edx, edi
		push	eax
		push	ecx
		mov	ecx, [ebp+var_38]
		push	0
		push	1
		push	0
		call	_PnpOpenPropertiesKey
		mov	esi, eax
		mov	edi, 0C0000034h
		cmp	esi, edi
		jz	loc_847B80
		test	esi, esi
		js	loc_847B85
		mov	edx, [ebp+var_50]
		lea	eax, [ebp+var_24]
		mov	ecx, [ebp+var_4C]
		push	eax
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		call	_RegRtlQueryValue
		cmp	eax, edi
		jz	loc_847B80
		cmp	eax, 0C000017Ch
		jz	loc_847B80
		test	eax, eax
		js	loc_8FB274
		mov	eax, [ebp+var_3C]
		xor	edx, edx
		mov	ecx, [ebp+var_40]
		inc	edx
		mov	[eax], edx
		mov	eax, [ebx+4]
		mov	[ecx], eax
		cmp	[ebp+var_28], edx
		jb	loc_8FB27B
		jmp	loc_8FB285
; 

loc_8FB41B:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+208j
		cmp	ecx, edx
		jz	loc_847C16
		mov	esi, ecx
		jmp	loc_847B85
; 

loc_8FB42A:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegValue+181j
		push	[ebp+var_4C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_847B8F
; END OF FUNCTION CHUNK	FOR _CmGetInstallerClassMappedPropertyFromRegValue
; 
; START	OF FUNCTION CHUNK FOR MiLogReserveVaFailed

loc_8FB437:				; CODE XREF: MiLogReserveVaFailed+97j
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_80], 10h
		mov	[ebp+var_88], eax
		xor	edx, edx
		mov	eax, [ebp+var_BC]
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_78], eax
		mov	eax, [edi+11Ch]
		mov	[ebp+var_D0], eax
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_58], eax
		mov	eax, [edi+1CCh]
		mov	[ebp+var_84], edx
		mov	[ebp+var_7C], edx
		mov	[ebp+var_C4], edx
		mov	[ebp+var_74], edx
		mov	[ebp+var_6C], edx
		mov	[ebp+var_CC], edx
		mov	[ebp+var_64], edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_D4], edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_4C], edx
		cdq
		mov	[ebp+var_E0], eax
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_DC], edx
		cdq
		push	8
		pop	ecx
		mov	[ebp+var_F0], eax
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_4]
		push	8
		mov	[ebp+var_EC], edx
		cdq
		mov	[ebp+var_70], ecx
		mov	[ebp+var_60], ecx
		mov	ecx, [edi+118h]
		xor	edi, edi
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_F8]
		mov	[ebp+var_D8], ecx
		pop	ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	0Ah
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_F4], edx
		mov	edx, offset loc_41CAF9
		mov	[ebp+var_10], ecx
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_44], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_E8], ebx
		mov	[ebp+var_E4], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_C], edi
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		jmp	loc_847CA0
; END OF FUNCTION CHUNK	FOR MiLogReserveVaFailed
; 
; START	OF FUNCTION CHUNK FOR MiExpandVadBitMapDown

loc_8FB570:				; CODE XREF: MiExpandVadBitMapDown+36j
		test	dl, 1Fh
		mov	edi, ecx
		push	0
		pop	eax
		setnz	al
		shr	edx, 5
		add	eax, edx
		lea	edx, [ecx-1]
		shl	eax, 2
		mov	ebx, eax
		and	ebx, 0FFFh
		neg	ebx
		sbb	ebx, ebx
		shr	eax, 0Ch
		neg	ebx
		add	ebx, eax
		mov	eax, ebx
		shl	eax, 0Ch
		sub	edi, eax
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, edi
		call	MiMakeHyperRangeAccessible
		test	eax, eax
		js	loc_847D1C
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		add	[ecx+64h], eax
		mov	eax, ebx
		shl	eax, 0Fh
		add	[esi], eax
		mov	[esi+4], edi
		cmp	edi, dword_6D2E88
		jnz	short loc_8FB5DC
		movsx	eax, byte ptr [edi]
		bts	eax, 0
		mov	[edi], al
		xor	eax, eax
		inc	eax
		jmp	short loc_8FB5DE
; 

loc_8FB5DC:				; CODE XREF: MiExpandVadBitMapDown+B38ECj
		xor	eax, eax

loc_8FB5DE:				; CODE XREF: MiExpandVadBitMapDown+B38FAj
		mov	[esi+8], eax
		mov	[esi+10h], eax
		and	dword ptr [esi+0Ch], 0
		mov	ecx, [esi+4]
		sub	ecx, dword_6D2E88
		imul	edx, ebx, 80000000h
		shl	ecx, 13h
		add	edx, ecx
		call	MiUpdateVadBits
		xor	eax, eax
		inc	eax
		jmp	loc_847D1E
; END OF FUNCTION CHUNK	FOR MiExpandVadBitMapDown

;  S U B	R O U T	I N E 


sub_8FB609	proc near		; DATA XREF: .text:006A467Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8FB609	endp


;  S U B	R O U T	I N E 


sub_8FB617	proc near		; DATA XREF: .text:006A4680o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_847E6C
sub_8FB617	endp

; 
; START	OF FUNCTION CHUNK FOR PiCMOpenDeviceInterfaceKey

loc_8FB629:				; CODE XREF: PiCMOpenDeviceInterfaceKey+A9j
		cmp	[ebp+var_18], 1
		jnz	loc_847FA9
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jnz	short loc_8FB649
		mov	esi, 0C0000022h
		jmp	loc_847FA9
; 

loc_8FB649:				; CODE XREF: PiCMOpenDeviceInterfaceKey+B375Bj
		push	ebx
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		push	1
		push	[ebp+var_1C]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	32h
		call	_CmOpenDeviceInterfaceRegKey
		mov	esi, eax
		jmp	loc_847F91
; 

loc_8FB66A:				; CODE XREF: PiCMOpenDeviceInterfaceKey+4Ej
					; PiCMOpenDeviceInterfaceKey+58j ...
		mov	esi, 0C000000Dh
		jmp	loc_847FA9
; 

loc_8FB674:				; CODE XREF: PiCMOpenDeviceInterfaceKey+F1j
					; PiCMOpenDeviceInterfaceKey+F9j
		test	edi, edi
		jz	loc_847FE1
		push	[ebp+var_C]
		push	edi
		call	ObCloseHandle
		jmp	loc_847FE1
; END OF FUNCTION CHUNK	FOR PiCMOpenDeviceInterfaceKey
; 
; START	OF FUNCTION CHUNK FOR PspRundownProcess

loc_8FB68A:				; CODE XREF: PspRundownProcess+33j
		lea	eax, [esi+0F8h]
		lock bts dword ptr [eax], 8
		jnb	short loc_8FB6A4
		mov	ecx, esi
		mov	edx, 77537350h
		pop	esi
		jmp	ObfDereferenceObjectWithTag
; 

loc_8FB6A4:				; CODE XREF: PspRundownProcess+B36A3j
		xor	eax, eax
		inc	eax
		lock xadd ds:_PspRundownNeededCount, eax
		inc	eax
		cmp	eax, 1
		jnz	loc_848046
		push	3
		push	offset _PspProcessRundownWorkItem
		jmp	loc_848041
; END OF FUNCTION CHUNK	FOR PspRundownProcess
; 
; START	OF FUNCTION CHUNK FOR DbgkpSendApiMessageLpc

loc_8FB6C5:				; CODE XREF: DbgkpSendApiMessageLpc+32j
		mov	ecx, esi
		call	DbgkpSuspendProcess
		mov	[ebp+arg_0], al
		jmp	loc_848080
; 

loc_8FB6D4:				; CODE XREF: DbgkpSendApiMessageLpc+88j
		xor	dl, dl
		mov	ecx, esi
		call	PsThawProcess
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_8480D6
; END OF FUNCTION CHUNK	FOR DbgkpSendApiMessageLpc
; 
; START	OF FUNCTION CHUNK FOR PiCMGetDeviceInterfaceAlias

loc_8FB6E7:				; CODE XREF: PiCMGetDeviceInterfaceAlias+A6j
		mov	esi, 0C000009Ah
		jmp	loc_84819C
; 

loc_8FB6F1:				; CODE XREF: PiCMGetDeviceInterfaceAlias+8Fj
		xor	edi, edi
		jmp	loc_84819C
; 

loc_8FB6F8:				; CODE XREF: PiCMGetDeviceInterfaceAlias+F6j
		mov	esi, 0C0000023h
		jmp	loc_848203
; 

loc_8FB702:				; CODE XREF: PiCMGetDeviceInterfaceAlias+71j
					; PiCMGetDeviceInterfaceAlias+7Dj
		mov	esi, 0C000000Dh
		xor	edx, edx

loc_8FB709:				; CODE XREF: PiCMGetDeviceInterfaceAlias+127j
		push	[ebp+var_30]
		push	[ebp+arg_4]
		push	ebx
		push	[ebp+var_8]
		push	0
		push	0
		jmp	loc_848229
; 

loc_8FB71C:				; CODE XREF: PiCMGetDeviceInterfaceAlias+60j
					; PiCMGetDeviceInterfaceAlias+69j
		mov	esi, 0C000000Dh
		jmp	loc_848210
; END OF FUNCTION CHUNK	FOR PiCMGetDeviceInterfaceAlias
; 
; START	OF FUNCTION CHUNK FOR IoGetDeviceInterfaceAlias

loc_8FB726:				; CODE XREF: IoGetDeviceInterfaceAlias+95j
		mov	esi, 0C000000Dh
		jmp	loc_848551
; 

loc_8FB730:				; CODE XREF: IoGetDeviceInterfaceAlias+ECj
		mov	esi, 0C0000022h
		jmp	loc_848551
; 

loc_8FB73A:				; CODE XREF: IoGetDeviceInterfaceAlias+13Ej
					; IoGetDeviceInterfaceAlias+19Ej
		mov	esi, 0C000009Ah
		jmp	loc_848522
; 

loc_8FB744:				; CODE XREF: IoGetDeviceInterfaceAlias+17Aj
		mov	esi, 0C00000EFh
		jmp	loc_848522
; 

loc_8FB74E:				; CODE XREF: IoGetDeviceInterfaceAlias+1C0j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		mov	esi, [esp+0A4h+var_88]
		lea	eax, [esi+esi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_8FB776
		mov	esi, 0C000009Ah
		jmp	loc_84851E
; 

loc_8FB776:				; CODE XREF: IoGetDeviceInterfaceAlias+B34F0j
		mov	edx, [esp+0A0h+var_8D+1]
		lea	eax, [esp+0A0h+var_88]
		push	eax
		push	esi
		push	edi
		call	_CmGetDeviceInterfaceReferenceString
		mov	ebx, eax
		jmp	loc_848440
; 

loc_8FB78D:				; CODE XREF: IoGetDeviceInterfaceAlias+1CDj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C0000034h
		jmp	loc_84844D
; 

loc_8FB79F:				; CODE XREF: IoGetDeviceInterfaceAlias+229j
					; IoGetDeviceInterfaceAlias+B3551j
		mov	esi, 0C000009Ah
		jmp	loc_84851C
; 

loc_8FB7A9:				; CODE XREF: IoGetDeviceInterfaceAlias+250j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [esp+0A0h+var_84]
		push	20207050h
		lea	eax, [esi+esi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0A0h+var_88], eax
		test	eax, eax
		jz	short loc_8FB79F
		lea	ecx, [esp+0A0h+var_84]
		push	ecx
		push	esi
		push	eax
		push	[esp+0ACh+var_80]
		lea	edx, [esp+0B0h+var_58]
		push	ebx
		push	[esp+0B4h+var_94]
		call	_CmGetDeviceInterfaceName
		mov	esi, eax
		jmp	loc_8484D0
; 

loc_8FB7ED:				; CODE XREF: IoGetDeviceInterfaceAlias+293j
		push	[esp+0A0h+var_74]
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	loc_84851C
; 

loc_8FB7FB:				; CODE XREF: IoGetDeviceInterfaceAlias+5Ej
					; IoGetDeviceInterfaceAlias+67j ...
		mov	esi, 0C000000Dh
		jmp	loc_84853A
; END OF FUNCTION CHUNK	FOR IoGetDeviceInterfaceAlias
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceInterfaceReferenceString

loc_8FB805:				; CODE XREF: _CmGetDeviceInterfaceReferenceString+26j
		mov	esi, 0C0000034h
		jmp	loc_84867C
; END OF FUNCTION CHUNK	FOR _CmGetDeviceInterfaceReferenceString
; 
; START	OF FUNCTION CHUNK FOR PiCMCaptureInterfaceAliasInputData

loc_8FB80F:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+4Ej
					; PiCMCaptureInterfaceAliasInputData+56j
		mov	byte ptr [eax],	0
		jmp	loc_8486F0
; 

loc_8FB817:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+5Fj
					; PiCMCaptureInterfaceAliasInputData+74j
		mov	ebx, 0C000000Dh
		jmp	short loc_8FB832
; END OF FUNCTION CHUNK	FOR PiCMCaptureInterfaceAliasInputData

;  S U B	R O U T	I N E 


sub_8FB81E	proc near		; DATA XREF: .text:006A469Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8FB81E	endp


;  S U B	R O U T	I N E 


sub_8FB82C	proc near		; DATA XREF: .text:006A46A0o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-28h]
sub_8FB82C	endp

; START	OF FUNCTION CHUNK FOR PiCMCaptureInterfaceAliasInputData

loc_8FB832:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+B3188j
		mov	[ebp+var_1C], ebx
		jmp	loc_84870E
; 

loc_8FB83A:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+A2j
		test	eax, eax
		jnz	short loc_8FB84C

loc_8FB83E:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+96j
		cmp	dword ptr [esi+1Ch], 0
		ja	short loc_8FB856
		test	eax, eax
		jz	loc_848768

loc_8FB84C:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+B31A8j
		cmp	dword ptr [esi+1Ch], 2
		jnb	loc_848768

loc_8FB856:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+B31AEj
		mov	ebx, 0C000000Dh

loc_8FB85B:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+86j
					; PiCMCaptureInterfaceAliasInputData+D6j
		cmp	[ebp+var_20], 0
		jz	short loc_8FB876
		mov	eax, [esi+18h]
		cmp	byte ptr [ebp+var_24], 0
		jz	short loc_8FB876
		test	eax, eax
		jz	short loc_8FB876
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FB876:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+B31CBj
					; PiCMCaptureInterfaceAliasInputData+B31D4j ...
		push	9
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		jmp	loc_848770
; 

loc_8FB884:				; CODE XREF: PiCMCaptureInterfaceAliasInputData+2Aj
					; PiCMCaptureInterfaceAliasInputData+32j
		mov	ebx, 0C000000Dh
		mov	esi, [ebp+arg_4]
		jmp	loc_848768
; END OF FUNCTION CHUNK	FOR PiCMCaptureInterfaceAliasInputData
; 
; START	OF FUNCTION CHUNK FOR _CmGetInstallerClassMappedPropertyFromCoInstallers

loc_8FB891:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromCoInstallers+63j
		cmp	ecx, 0C000017Ch
		jz	loc_8487FB
		test	ecx, ecx
		jz	short loc_8FB8B0
		cmp	ecx, 0C0000023h
		jz	short loc_8FB8B0
		mov	esi, ecx
		jmp	loc_848800
; 

loc_8FB8B0:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromCoInstallers+B310Dj
					; _CmGetInstallerClassMappedPropertyFromCoInstallers+B3115j
		cmp	[ebp+var_8], 7
		jz	short loc_8FB8DF
		push	ebx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], esi
		push	eax
		mov	[ebp+var_C], esi
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_848800
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	loc_848800
; 

loc_8FB8DF:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromCoInstallers+B3122j
		mov	edx, [ebp+arg_10]
		mov	eax, [ebp+arg_8]
		mov	[edx], eax
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 2012h
		test	ecx, ecx
		jnz	short loc_8FB8FC
		test	edi, edi
		jnz	loc_848800

loc_8FB8FC:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromCoInstallers+B3160j
		mov	esi, 0C0000023h
		jmp	loc_848800
; END OF FUNCTION CHUNK	FOR _CmGetInstallerClassMappedPropertyFromCoInstallers
; 
; START	OF FUNCTION CHUNK FOR MiMapLockedPagesInUserSpace

loc_8FB906:				; CODE XREF: MiMapLockedPagesInUserSpace+18j
		push	0C0000141h
		jmp	short loc_8FB91C
; 

loc_8FB90D:				; CODE XREF: MiMapLockedPagesInUserSpace+B31AFj
		mov	esi, [ebp+var_3C]
		mov	ebx, [ebp+var_C]

loc_8FB913:				; CODE XREF: MiMapLockedPagesInUserSpace+B3159j
					; MiMapLockedPagesInUserSpace+B3172j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx

loc_8FB91C:				; CODE XREF: MiMapLockedPagesInUserSpace+B30F9j
					; MiMapLockedPagesInUserSpace+B311Dj
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_8FB921:				; CODE XREF: MiMapLockedPagesInUserSpace+20Ej
		push	0
		xor	edx, edx
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)

loc_8FB92A:				; CODE XREF: MiMapLockedPagesInUserSpace+4Ej
		push	0C000009Ah
		jmp	short loc_8FB91C
; 

loc_8FB931:				; CODE XREF: MiMapLockedPagesInUserSpace+B8j
		mov	ebx, 0C000010Ah
		mov	[ebp+var_C], ebx
		jmp	short loc_8FB95E
; 

loc_8FB93B:				; CODE XREF: MiMapLockedPagesInUserSpace+D7j
		push	ecx
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	0
		push	eax
		call	MiIsVaRangeAvailable
		test	eax, eax
		jnz	loc_84891F
		mov	ebx, 0C0000018h
		mov	edx, ecx
		mov	[ebp+var_C], ebx

loc_8FB95B:				; CODE XREF: MiMapLockedPagesInUserSpace+253j
		mov	edi, [ebp+var_8]

loc_8FB95E:				; CODE XREF: MiMapLockedPagesInUserSpace+B3127j
		mov	ecx, [ebp+var_18]
		call	UNLOCK_ADDRESS_SPACE
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jz	short loc_8FB913
		mov	eax, ecx
		xor	edx, edx
		sub	eax, edi
		inc	edx
		add	eax, 4
		shr	eax, 2
		cmp	ecx, edi
		sbb	edi, edi
		not	edi
		and	edi, eax
		cmp	edi, edx
		jb	short loc_8FB913
		mov	esi, [ebp+var_8]
		mov	ebx, edx

loc_8FB98B:				; CODE XREF: MiMapLockedPagesInUserSpace+B31ADj
		mov	eax, [esi]
		mov	ecx, eax
		mov	[ebp+arg_4], eax
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jz	short loc_8FB9AC
		imul	ecx, [ebp+arg_4], 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiDoubleUnlockMdlPage@4 ; MiDoubleUnlockMdlPage(x)
		jmp	short loc_8FB9B9
; 

loc_8FB9AC:				; CODE XREF: MiMapLockedPagesInUserSpace+B3187j
		mov	edx, [ebp+arg_4]
		xor	ecx, ecx
		push	1
		inc	ecx
		call	MiDereferenceIoPages

loc_8FB9B9:				; CODE XREF: MiMapLockedPagesInUserSpace+B3198j
		add	esi, 4
		inc	ebx
		cmp	ebx, edi
		jbe	short loc_8FB98B
		jmp	loc_8FB90D
; END OF FUNCTION CHUNK	FOR MiMapLockedPagesInUserSpace
; 
; START	OF FUNCTION CHUNK FOR EtwpCreateUmReplyObject

loc_8FB9C6:				; CODE XREF: EtwpCreateUmReplyObject+48j
		mov	ebx, 0C0000017h
		jmp	loc_848B90
; 

loc_8FB9D0:				; CODE XREF: EtwpCreateUmReplyObject+E4j
		test	al, 4
		jnz	loc_848B54
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_848B54
; 

loc_8FB9E4:				; CODE XREF: EtwpCreateUmReplyObject+82j
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_848B90
; END OF FUNCTION CHUNK	FOR EtwpCreateUmReplyObject
; 
; START	OF FUNCTION CHUNK FOR EtwpReceiveReplyDataBlock

loc_8FB9F0:				; CODE XREF: EtwpReceiveReplyDataBlock+5Cj
		mov	esi, 0C0000008h
		jmp	loc_848C61
; END OF FUNCTION CHUNK	FOR EtwpReceiveReplyDataBlock
; 
; START	OF FUNCTION CHUNK FOR EtwpQueueReply

loc_8FB9FA:				; CODE XREF: EtwpQueueReply+37j
		mov	ebx, 0C0000017h
		lock inc dword ptr [esi+28h]
		mov	ecx, [ebp+var_4]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+8], eax
		dec	eax
		jnz	loc_848D71
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_848D71
; END OF FUNCTION CHUNK	FOR EtwpQueueReply
; 
; START	OF FUNCTION CHUNK FOR EtwpRealtimeSaveState

loc_8FBA22:				; CODE XREF: EtwpRealtimeSaveState+40j
		cmp	[ebx+110h], edi
		jz	loc_8FBADE
		mov	ecx, [ebx+148h]
		test	ecx, ecx
		jz	loc_8FBADE
		mov	eax, [ebx+128h]
		lea	esi, [ebx+150h]
		lea	edi, [ebp+var_40]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+var_28], eax
		mov	eax, [ebx+12Ch]
		mov	[ebp+var_24], eax
		mov	eax, [ebx+120h]
		mov	[ebp+var_20], eax
		mov	eax, [ebx+124h]
		mov	[ebp+var_1C], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_2C], eax
		mov	eax, [ebx+130h]
		mov	[ebp+var_18], eax
		mov	eax, [ebx+134h]
		mov	[ebp+var_14], eax
		mov	eax, [ebx+138h]
		mov	[ebp+var_30], ecx
		mov	ecx, ebx
		mov	[ebp+var_10], eax
		mov	eax, [ebx+13Ch]
		mov	[ebp+var_C], eax
		mov	[ebp+var_50], 73466C52h
		mov	[ebp+var_48], 1
		call	EtwpQueryUsedProcessorCount
		xor	edi, edi
		mov	[ebp+var_44], eax
		push	edi
		lea	eax, [ebp+var_68]
		mov	[ebp+var_4C], edi
		push	eax
		push	48h
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	edi
		push	edi
		push	edi
		push	dword ptr [ebx+110h]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_848DDF

loc_8FBADE:				; CODE XREF: EtwpRealtimeSaveState+B2CAAj
					; EtwpRealtimeSaveState+B2CB8j
		mov	ecx, [ebx+148h]
		add	[ebx+0BCh], ecx
		mov	[ebx+148h], edi
		mov	[ebx+138h], edi
		mov	[ebx+13Ch], edi
		jmp	loc_848DC4
; END OF FUNCTION CHUNK	FOR EtwpRealtimeSaveState
; 
; START	OF FUNCTION CHUNK FOR CmUnRegisterCallback

loc_8FBB01:				; CODE XREF: CmUnRegisterCallback+5Fj
		test	[ebp+var_20], ecx
		jnz	loc_848E20
		lea	esi, [edi+8]
		lock or	[esi], ecx
		call	_CmpUnlockCallbackList@0 ; CmpUnlockCallbackList()
		jmp	short loc_8FBB2A
; END OF FUNCTION CHUNK	FOR CmUnRegisterCallback

;  S U B	R O U T	I N E 


sub_8FBB17	proc near		; CODE XREF: CmUnRegisterCallback+B2D3Ej
		push	ebx
		push	4
		lea	eax, [ebp-20h]
		push	eax
		mov	edx, esi
		mov	ecx, offset _CallbackListDeleteEvent
		call	ExBlockOnAddressPushLock
sub_8FBB17	endp

; START	OF FUNCTION CHUNK FOR CmUnRegisterCallback

loc_8FBB2A:				; CODE XREF: CmUnRegisterCallback+B2D1Fj
		mov	eax, [esi]
		mov	[ebp+var_20], eax
		cmp	eax, 80000000h
		jnz	short sub_8FBB17
		call	_CmpLockCallbackListExclusive@0	; CmpLockCallbackListExclusive()
		mov	ecx, [edi]
		mov	eax, [edi+4]
		cmp	[ecx+4], edi
		jnz	loc_848F21
		cmp	[eax], edi
		jnz	loc_848F21
		mov	[eax], ecx
		mov	[ecx+4], eax
		call	_CmpUnlockCallbackList@0 ; CmpUnlockCallbackList()
		mov	[ebp+var_24], ebx
		jmp	loc_848F11
; 

loc_8FBB63:				; CODE XREF: CmUnRegisterCallback+A3j
		mov	esi, eax

loc_8FBB65:				; CODE XREF: CmUnRegisterCallback+B2DFEj
		mov	ecx, [eax]
		mov	[ebp+var_20], ecx
		lea	ecx, [eax-8]
		mov	[ebp+var_2C], ecx
		mov	ecx, [eax+14h]
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		test	al, al
		jz	short loc_8FBBDE
		mov	eax, [ebp+var_2C]
		lea	ecx, [eax+8]
		mov	edx, [ecx]
		mov	[ebp+var_2C], edx
		mov	edx, [ecx+4]
		mov	edi, [ebp+var_2C]
		cmp	[edi+4], ecx
		mov	edi, [ebp+var_28]
		jnz	loc_848F21
		cmp	[edx], ecx
		jnz	loc_848F21
		mov	ecx, [ebp+var_2C]
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_848F21
		cmp	[ecx], eax
		jnz	loc_848F21
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	eax, [ebp+var_38]
		lea	ecx, [ebp+var_3C]
		cmp	[eax], ecx
		jnz	loc_848F21
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ebp+var_38], esi
		jmp	short loc_8FBBE2
; 

loc_8FBBDE:				; CODE XREF: CmUnRegisterCallback+B2D84j
		mov	byte ptr [ebp+arg_4+3],	1

loc_8FBBE2:				; CODE XREF: CmUnRegisterCallback+B2DE6j
		mov	edx, [ebp+var_20]
		mov	eax, edx
		lea	ecx, [edi+28h]
		cmp	edx, ecx
		jz	loc_848E9F
		mov	esi, edx
		jmp	loc_8FBB65
; 

loc_8FBBF9:				; CODE XREF: CmUnRegisterCallback+B6j
		mov	eax, [esi]
		lea	ecx, [ebp+var_3C]
		cmp	[esi+4], ecx
		jnz	loc_848F21
		cmp	[eax+4], esi
		jnz	loc_848F21
		mov	[ebp+var_3C], eax
		mov	[eax+4], ecx
		add	esi, 0FFFFFFF8h
		mov	[ebp+var_2C], esi
		mov	eax, [esi+1Ch]
		mov	[ebp+var_48], eax
		mov	eax, [esi+20h]
		mov	[ebp+var_44], eax
		mov	[ebp+ms_exc.disabled], ebx
		lea	eax, [ebp+var_48]
		push	eax
		push	28h
		push	dword ptr [edi+18h]
		call	dword ptr [edi+1Ch]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_8FBC53
; END OF FUNCTION CHUNK	FOR CmUnRegisterCallback

;  S U B	R O U T	I N E 


sub_8FBC40	proc near		; DATA XREF: .text:006A46BCo
		xor	eax, eax
		inc	eax
		retn
sub_8FBC40	endp


;  S U B	R O U T	I N E 


sub_8FBC44	proc near		; DATA XREF: .text:006A46C0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, [ebp-28h]
sub_8FBC44	endp

; START	OF FUNCTION CHUNK FOR CmUnRegisterCallback

loc_8FBC53:				; CODE XREF: CmUnRegisterCallback+B2E48j
		mov	esi, [ebp+var_2C]
		mov	ecx, [esi+1Ch]
		call	ObfDereferenceObject
		push	63634D43h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_848EA4
; 

loc_8FBC6E:				; CODE XREF: CmUnRegisterCallback+C0j
		lea	eax, [edi+28h]
		mov	[ebp+var_2C], eax
		mov	edi, eax

loc_8FBC76:				; CODE XREF: CmUnRegisterCallback+B2EB0j
		call	_CmpLockContextListExclusive@0 ; CmpLockContextListExclusive()
		mov	esi, [edi]
		mov	[ebp+var_34], esi
		call	_CmpUnlockContextList@0	; CmpUnlockContextList()
		cmp	esi, [ebp+var_30]
		jz	short loc_8FBC9F
		push	ebx
		push	4
		lea	eax, [ebp+var_34]
		push	eax
		mov	edx, edi
		mov	ecx, offset _CallbackListDeleteEvent
		call	ExBlockOnAddressPushLock
		jmp	short loc_8FBCA2
; 

loc_8FBC9F:				; CODE XREF: CmUnRegisterCallback+B2E92j
		mov	byte ptr [ebp+arg_4+3],	bl

loc_8FBCA2:				; CODE XREF: CmUnRegisterCallback+B2EA7j
		cmp	byte ptr [ebp+arg_4+3],	0
		jnz	short loc_8FBC76
		mov	edi, [ebp+var_28]
		jmp	loc_848EBC
; END OF FUNCTION CHUNK	FOR CmUnRegisterCallback

;  S U B	R O U T	I N E 


sub_8FBCB0	proc near		; DATA XREF: .text:006A46DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8FBCB0	endp


;  S U B	R O U T	I N E 


sub_8FBCBE	proc near		; DATA XREF: .text:006A46E0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_848FE4
sub_8FBCBE	endp


;  S U B	R O U T	I N E 


sub_8FBCD0	proc near		; DATA XREF: .text:006A46E8o
		xor	eax, eax
		inc	eax
		retn
sub_8FBCD0	endp


;  S U B	R O U T	I N E 


sub_8FBCD4	proc near		; DATA XREF: .text:006A46ECo
		mov	esp, [ebp-18h]
		jmp	loc_848FDB
sub_8FBCD4	endp

; 
; START	OF FUNCTION CHUNK FOR MiUnmapLockedPagesInUserSpace

loc_8FBCDC:				; CODE XREF: MiUnmapLockedPagesInUserSpace+61j
		push	0
		push	esi
		push	edi
		push	1402h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8FBCEC:				; CODE XREF: MiUnmapLockedPagesInUserSpace+74j
		mov	eax, [ebp+var_C]
		test	byte ptr [eax+0FCh], 20h
		jnz	loc_8490C8
		mov	eax, [esi+10h]
		mov	edx, ebx
		sub	eax, [esi+0Ch]
		mov	ecx, esi
		push	0
		inc	eax
		push	55h
		shl	eax, 0Ch
		push	eax
		call	MiCheckSecuredVad
		test	eax, eax
		jns	loc_8490C8
		mov	edx, [esi+10h]
		lea	edi, [ebp+var_28]
		push	6
		pop	ecx
		xor	eax, eax
		shl	edx, 0Ch
		rep stosd
		lea	eax, [ebp+var_28]
		or	edx, 0FFFh
		push	eax
		push	40h
		mov	ecx, ebx
		call	_MiDeleteVirtualAddresses@16 ; MiDeleteVirtualAddresses(x,x,x,x)
		jmp	loc_8490DA
; END OF FUNCTION CHUNK	FOR MiUnmapLockedPagesInUserSpace
; 
; START	OF FUNCTION CHUNK FOR NtAcquireProcessActivityReference

loc_8FBD44:				; CODE XREF: NtAcquireProcessActivityReference+34j
		mov	ecx, eax
		jmp	loc_849162
; END OF FUNCTION CHUNK	FOR NtAcquireProcessActivityReference

;  S U B	R O U T	I N E 


sub_8FBD4B	proc near		; DATA XREF: .text:006A4704o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8FBD4B	endp


;  S U B	R O U T	I N E 


sub_8FBD59	proc near		; DATA XREF: .text:006A4708o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_8491E4
sub_8FBD59	endp

; 
; START	OF FUNCTION CHUNK FOR NtAcquireProcessActivityReference

loc_8FBD6B:				; CODE XREF: NtAcquireProcessActivityReference+49j
		mov	eax, 0C00000F1h
		jmp	loc_8491E4
; END OF FUNCTION CHUNK	FOR NtAcquireProcessActivityReference

;  S U B	R O U T	I N E 


sub_8FBD75	proc near		; DATA XREF: .text:006A4710o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_8FBD75	endp


;  S U B	R O U T	I N E 


sub_8FBD85	proc near		; DATA XREF: .text:006A4714o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-2Ch]
		jmp	loc_8491CE
sub_8FBD85	endp

; 
; START	OF FUNCTION CHUNK FOR NtAcquireProcessActivityReference

loc_8FBD90:				; CODE XREF: NtAcquireProcessActivityReference+91j
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	loc_8491D5
; END OF FUNCTION CHUNK	FOR NtAcquireProcessActivityReference
; 
; START	OF FUNCTION CHUNK FOR PsRemoveCreateThreadNotifyRoutine

loc_8FBD9D:				; CODE XREF: PsRemoveCreateThreadNotifyRoutine+8Ej
		mov	ecx, [ebp+var_4]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, 0C000007Ah
		jmp	loc_849314
; END OF FUNCTION CHUNK	FOR PsRemoveCreateThreadNotifyRoutine

;  S U B	R O U T	I N E 


sub_8FBDAF	proc near		; CODE XREF: MmInSwapVirtualAddresses+51j
		push	ebx
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	[ebp-88h], eax
		xor	ecx, ecx
		push	4
		pop	edx
		lea	eax, [ebp-88h]
		mov	[ebp-68h], ecx
		mov	[ebp-6Ch], eax
		lea	eax, [ebp-80h]
		mov	[ebp-5Ch], eax
		lea	eax, [ebp-6Ch]
		push	eax
		push	2
		push	ecx
		push	offset _KERNEL_MEM_EVENT_WS_INSWAP_START
		push	esi
		push	edi
		mov	[ebp-64h], edx
		mov	[ebp-60h], ecx
		mov	[ebp-58h], ecx
		mov	[ebp-54h], edx
		mov	[ebp-50h], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_84941D
sub_8FBDAF	endp


;  S U B	R O U T	I N E 


sub_8FBDF9	proc near		; CODE XREF: MmInSwapVirtualAddresses+9Aj
		push	ebx
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	[ebp-84h], eax
		xor	ecx, ecx
		push	4
		pop	edx
		lea	eax, [ebp-84h]
		mov	[ebp-68h], ecx
		mov	[ebp-6Ch], eax
		lea	eax, [ebp-70h]
		mov	[ebp-5Ch], eax
		lea	eax, [ebp-6Ch]
		push	eax
		push	2
		push	ecx
		push	offset _KERNEL_MEM_EVENT_WS_INSWAP_STOP
		push	esi
		push	edi
		mov	[ebp-64h], edx
		mov	[ebp-60h], ecx
		mov	[ebp-58h], ecx
		mov	[ebp-54h], edx
		mov	[ebp-50h], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_849466
sub_8FBDF9	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpAddReplyIndex

loc_8FBE43:				; CODE XREF: EtwpAddReplyIndex+1Bj
		inc	esi
		add	edi, 4
		cmp	esi, 4
		jb	loc_84948B
		jmp	loc_8494A1
; END OF FUNCTION CHUNK	FOR EtwpAddReplyIndex
; 
; START	OF FUNCTION CHUNK FOR PsRemoveLoadImageNotifyRoutine

loc_8FBE55:				; CODE XREF: PsRemoveLoadImageNotifyRoutine+39j
					; PsRemoveLoadImageNotifyRoutine+4Bj
		mov	edx, esi
		mov	ecx, edi
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)

loc_8FBE5E:				; CODE XREF: PsRemoveLoadImageNotifyRoutine+2Dj
		inc	ebx
		add	edi, 4
		cmp	ebx, 40h
		jb	loc_8494CE
		mov	ecx, [ebp+var_4]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, 0C000007Ah
		jmp	loc_84952B
; END OF FUNCTION CHUNK	FOR PsRemoveLoadImageNotifyRoutine
; 
; START	OF FUNCTION CHUNK FOR MmBackSystemImageWithPagefile

loc_8FBE7D:				; CODE XREF: MmBackSystemImageWithPagefile+13j
		push	0
		push	0
		push	esi
		push	1239h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8FBE8F:				; CODE XREF: MiBackSystemImageWithPagefile+33j
					; MiBackSystemImageWithPagefile+43j
		mov	eax, 0C0000141h
		jmp	loc_8496EC
; END OF FUNCTION CHUNK	FOR MmBackSystemImageWithPagefile
; 
; START	OF FUNCTION CHUNK FOR MiReleaseDriverPtes

loc_8FBE99:				; CODE XREF: MiReleaseDriverPtes+B3j
		mov	eax, [ebp+arg_0]
		push	0
		shl	eax, 0Ch
		push	eax
		push	[ebp+var_10]
		push	2103h
		jmp	short loc_8FBEBD
; 

loc_8FBEAC:				; CODE XREF: MiReleaseDriverPtes+3Dj
					; MiReleaseDriverPtes+79j
		mov	eax, [ebp+arg_0]
		push	0
		shl	eax, 0Ch
		push	eax
		push	[ebp+var_10]
		push	2102h

loc_8FBEBD:				; CODE XREF: MiReleaseDriverPtes+B2746j
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_8FBEC5:				; CODE XREF: MiReserveDriverPtes+AAj
		push	40h
		pop	eax
		jmp	loc_849963
; END OF FUNCTION CHUNK	FOR MiReleaseDriverPtes
; 
; START	OF FUNCTION CHUNK FOR MiReserveDriverPtes

loc_8FBECD:				; CODE XREF: MiReserveDriverPtes+116j
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_14]
		push	edi
		push	[ebp+var_C]
		lea	edx, [edx+ecx*8]
		mov	ecx, [ebp+var_18]
		shl	edx, 9
		call	_MiReturnSystemVa@16 ; MiReturnSystemVa(x,x,x,x)

loc_8FBEE5:				; CODE XREF: MiReserveDriverPtes+EBj
		mov	ecx, [ebp+var_4]
		call	MiUnlockDriverMappings
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		jmp	loc_849911
; END OF FUNCTION CHUNK	FOR MiReserveDriverPtes
; 
; START	OF FUNCTION CHUNK FOR IopOpenRegistryKey

loc_8FBEFB:				; CODE XREF: IopOpenRegistryKey+2Fj
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		push	esi
		push	esi
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+arg_4]
		push	ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		jmp	loc_849AB6
; END OF FUNCTION CHUNK	FOR IopOpenRegistryKey
; 
; START	OF FUNCTION CHUNK FOR MiUseLargeDriverPage

loc_8FBF15:				; CODE XREF: MiUseLargeDriverPage+30j
		push	1
		lea	eax, [esi+8]
		push	eax
		push	edi
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_849C0C
		mov	esi, [esi]
		jmp	loc_849BFE
; END OF FUNCTION CHUNK	FOR MiUseLargeDriverPage
; 
; START	OF FUNCTION CHUNK FOR MiFreeInitializationCode

loc_8FBF30:				; CODE XREF: MiFreeInitializationCode+CAj
					; MiFreeInitializationCode+D6j
		sub	dword_6D361C, esi
		jmp	loc_849D61
; END OF FUNCTION CHUNK	FOR MiFreeInitializationCode
; 
; START	OF FUNCTION CHUNK FOR MiSnapDriverRange

loc_8FBF3B:				; CODE XREF: MiSnapDriverRange+6Aj
		mov	esi, eax
		mov	[ebp+var_38], eax
		jmp	loc_849EB2
; 

loc_8FBF45:				; CODE XREF: MiSnapDriverRange+F2j
		mov	esi, [edi+24h]
		and	esi, 20000000h
		jmp	loc_849F65
; 

loc_8FBF53:				; CODE XREF: MiSnapDriverRange+FAj
		cmp	byte ptr [edi],	50h
		jnz	loc_849F6C
		cmp	byte ptr [edi+1], 41h
		jnz	loc_849F6C
		cmp	byte ptr [edi+2], 47h
		jnz	loc_849F6C
		cmp	byte ptr [edi+3], 45h
		jnz	loc_849F6C
		cmp	byte ptr [edi+4], 4Bh
		jnz	loc_849F6C
		cmp	byte ptr [edi+5], 44h
		jnz	loc_849F6C
		jmp	loc_849F92
; 

loc_8FBF93:				; CODE XREF: MiSnapDriverRange+17Cj
		test	byte ptr [ebp+arg_0], 0Ch
		jz	loc_849FC4
		cmp	esi, 1000h
		jb	loc_849FCA
		jmp	loc_849FC4
; 

loc_8FBFAE:				; CODE XREF: MiSnapDriverRange+1F2j
		mov	ecx, eax
		jmp	loc_84A03A
; END OF FUNCTION CHUNK	FOR MiSnapDriverRange
; 
; START	OF FUNCTION CHUNK FOR MiGetSystemAddressForImage

loc_8FBFB5:				; CODE XREF: MiGetSystemAddressForImage+10Fj
		push	ecx
		push	ecx
		call	_xKdGetAcpiTablePhase0@8 ; xKdGetAcpiTablePhase0(x,x)
		test	eax, eax
		jns	loc_84A24F
		jmp	loc_84A33E
; 

loc_8FBFC9:				; CODE XREF: MiGetSystemAddressForImage+15Ej
		lea	eax, [ebp+var_B0]
		push	eax
		push	3
		pop	edx
		mov	ecx, [ebp+var_B8]
		call	MiMapImageInSystemSpace
		mov	[ebp+var_C4], eax
		test	eax, eax
		js	loc_84A33E
		mov	esi, [ebp+var_B0]
		push	esi
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	edx, eax
		mov	ecx, [esi+3Ch]
		add	ecx, 34h
		mov	[ebp+var_B4], ecx
		mov	[ebp+ms_exc.disabled], ebx
		mov	ax, [edx+18h]
		mov	[ebp+var_64], ax
		mov	eax, [edx+3Ch]
		mov	[ebp+var_84], eax
		mov	eax, [edx+38h]
		mov	[ebp+var_80], eax
		mov	eax, [edx+50h]
		mov	[ebp+var_7C], eax
		mov	ecx, [edx+70h]
		mov	[ebp+var_78], ecx
		mov	eax, [edx+34h]
		mov	[ebp+var_88], eax
		mov	eax, [edx+54h]
		mov	[ebp+var_74], eax
		mov	eax, [edx+28h]
		mov	[ebp+var_70], eax
		mov	eax, [edx+60h]
		mov	[ebp+var_6C], eax
		mov	eax, [edx+64h]
		mov	[ebp+var_68], eax
		mov	ax, [edx+5Ch]
		mov	[ebp+var_62], ax
		mov	ax, [edx+48h]
		mov	[ebp+var_60], ax
		mov	ax, [edx+4Ah]
		mov	[ebp+var_5E], ax
		mov	ax, [edx+40h]
		mov	[ebp+var_5C], ax
		mov	ax, [edx+42h]
		mov	[ebp+var_5A], ax
		mov	ax, [edx+5Eh]
		mov	[ebp+var_58], ax
		mov	eax, [edx+58h]
		mov	[ebp+var_54], eax
		mov	eax, [edx+1Ch]
		mov	[ebp+var_50], eax
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	eax, [edx+74h]
		cmp	eax, 6
		jbe	short loc_8FC0B0
		mov	esi, [edx+0A8h]
		test	esi, esi
		jz	short loc_8FC0B0
		mov	[ebp+var_2C], esi
		mov	eax, [edx+0ACh]
		mov	[ebp+var_28], eax
		mov	eax, [edx+74h]

loc_8FC0B0:				; CODE XREF: MiGetSystemAddressForImage+B1F5Bj
					; MiGetSystemAddressForImage+B1F65j
		cmp	eax, 0Ch
		jbe	short loc_8FC0CA
		mov	eax, [edx+0D8h]
		mov	[ebp+var_4C], eax
		mov	eax, [edx+0DCh]
		mov	[ebp+var_48], eax
		mov	eax, [edx+74h]

loc_8FC0CA:				; CODE XREF: MiGetSystemAddressForImage+B1F79j
		cmp	eax, 0Eh
		jbe	short loc_8FC0F8
		mov	eax, [edx+0E8h]
		mov	[ebp+var_44], eax
		mov	eax, [edx+0ECh]
		mov	[ebp+var_40], eax
		cmp	[edx+0E8h], ebx
		jz	short loc_8FC0FE
		cmp	[edx+0ECh], ebx
		jz	short loc_8FC0FE
		or	ecx, edi
		mov	[ebp+var_78], ecx
		jmp	short loc_8FC0FE
; 

loc_8FC0F8:				; CODE XREF: MiGetSystemAddressForImage+B1F93j
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx

loc_8FC0FE:				; CODE XREF: MiGetSystemAddressForImage+B1FADj
					; MiGetSystemAddressForImage+B1FB5j ...
		cmp	dword ptr [edx+74h], 5
		jbe	short loc_8FC118
		mov	eax, [edx+0A0h]
		mov	[ebp+var_3C], eax
		mov	eax, [edx+0A4h]
		mov	[ebp+var_38], eax
		jmp	short loc_8FC11E
; 

loc_8FC118:				; CODE XREF: MiGetSystemAddressForImage+B1FC8j
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx

loc_8FC11E:				; CODE XREF: MiGetSystemAddressForImage+B1FDCj
		cmp	dword ptr [edx+74h], 0Ah
		jbe	short loc_8FC138
		mov	eax, [edx+0C8h]
		mov	[ebp+var_34], eax
		mov	eax, [edx+0CCh]
		mov	[ebp+var_30], eax
		jmp	short loc_8FC13E
; 

loc_8FC138:				; CODE XREF: MiGetSystemAddressForImage+B1FE8j
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx

loc_8FC13E:				; CODE XREF: MiGetSystemAddressForImage+B1FFCj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_C4]
		jmp	short loc_8FC163
; END OF FUNCTION CHUNK	FOR MiGetSystemAddressForImage

;  S U B	R O U T	I N E 


sub_8FC14D	proc near		; DATA XREF: .text:006A478Co
		xor	eax, eax
		inc	eax
		retn
sub_8FC14D	endp


;  S U B	R O U T	I N E 


sub_8FC151	proc near		; DATA XREF: .text:006A4790o
		mov	esp, [ebp-18h]
		mov	esi, 0C0000001h
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edi, edi
		inc	edi
sub_8FC151	endp

; START	OF FUNCTION CHUNK FOR MiGetSystemAddressForImage

loc_8FC163:				; CODE XREF: MiGetSystemAddressForImage+B2011j
		lea	ecx, [ebp+var_B0]
		call	MiUnmapImageInSystemSpace
		test	esi, esi
		js	loc_84A33E
		push	edi
		push	0FFFFFFFFh
		push	[ebp+var_BC]
		push	[ebp+var_B4]
		lea	edx, [ebp+var_88]
		mov	ebx, [ebp+var_B8]
		mov	ecx, [ebx]
		call	MiRelocateImage
		test	eax, eax
		js	loc_84A33E
		lea	edx, [ebp+var_C0]
		mov	ecx, ebx
		call	_MiImageSuitableForSystem@8 ; MiImageSuitableForSystem(x,x)
		cmp	[ebp+var_C0], 0
		jnz	loc_84A29E
		test	dword ptr [ebx+1Ch], 40000000h
		jz	loc_84A33E
		jmp	loc_84A29E
; 

loc_8FC1CC:				; CODE XREF: MiGetSystemAddressForImage+189j
		push	ecx
		push	ecx
		call	_xKdGetAcpiTablePhase0@8 ; xKdGetAcpiTablePhase0(x,x)
		test	eax, eax
		js	short loc_8FC1E5
		jmp	loc_84A2C9
; 

loc_8FC1DC:				; CODE XREF: MiGetSystemAddressForImage+B20C4j
		mov	edx, edi
		mov	ecx, esi
		call	MiFreePrivateFixupEntryForSystemImage

loc_8FC1E5:				; CODE XREF: MiGetSystemAddressForImage+1A0j
					; MiGetSystemAddressForImage+B209Bj ...
		mov	edx, [ebp+var_C8]
		shl	edx, 0Ch
		mov	ecx, esi
		call	_MiReturnSystemImageAddress@8 ;	MiReturnSystemImageAddress(x,x)
		jmp	loc_84A33E
; 

loc_8FC1FA:				; CODE XREF: MiGetSystemAddressForImage+1F0j
		cmp	ebx, edi
		jnz	short loc_8FC1E5
		jmp	short loc_8FC1DC
; END OF FUNCTION CHUNK	FOR MiGetSystemAddressForImage
; 
; START	OF FUNCTION CHUNK FOR MiConstructLoaderEntry

loc_8FC200:				; CODE XREF: MiConstructLoaderEntry+58j
		mov	edi, 0C000009Ah
		jmp	short loc_8FC22E
; 

loc_8FC207:				; CODE XREF: MiConstructLoaderEntry+BDj
		mov	edi, 0C0000130h
		jmp	short loc_8FC21A
; 

loc_8FC20E:				; CODE XREF: MiConstructLoaderEntry+115j
					; MiConstructLoaderEntry+136j ...
		mov	edi, 0C000007Bh
		jmp	short loc_8FC21A
; 

loc_8FC215:				; CODE XREF: MiConstructLoaderEntry+164j
					; MiConstructLoaderEntry+1A8j
		mov	edi, 0C000009Ah

loc_8FC21A:				; CODE XREF: MiConstructLoaderEntry+B1EC6j
					; MiConstructLoaderEntry+B1ECDj
		push	esi
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jz	short loc_8FC22E
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FC22E:				; CODE XREF: MiConstructLoaderEntry+B1EBFj
					; MiConstructLoaderEntry+B1EDFj
		mov	eax, edi
		jmp	loc_84A6C9
; END OF FUNCTION CHUNK	FOR MiConstructLoaderEntry
; 
; START	OF FUNCTION CHUNK FOR ExCovAddInfoToLoaderEntry

loc_8FC235:				; CODE XREF: ExCovAddInfoToLoaderEntry+2Aj
		mov	ecx, [ebp+var_8]
		push	esi		; char
		push	offset ??_C@_0DM@MMGIBEFD@COV?3?5Stored?5coverage?5section?5in@NNGAKEGL@ ; char	*
		push	2		; int
		push	7Eh		; int
		mov	[esi+44h], ecx
		mov	[esi+48h], eax
		call	_DbgPrintEx
		add	esp, 10h
		cmp	[esi+48h], edi
		jz	loc_84A932
		xor	eax, eax
		mov	[ebp+var_C], edi
		mov	[ebp+var_10], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpCovPushLock
		call	@ExfAcquirePushLockExclusive@4 ; ExfAcquirePushLockExclusive(x)
		mov	ebx, _ExpCovUnloadedModuleList
		cmp	ebx, offset _ExpCovUnloadedModuleList
		jz	loc_8FC37A

loc_8FC28B:				; CODE XREF: ExCovAddInfoToLoaderEntry+B19DAj
		lea	ecx, [ebp+var_10]
		mov	edi, ebx
		lea	eax, [esi+24h]
		push	ecx
		mov	ecx, [esi+48h]
		mov	edx, eax
		call	_ExpCovReadFriendlyName@12 ; ExpCovReadFriendlyName(x,x,x)
		test	eax, eax
		js	short loc_8FC2C5
		push	1
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebx+10h]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jnz	short loc_8FC2C5
		cmp	[ebp+var_C], eax
		jz	short loc_8FC2DE
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	short loc_8FC2DE
; 

loc_8FC2C5:				; CODE XREF: ExCovAddInfoToLoaderEntry+B199Ej
					; ExCovAddInfoToLoaderEntry+B19B1j
		cmp	[ebp+var_C], 0
		jz	short loc_8FC2D4
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_8FC2D4:				; CODE XREF: ExCovAddInfoToLoaderEntry+B19C7j
		mov	ebx, [ebx]
		cmp	ebx, offset _ExpCovUnloadedModuleList
		jnz	short loc_8FC28B

loc_8FC2DE:				; CODE XREF: ExCovAddInfoToLoaderEntry+B19B6j
					; ExCovAddInfoToLoaderEntry+B19C1j
		test	edi, edi
		jz	loc_8FC37A
		cmp	ebx, offset _ExpCovUnloadedModuleList
		jz	loc_8FC37A
		mov	ebx, [esi+48h]
		mov	ecx, [edi+1Ch]
		mov	[ebp+var_8], ecx
		mov	eax, [ebx+4]
		cmp	eax, [ecx+4]
		jnz	short loc_8FC35E
		mov	eax, [ebx+18h]
		cmp	eax, [ecx+18h]
		jnz	short loc_8FC35E
		mov	eax, [ebx+1Ch]
		cmp	eax, [ecx+1Ch]
		jnz	short loc_8FC35E
		push	10h		; Length
		lea	eax, [ecx+8]
		push	eax		; Source2
		lea	eax, [ebx+8]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		setnz	al
		dec	al
		and	al, 1
		lea	eax, [edi+8]
		jz	short loc_8FC361
		push	eax		; char
		push	offset ??_C@_0CJ@HJBHOMNE@COV?3?5Entry?5for?5same?5versioned?5?$CF@NNGAKEGL@ ; char *
		push	2		; int
		push	7Eh		; int
		call	_DbgPrintEx
		mov	eax, [ebp+var_8]
		push	dword ptr [ebx+1Ch] ; size_t
		mov	edx, [ebx+20h]
		add	edx, [esi+48h]
		mov	eax, [eax+20h]
		add	eax, [edi+1Ch]
		push	eax		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 1Ch
		jmp	short loc_8FC373
; 

loc_8FC35E:				; CODE XREF: ExCovAddInfoToLoaderEntry+B19FFj
					; ExCovAddInfoToLoaderEntry+B1A07j ...
		lea	eax, [edi+8]

loc_8FC361:				; CODE XREF: ExCovAddInfoToLoaderEntry+B1A2Dj
		push	eax		; char
		push	offset ??_C@_0CO@HLOHHDKP@COV?3?5Entry?5for?5different?5versio@NNGAKEGL@ ; char	*
		push	2		; int
		push	7Eh		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_8FC373:				; CODE XREF: ExCovAddInfoToLoaderEntry+B1A5Aj
		mov	ecx, edi
		call	_ExpCovDeleteUnloadedModuleEntry@4 ; ExpCovDeleteUnloadedModuleEntry(x)

loc_8FC37A:				; CODE XREF: ExCovAddInfoToLoaderEntry+B1983j
					; ExCovAddInfoToLoaderEntry+B19DEj ...
		mov	ecx, offset _ExpCovPushLock
		call	@ExfReleasePushLock@4 ;	ExfReleasePushLock(x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_84A932
; END OF FUNCTION CHUNK	FOR ExCovAddInfoToLoaderEntry
; 
; START	OF FUNCTION CHUNK FOR ExpCovGetSectionInfo

loc_8FC38E:				; CODE XREF: ExpCovGetSectionInfo+36j
		imul	edi, ecx, 28h
		mov	ecx, [eax+50h]
		add	ecx, esi
		add	edi, ebx
		mov	edx, [edi+24h]
		mov	ebx, [edi+20h]
		add	edx, esi
		lea	eax, [ebx+edx]
		cmp	eax, ecx
		ja	short loc_8FC3DD
		cmp	dword ptr [edi+28h], 0
		jz	short loc_8FC3DD
		cmp	ebx, 28h
		jb	short loc_8FC3DD
		cmp	dword ptr [edx], 0DEC001C0h
		jnz	short loc_8FC3DD
		mov	eax, [edx+18h]
		cmp	eax, ebx
		jnz	short loc_8FC3DD
		mov	ecx, [edx+1Ch]
		add	ecx, 28h
		cmp	eax, ecx
		jbe	short loc_8FC3DD
		test	byte ptr [edx+20h], 7
		jnz	short loc_8FC3DD
		mov	ecx, [ebp+var_4]
		mov	[ecx], eax
		mov	eax, edx
		jmp	loc_84A97E
; 

loc_8FC3DD:				; CODE XREF: ExpCovGetSectionInfo+B1A6Dj
					; ExpCovGetSectionInfo+B1A73j ...
		push	esi		; char
		push	offset ??_C@_0DD@CDEHOJBL@COV?3?5Malformed?5coverage?5section@NNGAKEGL@	; char *
		push	0		; int
		push	7Eh		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	loc_84A97C
; END OF FUNCTION CHUNK	FOR ExpCovGetSectionInfo
; 
; START	OF FUNCTION CHUNK FOR MiLockdownSections

loc_8FC3F4:				; CODE XREF: MiLockdownSections+20j
		cmp	[ecx+3Ch], esi
		jz	short loc_8FC403
		test	byte ptr [ebx+14h], 2
		jz	loc_84A9AA

loc_8FC403:				; CODE XREF: MiLockdownSections+B1A73j
		push	2
		pop	esi
		jmp	loc_84A9AA
; 

loc_8FC40B:				; CODE XREF: MiLockdownSections+82j
		mov	edx, 7265h
		cmp	[edi-20h], dx
		jnz	loc_84AA0C
		xor	eax, eax
		inc	eax
		jmp	loc_84AA0C
; 

loc_8FC422:				; CODE XREF: MiLockdownSections+92j
		mov	ecx, [edi-14h]
		mov	eax, [edi-1Ch]
		cmp	ecx, eax
		jnb	short loc_8FC42E
		mov	ecx, eax

loc_8FC42E:				; CODE XREF: MiLockdownSections+B1AA6j
		mov	edx, [edi-18h]
		add	ecx, 0FFFh
		lea	eax, [edx+ebx]
		shr	edx, 0Ch
		add	ecx, eax
		and	ecx, 0FFFFF000h
		sub	ecx, eax
		shr	ecx, 0Ch
		push	ecx
		push	edx
		push	[ebp+var_10]
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	ecx, [ebp+var_4]
		jmp	loc_84AA1C
; END OF FUNCTION CHUNK	FOR MiLockdownSections

;  S U B	R O U T	I N E 


sub_8FC45C	proc near		; DATA XREF: .text:006A47ACo
		xor	eax, eax
		inc	eax
		retn
sub_8FC45C	endp


;  S U B	R O U T	I N E 


sub_8FC460	proc near		; DATA XREF: .text:006A47B0o
		mov	esp, [ebp-18h]
		jmp	loc_84AAEF
sub_8FC460	endp

; 
; START	OF FUNCTION CHUNK FOR MiResolveImageReferences

loc_8FC468:				; CODE XREF: MiResolveImageReferences+37Bj
		mov	ecx, edi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jz	short loc_8FC484
		mov	ecx, edi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jnz	loc_84AEBD

loc_8FC484:				; CODE XREF: MiResolveImageReferences+B193Ej
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, [ebp+var_14]
		lea	ecx, [ebp+var_48]
		or	eax, 1
		push	eax
		call	_MiLoadImportDll@20 ; MiLoadImportDll(x,x,x,x,x)
		mov	esi, eax
		jmp	loc_84AEB5
; 

loc_8FC4A5:				; CODE XREF: MiResolveImageReferences+3DAj
		cmp	byte ptr [ebp+var_1], 0
		jz	loc_8FC551
		mov	ecx, [ebp+arg_0]
		jmp	loc_84AF16
; 

loc_8FC4B7:				; CODE XREF: MiResolveImageReferences+419j
		cmp	esi, 0C0000018h
		jnz	loc_84AEBD
		mov	ecx, edi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 1
		jz	short loc_8FC4DF
		mov	ecx, edi
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, 0Bh
		jnz	loc_84AEBD

loc_8FC4DF:				; CODE XREF: MiResolveImageReferences+B1999j
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_C]
		or	ebx, 1
		push	eax
		push	ebx
		lea	ecx, [ebp+var_48]
		call	_MiLoadImportDll@20 ; MiLoadImportDll(x,x,x,x,x)
		mov	esi, eax
		jmp	loc_84AEBD
; 

loc_8FC4FD:				; CODE XREF: MiResolveImageReferences+E4j
					; MiResolveImageReferences+2CAj ...
		mov	esi, 0C000009Ah

loc_8FC502:				; CODE XREF: MiResolveImageReferences+92j
					; MiResolveImageReferences+DAj	...
		mov	eax, [ebp+var_8]

loc_8FC505:				; CODE XREF: MiResolveImageReferences+B1A2Fj
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_34]
		push	esi
		push	eax
		call	_MiLogFailedDriverLoad@16 ; MiLogFailedDriverLoad(x,x,x,x)
		cmp	[ebp+var_2], 0
		jz	short loc_8FC522
		push	0
		push	[ebp+var_4C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FC522:				; CODE XREF: MiResolveImageReferences+B19E2j
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ebx, [ebp+var_1C]
		test	ebx, ebx
		jz	short loc_8FC54A
		mov	eax, [ebp+var_28]
		cmp	eax, [ebx]
		jz	short loc_8FC53B
		mov	[ebx], eax

loc_8FC53B:				; CODE XREF: MiResolveImageReferences+B1A03j
		mov	ecx, ebx
		call	MiDereferenceImports
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FC54A:				; CODE XREF: MiResolveImageReferences+B19FCj
		mov	eax, esi
		jmp	loc_84AD9A
; 

loc_8FC551:				; CODE XREF: MiResolveImageReferences+B1975j
		mov	esi, 0C0000034h
		jmp	short loc_8FC502
; 

loc_8FC558:				; CODE XREF: MiResolveImageReferences+1F8j
		mov	ecx, [ebp+var_10]
		mov	edx, edi
		push	ebx
		call	_MiSnapUnresolvedImport@12 ; MiSnapUnresolvedImport(x,x,x)
		jmp	short loc_8FC505
; END OF FUNCTION CHUNK	FOR MiResolveImageReferences
; 
; START	OF FUNCTION CHUNK FOR MiSnapThunk

loc_8FC565:				; CODE XREF: MiSnapThunk+78j
		mov	[ebp+arg_0], ecx
		jmp	loc_84B036
; 

loc_8FC56D:				; CODE XREF: MiSnapThunk+BAj
		mov	eax, 0C0000262h
		jmp	loc_84B02C
; 

loc_8FC577:				; CODE XREF: MiSnapThunk+3Aj
					; MiSnapThunk+E8j ...
		mov	eax, 0C0000263h
		jmp	loc_84B02C
; END OF FUNCTION CHUNK	FOR MiSnapThunk
; 
; START	OF FUNCTION CHUNK FOR PsQueryCurrentApiSetSchema

loc_8FC581:				; CODE XREF: PsQueryCurrentApiSetSchema+12j
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+25Ch]
		leave
		retn
; END OF FUNCTION CHUNK	FOR PsQueryCurrentApiSetSchema
; 
; START	OF FUNCTION CHUNK FOR MiMapSystemImage

loc_8FC58E:				; CODE XREF: MiMapSystemImage+AFj
		mov	edx, eax
		mov	ecx, edi
		call	MiCreatePerSessionProtos
		test	eax, eax
		js	loc_84B379
		jmp	loc_84B3B3
; 

loc_8FC5A4:				; CODE XREF: MiMapSystemImage+E1j
		test	dword ptr [edi+1Ch], 4000000h
		jz	short loc_8FC5B7
		mov	edx, dword ptr [ebp+arg_4]
		mov	ecx, edi
		call	_MiDereferencePerSessionProtos@8 ; MiDereferencePerSessionProtos(x,x)

loc_8FC5B7:				; CODE XREF: MiMapSystemImage+B12ADj
		mov	eax, 0C0000017h
		jmp	loc_84B379
; 

loc_8FC5C1:				; CODE XREF: MiMapSystemImage+65j
		cmp	[ebp+var_8], esi
		jnz	short loc_8FC5D2
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		call	_MiChargeSystemImageCommitment@8 ; MiChargeSystemImageCommitment(x,x)
		jmp	short loc_8FC5E5
; 

loc_8FC5D2:				; CODE XREF: MiMapSystemImage+B12C6j
		test	dword ptr [edi+1Ch], 4000000h
		jz	short loc_8FC5E5
		mov	edx, dword ptr [ebp+arg_4]
		mov	ecx, edi
		call	_MiDereferencePerSessionProtos@8 ; MiDereferencePerSessionProtos(x,x)

loc_8FC5E5:				; CODE XREF: MiMapSystemImage+B12D2j
					; MiMapSystemImage+B12DBj
		mov	edx, [ebp+var_4]
		mov	ecx, edx
		call	_MiGetSystemRegionType@4 ; MiGetSystemRegionType(x)
		cmp	eax, esi
		jz	short loc_8FC5F8
		cmp	eax, 0Bh
		jnz	short loc_8FC606

loc_8FC5F8:				; CODE XREF: MiMapSystemImage+B12F3j
		mov	eax, [edi]
		cmp	edx, [eax+18h]
		jz	short loc_8FC606
		mov	ecx, edi
		call	MiDeleteSessionDriverProtos

loc_8FC606:				; CODE XREF: MiMapSystemImage+B12F8j
					; MiMapSystemImage+B12FFj
		mov	eax, [ebp+var_10]
		jmp	loc_84B379
; END OF FUNCTION CHUNK	FOR MiMapSystemImage
; 
; START	OF FUNCTION CHUNK FOR MiResolveImageImports

loc_8FC60E:				; CODE XREF: MiResolveImageImports+57j
		mov	edx, esi
		mov	ecx, offset ??_C@_0O@GIMHGJOJ@UnwritableIAT@NNGAKEGL@
		call	_MiLogStrongCodeDriverLoadFailure@8 ; MiLogStrongCodeDriverLoadFailure(x,x)
		mov	dword_6CF4F4, 0C0h
		jmp	short loc_8FC63C
; 

loc_8FC626:				; CODE XREF: MiResolveImageImports+B12ADj
		mov	edx, esi
		mov	ecx, offset ??_C@_0BK@CNBJDBMN@UnwritableImportDirectory@NNGAKEGL@
		call	_MiLogStrongCodeDriverLoadFailure@8 ; MiLogStrongCodeDriverLoadFailure(x,x)
		mov	dword_6CF4F4, 0C1h

loc_8FC63C:				; CODE XREF: MiResolveImageImports+B1238j
		mov	eax, 0C000007Bh
		jmp	loc_84B4A2
; 

loc_8FC646:				; CODE XREF: MiResolveImageImports+38j
					; MiResolveImageImports+43j
		and	[ebp+var_10], edi
		lea	eax, [ebp+var_14]
		push	eax
		push	1
		push	1
		push	[ebp+var_C]
		xor	ebx, ebx
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8FC6AF
		mov	eax, ebx

loc_8FC663:				; CODE XREF: MiResolveImageImports+B12B9j
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_8FC6A7
		mov	ebx, [ebp+var_C]
		mov	edx, [edi+10h]
		add	edx, ebx
		lea	eax, [ecx+ebx]
		xor	ecx, ecx
		xor	ebx, ebx
		cmp	[eax], ecx
		jz	short loc_8FC687

loc_8FC67C:				; CODE XREF: MiResolveImageImports+B1299j
		lea	eax, [eax+4]
		inc	ecx
		cmp	dword ptr [eax], 0
		mov	ebx, ecx
		jnz	short loc_8FC67C

loc_8FC687:				; CODE XREF: MiResolveImageImports+B128Ej
		shl	ebx, 2
		mov	ecx, esi
		push	4
		push	ebx
		mov	[ebp+var_8], ebx
		call	_MiSetImageProtection@16 ; MiSetImageProtection(x,x,x,x)
		test	eax, eax
		jz	short loc_8FC626
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax
		add	edi, 14h
		jnz	short loc_8FC663

loc_8FC6A7:				; CODE XREF: MiResolveImageImports+B127Bj
		test	eax, eax
		jnz	loc_84B450

loc_8FC6AF:				; CODE XREF: MiResolveImageImports+B1273j
		xor	eax, eax
		jmp	loc_84B4A2
; 

loc_8FC6B6:				; CODE XREF: MiResolveImageImports+91j
		imul	eax, [ebp+var_4], var_14
		add	edi, eax
		jz	loc_84B492

loc_8FC6C2:				; CODE XREF: MiResolveImageImports+B1311j
		mov	eax, [edi]
		test	eax, eax
		jz	loc_84B492
		add	eax, [ebp+var_C]
		xor	ecx, ecx
		mov	edx, [edi+10h]
		xor	ebx, ebx
		add	edx, [ebp+var_C]
		cmp	[eax], ecx
		jz	short loc_8FC6E8

loc_8FC6DD:				; CODE XREF: MiResolveImageImports+B12FAj
		lea	eax, [eax+4]
		inc	ecx
		cmp	dword ptr [eax], 0
		mov	ebx, ecx
		jnz	short loc_8FC6DD

loc_8FC6E8:				; CODE XREF: MiResolveImageImports+B12EFj
		mov	eax, ebx
		mov	ecx, esi
		shl	eax, 2
		push	100h
		push	eax
		call	_MiSetImageProtection@16 ; MiSetImageProtection(x,x,x,x)
		add	edi, 14h
		jnz	short loc_8FC6C2
		jmp	loc_84B492
; END OF FUNCTION CHUNK	FOR MiResolveImageImports
; 
; START	OF FUNCTION CHUNK FOR LdrImageDirectoryEntryToLoadConfig

loc_8FC704:				; CODE XREF: LdrImageDirectoryEntryToLoadConfig+3Bj
		mov	eax, ds:_MmUserProbeAddress
		lea	ecx, [edx+4]
		cmp	ecx, eax
		ja	short loc_8FC718
		cmp	ecx, edx
		jnb	loc_84B60F

loc_8FC718:				; CODE XREF: LdrImageDirectoryEntryToLoadConfig+B1140j
		mov	[eax], bl
		jmp	loc_84B60F
; END OF FUNCTION CHUNK	FOR LdrImageDirectoryEntryToLoadConfig
; 
; START	OF FUNCTION CHUNK FOR MiHandleDriverNonPagedSections

loc_8FC71F:				; CODE XREF: MiHandleDriverNonPagedSections+FEj
		cmp	edi, eax
		jz	loc_84B709
		mov	edx, [ebp+var_4]
		push	ecx
		mov	ecx, edi
		call	_MiUnlockCodePage@12 ; MiUnlockCodePage(x,x,x)
		jmp	loc_84B75D
; 

loc_8FC737:				; CODE XREF: MiHandleDriverNonPagedSections+12Fj
					; MiHandleDriverNonPagedSections+B111Cj
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_8]
		push	8
		call	MiSnapDriverRange
		mov	ecx, [ebp+var_C]
		mov	esi, eax
		test	ecx, ecx
		jz	short loc_8FC75E
		mov	edx, [ebp+var_4]
		push	ecx
		call	_MiUnlockCodePage@12 ; MiUnlockCodePage(x,x,x)

loc_8FC75E:				; CODE XREF: MiHandleDriverNonPagedSections+B110Fj
		test	esi, esi
		jnz	short loc_8FC737
		jmp	loc_84B77D
; 

loc_8FC767:				; CODE XREF: MiHandleDriverNonPagedSections+A4j
		cmp	eax, [ebp+var_C]
		jb	loc_84B6EE
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		push	[ebp+var_4]
		call	RtlFindNextForwardRunClear
		test	eax, eax
		jz	short loc_8FC786
		mov	edx, [ebp+var_8]
		jmp	short loc_8FC78B
; 

loc_8FC786:				; CODE XREF: MiHandleDriverNonPagedSections+B113Bj
		mov	eax, [ebp+var_4]
		mov	edx, [eax]

loc_8FC78B:				; CODE XREF: MiHandleDriverNonPagedSections+B1140j
		mov	eax, [ebp+var_1C]
		sub	edx, eax
		lea	ecx, [edx+eax]
		shl	eax, 0Ch
		add	eax, [ebp+var_24]
		mov	[ebp+var_C], ecx
		mov	ecx, eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], esi
		lea	eax, [eax+edx*8]
		add	eax, 0FFFFFFF8h
		mov	[ebp+var_18], eax
		jmp	loc_84B6F5
; 

loc_8FC7B7:				; CODE XREF: MiHandleDriverNonPagedSections+BFj
		cmp	[ebp+arg_0], 1
		jnz	short loc_8FC7E7
		mov	edx, [ebp+var_10]
		mov	ecx, ebx
		push	edi
		push	[ebp+var_18]
		call	_MiLockCode@16	; MiLockCode(x,x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		lea	eax, [ebx+5Ch]
		jns	loc_84B6B6
		mov	eax, [ebp+var_10]
		mov	[ebp+arg_0], esi
		mov	[ebp+var_20], eax
		jmp	loc_84B6B0
; 

loc_8FC7E7:				; CODE XREF: MiHandleDriverNonPagedSections+B1177j
		mov	eax, [ebp+var_10]
		cmp	eax, [ebp+var_20]
		jz	loc_84B709
		mov	edx, [ebp+var_18]
		push	ecx
		mov	ecx, eax
		call	_MiUnlockCodePage@12 ; MiUnlockCodePage(x,x,x)
		jmp	loc_84B6B3
; END OF FUNCTION CHUNK	FOR MiHandleDriverNonPagedSections
; 
; START	OF FUNCTION CHUNK FOR MiDriverLoadSucceeded

loc_8FC803:				; CODE XREF: MiDriverLoadSucceeded+D3j
					; MiDriverLoadSucceeded+EDj
		push	dword ptr [ebp+arg_8] ;	char
		push	(offset	loc_8BBE35+1) ;	wchar_t	*
		push	100h		; int
		push	esi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		jmp	loc_84B8AC
; END OF FUNCTION CHUNK	FOR MiDriverLoadSucceeded
; 
; START	OF FUNCTION CHUNK FOR MiObtainSectionForDriver

loc_8FC81E:				; CODE XREF: MiObtainSectionForDriver+A8j
		mov	edi, 0C0000018h
		jmp	short loc_8FC82A
; 

loc_8FC825:				; CODE XREF: MiObtainSectionForDriver+B6j
		mov	edi, 0C000009Ah

loc_8FC82A:				; CODE XREF: MiObtainSectionForDriver+B08DDj
		push	esi
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)
		mov	eax, edi
		jmp	loc_84C009
; END OF FUNCTION CHUNK	FOR MiObtainSectionForDriver
; 
; START	OF FUNCTION CHUNK FOR MiGenerateSystemImageNames

loc_8FC837:				; CODE XREF: MiGenerateSystemImageNames+35j
		mov	eax, 0C00000EFh
		jmp	loc_84C0E4
; 

loc_8FC841:				; CODE XREF: MiGenerateSystemImageNames+1Aj
		mov	esi, [ebp+arg_4]
		mov	[esi], ax
		mov	ecx, [edx+4]
		jmp	loc_84C09F
; END OF FUNCTION CHUNK	FOR MiGenerateSystemImageNames
; 
; START	OF FUNCTION CHUNK FOR KseShimDriverIoCallbacks

loc_8FC84F:				; CODE XREF: KseShimDriverIoCallbacks+85j
		mov	ecx, 80h
		call	_KsepPoolAllocateNonPaged@4 ; KsepPoolAllocateNonPaged(x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_8FC869
		mov	esi, 0C0000017h
		jmp	loc_84C21D
; 

loc_8FC869:				; CODE XREF: KseShimDriverIoCallbacks+B06CBj
		mov	eax, [edi+2Ch]
		test	eax, eax
		jz	short loc_8FC884
		cmp	[ebp+var_94], 0
		jz	short loc_8FC884
		mov	[ecx], eax
		mov	eax, [ebp+var_94]
		mov	[edi+2Ch], eax

loc_8FC884:				; CODE XREF: KseShimDriverIoCallbacks+B06DCj
					; KseShimDriverIoCallbacks+B06E5j
		mov	eax, [edi+30h]
		test	eax, eax
		jz	short loc_8FC8A0
		cmp	[ebp+var_90], 0
		jz	short loc_8FC8A0
		mov	[ecx+4], eax
		mov	eax, [ebp+var_90]
		mov	[edi+30h], eax

loc_8FC8A0:				; CODE XREF: KseShimDriverIoCallbacks+B06F7j
					; KseShimDriverIoCallbacks+B0700j
		mov	eax, [edi+34h]
		test	eax, eax
		jz	short loc_8FC8BC
		cmp	[ebp+var_8C], 0
		jz	short loc_8FC8BC
		mov	[ecx+8], eax
		mov	eax, [ebp+var_8C]
		mov	[edi+34h], eax

loc_8FC8BC:				; CODE XREF: KseShimDriverIoCallbacks+B0713j
					; KseShimDriverIoCallbacks+B071Cj
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_8FC8D8
		cmp	[ebp+var_88], 0
		jz	short loc_8FC8D8
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+var_88]
		mov	[ebx+4], eax

loc_8FC8D8:				; CODE XREF: KseShimDriverIoCallbacks+B072Fj
					; KseShimDriverIoCallbacks+B0738j
		xor	edx, edx
		lea	esi, [ecx+10h]
		add	edi, 38h

loc_8FC8E0:				; CODE XREF: KseShimDriverIoCallbacks+B077Aj
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_8FC902
		cmp	eax, offset _IopInvalidDeviceRequest@8 ; IopInvalidDeviceRequest(x,x)
		jz	short loc_8FC902
		cmp	[ebp+edx*4+var_84], 0
		jz	short loc_8FC902
		mov	[esi], eax
		mov	eax, [ebp+edx*4+var_84]
		mov	[edi], eax

loc_8FC902:				; CODE XREF: KseShimDriverIoCallbacks+B0752j
					; KseShimDriverIoCallbacks+B0759j ...
		inc	edx
		add	esi, 4
		add	edi, 4
		cmp	edx, 1Bh
		jbe	short loc_8FC8E0
		xor	eax, eax
		mov	[ebx+1Ch], ecx
		xor	esi, esi
		inc	eax
		lock xadd _KsepHistoryMessagesIndex, eax
		inc	eax
		and	eax, 3Fh
		mov	edi, offset ??_C@_0CJ@IOKAEDJA@KSE?3?5Hooked?5callbacks?5for?5drive@NNGAKEGL@
		push	8
		pop	ecx
		and	dword_6C7244[eax*8], esi
		test	_KsepDebugFlag,	1
		mov	word_6C7242[eax*8], cx
		mov	ecx, 106h
		mov	_KsepHistoryMessages[eax*8], cx
		jz	short loc_8FC95D
		push	dword ptr [ebp+var_8] ;	char
		push	edi		; char *
		push	9		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_8FC95D:				; CODE XREF: KseShimDriverIoCallbacks+B07BBj
		push	dword ptr [ebp+var_8]
		push	edi
		push	9
		call	_KsepLogInfo
		add	esp, 0Ch
		jmp	loc_84C224
; 

loc_8FC970:				; CODE XREF: KseShimDriverIoCallbacks+DDj
		push	esi		; char *
		push	0		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx
		jmp	loc_84C275
; END OF FUNCTION CHUNK	FOR KseShimDriverIoCallbacks
; 
; START	OF FUNCTION CHUNK FOR KsepGetShimCallbacksForDriver

loc_8FC97F:				; CODE XREF: KsepGetShimCallbacksForDriver+1Dj
		mov	eax, edi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		mov	word_6C7022[eax*8], cx
		mov	ecx, 303h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	loc_84C2A9
		push	esi
		push	ecx
		push	offset ??_C@_0CB@IMKMNFAK@minkernel?2ntos?2kshim?2kseloader?4@NNGAKEGL@
		push	(offset	loc_8BB71B+1)
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		mov	edx, [ebp+var_4]
		jmp	loc_84C2A9
; 

loc_8FC9D3:				; CODE XREF: KsepGetShimCallbacksForDriver+44j
		mov	eax, [ebp+var_10]
		mov	edx, [eax+0Ch]
		mov	ecx, [eax+10h]
		mov	[ebp+var_10], edx
		test	edx, edx
		jz	loc_8FCCB8
		lea	eax, [ecx+30h]
		mov	[ebp+var_18], eax

loc_8FC9ED:				; CODE XREF: KsepGetShimCallbacksForDriver+B0A2Cj
		mov	eax, [eax]
		test	byte ptr [eax+10h], 4
		jnz	loc_8FCCA3
		mov	ebx, [eax+8]
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		jnz	short loc_8FCA51
		mov	eax, edi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		push	7
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 338h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_8FCA51
		push	esi
		push	ecx
		push	offset ??_C@_0CB@IMKMNFAK@minkernel?2ntos?2kshim?2kseloader?4@NNGAKEGL@
		push	(offset	loc_8BB707+1)
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		mov	edx, [ebp+var_10]

loc_8FCA51:				; CODE XREF: KsepGetShimCallbacksForDriver+B077Bj
					; KsepGetShimCallbacksForDriver+B07B5j
		mov	ecx, [ebx+18h]
		mov	eax, esi
		mov	[ebp+var_8], eax
		cmp	dword ptr [ecx], 4
		jz	loc_8FCCA3
		mov	ebx, esi
		mov	[ebp+var_C], esi

loc_8FCA67:				; CODE XREF: KsepGetShimCallbacksForDriver+B0A14j
		cmp	dword ptr [ebx+ecx], 3
		mov	edx, ecx
		jnz	loc_8FCC8A
		mov	eax, [ebx+ecx+8]
		mov	[ebp+var_14], esi
		cmp	dword ptr [eax], 2
		jz	loc_8FCC87
		mov	eax, esi

loc_8FCA85:				; CODE XREF: KsepGetShimCallbacksForDriver+B09FBj
		mov	ebx, [ebx+ecx+8]
		add	ebx, eax
		mov	edx, [ebx+4]
		mov	eax, edx
		sub	eax, 1
		jz	loc_8FCBF6
		sub	eax, 1
		jz	loc_8FCBC6
		sub	eax, 1
		jz	loc_8FCB93
		sub	eax, 1
		jz	loc_8FCB5D
		lea	eax, [edx-64h]
		cmp	eax, 1Bh
		ja	short loc_8FCAFA
		mov	ecx, [ebp+var_4]
		cmp	[ecx+edx*4-180h], esi
		jz	short loc_8FCAEB
		mov	eax, edi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		push	7
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 393h
		jmp	loc_8FCC1B
; 

loc_8FCAEB:				; CODE XREF: KsepGetShimCallbacksForDriver+B0840j
		mov	eax, [ebx+8]
		mov	[ecx+edx*4-180h], eax
		jmp	loc_8FCC5A
; 

loc_8FCAFA:				; CODE XREF: KsepGetShimCallbacksForDriver+B0834j
		mov	eax, edi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	2
		push	7
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 3A0h
		mov	dword_6C7024[eax*8], 0C000000Dh
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_8FCB46
		push	dword ptr [ebx+4] ; char
		push	offset ??_C@_0CM@PNBGCPNA@KSE?3?5Invalid?5callback?5code?5enco@NNGAKEGL@ ; char	*
		push	9		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_8FCB46:				; CODE XREF: KsepGetShimCallbacksForDriver+B08ACj
		push	dword ptr [ebx+4] ; char
		push	offset ??_C@_0CM@PNBGCPNA@KSE?3?5Invalid?5callback?5code?5enco@NNGAKEGL@ ; char	*
		push	9		; int
		call	_KsepLogError
		add	esp, 0Ch
		jmp	loc_8FCC5A
; 

loc_8FCB5D:				; CODE XREF: KsepGetShimCallbacksForDriver+B0828j
		mov	ecx, [ebp+var_4]
		cmp	[ecx+0Ch], esi
		jz	short loc_8FCB88
		mov	eax, edi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		push	7
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 381h
		jmp	loc_8FCC1B
; 

loc_8FCB88:				; CODE XREF: KsepGetShimCallbacksForDriver+B08DDj
		mov	eax, [ebx+8]
		mov	[ecx+0Ch], eax
		jmp	loc_8FCC5A
; 

loc_8FCB93:				; CODE XREF: KsepGetShimCallbacksForDriver+B081Fj
		mov	ecx, [ebp+var_4]
		cmp	[ecx+8], esi
		jz	short loc_8FCBBB
		mov	eax, edi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		push	7
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 372h
		jmp	short loc_8FCC1B
; 

loc_8FCBBB:				; CODE XREF: KsepGetShimCallbacksForDriver+B0913j
		mov	eax, [ebx+8]
		mov	[ecx+8], eax
		jmp	loc_8FCC5A
; 

loc_8FCBC6:				; CODE XREF: KsepGetShimCallbacksForDriver+B0816j
		mov	ecx, [ebp+var_4]
		cmp	[ecx+4], esi
		jz	short loc_8FCBEE
		mov	eax, edi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		push	7
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 363h
		jmp	short loc_8FCC1B
; 

loc_8FCBEE:				; CODE XREF: KsepGetShimCallbacksForDriver+B0946j
		mov	eax, [ebx+8]
		mov	[ecx+4], eax
		jmp	short loc_8FCC5A
; 

loc_8FCBF6:				; CODE XREF: KsepGetShimCallbacksForDriver+B080Dj
		mov	ecx, [ebp+var_4]
		cmp	[ecx], esi
		jz	short loc_8FCC55
		mov	eax, edi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		push	7
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 354h

loc_8FCC1B:				; CODE XREF: KsepGetShimCallbacksForDriver+B0860j
					; KsepGetShimCallbacksForDriver+B08FDj	...
		test	_KsepDebugFlag,	2
		mov	_KsepHistoryErrors[eax*8], cx
		mov	dword_6C7024[eax*8], 0C0000001h
		jz	short loc_8FCC45
		push	(offset	loc_8BB7CE+4) ;	char *
		push	9		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_8FCC45:				; CODE XREF: KsepGetShimCallbacksForDriver+B09AFj
		push	(offset	loc_8BB7CE+4) ;	char *
		push	9		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx
		jmp	short loc_8FCC5A
; 

loc_8FCC55:				; CODE XREF: KsepGetShimCallbacksForDriver+B0975j
		mov	eax, [ebx+8]
		mov	[ecx], eax

loc_8FCC5A:				; CODE XREF: KsepGetShimCallbacksForDriver+B086Fj
					; KsepGetShimCallbacksForDriver+B08D2j	...
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_1C]
		inc	eax
		mov	ebx, eax
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_C]
		shl	ebx, 4
		mov	edx, [ecx+18h]
		mov	ecx, edx
		mov	[ebp+var_20], ebx
		mov	eax, [eax+edx+8]
		cmp	dword ptr [ebx+eax], 2
		mov	eax, ebx
		mov	ebx, [ebp+var_C]
		jnz	loc_8FCA85

loc_8FCC87:				; CODE XREF: KsepGetShimCallbacksForDriver+B07F7j
		mov	eax, [ebp+var_8]

loc_8FCC8A:				; CODE XREF: KsepGetShimCallbacksForDriver+B07E7j
		inc	eax
		mov	ecx, edx
		imul	ebx, eax, 0Ch
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ebx
		cmp	dword ptr [ebx+edx], 4
		jnz	loc_8FCA67
		mov	edx, [ebp+var_10]

loc_8FCCA3:				; CODE XREF: KsepGetShimCallbacksForDriver+B076Dj
					; KsepGetShimCallbacksForDriver+B07D6j
		mov	eax, [ebp+var_18]
		add	eax, 34h
		sub	edx, 1
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], edx
		jnz	loc_8FC9ED

loc_8FCCB8:				; CODE XREF: KsepGetShimCallbacksForDriver+B075Bj
		lock xadd _KsepHistoryMessagesIndex, edi
		inc	edi
		and	edi, 3Fh
		test	_KsepDebugFlag,	1
		push	7
		pop	eax
		mov	word_6C7242[edi*8], ax
		mov	eax, 3B4h
		mov	dword_6C7244[edi*8], esi
		mov	_KsepHistoryMessages[edi*8], ax
		mov	edi, offset ??_C@_0CB@KONNGALH@KSE?3?5GetShimCallbacks?5succeeded@NNGAKEGL@
		jz	short loc_8FCCFB
		push	edi		; char *
		push	9		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_8FCCFB:				; CODE XREF: KsepGetShimCallbacksForDriver+B0A69j
		push	edi
		push	9
		call	_KsepLogInfo
		pop	ecx
		pop	ecx
		jmp	loc_84C2D5
; END OF FUNCTION CHUNK	FOR KsepGetShimCallbacksForDriver
; 
; START	OF FUNCTION CHUNK FOR PnpPrepareDriverLoading

loc_8FCD0A:				; CODE XREF: PnpPrepareDriverLoading+37j
		mov	eax, 0C0000001h
		jmp	loc_84C364
; END OF FUNCTION CHUNK	FOR PnpPrepareDriverLoading
; 
; START	OF FUNCTION CHUNK FOR PpCheckInDriverDatabase

loc_8FCD14:				; CODE XREF: PpCheckInDriverDatabase+3Fj
		mov	eax, ds:_PiLoggedErrorEventsMask
		test	al, 8
		jnz	loc_84C452
		or	eax, 8
		mov	[ebp+var_10], edi
		mov	ds:_PiLoggedErrorEventsMask, eax
		lea	eax, [ebp+var_10]
		push	offset ??_C@_1DC@BHKKHEJ@?$AAB?$AAU?$AAI?$AAL?$AAD?$AA?5?$AAD?$AAR?$AAI?$AAV?$AAE?$AAR?$AA?5?$AAP?$AAA@NNGAKEGL@
		push	eax
		mov	[ebp+var_C], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi		; size_t
		push	edi		; void *
		push	0C000036Dh	; int
		xor	edx, edx
		lea	ecx, [ebp+var_10]
		call	_PnpLogEvent@20	; PnpLogEvent(x,x,x,x,x)
		jmp	loc_84C452
; 

loc_8FCD53:				; CODE XREF: PpCheckInDriverDatabase+B8j
					; PpCheckInDriverDatabase+C0j
		test	byte_6CD8BA, 2
		jz	loc_84C468
		push	[ebp+arg_C]
		push	ecx
		call	_McTemplateK0j_EtwWriteTransfer@16 ; McTemplateK0j_EtwWriteTransfer(x,x,x,x)
		jmp	loc_84C468
; END OF FUNCTION CHUNK	FOR PpCheckInDriverDatabase
; 
; START	OF FUNCTION CHUNK FOR PiLookupInDDBCache

loc_8FCD6E:				; CODE XREF: PiLookupInDDBCache+60j
		mov	ecx, [esi+4]
		jmp	loc_84C4E7
; 

loc_8FCD76:				; CODE XREF: PiLookupInDDBCache+1D3j
					; PiLookupInDDBCache+229j
		mov	esi, 80000005h
		jmp	loc_84C71C
; 

loc_8FCD80:				; CODE XREF: PiLookupInDDBCache+24Aj
		mov	esi, 0C000009Ah
		jmp	loc_84C71C
; END OF FUNCTION CHUNK	FOR PiLookupInDDBCache
; 
; START	OF FUNCTION CHUNK FOR IopLoadDriver

loc_8FCD8A:				; CODE XREF: IopLoadDriver+8Aj
		cmp	eax, 80000005h
		jz	loc_84C840
		mov	ebx, 0C0000160h
		jmp	loc_84CD6E
; 

loc_8FCD9F:				; CODE XREF: IopLoadDriver+A7j
		mov	ebx, 0C0000095h
		jmp	loc_84CD6E
; 

loc_8FCDA9:				; CODE XREF: IopLoadDriver+C5j
		mov	ebx, 0C000009Ah
		jmp	loc_84CD6E
; 

loc_8FCDB3:				; CODE XREF: IopLoadDriver+5ADj
		push	offset ??_C@_1M@LHGLMLD@?$AAG?$AAr?$AAo?$AAu?$AAp@NNGAKEGL@
		lea	eax, [ebp+var_98]
		mov	[ebp+var_98], esi
		push	eax
		mov	[ebp+var_94], esi
		mov	[ebp+var_84], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4Ch		; size_t
		lea	eax, [ebp+var_58]
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	edi, [ebp+var_64]
		lea	eax, [ebp+var_84]
		add	esp, 0Ch
		push	eax		; int
		push	4Ch		; int
		lea	eax, [ebp+var_58]
		push	eax		; int
		push	ebx		; size_t
		lea	eax, [ebp+var_98]
		push	eax		; int
		push	edi		; int
		call	NtQueryValueKey
		test	eax, eax
		js	short loc_8FCE39
		mov	eax, [ebp+var_50]
		lea	ecx, [ebp+var_98]
		add	eax, 0FFFFFFFEh
		xor	edx, edx
		mov	word ptr [ebp+var_98], ax
		mov	word ptr [ebp+var_98+2], ax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_94], eax
		call	_IopSafebootDriverLoad@8 ; IopSafebootDriverLoad(x,x)
		test	al, al
		jnz	loc_84C930

loc_8FCE39:				; CODE XREF: IopLoadDriver+B0655j
		xor	edx, edx
		lea	ecx, [ebp+var_60]
		call	_IopSafebootDriverLoad@8 ; IopSafebootDriverLoad(x,x)
		test	al, al
		jnz	loc_84C930
		xor	dl, dl
		lea	ecx, [ebp+var_60]
		call	IopBootLog
		lea	eax, [ebp+var_98]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		push	offset ??_C@_0CG@KIBIFHIL@SAFEBOOT?3?5skipping?5device?5?$DN?5?$CFwZ@NNGAKEGL@
		call	_DbgPrint
		add	esp, 0Ch
		xor	edx, edx
		mov	ecx, ebx
		call	HeadlessKernelAddLogEntry
		push	esi
		push	edi
		call	ObCloseHandle
		mov	eax, 0C000035Fh
		jmp	loc_84CD42
; 

loc_8FCE87:				; CODE XREF: IopLoadDriver+192j
		mov	[ebp+var_5C], esi
		jmp	loc_84CCC0
; 

loc_8FCE8F:				; CODE XREF: IopLoadDriver+630j
		mov	ecx, offset _IopDriverLoadResource
		call	ExReleaseResourceLite
		xor	dl, dl
		lea	ecx, [ebp+var_60]
		call	IopBootLog
		cmp	ebx, 0C0000034h
		jnz	loc_84CCC0
		mov	ebx, 0C000038Eh
		jmp	loc_84CCC0
; 

loc_8FCEB9:				; CODE XREF: IopLoadDriver+24Dj
					; IopLoadDriver+287j
		push	[ebp+var_8C]
		call	MmUnloadSystemImage
		jmp	loc_84CE2A
; 

loc_8FCEC9:				; CODE XREF: IopLoadDriver+378j
		push	edi
		push	[ebp+var_90]
		push	eax
		push	[ebp+var_74]
		push	11Fh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8FCEDE:				; CODE XREF: IopLoadDriver+3E5j
		push	esi
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	esi, [ebp+var_68]
		mov	ebx, 0C000009Ah
		jmp	loc_84CD6E
; 

loc_8FCEF8:				; CODE XREF: IopLoadDriver+402j
		push	esi
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)
		mov	ecx, esi
		call	ObfDereferenceObject
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_84CCC0
; 

loc_8FCF12:				; CODE XREF: IopLoadDriver+458j
		or	dword ptr [esi+8], 100h
		jmp	loc_84CC0E
; 

loc_8FCF1E:				; CODE XREF: IopLoadDriver+4BEj
		mov	dword ptr [eax], offset	_IopInvalidDeviceRequest@8 ; IopInvalidDeviceRequest(x,x)
		jmp	loc_84CC74
; 

loc_8FCF29:				; CODE XREF: IopLoadDriver+11Aj
		and	[ebp+var_5C], 0
		mov	ebx, 0C000009Ah
		jmp	loc_84CCC0
; 

loc_8FCF37:				; CODE XREF: IopLoadDriver+1A6j
		mov	esi, [ebp+var_68]
		jmp	loc_84CD62
; 

loc_8FCF3F:				; CODE XREF: IopLoadDriver+5FCj
		lea	eax, [ebp+var_A0]
		mov	edx, (offset loc_8B8729+1)
		push	eax
		push	0
		mov	ecx, edi
		call	IopGetRegistryValue
		test	eax, eax
		js	loc_84CCE2
		mov	edi, [ebp+var_A0]
		cmp	dword ptr [edi+0Ch], 0
		jz	short loc_8FCF94
		mov	ecx, [edi+8]
		lea	edx, [ebp+var_60]
		mov	eax, [ebp+var_5C]
		add	ecx, edi
		neg	eax
		lea	edi, [ebp+var_7C]
		push	ebx
		sbb	eax, eax
		mov	ecx, [ecx]
		and	eax, edx
		mov	edx, [ebp+var_78]
		neg	edx
		push	eax
		sbb	edx, edx
		and	edx, edi
		call	_CmBootLastKnownGood@16	; CmBootLastKnownGood(x,x,x,x)
		mov	edi, [ebp+var_A0]

loc_8FCF94:				; CODE XREF: IopLoadDriver+B07B6j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_84CCDF
; END OF FUNCTION CHUNK	FOR IopLoadDriver
; 
; START	OF FUNCTION CHUNK FOR IopQueryRegistryKeySystemPath

loc_8FCFA1:				; CODE XREF: IopQueryRegistryKeySystemPath+9Ej
		mov	esi, 0C000009Ah
		jmp	loc_84D011
; 

loc_8FCFAB:				; CODE XREF: IopQueryRegistryKeySystemPath+14Ej
		movzx	eax, di
		add	eax, 20h
		cmp	eax, 0FFFFh
		jbe	short loc_8FCFC2
		mov	esi, 80000005h
		jmp	loc_84D009
; 

loc_8FCFC2:				; CODE XREF: IopQueryRegistryKeySystemPath+B0156j
		xor	ecx, ecx
		movzx	edx, ax
		mov	word ptr [ebp+var_18], cx
		inc	ecx
		mov	word ptr [ebp+var_18+2], ax
		call	IopVerifierExAllocatePool
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_84D021
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_84D009
		and	[ebp+var_4C], 0
		lea	eax, [ebp+var_18]
		and	[ebp+var_40], 0
		and	[ebp+var_3C], 0
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_50]
		push	eax
		push	1
		lea	eax, [ebp+var_4]
		mov	[ebp+var_50], 18h
		push	eax
		mov	[ebp+var_44], 240h
		call	_ZwOpenSymbolicLinkObject@12 ; ZwOpenSymbolicLinkObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8FD072
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		movzx	ecx, word ptr [ebp+var_18]
		mov	eax, [ebp+var_14]
		shr	ecx, 1
		push	5Ch
		pop	edx
		push	2
		mov	[eax+ecx*2], dx
		mov	ax, word ptr [ebp+var_18]
		pop	ecx
		add	ax, cx
		movzx	ecx, ax
		mov	word ptr [ebp+var_18], ax
		mov	eax, [ebp+var_14]
		shr	ecx, 1
		xor	edx, edx
		mov	[eax+ecx*2], dx
		jmp	loc_84CFB4
; 

loc_8FD072:				; CODE XREF: IopQueryRegistryKeySystemPath+B01D7j
		xor	eax, eax
		mov	word ptr [ebp+var_18], ax
		jmp	loc_84CFB4
; 

loc_8FD07D:				; CODE XREF: IopQueryRegistryKeySystemPath+168j
		push	0
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_84CFCE
; 

loc_8FD08C:				; CODE XREF: IopQueryRegistryKeySystemPath+CEj
					; IopQueryRegistryKeySystemPath+E3j ...
		mov	esi, 0C00000E5h
		jmp	loc_84D009
; END OF FUNCTION CHUNK	FOR IopQueryRegistryKeySystemPath
; 
; START	OF FUNCTION CHUNK FOR IopGetDriverNameFromKeyNode

loc_8FD096:				; CODE XREF: IopGetDriverNameFromKeyNode+2Cj
		mov	esi, [ebp+var_8]
		push	2
		pop	ecx
		cmp	[esi+0Ch], ecx
		jbe	short loc_8FD0E0
		cmp	dword ptr [esi+4], 1
		jnz	short loc_8FD0E0
		mov	ax, [esi+0Ch]
		mov	edi, esi
		sub	ax, cx
		movzx	ecx, ax
		mov	[ebx], cx
		mov	ax, [esi+0Ch]
		mov	[ebx+2], ax
		mov	edx, [esi+8]
		add	edx, esi
		shr	ecx, 1
		jz	short loc_8FD0D8

loc_8FD0C7:				; CODE XREF: IopGetDriverNameFromKeyNode+B00AEj
		mov	ax, [edx]
		lea	edx, [edx+2]
		mov	[edi], ax
		lea	edi, [edi+2]
		sub	ecx, 1
		jnz	short loc_8FD0C7

loc_8FD0D8:				; CODE XREF: IopGetDriverNameFromKeyNode+B009Dj
		mov	[ebx+4], esi
		jmp	loc_84D173
; 

loc_8FD0E0:				; CODE XREF: IopGetDriverNameFromKeyNode+B0077j
					; IopGetDriverNameFromKeyNode+B007Dj
		mov	edi, 0C0000160h
		jmp	short loc_8FD141
; 

loc_8FD0E7:				; CODE XREF: IopGetDriverNameFromKeyNode+BBj
					; IopGetDriverNameFromKeyNode+C7j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [ebp+var_4]
		mov	ecx, 200h
		call	IopVerifierExAllocatePool
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_8FD13C
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		push	ebx
		push	0
		push	[ebp+var_14]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	edi, eax
		jmp	loc_84D0F5
; 

loc_8FD11B:				; CODE XREF: IopGetDriverNameFromKeyNode+CFj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_8FD141
; 

loc_8FD125:				; CODE XREF: IopGetDriverNameFromKeyNode+E6j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, 0C0000095h
		jmp	short loc_8FD141
; 

loc_8FD134:				; CODE XREF: IopGetDriverNameFromKeyNode+104j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FD13C:				; CODE XREF: IopGetDriverNameFromKeyNode+9Dj
					; IopGetDriverNameFromKeyNode+B00D8j
		mov	edi, 0C000009Ah

loc_8FD141:				; CODE XREF: IopGetDriverNameFromKeyNode+B00BDj
					; IopGetDriverNameFromKeyNode+B00FBj ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_84D175
; 

loc_8FD150:				; CODE XREF: IopGetDriverNameFromKeyNode+5Bj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FD158:				; CODE XREF: IopGetDriverNameFromKeyNode+4Ej
		mov	eax, 0C0000160h
		jmp	loc_84D175
; END OF FUNCTION CHUNK	FOR IopGetDriverNameFromKeyNode
; 
; START	OF FUNCTION CHUNK FOR IopGetRegistryValue

loc_8FD162:				; CODE XREF: IopGetRegistryValue+D7j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_84D22B
; END OF FUNCTION CHUNK	FOR IopGetRegistryValue
; 
; START	OF FUNCTION CHUNK FOR PiLookupInDDB

loc_8FD171:				; CODE XREF: PiLookupInDDB+56j
		push	[ebp+arg_4]
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	[ebp+arg_0]
		push	edi
		call	PiIsDriverBlocked
		mov	esi, eax
		jmp	loc_84D2D6
; 

loc_8FD189:				; CODE XREF: PiLookupInDDB+66j
		lea	ecx, [ebp+var_28]
		call	_PiReleaseDDB@4	; PiReleaseDDB(x)
		jmp	loc_84D2E6
; END OF FUNCTION CHUNK	FOR PiLookupInDDB
; 
; START	OF FUNCTION CHUNK FOR PiIsDriverBlocked

loc_8FD196:				; CODE XREF: PiIsDriverBlocked+4Bj
		push	4
		pop	eax
		push	ecx
		mov	[ebp+var_44], eax
		mov	edx, edi
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		push	ecx
		mov	ecx, ebx
		call	_SdbQueryDataEx@28 ; SdbQueryDataEx(x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_8FD21C
		mov	eax, [ebp+var_34]
		xor	ebx, ebx
		test	al, 10h
		jz	short loc_8FD1D3
		call	_PiIsHVCIEnabled@0 ; PiIsHVCIEnabled()
		test	al, al
		jz	short loc_8FD1F2
		mov	ebx, 0C000036Bh
		jmp	short loc_8FD1F2
; 

loc_8FD1D3:				; CODE XREF: PiIsDriverBlocked+AFE8Dj
		test	al, 4
		jz	short loc_8FD1E2
		push	9
		call	_ExIsProcessorFeaturePresent@4 ; ExIsProcessorFeaturePresent(x)
		test	al, al
		jz	short loc_8FD1F2

loc_8FD1E2:				; CODE XREF: PiIsDriverBlocked+AFEA1j
		test	byte ptr [ebp+var_34], 1
		push	0
		pop	ebx
		setnz	bl
		add	ebx, 0C000036Bh

loc_8FD1F2:				; CODE XREF: PiIsDriverBlocked+AFE96j
					; PiIsDriverBlocked+AFE9Dj ...
		test	byte ptr [ebp+var_34], 8
		jz	short loc_8FD221
		cmp	_PnpSetupInProgress, 0
		jnz	short loc_8FD21C
		cmp	_PnpSetupOOBEInProgress, 0
		jnz	short loc_8FD21C
		cmp	_PnpSetupUpgradeInProgress, 0
		jnz	short loc_8FD21C
		cmp	_PnpSetupRollbackActiveInProgress, 0
		jz	short loc_8FD221

loc_8FD21C:				; CODE XREF: PiIsDriverBlocked+AFE84j
					; PiIsDriverBlocked+AFECBj ...
		mov	ebx, 0C000036Bh

loc_8FD221:				; CODE XREF: PiIsDriverBlocked+AFEC2j
					; PiIsDriverBlocked+AFEE6j
		mov	ecx, [ebp+var_38]
		lea	eax, [ebp+var_30]
		push	eax
		mov	edx, edi
		call	_SdbReadEntryInformation@12 ; SdbReadEntryInformation(x,x,x)
		test	eax, eax
		jnz	loc_84D387
		mov	eax, ds:_PiLoggedErrorEventsMask
		mov	ecx, 100h
		test	eax, ecx
		jnz	loc_84D387
		or	eax, ecx
		xor	edi, edi
		mov	ds:_PiLoggedErrorEventsMask, eax
		lea	eax, [ebp+var_3C]
		push	(offset	loc_8B9B3D+1)
		push	eax
		mov	[ebp+var_3C], edi
		mov	[ebp+var_38], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi		; size_t
		push	edi		; void *
		push	0C000036Dh	; int
		xor	edx, edx
		lea	ecx, [ebp+var_3C]
		call	_PnpLogEvent@20	; PnpLogEvent(x,x,x,x,x)
		jmp	loc_84D387
; 

loc_8FD27C:				; CODE XREF: PiIsDriverBlocked+5Aj
					; PiIsDriverBlocked+66j
		push	5Ch		; wchar_t
		push	dword ptr [esi+4] ; wchar_t *
		call	_wcsrchr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jnz	short loc_8FD296
		mov	edx, [ebp+var_40]
		mov	esi, [edx+4]
		jmp	short loc_8FD299
; 

loc_8FD296:				; CODE XREF: PiIsDriverBlocked+AFF58j
		add	esi, 2

loc_8FD299:				; CODE XREF: PiIsDriverBlocked+AFF60j
		and	[ebp+var_3C], 0
		lea	eax, [ebp+var_3C]
		and	[ebp+var_38], 0
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	10h		; size_t
		lea	eax, [ebp+var_30]
		xor	edx, edx
		push	eax		; void *
		push	ebx		; int
		lea	ecx, [ebp+var_3C]
		call	_PnpLogEvent@20	; PnpLogEvent(x,x,x,x,x)
		push	ebx
		push	[ebp+var_34]
		lea	edx, [ebp+var_30]
		mov	ecx, esi
		call	_PnpTraceDriverBlocked@16 ; PnpTraceDriverBlocked(x,x,x,x)
		mov	esi, [ebp+var_40]
		jmp	loc_84D3A0
; 

loc_8FD2D2:				; CODE XREF: PiIsDriverBlocked+8Ej
					; PiIsDriverBlocked+9Aj
		mov	eax, [ebp+var_50]
		test	eax, eax
		jz	loc_84D3D4
		test	byte ptr [ebp+var_34], 10h
		lea	esi, [ebp+var_30]
		mov	edi, eax
		movsd
		movsd
		movsd
		movsd
		jz	loc_84D3D4
		mov	edx, [ebp+var_40]
		mov	ecx, eax
		call	_PiNotifyCiDriverBlocked@8 ; PiNotifyCiDriverBlocked(x,x)
		jmp	loc_84D3D4
; END OF FUNCTION CHUNK	FOR PiIsDriverBlocked
; 
; START	OF FUNCTION CHUNK FOR PiUpdateDriverDBCache

loc_8FD2FF:				; CODE XREF: PiUpdateDriverDBCache+4Fj
		mov	ecx, [ebx+4]
		jmp	loc_84D440
; 

loc_8FD307:				; CODE XREF: PiUpdateDriverDBCache+A4j
		mov	eax, ds:_PiDDBCacheList
		cmp	[eax+4], edi
		jnz	loc_84D57F
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_84D57F
		mov	ds:_PiDDBCacheList, ecx
		mov	[ecx+4], edi
		jmp	loc_84D55C
; 

loc_8FD32E:				; CODE XREF: PiUpdateDriverDBCache+D0j
		mov	esi, [ebx+4]
		jmp	loc_84D4C1
; END OF FUNCTION CHUNK	FOR PiUpdateDriverDBCache
; 
; START	OF FUNCTION CHUNK FOR SdbGetDatabaseMatch

loc_8FD336:				; CODE XREF: SdbGetDatabaseMatch+11Dj
		push	eax
		push	offset ??_C@_0DH@KCAJCNBK@Failed?5to?5initialize?5file?5mappi@NNGAKEGL@
		push	15DFh
		jmp	short loc_8FD34E
; 

loc_8FD343:				; CODE XREF: SdbGetDatabaseMatch+FEj
		push	eax
		push	(offset	loc_8C32DC+2)
		push	15E7h

loc_8FD34E:				; CODE XREF: SdbGetDatabaseMatch+AFDBDj
		push	offset ??_C@_0BE@BEOLDIOM@SdbGetDatabaseMatch@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_84D653
; 

loc_8FD362:				; CODE XREF: SdbGetDatabaseMatch+99j
		push	(offset	loc_8C330B+1)
		push	15F0h
		push	offset ??_C@_0BE@BEOLDIOM@SdbGetDatabaseMatch@NNGAKEGL@

loc_8FD371:				; CODE XREF: SdbGetDatabaseMatch+AFE55j
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84D653
; 

loc_8FD380:				; CODE XREF: SdbGetDatabaseMatch+C1j
		push	offset ??_C@_0DA@NCEAGMKL@The?5database?5has?5more?5matches?5t@NNGAKEGL@
		push	15FFh
		push	edi
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		push	10h
		pop	eax
		jmp	loc_84D64B
; 

loc_8FD39D:				; CODE XREF: SdbGetDatabaseMatch+C9j
		lea	esi, [eax-1]
		test	esi, esi
		js	loc_84D653

loc_8FD3A8:				; CODE XREF: SdbGetDatabaseMatch+AFE5Aj
		test	[ebp+esi*8+var_88], 2
		jnz	short loc_8FD3DB
		mov	edx, [ebx+4]
		lea	eax, [ebp+var_94]
		push	eax
		push	[ebp+esi*8+var_8C]
		mov	ecx, ebx
		call	SdbTagIDToTagRef
		test	eax, eax
		jnz	short loc_8FD3DB
		push	(offset	loc_8C32BB+1)
		push	1612h
		push	edi
		jmp	short loc_8FD371
; 

loc_8FD3DB:				; CODE XREF: SdbGetDatabaseMatch+AFE2Cj
					; SdbGetDatabaseMatch+AFE48j
		sub	esi, 1
		jns	short loc_8FD3A8
		jmp	loc_84D653
; END OF FUNCTION CHUNK	FOR SdbGetDatabaseMatch
; 
; START	OF FUNCTION CHUNK FOR AslFileMappingDelete

loc_8FD3E5:				; CODE XREF: AslFileMappingDelete+1Dj
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+2Ch], 0
		jmp	loc_84D6C9
; END OF FUNCTION CHUNK	FOR AslFileMappingDelete
; 
; START	OF FUNCTION CHUNK FOR AslFileMappingCreate

loc_8FD3F5:				; CODE XREF: AslFileMappingCreate+68j
		mov	esi, 0C0000017h
		jmp	loc_84D900
; 

loc_8FD3FF:				; CODE XREF: AslFileMappingCreate+7Bj
		push	esi
		push	(offset	loc_8C3E05+1)
		push	79h
		jmp	short loc_8FD414
; 

loc_8FD409:				; CODE XREF: AslFileMappingCreate+BFj
		push	esi
		push	(offset	loc_8C4BCB+1)
		push	0B5h

loc_8FD414:				; CODE XREF: AslFileMappingCreate+AFC09j
		push	(offset	loc_8C4C1A+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_84D8FC
; 

loc_8FD428:				; CODE XREF: AslFileMappingCreate+8Fj
		push	8
		xor	eax, eax
		mov	edi, esi
		pop	ecx
		rep stosd
		mov	edi, [ebp+var_28]
		mov	[esi+1Ch], al
		mov	[esi], edx
		jmp	loc_84D8A6
; 

loc_8FD43E:				; CODE XREF: AslFileMappingCreate+129j
		cmp	esi, 0C0000022h
		jz	short loc_8FD473
		cmp	esi, 0C0000043h
		jz	short loc_8FD473
		cmp	esi, 0C0000013h
		jz	short loc_8FD473
		cmp	esi, 0C00000BAh
		jz	short loc_8FD473
		push	esi
		push	edi
		push	offset ??_C@_0CO@ODFLHDNN@RtlFileMapInitializeByFilePath?5@NNGAKEGL@
		push	9Fh
		push	(offset	loc_8C4C1A+4)
		push	1
		jmp	short loc_8FD486
; 

loc_8FD473:				; CODE XREF: AslFileMappingCreate+AFC46j
					; AslFileMappingCreate+AFC4Ej ...
		push	esi
		push	edi
		push	offset ??_C@_0CO@ODFLHDNN@RtlFileMapInitializeByFilePath?5@NNGAKEGL@
		push	0A1h
		push	(offset	loc_8C4C1A+4)
		push	3

loc_8FD486:				; CODE XREF: AslFileMappingCreate+AFC73j
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	loc_84D8FC
; 

loc_8FD493:				; CODE XREF: AslFileMappingCreate+CDj
		mov	eax, [ebp+arg_8]
		mov	[ebx+27h], cl
		mov	[ebx+18h], edx
		mov	[ebx+1Ch], eax
		jmp	loc_84D8D1
; 

loc_8FD4A4:				; CODE XREF: AslFileMappingCreate+E4j
		or	eax, [ebp+var_18]
		jnz	short loc_8FD4CB
		push	offset ??_C@_0DD@GJMEFMID@File?5size?5is?50?5bytes?5yet?5ImageV@NNGAKEGL@
		push	0CEh
		push	(offset	loc_8C4C1A+4)
		push	ecx
		call	AslLogCallPrintf
		add	esp, 10h
		mov	esi, 0C000000Dh
		jmp	loc_84D8FC
; 

loc_8FD4CB:				; CODE XREF: AslFileMappingCreate+AFCA9j
		lea	edx, [ebx+28h]
		lea	ecx, [ebx+8]
		call	AslpFileMappingGetFileKind
		test	eax, eax
		jns	loc_84D8F3
		push	eax
		push	dword ptr [ebx]
		push	offset ??_C@_0CK@IADOKJDF@AslpFileMappingGetFileKind?5fail@NNGAKEGL@
		push	0D5h
		push	(offset	loc_8C4C1A+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		mov	dword ptr [ebx+28h], 3
		jmp	loc_84D8F3
; 

loc_8FD506:				; CODE XREF: AslFileMappingCreate+105j
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	loc_84D909
; 

loc_8FD514:				; CODE XREF: AslFileMappingCreate+38j
					; AslFileMappingCreate+41j ...
		mov	eax, 0C000000Dh
		jmp	loc_84D90B
; END OF FUNCTION CHUNK	FOR AslFileMappingCreate
; 
; START	OF FUNCTION CHUNK FOR KsepGetShimsForDriver

loc_8FD51E:				; CODE XREF: KsepGetShimsForDriver+3Bj
		mov	ecx, [ebp+var_C]
		mov	eax, [ecx+10h]
		mov	[esi], eax
		mov	eax, [ecx+0Ch]
		mov	[edi], eax
		xor	eax, eax
		jmp	loc_84D9CF
; 

loc_8FD532:				; CODE XREF: KsepGetShimsForDriver+7Fj
		mov	edx, ebx
		mov	ecx, edi
		call	_KsepResolveApplicableShimsForDriver@8 ; KsepResolveApplicableShimsForDriver(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_8FD555
		push	14h
		pop	ecx
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		jnz	short loc_8FD573
		mov	esi, 0C000009Ah

loc_8FD555:				; CODE XREF: KsepGetShimsForDriver+AFC09j
		test	edi, edi
		jz	loc_84D9C5
		test	ebx, ebx
		jz	loc_84D9C5
		mov	edx, ebx
		mov	ecx, edi
		call	KsepDbFreeDriverShims
		jmp	loc_84D9C5
; 

loc_8FD573:				; CODE XREF: KsepGetShimsForDriver+AFC18j
		mov	ecx, [ebp+arg_0]
		mov	[eax+10h], edi
		mov	[eax+8], ecx
		mov	[eax+0Ch], ebx
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		mov	ecx, offset unk_6D4A90
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, dword_6D4A8C
		mov	edx, offset unk_6D4A88
		cmp	[ecx], edx
		jz	short loc_8FD5A4
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8FD5A4:				; CODE XREF: KsepGetShimsForDriver+AFC67j
		mov	eax, [ebp+arg_4]
		mov	[eax+4], ecx
		mov	[eax], edx
		mov	[ecx], eax
		mov	ecx, offset unk_6D4A90
		mov	dword_6D4A8C, eax
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8FD5CF
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset unk_6D4A90

loc_8FD5CF:				; CODE XREF: KsepGetShimsForDriver+AFC8Dj
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_84D9BB
; 

loc_8FD5DE:				; CODE XREF: KsepGetShimsForDriver+91j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryMessagesIndex, eax
		inc	eax
		mov	edi, [ebp+var_10]
		and	eax, 3Fh
		push	7
		pop	ebx
		mov	ecx, 168h
		and	dword_6C7244[eax*8], 0
		test	_KsepDebugFlag,	1
		mov	word_6C7242[eax*8], bx
		mov	_KsepHistoryMessages[eax*8], cx
		jz	short loc_8FD62A
		push	dword ptr [edi+4] ; char
		push	(offset	loc_8BB63F+1) ;	char *
		push	ebx		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_8FD62A:				; CODE XREF: KsepGetShimsForDriver+AFCE1j
		push	dword ptr [edi+4]
		push	(offset	loc_8BB63F+1)
		push	ebx
		call	_KsepLogInfo
		add	esp, 0Ch
		jmp	loc_84D9CD
; END OF FUNCTION CHUNK	FOR KsepGetShimsForDriver
; 
; START	OF FUNCTION CHUNK FOR KsepDbGetDriverShims

loc_8FD640:				; CODE XREF: KsepDbGetDriverShims+86j
		lea	eax, [ebp+var_10]
		mov	edx, offset _KsepMatchMachineInfo
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+arg_0]
		push	[ebp+var_18]
		push	[ebp+var_1C]
		call	KsepDbGetDriverShimsInternal
		mov	esi, eax
		test	esi, esi
		jns	short loc_8FD674
		cmp	esi, 0C0000225h
		jz	short loc_8FD674
		mov	ebx, [ebp+var_C]
		mov	edi, [ebp+var_10]
		jmp	loc_84DA7A
; 

loc_8FD674:				; CODE XREF: KsepDbGetDriverShims+AFC89j
					; KsepDbGetDriverShims+AFC91j
		mov	ebx, [ebp+var_C]
		mov	edi, [ebp+var_10]
		jmp	loc_84DA62
; 

loc_8FD67F:				; CODE XREF: KsepDbGetDriverShims+99j
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_8]
		mov	[ecx], ebx
		xor	ebx, ebx
		mov	[eax], edi
		jmp	short loc_8FD6F3
; 

loc_8FD68D:				; CODE XREF: KsepDbGetDriverShims+91j
		test	edi, edi
		jz	short loc_8FD6E2
		lea	eax, [edi+esi]
		imul	ecx, eax, 34h
		mov	[ebp+var_1C], eax
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	short loc_8FD6B0
		mov	esi, 0C0000017h
		jmp	loc_84DA7A
; 

loc_8FD6B0:				; CODE XREF: KsepDbGetDriverShims+AFCCEj
		imul	esi, 34h
		push	esi		; size_t
		push	[ebp+var_4]	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		add	eax, esi
		push	edi		; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_4]
		add	esp, 0Ch
		mov	eax, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_1C]
		mov	[eax], ecx
		jmp	short loc_8FD6F3
; 

loc_8FD6E2:				; CODE XREF: KsepDbGetDriverShims+AFCB9j
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		mov	[eax], esi

loc_8FD6F3:				; CODE XREF: KsepDbGetDriverShims+AFCB5j
					; KsepDbGetDriverShims+AFD0Aj
		xor	esi, esi
		jmp	loc_84DA7A
; 

loc_8FD6FA:				; CODE XREF: KsepDbGetDriverShims+A9j
		mov	edx, [ebp+var_14]
		call	KsepDbFreeDriverShims
		jmp	loc_84DA85
; 

loc_8FD707:				; CODE XREF: KsepDbGetDriverShims+B1j
		mov	edx, edi
		mov	ecx, ebx
		call	KsepDbFreeDriverShims
		jmp	loc_84DA8D
; 

loc_8FD715:				; CODE XREF: KsepDbGetDriverShims+2Aj
					; KsepDbGetDriverShims+35j
		mov	eax, 0C000000Dh
		jmp	loc_84DA9D
; END OF FUNCTION CHUNK	FOR KsepDbGetDriverShims
; 
; START	OF FUNCTION CHUNK FOR KseShimDatabaseClose

loc_8FD71F:				; CODE XREF: KseShimDatabaseClose+20j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		push	9
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 233h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	loc_84DACA
		push	0
		push	ecx
		push	offset ??_C@_0BO@PKNCBPOC@minkernel?2ntos?2kshim?2ksesdb?4c@NNGAKEGL@
		push	offset ??_C@_0BP@KBJLCIJO@DbHandleIn?5?$DN?$DN?5KsepShimDbHandle@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		jmp	loc_84DACA
; END OF FUNCTION CHUNK	FOR KseShimDatabaseClose
; 
; START	OF FUNCTION CHUNK FOR KsepDbGetDriverShimsInternal

loc_8FD775:				; CODE XREF: KsepDbGetDriverShimsInternal+4Dj
		lea	ecx, [ebp+var_14]
		mov	edx, eax
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		mov	ecx, esi
		call	SdbTagRefToTagID
		test	eax, eax
		jz	loc_84DBAD
		mov	ebx, [ebp+var_C]
		mov	ecx, ebx
		mov	edx, [ebp+var_14]
		push	7026h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_84DBAD
		xor	esi, esi

loc_8FD7AA:				; CODE XREF: KsepDbGetDriverShimsInternal+AFC5Ej
		mov	edx, [ebp+var_14]
		mov	ecx, ebx
		push	eax
		call	SdbFindNextTag
		inc	esi
		test	eax, eax
		jnz	short loc_8FD7AA
		mov	eax, [ebp+arg_10]
		imul	ecx, esi, 34h
		mov	[eax], esi
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		jnz	short loc_8FD7DA
		mov	esi, 0C0000017h
		jmp	loc_8FD951
; 

loc_8FD7DA:				; CODE XREF: KsepDbGetDriverShimsInternal+AFC74j
		mov	edx, [ebp+var_14]
		mov	ecx, ebx
		push	7026h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	edi, eax
		xor	ecx, ecx
		mov	[ebp+var_18], edi
		mov	[ebp+var_1C], ecx
		test	edi, edi
		jz	loc_8FD940
		add	esi, 18h
		mov	[ebp+var_C], esi

loc_8FD801:				; CODE XREF: KsepDbGetDriverShimsInternal+AFDDDj
		mov	eax, [ebp+arg_10]
		cmp	ecx, [eax]
		jnb	loc_8FD918
		push	9010h
		mov	edx, edi
		mov	ecx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_8FD849
		sub	esp, 10h	; int
		lea	esi, [ebp+var_2C]
		mov	edi, esp
		lea	ecx, [ebp+var_3C]
		mov	edx, eax
		push	ecx		; void *
		movsd
		mov	ecx, ebx
		movsd
		movsd
		movsd
		call	_SdbReadGUIDTag@24 ; SdbReadGUIDTag(x,x,x,x,x,x)
		mov	edi, [ebp+var_C]
		mov	esi, eax
		lea	edi, [edi-18h]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_18]
		mov	esi, [ebp+var_C]

loc_8FD849:				; CODE XREF: KsepDbGetDriverShimsInternal+AFCC2j
		push	6001h
		mov	edx, edi
		mov	ecx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_8FD880
		mov	edx, eax
		mov	ecx, ebx
		call	SdbGetStringTagPtr
		test	eax, eax
		jz	loc_8FD94C
		lea	ecx, [esi-8]
		mov	edx, eax
		call	KsepStringDuplicate
		mov	esi, eax
		test	esi, esi
		js	loc_8FD951

loc_8FD880:				; CODE XREF: KsepDbGetDriverShimsInternal+AFCFFj
		push	6003h
		mov	edx, edi
		mov	ecx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_8FD8B7
		mov	edx, eax
		mov	ecx, ebx
		call	SdbGetStringTagPtr
		test	eax, eax
		jz	loc_8FD94C
		mov	ecx, [ebp+var_C]
		mov	edx, eax
		call	KsepStringDuplicate
		mov	esi, eax
		test	esi, esi
		js	loc_8FD951

loc_8FD8B7:				; CODE XREF: KsepDbGetDriverShimsInternal+AFD36j
		push	4017h
		mov	edx, edi
		mov	ecx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_8FD8DC
		push	0
		mov	edx, eax
		mov	ecx, ebx
		call	SdbReadDWORDTag
		mov	esi, [ebp+var_C]
		mov	[esi+10h], eax
		jmp	short loc_8FD8DF
; 

loc_8FD8DC:				; CODE XREF: KsepDbGetDriverShimsInternal+AFD6Dj
		mov	esi, [ebp+var_C]

loc_8FD8DF:				; CODE XREF: KsepDbGetDriverShimsInternal+AFD80j
		push	6008h
		mov	edx, edi
		mov	ecx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_8FD90E
		mov	edx, eax
		mov	ecx, ebx
		call	SdbGetStringTagPtr
		test	eax, eax
		jz	short loc_8FD94C
		lea	ecx, [esi+8]
		mov	edx, eax
		call	KsepStringDuplicate
		mov	esi, eax
		test	esi, esi
		js	short loc_8FD951

loc_8FD90E:				; CODE XREF: KsepDbGetDriverShimsInternal+AFD95j
		mov	esi, [ebp+var_C]
		mov	dword ptr [esi+14h], 1

loc_8FD918:				; CODE XREF: KsepDbGetDriverShimsInternal+AFCACj
		mov	edx, [ebp+var_14]
		mov	ecx, ebx
		push	edi
		call	SdbFindNextTag
		mov	ecx, [ebp+var_1C]
		mov	edi, eax
		inc	ecx
		mov	[ebp+var_18], edi
		add	esi, 34h
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_C], esi
		test	edi, edi
		jnz	loc_8FD801
		mov	esi, [ebp+var_10]

loc_8FD940:				; CODE XREF: KsepDbGetDriverShimsInternal+AFC9Bj
		mov	eax, [ebp+arg_C]
		mov	[eax], esi
		xor	esi, esi
		jmp	loc_84DBBE
; 

loc_8FD94C:				; CODE XREF: KsepDbGetDriverShimsInternal+AFD0Cj
					; KsepDbGetDriverShimsInternal+AFD43j ...
		mov	esi, 0C000000Dh

loc_8FD951:				; CODE XREF: KsepDbGetDriverShimsInternal+AFC7Bj
					; KsepDbGetDriverShimsInternal+AFD20j ...
		mov	edi, [ebp+var_10]
		jmp	loc_84DBB2
; END OF FUNCTION CHUNK	FOR KsepDbGetDriverShimsInternal
; 
; START	OF FUNCTION CHUNK FOR KsepDbFreeDriverShims

loc_8FD959:				; CODE XREF: KsepDbFreeDriverShims+Bj
		test	edi, edi
		jz	short loc_8FD991
		lea	esi, [ebx+18h]

loc_8FD960:				; CODE XREF: KsepDbFreeDriverShims+AFDBDj
		cmp	dword ptr [esi+4], 0
		jz	short loc_8FD96D
		mov	ecx, esi
		call	KsepStringFree

loc_8FD96D:				; CODE XREF: KsepDbFreeDriverShims+AFD92j
		cmp	dword ptr [esi-4], 0
		jz	short loc_8FD97B
		lea	ecx, [esi-8]
		call	KsepStringFree

loc_8FD97B:				; CODE XREF: KsepDbFreeDriverShims+AFD9Fj
		cmp	dword ptr [esi+0Ch], 0
		jz	short loc_8FD989
		lea	ecx, [esi+8]
		call	KsepStringFree

loc_8FD989:				; CODE XREF: KsepDbFreeDriverShims+AFDADj
		add	esi, 34h
		sub	edi, 1
		jnz	short loc_8FD960

loc_8FD991:				; CODE XREF: KsepDbFreeDriverShims+AFD89j
		pop	edi
		pop	esi
		mov	ecx, ebx
		pop	ebx
		jmp	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
; END OF FUNCTION CHUNK	FOR KsepDbFreeDriverShims
; 
; START	OF FUNCTION CHUNK FOR SdbGetDatabaseID

loc_8FD99B:				; CODE XREF: SdbGetDatabaseID+23j
		push	offset ??_C@_0BH@OMOHPKII@Failed?5to?5get?5root?5tag@NNGAKEGL@
		push	1B8h
		jmp	short loc_8FD9B1
; 

loc_8FD9A7:				; CODE XREF: SdbGetDatabaseID+3Bj
		push	offset ??_C@_0BO@BKONLPA@Failed?5to?5get?5the?5database?5id@NNGAKEGL@
		push	1BEh

loc_8FD9B1:				; CODE XREF: SdbGetDatabaseID+AFDBDj
		push	offset ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84DC67
; 

loc_8FD9C5:				; CODE XREF: SdbGetDatabaseID+52j
		push	ebx
		push	offset ??_C@_0CB@BBOOADBN@Failed?5to?5read?5database?5id?50x?$CFl@NNGAKEGL@
		push	1C3h
		push	offset ??_C@_0BB@FHFOAFEG@SdbGetDatabaseID@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_84DC67
; END OF FUNCTION CHUNK	FOR SdbGetDatabaseID
; 
; START	OF FUNCTION CHUNK FOR AslStringDuplicate

loc_8FD9E4:				; CODE XREF: AslStringDuplicate+37j
		push	esi
		push	(offset	loc_8C48FD+1)
		push	239h
		jmp	short loc_8FD9FC
; 

loc_8FD9F1:				; CODE XREF: AslStringDuplicate+6Cj
		push	esi
		push	(offset	loc_8C491D+1)
		push	24Ah

loc_8FD9FC:				; CODE XREF: AslStringDuplicate+AFD83j
					; AslStringDuplicate+AFDAFj
		push	offset ??_C@_0BD@NJPGHOHJ@AslStringDuplicate@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_84DD19
; 

loc_8FDA10:				; CODE XREF: AslStringDuplicate+50j
		push	esi
		push	(offset	loc_8C491D+1)
		push	244h
		jmp	short loc_8FD9FC
; 

loc_8FDA1D:				; CODE XREF: AslStringDuplicate+80j
		push	offset ??_C@_0O@NALGGDJF@Out?5of?5memory@NNGAKEGL@
		push	251h
		push	offset ??_C@_0BD@NJPGHOHJ@AslStringDuplicate@NNGAKEGL@
		push	1
		mov	esi, 0C0000017h
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84DD18
; 

loc_8FDA40:				; CODE XREF: AslStringDuplicate+95j
		push	esi
		push	offset ??_C@_0BO@LFCDCAJH@RtlStringCchCopyW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	25Bh
		push	offset ??_C@_0BD@NJPGHOHJ@AslStringDuplicate@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_84DD10
; 

loc_8FDA5F:				; CODE XREF: AslStringDuplicate+A6j
		push	74705041h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_84DD18
; END OF FUNCTION CHUNK	FOR AslStringDuplicate
; 
; START	OF FUNCTION CHUNK FOR SdbpFindFirstIndexedWildCardTag

loc_8FDA6F:				; CODE XREF: SdbpFindFirstIndexedWildCardTag+50j
		push	eax
		movzx	eax, si
		push	eax
		push	offset ??_C@_0CP@NDDLDDHN@Failed?5to?5get?5an?5index?5for?5tag?5@NNGAKEGL@
		push	2AFh
		push	offset ??_C@_0CA@MKAJGAKM@SdbpFindFirstIndexedWildCardTag@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	loc_84DDE6
; 

loc_8FDA92:				; CODE XREF: SdbpFindFirstIndexedWildCardTag+95j
		push	offset ??_C@_0CF@EGNAAOEO@Failed?5to?5convert?5name?5to?5multi@NNGAKEGL@
		push	2C0h
		push	offset ??_C@_0CA@MKAJGAKM@SdbpFindFirstIndexedWildCardTag@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84DDE6
; 

loc_8FDAB0:				; CODE XREF: SdbpFindFirstIndexedWildCardTag+B3j
		push	dword ptr [ebx]
		push	offset ??_C@_0CE@KINBPPGK@Failed?5to?5get?5index?5by?5tag?5id?50@NNGAKEGL@
		push	2CAh
		push	offset ??_C@_0CA@MKAJGAKM@SdbpFindFirstIndexedWildCardTag@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_84DDE6
; 

loc_8FDAD0:				; CODE XREF: SdbpFindFirstIndexedWildCardTag+EFj
		lea	ecx, [ebp+var_10]
		call	_SdbpKeyToAnsiString@12	; SdbpKeyToAnsiString(x,x,x)
		mov	[ebp+var_8], 2Ah
		jmp	loc_84DE25
; END OF FUNCTION CHUNK	FOR SdbpFindFirstIndexedWildCardTag
; 
; START	OF FUNCTION CHUNK FOR SdbGetDatabaseMatchEx

loc_8FDAE1:				; CODE XREF: SdbGetDatabaseMatchEx+39j
		mov	esi, edi
		jmp	loc_84DEDA
; 

loc_8FDAE8:				; CODE XREF: SdbGetDatabaseMatchEx+A6j
		lea	edx, [ebp+var_3C]
		mov	ecx, ebx
		call	_SdbFindNextStringIndexedTag@8 ; SdbFindNextStringIndexedTag(x,x)
		jmp	loc_84DEF2
; 

loc_8FDAF7:				; CODE XREF: SdbGetDatabaseMatchEx+C1j
		push	(offset	loc_8C324B+1)
		push	190Eh
		jmp	short loc_8FDB24
; 

loc_8FDB03:				; CODE XREF: SdbGetDatabaseMatchEx+DDj
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+arg_0]
		push	eax
		push	esi
		mov	edx, ebx
		call	SdbTagIDToTagRef
		test	eax, eax
		jnz	loc_84DF0F
		push	(offset	loc_8C324B+1)
		push	1926h

loc_8FDB24:				; CODE XREF: SdbGetDatabaseMatchEx+AFC69j
		push	offset ??_C@_0BG@ELHOKMEA@SdbGetDatabaseMatchEx@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84DF0F
; END OF FUNCTION CHUNK	FOR SdbGetDatabaseMatchEx
; 
; START	OF FUNCTION CHUNK FOR SdbpGetIndex

loc_8FDB38:				; CODE XREF: SdbpGetIndex+18j
		push	esi
		push	offset ??_C@_0DF@LGEIFGCE@Index?5tagid?50x?$CFlx?5is?5not?5referr@NNGAKEGL@
		push	463h
		push	(offset	loc_8C4722+6)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		xor	eax, eax
		jmp	loc_84DFC4
; END OF FUNCTION CHUNK	FOR SdbpGetIndex
; 
; START	OF FUNCTION CHUNK FOR SdbFindFirstStringIndexedTag

loc_8FDB59:				; CODE XREF: SdbFindFirstStringIndexedTag+2Bj
		movzx	eax, di
		push	eax
		mov	eax, [ebp+var_8]
		movzx	eax, ax
		push	eax
		push	(offset	loc_8C4462+2)
		push	0F9h
		push	offset ??_C@_0BN@IHIKDBOD@SdbFindFirstStringIndexedTag@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	loc_84E026
; END OF FUNCTION CHUNK	FOR SdbFindFirstStringIndexedTag
; 
; START	OF FUNCTION CHUNK FOR SdbpGetFirstIndexedRecord

loc_8FDB82:				; CODE XREF: SdbpGetFirstIndexedRecord+1Aj
		push	esi
		push	offset ??_C@_0CC@MAMOALIP@The?5tag?50x?$CFlx?5is?5not?5an?5index?5t@NNGAKEGL@
		push	1BCh
		jmp	short loc_8FDB9A
; 

loc_8FDB8F:				; CODE XREF: SdbpGetFirstIndexedRecord+41j
		push	esi
		push	offset ??_C@_0DL@FBMDICIO@Failed?5to?5get?5the?5pointer?5to?5in@NNGAKEGL@
		push	1C5h

loc_8FDB9A:				; CODE XREF: SdbpGetFirstIndexedRecord+AFB51j
		push	(offset	loc_8C4448+2)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		xor	eax, eax
		jmp	loc_84E0AD
; 

loc_8FDBB0:				; CODE XREF: SdbpGetFirstIndexedRecord+7Ej
		mov	ecx, [ebp+var_4]
		mov	edx, [ebx]
		dec	ecx
		cmp	edx, ecx
		jnb	loc_84E0C0
		imul	ecx, edx, 0Ch
		mov	edx, [ebp+var_8]
		mov	ecx, [ecx+edx+14h]
		jmp	loc_84E0C5
; END OF FUNCTION CHUNK	FOR SdbpGetFirstIndexedRecord
; 
; START	OF FUNCTION CHUNK FOR SdbReadDWORDTag

loc_8FDBCD:				; CODE XREF: SdbReadDWORDTag+2Bj
		call	SdbGetTagFromTagID
		movzx	ecx, ax
		push	ecx
		push	esi
		push	(offset	loc_8C3631+5)
		push	96h
		push	offset ??_C@_0BA@GCHIOJFL@SdbReadDWORDTag@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		mov	eax, edi
		jmp	loc_84E11B
; END OF FUNCTION CHUNK	FOR SdbReadDWORDTag
; 
; START	OF FUNCTION CHUNK FOR SdbpGetMappedTagData

loc_8FDBF7:				; CODE XREF: SdbpGetMappedTagData+14j
		push	ecx
		push	eax
		push	offset ??_C@_0EO@JEMFMFJL@Trying?5to?5read?5mapped?5data?5past@NNGAKEGL@
		push	2EAh
		push	offset ??_C@_0BC@HKOOPOLO@SdbpGetMappedData@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		xor	esi, esi

loc_8FDC14:				; CODE XREF: SdbpGetMappedTagData+1Fj
		push	(offset	loc_8C3729+1)
		push	1CFh
		push	(offset	loc_8C3747+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84E147
; END OF FUNCTION CHUNK	FOR SdbpGetMappedTagData
; 
; START	OF FUNCTION CHUNK FOR SdbFindNextTag

loc_8FDC32:				; CODE XREF: SdbFindNextTag+27j
		push	(offset	loc_8C3524+4)
		push	5Eh
		push	offset ??_C@_0P@FPAMPNAO@SdbFindNextTag@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		xor	eax, eax
		jmp	loc_84E19B
; END OF FUNCTION CHUNK	FOR SdbFindNextTag
; 
; START	OF FUNCTION CHUNK FOR SdbReadWORDTag

loc_8FDC4F:				; CODE XREF: SdbReadWORDTag+2Fj
		call	SdbGetTagFromTagID
		movzx	ecx, ax
		push	ecx
		push	esi
		push	(offset	loc_8C3631+5)
		push	8Fh
		push	(offset	loc_8C36B8+2)
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		mov	ax, di
		jmp	loc_84E1F3
; END OF FUNCTION CHUNK	FOR SdbReadWORDTag
; 
; START	OF FUNCTION CHUNK FOR SdbpReadTagData

loc_8FDC7A:				; CODE XREF: SdbpReadTagData+16j
		push	esi
		push	[ebp+arg_4]
		push	offset ??_C@_0CG@PDEBNNFA@Buffer?5too?5small?4?5Avail?3?5?$CFd?0?5Ne@NNGAKEGL@
		push	160h
		push	(offset	loc_8C36ED+3)
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	short loc_8FDCB2
; 

loc_8FDC99:				; CODE XREF: SdbpReadTagData+35j
		push	offset ??_C@_0BH@MDHELOIN@Error?5reading?5tag?5data@NNGAKEGL@
		push	167h
		push	(offset	loc_8C36ED+3)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h

loc_8FDCB2:				; CODE XREF: SdbpReadTagData+AFA9Dj
		xor	eax, eax
		jmp	loc_84E238
; END OF FUNCTION CHUNK	FOR SdbpReadTagData
; 
; START	OF FUNCTION CHUNK FOR InitOnceScanIndexes

loc_8FDCB9:				; CODE XREF: InitOnceScanIndexes+Cj
		push	offset ??_C@_0CN@DLEDMNBL@PDB?5was?5not?5supplied?5for?5InitOn@NNGAKEGL@
		push	3BAh
		jmp	short loc_8FDCCF
; 

loc_8FDCC5:				; CODE XREF: InitOnceScanIndexes+16j
		push	offset ??_C@_0DH@NGAMOJOE@No?5return?5context?5was?5supplied?5@NNGAKEGL@
		push	3C0h

loc_8FDCCF:				; CODE XREF: InitOnceScanIndexes+AFA83j
		push	offset ??_C@_0BE@MFGMCOON@InitOnceScanIndexes@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		xor	eax, eax
		jmp	loc_84E3A1
; 

loc_8FDCE5:				; CODE XREF: InitOnceScanIndexes+42j
		push	offset ??_C@_0CI@HKBLJLNI@Failed?5to?5get?5the?5child?5index?5f@NNGAKEGL@
		push	3CFh
		jmp	short loc_8FDD02
; 

loc_8FDCF1:				; CODE XREF: InitOnceScanIndexes+124j
		xor	eax, eax
		push	offset ??_C@_0BN@GCFFLLIE@Index?5missing?5TAG_INDEX_BITS@NNGAKEGL@
		mov	[ecx+esi+2Ch], ax
		push	404h

loc_8FDD02:				; CODE XREF: InitOnceScanIndexes+AFAAFj
					; InitOnceScanIndexes+AFAFFj ...
		push	offset ??_C@_0BE@MFGMCOON@InitOnceScanIndexes@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84E39D
; 

loc_8FDD16:				; CODE XREF: InitOnceScanIndexes+59j
		push	ebx
		push	(offset	loc_8C4641+1)
		push	3D4h
		push	offset ??_C@_0BE@MFGMCOON@InitOnceScanIndexes@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_84E39D
; 

loc_8FDD35:				; CODE XREF: InitOnceScanIndexes+C8j
		push	(offset	loc_8C4625+1)
		push	3F3h
		jmp	short loc_8FDD02
; 

loc_8FDD41:				; CODE XREF: InitOnceScanIndexes+9Bj
		push	(offset	loc_8C4606+4)
		push	3EAh
		jmp	short loc_8FDD02
; 

loc_8FDD4D:				; CODE XREF: InitOnceScanIndexes+85j
		push	offset ??_C@_0EB@LJPIIMCB@Too?5many?5indexes?5in?5file?3?5recom@NNGAKEGL@
		push	3E3h
		jmp	short loc_8FDD02
; END OF FUNCTION CHUNK	FOR InitOnceScanIndexes
; 
; START	OF FUNCTION CHUNK FOR SdbGetNextChild

loc_8FDD59:				; CODE XREF: SdbGetNextChild+24j
		push	(offset	loc_8C2641+1)
		push	53Ch
		push	(offset	loc_8C266D+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		xor	eax, eax
		jmp	loc_84E42F
; END OF FUNCTION CHUNK	FOR SdbGetNextChild
; 
; START	OF FUNCTION CHUNK FOR SdbpGetTagHeadSize

loc_8FDD79:				; CODE XREF: SdbpGetTagHeadSize+17j
		push	(offset	loc_8C3662+2)
		push	5Eh
		push	offset ??_C@_0BD@MJHGMCAF@SdbpGetTagHeadSize@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		xor	eax, eax
		leave
		retn
; END OF FUNCTION CHUNK	FOR SdbpGetTagHeadSize
; 
; START	OF FUNCTION CHUNK FOR SdbpGetNextTagId

loc_8FDD93:				; CODE XREF: SdbpGetNextTagId+2Bj
		push	offset ??_C@_0BN@MMDIANPF@Reading?5from?5unfinished?5list@NNGAKEGL@
		push	4DDh
		push	offset ??_C@_0BB@OGLNMMEN@SdbpGetNextTagId@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		mov	eax, [esi+0Ch]
		jmp	loc_84E4CE
; END OF FUNCTION CHUNK	FOR SdbpGetNextTagId
; 
; START	OF FUNCTION CHUNK FOR SdbGetTagDataSize

loc_8FDDB4:				; CODE XREF: SdbGetTagDataSize+5Cj
		push	(offset	loc_8C370E+4)
		push	116h
		push	(offset	loc_8C36FF+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84E538
; 

loc_8FDDD2:				; CODE XREF: SdbGetTagDataSize+74j
					; SdbGetTagDataSize+80j
		push	(offset	loc_8C370E+4)
		push	121h
		push	(offset	loc_8C36FF+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		or	esi, 0FFFFFFFFh
		jmp	loc_84E55C
; END OF FUNCTION CHUNK	FOR SdbGetTagDataSize
; 
; START	OF FUNCTION CHUNK FOR SdbGetTagFromTagID

loc_8FDDF3:				; CODE XREF: SdbGetTagFromTagID+17j
		push	offset ??_C@_0BD@GBHBBJKK@Error?5reading?5data@NNGAKEGL@
		push	4BBh
		push	offset ??_C@_0BD@BBDOGMGI@SdbGetTagFromTagID@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		xor	eax, eax
		leave
		retn
; END OF FUNCTION CHUNK	FOR SdbGetTagFromTagID
; 
; START	OF FUNCTION CHUNK FOR SdbpReadMappedData

loc_8FDE10:				; CODE XREF: SdbpReadMappedData+1Ej
		push	offset ??_C@_0EI@COOFDAJ@Offset?5and?5region?5size?5add?5up?5t@NNGAKEGL@
		push	2C8h
		push	(offset	loc_8C231F+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_8FDE49
; 

loc_8FDE2B:				; CODE XREF: SdbpReadMappedData+2Aj
		push	eax
		push	[ebp+arg_4]
		push	esi
		push	offset ??_C@_0EN@ELOPGLPH@Attempt?5to?5read?5past?5the?5end?5of@NNGAKEGL@
		push	2CDh
		push	(offset	loc_8C231F+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 1Ch

loc_8FDE49:				; CODE XREF: SdbpReadMappedData+AF88Fj
		xor	eax, eax
		jmp	loc_84E5E1
; END OF FUNCTION CHUNK	FOR SdbpReadMappedData
; 
; START	OF FUNCTION CHUNK FOR SdbpSearchDB

loc_8FDE50:				; CODE XREF: SdbpSearchDB+5Cj
		lea	eax, [ebp+var_48]
		mov	edx, 7007h
		push	eax
		push	[ebp+var_C]
		push	ecx
		mov	ecx, esi
		call	SdbpFindFirstIndexedWildCardTag
		jmp	short loc_8FDEA7
; 

loc_8FDE66:				; CODE XREF: SdbpSearchDB+AF727j
		push	[ebp+arg_8]	; void *
		lea	ecx, [ebp+var_8]
		mov	edx, esi
		push	ecx		; int
		push	1		; int
		push	[ebp+arg_4]	; int
		lea	ecx, [ebp+var_4]
		push	ecx		; int
		mov	ecx, [ebp+var_18]
		push	eax		; int
		call	_SdbpCheckExe@32 ; SdbpCheckExe(x,x,x,x,x,x,x,x)
		mov	ebx, [ebp+var_4]
		test	eax, eax
		jz	short loc_8FDE94
		cmp	[ebp+var_8], 2
		jnz	loc_84E84E
		jmp	short loc_8FDE9D
; 

loc_8FDE94:				; CODE XREF: SdbpSearchDB+AF704j
		cmp	ebx, 10h
		ja	loc_84E865

loc_8FDE9D:				; CODE XREF: SdbpSearchDB+AF710j
		lea	edx, [ebp+var_48]
		mov	ecx, esi
		call	SdbpFindNextIndexedWildCardTag

loc_8FDEA7:				; CODE XREF: SdbpSearchDB+AF6E2j
		test	eax, eax
		jnz	short loc_8FDE66
		jmp	loc_84E7E4
; 

loc_8FDEB0:				; CODE XREF: SdbpSearchDB+78j
		push	7001h
		xor	edx, edx
		mov	[ebp+var_1C], edi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jnz	short loc_8FDEF0
		push	(offset	loc_8C316C+6)
		push	107Ah
		jmp	short loc_8FDEDC
; 

loc_8FDED2:				; CODE XREF: SdbpSearchDB+AF83Cj
		push	(offset	loc_8C316C+6)
		push	10C2h

loc_8FDEDC:				; CODE XREF: SdbpSearchDB+AF74Ej
		push	(offset	loc_8C3186+2)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84E84E
; 

loc_8FDEF0:				; CODE XREF: SdbpSearchDB+AF742j
		push	[ebp+var_C]	; wchar_t *
		mov	edx, eax
		mov	ecx, esi
		push	6001h		; int
		push	7007h		; __int16
		call	_SdbFindFirstNamedTag@20 ; SdbFindFirstNamedTag(x,x,x,x,x)
		jmp	loc_84E81D
; 

loc_8FDF0B:				; CODE XREF: SdbpSearchDB+A0j
		push	[ebp+arg_8]	; void *
		lea	ecx, [ebp+var_8]
		mov	edx, esi
		push	ecx		; int
		push	edi		; int
		push	[ebp+arg_4]	; int
		lea	ecx, [ebp+var_4]
		push	ecx		; int
		mov	ecx, [ebp+var_18]
		push	eax		; int
		call	_SdbpCheckExe@32 ; SdbpCheckExe(x,x,x,x,x,x,x,x)
		mov	ebx, [ebp+var_4]
		test	eax, eax
		jz	short loc_8FDF38
		cmp	[ebp+var_8], 2
		jnz	loc_84E84E
		jmp	short loc_8FDF41
; 

loc_8FDF38:				; CODE XREF: SdbpSearchDB+AF7A8j
		cmp	ebx, 10h
		ja	loc_84E865

loc_8FDF41:				; CODE XREF: SdbpSearchDB+AF7B4j
		mov	ecx, esi
		cmp	[ebp+var_1C], edi
		jz	short loc_8FDF55
		lea	edx, [ebp+var_48]
		call	_SdbFindNextStringIndexedTag@8 ; SdbFindNextStringIndexedTag(x,x)
		jmp	loc_84E81D
; 

loc_8FDF55:				; CODE XREF: SdbpSearchDB+AF7C4j
		push	[ebp+var_C]	; wchar_t *
		mov	edx, [ebp+var_14]
		push	6001h		; int
		push	[ebp+var_10]	; int
		call	_SdbpFindNextNamedTag@20 ; SdbpFindNextNamedTag(x,x,x,x,x)
		jmp	loc_84E81D
; 

loc_8FDF6D:				; CODE XREF: SdbpSearchDB+ACj
		push	edi
		push	6020h
		mov	edx, 7007h
		mov	ecx, esi
		call	SdbGetIndex
		mov	ecx, esi
		test	eax, eax
		jz	short loc_8FDFAA
		lea	eax, [ebp+var_48]
		mov	[ebp+var_1C], 1
		push	eax
		mov	eax, [ebp+arg_4]
		mov	edx, 7007h
		push	dword ptr [eax+18h]
		push	6020h
		call	SdbFindFirstStringIndexedTag
		jmp	loc_8FE03C
; 

loc_8FDFAA:				; CODE XREF: SdbpSearchDB+AF801j
		push	7001h
		xor	edx, edx
		mov	[ebp+var_1C], edi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jnz	loc_8FDED2
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		mov	ecx, esi
		push	dword ptr [eax+18h] ; wchar_t *
		push	6020h		; int
		push	7007h		; __int16
		call	_SdbFindFirstNamedTag@20 ; SdbFindFirstNamedTag(x,x,x,x,x)
		jmp	short loc_8FE03C
; 

loc_8FDFDF:				; CODE XREF: SdbpSearchDB+AF8BFj
		push	[ebp+arg_8]	; void *
		lea	ecx, [ebp+var_8]
		mov	edx, esi
		push	ecx		; int
		push	edi		; int
		push	[ebp+arg_4]	; int
		lea	ecx, [ebp+var_4]
		push	ecx		; int
		mov	ecx, [ebp+var_18]
		push	eax		; int
		call	_SdbpCheckExe@32 ; SdbpCheckExe(x,x,x,x,x,x,x,x)
		mov	ebx, [ebp+var_4]
		test	eax, eax
		jz	short loc_8FE00C
		cmp	[ebp+var_8], 2
		jnz	loc_84E84E
		jmp	short loc_8FE015
; 

loc_8FE00C:				; CODE XREF: SdbpSearchDB+AF87Cj
		cmp	ebx, 10h
		ja	loc_84E865

loc_8FE015:				; CODE XREF: SdbpSearchDB+AF888j
		mov	ecx, esi
		cmp	[ebp+var_1C], edi
		jz	short loc_8FE026
		lea	edx, [ebp+var_48]
		call	_SdbFindNextStringIndexedTag@8 ; SdbFindNextStringIndexedTag(x,x)
		jmp	short loc_8FE03C
; 

loc_8FE026:				; CODE XREF: SdbpSearchDB+AF898j
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_14]
		push	dword ptr [eax+18h] ; wchar_t *
		push	6020h		; int
		push	[ebp+var_10]	; int
		call	_SdbpFindNextNamedTag@20 ; SdbpFindNextNamedTag(x,x,x,x,x)

loc_8FE03C:				; CODE XREF: SdbpSearchDB+AF823j
					; SdbpSearchDB+AF85Bj ...
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_8FDFDF
		jmp	loc_84E834
; 

loc_8FE048:				; CODE XREF: SdbpSearchDB+C6j
		lea	eax, [ebp+var_48]
		mov	edx, 7007h
		push	eax
		push	[ebp+var_C]
		push	ecx
		mov	ecx, esi
		call	SdbpFindFirstIndexedWildCardTag
		jmp	short loc_8FE09F
; 

loc_8FE05E:				; CODE XREF: SdbpSearchDB+AF91Fj
		push	[ebp+arg_8]	; void *
		lea	ecx, [ebp+var_8]
		mov	edx, esi
		push	ecx		; int
		push	2		; int
		push	[ebp+arg_4]	; int
		lea	ecx, [ebp+var_4]
		push	ecx		; int
		mov	ecx, [ebp+var_18]
		push	eax		; int
		call	_SdbpCheckExe@32 ; SdbpCheckExe(x,x,x,x,x,x,x,x)
		mov	ebx, [ebp+var_4]
		test	eax, eax
		jz	short loc_8FE08C
		cmp	[ebp+var_8], 2
		jnz	loc_84E84E
		jmp	short loc_8FE095
; 

loc_8FE08C:				; CODE XREF: SdbpSearchDB+AF8FCj
		cmp	ebx, 10h
		ja	loc_84E865

loc_8FE095:				; CODE XREF: SdbpSearchDB+AF908j
		lea	edx, [ebp+var_48]
		mov	ecx, esi
		call	SdbpFindNextIndexedWildCardTag

loc_8FE09F:				; CODE XREF: SdbpSearchDB+AF8DAj
		test	eax, eax
		jnz	short loc_8FE05E
		jmp	loc_84E84E
; 

loc_8FE0A8:				; CODE XREF: SdbpSearchDB+E6j
					; SdbpSearchDB+AF948j
		mov	eax, [ebp+arg_8]
		mov	ecx, esi
		push	6006h
		mov	edx, [eax+edi*8]
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_8FE0C7
		mov	edx, eax
		mov	ecx, esi
		call	SdbGetStringTagPtr

loc_8FE0C7:				; CODE XREF: SdbpSearchDB+AF93Aj
		inc	edi
		cmp	edi, ebx
		jb	short loc_8FE0A8
		mov	ebx, [ebp+var_4]
		jmp	loc_84E85C
; END OF FUNCTION CHUNK	FOR SdbpSearchDB
; 
; START	OF FUNCTION CHUNK FOR SdbGetIndex

loc_8FE0D4:				; CODE XREF: SdbGetIndex+35j
		push	eax
		push	offset ??_C@_0DK@DNDEGMAH@RtlRunOnceExecuteOnce?5failed?5fo@NNGAKEGL@
		push	435h
		push	(offset	loc_8C475B+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_84E8E4
; END OF FUNCTION CHUNK	FOR SdbGetIndex
; 
; START	OF FUNCTION CHUNK FOR AslStringUpcaseToMultiByteN

loc_8FE0F3:				; CODE XREF: AslStringUpcaseToMultiByteN+36j
		push	offset ??_C@_0O@NALGGDJF@Out?5of?5memory@NNGAKEGL@
		push	427h
		push	offset ??_C@_0BM@NEFIOBOM@AslStringUpcaseToMultiByteN@NNGAKEGL@
		push	1
		mov	esi, 0C0000017h
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84EA1F
; 

loc_8FE116:				; CODE XREF: AslStringUpcaseToMultiByteN+5Cj
		push	esi
		push	offset ??_C@_0CD@JCPPHMHK@RtlUpcaseUnicodeString?5failed?5?$FL@NNGAKEGL@
		push	430h
		jmp	short loc_8FE12E
; 

loc_8FE123:				; CODE XREF: AslStringUpcaseToMultiByteN+7Ej
		push	esi
		push	offset ??_C@_0CJ@HGKEFLOG@RtlUnicodeStringToAnsiString?5fa@NNGAKEGL@
		push	472h

loc_8FE12E:				; CODE XREF: AslStringUpcaseToMultiByteN+AF78Fj
		push	offset ??_C@_0BM@NEFIOBOM@AslStringUpcaseToMultiByteN@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_84EA1F
; END OF FUNCTION CHUNK	FOR AslStringUpcaseToMultiByteN
; 
; START	OF FUNCTION CHUNK FOR KseShimDatabaseOpen

loc_8FE142:				; CODE XREF: KseShimDatabaseOpen+31j
		and	dword ptr [edi], 0
		mov	esi, 0C0000001h
		jmp	loc_84EAAE
; 

loc_8FE14F:				; CODE XREF: KseShimDatabaseOpen+9Ej
		mov	eax, dword_6C7480
		cmp	eax, dword_6C74A8
		jb	loc_84EB0A
		mov	ecx, offset unk_6C7488
		call	_KsepSdbUnmapFromMemory@4 ; KsepSdbUnmapFromMemory(x)
		call	_KsepDeletePatchSdb@0 ;	KsepDeletePatchSdb()
		jmp	loc_84EB0A
; 

loc_8FE174:				; CODE XREF: KseShimDatabaseOpen+87j
		and	dword ptr [edi], 0
		mov	esi, 0C0000001h
		lock inc dword_6C6F9C
		jmp	loc_84EAAE
; 

loc_8FE188:				; CODE XREF: KseShimDatabaseOpen+51j
		test	al, 4
		jnz	loc_84EABD
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_84EABD
; END OF FUNCTION CHUNK	FOR KseShimDatabaseOpen
; 
; START	OF FUNCTION CHUNK FOR KsepRegistryQueryDriverShims

loc_8FE19C:				; CODE XREF: KsepRegistryQueryDriverShims+2Bj
		push	[ebp+arg_4]	; int
		mov	ecx, [ebp+var_4]
		mov	edx, offset ??_C@_1M@PLLFNIO@?$AAS?$AAh?$AAi?$AAm?$AAs@NNGAKEGL@
		push	800h		; int
		push	ebx		; void *
		push	7		; int
		call	KsepRegistryQuerySZ
		mov	esi, eax
		jmp	loc_84EB6D
; 

loc_8FE1BB:				; CODE XREF: KsepRegistryQueryDriverShims+42j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		lock inc dword_6C6FBC
		jmp	loc_84EB84
; END OF FUNCTION CHUNK	FOR KsepRegistryQueryDriverShims
; 
; START	OF FUNCTION CHUNK FOR KsepStringConcatenate

loc_8FE1CF:				; CODE XREF: KsepStringConcatenate+1Cj
		mov	eax, esi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		push	3
		mov	word_6C7022[eax*8], dx
		mov	edx, 2CCh
		mov	_KsepHistoryErrors[eax*8], dx
		mov	dword_6C7024[eax*8], 0C0000420h
		pop	edx
		jz	loc_84EBB6
		push	ecx
		mov	eax, 2CCh
		push	eax
		push	offset ??_C@_0BP@MHONLNCD@minkernel?2ntos?2kshim?2ksemisc?4c@NNGAKEGL@
		push	offset ??_C@_0BF@IPJAJFEJ@ResultString?5?$CB?$DN?5NULL@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		push	3
		xor	ecx, ecx
		pop	edx
		jmp	loc_84EBB6
; 

loc_8FE22D:				; CODE XREF: KsepStringConcatenate+24j
		mov	eax, esi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		mov	word_6C7022[eax*8], dx
		mov	edx, 2CDh
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], dx
		jz	loc_84EBBE
		push	ecx
		push	edx
		push	offset ??_C@_0BP@MHONLNCD@minkernel?2ntos?2kshim?2ksemisc?4c@NNGAKEGL@
		push	(offset	loc_8BBB9F+1)
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		jmp	loc_84EBBE
; 

loc_8FE27E:				; CODE XREF: KsepStringConcatenate+2Ej
		lock xadd _KsepHistoryErrorsIndex, esi
		inc	esi
		and	esi, 3Fh
		test	_KsepDebugFlag,	4
		push	3
		pop	eax
		mov	word_6C7022[esi*8], ax
		mov	eax, 2CEh
		mov	dword_6C7024[esi*8], 0C0000420h
		mov	_KsepHistoryErrors[esi*8], ax
		jz	loc_84EBC8
		push	0
		push	eax
		push	offset ??_C@_0BP@MHONLNCD@minkernel?2ntos?2kshim?2ksemisc?4c@NNGAKEGL@
		push	offset ??_C@_0BE@LHNGPILI@RightString?5?$CB?$DN?5NULL@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		jmp	loc_84EBC8
; END OF FUNCTION CHUNK	FOR KsepStringConcatenate
; 
; START	OF FUNCTION CHUNK FOR KsepRegistryOpenKey

loc_8FE2D1:				; CODE XREF: KsepRegistryOpenKey+2Ej
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		mov	word_6C7022[eax*8], cx
		mov	ecx, 1A6h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_8FE31B
		push	0
		push	ecx
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0BD@MJDCKHCM@EnginePath?5?$CB?$DN?5NULL@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)

loc_8FE31B:				; CODE XREF: KsepRegistryOpenKey+AF667j
		push	4
		pop	ecx
		jmp	loc_84ECD4
; 

loc_8FE323:				; CODE XREF: KsepRegistryOpenKey+39j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		mov	word_6C7022[eax*8], cx
		mov	ecx, 1A7h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	loc_84ECDF
		push	0
		push	ecx
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0P@MJKECDDF@Handle?5?$CB?$DN?5NULL@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		jmp	loc_84ECDF
; END OF FUNCTION CHUNK	FOR KsepRegistryOpenKey
; 
; START	OF FUNCTION CHUNK FOR KsepEngineGetShimsFromRegistry

loc_8FE376:				; CODE XREF: KsepEngineGetShimsFromRegistry+48j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KsepStringSplitMultiString@16 ; KsepStringSplitMultiString(x,x,x,x)
		mov	edi, [ebp+var_10]
		mov	esi, eax
		test	esi, esi
		js	loc_8FE461
		imul	ecx, edi, 34h
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		jnz	short loc_8FE3B1
		mov	esi, 0C0000017h
		jmp	loc_8FE461
; 

loc_8FE3B1:				; CODE XREF: KsepEngineGetShimsFromRegistry+AF491j
		and	[ebp+var_C], 0
		test	edi, edi
		jz	short loc_8FE3ED
		mov	eax, [ebp+var_4]
		lea	esi, [ebx+2Ch]
		mov	ebx, [ebp+var_C]
		add	eax, 4
		mov	[ebp+var_10], eax

loc_8FE3C8:				; CODE XREF: KsepEngineGetShimsFromRegistry+AF4D4j
		mov	edx, [eax]
		lea	ecx, [esi-1Ch]
		call	KsepStringDuplicate
		test	eax, eax
		js	short loc_8FE3EA
		and	dword ptr [esi], 0
		inc	ebx
		mov	eax, [ebp+var_10]
		add	esi, 34h
		add	eax, 8
		mov	[ebp+var_10], eax
		cmp	ebx, edi
		jb	short loc_8FE3C8

loc_8FE3EA:				; CODE XREF: KsepEngineGetShimsFromRegistry+AF4C0j
		mov	ebx, [ebp+var_8]

loc_8FE3ED:				; CODE XREF: KsepEngineGetShimsFromRegistry+AF4A3j
		mov	edx, edi
		mov	ecx, ebx
		call	_KsepDbGetShimInfo@8 ; KsepDbGetShimInfo(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_8FE455
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	2
		push	2
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 405h
		mov	dword_6C7024[eax*8], esi
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_8FE443
		push	esi		; char
		push	offset ??_C@_0DB@EDPECHCA@KSE?3?5Cannot?5resolve?5registry?5sh@NNGAKEGL@ ; char	*
		push	0		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_8FE443:				; CODE XREF: KsepEngineGetShimsFromRegistry+AF51Dj
		push	esi		; char
		push	offset ??_C@_0DB@EDPECHCA@KSE?3?5Cannot?5resolve?5registry?5sh@NNGAKEGL@ ; char	*
		push	0		; int
		call	_KsepLogError
		add	esp, 0Ch
		jmp	short loc_8FE461
; 

loc_8FE455:				; CODE XREF: KsepEngineGetShimsFromRegistry+AF4E6j
		mov	eax, [ebp+arg_0]
		xor	esi, esi
		mov	[eax], ebx
		mov	eax, [ebp+arg_4]
		mov	[eax], edi

loc_8FE461:				; CODE XREF: KsepEngineGetShimsFromRegistry+AF47Cj
					; KsepEngineGetShimsFromRegistry+AF498j ...
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	loc_84EF62
		test	edi, edi
		jz	short loc_8FE487
		mov	ebx, eax

loc_8FE472:				; CODE XREF: KsepEngineGetShimsFromRegistry+AF56Bj
		mov	ecx, ebx
		call	KsepStringFree
		add	ebx, 8
		sub	edi, 1
		jnz	short loc_8FE472
		mov	ebx, [ebp+var_8]
		mov	eax, [ebp+var_4]

loc_8FE487:				; CODE XREF: KsepEngineGetShimsFromRegistry+AF55Aj
		mov	ecx, eax
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		jmp	loc_84EF62
; END OF FUNCTION CHUNK	FOR KsepEngineGetShimsFromRegistry
; 
; START	OF FUNCTION CHUNK FOR KsepStringFree

loc_8FE493:				; CODE XREF: KsepStringFree+7j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		push	3
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 34Bh
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	loc_84EFB8
		push	0
		push	ecx
		push	offset ??_C@_0BP@MHONLNCD@minkernel?2ntos?2kshim?2ksemisc?4c@NNGAKEGL@
		push	offset ??_C@_0P@FNKIDPLG@String?5?$CB?$DN?5NULL@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR KsepStringFree
; 
; START	OF FUNCTION CHUNK FOR KsepStringDuplicateUnicode

loc_8FE4E6:				; CODE XREF: KsepStringDuplicateUnicode+11j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		push	3
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 28Dh
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	loc_84EFD1
		push	ebx
		push	ecx
		push	offset ??_C@_0BP@MHONLNCD@minkernel?2ntos?2kshim?2ksemisc?4c@NNGAKEGL@
		push	offset ??_C@_0BF@LFGACLEE@SourceString?5?$CB?$DN?5NULL@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		jmp	loc_84EFD1
; END OF FUNCTION CHUNK	FOR KsepStringDuplicateUnicode
; 
; START	OF FUNCTION CHUNK FOR KsepIsModuleShimmed

loc_8FE53B:				; CODE XREF: KsepIsModuleShimmed+47j
		mov	ecx, eax
		mov	eax, [eax]
		cmp	[ecx+8], ebx
		jnz	loc_84F06D
		xor	edi, edi
		mov	[esi], ecx
		inc	edi
		jmp	loc_84F075
; END OF FUNCTION CHUNK	FOR KsepIsModuleShimmed
; 
; START	OF FUNCTION CHUNK FOR MiCreateSectionForDriver

loc_8FE552:				; CODE XREF: MiCreateSectionForDriver+33j
		cmp	_KdDebuggerNotPresent, 0
		jnz	loc_84F1A9
		push	ecx
		push	ecx
		call	_KdPullRemoteFile@16 ; KdPullRemoteFile(x,x,x,x)
		test	eax, eax
		js	loc_84F1A9
		push	edi		; char
		push	offset ??_C@_0CH@HOAINNBL@MmLoadSystemImage?3?5Pulled?5?$CFwZ?5f@NNGAKEGL@ ; char *
		push	2		; int
		push	66h		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	loc_84F1A9
; 

loc_8FE585:				; CODE XREF: MiCreateSectionForDriver+DBj
		push	esi
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	_MiLogFailedDriverLoad@16 ; MiLogFailedDriverLoad(x,x,x,x)
		mov	eax, esi
		jmp	loc_84F25B
; END OF FUNCTION CHUNK	FOR MiCreateSectionForDriver
; 
; START	OF FUNCTION CHUNK FOR SdbGetDatabaseEdition

loc_8FE598:				; CODE XREF: SdbGetDatabaseEdition+16j
		push	offset ??_C@_0CK@LKALPFJL@Failed?5to?5get?5database?5tag?0?5db?5@NNGAKEGL@
		push	25Fh
		push	offset ??_C@_0BG@DGNFNDAB@SdbGetDatabaseEdition@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84F2F0
; END OF FUNCTION CHUNK	FOR SdbGetDatabaseEdition
; 
; START	OF FUNCTION CHUNK FOR KsepSdbMapToMemory

loc_8FE5B6:				; CODE XREF: KsepSdbMapToMemory+A7j
		push	offset ??_C@_0CJ@EBFFHOCD@KSE?3?5ZwOpenFile?5failed?5opening?5@NNGAKEGL@ ; "KSE: ZwOpenFile failed opening DB file!"...
		push	0		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx
		jmp	loc_84F3FD
; 

loc_8FE5C9:				; CODE XREF: KsepSdbMapToMemory+128j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	2
		push	9
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 2C0h
		mov	dword_6C7024[eax*8], esi
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_8FE60E
		push	(offset	loc_8BB9EB+1) ;	char *
		push	0		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_8FE60E:				; CODE XREF: KsepSdbMapToMemory+AF2AEj
		push	(offset	loc_8BB9EB+1)
		jmp	loc_84F402
; 

loc_8FE618:				; CODE XREF: KsepSdbMapToMemory+153j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	2
		push	9
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 2CEh
		mov	dword_6C7024[eax*8], esi
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_8FE65D
		push	offset ??_C@_0CF@BHLNKHBJ@KSE?3?5ObRefByHandle?$CIsection?$CJ?5fai@NNGAKEGL@ ; char *
		push	0		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_8FE65D:				; CODE XREF: KsepSdbMapToMemory+AF2FDj
		push	offset ??_C@_0CF@BHLNKHBJ@KSE?3?5ObRefByHandle?$CIsection?$CJ?5fai@NNGAKEGL@ ; char *
		push	0		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx
		mov	edx, edi
		jmp	loc_84F40D
; 

loc_8FE672:				; CODE XREF: KsepSdbMapToMemory+170j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	2
		push	9
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 2DBh
		mov	dword_6C7024[eax*8], esi
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_8FE6B6
		push	(offset	loc_8BBAC7+7) ;	char *
		push	edi		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_8FE6B6:				; CODE XREF: KsepSdbMapToMemory+AF357j
		push	(offset	loc_8BBAC7+7) ;	char *
		push	edi		; int
		call	_KsepLogError
		mov	edi, [ebp+var_10]
		mov	edx, [ebp+var_C]
		pop	ecx
		pop	ecx
		jmp	loc_84F40D
; 

loc_8FE6CE:				; CODE XREF: KsepSdbMapToMemory+187j
		xor	eax, eax
		mov	esi, 0C0000001h
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	2
		push	9
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 2E4h
		mov	dword_6C7024[eax*8], esi
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_8FE718
		push	offset ??_C@_0CG@DMMNINDB@KSE?3?5SdbInitDatabaseInMemory?5Fa@NNGAKEGL@ ; char *
		push	0		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_8FE718:				; CODE XREF: KsepSdbMapToMemory+AF3B8j
		push	offset ??_C@_0CG@DMMNINDB@KSE?3?5SdbInitDatabaseInMemory?5Fa@NNGAKEGL@ ; char *
		push	0		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx
		jmp	loc_84F415
; 

loc_8FE72B:				; CODE XREF: KsepSdbMapToMemory+C7j
		push	edi
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		jmp	loc_84F41D
; 

loc_8FE736:				; CODE XREF: KsepSdbMapToMemory+CFj
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	loc_84F425
; 

loc_8FE742:				; CODE XREF: KsepSdbMapToMemory+D9j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_84F42F
; 

loc_8FE74F:				; CODE XREF: KsepSdbMapToMemory+E3j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_84F439
; END OF FUNCTION CHUNK	FOR KsepSdbMapToMemory
; 
; START	OF FUNCTION CHUNK FOR IopBootLog

loc_8FE75C:				; CODE XREF: IopBootLog+6Bj
		push	1
		add	eax, 20h
		push	eax
		call	ExAcquireResourceExclusiveLite
		test	bl, bl
		jz	short loc_8FE773
		push	ds:dword_A933A4
		jmp	short loc_8FE77C
; 

loc_8FE773:				; CODE XREF: IopBootLog+AF25Bj
		mov	eax, ds:dword_A933A4
		add	eax, 8
		push	eax

loc_8FE77C:				; CODE XREF: IopBootLog+AF263j
		lea	eax, [ebp+var_410]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		push	offset ??_C@_13HOIJIPNN@?$AA?5@NNGAKEGL@
		lea	eax, [ebp+var_41C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_41C]
		push	eax
		lea	eax, [ebp+var_410]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	esi
		lea	eax, [ebp+var_410]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	offset ??_C@_15JNBOKNOG@?$AA?$AN?$AA?6@NNGAKEGL@
		lea	eax, [ebp+var_424]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_424]
		push	eax
		lea	eax, [ebp+var_410]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	si, word ptr [ebp+var_410]
		mov	edi, [ebp+var_40C]
		cmp	si, word ptr [ebp+var_410+2]
		jnz	short loc_8FE80D
		mov	eax, 0FFFEh
		add	si, ax
		movzx	eax, si
		shr	eax, 1
		xor	ecx, ecx
		mov	word ptr [ebp+var_410],	si
		mov	[edi+eax*2], cx

loc_8FE80D:				; CODE XREF: IopBootLog+AF2E3j
		mov	edx, ds:dword_A933A4
		mov	ecx, [edx+58h]
		push	ecx		; char
		push	offset ??_C@_15KNBIKKIN@?$AA?$CF?$AAd@NNGAKEGL@	; wchar_t *
		push	100h		; int
		lea	eax, [ecx+1]
		mov	[edx+58h], eax
		lea	eax, [ebp+var_208]
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		lea	eax, [ebp+var_208]
		push	eax
		lea	eax, [ebp+var_42C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		lea	eax, [ebp+var_434]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, ds:dword_A933A4
		cmp	byte ptr [eax+5Ch], 0
		jnz	loc_8FE8EC
		push	1
		push	0F003Fh
		xor	ebx, ebx
		lea	ecx, [ebp+var_40C]
		push	offset _CmRegistryMachineSystemCurrentControlSetControlBootLog
		xor	edx, edx
		mov	[ebp+var_414], ebx
		mov	[ebp+var_40C], ebx
		call	IopOpenRegistryKey
		test	eax, eax
		js	short loc_8FE8F7
		mov	edx, [ebp+var_40C]
		lea	eax, [ebp+var_42C]
		push	1
		push	0F003Fh
		push	eax
		lea	ecx, [ebp+var_414]
		call	IopOpenRegistryKey
		test	eax, eax
		js	short loc_8FE8DF
		movzx	eax, si
		add	eax, 2
		push	eax
		push	edi
		push	1
		push	ebx
		lea	eax, [ebp+var_434]
		push	eax
		push	[ebp+var_414]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_414]
		call	_ZwClose@4	; ZwClose(x)

loc_8FE8DF:				; CODE XREF: IopBootLog+AF3A7j
		push	[ebp+var_40C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_8FE8F7
; 

loc_8FE8EC:				; CODE XREF: IopBootLog+AF355j
		lea	ecx, [ebp+var_410]
		call	_IopBootLogToFile@4 ; IopBootLogToFile(x)

loc_8FE8F7:				; CODE XREF: IopBootLog+AF384j
					; IopBootLog+AF3DCj
		mov	ecx, ds:dword_A933A4
		lea	ecx, [ecx+20h]
		call	ExReleaseResourceLite
		jmp	loc_84F57F
; END OF FUNCTION CHUNK	FOR IopBootLog
; 
; START	OF FUNCTION CHUNK FOR EtwTiLogDriverObjectLoad

loc_8FE90A:				; CODE XREF: EtwTiLogDriverObjectLoad+35j
		push	0
		push	40000000h
		push	0
		push	edi
		push	ebx
		call	EtwProviderEnabled
		test	al, al
		jz	loc_84F615
		test	esi, esi
		jz	short loc_8FE94D
		movzx	ecx, word ptr [esi]
		test	cx, cx
		jz	short loc_8FE94D
		mov	ax, cx
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_34], eax
		mov	eax, [esi+4]
		mov	[ebp+var_24], eax
		mov	eax, ecx
		mov	[ebp+var_1C], eax
		jmp	short loc_8FE968
; 

loc_8FE94D:				; CODE XREF: EtwTiLogDriverObjectLoad+AF34Aj
					; EtwTiLogDriverObjectLoad+AF352j
		lea	eax, [ebp+var_38]
		mov	[ebp+var_38], 6
		mov	[ebp+var_34], eax
		mov	[ebp+var_24], offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ;	"(null)"
		mov	[ebp+var_1C], 0Ch

loc_8FE968:				; CODE XREF: EtwTiLogDriverObjectLoad+AF371j
		xor	ebx, ebx
		mov	[ebp+var_2C], 2
		lea	ecx, [ebp+var_3C]
		mov	[ebp+var_18], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_30], ebx
		call	_EtwpTiQueryCodeIntegrityOptions@4 ; EtwpTiQueryCodeIntegrityOptions(x)
		test	eax, eax
		jns	short loc_8FE98D
		or	[ebp+var_3C], 0FFFFFFFFh

loc_8FE98D:				; CODE XREF: EtwTiLogDriverObjectLoad+AF3ADj
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	ebx
		push	offset _THREATINT_DRIVER_OBJECT_LOAD
		push	dword_6BC124
		mov	[ebp+var_C], 4
		push	_EtwThreatIntProvRegHandle
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_84F615
; END OF FUNCTION CHUNK	FOR EtwTiLogDriverObjectLoad
; 
; START	OF FUNCTION CHUNK FOR SdbReadBinaryTag

loc_8FE9C2:				; CODE XREF: SdbReadBinaryTag+24j
		call	SdbGetTagFromTagID
		movzx	eax, ax
		push	eax
		push	esi
		push	(offset	loc_8C39D7+1)
		push	396h
		push	offset ??_C@_0BB@LJNHMANB@SdbReadBinaryTag@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	short loc_8FEA00
; 

loc_8FE9E7:				; CODE XREF: SdbReadBinaryTag+37j
		push	offset ??_C@_0BF@BPPGAGIB@Error?5reading?5buffer@NNGAKEGL@
		push	39Bh
		push	offset ??_C@_0BB@LJNHMANB@SdbReadBinaryTag@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h

loc_8FEA00:				; CODE XREF: SdbReadBinaryTag+AF393j
		xor	eax, eax
		jmp	loc_84F692
; END OF FUNCTION CHUNK	FOR SdbReadBinaryTag
; 
; START	OF FUNCTION CHUNK FOR SdbpValidateAndApplyCompatFlags

loc_8FEA07:				; CODE XREF: SdbpValidateAndApplyCompatFlags+18j
		push	3
		push	edx
		push	offset ??_C@_0DJ@PJIHKOPL@MajorVersion?5mismatch?0?5MajorVer@NNGAKEGL@
		push	32Ah
		push	offset ??_C@_0CA@NCGKJNJB@SdbpValidateAndApplyCompatFlags@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	loc_84F6C9
; 

loc_8FEA28:				; CODE XREF: SdbpValidateAndApplyCompatFlags+Aj
		or	dword ptr [ecx+0A28h], 1
		jmp	loc_84F6CF
; 

loc_8FEA34:				; CODE XREF: SdbpValidateAndApplyCompatFlags+28j
		push	(offset	loc_8C2468+2)
		push	334h
		push	offset ??_C@_0CA@NCGKJNJB@SdbpValidateAndApplyCompatFlags@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84F6C6
; END OF FUNCTION CHUNK	FOR SdbpValidateAndApplyCompatFlags
; 
; START	OF FUNCTION CHUNK FOR SdbpOpenDatabaseInMemory

loc_8FEA52:				; CODE XREF: SdbpOpenDatabaseInMemory+27j
		push	offset ??_C@_0CA@IINJBIKG@Failed?5to?5allocate?5DB?5structure@NNGAKEGL@
		push	44Dh
		push	offset ??_C@_0BJ@GELLJEDM@SdbpOpenDatabaseInMemory@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_8FEA91
; 

loc_8FEA6D:				; CODE XREF: SdbpOpenDatabaseInMemory+52j
		push	offset ??_C@_0BL@NBLFIGNK@Can?8t?5read?5database?5header@NNGAKEGL@
		push	458h
		push	offset ??_C@_0BJ@GELLJEDM@SdbpOpenDatabaseInMemory@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h

loc_8FEA86:				; CODE XREF: SdbpOpenDatabaseInMemory+65j
		push	74705041h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FEA91:				; CODE XREF: SdbpOpenDatabaseInMemory+AF393j
		xor	eax, eax
		jmp	loc_84F745
; END OF FUNCTION CHUNK	FOR SdbpOpenDatabaseInMemory
; 
; START	OF FUNCTION CHUNK FOR SdbCloseDatabaseRead

loc_8FEA98:				; CODE XREF: SdbCloseDatabaseRead+16j
		cmp	dword ptr [eax+8], 1
		jnz	loc_84F768
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_8FEAB6
		push	edi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+0A3Ch]

loc_8FEAB6:				; CODE XREF: SdbCloseDatabaseRead+AF35Bj
		test	eax, eax
		jz	short loc_8FEAC1
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FEAC1:				; CODE XREF: SdbCloseDatabaseRead+AF36Cj
		mov	ecx, [esi+0A40h]
		mov	[esi+0A3Ch], ebx
		test	ecx, ecx
		jz	loc_84F768
		call	_AslHashFree@4	; AslHashFree(x)
		mov	[esi+0A40h], ebx
		jmp	loc_84F768
; 

loc_8FEAE5:				; CODE XREF: SdbCloseDatabaseRead+21j
		test	al, 1
		jz	loc_84F773
		mov	eax, [esi+4]
		test	eax, eax
		jz	loc_84F773
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+4], ebx
		mov	[esi+0Ch], ebx
		jmp	loc_84F773
; END OF FUNCTION CHUNK	FOR SdbCloseDatabaseRead
; 
; START	OF FUNCTION CHUNK FOR SdbInitDatabaseInMemory

loc_8FEB0A:				; CODE XREF: SdbInitDatabaseInMemory+18j
		push	offset ??_C@_0BO@JBCGLKOO@Failed?5to?5allocate?5sdbcontext@NNGAKEGL@
		push	40Dh
		push	(offset	loc_8C2553+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_8FEB35
; 

loc_8FEB25:				; CODE XREF: SdbInitDatabaseInMemory+AF3D6j
		call	SdbCloseDatabaseRead

loc_8FEB2A:				; CODE XREF: SdbInitDatabaseInMemory+AF3D4j
		push	74705041h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FEB35:				; CODE XREF: SdbInitDatabaseInMemory+AF39Dj
		xor	eax, eax
		jmp	loc_84F7E5
; 

loc_8FEB3C:				; CODE XREF: SdbInitDatabaseInMemory+2Dj
		push	offset ??_C@_0BN@COLBLNAK@Unable?5to?5open?5main?5database@NNGAKEGL@
		push	416h
		push	(offset	loc_8C2553+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jz	short loc_8FEB2A
		jmp	short loc_8FEB25
; END OF FUNCTION CHUNK	FOR SdbInitDatabaseInMemory
; 
; START	OF FUNCTION CHUNK FOR SdbReleaseDatabase

loc_8FEB5E:				; CODE XREF: SdbReleaseDatabase+36j
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+3FCh], eax
		dec	eax
		mov	[ebp+var_20], eax
		jns	loc_84F88F
		mov	eax, [esi+3FCh]
		add	eax, 3FCh
		lock inc dword ptr [eax]
		push	offset ??_C@_0CN@BKAMMBMC@SDB?5Handle?5count?5was?5decremente@NNGAKEGL@
		push	64h
		push	edi
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84F88F
; 

loc_8FEB98:				; CODE XREF: SdbReleaseDatabase+3Ej
		push	offset ??_C@_0EE@JDBHMHFA@Attempt?5to?5release?5SDB?5handle?5t@NNGAKEGL@
		push	72h
		push	edi
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84F89A
; 

loc_8FEBAF:				; CODE XREF: SdbReleaseDatabase+4Fj
		mov	ecx, [esi+54h]
		call	SdbCloseDatabaseRead
		jmp	loc_84F879
; END OF FUNCTION CHUNK	FOR SdbReleaseDatabase

;  S U B	R O U T	I N E 


sub_8FEBBC	proc near		; DATA XREF: .text:006A47CCo
		mov	eax, [ebp-14h]
		mov	[ebp-1Ch], eax
		mov	eax, [ebp-1Ch]
		push	dword ptr [eax+4]
		mov	eax, [ebp-1Ch]
		push	dword ptr [eax]
		mov	eax, [ebp-1Ch]
		mov	eax, [eax]
		push	dword ptr [eax+4]
		mov	eax, [ebp-1Ch]
		mov	eax, [eax+4]
		push	dword ptr [eax+0B8h]
		push	0
		push	offset ??_C@_00CNPNBAHC@@NNGAKEGL@
		mov	eax, [ebp-1Ch]
		mov	eax, [eax]
		push	dword ptr [eax]
		push	offset ??_C@_0FK@ENLKOOIG@Shim?5Exception?5?$CF?$CDx?5in?5module?5?$CC?$CF@NNGAKEGL@
		push	0B3h
		push	offset ??_C@_0BF@JOEMLKFM@ShimExceptionHandler@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 2Ch
		xor	eax, eax
		inc	eax
		retn
sub_8FEBBC	endp


;  S U B	R O U T	I N E 


sub_8FEC0C	proc near		; DATA XREF: .text:006A47D0o
		mov	esp, [ebp-18h]
		jmp	loc_84F89A
sub_8FEC0C	endp

; 
; START	OF FUNCTION CHUNK FOR SdbpCleanupLocalDatabaseSupport

loc_8FEC14:				; CODE XREF: SdbpCleanupLocalDatabaseSupport+24j
					; SdbpCleanupLocalDatabaseSupport+AF372j
		xor	eax, eax
		mov	ecx, edi
		inc	eax
		shl	eax, cl
		test	[esi+10h], eax
		jz	short loc_8FEC28
		push	edi
		mov	ecx, esi
		call	_SdbpCloseLocalDatabaseEx@12 ; SdbpCloseLocalDatabaseEx(x,x,x)

loc_8FEC28:				; CODE XREF: SdbpCleanupLocalDatabaseSupport+AF364j
		inc	edi
		cmp	edi, 10h
		jb	short loc_8FEC14
		jmp	loc_84F8CA
; 

loc_8FEC33:				; CODE XREF: SdbpCleanupLocalDatabaseSupport+14j
		push	1
		mov	ecx, esi
		call	_SdbpCloseLocalDatabaseEx@12 ; SdbpCloseLocalDatabaseEx(x,x,x)
		jmp	loc_84F8D4
; END OF FUNCTION CHUNK	FOR SdbpCleanupLocalDatabaseSupport
; 
; START	OF FUNCTION CHUNK FOR AslLogCallPrintf

loc_8FEC41:				; CODE XREF: AslLogCallPrintf+Cj
		lea	ecx, [ebp+arg_10]
		push	ecx
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax
		pop	ebp
		retn
; END OF FUNCTION CHUNK	FOR AslLogCallPrintf
; 
; START	OF FUNCTION CHUNK FOR SdbpReadStringRef

loc_8FEC55:				; CODE XREF: SdbpReadStringRef+29j
		call	SdbGetTagFromTagID
		movzx	eax, ax
		push	eax
		push	esi
		push	offset ??_C@_0CK@EFGNGJNF@TagID?50x?$CF08X?0?5Tag?5?$CF04X?5not?5STRI@NNGAKEGL@
		push	223h
		push	offset ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	short loc_8FEC93
; 

loc_8FEC7A:				; CODE XREF: SdbpReadStringRef+3Cj
		push	offset ??_C@_0BD@GBHBBJKK@Error?5reading?5data@NNGAKEGL@
		push	228h
		push	offset ??_C@_0BC@NCDLJHHM@SdbpReadStringRef@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h

loc_8FEC93:				; CODE XREF: SdbpReadStringRef+AF380j
		xor	eax, eax
		jmp	loc_84F93D
; END OF FUNCTION CHUNK	FOR SdbpReadStringRef
; 
; START	OF FUNCTION CHUNK FOR SdbpGetStringTableItemFromStringRef

loc_8FEC9A:				; CODE XREF: SdbpGetStringTableItemFromStringRef+1Cj
		mov	edi, [ebx+0A3Ch]
		test	edi, edi
		jnz	short loc_8FECC4
		push	offset ??_C@_0BF@BCCGBNAE@No?5stringtable?5in?5DB@NNGAKEGL@
		push	2EFh
		push	offset ??_C@_0CE@BMLDKOE@SdbpGetStringTableItemFromStrin@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		mov	esi, 0C0000225h
		jmp	short loc_8FED2E
; 

loc_8FECC4:				; CODE XREF: SdbpGetStringTableItemFromStringRef+AF360j
		push	6
		pop	eax
		jmp	loc_84F99B
; 

loc_8FECCC:				; CODE XREF: SdbpGetStringTableItemFromStringRef+3Cj
		push	esi
		push	offset ??_C@_0ED@DCMDCLGF@RtlRunOnceExecuteOnce?5failed?5fo@NNGAKEGL@
		push	303h
		push	offset ??_C@_0CE@BMLDKOE@SdbpGetStringTableItemFromStrin@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_8FED26
; 

loc_8FECE8:				; CODE XREF: SdbpGetStringTableItemFromStringRef+70j
		push	(offset	loc_8C381E+2)
		push	321h
		push	offset ??_C@_0CE@BMLDKOE@SdbpGetStringTableItemFromStrin@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		mov	esi, 0C0000024h
		jmp	short loc_8FED2E
; 

loc_8FED08:				; CODE XREF: SdbpGetStringTableItemFromStringRef+47j
					; SdbpGetStringTableItemFromStringRef+51j
		push	offset ??_C@_0EH@PNILNHFJ@InitOnceGetStringTableOffset?5su@NNGAKEGL@
		push	313h
		push	offset ??_C@_0CE@BMLDKOE@SdbpGetStringTableItemFromStrin@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		mov	esi, 0C0000229h

loc_8FED26:				; CODE XREF: SdbpGetStringTableItemFromStringRef+AF3A4j
		test	esi, esi
		jns	loc_84F9BA

loc_8FED2E:				; CODE XREF: SdbpGetStringTableItemFromStringRef+AF380j
					; SdbpGetStringTableItemFromStringRef+AF3C4j
		and	[ebp+var_4], 0
		xor	edi, edi
		jmp	loc_84F9BA
; END OF FUNCTION CHUNK	FOR SdbpGetStringTableItemFromStringRef
; 
; START	OF FUNCTION CHUNK FOR SdbpGetMappedStringFromTable

loc_8FED39:				; CODE XREF: SdbpGetMappedStringFromTable+1Ej
					; SdbpGetMappedStringFromTable+29j ...
		push	(offset	loc_8C383D+5)
		push	37Ah
		push	offset ??_C@_0BN@OPBEPIGD@SdbpGetMappedStringFromTable@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		xor	eax, eax
		leave
		retn
; END OF FUNCTION CHUNK	FOR SdbpGetMappedStringFromTable
; 
; START	OF FUNCTION CHUNK FOR SdbGetStringTagPtr

loc_8FED56:				; CODE XREF: SdbGetStringTagPtr+Dj
		push	offset ??_C@_0M@CDOJHNDI@Invalid?5pdb@NNGAKEGL@
		push	27Bh
		jmp	short loc_8FED6C
; 

loc_8FED62:				; CODE XREF: SdbGetStringTagPtr+43j
		push	offset ??_C@_0BI@LALNJILA@Error?5getting?5StringRef@NNGAKEGL@
		push	28Fh

loc_8FED6C:				; CODE XREF: SdbGetStringTagPtr+AF348j
		push	offset ??_C@_0BD@COEPMOEJ@SdbGetStringTagPtr@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		xor	eax, eax
		jmp	loc_84FA6E
; 

loc_8FED82:				; CODE XREF: SdbGetStringTagPtr+28j
		mov	edx, ebx
		mov	ecx, esi
		call	SdbpGetMappedTagData
		jmp	loc_84FA6A
; END OF FUNCTION CHUNK	FOR SdbGetStringTagPtr
; 
; START	OF FUNCTION CHUNK FOR PiInitializeDDB

loc_8FED90:				; CODE XREF: PiInitializeDDB+7Dj
		cmp	_InitIsWinPEMode, 0
		jnz	loc_84FAF5
		mov	eax, ds:_PiLoggedErrorEventsMask
		test	al, 10h
		jnz	loc_84FAF5
		or	eax, 10h
		push	offset ??_C@_1CK@FMLCBACL@?$AAD?$AAA?$AAT?$AAA?$AAB?$AAA?$AAS?$AAE?$AA?5?$AAO?$AAP?$AAE?$AAN?$AA?5?$AAF@NNGAKEGL@
		jmp	short loc_8FEDBE
; 

loc_8FEDB4:				; CODE XREF: PiInitializeDDB+AF3B6j
		or	eax, 80h
		push	offset ??_C@_1CK@LCFHMPII@?$AAI?$AAN?$AAI?$AAT?$AA?5?$AAD?$AAA?$AAT?$AAA?$AAB?$AAA?$AAS?$AAE?$AA?5?$AAF@NNGAKEGL@

loc_8FEDBE:				; CODE XREF: PiInitializeDDB+AF340j
					; PiInitializeDDB+AF38Bj ...
		mov	ds:_PiLoggedErrorEventsMask, eax
		lea	eax, [ebp+var_28]
		push	eax
		mov	[ebp+var_24], edi
		mov	[ebp+var_28], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi		; size_t
		push	edi		; void *
		push	0C000036Dh	; int
		xor	edx, edx
		lea	ecx, [ebp+var_28]
		call	_PnpLogEvent@20	; PnpLogEvent(x,x,x,x,x)
		jmp	loc_84FAF5
; 

loc_8FEDE8:				; CODE XREF: PiInitializeDDB+DFj
		mov	eax, ds:_PiLoggedErrorEventsMask
		test	al, 20h
		jnz	loc_84FAF5
		or	eax, 20h
		push	offset ??_C@_1DA@CGKMMHFH@?$AAD?$AAA?$AAT?$AAA?$AAB?$AAA?$AAS?$AAE?$AA?5?$AAS?$AAE?$AAC?$AAT?$AAI?$AAO@NNGAKEGL@
		jmp	short loc_8FEDBE
; 

loc_8FEDFF:				; CODE XREF: PiInitializeDDB+103j
		mov	eax, ds:_PiLoggedErrorEventsMask
		test	al, 40h
		jnz	loc_84FAF5
		or	eax, 40h
		push	offset ??_C@_1DA@ENMEFAGE@?$AAD?$AAA?$AAT?$AAA?$AAB?$AAA?$AAS?$AAE?$AA?5?$AAM?$AAA?$AAP?$AAP?$AAI?$AAN@NNGAKEGL@
		jmp	short loc_8FEDBE
; 

loc_8FEE16:				; CODE XREF: PiInitializeDDB+116j
		mov	eax, ds:_PiLoggedErrorEventsMask
		mov	esi, 0C0000001h
		test	al, al
		js	loc_84FAF5
		jmp	short loc_8FEDB4
; 

loc_8FEE2A:				; CODE XREF: PiInitializeDDB+86j
		push	[ebp+var_C]
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)
		jmp	loc_84FAFE
; 

loc_8FEE39:				; CODE XREF: PiInitializeDDB+8Fj
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_84FB07
; 

loc_8FEE46:				; CODE XREF: PiInitializeDDB+98j
		push	[ebp+var_14]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_84FB10
; END OF FUNCTION CHUNK	FOR PiInitializeDDB

;  S U B	R O U T	I N E 


sub_8FEE53	proc near		; CODE XREF: KsepShimDatabaseTime+B9j
		push	ebx		; char *
		push	edi		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx
		jmp	loc_881EDD
sub_8FEE53	endp

; 
; START	OF FUNCTION CHUNK FOR KsepShimDatabaseTime

loc_8FEE61:				; CODE XREF: KsepShimDatabaseTime+FEj
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		mov	ebx, offset ??_C@_0DF@PGNHHABD@KSE?3?5ZwQueryInformationFile?5fai@NNGAKEGL@
		push	9
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 391h
		mov	dword_6C7024[eax*8], esi
		mov	_KsepHistoryErrors[eax*8], cx
		jmp	loc_881ED0
; END OF FUNCTION CHUNK	FOR KsepShimDatabaseTime
; 
; START	OF FUNCTION CHUNK FOR SdbpFindMatchingName

loc_8FEE99:				; CODE XREF: SdbpFindMatchingName+45j
		push	eax		; wchar_t *
		push	ecx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		js	short loc_8FEEE6
		jmp	loc_84FC44
; 

loc_8FEEAB:				; CODE XREF: SdbpFindMatchingName+38j
		push	ebx
		push	offset ??_C@_0CJ@MKJAMLMD@Can?8t?5get?5the?5name?5string?5for?5t@NNGAKEGL@
		push	10Ah
		push	offset ??_C@_0BF@OOLJGFD@SdbpFindMatchingName@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_8FEEE6
; 

loc_8FEEC7:				; CODE XREF: SdbpFindMatchingName+26j
		movzx	eax, word ptr [edi+0Ch]
		push	eax
		push	esi
		push	offset ??_C@_0CK@NAHMHKEF@The?5tag?50x?$CFx?5was?5not?5found?5unde@NNGAKEGL@
		push	100h
		push	offset ??_C@_0BF@OOLJGFD@SdbpFindMatchingName@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h

loc_8FEEE6:				; CODE XREF: SdbpFindMatchingName+AF2B6j
					; SdbpFindMatchingName+AF2D7j
		xor	eax, eax
		jmp	loc_84FC59
; END OF FUNCTION CHUNK	FOR SdbpFindMatchingName
; 
; START	OF FUNCTION CHUNK FOR KseDriverUnloadImage

loc_8FEEED:				; CODE XREF: KseDriverUnloadImage+48j
		cmp	[ebp+var_4], 0
		jz	loc_84FCB4
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D4A90
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebp+var_4]
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_8FEF52
		xor	ebx, ebx

loc_8FEF22:				; CODE XREF: KseDriverUnloadImage+AF2E7j
		mov	eax, [esi+10h]
		mov	eax, [ebx+eax+30h]
		test	byte ptr [eax+10h], 4
		jnz	short loc_8FEF41
		mov	eax, [eax+8]
		mov	eax, [eax+10h]
		test	eax, eax
		jz	short loc_8FEF41
		push	dword ptr [edi+18h] ; char
		call	eax
		mov	ecx, [ebp+var_8]

loc_8FEF41:				; CODE XREF: KseDriverUnloadImage+AF2C7j
					; KseDriverUnloadImage+AF2D1j
		mov	eax, [esi+0Ch]
		inc	ecx
		add	ebx, 34h
		mov	[ebp+var_8], ecx
		cmp	ecx, eax
		jb	short loc_8FEF22
		xor	ebx, ebx
		inc	ebx

loc_8FEF52:				; CODE XREF: KseDriverUnloadImage+AF2B8j
		xor	edx, edx
		mov	[ebp+var_C], edx
		test	eax, eax
		jz	loc_8FF00D
		xor	ecx, ecx
		mov	[ebp+var_8], ecx

loc_8FEF64:				; CODE XREF: KseDriverUnloadImage+AF3A1j
		mov	eax, [esi+10h]
		mov	edi, [ecx+eax+30h]
		cmp	dword ptr [edi+0Ch], 0
		ja	short loc_8FEFCB
		mov	eax, ebx
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		push	7
		pop	esi
		mov	word_6C7022[eax*8], si
		mov	esi, 58Dh
		mov	_KsepHistoryErrors[eax*8], si
		mov	esi, [ebp+var_4]
		mov	dword_6C7024[eax*8], 0C0000420h
		jz	short loc_8FEFCB
		push	0
		mov	eax, 58Dh
		push	eax
		push	offset ??_C@_0CB@IMKMNFAK@minkernel?2ntos?2kshim?2kseloader?4@NNGAKEGL@
		push	offset ??_C@_0BN@OACNHOHA@RegisteredShim?9?$DORefCount?5?$DO?50@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]

loc_8FEFCB:				; CODE XREF: KseDriverUnloadImage+AF309j
					; KseDriverUnloadImage+AF346j
		mov	eax, [edi+0Ch]
		dec	eax
		test	byte ptr [edi+10h], 4
		mov	[edi+0Ch], eax
		jz	short loc_8FEFFA
		test	eax, eax
		jnz	short loc_8FEFFA
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	loc_8FF160
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	loc_8FF160
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, [ebp+var_8]

loc_8FEFFA:				; CODE XREF: KseDriverUnloadImage+AF370j
					; KseDriverUnloadImage+AF374j
		inc	edx
		add	ecx, 34h
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		cmp	edx, [esi+0Ch]
		jb	loc_8FEF64

loc_8FF00D:				; CODE XREF: KseDriverUnloadImage+AF2F3j
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_8FF160
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_8FF160
		mov	[ecx], eax
		mov	edi, offset unk_6D4A90
		mov	[eax+4], ecx
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_8FF041
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_8FF041:				; CODE XREF: KseDriverUnloadImage+AF3D2j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		and	[ebp+var_C], 0
		mov	edx, [esi+0Ch]
		test	edx, edx
		jz	loc_8FF0FE
		xor	ecx, ecx
		mov	[ebp+var_8], ecx

loc_8FF061:				; CODE XREF: KseDriverUnloadImage+AF492j
		mov	eax, [esi+10h]
		mov	edi, [ecx+eax+30h]
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_8FF079
		mov	ecx, eax
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_8]

loc_8FF079:				; CODE XREF: KseDriverUnloadImage+AF407j
		test	byte ptr [edi+10h], 4
		jz	short loc_8FF0E6
		cmp	dword ptr [edi+0Ch], 0
		jnz	short loc_8FF0E6
		mov	ecx, edi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		mov	eax, ebx
		lock xadd _KsepHistoryMessagesIndex, eax
		inc	eax
		and	eax, 3Fh
		push	7
		pop	ecx
		and	dword_6C7244[eax*8], 0
		test	_KsepDebugFlag,	1
		mov	word_6C7242[eax*8], cx
		mov	ecx, 5C6h
		mov	_KsepHistoryMessages[eax*8], cx
		jz	short loc_8FF0D3
		push	edi		; char
		push	offset ??_C@_0FA@OMDCIEJP@KSE?3?5Cleaned?5up?5dangling?5shim?5o@NNGAKEGL@ ; char *
		push	5		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_8FF0D3:				; CODE XREF: KseDriverUnloadImage+AF45Bj
		push	edi
		push	offset ??_C@_0FA@OMDCIEJP@KSE?3?5Cleaned?5up?5dangling?5shim?5o@NNGAKEGL@
		push	5
		call	_KsepLogInfo
		mov	ecx, [ebp+var_8]
		add	esp, 0Ch

loc_8FF0E6:				; CODE XREF: KseDriverUnloadImage+AF417j
					; KseDriverUnloadImage+AF41Dj
		mov	eax, [ebp+var_C]
		add	ecx, 34h
		mov	edx, [esi+0Ch]
		inc	eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], ecx
		cmp	eax, edx
		jb	loc_8FF061

loc_8FF0FE:				; CODE XREF: KseDriverUnloadImage+AF3F0j
		mov	ecx, [esi+10h]
		call	KsepDbFreeDriverShims
		mov	ecx, esi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		lock xadd _KsepHistoryMessagesIndex, ebx
		inc	ebx
		and	ebx, 3Fh
		mov	esi, offset ??_C@_0DD@NHMKKKIL@KSE?3?5Shimmed?5driver?5unload?5noti@NNGAKEGL@
		push	7
		pop	eax
		and	dword_6C7244[ebx*8], 0
		test	_KsepDebugFlag,	1
		mov	word_6C7242[ebx*8], ax
		mov	eax, 5CEh
		mov	_KsepHistoryMessages[ebx*8], ax
		jz	short loc_8FF151
		push	esi		; char *
		push	5		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_8FF151:				; CODE XREF: KseDriverUnloadImage+AF4DFj
		push	esi
		push	5
		call	_KsepLogInfo
		pop	ecx
		pop	ecx
		jmp	loc_84FCB4
; 

loc_8FF160:				; CODE XREF: KseDriverUnloadImage+AF37Bj
					; KseDriverUnloadImage+AF386j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_8FF165:				; CODE XREF: SdbpGetNextIndexedRecord+1Cj
		push	edi
		push	offset ??_C@_0CC@MAMOALIP@The?5tag?50x?$CFlx?5is?5not?5an?5index?5t@NNGAKEGL@
		push	201h
		jmp	short loc_8FF17D
; END OF FUNCTION CHUNK	FOR KseDriverUnloadImage
; 
; START	OF FUNCTION CHUNK FOR SdbpGetNextIndexedRecord

loc_8FF172:				; CODE XREF: SdbpGetNextIndexedRecord+2Fj
		push	edi
		push	offset ??_C@_0DD@LMANNPAC@Failed?5to?5get?5pointer?5to?5the?5in@NNGAKEGL@
		push	208h

loc_8FF17D:				; CODE XREF: KseDriverUnloadImage+AF50Aj
		push	offset ??_C@_0BJ@MNECNDBL@SdbpGetNextIndexedRecord@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		xor	eax, eax
		jmp	loc_84FD47
; 

loc_8FF193:				; CODE XREF: SdbpGetNextIndexedRecord+3Dj
		mov	eax, [esi+4]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	short loc_8FF1A8
		imul	eax, [esi+10h],	0Ch
		mov	eax, [eax+ebx+8]
		mov	[ebp+arg_0], eax

loc_8FF1A8:				; CODE XREF: SdbpGetNextIndexedRecord+AF4D1j
		mov	ebx, [ebp+var_4]
		mov	edx, eax
		mov	ecx, ebx
		call	SdbpGetNextTagId
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		mov	edi, eax
		call	SdbGetTagFromTagID
		movzx	eax, ax
		mov	edx, edi
		mov	ecx, ebx
		mov	[ebp+arg_0], eax
		call	SdbGetTagFromTagID
		movzx	ecx, ax
		test	cx, cx
		jz	loc_84FD44
		mov	eax, ecx
		mov	edx, 7000h
		and	eax, 0F000h
		cmp	ax, dx
		jnz	loc_84FD44
		cmp	cx, word ptr [ebp+arg_0]
		jnz	loc_84FD44
		cmp	edi, [esi+8]
		jz	loc_84FD44
		mov	[esi+4], edi
		jmp	loc_84FD5A
; END OF FUNCTION CHUNK	FOR SdbpGetNextIndexedRecord
; 
; START	OF FUNCTION CHUNK FOR InitOnceGetStringTableOffset

loc_8FF20B:				; CODE XREF: InitOnceGetStringTableOffset+Bj
		push	offset ??_C@_0DG@GGNJABMO@PDB?5was?5not?5supplied?5for?5InitOn@NNGAKEGL@
		push	2B2h
		push	offset ??_C@_0BN@JIAHKIEA@InitOnceGetStringTableOffset@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		xor	eax, eax
		jmp	loc_84FDA3
; 

loc_8FF22B:				; CODE XREF: InitOnceGetStringTableOffset+17j
		push	offset ??_C@_0EA@EKDDGMOF@No?5return?5context?5was?5supplied?5@NNGAKEGL@
		push	2B8h
		push	offset ??_C@_0BN@JIAHKIEA@InitOnceGetStringTableOffset@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		xor	eax, eax
		jmp	loc_84FDA2
; 

loc_8FF24B:				; CODE XREF: InitOnceGetStringTableOffset+38j
		push	offset ??_C@_0BF@BCCGBNAE@No?5stringtable?5in?5DB@NNGAKEGL@
		push	2C2h
		push	offset ??_C@_0BN@JIAHKIEA@InitOnceGetStringTableOffset@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_84FD9F
; END OF FUNCTION CHUNK	FOR InitOnceGetStringTableOffset

;  S U B	R O U T	I N E 


sub_8FF269	proc near		; CODE XREF: IopUnloadDriver+5Ej
		push	ebx
		push	offset ??_C@_0CN@OHIJAEJ@Server?5Silo?5attempting?5to?5unloa@NNGAKEGL@
		call	_DbgPrint
		pop	ecx
		pop	ecx

loc_8FF276:				; CODE XREF: IopUnloadDriver+274j
		mov	eax, 0C0000061h
		jmp	loc_84FFEE
sub_8FF269	endp

; 
; START	OF FUNCTION CHUNK FOR IopUnloadDriver

loc_8FF280:				; CODE XREF: IopUnloadDriver+285j
		mov	ebx, eax
		jmp	loc_850033
; 

loc_8FF287:				; CODE XREF: IopUnloadDriver+29Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		jmp	loc_84FFEE
; END OF FUNCTION CHUNK	FOR IopUnloadDriver

;  S U B	R O U T	I N E 


sub_8FF298	proc near		; DATA XREF: .text:006A47ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_8FF298	endp


;  S U B	R O U T	I N E 


sub_8FF2A6	proc near		; DATA XREF: .text:006A47F0o
		mov	esp, [ebp-18h]
		cmp	dword ptr [ebp-28h], 0
		jz	short loc_8FF2B9
		push	0
		push	dword ptr [ebp-28h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FF2B9:				; CODE XREF: sub_8FF2A6+7j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3Ch]
		jmp	loc_84FFEE
sub_8FF2A6	endp

; 
; START	OF FUNCTION CHUNK FOR IopUnloadDriver

loc_8FF2C8:				; CODE XREF: IopUnloadDriver+13Bj
					; IopUnloadDriver+145j
		mov	ecx, esi

loc_8FF2CA:				; CODE XREF: IopUnloadDriver+15Aj
		call	ObfDereferenceObject
		mov	edi, 0C0000010h
		jmp	loc_84FFC8
; END OF FUNCTION CHUNK	FOR IopUnloadDriver
; 
; START	OF FUNCTION CHUNK FOR EtwUnregister

loc_8FF2D9:				; CODE XREF: EtwUnregister+11j
		mov	eax, 0C0000008h
		jmp	loc_8501D3
; 

loc_8FF2E3:				; CODE XREF: EtwUnregister+1Bj
		push	0
		push	1
		push	esi
		push	4
		push	11Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_8FF2F4:				; CODE XREF: EtwUnregister+CEj
		mov	eax, [esi+10h]
		add	eax, 14h
		push	eax
		push	edi
		push	1
		push	ecx
		push	ecx
		mov	ecx, ebx
		call	_EtwpEventWriteTemplateSessAndProv@28 ;	EtwpEventWriteTemplateSessAndProv(x,x,x,x,x,x,x)
		jmp	loc_8501B4
; END OF FUNCTION CHUNK	FOR EtwUnregister
; 
; START	OF FUNCTION CHUNK FOR EtwpCloseRegistrationObject

loc_8FF30C:				; CODE XREF: EtwpCloseRegistrationObject+32j
		mov	eax, [edi+10h]
		add	eax, 14h
		push	eax
		push	0
		push	1
		push	ecx
		push	ecx
		mov	ecx, ebx
		call	_EtwpEventWriteTemplateSessAndProv@28 ;	EtwpEventWriteTemplateSessAndProv(x,x,x,x,x,x,x)
		jmp	loc_7E25AA
; END OF FUNCTION CHUNK	FOR EtwpCloseRegistrationObject
; 
; START	OF FUNCTION CHUNK FOR PiCMGetRegistryProperty

loc_8FF325:				; CODE XREF: PiCMGetRegistryProperty+9Bj
		mov	esi, 0C000009Ah
		jmp	loc_8502D5
; 

loc_8FF32F:				; CODE XREF: PiCMGetRegistryProperty+C1j
		cmp	[ebp+var_2C], 2
		jnz	short loc_8FF357
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_4]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	edi
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_C]
		push	0
		call	__CmGetInstallerClassRegProp@32	; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		jmp	loc_850319
; 

loc_8FF357:				; CODE XREF: PiCMGetRegistryProperty+AF0FFj
		mov	ebx, [ebp+arg_C]

loc_8FF35A:				; CODE XREF: PiCMGetRegistryProperty+40j
					; PiCMGetRegistryProperty+49j ...
		mov	esi, 0C000000Dh
		jmp	loc_85031E
; 

loc_8FF364:				; CODE XREF: PiCMGetRegistryProperty+6Dj
					; PiCMGetRegistryProperty+79j
		mov	esi, 0C000000Dh
		jmp	loc_85035D
; END OF FUNCTION CHUNK	FOR PiCMGetRegistryProperty
; 
; START	OF FUNCTION CHUNK FOR PiCMReleaseRegistryPropertyInputData

loc_8FF36E:				; CODE XREF: PiCMReleaseRegistryPropertyInputData+28j
		test	bl, bl
		jz	loc_8503A8
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8503A8
; END OF FUNCTION CHUNK	FOR PiCMReleaseRegistryPropertyInputData
; 
; START	OF FUNCTION CHUNK FOR PiCMConvertRegistryProperty

loc_8FF383:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 4 ; case 0x3
		retn
; 

loc_8FF38A:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 6 ; case 0x5
		retn
; 

loc_8FF391:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 7 ; case 0x6
		retn
; 

loc_8FF398:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 0Bh ; case 0xA
		retn
; 

loc_8FF39F:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 0Fh ; case 0xE
		retn
; 

loc_8FF3A6:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 11h ; case 0x10
		retn
; 

loc_8FF3AD:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 14h ; case 0x13
		retn
; 

loc_8FF3B4:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 17h ; case 0x16
		retn
; 

loc_8FF3BB:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 18h ; case 0x17
		retn
; 

loc_8FF3C2:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 19h ; case 0x18
		retn
; 

loc_8FF3C9:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 1Ah ; case 0x19
		retn
; 

loc_8FF3D0:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 1Bh ; case 0x1A
		retn
; 

loc_8FF3D7:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 1Ch ; case 0x1B
		retn
; 

loc_8FF3DE:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 1Dh ; case 0x1C
		retn
; 

loc_8FF3E5:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 1Eh ; case 0x1D
		retn
; 

loc_8FF3EC:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 1Fh ; case 0x1E
		retn
; 

loc_8FF3F3:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 20h ; case 0x1F
		retn
; 

loc_8FF3FA:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 21h ; case 0x20
		retn
; 

loc_8FF401:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 22h ; case 0x21
		retn
; 

loc_8FF408:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 24h ; case 0x23
		retn
; 

loc_8FF40F:				; CODE XREF: PiCMConvertRegistryProperty+Cj
					; DATA XREF: PAGE:off_850432o
		mov	dword ptr [edx], 25h ; case 0x24
		retn
; 

loc_8FF416:				; CODE XREF: PiCMConvertRegistryProperty+6j
		mov	eax, 0C000000Dh	; default
		retn
; END OF FUNCTION CHUNK	FOR PiCMConvertRegistryProperty
; 
; START	OF FUNCTION CHUNK FOR PiCMCaptureRegistryPropertyInputData

loc_8FF41C:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+56j
					; PiCMCaptureRegistryPropertyInputData+5Ej
		mov	byte ptr [ecx],	0
		jmp	loc_85052A
; 

loc_8FF424:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+6Aj
					; PiCMCaptureRegistryPropertyInputData+7Cj
		mov	eax, 0C000000Dh
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], eax
		jmp	loc_850548
; END OF FUNCTION CHUNK	FOR PiCMCaptureRegistryPropertyInputData

;  S U B	R O U T	I N E 


sub_8FF434	proc near		; DATA XREF: .text:006A480Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8FF434	endp


;  S U B	R O U T	I N E 


sub_8FF442	proc near		; DATA XREF: .text:006A4810o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-30h]
		mov	[ebp-1Ch], eax
		mov	[ebp-24h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp+0Ch]
		jmp	loc_85054F
sub_8FF442	endp

; 
; START	OF FUNCTION CHUNK FOR PiCMCaptureRegistryPropertyInputData

loc_8FF45D:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+A7j
		test	eax, eax
		jnz	short loc_8FF46B

loc_8FF461:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+9Bj
		cmp	dword ptr [ebx+10h], 0
		ja	short loc_8FF471
		test	eax, eax
		jz	short loc_8FF4BA

loc_8FF46B:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+AEF99j
		cmp	dword ptr [ebx+10h], 2
		jnb	short loc_8FF4BA

loc_8FF471:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+EDj
					; PiCMCaptureRegistryPropertyInputData+AEF9Fj ...
		mov	esi, 0C000000Dh

loc_8FF476:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+FDj
		cmp	[ebp+var_28], 0
		jz	short loc_8FF491
		mov	eax, [ebx+0Ch]
		cmp	byte ptr [ebp+var_20], 0
		jz	short loc_8FF491
		test	eax, eax
		jz	short loc_8FF491
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FF491:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+AEFB4j
					; PiCMCaptureRegistryPropertyInputData+AEFBDj ...
		cmp	[ebp+var_2C], 0
		jz	short loc_8FF4AC
		mov	eax, [ebx+1Ch]
		cmp	byte ptr [ebp+var_20], 0
		jz	short loc_8FF4AC
		test	eax, eax
		jz	short loc_8FF4AC
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FF4AC:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+AEFCFj
					; PiCMCaptureRegistryPropertyInputData+AEFD8j ...
		push	0Ah
		pop	ecx
		xor	eax, eax
		mov	edi, ebx
		rep stosd
		jmp	loc_8505C9
; 

loc_8FF4BA:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+AEFA3j
					; PiCMCaptureRegistryPropertyInputData+AEFA9j
		mov	esi, [ebp+var_1C]
		jmp	loc_85059F
; 

loc_8FF4C2:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+E3j
		mov	ecx, [ebx+20h]
		test	ecx, ecx
		jz	short loc_8FF4F8
		push	1
		push	[ebp+var_20]
		push	1
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	PiControlMakeUserModeCallersCopy
		mov	esi, eax
		test	esi, esi
		js	short loc_8FF4EC
		mov	[ebp+var_2C], 1
		jmp	loc_8505C1
; 

loc_8FF4EC:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+AF018j
		and	dword ptr [edi], 0
		and	dword ptr [ebx+20h], 0
		jmp	loc_8505C1
; 

loc_8FF4F8:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+AF001j
		test	eax, eax
		jz	loc_8505AF

loc_8FF500:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+F5j
		cmp	dword ptr [ebx+20h], 0
		jnz	loc_8505C1
		jmp	loc_8FF471
; 

loc_8FF50F:				; CODE XREF: PiCMCaptureRegistryPropertyInputData+31j
					; PiCMCaptureRegistryPropertyInputData+39j
		mov	esi, 0C000000Dh
		mov	ebx, [ebp+arg_4]
		jmp	loc_8505C1
; END OF FUNCTION CHUNK	FOR PiCMCaptureRegistryPropertyInputData
; 
; START	OF FUNCTION CHUNK FOR EtwSetProcessTelemetryCoverage

loc_8FF51C:				; CODE XREF: EtwSetProcessTelemetryCoverage+6Fj
					; EtwSetProcessTelemetryCoverage+AEF99j
		mov	eax, 0C000000Dh
		jmp	loc_850643
; 

loc_8FF526:				; CODE XREF: EtwSetProcessTelemetryCoverage+37j
		cmp	eax, 0FFFFFFFEh
		jnz	short loc_8FF551
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpCoverageCheckCP@8 ; EtwpCoverageCheckCP(x,x)
		jmp	short loc_8FF53F
; 

loc_8FF536:				; CODE XREF: EtwSetProcessTelemetryCoverage+AEF64j
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpCoverageResetCP@8 ; EtwpCoverageResetCP(x,x)

loc_8FF53F:				; CODE XREF: EtwSetProcessTelemetryCoverage+AEF44j
		test	eax, eax
		jnz	loc_850641
		mov	eax, 0C0000225h
		jmp	loc_850643
; 

loc_8FF551:				; CODE XREF: EtwSetProcessTelemetryCoverage+AEF39j
		cmp	eax, 0FFFFFFFDh
		jz	short loc_8FF536
		cmp	eax, 0FFFFFFFCh
		jnz	short loc_8FF586
		call	_EtwpCoverageUserIsAdmin@0 ; EtwpCoverageUserIsAdmin()
		test	al, al
		jnz	short loc_8FF56E
		mov	eax, 0C0000022h
		jmp	loc_850643
; 

loc_8FF56E:				; CODE XREF: EtwSetProcessTelemetryCoverage+AEF72j
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_EtwpCoverageReset@8 ; EtwpCoverageReset(x,x)
		mov	eax, [edi+8]
		mov	eax, [eax+18h]
		mov	[esi+8], eax
		jmp	loc_850641
; 

loc_8FF586:				; CODE XREF: EtwSetProcessTelemetryCoverage+AEF69j
		cmp	eax, 0FFFFFFFBh
		jnz	short loc_8FF51C
		mov	ecx, esi
		call	_EtwpCoverageRecordAtHighIrql@4	; EtwpCoverageRecordAtHighIrql(x)
		jmp	loc_850641
; END OF FUNCTION CHUNK	FOR EtwSetProcessTelemetryCoverage

;  S U B	R O U T	I N E 


sub_8FF597	proc near		; DATA XREF: .text:006A4838o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_8FF597	endp


;  S U B	R O U T	I N E 


sub_8FF5A5	proc near		; DATA XREF: .text:006A483Co
		mov	eax, [ebp-34h]
		jmp	short loc_8FF5BB
; 

loc_8FF5AA:				; DATA XREF: .text:006A482Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_8FF5B8:				; DATA XREF: .text:006A4830o
		mov	eax, [ebp-38h]

loc_8FF5BB:				; CODE XREF: sub_8FF5A5+3j
		mov	esp, [ebp-18h]
		mov	[ebp-1Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-24h]
		xor	esi, esi
		jmp	loc_850786
sub_8FF5A5	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpCoverageEnsureUserModeView

loc_8FF5D2:				; CODE XREF: EtwpCoverageEnsureUserModeView+E1j
		test	al, 4
		jnz	loc_85074B
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_85074B
; 

loc_8FF5E6:				; CODE XREF: EtwpCoverageEnsureUserModeView+FFj
		push	esi
		push	esi
		mov	ecx, ebx
		call	MiUnmapViewOfSection
		jmp	loc_850769
; END OF FUNCTION CHUNK	FOR EtwpCoverageEnsureUserModeView
; 
; START	OF FUNCTION CHUNK FOR IoCreateDeviceSecure

loc_8FF5F4:				; CODE XREF: IoCreateDeviceSecure+1B5j
		mov	ebx, [esp+50h+var_28]
		mov	esi, 0C000000Dh
		mov	edi, [esp+50h+var_3C]
		jmp	loc_850D77
; 

loc_8FF606:				; CODE XREF: IoCreateDeviceSecure+5Bj
		mov	ebx, [esp+50h+var_28]

loc_8FF60A:				; CODE XREF: IoCreateDeviceSecure+ABj
					; IoCreateDeviceSecure+EAj ...
		mov	edi, [esp+50h+var_3C]

loc_8FF60E:				; CODE XREF: IoCreateDeviceSecure+139j
					; IoCreateDeviceSecure+15Aj ...
		xor	edx, edx
		jmp	loc_850D77
; 

loc_8FF615:				; CODE XREF: IoCreateDeviceSecure+1CFj
		mov	esi, 0C000009Ah
		jmp	short loc_8FF60A
; 

loc_8FF61C:				; CODE XREF: IoCreateDeviceSecure+FDj
		mov	ecx, [esp+50h+var_24]
		jmp	loc_850CF9
; 

loc_8FF625:				; CODE XREF: IoCreateDeviceSecure+112j
		mov	al, [esp+50h+var_18]
		mov	byte ptr [esp+50h+var_38], al
		jmp	loc_850D0E
; 

loc_8FF632:				; CODE XREF: IoCreateDeviceSecure+192j
		push	edi
		call	IoDeleteDevice
		jmp	loc_850D8E
; END OF FUNCTION CHUNK	FOR IoCreateDeviceSecure
; 
; START	OF FUNCTION CHUNK FOR IopGetSecurityDescriptorInformation

loc_8FF63D:				; CODE XREF: IopGetSecurityDescriptorInformation+37j
		xor	ebx, ebx
		inc	ebx
		jmp	loc_850E43
; END OF FUNCTION CHUNK	FOR IopGetSecurityDescriptorInformation
; 
; START	OF FUNCTION CHUNK FOR LocalConvertStringSDToSD_Rev1

loc_8FF645:				; CODE XREF: LocalConvertStringSDToSD_Rev1+6Aj
		and	[ecx], edx
		jmp	loc_850F6E
; 

loc_8FF64C:				; CODE XREF: LocalConvertStringSDToSD_Rev1+25Cj
		cmp	ecx, 20h
		jz	short loc_8FF6C2
		cmp	edi, 53h
		jnz	short loc_8FF6CA
		push	3Ah
		pop	ecx
		cmp	[eax+2], cx
		jnz	short loc_8FF6CA
		add	eax, 4
		cmp	[esp+50h+var_30], 0
		jnz	short loc_8FF6CA
		push	28h
		pop	ecx
		cmp	[eax], cx
		jz	short loc_8FF693
		lea	ecx, [esp+50h+var_38]
		push	ecx		; int
		lea	ecx, [esp+54h+var_1C]
		push	ecx		; int
		push	2
		pop	edx
		mov	ecx, eax	; wchar_t *
		call	LocalGetSDControlForString
		mov	esi, eax
		test	esi, esi
		jnz	loc_851151
		mov	eax, [esp+50h+var_38]

loc_8FF693:				; CODE XREF: LocalConvertStringSDToSD_Rev1+AE771j
		push	0		; int
		push	0		; int
		push	0		; int
		push	0		; int
		lea	ecx, [esp+60h+var_38]
		xor	dl, dl		; int
		push	ecx		; int
		lea	ecx, [esp+64h+var_30]
		push	ecx		; int
		mov	ecx, eax	; wchar_t *
		call	LocalGetAclForString
		mov	esi, eax
		test	esi, esi
		jnz	loc_851151
		mov	byte ptr [esp+50h+var_20], 1
		jmp	loc_850FFC
; 

loc_8FF6C2:				; CODE XREF: LocalConvertStringSDToSD_Rev1+AE751j
		add	eax, 2
		jmp	loc_850F6E
; 

loc_8FF6CA:				; CODE XREF: LocalConvertStringSDToSD_Rev1+96j
					; LocalConvertStringSDToSD_Rev1+A4j ...
		push	57h
		pop	esi
		jmp	loc_8510D7
; 

loc_8FF6D2:				; CODE XREF: LocalConvertStringSDToSD_Rev1+120j
		push	eax
		call	RtlNtStatusToDosError
		mov	esi, eax
		jmp	loc_851024
; 

loc_8FF6DF:				; CODE XREF: LocalConvertStringSDToSD_Rev1+2AAj
		push	eax
		call	RtlNtStatusToDosError
		mov	esi, eax
		test	esi, esi
		jnz	loc_851151
		jmp	loc_851045
; 

loc_8FF6F4:				; CODE XREF: LocalConvertStringSDToSD_Rev1+2C4j
		push	eax
		call	RtlNtStatusToDosError
		mov	esi, eax
		test	esi, esi
		jnz	loc_851151
		jmp	loc_85104D
; 

loc_8FF709:				; CODE XREF: LocalConvertStringSDToSD_Rev1+16Cj
		push	eax
		call	RtlNtStatusToDosError
		mov	esi, eax
		test	esi, esi
		jnz	loc_851151
		jmp	loc_851070
; 

loc_8FF71E:				; CODE XREF: LocalConvertStringSDToSD_Rev1+177j
		push	0
		push	[esp+54h+var_30]
		lea	eax, [esp+58h+var_14]
		push	[esp+58h+var_20]
		push	eax
		call	_RtlSetSaclSecurityDescriptor@16 ; RtlSetSaclSecurityDescriptor(x,x,x,x)
		test	eax, eax
		jns	loc_85107B
		push	eax
		call	RtlNtStatusToDosError
		mov	esi, eax
		test	esi, esi
		jnz	loc_851151
		jmp	loc_85107B
; 

loc_8FF74F:				; CODE XREF: LocalConvertStringSDToSD_Rev1+1ACj
		push	8
		pop	esi
		jmp	loc_851151
; 

loc_8FF757:				; CODE XREF: LocalConvertStringSDToSD_Rev1+1C4j
		push	eax
		call	RtlNtStatusToDosError
		mov	esi, eax
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_8FF76D
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_8FF76D:				; CODE XREF: LocalConvertStringSDToSD_Rev1+AE865j
		and	dword ptr [edi], 0
		jmp	short loc_8FF775
; 

loc_8FF772:				; CODE XREF: LocalConvertStringSDToSD_Rev1+196j
		push	7Ah
		pop	esi

loc_8FF775:				; CODE XREF: LocalConvertStringSDToSD_Rev1+AE872j
		test	esi, esi
		jnz	loc_851151
		jmp	loc_8510C8
; 

loc_8FF782:				; CODE XREF: LocalConvertStringSDToSD_Rev1+1D3j
		mov	eax, [esp+50h+var_2C]
		mov	[ecx], eax
		jmp	loc_8510D7
; 

loc_8FF78D:				; CODE XREF: LocalConvertStringSDToSD_Rev1+1DEj
		test	edx, edx
		jz	loc_8510E2
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8510E2
; 

loc_8FF7A2:				; CODE XREF: LocalConvertStringSDToSD_Rev1+1E9j
		test	ebx, ebx
		jz	loc_8510ED
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8510ED
; 

loc_8FF7B7:				; CODE XREF: LocalConvertStringSDToSD_Rev1+206j
		push	0
		push	[esp+54h+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_85110A
; 

loc_8FF7C7:				; CODE XREF: LocalConvertStringSDToSD_Rev1+56j
					; LocalConvertStringSDToSD_Rev1+5Fj
		push	57h
		pop	eax
		jmp	loc_85110C
; END OF FUNCTION CHUNK	FOR LocalConvertStringSDToSD_Rev1
; 
; START	OF FUNCTION CHUNK FOR LocalGetAclForString

loc_8FF7CF:				; CODE XREF: LocalGetAclForString+B9j
		mov	eax, [ebp+var_98]
		xor	edx, edx
		mov	ecx, [ebp+var_CC]
		mov	[eax], edx
		lea	eax, [ebx+22h]
		mov	[ecx], eax
		jmp	loc_851727
; 

loc_8FF7E9:				; CODE XREF: LocalGetAclForString+F4j
		lea	edx, [eax-2]
		jmp	loc_8512DD
; 

loc_8FF7F1:				; CODE XREF: LocalGetAclForString+150j
		mov	eax, ecx
		mov	[ebp+var_BC], eax
		jmp	loc_85131E
; 

loc_8FF7FE:				; CODE XREF: LocalGetAclForString+16Aj
		push	8
		pop	edi
		jmp	loc_851727
; 

loc_8FF806:				; CODE XREF: LocalGetAclForString+1EBj
					; LocalGetAclForString+AE647j
		add	ebx, 2
		movzx	eax, word ptr [ebx]
		cmp	ax, dx
		jz	short loc_8FF806
		mov	ecx, eax
		jmp	loc_8513B9
; 

loc_8FF818:				; CODE XREF: LocalGetAclForString+205j
					; LocalGetAclForString+AE656j
		add	ebx, 2
		cmp	[ebx], dx
		jz	short loc_8FF818
		jmp	loc_8513D3
; 

loc_8FF825:				; CODE XREF: LocalGetAclForString+243j
		cmp	ax, dx
		jz	loc_851411

loc_8FF82E:				; CODE XREF: LocalGetAclForString+3C5j
					; LocalGetAclForString+658j ...
		mov	edi, 538h
		jmp	loc_8FFABD
; 

loc_8FF838:				; CODE XREF: LocalGetAclForString+255j
		cmp	bl, 8
		ja	loc_851423

loc_8FF841:				; CODE XREF: LocalGetAclForString+25Ej
		mov	eax, [ebp+var_98]
		mov	eax, [eax]
		mov	byte ptr [eax],	4
		jmp	loc_85142C
; 

loc_8FF851:				; CODE XREF: LocalGetAclForString+267j
		add	esi, 2
		jmp	loc_85142C
; 

loc_8FF859:				; CODE XREF: LocalGetAclForString+591j
					; LocalGetAclForString+AE697j
		add	esi, 2
		cmp	[esi], dx
		jz	short loc_8FF859
		jmp	loc_85175F
; 

loc_8FF866:				; CODE XREF: LocalGetAclForString+5D7j
		push	20h
		pop	edx
		jmp	loc_85144E
; 

loc_8FF86E:				; CODE XREF: LocalGetAclForString+28Ej
					; LocalGetAclForString+AE6AFj
		add	esi, 2
		movzx	eax, word ptr [esi]
		cmp	ax, dx
		jz	short loc_8FF86E
		mov	ecx, eax
		jmp	loc_85145C
; 

loc_8FF880:				; CODE XREF: LocalGetAclForString+2A2j
					; LocalGetAclForString+AE6BEj
		add	esi, 2
		cmp	[esi], dx
		jz	short loc_8FF880
		jmp	loc_851470
; 

loc_8FF88D:				; CODE XREF: LocalGetAclForString+2ABj
		push	4
		pop	eax
		jmp	loc_85147F
; 

loc_8FF895:				; CODE XREF: LocalGetAclForString+2FAj
					; LocalGetAclForString+AE6D6j
		add	esi, 2
		movzx	eax, word ptr [esi]
		cmp	ax, dx
		jz	short loc_8FF895
		mov	ecx, eax
		jmp	loc_8514C8
; 

loc_8FF8A7:				; CODE XREF: LocalGetAclForString+306j
		cmp	bl, 5
		jb	short loc_8FF8B1
		cmp	bl, 8
		jbe	short loc_8FF8BA

loc_8FF8B1:				; CODE XREF: LocalGetAclForString+AE6E2j
		cmp	bl, 0Bh
		jnz	loc_8FF82E

loc_8FF8BA:				; CODE XREF: LocalGetAclForString+AE6E7j
		push	24h
		push	esi
		lea	eax, [ebp+var_58]
		push	25h
		push	eax
		call	_wcsncpy_s
		xor	eax, eax
		lea	ecx, [ebp+var_58]
		add	esp, 10h
		mov	[ebp+var_10], ax
		test	edi, edi
		jnz	short loc_8FF8EF
		lea	edx, [ebp+var_70]
		call	_SddlpUuidFromString@8 ; SddlpUuidFromString(x,x)
		test	eax, eax
		jz	short loc_8FF922
		lea	eax, [ebp+var_70]
		mov	[ebp+var_B4], eax
		jmp	short loc_8FF904
; 

loc_8FF8EF:				; CODE XREF: LocalGetAclForString+AE70Ej
		lea	edx, [ebp+var_80]
		call	_SddlpUuidFromString@8 ; SddlpUuidFromString(x,x)
		test	eax, eax
		jz	short loc_8FF922
		lea	eax, [ebp+var_80]
		mov	[ebp+var_B0], eax

loc_8FF904:				; CODE XREF: LocalGetAclForString+AE725j
		add	esi, 48h
		push	3Bh
		pop	ecx
		push	20h
		movzx	eax, word ptr [esi]
		pop	edx
		cmp	ax, cx
		jz	loc_8514D4
		cmp	ax, dx
		jz	loc_8514D4

loc_8FF922:				; CODE XREF: LocalGetAclForString+AE71Aj
					; LocalGetAclForString+AE731j
		mov	edi, 6A9h
		jmp	loc_8FFABD
; 

loc_8FF92C:				; CODE XREF: LocalGetAclForString+318j
		add	esi, 2
		jmp	loc_8514DD
; 

loc_8FF934:				; CODE XREF: LocalGetAclForString+370j
					; LocalGetAclForString+AE772j
		add	esi, 2
		cmp	[esi], dx
		jz	short loc_8FF934
		jmp	loc_85153E
; 

loc_8FF941:				; CODE XREF: LocalGetAclForString+379j
					; LocalGetAclForString+382j ...
		push	3Bh
		pop	ecx
		cmp	[esi], cx
		jnz	loc_8FFA12
		add	esi, 2
		movzx	eax, word ptr [esi]
		mov	ecx, eax
		cmp	ax, dx
		jnz	short loc_8FF967

loc_8FF95A:				; CODE XREF: LocalGetAclForString+AE79Bj
		add	esi, 2
		movzx	eax, word ptr [esi]
		cmp	ax, dx
		jz	short loc_8FF95A
		mov	ecx, eax

loc_8FF967:				; CODE XREF: LocalGetAclForString+AE790j
		push	28h
		pop	eax
		cmp	cx, ax
		jnz	loc_8FFA0A
		xor	eax, eax
		cmp	[ebp+var_A0], eax
		jz	short loc_8FF991
		push	eax
		push	[ebp+var_A0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebp+var_A0], eax

loc_8FF991:				; CODE XREF: LocalGetAclForString+AE7B3j
		cmp	[ebp+var_AC], 0
		mov	[ebp+var_A4], eax
		jz	short loc_8FF9B4
		push	eax
		push	[ebp+var_AC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebp+var_AC], eax

loc_8FF9B4:				; CODE XREF: LocalGetAclForString+AE7D6j
		mov	[ebp+var_B8], eax
		lea	edx, [ebp+var_A8]
		mov	ecx, esi
		push	eax
		push	eax
		push	eax
		push	eax
		cmp	bl, 12h
		jnz	short loc_8FF9E9
		lea	eax, [ebp+var_B8]
		push	eax
		lea	eax, [ebp+var_AC]
		push	eax
		call	_LocalGetRelativeAttributeForString@32 ; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_8FF9FF
		jmp	loc_8FFABD
; 

loc_8FF9E9:				; CODE XREF: LocalGetAclForString+AE801j
		push	eax
		lea	eax, [ebp+var_A4]
		push	eax
		lea	eax, [ebp+var_A0]
		push	eax
		call	_LocalGetConditionForString@36 ; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)
		mov	edi, eax

loc_8FF9FF:				; CODE XREF: LocalGetAclForString+AE81Aj
		mov	eax, [ebp+var_A8]
		push	20h
		pop	edx
		jmp	short loc_8FFA12
; 

loc_8FFA0A:				; CODE XREF: LocalGetAclForString+AE7A5j
		mov	eax, esi
		mov	[ebp+var_A8], eax

loc_8FFA12:				; CODE XREF: LocalGetAclForString+AE77Fj
					; LocalGetAclForString+AE840j
		mov	ebx, [ebp+var_A4]
		mov	ecx, [ebp+var_B8]
		test	ebx, ebx
		jnz	short loc_8FFA2A
		test	ecx, ecx
		jz	loc_8FF82E

loc_8FFA2A:				; CODE XREF: LocalGetAclForString+AE858j
		test	edi, edi
		jnz	loc_8FFABD
		jmp	loc_851580
; 

loc_8FFA37:				; CODE XREF: LocalGetAclForString+3BBj
		add	eax, 2
		mov	[ebp+var_A8], eax
		jmp	loc_851580
; 

loc_8FFA45:				; CODE XREF: LocalGetAclForString+3FBj
		lea	eax, [esi-5]
		cmp	eax, 3
		ja	loc_8FF82E
		cmp	[ebp+var_B4], 0
		push	10h
		pop	eax
		mov	[ebp+var_94], eax
		jz	short loc_8FFA69
		mov	[ebp+var_94], edx

loc_8FFA69:				; CODE XREF: LocalGetAclForString+AE899j
		cmp	[ebp+var_B0], 0
		jz	loc_8515D3
		add	[ebp+var_94], eax
		jmp	loc_8515D3
; 

loc_8FFA81:				; CODE XREF: LocalGetAclForString+3E9j
		mov	eax, esi
		sub	eax, 0Bh
		jz	short loc_8FFAC8
		dec	eax

loc_8FFA89:				; CODE XREF: LocalGetAclForString+AE958j
		sub	eax, 1
		jnz	loc_8FF82E

loc_8FFA92:				; CODE XREF: LocalGetAclForString+3F2j
		cmp	ebx, 0FFFFFFFCh
		ja	loc_90004A
		lea	ecx, [ebx+3]
		and	ecx, 0FFFFFFFCh

loc_8FFAA1:				; CODE XREF: LocalGetAclForString+AE94Aj
		lea	eax, [ebp+var_94]
		push	eax
		push	0Ch
		pop	edx

loc_8FFAAB:				; CODE XREF: LocalGetAclForString+AE943j
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	loc_8515D3

loc_8FFAB8:				; CODE XREF: LocalGetAclForString+42Dj
					; LocalGetAclForString+44Fj ...
		mov	edi, 216h

loc_8FFABD:				; CODE XREF: LocalGetAclForString+AE66Bj
					; LocalGetAclForString+AE75Fj ...
		mov	esi, [ebp+var_88]
		jmp	loc_9000C7
; 

loc_8FFAC8:				; CODE XREF: LocalGetAclForString+AE8BEj
		cmp	[ebp+var_B4], 0
		push	10h
		pop	edx
		mov	[ebp+var_94], edx
		jz	short loc_8FFAE3
		push	20h
		pop	edx
		mov	[ebp+var_94], edx

loc_8FFAE3:				; CODE XREF: LocalGetAclForString+AE910j
		cmp	[ebp+var_B0], 0
		jz	short loc_8FFAF5
		add	edx, 10h
		mov	[ebp+var_94], edx

loc_8FFAF5:				; CODE XREF: LocalGetAclForString+AE922j
		cmp	ebx, 0FFFFFFFCh
		ja	loc_90004A
		lea	eax, [ebp+var_94]
		lea	ecx, [ebx+3]
		push	eax
		and	ecx, 0FFFFFFFCh
		jmp	short loc_8FFAAB
; 

loc_8FFB0D:				; CODE XREF: LocalGetAclForString+3DEj
		mov	eax, esi
		sub	eax, 12h
		jz	short loc_8FFAA1
		sub	eax, 1
		jz	loc_8515C9
		sub	eax, 1
		jnz	loc_8FFA89
		jmp	loc_8515C9
; 

loc_8FFB2B:				; CODE XREF: LocalGetAclForString+461j
		xor	eax, eax
		lea	ecx, [ebp+var_9C]
		mov	[ebp+var_9C], eax
		mov	eax, [ebp+var_C0]
		sub	eax, [ebp+var_DC]
		mul	ebx
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_8FFAB8
		mov	edx, [ebp+var_BC]
		mov	eax, ecx
		mov	ecx, [ebp+var_9C]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_8FFAB8
		push	ecx
		mov	ecx, [ebp+var_9C]
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, [ebp+var_98]
		mov	[ebp+var_C8], eax
		mov	ecx, [ecx]
		test	eax, eax
		jz	loc_900054
		mov	edx, [ebp+var_BC]
		push	edx		; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_C8]
		add	esp, 0Ch
		mov	ecx, [ebp+var_9C]
		mov	[eax+2], cx
		mov	ecx, [ebp+var_98]
		mov	ecx, [ecx]
		test	ecx, ecx
		jz	short loc_8FFBD0
		xor	eax, eax
		push	eax
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_C8]

loc_8FFBD0:				; CODE XREF: LocalGetAclForString+AE9F7j
		mov	ecx, [ebp+var_98]
		mov	[ecx], eax
		mov	eax, [ebp+var_9C]
		mov	[ebp+var_BC], eax
		jmp	loc_851635
; 

loc_8FFBE9:				; CODE XREF: LocalGetAclForString+495j
		sub	esi, 1
		jz	short loc_8FFC32
		sub	esi, 1
		jnz	loc_8FFC81
		mov	dl, [ebp+var_81]
		mov	esi, [ebp+var_88]
		mov	al, dl
		and	al, 80h
		movzx	eax, al
		push	eax
		mov	al, dl
		and	al, 40h
		movzx	eax, al
		push	eax
		mov	eax, [ebp+var_90]
		push	esi
		push	eax
		movzx	eax, dl
		and	eax, 0FFFFFF3Fh
		push	eax
		push	2
		push	dword ptr [ecx]
		call	_RtlAddAuditAccessAceEx@28 ; RtlAddAuditAccessAceEx(x,x,x,x,x,x,x)
		jmp	loc_851684
; 

loc_8FFC32:				; CODE XREF: LocalGetAclForString+AEA24j
		push	1
		jmp	loc_851664
; 

loc_8FFC39:				; CODE XREF: LocalGetAclForString+48Bj
		mov	esi, [ebp+var_88]
		mov	eax, [ebp+var_90]
		push	esi		; void *
		push	[ebp+var_B0]	; int
		push	[ebp+var_B4]	; int
		push	eax		; int
		movzx	eax, [ebp+var_81]
		push	eax		; int
		push	4		; int
		push	dword ptr [ecx]	; int
		call	_RtlAddAccessAllowedObjectAce@28 ; RtlAddAccessAllowedObjectAce(x,x,x,x,x,x,x)
		jmp	loc_851684
; 

loc_8FFC69:				; CODE XREF: LocalGetAclForString+485j
		cmp	esi, 6
		jz	short loc_8FFCCD
		cmp	esi, 7
		jz	short loc_8FFC8B
		cmp	esi, 8
		jbe	short loc_8FFC81
		cmp	esi, 0Ah
		jbe	loc_8FFFA7

loc_8FFC81:				; CODE XREF: LocalGetAclForString+AEA29j
					; LocalGetAclForString+AEAAEj ...
		mov	ebx, 0C000000Dh
		jmp	loc_9000AB
; 

loc_8FFC8B:				; CODE XREF: LocalGetAclForString+AEAA9j
		mov	dl, [ebp+var_81]
		mov	esi, [ebp+var_88]
		mov	al, dl
		and	al, 80h
		movzx	eax, al
		push	eax		; char
		mov	al, dl
		and	al, 40h
		movzx	eax, al
		push	eax		; char
		mov	eax, [ebp+var_90]
		push	esi		; void *
		push	[ebp+var_B0]	; int
		push	[ebp+var_B4]	; int
		push	eax		; int
		movzx	eax, dl
		push	eax		; int
		push	4		; int
		push	dword ptr [ecx]	; int
		call	_RtlAddAuditAccessObjectAce@36 ; RtlAddAuditAccessObjectAce(x,x,x,x,x,x,x,x,x)
		jmp	loc_851684
; 

loc_8FFCCD:				; CODE XREF: LocalGetAclForString+AEAA4j
		mov	esi, [ebp+var_88]
		mov	eax, [ebp+var_90]
		push	esi		; void *
		push	[ebp+var_B0]	; int
		push	[ebp+var_B4]	; int
		push	eax		; int
		movzx	eax, [ebp+var_81]
		push	eax		; int
		push	4		; int
		push	dword ptr [ecx]	; int
		call	_RtlAddAccessDeniedObjectAce@28	; RtlAddAccessDeniedObjectAce(x,x,x,x,x,x,x)
		jmp	loc_851684
; 

loc_8FFCFD:				; CODE XREF: LocalGetAclForString+47Cj
		mov	esi, [ebp+var_88]
		cmp	ebx, 0FFFFh
		jnb	loc_90009F
		mov	eax, [ebp+var_90]
		push	esi		; void *
		push	[ebp+var_B0]	; int
		push	[ebp+var_B4]	; int
		push	eax		; int
		movzx	eax, [ebp+var_81]
		push	eax		; int
		push	4		; int
		push	dword ptr [ecx]	; int
		call	_RtlAddAccessAllowedObjectAce@28 ; RtlAddAccessAllowedObjectAce(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9000B1
		mov	eax, [ebp+var_98]
		mov	ecx, [eax]
		lea	eax, [ebp+var_D8]
		push	eax
		movzx	eax, word ptr [ecx+4]
		dec	eax
		push	eax
		push	ecx
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9000B1
		mov	esi, [ebp+var_D8]
		cmp	byte ptr [esi],	5
		setz	al
		lea	eax, ds:9[eax*2]
		mov	[esi], al
		mov	eax, [ebp+var_94]
		mov	[esi+2], ax
		mov	eax, [ebp+var_A4]
		test	eax, eax
		jz	loc_90000D
		cmp	byte ptr [esi],	0Bh
		push	eax		; size_t
		push	[ebp+var_A0]	; void *
		push	[ebp+var_88]
		jnz	short loc_8FFDC3
		mov	esi, [esi+8]
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, [ebp+var_D8]
		mov	ecx, esi
		and	ecx, 1
		and	esi, 2
		lea	ecx, [esi+ecx*2]
		lea	eax, [eax+ecx*8]
		add	eax, 0Ch
		jmp	short loc_8FFDCD
; 

loc_8FFDC3:				; CODE XREF: LocalGetAclForString+AEBD8j
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	esi, 8
		add	eax, esi

loc_8FFDCD:				; CODE XREF: LocalGetAclForString+AEBF9j
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_90000D
; 

loc_8FFDDB:				; CODE XREF: LocalGetAclForString+476j
		sub	esi, 0Dh
		jz	loc_8FFFA7
		sub	esi, 4
		jz	loc_8FFF84
		sub	esi, 1
		jz	loc_8FFE89
		sub	esi, 1
		jz	short loc_8FFE67
		sub	esi, 1
		jz	short loc_8FFE44
		sub	esi, 1
		jnz	loc_8FFC81
		mov	eax, [ebp+var_A4]
		mov	esi, [ebp+var_88]
		cmp	eax, 0FFFFh
		jnb	loc_90009F
		push	eax
		push	[ebp+var_A0]
		mov	eax, [ebp+var_90]
		push	eax
		movzx	eax, [ebp+var_81]
		push	ecx
		mov	ecx, [ecx]
		push	esi
		push	eax
		call	_SddlAddAccessFilterAce@32 ; SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)
		jmp	loc_851684
; 

loc_8FFE44:				; CODE XREF: LocalGetAclForString+AEC36j
		mov	eax, [ebp+var_90]
		mov	esi, [ebp+var_88]
		push	eax
		movzx	eax, [ebp+var_81]
		push	ecx
		mov	ecx, [ecx]
		push	esi
		push	eax
		call	_SddlAddProcessTrustLabelAce@24	; SddlAddProcessTrustLabelAce(x,x,x,x,x,x)
		jmp	loc_851684
; 

loc_8FFE67:				; CODE XREF: LocalGetAclForString+AEC31j
		mov	esi, [ebp+var_88]
		mov	eax, [ebp+var_90]
		mov	ecx, [ecx]
		push	esi
		push	eax
		movzx	eax, [ebp+var_81]
		push	eax
		call	_SddlAddScopedPolicyIDAce@20 ; SddlAddScopedPolicyIDAce(x,x,x,x,x)
		jmp	loc_851684
; 

loc_8FFE89:				; CODE XREF: LocalGetAclForString+AEC28j
		cmp	ebx, 0FFFFh
		jnb	loc_9000A6
		test	[ebp+var_81], 0E0h
		jnz	loc_9000A6
		cmp	[ebp+var_90], 0
		mov	esi, [ebp+var_88]
		jnz	loc_90009F
		push	6		; size_t
		lea	eax, [ebp+var_60]
		push	eax		; void *
		lea	eax, [esi+2]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_90009F
		cmp	byte ptr [esi+1], 1
		jnz	loc_90009F
		cmp	[esi+8], eax
		jnz	loc_90009F
		push	ecx
		mov	ecx, ebx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_900008
		mov	al, [ebp+var_89]
		lea	ecx, [esi+8]
		mov	[esi], al
		mov	al, [ebp+var_81]
		mov	[esi+1], al
		xor	eax, eax
		mov	[esi+4], eax
		mov	eax, [ebp+var_88]
		push	eax		; void *
		push	ecx		; void *
		push	eax
		mov	[esi+2], bx
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		cmp	[ebp+var_B8], 0
		jz	short loc_8FFF61
		push	[ebp+var_B8]
		push	[ebp+var_AC]
		jmp	short loc_8FFF48
; 

loc_8FFF3C:				; CODE XREF: LocalGetAclForString+AEE3Bj
		push	[ebp+var_A4]	; size_t
		push	[ebp+var_A0]	; void *

loc_8FFF48:				; CODE XREF: LocalGetAclForString+AED72j
		push	[ebp+var_88]
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 8
		add	eax, esi
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_8FFF61:				; CODE XREF: LocalGetAclForString+AED64j
					; LocalGetAclForString:loc_8FFFFDj
		mov	eax, [ebp+var_98]
		push	ebx
		push	esi
		push	0FFFFFFFFh
		push	2
		push	dword ptr [eax]
		call	RtlAddAce
		mov	ebx, eax
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_90000D
; 

loc_8FFF84:				; CODE XREF: LocalGetAclForString+AEC1Fj
		mov	eax, [ebp+var_90]
		mov	esi, [ebp+var_88]
		push	eax
		movzx	eax, [ebp+var_81]
		push	ecx
		mov	ecx, [ecx]
		push	esi
		push	eax
		call	_SddlAddMandatoryAce@24	; SddlAddMandatoryAce(x,x,x,x,x,x)
		jmp	loc_851684
; 

loc_8FFFA7:				; CODE XREF: LocalGetAclForString+AEAB3j
					; LocalGetAclForString+AEC16j
		cmp	ebx, 0FFFFh
		jnb	loc_9000A6
		push	ecx
		mov	ecx, ebx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_900008
		mov	al, [ebp+var_89]
		lea	ecx, [esi+8]
		mov	[esi], al
		mov	al, [ebp+var_81]
		mov	[esi+1], al
		mov	eax, [ebp+var_90]
		mov	[esi+4], eax
		mov	eax, [ebp+var_88]
		push	eax		; void *
		push	ecx		; void *
		push	eax
		mov	[esi+2], bx
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		cmp	[ebp+var_A4], 0

loc_8FFFFD:				; DATA XREF: SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+381o
					; SepCommonAccessCheckExWithAdminlessChecks(x,x,x,x,x,x,x,x)+12FFo ...
		jz	loc_8FFF61
		jmp	loc_8FFF3C
; 

loc_900008:				; CODE XREF: LocalGetAclForString+AED26j
					; LocalGetAclForString+AEDF7j
					; DATA XREF: ...
		mov	ebx, 0C0000017h

loc_90000D:				; CODE XREF: LocalGetAclForString+AEBC2j
					; LocalGetAclForString+AEC0Ej ...
		mov	esi, [ebp+var_88]
		jmp	loc_851686
; 

loc_900018:				; CODE XREF: LocalGetAclForString+4EBj
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx
		mov	[ebp+var_A0], ecx
		jmp	loc_8516B9
; 

loc_90002C:				; CODE XREF: LocalGetAclForString+4FFj
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx
		mov	[ebp+var_AC], ecx
		jmp	loc_8516CD
; 

loc_900040:				; CODE XREF: LocalGetAclForString+5AEj
		mov	edi, 3ECh
		jmp	loc_8FFABD
; 

loc_90004A:				; CODE XREF: LocalGetAclForString+AE8CDj
					; LocalGetAclForString+AE930j
		mov	edi, 216h
		jmp	loc_9000EF
; 

loc_900054:				; CODE XREF: LocalGetAclForString+AE9C6j
		test	ecx, ecx
		jz	short loc_900061
		xor	eax, eax
		push	eax
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_900061:				; CODE XREF: LocalGetAclForString+AEE8Ej
		mov	eax, [ebp+var_98]
		xor	ecx, ecx
		cmp	[ebp+var_8A], 1
		mov	[eax], ecx
		jnz	short loc_900091
		mov	eax, [ebp+var_88]
		test	eax, eax
		jz	short loc_900087
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx

loc_900087:				; CODE XREF: LocalGetAclForString+AEEB4j
		mov	esi, ecx
		mov	[ebp+var_8A], cl
		jmp	short loc_900097
; 

loc_900091:				; CODE XREF: LocalGetAclForString+AEEAAj
		mov	esi, [ebp+var_88]

loc_900097:				; CODE XREF: LocalGetAclForString+AEEC7j
		push	8
		pop	edi
		jmp	loc_8516FE
; 

loc_90009F:				; CODE XREF: LocalGetAclForString+AEB41j
					; LocalGetAclForString+AEC52j ...
		mov	ebx, 0C0000077h
		jmp	short loc_9000B1
; 

loc_9000A6:				; CODE XREF: LocalGetAclForString+AECC7j
					; LocalGetAclForString+AECD4j ...
		mov	ebx, 0C0000077h

loc_9000AB:				; CODE XREF: LocalGetAclForString+4C0j
					; LocalGetAclForString+AEABEj
		mov	esi, [ebp+var_88]

loc_9000B1:				; CODE XREF: LocalGetAclForString+AEB70j
					; LocalGetAclForString+AEB95j ...
		push	ebx
		call	RtlNtStatusToDosError
		mov	edi, eax
		jmp	short loc_9000C7
; 

loc_9000BB:				; CODE XREF: LocalGetAclForString+354j
					; LocalGetAclForString+362j
		mov	edi, 538h
		jmp	short loc_9000C7
; 

loc_9000C2:				; CODE XREF: LocalGetAclForString+21Cj
		mov	edi, 70Ch

loc_9000C7:				; CODE XREF: LocalGetAclForString+346j
					; LocalGetAclForString+AE8FBj ...
		xor	ecx, ecx
		jmp	loc_8516FE
; 

loc_9000CE:				; CODE XREF: LocalGetAclForString+540j
		test	eax, eax
		jz	short loc_9000D9
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9000D9:				; CODE XREF: LocalGetAclForString+AEF08j
		mov	eax, [ebp+var_98]
		xor	edx, edx
		mov	[eax], edx
		jmp	loc_85171A
; 

loc_9000E8:				; CODE XREF: LocalGetAclForString+634j
		push	edx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9000EF:				; CODE XREF: LocalGetAclForString+129j
					; LocalGetAclForString+AEE87j
		xor	edx, edx
		jmp	loc_851727
; 

loc_9000F6:				; CODE XREF: LocalGetAclForString+567j
		push	edx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_851735
; 

loc_900102:				; CODE XREF: LocalGetAclForString+575j
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_851743
; 

loc_900110:				; CODE XREF: LocalGetAclForString+91j
					; LocalGetAclForString+99j ...
		push	57h
		pop	eax
		jmp	loc_851745
; END OF FUNCTION CHUNK	FOR LocalGetAclForString
; 
; START	OF FUNCTION CHUNK FOR LocalGetSDDLDeliminator

loc_900118:				; CODE XREF: LocalGetSDDLDeliminator+25j
		xor	edx, edx
		cmp	[edi], dx
		jz	loc_851872
		mov	ecx, [ebp+var_8]

loc_900126:				; CODE XREF: LocalGetSDDLDeliminator+AE946j
		cmp	[ecx], edx
		jnz	short loc_900180
		test	ebx, ebx
		jnz	short loc_900180
		movzx	eax, word ptr [edi]
		sub	eax, 22h
		jz	short loc_900161
		sub	eax, 6
		jz	short loc_900159
		sub	eax, 1
		jz	short loc_90014D
		sub	eax, 11h
		jnz	short loc_900178
		test	esi, esi
		jnz	short loc_900178
		mov	[ecx], edi
		jmp	short loc_900178
; 

loc_90014D:				; CODE XREF: LocalGetSDDLDeliminator+AE906j
		cmp	[ebp+var_4], edx
		jnz	short loc_900178
		test	esi, esi
		jz	short loc_900173
		dec	esi
		jmp	short loc_900178
; 

loc_900159:				; CODE XREF: LocalGetSDDLDeliminator+AE901j
		cmp	[ebp+var_4], edx
		jnz	short loc_900178
		inc	esi
		jmp	short loc_900178
; 

loc_900161:				; CODE XREF: LocalGetSDDLDeliminator+AE8FCj
		cmp	esi, 1
		jbe	short loc_900173
		xor	eax, eax
		cmp	[ebp+var_4], eax
		setz	al
		mov	[ebp+var_4], eax
		jmp	short loc_900178
; 

loc_900173:				; CODE XREF: LocalGetSDDLDeliminator+AE91Cj
					; LocalGetSDDLDeliminator+AE92Cj
		mov	ebx, 538h

loc_900178:				; CODE XREF: LocalGetSDDLDeliminator+AE90Bj
					; LocalGetSDDLDeliminator+AE90Fj ...
		add	edi, 2
		cmp	[edi], dx
		jnz	short loc_900126

loc_900180:				; CODE XREF: LocalGetSDDLDeliminator+AE8F0j
					; LocalGetSDDLDeliminator+AE8F4j
		cmp	[ebp+var_4], edx
		jnz	short loc_90018D
		test	esi, esi
		jz	loc_851872

loc_90018D:				; CODE XREF: LocalGetSDDLDeliminator+AE94Bj
		mov	ebx, 538h
		jmp	loc_851872
; END OF FUNCTION CHUNK	FOR LocalGetSDDLDeliminator
; 
; START	OF FUNCTION CHUNK FOR LocalGetAceCount

loc_900197:				; CODE XREF: LocalGetAceCount+29j
		push	20h
		pop	eax
		mov	[ebp+var_14], eax
		jmp	short loc_9001A7
; 

loc_90019F:				; CODE XREF: LocalGetAceCount+AE92Fj
		cmp	[edi], ax
		jnz	short loc_9001AB
		add	edi, 2

loc_9001A7:				; CODE XREF: LocalGetAceCount+AE923j
		cmp	edi, ebx
		jb	short loc_90019F

loc_9001AB:				; CODE XREF: LocalGetAceCount+AE928j
		push	28h
		pop	ecx
		cmp	edi, ebx
		jz	short loc_9001BA
		mov	[ebp+var_10], esi
		cmp	[edi], cx
		jz	short loc_9001C1

loc_9001BA:				; CODE XREF: LocalGetAceCount+AE936j
		mov	[ebp+var_10], 1

loc_9001C1:				; CODE XREF: LocalGetAceCount+AE93Ej
		cmp	edi, ebx
		jnb	loc_851906
		push	3Bh
		pop	edx

loc_9001CC:				; CODE XREF: LocalGetAceCount+AE9C3j
		movzx	eax, word ptr [edi]
		cmp	ax, word ptr [ebp+var_14]
		jz	short loc_9001DE
		cmp	[ebp+var_10], esi
		jnz	loc_851916

loc_9001DE:				; CODE XREF: LocalGetAceCount+AE959j
		cmp	ax, cx
		jnz	short loc_9001EE
		mov	eax, [ebp+var_4]
		cmp	[ebp+var_C], esi
		jnz	short loc_900238
		inc	eax
		jmp	short loc_900216
; 

loc_9001EE:				; CODE XREF: LocalGetAceCount+AE967j
		cmp	eax, 29h
		jnz	short loc_90021B
		mov	eax, [ebp+var_4]
		cmp	[ebp+var_C], esi
		jnz	short loc_900238
		test	eax, eax
		jz	short loc_90024C
		cmp	eax, 1
		jnz	short loc_900215
		cmp	[ebp+var_8], 5
		jb	short loc_90024C
		mov	ecx, [ebp+arg_0]
		push	28h
		mov	[ebp+var_8], esi
		inc	dword ptr [ecx]
		pop	ecx

loc_900215:				; CODE XREF: LocalGetAceCount+AE988j
		dec	eax

loc_900216:				; CODE XREF: LocalGetAceCount+AE972j
		mov	[ebp+var_4], eax
		jmp	short loc_900238
; 

loc_90021B:				; CODE XREF: LocalGetAceCount+AE977j
		cmp	ax, dx
		jnz	short loc_900225
		inc	[ebp+var_8]
		jmp	short loc_900235
; 

loc_900225:				; CODE XREF: LocalGetAceCount+AE9A4j
		cmp	eax, 22h
		jnz	short loc_900235
		xor	eax, eax
		cmp	[ebp+var_C], eax
		setz	al
		mov	[ebp+var_C], eax

loc_900235:				; CODE XREF: LocalGetAceCount+AE9A9j
					; LocalGetAceCount+AE9AEj
		mov	eax, [ebp+var_4]

loc_900238:				; CODE XREF: LocalGetAceCount+AE96Fj
					; LocalGetAceCount+AE97Fj ...
		add	edi, 2
		cmp	edi, ebx
		jb	short loc_9001CC
		test	eax, eax
		jz	loc_851906
		mov	eax, [ebp+arg_0]
		mov	[eax], esi

loc_90024C:				; CODE XREF: LocalGetAceCount+AE983j
					; LocalGetAceCount+AE98Ej
		mov	esi, 538h
		jmp	loc_851906
; END OF FUNCTION CHUNK	FOR LocalGetAceCount
; 
; START	OF FUNCTION CHUNK FOR FContainCallBackAce

loc_900256:				; CODE XREF: FContainCallBackAce+D4j
					; FContainCallBackAce+AE949j
		cmp	[ecx], di
		jnz	short loc_900267
		inc	edx
		mov	ecx, esi
		lea	eax, [edx+edx]
		sub	ecx, eax
		cmp	ecx, ebx
		jnb	short loc_900256

loc_900267:				; CODE XREF: FContainCallBackAce+AE93Dj
		xor	edi, edi

loc_900269:				; CODE XREF: FContainCallBackAce+C8j
		lea	eax, [edx+edx]
		mov	ecx, esi
		sub	ecx, eax
		cmp	word ptr [ecx],	28h
		jnz	loc_8519CA
		push	2
		pop	eax
		push	20h
		pop	ecx
		cmp	[esi+4], cx
		jnz	short loc_90028D

loc_900286:				; CODE XREF: FContainCallBackAce+AE96Fj
		inc	eax
		cmp	[esi+eax*2], cx
		jz	short loc_900286

loc_90028D:				; CODE XREF: FContainCallBackAce+AE968j
		cmp	word ptr [esi+eax*2], 3Bh
		jnz	loc_8519CA
		xor	edi, edi
		inc	edi
		jmp	loc_8519D6
; END OF FUNCTION CHUNK	FOR FContainCallBackAce
; 
; START	OF FUNCTION CHUNK FOR LocalGetSDControlForString

loc_9002A0:				; CODE XREF: LocalGetSDControlForString+30j
		inc	esi
		add	esi, 1
		jnz	loc_851A23
		jmp	loc_851A2C
; END OF FUNCTION CHUNK	FOR LocalGetSDControlForString
; 
; START	OF FUNCTION CHUNK FOR DrvDbDispatchDeviceId

loc_9002AF:				; CODE XREF: DrvDbDispatchDeviceId+31j
		test	eax, eax
		jnz	short loc_9002BD
		mov	eax, 0C0000467h
		jmp	loc_851AFF
; 

loc_9002BD:				; CODE XREF: DrvDbDispatchDeviceId+AE811j
		cmp	ecx, 2
		jz	short loc_9002E1
		jle	loc_851AD7
		cmp	ecx, 4
		jle	short loc_9002E7
		cmp	ecx, 6
		jle	short loc_9002EE
		cmp	ecx, 8
		jz	short loc_9002EE
		cmp	ecx, 9
		jz	short loc_9002E7
		jmp	loc_851AD7
; 

loc_9002E1:				; CODE XREF: DrvDbDispatchDeviceId+AE820j
		cmp	byte ptr [edi+4], 0
		jz	short loc_9002EE

loc_9002E7:				; CODE XREF: DrvDbDispatchDeviceId+AE82Bj
					; DrvDbDispatchDeviceId+AE83Aj
		shr	eax, 1Eh
		and	al, 1
		jmp	short loc_9002F1
; 

loc_9002EE:				; CODE XREF: DrvDbDispatchDeviceId+AE830j
					; DrvDbDispatchDeviceId+AE835j	...
		shr	eax, 1Fh

loc_9002F1:				; CODE XREF: DrvDbDispatchDeviceId+AE84Cj
		test	al, al

loc_9002F3:				; DATA XREF: .text:004FBD29o
		jnz	loc_851AD7
		mov	eax, 0C0000022h
		jmp	loc_851AFF
; 

loc_900303:				; CODE XREF: DrvDbDispatchDeviceId+3Dj
					; DATA XREF: PAGE:off_851B10o
		mov	edx, [ebp+arg_4] ; case	0x0
		call	_DrvDbValidateDeviceIdName@8 ; DrvDbValidateDeviceIdName(x,x)
		jmp	loc_851AFF
; 

loc_900310:				; CODE XREF: DrvDbDispatchDeviceId+3Dj
					; DATA XREF: PAGE:off_851B10o
		mov	al, [edi+4]	; case 0x1
		mov	esi, [edi+8]
		mov	edx, [edi]
		mov	byte ptr [ebp+arg_8], al
		push	0
		lea	eax, [edi+0Ch]
		mov	ecx, ebx
		push	eax
		push	esi
		push	[ebp+arg_8]
		push	edx
		push	[ebp+arg_4]
		xor	edx, edx
		push	5
		call	DrvDbOpenObjectRegKey
		jmp	loc_851AFF
; 

loc_900339:				; CODE XREF: DrvDbDispatchDeviceId+3Dj
					; DATA XREF: PAGE:off_851B10o
		mov	edx, [ebp+arg_4] ; case	0x2
		lea	eax, [edi+8]
		push	eax
		lea	eax, [edi+4]
		mov	ecx, ebx
		push	eax
		push	dword ptr [edi]
		call	_DrvDbCreateDeviceId@20	; DrvDbCreateDeviceId(x,x,x,x,x)
		jmp	loc_851AFF
; 

loc_900352:				; CODE XREF: DrvDbDispatchDeviceId+3Dj
					; DATA XREF: PAGE:off_851B10o
		push	2		; case 0x3
		push	[ebp+arg_4]
		mov	ecx, ebx
		push	5
		pop	edx
		call	_DrvDbDeleteObjectRegKey@16 ; DrvDbDeleteObjectRegKey(x,x,x,x)
		jmp	loc_851AFF
; 

loc_900366:				; CODE XREF: DrvDbDispatchDeviceId+3Dj
					; DATA XREF: PAGE:off_851B10o
		mov	eax, [edi+10h]	; case 0x4
		mov	ecx, [edi+0Ch]
		mov	edx, [edi+8]
		mov	esi, [edi+4]
		mov	edi, [edi]
		push	2
		push	eax
		push	ecx
		push	edx
		push	esi
		push	edi
		push	5
		pop	edx
		mov	ecx, ebx
		call	_DrvDbGetObjectList@32 ; DrvDbGetObjectList(x,x,x,x,x,x,x,x)
		jmp	loc_851AFF
; 

loc_90038A:				; CODE XREF: DrvDbDispatchDeviceId+3Dj
					; DATA XREF: PAGE:off_851B10o
		push	dword ptr [edi+14h] ; case 0x5
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		push	dword ptr [edi+10h]
		push	dword ptr [edi+0Ch]
		push	dword ptr [edi]
		call	_DrvDbGetDeviceIdMappedPropertyKeys@24 ; DrvDbGetDeviceIdMappedPropertyKeys(x,x,x,x,x,x)
		jmp	loc_851AFF
; 

loc_9003A4:				; CODE XREF: DrvDbDispatchDeviceId+3Dj
					; DATA XREF: PAGE:off_851B10o
		push	dword ptr [edi+14h] ; case 0x8
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		push	dword ptr [edi+10h] ; wchar_t *
		push	dword ptr [edi+0Ch] ; int
		push	dword ptr [edi+8] ; void *
		push	dword ptr [edi]	; int
		call	_DrvDbSetDeviceIdMappedProperty@28 ; DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)
		jmp	loc_851AFF
; END OF FUNCTION CHUNK	FOR DrvDbDispatchDeviceId
; 
; START	OF FUNCTION CHUNK FOR DrvDbGetDeviceIdMappedProperty

loc_9003C1:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+37j
		push	10h		; size_t
		push	offset _DEVPKEY_NODE ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_90040D
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_C]
		push	edi		; int
		mov	dword ptr [eax], 12h
		mov	eax, [ebp+arg_10]
		shr	eax, 1
		push	eax		; int
		push	[ebp+arg_C]	; void *
		push	ebx		; int
		push	5
		pop	edx
		call	_DrvDbGetObjectDatabaseNodeName@24 ; DrvDbGetObjectDatabaseNodeName(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_900406
		cmp	esi, 0C0000023h
		jnz	loc_851C2B

loc_900406:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE8C4j
		shl	dword ptr [edi], 1
		jmp	loc_851C2B
; 

loc_90040D:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE89Fj
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceId_DriverInfNames	; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9004F3

loc_900425:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+74j
		mov	byte ptr [ebp+arg_14], 0
		jmp	loc_851BAE
; 

loc_90042E:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+7Ej
		lea	eax, [ebx+2]
		push	3Ah		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_851BB8
		inc	eax
		add	eax, 1
		jnz	loc_851BBA
		jmp	loc_851BB8
; 

loc_900452:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+13Dj
		cmp	esi, 0C0000225h
		jz	loc_851C04
		cmp	esi, 0C0000023h
		jnz	loc_851C18
		jmp	loc_851C77
; 

loc_90046F:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+E6j
		cmp	esi, 0C0000023h
		jnz	loc_851C2B
		jmp	loc_851C20
; 

loc_900480:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+16Dj
		mov	esi, 0C0000225h
		jmp	loc_851C2B
; 

loc_90048A:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+8Bj
					; DrvDbGetDeviceIdMappedProperty+95j
		mov	edx, [ebp+arg_0]
		inc	edx
		neg	edx
		sbb	edx, edx
		and	edx, [ebp+arg_0]
		jnz	short loc_9004B7
		push	edx
		push	edx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	edx
		push	1
		push	ebx
		push	5
		mov	ecx, eax
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_851C2B
		mov	edx, [ebp+var_8]

loc_9004B7:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE961j
		push	[ebp+arg_14]
		lea	eax, [ebp+var_10]
		push	eax
		mov	eax, [ebp+arg_10]
		shr	eax, 1
		push	eax
		push	[ebp+arg_C]
		call	DrvDbGetDeviceIdDriverInfMatches
		mov	esi, eax
		test	esi, esi
		jns	short loc_9004DE
		cmp	esi, 0C0000023h
		jnz	loc_851C2B

loc_9004DE:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE99Cj
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 2012h
		mov	eax, [ebp+var_10]
		add	eax, eax
		mov	[edi], eax
		jmp	loc_851C2B
; 

loc_9004F3:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+58j
					; DrvDbGetDeviceIdMappedProperty+AE8EBj
		mov	ecx, [ebp+arg_14]

loc_9004F6:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+40j
		xor	eax, eax
		xor	ebx, ebx
		mov	[ebp+arg_4], eax

loc_9004FD:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE9F4j
		mov	edx, ds:off_405064[ebx]
		cmp	[edx+10h], ecx
		jnz	short loc_90051E
		push	10h		; size_t
		push	esi		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_900534
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_14]

loc_90051E:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE9D2j
		inc	eax
		add	ebx, 18h
		mov	[ebp+arg_4], eax
		cmp	ebx, 18h
		jb	short loc_9004FD

loc_90052A:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AEA0Aj
		mov	esi, 0C0000016h
		jmp	loc_851C35
; 

loc_900534:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE9E2j
		imul	ebx, [ebp+arg_4], arg_10
		add	ebx, offset off_405064
		jz	short loc_90052A
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_90056C
		xor	ecx, ecx
		lea	eax, [ebp+var_8]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_C]
		push	1
		push	[ebp+var_18]
		push	5
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_851C2B
		mov	edx, [ebp+var_8]

loc_90056C:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+AEA11j
		push	edi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ebx
		call	DrvDbGetRegValueMappedProperty
		mov	esi, eax
		jmp	loc_851C2B
; 

loc_900583:				; CODE XREF: DrvDbGetDeviceIdMappedProperty+FBj
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_851C35
; END OF FUNCTION CHUNK	FOR DrvDbGetDeviceIdMappedProperty
; 
; START	OF FUNCTION CHUNK FOR DrvDbGetDeviceIdDriverInfMatches

loc_900590:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+49j
		mov	esi, 0C0000225h
		jmp	loc_851E60
; 

loc_90059A:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+70j
		mov	esi, 0C0000017h
		jmp	loc_851E5F
; 

loc_9005A4:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+CEj
		xor	eax, eax
		mov	[ebp+var_C], eax
		jmp	loc_851DBA
; 

loc_9005AE:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+8Fj
		push	ecx		; int
		push	ecx		; void *
		lea	ecx, [ebp+var_10]
		push	ecx		; int
		lea	ecx, [ebp+var_4]
		push	ecx		; int
		mov	ecx, [ebp+var_1C]
		push	edi		; void *
		call	_RegRtlEnumValue
		mov	esi, eax
		test	esi, esi
		js	short loc_9005E4
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_9005FC
		xor	ecx, ecx
		mov	[edi+eax*2], cx
		inc	eax
		jmp	loc_851DED
; 

loc_9005DA:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+C4j
					; DrvDbGetDeviceIdDriverInfMatches+D8j
		mov	esi, 0C00000E5h
		jmp	loc_851E56
; 

loc_9005E4:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+B9j
					; DrvDbGetDeviceIdDriverInfMatches+AE8E9j
		mov	ecx, [ebp+arg_8]
		cmp	esi, 8000001Ah
		jnz	loc_851E36
		xor	eax, eax
		mov	esi, eax
		jmp	loc_851E36
; 

loc_9005FC:				; CODE XREF: DrvDbGetDeviceIdDriverInfMatches+AE8F0j
		mov	esi, 0C00000E5h
		jmp	loc_851E6F
; END OF FUNCTION CHUNK	FOR DrvDbGetDeviceIdDriverInfMatches
; 
; START	OF FUNCTION CHUNK FOR DrvDbBuildDeviceIdDriverInfMatch

loc_900606:				; CODE XREF: DrvDbBuildDeviceIdDriverInfMatch+20j
		cmp	al, 3
		jnz	short loc_90062C
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		push	offset ??_C@_1M@IGDBBKDM@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CK@NNGAKEGL@
		push	800h
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		jmp	loc_851EFA
; 

loc_90062C:				; CODE XREF: DrvDbBuildDeviceIdDriverInfMatch+AE786j
		mov	eax, 0C000000Dh
		jmp	loc_851EE1
; 

loc_900636:				; CODE XREF: DrvDbBuildDeviceIdDriverInfMatch+18j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	800h
		push	edi
		push	edi
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		call	RtlStringCchCopyExW
		jmp	loc_851EE1
; END OF FUNCTION CHUNK	FOR DrvDbBuildDeviceIdDriverInfMatch
; 
; START	OF FUNCTION CHUNK FOR MiAllocateDriverPage

loc_900652:				; CODE XREF: MiAllocateDriverPage+29j
		push	esi
		push	0FFFFFFFFh
		push	[ebp+var_8]
		mov	ecx, ebx
		call	_MiGetSlabPage@20 ; MiGetSlabPage(x,x,x,x,x)
		mov	[ebp+var_4], eax
		cmp	eax, 0FFFFFFFFh
		jnz	loc_851F44
		jmp	loc_851F3B
; 

loc_900670:				; CODE XREF: MiAllocateDriverPage+66j
		or	dword_6CF55C, 0FFFFFFFFh
		lea	edx, [ebp+var_14]
		push	esi
		xor	ecx, ecx
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	ecx, edx
		call	_MiGetNextPageColor@4 ;	MiGetNextPageColor(x)
		mov	edi, eax
		jmp	short loc_9006A4
; 

loc_90068D:				; CODE XREF: MiAllocateDriverPage+AE7A8j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jz	loc_851F41
		xor	edx, edx
		mov	ecx, ebx
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)

loc_9006A4:				; CODE XREF: MiAllocateDriverPage+AE77Fj
		push	esi
		mov	edx, edi
		mov	ecx, ebx
		call	MiGetPage
		mov	[ebp+var_4], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_90068D
		jmp	loc_851F44
; END OF FUNCTION CHUNK	FOR MiAllocateDriverPage
; 
; START	OF FUNCTION CHUNK FOR PiDqObjectManagerServiceActionQueue

loc_9006BB:				; CODE XREF: PiDqObjectManagerServiceActionQueue+75j
		lea	eax, [esp+50h+var_40]
		mov	[esp+50h+var_3C], eax
		mov	[esp+50h+var_40], eax
		jmp	loc_85218A
; 

loc_9006CC:				; CODE XREF: PiDqObjectManagerServiceActionQueue+DCj
					; PiDqObjectManagerServiceActionQueue+F7j
		xor	bl, bl
		jmp	loc_8521FD
; 

loc_9006D3:				; CODE XREF: PiDqObjectManagerServiceActionQueue+115j
		lea	eax, [esi+68h]
		mov	edi, [eax]
		mov	[esp+50h+var_30], eax
		cmp	edi, eax
		jz	short loc_90072C

loc_9006E0:				; CODE XREF: PiDqObjectManagerServiceActionQueue+AE638j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [edi+20h]
		call	ExAcquirePushLockExclusiveEx
		or	dword ptr [edi+74h], 1
		mov	ecx, edi
		call	PiDqQueryFreeActiveData
		mov	ecx, edi
		call	PiDqQueryCompletePendedIrp
		xor	edx, edx
		lea	ecx, [edi+20h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, [edi]
		cmp	edi, [esp+50h+var_30]
		jnz	short loc_9006E0
		mov	esi, [esp+50h+var_2C]

loc_90072C:				; CODE XREF: PiDqObjectManagerServiceActionQueue+AE5F0j
		and	dword ptr [esi+7Ch], 0FFFFFFFDh
		jmp	loc_852209
; 

loc_900735:				; CODE XREF: PiDqObjectManagerServiceActionQueue+1D3j
		push	esi
		push	dword ptr [esi+0Ch]
		mov	edx, offset _KMPnPEvt_DevQuery_ProcessingStart
		call	_McTemplateK0p_EtwWriteTransfer@16 ; McTemplateK0p_EtwWriteTransfer(x,x,x,x)
		jmp	loc_8522C7
; 

loc_900748:				; CODE XREF: PiDqObjectManagerServiceActionQueue+264j
		push	esi
		push	dword ptr [esi+0Ch]
		mov	edx, offset _KMPnPEvt_DevQuery_ProcessingStop
		call	_McTemplateK0p_EtwWriteTransfer@16 ; McTemplateK0p_EtwWriteTransfer(x,x,x,x)
		jmp	loc_852358
; END OF FUNCTION CHUNK	FOR PiDqObjectManagerServiceActionQueue
; 
; START	OF FUNCTION CHUNK FOR PiDqQueryApplyObjectEvent

loc_90075B:				; CODE XREF: PiDqQueryApplyObjectEvent+3Dj
		lea	eax, [ebp+var_4]
		push	eax
		lea	edx, [edi+10h]
		lea	ecx, [esi+10h]
		call	_PiDqSameUserHive@12 ; PiDqSameUserHive(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jns	loc_852481

loc_900775:				; CODE XREF: PiDqQueryApplyObjectEvent+142j
					; PiDqQueryApplyObjectEvent+1D5j ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+20h]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_14]
		or	dword ptr [ecx+74h], 1
		call	PiDqQueryFreeActiveData
		xor	edx, edx
		lea	ecx, [esi+20h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_852586
; 

loc_9007B4:				; CODE XREF: PiDqQueryApplyObjectEvent+37Dj
		mov	edx, ebx
		mov	[ebp+var_1C], edx
		cmp	[edi+2Ch], ebx
		jbe	loc_8524FC
		lea	ecx, [edi+48h]
		mov	[ebp+var_18], ecx

loc_9007C8:				; CODE XREF: PiDqQueryApplyObjectEvent+AE3EBj
		cmp	dword ptr [ecx-4], 1
		jnz	short loc_9007D3
		cmp	byte ptr [ebp+var_4], bl
		jz	short loc_90081C

loc_9007D3:				; CODE XREF: PiDqQueryApplyObjectEvent+AE38Ej
		cmp	[ecx], ebx
		jz	loc_8527C1
		mov	eax, [esi+0Ch]
		mov	esi, [eax+28h]
		cmp	[esi], bx
		jz	short loc_900819

loc_9007E6:				; CODE XREF: PiDqQueryApplyObjectEvent+AE3D6j
		push	esi		; wchar_t *
		push	dword ptr [ecx]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_900830
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_9007F9:				; CODE XREF: PiDqQueryApplyObjectEvent+AE3C4j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_9007F9
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		mov	ecx, [ebp+var_18]
		add	esi, 2
		cmp	[esi], bx
		jnz	short loc_9007E6
		mov	edx, [ebp+var_1C]

loc_900819:				; CODE XREF: PiDqQueryApplyObjectEvent+AE3A6j
		mov	esi, [ebp+var_14]

loc_90081C:				; CODE XREF: PiDqQueryApplyObjectEvent+AE393j
		inc	edx
		add	ecx, 1Ch
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], ecx
		cmp	edx, [edi+2Ch]
		jb	short loc_9007C8
		jmp	loc_8524FC
; 

loc_900830:				; CODE XREF: PiDqQueryApplyObjectEvent+AE3B4j
		mov	esi, [ebp+var_14]
		mov	byte ptr [ebp+var_4+3],	1
		jmp	loc_8524FC
; 

loc_90083C:				; CODE XREF: PiDqQueryApplyObjectEvent+43Fj
		cmp	byte ptr [ebp+var_4], bl
		jz	loc_852821
		jmp	loc_852883
; 

loc_90084A:				; CODE XREF: PiDqQueryApplyObjectEvent+44Dj
		mov	eax, [esi+0Ch]
		mov	edx, [eax+28h]
		mov	[ebp+var_1C], edx
		cmp	[edx], bx
		jz	short loc_90089B

loc_900858:				; CODE XREF: PiDqQueryApplyObjectEvent+AE452j
		push	edx		; wchar_t *
		push	dword ptr [ecx]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_900894
		mov	edx, [ebp+var_1C]
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[ebp+var_1C], eax

loc_900871:				; CODE XREF: PiDqQueryApplyObjectEvent+AE43Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_900871
		sub	ecx, [ebp+var_1C]
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		mov	ecx, [ebp+var_C]
		add	edx, 2
		mov	[ebp+var_1C], edx
		cmp	[edx], bx
		jnz	short loc_900858
		jmp	short loc_900898
; 

loc_900894:				; CODE XREF: PiDqQueryApplyObjectEvent+AE426j
		mov	byte ptr [ebp+var_4+3],	1

loc_900898:				; CODE XREF: PiDqQueryApplyObjectEvent+AE454j
		mov	ecx, [ebp+var_C]

loc_90089B:				; CODE XREF: PiDqQueryApplyObjectEvent+AE418j
		cmp	byte ptr [ebp+var_4+3],	bl
		jnz	loc_8524FC
		mov	edx, [ebp+var_18]
		jmp	loc_852821
; 

loc_9008AC:				; CODE XREF: PiDqQueryApplyObjectEvent+272j
		test	ecx, ecx
		jz	loc_8524D2
		cmp	[ebp+var_28], ebx
		jz	loc_8524D2
		push	[ebp+var_28]	; wchar_t *
		push	ecx		; wchar_t *
		call	__wcsicmp
		mov	edx, [ebp+var_18]
		test	eax, eax
		mov	eax, [ebp+var_C]
		pop	ecx
		pop	ecx
		jnz	loc_8524D2
		jmp	loc_8526B6
; 

loc_9008DB:				; CODE XREF: PiDqQueryApplyObjectEvent+27Bj
		cmp	byte ptr [ebp+var_4], bl
		jnz	loc_8526BF
		jmp	loc_8524D2
; 

loc_9008E9:				; CODE XREF: PiDqQueryApplyObjectEvent+2BAj
		test	eax, eax
		jz	loc_85254B
		test	edx, edx
		jz	loc_85254B
		push	edx		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_C]
		test	eax, eax
		jnz	loc_85254B
		jmp	loc_8526FE
; 

loc_900912:				; CODE XREF: PiDqQueryApplyObjectEvent+2C3j
		cmp	byte ptr [ebp+var_4], bl
		jnz	loc_852707
		jmp	loc_85254B
; 

loc_900920:				; CODE XREF: PiDqQueryApplyObjectEvent+2DBj
		sub	eax, 1
		jz	short loc_900994
		sub	eax, 1
		jnz	loc_852600
		mov	esi, [edx+1Ch]
		mov	cl, bl
		mov	byte ptr [ebp+var_4+2],	cl
		mov	[ebp+var_1C], esi
		cmp	[esi], bx
		jz	loc_852600
		mov	dl, bl

loc_900944:				; CODE XREF: PiDqQueryApplyObjectEvent+AE54Cj
		test	dl, dl
		jnz	short loc_9009B3
		mov	eax, [edi+8]
		push	dword ptr [eax+0Ch] ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		mov	ecx, eax
		lea	eax, [esi+2]
		neg	ecx
		mov	[ebp+var_28], eax
		sbb	cl, cl
		inc	cl
		mov	dl, cl
		mov	byte ptr [ebp+var_4+2],	cl

loc_900969:				; CODE XREF: PiDqQueryApplyObjectEvent+AE534j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, bx
		jnz	short loc_900969
		sub	esi, [ebp+var_28]
		mov	eax, [ebp+var_1C]
		sar	esi, 1
		lea	eax, [eax+esi*2]
		add	eax, 2
		mov	[ebp+var_1C], eax
		mov	esi, eax
		cmp	[eax], bx
		jnz	short loc_900944
		mov	esi, [ebp+var_14]
		jmp	loc_852726
; 

loc_900994:				; CODE XREF: PiDqQueryApplyObjectEvent+AE4E5j
		mov	eax, [edi+8]
		push	dword ptr [eax+0Ch] ; wchar_t *
		push	dword ptr [edx+18h] ; wchar_t *
		call	__wcsicmp
		mov	edx, eax
		neg	edx
		pop	ecx
		sbb	dl, dl
		pop	ecx
		inc	dl
		mov	cl, dl
		jmp	loc_852723
; 

loc_9009B3:				; CODE XREF: PiDqQueryApplyObjectEvent+AE508j
		mov	esi, [ebp+var_14]
		jmp	loc_85272E
; 

loc_9009BB:				; CODE XREF: PiDqQueryApplyObjectEvent+31Dj
					; PiDqQueryApplyObjectEvent+328j
		mov	cl, bl
		mov	[ebp+var_10], ebx
		mov	byte ptr [ebp+var_4+2],	cl
		mov	eax, ebx
		jmp	loc_85276F
; 

loc_9009CA:				; CODE XREF: PiDqQueryApplyObjectEvent+362j
		mov	eax, ebx
		mov	cl, bl
		mov	[ebp+var_10], eax
		jmp	loc_8527A9
; 

loc_9009D6:				; CODE XREF: PiDqQueryApplyObjectEvent+1C5j
		mov	eax, large fs:124h
		push	3
		pop	ebx
		mov	byte ptr [ebp+var_4+1],	1
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+var_24]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebp+var_14]
		jmp	short loc_900A19
; 

loc_9009FA:				; CODE XREF: PiDqQueryApplyObjectEvent+AE60Cj
		mov	eax, large fs:124h
		push	3
		pop	ebx
		mov	byte ptr [ebp+var_4+1],	1
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+20h]
		call	ExAcquirePushLockExclusiveEx

loc_900A19:				; CODE XREF: PiDqQueryApplyObjectEvent+AE5BAj
		mov	edx, [edi+8]
		mov	ecx, esi
		call	_PiDqQueryDeleteObjectFromResultSet@8 ;	PiDqQueryDeleteObjectFromResultSet(x,x)
		xor	edx, edx
		lea	ecx, [esi+20h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	cl, byte ptr [ebp+var_4+1]
		jmp	loc_85260E
; 

loc_900A41:				; CODE XREF: PiDqQueryApplyObjectEvent+19Ej
		cmp	[ebp+var_6], bl
		jz	loc_85260C
		jmp	short loc_9009FA
; END OF FUNCTION CHUNK	FOR PiDqQueryApplyObjectEvent
; 
; START	OF FUNCTION CHUNK FOR WmipQuerySetExecuteSI

loc_900A4C:				; CODE XREF: WmipQuerySetExecuteSI+D3j
		mov	eax, [esp+80h+var_60]
		or	dword ptr [edi+2Ch], 100h
		push	30h
		pop	ecx
		mov	[edi], ecx
		mov	[eax+1Ch], ecx
		jmp	loc_852A69
; 

loc_900A64:				; CODE XREF: WmipQuerySetExecuteSI+14Bj
					; WmipQuerySetExecuteSI+157j
		mov	eax, [esp+80h+var_58]
		inc	eax
		mov	[esp+80h+var_58], eax
		cmp	eax, [esp+80h+var_64]
		jb	loc_8529DE
		jmp	loc_852A35
; 

loc_900A7C:				; CODE XREF: WmipQuerySetExecuteSI+18Dj
		test	eax, eax
		jz	loc_852A69
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_852A69
; 

loc_900A91:				; CODE XREF: WmipQuerySetExecuteSI+1A0j
		mov	esi, 0C000000Dh
		jmp	loc_852A7C
; END OF FUNCTION CHUNK	FOR WmipQuerySetExecuteSI
; 
; START	OF FUNCTION CHUNK FOR WmipPrepareWnodeSI

loc_900A9B:				; CODE XREF: WmipPrepareWnodeSI+6Dj
		mov	byte ptr [eax],	1
		mov	eax, ecx
		jmp	loc_852C91
; 

loc_900AA5:				; CODE XREF: WmipPrepareWnodeSI+F2j
		mov	edi, edx
		mov	eax, [esi+30h]
		mov	[ebp+var_2C], eax
		cmp	[esi+24h], edx
		jbe	short loc_900AFC

loc_900AB2:				; CODE XREF: WmipPrepareWnodeSI+ADF9Aj
		push	[ebp+var_24]	; wchar_t *
		push	dword ptr [eax+edi*4] ;	wchar_t	*
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_900AD1
		mov	eax, [ebp+var_2C]
		inc	edi
		cmp	edi, [esi+24h]
		jb	short loc_900AB2
		jmp	loc_852C4D
; 

loc_900AD1:				; CODE XREF: WmipPrepareWnodeSI+ADF91j
		or	dword ptr [ebx+2Ch], 80h
		xor	edx, edx
		mov	eax, [esi+2Ch]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_38]
		mov	[ebx+34h], edi
		mov	[eax], dl
		mov	al, 1
		mov	[ebp+var_15], al
		jmp	loc_852C52
; 

loc_900AF2:				; CODE XREF: WmipPrepareWnodeSI+117j
		mov	al, 1
		mov	[ebp+var_15], al
		jmp	loc_852C50
; 

loc_900AFC:				; CODE XREF: WmipPrepareWnodeSI+E2j
					; WmipPrepareWnodeSI+ADF80j
		mov	al, [ebp+var_15]
		jmp	loc_852C55
; 

loc_900B04:				; CODE XREF: WmipPrepareWnodeSI+BCj
		mov	[ebp+var_20], 0C0000301h
		jmp	loc_852C61
; 

loc_900B10:				; CODE XREF: WmipPrepareWnodeSI+86j
		mov	[ebp+var_20], 0C000009Ah
		jmp	loc_852C75
; 

loc_900B1C:				; CODE XREF: WmipPrepareWnodeSI+273j
					; WmipPrepareWnodeSI+ADFFCj
		mov	edx, [ebx+edi*4]
		mov	ecx, offset _WmipISChunkInfo
		call	WmipUnreferenceEntry
		inc	edi
		cmp	edi, esi
		jb	short loc_900B1C
		xor	eax, eax
		jmp	loc_852DA9
; 

loc_900B35:				; CODE XREF: WmipPrepareWnodeSI+282j
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_852C8E
; 

loc_900B41:				; CODE XREF: WmipPrepareWnodeSI+48j
					; WmipPrepareWnodeSI+53j
		mov	eax, 0C0000301h
		jmp	loc_852C91
; END OF FUNCTION CHUNK	FOR WmipPrepareWnodeSI
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceInterfaceName

loc_900B4B:				; CODE XREF: _CmGetDeviceInterfaceName+1Fj
					; _CmGetDeviceInterfaceName+2Fj
		mov	ecx, 0C000000Dh
		jmp	loc_852F63
; 

loc_900B55:				; CODE XREF: _CmGetDeviceInterfaceName+16Fj
					; _CmGetDeviceInterfaceName+17Bj
		mov	ecx, 0C000000Dh
		jmp	loc_852F61
; 

loc_900B5F:				; CODE XREF: _CmGetDeviceInterfaceName+76j
		mov	ecx, 0C0000023h
		jmp	loc_852F61
; END OF FUNCTION CHUNK	FOR _CmGetDeviceInterfaceName

;  S U B	R O U T	I N E 


sub_900B69	proc near		; DATA XREF: .text:006A4854o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_900B69	endp


;  S U B	R O U T	I N E 


sub_900B77	proc near		; DATA XREF: .text:006A4858o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-24h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	14h
		pop	ebx
		jmp	loc_85313E
sub_900B77	endp

; 
; START	OF FUNCTION CHUNK FOR _RegRtlEnumValue

loc_900B8C:				; CODE XREF: _RegRtlEnumValue+8Cj
		mov	ebx, 0C0000017h
		jmp	loc_85328C
; 

loc_900B96:				; CODE XREF: _RegRtlEnumValue+ACj
		cmp	ebx, 80000005h
		jnz	loc_853284
		jmp	loc_853214
; 

loc_900BA7:				; CODE XREF: _RegRtlEnumValue+CAj
					; _RegRtlEnumValue+DDj	...
		mov	eax, [edi+10h]
		mov	ebx, 0C0000023h
		mov	ecx, [ebp+arg_10]
		shr	eax, 1
		inc	eax
		mov	[esi], eax
		mov	eax, [edi+0Ch]
		mov	[ecx], eax
		jmp	loc_853284
; END OF FUNCTION CHUNK	FOR _RegRtlEnumValue
; 
; START	OF FUNCTION CHUNK FOR PiDqObjectManagerHandleObjectEvent

loc_900BC1:				; CODE XREF: PiDqObjectManagerHandleObjectEvent+1Bj
		mov	ecx, [edi+8]
		mov	edx, [ecx+14h]
		mov	ecx, [ecx+0Ch]
		call	_PiDqDeleteUserObjectFromLoadedHives@8 ; PiDqDeleteUserObjectFromLoadedHives(x,x)
		jmp	loc_853323
; END OF FUNCTION CHUNK	FOR PiDqObjectManagerHandleObjectEvent
; 
; START	OF FUNCTION CHUNK FOR SPCallServerHandleWaitForDisplayWindow

loc_900BD4:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+1Dj
					; SPCallServerHandleWaitForDisplayWindow+25j ...
		mov	edx, 0C000000Dh
		jmp	loc_8536CB
; 

loc_900BDE:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+3Dj
					; SPCallServerHandleWaitForDisplayWindow+46j
		mov	edx, 0C000000Dh
		jmp	loc_8534FD
; 

loc_900BE8:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+117j
					; SPCallServerHandleWaitForDisplayWindow+121j
		mov	esi, ebx
		jmp	loc_853563
; 

loc_900BEF:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+16Cj
					; SPCallServerHandleWaitForDisplayWindow+AD7CCj
		push	ebx
		push	1
		push	1
		push	6
		push	offset unk_6B72E0
		call	KeWaitForSingleObject
		mov	esi, eax
		cmp	esi, 101h
		jz	short loc_900BEF
		test	esi, esi
		js	loc_8535AE
		cmp	esi, 0C0h
		jz	loc_8535AE
		cmp	esi, 102h
		jz	loc_8535AE
		push	ebx
		push	offset unk_6B72E0
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		jmp	loc_8535AE
; 

loc_900C3A:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+187j
					; SPCallServerHandleWaitForDisplayWindow+1A0j ...
		mov	eax, [ebp+var_4]
		jmp	loc_853601
; 

loc_900C42:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+25Aj
		mov	edx, 0C000003Eh
		jmp	loc_8536CB
; 

loc_900C4C:				; CODE XREF: SPCallServerHandleWaitForDisplayWindow+271j
		mov	edx, 0C0000017h
		jmp	loc_8536CB
; END OF FUNCTION CHUNK	FOR SPCallServerHandleWaitForDisplayWindow
; 
; START	OF FUNCTION CHUNK FOR MiFreeRelocations

loc_900C56:				; CODE XREF: MiFreeRelocations+26j
		mov	ecx, [esi+34h]
		mov	[esp+20h+var_10], eax
		movzx	eax, cx
		mov	[esp+20h+var_C], eax
		mov	eax, ecx
		shr	eax, 14h
		and	eax, 3
		test	dword ptr [esi+1Ch], 10000000h
		mov	[esp+20h+var_4], eax
		jz	short loc_900C8A
		shr	ecx, 10h
		and	cl, 1
		mov	[esp+20h+var_8], 1
		mov	[esp+20h+var_7], cl
		jmp	short loc_900C8F
; 

loc_900C8A:				; CODE XREF: MiFreeRelocations+AD1C5j
		mov	[esp+20h+var_8], 0

loc_900C8F:				; CODE XREF: MiFreeRelocations+AD1D6j
		lea	ecx, [esp+20h+var_10]
		call	_MiReturnImageBase@4 ; MiReturnImageBase(x)
		or	dword ptr [esi+30h], 0FFFFFFFFh
		jmp	loc_853ADE
; 

loc_900CA1:				; CODE XREF: MiFreeRelocations+40j
		mov	ecx, esi
		mov	edx, esi
		call	_MiGetLeafPfnBuddy@8 ; MiGetLeafPfnBuddy(x,x)
		mov	esi, eax
		call	_MiDeleteDirectMapFixupPfn@4 ; MiDeleteDirectMapFixupPfn(x)
		jmp	loc_853AF0
; END OF FUNCTION CHUNK	FOR MiFreeRelocations
; 
; START	OF FUNCTION CHUNK FOR PnpNotifyDeviceClassChange

loc_900CB6:				; CODE XREF: PnpNotifyDeviceClassChange+BCj
		cmp	[esi+0Ch], ebx
		jnz	loc_853CCD
		jmp	loc_853CB2
; END OF FUNCTION CHUNK	FOR PnpNotifyDeviceClassChange
; 
; START	OF FUNCTION CHUNK FOR PopProcessorInformation

loc_900CC4:				; CODE XREF: PopProcessorInformation+67j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_900CCD
		mov	[eax], esi

loc_900CCD:				; CODE XREF: PopProcessorInformation+ACD61j
		mov	esi, 0C0000023h
		jmp	loc_85409F
; END OF FUNCTION CHUNK	FOR PopProcessorInformation
; 
; START	OF FUNCTION CHUNK FOR PfpProcessScenarioPhase

loc_900CD7:				; CODE XREF: PfpProcessScenarioPhase+43j
		cmp	ecx, 5
		jz	loc_85415F

loc_900CE0:				; CODE XREF: PfpProcessScenarioPhase+17j
		mov	edi, 0C000000Dh
		jmp	loc_854156
; 

loc_900CEA:				; CODE XREF: PfpProcessScenarioPhase+50j
		push	edi
		push	esi
		jmp	loc_900D98
; 

loc_900CF1:				; CODE XREF: PfpProcessScenarioPhase+3Bj
		mov	eax, [ebx+8]
		xor	edi, edi
		sub	eax, edi
		jz	short loc_900D40
		sub	eax, 1
		jnz	loc_854156
		cmp	dword_6D488C, 3
		jnz	loc_854156
		push	ecx
		push	1388h
		push	3
		mov	esi, offset unk_6D4870
		pop	edx
		mov	ecx, esi
		call	PfpScenCtxPrefetchWait
		push	edi
		push	dword_6D4890
		xor	edx, edx
		push	edi
		push	3
		pop	ecx
		call	_PfpLogScenarioEvent@20	; PfpLogScenarioEvent(x,x,x,x,x)
		push	edi
		push	edi
		push	3
		pop	edx
		mov	ecx, esi
		jmp	short loc_900D9F
; 

loc_900D40:				; CODE XREF: PfpProcessScenarioPhase+ACC3Aj
		call	_RtlGetActiveConsoleId@0 ; RtlGetActiveConsoleId()
		mov	esi, eax
		call	_PsGetCurrentProcessSessionId@0	; PsGetCurrentProcessSessionId()
		cmp	eax, esi
		jnz	loc_854156
		call	_PFP_CAN_DO_ACCESS_LOGGING@0 ; PFP_CAN_DO_ACCESS_LOGGING()
		test	eax, eax
		jz	loc_854156
		xor	ecx, ecx
		mov	esi, edi
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		test	eax, eax
		jz	loc_854156

loc_900D72:				; CODE XREF: PfpProcessScenarioPhase+ACCC3j
		inc	esi
		mov	ecx, eax
		cmp	esi, 3
		jnb	short loc_900D85
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		test	eax, eax
		jnz	short loc_900D72
		jmp	short loc_900D8A
; 

loc_900D85:				; CODE XREF: PfpProcessScenarioPhase+ACCBAj
		call	ObfDereferenceObject

loc_900D8A:				; CODE XREF: PfpProcessScenarioPhase+ACCC5j
		cmp	esi, 3
		jb	loc_854156
		push	dword ptr [ebx+14h]
		push	3

loc_900D98:				; CODE XREF: PfpProcessScenarioPhase+ACC2Ej
		xor	edx, edx
		mov	ecx, offset unk_6D4870

loc_900D9F:				; CODE XREF: PfpProcessScenarioPhase+ACC80j
		call	PfpScenCtxScenarioSet
		jmp	loc_854156
; 

loc_900DA9:				; CODE XREF: PfpProcessScenarioPhase+25j
		mov	edi, 0C000007Bh
		jmp	loc_854156
; END OF FUNCTION CHUNK	FOR PfpProcessScenarioPhase
; 
; START	OF FUNCTION CHUNK FOR PfGenerateTrace

loc_900DB3:				; CODE XREF: PfGenerateTrace+30j
		mov	esi, 0C0000287h
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_900DCC
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_900DCC:				; CODE XREF: PfGenerateTrace+ACBA9j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_8542C1
; END OF FUNCTION CHUNK	FOR PfGenerateTrace
; 
; START	OF FUNCTION CHUNK FOR EtwpRealtimeConnect

loc_900DDD:				; CODE XREF: EtwpRealtimeConnect+82j
		mov	ecx, eax
		jmp	loc_85439E
; 

loc_900DE4:				; CODE XREF: EtwpRealtimeConnect+96j
		mov	ecx, eax
		jmp	loc_8543B2
; 

loc_900DEB:				; CODE XREF: EtwpRealtimeConnect+AAj
		mov	ecx, eax
		jmp	loc_8543C6
; 

loc_900DF2:				; CODE XREF: EtwpRealtimeConnect+E5j
		mov	eax, 0C000000Dh
		jmp	loc_85459B
; 

loc_900DFC:				; CODE XREF: EtwpRealtimeConnect+F2j
		mov	esi, 0C000000Dh

loc_900E01:				; CODE XREF: EtwpRealtimeConnect+108j
					; EtwpRealtimeConnect+11Aj ...
		mov	dl, 1
		mov	ecx, edi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		cmp	[ebp+var_20], 0
		jz	short loc_900E18
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)

loc_900E18:				; CODE XREF: EtwpRealtimeConnect+ACAF8j
		mov	ecx, [ebp+var_40]
		test	ecx, ecx
		jz	short loc_900E24
		call	ObfDereferenceObject

loc_900E24:				; CODE XREF: EtwpRealtimeConnect+ACB07j
		mov	ecx, [ebp+var_44]
		test	ecx, ecx
		jz	short loc_900E30
		call	ObfDereferenceObject

loc_900E30:				; CODE XREF: EtwpRealtimeConnect+ACB13j
		mov	eax, esi
		jmp	loc_85459B
; END OF FUNCTION CHUNK	FOR EtwpRealtimeConnect

;  S U B	R O U T	I N E 


sub_900E37	proc near		; DATA XREF: .text:006A4894o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-60h], eax
		xor	eax, eax
		inc	eax
		retn
sub_900E37	endp


;  S U B	R O U T	I N E 


sub_900E45	proc near		; DATA XREF: .text:006A4898o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-60h]
		jmp	loc_85459B
sub_900E45	endp

; 
; START	OF FUNCTION CHUNK FOR IopSetDeviceSecurityDescriptor

loc_900E57:				; CODE XREF: IopSetDeviceSecurityDescriptor+C3j
		mov	ecx, offset _IopSecurityResource
		call	ExReleaseResourceLite
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	1
		push	esi
		call	ObDereferenceSecurityDescriptor
		push	1
		push	[ebp+var_8]
		call	ObDereferenceSecurityDescriptor
		mov	esi, [ebp+var_C]
		mov	ebx, [ebp+var_10]
		jmp	loc_8545F6
; 

loc_900E85:				; CODE XREF: IopSetDeviceSecurityDescriptor+82j
		test	esi, esi
		jz	loc_8546CA
		jmp	loc_8546D3
; END OF FUNCTION CHUNK	FOR IopSetDeviceSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR PspCreateProcess

loc_900E92:				; CODE XREF: PspCreateProcess+9Aj
		test	cl, cl
		jz	loc_854778

loc_900E9A:				; CODE XREF: PspCreateProcess+7Dj
					; PspCreateProcess+AC7CEj ...
		mov	eax, 0C000000Dh
		jmp	loc_8549C0
; 

loc_900EA4:				; CODE XREF: PspCreateProcess+ADj
		test	eax, eax
		jz	short loc_900E9A
		jmp	loc_85478B
; 

loc_900EAD:				; CODE XREF: PspCreateProcess+C3j
		test	edx, edx
		jz	short loc_900E9A
		jmp	loc_8547A1
; 

loc_900EB6:				; CODE XREF: PspCreateProcess+CBj
		test	cl, cl
		jnz	short loc_900E9A
		test	ebx, ebx
		jz	short loc_900EF4
		xor	eax, eax
		cmp	[ebx+4], eax
		jnz	short loc_900E9A
		mov	eax, [ebx+8]
		test	eax, eax
		jz	short loc_900E9A
		cmp	dword ptr [eax+4], 0
		jz	short loc_900E9A
		xor	edi, edi
		cmp	[eax], di
		mov	edi, [ebp+var_188]
		jz	short loc_900E9A
		cmp	dword ptr [ebx+0Ch], 200h
		jnz	short loc_900E9A
		xor	eax, eax
		cmp	[ebx+10h], eax
		jnz	short loc_900E9A
		cmp	[ebx+14h], eax
		jnz	short loc_900E9A

loc_900EF4:				; CODE XREF: PspCreateProcess+AC7E4j
		cmp	[ebp+var_174], 0
		jnz	short loc_900E9A
		cmp	[ebp+var_19C], 0
		jnz	short loc_900E9A
		cmp	[ebp+var_198], 0
		jz	short loc_900E9A
		jmp	loc_8547A9
; 

loc_900F14:				; CODE XREF: PspCreateProcess+D7j
		test	cl, cl
		jnz	short loc_900E9A
		test	edx, edx
		jz	loc_900E9A
		jmp	loc_8547B5
; 

loc_900F25:				; CODE XREF: PspCreateProcess+FCj
		test	cl, cl
		jz	short loc_900F7B
		mov	[ebp+ms_exc.disabled], esi
		mov	edx, ebx
		test	bl, 3
		jz	short loc_900F38
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_900F38:				; CODE XREF: PspCreateProcess+AC859j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_900F43
		mov	edx, eax

loc_900F43:				; CODE XREF: PspCreateProcess+AC867j
		nop
		mov	al, [edx]
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_30], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_900F7E
; END OF FUNCTION CHUNK	FOR PspCreateProcess

;  S U B	R O U T	I N E 


sub_900F55	proc near		; DATA XREF: .text:006A48B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1A8h], eax
		xor	eax, eax
		inc	eax
		retn
sub_900F55	endp


;  S U B	R O U T	I N E 


sub_900F66	proc near		; DATA XREF: .text:006A48B8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1A8h]
		jmp	loc_8549C0
sub_900F66	endp

; 
; START	OF FUNCTION CHUNK FOR PspCreateProcess

loc_900F7B:				; CODE XREF: PspCreateProcess+AC84Fj
		mov	eax, [ebx+0Ch]

loc_900F7E:				; CODE XREF: PspCreateProcess+AC87Bj
		test	cl, cl
		jnz	short loc_900F89
		and	eax, 11FF2h
		jmp	short loc_900F8E
; 

loc_900F89:				; CODE XREF: PspCreateProcess+AC8A8j
		and	eax, 1DF2h

loc_900F8E:				; CODE XREF: PspCreateProcess+AC8AFj
		mov	[ebp+var_30], eax
		jmp	loc_8547DA
; 

loc_900F96:				; CODE XREF: PspCreateProcess+10Aj
		mov	eax, ds:_MmSectionObjectType
		mov	[ebp+var_194], esi
		push	esi
		lea	esi, [ebp+var_194]
		push	esi
		push	ecx
		push	eax
		push	8
		push	edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_194]
		mov	[ebp+var_174], eax
		mov	[ebp+var_1A4], eax
		test	ecx, ecx
		jns	short loc_900FD2
		mov	eax, ecx
		jmp	loc_8549C0
; 

loc_900FD2:				; CODE XREF: PspCreateProcess+AC8F1j
		mov	ecx, [ebp+arg_8]
		xor	esi, esi
		jmp	loc_8547F6
; 

loc_900FDC:				; CODE XREF: PspCreateProcess+183j
		xor	ecx, ecx
		mov	byte ptr [ebp+var_16D],	cl
		lea	eax, [ebp+var_16D]
		push	eax
		lea	eax, [ebp+var_184]
		push	eax
		lea	eax, [ebp+var_178]
		push	eax
		push	[ebp+var_16D]
		push	ecx
		xor	edx, edx
		mov	ecx, [ebp+var_180]
		call	SeQuerySigningPolicy
		mov	esi, eax
		test	esi, esi
		js	loc_854999
		mov	al, byte ptr [ebp+var_178]
		test	al, al
		jz	short loc_901025
		cmp	al, 1
		jnz	short loc_901032

loc_901025:				; CODE XREF: PspCreateProcess+AC947j
		cmp	byte ptr [ebp+var_16D],	0
		jz	loc_854885

loc_901032:				; CODE XREF: PspCreateProcess+AC94Bj
					; PspCreateProcess+AC98Dj
		mov	esi, 0C00000BBh
		jmp	loc_854999
; 

loc_90103C:				; CODE XREF: PspCreateProcess+1B5j
		push	[ebp+var_16D]
		lea	edx, [ebp+var_169]
		mov	ecx, eax
		call	PspGetProcessProtectionRequirementsFromImage
		mov	esi, eax
		test	esi, esi
		js	loc_854999
		mov	al, byte ptr [ebp+var_16D]
		cmp	al, byte ptr [ebp+var_169]
		jnz	short loc_901032
		jmp	loc_854893
; 

loc_90106C:				; CODE XREF: PspCreateProcess+1C2j
		mov	eax, [ebp+var_188]
		neg	eax
		sbb	eax, eax
		and	eax, [ebp+var_180]
		test	ebx, ebx
		jz	short loc_901085
		mov	edx, [ebx+8]
		jmp	short loc_901089
; 

loc_901085:				; CODE XREF: PspCreateProcess+AC9A6j
		xor	ecx, ecx
		mov	edx, ecx

loc_901089:				; CODE XREF: PspCreateProcess+AC9ABj
		mov	ecx, [ebp+var_1A0]
		push	ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+arg_C]
		push	eax
		push	[ebp+var_16D]
		push	ecx
		mov	ecx, edi
		call	PsCreateMinimalProcess
		mov	esi, eax
		jmp	loc_854999
; 

loc_9010AE:				; CODE XREF: PspCreateProcess+22Fj
		push	3
		pop	eax
		jmp	loc_85490D
; END OF FUNCTION CHUNK	FOR PspCreateProcess

;  S U B	R O U T	I N E 


sub_9010B6	proc near		; DATA XREF: .text:006A48C0o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_9010B6	endp


;  S U B	R O U T	I N E 


sub_9010BC	proc near		; DATA XREF: .text:006A48C4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-18Ch]
		mov	eax, [ebp-1A4h]
		mov	[ebp-174h], eax
		jmp	loc_854970
sub_9010BC	endp

; 
; START	OF FUNCTION CHUNK FOR PspCreateProcess

loc_9010DD:				; CODE XREF: PspCreateProcess+260j
					; PspCreateProcess+2ABj
		xor	dl, dl
		mov	ecx, [ebp+var_17C]
		call	_PspRundownSingleProcess@8 ; PspRundownSingleProcess(x,x)
		jmp	loc_854989
; END OF FUNCTION CHUNK	FOR PspCreateProcess
; 
; START	OF FUNCTION CHUNK FOR PiDcHandleInterfaceEvent

loc_9010EF:				; CODE XREF: PiDcHandleInterfaceEvent+28j
		push	edx
		lea	eax, [ebp+var_70]
		push	eax
		push	10h
		lea	eax, [ebp+var_68]
		push	eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	offset _DEVPKEY_Device_ContainerId
		push	edx
		push	edx
		mov	edx, [ecx+8]
		mov	ecx, _PiPnpRtlCtx
		push	3
		mov	edx, [edx+0Ch]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_854A72
		cmp	[ebp+var_6C], 0Dh
		jnz	loc_854A72
		cmp	[ebp+var_70], 10h
		jnz	loc_854A72
		push	ecx		; int
		lea	edx, [ebp+var_58] ; void *
		lea	ecx, [ebp+var_68] ; int
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_854A72
		lea	ecx, [ebp+var_58]
		call	_PiDcContainerRequiresConfiguration@4 ;	PiDcContainerRequiresConfiguration(x)
		mov	edx, eax
		jmp	loc_854A72
; END OF FUNCTION CHUNK	FOR PiDcHandleInterfaceEvent
; 
; START	OF FUNCTION CHUNK FOR NtCommitRegistryTransaction

loc_90115B:				; CODE XREF: NtCommitRegistryTransaction+43j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, 0C0000189h
		jmp	loc_854BE8
; 

loc_901171:				; CODE XREF: NtCommitRegistryTransaction+4Dj
		mov	esi, 0C000000Dh
		jmp	loc_854BD5
; END OF FUNCTION CHUNK	FOR NtCommitRegistryTransaction
; 
; START	OF FUNCTION CHUNK FOR CmpRundownUnitOfWork

loc_90117B:				; CODE XREF: CmpRundownUnitOfWork+AC13Fj
					; CmpRundownUnitOfWork+AC18Fj
		push	edi
		push	ebx
		push	2

loc_90117F:				; CODE XREF: CmpRundownUnitOfWork+B7j
		push	12h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_901188:				; CODE XREF: CmpRundownUnitOfWork+7Aj
		xor	edx, edx
		test	eax, eax
		jz	short loc_90119D
		mov	ecx, [ebx+4]

loc_901191:				; CODE XREF: CmpRundownUnitOfWork+AC13Bj
		cmp	[ecx], edi
		jz	short loc_90119D
		inc	edx
		add	ecx, 4
		cmp	edx, eax
		jb	short loc_901191

loc_90119D:				; CODE XREF: CmpRundownUnitOfWork+AC12Cj
					; CmpRundownUnitOfWork+AC133j
		cmp	edx, eax
		jz	short loc_90117B
		lea	esi, [eax-1]
		jmp	short loc_9011B1
; 

loc_9011A6:				; CODE XREF: CmpRundownUnitOfWork+AC153j
		mov	ecx, [ebx+4]
		mov	eax, [ecx+edx*4+4]
		mov	[ecx+edx*4], eax
		inc	edx

loc_9011B1:				; CODE XREF: CmpRundownUnitOfWork+AC144j
		cmp	edx, esi
		jb	short loc_9011A6
		dec	dword ptr [ebx]
		cmp	dword ptr [ebx], 1
		jnz	loc_85506E
		mov	eax, [ebx+4]
		push	78494D43h
		push	eax
		mov	esi, [eax]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebx+4], esi
		jmp	loc_85506E
; 

loc_9011D8:				; CODE XREF: CmpRundownUnitOfWork+9Cj
		xor	edx, edx
		test	eax, eax
		jz	short loc_9011ED
		mov	ecx, [ebx+4]

loc_9011E1:				; CODE XREF: CmpRundownUnitOfWork+AC18Bj
		cmp	[ecx], edi
		jz	short loc_9011ED
		inc	edx
		add	ecx, 4
		cmp	edx, eax
		jb	short loc_9011E1

loc_9011ED:				; CODE XREF: CmpRundownUnitOfWork+AC17Cj
					; CmpRundownUnitOfWork+AC183j
		cmp	edx, eax
		jz	short loc_90117B
		lea	esi, [eax-1]
		jmp	short loc_901201
; 

loc_9011F6:				; CODE XREF: CmpRundownUnitOfWork+AC1A3j
		mov	ecx, [ebx+4]
		mov	eax, [ecx+edx*4+4]
		mov	[ecx+edx*4], eax
		inc	edx

loc_901201:				; CODE XREF: CmpRundownUnitOfWork+AC194j
		cmp	edx, esi
		jb	short loc_9011F6
		dec	dword ptr [ebx]
		cmp	dword ptr [ebx], 1
		jnz	loc_855075
		mov	eax, [ebx+4]
		push	78494D43h
		push	eax
		mov	esi, [eax]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebx+4], esi
		jmp	loc_855075
; END OF FUNCTION CHUNK	FOR CmpRundownUnitOfWork
; 
; START	OF FUNCTION CHUNK FOR CmpCommitPreparedLightWeightTransaction

loc_901228:				; CODE XREF: CmpCommitPreparedLightWeightTransaction+43j
		lea	eax, [ebp+var_58]
		push	eax
		push	2
		push	0
		push	0
		push	offset loc_41A3E8
		push	offset dword_6B2348
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_855313
; 

loc_901246:				; CODE XREF: CmpCommitPreparedLightWeightTransaction+C4j
		lea	eax, [ebp+var_60]
		mov	[ebp+var_60], esi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	ebx
		push	ebx
		push	offset loc_41A3A5
		push	edi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_855394
; END OF FUNCTION CHUNK	FOR CmpCommitPreparedLightWeightTransaction
; 
; START	OF FUNCTION CHUNK FOR CmpPrepareLightWeightTransaction

loc_901274:				; CODE XREF: CmpPrepareLightWeightTransaction+33j
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		push	esi
		push	esi
		push	offset byte_41A451
		push	offset dword_6B2348
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_8553DD
; 

loc_901290:				; CODE XREF: CmpPrepareLightWeightTransaction+6Dj
		push	ebx
		mov	ecx, edi
		call	_CmpCleanupLightWeightPrepare@12 ; CmpCleanupLightWeightPrepare(x,x,x)
		jmp	loc_85541B
; 

loc_90129D:				; CODE XREF: CmpPrepareLightWeightTransaction+93j
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		push	edi
		push	edi
		push	offset dword_41A420
		push	ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_85543D
; END OF FUNCTION CHUNK	FOR CmpPrepareLightWeightTransaction
; 
; START	OF FUNCTION CHUNK FOR CmpReportNotify

loc_9012B5:				; CODE XREF: CmpReportNotify+19j
		test	dword ptr [ecx+68h], 40000h
		jz	short loc_9012C1
		mov	ecx, [ecx+24h]

loc_9012C1:				; CODE XREF: CmpReportNotify+ABCD6j
		mov	ecx, [ecx+24h]
		jmp	loc_855605
; END OF FUNCTION CHUNK	FOR CmpReportNotify
; 
; START	OF FUNCTION CHUNK FOR CmpLightWeightCommitSetValueKeyUoW

loc_9012C9:				; CODE XREF: CmpLightWeightCommitSetValueKeyUoW+3Fj
		mov	[ebx+3Ch], ecx
		mov	eax, [edi+44h]
		mov	ecx, [edi+18h]
		mov	ax, [eax+8]
		mov	[ecx+62h], ax
		mov	eax, [edi+44h]
		jmp	loc_855679
; 

loc_9012E2:				; CODE XREF: CmpLightWeightCommitSetValueKeyUoW+4Bj
		mov	[ebx+40h], eax
		mov	eax, [edi+44h]
		mov	ecx, [edi+18h]
		mov	eax, [eax+0Ch]
		mov	[ecx+64h], eax
		jmp	loc_855685
; END OF FUNCTION CHUNK	FOR CmpLightWeightCommitSetValueKeyUoW
; 
; START	OF FUNCTION CHUNK FOR CmpLightWeightPrepareSetValueKeyUoW

loc_9012F6:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+92j
		mov	esi, 0C000009Ah
		jmp	loc_855A10
; 

loc_901300:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+BAj
		mov	esi, 0C000009Ah
		jmp	loc_855A05
; 

loc_90130A:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+E1j
		lea	eax, [ecx+8]
		mov	[ebp+var_10], eax
		jmp	loc_855878
; 

loc_901315:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+104j
		mov	esi, 0C000009Ah
		jmp	loc_8559FD
; 

loc_90131F:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+133j
		mov	esi, 0C000017Dh
		jmp	loc_8559DE
; 

loc_901329:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+16Dj
		mov	esi, 0C000009Ah
		jmp	loc_8559D0
; 

loc_901333:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+19Ej
					; CmpLightWeightPrepareSetValueKeyUoW+1C5j
		mov	esi, 0C000009Ah
		jmp	loc_8559C6
; 

loc_90133D:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+1E6j
		mov	esi, 0C000017Dh
		jmp	loc_8559BA
; 

loc_901347:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+1FCj
		mov	esi, 0C000009Ah
		jmp	loc_8559BA
; 

loc_901351:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+20Dj
		mov	esi, 0C000017Dh
		jmp	loc_8559AC
; 

loc_90135B:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+1D3j
		mov	eax, [ebx+28h]
		mov	edx, esi
		push	1
		push	[ebp+var_20]
		push	eax
		push	[ebp+var_14]
		call	CmpAddValueToListEx
		jmp	loc_85597A
; 

loc_901373:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+268j
		mov	edx, eax
		mov	ecx, edi
		call	_CmpFreeValue@8	; CmpFreeValue(x,x)
		jmp	loc_8559C6
; 

loc_901381:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+297j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8559FD
; 

loc_90138E:				; CODE XREF: CmpLightWeightPrepareSetValueKeyUoW+2B2j
		mov	edx, 77554D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		jmp	loc_855A10
; END OF FUNCTION CHUNK	FOR CmpLightWeightPrepareSetValueKeyUoW
; 
; START	OF FUNCTION CHUNK FOR CmpLightWeightCreateSetValueData

loc_90139D:				; CODE XREF: CmpLightWeightCreateSetValueData+36j
		mov	esi, 0C000009Ah
		jmp	loc_855B6B
; 

loc_9013A7:				; CODE XREF: CmpLightWeightCreateSetValueData+AFj
		mov	edx, [edi+8]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_9013B6
		mov	ecx, ebx
		call	HvFreeCell

loc_9013B6:				; CODE XREF: CmpLightWeightCreateSetValueData+AB8F7j
		mov	edx, 77554D43h
		mov	ecx, edi
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		jmp	loc_855B6B
; END OF FUNCTION CHUNK	FOR CmpLightWeightCreateSetValueData
; 
; START	OF FUNCTION CHUNK FOR NtOpenObjectAuditAlarm

loc_9013C7:				; CODE XREF: NtOpenObjectAuditAlarm+59j
		mov	esi, 0C0000061h
		jmp	short loc_901403
; 

loc_9013CE:				; CODE XREF: NtOpenObjectAuditAlarm+80j
		lea	eax, [ebp+var_64]
		push	eax
		call	SeReleaseSubjectContext
		cmp	esi, 0C0000008h
		jz	loc_901600
		push	esi
		jmp	loc_9015FB
; 

loc_9013E9:				; CODE XREF: NtOpenObjectAuditAlarm+218j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	esi, 0C00000A5h
		jmp	short loc_901403
; 

loc_9013F7:				; CODE XREF: NtOpenObjectAuditAlarm+99j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	esi, 0C0000079h

loc_901403:				; CODE XREF: NtOpenObjectAuditAlarm+AB7B8j
					; NtOpenObjectAuditAlarm+AB7E1j
		lea	eax, [ebp+var_64]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_901600
; 

loc_901411:				; CODE XREF: NtOpenObjectAuditAlarm+22Dj
		mov	eax, ecx
		jmp	loc_855E47
; 

loc_901418:				; CODE XREF: NtOpenObjectAuditAlarm+240j
		cmp	edi, 42h
		jbe	loc_855E5A
		mov	esi, 0C000000Dh
		jmp	loc_855D5E
; 

loc_90142B:				; CODE XREF: NtOpenObjectAuditAlarm+25Fj
					; NtOpenObjectAuditAlarm+267j
		mov	[ecx], bl
		jmp	loc_855E81
; 

loc_901432:				; CODE XREF: NtOpenObjectAuditAlarm+27Fj
		push	ebx
		push	dword ptr [ebp+var_3C]
		push	[ebp+var_20]
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	ecx, [ebp+var_28]
		call	ObfDereferenceObject
		lea	eax, [ebp+var_64]
		push	eax
		call	SeReleaseSubjectContext
		mov	edi, 0C000009Ah
		mov	[ebp+var_34], edi
		push	edi
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edi
		jmp	loc_855E0D
; 

loc_90146B:				; CODE XREF: NtOpenObjectAuditAlarm+F0j
		mov	eax, ecx
		jmp	loc_855D0A
; 

loc_901472:				; CODE XREF: NtOpenObjectAuditAlarm+10Bj
		mov	ecx, eax
		jmp	loc_855D25
; END OF FUNCTION CHUNK	FOR NtOpenObjectAuditAlarm

;  S U B	R O U T	I N E 


sub_901479	proc near		; DATA XREF: .text:006A48DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		xor	eax, eax
		inc	eax
		retn
sub_901479	endp


;  S U B	R O U T	I N E 


sub_901487	proc near		; DATA XREF: .text:006A48E0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-48h]
		mov	[ebp-34h], esi
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp-4], edi
		xor	ebx, ebx
		jmp	loc_855D67
sub_901487	endp

; 
; START	OF FUNCTION CHUNK FOR NtOpenObjectAuditAlarm

loc_90149D:				; CODE XREF: NtOpenObjectAuditAlarm+155j
		cmp	[ebp+var_2C], 0
		jz	short loc_9014AC
		push	ebx
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9014AC:				; CODE XREF: NtOpenObjectAuditAlarm+AB88Dj
		cmp	[ebp+var_38], 0
		jz	short loc_9014BB
		push	ebx
		push	[ebp+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9014BB:				; CODE XREF: NtOpenObjectAuditAlarm+AB89Cj
		cmp	[ebp+var_30], 0
		jz	short loc_9014CA
		push	ebx
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9014CA:				; CODE XREF: NtOpenObjectAuditAlarm+AB8ABj
		cmp	[ebp+var_24], 0
		jz	short loc_9014D9
		push	ebx
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9014D9:				; CODE XREF: NtOpenObjectAuditAlarm+AB8BAj
		cmp	[ebp+var_20], 0
		jz	short loc_9014EB
		push	ebx
		push	dword ptr [ebp+var_3C]
		push	[ebp+var_20]
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)

loc_9014EB:				; CODE XREF: NtOpenObjectAuditAlarm+AB8C9j
		mov	ecx, [ebp+var_28]
		call	ObfDereferenceObject
		lea	eax, [ebp+var_64]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_9015F1
; 

loc_901501:				; CODE XREF: NtOpenObjectAuditAlarm+17Fj
		mov	eax, [ebp+var_20]
		movzx	ecx, word ptr [eax+2]
		mov	edx, ecx
		and	edx, 10h
		mov	[ebp+arg_10], edx
		jz	short loc_901522
		mov	edx, [eax+0Ch]
		test	cx, cx
		jns	short loc_901524
		test	edx, edx
		jz	short loc_901522
		add	edx, eax
		jmp	short loc_901524
; 

loc_901522:				; CODE XREF: NtOpenObjectAuditAlarm+AB8FCj
					; NtOpenObjectAuditAlarm+AB908j
		mov	edx, ebx

loc_901524:				; CODE XREF: NtOpenObjectAuditAlarm+AB904j
					; NtOpenObjectAuditAlarm+AB90Cj
		cmp	word ptr [ebp+arg_10], 0
		jz	short loc_90153B
		test	cx, cx
		mov	ecx, [eax+0Ch]
		jns	short loc_90153D
		test	ecx, ecx
		jz	short loc_90153B
		add	ecx, eax
		jmp	short loc_90153D
; 

loc_90153B:				; CODE XREF: NtOpenObjectAuditAlarm+AB915j
					; NtOpenObjectAuditAlarm+AB921j
		mov	ecx, ebx

loc_90153D:				; CODE XREF: NtOpenObjectAuditAlarm+AB91Dj
					; NtOpenObjectAuditAlarm+AB925j
		lea	eax, [ebp+var_1A]
		push	eax
		lea	eax, [ebp-19h]
		push	eax
		push	[ebp+arg_28]
		mov	eax, [ebp+arg_18]
		or	eax, [ebp+arg_1C]
		push	eax
		push	[ebp+var_28]
		push	edx
		push	ecx
		call	_SeExamineSacl@28 ; SeExamineSacl(x,x,x,x,x,x,x)
		cmp	[ebp+var_19], 0
		jnz	short loc_901569
		cmp	[ebp+var_1A], 0
		jz	loc_855D99

loc_901569:				; CODE XREF: NtOpenObjectAuditAlarm+AB949j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	2
		push	dword ptr [eax+0E4h]
		push	[ebp+arg_28]
		push	[ebp+var_24]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+var_5C]
		push	[ebp+var_28]
		push	[ebp+var_20]
		push	[ebp+var_30]
		mov	esi, [ebp+var_38]
		push	esi
		mov	eax, [ebp+arg_4]
		neg	eax
		sbb	eax, eax
		lea	ecx, [ebp+var_40]
		and	eax, ecx
		push	eax
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_44]
		call	_SepAdtOpenObjectAuditAlarm@76 ; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_1B], al
		jmp	loc_855D99
; END OF FUNCTION CHUNK	FOR NtOpenObjectAuditAlarm

;  S U B	R O U T	I N E 


sub_9015BE	proc near		; DATA XREF: .text:006A48E8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_9015BE	endp


;  S U B	R O U T	I N E 


sub_9015CC	proc near		; DATA XREF: .text:006A48ECo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4Ch]
		jmp	loc_855E0D
sub_9015CC	endp

; 
; START	OF FUNCTION CHUNK FOR NtOpenObjectAuditAlarm

loc_9015DE:				; CODE XREF: NtOpenObjectAuditAlarm+B6j
					; NtOpenObjectAuditAlarm+BFj
		mov	ecx, esi
		call	ObfDereferenceObject
		lea	eax, [ebp+var_64]
		push	eax
		call	SeReleaseSubjectContext
		mov	esi, [ebp+var_34]

loc_9015F1:				; CODE XREF: NtOpenObjectAuditAlarm+AB8E8j
		mov	edi, 0C000009Ah
		cmp	esi, edi
		jnz	short loc_901600
		push	edi

loc_9015FB:				; CODE XREF: NtOpenObjectAuditAlarm+AB7D0j
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_901600:				; CODE XREF: NtOpenObjectAuditAlarm+AB7C9j
					; NtOpenObjectAuditAlarm+AB7F8j ...
		mov	eax, esi
		jmp	loc_855E0D
; END OF FUNCTION CHUNK	FOR NtOpenObjectAuditAlarm
; 
; START	OF FUNCTION CHUNK FOR EtwpRealtimeSaveBuffer

loc_901607:				; CODE XREF: EtwpRealtimeSaveBuffer+72j
					; EtwpRealtimeSaveBuffer+81j
		and	[ebp+var_1C], 0
		mov	eax, edi
		push	48h
		pop	ecx
		mov	[ebp+var_20], ecx
		xor	edi, edi
		mov	[ebp+var_14], edx
		mov	[ebp+var_18], eax
		jmp	loc_8565BF
; 

loc_901620:				; CODE XREF: EtwpRealtimeSaveBuffer+8Cj
					; EtwpRealtimeSaveBuffer+95j
		mov	edx, [ebx+30h]
		xor	eax, eax
		add	edx, ecx
		adc	eax, edi
		cmp	eax, [ebp+var_C]
		jl	loc_8565D3
		jg	short loc_90163D
		cmp	edx, [ebp+var_10]
		jb	loc_8565D3

loc_90163D:				; CODE XREF: EtwpRealtimeSaveBuffer+AB0FAj
		inc	dword ptr [esi+0BCh]
		lea	ecx, [esi+10h]
		cmp	dword ptr [ecx], 0
		mov	edi, 0C0000188h
		mov	dword ptr [esi+160h], 2
		jl	short loc_90165E
		mov	eax, edi
		xchg	eax, [ecx]

loc_90165E:				; CODE XREF: EtwpRealtimeSaveBuffer+AB120j
		push	offset _ETW_EVENT_BACKING_FILE_FULL
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_85666E
		push	dword ptr [esi+0Ch]
		push	ecx
		lea	ecx, [esi+5Ch]
		push	ecx
		push	ecx
		push	ecx
		call	_EtwpEventWriteTemplateBackingFile@28 ;	EtwpEventWriteTemplateBackingFile(x,x,x,x,x,x,x)
		jmp	loc_85666E
; 

loc_901690:				; CODE XREF: EtwpRealtimeSaveBuffer+117j
		lea	ecx, [esi+10h]
		cmp	dword ptr [ecx], 0
		jl	loc_856655
		mov	eax, 0C0000188h
		xchg	eax, [ecx]
		push	offset _ETW_EVENT_BACKING_FILE_FULL
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_856655
		push	dword ptr [esi+0Ch]
		lea	eax, [esi+5Ch]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		call	_EtwpEventWriteTemplateBackingFile@28 ;	EtwpEventWriteTemplateBackingFile(x,x,x,x,x,x,x)
		jmp	loc_856655
; 

loc_9016D5:				; CODE XREF: EtwpRealtimeSaveBuffer+BCj
		inc	dword ptr [esi+0BCh]
		push	offset _ETW_EVENT_WRITE_FAILED
		mov	dword ptr [esi+160h], 2
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_856655
		push	dword ptr [esi+0Ch]
		lea	eax, [esi+114h]
		push	edi
		push	eax
		lea	eax, [esi+5Ch]
		push	eax
		push	ecx
		push	ecx
		mov	ecx, offset _ETW_EVENT_WRITE_FAILED
		call	_EtwpEventWriteTemplateAdmin@32	; EtwpEventWriteTemplateAdmin(x,x,x,x,x,x,x,x)
		jmp	loc_856655
; END OF FUNCTION CHUNK	FOR EtwpRealtimeSaveBuffer
; 
; START	OF FUNCTION CHUNK FOR PopNotifySessionDisplayRequired

loc_901723:				; CODE XREF: PopNotifySessionDisplayRequired+32j
		push	dword ptr [ebp+arg_8]
		mov	edx, [ebp+arg_4]
		call	_TtmNotifySessionDisplayRequiredChange@12 ; TtmNotifySessionDisplayRequiredChange(x,x,x)
		jmp	loc_856776
; END OF FUNCTION CHUNK	FOR PopNotifySessionDisplayRequired
; 
; START	OF FUNCTION CHUNK FOR PsSetCreateThreadNotifyRoutineEx

loc_901733:				; CODE XREF: PsSetCreateThreadNotifyRoutineEx+Cj
		sub	eax, 1
		jz	short loc_901742
		mov	eax, 0C000000Dh
		jmp	loc_8567AF
; 

loc_901742:				; CODE XREF: PsSetCreateThreadNotifyRoutineEx+AAFB2j
		push	2
		pop	esi
		jmp	loc_856799
; END OF FUNCTION CHUNK	FOR PsSetCreateThreadNotifyRoutineEx
; 
; START	OF FUNCTION CHUNK FOR PsSetLoadImageNotifyRoutineEx

loc_90174A:				; CODE XREF: PsSetLoadImageNotifyRoutineEx+78j
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_901751:				; CODE XREF: PsSetLoadImageNotifyRoutineEx+20j
		mov	esi, 0C000009Ah
		jmp	loc_856842
; END OF FUNCTION CHUNK	FOR PsSetLoadImageNotifyRoutineEx
; 
; START	OF FUNCTION CHUNK FOR PspSetCreateThreadNotifyRoutine

loc_90175B:				; CODE XREF: PspSetCreateThreadNotifyRoutine+3Dj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C000009Ah
		jmp	loc_85690C
; END OF FUNCTION CHUNK	FOR PspSetCreateThreadNotifyRoutine
; 
; START	OF FUNCTION CHUNK FOR PspSetCreateProcessNotifyRoutine

loc_90176D:				; CODE XREF: PspSetCreateProcessNotifyRoutine+101j
		mov	ecx, [ebp+var_C]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, 0C000007Ah
		jmp	loc_8569CB
; 

loc_90177F:				; CODE XREF: PspSetCreateProcessNotifyRoutine+2Bj
		mov	eax, 0C0000022h
		jmp	loc_8569CB
; 

loc_901789:				; CODE XREF: PspSetCreateProcessNotifyRoutine+3Fj
		mov	eax, 0C000009Ah
		jmp	loc_8569CB
; 

loc_901793:				; CODE XREF: PspSetCreateProcessNotifyRoutine+6Cj
		push	0
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C000000Dh
		jmp	loc_8569CB
; END OF FUNCTION CHUNK	FOR PspSetCreateProcessNotifyRoutine
; 
; START	OF FUNCTION CHUNK FOR CmpTransSearchAddTransFromKeyBody

loc_9017A7:				; CODE XREF: CmpTransSearchAddTransFromKeyBody+14j
		cmp	dword ptr [ecx+24h], 0
		jnz	loc_856C3C
		mov	eax, 0C0190002h
		jmp	loc_856C72
; END OF FUNCTION CHUNK	FOR CmpTransSearchAddTransFromKeyBody
; 
; START	OF FUNCTION CHUNK FOR CmpTransSearchAddLightWeightTrans

loc_9017BB:				; CODE XREF: CmpTransSearchAddLightWeightTrans+78j
		mov	edi, 0C000009Ah
		jmp	loc_856D0F
; 

loc_9017C5:				; CODE XREF: CmpTransSearchAddLightWeightTrans+8Aj
		xor	ebx, ebx
		inc	ebx
		call	_LOCK_TRANSACTION_LIST@0 ; LOCK_TRANSACTION_LIST()
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	_CmpBindHiveToTrans@8 ;	CmpBindHiveToTrans(x,x)
		mov	edi, eax
		neg	edi
		sbb	edi, edi
		and	edi, 2
		add	edi, 0C0190001h
		jmp	loc_856DA6
; 

loc_9017EB:				; CODE XREF: CmpTransSearchAddLightWeightTrans+A0j
		mov	edi, 0C0190002h

loc_9017F0:				; CODE XREF: CmpTransSearchAddLightWeightTrans+49j
		call	_UNLOCK_TRANSACTION_LIST@0 ; UNLOCK_TRANSACTION_LIST()
		jmp	loc_856D21
; 

loc_9017FA:				; CODE XREF: CmpTransSearchAddLightWeightTrans+DFj
		push	72544D43h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_856D0F
; END OF FUNCTION CHUNK	FOR CmpTransSearchAddLightWeightTrans
; 
; START	OF FUNCTION CHUNK FOR EtwpRealtimeRestoreBuffer

loc_90180A:				; CODE XREF: EtwpRealtimeRestoreBuffer+72j
		mov	eax, 0C0000011h
		jmp	loc_857002
; END OF FUNCTION CHUNK	FOR EtwpRealtimeRestoreBuffer
; 
; START	OF FUNCTION CHUNK FOR PiResetProblemDevicesWorker

loc_901814:				; CODE XREF: PiResetProblemDevicesWorker+13j
		mov	eax, [esi+114h]
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	eax, [edi]
		jnz	short loc_901867
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_90183C
		mov	ecx, [esi+198h]
		cmp	ecx, eax
		jnb	short loc_901867
		lea	eax, [ecx+1]
		mov	[esi+198h], eax

loc_90183C:				; CODE XREF: PiResetProblemDevicesWorker+AA801j
		mov	ecx, [esi+10h]
		xor	edx, edx
		push	ebx
		xor	ebx, ebx
		inc	edx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	1
		call	PnpRequestDeviceAction
		cmp	[edi+4], ebx
		jz	short loc_901866
		mov	ecx, [esi+10h]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	1
		push	10h
		pop	edx
		call	PnpRequestDeviceAction

loc_901866:				; CODE XREF: PiResetProblemDevicesWorker+AA82Dj
		pop	ebx

loc_901867:				; CODE XREF: PiResetProblemDevicesWorker+AA7FAj
					; PiResetProblemDevicesWorker+AA80Bj
		pop	edi
		jmp	loc_85703F
; END OF FUNCTION CHUNK	FOR PiResetProblemDevicesWorker
; 
; START	OF FUNCTION CHUNK FOR PiDqGetObjectManagerForPnpObjectType

loc_90186D:				; CODE XREF: PiDqGetObjectManagerForPnpObjectType+25j
		sub	ecx, 1
		jnz	locret_857052
		mov	eax, offset _PiDqDevicePanelManager
		retn
; END OF FUNCTION CHUNK	FOR PiDqGetObjectManagerForPnpObjectType
; 
; START	OF FUNCTION CHUNK FOR EtwpExpandFileName

loc_90187C:				; CODE XREF: EtwpExpandFileName+55j
		mov	dl, [ebp+var_1]
		xor	eax, eax
		mov	[ebp+var_2], al
		cmp	dword ptr [ebp+arg_0], eax
		jnz	short loc_901891
		test	dl, dl
		jz	loc_8571BB

loc_901891:				; CODE XREF: EtwpExpandFileName+AA803j
		mov	ecx, [ebp+arg_4]
		add	esi, 2
		jmp	loc_857125
; 

loc_90189C:				; CODE XREF: EtwpExpandFileName+146j
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_3], 1
		add	esi, eax
		jmp	loc_857137
; 

loc_9018AA:				; CODE XREF: EtwpExpandFileName+CEj
		cmp	[ebp+var_1], 0
		jz	short loc_9018DB
		cmp	[ebp+var_3], 0
		jz	short loc_9018BE
		mov	edx, [ebp+arg_4]
		mov	eax, [edx+4]
		jmp	short loc_9018C3
; 

loc_9018BE:				; CODE XREF: EtwpExpandFileName+AA830j
		mov	eax, offset ??_C@_11LOCGONAA@@NNGAKEGL@

loc_9018C3:				; CODE XREF: EtwpExpandFileName+AA838j
		push	eax
		push	dword ptr [ebx+4] ; char
		push	offset ??_C@_1O@PEBEJIFE@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs@NNGAKEGL@	; wchar_t *
		push	esi		; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		jmp	loc_8571A1
; 

loc_9018DB:				; CODE XREF: EtwpExpandFileName+AA82Aj
		push	dword ptr [ebx+4] ; char
		push	offset ??_C@_17EEOGHOKP@?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	esi		; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		jmp	loc_8571A1
; 

loc_9018F2:				; CODE XREF: EtwpExpandFileName+C4j
		mov	ebx, 0C0000017h
		jmp	loc_8571B9
; END OF FUNCTION CHUNK	FOR EtwpExpandFileName
; 
; START	OF FUNCTION CHUNK FOR NtAreMappedFilesTheSame

loc_9018FC:				; CODE XREF: NtAreMappedFilesTheSame+26j
		mov	eax, 0C0000141h
		jmp	loc_8575D7
; 

loc_901906:				; CODE XREF: NtAreMappedFilesTheSame+49j
		mov	edx, esi
		mov	ecx, ebx
		call	_MiLockVadShared@8 ; MiLockVadShared(x,x)
		mov	ecx, esi
		call	MiUnlockAndDereferenceVadShared
		mov	eax, 0C0000141h
		jmp	loc_8575D6
; 

loc_901920:				; CODE XREF: NtAreMappedFilesTheSame+53j
		call	_MiDereferenceVad@4 ; MiDereferenceVad(x)
		mov	ecx, edi
		call	MiUnlockAndDereferenceVadShared
		xor	eax, eax
		jmp	loc_8575D6
; 

loc_901933:				; CODE XREF: NtAreMappedFilesTheSame+B5j
					; NtAreMappedFilesTheSame+BEj ...
		mov	ebx, 0C0000018h
		jmp	loc_8575A6
; 

loc_90193D:				; CODE XREF: NtAreMappedFilesTheSame+98j
					; NtAreMappedFilesTheSame+A7j
		mov	ebx, 0C0000141h
		jmp	loc_8575A6
; 

loc_901947:				; CODE XREF: NtAreMappedFilesTheSame+61j
					; NtAreMappedFilesTheSame+71j
		mov	ecx, edi
		call	MiUnlockAndDereferenceVadShared
		mov	edx, esi
		mov	ecx, ebx
		call	_MiLockVadShared@8 ; MiLockVadShared(x,x)
		mov	ecx, esi
		call	MiUnlockAndDereferenceVadShared
		mov	eax, 0C0000018h
		jmp	loc_8575D6
; END OF FUNCTION CHUNK	FOR NtAreMappedFilesTheSame
; 
; START	OF FUNCTION CHUNK FOR PopDirectedDripsRefreshDisengageState

loc_901968:				; CODE XREF: PopDirectedDripsRefreshDisengageState+34j
		test	ebx, ebx
		jnz	short loc_901978
		mov	ecx, edi
		xor	dl, dl
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PopDirectedDripsResumeDevices@8 ; PopDirectedDripsResumeDevices(x,x)
; 

loc_901978:				; CODE XREF: PopDirectedDripsRefreshDisengageState+AA36Aj
		test	esi, esi
		jnz	loc_85763A
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PopDirectedDripsSuspendDevices@4 ; PopDirectedDripsSuspendDevices(x)
; END OF FUNCTION CHUNK	FOR PopDirectedDripsRefreshDisengageState
; 
; START	OF FUNCTION CHUNK FOR PopDirectedDripsDiagTraceDisengageReasonChange

loc_90198A:				; CODE XREF: PopDirectedDripsDiagTraceDisengageReasonChange+44j
		mov	ecx, edi
		xor	edx, edx
		xor	ecx, esi
		mov	[ebp+var_40], edx
		mov	eax, ecx
		mov	[ebp+var_38], edx
		and	eax, edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_54], eax
		and	ecx, esi
		lea	eax, [ebp+var_48]
		mov	[ebp+var_50], ecx
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_50]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	edx
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_DISENGAGE_MASK_CHANGED
		push	ebx
		push	[ebp+var_58]
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_857688
; END OF FUNCTION CHUNK	FOR PopDirectedDripsDiagTraceDisengageReasonChange
; 
; START	OF FUNCTION CHUNK FOR CmpCheckExeOwnerForPca

loc_9019F4:				; CODE XREF: CmpCheckExeOwnerForPca+50j
		mov	ecx, ebx
		jmp	loc_857812
; END OF FUNCTION CHUNK	FOR CmpCheckExeOwnerForPca
; 
; START	OF FUNCTION CHUNK FOR MiDereferenceImports

loc_9019FB:				; CODE XREF: MiDereferenceImports+3Fj
		mov	ecx, [ebp+var_4]
		or	edx, 0FFFFFFFFh
		call	MiUnloadSystemImage
		jmp	loc_85793B
; END OF FUNCTION CHUNK	FOR MiDereferenceImports
; 
; START	OF FUNCTION CHUNK FOR MiUnloadApproved

loc_901A0B:				; CODE XREF: MiUnloadApproved+47j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+180h]
		test	byte ptr [eax+4], 2
		jnz	loc_85798C
		push	dword ptr [eax+8]
		push	edi
		push	esi
		push	2200h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_901A38:				; CODE XREF: MiUnloadApproved+2Bj
					; MiUnloadApproved+52j
		test	byte ptr [esi+70h], 20h
		jnz	short loc_901A5B
		push	offset ??_C@_09ICCHCNIA@DllUnload@NNGAKEGL@
		push	edi
		call	_RtlFindExportedRoutineByName@8	; RtlFindExportedRoutineByName(x,x)
		test	eax, eax
		jz	loc_85798C
		call	eax
		test	eax, eax
		js	loc_85798C

loc_901A5B:				; CODE XREF: MiUnloadApproved+AA0E6j
		mov	eax, ebx
		jmp	loc_85798E
; END OF FUNCTION CHUNK	FOR MiUnloadApproved
; 
; START	OF FUNCTION CHUNK FOR IopDeleteDriver

loc_901A62:				; CODE XREF: IopDeleteDriver+14j
		push	esi

loc_901A63:				; CODE XREF: IopDeleteDriver+AA0BCj
		mov	esi, [eax]
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_901A63
		pop	esi
		jmp	loc_8579CE
; 

loc_901A78:				; CODE XREF: IopDeleteDriver+73j
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [edi+18h]
		jmp	loc_857A2D
; END OF FUNCTION CHUNK	FOR IopDeleteDriver
; 
; START	OF FUNCTION CHUNK FOR MmUnloadSystemImage

loc_901A87:				; CODE XREF: MmUnloadSystemImage+18j
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		push	eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	ebx, eax
		mov	[ebp+var_1], 1
		jmp	loc_857A6E
; END OF FUNCTION CHUNK	FOR MmUnloadSystemImage
; 
; START	OF FUNCTION CHUNK FOR NtAlpcCancelMessage

loc_901A9D:				; CODE XREF: NtAlpcCancelMessage+26j
		mov	esi, 0C000000Dh
		jmp	loc_857B8D
; 

loc_901AA7:				; CODE XREF: NtAlpcCancelMessage+5Bj
		mov	edx, eax
		jmp	loc_857AFF
; END OF FUNCTION CHUNK	FOR NtAlpcCancelMessage

;  S U B	R O U T	I N E 


sub_901AAE	proc near		; DATA XREF: .text:006A4924o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_901AAE	endp


;  S U B	R O U T	I N E 


sub_901ABC	proc near		; DATA XREF: .text:006A4928o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-24h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_857B8D
sub_901ABC	endp

; 
; START	OF FUNCTION CHUNK FOR NtAlpcCancelMessage

loc_901ACE:				; CODE XREF: NtAlpcCancelMessage+3Dj
		mov	eax, [ebp+arg_8]
		mov	ebx, [eax+0Ch]
		mov	ecx, [eax+10h]
		mov	[ebp+arg_8], ecx
		mov	edi, [eax+4]
		jmp	loc_857B1E
; 

loc_901AE2:				; CODE XREF: NtAlpcCancelMessage+82j
		mov	esi, 0C0000109h
		jmp	loc_857B8D
; 

loc_901AEC:				; CODE XREF: NtAlpcCancelMessage+CAj
		mov	eax, [ebx+0F4h]
		and	al, 6
		cmp	al, 4
		jnz	short loc_901B02
		cmp	edi, [esi+38h]
		jnz	short loc_901B0B
		jmp	loc_857B6E
; 

loc_901B02:				; CODE XREF: NtAlpcCancelMessage+AA058j
		cmp	edi, [esi+3Ch]
		jz	loc_857B6E

loc_901B0B:				; CODE XREF: NtAlpcCancelMessage+AA05Dj
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_901B1B
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_901B1B:				; CODE XREF: NtAlpcCancelMessage+AA074j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	esi, 0C0000719h
		jmp	loc_857B86
; 

loc_901B2C:				; CODE XREF: NtAlpcCancelMessage+D4j
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_901B3C
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_901B3C:				; CODE XREF: NtAlpcCancelMessage+AA095j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	esi, 0C0000703h
		jmp	loc_857B86
; 

loc_901B4D:				; CODE XREF: NtAlpcCancelMessage+14Dj
		mov	al, byte ptr _PopWnfCsEnterScenarioId
		xor	ecx, ecx
		mov	[ebp-35h], al
		lea	eax, [ebp-35h]
		push	8
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_24], eax
		pop	eax
		mov	[ebp+var_1C], eax
		mov	[ebp+ms_exc.handler], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], 1
		mov	[ebp+var_28], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+ms_exc.old_esp], ecx
		mov	[ebp+ms_exc.exc_ptr], offset _PopWnfCsEnterScenarioId
		mov	[ebp+ms_exc.prev_er], ecx
		mov	[ebp+ms_exc.msEH_ptr], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_857BF1
; END OF FUNCTION CHUNK	FOR NtAlpcCancelMessage
; 
; START	OF FUNCTION CHUNK FOR MiRememberUnloadedDriver

loc_901BA0:				; CODE XREF: MiRememberUnloadedDriver+74j
		xor	eax, eax
		mov	[esi], eax
		jmp	loc_857CEF
; END OF FUNCTION CHUNK	FOR MiRememberUnloadedDriver
; 
; START	OF FUNCTION CHUNK FOR CmpCloneKCBValueListForTrans

loc_901BA9:				; CODE XREF: CmpCloneKCBValueListForTrans+65j
		mov	eax, [esi+10h]
		lea	ecx, [ebp+var_10]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_901BB4:				; CODE XREF: CmpCloneKCBValueListForTrans+42j
		xor	al, al
		jmp	loc_857D58	; size_t
; END OF FUNCTION CHUNK	FOR CmpCloneKCBValueListForTrans
; 
; START	OF FUNCTION CHUNK FOR HvDuplicateCell

loc_901BBB:				; CODE XREF: HvDuplicateCell+5Aj
		push	0		; int
		push	ebx		; void *
		call	_memset
		jmp	loc_857E33
; END OF FUNCTION CHUNK	FOR HvDuplicateCell
; 
; START	OF FUNCTION CHUNK FOR NtSetCachedSigningLevel2

loc_901BC8:				; CODE XREF: NtSetCachedSigningLevel2+2Ej
		mov	esi, 0C0000001h
		jmp	loc_858065
; 

loc_901BD2:				; CODE XREF: NtSetCachedSigningLevel2+38j
					; NtSetCachedSigningLevel2+A9CC1j
		mov	esi, 0C00000F0h
		jmp	loc_858065
; 

loc_901BDC:				; CODE XREF: NtSetCachedSigningLevel2+5Bj
		cmp	byte ptr [ebp+arg_4], cl
		jnz	short loc_901BD2
		jmp	loc_857F7F
; 

loc_901BE6:				; CODE XREF: NtSetCachedSigningLevel2+68j
					; NtSetCachedSigningLevel2+7Aj	...
		mov	esi, 0C00000EFh
		jmp	loc_858065
; 

loc_901BF0:				; CODE XREF: NtSetCachedSigningLevel2+86j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+arg_0], eax
		mov	dl, [eax+3A5h]
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	al, [eax+3A6h]
		and	al, 7
		cmp	al, 1
		jz	short loc_901C27
		mov	esi, 0C0000022h
		jmp	loc_858065
; 

loc_901C27:				; CODE XREF: NtSetCachedSigningLevel2+A9CFDj
		mov	eax, [ebp+arg_0]
		mov	al, [eax+3A4h]
		and	al, 0Fh
		mov	byte ptr [ebp+var_30], al
		and	dl, 0Fh
		mov	byte ptr [ebp+arg_0+3],	dl
		mov	byte ptr [ebp+var_34], dl
		mov	eax, dword_6BEA40
		test	eax, eax
		jz	short loc_901C61
		push	[ebp+var_30]
		push	[ebp+var_34]
		call	eax
		test	eax, eax
		jz	short loc_901C5E
		mov	al, byte ptr [ebp+var_30]
		mov	byte ptr [ebp+var_1D], al
		jmp	loc_857FAA
; 

loc_901C5E:				; CODE XREF: NtSetCachedSigningLevel2+A9D33j
		mov	dl, byte ptr [ebp+arg_0+3]

loc_901C61:				; CODE XREF: NtSetCachedSigningLevel2+A9D27j
		mov	byte ptr [ebp+var_1D], dl
		jmp	loc_857FAA
; 

loc_901C69:				; CODE XREF: NtSetCachedSigningLevel2+71j
		test	bl, 1
		jz	short loc_901C77
		mov	byte ptr [ebp+var_1D], 0Fh
		jmp	loc_857FAA
; 

loc_901C77:				; CODE XREF: NtSetCachedSigningLevel2+A9D4Ej
		test	bl, 2
		jz	loc_901BE6
		mov	byte ptr [ebp+var_1D], 8
		jmp	loc_857FAA
; 

loc_901C89:				; CODE XREF: NtSetCachedSigningLevel2+A5j
		mov	esi, 0C000009Ah
		jmp	loc_858062
; 

loc_901C93:				; CODE XREF: NtSetCachedSigningLevel2+D3j
					; NtSetCachedSigningLevel2+DCj
		mov	[eax], cl
		jmp	loc_858000
; 

loc_901C9A:				; CODE XREF: NtSetCachedSigningLevel2+E7j
		test	al, 3
		jnz	loc_858092
		lea	edx, [eax+0Ch]
		mov	eax, ds:_MmUserProbeAddress
		mov	[ebp+arg_0], eax
		cmp	edx, eax
		mov	eax, [ebp+arg_14]
		ja	short loc_901CBC
		cmp	edx, eax
		jnb	loc_85800B

loc_901CBC:				; CODE XREF: NtSetCachedSigningLevel2+A9D94j
		mov	eax, [ebp+arg_0]
		mov	[eax], cl
		jmp	loc_85800B
; 

loc_901CC6:				; CODE XREF: NtSetCachedSigningLevel2+FFj
		cmp	dword ptr [eax], 0Ch
		jnb	short loc_901CDF
		mov	esi, 0C00000F4h
		mov	[ebp+var_28], esi

loc_901CD3:				; CODE XREF: NtSetCachedSigningLevel2+A9DE6j
					; NtSetCachedSigningLevel2+A9DF8j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_858060
; 

loc_901CDF:				; CODE XREF: NtSetCachedSigningLevel2+A9DABj
		xor	ecx, ecx
		cmp	[eax+4], cx
		jbe	loc_858025
		lea	ecx, [ebp+var_24]
		push	ecx
		push	[ebp+var_2C]
		xor	edx, edx
		inc	edx
		lea	ecx, [eax+4]
		call	SepCaptureUnicodeStringArray
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	esi, esi
		js	short loc_901CD3
		push	ecx
		mov	ecx, [ebp+var_24]
		call	sub_53CD24
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	esi, esi
		js	short loc_901CD3
		jmp	loc_858023
; END OF FUNCTION CHUNK	FOR NtSetCachedSigningLevel2

;  S U B	R O U T	I N E 


sub_901D1D	proc near		; DATA XREF: .text:006A4944o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_901D1D	endp


;  S U B	R O U T	I N E 


sub_901D2D	proc near		; DATA XREF: .text:006A4948o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-38h]
		mov	[ebp-28h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ecx, ecx
		mov	edi, [ebp-30h]
		mov	dh, [ebp-2Ch]
		jmp	loc_858065
sub_901D2D	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetCachedSigningLevel2

loc_901D4A:				; CODE XREF: NtSetCachedSigningLevel2+43j
					; NtSetCachedSigningLevel2+4Fj	...
		mov	esi, 0C00000F2h
		jmp	loc_858065
; 

loc_901D54:				; CODE XREF: NtSetCachedSigningLevel2+14Bj
		cmp	dh, 1
		jnz	loc_85806F
		push	ecx
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_85806F
; END OF FUNCTION CHUNK	FOR NtSetCachedSigningLevel2
; 
; START	OF FUNCTION CHUNK FOR ObRegisterCallbacks

loc_901D6B:				; CODE XREF: ObRegisterCallbacks+59j
		mov	eax, 0C000009Ah
		jmp	loc_858244
; 

loc_901D75:				; CODE XREF: ObRegisterCallbacks+DAj
		cmp	[esi+0Ch], ebx
		jz	loc_901E0D
		test	ecx, ecx
		jz	loc_858199
		jmp	loc_85818C
; 

loc_901D8B:				; CODE XREF: ObRegisterCallbacks+F2j
		call	_MmVerifyCallbackFunctionCheckFlags@8 ;	MmVerifyCallbackFunctionCheckFlags(x,x)
		test	eax, eax
		jnz	loc_8581A4

loc_901D98:				; CODE XREF: ObRegisterCallbacks+E7j
		mov	[ebp+var_8], 0C0000022h

loc_901D9F:				; CODE XREF: ObRegisterCallbacks+144j
					; ObRegisterCallbacks+170j
		xor	eax, eax
		cmp	ax, [edi+2]
		jnb	short loc_901DFD
		lea	esi, [edi+10h]

loc_901DAA:				; CODE XREF: ObRegisterCallbacks+A9D4Fj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, [esi+14h]
		xor	edx, edx
		sub	ecx, 0FFFFFF80h
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_901E1A
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_901E1A
		mov	[eax], ecx
		xor	edx, edx
		mov	[ecx+4], eax
		mov	ecx, [esi+14h]
		sub	ecx, 0FFFFFF80h
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		movzx	eax, word ptr [edi+2]
		inc	ebx
		add	esi, 24h
		cmp	ebx, eax
		jb	short loc_901DAA

loc_901DFD:				; CODE XREF: ObRegisterCallbacks+A9CF9j
		push	6C46624Fh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_858241
; 

loc_901E0D:				; CODE XREF: ObRegisterCallbacks+C1j
					; ObRegisterCallbacks+CFj ...
		mov	eax, 0C000000Dh
		mov	[ebp+var_8], eax
		jmp	loc_85821A
; 

loc_901E1A:				; CODE XREF: ObRegisterCallbacks+A9D1Ej
					; ObRegisterCallbacks+A9D25j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_901E1F:				; CODE XREF: ObRegisterCallbacks+26j
					; ObRegisterCallbacks+33j
		mov	eax, 0C000000Dh
		jmp	loc_858244
; END OF FUNCTION CHUNK	FOR ObRegisterCallbacks
; 
; START	OF FUNCTION CHUNK FOR ObpInsertCallbackByAltitude

loc_901E29:				; CODE XREF: ObpInsertCallbackByAltitude+3Ej
		mov	edi, [edi+10h]
		mov	ebx, eax
		add	edi, 8

loc_901E31:				; CODE XREF: ObpInsertCallbackByAltitude+A9BFAj
		mov	eax, [esi+10h]
		push	edi
		add	eax, 8
		push	eax
		call	RtlCompareAltitudes
		test	eax, eax
		jle	short loc_901E4A
		mov	esi, [esi]
		cmp	esi, ebx
		jnz	short loc_901E31
		test	eax, eax

loc_901E4A:				; CODE XREF: ObpInsertCallbackByAltitude+A9BF4j
		mov	edi, [ebp+var_8]
		push	0
		pop	ebx
		jnz	loc_858290
		mov	ebx, 0C01C0011h
		jmp	loc_8582A4
; END OF FUNCTION CHUNK	FOR ObpInsertCallbackByAltitude
; 
; START	OF FUNCTION CHUNK FOR PopNotifyConsoleUserPresent

loc_901E60:				; CODE XREF: PopNotifyConsoleUserPresent+40j
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		call	_TtmNotifyConsoleUserPresent@8 ; TtmNotifyConsoleUserPresent(x,x)
		jmp	loc_85845B
; END OF FUNCTION CHUNK	FOR PopNotifyConsoleUserPresent
; 
; START	OF FUNCTION CHUNK FOR NtOpenKeyTransactedEx

loc_901E6F:				; CODE XREF: NtOpenKeyTransactedEx+25j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, 0C0000189h
		jmp	loc_85852E
; END OF FUNCTION CHUNK	FOR NtOpenKeyTransactedEx
; 
; START	OF FUNCTION CHUNK FOR CmpLockIXLockIntent

loc_901E85:				; CODE XREF: CmpLockIXLockIntent+Fj
		mov	ecx, [esi+4]
		mov	edx, [edi+1Ch]
		mov	ecx, [ecx+1Ch]
		call	CmEqualTrans
		test	al, al
		jnz	loc_85859E

loc_901E9B:				; CODE XREF: CmpLockIXLockIntent+A9948j
					; CmpLockIXLockIntent+A999Aj
		xor	al, al
		jmp	loc_8585A0
; 

loc_901EA2:				; CODE XREF: CmpLockIXLockIntent+2Ej
		push	78494D43h
		push	8
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_901E9B
		mov	[esi+4], eax
		mov	[eax], ebx
		mov	eax, [esi+4]
		mov	[eax+4], edi

loc_901EBF:				; CODE XREF: CmpLockIXLockIntent+A99C3j
		inc	dword ptr [esi]
		jmp	loc_8585AF
; 

loc_901EC6:				; CODE XREF: CmpLockIXLockIntent+18j
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_901EEC

loc_901ECC:				; CODE XREF: CmpLockIXLockIntent+A9980j
		mov	eax, [esi+4]
		mov	edx, [edi+1Ch]
		mov	ecx, [eax+ebx*4]
		mov	ecx, [ecx+1Ch]
		call	CmEqualTrans
		test	al, al
		jnz	loc_85859E
		mov	eax, [esi]
		inc	ebx
		cmp	ebx, eax
		jb	short loc_901ECC

loc_901EEC:				; CODE XREF: CmpLockIXLockIntent+A9960j
		push	78494D43h
		lea	eax, ds:4[eax*4]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_901E9B
		mov	eax, [esi]
		shl	eax, 2
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	78494D43h
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+4], ebx
		mov	eax, [esi]
		mov	[ebx+eax*4], edi
		jmp	short loc_901EBF
; END OF FUNCTION CHUNK	FOR CmpLockIXLockIntent
; 
; START	OF FUNCTION CHUNK FOR PopWnfAudioCallback

loc_901F2F:				; CODE XREF: PopWnfAudioCallback+8Dj
		push	0
		push	0
		push	5
		pop	ecx
		call	_PopUpdateSmartUserPresencePredictions@12 ; PopUpdateSmartUserPresencePredictions(x,x,x)
		jmp	loc_858608
; END OF FUNCTION CHUNK	FOR PopWnfAudioCallback
; 
; START	OF FUNCTION CHUNK FOR PopPowerRequestNotifyAudioStateChanged

loc_901F40:				; CODE XREF: PopPowerRequestNotifyAudioStateChanged+4Bj
		cmp	ds:_PopPowerRequestActiveAudioEnablesExecutionRequired,	0
		jz	short loc_901F55
		cmp	byte_6C3862, bl
		jnz	loc_85869B

loc_901F55:				; CODE XREF: PopPowerRequestNotifyAudioStateChanged+A98FDj
		cmp	byte_6C3861, bl
		jnz	loc_85869B
		push	esi
		call	KeQueryInterruptTime
		mov	esi, eax
		mov	ecx, edx
		sub	esi, dword_6C3868
		mov	edx, 989680h
		mov	eax, ds:_PopExecutionRequiredTimeout
		sbb	ecx, dword_6C386C
		mul	edx
		cmp	ecx, edx
		ja	short loc_901F8F
		jb	short loc_901F8D
		cmp	esi, eax
		jnb	short loc_901F8F

loc_901F8D:				; CODE XREF: PopPowerRequestNotifyAudioStateChanged+A993Dj
		mov	bl, 1

loc_901F8F:				; CODE XREF: PopPowerRequestNotifyAudioStateChanged+A993Bj
					; PopPowerRequestNotifyAudioStateChanged+A9941j
		pop	esi
		jmp	loc_85869D
; 

loc_901F95:				; CODE XREF: PopPowerRequestNotifyAudioStateChanged+59j
		mov	cl, bl
		mov	_PopExecutionRequiredContext, bl
		call	PopEnableExecutionRequiredPowerRequests
		jmp	loc_8586A9
; END OF FUNCTION CHUNK	FOR PopPowerRequestNotifyAudioStateChanged
; 
; START	OF FUNCTION CHUNK FOR PopAudioAccountingCallback

loc_901FA7:				; CODE XREF: PopAudioAccountingCallback+26j
		mov	ecx, dword_6D451C
		cmp	edi, ecx
		jb	short loc_901FC1
		ja	short loc_901FBB
		cmp	esi, dword_6D4518
		jbe	short loc_901FC1

loc_901FBB:				; CODE XREF: PopAudioAccountingCallback+A98E7j
		sub	eax, esi
		sbb	edx, edi
		jmp	short loc_901FC9
; 

loc_901FC1:				; CODE XREF: PopAudioAccountingCallback+A98E5j
					; PopAudioAccountingCallback+A98EFj
		sub	eax, dword_6D4518
		sbb	edx, ecx

loc_901FC9:				; CODE XREF: PopAudioAccountingCallback+A98F5j
		add	dword_6D4520, eax
		adc	dword_6D4524, edx
		jmp	loc_8586F6
; END OF FUNCTION CHUNK	FOR PopAudioAccountingCallback
; 
; START	OF FUNCTION CHUNK FOR PopAvlFindOrMakeStatsForScenarioType

loc_901FDA:				; CODE XREF: PopAvlFindOrMakeStatsForScenarioType+44j
		cmp	esi, 1
		jnz	loc_8587D4
		mov	eax, offset _MOBILE_HOTSPOT_STATS_ID ; "Mobile Hotspot"
		jmp	loc_8587B5
; 

loc_901FED:				; CODE XREF: PopAvlFindOrMakeStatsForScenarioType+EBj
		lea	eax, [esp+0D0h+var_B8]
		push	eax
		push	edi
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		jmp	loc_8587EA
; END OF FUNCTION CHUNK	FOR PopAvlFindOrMakeStatsForScenarioType
; 
; START	OF FUNCTION CHUNK FOR CmpLockIXLockExclusive

loc_901FFD:				; CODE XREF: CmpLockIXLockExclusive+Ej
		cmp	eax, 1
		jnz	loc_8588A3
		mov	ecx, [esi+4]
		mov	edx, [edx+1Ch]
		mov	ecx, [ecx+1Ch]
		call	CmEqualTrans
		test	al, al
		jz	loc_8588A3
		or	dword ptr [esi], 80000000h
		jmp	loc_85887C
; END OF FUNCTION CHUNK	FOR CmpLockIXLockExclusive
; 
; START	OF FUNCTION CHUNK FOR EtwpRealtimeZeroTruncateLogfile

loc_902027:				; CODE XREF: EtwpRealtimeZeroTruncateLogfile+3Dj
					; EtwpRealtimeZeroTruncateLogfile+62j
		push	dword ptr [edi+110h]
		call	_ZwClose@4	; ZwClose(x)
		mov	[edi+110h], esi
		mov	ebx, esi
		jmp	loc_85892A
; END OF FUNCTION CHUNK	FOR EtwpRealtimeZeroTruncateLogfile
; 
; START	OF FUNCTION CHUNK FOR EtwpCheckSecurityLoggerAccess

loc_90203F:				; CODE XREF: EtwpCheckSecurityLoggerAccess+Aj
		cmp	al, 61h
		jz	loc_858964
		cmp	al, 62h
		jz	loc_858964
		cmp	al, 51h
		jz	loc_858964
		mov	edx, 0C0000022h
		jmp	loc_858964
; END OF FUNCTION CHUNK	FOR EtwpCheckSecurityLoggerAccess
; 
; START	OF FUNCTION CHUNK FOR NtCreateRegistryTransaction

loc_902061:				; CODE XREF: NtCreateRegistryTransaction+23j
		mov	esi, 0C0000189h
		jmp	loc_858B49
; 

loc_90206B:				; CODE XREF: NtCreateRegistryTransaction+2Cj
		mov	esi, 0C000000Dh
		jmp	loc_858B49
; 

loc_902075:				; CODE XREF: NtCreateRegistryTransaction+5Cj
		mov	ecx, edx
		jmp	loc_858AD2
; END OF FUNCTION CHUNK	FOR NtCreateRegistryTransaction

;  S U B	R O U T	I N E 


sub_90207C	proc near		; DATA XREF: .text:006A4964o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90207C	endp


;  S U B	R O U T	I N E 


sub_90208A	proc near		; DATA XREF: .text:006A4968o
		mov	esi, [ebp-28h]
		jmp	short loc_902092
; 

loc_90208F:				; DATA XREF: .text:006A4974o
		mov	esi, [ebp-30h]

loc_902092:				; CODE XREF: sub_90208A+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_858B46
sub_90208A	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateRegistryTransaction

loc_9020A1:				; CODE XREF: NtCreateRegistryTransaction+46j
		mov	ebx, [ebp+arg_0]
		mov	[ebx], esi
		jmp	loc_858ADB
; END OF FUNCTION CHUNK	FOR NtCreateRegistryTransaction

;  S U B	R O U T	I N E 


sub_9020AB	proc near		; DATA XREF: .text:006A4970o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
sub_9020AB	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateRegistryTransaction

loc_9020B9:				; CODE XREF: NtCreateRegistryTransaction+DDj
		push	[ebp+var_20]
		call	NtClose
		jmp	loc_858B53
; END OF FUNCTION CHUNK	FOR NtCreateRegistryTransaction
; 
; START	OF FUNCTION CHUNK FOR MiReturnSystemImageCommitment

loc_9020C6:				; CODE XREF: MiReturnSystemImageCommitment+7j
		mov	ecx, [ecx+3Ch]
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	eax, [eax]
		mov	edx, [eax+4]
		mov	esi, edx
		jmp	loc_858BA9
; END OF FUNCTION CHUNK	FOR MiReturnSystemImageCommitment
; 
; START	OF FUNCTION CHUNK FOR PoUnregisterPowerSettingCallback

loc_9020DA:				; CODE XREF: PoUnregisterPowerSettingCallback+3Dj
		mov	eax, [esi+0Ch]
		cmp	eax, large fs:124h
		jnz	short loc_9020EF
		mov	byte ptr [esi+10h], 1
		jmp	loc_858C3E
; 

loc_9020EF:				; CODE XREF: PoUnregisterPowerSettingCallback+A94F0j
		mov	byte ptr [esi+11h], 1
		jmp	short loc_90211B
; 

loc_9020F5:				; CODE XREF: PoUnregisterPowerSettingCallback+A952Cj
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _PopPowerSettingCallbackReturned
		call	KeWaitForSingleObject
		push	offset _PopPowerSettingCallbackReturned
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	ecx, edi
		call	ExAcquireFastMutex

loc_90211B:				; CODE XREF: PoUnregisterPowerSettingCallback+A94FFj
		mov	eax, [esi+0Ch]
		test	eax, eax
		jnz	short loc_9020F5
		mov	[esi+11h], bl
		jmp	loc_858C37
; END OF FUNCTION CHUNK	FOR PoUnregisterPowerSettingCallback
; 
; START	OF FUNCTION CHUNK FOR PopMonitorInvocation

loc_90212A:				; CODE XREF: PopMonitorInvocation+19j
		cmp	[ecx], bl
		jz	loc_858D15
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	ecx, edi
		call	_PopIsInputSuppressionEngaged@4	; PopIsInputSuppressionEngaged(x)
		test	al, al
		jz	short loc_902155
		cmp	_PopWdiCurrentScenario,	offset _GUID_NULL
		jz	short loc_902155
		mov	ecx, edi
		call	_PopTraceMonitorOnRequestUserInput@4 ; PopTraceMonitorOnRequestUserInput(x)

loc_902155:				; CODE XREF: PopMonitorInvocation+A944Aj
					; PopMonitorInvocation+A9456j
		mov	edx, edi
		mov	cl, 1
		call	_PopProcessSessionDisplayStateChange@8 ; PopProcessSessionDisplayStateChange(x,x)
		mov	esi, eax
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		test	esi, esi
		jz	short loc_902175
		cmp	esi, 103h
		jnz	loc_858D15

loc_902175:				; CODE XREF: PopMonitorInvocation+A9471j
		mov	ecx, _PopLastStandbyExitScenarioId
		cmp	ecx, _PopWdiCurrentScenarioInstanceId
		jnz	short loc_902194
		mov	eax, dword_6FE0B4
		cmp	eax, dword_6C1F7C
		jz	loc_858D15

loc_902194:				; CODE XREF: PopMonitorInvocation+A948Bj
		cmp	_PopConsoleDisplayState, ebx
		jnz	loc_858D15
		mov	ecx, edi
		call	_PopDiagTraceMonitorOnWithLidClosed@4 ;	PopDiagTraceMonitorOnWithLidClosed(x)
		mov	eax, _PopWdiCurrentScenarioInstanceId
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	8
		push	offset _PopWdiCurrentScenarioInstanceId
		mov	_PopLastStandbyExitScenarioId, eax
		mov	eax, dword_6C1F7C
		push	offset _WNF_PO_MODERN_STANDBY_EXIT_INITIATED
		mov	dword_6FE0B4, eax
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		jmp	loc_858D15
; END OF FUNCTION CHUNK	FOR PopMonitorInvocation
; 
; START	OF FUNCTION CHUNK FOR EtwpGetImageSize

loc_9021D5:				; CODE XREF: EtwpGetImageSize+23j
		mov	edi, 20Bh
		cmp	si, di
		jnz	loc_858DA8
		jmp	loc_858DA3
; END OF FUNCTION CHUNK	FOR EtwpGetImageSize

;  S U B	R O U T	I N E 


sub_9021E8	proc near		; DATA XREF: .text:006A498Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_9021E8	endp


;  S U B	R O U T	I N E 


sub_9021F6	proc near		; DATA XREF: .text:006A4990o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_858DBD
sub_9021F6	endp

; 
; START	OF FUNCTION CHUNK FOR CmpRollbackLightWeightTransaction

loc_902208:				; CODE XREF: CmpRollbackLightWeightTransaction+1Cj
		push	4
		pop	edx
		xor	eax, eax
		mov	ecx, edx
		inc	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 1
		jz	short loc_902223
		mov	ebx, 0C0190003h
		jmp	loc_858E22
; 

loc_902223:				; CODE XREF: CmpRollbackLightWeightTransaction+A942Bj
		push	ebx
		push	edx
		lea	eax, [esp+18h+var_4]
		mov	[esp+18h+var_4], edx
		push	eax
		lea	ecx, [esi+4]
		mov	edx, esi
		call	ExBlockOnAddressPushLock
		jmp	loc_858E2A
; END OF FUNCTION CHUNK	FOR CmpRollbackLightWeightTransaction
; 
; START	OF FUNCTION CHUNK FOR PopIssueActionRequest

loc_90223D:				; CODE XREF: PopIssueActionRequest+49j
					; PopIssueActionRequest+55j
		mov	edi, [esp+40h+var_30]
		cmp	edi, 2
		jnz	loc_85AAFD
		cmp	esi, 5
		jge	loc_85AAFD
		mov	eax, dword_6C26D4
		test	eax, eax
		jz	short loc_90226A
		cmp	eax, 4
		jz	short loc_90226A
		cmp	eax, 5
		jnz	loc_85AAFD

loc_90226A:				; CODE XREF: PopIssueActionRequest+A77BCj
					; PopIssueActionRequest+A77C1j
		mov	eax, dword_6C2D18
		test	eax, eax
		jnz	short loc_9022A7
		cmp	byte_6C2D11, bl
		jz	short loc_902294
		test	_PopSimulate, 4000000h
		jz	short loc_9022A7
		push	7
		pop	edx
		push	4
		pop	ecx
		call	PopSetSystemState
		jmp	short loc_9022A7
; 

loc_902294:				; CODE XREF: PopIssueActionRequest+A77DBj
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		push	1
		call	_PopSetSystemAwayMode@4	; PopSetSystemAwayMode(x)
		mov	ebx, eax
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()

loc_9022A7:				; CODE XREF: PopIssueActionRequest+A77D3j
					; PopIssueActionRequest+A77E7j	...
		call	_PopReleaseAwaymodeLock@0 ; PopReleaseAwaymodeLock()
		mov	eax, ebx
		jmp	loc_85ADD8
; 

loc_9022B3:				; CODE XREF: PopIssueActionRequest+74j
		cmp	eax, 7
		jle	short loc_9022C1
		cmp	eax, 0Bh
		jnz	loc_85AB18

loc_9022C1:				; CODE XREF: PopIssueActionRequest+A7818j
		push	15h
		jmp	loc_85AB1A
; 

loc_9022C8:				; CODE XREF: PopIssueActionRequest+6Bj
		xor	esi, esi
		inc	esi
		jmp	loc_85AB1B
; 

loc_9022D0:				; CODE XREF: PopIssueActionRequest+80j
		cmp	_PopConsoleDisplayState, ebx
		jz	short loc_9022F0
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	ecx, esi
		call	_PopScreenOff@4	; PopScreenOff(x)
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		xor	eax, eax
		jmp	loc_85ADD8
; 

loc_9022F0:				; CODE XREF: PopIssueActionRequest+A7838j
		mov	eax, 0C000A003h
		jmp	loc_85ADD8
; 

loc_9022FA:				; CODE XREF: PopIssueActionRequest+91j
					; PopIssueActionRequest+9Aj ...
		mov	al, 1
		mov	byte ptr [esp+40h+var_34+1], al
		jmp	loc_85AB4D
; 

loc_902305:				; CODE XREF: PopIssueActionRequest+B5j
					; PopIssueActionRequest+BDj
		mov	al, 1
		mov	byte ptr [esp+40h+var_34+2], al
		jmp	loc_85AB67
; 

loc_902310:				; CODE XREF: PopIssueActionRequest+CEj
		or	edi, 1
		jmp	loc_85AB75
; 

loc_902318:				; CODE XREF: PopIssueActionRequest+D9j
		and	_PopAction, 0FDh
		jmp	loc_85AB7D
; 

loc_902324:				; CODE XREF: PopIssueActionRequest+159j
		mov	eax, [esp+44h+var_30]
		push	edi
		push	eax
		mov	eax, [esp+4Ch+var_34]
		push	eax
		call	_ZwSetSystemPowerState@12 ; ZwSetSystemPowerState(x,x,x)
		mov	esi, eax
		jmp	loc_85AD59
; 

loc_90233B:				; CODE XREF: PopIssueActionRequest+1C8j
		mov	eax, ebx
		jmp	loc_85AC6F
; 

loc_902342:				; CODE XREF: PopIssueActionRequest+2A1j
		cmp	[esp+44h+var_38], 0
		jnz	loc_85ADC2
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	_PopTtmIsSxTransitionInProgress, bl
		mov	bl, _PopTtmIsSxCompleteNotificationPending
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		test	bl, bl
		jz	short loc_902387
		mov	ecx, [esp+44h+var_2C]
		call	_TtmNotifyLowPowerStateExited@4	; TtmNotifyLowPowerStateExited(x)
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		xor	ebx, ebx
		mov	_PopTtmIsSxCompleteNotificationPending,	bl
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		jmp	loc_85AD45
; 

loc_902387:				; CODE XREF: PopIssueActionRequest+A78C7j
		xor	ebx, ebx
		jmp	loc_85AD4C
; END OF FUNCTION CHUNK	FOR PopIssueActionRequest
; 
; START	OF FUNCTION CHUNK FOR PopPowerAggregatorRecordIntent

loc_90238E:				; CODE XREF: PopPowerAggregatorRecordIntent+3Bj
		cmp	[esi+18h], edi
		jnz	loc_85B017
		mov	eax, [ebp+arg_4]
		cmp	[esi+20h], eax
		jnz	loc_85B017
		cmp	[esi+88h], ebx
		jnz	loc_85B017
		mov	edx, [ebp+arg_8]
		lea	ecx, [esi+28h]
		call	_PopPowerAggregatorAreTargetStatesEqual@8 ; PopPowerAggregatorAreTargetStatesEqual(x,x)
		test	al, al
		jz	loc_85B017
		mov	edx, [ebp+arg_C]
		lea	ecx, [esi+58h]
		call	_PopPowerAggregatorAreTargetStatesEqual@8 ; PopPowerAggregatorAreTargetStatesEqual(x,x)
		test	al, al
		jz	loc_85B017
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeQueryInterruptTimePrecise@4 ; KeQueryInterruptTimePrecise(x)
		sub	eax, [esi+8]
		sbb	edx, [esi+0Ch]
		mov	[ebp+var_4], edx
		jnz	loc_85B017
		cmp	eax, 2FAF080h
		jb	loc_85B04F
		jmp	loc_85B017
; END OF FUNCTION CHUNK	FOR PopPowerAggregatorRecordIntent
; 
; START	OF FUNCTION CHUNK FOR PopPowerAggregatorDiagTraceEvent

loc_9023FD:				; CODE XREF: PopPowerAggregatorDiagTraceEvent+2Dj
		push	[ebp+arg_0]
		push	[ebp+var_4]
		push	0
		push	esi
		push	edi
		push	ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_85B2F3
; END OF FUNCTION CHUNK	FOR PopPowerAggregatorDiagTraceEvent
; 
; START	OF FUNCTION CHUNK FOR PopPowerAggregatorSystemTransitionEnterStateHandler

loc_902412:				; CODE XREF: PopPowerAggregatorSystemTransitionEnterStateHandler+3Aj
		cmp	eax, 4
		jnz	loc_85B3A8
		jmp	loc_85B33A
; END OF FUNCTION CHUNK	FOR PopPowerAggregatorSystemTransitionEnterStateHandler
; 
; START	OF FUNCTION CHUNK FOR PopPowerAggregatorIsAtTargetState

loc_902420:				; CODE XREF: PopPowerAggregatorIsAtTargetState+Ej
		cmp	dword_6C0A08, 1
		jnz	loc_85B42E
		mov	eax, dword_6C0A10
		cmp	eax, dword_6C09E8
		jnz	loc_85B42E
		mov	eax, dword_6C0A14
		cmp	eax, dword_6C09EC
		jmp	loc_85B43D
; END OF FUNCTION CHUNK	FOR PopPowerAggregatorIsAtTargetState
; 
; START	OF FUNCTION CHUNK FOR EmPowerPagingEnabled

loc_90244E:				; CODE XREF: EmPowerPagingEnabled+36j
		xor	ebx, ebx
		lea	eax, [ebp+var_14]
		push	0
		inc	ebx
		push	ebx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_14]
		mov	_EmpPagingStatus, eax
		jmp	loc_85B483
; 

loc_90246A:				; CODE XREF: EmPowerPagingEnabled+48j
		test	al, 4
		jnz	loc_85B492
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_85B492
; 

loc_90247E:				; CODE XREF: EmPowerPagingEnabled+57j
		xor	ebx, ebx
		lea	eax, [ebp+var_14]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	eax
		call	KeWaitForSingleObject
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	_EmpPagingStatus, ebx
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9024B0
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9024B0:				; CODE XREF: EmPowerPagingEnabled+A7063j
		mov	ecx, esi
		call	KeAbPostRelease
		jmp	loc_85B4A1
; END OF FUNCTION CHUNK	FOR EmPowerPagingEnabled
; 
; START	OF FUNCTION CHUNK FOR PopFxNotifySxTransitionState

loc_9024BC:				; CODE XREF: PopFxNotifySxTransitionState+27j
		test	al, 4
		jnz	loc_85B57B
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_85B57B
; 

loc_9024D0:				; CODE XREF: PopFxNotifySxTransitionState+60j
		cmp	[eax+4], edi
		jnz	short loc_9024F5
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_9024F5
		push	1
		add	eax, 10h
		mov	dword_6C39E4, ecx
		push	eax
		mov	[ecx+4], edi
		call	ExQueueWorkItem
		jmp	loc_85B5A7
; 

loc_9024F5:				; CODE XREF: PopFxNotifySxTransitionState+A6F85j
					; PopFxNotifySxTransitionState+A6F8Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9024FA:				; CODE XREF: PopFxNotifySxTransitionState+6Fj
		test	al, 4
		jnz	loc_85B5C3
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_85B5C3
; END OF FUNCTION CHUNK	FOR PopFxNotifySxTransitionState
; 
; START	OF FUNCTION CHUNK FOR PopNotifyTelemetryOsState

loc_90250E:				; CODE XREF: PopNotifyTelemetryOsState+59j
		push	2
		pop	edx
		lea	eax, [ebx-2]
		cmp	edx, eax
		sbb	edx, edx
		and	edx, 0FFFFFFFDh
		add	edx, 8
		jmp	loc_85B62D
; END OF FUNCTION CHUNK	FOR PopNotifyTelemetryOsState
; 
; START	OF FUNCTION CHUNK FOR PopPolicyWorkerAction

loc_902523:				; CODE XREF: PopPolicyWorkerAction+6Dj
		cmp	dword_6C26C8, 5
		jnz	short loc_902538
		mov	dword_6C26D4, 6
		jmp	short loc_902540
; 

loc_902538:				; CODE XREF: PopPolicyWorkerAction+A6ED2j
		mov	eax, [ebp+var_18]
		mov	dword_6C26D4, eax

loc_902540:				; CODE XREF: PopPolicyWorkerAction+A6EDEj
		mov	eax, dword_6C26CC
		and	cl, 0FDh
		and	eax, 0FFFFFFFCh
		mov	_PopAction, cl
		or	eax, 80000020h
		mov	cl, bl
		mov	dword_6C26CC, eax
		call	_PopSetPowerActionState@4 ; PopSetPowerActionState(x)
		push	2
		pop	ecx
		jmp	loc_85B6F8
; 

loc_90256A:				; CODE XREF: PopPolicyWorkerAction+7Dj
		mov	eax, [ebp+var_1C]
		lea	ecx, [ebp+var_14]
		and	[ebp+var_10], 0
		mov	edx, ebx
		and	[ebp+var_8], 0
		push	offset byte_401802
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_24]
		push	1223h
		push	80008000h
		mov	[ebp+var_20], edi
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 8
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_85B6DB
; END OF FUNCTION CHUNK	FOR PopPolicyWorkerAction
; 
; START	OF FUNCTION CHUNK FOR PopSleepstudyStartNextSession

loc_9025A6:				; CODE XREF: PopSleepstudyStartNextSession+1ACj
		push	[ebp+var_174]
		mov	ecx, offset _WNF_PO_SCENARIO_CHANGE
		push	edx
		mov	edx, edi
		call	_PopSleepstudySendWnfNotification@16 ; PopSleepstudySendWnfNotification(x,x,x,x)
		push	0
		push	[ebp+var_164]
		lea	edx, [ebp+var_1D0]
		mov	ecx, esi
		call	_PopSleepstudyCaptureResiliencyStatistics@16 ; PopSleepstudyCaptureResiliencyStatistics(x,x,x,x)
		mov	ecx, [ebp+var_158]

loc_9025D4:				; CODE XREF: PopSleepstudyStartNextSession+1A3j
		cmp	ecx, 2
		jz	loc_85BB30
		cmp	dword ptr [esi], 1
		jnz	short loc_9025EA
		add	dword ptr [ebx+8], 1
		adc	dword ptr [ebx+0Ch], 0

loc_9025EA:				; CODE XREF: PopSleepstudyStartNextSession+A6C62j
		cmp	ecx, 1
		jz	short loc_9025F4
		cmp	ecx, 3
		jnz	short loc_902607

loc_9025F4:				; CODE XREF: PopSleepstudyStartNextSession+A6C6Fj
		mov	byte_6D458C, 1
		cmp	ecx, 3
		jnz	short loc_902607
		mov	eax, dword_6C26D4
		jmp	short loc_90261A
; 

loc_902607:				; CODE XREF: PopSleepstudyStartNextSession+A6C74j
					; PopSleepstudyStartNextSession+A6C80j
		xor	eax, eax
		cmp	[ebp+var_160], 2Dh
		setnz	al
		dec	eax
		and	eax, 0FFFFFFF1h
		add	eax, 11h

loc_90261A:				; CODE XREF: PopSleepstudyStartNextSession+A6C87j
		mov	edx, [ebp+var_168]
		xor	cl, cl
		mov	_PopSleepstudyStopReason, eax
		call	_PopSetModernStandbyTransitionReason@8 ; PopSetModernStandbyTransitionReason(x,x)
		lea	eax, [ebp+var_150]
		mov	edx, edi
		push	eax		; void *
		push	dword ptr [ebx+0Ch] ; int
		push	dword ptr [ebx+8] ; int
		call	_PopSleepstudyCaptureSessionStatistics@20 ; PopSleepstudyCaptureSessionStatistics(x,x,x,x,x)
		cmp	_PopSleepstudySessionContext, 0
		jnz	short loc_9026A3
		and	[ebp+var_190], 0
		lea	eax, [ebp+var_190]
		and	[ebp+var_18C], 0
		lea	esi, [ebp+var_150]
		or	[ebp+var_188], 0FFFFFFFFh
		mov	edi, offset _PopWdiScenarioStopEventData
		or	[ebp+var_184], 0FFFFFFFFh
		push	52h
		pop	ecx
		push	eax
		push	0
		push	0
		push	0FFFFFFFFh
		push	0FD050F80h
		rep movsd
		push	offset unk_6BF048
		call	KeSetTimer2
		mov	esi, [ebp+var_154]
		mov	edi, offset _GUID_NULL
		mov	_PopSleepstudySessionContext, 1

loc_9026A3:				; CODE XREF: PopSleepstudyStartNextSession+A6CC9j
		push	dword ptr [ebx+0Ch]
		mov	edx, edi
		mov	ecx, offset _WNF_PO_UMPO_SCENARIO_CHANGE
		push	dword ptr [ebx+8]
		call	_PopSleepstudySendWnfNotification@16 ; PopSleepstudySendWnfNotification(x,x,x,x)
		mov	ecx, [ebp+var_158]
		jmp	loc_85BB30
; 

loc_9026C0:				; CODE XREF: PopSleepstudyStartNextSession+1BEj
		lea	ecx, [ebp+var_1B0]
		call	_PopCalculateIdleInformation@4 ; PopCalculateIdleInformation(x)
		mov	eax, [ebp+var_1A0]
		lea	edx, [ebp+var_1D0]
		mov	[ebx+38h], eax
		mov	ecx, ebx
		mov	eax, [ebp+var_19C]
		mov	[ebx+3Ch], eax
		mov	eax, [ebp+var_1A8]
		push	1
		push	[ebp+var_164]
		mov	[ebx+50h], eax
		mov	eax, [ebp+var_1A4]
		mov	[ebx+54h], eax
		call	_PopSleepstudyCaptureResiliencyStatistics@16 ; PopSleepstudyCaptureResiliencyStatistics(x,x,x,x)
		push	dword ptr [esi+0Ch]
		mov	edx, offset _GUID_SPM_LOW_POWER_CS
		mov	ecx, offset _WNF_PO_SCENARIO_CHANGE
		push	dword ptr [esi+8]
		jmp	short loc_902757
; 

loc_902716:				; CODE XREF: PopSleepstudyStartNextSession+1B5j
		mov	edx, [ebp+var_168]
		mov	cl, 1
		call	_PopSetModernStandbyTransitionReason@8 ; PopSetModernStandbyTransitionReason(x,x)
		lea	eax, [ebp+var_150]
		mov	esi, offset _GUID_SPM_LOW_POWER_CS
		push	eax		; void *
		push	dword ptr [ebx+0Ch] ; int
		mov	edx, esi
		push	dword ptr [ebx+8] ; int
		call	_PopSleepstudyCaptureSessionStatistics@20 ; PopSleepstudyCaptureSessionStatistics(x,x,x,x,x)
		cmp	_PopSleepstudySessionContext, 0
		jnz	short loc_90274A
		call	_PopDiagTraceSleepStudyStart@0 ; PopDiagTraceSleepStudyStart()

loc_90274A:				; CODE XREF: PopSleepstudyStartNextSession+A6DC5j
		push	dword ptr [ebx+0Ch]
		mov	edx, esi
		mov	ecx, offset _WNF_PO_UMPO_SCENARIO_CHANGE
		push	dword ptr [ebx+8]

loc_902757:				; CODE XREF: PopSleepstudyStartNextSession+A6D96j
		call	_PopSleepstudySendWnfNotification@16 ; PopSleepstudySendWnfNotification(x,x,x,x)
		jmp	loc_85BB42
; END OF FUNCTION CHUNK	FOR PopSleepstudyStartNextSession
; 
; START	OF FUNCTION CHUNK FOR PoUserShutdownInitiated

loc_902761:				; CODE XREF: PoUserShutdownInitiated+4Bj
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		jmp	loc_85BCBA
; END OF FUNCTION CHUNK	FOR PoUserShutdownInitiated
; 
; START	OF FUNCTION CHUNK FOR PopExecutePowerAction

loc_90276B:				; CODE XREF: PopExecutePowerAction+47j
		push	offset byte_401802
		push	1222h
		xor	edx, edx
		mov	[ebp+var_98], ecx
		lea	eax, [ebp+var_E4]
		mov	[ebp+var_90], ecx
		push	80008000h
		inc	edx
		mov	[ebp+var_E0], edi
		lea	ecx, [ebp+var_9D+1]
		mov	[ebp+var_DC], esi
		mov	[ebp+var_E4], ebx
		mov	[ebp+var_9D+1],	eax
		mov	[ebp+var_94], 0Ch
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_85BD0F
; 

loc_9027C1:				; CODE XREF: PopExecutePowerAction+C0j
		lea	eax, [ebp+var_A4]
		xor	ecx, ecx
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_D0]
		push	4
		pop	edx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_8C]
		push	eax
		push	8
		push	ecx
		push	offset _POP_ETW_EVENT_EXECUTE_POWER_ACTION
		push	esi
		push	edi
		mov	[ebp+var_88], ecx
		mov	[ebp+var_84], edx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_78], ecx
		mov	[ebp+var_74], edx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebx+4]
		jmp	loc_85BD8E
; 

loc_90287D:				; CODE XREF: PopExecutePowerAction+ECj
		mov	edx, 0C00000BBh

loc_902882:				; CODE XREF: PopExecutePowerAction+3D6j
		mov	ecx, ebx
		call	_PopCompleteAction@8 ; PopCompleteAction(x,x)
		jmp	loc_85C046
; 

loc_90288E:				; CODE XREF: PopExecutePowerAction+100j
		mov	edi, [ebp+var_B4]
		jmp	loc_85BDD4
; 

loc_902899:				; CODE XREF: PopExecutePowerAction+130j
		cmp	_PsWin32CalloutsEstablished, 0
		jz	loc_85BDF8
		mov	eax, [ebx]
		cmp	eax, 2
		jnz	short loc_9028FE
		mov	eax, edi
		xor	esi, esi
		and	al, 10h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFF0h
		add	eax, ecx
		mov	[ebp+var_A8], eax
		jmp	short loc_9028F3
; 

loc_9028C7:				; CODE XREF: PopExecutePowerAction+A6C3Ej
		xor	eax, eax
		xor	esi, esi
		cmp	byte_6C2D44, al
		push	esi
		setz	al
		dec	eax
		and	eax, 10h
		add	eax, 10h
		mov	[ebp+var_A8], eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	_PopShutdownButtonPressTime, eax
		mov	dword_6C362C, edx

loc_9028F3:				; CODE XREF: PopExecutePowerAction+A6C03j
		mov	[ebp+var_A4], edi
		jmp	loc_85BE0D
; 

loc_9028FE:				; CODE XREF: PopExecutePowerAction+A6BE9j
		test	eax, eax
		jz	short loc_9028C7
		cmp	eax, 0Fh
		jnz	loc_85BDF8
		test	edi, 2000000h
		jz	short loc_902924
		push	10h
		pop	eax
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A4], edi
		jmp	short loc_90293A
; 

loc_902924:				; CODE XREF: PopExecutePowerAction+A6C4Fj
		mov	eax, ecx
		mov	[ebp+var_A8], eax
		jmp	loc_85BDFE
; 

loc_902931:				; CODE XREF: PopExecutePowerAction+145j
		cmp	esi, 6
		jg	loc_85BE0D

loc_90293A:				; CODE XREF: PopExecutePowerAction+A6C60j
		push	dword ptr [ebx]
		mov	edx, eax
		mov	ecx, esi
		call	_PopDiagTraceShutdownAction@12 ; PopDiagTraceShutdownAction(x,x,x)
		jmp	loc_85BE0D
; 

loc_90294A:				; CODE XREF: PopExecutePowerAction+16Bj
		or	edi, 10000000h
		jmp	loc_85BE39
; 

loc_902955:				; CODE XREF: PopExecutePowerAction+18Dj
		push	6
		pop	eax
		mov	[ebp+var_A4], eax
		jmp	loc_85BE55
; 

loc_902963:				; CODE XREF: PopExecutePowerAction+1F6j
		mov	eax, ecx
		jmp	loc_85BEBE
; 

loc_90296A:				; CODE XREF: PopExecutePowerAction+290j
		mov	al, byte ptr [ebp+var_9D]
		mov	byte ptr [ebp+var_9D], al
		jmp	loc_85BF5F
; 

loc_90297B:				; CODE XREF: PopExecutePowerAction+2AFj
		or	cl, 2
		jmp	loc_85BF77
; 

loc_902983:				; CODE XREF: PopExecutePowerAction+2D1j
		mov	eax, [ebx+0Ch]
		mov	dword_6C26D8, eax
		jmp	loc_85BF99
; 

loc_902990:				; CODE XREF: PopExecutePowerAction+2F1j
		mov	_PopTtmIsSxTransitionInProgress, 1
		jmp	loc_85BFB9
; 

loc_90299C:				; CODE XREF: PopExecutePowerAction+339j
		mov	eax, offset _PopShutdownEventCode
		xchg	ecx, [eax]
		test	ecx, ecx
		jmp	short loc_9029B7
; 

loc_9029A7:				; CODE XREF: PopExecutePowerAction+342j
		push	10h
		pop	ecx
		mov	edx, offset _PopShutdownEventCode
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax

loc_9029B7:				; CODE XREF: PopExecutePowerAction+A6CE3j
		mov	ecx, [ebp+var_AC]
		jnz	loc_85C010
		or	ecx, 10h
		jmp	loc_85C010
; END OF FUNCTION CHUNK	FOR PopExecutePowerAction
; 
; START	OF FUNCTION CHUNK FOR NtInitiatePowerAction

loc_9029CB:				; CODE XREF: NtInitiatePowerAction+6Dj
		mov	eax, 0C0000061h
		jmp	loc_85C2E1
; 

loc_9029D5:				; CODE XREF: NtInitiatePowerAction+99j
		cmp	ecx, 5
		jl	loc_85C1AD

loc_9029DE:				; CODE XREF: NtInitiatePowerAction+50j
					; NtInitiatePowerAction+79j ...
		mov	eax, 0C000000Dh
		jmp	loc_85C2E1
; 

loc_9029E8:				; CODE XREF: NtInitiatePowerAction+ADj
		cmp	edi, 6
		jle	loc_85C1D4
		jmp	loc_85C1C1
; 

loc_9029F6:				; CODE XREF: NtInitiatePowerAction+BAj
		mov	eax, 0C00000BBh
		jmp	loc_85C2E1
; 

loc_902A00:				; CODE XREF: NtInitiatePowerAction+E8j
		cmp	edi, 6
		jnz	loc_85C1FC
		test	eax, 3000000h
		jz	loc_85C1FC
		mov	[esp+40h+var_2C], 0Fh
		jmp	loc_85C20D
; 

loc_902A21:				; CODE XREF: NtInitiatePowerAction+119j
		mov	eax, 0C000009Ah
		jmp	loc_85C2E1
; 

loc_902A2B:				; CODE XREF: NtInitiatePowerAction+150j
		cmp	edi, 6
		jg	loc_85C264
		test	byte_6D4A00, 8
		jnz	loc_85C264
		call	_PopSetSystemShutdownMarker@0 ;	PopSetSystemShutdownMarker()
		jmp	loc_85C264
; 

loc_902A4B:				; CODE XREF: NtInitiatePowerAction+199j
		test	byte_6C26C1, 3
		jz	loc_85C2AD
		push	0
		push	1
		push	0
		push	5
		push	esi
		call	KeWaitForSingleObject
		mov	ebx, eax
		jmp	loc_85C2AD
; END OF FUNCTION CHUNK	FOR NtInitiatePowerAction
; 
; START	OF FUNCTION CHUNK FOR PoBlockConsoleSwitch

loc_902A6D:				; CODE XREF: PoBlockConsoleSwitch+21j
					; PoBlockConsoleSwitch+37j
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_85C594
; END OF FUNCTION CHUNK	FOR PoBlockConsoleSwitch
; 
; START	OF FUNCTION CHUNK FOR PopDispatchStateCallout

loc_902A7F:				; CODE XREF: PopDispatchStateCallout+29j
		mov	eax, [esi+4]
		lea	ecx, [esp+38h+var_28]
		mov	[esp+38h+var_14], eax
		xor	edx, edx
		mov	eax, [esi+8]
		inc	edx
		mov	[esp+38h+var_10], eax
		mov	eax, [esi+0Ch]
		mov	[esp+38h+var_C], eax
		mov	eax, [esi+10h]
		push	offset byte_401802
		mov	[esp+3Ch+var_8], eax
		lea	eax, [esp+3Ch+var_14]
		push	1228h
		push	80008000h
		mov	[esp+44h+var_28], eax
		mov	[esp+44h+var_24], ebx
		mov	[esp+44h+var_20], 10h
		mov	[esp+44h+var_1C], ebx
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_85C5F3
; 

loc_902AD3:				; CODE XREF: PopDispatchStateCallout+59j
		push	offset byte_401802
		push	1229h
		xor	edx, edx
		mov	[esp+40h+var_2C], esi
		lea	eax, [esp+40h+var_2C]
		mov	[esp+40h+var_24], ebx
		push	80008000h
		inc	edx
		mov	[esp+44h+var_28], eax
		lea	ecx, [esp+44h+var_28]
		mov	[esp+44h+var_20], edi
		mov	[esp+44h+var_1C], ebx
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_85C623
; END OF FUNCTION CHUNK	FOR PopDispatchStateCallout
; 
; START	OF FUNCTION CHUNK FOR PopDiagTracePerfTrackData

loc_902B0B:				; CODE XREF: PopDiagTracePerfTrackData+D2j
		xor	ebx, ebx
		lea	ecx, [ebp+var_88]
		mov	edx, offset dword_6C2888
		mov	[ebp+var_88], ebx
		mov	[ebp+var_84], ebx
		call	PopQpcTimeInMs
		mov	esi, eax
		mov	edx, offset dword_6C2870
		mov	ecx, offset dword_6C2868
		mov	[ebp+var_C4], esi
		call	PopQpcTimeInMs
		push	4
		add	eax, esi
		mov	[ebp+var_68], offset dword_6C2A48
		mov	[ebp+var_90], eax
		lea	ecx, [ebp+var_90]
		pop	eax
		mov	[ebp+var_58], ecx
		lea	ecx, [ebp+var_C4]
		mov	[ebp+var_60], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_68]
		push	eax
		mov	[ebp+var_48], ecx
		lea	ecx, [ebp+var_C8]
		push	5
		mov	[ebp+var_38], ecx
		lea	ecx, [ebp+var_CC]
		push	ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		push	offset _POP_ETW_EVENT_PERFTRACK_STANDBY
		jmp	loc_90311B
; 

loc_902BB4:				; CODE XREF: PopDiagTracePerfTrackData+135j
		mov	edx, offset dword_6C2848
		mov	ecx, offset _PopShutdownButtonPressTime
		call	PopQpcTimeInMs
		add	eax, esi
		mov	edx, offset ??_C@_1DK@JPPMLNFP@?$AAL?$AAa?$AAs?$AAt?$AAL?$AAo?$AAg?$AAO?$AAf?$AAf?$AAE?$AAn?$AAd?$AAT?$AAi@NNGAKEGL@
		mov	[ebp+var_D0], eax
		xor	esi, esi
		lea	eax, [ebp+var_88]
		mov	ecx, offset ??_C@_1JA@IMHLFALN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax		; void *
		push	esi		; int
		push	8		; size_t
		call	PopReadRegKeyValue
		test	eax, eax
		js	short loc_902C02
		mov	edx, offset dword_6C2900
		lea	ecx, [ebp+var_88]
		call	PopQpcTimeInMs
		mov	[ebp+var_94], eax
		jmp	short loc_902C08
; 

loc_902C02:				; CODE XREF: PopDiagTracePerfTrackData+A652Cj
		mov	[ebp+var_94], esi

loc_902C08:				; CODE XREF: PopDiagTracePerfTrackData+A6544j
		lea	ecx, [ebp+var_D0]
		mov	[ebp+var_64], esi
		mov	[ebp+var_58], ecx
		lea	eax, [ebp+var_98]
		push	4
		lea	ecx, [ebp+var_9C]
		mov	[ebp+var_68], eax
		pop	eax
		mov	[ebp+var_48], ecx
		lea	ecx, [ebp+var_94]
		mov	[ebp+var_38], ecx
		lea	ecx, [ebp+var_68]
		push	ecx
		push	eax
		push	esi
		push	offset _POP_ETW_EVENT_PERFTRACK_HYBRID_SHUTDOWN
		push	dword_6C1D74
		mov	[ebp+var_60], eax
		push	_PopDiagHandle
		mov	[ebp+var_5C], esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], esi
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		push	edi
		push	ebx
		lea	edx, [ebp+var_C0]
		mov	ecx, offset dword_6C28B8
		call	PopComputeDerivedHiberStats
		mov	eax, [ebp+var_90]
		mov	ebx, 7FFFh
		mov	ecx, dword_6C2A7C
		mov	[ebp+var_80], eax
		mov	eax, dword_6C2A78
		shrd	eax, ecx, 8
		shr	ecx, 8
		cmp	ecx, esi
		jb	short loc_902CB5
		ja	short loc_902CAB
		cmp	eax, ebx
		jbe	short loc_902CB5

loc_902CAB:				; CODE XREF: PopDiagTracePerfTrackData+A65E9j
		mov	eax, ebx
		mov	[ebp+var_84], esi
		jmp	short loc_902CBB
; 

loc_902CB5:				; CODE XREF: PopDiagTracePerfTrackData+A65E7j
					; PopDiagTracePerfTrackData+A65EDj
		mov	[ebp+var_84], ecx

loc_902CBB:				; CODE XREF: PopDiagTracePerfTrackData+A65F7j
		mov	ecx, dword_6C2A80
		and	eax, ebx
		mov	[ebp+var_7C], ax
		mov	esi, 0FFFFh
		mov	eax, dword_6C2A84
		shrd	ecx, eax, 8
		shr	eax, 8
		test	eax, eax
		jb	short loc_902CE8
		ja	short loc_902CE2
		cmp	ecx, esi
		jbe	short loc_902CE8

loc_902CE2:				; CODE XREF: PopDiagTracePerfTrackData+A6620j
		mov	[ebp+var_7A], si
		jmp	short loc_902CEC
; 

loc_902CE8:				; CODE XREF: PopDiagTracePerfTrackData+A661Ej
					; PopDiagTracePerfTrackData+A6624j
		mov	[ebp+var_7A], cx

loc_902CEC:				; CODE XREF: PopDiagTracePerfTrackData+A662Aj
		push	edi
		push	[ebp+var_8C]
		push	dword_6C291C
		push	dword_6C2918
		call	__aulldiv
		test	edx, edx
		jb	short loc_902D14
		ja	short loc_902D0E
		cmp	eax, esi
		jbe	short loc_902D14

loc_902D0E:				; CODE XREF: PopDiagTracePerfTrackData+A664Cj
		mov	[ebp+var_78], si
		jmp	short loc_902D18
; 

loc_902D14:				; CODE XREF: PopDiagTracePerfTrackData+A664Aj
					; PopDiagTracePerfTrackData+A6650j
		mov	[ebp+var_78], ax

loc_902D18:				; CODE XREF: PopDiagTracePerfTrackData+A6656j
		push	edi
		push	[ebp+var_8C]
		push	dword_6C2A0C
		push	dword_6C2A08
		call	__aulldiv
		test	edx, edx
		jb	short loc_902D40
		ja	short loc_902D3A
		cmp	eax, esi
		jbe	short loc_902D40

loc_902D3A:				; CODE XREF: PopDiagTracePerfTrackData+A6678j
		mov	[ebp+var_76], si
		jmp	short loc_902D44
; 

loc_902D40:				; CODE XREF: PopDiagTracePerfTrackData+A6676j
					; PopDiagTracePerfTrackData+A667Cj
		mov	[ebp+var_76], ax

loc_902D44:				; CODE XREF: PopDiagTracePerfTrackData+A6682j
		mov	eax, dword_6C2908
		mov	[ebp+var_74], si
		cmp	eax, esi
		ja	short loc_902D55
		mov	[ebp+var_74], ax

loc_902D55:				; CODE XREF: PopDiagTracePerfTrackData+A6693j
		mov	eax, dword_6C2A48
		mov	[ebp+var_72], si
		cmp	eax, esi
		ja	short loc_902D66
		mov	[ebp+var_72], ax

loc_902D66:				; CODE XREF: PopDiagTracePerfTrackData+A66A4j
		mov	eax, 3FFh
		cmp	[ebp+var_BC], eax
		ja	short loc_902D79
		mov	eax, [ebp+var_BC]

loc_902D79:				; CODE XREF: PopDiagTracePerfTrackData+A66B5j
		mov	edi, 1FFh
		cmp	[ebp+var_B4], edi
		ja	short loc_902D8C
		mov	edi, [ebp+var_B4]

loc_902D8C:				; CODE XREF: PopDiagTracePerfTrackData+A66C8j
		push	[ebp+var_A4]
		mov	ecx, dword_6C2998
		push	[ebp+var_8C]
		shl	edi, 0Ah
		xor	edi, eax
		and	edi, 7FC00h
		xor	edi, eax
		sub	ecx, dword_6C29D0
		mov	eax, dword_6C299C
		sbb	eax, dword_6C29D4
		push	eax
		push	ecx
		call	__aulldiv
		test	edx, edx
		jb	short loc_902DDB
		mov	ecx, 1FFFh
		ja	short loc_902DD2
		cmp	eax, ecx
		jbe	short loc_902DDB

loc_902DD2:				; CODE XREF: PopDiagTracePerfTrackData+A6710j
		and	[ebp+var_84], 0
		jmp	short loc_902DE3
; 

loc_902DDB:				; CODE XREF: PopDiagTracePerfTrackData+A6709j
					; PopDiagTracePerfTrackData+A6714j
		mov	ecx, eax
		mov	[ebp+var_84], edx

loc_902DE3:				; CODE XREF: PopDiagTracePerfTrackData+A671Dj
		mov	eax, dword_6C2A58
		and	edi, 7FFFFh
		shl	ecx, 13h
		or	ecx, edi
		xor	edi, edi
		mov	[ebp+var_70], ecx
		mov	ecx, dword_6C2A5C
		shrd	eax, ecx, 8
		shr	ecx, 8
		cmp	ecx, edi
		jb	short loc_902E19
		ja	short loc_902E0F
		cmp	eax, ebx
		jbe	short loc_902E19

loc_902E0F:				; CODE XREF: PopDiagTracePerfTrackData+A674Dj
		mov	eax, ebx
		mov	[ebp+var_84], edi
		jmp	short loc_902E1F
; 

loc_902E19:				; CODE XREF: PopDiagTracePerfTrackData+A674Bj
					; PopDiagTracePerfTrackData+A6751j
		mov	[ebp+var_84], ecx

loc_902E1F:				; CODE XREF: PopDiagTracePerfTrackData+A675Bj
		mov	ecx, dword_6C2A60
		and	eax, ebx
		mov	[ebp+var_6C], ax
		mov	eax, dword_6C2A64
		shrd	ecx, eax, 8
		shr	eax, 8
		cmp	eax, edi
		jb	short loc_902E47
		ja	short loc_902E41
		cmp	ecx, esi
		jbe	short loc_902E47

loc_902E41:				; CODE XREF: PopDiagTracePerfTrackData+A677Fj
		mov	[ebp+var_6A], si
		jmp	short loc_902E4B
; 

loc_902E47:				; CODE XREF: PopDiagTracePerfTrackData+A677Dj
					; PopDiagTracePerfTrackData+A6783j
		mov	[ebp+var_6A], cx

loc_902E4B:				; CODE XREF: PopDiagTracePerfTrackData+A6789j
		mov	edx, edi
		lea	ecx, [ebp+var_5C]

loc_902E50:				; CODE XREF: PopDiagTracePerfTrackData+A67B0j
		lea	eax, [ebp+var_80]
		mov	[ecx-8], edi
		lea	eax, [eax+edx*4]
		mov	dword ptr [ecx-4], 4
		inc	edx
		mov	[ecx-0Ch], eax
		mov	[ecx], edi
		lea	ecx, [ecx+10h]
		cmp	edx, 6
		jb	short loc_902E50
		lea	eax, [ebp+var_68]
		push	eax
		push	6
		push	edi
		push	offset _POP_ETW_EVENT_PERFTRACK_HYBRID_RESUME
		jmp	loc_90311B
; 

loc_902E7F:				; CODE XREF: PopDiagTracePerfTrackData+124j
		push	4
		lea	eax, [ebp+var_98]
		xor	esi, esi
		mov	[ebp+var_68], eax
		lea	ecx, [ebp+var_D4]
		pop	eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	3
		push	esi
		push	offset _POP_ETW_EVENT_PERFTRACK_HIBERNATE
		push	dword_6C1D74
		mov	[ebp+var_58], ecx
		lea	ecx, [ebp+var_9C]
		push	_PopDiagHandle
		mov	[ebp+var_64], esi
		mov	[ebp+var_5C], esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], esi
		mov	[ebp+var_3C], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	eax, dword_6C2908
		mov	[ebp+var_84], eax
		test	eax, eax
		jz	loc_85C7F7
		push	edi
		push	ebx
		lea	edx, [ebp+var_C0]
		mov	ecx, offset dword_6C28B8
		call	PopComputeDerivedHiberStats
		mov	eax, [ebp+var_90]
		mov	ebx, 7FFFh
		mov	ecx, dword_6C2A78
		mov	[ebp+var_80], eax
		mov	eax, dword_6C2A7C
		shrd	ecx, eax, 8
		shr	eax, 8
		cmp	eax, esi
		jb	short loc_902F30
		ja	short loc_902F26
		cmp	ecx, ebx
		jbe	short loc_902F30

loc_902F26:				; CODE XREF: PopDiagTracePerfTrackData+A6864j
		mov	ecx, ebx
		mov	[ebp+var_AC], esi
		jmp	short loc_902F36
; 

loc_902F30:				; CODE XREF: PopDiagTracePerfTrackData+A6862j
					; PopDiagTracePerfTrackData+A6868j
		mov	[ebp+var_AC], eax

loc_902F36:				; CODE XREF: PopDiagTracePerfTrackData+A6872j
		mov	edx, [ebp+var_A0]
		mov	esi, 0FFFFh
		mov	eax, edx
		shl	edx, 0Ah
		shl	eax, 0Ah
		xor	eax, ecx
		mov	ecx, dword_6C2A80
		and	eax, ebx
		xor	eax, edx
		mov	[ebp+var_7C], ax
		mov	eax, dword_6C2A84
		shrd	ecx, eax, 8
		shr	eax, 8
		test	eax, eax
		ja	short loc_902F75
		jb	short loc_902F6F
		cmp	ecx, esi
		jnb	short loc_902F75

loc_902F6F:				; CODE XREF: PopDiagTracePerfTrackData+A68ADj
		mov	[ebp+var_7A], cx
		jmp	short loc_902F79
; 

loc_902F75:				; CODE XREF: PopDiagTracePerfTrackData+A68ABj
					; PopDiagTracePerfTrackData+A68B1j
		mov	[ebp+var_7A], si

loc_902F79:				; CODE XREF: PopDiagTracePerfTrackData+A68B7j
		push	edi
		push	[ebp+var_8C]
		push	dword_6C291C
		push	dword_6C2918
		call	__aulldiv
		test	edx, edx
		ja	short loc_902FA1
		jb	short loc_902F9B
		cmp	eax, esi
		jnb	short loc_902FA1

loc_902F9B:				; CODE XREF: PopDiagTracePerfTrackData+A68D9j
		mov	[ebp+var_78], ax
		jmp	short loc_902FA5
; 

loc_902FA1:				; CODE XREF: PopDiagTracePerfTrackData+A68D7j
					; PopDiagTracePerfTrackData+A68DDj
		mov	[ebp+var_78], si

loc_902FA5:				; CODE XREF: PopDiagTracePerfTrackData+A68E3j
		push	edi
		push	[ebp+var_8C]
		push	dword_6C2A0C
		push	dword_6C2A08
		call	__aulldiv
		test	edx, edx
		ja	short loc_902FCD
		jb	short loc_902FC7
		cmp	eax, esi
		jnb	short loc_902FCD

loc_902FC7:				; CODE XREF: PopDiagTracePerfTrackData+A6905j
		mov	[ebp+var_76], ax
		jmp	short loc_902FD1
; 

loc_902FCD:				; CODE XREF: PopDiagTracePerfTrackData+A6903j
					; PopDiagTracePerfTrackData+A6909j
		mov	[ebp+var_76], si

loc_902FD1:				; CODE XREF: PopDiagTracePerfTrackData+A690Fj
		mov	eax, [ebp+var_84]
		mov	[ebp+var_74], ax
		cmp	eax, esi
		jb	short loc_902FE3
		mov	[ebp+var_74], si

loc_902FE3:				; CODE XREF: PopDiagTracePerfTrackData+A6921j
		mov	eax, dword_6C2A48
		mov	[ebp+var_72], ax
		cmp	eax, esi
		jb	short loc_902FF4
		mov	[ebp+var_72], si

loc_902FF4:				; CODE XREF: PopDiagTracePerfTrackData+A6932j
		mov	eax, 3FFh
		cmp	[ebp+var_BC], eax
		ja	short loc_903007
		mov	eax, [ebp+var_BC]

loc_903007:				; CODE XREF: PopDiagTracePerfTrackData+A6943j
		mov	edi, 1FFh
		cmp	[ebp+var_B4], edi
		ja	short loc_90301A
		mov	edi, [ebp+var_B4]

loc_90301A:				; CODE XREF: PopDiagTracePerfTrackData+A6956j
		push	[ebp+var_A4]
		mov	ecx, dword_6C2998
		push	[ebp+var_8C]
		shl	edi, 0Ah
		xor	edi, eax
		and	edi, 7FC00h
		xor	edi, eax
		sub	ecx, dword_6C29D0
		mov	eax, dword_6C299C
		sbb	eax, dword_6C29D4
		push	eax
		push	ecx
		call	__aulldiv
		test	edx, edx
		jb	short loc_903069
		mov	ecx, 1FFFh
		ja	short loc_903060
		cmp	eax, ecx
		jbe	short loc_903069

loc_903060:				; CODE XREF: PopDiagTracePerfTrackData+A699Ej
		and	[ebp+var_AC], 0
		jmp	short loc_903071
; 

loc_903069:				; CODE XREF: PopDiagTracePerfTrackData+A6997j
					; PopDiagTracePerfTrackData+A69A2j
		mov	ecx, eax
		mov	[ebp+var_AC], edx

loc_903071:				; CODE XREF: PopDiagTracePerfTrackData+A69ABj
		mov	eax, dword_6C2A5C
		and	edi, 7FFFFh
		shl	ecx, 13h
		or	edi, ecx
		mov	ecx, dword_6C2A58
		shrd	ecx, eax, 8
		mov	[ebp+var_70], edi
		xor	edi, edi
		shr	eax, 8
		cmp	eax, edi
		jb	short loc_9030A7
		ja	short loc_90309D
		cmp	ecx, ebx
		jbe	short loc_9030A7

loc_90309D:				; CODE XREF: PopDiagTracePerfTrackData+A69DBj
		mov	ecx, ebx
		mov	[ebp+var_AC], edi
		jmp	short loc_9030AD
; 

loc_9030A7:				; CODE XREF: PopDiagTracePerfTrackData+A69D9j
					; PopDiagTracePerfTrackData+A69DFj
		mov	[ebp+var_AC], eax

loc_9030AD:				; CODE XREF: PopDiagTracePerfTrackData+A69E9j
		mov	eax, _PopEnableMinimalHiberFile
		neg	eax
		movzx	ecx, cx
		sbb	eax, eax
		and	ecx, ebx
		and	eax, 8000h
		or	ecx, eax
		mov	eax, dword_6C2A64
		mov	[ebp+var_6C], cx
		mov	ecx, dword_6C2A60
		shrd	ecx, eax, 8
		shr	eax, 8
		cmp	eax, edi
		ja	short loc_9030E8
		jb	short loc_9030E2
		cmp	ecx, esi
		jnb	short loc_9030E8

loc_9030E2:				; CODE XREF: PopDiagTracePerfTrackData+A6A20j
		mov	[ebp+var_6A], cx
		jmp	short loc_9030EC
; 

loc_9030E8:				; CODE XREF: PopDiagTracePerfTrackData+A6A1Ej
					; PopDiagTracePerfTrackData+A6A24j
		mov	[ebp+var_6A], si

loc_9030EC:				; CODE XREF: PopDiagTracePerfTrackData+A6A2Aj
		mov	edx, edi
		lea	ecx, [ebp+var_5C]

loc_9030F1:				; CODE XREF: PopDiagTracePerfTrackData+A6A51j
		lea	eax, [ebp+var_80]
		mov	[ecx-8], edi
		lea	eax, [eax+edx*4]
		mov	dword ptr [ecx-4], 4
		inc	edx
		mov	[ecx-0Ch], eax
		mov	[ecx], edi
		lea	ecx, [ecx+10h]
		cmp	edx, 6
		jb	short loc_9030F1
		lea	eax, [ebp+var_68]
		push	eax
		push	6
		push	edi
		push	offset _POP_ETW_EVENT_PERFTRACK_RESUME_FROM_HIBERNATE

loc_90311B:				; CODE XREF: PopDiagTracePerfTrackData+A64F3j
					; PopDiagTracePerfTrackData+A67BEj
		push	dword_6C1D74
		push	_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_85C7F7
; END OF FUNCTION CHUNK	FOR PopDiagTracePerfTrackData
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceHiberStats

loc_903131:				; CODE XREF: PopDiagTraceHiberStats+45j
		mov	edi, ebx
		mov	[ebp+var_48C], edi
		jmp	loc_85C857
; 

loc_90313E:				; CODE XREF: PopDiagTraceHiberStats+381j
		mov	ebx, 0FFDF0320h

loc_903143:				; CODE XREF: PopDiagTraceHiberStats+A694Cj
		pause
		mov	edx, [esi]
		mov	edi, [ebx]
		mov	ecx, [ecx]
		cmp	edx, ecx
		mov	ecx, 0FFDF0328h
		jnz	short loc_903143
		mov	ebx, [ebp+var_4A0]
		jmp	loc_85CB8D
; END OF FUNCTION CHUNK	FOR PopDiagTraceHiberStats
; 
; START	OF FUNCTION CHUNK FOR PopComputeDerivedHiberStats

loc_90315F:				; CODE XREF: PopComputeDerivedHiberStats+6Aj
		mov	edx, esi
		jmp	loc_85CE24
; 

loc_903166:				; CODE XREF: PopComputeDerivedHiberStats+93j
		mov	ecx, esi
		jmp	loc_85CE4A
; 

loc_90316D:				; CODE XREF: PopComputeDerivedHiberStats+BFj
		mov	eax, [ebx+130h]
		or	eax, [ebx+134h]
		jnz	loc_85CE69
		mov	ecx, esi
		jmp	loc_85CE87
; 

loc_903186:				; CODE XREF: PopComputeDerivedHiberStats+FCj
		mov	eax, [ebx+128h]
		or	eax, [ebx+12Ch]
		jz	loc_85CEC4
		jmp	loc_85CEA6
; END OF FUNCTION CHUNK	FOR PopComputeDerivedHiberStats
; 
; START	OF FUNCTION CHUNK FOR EtwShutdown

loc_90319D:				; CODE XREF: EtwShutdown+3Fj
		test	al, al
		jnz	short loc_9031AA
		call	_EtwpTraceSystemShutdown@0 ; EtwpTraceSystemShutdown()
		mov	al, [esp+0D0h+var_BD]

loc_9031AA:				; CODE XREF: EtwShutdown+A62CDj
		mov	dword ptr [esi+8A4h], 1
		jmp	loc_85CF17
; 

loc_9031B9:				; CODE XREF: EtwShutdown+A0j
		test	dword ptr [eax+0Ch], 400h
		jnz	loc_85CF85

loc_9031C6:				; CODE XREF: EtwShutdown+95j
					; EtwShutdown+ADj
		test	bx, bx
		jz	short loc_9031D2
		mov	[esp+0D0h+var_B0], bx
		jmp	short loc_9031DC
; 

loc_9031D2:				; CODE XREF: EtwShutdown+A62F7j
		mov	ecx, 0FFFFh
		mov	[esp+0D0h+var_B0], cx

loc_9031DC:				; CODE XREF: EtwShutdown+A62FEj
		lea	esi, [eax+0C8h]
		xor	dl, dl
		lea	edi, [esp+0D0h+var_A0]
		mov	ecx, eax
		movsd
		movsd
		movsd
		movsd
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		cmp	[esp+0D0h+var_BE], 0
		jnz	short loc_903200
		inc	_EtwpStopTraceCount

loc_903200:				; CODE XREF: EtwShutdown+A6326j
		mov	esi, [esp+0D0h+var_BC]
		lea	edx, [esp+0D0h+var_B8]
		push	1
		mov	ecx, esi
		call	EtwpStopTrace
		jmp	loc_85CF5F
; END OF FUNCTION CHUNK	FOR EtwShutdown
; 
; START	OF FUNCTION CHUNK FOR EtwpFlushCoverage

loc_903216:				; CODE XREF: EtwpFlushCoverage+47j
		test	al, 4
		jnz	loc_85D003
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_85D003
; END OF FUNCTION CHUNK	FOR EtwpFlushCoverage
; 
; START	OF FUNCTION CHUNK FOR PopReadSystemAwayModePolicy

loc_90322A:				; CODE XREF: PopReadSystemAwayModePolicy+32j
		cmp	byte_6C2D12, bl
		jz	loc_85D182
		mov	bl, 1
		jmp	loc_85D182
; 

loc_90323D:				; CODE XREF: PopReadSystemAwayModePolicy+75j
		cmp	[ebp+var_14], 4
		jnz	loc_85D1C5
		cmp	[ebp+var_10], 4
		jnz	loc_85D1C5
		cmp	[ebp+var_C], 0
		jz	loc_85D1C5
		mov	bl, 1
		jmp	loc_85D1C5
; END OF FUNCTION CHUNK	FOR PopReadSystemAwayModePolicy
; 
; START	OF FUNCTION CHUNK FOR CmSetLazyFlushState

loc_903262:				; CODE XREF: CmSetLazyFlushState+1Cj
		push	offset _CmpEnableLazyFlushTimer
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		test	al, al
		jz	loc_85D3BA
		xor	ecx, ecx
		inc	ecx
		call	_CmpEnableLazyFlush@4 ;	CmpEnableLazyFlush(x)
		jmp	loc_85D3BA
; END OF FUNCTION CHUNK	FOR CmSetLazyFlushState
; 
; START	OF FUNCTION CHUNK FOR PopClearSystemSleepCheckpoint

loc_903281:				; CODE XREF: PopClearSystemSleepCheckpoint+Dj
					; PopClearSystemSleepCheckpoint+15j
		test	byte ptr _PopCheckpointSystemSleepSimulateFlags, 2
		jnz	loc_85D68B
		push	1
		push	esi
		push	esi
		push	offset _SYSTEM_SLEEP_ETW_CHECKPOINT_GUID
		push	offset _PopCheckpointSystemSleepVariable
		call	_ExSetFirmwareEnvironmentVariable@20 ; ExSetFirmwareEnvironmentVariable(x,x,x,x,x)
		lea	edx, [eax+3FFFFF00h]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		jmp	loc_85D68B
; END OF FUNCTION CHUNK	FOR PopClearSystemSleepCheckpoint

;  S U B	R O U T	I N E 


sub_9032B2	proc near		; CODE XREF: PopFreeHiberContext+E7j
		push	ebx
		mov	edx, 138h
		mov	ecx, esi
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	ebx
		push	esi
		push	0Ah
		push	103h
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_9032D3:				; CODE XREF: PopHiberInitializeResources+74j
		mov	ecx, [ebp-10h]
		mov	[ebp-8], ecx
		jmp	loc_85D9A0
sub_9032B2	endp

; 
; START	OF FUNCTION CHUNK FOR PopHiberInitializeResources

loc_9032DE:				; CODE XREF: PopHiberInitializeResources+A1j
		mov	eax, ecx
		mov	[ebp+var_C], ecx
		jmp	loc_85D9CD
; 

loc_9032E8:				; CODE XREF: PopHiberInitializeResources+AEj
		mov	eax, ecx
		mov	[ebp+var_C], eax
		jmp	loc_85D9DA
; 

loc_9032F2:				; CODE XREF: PopHiberInitializeResources+154j
		push	72626968h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9032FD:				; CODE XREF: PopHiberInitializeResources+3Cj
					; PopHiberInitializeResources+68j ...
		mov	ebx, dword_6C2508
		xor	eax, eax
		push	70h		; size_t
		inc	eax
		push	esi		; int
		push	ebx		; void *
		mov	[ebp+var_4], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_C], eax
		call	_memset
		mov	eax, dword_6C24BC
		add	esp, 0Ch
		mov	[ebx+4], eax
		mov	esi, 3000h
		mov	eax, dword_6C2504
		mov	[ebp+var_20], eax
		jmp	loc_85DB56
; END OF FUNCTION CHUNK	FOR PopHiberInitializeResources
; 
; START	OF FUNCTION CHUNK FOR PopAllocateHiberContext

loc_903335:				; CODE XREF: PopAllocateHiberContext+E5j
		mov	esi, 0C000000Fh
		push	2Ah
		jmp	short loc_903345
; 

loc_90333E:				; CODE XREF: PopAllocateHiberContext+305j
		mov	esi, 0C000009Ah
		push	34h

loc_903345:				; CODE XREF: PopAllocateHiberContext+A5760j
		pop	ecx
		call	PopCheckpointSystemSleep
		jmp	loc_85DF36
; 

loc_903350:				; CODE XREF: PopAllocateHiberContext+101j
		push	2Bh
		jmp	short loc_90335C
; 

loc_903354:				; CODE XREF: PopAllocateHiberContext+29Aj
		mov	esi, [edi+80h]
		push	32h

loc_90335C:				; CODE XREF: PopAllocateHiberContext+A5776j
					; PopAllocateHiberContext+A57D7j ...
		pop	ecx
		call	PopCheckpointSystemSleep
		jmp	loc_85DF27
; 

loc_903367:				; CODE XREF: PopAllocateHiberContext+16Cj
		mov	edx, dword_6C2510
		mov	ecx, edx
		and	dword ptr [esi], 0
		and	ecx, 0FFFh
		and	edx, ebx
		mov	[esi+18h], ecx
		mov	[esi+10h], edx
		mov	dword ptr [esi+14h], 1000h
		lea	eax, [ecx+1FFFh]
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[esi+4], ax
		xor	eax, eax
		mov	[esi+6], ax
		push	dword ptr [edi+94h]
		call	MmBuildMdlForNonPagedPool
		jmp	loc_85DD4E
; 

loc_9033B1:				; CODE XREF: PopAllocateHiberContext+17Dj
		push	2Ch
		jmp	short loc_90335C
; 

loc_9033B5:				; CODE XREF: PopAllocateHiberContext+18Fj
		push	2Dh
		jmp	short loc_90335C
; 

loc_9033B9:				; CODE XREF: PopAllocateHiberContext+1A6j
		mov	ecx, ebx
		call	BcdCloseStore
		push	2Eh
		jmp	short loc_90335C
; 

loc_9033C4:				; CODE XREF: PopAllocateHiberContext+1C5j
		call	BcdCloseStore
		push	2Fh
		jmp	short loc_90335C
; 

loc_9033CD:				; CODE XREF: PopAllocateHiberContext+1FEj
		mov	edx, [ebp+var_18]
		mov	eax, [ebp+var_14]
		push	ecx
		shrd	edx, eax, 0Ch
		push	4
		mov	ecx, edi
		mov	[edi+0C4h], edx
		call	_PopDiscardRange@16 ; PopDiscardRange(x,x,x,x)
		jmp	loc_85DDE0
; 

loc_9033EC:				; CODE XREF: PopAllocateHiberContext+20Bj
					; PopAllocateHiberContext+218j
		mov	esi, 20676244h
		push	esi
		push	0
		push	offset _KdTimerDifference
		push	2
		push	edi
		call	PoSetHiberRange
		push	esi
		push	0
		push	offset _KdDebuggerLock
		push	2
		push	edi
		call	PoSetHiberRange
		jmp	loc_85DDFA
; 

loc_903416:				; CODE XREF: PopAllocateHiberContext+25Cj
		mov	[edi+6Ch], ecx
		mov	edx, ecx
		jmp	loc_85DE3E
; 

loc_903420:				; CODE XREF: PopAllocateHiberContext+274j
		push	30h
		jmp	loc_90335C
; 

loc_903427:				; CODE XREF: PopAllocateHiberContext+284j
		mov	eax, [eax+0C8h]
		add	eax, 18h
		mov	[ebp+var_14], eax
		mov	esi, [eax]
		jmp	short loc_903485
; 

loc_903437:				; CODE XREF: PopAllocateHiberContext+A58ABj
		mov	ecx, [esi+2Ch]
		test	ecx, ecx
		jz	short loc_903483
		test	ecx, 0FFFh
		jnz	short loc_90348E
		push	2
		lea	eax, [esi+30h]
		pop	edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], edx

loc_903452:				; CODE XREF: PopAllocateHiberContext+A58A2j
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_903472
		push	66756263h
		push	dword ptr [esi+2Ch]
		push	ecx
		push	8000h
		push	edi
		call	PoSetHiberRange
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_8]

loc_903472:				; CODE XREF: PopAllocateHiberContext+A587Aj
		add	eax, 4
		sub	edx, 1
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], edx
		jnz	short loc_903452
		mov	eax, [ebp+var_14]

loc_903483:				; CODE XREF: PopAllocateHiberContext+A5860j
		mov	esi, [esi]

loc_903485:				; CODE XREF: PopAllocateHiberContext+A5859j
		cmp	esi, eax
		jnz	short loc_903437
		jmp	loc_85DED5
; 

loc_90348E:				; CODE XREF: PopAllocateHiberContext+A5868j
		push	0
		push	50h
		pop	edx
		lea	ecx, [esi-4]
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	0
		mov	edx, 138h
		mov	ecx, edi
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	31h
		pop	ecx
		call	PopCheckpointSystemSleep
		push	edi
		push	[ebp+var_10]
		jmp	short loc_9034DD
; 

loc_9034B7:				; CODE XREF: PopAllocateHiberContext+2C2j
		push	0
		mov	edx, 0C0h
		mov	ecx, ebx
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	0
		mov	edx, 138h
		mov	ecx, edi
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	33h
		pop	ecx
		call	PopCheckpointSystemSleep
		push	edi
		push	ebx

loc_9034DD:				; CODE XREF: PopAllocateHiberContext+A58D9j
		push	0Ah
		push	102h
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_9034EF:				; CODE XREF: PopResizeHiberFile+30j
					; PopResizeHiberFile+6Fj ...
		mov	ecx, 0C0000001h
		jmp	loc_85E233
; END OF FUNCTION CHUNK	FOR PopAllocateHiberContext
; 
; START	OF FUNCTION CHUNK FOR PopResizeHiberFile

loc_9034F9:				; CODE XREF: PopResizeHiberFile+5Dj
		mov	edi, [esp+40h+var_18]
		mov	esi, [esp+40h+var_14]
		jmp	loc_85E14B
; 

loc_903506:				; CODE XREF: PopResizeHiberFile+A9j
		mov	eax, dword_6C24A4
		push	esi
		push	esi
		push	esi
		push	esi
		add	eax, 5Ch
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, [esp+40h+var_20]
		jmp	loc_85E197
; 

loc_903521:				; CODE XREF: PopResizeHiberFile+E4j
		mov	eax, dword_6C24A4
		push	esi
		push	esi
		push	esi
		push	esi
		add	eax, 5Ch
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, [esp+40h+var_20]
		jmp	loc_85E1D2
; END OF FUNCTION CHUNK	FOR PopResizeHiberFile
; 
; START	OF FUNCTION CHUNK FOR PopValidateHiberFileSize

loc_90353C:				; CODE XREF: PopValidateHiberFileSize+43j
		mov	[ebp+var_48], esi
		mov	[ebp+var_4C], esi
		jmp	loc_85E2C4
; END OF FUNCTION CHUNK	FOR PopValidateHiberFileSize
; 
; START	OF FUNCTION CHUNK FOR PopBcdSetPendingResume

loc_903547:				; CODE XREF: PopBcdSetPendingResume+46j
		mov	byte ptr [ebp+var_18], 1
		jmp	loc_85E400
; END OF FUNCTION CHUNK	FOR PopBcdSetPendingResume
; 
; START	OF FUNCTION CHUNK FOR BiLoadSystemStore

loc_903550:				; CODE XREF: BiLoadSystemStore+5Bj
		mov	esi, 0C000009Ah
		jmp	loc_860603
; 

loc_90355A:				; CODE XREF: BiLoadSystemStore+99j
		push	esi
		push	ebx
		push	offset ??_C@_1HG@EJMNDF@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAa?$AAd?$AAd?$AA?5?$AAs@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 10h
		cmp	esi, 0C0000043h
		jnz	loc_860603
		push	[ebp+var_4]
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	ecx, [ebp+var_14]
		call	_BiLogFileOwnerProcess@8 ; BiLogFileOwnerProcess(x,x)
		jmp	loc_860603
; 

loc_903590:				; CODE XREF: BiLoadSystemStore+AFj
		push	esi
		lea	eax, [edi+0Ch]
		push	eax
		push	offset ??_C@_1GE@BKEKDECN@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAm?$AAa?$AAr?$AAk?$AA?5@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 10h
		mov	ecx, ebx
		call	BcdCloseStore
		jmp	loc_860603
; 

loc_9035B0:				; CODE XREF: BiLoadSystemStore+BEj
		push	esi
		lea	eax, [edi+0Ch]
		push	eax
		push	offset ??_C@_1FO@CPLCCCHE@?$AAF?$AAi?$AAl?$AAe?$AA?5?$AAi?$AAs?$AA?5?$AAn?$AAo?$AAt?$AA?5?$AAs?$AAy?$AAs@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 10h
		mov	ecx, ebx
		call	BcdCloseStore
		mov	esi, 0C0000098h
		jmp	loc_860603
; END OF FUNCTION CHUNK	FOR BiLoadSystemStore
; 
; START	OF FUNCTION CHUNK FOR BiCloseStore

loc_9035D5:				; CODE XREF: BiCloseStore+1Ej
		push	offset ??_C@_1EG@OHPMMJHC@?$AAE?$AAx?$AAp?$AAo?$AAr?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAa?$AAl?$AAt?$AAe?$AAr@NNGAKEGL@
		push	2
		call	_BiLogMessage
		add	esp, 8
		mov	ecx, esi
		call	BiExportStoreAlterationsToFirmware
		mov	edi, eax
		test	edi, edi
		js	short loc_9035FF
		xor	dl, dl
		mov	ecx, esi
		call	BiSetFirmwareModified
		jmp	loc_860650
; 

loc_9035FF:				; CODE XREF: BiCloseStore+A2FC3j
		push	edi
		push	offset ??_C@_1GK@NKBLNBBA@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAe?$AAx?$AAp?$AAo?$AAr@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		jmp	loc_860650
; END OF FUNCTION CHUNK	FOR BiCloseStore
; 
; START	OF FUNCTION CHUNK FOR BiAddStoreFromFile

loc_903614:				; CODE XREF: BiAddStoreFromFile+63j
		cmp	esi, 0C0000022h
		jnz	loc_9036C2
		lea	ecx, [esp+40h+var_1C] ;	wchar_t	*
		call	_BiDoesHiveKeyExist@4 ;	BiDoesHiveKeyExist(x)
		test	al, al
		jnz	short loc_903634
		mov	eax, [esp+40h+var_2C]
		inc	eax
		jmp	short loc_903636
; 

loc_903634:				; CODE XREF: BiAddStoreFromFile+A2F61j
		xor	eax, eax

loc_903636:				; CODE XREF: BiAddStoreFromFile+A2F68j
		mov	[esp+40h+var_2C], eax
		cmp	eax, 0Ah
		jnb	short loc_9036A8
		inc	ebx
		cmp	ebx, 5F5E0FFh
		jbe	loc_860704
		lea	eax, [esp+40h+var_1C]
		push	eax
		lea	eax, [edi+0Ch]
		push	eax
		push	offset ??_C@_1HO@GNIINMFH@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAf?$AAi?$AAn?$AAd?$AA?5@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 10h
		mov	esi, 0C0000001h

loc_903669:				; CODE XREF: BiAddStoreFromFile+EAj
					; BiAddStoreFromFile+A2FF6j
		mov	ecx, [esp+40h+var_34]
		test	ecx, ecx
		jz	loc_8607BA
		call	_BiCloseKey@4	; BiCloseKey(x)
		lea	edx, [esp+40h+var_1C]
		xor	ebx, ebx
		lea	ecx, [edx+2]

loc_903683:				; CODE XREF: BiAddStoreFromFile+A2FC2j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, bx
		jnz	short loc_903683
		sub	edx, ecx
		lea	ecx, [esp+40h+var_1C]
		sar	edx, 1
		push	ebx
		lea	edx, ds:2[edx*2]
		call	BiUnloadHiveByName
		jmp	loc_8607BA
; 

loc_9036A8:				; CODE XREF: BiAddStoreFromFile+A2F73j
		push	0C0000022h
		lea	eax, [edi+0Ch]
		push	eax
		push	(offset	loc_8C6FDB+1)
		push	4
		call	_BiLogMessage
		add	esp, 10h
		jmp	short loc_903669
; 

loc_9036C2:				; CODE XREF: BiAddStoreFromFile+A2F50j
		xor	ecx, ecx
		lea	eax, [edi+0Ch]
		push	esi
		push	eax
		cmp	esi, 0C000000Fh
		lea	eax, [esp+48h+var_1C]
		push	eax
		setnz	cl
		push	offset ??_C@_1GK@NBGLBMAJ@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAl?$AAo?$AAa?$AAd?$AA?5@NNGAKEGL@
		lea	ecx, ds:2[ecx*2]
		push	ecx
		call	_BiLogMessage
		add	esp, 14h
		jmp	loc_8607B2
; 

loc_9036F1:				; CODE XREF: BiAddStoreFromFile+7Ej
		mov	ecx, [esp+40h+var_34]
		lea	eax, [esp+40h+var_30]
		xor	ebx, ebx
		mov	edx, (offset loc_8C6F2D+1)
		push	ebx
		push	eax
		push	ebx
		push	20019h
		call	BiCreateKey
		mov	esi, eax
		test	esi, esi
		jns	short loc_903742
		push	esi
		lea	eax, [esp+44h+var_1C]
		push	eax
		lea	eax, [edi+0Ch]
		push	eax
		push	offset ??_C@_1JO@GOAKEPKG@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAi?$AAn?$AAi?$AAt?$AAi@NNGAKEGL@
		jmp	short loc_903733
; 

loc_903724:				; CODE XREF: BiAddStoreFromFile+A30A9j
		push	esi
		lea	eax, [esp+54h+var_2C]
		push	eax
		lea	eax, [edi+0Ch]
		push	eax
		push	(offset	loc_8C6E31+1)

loc_903733:				; CODE XREF: BiAddStoreFromFile+A3058j
		push	4
		call	_BiLogMessage
		add	esp, 14h
		jmp	loc_8607AA
; 

loc_903742:				; CODE XREF: BiAddStoreFromFile+A3047j
		mov	ecx, [esp+40h+var_30]
		call	_BiCloseKey@4	; BiCloseKey(x)
		mov	ecx, [esp+40h+var_34]
		lea	eax, [esp+40h+var_30]
		push	ebx
		push	eax
		push	ebx
		push	20019h
		mov	edx, offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		mov	[esp+50h+var_30], ebx
		call	BiCreateKey
		mov	esi, eax
		test	esi, esi
		jns	loc_86074E
		jmp	short loc_903724
; 

loc_903775:				; CODE XREF: BiAddStoreFromFile+A4j
		cmp	esi, 0C0000034h
		jnz	short loc_903791
		push	offset ??_C@_1FG@CJJHKDMI@?$AAA?$AA?5?$AAv?$AAa?$AAl?$AAi?$AAd?$AA?5?$AAs?$AAt?$AAo?$AAr?$AAe?$AA?5?$AAm@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 8
		mov	esi, 0C000015Ch

loc_903791:				; CODE XREF: BiAddStoreFromFile+A30B1j
		push	esi
		lea	eax, [esp+44h+var_1C]
		push	eax
		lea	eax, [edi+0Ch]
		push	eax
		push	offset ??_C@_1JK@ICGMJJA@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@
		jmp	short loc_9037B1
; 

loc_9037A2:				; CODE XREF: BiAddStoreFromFile+C5j
		push	esi
		lea	eax, [esp+44h+var_1C]
		push	eax
		lea	eax, [edi+0Ch]
		push	eax
		push	offset ??_C@_1JA@LHPLIIFE@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAs?$AAe?$AAt?$AA?5?$AAd@NNGAKEGL@

loc_9037B1:				; CODE XREF: BiAddStoreFromFile+A30D6j
		push	4
		call	_BiLogMessage
		add	esp, 14h
		jmp	loc_86079F
; END OF FUNCTION CHUNK	FOR BiAddStoreFromFile
; 
; START	OF FUNCTION CHUNK FOR BiMarkTreatAsSystemStore

loc_9037C0:				; CODE XREF: BiMarkTreatAsSystemStore+38j
					; BiMarkTreatAsSystemStore+51j	...
		push	offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		mov	edx, (offset loc_8C6C71+1)
		mov	ecx, edi
		call	_BiDeleteRegistryValue@12 ; BiDeleteRegistryValue(x,x,x)
		lea	ecx, [eax+3FFFFFCCh]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		jmp	loc_86085B
; END OF FUNCTION CHUNK	FOR BiMarkTreatAsSystemStore
; 
; START	OF FUNCTION CHUNK FOR BiLoadHive

loc_9037E2:				; CODE XREF: BiLoadHive+4Aj
		mov	esi, 0C000000Fh
		mov	[ebp+var_1C], esi
		jmp	loc_860A41
; 

loc_9037EF:				; CODE XREF: BiLoadHive+6Cj
		push	esi
		push	offset ??_C@_1CE@NMBJJGCH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\"
		push	(offset	loc_8C7F01+1)
		push	4
		call	_BiLogMessage
		add	esp, 10h
		mov	ebx, [ebp+var_20]
		jmp	loc_860A41
; 

loc_90380C:				; CODE XREF: BiLoadHive+DDj
		push	esi
		push	offset ??_C@_1CE@NMBJJGCH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\"
		push	offset ??_C@_1GO@MDEDFILO@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAa?$AAc?$AAq?$AAu?$AAi@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 10h
		jmp	loc_860A41
; 

loc_903826:				; CODE XREF: BiLoadHive+100j
		push	1380h
		lea	eax, [ebp+var_74]
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		call	_ZwLoadKey2@12	; ZwLoadKey2(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_860A10
		lea	eax, [ebp+var_74]
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		call	_ZwLoadKey@8	; ZwLoadKey(x,x)
		mov	esi, eax
		jmp	loc_860A10
; 

loc_903856:				; CODE XREF: BiLoadHive+113j
		push	esi
		push	[ebp+var_20]
		push	240h
		push	[ebp+var_24]
		push	(offset	loc_8C7E97+1)
		xor	eax, eax
		cmp	esi, 0C0000022h
		setnz	al
		lea	eax, ds:2[eax*2]
		push	eax
		call	_BiLogMessage
		add	esp, 18h
		jmp	loc_860A41
; 

loc_903887:				; CODE XREF: BiLoadHive+131j
		lea	edx, [ebp+var_34]
		push	11h
		pop	ecx
		call	BiAcquirePrivilege
		lea	eax, [ebp+var_5C]
		push	eax
		call	_ZwUnloadKey@4	; ZwUnloadKey(x)
		lea	ecx, [ebp+var_34]
		call	_BiReleasePrivilege@4 ;	BiReleasePrivilege(x)
		push	esi
		push	240h
		push	[ebp+var_24]
		push	offset ??_C@_1HC@IHHDHBPH@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5?$AAn?$AAe?$AAw@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 14h
		jmp	loc_860A41
; 

loc_9038C0:				; CODE XREF: BiLoadHive+147j
		mov	[ebp+ms_exc.disabled], edi
		int	3		; Trap to Debugger
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_2C]
		jmp	short loc_9038E6
; END OF FUNCTION CHUNK	FOR BiLoadHive

;  S U B	R O U T	I N E 


sub_9038D0	proc near		; DATA XREF: .text:006A49CCo
		xor	eax, eax
		inc	eax
		retn
sub_9038D0	endp


;  S U B	R O U T	I N E 


sub_9038D4	proc near		; DATA XREF: .text:006A49D0o
		mov	esp, [ebp-18h]
		push	5
		pop	eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edi, edi
		mov	esi, [ebp-1Ch]
sub_9038D4	endp

; START	OF FUNCTION CHUNK FOR BiLoadHive

loc_9038E6:				; CODE XREF: BiLoadHive+A2FC4j
		cmp	eax, 5
		jnb	loc_860A57
		inc	eax
		mov	[ebp+var_2C], eax
		jmp	loc_860945
; END OF FUNCTION CHUNK	FOR BiLoadHive
; 
; START	OF FUNCTION CHUNK FOR BiAcquirePrivilege

loc_9038F8:				; CODE XREF: BiAcquirePrivilege+42j
		test	bl, bl
		jnz	loc_860B00
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		push	4
		push	eax
		push	5
		push	0FFFFFFFEh
		call	_ZwSetInformationThread@16 ; ZwSetInformationThread(x,x,x,x)
		jmp	loc_860B00
; END OF FUNCTION CHUNK	FOR BiAcquirePrivilege
; 
; START	OF FUNCTION CHUNK FOR BiAdjustPrivilege

loc_903918:				; CODE XREF: BiAdjustPrivilege+59j
		lea	eax, [ebp+var_30]
		push	eax
		push	edi
		push	0
		push	28h
		push	0FFFFFFFEh
		call	_ZwOpenThreadTokenEx@20	; ZwOpenThreadTokenEx(x,x,x,x,x)
		jmp	short loc_903938
; 

loc_90392A:				; CODE XREF: BiAdjustPrivilege+3Ej
		push	200h
		push	28h
		push	0FFFFFFFFh
		call	_ZwOpenProcessTokenEx@16 ; ZwOpenProcessTokenEx(x,x,x,x)

loc_903938:				; CODE XREF: BiAdjustPrivilege+A2E20j
		mov	esi, eax
		test	esi, esi
		js	loc_860BCC
		jmp	loc_860B67
; END OF FUNCTION CHUNK	FOR BiAdjustPrivilege
; 
; START	OF FUNCTION CHUNK FOR BiCleanupLoadedStores

loc_903947:				; CODE XREF: BiCleanupLoadedStores+E6j
		test	al, al
		jz	loc_860CEE
		mov	ecx, [esp+28h+var_14]
		call	BcdForciblyUnloadStore
		jmp	loc_860C81
; END OF FUNCTION CHUNK	FOR BiCleanupLoadedStores
; 
; START	OF FUNCTION CHUNK FOR PopBcdEstablishResumeObject

loc_90395D:				; CODE XREF: PopBcdEstablishResumeObject+D1j
					; PopBcdEstablishResumeObject+E3j ...
		mov	esi, 0C0000225h

loc_903962:				; CODE XREF: PopBcdEstablishResumeObject+A0j
					; PopBcdEstablishResumeObject+BBj
		test	edi, edi
		jz	short loc_903973
		mov	ecx, edi
		call	_BcdCloseObject@4 ; BcdCloseObject(x)
		xor	edi, edi
		mov	[esp+40h+var_2C], edi

loc_903973:				; CODE XREF: PopBcdEstablishResumeObject+80j
					; PopBcdEstablishResumeObject+A2BD4j
		cmp	_InitIsWinPEMode, 0
		jnz	short loc_903992
		mov	ecx, [esp+40h+var_24]
		lea	eax, [esp+40h+var_2C]
		push	eax
		mov	edx, ebx
		call	_PopBcdRegenerateResumeObject@12 ; PopBcdRegenerateResumeObject(x,x,x)
		mov	edi, [esp+40h+var_2C]
		mov	esi, eax

loc_903992:				; CODE XREF: PopBcdEstablishResumeObject+A2BEAj
		test	esi, esi
		jns	short loc_90399D
		xor	edi, edi
		jmp	loc_860EBA
; 

loc_90399D:				; CODE XREF: PopBcdEstablishResumeObject+A2C04j
		xor	esi, esi
		jmp	loc_860EBA
; END OF FUNCTION CHUNK	FOR PopBcdEstablishResumeObject
; 
; START	OF FUNCTION CHUNK FOR BcdCloseStore

loc_9039A4:				; CODE XREF: BcdCloseStore+19j
		push	edx
		push	offset ??_C@_1HK@OHPJHCML@?$AAB?$AAc?$AAd?$AAC?$AAl?$AAo?$AAs?$AAe?$AAS?$AAt?$AAo?$AAr?$AAe?$AA?3?$AA?5@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		mov	eax, edx
		jmp	loc_860F68
; END OF FUNCTION CHUNK	FOR BcdCloseStore
; 
; START	OF FUNCTION CHUNK FOR BcdGetSystemStorePath

loc_9039BB:				; CODE XREF: BcdGetSystemStorePath+1Bj
		add	eax, 0FFFFFFFEh
		cmp	eax, 1
		ja	short loc_9039CD
		mov	eax, offset ??_C@_1DA@FADLAHEF@?$AA?2?$AAE?$AAF?$AAI?$AA?2?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?2@NNGAKEGL@
		jmp	loc_860F9C
; 

loc_9039CD:				; CODE XREF: BcdGetSystemStorePath+A2A4Bj
		mov	ebx, 0C00000BBh
		push	ebx
		push	offset ??_C@_1FI@JMOEDDGI@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAg?$AAe?$AAt?$AA?5?$AAs@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		jmp	loc_861054
; 

loc_9039E7:				; CODE XREF: BcdGetSystemStorePath+45j
		push	ebx
		push	offset ??_C@_1FG@JFDBELFL@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAg?$AAe?$AAt?$AA?5?$AAs@NNGAKEGL@
		push	4
		call	_BiLogMessage
		jmp	loc_861036
; 

loc_9039F9:				; CODE XREF: BcdGetSystemStorePath+D8j
		test	edi, edi
		jz	loc_861054
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_861054
; END OF FUNCTION CHUNK	FOR BcdGetSystemStorePath
; 
; START	OF FUNCTION CHUNK FOR BiConvertBootEnvironmentDeviceToNt

loc_903A11:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+64j
		sub	eax, 1
		jz	loc_903C35
		sub	eax, 1
		jz	short loc_903A6C
		sub	eax, 1
		jnz	loc_903EFF
		mov	edi, [esi+10h]
		push	4B444342h
		add	edi, 15h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8611AA
		push	edi		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebx], 9
		lea	eax, [esi+14h]
		push	eax
		lea	eax, [ebx+14h]
		push	1
		push	eax
		call	_strcpy_s
		jmp	loc_86116E
; 

loc_903A6C:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A29BBj
		cmp	dword ptr [esi+10h], 1
		push	22h
		pop	edi
		mov	[esp+40h+var_18], edi
		mov	[esp+40h+var_14], edi
		jnz	short loc_903AA3
		lea	edi, [esi+1Ch]
		xor	edx, edx
		lea	ecx, [edi+2]

loc_903A85:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2A2Cj
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, dx
		jnz	short loc_903A85
		sub	edi, ecx
		sar	edi, 1
		lea	edi, ds:22h[edi*2]
		mov	[esp+40h+var_18], edi
		mov	[esp+40h+var_14], edi

loc_903AA3:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2A19j
		mov	ecx, [esi+18h]
		mov	[esp+40h+var_C], ecx
		test	ecx, ecx
		jz	loc_903BA4
		test	[ebp+arg_0], 20h
		jnz	loc_903B5B
		lea	edx, [esp+40h+var_1C]
		mov	ecx, esi
		call	BiGetNtPartitionPath
		mov	edx, [esp+40h+var_1C]
		mov	[esp+40h+var_24], edx
		test	eax, eax
		js	short loc_903B51
		mov	ecx, edx
		mov	[esp+40h+var_2D], 1
		lea	edx, [ecx+2]

loc_903ADD:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2A86j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+40h+var_4]
		jnz	short loc_903ADD
		sub	ecx, edx
		sar	ecx, 1
		push	4B444342h
		lea	eax, ds:2[ecx*2]
		mov	[esp+44h+var_1C], eax
		add	eax, 14h
		push	eax
		push	1
		mov	[esp+4Ch+var_28], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+40h+var_2C], eax
		test	eax, eax
		jnz	short loc_903B1F
		mov	esi, 0C000009Ah
		jmp	loc_861191
; 

loc_903B1F:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2AB1j
		push	[esp+40h+var_28] ; size_t
		xor	ecx, ecx
		push	ecx		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esp+4Ch+var_2C]
		add	esp, 0Ch
		push	[esp+40h+var_1C] ; size_t
		mov	dword ptr [eax], 2
		mov	eax, [esp+44h+var_2C]
		push	[esp+44h+var_24] ; void	*
		add	eax, 14h
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_903B51:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2A6Fj
		cmp	[esp+40h+var_2C], ebx
		jnz	short loc_903B92
		mov	ecx, [esp+40h+var_C]

loc_903B5B:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2A54j
		mov	eax, [esi+8]
		sub	eax, ecx
		cmp	eax, 4Ch
		jb	loc_903EFF
		mov	edx, [esp+40h+var_10]
		lea	eax, [esp+40h+var_28]
		push	eax
		lea	eax, [esp+44h+var_2C]
		add	esi, 28h
		push	eax
		xor	eax, eax
		add	ecx, esi
		push	eax
		call	BiConvertBootEnvironmentDeviceToNt
		mov	esi, eax
		test	esi, esi
		js	loc_903EE4
		mov	esi, [esp+40h+var_20]

loc_903B92:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2AF3j
		mov	ecx, [esp+40h+var_14]
		mov	edi, [esp+40h+var_28]
		add	edi, ecx
		mov	[esp+40h+var_C], ecx
		mov	[esp+40h+var_14], edi

loc_903BA4:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2A4Aj
		push	4B444342h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8611AA
		push	[esp+40h+var_14] ; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		xor	eax, eax
		mov	dword ptr [ebx], 8
		add	esp, 0Ch
		cmp	[esi+10h], eax
		jnz	short loc_903BE3
		mov	[ebx+14h], eax
		mov	eax, [esi+14h]
		mov	[ebx+1Ch], eax
		jmp	short loc_903C14
; 

loc_903BE3:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2B74j
		add	esi, 1Ch
		mov	dword ptr [ebx+14h], 1
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_903BF2:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2B9Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+40h+var_4]
		jnz	short loc_903BF2
		sub	ecx, edx
		sar	ecx, 1
		push	esi
		lea	eax, [ecx+1]
		push	eax
		lea	eax, [ebx+20h]
		push	eax
		call	_wcscpy_s
		add	esp, 0Ch

loc_903C14:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2B7Fj
		cmp	[esp+40h+var_2C], 0
		jz	loc_861171
		mov	eax, [esp+40h+var_C]
		mov	[ebx+18h], eax
		add	eax, ebx
		push	[esp+40h+var_28]
		push	[esp+44h+var_2C]
		jmp	loc_861168
; 

loc_903C35:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A29B2j
		push	24h
		pop	eax
		push	4B444342h
		push	eax
		push	1
		mov	[esp+4Ch+var_C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8611AA
		push	9
		xor	eax, eax
		mov	edi, ebx
		add	esi, 20h
		pop	ecx
		rep stosd
		mov	dword ptr [ebx], 7
		lea	edi, [ebx+14h]
		movsd
		movsd
		movsd
		movsd
		jmp	short loc_903C7D
; 

loc_903C6E:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2C46j
		xor	eax, eax
		mov	edi, ebx
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	dword ptr [ebx], 1

loc_903C7D:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2C0Aj
		mov	edi, [esp+40h+var_C]
		xor	eax, eax
		mov	esi, eax
		jmp	loc_861175
; 

loc_903C8A:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+5Bj
		push	14h
		pop	eax
		push	4B444342h
		push	eax
		push	1
		mov	[esp+4Ch+var_C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8611AA
		jmp	short loc_903C6E
; 

loc_903CAA:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+89j
		mov	ecx, [esp+40h+var_C]
		test	ecx, ecx
		jz	loc_8610F1
		mov	esi, 0C0000001h
		jmp	short loc_903CC1
; 

loc_903CBD:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A8j
		mov	ecx, [esp+40h+var_C]

loc_903CC1:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2C59j
		test	ecx, ecx
		jz	loc_903EDC
		add	ecx, [esp+40h+var_20]
		lea	eax, [esp+40h+var_28]
		mov	edx, [esp+40h+var_10]
		push	eax
		lea	eax, [esp+44h+var_2C]
		push	eax
		xor	eax, eax
		push	eax
		call	BiConvertBootEnvironmentDeviceToNt
		mov	esi, eax
		test	esi, esi
		js	loc_903EE4
		mov	edi, [esp+40h+var_28]
		push	4B444342h
		add	edi, 22h
		push	edi
		push	1
		mov	[esp+4Ch+var_18], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+40h+var_8], ebx
		test	ebx, ebx
		jz	loc_8611AA
		push	edi		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		mov	ecx, [esp+4Ch+var_10]
		xor	eax, eax
		add	esp, 0Ch
		mov	dword ptr [ebx], 8
		mov	[ebx+14h], eax
		mov	eax, 12000002h
		test	ecx, ecx
		jz	short loc_903D54
		cmp	ecx, 21000001h
		jnz	short loc_903D47
		mov	eax, 22000002h
		jmp	short loc_903D54
; 

loc_903D47:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2CDCj
		cmp	ecx, 11000043h
		jnz	short loc_903D54
		mov	eax, 12000044h

loc_903D54:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2CD4j
					; BiConvertBootEnvironmentDeviceToNt+A2CE3j ...
		mov	[ebx+1Ch], eax
		lea	eax, [ebx+22h]
		mov	dword ptr [ebx+18h], 22h
		push	[esp+40h+var_28] ; size_t
		push	[esp+44h+var_2C] ; void	*
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_903EDC
; 

loc_903D77:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+4Cj
		mov	edx, [esi+10h]
		mov	eax, edx
		sub	eax, 3
		jz	short loc_903D8B
		dec	eax
		sub	eax, 1
		jnz	loc_903EFF

loc_903D8B:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2D1Dj
		xor	ecx, ecx
		cmp	edx, 3
		setz	cl
		xor	eax, eax
		dec	ecx
		and	ecx, 0FFFFFFECh
		add	ecx, 34h
		cmp	edx, 3
		lea	edx, [esi+10h]
		setz	al
		dec	eax
		and	eax, 0FFFFFFECh
		add	eax, 24h
		add	edx, eax
		lea	eax, [ecx+0Ch]
		mov	[esp+40h+var_4], edx
		mov	edx, [esi+8]
		cmp	edx, eax
		jb	loc_903ED7
		mov	eax, [esp+40h+var_4]
		sub	edx, ecx
		cmp	[eax+8], edx
		ja	loc_903ED7
		mov	edx, [esp+40h+var_10]
		lea	ecx, [esp+40h+var_28]
		push	ecx
		lea	ecx, [esp+44h+var_2C]
		push	ecx
		xor	ecx, ecx
		push	ecx
		mov	ecx, eax
		call	BiConvertBootEnvironmentDeviceToNt
		mov	esi, eax
		test	esi, esi
		js	loc_903EE4
		mov	eax, [esp+40h+var_2C]
		cmp	dword ptr [eax], 3
		jz	loc_903EFB
		mov	edx, [esp+40h+var_4]
		mov	eax, [edx+8]
		add	eax, edx
		xor	esi, esi
		mov	ecx, eax
		mov	[esp+40h+var_24], eax
		lea	edx, [ecx+2]

loc_903E12:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2DB9j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_903E12
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		lea	ecx, [esp+40h+var_14]
		mov	[esp+40h+var_4], eax
		push	ecx
		push	1Ch
		mov	edx, eax
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_903EE4
		mov	edx, [esp+40h+var_28]
		lea	eax, [esp+40h+var_14]
		mov	ecx, [esp+40h+var_14]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_903EE4
		mov	esi, [esp+40h+var_4]
		mov	edi, [esp+40h+var_28]
		add	esi, 1Bh
		and	esi, 0FFFFFFFCh
		push	4B444342h
		add	edi, esi
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8611AA
		push	edi		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebx+18h]
		push	[esp+40h+var_4]	; size_t
		push	[esp+44h+var_24] ; void	*
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebx+14h], esi
		lea	eax, [esi+ebx]
		push	[esp+40h+var_28] ; size_t
		push	[esp+44h+var_2C] ; void	*
		push	eax		; void *
		call	_memcpy
		mov	ecx, [esp+4Ch+var_20]
		xor	eax, eax
		add	esp, 0Ch
		cmp	dword ptr [ecx+10h], 3
		setz	al
		add	eax, 3
		mov	[ebx], eax
		jmp	loc_861171
; 

loc_903ED7:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2D58j
					; BiConvertBootEnvironmentDeviceToNt+A2D67j
		mov	esi, 0C000000Dh

loc_903EDC:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2C61j
					; BiConvertBootEnvironmentDeviceToNt+A2D10j
		test	esi, esi
		jns	loc_861175

loc_903EE4:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+7Fj
					; BiConvertBootEnvironmentDeviceToNt+A2B26j ...
		cmp	esi, 0C000009Ah
		jz	short loc_903F19
		test	ebx, ebx
		jz	short loc_903EFB
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_903EFB:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2D96j
					; BiConvertBootEnvironmentDeviceToNt+A2E8Cj
		mov	esi, [esp+40h+var_20]

loc_903EFF:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A29C0j
					; BiConvertBootEnvironmentDeviceToNt+A2B01j ...
		lea	eax, [esp+40h+var_18]
		mov	ecx, esi
		push	eax
		lea	edx, [esp+44h+var_8]
		call	_BiConvertBootEnvironmentDeviceToUnknown@12 ; BiConvertBootEnvironmentDeviceToUnknown(x,x,x)
		mov	edi, [esp+40h+var_18]
		mov	esi, eax
		mov	ebx, [esp+40h+var_8]

loc_903F19:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2E88j
		test	esi, esi
		js	loc_86117F
		jmp	loc_861175
; 

loc_903F26:				; CODE XREF: BiConvertBootEnvironmentDeviceToNt+122j
		push	4B444342h
		push	[esp+44h+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86118A
; END OF FUNCTION CHUNK	FOR BiConvertBootEnvironmentDeviceToNt
; 
; START	OF FUNCTION CHUNK FOR BiGetNtPartitionPath

loc_903F39:				; CODE XREF: BiGetNtPartitionPath+AFj
		mov	eax, 0C0000017h
		jmp	loc_8614C2
; 

loc_903F43:				; CODE XREF: BiGetNtPartitionPath+BDj
		cmp	[ebp+var_4C], eax
		jnz	loc_861275
		cmp	[ebp+var_54], eax
		jnz	loc_861275
		mov	[ebp+var_31], 1
		jmp	loc_861275
; 

loc_903F5E:				; CODE XREF: BiGetNtPartitionPath+179j
		cmp	esi, 8000001Ah
		jz	loc_861331
		mov	ebx, [ebp+var_48]
		jmp	loc_861494
; 

loc_903F72:				; CODE XREF: BiGetNtPartitionPath+1FDj
		push	4B444342h
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_861358
; 

loc_903F84:				; CODE XREF: BiGetNtPartitionPath+211j
		cmp	eax, 1
		jnz	loc_904018
		push	dword ptr [edx]
		push	dword ptr [esi]
		push	offset ??_C@_1DA@FBMBGMIJ@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AA?$CF?$AAs?$AA?2?$AAP?$AAa?$AAr?$AAt@NNGAKEGL@ ;	"\\"
		push	2Ch
		push	edi
		call	_swprintf_s
		add	esp, 14h
		lea	eax, [ebp+var_84]
		push	edi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ecx, ecx
		mov	[ebp+var_BC], 18h
		push	ecx
		lea	eax, [ebp+var_84]
		mov	[ebp+var_B8], ecx
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_8C]
		push	3
		push	eax
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_B0], 240h
		push	eax
		push	80000000h
		lea	eax, [ebp+var_64]
		mov	[ebp+var_AC], ecx
		push	eax
		mov	[ebp+var_A8], ecx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	loc_86144C
		push	[ebp+var_64]
		call	_ZwClose@4	; ZwClose(x)
		mov	bl, 1
		jmp	loc_86144C
; 

loc_904018:				; CODE XREF: BiGetNtPartitionPath+21Aj
					; BiGetNtPartitionPath+A2DD5j
		test	eax, eax
		jnz	loc_86144C
		jmp	loc_8613D2
; 

loc_904025:				; CODE XREF: BiGetNtPartitionPath+227j
		test	edx, edx
		jnz	short loc_904034
		mov	edx, [ebp+var_4C]
		test	edx, edx
		jz	loc_8613DF

loc_904034:				; CODE XREF: BiGetNtPartitionPath+A2E75j
		mov	[ebp+var_58], edx
		jmp	loc_8613DF
; 

loc_90403C:				; CODE XREF: BiGetNtPartitionPath+264j
		mov	ecx, edi
		call	_BiGetPartitionVhdFilePath@4 ; BiGetPartitionVhdFilePath(x)
		mov	[ebp+var_44], eax
		test	eax, eax
		jz	loc_86141C
		push	eax		; wchar_t *
		push	[ebp+var_38]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_861447
		mov	eax, [ebp+var_44]
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx
		mov	[ebp+var_44], ecx
		jmp	loc_86141C
; 

loc_904079:				; CODE XREF: BiGetNtPartitionPath+26Ej
		mov	ecx, [ebp+var_58]
		test	ecx, ecx
		jz	short loc_904096
		push	10h		; size_t
		lea	eax, [esi+28h]
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jmp	loc_861441
; 

loc_904096:				; CODE XREF: BiGetNtPartitionPath+279j
					; BiGetNtPartitionPath+283j ...
		mov	ecx, [ebp+var_30]

loc_904099:				; CODE XREF: BiGetNtPartitionPath+246j
		mov	eax, [ebp+var_68]
		add	esi, 90h
		inc	eax
		mov	[ebp+var_68], eax
		cmp	eax, [ecx+4]
		jb	loc_8613F3
		jmp	loc_861449
; 

loc_9040B4:				; CODE XREF: BiGetNtPartitionPath+2ACj
		test	bl, bl
		jz	loc_861358
		test	bh, bh
		jnz	loc_861464
		mov	ecx, edi
		call	_BiGetPartitionVhdFilePath@4 ; BiGetPartitionVhdFilePath(x)
		mov	esi, eax
		mov	[ebp+var_44], esi
		test	esi, esi
		jz	short loc_9040F7
		push	esi		; wchar_t *
		push	[ebp+var_38]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_861464
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebp+var_44], eax

loc_9040F7:				; CODE XREF: BiGetNtPartitionPath+A2F20j
		mov	esi, [ebp+var_40]
		xor	eax, eax
		mov	bl, al
		jmp	loc_86135A
; 

loc_904103:				; CODE XREF: BiGetNtPartitionPath+187j
					; BiGetNtPartitionPath+2B7j
		mov	esi, 0C000000Dh
		jmp	short loc_904112
; 

loc_90410A:				; CODE XREF: BiGetNtPartitionPath+172j
		mov	ebx, [ebp+var_48]
		mov	esi, 0C0000017h

loc_904112:				; CODE XREF: BiGetNtPartitionPath+118j
					; BiGetNtPartitionPath+2E4j ...
		test	edi, edi
		jz	loc_86149C
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86149C
; 

loc_90412A:				; CODE XREF: BiGetNtPartitionPath+300j
		push	4B444342h
		push	[ebp+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8614B8
; 

loc_90413C:				; CODE XREF: BiGetNtPartitionPath+308j
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8614C0
; END OF FUNCTION CHUNK	FOR BiGetNtPartitionPath
; 
; START	OF FUNCTION CHUNK FOR BiIsValidDiskDevice

loc_90414C:				; CODE XREF: BiIsValidDiskDevice+65j
					; BiIsValidDiskDevice+A2CA3j
		cmp	si, di
		jb	loc_8614FC
		cmp	si, 39h
		ja	loc_8614FC
		inc	edx
		cmp	dx, 0Ah
		ja	loc_8614FC
		add	ecx, 2
		movzx	eax, word ptr [ecx]
		mov	esi, eax
		test	ax, ax
		jnz	short loc_90414C
		jmp	loc_86152F
; END OF FUNCTION CHUNK	FOR BiIsValidDiskDevice
; 
; START	OF FUNCTION CHUNK FOR BiTranslateSymbolicLink

loc_90417C:				; CODE XREF: BiTranslateSymbolicLink+89j
		push	4B444342h
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8615CB
; 

loc_90418E:				; CODE XREF: BiTranslateSymbolicLink+ADj
		mov	esi, 0C000009Ah
		jmp	loc_861650
; 

loc_904198:				; CODE XREF: BiTranslateSymbolicLink+118j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_4], 0
		mov	eax, [ebp+var_C]
		jmp	loc_86165A
; 

loc_9041AC:				; CODE XREF: BiTranslateSymbolicLink+C3j
					; BiTranslateSymbolicLink+120j
		test	eax, eax
		jz	loc_861662
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_861662
; END OF FUNCTION CHUNK	FOR BiTranslateSymbolicLink
; 
; START	OF FUNCTION CHUNK FOR BiGetDriveLayoutBlock

loc_9041C4:				; CODE XREF: BiGetDriveLayoutBlock+31j
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_4]
		call	_BiGetPhysicalDriveName@8 ; BiGetPhysicalDriveName(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9041F6
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	_BiGetDriveLayoutInformation@8 ; BiGetDriveLayoutInformation(x,x)
		push	4B444342h
		push	[ebp+var_4]
		mov	ebx, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jns	loc_8616A1

loc_9041F6:				; CODE XREF: BiGetDriveLayoutBlock+58j
					; BiGetDriveLayoutBlock+A2B69j
		mov	eax, [esi]
		test	eax, eax
		jz	loc_8616C8
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0
		jmp	loc_8616C8
; 

loc_904213:				; CODE XREF: BiGetDriveLayoutBlock+43j
		cmp	edx, 1
		jnz	short loc_90422E
		and	dword ptr [ecx+4], 0
		lea	esi, [eax+8]
		lea	edi, [ecx+8]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_C]
		jmp	loc_8616C0
; 

loc_90422E:				; CODE XREF: BiGetDriveLayoutBlock+A2BACj
		mov	ebx, 0C000000Dh
		jmp	loc_8616C0
; END OF FUNCTION CHUNK	FOR BiGetDriveLayoutBlock
; 
; START	OF FUNCTION CHUNK FOR BcdOpenStore

loc_904238:				; CODE XREF: BcdOpenStore+22j
		push	ecx
		push	[ebp+var_4]
		push	offset ??_C@_19CIJIHAKK@?$AAN?$AAU?$AAL?$AAL@NNGAKEGL@
		push	offset ??_C@_1KE@DMKAGBMK@?$AAB?$AAc?$AAd?$AAO?$AAp?$AAe?$AAn?$AAS?$AAt?$AAo?$AAr?$AAe?$AA?3?$AA?5?$AAF@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 14h
		mov	eax, ecx
		jmp	loc_86179A
; 

loc_904257:				; CODE XREF: BcdOpenStore+5Fj
		push	esi
		push	offset ??_C@_1FA@PPLIENGI@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		jmp	loc_861791
; END OF FUNCTION CHUNK	FOR BcdOpenStore
; 
; START	OF FUNCTION CHUNK FOR PopBcdSetDefaultResumeObjectElements

loc_90426C:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+105j
		mov	esi, 0C0000024h
		jmp	loc_861A35
; 

loc_904276:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+164j
		mov	esi, 0C000009Ah
		jmp	loc_861A35
; 

loc_904280:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+1FBj
		push	[esp+58h+var_24]
		lea	eax, [esp+5Ch+var_8]
		mov	edx, 15000052h
		push	eax
		push	ecx
		mov	ecx, edi
		call	BcdSetElementDataWithFlags
		jmp	loc_8619AD
; 

loc_90429B:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+206j
		push	[esp+58h+var_3C]
		lea	eax, [esp+5Ch+var_48]
		mov	edx, 16000054h
		push	eax
		push	ecx
		mov	ecx, edi
		call	BcdSetElementDataWithFlags
		jmp	loc_8619B8
; 

loc_9042B6:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+211j
		push	[esp+58h+var_3C]
		lea	eax, [esp+5Ch+var_44]
		mov	edx, 16000046h
		push	eax
		push	ecx
		mov	ecx, edi
		call	BcdSetElementDataWithFlags
		jmp	loc_8619C3
; 

loc_9042D1:				; CODE XREF: PopBcdSetDefaultResumeObjectElements+89j
		mov	ebx, [esp+58h+var_34]
		jmp	loc_861A35
; END OF FUNCTION CHUNK	FOR PopBcdSetDefaultResumeObjectElements
; 
; START	OF FUNCTION CHUNK FOR BiDeleteElement

loc_9042DA:				; CODE XREF: BiDeleteElement+75j
		push	esi
		push	offset ??_C@_1HC@IKFAJEGO@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		jmp	loc_861B0E
; 

loc_9042EF:				; CODE XREF: BiDeleteElement+92j
		mov	esi, 0C0000001h
		jmp	loc_861B0E
; 

loc_9042F9:				; CODE XREF: BiDeleteElement+C0j
		push	esi
		lea	eax, [esp+54h+var_30]
		push	eax
		push	offset ??_C@_1GM@IPBIONFL@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@ ; "Failed to	open element %ws key for dele"...
		push	4
		call	_BiLogMessage
		add	esp, 10h
		jmp	loc_861B02
; 

loc_904313:				; CODE XREF: BiDeleteElement+CAj
		mov	ecx, edi
		call	_BiCloseKey@4	; BiCloseKey(x)
		jmp	loc_861B0A
; END OF FUNCTION CHUNK	FOR BiDeleteElement
; 
; START	OF FUNCTION CHUNK FOR PopBcdReadElement

loc_90431F:				; CODE XREF: PopBcdReadElement+51j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_861D07
; END OF FUNCTION CHUNK	FOR PopBcdReadElement
; 
; START	OF FUNCTION CHUNK FOR BiEnumerateSubKeys

loc_90432C:				; CODE XREF: BiEnumerateSubKeys+70j
		cmp	esi, 80000005h
		jnz	loc_861F14
		jmp	loc_861D96
; 

loc_90433D:				; CODE XREF: BiEnumerateSubKeys+110j
		mov	esi, 0C000009Ah
		jmp	loc_861F4D
; 

loc_904347:				; CODE XREF: BiEnumerateSubKeys+158j
		mov	esi, 0C000009Ah
		jmp	loc_861F0E
; 

loc_904351:				; CODE XREF: BiEnumerateSubKeys+1A0j
		mov	esi, 0C0000023h
		jmp	loc_861F0E
; 

loc_90435B:				; CODE XREF: BiEnumerateSubKeys+18Aj
		test	ebx, ebx
		jz	loc_861F11
		jmp	loc_861EFF
; 

loc_904368:				; CODE XREF: BiEnumerateSubKeys+205j
		mov	eax, [ebp+var_6C]
		test	eax, eax
		jz	loc_861F2B
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_861F2B
; 

loc_904383:				; CODE XREF: BiEnumerateSubKeys+211j
		mov	[ebp+ms_exc.disabled], edi
		int	3		; Trap to Debugger
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_84]
		jmp	short loc_9043AC
; END OF FUNCTION CHUNK	FOR BiEnumerateSubKeys

;  S U B	R O U T	I N E 


sub_904396	proc near		; DATA XREF: .text:006A49ECo
		xor	eax, eax
		inc	eax
		retn
sub_904396	endp


;  S U B	R O U T	I N E 


sub_90439A	proc near		; DATA XREF: .text:006A49F0o
		mov	esp, [ebp-18h]
		push	5
		pop	eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edi, edi
		mov	esi, [ebp-58h]
sub_90439A	endp

; START	OF FUNCTION CHUNK FOR BiEnumerateSubKeys

loc_9043AC:				; CODE XREF: BiEnumerateSubKeys+A2674j
		cmp	eax, 5
		jnb	loc_861F37
		inc	eax
		mov	[ebp+var_84], eax
		jmp	loc_861D5B
; END OF FUNCTION CHUNK	FOR BiEnumerateSubKeys
; 
; START	OF FUNCTION CHUNK FOR BiOpenSystemStore

loc_9043C1:				; CODE XREF: BiOpenSystemStore+1EDj
		mov	ecx, edi
		call	_BiCloseKey@4	; BiCloseKey(x)
		jmp	loc_862006
; 

loc_9043CD:				; CODE XREF: BiOpenSystemStore+E0j
		push	(offset	loc_8C736B+1)
		push	4
		call	_BiLogMessage
		add	esp, 8
		mov	esi, 0C0000225h
		jmp	loc_8620B0
; 

loc_9043E6:				; CODE XREF: BiOpenSystemStore+130j
		sub	eax, 1
		jz	short loc_904401
		sub	eax, 1
		jz	short loc_9043FA
		mov	esi, 0C00000BBh
		jmp	loc_86208A
; 

loc_9043FA:				; CODE XREF: BiOpenSystemStore+A249Cj
		xor	esi, esi
		jmp	loc_862092
; 

loc_904401:				; CODE XREF: BiOpenSystemStore+A2497j
		mov	ecx, edi
		call	_BiBindEfiNamespaceObjects@4 ; BiBindEfiNamespaceObjects(x)
		mov	esi, eax
		jmp	loc_86208A
; 

loc_90440F:				; CODE XREF: BiOpenSystemStore+13Aj
		push	esi
		push	ebx
		push	(offset	loc_8C7287+1)
		push	4
		call	_BiLogMessage
		add	esp, 10h
		jmp	loc_8620A8
; 

loc_904425:				; CODE XREF: BiOpenSystemStore+108j
		or	edi, 2
		jmp	loc_8620A2
; 

loc_90442D:				; CODE XREF: BiOpenSystemStore+F7j
					; BiOpenSystemStore+158j
		test	edi, edi
		jz	loc_8620B0
		mov	edx, [esp+30h+var_8]
		mov	ecx, edi
		add	edx, edx
		call	BiCloseStore
		jmp	loc_8620B0
; END OF FUNCTION CHUNK	FOR BiOpenSystemStore
; 
; START	OF FUNCTION CHUNK FOR BcdOpenObject

loc_904447:				; CODE XREF: BcdOpenObject+62j
		push	esi
		push	offset ??_C@_1FI@PDDFMHFP@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAg?$AAe?$AAt?$AA?5?$AAo@NNGAKEGL@
		jmp	short loc_904455
; 

loc_90444F:				; CODE XREF: BcdOpenObject+13Bj
		push	esi
		push	offset ??_C@_1GA@BMFPLOJK@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAu?$AAp?$AAd?$AAa?$AAt@NNGAKEGL@

loc_904455:				; CODE XREF: BcdOpenObject+A22E1j
		push	4
		call	_BiLogMessage
		mov	edi, [esp+44h+var_14]
		jmp	short loc_9044B3
; 

loc_904462:				; CODE XREF: BcdOpenObject+98j
		push	esi
		push	(offset	loc_8C75E1+1)
		jmp	short loc_904470
; 

loc_90446A:				; CODE XREF: BcdOpenObject+113j
		push	esi
		push	(offset	loc_8C763F+1)

loc_904470:				; CODE XREF: BcdOpenObject+A22FCj
		push	4
		jmp	short loc_9044AE
; 

loc_904474:				; CODE XREF: BcdOpenObject+100j
		sub	eax, 1
		jz	short loc_904483
		mov	esi, 0C000000Dh
		jmp	loc_86227D
; 

loc_904483:				; CODE XREF: BcdOpenObject+A230Bj
		mov	ecx, [esp+38h+var_20]
		lea	edx, [esp+38h+var_10]
		call	_BiGetDefaultBootEntryIdentifier@8 ; BiGetDefaultBootEntryIdentifier(x,x)
		jmp	loc_86227B
; 

loc_904495:				; CODE XREF: BcdOpenObject+C4j
		xor	eax, eax
		cmp	esi, 0C0000034h
		push	esi
		setnz	al
		push	offset ??_C@_1FA@MKEEABKA@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@
		lea	eax, ds:2[eax*2]
		push	eax

loc_9044AE:				; CODE XREF: BcdOpenObject+A2306j
		call	_BiLogMessage

loc_9044B3:				; CODE XREF: BcdOpenObject+A22F4j
		add	esp, 0Ch
		jmp	loc_862236
; END OF FUNCTION CHUNK	FOR BcdOpenObject
; 
; START	OF FUNCTION CHUNK FOR BiCreateKey

loc_9044BB:				; CODE XREF: BiCreateKey+8Fj
		mov	esi, 0C0000079h
		mov	[ebp+var_24], esi

loc_9044C3:				; CODE XREF: BiCreateKey+D8j
					; BiCreateKey+F4j ...
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	loc_862436
		call	_BiZwClose@4	; BiZwClose(x)
		jmp	loc_862436
; 

loc_9044D8:				; CODE XREF: BiCreateKey+159j
		mov	[ebp+ms_exc.disabled], ebx
		int	3		; Trap to Debugger
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_34]
		jmp	short loc_9044FE
; END OF FUNCTION CHUNK	FOR BiCreateKey

;  S U B	R O U T	I N E 


sub_9044E8	proc near		; DATA XREF: .text:006A4A0Co
		xor	eax, eax
		inc	eax
		retn
sub_9044E8	endp


;  S U B	R O U T	I N E 


sub_9044EC	proc near		; DATA XREF: .text:006A4A10o
		mov	esp, [ebp-18h]
		push	5
		pop	edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp-24h]
sub_9044EC	endp

; START	OF FUNCTION CHUNK FOR BiCreateKey

loc_9044FE:				; CODE XREF: BiCreateKey+A21F4j
		cmp	edi, 5
		jnb	loc_862451
		inc	edi
		mov	[ebp+var_34], edi
		jmp	loc_86231F
; END OF FUNCTION CHUNK	FOR BiCreateKey
; 
; START	OF FUNCTION CHUNK FOR BiGetRegistryValue

loc_904510:				; CODE XREF: BiGetRegistryValue+A9j
					; BiGetRegistryValue+F9j
		mov	esi, 0C000009Ah
		jmp	short loc_90451C
; 

loc_904517:				; CODE XREF: BiGetRegistryValue+D4j
		mov	esi, 0C0000024h

loc_90451C:				; CODE XREF: BiGetRegistryValue+A20AFj
		mov	[ebp+var_20], esi
		jmp	loc_862582
; 

loc_904524:				; CODE XREF: BiGetRegistryValue+144j
		mov	[ebp+ms_exc.disabled], edi
		int	3		; Trap to Debugger
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_30]
		jmp	short loc_90454A
; END OF FUNCTION CHUNK	FOR BiGetRegistryValue

;  S U B	R O U T	I N E 


sub_904534	proc near		; DATA XREF: .text:006A4A2Co
		xor	eax, eax
		inc	eax
		retn
sub_904534	endp


;  S U B	R O U T	I N E 


sub_904538	proc near		; DATA XREF: .text:006A4A30o
		mov	esp, [ebp-18h]
		push	5
		pop	ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edi, edi
		mov	esi, [ebp-20h]
sub_904538	endp

; START	OF FUNCTION CHUNK FOR BiGetRegistryValue

loc_90454A:				; CODE XREF: BiGetRegistryValue+A20CCj
		cmp	ebx, 5
		jnb	loc_8625B0
		inc	ebx
		mov	[ebp+var_30], ebx
		mov	ebx, [ebp+var_2C]
		jmp	loc_862488
; END OF FUNCTION CHUNK	FOR BiGetRegistryValue
; 
; START	OF FUNCTION CHUNK FOR BcdGetElementDataWithFlags

loc_90455F:				; CODE XREF: BcdGetElementDataWithFlags+62j
		push	ecx
		push	(offset	loc_8C7981+1)
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		mov	eax, ecx
		jmp	loc_862755
; 

loc_904576:				; CODE XREF: BcdGetElementDataWithFlags+BDj
		push	esi
		push	ebx
		push	offset ??_C@_1JO@HHKLDKGJ@?$AAB?$AAc?$AAd?$AAG?$AAe?$AAt?$AAE?$AAl?$AAe?$AAm?$AAe?$AAn?$AAt?$AAD?$AAa@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 10h
		jmp	loc_862729
; 

loc_90458C:				; CODE XREF: BcdGetElementDataWithFlags+D9j
		mov	esi, 0C0000001h
		jmp	loc_862729
; 

loc_904596:				; CODE XREF: BcdGetElementDataWithFlags+129j
		push	esi
		push	[ebp+var_68]
		push	ebx
		push	offset ??_C@_1LM@EBMDGPOP@?$AAB?$AAc?$AAd?$AAG?$AAe?$AAt?$AAE?$AAl?$AAe?$AAm?$AAe?$AAn?$AAt?$AAD?$AAa@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 14h
		jmp	loc_862716
; END OF FUNCTION CHUNK	FOR BcdGetElementDataWithFlags
; 
; START	OF FUNCTION CHUNK FOR BiOpenKey

loc_9045AF:				; CODE XREF: BiOpenKey+141j
		call	_BiZwClose@4	; BiZwClose(x)
		jmp	loc_862855
; 

loc_9045B9:				; CODE XREF: BiOpenKey+BEj
		mov	[ebp+ms_exc.disabled], ebx
		int	3		; Trap to Debugger
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_30]
		jmp	short loc_9045DF
; END OF FUNCTION CHUNK	FOR BiOpenKey

;  S U B	R O U T	I N E 


sub_9045C9	proc near		; DATA XREF: .text:006A4A4Co
		xor	eax, eax
		inc	eax
		retn
sub_9045C9	endp


;  S U B	R O U T	I N E 


sub_9045CD	proc near		; DATA XREF: .text:006A4A50o
		mov	esp, [ebp-18h]
		push	5
		pop	eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp-24h]
sub_9045CD	endp

; START	OF FUNCTION CHUNK FOR BiOpenKey

loc_9045DF:				; CODE XREF: BiOpenKey+A1E23j
		cmp	eax, 5
		jnb	loc_862868
		inc	eax
		mov	[ebp+var_30], eax
		jmp	loc_8627CE
; END OF FUNCTION CHUNK	FOR BiOpenKey
; 
; START	OF FUNCTION CHUNK FOR BcdSetElementDataWithFlags

loc_9045F1:				; CODE XREF: BcdSetElementDataWithFlags+37j
		test	eax, eax
		jz	loc_862927
		mov	eax, 0C000000Dh
		jmp	loc_862A7C
; 

loc_904603:				; CODE XREF: BcdSetElementDataWithFlags+51j
		push	ecx
		mov	ecx, esi
		call	BiDeleteElement
		xor	eax, eax
		jmp	loc_862A7C
; 

loc_904612:				; CODE XREF: BcdSetElementDataWithFlags+9Bj
		push	esi
		push	offset ??_C@_1GK@DGBKFFHL@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		jmp	loc_862A37
; 

loc_904627:				; CODE XREF: BcdSetElementDataWithFlags+B5j
		mov	esi, 0C0000001h
		jmp	loc_862A4A
; 

loc_904631:				; CODE XREF: BcdSetElementDataWithFlags+DDj
		push	esi
		lea	eax, [esp+64h+var_30]
		push	eax
		push	offset ??_C@_1FM@MCOPBIDM@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAo?$AAp?$AAe?$AAn?$AA?5@NNGAKEGL@
		push	4
		call	_BiLogMessage
		mov	edi, [esp+70h+var_44]
		add	esp, 10h
		jmp	loc_862A37
; 

loc_90464F:				; CODE XREF: BcdSetElementDataWithFlags+104j
		push	esi
		lea	eax, [esp+64h+var_30]
		push	eax
		push	offset ??_C@_1GE@MOGGGLMO@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAc?$AAo?$AAn?$AAv?$AAe@NNGAKEGL@
		jmp	short loc_904667
; 

loc_90465C:				; CODE XREF: BcdSetElementDataWithFlags+132j
		push	esi
		lea	eax, [esp+64h+var_30]
		push	eax
		push	offset ??_C@_1GO@IGGIJOKF@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAs?$AAe?$AAt?$AA?5?$AAr@NNGAKEGL@

loc_904667:				; CODE XREF: BcdSetElementDataWithFlags+A1D70j
		push	4
		call	_BiLogMessage
		add	esp, 10h
		jmp	loc_862A22
; 

loc_904676:				; CODE XREF: BcdSetElementDataWithFlags+14Fj
		cmp	[esp+60h+var_4E], 0
		jz	loc_862A3F
		mov	ecx, edi
		call	BiDeleteKey
		xor	edi, edi
		jmp	loc_862A3F
; END OF FUNCTION CHUNK	FOR BcdSetElementDataWithFlags
; 
; START	OF FUNCTION CHUNK FOR BiIsLinkedToFirmwareVariable

loc_90468F:				; CODE XREF: BiIsLinkedToFirmwareVariable+12j
		mov	edx, esi
		mov	ecx, edi
		call	_BiIsLinkedToEfiVariable@8 ; BiIsLinkedToEfiVariable(x,x)
		jmp	loc_862C12
; END OF FUNCTION CHUNK	FOR BiIsLinkedToFirmwareVariable
; 
; START	OF FUNCTION CHUNK FOR BiSetRegistryValue

loc_90469D:				; CODE XREF: BiSetRegistryValue+67j
		and	[ebp+ms_exc.disabled], 0
		int	3		; Trap to Debugger
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9046BF
; END OF FUNCTION CHUNK	FOR BiSetRegistryValue

;  S U B	R O U T	I N E 


sub_9046AB	proc near		; DATA XREF: .text:006A4A6Co
		xor	eax, eax
		inc	eax
		retn
sub_9046AB	endp


;  S U B	R O U T	I N E 


sub_9046AF	proc near		; DATA XREF: .text:006A4A70o
		mov	esp, [ebp-18h]
		push	5
		pop	edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-28h]
sub_9046AF	endp

; START	OF FUNCTION CHUNK FOR BiSetRegistryValue

loc_9046BF:				; CODE XREF: BiSetRegistryValue+A1A27j
		cmp	edi, 5
		jnb	loc_862CEF
		inc	edi
		jmp	loc_862C9D
; END OF FUNCTION CHUNK	FOR BiSetRegistryValue
; 
; START	OF FUNCTION CHUNK FOR BiConvertElementToRegistryData

loc_9046CE:				; CODE XREF: BiConvertElementToRegistryData+5Dj
		mov	ebx, [ebp+arg_0]
		sub	ecx, 1
		jnz	short loc_9046DB
		test	bl, 7
		jnz	short loc_904704

loc_9046DB:				; CODE XREF: BiConvertElementToRegistryData+A1992j
		push	edi
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_9046FA
		push	ebx		; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_862DCF
; 

loc_9046FA:				; CODE XREF: BiConvertElementToRegistryData+7Fj
					; BiConvertElementToRegistryData+B9j ...
		mov	ebx, 0C0000017h
		jmp	loc_862E44
; 

loc_904704:				; CODE XREF: BiConvertElementToRegistryData+6Aj
					; BiConvertElementToRegistryData+110j ...
		mov	ebx, 0C0000024h
		jmp	loc_862E44
; 

loc_90470E:				; CODE XREF: BiConvertElementToRegistryData+54j
		push	8
		pop	ebx
		cmp	[ebp+arg_0], ebx
		jnz	short loc_904704
		push	edi
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_9046FA
		mov	eax, [esi]
		mov	[edi], eax
		mov	eax, [esi+4]
		mov	[edi+4], eax
		jmp	loc_862DCF
; 

loc_904734:				; CODE XREF: BiConvertElementToRegistryData+4Bj
		mov	eax, [ebp+arg_0]
		test	al, 0Fh
		jnz	short loc_904704
		shr	eax, 4
		mov	edi, edx
		mov	[ebp+var_14], eax
		mov	ecx, edx
		mov	[ebp+arg_0], edx
		test	eax, eax
		jz	short loc_904795

loc_90474C:				; CODE XREF: BiConvertElementToRegistryData+A1A4Fj
		push	edx
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	edx, [ebp+var_20]
		mov	ecx, esi
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_862E44
		movzx	ecx, word ptr [ebp+var_20]
		lea	eax, [ebp+var_20]
		add	ecx, 2
		add	edi, ecx
		push	eax
		mov	[ebp+var_18], edi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [ebp+arg_0]
		add	esi, 10h
		inc	eax
		push	0
		mov	[ebp+arg_0], eax
		pop	edx
		cmp	eax, [ebp+var_14]
		jb	short loc_90474C
		mov	ecx, edi

loc_904795:				; CODE XREF: BiConvertElementToRegistryData+A1A08j
		lea	esi, [ecx+2]
		push	4B444342h
		push	esi
		push	1
		mov	[ebp+var_10], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9046FA
		xor	ecx, ecx
		mov	[ebp+arg_0], eax
		mov	[ebp+var_18], ecx
		cmp	[ebp+var_14], ecx
		jbe	short loc_904812
		mov	eax, [ebp+var_C]

loc_9047C2:				; CODE XREF: BiConvertElementToRegistryData+A1ACBj
		push	1
		lea	edx, [ebp+var_20]
		mov	ecx, eax
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_90486C
		movzx	esi, word ptr [ebp+var_20]
		add	esi, 2
		push	esi		; size_t
		push	[ebp+var_1C]	; void *
		push	[ebp+arg_0]	; void *
		call	_memcpy
		add	[ebp+arg_0], esi
		lea	eax, [ebp+var_20]
		add	esp, 0Ch
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	esi, [ebp+var_18]
		mov	eax, [ebp+var_C]
		inc	esi
		add	eax, 10h
		mov	[ebp+var_18], esi
		mov	[ebp+var_C], eax
		cmp	esi, [ebp+var_14]
		jb	short loc_9047C2
		mov	eax, [ebp+arg_0]

loc_904812:				; CODE XREF: BiConvertElementToRegistryData+A1A7Bj
		xor	ecx, ecx
		mov	[eax], cx
		jmp	loc_862E1B
; 

loc_90481C:				; CODE XREF: BiConvertElementToRegistryData+A6j
		lea	ecx, [ebp+var_18]
		push	ecx
		push	2
		pop	edx
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_862E44
		mov	esi, [ebp+var_18]
		mov	[ebp+var_10], esi
		jmp	loc_862DEE
; 

loc_90483F:				; CODE XREF: BiConvertElementToRegistryData+D3j
		xor	eax, eax
		mov	[esi+edi-2], ax
		jmp	loc_862E1B
; 

loc_90484B:				; CODE XREF: BiConvertElementToRegistryData+144j
		mov	edx, [ebp+arg_0]
		call	_BiConvertQualifiedPartitionToBootEnvironment@12 ; BiConvertQualifiedPartitionToBootEnvironment(x,x,x)
		jmp	loc_862E95
; 

loc_904858:				; CODE XREF: BiConvertElementToRegistryData+16Fj
		mov	ebx, 0C000000Dh
		jmp	short loc_904864
; 

loc_90485F:				; CODE XREF: BiConvertElementToRegistryData+183j
		mov	ebx, 0C0000017h

loc_904864:				; CODE XREF: BiConvertElementToRegistryData+A1B1Bj
		mov	esi, [ebp+var_8]
		jmp	loc_862E3C
; 

loc_90486C:				; CODE XREF: BiConvertElementToRegistryData+A1A90j
		mov	esi, [ebp+var_8]

loc_90486F:				; CODE XREF: BiConvertElementToRegistryData+DEj
		test	edi, edi
		jz	loc_862E44
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_862E37
; 

loc_904887:				; CODE XREF: BiConvertElementToRegistryData+157j
		mov	esi, [ebp+var_10]
		jmp	loc_862E3C
; 

loc_90488F:				; CODE XREF: BiConvertElementToRegistryData+FCj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_862E44
; END OF FUNCTION CHUNK	FOR BiConvertElementToRegistryData
; 
; START	OF FUNCTION CHUNK FOR BiAcquireBcdSyncMutant

loc_90489B:				; CODE XREF: BiAcquireBcdSyncMutant+19j
		lea	eax, [ebp+var_28]
		mov	[ebp+var_28], 18h
		push	eax
		push	100000h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_24], esi
		push	eax
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_20], (offset loc_40393F+1)
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		call	_ZwOpenMutant@12 ; ZwOpenMutant(x,x,x)
		cmp	eax, 0C0000034h
		jnz	short loc_9048E2
		or	ecx, 0FFFFFFFFh
		mov	edx, offset _BcdMutantHandle
		xor	eax, eax
		lock cmpxchg [edx], ecx
		jmp	short loc_904904
; 

loc_9048E2:				; CODE XREF: BiAcquireBcdSyncMutant+A1998j
		test	eax, eax
		js	loc_862F7B
		mov	ecx, [ebp+var_4]
		mov	edx, offset _BcdMutantHandle
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_904904
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_904904:				; CODE XREF: BiAcquireBcdSyncMutant+A19A8j
					; BiAcquireBcdSyncMutant+A19C2j
		mov	eax, _BcdMutantHandle
		jmp	loc_862F57
; END OF FUNCTION CHUNK	FOR BiAcquireBcdSyncMutant
; 
; START	OF FUNCTION CHUNK FOR BiGetKeyName

loc_90490E:				; CODE XREF: BiGetKeyName+3Ej
		test	esi, esi
		js	loc_863091
		mov	esi, 0C000000Dh
		jmp	short loc_904922
; 

loc_90491D:				; CODE XREF: BiGetKeyName+57j
					; BiGetKeyName+92j
		mov	esi, 0C000009Ah

loc_904922:				; CODE XREF: BiGetKeyName+A1945j
		mov	[ebp+var_1C], esi
		jmp	loc_863091
; 

loc_90492A:				; CODE XREF: BiGetKeyName+D0j
		and	[ebp+ms_exc.disabled], 0
		int	3		; Trap to Debugger
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_90494C
; END OF FUNCTION CHUNK	FOR BiGetKeyName

;  S U B	R O U T	I N E 


sub_904938	proc near		; DATA XREF: .text:006A4A8Co
		xor	eax, eax
		inc	eax
		retn
sub_904938	endp


;  S U B	R O U T	I N E 


sub_90493C	proc near		; DATA XREF: .text:006A4A90o
		mov	esp, [ebp-18h]
		push	5
		pop	ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1Ch]
sub_90493C	endp

; START	OF FUNCTION CHUNK FOR BiGetKeyName

loc_90494C:				; CODE XREF: BiGetKeyName+A1960j
		cmp	ebx, 5
		jnb	loc_8630AC
		inc	ebx
		jmp	loc_862FEA
; END OF FUNCTION CHUNK	FOR BiGetKeyName
; 
; START	OF FUNCTION CHUNK FOR BiConvertRegistryDataToElement

loc_90495B:				; CODE XREF: BiConvertRegistryDataToElement+F2j
		sub	eax, 1
		jz	loc_9049F6
		sub	eax, 1
		jz	short loc_9049E4
		sub	eax, 1
		jz	short loc_9049BF
		mov	ebx, [ebp+arg_0]
		sub	eax, 1
		jz	short loc_9049AD
		test	ebx, ebx
		jz	short loc_904989
		cmp	ebx, [edi]
		ja	loc_86312B

loc_904982:				; CODE XREF: BiConvertRegistryDataToElement+A18FAj
		push	ebx
		push	edx
		push	[ebp+arg_C]
		jmp	short loc_9049A0
; 

loc_904989:				; CODE XREF: BiConvertRegistryDataToElement+43j
					; BiConvertRegistryDataToElement+4Bj ...
		mov	esi, 0C0000024h
		jmp	loc_863200
; 

loc_904993:				; CODE XREF: BiConvertRegistryDataToElement+A1936j
		mov	eax, [ebp+arg_C]
		push	[ebp+arg_0]	; size_t
		push	edx		; void *
		mov	[eax], ecx
		mov	[eax+4], ecx
		push	eax		; void *

loc_9049A0:				; CODE XREF: BiConvertRegistryDataToElement+A18C9j
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_8631FA
; 

loc_9049AD:				; CODE XREF: BiConvertRegistryDataToElement+A18B6j
		test	ebx, ebx
		jz	short loc_904989
		test	bl, 7
		jnz	short loc_904989
		cmp	[edi], ebx
		jnb	short loc_904982
		jmp	loc_86312B
; 

loc_9049BF:				; CODE XREF: BiConvertRegistryDataToElement+A18AEj
		cmp	[ebp+arg_0], 1
		jnz	short loc_904989
		push	2
		pop	ebx
		cmp	[edi], ebx
		jb	loc_86312B
		mov	ecx, [ebp+arg_C]
		xor	eax, eax
		mov	[ecx+1], al
		cmp	[edx], al
		setnz	al
		mov	[ecx], al
		jmp	loc_8631FA
; 

loc_9049E4:				; CODE XREF: BiConvertRegistryDataToElement+A18A9j
		push	8
		pop	ebx
		cmp	[ebp+arg_0], ebx
		ja	short loc_904989
		cmp	[edi], ebx
		jb	loc_86312B
		jmp	short loc_904993
; 

loc_9049F6:				; CODE XREF: BiConvertRegistryDataToElement+A18A0j
		cmp	[ebp+arg_0], 2
		mov	esi, ecx
		mov	eax, [ebp+arg_C]
		mov	[ebp+arg_8], ecx
		mov	[ebp+arg_C], eax
		jb	short loc_904989
		test	byte ptr [ebp+arg_0], 1
		jnz	loc_904989
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		shr	eax, 1
		mov	[edx+eax*2-2], cx
		xor	eax, eax
		cmp	[edx], ax
		jz	loc_904AAA

loc_904A28:				; CODE XREF: BiConvertRegistryDataToElement+A19E2j
		mov	eax, [ebp+arg_8]
		cmp	eax, [ebp+arg_0]
		jnb	short loc_904AA2
		add	ebx, 10h
		mov	ecx, ebx
		mov	[ebp+arg_4], ecx
		cmp	ebx, [edi]
		ja	short loc_904A65
		push	edx
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+arg_C]
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_863254
		add	[ebp+arg_C], 10h
		mov	ecx, ebx
		mov	edx, [ebp+var_10]

loc_904A65:				; CODE XREF: BiConvertRegistryDataToElement+A197Cj
		mov	edi, edx
		lea	eax, [edi+2]
		mov	[ebp+var_10], eax

loc_904A6D:				; CODE XREF: BiConvertRegistryDataToElement+A19B9j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, word ptr [ebp+var_14]
		jnz	short loc_904A6D
		mov	eax, edi
		mov	[ebp+arg_4], edi
		sub	eax, [ebp+var_10]
		mov	edi, [ebp+arg_8]
		sar	eax, 1
		lea	edx, [edx+eax*2]
		lea	edi, [edi+eax*2]
		add	edx, 2
		add	edi, 2
		mov	[ebp+var_10], edx
		xor	eax, eax
		mov	[ebp+arg_8], edi
		mov	edi, [ebp+arg_10]
		cmp	[edx], ax
		jnz	short loc_904A28

loc_904AA2:				; CODE XREF: BiConvertRegistryDataToElement+A1970j
		test	esi, esi
		js	loc_863254

loc_904AAA:				; CODE XREF: BiConvertRegistryDataToElement+A1964j
		cmp	ecx, [edi]
		jbe	loc_86324B
		mov	esi, 0C0000023h
		jmp	loc_86324F
; 

loc_904ABC:				; CODE XREF: BiConvertRegistryDataToElement+5Fj
		lea	ebx, [eax+2]
		mov	byte ptr [ebp+arg_8+3],	1
		mov	ecx, ebx
		jmp	loc_863123
; 

loc_904ACA:				; CODE XREF: BiConvertRegistryDataToElement+15Fj
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	[eax+esi], cx
		jmp	loc_8631FA
; 

loc_904AD8:				; CODE XREF: BiConvertRegistryDataToElement+9Bj
		lea	edx, [ebp+var_8]
		call	_BiConvertBootEnvironmentDeviceToQualifiedPartition@12 ; BiConvertBootEnvironmentDeviceToQualifiedPartition(x,x,x)
		jmp	loc_863178
; 

loc_904AE5:				; CODE XREF: BiConvertRegistryDataToElement+A5j
		lea	edx, [ebp+var_8]
		call	_BiConvertBootEnvironmentDeviceToUnknown@12 ; BiConvertBootEnvironmentDeviceToUnknown(x,x,x)
		jmp	loc_863178
; 

loc_904AF2:				; CODE XREF: BiConvertRegistryDataToElement+CAj
		mov	ecx, [ebp+var_18]
		mov	edx, esi
		call	_BiResolveLocateDevice@8 ; BiResolveLocateDevice(x,x)
		test	eax, eax
		js	loc_86318E
		mov	eax, [esi+18h]
		mov	ebx, [ebp+var_C]
		sub	ebx, eax
		add	eax, esi
		push	ebx		; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memmove
		add	esp, 0Ch
		jmp	loc_863191
; 

loc_904B1E:				; CODE XREF: BiConvertRegistryDataToElement+BEj
		mov	ebx, [ebp+var_C]
		jmp	loc_863254
; END OF FUNCTION CHUNK	FOR BiConvertRegistryDataToElement
; 
; START	OF FUNCTION CHUNK FOR BiIsObjectAliased

loc_904B26:				; CODE XREF: BiIsObjectAliased+33j
		mov	dword ptr [esi], 2
		mov	bl, 1
		jmp	loc_863297
; END OF FUNCTION CHUNK	FOR BiIsObjectAliased
; 
; START	OF FUNCTION CHUNK FOR BiConvertNtDeviceToBootEnvironment

loc_904B33:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+32j
					; DATA XREF: PAGE:off_863344o
		cmp	esi, 22h	; case 0x7
		jb	loc_86332C
		mov	eax, [edi+18h]
		cmp	esi, eax
		jbe	loc_86332C
		mov	[esp+20h+var_C], edx
		push	1Eh
		pop	ecx
		mov	[esp+20h+var_10], ecx
		test	eax, eax
		jz	loc_904C07
		lea	edx, [eax+edi]
		sub	esi, eax
		cmp	dword ptr [edx], 3
		mov	[esp+20h+var_10], edx
		jnz	loc_86332C
		cmp	esi, 2Eh
		jb	loc_86332C
		mov	ecx, [edx+14h]
		mov	eax, esi
		sub	eax, ecx
		mov	[esp+20h+var_C], ecx
		mov	ecx, [ecx+edx]
		cmp	ecx, 2
		jnz	short loc_904BB3
		cmp	eax, 16h
		jb	loc_86332C
		mov	ecx, [esp+20h+var_C]
		add	ecx, 14h
		add	ecx, edx
		call	_BiGetPartitionVhdFilePath@4 ; BiGetPartitionVhdFilePath(x)
		test	eax, eax
		jz	short loc_904BD4
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_863333
; 

loc_904BB3:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A18E2j
		cmp	ecx, 6
		jz	short loc_904BD4
		cmp	ecx, 8
		jnz	short loc_904BC2
		cmp	eax, 22h
		jnb	short loc_904BD4

loc_904BC2:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A1917j
		cmp	ecx, 1
		jnz	loc_86332C
		cmp	eax, 14h
		jb	loc_86332C

loc_904BD4:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A18FDj
					; BiConvertNtDeviceToBootEnvironment+A1912j ...
		mov	ecx, [esp+20h+var_10]
		lea	eax, [esp+20h+var_14]
		push	eax
		xor	eax, eax
		mov	edx, esi
		push	eax
		call	BiConvertNtDeviceToBootEnvironment
		mov	esi, eax
		test	esi, esi
		js	loc_863311
		mov	eax, [esp+20h+var_14]
		mov	[esp+20h+var_C], 28h
		mov	ecx, [eax+8]
		add	ecx, 46h
		mov	[esp+20h+var_10], ecx

loc_904C07:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A18B0j
		cmp	dword ptr [edi+14h], 1
		lea	esi, [edi+20h]
		jnz	short loc_904C2D
		mov	edx, esi
		lea	ebx, [edx+2]

loc_904C15:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A197Cj
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [esp+20h+var_8]
		jnz	short loc_904C15
		sub	edx, ebx
		sar	edx, 1
		lea	ecx, [ecx+edx*2]
		mov	[esp+20h+var_10], ecx

loc_904C2D:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A196Aj
		push	4B444342h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_904C7F
		push	[esp+20h+var_10] ; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [esp+2Ch+var_10]
		add	esp, 0Ch
		mov	dword ptr [ebx], 8
		mov	[ebx+8], eax
		xor	eax, eax
		cmp	[edi+14h], eax
		jnz	short loc_904C89
		mov	[ebx+10h], eax
		mov	eax, [edi+1Ch]
		xor	edi, edi
		push	1Eh
		mov	[ebx+14h], eax
		pop	esi
		jmp	short loc_904CD0
; 

loc_904C74:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A1AFBj
					; BiConvertNtDeviceToBootEnvironment+A1BB7j
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_904C7F:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A199Aj
					; BiConvertNtDeviceToBootEnvironment+A1A9Fj ...
		mov	esi, 0C000009Ah
		jmp	loc_863311
; 

loc_904C89:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A19BEj
		mov	ecx, esi
		mov	dword ptr [ebx+10h], 1
		xor	edi, edi
		lea	edx, [ecx+2]

loc_904C97:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A19FCj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_904C97
		sub	ecx, edx
		sar	ecx, 1
		push	esi
		lea	eax, [ecx+1]
		push	eax
		lea	eax, [ebx+1Ch]
		push	eax
		call	_wcscpy_s
		add	esp, 0Ch
		lea	ecx, [esi+2]

loc_904CBA:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A1A1Fj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, di
		jnz	short loc_904CBA
		sub	esi, ecx
		sar	esi, 1
		lea	esi, ds:1Eh[esi*2]

loc_904CD0:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A19CEj
		cmp	[esp+20h+var_14], 0
		jz	short loc_904D1F
		mov	edx, [esp+20h+var_C]
		lea	ecx, [esi+ebx]
		mov	[ecx], edi
		mov	eax, [esp+20h+var_14]
		mov	eax, [eax+8]
		add	eax, edx
		mov	dword ptr [ecx+10h], 6
		mov	[ecx+8], eax
		mov	eax, [esp+20h+var_14]
		push	dword ptr [eax+8] ; size_t
		push	eax		; void *
		lea	eax, [ecx+edx]
		push	eax		; void *
		call	_memcpy
		mov	[ebx+18h], esi
		jmp	short loc_904D1C
; 

loc_904D09:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A1AA5j
		push	esi		; size_t
		xor	edi, edi
		push	edi		; int
		push	ebx		; void *
		call	_memset
		mov	dword ptr [ebx], 5
		mov	[ebx+8], esi

loc_904D1C:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A1A63j
		add	esp, 0Ch

loc_904D1F:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A1A31j
		mov	esi, edi
		jmp	loc_863311
; 

loc_904D26:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+32j
					; DATA XREF: PAGE:off_863344o
		cmp	esi, 14h	; case 0x0
		jb	loc_86332C
		push	4B444342h
		push	48h
		pop	esi
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_904C7F
		jmp	short loc_904D09
; 

loc_904D4B:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+32j
					; DATA XREF: PAGE:off_863344o
		cmp	esi, 2Eh	; case 0x2
		jb	loc_86332C
		mov	ecx, [edi+14h]
		test	ecx, ecx
		jz	loc_86332C
		lea	eax, [esp+20h+var_10]
		mov	[esp+20h+var_10], edx
		push	eax		; int
		push	[ebp+arg_0]	; int
		sub	esi, ecx
		lea	eax, [edi+18h]
		push	eax		; void *
		add	ecx, edi
		mov	edx, esi
		call	_BiConvertNtFilePathToBootEnvironment@20 ; BiConvertNtFilePathToBootEnvironment(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_863311
		mov	esi, [esp+20h+var_10]
		push	4B444342h
		mov	edi, [esi+4]
		add	edi, 14h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_904C74
		push	edi		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebx], eax
		lea	eax, [ebx+14h]
		mov	[ebx+8], edi
		mov	dword ptr [ebx+10h], 5
		jmp	short loc_904DEA
; 

loc_904DC5:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A1BBDj
		push	edi		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebx], eax
		lea	eax, [ebx+28h]
		mov	dword ptr [ebx+4], 1
		mov	[ebx+8], edi
		mov	dword ptr [ebx+10h], 3

loc_904DEA:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A1B1Fj
		push	dword ptr [esi+4] ; size_t
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86330D
; 

loc_904E07:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+32j
					; DATA XREF: PAGE:off_863344o
		cmp	esi, 2Eh	; case 0x3
		jb	loc_86332C
		mov	ecx, [edi+14h]
		test	ecx, ecx
		jz	loc_86332C
		lea	eax, [esp+20h+var_10]
		mov	[esp+20h+var_10], edx
		push	eax		; int
		push	[ebp+arg_0]	; int
		sub	esi, ecx
		lea	eax, [edi+18h]
		push	eax		; void *
		add	ecx, edi
		mov	edx, esi
		call	_BiConvertNtFilePathToBootEnvironment@20 ; BiConvertNtFilePathToBootEnvironment(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_863311
		mov	esi, [esp+20h+var_10]
		push	4B444342h
		mov	edi, [esi+4]
		add	edi, 28h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_904C74
		jmp	loc_904DC5
; 

loc_904E66:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+32j
					; DATA XREF: PAGE:off_863344o
		cmp	esi, 24h	; case 0x6
		jb	loc_86332C
		push	4B444342h
		push	48h
		pop	esi
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_904C7F
		push	esi		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		mov	dword ptr [ebx], 7
		lea	edi, [ebx+10h]
		mov	[ebx+8], esi
		add	esp, 0Ch
		mov	esi, offset _VmbFsInterfaceTypeGuid
		movsd
		movsd
		movsd
		movsd
		mov	esi, [esp+20h+var_4]
		lea	edi, [ebx+20h]
		lea	esi, [esi+14h]
		movsd
		movsd
		movsd
		movsd
		jmp	loc_86330D
; 

loc_904EBE:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+32j
					; DATA XREF: PAGE:off_863344o
		add	edi, 14h	; case 0x4
		cmp	esi, 15h
		jb	loc_86332C
		cmp	esi, 20h
		jb	loc_86332C
		mov	eax, [edi+8]
		cmp	eax, 100000h
		ja	loc_86332C
		push	4B444342h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_904C7F
		push	dword ptr [edi+8] ; size_t
		push	edi		; void *
		push	ebx		; void *
		call	_memcpy
		jmp	short loc_904F33
; 

loc_904F04:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A1CCFj
		push	edi		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebx], 9
		xor	eax, eax
		mov	[ebx+4], eax
		lea	eax, [esi+1]
		mov	[ebx+8], edi
		push	[esp+2Ch+var_10]
		mov	[ebx+10h], eax
		push	eax
		lea	eax, [ebx+14h]
		push	eax
		call	_strcpy_s

loc_904F33:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A1C5Ej
		add	esp, 0Ch
		jmp	loc_86330D
; 

loc_904F3B:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+32j
					; DATA XREF: PAGE:off_863344o
		cmp	esi, 15h	; case 0x8
		jb	loc_86332C
		lea	eax, [edi+14h]
		mov	esi, eax
		mov	[esp+20h+var_4], eax
		lea	ecx, [esi+1]

loc_904F50:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+A1CB1j
		mov	al, [esi]
		inc	esi
		test	al, al
		jnz	short loc_904F50
		sub	esi, ecx
		push	4B444342h
		lea	edi, [esi+15h]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_904C7F
		jmp	short loc_904F04
; 

loc_904F75:				; CODE XREF: BiConvertNtDeviceToBootEnvironment+72j
		push	4B444342h
		push	[esp+24h+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86331C
; END OF FUNCTION CHUNK	FOR BiConvertNtDeviceToBootEnvironment
; 
; START	OF FUNCTION CHUNK FOR BiCreatePartitionDevice

loc_904F88:				; CODE XREF: BiCreatePartitionDevice+9Fj
		lea	edx, [ebp+var_70]
		mov	ecx, ebx
		call	_BiGetPhysicalDriveName@8 ; BiGetPhysicalDriveName(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_904FFD
		mov	ecx, [ebp+var_70]
		lea	edx, [ebp+var_54]
		call	_BiGetDriveLayoutInformation@8 ; BiGetDriveLayoutInformation(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_904FFD
		mov	ebx, [ebp+var_60]
		jmp	loc_86340D
; 

loc_904FB1:				; CODE XREF: BiCreatePartitionDevice+B9j
		push	16h		; size_t
		push	offset ??_C@_1CO@JFDIPJLA@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@NNGAKEGL@ ; "\\Device\\HarddiskVolume"
		push	edi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_905007
		push	5Ch
		pop	ebx
		lea	eax, [edi+2Ch]
		push	ebx		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jz	short loc_905005
		xor	eax, eax
		mov	ecx, edi
		mov	[esi], ax
		call	_BiGetPartitionVhdFilePath@4 ; BiGetPartitionVhdFilePath(x)
		mov	[esi], bx
		test	eax, eax
		jz	short loc_905005
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, 0C00000BBh

loc_904FFD:				; CODE XREF: BiCreatePartitionDevice+A1C2Ej
					; BiCreatePartitionDevice+A1C3Fj
		mov	esi, [ebp+var_54]
		jmp	loc_863571
; 

loc_905005:				; CODE XREF: BiCreatePartitionDevice+A1C70j
					; BiCreatePartitionDevice+A1C83j
		xor	esi, esi

loc_905007:				; CODE XREF: BiCreatePartitionDevice+A1C5Bj
		lea	eax, [ebp+var_74]
		mov	ecx, edi	; wchar_t *
		push	eax		; int
		lea	edx, [ebp+var_6C] ; int
		call	_BiCreateFileDeviceElement@12 ;	BiCreateFileDeviceElement(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9050BB
		mov	edx, [ebp+var_74]
		lea	eax, [ebp+var_5C]
		mov	ecx, [ebp+var_6C]
		push	eax
		push	esi
		call	BiConvertNtDeviceToBootEnvironment
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9050BB
		mov	eax, [ebp+var_5C]
		mov	[ebp+var_30], 6
		mov	eax, [eax+8]
		mov	[ebp+var_68], eax
		jmp	loc_863427
; 

loc_90504E:				; CODE XREF: BiCreatePartitionDevice+C6j
		cmp	eax, 1
		jnz	short loc_9050B6
		and	[ebp+var_2C], 0
		lea	edi, [ebp+var_28]
		add	esi, 8
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_54]
		jmp	loc_863441
; 

loc_905069:				; CODE XREF: BiCreatePartitionDevice+168j
		cmp	[ebp+var_138], 1
		jnz	short loc_9050B3
		lea	esi, [ebp+var_108]
		lea	edi, [ebp+var_40]
		movsd
		movsd
		movsd
		movsd
		jmp	loc_8634E8
; 

loc_905084:				; CODE XREF: BiCreatePartitionDevice+189j
		mov	eax, esi
		jmp	loc_8634FA
; 

loc_90508B:				; CODE XREF: BiCreatePartitionDevice+1A6j
		mov	ebx, 0C000009Ah

loc_905090:				; CODE XREF: BiCreatePartitionDevice+140j
					; BiCreatePartitionDevice+15Bj
		mov	edi, [ebp+var_58]
		jmp	short loc_9050BB
; 

loc_905095:				; CODE XREF: BiCreatePartitionDevice+1AFj
		mov	eax, esi
		jmp	loc_863520
; 

loc_90509C:				; CODE XREF: BiCreatePartitionDevice+1E8j
		push	[ebp+var_68]	; size_t
		lea	eax, [esi+38h]
		push	[ebp+var_5C]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_863556
; 

loc_9050B3:				; CODE XREF: BiCreatePartitionDevice+A1D08j
		mov	edi, [ebp+var_58]

loc_9050B6:				; CODE XREF: BiCreatePartitionDevice+A1CE9j
		mov	ebx, 0C000000Dh

loc_9050BB:				; CODE XREF: BiCreatePartitionDevice+A1CB1j
					; BiCreatePartitionDevice+A1CCBj ...
		mov	esi, [ebp+var_54]
		jmp	loc_863566
; 

loc_9050C3:				; CODE XREF: BiCreatePartitionDevice+203j
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_863571
; 

loc_9050D3:				; CODE XREF: BiCreatePartitionDevice+20Dj
		push	4B444342h
		push	[ebp+var_5C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86357B
; 

loc_9050E5:				; CODE XREF: BiCreatePartitionDevice+215j
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_863583
; 

loc_9050F5:				; CODE XREF: BiCreatePartitionDevice+220j
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86358E
; END OF FUNCTION CHUNK	FOR BiCreatePartitionDevice
; 
; START	OF FUNCTION CHUNK FOR BiGetPartitionInformation

loc_905105:				; CODE XREF: BiGetPartitionInformation+6Fj
		test	ebx, ebx
		jnz	loc_905191
		push	20h
		lea	eax, [ebp+var_2C]
		push	eax
		push	edi
		push	edi
		push	74004h
		lea	eax, [ebp+var_38]
		push	eax
		push	edi
		push	edi
		push	edi
		push	esi
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_863641
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_C4], eax
		mov	eax, [ebp+var_28]
		mov	[ebp+var_C0], eax
		mov	eax, [ebp+var_24]
		mov	[ebp+var_BC], eax
		mov	eax, [ebp+var_20]
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+var_18]
		mov	[ebp+var_B4], eax
		mov	al, [ebp+var_11]
		mov	[ebp+var_B0], al
		mov	al, [ebp+var_14]
		mov	[ebp+var_AC], al
		mov	al, [ebp+var_13]
		mov	[ebp+var_AB], al
		mov	al, [ebp+var_12]
		mov	[ebp+var_AA], al
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_CC], edi
		mov	[ebp+var_A8], eax

loc_905191:				; CODE XREF: BiGetPartitionInformation+A1B49j
		test	edx, edx
		js	loc_863641
		jmp	loc_863633
; END OF FUNCTION CHUNK	FOR BiGetPartitionInformation
; 
; START	OF FUNCTION CHUNK FOR BiGetPartitionVhdFilePathFromUnicodeString

loc_90519E:				; CODE XREF: BiGetPartitionVhdFilePathFromUnicodeString+9Cj
		cmp	ebx, 1
		jnz	loc_863722
		mov	edi, [esi]
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	2
		pop	ebx
		jmp	loc_8636D6
; 

loc_9051BC:				; CODE XREF: BiGetPartitionVhdFilePathFromUnicodeString+A4j
		lea	edx, [ebp+var_C]
		mov	ecx, esi	; wchar_t *
		call	_BiTranslateSymbolicLinkFile@8 ; BiTranslateSymbolicLinkFile(x,x)
		test	eax, eax
		js	loc_863733
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_C]
		jmp	loc_863733
; END OF FUNCTION CHUNK	FOR BiGetPartitionVhdFilePathFromUnicodeString
; 
; START	OF FUNCTION CHUNK FOR BiIssueGetDriveLayoutIoctl

loc_9051E1:				; CODE XREF: BiIssueGetDriveLayoutIoctl+58j
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_8]
		push	4B444342h
		add	esi, 2400h
		push	esi
		push	1
		mov	[ebp+var_8], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_86380A

loc_90520F:				; CODE XREF: BiIssueGetDriveLayoutIoctl+A1AEAj
		mov	esi, 0C000009Ah
		jmp	loc_86383F
; 

loc_905219:				; CODE XREF: BiIssueGetDriveLayoutIoctl+60j
		mov	esi, 808h
		jmp	short loc_905251
; 

loc_905220:				; CODE XREF: BiIssueGetDriveLayoutIoctl+A1A91j
		mov	esi, 0C000009Ah

loc_905225:				; CODE XREF: BiIssueGetDriveLayoutIoctl+75j
		test	edi, edi
		jz	loc_86384F
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86384F
; 

loc_90523D:				; CODE XREF: BiIssueGetDriveLayoutIoctl+A1AB5j
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_8]
		add	esi, 800h

loc_905251:				; CODE XREF: BiIssueGetDriveLayoutIoctl+A1A4Aj
		push	4B444342h
		push	esi
		push	1
		mov	[ebp+var_8], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_905220
		push	esi
		push	ebx
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		push	ecx
		push	ecx
		push	7400Ch
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_4]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_90523D
		test	esi, esi
		js	loc_86383F
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		imul	eax, [ebx], 90h
		push	4B444342h
		add	eax, 30h
		push	eax
		push	1
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_4], edi
		test	edi, edi
		jz	loc_90520F
		push	[ebp+var_8]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		and	dword ptr [edi], 0
		lea	edx, [ebx+8]
		mov	eax, [ebx]
		lea	ecx, [edi+30h]
		and	[ebp+var_8], 0
		add	esp, 0Ch
		mov	[edi+4], eax
		mov	eax, [ebx+4]
		mov	[edi+8], eax
		cmp	dword ptr [ebx], 0
		jbe	loc_86383A
		mov	edi, [ebp+var_8]

loc_9052F6:				; CODE XREF: BiIssueGetDriveLayoutIoctl+A1B72j
		and	dword ptr [ecx], 0
		inc	edi
		mov	eax, [edx]
		lea	ecx, [ecx+90h]
		mov	[ecx-88h], eax
		lea	edx, [edx+20h]
		mov	eax, [edx-1Ch]
		mov	[ecx-84h], eax
		mov	eax, [edx-18h]
		mov	[ecx-80h], eax
		mov	eax, [edx-14h]
		mov	[ecx-7Ch], eax
		mov	eax, [edx-0Ch]
		mov	[ecx-78h], eax
		mov	al, [edx-5]
		mov	[ecx-74h], al
		mov	al, [edx-8]
		mov	[ecx-70h], al
		mov	al, [edx-7]
		mov	[ecx-6Fh], al
		mov	al, [edx-6]
		mov	[ecx-6Eh], al
		mov	eax, [edx-10h]
		mov	[ecx-6Ch], eax
		cmp	edi, [ebx]
		jb	short loc_9052F6
		mov	edi, [ebp+var_4]
		jmp	loc_86383A
; 

loc_905350:				; CODE XREF: BiIssueGetDriveLayoutIoctl+6Dj
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_863847
; END OF FUNCTION CHUNK	FOR BiIssueGetDriveLayoutIoctl
; 
; START	OF FUNCTION CHUNK FOR BiIsVolumePartitionInformationRetained

loc_905360:				; CODE XREF: BiIsVolumePartitionInformationRetained+DAj
		push	118h		; size_t
		lea	eax, [ebp+var_144]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_148], 11Ch
		lea	eax, [ebp+var_148]
		push	eax
		call	RtlGetVersion
		test	eax, eax
		js	short loc_9053F9
		cmp	[ebp+var_144], 5
		jnz	short loc_9053F9
		cmp	[ebp+var_140], esi
		jnz	short loc_9053F9
		push	20h
		lea	eax, [ebp+var_28]
		mov	[ebp+var_154], esi
		push	eax
		push	esi
		push	esi
		push	74004h
		lea	eax, [ebp+var_154]
		mov	[ebp+var_150], esi
		push	eax
		push	esi
		push	esi
		push	esi
		push	[ebp+var_14C]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_86393E
		cmp	[ebp+var_18], 1Dh
		jnz	short loc_9053F2
		cmp	[ebp+var_28], 3A00h
		jnz	short loc_9053F2
		cmp	[ebp+var_24], esi
		jnz	short loc_9053F2
		cmp	[ebp+var_14], 1
		jz	short loc_9053F9

loc_9053F2:				; CODE XREF: BiIsVolumePartitionInformationRetained+A1B7Ej
					; BiIsVolumePartitionInformationRetained+A1B87j ...
		mov	ebx, esi
		jmp	loc_86393E
; 

loc_9053F9:				; CODE XREF: BiIsVolumePartitionInformationRetained+A1B2Fj
					; BiIsVolumePartitionInformationRetained+A1B38j ...
		mov	ebx, 0C00000BBh
		jmp	loc_86393E
; END OF FUNCTION CHUNK	FOR BiIsVolumePartitionInformationRetained
; 
; START	OF FUNCTION CHUNK FOR BiVerifyBootPartition

loc_905403:				; CODE XREF: BiVerifyBootPartition+22j
		lea	esi, [ecx+10h]
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], esi
		jmp	loc_8639A2
; 

loc_905411:				; CODE XREF: BiVerifyBootPartition+2Bj
		cmp	eax, 8
		jnz	loc_905559
		mov	eax, [ecx+18h]
		test	eax, eax
		jz	loc_905559
		add	eax, 10h
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		lea	edx, [eax+ecx]
		jmp	loc_8639A8
; 

loc_905436:				; CODE XREF: BiVerifyBootPartition+47j
		cmp	edx, 6
		jnz	loc_905559
		lea	edx, [eax+18h]
		lea	esi, [edx+ecx]
		mov	[ebp+var_18], edx
		mov	ecx, [ecx+8]
		lea	eax, [edx+24h]
		cmp	ecx, eax
		jb	loc_905559
		mov	eax, [esi+8]
		add	eax, edx
		cmp	ecx, eax
		jb	loc_905559
		xor	ecx, ecx
		cmp	[esi], ecx
		jnz	loc_905559
		cmp	dword ptr [esi+10h], 5
		jnz	loc_905559
		lea	eax, [ebp+var_14]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		mov	ecx, esi
		call	BiConvertBootEnvironmentDeviceToNt
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	loc_8639F4
		cmp	[ebp+var_14], 2Eh
		jb	short loc_905509
		cmp	dword ptr [edi], 3
		jnz	short loc_905509
		mov	eax, [edi+14h]
		add	eax, edi
		cmp	dword ptr [eax], 2
		jnz	short loc_905509
		add	eax, 14h
		xor	ebx, ebx
		mov	ecx, eax
		mov	[ebp+var_1C], eax
		lea	edx, [ecx+2]

loc_9054B8:				; CODE XREF: BiVerifyBootPartition+A1B59j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_9054B8
		sub	ecx, edx
		sar	ecx, 1
		add	edi, 18h
		lea	esi, [ecx+ecx]
		lea	ecx, [edi+2]

loc_9054D0:				; CODE XREF: BiVerifyBootPartition+A1B71j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, bx
		jnz	short loc_9054D0
		sub	edi, ecx
		sar	edi, 1
		push	4B444342h
		lea	edi, ds:2[edi*2]
		lea	eax, [edi+esi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_905513
		mov	edi, [ebp+var_4]
		mov	esi, 0C0000017h
		jmp	loc_8639F4
; 

loc_905509:				; CODE XREF: BiVerifyBootPartition+A1B32j
					; BiVerifyBootPartition+A1B37j	...
		mov	esi, 0C000000Dh
		jmp	loc_8639F4
; 

loc_905513:				; CODE XREF: BiVerifyBootPartition+A1B92j
		push	esi		; size_t
		push	[ebp+var_1C]	; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	eax, 18h
		push	edi		; size_t
		push	eax		; void *
		lea	eax, [ebx+esi]
		push	eax		; void *
		call	_memcpy
		mov	edi, [ebp+var_4]
		add	esp, 18h
		jmp	loc_8639B5
; 

loc_905539:				; CODE XREF: BiVerifyBootPartition+8Ej
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8639FC
; 

loc_905549:				; CODE XREF: BiVerifyBootPartition+96j
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_863A04
; 

loc_905559:				; CODE XREF: BiVerifyBootPartition+A1AACj
					; BiVerifyBootPartition+A1AB7j	...
		mov	esi, 0C000000Dh
		jmp	loc_863A04
; END OF FUNCTION CHUNK	FOR BiVerifyBootPartition
; 
; START	OF FUNCTION CHUNK FOR BiOpenKeyNonBcd

loc_905563:				; CODE XREF: BiOpenKeyNonBcd+6Ej
		cmp	[ebp+var_1C], 0
		jz	loc_863A82
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_863A82
; 

loc_90557A:				; CODE XREF: BiOpenKeyNonBcd+7Bj
		mov	[ebp+ms_exc.disabled], esi
		int	3		; Trap to Debugger
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_90559A
; END OF FUNCTION CHUNK	FOR BiOpenKeyNonBcd

;  S U B	R O U T	I N E 


sub_905587	proc near		; DATA XREF: .text:006A4AACo
		xor	eax, eax
		inc	eax
		retn
sub_905587	endp


;  S U B	R O U T	I N E 


sub_90558B	proc near		; DATA XREF: .text:006A4AB0o
		mov	esp, [ebp-18h]
		push	5
		pop	edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
sub_90558B	endp

; START	OF FUNCTION CHUNK FOR BiOpenKeyNonBcd

loc_90559A:				; CODE XREF: BiOpenKeyNonBcd+A1B77j
		cmp	edi, 5
		jnb	loc_863A8F
		inc	edi
		jmp	loc_863A2A
; END OF FUNCTION CHUNK	FOR BiOpenKeyNonBcd
; 
; START	OF FUNCTION CHUNK FOR BiGetSystemPartition

loc_9055A9:				; CODE XREF: BiGetSystemPartition+24j
		test	esi, esi
		js	loc_863BC7
		mov	esi, 0C0000001h
		jmp	loc_863BC7
; 

loc_9055BB:				; CODE XREF: BiGetSystemPartition+51j
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_863BC7
; END OF FUNCTION CHUNK	FOR BiGetSystemPartition
; 
; START	OF FUNCTION CHUNK FOR SyspartGetFirmwarePartition

loc_9055CB:				; CODE XREF: SyspartGetFirmwarePartition+25j
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, offset SiGetFirmwareSystemPartition
		push	esi
		call	SiGetSystemDeviceName
		jmp	loc_863C01
; END OF FUNCTION CHUNK	FOR SyspartGetFirmwarePartition
; 
; START	OF FUNCTION CHUNK FOR SiQuerySystemInformationString

loc_9055E0:				; CODE XREF: SiQuerySystemInformationString+28j
		test	esi, esi
		js	loc_863C7C
		mov	esi, 0C0000001h
		jmp	loc_863C7C
; END OF FUNCTION CHUNK	FOR SiQuerySystemInformationString
; 
; START	OF FUNCTION CHUNK FOR PopBcdSetupResumeObject

loc_9055F2:				; CODE XREF: PopBcdSetupResumeObject+34j
		mov	esi, 0C000009Ah
		jmp	loc_863D71
; END OF FUNCTION CHUNK	FOR PopBcdSetupResumeObject
; 
; START	OF FUNCTION CHUNK FOR PoInitializeBroadcast

loc_9055FC:				; CODE XREF: PoInitializeBroadcast+25j
		mov	ebx, 0C000009Ah
		jmp	loc_85E5B3
; END OF FUNCTION CHUNK	FOR PoInitializeBroadcast
; 
; START	OF FUNCTION CHUNK FOR MiDereferenceSessionFinal

loc_905606:				; CODE XREF: MiDereferenceSessionFinal+155j
		mov	edx, 73536D4Dh
		call	ObfDereferenceObjectWithTag
		jmp	loc_85E715
; END OF FUNCTION CHUNK	FOR MiDereferenceSessionFinal
; 
; START	OF FUNCTION CHUNK FOR IoDisconnectInterruptEx

loc_905615:				; CODE XREF: IoDisconnectInterruptEx+25j
		sub	eax, 1
		jz	short loc_90562B
		push	0
		push	0
		push	edx
		push	9
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_90562B:				; CODE XREF: IoDisconnectInterruptEx+1Cj
					; IoDisconnectInterruptEx+A6D90j
		mov	esi, [ecx+4]
		xor	edi, edi
		cmp	[esi+4], edi
		jbe	loc_85E8EC
		lea	ebx, [esi+14h]

loc_90563C:				; CODE XREF: IoDisconnectInterruptEx+A6DC2j
		push	dword ptr [ebx]
		call	IoDisconnectInterrupt
		inc	edi
		lea	ebx, [ebx+28h]
		cmp	edi, [esi+4]
		jb	short loc_90563C
		jmp	loc_85E8EC
; END OF FUNCTION CHUNK	FOR IoDisconnectInterruptEx
; 
; START	OF FUNCTION CHUNK FOR IoDisconnectInterrupt

loc_905651:				; CODE XREF: IoDisconnectInterrupt+A5j
		mov	ecx, [edi+14h]
		call	_IopFindPassiveInterruptBlock@4	; IopFindPassiveInterruptBlock(x)
		test	eax, eax
		jz	loc_85E9A7
		lock dec dword ptr [eax+70h]
		mov	ecx, eax
		call	_IopDereferencePassiveInterruptBlock@4 ; IopDereferencePassiveInterruptBlock(x)
		jmp	loc_85E9A7
; 

loc_905671:				; CODE XREF: IoDisconnectInterrupt+C0j
		mov	eax, large fs:124h
		xor	cl, cl
		test	bl, bl
		jle	short loc_90569E
		movzx	edx, bl
		mov	edi, eax

loc_905682:				; CODE XREF: IoDisconnectInterrupt+A6D95j
		mov	eax, [esi]
		cmp	[eax+5Ch], edi
		jnz	short loc_90568B
		mov	cl, 1

loc_90568B:				; CODE XREF: IoDisconnectInterrupt+A6D8Bj
		add	esi, 4
		sub	edx, 1
		jnz	short loc_905682
		mov	edi, [ebp+var_4]
		test	cl, cl
		jnz	loc_85E9C2

loc_90569E:				; CODE XREF: IoDisconnectInterrupt+A6D7Fj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [edi+134h]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_85E9C2
; 

loc_9056B5:				; CODE XREF: IoDisconnectInterrupt+FAj
					; IoDisconnectInterrupt+10Aj
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_9056F6
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		xor	ebx, ebx
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_9056F8
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		jmp	short loc_9056F8
; 

loc_9056F6:				; CODE XREF: IoDisconnectInterrupt+A6DC9j
		xor	ebx, ebx

loc_9056F8:				; CODE XREF: IoDisconnectInterrupt+A6DDFj
					; IoDisconnectInterrupt+A6DF8j
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_905796
		mov	edx, 1F4h
		lea	edi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[edi], bx
		jz	short loc_905730
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock

loc_905730:				; CODE XREF: IoDisconnectInterrupt+A6E1Dj
		mov	edx, [esi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_905764
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [esi+0B0h]

loc_905764:				; CODE XREF: IoDisconnectInterrupt+A6E43j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_905796
		lea	ecx, [eax+1Ch]
		cmp	[ecx], bx
		jz	short loc_905796
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_905796:				; CODE XREF: IoDisconnectInterrupt+A6E07j
					; IoDisconnectInterrupt+A6E70j	...
		push	ebx
		push	ebx
		push	esi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_9057A6:				; CODE XREF: WmipCopyFromEventQueues+22j
		mov	eax, [edx+3Ch]
		test	eax, eax
		jz	loc_85EB45
		cmp	dword ptr [edx+48h], 0
		jz	loc_85EB45
		mov	[esi], eax
		xor	ecx, ecx
		mov	[eax+0Ah], cx
		mov	ecx, [esi]
		movzx	eax, word ptr [edx+4Ch]
		shl	eax, 10h
		or	[ecx+8], eax
		and	dword ptr [edx+4Ch], 0
		jmp	loc_85EB48
; END OF FUNCTION CHUNK	FOR IoDisconnectInterrupt
; 
; START	OF FUNCTION CHUNK FOR WmipQueueNotification

loc_9057D8:				; CODE XREF: WmipQueueNotification+36j
		cmp	eax, ecx
		sbb	eax, eax
		not	eax
		and	edi, eax
		mov	eax, [ebp+var_4]
		jmp	loc_85ECBC
; 

loc_9057E8:				; CODE XREF: WmipQueueNotification+4Cj
		lea	eax, [ecx+3FFFh]
		and	eax, 0FFFFC000h
		mov	[ebp+var_4], eax
		jmp	loc_85ECD2
; 

loc_9057FB:				; CODE XREF: WmipQueueNotification+76j
		push	dword ptr [esi+0Ch] ; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		mov	ecx, [esi]
		add	esp, 0Ch
		mov	edx, [ebp+var_8]
		mov	eax, edi
		sub	eax, ecx
		add	edx, eax
		push	ebx
		push	ecx
		mov	[ebp+var_8], edx
		mov	[esi+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_85ECFC
; END OF FUNCTION CHUNK	FOR WmipQueueNotification
; 
; START	OF FUNCTION CHUNK FOR PopGetWakeSource

loc_905825:				; CODE XREF: PopGetWakeSource+24j
		mov	eax, 0C000000Dh
		jmp	loc_85EE15
; 

loc_90582F:				; CODE XREF: PopGetWakeSource+81j
		mov	esi, [ebp+var_4]
		mov	edi, [ebp+var_1C]
		mov	ebx, [ebp+var_18]

loc_905838:				; CODE XREF: PopGetWakeSource+A6AEBj
		mov	ecx, edi
		call	_PopWakeSourceSize@4 ; PopWakeSourceSize(x)
		mov	edi, [edi]
		add	esi, 7
		and	esi, 0FFFFFFF8h
		add	esi, eax
		cmp	edi, ebx
		jnz	short loc_905838
		mov	edi, [ebp+var_20]
		mov	ebx, [ebp+var_14]
		mov	[ebp+var_4], esi
		xor	esi, esi
		mov	ecx, [ebp+var_4]
		jmp	loc_85EDE7
; 

loc_905860:				; CODE XREF: PopGetWakeSource+10Dj
		mov	edi, [ebp+var_24]
		mov	esi, [ebp+var_18]

loc_905866:				; CODE XREF: PopGetWakeSource+A6B2Bj
		mov	ecx, [ebp+var_1C]
		add	ebx, 7
		and	ebx, 0FFFFFFF8h
		mov	eax, ebx
		sub	eax, esi
		mov	[ecx], eax
		add	ecx, 4
		mov	[ebp+var_1C], ecx
		mov	ecx, ebx
		push	edi
		call	_PopCopyWakeSource@12 ;	PopCopyWakeSource(x,x,x)
		add	ebx, [ebx+4]
		mov	edi, [edi]
		cmp	edi, [ebp+var_28]
		jnz	short loc_905866
		mov	edi, [ebp+var_20]
		mov	edx, [ebp+var_C]
		mov	esi, [ebp+var_10]
		jmp	loc_85EE73
; END OF FUNCTION CHUNK	FOR PopGetWakeSource
; 
; START	OF FUNCTION CHUNK FOR PopFinalizeWakeInfo

loc_90589B:				; CODE XREF: PopFinalizeWakeInfo+1Bj
		cmp	dword ptr [esi+8], 0
		jnz	short loc_9058A8
		mov	ecx, esi
		call	_PopFinalizeDeviceWakeSource@4 ; PopFinalizeDeviceWakeSource(x)

loc_9058A8:				; CODE XREF: PopFinalizeWakeInfo+A6A19j
		mov	esi, [esi]
		jmp	loc_85EE9F
; END OF FUNCTION CHUNK	FOR PopFinalizeWakeInfo
; 
; START	OF FUNCTION CHUNK FOR DbgkClearProcessDebugObject

loc_9058AF:				; CODE XREF: DbgkClearProcessDebugObject+28j
		cmp	esi, edi
		jz	short loc_9058BB
		test	edi, edi
		jnz	loc_85EED8

loc_9058BB:				; CODE XREF: DbgkClearProcessDebugObject+A6A07j
		xor	edi, edi
		mov	[ebx+190h], edi
		jmp	loc_85EEDF
; 

loc_9058C8:				; CODE XREF: DbgkClearProcessDebugObject+45j
		lea	eax, [esp+20h+var_8]
		lea	ecx, [esi+10h]
		mov	[esp+20h+var_4], eax
		mov	[esp+20h+var_8], eax
		call	ExAcquireFastMutex
		lea	ecx, [esi+30h]
		mov	edx, [ecx]
		jmp	short loc_90592F
; 

loc_9058E3:				; CODE XREF: DbgkClearProcessDebugObject+A6A87j
		mov	eax, edx
		mov	edx, [edx]
		cmp	[eax+20h], ebx
		jnz	short loc_90592F
		cmp	[edx+4], eax
		jnz	loc_905977
		mov	ecx, [eax+4]
		mov	[esp+20h+var_10], ecx
		cmp	[ecx], eax
		jnz	short loc_905977
		mov	[ecx], edx
		lea	ebx, [esp+20h+var_8]
		mov	[edx+4], ecx
		mov	ecx, [esp+20h+var_4]
		mov	[esp+20h+var_10], ecx
		cmp	[ecx], ebx
		mov	ebx, [esp+20h+var_C]
		jnz	short loc_905977
		lea	ecx, [esp+20h+var_8]
		mov	[eax], ecx
		mov	ecx, [esp+20h+var_10]
		mov	[eax+4], ecx
		mov	[ecx], eax
		lea	ecx, [esi+30h]
		mov	[esp+20h+var_4], eax

loc_90592F:				; CODE XREF: DbgkClearProcessDebugObject+A6A37j
					; DbgkClearProcessDebugObject+A6A40j
		cmp	edx, ecx
		jnz	short loc_9058E3
		lea	ecx, [esi+10h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, esi
		call	ObfDereferenceObject

loc_905942:				; CODE XREF: DbgkClearProcessDebugObject+A6ACBj
		mov	ecx, [esp+20h+var_8]
		lea	eax, [esp+20h+var_8]
		cmp	ecx, eax
		jz	loc_85EEF5
		cmp	[ecx+4], eax
		jnz	short loc_905977
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_905977
		mov	[esp+20h+var_8], eax
		lea	edx, [esp+20h+var_8]
		mov	[eax+4], edx
		mov	dword ptr [ecx+28h], 0C0000354h
		call	_DbgkpWakeTarget@4 ; DbgkpWakeTarget(x)
		jmp	short loc_905942
; 

loc_905977:				; CODE XREF: DbgkClearProcessDebugObject+A6A45j
					; DbgkClearProcessDebugObject+A6A54j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
; END OF FUNCTION CHUNK	FOR DbgkClearProcessDebugObject	; AL = character to display
; START	OF FUNCTION CHUNK FOR PopReadHiberbootPolicy

loc_90597C:				; CODE XREF: PopReadHiberbootPolicy+31j
		mov	al, byte ptr [ebp+var_19]
		test	al, al
		jz	loc_85EF3F
		mov	bl, al
		jmp	loc_85EF8C
; END OF FUNCTION CHUNK	FOR PopReadHiberbootPolicy
; 
; START	OF FUNCTION CHUNK FOR PfpQueryScenarioInformation

loc_90598E:				; CODE XREF: PfpQueryScenarioInformation+1Aj
		mov	ebx, 0C0000206h
		jmp	loc_85F12E
; 

loc_905998:				; CODE XREF: PfpQueryScenarioInformation+3Cj
		mov	eax, ecx
		jmp	loc_85F0C0
; END OF FUNCTION CHUNK	FOR PfpQueryScenarioInformation

;  S U B	R O U T	I N E 


sub_90599F	proc near		; DATA XREF: .text:006A4AD8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90599F	endp


;  S U B	R O U T	I N E 


sub_9059AD	proc near		; DATA XREF: .text:006A4ADCo
		mov	ebx, [ebp-28h]
		jmp	short loc_9059C3
; 

loc_9059B2:				; DATA XREF: .text:006A4ACCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9059C0:				; DATA XREF: .text:006A4AD0o
		mov	ebx, [ebp-2Ch]

loc_9059C3:				; CODE XREF: sub_9059AD+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_85F12E
sub_9059AD	endp

; 
; START	OF FUNCTION CHUNK FOR PopEsSnapTelemetry

loc_9059D2:				; CODE XREF: PopEsSnapTelemetry+2Aj
		mov	eax, 0FFDF0320h
		lea	ebx, [eax+8]

loc_9059DA:				; CODE XREF: PopEsSnapTelemetry+A6618j
		pause
		mov	edx, [esi]
		mov	edi, [eax]
		mov	ecx, [ebx]
		cmp	edx, ecx
		jnz	short loc_9059DA
		mov	ecx, [ebp+var_8]
		mov	ebx, [ebp+var_4]
		jmp	loc_85F3FC
; END OF FUNCTION CHUNK	FOR PopEsSnapTelemetry
; 
; START	OF FUNCTION CHUNK FOR SepDeleteLogonSessionTrack

loc_9059F1:				; CODE XREF: SepDeleteLogonSessionTrack+74j
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_905A0D
		test	byte ptr [esi+18h], 8
		jnz	short loc_905A03
		cmp	eax, 1
		jz	short loc_905A0D

loc_905A03:				; CODE XREF: SepDeleteLogonSessionTrack+A6544j
		mov	esi, 0C0000104h
		jmp	loc_905AAC
; 

loc_905A0D:				; CODE XREF: SepDeleteLogonSessionTrack+A653Ej
					; SepDeleteLogonSessionTrack+A6549j
		mov	ecx, [ebp+var_8]
		mov	eax, [esi]
		mov	[ecx], eax
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_905A22
		and	dword ptr [esi+1Ch], 0
		mov	[ebp+var_C], eax

loc_905A22:				; CODE XREF: SepDeleteLogonSessionTrack+A6561j
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, [ebp+var_C]
		test	edi, edi
		jz	short loc_905A4D
		mov	edx, [esi+58h]
		mov	ecx, ebx
		call	SepCleanupLUIDDeviceMapDirectory
		mov	ecx, edi
		call	ObfDereferenceDeviceMap

loc_905A4D:				; CODE XREF: SepDeleteLogonSessionTrack+A6582j
		mov	ecx, [esi+58h]
		test	ecx, ecx
		jz	short loc_905A5E
		mov	edx, 734C6553h
		call	ObfDereferenceObjectWithTag

loc_905A5E:				; CODE XREF: SepDeleteLogonSessionTrack+A659Aj
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_905A6D
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_905A6D:				; CODE XREF: SepDeleteLogonSessionTrack+A65ABj
		mov	ecx, [esi+40h]
		test	ecx, ecx
		jz	short loc_905A7D
		call	_SepDeleteClaimAttributes@4 ; SepDeleteClaimAttributes(x)
		and	dword ptr [esi+40h], 0

loc_905A7D:				; CODE XREF: SepDeleteLogonSessionTrack+A65BAj
		cmp	_SepTokenSidSharingEnabled, 0
		jz	short loc_905A8D
		mov	ecx, esi
		call	_SepDeleteLogonSessionSidValues@4 ; SepDeleteLogonSessionSidValues(x)

loc_905A8D:				; CODE XREF: SepDeleteLogonSessionTrack+A65CCj
		lea	ecx, [esi+48h]
		call	ObDestroyHandleRevocationBlock
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		call	SepDeleteSessionLowboxEntries
		jmp	loc_85F551
; 

loc_905AA7:				; CODE XREF: SepDeleteLogonSessionTrack+51j
		mov	esi, 0C000005Fh

loc_905AAC:				; CODE XREF: SepDeleteLogonSessionTrack+A6550j
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		jmp	loc_85F553
; END OF FUNCTION CHUNK	FOR SepDeleteLogonSessionTrack
; 
; START	OF FUNCTION CHUNK FOR ObRevokeHandles

loc_905AC6:				; CODE XREF: ObRevokeHandles+21j
		push	1
		mov	ecx, esi
		mov	edx, edi
		mov	esi, [esi]
		push	1
		call	_ObpHandleRevocationBlockRemoveInsertedObject@16 ; ObpHandleRevocationBlockRemoveInsertedObject(x,x,x,x)
		jmp	loc_85F57F
; END OF FUNCTION CHUNK	FOR ObRevokeHandles
; 
; START	OF FUNCTION CHUNK FOR BcdForciblyUnloadStore

loc_905ADA:				; CODE XREF: BcdForciblyUnloadStore+19j
		push	ecx
		push	offset ??_C@_1IM@KDHDNKKJ@?$AAB?$AAc?$AAd?$AAF?$AAo?$AAr?$AAc?$AAi?$AAb?$AAl?$AAy?$AAU?$AAn?$AAl?$AAo@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		mov	eax, ecx
		jmp	loc_85F6B9
; 

loc_905AF1:				; CODE XREF: BcdForciblyUnloadStore+5Aj
		push	esi
		push	(offset	loc_8C6983+1)
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		jmp	loc_85F6B0
; END OF FUNCTION CHUNK	FOR BcdForciblyUnloadStore
; 
; START	OF FUNCTION CHUNK FOR BiUnloadHiveByName

loc_905B06:				; CODE XREF: BiUnloadHiveByName+2Fj
		mov	esi, 0C000009Ah
		jmp	loc_85F7DA
; END OF FUNCTION CHUNK	FOR BiUnloadHiveByName
; 
; START	OF FUNCTION CHUNK FOR BiExportStoreAlterationsToFirmware

loc_905B10:				; CODE XREF: BiExportStoreAlterationsToFirmware+14j
		sub	eax, 1
		jz	short loc_905B28
		sub	eax, 1
		jz	loc_85F806
		mov	eax, 0C00000BBh
		jmp	loc_85F808
; 

loc_905B28:				; CODE XREF: BiExportStoreAlterationsToFirmware+A6327j
		mov	ecx, esi
		call	_BiExportStoreAlterationsToEfi@4 ; BiExportStoreAlterationsToEfi(x)
		jmp	loc_85F808
; END OF FUNCTION CHUNK	FOR BiExportStoreAlterationsToFirmware
; 
; START	OF FUNCTION CHUNK FOR PfpLogEventRequest

loc_905B34:				; CODE XREF: PfpLogEventRequest+13j
					; PfpLogEventRequest+1Cj
		mov	edx, [ebx+4]
		mov	esi, offset unk_6D4480
		push	6
		pop	ecx
		mov	edi, edx
		rep movsd
		mov	eax, [ebx]
		and	al, 1Fh
		cmp	al, 2
		jnz	short loc_905B56
		mov	ecx, [edx+18h]
		shr	ecx, 5
		and	ecx, 7
		jmp	short loc_905B5D
; 

loc_905B56:				; CODE XREF: PfpLogEventRequest+A633Bj
		call	_MmGetDefaultPagePriority@0 ; MmGetDefaultPagePriority()
		mov	ecx, eax

loc_905B5D:				; CODE XREF: PfpLogEventRequest+A6346j
		call	_PfTSetTracingPriority@4 ; PfTSetTracingPriority(x)
		jmp	loc_85F830
; END OF FUNCTION CHUNK	FOR PfpLogEventRequest
; 
; START	OF FUNCTION CHUNK FOR MiDeleteSessionDriverProtos

loc_905B67:				; CODE XREF: MiDeleteSessionDriverProtos+1Cj
		and	dword ptr [esi+0Ch], 0
		mov	ecx, eax
		mov	[eax+20h], esi
		call	MiDeletePerSessionProtos
		jmp	loc_85F9A6
; END OF FUNCTION CHUNK	FOR MiDeleteSessionDriverProtos
; 
; START	OF FUNCTION CHUNK FOR PerfDiagpSaveActiveDCLLogFileName

loc_905B7A:				; CODE XREF: PerfDiagpSaveActiveDCLLogFileName+22j
		push	offset ??_C@_1CE@BPONIBHD@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAD@NNGAKEGL@	; "ActiveShutdownDCL"
		push	offset ??_C@_1DA@EEFDJGGO@?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt?$AAi?$AAc?$AAs?$AA?2?$AAP?$AAe?$AAr@NNGAKEGL@ ; "Diagnostics\\Performance"
		push	2
		call	_RtlDeleteRegistryValue@12 ; RtlDeleteRegistryValue(x,x,x)
		jmp	loc_85FA96
; 

loc_905B90:				; CODE XREF: PerfDiagpSaveActiveDCLLogFileName+97j
					; PerfDiagpSaveActiveDCLLogFileName+A6j
		push	offset ??_C@_1CE@BPONIBHD@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAD@NNGAKEGL@	; "ActiveShutdownDCL"
		push	offset ??_C@_1DA@EEFDJGGO@?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt?$AAi?$AAc?$AAs?$AA?2?$AAP?$AAe?$AAr@NNGAKEGL@ ; "Diagnostics\\Performance"
		push	esi
		call	_RtlDeleteRegistryValue@12 ; RtlDeleteRegistryValue(x,x,x)
		jmp	loc_85FA8E
; END OF FUNCTION CHUNK	FOR PerfDiagpSaveActiveDCLLogFileName
; 
; START	OF FUNCTION CHUNK FOR BiDeleteKey

loc_905BA5:				; CODE XREF: BiDeleteKey+35j
					; BiDeleteKey+A6138j
		mov	edx, [ebx+esi*4]
		lea	eax, [ebp+var_4]
		push	eax
		push	0F003Fh
		mov	ecx, edi
		call	BiOpenKey
		test	eax, eax
		js	short loc_905BD0
		mov	ecx, [ebp+var_4]
		call	BiDeleteKey
		test	eax, eax
		jns	short loc_905BD0
		mov	ecx, [ebp+var_4]
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_905BD0:				; CODE XREF: BiDeleteKey+A611Ej
					; BiDeleteKey+A612Aj
		inc	esi
		cmp	esi, [ebp+var_8]
		jb	short loc_905BA5
		jmp	loc_85FAD7
; 

loc_905BDB:				; CODE XREF: BiDeleteKey+3Dj
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_85FADF
; END OF FUNCTION CHUNK	FOR BiDeleteKey
; 
; START	OF FUNCTION CHUNK FOR MiReleaseSessionDriverCharges

loc_905BEB:				; CODE XREF: MiReleaseSessionDriverCharges+1Fj
		mov	ecx, [esi+2Ch]
		call	_MiReturnCrossPartitionControlAreaCharges@4 ; MiReturnCrossPartitionControlAreaCharges(x)
		jmp	loc_85FBB1
; END OF FUNCTION CHUNK	FOR MiReleaseSessionDriverCharges
; 
; START	OF FUNCTION CHUNK FOR PopFastS4Check

loc_905BF8:				; CODE XREF: PopFastS4Check+7j
		cmp	byte_6C2D1C, 0
		jnz	loc_85FBD5
		cmp	byte_6C2791, 1
		jnz	loc_85FBD5
		cmp	byte_6C2788, 1
		jnz	loc_85FBD5
		cmp	byte_6C2796, 2
		jnz	loc_85FBD5
		mov	al, 1
		retn
; END OF FUNCTION CHUNK	FOR PopFastS4Check
; 
; START	OF FUNCTION CHUNK FOR PopEnforceResiliencyScenarios

loc_905C2F:				; CODE XREF: PopEnforceResiliencyScenarios+35j
		test	al, al
		jnz	loc_85FD1F
		or	_PopCoalescingState, 2
		mov	ds:_PopCoalescingEnforced, 1
		mov	ds:_PopEnforcedCoalescingSpindownTimeout, ecx
		jmp	short loc_905C6F
; 

loc_905C4D:				; CODE XREF: PopEnforceResiliencyScenarios+3Dj
		cmp	ds:_PopCoalescingEnforced, 0
		jz	loc_85FD1F
		and	ds:_PopEnforcedCoalescingSpindownTimeout, 0
		and	_PopCoalescingState, 0FDh
		mov	ds:_PopCoalescingEnforced, 0

loc_905C6F:				; CODE XREF: PopEnforceResiliencyScenarios+A5F6Fj
		call	_PopEnsureCoalescingWorkerWillRun@0 ; PopEnsureCoalescingWorkerWillRun()
		jmp	loc_85FD1F
; END OF FUNCTION CHUNK	FOR PopEnforceResiliencyScenarios
; 
; START	OF FUNCTION CHUNK FOR PopEnforceDeepSleep

loc_905C79:				; CODE XREF: PopEnforceDeepSleep+47j
		test	al, al
		jnz	short loc_905CB2
		cmp	ds:_PopDeepSleepEnforced, al
		jnz	loc_85FD79
		imul	eax, esi, 989680h
		push	0
		push	eax
		call	_KeSetMaxDynamicTickDuration@8 ; KeSetMaxDynamicTickDuration(x,x)
		xor	ecx, ecx
		mov	ds:_PopDeepSleepEnforced, 1
		call	PopDeepSleepClearDisengageReason
		xor	ecx, ecx
		inc	ecx
		call	PopDeepSleepClearDisengageReason
		jmp	loc_85FD79
; 

loc_905CB2:				; CODE XREF: PopEnforceDeepSleep+4Fj
					; PopEnforceDeepSleep+A5F57j
		cmp	ds:_PopDeepSleepEnforced, 0
		jz	loc_85FD79
		push	dword_6C00C4
		push	_PopMaxDynamicTickDurationOriginalValue
		call	_KeSetMaxDynamicTickDuration@8 ; KeSetMaxDynamicTickDuration(x,x)
		xor	ecx, ecx
		mov	ds:_PopDeepSleepEnforced, 0
		call	PopDeepSleepSetDisengageReason
		cmp	byte_6C2E34, 0
		jnz	loc_85FD79
		xor	ecx, ecx
		inc	ecx
		call	PopDeepSleepSetDisengageReason
		jmp	loc_85FD79
; END OF FUNCTION CHUNK	FOR PopEnforceDeepSleep
; 
; START	OF FUNCTION CHUNK FOR RtlDestroyHeap

loc_905CF8:				; CODE XREF: RtlDestroyHeap+15j
		cmp	_RtlpHeapErrorHandlerThreshold,	2
		jl	loc_85FDAE
		push	offset ??_C@_0BF@JMLBIMHL@?$CIHeapHandle?5?$CB?$DN?5NULL?$CJ@NNGAKEGL@
		call	_DbgPrint
		pop	ecx
		call	_RtlpHeapHandleError@4 ; RtlpHeapHandleError(x)

loc_905D15:				; CODE XREF: RtlDestroyHeap+22j
		mov	eax, [edi+58h]
		test	eax, eax
		jz	short loc_905D34
		dec	eax
		cmp	ax, 1
		jnb	short loc_905D34
		push	0
		push	8
		movzx	eax, ax
		push	0
		push	edi
		call	ds:_RtlpInterceptorRoutines[eax*4]

loc_905D34:				; CODE XREF: RtlDestroyHeap+A5F94j
					; RtlDestroyHeap+A5F9Bj
		push	ebx
		lea	ebx, [edi+9Ch]
		push	esi
		mov	esi, [ebx]
		jmp	short loc_905D64
; 

loc_905D40:				; CODE XREF: RtlDestroyHeap+A5FE0j
		mov	eax, esi
		mov	esi, [esi]
		and	[ebp+var_4], 0
		and	eax, 0FFFF0000h
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_4]
		push	8000h
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)

loc_905D64:				; CODE XREF: RtlDestroyHeap+A5FB8j
		cmp	ebx, esi
		jnz	short loc_905D40
		mov	eax, [edi+40h]
		test	al, 1
		jnz	short loc_905D85
		test	eax, eax
		js	short loc_905D7E
		push	dword ptr [edi+0C8h]
		call	ExDeleteResourceLite

loc_905D7E:				; CODE XREF: RtlDestroyHeap+A5FEBj
		and	dword ptr [edi+0C8h], 0

loc_905D85:				; CODE XREF: RtlDestroyHeap+A5FE7j
					; RtlDestroyHeap+A6011j
		mov	esi, [edi+0A8h]
		sub	esi, 10h
		mov	ecx, esi
		call	_RtlpDestroyHeapSegment@4 ; RtlpDestroyHeapSegment(x)
		cmp	esi, edi
		jnz	short loc_905D85
		pop	esi
		pop	ebx
		jmp	loc_85FDAE
; END OF FUNCTION CHUNK	FOR RtlDestroyHeap

;  S U B	R O U T	I N E 


sub_905DA0	proc near		; CODE XREF: PopPolicyWorkerActionPromote+17j
		push	ebx
		movzx	ebx, al
		movzx	eax, byte_6C26C1
		sub	eax, 0
		jz	short loc_905DEB
		dec	eax
		sub	eax, 1
		jnz	short loc_905DFF
		push	dword_6C26CC
		mov	edx, dword_6C26C4
		mov	cl, 1
		push	dword_6C26C8
		call	PopIssueActionRequest
		test	eax, eax
		js	short loc_905DDD
		not	bl
		and	_PopAction, bl
		jmp	short loc_905DFF
; 

loc_905DDD:				; CODE XREF: sub_905DA0+31j
		cmp	byte_6C26C1, 2
		jz	short loc_905DFF
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_905DFA
; 

loc_905DEB:				; CODE XREF: sub_905DA0+Ej
		test	bl, 2
		jz	short loc_905DFF
		mov	cl, 1
		call	_PopSetPowerActionState@4 ; PopSetPowerActionState(x)
		push	2
		pop	ecx

loc_905DFA:				; CODE XREF: sub_905DA0+49j
		call	PopGetPolicyWorker

loc_905DFF:				; CODE XREF: sub_905DA0+14j
					; sub_905DA0+3Bj ...
		pop	ebx
		jmp	loc_85FDD3
sub_905DA0	endp

; 
; START	OF FUNCTION CHUNK FOR PfpServiceMainThreadBoostPrep

loc_905E05:				; CODE XREF: PfpServiceMainThreadBoostPrep+5Bj
		mov	esi, 0C000009Ah

loc_905E0A:				; CODE XREF: PfpServiceMainThreadBoostPrep+2Cj
					; PfpServiceMainThreadBoostPrep+7Ej
		test	edi, edi
		jz	loc_85FE61
		push	edi
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)
		jmp	loc_85FE61
; END OF FUNCTION CHUNK	FOR PfpServiceMainThreadBoostPrep
; 
; START	OF FUNCTION CHUNK FOR PopPowerAggregatorNotifyDisplayPoweredOn

loc_905E1D:				; CODE XREF: PopPowerAggregatorNotifyDisplayPoweredOn+3Aj
		mov	ecx, offset _PopPowerAggregatorContext
		mov	byte_6C0A18, 1
		call	_PopPowerAggregatorScheduleWorker@4 ; PopPowerAggregatorScheduleWorker(x)
		jmp	loc_8600A8
; END OF FUNCTION CHUNK	FOR PopPowerAggregatorNotifyDisplayPoweredOn
; 
; START	OF FUNCTION CHUNK FOR PopAdvanceSystemPowerState

loc_905E33:				; CODE XREF: PopAdvanceSystemPowerState+20j
		sub	edx, 1
		jz	short loc_905E55
		sub	edx, 1
		jnz	loc_860226
		cmp	edi, 5
		jz	loc_860231
		push	2
		lea	eax, [edi+1]
		pop	edx
		jmp	loc_86021F
; 

loc_905E55:				; CODE XREF: PopAdvanceSystemPowerState+A5C40j
		lea	eax, [edi-1]
		mov	edx, ebx
		mov	[esi], eax
		call	PopVerifySystemPowerState
		cmp	[esi], edi
		jnz	loc_860226
		mov	[esi], ebx
		jmp	loc_860226
; END OF FUNCTION CHUNK	FOR PopAdvanceSystemPowerState
; 
; START	OF FUNCTION CHUNK FOR WmipDoDisableRequest

loc_905E70:				; CODE XREF: WmipDoDisableRequest+35j
		test	bl, bl
		mov	edx, esi
		push	ebx
		setz	al
		lea	ecx, ds:4[eax*2]
		call	WmipSendEnableDisableRequest
		mov	edi, eax
		test	bl, bl
		jz	short loc_905E8F
		mov	eax, [esi+38h]
		jmp	short loc_905E92
; 

loc_905E8F:				; CODE XREF: WmipDoDisableRequest+A5B8Ej
		mov	eax, [esi+3Ch]

loc_905E92:				; CODE XREF: WmipDoDisableRequest+A5B93j
		test	eax, eax
		mov	eax, [esp+10h+var_4]
		jz	loc_86031A
		jmp	loc_860335
; END OF FUNCTION CHUNK	FOR WmipDoDisableRequest
; 
; START	OF FUNCTION CHUNK FOR BcdFlushStore

loc_905EA3:				; CODE XREF: BcdFlushStore+18j
		push	edx
		push	(offset	loc_8C72F1+1)
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		mov	eax, edx
		jmp	loc_8603CA
; END OF FUNCTION CHUNK	FOR BcdFlushStore
; 
; START	OF FUNCTION CHUNK FOR PspClosePartitionHandle

loc_905EBA:				; CODE XREF: PspClosePartitionHandle+13j
		jz	short loc_905EC6
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_860473
; 

loc_905EC6:				; CODE XREF: PspClosePartitionHandle:loc_905EBAj
		call	PsDereferencePartition
		jmp	loc_860473
; END OF FUNCTION CHUNK	FOR PspClosePartitionHandle
; 
; START	OF FUNCTION CHUNK FOR PiSwUpdateArrayProperties

loc_905ED0:				; CODE XREF: PiSwUpdateArrayProperties+7Bj
		test	eax, eax
		jz	loc_863E39
		test	ecx, ecx
		jz	loc_863E39
		push	ecx		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_863E53
		jmp	loc_863E39
; 

loc_905EF6:				; CODE XREF: PiSwUpdateArrayProperties+8Bj
		mov	eax, [ebx+edi+24h]
		and	dword ptr [ebx+edi+24h], 0
		mov	ecx, [esi]
		mov	[ebp+var_C], eax
		test	ecx, ecx
		jz	short loc_905F20
		push	57706E50h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+edi+24h], eax
		test	eax, eax
		jz	short loc_905F3A
		mov	eax, [ebp+var_C]

loc_905F20:				; CODE XREF: PiSwUpdateArrayProperties+A2134j
		test	eax, eax
		jz	short loc_905F2F
		push	57706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_905F2F:				; CODE XREF: PiSwUpdateArrayProperties+A2150j
		mov	ecx, [esi]
		mov	[ebx+edi+20h], ecx
		jmp	loc_863E63
; 

loc_905F3A:				; CODE XREF: PiSwUpdateArrayProperties+A2149j
		imul	eax, [ebp+arg_0], 28h
		mov	ecx, [ebp+var_C]
		mov	[eax+edi+24h], ecx
		mov	ecx, 0C000009Ah
		jmp	loc_863E96
; END OF FUNCTION CHUNK	FOR PiSwUpdateArrayProperties
; 
; START	OF FUNCTION CHUNK FOR PiSwDispatch

loc_905F4F:				; CODE XREF: PiSwDispatch+9Cj
		sub	eax, ecx
		mov	ecx, edi
		jz	short loc_905F62
		mov	esi, 0C00000BBh
		mov	[edi+18h], esi
		jmp	loc_863F28
; 

loc_905F62:				; CODE XREF: PiSwDispatch+A20B3j
		call	_PiSwIrpGetLifetime@4 ;	PiSwIrpGetLifetime(x)
		jmp	loc_863EF4
; END OF FUNCTION CHUNK	FOR PiSwDispatch

;  S U B	R O U T	I N E 


sub_905F6C	proc near		; DATA XREF: .text:006A4B14o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		push	eax
		call	ds:__imp__RpcExceptionFilter@4 ; RpcExceptionFilter(x)
		retn
sub_905F6C	endp


;  S U B	R O U T	I N E 


sub_905F7E	proc near		; DATA XREF: .text:006A4B18o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-2Ch]
		and	dword ptr [ebp-1Ch], 0
		jmp	loc_864008
sub_905F7E	endp

; 
; START	OF FUNCTION CHUNK FOR PiSwIrpPropertySet

loc_905F8D:				; CODE XREF: PiSwIrpPropertySet+CBj
		mov	esi, 0C00000BBh
		jmp	loc_8640A4
; 

loc_905F97:				; CODE XREF: PiSwIrpPropertySet+2Bj
					; PiSwIrpPropertySet+7Cj ...
		mov	esi, 0C000000Dh
		jmp	loc_8640D0
; END OF FUNCTION CHUNK	FOR PiSwIrpPropertySet
; 
; START	OF FUNCTION CHUNK FOR PiProcessReenumeration

loc_905FA1:				; CODE XREF: PiProcessReenumeration+78j
		mov	edx, 80000000h
		mov	ecx, edi
		call	PipClearDevNodeFlags
		jmp	loc_8641A2
; END OF FUNCTION CHUNK	FOR PiProcessReenumeration
; 
; START	OF FUNCTION CHUNK FOR PiProcessRequeryDeviceState

loc_905FB2:				; CODE XREF: PiProcessRequeryDeviceState+1Aj
		cmp	eax, 313h
		jz	short loc_905FC4
		cmp	eax, 314h
		jnz	loc_86422F

loc_905FC4:				; CODE XREF: PiProcessRequeryDeviceState+A1DADj
		mov	esi, 0C0000056h
		jmp	loc_86422F
; END OF FUNCTION CHUNK	FOR PiProcessRequeryDeviceState
; 
; START	OF FUNCTION CHUNK FOR PiProcessQueryDeviceState

loc_905FCE:				; CODE XREF: PiProcessQueryDeviceState+6Bj
		call	PipSetDevNodeUserFlags
		jmp	loc_8642AA
; 

loc_905FD8:				; CODE XREF: PiProcessQueryDeviceState+C1j
		test	bl, 10h
		jnz	loc_8642FB

loc_905FE1:				; CODE XREF: PiProcessQueryDeviceState+B8j
		push	3
		pop	edx
		mov	ecx, esi
		call	_PnpCheckForActiveDependencies@8 ; PnpCheckForActiveDependencies(x,x)
		test	al, al
		jz	short loc_906006
		push	0
		push	33h

loc_905FF3:				; CODE XREF: PiProcessQueryDeviceState+132j
					; PiProcessQueryDeviceState+A1DEDj
		xor	dl, dl
		mov	ecx, esi
		call	_PnpRequestDeviceRemoval@16 ; PnpRequestDeviceRemoval(x,x,x,x)
		mov	edi, 0C0000001h
		jmp	loc_864319
; 

loc_906006:				; CODE XREF: PiProcessQueryDeviceState+A1DB9j
		mov	eax, [ebp+var_4]
		jmp	loc_8642FB
; 

loc_90600E:				; CODE XREF: PiProcessQueryDeviceState+C9j
		and	bl, 1
		movzx	eax, bl
		neg	eax
		push	0
		sbb	eax, eax
		and	eax, 5
		add	eax, 18h
		push	eax
		jmp	short loc_905FF3
; 

loc_906023:				; CODE XREF: PiProcessQueryDeviceState+D2j
		mov	ecx, [ebp+var_C]
		shr	ebx, 2
		and	bl, 1
		mov	dl, bl
		call	_IopResourceRequirementsChanged@8 ; IopResourceRequirementsChanged(x,x)
		jmp	loc_864319
; 

loc_906038:				; CODE XREF: PiProcessQueryDeviceState+DFj
		mov	ecx, esi
		call	_PiUpdateDeviceResourceLists@4 ; PiUpdateDeviceResourceLists(x)
		mov	edi, eax
		jmp	loc_864319
; END OF FUNCTION CHUNK	FOR PiProcessQueryDeviceState
; 
; START	OF FUNCTION CHUNK FOR PipClearDevNodeUserFlags

loc_906046:				; CODE XREF: PipClearDevNodeUserFlags+1Fj
		mov	edx, [esi+18h]
		test	edx, edx
		jz	loc_864391
		push	0Bh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	ecx, [esi+110h]
		mov	eax, ecx
		xor	eax, edi
		test	al, 40h
		jz	short loc_906076
		mov	edx, [esi+18h]
		push	1Dh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	ecx, [esi+110h]

loc_906076:				; CODE XREF: PipClearDevNodeUserFlags+A1CF8j
		xor	ecx, edi
		test	cl, 4
		jz	loc_864391
		mov	edx, [esi+18h]
		push	1Eh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		jmp	loc_864391
; END OF FUNCTION CHUNK	FOR PipClearDevNodeUserFlags
; 
; START	OF FUNCTION CHUNK FOR PipEnumerateDevice

loc_906090:				; CODE XREF: PipEnumerateDevice+B2j
		mov	edx, edi
		mov	ecx, offset _KMPnPEvt_DeviceEnum_Pend
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		mov	eax, [ebp+arg_0]
		jmp	loc_864467
; 

loc_9060A4:				; CODE XREF: PipEnumerateDevice+BBj
		mov	edx, edi
		mov	[esi+18h], eax
		mov	ecx, offset _KMPnPEvt_DeviceEnum_Stop
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		mov	edx, esi
		call	PnpDeviceCompletionQueueDispatchedEntryCompleted
		jmp	loc_864457
; 

loc_9060BF:				; CODE XREF: PipEnumerateDevice+11j
					; PipEnumerateDevice+1Ej ...
		cmp	[ebp+arg_0], 0
		jz	short loc_9060D7
		test	[ebx+10Ch], edi
		jz	short loc_9060D7
		mov	eax, 0C000022Dh
		jmp	loc_864467
; 

loc_9060D7:				; CODE XREF: PipEnumerateDevice+A1D2Dj
					; PipEnumerateDevice+A1D35j
		lea	edx, [ebx+14h]
		mov	ecx, offset _KMPnPEvt_DeviceEnum_Start
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		push	8
		pop	edx
		mov	ecx, ebx
		call	PipClearDevNodeFlags
		mov	ecx, [ebx+10h]
		call	_PoFxActivateDevice@4 ;	PoFxActivateDevice(x)
		mov	ecx, [ebx+10h]
		lea	eax, [ebx+160h]
		or	dword ptr [ebx+1C8h], 80h
		xor	edx, edx
		push	eax
		push	0
		call	_PnpQueryDeviceRelations@16 ; PnpQueryDeviceRelations(x,x,x,x)
		mov	ecx, [ebx+10h]
		mov	esi, eax
		call	PoFxIdleDevice
		and	dword ptr [ebx+1C8h], 0FFFFFF7Fh
		mov	edx, 30Dh
		push	ecx
		mov	ecx, ebx
		mov	[ebx+108h], esi
		call	PipSetDevNodeState
		lea	edx, [ebx+14h]
		mov	ecx, offset _KMPnPEvt_DeviceEnum_Stop
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		jmp	loc_864465
; END OF FUNCTION CHUNK	FOR PipEnumerateDevice

;  S U B	R O U T	I N E 


sub_90614C	proc near		; CODE XREF: PnpDeviceCompletionProcessCompletedRequest+4Fj
		push	ebx
		push	80h
		push	esi
		push	0Dh
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_906160:				; CODE XREF: PipEnumerateCompleted+F4j
		mov	edx, 10000h
		mov	ecx, edi
		call	PipSetDevNodeFlags
		push	ebx
		push	18h
		mov	dl, 1
		mov	ecx, edi
		call	_PnpRequestDeviceRemoval@16 ; PnpRequestDeviceRemoval(x,x,x,x)
		mov	eax, [ebp-0Ch]
		mov	byte ptr [ebp-1], 1
		jmp	loc_86460E
sub_90614C	endp

; 
; START	OF FUNCTION CHUNK FOR PipEnumerateCompleted

loc_906184:				; CODE XREF: PipEnumerateCompleted+A4j
		cmp	esi, _IopRootDeviceNode
		jz	loc_8645BE
		mov	ebx, 0C00002CEh
		jmp	loc_8645BE
; END OF FUNCTION CHUNK	FOR PipEnumerateCompleted
; 
; START	OF FUNCTION CHUNK FOR _PnpRaiseNtPlugPlayDevicePropertyChangeEvent

loc_90619A:				; CODE XREF: _PnpRaiseNtPlugPlayDevicePropertyChangeEvent+31j
		push	eax
		push	0
		push	1
		call	_CmRaisePropertyChangeEvent
		jmp	loc_8646AD
; END OF FUNCTION CHUNK	FOR _PnpRaiseNtPlugPlayDevicePropertyChangeEvent
; 
; START	OF FUNCTION CHUNK FOR PipProcessEnumeratedChildDevice

loc_9061A9:				; CODE XREF: PipProcessEnumeratedChildDevice+1Aj
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		xor	ebx, ebx
		test	ecx, ecx
		jz	short loc_9061E8
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_9061E8
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_9061E8:				; CODE XREF: PipProcessEnumeratedChildDevice+A1AA1j
					; PipProcessEnumeratedChildDevice+A1AB5j
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_906286
		mov	edx, 1F4h
		lea	edi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[edi], bx
		jz	short loc_906220
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock

loc_906220:				; CODE XREF: PipProcessEnumeratedChildDevice+A1AEFj
		mov	edx, [esi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_906254
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [esi+0B0h]

loc_906254:				; CODE XREF: PipProcessEnumeratedChildDevice+A1B15j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_906286
		lea	ecx, [eax+1Ch]
		cmp	[ecx], bx
		jz	short loc_906286
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_906286:				; CODE XREF: PipProcessEnumeratedChildDevice+A1AD9j
					; PipProcessEnumeratedChildDevice+A1B42j ...
		push	ebx
		push	ebx
		push	esi
		push	4
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_906295:				; CODE XREF: PipProcessEnumeratedChildDevice+80j
		push	eax
		push	31h
		pop	edx
		mov	ecx, edi
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_86475E
; END OF FUNCTION CHUNK	FOR PipProcessEnumeratedChildDevice
; 
; START	OF FUNCTION CHUNK FOR PipProcessDevNodeTree

loc_9062A5:				; CODE XREF: PipProcessDevNodeTree+4Bj
		push	dword ptr [edi+18h]
		mov	edx, offset _KMPnPEvt_AssignResources_Start
		push	ecx
		call	_McTemplateK0z_EtwWriteTransfer@16 ; McTemplateK0z_EtwWriteTransfer(x,x,x,x)
		jmp	loc_8647F9
; 

loc_9062B8:				; CODE XREF: PipProcessDevNodeTree+6Dj
		push	dword ptr [edi+18h]
		mov	edx, offset _KMPnPEvt_AssignResources_Stop
		push	ecx
		call	_McTemplateK0z_EtwWriteTransfer@16 ; McTemplateK0z_EtwWriteTransfer(x,x,x,x)
		jmp	loc_86481B
; 

loc_9062CB:				; CODE XREF: PipProcessDevNodeTree+77j
		mov	ecx, _IopRootDeviceNode
		mov	edx, ebx
		push	1
		push	0
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PipProcessDevNodeTree
		cmp	eax, 0C00002CEh
		jnz	loc_864825
		mov	ah, 1
		mov	[ebp+var_3], ah
		jmp	loc_864828
; 

loc_9062F9:				; CODE XREF: PipProcessDevNodeTree+B9j
		push	0
		push	33h
		pop	edx
		mov	ecx, esi
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_864867
; 

loc_90630A:				; CODE XREF: PipProcessDevNodeTree+2BBj
		test	ecx, 2000000h
		jnz	loc_8648B2	; default
		jmp	loc_864A69
; 

loc_90631B:				; CODE XREF: PipProcessDevNodeTree+2D9j
		push	0
		push	33h
		pop	edx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_8648B2	; default
; 

loc_90632A:				; CODE XREF: PipProcessDevNodeTree+1F4j
		mov	[ebp+var_1], 1

loc_90632E:				; CODE XREF: PipProcessDevNodeTree+292j
		xor	ebx, ebx
		inc	ebx
		jmp	loc_8648B2	; default
; 

loc_906336:				; CODE XREF: PipProcessDevNodeTree+DDj
					; DATA XREF: PAGE:off_864B88o
		movzx	eax, [ebp+var_1] ; case	0x30A
		mov	ecx, esi
		push	eax
		mov	eax, [ebp+arg_C]
		movzx	edx, al
		call	_PipProcessRestartPhase1@12 ; PipProcessRestartPhase1(x,x,x)
		jmp	loc_864AC1
; 

loc_90634D:				; CODE XREF: PipProcessDevNodeTree+DDj
					; DATA XREF: PAGE:off_864B88o
		mov	ecx, esi	; case 0x30B
		call	_PipProcessRestartPhase2@4 ; PipProcessRestartPhase2(x)
		jmp	loc_864A50
; 

loc_906359:				; CODE XREF: PipProcessDevNodeTree+2B2j
		mov	edi, 0C00002CEh
		jmp	loc_8648A6
; 

loc_906363:				; CODE XREF: PipProcessDevNodeTree+104j
					; PipProcessDevNodeTree+123j ...
		mov	al, [ebp+arg_10]
		test	al, al
		jz	short loc_90639C
		mov	[ebp+var_18], edi
		mov	edi, [ebp+var_14]
		jmp	loc_8648ED
; 

loc_906375:				; CODE XREF: PipProcessDevNodeTree+150j
		mov	ecx, esi
		call	_PpDevCfgTraceDeviceStart@4 ; PpDevCfgTraceDeviceStart(x)
		jmp	loc_8648FE
; 

loc_906381:				; CODE XREF: PipProcessDevNodeTree+221j
		xor	ebx, ebx
		inc	ebx
		jmp	loc_864909
; 

loc_906389:				; CODE XREF: PipProcessDevNodeTree+28Bj
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_906393
		mov	esi, [eax+4]

loc_906393:				; CODE XREF: PipProcessDevNodeTree+A1BE6j
		mov	[ebp+var_4], 1
		jmp	loc_864922
; 

loc_90639C:				; CODE XREF: PipProcessDevNodeTree+A1BC0j
		mov	edi, [ebp+var_14]

loc_90639F:				; CODE XREF: PipProcessDevNodeTree+8Fj
		lea	eax, [ebp+var_2]
		mov	[ebp+var_3], 0
		xor	edx, edx
		xor	ecx, ecx
		push	eax
		inc	edx
		inc	ecx
		call	_PnpDeviceCompletionProcessCompletedRequests@12	; PnpDeviceCompletionProcessCompletedRequests(x,x,x)
		mov	ebx, [ebp+var_10]
		mov	edx, ebx
		mov	ecx, _IopRootDeviceNode
		push	1
		push	[ebp+arg_C]
		mov	[ebp+var_1], 0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PipProcessDevNodeTree
		add	edi, 14h
		lea	ecx, [ebp+var_20]
		mov	dx, [edi]
		call	IopAllocateUnicodeString
		mov	esi, eax
		test	esi, esi
		js	short loc_906450
		push	edi
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	ecx, [ebp+var_C]
		mov	ecx, [ecx+10h]
		call	ObfDereferenceObject
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree
		call	_PnpSynchronizeDeviceEventQueue@0 ; PnpSynchronizeDeviceEventQueue()
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeLockTree
		mov	edx, 746C6644h
		lea	ecx, [ebp+var_20]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	esi, eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	esi, esi
		jz	short loc_906446
		mov	eax, [esi+0B0h]
		mov	edi, [eax+14h]
		mov	edx, edi
		mov	[ebp+var_14], edi
		mov	esi, edi
		mov	[ebp+var_C], edx
		jmp	loc_864928
; 

loc_906446:				; CODE XREF: PipProcessDevNodeTree+A1C84j
		mov	eax, 0C0000001h
		jmp	loc_864951
; 

loc_906450:				; CODE XREF: PipProcessDevNodeTree+A1C3Ej
		mov	ecx, [ebp+var_C]
		mov	ecx, [ecx+10h]
		call	ObfDereferenceObject
		mov	eax, esi
		jmp	loc_864951
; END OF FUNCTION CHUNK	FOR PipProcessDevNodeTree
; 
; START	OF FUNCTION CHUNK FOR PipCheckForUnsatisfiedDependencies

loc_906462:				; CODE XREF: PipCheckForUnsatisfiedDependencies+24j
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_4]
		call	_PiEnumerateProviderListEntry@12 ; PiEnumerateProviderListEntry(x,x,x)
		mov	edx, [ebp+var_4]
		mov	esi, [esi]
		test	edx, edx
		jz	short loc_906484
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_906486
; 

loc_906484:				; CODE XREF: PipCheckForUnsatisfiedDependencies+A181Dj
		mov	ecx, ebx

loc_906486:				; CODE XREF: PipCheckForUnsatisfiedDependencies+A1828j
		test	edx, edx
		jz	short loc_9064A9
		test	ecx, ecx
		jz	short loc_9064A9
		mov	eax, [ebp+var_8]
		and	eax, [ebp+var_C]
		test	al, 3
		jz	loc_864C7C
		call	_PipIsProviderStarted@4	; PipIsProviderStarted(x)
		test	al, al
		jnz	loc_864C7C

loc_9064A9:				; CODE XREF: PipCheckForUnsatisfiedDependencies+A182Ej
					; PipCheckForUnsatisfiedDependencies+A1832j
		mov	bl, 1
		jmp	loc_864C84
; END OF FUNCTION CHUNK	FOR PipCheckForUnsatisfiedDependencies
; 
; START	OF FUNCTION CHUNK FOR PipCallDriverAddDevice

loc_9064B0:				; CODE XREF: PipCallDriverAddDevice+14Fj
		mov	edx, [ebx+18h]
		lea	eax, [esp+0E8h+var_CC]
		push	0
		push	eax
		push	edi
		lea	eax, [esp+0F4h+var_B4]
		push	eax
		lea	eax, [esp+0F8h+var_AC]
		push	eax
		push	offset _DEVPKEY_Device_DebuggerSafe
		push	0
		push	[esp+104h+var_D0]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9064FC
		cmp	[esp+0E8h+var_AC], 7
		jnz	short loc_9064FC
		cmp	[esp+0E8h+var_CC], edi
		jnz	short loc_9064FC
		cmp	[esp+0E8h+var_B4], 0
		jz	short loc_9064FC
		xor	ecx, ecx
		inc	ecx
		jmp	loc_864E01
; 

loc_9064FC:				; CODE XREF: PipCallDriverAddDevice+A1832j
					; PipCallDriverAddDevice+A1839j ...
		push	0
		push	35h
		jmp	short loc_906505
; 

loc_906502:				; CODE XREF: PipCallDriverAddDevice+682j
		push	eax
		push	32h

loc_906505:				; CODE XREF: PipCallDriverAddDevice+A1854j
					; PipCallDriverAddDevice+A1BE2j ...
		xor	dl, dl
		mov	ecx, ebx
		call	_PnpRequestDeviceRemoval@16 ; PnpRequestDeviceRemoval(x,x,x,x)
		mov	esi, 0C00002CEh
		jmp	loc_864D4F
; 

loc_906518:				; CODE XREF: PipCallDriverAddDevice+470j
		cmp	[esp+0E8h+var_B4], 0FFh
		ja	loc_865122
		lea	eax, [esp+0E8h+var_84]
		push	eax
		push	[esp+0ECh+var_B4]
		call	_PnpQueryProximityNode
		test	eax, eax
		js	loc_865122
		movzx	eax, word ptr [esp+0F0h+var_8C]
		mov	[ebx+1A4h], eax
		jmp	loc_865122
; 

loc_90654D:				; CODE XREF: PipCallDriverAddDevice+489j
		mov	[ebx+1A4h], ecx
		mov	eax, ecx
		jmp	loc_865147
; 

loc_90655A:				; CODE XREF: PipCallDriverAddDevice+4A3j
		mov	edx, [ebx+18h]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	edi
		mov	[esp+0F0h+var_B4], eax
		lea	eax, [esp+0F0h+var_B4]
		push	eax
		push	7
		push	offset _DEVPKEY_Device_Numa_Node
		push	0
		push	[esp+100h+var_D0]
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		jmp	loc_864E0E
; 

loc_906588:				; CODE XREF: PipCallDriverAddDevice+195j
					; PipCallDriverAddDevice+1A1j
		lea	ecx, [esp+0E8h+var_90]
		call	_PnpGetStableSystemBootTime@4 ;	PnpGetStableSystemBootTime(x)
		test	eax, eax
		js	loc_864E53
		cmp	esi, 0C0000023h
		jz	short loc_9065D0
		cmp	[esp+0E8h+var_AC], 10h
		jnz	short loc_9065D0
		cmp	[esp+0E8h+var_CC], 8
		jnz	short loc_9065D0
		cmp	_PnpBootMode, 0
		jnz	short loc_9065D0
		mov	eax, [esp+0E8h+var_90]
		cmp	eax, [esp+0E8h+var_80]
		jnz	short loc_9065D0
		mov	eax, [esp+0E8h+var_8C]
		cmp	eax, [esp+0E8h+var_7C]
		jz	loc_864D4A

loc_9065D0:				; CODE XREF: PipCallDriverAddDevice+A18F3j
					; PipCallDriverAddDevice+A18FAj ...
		mov	edx, [ebx+18h]
		xor	eax, eax
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	eax
		push	eax
		push	eax
		push	edi
		push	eax
		push	[esp+100h+var_D0]
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		jmp	loc_864E53
; 

loc_9065F1:				; CODE XREF: PipCallDriverAddDevice+202j
		lea	edx, [esp+0E8h+var_C8]
		lea	ecx, [esp+0E8h+var_A0]
		call	_IopSafebootDriverLoad@8 ; IopSafebootDriverLoad(x,x)
		test	al, al
		jnz	loc_864EB4
		mov	eax, 100h
		mov	edi, 6E657050h
		push	edi
		push	eax
		push	1
		mov	[esp+0F4h+var_D4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_90667C
		mov	edx, [ebx+18h]
		lea	eax, [esp+0E8h+var_D4]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		push	esi
		lea	eax, [esp+0F4h+var_BC]
		push	eax
		push	1
		push	[esp+0FCh+var_D0]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_906663
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		push	[esp+0ECh+var_D4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		jmp	short loc_90667C
; 

loc_906663:				; CODE XREF: PipCallDriverAddDevice+A199Dj
		test	eax, eax
		js	short loc_90667C
		and	[esp+0E8h+var_A0], 0
		lea	eax, [esp+0E8h+var_A0]
		and	[esp+0E8h+var_9C], 0
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_90667C:				; CODE XREF: PipCallDriverAddDevice+A1975j
					; PipCallDriverAddDevice+A19B5j ...
		xor	dl, dl
		lea	ecx, [esp+0E8h+var_A0]
		call	IopBootLog
		test	esi, esi
		jz	loc_864D4A
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_864D4A
; 

loc_90669C:				; CODE XREF: PipCallDriverAddDevice+259j
					; PipCallDriverAddDevice+263j ...
		and	[esp+0E8h+var_C0], 0
		jmp	loc_864F1F
; 

loc_9066A6:				; CODE XREF: PipCallDriverAddDevice+29Ej
		mov	esi, 0C000009Ah
		jmp	loc_864FA2
; 

loc_9066B0:				; CODE XREF: PipCallDriverAddDevice+2ACj
		mov	eax, [esp+0E8h+var_B8]
		test	eax, eax
		jz	loc_9067A5
		lea	ecx, [esp+0E8h+var_78]
		push	ecx
		push	[esp+0ECh+var_C8]
		lea	edx, [esp+0F0h+var_D4]
		push	0
		push	1
		push	eax
		lea	eax, [esp+0FCh+var_58]
		push	eax
		push	offset _DEVPKEY_DeviceClass_ConfigFilters
		push	0
		lea	ecx, [esp+108h+var_C4]
		call	PnpCallDriverQueryServiceHelper
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_9066F8
		cmp	esi, 0C0000225h
		jnz	short loc_9066FA

loc_9066F8:				; CODE XREF: PipCallDriverAddDevice+A1A42j
		xor	esi, esi

loc_9066FA:				; CODE XREF: PipCallDriverAddDevice+A1A4Aj
		test	esi, esi
		js	loc_864FA2
		push	0
		lea	eax, [esp+0ECh+var_CC]
		push	eax
		push	[esp+0F0h+var_D4]
		push	[esp+0F4h+var_C4]
		jmp	short loc_906755
; 

loc_906713:				; CODE XREF: PipCallDriverAddDevice+A1AD5j
		mov	eax, [esp+0F8h+var_DC]
		cmp	eax, [esp+0F8h+var_E4]
		jbe	loc_90683C
		push	0
		push	[esp+0FCh+var_D4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+0F8h+var_DC]
		push	edi
		push	eax
		push	1
		mov	[esp+104h+var_E4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0F8h+var_D4], eax
		test	eax, eax
		jz	loc_906832
		push	0
		lea	ecx, [esp+0FCh+var_DC]
		push	ecx
		push	[esp+100h+var_E4]
		push	eax

loc_906755:				; CODE XREF: PipCallDriverAddDevice+A1A65j
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+108h+var_A8]
		push	eax
		push	offset _DEVPKEY_DeviceClass_ConfigNotifyWnfTriggers
		push	0
		push	[esp+114h+var_C8]
		lea	edx, [esp+0B0h]
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_906713

loc_906783:				; CODE XREF: PipCallDriverAddDevice+A1B8Bj
		test	esi, esi
		jns	loc_906846
		cmp	esi, 0C0000034h
		jz	short loc_90679B
		cmp	esi, 0C0000225h
		jnz	short loc_90679D

loc_90679B:				; CODE XREF: PipCallDriverAddDevice+A1AE5j
		xor	esi, esi

loc_90679D:				; CODE XREF: PipCallDriverAddDevice+A1AEDj
					; PipCallDriverAddDevice+A1BA2j ...
		test	esi, esi
		js	loc_864FA2

loc_9067A5:				; CODE XREF: PipCallDriverAddDevice+A1A0Aj
		cmp	[esp+0E8h+var_70], 0
		jnz	loc_864F5E
		mov	edx, [ebx+18h]
		lea	eax, [esp+0E8h+var_CC]
		mov	ecx, _PiPnpRtlCtx
		push	4
		pop	edi
		push	0
		push	eax
		lea	eax, [esp+0F0h+var_C0]
		mov	[esp+0F0h+var_CC], edi
		push	eax
		lea	eax, [esp+0F4h+var_BC]
		push	eax
		push	0Bh
		push	[esp+0FCh+var_D0]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_864F5E
		cmp	[esp+0E8h+var_BC], edi
		jnz	loc_864F5E
		cmp	[esp+0E8h+var_CC], edi
		jnz	loc_864F5E
		mov	eax, [esp+0E8h+var_C0]
		test	eax, 80000h
		jz	loc_864F5E
		mov	edx, [ebx+18h]
		and	eax, 0FFF7FFFFh
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	edi
		mov	[esp+0F0h+var_C0], eax
		lea	eax, [esp+0F0h+var_C0]
		push	eax
		push	edi
		push	0Bh
		push	[esp+0FCh+var_D0]
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		jmp	loc_864F5E
; 

loc_906832:				; CODE XREF: PipCallDriverAddDevice+A1A97j
		mov	esi, 0C000009Ah
		jmp	loc_906783
; 

loc_90683C:				; CODE XREF: PipCallDriverAddDevice+A1A6Fj
		mov	esi, 0C0000001h
		jmp	loc_864FA2
; 

loc_906846:				; CODE XREF: PipCallDriverAddDevice+A1AD9j
		cmp	[esp+0F8h+var_A8], 1003h
		jnz	loc_90679D
		mov	eax, [esp+0F8h+var_DC]
		test	al, 7
		jnz	loc_90679D
		test	eax, eax
		jz	loc_90679D
		mov	edi, [esp+0F8h+var_D4]
		shr	eax, 3
		mov	[esp+0F8h+var_B8], eax
		mov	esi, eax

loc_906875:				; CODE XREF: PipCallDriverAddDevice+A1BDDj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	edi
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		add	edi, 8
		sub	esi, 1
		jnz	short loc_906875
		push	esi
		push	38h
		jmp	loc_906505
; 

loc_906893:				; CODE XREF: PipCallDriverAddDevice+4D8j
		cmp	esi, 0C0000034h
		jz	loc_86518A
		jmp	loc_864F6F
; 

loc_9068A4:				; CODE XREF: PipCallDriverAddDevice+302j
		xor	esi, esi
		jmp	loc_864D4F
; 

loc_9068AB:				; CODE XREF: PipCallDriverAddDevice+51Bj
		push	0C0000182h
		push	13h
		pop	edx
		mov	ecx, ebx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_864D4A
; 

loc_9068BF:				; CODE XREF: PipCallDriverAddDevice+736j
		mov	al, [esp+0E8h+var_D5]
		cmp	al, 3
		jnz	loc_86540B
		mov	eax, [esp+0E8h+var_A4]
		mov	ecx, [ebx+10h]
		push	0
		push	[esp+0ECh+var_C8]
		mov	edx, [eax+10h]
		call	IovUtilMarkStack
		push	edi
		mov	[ebx+108h], edi
		push	1Fh
		jmp	loc_906505
; 

loc_9068EE:				; CODE XREF: PipCallDriverAddDevice+713j
		mov	edx, [ebx+18h]
		lea	eax, [esp+0E8h+var_CC]
		mov	ecx, _PiPnpRtlCtx
		push	4
		pop	esi
		push	0
		push	eax
		lea	eax, [esp+0F0h+var_C0]
		mov	[esp+0F0h+var_CC], esi
		push	eax
		lea	eax, [esp+0F4h+var_BC]
		push	eax
		push	0Bh
		push	[esp+0FCh+var_D0]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_90695B
		cmp	[esp+0E8h+var_BC], esi
		jnz	short loc_90695B
		cmp	[esp+0E8h+var_CC], esi
		jnz	short loc_90695B
		mov	eax, [esp+0E8h+var_C0]
		test	eax, 80000h
		jz	short loc_90695B
		mov	edx, [ebx+18h]
		and	eax, 0FFF7FFFFh
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	esi
		mov	[esp+0F0h+var_C0], eax
		lea	eax, [esp+0F0h+var_C0]
		push	eax
		push	esi
		push	0Bh
		push	[esp+0FCh+var_D0]
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)

loc_90695B:				; CODE XREF: PipCallDriverAddDevice+A1C70j
					; PipCallDriverAddDevice+A1C76j ...
		mov	al, [esp+0E8h+var_D5]
		jmp	loc_8652DC
; 

loc_906964:				; CODE XREF: PipCallDriverAddDevice+6CBj
		mov	esi, 0C00000BBh
		jmp	loc_864D4F
; 

loc_90696E:				; CODE XREF: PipCallDriverAddDevice+6D9j
		cmp	[ebx+1D0h], ecx
		jz	loc_86538B
		mov	ecx, ebx
		call	_PipDmgEnforceEnumerationPolicy@4 ; PipDmgEnforceEnumerationPolicy(x)
		mov	esi, eax
		jmp	loc_864D4F
; END OF FUNCTION CHUNK	FOR PipCallDriverAddDevice
; 
; START	OF FUNCTION CHUNK FOR PipSetDevNodeFlags

loc_906988:				; CODE XREF: PipSetDevNodeFlags+1Ej
		mov	edx, [esi+18h]
		test	edx, edx
		jz	loc_8654C6
		push	0Bh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	ecx, [esi+10Ch]
		mov	eax, ecx
		xor	eax, edi
		test	eax, 4000h
		jz	short loc_9069BB
		mov	edx, [esi+18h]
		push	1Ch
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	ecx, [esi+10Ch]

loc_9069BB:				; CODE XREF: PipSetDevNodeFlags+A1507j
		xor	ecx, edi
		test	ecx, 2000h
		jz	loc_8654C6
		mov	edx, [esi+18h]
		push	1Bh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		jmp	loc_8654C6
; END OF FUNCTION CHUNK	FOR PipSetDevNodeFlags
; 
; START	OF FUNCTION CHUNK FOR PipClearDevNodeFlags

loc_9069D8:				; CODE XREF: PipClearDevNodeFlags+1Fj
		mov	edx, [esi+18h]
		test	edx, edx
		jz	loc_8654EF
		push	0Bh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	ecx, [esi+10Ch]
		mov	eax, ecx
		xor	eax, edi
		test	eax, 4000h
		jz	short loc_906A0B
		mov	edx, [esi+18h]
		push	1Ch
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	ecx, [esi+10Ch]

loc_906A0B:				; CODE XREF: PipClearDevNodeFlags+A152Fj
		xor	ecx, edi
		test	ecx, 2000h
		jz	loc_8654EF
		mov	edx, [esi+18h]
		push	1Bh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		jmp	loc_8654EF
; END OF FUNCTION CHUNK	FOR PipClearDevNodeFlags
; 
; START	OF FUNCTION CHUNK FOR PiUpdateGuestAssignedState

loc_906A28:				; CODE XREF: PiUpdateGuestAssignedState+28j
		mov	ecx, edi
		call	_PipSetGuestAssignedProperty@8 ; PipSetGuestAssignedProperty(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_906A48
		mov	dl, bl
		mov	ecx, edi
		call	_PipSendGuestAssignedNotification@8 ; PipSendGuestAssignedNotification(x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_86567A

loc_906A48:				; CODE XREF: PiUpdateGuestAssignedState+A13E9j
		push	esi
		push	39h
		xor	dl, dl
		mov	ecx, edi
		call	_PnpRequestDeviceRemoval@16 ; PnpRequestDeviceRemoval(x,x,x,x)
		jmp	loc_86567A
; END OF FUNCTION CHUNK	FOR PiUpdateGuestAssignedState
; 
; START	OF FUNCTION CHUNK FOR PnpProcessAssignResources

loc_906A59:				; CODE XREF: PnpProcessAssignResources+CEj
		xor	esi, esi
		jmp	loc_865765
; 

loc_906A60:				; CODE XREF: PnpProcessAssignResources+15Cj
		cmp	eax, 0C000008Ah
		jz	short loc_906AA2
		cmp	eax, 0C0000182h
		jz	short loc_906A9D
		mov	ecx, esi
		push	eax
		cmp	eax, 0C0000908h
		jz	short loc_906A99
		cmp	eax, 0C0040035h
		jz	short loc_906A99
		cmp	eax, 0C0040036h
		jz	short loc_906A95
		cmp	eax, 0C0040037h
		jz	short loc_906A91
		push	0Ch
		jmp	short loc_906AA7
; 

loc_906A91:				; CODE XREF: PnpProcessAssignResources+A1403j
		push	24h
		jmp	short loc_906AA7
; 

loc_906A95:				; CODE XREF: PnpProcessAssignResources+A13FCj
		push	21h
		jmp	short loc_906AA7
; 

loc_906A99:				; CODE XREF: PnpProcessAssignResources+A13EEj
					; PnpProcessAssignResources+A13F5j
		push	23h
		jmp	short loc_906AA7
; 

loc_906A9D:				; CODE XREF: PnpProcessAssignResources+A13E4j
		push	eax
		push	22h
		jmp	short loc_906AA5
; 

loc_906AA2:				; CODE XREF: PnpProcessAssignResources+A13DDj
		push	eax
		push	11h

loc_906AA5:				; CODE XREF: PnpProcessAssignResources+A1418j
		mov	ecx, esi

loc_906AA7:				; CODE XREF: PnpProcessAssignResources+A1407j
					; PnpProcessAssignResources+A140Bj ...
		pop	edx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_865798
; END OF FUNCTION CHUNK	FOR PnpProcessAssignResources
; 
; START	OF FUNCTION CHUNK FOR PnpProcessAssignResourcesWorker

loc_906AB2:				; CODE XREF: PnpProcessAssignResourcesWorker+54j
		mov	eax, [esi+114h]
		cmp	eax, 0Ch
		jz	short loc_906ACB
		cmp	eax, 21h
		jz	short loc_906ACB
		cmp	eax, 24h
		jnz	loc_8657FA

loc_906ACB:				; CODE XREF: PnpProcessAssignResourcesWorker+A12D1j
					; PnpProcessAssignResourcesWorker+A12D6j
		mov	ecx, esi
		call	PipClearDevNodeProblem
		jmp	loc_8657FA
; END OF FUNCTION CHUNK	FOR PnpProcessAssignResourcesWorker
; 
; START	OF FUNCTION CHUNK FOR _PnpDispatchInstallerClass

loc_906AD7:				; CODE XREF: _PnpDispatchInstallerClass+21j
					; DATA XREF: PAGE:off_858F18o
		mov	ecx, [ebp+arg_10] ; case 0x1
		mov	al, [ecx+4]
		mov	esi, [ecx+8]
		mov	edx, [ecx]
		mov	byte ptr [ebp+arg_10], al
		lea	eax, [ecx+0Ch]
		mov	ecx, [ebp+arg_0]
		push	eax
		push	esi
		push	[ebp+arg_10]
		push	edx
		mov	edx, [ebp+arg_4]
		push	edi
		push	20h
		call	_CmOpenCommonClassRegKey
		jmp	loc_858EC2
; 

loc_906B01:				; CODE XREF: _PnpDispatchInstallerClass+21j
					; DATA XREF: PAGE:off_858F18o
		mov	ecx, [ebp+arg_10] ; case 0x2
		mov	edx, [ebp+arg_4]
		mov	eax, [ecx+0Ch]
		and	eax, 0FFFF0000h
		push	eax
		lea	eax, [ecx+8]
		push	eax
		lea	eax, [ecx+4]
		push	eax
		push	dword ptr [ecx]
		mov	ecx, [ebp+arg_0]
		call	__CmCreateInstallerClass@24 ; _CmCreateInstallerClass(x,x,x,x,x,x)
		jmp	loc_858EC2
; 

loc_906B27:				; CODE XREF: _PnpDispatchInstallerClass+21j
					; DATA XREF: PAGE:off_858F18o
		mov	eax, [ebp+arg_10] ; case 0x3
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax]
		and	eax, 0FFFF0000h
		push	eax
		call	__CmDeleteInstallerClass@12 ; _CmDeleteInstallerClass(x,x,x)
		jmp	loc_858EC2
; 

loc_906B42:				; CODE XREF: _PnpDispatchInstallerClass+79j
		mov	[ebp+var_8], eax
		lea	edx, [ebp+var_8]
		mov	eax, [ecx+4]
		mov	edi, offset __PnpCmMatchCallbackRoutine@16 ; _PnpCmMatchCallbackRoutine(x,x,x,x)
		mov	[ebp+var_4], eax
		jmp	loc_858EF7
; 

loc_906B58:				; CODE XREF: _PnpDispatchInstallerClass+21j
					; DATA XREF: PAGE:off_858F18o
		mov	eax, [ebp+arg_10] ; case 0x5
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	dword ptr [eax+14h]
		push	dword ptr [eax+10h]
		push	dword ptr [eax+0Ch]
		push	edi
		push	dword ptr [eax]
		call	__CmGetInstallerClassMappedPropertyKeys@28 ; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)
		jmp	loc_858EC2
; 

loc_906B77:				; CODE XREF: _PnpDispatchInstallerClass+21j
					; DATA XREF: PAGE:off_858F18o
		mov	eax, [ebp+arg_10] ; case 0x6
		push	dword ptr [eax+10h] ; int
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; int
		push	dword ptr [eax+4] ; void *
		push	ecx		; int
		call	__CmGetInstallerClassMappedPropertyLocales@28 ;	_CmGetInstallerClassMappedPropertyLocales(x,x,x,x,x,x,x)
		jmp	loc_858EC2
; 

loc_906B91:				; CODE XREF: _PnpDispatchInstallerClass+21j
					; DATA XREF: PAGE:off_858F18o
		mov	eax, [ebp+arg_10] ; case 0x8
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	dword ptr [eax+14h] ; int
		push	dword ptr [eax+10h] ; int
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; void *
		push	dword ptr [eax+4] ; int
		push	dword ptr [eax]	; int
		call	__CmSetInstallerClassMappedProperty@32 ; _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)
		jmp	loc_858EC2
; 

loc_906BB5:				; CODE XREF: _PnpDispatchInstallerClass+1Bj
		mov	eax, 0C000000Dh	; default
		jmp	loc_858EC2
; END OF FUNCTION CHUNK	FOR _PnpDispatchInstallerClass
; 
; START	OF FUNCTION CHUNK FOR _CmGetInstallerClassMappedProperty

loc_906BBF:				; CODE XREF: _CmGetInstallerClassMappedProperty+E5j
		push	[ebp+arg_18]	; int
		mov	edx, [ebp+var_4]
		push	[ebp+arg_14]	; int
		mov	ecx, [ebp+var_8]
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	esi		; void *
		push	[ebp+arg_0]	; int
		call	_CmGetInstallerClassMappedPropertyFromRegProp
		mov	ebx, eax
		cmp	ebx, 0C0000016h
		jnz	loc_85900A
		jmp	loc_858F8D
; 

loc_906BED:				; CODE XREF: _CmGetInstallerClassMappedProperty+ABj
		mov	ecx, [ebp+arg_4]
		jmp	loc_858FCF
; END OF FUNCTION CHUNK	FOR _CmGetInstallerClassMappedProperty
; 
; START	OF FUNCTION CHUNK FOR _CmGetInstallerClassMappedPropertyFromComposite

loc_906BF5:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromComposite+4Ej
		mov	esi, 0C0000230h
		jmp	loc_85915A
; 

loc_906BFF:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromComposite+57j
		push	10h		; size_t
		push	offset _DEVPKEY_NAME ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_85915A
		mov	ecx, [ebp+arg_C]
		mov	edx, [esp+20h+var_C]
		push	eax
		lea	eax, [esp+24h+var_14]
		push	eax
		push	[esp+28h+var_10]
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, [esp+34h+var_8]
		push	offset _DEVPKEY_DeviceClass_Name
		push	0
		push	[ebp+arg_0]
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_906C94
		mov	ebx, 0C0000023h
		cmp	esi, ebx
		jz	short loc_906C94
		cmp	esi, 0C0000225h
		jnz	loc_85915A
		mov	edx, [esp+20h+var_C]
		lea	eax, [esp+20h+var_14]
		mov	ecx, [esp+20h+var_8]
		push	0
		push	eax
		push	[esp+28h+var_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	offset _DEVPKEY_DeviceClass_ClassName
		push	0
		push	[ebp+arg_0]
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_906C94
		cmp	esi, ebx
		jnz	loc_85915A

loc_906C94:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromComposite+ADB8Dj
					; _CmGetInstallerClassMappedPropertyFromComposite+ADB96j ...
		mov	eax, [esp+20h+var_14]
		mov	[edi], eax
		jmp	loc_85915A
; 

loc_906C9F:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromComposite+60j
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_Configurable ; void	*
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_85915A
		mov	edx, [esp+20h+var_C]
		mov	ecx, [esp+20h+var_8]
		push	eax
		lea	eax, [esp+24h+var_14]
		push	eax
		push	[esp+28h+var_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	(offset	loc_427EBB+1)
		push	0
		push	[ebp+arg_0]
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_906C94
		mov	ebx, 0C0000023h
		cmp	esi, ebx
		jz	short loc_906C94
		cmp	esi, 0C0000225h
		jnz	loc_85915A
		mov	edx, [esp+20h+var_C]
		lea	eax, [esp+20h+var_14]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	[ebp+arg_8]
		push	offset _DEVPKEY_DeviceClass_ClassInstaller
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, [esp+40h+var_8]
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	ecx, 0C0000225h
		cmp	esi, ecx
		jnz	short loc_906D57
		mov	edx, [esp+20h+var_C]
		lea	eax, [esp+20h+var_14]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	[ebp+arg_8]
		push	offset _DEVPKEY_DeviceClass_ClassCoInstallers
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, [esp+40h+var_8]
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	ecx, 0C0000225h

loc_906D57:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromComposite+ADC71j
		test	esi, esi
		jns	short loc_906D67
		cmp	esi, ecx
		jz	short loc_906D67
		cmp	esi, ebx
		jnz	loc_85915A

loc_906D67:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromComposite+ADCA1j
					; _CmGetInstallerClassMappedPropertyFromComposite+ADCA5j
		mov	eax, [ebp+arg_8]
		mov	dword ptr [edi], 1
		mov	dword ptr [eax], 11h
		mov	eax, [esp+20h+var_10]
		cmp	eax, [edi]
		jnb	short loc_906D85
		mov	esi, ebx
		jmp	loc_85915A
; 

loc_906D85:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromComposite+ADCC4j
		cmp	esi, ecx
		mov	ecx, [ebp+arg_C]
		setnz	al
		dec	al
		xor	esi, esi
		mov	[ecx], al
		jmp	loc_85915A
; END OF FUNCTION CHUNK	FOR _CmGetInstallerClassMappedPropertyFromComposite
; 
; START	OF FUNCTION CHUNK FOR _CmGetInstallerClassCompoundFilters

loc_906D98:				; CODE XREF: _CmGetInstallerClassCompoundFilters+5Dj
		xor	ecx, ecx
		jmp	loc_8591E6
; 

loc_906D9F:				; CODE XREF: _CmGetInstallerClassCompoundFilters+7Fj
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+var_C]	; void *
		push	[ebp+arg_4]	; int
		push	[ebp+var_8]	; int
		push	[ebp+var_4]	; int
		call	__CmGetInstallerClassCompoundFiltersWorker@40 ;	_CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000034h
		jz	loc_859205
		cmp	eax, 0C000017Ch
		jz	loc_859205
		cmp	eax, 0C0000225h
		jz	loc_859205
		test	eax, eax
		jns	loc_859223
		jmp	loc_859221
; 

loc_906DEF:				; CODE XREF: _CmGetInstallerClassCompoundFilters+B9j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_85923F
; END OF FUNCTION CHUNK	FOR _CmGetInstallerClassCompoundFilters
; 
; START	OF FUNCTION CHUNK FOR _CmGetInstallerClassMappedPropertyFromRegProp

loc_906DFC:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+96j
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+arg_4]
		jmp	loc_8592E3
; 

loc_906E07:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+A4j
		mov	esi, 0C0000230h
		jmp	loc_859364
; 

loc_906E11:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+107j
		mov	eax, [ebp+arg_14]
		mov	eax, [eax]
		mov	[ebp+var_4], eax
		test	esi, esi
		jz	short loc_906E6A
		cmp	esi, edx
		jnz	loc_859364
		push	52504E50h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_906E42
		mov	esi, 0C0000017h
		jmp	loc_859364
; 

loc_906E42:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+ADBC0j
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	ecx
		mov	ecx, [ebp+var_C]
		push	eax
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_0]
		call	__CmGetInstallerClassRegProp@32	; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_906E65
		mov	esi, eax
		jmp	short loc_906EA0
; 

loc_906E65:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+ADBE9j
		mov	eax, [ebp+var_4]
		mov	edi, ebx

loc_906E6A:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+ADBA5j
		test	edi, edi
		jz	short loc_906E98
		cmp	eax, 2
		jb	short loc_906E98
		sub	esp, 0Ch
		mov	ecx, edi
		call	_PnpParseIndirectInfString
		test	al, al
		jnz	short loc_906E8F
		sub	esp, 10h
		mov	ecx, edi
		call	_PnpParseIndirectResourceString
		test	al, al
		jz	short loc_906E98

loc_906E8F:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+ADC09j
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 19h

loc_906E98:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+ADBF6j
					; _CmGetInstallerClassMappedPropertyFromRegProp+ADBFBj	...
		test	ebx, ebx
		jz	loc_859364

loc_906EA0:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+ADBEDj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_859364
; 

loc_906EAD:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+BBj
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	ecx
		mov	ecx, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_4], 4
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	1Bh
		push	[ebp+arg_0]
		call	__CmGetInstallerClassRegProp@32	; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_859364
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+var_10]
		cmp	eax, [ecx+0Ch]
		jz	short loc_906EF0
		mov	esi, 0C000000Dh
		jmp	loc_859364
; 

loc_906EF0:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+ADC6Ej
		mov	edx, [ebp+arg_14]
		mov	dword ptr [edx], 1
		mov	eax, [ecx+4]
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		mov	ecx, [ebp+var_14]
		cmp	ecx, [edx]
		jnb	short loc_906F12
		mov	esi, 0C0000023h
		jmp	loc_859364
; 

loc_906F12:				; CODE XREF: _CmGetInstallerClassMappedPropertyFromRegProp+ADC90j
		cmp	[ebp+var_1C], ebx
		setz	al
		dec	al
		mov	[edi], al
		jmp	loc_859364
; END OF FUNCTION CHUNK	FOR _CmGetInstallerClassMappedPropertyFromRegProp
; 
; START	OF FUNCTION CHUNK FOR _CmGetInstallerClassRegPropWorker

loc_906F21:				; CODE XREF: _CmGetInstallerClassRegPropWorker+24j
					; _CmGetInstallerClassRegPropWorker+55j
		mov	esi, 0C000000Dh
		jmp	loc_859595
; 

loc_906F2B:				; CODE XREF: _CmGetInstallerClassRegPropWorker+C6j
		mov	esi, 0C0000230h
		jmp	loc_859581
; 

loc_906F35:				; CODE XREF: _CmGetInstallerClassRegPropWorker+1AEj
		mov	esi, 0C00000E5h
		jmp	loc_859581
; 

loc_906F3F:				; CODE XREF: _CmGetInstallerClassRegPropWorker+6Bj
					; _CmGetInstallerClassRegPropWorker+74j ...
		mov	esi, 0C0000230h
		jmp	loc_859595
; 

loc_906F49:				; CODE XREF: _CmGetInstallerClassRegPropWorker+2Fj
					; _CmGetInstallerClassRegPropWorker+3Aj
		mov	esi, 0C000000Dh
		jmp	loc_859581
; END OF FUNCTION CHUNK	FOR _CmGetInstallerClassRegPropWorker
; 
; START	OF FUNCTION CHUNK FOR PiCMSetObjectProperty

loc_906F53:				; CODE XREF: PiCMSetObjectProperty+71j
		push	10h		; size_t
		lea	eax, [ebp+var_28]
		push	offset _DEVPKEY_Device_FriendlyName ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_906FC2
		jmp	loc_8658CF
; 

loc_906F6F:				; CODE XREF: PiCMSetObjectProperty+7Aj
		push	10h		; size_t
		lea	eax, [ebp+var_28]
		push	offset _DEVPKEY_Device_FriendlyNameAttributes ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_906FC2
		jmp	loc_8658D8
; 

loc_906F8B:				; CODE XREF: PiCMSetObjectProperty+83j
		push	10h		; size_t
		lea	eax, [ebp+var_28]
		push	offset _DEVPKEY_DriverPackage_SourceMediaPath ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_906FC2
		jmp	loc_8658E1
; 

loc_906FA7:				; CODE XREF: PiCMSetObjectProperty+8Cj
		push	10h		; size_t
		lea	eax, [ebp+var_28]
		push	offset _DEVPKEY_WIA_DeviceType ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8658EA

loc_906FC2:				; CODE XREF: PiCMSetObjectProperty+A1710j
					; PiCMSetObjectProperty+A172Cj	...
		xor	ecx, ecx
		inc	ecx
		jmp	loc_8658EC
; 

loc_906FCA:				; CODE XREF: PiCMSetObjectProperty+A5j
		mov	ebx, 0C0000022h
		jmp	loc_8659A1
; 

loc_906FD4:				; CODE XREF: PiCMSetObjectProperty+105j
		sub	esi, 1
		jnz	loc_865A13
		push	5
		jmp	loc_865965
; 

loc_906FE4:				; CODE XREF: PiCMSetObjectProperty+FCj
		push	4
		jmp	loc_865965
; 

loc_906FEB:				; CODE XREF: PiCMSetObjectProperty+F3j
		push	2
		jmp	loc_865965
; 

loc_906FF2:				; CODE XREF: PiCMSetObjectProperty+E1j
		push	6
		jmp	loc_865965
; 

loc_906FF9:				; CODE XREF: PiCMSetObjectProperty+1A9j
		sub	esi, 1
		jz	short loc_907014
		sub	esi, 1
		jz	short loc_907010
		sub	esi, 1
		jnz	loc_865A13
		push	0Bh
		jmp	short loc_907016
; 

loc_907010:				; CODE XREF: PiCMSetObjectProperty+A17A9j
		push	0Ah
		jmp	short loc_907016
; 

loc_907014:				; CODE XREF: PiCMSetObjectProperty+A17A4j
		push	9

loc_907016:				; CODE XREF: PiCMSetObjectProperty+1CAj
					; PiCMSetObjectProperty+A17B6j	...
		pop	eax
		jmp	loc_865A07
; 

loc_90701C:				; CODE XREF: PiCMSetObjectProperty+1C3j
		mov	ebx, 0C000000Dh
		jmp	loc_865966
; 

loc_907026:				; CODE XREF: PiCMSetObjectProperty+13Aj
		cmp	[ebp+var_18], 26h
		jnz	loc_8659A1
		push	10h		; size_t
		lea	eax, [ebp+var_28]
		push	offset _DEVPKEY_Device_BaseContainerId ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8659A1
		mov	ebx, 0C0000230h
		jmp	loc_865998
; 

loc_907055:				; CODE XREF: PiCMSetObjectProperty+B0j
					; PiCMSetObjectProperty+BAj ...
		mov	ebx, 0C000000Dh
		jmp	loc_8659A1
; END OF FUNCTION CHUNK	FOR PiCMSetObjectProperty
; 
; START	OF FUNCTION CHUNK FOR PiSwPropertySet

loc_90705F:				; CODE XREF: PiSwPropertySet+90j
		cmp	dword ptr [edi-8], 0
		jnz	loc_865ACB
		xor	esi, esi
		jmp	loc_865ABE
; END OF FUNCTION CHUNK	FOR PiSwPropertySet
; 
; START	OF FUNCTION CHUNK FOR PiPnpRtlSetObjectProperty

loc_907070:				; CODE XREF: PiPnpRtlSetObjectProperty+16Cj
		push	10h		; size_t
		push	offset _DEVPKEY_Device_InstanceId ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jmp	short loc_907091
; 

loc_907084:				; CODE XREF: PiPnpRtlSetObjectProperty+247j
					; PiPnpRtlSetObjectProperty+29Ej
		mov	esi, [esp+70h+var_60]
		mov	ecx, esi
		call	__CmIsRootEnumeratedDevice@4 ; _CmIsRootEnumeratedDevice(x)
		test	al, al

loc_907091:				; CODE XREF: PiPnpRtlSetObjectProperty+A158Ej
		jnz	loc_865BC0

loc_907097:				; CODE XREF: PiPnpRtlSetObjectProperty+19Aj
					; PiPnpRtlSetObjectProperty+2B7j
		mov	esi, 0C0000022h
		jmp	loc_865C37
; 

loc_9070A1:				; CODE XREF: PiPnpRtlSetObjectProperty+2D4j
		cmp	[esp+70h+var_64], 0
		jz	loc_907155
		cmp	[ebp+arg_18], 4
		jmp	loc_865CFB
; 

loc_9070B5:				; CODE XREF: PiPnpRtlSetObjectProperty+22Aj
		mov	ecx, [esp+70h+var_64]
		test	ecx, ecx
		jz	loc_907155
		cmp	[ebp+arg_18], 2
		jb	loc_907155
		cmp	[ebp+arg_10], 12h
		jnz	loc_907155
		mov	eax, [ebp+arg_18]
		xor	edi, edi
		shr	eax, 1
		cmp	[ecx+eax*2-2], di
		jnz	short loc_907155
		lea	eax, [esp+70h+var_2C]
		push	eax
		lea	eax, [esp+74h+var_28]
		push	eax
		lea	edx, [esp+78h+var_24]
		call	__CmSplitDevicePanelId@16 ; _CmSplitDevicePanelId(x,x,x,x)
		test	eax, eax
		js	short loc_907155
		mov	esi, [esp+70h+var_60]
		lea	eax, [esp+70h+var_58]
		mov	ecx, [esp+70h+var_50]
		mov	edx, esi
		push	edi
		push	eax
		push	10h
		lea	eax, [esp+7Ch+var_14]
		push	eax
		lea	eax, [esp+80h+var_48]
		push	eax
		push	offset _DEVPKEY_Device_ContainerId
		push	edi
		push	[esp+8Ch+var_54]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_907155
		cmp	[esp+70h+var_48], 0Dh
		jnz	short loc_907155
		cmp	[esp+70h+var_58], 10h
		jnz	short loc_907155
		push	10h		; size_t
		lea	eax, [esp+74h+var_24]
		push	eax		; void *
		lea	eax, [esp+78h+var_14]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_865BC2

loc_907155:				; CODE XREF: PiPnpRtlSetObjectProperty+20Dj
					; PiPnpRtlSetObjectProperty+A15B2j ...
		mov	esi, 0C000000Dh
		jmp	loc_865C37
; 

loc_90715F:				; CODE XREF: PiPnpRtlSetObjectProperty+1B7j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		mov	[esp+70h+var_59], 1
		jmp	loc_865BE8
; 

loc_907183:				; CODE XREF: PiPnpRtlSetObjectProperty+2F1j
		xor	edx, edx
		mov	ecx, 8Ah
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jz	loc_865BE8
		mov	ecx, [esp+70h+var_50]
		lea	eax, [esp+70h+var_58]
		push	edi
		push	eax
		lea	eax, [esp+78h+var_44]
		mov	[esp+78h+var_58], 4
		push	eax
		lea	eax, [esp+7Ch+var_38]
		mov	edx, esi
		push	eax
		push	0Bh
		push	[esp+84h+var_54]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9071D2
		cmp	[esp+70h+var_58], 4
		jnz	short loc_9071D2
		cmp	[esp+70h+var_38], 4
		jz	short loc_9071D6

loc_9071D2:				; CODE XREF: PiPnpRtlSetObjectProperty+A16CEj
					; PiPnpRtlSetObjectProperty+A16D5j
		mov	[esp+70h+var_44], edi

loc_9071D6:				; CODE XREF: PiPnpRtlSetObjectProperty+A16DCj
		mov	eax, [esp+70h+var_64]
		mov	edi, [eax]
		jmp	loc_865BEC
; 

loc_9071E1:				; CODE XREF: PiPnpRtlSetObjectProperty+264j
		xor	edx, edx
		mov	ecx, 8Ah
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jz	loc_865BE8
		push	4
		pop	ecx
		push	edi
		lea	eax, [esp+74h+var_58]
		mov	[esp+74h+var_58], ecx
		push	eax
		push	ecx
		mov	ecx, [esp+7Ch+var_50]
		lea	eax, [esp+7Ch+var_3C]
		push	eax
		lea	eax, [esp+80h+var_48]
		mov	edx, esi
		push	eax
		push	offset _DEVPKEY_Device_InstallError
		push	edi
		push	[esp+8Ch+var_54]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_907236
		cmp	[esp+70h+var_58], 4
		jnz	short loc_907236
		cmp	[esp+70h+var_48], 17h
		jz	short loc_90723A

loc_907236:				; CODE XREF: PiPnpRtlSetObjectProperty+A1732j
					; PiPnpRtlSetObjectProperty+A1739j
		mov	[esp+70h+var_3C], edi

loc_90723A:				; CODE XREF: PiPnpRtlSetObjectProperty+A1740j
		cmp	[ebp+arg_18], 4
		jnz	short loc_907255
		cmp	[ebp+arg_10], 17h
		jnz	short loc_907255
		mov	eax, [esp+70h+var_64]
		mov	ecx, [eax]
		mov	[esp+70h+var_40], ecx
		jmp	loc_865BEC
; 

loc_907255:				; CODE XREF: PiPnpRtlSetObjectProperty+A174Aj
					; PiPnpRtlSetObjectProperty+A1750j
		mov	[esp+70h+var_40], edi
		jmp	loc_865BE8
; 

loc_90725E:				; CODE XREF: PiPnpRtlSetObjectProperty+181j
		push	10h		; size_t
		push	offset _DEVPKEY_Device_PhysicalDeviceLocation ;	"~\vT@Ej\vL\t"
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_865C2C
		push	[esp+70h+var_54]
		mov	edx, [esp+74h+var_60]
		mov	ecx, [esp+74h+var_50]
		call	__CmUpdateDevicePanelInterface@12 ; _CmUpdateDevicePanelInterface(x,x,x)
		jmp	loc_865C2C
; 

loc_90728C:				; CODE XREF: PiPnpRtlSetObjectProperty+30Ej
		xor	edx, edx
		mov	ecx, 8Ah
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jz	loc_865C2C
		push	[esp+70h+var_60]
		lea	eax, [esp+74h+var_34]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [esp+70h+var_44]
		lea	ecx, [esp+70h+var_34]
		test	esi, esi
		setns	byte ptr [esp+70h+var_4C]
		push	[esp+70h+var_4C]
		push	edi
		call	_PiAuditDeviceEnableDisableRequest@16 ;	PiAuditDeviceEnableDisableRequest(x,x,x,x)
		jmp	loc_865C2C
; 

loc_9072CC:				; CODE XREF: PiPnpRtlSetObjectProperty+281j
		xor	edx, edx
		mov	ecx, 8Ah
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jz	loc_865C2C
		push	[esp+70h+var_60]
		lea	eax, [esp+74h+var_34]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [esp+70h+var_3C]
		lea	ecx, [esp+70h+var_34]
		test	esi, esi
		setns	byte ptr [esp+70h+var_4C]
		push	[esp+70h+var_4C]
		push	[esp+74h+var_40]
		call	_PiAuditDeviceInstallPolicyBlock@16 ; PiAuditDeviceInstallPolicyBlock(x,x,x,x)
		jmp	loc_865C2C
; 

loc_90730F:				; CODE XREF: PiPnpRtlSetObjectProperty+13Dj
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_865C37
; END OF FUNCTION CHUNK	FOR PiPnpRtlSetObjectProperty
; 
; START	OF FUNCTION CHUNK FOR _PnpSetObjectPropertyWorker

loc_90732A:				; CODE XREF: _PnpSetObjectPropertyWorker+6Ej
		cmp	[ebp+arg_0], 7
		jl	loc_865F6E
		push	[ebp+arg_C]
		mov	edx, [ebp+var_C]
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_8]
		push	edi
		push	[ebp+arg_0]
		call	_PnpObjectRaisePropertyChangeEvent
		jmp	loc_865F6E
; END OF FUNCTION CHUNK	FOR _PnpSetObjectPropertyWorker
; 
; START	OF FUNCTION CHUNK FOR _PnpSetPropertyWorker

loc_90734E:				; CODE XREF: _PnpSetPropertyWorker+4Cj
					; _PnpSetPropertyWorker+A12ECj
		mov	esi, 0C000000Dh
		jmp	loc_86625E
; 

loc_907358:				; CODE XREF: _PnpSetPropertyWorker+54j
		lea	ecx, [ebp+var_8C]
		push	ecx
		push	55h
		pop	edx
		mov	ecx, eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_86625E
		mov	eax, [ebp+var_78]
		mov	esi, [ebp+var_84]
		jmp	loc_8660F8
; 

loc_907381:				; CODE XREF: _PnpSetPropertyWorker+5Ej
		mov	ecx, eax
		call	__IsNeutralLocale@4 ; _IsNeutralLocale(x)
		test	al, al
		jz	short loc_90734E
		jmp	loc_866102
; 

loc_907391:				; CODE XREF: _PnpSetPropertyWorker+B6j
		mov	esi, 0C00000E5h
		xor	ebx, ebx
		jmp	loc_866224
; 

loc_90739D:				; CODE XREF: _PnpSetPropertyWorker+120j
		mov	[ebp+var_6C], ebx
		jmp	loc_86627D
; 

loc_9073A5:				; CODE XREF: _PnpSetPropertyWorker+158j
		mov	[ebp+var_74], ebx
		mov	esi, eax
		jmp	loc_86623A
; 

loc_9073AF:				; CODE XREF: _PnpSetPropertyWorker+196j
		cmp	[ebp+var_7C], 1
		jnz	loc_86623A
		test	edi, edi
		jz	short loc_9073CB
		mov	eax, [edi+74h]
		test	eax, eax
		jz	short loc_9073CB
		mov	ecx, [eax+4]
		push	ebx
		push	ecx
		jmp	short loc_9073CD
; 

loc_9073CB:				; CODE XREF: _PnpSetPropertyWorker+A131Dj
					; _PnpSetPropertyWorker+A1324j
		push	ebx
		push	ebx

loc_9073CD:				; CODE XREF: _PnpSetPropertyWorker+A132Bj
		mov	ecx, [ebp+var_6C]
		lea	edx, [ebp+var_18]
		call	_RegRtlDeleteTreeInternal
		jmp	loc_86623A
; 

loc_9073DD:				; CODE XREF: _PnpSetPropertyWorker+1ACj
		cmp	[ebp+var_80], 1
		jnz	loc_866250
		test	edi, edi
		jz	short loc_9073F9
		mov	eax, [edi+74h]
		test	eax, eax
		jz	short loc_9073F9
		mov	ecx, [eax+4]
		push	ebx
		push	ecx
		jmp	short loc_9073FB
; 

loc_9073F9:				; CODE XREF: _PnpSetPropertyWorker+A134Bj
					; _PnpSetPropertyWorker+A1352j
		push	ebx
		push	ebx

loc_9073FB:				; CODE XREF: _PnpSetPropertyWorker+A1359j
		mov	ecx, [ebp+var_70]
		lea	edx, [ebp+var_68]
		call	_RegRtlDeleteTreeInternal
		jmp	loc_866250
; END OF FUNCTION CHUNK	FOR _PnpSetPropertyWorker
; 
; START	OF FUNCTION CHUNK FOR PiSwGetChildPdo

loc_90740B:				; CODE XREF: PiSwGetChildPdo+100j
		lea	ecx, [edi+28h]
		cmp	word ptr [ecx],	2
		jnb	loc_8663CB
		jmp	loc_866388
; 

loc_90741D:				; CODE XREF: PiSwGetChildPdo+15Bj
		mov	ecx, eax
		call	ObfDereferenceObject
		movzx	eax, word ptr [edi+6Ch]
		mov	ecx, eax
		test	ax, ax
		jnz	short loc_90743D
		push	5
		push	[ebp+var_8]
		call	IoInvalidateDeviceRelations
		movzx	ecx, word ptr [edi+6Ch]

loc_90743D:				; CODE XREF: PiSwGetChildPdo+A11ABj
		mov	eax, 0FFFFh
		cmp	cx, ax
		jnb	loc_866367
		lea	eax, [ecx+1]
		mov	[edi+6Ch], ax
		jmp	loc_866367
; 

loc_907457:				; CODE XREF: PiSwGetChildPdo+76j
		mov	ecx, [eax+28h]
		mov	edx, [ecx]
		cmp	eax, [edx+40h]
		jnz	short loc_907464
		and	[edx+40h], esi

loc_907464:				; CODE XREF: PiSwGetChildPdo+A11DDj
		or	dword ptr [ecx+4], 20h
		jmp	loc_8662FE
; 

loc_90746D:				; CODE XREF: PiSwGetChildPdo+BEj
		push	esi
		call	IoDeleteDevice
		xor	esi, esi
		jmp	loc_866367
; 

loc_90747A:				; CODE XREF: PiSwGetChildPdo+34j
		test	ecx, ecx
		jz	loc_8662D5
		mov	eax, [ecx+14h]
		mov	eax, [eax+28h]
		and	dword ptr [eax+4], 0FFFFFFF7h
		mov	eax, [eax+4]
		test	al, 4
		jz	loc_8662D5
		mov	ecx, [ecx+14h]
		xor	dl, dl
		call	_PiSwProcessRemove@8 ; PiSwProcessRemove(x,x)
		jmp	loc_866367
; END OF FUNCTION CHUNK	FOR PiSwGetChildPdo
; 
; START	OF FUNCTION CHUNK FOR PiUEventDeviceNeedsInstall

loc_9074A6:				; CODE XREF: PiUEventDeviceNeedsInstall+87j
		cmp	[ebp+var_4], 16h
		jz	loc_882003
		jmp	loc_881FBD
; 

loc_9074B5:				; CODE XREF: PiUEventDeviceNeedsInstall+8Fj
		cmp	[ebp+var_4], 12h
		jz	loc_881FF9
		cmp	[ebp+var_4], 1
		jz	loc_881FF9
		jmp	loc_881FC5
; END OF FUNCTION CHUNK	FOR PiUEventDeviceNeedsInstall
; 
; START	OF FUNCTION CHUNK FOR PiDcGenerateConfigNotificationIfContainerRequiresConfiguration

loc_9074CE:				; CODE XREF: PiDcGenerateConfigNotificationIfContainerRequiresConfiguration+80j
					; PiDcGenerateConfigNotificationIfContainerRequiresConfiguration+98j
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	ebx
		push	4
		push	offset _unconfiguredConfigFlags
		push	7
		push	offset _DEVPKEY_DeviceContainer_ConfigFlags
		push	ebx
		push	ebx
		push	5
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_882093
		jmp	loc_8820A6
; END OF FUNCTION CHUNK	FOR PiDcGenerateConfigNotificationIfContainerRequiresConfiguration
; 
; START	OF FUNCTION CHUNK FOR RtlGenerateClass5Guid

loc_9074FD:				; CODE XREF: RtlGenerateClass5Guid+44j
		mov	eax, 0C00000EFh
		jmp	loc_8822C3
; 

loc_907507:				; CODE XREF: RtlGenerateClass5Guid+4Cj
		mov	eax, 0C00000F2h
		jmp	loc_8822C3
; 

loc_907511:				; CODE XREF: RtlGenerateClass5Guid+54j
		cmp	[ebp+arg_8], esi
		jz	loc_882172
		mov	eax, 0C00000F1h
		jmp	loc_8822C3
; 

loc_907524:				; CODE XREF: RtlGenerateClass5Guid+AFj
		mov	ebx, 0C000009Ah
		jmp	loc_8821CD
; END OF FUNCTION CHUNK	FOR RtlGenerateClass5Guid
; 
; START	OF FUNCTION CHUNK FOR PnpHardwareConfigCreateBootDriverFlags

loc_90752E:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+4Fj
		mov	esi, 0C000000Dh
		jmp	loc_8825C1
; 

loc_907538:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+8Fj
		cmp	esi, 0C0000034h
		jnz	loc_88259B
		xor	eax, eax
		mov	[ebp+var_58], 18h
		push	eax
		push	eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	1F0003h
		lea	eax, [ebp+var_14]
		mov	[ebp+var_4C], 200h
		push	eax
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88259B
		push	8
		lea	eax, [ebp+var_3C]
		push	eax
		push	0Ch
		lea	eax, [ebp+var_10]
		push	eax
		push	2D1400h
		lea	eax, [ebp+var_34]
		push	eax
		push	0
		push	0
		push	[ebp+var_14]
		push	[ebp+var_24]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_9075C8
		push	0
		push	0
		push	[ebp+var_14]
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88259B
		mov	esi, [ebp+var_34]

loc_9075C8:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+850A7j
		test	esi, esi
		js	loc_88259B
		push	6E697050h
		push	[ebp+var_38]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9075EF
		mov	esi, 0C000009Ah
		jmp	loc_88259B
; 

loc_9075EF:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+850DDj
		xor	esi, esi
		push	esi
		push	[ebp+var_14]
		call	_ZwResetEvent@8	; ZwResetEvent(x,x)
		push	[ebp+var_38]
		lea	eax, [ebp+var_10]
		push	edi
		push	0Ch
		push	eax
		push	2D1400h
		lea	eax, [ebp+var_34]
		push	eax
		push	esi
		push	esi
		push	[ebp+var_14]
		push	[ebp+var_24]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_90763D
		push	0
		push	0
		push	[ebp+var_14]
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88259B
		mov	esi, [ebp+var_34]

loc_90763D:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+8511Cj
		test	esi, esi
		js	loc_88259B
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jnz	short loc_907652
		xor	ecx, ecx
		jmp	short loc_907655
; 

loc_907652:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+85146j
		mov	ecx, [eax+74h]

loc_907655:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+8514Aj
		lea	eax, [ebp+var_20]
		mov	edx, 80000002h
		push	eax
		push	1
		push	0
		push	offset ??_C@_1EC@DGAEKDHP@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_88259B
		mov	ecx, [ebp+var_20]
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_1C], 4
		push	eax
		lea	eax, [ebp+var_28]
		mov	edx, offset ??_C@_1CA@PABBOCNB@?$AAB?$AAo?$AAo?$AAt?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@ ; "BootDriverFlags"
		push	eax
		call	_RegRtlQueryValue
		mov	esi, eax
		test	esi, esi
		js	loc_88259B
		mov	eax, [ebp+var_2C]
		mov	ecx, eax
		and	ecx, 0FFFFFFE3h
		mov	[ebp+var_18], ecx
		mov	edx, [edi+1Ch]
		cmp	edx, 0Ch
		jg	short loc_9076D5
		jz	short loc_9076CD
		test	edx, edx
		jle	short loc_9076E9
		cmp	edx, 3
		jle	short loc_9076F1
		cmp	edx, 7
		jz	short loc_9076C8
		cmp	edx, 0Bh
		jmp	short loc_9076E7
; 

loc_9076C8:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+851BBj
		or	ecx, 14h
		jmp	short loc_9076D0
; 

loc_9076CD:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+851ADj
		or	ecx, 8

loc_9076D0:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+851C5j
		mov	[ebp+var_18], ecx
		jmp	short loc_9076F1
; 

loc_9076D5:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+851ABj
		cmp	edx, 0Fh
		jl	short loc_9076E9
		cmp	edx, 10h
		jle	short loc_9076E9
		cmp	edx, 11h
		jz	short loc_9076F1
		cmp	edx, 13h

loc_9076E7:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+851C0j
		jz	short loc_9076F1

loc_9076E9:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+851B1j
					; PnpHardwareConfigCreateBootDriverFlags+851D2j ...
		and	eax, 1Ch
		or	eax, ecx
		mov	[ebp+var_18], eax

loc_9076F1:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+851B6j
					; PnpHardwareConfigCreateBootDriverFlags+851CDj ...
		push	4
		lea	eax, [ebp+var_18]
		mov	edx, offset ??_C@_1CA@PABBOCNB@?$AAB?$AAo?$AAo?$AAt?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@ ; "BootDriverFlags"
		push	eax
		push	4
		mov	ecx, ebx
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		mov	esi, eax
		jmp	loc_88259B
; 

loc_90770C:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+99j
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8825A5
; 

loc_907719:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+ABj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8825B7
; 

loc_907726:				; CODE XREF: PnpHardwareConfigCreateBootDriverFlags+B5j
		push	[ebp+var_14]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8825C1
; END OF FUNCTION CHUNK	FOR PnpHardwareConfigCreateBootDriverFlags
; 
; START	OF FUNCTION CHUNK FOR IopCreateArcName

loc_907733:				; CODE XREF: IopCreateArcName+BCj
					; IopCreateArcName+114j ...
		mov	esi, 0C000009Ah
		jmp	loc_882A0E
; 

loc_90773D:				; CODE XREF: IopCreateArcName+E1j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+158h+var_108]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+148h+var_128]
		jmp	loc_882741
; 

loc_907756:				; CODE XREF: IopCreateArcName+90j
		mov	dword ptr [esp+148h+var_D0], edx
		jmp	loc_88274B
; 

loc_90775F:				; CODE XREF: IopCreateArcName+139j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+158h+var_108]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+148h+var_128]
		jmp	loc_882799
; 

loc_907778:				; CODE XREF: IopCreateArcName+152j
		mov	edx, eax
		mov	[esp+148h+var_DC], edx
		jmp	loc_8827B2
; 

loc_907783:				; CODE XREF: IopCreateArcName+164j
		and	[esp+148h+var_11C], ebx
		mov	ecx, 204h
		mov	[esp+148h+var_120], 8000h
		call	IopVerifierExAllocatePool
		mov	[esp+148h+var_114], eax
		test	eax, eax
		jz	short loc_907733
		push	dword ptr [ebp+4] ; int
		lea	ecx, [esp+14Ch+var_128]
		push	ecx		; int
		lea	ecx, [esp+150h+var_108]
		push	ecx		; int
		lea	ecx, [esp+154h+var_120]
		push	ecx		; int
		push	[esp+158h+var_DC] ; size_t
		push	eax		; void *
		push	edi		; int
		push	3		; int
		call	_IopBuildSynchronousFsdRequest@32 ; IopBuildSynchronousFsdRequest(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9077D0
		mov	esi, 0C000009Ah
		jmp	loc_882A02
; 

loc_9077D0:				; CODE XREF: IopCreateArcName+8516Aj
		mov	eax, [esi+60h]
		push	0
		push	0
		or	byte ptr [eax-22h], 2
		lea	eax, [esp+150h+var_108]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edx, esi
		mov	ecx, edi
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_90780C
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+158h+var_108]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+148h+var_128]

loc_90780C:				; CODE XREF: IopCreateArcName+8519Cj
		test	esi, esi
		js	loc_882A02
		mov	edx, [esp+148h+var_DC]
		xor	eax, eax
		shr	edx, 2
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_90782F
		mov	esi, [esp+148h+var_114]

loc_907827:				; CODE XREF: IopCreateArcName+851D3j
		add	eax, [esi+ecx*4]
		inc	ecx
		cmp	ecx, edx
		jb	short loc_907827

loc_90782F:				; CODE XREF: IopCreateArcName+851C7j
		not	eax
		inc	eax
		jmp	short loc_907887
; 

loc_907834:				; CODE XREF: IopCreateArcName+1C6j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	5
		lea	eax, [esp+158h+var_108]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+148h+var_128]
		jmp	loc_882826
; 

loc_90784E:				; CODE XREF: IopCreateArcName+1D2j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [esp+148h+var_130]
		add	esi, esi
		push	6F426F49h
		push	esi
		mov	[esp+150h+var_130], esi
		push	200h
		jmp	loc_8827D0
; 

loc_907870:				; CODE XREF: IopCreateArcName+1A5j
		mov	esi, 0C000009Ah
		jmp	loc_882832
; 

loc_90787A:				; CODE XREF: IopCreateArcName+1F2j
		cmp	dword ptr [ebx+8], 0
		jnz	loc_882852

loc_907884:				; CODE XREF: IopCreateArcName+1E5j
		mov	eax, [ebx+0Ch]

loc_907887:				; CODE XREF: IopCreateArcName+851D8j
		mov	cl, 1
		mov	[esp+148h+var_120], eax
		jmp	loc_882858
; 

loc_907892:				; CODE XREF: IopCreateArcName+24Ej
		mov	ecx, esi
		call	_VhdiVerifyBootDisk@4 ;	VhdiVerifyBootDisk(x)
		test	al, al
		jnz	loc_8828AE

loc_9078A1:				; CODE XREF: IopCreateArcName+21Cj
					; IopCreateArcName+226j ...
		mov	edi, [edi]
		cmp	edi, offset _IoArcTableListHead
		jz	loc_90793B
		mov	eax, [esp+148h+var_120]
		mov	cl, [esp+148h+var_135]
		jmp	loc_882872
; 

loc_9078BC:				; CODE XREF: IopCreateArcName+22Ej
		cmp	byte ptr [edi+14h], 0
		jnz	short loc_9078A1
		cmp	[edi+10h], eax
		jmp	loc_8828B9
; 

loc_9078CA:				; CODE XREF: IopCreateArcName+277j
		push	(offset	loc_8B84AF+1)
		jmp	loc_8828DC
; 

loc_9078D4:				; CODE XREF: IopCreateArcName+2F9j
		cmp	_InitializationPhase, 2
		jnb	loc_8829F6
		mov	eax, ds:_KeLoaderBlock
		mov	edx, [eax+68h]
		mov	eax, [edi+0Ch]

loc_9078EC:				; CODE XREF: IopCreateArcName+852C2j
		mov	cl, [eax]
		cmp	cl, [edx]
		mov	[esp+148h+var_135], cl
		mov	ecx, [esp+148h+var_134]
		jnz	short loc_907922
		cmp	[esp+148h+var_135], 0
		jz	short loc_90791E
		mov	cl, [eax+1]
		cmp	cl, [edx+1]
		mov	[esp+148h+var_135], cl
		mov	ecx, [esp+148h+var_134]
		jnz	short loc_907922
		add	eax, 2
		add	edx, 2
		cmp	[esp+148h+var_135], 0
		jnz	short loc_9078EC

loc_90791E:				; CODE XREF: IopCreateArcName+852A5j
		xor	eax, eax
		jmp	short loc_907927
; 

loc_907922:				; CODE XREF: IopCreateArcName+8529Ej
					; IopCreateArcName+852B5j
		sbb	eax, eax
		or	eax, 1

loc_907927:				; CODE XREF: IopCreateArcName+852C6j
		test	eax, eax
		jnz	loc_8829F6
		or	dword ptr [ecx+1Ch], 100h
		jmp	loc_8829F6
; 

loc_90793B:				; CODE XREF: IopCreateArcName+20Ej
					; IopCreateArcName+8524Fj
		mov	esi, 0C00000BBh
		jmp	loc_8829F6
; 

loc_907945:				; CODE XREF: IopCreateArcName+17Fj
		mov	esi, 0C000009Ah
		jmp	loc_8829F6
; 

loc_90794F:				; CODE XREF: IopCreateArcName+3AEj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_882A0E
; END OF FUNCTION CHUNK	FOR IopCreateArcName
; 
; START	OF FUNCTION CHUNK FOR IopVerifyDiskSignature

loc_90795C:				; CODE XREF: IopVerifyDiskSignature+13j
		cmp	esi, 1
		jnz	loc_882A5C
		cmp	byte ptr [edx+16h], 0
		jz	loc_882A5C
		push	10h		; size_t
		push	eax		; void *
		lea	eax, [edx+18h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_882A5C
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	loc_882A55
		and	[ecx], eax
		jmp	loc_882A55
; END OF FUNCTION CHUNK	FOR IopVerifyDiskSignature
; 
; START	OF FUNCTION CHUNK FOR ExInitLicenseData

loc_907998:				; CODE XREF: ExInitLicenseData+9Fj
					; ExInitLicenseData+ABj
		mov	[ebp+var_40], bl
		jmp	loc_882B37
; 

loc_9079A0:				; CODE XREF: ExInitLicenseData+14Cj
		xor	ecx, ecx
		inc	ecx
		mov	[edi+5C10h], cl
		jmp	loc_882BE1
; 

loc_9079AE:				; CODE XREF: ExInitLicenseData+187j
		push	offset _KernelLicensingCacheCorrupt
		call	ntoskrnl_24
		mov	eax, [ebp+var_1C]
		jmp	loc_882C13
; 

loc_9079C0:				; CODE XREF: ExInitLicenseData+1A7j
		mov	ecx, edi
		call	_SLUpdateLicenseDataInternal@12	; SLUpdateLicenseDataInternal(x,x,x)
		jmp	loc_882C37
; 

loc_9079CC:				; CODE XREF: ExInitLicenseData+221j
		mov	eax, [esi]
		test	eax, eax
		jz	loc_882CAD
		push	69534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_882CAD
; 

loc_9079E6:				; CODE XREF: ExInitLicenseData+22Fj
		mov	eax, [esi+5B74h]
		test	eax, eax
		jz	loc_882CBB
		shl	eax, 3
		push	eax		; size_t
		lea	eax, [esi+0Ch]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+5B74h], ebx
		jmp	loc_882CBB
; END OF FUNCTION CHUNK	FOR ExInitLicenseData
; 
; START	OF FUNCTION CHUNK FOR ExGetExpirationDate

loc_907A10:				; CODE XREF: ExGetExpirationDate+3Cj
		mov	esi, 0C000000Dh
		jmp	loc_882DB4
; 

loc_907A1A:				; CODE XREF: ExGetExpirationDate+12Fj
		mov	esi, 0C0000001h
		jmp	loc_882DAC
; 

loc_907A24:				; CODE XREF: ExGetExpirationDate+6Bj
					; ExGetExpirationDate+8Ej
		and	dword ptr [ebx], 0
		and	dword ptr [ebx+4], 0
		jmp	loc_882DB4
; END OF FUNCTION CHUNK	FOR ExGetExpirationDate
; 
; START	OF FUNCTION CHUNK FOR SLQueryLicenseValueInternal

loc_907A30:				; CODE XREF: SLQueryLicenseValueInternal+407j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+var_130]
		lea	ecx, [esi+5B80h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+var_134]
		jmp	loc_883267
; END OF FUNCTION CHUNK	FOR SLQueryLicenseValueInternal

;  S U B	R O U T	I N E 


sub_907A5C	proc near		; DATA XREF: .text:006A4B34o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-194h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_907A5C	endp


;  S U B	R O U T	I N E 


sub_907A6F	proc near		; DATA XREF: .text:006A4B38o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-194h]
		mov	[ebp-128h], esi
		xor	eax, eax
		inc	eax
		mov	[ebp-144h], eax
		mov	[ebp-122h], al
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	dword ptr [ebp-140h], 2
		mov	dword ptr [ebp-148h], offset off_A46548
		mov	eax, [ebp-178h]
		mov	[ebp-130h], eax
		mov	edi, [ebp-17Ch]
		mov	[ebp-184h], edi
		jmp	loc_88329E
sub_907A6F	endp

; 
; START	OF FUNCTION CHUNK FOR SLQueryLicenseValueInternal

loc_907AC7:				; CODE XREF: SLQueryLicenseValueInternal+457j
		lea	esi, [eax+5B80h]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_907AE2
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_907AE2:				; CODE XREF: SLQueryLicenseValueInternal+84C85j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, [ebp+var_128]
		jmp	loc_882FBC
; 

loc_907B00:				; CODE XREF: SLQueryLicenseValueInternal+472j
		mov	esi, 0C0000023h
		mov	[ebp+var_128], esi
		jmp	loc_8832CC
; END OF FUNCTION CHUNK	FOR SLQueryLicenseValueInternal

;  S U B	R O U T	I N E 


sub_907B10	proc near		; DATA XREF: .text:006A4B40o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-198h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_907B10	endp


;  S U B	R O U T	I N E 


sub_907B23	proc near		; DATA XREF: .text:006A4B44o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-198h]
		mov	[ebp-128h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		jmp	loc_8830CC
sub_907B23	endp

; 
; START	OF FUNCTION CHUNK FOR SLQueryLicenseValueInternal

loc_907B40:				; CODE XREF: SLQueryLicenseValueInternal+1C5j
		cmp	[ebp+var_150], 0
		jz	loc_88301F
		push	ebx
		push	offset dword_A418C8
		push	edi
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_88301F
		movzx	eax, word ptr [edi]
		add	eax, [ebp+var_140]
		mov	[ebp+var_134], eax
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_14C], edi
		test	edi, edi
		jnz	short loc_907B93
		mov	esi, 0C0000017h
		jmp	loc_8832E6
; 

loc_907B93:				; CODE XREF: SLQueryLicenseValueInternal+84D33j
		push	[ebp+var_134]	; size_t
		push	ebx		; int
		mov	edi, [ebp+var_14C]
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, [ebp+var_184]
		movzx	eax, word ptr [ecx]
		push	eax		; size_t
		push	dword ptr [ecx+4] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	byte ptr [ebp+var_122+1], bl
		mov	[ebp+var_122+2], offset	??_C@_1EA@KEBBLPOF@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?9?$AAS?$AAP?$AAP?$AA?9?$AAG?$AAe@FNODOBFM@
		mov	[ebp+var_11C], offset ??_C@_1DM@GNIBEDOK@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?9?$AAS?$AAP?$AAP?$AA?9?$AAA?$AAc@FNODOBFM@
		mov	[ebp+var_118], (offset loc_5A6B11+1)
		mov	[ebp+var_114], offset ??_C@_1EO@FHDGJOKE@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?9?$AAS?$AAP?$AAP?$AA?9?$AAL?$AAa@FNODOBFM@
		mov	[ebp+var_110], offset ??_C@_1CM@BIAGPLBJ@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAE?$AAx?$AAp?$AAi?$AAr?$AAa?$AAt?$AAi@FNODOBFM@
		mov	[ebp+var_10C], (offset loc_5A6AE1+1)
		mov	[ebp+var_108], offset ??_C@_1HI@LOGLGABO@?$AAT?$AAe?$AAr?$AAm?$AAi?$AAn?$AAa?$AAl?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe@FNODOBFM@
		mov	edi, ebx

loc_907C0D:				; CODE XREF: SLQueryLicenseValueInternal+84DD5j
		push	[ebp+edi*4+var_122+2] ;	wchar_t	*
		push	[ebp+var_14C]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_907C33
		inc	edi
		cmp	edi, 7
		jb	short loc_907C0D
		mov	al, byte ptr [ebp+var_122+1]
		jmp	short loc_907C35
; 

loc_907C33:				; CODE XREF: SLQueryLicenseValueInternal+84DCFj
		mov	al, 1

loc_907C35:				; CODE XREF: SLQueryLicenseValueInternal+84DDDj
		mov	edi, [ebp+var_130]
		test	al, al
		jnz	loc_883025
		lea	edx, [ebp+var_164]
		mov	ecx, edi
		call	_SLGetSubscriptionPfn@8	; SLGetSubscriptionPfn(x,x)
		push	ebx
		push	[ebp+var_168]
		push	[ebp+var_13C]
		push	[ebp+arg_8]
		push	[ebp+var_15C]
		push	[ebp+var_134]
		push	[ebp+var_14C]
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_164]
		call	ds:dword_A93E8C
		test	eax, eax
		jns	short loc_907C90
		cmp	eax, 0C0000023h
		jnz	loc_883025

loc_907C90:				; CODE XREF: SLQueryLicenseValueInternal+84E2Fj
		cmp	[ebp+arg_8], 0
		mov	esi, 0C0000023h
		jz	short loc_907C9D
		mov	esi, eax

loc_907C9D:				; CODE XREF: SLQueryLicenseValueInternal+84E45j
		mov	[ebp+var_128], esi
		mov	[ebp+var_138], esi
		mov	[ebp+var_129], bl
		jmp	loc_883025
; 

loc_907CB4:				; CODE XREF: SLQueryLicenseValueInternal+210j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	esi, [edi+5B80h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	byte ptr [edi+5C10h], 1
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_907CEC
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_907CEC:				; CODE XREF: SLQueryLicenseValueInternal+84E8Fj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, [ebp+var_128]
		mov	[ebp+var_138], esi
		jmp	loc_88306A
; 

loc_907D10:				; CODE XREF: SLQueryLicenseValueInternal+272j
		test	esi, esi
		jns	short loc_907D28
		cmp	esi, 0C0000034h
		jz	short loc_907D28
		cmp	esi, 0C0000225h
		jnz	loc_8830CC

loc_907D28:				; CODE XREF: SLQueryLicenseValueInternal+84EBEj
					; SLQueryLicenseValueInternal+84EC6j
		lea	ecx, [ebp+var_122]
		push	ecx
		push	[ebp+var_13C]
		push	[ebp+arg_8]
		push	[ebp+var_15C]
		push	[ebp+var_168]
		push	edi
		call	eax
		cmp	byte ptr [ebp+var_122],	0
		jz	loc_8830CC
		mov	esi, eax
		jmp	loc_8832E6
; 

loc_907D5B:				; CODE XREF: SLQueryLicenseValueInternal+7Bj
					; SLQueryLicenseValueInternal+83j ...
		mov	esi, 0C000000Dh
		jmp	loc_8832E6
; 

loc_907D65:				; CODE XREF: SLQueryLicenseValueInternal+27Fj
		push	ebx
		push	[ebp+var_164]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8830D9
; 

loc_907D76:				; CODE XREF: SLQueryLicenseValueInternal+28Dj
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8830E7
; END OF FUNCTION CHUNK	FOR SLQueryLicenseValueInternal

;  S U B	R O U T	I N E 


sub_907D82	proc near		; DATA XREF: .text:006A4B7Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_907D82	endp


;  S U B	R O U T	I N E 


sub_907D92	proc near		; DATA XREF: .text:006A4B80o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-1Ch]
		mov	[ebp-20h], esi
		jmp	loc_883359
sub_907D92	endp

; 
; START	OF FUNCTION CHUNK FOR ExpLoadAndSortLicensingCacheDescriptors

loc_907DA0:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+48j
		mov	[ebp+var_20], 0C000003Eh
		jmp	loc_8833FC
; 

loc_907DAC:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+5Cj
		mov	[ebp+var_20], 0C0000034h
		jmp	loc_8833FC
; END OF FUNCTION CHUNK	FOR ExpLoadAndSortLicensingCacheDescriptors

;  S U B	R O U T	I N E 


sub_907DB8	proc near		; DATA XREF: .text:006A4BA0o
		xor	ebx, ebx
		mov	esi, [ebp-2Ch]
		jmp	sub_8834FF
sub_907DB8	endp

; 
; START	OF FUNCTION CHUNK FOR ExpLoadAndSortLicensingCacheDescriptors

loc_907DC2:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+D3j
		mov	eax, [esi+5B7Ch]
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	short loc_907DF5
		mov	edi, [ebp+var_20]
		jmp	loc_883486
; 

loc_907DD7:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+F0j
		push	2
		pop	edx
		mov	ecx, esi
		call	_ExpSetLicenseTamperState@8 ; ExpSetLicenseTamperState(x,x)
		mov	eax, [ebp+var_24]
		jmp	loc_883490
; 

loc_907DE9:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+129j
		cmp	edi, 0C0000023h
		jnz	loc_8834EE

loc_907DF5:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+84A33j
		mov	[ebp+var_20], 0C000003Eh
		mov	byte ptr [esi+5C10h], 1
		mov	[ebp+var_19], 1
		jmp	loc_8834EE
; 

loc_907E0C:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+133j
		mov	eax, [ebp+var_28]
		mov	byte ptr [eax+5B78h], 1
		mov	[ebp+var_20], 0C0000034h
		jmp	loc_8834EE
; END OF FUNCTION CHUNK	FOR ExpLoadAndSortLicensingCacheDescriptors

;  S U B	R O U T	I N E 


sub_907E22	proc near		; DATA XREF: .text:006A4BACo
		mov	esi, [ebp-2Ch]
		jmp	sub_883530
sub_907E22	endp

; 
; START	OF FUNCTION CHUNK FOR sub_883530

loc_907E2A:				; CODE XREF: sub_883530+Fj
		test	al, 4
		jnz	loc_883545
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_883545
; END OF FUNCTION CHUNK	FOR sub_883530
; 
; START	OF FUNCTION CHUNK FOR ExpLoadAndSortLicensingCacheDescriptors

loc_907E3E:				; CODE XREF: ExpLoadAndSortLicensingCacheDescriptors+7Fj
		push	offset _KernelLicensingCacheCorrupt
		call	ntoskrnl_24
		jmp	loc_88341F
; END OF FUNCTION CHUNK	FOR ExpLoadAndSortLicensingCacheDescriptors
; 
; START	OF FUNCTION CHUNK FOR ExpKernelExpirationDateCacheProvider

loc_907E4D:				; CODE XREF: ExpKernelExpirationDateCacheProvider+5Aj
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		mov	eax, [ebp+var_38+2]
		lea	esi, [ebp+var_14]
		mov	ecx, [ebp+var_38]
		mov	byte ptr [ebp+var_14+2], al
		mov	edi, [ebp+var_18]
		shr	eax, 8
		mov	byte ptr [ebp+var_14+3], al
		mov	eax, [ebp+var_34]
		mov	[ebp+var_10], al
		shr	eax, 8
		mov	[ebp+var_F], al
		mov	eax, [ebp+var_34+2]
		mov	[ebp+var_E], al
		shr	eax, 8
		mov	[ebp+var_D], al
		mov	eax, [ebp+var_30]
		mov	[ebp+var_C], al
		shr	eax, 8
		mov	[ebp+var_B], al
		mov	eax, [ebp+var_30+2]
		mov	byte ptr [ebp+var_14], cl
		mov	[ebp+var_A], al
		shr	ecx, 8
		mov	byte ptr [ebp+var_14+1], cl
		shr	eax, 8
		mov	[ebp+var_9], al
		mov	eax, [ebp+var_1C]
		movsd
		movsd
		movsd
		movsd
		mov	byte ptr [eax],	1
		jmp	loc_88371A
; END OF FUNCTION CHUNK	FOR ExpKernelExpirationDateCacheProvider
; 
; START	OF FUNCTION CHUNK FOR SeCodeIntegrityGetBuildExpiryTime

loc_907EB7:				; CODE XREF: SeCodeIntegrityGetBuildExpiryTime+Cj
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		and	dword ptr [eax+4], 0
		xor	eax, eax
		pop	ebp
		retn	4
; END OF FUNCTION CHUNK	FOR SeCodeIntegrityGetBuildExpiryTime
; 
; START	OF FUNCTION CHUNK FOR ExpOsProductCacheProviderHelper

loc_907EC7:				; CODE XREF: ExpOsProductCacheProviderHelper+48j
					; ExpOsProductCacheProviderHelper+54j
		push	20534C53h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_907EE6
		mov	esi, 0C0000017h
		jmp	loc_883872
; 

loc_907EE6:				; CODE XREF: ExpOsProductCacheProviderHelper+846C2j
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		push	edi
		push	2
		push	ebx
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_907F38
		mov	eax, [ebp+arg_C]
		mov	ecx, [edi+8]
		mov	[eax], ecx
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_907F13
		mov	eax, [edi+4]
		mov	[ecx], eax

loc_907F13:				; CODE XREF: ExpOsProductCacheProviderHelper+846F4j
		mov	eax, [edi+8]
		cmp	[ebp+arg_8], eax
		jnb	short loc_907F22
		mov	esi, 0C0000023h
		jmp	short loc_907F38
; 

loc_907F22:				; CODE XREF: ExpOsProductCacheProviderHelper+84701j
		cmp	[ebp+arg_4], 0
		jz	short loc_907F38
		push	eax		; size_t
		lea	eax, [edi+0Ch]
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_907F38:				; CODE XREF: ExpOsProductCacheProviderHelper+846E5j
					; ExpOsProductCacheProviderHelper+84708j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_883872
; END OF FUNCTION CHUNK	FOR ExpOsProductCacheProviderHelper
; 
; START	OF FUNCTION CHUNK FOR IopConnectLineBasedInterrupt

loc_907F45:				; CODE XREF: IopConnectLineBasedInterrupt+ECj
		mov	esi, 0C000009Ah
		jmp	loc_86664B
; 

loc_907F4F:				; CODE XREF: IopConnectLineBasedInterrupt+192j
		mov	esi, [ebp+var_8]
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_18]

loc_907F58:				; CODE XREF: IopConnectLineBasedInterrupt+144j
		inc	ecx
		add	eax, 50h
		mov	[ebp+var_18], ecx
		mov	[ebp+var_1C], eax
		cmp	ecx, [esi]
		jb	loc_8665D9
		jmp	loc_866630
; 

loc_907F6F:				; CODE XREF: IopConnectLineBasedInterrupt+88j
					; IopConnectLineBasedInterrupt+B3j ...
		mov	esi, 0C000000Dh
		jmp	loc_86664B
; 

loc_907F79:				; CODE XREF: IopConnectLineBasedInterrupt+1BFj
		test	ebx, ebx
		jz	loc_86665D
		test	edi, edi
		jz	short loc_907FA4
		lea	edi, [ebx+0D8h]
		mov	ebx, [ebp+var_C]

loc_907F8E:				; CODE XREF: IopConnectLineBasedInterrupt+A1B07j
		mov	eax, [edi]
		add	eax, 60h
		push	eax
		call	IoDisconnectInterrupt
		lea	edi, [edi+4]
		sub	ebx, 1
		jnz	short loc_907F8E
		mov	ebx, [ebp+var_24]

loc_907FA4:				; CODE XREF: IopConnectLineBasedInterrupt+A1AEBj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86665D
; 

loc_907FB1:				; CODE XREF: IopConnectLineBasedInterrupt+29j
					; IopConnectLineBasedInterrupt+3Aj ...
		mov	eax, 0C000000Dh
		jmp	loc_86665F
; END OF FUNCTION CHUNK	FOR IopConnectLineBasedInterrupt

;  S U B	R O U T	I N E 


sub_907FBB	proc near		; CODE XREF: IoConnectInterruptEx+22j

var_1		= byte ptr -1
arg_C		= dword	ptr  14h
arg_10		= word ptr  18h

		push	ebx
		push	ebx
		call	esi
		movzx	eax, al
		push	eax
		push	1
		push	121h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_907FCF:				; CODE XREF: IoConnectInterruptEx+A0j
		sub	eax, 1
		jz	loc_8666AE
		mov	dword ptr [ebx], 3
		jmp	loc_908064
; 

loc_907FE3:				; CODE XREF: IoConnectInterruptEx+CBj
		test	dl, dl
		jnz	loc_86673D
		cmp	dword ptr [ebx+14h], 0
		mov	[esp+10h+var_1], 1
		jz	loc_866742

loc_907FFA:				; CODE XREF: IoConnectInterruptEx+ABj
					; IoConnectInterruptEx+B5j ...
		mov	eax, 0C000000Dh
		jmp	loc_866848
; 

loc_908004:				; CODE XREF: IoConnectInterruptEx+F4j
		cmp	[esp+10h+var_1], 0
		jnz	short loc_908064
		xor	eax, eax
		mov	edx, [ebx+4]
		lea	edi, [esp+10h+arg_C]
		mov	ecx, [ebx+8]
		stosd
		stosd
		stosd
		mov	eax, [esp+14h]
		mov	[esp+10h+arg_10], ax
		mov	eax, [ebx+28h]
		mov	[esp+10h+arg_C], eax
		movzx	eax, byte ptr [ebx+19h]
		push	eax
		lea	eax, [esp+14h+arg_C]
		push	eax
		movzx	eax, byte ptr [ebx+1Ah]
		push	eax
		push	dword ptr [ebx+24h]
		movzx	eax, byte ptr [ebx+18h]
		push	eax
		movzx	eax, byte ptr [ebx+20h]
		push	eax
		push	dword ptr [ebx+1Ch]
		push	dword ptr [ebx+14h]
		push	dword ptr [ebx+10h]
		push	dword ptr [ebx+0Ch]
		call	IopConnectInterruptFullySpecified
		jmp	loc_866882
; 

loc_90805C:				; CODE XREF: IoConnectInterruptEx+11Ej
					; IoConnectInterruptEx+A1A1Aj
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_908064:				; CODE XREF: IoConnectInterruptEx+6Cj
					; sub_907FBB+23j ...
		mov	eax, 0C00000BBh
		jmp	loc_866848
sub_907FBB	endp

; 
; START	OF FUNCTION CHUNK FOR IoConnectInterruptEx

loc_90806E:				; CODE XREF: IoConnectInterruptEx+148j
		test	al, al
		jz	loc_8667BA

loc_908076:				; CODE XREF: IoConnectInterruptEx+154j
					; IoConnectInterruptEx+15Ej ...
		mov	eax, [esp+88h+var_78]

loc_90807A:				; CODE XREF: IoConnectInterruptEx+13Dj
		inc	esi
		add	ecx, 50h
		cmp	esi, eax
		jb	loc_86679E
		jmp	short loc_90805C
; 

loc_908088:				; CODE XREF: IoConnectInterruptEx+1F3j
		mov	byte ptr [ebx+1Ah], 1
		jmp	loc_8667FC
; END OF FUNCTION CHUNK	FOR IoConnectInterruptEx
; 
; START	OF FUNCTION CHUNK FOR IopConnectMessageBasedInterrupt

loc_908091:				; CODE XREF: IopConnectMessageBasedInterrupt+ECj
		mov	[ebp+var_8A], 1
		jmp	loc_8669A1
; 

loc_90809D:				; CODE XREF: IopConnectMessageBasedInterrupt+149j
		mov	esi, 0C000009Ah
		jmp	loc_866B6B
; 

loc_9080A7:				; CODE XREF: IopConnectMessageBasedInterrupt+190j
		cmp	edi, 1
		jz	loc_866A1C
		cmp	edi, 2
		jz	loc_866A1C
		jmp	loc_866B43
; 

loc_9080BE:				; CODE XREF: IopConnectMessageBasedInterrupt+19Dj
		mov	byte ptr [ebp+arg_10], 0
		jmp	loc_866A34
; 

loc_9080C7:				; CODE XREF: IopConnectMessageBasedInterrupt+32Fj
		xor	edi, edi
		cmp	[ebx+4], edi
		jbe	short loc_9080E7
		lea	esi, [ebx+14h]

loc_9080D1:				; CODE XREF: IopConnectMessageBasedInterrupt+A1859j
		push	dword ptr [esi]
		call	IoDisconnectInterrupt
		inc	edi
		lea	esi, [esi+28h]
		cmp	edi, [ebx+4]
		jb	short loc_9080D1
		mov	esi, [ebp+var_90]

loc_9080E7:				; CODE XREF: IopConnectMessageBasedInterrupt+A1846j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_866B87
; 

loc_9080F4:				; CODE XREF: IopConnectMessageBasedInterrupt+6Ej
					; IopConnectMessageBasedInterrupt+7Fj ...
		mov	esi, 0C000000Dh
		jmp	loc_866B87
; END OF FUNCTION CHUNK	FOR IopConnectMessageBasedInterrupt
; 
; START	OF FUNCTION CHUNK FOR IoGetDevicePropertyData

loc_9080FE:				; CODE XREF: IoGetDevicePropertyData+20j
					; IoGetDevicePropertyData+30j ...
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_90813B
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_90813B
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_90813B:				; CODE XREF: IoGetDevicePropertyData+125B50j
					; IoGetDevicePropertyData+125B64j
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_9081D9
		mov	edx, 1F4h
		lea	edi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[edi], bx
		jz	short loc_908173
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock

loc_908173:				; CODE XREF: IoGetDevicePropertyData+125B9Ej
		mov	edx, [esi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_9081A7
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [esi+0B0h]

loc_9081A7:				; CODE XREF: IoGetDevicePropertyData+125BC4j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_9081D9
		lea	ecx, [eax+1Ch]
		cmp	[ecx], bx
		jz	short loc_9081D9
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_9081D9:				; CODE XREF: IoGetDevicePropertyData+Fj
					; IoSetDevicePropertyData+Fj ...
		push	ebx
		push	ebx
		push	esi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_9081E9:				; CODE XREF: PnpSetDevicePropertyData+72j
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_B8], offset unk_AA0000
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B8]
		push	eax
		push	[ebp+arg_0]
		call	_RtlLCIDToCultureName@8	; RtlLCIDToCultureName(x,x)
		test	al, al
		jnz	loc_883962
		mov	esi, 0C0000001h
		jmp	loc_8839DF
; END OF FUNCTION CHUNK	FOR IoGetDevicePropertyData
; 
; START	OF FUNCTION CHUNK FOR PnpSetDevicePropertyData

loc_908220:				; CODE XREF: PnpSetDevicePropertyData+5Ej
					; PnpSetDevicePropertyData+68j
		mov	esi, 0C0000010h
		jmp	loc_8839DF
; END OF FUNCTION CHUNK	FOR PnpSetDevicePropertyData
; 
; START	OF FUNCTION CHUNK FOR IopGetInterruptConnectionData

loc_90822A:				; CODE XREF: IopGetInterruptConnectionData+83j
		mov	edi, 0C000003Eh

loc_90822F:				; CODE XREF: IopGetInterruptConnectionData+74j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_866C67
; END OF FUNCTION CHUNK	FOR IopGetInterruptConnectionData
; 
; START	OF FUNCTION CHUNK FOR PnpGetDevicePropertyData

loc_90823C:				; CODE XREF: PnpGetDevicePropertyData+77j
		lea	eax, [esp+0D8h+var_B8]
		mov	[esp+0D8h+var_C8], offset unk_AA0000
		mov	[esp+0D8h+var_C4], eax
		lea	eax, [esp+0D8h+var_C8]
		push	eax
		push	[ebp+arg_0]
		call	_RtlLCIDToCultureName@8	; RtlLCIDToCultureName(x,x)
		test	al, al
		jnz	loc_7E2693
		mov	esi, 0C0000001h
		jmp	loc_7E26FF
; 

loc_90826B:				; CODE XREF: PnpGetDevicePropertyData+123j
					; PnpGetDevicePropertyData+12Fj
		push	[esp+0D8h+var_CC] ; int
		mov	edx, ebx	; void *
		mov	ecx, edi	; int
		push	[ebp+arg_8]	; int
		call	_PnpGetInterruptInformation@16 ; PnpGetInterruptInformation(x,x,x,x)
		mov	esi, eax
		jmp	loc_7E26E1
; 

loc_908282:				; CODE XREF: PnpGetDevicePropertyData+63j
					; PnpGetDevicePropertyData+6Dj
		mov	esi, 0C0000010h
		jmp	loc_7E26FF
; END OF FUNCTION CHUNK	FOR PnpGetDevicePropertyData
; 
; START	OF FUNCTION CHUNK FOR PnpSetInterruptInformation

loc_90828C:				; CODE XREF: PnpSetInterruptInformation+48j
		push	47706E50h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_883A78
; END OF FUNCTION CHUNK	FOR PnpSetInterruptInformation
; 
; START	OF FUNCTION CHUNK FOR IopConnectInterrupt

loc_90829C:				; CODE XREF: IopConnectInterrupt+8Cj
					; IopConnectInterrupt+C7j
		mov	esi, 0C000000Dh
		jmp	loc_866F40
; 

loc_9082A6:				; CODE XREF: IopConnectInterrupt+EEj
		mov	esi, 0C000009Ah
		jmp	loc_866F40
; 

loc_9082B0:				; CODE XREF: IopConnectInterrupt+13Ej
		lea	eax, [ebx+134h]
		mov	[ebp+var_14], eax
		jmp	loc_866DBA
; 

loc_9082BE:				; CODE XREF: IopConnectInterrupt+19Aj
		mov	esi, 0C000009Ah

loc_9082C3:				; CODE XREF: IopConnectInterrupt+2C4j
					; IopConnectInterrupt+A1697j
		mov	al, [ebp+var_1]
		test	al, al
		jle	short loc_9082EF
		movzx	eax, al
		lea	edi, [ebx+164h]
		mov	dword ptr [ebp+arg_14],	eax

loc_9082D6:				; CODE XREF: IopConnectInterrupt+A1677j
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_9082E4
		call	_KeFreeInterrupt@4 ; KeFreeInterrupt(x)
		mov	eax, dword ptr [ebp+arg_14]

loc_9082E4:				; CODE XREF: IopConnectInterrupt+A1664j
		add	edi, 4
		sub	eax, 1
		mov	dword ptr [ebp+arg_14],	eax
		jnz	short loc_9082D6

loc_9082EF:				; CODE XREF: IopConnectInterrupt+A1652j
		push	6E696F49h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_866F40
; 

loc_9082FF:				; CODE XREF: IopConnectInterrupt+20Dj
		lea	edx, [ebp+var_3C]
		mov	ecx, edi
		call	_IopAllocatePassiveInterruptBlock@8 ; IopAllocatePassiveInterruptBlock(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9082C3
		jmp	loc_866E89
; 

loc_908314:				; CODE XREF: IopConnectInterrupt+23Fj
		cmp	[ebp+arg_14], 0
		jnz	loc_866F38
		mov	ecx, [ebp+var_1C]
		call	_IopFindPassiveInterruptBlock@4	; IopFindPassiveInterruptBlock(x)
		test	eax, eax
		jz	loc_866F38
		lock dec dword ptr [eax+70h]
		mov	ecx, eax
		call	_IopDereferencePassiveInterruptBlock@4 ; IopDereferencePassiveInterruptBlock(x)
		jmp	loc_866F38
; 

loc_90833E:				; CODE XREF: IopConnectInterrupt+257j
					; IopConnectInterrupt+267j
		movzx	edx, word ptr [ebx+2]
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		test	ecx, ecx
		jz	short loc_90837F
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		xor	edi, edi
		add	ecx, 1Ch
		cmp	[ecx], di
		jz	short loc_908381
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		jmp	short loc_908381
; 

loc_90837F:				; CODE XREF: IopConnectInterrupt+A16D8j
		xor	edi, edi

loc_908381:				; CODE XREF: IopConnectInterrupt+A16EEj
					; IopConnectInterrupt+A1707j
		mov	eax, [ebx+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_90841F
		mov	edx, 1F4h
		lea	esi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[esi], di
		jz	short loc_9083B9
		push	2
		pop	edx
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [esi]
		mov	ecx, [esi+4]
		call	IoAddTriageDumpDataBlock

loc_9083B9:				; CODE XREF: IopConnectInterrupt+A172Cj
		mov	edx, [ebx+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], di
		jz	short loc_9083ED
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebx+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [ebx+0B0h]

loc_9083ED:				; CODE XREF: IopConnectInterrupt+A1752j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_90841F
		lea	ecx, [eax+1Ch]
		cmp	[ecx], di
		jz	short loc_90841F
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebx+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_90841F:				; CODE XREF: IopConnectInterrupt+A1716j
					; IopConnectInterrupt+A177Fj ...
		push	edi
		push	edi
		push	ebx
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_90842F:				; CODE XREF: IopDestroyActiveConnectBlock+57j
		test	eax, eax
		jnz	short loc_908436
		mov	edi, [ebx+4]

loc_908436:				; CODE XREF: IopConnectInterrupt+A17BBj
		lock dec dword ptr [ecx]
		jmp	loc_86700F
; END OF FUNCTION CHUNK	FOR IopConnectInterrupt
; 
; START	OF FUNCTION CHUNK FOR IopDestroyActiveConnectBlock

loc_90843E:				; CODE XREF: IopDestroyActiveConnectBlock+5Fj
		lea	eax, [esp+20h+var_10]
		mov	bl, 1
		mov	[esi+28h], eax
		jmp	loc_867013
; 

loc_90844C:				; CODE XREF: IopDestroyActiveConnectBlock+97j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+30h+var_10]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_86704F
; 

loc_908461:				; CODE XREF: IopDestroyActiveConnectBlock+9Fj
		push	0
		push	0
		push	edi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_86704F
; 

loc_908470:				; CODE XREF: IopDestroyActiveConnectBlock+10Fj
		mov	ecx, [eax+0Ch]
		mov	[edi+0Ch], ecx
		mov	ecx, [eax+10h]
		mov	[edi+10h], ecx
		mov	eax, [eax+10h]
		lock inc dword ptr [eax]
		jmp	loc_8670C8
; END OF FUNCTION CHUNK	FOR IopDestroyActiveConnectBlock
; 
; START	OF FUNCTION CHUNK FOR PnpTraceInterruptConnection

loc_908487:				; CODE XREF: PnpTraceInterruptConnection+3Aj
		lea	eax, [esp+78h+var_68]
		mov	[esp+78h+var_64], esi
		mov	[esp+78h+var_38], eax
		xor	ecx, ecx
		lea	eax, [esp+0Fh]
		mov	[esp+78h+var_34], esi
		push	8
		pop	edx
		mov	[esp+78h+var_28], eax
		inc	ecx
		lea	eax, [esp+78h+var_60]
		mov	[esp+78h+var_68], ecx
		mov	[esp+78h+var_18], eax
		lea	eax, [esp+78h+var_58]
		push	eax
		push	5
		mov	[esp+80h+var_30], edx
		mov	[esp+80h+var_20], ecx
		mov	[esp+80h+var_10], edx
		mov	edx, offset loc_41C336
		push	ecx
		mov	ecx, edi
		mov	[esp+84h+var_2C], esi
		mov	[esp+84h+var_69], bl
		mov	[esp+84h+var_24], esi
		mov	[esp+84h+var_1C], esi
		mov	[esp+84h+var_60], 1000000h
		mov	[esp+84h+var_5C], esi
		mov	[esp+84h+var_14], esi
		mov	[esp+84h+var_C], esi
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)
		jmp	loc_867176
; END OF FUNCTION CHUNK	FOR PnpTraceInterruptConnection
; 
; START	OF FUNCTION CHUNK FOR MiSessionCreate

loc_9084FA:				; CODE XREF: MiSessionCreate+57j
					; MiSessionCreate+77j ...
		mov	edi, 0C000009Ah
		jmp	loc_86730E
; END OF FUNCTION CHUNK	FOR MiSessionCreate
; 
; START	OF FUNCTION CHUNK FOR MiSessionObjectCreate

loc_908504:				; CODE XREF: MiSessionObjectCreate+A123Aj
		mov	ecx, esi
		call	ObfDereferenceObject

loc_90850B:				; CODE XREF: MiSessionObjectCreate+88j
		mov	eax, 0C000009Ah
		jmp	loc_86753C
; 

loc_908515:				; CODE XREF: MiSessionObjectCreate+F7j
		push	ebx

loc_908516:				; CODE XREF: MiSessionObjectCreate+9Cj
					; MiSessionObjectCreate+BDj
		push	esi

loc_908517:				; CODE XREF: MiSessionObjectCreate+DFj
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_86753C
; 

loc_908523:				; CODE XREF: MiSessionObjectCreate+12Fj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86753A
; 

loc_908530:				; CODE XREF: MiSessionObjectCreate+1CCj
		cmp	[edi+8], ebx
		jz	loc_8674EA
		call	_KeGetSchedulingGroupSize@0 ; KeGetSchedulingGroupSize()
		push	ebx
		push	48h
		mov	edx, 70724753h
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[esi+14h], eax
		test	eax, eax
		jz	short loc_908504
		push	5
		pop	ecx
		mov	[ebp+var_110], ebx
		xor	edx, edx
		mov	word ptr [ebp+var_110],	cx
		mov	ecx, eax
		push	ebx
		push	[ebp+var_110]
		call	KeInsertSchedulingGroup
		jmp	loc_8674EA
; END OF FUNCTION CHUNK	FOR MiSessionObjectCreate
; 
; START	OF FUNCTION CHUNK FOR MiInitializeSystemWorkingSetList

loc_908579:				; CODE XREF: MiInitializeSystemWorkingSetList+67j
		mov	edx, [ebp+var_8]
		shl	edi, 8
		add	edx, 10A4h
		add	edx, ecx
		mov	eax, dword_6D3690[edi]
		jmp	loc_867637
; END OF FUNCTION CHUNK	FOR MiInitializeSystemWorkingSetList
; 
; START	OF FUNCTION CHUNK FOR MiInitializeDynamicBitmap

loc_908592:				; CODE XREF: MiInitializeDynamicBitmap+BBj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_9085D2
		xor	eax, eax
		inc	eax
		cmp	byte ptr word_6D07B8+1,	0
		mov	[ebp+arg_4], eax
		jnz	loc_867740

loc_9085AE:				; CODE XREF: MiInitializeDynamicBitmap+A0F6Cj
		mov	ecx, [ebp+var_4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		mov	eax, [ebp+arg_4]
		jz	loc_867740
		mov	edx, [ebp+var_8]
		mov	ebx, ecx
		or	edx, 80000000h
		jmp	loc_867740
; 

loc_9085D2:				; CODE XREF: MiInitializeDynamicBitmap+A0F1Dj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_9085AE
		jmp	loc_86773D
; 

loc_9085EF:				; CODE XREF: MiInitializeDynamicBitmap+CCj
		push	edx
		push	ebx
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_86774E
; END OF FUNCTION CHUNK	FOR MiInitializeDynamicBitmap
; 
; START	OF FUNCTION CHUNK FOR MiMapNewSession

loc_9085FD:				; CODE XREF: MiMapNewSession+E3j
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_908648
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_90862C
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	short loc_90864A

loc_90861B:				; CODE XREF: MiMapNewSession+A0A8Cj
		mov	eax, edi
		and	eax, 1
		or	eax, esi
		jz	short loc_90864A
		or	edx, 80000000h
		jmp	short loc_90864A
; 

loc_90862C:				; CODE XREF: MiMapNewSession+A0A55j
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_90861B
		jmp	short loc_90864A
; 

loc_908648:				; CODE XREF: MiMapNewSession+A0A4Cj
		mov	ecx, esi

loc_90864A:				; CODE XREF: MiMapNewSession+A0A61j
					; MiMapNewSession+A0A6Aj ...
		mov	[ebx+4], edx
		nop
		mov	[ebx], edi
		test	ecx, ecx
		jz	loc_867CA8
		push	edx
		push	edi
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_867CA8
; 

loc_908666:				; CODE XREF: MiMapNewSession+22Bj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_908685
		cmp	byte ptr word_6D07B8+1,	0
		mov	[ebp+var_1C], 1
		jnz	loc_867DE9
		jmp	short loc_9086A1
; 

loc_908685:				; CODE XREF: MiMapNewSession+A0AB5j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_867DE9

loc_9086A1:				; CODE XREF: MiMapNewSession+A0ACBj
		mov	ecx, [ebp+var_4]
		mov	eax, ecx
		and	eax, 1
		or	eax, esi
		jz	loc_867DE9
		mov	edx, [ebp+var_8]
		mov	edi, ecx
		or	edx, 80000000h
		jmp	loc_867DE9
; 

loc_9086C1:				; CODE XREF: MiMapNewSession+199j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_9086DC
		xor	edx, edx
		inc	edx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	loc_867D57
		jmp	short loc_9086F8
; 

loc_9086DC:				; CODE XREF: MiMapNewSession+A0B10j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_867D57

loc_9086F8:				; CODE XREF: MiMapNewSession+A0B22j
		mov	eax, ebx
		and	eax, 1
		or	eax, esi
		jz	loc_867D57
		or	edi, 80000000h
		jmp	loc_867D57
; 

loc_908710:				; CODE XREF: MiMapNewSession+1A7j
		push	edi
		push	ebx
		mov	ebx, [ebp+var_10]
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_867D68
; END OF FUNCTION CHUNK	FOR MiMapNewSession
; 
; START	OF FUNCTION CHUNK FOR MiInitializeSessionGlobals

loc_908721:				; CODE XREF: MiInitializeSessionGlobals+22j
		mov	eax, 0C0000021h
		jmp	loc_867E41
; 

loc_90872B:				; CODE XREF: MiInitializeSessionGlobals+40j
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_90878C
		dec	word ptr [edi+13Eh]
		nop
		mov	esi, offset dword_6D05C8
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		cmp	dword ptr [eax+1F4h], 0
		jnz	short loc_90876A
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, ebx
		mov	[eax+1F4h], ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_90876A:				; CODE XREF: MiInitializeSessionGlobals+A094Aj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_90877E
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_90877E:				; CODE XREF: MiInitializeSessionGlobals+A0969j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_90878C:				; CODE XREF: MiInitializeSessionGlobals+A0926j
		mov	ecx, ebx
		call	_MmIsSessionLeaderProcess@4 ; MmIsSessionLeaderProcess(x)
		test	eax, eax
		jnz	loc_867E3F
		jmp	short loc_9087CB
; 

loc_90879D:				; CODE XREF: MiInitializeSessionGlobals+63j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9087B1
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9087B1:				; CODE XREF: MiInitializeSessionGlobals+A099Cj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	dword_6D05C4, ebx
		jz	loc_867E3F

loc_9087CB:				; CODE XREF: MiInitializeSessionGlobals+A098Fj
		mov	eax, 0C000001Ch
		jmp	loc_867E41
; 

loc_9087D5:				; CODE XREF: MiInitializeSessionGlobals+76j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9087E9
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9087E9:				; CODE XREF: MiInitializeSessionGlobals+A09D4j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, 0C000009Ah
		jmp	loc_867E41
; 

loc_908801:				; CODE XREF: MiInitializeSessionGlobals+CAj
		test	al, 4
		jnz	loc_867EDC
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_867EDC
; END OF FUNCTION CHUNK	FOR MiInitializeSessionGlobals
; 
; START	OF FUNCTION CHUNK FOR _PnpDeviceRaisePropertyChangeEventWorker

loc_908815:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+77j
		push	10h		; size_t
		push	offset _DEVPKEY_Device_RestrictedSD ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_867F8D
		jmp	loc_8680F2
; 

loc_908832:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+158j
					; _PnpDeviceRaisePropertyChangeEventWorker+188j
		and	[esp+0C4h+var_B0], 0
		lea	eax, [esp+0C4h+var_B0]
		push	eax
		push	1
		push	5
		push	0
		push	esi
		call	edi
		jmp	loc_867FF2
; 

loc_90884A:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+22Aj
		mov	[esp+0C4h+var_8C], ebx
		mov	[esp+0C4h+var_88], offset off_4015A0
		mov	[esp+0C4h+var_84], 1
		jmp	loc_868140
; 

loc_908863:				; CODE XREF: _PnpDeviceRaisePropertyChangeEventWorker+25Aj
		lea	eax, [esp+0C4h+var_B0]
		mov	[esp+0C4h+var_B0], ebx
		push	eax
		push	1
		push	3
		push	ebx
		push	esi
		call	edi
		jmp	loc_868016
; END OF FUNCTION CHUNK	FOR _PnpDeviceRaisePropertyChangeEventWorker
; 
; START	OF FUNCTION CHUNK FOR IopErrorLogThread

loc_908879:				; CODE XREF: IopErrorLogThread+8Aj
		mov	ecx, [esp+650h+var_638]
		jmp	loc_8682D6
; 

loc_908882:				; CODE XREF: IopErrorLogThread+A6j
		and	[esp+650h+var_640], 0
		lea	eax, [esp+650h+var_640]
		push	eax
		push	108h
		lea	eax, [esp+658h+var_618]
		push	eax
		push	edi
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		test	eax, eax
		js	short loc_9088B9
		cmp	[esp+650h+var_640], 0
		jz	short loc_9088B9
		mov	eax, [esp+650h+var_618]
		mov	ecx, [esp+650h+var_614]
		mov	[esp+650h+var_63C], eax
		mov	[esp+650h+var_638], ecx
		jmp	short loc_9088D3
; 

loc_9088B9:				; CODE XREF: IopErrorLogThread+A0666j
					; IopErrorLogThread+A066Dj
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		lea	eax, [esp+654h+var_63C]
		jmp	short loc_9088C9
; 

loc_9088C4:				; CODE XREF: IopErrorLogThread+78j
		push	offset ??_C@_1CE@DLCIFMKP@?$AAA?$AAp?$AAp?$AAl?$AAi?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AA?5?$AAP?$AAo?$AAp@NNGAKEGL@

loc_9088C9:				; CODE XREF: IopErrorLogThread+A068Aj
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [esp+650h+var_638]

loc_9088D3:				; CODE XREF: IopErrorLogThread+A067Fj
		mov	dx, word ptr [esp+650h+var_63C]
		test	dx, dx
		jz	loc_868317
		jmp	loc_8682E4
; 

loc_9088E6:				; CODE XREF: IopErrorLogThread+F5j
		lea	ecx, [esp+650h+var_640]
		push	ecx
		push	108h
		lea	ecx, [esp+658h+var_510]
		push	ecx
		push	eax
		jmp	short loc_908926
; 

loc_9088FB:				; CODE XREF: IopErrorLogThread+A06FBj
		cmp	[esp+660h+var_651], 0
		jnz	short loc_908935
		mov	edx, [esp+660h+var_650]
		xor	ecx, ecx
		inc	ecx
		call	sub_610570
		mov	edi, eax
		test	edi, edi
		jz	short loc_908935
		lea	eax, [esp+660h+var_650]
		mov	[esp+660h+var_651], 1
		push	eax
		push	[esp+664h+var_650]
		push	edi
		push	dword ptr [ebx+8]

loc_908926:				; CODE XREF: IopErrorLogThread+A06C1j
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000004h
		jz	short loc_9088FB

loc_908935:				; CODE XREF: IopErrorLogThread+A06C8j
					; IopErrorLogThread+A06DAj
		test	esi, esi
		js	loc_868333
		cmp	[esp+660h+var_650], 0
		jz	loc_868333
		mov	eax, [edi]
		mov	[esp+660h+var_63C], eax
		mov	ecx, [edi+4]
		mov	[esp+660h+var_638], ecx
		jmp	loc_868346
; 

loc_90895A:				; CODE XREF: IopErrorLogThread+16Aj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8683A8
; 

loc_908967:				; CODE XREF: IopErrorLogThread+17Cj
					; IopErrorLogThread+187j
		lea	eax, [esp+650h+var_408]
		push	offset ??_C@_19ENNDBEJL@?$AAN?$AAT?$AAF?$AAS@NNGAKEGL@ ; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_8683C5
		movzx	eax, word ptr [edi+2Ch]
		lea	ecx, [edi+50h]
		sub	[edi+2], ax
		mov	[esp+650h+var_634], eax
		mov	[esp+650h+var_630], ecx
		jmp	loc_8683CD
; 

loc_90899B:				; CODE XREF: IopErrorLogThread+1BDj
		mov	ecx, ebx
		call	_IopErrorLogRequeueEntry@4 ; IopErrorLogRequeueEntry(x)
		call	_IopErrorLogQueueRequest@0 ; IopErrorLogQueueRequest()
		jmp	loc_868432
; END OF FUNCTION CHUNK	FOR IopErrorLogThread
; 
; START	OF FUNCTION CHUNK FOR EtwWriteErrorLogEntry

loc_9089AC:				; CODE XREF: EtwWriteErrorLogEntry+147j
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_7C], eax
		movzx	eax, cx
		push	6
		mov	[ebp+var_78], edx
		mov	[ebp+var_74], eax
		mov	[ebp+var_70], edx
		pop	esi
		jmp	loc_86859D
; 

loc_9089C6:				; CODE XREF: EtwWriteErrorLogEntry+168j
		mov	edx, edi
		mov	[ebp+var_25C], edx
		mov	[ebp+var_26C], edx
		jmp	loc_8685BE
; 

loc_9089D9:				; CODE XREF: EtwWriteErrorLogEntry+17Dj
		mov	[ebx+6], dx
		jmp	loc_8685D3
; 

loc_9089E2:				; CODE XREF: EtwWriteErrorLogEntry+3A5j
		mov	ecx, 0FFFFh
		add	[ebx+4], cx
		jmp	loc_8687FB
; END OF FUNCTION CHUNK	FOR EtwWriteErrorLogEntry
; 
; START	OF FUNCTION CHUNK FOR RtlQueryModuleInformation

loc_9089F0:				; CODE XREF: RtlQueryModuleInformation+49j
		cmp	[ebp+arg_4], 4
		jz	short loc_908A00
		mov	eax, 0C00000F0h
		jmp	loc_8689CB
; 

loc_908A00:				; CODE XREF: RtlQueryModuleInformation+A0176j
		test	bl, 3
		jz	loc_8688E5
		mov	eax, 0C00000F1h
		jmp	loc_8688DD
; 

loc_908A13:				; CODE XREF: RtlQueryModuleInformation+16Aj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8689EE
; 

loc_908A20:				; CODE XREF: RtlQueryModuleInformation+D8j
		mov	eax, [edx-12h]
		mov	[ecx+edi*4], eax
		jmp	loc_868992
; END OF FUNCTION CHUNK	FOR RtlQueryModuleInformation
; 
; START	OF FUNCTION CHUNK FOR PopConnectedStandbySettingCallback

loc_908A2B:				; CODE XREF: PopConnectedStandbySettingCallback+32j
		xor	ebx, ebx
		cmp	_PopMonitorOffDueToSleep, bl
		jz	short loc_908A44
		mov	_PopMonitorOffDueToSleep, bl
		test	eax, eax
		jz	short loc_908A56
		jmp	loc_868BC3
; 

loc_908A44:				; CODE XREF: PopConnectedStandbySettingCallback+9FEADj
		cmp	dword_6C26C4, ebx
		jnz	short loc_908A63
		cmp	_PopHiberBootForceMonitorOff, bl
		jnz	short loc_908A63
		test	eax, eax

loc_908A56:				; CODE XREF: PopConnectedStandbySettingCallback+9FEB7j
		setnz	cl
		call	_PopFanUpdateCsState@4 ; PopFanUpdateCsState(x)
		jmp	loc_868BC3
; 

loc_908A63:				; CODE XREF: PopConnectedStandbySettingCallback+9FEC4j
					; PopConnectedStandbySettingCallback+9FECCj
		mov	_PopMonitorOffDueToSleep, 1
		jmp	loc_868BCA
; END OF FUNCTION CHUNK	FOR PopConnectedStandbySettingCallback
; 
; START	OF FUNCTION CHUNK FOR PoRegisterPowerSettingCallback

loc_908A6F:				; CODE XREF: PoRegisterPowerSettingCallback+24Cj
		mov	eax, offset _PopPrimaryDisplayVisibleStateErratum
		mov	[esp+248h+var_230], eax
		jmp	loc_7E27EC
; 

loc_908A7D:				; CODE XREF: PoRegisterPowerSettingCallback+A3j
		mov	esi, 0C000009Ah
		jmp	loc_7E28CA
; 

loc_908A87:				; CODE XREF: PoRegisterPowerSettingCallback+D8j
		mov	ecx, esi
		call	_PopEnsureErratumSubscribed@4 ;	PopEnsureErratumSubscribed(x)
		lea	eax, [esi+8]
		mov	[esp+248h+var_23C], eax
		jmp	loc_7E2848
; END OF FUNCTION CHUNK	FOR PoRegisterPowerSettingCallback
; 
; START	OF FUNCTION CHUNK FOR PopBatteryWorker

loc_908A9A:				; CODE XREF: PopBatteryWorker+ABj
		push	dword ptr [esi-4]
		call	IoCancelIrp
		mov	esi, [esi]
		jmp	loc_868DDB
; 

loc_908AA9:				; CODE XREF: PopBatteryWorker+B9j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esi+8]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esi]
		jmp	loc_868DE9
; 

loc_908ABD:				; CODE XREF: PopBatteryWorker+F0j
		mov	byte ptr [esp+13h], 1
		jmp	loc_868E28
; 

loc_908AC7:				; CODE XREF: PopBatteryWorker+100j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		push	edi
		push	edi
		push	edi
		mov	dword_6C2654, eax
		mov	al, byte_6C264C
		push	edi
		mov	byte ptr [esp+2C8h+var_2A0], al
		lea	eax, [esp+2C8h+var_2A0]
		push	1
		push	eax
		push	offset _WNF_PO_RECONCILED_WEAK_CHARGER
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		cmp	dword_6C2654, 0
		jz	short loc_908B16
		mov	dword_6C2654, edi

loc_908B16:				; CODE XREF: PopBatteryWorker+9FDDCj
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_868E38
; 

loc_908B29:				; CODE XREF: PopBatteryWorker+112j
		mov	[esp+2B8h+var_2A4], ebx

loc_908B2D:				; CODE XREF: PopBatteryWorker+9FE55j
		mov	esi, [eax]
		lea	edi, [eax-20h]
		cmp	dword ptr [edi+38h], 2
		jnz	short loc_908B7E
		cmp	[esi+4], eax
		jnz	loc_908FA0
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_908FA0
		mov	[ecx], esi
		mov	[esi+4], ecx
		mov	ecx, edi
		and	dword ptr [eax], 0
		dec	dword_6C252C
		inc	dword_6C257C
		mov	byte_6C2530, 1
		call	_PopBatteryReadTag@4 ; PopBatteryReadTag(x)
		test	eax, eax
		jns	short loc_908B79
		mov	ecx, edi
		call	_PopBatteryWaitTag@4 ; PopBatteryWaitTag(x)

loc_908B79:				; CODE XREF: PopBatteryWorker+9FE3Ej
		mov	byte ptr [esp+2B8h+var_2A4], 1

loc_908B7E:				; CODE XREF: PopBatteryWorker+9FE04j
		mov	edi, offset dword_6C253C
		mov	eax, esi
		cmp	esi, edi
		jnz	short loc_908B2D
		jmp	loc_868E4A
; 

loc_908B8E:				; CODE XREF: PopBatteryWorker+125j
		cmp	dword ptr [esi+38h], 1
		jnz	short loc_908BBC
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esi+28h]
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, esi
		call	_PopBatteryInitialize@4	; PopBatteryInitialize(x)
		test	eax, eax
		js	short loc_908BB5
		mov	byte ptr [esp+2B8h+var_2A4], 1
		jmp	short loc_908BBC
; 

loc_908BB5:				; CODE XREF: PopBatteryWorker+9FE7Aj
		mov	ecx, esi
		call	_PopBatteryWaitTag@4 ; PopBatteryWaitTag(x)

loc_908BBC:				; CODE XREF: PopBatteryWorker+9FE60j
					; PopBatteryWorker+9FE81j
		mov	esi, [esi]
		jmp	loc_868E55
; 

loc_908BC3:				; CODE XREF: PopBatteryWorker+133j
					; PopBatteryWorker+9FF43j
		lea	esi, [ebx+44h]
		mov	dl, 1
		lea	edi, [esp+2B8h+var_214]
		movsd
		movsd
		movsd
		movsd
		lea	esi, [ebx-20h]
		mov	ecx, esi	; char
		call	_PopBatteryQueryStatus@8 ; PopBatteryQueryStatus(x,x)
		test	eax, eax
		jns	short loc_908BF2
		xor	ecx, ecx
		mov	dword ptr [ebx+18h], 2
		inc	ecx
		call	_PopBatteryQueueWork@4 ; PopBatteryQueueWork(x)
		jmp	short loc_908C6D
; 

loc_908BF2:				; CODE XREF: PopBatteryWorker+9FEADj
		mov	ecx, esi
		call	_PopAccountBatteryEnergyChange@4 ; PopAccountBatteryEnergyChange(x)
		mov	edx, [ebx+44h]
		mov	eax, edx
		xor	eax, [esp+2B8h+var_214]
		test	al, 7
		jz	short loc_908C10
		mov	[esp+2B8h+var_2A7], 1
		jmp	short loc_908C2D
; 

loc_908C10:				; CODE XREF: PopBatteryWorker+9FED5j
		mov	eax, [esp+2B8h+var_210]
		cmp	eax, [ebx+48h]
		jnz	short loc_908C28
		mov	eax, [esp+2B8h+var_208]
		cmp	eax, [ebx+50h]
		jz	short loc_908C2D

loc_908C28:				; CODE XREF: PopBatteryWorker+9FEE8j
		mov	byte ptr [esp+13h], 1

loc_908C2D:				; CODE XREF: PopBatteryWorker+9FEDCj
					; PopBatteryWorker+9FEF4j
		or	eax, 0FFFFFFFFh
		test	dl, 2
		jz	short loc_908C41
		xor	edx, edx
		mov	ecx, esi
		call	_PopBatteryQueryEstimatedTime@8	; PopBatteryQueryEstimatedTime(x,x)
		mov	edx, [ebx+44h]

loc_908C41:				; CODE XREF: PopBatteryWorker+9FF01j
		lea	ecx, [eax+1]
		mov	[ebx+54h], eax
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		push	ecx
		push	dword ptr [ebx+50h]
		push	dword ptr [ebx+4Ch]
		push	dword ptr [ebx+48h]
		push	edx
		push	esi		; char
		push	offset ??_C@_0HO@MIEEEJEB@?6Battery?5Status?5?$FL?$CFp?$FN?6?$HM?9?9?5PowerS@NNGAKEGL@ ; char *
		push	3		; int
		push	92h		; int
		call	_DbgPrintEx
		add	esp, 24h

loc_908C6D:				; CODE XREF: PopBatteryWorker+9FEBEj
		mov	ebx, [ebx]
		cmp	ebx, offset dword_6C253C
		jnz	loc_908BC3
		jmp	loc_868E6B
; 

loc_908C80:				; CODE XREF: PopBatteryWorker+13Ej
		call	_PopBatteryUpdateCompositeInformation@0	; PopBatteryUpdateCompositeInformation()
		xor	ebx, ebx
		mov	al, 1
		mov	[esp+2B8h+var_2A7], al
		mov	_PopMaxChargeRate, ebx
		mov	dword_6FE094, ebx
		jmp	loc_868E7C
; 

loc_908C9E:				; CODE XREF: PopBatteryWorker+1AAj
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		test	edx, edx
		jnz	short loc_908CB4
		cmp	eax, 11E1A300h
		jb	loc_868EE2

loc_908CB4:				; CODE XREF: PopBatteryWorker+9FF75j
		mov	[esp+2B8h+var_280], 1
		jmp	loc_868EE2
; 

loc_908CC1:				; CODE XREF: PopBatteryWorker+198j
		mov	ecx, dword_6C253C
		mov	ebx, [esp+2B8h+var_278]

loc_908CCB:				; CODE XREF: PopBatteryWorker+A0021j
		mov	eax, offset dword_6C253C
		cmp	ecx, eax
		jz	loc_908D58
		mov	eax, [ecx+44h]
		mov	edx, eax
		and	edx, 7Fh
		and	eax, 0Ah
		or	edx, ebx
		mov	ebx, edx
		mov	[esp+2B8h+var_278], ebx
		cmp	al, 0Ah
		jnz	short loc_908CF6
		or	ebx, 8
		mov	[esp+2B8h+var_278], ebx

loc_908CF6:				; CODE XREF: PopBatteryWorker+9FFBBj
		mov	edx, [ecx+48h]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_908D15
		mov	eax, [esp+2B8h+var_2A4]
		inc	eax
		neg	eax
		sbb	eax, eax
		and	eax, [esp+2B8h+var_2A4]
		add	eax, edx
		mov	[esp+2B8h+var_2A4], eax
		mov	[esp+2B8h+var_274], eax

loc_908D15:				; CODE XREF: PopBatteryWorker+9FFCAj
		mov	edx, [ecx+4Ch]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_908D34
		lea	eax, [esi+1]
		neg	eax
		sbb	eax, eax
		and	esi, eax
		mov	[esp+2B8h+var_270], esi
		cmp	edx, esi
		jbe	short loc_908D34
		mov	esi, edx
		mov	[esp+2B8h+var_270], esi

loc_908D34:				; CODE XREF: PopBatteryWorker+9FFE9j
					; PopBatteryWorker+9FFFAj
		mov	edx, [ecx+50h]
		cmp	edx, 80000000h
		jz	short loc_908D51
		lea	eax, [edi-80000000h]
		neg	eax
		sbb	eax, eax
		and	edi, eax
		add	edi, edx
		mov	[esp+2B8h+var_26C], edi

loc_908D51:				; CODE XREF: PopBatteryWorker+A000Bj
		mov	ecx, [ecx]
		jmp	loc_908CCB
; 

loc_908D58:				; CODE XREF: PopBatteryWorker+9FFA0j
		mov	[esp+2B8h+var_2A4], ebx
		test	bl, 2
		jz	short loc_908D6C
		and	ebx, 0FFFFFFFBh
		mov	[esp+2B8h+var_2A4], ebx
		mov	[esp+2B8h+var_278], ebx

loc_908D6C:				; CODE XREF: PopBatteryWorker+A002Dj
		test	bl, 1
		jnz	short loc_908DE8
		mov	ecx, dword_6C253C
		xor	edi, edi
		cmp	ecx, eax
		jz	loc_868EE2

loc_908D81:				; CODE XREF: PopBatteryWorker+A0071j
		mov	esi, [ecx+54h]
		cmp	esi, 0FFFFFFFFh
		jz	short loc_908D9F
		test	esi, esi
		jz	short loc_908D9F
		imul	eax, [ecx+48h],	0E10h
		xor	edx, edx
		div	esi
		sub	edi, eax
		mov	eax, offset dword_6C253C

loc_908D9F:				; CODE XREF: PopBatteryWorker+A0055j
					; PopBatteryWorker+A0059j
		mov	ecx, [ecx]
		cmp	ecx, eax
		jnz	short loc_908D81
		test	edi, edi
		jz	loc_868EE2
		mov	esi, dword_6C253C
		mov	ebx, [esp+2B8h+var_284]

loc_908DB7:				; CODE XREF: PopBatteryWorker+A00A7j
		lea	ecx, [esi-20h]
		mov	edx, edi
		call	_PopBatteryQueryEstimatedTime@8	; PopBatteryQueryEstimatedTime(x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_908DD1
		lea	ecx, [ebx+1]
		neg	ecx
		sbb	ecx, ecx
		and	ebx, ecx
		add	ebx, eax

loc_908DD1:				; CODE XREF: PopBatteryWorker+A0092j
		mov	esi, [esi]
		cmp	esi, offset dword_6C253C
		jnz	short loc_908DB7
		mov	[esp+2B8h+var_284], ebx
		mov	ebx, [esp+2B8h+var_2A4]
		jmp	loc_868EE2
; 

loc_908DE8:				; CODE XREF: PopBatteryWorker+A003Dj
		test	bl, 4
		jz	loc_868EE2
		call	_PopEstimateChargeTime@0 ; PopEstimateChargeTime()
		mov	[esp+2B8h+var_268], eax
		mov	[esp+2B8h+var_264], edx
		jmp	loc_868EE2
; 

loc_908E03:				; CODE XREF: PopBatteryWorker+1BFj
		test	al, al
		jz	short loc_908E14
		jmp	loc_868EF7
; 

loc_908E0C:				; CODE XREF: PopBatteryWorker+1C8j
		test	al, al
		jz	loc_868F00

loc_908E14:				; CODE XREF: PopBatteryWorker+A00D3j
		mov	[esp+2B8h+var_280], 1
		jmp	loc_868F00
; 

loc_908E21:				; CODE XREF: PopBatteryWorker+1DDj
		push	0
		push	0
		push	0
		push	0
		push	1
		lea	eax, [esp+2CCh+var_2A6]
		test	ecx, ecx
		push	eax
		push	(offset	loc_42546B+1)
		setnz	[esp+2D4h+var_2A6]
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		cmp	dword_6B23F8, 5
		jbe	loc_868F15
		mov	cl, [esp+2B8h+var_2A6]
		and	[esp+2B8h+var_54], 0
		and	[esp+2B8h+var_4C], 0
		and	[esp+2B8h+var_44], 0
		and	[esp+2B8h+var_3C], 0
		push	4
		mov	byte ptr [esp+2BCh+var_299], cl
		lea	ecx, [esp+2BCh+var_299]
		mov	[esp+2BCh+var_230], eax
		lea	eax, [esp+2BCh+var_230]
		mov	[esp+2BCh+var_58], ecx
		pop	ecx
		mov	[esp+2B8h+var_48], eax
		lea	eax, [esp+2B8h+var_78]
		push	eax
		push	ecx
		push	0
		push	0
		push	offset loc_41FDA5
		push	offset dword_6B23F8
		mov	[esp+2D0h+var_50], 1
		mov	[esp+2D0h+var_40], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_868F15
; 

loc_908ECC:				; CODE XREF: PopBatteryWorker+1EBj
		xor	ebx, ebx
		test	eax, eax
		setnz	bl
		inc	ebx
		jmp	loc_868F25
; 

loc_908ED9:				; CODE XREF: PopBatteryWorker+1F9j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset dword_6C2650
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	ecx, ecx
		mov	dword_6C2654, eax
		mov	eax, ebx
		sub	eax, ecx
		jz	short loc_908F38
		sub	eax, 1
		jz	short loc_908F25
		sub	eax, 1
		jnz	short loc_908F78
		cmp	dword_6C2648, 1
		jnz	short loc_908F78
		mov	byte ptr [esp+2B8h+var_299+1], cl
		lea	eax, [esp+2B8h+var_299+1]
		jmp	short loc_908F65
; 

loc_908F25:				; CODE XREF: PopBatteryWorker+A01D9j
		cmp	byte_6C264C, cl
		jnz	short loc_908F78
		mov	byte ptr [esp+2B8h+var_294], 1
		lea	eax, [esp+2B8h+var_294]
		jmp	short loc_908F65
; 

loc_908F38:				; CODE XREF: PopBatteryWorker+A01D4j
		cmp	byte_6C264C, cl
		jnz	short loc_908F53
		cmp	dword_6C2648, 1
		jnz	short loc_908F78
		mov	byte ptr [esp+2B8h+var_290], cl
		lea	eax, [esp+2B8h+var_290]
		jmp	short loc_908F65
; 

loc_908F53:				; CODE XREF: PopBatteryWorker+A020Cj
		cmp	dword_6C2648, 2
		jnz	short loc_908F78
		mov	byte ptr [esp+2B8h+var_28C], 1
		lea	eax, [esp+2B8h+var_28C]

loc_908F65:				; CODE XREF: PopBatteryWorker+A01F1j
					; PopBatteryWorker+A0204j ...
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	1
		push	eax
		push	offset _WNF_PO_RECONCILED_WEAK_CHARGER
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		xor	ecx, ecx

loc_908F78:				; CODE XREF: PopBatteryWorker+A01DEj
					; PopBatteryWorker+A01E7j ...
		cmp	dword_6C2654, 0
		jz	short loc_908F87
		mov	dword_6C2654, ecx

loc_908F87:				; CODE XREF: PopBatteryWorker+A024Dj
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	dword_6C2648, ebx
		jmp	loc_868F36
; 

loc_908FA0:				; CODE XREF: PopBatteryWorker+9FE09j
					; PopBatteryWorker+9FE14j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_908FA5:				; CODE XREF: PopBatteryWorker+270j
		lea	ecx, [esi-20h]	; char
		xor	dl, dl
		call	_PopBatteryQueryStatus@8 ; PopBatteryQueryStatus(x,x)
		mov	esi, [esi]
		jmp	loc_868F9C
; 

loc_908FB6:				; CODE XREF: PopBatteryWorker+29Ej
		call	_PopBatteryEstimatesSpoiled@0 ;	PopBatteryEstimatesSpoiled()
		test	al, al
		jnz	loc_868FD6
		mov	eax, edi
		jmp	loc_868FDC
; 

loc_908FCA:				; CODE XREF: PopBatteryWorker+2D1j
		push	9
		pop	ecx
		mov	eax, dword_6C2528
		lea	edi, [esp+2B8h+var_204]
		mov	esi, offset dword_6C2558
		rep movsd
		mov	esi, offset dword_6C2544
		lea	edi, [esp+2B8h+var_1E0]
		movsd
		movsd
		movsd
		movsd
		xor	edi, edi
		mov	[esp+2B8h+var_1CC], eax
		mov	eax, dword_6C252C
		push	edi
		push	edi
		push	edi
		push	edi
		mov	[esp+2C8h+var_1D0], eax
		lea	eax, [esp+2C8h+var_204]
		push	3Ch
		push	eax
		push	offset _WNF_PO_COMPOSITE_BATTERY
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		cmp	dword_6B23F8, 5
		mov	[esp+2B8h+var_27C], eax
		jbe	loc_909350
		push	4000h
		push	edi
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_909350
		mov	bl, byte ptr dword_6C2544
		lea	eax, [esp+2B8h+var_22C]
		and	[esp+2B8h+var_1A4], 0
		mov	edx, offset ??_C@_08KKBGCHG@AC?5Power@NNGAKEGL@
		and	[esp+2B8h+var_19C], 0
		mov	edi, dword_6C252C
		mov	[esp+2B8h+var_22C], edi
		mov	[esp+2B8h+var_1A8], eax
		mov	[esp+2B8h+var_1A0], 4
		test	bl, 1
		jnz	short loc_909091
		mov	edx, (offset loc_8BD059+1)

loc_909091:				; CODE XREF: PopBatteryWorker+A0358j
		lea	ecx, [esp+2B8h+var_198]
		call	_tlgCreate1Sz_char
		mov	esi, (offset loc_8BD074+4)
		mov	edx, offset ??_C@_0BE@HBALMBOB@Battery?5Discharging@NNGAKEGL@
		test	bl, 2
		jnz	short loc_9090AE
		mov	edx, esi

loc_9090AE:				; CODE XREF: PopBatteryWorker+A0378j
		lea	ecx, [esp+2B8h+var_188]
		call	_tlgCreate1Sz_char
		mov	edx, (offset loc_8BD074+6)
		test	bl, 4
		jnz	short loc_9090C6
		mov	edx, esi

loc_9090C6:				; CODE XREF: PopBatteryWorker+A0390j
		lea	ecx, [esp+2B8h+var_178]
		call	_tlgCreate1Sz_char
		mov	edx, offset ??_C@_0BB@PMCEFKNF@Battery?5Critical@NNGAKEGL@
		test	bl, 8
		jnz	short loc_9090DE
		mov	edx, esi

loc_9090DE:				; CODE XREF: PopBatteryWorker+A03A8j
		lea	ecx, [esp+2B8h+var_168]
		call	_tlgCreate1Sz_char
		mov	edx, offset ??_C@_0BN@OMAGIAMP@Battery?5charge?5limiting?5mode@NNGAKEGL@
		test	bl, 10h
		jnz	short loc_9090F6
		mov	edx, esi

loc_9090F6:				; CODE XREF: PopBatteryWorker+A03C0j
		lea	ecx, [esp+2B8h+var_158]
		call	_tlgCreate1Sz_char
		mov	edx, offset ??_C@_0CM@BIFDFPBB@Battery?5charging?5state?5power?5su@NNGAKEGL@
		test	bl, 20h
		jnz	short loc_90910E
		mov	edx, esi

loc_90910E:				; CODE XREF: PopBatteryWorker+A03D8j
		lea	ecx, [esp+2B8h+var_148]
		call	_tlgCreate1Sz_char
		test	bl, 40h
		jz	short loc_909124
		mov	esi, offset ??_C@_0CA@NILBEDJH@Battery?5charging?5state?5adequate@NNGAKEGL@

loc_909124:				; CODE XREF: PopBatteryWorker+A03EBj
		mov	edx, esi
		lea	ecx, [esp+2B8h+var_138]
		call	_tlgCreate1Sz_char
		mov	esi, dword_6C2568
		test	esi, esi
		jnz	short loc_909142
		xor	ecx, ecx
		mov	eax, ecx
		jmp	short loc_909155
; 

loc_909142:				; CODE XREF: PopBatteryWorker+A0408j
		imul	eax, dword_6C2548, 64h
		mov	ecx, esi
		shr	ecx, 1
		xor	edx, edx
		add	eax, ecx
		div	esi
		xor	ecx, ecx

loc_909155:				; CODE XREF: PopBatteryWorker+A040Ej
		mov	[esp+2B8h+var_218], eax
		lea	eax, [esp+2B8h+var_218]
		mov	[esp+2B8h+var_128], eax
		mov	[esp+2B8h+var_124], ecx
		mov	[esp+2B8h+var_11C], ecx
		push	4
		pop	edx
		mov	[esp+2B8h+var_120], edx
		test	esi, esi
		jnz	short loc_90918A
		mov	eax, ecx
		jmp	short loc_9091A5
; 

loc_90918A:				; CODE XREF: PopBatteryWorker+A0452j
		mov	eax, dword_6C2548
		mov	ecx, 186A0h
		mul	ecx
		push	0
		push	esi
		push	edx
		push	eax
		call	__aulldiv
		push	4
		xor	ecx, ecx
		pop	edx

loc_9091A5:				; CODE XREF: PopBatteryWorker+A0456j
		test	dword_6C2558, 40000000h
		mov	[esp+2B8h+var_258], eax
		lea	eax, [esp+2B8h+var_258]
		mov	[esp+2B8h+var_118], eax
		mov	eax, dword_6C2548
		mov	[esp+2B8h+var_254], eax
		lea	eax, [esp+2B8h+var_254]
		mov	[esp+2B8h+var_108], eax
		lea	eax, [esp+2B8h+var_250]
		mov	[esp+2B8h+var_F8], eax
		mov	eax, dword_6C254C
		mov	[esp+2B8h+var_24C], eax
		lea	eax, [esp+2B8h+var_24C]
		mov	[esp+2B8h+var_E8], eax
		mov	eax, dword_6C2550
		mov	[esp+2B8h+var_248], eax
		lea	eax, [esp+2B8h+var_248]
		mov	[esp+2B8h+var_D8], eax
		mov	eax, dword_6C2528
		mov	[esp+2B8h+var_244], eax
		lea	eax, [esp+2B8h+var_244]
		push	4
		mov	[esp+2BCh+var_250], esi
		pop	esi
		mov	[esp+2B8h+var_C8], eax
		lea	eax, [esp+2B8h+var_240]
		mov	[esp+2B8h+var_110], edx
		mov	[esp+2B8h+var_100], edx
		mov	edx, offset ??_C@_0BH@BFPPAGEL@Relative?5Capacity?5Unit@NNGAKEGL@
		mov	[esp+2B8h+var_114], ecx
		mov	[esp+2B8h+var_10C], ecx
		mov	[esp+2B8h+var_104], ecx
		mov	[esp+2B8h+var_FC], ecx
		mov	[esp+2B8h+var_F4], ecx
		mov	[esp+2B8h+var_F0], esi
		mov	[esp+2B8h+var_EC], ecx
		mov	[esp+2B8h+var_E4], ecx
		mov	[esp+2B8h+var_E0], esi
		mov	[esp+2B8h+var_DC], ecx
		mov	[esp+2B8h+var_D4], ecx
		mov	[esp+2B8h+var_D0], esi
		mov	[esp+2B8h+var_CC], ecx
		mov	[esp+2B8h+var_C4], ecx
		mov	[esp+2B8h+var_C0], esi
		mov	[esp+2B8h+var_BC], ecx
		mov	[esp+2B8h+var_240], edi
		mov	[esp+2B8h+var_B8], eax
		mov	[esp+2B8h+var_B4], ecx
		mov	[esp+2B8h+var_B0], esi
		mov	[esp+2B8h+var_AC], ecx
		jnz	short loc_9092CE
		mov	edx, (offset loc_8BD114+4)

loc_9092CE:				; CODE XREF: PopBatteryWorker+A0595j
		lea	ecx, [esp+2B8h+var_A8]
		call	_tlgCreate1Sz_char
		mov	eax, dword_6C2564
		xor	edi, edi
		mov	[esp+2B8h+var_23C], eax
		lea	eax, [esp+2B8h+var_23C]
		mov	[esp+2B8h+var_98], eax
		mov	eax, [esp+2B8h+var_27C]
		mov	[esp+2B8h+var_238], eax
		lea	eax, [esp+2B8h+var_238]
		mov	[esp+2B8h+var_88], eax
		lea	eax, [esp+2B8h+var_1C8]
		push	eax
		push	15h
		push	edi
		push	edi
		push	(offset	loc_41FF3C+4)
		push	offset dword_6B23F8
		mov	[esp+2D0h+var_94], edi
		mov	[esp+2D0h+var_90], esi
		mov	[esp+2D0h+var_8C], edi
		mov	[esp+2D0h+var_84], edi
		mov	[esp+2D0h+var_80], esi
		mov	[esp+2D0h+var_7C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	short loc_909353
; 

loc_909350:				; CODE XREF: PopBatteryWorker+A02F6j
					; PopBatteryWorker+A030Ej
		push	4
		pop	esi

loc_909353:				; CODE XREF: PopBatteryWorker+A061Cj
		cmp	[esp+2B8h+var_280], 1
		jnz	short loc_909394
		cmp	[esp+2B8h+var_285], 0
		mov	[esp+2B8h+var_228], edi
		mov	[esp+2B8h+var_224], edi
		jnz	short loc_90937C
		lea	eax, [esp+2B8h+var_228]
		push	eax
		call	KeQuerySystemTime

loc_90937C:				; CODE XREF: PopBatteryWorker+A063Bj
		push	edi
		push	edi
		push	edi
		push	edi
		push	8
		lea	eax, [esp+2CCh+var_228]
		push	eax
		push	offset _WNF_PO_DISCHARGE_START_FILETIME
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_909394:				; CODE XREF: PopBatteryWorker+A0626j
		test	bh, bh
		jz	loc_869009
		or	[esp+2B8h+var_21C], 0FFFFFFFFh
		lea	eax, [esp+2B8h+var_220]
		push	edi
		push	edi
		push	edi
		push	edi
		push	8
		push	eax
		push	offset _WNF_PO_POWER_STATE_CHANGE
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		cmp	dword_6B23F8, 5
		jbe	loc_869009
		mov	[esp+2B8h+var_234], eax
		lea	eax, [esp+2B8h+var_234]
		mov	[esp+2B8h+var_18], eax
		lea	eax, [esp+2B8h+var_38]
		push	eax
		push	3
		push	edi
		push	edi
		push	offset loc_41FF0C
		push	offset dword_6B23F8
		mov	[esp+2D0h+var_14], edi
		mov	[esp+2D0h+var_10], esi
		mov	[esp+2D0h+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_869009
; 

loc_909413:				; CODE XREF: PopBatteryWorker+2FEj
		mov	dword_6C2044, edi
		jmp	loc_869036
; END OF FUNCTION CHUNK	FOR PopBatteryWorker
; 
; START	OF FUNCTION CHUNK FOR PopBatteryApplyCompositeState

loc_90941E:				; CODE XREF: PopBatteryApplyCompositeState+61j
		xor	edx, edx
		mov	cl, 1
		call	PopBatteryUpdateAlarms
		push	4
		pop	ecx
		call	_PopSetNotificationWork@4 ; PopSetNotificationWork(x)
		mov	ecx, esi
		call	_PopRecordAcDcState@4 ;	PopRecordAcDcState(x)
		push	2
		pop	ecx
		call	PopInitSIdle
		call	PopInitilizeAcDcSettings
		call	_PpmProfileAcDcUpdate@0	; PpmProfileAcDcUpdate()
		cmp	esi, 1
		jnz	short loc_909459
		mov	_PopMaxChargeRate, ebx
		mov	dword_6FE094, ebx

loc_909459:				; CODE XREF: PopBatteryApplyCompositeState+A0367j
		mov	[ebp+var_89], 1
		jmp	loc_86914B
; 

loc_909465:				; CODE XREF: PopBatteryApplyCompositeState+6Dj
		push	offset dword_6C252C ; void *
		push	4
		pop	edx
		mov	ecx, offset _GUID_BATTERY_COUNT	; int
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		lea	eax, [ebp+var_AC]
		push	eax
		lea	edx, [ebp+var_94]
		lea	ecx, [ebp+var_A8]
		call	_CalculateBatteryCount@12 ; CalculateBatteryCount(x,x,x)
		mov	eax, _PopCachedValidBatteryCount
		mov	ecx, [ebp+var_A8]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9094A3
		cmp	eax, ecx
		jz	short loc_9094BA

loc_9094A3:				; CODE XREF: PopBatteryApplyCompositeState+A03B9j
		push	[ebp+var_AC]
		mov	edx, [ebp+var_94]
		mov	_PopCachedValidBatteryCount, ecx
		call	_PopDiagTraceBatteryCountChange@12 ; PopDiagTraceBatteryCountChange(x,x,x)

loc_9094BA:				; CODE XREF: PopBatteryApplyCompositeState+A03BDj
		mov	[ebp+var_89], 1
		jmp	loc_869157
; 

loc_9094C6:				; CODE XREF: PopBatteryApplyCompositeState+F7j
		call	_PopRecalculateCBTriggerLevels@4 ; PopRecalculateCBTriggerLevels(x)
		jmp	loc_8691E1
; 

loc_9094D0:				; CODE XREF: PopBatteryApplyCompositeState+10Bj
		xor	edx, edx
		mov	ecx, offset dword_6C25F0
		inc	edx
		call	_PopBatteryCheckTriggerAllBatteries@8 ;	PopBatteryCheckTriggerAllBatteries(x,x)
		test	al, al
		jz	loc_8691F5
		test	byte ptr dword_6C25F4, 2
		jnz	loc_8691F5
		push	40h
		pop	ecx
		call	PopGetPolicyWorker
		call	PopCheckForWork
		jmp	loc_8691F5
; 

loc_909504:				; CODE XREF: PopBatteryApplyCompositeState+145j
		mov	eax, edi
		shl	eax, 4
		mov	eax, dword_6C25F4[eax]
		cmp	_PopBatteryCachedFlags[edi*4], eax
		jz	short loc_909578
		mov	ecx, [ebp+var_94]
		mov	_PopBatteryCachedFlags[edi*4], eax
		lea	eax, [ebp+var_90]
		push	eax
		lea	eax, [ebx+4]
		imul	edx, eax, 18h
		add	edx, _PopPolicy
		call	_PopDiagTraceBatteryAlarmStatus@12 ; PopDiagTraceBatteryAlarmStatus(x,x,x)
		mov	edi, [ebp+var_90]
		mov	ecx, edi
		shl	ecx, 4
		cmp	dword_6C25F4[ecx], 80h
		jnz	short loc_909578
		lea	eax, [ebp+var_90]
		push	eax
		lea	eax, [edi+4]
		imul	edx, eax, 18h
		lea	ecx, dword_6C25F0[ecx]
		add	edx, _PopPolicy
		call	_PopDiagTraceBatteryTriggerMet@12 ; PopDiagTraceBatteryTriggerMet(x,x,x)
		mov	edi, [ebp+var_90]

loc_909578:				; CODE XREF: PopBatteryApplyCompositeState+A0432j
					; PopBatteryApplyCompositeState+A046Ej
		cmp	byte_6C25E8, 0
		jnz	short loc_9095A8
		mov	eax, _PopPolicy
		imul	ecx, edi, 18h
		push	1
		push	dword ptr [ecx+eax+74h]
		add	eax, 68h
		add	eax, ecx
		mov	ecx, edi
		push	eax
		shl	ecx, 4
		push	8
		add	ecx, offset dword_6C25F0
		pop	edx
		call	PopExecutePowerAction

loc_9095A8:				; CODE XREF: PopBatteryApplyCompositeState+A049Bj
		cmp	esi, 3
		jnz	loc_869258
		test	edi, edi
		jnz	short loc_9095BD
		xor	esi, esi
		inc	esi
		jmp	loc_869258
; 

loc_9095BD:				; CODE XREF: PopBatteryApplyCompositeState+A04CFj
		cmp	edi, 1
		jnz	loc_869258
		push	2
		pop	esi
		jmp	loc_869258
; 

loc_9095CE:				; CODE XREF: PopBatteryApplyCompositeState+18Bj
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	4
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_B0], esi
		push	eax
		push	offset _WNF_PO_BATTERY_CHARGE_LEVEL
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	edx, dword_6B23F8
		mov	edi, eax
		cmp	edx, 5
		jbe	short loc_90966E
		test	esi, esi
		jnz	short loc_909603
		mov	edx, offset ??_C@_0BG@GDLPOEEB@PoBatteryLevelUnknown@NNGAKEGL@
		jmp	short loc_90962A
; 

loc_909603:				; CODE XREF: PopBatteryApplyCompositeState+A0516j
		cmp	esi, 1
		jnz	short loc_90960F
		mov	edx, (offset loc_8BCC2B+1)
		jmp	short loc_90962A
; 

loc_90960F:				; CODE XREF: PopBatteryApplyCompositeState+A0522j
		cmp	esi, 2
		jnz	short loc_90961B
		mov	edx, offset ??_C@_0BC@KHACHKGG@PoBatteryLevelLow@NNGAKEGL@
		jmp	short loc_90962A
; 

loc_90961B:				; CODE XREF: PopBatteryApplyCompositeState+A052Ej
		mov	edx, offset ??_C@_0BF@GBOKHDFO@PoBatteryLevelNormal@NNGAKEGL@
		cmp	esi, 3
		jz	short loc_90962A
		mov	edx, offset ??_C@_0BA@BEMFFGJJ@?$DMInvalid?5Value?$DO@NNGAKEGL@

loc_90962A:				; CODE XREF: PopBatteryApplyCompositeState+A051Dj
					; PopBatteryApplyCompositeState+A0529j	...
		lea	ecx, [ebp+var_68]
		call	_tlgCreate1Sz_char
		push	4
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_B4], edi
		pop	edi
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_88]
		push	eax
		push	edi
		push	ebx
		push	ebx
		push	offset loc_420169
		push	offset dword_6B23F8
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	edx, dword_6B23F8
		jmp	short loc_909671
; 

loc_90966E:				; CODE XREF: PopBatteryApplyCompositeState+A0512j
		push	4
		pop	edi

loc_909671:				; CODE XREF: PopBatteryApplyCompositeState+A0588j
		cmp	esi, 2
		jz	short loc_909685
		cmp	esi, 1
		jz	short loc_909685
		mov	al, bl
		mov	[ebp+var_8A], bl
		jmp	short loc_90968D
; 

loc_909685:				; CODE XREF: PopBatteryApplyCompositeState+A0590j
					; PopBatteryApplyCompositeState+A0595j
		mov	al, 1
		mov	[ebp+var_8A], al

loc_90968D:				; CODE XREF: PopBatteryApplyCompositeState+A059Fj
		mov	ecx, dword_6C2580
		cmp	ecx, 2
		jz	short loc_90969F
		cmp	ecx, 1
		mov	cl, bl
		jnz	short loc_9096A1

loc_90969F:				; CODE XREF: PopBatteryApplyCompositeState+A05B2j
		mov	cl, 1

loc_9096A1:				; CODE XREF: PopBatteryApplyCompositeState+A05B9j
		cmp	al, cl
		jz	short loc_90970B
		cmp	edx, 5
		jbe	short loc_90970B
		push	4000h
		push	ebx
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_90970B
		movzx	eax, [ebp+var_8A]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	edi
		push	ebx
		push	ebx
		push	(offset	loc_420122+4)
		push	offset dword_6B23F8
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_A4], esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_90970B:				; CODE XREF: PopBatteryApplyCompositeState+A05BFj
					; PopBatteryApplyCompositeState+A05C4j	...
		mov	ecx, esi
		mov	dword_6C2580, esi
		call	_PopRecordBatteryLevel@4 ; PopRecordBatteryLevel(x)
		jmp	loc_869275
; 

loc_90971D:				; CODE XREF: PopBatteryApplyCompositeState+198j
		call	_PopTracePowerReconfig@0 ; PopTracePowerReconfig()
		jmp	loc_869282
; 

loc_909727:				; CODE XREF: PopBatteryApplyCompositeState+1F6j
		mov	al, cl
		mov	byte_6C2675, 1
		shr	al, 2
		and	al, 1
		shr	cl, 1
		mov	byte_6C2676, al
		and	cl, 1
		cmp	byte_6C2630, 0
		setnz	al
		or	cl, al
		mov	eax, dword_6C2568
		mov	dword_6C267C, eax
		mov	eax, dword_6C2548
		mov	dword_6C2680, eax
		mov	eax, dword_6C2550
		mov	dword_6C2684, eax
		mov	eax, dword_6C2554
		mov	dword_6C2688, eax
		mov	eax, dword_6C256C
		mov	dword_6C268C, eax
		mov	eax, dword_6C2570
		mov	byte_6C2677, cl
		mov	dword_6C2690, eax
		jmp	loc_8692E0
; 

loc_909792:				; CODE XREF: PopBatteryApplyCompositeState+225j
		mov	eax, dword_6C2634
		xor	edx, edx	; Length
		add	eax, 1F4h
		mov	ecx, 3E8h
		div	ecx
		mov	ecx, offset _GUID_BATTERY_PERCENTAGE_REMAINING ; int
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_98]
		push	eax		; void *
		push	4
		pop	edx
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		mov	ecx, [ebp+var_98]
		call	_PopRecordBatteryPercentage@4 ;	PopRecordBatteryPercentage(x)
		cmp	dword_6C2634, 0FFFFFFFFh
		setnz	bl
		dec	bl
		call	KeQueryInterruptTime
		mov	[ebp+var_A4], eax
		mov	ecx, edx
		mov	[ebp+var_A0], ecx
		and	bl, 1
		jz	short loc_909815
		sub	eax, dword_6C2638
		push	0
		sbb	ecx, dword_6C263C
		add	eax, 1388h
		pop	edi
		push	edi
		push	2710h
		adc	ecx, edi
		push	ecx
		push	eax
		call	__aulldiv
		mov	edi, eax
		jmp	short loc_909817
; 

loc_909815:				; CODE XREF: PopBatteryApplyCompositeState+A0708j
		xor	edi, edi

loc_909817:				; CODE XREF: PopBatteryApplyCompositeState+A072Fj
		mov	esi, [ebp+var_B8]
		mov	edx, [ebp+var_9C]
		mov	ecx, [ebp+var_98]
		push	edi
		push	esi
		call	_PopSqmBatteryUpdate@16	; PopSqmBatteryUpdate(x,x,x,x)
		mov	edx, [ebp+var_9C]
		mov	ecx, [ebp+var_98]
		push	edi
		push	esi
		call	_PopBatteryTracePercentageRemaining@16 ; PopBatteryTracePercentageRemaining(x,x,x,x)
		mov	eax, [ebp+var_A4]
		mov	dword_6C2638, eax
		mov	eax, [ebp+var_A0]
		mov	dword_6C263C, eax
		jmp	loc_86930F
; END OF FUNCTION CHUNK	FOR PopBatteryApplyCompositeState
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceBatteryTriggerFlags

loc_90985E:				; CODE XREF: PopDiagTraceBatteryTriggerFlags+8Dj
		mov	edx, ecx
		lea	ecx, [ebp+var_68]
		call	_tlgCreate1Sz_char
		mov	eax, [ebp+var_94]
		xor	ecx, ecx
		mov	byte ptr [ebp+var_8B+1], al
		lea	eax, [ebp+var_8B+1]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+var_90]
		mov	byte ptr [ebp+var_8B], al
		lea	eax, [ebp+var_8B]
		mov	[ebp+var_48], eax
		lea	eax, [ebp-8Ch]
		mov	[ebp+var_38], eax
		mov	al, byte ptr [ebp+var_8B+2]
		mov	byte ptr [ebp+var_8B+2], al
		lea	eax, [ebp+var_8B+2]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_8B+3]
		push	eax
		push	8
		push	ecx
		push	ecx
		push	offset loc_41E29C
		push	offset dword_6B23F8
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_8C], bl
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_90], esi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_869388
; END OF FUNCTION CHUNK	FOR PopDiagTraceBatteryTriggerFlags
; 
; START	OF FUNCTION CHUNK FOR PopBatteryCheckTrigger

loc_909917:				; CODE XREF: PopBatteryCheckTrigger+7j
		xor	edx, edx
		call	_PopBatteryCheckTriggerAllBatteries@8 ;	PopBatteryCheckTriggerAllBatteries(x,x)
		test	al, al
		jz	loc_8693DB
		mov	al, 1
		retn
; END OF FUNCTION CHUNK	FOR PopBatteryCheckTrigger
; 
; START	OF FUNCTION CHUNK FOR PopAccountCbEnergyChange

loc_909929:				; CODE XREF: PopAccountCbEnergyChange+41j
					; PopAccountCbEnergyChange+A051Bj
		add	edx, [ecx+98h]
		adc	esi, [ecx+9Ch]
		mov	ecx, [ecx]
		cmp	ecx, edi
		jnz	short loc_909929
		mov	[ebp+var_178], edx
		mov	[ebp+var_174], esi
		jmp	loc_869465
; 

loc_90994C:				; CODE XREF: PopAccountCbEnergyChange+5Bj
					; PopAccountCbEnergyChange+A0535j
		or	ebx, [eax+70h]
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	short loc_90994C
		mov	[ebp+var_180], ebx
		jmp	loc_86947F
; 

loc_909960:				; CODE XREF: PopAccountCbEnergyChange+67j
					; PopAccountCbEnergyChange+73j	...
		mov	eax, edx
		mov	edi, offset dword_6C2698
		sub	eax, dword_6C26A0
		mov	[ebp+var_16C], eax
		sbb	esi, dword_6C26A4
		cmp	dword_6B23F8, 5
		mov	[ebp+var_170], esi
		lea	esi, [ebp+var_180]
		movsd
		movsd
		movsd
		movsd
		jbe	loc_8694A3
		mov	eax, [ebp+var_174]
		xor	edi, edi
		mov	[ebp+var_19C], eax
		lea	eax, [ebp+var_1A0]
		mov	[ebp+var_1A0], edx
		mov	esi, (offset loc_8BD074+4)
		mov	[ebp+var_148], eax
		mov	edx, offset ??_C@_0BL@IEGKJEJE@Energy?5Counter?5Unavailable@NNGAKEGL@
		mov	[ebp+var_144], edi
		mov	[ebp+var_140], 8
		mov	[ebp+var_13C], edi
		test	bl, 1
		jnz	short loc_9099DD
		mov	edx, esi

loc_9099DD:				; CODE XREF: PopAccountCbEnergyChange+A05BBj
		lea	ecx, [ebp+var_138]
		call	_tlgCreate1Sz_char
		mov	edx, offset ??_C@_0BH@BFPPAGEL@Relative?5Capacity?5Unit@NNGAKEGL@
		test	bl, 2
		jnz	short loc_9099F4
		mov	edx, esi

loc_9099F4:				; CODE XREF: PopAccountCbEnergyChange+A05D2j
		lea	ecx, [ebp+var_128]
		call	_tlgCreate1Sz_char
		mov	edx, offset ??_C@_0BA@DBAOEMLN@FCC?5Unavailable@NNGAKEGL@
		test	bl, 4
		jnz	short loc_909A0B
		mov	edx, esi

loc_909A0B:				; CODE XREF: PopAccountCbEnergyChange+A05E9j
		lea	ecx, [ebp+var_118]
		call	_tlgCreate1Sz_char
		mov	edx, (offset loc_8BD175+7)
		test	bl, 8
		jnz	short loc_909A22
		mov	edx, esi

loc_909A22:				; CODE XREF: PopAccountCbEnergyChange+A0600j
		lea	ecx, [ebp+var_108]
		call	_tlgCreate1Sz_char
		mov	eax, [ebp+var_16C]
		mov	edx, offset ??_C@_08KKBGCHG@AC?5Power@NNGAKEGL@
		mov	ebx, dword_6C2544
		mov	[ebp+var_178], eax
		mov	eax, [ebp+var_170]
		mov	[ebp+var_174], eax
		lea	eax, [ebp+var_178]
		mov	[ebp+var_F8], eax
		mov	eax, dword_6C252C
		mov	[ebp+var_170], eax
		lea	eax, [ebp+var_170]
		mov	[ebp+var_F4], edi
		mov	[ebp+var_F0], 8
		mov	[ebp+var_EC], edi
		mov	[ebp+var_E8], eax
		mov	[ebp+var_E4], edi
		mov	[ebp+var_E0], 4
		mov	[ebp+var_DC], edi
		test	bl, 1
		jnz	short loc_909AA9
		mov	edx, (offset loc_8BD059+1)

loc_909AA9:				; CODE XREF: PopAccountCbEnergyChange+A0684j
		lea	ecx, [ebp+var_D8]
		call	_tlgCreate1Sz_char
		mov	edx, offset ??_C@_0BE@HBALMBOB@Battery?5Discharging@NNGAKEGL@
		test	bl, 2
		jnz	short loc_909AC0
		mov	edx, esi

loc_909AC0:				; CODE XREF: PopAccountCbEnergyChange+A069Ej
		lea	ecx, [ebp+var_C8]
		call	_tlgCreate1Sz_char
		mov	edx, (offset loc_8BD074+6)
		test	bl, 4
		jnz	short loc_909AD7
		mov	edx, esi

loc_909AD7:				; CODE XREF: PopAccountCbEnergyChange+A06B5j
		lea	ecx, [ebp+var_B8]
		call	_tlgCreate1Sz_char
		mov	edx, offset ??_C@_0BB@PMCEFKNF@Battery?5Critical@NNGAKEGL@
		test	bl, 8
		jnz	short loc_909AEE
		mov	edx, esi

loc_909AEE:				; CODE XREF: PopAccountCbEnergyChange+A06CCj
		lea	ecx, [ebp+var_A8]
		call	_tlgCreate1Sz_char
		mov	edx, offset ??_C@_0BN@OMAGIAMP@Battery?5charge?5limiting?5mode@NNGAKEGL@
		test	bl, 10h
		jnz	short loc_909B05
		mov	edx, esi

loc_909B05:				; CODE XREF: PopAccountCbEnergyChange+A06E3j
		lea	ecx, [ebp+var_98]
		call	_tlgCreate1Sz_char
		mov	edx, offset ??_C@_0CM@BIFDFPBB@Battery?5charging?5state?5power?5su@NNGAKEGL@
		test	bl, 20h
		jnz	short loc_909B1C
		mov	edx, esi

loc_909B1C:				; CODE XREF: PopAccountCbEnergyChange+A06FAj
		lea	ecx, [ebp+var_88]
		call	_tlgCreate1Sz_char
		test	bl, 40h
		jz	short loc_909B31
		mov	esi, offset ??_C@_0CA@NILBEDJH@Battery?5charging?5state?5adequate@NNGAKEGL@

loc_909B31:				; CODE XREF: PopAccountCbEnergyChange+A070Cj
		mov	edx, esi
		lea	ecx, [ebp+var_78]
		call	_tlgCreate1Sz_char
		mov	esi, dword_6C2568
		test	esi, esi
		jnz	short loc_909B49
		mov	eax, edi
		jmp	short loc_909B5A
; 

loc_909B49:				; CODE XREF: PopAccountCbEnergyChange+A0725j
		imul	ecx, dword_6C2548, 64h
		mov	eax, esi
		shr	eax, 1
		xor	edx, edx
		add	eax, ecx
		div	esi

loc_909B5A:				; CODE XREF: PopAccountCbEnergyChange+A0729j
		mov	[ebp+var_16C], eax
		lea	eax, [ebp+var_16C]
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], edi
		mov	[ebp+var_5C], edi
		push	4
		pop	ebx
		mov	[ebp+var_60], ebx
		test	esi, esi
		jnz	short loc_909B7D
		mov	eax, edi
		jmp	short loc_909B92
; 

loc_909B7D:				; CODE XREF: PopAccountCbEnergyChange+A0759j
		mov	eax, dword_6C2548
		mov	ecx, 186A0h
		mul	ecx
		push	edi
		push	esi
		push	edx
		push	eax
		call	__aulldiv

loc_909B92:				; CODE XREF: PopAccountCbEnergyChange+A075Dj
		mov	[ebp+var_184], eax
		lea	eax, [ebp+var_184]
		mov	[ebp+var_58], eax
		mov	eax, dword_6C2548
		mov	[ebp+var_188], eax
		lea	eax, [ebp+var_188]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_18C]
		mov	[ebp+var_38], eax
		mov	eax, dword_6C254C
		mov	[ebp+var_190], eax
		lea	eax, [ebp+var_190]
		mov	[ebp+var_28], eax
		mov	eax, dword_6C2550
		mov	[ebp+var_194], eax
		lea	eax, [ebp+var_194]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_168]
		push	eax
		push	16h
		push	edi
		push	edi
		push	offset loc_41F5F0
		push	offset dword_6B23F8
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_18C], esi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_8694A3
; END OF FUNCTION CHUNK	FOR PopAccountCbEnergyChange
; 
; START	OF FUNCTION CHUNK FOR PopBatteryCheckCompositeCapacity

loc_909C38:				; CODE XREF: PopBatteryCheckCompositeCapacity+38j
		mov	eax, [esi+4]
		mov	ecx, edx
		mov	edi, dword_6C2568
		cmp	edi, eax
		jbe	short loc_909C5D
		test	edi, edi
		jnz	short loc_909C4F
		xor	ecx, ecx
		jmp	short loc_909C5D
; 

loc_909C4F:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0797j
		mul	edx
		push	0
		push	edi
		push	edx
		push	eax
		call	__aulldiv
		mov	ecx, eax

loc_909C5D:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0793j
					; PopBatteryCheckCompositeCapacity+A079Bj
		mov	eax, dword_6C2634
		xor	edi, edi
		mov	[ebp+var_140], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_909C73
		mov	edi, ecx
		sub	edi, eax

loc_909C73:				; CODE XREF: PopBatteryCheckCompositeCapacity+A07BBj
		xor	edx, edx
		lea	eax, [ecx+1F4h]
		mov	ebx, 3E8h
		div	ebx
		mov	[ebp+var_144], ebx
		xor	edx, edx
		mov	ebx, eax
		mov	eax, [ebp+var_140]
		add	eax, 1F4h
		div	[ebp+var_144]
		cmp	ebx, eax
		jz	short loc_909CAB
		sub	ebx, eax
		mov	eax, [ebp+var_148]
		mov	[eax], ebx

loc_909CAB:				; CODE XREF: PopBatteryCheckCompositeCapacity+A07EDj
		mov	al, byte_6C2630
		mov	edx, [ebp+var_14C]
		mov	bl, byte_6C2644
		mov	dword_6C2634, ecx
		mov	[ebp+var_140], eax
		cmp	edx, 1
		jnz	short loc_909CDA
		xor	bl, bl
		mov	byte ptr [ebp+var_140],	dl
		jmp	loc_8694F8
; 

loc_909CDA:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0819j
		mov	eax, dword_6C2544
		not	eax
		and	eax, 1
		cmp	edx, eax
		jz	short loc_909CFB
		xor	bl, bl

loc_909CEA:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0856j
		mov	dword_6C2640, ecx

loc_909CF0:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0854j
		xor	al, al
		and	dword_6C2658, 0
		jmp	short loc_909D56
; 

loc_909CFB:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0834j
		cmp	byte_6C2530, 0
		jz	short loc_909D0A
		test	bl, bl
		jnz	short loc_909CF0
		jmp	short loc_909CEA
; 

loc_909D0A:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0850j
		mov	edx, dword_6C2640
		cmp	edx, ecx
		jnb	short loc_909D1C
		mov	edx, ecx
		mov	dword_6C2640, edx

loc_909D1C:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0860j
		mov	eax, _WeakChargerChargeDropMilliPercent
		add	eax, ecx
		cmp	edx, eax
		jbe	short loc_909D29
		mov	bl, 1

loc_909D29:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0873j
		mov	ecx, dword_6C2658
		add	ecx, edi
		mov	eax, ecx
		mov	dword_6C2658, ecx
		cdq
		xor	eax, edx
		sub	eax, edx
		cmp	eax, _BatteryChargeTrajectoryThresholdMilliPercent
		jl	loc_869506
		and	dword_6C2658, 0
		mov	eax, ecx
		shr	eax, 1Fh

loc_909D56:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0847j
		mov	[ebp+var_140], eax
		jmp	loc_869506
; 

loc_909D61:				; CODE XREF: PopBatteryCheckCompositeCapacity+5Fj
		movzx	eax, bl
		mov	byte_6C2644, bl
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		mov	[ebp+var_14C], eax
		lea	eax, [ebp+var_14C]
		push	4
		push	eax
		push	offset _WNF_PO_WEAK_CHARGER
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		cmp	dword_6B23F8, 5
		mov	[ebp+var_150], eax
		jbe	loc_869517
		push	4000h
		push	ebx
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_869517
		test	byte ptr [esi],	1
		mov	edx, edi
		movzx	eax, byte_6C2644
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_148]
		mov	[ebp+var_11C], eax
		mov	eax, dword_6C252C
		push	4
		pop	ecx
		mov	[ebp+var_144], eax
		lea	eax, [ebp+var_144]
		mov	[ebp+var_118], ebx
		mov	[ebp+var_114], ecx
		mov	[ebp+var_110], ebx
		mov	[ebp+var_10C], eax
		mov	[ebp+var_108], ebx
		mov	[ebp+var_104], ecx
		mov	[ebp+var_100], ebx
		jnz	short loc_909E17
		mov	edx, (offset loc_8BD059+1)

loc_909E17:				; CODE XREF: PopBatteryCheckCompositeCapacity+A095Ej
		lea	ecx, [ebp+var_FC]
		call	_tlgCreate1Sz_char
		test	byte ptr [esi],	2
		mov	ebx, (offset loc_8BD074+4)
		mov	edx, offset ??_C@_0BE@HBALMBOB@Battery?5Discharging@NNGAKEGL@
		jnz	short loc_909E33
		mov	edx, ebx

loc_909E33:				; CODE XREF: PopBatteryCheckCompositeCapacity+A097Dj
		lea	ecx, [ebp+var_EC]
		call	_tlgCreate1Sz_char
		test	byte ptr [esi],	4
		mov	edx, (offset loc_8BD074+6)
		jnz	short loc_909E4A
		mov	edx, ebx

loc_909E4A:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0994j
		lea	ecx, [ebp+var_DC]
		call	_tlgCreate1Sz_char
		test	byte ptr [esi],	8
		mov	edx, offset ??_C@_0BB@PMCEFKNF@Battery?5Critical@NNGAKEGL@
		jnz	short loc_909E61
		mov	edx, ebx

loc_909E61:				; CODE XREF: PopBatteryCheckCompositeCapacity+A09ABj
		lea	ecx, [ebp+var_CC]
		call	_tlgCreate1Sz_char
		test	byte ptr [esi],	10h
		mov	edx, offset ??_C@_0BN@OMAGIAMP@Battery?5charge?5limiting?5mode@NNGAKEGL@
		jnz	short loc_909E78
		mov	edx, ebx

loc_909E78:				; CODE XREF: PopBatteryCheckCompositeCapacity+A09C2j
		lea	ecx, [ebp+var_BC]
		call	_tlgCreate1Sz_char
		test	byte ptr [esi],	20h
		mov	edx, offset ??_C@_0CM@BIFDFPBB@Battery?5charging?5state?5power?5su@NNGAKEGL@
		jnz	short loc_909E8F
		mov	edx, ebx

loc_909E8F:				; CODE XREF: PopBatteryCheckCompositeCapacity+A09D9j
		lea	ecx, [ebp+var_AC]
		call	_tlgCreate1Sz_char
		test	byte ptr [esi],	40h
		mov	edx, offset ??_C@_0CA@NILBEDJH@Battery?5charging?5state?5adequate@NNGAKEGL@
		jnz	short loc_909EA6
		mov	edx, ebx

loc_909EA6:				; CODE XREF: PopBatteryCheckCompositeCapacity+A09F0j
		lea	ecx, [ebp+var_9C]
		call	_tlgCreate1Sz_char
		mov	edi, dword_6C2568
		mov	ebx, [esi+4]
		test	edi, edi
		jnz	short loc_909EC2
		xor	eax, eax
		jmp	short loc_909ECF
; 

loc_909EC2:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0A0Aj
		imul	eax, ebx, 64h
		mov	ecx, edi
		shr	ecx, 1
		xor	edx, edx
		add	eax, ecx
		div	edi

loc_909ECF:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0A0Ej
		and	[ebp+var_88], 0
		and	[ebp+var_80], 0
		mov	[ebp+var_154], eax
		lea	eax, [ebp+var_154]
		mov	[ebp+var_8C], eax
		push	4
		pop	ecx
		mov	[ebp+var_84], ecx
		test	edi, edi
		jnz	short loc_909EFD
		xor	eax, eax
		jmp	short loc_909F13
; 

loc_909EFD:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0A45j
		mov	ecx, 186A0h
		mov	eax, ebx
		mul	ecx
		push	0
		push	edi
		push	edx
		push	eax
		call	__aulldiv
		push	4
		pop	ecx

loc_909F13:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0A49j
		mov	[ebp+var_158], eax
		lea	eax, [ebp+var_158]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_15C]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_160]
		mov	[ebp+var_5C], eax
		mov	eax, [esi+8]
		mov	[ebp+var_164], eax
		lea	eax, [ebp+var_164]
		mov	[ebp+var_4C], eax
		mov	eax, [esi+0Ch]
		and	[ebp+var_78], 0
		and	[ebp+var_70], 0
		mov	[ebp+var_168], eax
		lea	eax, [ebp+var_168]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_150]
		mov	[ebp+var_150], eax
		lea	eax, [ebp+var_150]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_174]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_13C]
		push	eax
		push	13h
		mov	[ebp+var_15C], ebx
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	(offset	loc_41FBEC+4)
		push	offset dword_6B23F8
		mov	[ebp+var_74], ecx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_160], edi
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_174], 1000000h
		mov	[ebp+var_170], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], 8
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	edi, offset ??_C@_08KKBGCHG@AC?5Power@NNGAKEGL@
		jmp	loc_869517
; 

loc_909FFD:				; CODE XREF: PopBatteryCheckCompositeCapacity+71j
		xor	ebx, ebx
		mov	byte_6C2630, al
		push	ebx
		push	ebx
		push	ebx
		movzx	eax, al
		push	ebx
		mov	[ebp+var_150], eax
		lea	eax, [ebp+var_150]
		push	4
		push	eax
		push	offset _WNF_PO_BATTERY_DISCHARGING
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		cmp	dword_6B23F8, 5
		mov	[ebp+var_144], eax
		jbe	loc_869529
		push	4000h
		push	ebx
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_869529
		test	byte ptr [esi],	1
		movzx	eax, byte_6C2630
		mov	[ebp+var_168], eax
		lea	eax, [ebp+var_168]
		mov	[ebp+var_10C], eax
		mov	eax, dword_6C252C
		push	4
		pop	ecx
		mov	[ebp+var_164], eax
		lea	eax, [ebp+var_164]
		mov	[ebp+var_108], ebx
		mov	[ebp+var_104], ecx
		mov	[ebp+var_100], ebx
		mov	[ebp+var_FC], eax
		mov	[ebp+var_F8], ebx
		mov	[ebp+var_F4], ecx
		mov	[ebp+var_F0], ebx
		jnz	short loc_90A0B0
		mov	edi, (offset loc_8BD059+1)

loc_90A0B0:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0BF7j
		mov	edx, edi
		lea	ecx, [ebp+var_EC]
		call	_tlgCreate1Sz_char
		test	byte ptr [esi],	2
		mov	ebx, (offset loc_8BD074+4)
		mov	eax, offset ??_C@_0BE@HBALMBOB@Battery?5Discharging@NNGAKEGL@
		jnz	short loc_90A0CE
		mov	eax, ebx

loc_90A0CE:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0C18j
		mov	edx, eax
		lea	ecx, [ebp+var_DC]
		call	_tlgCreate1Sz_char
		test	byte ptr [esi],	4
		mov	eax, (offset loc_8BD074+6)
		jnz	short loc_90A0E7
		mov	eax, ebx

loc_90A0E7:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0C31j
		mov	edx, eax
		lea	ecx, [ebp+var_CC]
		call	_tlgCreate1Sz_char
		test	byte ptr [esi],	8
		mov	eax, offset ??_C@_0BB@PMCEFKNF@Battery?5Critical@NNGAKEGL@
		jnz	short loc_90A100
		mov	eax, ebx

loc_90A100:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0C4Aj
		mov	edx, eax
		lea	ecx, [ebp+var_BC]
		call	_tlgCreate1Sz_char
		test	byte ptr [esi],	10h
		mov	eax, offset ??_C@_0BN@OMAGIAMP@Battery?5charge?5limiting?5mode@NNGAKEGL@
		jnz	short loc_90A119
		mov	eax, ebx

loc_90A119:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0C63j
		mov	edx, eax
		lea	ecx, [ebp+var_AC]
		call	_tlgCreate1Sz_char
		test	byte ptr [esi],	20h
		mov	eax, offset ??_C@_0CM@BIFDFPBB@Battery?5charging?5state?5power?5su@NNGAKEGL@
		jnz	short loc_90A132
		mov	eax, ebx

loc_90A132:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0C7Cj
		mov	edx, eax
		lea	ecx, [ebp+var_9C]
		call	_tlgCreate1Sz_char
		test	byte ptr [esi],	40h
		mov	eax, offset ??_C@_0CA@NILBEDJH@Battery?5charging?5state?5adequate@NNGAKEGL@
		jnz	short loc_90A14B
		mov	eax, ebx

loc_90A14B:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0C95j
		mov	edx, eax
		lea	ecx, [ebp+var_8C]
		call	_tlgCreate1Sz_char
		mov	edi, dword_6C2568
		mov	ebx, [esi+4]
		test	edi, edi
		jnz	short loc_90A16B
		xor	ecx, ecx
		mov	eax, ecx
		jmp	short loc_90A17A
; 

loc_90A16B:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0CB1j
		imul	eax, ebx, 64h
		mov	ecx, edi
		shr	ecx, 1
		xor	edx, edx
		add	eax, ecx
		div	edi
		xor	ecx, ecx

loc_90A17A:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0CB7j
		mov	[ebp+var_160], eax
		lea	eax, [ebp+var_160]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_78], ecx
		mov	[ebp+var_70], ecx
		push	4
		pop	edx
		mov	[ebp+var_74], edx
		test	edi, edi
		jnz	short loc_90A19D
		mov	eax, ecx
		jmp	short loc_90A1B4
; 

loc_90A19D:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0CE5j
		mov	eax, ebx
		mov	edx, 186A0h
		mul	edx
		push	ecx
		push	edi
		push	edx
		push	eax
		call	__aulldiv
		push	4
		xor	ecx, ecx
		pop	edx

loc_90A1B4:				; CODE XREF: PopBatteryCheckCompositeCapacity+A0CE9j
		mov	[ebp+var_15C], eax
		lea	eax, [ebp+var_15C]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_158]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_154]
		mov	[ebp+var_4C], eax
		mov	eax, [esi+8]
		mov	[ebp+var_14C], eax
		lea	eax, [ebp+var_14C]
		mov	[ebp+var_3C], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_148]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_144]
		mov	[ebp+var_144], eax
		lea	eax, [ebp+var_144]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_12C]
		push	eax
		push	12h
		push	ecx
		push	ecx
		push	offset loc_41FA3D
		push	offset dword_6B23F8
		mov	[ebp+var_68], ecx
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_158], ebx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_154], edi
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_869529
; END OF FUNCTION CHUNK	FOR PopBatteryCheckCompositeCapacity
; 
; START	OF FUNCTION CHUNK FOR PopGetDischargeStartStatus

loc_90A26F:				; CODE XREF: PopGetDischargeStartStatus+49j
		mov	eax, [ebp+var_10]
		or	eax, [ebp+var_C]
		jnz	short loc_90A27B
		push	2
		jmp	short loc_90A27D
; 

loc_90A27B:				; CODE XREF: PopGetDischargeStartStatus+A0D3Bj
		push	3

loc_90A27D:				; CODE XREF: PopGetDischargeStartStatus+A0D3Fj
		pop	esi
		jmp	loc_86958C
; END OF FUNCTION CHUNK	FOR PopGetDischargeStartStatus
; 
; START	OF FUNCTION CHUNK FOR _CmSetDeviceMappedProperty

loc_90A283:				; CODE XREF: _CmSetDeviceMappedProperty+10Ej
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+var_4]
		push	[ebp+arg_10]	; int
		mov	ecx, [ebp+var_8]
		push	[ebp+arg_C]	; int
		push	edi		; void *
		push	[ebp+arg_0]	; int
		call	__CmSetDeviceMappedPropertyFromRegProp@28 ; _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000016h
		jnz	loc_869767
		jmp	loc_869703
; 

loc_90A2AE:				; CODE XREF: _CmSetDeviceMappedProperty+EFj
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_90A2CF
		cmp	eax, 1
		jz	short loc_90A2CF
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+var_4]
		push	[ebp+arg_10]	; int
		mov	ecx, [ebp+var_8]
		push	eax		; int
		push	edi		; void *
		call	__CmSetDeviceMappedPropertyFromDriverKeyRegValue@24 ; _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)
		jmp	short loc_90A2DB
; 

loc_90A2CF:				; CODE XREF: _CmSetDeviceMappedProperty+A0C0Fj
					; _CmSetDeviceMappedProperty+A0C14j
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	edi		; void *
		call	__CmDeleteDeviceMappedPropertyFromDriverKeyRegValue@12 ; _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)

loc_90A2DB:				; CODE XREF: _CmSetDeviceMappedProperty+A0C29j
		mov	esi, 0C0000016h
		jmp	loc_869726
; 

loc_90A2E5:				; CODE XREF: _CmSetDeviceMappedProperty+131j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_90A309
		cmp	eax, 1
		jz	short loc_90A309
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+var_4]
		push	[ebp+arg_10]	; int
		mov	ecx, [ebp+var_8]
		push	eax		; int
		push	edi		; void *
		push	[ebp+arg_0]	; int
		call	__CmSetDeviceMappedPropertyFromInstanceKeyRegValue@28 ;	_CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)
		jmp	short loc_90A318
; 

loc_90A309:				; CODE XREF: _CmSetDeviceMappedProperty+A0C46j
					; _CmSetDeviceMappedProperty+A0C4Bj
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	edi		; void *
		push	[ebp+arg_0]	; int
		call	__CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue@16 ; _CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x)

loc_90A318:				; CODE XREF: _CmSetDeviceMappedProperty+A0C63j
		mov	esi, eax
		test	esi, esi
		js	short loc_90A330
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	edi
		push	ebx
		push	[ebp+arg_0]
		push	1
		call	_PnpObjectRaisePropertyChangeEvent

loc_90A330:				; CODE XREF: _CmSetDeviceMappedProperty+A0C78j
		cmp	esi, 0C0000016h
		jnz	loc_869767
		jmp	loc_86974B
; END OF FUNCTION CHUNK	FOR _CmSetDeviceMappedProperty
; 
; START	OF FUNCTION CHUNK FOR EtwpQueryRegistryCallback

loc_90A341:				; CODE XREF: EtwpQueryRegistryCallback+8Aj
		mov	ebx, 0C0000017h
		jmp	loc_869822
; 

loc_90A34B:				; CODE XREF: EtwpQueryRegistryCallback+9Ej
		mov	ebx, 0C0000206h
		mov	[eax], ecx
		jmp	loc_869822
; 

loc_90A357:				; CODE XREF: EtwpQueryRegistryCallback+26j
		mov	ebx, 0C0000003h
		jmp	loc_869822
; END OF FUNCTION CHUNK	FOR EtwpQueryRegistryCallback
; 
; START	OF FUNCTION CHUNK FOR PiDcHandleDeviceEvent

loc_90A361:				; CODE XREF: PiDcHandleDeviceEvent+82j
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_8C]
		push	edi
		push	eax
		push	10h
		lea	eax, [ebp+var_68]
		push	eax
		lea	eax, [ebp+var_88]
		push	eax
		mov	eax, [ebp+var_98]
		push	offset _DEVPKEY_Device_ContainerId
		push	edi
		push	edi
		mov	edx, [eax+8]
		push	1
		mov	edx, [edx+0Ch]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_869947
		cmp	[ebp+var_88], 0Dh
		jnz	loc_869947
		cmp	[ebp+var_8C], 10h
		jnz	loc_869947
		push	ecx		; int
		lea	edx, [ebp+var_58] ; void *
		lea	ecx, [ebp+var_68] ; int
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_869947
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_8C]
		push	edi
		push	eax
		push	1
		lea	eax, [ebp+var_81]
		push	eax
		lea	eax, [ebp+var_88]
		push	eax
		push	offset _DEVPKEY_DeviceContainer_IsLocalMachine
		push	edi
		push	edi
		push	5
		lea	edx, [ebp+var_58]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_869947
		cmp	[ebp+var_88], 11h
		jnz	loc_869947
		cmp	[ebp+var_8C], 1
		jnz	loc_869947
		cmp	byte ptr [ebp+var_81], 0FFh
		jnz	short loc_90A436
		test	byte ptr [esi+14h], 1
		jz	loc_869947

loc_90A436:				; CODE XREF: PiDcHandleDeviceEvent+A0B8Cj
		lea	ecx, [ebp+var_58]
		call	_PiDcContainerRequiresConfiguration@4 ;	PiDcContainerRequiresConfiguration(x)
		mov	ebx, eax
		jmp	loc_869947
; END OF FUNCTION CHUNK	FOR PiDcHandleDeviceEvent
; 
; START	OF FUNCTION CHUNK FOR _CmIsDeviceSafeRemovalRequired

loc_90A445:				; CODE XREF: _CmIsDeviceSafeRemovalRequired+B8j
		xor	eax, eax
		mov	[ebp+var_338], eax
		jmp	loc_869A1C
; 

loc_90A452:				; CODE XREF: _CmIsDeviceSafeRemovalRequired+122j
		cmp	[ebp+var_344], 11h
		mov	cl, [ebp+var_32E]
		mov	al, cl
		mov	[ebp+var_32D], al
		jnz	loc_869A86
		cmp	[ebp+var_334], 1
		mov	[ebp+var_32D], al
		jnz	loc_869A86
		cmp	[ebp+var_32F], 0
		setnz	al
		mov	[ebp+var_32D], al
		jmp	loc_869A86
; END OF FUNCTION CHUNK	FOR _CmIsDeviceSafeRemovalRequired
; 
; START	OF FUNCTION CHUNK FOR PiDmCacheDataEncode

loc_90A495:				; CODE XREF: PiDmCacheDataEncode+AAj
		xor	eax, eax
		mov	[ebp+var_5C], eax
		jmp	loc_869B99
; 

loc_90A49F:				; CODE XREF: PiDmCacheDataEncode+38j
		mov	esi, [ebp+var_60]
		lea	edi, [ebx+4]
		movsd
		movsd
		movsd
		movsd
		mov	dword ptr [ebx], 4
		jmp	loc_869BCA
; 

loc_90A4B4:				; CODE XREF: PiDmCacheDataEncode+F1j
		mov	eax, 0C000009Ah
		jmp	loc_869BCA
; END OF FUNCTION CHUNK	FOR PiDmCacheDataEncode
; 
; START	OF FUNCTION CHUNK FOR EtwStartAutoLogger

loc_90A4BE:				; CODE XREF: EtwStartAutoLogger+177j
					; EtwStartAutoLogger+191j
		mov	esi, 0C0000017h
		jmp	loc_86A666
; 

loc_90A4C8:				; CODE XREF: EtwStartAutoLogger+2C6j
		push	eax
		lea	eax, [ebp+var_398]
		xor	esi, esi
		push	eax
		mov	[ebp+var_328], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_398]
		mov	[ebp+var_3B4], 18h
		mov	[ebp+var_3AC], eax
		lea	eax, [ebp+var_328]
		push	eax
		push	esi
		push	esi
		push	esi
		lea	eax, [ebp+var_3B4]
		mov	[ebp+var_3B0], esi
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_320]
		mov	[ebp+var_3A8], 240h
		push	eax
		mov	[ebp+var_3A4], esi
		mov	[ebp+var_3A0], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_90A570
		mov	ecx, [ebp+var_370]
		call	_EtwpCreateKeyTreeForPath@4 ; EtwpCreateKeyTreeForPath(x)
		test	eax, eax
		jnz	short loc_90A574
		lea	eax, [ebp+var_328]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_3B4]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_320]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax

loc_90A570:				; CODE XREF: EtwStartAutoLogger+A0837j
		test	esi, esi
		jz	short loc_90A57E

loc_90A574:				; CODE XREF: EtwStartAutoLogger+A0846j
		xor	eax, eax
		mov	esi, eax
		mov	[ebp+var_320], eax

loc_90A57E:				; CODE XREF: EtwStartAutoLogger+A0870j
		xor	eax, eax
		inc	eax
		cmp	[ebp+var_328], eax
		jnz	loc_869FCE
		mov	[ebp+var_330], eax
		jmp	loc_869FCE
; 

loc_90A598:				; CODE XREF: EtwStartAutoLogger+2DDj
		push	7
		xor	eax, eax
		lea	edi, [ebp+var_2E8]
		pop	ecx
		rep stosd
		lea	eax, [ebp+var_368]
		mov	[ebp+var_2F0], eax
		xor	eax, eax
		inc	eax
		push	eax
		push	ecx
		xor	eax, eax
		mov	ecx, 40000000h
		push	eax
		lea	eax, [ebp+var_304]
		push	eax
		call	RtlpQueryRegistryValues
		mov	esi, eax
		lea	edi, [ebx+0B4h]
		xor	ecx, ecx
		test	esi, esi
		jns	loc_869FE7
		mov	esi, ecx
		jmp	loc_869FE7
; 

loc_90A5E3:				; CODE XREF: EtwStartAutoLogger+79Dj
		cmp	[ebp+var_330], 0
		jnz	loc_90A715
		lea	eax, [ebx+4Ch]
		xor	esi, esi
		mov	[ebp+var_2F0], eax
		lea	eax, [ebx+30h]
		mov	[ebp+var_2D4], eax
		lea	eax, [ebx+34h]
		mov	[ebp+var_2B8], eax
		lea	eax, [ebx+44h]
		mov	[ebp+var_29C], eax
		lea	eax, [ebx+38h]
		mov	[ebp+var_280], eax
		mov	eax, [ebx+84h]
		mov	[ebp+var_264], eax
		movzx	eax, word ptr [ebx+80h]
		mov	[ebp+var_260], eax
		mov	eax, [ebp+var_378]
		mov	[ebp+var_248], eax
		mov	eax, [ebp+var_37C]
		mov	[ebp+var_244], eax
		mov	eax, [ebp+var_350]
		mov	[ebp+var_22C], eax
		mov	eax, [ebp+var_354]
		mov	[ebp+var_228], eax
		lea	eax, [ebx+28h]
		mov	[ebp+var_210], eax
		lea	eax, [ebx+3Ch]
		mov	[ebp+var_1F4], eax
		lea	eax, [ebx+40h]
		mov	[ebp+var_1D8], eax
		lea	eax, [ebp+var_36C]
		mov	[ebp+var_1BC], eax
		mov	eax, [ebp+var_380]
		mov	[ebp+var_1A0], eax
		movzx	eax, word ptr [ebp+var_384]
		mov	[ebp+var_19C], eax
		lea	eax, [ebx+60h]
		mov	[ebp+var_184], eax
		lea	eax, [ebp+var_340]
		mov	[ebp+var_168], eax
		mov	eax, [ebp+var_388]
		mov	[ebp+var_14C], eax
		movzx	eax, word ptr [ebp+var_38C]
		mov	[ebp+var_148], eax
		mov	eax, [ebp+var_358]
		mov	[ebp+var_130], eax
		mov	eax, [ebp+var_35C]
		mov	[ebp+var_12C], eax
		lea	eax, [ebp+var_344]
		mov	[ebp+var_114], eax
		mov	eax, [ebp+var_348]
		mov	[ebp+var_F8], eax
		movzx	eax, word ptr [ebp+var_34C]
		mov	[ebp+var_F4], eax
		jmp	short loc_90A758
; 

loc_90A715:				; CODE XREF: EtwStartAutoLogger+A08E8j
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_304], offset EtwpQueryRegistryCallback
		push	4
		mov	[ebp+var_2F8], eax
		xor	esi, esi
		pop	ecx
		lea	eax, [ebx+60h]
		mov	[ebp+var_2FC], offset ??_C@_1BI@MGELNINL@?$AAF?$AAi?$AAl?$AAe?$AAC?$AAo?$AAu?$AAn?$AAt?$AAe?$AAr@NNGAKEGL@
		mov	[ebp+var_2F4], ecx
		mov	[ebp+var_2F0], eax
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_B0], eax
		mov	[ebp+var_2E8], esi

loc_90A758:				; CODE XREF: EtwStartAutoLogger+A0A11j
		xor	eax, eax
		inc	eax
		push	eax
		push	ecx
		push	esi
		lea	eax, [ebp+var_304]
		mov	ecx, 40000000h
		push	eax
		call	RtlpQueryRegistryValues
		mov	[ebp+var_328], esi
		jmp	loc_86A4A5
; 

loc_90A77A:				; CODE XREF: EtwStartAutoLogger+7E0j
		mov	eax, ecx
		shr	eax, 2
		movzx	edx, ax
		test	cl, 3
		jz	short loc_90A788
		inc	edx

loc_90A788:				; CODE XREF: EtwStartAutoLogger+A0A83j
		mov	ecx, [ebp+var_324]
		push	3
		pop	eax
		mov	[ecx+2], ax
		lea	eax, [edx+1]
		mov	[ecx], ax
		inc	word ptr [ebx+0B2h]
		mov	ax, [ecx]
		add	[ebx+0B0h], ax
		cmp	word ptr [ebp+var_39C],	0
		movzx	eax, word ptr [ecx]
		mov	ecx, [ebp+var_318]
		lea	ecx, [ecx+eax*4]
		mov	[ebp+var_318], ecx
		mov	ecx, [ebp+var_324]
		jbe	short loc_90A7D4
		movzx	eax, word ptr [edi]
		lea	edi, [edi+eax*4]

loc_90A7D4:				; CODE XREF: EtwStartAutoLogger+A0ACAj
		cmp	edi, ecx
		jz	loc_86A4EE
		movzx	eax, dx
		lea	eax, ds:4[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memmove
		add	esp, 0Ch
		jmp	loc_86A4E8
; 

loc_90A7F6:				; CODE XREF: EtwStartAutoLogger+7F3j
		movzx	eax, word ptr [ebx+0B0h]
		lea	edi, [ecx+404h]
		add	eax, 2Ch
		lea	edx, [edi+4]
		lea	ecx, [ebp+var_38C]
		lea	eax, [ebx+eax*4]
		mov	[ebp+var_324], eax
		call	_EtwpParsePoolTagFilter@8 ; EtwpParsePoolTagFilter(x,x)
		movzx	ecx, ax
		mov	[ebp+var_360], ecx
		test	cx, cx
		jz	loc_86A4FB
		push	4
		lea	eax, [ecx+1]
		pop	edx
		mov	[edi+2], dx
		mov	edx, [ebp+var_318]
		mov	[edi], ax
		inc	word ptr [ebx+0B2h]
		mov	ax, [edi]
		add	[ebx+0B0h], ax
		movzx	eax, word ptr [edi]
		lea	edx, [edx+eax*4]
		mov	[ebp+var_318], edx
		cmp	[ebp+var_324], edi
		jz	loc_86A501
		movzx	eax, cx
		lea	eax, ds:4[eax*4]
		push	eax		; size_t
		push	edi		; void *
		push	[ebp+var_324]	; void *
		call	_memmove
		add	esp, 0Ch
		jmp	loc_86A4FB
; 

loc_90A88A:				; CODE XREF: EtwStartAutoLogger+806j
		movzx	eax, word ptr [ebx+0B0h]
		mov	ecx, [ebp+var_390]
		add	eax, 2Ch
		push	5
		lea	edi, [ebx+eax*4]
		pop	eax
		mov	[ecx+2], ax
		push	3
		pop	eax
		mov	[ecx], ax
		inc	word ptr [ebx+0B2h]
		mov	ax, [ecx]
		add	[ebx+0B0h], ax
		movzx	eax, word ptr [ecx]
		lea	edx, [edx+eax*4]
		mov	[ebp+var_318], edx
		cmp	edi, ecx
		jz	loc_86A50E
		push	0Ch		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memmove
		add	esp, 0Ch
		jmp	loc_86A50E
; 

loc_90A8E0:				; CODE XREF: EtwStartAutoLogger+A57j
		mov	esi, 0C0000017h
		jmp	loc_86A660
; 

loc_90A8EA:				; CODE XREF: EtwStartAutoLogger+A98j
		push	[ebp+var_320]
		jmp	loc_86A7A6
; 

loc_90A8F5:				; CODE XREF: EtwStartAutoLogger+8C3j
		mov	esi, 0C000000Dh
		jmp	loc_86A5E0
; 

loc_90A8FF:				; CODE XREF: EtwStartAutoLogger+8B6j
		mov	esi, offset _GlobalLoggerGuid
		lea	edi, [ebp+var_314]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_328]
		jmp	loc_86A5E0
; 

loc_90A919:				; CODE XREF: EtwStartAutoLogger+932j
		push	4Ch
		xor	edx, edx
		movzx	eax, ax
		pop	ecx
		div	ecx
		mov	edi, eax
		test	edx, edx
		jnz	loc_90A9DA
		mov	ecx, [ebp+var_348]
		mov	[ebp+var_360], ecx
		mov	ecx, [ebp+var_34C+2]
		sub	ecx, [ebp+var_34C]
		push	4Ch
		pop	eax
		add	ecx, eax
		mov	word ptr [ebp+var_364],	ax
		mov	word ptr [ebp+var_364+2], cx
		cmp	edi, 200h
		ja	short loc_90A9DA
		xor	eax, eax
		mov	[ebp+var_334], eax
		test	edi, edi
		jz	short loc_90A9B2
		mov	eax, [ebp+var_31C]
		mov	[ebp+var_338], eax

loc_90A978:				; CODE XREF: EtwStartAutoLogger+A0CAEj
		push	eax
		lea	eax, [ebp+var_364]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_90A9DA
		mov	ecx, [ebp+var_334]
		add	[ebp+var_360], 4Ch
		inc	ecx
		mov	eax, [ebp+var_338]
		add	eax, 10h
		mov	[ebp+var_334], ecx
		mov	[ebp+var_338], eax
		cmp	ecx, edi
		jb	short loc_90A978

loc_90A9B2:				; CODE XREF: EtwStartAutoLogger+A0C68j
		test	esi, esi
		jnz	short loc_90A9DA
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		push	[ebp+var_31C]
		push	edi
		mov	edi, [ebp+var_318]
		mov	edx, edi
		mov	ecx, [eax+1F0h]
		call	_EtwpUpdateDisallowList@16 ; EtwpUpdateDisallowList(x,x,x,x)
		jmp	loc_86A63C
; 

loc_90A9DA:				; CODE XREF: EtwStartAutoLogger+A0C25j
					; EtwStartAutoLogger+A0C5Cj ...
		mov	edi, [ebp+var_318]
		jmp	loc_86A63C
; 

loc_90A9E5:				; CODE XREF: EtwStartAutoLogger+970j
		push	esi
		call	RtlNtStatusToDosError
		mov	[ebp+var_374], eax
		mov	eax, [ebp+var_32C]
		jmp	loc_86A678
; 

loc_90A9FC:				; CODE XREF: EtwStartAutoLogger+980j
		pop	ecx
		push	ecx
		lea	eax, [ebp+var_374]
		push	eax
		push	ecx
		push	(offset	loc_8BA67D+1)
		push	edx
		jmp	loc_86A698
; 

loc_90AA11:				; CODE XREF: EtwStartAutoLogger+9B3j
		push	edx
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_86A6BB
; END OF FUNCTION CHUNK	FOR EtwStartAutoLogger
; 
; START	OF FUNCTION CHUNK FOR EtwpEnableKeyProviders

loc_90AA1C:				; CODE XREF: EtwpEnableKeyProviders+88j
		push	[ebp+arg_8]
		lea	eax, [ebp+var_40]
		mov	edx, ebx
		push	eax
		push	ecx
		lea	eax, [ebp+var_164]
		mov	ecx, esi
		push	eax
		push	0
		push	edi
		call	EtwpEnumerateKeyProviders
		jmp	loc_86A8C2
; END OF FUNCTION CHUNK	FOR EtwpEnableKeyProviders
; 
; START	OF FUNCTION CHUNK FOR EtwpEnumerateKeyProviders

loc_90AA3C:				; CODE XREF: EtwpEnumerateKeyProviders+F1j
		push	esi
		call	RtlNtStatusToDosError
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	4
		push	eax
		push	4
		push	offset ??_C@_1BK@KDBPPJPB@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAS?$AAt?$AAa?$AAt?$AAu?$AAs@NNGAKEGL@
		test	ebx, ebx
		jz	short loc_90AA59
		push	ebx
		jmp	short loc_90AA5C
; 

loc_90AA59:				; CODE XREF: EtwpEnumerateKeyProviders+A015Cj
		push	[ebp+arg_0]

loc_90AA5C:				; CODE XREF: EtwpEnumerateKeyProviders+A015Fj
		push	0
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		jmp	loc_86A9CA
; END OF FUNCTION CHUNK	FOR EtwpEnumerateKeyProviders
; 
; START	OF FUNCTION CHUNK FOR MiLogPinDriverAddressesWorker

loc_90AA68:				; CODE XREF: MiLogPinDriverAddressesWorker+56j
		mov	ecx, dword_6D35BC
		mov	[esp+0B0h+var_8C], ecx
		cmp	dword ptr [ecx], 5
		jbe	loc_90AB79
		push	4000h
		push	0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_90AB75
		mov	eax, [esp+0B0h+var_A0]
		xor	ecx, ecx
		sub	eax, [esp+0B0h+var_98]
		mov	[esp+0B0h+var_88], eax
		lea	eax, [esp+0B0h+var_88]
		mov	[esp+0B0h+var_58], eax
		lea	eax, [esp+0B0h+var_98]
		mov	[esp+0B0h+var_48], eax
		xor	eax, eax
		cmp	[esp+0B0h+var_9C], 1
		push	8
		setz	al
		mov	[esp+0B4h+var_84], ecx
		mov	[esp+0B4h+var_94], eax
		lea	eax, [esp+0B4h+var_94]
		mov	[esp+0B4h+var_38], eax
		xor	eax, eax
		cmp	edi, 1
		mov	[esp+0B4h+var_54], ecx
		pop	edx
		setz	al
		mov	[esp+0B0h+var_50], edx
		mov	[esp+0B0h+var_90], eax
		lea	eax, [esp+0B0h+var_90]
		mov	[esp+0B0h+var_28], eax
		lea	eax, [esp+0B0h+var_80]
		mov	[esp+0B0h+var_18], eax
		lea	eax, [esp+0B0h+var_78]
		push	eax
		push	7
		mov	[esp+0B8h+var_4C], ecx
		mov	[esp+0B8h+var_44], ecx
		mov	[esp+0B8h+var_3C], ecx
		mov	[esp+0B8h+var_34], ecx
		mov	[esp+0B8h+var_2C], ecx
		mov	[esp+0B8h+var_24], ecx
		mov	[esp+0B8h+var_1C], ecx
		mov	[esp+0B8h+var_7C], ecx
		mov	[esp+0B8h+var_14], ecx
		mov	[esp+0B8h+var_10], edx
		mov	edx, offset loc_41D0C8
		mov	[esp+0B8h+var_C], ecx
		push	ecx
		mov	ecx, [esp+0BCh+var_8C]
		mov	[esp+0BCh+var_98], ebx
		mov	[esp+0BCh+var_40], 4
		mov	[esp+0BCh+var_30], 4
		mov	[esp+0BCh+var_20], 4
		mov	[esp+0BCh+var_80], 1000000h
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)

loc_90AB75:				; CODE XREF: MiLogPinDriverAddressesWorker+A006Bj
		mov	eax, [esp+0B0h+var_A0]

loc_90AB79:				; CODE XREF: MiLogPinDriverAddressesWorker+A0057j
		mov	[esi], eax
		jmp	loc_86AA7A
; END OF FUNCTION CHUNK	FOR MiLogPinDriverAddressesWorker
; 
; START	OF FUNCTION CHUNK FOR MiLogPinDriverAddress

loc_90AB80:				; CODE XREF: MiLogPinDriverAddress+8Ej
		mov	ecx, [ebp+var_114]
		lea	eax, [ebp+var_148]
		mov	[ebp+var_E8], eax
		xor	edx, edx
		and	[ebp+var_CC], 0
		and	[ebp+var_C4], 0
		mov	ecx, [ecx]
		mov	eax, ecx
		shr	eax, 1
		and	eax, 1
		and	[ebp+var_BC], 0
		mov	[ebp+var_118], eax
		lea	eax, [ebp+var_118]
		mov	[ebp+var_D8], eax
		mov	eax, ecx
		shr	eax, 2
		and	eax, 1
		and	[ebp+var_B4], 0
		mov	[ebp+var_11C], eax
		lea	eax, [ebp+var_11C]
		mov	[ebp+var_C8], eax
		mov	eax, ecx
		shr	eax, 3
		and	eax, 1
		and	[ebp+var_AC], 0
		mov	[ebp+var_120], eax
		lea	eax, [ebp+var_120]
		mov	[ebp+var_B8], eax
		mov	eax, ecx
		shr	eax, 4
		and	eax, 1
		and	[ebp+var_A4], 0
		mov	[ebp+var_124], eax
		lea	eax, [ebp+var_124]
		mov	[ebp+var_A8], eax
		mov	eax, ecx
		shr	eax, 5
		and	eax, 1
		and	[ebp+var_9C], 0
		mov	[ebp+var_128], eax
		lea	eax, [ebp+var_128]
		and	[ebp+var_94], 0
		and	[ebp+var_8C], 0
		and	[ebp+var_84], 0
		and	[ebp+var_7C], 0
		and	[ebp+var_74], 0
		and	[ebp+var_6C], 0
		mov	[ebp+var_98], eax
		mov	eax, ecx
		shr	eax, 6
		and	eax, 3
		mov	[ebp+var_144], edx
		mov	[ebp+var_12C], eax
		lea	eax, [ebp+var_12C]
		mov	[ebp+var_88], eax
		mov	eax, ecx
		shr	eax, 0Ah
		and	eax, 3
		shr	ecx, 8
		mov	[ebp+var_130], eax
		and	ecx, 3
		lea	eax, [ebp+var_130]
		mov	[ebp+var_E4], edx
		push	4
		mov	[ebp+var_DC], edx
		mov	[ebp+var_D4], edx
		pop	edx
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_134]
		mov	[ebp+var_134], ecx
		xor	ecx, ecx
		mov	[ebp+var_148], 1
		mov	[ebp+var_E0], 8
		mov	[ebp+var_D0], edx
		mov	[ebp+var_C0], edx
		mov	[ebp+var_B0], edx
		mov	[ebp+var_A0], edx
		mov	[ebp+var_90], edx
		mov	[ebp+var_80], edx
		mov	[ebp+var_70], edx
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_64], ecx
		mov	[ebp+var_58], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_48], eax
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+var_10C]
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_10C]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_110]
		mov	[ebp+var_110], eax
		lea	eax, [ebp+var_110]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_150]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_108]
		push	eax
		push	10h
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	edx, offset loc_41D13E
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14C], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_50], 2
		mov	[ebp+var_150], 81000000h
		mov	[ebp+var_10], 8
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)
		jmp	loc_86AB76
; END OF FUNCTION CHUNK	FOR MiLogPinDriverAddress
; 
; START	OF FUNCTION CHUNK FOR PnpAsynchronousCall

loc_90ADAF:				; CODE XREF: PnpAsynchronousCall+2Dj
		mov	edi, [ebp+var_4]
		mov	esi, 0C000009Ah
		jmp	loc_86AC58
; END OF FUNCTION CHUNK	FOR PnpAsynchronousCall
; 
; START	OF FUNCTION CHUNK FOR NtGetNextProcess

loc_90ADBC:				; CODE XREF: NtGetNextProcess+84j
		mov	ecx, eax
		jmp	loc_86ACFC
; 

loc_90ADC3:				; CODE XREF: NtGetNextProcess+9Dj
		mov	eax, 0C000000Dh
		jmp	loc_86AE67
; 

loc_90ADCD:				; CODE XREF: NtGetNextProcess+DBj
		call	_PsGetPreviousProcess@4	; PsGetPreviousProcess(x)
		mov	esi, eax
		mov	[ebp+var_160], eax
		jmp	loc_86AD60
; 

loc_90ADDF:				; CODE XREF: NtGetNextProcess+138j
		mov	edx, edi
		mov	ecx, esi
		call	_PspSynchronizeWithProcessInsertion@8 ;	PspSynchronizeWithProcessInsertion(x,x)
		test	dword ptr [esi+0FCh], 4000000h
		jz	loc_86AE87
		mov	eax, [ebp+var_15C]
		jmp	loc_86ADB0
; 

loc_90AE03:				; CODE XREF: NtGetNextProcess+185j
		or	[ebp+var_7C], 1FFFFFh
		jmp	loc_86AE00
; END OF FUNCTION CHUNK	FOR NtGetNextProcess

;  S U B	R O U T	I N E 


sub_90AE0F	proc near		; DATA XREF: .text:006A4BD0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-170h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_90AE0F	endp


;  S U B	R O U T	I N E 


sub_90AE22	proc near		; DATA XREF: .text:006A4BD4o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-170h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-160h]
		jmp	loc_86AE55
sub_90AE22	endp

; 
; START	OF FUNCTION CHUNK FOR NtGetNextProcess

loc_90AE3D:				; CODE XREF: NtGetNextProcess+21Bj
		call	_PsGetPreviousProcess@4	; PsGetPreviousProcess(x)
		mov	esi, eax
		mov	[ebp+var_160], eax
		jmp	loc_86AEA0
; END OF FUNCTION CHUNK	FOR NtGetNextProcess

;  S U B	R O U T	I N E 


sub_90AE4F	proc near		; DATA XREF: .text:006A4BC4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-178h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_90AE4F	endp


;  S U B	R O U T	I N E 


sub_90AE62	proc near		; DATA XREF: .text:006A4BC8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-178h]
		jmp	loc_86AE67
sub_90AE62	endp

; 
; START	OF FUNCTION CHUNK FOR PpmPerfUpdateDomainPolicy

loc_90AE77:				; CODE XREF: PpmPerfUpdateDomainPolicy+4Cj
		mov	[ebp+var_3], 1
		jmp	loc_86AF94
; 

loc_90AE80:				; CODE XREF: PpmPerfUpdateDomainPolicy+59j
		mov	al, 1
		mov	[ebp+var_1], al
		jmp	loc_86AFD7
; 

loc_90AE8A:				; CODE XREF: PpmPerfUpdateDomainPolicy+89j
		and	edx, 0FFFFFFFDh
		jmp	loc_86AFD1
; 

loc_90AE92:				; CODE XREF: PpmPerfUpdateDomainPolicy+A4j
		mov	[ebp+var_8], ebx
		jmp	loc_86AFEC
; 

loc_90AE9A:				; CODE XREF: PpmPerfUpdateDomainPolicy+C2j
		mov	ds:_PpmPerfQosEnabled, al
		mov	bl, 1
		mov	[ebp+var_2], 1
		jmp	loc_86B00A
; END OF FUNCTION CHUNK	FOR PpmPerfUpdateDomainPolicy
; 
; START	OF FUNCTION CHUNK FOR PpmEventQosSupport

loc_90AEAA:				; CODE XREF: PpmEventQosSupport+42j
		xor	eax, eax
		mov	[ebp+var_14], offset _PpmPerfQosDisableReasons
		cmp	ds:_PpmPerfSchedulerDirectedPerfStatesSupported, al
		push	4
		setnz	al
		mov	[ebp+var_38], eax
		xor	eax, eax
		cmp	ds:_PpmPerfQosEnabled, al
		pop	ecx
		setnz	al
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_3C], eax
		xor	edx, edx
		lea	eax, [ebp+var_38]
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	esi
		push	edi
		push	ebx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_86B0BC
; END OF FUNCTION CHUNK	FOR PpmEventQosSupport
; 
; START	OF FUNCTION CHUNK FOR pIoQueryDeviceDescription

loc_90AF0D:				; CODE XREF: pIoQueryDeviceDescription+8Ej
		mov	edi, [edi]
		lea	eax, [edi+1]
		mov	[ebp+var_4C], eax
		jmp	loc_86B1B1
; 

loc_90AF1A:				; CODE XREF: pIoQueryDeviceDescription+190j
		push	0
		push	0
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		mov	eax, [ebx+8]
		push	edi
		push	dword ptr [eax]
		mov	eax, [ebx]
		push	[ebp+var_64]
		push	[ebp+arg_0]
		push	dword ptr [eax]
		lea	eax, [ebp+var_40]
		push	eax
		push	dword ptr [ebx+1Ch]
		call	dword ptr [ebx+18h]
		mov	esi, eax
		jmp	loc_86B30F
; 

loc_90AF45:				; CODE XREF: pIoQueryDeviceDescription+1CEj
		mov	eax, [eax]
		mov	[ebp+var_50], eax
		lea	ecx, [eax+1]
		mov	[ebp+var_58], ecx
		jmp	loc_86B2FC
; 

loc_90AF55:				; CODE XREF: pIoQueryDeviceDescription+1EAj
					; pIoQueryDeviceDescription+20Bj
		xor	esi, esi
		jmp	loc_86B30F
; 

loc_90AF5C:				; CODE XREF: pIoQueryDeviceDescription+247j
		push	0
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_2C], 0
		jmp	loc_86B319
; END OF FUNCTION CHUNK	FOR pIoQueryDeviceDescription
; 
; START	OF FUNCTION CHUNK FOR IoQueryDeviceDescription

loc_90AF6F:				; CODE XREF: IoQueryDeviceDescription+25j
		mov	eax, 0C0000002h
		jmp	loc_86B566
; END OF FUNCTION CHUNK	FOR IoQueryDeviceDescription
; 
; START	OF FUNCTION CHUNK FOR pIoQueryBusDescription

loc_90AF79:				; CODE XREF: pIoQueryBusDescription+8Cj
		mov	eax, 0C000009Ah
		jmp	loc_86B76D
; END OF FUNCTION CHUNK	FOR pIoQueryBusDescription
; 
; START	OF FUNCTION CHUNK FOR IopGetRegistryKeyInformation

loc_90AF83:				; CODE XREF: IopGetRegistryKeyInformation+4Ej
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_86B8B6
; END OF FUNCTION CHUNK	FOR IopGetRegistryKeyInformation
; 
; START	OF FUNCTION CHUNK FOR WmipSendEnableDisableRequest

loc_90AF92:				; CODE XREF: WmipSendEnableDisableRequest+8Bj
		push	70696D57h
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_14C], edi
		test	edi, edi
		jnz	short loc_90AFB8
		mov	eax, 0C000009Ah
		jmp	loc_86BA17
; 

loc_90AFB8:				; CODE XREF: WmipSendEnableDisableRequest+9F672j
		mov	edx, [ebp+var_144]
		jmp	loc_86B9D7
; 

loc_90AFC3:				; CODE XREF: WmipSendEnableDisableRequest+C7j
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86BA07
; END OF FUNCTION CHUNK	FOR WmipSendEnableDisableRequest
; 
; START	OF FUNCTION CHUNK FOR PopVerifyPowerActionPolicy

loc_90AFCF:				; CODE XREF: PopVerifyPowerActionPolicy+4Cj
		mov	al, 1
		jmp	loc_86BCD5
; 

loc_90AFD6:				; CODE XREF: PopVerifyPowerActionPolicy+57j
		xor	edx, edx
		inc	edx
		jmp	loc_86BC7F
; 

loc_90AFDE:				; CODE XREF: PopVerifyPowerActionPolicy+61j
		inc	edx
		jmp	loc_86BC89
; 

loc_90AFE4:				; CODE XREF: PopVerifyPowerActionPolicy+A4j
		cmp	[ebp+var_44], 0
		push	8
		pop	eax
		jz	loc_86BCCC
		mov	[esi], edi
		mov	eax, edi
		jmp	loc_86BCCC
; 

loc_90AFFA:				; CODE XREF: PopVerifyPowerActionPolicy+8Aj
		push	2
		pop	eax
		mov	[esi], eax
		mov	edi, eax
		jmp	loc_86BCDA
; 

loc_90B006:				; CODE XREF: PopVerifyPowerActionPolicy+BEj
		test	bl, bl
		jz	short loc_90B011
		push	3
		jmp	loc_86BD0C
; 

loc_90B011:				; CODE XREF: PopVerifyPowerActionPolicy+E2j
					; PopVerifyPowerActionPolicy+9F3E6j
		and	dword ptr [esi], 0
		mov	bh, 1
		xor	eax, eax
		jmp	loc_86BCCC
; 

loc_90B01D:				; CODE XREF: PopVerifyPowerActionPolicy+21j
					; PopVerifyPowerActionPolicy+2Fj
		xor	al, al
		jmp	loc_86BCD5
; END OF FUNCTION CHUNK	FOR PopVerifyPowerActionPolicy
; 
; START	OF FUNCTION CHUNK FOR PnpRecordBlackboxDeviceCompletionQueueInformation

loc_90B024:				; CODE XREF: PnpRecordBlackboxDeviceCompletionQueueInformation+26j
		push	48h
		pop	edi
		push	4B706E50h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_86BDE6
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	edx, [ebp+var_8]
		mov	dword ptr [esi], 1
		mov	[esi+4], edi
		mov	eax, [ebx+24h]
		push	0
		push	2710h
		sub	ecx, [eax]
		sbb	edx, [eax+4]
		push	edx
		push	ecx
		call	__aulldiv
		mov	[esi+0Ch], eax
		xor	ecx, ecx
		mov	eax, [ebx+10h]
		mov	[esi+10h], eax
		mov	eax, [ebx+8]
		mov	[esi+18h], eax
		mov	eax, _PnpDeviceEventThread
		mov	[esi+30h], eax
		mov	[esi+1Ch], ecx
		mov	[esi+28h], ebx
		mov	[esi+2Ch], ecx
		mov	[esi+34h], ecx
		mov	eax, _PnpDeviceActionThread
		mov	[esi+38h], eax
		mov	eax, _PnpDelayedRemoveWorkerThread
		mov	[esi+3Ch], ecx
		mov	[esi+40h], eax
		mov	[esi+44h], ecx
		jmp	loc_86BDE8
; 

loc_90B0B2:				; CODE XREF: PnpRecordBlackboxDeviceCompletionQueueInformation+52j
		push	4B706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86BE12
; END OF FUNCTION CHUNK	FOR PnpRecordBlackboxDeviceCompletionQueueInformation
; 
; START	OF FUNCTION CHUNK FOR LocalGetSidForString

loc_90B0C2:				; CODE XREF: LocalGetSidForString+79j
		push	eax
		call	RtlNtStatusToDosError
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	loc_86BE6E
		jmp	loc_86BE97
; END OF FUNCTION CHUNK	FOR LocalGetSidForString
; 
; START	OF FUNCTION CHUNK FOR PiSwPdoPnPDispatch

loc_90B0D8:				; CODE XREF: PiSwPdoPnPDispatch+29j
		mov	esi, 0C000000Eh
		jmp	loc_86C043
; 

loc_90B0E2:				; CODE XREF: PiSwPdoPnPDispatch+388j
		push	57706E50h
		push	8
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_90B1D0
		mov	eax, [ebp+arg_0]
		mov	ecx, eax
		mov	[edi], ebx
		mov	[edi+4], eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	esi, [ebp+arg_4]
		mov	[esi+1Ch], edi
		jmp	loc_86C011
; 

loc_90B113:				; CODE XREF: PiSwPdoPnPDispatch+58j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ebx
		mov	ebx, offset _PiSwLockObj
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	eax, [edi+4]
		mov	ecx, [ebp+arg_0]
		or	eax, 2
		mov	[edi+4], eax
		shr	eax, 3
		and	al, 1
		mov	dl, al
		call	_PiSwProcessRemove@8 ; PiSwProcessRemove(x,x)
		test	byte ptr [edi+4], 8
		jnz	short loc_90B197
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		mov	esi, [edi+28h]
		call	_PiSwUnassociateDeviceObject@4 ; PiSwUnassociateDeviceObject(x)
		or	dword ptr [esi+4], 10h
		push	edi
		call	IoDeleteDevice
		jmp	short loc_90B197
; 

loc_90B164:				; CODE XREF: PiSwPdoPnPDispatch+14Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	ebx, offset _PiSwLockObj
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	eax, [edi+4]
		mov	ecx, [ebp+arg_0]
		or	eax, 4
		mov	[edi+4], eax
		shr	eax, 3
		and	al, 1
		mov	dl, al
		call	_PiSwProcessRemove@8 ; PiSwProcessRemove(x,x)

loc_90B197:				; CODE XREF: PiSwPdoPnPDispatch+9F297j
					; PiSwPdoPnPDispatch+9F2B0j
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_86C011
; 

loc_90B1AF:				; CODE XREF: PiSwPdoPnPDispatch+2BDj
		mov	ecx, [edi]
		xor	dl, dl
		call	PiSwDeviceInterfacesUpdateState
		jmp	loc_86C030
; 

loc_90B1BD:				; CODE XREF: PiSwPdoPnPDispatch+145j
		movzx	esi, byte ptr [edx+4]
		neg	esi
		sbb	esi, esi
		and	esi, 0C00000BBh
		jmp	loc_86C043
; 

loc_90B1D0:				; CODE XREF: PiSwPdoPnPDispatch+2E1j
					; PiSwPdoPnPDispatch+9F241j
		mov	esi, 0C000009Ah
		jmp	loc_86C043
; 

loc_90B1DA:				; CODE XREF: PiSwPdoPnPDispatch+226j
		mov	esi, 0C000009Ah
		jmp	loc_86C030
; 

loc_90B1E4:				; CODE XREF: PiSwPdoPnPDispatch+9Dj
					; PiSwPdoPnPDispatch+1CAj ...
		mov	esi, 0C000000Eh
		jmp	loc_86C030
; END OF FUNCTION CHUNK	FOR PiSwPdoPnPDispatch
; 
; START	OF FUNCTION CHUNK FOR SepDeReferenceLogonSession

loc_90B1EE:				; CODE XREF: SepDeReferenceLogonSession+8Ej
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_86C3AB
; 

loc_90B1F8:				; CODE XREF: SepDeReferenceLogonSession+154j
		cmp	[esi+10h], edi
		jz	loc_86C2F4
		jmp	loc_86C39E
; 

loc_90B206:				; CODE XREF: SepDeReferenceLogonSession+F6j
		call	_SepDeleteClaimAttributes@4 ; SepDeleteClaimAttributes(x)
		mov	[esi+40h], edi
		jmp	loc_86C340
; 

loc_90B213:				; CODE XREF: SepDeReferenceLogonSession+53j
					; SepDeReferenceLogonSession+13Dj
		mov	ecx, edi
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	edi, edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	46h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_90B22D:				; CODE XREF: SepInformLsaOfDeletedLogon+11j
		push	774C6553h
		push	30h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_86C3D9
		test	edi, edi
		jz	loc_86C41C
		mov	edx, 734C6553h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		jmp	loc_86C41C
; END OF FUNCTION CHUNK	FOR SepDeReferenceLogonSession
; 
; START	OF FUNCTION CHUNK FOR SepInformLsaOfDeletedLogon

loc_90B25E:				; CODE XREF: SepInformLsaOfDeletedLogon+54j
		test	edi, edi
		jz	short loc_90B26E
		mov	edx, 734C6553h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_90B26E:				; CODE XREF: SepInformLsaOfDeletedLogon+9EE9Ej
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86C41C
; END OF FUNCTION CHUNK	FOR SepInformLsaOfDeletedLogon
; 
; START	OF FUNCTION CHUNK FOR ObDestroyHandleRevocationBlock

loc_90B27A:				; CODE XREF: ObDestroyHandleRevocationBlock+21j
		push	1
		mov	ecx, edi
		mov	edx, esi
		mov	edi, [edi]
		push	0
		call	_ObpHandleRevocationBlockRemoveInsertedObject@16 ; ObpHandleRevocationBlockRemoveInsertedObject(x,x,x,x)
		jmp	loc_86C443
; END OF FUNCTION CHUNK	FOR ObDestroyHandleRevocationBlock
; 
; START	OF FUNCTION CHUNK FOR SepCleanupLUIDDeviceMapDirectory

loc_90B28E:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+58j
		mov	eax, 0C000000Dh
		jmp	loc_86C70B
; 

loc_90B298:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+7Cj
		mov	ecx, ds:_PsInitialSystemProcess
		lea	eax, [esp+100h+var_A0]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		jmp	loc_86C4FC
; 

loc_90B2AF:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+113j
		push	edi
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		cmp	[esp+100h+var_ED], bl
		jmp	loc_86C703
; 

loc_90B2BE:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory:loc_86C703j
		xor	edx, edx
		lea	ecx, [esp+100h+var_A0]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_86C709
; 

loc_90B2CE:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+2C0j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86C72C
; 

loc_90B2DB:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+212j
		push	[esp+100h+var_E4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_86C68A
; 

loc_90B2E9:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+1C3j
		and	[esp+100h+var_E8], 0
		test	edi, edi
		jz	short loc_90B307
		mov	ebx, [esp+100h+var_E8]

loc_90B2F6:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+9EE9Bj
		push	dword ptr [esi+ebx*4]
		call	_ZwClose@4	; ZwClose(x)
		inc	ebx
		cmp	ebx, edi
		jb	short loc_90B2F6
		mov	ebx, [esp+100h+var_D0]

loc_90B307:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+9EE8Aj
		mov	edi, [esp+100h+var_D4]
		push	0
		add	edi, 14h
		push	esi
		mov	[esp+108h+var_D4], edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	61486553h
		mov	eax, edi
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+100h+var_E8], eax
		test	esi, esi
		jnz	loc_86C59E
		mov	edi, [esp+100h+var_D8]

loc_90B33E:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+132j
		push	[esp+100h+var_EC]
		call	_ZwClose@4	; ZwClose(x)
		test	ebx, ebx
		jz	short loc_90B353
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90B353:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+9EEE3j
		push	edi
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		cmp	[esp+100h+var_ED], 0
		jnz	short loc_90B36B
		xor	edx, edx
		lea	ecx, [esp+100h+var_A0]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_90B36B:				; CODE XREF: SepCleanupLUIDDeviceMapDirectory+9EEF8j
		mov	eax, 0C0000017h
		jmp	loc_86C70B
; END OF FUNCTION CHUNK	FOR SepCleanupLUIDDeviceMapDirectory
; 
; START	OF FUNCTION CHUNK FOR SepInformFileSystemsOfDeletedLogon

loc_90B375:				; CODE XREF: SepInformFileSystemsOfDeletedLogon+30j
		mov	edx, 53466553h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		jmp	loc_86C798
; END OF FUNCTION CHUNK	FOR SepInformFileSystemsOfDeletedLogon
; 
; START	OF FUNCTION CHUNK FOR WdipSemEnableScenario

loc_90B386:				; CODE XREF: WdipSemEnableScenario+37j
					; WdipSemEnableScenario+3Fj
		mov	esi, 0C000000Dh
		jmp	loc_86C8CC
; 

loc_90B390:				; CODE XREF: WdipSemEnableScenario+5Aj
		mov	[ebp+var_1], 1
		jmp	loc_86C86B
; 

loc_90B399:				; CODE XREF: WdipSemEnableScenario+FEj
		mov	edx, [ebp+var_C]
		mov	ecx, offset _WDI_SEM_EVENT_SCENARIO_START_FAILED
		push	esi
		push	edi
		push	[ebp+var_8]
		call	_WdipSemWriteSemFailureEvent@20	; WdipSemWriteSemFailureEvent(x,x,x,x,x)
		jmp	loc_86C8EA
; 

loc_90B3B0:				; CODE XREF: WdipSemEnableScenario+108j
		mov	ecx, ebx
		call	_WdipSemDeleteTransitionalInstance@4 ; WdipSemDeleteTransitionalInstance(x)
		jmp	loc_86C89A
; 

loc_90B3BC:				; CODE XREF: WdipSemEnableScenario+D2j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		cmp	_WdipSemEnabled, 0
		jz	short loc_90B3E1
		call	_WdipSemShutdown@0 ; WdipSemShutdown()

loc_90B3E1:				; CODE XREF: WdipSemEnableScenario+9EBF4j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_86C8BE
; END OF FUNCTION CHUNK	FOR WdipSemEnableScenario
; 
; START	OF FUNCTION CHUNK FOR WdipSemEnableContextProvider

loc_90B3FB:				; CODE XREF: WdipSemEnableContextProvider+2Dj
		mov	[ebp+var_8], 0C000000Dh
		jmp	loc_86CA93
; 

loc_90B407:				; CODE XREF: WdipSemEnableContextProvider+FFj
		cmp	edx, [ebp+var_10]
		jz	loc_86CA90
		jmp	loc_86CA4F
; END OF FUNCTION CHUNK	FOR WdipSemEnableContextProvider
; 
; START	OF FUNCTION CHUNK FOR WdipSemReserveInstanceTableEntry

loc_90B415:				; CODE XREF: WdipSemReserveInstanceTableEntry+35j
		mov	dx, [ebx+10h]
		mov	ecx, ebx
		push	edi
		call	_WdipSemLogInflightLimitExceededInformation@12 ; WdipSemLogInflightLimitExceededInformation(x,x,x)
		jmp	loc_86CB46
; END OF FUNCTION CHUNK	FOR WdipSemReserveInstanceTableEntry
; 
; START	OF FUNCTION CHUNK FOR PopVerifySystemPowerState

loc_90B426:				; CODE XREF: PopVerifySystemPowerState+2Aj
		cmp	edx, 2
		jz	loc_86CD02
		jmp	loc_86CCBB
; 

loc_90B434:				; CODE XREF: PopVerifySystemPowerState+54j
					; PopVerifySystemPowerState+63j
		call	_PopIsHibernateSupported@4 ; PopIsHibernateSupported(x)
		test	al, al
		jnz	loc_86CCBB
		push	4
		pop	esi
		jmp	loc_86CCA9
; 

loc_90B449:				; CODE XREF: PopVerifySystemPowerState+41j
		push	3
		pop	esi
		jmp	loc_86CCDC
; 

loc_90B451:				; CODE XREF: PopVerifySystemPowerState+6Bj
		cmp	byte ptr word_6C2E24, 0
		jnz	loc_86CCBB
		push	2
		pop	esi
		jmp	loc_86CCE5
; 

loc_90B466:				; CODE XREF: PopVerifySystemPowerState+B3j
					; PopVerifySystemPowerState+C5j
		cmp	esi, 5
		jnz	loc_86CCBB
		test	al, al
		jz	short loc_90B496
		cmp	byte_6C2E26, 0
		jz	short loc_90B489
		cmp	byte_6C2E28, 0
		jnz	loc_86CCBB

loc_90B489:				; CODE XREF: PopVerifySystemPowerState+9E806j
		call	_PopIsHibernateSupported@4 ; PopIsHibernateSupported(x)
		test	al, al
		jnz	loc_86CCBB

loc_90B496:				; CODE XREF: PopVerifySystemPowerState+9E7FDj
		mov	esi, ebx
		jmp	loc_86CCBB
; END OF FUNCTION CHUNK	FOR PopVerifySystemPowerState
; 
; START	OF FUNCTION CHUNK FOR WmipProcessEvent

loc_90B49D:				; CODE XREF: WmipProcessEvent+1Aj
		call	_WmipDereferenceEvent@4	; WmipDereferenceEvent(x)
		mov	ebx, eax
		mov	[ebp+var_C], eax
		test	ebx, ebx
		jnz	short loc_90B4C1
		cmp	[ebp+arg_0], al
		jz	short loc_90B4B7
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90B4B7:				; CODE XREF: WmipProcessEvent+9E71Cj
		mov	eax, 0C0000001h
		jmp	loc_86CDF4
; 

loc_90B4C1:				; CODE XREF: WmipProcessEvent+9E717j
		mov	esi, ebx
		jmp	loc_86CDB9
; 

loc_90B4C8:				; CODE XREF: WmipProcessEvent+2Bj
		mov	edx, [esi]
		mov	ecx, esi
		call	_WmipIncludeStaticNames@8 ; WmipIncludeStaticNames(x,x)
		mov	esi, eax
		jmp	loc_86CDC3
; 

loc_90B4D8:				; CODE XREF: WmipProcessEvent+51j
		cmp	esi, ebx
		jz	loc_86CDE9
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86CDE9
; 

loc_90B4ED:				; CODE XREF: WmipProcessEvent+59j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86CDF1
; END OF FUNCTION CHUNK	FOR WmipProcessEvent
; 
; START	OF FUNCTION CHUNK FOR PiDmCacheDataFree

loc_90B4FA:				; CODE XREF: PiDmCacheDataFree+13j
		mov	ecx, [edi+8]
		call	PiDmObjectRelease
		jmp	loc_86CEBF
; 

loc_90B507:				; CODE XREF: PiDmCacheDataFree+Aj
		push	5A706E50h
		push	dword ptr [edi+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86CEBF
; END OF FUNCTION CHUNK	FOR PiDmCacheDataFree
; 
; START	OF FUNCTION CHUNK FOR LdrResGetRCConfig

loc_90B519:				; CODE XREF: LdrResGetRCConfig+71j
		mov	eax, [ebp+var_34]
		mov	ecx, [ebp+var_30]

loc_90B51F:				; CODE XREF: LdrResGetRCConfig+57j
		test	edi, edi
		jnz	short loc_90B53B
		test	eax, eax
		jnz	short loc_90B53B
		push	ecx
		push	[ebp+arg_4]
		lea	edx, [ebp+var_38]
		call	_LdrpResGetMappingSize@16 ; LdrpResGetMappingSize(x,x,x,x)
		test	eax, eax
		js	loc_86D06A

loc_90B53B:				; CODE XREF: LdrResGetRCConfig+9E539j
					; LdrResGetRCConfig+9E53Dj
		or	esi, 200030h
		push	ebx
		push	ebx
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	3
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		mov	edx, [ebp+var_38]
		mov	ecx, [ebp+var_30]
		call	LdrpResSearchResourceMappedFile
		mov	edi, eax
		test	edi, edi
		js	loc_90B713
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [ebp+var_2C]
		cmp	[ebp+var_34], 0
		jnz	loc_90B6D4
		mov	edx, [esi+4]
		mov	ecx, [ebp+var_30]
		and	ecx, 0FFFFFFFCh
		add	ecx, [ebp+var_38]
		lea	eax, [edx+esi]
		cmp	eax, ecx
		jbe	short loc_90B59E
		mov	edi, 0C000007Bh
		mov	[ebp+var_3C], edi

loc_90B592:				; CODE XREF: LdrResGetRCConfig+9E5C8j
					; LdrResGetRCConfig+9E5CCj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_90B720
; 

loc_90B59E:				; CODE XREF: LdrResGetRCConfig+9E5A0j
		mov	edi, 0C00B0003h
		mov	[ebp+var_3C], edi
		mov	ecx, [esi+44h]
		mov	eax, [esi+48h]
		add	eax, ecx
		cmp	eax, edx
		ja	short loc_90B592
		cmp	eax, ecx
		jb	short loc_90B592
		mov	ecx, [esi+4Ch]
		mov	eax, [esi+50h]
		add	eax, ecx
		cmp	eax, edx
		ja	short loc_90B592
		cmp	eax, ecx
		jb	short loc_90B592
		mov	ecx, [esi+54h]
		mov	eax, [esi+58h]
		add	eax, ecx
		cmp	eax, edx
		ja	short loc_90B592
		cmp	eax, ecx
		jb	short loc_90B592
		mov	ecx, [esi+5Ch]
		mov	eax, [esi+60h]
		add	eax, ecx
		cmp	eax, edx
		ja	short loc_90B592
		cmp	eax, ecx
		jb	short loc_90B592
		mov	ecx, [esi+64h]
		mov	eax, [esi+68h]
		add	eax, ecx
		cmp	eax, edx
		ja	short loc_90B592
		cmp	eax, ecx
		jb	short loc_90B592
		mov	ecx, [esi+6Ch]
		mov	eax, [esi+70h]
		add	eax, ecx
		cmp	eax, edx
		ja	short loc_90B592
		cmp	eax, ecx
		jb	short loc_90B592
		mov	ecx, [esi+74h]
		mov	eax, [esi+78h]
		add	eax, ecx
		cmp	eax, edx
		ja	short loc_90B592
		cmp	eax, ecx
		jb	loc_90B592
		mov	ecx, [esi+7Ch]
		mov	eax, [esi+80h]
		add	eax, ecx
		cmp	eax, edx
		ja	loc_90B592
		cmp	eax, ecx
		jb	loc_90B592
		cmp	dword ptr [esi], 0FECDFECDh
		jnz	loc_90B592
		cmp	edx, [ebp+var_40]
		jnz	loc_90B592
		cmp	dword ptr [esi+8], 10000h
		jnz	loc_90B592
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_90B66E
		push	7
		pop	edx
		call	_CheckOneBitValidFlag@8	; CheckOneBitValidFlag(x,x)
		test	al, al
		jz	loc_90B592

loc_90B66E:				; CODE XREF: LdrResGetRCConfig+9E674j
		mov	eax, [esi+10h]
		mov	[ebp+var_34], eax
		mov	ecx, eax
		and	ecx, 0FFFFFFCFh
		push	3
		pop	edx
		call	_CheckOneBitValidFlag@8	; CheckOneBitValidFlag(x,x)
		test	al, al
		jz	loc_90B592
		mov	ecx, [ebp+var_34]
		and	ecx, 0FFFFFFFCh
		push	30h
		pop	edx
		call	_CheckOneBitValidFlag@8	; CheckOneBitValidFlag(x,x)
		test	al, al
		jz	loc_90B592
		test	byte ptr [ebp+var_34], 1
		jz	short loc_90B6D1
		push	3
		pop	edx
		mov	ecx, [esi+18h]
		call	_CheckOneBitValidFlag@8	; CheckOneBitValidFlag(x,x)
		test	al, al
		jz	loc_90B592
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jz	short loc_90B6D1
		mov	edx, 100h
		call	_CheckOneBitValidFlag@8	; CheckOneBitValidFlag(x,x)
		test	al, al
		jz	loc_90B592

loc_90B6D1:				; CODE XREF: LdrResGetRCConfig+9E6BBj
					; LdrResGetRCConfig+9E6D5j
		mov	[ebp+var_3C], ebx

loc_90B6D4:				; CODE XREF: LdrResGetRCConfig+9E589j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_44]
		test	eax, eax
		jz	short loc_90B6E4
		mov	[eax], esi

loc_90B6E4:				; CODE XREF: LdrResGetRCConfig+9E6F8j
		mov	edi, ebx
		jmp	short loc_90B72E
; END OF FUNCTION CHUNK	FOR LdrResGetRCConfig

;  S U B	R O U T	I N E 


sub_90B6E8	proc near		; DATA XREF: .text:006A4BECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90B6E8	endp


;  S U B	R O U T	I N E 


sub_90B6F6	proc near		; DATA XREF: .text:006A4BF0o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-48h]
		mov	[ebp-3Ch], edi
		xor	ebx, ebx
		mov	[ebp-2Ch], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4Ch]
		mov	[ebp-30h], eax
		jmp	short loc_90B720
sub_90B6F6	endp

; 
; START	OF FUNCTION CHUNK FOR LdrResGetRCConfig

loc_90B713:				; CODE XREF: LdrResGetRCConfig+9E579j
		cmp	edi, 0C000007Bh
		jz	short loc_90B720
		mov	edi, 0C000008Ah

loc_90B720:				; CODE XREF: LdrResGetRCConfig+9E5B1j
					; sub_90B6F6+1Bj ...
		test	edi, edi
		jns	short loc_90B72B
		mov	esi, ebx
		mov	[ebp+var_2C], esi
		jmp	short loc_90B72E
; 

loc_90B72B:				; CODE XREF: LdrResGetRCConfig+9E73Aj
		mov	esi, [ebp+var_2C]

loc_90B72E:				; CODE XREF: LdrResGetRCConfig+9E6FEj
					; LdrResGetRCConfig+9E741j
		cmp	[ebp+arg_8], 0
		jz	loc_86D068
		test	esi, esi
		jnz	short loc_90B73F
		or	esi, 0FFFFFFFFh

loc_90B73F:				; CODE XREF: LdrResGetRCConfig+9E752j
		push	ebx
		push	edi
		push	2
		push	ebx
		push	esi
		push	ebx
		xor	edx, edx
		mov	ecx, [ebp+var_30]
		call	LdrpSetAlternateResourceModuleHandle
		jmp	loc_86D068
; END OF FUNCTION CHUNK	FOR LdrResGetRCConfig
; 

loc_90B755:				; CODE XREF: PAGE:0086D0CFj
		mov	esi, 0C0000061h
		jmp	short loc_90B786
; 

loc_90B75C:				; CODE XREF: PAGE:0086D0F6j
		lea	eax, [ebp-44h]
		push	eax
		call	SeReleaseSubjectContext
		cmp	esi, 0C0000008h
		jz	short loc_90B78F
		push	esi
		jmp	short loc_90B775
; 

loc_90B770:				; CODE XREF: PAGE:0090B814j
		push	0C000009Ah

loc_90B775:				; CODE XREF: PAGE:0090B76Ej
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	short loc_90B78F
; 

loc_90B77C:				; CODE XREF: PAGE:0086D10Fj
		call	ObfDereferenceObject
		mov	esi, 0C00000A5h

loc_90B786:				; CODE XREF: PAGE:0090B75Aj
		lea	eax, [ebp-44h]
		push	eax
		call	SeReleaseSubjectContext

loc_90B78F:				; CODE XREF: PAGE:0090B76Bj
					; PAGE:0090B77Aj ...
		mov	eax, esi
		jmp	loc_86D210
; 

loc_90B796:				; CODE XREF: PAGE:0086D145j
		mov	edx, eax
		jmp	loc_86D14B
; 

loc_90B79D:				; CODE XREF: PAGE:0086D15Aj
		mov	esi, 0C000000Dh
		jmp	short loc_90B7A9
; 

loc_90B7A4:				; CODE XREF: PAGE:0086D19Bj
		mov	esi, 0C000009Ah

loc_90B7A9:				; CODE XREF: PAGE:0090B7A2j
		mov	[ebp-20h], esi
		jmp	loc_86D1B5
; 

loc_90B7B1:				; CODE XREF: PAGE:0086D179j
					; PAGE:0086D181j
		mov	[edx], bl
		jmp	loc_86D187
; 

loc_90B7B8:				; DATA XREF: .text:006A4C0Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_90B7C6:				; DATA XREF: .text:006A4C10o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-30h]
		mov	[ebp-20h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		jmp	loc_86D1BC
; 

loc_90B7DD:				; CODE XREF: PAGE:0086D1C1j
		test	edi, edi
		jz	short loc_90B7E8
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90B7E8:				; CODE XREF: PAGE:0090B7DFj
		cmp	dword ptr [ebp-28h], 0
		jz	short loc_90B7F7
		push	ebx
		push	dword ptr [ebp-28h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90B7F7:				; CODE XREF: PAGE:0090B7ECj
		lea	eax, [ebp-44h]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [ebp-1Ch]
		call	ObfDereferenceObject
		cmp	esi, 0C000009Ah
		jnz	loc_90B78F
		jmp	loc_90B770
; 
; START	OF FUNCTION CHUNK FOR PoCreatePowerRequest

loc_90B819:				; CODE XREF: PoCreatePowerRequest+33j
					; PoCreatePowerRequest+48j
		cmp	[ebp+var_4], 0
		jz	loc_86D27F
		mov	ecx, [ebp+var_4]
		call	_PoDestroyReasonContext@4 ; PoDestroyReasonContext(x)
		jmp	loc_86D27F
; END OF FUNCTION CHUNK	FOR PoCreatePowerRequest

;  S U B	R O U T	I N E 


sub_90B830	proc near		; DATA XREF: .text:006A4C2Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90B830	endp


;  S U B	R O U T	I N E 


sub_90B83E	proc near		; DATA XREF: .text:006A4C30o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_86D3D5
sub_90B83E	endp


;  S U B	R O U T	I N E 


sub_90B850	proc near		; DATA XREF: .text:006A4C38o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_90B850	endp


;  S U B	R O U T	I N E 


sub_90B856	proc near		; DATA XREF: .text:006A4C3Co
		mov	esp, [ebp-18h]
		jmp	loc_86D3CB
sub_90B856	endp

; 
; START	OF FUNCTION CHUNK FOR RtlOemStringToUnicodeString

loc_90B85E:				; CODE XREF: RtlOemStringToUnicodeString+1Ej
		mov	eax, 0C00000F0h
		jmp	loc_86D4D8
; END OF FUNCTION CHUNK	FOR RtlOemStringToUnicodeString

;  S U B	R O U T	I N E 


sub_90B868	proc near		; DATA XREF: .text:006A4C58o
		mov	edi, [ebp+8]
		mov	ebx, [ebp-1Ch]
		jmp	sub_86D502
sub_90B868	endp

; 
; START	OF FUNCTION CHUNK FOR sub_86D502

loc_90B873:				; CODE XREF: sub_86D502+4j
					; sub_86D502+Cj
		cmp	byte ptr [ebp+10h], 0
		jz	locret_86D514
		push	dword ptr [edi+4]
		call	_ExFreePool@4	; ExFreePool(x)
		and	dword ptr [edi+4], 0
		retn
; END OF FUNCTION CHUNK	FOR sub_86D502
; 
; START	OF FUNCTION CHUNK FOR RtlOemStringToUnicodeString

loc_90B88A:				; CODE XREF: RtlOemStringToUnicodeString+46j
					; RtlOemStringToUnicodeString+4Fj
		mov	eax, 80000005h
		jmp	loc_86D4D8
; END OF FUNCTION CHUNK	FOR RtlOemStringToUnicodeString
; 
; START	OF FUNCTION CHUNK FOR RtlOemToUnicodeN

loc_90B894:				; CODE XREF: RtlOemToUnicodeN+10j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_90B89E
		lea	eax, [ebp+arg_8]

loc_90B89E:				; CODE XREF: RtlOemToUnicodeN+9E37Fj
		xor	esi, esi
		cmp	[ebp+arg_10], esi
		jnz	short loc_90B8A9
		mov	[eax], esi
		jmp	short loc_90B8C7
; 

loc_90B8A9:				; CODE XREF: RtlOemToUnicodeN+9E389j
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	RtlUTF8ToUnicodeN
		cmp	eax, 0C0000023h
		jnz	short loc_90B8C7
		mov	esi, 80000005h

loc_90B8C7:				; CODE XREF: RtlOemToUnicodeN+9E38Dj
					; RtlOemToUnicodeN+9E3A6j
		mov	eax, esi
		jmp	loc_86D591
; 

loc_90B8CE:				; CODE XREF: RtlOemToUnicodeN+29j
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		mov	eax, ds:_NlsMbOemCodePageTables
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_90B940
		mov	ebx, [ebp+arg_C]

loc_90B8E5:				; CODE XREF: RtlOemToUnicodeN+9E417j
		test	edx, edx
		jz	short loc_90B93D
		movzx	ecx, byte ptr [ebx]
		dec	edi
		mov	[ebp+arg_4], edi
		dec	edx
		movzx	eax, ds:_NlsOemLeadByteInfoTable[ecx*2]
		mov	edi, eax
		mov	[ebp+arg_10], edi
		mov	edi, [ebp+arg_4]
		test	ax, ax
		jz	short loc_90B91D
		test	edx, edx
		jz	short loc_90B935
		inc	ebx
		movzx	eax, ax
		dec	edx
		movzx	ecx, byte ptr [ebx]
		add	ecx, eax
		mov	eax, [ebp+var_4]
		movzx	ecx, word ptr [eax+ecx*2]
		jmp	short loc_90B926
; 

loc_90B91D:				; CODE XREF: RtlOemToUnicodeN+9E3EAj
		mov	eax, ds:_NlsOemToUnicodeData
		movzx	ecx, word ptr [eax+ecx*2]

loc_90B926:				; CODE XREF: RtlOemToUnicodeN+9E401j
		inc	ebx
		mov	[esi], cx
		lea	eax, [esi+2]
		mov	esi, eax
		test	edi, edi
		jnz	short loc_90B8E5
		jmp	short loc_90B93D
; 

loc_90B935:				; CODE XREF: RtlOemToUnicodeN+9E3EEj
		xor	eax, eax
		mov	[esi], ax
		add	esi, 2

loc_90B93D:				; CODE XREF: RtlOemToUnicodeN+9E3CDj
					; RtlOemToUnicodeN+9E419j
		mov	ecx, [ebp+arg_0]

loc_90B940:				; CODE XREF: RtlOemToUnicodeN+9E3C6j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_86D586
		sub	esi, ecx
		mov	[eax], esi
		jmp	loc_86D586
; END OF FUNCTION CHUNK	FOR RtlOemToUnicodeN
; 
; START	OF FUNCTION CHUNK FOR _CmSetDeviceInterfaceMappedProperty

loc_90B954:				; CODE XREF: _CmSetDeviceInterfaceMappedProperty+88j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_90B978
		cmp	eax, 1
		jz	short loc_90B978
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+var_4]
		push	[ebp+arg_10]	; int
		mov	ecx, [ebp+var_8]
		push	eax		; int
		push	ebx		; void *
		push	[ebp+arg_0]	; int
		call	__CmSetDeviceInterfaceMappedPropertyFromRegValue@28 ; _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)
		jmp	short loc_90B987
; 

loc_90B978:				; CODE XREF: _CmSetDeviceInterfaceMappedProperty+9E395j
					; _CmSetDeviceInterfaceMappedProperty+9E39Aj
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	ebx		; void *
		push	[ebp+arg_0]	; int
		call	__CmDeleteDeviceInterfaceMappedPropertyFromRegValue@16 ; _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)

loc_90B987:				; CODE XREF: _CmSetDeviceInterfaceMappedProperty+9E3B2j
		mov	esi, eax
		test	esi, esi
		js	short loc_90B99F
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	ebx
		push	edi
		push	[ebp+arg_0]
		push	3
		call	_PnpObjectRaisePropertyChangeEvent

loc_90B99F:				; CODE XREF: _CmSetDeviceInterfaceMappedProperty+9E3C7j
		cmp	esi, 0C0000016h
		jnz	loc_86D620
		jmp	loc_86D607
; END OF FUNCTION CHUNK	FOR _CmSetDeviceInterfaceMappedProperty
; 
; START	OF FUNCTION CHUNK FOR SepCreateLogonSessionTrack

loc_90B9B0:				; CODE XREF: SepCreateLogonSessionTrack+21j
		mov	eax, 0C000009Ah
		jmp	loc_86D75A
; 

loc_90B9BA:				; CODE XREF: SepCreateLogonSessionTrack+5Dj
		lea	eax, [esi+64h]
		mov	[eax+4], eax
		mov	[eax], eax
		jmp	loc_86D6E9
; 

loc_90B9C7:				; CODE XREF: SepCreateLogonSessionTrack+E3j
		mov	eax, [ebx+4]
		cmp	eax, [edi+8]
		jnz	loc_86D76F
		mov	ecx, [ebp+var_8]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C00000EEh
		jmp	loc_86D75A
; 

loc_90B9F9:				; CODE XREF: SepCreateLogonSessionTrack+ACj
		mov	edx, 734C6553h
		mov	ecx, eax
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_4]
		jmp	loc_86D738
; END OF FUNCTION CHUNK	FOR SepCreateLogonSessionTrack
; 
; START	OF FUNCTION CHUNK FOR NtNotifyChangeSession

loc_90BA0D:				; CODE XREF: NtNotifyChangeSession+6Ej
		mov	eax, 0C00000F4h
		jmp	loc_86D942
; 

loc_90BA17:				; CODE XREF: NtNotifyChangeSession:loc_86DA1Ej
		sub	eax, edi
		cmp	eax, 0FFFFFFFDh
		jb	loc_86D89F
		jmp	loc_86DA24
; 

loc_90BA27:				; CODE XREF: NtNotifyChangeSession+208j
					; NtNotifyChangeSession+210j
		mov	[edx], bl
		jmp	loc_86D9DE	; void *
; 

loc_90BA2E:				; CODE XREF: NtNotifyChangeSession+234j
		lea	edi, [ebp+var_11C]
		mov	[ebp+var_12C], edi
		mov	eax, edi
		push	eax		; void *
		call	_memcpy
		mov	[ebp+var_11E], 1
		jmp	loc_86DA0F
; END OF FUNCTION CHUNK	FOR NtNotifyChangeSession

;  S U B	R O U T	I N E 


sub_90BA4E	proc near		; DATA XREF: .text:006A4C74o
		xor	eax, eax
		inc	eax
		retn
sub_90BA4E	endp


;  S U B	R O U T	I N E 


sub_90BA52	proc near		; DATA XREF: .text:006A4C78o
		mov	esp, [ebp-18h]
		xor	ebx, ebx
		cmp	[ebp-12Ch], ebx
		jz	short loc_90BA74
		cmp	byte ptr [ebp-11Dh], 1
		jnz	short loc_90BA74
		push	ebx
		push	dword ptr [ebp-12Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90BA74:				; CODE XREF: sub_90BA52+Bj
					; sub_90BA52+14j
		mov	edi, ebx
		mov	[ebp-12Ch], edi
		mov	esi, ebx
		jmp	loc_86DA12
sub_90BA52	endp

; 
; START	OF FUNCTION CHUNK FOR NtNotifyChangeSession

loc_90BA83:				; CODE XREF: NtNotifyChangeSession+1EEj
		mov	edi, [ebp+arg_C]
		cmp	edi, 1
		jz	short loc_90BAC6
		cmp	edi, 2
		jz	short loc_90BAC6
		push	6E536F49h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_90BABF
		mov	[ebp+var_11D], 1
		push	esi		; size_t
		push	[ebp+var_128]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_86D8CA
; 

loc_90BABF:				; CODE XREF: NtNotifyChangeSession+9E2D9j
		mov	[ebp+var_11E], 1

loc_90BAC6:				; CODE XREF: NtNotifyChangeSession+9E2C1j
					; NtNotifyChangeSession+9E2C6j
		mov	edi, [ebp+var_128]
		jmp	loc_86D8CA
; 

loc_90BAD1:				; CODE XREF: NtNotifyChangeSession+1D9j
		cmp	[ebp+var_11D], 1
		jnz	loc_86D9A7
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86D9A7
; END OF FUNCTION CHUNK	FOR NtNotifyChangeSession
; 
; START	OF FUNCTION CHUNK FOR ObpSetDeviceMap

loc_90BAEA:				; CODE XREF: ObpSetDeviceMap+46j
		mov	esi, 0C000000Dh
		jmp	short loc_90BAF6
; 

loc_90BAF1:				; CODE XREF: ObpSetDeviceMap+5Ej
		mov	esi, 0C000009Ah

loc_90BAF6:				; CODE XREF: ObpSetDeviceMap+9E057j
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, esi
		jmp	loc_86DBD3
; 

loc_90BB04:				; CODE XREF: ObpSetDeviceMap+9Aj
		mov	ecx, edi
		call	ObfDereferenceObject
		push	6D44624Fh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_4]
		jmp	loc_86DBD3
; 

loc_90BB1E:				; CODE XREF: ObpSetDeviceMap+A7j
		mov	edx, 6D44624Fh
		call	ObfReferenceObjectWithTag
		mov	ecx, [ebp+var_4]
		mov	[esi+34h], ecx
		jmp	loc_86DB45
; 

loc_90BB33:				; CODE XREF: ObpSetDeviceMap+DEj
		mov	[ebp+arg_4], esi
		mov	esi, ecx
		lock inc dword ptr [esi+0Ch]
		jmp	loc_86DB9C
; 

loc_90BB41:				; CODE XREF: ObpSetDeviceMap+126j
		mov	ecx, [eax+8]
		xor	dl, dl
		call	ObpCloseHandle
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	ecx, [esi+34h]
		test	ecx, ecx
		jz	short loc_90BB63
		mov	edx, 6D44624Fh
		call	ObfDereferenceObjectWithTag

loc_90BB63:				; CODE XREF: ObpSetDeviceMap+9E0BFj
		mov	eax, [ebp+arg_4]
		push	6D44624Fh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_86DBC4
; END OF FUNCTION CHUNK	FOR ObpSetDeviceMap
; 
; START	OF FUNCTION CHUNK FOR IoWMIQuerySingleInstance

loc_90BB76:				; CODE XREF: IoWMIQuerySingleInstance+34j
		mov	edi, 0C000009Ah
		jmp	loc_86DCF9
; END OF FUNCTION CHUNK	FOR IoWMIQuerySingleInstance
; 
; START	OF FUNCTION CHUNK FOR PopInitSIdle

loc_90BB80:				; CODE XREF: PopInitSIdle+46j
		mov	ecx, esi
		call	_PopUpdateSystemIdleContext@4 ;	PopUpdateSystemIdleContext(x)
		jmp	loc_86DE2A
; 

loc_90BB8C:				; CODE XREF: PopInitSIdle+105j
		test	_PopSimulate, 1000000h
		jnz	loc_86DDBA
		mov	eax, dword_6C26C4
		mov	[ebp+var_6C], 4
		cmp	eax, edi
		jz	short loc_90BBBD
		cmp	eax, 3
		jz	short loc_90BBBD
		mov	[ebp+Source2], edi
		mov	[ebp+var_48], 4
		jmp	short loc_90BBC8
; 

loc_90BBBD:				; CODE XREF: PopInitSIdle+9DE6Ej
					; PopInitSIdle+9DE73j
		mov	[ebp+Source2], eax
		mov	eax, dword_6C26C8
		mov	[ebp+var_48], eax

loc_90BBC8:				; CODE XREF: PopInitSIdle+9DE7Fj
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_4C], ebx
		jmp	loc_86DDE4
; 

loc_90BBD3:				; CODE XREF: PopInitSIdle+A2j
		test	eax, eax
		jz	short loc_90BC17

loc_90BBD7:				; CODE XREF: PopInitSIdle+99j
		cmp	[ebp+var_AC], bl
		jz	short loc_90BBF0
		xor	ecx, ecx
		mov	[ebp+Source2], edi
		mov	eax, [esi+3Ch]
		inc	ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_48], ecx
		jmp	short loc_90BC46
; 

loc_90BBF0:				; CODE XREF: PopInitSIdle+9DEA1j
		cmp	byte ptr [ebp+var_C0+3], bl
		jnz	short loc_90BC08
		cmp	[ebp+var_BC], bl
		jnz	short loc_90BC08
		cmp	[ebp+var_BB], bl
		jz	short loc_90BC17

loc_90BC08:				; CODE XREF: PopInitSIdle+9DEBAj
					; PopInitSIdle+9DEC2j
		mov	[ebp+Source2], edi
		mov	eax, [esi+3Ch]
		mov	[ebp+var_48], 4
		jmp	short loc_90BC43
; 

loc_90BC17:				; CODE XREF: PopInitSIdle+9DE99j
					; PopInitSIdle+9DECAj
		lea	ecx, [ebp+var_C0]
		call	PopIsDozeSupported
		test	al, al
		jz	loc_86DDE4
		cmp	[esi+58h], ebx
		jbe	loc_86DDE4
		push	3
		pop	edi
		mov	[ebp+Source2], edi
		mov	eax, [esi+58h]
		mov	[ebp+var_48], 5

loc_90BC43:				; CODE XREF: PopInitSIdle+9DED9j
		mov	[ebp+var_6C], edi

loc_90BC46:				; CODE XREF: PopInitSIdle+9DEB2j
		mov	[ebp+var_5C], eax
		jmp	loc_86DDE4
; END OF FUNCTION CHUNK	FOR PopInitSIdle
; 
; START	OF FUNCTION CHUNK FOR PopEsWorker

loc_90BC4E:				; CODE XREF: PopEsWorker+42j
		cmp	edx, 4
		jz	short loc_90BC5C
		cmp	edx, 2
		jnz	loc_86DFE3

loc_90BC5C:				; CODE XREF: PopEsWorker+9DCBFj
		mov	[esp+28h+var_15], 1
		and	ebx, 0FFFFFFF7h
		jmp	loc_86DFDA
; END OF FUNCTION CHUNK	FOR PopEsWorker
; 
; START	OF FUNCTION CHUNK FOR PopEsEvaluateNextState

loc_90BC69:				; CODE XREF: PopEsEvaluateNextState+2Aj
		cmp	byte ptr [ecx+1], 0
		jz	loc_86E18A
		mov	ebx, [ecx+8]
		test	ebx, ebx
		jz	loc_86E18A
		imul	eax, [ecx+0Ch],	64h
		xor	edx, edx
		dec	eax
		add	eax, ebx
		div	ebx
		cmp	eax, [ebp+var_4]
		ja	short loc_90BC9C
		xor	esi, esi
		mov	dword ptr [edi], 2
		inc	esi
		jmp	loc_86E1A4
; 

loc_90BC9C:				; CODE XREF: PopEsEvaluateNextState+9DB32j
		xor	edx, edx
		inc	edx
		jmp	loc_86E18A
; 

loc_90BCA4:				; CODE XREF: PopEsEvaluateNextState+37j
		cmp	dword_6C2D50, esi
		jbe	loc_86E197
		cmp	_PopEsBgActivityPolicy,	edx
		jnz	loc_86E197
		mov	dword ptr [edi], 8
		jmp	short loc_90BCCA
; 

loc_90BCC4:				; CODE XREF: PopEsEvaluateNextState+44j
		mov	dword ptr [edi], 10h

loc_90BCCA:				; CODE XREF: PopEsEvaluateNextState+9DB68j
		mov	esi, edx
		jmp	loc_86E1A4
; END OF FUNCTION CHUNK	FOR PopEsEvaluateNextState
; 
; START	OF FUNCTION CHUNK FOR PopEsStartTelemetry

loc_90BCD1:				; CODE XREF: PopEsStartTelemetry+31j
		mov	eax, 0FFDF0328h

loc_90BCD6:				; CODE XREF: PopEsStartTelemetry+9DB2Ej
		pause
		mov	edx, [esi]
		mov	ebx, [edi]
		mov	ecx, [eax]
		cmp	edx, ecx
		jnz	short loc_90BCD6
		mov	ecx, [ebp+var_4]
		jmp	loc_86E1E9
; END OF FUNCTION CHUNK	FOR PopEsStartTelemetry
; 
; START	OF FUNCTION CHUNK FOR PsChangeQuantumTable

loc_90BCEA:				; CODE XREF: PsChangeQuantumTable+13j
		mov	edx, eax
		jmp	loc_86E31D
; 

loc_90BCF1:				; CODE XREF: PsChangeQuantumTable+2Cj
					; PsChangeQuantumTable+39j
		mov	esi, offset _PspFixedQuantums
		jmp	loc_86E348
; 

loc_90BCFB:				; CODE XREF: PsChangeQuantumTable+4Aj
					; PsChangeQuantumTable+5Cj
		add	esi, 3
		jmp	loc_86E366
; END OF FUNCTION CHUNK	FOR PsChangeQuantumTable
; 
; START	OF FUNCTION CHUNK FOR PopTransitionTelemetryOsState

loc_90BD03:				; CODE XREF: PopTransitionTelemetryOsState+86j
		sub	eax, 1
		jz	loc_90BDC9
		sub	eax, 1
		jz	short loc_90BD90
		sub	eax, 1
		jz	short loc_90BD57
		sub	eax, ecx
		jnz	loc_86E4CB
		mov	eax, dword_6B3510
		cmp	eax, ds:0FFDF037Ch
		jnb	loc_86E4CB
		cmp	dword_6B350C, edi
		jnz	short loc_90BD4D
		mov	ecx, off_6B3508
		lea	edx, [ebp+var_19C]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B350C, eax

loc_90BD4D:				; CODE XREF: PopTransitionTelemetryOsState+9D92Bj
		push	offset off_6B3508
		jmp	loc_86E4C6
; 

loc_90BD57:				; CODE XREF: PopTransitionTelemetryOsState+9D90Aj
		mov	eax, dword_6B3520
		cmp	eax, ds:0FFDF037Ch
		jnb	loc_86E4CB
		cmp	dword_6B351C, edi
		jnz	short loc_90BD86
		mov	ecx, off_6B3518
		lea	edx, [ebp+var_198]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B351C, eax

loc_90BD86:				; CODE XREF: PopTransitionTelemetryOsState+9D964j
		push	offset off_6B3518
		jmp	loc_86E4C6
; 

loc_90BD90:				; CODE XREF: PopTransitionTelemetryOsState+9D905j
		mov	eax, dword_6B3530
		cmp	eax, ds:0FFDF037Ch
		jnb	loc_86E4CB
		cmp	dword_6B352C, edi
		jnz	short loc_90BDBF
		mov	ecx, off_6B3528
		lea	edx, [ebp+var_194]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B352C, eax

loc_90BDBF:				; CODE XREF: PopTransitionTelemetryOsState+9D99Dj
		push	offset off_6B3528
		jmp	loc_86E4C6
; 

loc_90BDC9:				; CODE XREF: PopTransitionTelemetryOsState+9D8FCj
		mov	eax, dword_6B3570
		cmp	eax, ds:0FFDF037Ch
		jnb	loc_86E4CB
		cmp	dword_6B356C, edi
		jnz	short loc_90BDF8
		mov	ecx, off_6B3568
		lea	edx, [ebp+var_190]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B356C, eax

loc_90BDF8:				; CODE XREF: PopTransitionTelemetryOsState+9D9D6j
		push	offset off_6B3568
		jmp	loc_86E4C6
; 

loc_90BE02:				; CODE XREF: PopTransitionTelemetryOsState+60Dj
		sub	eax, 1
		jz	loc_90BEC8
		sub	eax, 1
		jz	short loc_90BE8F
		sub	eax, 1
		jz	short loc_90BE56
		sub	eax, ecx
		jnz	loc_86E4CB
		mov	eax, dword_6B3580
		cmp	eax, ds:0FFDF037Ch
		jnb	loc_86E4CB
		cmp	dword_6B357C, edi
		jnz	short loc_90BE4C
		mov	ecx, off_6B3578
		lea	edx, [ebp+var_188]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B357C, eax

loc_90BE4C:				; CODE XREF: PopTransitionTelemetryOsState+9DA2Aj
		push	offset off_6B3578
		jmp	loc_86E4C6
; 

loc_90BE56:				; CODE XREF: PopTransitionTelemetryOsState+9DA09j
		mov	eax, dword_6B3590
		cmp	eax, ds:0FFDF037Ch
		jnb	loc_86E4CB
		cmp	dword_6B358C, edi
		jnz	short loc_90BE85
		mov	ecx, off_6B3588
		lea	edx, [ebp+var_180]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B358C, eax

loc_90BE85:				; CODE XREF: PopTransitionTelemetryOsState+9DA63j
		push	offset off_6B3588
		jmp	loc_86E4C6
; 

loc_90BE8F:				; CODE XREF: PopTransitionTelemetryOsState+9DA04j
		mov	eax, dword_6B3540
		cmp	eax, ds:0FFDF037Ch
		jnb	loc_86E4CB
		cmp	dword_6B353C, edi
		jnz	short loc_90BEBE
		mov	ecx, off_6B3538
		lea	edx, [ebp+var_17C]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B353C, eax

loc_90BEBE:				; CODE XREF: PopTransitionTelemetryOsState+9DA9Cj
		push	offset off_6B3538
		jmp	loc_86E4C6
; 

loc_90BEC8:				; CODE XREF: PopTransitionTelemetryOsState+9D9FBj
		mov	eax, dword_6B3550
		cmp	eax, ds:0FFDF037Ch
		jnb	loc_86E4CB
		cmp	dword_6B354C, edi
		jnz	short loc_90BEF7
		mov	ecx, off_6B3548
		lea	edx, [ebp+var_178]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B354C, eax

loc_90BEF7:				; CODE XREF: PopTransitionTelemetryOsState+9DAD5j
		push	offset off_6B3548
		jmp	loc_86E4C6
; 

loc_90BF01:				; CODE XREF: PopTransitionTelemetryOsState+6Dj
		cmp	ebx, ecx
		jnz	short loc_90BF3E
		mov	eax, dword_6B35A0
		cmp	eax, ds:0FFDF037Ch
		jnb	loc_86E4CB
		cmp	dword_6B359C, edi
		jnz	short loc_90BF34
		mov	ecx, off_6B3598
		lea	edx, [ebp+var_170]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B359C, eax

loc_90BF34:				; CODE XREF: PopTransitionTelemetryOsState+9DB12j
		push	offset off_6B3598
		jmp	loc_86E4C6
; 

loc_90BF3E:				; CODE XREF: PopTransitionTelemetryOsState+9DAF9j
		mov	eax, dword_6B3560
		cmp	eax, ds:0FFDF037Ch
		jnb	loc_86E4CB
		cmp	dword_6B355C, edi
		jnz	short loc_90BF6D
		mov	ecx, off_6B3558
		lea	edx, [ebp+var_16C]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B355C, eax

loc_90BF6D:				; CODE XREF: PopTransitionTelemetryOsState+9DB4Bj
		push	offset off_6B3558
		jmp	loc_86E4C6
; 

loc_90BF77:				; CODE XREF: PopTransitionTelemetryOsState+F1j
		mov	eax, dword_6C1F28
		cmp	eax, 1
		jz	loc_86E501
		cmp	eax, 4
		jz	loc_86E501
		cmp	eax, 5
		jz	loc_86E501
		test	edx, edx
		jz	short loc_90BFA2
		and	dword_6C1F24, 0

loc_90BFA2:				; CODE XREF: PopTransitionTelemetryOsState+9DB8Fj
		xor	edx, edx
		mov	ecx, offset _PopTelemetryOsState
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_86EA01
; 

loc_90BFB8:				; CODE XREF: PopTransitionTelemetryOsState+18Fj
					; PopTransitionTelemetryOsState+197j
		mov	[ebp+var_16C], eax
		mov	[ebp+var_170], edx
		jmp	loc_86E5A7
; 

loc_90BFC9:				; CODE XREF: PopTransitionTelemetryOsState+263j
		imul	eax, [ebp+var_22C], 64h
		xor	edx, edx
		div	ecx
		mov	[ebp+var_180], eax
		jmp	loc_86E673
; END OF FUNCTION CHUNK	FOR PopTransitionTelemetryOsState
; 
; START	OF FUNCTION CHUNK FOR PopMeasureEnergyChange

loc_90BFDF:				; CODE XREF: PopMeasureEnergyChange+26j
		mov	eax, [ebx]
		or	eax, [ebp+var_10]
		mov	ecx, [ebp+var_4]
		mov	[esi], eax
		mov	eax, [ebp+var_8]
		sub	eax, [ebx+8]
		sbb	ecx, [ebx+0Ch]
		jmp	loc_86EA8A
; END OF FUNCTION CHUNK	FOR PopMeasureEnergyChange
; 
; START	OF FUNCTION CHUNK FOR PpmUpdateProcessorPolicy

loc_90BFF7:				; CODE XREF: PpmUpdateProcessorPolicy+46j
		mov	eax, large fs:20h
		mov	ecx, [eax+3D54h]
		mov	eax, edi
		and	ecx, 4
		or	eax, ecx
		jz	loc_86F23A
		cmp	byte ptr [ebx+78h], 0
		mov	ecx, 0DB0h
		rdmsr
		jnz	short loc_90C022
		and	eax, 0FFFFFFFEh
		jmp	short loc_90C025
; 

loc_90C022:				; CODE XREF: PpmUpdateProcessorPolicy+9CE2Dj
		or	eax, 1

loc_90C025:				; CODE XREF: PpmUpdateProcessorPolicy+9CE32j
		wrmsr
		jmp	loc_86F23A
; 

loc_90C02C:				; CODE XREF: PpmUpdateProcessorPolicy+95j
		call	eax
		test	eax, eax
		js	loc_86F249
		jmp	loc_86F289
; END OF FUNCTION CHUNK	FOR PpmUpdateProcessorPolicy
; 
; START	OF FUNCTION CHUNK FOR SmcProcessListRequest

loc_90C03B:				; CODE XREF: SmcProcessListRequest+2Bj
		mov	eax, 0C0000206h
		jmp	loc_86F40D
; END OF FUNCTION CHUNK	FOR SmcProcessListRequest

;  S U B	R O U T	I N E 


sub_90C045	proc near		; DATA XREF: .text:006A4CA0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-6Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_90C045	endp


;  S U B	R O U T	I N E 


sub_90C053	proc near		; DATA XREF: .text:006A4CA4o
		mov	eax, [ebp-6Ch]
		jmp	short loc_90C069
; 

loc_90C058:				; DATA XREF: .text:006A4C94o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-70h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_90C066:				; DATA XREF: .text:006A4C98o
		mov	eax, [ebp-70h]

loc_90C069:				; CODE XREF: sub_90C053+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_86F40D
sub_90C053	endp

; 
; START	OF FUNCTION CHUNK FOR SmcGetCacheList

loc_90C078:				; CODE XREF: SmcGetCacheList+11j
		mov	eax, [ecx+0Ch]
		and	eax, 0FFFh
		shl	eax, 4
		or	eax, esi
		inc	edx
		mov	[edi], eax
		add	edi, 4
		jmp	loc_86F447
; END OF FUNCTION CHUNK	FOR SmcGetCacheList
; 
; START	OF FUNCTION CHUNK FOR PnpCompareInterruptInformation

loc_90C090:				; CODE XREF: PnpCompareInterruptInformation+2Fj
		cmp	dword_6B2B18, 5
		jbe	loc_86F4B3
		push	4000h
		xor	esi, esi
		mov	edi, offset dword_6B2B18
		push	esi
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_86F4B3
		mov	edx, (offset loc_8B987E+2)
		lea	ecx, [ebp+var_3C]
		call	_tlgCreate1Sz_char
		lea	eax, [ebp+var_14]
		mov	[ebp+var_2C], eax
		mov	eax, [ebx+18h]
		mov	[ebp+var_1C], eax
		movzx	eax, word ptr [ebx+14h]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	5
		push	esi
		push	esi
		push	offset loc_41C0FC
		jmp	loc_90C201
; 

loc_90C0EB:				; CODE XREF: PnpCompareInterruptInformation+3Aj
		cmp	dword_6B2B18, 5
		jbe	loc_86F4B3
		push	4000h
		xor	esi, esi
		mov	edi, offset dword_6B2B18
		push	esi
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_86F4B3
		mov	edx, offset ??_C@_0O@HCMCJMOF@Size?5Mismatch@NNGAKEGL@
		lea	ecx, [ebp+var_5C]
		call	_tlgCreate1Sz_char
		mov	ecx, [ebp+var_80]
		push	4
		mov	[ebp+var_84], ebx
		mov	eax, [ecx]
		lea	ecx, [ebp+var_84]
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_4C], eax
		pop	eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_3C], ecx
		mov	ecx, [ebp+var_88]
		mov	[ebp+var_2C], eax
		mov	eax, [ecx+18h]
		mov	[ebp+var_1C], eax
		movzx	eax, word ptr [ecx+14h]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	7
		push	esi
		push	esi
		push	offset loc_41C0A5
		jmp	loc_90C1F5
; 

loc_90C172:				; CODE XREF: PnpCompareInterruptInformation+53j
		cmp	dword_6B2B18, 5
		jbe	loc_86F4B3
		push	4000h
		xor	esi, esi
		mov	edi, offset dword_6B2B18
		push	esi
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_86F4B3
		mov	edx, (offset loc_8B9888+2)
		lea	ecx, [ebp+var_5C]
		call	_tlgCreate1Sz_char
		mov	eax, [ebp+var_84]
		lea	ecx, [ebp+var_80]
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_84]
		push	4
		mov	[ebp+var_4C], eax
		pop	eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_3C], ecx
		mov	ecx, [ebp+var_88]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_80], ebx
		mov	eax, [ecx+18h]
		mov	[ebp+var_1C], eax
		movzx	eax, word ptr [ecx+14h]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	7
		push	esi
		push	esi
		push	offset loc_41C145

loc_90C1F5:				; CODE XREF: PnpCompareInterruptInformation+9CD13j
		mov	[ebp+var_48], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_40], esi

loc_90C201:				; CODE XREF: PnpCompareInterruptInformation+9CC8Cj
		push	edi
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], 2
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_86F4B3
; END OF FUNCTION CHUNK	FOR PnpCompareInterruptInformation
; 
; START	OF FUNCTION CHUNK FOR RtlUnicodeStringToOemString

loc_90C21F:				; CODE XREF: RtlUnicodeStringToOemString+1Fj
		mov	eax, 0C00000F0h
		jmp	loc_86F868
; 

loc_90C229:				; CODE XREF: RtlUnicodeStringToOemString+3Aj
		mov	eax, 80000005h
		jmp	loc_86F868
; END OF FUNCTION CHUNK	FOR RtlUnicodeStringToOemString

;  S U B	R O U T	I N E 


sub_90C233	proc near		; DATA XREF: .text:006A4CC0o
		xor	ebx, ebx
		mov	esi, [ebp+8]
		mov	edi, [ebp-1Ch]
		jmp	sub_86F892
sub_90C233	endp

; 
; START	OF FUNCTION CHUNK FOR sub_86F892

loc_90C240:				; CODE XREF: sub_86F892+3j
					; sub_86F892+Bj
		cmp	byte ptr [ebp+10h], 0
		jz	locret_86F8A3
		push	dword ptr [esi+4]
		call	_ExFreePool@4	; ExFreePool(x)
		mov	[esi+4], ebx
		retn
; END OF FUNCTION CHUNK	FOR sub_86F892
; 
; START	OF FUNCTION CHUNK FOR WmipGetGuidObjectInstanceInfo

loc_90C256:				; CODE XREF: WmipGetGuidObjectInstanceInfo+71j
					; WmipGetGuidObjectInstanceInfo+10Dj
		mov	esi, [esi]
		cmp	esi, eax
		jnz	loc_86FA21
		mov	ebx, [ebp+var_14]
		xor	ecx, ecx
		jmp	loc_86FA82
; 

loc_90C26A:				; CODE XREF: WmipGetGuidObjectInstanceInfo+FBj
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	loc_86FAB5
; END OF FUNCTION CHUNK	FOR WmipGetGuidObjectInstanceInfo
; 
; START	OF FUNCTION CHUNK FOR ExpCheckIRTimerAccess

loc_90C278:				; CODE XREF: ExpCheckIRTimerAccess+35j
		test	eax, eax
		jnz	short loc_90C291
		mov	edx, [ebp+arg_0+2]
		mov	ecx, esi
		call	_ExCheckValidIRTimerId@8 ; ExCheckValidIRTimerId(x,x)
		test	al, al
		jz	short loc_90C291
		xor	eax, eax
		jmp	loc_86FC46
; 

loc_90C291:				; CODE XREF: ExpCheckIRTimerAccess+9C692j
					; ExpCheckIRTimerAccess+9C6A0j
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_90C296:				; CODE XREF: CmpPublishEventForPcaResolver+54j
		lea	ecx, [ebp+var_60]
		call	CmpAttachToRegistryProcess
		jmp	loc_86FD58
; END OF FUNCTION CHUNK	FOR ExpCheckIRTimerAccess
; 
; START	OF FUNCTION CHUNK FOR CmpPublishEventForPcaResolver

loc_90C2A3:				; CODE XREF: CmpPublishEventForPcaResolver+F2j
		xor	edx, edx
		lea	ecx, [ebp+var_60]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_86FDF6
; END OF FUNCTION CHUNK	FOR CmpPublishEventForPcaResolver

;  S U B	R O U T	I N E 


sub_90C2B2	proc near		; DATA XREF: .text:006A4CFCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90C2B2	endp


;  S U B	R O U T	I N E 


sub_90C2C0	proc near		; DATA XREF: .text:006A4D00o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-38h]
		jmp	loc_86FEA4
sub_90C2C0	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateMailslotFile

loc_90C2D2:				; CODE XREF: NtCreateMailslotFile+40j
		mov	eax, [edx]
		mov	[ebp+var_2C], eax
		mov	eax, [edx+4]
		mov	[ebp+var_28], eax
		jmp	loc_86FE74
; END OF FUNCTION CHUNK	FOR NtCreateMailslotFile
; 
; START	OF FUNCTION CHUNK FOR FsRtlIssueFileNotificationFsctl

loc_90C2E2:				; CODE XREF: FsRtlIssueFileNotificationFsctl+91j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_2C]
		jmp	loc_86FF57
; END OF FUNCTION CHUNK	FOR FsRtlIssueFileNotificationFsctl
; 
; START	OF FUNCTION CHUNK FOR NtInitializeRegistry

loc_90C2F9:				; CODE XREF: NtInitializeRegistry+27j
		push	[esp+8+var_4]
		push	ds:dword_A949E4
		push	ds:_SeBackupPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_90C31C
		mov	eax, 0C0000061h
		jmp	loc_87002D
; 

loc_90C31C:				; CODE XREF: NtInitializeRegistry+9C318j
		call	_CmpSyncNextBackupHive@0 ; CmpSyncNextBackupHive()
		jmp	loc_87002D
; 

loc_90C326:				; CODE XREF: NtInitializeRegistry+65j
		cmp	cx, 1
		jz	loc_870063
		mov	eax, 0C000000Dh
		jmp	loc_87002D
; END OF FUNCTION CHUNK	FOR NtInitializeRegistry
; 
; START	OF FUNCTION CHUNK FOR CmpAcceptBoot

loc_90C33A:				; CODE XREF: CmpAcceptBoot+3Bj
		mov	ecx, esi
		call	_CmpSaveBootControlSet@4 ; CmpSaveBootControlSet(x)
		mov	esi, eax
		jmp	loc_8700AD
; END OF FUNCTION CHUNK	FOR CmpAcceptBoot
; 
; START	OF FUNCTION CHUNK FOR FsRtlCheckUpperOplock

loc_90C348:				; CODE XREF: FsRtlCheckUpperOplock+5Ej
		mov	[ebp+ms_exc.disabled], edx
		mov	ecx, [ebx+4Ch]
		call	ExAcquireFastMutexUnsafe
		mov	byte ptr [ebp+var_41], 1
		mov	edi, [ebx+48h]
		cmp	edi, 1
		jz	loc_90C4FF
		test	[ebp+arg_14], 20000h
		jz	short loc_90C3BF
		cmp	edi, 1000h
		jz	short loc_90C386
		cmp	edi, 1010h
		jz	short loc_90C386
		mov	esi, 0C0000909h
		jmp	loc_90C4FC
; 

loc_90C386:				; CODE XREF: FsRtlCheckUpperOplock+9C18Cj
					; FsRtlCheckUpperOplock+9C194j
		lea	eax, [ebx+14h]
		mov	edi, [eax]

loc_90C38B:				; CODE XREF: FsRtlCheckUpperOplock+9C1CBj
		cmp	edi, eax
		jz	short loc_90C3B3
		mov	eax, [edi+8]
		cmp	dword ptr [eax+0Ch], 90240h
		jnz	short loc_90C3AC
		mov	edi, [edi+4]
		push	1000h
		xor	edx, edx
		mov	ecx, [edi]
		call	_FsRtlpRemoveAndCompleteReadOnlyIrp@12 ; FsRtlpRemoveAndCompleteReadOnlyIrp(x,x,x)

loc_90C3AC:				; CODE XREF: FsRtlCheckUpperOplock+9C1B3j
		mov	edi, [edi]
		lea	eax, [ebx+14h]
		jmp	short loc_90C38B
; 

loc_90C3B3:				; CODE XREF: FsRtlCheckUpperOplock+9C1A7j
		mov	ecx, ebx
		call	FsRtlpComputeShareableOplockState
		jmp	loc_90C4FF
; 

loc_90C3BF:				; CODE XREF: FsRtlCheckUpperOplock+9C184j
		mov	edx, [ebp+var_58]
		mov	ecx, edi
		call	FsRtlpOplockUpperLowerCompatible
		test	al, al
		jnz	loc_90C4FF
		test	edx, edx
		jz	short loc_90C432
		cmp	edx, 1000h
		jz	short loc_90C414
		cmp	edx, 3000h
		jz	short loc_90C408
		cmp	edx, 5000h
		jz	short loc_90C3F7
		mov	esi, 0C00000E3h
		jmp	loc_90C4FC
; 

loc_90C3F7:				; CODE XREF: FsRtlCheckUpperOplock+9C205j
		mov	eax, edi
		shr	eax, 2
		and	eax, 0FFFFFF01h
		mov	edi, 2000h
		jmp	short loc_90C40F
; 

loc_90C408:				; CODE XREF: FsRtlCheckUpperOplock+9C1FDj
		mov	al, 1

loc_90C40A:				; CODE XREF: FsRtlCheckUpperOplock+9C23Ej
		mov	edi, 4000h

loc_90C40F:				; CODE XREF: FsRtlCheckUpperOplock+9C220j
		mov	cl, [ebp+var_42]
		jmp	short loc_90C43C
; 

loc_90C414:				; CODE XREF: FsRtlCheckUpperOplock+9C1F5j
		mov	al, 1
		mov	ecx, 5000h
		and	edi, ecx
		cmp	edi, ecx
		jnz	short loc_90C426
		mov	[ebp+var_43], al
		jmp	short loc_90C40A
; 

loc_90C426:				; CODE XREF: FsRtlCheckUpperOplock+9C239j
		mov	cl, [ebp+var_42]
		test	edi, edi
		jnz	short loc_90C43C
		mov	edi, [ebp+var_5C]
		jmp	short loc_90C43C
; 

loc_90C432:				; CODE XREF: FsRtlCheckUpperOplock+9C1EDj
		mov	cl, 1
		mov	edi, 7000h
		mov	eax, [ebp+var_60]

loc_90C43C:				; CODE XREF: FsRtlCheckUpperOplock+9C22Cj
					; FsRtlCheckUpperOplock+9C245j	...
		mov	byte ptr [ebp+var_41+1], 3
		test	al, al
		jz	short loc_90C469
		xor	ecx, ecx
		push	ecx
		lea	eax, [ebp+var_41]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_4C]
		push	[ebp+var_50]
		push	[ebp+var_54]
		push	ecx
		push	[ebp+arg_14]
		push	ecx
		lea	edx, [ebp+var_41+1]
		mov	ecx, ebx
		call	FsRtlpOplockBreakToII
		jmp	short loc_90C490
; 

loc_90C469:				; CODE XREF: FsRtlCheckUpperOplock+9C25Cj
		test	cl, cl
		jz	short loc_90C495
		xor	ecx, ecx
		push	ecx
		lea	eax, [ebp+var_41]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_4C]
		push	[ebp+var_50]
		push	[ebp+var_54]
		push	ecx
		push	[ebp+arg_14]
		push	ecx
		lea	edx, [ebp+var_41+1]
		mov	ecx, ebx
		call	FsRtlpOplockBreakToNone

loc_90C490:				; CODE XREF: FsRtlCheckUpperOplock+9C281j
		mov	esi, eax
		mov	[ebp+var_48], esi

loc_90C495:				; CODE XREF: FsRtlCheckUpperOplock+9C285j
		test	esi, esi
		jnz	short loc_90C4FF
		test	[ebx+48h], edi
		jz	short loc_90C4FF
		xor	ecx, ecx
		push	ecx
		lea	eax, [ebp+var_41]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_4C]
		push	[ebp+var_50]
		push	[ebp+var_54]
		push	edi
		xor	edi, edi
		push	edi
		movzx	eax, [ebp+var_43]
		or	eax, [ebp+arg_14]
		push	eax
		push	edi
		lea	edx, [ebp+var_41+1]
		mov	ecx, ebx
		call	_FsRtlpOplockBreakByCacheFlags@60 ; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_48], esi
		cmp	[ebp+var_43], 0
		jz	short loc_90C4FF
		push	edi
		lea	eax, [ebp+var_41]
		push	eax
		push	edi
		push	edi
		push	edi
		push	edi
		push	[ebp+var_4C]
		push	[ebp+var_50]
		push	[ebp+var_54]
		push	2000h
		push	edi
		push	[ebp+arg_14]
		push	edi
		lea	edx, [ebp+var_41+1]
		mov	ecx, ebx
		call	_FsRtlpOplockBreakByCacheFlags@60 ; FsRtlpOplockBreakByCacheFlags(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_90C4FC:				; CODE XREF: FsRtlCheckUpperOplock+9C19Bj
					; FsRtlCheckUpperOplock+9C20Cj
		mov	[ebp+var_48], esi

loc_90C4FF:				; CODE XREF: FsRtlCheckUpperOplock+9C177j
					; FsRtlCheckUpperOplock+9C1D4j	...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_90C516
		jmp	loc_87024A
; END OF FUNCTION CHUNK	FOR FsRtlCheckUpperOplock

;  S U B	R O U T	I N E 


sub_90C510	proc near		; DATA XREF: .text:006A4D20o
		mov	ebx, [ebp-64h]
		mov	esi, [ebp-48h]
sub_90C510	endp


;  S U B	R O U T	I N E 


sub_90C516	proc near		; CODE XREF: FsRtlCheckUpperOplock+9C320p
		cmp	byte ptr [ebp-41h], 0
		jz	nullsub_8
		mov	ecx, [ebx+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		retn
sub_90C516	endp

; 
; START	OF FUNCTION CHUNK FOR PopDirectedDripsNotify

loc_90C529:				; CODE XREF: PopDirectedDripsNotify+3Aj
					; DATA XREF: PAGE:off_870376o
		mov	dword_6C3710, edi ; case 0x0
		xor	edx, edx
		mov	edi, offset dword_6C371C
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebx]
		mov	dword_6C3828, eax
		mov	eax, [ebx+4]
		mov	dword_6C382C, eax
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_90C560
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_90C560:				; CODE XREF: PopDirectedDripsNotify+9C289j
		mov	ecx, edi
		call	KeAbPostRelease
		push	0
		xor	edx, edx
		lea	ecx, [esp+1Ch+var_8]
		call	_PopDirectedDripsQueryMitigationStatus@12 ; PopDirectedDripsQueryMitigationStatus(x,x,x)
		push	dword ptr [ebx+4]
		mov	ecx, [esp+1Ch+var_8]
		push	dword ptr [ebx]
		call	_PopDirectedDripsDiagNotifySessionStart@12 ; PopDirectedDripsDiagNotifySessionStart(x,x,x)
		jmp	loc_870340	; default
; 

loc_90C587:				; CODE XREF: PopDirectedDripsNotify+3Aj
					; DATA XREF: PAGE:off_870376o
		mov	esi, [ebx]	; case 0x1
		mov	edi, offset dword_6C371C
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6C3710
		mov	[esi+0C8h], eax
		or	eax, 0FFFFFFFFh
		and	dword_6C3828, 0
		and	dword_6C382C, 0
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_90C5C4
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_90C5C4:				; CODE XREF: PopDirectedDripsNotify+9C2EDj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_PopDirectedDripsSendSessionData@4 ; PopDirectedDripsSendSessionData(x)
		jmp	loc_870340	; default
; 

loc_90C5D5:				; CODE XREF: PopDirectedDripsNotify+3Aj
					; DATA XREF: PAGE:off_870376o
		mov	dl, [ebx]	; case 0x6
		call	_PopDirectedDripsEngage@8 ; PopDirectedDripsEngage(x,x)
		jmp	loc_870340	; default
; 

loc_90C5E1:				; CODE XREF: PopDirectedDripsNotify+3Aj
					; DATA XREF: PAGE:off_870376o
		call	_PopDisengageDirectedDrips@4 ; case 0x7
		jmp	loc_870340	; default
; 

loc_90C5EB:				; CODE XREF: PopDirectedDripsNotify+3Aj
					; DATA XREF: PAGE:off_870376o
		mov	dword_6C36C8, edi ; case 0x2
		jmp	loc_870340	; default
; 

loc_90C5F6:				; CODE XREF: PopDirectedDripsNotify+3Aj
					; DATA XREF: PAGE:off_870376o
		mov	esi, 2000h	; case 0x5

loc_90C5FB:				; CODE XREF: PopDirectedDripsNotify+3Aj
					; DATA XREF: PAGE:off_870376o
		mov	edi, offset dword_6C371C ; case	0x3
		xor	edx, edx
		mov	ecx, edi
		or	esi, 1000h
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6C3828
		cmp	eax, [ebx]
		jnz	short loc_90C657
		mov	eax, dword_6C382C
		cmp	eax, [ebx+4]
		jnz	short loc_90C657
		cmp	dword_6C3830, 0
		jz	short loc_90C657
		mov	edx, offset _PopDirectedDripsState
		mov	eax, [edx]

loc_90C632:				; CODE XREF: PopDirectedDripsNotify+9C36Cj
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_90C632
		and	eax, esi
		cmp	eax, esi
		jnz	short loc_90C64B
		cmp	dword_6C36C8, 0
		jz	short loc_90C657

loc_90C64B:				; CODE XREF: PopDirectedDripsNotify+9C372j
		push	0
		push	800h
		call	_PopQueueDirectedDripsWork@12 ;	PopQueueDirectedDripsWork(x,x,x)

loc_90C657:				; CODE XREF: PopDirectedDripsNotify+9C348j
					; PopDirectedDripsNotify+9C352j ...
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2

loc_90C662:				; CODE XREF: PopDirectedDripsNotify+A2j
		jnz	loc_870339
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_870339
; END OF FUNCTION CHUNK	FOR PopDirectedDripsNotify
; 
; START	OF FUNCTION CHUNK FOR PopInitializePowerPolicySimulate

loc_90C674:				; CODE XREF: PopInitializePowerPolicySimulate+ECj
		cmp	[ebp+var_10], 4
		jnz	loc_870490
		mov	eax, [ebp+var_C]
		mov	_PopSimulateHiberBugcheck, eax
		jmp	loc_870490
; END OF FUNCTION CHUNK	FOR PopInitializePowerPolicySimulate

;  S U B	R O U T	I N E 


sub_90C68B	proc near		; CODE XREF: PopSanityCheckHiberFile+3Ej
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esi+5Ch]
		push	eax
		call	KeWaitForSingleObject
		mov	edx, [ebp-18h]
		jmp	loc_870526
sub_90C68B	endp


;  S U B	R O U T	I N E 


sub_90C6A0	proc near		; CODE XREF: SepNotifyFileSystems+7Dj
					; sub_90C6A0+8j
		push	ebx
		call	dword ptr [esi+4]
		mov	esi, [esi]
		test	esi, esi
		jnz	short sub_90C6A0
		jmp	loc_870643
sub_90C6A0	endp

; 
; START	OF FUNCTION CHUNK FOR SepNotifyFileSystems

loc_90C6AF:				; CODE XREF: SepNotifyFileSystems+65j
		mov	edx, 53466553h
		call	ObfDereferenceObjectWithTag
		jmp	loc_870681
; END OF FUNCTION CHUNK	FOR SepNotifyFileSystems
; 
; START	OF FUNCTION CHUNK FOR EtwWriteStartScenario

loc_90C6BE:				; CODE XREF: EtwWriteStartScenario+36j
					; EtwWriteStartScenario+3Ej
		mov	edi, 0C000000Dh
		jmp	loc_8707F1
; 

loc_90C6C8:				; CODE XREF: EtwWriteStartScenario+52j
		mov	edi, 0C0000008h
		jmp	loc_8707F1
; END OF FUNCTION CHUNK	FOR EtwWriteStartScenario
; 
; START	OF FUNCTION CHUNK FOR MmManagePartitionGetMemoryEvents

loc_90C6D2:				; CODE XREF: MmManagePartitionGetMemoryEvents+7Cj
					; MmManagePartitionGetMemoryEvents+A8j	...
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_90C6E0
		push	ebx
		push	eax
		call	ObCloseHandle

loc_90C6E0:				; CODE XREF: MmManagePartitionGetMemoryEvents+9BE7Fj
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_90C6EE
		push	ebx
		push	eax
		call	ObCloseHandle

loc_90C6EE:				; CODE XREF: MmManagePartitionGetMemoryEvents+9BE8Dj
		mov	eax, [esi+14h]
		test	eax, eax
		jz	loc_870932
		push	ebx
		push	eax
		call	ObCloseHandle
		jmp	loc_870932
; 

loc_90C705:				; CODE XREF: MmManagePartitionGetMemoryEvents+13j
					; MmManagePartitionGetMemoryEvents+1Cj	...
		mov	eax, 0C000000Dh
		jmp	loc_870935
; END OF FUNCTION CHUNK	FOR MmManagePartitionGetMemoryEvents
; 
; START	OF FUNCTION CHUNK FOR EtwpCheckForPoolTagFilterExtension

loc_90C70F:				; CODE XREF: EtwpCheckForPoolTagFilterExtension+21j
		mov	cx, [esi]
		shl	cx, 2
		sub	cx, bx
		shr	cx, 2
		movzx	edx, cx
		cmp	dx, bx
		jbe	short loc_90C72F
		mov	eax, 0C000000Dh
		jmp	loc_87097F
; 

loc_90C72F:				; CODE XREF: EtwpCheckForPoolTagFilterExtension+9BDE7j
		imul	eax, edi, 14h
		lea	ecx, [esi+4]
		add	eax, offset _EtwpPoolTagFilter
		push	eax
		call	EtwpUpdateTagFilter
		jmp	loc_87097D
; END OF FUNCTION CHUNK	FOR EtwpCheckForPoolTagFilterExtension
; 
; START	OF FUNCTION CHUNK FOR EtwpUpdateTagFilter

loc_90C745:				; CODE XREF: EtwpUpdateTagFilter+Ej
		xor	eax, eax
		test	dx, dx
		jz	short loc_90C779
		lea	ebx, [esi+4]

loc_90C74F:				; CODE XREF: EtwpUpdateTagFilter+9BDF1j
		cmp	byte ptr [ecx],	2Ah
		jz	loc_87099A
		mov	edi, [ecx]
		mov	[ebp+arg_0], edi
		cmp	edi, 3F3F3F3Fh
		jz	loc_87099A
		mov	[ebx], edi
		add	ecx, 4
		inc	eax
		movzx	edi, dx
		add	ebx, 4
		cmp	eax, edi
		jb	short loc_90C74F

loc_90C779:				; CODE XREF: EtwpUpdateTagFilter+9BDC4j
		movzx	eax, dx
		jmp	loc_8709A4
; END OF FUNCTION CHUNK	FOR EtwpUpdateTagFilter

;  S U B	R O U T	I N E 


sub_90C781	proc near		; DATA XREF: .text:006A4D3Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90C781	endp


;  S U B	R O U T	I N E 


sub_90C78F	proc near		; DATA XREF: .text:006A4D40o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-20h]
		jmp	loc_870A24
sub_90C78F	endp

; 
; START	OF FUNCTION CHUNK FOR RtlNextUnicodePrefix

loc_90C79A:				; CODE XREF: RtlNextUnicodePrefix+5Fj
					; RtlNextUnicodePrefix+9BD16j
		mov	eax, [edx]
		mov	ecx, edx
		mov	edx, eax
		cmp	eax, ecx
		jnz	short loc_90C79A
		jmp	loc_870AF1
; END OF FUNCTION CHUNK	FOR RtlNextUnicodePrefix
; 
; START	OF FUNCTION CHUNK FOR PopNetCheckOpportunisticDs

loc_90C7A9:				; CODE XREF: PopNetCheckOpportunisticDs+Aj
		cmp	_PopNetBIRequestActive,	0
		jnz	loc_870B9C
		call	_PopIsRemoteDesktopEnabled@0 ; PopIsRemoteDesktopEnabled()
		test	al, al
		jnz	loc_870B9C
		inc	al
		pop	ecx
		retn
; END OF FUNCTION CHUNK	FOR PopNetCheckOpportunisticDs
; 
; START	OF FUNCTION CHUNK FOR SepInitializeLowBoxNumberTable

loc_90C7C7:				; CODE XREF: SepInitializeLowBoxNumberTable+2Fj
		push	dword ptr [edi]
		call	RtlDeleteHashTable
		mov	esi, 0C000009Ah
		jmp	loc_870D19
; END OF FUNCTION CHUNK	FOR SepInitializeLowBoxNumberTable
; 
; START	OF FUNCTION CHUNK FOR SeQueryHSTIResults

loc_90C7D8:				; CODE XREF: SeQueryHSTIResults+19j
		cmp	edx, edi
		jnb	short loc_90C7E6
		mov	esi, 0C0000004h
		jmp	loc_870D4A
; 

loc_90C7E6:				; CODE XREF: SeQueryHSTIResults+9BAB4j
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], esi
		push	edi		; size_t
		push	ds:dword_A9AC30	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_870D4A
; END OF FUNCTION CHUNK	FOR SeQueryHSTIResults

;  S U B	R O U T	I N E 


sub_90C807	proc near		; DATA XREF: .text:006A4D5Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_90C807	endp


;  S U B	R O U T	I N E 


sub_90C817	proc near		; DATA XREF: .text:006A4D60o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		jmp	loc_870D4A
sub_90C817	endp

; 
; START	OF FUNCTION CHUNK FOR _PnpUpdateInterfacesCallback

loc_90C828:				; CODE XREF: _PnpUpdateInterfacesCallback+33j
		push	dword ptr [esi]
		mov	edx, [ebp+arg_4]
		lea	ecx, [ebp+var_C]
		push	ecx
		push	dword ptr [esi+0Ch]
		mov	ecx, [ebp+arg_0]
		push	dword ptr [esi+8]
		mov	[ebp+var_C], edi
		push	eax
		push	3
		mov	[ebp+var_8], edi
		call	__PnpNotifyDerivedKeys@32 ; _PnpNotifyDerivedKeys(x,x,x,x,x,x,x,x)
		jmp	loc_870D97
; END OF FUNCTION CHUNK	FOR _PnpUpdateInterfacesCallback
; 
; START	OF FUNCTION CHUNK FOR PspOpenPartitionHandle

loc_90C84D:				; CODE XREF: PspOpenPartitionHandle+14j
		cmp	ecx, 1
		jz	short loc_90C857
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_90C857:				; CODE XREF: PspOpenPartitionHandle+9B904j
		mov	eax, 0C0000001h
		jmp	loc_870F74
; END OF FUNCTION CHUNK	FOR PspOpenPartitionHandle
; 
; START	OF FUNCTION CHUNK FOR CmpTryAcquireKcbIXLocks

loc_90C861:				; CODE XREF: CmpTryAcquireKcbIXLocks+30j
		cmp	edi, ecx
		jz	short loc_90C86C
		mov	eax, edi
		jmp	loc_870FBA
; 

loc_90C86C:				; CODE XREF: CmpTryAcquireKcbIXLocks+9B8E5j
		test	eax, eax
		js	loc_870FC0

loc_90C874:				; CODE XREF: CmpTryAcquireKcbIXLocks+46j
		mov	eax, ecx
		jmp	loc_870FBA
; END OF FUNCTION CHUNK	FOR CmpTryAcquireKcbIXLocks
; 
; START	OF FUNCTION CHUNK FOR PipCslStateChangeCallback

loc_90C87B:				; CODE XREF: PipCslStateChangeCallback+Cj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	10h
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_90C88D:				; CODE XREF: PopUserPresentSetWorker+10j
		xor	eax, eax
		mov	ecx, offset dword_6C2D18
		push	edi
		inc	eax
		xchg	eax, [ecx]
		push	ecx
		push	offset _PopAwayModeUserPresenceDpc@16 ;	PopAwayModeUserPresenceDpc(x,x,x,x)
		mov	edi, offset _PopAwayModeUserPresenceDpcObject
		push	edi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	0FFFFFFFFh
		push	0FE363C80h
		push	edi
		push	0
		xor	edx, edx
		mov	ecx, offset _PopAwayModeUserPresenceTimer
		call	KiSetTimerEx
		push	40h
		pop	ecx
		mov	_PopAwaymodeExitReason,	esi
		call	_PopSetNotificationWork@4 ; PopSetNotificationWork(x)
		pop	edi
		jmp	loc_87119C
; END OF FUNCTION CHUNK	FOR PipCslStateChangeCallback
; 
; START	OF FUNCTION CHUNK FOR PopUserPresentSetWorker

loc_90C8D3:				; CODE XREF: PopUserPresentSetWorker+37j
		push	0
		push	0
		push	offset _PopUserPresentCompletedEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_8711C3
; END OF FUNCTION CHUNK	FOR PopUserPresentSetWorker
; 
; START	OF FUNCTION CHUNK FOR RtlSetActiveConsoleId

loc_90C8E6:				; CODE XREF: RtlSetActiveConsoleId+Cj
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+28Ch]
		mov	eax, [ebp+arg_0]
		mov	[ecx+4], eax
		jmp	loc_871292
; END OF FUNCTION CHUNK	FOR RtlSetActiveConsoleId
; 
; START	OF FUNCTION CHUNK FOR PoFxRegisterCrashdumpDevice

loc_90C8FC:				; CODE XREF: PoFxRegisterCrashdumpDevice+11j
		mov	edx, [eax+28h]
		push	eax
		call	_PopPluginRegisterCrashdumpDevice@12 ; PopPluginRegisterCrashdumpDevice(x,x,x)
		jmp	loc_8712E6
; END OF FUNCTION CHUNK	FOR PoFxRegisterCrashdumpDevice
; 
; START	OF FUNCTION CHUNK FOR PopBroadcastInputSuppressionCallback

loc_90C90A:				; CODE XREF: PopBroadcastInputSuppressionCallback+Cj
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	(offset	loc_407FB3+5) ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_90C950
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_LIDSWITCH_STATE_CHANGE ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_90C950
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	offset _GUID_CONSOLE_DISPLAY_STATE ; "VoJpG$oG"
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8713EE

loc_90C950:				; CODE XREF: PopBroadcastInputSuppressionCallback+9B542j
					; PopBroadcastInputSuppressionCallback+9B558j
		call	_PopEvaluateInputSuppressionAction@0 ; PopEvaluateInputSuppressionAction()
		jmp	loc_8713EE
; END OF FUNCTION CHUNK	FOR PopBroadcastInputSuppressionCallback
; 
; START	OF FUNCTION CHUNK FOR EtwpUpdateTrace

loc_90C95A:				; CODE XREF: EtwpUpdateTrace+E7j
		cmp	[ebx+80h], dx
		jbe	loc_883B75
		or	ecx, 40h
		jmp	loc_883B75
; 

loc_90C96F:				; CODE XREF: EtwpUpdateTrace+102j
		lea	ecx, [ebx+80h]
		cmp	[ecx], dx
		jbe	loc_883B90
		mov	eax, [esp-4+arg_8]
		test	al, 8
		jnz	loc_883B0A
		test	byte ptr [esp-4+arg_C],	8
		jnz	loc_883B0A
		test	eax, 400h
		jnz	loc_883B0A
		lea	edx, [esp-4+arg_20]
		call	EtwpCaptureString
		mov	edi, eax
		test	edi, edi
		js	loc_883B0F
		mov	ecx, [esi+204h]
		test	ecx, ecx
		jz	short loc_90C9C9
		call	ObfDereferenceObject
		and	dword ptr [esi+204h], 0

loc_90C9C9:				; CODE XREF: EtwpUpdateTrace+88F33j
		mov	ecx, large fs:124h
		mov	esi, [esp-4+arg_10]
		mov	[esp-4+arg_28],	0Ch
		mov	[esp-4+arg_2C],	2
		mov	[esp-4+arg_30],	101h
		lea	eax, [esi+1F8h]
		push	eax
		push	0
		lea	eax, [esp+4+arg_28]
		push	eax
		push	ecx
		call	_SeCreateClientSecurity@16 ; SeCreateClientSecurity(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_883B0F
		mov	eax, [esp-4+arg_20]
		mov	ecx, esi
		mov	[esi+74h], eax
		mov	eax, [esp-4+arg_24]
		push	4
		mov	[esi+78h], eax
		and	[esp+arg_24], 0
		pop	edx
		call	EtwpSynchronizeWithLogger
		push	2
		pop	edx
		mov	ecx, esi
		call	EtwpSynchronizeWithLogger
		mov	edi, eax
		test	edi, edi
		js	loc_883B0F
		xor	edx, edx
		cmp	[esi+0F8h], edx
		jz	loc_883B0F
		jmp	loc_883B90
; 

loc_90CA4D:				; CODE XREF: EtwpUpdateTrace+11Cj
		or	eax, ecx
		mov	[esp-4+arg_8], eax
		cmp	[esi+84h], edx
		jnz	loc_883BB2
		and	al, 10h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3E7h
		inc	eax
		mov	[esi+84h], eax
		jmp	loc_883BB2
; 

loc_90CA79:				; CODE XREF: EtwpUpdateTrace+124j
		cmp	[esi+248h], edx
		jz	loc_883B0A
		push	8
		and	eax, 0FFFFFEFFh
		mov	ecx, esi
		pop	edx
		mov	[esp-4+arg_8], eax
		call	EtwpSynchronizeWithLogger
		jmp	loc_883BB2
; 

loc_90CA9D:				; CODE XREF: EtwpUpdateTrace+142j
		push	0
		jmp	short loc_90CAA3
; 

loc_90CAA1:				; CODE XREF: EtwpUpdateTrace+15Aj
		push	1

loc_90CAA3:				; CODE XREF: EtwpUpdateTrace+89017j
		push	dword ptr [esi]
		mov	edx, [esp+4+arg_14]
		mov	ecx, ebx
		call	_EtwpUpdatePerProcessTracing@16	; EtwpUpdatePerProcessTracing(x,x,x,x)
		jmp	loc_883BE8
; 

loc_90CAB5:				; CODE XREF: EtwpUpdateTrace+1CEj
		xor	eax, eax
		cmp	[esi+4], eax
		jbe	short loc_90CAC3
		mov	ecx, esi
		call	_EtwpGetSystemMaximumBufferCount@4 ; EtwpGetSystemMaximumBufferCount(x)

loc_90CAC3:				; CODE XREF: EtwpUpdateTrace+89032j
		cmp	edi, eax
		jbe	short loc_90CACC
		mov	[ebx+38h], eax
		mov	edi, eax

loc_90CACC:				; CODE XREF: EtwpUpdateTrace+8903Dj
		cmp	edi, [esi+0A4h]
		jbe	loc_883C5C
		mov	[esi+0A4h], edi
		jmp	loc_883C5C
; 

loc_90CAE3:				; CODE XREF: EtwpUpdateTrace+1E5j
		cmp	eax, [esi+84h]
		jz	loc_883C73
		push	4
		pop	edx
		mov	ecx, esi
		mov	[esi+84h], eax
		call	EtwpSynchronizeWithLogger
		mov	ecx, [esp-4+arg_8]
		jmp	loc_883C73
; 

loc_90CB08:				; CODE XREF: EtwpUpdateTrace+1F4j
		cmp	dword ptr [esi+0E0h], 1
		jnz	short loc_90CB1B
		mov	edi, 0C00000BBh
		jmp	loc_883B0F
; 

loc_90CB1B:				; CODE XREF: EtwpUpdateTrace+89087j
		mov	edx, 800h
		lea	eax, [esi+25Ch]
		lock or	[eax], edx
		or	ecx, edi
		cmp	_KdDebuggerNotPresent, 0
		mov	[esp-4+arg_8], ecx
		jnz	short loc_90CB41
		cmp	_KdPitchDebugger, 0
		jz	short loc_90CB4E

loc_90CB41:				; CODE XREF: EtwpUpdateTrace+890AEj
		cmp	_KdEventLoggingPresent,	0
		jz	loc_883C8A

loc_90CB4E:				; CODE XREF: EtwpUpdateTrace+890B7j
		mov	ecx, esi
		call	_EtwpSendDbgId@4 ; EtwpSendDbgId(x)
		jmp	loc_883C8A
; 

loc_90CB5A:				; CODE XREF: EtwpUpdateTrace+1FCj
		and	ecx, 0FFF7FFFFh
		mov	[esp-4+arg_8], ecx
		jmp	loc_883C8A
; 

loc_90CB69:				; CODE XREF: EtwpUpdateTrace+207j
		and	[esp-4+arg_18],	0
		lea	edx, [esp-4+arg_18]
		lea	ecx, [esi+0C8h]
		call	_EtwpGetSecurityDescriptorByGuid@8 ; EtwpGetSecurityDescriptorByGuid(x,x)
		mov	edx, [esp-4+arg_18]
		mov	ecx, esi
		call	_EtwpUpdateLoggerSecurityDescriptor@8 ;	EtwpUpdateLoggerSecurityDescriptor(x,x)
		lea	ecx, [esp-4+arg_18]
		mov	edi, eax
		call	_EtwpFreeSecurityDescriptor@4 ;	EtwpFreeSecurityDescriptor(x)
		test	edi, edi
		js	loc_883B0F
		jmp	loc_883C95
; 

loc_90CBA0:				; CODE XREF: EtwpUpdateTrace+21Cj
		xor	edi, edi
		cmp	[esi+84h], edi
		ja	short loc_90CBD5
		test	eax, 400h
		jnz	short loc_90CBD5
		mov	ecx, esi
		call	EtwpQueryUsedProcessorCount
		mov	edx, [esi+0A4h]
		mov	ecx, [ebx+4Ch]
		sub	edx, eax
		dec	edx
		cmp	ecx, edx
		jle	short loc_90CBCD
		mov	[ebx+4Ch], edx
		mov	ecx, edx

loc_90CBCD:				; CODE XREF: EtwpUpdateTrace+8913Ej
		test	ecx, ecx
		jns	loc_883CAA

loc_90CBD5:				; CODE XREF: EtwpUpdateTrace+89120j
					; EtwpUpdateTrace+89127j
		mov	[ebx+4Ch], edi
		mov	ecx, edi
		jmp	loc_883CAA
; 

loc_90CBDF:				; CODE XREF: EtwpUpdateTrace+252j
		push	ecx
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_EtwpEventWriteTemplateSession@16 ; EtwpEventWriteTemplateSession(x,x,x,x)
		jmp	loc_883B0F
; END OF FUNCTION CHUNK	FOR EtwpUpdateTrace
; 
; START	OF FUNCTION CHUNK FOR EtwpCheckSystemTraceAccess

loc_90CBEF:				; CODE XREF: EtwpCheckSystemTraceAccess+Aj
		mov	edx, ecx
		mov	ecx, eax
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		pop	ecx
		retn
; END OF FUNCTION CHUNK	FOR EtwpCheckSystemTraceAccess
; 
; START	OF FUNCTION CHUNK FOR EtwpCheckForStackTracingExtension

loc_90CBFA:				; CODE XREF: EtwpCheckForStackTracingExtension+17j
		mov	ax, [edx]
		mov	ecx, ebx
		shl	ax, 2
		add	edx, 4
		sub	ax, 4
		movzx	eax, ax
		shr	eax, 2
		push	eax
		call	_EtwpUpdateStackTracing@12 ; EtwpUpdateStackTracing(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7E29D9
		push	5
		pop	edx
		mov	ecx, edi
		call	_EtwpGetFlagExtension@8	; EtwpGetFlagExtension(x,x)
		test	eax, eax
		jz	loc_7E29D9
		mov	cx, [eax]
		shl	cx, 2
		cmp	cx, 0Ch
		jz	short loc_90CC49
		mov	esi, 0C000000Dh
		jmp	loc_7E29D9
; 

loc_90CC49:				; CODE XREF: EtwpCheckForStackTracingExtension+12A281j
		mov	edx, [eax+4]
		mov	ecx, ebx
		mov	eax, [eax+8]
		push	eax
		call	_EtwpEnableStackCaching@12 ; EtwpEnableStackCaching(x,x,x)
		mov	esi, eax
		jmp	loc_7E29D9
; END OF FUNCTION CHUNK	FOR EtwpCheckForStackTracingExtension
; 
; START	OF FUNCTION CHUNK FOR EtwpUpdateLoggerGroupMasks

loc_90CC5E:				; CODE XREF: EtwpUpdateLoggerGroupMasks+4Cj
		mov	eax, [esi+48h]
		test	eax, eax
		js	loc_7E2A99
		mov	[ebp+var_24], eax
		jmp	loc_7E2A99
; END OF FUNCTION CHUNK	FOR EtwpUpdateLoggerGroupMasks
; 
; START	OF FUNCTION CHUNK FOR EtwpUpdateGroupMasks

loc_90CC71:				; CODE XREF: EtwpUpdateGroupMasks+5Bj
		or	dword ptr [ebx], 200h
		jmp	loc_7E2B53
; 

loc_90CC7C:				; CODE XREF: EtwpUpdateGroupMasks+6Dj
		mov	ecx, ebx
		call	_EtwpCheckSiloGroupMasks@4 ; EtwpCheckSiloGroupMasks(x)
		test	eax, eax
		js	loc_7E2CF2
		jmp	loc_7E2B65
; 

loc_90CC90:				; CODE XREF: EtwpUpdateGroupMasks+7Ej
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+78h+var_64], al
		push	[esp+78h+var_64]
		push	ds:dword_A94C9C
		push	ds:_SeSystemProfilePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	loc_7E2B76
		mov	eax, 0C0000061h
		jmp	loc_7E2CF2
; 

loc_90CCC7:				; CODE XREF: EtwpUpdateGroupMasks+E1j
		test	ecx, 100h
		jnz	loc_7E2D04
		jmp	loc_7E2BD9
; 

loc_90CCD8:				; CODE XREF: EtwpUpdateGroupMasks+23Aj
		test	eax, 100h
		jnz	loc_7E2BE3
		jmp	loc_7E2D32
; 

loc_90CCE8:				; CODE XREF: EtwpUpdateGroupMasks+1A8j
		mov	ebx, [esp+78h+var_68]
		jmp	loc_7E2CCD
; 

loc_90CCF1:				; CODE XREF: EtwpUpdateGroupMasks+1F1j
		test	al, 4
		jnz	loc_7E2CE9
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7E2CE9
; END OF FUNCTION CHUNK	FOR EtwpUpdateGroupMasks
; 
; START	OF FUNCTION CHUNK FOR EtwpKernelTraceRundown

loc_90CD05:				; CODE XREF: EtwpKernelTraceRundown+49j
		test	bl, bl
		jnz	loc_7E2E17
		mov	edx, edi
		xor	cl, cl
		call	_EtwpLogRefSetAutoMark@8 ; EtwpLogRefSetAutoMark(x,x)
		jmp	loc_7E2E17
; 

loc_90CD1B:				; CODE XREF: EtwpKernelTraceRundown+7Bj
					; EtwpKernelTraceRundown+8Aj
		mov	al, [eax+3]
		mov	edx, [ebp+arg_0]
		and	al, 1
		movzx	eax, al
		test	ecx, ecx
		mov	ecx, [ebp+var_4]
		push	ebx
		push	eax
		setnz	al
		movzx	eax, al
		push	eax
		call	_CmEtwRunDown@20 ; CmEtwRunDown(x,x,x,x,x)
		jmp	loc_7E2E58
; 

loc_90CD3E:				; CODE XREF: EtwpKernelTraceRundown+95j
		push	1
		mov	dl, bl
		mov	ecx, edi
		call	_EtwpSampledProfileRunDown@12 ;	EtwpSampledProfileRunDown(x,x,x)
		mov	eax, [esi+4]
		jmp	loc_7E2E63
; 

loc_90CD51:				; CODE XREF: EtwpKernelTraceRundown+A0j
		push	0
		mov	dl, bl
		mov	ecx, edi
		call	_EtwpSampledProfileRunDown@12 ;	EtwpSampledProfileRunDown(x,x,x)
		mov	eax, [esi+4]
		jmp	loc_7E2E6E
; 

loc_90CD64:				; CODE XREF: EtwpKernelTraceRundown+ABj
		mov	dl, bl
		mov	ecx, edi
		call	_EtwpSpinLockConfigRunDown@8 ; EtwpSpinLockConfigRunDown(x,x)
		mov	eax, [esi+4]
		jmp	loc_7E2E79
; 

loc_90CD75:				; CODE XREF: EtwpKernelTraceRundown+B6j
		mov	dl, bl
		mov	ecx, edi
		call	_EtwpExecutiveResourceConfigRunDown@8 ;	EtwpExecutiveResourceConfigRunDown(x,x)
		mov	eax, [esi+4]
		jmp	loc_7E2E84
; 

loc_90CD86:				; CODE XREF: EtwpKernelTraceRundown+C1j
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		movzx	eax, bl
		push	eax
		call	_MmPerfLogSessionRundown@12 ; MmPerfLogSessionRundown(x,x,x)
		mov	eax, [esi+4]
		jmp	loc_7E2E8F
; 

loc_90CD9D:				; CODE XREF: EtwpKernelTraceRundown+CCj
		mov	dl, bl
		mov	ecx, edi
		call	_EtwpPoolRunDown@8 ; EtwpPoolRunDown(x,x)
		jmp	loc_7E2E9A
; 

loc_90CDAB:				; CODE XREF: EtwpKernelTraceRundown+DBj
		mov	dl, bl
		mov	ecx, edi
		call	_EtwpClockSourceRunDown@8 ; EtwpClockSourceRunDown(x,x)
		jmp	loc_7E2EA9
; 

loc_90CDB9:				; CODE XREF: EtwpKernelTraceRundown+164j
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_MmLogSystemShareablePfnInfo@8 ; MmLogSystemShareablePfnInfo(x,x)
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		push	1
		push	285h
		call	_MmIdentifyPhysicalMemory@16 ; MmIdentifyPhysicalMemory(x,x,x,x)
		mov	eax, [esi+4]
		jmp	loc_7E2F32
; 

loc_90CDDC:				; CODE XREF: EtwpKernelTraceRundown+16Cj
		mov	ecx, edi
		call	_EtwpLogMemInfoRundown@4 ; EtwpLogMemInfoRundown(x)
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		push	0
		push	223h
		call	_MmIdentifyPhysicalMemory@16 ; MmIdentifyPhysicalMemory(x,x,x,x)
		mov	eax, [esi+4]
		jmp	loc_7E2F3A
; 

loc_90CDFC:				; CODE XREF: EtwpKernelTraceRundown+177j
		push	0
		lea	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_MmLogQueryCombineStats@12 ; MmLogQueryCombineStats(x,x,x)
		jmp	loc_7E2F45
; 

loc_90CE0D:				; CODE XREF: EtwpKernelTraceRundown+19Ej
		push	0
		push	0
		mov	edx, offset _PpmTracePerfIdleRundown@12	; PpmTracePerfIdleRundown(x,x,x)
		mov	ecx, offset _KeActiveProcessors
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		mov	eax, [esi+10h]
		jmp	loc_7E2F6C
; 

loc_90CE28:				; CODE XREF: EtwpKernelTraceRundown+1A6j
		xor	dl, dl
		mov	ecx, edi
		call	_EtwpObjectTypeRundown@8 ; EtwpObjectTypeRundown(x,x)
		jmp	loc_7E2F74
; 

loc_90CE36:				; CODE XREF: EtwpKernelTraceRundown+1B9j
		mov	ecx, edi
		call	_EtwpProcessorRundown@8	; EtwpProcessorRundown(x,x)
		jmp	loc_7E2EC7
; 

loc_90CE42:				; CODE XREF: EtwpKernelTraceRundown+F1j
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		push	1
		push	285h
		call	_MmIdentifyPhysicalMemory@16 ; MmIdentifyPhysicalMemory(x,x,x,x)
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		call	_MmLogSystemShareablePfnInfo@8 ; MmLogSystemShareablePfnInfo(x,x)
		mov	eax, [esi+4]
		jmp	loc_7E2EBF
; 

loc_90CE67:				; CODE XREF: EtwpKernelTraceRundown+F9j
		mov	edx, edi
		mov	cl, bl
		call	_EtwpLogRefSetAutoMark@8 ; EtwpLogRefSetAutoMark(x,x)
		jmp	loc_7E2EC7
; END OF FUNCTION CHUNK	FOR EtwpKernelTraceRundown
; 
; START	OF FUNCTION CHUNK FOR EtwpProcessThreadImageRundown

loc_90CE75:				; CODE XREF: EtwpProcessThreadImageRundown+CBj
		mov	eax, [esi+2B4h]
		mov	al, [eax+0A0h]
		sar	al, 3
		jmp	short loc_90CE95
; 

loc_90CE86:				; CODE XREF: EtwpProcessThreadImageRundown+46j
		mov	eax, [esi+2B4h]
		mov	al, [eax+0A0h]
		sar	al, 4

loc_90CE95:				; CODE XREF: EtwpProcessThreadImageRundown+129EFEj
		and	al, 1
		jmp	loc_7E2FD2
; 

loc_90CE9C:				; CODE XREF: EtwpProcessThreadImageRundown+57j
		test	dword ptr [esi+0Ch], 2000000h
		jz	loc_7E2FE3
		movzx	eax, byte ptr [esi+25Ah]
		imul	eax, 14h
		add	eax, offset _EtwpObjectTypeFilter
		mov	[ebp+var_2C], eax
		jmp	loc_7E2FE3
; 

loc_90CEC0:				; CODE XREF: EtwpProcessThreadImageRundown+80j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	loc_7E300C
		xor	edx, edx
		lea	ecx, [eax+0Ch]

loc_90CED0:				; CODE XREF: EtwpProcessThreadImageRundown+129F59j
		cmp	dword ptr [ecx], 80000004h
		jz	short loc_90CEE6
		inc	edx
		add	ecx, 10h
		cmp	edx, [ebp+arg_8]
		jb	short loc_90CED0
		jmp	loc_7E300C
; 

loc_90CEE6:				; CODE XREF: EtwpProcessThreadImageRundown+129F50j
		mov	eax, [eax]
		lea	ecx, [ebp+var_4]
		push	ecx
		push	dword ptr [eax]
		call	PsLookupProcessByProcessId
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7E3028
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_4]
		call	EtwpProcessEnumCallback
		jmp	loc_7E3028
; 

loc_90CF0E:				; CODE XREF: EtwpProcessThreadImageRundown+B6j
		push	0
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7E3042
; END OF FUNCTION CHUNK	FOR EtwpProcessThreadImageRundown
; 
; START	OF FUNCTION CHUNK FOR EtwpProcessEnumCallback

loc_90CF1D:				; CODE XREF: EtwpProcessEnumCallback+60j
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		cmp	[eax+1F0h], edx
		jnz	loc_7E31CE
		jmp	loc_7E30BC
; 

loc_90CF35:				; CODE XREF: EtwpProcessEnumCallback+AAj
		mov	cl, [esp+40h+var_30]
		xor	al, al
		jmp	loc_7E3121
; 

loc_90CF40:				; CODE XREF: EtwpProcessEnumCallback+1F6j
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpEnumerateWorkingSet@8 ; EtwpEnumerateWorkingSet(x,x)
		jmp	loc_7E31B1
; 

loc_90CF4E:				; CODE XREF: EtwpProcessEnumCallback+EBj
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpEnumerateWorkingSet@8 ; EtwpEnumerateWorkingSet(x,x)
		jmp	loc_7E3147
; 

loc_90CF5C:				; CODE XREF: EtwpProcessEnumCallback+118j
		cmp	esi, ds:_PsIdleProcess
		jz	loc_7E3174
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpObjectHandleRundown@8 ; EtwpObjectHandleRundown(x,x)
		jmp	loc_7E3174
; 

loc_90CF76:				; CODE XREF: EtwpProcessEnumCallback+140j
		mov	edx, [esp+40h+var_2C]
		mov	ecx, esi
		call	_EtwpProcessPerfCtrsRundown@8 ;	EtwpProcessPerfCtrsRundown(x,x)
		mov	eax, [edi]
		jmp	loc_7E319C
; END OF FUNCTION CHUNK	FOR EtwpProcessEnumCallback
; 
; START	OF FUNCTION CHUNK FOR EtwpSysModuleRunDown

loc_90CF88:				; CODE XREF: EtwpSysModuleRunDown+73j
		mov	edx, [esi+2E4h]
		lea	eax, [ebp+var_6C]
		push	offset byte_401802
		push	1422h
		push	1
		push	dword ptr [esi]
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], 4
		mov	[ebp+var_2C], edi
		call	EtwpLogKernelEvent
		jmp	loc_7E351D
; END OF FUNCTION CHUNK	FOR EtwpSysModuleRunDown

;  S U B	R O U T	I N E 


sub_90CFBC	proc near		; CODE XREF: EtwpLogAlwaysPresentRundown+13j
		push	ebx
		push	0F3Ah
		push	0
		push	esi
		mov	edx, edi
		xor	ecx, ecx
		call	EtwpLogKernelEvent
		jmp	loc_7E35B1
sub_90CFBC	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpUpdateGlobalGroupMasks

loc_90CFD3:				; CODE XREF: EtwpUpdateGlobalGroupMasks+58j
		xor	eax, eax
		inc	eax
		jmp	loc_7E362B
; 

loc_90CFDB:				; CODE XREF: EtwpUpdateGlobalGroupMasks+69j
		mov	ebx, 80000025h
		jmp	loc_7E3712
; 

loc_90CFE5:				; CODE XREF: EtwpUpdateGlobalGroupMasks+B9j
		mov	ecx, esi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	edx, [eax+1F0h]
		test	edx, edx
		jz	short loc_90D00D
		xor	ecx, ecx
		add	edx, 928h

loc_90CFFE:				; CODE XREF: EtwpUpdateGlobalGroupMasks+129A47j
		mov	eax, [edx]
		lea	edx, [edx+4]
		or	[esp+ecx*4+80h+var_64],	eax
		inc	ecx
		cmp	ecx, 8
		jb	short loc_90CFFE

loc_90D00D:				; CODE XREF: EtwpUpdateGlobalGroupMasks+129A30j
		mov	ecx, esi
		jmp	loc_7E3672
; 

loc_90D014:				; CODE XREF: EtwpUpdateGlobalGroupMasks+129j
		mov	ecx, [esp+80h+var_74]
		mov	esi, [esp+80h+var_6C]
		shl	ecx, 5
		add	esi, 948h
		add	esi, ecx
		mov	ecx, [esp+80h+var_68]
		xor	edx, edx

loc_90D02D:				; CODE XREF: EtwpUpdateGlobalGroupMasks+129A80j
		mov	eax, [esp+edx+80h+var_44]
		not	eax
		and	[ecx], eax
		add	ecx, edi
		and	[esp+edx+80h+var_64], eax
		add	edx, edi
		and	[esi], eax
		add	esi, edi
		cmp	edx, 20h
		jb	short loc_90D02D
		jmp	loc_7E36F3
; END OF FUNCTION CHUNK	FOR EtwpUpdateGlobalGroupMasks
; 
; START	OF FUNCTION CHUNK FOR EtwpEnableKernelTrace

loc_90D04B:				; CODE XREF: EtwpEnableKernelTrace+44j
		mov	[ebp+var_20], eax
		mov	eax, 880000h
		jmp	loc_7E3788
; 

loc_90D058:				; CODE XREF: EtwpEnableKernelTrace+4Ej
		mov	[ebp+var_20], eax
		jmp	loc_7E3790
; 

loc_90D060:				; CODE XREF: EtwpEnableKernelTrace+5Fj
		mov	eax, _EtwpMemInfoInterval
		mov	ecx, 2710h
		or	[ebp+var_30], 0FFFFFFFFh
		xor	edi, edi
		or	[ebp+var_2C], 0FFFFFFFFh
		mul	ecx
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_38], edi
		push	ecx
		push	edx
		push	eax
		neg	eax
		mov	[ebp+var_34], edi
		adc	edx, edi
		neg	edx
		push	edx
		push	eax
		push	offset _EtwpMemInfoTimer
		call	KeSetTimer2
		mov	edx, edi
		jmp	loc_7E37A1
; 

loc_90D09B:				; CODE XREF: EtwpEnableKernelTrace+A5j
		or	esi, eax
		mov	dword_6B14BC, edx
		mov	ecx, [ebx]
		mov	[ebp+var_24], esi
		jmp	loc_7E37E7
; 

loc_90D0AD:				; CODE XREF: EtwpEnableKernelTrace+B2j
		or	esi, eax
		mov	dword_6B14B8, edx
		mov	ecx, [ebx]
		mov	[ebp+var_24], esi
		jmp	loc_7E37F4
; 

loc_90D0BF:				; CODE XREF: EtwpEnableKernelTrace+D9j
		or	esi, eax
		mov	dword_6CEA6C, offset _EtwpTraceIoInit@4	; EtwpTraceIoInit(x)
		mov	[ebp+var_24], esi
		jmp	loc_7E381B
; 

loc_90D0D3:				; CODE XREF: EtwpEnableKernelTrace+E7j
		or	edi, 1
		mov	dword_6CEA70, offset _EtwpTraceOpticalIo@20 ; EtwpTraceOpticalIo(x,x,x,x,x)
		mov	eax, [ebx+10h]
		mov	[ebp+var_14], edi
		jmp	loc_7E3829
; 

loc_90D0EB:				; CODE XREF: EtwpEnableKernelTrace+EFj
		or	edi, 2
		mov	dword_6CEA74, offset _EtwpTraceOpticalIoInit@4 ; EtwpTraceOpticalIoInit(x)
		mov	[ebp+var_14], edi
		jmp	loc_7E3831
; 

loc_90D100:				; CODE XREF: EtwpEnableKernelTrace+FCj
		or	esi, edx
		mov	_EtwpSplitIoNotifyRoutines, offset _EtwpTraceSplitIo@12	; EtwpTraceSplitIo(x,x,x)
		mov	[ebp+var_24], esi
		jmp	loc_7E383E
; 

loc_90D114:				; CODE XREF: EtwpEnableKernelTrace+10Cj
		or	edi, ecx
		mov	dword_6B149C, offset _EtwpTraceFltIo@16	; EtwpTraceFltIo(x,x,x,x)
		mov	eax, [ebx+10h]
		mov	[ebp+var_14], edi
		jmp	loc_7E384E
; 

loc_90D12B:				; CODE XREF: EtwpEnableKernelTrace+119j
		or	edi, ecx
		mov	dword_6B14A0, offset _EtwpTraceFltIo@16	; EtwpTraceFltIo(x,x,x,x)
		mov	eax, [ebx+10h]
		mov	[ebp+var_14], edi
		jmp	loc_7E385B
; 

loc_90D142:				; CODE XREF: EtwpEnableKernelTrace+129j
		or	edi, 100000h
		mov	dword_6B14A4, ecx
		mov	eax, [ebx+10h]
		mov	[ebp+var_14], edi
		jmp	loc_7E386B
; 

loc_90D159:				; CODE XREF: EtwpEnableKernelTrace+131j
		or	edi, edx
		mov	dword_6B14A8, ecx
		mov	eax, [ebx+10h]
		mov	[ebp+var_14], edi
		jmp	loc_7E3873
; 

loc_90D16C:				; CODE XREF: EtwpEnableKernelTrace+143j
		or	edi, ecx
		mov	dword_6B5B80, edx
		mov	eax, [ebx+10h]
		mov	[ebp+var_14], edi
		jmp	loc_7E3885
; 

loc_90D17F:				; CODE XREF: EtwpEnableKernelTrace+150j
		or	edi, ecx
		mov	dword_6B5B84, edx
		mov	[ebp+var_14], edi
		jmp	loc_7E3892
; 

loc_90D18F:				; CODE XREF: EtwpEnableKernelTrace+15Ej
		or	[ebp+var_1C], eax
		mov	dword_6B5B88, offset _EtwpSystemTraceWdf@20 ; EtwpSystemTraceWdf(x,x,x,x,x)
		jmp	loc_7E38A0
; 

loc_90D1A1:				; CODE XREF: EtwpEnableKernelTrace+16Dj
		xor	ecx, ecx
		mov	ds:_CmpTraceRoutine, offset _EtwpTraceRegistry@24 ; EtwpTraceRegistry(x,x,x,x,x,x)
		or	esi, edx
		mov	ds:_CmpTraceTxrRoutine,	offset _EtwpTraceRegistryTransaction@24	; EtwpTraceRegistryTransaction(x,x,x,x,x,x)
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_24], esi
		jmp	loc_7E38AF
; 

loc_90D1C4:				; CODE XREF: EtwpEnableKernelTrace+178j
		call	@AlpcRegisterLogRoutine@4 ; AlpcRegisterLogRoutine(x)
		mov	ecx, eax
		mov	[ebp+var_4C], ecx
		test	ecx, ecx
		js	loc_90D27D
		mov	eax, [ebx]
		or	esi, 100000h
		mov	[ebp+var_24], esi
		jmp	loc_7E38BA
; 

loc_90D1E6:				; CODE XREF: EtwpEnableKernelTrace+183j
		mov	ecx, offset _EtwpTraceNetwork@16 ; EtwpTraceNetwork(x,x,x,x)
		mov	_EtwpTdiIoNotify, ecx
		call	_WmiSetNetworkNotify@4 ; WmiSetNetworkNotify(x)
		or	esi, 10000h
		mov	[ebp+var_24], esi
		jmp	loc_7E38C5
; 

loc_90D204:				; CODE XREF: EtwpEnableKernelTrace+18Dj
		xor	ecx, ecx
		inc	ecx
		call	_IoPerfInit@4	; IoPerfInit(x)
		mov	ecx, eax
		mov	[ebp+var_4C], ecx
		test	ecx, ecx
		js	short loc_90D27D
		or	[ebp+var_20], 10h
		jmp	loc_7E38CF
; 

loc_90D21E:				; CODE XREF: EtwpEnableKernelTrace+199j
		push	1
		push	offset _EtwpTraceDebugPrint@12 ; EtwpTraceDebugPrint(x,x,x)
		call	_DbgSetDebugPrintCallback@8 ; DbgSetDebugPrintCallback(x,x)
		mov	ecx, eax
		mov	[ebp+var_4C], ecx
		test	ecx, ecx
		js	short loc_90D27D
		or	esi, 40000h
		mov	[ebp+var_24], esi
		jmp	loc_7E38DB
; 

loc_90D241:				; CODE XREF: EtwpEnableKernelTrace+1A4j
		call	_EtwpTimeProfileInit@0 ; EtwpTimeProfileInit()
		mov	esi, [ebp+var_20]
		mov	eax, [ebx+4]
		or	esi, 2
		mov	[ebp+var_20], esi
		jmp	loc_7E38E9
; 

loc_90D257:				; CODE XREF: EtwpEnableKernelTrace+1B2j
		call	_EtwpPmcProfileInit@0 ;	EtwpPmcProfileInit()
		or	esi, 400h
		mov	[ebp+var_20], esi
		jmp	loc_7E38F4
; 

loc_90D26A:				; CODE XREF: EtwpEnableKernelTrace+1BCj
		call	_ObEnableEtwReferenceTrace@0 ; ObEnableEtwReferenceTrace()
		or	edi, 80h
		mov	[ebp+var_14], edi
		jmp	loc_7E38FE
; 

loc_90D27D:				; CODE XREF: EtwpEnableKernelTrace:loc_7E390Cj
					; EtwpEnableKernelTrace+129A94j ...
		mov	edx, [ebp+var_54]
		lea	edi, [ebp+var_48]
		push	8
		pop	esi
		xor	eax, eax
		mov	ecx, esi
		rep stosd
		lea	ecx, [ebp+var_48]
		sub	ebx, edx
		sub	ecx, edx

loc_90D293:				; CODE XREF: EtwpEnableKernelTrace+129B67j
		mov	eax, [ebx+edx]
		not	eax
		and	eax, [edx]
		mov	[ecx+edx], eax
		lea	edx, [edx+4]
		sub	esi, 1
		jnz	short loc_90D293
		push	[ebp+arg_4]
		lea	edx, [ebp+var_24]
		push	[ebp+var_50]
		lea	ecx, [ebp+var_48]
		call	EtwpDisableKernelTrace
		mov	edx, [ebp+var_4C]
		jmp	loc_7E3912
; END OF FUNCTION CHUNK	FOR EtwpEnableKernelTrace
; 
; START	OF FUNCTION CHUNK FOR EtwpDisableKernelTrace

loc_90D2BE:				; CODE XREF: EtwpDisableKernelTrace+21j
		mov	ds:_CmpTraceRoutine, edi
		mov	ds:_CmpTraceTxrRoutine,	edi
		jmp	loc_7E398B
; 

loc_90D2CF:				; CODE XREF: EtwpDisableKernelTrace+2Cj
		call	@AlpcUnregisterLogRoutine@4 ; AlpcUnregisterLogRoutine(x)
		mov	eax, [esi]
		jmp	loc_7E3996
; 

loc_90D2DB:				; CODE XREF: EtwpDisableKernelTrace+37j
		mov	dword_6B14BC, edi
		mov	eax, [esi]
		jmp	loc_7E39A1
; 

loc_90D2E8:				; CODE XREF: EtwpDisableKernelTrace+42j
		mov	dword_6B14B8, edi
		mov	eax, [esi]
		jmp	loc_7E39AC
; 

loc_90D2F5:				; CODE XREF: EtwpDisableKernelTrace+71j
		mov	dword_6CEA6C, edi
		jmp	loc_7E39DB
; 

loc_90D300:				; CODE XREF: EtwpDisableKernelTrace+7Cj
		mov	dword_6CEA70, edi
		mov	eax, [esi+10h]
		jmp	loc_7E39E6
; 

loc_90D30E:				; CODE XREF: EtwpDisableKernelTrace+84j
		mov	dword_6CEA74, edi
		jmp	loc_7E39EE
; 

loc_90D319:				; CODE XREF: EtwpDisableKernelTrace+91j
		mov	_EtwpSplitIoNotifyRoutines, edi
		mov	eax, [esi]
		jmp	loc_7E39FB
; 

loc_90D326:				; CODE XREF: EtwpDisableKernelTrace+9Cj
		xor	ecx, ecx
		call	_WmiSetNetworkNotify@4 ; WmiSetNetworkNotify(x)
		jmp	loc_7E3A06
; 

loc_90D332:				; CODE XREF: EtwpDisableKernelTrace+A6j
		xor	ecx, ecx
		inc	ecx
		call	_IoPerfReset@4	; IoPerfReset(x)
		jmp	loc_7E3A10
; 

loc_90D33F:				; CODE XREF: EtwpDisableKernelTrace+B4j
		mov	dword_6B149C, edi
		mov	eax, [esi+10h]
		jmp	loc_7E3A1E
; 

loc_90D34D:				; CODE XREF: EtwpDisableKernelTrace+BFj
		mov	dword_6B14A0, edi
		mov	eax, [esi+10h]
		jmp	loc_7E3A29
; 

loc_90D35B:				; CODE XREF: EtwpDisableKernelTrace+CAj
		mov	dword_6B14A4, edi
		mov	eax, [esi+10h]
		jmp	loc_7E3A34
; 

loc_90D369:				; CODE XREF: EtwpDisableKernelTrace+D5j
		mov	dword_6B14A8, edi
		mov	eax, [esi+10h]
		jmp	loc_7E3A3F
; 

loc_90D377:				; CODE XREF: EtwpDisableKernelTrace+E0j
		mov	dword_6B5B80, edi
		mov	eax, [esi+10h]
		jmp	loc_7E3A4A
; 

loc_90D385:				; CODE XREF: EtwpDisableKernelTrace+FCj
		push	edi
		push	offset _EtwpTraceDebugPrint@12 ; EtwpTraceDebugPrint(x,x,x)
		call	_DbgSetDebugPrintCallback@8 ; DbgSetDebugPrintCallback(x,x)
		jmp	loc_7E3A66
; 

loc_90D395:				; CODE XREF: EtwpDisableKernelTrace+107j
		mov	ecx, offset _EtwpProfileObject
		call	_KeStopProfile@4 ; KeStopProfile(x)
		mov	eax, [esi+4]
		jmp	loc_7E3A71
; 

loc_90D3A7:				; CODE XREF: EtwpDisableKernelTrace+112j
		cmp	_EtwpPmcProfile, edi
		jbe	short loc_90D3CE
		xor	ebx, ebx

loc_90D3B1:				; CODE XREF: EtwpDisableKernelTrace+129A65j
		mov	ecx, dword_6BC3A4
		lea	ecx, [ecx+ebx]
		call	_KeStopProfile@4 ; KeStopProfile(x)
		inc	edi
		lea	ebx, [ebx+34h]
		cmp	edi, _EtwpPmcProfile
		jb	short loc_90D3B1
		mov	ebx, [ebp+var_4]

loc_90D3CE:				; CODE XREF: EtwpDisableKernelTrace+129A49j
		xor	edi, edi
		jmp	loc_7E3A7C
; 

loc_90D3D5:				; CODE XREF: EtwpDisableKernelTrace+126j
		test	ebx, ebx
		jz	short loc_90D3E2
		test	[ebx+4], eax
		jnz	loc_7E3A90

loc_90D3E2:				; CODE XREF: EtwpDisableKernelTrace+129A73j
		push	edi
		push	offset _EtwpMemInfoTimer
		call	KeCancelTimer2
		jmp	loc_7E3A90
; END OF FUNCTION CHUNK	FOR EtwpDisableKernelTrace
; 
; START	OF FUNCTION CHUNK FOR EtwpUpdateFileInfoDriverState

loc_90D3F2:				; CODE XREF: EtwpUpdateFileInfoDriverState+6Fj
		push	(offset	loc_8C04EF+1)
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		call	_ZwLoadDriver@4	; ZwLoadDriver(x)
		test	eax, eax
		jns	short loc_90D41E
		cmp	eax, 0C000010Eh
		jz	short loc_90D41E
		mov	esi, 0C000026Ch
		jmp	loc_7E3B0E
; 

loc_90D41E:				; CODE XREF: EtwpUpdateFileInfoDriverState+12994Dj
					; EtwpUpdateFileInfoDriverState+129954j
		mov	dword_6FDB40, esi
		mov	edi, esi
		jmp	loc_7E3B33
; 

loc_90D42B:				; CODE XREF: EtwpUpdateFileInfoDriverState+2Bj
		mov	edx, [ebp+arg_8]
		push	ecx
		mov	ecx, [ebp+arg_4]
		mov	ecx, [ecx]
		call	_WmiTraceRundownNotify@12 ; WmiTraceRundownNotify(x,x,x)
		jmp	loc_7E3AEF
; 

loc_90D43E:				; CODE XREF: EtwpUpdateFileInfoDriverState+3Ej
		push	(offset	loc_8C04EF+1)
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		call	_ZwUnloadDriver@4 ; ZwUnloadDriver(x)
		mov	dword_6FDB40, ebx
		jmp	loc_7E3B02
; 

loc_90D460:				; CODE XREF: EtwpUpdateFileInfoDriverState+4Aj
		push	(offset	loc_8C04EF+1)
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		call	_ZwUnloadDriver@4 ; ZwUnloadDriver(x)
		mov	dword_6FDB40, ebx
		jmp	loc_7E3B0E
; END OF FUNCTION CHUNK	FOR EtwpUpdateFileInfoDriverState
; 
; START	OF FUNCTION CHUNK FOR EtwpSynchronizeWithLogger

loc_90D482:				; CODE XREF: EtwpSynchronizeWithLogger+27j
					; EtwpSynchronizeWithLogger+35j
		lea	eax, [edi+25Ch]
		lock bts dword ptr [eax], 8
		jb	loc_7E3CB7
		lea	ecx, [edi+1B0h]
		call	_EtwpInsertQueueDpc@4 ;	EtwpInsertQueueDpc(x)
		jmp	loc_7E3CB7
; END OF FUNCTION CHUNK	FOR EtwpSynchronizeWithLogger
; 
; START	OF FUNCTION CHUNK FOR EtwpFlushTrace

loc_90D4A3:				; CODE XREF: EtwpFlushTrace+63j
		mov	esi, 0C00000BBh
		jmp	loc_7E3DBA
; 

loc_90D4AD:				; CODE XREF: EtwpFlushTrace+8Ej
		cmp	[ebx+84h], edx
		jz	short loc_90D4C6
		cmp	[ebx+80h], dx
		jz	short loc_90D4C6
		or	ecx, 40h
		jmp	loc_7E3D68
; 

loc_90D4C6:				; CODE XREF: EtwpFlushTrace+1297DFj
					; EtwpFlushTrace+1297E8j
		mov	esi, 0C000000Fh
		jmp	loc_7E3DBA
; 

loc_90D4D0:				; CODE XREF: EtwpFlushTrace+A6j
		lea	edx, [esp+20h+var_8]
		lea	ecx, [ebx+80h]
		call	EtwpCaptureString
		mov	esi, eax
		test	esi, esi
		js	loc_7E3DBA
		mov	eax, [esp+20h+var_8]
		xor	ecx, ecx
		mov	[edi+74h], eax
		inc	ecx
		mov	eax, [esp+20h+var_4]
		mov	[edi+78h], eax
		lea	eax, [edi+25Ch]
		and	[esp+20h+var_4], 0
		lock or	[eax], ecx
		test	dword ptr [edi+0Ch], 2000000h
		jz	short loc_90D541
		movzx	eax, byte ptr [edi+25Ah]
		mov	ecx, [esp+20h+var_C]
		shl	eax, 5
		add	ecx, 948h
		add	eax, ecx
		jz	short loc_90D541
		mov	eax, [eax+4]
		test	al, 4
		jz	short loc_90D541
		test	eax, 100h
		jz	short loc_90D541
		mov	ecx, [edi+7Ch]
		xor	dl, dl
		call	_EtwpCCSwapStop@8 ; EtwpCCSwapStop(x,x)

loc_90D541:				; CODE XREF: EtwpFlushTrace+12983Bj
					; EtwpFlushTrace+129853j ...
		mov	ecx, edi
		call	_EtwpBufferingModeFlush@4 ; EtwpBufferingModeFlush(x)
		jmp	loc_7E3D8A
; 

loc_90D54D:				; CODE XREF: EtwpFlushTrace+E0j
		push	ecx
		push	ecx
		mov	edx, edi
		mov	ecx, ebx
		call	_EtwpEventWriteTemplateSession@16 ; EtwpEventWriteTemplateSession(x,x,x,x)
		jmp	loc_7E3DBA
; END OF FUNCTION CHUNK	FOR EtwpFlushTrace
; 
; START	OF FUNCTION CHUNK FOR EtwpStopTrace

loc_90D55D:				; CODE XREF: EtwpStopTrace+69j
		mov	dl, 1
		mov	ecx, esi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		mov	edi, 0C0000121h
		jmp	loc_7E3F7F
; 

loc_90D570:				; CODE XREF: EtwpStopTrace+7Fj
		mov	dl, 1
		mov	ecx, esi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		jmp	loc_7E3F7F
; 

loc_90D57E:				; CODE XREF: EtwpStopTrace+92j
		mov	ecx, esi
		call	_EtwpStopLoggerInstance@4 ; EtwpStopLoggerInstance(x)
		mov	dl, 1
		mov	ecx, esi
		mov	edi, eax
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		test	edi, edi
		js	loc_7E3F7F
		mov	edx, esi
		mov	ecx, ebx
		call	EtwpGetLoggerInfoFromContext
		mov	ecx, esi
		mov	edi, eax
		call	_EtwpFreeLoggerContext@4 ; EtwpFreeLoggerContext(x)
		jmp	loc_7E3F7F
; 

loc_90D5AF:				; CODE XREF: EtwpStopTrace+E6j
		mov	eax, [esp+20h+var_14]
		xor	edx, edx
		inc	edx
		mov	ecx, [eax+188h]
		mov	eax, [esp+20h+var_10]
		mov	ecx, [ecx+eax*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		jmp	loc_7E3ED2
; 

loc_90D5CD:				; CODE XREF: EtwpStopTrace+D5j
		mov	edi, 80000025h
		jmp	loc_7E3ED2
; 

loc_90D5D7:				; CODE XREF: EtwpStopTrace+148j
		push	ecx
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_EtwpEventWriteTemplateSession@16 ; EtwpEventWriteTemplateSession(x,x,x,x)
		jmp	loc_7E3F34
; END OF FUNCTION CHUNK	FOR EtwpStopTrace
; 
; START	OF FUNCTION CHUNK FOR EtwpAcquireLoggerContext

loc_90D5E7:				; CODE XREF: EtwpAcquireLoggerContext+37j
		movzx	esi, cl
		jmp	loc_7E4077
; END OF FUNCTION CHUNK	FOR EtwpAcquireLoggerContext
; 
; START	OF FUNCTION CHUNK FOR EtwpCaptureString

loc_90D5EF:				; CODE XREF: EtwpCaptureString+53j
					; EtwpCaptureString+5Bj
		mov	byte ptr [eax],	0
		jmp	loc_7E4167
; END OF FUNCTION CHUNK	FOR EtwpCaptureString

;  S U B	R O U T	I N E 


sub_90D5F7	proc near		; DATA XREF: .text:006A4D88o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90D5F7	endp


;  S U B	R O U T	I N E 


sub_90D605	proc near		; DATA XREF: .text:006A4D8Co
		mov	edi, [ebp-28h]
		jmp	short loc_90D61B
; 

loc_90D60A:				; DATA XREF: .text:006A4D7Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_90D618:				; DATA XREF: .text:006A4D80o
		mov	edi, [ebp-2Ch]

loc_90D61B:				; CODE XREF: sub_90D605+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-20h]
		jmp	loc_7E41C0
sub_90D605	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpGetLoggerInfoFromContext

loc_90D62D:				; CODE XREF: EtwpGetLoggerInfoFromContext+102j
		mov	eax, 0FFFFh
		jmp	loc_7E4347
; END OF FUNCTION CHUNK	FOR EtwpGetLoggerInfoFromContext

;  S U B	R O U T	I N E 


sub_90D637	proc near		; DATA XREF: .text:006A4DA4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90D637	endp


;  S U B	R O U T	I N E 


sub_90D645	proc near		; DATA XREF: .text:006A4DA8o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-50h]
		mov	[ebp-48h], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edi, edi
		mov	ebx, [ebp-54h]
		mov	esi, [ebp-4Ch]
		jmp	loc_7E43C6
sub_90D645	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpGetLoggerInfoFromContext

loc_90D662:				; CODE XREF: EtwpGetLoggerInfoFromContext+196j
		test	al, 4
		jnz	loc_7E43D8
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_44]
		jmp	loc_7E43D8
; END OF FUNCTION CHUNK	FOR EtwpGetLoggerInfoFromContext

;  S U B	R O U T	I N E 


sub_90D677	proc near		; DATA XREF: .text:006A4DB0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-58h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90D677	endp


;  S U B	R O U T	I N E 


sub_90D685	proc near		; DATA XREF: .text:006A4DB4o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-58h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7E441E
sub_90D685	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpDisableTraceProviders

loc_90D697:				; CODE XREF: EtwpDisableTraceProviders+16j
		mov	eax, [esi+4]
		mov	edi, [eax+28Ch]
		add	edi, 226h
		jmp	loc_7E46FB
; 

loc_90D6AB:				; CODE XREF: EtwpDisableTraceProviders+A0j
		test	esi, esi
		jz	short loc_90D6B4
		cmp	esi, 1
		jnz	short loc_90D6CD

loc_90D6B4:				; CODE XREF: EtwpDisableTraceProviders+128FD3j
		mov	[ebp+var_8], ebx
		lea	edx, [ebp+var_C]
		mov	ecx, offset _EtwpUpdateProcessTracingCallback@8	; EtwpUpdateProcessTracingCallback(x,x)
		mov	[ebp+var_C], esi
		mov	byte ptr [ebp+var_8], bl
		call	PsEnumProcesses
		mov	eax, [ebp+var_4]

loc_90D6CD:				; CODE XREF: EtwpDisableTraceProviders+128FD8j
		xor	ecx, ecx
		mov	[edi+esi*2], cx
		jmp	loc_7E4780
; END OF FUNCTION CHUNK	FOR EtwpDisableTraceProviders
; 
; START	OF FUNCTION CHUNK FOR EtwpClearSessionAndUnreferenceEntry

loc_90D6D8:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+188j
		lea	edi, [eax-8]
		mov	eax, large fs:124h
		mov	[ebp+var_3C], edi
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [edi+10h]
		xor	edx, edx
		add	ecx, 16Ch
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		lea	edx, [edi+35h]
		mov	eax, [edi+10h]
		mov	ebx, [ebp+var_34]
		mov	[ebp+var_2D], 1
		mov	[eax+170h], ecx
		mov	eax, [ebp+var_40]
		jmp	loc_7E4A14
; 

loc_90D71E:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+1A8j
		mov	edx, [ebp+var_80]
		cmp	edx, [ebp+var_50]
		jnz	loc_7E4AFA
		jmp	loc_7E4A2C
; 

loc_90D72F:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+1D7j
		lea	eax, [ecx+88h]
		mov	[ebp+var_38], eax
		jmp	loc_7E4A5B
; 

loc_90D73D:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+2DAj
					; EtwpClearSessionAndUnreferenceEntry+2F2j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx+8], eax
		dec	eax
		jnz	short loc_90D750
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90D750:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+128EC8j
		xor	ebx, ebx
		mov	[ebp+var_34], ebx
		jmp	loc_7E4B76
; 

loc_90D75A:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+260j
		lea	ecx, [ebx+78h]
		mov	[ecx+8], eax
		mov	eax, ecx
		sub	eax, ebx
		mov	dword ptr [ecx+0Ch], 80000000h
		add	eax, 10h
		cdq
		mov	[ecx+4], edx
		mov	edx, esi
		mov	[ecx], eax
		add	ecx, 10h
		movzx	eax, byte ptr [edi+34h]
		push	eax
		call	_EtwpCopySchematizedFilters@12 ; EtwpCopySchematizedFilters(x,x,x)
		mov	dword ptr [ebx+74h], 1
		jmp	loc_7E4AE7
; 

loc_90D78F:				; CODE XREF: EtwpClearSessionAndUnreferenceEntry+280j
		mov	eax, [edi+10h]
		xor	edx, edx
		and	dword ptr [eax+170h], 0
		mov	ecx, [edi+10h]
		add	ecx, 16Ch
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ebx, [ebp+var_34]
		mov	eax, [ebp+var_40]
		mov	[ebp+var_2D], 0
		jmp	loc_7E4B04
; END OF FUNCTION CHUNK	FOR EtwpClearSessionAndUnreferenceEntry
; 
; START	OF FUNCTION CHUNK FOR SepDereferenceLowBoxNumberEntry

loc_90D7C4:				; CODE XREF: SepDereferenceLowBoxNumberEntry+17j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _LowboxSessionMapLock
		call	ExAcquirePushLockSharedEx
		lea	eax, [ebp+var_8]
		xor	dl, dl
		push	eax
		mov	ecx, esi
		call	_SepGetTokenSessionMapEntry@12 ; SepGetTokenSessionMapEntry(x,x,x)
		push	11h
		mov	ebx, eax
		xor	edx, edx
		pop	eax
		mov	esi, offset _LowboxSessionMapLock
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_90D807
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_90D807:				; CODE XREF: SepDereferenceLowBoxNumberEntry+128C7Aj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_7E4BAC
; 

loc_90D818:				; CODE XREF: SepDereferenceLowBoxNumberEntry:loc_7E4BFBj
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_7E4BD5
; END OF FUNCTION CHUNK	FOR SepDereferenceLowBoxNumberEntry
; 
; START	OF FUNCTION CHUNK FOR SepDereferenceCachedHandlesEntry

loc_90D822:				; CODE XREF: SepDereferenceCachedHandlesEntry:loc_7E4CD6j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_7E4CB2
; 

loc_90D82C:				; CODE XREF: SepDereferenceCachedHandlesEntry+76j
		test	al, 4
		jnz	loc_7E4CF8
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7E4CF8
; END OF FUNCTION CHUNK	FOR SepDereferenceCachedHandlesEntry
; 
; START	OF FUNCTION CHUNK FOR SepAllocateAndInitializeCachedHandleEntry

loc_90D840:				; CODE XREF: SepAllocateAndInitializeCachedHandleEntry+1Bj
		sub	eax, 1
		jnz	loc_7E4D77
		movzx	eax, word ptr [edi+6]
		add	ecx, eax
		jmp	loc_7E4D77
; 

loc_90D854:				; CODE XREF: SepAllocateAndInitializeCachedHandleEntry+60j
		sub	eax, 1
		jnz	loc_7E4DC1
		lea	ecx, [edi+4]
		mov	ax, [ecx]
		lea	edx, [esi+14h]
		mov	[edx], ax
		mov	ax, [edi+6]
		mov	[esi+16h], ax
		lea	eax, [esi+24h]
		push	ecx
		push	edx
		mov	[esi+18h], eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		jmp	loc_7E4DC1
; END OF FUNCTION CHUNK	FOR SepAllocateAndInitializeCachedHandleEntry
; 
; START	OF FUNCTION CHUNK FOR PspAddSchedulingGroupToJobChain

loc_90D883:				; CODE XREF: PspAddSchedulingGroupToJobChain+36j
					; PspAddSchedulingGroupToJobChain+128B68j
		mov	eax, 0C000009Ah
		jmp	loc_7E4ED5
; 

loc_90D88D:				; CODE XREF: PspAddSchedulingGroupToJobChain+5Ej
		test	byte ptr [edi+310h], 20h
		jnz	loc_7E4E38
		push	2
		pop	ecx
		call	PspAllocateRateControl
		xor	ebx, ebx
		mov	[edi+21Ch], eax
		test	eax, eax
		jz	loc_90D932
		or	dword ptr [eax+44h], 3
		mov	dword ptr [eax+40h], 27102710h
		mov	ecx, [edi+21Ch]
		mov	eax, [eax+40h]
		push	624A7350h
		push	0Ch
		mov	[ecx+18h], eax
		mov	eax, [edi+21Ch]
		push	1
		or	dword ptr [eax+14h], 40h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_90D91E
		push	20h
		pop	ecx
		lea	eax, [edi+310h]
		lock or	[eax], ecx
		mov	[esi+8], edi
		lea	ecx, [esp+20h+var_8]
		mov	eax, [esp+20h+var_8]
		cmp	[eax+4], ecx
		jnz	loc_7E4EDC
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		mov	[esp+20h+var_8], esi
		mov	edi, [edi+244h]
		jmp	loc_7E4E30
; 

loc_90D91E:				; CODE XREF: PspAddSchedulingGroupToJobChain+128B11j
		mov	ecx, [edi+21Ch]
		push	2
		pop	edx
		call	_PspFreeRateControl@8 ;	PspFreeRateControl(x,x)
		mov	[edi+21Ch], ebx

loc_90D932:				; CODE XREF: PspAddSchedulingGroupToJobChain+128AD8j
					; PspAddSchedulingGroupToJobChain+128BBBj
		mov	esi, [esp+20h+var_8]
		lea	eax, [esp+20h+var_8]
		cmp	esi, eax
		jz	loc_90D883
		mov	edi, [esi+8]
		mov	ecx, [edi+21Ch]
		test	ecx, ecx
		jz	short loc_90D969
		push	2
		pop	edx
		call	_PspFreeRateControl@8 ;	PspFreeRateControl(x,x)
		push	0FFFFFFDFh
		mov	[edi+21Ch], ebx
		lea	eax, [edi+310h]
		pop	ecx
		lock and [eax],	ecx

loc_90D969:				; CODE XREF: PspAddSchedulingGroupToJobChain+128B79j
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_7E4EDC
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_7E4EDC
		push	624A7350h
		mov	[ecx], eax
		push	esi
		mov	[eax+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_90D932
; 

loc_90D991:				; CODE XREF: PspAddSchedulingGroupToJobChain+8Aj
		mov	eax, [eax+21Ch]
		add	eax, 40h
		jmp	loc_7E4E7A
; 

loc_90D99F:				; CODE XREF: PspAddSchedulingGroupToJobChain+A0j
		test	eax, eax
		jz	loc_7E4E7A
		mov	ecx, [edi+258h]
		mov	edx, 624A7350h
		call	ObfReferenceObjectWithTag
		mov	eax, [esp+20h+var_10]
		mov	ecx, [esp+20h+var_C]
		jmp	loc_7E4E7A
; 

loc_90D9C4:				; CODE XREF: PspAddSchedulingGroupToJobChain+B8j
		push	8
		push	ebx
		push	ebx
		push	offset _PspSetCpuRateControlJobPostCallback@8 ;	PspSetCpuRateControlJobPostCallback(x,x)
		mov	edx, offset _PspSetCpuRateControlJobPreCallback@8 ; PspSetCpuRateControlJobPreCallback(x,x)
		mov	ecx, edi
		call	PspEnumJobsAndProcessesInJobHierarchy
		jmp	loc_7E4E92
; END OF FUNCTION CHUNK	FOR PspAddSchedulingGroupToJobChain
; 
; START	OF FUNCTION CHUNK FOR ObpParseSymbolicLinkEx

loc_90D9DE:				; CODE XREF: ObpParseSymbolicLinkEx+19Bj
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_7E52F7
		jmp	loc_7E5451
; 

loc_90D9F0:				; CODE XREF: ObpParseSymbolicLinkEx+1B1j
		cmp	edi, 0C0000024h
		jnz	loc_7E546C
		jmp	loc_7E52F7
; 

loc_90DA01:				; CODE XREF: ObpParseSymbolicLinkEx+41j
		mov	edi, 0C0000024h
		jmp	loc_7E546C
; 

loc_90DA0B:				; CODE XREF: ObpParseSymbolicLinkEx+4Fj
		mov	eax, [esi+18h]
		and	[edi+4], eax
		mov	eax, [esi+14h]
		jmp	loc_7E5305
; 

loc_90DA19:				; CODE XREF: ObpParseSymbolicLinkEx+57j
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	[edi+8], eax
		mov	eax, [esi+14h]
		jmp	loc_7E530D
; 

loc_90DA29:				; CODE XREF: ObpParseSymbolicLinkEx+7Fj
		cmp	word ptr [ebx],	0
		jz	loc_7E5335
		mov	eax, [ebx+4]
		cmp	word ptr [eax],	5Ch
		jnz	loc_7E5335
		sub	edi, 2
		jmp	loc_7E5335
; 

loc_90DA48:				; CODE XREF: ObpParseSymbolicLinkEx+95j
		mov	edi, 0C0000106h
		jmp	loc_7E546C
; 

loc_90DA52:				; CODE XREF: ObpParseSymbolicLinkEx+169j
		mov	edi, 0C000009Ah
		jmp	loc_7E546C
; 

loc_90DA5C:				; CODE XREF: ObpParseSymbolicLinkEx+135j
		mov	eax, 368h
		jmp	loc_7E53F0
; END OF FUNCTION CHUNK	FOR ObpParseSymbolicLinkEx
; 
; START	OF FUNCTION CHUNK FOR SepSetTokenCachedHandles

loc_90DA66:				; CODE XREF: SepSetTokenCachedHandles+3Fj
		mov	ebx, 0C0000017h
		jmp	loc_7E564A
; 

loc_90DA70:				; CODE XREF: SepSetTokenCachedHandles+139j
		mov	ebx, 0C000009Ah

loc_90DA75:				; CODE XREF: SepSetTokenCachedHandles+BDj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2

loc_90DA80:				; CODE XREF: SepSetTokenCachedHandles+140j
		jnz	loc_7E5619
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7E5619
; END OF FUNCTION CHUNK	FOR SepSetTokenCachedHandles
; 
; START	OF FUNCTION CHUNK FOR SepAssignTokenCachedHandleEntry

loc_90DA92:				; CODE XREF: SepAssignTokenCachedHandleEntry+Fj
		sub	edx, 1
		jnz	loc_7E56A3
		cmp	[ebp+arg_4], al
		mov	edx, [ebp+arg_0]
		mov	[ecx+298h], edx
		setz	al
		jmp	loc_7E569F
; END OF FUNCTION CHUNK	FOR SepAssignTokenCachedHandleEntry
; 
; START	OF FUNCTION CHUNK FOR SepGetCachedHandlesEntry

loc_90DAAF:				; CODE XREF: SepGetCachedHandlesEntry+24j
		sub	eax, 1
		jnz	loc_7E56F1
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		push	1
		lea	eax, [edi+4]
		push	eax
		call	RtlHashUnicodeString
		mov	esi, [ebp+var_4]
		jmp	loc_7E56F1
; 

loc_90DAD0:				; CODE XREF: SepGetCachedHandlesEntry+94j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, 0C000009Ah
		jmp	loc_7E5757
; END OF FUNCTION CHUNK	FOR SepGetCachedHandlesEntry
; 
; START	OF FUNCTION CHUNK FOR SepFindMatchingCachedHandlesEntry

loc_90DAE1:				; CODE XREF: SepFindMatchingCachedHandlesEntry+44j
		sub	ecx, 1
		jnz	loc_7E57C2
		push	1
		add	eax, 14h
		push	eax
		push	edi
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		jmp	loc_7E57BC
; 

loc_90DAFB:				; CODE XREF: SepFindMatchingCachedHandlesEntry+39j
					; SepFindMatchingCachedHandlesEntry+5Cj
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	RtlGetNextEntryHashTable
		test	eax, eax
		jnz	loc_7E579B
		jmp	loc_7E57CA
; END OF FUNCTION CHUNK	FOR SepFindMatchingCachedHandlesEntry
; 
; START	OF FUNCTION CHUNK FOR SepSetTokenLowboxNumber

loc_90DB14:				; CODE XREF: SepSetTokenLowboxNumber+2Fj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lea	eax, [ebp+var_8]
		mov	[ebp+var_1], 1
		push	eax
		xor	dl, dl
		mov	ecx, edi
		call	_SepGetTokenSessionMapEntry@12 ; SepGetTokenSessionMapEntry(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_90DBA5
		cmp	ebx, 0C0000225h
		jnz	short loc_90DB9D
		push	11h
		xor	ecx, ecx
		mov	ebx, offset _LowboxSessionMapLock
		pop	eax
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jz	short loc_90DB62
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_90DB62:				; CODE XREF: SepSetTokenLowboxNumber+128377j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		xor	eax, eax
		mov	byte ptr [ebp+var_10], 1
		mov	[ebp+var_1], al
		mov	dl, 1
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		call	_SepGetTokenSessionMapEntry@12 ; SepGetTokenSessionMapEntry(x,x,x)
		mov	ebx, eax

loc_90DB9D:				; CODE XREF: SepSetTokenLowboxNumber+128364j
		test	ebx, ebx
		js	loc_7E587F

loc_90DBA5:				; CODE XREF: SepSetTokenLowboxNumber+12835Cj
		mov	edi, [ebp+var_8]
		jmp	loc_7E5823
; 

loc_90DBAD:				; CODE XREF: SepSetTokenLowboxNumber+A1j
		or	eax, 0FFFFFFFFh
		mov	esi, offset _LowboxSessionMapLock
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_90DBE2
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	short loc_90DBE2
; 

loc_90DBC8:				; CODE XREF: SepSetTokenLowboxNumber+ABj
		push	11h
		xor	ecx, ecx
		mov	esi, offset _LowboxSessionMapLock
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_90DBE2
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_90DBE2:				; CODE XREF: SepSetTokenLowboxNumber+1283DBj
					; SepSetTokenLowboxNumber+1283E4j ...
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_7E5893
; END OF FUNCTION CHUNK	FOR SepSetTokenLowboxNumber
; 
; START	OF FUNCTION CHUNK FOR SepGetLowBoxNumberEntry

loc_90DBF3:				; CODE XREF: SepGetLowBoxNumberEntry+40j
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_7E593A
; 

loc_90DBFD:				; CODE XREF: SepGetLowBoxNumberEntry+75j
		mov	eax, 0C000009Ah
		jmp	loc_7E5941
; 

loc_90DC07:				; CODE XREF: SepGetLowBoxNumberEntry+A1j
		push	[ebp+var_4]
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		add	eax, eax
		mov	[ebp+var_8], eax
		cmp	eax, 10000h
		ja	short loc_90DC78
		mov	ecx, eax
		push	734C6553h
		shr	ecx, 3
		push	ecx
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_90DC78
		mov	eax, [ebp+var_4]
		push	esi
		push	dword ptr [eax+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		push	ecx
		mov	[ecx], eax
		mov	eax, [ebp+var_10]
		mov	[ecx+4], eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		mov	eax, [ebp+var_8]
		shr	eax, 1
		push	eax
		push	esi
		push	[ebp+var_4]
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		push	esi
		push	edi
		push	[ebp+var_4]
		call	RtlFindClearBitsAndSet
		mov	[ebp+var_8], eax
		cmp	eax, 0FFFFFFFFh
		jnz	loc_7E599B

loc_90DC78:				; CODE XREF: SepGetLowBoxNumberEntry+ACj
					; SepGetLowBoxNumberEntry+128325j ...
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90DC7F:				; CODE XREF: SepGetLowBoxNumberEntry+1283A8j
		mov	esi, 0C000009Ah
		jmp	loc_7E59D7
; 

loc_90DC89:				; CODE XREF: SepGetLowBoxNumberEntry+D8j
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	[ebp+var_8]
		push	edi
		push	[ebp+var_4]
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		jmp	short loc_90DC7F
; END OF FUNCTION CHUNK	FOR SepGetLowBoxNumberEntry
; 
; START	OF FUNCTION CHUNK FOR SepFindMatchingLowBoxNumberEntry

loc_90DC9E:				; CODE XREF: SepFindMatchingLowBoxNumberEntry+48j
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	RtlGetNextEntryHashTable
		test	eax, eax
		jnz	loc_7E5A1D
		mov	al, [ebp+var_1]
		jmp	loc_7E5A32
; END OF FUNCTION CHUNK	FOR SepFindMatchingLowBoxNumberEntry
; 
; START	OF FUNCTION CHUNK FOR SepValidateReferencedCachedHandles

loc_90DCB8:				; CODE XREF: SepValidateReferencedCachedHandles+56j
		sub	eax, 1
		jnz	short loc_90DD2E
		push	dword ptr [ecx+78h] ; char
		lea	eax, [esp+464h+var_408]
		add	ebx, 4
		push	offset ??_C@_1BK@JJANIBL@?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAs?$AA?2?$AA?$CF?$AAd@NNGAKEGL@ ; "\\Sessions\\%d"
		push	100h		; int
		push	eax		; wchar_t *
		mov	[esp+470h+var_444], ebx
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	loc_7E5CBD
		lea	eax, [esp+460h+var_408]
		push	eax
		lea	eax, [esp+464h+var_428]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[esp+460h+var_420], 1
		mov	[esp+460h+var_448], 1
		call	_RtlGetCurrentServiceSessionId@0 ; RtlGetCurrentServiceSessionId()
		mov	ecx, [esp+460h+var_450]
		cmp	[ecx+78h], eax
		jnz	short loc_90DD2E
		push	offset aBasenamedobjec ; "\\BaseNamedObjects"
		lea	eax, [esp+464h+var_41C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[esp+460h+var_414], 1
		mov	[esp+460h+var_448], 2

loc_90DD2E:				; CODE XREF: SepValidateReferencedCachedHandles+128269j
					; SepValidateReferencedCachedHandles+1282BEj
		xor	ebx, ebx
		jmp	loc_7E5B4E
; END OF FUNCTION CHUNK	FOR SepValidateReferencedCachedHandles
; 
; START	OF FUNCTION CHUNK FOR SepQueryNameString

loc_90DD35:				; CODE XREF: SepQueryNameString+2Bj
		cmp	esi, 0C0000023h
		jnz	loc_7E5E08
		jmp	loc_7E5DC9
; 

loc_90DD46:				; CODE XREF: SepQueryNameString+5Dj
					; SepQueryNameString+6Aj
		xor	eax, eax
		push	eax
		push	dword ptr [edi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0
		test	esi, esi
		js	short loc_90DD87
		lea	eax, [ebx-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [ebx-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, ds:_PsProcessType
		jnz	short loc_90DD87
		mov	edx, edi
		mov	ecx, ebx
		call	PsGetAllocatedFullProcessImageNameEx

loc_90DD87:				; CODE XREF: SepQueryNameString+127FBDj
					; SepQueryNameString+127FE4j
		xor	esi, esi
		jmp	loc_7E5E08
; END OF FUNCTION CHUNK	FOR SepQueryNameString
; 
; START	OF FUNCTION CHUNK FOR PspAllocateRateControl

loc_90DD8E:				; CODE XREF: PspAllocateRateControl+43j
		push	624A7350h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		jmp	loc_7E5F3D
; END OF FUNCTION CHUNK	FOR PspAllocateRateControl
; 

loc_90DDA0:				; CODE XREF: PAGE:007E5F75j
		mov	eax, 0C000000Dh
		jmp	loc_7E5F67
; 
; START	OF FUNCTION CHUNK FOR RtlDeleteAtomFromAtomTable

loc_90DDAA:				; CODE XREF: RtlDeleteAtomFromAtomTable+12j
		mov	eax, 0C000000Dh
		jmp	loc_7E6114
; END OF FUNCTION CHUNK	FOR RtlDeleteAtomFromAtomTable
; 
; START	OF FUNCTION CHUNK FOR PsReturnSharedPoolQuota

loc_90DDB4:				; CODE XREF: PsReturnSharedPoolQuota+1Fj
		push	[ebp+arg_0]
		xor	edx, edx
		mov	ecx, esi
		push	0
		call	PspReturnQuota
		jmp	loc_7E6173
; END OF FUNCTION CHUNK	FOR PsReturnSharedPoolQuota
; 
; START	OF FUNCTION CHUNK FOR PspAllocateAndQueryNotificationChannel

loc_90DDC7:				; CODE XREF: PspAllocateAndQueryNotificationChannel+130j
		mov	edi, 0C0000022h
		jmp	short loc_90DDFA
; 

loc_90DDCE:				; CODE XREF: PspAllocateAndQueryNotificationChannel+183j
		mov	eax, [esp+68h+var_58]
		test	eax, eax
		jz	loc_7E6360
		mov	ecx, eax
		call	ObfDereferenceObject
		jmp	loc_7E6360
; 

loc_90DDE6:				; CODE XREF: PspAllocateAndQueryNotificationChannel+289j
		mov	[esp+68h+var_5A], 1
		jmp	loc_7E6268
; 

loc_90DDF0:				; CODE XREF: PspAllocateAndQueryNotificationChannel+1DFj
					; PspAllocateAndQueryNotificationChannel+263j
		push	ebx
		push	[esp+6Ch+var_50]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90DDFA:				; CODE XREF: PspAllocateAndQueryNotificationChannel+14Dj
					; PspAllocateAndQueryNotificationChannel+1A4j ...
		push	[esp+68h+var_40]
		push	[esp+6Ch+var_4C]
		call	_ObReleaseObjectSecurity@8 ; ObReleaseObjectSecurity(x,x)

loc_90DE07:				; CODE XREF: PspAllocateAndQueryNotificationChannel+126j
		mov	eax, edi
		jmp	loc_7E62BB
; 

loc_90DE0E:				; CODE XREF: PspAllocateAndQueryNotificationChannel+EAj
		lea	eax, [esp+68h+var_C]
		push	eax
		call	_ZwDeleteWnfStateName@4	; ZwDeleteWnfStateName(x)
		jmp	loc_7E62B9
; END OF FUNCTION CHUNK	FOR PspAllocateAndQueryNotificationChannel
; 
; START	OF FUNCTION CHUNK FOR PspLockRootJobExclusive

loc_90DE1D:				; CODE XREF: PspLockRootJobExclusive+39j
		add	ecx, 20h
		call	ExReleaseResourceLite
		jmp	loc_7E64FE
; END OF FUNCTION CHUNK	FOR PspLockRootJobExclusive
; 
; START	OF FUNCTION CHUNK FOR PspFreezeJobTree

loc_90DE2A:				; CODE XREF: PspFreezeJobTree+168j
					; PspFreezeJobTree+1BCj ...
		mov	ecx, [esp+88h+var_74]
		mov	[esp+88h+var_78], 0C000000Dh
		call	ExReleaseResourceLite
		jmp	loc_7E6629
; 

loc_90DE40:				; CODE XREF: PspFreezeJobTree+149j
		and	dword ptr [ebx], 0FFFFFFFBh
		lea	edx, [esp+88h+var_58]
		mov	ecx, esi
		mov	[esp+88h+var_58], 4
		mov	[esp+88h+var_53], 0
		call	PspFreezeJobTree
		mov	[esp+88h+var_78], 106h
		jmp	loc_7E6619
; END OF FUNCTION CHUNK	FOR PspFreezeJobTree
; 
; START	OF FUNCTION CHUNK FOR PspSendWakeNotification

loc_90DE68:				; CODE XREF: PspSendWakeNotification+4Ej
					; PspSendWakeNotification+56j
		test	edi, edi
		jnz	short loc_90DE75
		cmp	ebx, 1
		jbe	loc_7E67BB

loc_90DE75:				; CODE XREF: PspSendWakeNotification+1276E2j
		test	byte ptr [ebp+arg_C], 1
		jz	loc_7E67BB
		jmp	loc_7E67E4
; 

loc_90DE84:				; CODE XREF: PspSendWakeNotification+72j
		test	byte ptr [ebp+arg_C], 4
		jz	loc_7E6800
		cmp	ebx, 1
		jnz	loc_7E6800
		test	edi, edi
		jnz	loc_7E6800
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceWakeEvent@8 ; EtwTraceWakeEvent(x,x)
		jmp	loc_7E6800
; END OF FUNCTION CHUNK	FOR PspSendWakeNotification
; 
; START	OF FUNCTION CHUNK FOR PspRemoveCpuRateControl

loc_90DEAE:				; CODE XREF: PspRemoveCpuRateControl+45j
		cmp	[esi+248h], esi
		jnz	loc_7E68FD
		mov	ecx, [esi+258h]
		test	ecx, ecx
		jz	loc_7E68FD
		mov	edx, 624A7350h
		call	ObfDereferenceObjectWithTag
		and	dword ptr [esi+258h], 0
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR PspRemoveCpuRateControl
; 
; START	OF FUNCTION CHUNK FOR PspSetJobIoAttribution

loc_90DEDB:				; CODE XREF: PspSetJobIoAttribution+2Dj
		mov	edi, ebx
		mov	ebx, 0C00000BBh
		jmp	loc_7E6A21
; 

loc_90DEE7:				; CODE XREF: PspSetJobIoAttribution+46j
		mov	edi, ebx
		mov	ebx, 0C000009Ah
		jmp	loc_7E6A21
; 

loc_90DEF3:				; CODE XREF: PspSetJobIoAttribution+68j
		mov	edi, ebx
		mov	ebx, 0C000009Ah
		jmp	short loc_90DF03
; 

loc_90DEFC:				; CODE XREF: PspSetJobIoAttribution+83j
		mov	edi, ebx
		mov	ebx, 0C0000017h

loc_90DF03:				; CODE XREF: PspSetJobIoAttribution+1275E2j
		mov	eax, [ebp+arg_4]
		mov	cl, [ebp+var_1]
		jmp	loc_7E6A1D
; 

loc_90DF0E:				; CODE XREF: PspSetJobIoAttribution+EDj
		sub	ecx, eax
		mov	[esi+324h], ecx
		jmp	loc_7E6A18
; END OF FUNCTION CHUNK	FOR PspSetJobIoAttribution
; 
; START	OF FUNCTION CHUNK FOR EtwTracePsIoAttribution

loc_90DF1B:				; CODE XREF: EtwTracePsIoAttribution+37j
		lea	eax, [ebp+var_38]
		xor	edx, edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	esi
		push	edi
		push	ebx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_7E6AA5
; END OF FUNCTION CHUNK	FOR EtwTracePsIoAttribution
; 
; START	OF FUNCTION CHUNK FOR IoDiskIoAttributionAllocate

loc_90DF61:				; CODE XREF: IoDiskIoAttributionAllocate+6Bj
		mov	ecx, edi
		call	_IoDiskIoAttributionReference@4	; IoDiskIoAttributionReference(x)
		mov	[esi+90h], edi
		jmp	loc_7E6B75
; END OF FUNCTION CHUNK	FOR IoDiskIoAttributionAllocate
; 
; START	OF FUNCTION CHUNK FOR PspQueryJobIoAttribution

loc_90DF73:				; CODE XREF: PspQueryJobIoAttribution+32j
		mov	esi, 0C0000225h
		jmp	loc_7E6C9C
; END OF FUNCTION CHUNK	FOR PspQueryJobIoAttribution
; 
; START	OF FUNCTION CHUNK FOR NtAdjustGroupsToken

loc_90DF7D:				; CODE XREF: NtAdjustGroupsToken+2Dj
		mov	eax, 0C000000Dh
		jmp	loc_7E6E64
; 

loc_90DF87:				; CODE XREF: NtAdjustGroupsToken+69j
		mov	eax, ecx
		jmp	loc_7E6D15
; 

loc_90DF8E:				; CODE XREF: NtAdjustGroupsToken+77j
		push	4
		push	[ebp+arg_C]
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [ebp+arg_14]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_90DFA7
		mov	ecx, eax

loc_90DFA7:				; CODE XREF: NtAdjustGroupsToken+1272FDj
		mov	eax, [ecx]
		mov	[ecx], eax
		jmp	loc_7E6D23
; END OF FUNCTION CHUNK	FOR NtAdjustGroupsToken

;  S U B	R O U T	I N E 


sub_90DFB0	proc near		; DATA XREF: .text:006A4DCCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90DFB0	endp


;  S U B	R O U T	I N E 


sub_90DFBE	proc near		; DATA XREF: .text:006A4DD0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-38h]
		jmp	loc_7E6E64
sub_90DFBE	endp

; 
; START	OF FUNCTION CHUNK FOR NtAdjustGroupsToken

loc_90DFD0:				; CODE XREF: NtAdjustGroupsToken+47j
		push	0FFFFFFFEh
		pop	edi
		mov	esi, [ebp+arg_10]
		jmp	loc_7E6D2B
; END OF FUNCTION CHUNK	FOR NtAdjustGroupsToken

;  S U B	R O U T	I N E 


sub_90DFDB	proc near		; DATA XREF: .text:006A4DD8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90DFDB	endp


;  S U B	R O U T	I N E 


sub_90DFE9	proc near		; DATA XREF: .text:006A4DDCo

; FUNCTION CHUNK AT 0090E06A SIZE 0000000C BYTES

		mov	esp, [ebp-18h]
		mov	eax, [ebp-40h]
		jmp	short loc_90E06A
sub_90DFE9	endp

; 
; START	OF FUNCTION CHUNK FOR NtAdjustGroupsToken

loc_90DFF1:				; CODE XREF: NtAdjustGroupsToken+E7j
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	short loc_90E001
		push	ecx
		mov	dl, byte ptr [ebp+arg_8+3]
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_90E001:				; CODE XREF: NtAdjustGroupsToken+127350j
		mov	eax, edi
		jmp	loc_7E6E64
; 

loc_90E008:				; CODE XREF: NtAdjustGroupsToken+132j
		mov	dword ptr [ebp-4], 2
		mov	ecx, [ebp+arg_14]
		mov	eax, [ebp+var_24]
		mov	[ecx], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7E6DDE
; END OF FUNCTION CHUNK	FOR NtAdjustGroupsToken

;  S U B	R O U T	I N E 


sub_90E023	proc near		; DATA XREF: .text:006A4DE4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_90E023	endp

; 
byte_90E031	db 8Bh,	65h, 0E8h	; DATA XREF: .text:006A4DE8o
		dd 0B86583h, 458DC933h,	809F0B8h, 8BD4758Bh, 25E8304Eh
		dd 0E8FFC10Eh, 0FFC113F0h, 0F9E8CE8Bh, 8BFFC116h, 0C985E04Dh
		dd 8A510974h, 4BE8D055h, 8BFFE8F1h
		db 45h,	0B4h
; 
; START	OF FUNCTION CHUNK FOR sub_90DFE9

loc_90E06A:				; CODE XREF: sub_90DFE9+6j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7E6E64
; END OF FUNCTION CHUNK	FOR sub_90DFE9
; 
; START	OF FUNCTION CHUNK FOR NtAdjustGroupsToken

loc_90E076:				; CODE XREF: NtAdjustGroupsToken+13Aj
		and	[ebp+var_50], 0
		xor	ecx, ecx
		lea	eax, [ebp+var_50]
		lock or	[eax], ecx
		mov	ecx, [edi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, edi
		call	ObfDereferenceObject
		test	ebx, ebx
		jz	short loc_90E0A5
		push	ecx
		mov	dl, byte ptr [ebp+arg_8+3]
		mov	ecx, ebx
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_90E0A5:				; CODE XREF: NtAdjustGroupsToken+1273F2j
		mov	eax, [ebp+arg_10]
		jmp	loc_7E6E64
; 

loc_90E0AD:				; CODE XREF: NtAdjustGroupsToken+142j
		mov	eax, [ebp+var_24]
		cmp	eax, [ebp+arg_C]
		jbe	short loc_90E0EE
		and	[ebp+var_54], 0
		xor	ecx, ecx
		lea	eax, [ebp+var_54]
		lock or	[eax], ecx
		mov	ecx, [edi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, edi
		call	ObfDereferenceObject
		test	ebx, ebx
		jz	short loc_90E0E4
		push	ecx
		mov	dl, byte ptr [ebp+arg_8+3]
		mov	ecx, ebx
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_90E0E4:				; CODE XREF: NtAdjustGroupsToken+127431j
		mov	eax, 0C0000023h
		jmp	loc_7E6E64
; 

loc_90E0EE:				; CODE XREF: NtAdjustGroupsToken+12740Dj
		mov	eax, [ebp+var_28]
		lea	eax, ds:7[eax*8]
		add	eax, esi
		and	eax, 0FFFFFFFCh
		jmp	loc_7E6DF1
; END OF FUNCTION CHUNK	FOR NtAdjustGroupsToken

;  S U B	R O U T	I N E 


sub_90E102	proc near		; DATA XREF: .text:006A4DF0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-68h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90E102	endp

; 
dword_90E110	dd 8BE8658Bh, 4E8DD475h, 0B1E8E834h, 6583FFBCh,	0C933009Ch
					; DATA XREF: .text:006A4DF4o
		dd 0F09C458Dh, 4E8B0809h, 0D3EE830h, 9E8FFC1h, 8BFFC113h
		dd 1612E8CEh, 4D8BFFC1h, 74C985E0h, 558A5109h, 0F064E8D0h
		dd 45C7FFE8h, 0FFFFFEFCh, 98458BFFh, 0ED8D07E9h
		db 0FFh
; 
; START	OF FUNCTION CHUNK FOR SepAdjustGroups

loc_90E15D:				; CODE XREF: SepAdjustGroups+E2j
					; SepAdjustGroups+EDj
		movzx	eax, byte ptr [edx+1]
		lea	edx, ds:0Bh[eax*4]
		mov	al, [ebp+var_1]
		and	edx, 0FFFFFFFCh
		add	[ebp+var_C], edx
		mov	[ebp+arg_18], edx
		test	al, al
		jz	short loc_90E1CB
		cmp	[ebp+arg_C], 0
		jz	short loc_90E1B3
		mov	eax, [esi]
		mov	ecx, [ebp+arg_C]
		mov	edx, [ebp+var_1C]
		mov	[ecx+eax*8+8], edx
		mov	eax, [esi]
		mov	edx, [ebp+arg_10]
		mov	[ecx+eax*8+4], edx
		mov	eax, [ebp+var_14]
		push	eax		; void *
		push	edx		; void *
		mov	edx, [ebp+arg_18]
		push	edx		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+var_8]
		add	eax, [ebp+arg_18]
		mov	[ebp+arg_10], eax
		mov	ecx, [ecx+94h]

loc_90E1B3:				; CODE XREF: SepAdjustGroups+1272F4j
		mov	eax, [ecx+edi*8+4]
		cmp	ebx, 2
		jnz	short loc_90E1C1
		or	eax, 4
		jmp	short loc_90E1C4
; 

loc_90E1C1:				; CODE XREF: SepAdjustGroups+127332j
		and	eax, 0FFFFFFFBh

loc_90E1C4:				; CODE XREF: SepAdjustGroups+127337j
		mov	[ecx+edi*8+4], eax
		mov	al, [ebp+var_1]

loc_90E1CB:				; CODE XREF: SepAdjustGroups+1272EEj
		inc	dword ptr [esi]
		jmp	loc_7E6F1C
; 

loc_90E1D2:				; CODE XREF: SepAdjustGroups+145j
		mov	eax, [esi]
		mov	edx, [ebp+var_1C]
		push	[ebp+var_14]	; void *
		mov	[ecx+eax*8+8], edx
		mov	eax, [esi]
		mov	edx, [ebp+arg_10]
		push	edx		; void *
		push	ebx		; int
		mov	[ecx+eax*8+4], edx
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		mov	eax, [ebp+var_8]
		add	[ebp+arg_10], ebx
		mov	edx, [eax+94h]
		jmp	loc_7E6FD3
; 

loc_90E1FF:				; CODE XREF: SepAdjustGroups+120j
		mov	eax, 0C00002B3h
		jmp	loc_7E6F5B
; 

loc_90E209:				; CODE XREF: SepAdjustGroups+117j
		mov	eax, 0C000005Dh
		jmp	loc_7E6F5B
; 

loc_90E213:				; CODE XREF: SepAdjustGroups+CBj
		mov	ecx, [esi]
		mov	edx, [ebp+var_C]
		lea	edx, [edx+ecx*8]
		mov	ecx, [ebp+arg_14]
		add	edx, 4
		mov	[ecx], edx
		jmp	loc_7E6F59
; END OF FUNCTION CHUNK	FOR SepAdjustGroups
; 
; START	OF FUNCTION CHUNK FOR NtCreateTokenEx

loc_90E228:				; CODE XREF: NtCreateTokenEx+138j
		mov	eax, 0C0000061h
		jmp	loc_7E7548
; 

loc_90E232:				; CODE XREF: NtCreateTokenEx+159j
		mov	edx, eax
		jmp	loc_7E7163
; 

loc_90E239:				; CODE XREF: NtCreateTokenEx+177j
		mov	edx, eax
		jmp	loc_7E7181
; 

loc_90E240:				; CODE XREF: NtCreateTokenEx+194j
		mov	edx, eax
		jmp	loc_7E719E
; 

loc_90E247:				; CODE XREF: NtCreateTokenEx+1B1j
		mov	edx, eax
		jmp	loc_7E71BB
; 

loc_90E24E:				; CODE XREF: NtCreateTokenEx+1CEj
		mov	edx, eax
		jmp	loc_7E71D8
; 

loc_90E255:				; CODE XREF: NtCreateTokenEx+1F6j
		mov	edx, eax
		jmp	loc_7E7200
; 

loc_90E25C:				; CODE XREF: NtCreateTokenEx+217j
		mov	edx, eax
		jmp	loc_7E7221
; 

loc_90E263:				; CODE XREF: NtCreateTokenEx+239j
		mov	edx, eax
		jmp	loc_7E7243
; 

loc_90E26A:				; CODE XREF: NtCreateTokenEx+24Aj
		mov	edx, eax
		test	al, 3
		jnz	loc_7E75B8
		mov	eax, ds:_MmUserProbeAddress
		cmp	[ebp+var_8C], eax
		jb	short loc_90E283
		mov	edx, eax

loc_90E283:				; CODE XREF: NtCreateTokenEx+12727Bj
		nop
		mov	al, [edx]
		jmp	loc_7E7254
; 

loc_90E28B:				; CODE XREF: NtCreateTokenEx+255j
		mov	edx, eax
		test	al, 3
		jnz	loc_7E75B8
		mov	eax, ds:_MmUserProbeAddress
		cmp	[ebp+var_80], eax
		jb	short loc_90E2A1
		mov	edx, eax

loc_90E2A1:				; CODE XREF: NtCreateTokenEx+127299j
		nop
		mov	al, [edx]
		jmp	loc_7E725F
; 

loc_90E2A9:				; CODE XREF: NtCreateTokenEx+263j
		mov	edx, eax
		test	al, 3
		jnz	loc_7E75B8
		mov	eax, ds:_MmUserProbeAddress
		cmp	[ebp+var_88], eax
		jb	short loc_90E2C2
		mov	edx, eax

loc_90E2C2:				; CODE XREF: NtCreateTokenEx+1272BAj
		nop
		mov	al, [edx]
		jmp	loc_7E726D
; 

loc_90E2CA:				; CODE XREF: NtCreateTokenEx+271j
		mov	edx, eax
		test	al, 3
		jnz	loc_7E75B8
		mov	eax, ds:_MmUserProbeAddress
		cmp	[ebp+var_84], eax
		jb	short loc_90E2E3
		mov	edx, eax

loc_90E2E3:				; CODE XREF: NtCreateTokenEx+1272DBj
		nop
		mov	al, [edx]
		jmp	loc_7E727B
; END OF FUNCTION CHUNK	FOR NtCreateTokenEx

;  S U B	R O U T	I N E 


sub_90E2EB	proc near		; DATA XREF: .text:006A4E0Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C4h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90E2EB	endp


;  S U B	R O U T	I N E 


sub_90E2FC	proc near		; DATA XREF: .text:006A4E10o

; FUNCTION CHUNK AT 0090E3FD SIZE 00000008 BYTES
; FUNCTION CHUNK AT 0090E4C1 SIZE 0000000C BYTES

		mov	eax, [ebp-0C4h]
		jmp	loc_90E3FD
sub_90E2FC	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateTokenEx

loc_90E307:				; CODE XREF: NtCreateTokenEx+143j
		mov	edi, [ebp+var_90]
		jmp	loc_7E7282
; 

loc_90E312:				; CODE XREF: NtCreateTokenEx+2B0j
		cmp	[ebp+var_2E], 0
		jnz	loc_7E72BA
		mov	eax, 0C00000A5h
		jmp	loc_7E7548
; 

loc_90E326:				; CODE XREF: NtCreateTokenEx+3E4j
		test	ebx, ebx
		js	loc_7E73EE
		mov	edx, [eax]	; int
		mov	[ebp+var_98], edx
		lea	ecx, [ebp+var_D4]
		push	ecx		; int
		lea	ecx, [ebp+var_58]
		push	ecx		; int
		push	ecx		; int
		push	ecx		; int
		push	esi		; int
		push	esi		; void *
		push	[ebp+var_38]	; char
		lea	ecx, [eax+4]	; void *
		call	SeCaptureSidAndAttributesArray
		mov	ebx, eax
		mov	[ebp+var_34], ebx
		jmp	loc_7E73EE
; 

loc_90E35A:				; CODE XREF: NtCreateTokenEx+3F2j
		test	ebx, ebx
		js	loc_7E73FC
		lea	ecx, [ebp+var_5C]
		push	ecx		; int
		push	esi		; int
		push	[ebp+var_38]	; size_t
		push	1		; int
		lea	edx, [ebp+var_B0]
		mov	ecx, eax
		call	SepCaptureTokenSecurityAttributesInformation
		mov	ebx, eax
		mov	[ebp+var_34], ebx
		jmp	loc_7E73FC
; 

loc_90E383:				; CODE XREF: NtCreateTokenEx+400j
		test	ebx, ebx
		js	loc_7E740A
		lea	ecx, [ebp+var_60]
		push	ecx		; int
		push	esi		; int
		push	[ebp+var_38]	; size_t
		push	1		; int
		lea	edx, [ebp+var_B0]
		mov	ecx, eax
		call	SepCaptureTokenSecurityAttributesInformation
		mov	ebx, eax
		mov	[ebp+var_34], ebx
		jmp	loc_7E740A
; 

loc_90E3AC:				; CODE XREF: NtCreateTokenEx+40Ej
		test	ebx, ebx
		js	loc_7E7418
		mov	eax, [eax]
		mov	[ebp+var_94], eax
		mov	[ebp+var_2F], 1
		jmp	loc_7E7418
; 

loc_90E3C5:				; CODE XREF: NtCreateTokenEx+50Aj
		push	ecx
		mov	dl, al
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)
		jmp	loc_7E7514
; 

loc_90E3D2:				; CODE XREF: NtCreateTokenEx+515j
		call	SepFreeCapturedTokenSecurityAttributesInformation
		jmp	loc_7E751F
; 

loc_90E3DC:				; CODE XREF: NtCreateTokenEx+520j
		call	SepFreeCapturedTokenSecurityAttributesInformation
		jmp	loc_7E752A
; END OF FUNCTION CHUNK	FOR NtCreateTokenEx

;  S U B	R O U T	I N E 


sub_90E3E6	proc near		; DATA XREF: .text:006A4E24o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E0h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90E3E6	endp


;  S U B	R O U T	I N E 


sub_90E3F7	proc near		; DATA XREF: .text:006A4E28o
		mov	eax, [ebp-0E0h]
sub_90E3F7	endp

; START	OF FUNCTION CHUNK FOR sub_90E2FC

loc_90E3FD:				; CODE XREF: sub_90E2FC+6j
		mov	esp, [ebp-18h]
		jmp	loc_90E4C1
; END OF FUNCTION CHUNK	FOR sub_90E2FC

;  S U B	R O U T	I N E 


sub_90E405	proc near		; DATA XREF: .text:006A4E18o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0DCh], eax
		xor	eax, eax
		inc	eax
		retn
sub_90E405	endp


;  S U B	R O U T	I N E 


sub_90E416	proc near		; DATA XREF: .text:006A4E1Co
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-4Ch]
		mov	bl, [ebp-38h]
		test	ecx, ecx
		jz	short loc_90E42B
		push	ecx
		mov	dl, bl
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_90E42B:				; CODE XREF: sub_90E416+Bj
		mov	ecx, [ebp-50h]
		test	ecx, ecx
		jz	short loc_90E43A
		push	ecx
		mov	dl, bl
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_90E43A:				; CODE XREF: sub_90E416+1Aj
		mov	ecx, [ebp-54h]
		test	ecx, ecx
		jz	short loc_90E449
		push	ecx
		mov	dl, bl
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_90E449:				; CODE XREF: sub_90E416+29j
		cmp	dword ptr [ebp-3Ch], 0
		jz	short loc_90E462
		test	bl, bl
		jz	short loc_90E458
		cmp	bl, 1
		jnz	short loc_90E462

loc_90E458:				; CODE XREF: sub_90E416+3Bj
		push	0
		push	dword ptr [ebp-3Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90E462:				; CODE XREF: sub_90E416+37j
					; sub_90E416+40j
		cmp	dword ptr [ebp-40h], 0
		jz	short loc_90E47B
		test	bl, bl
		jz	short loc_90E471
		cmp	bl, 1
		jnz	short loc_90E47B

loc_90E471:				; CODE XREF: sub_90E416+54j
		push	0
		push	dword ptr [ebp-40h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90E47B:				; CODE XREF: sub_90E416+50j
					; sub_90E416+59j
		cmp	dword ptr [ebp-44h], 0
		jz	short loc_90E494
		test	bl, bl
		jz	short loc_90E48A
		cmp	bl, 1
		jnz	short loc_90E494

loc_90E48A:				; CODE XREF: sub_90E416+6Dj
		push	0
		push	dword ptr [ebp-44h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90E494:				; CODE XREF: sub_90E416+69j
					; sub_90E416+72j
		mov	ecx, [ebp-58h]
		test	ecx, ecx
		jz	short loc_90E4A3
		push	ecx
		mov	dl, bl
		call	_SeReleaseLuidAndAttributesArray@12 ; SeReleaseLuidAndAttributesArray(x,x,x)

loc_90E4A3:				; CODE XREF: sub_90E416+83j
		mov	ecx, [ebp-5Ch]
		test	ecx, ecx
		jz	short loc_90E4AF
		call	SepFreeCapturedTokenSecurityAttributesInformation

loc_90E4AF:				; CODE XREF: sub_90E416+92j
		mov	ecx, [ebp-60h]
		test	ecx, ecx
		jz	short loc_90E4BB
		call	SepFreeCapturedTokenSecurityAttributesInformation

loc_90E4BB:				; CODE XREF: sub_90E416+9Ej
		mov	eax, [ebp-0DCh]
sub_90E416	endp

; START	OF FUNCTION CHUNK FOR sub_90E2FC

loc_90E4C1:				; CODE XREF: sub_90E2FC+104j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7E7548
; END OF FUNCTION CHUNK	FOR sub_90E2FC
; 
; START	OF FUNCTION CHUNK FOR NtCreateTokenEx

loc_90E4CD:				; CODE XREF: NtCreateTokenEx+287j
		mov	eax, 0C00000A8h
		jmp	loc_7E7548
; 

loc_90E4D7:				; CODE XREF: NtCreateTokenEx+5EBj
		mov	eax, 0C000000Dh
		jmp	loc_7E7688
; 

loc_90E4E1:				; CODE XREF: NtCreateTokenEx+5F7j
		mov	eax, edi
		shl	eax, 4
		jmp	loc_7E7616
; 

loc_90E4EB:				; CODE XREF: NtCreateTokenEx+626j
		mov	eax, 0C000009Ah
		jmp	loc_7E7688
; 

loc_90E4F5:				; CODE XREF: NtCreateTokenEx+633j
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		push	edi
		call	_SepInsertOrReferenceSharedSidEntries@12 ; SepInsertOrReferenceSharedSidEntries(x,x,x)
		jmp	loc_7E7657
; 

loc_90E505:				; CODE XREF: NtCreateTokenEx+658j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7E7685
; END OF FUNCTION CHUNK	FOR NtCreateTokenEx
; 
; START	OF FUNCTION CHUNK FOR SeCaptureSidAndAttributesArray

loc_90E512:				; CODE XREF: SeCaptureSidAndAttributesArray+56j
		mov	eax, 0C000000Dh
		jmp	loc_7E78A6
; 

loc_90E51C:				; CODE XREF: SeCaptureSidAndAttributesArray+1C9j
					; SeCaptureSidAndAttributesArray+1D1j
		mov	byte ptr [ecx],	0
		jmp	loc_7E7927
; 

loc_90E524:				; CODE XREF: SeCaptureSidAndAttributesArray+1FDj
		mov	eax, edi
		jmp	loc_7E7953
; 

loc_90E52B:				; CODE XREF: SeCaptureSidAndAttributesArray+20Fj
		mov	ecx, 0C0000078h
		mov	[ebp+var_20], ecx
		mov	[ebp+var_24], ecx
		mov	edi, [ebp+var_30]
		jmp	loc_7E77EA
; 

loc_90E53E:				; CODE XREF: SeCaptureSidAndAttributesArray+240j
					; SeCaptureSidAndAttributesArray+248j
		mov	byte ptr [edi],	0
		mov	eax, [ebp+var_20]
		mov	eax, [eax+4]
		jmp	loc_7E799E
; 

loc_90E54C:				; CODE XREF: SeCaptureSidAndAttributesArray+A3j
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_20]
		jmp	loc_7E78A6
; END OF FUNCTION CHUNK	FOR SeCaptureSidAndAttributesArray

;  S U B	R O U T	I N E 


sub_90E55E	proc near		; DATA XREF: .text:006A4E44o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		mov	eax, 1
		retn
sub_90E55E	endp


;  S U B	R O U T	I N E 


sub_90E56E	proc near		; DATA XREF: .text:006A4E48o
		mov	esp, [ebp-18h]
		push	0
		push	dword ptr [ebp-1Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-34h]
		jmp	loc_7E78A6
sub_90E56E	endp

; 
; START	OF FUNCTION CHUNK FOR SeCaptureSidAndAttributesArray

loc_90E58A:				; CODE XREF: SeCaptureSidAndAttributesArray+16Cj
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7E78C2
; 

loc_90E599:				; CODE XREF: SeCaptureSidAndAttributesArray+32Bj
		cmp	[ebp+arg_0], 0
		jz	short loc_90E5A9
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90E5A9:				; CODE XREF: SeCaptureSidAndAttributesArray+19Dj
					; SeCaptureSidAndAttributesArray+126E4Dj
		mov	eax, 0C000009Ah
		jmp	loc_7E78A6
; 

loc_90E5B3:				; CODE XREF: SeCaptureSidAndAttributesArray+2EAj
		mov	eax, 0C000000Dh
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		jmp	loc_7E7A5F
; END OF FUNCTION CHUNK	FOR SeCaptureSidAndAttributesArray

;  S U B	R O U T	I N E 


sub_90E5C3	proc near		; DATA XREF: .text:006A4E50o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		mov	eax, 1
		retn
sub_90E5C3	endp


;  S U B	R O U T	I N E 


sub_90E5D3	proc near		; DATA XREF: .text:006A4E54o
		mov	esp, [ebp-18h]
		cmp	dword ptr [ebp+0Ch], 0
		jnz	short loc_90E5EF
		push	0
		mov	esi, [ebp+1Ch]
		mov	eax, [esi]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [esi], 0

loc_90E5EF:				; CODE XREF: sub_90E5D3+7j
		push	0
		push	dword ptr [ebp-1Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-3Ch]
		jmp	loc_7E78A6
sub_90E5D3	endp

; 
; START	OF FUNCTION CHUNK FOR SeCaptureSidAndAttributesArray

loc_90E608:				; CODE XREF: SeCaptureSidAndAttributesArray+350j
		push	0
		mov	ebx, [ebp+arg_14]
		mov	eax, [ebx]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebx], 0
		jmp	loc_7E78A4
; END OF FUNCTION CHUNK	FOR SeCaptureSidAndAttributesArray
; 
; START	OF FUNCTION CHUNK FOR SeCaptureAcl

loc_90E620:				; CODE XREF: SeCaptureAcl+2Aj
		mov	eax, edx
		jmp	loc_7E7B18
; 

loc_90E627:				; CODE XREF: SeCaptureAcl+51j
					; SeCaptureAcl+59j
		mov	[eax], bl
		jmp	loc_7E7B47
; END OF FUNCTION CHUNK	FOR SeCaptureAcl

;  S U B	R O U T	I N E 


sub_90E62E	proc near		; DATA XREF: .text:006A4E6Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90E62E	endp


;  S U B	R O U T	I N E 


sub_90E63C	proc near		; DATA XREF: .text:006A4E70o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7E7BA7
sub_90E63C	endp


;  S U B	R O U T	I N E 


sub_90E64E	proc near		; CODE XREF: SeCaptureAcl+B7j
		push	ebx
		push	dword ptr [edi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[edi], ebx

loc_90E658:				; CODE XREF: SeCaptureAcl+69j
		mov	eax, 0C0000077h
		jmp	loc_7E7BA7
sub_90E64E	endp


;  S U B	R O U T	I N E 


sub_90E662	proc near		; DATA XREF: .text:006A4E78o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90E662	endp


;  S U B	R O U T	I N E 


sub_90E670	proc near		; DATA XREF: .text:006A4E7Co
		mov	esp, [ebp-18h]
		xor	ebx, ebx
		push	ebx
		mov	esi, [ebp+18h]
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-28h]
		jmp	loc_7E7BA7
sub_90E670	endp

; 
; START	OF FUNCTION CHUNK FOR IopAllocateFoExtensionsOnCreate

loc_90E691:				; CODE XREF: IopAllocateFoExtensionsOnCreate+47j
		xor	esi, esi
		mov	ecx, ebx
		mov	[ebp+arg_0], esi
		call	_IopCheckStackForTransactionSupport@4 ;	IopCheckStackForTransactionSupport(x)
		test	eax, eax
		jnz	short loc_90E6D5
		cmp	dword ptr [edi+3Ch], 1
		jnz	short loc_90E6C5
		mov	cl, [edi+2Eh]
		mov	eax, [ebp+arg_8]
		and	cl, 6
		neg	cl
		sbb	cl, cl
		and	eax, 0FEEDFF56h
		inc	cl
		neg	eax
		sbb	al, al
		inc	al
		test	cl, al
		jnz	short loc_90E6D5

loc_90E6C5:				; CODE XREF: IopAllocateFoExtensionsOnCreate+126A35j
		cmp	byte ptr [edi+55h], 0
		jnz	short loc_90E6D5
		mov	eax, 0C019003Fh
		jmp	loc_7E7CE9
; 

loc_90E6D5:				; CODE XREF: IopAllocateFoExtensionsOnCreate+126A2Fj
					; IopAllocateFoExtensionsOnCreate+126A53j ...
		mov	eax, [edi+70h]
		test	eax, eax
		jz	short loc_90E742
		push	8
		pop	ecx
		cmp	[eax], cx
		jnz	short loc_90E742
		mov	ebx, [eax+4]
		test	ebx, ebx
		jz	short loc_90E742
		push	esi
		push	ds:_TmTransactionObjectType
		push	120037h
		push	ebx
		call	ObReferenceObjectByPointer
		test	eax, eax
		js	loc_7E7CE9
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+arg_0]
		push	esi		; int
		push	eax		; int
		push	1		; char
		push	8		; size_t
		xor	edx, edx
		call	IopGetSetSpecificExtension
		mov	esi, eax
		test	esi, esi
		jns	short loc_90E72A
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	loc_7E7CE7
; 

loc_90E72A:				; CODE XREF: IopAllocateFoExtensionsOnCreate+126AACj
		mov	edx, [edi+70h]
		mov	ecx, [ebp+arg_0]
		mov	eax, [edx]
		mov	[ecx], eax
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		mov	eax, [edi+5Ch]
		jmp	loc_7E7CBD
; 

loc_90E742:				; CODE XREF: IopAllocateFoExtensionsOnCreate+126A6Aj
					; IopAllocateFoExtensionsOnCreate+126A72j ...
		mov	eax, 0C000000Dh
		jmp	loc_7E7CE9
; 

loc_90E74C:				; CODE XREF: IopAllocateFoExtensionsOnCreate+E7j
		push	edi
		call	_PsReleaseSiloHardReference@4 ;	PsReleaseSiloHardReference(x)
		jmp	loc_7E7CE7
; END OF FUNCTION CHUNK	FOR IopAllocateFoExtensionsOnCreate
; 
; START	OF FUNCTION CHUNK FOR NtIsProcessInJob

loc_90E757:				; CODE XREF: NtIsProcessInJob+23j
		mov	esi, [esi+80h]
		mov	[ebp+var_4], esi
		jmp	loc_7E7E40
; END OF FUNCTION CHUNK	FOR NtIsProcessInJob
; 
; START	OF FUNCTION CHUNK FOR SeSetSessionIdToken

loc_90E765:				; CODE XREF: SeSetSessionIdToken+53j
		mov	ebx, 0C000012Bh
		jmp	loc_7E7F64
; 

loc_90E76F:				; CODE XREF: SeSetSessionIdToken+63j
		mov	edx, [esi+274h]
		test	edx, edx
		jz	loc_7E7F49
		mov	ecx, [esi+78h]
		call	SepDereferenceLowBoxNumberEntry
		and	[esi+274h], ebx
		jmp	loc_7E7F49
; 

loc_90E790:				; CODE XREF: SeSetSessionIdToken+7Ej
		mov	edx, [esi+1E0h]
		mov	ecx, esi
		call	SepSetTokenLowboxNumber
		mov	ebx, eax
		jmp	loc_7E7F64
; END OF FUNCTION CHUNK	FOR SeSetSessionIdToken
; 
; START	OF FUNCTION CHUNK FOR PspJobDeleteStorageArrays

loc_90E7A4:				; CODE XREF: PspJobDeleteStorageArrays+Dj
		call	_PspStorageEmptyAll@4 ;	PspStorageEmptyAll(x)
		mov	ecx, [esi+308h]
		call	_PspFreeStorage@4 ; PspFreeStorage(x)
		and	dword ptr [esi+308h], 0
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR PspJobDeleteStorageArrays
; 
; START	OF FUNCTION CHUNK FOR PspJobIoRateControlDisable

loc_90E7BD:				; CODE XREF: PspJobIoRateControlDisable+13j
		lea	ecx, [esi+340h]
		call	PspIoRateEntryDeactivate
		xor	edi, edi
		inc	edi
		jmp	loc_7E7FE3
; 

loc_90E7D0:				; CODE XREF: PspJobIoRateControlDisable+33j
		lea	eax, [ebp+var_8]
		cmp	[esi+4], eax
		jnz	short loc_90E7FD
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_90E7FD
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], eax
		mov	[eax+4], ecx
		mov	ecx, esi
		call	PspIoRateEntryDeactivate
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		inc	edi
		jmp	loc_7E7FF5
; 

loc_90E7FD:				; CODE XREF: PspJobIoRateControlDisable+12680Cj
					; PspJobIoRateControlDisable+126813j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_90E802:				; CODE XREF: NtAssignProcessToJobObject+4Ej
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	esi, [eax+158h]
		jmp	loc_7E818A
; END OF FUNCTION CHUNK	FOR PspJobIoRateControlDisable

;  S U B	R O U T	I N E 


sub_90E819	proc near		; CODE XREF: NtAssignProcessToJobObject+96j
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	_EtwTraceJobAssignProcess@12 ; EtwTraceJobAssignProcess(x,x,x)
		jmp	loc_7E81AC
sub_90E819	endp

; 
; START	OF FUNCTION CHUNK FOR PsAssignProcessToJobObject

loc_90E828:				; CODE XREF: PsAssignProcessToJobObject+3Fj
		cmp	esi, 0Ah
		jbe	loc_7E81F2
		mov	eax, 0C0000001h
		jmp	loc_7E8227
; END OF FUNCTION CHUNK	FOR PsAssignProcessToJobObject
; 
; START	OF FUNCTION CHUNK FOR PspAssignProcessToJob

loc_90E83B:				; CODE XREF: PspAssignProcessToJob+5Ej
		mov	esi, [ebx+158h]
		mov	edx, eax
		push	ecx
		lea	ecx, [ebp+var_58]
		mov	[ebp+var_21+1],	esi
		push	ecx
		mov	ecx, edi
		call	_PspGetNextJobProcess@16 ; PspGetNextJobProcess(x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_40], eax
		mov	edx, 624A7350h
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_58]
		push	ebx
		push	eax
		mov	ecx, edi
		mov	[ebp+var_19], 1
		call	_PspQuitNextJobProcess@16 ; PspQuitNextJobProcess(x,x,x,x)
		jmp	loc_7E829A
; 

loc_90E87B:				; CODE XREF: PspAssignProcessToJob+75j
		mov	esi, 0C000010Ah
		jmp	loc_7E8526
; 

loc_90E885:				; CODE XREF: PspAssignProcessToJob+B1j
		call	_PspIsJobMovable@4 ; PspIsJobMovable(x)
		test	al, al
		jz	short loc_90E8B1
		mov	[ebp+var_2C], 5
		cmp	[ebx+158h], edi
		jnz	short loc_90E8B1
		test	dword ptr [ebx+3A8h], 1000h
		jz	short loc_90E8B1
		mov	eax, [ebp+var_2C]
		jmp	loc_7E8316
; 

loc_90E8B1:				; CODE XREF: PspAssignProcessToJob+C5j
					; PspAssignProcessToJob+126656j ...
		mov	esi, 0C0000022h
		jmp	loc_7E8526
; 

loc_90E8BB:				; CODE XREF: PspAssignProcessToJob+D1j
		mov	esi, 0C000022Dh
		jmp	loc_7E8526
; 

loc_90E8C5:				; CODE XREF: PspAssignProcessToJob+DAj
					; PspAssignProcessToJob+19Fj
		xor	esi, esi
		jmp	loc_7E8526
; 

loc_90E8CC:				; CODE XREF: PspAssignProcessToJob+E2j
					; PspAssignProcessToJob+EBj
		mov	eax, [ebp+var_21+1]
		jmp	loc_7E8330
; 

loc_90E8D4:				; CODE XREF: PspAssignProcessToJob+34Cj
		test	byte ptr [eax+310h], 10h
		jnz	short loc_90E8EF
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		call	PspDoesJobHierarchyPermitUILimits
		test	al, al
		jnz	loc_7E833C

loc_90E8EF:				; CODE XREF: PspAssignProcessToJob+114j
					; PspAssignProcessToJob+12Ej ...
		mov	esi, 0C00000BBh
		jmp	loc_7E8526
; 

loc_90E8F9:				; CODE XREF: PspAssignProcessToJob+11Dj
		test	byte ptr [edi+18Ch], 1
		jnz	short loc_90E8EF
		jmp	loc_7E8359
; 

loc_90E907:				; CODE XREF: PspAssignProcessToJob+1CDj
		push	626F4Ah
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	edx
		push	eax
		mov	edx, ebx
		mov	ecx, edi
		call	PspChargeJobWakeCounter
		mov	ecx, [ebp+var_38]
		jmp	loc_7E8409
; 

loc_90E924:				; CODE XREF: PspAssignProcessToJob+1F7j
		mov	edx, [ebp+var_21+1]
		xor	ecx, ecx
		push	626F4Ah
		push	ecx
		push	esi
		push	ecx
		push	eax
		push	ecx
		mov	ecx, edi
		call	PspChargeJobWakeCounter
		jmp	loc_7E8433
; 

loc_90E93F:				; CODE XREF: PspAssignProcessToJob+298j
		push	4
		pop	eax
		jmp	loc_7E84D6
; 

loc_90E947:				; CODE XREF: PspAssignProcessToJob+2ADj
		mov	esi, 0C0000044h
		jmp	loc_7E8526
; 

loc_90E951:				; CODE XREF: PspAssignProcessToJob+2E0j
		mov	eax, [edi+0E8h]
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], 1
		mov	[ebp+var_44], ebx
		mov	[ebp+var_38], eax
		cmp	eax, 0FFFFFFFDh
		ja	short loc_90E993
		mov	edx, [ebp+var_28]
		mov	ecx, edi
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		lea	eax, [ebp+var_38]
		push	eax
		push	1
		lea	eax, [ebp+var_4C]
		push	eax
		push	6
		call	PsInvokeWin32Callout
		mov	edx, [ebp+var_28]
		mov	ecx, edi
		mov	esi, eax
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)

loc_90E993:				; CODE XREF: PspAssignProcessToJob+126734j
		test	esi, esi
		js	loc_7E8526
		jmp	loc_7E851C
; 

loc_90E9A0:				; CODE XREF: PspAssignProcessToJob+2EAj
		mov	al, [ebp+var_19]
		mov	esi, 0C000022Dh
		or	al, 20h
		mov	[ebp+var_19], al
		jmp	loc_7E8529
; 

loc_90E9B2:				; CODE XREF: PspAssignProcessToJob+30Bj
		test	al, 8
		jz	loc_7E8547
		cmp	[ebp+var_2C], 5
		jnz	short loc_90E9CF
		push	esi
		push	edi
		push	0
		push	ebx
		push	0EFh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_90E9CF:				; CODE XREF: PspAssignProcessToJob+126788j
		xor	eax, eax
		mov	ecx, 0C000010Ah
		cmp	esi, ecx
		setz	al
		xor	edx, edx
		dec	eax
		and	eax, 0FFFFFF3Ah
		add	eax, ecx
		mov	ecx, ebx
		push	eax
		push	0Ah
		call	PspRemoveProcessFromJobChain
		mov	al, [ebp+var_19]
		jmp	loc_7E8547
; 

loc_90E9F7:				; CODE XREF: PspAssignProcessToJob+316j
		push	edi
		mov	edx, ebx
		lea	ecx, [ebp+var_18]
		call	PspUnlockJobsAndProcessExclusive
		mov	al, [ebp+var_19]
		jmp	loc_7E8552
; 

loc_90EA0A:				; CODE XREF: PspAssignProcessToJob+31Ej
		mov	ecx, edi
		call	_PspUnlockJobAssignment@4 ; PspUnlockJobAssignment(x)
		mov	al, [ebp+var_19]
		jmp	loc_7E855A
; 

loc_90EA19:				; CODE XREF: PspAssignProcessToJob+326j
		mov	edx, 624A7350h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		jmp	loc_7E8562
; END OF FUNCTION CHUNK	FOR PspAssignProcessToJob
; 
; START	OF FUNCTION CHUNK FOR PspUnlockJobsAndProcessExclusive

loc_90EA2A:				; CODE XREF: PspUnlockJobsAndProcessExclusive+30j
		lea	esi, [ebx+0E0h]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_90EA44
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_90EA44:				; CODE XREF: PspUnlockJobsAndProcessExclusive+126461j
		mov	ecx, esi
		call	KeAbPostRelease
		jmp	loc_7E8610
; END OF FUNCTION CHUNK	FOR PspUnlockJobsAndProcessExclusive
; 
; START	OF FUNCTION CHUNK FOR PspRetrieveJobChainSegmentProcessCharges

loc_90EA50:				; CODE XREF: PspRetrieveJobChainSegmentProcessCharges+2Cj
		sub	eax, 1
		jz	short loc_90EA5E
		xor	ecx, ecx
		mov	edx, ecx
		jmp	loc_7E863E
; 

loc_90EA5E:				; CODE XREF: PspRetrieveJobChainSegmentProcessCharges+126429j
		xor	ecx, ecx
		jmp	loc_7E863E
; END OF FUNCTION CHUNK	FOR PspRetrieveJobChainSegmentProcessCharges
; 
; START	OF FUNCTION CHUNK FOR PspValidateJobAssignmentDiskIoAttribution

loc_90EA65:				; CODE XREF: PspValidateJobAssignmentDiskIoAttribution+28j
					; PspValidateJobAssignmentDiskIoAttribution+3Bj
		cmp	dword ptr [esi+324h], 0
		jnz	short loc_90EA7F
		push	0
		mov	ecx, esi
		call	_PspIsSetJobIoAttribution@12 ; PspIsSetJobIoAttribution(x,x,x)
		test	al, al
		jz	loc_7E867A

loc_90EA7F:				; CODE XREF: PspValidateJobAssignmentDiskIoAttribution+12640Cj
		xor	al, al
		jmp	loc_7E867C
; END OF FUNCTION CHUNK	FOR PspValidateJobAssignmentDiskIoAttribution
; 
; START	OF FUNCTION CHUNK FOR PspValidateJobAssignmentRateControlLimits

loc_90EA86:				; CODE XREF: PspValidateJobAssignmentRateControlLimits+36j
		test	[edx+310h], esi
		jz	loc_7E86DC
		xor	al, al
		jmp	loc_7E86BA
; END OF FUNCTION CHUNK	FOR PspValidateJobAssignmentRateControlLimits
; 
; START	OF FUNCTION CHUNK FOR PspValidateJobAssignmentSiloPolicy

loc_90EA99:				; CODE XREF: PspValidateJobAssignmentSiloPolicy+21j
		push	[ebp+arg_0]
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		cmp	esi, eax
		jmp	loc_7E8757
; END OF FUNCTION CHUNK	FOR PspValidateJobAssignmentSiloPolicy
; 
; START	OF FUNCTION CHUNK FOR PspTerminateProcessesJobCallback

loc_90EAA8:				; CODE XREF: PspTerminateProcessesJobCallback+26j
		mov	eax, [edi]
		mov	[esp+28h+var_18], eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	[esp+28h+var_14], eax
		call	_PspMarkServerSiloAsTerminating@4 ; PspMarkServerSiloAsTerminating(x)
		mov	bl, al
		test	bl, bl
		jz	loc_7E878C
		mov	ecx, [esp+28h+var_14]
		mov	eax, [esp+28h+var_18]
		mov	[ecx+284h], eax
		jmp	loc_7E878C
; END OF FUNCTION CHUNK	FOR PspTerminateProcessesJobCallback
; 
; START	OF FUNCTION CHUNK FOR PspGetJobAssignmentDisposition

loc_90EAD9:				; CODE XREF: PspGetJobAssignmentDisposition+Dj
		call	_PsIsJobParentImmutable@4 ; PsIsJobParentImmutable(x)
		test	al, al
		jnz	short loc_90EB0B
		cmp	dword ptr [edi+8Ch], 0
		jnz	short loc_90EB0B
		cmp	dword ptr [edi+3A0h], 0FFFFFFFFh
		jz	short loc_90EB0B
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		cmp	[ebp+arg_0], ecx
		setnz	cl
		add	ecx, 6
		mov	[eax], ecx
		xor	eax, eax
		jmp	loc_7E8917
; 

loc_90EB0B:				; CODE XREF: PspGetJobAssignmentDisposition+126220j
					; PspGetJobAssignmentDisposition+126229j ...
		mov	eax, 0C00000BBh
		jmp	loc_7E8917
; 

loc_90EB15:				; CODE XREF: PspGetJobAssignmentDisposition+25j
		mov	eax, 0C000010Ah
		jmp	loc_7E8917
; 

loc_90EB1F:				; CODE XREF: PspGetJobAssignmentDisposition+33j
		mov	esi, 0C000010Ah
		jmp	loc_7E890C
; 

loc_90EB29:				; CODE XREF: PspGetJobAssignmentDisposition+6Bj
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 2
		jmp	loc_7E890C
; 

loc_90EB37:				; CODE XREF: PspGetJobAssignmentDisposition+7Fj
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 3
		jmp	loc_7E890C
; 

loc_90EB45:				; CODE XREF: PspGetJobAssignmentDisposition+98j
					; PspGetJobAssignmentDisposition+A4j
		call	_PspIsJobMovable@4 ; PspIsJobMovable(x)
		test	al, al
		jz	short loc_90EB5C
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 5
		jmp	loc_7E890C
; 

loc_90EB5C:				; CODE XREF: PspGetJobAssignmentDisposition+12628Cj
		mov	esi, 0C00000BBh
		jmp	loc_7E890C
; END OF FUNCTION CHUNK	FOR PspGetJobAssignmentDisposition
; 
; START	OF FUNCTION CHUNK FOR PspGetJobLockHierarchyForAssignment

loc_90EB66:				; CODE XREF: PspGetJobLockHierarchyForAssignment+32j
		sub	eax, 1
		jz	short loc_90EB7D
		sub	eax, 1
		jz	loc_7E8A0A
		sub	eax, 1
		jnz	loc_7E8A1A

loc_90EB7D:				; CODE XREF: PspGetJobLockHierarchyForAssignment+12616Fj
		mov	eax, [ebp+arg_0]
		jmp	loc_7E8A38
; END OF FUNCTION CHUNK	FOR PspGetJobLockHierarchyForAssignment
; 
; START	OF FUNCTION CHUNK FOR NtOpenPrivateNamespace

loc_90EB85:				; CODE XREF: NtOpenPrivateNamespace+3Bj
		mov	ecx, eax
		jmp	loc_7E8A9B
; 

loc_90EB8C:				; CODE XREF: NtOpenPrivateNamespace+4Aj
		mov	esi, ecx
		test	cl, 3
		jz	short loc_90EB98
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_90EB98:				; CODE XREF: NtOpenPrivateNamespace+126137j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_90EBA3
		mov	esi, eax

loc_90EBA3:				; CODE XREF: NtOpenPrivateNamespace+126145j
		nop
		mov	al, [esi]
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_1C], eax
		jmp	loc_7E8AAA
; END OF FUNCTION CHUNK	FOR NtOpenPrivateNamespace

;  S U B	R O U T	I N E 


sub_90EBB1	proc near		; DATA XREF: .text:006A4E94o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90EBB1	endp


;  S U B	R O U T	I N E 


sub_90EBBF	proc near		; DATA XREF: .text:006A4E98o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-28h]
		jmp	loc_7E8B34
sub_90EBBF	endp

; 
; START	OF FUNCTION CHUNK FOR NtOpenPrivateNamespace

loc_90EBD1:				; CODE XREF: NtOpenPrivateNamespace+28j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_7E8AB1
		mov	eax, [eax+0Ch]
		mov	[ebp+var_1C], eax
		jmp	loc_7E8AB1
; END OF FUNCTION CHUNK	FOR NtOpenPrivateNamespace

;  S U B	R O U T	I N E 


sub_90EBE7	proc near		; DATA XREF: .text:006A4EA0o
		xor	eax, eax
		inc	eax
		retn
sub_90EBE7	endp


;  S U B	R O U T	I N E 


sub_90EBEB	proc near		; DATA XREF: .text:006A4EA4o
		mov	esp, [ebp-18h]
		jmp	loc_7E8B9B
sub_90EBEB	endp

; 
; START	OF FUNCTION CHUNK FOR PspUnlockJobListExclusive

loc_90EBF3:				; CODE XREF: PspUnlockJobListExclusive+15j
		test	al, 4
		jnz	loc_7E8BD7
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7E8BD7
; END OF FUNCTION CHUNK	FOR PspUnlockJobListExclusive
; 
; START	OF FUNCTION CHUNK FOR ExUuidCreate

loc_90EC07:				; CODE XREF: ExUuidCreate+C3j
		push	ecx
		mov	edx, eax
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_10]
		mov	ecx, offset _ExpUuidLock
		jmp	loc_7E8CB7
; 

loc_90EC1C:				; CODE XREF: ExUuidCreate+119j
		test	cl, 4
		jnz	loc_7E8D0D
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_7E8D0D
; 

loc_90EC31:				; CODE XREF: ExUuidCreate+DAj
					; ExUuidCreate+E6j
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	loc_7E8D0F
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset _ExpUuidLock
		jmp	loc_7E8D0F
; 

loc_90EC50:				; CODE XREF: ExUuidCreate+FAj
		or	eax, 0FFFFFFFFh
		mov	esi, offset _ExpUuidLock
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_90EC69
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_90EC69:				; CODE XREF: ExUuidCreate+126072j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_7E8C7E
; END OF FUNCTION CHUNK	FOR ExUuidCreate
; 
; START	OF FUNCTION CHUNK FOR NtCreatePrivateNamespace

loc_90EC7D:				; CODE XREF: NtCreatePrivateNamespace+37j
		mov	ecx, eax
		jmp	loc_7E8D8F
; END OF FUNCTION CHUNK	FOR NtCreatePrivateNamespace

;  S U B	R O U T	I N E 


sub_90EC84	proc near		; DATA XREF: .text:006A4EBCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_90EC84	endp


;  S U B	R O U T	I N E 


sub_90EC92	proc near		; DATA XREF: .text:006A4EC0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2Ch]
		jmp	loc_7E8F20
sub_90EC92	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreatePrivateNamespace

loc_90ECA4:				; CODE XREF: NtCreatePrivateNamespace+7Bj
		mov	esi, 0C000000Dh
		jmp	short loc_90ECAD
; 

loc_90ECAB:				; CODE XREF: NtCreatePrivateNamespace+9Fj
		mov	esi, eax

loc_90ECAD:				; CODE XREF: NtCreatePrivateNamespace+6Aj
					; NtCreatePrivateNamespace+125F57j
		push	534E624Fh
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	loc_7E8F20
; 

loc_90ECBF:				; CODE XREF: NtCreatePrivateNamespace+117j
		mov	ebx, 0C0000033h
		jmp	loc_7E8F46
; 

loc_90ECC9:				; CODE XREF: NtCreatePrivateNamespace+179j
					; NtCreatePrivateNamespace+189j
		mov	edx, edi
		lea	ecx, [ebx+74h]
		call	_ObpRemoveNamespaceEntry@8 ; ObpRemoveNamespaceEntry(x,x)
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject
		jmp	loc_7E8EED
; END OF FUNCTION CHUNK	FOR NtCreatePrivateNamespace

;  S U B	R O U T	I N E 


sub_90ECE0	proc near		; DATA XREF: .text:006A4EC8o
		xor	eax, eax
		inc	eax
		retn
sub_90ECE0	endp


;  S U B	R O U T	I N E 


sub_90ECE4	proc near		; DATA XREF: .text:006A4ECCo
		mov	esp, [ebp-18h]
		jmp	loc_7E8F16
sub_90ECE4	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateJobObject

loc_90ECEC:				; CODE XREF: NtCreateJobObject+3Aj
		mov	ecx, eax
		jmp	loc_7E905E
; 

loc_90ECF3:				; CODE XREF: NtCreateJobObject+1A8j
		mov	[ebp+var_40], 0FFFFD8F0h
		or	[ebp+var_3C], 0FFFFFFFFh
		lea	eax, [ebp+var_40]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		cmp	ebx, 0C000022Dh
		jz	loc_7E91B8
		jmp	loc_7E91CC
; 

loc_90ED1C:				; CODE XREF: NtCreateJobObject+1CBj
		mov	edi, 0C000009Ah
		jmp	loc_7E91F5
; END OF FUNCTION CHUNK	FOR NtCreateJobObject

;  S U B	R O U T	I N E 


sub_90ED26	proc near		; DATA XREF: .text:006A4EF0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_90ED26	endp


;  S U B	R O U T	I N E 


sub_90ED36	proc near		; DATA XREF: .text:006A4EF4o
		mov	edi, [ebp-34h]
		jmp	short loc_90ED4E
; 

loc_90ED3B:				; DATA XREF: .text:006A4EE4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_90ED4B:				; DATA XREF: .text:006A4EE8o
		mov	edi, [ebp-38h]

loc_90ED4E:				; CODE XREF: sub_90ED36+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7E928D
sub_90ED36	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateJobObject

loc_90ED5D:				; CODE XREF: NtCreateJobObject+23Aj
		push	720h
		push	edi
		mov	edx, [ebp+var_2C]
		mov	ecx, esi
		call	@EtwTraceJob@16	; EtwTraceJob(x,x,x,x)
		jmp	loc_7E925E
; END OF FUNCTION CHUNK	FOR NtCreateJobObject
; 
; START	OF FUNCTION CHUNK FOR ObpVerifyCreatorAccessCheck

loc_90ED72:				; CODE XREF: ObpVerifyCreatorAccessCheck+10Dj
		mov	ecx, esi
		mov	[esp+90h+var_58], ecx
		jmp	loc_7E93A5
; 

loc_90ED7D:				; CODE XREF: ObpVerifyCreatorAccessCheck+86j
					; ObpVerifyCreatorAccessCheck+173j
		mov	[esp+90h+var_58], 0C0000022h
		jmp	loc_7E93B0
; END OF FUNCTION CHUNK	FOR ObpVerifyCreatorAccessCheck
; 
; START	OF FUNCTION CHUNK FOR SepFreeCapturedTokenSecurityAttributesInformation

loc_90ED8A:				; CODE XREF: SepFreeCapturedTokenSecurityAttributesInformation+77j
		cmp	eax, 4
		jz	loc_7EA79D
		cmp	eax, 5
		jz	loc_7EA79D
		cmp	eax, 6
		jz	loc_7EA79D
		cmp	ecx, 10h
		jnz	loc_7EA768
		jmp	loc_7EA79D
; END OF FUNCTION CHUNK	FOR SepFreeCapturedTokenSecurityAttributesInformation
; 
; START	OF FUNCTION CHUNK FOR SepCaptureTokenSecurityAttributesAndOperationsInformation

loc_90EDB3:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+1Ej
		cmp	[ecx+4], ebx
		jz	short loc_90EDC8
		mov	[eax], ecx
		xor	eax, eax
		jmp	loc_7EA90A
; 

loc_90EDC1:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+4Aj
					; SepCaptureTokenSecurityAttributesAndOperationsInformation+1245EFj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_90EDC8:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+1245B8j
		mov	eax, 0C000000Dh
		jmp	loc_7EA90A
; 

loc_90EDD2:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+39j
		mov	edx, eax
		jmp	loc_7EA83D
; 

loc_90EDD9:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+60j
		mov	eax, edx
		jmp	loc_7EA864
; 

loc_90EDE0:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+8Dj
		mov	ebx, eax
		jmp	loc_7EA891
; 

loc_90EDE7:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+77j
		mov	edi, [ebp+var_20]
		cmp	dword ptr [edi], 1
		jnz	short loc_90EDC1
		jmp	loc_7EA8A0
; 

loc_90EDF4:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+F0j
		mov	edi, 0C0000017h

loc_90EDF9:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+104j
		test	ecx, ecx
		jz	short loc_90EE05
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90EE05:				; CODE XREF: SepCaptureTokenSecurityAttributesAndOperationsInformation+1245FDj
		test	esi, esi
		jz	loc_7EA908
		mov	ecx, esi
		call	SepFreeCapturedTokenSecurityAttributesInformation
		jmp	loc_7EA908
; END OF FUNCTION CHUNK	FOR SepCaptureTokenSecurityAttributesAndOperationsInformation

;  S U B	R O U T	I N E 


sub_90EE19	proc near		; DATA XREF: .text:006A4FECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90EE19	endp


;  S U B	R O U T	I N E 


sub_90EE27	proc near		; DATA XREF: .text:006A4FF0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-34h]
		jmp	loc_7EA90A
sub_90EE27	endp

; 
; START	OF FUNCTION CHUNK FOR SepCaptureTokenSecurityAttributesInformation

loc_90EE39:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+3Ej
		mov	eax, 0C00000BBh
		jmp	loc_7EAC0C
; 

loc_90EE43:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+118j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_90EE51:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+59j
		mov	eax, 0C000009Ah
		jmp	loc_7EAC0C
; 

loc_90EE5B:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+64j
					; SepCaptureTokenSecurityAttributesInformation+6Ej ...
		mov	[ebp+var_19], 1
		jmp	loc_7EA9A5
; 

loc_90EE64:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+A7j
					; SepCaptureTokenSecurityAttributesInformation+AFj
		mov	[eax], bl
		jmp	loc_7EA9DD
; 

loc_90EE6B:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+CBj
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	loc_7EAC0C
; 

loc_90EE7E:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+F2j
		push	ebx
		mov	eax, [ebp+var_24]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7EAC0A
; 

loc_90EE94:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+146j
					; SepCaptureTokenSecurityAttributesInformation+14Fj
		mov	edx, [ebp+var_54]
		mov	[edx], bl
		jmp	loc_7EAA7D
; 

loc_90EE9E:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+18Bj
		mov	esi, 0C000000Dh
		mov	[ebp+var_28], esi
		mov	eax, ebx
		mov	[ebp+var_30], eax
		mov	[ebp+var_34], eax
		jmp	short loc_90EF25
; 

loc_90EEB0:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+1A8j
		mov	esi, 0C000009Ah
		jmp	short loc_90EF22
; 

loc_90EEB7:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+207j
		mov	eax, [ebp+var_64]

loc_90EEBA:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+1F2j
		mov	[eax], bl
		movzx	eax, word ptr [ecx+edi]
		jmp	loc_7EAB35
; 

loc_90EEC5:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+3C6j
		cmp	dx, word ptr [ebp+var_60]
		jz	short loc_90EEF7
		cmp	edx, 5
		jz	short loc_90EEE1
		cmp	edx, 6
		jz	loc_7EAC95
		push	10h
		pop	edx
		cmp	si, dx
		jnz	short loc_90EF0D

loc_90EEE1:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+1245A6j
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, [eax+edi+14h]
		call	_SepCaptureOctetStringArray@16 ; SepCaptureOctetStringArray(x,x,x,x)
		jmp	loc_7EACA6
; 

loc_90EEF7:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+1245A1j
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, [eax+edi+14h]
		call	_SepCaptureFqbnArray@16	; SepCaptureFqbnArray(x,x,x,x)
		jmp	loc_7EACA6
; 

loc_90EF0D:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+361j
					; SepCaptureTokenSecurityAttributesInformation+1245B7j
		mov	esi, 0C00000BBh
		mov	[ebp+var_20], esi
		mov	[ebp+var_28], esi
		jmp	loc_7EACBF
; 

loc_90EF1D:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+267j
					; SepCaptureTokenSecurityAttributesInformation+28Aj
		mov	esi, 0C000000Dh

loc_90EF22:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+12458Dj
		mov	[ebp+var_28], esi

loc_90EF25:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+124586j
		mov	[ebp+var_20], esi
		jmp	loc_7EABB8
; END OF FUNCTION CHUNK	FOR SepCaptureTokenSecurityAttributesInformation

;  S U B	R O U T	I N E 


sub_90EF2D	proc near		; DATA XREF: .text:006A500Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-68h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90EF2D	endp


;  S U B	R O U T	I N E 


sub_90EF3B	proc near		; DATA XREF: .text:006A5010o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-68h]
		mov	[ebp-20h], esi
		mov	[ebp-28h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, [ebp-58h]
		mov	[ebp-38h], edi
		mov	ecx, [ebp-34h]
		mov	[ebp-30h], ecx
		jmp	loc_7EABBF
sub_90EF3B	endp

; 
; START	OF FUNCTION CHUNK FOR SepCaptureTokenSecurityAttributesInformation

loc_90EF61:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+335j
		mov	esi, 0C000000Dh
		mov	[ebp+var_20], esi
		jmp	loc_7EAC63
; 

loc_90EF6E:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+352j
		mov	esi, 0C000000Dh
		mov	[ebp+var_20], esi
		jmp	loc_7EABF4
; 

loc_90EF7B:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+2D7j
		mov	eax, [ebp+var_38]
		test	eax, eax
		jz	short loc_90EFC9
		mov	edi, ebx
		lea	esi, [eax+4]

loc_90EF87:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+124670j
		cmp	edi, [ebp+var_44]
		jnb	short loc_90EF9A
		push	ebx
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		inc	edi
		add	esi, 18h
		jmp	short loc_90EF87
; 

loc_90EF9A:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+124662j
		mov	eax, ebx
		mov	ecx, [ebp+var_38]
		add	ecx, 14h
		mov	esi, [ebp+var_20]
		mov	edi, ecx

loc_90EFA7:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+124696j
		mov	[ebp+arg_4], eax
		push	ebx
		cmp	eax, [ebp+var_48]
		jnb	short loc_90EFC0
		push	dword ptr [edi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_4]
		inc	eax
		add	edi, 18h
		jmp	short loc_90EFA7
; 

loc_90EFC0:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+124686j
		mov	edi, [ebp+var_38]
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90EFC9:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+124658j
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_90EFD7
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90EFD7:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+1246A6j
		cmp	[ebp+var_2C], 0
		jz	short loc_90EFE6
		push	ebx
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90EFE6:				; CODE XREF: SepCaptureTokenSecurityAttributesInformation+1246B3j
		push	ebx
		mov	eax, [ebp+var_24]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7EAC0A
; END OF FUNCTION CHUNK	FOR SepCaptureTokenSecurityAttributesInformation
; 
; START	OF FUNCTION CHUNK FOR ObpCaptureBoundaryDescriptor

loc_90EFF5:				; CODE XREF: ObpCaptureBoundaryDescriptor+42j
		mov	esi, eax
		jmp	loc_7EAD60
; 

loc_90EFFC:				; CODE XREF: ObpCaptureBoundaryDescriptor+78j
					; ObpCaptureBoundaryDescriptor+80j
		mov	[eax], bl
		jmp	loc_7EAD9E
; 

loc_90F003:				; CODE XREF: ObpCaptureBoundaryDescriptor+5Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		jmp	loc_7EAE8D
; END OF FUNCTION CHUNK	FOR ObpCaptureBoundaryDescriptor

;  S U B	R O U T	I N E 


sub_90F014	proc near		; DATA XREF: .text:006A5054o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
sub_90F014	endp


;  S U B	R O U T	I N E 


sub_90F022	proc near		; DATA XREF: .text:006A5058o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-30h]
		jmp	loc_7EAE8D
sub_90F022	endp

; 
; START	OF FUNCTION CHUNK FOR ObpCaptureBoundaryDescriptor

loc_90F034:				; CODE XREF: ObpCaptureBoundaryDescriptor+30j
		mov	esi, ecx
		lea	edi, [ebp+var_50]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_48]
		jmp	loc_7EADA5
; 

loc_90F045:				; CODE XREF: ObpCaptureBoundaryDescriptor+1BAj
		lea	eax, [ebp+var_20]
		push	eax
		push	1Fh
		push	esi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7EAE6E
		mov	eax, [ebp+var_20]
		push	dword ptr [eax]
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	edx, eax
		mov	[ebp+var_2C], edx
		lea	eax, [edx+7]
		and	eax, 0FFFFFFF8h
		add	eax, 8
		mov	ecx, [ebp+var_24]
		add	ecx, eax
		mov	eax, ebx
		adc	eax, ebx
		jmp	loc_7EAEDD
; 

loc_90F081:				; CODE XREF: ObpCaptureBoundaryDescriptor+D7j
		mov	esi, 0C000009Ah
		jmp	loc_7EAE6E
; 

loc_90F08B:				; CODE XREF: ObpCaptureBoundaryDescriptor+108j
		lea	ecx, [edi+18h]
		add	ecx, esi
		lea	eax, [ecx+7]
		and	eax, 0FFFFFFF8h
		cmp	ecx, eax
		jnz	short loc_90F0CB
		mov	dword ptr [ecx], 2
		mov	edx, [ebp+var_2C]
		lea	eax, [edx+7]
		and	eax, 0FFFFFFF8h
		add	eax, 8
		mov	[ecx+4], eax
		add	esi, eax
		inc	[ebp+var_4C]
		push	edx		; size_t
		mov	eax, [ebp+var_20]
		push	dword ptr [eax]	; void *
		lea	eax, [ecx+8]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_7EAE26
; 

loc_90F0CB:				; CODE XREF: ObpCaptureBoundaryDescriptor+131j
					; ObpCaptureBoundaryDescriptor+124380j
		mov	esi, 0C000000Dh
		jmp	loc_7EAE6E
; END OF FUNCTION CHUNK	FOR ObpCaptureBoundaryDescriptor

;  S U B	R O U T	I N E 


sub_90F0D5	proc near		; DATA XREF: .text:006A5060o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		xor	eax, eax
		cmp	[ebp-1Ah], al
		setnz	al
		retn
sub_90F0D5	endp


;  S U B	R O U T	I N E 


sub_90F0E8	proc near		; DATA XREF: .text:006A5064o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-38h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, [ebp-3Ch]
		jmp	loc_7EAE6E
sub_90F0E8	endp

; 
; START	OF FUNCTION CHUNK FOR ObpCaptureBoundaryDescriptor

loc_90F0FF:				; CODE XREF: ObpCaptureBoundaryDescriptor+B4j
					; ObpCaptureBoundaryDescriptor+BDj
		mov	esi, 0C0000095h
		jmp	loc_7EAE6E
; 

loc_90F109:				; CODE XREF: ObpCaptureBoundaryDescriptor+15Aj
		push	ebx
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7EAE78
; 

loc_90F117:				; CODE XREF: ObpCaptureBoundaryDescriptor+168j
		test	edi, edi
		jz	loc_7EAE8B
		push	534E624Fh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7EAE8B
; END OF FUNCTION CHUNK	FOR ObpCaptureBoundaryDescriptor
; 
; START	OF FUNCTION CHUNK FOR CmpLogHiveFileInaccessible

loc_90F12F:				; CODE XREF: CmpLogHiveFileInaccessible+170j
		mov	eax, [ebp+var_C4]
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_C8], eax
		mov	edx, edi
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_44], esi
		mov	[ebp+var_48], eax
		mov	[ebp+var_40], 4
		mov	[ebp+var_3C], esi
		call	_tlgCreate1Sz_wchar_t
		movzx	eax, byte ptr [ebx+1]
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], esi
		mov	[ebp+var_1C], esi
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_D8], 1000000h
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	6
		push	esi
		push	esi
		push	offset byte_41A88B
		push	offset dword_6B2348
		mov	[ebp+var_D4], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_7EB0B4
; END OF FUNCTION CHUNK	FOR CmpLogHiveFileInaccessible
; 
; START	OF FUNCTION CHUNK FOR LocalConvertSDToStringSD_Rev1

loc_90F1B4:				; CODE XREF: LocalConvertSDToStringSD_Rev1+60j
		lea	eax, [ebp+arg_8+3]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		push	[ebp+arg_4]
		call	_RtlGetOwnerSecurityDescriptor@12 ; RtlGetOwnerSecurityDescriptor(x,x,x)
		test	eax, eax
		jns	loc_7EB174

loc_90F1CC:				; CODE XREF: LocalConvertSDToStringSD_Rev1+71j
					; LocalConvertSDToStringSD_Rev1+92j ...
		push	eax
		call	RtlNtStatusToDosError
		mov	esi, eax
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_90F1E4
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90F1E4:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1240CBj
		mov	eax, esi
		jmp	loc_7EB3ED
; 

loc_90F1EB:				; CODE XREF: LocalConvertSDToStringSD_Rev1+69j
		lea	eax, [ebp+arg_8+3]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		push	[ebp+arg_4]
		call	_RtlGetGroupSecurityDescriptor@12 ; RtlGetGroupSecurityDescriptor(x,x,x)
		jmp	loc_7EB17D
; 

loc_90F200:				; CODE XREF: LocalConvertSDToStringSD_Rev1+B6j
		push	eax
		call	RtlNtStatusToDosError
		jmp	loc_7EB3ED
; 

loc_90F20B:				; CODE XREF: LocalConvertSDToStringSD_Rev1+C3j
		test	esi, esi
		jz	loc_7EB1D7
		push	ebx
		lea	eax, [ebp+var_10]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	_SddlFilterSacl@16 ; SddlFilterSacl(x,x,x,x)
		push	ecx
		mov	ecx, [ebp+var_10]
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_90F238
		mov	eax, 0C0000017h
		jmp	short loc_90F1CC
; 

loc_90F238:				; CODE XREF: LocalConvertSDToStringSD_Rev1+124121j
		push	ebx
		lea	ecx, [ebp+var_10]
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	_SddlFilterSacl@16 ; SddlFilterSacl(x,x,x,x)
		mov	esi, [ebp+var_24]
		jmp	loc_7EB1D7
; 

loc_90F24E:				; CODE XREF: LocalConvertSDToStringSD_Rev1+E8j
		push	1		; size_t
		push	ecx		; int
		push	ecx		; int
		push	ebx		; int
		lea	edx, [ebp+var_18]
		call	_LocalGetStringForSid@24 ; LocalGetStringForSid(x,x,x,x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	loc_7EB3A7
		jmp	loc_7EB1FC
; 

loc_90F26B:				; CODE XREF: LocalConvertSDToStringSD_Rev1+F3j
		push	1		; size_t
		push	ecx		; int
		push	ecx		; int
		push	ebx		; int
		lea	edx, [ebp+var_C]
		call	_LocalGetStringForSid@24 ; LocalGetStringForSid(x,x,x,x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	loc_7EB3A7
		jmp	loc_7EB207
; 

loc_90F288:				; CODE XREF: LocalConvertSDToStringSD_Rev1+13Aj
		push	1
		xor	edx, edx
		lea	ecx, [ebp+var_10]
		push	edx
		push	edx
		push	edx
		push	ecx
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	edx
		mov	dl, al
		mov	ecx, esi
		call	LocalConvertAclToString
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		jnz	loc_7EB3AA
		mov	edi, [ebp+var_10]
		jmp	loc_7EB24E
; 

loc_90F2B6:				; CODE XREF: LocalConvertSDToStringSD_Rev1+17Aj
		lea	edx, [ecx+2]

loc_90F2B9:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1241B4j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_90F2B9
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 4
		jmp	loc_7EB28E
; 

loc_90F2D3:				; CODE XREF: LocalConvertSDToStringSD_Rev1+185j
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_90F2D8:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1241D4j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_14]
		jnz	short loc_90F2D8
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 4
		jmp	loc_7EB299
; 

loc_90F2F3:				; CODE XREF: LocalConvertSDToStringSD_Rev1+18Dj
		xor	ebx, ebx
		jmp	loc_7EB2C4
; 

loc_90F2FA:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1BAj
		mov	eax, [ebp+var_1C]
		add	edi, 4
		test	eax, eax
		jz	loc_7EB2CE
		mov	ecx, eax
		lea	edx, [ecx+2]

loc_90F30D:				; CODE XREF: LocalConvertSDToStringSD_Rev1+124208j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_90F30D
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		jmp	loc_7EB2CE
; 

loc_90F324:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1E5j
		push	eax
		push	3Ah
		push	offset ??_C@_13BNMMGIII@?$AAO@NNGAKEGL@
		push	offset ??_C@_1BE@OCEKOCCF@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAc?$AA?$CF?$AAw?$AAs@NNGAKEGL@
		push	ebx
		push	edx
		call	_swprintf_s
		mov	eax, [ebp+arg_C]
		add	esp, 18h
		mov	edx, [eax]
		mov	esi, edx
		lea	ecx, [esi+2]

loc_90F345:				; CODE XREF: LocalConvertSDToStringSD_Rev1+124241j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, word ptr [ebp+var_14]
		jnz	short loc_90F345
		sub	esi, ecx
		sar	esi, 1
		jmp	loc_7EB2F9
; 

loc_90F35A:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1F0j
		push	ecx
		push	3Ah
		push	offset ??_C@_13NIHIEAGH@?$AAG@NNGAKEGL@
		mov	eax, ebx
		sub	eax, esi
		push	offset ??_C@_1BE@OCEKOCCF@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAc?$AA?$CF?$AAw?$AAs@NNGAKEGL@
		push	eax
		lea	eax, [edx+esi*2]
		push	eax
		call	_swprintf_s
		mov	eax, [ebp+arg_C]
		add	esp, 18h
		mov	edx, [eax]
		lea	ecx, [edx+esi*2]
		lea	eax, [ecx+2]
		mov	[ebp+arg_4], eax

loc_90F386:				; CODE XREF: LocalConvertSDToStringSD_Rev1+124282j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_14]
		jnz	short loc_90F386
		sub	ecx, [ebp+arg_4]
		sar	ecx, 1
		add	esi, ecx
		jmp	loc_7EB304
; 

loc_90F39E:				; CODE XREF: LocalConvertSDToStringSD_Rev1+20Cj
		push	3Ah
		push	offset ??_C@_13MKMNOPIJ@?$AAD@NNGAKEGL@
		push	offset ??_C@_1O@KEANMPML@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAc@NNGAKEGL@
		push	eax
		push	ecx
		call	_swprintf_s
		add	esp, 14h
		jmp	loc_7EB337
; 

loc_90F3B9:				; CODE XREF: LocalConvertSDToStringSD_Rev1+288j
		mov	eax, ebx
		lea	ecx, [edx+esi*2]
		mov	edx, [ebp+var_1C]
		sub	eax, esi
		test	edx, edx
		jz	short loc_90F3E0
		push	edx
		push	3Ah
		push	offset ??_C@_13HADIAKP@?$AAS@NNGAKEGL@
		push	offset ??_C@_1BE@OCEKOCCF@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAc?$AA?$CF?$AAw?$AAs@NNGAKEGL@
		push	eax
		push	ecx
		call	_swprintf_s
		add	esp, 18h
		jmp	short loc_90F3F6
; 

loc_90F3E0:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1242B7j
		push	3Ah
		push	offset ??_C@_13HADIAKP@?$AAS@NNGAKEGL@
		push	offset ??_C@_1O@KEANMPML@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAc@NNGAKEGL@
		push	eax
		push	ecx
		call	_swprintf_s
		add	esp, 14h

loc_90F3F6:				; CODE XREF: LocalConvertSDToStringSD_Rev1+1242D0j
		mov	eax, [ebp+arg_C]
		mov	edx, [eax]
		lea	ecx, [edx+esi*2]
		lea	eax, [ecx+2]
		mov	[ebp+arg_C], eax

loc_90F404:				; CODE XREF: LocalConvertSDToStringSD_Rev1+124300j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_14]
		jnz	short loc_90F404
		sub	ecx, [ebp+arg_C]
		mov	eax, [ebp+var_2C]
		sar	ecx, 1
		add	esi, ecx
		test	eax, eax
		jz	loc_7EB39C
		push	eax
		sub	ebx, esi
		lea	eax, [edx+esi*2]
		push	ebx
		push	eax
		call	_wcscpy_s
		add	esp, 0Ch
		jmp	loc_7EB39C
; END OF FUNCTION CHUNK	FOR LocalConvertSDToStringSD_Rev1
; 
; START	OF FUNCTION CHUNK FOR LocalGetStringForControl

loc_90F437:				; CODE XREF: LocalGetStringForControl+2Cj
					; LocalGetStringForControl+50j
		push	57h

loc_90F439:				; CODE XREF: LocalGetStringForControl+F1j
		pop	eax
		jmp	loc_7EB4D8
; END OF FUNCTION CHUNK	FOR LocalGetStringForControl
; 
; START	OF FUNCTION CHUNK FOR LocalConvertSidToStringSidW

loc_90F43F:				; CODE XREF: LocalConvertSidToStringSidW+3Cj
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, 0C0000017h
		jmp	loc_7EB58B
; END OF FUNCTION CHUNK	FOR LocalConvertSidToStringSidW
; 
; START	OF FUNCTION CHUNK FOR SeQueryMandatoryLabel

loc_90F452:				; CODE XREF: SeQueryMandatoryLabel+3Dj
		test	byte ptr [eax+1], 8
		jnz	loc_7EB5D9
		lea	ebx, [eax+8]
		jmp	loc_7EB5E0
; END OF FUNCTION CHUNK	FOR SeQueryMandatoryLabel
; 
; START	OF FUNCTION CHUNK FOR LocalpGetStringForCondition

loc_90F464:				; CODE XREF: LocalpGetStringForCondition+300j
		cmp	bl, 4
		jbe	loc_7EB90A
		cmp	bl, 18h
		jz	loc_7EB90A

loc_90F476:				; CODE XREF: LocalpGetStringForCondition+104j
					; LocalpGetStringForCondition+10Cj ...
		mov	esi, 538h

loc_90F47B:				; CODE XREF: LocalpGetStringForCondition+123FFBj
					; LocalpGetStringForCondition+124005j
		mov	[ebp+var_408], esi
		jmp	loc_7EB9A9
; 

loc_90F486:				; CODE XREF: LocalpGetStringForCondition+130j
		cmp	edi, 1
		jl	short loc_90F476
		lea	ecx, [ebp+edi*4+var_408]
		jmp	short loc_90F4BC
; 

loc_90F494:				; CODE XREF: LocalpGetStringForCondition+11Ej
					; LocalpGetStringForCondition+127j
		cmp	edi, 2
		jl	short loc_90F476
		lea	ecx, [ebp+edi*4+var_408]
		call	EncloseSubCondition
		mov	esi, eax
		mov	[ebp+var_408], esi
		test	esi, esi
		jnz	loc_7EB9A9
		lea	ecx, [ebp+edi*4+var_40C]

loc_90F4BC:				; CODE XREF: LocalpGetStringForCondition+123E8Ej
		call	EncloseSubCondition
		mov	esi, eax
		mov	[ebp+var_408], esi
		test	esi, esi
		jnz	loc_7EB9A9
		mov	ecx, [ebp+var_414]
		jmp	loc_7EB73A
; 

loc_90F4DC:				; CODE XREF: LocalpGetStringForCondition+183j
		test	edi, edi
		jz	loc_90F60E
		lea	eax, [ebp+edi*4+var_408]
		mov	edx, [eax]
		mov	[ebp+var_42C], eax
		lea	eax, [ebp+var_40C]
		push	eax
		mov	[ebp+var_414], edx
		call	_ULongAddStringSize@12 ; ULongAddStringSize(x,x,x)
		test	eax, eax
		js	loc_90F604
		mov	eax, [ebp+var_40C]
		add	eax, 8
		push	ecx
		mov	ecx, eax
		mov	dword ptr [ebp+var_410], eax
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[ebp+var_40C], eax
		test	eax, eax
		jz	loc_90F5FC
		mov	ecx, [ebp+var_418]
		cmp	bl, 0A2h
		jnz	short loc_90F551
		mov	ebx, [ebp+var_414]
		push	ebx
		push	ds:_Operators[ecx]
		push	offset ??_C@_1BC@DENFCPFO@?$AA?$CI?$AA?$CF?$AAl?$AAs?$AA?$CF?$AAl?$AAs?$AA?$CJ@NNGAKEGL@
		jmp	short loc_90F5C3
; 

loc_90F551:				; CODE XREF: LocalpGetStringForCondition+123F37j
		mov	cl, ds:byte_403FDC[ecx]
		cmp	cl, 87h
		jz	short loc_90F569
		cmp	cl, 8Dh
		jz	short loc_90F569
		mov	ebx, [ebp+var_414]
		jmp	short loc_90F5B1
; 

loc_90F569:				; CODE XREF: LocalpGetStringForCondition+123F56j
					; LocalpGetStringForCondition+123F5Bj
		mov	ebx, [ebp+var_414]
		push	6		; size_t
		push	offset ??_C@_1O@PJNANMOG@?$AA?$EA?$AAU?$AAS?$AAE?$AAR?$AA?4@NNGAKEGL@ ;	wchar_t	*
		push	ebx		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_90F5F5
		push	8		; size_t
		push	offset ??_C@_1BC@BELPDGGJ@?$AA?$EA?$AAD?$AAE?$AAV?$AAI?$AAC?$AAE?$AA?4@NNGAKEGL@ ; wchar_t *
		push	ebx		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_90F5F5
		push	7		; size_t
		push	offset ??_C@_1BA@DDPCKNJI@?$AA?$EA?$AAT?$AAO?$AAK?$AAE?$AAN?$AA?4@NNGAKEGL@ ; wchar_t *
		push	ebx		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_90F5F5
		mov	eax, [ebp+var_40C]

loc_90F5B1:				; CODE XREF: LocalpGetStringForCondition+123F63j
		mov	ecx, [ebp+var_418]
		push	ebx
		push	ds:_Operators[ecx] ; char
		push	offset ??_C@_1BE@KAFBMKIO@?$AA?$CI?$AA?$CF?$AAl?$AAs?$AA?5?$AA?$CF?$AAl?$AAs?$AA?$CJ@NNGAKEGL@ ; wchar_t *

loc_90F5C3:				; CODE XREF: LocalpGetStringForCondition+123F4Bj
		mov	ecx, dword ptr [ebp+var_410]
		shr	ecx, 1
		push	ecx		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 14h
		test	eax, eax
		js	short loc_90F618
		test	ebx, ebx
		jz	short loc_90F5E6
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90F5E6:				; CODE XREF: LocalpGetStringForCondition+123FD7j
		mov	edx, [ebp+var_42C]
		xor	eax, eax
		mov	ecx, eax
		jmp	loc_7EB85D
; 

loc_90F5F5:				; CODE XREF: LocalpGetStringForCondition+123F7Dj
					; LocalpGetStringForCondition+123F91j ...
		mov	esi, 538h
		jmp	short loc_90F61B
; 

loc_90F5FC:				; CODE XREF: LocalpGetStringForCondition+1F7j
					; LocalpGetStringForCondition+123F28j
		push	8
		pop	esi
		jmp	loc_90F47B
; 

loc_90F604:				; CODE XREF: LocalpGetStringForCondition+1A9j
					; LocalpGetStringForCondition+1D2j ...
		mov	esi, 216h
		jmp	loc_90F47B
; 

loc_90F60E:				; CODE XREF: LocalpGetStringForCondition+123EDAj
		mov	esi, 538h
		jmp	loc_7EB97C
; 

loc_90F618:				; CODE XREF: LocalpGetStringForCondition+229j
					; LocalpGetStringForCondition+123FD3j
		push	32h
		pop	esi

loc_90F61B:				; CODE XREF: LocalpGetStringForCondition+123FF6j
		mov	[ebp+var_408], esi

loc_90F621:				; CODE XREF: LocalpGetStringForCondition+2BAj
					; LocalpGetStringForCondition+33Aj
		mov	eax, [ebp+var_40C]
		test	eax, eax
		jz	loc_7EB9A9
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7EB9A9
; 

loc_90F63D:				; CODE XREF: LocalpGetStringForCondition+3A0j
					; LocalpGetStringForCondition+3A9j
		test	esi, esi
		jnz	short loc_90F653
		mov	esi, 538h
		jmp	short loc_90F64D
; 

loc_90F648:				; CODE XREF: LocalpGetStringForCondition+C3j
		mov	esi, 3E9h

loc_90F64D:				; CODE XREF: LocalpGetStringForCondition+124042j
		mov	[ebp+var_408], esi

loc_90F653:				; CODE XREF: LocalpGetStringForCondition+12403Bj
		xor	esi, esi

loc_90F655:				; CODE XREF: LocalpGetStringForCondition+124066j
		mov	eax, [ebp+edi*4+var_408]
		dec	edi
		test	eax, eax
		jz	short loc_90F668
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90F668:				; CODE XREF: LocalpGetStringForCondition+12405Bj
		test	edi, edi
		jnz	short loc_90F655
		mov	esi, [ebp+var_408]
		jmp	loc_7EB97C
; 

loc_90F677:				; CODE XREF: LocalpGetStringForCondition+A2j
					; LocalpGetStringForCondition+AEj
		mov	eax, 325h
		jmp	loc_7EB97E
; END OF FUNCTION CHUNK	FOR LocalpGetStringForCondition
; 
; START	OF FUNCTION CHUNK FOR EncloseSubCondition

loc_90F681:				; CODE XREF: EncloseSubCondition+15j
		push	edi
		push	2
		lea	ecx, [edx+2]
		pop	edi

loc_90F688:				; CODE XREF: EncloseSubCondition+123C98j
		mov	ax, [edx]
		add	edx, edi
		cmp	ax, si
		jnz	short loc_90F688
		sub	edx, ecx
		lea	ecx, [ebp+var_4]
		sar	edx, 1
		mov	eax, edx
		mul	edi
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_90F6CD
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		push	eax
		push	6
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_90F6CD
		push	ecx
		mov	ecx, [ebp+var_4]
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_90F6D4
		push	8
		jmp	short loc_90F6F7
; 

loc_90F6CD:				; CODE XREF: EncloseSubCondition+123CAEj
					; EncloseSubCondition+123CC0j
		mov	esi, 216h
		jmp	short loc_90F709
; 

loc_90F6D4:				; CODE XREF: EncloseSubCondition+123CCFj
		push	dword ptr [ebx]	; char
		mov	eax, [ebp+var_4]
		push	offset ??_C@_1M@OEKLHGCN@?$AA?$CI?$AA?$CF?$AAl?$AAs?$AA?$CJ@NNGAKEGL@ ;	wchar_t	*
		shr	eax, 1
		push	eax		; int
		push	edi		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		test	eax, eax
		jns	short loc_90F6FA
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	32h

loc_90F6F7:				; CODE XREF: EncloseSubCondition+123CD3j
		pop	esi
		jmp	short loc_90F709
; 

loc_90F6FA:				; CODE XREF: EncloseSubCondition+123CF4j
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_90F707
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90F707:				; CODE XREF: EncloseSubCondition+123D06j
		mov	[ebx], edi

loc_90F709:				; CODE XREF: EncloseSubCondition+123CDAj
					; EncloseSubCondition+123D00j
		pop	edi
		jmp	loc_7EBA13
; END OF FUNCTION CHUNK	FOR EncloseSubCondition
; 
; START	OF FUNCTION CHUNK FOR GetPrintableOperandValue

loc_90F70F:				; CODE XREF: GetPrintableOperandValue+86j
		cmp	al, 18h
		jz	loc_90F9AF
		cmp	al, 50h
		jz	loc_90F815
		cmp	al, 51h
		jnz	loc_90F980
		lea	eax, [edx-1]
		cmp	eax, 4
		jb	loc_90F801
		mov	ecx, [edi+1]
		mov	[ebp+var_70], ecx
		mov	dword ptr [ebx], 5
		cmp	ecx, 44h
		ja	loc_90F801
		lea	eax, [edx-5]
		cmp	eax, ecx
		jb	loc_90F801
		push	ecx		; size_t
		lea	eax, [edi+5]
		push	eax		; void *
		lea	eax, [ebp+var_58]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	edx, [ebp+var_68]
		push	[ebp+arg_14]	; size_t
		push	ecx		; int
		push	ecx		; int
		push	[ebp+var_88]	; int
		lea	ecx, [ebp+var_58]
		call	_LocalGetStringForSid@24 ; LocalGetStringForSid(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_7EBB2A
		mov	ecx, dword ptr [ebp+var_68]
		mov	eax, [ebp+var_70]
		add	[ebx], eax
		xor	edi, edi
		push	2
		lea	edx, [ecx+2]
		pop	ebx

loc_90F794:				; CODE XREF: GetPrintableOperandValue+123D82j
		mov	ax, [ecx]
		add	ecx, ebx
		cmp	ax, di
		jnz	short loc_90F794
		lea	eax, [ebp+var_5C]
		sub	ecx, edx
		push	eax
		push	6
		sar	ecx, 1
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_90F80B
		mov	eax, [ebp+var_5C]
		lea	ecx, [ebp+var_5C]
		mul	ebx
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_90F80B
		mov	edi, [ebp+var_5C]
		push	ecx
		mov	ecx, edi
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, [ebp+var_60]
		mov	[ecx], eax
		test	eax, eax
		jz	loc_7EBB50
		push	dword ptr [ebp+var_68] ; char
		shr	edi, 1
		push	offset ??_C@_1BC@CNNNAONL@?$AAS?$AAI?$AAD?$AA?$CI?$AA?$CF?$AAl?$AAs?$AA?$CJ@NNGAKEGL@ ;	wchar_t	*
		push	edi		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		test	eax, eax
		jns	loc_7EBB2A

loc_90F7F9:				; CODE XREF: GetPrintableOperandValue+123F2Ej
					; GetPrintableOperandValue+12413Fj ...
		push	32h

loc_90F7FB:				; CODE XREF: GetPrintableOperandValue+138j
		pop	esi
		jmp	loc_7EBB2A
; 

loc_90F801:				; CODE XREF: GetPrintableOperandValue+92j
					; GetPrintableOperandValue+A9j	...
		mov	esi, 538h
		jmp	loc_7EBB36
; 

loc_90F80B:				; CODE XREF: GetPrintableOperandValue+123D96j
					; GetPrintableOperandValue+123DA9j ...
		mov	esi, 216h
		jmp	loc_7EBB2A
; 

loc_90F815:				; CODE XREF: GetPrintableOperandValue+123CFFj
		lea	eax, [edx-1]
		cmp	eax, 4
		jb	short loc_90F801
		mov	ecx, [edi+1]
		mov	[ebp+var_6C], ecx
		mov	dword ptr [ebx], 5
		test	ecx, ecx
		jz	short loc_90F801
		lea	eax, [edx-5]
		cmp	eax, ecx
		jb	short loc_90F801
		push	6
		pop	eax
		push	ecx
		mov	ecx, eax
		mov	[ebp+var_5C], eax
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, [ebp+var_60]
		mov	[ecx], eax
		test	eax, eax
		jz	loc_7EBB50
		push	7Bh
		pop	edx
		mov	[eax], dx
		xor	eax, eax
		mov	edx, [ebx]
		mov	[ebp+var_70], edx
		mov	[ebp+var_78], eax
		cmp	[ebp+var_6C], eax
		jbe	loc_90F98A
		lea	ecx, [edi+edx]
		mov	edi, [ebp+var_80]
		mov	[ebp+var_7C], ecx

loc_90F871:				; CODE XREF: GetPrintableOperandValue+123F59j
		add	ecx, eax
		cmp	byte ptr [ecx],	50h
		jz	loc_90F97E
		push	[ebp+arg_14]
		lea	edx, [ebp+var_68]
		push	[ebp+var_8C]
		push	[ebp+var_90]
		push	[ebp+var_88]
		push	ebx
		push	edx
		mov	edx, edi
		sub	edx, eax
		sub	edx, [ebp+var_70]
		call	GetPrintableOperandValue
		mov	esi, eax
		test	esi, esi
		jnz	loc_7EBB2A
		mov	eax, [ebp+var_78]
		add	eax, [ebx]
		mov	edx, dword ptr [ebp+var_68]
		mov	ecx, [ebp+var_5C]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_74]
		push	eax
		call	_ULongAddStringSize@12 ; ULongAddStringSize(x,x,x)
		test	eax, eax
		js	loc_90F80B
		mov	ecx, [ebp+var_74]
		lea	eax, [ebp+var_74]
		push	eax
		push	4
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_90F80B
		mov	ecx, [ebp+var_60]
		mov	edx, [ecx]
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[ebp+var_80], eax

loc_90F8EF:				; CODE XREF: GetPrintableOperandValue+123EE2j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_84]
		jnz	short loc_90F8EF
		sub	ecx, [ebp+var_80]
		sar	ecx, 1
		push	ecx		; int
		push	ecx		; int
		push	edx		; void *
		mov	edx, [ebp+var_74]
		add	ecx, ecx
		call	_SddlpReAlloc@20 ; SddlpReAlloc(x,x,x,x,x)
		mov	edx, eax
		mov	eax, [ebp+var_60]
		mov	[eax], edx
		test	edx, edx
		jz	loc_7EBB50
		mov	ecx, [ebp+var_74]
		mov	eax, [ebp+var_5C]
		sub	ecx, eax
		push	dword ptr [ebp+var_68] ; char
		shr	eax, 1
		add	ecx, 4
		add	eax, 0FFFFFFFEh
		shr	ecx, 1
		push	offset ??_C@_1M@DNOAINIG@?$AA?$CF?$AAl?$AAs?$AA?0?$AA?5@NNGAKEGL@ ; wchar_t *
		push	ecx		; int
		lea	eax, [edx+eax*2]
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		test	eax, eax
		js	loc_90F7F9
		cmp	dword ptr [ebp+var_68],	0
		jz	short loc_90F95F
		xor	eax, eax
		push	eax
		push	dword ptr [ebp+var_68]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90F95F:				; CODE XREF: GetPrintableOperandValue+123F38j
		mov	edx, [ebp+var_74]
		xor	eax, eax
		mov	ecx, [ebp+var_7C]
		mov	dword ptr [ebp+var_68],	eax
		mov	eax, [ebp+var_78]
		mov	[ebp+var_5C], edx
		cmp	[ebp+var_6C], eax
		ja	loc_90F871
		mov	ecx, [ebp+var_60]
		jmp	short loc_90F98D
; 

loc_90F97E:				; CODE XREF: GetPrintableOperandValue+123E5Cj
		xor	ecx, ecx

loc_90F980:				; CODE XREF: GetPrintableOperandValue+76j
					; GetPrintableOperandValue+123D07j
		mov	esi, 538h
		jmp	loc_7EBB2C
; 

loc_90F98A:				; CODE XREF: GetPrintableOperandValue+123E48j
		push	6
		pop	edx

loc_90F98D:				; CODE XREF: GetPrintableOperandValue+123F62j
		mov	eax, [ecx]
		shr	edx, 1
		push	7Dh
		pop	edi
		mov	[eax+edx*2-8], di
		mov	eax, [ecx]
		xor	ecx, ecx
		mov	[eax+edx*2-6], cx
		mov	eax, [ebp+var_6C]
		add	eax, [ebp+var_70]
		mov	[ebx], eax
		jmp	loc_7EBB2A
; 

loc_90F9AF:				; CODE XREF: GetPrintableOperandValue+123CF7j
		lea	eax, [edx-1]
		cmp	eax, 4
		jb	loc_90F801
		mov	ecx, [edi+1]
		lea	eax, [edx-5]
		mov	[ebp+var_7C], ecx
		mov	dword ptr [ebx], 5
		cmp	eax, ecx
		jb	loc_90F801
		test	ecx, ecx
		jz	loc_90F801
		push	2
		mov	eax, ecx
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_5C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_7EBB49
		mov	eax, ecx
		mov	ecx, [ebp+var_5C]
		push	eax
		push	2
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_7EBB49
		mov	eax, [ebp+var_5C]
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_5C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_7EBB49
		push	ecx
		mov	ecx, [ebp+var_5C]
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_60]
		mov	[eax], ecx
		test	ecx, ecx
		jz	loc_7EBB50
		mov	esi, [ebp+var_60]
		push	23h
		pop	eax
		mov	[ecx], ax
		xor	eax, eax
		mov	edx, eax
		mov	[ebp+var_6C], eax

loc_90FA4B:				; CODE XREF: GetPrintableOperandValue+124072j
		mov	eax, [ebx]
		lea	ecx, [edi+edx]
		movzx	edx, byte ptr [ecx+eax]
		mov	ecx, [esi]
		mov	eax, edx
		mov	esi, [ebp+var_6C]
		and	edx, 0Fh
		shr	eax, 4
		mov	ax, ds:word_42E340[eax*2]
		mov	[ecx+esi*4+2], ax
		mov	esi, [ebp+var_60]
		mov	ax, ds:word_42E340[edx*2]
		mov	edx, [ebp+var_6C]
		mov	ecx, [esi]
		mov	[ecx+edx*4+4], ax
		inc	edx
		mov	ecx, [ebp+var_7C]
		mov	[ebp+var_6C], edx
		cmp	edx, ecx
		jb	short loc_90FA4B
		mov	edx, [ebp+var_5C]
		mov	eax, esi
		shr	edx, 1
		xor	esi, esi
		mov	eax, [eax]
		mov	[eax+edx*2-2], si
		add	[ebx], ecx
		jmp	loc_7EBB2A
; 

loc_90FAA5:				; CODE XREF: GetPrintableOperandValue+7Ej
		lea	eax, [edx-1]
		cmp	eax, 0Ah
		jb	loc_90F801
		mov	eax, [edi+1]
		mov	[ebp+var_7C], eax
		mov	eax, [edi+5]
		mov	[ebp+var_84], eax
		mov	al, [edi+9]
		push	ecx
		mov	[ebp+var_62], al
		lea	ecx, [ebp+var_5C]
		mov	al, [edi+0Ah]
		push	40h
		mov	[ebp+var_5C], 20h
		mov	[ebp+var_61], al
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_7EBB49
		push	ecx
		mov	ecx, [ebp+var_5C]
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_60]
		mov	[eax], edi
		test	edi, edi
		jz	loc_7EBB50
		mov	cl, [ebp+var_62]
		push	2
		pop	eax
		cmp	cl, 1
		jnz	short loc_90FB0D
		push	2Bh
		jmp	short loc_90FB14
; 

loc_90FB0D:				; CODE XREF: GetPrintableOperandValue+1240EDj
		cmp	cl, 2
		jnz	short loc_90FB1A
		push	2Dh

loc_90FB14:				; CODE XREF: GetPrintableOperandValue+1240F1j
		pop	ecx
		mov	[edi], cx
		add	edi, eax

loc_90FB1A:				; CODE XREF: GetPrintableOperandValue+1240F6j
		mov	cl, [ebp+var_61]
		cmp	cl, 1
		jnz	loc_90FBB3
		push	30h
		pop	ecx
		push	offset ??_C@_1M@NJBLEBAG@?$AA?$CF?$AAI?$AA6?$AA4?$AAo@NNGAKEGL@
		jmp	short loc_90FB40
; 

loc_90FB30:				; CODE XREF: GetPrintableOperandValue+12419Ej
		push	30h
		pop	ecx
		push	78h
		mov	[edi], cx
		add	edi, eax
		pop	ecx
		push	offset ??_C@_1M@BENFCOCA@?$AA?$CF?$AAI?$AA6?$AA4?$AAx@NNGAKEGL@

loc_90FB40:				; CODE XREF: GetPrintableOperandValue+124114j
		mov	[edi], cx
		add	edi, eax
		jmp	short loc_90FB4C
; 

loc_90FB47:				; CODE XREF: GetPrintableOperandValue+12419Cj
		push	offset ??_C@_1M@OGLPPGPN@?$AA?$CF?$AAI?$AA6?$AA4?$AAu@NNGAKEGL@

loc_90FB4C:				; CODE XREF: GetPrintableOperandValue+12412Bj
		push	8
		pop	edx
		lea	ecx, [ebp+var_14]
		call	RtlStringCchCopyW
		test	eax, eax
		js	loc_90F7F9
		mov	edx, [ebp+var_7C]
		mov	eax, edx
		mov	ecx, [ebp+var_84]
		or	eax, ecx
		jnz	short loc_90FB74
		cmp	[ebp+var_61], 1
		jz	short loc_90FBAB

loc_90FB74:				; CODE XREF: GetPrintableOperandValue+124152j
		cmp	[ebp+var_62], 2
		jnz	short loc_90FB83
		neg	edx
		push	0
		pop	eax
		adc	ecx, eax
		neg	ecx

loc_90FB83:				; CODE XREF: GetPrintableOperandValue+12415Ej
		push	ecx
		mov	ecx, [ebp+var_60]
		lea	eax, [ebp+var_14]
		push	edx		; char
		push	eax		; wchar_t *
		mov	eax, edi
		sub	eax, [ecx]
		mov	ecx, [ebp+var_5C]
		sar	eax, 1
		shr	ecx, 1
		sub	ecx, eax
		push	ecx		; int
		push	edi		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 14h
		test	eax, eax
		js	loc_90F7F9

loc_90FBAB:				; CODE XREF: GetPrintableOperandValue+124158j
		add	dword ptr [ebx], 0Ah
		jmp	loc_7EBB2A
; 

loc_90FBB3:				; CODE XREF: GetPrintableOperandValue+124106j
		cmp	cl, 3
		jnz	short loc_90FB47
		jmp	loc_90FB30
; 

loc_90FBBD:				; CODE XREF: GetPrintableOperandValue+116j
		push	ecx
		push	dword ptr [ebp+var_68]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7EBB36
; END OF FUNCTION CHUNK	FOR GetPrintableOperandValue
; 
; START	OF FUNCTION CHUNK FOR GetPrintableAttributeName

loc_90FBCB:				; CODE XREF: GetPrintableAttributeName+4Aj
					; GetPrintableAttributeName+61j
		mov	esi, 538h
		jmp	loc_7EBC62
; 

loc_90FBD5:				; CODE XREF: GetPrintableAttributeName+6Dj
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_C]
		mov	edx, [ebp+var_8]
		push	eax
		lea	ecx, [ecx+5]
		call	_EncodeAttributeName@12	; EncodeAttributeName(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_7EBC57
		mov	ecx, [ebp+var_C]
		lea	edx, [ecx+2]

loc_90FBF7:				; CODE XREF: GetPrintableAttributeName+1240A5j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_18]
		jnz	short loc_90FBF7
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ecx+ecx]
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_10], eax
		push	ecx
		push	2
		pop	edx
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_90FC41
		cmp	bl, 0FBh
		jnz	short loc_90FC4B
		push	10h
		jmp	short loc_90FC2A
; 

loc_90FC28:				; CODE XREF: GetPrintableAttributeName+12410Aj
		push	0Eh

loc_90FC2A:				; CODE XREF: GetPrintableAttributeName+1240CAj
					; GetPrintableAttributeName+1240F6j ...
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		pop	edi
		push	eax
		mov	edx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	loc_7EBBE6

loc_90FC41:				; CODE XREF: GetPrintableAttributeName+1240C1j
		mov	esi, 216h
		jmp	loc_7EBC57
; 

loc_90FC4B:				; CODE XREF: GetPrintableAttributeName+1240C6j
		cmp	bl, 0F9h
		jnz	short loc_90FC54
		push	0Ch
		jmp	short loc_90FC2A
; 

loc_90FC54:				; CODE XREF: GetPrintableAttributeName+1240F2j
		cmp	bl, 0FAh
		jnz	short loc_90FC5D
		push	14h
		jmp	short loc_90FC2A
; 

loc_90FC5D:				; CODE XREF: GetPrintableAttributeName+1240FBj
		cmp	bl, 0FCh
		jnz	loc_7EBBE6
		jmp	short loc_90FC28
; 

loc_90FC68:				; CODE XREF: GetPrintableAttributeName+84j
		mov	esi, 216h
		jmp	loc_7EBC62
; 

loc_90FC72:				; CODE XREF: GetPrintableAttributeName+A3j
		push	edi
		push	offset ??_C@_1BC@BELPDGGJ@?$AA?$EA?$AAD?$AAE?$AAV?$AAI?$AAC?$AAE?$AA?4@NNGAKEGL@
		jmp	short loc_90FC80
; 

loc_90FC7A:				; CODE XREF: GetPrintableAttributeName+B3j
		push	edi		; size_t
		push	offset ??_C@_1BG@ILPAMDME@?$AA?$EA?$AAR?$AAE?$AAS?$AAO?$AAU?$AAR?$AAC?$AAE?$AA?4@NNGAKEGL@ ; "@RESOURCE."

loc_90FC80:				; CODE XREF: GetPrintableAttributeName+12411Cj
					; GetPrintableAttributeName+12414Cj
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_90FC89:				; CODE XREF: GetPrintableAttributeName+C3j
		push	[ebp+var_10]	; size_t
		lea	eax, [ebx+edi]
		push	[ebp+var_C]	; void *
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+arg_8]
		mov	eax, [edx]
		jmp	loc_7EBC43
; 

loc_90FCA2:				; CODE XREF: GetPrintableAttributeName+ABj
		push	edi
		push	offset ??_C@_1O@PJNANMOG@?$AA?$EA?$AAU?$AAS?$AAE?$AAR?$AA?4@NNGAKEGL@
		jmp	short loc_90FC80
; 

loc_90FCAA:				; CODE XREF: GetPrintableAttributeName+BBj
		push	edi		; size_t
		push	offset ??_C@_1BA@DDPCKNJI@?$AA?$EA?$AAT?$AAO?$AAK?$AAE?$AAN?$AA?4@NNGAKEGL@ ; void *
		push	ebx		; void *
		call	_memcpy
		mov	al, byte ptr [ebp+arg_0]
		add	esp, 0Ch
		jmp	loc_7EBC1D
; 

loc_90FCC1:				; CODE XREF: GetPrintableAttributeName+100j
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7EBC62
; END OF FUNCTION CHUNK	FOR GetPrintableAttributeName
; 
; START	OF FUNCTION CHUNK FOR RtlEnumerateBoundaryDescriptorEntries

loc_90FCCF:				; CODE XREF: RtlEnumerateBoundaryDescriptorEntries+6Aj
		sub	eax, 1
		jnz	loc_7EBD42
		inc	edx
		mov	[ebp+var_10], edx
		cmp	edx, 1
		jbe	loc_7EBCE6
		mov	eax, 0C000022Ah
		jmp	loc_7EBD3B
; END OF FUNCTION CHUNK	FOR RtlEnumerateBoundaryDescriptorEntries
; 
; START	OF FUNCTION CHUNK FOR LocalConvertAclToString

loc_90FCEF:				; CODE XREF: LocalConvertAclToString+42j
		mov	[esi], ecx
		mov	[ebx], ecx
		jmp	short loc_90FD01
; 

loc_90FCF5:				; CODE XREF: LocalConvertAclToString+123FA1j
		push	9
		pop	ecx
		mov	esi, offset ??_C@_1CE@KMLBPDC@?$AAN?$AAO?$AA_?$AAA?$AAC?$AAC?$AAE?$AAS?$AAS?$AA_?$AAC?$AAO?$AAN?$AAT?$AAR@NNGAKEGL@
		mov	edi, eax
		rep movsd

loc_90FD01:				; CODE XREF: LocalConvertAclToString+123F7Bj
		xor	eax, eax
		jmp	loc_7EC2ED
; 

loc_90FD08:				; CODE XREF: LocalConvertAclToString+4Aj
		push	24h
		mov	[esi], ecx
		pop	ecx
		push	ecx
		mov	[ebx], ecx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jnz	short loc_90FCF5
		push	8
		pop	eax
		xor	ecx, ecx
		jmp	short loc_90FD26
; 

loc_90FD22:				; CODE XREF: LocalConvertAclToString+57j
		mov	[esi], ecx
		mov	eax, ecx

loc_90FD26:				; CODE XREF: LocalConvertAclToString+123FA8j
		mov	[ebx], ecx
		jmp	loc_7EC2ED
; 

loc_90FD2D:				; CODE XREF: LocalConvertAclToString+8Ej
		xor	eax, eax
		push	eax
		push	ebx

loc_90FD31:				; CODE XREF: LocalConvertAclToString+123FD2j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90FD36:				; CODE XREF: LocalConvertAclToString+79j
		push	8
		jmp	loc_90FFD3
; 

loc_90FD3D:				; CODE XREF: LocalConvertAclToString+A8j
		xor	esi, esi
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	[ebp+var_30]
		jmp	short loc_90FD31
; 

loc_90FD4C:				; CODE XREF: LocalConvertAclToString+146j
					; DATA XREF: PAGE:007EC438o
		mov	edx, [ebx+8]
		mov	ecx, edx
		mov	eax, [ebx+4]
		and	ecx, 1
		and	edx, 2
		mov	[ebp+var_10], eax
		mov	esi, ecx
		lea	eax, [ebx+0Ch]
		shl	esi, 4
		mov	edi, edx
		neg	edi
		sbb	edi, edi
		and	edi, 10h
		add	edi, 0Ch
		add	edi, esi
		add	edi, ebx
		neg	ecx
		mov	[ebp+var_20], edi
		sbb	ecx, ecx
		test	ecx, eax
		mov	ecx, [ebp+var_4]
		jz	short loc_90FD89
		add	ecx, 48h
		mov	[ebp+var_24], ecx

loc_90FD89:				; CODE XREF: LocalConvertAclToString+124009j
		test	edx, edx
		jz	short loc_90FD94
		lea	eax, [esi+0Ch]
		add	eax, ebx
		jmp	short loc_90FD96
; 

loc_90FD94:				; CODE XREF: LocalConvertAclToString+124013j
		xor	eax, eax

loc_90FD96:				; CODE XREF: LocalConvertAclToString+12401Aj
		test	eax, eax
		jz	loc_7EBED1
		lea	eax, [ecx+48h]
		mov	[ebp+var_24], eax
		jmp	loc_7EBED1
; 

loc_90FDA9:				; CODE XREF: LocalConvertAclToString+1A6j
		push	4
		pop	eax
		jmp	loc_7EBF27
; 

loc_90FDB1:				; CODE XREF: LocalConvertAclToString+1E0j
		push	4
		pop	eax
		jmp	loc_7EBF61
; 

loc_90FDB9:				; CODE XREF: LocalConvertAclToString+1D8j
		mov	esi, [ebp+var_28]
		jmp	loc_7EBFCD
; 

loc_90FDC1:				; CODE XREF: LocalConvertAclToString+61Fj
		push	ecx
		push	6
		pop	ecx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	short loc_90FDE5
		push	offset ??_C@_15OHIPBLFN@?$AAS?$AAA@NNGAKEGL@
		push	3
		push	eax
		call	_wcscpy_s
		add	esp, 0Ch
		jmp	loc_7EC3AE
; 

loc_90FDE5:				; CODE XREF: LocalConvertAclToString+124056j
		push	8
		pop	eax
		jmp	short loc_90FE09
; 

loc_90FDEA:				; CODE XREF: LocalConvertAclToString+630j
		push	eax
		call	RtlNtStatusToDosError
		jmp	short loc_90FE09
; 

loc_90FDF2:				; CODE XREF: LocalConvertAclToString+190j
		mov	edx, [ebp+var_24]
		mov	[ebp+var_4], edx
		jmp	loc_7EC044
; 

loc_90FDFD:				; CODE XREF: LocalConvertAclToString+139j
					; LocalConvertAclToString+146j
					; DATA XREF: ...
		mov	eax, 538h
		jmp	short loc_90FE0C
; 

loc_90FE04:				; CODE XREF: LocalConvertAclToString+EDj
		mov	eax, 538h

loc_90FE09:				; CODE XREF: LocalConvertAclToString+124070j
					; LocalConvertAclToString+124078j
		mov	edx, [ebp+var_4]

loc_90FE0C:				; CODE XREF: LocalConvertAclToString+12408Aj
		mov	[ebp+arg_0], eax
		jmp	loc_7EC044
; 

loc_90FE14:				; CODE XREF: LocalConvertAclToString+C2j
		mov	edx, [ebp+var_4]
		jmp	short loc_90FE1C
; 

loc_90FE19:				; CODE XREF: LocalConvertAclToString+2CEj
		mov	esi, [ebp+arg_4]

loc_90FE1C:				; CODE XREF: LocalConvertAclToString+12409Fj
		mov	eax, 538h
		mov	[ebp+arg_0], eax
		jmp	loc_7EC04F
; 

loc_90FE29:				; CODE XREF: LocalConvertAclToString+2E2j
		inc	edx
		mov	[ebp+var_4], edx
		jmp	loc_7EC060
; 

loc_90FE32:				; CODE XREF: LocalConvertAclToString+2F9j
		push	8
		pop	edi
		mov	[ebp+arg_0], edi
		jmp	loc_7EC28D
; 

loc_90FE3D:				; CODE XREF: LocalConvertAclToString+3B5j
					; DATA XREF: PAGE:007EC45Co
		mov	eax, [ecx+4]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+8]
		mov	edx, eax
		and	edx, 1
		and	eax, 2
		mov	ecx, edx
		mov	ebx, eax
		shl	ecx, 4
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 10h
		add	ebx, 0Ch
		add	ebx, ecx
		add	ebx, [ebp+var_C]
		mov	[ebp+var_20], ebx
		mov	ebx, [ebp+var_C]
		test	eax, eax
		jz	short loc_90FE7A
		lea	eax, [ebx+0Ch]
		add	eax, ecx
		mov	[ebp+var_34], eax
		xor	eax, eax
		jmp	short loc_90FE7F
; 

loc_90FE7A:				; CODE XREF: LocalConvertAclToString+1240F4j
		xor	eax, eax
		mov	[ebp+var_34], eax

loc_90FE7F:				; CODE XREF: LocalConvertAclToString+124100j
		test	edx, edx
		jz	short loc_90FE8E
		lea	eax, [ebx+0Ch]
		mov	[ebp+var_38], eax
		jmp	loc_7EC140
; 

loc_90FE8E:				; CODE XREF: LocalConvertAclToString+124109j
		mov	[ebp+var_38], eax
		jmp	loc_7EC142
; 

loc_90FE96:				; CODE XREF: LocalConvertAclToString+5E4j
		push	4
		pop	eax
		jmp	loc_7EC365
; 

loc_90FE9E:				; CODE XREF: LocalConvertAclToString+5DBj
		xor	eax, eax
		mov	[ebp+var_3C], eax

loc_90FEA3:				; CODE XREF: LocalConvertAclToString+124173j
		xor	edx, edx
		mov	ecx, eax
		inc	edx
		shl	edx, cl
		and	edx, [ebp+var_10]
		jz	short loc_90FEE4
		cmp	byte ptr [ebx],	11h
		jnz	short loc_90FEB9
		push	4
		pop	eax
		jmp	short loc_90FEBC
; 

loc_90FEB9:				; CODE XREF: LocalConvertAclToString+12413Aj
		mov	eax, [ebp+var_18]

loc_90FEBC:				; CODE XREF: LocalConvertAclToString+12413Fj
		push	eax
		xor	ecx, ecx
		call	_LookupAccessMaskInTable@12 ; LookupAccessMaskInTable(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_90FEDE
		push	dword ptr [ebx]
		push	esi
		push	edi
		call	_wcscpy_s
		mov	eax, [ebx+4]
		add	esp, 0Ch
		sub	esi, eax
		lea	edi, [edi+eax*2]

loc_90FEDE:				; CODE XREF: LocalConvertAclToString+124150j
		mov	ebx, [ebp+var_C]
		mov	eax, [ebp+var_3C]

loc_90FEE4:				; CODE XREF: LocalConvertAclToString+124135j
		inc	eax
		mov	[ebp+var_3C], eax
		cmp	eax, 20h
		jb	short loc_90FEA3
		jmp	loc_7EC1CF
; 

loc_90FEF2:				; CODE XREF: LocalConvertAclToString+46Ej
		lea	edx, [ebp+var_14]
		mov	ecx, eax
		call	_SddlpUuidToString@8 ; SddlpUuidToString(x,x)
		test	eax, eax
		jz	loc_7EC287
		mov	ebx, [ebp+var_14]
		xor	edx, edx
		lea	ecx, [ebx+2]

loc_90FF0C:				; CODE XREF: LocalConvertAclToString+12419Dj
		mov	ax, [ebx]
		add	ebx, 2
		cmp	ax, dx
		jnz	short loc_90FF0C
		push	[ebp+var_14]
		sub	ebx, ecx
		push	esi
		push	edi
		sar	ebx, 1
		call	_wcscpy_s
		add	esp, 0Ch
		lea	edi, [edi+ebx*2]
		sub	esi, ebx
		cmp	[ebp+var_14], 0
		jz	short loc_90FF3E
		xor	eax, eax
		push	eax
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90FF3E:				; CODE XREF: LocalConvertAclToString+1241B9j
		push	3Bh
		pop	ecx
		jmp	loc_7EC1EC
; 

loc_90FF46:				; CODE XREF: LocalConvertAclToString+488j
		lea	edx, [ebp+var_14]
		mov	ecx, eax
		call	_SddlpUuidToString@8 ; SddlpUuidToString(x,x)
		test	eax, eax
		jz	loc_7EC287
		mov	ebx, [ebp+var_14]
		xor	edx, edx
		lea	ecx, [ebx+2]

loc_90FF60:				; CODE XREF: LocalConvertAclToString+1241F1j
		mov	ax, [ebx]
		add	ebx, 2
		cmp	ax, dx
		jnz	short loc_90FF60
		push	[ebp+var_14]
		sub	ebx, ecx
		push	esi
		push	edi
		sar	ebx, 1
		call	_wcscpy_s
		add	esp, 0Ch
		lea	edi, [edi+ebx*2]
		sub	esi, ebx
		cmp	[ebp+var_14], 0
		jz	short loc_90FF92
		xor	eax, eax
		push	eax
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90FF92:				; CODE XREF: LocalConvertAclToString+12420Dj
		push	3Bh
		pop	ecx
		jmp	loc_7EC206
; 

loc_90FF9A:				; CODE XREF: LocalConvertAclToString+326j
					; LocalConvertAclToString+35Fj	...
		mov	ebx, [ebp+var_8]
		mov	edi, 538h
		mov	[ebp+arg_0], edi
		jmp	loc_7EC28D
; 

loc_90FFAA:				; CODE XREF: LocalConvertAclToString+55Dj
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7EC2DB
; 

loc_90FFB6:				; CODE XREF: LocalConvertAclToString+565j
		mov	esi, [ebp+arg_4]
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_90FFC8
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_90FFC8:				; CODE XREF: LocalConvertAclToString+124245j
		xor	eax, eax
		mov	[esi], eax
		jmp	loc_7EC2E6
; 

loc_90FFD1:				; CODE XREF: LocalConvertAclToString+2Fj
					; LocalConvertAclToString+3Aj
		push	57h

loc_90FFD3:				; CODE XREF: LocalConvertAclToString+123FC0j
		pop	eax
		jmp	loc_7EC2ED
; END OF FUNCTION CHUNK	FOR LocalConvertAclToString
; 
; START	OF FUNCTION CHUNK FOR LocalGetAceCondition

loc_90FFD9:				; CODE XREF: LocalGetAceCondition+3Fj
					; LocalGetAceCondition+56j
		mov	esi, [edi+8]
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		movzx	edi, word ptr [edi+2]
		mov	ecx, esi
		and	ecx, 1
		and	esi, 2
		shl	ecx, 4
		sub	edi, ecx
		shl	esi, 3
		sub	edi, esi
		mov	esi, [ebp+var_4]
		sub	edi, eax
		sub	edi, 0Ch
		jmp	loc_7EC54D
; 

loc_910005:				; CODE XREF: LocalGetAceCondition+85j
		push	ebx		; int
		push	[ebp+arg_18]	; size_t
		lea	ecx, [eax+esi]
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		call	_LocalGetStringForRelativeAttribute@28 ; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)
		jmp	loc_7EC583
; END OF FUNCTION CHUNK	FOR LocalGetAceCondition
; 
; START	OF FUNCTION CHUNK FOR LookupAceFlagsInTable

loc_91001F:				; CODE XREF: LookupAceFlagsInTable+32j
		mov	edx, dword_6B1FA4[esi]
		mov	eax, edi
		mov	[ebp+var_8], edx

loc_91002A:				; CODE XREF: LookupAceFlagsInTable+123A92j
		mov	edx, [ebp+var_8]
		mov	cl, [ebp+arg_4]
		cmp	[edx+eax], cl
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_4]
		jz	loc_7EC5E8
		inc	eax
		cmp	eax, ecx
		jb	short loc_91002A
		jmp	loc_7EC5F7
; END OF FUNCTION CHUNK	FOR LookupAceFlagsInTable
; 
; START	OF FUNCTION CHUNK FOR LookupSidInTable

loc_910049:				; CODE XREF: LookupSidInTable+23j
		xor	eax, eax
		jmp	loc_7EC758
; 

loc_910050:				; CODE XREF: LookupSidInTable+61j
					; LookupSidInTable+6Cj	...
		mov	[ebp+var_8], 1
		cmp	eax, 206h
		jnz	loc_7EC721
		mov	[ebp+var_C], 1
		jmp	loc_7EC721
; 

loc_91006E:				; CODE XREF: LookupSidInTable+111j
		mov	[ebp+var_C], 1
		jmp	loc_7EC7D3
; 

loc_91007A:				; CODE XREF: LookupSidInTable+DCj
		cmp	byte ptr [ebp+arg_C], bl
		jz	loc_7EC73C
		cmp	[ebp+arg_0], ebx
		jnz	loc_7EC73C
		cmp	byte_6B3FF8[esi], bl
		jz	loc_7EC73C
		cmp	dword_6B4008[esi], ebx
		jz	loc_7EC73C
		push	dword_6B4004[esi] ; size_t
		lea	eax, off_6B3FFA[esi]
		push	eax		; wchar_t *
		push	offset ??_C@_15PJFMCJHO@?$AAD?$AAA@NNGAKEGL@ ; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7EC73C
		mov	[ebp+var_10], edi
		jmp	loc_7EC73C
; 

loc_9100CE:				; CODE XREF: LookupSidInTable+E6j
		cmp	byte ptr [ebp+arg_C], bl
		jz	loc_7EC756
		cmp	[ebp+arg_0], ebx
		jnz	loc_7EC756
		mov	eax, [ebp+var_10]
		cmp	eax, 3Fh
		jnb	loc_7EC756
		cmp	[ebp+var_C], ebx
		jz	short loc_91016B
		cmp	[ebp+var_1], bl
		jz	short loc_910103
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+var_14]
		mov	[ecx], eax
		jmp	loc_7EC756
; 

loc_910103:				; CODE XREF: LookupSidInTable+123A50j
		imul	edi, eax, 64h
		mov	eax, dword_6B4008[edi]
		test	eax, eax
		jz	loc_7EC756
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	ecx
		mov	[ebp+arg_C], eax
		lea	ecx, [eax+1]
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	esi, eax
		mov	eax, [ebp+arg_10]
		mov	[eax], esi
		test	esi, esi
		jz	loc_7EC756
		push	[ebp+arg_C]	; size_t
		lfence	eax
		push	dword_6B4008[edi] ; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	dword_6B4008[edi]
		call	_RtlSubAuthorityCountSid@4 ; RtlSubAuthorityCountSid(x)
		movzx	eax, byte ptr [eax]
		dec	eax
		push	eax
		push	esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 206h
		jmp	loc_7EC756
; 

loc_91016B:				; CODE XREF: LookupSidInTable+123A4Bj
		imul	ebx, eax, 64h
		jmp	loc_7EC750
; END OF FUNCTION CHUNK	FOR LookupSidInTable
; 
; START	OF FUNCTION CHUNK FOR CmpQueryFileSecurityDescriptor

loc_910173:				; CODE XREF: CmpQueryFileSecurityDescriptor+5Bj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		jmp	loc_7EC9E5
; 

loc_910182:				; CODE XREF: CmpQueryFileSecurityDescriptor+2Cj
		test	esi, esi
		jnz	loc_7EC9E5
		mov	esi, 0C0000001h
		jmp	loc_7EC9E5
; END OF FUNCTION CHUNK	FOR CmpQueryFileSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR ObpVerifyAccessToBoundaryEntry

loc_910194:				; CODE XREF: ObpVerifyAccessToBoundaryEntry+17Cj
		mov	dword ptr [ebx+18h], 0C0000022h
		jmp	loc_7ECB32
; 

loc_9101A0:				; CODE XREF: ObpVerifyAccessToBoundaryEntry+187j
		mov	dword ptr [ebx+18h], 0C000000Dh
		jmp	loc_7ECB32
; 

loc_9101AC:				; CODE XREF: ObpVerifyAccessToBoundaryEntry+141j
		push	esi		; int
		push	54h		; size_t
		lea	eax, [esp+130h+var_100]
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	7
		push	ecx
		push	edi
		xor	edi, edi
		lea	ecx, [esp+134h+var_100]
		push	edi
		call	RtlAddMandatoryAce
		xor	esi, esi
		lea	eax, [esp+128h+var_114]
		inc	esi
		push	esi
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		jmp	loc_7ECAE3
; 

loc_9101DC:				; CODE XREF: ObpVerifyAccessToBoundaryEntry+14Cj
		mov	dword ptr [ebx+18h], 0C00000E5h
		jmp	loc_7ECB32
; END OF FUNCTION CHUNK	FOR ObpVerifyAccessToBoundaryEntry
; 
; START	OF FUNCTION CHUNK FOR RtlAddMandatoryAce

loc_9101E8:				; CODE XREF: RtlAddMandatoryAce+38j
		mov	eax, 0C0000078h
		jmp	loc_7ECD7C
; 

loc_9101F2:				; CODE XREF: RtlAddMandatoryAce+5Dj
		mov	eax, 0C0000059h
		jmp	loc_7ECD7C
; 

loc_9101FC:				; CODE XREF: RtlAddMandatoryAce+52j
					; RtlAddMandatoryAce+71j ...
		mov	eax, 0C000000Dh
		jmp	loc_7ECD7C
; END OF FUNCTION CHUNK	FOR RtlAddMandatoryAce
; 
; START	OF FUNCTION CHUNK FOR NtCreateLowBoxToken

loc_910206:				; CODE XREF: NtCreateLowBoxToken+64j
		mov	ecx, eax
		jmp	loc_7ECF10
; 

loc_91020D:				; CODE XREF: NtCreateLowBoxToken+8Fj
					; NtCreateLowBoxToken+97j
		xor	ecx, ecx
		mov	[eax], cl
		jmp	loc_7ECF45
; END OF FUNCTION CHUNK	FOR NtCreateLowBoxToken

;  S U B	R O U T	I N E 


sub_910216	proc near		; DATA XREF: .text:006A507Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_910216	endp


;  S U B	R O U T	I N E 


sub_910224	proc near		; DATA XREF: .text:006A5080o

; FUNCTION CHUNK AT 009102FD SIZE 0000000F BYTES

		mov	eax, [ebp-40h]
		jmp	loc_9102FD
sub_910224	endp

; 
; START	OF FUNCTION CHUNK FOR NtCreateLowBoxToken

loc_91022C:				; CODE XREF: NtCreateLowBoxToken+AAj
		mov	eax, 0C000000Dh
		jmp	loc_7ED2B3
; 

loc_910236:				; CODE XREF: NtCreateLowBoxToken+B4j
		cmp	dword ptr [ebp+arg_20],	0
		jnz	short loc_91024B
		cmp	[ebp+arg_1C], 0
		jz	loc_7ECF6A
		jmp	loc_7ECF60
; 

loc_91024B:				; CODE XREF: NtCreateLowBoxToken+BEj
					; NtCreateLowBoxToken+123394j
		mov	eax, 0C0000030h
		jmp	loc_7ED2B3
; 

loc_910255:				; CODE XREF: NtCreateLowBoxToken+42Cj
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, 0C00000A5h
		jmp	loc_7ED2B3
; 

loc_910266:				; CODE XREF: NtCreateLowBoxToken+12Dj
		mov	eax, [ebp+var_5C]
		mov	[ebp+arg_8], eax
		jmp	loc_7ECFD9
; 

loc_910271:				; CODE XREF: NtCreateLowBoxToken+17Fj
					; NtCreateLowBoxToken+1A4j ...
		mov	esi, 0C000000Dh

loc_910276:				; CODE XREF: NtCreateLowBoxToken+157j
					; NtCreateLowBoxToken+170j ...
		mov	bl, [ebp+var_19]
		jmp	loc_7ED24C
; 

loc_91027E:				; CODE XREF: NtCreateLowBoxToken+439j
		mov	esi, 0C000A202h
		jmp	short loc_910276
; 

loc_910285:				; CODE XREF: NtCreateLowBoxToken+45Cj
		mov	esi, 0C0000022h
		jmp	short loc_910276
; 

loc_91028C:				; CODE XREF: NtCreateLowBoxToken+268j
		mov	esi, 0C0000446h
		jmp	loc_7ED16B
; 

loc_910296:				; CODE XREF: NtCreateLowBoxToken+3AAj
		test	esi, esi
		js	short loc_9102A5
		mov	ecx, [ebp+var_20]
		lea	ecx, [ecx+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)

loc_9102A5:				; CODE XREF: NtCreateLowBoxToken+1233F2j
		and	[ebp+var_54], 0
		xor	ecx, ecx
		lea	eax, [ebp+var_54]
		lock or	[eax], ecx
		mov	ecx, [ebp+var_20]
		mov	ecx, [ecx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_7ED256
; 

loc_9102C6:				; CODE XREF: NtCreateLowBoxToken+3B2j
		test	bl, bl
		jz	short loc_9102D2
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject

loc_9102D2:				; CODE XREF: NtCreateLowBoxToken+123422j
		cmp	[ebp+var_34], 0
		jz	loc_7ED25E
		push	[ebp+var_28]
		push	[ebp+var_34]
		call	ObCloseHandle
		jmp	loc_7ED25E
; END OF FUNCTION CHUNK	FOR NtCreateLowBoxToken

;  S U B	R O U T	I N E 


sub_9102EC	proc near		; DATA XREF: .text:006A5088o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-58h], eax
		xor	eax, eax
		inc	eax
		retn
sub_9102EC	endp


;  S U B	R O U T	I N E 


sub_9102FA	proc near		; DATA XREF: .text:006A508Co
		mov	eax, [ebp-58h]
sub_9102FA	endp

; START	OF FUNCTION CHUNK FOR sub_910224

loc_9102FD:				; CODE XREF: sub_910224+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7ED2B3
; END OF FUNCTION CHUNK	FOR sub_910224

;  S U B	R O U T	I N E 


sub_91030C	proc near		; DATA XREF: .text:006A50A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_91030C	endp


;  S U B	R O U T	I N E 


sub_91031A	proc near		; DATA XREF: .text:006A50A8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-24h]
		jmp	loc_7ED3AE
sub_91031A	endp

; 
; START	OF FUNCTION CHUNK FOR SepCaptureInt64Array

loc_910325:				; CODE XREF: SepCaptureInt64Array+73j
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7ED3C5
; END OF FUNCTION CHUNK	FOR SepCaptureInt64Array
; 
; START	OF FUNCTION CHUNK FOR RtlGetAppContainerSidType

loc_910334:				; CODE XREF: RtlGetAppContainerSidType+50j
		mov	dword ptr [eax], 3

loc_91033A:				; CODE XREF: RtlGetAppContainerSidType+64j
		mov	eax, 0C000A200h
		jmp	loc_7ED436
; END OF FUNCTION CHUNK	FOR RtlGetAppContainerSidType
; 
; START	OF FUNCTION CHUNK FOR SepHasCriticalAcesRemoved

loc_910344:				; CODE XREF: SepHasCriticalAcesRemoved+148j
		cmp	word ptr [ebp+var_20], 0
		jz	loc_7ED571
		cmp	word ptr [ebp+var_24], 0
		jz	loc_7ED571
		mov	byte ptr [edi],	1
		jmp	loc_7ED571
; END OF FUNCTION CHUNK	FOR SepHasCriticalAcesRemoved
; 
; START	OF FUNCTION CHUNK FOR RawFileSystemControl

loc_910362:				; CODE XREF: RawFileSystemControl+1Ej
		sub	eax, 1
		jz	short loc_910371
		mov	esi, 0C0000010h
		jmp	loc_7EDF53
; 

loc_910371:				; CODE XREF: RawFileSystemControl+12243Dj
		call	_RawVerifyVolume@8 ; RawVerifyVolume(x,x)
		jmp	loc_7EDF51
; 

loc_91037B:				; CODE XREF: RawFileSystemControl+15j
		push	edx
		mov	edx, ecx
		mov	ecx, edi
		call	_RawUserFsCtrl@12 ; RawUserFsCtrl(x,x,x)
		jmp	loc_7EDF51
; END OF FUNCTION CHUNK	FOR RawFileSystemControl
; 
; START	OF FUNCTION CHUNK FOR RawMountVolume

loc_91038A:				; CODE XREF: RawMountVolume+2Dj
		mov	eax, 0C000014Fh
		jmp	loc_7EE0FC
; 

loc_910394:				; CODE XREF: RawMountVolume+8Cj
					; RawMountVolume+EBj
		lea	ecx, [esi+0B8h]
		call	RawCleanupVcb
		push	esi
		call	IoDeleteDevice
		jmp	loc_7EE0FA
; END OF FUNCTION CHUNK	FOR RawMountVolume

;  S U B	R O U T	I N E 


sub_9103AA	proc near		; DATA XREF: .text:006A50C4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-68h], eax
		xor	eax, eax
		inc	eax
		retn
sub_9103AA	endp


;  S U B	R O U T	I N E 


sub_9103B8	proc near		; DATA XREF: .text:006A50C8o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-68h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	edi, edi
		mov	esi, [ebp-58h]
		jmp	loc_7EE051
sub_9103B8	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlNotifyVolumeEventEx

loc_9103CF:				; CODE XREF: FsRtlNotifyVolumeEventEx+2Cj
					; DATA XREF: PAGE:off_7EE196o
		mov	esi, (offset loc_4274FD+3) ; case 0x0
		jmp	short loc_9103F0
; 

loc_9103D6:				; CODE XREF: FsRtlNotifyVolumeEventEx+2Cj
					; DATA XREF: PAGE:off_7EE196o
		mov	esi, offset _GUID_IO_VOLUME_DISMOUNT_FAILED ; case 0x1
		jmp	short loc_9103F0
; 

loc_9103DD:				; CODE XREF: FsRtlNotifyVolumeEventEx+2Cj
					; DATA XREF: PAGE:off_7EE196o
		mov	esi, offset _GUID_IO_VOLUME_LOCK ; case	0x2
		jmp	short loc_9103F0
; 

loc_9103E4:				; CODE XREF: FsRtlNotifyVolumeEventEx+2Cj
					; DATA XREF: PAGE:off_7EE196o
		mov	esi, offset _GUID_IO_VOLUME_LOCK_FAILED	; case 0x3
		jmp	short loc_9103F0
; 

loc_9103EB:				; CODE XREF: FsRtlNotifyVolumeEventEx+2Cj
					; DATA XREF: PAGE:off_7EE196o
		mov	esi, offset _GUID_IO_VOLUME_UNLOCK ; case 0x4

loc_9103F0:				; CODE XREF: FsRtlNotifyVolumeEventEx+12229Ej
					; FsRtlNotifyVolumeEventEx+1222A5j ...
		mov	eax, [ebp+arg_8]
		push	eax
		lea	edi, [eax+4]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_4]
		push	esi
		call	_IoReportTargetDeviceChange@8 ;	IoReportTargetDeviceChange(x,x)
		jmp	loc_7EE186
; 

loc_910409:				; CODE XREF: FsRtlNotifyVolumeEventEx+2Cj
					; DATA XREF: PAGE:off_7EE196o
		mov	esi, offset _GUID_IO_VOLUME_NEED_CHKDSK	; case 0x6
		jmp	loc_7EE16E
; 

loc_910413:				; CODE XREF: FsRtlNotifyVolumeEventEx+2Cj
					; DATA XREF: PAGE:off_7EE196o
		mov	esi, (offset locret_4274CF+1) ;	case 0x8
		jmp	loc_7EE16E
; 

loc_91041D:				; CODE XREF: FsRtlNotifyVolumeEventEx+2Cj
					; DATA XREF: PAGE:off_7EE196o
		mov	esi, offset _GUID_IO_VOLUME_WORM_NEAR_FULL ; case 0x7
		jmp	loc_7EE16E
; 

loc_910427:				; CODE XREF: FsRtlNotifyVolumeEventEx+2Cj
					; DATA XREF: PAGE:off_7EE196o
		mov	esi, offset _GUID_IO_VOLUME_FORCE_CLOSED ; case	0x9
		jmp	loc_7EE16E
; 

loc_910431:				; CODE XREF: FsRtlNotifyVolumeEventEx+2Cj
					; DATA XREF: PAGE:off_7EE196o
		mov	esi, offset _GUID_IO_VOLUME_INFO_MAKE_COMPAT ; case 0xA
		jmp	loc_7EE16E
; 

loc_91043B:				; CODE XREF: FsRtlNotifyVolumeEventEx+2Cj
					; DATA XREF: PAGE:off_7EE196o
		mov	esi, offset _GUID_IO_VOLUME_PREPARING_EJECT ; case 0xB
		jmp	loc_7EE16E
; 

loc_910445:				; CODE XREF: FsRtlNotifyVolumeEventEx+2Cj
					; DATA XREF: PAGE:off_7EE196o
		mov	esi, offset _GUID_IO_VOLUME_CHANGE_SIZE	; case 0xC
		jmp	loc_7EE16E
; 

loc_91044F:				; CODE XREF: FsRtlNotifyVolumeEventEx+2Cj
					; DATA XREF: PAGE:off_7EE196o
		mov	esi, offset _GUID_IO_VOLUME_BACKGROUND_FORMAT ;	case 0xD
		jmp	loc_7EE16E
; 

loc_910459:				; CODE XREF: FsRtlNotifyVolumeEventEx+26j
		mov	ecx, [ebp+var_4] ; default
		call	ObfDereferenceObject
		mov	eax, 0C000000Dh
		jmp	loc_7EE18F
; END OF FUNCTION CHUNK	FOR FsRtlNotifyVolumeEventEx
; 
; START	OF FUNCTION CHUNK FOR PnpFreeInterruptInformation

loc_91046B:				; CODE XREF: PnpFreeInterruptInformation+10j
		push	47706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+0B0h]
		pop	esi
		and	dword ptr [eax+30h], 0
		retn
; END OF FUNCTION CHUNK	FOR PnpFreeInterruptInformation
; 
; START	OF FUNCTION CHUNK FOR IoCreateDevice

loc_910482:				; CODE XREF: IoCreateDevice+3D8j
		cmp	[esp+98h+var_84], 0
		jz	short loc_91049D
		push	0
		push	[esp+9Ch+var_84]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[esp+98h+var_84], 0
		mov	ecx, [esp+98h+var_7C]

loc_91049D:				; CODE XREF: IoCreateDevice+122273j
		cmp	[esp+98h+var_80], 0
		mov	esi, [ebp+arg_4]
		mov	eax, [esp+98h+var_70]
		jz	loc_7EE287
		push	0
		push	[esp+9Ch+var_80]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[esp+98h+var_80], 0
		mov	ecx, [esp+98h+var_7C]
		mov	eax, [esp+98h+var_70]
		jmp	loc_7EE287
; 

loc_9104CC:				; CODE XREF: IoCreateDevice+41Bj
		mov	ecx, [esp+98h+var_88]
		call	ObfDereferenceObject
		cmp	[esp+98h+var_84], edi
		jz	short loc_9104E5
		push	edi
		push	[esp+9Ch+var_84]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9104E5:				; CODE XREF: IoCreateDevice+1222C5j
		cmp	[esp+98h+var_80], edi
		jz	short loc_9104F5
		push	edi
		push	[esp+9Ch+var_80]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9104F5:				; CODE XREF: IoCreateDevice+1222D5j
		mov	ecx, [esp+98h+var_68]
		mov	[ecx], edi
		jmp	loc_7EE513
; 

loc_910500:				; CODE XREF: IoCreateDevice+116j
		mov	esi, 0C000000Dh

loc_910505:				; CODE XREF: IoCreateDevice+140j
		mov	edi, [esp+98h+var_74]
		jmp	loc_7EE4E1
; 

loc_91050E:				; CODE XREF: IoCreateDevice+2D2j
		push	0
		push	[esp+9Ch+var_84]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7EE4EC
; END OF FUNCTION CHUNK	FOR IoCreateDevice
; 
; START	OF FUNCTION CHUNK FOR IopCreateDefaultDeviceSecurityDescriptor

loc_91051E:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+2Aj
					; IopCreateDefaultDeviceSecurityDescriptor+84j	...
		mov	eax, ds:_SePublicDefaultUnrestrictedDacl
		mov	[ebp+arg_10], edi
		movzx	eax, word ptr [eax+2]
		mov	ecx, eax
		lea	eax, [ebp+arg_10]
		push	eax
		mov	[ebp+var_4], ecx
		mov	[ebp+arg_C], ecx
		call	_RtlGetNtProductType@4 ; RtlGetNtProductType(x)
		test	al, al
		jz	loc_7EE6FE
		cmp	[ebp+arg_10], 1
		push	4
		pop	ecx
		jnz	short loc_91056F
		mov	eax, _SeInteractiveSid
		jmp	short loc_910558
; 

loc_910553:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+121F14j
		mov	eax, _SeWorldSid

loc_910558:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+121EF3j
		movzx	eax, byte ptr [eax+1]
		add	ax, cx
		shl	ax, 2
		add	ax, word ptr [ebp+var_4]
		movzx	eax, ax
		mov	[ebp+arg_C], eax
		jmp	short loc_910577
; 

loc_91056F:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+121EECj
		cmp	esi, 2
		jz	short loc_910553
		mov	eax, [ebp+arg_C]

loc_910577:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+121F0Fj
		push	65536F49h
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	loc_7EE6FE
		mov	ecx, ds:_SePublicDefaultUnrestrictedDacl
		movzx	eax, word ptr [ecx+2]
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		cmp	[ebp+arg_10], 1
		mov	ecx, [ebp+arg_C]
		mov	[eax+2], cx
		jnz	short loc_9105C7
		push	edi
		push	_SeInteractiveSid
		push	0C0010000h
		jmp	short loc_9105D8
; 

loc_9105C7:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+121F59j
		cmp	esi, 2
		jnz	short loc_9105E3
		push	edi
		push	_SeWorldSid
		push	80000000h

loc_9105D8:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+121F67j
		push	edi
		push	2
		pop	edx
		mov	ecx, eax
		call	RtlpAddKnownAce

loc_9105E3:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+121F6Cj
		mov	esi, [ebp+arg_4]
		push	1
		push	esi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	edi
		push	[ebp+var_4]
		push	1
		push	esi
		call	RtlSetDaclSecurityDescriptor
		test	ebx, ebx
		jz	short loc_910601
		or	dword ptr [ebx], 4

loc_910601:				; CODE XREF: IopCreateDefaultDeviceSecurityDescriptor+121F9Ej
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		jmp	loc_7EE6B1
; END OF FUNCTION CHUNK	FOR IopCreateDefaultDeviceSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR IopCreateSecurityDescriptorPerType

loc_91060E:				; CODE XREF: IopCreateSecurityDescriptorPerType+5Dj
		sub	edx, 1
		jz	short loc_91061D
		mov	eax, 0C000000Dh
		jmp	loc_7EE74D
; 

loc_91061D:				; CODE XREF: IopCreateSecurityDescriptorPerType+121F0Fj
		mov	esi, ds:_SeSystemDefaultDacl
		jmp	loc_7EE726
; 

loc_910628:				; CODE XREF: IopCreateSecurityDescriptorPerType+54j
		mov	esi, ds:_SePublicOpenDacl
		jmp	loc_7EE76B
; 

loc_910633:				; CODE XREF: IopCreateSecurityDescriptorPerType+13j
		mov	esi, ds:_SePublicDefaultDacl
		jmp	loc_7EE726
; 

loc_91063E:				; CODE XREF: IopCreateSecurityDescriptorPerType+91j
		mov	eax, 0C000009Ah
		jmp	loc_7EE74C
; END OF FUNCTION CHUNK	FOR IopCreateSecurityDescriptorPerType
; 
; START	OF FUNCTION CHUNK FOR EtwTiLogDeviceObjectLoadUnload

loc_910648:				; CODE XREF: EtwTiLogDeviceObjectLoadUnload+38j
		push	0
		push	80000000h
		push	0
		push	ebx
		push	[ebp+var_54]
		call	EtwProviderEnabled
		test	al, al
		jz	loc_7EE824
		test	edi, edi
		jz	short loc_9106A6
		movzx	ecx, word ptr [edi]
		test	cx, cx
		jz	short loc_9106A6
		and	[ebp+var_40], 0
		mov	ax, cx
		and	[ebp+var_38], 0
		and	[ebp+var_30], 0
		and	[ebp+var_28], 0
		shr	ax, 1
		and	[ebp+var_4C], 0
		movzx	eax, ax
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_44], eax
		mov	eax, [edi+4]
		mov	edi, offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		mov	[ebp+var_34], eax
		mov	eax, ecx
		mov	[ebp+var_2C], eax
		jmp	short loc_9106D5
; 

loc_9106A6:				; CODE XREF: EtwTiLogDeviceObjectLoadUnload+121E7Ej
					; EtwTiLogDeviceObjectLoadUnload+121E86j
		xor	ecx, ecx
		mov	[ebp+var_48], 6
		lea	eax, [ebp+var_48]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_44], eax
		mov	edi, offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		mov	eax, ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_4C], eax
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], 0Ch
		mov	[ebp+var_28], ecx

loc_9106D5:				; CODE XREF: EtwTiLogDeviceObjectLoadUnload+121EBEj
		mov	ecx, [ebp+arg_0]
		push	2
		pop	edx
		mov	[ebp+var_3C], edx
		test	ecx, ecx
		jz	short loc_91070A
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_91070A
		and	[ebp+var_20], 0
		lea	edi, [ebp+var_50]
		and	[ebp+var_18], 0
		mov	[ebp+var_24], edi
		mov	edi, [ecx+4]
		xor	ecx, ecx
		mov	[ebp+var_1C], edx
		mov	edx, eax
		shr	ax, 1
		movzx	eax, ax
		jmp	short loc_910724
; 

loc_91070A:				; CODE XREF: EtwTiLogDeviceObjectLoadUnload+121EFAj
					; EtwTiLogDeviceObjectLoadUnload+121F02j
		and	[ebp+var_20], 0
		lea	eax, [ebp+var_50]
		and	[ebp+var_18], 0
		mov	ecx, [ebp+var_4C]
		push	0Ch
		mov	[ebp+var_1C], edx
		pop	edx
		push	6
		mov	[ebp+var_24], eax
		pop	eax

loc_910724:				; CODE XREF: EtwTiLogDeviceObjectLoadUnload+121F22j
		and	[ebp+var_8], 0
		movzx	eax, ax
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	4
		push	0
		push	esi
		push	ebx
		push	[ebp+var_54]
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_7EE824
; END OF FUNCTION CHUNK	FOR EtwTiLogDeviceObjectLoadUnload
; 
; START	OF FUNCTION CHUNK FOR RawInitializeVcb

loc_91074E:				; CODE XREF: RawInitializeVcb+70j
		mov	esi, ecx
		jmp	loc_7EE8B2
; END OF FUNCTION CHUNK	FOR RawInitializeVcb
; 
; START	OF FUNCTION CHUNK FOR ExAllocateCacheAwareRundownProtection

loc_910755:				; CODE XREF: ExAllocateCacheAwareRundownProtection+2Bj
		push	4
		pop	edi
		jmp	loc_7EE96E
; 

loc_91075D:				; CODE XREF: ExAllocateCacheAwareRundownProtection+50j
					; ExAllocateCacheAwareRundownProtection+83j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		jmp	loc_7EE9EE
; END OF FUNCTION CHUNK	FOR ExAllocateCacheAwareRundownProtection
; 
; START	OF FUNCTION CHUNK FOR RawScanDeletedList

loc_91076B:				; CODE XREF: RawScanDeletedList+Ej
		push	esi
		mov	ecx, offset _RawGlobalLock
		call	ExAcquireFastMutex
		mov	esi, _RawDismountedQueue
		cmp	esi, ebx
		jz	short loc_9107B2
		push	edi

loc_910781:				; CODE XREF: RawScanDeletedList+121D43j
		lea	ebx, [esi-80h]
		mov	esi, [esi]
		lea	edi, [ebx+0A0h]
		mov	ecx, edi
		call	@ExTryToAcquireFastMutex@4 ; ExTryToAcquireFastMutex(x)
		test	al, al
		jz	short loc_9107A9
		mov	ecx, ebx
		call	_RawCheckForDeleteVolume@4 ; RawCheckForDeleteVolume(x)
		test	al, al
		jnz	short loc_9107A9
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_9107A9:				; CODE XREF: RawScanDeletedList+121D29j
					; RawScanDeletedList+121D34j
		cmp	esi, offset _RawDismountedQueue
		jnz	short loc_910781
		pop	edi

loc_9107B2:				; CODE XREF: RawScanDeletedList+121D12j
		pop	esi
		mov	ecx, offset _RawGlobalLock
		pop	ebx
		jmp	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
; END OF FUNCTION CHUNK	FOR RawScanDeletedList
; 
; START	OF FUNCTION CHUNK FOR PiUEventInitClientRegistrationContext

loc_9107BE:				; CODE XREF: PiUEventInitClientRegistrationContext+70j
					; PiUEventInitClientRegistrationContext+ABj ...
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_9107D0
		push	59706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9107D0:				; CODE XREF: PiUEventInitClientRegistrationContext+121D41j
		push	59706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		jmp	loc_7EEC8A
; END OF FUNCTION CHUNK	FOR PiUEventInitClientRegistrationContext
; 
; START	OF FUNCTION CHUNK FOR PiUEventHandleRegistration

loc_9107E2:				; CODE XREF: PiUEventHandleRegistration+48j
		mov	edi, [ebp+var_8]
		mov	esi, 0C000009Ah
		jmp	short loc_910802
; 

loc_9107EC:				; CODE XREF: PiUEventHandleRegistration+87j
					; PiUEventHandleRegistration+97j ...
		mov	esi, 0C000000Dh

loc_9107F1:				; CODE XREF: PiUEventHandleRegistration+190j
					; PiUEventHandleRegistration+1E2j ...
		mov	edi, [ebp+var_8]

loc_9107F4:				; CODE XREF: PiUEventHandleRegistration+19Ej
		test	ebx, ebx
		jz	short loc_910802
		mov	dl, [ebp+var_1]
		mov	ecx, ebx
		call	PiUEventFreeClientRegistrationContext

loc_910802:				; CODE XREF: PiUEventHandleRegistration+121B40j
					; PiUEventHandleRegistration+121B4Cj
		and	dword ptr [edi+10h], 0
		jmp	loc_7EEE4E
; 

loc_91080B:				; CODE XREF: PiUEventHandleRegistration+265j
		cmp	esi, 3
		jnz	short loc_9107EC
		jmp	loc_7EED77
; 

loc_910815:				; CODE XREF: PiUEventHandleRegistration+291j
		sub	eax, 1
		jnz	short loc_9107EC
		jmp	loc_7EEF41
; 

loc_91081F:				; CODE XREF: PiUEventHandleRegistration+2A4j
		mov	edx, ecx
		lea	eax, [ebx+0Ch]
		xor	ecx, ecx
		push	eax
		inc	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9107F1
		jmp	loc_7EEDC2
; 

loc_910838:				; CODE XREF: PiUEventHandleRegistration+2ACj
		sub	eax, 1
		jz	short loc_910847
		mov	esi, 0C000000Dh
		jmp	loc_7EEE2E
; 

loc_910847:				; CODE XREF: PiUEventHandleRegistration+121B91j
		test	byte ptr [edi+20Ch], 2
		jz	short loc_910855
		push	0Dh
		pop	eax
		jmp	short loc_910860
; 

loc_910855:				; CODE XREF: PiUEventHandleRegistration+121BA4j
		lea	ecx, [edi+218h]
		call	_PiUEventHashStringIntoBucket@4	; PiUEventHashStringIntoBucket(x)

loc_910860:				; CODE XREF: PiUEventHandleRegistration+121BA9j
		lea	eax, _PiUEventDevInstancePropertyClientList[eax*8]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_7EEF8C
		inc	_PiUEventDevInstancePropertyClientCount
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		jmp	loc_7EEE27
; 

loc_910884:				; CODE XREF: PiUEventHandleRegistration+2B9j
		lea	ecx, [edi+218h]
		call	_PiUEventHashStringIntoBucket@4	; PiUEventHashStringIntoBucket(x)
		jmp	loc_7EEF6C
; 

loc_910894:				; CODE XREF: PiUEventHandleRegistration+22j
					; PiUEventHandleRegistration+2Fj ...
		mov	esi, 0C000000Dh
		mov	edi, ecx
		jmp	loc_7EEE46
; END OF FUNCTION CHUNK	FOR PiUEventHandleRegistration
; 
; START	OF FUNCTION CHUNK FOR EtwpBuildNotificationPacket

loc_9108A0:				; CODE XREF: EtwpBuildNotificationPacket+2Aj
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		push	78h
		pop	esi
		mov	ecx, esi
		call	_EtwpAllocDataBlock@12 ; EtwpAllocDataBlock(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7EEFD1
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+arg_4]
		mov	dword ptr [ecx+8], 1
		mov	[eax], ecx
		mov	[ecx+4], esi
		jmp	loc_7EEFD1
; 

loc_9108D1:				; CODE XREF: EtwpBuildNotificationPacket+22j
		add	eax, 88h
		lea	ecx, [ebp+var_4]
		push	ecx
		xor	edx, edx
		mov	[ebp+var_8], eax
		mov	ecx, eax
		call	_EtwpAllocDataBlock@12 ; EtwpAllocDataBlock(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7EEFD1
		mov	edx, [ebp+var_4]
		test	esi, esi
		jz	short loc_910900
		push	edi
		push	1Eh
		pop	ecx
		mov	edi, edx
		rep movsd
		pop	edi

loc_910900:				; CODE XREF: EtwpBuildNotificationPacket+121963j
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	[ebp+arg_0]
		inc	ecx
		mov	[edx+74h], ecx
		mov	[edx+8], ecx
		lea	ecx, [edx+78h]
		mov	[eax], edx
		mov	eax, [ebp+var_8]
		mov	[edx+4], eax
		mov	eax, [ebp+var_C]
		mov	[ecx+8], eax
		mov	eax, ecx
		sub	eax, edx
		mov	dword ptr [ecx+0Ch], 80000000h
		add	eax, 10h
		cdq
		mov	[ecx+4], edx
		mov	edx, [ebp+var_10]
		mov	[ecx], eax
		add	ecx, 10h
		call	_EtwpCopySchematizedFilters@12 ; EtwpCopySchematizedFilters(x,x,x)
		jmp	loc_7EEFD1
; END OF FUNCTION CHUNK	FOR EtwpBuildNotificationPacket
; 
; START	OF FUNCTION CHUNK FOR EtwpRegisterProvider

loc_910944:				; CODE XREF: EtwpRegisterProvider+60j
		mov	eax, 0C0000022h
		jmp	loc_7EF68C
; 

loc_91094E:				; CODE XREF: EtwpRegisterProvider+1DFj
					; EtwpRegisterProvider+1EDj ...
		mov	eax, 0C000000Dh
		jmp	loc_7EF68C
; 

loc_910958:				; CODE XREF: EtwpRegisterProvider+9Cj
		mov	ebx, 0C0000017h
		jmp	loc_7EF68A
; 

loc_910962:				; CODE XREF: EtwpRegisterProvider+A9j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [esi+168h]
		xor	edx, edx
		add	ecx, 16Ch
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		mov	eax, [esi+168h]
		mov	[eax+170h], ecx
		jmp	loc_7EF591
; 

loc_91099B:				; CODE XREF: EtwpRegisterProvider+122j
		cmp	[ecx+40h], edx
		jz	loc_7EF60A
		lea	eax, [ebx+36h]
		push	eax
		push	edx
		mov	dl, [ebx+32h]
		shr	dl, 3
		push	1
		and	dl, 1
		call	EtwpUpdateEnableMask
		jmp	loc_7EF60A
; 

loc_9109BE:				; CODE XREF: EtwpRegisterProvider+26Aj
		push	46777445h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_7EF756
		and	[esp+70h+var_14], 0
		lea	eax, [esp+70h+var_18]
		mov	[esp+70h+var_64], eax
		mov	edx, esi
		mov	eax, [esp+70h+var_58]
		mov	[esp+70h+var_18], edi
		mov	[esp+70h+var_10], eax
		mov	[esp+70h+var_C], 80000000h
		movzx	ecx, byte ptr [ebx+34h]
		push	ecx
		mov	ecx, edi
		call	_EtwpCopySchematizedFilters@12 ; EtwpCopySchematizedFilters(x,x,x)
		jmp	loc_7EF756
; 

loc_910A09:				; CODE XREF: EtwpRegisterProvider+2A3j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7EF639
; 

loc_910A16:				; CODE XREF: EtwpRegisterProvider+170j
		push	[esp+70h+var_50]
		push	0
		push	1
		push	ecx
		push	ecx
		mov	ecx, edi
		call	_EtwpEventWriteTemplateSessAndProv@28 ;	EtwpEventWriteTemplateSessAndProv(x,x,x,x,x,x,x)
		jmp	loc_7EF658
; 

loc_910A2C:				; CODE XREF: EtwpRegisterProvider+19Bj
		and	dword ptr [eax+170h], 0
		xor	edx, edx
		mov	ecx, [esi+168h]
		add	ecx, 16Ch
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_7EF683
; END OF FUNCTION CHUNK	FOR EtwpRegisterProvider
; 
; START	OF FUNCTION CHUNK FOR EtwpComputeRegEntryEnableInfo

loc_910A50:				; CODE XREF: EtwpComputeRegEntryEnableInfo+E4j
		mov	al, [ebp+var_2]
		test	al, al
		jz	short loc_910AB1
		mov	edx, [ebp+var_14]
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		add	edx, 70h
		movzx	esi, al

loc_910A65:				; CODE XREF: EtwpComputeRegEntryEnableInfo+12131Fj
		mov	eax, 1
		shl	eax, cl
		test	eax, esi
		jz	short loc_910AA2
		mov	al, [ebx+4]
		mov	dword ptr [ebx], 1
		mov	cl, [edx-0Ch]
		cmp	al, cl
		ja	short loc_910A82
		mov	al, cl

loc_910A82:				; CODE XREF: EtwpComputeRegEntryEnableInfo+1212EEj
		mov	[ebx+4], al
		mov	eax, [edx]
		or	[ebx+10h], eax
		mov	eax, [edx+4]
		or	[ebx+14h], eax
		mov	eax, [edx+8]
		and	[ebx+18h], eax
		mov	eax, [edx+0Ch]
		and	[ebx+1Ch], eax
		mov	eax, [edx-8]
		or	[ebx+8], eax

loc_910AA2:				; CODE XREF: EtwpComputeRegEntryEnableInfo+1212DEj
		mov	ecx, [ebp+var_8]
		add	edx, 20h
		inc	ecx
		mov	[ebp+var_8], ecx
		cmp	ecx, 8
		jb	short loc_910A65

loc_910AB1:				; CODE XREF: EtwpComputeRegEntryEnableInfo+1212C5j
		mov	al, [ebp+var_3]
		test	al, al
		jz	loc_7EF87A
		mov	edx, [ebp+var_C]
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		add	edx, 64h
		movzx	esi, al

loc_910ACA:				; CODE XREF: EtwpComputeRegEntryEnableInfo+12138Aj
		mov	eax, 1
		shl	eax, cl
		test	eax, esi
		jz	short loc_910B0D
		cmp	dword ptr [edx-4], 0
		jz	short loc_910B0D
		mov	al, [ebx+4]
		mov	dword ptr [ebx], 1
		mov	cl, [edx]
		cmp	al, cl
		ja	short loc_910AEC
		mov	al, cl

loc_910AEC:				; CODE XREF: EtwpComputeRegEntryEnableInfo+121358j
		mov	[ebx+4], al
		mov	eax, [edx+0Ch]
		or	[ebx+10h], eax
		mov	eax, [edx+10h]
		or	[ebx+14h], eax
		mov	eax, [edx+14h]
		and	[ebx+18h], eax
		mov	eax, [edx+18h]
		and	[ebx+1Ch], eax
		mov	eax, [edx+4]
		or	[ebx+8], eax

loc_910B0D:				; CODE XREF: EtwpComputeRegEntryEnableInfo+121343j
					; EtwpComputeRegEntryEnableInfo+121349j
		mov	ecx, [ebp+var_8]
		add	edx, 20h
		inc	ecx
		mov	[ebp+var_8], ecx
		cmp	ecx, 8
		jb	short loc_910ACA
		jmp	loc_7EF87A
; END OF FUNCTION CHUNK	FOR EtwpComputeRegEntryEnableInfo
; 
; START	OF FUNCTION CHUNK FOR EtwpAddKmRegEntry

loc_910B21:				; CODE XREF: EtwpAddKmRegEntry+25j
		mov	edi, 0C0000017h
		jmp	loc_7EF98F
; END OF FUNCTION CHUNK	FOR EtwpAddKmRegEntry
; 
; START	OF FUNCTION CHUNK FOR EtwpEnableAutoLoggerProvider

loc_910B2B:				; CODE XREF: EtwpEnableAutoLoggerProvider+202j
		mov	ecx, eax
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_910B32:				; CODE XREF: EtwpEnableAutoLoggerProvider+8CE27j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_910B32
		mov	edi, [ebp+var_380]
		sub	ecx, edx
		mov	edx, edi
		sar	ecx, 1
		lea	ebx, [edx+2]

loc_910B4C:				; CODE XREF: EtwpEnableAutoLoggerProvider+8CE45j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_36C]
		jnz	short loc_910B4C
		sub	edx, ebx
		sar	edx, 1
		push	50777445h
		lea	eax, [ecx+edx]
		lea	eax, ds:4[eax*2]
		push	eax
		push	1
		mov	[ebp+var_36C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_33C], ebx
		test	ebx, ebx
		jz	loc_910CDC
		mov	eax, dword ptr [ebp+var_384]
		push	edi
		push	eax		; char
		push	offset ??_C@_1BA@NPEHGALP@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	[ebp+var_36C]	; int
		push	ebx		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		test	eax, eax
		jnz	short loc_910C0F
		push	ebx
		lea	eax, [ebp+var_3A0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_3A0]
		mov	[ebp+var_3C8], 18h
		mov	[ebp+var_3C0], eax
		xor	edi, edi
		lea	eax, [ebp+var_3C8]
		mov	[ebp+var_3C4], edi
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_338]
		mov	[ebp+var_3BC], 240h
		push	eax
		mov	[ebp+var_3B8], edi
		mov	[ebp+var_3B4], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	short loc_910C0F
		mov	[ebp+var_338], edi

loc_910C0F:				; CODE XREF: EtwpEnableAutoLoggerProvider+8CE96j
					; EtwpEnableAutoLoggerProvider+8CEF3j
		mov	edi, [ebp+var_334]
		jmp	loc_883F1C
; 

loc_910C1A:				; CODE XREF: EtwpEnableAutoLoggerProvider+378j
		test	ebx, ebx
		jnz	loc_884092
		lea	eax, [ebp+var_354]
		mov	[ebp+var_308], esi
		mov	[ebp+var_30C], eax
		lea	eax, [ebp+var_35C]
		mov	[ebp+var_2F0], eax
		lea	eax, [ebp+var_360]
		mov	[ebp+var_2D4], eax
		lea	eax, [ebp+var_358]
		mov	[ebp+var_2B8], eax
		lea	eax, [ebp+var_378]
		push	8
		pop	edx
		mov	[ebp+var_29C], eax
		lea	eax, [ebp+var_3A8]
		push	1
		mov	[ebp+var_280], eax
		xor	eax, eax
		push	ecx
		push	eax
		mov	[ebp+var_298], edx
		lea	eax, [ebp+var_320]
		mov	[ebp+var_27C], edx
		mov	edx, ecx
		push	eax
		mov	ecx, 40000000h
		mov	[ebp+var_2EC], esi
		mov	[ebp+var_2D0], esi
		mov	[ebp+var_2B4], esi
		call	RtlpQueryRegistryValues
		mov	ecx, [ebp+var_338]
		jmp	loc_884092
; 

loc_910CB5:				; CODE XREF: EtwpEnableAutoLoggerProvider+3B9j
		mov	eax, 0FFFFh
		jmp	loc_8840D3
; 

loc_910CBF:				; CODE XREF: EtwpEnableAutoLoggerProvider+367j
					; EtwpEnableAutoLoggerProvider+380j ...
		push	eax
		call	RtlNtStatusToDosError
		mov	ecx, [ebp+var_338]
		mov	[ebp+var_364], eax
		jmp	loc_88420E
; 

loc_910CD6:				; CODE XREF: EtwpEnableAutoLoggerProvider+50Aj
		push	ecx
		jmp	loc_88422A
; 

loc_910CDC:				; CODE XREF: EtwpEnableAutoLoggerProvider+16Aj
					; EtwpEnableAutoLoggerProvider+8CE72j
		mov	edi, [ebp+var_334]
		jmp	loc_88423A
; 

loc_910CE7:				; CODE XREF: EtwpEnableAutoLoggerProvider+54Ej
		push	[ebp+var_338]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_884268
; 

loc_910CF7:				; CODE XREF: EtwpEnableAutoLoggerProvider+556j
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_884270
; 

loc_910D05:				; CODE XREF: EtwpEnableAutoLoggerProvider+564j
		push	ebx
		push	[ebp+var_344]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88427E
; 

loc_910D16:				; CODE XREF: EtwpEnableAutoLoggerProvider+571j
		push	ebx
		push	[ebp+var_348]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88428B
; 

loc_910D27:				; CODE XREF: EtwpEnableAutoLoggerProvider+587j
		push	ebx
		push	[ebp+var_350]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8842A1
; END OF FUNCTION CHUNK	FOR EtwpEnableAutoLoggerProvider
; 
; START	OF FUNCTION CHUNK FOR EtwpGetAutoLoggerProviderFilter

loc_910D38:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+11Ej
					; EtwpGetAutoLoggerProviderFilter+2B4j	...
		mov	esi, 0C0000017h
		jmp	loc_88452A
; 

loc_910D42:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+1B2j
		mov	ecx, eax
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_910D49:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+8C9FAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_910D49
		sub	ecx, edx
		sar	ecx, 1
		push	50777445h
		lea	esi, ds:12h[ecx*2]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_330], ebx
		test	ebx, ebx
		jz	short loc_910D38
		mov	edx, dword ptr [ebp+var_34C]
		push	edx		; char
		push	offset ??_C@_1BI@GHNFACD@?$AA?$CF?$AAw?$AAs?$AA?2?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@ ; wchar_t *
		push	esi		; int
		push	ebx		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		jnz	loc_88452A
		push	ebx
		lea	eax, [ebp+var_360]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_360]
		mov	[ebp+var_378], 18h
		mov	[ebp+var_370], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_378]
		mov	[ebp+var_374], ecx
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_30C]
		mov	[ebp+var_36C], 240h
		push	eax
		mov	[ebp+var_368], ecx
		mov	[ebp+var_364], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		jmp	loc_884510
; 

loc_910DF8:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+596j
		cmp	[ebp+var_314], 0
		mov	ecx, [ebp+var_32C]
		push	8
		mov	eax, [ecx+4]
		mov	[ebp+var_2F0], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_2EC], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_2D4], eax
		movzx	eax, word ptr [ecx+8]
		mov	[ebp+var_2D0], eax
		mov	eax, [ecx+14h]
		mov	[ebp+var_2B8], eax
		movzx	eax, word ptr [ecx+10h]
		mov	[ebp+var_2B4], eax
		lea	eax, [ebp+var_320]
		mov	[ebp+var_29C], eax
		lea	eax, [ebp+var_324]
		mov	[ebp+var_280], eax
		lea	eax, [ebp+var_328]
		mov	[ebp+var_264], eax
		mov	eax, [ebp+var_344]
		mov	[ebp+var_248], eax
		mov	eax, [ebp+var_348]
		mov	[ebp+var_244], eax
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_22C], eax
		movzx	eax, word ptr [ecx+18h]
		mov	[ebp+var_228], eax
		pop	eax
		jz	short loc_910EAC
		mov	eax, [ebp+var_334]
		mov	[ebp+var_210], eax
		mov	eax, [ebp+var_338]
		push	9
		mov	[ebp+var_20C], eax
		pop	eax

loc_910EAC:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+8CB37j
		cmp	[ebp+var_310], 0
		jz	short loc_910ED2
		imul	esi, eax, 1Ch
		mov	eax, [ebp+var_33C]
		mov	[ebp+esi+var_2F0], eax
		mov	eax, [ebp+var_340]
		mov	[ebp+esi+var_2EC], eax

loc_910ED2:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+8CB5Bj
		push	1
		push	ecx
		xor	eax, eax
		mov	ecx, 40000000h
		push	eax
		lea	eax, [ebp+var_304]
		push	eax
		call	RtlpQueryRegistryValues
		mov	esi, eax
		xor	edx, edx
		test	esi, esi
		jns	loc_8848F4
		mov	esi, edx
		jmp	loc_8848F4
; 

loc_910EFC:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+5F5j
		mov	edi, [ebp+var_32C]
		push	4
		pop	ebx

loc_910F05:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+8CBB9j
		push	edi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		add	edi, 8
		sub	ebx, 1
		jnz	short loc_910F05
		mov	eax, [ebp+var_31C]
		mov	[eax], ebx
		jmp	loc_88452A
; 

loc_910F20:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+1E1j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88453F
; 

loc_910F2C:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+229j
		push	[ebp+var_30C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_884587
; 

loc_910F3C:				; CODE XREF: EtwpGetAutoLoggerProviderFilter+242j
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8845A0
; END OF FUNCTION CHUNK	FOR EtwpGetAutoLoggerProviderFilter
; 
; START	OF FUNCTION CHUNK FOR EtwpAllocGuidEntry

loc_910F48:				; CODE XREF: EtwpAllocGuidEntry+92j
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, esi
		jmp	loc_7EFC62
; END OF FUNCTION CHUNK	FOR EtwpAllocGuidEntry
; 
; START	OF FUNCTION CHUNK FOR EtwpEnableTrace

loc_910F56:				; CODE XREF: EtwpEnableTrace+2Bj
		cmp	[ebx+edx*8+4], edi
		jz	loc_7EFCB9
		mov	edi, 400h
		cmp	ax, di
		ja	short loc_910F7A
		add	esi, 2
		inc	ecx
		add	esi, eax
		mov	[ebp+var_4], ecx
		xor	edi, edi
		jmp	loc_7EFCB9
; 

loc_910F7A:				; CODE XREF: EtwpEnableTrace+13Dj
					; EtwpEnableTrace+1212E0j
		mov	esi, 0C000000Dh
		jmp	loc_7EFDA4
; 

loc_910F84:				; CODE XREF: EtwpEnableTrace+5Aj
		inc	ecx
		add	esi, eax
		mov	[ebp+var_4], ecx
		jmp	loc_7EFCE8
; 

loc_910F8F:				; CODE XREF: EtwpEnableTrace+65j
		inc	ecx
		add	esi, eax
		mov	[ebp+var_4], ecx
		jmp	loc_7EFCF3
; 

loc_910F9A:				; CODE XREF: EtwpEnableTrace+70j
		inc	ecx
		add	esi, eax
		mov	[ebp+var_4], ecx
		jmp	loc_7EFCFE
; 

loc_910FA5:				; CODE XREF: EtwpEnableTrace+7Aj
		inc	ecx
		add	esi, 18h
		mov	[ebp+var_4], ecx
		jmp	loc_7EFD08
; 

loc_910FB1:				; CODE XREF: EtwpEnableTrace+9Bj
		mov	esi, 0C0000017h
		jmp	loc_7EFDA4
; 

loc_910FBB:				; CODE XREF: EtwpEnableTrace+BAj
		lea	edi, [ebx+38h]
		movsd
		movsd
		movsd
		movsd
		jmp	loc_7EFD48
; 

loc_910FC7:				; CODE XREF: EtwpEnableTrace+179j
		cmp	dword ptr [eax+ecx*8+4], 0
		jz	loc_7EFE07
		mov	eax, ecx
		sub	eax, 0
		jz	short loc_911000
		sub	eax, 1
		jz	short loc_910FF8
		sub	eax, 1
		jz	short loc_910FF0
		sub	eax, 1
		jnz	short loc_911006
		mov	dword ptr [edx], 80008000h
		jmp	short loc_911006
; 

loc_910FF0:				; CODE XREF: EtwpEnableTrace+121359j
		mov	dword ptr [edx], 80000020h
		jmp	short loc_911006
; 

loc_910FF8:				; CODE XREF: EtwpEnableTrace+121354j
		mov	dword ptr [edx], 80000010h
		jmp	short loc_911006
; 

loc_911000:				; CODE XREF: EtwpEnableTrace+12134Fj
		mov	dword ptr [edx], 80000008h

loc_911006:				; CODE XREF: EtwpEnableTrace+12135Ej
					; EtwpEnableTrace+121366j ...
		mov	eax, [ebp+arg_28]
		mov	esi, [ebp+arg_0]
		movzx	ecx, word ptr [eax+ecx*8]
		mov	eax, edi
		add	ecx, 2
		sub	eax, ebx
		mov	[edx-4], ecx
		cdq
		mov	[esi-0Ch], eax
		mov	eax, esi
		push	ecx		; size_t
		mov	ecx, [ebp+arg_28]
		mov	[eax-8], edx
		mov	eax, [ebp+arg_C]
		push	dword ptr [ecx+eax*8+4]	; void *
		push	edi		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		mov	esi, [ebp+arg_10]
		add	esp, 0Ch
		mov	eax, [ebp+arg_28]
		add	edi, [edx-4]
		inc	esi
		add	edx, 10h
		mov	[ebp+arg_10], esi
		mov	[ebp+arg_0], edx
		jmp	loc_7EFE07
; 

loc_911054:				; CODE XREF: EtwpEnableTrace+1B9j
		sub	eax, 1
		jnz	loc_7EFE4E
		mov	dword ptr [edx+4], 80001000h
		jmp	loc_7EFE4E
; 

loc_911069:				; CODE XREF: EtwpEnableTrace+21Ej
		add	esi, esi
		mov	eax, edi
		push	ecx		; size_t
		push	[ebp+arg_30]	; void *
		sub	eax, ebx
		cdq
		push	edi		; void *
		mov	dword ptr [ebx+esi*8+84h], 80000400h
		mov	[ebx+esi*8+80h], ecx
		mov	[ebx+esi*8+78h], eax
		mov	[ebx+esi*8+7Ch], edx
		call	_memcpy
		add	edi, [ebx+esi*8+80h]
		add	esp, 0Ch
		mov	esi, [ebp+arg_10]
		inc	esi
		mov	[ebp+arg_10], esi
		jmp	loc_7EFEAC
; 

loc_9110AA:				; CODE XREF: EtwpEnableTrace+229j
		add	esi, esi
		mov	eax, edi
		push	ecx		; size_t
		push	[ebp+arg_38]	; void *
		sub	eax, ebx
		cdq
		push	edi		; void *
		mov	dword ptr [ebx+esi*8+84h], 80002000h
		mov	[ebx+esi*8+80h], ecx
		mov	[ebx+esi*8+78h], eax
		mov	[ebx+esi*8+7Ch], edx
		call	_memcpy
		add	edi, [ebx+esi*8+80h]
		add	esp, 0Ch
		mov	esi, [ebp+arg_10]
		inc	esi
		mov	[ebp+arg_10], esi
		jmp	loc_7EFEB7
; 

loc_9110EB:				; CODE XREF: EtwpEnableTrace+234j
		add	esi, esi
		mov	eax, edi
		push	ecx		; size_t
		push	[ebp+arg_40]	; void *
		sub	eax, ebx
		cdq
		push	edi		; void *
		mov	dword ptr [ebx+esi*8+84h], 80000000h
		mov	[ebx+esi*8+80h], ecx
		mov	[ebx+esi*8+78h], eax
		mov	[ebx+esi*8+7Ch], edx
		call	_memcpy
		add	edi, [ebx+esi*8+80h]
		add	esp, 0Ch
		mov	esi, [ebp+arg_10]
		inc	esi
		jmp	loc_7EFEC2
; 

loc_911129:				; CODE XREF: EtwpEnableTrace+244j
		add	esi, esi
		mov	eax, edi
		sub	eax, ebx
		cdq
		push	6
		mov	dword ptr [ebx+esi*8+84h], 80004000h
		mov	dword ptr [ebx+esi*8+80h], 18h
		mov	[ebx+esi*8+78h], eax
		mov	[ebx+esi*8+7Ch], edx
		mov	esi, [ebp+arg_48]
		pop	ecx
		rep movsd
		jmp	loc_7EFD8E
; END OF FUNCTION CHUNK	FOR EtwpEnableTrace
; 
; START	OF FUNCTION CHUNK FOR EtwpUpdateGuidEnableInfo

loc_91115B:				; CODE XREF: EtwpUpdateGuidEnableInfo+278j
		mov	eax, 0C000009Ah
		jmp	loc_7F072A
; END OF FUNCTION CHUNK	FOR EtwpUpdateGuidEnableInfo
; 
; START	OF FUNCTION CHUNK FOR EtwpCheckNotificationAccess

loc_911165:				; CODE XREF: EtwpCheckNotificationAccess+3Fj
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	EtwpCheckSecurityLoggerAccess
		mov	esi, eax
		jmp	loc_7F08D3
; END OF FUNCTION CHUNK	FOR EtwpCheckNotificationAccess
; 
; START	OF FUNCTION CHUNK FOR PfSnLogPrefetchMetadata

loc_91117E:				; CODE XREF: PfSnLogPrefetchMetadata+4Ej
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		lea	edx, [edi+50h]
		lea	ecx, [edi+10h]
		call	_PfSnBuildScenarioEventDescriptors@16 ;	PfSnBuildScenarioEventDescriptors(x,x,x,x)
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	ebx
		push	esi
		push	dword_6D49EC
		mov	[ebp+var_C], 4
		push	dword_6D49E8
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_7F092E
; END OF FUNCTION CHUNK	FOR PfSnLogPrefetchMetadata
; 
; START	OF FUNCTION CHUNK FOR EtwpStartLogger

loc_9111C2:				; CODE XREF: EtwpStartLogger+99j
		or	ebx, 80h
		mov	[esp+0B8h+var_A0], ebx
		jmp	loc_7F09DF
; 

loc_9111D1:				; CODE XREF: EtwpStartLogger+A5j
		test	ebx, 1000000h
		jz	loc_7F09EB
		and	ebx, 0FEFFFFFFh
		mov	[esp+0B8h+var_A0], ebx
		jmp	loc_7F09EB
; 

loc_9111EC:				; CODE XREF: EtwpStartLogger+AEEj
		and	ebx, 0FFFFFEFFh
		mov	[esp+0B8h+var_A0], ebx
		jmp	loc_7F1434
; 

loc_9111FB:				; CODE XREF: EtwpStartLogger+AF7j
		mov	[edi+44h], eax
		jmp	loc_7F143D
; 

loc_911203:				; CODE XREF: EtwpStartLogger+B06j
		mov	[edi+4Ch], eax
		jmp	loc_7F09F7
; 

loc_91120B:				; CODE XREF: EtwpStartLogger+159j
		test	ecx, ecx
		jz	loc_7F118A
		jmp	loc_7F0A9F
; 

loc_911218:				; CODE XREF: EtwpStartLogger+174j
		call	_EtwpIsSoftRestartSupported@0 ;	EtwpIsSoftRestartSupported()
		test	al, al
		jnz	short loc_91122B
		mov	esi, 0C00000BBh
		jmp	loc_911573
; 

loc_91122B:				; CODE XREF: EtwpStartLogger+1208DFj
		test	ecx, ecx
		jz	loc_7F118A
		test	edx, 1000000h
		jnz	loc_7F118A
		jmp	loc_7F0ABA
; 

loc_911244:				; CODE XREF: EtwpStartLogger+1F2j
					; EtwpStartLogger+321j	...
		mov	esi, 0C0000035h
		jmp	loc_911573
; 

loc_91124E:				; CODE XREF: EtwpStartLogger+2B5j
		xor	eax, eax
		mov	ecx, edi
		lea	esi, [eax+1]
		lea	edx, [eax+1]
		mov	[esp+0B8h+var_A8], esi
		mov	[esp+0B8h+var_A4], esi
		call	_EtwpGetFlagExtension@8	; EtwpGetFlagExtension(x,x)
		test	eax, eax
		jz	short loc_91129C
		test	ebx, 1000000h
		jnz	loc_7F118A
		lea	eax, [esp+0B8h+var_90]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	offset ??_C@_1CC@EOPECBIH@?$AAN?$AAT?$AA?5?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?5?$AAL?$AAo?$AAg?$AAg?$AAe@NNGAKEGL@ ; void *
		lea	eax, [esp+0BCh+var_90]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	loc_911362
		xor	eax, eax
		mov	[esp+0B8h+var_9C], eax

loc_91129C:				; CODE XREF: EtwpStartLogger+120927j
		mov	eax, [esp+0B8h+var_98]
		lea	edx, [eax+4]
		jmp	loc_7F1494
; 

loc_9112A8:				; CODE XREF: EtwpStartLogger+2E9j
		push	10h		; size_t
		lea	eax, [esp+0BCh+var_48]
		push	esi		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_911244
		jmp	loc_7F0C2F
; 

loc_9112C1:				; CODE XREF: EtwpStartLogger+82Cj
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		mov	ecx, [esp+0B8h+var_AC]
		mov	eax, [ecx+8]
		jmp	loc_7F0C5F
; 

loc_9112D2:				; CODE XREF: EtwpStartLogger+378j
		cmp	byte_6FF220, 0
		jnz	short loc_911346
		xor	edx, edx
		inc	edx
		cmp	dword_6B2A40, 5
		mov	byte_6FF220, dl
		jbe	short loc_911346
		push	8000h
		xor	eax, eax
		mov	edi, offset dword_6B2A40
		push	eax
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_911346
		lea	eax, [esp+0B8h+var_A8]
		mov	[esp+0B8h+var_A8], esi
		mov	[esp+0B8h+var_18], eax
		xor	ecx, ecx
		lea	eax, [esp+0B8h+var_38]
		mov	[esp+0B8h+var_14], ecx
		push	eax
		push	3
		push	ecx
		push	ecx
		push	offset loc_423A35
		push	edi
		mov	[esp+0D0h+var_10], 4
		mov	[esp+0D0h+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_911346:				; CODE XREF: EtwpStartLogger+120999j
					; EtwpStartLogger+1209ABj ...
		mov	esi, 0C000009Ah
		jmp	loc_911573
; 

loc_911350:				; CODE XREF: EtwpStartLogger+B92j
		xor	eax, eax
		mov	esi, eax
		mov	[esp+0B8h+var_9C], eax
		mov	eax, offset ??_C@_1CC@EOPECBIH@?$AAN?$AAT?$AA?5?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?5?$AAL?$AAo?$AAg?$AAg?$AAe@NNGAKEGL@
		jmp	loc_7F14E7
; 

loc_911362:				; CODE XREF: EtwpStartLogger+B3Dj
					; EtwpStartLogger+BBCj	...
		mov	esi, 0C0000017h
		jmp	loc_911573
; 

loc_91136C:				; CODE XREF: EtwpStartLogger+3D0j
		xor	eax, eax
		mov	byte ptr [esp+0B8h+var_94], al
		jmp	loc_7F0D3C
; 

loc_911377:				; CODE XREF: EtwpStartLogger+AB4j
		inc	eax
		cmp	eax, ecx
		jb	loc_7F13ED
		jmp	loc_7F13FA
; 

loc_911385:				; CODE XREF: EtwpStartLogger+AC0j
		mov	esi, 0C000009Ah
		jmp	loc_91154E
; 

loc_91138F:				; CODE XREF: EtwpStartLogger+425j
		mov	cx, [eax]
		shl	cx, 2
		cmp	cx, si
		jnz	loc_7F0D6B
		mov	edx, [eax+4]
		lea	ecx, [ebx+378h]
		call	_EtwpSetPartitionContext@8 ; EtwpSetPartitionContext(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9114DB
		jmp	loc_7F0D6B
; 

loc_9113BC:				; CODE XREF: EtwpStartLogger+437j
		mov	esi, 0C0000017h
		jmp	loc_91154A
; 

loc_9113C6:				; CODE XREF: EtwpStartLogger+468j
		mov	ecx, ebx
		call	_EtwpSetQpcDeltaTracking@4 ; EtwpSetQpcDeltaTracking(x)
		mov	esi, eax
		test	esi, esi
		js	loc_9114DB
		xor	edx, edx
		jmp	loc_7F0DAE
; 

loc_9113DE:				; CODE XREF: EtwpStartLogger+476j
		or	dword ptr [ebx+258h], 40000000h
		jmp	loc_7F0DBC
; 

loc_9113ED:				; CODE XREF: EtwpStartLogger+49Dj
		cmp	[ebx+84h], edx
		ja	short loc_9113FD
		test	eax, eax
		jns	loc_7F0DE3

loc_9113FD:				; CODE XREF: EtwpStartLogger+120AB3j
		mov	[edi+4Ch], edx
		mov	ecx, edx
		jmp	loc_7F0DE3
; 

loc_911407:				; CODE XREF: EtwpStartLogger+9D0j
		mov	al, cl
		jmp	loc_7F1319
; 

loc_91140E:				; CODE XREF: EtwpStartLogger+5E5j
		mov	[edi+30h], ecx
		mov	eax, ecx
		jmp	loc_7F0F2B
; 

loc_911418:				; CODE XREF: EtwpStartLogger+5FBj
		mov	eax, [ebx+4]
		mov	ecx, 20000000h
		add	eax, 1FFFFFh
		and	eax, 0FFE00000h
		mov	[ebx+4], eax
		lea	eax, [ebx+258h]
		lock or	[eax], ecx
		jmp	loc_7F0F41
; 

loc_91143B:				; CODE XREF: EtwpStartLogger+BFAj
					; EtwpStartLogger+C0Dj
		lea	eax, [ebx+258h]
		lock or	[eax], esi
		mov	eax, [ebx+4]
		jmp	loc_7F0F8E
; 

loc_91144C:				; CODE XREF: EtwpStartLogger+66Fj
					; EtwpStartLogger+6D7j
		mov	ecx, ebx
		call	_EtwpFreeTraceBufferPool@4 ; EtwpFreeTraceBufferPool(x)
		jmp	loc_9114DB
; 

loc_911458:				; CODE XREF: EtwpStartLogger+75Dj
		mov	eax, [esp+0B8h+var_AC]
		xor	edx, edx
		inc	edx
		mov	ecx, [eax+188h]
		mov	eax, [esp+0B8h+var_A8]
		mov	ecx, [ecx+eax*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		jmp	short loc_911485
; 

loc_911473:				; CODE XREF: EtwpStartLogger+120B7Bj
		mov	edx, ebx
		mov	ecx, edi
		call	EtwpGetLoggerInfoFromContext
		mov	dl, 1
		mov	ecx, ebx
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_911485:				; CODE XREF: EtwpStartLogger+120B31j
		mov	ecx, ebx
		call	_EtwpFreeLoggerContext@4 ; EtwpFreeLoggerContext(x)
		jmp	loc_7F1137
; 

loc_911491:				; CODE XREF: EtwpStartLogger+798j
		push	ecx
		push	ecx
		mov	edx, ebx
		mov	ecx, offset _ETW_EVENT_START_TRACE
		call	_EtwpEventWriteTemplateSession@16 ; EtwpEventWriteTemplateSession(x,x,x,x)
		jmp	loc_7F10DE
; 

loc_9114A4:				; CODE XREF: EtwpStartLogger+A13j
					; EtwpStartLogger+A43j
		mov	ecx, ebx
		mov	[ebx+28h], esi
		call	_EtwpStopLoggerInstance@4 ; EtwpStopLoggerInstance(x)
		test	dword ptr [ebx+0Ch], 400h
		jz	loc_7F1119
		jmp	short loc_911473
; 

loc_9114BD:				; CODE XREF: EtwpStartLogger+7DFj
		mov	edx, [esp+0B8h+var_AC]
		mov	ecx, edi
		movzx	eax, al
		push	eax
		push	dword ptr [ebx]
		call	_EtwpUpdatePerProcessTracing@16	; EtwpUpdatePerProcessTracing(x,x,x,x)
		jmp	loc_7F1125
; 

loc_9114D3:				; CODE XREF: EtwpStartLogger+549j
					; EtwpStartLogger+62Bj
		mov	eax, [esp+0B8h+var_A4]
		mov	[esp+0B8h+var_A8], eax

loc_9114DB:				; CODE XREF: EtwpStartLogger+4D9j
					; EtwpStartLogger+5B7j	...
		test	dword ptr [ebx+0Ch], 2000000h
		jz	short loc_9114F5
		mov	eax, [esp+0B8h+var_AC]
		mov	ecx, [esp+0B8h+var_9C]
		add	eax, 924h
		lock btr [eax],	ecx

loc_9114F5:				; CODE XREF: EtwpStartLogger+120BA2j
		mov	eax, [ebx+258h]
		xor	edi, edi
		test	al, al
		jns	short loc_911513
		push	edi
		push	dword ptr [ebx+2B4h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebx+258h]

loc_911513:				; CODE XREF: EtwpStartLogger+120BBFj
		test	eax, 2000h
		jz	short loc_911521
		lock dec dword_6BC448

loc_911521:				; CODE XREF: EtwpStartLogger+120BD8j
		lea	eax, [ebx+64h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebx+6Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [ebx+248h]
		test	eax, eax
		jz	short loc_911543
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_911543:				; CODE XREF: EtwpStartLogger+120BFBj
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_91154A:				; CODE XREF: EtwpStartLogger+120A81j
		mov	ebx, [esp+0B8h+var_A0]

loc_91154E:				; CODE XREF: EtwpStartLogger+3B4j
					; EtwpStartLogger+A99j	...
		mov	eax, [esp+0B8h+var_AC]
		xor	edx, edx
		mov	edi, [esp+0B8h+var_A8]
		inc	edx
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+edi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		mov	edx, [esp+0B8h+var_98]
		xor	ecx, ecx
		inc	ecx
		lea	eax, [edx+edi*4]
		xchg	ecx, [eax]

loc_911573:				; CODE XREF: EtwpStartLogger+185j
					; EtwpStartLogger+1D8j	...
		mov	edi, offset _ETW_EVENT_SESSION_START_FAILED
		push	edi
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9115A3
		push	ebx
		push	esi
		lea	eax, [esp+0C0h+var_84]
		push	eax
		lea	eax, [esp+0C4h+var_90]
		push	eax
		push	ecx
		push	ecx
		mov	ecx, edi
		call	_EtwpEventWriteTemplateAdmin@32	; EtwpEventWriteTemplateAdmin(x,x,x,x,x,x,x,x)

loc_9115A3:				; CODE XREF: EtwpStartLogger+120C4Cj
		lea	eax, [esp+0B8h+var_90]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esp+0B8h+var_84]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	ecx, [esp+0B8h+var_88]
		call	_EtwpFreeSecurityDescriptor@4 ;	EtwpFreeSecurityDescriptor(x)
		jmp	loc_7F1137
; END OF FUNCTION CHUNK	FOR EtwpStartLogger
; 
; START	OF FUNCTION CHUNK FOR EtwpLookupLoggerIdByName

loc_9115C5:				; CODE XREF: EtwpLookupLoggerIdByName+52j
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	eax, eax
		jmp	loc_7F1589
; END OF FUNCTION CHUNK	FOR EtwpLookupLoggerIdByName
; 
; START	OF FUNCTION CHUNK FOR EtwpEnableDisableSpecialGuids

loc_9115D6:				; CODE XREF: EtwpEnableDisableSpecialGuids+A2j
		cmp	edi, ds:_EtwpHostSiloState
		jnz	loc_7F165A
		cmp	ebx, 1
		jnz	short loc_9115EC
		mov	byte ptr [ebp+arg_14], bl
		jmp	short loc_9115F4
; 

loc_9115EC:				; CODE XREF: EtwpEnableDisableSpecialGuids+120033j
		cmp	ebx, esi
		jnz	short loc_91160E
		mov	byte ptr [ebp+arg_14], 0

loc_9115F4:				; CODE XREF: EtwpEnableDisableSpecialGuids+120038j
		push	[ebp+arg_10]
		movzx	eax, word ptr [ebp+arg_0]
		mov	ecx, edi
		push	[ebp+arg_C]
		push	[ebp+arg_14]
		push	eax
		call	_EtwpCheckGuidAccessAndDoRundown@24 ; EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)
		jmp	loc_7F1635
; 

loc_91160E:				; CODE XREF: EtwpEnableDisableSpecialGuids+12003Cj
					; EtwpEnableDisableSpecialGuids+120067j
		xor	eax, eax
		jmp	loc_7F1635
; 

loc_911615:				; CODE XREF: EtwpEnableDisableSpecialGuids+72j
		cmp	byte ptr [ebp+arg_8+3],	1
		jnz	short loc_91160E
		mov	byte ptr [ebp+arg_14], 0
		sub	ebx, 1
		jz	short loc_91165A
		sub	ebx, 1
		jz	short loc_91164D
		sub	ebx, esi
		jz	short loc_911661
		sub	ebx, 4
		jz	short loc_911647
		sub	ebx, 8
		jnz	short loc_911665
		movzx	edx, word ptr [ebp+arg_0]
		mov	ecx, edi
		call	_EtwpLogFileNameRundown@8 ; EtwpLogFileNameRundown(x,x)
		jmp	loc_7F1635
; 

loc_911647:				; CODE XREF: EtwpEnableDisableSpecialGuids+12007Ej
		mov	byte ptr [ebp+arg_14], 0
		jmp	short loc_911665
; 

loc_91164D:				; CODE XREF: EtwpEnableDisableSpecialGuids+120075j
		movzx	esi, byte ptr [edi+914h]
		mov	byte ptr [ebp+arg_14], 0
		jmp	short loc_911665
; 

loc_91165A:				; CODE XREF: EtwpEnableDisableSpecialGuids+120070j
		movzx	esi, byte ptr [edi+914h]

loc_911661:				; CODE XREF: EtwpEnableDisableSpecialGuids+120079j
		mov	byte ptr [ebp+arg_14], 1

loc_911665:				; CODE XREF: EtwpEnableDisableSpecialGuids+120083j
					; EtwpEnableDisableSpecialGuids+120099j ...
		push	[ebp+arg_14]
		movzx	eax, word ptr [ebp+arg_0]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	_EtwpCheckLoggerAccessAndDoRundown@16 ;	EtwpCheckLoggerAccessAndDoRundown(x,x,x,x)
		jmp	loc_7F1635
; 

loc_91167B:				; CODE XREF: EtwpEnableDisableSpecialGuids+4Ej
		movzx	eax, ds:byte_A41114[eax*8]
		mov	ecx, edi
		mov	dl, byte ptr [ebp+arg_8+3]
		push	eax
		push	[ebp+var_8]
		push	[ebp+arg_0]
		call	_EtwpEnableDisableUMGL@20 ; EtwpEnableDisableUMGL(x,x,x,x,x)
		jmp	loc_7F1635
; END OF FUNCTION CHUNK	FOR EtwpEnableDisableSpecialGuids
; 
; START	OF FUNCTION CHUNK FOR EtwpValidateEnableNotification

loc_911699:				; CODE XREF: EtwpValidateEnableNotification+94j
		test	dword ptr [ebx+50h], 400h
		jnz	loc_7F178C
		jmp	loc_7F16FC
; 

loc_9116AB:				; CODE XREF: EtwpValidateEnableNotification+83j
					; EtwpValidateEnableNotification+A7j
		mov	esi, 0C0000296h
		jmp	loc_7F1746
; 

loc_9116B5:				; CODE XREF: EtwpValidateEnableNotification+4Aj
		mov	eax, [ebx+50h]
		test	al, 20h
		jnz	loc_7F178C
		test	eax, 400h
		jnz	loc_7F178C
		jmp	loc_7F1749
; END OF FUNCTION CHUNK	FOR EtwpValidateEnableNotification
; 
; START	OF FUNCTION CHUNK FOR EtwpFreeFilterInfo

loc_9116D0:				; CODE XREF: EtwpFreeFilterInfo+Ej
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7F17C2
; 

loc_9116DD:				; CODE XREF: EtwpFreeFilterInfo+24j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7F17D8
; 

loc_9116EA:				; CODE XREF: EtwpFreeFilterInfo+41j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
; END OF FUNCTION CHUNK	FOR EtwpFreeFilterInfo
; 
; START	OF FUNCTION CHUNK FOR EtwpUpdateRegEntryEnableMask

loc_9116F3:				; CODE XREF: EtwpUpdateRegEntryEnableMask+16j
		test	cl, cl
		setnz	bl
		lea	ebx, ds:35h[ebx*2]
		jmp	loc_7F1826
; 

loc_911704:				; CODE XREF: EtwpUpdateRegEntryEnableMask+57j
		cmp	byte ptr [ebp+arg_3], 0
		jz	loc_7F185B
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	_EtwpTrackDecodeGuidForSession@8 ; EtwpTrackDecodeGuidForSession(x,x)
		test	al, al
		jnz	loc_7F185B
		mov	eax, 0FFFFFBFFh
		lock and [edi],	ax
		jmp	loc_7F185B
; END OF FUNCTION CHUNK	FOR EtwpUpdateRegEntryEnableMask
; 
; START	OF FUNCTION CHUNK FOR EtwpCalculateUpdateNotification

loc_91172E:				; CODE XREF: EtwpCalculateUpdateNotification+35j
		mov	al, [ebx+36h]
		mov	dl, [ebx+34h]
		jmp	loc_7F18CF
; 

loc_911739:				; CODE XREF: EtwpCalculateUpdateNotification+2Cj
		cmp	[ebp+arg_C], cl
		jz	short loc_911743
		mov	al, [ebx+37h]
		jmp	short loc_911746
; 

loc_911743:				; CODE XREF: EtwpCalculateUpdateNotification+11FEAEj
		mov	al, [ebx+35h]

loc_911746:				; CODE XREF: EtwpCalculateUpdateNotification+11FEB3j
		mov	dl, cl
		jmp	loc_7F18CF
; 

loc_91174D:				; CODE XREF: EtwpCalculateUpdateNotification+152j
		cmp	[ebp+arg_10], 1
		jnz	loc_7F1905
		cmp	[ebp+arg_0], cl
		jnz	loc_7F191A
		jmp	loc_7F19C7
; 

loc_911765:				; CODE XREF: EtwpCalculateUpdateNotification+D1j
		add	eax, 88h
		mov	[ebp+var_7C], eax
		jmp	loc_7F1965
; 

loc_911772:				; CODE XREF: EtwpCalculateUpdateNotification+E9j
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		jmp	loc_7F197D
; END OF FUNCTION CHUNK	FOR EtwpCalculateUpdateNotification
; 
; START	OF FUNCTION CHUNK FOR EtwpSendDataBlock

loc_91177F:				; CODE XREF: EtwpSendDataBlock+AAj
		mov	ecx, [ebx+1Ch]
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	esi, eax
		mov	[ebp+var_C0], esi
		test	esi, esi
		jnz	short loc_91179D
		mov	eax, 0C0000225h
		jmp	loc_7F1A5F
; 

loc_91179D:				; CODE XREF: EtwpSendDataBlock+11FD97j
		lea	edx, [ebp+var_90]
		mov	ecx, esi
		call	MmAttachSession
		mov	[ebp+var_94], eax
		test	eax, eax
		jns	short loc_9117C0
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	loc_7F1BAA
; 

loc_9117C0:				; CODE XREF: EtwpSendDataBlock+11FDB8j
		mov	esi, [ebp+var_98]
		jmp	loc_7F1AAA
; 

loc_9117CB:				; CODE XREF: EtwpSendDataBlock+118j
		lea	eax, [esi+84h]

loc_9117D1:				; CODE XREF: EtwpSendDataBlock+11FDEBj
		mov	edi, [eax]
		test	edi, edi
		jns	short loc_9117F2
		cmp	edi, 80000000h
		jz	short loc_9117F2
		inc	edx
		add	eax, 10h
		cmp	edx, ecx
		jb	short loc_9117D1
		mov	eax, [ebp+var_AC]
		jmp	loc_7F1B1A
; 

loc_9117F2:				; CODE XREF: EtwpSendDataBlock+11FDDBj
					; EtwpSendDataBlock+11FDE3j
		shl	edx, 4
		mov	eax, esi
		xor	ecx, ecx
		mov	[ebp+var_6C], edi
		add	eax, [edx+esi+78h]
		mov	[ebp+var_78], eax
		mov	eax, [edx+esi+80h]
		adc	ecx, [edx+esi+7Ch]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_74], ecx
		jmp	loc_7F1B1A
; 

loc_91181C:				; CODE XREF: EtwpSendDataBlock+B3j
		mov	[ebp+var_94], 0C000000Dh
		jmp	loc_7F1B4F
; 

loc_91182B:				; CODE XREF: EtwpSendDataBlock+15Dj
		lea	edx, [ebp+var_90]
		mov	ecx, esi
		call	MmDetachSession
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	loc_7F1B5D
; 

loc_911844:				; CODE XREF: EtwpSendDataBlock+19Ej
					; EtwpSendDataBlock+1AAj
		cmp	dword_6B2A40, 5
		jbe	loc_7F1BAA
		push	2000h
		push	800h
		mov	ecx, offset dword_6B2A40
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_7F1BAA
		xor	ecx, ecx
		mov	[ebp+var_A8], 81000000h
		push	ecx
		push	2710h
		push	edi
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_A4], ecx
		push	esi
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], 8
		mov	[ebp+var_2C], ecx
		call	__alldiv
		mov	[ebp+var_A0], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_9C], edx
		mov	[ebp+var_28], eax
		mov	eax, [ebx+10h]
		add	eax, 14h
		mov	[ebp+var_24], ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	ecx
		push	ecx
		push	offset loc_424036
		push	offset dword_6B2A40
		mov	[ebp+var_20], 8
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], 10h
		mov	[ebp+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_7F1BAA
; END OF FUNCTION CHUNK	FOR EtwpSendDataBlock
; 
; START	OF FUNCTION CHUNK FOR EtwpQueueNotification

loc_9118F8:				; CODE XREF: EtwpQueueNotification+39j
					; EtwpQueueNotification+54j
		mov	esi, 0C0000017h
		jmp	loc_7F1D17
; 

loc_911902:				; CODE XREF: EtwpQueueNotification+144j
		push	3
		pop	edx
		mov	ecx, edi
		call	_EtwpReleaseQueueEntry@8 ; EtwpReleaseQueueEntry(x,x)
		jmp	loc_7F1D17
; 

loc_911911:				; CODE XREF: EtwpQueueNotification+D4j
		mov	eax, [ebx+4]
		jmp	loc_7F1CFA
; END OF FUNCTION CHUNK	FOR EtwpQueueNotification
; 
; START	OF FUNCTION CHUNK FOR EtwpAddDataSource

loc_911919:				; CODE XREF: EtwpAddDataSource+48j
		push	edi
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, esi
		jmp	loc_7F1E48
; END OF FUNCTION CHUNK	FOR EtwpAddDataSource
; 
; START	OF FUNCTION CHUNK FOR EtwpEnableGuid

loc_911927:				; CODE XREF: EtwpEnableGuid+1D8j
		mov	esi, 0C0000017h
		jmp	loc_7F2159
; 

loc_911931:				; CODE XREF: EtwpEnableGuid+37Cj
		mov	esi, 0C0000303h
		mov	ebx, edi
		jmp	loc_7F2159
; 

loc_91193D:				; CODE XREF: EtwpEnableGuid+210j
		mov	esi, 0C0000296h
		jmp	loc_7F2140
; 

loc_911947:				; CODE XREF: EtwpEnableGuid+25Ej
		and	ecx, 7FFFh
		mov	byte ptr [edx+6Bh], 1
		mov	[edx+68h], cx
		mov	eax, [esi+10h]
		mov	ecx, [esi+14h]
		jmp	loc_7F20BA
; 

loc_911960:				; CODE XREF: EtwpEnableGuid+2C3j
		mov	esi, 2000h
		lea	edx, [edi+258h]
		mov	eax, [edx]

loc_91196D:				; CODE XREF: EtwpEnableGuid+11FB23j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_91196D
		test	eax, esi
		jnz	loc_7F211B
		call	_EtwpReferenceStackLookasideList@0 ; EtwpReferenceStackLookasideList()
		jmp	loc_7F211B
; 

loc_911989:				; CODE XREF: EtwpEnableGuid+39Ej
		mov	esi, 0C0000017h
		jmp	loc_7F2434
; 

loc_911993:				; CODE XREF: EtwpEnableGuid+3BFj
		mov	edi, [esp+118h+var_F8]
		mov	esi, 0C0000017h
		jmp	loc_7F2429
; 

loc_9119A1:				; CODE XREF: EtwpEnableGuid+432j
		lea	esi, [eax-8]
		mov	[esp+118h+var_104], esi
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	ecx, [esi+10h]
		xor	edx, edx
		add	ecx, 16Ch
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		mov	eax, [esi+10h]
		mov	esi, [esp+118h+var_F8]
		mov	edi, [esp+118h+var_F4]
		mov	[esp+118h+var_FC], esi
		mov	esi, [esp+118h+var_104]
		mov	[eax+170h], ecx
		mov	eax, [esp+118h+var_DC]
		mov	[esp+118h+var_105], 1
		jmp	loc_7F2290
; 

loc_9119EB:				; CODE XREF: EtwpEnableGuid+499j
		cmp	[esp+118h+var_C8], 0
		jnz	short loc_9119FA
		mov	al, [esi+36h]
		jmp	loc_7F22FF
; 

loc_9119FA:				; CODE XREF: EtwpEnableGuid+11FB9Ej
		mov	al, [esi+37h]
		jmp	loc_7F22FF
; 

loc_911A02:				; CODE XREF: EtwpEnableGuid+4A4j
		mov	al, [esi+35h]
		jmp	loc_7F22FF
; 

loc_911A0A:				; CODE XREF: EtwpEnableGuid+4FBj
		test	eax, eax
		jnz	loc_7F23AA
		mov	eax, [esp+118h+var_E0]
		mov	[esp+118h+var_FC], eax
		mov	[esp+118h+var_F8], eax
		jmp	loc_7F23AA
; 

loc_911A23:				; CODE XREF: EtwpEnableGuid+7CCj
		mov	ecx, [esi+1Ch]
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	edi, eax
		mov	[esp+118h+var_104], edi
		test	edi, edi
		jz	short loc_911A52
		lea	edx, [esp+118h+var_58]
		mov	ecx, edi
		call	MmAttachSession
		test	eax, eax
		jns	loc_7F2624
		mov	ecx, edi
		call	ObfDereferenceObject

loc_911A52:				; CODE XREF: EtwpEnableGuid+11FBE1j
		mov	edi, [esp+118h+var_F4]
		jmp	loc_7F2391
; 

loc_911A5B:				; CODE XREF: EtwpEnableGuid+7ECj
		lea	edx, [esp+118h+var_58]
		mov	ecx, eax
		call	MmDetachSession
		mov	ecx, [esp+118h+var_104]
		call	ObfDereferenceObject
		jmp	loc_7F2391
; 

loc_911A77:				; CODE XREF: EtwpEnableGuid+481j
		lea	eax, [esp+118h+var_B0]
		push	eax
		mov	eax, [esp+11Ch+var_EE+2]
		movzx	esi, word ptr [eax+4Eh]
		mov	eax, 7FFFh
		and	si, ax
		mov	eax, [esp+11Ch+var_104]
		push	dword ptr [eax+28h]
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	edx, esi
		mov	ecx, eax
		call	_EtwpDemuxPrivateTraceHandle@12	; EtwpDemuxPrivateTraceHandle(x,x,x)
		test	eax, eax
		jnz	short loc_911B04
		mov	esi, [esp+118h+var_FC]
		mov	eax, [esp+118h+var_B0]
		cmp	ax, [esi+4Eh]
		jz	short loc_911AF7
		mov	edx, [esp+118h+var_BC]
		lea	eax, [esp+118h+var_F8]
		push	eax
		mov	eax, [esp+11Ch+var_A0]
		mov	ecx, [eax]
		call	_EtwpAllocDataBlock@12 ; EtwpAllocDataBlock(x,x,x)
		test	eax, eax
		js	loc_911BA2
		mov	ecx, [esp+118h+var_E0]
		call	_EtwpUnreferenceDataBlock@4 ; EtwpUnreferenceDataBlock(x)
		mov	esi, [esp+118h+var_F8]
		mov	ecx, [esp+118h+var_B0]
		mov	eax, ecx
		or	eax, 8000h
		mov	[esp+118h+var_FC], esi
		mov	[esp+118h+var_E0], esi
		mov	[esi+4Eh], ax
		mov	[esi+68h], cx

loc_911AF7:				; CODE XREF: EtwpEnableGuid+11FC5Fj
		mov	[esp+118h+var_CC], esi
		mov	esi, [esp+118h+var_104]
		jmp	loc_7F2391
; 

loc_911B04:				; CODE XREF: EtwpEnableGuid+11FC51j
		mov	esi, [esp+118h+var_104]
		jmp	loc_7F23AA
; 

loc_911B0D:				; CODE XREF: EtwpEnableGuid+55Dj
		mov	eax, [esi+10h]
		xor	edx, edx
		and	dword ptr [eax+170h], 0
		mov	ecx, [esi+10h]
		add	ecx, 16Ch
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	[esp+118h+var_105], 0
		jmp	loc_7F23B5
; 

loc_911B36:				; CODE XREF: EtwpEnableGuid+577j
		and	dword ptr [ecx+170h], 0
		xor	edx, edx
		add	ecx, 16Ch
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_7F23CF
; 

loc_911B54:				; CODE XREF: EtwpEnableGuid+583j
		mov	byte ptr [esp+118h+var_E8], 1
		mov	[esp+118h+var_E4], esi
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	ecx, [esi+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	edi, [esp+118h+var_F4]
		mov	[esi+170h], eax
		mov	eax, [esi+8]
		add	eax, 0FFFFFFF8h
		mov	ecx, eax
		sub	ecx, ebx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [esp+118h+var_F8]
		mov	[esp+118h+var_D8], ecx
		mov	ecx, esi
		mov	[esp+118h+var_FC], eax
		jmp	loc_7F226A
; 

loc_911BA2:				; CODE XREF: EtwpEnableGuid+11FC77j
		cmp	[esp+118h+var_105], 0
		mov	edi, [esp+118h+var_E0]
		jz	short loc_911BD0
		mov	ecx, [esp+118h+var_104]
		xor	edx, edx
		mov	eax, [ecx+10h]
		and	dword ptr [eax+170h], 0
		mov	ecx, [ecx+10h]
		add	ecx, 16Ch
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_911BD0:				; CODE XREF: EtwpEnableGuid+11FD59j
		mov	esi, 0C0000017h
		jmp	loc_7F2429
; 

loc_911BDA:				; CODE XREF: EtwpEnableGuid+5CDj
		cmp	[esp+118h+var_100], 1
		jnz	short loc_911C11
		mov	ecx, [esp+118h+var_C0]
		movzx	eax, byte ptr [ecx+4]
		push	eax
		push	dword ptr [ecx+8]
		lea	eax, [edi+5Ch]
		push	dword ptr [ecx+1Ch]
		push	dword ptr [ecx+18h]
		push	dword ptr [ecx+14h]
		push	dword ptr [ecx+10h]
		push	[esp+130h+var_B8]
		push	eax
		push	ecx
		push	ecx
		mov	ecx, [esp+140h+var_D4]
		call	_EtwpEventWriteProviderEnabled@48 ; EtwpEventWriteProviderEnabled(x,x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_7F2425
; 

loc_911C11:				; CODE XREF: EtwpEnableGuid+11FD8Dj
		push	[esp+118h+var_B8]
		lea	eax, [edi+5Ch]
		push	eax
		push	2
		push	ecx
		push	ecx
		mov	ecx, [esp+12Ch+var_D4]
		call	_EtwpEventWriteTemplateSessAndProv@28 ;	EtwpEventWriteTemplateSessAndProv(x,x,x,x,x,x,x)
		jmp	loc_7F2425
; 

loc_911C2B:				; CODE XREF: EtwpEnableGuid+15Aj
					; EtwpEnableGuid+166j
		mov	esi, 0C0000022h
		jmp	loc_7F2425
; END OF FUNCTION CHUNK	FOR EtwpEnableGuid
; 
; START	OF FUNCTION CHUNK FOR EtwpIsRegEntryAllowed

loc_911C35:				; CODE XREF: EtwpIsRegEntryAllowed+39j
		mov	ecx, [esi+28h]
		call	_EtwpCheckCurrentUserProcessAccess@4 ; EtwpCheckCurrentUserProcessAccess(x)
		jmp	loc_7F269A
; 

loc_911C42:				; CODE XREF: EtwpIsRegEntryAllowed+42j
		mov	edx, [esi+10h]
		mov	ecx, [ebp+var_4]
		add	edx, 14h
		call	EtwpIsGuidAllowed
		test	al, al
		jz	loc_7F26A7
		jmp	loc_7F268C
; END OF FUNCTION CHUNK	FOR EtwpIsRegEntryAllowed
; 
; START	OF FUNCTION CHUNK FOR EtwpRealtimeCreateLogfile

loc_911C5D:				; CODE XREF: EtwpRealtimeCreateLogfile+71j
		mov	eax, 0C0000017h
		jmp	loc_7F2799
; 

loc_911C67:				; CODE XREF: EtwpRealtimeCreateLogfile+8Dj
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C000000Dh
		jmp	loc_7F2799
; 

loc_911C7A:				; CODE XREF: EtwpRealtimeCreateLogfile+F0j
		mov	edi, 0C0000017h
		jmp	loc_7F2917
; 

loc_911C84:				; CODE XREF: EtwpRealtimeCreateLogfile+187j
					; EtwpRealtimeCreateLogfile+197j
		mov	ecx, esi
		call	EtwpRealtimeZeroTruncateLogfile
		mov	ecx, esi
		call	_EtwpRealtimeResetReferenceTime@4 ; EtwpRealtimeResetReferenceTime(x)
		mov	eax, [esi+148h]
		mov	ecx, esi
		add	[esi+0BCh], eax
		push	0C0000102h
		push	4
		pop	edx
		mov	dword ptr [esi+160h], 3
		mov	[esi+148h], ebx
		mov	[esi+138h], ebx
		mov	[esi+13Ch], ebx
		call	_EtwpSendSessionNotification@12	; EtwpSendSessionNotification(x,x,x)
		mov	edi, ebx
		jmp	loc_7F2917
; END OF FUNCTION CHUNK	FOR EtwpRealtimeCreateLogfile
; 
; START	OF FUNCTION CHUNK FOR EtwpUpdateEnableMask

loc_911CD0:				; CODE XREF: EtwpUpdateEnableMask+32j
		test	dword ptr [esi], 400h
		jz	loc_7F2E38
		jmp	loc_7F2E52
; END OF FUNCTION CHUNK	FOR EtwpUpdateEnableMask
; 
; START	OF FUNCTION CHUNK FOR EtwpReferenceLoggerSecurityDescriptor

loc_911CE1:				; CODE XREF: EtwpReferenceLoggerSecurityDescriptor+36j
		mov	ecx, edx
		lea	eax, [ebx-0Ch]
		lock xadd [eax], ecx
		test	ecx, ecx
		jg	short loc_911CF3
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_911CF3:				; CODE XREF: EtwpReferenceLoggerSecurityDescriptor+11ED1Aj
		mov	ecx, [esi]
		mov	eax, ecx
		jmp	short loc_911D18
; 

loc_911CF9:				; CODE XREF: EtwpReferenceLoggerSecurityDescriptor+11ED4Cj
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	ebx, eax
		jnz	short loc_911D20
		lea	edx, [ecx+7]
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	eax, ecx
		jz	loc_7F300E
		push	7
		mov	ecx, eax
		pop	edx

loc_911D18:				; CODE XREF: EtwpReferenceLoggerSecurityDescriptor+11ED25j
		and	eax, edx
		add	eax, edx
		cmp	eax, edx
		jbe	short loc_911CF9

loc_911D20:				; CODE XREF: EtwpReferenceLoggerSecurityDescriptor+11ED2Ej
		push	edx
		push	ebx
		call	ObDereferenceSecurityDescriptor
		jmp	loc_7F300E
; 

loc_911D2C:				; CODE XREF: EtwpReferenceLoggerSecurityDescriptor+2Bj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _EtwpSecurityLock
		call	ExAcquirePushLockSharedEx
		mov	ebx, [esi]
		and	ebx, 0FFFFFFF8h
		lea	eax, [ebx-0Ch]
		lock xadd [eax], edi
		test	edi, edi
		jg	short loc_911D5B
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_911D5B:				; CODE XREF: EtwpReferenceLoggerSecurityDescriptor+11ED82j
		push	11h
		xor	edx, edx
		mov	esi, offset _EtwpSecurityLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_911D75
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_911D75:				; CODE XREF: EtwpReferenceLoggerSecurityDescriptor+11ED9Aj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_7F300E
; END OF FUNCTION CHUNK	FOR EtwpReferenceLoggerSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR EtwpFlushBuffer

loc_911D86:				; CODE XREF: EtwpFlushBuffer+8Fj
		push	edi
		push	4
		pop	edx
		mov	ecx, ebx
		call	_EtwpSendSessionNotification@12	; EtwpSendSessionNotification(x,x,x)
		jmp	loc_7F3486
; 

loc_911D96:				; CODE XREF: EtwpFlushBuffer+59j
		push	esi
		push	3
		pop	edx
		mov	ecx, ebx
		call	_EtwpSendSessionNotification@12	; EtwpSendSessionNotification(x,x,x)
		jmp	loc_7F34A3
; 

loc_911DA6:				; CODE XREF: EtwpFlushBuffer+6Dj
		cmp	esi, 0C0000001h
		jz	short loc_911DB5
		mov	eax, esi
		jmp	loc_7F34B9
; 

loc_911DB5:				; CODE XREF: EtwpFlushBuffer+11E968j
		mov	eax, edi
		jmp	loc_7F34B9
; END OF FUNCTION CHUNK	FOR EtwpFlushBuffer
; 
; START	OF FUNCTION CHUNK FOR EtwpWaitForBufferReferenceCount

loc_911DBC:				; CODE XREF: EtwpWaitForBufferReferenceCount+Bj
		push	offset _EtwpShortTime
		push	edi
		push	edi
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_7F34E6
; END OF FUNCTION CHUNK	FOR EtwpWaitForBufferReferenceCount
; 
; START	OF FUNCTION CHUNK FOR EtwpFlushBufferToLogfile

loc_911DCD:				; CODE XREF: EtwpFlushBufferToLogfile+E8j
		mov	eax, [edi+4]
		and	dword ptr [edi+94h], 0
		mov	[edi+90h], eax
		mov	dword ptr [edi+80h], 1
		jmp	loc_7F35FC
; 

loc_911DEC:				; CODE XREF: EtwpFlushBufferToLogfile+F0j
		lea	eax, [edi+258h]
		mov	ecx, 100h
		mov	ebx, 0C0000188h
		test	[eax], ecx
		jnz	short loc_911E34
		lock or	[eax], ecx
		push	offset _ETW_EVENT_MAX_FILE_SIZE_REACHED
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_911E34
		push	[ebp+var_8]
		lea	eax, [edi+64h]
		push	esi
		push	dword ptr [edi+0Ch]
		push	ecx
		push	eax
		lea	eax, [edi+5Ch]
		push	eax
		push	ecx
		push	ecx
		call	_EtwpEventWriteTemplateMaxFileSize@40 ;	EtwpEventWriteTemplateMaxFileSize(x,x,x,x,x,x,x,x,x,x)

loc_911E34:				; CODE XREF: EtwpFlushBufferToLogfile+CAj
					; EtwpFlushBufferToLogfile+11E852j ...
		lock inc dword ptr [edi+0B4h]
		lea	eax, [ebx+3FFFFF66h]
		neg	eax
		sbb	eax, eax
		and	ebx, eax
		jmp	loc_7F3688
; 

loc_911E4C:				; CODE XREF: EtwpFlushBufferToLogfile+78j
		mov	esi, offset _ETW_EVENT_WRITE_FAILED
		push	esi
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_7F3674
		push	dword ptr [edi+0Ch]
		lea	eax, [edi+64h]
		push	ebx
		push	eax
		lea	eax, [edi+5Ch]
		push	eax
		push	ecx
		push	ecx
		mov	ecx, esi
		call	_EtwpEventWriteTemplateAdmin@32	; EtwpEventWriteTemplateAdmin(x,x,x,x,x,x,x,x)
		jmp	loc_7F3674
; END OF FUNCTION CHUNK	FOR EtwpFlushBufferToLogfile
; 
; START	OF FUNCTION CHUNK FOR EtwpFlushBufferToRealtime

loc_911E85:				; CODE XREF: EtwpFlushBufferToRealtime+2Fj
					; EtwpFlushBufferToRealtime+3Fj
		cmp	[esi+108h], ebx
		jz	short loc_911E99
		cmp	[esi+148h], ebx
		jz	loc_7F3705

loc_911E99:				; CODE XREF: EtwpFlushBufferToRealtime+11E7BBj
		mov	eax, ebx
		jmp	loc_7F3705
; END OF FUNCTION CHUNK	FOR EtwpFlushBufferToRealtime
; 
; START	OF FUNCTION CHUNK FOR EtwpRealtimeDeliverBuffer

loc_911EA0:				; CODE XREF: EtwpRealtimeDeliverBuffer+22j
		cmp	ecx, 3
		jnz	short loc_911EAA
		push	8
		pop	eax
		jmp	short loc_911EB9
; 

loc_911EAA:				; CODE XREF: EtwpRealtimeDeliverBuffer+11E783j
		xor	eax, eax
		cmp	ecx, 2
		setz	al
		lea	eax, ds:2[eax*2]

loc_911EB9:				; CODE XREF: EtwpRealtimeDeliverBuffer+11E788j
		or	[edx+34h], ax
		mov	[ebp+var_2], 1
		jmp	loc_7F3748
; 

loc_911EC6:				; CODE XREF: EtwpRealtimeDeliverBuffer+4Cj
		or	eax, 4
		mov	[edx+34h], ax
		jmp	loc_7F3772
; 

loc_911ED2:				; CODE XREF: EtwpRealtimeDeliverBuffer+7Aj
		and	cl, 0FDh
		mov	[ebx+32h], cl
		movzx	eax, word ptr [edx+34h]
		jmp	loc_7F37A0
; 

loc_911EE1:				; CODE XREF: EtwpRealtimeDeliverBuffer+68j
		cmp	eax, 0C000003Ch
		jnz	loc_7F37EB
		mov	[ebx+10h], esi
		mov	esi, ebx
		jmp	loc_7F37B6
; 

loc_911EF6:				; CODE XREF: EtwpRealtimeDeliverBuffer+BEj
		or	byte ptr [esi+32h], 2
		inc	dword ptr [esi+28h]
		mov	esi, [esi+10h]
		jmp	loc_7F37DC
; END OF FUNCTION CHUNK	FOR EtwpRealtimeDeliverBuffer
; 
; START	OF FUNCTION CHUNK FOR EtwpRealtimeInjectEtwBuffer

loc_911F05:				; CODE XREF: EtwpRealtimeInjectEtwBuffer+88j
		mov	[ebp+var_3C], 0C000003Ch
		jmp	short loc_911F2A
; END OF FUNCTION CHUNK	FOR EtwpRealtimeInjectEtwBuffer

;  S U B	R O U T	I N E 


sub_911F0E	proc near		; DATA XREF: .text:006A50F4o
		mov	esp, [ebp-18h]
		push	dword ptr [ebp-38h]
		mov	edx, [ebp-48h]
		mov	edx, [edx+30h]
		mov	esi, [ebp-44h]
		mov	ecx, esi
		call	_EtwpFreeUserBufferSpace@12 ; EtwpFreeUserBufferSpace(x,x,x)
		mov	eax, [ebp-4Ch]
		mov	[ebp-3Ch], eax
sub_911F0E	endp

; START	OF FUNCTION CHUNK FOR EtwpRealtimeInjectEtwBuffer

loc_911F2A:				; CODE XREF: EtwpRealtimeInjectEtwBuffer+11E702j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7F390E
; END OF FUNCTION CHUNK	FOR EtwpRealtimeInjectEtwBuffer

;  S U B	R O U T	I N E 


sub_911F36	proc near		; DATA XREF: .text:006A50F0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_911F36	endp

; 

loc_911F44:				; DATA XREF: .text:006A50E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_911F52:				; DATA XREF: .text:006A50E8o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-50h]
		mov	[ebp-3Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-44h]
		jmp	loc_7F390E
; 
; START	OF FUNCTION CHUNK FOR EtwpFindUserBufferSpace

loc_911F6A:				; CODE XREF: EtwpFindUserBufferSpace+9Ej
		cmp	esi, 0C000009Ah
		jz	short loc_911F7E
		cmp	esi, 0C000012Dh
		jnz	loc_7F39CC

loc_911F7E:				; CODE XREF: EtwpFindUserBufferSpace+11E610j
		mov	esi, 0C000003Ch
		jmp	loc_7F39CC
; END OF FUNCTION CHUNK	FOR EtwpFindUserBufferSpace

;  S U B	R O U T	I N E 


sub_911F88	proc near		; DATA XREF: .text:006A510Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_911F88	endp


;  S U B	R O U T	I N E 


sub_911F96	proc near		; DATA XREF: .text:006A5110o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_7F39CC
sub_911F96	endp

; 
; START	OF FUNCTION CHUNK FOR PfSnPrefetchMetadata

loc_911FA8:				; CODE XREF: PfSnPrefetchMetadata+37j
		mov	esi, 0C000000Dh
		jmp	loc_7F3BB8
; END OF FUNCTION CHUNK	FOR PfSnPrefetchMetadata
; 
; START	OF FUNCTION CHUNK FOR PfpFileBuildReadSupport

loc_911FB2:				; CODE XREF: PfpFileBuildReadSupport+89j
		test	byte ptr [eax+10h], 4
		jz	loc_7F3DED
		mov	esi, eax
		lea	edi, [ebp+var_40]
		jmp	short loc_911FC9
; 

loc_911FC3:				; CODE XREF: PfpFileBuildReadSupport+F1j
		mov	edi, [ebp+var_20]
		lea	esi, [ebp+var_40]

loc_911FC9:				; CODE XREF: PfpFileBuildReadSupport+11E263j
		push	5
		pop	ecx
		rep movsd
		or	[ebp+var_30], 10h
		xor	ecx, ecx
		mov	edi, [ebp+var_8]
		jmp	loc_7F3E55
; 

loc_911FDC:				; CODE XREF: PfpFileBuildReadSupport+100j
		mov	eax, [ebp+var_3C]
		mov	eax, [eax+14h]
		cmp	[eax+8], ecx
		jz	loc_7F3E64
		mov	esi, 0C0000021h
		jmp	loc_7F3EF3
; 

loc_911FF5:				; CODE XREF: PfpFileBuildReadSupport+13Cj
		cmp	byte ptr [ebp+arg_4], 0
		jz	loc_7F3F20
		cmp	esi, 0C0000433h
		jnz	loc_7F3F20
		jmp	loc_7F3EF3
; 

loc_912010:				; CODE XREF: PfpFileBuildReadSupport+156j
		mov	eax, [ebp+var_10]
		mov	[ebp+var_14], eax
		jmp	loc_7F3EF3
; 

loc_91201B:				; CODE XREF: PfpFileBuildReadSupport+1A2j
		push	[ebp+var_C]
		call	NtClose
		jmp	loc_7F3F06
; 

loc_912028:				; CODE XREF: PfpFileBuildReadSupport+1B3j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7F3F17
; END OF FUNCTION CHUNK	FOR PfpFileBuildReadSupport
; 
; START	OF FUNCTION CHUNK FOR NtNotifyChangeMultipleKeys

loc_912035:				; CODE XREF: NtNotifyChangeMultipleKeys+86j
		mov	eax, 0C0000189h
		jmp	loc_7F4270
; 

loc_91203F:				; CODE XREF: NtNotifyChangeMultipleKeys+92j
					; NtNotifyChangeMultipleKeys+D0j ...
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		mov	eax, 0C000000Dh
		jmp	loc_7F4270
; END OF FUNCTION CHUNK	FOR NtNotifyChangeMultipleKeys

;  S U B	R O U T	I N E 


sub_91204E	proc near		; DATA XREF: .text:006A512Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-118h], eax
		xor	eax, eax
		inc	eax
		retn
sub_91204E	endp


;  S U B	R O U T	I N E 


sub_91205F	proc near		; DATA XREF: .text:006A5130o
		mov	esp, [ebp-18h]
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-118h]
		jmp	loc_7F4270
sub_91205F	endp

; 
; START	OF FUNCTION CHUNK FOR NtNotifyChangeMultipleKeys

loc_912079:				; CODE XREF: NtNotifyChangeMultipleKeys+FFj
		mov	esi, 0C000000Dh

loc_91207E:				; CODE XREF: NtNotifyChangeMultipleKeys+12Ej
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		mov	eax, esi
		jmp	loc_7F4270
; 

loc_91208A:				; CODE XREF: NtNotifyChangeMultipleKeys+47Bj
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	edi, 0C000000Dh
		jmp	loc_7F4255
; 

loc_91209B:				; CODE XREF: NtNotifyChangeMultipleKeys+169j
		cmp	edi, 1
		jnz	short loc_9120B7
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	short loc_9120B7
; 

loc_9120A9:				; CODE XREF: NtNotifyChangeMultipleKeys+4AAj
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	ecx, esi
		call	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)

loc_9120B7:				; CODE XREF: NtNotifyChangeMultipleKeys+11E12Cj
					; NtNotifyChangeMultipleKeys+11E135j
		mov	edi, 0C000009Ah
		jmp	loc_7F4255
; 

loc_9120C1:				; CODE XREF: NtNotifyChangeMultipleKeys+1C5j
		cmp	[ebp+arg_4], 1
		jnz	short loc_9120D6
		mov	ecx, [ebp+var_E8]
		jmp	short loc_9120D1
; 

loc_9120CF:				; CODE XREF: NtNotifyChangeMultipleKeys+11E485j
		mov	ecx, ebx

loc_9120D1:				; CODE XREF: NtNotifyChangeMultipleKeys+11E15Bj
		call	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)

loc_9120D6:				; CODE XREF: NtNotifyChangeMultipleKeys+11E153j
					; NtNotifyChangeMultipleKeys+11E47Fj
		mov	ecx, esi
		jmp	short loc_9120E0
; 

loc_9120DA:				; CODE XREF: NtNotifyChangeMultipleKeys+11E207j
		mov	ecx, [ebp+var_E8]

loc_9120E0:				; CODE XREF: NtNotifyChangeMultipleKeys+11E166j
		call	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)
		jmp	loc_7F4255
; 

loc_9120EA:				; CODE XREF: NtNotifyChangeMultipleKeys+181j
		mov	edi, [ebp+var_E0]
		jmp	loc_7F4166
; 

loc_9120F5:				; CODE XREF: NtNotifyChangeMultipleKeys+26Bj
		mov	ecx, offset _CmpPostLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	eax, [ebp+var_EC]
		cmp	eax, 1
		jz	short loc_91211A
		cmp	eax, 2
		jnz	short loc_912121
		mov	ecx, [ebp+var_F8]
		call	_CmUnlockHive@4	; CmUnlockHive(x)

loc_91211A:				; CODE XREF: NtNotifyChangeMultipleKeys+11E196j
		mov	ecx, [ebx]
		mov	ecx, [ecx+10h]
		jmp	short loc_912136
; 

loc_912121:				; CODE XREF: NtNotifyChangeMultipleKeys+11E19Bj
		cmp	eax, 3
		jnz	short loc_91213B
		mov	ecx, [ebx]
		mov	ecx, [ecx+10h]
		call	_CmUnlockHive@4	; CmUnlockHive(x)
		mov	ecx, [ebp+var_F8]

loc_912136:				; CODE XREF: NtNotifyChangeMultipleKeys+11E1ADj
		call	_CmUnlockHive@4	; CmUnlockHive(x)

loc_91213B:				; CODE XREF: NtNotifyChangeMultipleKeys+11E1B2j
		mov	esi, [ebp+arg_4]
		cmp	esi, 1
		jnz	short loc_912155
		mov	ecx, [ebp+var_E0]
		mov	edx, [ecx+8]
		mov	ecx, [ebx]
		call	CmpUnlockTwoKcbs
		jmp	short loc_91215C
; 

loc_912155:				; CODE XREF: NtNotifyChangeMultipleKeys+11E1CFj
		mov	ecx, [ebx]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)

loc_91215C:				; CODE XREF: NtNotifyChangeMultipleKeys+11E1E1j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, [ebp+var_FC]
		test	ecx, ecx
		jz	short loc_912170
		call	ObfDereferenceObject

loc_912170:				; CODE XREF: NtNotifyChangeMultipleKeys+11E1F7j
		cmp	esi, 1
		jnz	loc_7F4255
		jmp	loc_9120DA
; 

loc_91217E:				; CODE XREF: NtNotifyChangeMultipleKeys+52Aj
		mov	ecx, [ebp+var_E8]
		call	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)
		mov	[ebp+var_D9], 0
		jmp	loc_7F41F9
; 

loc_912195:				; CODE XREF: NtNotifyChangeMultipleKeys+560j
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	loc_9123FC
		cmp	[eax], esi
		jnz	loc_9123FC
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_D9], al
		lea	edx, [esi+8]
		mov	eax, [edx]
		mov	ecx, [edx+4]
		cmp	[eax+4], edx
		jnz	loc_9123FC
		cmp	[ecx], edx
		jnz	loc_9123FC
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	cl, [ebp+var_D9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, [ebp+var_DA]
		mov	[ebp+var_D9], al
		jmp	loc_7F41F9
; 

loc_9121F9:				; CODE XREF: NtNotifyChangeMultipleKeys+2DDj
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		xor	eax, eax
		mov	[ebp+var_E1], al
		push	eax
		push	1
		push	[ebp+var_108]
		push	eax
		push	dword ptr [esi+20h]
		call	KeWaitForSingleObject
		mov	edi, eax
		cmp	edi, 101h
		jz	loc_912349
		cmp	edi, 0C0h
		jz	loc_912349
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edi, offset _CmpPostLock
		mov	ecx, edi
		call	ExAcquireFastMutexUnsafe
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_DA], al
		mov	ebx, [ebp+var_E8]
		cmp	[ebp+var_D9], 0
		jz	short loc_91229D
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	short loc_91227F
		mov	edx, [ebx+4]
		cmp	[ecx+4], ebx
		jnz	loc_9123FC
		cmp	[edx], ebx
		jnz	loc_9123FC
		mov	[edx], ecx
		mov	[ecx+4], edx

loc_91227F:				; CODE XREF: NtNotifyChangeMultipleKeys+11E2F2j
		lea	eax, [ebx+8]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_9123FC
		cmp	[ecx], eax
		jnz	loc_9123FC
		mov	[ecx], edx
		mov	[edx+4], ecx

loc_91229D:				; CODE XREF: NtNotifyChangeMultipleKeys+11E2ECj
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_9122BC
		mov	ecx, [esi+4]
		cmp	[eax+4], esi
		jnz	loc_9123FC
		cmp	[ecx], esi
		jnz	loc_9123FC
		mov	[ecx], eax
		mov	[eax+4], ecx

loc_9122BC:				; CODE XREF: NtNotifyChangeMultipleKeys+11E32Fj
		lea	eax, [esi+8]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_9123FC
		cmp	[ecx], eax
		jnz	loc_9123FC
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	cl, [ebp+var_DA]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	eax, [esi+20h]
		mov	edi, [eax+10h]
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_10C]
		mov	[eax], edi
		and	dword ptr [eax+4], 0
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_9123EA
; END OF FUNCTION CHUNK	FOR NtNotifyChangeMultipleKeys

;  S U B	R O U T	I N E 


sub_912317	proc near		; DATA XREF: .text:006A5138o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-11Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_912317	endp


;  S U B	R O U T	I N E 


sub_912328	proc near		; DATA XREF: .text:006A513Co
		mov	esp, [ebp-18h]
		mov	edi, [ebp-11Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-110h]
		mov	ebx, [ebp-0E8h]
		jmp	loc_9123EA
sub_912328	endp

; 
; START	OF FUNCTION CHUNK FOR NtNotifyChangeMultipleKeys

loc_912349:				; CODE XREF: NtNotifyChangeMultipleKeys+11E2AEj
					; NtNotifyChangeMultipleKeys+11E2BAj
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, offset _CmpPostLock
		call	ExAcquireFastMutexUnsafe
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_DA], al
		mov	ebx, [ebp+var_E8]
		cmp	[ebp+var_D9], 0
		jz	short loc_9123A2
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	short loc_91238C
		mov	edx, [ebx+4]
		cmp	[ecx+4], ebx
		jnz	short loc_9123FC
		cmp	[edx], ebx
		jnz	short loc_9123FC
		mov	[edx], ecx
		mov	[ecx+4], edx

loc_91238C:				; CODE XREF: NtNotifyChangeMultipleKeys+11E407j
		lea	eax, [ebx+8]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_9123FC
		cmp	[ecx], eax
		jnz	short loc_9123FC
		mov	[ecx], edx
		mov	[edx+4], ecx

loc_9123A2:				; CODE XREF: NtNotifyChangeMultipleKeys+11E401j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_9123B9
		mov	ecx, [esi+4]
		cmp	[eax+4], esi
		jnz	short loc_9123FC
		cmp	[ecx], esi
		jnz	short loc_9123FC
		mov	[ecx], eax
		mov	[eax+4], ecx

loc_9123B9:				; CODE XREF: NtNotifyChangeMultipleKeys+11E434j
		lea	eax, [esi+8]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_9123FC
		cmp	[ecx], eax
		jnz	short loc_9123FC
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	cl, [ebp+var_DA]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, offset _CmpPostLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_9123EA:				; CODE XREF: NtNotifyChangeMultipleKeys+11E3A0j
					; sub_912328+1Cj
		cmp	[ebp+var_D9], 0
		jz	loc_9120D6
		jmp	loc_9120CF
; 

loc_9123FC:				; CODE XREF: NtNotifyChangeMultipleKeys+11E22Bj
					; NtNotifyChangeMultipleKeys+11E233j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_912401:				; CODE XREF: NtNotifyChangeMultipleKeys+2D0j
		mov	ecx, esi
		call	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)
		mov	ecx, [ebp+var_FC]
		test	ecx, ecx
		jz	loc_7F4255
		call	ObfDereferenceObject
		jmp	loc_7F4255
; 

loc_912420:				; CODE XREF: NtNotifyChangeMultipleKeys+222j
					; NtNotifyChangeMultipleKeys+4C7j
		mov	ecx, [ebx]
		cmp	[ebp+arg_4], 1
		jnz	short loc_912432
		mov	edx, [edi+8]
		call	CmpUnlockTwoKcbs
		jmp	short loc_912437
; 

loc_912432:				; CODE XREF: NtNotifyChangeMultipleKeys+11E4B4j
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)

loc_912437:				; CODE XREF: NtNotifyChangeMultipleKeys+11E4BEj
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, [ebp+var_FC]
		test	ecx, ecx
		jz	short loc_91244B
		call	ObfDereferenceObject

loc_91244B:				; CODE XREF: NtNotifyChangeMultipleKeys+11E4D2j
		cmp	[ebp+arg_4], 1
		jnz	short loc_91245C
		mov	ecx, [ebp+var_E8]
		call	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)

loc_91245C:				; CODE XREF: NtNotifyChangeMultipleKeys+11E4DDj
		mov	ecx, esi
		call	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)
		mov	edi, 0C000017Ch
		jmp	loc_7F4255
; END OF FUNCTION CHUNK	FOR NtNotifyChangeMultipleKeys
; 
; START	OF FUNCTION CHUNK FOR CmpNotifyChangeKey

loc_91246D:				; CODE XREF: CmpNotifyChangeKey+2Bj
		mov	ecx, edi
		call	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)
		mov	eax, 0C000017Ch
		jmp	loc_7F46F5
; 

loc_91247E:				; CODE XREF: CmpNotifyChangeKey+5Aj
		mov	ecx, edi
		call	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)
		mov	eax, 0C000009Ah
		jmp	loc_7F46F5
; 

loc_91248F:				; CODE XREF: CmpNotifyChangeKey+174j
		mov	eax, [ebp+var_20]
		mov	edx, 1
		mov	ecx, [edi+1Ch]
		mov	[ebp+var_28], cl
		shr	ecx, 10h
		mov	eax, [eax+8]
		and	cl, 1
		mov	[ebp+var_2C], eax
		mov	al, [ebp+arg_4]
		push	offset loc_501902
		mov	[ebp+var_27], al
		lea	eax, [ebp+var_30]
		push	930h
		mov	[ebp+var_26], cl
		lea	ecx, [ebp+var_1C]
		push	42000000h
		mov	[ebp+var_25], 0
		mov	[ebp+var_30], edi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], 0
		mov	[ebp+var_14], 0Bh
		mov	[ebp+var_10], 0
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		jmp	loc_7F46EA
; END OF FUNCTION CHUNK	FOR CmpNotifyChangeKey
; 
; START	OF FUNCTION CHUNK FOR CmpAllocatePostBlock

loc_9124F0:				; CODE XREF: CmpAllocatePostBlock+59j
		push	0
		push	1
		push	ecx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		jmp	loc_7F4841
; END OF FUNCTION CHUNK	FOR CmpAllocatePostBlock
; 
; START	OF FUNCTION CHUNK FOR PfSnPopulateReadList

loc_9124FF:				; CODE XREF: PfSnPopulateReadList+388j
		mov	eax, [esp+0A0h+var_58]
		mov	dword ptr [ecx+eax], 0FFFFFFFFh
		jmp	loc_7F4CFC
; 

loc_91250F:				; CODE XREF: PfSnPopulateReadList+1EFj
					; PfSnPopulateReadList+44Bj
		mov	edx, [esp+0A0h+var_8C]
		jmp	loc_7F4CE1
; 

loc_912518:				; CODE XREF: PfSnPopulateReadList+217j
		mov	ebx, [esp+0A0h+var_70]
		mov	eax, 0C000009Ah
		mov	edi, [esp+0A0h+var_6C]
		mov	esi, [esp+0A0h+var_88]
		jmp	short loc_91252D
; 

loc_91252B:				; CODE XREF: PfSnPopulateReadList+CAj
		xor	edx, edx

loc_91252D:				; CODE XREF: PfSnPopulateReadList+11DBF9j
		mov	[edi+1Ch], eax
		jmp	loc_7F4D1B
; 

loc_912535:				; CODE XREF: PfSnPopulateReadList+3F0j
		shl	ebx, 5
		mov	edx, esi
		add	ebx, [esi+1Ch]
		push	1
		mov	ecx, ebx
		call	PfSnCleanupPrefetchSectionInfo
		mov	edx, [esp+0A0h+var_8C]
		jmp	loc_7F4D26
; 

loc_91254F:				; CODE XREF: PfSnPopulateReadList+3FEj
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7F4A6D
; END OF FUNCTION CHUNK	FOR PfSnPopulateReadList
; 
; START	OF FUNCTION CHUNK FOR PfSnGetSectionObject

loc_91255C:				; CODE XREF: PfSnGetSectionObject+8Bj
		mov	esi, 0C000000Dh
		jmp	loc_7F50BD
; 

loc_912566:				; CODE XREF: PfSnGetSectionObject+A7j
		and	[ebp+var_18], 0
		xor	ecx, ecx
		or	ecx, [edx+18h]
		and	[ebp+var_14], 0
		mov	[ebp+var_1C], eax
		mov	eax, [edx+1Ch]
		mov	[ebp+var_10], ecx
		or	ecx, eax
		mov	[ebp+var_20], 3
		mov	[ebp+var_C], eax
		jz	loc_7F4EFF
		push	[ebp+var_2C]
		mov	edx, [esi+10h]
		lea	eax, [ebp+var_20]
		push	1
		push	0
		push	eax
		mov	ecx, edi
		call	PfSnPrefetchFileMetadata
		jmp	loc_7F4EFF
; 

loc_9125A8:				; CODE XREF: PfSnGetSectionObject+294j
		mov	esi, [ebp+arg_8]
		xor	edx, edx
		mov	edi, [ebp+var_28]
		mov	ecx, edi
		push	esi
		jmp	loc_7F50EE
; 

loc_9125B8:				; CODE XREF: PfSnGetSectionObject+184j
		mov	esi, [ebp+arg_8]
		xor	edx, edx
		mov	edi, [ebp+var_28]
		mov	ecx, edi
		push	esi
		call	_PfSnIsSectionPrefetchedAfterPhase@12 ;	PfSnIsSectionPrefetchedAfterPhase(x,x,x)
		test	al, al
		jnz	loc_7F5066
		jmp	loc_7F505C
; 

loc_9125D5:				; CODE XREF: PfSnGetSectionObject+204j
		cmp	[ebx+14h], edx
		jnz	loc_7F5066
		xor	edx, edx
		mov	ecx, edi
		push	esi
		inc	edx
		call	_PfSnIsSectionPrefetchedAfterPhase@12 ;	PfSnIsSectionPrefetchedAfterPhase(x,x,x)
		test	al, al
		jnz	loc_7F505C
		mov	eax, [edi+14h]
		shr	eax, 8
		and	eax, esi
		test	al, 7Fh
		jz	loc_7F5066
		jmp	loc_7F505C
; END OF FUNCTION CHUNK	FOR PfSnGetSectionObject
; 
; START	OF FUNCTION CHUNK FOR PfSnCleanupPrefetchSectionInfo

loc_912606:				; CODE XREF: PfSnCleanupPrefetchSectionInfo+69j
		mov	edx, [edi+4]
		mov	ecx, esi
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)
		jmp	loc_7F52E7
; END OF FUNCTION CHUNK	FOR PfSnCleanupPrefetchSectionInfo
; 
; START	OF FUNCTION CHUNK FOR PfpOpenHandleCreate

loc_912615:				; CODE XREF: PfpOpenHandleCreate+11Cj
		cmp	eax, 5
		jz	short loc_912665
		cmp	eax, 0Ah
		jle	loc_7F5403
		cmp	eax, 0Dh
		jle	short loc_912631
		cmp	eax, 10h
		jnz	loc_7F5403

loc_912631:				; CODE XREF: PfpOpenHandleCreate+11D316j
		cmp	eax, 10h
		jnz	short loc_91263F
		cmp	ebx, 1
		ja	loc_7F5403

loc_91263F:				; CODE XREF: PfpOpenHandleCreate+11D324j
		mov	eax, [esi+20h]
		cmp	eax, [esi+24h]
		jbe	loc_7F5403
		lea	eax, [esp+5Ch+var_4C]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	eax, [esi+1Ch]
		add	[esi+24h], eax
		inc	ebx
		jmp	loc_7F534D
; 

loc_912665:				; CODE XREF: PfpOpenHandleCreate+11D308j
		mov	dword ptr [esi+2Ch], 1
		jmp	loc_7F5403
; 

loc_912671:				; CODE XREF: PfpOpenHandleCreate+41j
		mov	ecx, 0C0000189h
		jmp	loc_7F5403
; END OF FUNCTION CHUNK	FOR PfpOpenHandleCreate
; 
; START	OF FUNCTION CHUNK FOR IopQueryXxxInformation

loc_91267B:				; CODE XREF: IopQueryXxxInformation+1F7j
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	loc_7F5632
; 

loc_912687:				; CODE XREF: IopQueryXxxInformation+AEj
		mov	[esp+38h+var_20], 47h
		mov	[esp+38h+var_25], 1
		jmp	loc_7F5564
; 

loc_912699:				; CODE XREF: IopQueryXxxInformation+D0j
		xor	edx, edx
		mov	ecx, ebx
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		mov	eax, 0C000009Ah
		jmp	loc_7F5634
; 

loc_9126AC:				; CODE XREF: IopQueryXxxInformation+13Bj
		or	byte ptr [ecx-22h], 1
		jmp	loc_7F55F1
; END OF FUNCTION CHUNK	FOR IopQueryXxxInformation
; 
; START	OF FUNCTION CHUNK FOR PfpPrefetchFilesTrickle

loc_9126B5:				; CODE XREF: PfpPrefetchFilesTrickle+104j
		mov	edx, ebx
		jmp	loc_7F5866
; END OF FUNCTION CHUNK	FOR PfpPrefetchFilesTrickle
; 
; START	OF FUNCTION CHUNK FOR PfpFileSetupObjectAttributes

loc_9126BC:				; CODE XREF: PfpFileSetupObjectAttributes+29j
					; PfpFileSetupObjectAttributes+32j
		mov	edx, [ebp+arg_4]
		lea	eax, [esi+8]
		or	dword ptr [edi], 2000h
		imul	ecx, [ebp+arg_0], 28h
		push	8
		mov	[edx+4], eax
		pop	eax
		mov	[edx], ax
		mov	[edx+2], ax
		mov	eax, [ebx+8]
		mov	ecx, [ecx+eax]
		jmp	loc_7F5A85
; END OF FUNCTION CHUNK	FOR PfpFileSetupObjectAttributes
; 
; START	OF FUNCTION CHUNK FOR PfpFileBuildReadList

loc_9126E4:				; CODE XREF: PfpFileBuildReadList+1Cj
		push	4C526650h
		xor	ebx, ebx
		push	18h
		inc	ebx
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_912717
		mov	eax, [ebp+arg_4]
		xor	esi, esi
		mov	[ecx], esi
		mov	[ecx+0Ch], esi
		mov	[ecx+8], esi
		mov	[ecx+4], ebx
		mov	[ecx+10h], esi
		mov	[ecx+14h], esi
		mov	[eax], ecx
		jmp	loc_7F5BE6
; 

loc_912717:				; CODE XREF: PfpFileBuildReadList+78j
					; PfpFileBuildReadList+11CC4Ej
		mov	eax, 0C000009Ah
		jmp	loc_7F5BE8
; 

loc_912721:				; CODE XREF: PfpFileBuildReadList+C8j
		and	edi, 0FFFFF000h
		mov	[ebp+arg_0], eax
		jmp	loc_7F5B78
; 

loc_91272F:				; CODE XREF: PfpFileBuildReadList+56j
					; PfpFileBuildReadList+5Fj
		mov	eax, 0C0000095h
		jmp	loc_7F5BE8
; END OF FUNCTION CHUNK	FOR PfpFileBuildReadList
; 
; START	OF FUNCTION CHUNK FOR EtwpRealtimeFlushSavedBuffers

loc_912739:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+3Cj
		mov	eax, 0C0000017h
		jmp	loc_7F5C09
; 

loc_912743:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+CCj
		mov	ecx, ebx
		call	_EtwpIsRealtimeLogfileSpaceAvailable@4 ; EtwpIsRealtimeLogfileSpaceAvailable(x)
		cmp	al, 1
		jnz	loc_7F5C45
		xor	eax, eax
		lea	ecx, [ebx+10h]
		xchg	eax, [ecx]
		jmp	loc_7F5C3F
; 

loc_91275E:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+91j
		mov	eax, [ebp+var_8]
		mov	[ebx+128h], esi
		mov	esi, [ebx+148h]
		mov	[ebx+12Ch], eax

loc_912773:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+60j
		test	esi, esi
		jnz	loc_7F5CC8
		jmp	loc_7F5CC1
; 

loc_912780:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+82j
		mov	eax, [ebx+148h]
		xor	esi, esi
		add	[ebx+0BCh], eax
		push	3
		pop	eax
		push	0C0000102h
		push	4
		pop	edx
		mov	[ebx+160h], eax
		mov	[ebx+148h], esi
		mov	[ebx+138h], esi
		mov	[ebx+13Ch], esi
		call	_EtwpSendSessionNotification@12	; EtwpSendSessionNotification(x,x,x)
		mov	ecx, ebx
		call	EtwpRealtimeZeroTruncateLogfile
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	byte ptr [ebx+258h], 1
		jz	short loc_9127D4
		mov	ecx, ebx
		call	_EtwpRealtimeResetReferenceTime@4 ; EtwpRealtimeResetReferenceTime(x)

loc_9127D4:				; CODE XREF: EtwpRealtimeFlushSavedBuffers+11CBDBj
		mov	eax, 0C0000102h
		jmp	loc_7F5C09
; END OF FUNCTION CHUNK	FOR EtwpRealtimeFlushSavedBuffers
; 
; START	OF FUNCTION CHUNK FOR PfSnQueryVolumeInfo

loc_9127DE:				; CODE XREF: PfSnQueryVolumeInfo+D3j
		mov	edx, [ebp+var_48]
		lea	ecx, [ebp+var_38]
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)
		jmp	loc_7F5F1F
; END OF FUNCTION CHUNK	FOR PfSnQueryVolumeInfo
; 
; START	OF FUNCTION CHUNK FOR NtFlushBuffersFileEx

loc_9127EE:				; CODE XREF: NtFlushBuffersFileEx+52j
		mov	ecx, eax
		jmp	loc_7F6004
; END OF FUNCTION CHUNK	FOR NtFlushBuffersFileEx

;  S U B	R O U T	I N E 


sub_9127F5	proc near		; DATA XREF: .text:006A5154o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		xor	eax, eax
		inc	eax
		retn
sub_9127F5	endp


;  S U B	R O U T	I N E 


sub_912803	proc near		; DATA XREF: .text:006A5158o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_7F6147
sub_912803	endp

; 
; START	OF FUNCTION CHUNK FOR NtFlushBuffersFileEx

loc_912815:				; CODE XREF: NtFlushBuffersFileEx+12Bj
		test	edi, edi
		jz	short loc_912821
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_912821:				; CODE XREF: NtFlushBuffersFileEx+11C86Bj
		xor	edx, edx
		mov	ecx, [ebp+var_1C]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		mov	eax, 0C000009Ah
		jmp	loc_7F6147
; 

loc_912835:				; CODE XREF: NtFlushBuffersFileEx+168j
		mov	byte ptr [eax-23h], 2
		jmp	loc_7F612E
; 

loc_91283E:				; CODE XREF: NtFlushBuffersFileEx+172j
		mov	byte ptr [eax-23h], 3
		jmp	loc_7F612E
; 

loc_912847:				; CODE XREF: NtFlushBuffersFileEx+17Cj
		mov	byte ptr [eax-23h], 4
		jmp	loc_7F612E
; 

loc_912850:				; CODE XREF: NtFlushBuffersFileEx+20j
					; NtFlushBuffersFileEx+29j
		mov	eax, 0C000000Dh
		jmp	loc_7F6147
; END OF FUNCTION CHUNK	FOR NtFlushBuffersFileEx
; 
; START	OF FUNCTION CHUNK FOR NtQuerySecurityObject

loc_91285A:				; CODE XREF: NtQuerySecurityObject+37j
		mov	ecx, eax
		jmp	loc_7F6783
; END OF FUNCTION CHUNK	FOR NtQuerySecurityObject

;  S U B	R O U T	I N E 


sub_912861	proc near		; DATA XREF: .text:006A51B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_912861	endp


;  S U B	R O U T	I N E 


sub_91286F	proc near		; DATA XREF: .text:006A51B8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-28h]
		jmp	loc_7F6828
sub_91286F	endp


;  S U B	R O U T	I N E 


sub_912881	proc near		; DATA XREF: .text:006A51C0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_912881	endp


;  S U B	R O U T	I N E 


sub_91288F	proc near		; DATA XREF: .text:006A51C4o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-1Ch]
		call	ObfDereferenceObject
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2Ch]
		jmp	loc_7F6828
sub_91288F	endp

; 
; START	OF FUNCTION CHUNK FOR IopGetSetSecurityObject

loc_9128A9:				; CODE XREF: IopGetSetSecurityObject+27j
		cmp	[ebx+20h], ecx
		jz	loc_7F6AE3
		jmp	loc_7F690F
; 

loc_9128B7:				; CODE XREF: IopGetSetSecurityObject+F6j
		xor	edx, edx
		mov	ecx, ebx
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		mov	eax, 0C000009Ah
		jmp	loc_7F6A94
; 

loc_9128CA:				; CODE XREF: IopGetSetSecurityObject+175j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebx+5Ch]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [ebx+1Ch]
		jmp	loc_7F6A5D
; 

loc_9128E1:				; CODE XREF: IopGetSetSecurityObject+1F1j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [ebp+var_34]
		jmp	loc_7F6A64
; 

loc_9128F8:				; CODE XREF: IopGetSetSecurityObject+189j
		xor	ebx, ebx
		inc	ebx
		cmp	edi, ebx
		jnz	short loc_912941
		mov	edi, [ebp+arg_0]
		test	dword ptr [edi+20h], 100h
		jnz	loc_7F6BAF
		and	[ebp+ms_exc.disabled], 0
		push	[ebp+arg_8]	; void *
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		call	_SeAssignWorldSecurityDescriptor@12 ; SeAssignWorldSecurityDescriptor(x,x,x)
		mov	esi, eax
		jmp	short loc_912939
; END OF FUNCTION CHUNK	FOR IopGetSetSecurityObject

;  S U B	R O U T	I N E 


sub_912925	proc near		; DATA XREF: .text:006A51DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_912925	endp


;  S U B	R O U T	I N E 


sub_912933	proc near		; DATA XREF: .text:006A51E0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-28h]
sub_912933	endp

; START	OF FUNCTION CHUNK FOR IopGetSetSecurityObject

loc_912939:				; CODE XREF: IopGetSetSecurityObject+11C041j
		mov	[ebp+var_1C], esi
		jmp	loc_7F6A8B
; 

loc_912941:				; CODE XREF: IopGetSetSecurityObject+11C01Bj
		test	edi, edi
		jnz	short loc_912951
		mov	eax, [ebp+arg_0]
		test	dword ptr [eax+1Ch], 100h
		jnz	short loc_912995

loc_912951:				; CODE XREF: IopGetSetSecurityObject+11C061j
		xor	esi, esi
		jmp	loc_7F6A92
; END OF FUNCTION CHUNK	FOR IopGetSetSecurityObject

;  S U B	R O U T	I N E 


sub_912958	proc near		; DATA XREF: .text:006A51E8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_912958	endp


;  S U B	R O U T	I N E 


sub_912966	proc near		; DATA XREF: .text:006A51ECo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-2Ch]
		jmp	loc_7F6A8B
sub_912966	endp

; 
; START	OF FUNCTION CHUNK FOR IopGetSetSecurityObject

loc_912971:				; CODE XREF: IopGetSetSecurityObject+210j
		test	dword ptr [ebx+2Ch], 100h
		jnz	loc_7F6A92
		jmp	loc_7F6AF8
; 

loc_912983:				; CODE XREF: IopGetSetSecurityObject+25Aj
		mov	eax, [edi+0B0h]
		and	dword ptr [eax+10h], 0FFFFF7FFh
		jmp	loc_7F6B42
; 

loc_912995:				; CODE XREF: IopGetSetSecurityObject+3Ej
					; IopGetSetSecurityObject+2C7j	...
		mov	esi, ecx
		jmp	loc_7F6A92
; END OF FUNCTION CHUNK	FOR IopGetSetSecurityObject
; 
; START	OF FUNCTION CHUNK FOR NtQueryFullAttributesFile

loc_91299C:				; CODE XREF: NtQueryFullAttributesFile+94j
		mov	byte ptr [eax],	0
		jmp	loc_7F6CEA
; END OF FUNCTION CHUNK	FOR NtQueryFullAttributesFile

;  S U B	R O U T	I N E 


sub_9129A4	proc near		; DATA XREF: .text:006A5204o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-100h], eax
		mov	eax, 1
		retn
sub_9129A4	endp


;  S U B	R O U T	I N E 


sub_9129B7	proc near		; DATA XREF: .text:006A5208o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-100h]
		jmp	loc_7F6E02
sub_9129B7	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryFullAttributesFile

loc_9129CC:				; CODE XREF: NtQueryFullAttributesFile+1AAj
		push	edi
		push	[ebp+var_FC]
		call	ObCloseHandle
		mov	esi, 0C0000024h
		jmp	loc_7F6E00
; END OF FUNCTION CHUNK	FOR NtQueryFullAttributesFile

;  S U B	R O U T	I N E 


sub_9129E2	proc near		; DATA XREF: .text:006A5210o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-108h], eax
		mov	eax, 1
		retn
sub_9129E2	endp


;  S U B	R O U T	I N E 


sub_9129F5	proc near		; DATA XREF: .text:006A5214o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-108h]
		jmp	loc_7F6E46
sub_9129F5	endp

; 

loc_912A03:				; CODE XREF: PAGE:007F6F0Ej
		mov	byte ptr [eax],	0
		jmp	loc_7F6F14
; 

loc_912A0B:				; DATA XREF: .text:006A522Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-100h], eax
		mov	eax, 1
		retn
; 

loc_912A1E:				; DATA XREF: .text:006A5230o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-100h]
		jmp	loc_7F706E
; 

loc_912A33:				; CODE XREF: PAGE:007F7066j
		push	dword ptr [ebp-0F8h]
		push	dword ptr [ebp-0FCh]
		call	ObCloseHandle
		mov	esi, 0C0000024h
		jmp	loc_7F706C
; 
; START	OF FUNCTION CHUNK FOR FsRtlpCleanupEcps

loc_912A4E:				; CODE XREF: FsRtlpCleanupEcps+13j
		add	eax, 0FFFFFFF0h
		mov	[ebx+4], eax
		mov	al, 1
		jmp	loc_7F7194
; 

loc_912A5B:				; CODE XREF: FsRtlpCleanupEcps+90j
		mov	edx, edi
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	loc_7F714A
; 

loc_912A67:				; CODE XREF: FsRtlpCleanupEcps+C9j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7F7190
; 

loc_912A74:				; CODE XREF: FsRtlpCleanupEcps+15Aj
		cmp	[edi+4], eax
		jnz	short loc_912AA0
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_912AA0
		mov	[ecx], edi
		mov	[edi+4], ecx
		mov	dword ptr [eax], 0
		lea	eax, [edx+2Ch]
		push	eax
		mov	dword ptr [edx+4], 0
		call	_FsRtlFreeExtraCreateParameter@4 ; FsRtlFreeExtraCreateParameter(x)
		jmp	loc_7F7200
; 

loc_912AA0:				; CODE XREF: FsRtlpCleanupEcps+33j
					; FsRtlpCleanupEcps+3Ej ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_912AA7:				; CODE XREF: IopSynchronousApiServiceTail+68j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_IopCancelAlertedRequest@8 ; IopCancelAlertedRequest(x,x)
		jmp	loc_7F7F64
; END OF FUNCTION CHUNK	FOR FsRtlpCleanupEcps

;  S U B	R O U T	I N E 


sub_912AB6	proc near		; DATA XREF: .text:006A52C4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_912AB6	endp


;  S U B	R O U T	I N E 


sub_912AC4	proc near		; DATA XREF: .text:006A52C8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-1Ch]
		jmp	loc_7F7F25
sub_912AC4	endp

; 
; START	OF FUNCTION CHUNK FOR PfSnOpenVolumesForPrefetch

loc_912ACF:				; CODE XREF: PfSnOpenVolumesForPrefetch+78j
					; PfSnOpenVolumesForPrefetch+86j
		mov	esi, 0C000000Dh
		jmp	loc_7F8435
; 

loc_912AD9:				; CODE XREF: PfSnOpenVolumesForPrefetch+A1j
					; PfSnOpenVolumesForPrefetch+1C9j ...
		mov	esi, 0C000009Ah
		jmp	loc_7F8435
; 

loc_912AE3:				; CODE XREF: PfSnOpenVolumesForPrefetch+17Bj
		xor	eax, eax
		mov	[ebp+var_4], eax
		jmp	loc_7F81B0
; 

loc_912AED:				; CODE XREF: PfSnOpenVolumesForPrefetch+3C2j
		test	byte ptr [ebp+var_18], 3
		jnz	loc_7F83F8
		mov	edx, [ebp+var_1C]
		lea	ecx, [ebx+10h]
		call	_PfSnVolumeCheckIsSdBus@8 ; PfSnVolumeCheckIsSdBus(x,x)
		test	eax, eax
		jnz	loc_7F83F8
		or	[ebp+var_18], 2
		jmp	loc_7F83F8
; 

loc_912B13:				; CODE XREF: PfSnOpenVolumesForPrefetch+34Cj
		mov	ecx, [ebp+var_4]

loc_912B16:				; CODE XREF: PfSnOpenVolumesForPrefetch+2CAj
					; PfSnOpenVolumesForPrefetch+2FCj
		xor	eax, eax
		mov	[ebp+var_44], 2
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], eax
		lea	eax, [edi+0Ch]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_7F84AC
		mov	[ebx], eax
		mov	[ebx+4], edx
		mov	[edx], ebx
		mov	[eax+4], ebx
		jmp	loc_7F83FB
; 

loc_912B48:				; CODE XREF: PfSnOpenVolumesForPrefetch+40Dj
		mov	edx, [edi+4]
		lea	ecx, [ebp+var_68]
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)
		jmp	loc_7F843F
; 

loc_912B58:				; CODE XREF: PfSnOpenVolumesForPrefetch+4B7j
		mov	ecx, eax
		jmp	loc_7F84E9
; END OF FUNCTION CHUNK	FOR PfSnOpenVolumesForPrefetch

;  S U B	R O U T	I N E 


sub_912B5F	proc near		; DATA XREF: .text:006A52E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_912B5F	endp


;  S U B	R O U T	I N E 


sub_912B6D	proc near		; DATA XREF: .text:006A52E8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7F8576
sub_912B6D	endp


;  S U B	R O U T	I N E 


sub_912B7F	proc near		; DATA XREF: .text:006A52F0o
		xor	eax, eax
		inc	eax
		retn
sub_912B7F	endp


;  S U B	R O U T	I N E 


sub_912B83	proc near		; DATA XREF: .text:006A52F4o
		mov	esp, [ebp-18h]
		jmp	loc_7F8564
sub_912B83	endp

; 
; START	OF FUNCTION CHUNK FOR IopCleanupProcessResources

loc_912B8B:				; CODE XREF: IopCleanupProcessResources+1Cj
		cmp	[esi+10h], edi
		jnz	short loc_912B97
		mov	ecx, esi
		call	_IopCleanupFileObjectIosbRange@4 ; IopCleanupFileObjectIosbRange(x)

loc_912B97:				; CODE XREF: IopCleanupProcessResources+11A606j
		mov	esi, [esi+14h]
		jmp	loc_7F85A2
; END OF FUNCTION CHUNK	FOR IopCleanupProcessResources
; 
; START	OF FUNCTION CHUNK FOR NtResetEvent

loc_912B9F:				; CODE XREF: NtResetEvent+7Fj
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_912BAF
		mov	ecx, eax

loc_912BAF:				; CODE XREF: NtResetEvent+11A5D3j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7F85FC
; END OF FUNCTION CHUNK	FOR NtResetEvent

;  S U B	R O U T	I N E 


sub_912BBF	proc near		; DATA XREF: .text:006A530Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_912BBF	endp


;  S U B	R O U T	I N E 


sub_912BCD	proc near		; DATA XREF: .text:006A5310o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_7F8641
sub_912BCD	endp

; 
; START	OF FUNCTION CHUNK FOR NtResetEvent

loc_912BDF:				; CODE XREF: NtResetEvent+86j
		mov	[ebp+ms_exc.disabled], 1
		mov	[esi], edi
		jmp	short loc_912BED
; END OF FUNCTION CHUNK	FOR NtResetEvent

;  S U B	R O U T	I N E 


sub_912BEA	proc near		; DATA XREF: .text:006A531Co
		mov	esp, [ebp-18h]
sub_912BEA	endp

; START	OF FUNCTION CHUNK FOR NtResetEvent

loc_912BED:				; CODE XREF: NtResetEvent+11A610j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_7F8632
; END OF FUNCTION CHUNK	FOR NtResetEvent

;  S U B	R O U T	I N E 


sub_912BF9	proc near		; DATA XREF: .text:006A5318o
		xor	eax, eax
		inc	eax
		retn
sub_912BF9	endp

; 
; START	OF FUNCTION CHUNK FOR PfSnLogOpenVolumesForPrefetch

loc_912BFD:				; CODE XREF: PfSnLogOpenVolumesForPrefetch+48j
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		lea	edx, [edi+50h]
		lea	ecx, [edi+10h]
		call	_PfSnBuildScenarioEventDescriptors@16 ;	PfSnBuildScenarioEventDescriptors(x,x,x,x)
		lea	eax, [ebp+var_44]
		push	eax
		push	4
		push	0
		push	esi
		push	dword_6D49EC
		push	dword_6D49E8
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_7F86B6
; END OF FUNCTION CHUNK	FOR PfSnLogOpenVolumesForPrefetch
; 
; START	OF FUNCTION CHUNK FOR PfpPrefetchDirectoryStream

loc_912C2F:				; CODE XREF: PfpPrefetchDirectoryStream+1F3j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	14BCh
		push	191h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_912C43:				; CODE XREF: PfpPrefetchDirectoryStream+18Bj
					; PfpPrefetchDirectoryStream+1A6j
		mov	esi, 0C0000240h
		jmp	loc_7F8C3F
; END OF FUNCTION CHUNK	FOR PfpPrefetchDirectoryStream
; 
; START	OF FUNCTION CHUNK FOR PfpVolumePrefetchMetadata

loc_912C4D:				; CODE XREF: PfpVolumePrefetchMetadata+D1j
		mov	eax, [esi+4]
		mov	ebx, [ebp+var_2C]
		mov	[esi+eax*8+10h], ebx
		mov	ebx, [ebp+var_30]
		mov	[esi+eax*8+14h], ebx
		mov	esi, [esi+4]
		mov	eax, [ebp+var_4]
		inc	esi
		mov	ebx, [ebp+var_14]
		mov	[eax+4], esi
		cmp	esi, [ebx+10h]
		jnb	loc_7F8D51
		jmp	loc_7F8D48
; 

loc_912C79:				; CODE XREF: PfpVolumePrefetchMetadata+E5j
		mov	ecx, ebx
		call	_PfpCheckPrefetchAbort@4 ; PfpCheckPrefetchAbort(x)
		test	eax, eax
		jnz	loc_912D2D
		mov	eax, [ebx]
		lea	ecx, [ebx+18h]
		test	byte ptr [eax+38h], 4
		jz	short loc_912CA3
		mov	edx, [ebp+var_34]
		call	_PfpAvailablePagesForPrefetch@8	; PfpAvailablePagesForPrefetch(x,x)
		test	eax, eax
		jz	loc_912D2D

loc_912CA3:				; CODE XREF: PfpVolumePrefetchMetadata+11A023j
		imul	ecx, [ebp+var_10], 28h
		xor	edx, edx
		mov	eax, [ebx+8]
		push	edx
		push	edx
		push	edx
		mov	ecx, [ecx+eax]
		lea	eax, ds:10h[esi*8]
		push	eax
		push	[ebp+var_4]
		lea	eax, [ebp+var_4C]
		push	90120h
		push	eax
		push	edx
		push	edx
		call	_IopXxxControlFile@44 ;	IopXxxControlFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	edx, [ebx]
		mov	esi, eax
		test	byte ptr [edx+38h], 4
		jz	short loc_912CE5
		mov	eax, [ebp+var_4]
		lea	ecx, [ebx+18h]
		mov	edx, [eax+4]
		call	_PfpUpdateRepurposedByPrefetch@8 ; PfpUpdateRepurposedByPrefetch(x,x)

loc_912CE5:				; CODE XREF: PfpVolumePrefetchMetadata+11A067j
		test	esi, esi
		js	loc_7F8D9C
		cmp	esi, 103h
		jz	short loc_912D0D
		mov	eax, [edi+0Ch]
		mov	ecx, [ebp+var_28]
		mov	esi, [ebp+var_4]
		shr	eax, 1
		cmp	ecx, eax
		jnb	loc_7F8D5C
		jmp	loc_7F8D04
; 

loc_912D0D:				; CODE XREF: PfpVolumePrefetchMetadata+11A085j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	15FBh
		jmp	short loc_912D23
; 

loc_912D19:				; CODE XREF: PfpVolumePrefetchMetadata+307j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	1660h

loc_912D23:				; CODE XREF: PfpVolumePrefetchMetadata+11A0A9j
		push	191h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_912D2D:				; CODE XREF: PfpVolumePrefetchMetadata+295j
					; PfpVolumePrefetchMetadata+2B0j ...
		mov	esi, 0C0000240h
		jmp	loc_7F8D9C
; END OF FUNCTION CHUNK	FOR PfpVolumePrefetchMetadata
; 
; START	OF FUNCTION CHUNK FOR PfSnVolumeCheckSeekPenalty

loc_912D37:				; CODE XREF: PfSnVolumeCheckSeekPenalty+6Aj
		push	0
		push	0
		push	edi
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		mov	eax, [ebp+var_28]
		jmp	loc_7F9034
; END OF FUNCTION CHUNK	FOR PfSnVolumeCheckSeekPenalty
; 
; START	OF FUNCTION CHUNK FOR PfSnPrefetchFileMetadata

loc_912D49:				; CODE XREF: PfSnPrefetchFileMetadata+A5j
		push	0
		push	0
		push	[ebp+arg_C]
		call	NtWaitForSingleObject
		mov	esi, [ebp+var_10]
		jmp	loc_7F9135
; 

loc_912D5D:				; CODE XREF: PfSnPrefetchFileMetadata+5Aj
					; PfSnPrefetchFileMetadata+66j
		mov	ecx, [edx+28h]
		xor	edx, edx
		mov	[ebp+arg_8], ecx
		mov	[ebp+var_8], edx
		and	[ecx+4], esi
		mov	dword ptr [ecx], 3
		mov	[ecx+8], eax
		test	edi, edi
		jz	loc_7F913B

loc_912D7C:				; CODE XREF: PfSnPrefetchFileMetadata+119D96j
		mov	eax, edi
		mov	esi, 300h
		sub	eax, edx
		mov	[ebp+arg_0], esi
		cmp	eax, esi
		jnb	short loc_912D91
		mov	esi, eax
		mov	[ebp+arg_0], eax

loc_912D91:				; CODE XREF: PfSnPrefetchFileMetadata+119D00j
		mov	eax, esi
		mov	[ecx+4], esi
		shl	eax, 3
		push	eax		; size_t
		mov	eax, [ebp+arg_4]
		add	eax, 2
		add	eax, edx
		lea	eax, [ebx+eax*8]
		push	eax		; void *
		lea	eax, [ecx+10h]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_8]
		add	esp, 0Ch
		mov	eax, [eax+4]
		push	0
		push	[ebp+arg_C]
		lea	esi, ds:10h[eax*8]
		call	NtResetEvent
		mov	edx, [ebp+arg_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	esi
		push	[ebp+arg_8]
		push	90120h
		push	eax
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_4]
		call	_IopXxxControlFile@44 ;	IopXxxControlFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_912E01
		push	0
		push	0
		push	[ebp+arg_C]
		call	NtWaitForSingleObject
		mov	esi, [ebp+var_10]

loc_912E01:				; CODE XREF: PfSnPrefetchFileMetadata+119D66j
		mov	ecx, 0C0000000h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_7F913B
		mov	edx, [ebp+var_8]
		add	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_8], edx
		cmp	edx, edi
		jb	loc_912D7C
		jmp	loc_7F913B
; 

loc_912E2B:				; CODE XREF: PfSnPrefetchFileMetadata+33j
					; PfSnPrefetchFileMetadata+3Dj
		mov	esi, 0C000007Bh
		jmp	loc_7F913B
; END OF FUNCTION CHUNK	FOR PfSnPrefetchFileMetadata
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceMappedPropertyFromComposite

loc_912E35:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+B7j
		mov	esi, 0C000000Dh
		jmp	loc_7F95A9
; 

loc_912E3F:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+FAj
		mov	esi, 0C0000230h
		jmp	loc_7F95A9
; 

loc_912E49:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+22Bj
		push	10h		; size_t
		push	offset _DEVPKEY_Device_Siblings	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		mov	eax, [ebp+var_E4]
		mov	ecx, [ebp+var_DC]
		mov	edi, [ebp+var_D5+1]
		mov	edx, edi
		shr	eax, 1
		mov	[ebp+var_F0], eax
		lea	eax, [ebp+var_F0]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_D0]
		call	__CmGetDeviceSiblings@16 ; _CmGetDeviceSiblings(x,x,x,x)
		jmp	loc_9130E0
; 

loc_912E95:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+4ACj
		and	dword ptr [ebx], 0
		and	dword ptr [edi], 0
		jmp	loc_7F95E0
; 

loc_912EA0:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+781j
		mov	ecx, [ebp+var_114]
		jmp	loc_7F92E7
; 

loc_912EAB:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+12Aj
		push	10h		; size_t
		push	offset _DEVPKEY_Device_ProblemStatus ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		jmp	loc_7F9947
; 

loc_912EC8:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+B01j
					; _CmGetDeviceMappedPropertyFromComposite+B1Fj
		test	[ebp+var_F4], 400h
		jz	loc_7F9F1D
		push	18h
		jmp	loc_7F99B6
; 

loc_912EDF:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+814j
		push	10h		; size_t
		push	offset _DEVPKEY_Device_ProblemStatus ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F99DA
		push	[ebp+var_100]
		mov	edx, [ebp+var_D5+1]
		lea	eax, [ebp+var_E8]
		mov	ecx, [ebp+var_D0]
		push	eax
		push	4
		pop	ebx
		push	ebx
		lea	eax, [ebp+var_118]
		push	eax
		lea	eax, [ebp+var_F8]
		push	eax
		push	offset _DEVPKEY_Device_ProblemStatusOverride
		push	0
		push	[ebp+var_FC]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_912F57
		cmp	[ebp+var_F8], 18h
		jnz	short loc_912F57
		cmp	[ebp+var_E8], ebx
		jnz	short loc_912F57
		mov	eax, [ebp+var_118]
		mov	[ebp+var_110], eax

loc_912F57:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119D78j
					; _CmGetDeviceMappedPropertyFromComposite+119D81j ...
		mov	ebx, [ebp+var_EC]
		jmp	loc_7F99E0
; 

loc_912F62:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+83Ej
					; _CmGetDeviceMappedPropertyFromComposite+B27j	...
		mov	ecx, [ebp+var_DC]
		mov	eax, [ebp+var_110]
		mov	[ecx], eax
		jmp	loc_7F95E0
; 

loc_912F75:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+2F4j
		push	4
		pop	eax
		jmp	short loc_912FE6
; 

loc_912F7A:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+4E4j
		push	8
		jmp	short loc_912FDF
; 

loc_912F7E:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+9A1j
		mov	eax, [ebp+var_10C]
		cmp	eax, 19h
		jz	loc_7F9B67
		cmp	eax, 16h
		jz	loc_7F9B67
		cmp	eax, 1Dh
		jz	loc_7F9B67
		cmp	eax, 18h
		jnz	loc_7F9745
		jmp	loc_7F9B67	; size_t
; 

loc_912FAD:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+158j
		push	offset _DEVPKEY_Device_BusRelations ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		push	20h		; size_t
		jmp	short loc_912FDF
; 

loc_912FC7:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+161j
		push	offset _DEVPKEY_Device_TransportRelations ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		push	40h

loc_912FDF:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+8EFj
					; _CmGetDeviceMappedPropertyFromComposite+119DBCj ...
		pop	eax
		mov	[ebp+var_F4], eax

loc_912FE6:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119DB8j
		mov	edi, [ebp+var_D5+1]
		mov	edx, edi
		push	ecx
		lea	ecx, [ebp+var_F0]
		push	ecx
		mov	ecx, [ebp+var_D0]
		push	0
		push	0
		push	eax
		call	__CmGetDeviceRelationsList@28 ;	_CmGetDeviceRelationsList(x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_7F9F1D
		test	esi, esi
		jz	loc_7F9F1D
		mov	ecx, 0C0000023h
		cmp	esi, ecx
		jnz	loc_7F9597
		mov	eax, [ebp+var_F0]
		add	eax, eax
		mov	[ebx], eax
		mov	eax, [ebp+var_E0]
		mov	dword ptr [eax], 2012h
		mov	eax, [ebp+arg_10]
		cmp	eax, [ebx]
		jb	loc_7F9A7C
		mov	edi, [ebp+var_DC]
		mov	edx, [ebp+var_D5+1]
		push	ecx
		lea	ecx, [ebp+var_F0]
		shr	eax, 1
		push	ecx
		mov	ecx, [ebp+var_D0]
		push	eax
		mov	eax, [ebp+var_F4]
		push	edi
		push	eax
		call	__CmGetDeviceRelationsList@28 ;	_CmGetDeviceRelationsList(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_91308A
		mov	ecx, edi
		call	__PnpMultiSzGetLen@4 ; _PnpMultiSzGetLen(x)
		add	eax, eax
		mov	[ebx], eax
		jmp	loc_7F95A9
; 

loc_91308A:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119EB8j
		mov	eax, [ebp+var_E0]
		and	dword ptr [ebx], 0
		and	dword ptr [eax], 0
		jmp	loc_7F95E0	; size_t
; 

loc_91309B:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+173j
		push	offset _DEVPKEY_Device_Children	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		mov	eax, [ebp+var_E4]
		mov	ecx, [ebp+var_DC]
		mov	edi, [ebp+var_D5+1]
		mov	edx, edi
		shr	eax, 1
		mov	[ebp+var_F0], eax
		lea	eax, [ebp+var_F0]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_D0]
		call	__CmGetDeviceChildren@16 ; _CmGetDeviceChildren(x,x,x,x)

loc_9130E0:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119CD0j
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_7F9597
		mov	ecx, 0C0000023h
		test	esi, esi
		jz	short loc_9130FF
		cmp	esi, ecx
		jnz	loc_7F9597

loc_9130FF:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119F35j
		mov	eax, [ebp+var_F0]
		add	eax, eax
		mov	[ebx], eax
		mov	eax, [ebp+var_E0]
		mov	dword ptr [eax], 2012h
		jmp	loc_7F9A71
; 

loc_91311A:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+C39j
		cmp	[ebp+var_F8], 11h
		jnz	loc_7F9745
		cmp	byte ptr [ebp+var_D5], 0FFh
		jmp	loc_7F9BCC
; 

loc_913133:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+C45j
		cmp	esi, 0C0000023h
		jnz	loc_7F9597
		jmp	loc_7F9E0B
; 

loc_913144:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+D05j
		cmp	[ebp+var_10C], 0Eh
		jmp	short loc_91315A
; 

loc_91314D:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+11A102j
		mov	edi, [ebp+var_D5+1]
		cmp	byte ptr [ebp+var_D5], 0FFh

loc_91315A:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119F8Bj
					; _CmGetDeviceMappedPropertyFromComposite+11A0D6j
		jnz	loc_7F9597
		jmp	loc_7F9745
; 

loc_913165:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+197j
		push	eax		; size_t
		push	offset _DEVPKEY_Device_Stack ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		mov	eax, [ebp+var_E0]
		mov	edi, [ebp+var_D5+1]
		push	edi
		mov	dword ptr [eax], 2012h
		lea	eax, [ebp+var_108]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7F9597
		mov	eax, [ebp+var_E4]
		push	ecx
		mov	ecx, [ebp+var_DC]
		push	ebx
		push	eax
		push	ecx
		push	0Eh
		jmp	short loc_9131CB
; 

loc_9131B9:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+11A0AAj
		mov	eax, [ebp+var_E4]
		push	ecx
		mov	ecx, [ebp+var_DC]
		push	ebx
		push	eax
		push	ecx
		push	10h

loc_9131CB:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119FF7j
					; _CmGetDeviceMappedPropertyFromComposite+11A068j
		mov	ebx, [ebp+var_D0]
		jmp	loc_7F97C4
; 

loc_9131D6:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+1A0j
		push	eax		; size_t
		push	(offset	loc_410083+5) ;	void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		mov	eax, [ebp+var_E0]
		mov	edi, [ebp+var_D5+1]
		push	edi
		mov	dword ptr [eax], 2012h
		lea	eax, [ebp+var_108]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7F9597
		mov	eax, [ebp+var_E4]
		push	ecx
		mov	ecx, [ebp+var_DC]
		push	ebx
		push	eax
		push	ecx
		push	0Fh
		jmp	short loc_9131CB
; 

loc_91322A:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+1A9j
		push	eax		; size_t
		push	offset _DEVPKEY_Device_DependencyDependents ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7F95A9
		mov	eax, [ebp+var_E0]
		mov	edi, [ebp+var_D5+1]
		push	edi
		mov	dword ptr [eax], 2012h
		lea	eax, [ebp+var_108]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7F9597
		jmp	loc_9131B9
; 

loc_91326F:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+703j
		cmp	[ebp+var_F8], 11h
		jnz	loc_7F98D5
		cmp	[ebp+var_E8], 1
		jnz	loc_7F98D5
		mov	edi, [ebp+var_D5+1]
		cmp	byte ptr [ebp+var_D5], 0
		jmp	loc_91315A
; 

loc_91329B:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+70Fj
		cmp	esi, edi
		jnz	loc_7F95E0
		jmp	loc_7F98D5
; 

loc_9132A8:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+756j
		cmp	[ebp+var_F8], 11h
		jnz	loc_7F95E0
		cmp	[ebp+var_E8], 1
		jnz	loc_7F95E0
		jmp	loc_91314D
; 

loc_9132C7:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+762j
		cmp	esi, edi
		jnz	loc_7F95E0
		jmp	loc_7F9928
; 

loc_9132D4:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+413j
		mov	ecx, [ebp+var_114]
		push	10h
		pop	eax
		jmp	loc_7F9381
; 

loc_9132E2:				; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+D4Cj
		cmp	esi, 0C000000Eh
		jz	loc_7F95A9
		cmp	esi, 0C00000C0h
		jz	loc_7F95A9
		mov	esi, 0C0000001h
		jmp	loc_7F95A9
; END OF FUNCTION CHUNK	FOR _CmGetDeviceMappedPropertyFromComposite
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceCompoundFilters

loc_913304:				; CODE XREF: _CmGetDeviceCompoundFilters+75j
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+var_C]	; void *
		push	[ebp+arg_4]	; void *
		push	[ebp+var_8]	; int
		push	[ebp+var_4]	; int
		call	__CmGetDeviceCompoundFiltersWorker@40 ;	_CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000034h
		jz	loc_859745
		cmp	eax, 0C000017Ch
		jz	loc_859745
		cmp	eax, 0C0000225h
		jnz	loc_859762
		jmp	loc_859745
; 

loc_91334C:				; CODE XREF: _CmGetDeviceCompoundFilters+A2j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_859772
; END OF FUNCTION CHUNK	FOR _CmGetDeviceCompoundFilters
; 
; START	OF FUNCTION CHUNK FOR PiUEventHandleGetEvent

loc_913359:				; CODE XREF: PiUEventHandleGetEvent+A1j
		mov	eax, [ebp+var_C]
		cmp	[ecx+4], eax
		jnz	short loc_913392
		mov	edi, [eax+4]
		cmp	[edi], eax
		jnz	short loc_913392
		mov	[edi], ecx
		mov	[ecx+4], edi
		lea	edi, [ebx+38h]
		dec	dword ptr [ebx+48h]
		mov	edx, [edi+4]
		mov	[ebp+var_18], edx
		cmp	[edx], edi
		mov	edx, [ebp+var_10]
		jnz	short loc_913392
		mov	ecx, [ebp+var_18]
		mov	[eax], edi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edi+4], eax
		jmp	loc_7F9FEA
; 

loc_913392:				; CODE XREF: PiUEventHandleGetEvent+11942Bj
					; PiUEventHandleGetEvent+119432j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_913397:				; CODE XREF: PiUEventHandleGetEvent+70j
		mov	eax, [ebp+var_14]
		cmp	dword ptr [eax], 0
		jnz	loc_7F9FF4
		mov	eax, [ebp+arg_8]
		and	dword ptr [eax+4], 0
		mov	ecx, [ebx+8]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_7FA01B
; 

loc_9133B7:				; CODE XREF: PiUEventHandleGetEvent+17j
					; PiUEventHandleGetEvent+1Fj ...
		mov	esi, 0C000000Dh
		jmp	loc_7FA01B
; END OF FUNCTION CHUNK	FOR PiUEventHandleGetEvent
; 
; START	OF FUNCTION CHUNK FOR PiUEventCopyEventData

loc_9133C1:				; CODE XREF: PiUEventCopyEventData+184j
		mov	ebx, 0C000000Dh
		jmp	loc_7FA11E
; 

loc_9133CB:				; CODE XREF: PiUEventCopyEventData+176j
		lea	esi, [edx+50h]
		mov	edx, 0C8h
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_7FA11E
		mov	eax, [ebp+var_4]
		lea	edi, ds:26h[eax*2]
		cmp	[ebp+var_C], edi
		jb	short loc_91343A
		lea	eax, ds:2[eax*2]
		push	eax		; size_t
		push	esi		; void *
		mov	esi, [ebp+var_8]
		lea	eax, [esi+24h]
		push	eax		; void *
		call	_memcpy
		mov	dword ptr [esi+1Ch], 3
		jmp	loc_7FA20A
; 

loc_913418:				; CODE XREF: PiUEventCopyEventData+4Fj
		or	dword ptr [ecx+34h], 0FFFFFFFFh
		lea	edi, [ecx+24h]
		and	[ecx+38h], ebx
		xor	eax, eax
		mov	dword ptr [ecx+1Ch], 1
		stosd
		stosd
		stosd
		stosd
		mov	dword ptr [ecx], 3Ch
		jmp	loc_7FA11E
; 

loc_91343A:				; CODE XREF: PiUEventCopyEventData+1Bj
					; PiUEventCopyEventData+27j ...
		mov	ebx, 0C0000023h
		jmp	loc_7FA11E
; END OF FUNCTION CHUNK	FOR PiUEventCopyEventData
; 
; START	OF FUNCTION CHUNK FOR PiUEventHandleIoctl

loc_913444:				; CODE XREF: PiUEventHandleIoctl+58j
		mov	edx, [esi+0Ch]
		lea	eax, [esi+18h]
		push	eax
		push	ecx
		push	dword ptr [ecx+8]
		mov	ecx, [ecx+18h]
		call	_PiUEventHandleVetoEvent@20 ; PiUEventHandleVetoEvent(x,x,x,x,x)
		jmp	loc_7FA285
; END OF FUNCTION CHUNK	FOR PiUEventHandleIoctl
; 
; START	OF FUNCTION CHUNK FOR PiCMValidateDeviceInstance

loc_91345C:				; CODE XREF: PiCMValidateDeviceInstance+1B9j
		cmp	[ebp+var_C], ebx
		jnz	loc_7FA484
		cmp	[ebp+var_10], ebx
		jnz	loc_7FA484
		cmp	[ebp+var_14], 0
		jz	loc_7FA484
		jmp	loc_7FA506
; 

loc_91347D:				; CODE XREF: PiCMValidateDeviceInstance+56j
					; PiCMValidateDeviceInstance+67j ...
		mov	esi, 0C000000Dh
		jmp	loc_7FA484
; END OF FUNCTION CHUNK	FOR PiCMValidateDeviceInstance

;  S U B	R O U T	I N E 


sub_913487	proc near		; DATA XREF: .text:006A536Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_913487	endp


;  S U B	R O U T	I N E 


sub_913495	proc near		; DATA XREF: .text:006A5370o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-20h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		push	8
		pop	ebx
		jmp	loc_7FA552
sub_913495	endp

; 
; START	OF FUNCTION CHUNK FOR PiDqQueryRelease

loc_9134AA:				; CODE XREF: PiDqQueryRelease+1Bj
		push	esi
		push	dword ptr [esi+0Ch]
		mov	edx, offset _KMPnPEvt_DevQuery_QueryStop
		call	_McTemplateK0p_EtwWriteTransfer@16 ; McTemplateK0p_EtwWriteTransfer(x,x,x,x)
		jmp	loc_7FA5DB
; END OF FUNCTION CHUNK	FOR PiDqQueryRelease
; 
; START	OF FUNCTION CHUNK FOR PiDqQueryGetObjectManager

loc_9134BD:				; CODE XREF: PiDqQueryGetObjectManager+15j
		sub	eax, 1
		jz	short loc_9134E4
		sub	eax, 3
		jz	short loc_9134DA
		sub	eax, 4
		jnz	loc_7FA6E8
		mov	edx, offset _PiDqDevicePanelManager
		jmp	loc_7FA6E8
; 

loc_9134DA:				; CODE XREF: PiDqQueryGetObjectManager+118DFDj
		mov	edx, offset _PiDqDeviceInstallerClassManager
		jmp	loc_7FA6E8
; 

loc_9134E4:				; CODE XREF: PiDqQueryGetObjectManager+118DF8j
		mov	edx, offset _PiDqDeviceInterfaceClassManager
		jmp	loc_7FA6E8
; END OF FUNCTION CHUNK	FOR PiDqQueryGetObjectManager
; 
; START	OF FUNCTION CHUNK FOR PiDqObjectManagerEnumerateAndRegisterQuery

loc_9134EE:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+279j
		mov	esi, 0C000009Ah
		jmp	loc_7FA994
; 

loc_9134F8:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+9Aj
		sub	eax, 1
		jnz	loc_7FA7E2
		mov	edi, [edx+1Ch]
		cmp	[edi], cx
		jz	loc_7FA7E2

loc_91350D:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+118EF3j
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_913512:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+118E23j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+0D0h+var_B0]
		jnz	short loc_913512
		sub	ecx, edx
		sar	ecx, 1
		lea	edx, [ecx+1]
		lea	edx, [edi+edx*2]
		jmp	short loc_913562
; 

loc_91352B:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+118E71j
		push	edx		; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_9135CC
		mov	edx, [esp+0D0h+var_B8]
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[esp+0D0h+var_B8], eax

loc_913549:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+118E5Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+0D0h+var_B0]
		jnz	short loc_913549
		sub	ecx, [esp+0D0h+var_B8]
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2

loc_913562:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+118E2Fj
		xor	eax, eax
		mov	[esp+0D0h+var_B8], edx
		cmp	[edx], ax
		jnz	short loc_91352B
		lea	eax, [esp+0D0h+var_C0]
		mov	edx, edi
		push	eax
		mov	eax, [esp+0D4h+var_B4]
		mov	ecx, [eax+80h]
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_913593
		xor	eax, eax
		mov	esi, eax
		jmp	short loc_9135CC
; 

loc_913593:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+118E91j
		test	esi, esi
		js	loc_7FA80C
		mov	ecx, [esp+0D0h+var_C0]
		call	_PiDmObjectIsEnumerable@4 ; PiDmObjectIsEnumerable(x)
		test	al, al
		jz	short loc_9135B5
		mov	edx, [esp+0D0h+var_C0]
		mov	ecx, ebx
		call	PiDqQueryEnumObject
		mov	esi, eax

loc_9135B5:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+118EACj
		mov	ecx, [esp+0D0h+var_C0]
		call	PiDmObjectRelease
		xor	eax, eax
		mov	[esp+0D0h+var_C0], eax
		test	esi, esi
		js	loc_7FA80C

loc_9135CC:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+118E3Cj
					; PiDqObjectManagerEnumerateAndRegisterQuery+118E97j
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_9135D1:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+118EE2j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+0D0h+var_B0]
		jnz	short loc_9135D1
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], ax
		jnz	loc_91350D
		jmp	loc_7FA7E2
; 

loc_9135F8:				; CODE XREF: PiDqObjectManagerEnumerateAndRegisterQuery+131j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		or	dword ptr [ebx+74h], 1
		mov	ecx, ebx
		call	PiDqQueryFreeActiveData
		xor	edx, edx
		lea	ecx, [ebx+20h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_7FA831
; END OF FUNCTION CHUNK	FOR PiDqObjectManagerEnumerateAndRegisterQuery

;  S U B	R O U T	I N E 


sub_913633	proc near		; DATA XREF: .text:006A538Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_913633	endp


;  S U B	R O U T	I N E 


sub_913641	proc near		; DATA XREF: .text:006A5390o
		mov	esp, [ebp-18h]
		mov	edx, [ebp-1Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-20h]
		jmp	loc_7FAA2F
sub_913641	endp

; 
; START	OF FUNCTION CHUNK FOR PiDaDispatch

loc_913656:				; CODE XREF: PiDaDispatch+1Ej
		mov	esi, 0C0000010h

loc_91365B:				; CODE XREF: PiDaDispatch+A7j
		xor	dl, dl
		mov	[ecx+18h], esi
		call	IofCompleteRequest
		jmp	loc_7FAA9F
; END OF FUNCTION CHUNK	FOR PiDaDispatch
; 
; START	OF FUNCTION CHUNK FOR PiDqDispatch

loc_91366A:				; CODE XREF: PiDqDispatch+186j
					; PiDqDispatch+1FDj
		mov	esi, 0C00000BBh
		jmp	loc_7FABE6
; 

loc_913674:				; CODE XREF: PiDqDispatch+1E8j
		mov	esi, 0C000000Dh
		jmp	loc_7FABE6
; END OF FUNCTION CHUNK	FOR PiDqDispatch
; 
; START	OF FUNCTION CHUNK FOR PiUEventDispatch

loc_91367E:				; CODE XREF: PiUEventDispatch+54j
		mov	edi, 0C00000BBh
		mov	[esi+18h], edi
		jmp	loc_7FAD7C
; END OF FUNCTION CHUNK	FOR PiUEventDispatch
; 
; START	OF FUNCTION CHUNK FOR PiDqQueryCreate

loc_91368B:				; CODE XREF: PiDqQueryCreate+2Cj
		mov	edi, 0C000009Ah
		jmp	loc_7FAE77
; END OF FUNCTION CHUNK	FOR PiDqQueryCreate
; 
; START	OF FUNCTION CHUNK FOR PiDqIrpQueryCreate

loc_913695:				; CODE XREF: PiDqIrpQueryCreate+4Cj
		mov	edi, 0C00000BBh
		jmp	loc_7FB005
; 

loc_91369F:				; CODE XREF: PiDqIrpQueryCreate+57j
		mov	edi, 0C000000Dh
		jmp	loc_7FB005
; 

loc_9136A9:				; CODE XREF: PiDqIrpQueryCreate+7Dj
		mov	edi, 0C0000120h
		jmp	loc_7FAFC4
; 

loc_9136B3:				; CODE XREF: PiDqIrpQueryCreate+85j
					; PiDqIrpQueryCreate+97j
		mov	edi, 0C00000BBh
		jmp	loc_7FAFC4
; 

loc_9136BD:				; CODE XREF: PiDqIrpQueryCreate+A4j
		mov	edi, 0C0000023h
		jmp	loc_7FAFC4
; END OF FUNCTION CHUNK	FOR PiDqIrpQueryCreate

;  S U B	R O U T	I N E 


sub_9136C7	proc near		; DATA XREF: .text:006A53ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-78h], eax
		push	eax
		call	ds:__imp__RpcExceptionFilter@4 ; RpcExceptionFilter(x)
		retn
sub_9136C7	endp


;  S U B	R O U T	I N E 


sub_9136D9	proc near		; DATA XREF: .text:006A53B0o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-78h]
		mov	esi, [ebp-4Ch]
		mov	[ebp-60h], esi
		lea	eax, [esi+0Ch]
		mov	[ebp-3Ch], eax
		xor	ebx, ebx
		mov	[eax], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-40h]
		mov	[ebp-58h], ecx
		jmp	loc_7FAF6F
sub_9136D9	endp

; 
; START	OF FUNCTION CHUNK FOR PiDqIrpQueryCreate

loc_913701:				; CODE XREF: PiDqIrpQueryCreate+139j
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_30], ebx
		mov	esi, [esi]
		mov	[ebp+var_34], esi
		lea	edx, [ebp+var_5C]
		mov	ecx, [esi+10h]
		call	_PiDqConvertObjectTypeToString@8 ; PiDqConvertObjectTypeToString(x,x)
		test	eax, eax
		js	loc_9139CD
		mov	eax, [esi+14h]
		mov	[ebp+var_44], eax
		lea	edx, [ebp+var_6C]
		mov	ecx, eax
		call	_PiDqConvertQueryTypeToString@8	; PiDqConvertQueryTypeToString(x,x)
		test	eax, eax
		js	loc_9139CD
		mov	eax, [ebp+var_44]
		cmp	eax, 1
		jnz	loc_913965
		mov	eax, [esi+18h]
		mov	[ebp+var_4C], eax

loc_913758:				; CODE XREF: PiDqIrpQueryCreate+118AEAj
		mov	esi, 58706E50h

loc_91375D:				; CODE XREF: PiDqIrpQueryCreate+118B4Aj
		mov	eax, 200h
		mov	[ebp+var_50], eax
		push	esi
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_48], eax
		test	eax, eax
		jz	loc_9139D2
		lea	ecx, [ebp+var_50]
		push	ecx
		push	200h
		mov	edx, eax
		mov	eax, [ebp+var_34]
		mov	ecx, [eax+20h]
		call	_PiDqConvertQueryFlagsToString@16 ; PiDqConvertQueryFlagsToString(x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_9137CA
		push	esi
		mov	eax, [ebp+var_48]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	[ebp+var_50]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_48], eax
		test	eax, eax
		jz	loc_9139D2
		lea	ecx, [ebp+var_50]
		push	ecx
		push	[ebp+var_50]
		mov	edx, eax
		mov	eax, [ebp+var_34]
		mov	ecx, [eax+20h]
		call	_PiDqConvertQueryFlagsToString@16 ; PiDqConvertQueryFlagsToString(x,x,x,x)

loc_9137CA:				; CODE XREF: PiDqIrpQueryCreate+118916j
		test	eax, eax
		js	loc_9139D2
		mov	eax, [ebp+var_34]
		test	byte ptr [eax+20h], 4
		jz	short loc_913838
		mov	eax, [eax+24h]
		cmp	eax, 2
		jbe	loc_9139D2
		push	esi
		add	eax, eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_3C], edx
		test	edx, edx
		jz	loc_9139D2
		mov	eax, [ebp+var_34]
		mov	ecx, [eax+24h]
		add	ecx, ecx
		push	ecx		; size_t
		push	dword ptr [eax+28h] ; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_34]
		mov	ecx, [eax+24h]
		dec	ecx
		sub	ecx, 1
		jz	short loc_913838
		push	20h
		pop	edx
		mov	eax, [ebp+var_3C]

loc_913826:				; CODE XREF: PiDqIrpQueryCreate+1189B5j
		cmp	[eax+ecx*2], bx
		jnz	short loc_913830
		mov	[eax+ecx*2], dx

loc_913830:				; CODE XREF: PiDqIrpQueryCreate+1189ACj
		sub	ecx, 1
		jnz	short loc_913826
		mov	eax, [ebp+var_34]

loc_913838:				; CODE XREF: PiDqIrpQueryCreate+11895Bj
					; PiDqIrpQueryCreate+1189A0j
		cmp	[eax+2Ch], ebx
		jbe	short loc_9138B8
		mov	eax, 200h
		mov	[ebp+var_54], eax
		push	esi
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	loc_9139D2
		lea	ecx, [ebp+var_54]
		push	ecx
		push	200h
		push	eax
		mov	eax, [ebp+var_34]
		mov	edx, [eax+2Ch]
		mov	ecx, [eax+30h]
		call	_PnpConvertDevpropcompkeyArrayToString@20 ; PnpConvertDevpropcompkeyArrayToString(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_9138AD
		push	esi
		push	[ebp+var_40]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	[ebp+var_54]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	loc_9139D2
		lea	ecx, [ebp+var_54]
		push	ecx
		push	[ebp+var_54]
		push	eax
		mov	eax, [ebp+var_34]
		mov	edx, [eax+2Ch]
		mov	ecx, [eax+30h]
		call	_PnpConvertDevpropcompkeyArrayToString@20 ; PnpConvertDevpropcompkeyArrayToString(x,x,x,x,x)

loc_9138AD:				; CODE XREF: PiDqIrpQueryCreate+1189F8j
		test	eax, eax
		js	loc_9139D2
		mov	eax, [ebp+var_34]

loc_9138B8:				; CODE XREF: PiDqIrpQueryCreate+1189BDj
		cmp	[eax+34h], ebx
		jbe	short loc_913931
		mov	eax, 200h
		mov	[ebp+var_44], eax
		push	esi
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9139D2
		lea	eax, [ebp+var_44]
		push	eax
		push	ebx
		push	200h
		mov	eax, [ebp+var_34]
		mov	edx, [eax+38h]
		mov	ecx, [eax+34h]
		call	_FilterConvertToString@20 ; FilterConvertToString(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_913929
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	[ebp+var_44]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9139D2
		lea	eax, [ebp+var_44]
		push	eax
		push	ebx
		push	[ebp+var_44]
		mov	eax, [ebp+var_34]
		mov	edx, [eax+38h]
		mov	ecx, [eax+34h]
		call	_FilterConvertToString@20 ; FilterConvertToString(x,x,x,x,x)

loc_913929:				; CODE XREF: PiDqIrpQueryCreate+118A77j
		test	eax, eax
		js	loc_9139D2

loc_913931:				; CODE XREF: PiDqIrpQueryCreate+118A3Dj
		test	byte_6CD8BA, 40h
		jz	loc_9139D2
		push	ebx
		push	[ebp+var_40]
		push	[ebp+var_3C]
		mov	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_4C]
		push	[ebp+var_6C]
		push	[ebp+var_5C]
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		push	eax
		push	[ebp+var_60]
		push	[ebp+var_34]
		call	_McTemplateK0pqzzzzzzz_EtwWriteTransfer@48 ; McTemplateK0pqzzzzzzz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_9139D2
; 

loc_913965:				; CODE XREF: PiDqIrpQueryCreate+1188CEj
		cmp	eax, 2
		jnz	loc_913758
		mov	eax, [esi+18h]
		cmp	eax, 2
		jbe	short loc_9139CD
		mov	esi, 58706E50h
		push	esi
		add	eax, eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_30], edx
		test	edx, edx
		jz	short loc_9139E0
		mov	eax, [ebp+var_34]
		mov	ecx, [eax+18h]
		add	ecx, ecx
		push	ecx		; size_t
		push	dword ptr [eax+1Ch] ; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_34]
		mov	eax, [eax+18h]
		dec	eax
		sub	eax, 1
		mov	edx, [ebp+var_30]
		jz	short loc_9139C5
		push	20h
		pop	ecx

loc_9139B6:				; CODE XREF: PiDqIrpQueryCreate+118B45j
		cmp	[edx+eax*2], bx
		jnz	short loc_9139C0
		mov	[edx+eax*2], cx

loc_9139C0:				; CODE XREF: PiDqIrpQueryCreate+118B3Cj
		sub	eax, 1
		jnz	short loc_9139B6

loc_9139C5:				; CODE XREF: PiDqIrpQueryCreate+118B33j
		mov	[ebp+var_4C], edx
		jmp	loc_91375D
; 

loc_9139CD:				; CODE XREF: PiDqIrpQueryCreate+1188AAj
					; PiDqIrpQueryCreate+1188C2j ...
		mov	esi, 58706E50h

loc_9139D2:				; CODE XREF: PiDqIrpQueryCreate+1188F5j
					; PiDqIrpQueryCreate+118932j ...
		mov	edx, [ebp+var_30]
		test	edx, edx
		jz	short loc_9139E0
		push	esi
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9139E0:				; CODE XREF: PiDqIrpQueryCreate+118B0Fj
					; PiDqIrpQueryCreate+118B59j
		mov	eax, [ebp+var_48]
		test	eax, eax
		jz	short loc_9139EE
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9139EE:				; CODE XREF: PiDqIrpQueryCreate+118B67j
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jz	short loc_9139FC
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9139FC:				; CODE XREF: PiDqIrpQueryCreate+118B75j
		mov	eax, [ebp+var_40]
		test	eax, eax
		jz	short loc_913A0A
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_913A0A:				; CODE XREF: PiDqIrpQueryCreate+118B83j
		test	ebx, ebx
		jz	loc_7FAFBD
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7FAFBD
; END OF FUNCTION CHUNK	FOR PiDqIrpQueryCreate
; 
; START	OF FUNCTION CHUNK FOR PiDqQueryValidateQueryData

loc_913A1E:				; CODE XREF: PiDqQueryValidateQueryData+EAj
		mov	edx, [esi+18h]
		mov	ecx, [esi+1Ch]
		call	_PnpValidateMultiSz@8 ;	PnpValidateMultiSz(x,x)
		test	eax, eax
		js	loc_7FB1B1
		jmp	loc_7FB0E6
; 

loc_913A36:				; CODE XREF: PiDqQueryValidateQueryData+121j
					; PiDqQueryValidateQueryData+1189B5j
		mov	ecx, [esi+40h]
		push	dword ptr [ecx+ebx+14h]
		mov	edx, [ecx+ebx+18h]
		mov	ecx, [ecx+ebx+1Ch]
		call	_PnpValidatePropertyData
		test	eax, eax
		js	loc_7FB1B1
		inc	edi
		add	ebx, 20h
		cmp	edi, [esi+3Ch]
		jb	short loc_913A36
		jmp	loc_7FB16E
; END OF FUNCTION CHUNK	FOR PiDqQueryValidateQueryData
; 
; START	OF FUNCTION CHUNK FOR FilterEvalImpliedAnd

loc_913A60:				; CODE XREF: FilterEvalImpliedAnd+3Bj
		mov	esi, 0C000000Dh
		jmp	loc_7FB25E
; END OF FUNCTION CHUNK	FOR FilterEvalImpliedAnd

;  S U B	R O U T	I N E 


sub_913A6A	proc near		; DATA XREF: .text:006A53CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_913A6A	endp


;  S U B	R O U T	I N E 


sub_913A78	proc near		; DATA XREF: .text:006A53D0o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-28h]
sub_913A78	endp

; START	OF FUNCTION CHUNK FOR PiCMCaptureInterfaceListInputData

loc_913A7E:				; CODE XREF: PiCMCaptureInterfaceListInputData+C5j
		mov	[ebp+var_1C], ebx
		jmp	loc_7FB2EA
; 

loc_913A86:				; CODE XREF: PiCMCaptureInterfaceListInputData+82j
		mov	ecx, [esi+1Ch]
		cmp	ecx, 2
		jb	short loc_913ACB
		push	1
		push	[ebp+var_24]
		push	2
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	PiControlMakeUserModeCallersCopy
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_913ABF
		mov	[ebp+var_20], 1
		mov	edx, [esi+1Ch]
		shr	edx, 1
		mov	ecx, [edi]
		xor	eax, eax
		mov	[ecx+edx*2-2], ax
		jmp	loc_7FB31E
; 

loc_913ABF:				; CODE XREF: PiCMCaptureInterfaceListInputData+11881Fj
		and	dword ptr [edi], 0
		and	dword ptr [esi+1Ch], 0
		jmp	loc_7FB31E
; 

loc_913ACB:				; CODE XREF: PiCMCaptureInterfaceListInputData+118808j
		test	eax, eax
		jz	loc_7FB30C

loc_913AD3:				; CODE XREF: PiCMCaptureInterfaceListInputData+94j
		cmp	dword ptr [esi+1Ch], 2
		jnb	loc_7FB31E

loc_913ADD:				; CODE XREF: PiCMCaptureInterfaceListInputData+8Cj
		mov	ebx, 0C000000Dh

loc_913AE2:				; CODE XREF: PiCMCaptureInterfaceListInputData+72j
					; PiCMCaptureInterfaceListInputData+9Cj
		cmp	[ebp+var_20], 0
		jz	short loc_913AFD
		mov	eax, [esi+18h]
		cmp	byte ptr [ebp+var_24], 0
		jz	short loc_913AFD
		test	eax, eax
		jz	short loc_913AFD
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_913AFD:				; CODE XREF: PiCMCaptureInterfaceListInputData+118862j
					; PiCMCaptureInterfaceListInputData+11886Bj ...
		push	9
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		jmp	loc_7FB326
; 

loc_913B0B:				; CODE XREF: PiCMCaptureInterfaceListInputData+2Aj
					; PiCMCaptureInterfaceListInputData+32j
		mov	ebx, 0C000000Dh
		mov	esi, [ebp+arg_4]
		jmp	loc_7FB31E
; END OF FUNCTION CHUNK	FOR PiCMCaptureInterfaceListInputData
; 
; START	OF FUNCTION CHUNK FOR PiCMGetDeviceInterfaceList

loc_913B18:				; CODE XREF: PiCMGetDeviceInterfaceList+67j
		mov	eax, ebx
		shr	eax, 10h
		and	eax, 1
		push	eax
		push	edx
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		call	_McTemplateK0jzt_EtwWriteTransfer@24 ; McTemplateK0jzt_EtwWriteTransfer(x,x,x,x,x,x)
		mov	edx, [ebp+var_38]
		jmp	loc_7FB3BB
; 

loc_913B34:				; CODE XREF: PiCMGetDeviceInterfaceList+8Ej
		mov	esi, 0C000000Dh
		jmp	loc_7FB49B
; 

loc_913B3E:				; CODE XREF: PiCMGetDeviceInterfaceList+97j
		mov	esi, 0C000000Dh
		jmp	loc_7FB3EB
; 

loc_913B48:				; CODE XREF: PiCMGetDeviceInterfaceList+70j
					; PiCMGetDeviceInterfaceList+7Cj
		mov	eax, [ebp+var_2C]
		mov	esi, 0C000000Dh
		jmp	loc_7FB43C
; 

loc_913B55:				; CODE XREF: PiCMGetDeviceInterfaceList+11Dj
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	loc_7FB471
		push	ebx
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7FB471
; 

loc_913B76:				; CODE XREF: PiCMGetDeviceInterfaceList+12Aj
		push	esi
		push	ecx
		mov	edx, offset _KMPnPEvt_CfgMgr_DeviceInterfaceList_Stop
		call	_McTemplateK0d_EtwWriteTransfer@16 ; McTemplateK0d_EtwWriteTransfer(x,x,x,x)
		jmp	loc_7FB47E
; END OF FUNCTION CHUNK	FOR PiCMGetDeviceInterfaceList
; 
; START	OF FUNCTION CHUNK FOR DrvDbGetDriverInfFileMappedProperty

loc_913B87:				; CODE XREF: DrvDbGetDriverInfFileMappedProperty+2Fj
		push	10h		; size_t
		push	offset _DEVPKEY_NODE ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_913BD0
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+var_8]
		push	edi		; int
		shr	eax, 1
		push	eax		; int
		push	[ebp+arg_C]	; void *
		mov	dword ptr [ebx], 12h
		push	esi		; int
		push	3
		pop	edx
		call	_DrvDbGetObjectDatabaseNodeName@24 ; DrvDbGetObjectDatabaseNodeName(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_913BC9
		cmp	esi, 0C0000023h
		jnz	loc_7FB60F

loc_913BC9:				; CODE XREF: DrvDbGetDriverInfFileMappedProperty+118645j
		shl	dword ptr [edi], 1
		jmp	loc_7FB60F
; 

loc_913BD0:				; CODE XREF: DrvDbGetDriverInfFileMappedProperty+118623j
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_14]
		jmp	loc_7FB5AB
; END OF FUNCTION CHUNK	FOR DrvDbGetDriverInfFileMappedProperty
; 
; START	OF FUNCTION CHUNK FOR DrvDbDispatchDriverInfFile

loc_913BDB:				; CODE XREF: DrvDbDispatchDriverInfFile+31j
		test	eax, eax
		jnz	short loc_913BE9
		mov	eax, 0C0000467h
		jmp	loc_7FB6E1
; 

loc_913BE9:				; CODE XREF: DrvDbDispatchDriverInfFile+11855Bj
		cmp	ecx, 2
		jz	short loc_913C0D
		jle	loc_7FB6B9
		cmp	ecx, 4
		jle	short loc_913C13
		cmp	ecx, 6
		jle	short loc_913C1A
		cmp	ecx, 8
		jz	short loc_913C1A
		cmp	ecx, 9
		jz	short loc_913C13
		jmp	loc_7FB6B9
; 

loc_913C0D:				; CODE XREF: DrvDbDispatchDriverInfFile+11856Aj
		cmp	byte ptr [edi+4], 0
		jz	short loc_913C1A

loc_913C13:				; CODE XREF: DrvDbDispatchDriverInfFile+118575j
					; DrvDbDispatchDriverInfFile+118584j
		shr	eax, 1Eh
		and	al, 1
		jmp	short loc_913C1D
; 

loc_913C1A:				; CODE XREF: DrvDbDispatchDriverInfFile+11857Aj
					; DrvDbDispatchDriverInfFile+11857Fj ...
		shr	eax, 1Fh

loc_913C1D:				; CODE XREF: DrvDbDispatchDriverInfFile+118596j
		test	al, al
		jnz	loc_7FB6B9
		mov	eax, 0C0000022h
		jmp	loc_7FB6E1
; 

loc_913C2F:				; CODE XREF: DrvDbDispatchDriverInfFile+3Dj
					; DATA XREF: PAGE:off_7FB716o
		mov	edx, [ebp+arg_4] ; case	0x0
		call	_DrvDbValidateDriverInfFileName@8 ; DrvDbValidateDriverInfFileName(x,x)
		jmp	loc_7FB6E1
; 

loc_913C3C:				; CODE XREF: DrvDbDispatchDriverInfFile+3Dj
					; DATA XREF: PAGE:off_7FB716o
		mov	edx, [ebp+arg_4] ; case	0x2
		lea	eax, [edi+8]
		push	eax
		lea	eax, [edi+4]
		mov	ecx, ebx
		push	eax
		push	dword ptr [edi]
		call	_DrvDbCreateDriverInfFile@20 ; DrvDbCreateDriverInfFile(x,x,x,x,x)
		jmp	loc_7FB6E1
; 

loc_913C55:				; CODE XREF: DrvDbDispatchDriverInfFile+3Dj
					; DATA XREF: PAGE:off_7FB716o
		push	0		; case 0x3
		push	[ebp+arg_4]
		mov	ecx, ebx
		push	3
		pop	edx
		call	_DrvDbDeleteObjectRegKey@16 ; DrvDbDeleteObjectRegKey(x,x,x,x)
		jmp	loc_7FB6E1
; 

loc_913C69:				; CODE XREF: DrvDbDispatchDriverInfFile+3Dj
					; DATA XREF: PAGE:off_7FB716o
		mov	eax, [edi+10h]	; case 0x4
		mov	ecx, [edi+0Ch]
		mov	edx, [edi+8]
		mov	esi, [edi+4]
		mov	edi, [edi]
		push	0
		push	eax
		push	ecx
		push	edx
		push	esi
		push	edi
		push	3
		pop	edx
		mov	ecx, ebx
		call	_DrvDbGetObjectList@32 ; DrvDbGetObjectList(x,x,x,x,x,x,x,x)
		jmp	loc_7FB6E1
; 

loc_913C8D:				; CODE XREF: DrvDbDispatchDriverInfFile+3Dj
					; DATA XREF: PAGE:off_7FB716o
		push	dword ptr [edi+14h] ; case 0x5
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		push	dword ptr [edi+10h]
		push	dword ptr [edi+0Ch]
		push	dword ptr [edi]
		call	_DrvDbGetDriverInfFileMappedPropertyKeys@24 ; DrvDbGetDriverInfFileMappedPropertyKeys(x,x,x,x,x,x)
		jmp	loc_7FB6E1
; 

loc_913CA7:				; CODE XREF: DrvDbDispatchDriverInfFile+3Dj
					; DATA XREF: PAGE:off_7FB716o
		push	dword ptr [edi+14h] ; case 0x8
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		push	dword ptr [edi+10h] ; int
		push	dword ptr [edi+0Ch] ; int
		push	dword ptr [edi+8] ; void *
		push	dword ptr [edi]	; int
		call	_DrvDbSetDriverInfFileMappedProperty@28	; DrvDbSetDriverInfFileMappedProperty(x,x,x,x,x,x,x)
		jmp	loc_7FB6E1
; END OF FUNCTION CHUNK	FOR DrvDbDispatchDriverInfFile
; 
; START	OF FUNCTION CHUNK FOR _CmGetMatchingFilteredDeviceInterfaceList

loc_913CC4:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceList+89j
		test	eax, eax
		jnz	short loc_913CFD
		jmp	loc_7FB7E1
; 

loc_913CCD:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceList+CFj
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	11h
		push	3
		push	0
		push	edi
		call	ebx
		cmp	eax, 0C0000002h
		jz	loc_7FB7CC
		cmp	eax, 0C0000120h
		jz	loc_7FB7C9
		test	eax, eax
		jz	loc_7FB7CC

loc_913CFD:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceList+11858Cj
		mov	esi, 0C00000E5h
		jmp	loc_7FB7CC
; END OF FUNCTION CHUNK	FOR _CmGetMatchingFilteredDeviceInterfaceList
; 
; START	OF FUNCTION CHUNK FOR _PnpDispatchInterfaceClass

loc_913D07:				; CODE XREF: _PnpDispatchInterfaceClass+21j
					; DATA XREF: PAGE:off_7FB8AEo
		mov	ecx, [ebp+arg_10] ; case 0x1
		mov	al, [ecx+4]
		mov	esi, [ecx+8]
		mov	edx, [ecx]
		mov	byte ptr [ebp+arg_10], al
		lea	eax, [ecx+0Ch]
		mov	ecx, [ebp+arg_0]
		push	eax
		push	esi
		push	[ebp+arg_10]
		push	edx
		mov	edx, [ebp+arg_4]
		push	edi
		push	40h
		call	_CmOpenCommonClassRegKey
		jmp	loc_7FB858
; 

loc_913D31:				; CODE XREF: _PnpDispatchInterfaceClass+21j
					; DATA XREF: PAGE:off_7FB8AEo
		mov	ecx, [ebp+arg_10] ; case 0x2
		mov	edx, [ebp+arg_4]
		mov	eax, [ecx+0Ch]
		and	eax, 0FFFF0000h
		push	eax
		lea	eax, [ecx+8]
		push	eax
		lea	eax, [ecx+4]
		push	eax
		push	dword ptr [ecx]
		mov	ecx, [ebp+arg_0]
		call	__CmCreateInterfaceClass@24 ; _CmCreateInterfaceClass(x,x,x,x,x,x)
		jmp	loc_7FB858
; 

loc_913D57:				; CODE XREF: _PnpDispatchInterfaceClass+21j
					; DATA XREF: PAGE:off_7FB8AEo
		mov	eax, [ebp+arg_10] ; case 0x3
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax]
		and	eax, 0FFFF0000h
		push	eax
		call	__CmDeleteInterfaceClass@12 ; _CmDeleteInterfaceClass(x,x,x)
		jmp	loc_7FB858
; 

loc_913D72:				; CODE XREF: _PnpDispatchInterfaceClass+79j
		mov	[ebp+var_8], eax
		lea	edx, [ebp+var_8]
		mov	eax, [ecx+4]
		mov	edi, offset __PnpCmMatchCallbackRoutine@16 ; _PnpCmMatchCallbackRoutine(x,x,x,x)
		mov	[ebp+var_4], eax
		jmp	loc_7FB88D
; 

loc_913D88:				; CODE XREF: _PnpDispatchInterfaceClass+21j
					; DATA XREF: PAGE:off_7FB8AEo
		mov	eax, [ebp+arg_10] ; case 0x5
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	dword ptr [eax+14h]
		push	dword ptr [eax+10h]
		push	dword ptr [eax+0Ch]
		push	edi
		push	dword ptr [eax]
		call	__CmGetInterfaceClassMappedPropertyKeys@28 ; _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)
		jmp	loc_7FB858
; 

loc_913DA7:				; CODE XREF: _PnpDispatchInterfaceClass+21j
					; DATA XREF: PAGE:off_7FB8AEo
		mov	eax, [ebp+arg_10] ; case 0x6
		push	dword ptr [eax+10h] ; int
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; int
		push	dword ptr [eax+4] ; void *
		push	ecx		; int
		call	__CmGetInterfaceClassMappedPropertyLocales@28 ;	_CmGetInterfaceClassMappedPropertyLocales(x,x,x,x,x,x,x)
		jmp	loc_7FB858
; 

loc_913DC1:				; CODE XREF: _PnpDispatchInterfaceClass+21j
					; DATA XREF: PAGE:off_7FB8AEo
		mov	eax, [ebp+arg_10] ; case 0x8
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	dword ptr [eax+14h] ; int
		push	dword ptr [eax+10h] ; int
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; void *
		push	dword ptr [eax+4] ; int
		push	dword ptr [eax]	; int
		call	__CmSetInterfaceClassMappedProperty@32 ; _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)
		jmp	loc_7FB858
; 

loc_913DE5:				; CODE XREF: _PnpDispatchInterfaceClass+1Bj
		mov	eax, 0C000000Dh	; default
		jmp	loc_7FB858
; END OF FUNCTION CHUNK	FOR _PnpDispatchInterfaceClass
; 
; START	OF FUNCTION CHUNK FOR _CmGetInterfaceClassMappedProperty

loc_913DEF:				; CODE XREF: _CmGetInterfaceClassMappedProperty+31j
					; _CmGetInterfaceClassMappedProperty+3Dj ...
		add	ecx, 8
		mov	[ebp+arg_4], ecx
		cmp	ecx, 8
		jb	loc_7FB8FB

loc_913DFE:				; CODE XREF: _CmGetInterfaceClassMappedProperty+76j
		mov	ecx, [edi+10h]
		mov	[ebp+arg_4], ecx

loc_913E04:				; CODE XREF: _CmGetInterfaceClassMappedProperty+118556j
		mov	eax, ds:off_A42F30[esi]
		cmp	ecx, [eax+10h]
		jnz	short loc_913E22
		push	10h		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_913E2F
		mov	ecx, [ebp+arg_4]

loc_913E22:				; CODE XREF: _CmGetInterfaceClassMappedProperty+11853Bj
		add	esi, 8
		cmp	esi, 8
		jb	short loc_913E04
		jmp	loc_7FB94E
; 

loc_913E2F:				; CODE XREF: _CmGetInterfaceClassMappedProperty+11854Bj
		push	[ebp+arg_18]	; int
		mov	edx, [ebp+var_4]
		push	[ebp+arg_14]	; int
		mov	ecx, [ebp+var_8]
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	edi		; void *
		push	[ebp+arg_0]	; int
		call	__CmGetInterfaceClassMappedPropertyFromComposite@32 ; _CmGetInterfaceClassMappedPropertyFromComposite(x,x,x,x,x,x,x,x)
		mov	ebx, eax
		jmp	loc_7FB94E
; END OF FUNCTION CHUNK	FOR _CmGetInterfaceClassMappedProperty
; 
; START	OF FUNCTION CHUNK FOR _CmGetInterfaceClassMappedPropertyFromRegValue

loc_913E51:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+2Ej
		mov	ebx, edx
		jmp	loc_7FB9A2
; 

loc_913E58:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+4Ej
					; _CmGetInterfaceClassMappedPropertyFromRegValue+91j
		mov	esi, 0C0000230h
		jmp	loc_7FBA43
; 

loc_913E62:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+81j
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+arg_10]

loc_913E6B:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+6Dj
		and	[ebp+var_10], 0
		add	edx, 8
		add	ecx, 8
		mov	[ebp+arg_10], edx
		mov	[ebp+var_C], ecx
		cmp	edx, 8
		jb	loc_7FB9C2
		jmp	loc_7FB9E7
; 

loc_913E89:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+148j
		cmp	edi, 0C000017Ch
		jz	loc_7FBA38
		mov	edx, 0C0000023h
		test	edi, edi
		jz	short loc_913EA9
		cmp	edi, edx
		jz	short loc_913EA9
		mov	esi, edi
		jmp	loc_7FBA3D
; 

loc_913EA9:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+11853Cj
					; _CmGetInterfaceClassMappedPropertyFromRegValue+118540j
		mov	ecx, [ebp+arg_14]
		mov	eax, [ebp+arg_C]
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 12h
		test	edi, edi
		jnz	short loc_913EC6
		test	ebx, ebx
		jnz	loc_7FBA3D

loc_913EC6:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromRegValue+11855Cj
		mov	esi, edx
		jmp	loc_7FBA3D
; END OF FUNCTION CHUNK	FOR _CmGetInterfaceClassMappedPropertyFromRegValue
; 
; START	OF FUNCTION CHUNK FOR IopGetDeviceInterfaces

loc_913ECD:				; CODE XREF: IopGetDeviceInterfaces+137j
		cmp	[esp+0D8h+var_B8], 12h
		jnz	loc_7FBBEB
		mov	edi, [esp+0D8h+var_BC]
		lea	eax, [esp+0D8h+var_AC]
		xor	ecx, ecx
		mov	edx, edi
		push	ecx
		push	eax
		push	ecx
		push	20019h
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	30h
		call	_CmOpenDeviceInterfaceRegKey
		test	eax, eax
		jns	short loc_913F09
		xor	eax, eax
		mov	[esp+0D8h+var_C9], al
		jmp	loc_914086
; 

loc_913F09:				; CODE XREF: IopGetDeviceInterfaces+11844Ej
		cmp	[esp+0D8h+var_9C], ebx
		jz	loc_913FA8
		mov	eax, 190h
		push	20207050h
		push	eax
		push	1
		mov	[esp+0E4h+var_B4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+0D8h+var_C2+2], esi
		test	esi, esi
		jnz	short loc_913F3F
		mov	esi, 0C000009Ah
		mov	edi, eax
		jmp	loc_7FBD1A
; 

loc_913F3F:				; CODE XREF: IopGetDeviceInterfaces+118483j
		xor	ecx, ecx
		lea	eax, [esp+0D8h+var_B4]
		push	ecx
		push	eax
		push	[esp+0E0h+var_B4]
		lea	eax, [esp+0E4h+var_B8]
		mov	edx, edi
		push	esi
		push	eax
		push	offset _DEVPKEY_Device_InstanceId
		push	ecx
		push	[esp+0F4h+var_AC]
		mov	ecx, _PiPnpRtlCtx
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_91406B
		cmp	[esp+0D8h+var_B8], 12h
		jnz	loc_91406B
		push	esi
		lea	eax, [esp+0DCh+var_84]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_91406B
		push	1
		lea	eax, [esp+0DCh+var_84]
		push	eax
		push	[esp+0E0h+var_9C]
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	loc_91406B

loc_913FA8:				; CODE XREF: IopGetDeviceInterfaces+11845Fj
		test	byte ptr [ebp+arg_0], 1
		jnz	short loc_914002
		xor	ecx, ecx
		lea	eax, [esp+0D8h+var_B4]
		push	ecx
		push	eax
		xor	edx, edx
		mov	[esp+0E0h+var_C9], cl
		inc	edx
		lea	eax, [esp+0E0h+var_C2]
		push	edx
		push	eax
		lea	eax, [esp+0E8h+var_B8]
		mov	[esp+0E8h+var_B4], edx
		push	eax
		push	offset _DEVPKEY_DeviceInterface_Enabled
		push	ecx
		push	[esp+0F4h+var_AC]
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_914071
		cmp	[esp+0D8h+var_B8], 11h
		jnz	short loc_914071
		cmp	[esp+0D8h+var_B4], 1
		jnz	short loc_914071
		cmp	byte ptr [esp+0D8h+var_C2], 0FFh
		jnz	short loc_91406B

loc_914002:				; CODE XREF: IopGetDeviceInterfaces+1184FEj
		xor	eax, eax
		lea	edi, [esp+0D8h+var_7C]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	byte ptr [esp+0D8h+var_C2+1], al
		lea	eax, [esp+0D8h+var_7C]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	edi, [esp+0D8h+var_BC]
		lea	eax, [esp+0D8h+var_C2+1]
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	eax
		lea	eax, [esp+0DCh+var_7C]
		push	eax
		push	[esp+0E0h+var_AC]
		push	3
		call	_PiPnpRtlApplyMandatoryFilters@24 ; PiPnpRtlApplyMandatoryFilters(x,x,x,x,x,x)
		mov	esi, eax
		lea	eax, [esp+0D8h+var_7C]
		push	eax
		call	SeReleaseSubjectContext
		test	esi, esi
		js	short loc_91406B
		mov	[esp+0D8h+var_C9], 1
		cmp	byte ptr [esp+0D8h+var_C2+1], bl
		jnz	short loc_914071

loc_91406B:				; CODE XREF: IopGetDeviceInterfaces+1184BEj
					; IopGetDeviceInterfaces+1184C9j ...
		xor	eax, eax
		mov	[esp+0D8h+var_C9], al

loc_914071:				; CODE XREF: IopGetDeviceInterfaces+118539j
					; IopGetDeviceInterfaces+118544j ...
		push	[esp+0D8h+var_AC]
		call	_ZwClose@4	; ZwClose(x)
		cmp	[esp+0D8h+var_C9], bl
		jnz	loc_7FBBFB
		xor	eax, eax

loc_914086:				; CODE XREF: IopGetDeviceInterfaces+118456j
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	edi, eax
		mov	[esp+0D8h+var_B0], eax
		mov	[esp+0D8h+var_BC], edi
		jmp	loc_7FBBFB
; 

loc_91409E:				; CODE XREF: IopGetDeviceInterfaces+143j
		cmp	esi, 0C0000034h
		jz	loc_7FBBF7
		cmp	esi, 0C000003Ah
		jz	loc_7FBBF7
		test	esi, esi
		js	loc_7FBD1A
		mov	esi, 0C0000001h
		jmp	loc_7FBD1A
; 

loc_9140C8:				; CODE XREF: IopGetDeviceInterfaces+15Dj
		mov	[esp+0D8h+var_6C], edi
		jmp	loc_7FBC11
; 

loc_9140D1:				; CODE XREF: IopGetDeviceInterfaces+18Dj
		mov	ecx, [esp+0D8h+var_B0]
		shr	ecx, 1
		cmp	ecx, eax
		jb	loc_7FBC41
		lea	eax, [ecx+1]
		mov	[esp+0D8h+var_C8], eax
		jmp	loc_7FBC41
; 

loc_9140EB:				; CODE XREF: IopGetDeviceInterfaces+23Bj
		xor	edx, edx
		jmp	loc_7FBC4E
; 

loc_9140F2:				; CODE XREF: IopGetDeviceInterfaces+1ABj
		push	edx
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+0D8h+var_C8]
		jmp	loc_7FBC5F
; 

loc_914102:				; CODE XREF: IopGetDeviceInterfaces+1D7j
		push	800h
		lea	eax, [esp+0DCh+var_A8]
		mov	edx, edi
		push	eax
		lea	eax, [esp+0E0h+var_98]
		mov	ecx, ebx
		push	eax
		push	[esp+0E4h+var_BC]
		call	RtlStringCchCopyExW
		mov	esi, eax
		test	esi, esi
		js	loc_7FBCF3
		mov	ecx, [esp+0D8h+var_A8]
		test	ecx, ecx
		jz	short loc_91413D
		mov	edi, [esp+0D8h+var_98]
		dec	ecx
		add	edi, 2
		jmp	loc_7FBC8F
; 

loc_91413D:				; CODE XREF: IopGetDeviceInterfaces+118680j
		mov	esi, 0C0000001h
		jmp	loc_7FBCF3
; 

loc_914147:				; CODE XREF: IopGetDeviceInterfaces+1C4j
		mov	esi, 0C000009Ah
		jmp	loc_7FBCEF
; 

loc_914151:				; CODE XREF: IopGetDeviceInterfaces+38Cj
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+0D8h+var_C8]
		push	20207050h
		add	eax, eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_7FBE40
		mov	esi, 0C000009Ah
		jmp	loc_7FBD16
; 

loc_914181:				; CODE XREF: IopGetDeviceInterfaces+371j
		mov	esi, 0C000009Ah
		jmp	loc_7FBD1A
; 

loc_91418B:				; CODE XREF: IopGetDeviceInterfaces+99j
					; IopGetDeviceInterfaces+284j
		mov	eax, [esp+0D8h+var_90]
		xor	ecx, ecx
		mov	[eax], ecx
		mov	eax, [esp+0D8h+var_8C]
		test	eax, eax
		jz	loc_7FBD52
		mov	[eax], ecx
		jmp	loc_7FBD52
; 

loc_9141A6:				; CODE XREF: IopGetDeviceInterfaces+2C7j
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7FBD7B
; 

loc_9141B4:				; CODE XREF: IopGetDeviceInterfaces+2CFj
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7FBD83
; 

loc_9141C2:				; CODE XREF: IopGetDeviceInterfaces+2D7j
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7FBD8B
; END OF FUNCTION CHUNK	FOR IopGetDeviceInterfaces
; 
; START	OF FUNCTION CHUNK FOR DrvDbGetRegValueMappedProperty

loc_9141D0:				; CODE XREF: DrvDbGetRegValueMappedProperty+50j
		cmp	edx, 0C0000023h
		jnz	loc_7FC048
		jmp	loc_7FC012
; 

loc_9141E1:				; CODE XREF: DrvDbGetRegValueMappedProperty+78j
		xor	ecx, ecx
		inc	ecx
		mov	[eax], ecx
		test	esi, esi
		jz	loc_7FC066
		cmp	[ebp+arg_C], ecx
		jb	loc_7FC066
		cmp	edx, 0C0000023h
		jz	loc_7FC05F
		cmp	[ebp+var_4], 0
		setz	al
		dec	al
		mov	[esi], al
		jmp	loc_7FC048
; 

loc_914213:				; CODE XREF: DrvDbGetRegValueMappedProperty+6Cj
		mov	eax, [ebp+arg_10]
		push	2
		pop	ecx
		mov	[eax], ecx
		test	esi, esi
		jz	loc_7FC066
		cmp	[ebp+arg_C], ecx
		jb	loc_7FC066
		cmp	edx, 0C0000023h
		jz	loc_7FC05F
		mov	ax, word ptr [ebp+var_4]
		mov	[esi], ax
		jmp	loc_7FC048
; END OF FUNCTION CHUNK	FOR DrvDbGetRegValueMappedProperty
; 
; START	OF FUNCTION CHUNK FOR PiDqQueryFreeActiveData

loc_914244:				; CODE XREF: PiDqQueryFreeActiveData+29j
		cmp	[ecx+4], edi
		jnz	short loc_91425F
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_91425F
		mov	[edi], eax
		mov	[eax+4], edi
		call	_PiDqQueryActionQueueEntryFree@4 ; PiDqQueryActionQueueEntryFree(x)
		jmp	loc_7FC093
; 

loc_91425F:				; CODE XREF: PiDqQueryFreeActiveData+1181D9j
					; PiDqQueryFreeActiveData+1181E0j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_914264:				; CODE XREF: PiDqQueryFreeActiveData+38j
		call	_PiDqActionDataFree@4 ;	PiDqActionDataFree(x)
		and	dword ptr [esi+60h], 0
		jmp	loc_7FC0AC
; END OF FUNCTION CHUNK	FOR PiDqQueryFreeActiveData

;  S U B	R O U T	I N E 


sub_914272	proc near		; DATA XREF: .text:006A53ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_914272	endp


;  S U B	R O U T	I N E 


sub_914280	proc near		; DATA XREF: .text:006A53F0o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-28h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp-24h]
		jmp	loc_7FC1F0
sub_914280	endp

; 
; START	OF FUNCTION CHUNK FOR PiDqQuerySerializeActionQueue

loc_914297:				; CODE XREF: PiDqQuerySerializeActionQueue+14Cj
		mov	edi, 0C0000005h

loc_91429C:				; CODE XREF: PiDqQuerySerializeActionQueue+A9j
					; PiDqQuerySerializeActionQueue+CAj ...
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		jmp	loc_7FC2C6
; 

loc_9142AB:				; CODE XREF: PiDqQuerySerializeActionQueue+85j
		xor	ebx, ebx
		jmp	loc_7FC2BE
; 

loc_9142B2:				; CODE XREF: PiDqQuerySerializeActionQueue+21Bj
		call	_PiDqActionDataFree@4 ;	PiDqActionDataFree(x)
		jmp	loc_7FC2D1
; END OF FUNCTION CHUNK	FOR PiDqQuerySerializeActionQueue
; 
; START	OF FUNCTION CHUNK FOR PiDqActionDataCreate

loc_9142BC:				; CODE XREF: PiDqActionDataCreate+33j
		mov	esi, 0C000009Ah
		jmp	loc_7FC4AE
; 

loc_9142C6:				; CODE XREF: PiDqActionDataCreate+B6j
		cmp	[esp+28h+var_8], 1
		jnz	loc_91436C
		lea	esi, [esp+28h+var_14]
		push	esi
		push	eax
		push	edx
		xor	edx, edx
		test	byte ptr [esp+34h+var_10], 4
		jz	short loc_914320
		push	dword ptr [edi+28h]
		push	dword ptr [ebx+8]
		push	ecx
		mov	ecx, [esp+40h+var_18]
		call	_PiDqActionDataGetAllPropertiesInBestLanguage@32 ; PiDqActionDataGetAllPropertiesInBestLanguage(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7FC501
		mov	ecx, [esp+28h+var_18]
		lea	eax, [esp+28h+var_14]
		push	eax
		lea	eax, [ebx+0Ch]
		xor	edx, edx
		push	eax
		lea	eax, [ebx+10h]
		inc	edx
		push	eax
		push	dword ptr [edi+28h]
		push	dword ptr [ebx+8]
		push	[esp+3Ch+var_C]
		call	_PiDqActionDataGetAllPropertiesInBestLanguage@32 ; PiDqActionDataGetAllPropertiesInBestLanguage(x,x,x,x,x,x,x,x)
		jmp	short loc_914357
; 

loc_914320:				; CODE XREF: PiDqActionDataCreate+117F27j
		push	dword ptr [ebx+8]
		mov	edi, [esp+38h+var_18]
		push	ecx
		mov	ecx, edi
		call	_PiDqActionDataGetAllPropertiesInAllLanguages@28 ; PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7FC501
		lea	eax, [esp+28h+var_14]
		xor	edx, edx
		push	eax
		lea	eax, [ebx+0Ch]
		inc	edx
		push	eax
		lea	eax, [ebx+10h]
		mov	ecx, edi
		push	eax
		push	dword ptr [ebx+8]
		push	[esp+38h+var_C]
		call	_PiDqActionDataGetAllPropertiesInAllLanguages@28 ; PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)

loc_914357:				; CODE XREF: PiDqActionDataCreate+117F66j
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	loc_7FC4A0
		xor	esi, esi
		jmp	loc_7FC4A0
; 

loc_91436C:				; CODE XREF: PiDqActionDataCreate+117F13j
		push	eax
		mov	eax, [ebp+arg_0]
		push	edx
		mov	edx, ecx
		mov	ecx, [esp+30h+var_18]
		push	dword ptr [eax+0Ch]
		push	0
		push	0
		jmp	loc_7FC4E5
; END OF FUNCTION CHUNK	FOR PiDqActionDataCreate
; 
; START	OF FUNCTION CHUNK FOR PiDqQueryAppendActionEntry

loc_914383:				; CODE XREF: PiDqQueryAppendActionEntry+23j
		mov	ecx, [esi+0Ch]
		mov	ecx, [ecx+10h]
		call	PiDqGetPnpObjectType
		mov	ecx, eax
		call	_PiDmGetObjectCount@4 ;	PiDmGetObjectCount(x)
		add	eax, eax
		cmp	[esi+6Ch], eax
		jbe	loc_7FC587
		or	dword ptr [esi+74h], 1
		mov	ecx, esi
		pop	esi
		jmp	PiDqQueryFreeActiveData
; END OF FUNCTION CHUNK	FOR PiDqQueryAppendActionEntry
; 
; START	OF FUNCTION CHUNK FOR _RegRtlCreateTreeTransacted

loc_9143AC:				; CODE XREF: _RegRtlCreateTreeTransacted+46j
		lea	eax, [esp+20h+var_10]
		mov	edx, 7FFFh
		push	eax
		mov	ecx, ebx
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_7FC60E
		mov	esi, [esp+20h+var_10]
		inc	esi
		push	4C474552h
		lea	eax, [esi+esi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9143EC
		mov	edi, 0C0000017h
		jmp	loc_7FC60E
; 

loc_9143EC:				; CODE XREF: _RegRtlCreateTreeTransacted+117E1Ej
		push	100h
		push	0
		push	0
		push	[esp+2Ch+var_4]
		mov	edx, esi
		mov	ecx, ebx
		call	RtlStringCchCopyExW
		mov	edi, eax
		test	edi, edi
		jnz	loc_9144FD
		mov	eax, [esp+20h+var_8]
		mov	esi, ebx
		mov	edi, eax
		mov	[esp+20h+var_10], edi
		test	eax, eax
		jnz	short loc_914442
		push	12h		; size_t
		push	offset ??_C@_1CG@GOLKLNMC@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@ ; "\\"
		push	ebx		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_914442
		mov	edi, 80000002h
		lea	esi, [ebx+24h]
		jmp	short loc_91443E
; 

loc_91443A:				; CODE XREF: _RegRtlCreateTreeTransacted+117F2Cj
		mov	edi, [esp+20h+var_C]

loc_91443E:				; CODE XREF: _RegRtlCreateTreeTransacted+117E76j
		mov	[esp+20h+var_10], edi

loc_914442:				; CODE XREF: _RegRtlCreateTreeTransacted+117E58j
					; _RegRtlCreateTreeTransacted+117E6Cj
		push	5Ch
		pop	eax
		push	eax		; wchar_t
		push	esi		; wchar_t *
		mov	[esp+28h+var_4], esi
		call	_wcschr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jz	short loc_91448E
		xor	eax, eax
		mov	[esi], ax
		add	esi, 2
		push	5Ch
		pop	edx
		movzx	ecx, word ptr [esi]
		mov	eax, ecx
		cmp	cx, dx
		jnz	short loc_914478

loc_91446D:				; CODE XREF: _RegRtlCreateTreeTransacted+117EB4j
		add	esi, 2
		movzx	eax, word ptr [esi]
		cmp	ax, dx
		jz	short loc_91446D

loc_914478:				; CODE XREF: _RegRtlCreateTreeTransacted+117EA9j
		movzx	eax, ax
		neg	eax
		sbb	eax, eax
		and	esi, eax
		jz	short loc_91448E
		mov	ecx, [ebp+arg_0]
		push	4
		and	ecx, 0FFFFFFFCh
		pop	edx
		jmp	short loc_914494
; 

loc_91448E:				; CODE XREF: _RegRtlCreateTreeTransacted+117E94j
					; _RegRtlCreateTreeTransacted+117EBFj
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]

loc_914494:				; CODE XREF: _RegRtlCreateTreeTransacted+117ECAj
		push	[ebp+arg_18]
		mov	eax, esi
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, [ebp+arg_14]
		test	esi, esi
		push	eax
		lea	eax, [esp+28h+var_C]
		push	eax
		setnz	al
		dec	al
		and	al, byte ptr [ebp+arg_C]
		movzx	eax, al
		push	eax
		mov	eax, esi
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, [ebp+arg_8]
		push	eax
		push	edx
		mov	edx, [esp+38h+var_4]
		push	ecx
		mov	ecx, edi
		call	_RegRtlCreateKeyTransacted
		mov	edi, eax
		mov	eax, [esp+20h+var_10]
		cmp	eax, [esp+20h+var_8]
		jz	short loc_9144E8
		cmp	eax, 80000002h
		jz	short loc_9144E8
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_9144E8:				; CODE XREF: _RegRtlCreateTreeTransacted+117F17j
					; _RegRtlCreateTreeTransacted+117F1Ej
		test	edi, edi
		jnz	short loc_9144FD
		test	esi, esi
		jnz	loc_91443A
		mov	ecx, [ebp+arg_10]
		mov	eax, [esp+20h+var_C]
		mov	[ecx], eax

loc_9144FD:				; CODE XREF: _RegRtlCreateTreeTransacted+117E44j
					; _RegRtlCreateTreeTransacted+117F28j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7FC60E
; END OF FUNCTION CHUNK	FOR _RegRtlCreateTreeTransacted
; 
; START	OF FUNCTION CHUNK FOR _RegRtlCreateKeyTransacted

loc_91450A:				; CODE XREF: _RegRtlCreateKeyTransacted+2Ej
		lea	edx, [ebp+var_8]
		call	_RegRtlOpenPredefinedKey
		mov	edi, eax
		test	edi, edi
		js	loc_7FC6BE
		mov	esi, [ebp+var_8]
		jmp	loc_7FC64E
; 

loc_914524:				; CODE XREF: _RegRtlCreateKeyTransacted+88j
		push	[ebp+arg_18]
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_2C]
		push	[ebp+arg_0]
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_10]
		push	eax
		call	_NtCreateKeyTransacted_Stub@32 ; NtCreateKeyTransacted_Stub(x,x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C000007Ah
		jnz	loc_7FC6BE
		mov	edi, 0C0190004h
		jmp	loc_7FC6BE
; END OF FUNCTION CHUNK	FOR _RegRtlCreateKeyTransacted
; 
; START	OF FUNCTION CHUNK FOR _CmOpenCommonClassRegKey

loc_914553:				; CODE XREF: _CmOpenCommonClassRegKey+8Dj
		cmp	eax, 0C0000120h
		jz	short loc_91456C
		test	eax, eax
		jz	loc_7FC771

loc_914562:				; CODE XREF: _CmOpenCommonClassRegKey+117EC6j
		mov	esi, 0C00000E5h
		jmp	loc_7FC7A3
; 

loc_91456C:				; CODE XREF: _CmOpenCommonClassRegKey+117E7Cj
					; _CmOpenCommonClassRegKey+117EBCj
		mov	esi, [ebp+var_30]
		jmp	loc_7FC798
; 

loc_914574:				; CODE XREF: _CmOpenCommonClassRegKey+B6j
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	0Bh
		push	ebx
		push	[ebp+var_38]
		push	[ebp+var_40]
		call	edi
		cmp	eax, 0C0000002h
		jz	loc_7FC798
		cmp	eax, 0C0000120h
		jz	short loc_91456C
		test	eax, eax
		jz	loc_7FC798
		jmp	short loc_914562
; 

loc_9145A4:				; CODE XREF: _CmOpenCommonClassRegKey+4Bj
		mov	esi, 0C000000Dh
		jmp	loc_7FC79B
; END OF FUNCTION CHUNK	FOR _CmOpenCommonClassRegKey
; 
; START	OF FUNCTION CHUNK FOR _CmOpenCommonClassRegKeyWorker

loc_9145AE:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+44j
		mov	edi, 140h
		mov	[esp+30h+var_14], edi
		jmp	loc_7FC80E
; 

loc_9145BC:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+86j
		mov	edi, [esp+30h+var_24]
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+30h+var_10]
		xor	edi, edi
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [esp+30h+var_14]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7FC968
		mov	edi, [esp+30h+var_14]
		push	52504E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, [esp+30h+var_C]
		jmp	loc_7FC81B
; 

loc_914602:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+5Fj
		mov	esi, 0C0000017h
		jmp	loc_7FC854
; 

loc_91460C:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+EBj
		mov	esi, 0C000000Dh
		jmp	loc_7FC968
; 

loc_914616:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+136j
		push	1
		lea	eax, [esp+34h+var_8]
		push	eax
		push	(offset	loc_404F87+1)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_91463A
		push	0Eh
		pop	eax
		mov	[esp+30h+var_1C], eax
		add	edi, 24h
		jmp	loc_7FC90A
; 

loc_91463A:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+117E65j
		push	4
		pop	eax
		jmp	loc_7FC90A
; 

loc_914642:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+C4j
					; _CmOpenCommonClassRegKeyWorker+CEj
		mov	esi, 0C000000Dh
		jmp	loc_7FC964
; 

loc_91464C:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+9Fj
		mov	edi, ecx
		test	ebx, ebx
		jnz	short loc_914656
		xor	ecx, ecx
		jmp	short loc_914659
; 

loc_914656:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+117E8Cj
		mov	ecx, [ebx+74h]

loc_914659:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+117E90j
		lea	eax, [esp+30h+var_18]
		xor	edx, edx
		push	eax
		push	2000000h
		call	__SysCtxRegOpenCurrentUserKey@16 ; _SysCtxRegOpenCurrentUserKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7FC964
		mov	edx, [esp+30h+var_18]
		mov	[esp+30h+var_20], edx
		jmp	loc_7FC922
; 

loc_914681:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+162j
		test	ebx, ebx
		jnz	short loc_914689
		xor	ecx, ecx
		jmp	short loc_91468C
; 

loc_914689:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+117EBFj
		mov	ecx, [ebx+74h]

loc_91468C:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+117EC3j
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	ecx
		push	0
		push	[ebp+arg_8]
		push	0
		push	edi
		call	__SysCtxRegCreateTree@36 ; _SysCtxRegCreateTree(x,x,x,x,x,x,x,x,x)
		jmp	loc_7FC959
; 

loc_9146A5:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+16Aj
		xor	ecx, ecx
		jmp	loc_7FC937
; 

loc_9146AC:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+1E0j
		lea	eax, [esp+30h+var_20]
		mov	ecx, ebx
		push	eax
		push	9
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7FC964
		push	[ebp+arg_10]
		mov	ecx, [ebx+74h]
		push	[ebp+arg_8]
		mov	edx, [esp+38h+var_20]
		push	0
		push	edi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_7FC959
		mov	ecx, [ebp+arg_14]
		mov	dword ptr [ecx], 2
		jmp	loc_7FC959
; 

loc_9146F0:				; CODE XREF: _CmOpenCommonClassRegKeyWorker+1A9j
		push	[esp+30h+var_18]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7FC973
; END OF FUNCTION CHUNK	FOR _CmOpenCommonClassRegKeyWorker
; 
; START	OF FUNCTION CHUNK FOR _CmGetCommonClassRegKeyPath

loc_9146FE:				; CODE XREF: _CmGetCommonClassRegKeyPath+15j
					; _CmGetCommonClassRegKeyPath+2Aj ...
		mov	eax, 0C000000Dh
		jmp	loc_7FCA70
; 

loc_914708:				; CODE XREF: _CmGetCommonClassRegKeyPath+4Aj
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jnz	short loc_914779
		mov	edi, edx
		xor	ecx, ecx
		lea	ebx, [edi+2]

loc_914716:				; CODE XREF: _CmGetCommonClassRegKeyPath+117D69j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, cx
		jnz	short loc_914716
		sub	edi, ebx
		sar	edi, 1
		lea	ebx, [edi+34h]
		test	esi, esi
		jz	short loc_914747
		mov	edi, esi
		lea	eax, [edi+2]
		mov	[ebp+arg_0], eax

loc_914734:				; CODE XREF: _CmGetCommonClassRegKeyPath+117D87j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, cx
		jnz	short loc_914734
		sub	edi, [ebp+arg_0]
		inc	ebx
		sar	edi, 1
		add	ebx, edi

loc_914747:				; CODE XREF: _CmGetCommonClassRegKeyPath+117D74j
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	short loc_914750
		mov	[eax], ebx

loc_914750:				; CODE XREF: _CmGetCommonClassRegKeyPath+117D96j
		cmp	ebx, [ebp+arg_10]
		ja	loc_7FCA94
		test	esi, esi
		jz	short loc_91476E
		push	esi
		push	edx
		push	(offset	loc_8C8FD1+1)
		push	offset ??_C@_1BC@GLIGFLDD@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@	; "%s\\%s\\%s"
		jmp	loc_914809
; 

loc_91476E:				; CODE XREF: _CmGetCommonClassRegKeyPath+117DA5j
		push	edx
		push	(offset	loc_8C8FD1+1)
		jmp	loc_7FCA56
; 

loc_914779:				; CODE XREF: _CmGetCommonClassRegKeyPath+117D57j
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_9146FE
		mov	edi, edx
		xor	ecx, ecx
		lea	eax, [edi+2]
		mov	[ebp+arg_0], eax

loc_914788:				; CODE XREF: _CmGetCommonClassRegKeyPath+117DDBj
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, cx
		jnz	short loc_914788
		sub	edi, [ebp+arg_0]
		sar	edi, 1
		lea	eax, [edi+31h]
		mov	[ebp+arg_4], eax
		test	esi, esi
		jz	short loc_9147C0
		mov	edi, esi
		lea	eax, [edi+2]
		mov	[ebp+arg_0], eax

loc_9147AA:				; CODE XREF: _CmGetCommonClassRegKeyPath+117DFDj
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, cx
		jnz	short loc_9147AA
		sub	edi, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		sar	edi, 1
		inc	eax
		add	eax, edi

loc_9147C0:				; CODE XREF: _CmGetCommonClassRegKeyPath+117DEAj
		mov	edi, [ebp+arg_14]
		test	edi, edi
		jz	short loc_9147C9
		mov	[edi], eax

loc_9147C9:				; CODE XREF: _CmGetCommonClassRegKeyPath+117E0Fj
		cmp	eax, [ebp+arg_10]
		ja	loc_7FCA94
		test	esi, esi
		jz	short loc_9147FD
		push	esi
		push	edx
		push	ebx
		push	offset ??_C@_1FG@MPFEKKOF@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; char
		push	offset ??_C@_1BM@OHMKBCBF@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; wchar_t *
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 28h
		jmp	loc_7FCA70
; 

loc_9147FD:				; CODE XREF: _CmGetCommonClassRegKeyPath+117E1Ej
		push	edx
		push	ebx
		push	offset ??_C@_1FG@MPFEKKOF@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; char
		push	offset ??_C@_1BG@JBOBLEJK@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; wchar_t *

loc_914809:				; CODE XREF: _CmGetCommonClassRegKeyPath+117DB3j
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 24h
		jmp	loc_7FCA70
; 

loc_914823:				; CODE XREF: _CmGetCommonClassRegKeyPath+98j
		push	edx		; char
		push	offset ??_C@_15GANGMFKL@?$AA?$CF?$AAs@NNGAKEGL@	; "%"
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 1Ch
		jmp	loc_7FCA70
; END OF FUNCTION CHUNK	FOR _CmGetCommonClassRegKeyPath
; 
; START	OF FUNCTION CHUNK FOR PiCMCaptureObjectInputData

loc_914843:				; CODE XREF: PiCMCaptureObjectInputData+4Ej
					; PiCMCaptureObjectInputData+56j
		mov	byte ptr [eax],	0
		jmp	loc_7FCAF8
; 

loc_91484B:				; CODE XREF: PiCMCaptureObjectInputData+5Fj
					; PiCMCaptureObjectInputData+74j
		mov	ebx, 0C000000Dh
		jmp	short loc_914866
; END OF FUNCTION CHUNK	FOR PiCMCaptureObjectInputData

;  S U B	R O U T	I N E 


sub_914852	proc near		; DATA XREF: .text:006A540Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_914852	endp


;  S U B	R O U T	I N E 


sub_914860	proc near		; DATA XREF: .text:006A5410o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-28h]
sub_914860	endp

; START	OF FUNCTION CHUNK FOR PiCMCaptureObjectInputData

loc_914866:				; CODE XREF: PiCMCaptureObjectInputData+117DB4j
		mov	[ebp+var_1C], ebx
		jmp	loc_7FCB16
; 

loc_91486E:				; CODE XREF: PiCMCaptureObjectInputData+CCj
		test	eax, eax
		jz	loc_7FCB34

loc_914876:				; CODE XREF: PiCMCaptureObjectInputData+A4j
		cmp	dword ptr [esi+10h], 2
		jnb	loc_7FCB46

loc_914880:				; CODE XREF: PiCMCaptureObjectInputData+9Cj
		mov	ebx, 0C000000Dh

loc_914885:				; CODE XREF: PiCMCaptureObjectInputData+86j
					; PiCMCaptureObjectInputData+ACj
		cmp	[ebp+var_20], 0
		jz	short loc_9148A0
		mov	eax, [esi+0Ch]
		cmp	byte ptr [ebp+var_24], 0
		jz	short loc_9148A0
		test	eax, eax
		jz	short loc_9148A0
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9148A0:				; CODE XREF: PiCMCaptureObjectInputData+117DEDj
					; PiCMCaptureObjectInputData+117DF6j ...
		push	7
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		jmp	loc_7FCB4E
; 

loc_9148AE:				; CODE XREF: PiCMCaptureObjectInputData+2Aj
					; PiCMCaptureObjectInputData+32j
		mov	ebx, 0C000000Dh
		mov	esi, [ebp+arg_4]
		jmp	loc_7FCB46
; END OF FUNCTION CHUNK	FOR PiCMCaptureObjectInputData
; 
; START	OF FUNCTION CHUNK FOR PiCMGetObjectList

loc_9148BB:				; CODE XREF: PiCMGetObjectList+82j
		jz	short loc_9148DE
		sub	eax, 1
		jz	short loc_9148F2
		sub	eax, 1
		jz	short loc_9148EE
		sub	eax, 1
		jz	short loc_9148EA
		sub	eax, 1
		jz	short loc_9148E6
		sub	eax, 1
		jnz	loc_7FCC49
		push	5
		jmp	short loc_9148E0
; 

loc_9148DE:				; CODE XREF: PiCMGetObjectList:loc_9148BBj
		push	6

loc_9148E0:				; CODE XREF: PiCMGetObjectList+117D32j
					; PiCMGetObjectList+117D3Ej ...
		pop	esi
		jmp	loc_7FCC51
; 

loc_9148E6:				; CODE XREF: PiCMGetObjectList+117D25j
		push	3
		jmp	short loc_9148E0
; 

loc_9148EA:				; CODE XREF: PiCMGetObjectList+117D20j
		push	4
		jmp	short loc_9148E0
; 

loc_9148EE:				; CODE XREF: PiCMGetObjectList+117D1Bj
		push	2
		jmp	short loc_9148E0
; 

loc_9148F2:				; CODE XREF: PiCMGetObjectList+117D16j
		xor	esi, esi
		mov	edi, 0C00000BBh
		inc	esi
		jmp	loc_7FCC51
; 

loc_9148FF:				; CODE XREF: PiCMGetObjectList+8Dj
		sub	eax, 1
		jz	short loc_914923
		sub	eax, 1
		jz	short loc_91491F
		sub	eax, 1
		jz	short loc_91491B
		sub	eax, 1
		jnz	loc_7FCC49
		push	0Bh
		jmp	short loc_914925
; 

loc_91491B:				; CODE XREF: PiCMGetObjectList+117D62j
		push	0Ah
		jmp	short loc_914925
; 

loc_91491F:				; CODE XREF: PiCMGetObjectList+117D5Dj
		push	9
		jmp	short loc_914925
; 

loc_914923:				; CODE XREF: PiCMGetObjectList+117D58j
		push	8

loc_914925:				; CODE XREF: PiCMGetObjectList+117D6Fj
					; PiCMGetObjectList+117D73j ...
		pop	ebx
		jmp	loc_7FCC3D
; 

loc_91492B:				; CODE XREF: PiCMGetObjectList+68j
					; PiCMGetObjectList+74j ...
		mov	edi, 0C000000Dh
		jmp	loc_7FCCE7
; 

loc_914935:				; CODE XREF: PiCMGetObjectList+D1j
		mov	edi, 0C000009Ah
		jmp	loc_7FCCE7
; 

loc_91493F:				; CODE XREF: PiCMGetObjectList+40j
					; PiCMGetObjectList+4Aj ...
		mov	ebx, [ebp+var_8]
		mov	edi, 0C000000Dh
		jmp	loc_7FCC99
; 

loc_91494C:				; CODE XREF: PiCMGetObjectList+125j
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	loc_7FCCD5
		push	0
		push	[ebp+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7FCCD5
; END OF FUNCTION CHUNK	FOR PiCMGetObjectList
; 
; START	OF FUNCTION CHUNK FOR DrvDbGetDriverDatabaseList

loc_91496E:				; CODE XREF: DrvDbGetDriverDatabaseList+41j
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_10]
		push	7
		push	dword ptr [ebx+0Ch]
		push	dword ptr [ecx]
		call	eax
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+var_8]
		test	al, al
		jz	loc_7FCD92
		jmp	loc_7FCD51
; END OF FUNCTION CHUNK	FOR DrvDbGetDriverDatabaseList
; 
; START	OF FUNCTION CHUNK FOR FilterEvalStrict

loc_914990:				; CODE XREF: FilterEvalStrict+167j
		cmp	edx, offset loc_500000
		jnz	loc_914A6D
		test	dword ptr [esi], 0FF00000h
		jz	short loc_9149EA
		lea	eax, [ebp+arg_4]
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	_FindFilterOperatorClose@12 ; FindFilterOperatorClose(x,x,x)
		mov	edx, eax
		mov	eax, [ebp+arg_4]
		inc	eax
		mov	[ebp+arg_4], eax
		test	edx, edx
		jz	short loc_9149C5
		mov	eax, edx
		jmp	loc_7FCF86
; 

loc_9149C5:				; CODE XREF: FilterEvalStrict+117B8Aj
		push	[ebp+arg_8]
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_14]
		push	esi
		push	eax
		call	FilterEvalStrict
		mov	edi, eax
		test	edi, edi
		jnz	loc_7FCF86
		imul	eax, [ebp+arg_4], 2Ch
		add	esi, eax
		sub	ebx, [ebp+arg_4]
		jmp	short loc_914A45
; 

loc_9149EA:				; CODE XREF: FilterEvalStrict+117B70j
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, [ebp+var_18]
		add	eax, 30h
		push	eax
		push	[ebp+var_10]
		call	[ebp+var_14]
		mov	edi, eax
		cmp	edi, 0C0000225h
		jnz	short loc_914A17
		mov	eax, 0C0000001h
		jmp	loc_7FCF86
; 

loc_914A17:				; CODE XREF: FilterEvalStrict+117BD9j
		test	edi, edi
		jnz	loc_7FCF86
		push	[ebp+arg_8]	; int
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	dword ptr [eax+50h] ; int
		push	dword ptr [eax+54h] ; wchar_t *
		push	dword ptr [eax+4Ch] ; int
		push	dword ptr [esi]	; int
		push	[ebp+var_C]	; int
		call	PropertyEval
		mov	esi, [ebp+var_18]
		add	esi, 58h
		dec	ebx

loc_914A45:				; CODE XREF: FilterEvalStrict+117BB6j
		mov	edx, [ebp+arg_8]
		xor	eax, eax
		xor	ecx, ecx
		cmp	[edx], ecx
		setz	al
		mov	[edx], eax
		mov	edx, [ebp+arg_0]
		jmp	loc_7FCF55
; 

loc_914A5B:				; CODE XREF: FilterEvalStrict+171j
		cmp	eax, 600000h
		jnz	short loc_914A6D
		cmp	edx, offset loc_500000
		jmp	loc_7FCF71
; 

loc_914A6D:				; CODE XREF: FilterEvalStrict+32j
					; FilterEvalStrict+43j	...
		mov	eax, 0C000000Dh
		jmp	loc_7FCF86
; END OF FUNCTION CHUNK	FOR FilterEvalStrict
; 
; START	OF FUNCTION CHUNK FOR PropertyEval

loc_914A77:				; CODE XREF: PropertyEval+163j
		cmp	edi, 2012h
		jz	loc_7FD08B
		cmp	edi, 19h
		jz	loc_7FD08B
		jmp	short loc_914A91 ; default
; 

loc_914A8E:				; CODE XREF: PropertyEval+82j
					; PropertyEval+8Bj ...
		mov	ebx, [ebp+arg_14]

loc_914A91:				; CODE XREF: PropertyEval+98j
					; PropertyEval+A1j ...
		mov	[ebp+var_1C], 0C00000BBh ; default
		jmp	loc_7FD0F8
; 

loc_914A9D:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:off_7FD284o
		cmp	eax, edi
		mov	ebx, [ebp+arg_14]
		jnz	short loc_914A91 ; default
		cmp	esi, 2
		jnz	short loc_914A91 ; default
		test	edx, edx
		jnz	loc_7FD0F4
		cmp	[ebp+arg_C], edx
		jmp	loc_7FD135
; 

loc_914AB9:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD288o
		add	eax, 0FFFFFFFEh
		cmp	eax, 0Dh
		mov	ebx, [ebp+arg_14]
		ja	short loc_914A91 ; default
		jmp	ds:off_91818B[eax*4] ; case 0x6

loc_914ACB:				; DATA XREF: PAGE:off_91818Bo
		dec	esi
		sub	esi, 1
		jz	loc_7FD206
		sub	esi, 1
		jz	short loc_914B40
		sub	esi, 1
		jz	short loc_914B23
		sub	esi, 1
		jz	short loc_914B06
		sub	esi, 1
		jnz	short loc_914A91 ; default
		mov	cl, [edx]
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		cmp	cl, [eax]
		jmp	short loc_914AFE
; 

loc_914AF4:				; CODE XREF: PropertyEval+117D22j
		movsx	ecx, byte ptr [edx]

loc_914AF7:				; CODE XREF: PropertyEval+118456j
					; PropertyEval+1187D2j	...
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax]

loc_914AFE:				; CODE XREF: PropertyEval+117AAEj
					; PropertyEval+117C59j
		setle	dl
		jmp	loc_7FD212
; 

loc_914B06:				; CODE XREF: PropertyEval+117A9Ej
		mov	cl, [edx]
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		cmp	cl, [eax]
		jmp	short loc_914B1B
; 

loc_914B11:				; CODE XREF: PropertyEval+117D13j
		movsx	ecx, byte ptr [edx]

loc_914B14:				; CODE XREF: PropertyEval+11845Ej
					; PropertyEval+1187DAj	...
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax]

loc_914B1B:				; CODE XREF: PropertyEval+117ACBj
					; PropertyEval+117C6Fj
		setnl	dl
		jmp	loc_7FD212
; 

loc_914B23:				; CODE XREF: PropertyEval+117A99j
		mov	cl, [edx]
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		cmp	cl, [eax]
		jmp	short loc_914B38
; 

loc_914B2E:				; CODE XREF: PropertyEval+117D0Aj
		movsx	ecx, byte ptr [edx]

loc_914B31:				; CODE XREF: PropertyEval+118466j
					; PropertyEval+1187E2j	...
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax]

loc_914B38:				; CODE XREF: PropertyEval+117AE8j
					; PropertyEval+117C85j
		setl	dl
		jmp	loc_7FD212
; 

loc_914B40:				; CODE XREF: PropertyEval+117A94j
		mov	cl, [edx]
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		cmp	cl, [eax]
		jmp	short loc_914B55
; 

loc_914B4B:				; CODE XREF: PropertyEval+117D01j
		movsx	ecx, byte ptr [edx]

loc_914B4E:				; CODE XREF: PropertyEval+11846Ej
					; PropertyEval+1187EAj	...
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax]

loc_914B55:				; CODE XREF: PropertyEval+117B05j
					; PropertyEval+117C9Bj
		setnle	dl
		jmp	loc_7FD212
; 

loc_914B5D:				; CODE XREF: PropertyEval+117A80j
					; DATA XREF: PAGE:0091818Fo
		dec	esi
		sub	esi, 1
		jz	loc_914C53
		sub	esi, 1
		jz	loc_914C1F
		sub	esi, 1
		jz	short loc_914BEB
		sub	esi, 1
		jz	short loc_914BB7
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	short loc_914B91
; 

loc_914B8B:				; CODE XREF: PropertyEval+117CE0j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]

loc_914B91:				; CODE XREF: PropertyEval+117B45j
		movsx	edx, byte ptr [edx]
		jmp	short loc_914B9F
; 

loc_914B96:				; CODE XREF: PropertyEval+118AA3j
		movzx	edx, word ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]

loc_914B9F:				; CODE XREF: PropertyEval+117B50j
					; PropertyEval+1182F0j	...
		xor	ecx, ecx
		cmp	edx, eax
		jmp	short loc_914BAF
; 

loc_914BA5:				; CODE XREF: PropertyEval+118D2Ej
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]

loc_914BAB:				; CODE XREF: PropertyEval+118D57j
					; PropertyEval+118DACj	...
		xor	ecx, ecx
		cmp	[edx], eax

loc_914BAF:				; CODE XREF: PropertyEval+117B5Fj
					; PropertyEval+118689j
		setle	cl
		jmp	loc_7FD271
; 

loc_914BB7:				; CODE XREF: PropertyEval+117B34j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	short loc_914BC5
; 

loc_914BBF:				; CODE XREF: PropertyEval+117CD1j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]

loc_914BC5:				; CODE XREF: PropertyEval+117B79j
		movsx	edx, byte ptr [edx]
		jmp	short loc_914BD3
; 

loc_914BCA:				; CODE XREF: PropertyEval+118A94j
		movzx	edx, word ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]

loc_914BD3:				; CODE XREF: PropertyEval+117B84j
					; PropertyEval+118303j	...
		xor	ecx, ecx
		cmp	edx, eax
		jmp	short loc_914BE3
; 

loc_914BD9:				; CODE XREF: PropertyEval+118D1Fj
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]

loc_914BDF:				; CODE XREF: PropertyEval+118D62j
					; PropertyEval+118DB7j	...
		xor	ecx, ecx
		cmp	[edx], eax

loc_914BE3:				; CODE XREF: PropertyEval+117B93j
					; PropertyEval+1186A2j
		setnl	cl
		jmp	loc_7FD271
; 

loc_914BEB:				; CODE XREF: PropertyEval+117B2Fj
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	short loc_914BF9
; 

loc_914BF3:				; CODE XREF: PropertyEval+117CC8j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]

loc_914BF9:				; CODE XREF: PropertyEval+117BADj
		movsx	edx, byte ptr [edx]
		jmp	short loc_914C07
; 

loc_914BFE:				; CODE XREF: PropertyEval+118A8Bj
		movzx	edx, word ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]

loc_914C07:				; CODE XREF: PropertyEval+117BB8j
					; PropertyEval+118316j	...
		xor	ecx, ecx
		cmp	edx, eax
		jmp	short loc_914C17
; 

loc_914C0D:				; CODE XREF: PropertyEval+118D16j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]

loc_914C13:				; CODE XREF: PropertyEval+118D6Dj
					; PropertyEval+118DC2j	...
		xor	ecx, ecx
		cmp	[edx], eax

loc_914C17:				; CODE XREF: PropertyEval+117BC7j
					; PropertyEval+1186BBj
		setl	cl
		jmp	loc_7FD271
; 

loc_914C1F:				; CODE XREF: PropertyEval+117B26j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	short loc_914C2D
; 

loc_914C27:				; CODE XREF: PropertyEval+117CBFj
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]

loc_914C2D:				; CODE XREF: PropertyEval+117BE1j
		movsx	edx, byte ptr [edx]
		jmp	short loc_914C3B
; 

loc_914C32:				; CODE XREF: PropertyEval+118A82j
		movzx	edx, word ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]

loc_914C3B:				; CODE XREF: PropertyEval+117BECj
					; PropertyEval+118329j	...
		xor	ecx, ecx
		cmp	edx, eax
		jmp	short loc_914C4B
; 

loc_914C41:				; CODE XREF: PropertyEval+118D0Dj
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]

loc_914C47:				; CODE XREF: PropertyEval+118D78j
					; PropertyEval+118DCDj	...
		xor	ecx, ecx
		cmp	[edx], eax

loc_914C4B:				; CODE XREF: PropertyEval+117BFBj
					; PropertyEval+1186D4j
		setnle	cl
		jmp	loc_7FD271
; 

loc_914C53:				; CODE XREF: PropertyEval+117B1Dj
		movsx	ecx, byte ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	short loc_914C67
; 

loc_914C5E:				; CODE XREF: PropertyEval+118A79j
		movzx	ecx, word ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]

loc_914C67:				; CODE XREF: PropertyEval+117C18j
					; PropertyEval+117CF3j	...
		sub	ecx, eax
		jmp	loc_7FD26C
; 

loc_914C6E:				; CODE XREF: PropertyEval+117A80j
					; DATA XREF: PAGE:00918193o
		dec	esi
		sub	esi, 1
		jz	short loc_914CE4
		sub	esi, 1
		jz	short loc_914CCE
		sub	esi, 1
		jz	short loc_914CB8
		sub	esi, 1
		jz	short loc_914CA2
		sub	esi, 1
		jnz	loc_914A91	; default
		movsx	cx, byte ptr [edx]
		jmp	short loc_914C95
; 

loc_914C92:				; CODE XREF: PropertyEval+118752j
		mov	cx, [edx]

loc_914C95:				; CODE XREF: PropertyEval+117C4Cj
					; PropertyEval+1183B4j
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		cmp	cx, [eax]
		jmp	loc_914AFE
; 

loc_914CA2:				; CODE XREF: PropertyEval+117C3Dj
		movsx	cx, byte ptr [edx]
		jmp	short loc_914CAB
; 

loc_914CA8:				; CODE XREF: PropertyEval+118743j
		mov	cx, [edx]

loc_914CAB:				; CODE XREF: PropertyEval+117C62j
					; PropertyEval+1183BCj
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		cmp	cx, [eax]
		jmp	loc_914B1B
; 

loc_914CB8:				; CODE XREF: PropertyEval+117C38j
		movsx	cx, byte ptr [edx]
		jmp	short loc_914CC1
; 

loc_914CBE:				; CODE XREF: PropertyEval+11873Aj
		mov	cx, [edx]

loc_914CC1:				; CODE XREF: PropertyEval+117C78j
					; PropertyEval+1183C4j
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		cmp	cx, [eax]
		jmp	loc_914B38
; 

loc_914CCE:				; CODE XREF: PropertyEval+117C33j
		movsx	cx, byte ptr [edx]
		jmp	short loc_914CD7
; 

loc_914CD4:				; CODE XREF: PropertyEval+118731j
		mov	cx, [edx]

loc_914CD7:				; CODE XREF: PropertyEval+117C8Ej
					; PropertyEval+1183CCj
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		cmp	cx, [eax]
		jmp	loc_914B55
; 

loc_914CE4:				; CODE XREF: PropertyEval+117C2Ej
		movsx	cx, byte ptr [edx]
		jmp	short loc_914CED
; 

loc_914CEA:				; CODE XREF: PropertyEval+118728j
					; PropertyEval+118AACj
		mov	cx, [edx]

loc_914CED:				; CODE XREF: PropertyEval+117CA4j
					; PropertyEval+1183D4j
		xor	edx, edx
		mov	eax, [ebp+arg_C]
		cmp	cx, [eax]
		jmp	loc_7FD20F
; 

loc_914CFA:				; CODE XREF: PropertyEval+117A80j
					; DATA XREF: PAGE:00918197o
		dec	esi
		sub	esi, 1
		jz	short loc_914D29
		sub	esi, 1
		jz	loc_914C27
		sub	esi, 1
		jz	loc_914BF3
		sub	esi, 1
		jz	loc_914BBF
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_914B8B
; 

loc_914D29:				; CODE XREF: PropertyEval+117CBAj
		movsx	ecx, byte ptr [edx]
		jmp	short loc_914D31
; 

loc_914D2E:				; CODE XREF: PropertyEval+11875Bj
		movsx	ecx, word ptr [edx]

loc_914D31:				; CODE XREF: PropertyEval+117CE8j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_914C67
; 

loc_914D3C:				; CODE XREF: PropertyEval+117A80j
					; DATA XREF: PAGE:0091819Bo
		dec	esi
		sub	esi, 1
		jz	short loc_914D6B
		sub	esi, 1
		jz	loc_914B4B
		sub	esi, 1
		jz	loc_914B2E
		sub	esi, 1
		jz	loc_914B11
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_914AF4
; 

loc_914D6B:				; CODE XREF: PropertyEval+117CFCj
					; PropertyEval+117D33j
		movsx	ecx, byte ptr [edx]
		jmp	loc_7FD267
; 

loc_914D73:				; CODE XREF: PropertyEval+117A80j
					; DATA XREF: PAGE:0091819Fo
		dec	esi
		sub	esi, 1
		jz	short loc_914D6B
		sub	esi, 1
		jz	short loc_914DC5
		sub	esi, 1
		jz	short loc_914DBD
		sub	esi, 1
		jz	short loc_914D9F
		sub	esi, 1
		jnz	loc_914A91	; default
		movsx	ecx, byte ptr [edx]
		jmp	short loc_914D98
; 

loc_914D96:				; CODE XREF: PropertyEval+118E82j
		mov	ecx, [edx]

loc_914D98:				; CODE XREF: PropertyEval+117D50j
					; PropertyEval+11849Cj	...
		mov	eax, [ebp+arg_C]
		cmp	[eax], ecx
		jmp	short loc_914DB6
; 

loc_914D9F:				; CODE XREF: PropertyEval+117D42j
		movsx	ecx, byte ptr [edx]
		jmp	short loc_914DA6
; 

loc_914DA4:				; CODE XREF: PropertyEval+118E73j
		mov	ecx, [edx]

loc_914DA6:				; CODE XREF: PropertyEval+117D5Ej
					; PropertyEval+1184A4j	...
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax]
		jmp	short loc_914DB6
; 

loc_914DAD:				; CODE XREF: PropertyEval+1183F7j
		movzx	ecx, byte ptr [edx]

loc_914DB0:				; CODE XREF: PropertyEval+118AD9j
		mov	eax, [ebp+arg_C]
		cmp	[eax], cx

loc_914DB6:				; CODE XREF: PropertyEval+117D59j
					; PropertyEval+117D67j	...
		sbb	eax, eax
		jmp	loc_7FD1EE
; 

loc_914DBD:				; CODE XREF: PropertyEval+117D3Dj
		movsx	ecx, byte ptr [edx]
		jmp	loc_7FD257
; 

loc_914DC5:				; CODE XREF: PropertyEval+117D38j
		movsx	ecx, byte ptr [edx]
		jmp	loc_7FD27A
; 

loc_914DCD:				; CODE XREF: PropertyEval+117A80j
					; DATA XREF: PAGE:009181A3o ...
		dec	esi
		sub	esi, 1
		jz	loc_914EAF
		sub	esi, 1
		jz	loc_914E80
		sub	esi, 1
		jz	short loc_914E51
		sub	esi, 1
		jz	short loc_914E22
		sub	esi, 1
		jnz	loc_914A91	; default
		movsx	eax, byte ptr [edx]
		jmp	short loc_914DFA
; 

loc_914DF8:				; CODE XREF: PropertyEval+118EB5j
		mov	eax, [edx]

loc_914DFA:				; CODE XREF: PropertyEval+117DB2j
					; PropertyEval+1184DAj	...
		cdq
		mov	esi, [ebp+arg_C]
		cmp	edx, [esi+4]
		jg	loc_7FD0F4
		jl	loc_7FD0F6
		jmp	short loc_914E11
; 

loc_914E0F:				; CODE XREF: PropertyEval+1195E9j
					; PropertyEval+119669j
		mov	eax, [edx]

loc_914E11:				; CODE XREF: PropertyEval+117DC9j
					; PropertyEval+117EBEj
		cmp	eax, [esi]
		jmp	short loc_914E17
; 

loc_914E15:				; CODE XREF: PropertyEval+119567j
					; PropertyEval+1199D9j
		cmp	[edx], esi

loc_914E17:				; CODE XREF: PropertyEval+117DCFj
					; PropertyEval+11910Ej
		jbe	loc_7FD0F6
		jmp	loc_7FD0F4
; 

loc_914E22:				; CODE XREF: PropertyEval+117DA4j
		movsx	eax, byte ptr [edx]
		jmp	short loc_914E29
; 

loc_914E27:				; CODE XREF: PropertyEval+118EA6j
		mov	eax, [edx]

loc_914E29:				; CODE XREF: PropertyEval+117DE1j
					; PropertyEval+1184E2j	...
		cdq
		mov	esi, [ebp+arg_C]
		cmp	edx, [esi+4]
		jl	loc_7FD0F4
		jg	loc_7FD0F6
		jmp	short loc_914E40
; 

loc_914E3E:				; CODE XREF: PropertyEval+119603j
					; PropertyEval+119683j
		mov	eax, [edx]

loc_914E40:				; CODE XREF: PropertyEval+117DF8j
					; PropertyEval+117EDDj
		cmp	eax, [esi]
		jmp	short loc_914E46
; 

loc_914E44:				; CODE XREF: PropertyEval+119580j
					; PropertyEval+1199F2j
		cmp	[edx], esi

loc_914E46:				; CODE XREF: PropertyEval+117DFEj
					; PropertyEval+119129j
		jnb	loc_7FD0F6
		jmp	loc_7FD0F4
; 

loc_914E51:				; CODE XREF: PropertyEval+117D9Fj
		movsx	eax, byte ptr [edx]
		jmp	short loc_914E58
; 

loc_914E56:				; CODE XREF: PropertyEval+118E9Dj
		mov	eax, [edx]

loc_914E58:				; CODE XREF: PropertyEval+117E10j
					; PropertyEval+1184EAj	...
		cdq
		mov	esi, [ebp+arg_C]
		cmp	edx, [esi+4]
		jg	loc_7FD0F4
		jl	loc_7FD0F6
		jmp	short loc_914E6F
; 

loc_914E6D:				; CODE XREF: PropertyEval+11961Dj
					; PropertyEval+11969Dj
		mov	eax, [edx]

loc_914E6F:				; CODE XREF: PropertyEval+117E27j
					; PropertyEval+117EFCj
		cmp	eax, [esi]
		jmp	short loc_914E75
; 

loc_914E73:				; CODE XREF: PropertyEval+119599j
					; PropertyEval+119A0Bj
		cmp	[edx], esi

loc_914E75:				; CODE XREF: PropertyEval+117E2Dj
					; PropertyEval+119144j
		jb	loc_7FD0F6
		jmp	loc_7FD0F4
; 

loc_914E80:				; CODE XREF: PropertyEval+117D96j
		movsx	eax, byte ptr [edx]
		jmp	short loc_914E87
; 

loc_914E85:				; CODE XREF: PropertyEval+118E94j
		mov	eax, [edx]

loc_914E87:				; CODE XREF: PropertyEval+117E3Fj
					; PropertyEval+1184F2j	...
		cdq
		mov	esi, [ebp+arg_C]
		cmp	edx, [esi+4]
		jl	loc_7FD0F4
		jg	loc_7FD0F6
		jmp	short loc_914E9E
; 

loc_914E9C:				; CODE XREF: PropertyEval+119637j
					; PropertyEval+1196B7j
		mov	eax, [edx]

loc_914E9E:				; CODE XREF: PropertyEval+117E56j
					; PropertyEval+117F1Bj
		cmp	eax, [esi]
		jmp	short loc_914EA4
; 

loc_914EA2:				; CODE XREF: PropertyEval+1195B2j
					; PropertyEval+119A24j
		cmp	[edx], esi

loc_914EA4:				; CODE XREF: PropertyEval+117E5Cj
					; PropertyEval+11915Fj
		ja	loc_7FD0F6
		jmp	loc_7FD0F4
; 

loc_914EAF:				; CODE XREF: PropertyEval+117D8Dj
					; PropertyEval+117E8Aj
		movsx	eax, byte ptr [edx]
		jmp	short loc_914EB6
; 

loc_914EB4:				; CODE XREF: PropertyEval+118E8Bj
					; PropertyEval+118EBEj
		mov	eax, [edx]

loc_914EB6:				; CODE XREF: PropertyEval+117E6Ej
					; PropertyEval+1184FAj	...
		cdq
		mov	esi, [ebp+arg_C]
		cmp	eax, [esi]
		jnz	loc_7FD0F4
		cmp	edx, [esi+4]
		jmp	loc_7FD135
; 

loc_914ECA:				; CODE XREF: PropertyEval+117A80j
					; DATA XREF: PAGE:009181A7o
		dec	esi
		sub	esi, 1
		jz	short loc_914EAF
		sub	esi, 1
		jz	short loc_914F45
		sub	esi, 1
		jz	short loc_914F26
		sub	esi, 1
		jz	short loc_914F07
		sub	esi, 1
		jnz	loc_914A91	; default
		movsx	eax, byte ptr [edx]
		jmp	short loc_914EEF
; 

loc_914EED:				; CODE XREF: PropertyEval+118EE8j
		mov	eax, [edx]

loc_914EEF:				; CODE XREF: PropertyEval+117EA7j
					; PropertyEval+118520j	...
		cdq
		mov	esi, [ebp+arg_C]
		cmp	edx, [esi+4]
		ja	loc_7FD0F4
		jb	loc_7FD0F6
		jmp	loc_914E11
; 

loc_914F07:				; CODE XREF: PropertyEval+117E99j
		movsx	eax, byte ptr [edx]
		jmp	short loc_914F0E
; 

loc_914F0C:				; CODE XREF: PropertyEval+118ED9j
		mov	eax, [edx]

loc_914F0E:				; CODE XREF: PropertyEval+117EC6j
					; PropertyEval+118528j	...
		cdq
		mov	esi, [ebp+arg_C]
		cmp	edx, [esi+4]
		jb	loc_7FD0F4
		ja	loc_7FD0F6
		jmp	loc_914E40
; 

loc_914F26:				; CODE XREF: PropertyEval+117E94j
		movsx	eax, byte ptr [edx]
		jmp	short loc_914F2D
; 

loc_914F2B:				; CODE XREF: PropertyEval+118ED0j
		mov	eax, [edx]

loc_914F2D:				; CODE XREF: PropertyEval+117EE5j
					; PropertyEval+118530j	...
		cdq
		mov	esi, [ebp+arg_C]
		cmp	edx, [esi+4]
		ja	loc_7FD0F4
		jb	loc_7FD0F6
		jmp	loc_914E6F
; 

loc_914F45:				; CODE XREF: PropertyEval+117E8Fj
		movsx	eax, byte ptr [edx]
		jmp	short loc_914F4C
; 

loc_914F4A:				; CODE XREF: PropertyEval+118EC7j
		mov	eax, [edx]

loc_914F4C:				; CODE XREF: PropertyEval+117F04j
					; PropertyEval+118538j	...
		cdq
		mov	esi, [ebp+arg_C]
		cmp	edx, [esi+4]
		jb	loc_7FD0F4
		ja	loc_7FD0F6
		jmp	loc_914E9E
; 

loc_914F64:				; CODE XREF: PropertyEval+117A80j
					; DATA XREF: PAGE:009181ABo
		dec	esi
		sub	esi, 1
		jz	loc_9150C5
		sub	esi, 1
		jz	loc_915186
		sub	esi, 1
		jz	loc_9150EB
		sub	esi, 1
		jz	loc_91502D
		sub	esi, 1
		jnz	loc_914A91	; default
		movsx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	qword ptr [ebp-28h]
		fld	qword ptr [ebp-28h]
		jmp	short loc_914FAB
; 

loc_914FA3:				; CODE XREF: PropertyEval+11A9E8j
		fild	qword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]

loc_914FAB:				; CODE XREF: PropertyEval+117F5Dj
					; PropertyEval+11856Aj	...
		mov	eax, [ebp+arg_C]
		fld	dword ptr [eax]
		jmp	short loc_914FE7
; 

loc_914FB2:				; CODE XREF: PropertyEval+11A122j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]

loc_914FE7:				; CODE XREF: PropertyEval+117F6Cj
					; PropertyEval+119F67j	...
		fcompp	st(1), st
		jmp	short loc_915023
; 

loc_914FEB:				; CODE XREF: PropertyEval+11A658j
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_91501E:				; CODE XREF: PropertyEval+11AE43j
		mov	esi, [ebp+var_20]
		fcomp	qword ptr [esi]

loc_915023:				; CODE XREF: PropertyEval+117FA5j
					; PropertyEval+118240j	...
		fnstsw	ax
		test	ah, 1
		jmp	loc_7FD135
; 

loc_91502D:				; CODE XREF: PropertyEval+117F3Fj
		movsx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	short loc_915046
; 

loc_91503E:				; CODE XREF: PropertyEval+11A9D9j
		fild	qword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]

loc_915046:				; CODE XREF: PropertyEval+117FF8j
					; PropertyEval+11857Ej	...
		mov	eax, [ebp+arg_C]
		fld	dword ptr [eax]
		jmp	short loc_915082
; 

loc_91504D:				; CODE XREF: PropertyEval+11A113j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]

loc_915082:				; CODE XREF: PropertyEval+118007j
					; PropertyEval+119F79j	...
		fcompp	st(1), st
		jmp	short loc_9150BE
; 

loc_915086:				; CODE XREF: PropertyEval+11A649j
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_9150B9:				; CODE XREF: PropertyEval+11AE7Bj
		mov	esi, [ebp+var_20]
		fcomp	qword ptr [esi]

loc_9150BE:				; CODE XREF: PropertyEval+118040j
					; PropertyEval+11821Dj	...
		fnstsw	ax
		test	ah, 41h
		jmp	short loc_9150E0
; 

loc_9150C5:				; CODE XREF: PropertyEval+117F24j
		movsx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_9150D4:				; CODE XREF: PropertyEval+1185BAj
					; PropertyEval+118936j	...
		mov	eax, [ebp+arg_C]
		fld	dword ptr [eax]

loc_9150D9:				; CODE XREF: PropertyEval+1182A9j
					; PropertyEval+119D66j	...
		fucompp
		fnstsw	ax
		test	ah, 44h

loc_9150E0:				; CODE XREF: PropertyEval+11807Fj
					; PropertyEval+1181D8j
		jnp	loc_7FD0F6
		jmp	loc_7FD0F4
; 

loc_9150EB:				; CODE XREF: PropertyEval+117F36j
		movsx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	short loc_915104
; 

loc_9150FC:				; CODE XREF: PropertyEval+11A9D0j
		fild	qword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]

loc_915104:				; CODE XREF: PropertyEval+1180B6j
					; PropertyEval+118592j	...
		mov	eax, [ebp+arg_C]
		fld	dword ptr [eax]
		jmp	short loc_915140
; 

loc_91510B:				; CODE XREF: PropertyEval+11A10Aj
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]

loc_915140:				; CODE XREF: PropertyEval+1180C5j
					; PropertyEval+119F8Bj	...
		fcompp	st(1), st
		jmp	short loc_91517C
; 

loc_915144:				; CODE XREF: PropertyEval+11A640j
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_915177:				; CODE XREF: PropertyEval+11AEB3j
		mov	esi, [ebp+var_20]
		fcomp	qword ptr [esi]

loc_91517C:				; CODE XREF: PropertyEval+1180FEj
					; PropertyEval+118286j	...
		fnstsw	ax
		test	ah, 41h
		jmp	loc_7FD135
; 

loc_915186:				; CODE XREF: PropertyEval+117F2Dj
		movsx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	short loc_91519F
; 

loc_915197:				; CODE XREF: PropertyEval+11A9C7j
		fild	qword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]

loc_91519F:				; CODE XREF: PropertyEval+118151j
					; PropertyEval+1185A6j	...
		mov	eax, [ebp+arg_C]
		fld	dword ptr [eax]
		jmp	short loc_9151DB
; 

loc_9151A6:				; CODE XREF: PropertyEval+11A101j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]

loc_9151DB:				; CODE XREF: PropertyEval+118160j
					; PropertyEval+119F9Dj	...
		fcompp	st(1), st
		jmp	short loc_915217
; 

loc_9151DF:				; CODE XREF: PropertyEval+11A637j
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_915212:				; CODE XREF: PropertyEval+11AEEBj
		mov	esi, [ebp+var_20]
		fcomp	qword ptr [esi]

loc_915217:				; CODE XREF: PropertyEval+118199j
					; PropertyEval+118263j	...
		fnstsw	ax
		test	ah, 5
		jmp	loc_9150E0
; 

loc_915221:				; CODE XREF: PropertyEval+117A80j
					; DATA XREF: PAGE:009181AFo ...
		dec	esi
		sub	esi, 1
		jz	loc_9152CF
		sub	esi, 1
		jz	short loc_9152AC
		sub	esi, 1
		jz	short loc_915289
		sub	esi, 1
		jz	short loc_915266
		sub	esi, 1
		jnz	loc_914A91	; default
		movsx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	short loc_91525C
; 

loc_915254:				; CODE XREF: PropertyEval+11AA28j
		fild	qword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_91525C:				; CODE XREF: PropertyEval+11820Ej
					; PropertyEval+1185ECj	...
		mov	eax, [ebp+arg_C]
		fcomp	qword ptr [eax]
		jmp	loc_9150BE
; 

loc_915266:				; CODE XREF: PropertyEval+1181F4j
		movsx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	short loc_91527F
; 

loc_915277:				; CODE XREF: PropertyEval+11AA19j
		fild	qword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_91527F:				; CODE XREF: PropertyEval+118231j
					; PropertyEval+118600j	...
		mov	eax, [ebp+arg_C]
		fcomp	qword ptr [eax]
		jmp	loc_915023
; 

loc_915289:				; CODE XREF: PropertyEval+1181EFj
		movsx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	short loc_9152A2
; 

loc_91529A:				; CODE XREF: PropertyEval+11AA10j
		fild	qword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_9152A2:				; CODE XREF: PropertyEval+118254j
					; PropertyEval+118614j	...
		mov	eax, [ebp+arg_C]
		fcomp	qword ptr [eax]
		jmp	loc_915217
; 

loc_9152AC:				; CODE XREF: PropertyEval+1181EAj
		movsx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	short loc_9152C5
; 

loc_9152BD:				; CODE XREF: PropertyEval+11AA07j
		fild	qword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_9152C5:				; CODE XREF: PropertyEval+118277j
					; PropertyEval+118628j	...
		mov	eax, [ebp+arg_C]
		fcomp	qword ptr [eax]
		jmp	loc_91517C
; 

loc_9152CF:				; CODE XREF: PropertyEval+1181E1j
		movsx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	short loc_9152E8
; 

loc_9152E0:				; CODE XREF: PropertyEval+11A9FEj
		fild	qword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_9152E8:				; CODE XREF: PropertyEval+11829Aj
					; PropertyEval+11863Cj	...
		mov	eax, [ebp+arg_C]
		fld	qword ptr [eax]
		jmp	loc_9150D9
; 

loc_9152F2:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD28Co
		add	eax, 0FFFFFFFEh
		cmp	eax, 0Dh
		mov	ebx, [ebp+arg_14]
		ja	loc_914A91	; default
		jmp	ds:off_9181C3[eax*4] ; case 0x6

loc_915308:				; CODE XREF: PropertyEval+117A80j
					; DATA XREF: PAGE:off_9181C3o
		dec	esi
		sub	esi, 1
		jz	short loc_915372
		sub	esi, 1
		jz	short loc_91535F
		sub	esi, 1
		jz	short loc_91534C
		sub	esi, 1
		jz	short loc_915339
		sub	esi, 1
		jnz	loc_914A91	; default
		movzx	edx, byte ptr [edx]
		jmp	short loc_91532E
; 

loc_91532B:				; CODE XREF: PropertyEval+118A01j
		movzx	edx, word ptr [edx]

loc_91532E:				; CODE XREF: PropertyEval+1182E5j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	loc_914B9F
; 

loc_915339:				; CODE XREF: PropertyEval+1182D7j
		movzx	edx, byte ptr [edx]
		jmp	short loc_915341
; 

loc_91533E:				; CODE XREF: PropertyEval+1189F2j
		movzx	edx, word ptr [edx]

loc_915341:				; CODE XREF: PropertyEval+1182F8j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	loc_914BD3
; 

loc_91534C:				; CODE XREF: PropertyEval+1182D2j
		movzx	edx, byte ptr [edx]
		jmp	short loc_915354
; 

loc_915351:				; CODE XREF: PropertyEval+1189E9j
		movzx	edx, word ptr [edx]

loc_915354:				; CODE XREF: PropertyEval+11830Bj
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	loc_914C07
; 

loc_91535F:				; CODE XREF: PropertyEval+1182CDj
		movzx	edx, byte ptr [edx]
		jmp	short loc_915367
; 

loc_915364:				; CODE XREF: PropertyEval+1189E0j
		movzx	edx, word ptr [edx]

loc_915367:				; CODE XREF: PropertyEval+11831Ej
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	loc_914C3B
; 

loc_915372:				; CODE XREF: PropertyEval+1182C8j
		movzx	ecx, byte ptr [edx]
		jmp	short loc_91537A
; 

loc_915377:				; CODE XREF: PropertyEval+1189D7j
		movzx	ecx, word ptr [edx]

loc_91537A:				; CODE XREF: PropertyEval+118331j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	loc_914C67
; 

loc_915385:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj
					; DATA XREF: ...
		dec	esi
		sub	esi, 1
		jz	loc_7FD206
		sub	esi, 1
		jz	short loc_9153CB
		sub	esi, 1
		jz	short loc_9153BF
		sub	esi, 1
		jz	short loc_9153B3
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	cl, [edx]
		mov	eax, [ebp+arg_C]
		cmp	[eax], cl
		jmp	loc_914DB6
; 

loc_9153B3:				; CODE XREF: PropertyEval+118358j
		mov	cl, [edx]
		mov	eax, [ebp+arg_C]
		cmp	cl, [eax]
		jmp	loc_914DB6
; 

loc_9153BF:				; CODE XREF: PropertyEval+118353j
		mov	cl, [edx]
		mov	eax, [ebp+arg_C]
		cmp	cl, [eax]
		jmp	loc_7FD25C
; 

loc_9153CB:				; CODE XREF: PropertyEval+11834Ej
		mov	cl, [edx]
		mov	eax, [ebp+arg_C]
		cmp	[eax], cl
		jmp	loc_7FD25C
; 

loc_9153D7:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj
					; DATA XREF: ...
		dec	esi
		sub	esi, 1
		jz	short loc_915415
		sub	esi, 1
		jz	short loc_91540D
		sub	esi, 1
		jz	short loc_915405
		sub	esi, 1
		jz	short loc_9153FD
		sub	esi, 1
		jnz	loc_914A91	; default
		movzx	ecx, byte ptr [edx]
		jmp	loc_914C95
; 

loc_9153FD:				; CODE XREF: PropertyEval+1183A6j
		movzx	ecx, byte ptr [edx]
		jmp	loc_914CAB
; 

loc_915405:				; CODE XREF: PropertyEval+1183A1j
		movzx	ecx, byte ptr [edx]
		jmp	loc_914CC1
; 

loc_91540D:				; CODE XREF: PropertyEval+11839Cj
		movzx	ecx, byte ptr [edx]
		jmp	loc_914CD7
; 

loc_915415:				; CODE XREF: PropertyEval+118397j
					; PropertyEval+1183DDj
		movzx	ecx, byte ptr [edx]
		jmp	loc_914CED
; 

loc_91541D:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj
					; DATA XREF: ...
		dec	esi
		sub	esi, 1
		jz	short loc_915415
		sub	esi, 1
		jz	short loc_915466
		sub	esi, 1
		jz	short loc_915453
		sub	esi, 1
		jz	short loc_915440
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_914DAD
; 

loc_915440:				; CODE XREF: PropertyEval+1183ECj
		movzx	ecx, byte ptr [edx]
		jmp	short loc_915448
; 

loc_915445:				; CODE XREF: PropertyEval+118AC7j
		mov	cx, [edx]

loc_915448:				; CODE XREF: PropertyEval+1183FFj
		mov	eax, [ebp+arg_C]
		cmp	cx, [eax]
		jmp	loc_914DB6
; 

loc_915453:				; CODE XREF: PropertyEval+1183E7j
		movzx	ecx, byte ptr [edx]
		jmp	short loc_91545B
; 

loc_915458:				; CODE XREF: PropertyEval+118ABEj
		mov	cx, [edx]

loc_91545B:				; CODE XREF: PropertyEval+118412j
		mov	eax, [ebp+arg_C]
		cmp	cx, [eax]
		jmp	loc_7FD25C
; 

loc_915466:				; CODE XREF: PropertyEval+1183E2j
		movzx	ecx, byte ptr [edx]
		jmp	short loc_91546E
; 

loc_91546B:				; CODE XREF: PropertyEval+118AB5j
		mov	cx, [edx]

loc_91546E:				; CODE XREF: PropertyEval+118425j
		mov	eax, [ebp+arg_C]
		cmp	[eax], cx
		jmp	loc_7FD25C
; 

loc_915479:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj
					; DATA XREF: ...
		dec	esi
		sub	esi, 1
		jz	short loc_9154B7
		sub	esi, 1
		jz	short loc_9154AF
		sub	esi, 1
		jz	short loc_9154A7
		sub	esi, 1
		jz	short loc_91549F
		sub	esi, 1
		jnz	loc_914A91	; default
		movzx	ecx, byte ptr [edx]
		jmp	loc_914AF7
; 

loc_91549F:				; CODE XREF: PropertyEval+118448j
		movzx	ecx, byte ptr [edx]
		jmp	loc_914B14
; 

loc_9154A7:				; CODE XREF: PropertyEval+118443j
		movzx	ecx, byte ptr [edx]
		jmp	loc_914B31
; 

loc_9154AF:				; CODE XREF: PropertyEval+11843Ej
		movzx	ecx, byte ptr [edx]
		jmp	loc_914B4E
; 

loc_9154B7:				; CODE XREF: PropertyEval+118439j
					; PropertyEval+11847Fj
		movzx	ecx, byte ptr [edx]
		jmp	loc_7FD267
; 

loc_9154BF:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj
					; DATA XREF: ...
		dec	esi
		sub	esi, 1
		jz	short loc_9154B7
		sub	esi, 1
		jz	short loc_9154F5
		sub	esi, 1
		jz	short loc_9154ED
		sub	esi, 1
		jz	short loc_9154E5
		sub	esi, 1
		jnz	loc_914A91	; default
		movzx	ecx, byte ptr [edx]
		jmp	loc_914D98
; 

loc_9154E5:				; CODE XREF: PropertyEval+11848Ej
		movzx	ecx, byte ptr [edx]
		jmp	loc_914DA6
; 

loc_9154ED:				; CODE XREF: PropertyEval+118489j
		movzx	ecx, byte ptr [edx]
		jmp	loc_7FD257
; 

loc_9154F5:				; CODE XREF: PropertyEval+118484j
		movzx	ecx, byte ptr [edx]
		jmp	loc_7FD27A
; 

loc_9154FD:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj
					; DATA XREF: ...
		dec	esi
		sub	esi, 1
		jz	short loc_91553B
		sub	esi, 1
		jz	short loc_915533
		sub	esi, 1
		jz	short loc_91552B
		sub	esi, 1
		jz	short loc_915523
		sub	esi, 1
		jnz	loc_914A91	; default
		movzx	eax, byte ptr [edx]
		jmp	loc_914DFA
; 

loc_915523:				; CODE XREF: PropertyEval+1184CCj
		movzx	eax, byte ptr [edx]
		jmp	loc_914E29
; 

loc_91552B:				; CODE XREF: PropertyEval+1184C7j
		movzx	eax, byte ptr [edx]
		jmp	loc_914E58
; 

loc_915533:				; CODE XREF: PropertyEval+1184C2j
		movzx	eax, byte ptr [edx]
		jmp	loc_914E87
; 

loc_91553B:				; CODE XREF: PropertyEval+1184BDj
					; PropertyEval+118503j
		movzx	eax, byte ptr [edx]
		jmp	loc_914EB6
; 

loc_915543:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj
					; DATA XREF: ...
		dec	esi
		sub	esi, 1
		jz	short loc_91553B
		sub	esi, 1
		jz	short loc_915579
		sub	esi, 1
		jz	short loc_915571
		sub	esi, 1
		jz	short loc_915569
		sub	esi, 1
		jnz	loc_914A91	; default
		movzx	eax, byte ptr [edx]
		jmp	loc_914EEF
; 

loc_915569:				; CODE XREF: PropertyEval+118512j
		movzx	eax, byte ptr [edx]
		jmp	loc_914F0E
; 

loc_915571:				; CODE XREF: PropertyEval+11850Dj
		movzx	eax, byte ptr [edx]
		jmp	loc_914F2D
; 

loc_915579:				; CODE XREF: PropertyEval+118508j
		movzx	eax, byte ptr [edx]
		jmp	loc_914F4C
; 

loc_915581:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj
					; DATA XREF: ...
		dec	esi
		sub	esi, 1
		jz	short loc_9155EF
		sub	esi, 1
		jz	short loc_9155DB
		sub	esi, 1
		jz	short loc_9155C7
		sub	esi, 1
		jz	short loc_9155B3
		sub	esi, 1
		jnz	loc_914A91	; default
		movzx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_914FAB
; 

loc_9155B3:				; CODE XREF: PropertyEval+118550j
		movzx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_915046
; 

loc_9155C7:				; CODE XREF: PropertyEval+11854Bj
		movzx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_915104
; 

loc_9155DB:				; CODE XREF: PropertyEval+118546j
		movzx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91519F
; 

loc_9155EF:				; CODE XREF: PropertyEval+118541j
		movzx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9150D4
; 

loc_915603:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj
					; DATA XREF: ...
		dec	esi
		sub	esi, 1
		jz	short loc_915671
		sub	esi, 1
		jz	short loc_91565D
		sub	esi, 1
		jz	short loc_915649
		sub	esi, 1
		jz	short loc_915635
		sub	esi, 1
		jnz	loc_914A91	; default
		movzx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91525C
; 

loc_915635:				; CODE XREF: PropertyEval+1185D2j
		movzx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91527F
; 

loc_915649:				; CODE XREF: PropertyEval+1185CDj
		movzx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152A2
; 

loc_91565D:				; CODE XREF: PropertyEval+1185C8j
		movzx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152C5
; 

loc_915671:				; CODE XREF: PropertyEval+1185C3j
		movzx	eax, byte ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152E8
; 

loc_915685:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD290o
		add	eax, 0FFFFFFFEh
		cmp	eax, 0Dh
		mov	ebx, [ebp+arg_14]
		ja	loc_914A91	; default
		jmp	ds:off_9181FB[eax*4] ; case 0x6

loc_91569B:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj
					; DATA XREF: ...
		dec	esi
		sub	esi, 1
		jz	short loc_91571D
		sub	esi, 1
		jz	short loc_915704
		sub	esi, 1
		jz	short loc_9156EB
		sub	esi, 1
		jz	short loc_9156D2
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movsx	ax, byte ptr [eax]
		jmp	short loc_9156C8
; 

loc_9156C2:				; CODE XREF: PropertyEval+11871Fj
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]

loc_9156C8:				; CODE XREF: PropertyEval+11867Cj
		xor	ecx, ecx
		cmp	[edx], ax
		jmp	loc_914BAF
; 

loc_9156D2:				; CODE XREF: PropertyEval+11866Aj
		mov	eax, [ebp+arg_C]
		movsx	ax, byte ptr [eax]
		jmp	short loc_9156E1
; 

loc_9156DB:				; CODE XREF: PropertyEval+118714j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]

loc_9156E1:				; CODE XREF: PropertyEval+118695j
		xor	ecx, ecx
		cmp	[edx], ax
		jmp	loc_914BE3
; 

loc_9156EB:				; CODE XREF: PropertyEval+118665j
		mov	eax, [ebp+arg_C]
		movsx	ax, byte ptr [eax]
		jmp	short loc_9156FA
; 

loc_9156F4:				; CODE XREF: PropertyEval+11870Fj
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]

loc_9156FA:				; CODE XREF: PropertyEval+1186AEj
		xor	ecx, ecx
		cmp	[edx], ax
		jmp	loc_914C17
; 

loc_915704:				; CODE XREF: PropertyEval+118660j
		mov	eax, [ebp+arg_C]
		movsx	ax, byte ptr [eax]
		jmp	short loc_915713
; 

loc_91570D:				; CODE XREF: PropertyEval+11870Aj
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]

loc_915713:				; CODE XREF: PropertyEval+1186C7j
		xor	ecx, ecx
		cmp	[edx], ax
		jmp	loc_914C4B
; 

loc_91571D:				; CODE XREF: PropertyEval+11865Bj
		mov	eax, [ebp+arg_C]
		movsx	ax, byte ptr [eax]
		jmp	short loc_91572C
; 

loc_915726:				; CODE XREF: PropertyEval+118705j
					; PropertyEval+118A0Aj
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]

loc_91572C:				; CODE XREF: PropertyEval+1186E0j
		xor	ecx, ecx
		cmp	[edx], ax
		jmp	short loc_91573D
; 

loc_915733:				; CODE XREF: PropertyEval+118D04j
					; PropertyEval+118FAFj
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]

loc_915739:				; CODE XREF: PropertyEval+118D83j
					; PropertyEval+118DD8j	...
		xor	ecx, ecx
		cmp	[edx], eax

loc_91573D:				; CODE XREF: PropertyEval+1186EDj
		setz	cl
		jmp	loc_7FD271
; 

loc_915745:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_915726
		sub	esi, 1
		jz	short loc_91570D
		sub	esi, 1
		jz	short loc_9156F4
		sub	esi, 1
		jz	short loc_9156DB
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_9156C2
; 

loc_915768:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_914CEA
		sub	esi, 1
		jz	loc_914CD4
		sub	esi, 1
		jz	loc_914CBE
		sub	esi, 1
		jz	loc_914CA8
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_914C92
; 

loc_91579B:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_914D2E
		sub	esi, 1
		jz	short loc_9157E7
		sub	esi, 1
		jz	short loc_9157D9
		sub	esi, 1
		jz	short loc_9157CB
		sub	esi, 1
		jnz	loc_914A91	; default
		movsx	edx, word ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_914B9F
; 

loc_9157CB:				; CODE XREF: PropertyEval+11876Ej
		movsx	edx, word ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_914BD3
; 

loc_9157D9:				; CODE XREF: PropertyEval+118769j
		movsx	edx, word ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_914C07
; 

loc_9157E7:				; CODE XREF: PropertyEval+118764j
		movsx	edx, word ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_914C3B
; 

loc_9157F5:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_915833
		sub	esi, 1
		jz	short loc_91582B
		sub	esi, 1
		jz	short loc_915823
		sub	esi, 1
		jz	short loc_91581B
		sub	esi, 1
		jnz	loc_914A91	; default
		movsx	ecx, word ptr [edx]
		jmp	loc_914AF7
; 

loc_91581B:				; CODE XREF: PropertyEval+1187C4j
		movsx	ecx, word ptr [edx]
		jmp	loc_914B14
; 

loc_915823:				; CODE XREF: PropertyEval+1187BFj
		movsx	ecx, word ptr [edx]
		jmp	loc_914B31
; 

loc_91582B:				; CODE XREF: PropertyEval+1187BAj
		movsx	ecx, word ptr [edx]
		jmp	loc_914B4E
; 

loc_915833:				; CODE XREF: PropertyEval+1187B5j
					; PropertyEval+1187FBj
		movsx	ecx, word ptr [edx]
		jmp	loc_7FD267
; 

loc_91583B:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_915833
		sub	esi, 1
		jz	short loc_915871
		sub	esi, 1
		jz	short loc_915869
		sub	esi, 1
		jz	short loc_915861
		sub	esi, 1
		jnz	loc_914A91	; default
		movsx	ecx, word ptr [edx]
		jmp	loc_914D98
; 

loc_915861:				; CODE XREF: PropertyEval+11880Aj
		movsx	ecx, word ptr [edx]
		jmp	loc_914DA6
; 

loc_915869:				; CODE XREF: PropertyEval+118805j
		movsx	ecx, word ptr [edx]
		jmp	loc_7FD257
; 

loc_915871:				; CODE XREF: PropertyEval+118800j
		movsx	ecx, word ptr [edx]
		jmp	loc_7FD27A
; 

loc_915879:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_9158B7
		sub	esi, 1
		jz	short loc_9158AF
		sub	esi, 1
		jz	short loc_9158A7
		sub	esi, 1
		jz	short loc_91589F
		sub	esi, 1
		jnz	loc_914A91	; default
		movsx	eax, word ptr [edx]
		jmp	loc_914DFA
; 

loc_91589F:				; CODE XREF: PropertyEval+118848j
		movsx	eax, word ptr [edx]
		jmp	loc_914E29
; 

loc_9158A7:				; CODE XREF: PropertyEval+118843j
		movsx	eax, word ptr [edx]
		jmp	loc_914E58
; 

loc_9158AF:				; CODE XREF: PropertyEval+11883Ej
		movsx	eax, word ptr [edx]
		jmp	loc_914E87
; 

loc_9158B7:				; CODE XREF: PropertyEval+118839j
					; PropertyEval+11887Fj
		movsx	eax, word ptr [edx]
		jmp	loc_914EB6
; 

loc_9158BF:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_9158B7
		sub	esi, 1
		jz	short loc_9158F5
		sub	esi, 1
		jz	short loc_9158ED
		sub	esi, 1
		jz	short loc_9158E5
		sub	esi, 1
		jnz	loc_914A91	; default
		movsx	eax, word ptr [edx]
		jmp	loc_914EEF
; 

loc_9158E5:				; CODE XREF: PropertyEval+11888Ej
		movsx	eax, word ptr [edx]
		jmp	loc_914F0E
; 

loc_9158ED:				; CODE XREF: PropertyEval+118889j
		movsx	eax, word ptr [edx]
		jmp	loc_914F2D
; 

loc_9158F5:				; CODE XREF: PropertyEval+118884j
		movsx	eax, word ptr [edx]
		jmp	loc_914F4C
; 

loc_9158FD:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_91596B
		sub	esi, 1
		jz	short loc_915957
		sub	esi, 1
		jz	short loc_915943
		sub	esi, 1
		jz	short loc_91592F
		sub	esi, 1
		jnz	loc_914A91	; default
		movsx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_914FAB
; 

loc_91592F:				; CODE XREF: PropertyEval+1188CCj
		movsx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_915046
; 

loc_915943:				; CODE XREF: PropertyEval+1188C7j
		movsx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_915104
; 

loc_915957:				; CODE XREF: PropertyEval+1188C2j
		movsx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91519F
; 

loc_91596B:				; CODE XREF: PropertyEval+1188BDj
		movsx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9150D4
; 

loc_91597F:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_9159ED
		sub	esi, 1
		jz	short loc_9159D9
		sub	esi, 1
		jz	short loc_9159C5
		sub	esi, 1
		jz	short loc_9159B1
		sub	esi, 1
		jnz	loc_914A91	; default
		movsx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91525C
; 

loc_9159B1:				; CODE XREF: PropertyEval+11894Ej
		movsx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91527F
; 

loc_9159C5:				; CODE XREF: PropertyEval+118949j
		movsx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152A2
; 

loc_9159D9:				; CODE XREF: PropertyEval+118944j
		movsx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152C5
; 

loc_9159ED:				; CODE XREF: PropertyEval+11893Fj
		movsx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152E8
; 

loc_915A01:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD294o
		add	eax, 0FFFFFFFEh
		cmp	eax, 0Dh
		mov	ebx, [ebp+arg_14]
		ja	loc_914A91	; default
		jmp	ds:off_918233[eax*4] ; case 0x6

loc_915A17:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_915377
		sub	esi, 1
		jz	loc_915364
		sub	esi, 1
		jz	loc_915351
		sub	esi, 1
		jz	loc_91533E
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_91532B
; 

loc_915A4A:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_915726
		sub	esi, 1
		jz	short loc_915A9D
		sub	esi, 1
		jz	short loc_915A92
		sub	esi, 1
		jz	short loc_915A77
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		cmp	ax, [edx]
		jmp	short loc_915A8A
; 

loc_915A77:				; CODE XREF: PropertyEval+118A1Dj
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		cmp	[edx], ax
		jmp	short loc_915A8A
; 

loc_915A82:				; CODE XREF: PropertyEval+118FD1j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]

loc_915A88:				; CODE XREF: PropertyEval+119028j
					; PropertyEval+119070j	...
		cmp	eax, [edx]

loc_915A8A:				; CODE XREF: PropertyEval+118A31j
					; PropertyEval+118A3Cj	...
		sbb	eax, eax
		inc	eax
		jmp	loc_7FD141
; 

loc_915A92:				; CODE XREF: PropertyEval+118A18j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		cmp	[edx], ax
		jmp	short loc_915AB0
; 

loc_915A9D:				; CODE XREF: PropertyEval+118A13j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		cmp	ax, [edx]
		jmp	short loc_915AB0
; 

loc_915AA8:				; CODE XREF: PropertyEval+118FBDj
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]

loc_915AAE:				; CODE XREF: PropertyEval+11903Bj
					; PropertyEval+119086j	...
		cmp	[edx], eax

loc_915AB0:				; CODE XREF: PropertyEval+118A57j
					; PropertyEval+118A62j	...
		sbb	eax, eax
		neg	eax
		jmp	loc_7FD141
; 

loc_915AB9:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_914C5E
		sub	esi, 1
		jz	loc_914C32
		sub	esi, 1
		jz	loc_914BFE
		sub	esi, 1
		jz	loc_914BCA
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_914B96
; 

loc_915AEC:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_914CEA
		sub	esi, 1
		jz	loc_91546B
		sub	esi, 1
		jz	loc_915458
		sub	esi, 1
		jz	loc_915445
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	cx, [edx]
		jmp	loc_914DB0
; 

loc_915B22:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_915B60
		sub	esi, 1
		jz	short loc_915B58
		sub	esi, 1
		jz	short loc_915B50
		sub	esi, 1
		jz	short loc_915B48
		sub	esi, 1
		jnz	loc_914A91	; default
		movzx	ecx, word ptr [edx]
		jmp	loc_914AF7
; 

loc_915B48:				; CODE XREF: PropertyEval+118AF1j
		movzx	ecx, word ptr [edx]
		jmp	loc_914B14
; 

loc_915B50:				; CODE XREF: PropertyEval+118AECj
		movzx	ecx, word ptr [edx]
		jmp	loc_914B31
; 

loc_915B58:				; CODE XREF: PropertyEval+118AE7j
		movzx	ecx, word ptr [edx]
		jmp	loc_914B4E
; 

loc_915B60:				; CODE XREF: PropertyEval+118AE2j
					; PropertyEval+118B28j
		movzx	ecx, word ptr [edx]
		jmp	loc_7FD267
; 

loc_915B68:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_915B60
		sub	esi, 1
		jz	short loc_915B9E
		sub	esi, 1
		jz	short loc_915B96
		sub	esi, 1
		jz	short loc_915B8E
		sub	esi, 1
		jnz	loc_914A91	; default
		movzx	ecx, word ptr [edx]
		jmp	loc_914D98
; 

loc_915B8E:				; CODE XREF: PropertyEval+118B37j
		movzx	ecx, word ptr [edx]
		jmp	loc_914DA6
; 

loc_915B96:				; CODE XREF: PropertyEval+118B32j
		movzx	ecx, word ptr [edx]
		jmp	loc_7FD257
; 

loc_915B9E:				; CODE XREF: PropertyEval+118B2Dj
		movzx	ecx, word ptr [edx]
		jmp	loc_7FD27A
; 

loc_915BA6:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_915BE4
		sub	esi, 1
		jz	short loc_915BDC
		sub	esi, 1
		jz	short loc_915BD4
		sub	esi, 1
		jz	short loc_915BCC
		sub	esi, 1
		jnz	loc_914A91	; default
		movzx	eax, word ptr [edx]
		jmp	loc_914DFA
; 

loc_915BCC:				; CODE XREF: PropertyEval+118B75j
		movzx	eax, word ptr [edx]
		jmp	loc_914E29
; 

loc_915BD4:				; CODE XREF: PropertyEval+118B70j
		movzx	eax, word ptr [edx]
		jmp	loc_914E58
; 

loc_915BDC:				; CODE XREF: PropertyEval+118B6Bj
		movzx	eax, word ptr [edx]
		jmp	loc_914E87
; 

loc_915BE4:				; CODE XREF: PropertyEval+118B66j
					; PropertyEval+118BACj
		movzx	eax, word ptr [edx]
		jmp	loc_914EB6
; 

loc_915BEC:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_915BE4
		sub	esi, 1
		jz	short loc_915C22
		sub	esi, 1
		jz	short loc_915C1A
		sub	esi, 1
		jz	short loc_915C12
		sub	esi, 1
		jnz	loc_914A91	; default
		movzx	eax, word ptr [edx]
		jmp	loc_914EEF
; 

loc_915C12:				; CODE XREF: PropertyEval+118BBBj
		movzx	eax, word ptr [edx]
		jmp	loc_914F0E
; 

loc_915C1A:				; CODE XREF: PropertyEval+118BB6j
		movzx	eax, word ptr [edx]
		jmp	loc_914F2D
; 

loc_915C22:				; CODE XREF: PropertyEval+118BB1j
		movzx	eax, word ptr [edx]
		jmp	loc_914F4C
; 

loc_915C2A:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_915C98
		sub	esi, 1
		jz	short loc_915C84
		sub	esi, 1
		jz	short loc_915C70
		sub	esi, 1
		jz	short loc_915C5C
		sub	esi, 1
		jnz	loc_914A91	; default
		movzx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_914FAB
; 

loc_915C5C:				; CODE XREF: PropertyEval+118BF9j
		movzx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_915046
; 

loc_915C70:				; CODE XREF: PropertyEval+118BF4j
		movzx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_915104
; 

loc_915C84:				; CODE XREF: PropertyEval+118BEFj
		movzx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91519F
; 

loc_915C98:				; CODE XREF: PropertyEval+118BEAj
		movzx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9150D4
; 

loc_915CAC:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_915D1A
		sub	esi, 1
		jz	short loc_915D06
		sub	esi, 1
		jz	short loc_915CF2
		sub	esi, 1
		jz	short loc_915CDE
		sub	esi, 1
		jnz	loc_914A91	; default
		movzx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91525C
; 

loc_915CDE:				; CODE XREF: PropertyEval+118C7Bj
		movzx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91527F
; 

loc_915CF2:				; CODE XREF: PropertyEval+118C76j
		movzx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152A2
; 

loc_915D06:				; CODE XREF: PropertyEval+118C71j
		movzx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152C5
; 

loc_915D1A:				; CODE XREF: PropertyEval+118C6Cj
		movzx	eax, word ptr [edx]
		mov	[ebp+arg_0], eax
		fild	[ebp+arg_0]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152E8
; 

loc_915D2E:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD298o
		add	eax, 0FFFFFFFEh
		cmp	eax, 0Dh
		mov	ebx, [ebp+arg_14]
		ja	loc_914A91	; default
		jmp	ds:off_91826B[eax*4] ; case 0x6

loc_915D44:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_915733
		sub	esi, 1
		jz	loc_914C41
		sub	esi, 1
		jz	loc_914C0D
		sub	esi, 1
		jz	loc_914BD9
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_914BA5
; 

loc_915D77:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_915DC1
		sub	esi, 1
		jz	short loc_915DB6
		sub	esi, 1
		jz	short loc_915DAB
		sub	esi, 1
		jz	short loc_915DA0
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_914BAB
; 

loc_915DA0:				; CODE XREF: PropertyEval+118D46j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_914BDF
; 

loc_915DAB:				; CODE XREF: PropertyEval+118D41j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_914C13
; 

loc_915DB6:				; CODE XREF: PropertyEval+118D3Cj
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_914C47
; 

loc_915DC1:				; CODE XREF: PropertyEval+118D37j
					; PropertyEval+119004j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_915739
; 

loc_915DCC:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_915E16
		sub	esi, 1
		jz	short loc_915E0B
		sub	esi, 1
		jz	short loc_915E00
		sub	esi, 1
		jz	short loc_915DF5
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_914BAB
; 

loc_915DF5:				; CODE XREF: PropertyEval+118D9Bj
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_914BDF
; 

loc_915E00:				; CODE XREF: PropertyEval+118D96j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_914C13
; 

loc_915E0B:				; CODE XREF: PropertyEval+118D91j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_914C47
; 

loc_915E16:				; CODE XREF: PropertyEval+118D8Cj
					; PropertyEval+11904Cj
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_915739
; 

loc_915E21:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_915E6B
		sub	esi, 1
		jz	short loc_915E60
		sub	esi, 1
		jz	short loc_915E55
		sub	esi, 1
		jz	short loc_915E4A
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_914BAB
; 

loc_915E4A:				; CODE XREF: PropertyEval+118DF0j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_914BDF
; 

loc_915E55:				; CODE XREF: PropertyEval+118DEBj
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_914C13
; 

loc_915E60:				; CODE XREF: PropertyEval+118DE6j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_914C47
; 

loc_915E6B:				; CODE XREF: PropertyEval+118DE1j
					; PropertyEval+11909Aj
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_915739
; 

loc_915E76:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_7FD265
		sub	esi, 1
		jz	short loc_915EAD
		sub	esi, 1
		jz	short loc_915EA6
		sub	esi, 1
		jz	short loc_915E9F
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	ecx, [edx]
		jmp	loc_914AF7
; 

loc_915E9F:				; CODE XREF: PropertyEval+118E49j
		mov	ecx, [edx]
		jmp	loc_914B14
; 

loc_915EA6:				; CODE XREF: PropertyEval+118E44j
		mov	ecx, [edx]
		jmp	loc_914B31
; 

loc_915EAD:				; CODE XREF: PropertyEval+118E3Fj
		mov	ecx, [edx]
		jmp	loc_914B4E
; 

loc_915EB4:				; CODE XREF: PropertyEval+20Bj
		sub	esi, 1
		jz	loc_914DA4
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_914D96
; 

loc_915ECB:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_914EB4
		sub	esi, 1
		jz	loc_914E85
		sub	esi, 1
		jz	loc_914E56
		sub	esi, 1
		jz	loc_914E27
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_914DF8
; 

loc_915EFE:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_914EB4
		sub	esi, 1
		jz	loc_914F4A
		sub	esi, 1
		jz	loc_914F2B
		sub	esi, 1
		jz	loc_914F0C
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_914EED
; 

loc_915F31:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_915F83
		sub	esi, 1
		jz	short loc_915F76
		sub	esi, 1
		jz	short loc_915F69
		sub	esi, 1
		jz	short loc_915F5C
		sub	esi, 1
		jnz	loc_914A91	; default
		fild	dword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_914FAB
; 

loc_915F5C:				; CODE XREF: PropertyEval+118F00j
		fild	dword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_915046
; 

loc_915F69:				; CODE XREF: PropertyEval+118EFBj
		fild	dword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_915104
; 

loc_915F76:				; CODE XREF: PropertyEval+118EF6j
		fild	dword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_91519F
; 

loc_915F83:				; CODE XREF: PropertyEval+118EF1j
		fild	dword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_9150D4
; 

loc_915F90:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_915FE2
		sub	esi, 1
		jz	short loc_915FD5
		sub	esi, 1
		jz	short loc_915FC8
		sub	esi, 1
		jz	short loc_915FBB
		sub	esi, 1
		jnz	loc_914A91	; default
		fild	dword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91525C
; 

loc_915FBB:				; CODE XREF: PropertyEval+118F5Fj
		fild	dword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91527F
; 

loc_915FC8:				; CODE XREF: PropertyEval+118F5Aj
		fild	dword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152A2
; 

loc_915FD5:				; CODE XREF: PropertyEval+118F55j
		fild	dword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152C5
; 

loc_915FE2:				; CODE XREF: PropertyEval+118F50j
		fild	dword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152E8
; 

loc_915FEF:				; CODE XREF: PropertyEval+8Bj
					; PropertyEval+1F6j
					; DATA XREF: ...
		dec	esi		; case 0x2
		sub	esi, 1
		jz	loc_915733
		sub	esi, 1
		jz	short loc_91602F
		sub	esi, 1
		jz	loc_915AA8
		sub	esi, 1
		jz	short loc_91601A
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_915A82
; 

loc_91601A:				; CODE XREF: PropertyEval+118FC6j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_916028
; 

loc_916022:				; CODE XREF: PropertyEval+1190B1j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]

loc_916028:				; CODE XREF: PropertyEval+118FDCj
					; PropertyEval+119033j	...
		cmp	[edx], eax
		jmp	loc_915A8A
; 

loc_91602F:				; CODE XREF: PropertyEval+118FB8j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_91603D
; 

loc_916037:				; CODE XREF: PropertyEval+1190A3j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]

loc_91603D:				; CODE XREF: PropertyEval+118FF1j
					; PropertyEval+119046j	...
		cmp	eax, [edx]
		jmp	loc_915AB0
; 

loc_916044:				; CODE XREF: PropertyEval+1F6j
					; DATA XREF: PAGE:off_7FD2E8o
		dec	esi		; case 0x3
		sub	esi, 1
		jz	loc_915DC1
		sub	esi, 1
		jz	short loc_916084
		sub	esi, 1
		jz	short loc_916079
		sub	esi, 1
		jz	short loc_916071
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_915A88
; 

loc_916071:				; CODE XREF: PropertyEval+119017j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	short loc_916028
; 

loc_916079:				; CODE XREF: PropertyEval+119012j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_915AAE
; 

loc_916084:				; CODE XREF: PropertyEval+11900Dj
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	short loc_91603D
; 

loc_91608C:				; CODE XREF: PropertyEval+1F6j
					; DATA XREF: PAGE:off_7FD2E8o
		dec	esi		; case 0x4
		sub	esi, 1
		jz	loc_915E16
		sub	esi, 1
		jz	short loc_9160CF
		sub	esi, 1
		jz	short loc_9160C4
		sub	esi, 1
		jz	short loc_9160B9
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_915A88
; 

loc_9160B9:				; CODE XREF: PropertyEval+11905Fj
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_916028
; 

loc_9160C4:				; CODE XREF: PropertyEval+11905Aj
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_915AAE
; 

loc_9160CF:				; CODE XREF: PropertyEval+119055j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_91603D
; 

loc_9160DA:				; CODE XREF: PropertyEval+1F6j
					; DATA XREF: PAGE:off_7FD2E8o
		dec	esi		; case 0x5
		sub	esi, 1
		jz	loc_915E6B
		sub	esi, 1
		jz	loc_916037
		sub	esi, 1
		jz	short loc_91610F
		sub	esi, 1
		jz	loc_916022
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_915A88
; 

loc_91610F:				; CODE XREF: PropertyEval+1190ACj
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_915AAE
; 

loc_91611A:				; CODE XREF: PropertyEval+1F6j
					; DATA XREF: PAGE:off_7FD2E8o
		dec	esi		; case 0x8
		sub	esi, 1
		jz	loc_9161A8
		sub	esi, 1
		jz	short loc_91618D
		sub	esi, 1
		jz	short loc_916172
		sub	esi, 1
		jz	short loc_916157
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	edx, [edx]
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax+4]
		jg	loc_7FD0F4
		jl	loc_7FD0F6

loc_916150:				; CODE XREF: PropertyEval+1191ABj
		cmp	edx, [eax]
		jmp	loc_914E17
; 

loc_916157:				; CODE XREF: PropertyEval+1190EDj
		mov	edx, [edx]
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax+4]
		jl	loc_7FD0F4
		jg	loc_7FD0F6

loc_91616B:				; CODE XREF: PropertyEval+1191C4j
		cmp	edx, [eax]
		jmp	loc_914E46
; 

loc_916172:				; CODE XREF: PropertyEval+1190E8j
		mov	edx, [edx]
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax+4]
		jg	loc_7FD0F4
		jl	loc_7FD0F6

loc_916186:				; CODE XREF: PropertyEval+1191DDj
		cmp	edx, [eax]
		jmp	loc_914E75
; 

loc_91618D:				; CODE XREF: PropertyEval+1190E3j
		mov	edx, [edx]
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax+4]
		jl	loc_7FD0F4
		jg	loc_7FD0F6

loc_9161A1:				; CODE XREF: PropertyEval+1191F6j
		cmp	edx, [eax]
		jmp	loc_914EA4
; 

loc_9161A8:				; CODE XREF: PropertyEval+1190DAj
					; PropertyEval+11917Dj
		mov	eax, [edx]
		mov	edx, [ebp+arg_C]
		cmp	eax, [edx]
		jnz	loc_7FD0F4
		cmp	ecx, [edx+4]
		jmp	loc_7FD135
; 

loc_9161BD:				; CODE XREF: PropertyEval+1F6j
					; DATA XREF: PAGE:off_7FD2E8o
		dec	esi		; case 0x9
		sub	esi, 1
		jz	short loc_9161A8
		sub	esi, 1
		jz	short loc_916226
		sub	esi, 1
		jz	short loc_91620D
		sub	esi, 1
		jz	short loc_9161F4
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	edx, [edx]
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax+4]
		ja	loc_7FD0F4
		jb	loc_7FD0F6
		jmp	loc_916150
; 

loc_9161F4:				; CODE XREF: PropertyEval+11918Cj
		mov	edx, [edx]
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax+4]
		jb	loc_7FD0F4
		ja	loc_7FD0F6
		jmp	loc_91616B
; 

loc_91620D:				; CODE XREF: PropertyEval+119187j
		mov	edx, [edx]
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax+4]
		ja	loc_7FD0F4
		jb	loc_7FD0F6
		jmp	loc_916186
; 

loc_916226:				; CODE XREF: PropertyEval+119182j
		mov	edx, [edx]
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax+4]
		jb	loc_7FD0F4
		ja	loc_7FD0F6
		jmp	loc_9161A1
; 

loc_91623F:				; CODE XREF: PropertyEval+1F6j
					; DATA XREF: PAGE:off_7FD2E8o
		dec	esi		; case 0xA
		sub	esi, 1
		jz	short loc_9162C1
		sub	esi, 1
		jz	short loc_9162A8
		sub	esi, 1
		jz	short loc_91628F
		sub	esi, 1
		jz	short loc_916276
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [edx]
		fild	dword ptr [edx]
		test	eax, eax
		jns	short loc_91626B
		fadd	ds:__real@4f800000

loc_91626B:				; CODE XREF: PropertyEval+11921Fj
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_914FAB
; 

loc_916276:				; CODE XREF: PropertyEval+11920Ej
		mov	eax, [edx]
		fild	dword ptr [edx]
		test	eax, eax
		jns	short loc_916284
		fadd	ds:__real@4f800000

loc_916284:				; CODE XREF: PropertyEval+119238j
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_915046
; 

loc_91628F:				; CODE XREF: PropertyEval+119209j
		mov	eax, [edx]
		fild	dword ptr [edx]
		test	eax, eax
		jns	short loc_91629D
		fadd	ds:__real@4f800000

loc_91629D:				; CODE XREF: PropertyEval+119251j
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_915104
; 

loc_9162A8:				; CODE XREF: PropertyEval+119204j
		mov	eax, [edx]
		fild	dword ptr [edx]
		test	eax, eax
		jns	short loc_9162B6
		fadd	ds:__real@4f800000

loc_9162B6:				; CODE XREF: PropertyEval+11926Aj
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_91519F
; 

loc_9162C1:				; CODE XREF: PropertyEval+1191FFj
		mov	eax, [edx]
		fild	dword ptr [edx]
		test	eax, eax
		jns	short loc_9162CF
		fadd	ds:__real@4f800000

loc_9162CF:				; CODE XREF: PropertyEval+119283j
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_9150D4
; 

loc_9162DA:				; CODE XREF: PropertyEval+1F6j
					; DATA XREF: PAGE:off_7FD2E8o
		dec	esi		; case 0xB
		sub	esi, 1
		jz	short loc_91635C
		sub	esi, 1
		jz	short loc_916343
		sub	esi, 1
		jz	short loc_91632A
		sub	esi, 1
		jz	short loc_916311
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [edx]
		fild	dword ptr [edx]
		test	eax, eax
		jns	short loc_916306
		fadd	ds:__real@41f0000000000000

loc_916306:				; CODE XREF: PropertyEval+1192BAj
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91525C
; 

loc_916311:				; CODE XREF: PropertyEval+1192A9j
		mov	eax, [edx]
		fild	dword ptr [edx]
		test	eax, eax
		jns	short loc_91631F
		fadd	ds:__real@41f0000000000000

loc_91631F:				; CODE XREF: PropertyEval+1192D3j
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91527F
; 

loc_91632A:				; CODE XREF: PropertyEval+1192A4j
		mov	eax, [edx]
		fild	dword ptr [edx]
		test	eax, eax
		jns	short loc_916338
		fadd	ds:__real@41f0000000000000

loc_916338:				; CODE XREF: PropertyEval+1192ECj
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152A2
; 

loc_916343:				; CODE XREF: PropertyEval+11929Fj
		mov	eax, [edx]
		fild	dword ptr [edx]
		test	eax, eax
		jns	short loc_916351
		fadd	ds:__real@41f0000000000000

loc_916351:				; CODE XREF: PropertyEval+119305j
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152C5
; 

loc_91635C:				; CODE XREF: PropertyEval+11929Aj
		mov	eax, [edx]
		fild	dword ptr [edx]
		test	eax, eax
		jns	short loc_91636A
		fadd	ds:__real@41f0000000000000

loc_91636A:				; CODE XREF: PropertyEval+11931Ej
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152E8
; 

loc_916375:				; CODE XREF: PropertyEval+1DBj
					; PropertyEval+1E4j
		cmp	eax, 7
		jnz	loc_914A91	; default
		mov	edx, [edx]
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		cmp	esi, 7
		jnz	short loc_916391
		and	eax, edx
		jmp	loc_7FD141
; 

loc_916391:				; CODE XREF: PropertyEval+119344j
		or	eax, edx
		jmp	loc_7FD141
; 

loc_916398:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2A0o
		add	eax, 0FFFFFFFEh
		cmp	eax, 0Dh
		mov	ebx, [ebp+arg_14]
		ja	loc_914A91	; default
		jmp	ds:off_9182A3[eax*4] ; default

loc_9163AE:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_91644F
		sub	esi, 1
		jz	short loc_916431
		sub	esi, 1
		jz	short loc_916413
		sub	esi, 1
		jz	short loc_9163F5
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_9163DD
; 

loc_9163D8:				; CODE XREF: PropertyEval+11954Ej
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_9163DD:				; CODE XREF: PropertyEval+119392j
					; PropertyEval+11944Bj	...
		cdq
		mov	esi, [ebp+var_20]
		cmp	[esi+4], edx
		jg	short loc_9163EC
		jl	short loc_9163EE
		cmp	[esi], eax
		jbe	short loc_9163EE

loc_9163EC:				; CODE XREF: PropertyEval+1193A0j
					; PropertyEval+1193C5j	...
		xor	edi, edi

loc_9163EE:				; CODE XREF: PropertyEval+1193A2j
					; PropertyEval+1193A6j	...
		xor	ecx, ecx
		jmp	loc_7FD0F6
; 

loc_9163F5:				; CODE XREF: PropertyEval+119381j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_916402
; 

loc_9163FD:				; CODE XREF: PropertyEval+11953Fj
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_916402:				; CODE XREF: PropertyEval+1193B7j
					; PropertyEval+119456j	...
		cdq
		mov	esi, [ebp+var_20]
		cmp	[esi+4], edx
		jl	short loc_9163EC
		jg	short loc_9163EE
		cmp	[esi], eax
		jnb	short loc_9163EE
		jmp	short loc_9163EC
; 

loc_916413:				; CODE XREF: PropertyEval+11937Cj
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_916420
; 

loc_91641B:				; CODE XREF: PropertyEval+119536j
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_916420:				; CODE XREF: PropertyEval+1193D5j
					; PropertyEval+119461j	...
		cdq
		mov	esi, [ebp+var_20]
		cmp	[esi+4], edx
		jg	short loc_9163EC
		jl	short loc_9163EE
		cmp	[esi], eax
		jb	short loc_9163EE
		jmp	short loc_9163EC
; 

loc_916431:				; CODE XREF: PropertyEval+119377j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_91643E
; 

loc_916439:				; CODE XREF: PropertyEval+11952Dj
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_91643E:				; CODE XREF: PropertyEval+1193F3j
					; PropertyEval+11946Cj	...
		cdq
		mov	esi, [ebp+var_20]
		cmp	[esi+4], edx
		jl	short loc_9163EC
		jg	short loc_9163EE
		cmp	[esi], eax
		ja	short loc_9163EE
		jmp	short loc_9163EC
; 

loc_91644F:				; CODE XREF: PropertyEval+11936Ej
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_91645C
; 

loc_916457:				; CODE XREF: PropertyEval+119524j
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_91645C:				; CODE XREF: PropertyEval+119411j
					; PropertyEval+119474j	...
		cdq
		mov	esi, [ebp+var_20]
		cmp	[esi], eax
		jnz	short loc_9163EC
		cmp	[esi+4], edx
		jz	short loc_9163EE
		jmp	short loc_9163EC
; 

loc_91646B:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_9164B2
		sub	esi, 1
		jz	short loc_9164AA
		sub	esi, 1
		jz	short loc_91649F
		sub	esi, 1
		jz	short loc_916494
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_9163DD
; 

loc_916494:				; CODE XREF: PropertyEval+11943Aj
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_916402
; 

loc_91649F:				; CODE XREF: PropertyEval+119435j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_916420
; 

loc_9164AA:				; CODE XREF: PropertyEval+119430j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	short loc_91643E
; 

loc_9164B2:				; CODE XREF: PropertyEval+11942Bj
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	short loc_91645C
; 

loc_9164BA:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_916504
		sub	esi, 1
		jz	short loc_9164F9
		sub	esi, 1
		jz	short loc_9164EE
		sub	esi, 1
		jz	short loc_9164E3
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_9163DD
; 

loc_9164E3:				; CODE XREF: PropertyEval+119489j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_916402
; 

loc_9164EE:				; CODE XREF: PropertyEval+119484j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_916420
; 

loc_9164F9:				; CODE XREF: PropertyEval+11947Fj
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_91643E
; 

loc_916504:				; CODE XREF: PropertyEval+11947Aj
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_91645C
; 

loc_91650F:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_916559
		sub	esi, 1
		jz	short loc_91654E
		sub	esi, 1
		jz	short loc_916543
		sub	esi, 1
		jz	short loc_916538
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_9163DD
; 

loc_916538:				; CODE XREF: PropertyEval+1194DEj
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_916402
; 

loc_916543:				; CODE XREF: PropertyEval+1194D9j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_916420
; 

loc_91654E:				; CODE XREF: PropertyEval+1194D4j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_91643E
; 

loc_916559:				; CODE XREF: PropertyEval+1194CFj
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_91645C
; 

loc_916564:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_916457
		sub	esi, 1
		jz	loc_916439
		sub	esi, 1
		jz	loc_91641B
		sub	esi, 1
		jz	loc_9163FD
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_9163D8
; 

loc_916597:				; CODE XREF: PropertyEval+11A980j
		mov	eax, [ebp+arg_C]
		mov	esi, [eax]
		cmp	[edx+4], ecx
		jg	loc_7FD0F4
		jl	loc_7FD0F6
		jmp	loc_914E15
; 

loc_9165B0:				; CODE XREF: PropertyEval+11A977j
		mov	eax, [ebp+arg_C]
		mov	esi, [eax]
		cmp	[edx+4], ecx
		jl	loc_7FD0F4
		jg	loc_7FD0F6
		jmp	loc_914E44
; 

loc_9165C9:				; CODE XREF: PropertyEval+11A96Ej
		mov	eax, [ebp+arg_C]
		mov	esi, [eax]
		cmp	[edx+4], ecx
		jg	loc_7FD0F4
		jl	loc_7FD0F6
		jmp	loc_914E73
; 

loc_9165E2:				; CODE XREF: PropertyEval+11A965j
		mov	eax, [ebp+arg_C]
		mov	esi, [eax]
		cmp	[edx+4], ecx
		jl	loc_7FD0F4
		jg	loc_7FD0F6
		jmp	loc_914EA2
; 

loc_9165FB:				; CODE XREF: PropertyEval+1199A7j
					; PropertyEval+11A95Cj
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		cmp	[edx], ecx
		jnz	loc_91681E
		xor	ecx, ecx
		cmp	[edx+4], ecx
		jnz	loc_7FD0F4
		jmp	loc_7FD0F6
; 

loc_916618:				; CODE XREF: PropertyEval+11A9B3j
		mov	eax, [edx+4]
		mov	esi, [ebp+arg_C]
		cmp	eax, [esi+4]
		jg	loc_7FD0F4
		jl	loc_7FD0F6
		jmp	loc_914E0F
; 

loc_916632:				; CODE XREF: PropertyEval+11A9AAj
		mov	eax, [edx+4]
		mov	esi, [ebp+arg_C]
		cmp	eax, [esi+4]
		jl	loc_7FD0F4
		jg	loc_7FD0F6
		jmp	loc_914E3E
; 

loc_91664C:				; CODE XREF: PropertyEval+11A9A1j
		mov	eax, [edx+4]
		mov	esi, [ebp+arg_C]
		cmp	eax, [esi+4]
		jg	loc_7FD0F4
		jl	loc_7FD0F6
		jmp	loc_914E6D
; 

loc_916666:				; CODE XREF: PropertyEval+11A998j
		mov	eax, [edx+4]
		mov	esi, [ebp+arg_C]
		cmp	eax, [esi+4]
		jl	loc_7FD0F4
		jg	loc_7FD0F6
		jmp	loc_914E9C
; 

loc_916680:				; CODE XREF: PropertyEval+119A2Dj
					; PropertyEval+11A98Fj
		mov	eax, [edx]
		mov	esi, [ebp+arg_C]
		cmp	eax, [esi]
		jnz	loc_7FD0F4
		mov	eax, [edx+4]
		cmp	eax, [esi+4]
		jmp	loc_7FD135
; 

loc_916698:				; CODE XREF: PropertyEval+119A51j
		mov	eax, [edx+4]
		mov	esi, [ebp+arg_C]
		cmp	eax, [esi+4]
		ja	loc_7FD0F4
		jb	loc_7FD0F6
		jmp	loc_914E0F
; 

loc_9166B2:				; CODE XREF: PropertyEval+119A48j
		mov	eax, [edx+4]
		mov	esi, [ebp+arg_C]
		cmp	eax, [esi+4]
		jb	loc_7FD0F4
		ja	loc_7FD0F6
		jmp	loc_914E3E
; 

loc_9166CC:				; CODE XREF: PropertyEval+119A3Fj
		mov	eax, [edx+4]
		mov	esi, [ebp+arg_C]
		cmp	eax, [esi+4]
		ja	loc_7FD0F4
		jb	loc_7FD0F6
		jmp	loc_914E6D
; 

loc_9166E6:				; CODE XREF: PropertyEval+119A36j
		mov	eax, [edx+4]
		mov	esi, [ebp+arg_C]
		cmp	eax, [esi+4]
		jb	loc_7FD0F4
		ja	loc_7FD0F6
		jmp	loc_914E9C
; 

loc_916700:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_916752
		sub	esi, 1
		jz	short loc_916745
		sub	esi, 1
		jz	short loc_916738
		sub	esi, 1
		jz	short loc_91672B
		sub	esi, 1
		jnz	loc_914A91	; default
		fild	qword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_914FAB
; 

loc_91672B:				; CODE XREF: PropertyEval+1196CFj
		fild	qword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_915046
; 

loc_916738:				; CODE XREF: PropertyEval+1196CAj
		fild	qword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_915104
; 

loc_916745:				; CODE XREF: PropertyEval+1196C5j
		fild	qword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_91519F
; 

loc_916752:				; CODE XREF: PropertyEval+1196C0j
		fild	qword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_9150D4
; 

loc_91675F:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_9167B1
		sub	esi, 1
		jz	short loc_9167A4
		sub	esi, 1
		jz	short loc_916797
		sub	esi, 1
		jz	short loc_91678A
		sub	esi, 1
		jnz	loc_914A91	; default
		fild	qword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91525C
; 

loc_91678A:				; CODE XREF: PropertyEval+11972Ej
		fild	qword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91527F
; 

loc_916797:				; CODE XREF: PropertyEval+119729j
		fild	qword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152A2
; 

loc_9167A4:				; CODE XREF: PropertyEval+119724j
		fild	qword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152C5
; 

loc_9167B1:				; CODE XREF: PropertyEval+11971Fj
		fild	qword ptr [edx]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152E8
; 

loc_9167BE:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2A4o
		add	eax, 0FFFFFFFEh
		cmp	eax, 0Dh
		mov	ebx, [ebp+arg_14]
		ja	loc_914A91	; default
		jmp	ds:off_9182DB[eax*4] ; default

loc_9167D4:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_916897
		sub	esi, 1
		jz	loc_916871
		sub	esi, 1
		jz	short loc_91684B
		sub	esi, 1
		jz	short loc_916825
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_916807
; 

loc_916802:				; CODE XREF: PropertyEval+11999Ej
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_916807:				; CODE XREF: PropertyEval+1197BCj
					; PropertyEval+119898j	...
		cdq
		mov	esi, [ebp+var_20]
		cmp	[esi+4], edx
		ja	short loc_91681E
		jb	loc_9163EE

loc_916816:				; CODE XREF: PropertyEval+11A7CDj
		cmp	[esi], eax
		jbe	loc_9163EE

loc_91681E:				; CODE XREF: PropertyEval+1195BEj
					; PropertyEval+1197CAj	...
		xor	ecx, ecx
		jmp	loc_7FD0F4
; 

loc_916825:				; CODE XREF: PropertyEval+1197ABj
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_916832
; 

loc_91682D:				; CODE XREF: PropertyEval+11998Fj
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_916832:				; CODE XREF: PropertyEval+1197E7j
					; PropertyEval+1198A3j	...
		cdq
		mov	esi, [ebp+var_20]
		cmp	[esi+4], edx
		jb	short loc_91681E
		ja	loc_9163EE

loc_916841:				; CODE XREF: PropertyEval+11A7F2j
		cmp	[esi], eax
		jnb	loc_9163EE
		jmp	short loc_91681E
; 

loc_91684B:				; CODE XREF: PropertyEval+1197A6j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_916858
; 

loc_916853:				; CODE XREF: PropertyEval+119986j
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_916858:				; CODE XREF: PropertyEval+11980Dj
					; PropertyEval+1198AEj	...
		cdq
		mov	esi, [ebp+var_20]
		cmp	[esi+4], edx
		ja	short loc_91681E
		jb	loc_9163EE

loc_916867:				; CODE XREF: PropertyEval+11A817j
		cmp	[esi], eax
		jb	loc_9163EE
		jmp	short loc_91681E
; 

loc_916871:				; CODE XREF: PropertyEval+11979Dj
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_91687E
; 

loc_916879:				; CODE XREF: PropertyEval+11997Dj
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_91687E:				; CODE XREF: PropertyEval+119833j
					; PropertyEval+1198B9j	...
		cdq
		mov	esi, [ebp+var_20]
		cmp	[esi+4], edx
		jb	short loc_91681E
		ja	loc_9163EE

loc_91688D:				; CODE XREF: PropertyEval+11A83Cj
		cmp	[esi], eax
		ja	loc_9163EE
		jmp	short loc_91681E
; 

loc_916897:				; CODE XREF: PropertyEval+119794j
					; PropertyEval+11A78Bj
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_9168A4
; 

loc_91689F:				; CODE XREF: PropertyEval+119974j
					; PropertyEval+11A929j
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_9168A4:				; CODE XREF: PropertyEval+119859j
					; PropertyEval+1198C4j	...
		cdq
		mov	esi, [ebp+var_20]
		cmp	[esi], eax
		jnz	loc_91681E
		cmp	[esi+4], edx
		jmp	loc_91800A
; 

loc_9168B8:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_916902
		sub	esi, 1
		jz	short loc_9168F7
		sub	esi, 1
		jz	short loc_9168EC
		sub	esi, 1
		jz	short loc_9168E1
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_916807
; 

loc_9168E1:				; CODE XREF: PropertyEval+119887j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_916832
; 

loc_9168EC:				; CODE XREF: PropertyEval+119882j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_916858
; 

loc_9168F7:				; CODE XREF: PropertyEval+11987Dj
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_91687E
; 

loc_916902:				; CODE XREF: PropertyEval+119878j
					; PropertyEval+11A845j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	short loc_9168A4
; 

loc_91690A:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_916954
		sub	esi, 1
		jz	short loc_916949
		sub	esi, 1
		jz	short loc_91693E
		sub	esi, 1
		jz	short loc_916933
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_916807
; 

loc_916933:				; CODE XREF: PropertyEval+1198D9j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_916832
; 

loc_91693E:				; CODE XREF: PropertyEval+1198D4j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_916858
; 

loc_916949:				; CODE XREF: PropertyEval+1198CFj
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_91687E
; 

loc_916954:				; CODE XREF: PropertyEval+1198CAj
					; PropertyEval+11A88Dj
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_9168A4
; 

loc_91695F:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_9169A9
		sub	esi, 1
		jz	short loc_91699E
		sub	esi, 1
		jz	short loc_916993
		sub	esi, 1
		jz	short loc_916988
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_916807
; 

loc_916988:				; CODE XREF: PropertyEval+11992Ej
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_916832
; 

loc_916993:				; CODE XREF: PropertyEval+119929j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_916858
; 

loc_91699E:				; CODE XREF: PropertyEval+119924j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_91687E
; 

loc_9169A9:				; CODE XREF: PropertyEval+11991Fj
					; PropertyEval+11A8DBj
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_9168A4
; 

loc_9169B4:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_91689F
		sub	esi, 1
		jz	loc_916879
		sub	esi, 1
		jz	loc_916853
		sub	esi, 1
		jz	loc_91682D
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_916802
; 

loc_9169E7:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_9165FB
		sub	esi, 1
		jz	short loc_916A54
		sub	esi, 1
		jz	short loc_916A3B
		sub	esi, 1
		jz	short loc_916A22
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		mov	esi, [eax]
		cmp	[edx+4], ecx
		ja	loc_7FD0F4
		jb	loc_7FD0F6
		jmp	loc_914E15
; 

loc_916A22:				; CODE XREF: PropertyEval+1199BAj
		mov	eax, [ebp+arg_C]
		mov	esi, [eax]
		cmp	[edx+4], ecx
		jb	loc_7FD0F4
		ja	loc_7FD0F6
		jmp	loc_914E44
; 

loc_916A3B:				; CODE XREF: PropertyEval+1199B5j
		mov	eax, [ebp+arg_C]
		mov	esi, [eax]
		cmp	[edx+4], ecx
		ja	loc_7FD0F4
		jb	loc_7FD0F6
		jmp	loc_914E73
; 

loc_916A54:				; CODE XREF: PropertyEval+1199B0j
		mov	eax, [ebp+arg_C]
		mov	esi, [eax]
		cmp	[edx+4], ecx
		jb	loc_7FD0F4
		ja	loc_7FD0F6
		jmp	loc_914EA2
; 

loc_916A6D:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_916680
		sub	esi, 1
		jz	loc_9166E6
		sub	esi, 1
		jz	loc_9166CC
		sub	esi, 1
		jz	loc_9166B2
		sub	esi, 1
		jz	loc_916698
		jmp	loc_914A91	; default
; 

loc_916AA0:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_916B9A
		sub	esi, 1
		jz	loc_916B65
		sub	esi, 1
		jz	short loc_916B30
		sub	esi, 1
		jz	short loc_916AFB
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [edx]
		mov	ecx, [edx+4]
		mov	dword ptr [ebp+var_28],	eax
		mov	eax, ecx
		and	ecx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], ecx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_914FAB
; 

loc_916AFB:				; CODE XREF: PropertyEval+119A77j
		mov	eax, [edx]
		mov	ecx, [edx+4]
		mov	dword ptr [ebp+var_28],	eax
		mov	eax, ecx
		and	ecx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], ecx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_915046
; 

loc_916B30:				; CODE XREF: PropertyEval+119A72j
		mov	eax, [edx]
		mov	ecx, [edx+4]
		mov	dword ptr [ebp+var_28],	eax
		mov	eax, ecx
		and	ecx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], ecx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_915104
; 

loc_916B65:				; CODE XREF: PropertyEval+119A69j
		mov	eax, [edx]
		mov	ecx, [edx+4]
		mov	dword ptr [ebp+var_28],	eax
		mov	eax, ecx
		and	ecx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], ecx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_91519F
; 

loc_916B9A:				; CODE XREF: PropertyEval+119A60j
		mov	eax, [edx]
		mov	ecx, [edx+4]
		mov	dword ptr [ebp+var_28],	eax
		mov	eax, ecx
		and	ecx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], ecx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_9150D4
; 

loc_916BCF:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_916CC9
		sub	esi, 1
		jz	loc_916C94
		sub	esi, 1
		jz	short loc_916C5F
		sub	esi, 1
		jz	short loc_916C2A
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [edx]
		mov	ecx, [edx+4]
		mov	dword ptr [ebp+var_28],	eax
		mov	eax, ecx
		and	ecx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], ecx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91525C
; 

loc_916C2A:				; CODE XREF: PropertyEval+119BA6j
		mov	eax, [edx]
		mov	ecx, [edx+4]
		mov	dword ptr [ebp+var_28],	eax
		mov	eax, ecx
		and	ecx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], ecx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91527F
; 

loc_916C5F:				; CODE XREF: PropertyEval+119BA1j
		mov	eax, [edx]
		mov	ecx, [edx+4]
		mov	dword ptr [ebp+var_28],	eax
		mov	eax, ecx
		and	ecx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], ecx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152A2
; 

loc_916C94:				; CODE XREF: PropertyEval+119B98j
		mov	eax, [edx]
		mov	ecx, [edx+4]
		mov	dword ptr [ebp+var_28],	eax
		mov	eax, ecx
		and	ecx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], ecx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152C5
; 

loc_916CC9:				; CODE XREF: PropertyEval+119B8Fj
		mov	eax, [edx]
		mov	ecx, [edx+4]
		mov	dword ptr [ebp+var_28],	eax
		mov	eax, ecx
		and	ecx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], ecx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9152E8
; 

loc_916CFE:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2A8o
		add	eax, 0FFFFFFFEh
		cmp	eax, 0Dh
		mov	ebx, [ebp+arg_14]
		ja	loc_914A91	; default
		jmp	ds:off_918313[eax*4] ; default

loc_916D14:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_916D96
		sub	esi, 1
		jz	short loc_916D7D
		sub	esi, 1
		jz	short loc_916D64
		sub	esi, 1
		jz	short loc_916D4B
		sub	esi, 1
		jnz	loc_914A91	; default
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_9150BE
; 

loc_916D4B:				; CODE XREF: PropertyEval+119CE3j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_915023
; 

loc_916D64:				; CODE XREF: PropertyEval+119CDEj
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_915217
; 

loc_916D7D:				; CODE XREF: PropertyEval+119CD9j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_91517C
; 

loc_916D96:				; CODE XREF: PropertyEval+119CD4j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9150D9
; 

loc_916DAF:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_916E31
		sub	esi, 1
		jz	short loc_916E18
		sub	esi, 1
		jz	short loc_916DFF
		sub	esi, 1
		jz	short loc_916DE6
		sub	esi, 1
		jnz	loc_914A91	; default
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_9150BE
; 

loc_916DE6:				; CODE XREF: PropertyEval+119D7Ej
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_915023
; 

loc_916DFF:				; CODE XREF: PropertyEval+119D79j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_915217
; 

loc_916E18:				; CODE XREF: PropertyEval+119D74j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_91517C
; 

loc_916E31:				; CODE XREF: PropertyEval+119D6Fj
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9150D9
; 

loc_916E4A:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_916ECC
		sub	esi, 1
		jz	short loc_916EB3
		sub	esi, 1
		jz	short loc_916E9A
		sub	esi, 1
		jz	short loc_916E81
		sub	esi, 1
		jnz	loc_914A91	; default
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_9150BE
; 

loc_916E81:				; CODE XREF: PropertyEval+119E19j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_915023
; 

loc_916E9A:				; CODE XREF: PropertyEval+119E14j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_915217
; 

loc_916EB3:				; CODE XREF: PropertyEval+119E0Fj
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_91517C
; 

loc_916ECC:				; CODE XREF: PropertyEval+119E0Aj
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9150D9
; 

loc_916EE5:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_916F67
		sub	esi, 1
		jz	short loc_916F4E
		sub	esi, 1
		jz	short loc_916F35
		sub	esi, 1
		jz	short loc_916F1C
		sub	esi, 1
		jnz	loc_914A91	; default
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_9150BE
; 

loc_916F1C:				; CODE XREF: PropertyEval+119EB4j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_915023
; 

loc_916F35:				; CODE XREF: PropertyEval+119EAFj
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_915217
; 

loc_916F4E:				; CODE XREF: PropertyEval+119EAAj
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fcomp	[ebp+var_28]
		jmp	loc_91517C
; 

loc_916F67:				; CODE XREF: PropertyEval+119EA5j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9150D9
; 

loc_916F80:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_916FE6
		sub	esi, 1
		jz	short loc_916FD4
		sub	esi, 1
		jz	short loc_916FC2
		sub	esi, 1
		jz	short loc_916FB0
		sub	esi, 1
		jnz	loc_914A91	; default
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_914FE7
; 

loc_916FB0:				; CODE XREF: PropertyEval+119F4Fj
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_915082
; 

loc_916FC2:				; CODE XREF: PropertyEval+119F4Aj
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_915140
; 

loc_916FD4:				; CODE XREF: PropertyEval+119F45j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_9151DB
; 

loc_916FE6:				; CODE XREF: PropertyEval+119F40j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_9150D9
; 

loc_916FF8:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_9170A2
		sub	esi, 1
		jz	short loc_917080
		sub	esi, 1
		jz	short loc_91705E
		sub	esi, 1
		jz	short loc_91703C
		sub	esi, 1
		jnz	loc_914A91	; default
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_917031
		fadd	ds:__real@4f800000

loc_917031:				; CODE XREF: PropertyEval+119FE5j
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_914FE7
; 

loc_91703C:				; CODE XREF: PropertyEval+119FCBj
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_917053
		fadd	ds:__real@4f800000

loc_917053:				; CODE XREF: PropertyEval+11A007j
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_915082
; 

loc_91705E:				; CODE XREF: PropertyEval+119FC6j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_917075
		fadd	ds:__real@4f800000

loc_917075:				; CODE XREF: PropertyEval+11A029j
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_915140
; 

loc_917080:				; CODE XREF: PropertyEval+119FC1j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_917097
		fadd	ds:__real@4f800000

loc_917097:				; CODE XREF: PropertyEval+11A04Bj
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_9151DB
; 

loc_9170A2:				; CODE XREF: PropertyEval+119FB8j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_9170B9
		fadd	ds:__real@4f800000

loc_9170B9:				; CODE XREF: PropertyEval+11A06Dj
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_9150D9
; 

loc_9170C4:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_91712A
		sub	esi, 1
		jz	short loc_917118
		sub	esi, 1
		jz	short loc_917106
		sub	esi, 1
		jz	short loc_9170F4
		sub	esi, 1
		jnz	loc_914A91	; default
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_914FE7
; 

loc_9170F4:				; CODE XREF: PropertyEval+11A093j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_915082
; 

loc_917106:				; CODE XREF: PropertyEval+11A08Ej
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_915140
; 

loc_917118:				; CODE XREF: PropertyEval+11A089j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_9151DB
; 

loc_91712A:				; CODE XREF: PropertyEval+11A084j
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_9150D9
; 

loc_91713C:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_91716B
		sub	esi, 1
		jz	loc_9151A6
		sub	esi, 1
		jz	loc_91510B
		sub	esi, 1
		jz	loc_91504D
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_914FB2
; 

loc_91716B:				; CODE XREF: PropertyEval+11A0FCj
		fld	dword ptr [edx]
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+arg_C]
		fld	[ebp+arg_C]
		jmp	loc_9150D9
; 

loc_9171A5:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_9171DF
		sub	esi, 1
		jz	short loc_9171D8
		sub	esi, 1
		jz	short loc_9171D1
		sub	esi, 1
		jz	short loc_9171CA
		sub	esi, 1
		jnz	loc_914A91	; default
		fld	dword ptr [edx]
		jmp	loc_914FAB
; 

loc_9171CA:				; CODE XREF: PropertyEval+11A174j
		fld	dword ptr [edx]
		jmp	loc_915046
; 

loc_9171D1:				; CODE XREF: PropertyEval+11A16Fj
		fld	dword ptr [edx]
		jmp	loc_915104
; 

loc_9171D8:				; CODE XREF: PropertyEval+11A16Aj
		fld	dword ptr [edx]
		jmp	loc_91519F
; 

loc_9171DF:				; CODE XREF: PropertyEval+11A165j
		fld	dword ptr [edx]
		jmp	loc_9150D4
; 

loc_9171E6:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_917220
		sub	esi, 1
		jz	short loc_917219
		sub	esi, 1
		jz	short loc_917212
		sub	esi, 1
		jz	short loc_91720B
		sub	esi, 1
		jnz	loc_914A91	; default
		fld	dword ptr [edx]
		jmp	loc_91525C
; 

loc_91720B:				; CODE XREF: PropertyEval+11A1B5j
		fld	dword ptr [edx]
		jmp	loc_91527F
; 

loc_917212:				; CODE XREF: PropertyEval+11A1B0j
		fld	dword ptr [edx]
		jmp	loc_9152A2
; 

loc_917219:				; CODE XREF: PropertyEval+11A1ABj
		fld	dword ptr [edx]
		jmp	loc_9152C5
; 

loc_917220:				; CODE XREF: PropertyEval+11A1A6j
		fld	dword ptr [edx]
		jmp	loc_9152E8
; 

loc_917227:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2ACo
		add	eax, 0FFFFFFFEh
		cmp	eax, 0Dh
		mov	ebx, [ebp+arg_14]
		ja	loc_914A91	; default
		jmp	ds:off_91834B[eax*4] ; default

loc_91723D:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_9172FB
		sub	esi, 1
		jz	loc_9172D5
		sub	esi, 1
		jz	short loc_9172AF
		sub	esi, 1
		jz	short loc_917289
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	short loc_917282
; 

loc_917277:				; CODE XREF: PropertyEval+11ADE5j
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_917282:				; CODE XREF: PropertyEval+11A231j
					; PropertyEval+11A30Dj	...
		fcomp	qword ptr [edx]
		jmp	loc_915023
; 

loc_917289:				; CODE XREF: PropertyEval+11A214j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	short loc_9172A8
; 

loc_91729D:				; CODE XREF: PropertyEval+11ADD6j
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_9172A8:				; CODE XREF: PropertyEval+11A257j
					; PropertyEval+11A324j	...
		fcomp	qword ptr [edx]
		jmp	loc_9150BE
; 

loc_9172AF:				; CODE XREF: PropertyEval+11A20Fj
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	short loc_9172CE
; 

loc_9172C3:				; CODE XREF: PropertyEval+11ADCDj
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_9172CE:				; CODE XREF: PropertyEval+11A27Dj
					; PropertyEval+11A33Bj	...
		fcomp	qword ptr [edx]
		jmp	loc_91517C
; 

loc_9172D5:				; CODE XREF: PropertyEval+11A206j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	short loc_9172F4
; 

loc_9172E9:				; CODE XREF: PropertyEval+11ADC4j
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_9172F4:				; CODE XREF: PropertyEval+11A2A3j
					; PropertyEval+11A352j	...
		fcomp	qword ptr [edx]
		jmp	loc_915217
; 

loc_9172FB:				; CODE XREF: PropertyEval+11A1FDj
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	short loc_91731A
; 

loc_91730F:				; CODE XREF: PropertyEval+11ADBBj
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_91731A:				; CODE XREF: PropertyEval+11A2C9j
					; PropertyEval+11A369j	...
		fld	qword ptr [edx]
		jmp	loc_9150D9
; 

loc_917321:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_91739B
		sub	esi, 1
		jz	short loc_917384
		sub	esi, 1
		jz	short loc_91736D
		sub	esi, 1
		jz	short loc_917356
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_917282
; 

loc_917356:				; CODE XREF: PropertyEval+11A2F0j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172A8
; 

loc_91736D:				; CODE XREF: PropertyEval+11A2EBj
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172CE
; 

loc_917384:				; CODE XREF: PropertyEval+11A2E6j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172F4
; 

loc_91739B:				; CODE XREF: PropertyEval+11A2E1j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91731A
; 

loc_9173B2:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_91742C
		sub	esi, 1
		jz	short loc_917415
		sub	esi, 1
		jz	short loc_9173FE
		sub	esi, 1
		jz	short loc_9173E7
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_917282
; 

loc_9173E7:				; CODE XREF: PropertyEval+11A381j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172A8
; 

loc_9173FE:				; CODE XREF: PropertyEval+11A37Cj
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172CE
; 

loc_917415:				; CODE XREF: PropertyEval+11A377j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172F4
; 

loc_91742C:				; CODE XREF: PropertyEval+11A372j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91731A
; 

loc_917443:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_9174BD
		sub	esi, 1
		jz	short loc_9174A6
		sub	esi, 1
		jz	short loc_91748F
		sub	esi, 1
		jz	short loc_917478
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_917282
; 

loc_917478:				; CODE XREF: PropertyEval+11A412j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172A8
; 

loc_91748F:				; CODE XREF: PropertyEval+11A40Dj
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172CE
; 

loc_9174A6:				; CODE XREF: PropertyEval+11A408j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172F4
; 

loc_9174BD:				; CODE XREF: PropertyEval+11A403j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91731A
; 

loc_9174D4:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_917532
		sub	esi, 1
		jz	short loc_917522
		sub	esi, 1
		jz	short loc_917512
		sub	esi, 1
		jz	short loc_917502
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_917282
; 

loc_917502:				; CODE XREF: PropertyEval+11A4A3j
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172A8
; 

loc_917512:				; CODE XREF: PropertyEval+11A49Ej
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172CE
; 

loc_917522:				; CODE XREF: PropertyEval+11A499j
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172F4
; 

loc_917532:				; CODE XREF: PropertyEval+11A494j
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91731A
; 

loc_917542:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_9175E4
		sub	esi, 1
		jz	short loc_9175C4
		sub	esi, 1
		jz	short loc_9175A4
		sub	esi, 1
		jz	short loc_917584
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_917579
		fadd	ds:__real@41f0000000000000

loc_917579:				; CODE XREF: PropertyEval+11A52Dj
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_917282
; 

loc_917584:				; CODE XREF: PropertyEval+11A515j
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_917599
		fadd	ds:__real@41f0000000000000

loc_917599:				; CODE XREF: PropertyEval+11A54Dj
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172A8
; 

loc_9175A4:				; CODE XREF: PropertyEval+11A510j
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_9175B9
		fadd	ds:__real@41f0000000000000

loc_9175B9:				; CODE XREF: PropertyEval+11A56Dj
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172CE
; 

loc_9175C4:				; CODE XREF: PropertyEval+11A50Bj
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_9175D9
		fadd	ds:__real@41f0000000000000

loc_9175D9:				; CODE XREF: PropertyEval+11A58Dj
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172F4
; 

loc_9175E4:				; CODE XREF: PropertyEval+11A502j
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_9175F9
		fadd	ds:__real@41f0000000000000

loc_9175F9:				; CODE XREF: PropertyEval+11A5ADj
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91731A
; 

loc_917604:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_917662
		sub	esi, 1
		jz	short loc_917652
		sub	esi, 1
		jz	short loc_917642
		sub	esi, 1
		jz	short loc_917632
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_917282
; 

loc_917632:				; CODE XREF: PropertyEval+11A5D3j
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172A8
; 

loc_917642:				; CODE XREF: PropertyEval+11A5CEj
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172CE
; 

loc_917652:				; CODE XREF: PropertyEval+11A5C9j
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172F4
; 

loc_917662:				; CODE XREF: PropertyEval+11A5C4j
		mov	eax, [ebp+arg_C]
		fild	qword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91731A
; 

loc_917672:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_9176A1
		sub	esi, 1
		jz	loc_9151DF
		sub	esi, 1
		jz	loc_915144
		sub	esi, 1
		jz	loc_915086
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_914FEB
; 

loc_9176A1:				; CODE XREF: PropertyEval+11A632j
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	short loc_917709
; 

loc_9176D6:				; CODE XREF: PropertyEval+11ADEEj
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]

loc_917709:				; CODE XREF: PropertyEval+11A690j
		mov	esi, [ebp+var_20]
		fld	qword ptr [esi]
		jmp	loc_9150D9
; 

loc_917713:				; CODE XREF: PropertyEval+11AF18j
		mov	eax, [ebp+arg_C]
		fld	dword ptr [eax]
		jmp	loc_917282
; 

loc_91771D:				; CODE XREF: PropertyEval+11AF0Fj
		mov	eax, [ebp+arg_C]
		fld	dword ptr [eax]
		jmp	loc_9172A8
; 

loc_917727:				; CODE XREF: PropertyEval+11AF06j
		mov	eax, [ebp+arg_C]
		fld	dword ptr [eax]
		jmp	loc_9172CE
; 

loc_917731:				; CODE XREF: PropertyEval+11AEFDj
		mov	eax, [ebp+arg_C]
		fld	dword ptr [eax]
		jmp	loc_9172F4
; 

loc_91773B:				; CODE XREF: PropertyEval+11AEF4j
		mov	eax, [ebp+arg_C]
		fld	dword ptr [eax]
		jmp	loc_91731A
; 

loc_917745:				; CODE XREF: PropertyEval+11AF4Bj
		mov	eax, [ebp+arg_C]
		fld	qword ptr [eax]
		jmp	loc_917282
; 

loc_91774F:				; CODE XREF: PropertyEval+11AF42j
		mov	eax, [ebp+arg_C]
		fld	qword ptr [eax]
		jmp	loc_9172A8
; 

loc_917759:				; CODE XREF: PropertyEval+11AF39j
		mov	eax, [ebp+arg_C]
		fld	qword ptr [eax]
		jmp	loc_9172CE
; 

loc_917763:				; CODE XREF: PropertyEval+11AF30j
		mov	eax, [ebp+arg_C]
		fld	qword ptr [eax]
		jmp	loc_9172F4
; 

loc_91776D:				; CODE XREF: PropertyEval+11AF27j
		fld	qword ptr [edx]
		jmp	loc_9152E8
; 

loc_917774:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2B0o
		cmp	eax, 0Ch
		jmp	short loc_91777C
; 

loc_917779:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2DCo
		cmp	eax, 17h

loc_91777C:				; CODE XREF: PropertyEval+11A733j
		mov	ebx, [ebp+arg_14]
		jnz	loc_914A91	; default

loc_917785:				; CODE XREF: PropertyEval+6Fj
		cmp	esi, 2
		jnz	loc_914A91	; default

loc_91778E:				; CODE XREF: PropertyEval+11B111j
		mov	eax, [ebp+arg_0]

loc_917791:				; CODE XREF: PropertyEval+184j
		cmp	eax, [ebp+arg_10]
		jnz	loc_7FD0F4
		push	eax
		push	[ebp+arg_C]
		jmp	short loc_9177A3
; 

loc_9177A0:				; CODE XREF: PropertyEval+11B047j
		push	10h		; size_t
		push	esi		; void *

loc_9177A3:				; CODE XREF: PropertyEval+11A75Aj
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		xor	ecx, ecx
		test	eax, eax
		jmp	loc_7FD135
; 

loc_9177B5:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2B8o
		add	eax, 0FFFFFFFEh
		cmp	eax, 0Dh
		mov	ebx, [ebp+arg_14]
		ja	loc_914A91	; default
		jmp	ds:off_918383[eax*4] ; default

loc_9177CB:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_916897
		sub	esi, 1
		jz	loc_917860
		sub	esi, 1
		jz	short loc_91783B
		sub	esi, 1
		jz	short loc_917816
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_9177FE
; 

loc_9177F9:				; CODE XREF: PropertyEval+11A953j
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_9177FE:				; CODE XREF: PropertyEval+11A7B3j
					; PropertyEval+11A869j	...
		cdq
		mov	esi, [ebp+var_20]
		cmp	[esi+4], edx
		jg	loc_91681E
		jl	loc_9163EE
		jmp	loc_916816
; 

loc_917816:				; CODE XREF: PropertyEval+11A7A2j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_917823
; 

loc_91781E:				; CODE XREF: PropertyEval+11A944j
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_917823:				; CODE XREF: PropertyEval+11A7D8j
					; PropertyEval+11A874j	...
		cdq
		mov	esi, [ebp+var_20]
		cmp	[esi+4], edx
		jl	loc_91681E
		jg	loc_9163EE
		jmp	loc_916841
; 

loc_91783B:				; CODE XREF: PropertyEval+11A79Dj
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_917848
; 

loc_917843:				; CODE XREF: PropertyEval+11A93Bj
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_917848:				; CODE XREF: PropertyEval+11A7FDj
					; PropertyEval+11A87Fj	...
		cdq
		mov	esi, [ebp+var_20]
		cmp	[esi+4], edx
		jg	loc_91681E
		jl	loc_9163EE
		jmp	loc_916867
; 

loc_917860:				; CODE XREF: PropertyEval+11A794j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		jmp	short loc_91786D
; 

loc_917868:				; CODE XREF: PropertyEval+11A932j
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]

loc_91786D:				; CODE XREF: PropertyEval+11A822j
					; PropertyEval+11A887j	...
		cdq
		mov	esi, [ebp+var_20]
		cmp	[esi+4], edx
		jl	loc_91681E
		jg	loc_9163EE
		jmp	loc_91688D
; 

loc_917885:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_916902
		sub	esi, 1
		jz	short loc_9178C5
		sub	esi, 1
		jz	short loc_9178BD
		sub	esi, 1
		jz	short loc_9178B2
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_9177FE
; 

loc_9178B2:				; CODE XREF: PropertyEval+11A858j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	loc_917823
; 

loc_9178BD:				; CODE XREF: PropertyEval+11A853j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	short loc_917848
; 

loc_9178C5:				; CODE XREF: PropertyEval+11A84Ej
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		jmp	short loc_91786D
; 

loc_9178CD:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_916954
		sub	esi, 1
		jz	short loc_917910
		sub	esi, 1
		jz	short loc_917905
		sub	esi, 1
		jz	short loc_9178FA
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_9177FE
; 

loc_9178FA:				; CODE XREF: PropertyEval+11A8A0j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_917823
; 

loc_917905:				; CODE XREF: PropertyEval+11A89Bj
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_917848
; 

loc_917910:				; CODE XREF: PropertyEval+11A896j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		jmp	loc_91786D
; 

loc_91791B:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_9169A9
		sub	esi, 1
		jz	short loc_91795E
		sub	esi, 1
		jz	short loc_917953
		sub	esi, 1
		jz	short loc_917948
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_9177FE
; 

loc_917948:				; CODE XREF: PropertyEval+11A8EEj
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_917823
; 

loc_917953:				; CODE XREF: PropertyEval+11A8E9j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_917848
; 

loc_91795E:				; CODE XREF: PropertyEval+11A8E4j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		jmp	loc_91786D
; 

loc_917969:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_91689F
		sub	esi, 1
		jz	loc_917868
		sub	esi, 1
		jz	loc_917843
		sub	esi, 1
		jz	loc_91781E
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_9177F9
; 

loc_91799C:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_9165FB
		sub	esi, 1
		jz	loc_9165E2
		sub	esi, 1
		jz	loc_9165C9
		sub	esi, 1
		jz	loc_9165B0
		sub	esi, 1
		jz	loc_916597
		jmp	loc_914A91	; default
; 

loc_9179CF:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_916680
		sub	esi, 1
		jz	loc_916666
		sub	esi, 1
		jz	loc_91664C
		sub	esi, 1
		jz	loc_916632
		sub	esi, 1
		jz	loc_916618
		jmp	loc_914A91	; default
; 

loc_917A02:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_917A31
		sub	esi, 1
		jz	loc_915197
		sub	esi, 1
		jz	loc_9150FC
		sub	esi, 1
		jz	loc_91503E
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_914FA3
; 

loc_917A31:				; CODE XREF: PropertyEval+11A9C2j
		fild	qword ptr [edx]
		fstp	[ebp+arg_0]
		fld	[ebp+arg_0]
		jmp	loc_9150D4
; 

loc_917A3E:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_9152E0
		sub	esi, 1
		jz	loc_9152BD
		sub	esi, 1
		jz	loc_91529A
		sub	esi, 1
		jz	loc_915277
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_915254
; 

loc_917A71:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2BCo
		add	eax, 0FFFFFFFEh
		cmp	eax, 0Dh
		mov	ebx, [ebp+arg_14]
		ja	loc_914A91	; default
		jmp	ds:off_9183BB[eax*4] ; default

loc_917A87:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_917B01
		sub	esi, 1
		jz	short loc_917AEA
		sub	esi, 1
		jz	short loc_917AD3
		sub	esi, 1
		jz	short loc_917ABC
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_917282
; 

loc_917ABC:				; CODE XREF: PropertyEval+11AA56j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172A8
; 

loc_917AD3:				; CODE XREF: PropertyEval+11AA51j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172CE
; 

loc_917AEA:				; CODE XREF: PropertyEval+11AA4Cj
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172F4
; 

loc_917B01:				; CODE XREF: PropertyEval+11AA47j
		mov	eax, [ebp+arg_C]
		movsx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91731A
; 

loc_917B18:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_917B92
		sub	esi, 1
		jz	short loc_917B7B
		sub	esi, 1
		jz	short loc_917B64
		sub	esi, 1
		jz	short loc_917B4D
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_917282
; 

loc_917B4D:				; CODE XREF: PropertyEval+11AAE7j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172A8
; 

loc_917B64:				; CODE XREF: PropertyEval+11AAE2j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172CE
; 

loc_917B7B:				; CODE XREF: PropertyEval+11AADDj
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172F4
; 

loc_917B92:				; CODE XREF: PropertyEval+11AAD8j
		mov	eax, [ebp+arg_C]
		movzx	eax, byte ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91731A
; 

loc_917BA9:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_917C23
		sub	esi, 1
		jz	short loc_917C0C
		sub	esi, 1
		jz	short loc_917BF5
		sub	esi, 1
		jz	short loc_917BDE
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_917282
; 

loc_917BDE:				; CODE XREF: PropertyEval+11AB78j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172A8
; 

loc_917BF5:				; CODE XREF: PropertyEval+11AB73j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172CE
; 

loc_917C0C:				; CODE XREF: PropertyEval+11AB6Ej
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172F4
; 

loc_917C23:				; CODE XREF: PropertyEval+11AB69j
		mov	eax, [ebp+arg_C]
		movsx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91731A
; 

loc_917C3A:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_917CB4
		sub	esi, 1
		jz	short loc_917C9D
		sub	esi, 1
		jz	short loc_917C86
		sub	esi, 1
		jz	short loc_917C6F
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_917282
; 

loc_917C6F:				; CODE XREF: PropertyEval+11AC09j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172A8
; 

loc_917C86:				; CODE XREF: PropertyEval+11AC04j
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172CE
; 

loc_917C9D:				; CODE XREF: PropertyEval+11ABFFj
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172F4
; 

loc_917CB4:				; CODE XREF: PropertyEval+11ABFAj
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91731A
; 

loc_917CCB:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	short loc_917D29
		sub	esi, 1
		jz	short loc_917D19
		sub	esi, 1
		jz	short loc_917D09
		sub	esi, 1
		jz	short loc_917CF9
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_917282
; 

loc_917CF9:				; CODE XREF: PropertyEval+11AC9Aj
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172A8
; 

loc_917D09:				; CODE XREF: PropertyEval+11AC95j
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172CE
; 

loc_917D19:				; CODE XREF: PropertyEval+11AC90j
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172F4
; 

loc_917D29:				; CODE XREF: PropertyEval+11AC8Bj
		mov	eax, [ebp+arg_C]
		fild	dword ptr [eax]
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91731A
; 

loc_917D39:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_917DDB
		sub	esi, 1
		jz	short loc_917DBB
		sub	esi, 1
		jz	short loc_917D9B
		sub	esi, 1
		jz	short loc_917D7B
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_917D70
		fadd	ds:__real@41f0000000000000

loc_917D70:				; CODE XREF: PropertyEval+11AD24j
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_917282
; 

loc_917D7B:				; CODE XREF: PropertyEval+11AD0Cj
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_917D90
		fadd	ds:__real@41f0000000000000

loc_917D90:				; CODE XREF: PropertyEval+11AD44j
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172A8
; 

loc_917D9B:				; CODE XREF: PropertyEval+11AD07j
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_917DB0
		fadd	ds:__real@41f0000000000000

loc_917DB0:				; CODE XREF: PropertyEval+11AD64j
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172CE
; 

loc_917DBB:				; CODE XREF: PropertyEval+11AD02j
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_917DD0
		fadd	ds:__real@41f0000000000000

loc_917DD0:				; CODE XREF: PropertyEval+11AD84j
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9172F4
; 

loc_917DDB:				; CODE XREF: PropertyEval+11ACF9j
		mov	eax, [ebp+arg_C]
		mov	eax, [eax]
		mov	[ebp+arg_C], eax
		fild	[ebp+arg_C]
		test	eax, eax
		jns	short loc_917DF0
		fadd	ds:__real@41f0000000000000

loc_917DF0:				; CODE XREF: PropertyEval+11ADA4j
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91731A
; 

loc_917DFB:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_91730F
		sub	esi, 1
		jz	loc_9172E9
		sub	esi, 1
		jz	loc_9172C3
		sub	esi, 1
		jz	loc_91729D
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_917277
; 

loc_917E2E:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_9176D6
		sub	esi, 1
		jz	loc_917EFC
		sub	esi, 1
		jz	short loc_917EC4
		sub	esi, 1
		jz	short loc_917E8C
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_91501E
; 

loc_917E8C:				; CODE XREF: PropertyEval+11AE05j
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_9150B9
; 

loc_917EC4:				; CODE XREF: PropertyEval+11AE00j
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_915177
; 

loc_917EFC:				; CODE XREF: PropertyEval+11ADF7j
		mov	eax, [ebp+arg_C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		mov	dword ptr [ebp+var_28],	ecx
		mov	eax, edx
		and	edx, 7FFFFFFFh
		mov	dword ptr [ebp+var_28+4], edx
		fild	[ebp+var_28]
		and	eax, 80000000h
		mov	dword ptr [ebp+var_28+4], eax
		xor	ecx, ecx
		mov	dword ptr [ebp+var_28],	ecx
		fild	[ebp+var_28]
		fchs
		faddp	st(1), st
		fstp	[ebp+var_28]
		fld	[ebp+var_28]
		jmp	loc_915212
; 

loc_917F34:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_91773B
		sub	esi, 1
		jz	loc_917731
		sub	esi, 1
		jz	loc_917727
		sub	esi, 1
		jz	loc_91771D
		sub	esi, 1
		jz	loc_917713
		jmp	loc_914A91	; default
; 

loc_917F67:				; CODE XREF: PropertyEval+117A80j
					; PropertyEval+1182BDj	...
		dec	esi
		sub	esi, 1
		jz	loc_91776D
		sub	esi, 1
		jz	loc_917763
		sub	esi, 1
		jz	loc_917759
		sub	esi, 1
		jz	loc_91774F
		sub	esi, 1
		jz	loc_917745
		jmp	loc_914A91	; default
; 

loc_917F9A:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2C0o
		cmp	eax, 10h
		mov	ebx, [ebp+arg_14]
		jnz	loc_914A91	; default
		dec	esi
		sub	esi, 1
		jz	loc_918037
		sub	esi, 1
		jz	short loc_918026
		sub	esi, 1
		jz	short loc_918015
		sub	esi, 1
		jz	short loc_917FDA
		sub	esi, 1
		jnz	loc_914A91	; default
		mov	edx, [ebp+arg_C]
		mov	esi, [ebp+var_20]
		mov	ecx, esi
		call	_CompareFileTimeType@8 ; CompareFileTimeType(x,x)
		cmp	eax, 0FFFFFFFFh
		jmp	short loc_917FE9
; 

loc_917FDA:				; CODE XREF: PropertyEval+11AF79j
		mov	edx, [ebp+arg_C]
		mov	esi, [ebp+var_20]
		mov	ecx, esi
		call	_CompareFileTimeType@8 ; CompareFileTimeType(x,x)
		cmp	eax, edi

loc_917FE9:				; CODE XREF: PropertyEval+11AF94j
		jz	loc_9163EE
		mov	edx, [ebp+arg_C]
		mov	ecx, esi
		call	_CompareFileTimeType@8 ; CompareFileTimeType(x,x)
		jmp	short loc_918008
; 

loc_917FFB:				; CODE XREF: PropertyEval+11B128j
		push	eax		; size_t
		push	[ebp+arg_C]	; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch

loc_918008:				; CODE XREF: PropertyEval+11AFB5j
		test	eax, eax

loc_91800A:				; CODE XREF: PropertyEval+11986Fj
		jnz	loc_91681E
		jmp	loc_9163EE
; 

loc_918015:				; CODE XREF: PropertyEval+11AF74j
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+var_20]
		call	_CompareFileTimeType@8 ; CompareFileTimeType(x,x)
		inc	eax
		jmp	loc_7FD1EA
; 

loc_918026:				; CODE XREF: PropertyEval+11AF6Fj
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+var_20]
		call	_CompareFileTimeType@8 ; CompareFileTimeType(x,x)
		dec	eax
		jmp	loc_7FD1EA
; 

loc_918037:				; CODE XREF: PropertyEval+11AF66j
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+var_20]
		call	_CompareFileTimeType@8 ; CompareFileTimeType(x,x)
		jmp	loc_7FD1EA
; 

loc_918047:				; CODE XREF: PropertyEval+177j
		lea	eax, [esi-9]
		cmp	eax, 2
		ja	loc_914A91	; default
		push	esi		; int
		push	[ebp+arg_4]	; int
		mov	edx, [ebp+arg_C] ; wchar_t *
		mov	ecx, [ebp+var_20] ; wchar_t *
		call	_SubstringMatch@16 ; SubstringMatch(x,x,x,x)
		jmp	loc_7FD187
; 

loc_918067:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2D4o
		cmp	eax, 15h
		mov	ebx, [ebp+arg_14]
		jnz	loc_7FD0F8
		cmp	esi, 2
		jnz	loc_7FD0F8
		mov	eax, [edx+10h]
		mov	esi, [ebp+arg_C]
		cmp	eax, [esi+10h]
		jnz	loc_7FD0F4
		jmp	loc_9177A0
; 

loc_918090:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2D8o
		cmp	eax, 16h
		jmp	short loc_918098
; 

loc_918095:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2E0o
		cmp	eax, 18h

loc_918098:				; CODE XREF: PropertyEval+11B04Fj
		mov	ebx, [ebp+arg_14]
		jnz	loc_914A91	; default
		cmp	esi, 2
		jnz	loc_914A91	; default
		jmp	loc_7FD265
; 

loc_9180AF:				; CODE XREF: PropertyEval+8Bj
					; DATA XREF: PAGE:007FD2E4o
		cmp	eax, 19h
		mov	ebx, [ebp+arg_14]
		jz	short loc_9180C0
		cmp	eax, 12h
		jnz	loc_914A91	; default

loc_9180C0:				; CODE XREF: PropertyEval+11B071j
		dec	esi
		sub	esi, 1
		jnz	loc_914A91	; default
		jmp	loc_7FD1C1
; 

loc_9180CF:				; CODE XREF: PropertyEval+108j
		cmp	dword ptr [ebp+var_28+4], 100Dh
		jnz	loc_914A8E
		cmp	eax, 100Dh
		jz	short loc_9180EC
		cmp	eax, 0Dh
		jnz	loc_914A91	; default

loc_9180EC:				; CODE XREF: PropertyEval+11B09Dj
		dec	esi
		sub	esi, 1
		jz	short loc_918160
		sub	esi, 0FFFFFFEh
		jnz	loc_914A91	; default
		push	10h
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_20]
		call	_ArrayContains@20 ; ArrayContains(x,x,x,x,x)
		jmp	loc_7FD187
; 

loc_918116:				; CODE XREF: PropertyEval+111j
		cmp	eax, 2012h
		jz	loc_7FD15B
		jmp	loc_914A91	; default
; 

loc_918126:				; CODE XREF: PropertyEval+12Dj
		mov	edi, 1000h
		sub	edx, edi
		jz	short loc_91813B
		sub	edx, edi
		jz	short loc_91813B
		sub	edx, edi
		jnz	loc_914A91	; default

loc_91813B:				; CODE XREF: PropertyEval+11B0E9j
					; PropertyEval+11B0EDj
		push	esi		; int
		push	[ebp+arg_4]	; int
		push	[ebp+arg_C]	; wchar_t *
		mov	edx, eax	; int
		mov	ecx, [ebp+var_20] ; wchar_t *
		call	_StringListElementSubstringMatch@20 ; StringListElementSubstringMatch(x,x,x,x,x)
		jmp	loc_7FD187
; 

loc_918151:				; CODE XREF: PropertyEval+11Ej
		cmp	[ebp+arg_4], 0
		jz	loc_91778E
		jmp	loc_914A91	; default
; 

loc_918160:				; CODE XREF: PropertyEval+11B0ACj
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_10]
		jnz	loc_7FD0F4
		jmp	loc_917FFB
; END OF FUNCTION CHUNK	FOR PropertyEval

;  S U B	R O U T	I N E 


sub_918171	proc near		; DATA XREF: .text:006A542Co
		xor	eax, eax
		retn
sub_918171	endp


;  S U B	R O U T	I N E 


sub_918174	proc near		; DATA XREF: .text:006A5430o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ecx, ecx
		mov	ebx, [ebp+1Ch]
		jmp	loc_7FD100
sub_918174	endp

; 
		db 8Dh,	49h, 0
off_91818B	dd offset loc_914ACB	; DATA XREF: PropertyEval+117A80r
		dd offset loc_914B5D
		dd offset loc_914C6E
		dd offset loc_914CFA
		dd offset loc_914D3C
		dd offset loc_914D73
		dd offset loc_914DCD
		dd offset loc_914ECA
		dd offset loc_914F64
		dd offset loc_915221
		dd offset loc_914A91	; default
		dd offset loc_914A91	; default
		dd offset loc_914DCD
		dd offset loc_915221
off_9181C3	dd offset loc_915308	; DATA XREF: PropertyEval+1182BDr
		dd offset loc_915385
		dd offset loc_9153D7
		dd offset loc_91541D
		dd offset loc_915479
		dd offset loc_9154BF
		dd offset loc_9154FD
		dd offset loc_915543
		dd offset loc_915581
		dd offset loc_915603
		dd offset loc_914A91	; default
		dd offset loc_914A91	; default
		dd offset loc_9154FD
		dd offset loc_915603
off_9181FB	dd offset loc_91569B	; DATA XREF: PropertyEval+118650r
		dd offset loc_915745
		dd offset loc_915768
		dd offset loc_91579B
		dd offset loc_9157F5
		dd offset loc_91583B
		dd offset loc_915879
		dd offset loc_9158BF
		dd offset loc_9158FD
		dd offset loc_91597F
		dd offset loc_914A91	; default
		dd offset loc_914A91	; default
		dd offset loc_915879
		dd offset loc_91597F
off_918233	dd offset loc_915A17	; DATA XREF: PropertyEval+1189CCr
		dd offset loc_915A4A
		dd offset loc_915AB9
		dd offset loc_915AEC
		dd offset loc_915B22
		dd offset loc_915B68
		dd offset loc_915BA6
		dd offset loc_915BEC
		dd offset loc_915C2A
		dd offset loc_915CAC
		dd offset loc_914A91	; default
		dd offset loc_914A91	; default
		dd offset loc_915BA6
		dd offset loc_915CAC
off_91826B	dd offset loc_915D44	; DATA XREF: PropertyEval+118CF9r
		dd offset loc_915D77
		dd offset loc_915DCC
		dd offset loc_915E21
		dd offset loc_915E76
		dd offset loc_7FD241	; case 0x6
		dd offset loc_915ECB
		dd offset loc_915EFE
		dd offset loc_915F31
		dd offset loc_915F90
		dd offset loc_914A91	; default
		dd offset loc_914A91	; default
		dd offset loc_915ECB
		dd offset loc_915F90
off_9182A3	dd offset loc_9163AE	; DATA XREF: PropertyEval+119363r
		dd offset loc_91646B
		dd offset loc_9164BA
		dd offset loc_91650F
		dd offset loc_916564
		dd offset loc_91799C
		dd offset loc_9179CF
		dd offset loc_916A6D
		dd offset loc_916700
		dd offset loc_91675F
		dd offset loc_914A91	; default
		dd offset loc_914A91	; default
		dd offset loc_9179CF
		dd offset loc_91675F
off_9182DB	dd offset loc_9167D4	; DATA XREF: PropertyEval+119789r
		dd offset loc_9168B8
		dd offset loc_91690A
		dd offset loc_91695F
		dd offset loc_9169B4
		dd offset loc_9169E7
		dd offset loc_916A6D
		dd offset loc_916A6D
		dd offset loc_916AA0
		dd offset loc_916BCF
		dd offset loc_914A91	; default
		dd offset loc_914A91	; default
		dd offset loc_916A6D
		dd offset loc_916BCF
off_918313	dd offset loc_916D14	; DATA XREF: PropertyEval+119CC9r
		dd offset loc_916DAF
		dd offset loc_916E4A
		dd offset loc_916EE5
		dd offset loc_916F80
		dd offset loc_916FF8
		dd offset loc_9170C4
		dd offset loc_91713C
		dd offset loc_9171A5
		dd offset loc_9171E6
		dd offset loc_914A91	; default
		dd offset loc_914A91	; default
		dd offset loc_9170C4
		dd offset loc_9171E6
off_91834B	dd offset loc_91723D	; DATA XREF: PropertyEval+11A1F2r
		dd offset loc_917321
		dd offset loc_9173B2
		dd offset loc_917443
		dd offset loc_9174D4
		dd offset loc_917542
		dd offset loc_917604
		dd offset loc_917672
		dd offset loc_917F34
		dd offset loc_917F67
		dd offset loc_914A91	; default
		dd offset loc_914A91	; default
		dd offset loc_917604
		dd offset loc_917F67
off_918383	dd offset loc_9177CB	; DATA XREF: PropertyEval+11A780r
		dd offset loc_917885
		dd offset loc_9178CD
		dd offset loc_91791B
		dd offset loc_917969
		dd offset loc_91799C
		dd offset loc_9179CF
		dd offset loc_916A6D
		dd offset loc_917A02
		dd offset loc_917A3E
		dd offset loc_914A91	; default
		dd offset loc_914A91	; default
		dd offset loc_9179CF
		dd offset loc_917A3E
off_9183BB	dd offset loc_917A87	; DATA XREF: PropertyEval+11AA3Cr
		dd offset loc_917B18
		dd offset loc_917BA9
		dd offset loc_917C3A
		dd offset loc_917CCB
		dd offset loc_917D39
		dd offset loc_917DFB
		dd offset loc_917E2E
		dd offset loc_917F34
		dd offset loc_917F67
		dd offset loc_914A91	; default
		dd offset loc_914A91	; default
		dd offset loc_917DFB
		dd offset loc_917F67
; 
; START	OF FUNCTION CHUNK FOR PiDqPropertyCallback

loc_9183F3:				; CODE XREF: PiDqPropertyCallback+5Cj
		test	eax, eax
		jz	loc_7FD3B3
		test	ecx, ecx
		jz	loc_7FD3B3
		push	ecx		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_7FD382
		jmp	loc_7FD3B3
; 

loc_918419:				; CODE XREF: PiDqPropertyCallback+B0j
		sub	eax, 1
		jz	short loc_918428
		mov	esi, 0C000000Dh
		jmp	loc_7FD3AA
; 

loc_918428:				; CODE XREF: PiDqPropertyCallback+11B0FCj
		xor	eax, eax
		mov	[ebp+arg_0], eax
		cmp	[ebx], eax
		jnz	short loc_918472
		mov	ecx, [ebx+14h]
		push	ecx
		push	ecx
		push	ebx
		lea	eax, [ecx+10h]
		mov	ecx, [ecx+0Ch]
		push	eax
		push	0
		push	1
		mov	ecx, [ecx+10h]
		call	PiDqGetPnpObjectType
		mov	edx, [ebx+10h]
		xor	ecx, ecx
		push	eax
		inc	ecx
		call	_PiDqOpenObjectRegKey@36 ; PiDqOpenObjectRegKey(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_8], esi
		cmp	esi, 0C0000034h
		jnz	short loc_91846F
		xor	esi, esi
		or	dword ptr [ebx], 0FFFFFFFFh
		mov	[ebp+var_8], esi
		mov	eax, esi
		jmp	short loc_918472
; 

loc_91846F:				; CODE XREF: PiDqPropertyCallback+11B141j
		mov	eax, [ebp+arg_0]

loc_918472:				; CODE XREF: PiDqPropertyCallback+11B10Fj
					; PiDqPropertyCallback+11B14Dj
		mov	edx, [ebx]
		cmp	edx, 0FFFFFFFFh
		jnz	loc_7FD3E4
		imul	edi, [ebx+0Ch],	28h
		mov	esi, [ebp+arg_4]
		mov	eax, [ebp+arg_8]
		push	7
		pop	ecx
		add	edi, [ebx+8]
		rep movsd
		inc	dword ptr [ebx+0Ch]
		xor	ecx, ecx
		mov	esi, [ebp+var_8]
		mov	[eax], ecx
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		jmp	loc_7FD3AA
; 

loc_9184A8:				; CODE XREF: PiDqPropertyCallback+E9j
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		mov	esi, ecx
		mov	[eax], ecx
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		jmp	loc_7FD3A5
; END OF FUNCTION CHUNK	FOR PiDqPropertyCallback
; 
; START	OF FUNCTION CHUNK FOR PiDqGetPnpObjectType

loc_9184BB:				; CODE XREF: PiDqGetPnpObjectType+13j
		sub	ecx, 1
		jz	short loc_9184D6
		sub	ecx, 3
		jz	short loc_9184D2
		sub	ecx, 4
		jnz	locret_7FD4C8
		push	6
		pop	eax
		retn
; 

loc_9184D2:				; CODE XREF: PiDqGetPnpObjectType+11B005j
		push	2
		pop	eax
		retn
; 

loc_9184D6:				; CODE XREF: PiDqGetPnpObjectType+11B000j
		push	4
		pop	eax
		retn
; END OF FUNCTION CHUNK	FOR PiDqGetPnpObjectType
; 
; START	OF FUNCTION CHUNK FOR DrvDbDispatchDriverDatabase

loc_9184DA:				; CODE XREF: DrvDbDispatchDriverDatabase+26j
					; DATA XREF: PAGE:off_7FD570o
		mov	edx, [ebp+arg_4] ; case	0x0
		call	_DrvDbValidateDriverDatabaseName@8 ; DrvDbValidateDriverDatabaseName(x,x)
		jmp	locret_7FD526
; 

loc_9184E7:				; CODE XREF: DrvDbDispatchDriverDatabase+26j
					; DATA XREF: PAGE:off_7FD570o
		mov	ecx, [ebp+arg_10] ; case 0x2
		mov	edx, [ebp+arg_4]
		lea	eax, [ecx+8]
		push	eax
		lea	eax, [ecx+4]
		push	eax
		push	dword ptr [ecx]
		mov	ecx, [ebp+var_4]
		call	_DrvDbCreateDriverDatabase@20 ;	DrvDbCreateDriverDatabase(x,x,x,x,x)
		jmp	locret_7FD526
; 

loc_918504:				; CODE XREF: DrvDbDispatchDriverDatabase+26j
					; DATA XREF: PAGE:off_7FD570o
		mov	edx, [ebp+arg_4] ; case	0x3
		mov	ecx, [ebp+var_4]
		call	_DrvDbDeleteDriverDatabase@8 ; DrvDbDeleteDriverDatabase(x,x)
		jmp	locret_7FD526
; 

loc_918514:				; CODE XREF: DrvDbDispatchDriverDatabase+26j
					; DATA XREF: PAGE:off_7FD570o
		mov	eax, [ebp+arg_10] ; case 0x5
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		push	dword ptr [eax+14h]
		push	dword ptr [eax+10h]
		push	dword ptr [eax+0Ch]
		push	dword ptr [eax]
		call	_DrvDbGetDriverDatabaseMappedPropertyKeys@24 ; DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)
		jmp	locret_7FD526
; 

loc_918532:				; CODE XREF: DrvDbDispatchDriverDatabase+26j
					; DATA XREF: PAGE:off_7FD570o
		mov	eax, [ebp+arg_10] ; case 0x8
		mov	edx, [ebp+arg_4] ; wchar_t *
		mov	ecx, [ebp+var_4] ; int
		push	dword ptr [eax+14h] ; int
		push	dword ptr [eax+10h] ; void *
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; void *
		push	dword ptr [eax]	; int
		call	_DrvDbSetDriverDatabaseMappedProperty@28 ; DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)
		jmp	locret_7FD526
; END OF FUNCTION CHUNK	FOR DrvDbDispatchDriverDatabase
; 
; START	OF FUNCTION CHUNK FOR PiPnpRtlBeginOperation

loc_918553:				; CODE XREF: PiPnpRtlBeginOperation+55j
		mov	esi, 0C000009Ah
		jmp	loc_7FD6D5
; END OF FUNCTION CHUNK	FOR PiPnpRtlBeginOperation
; 
; START	OF FUNCTION CHUNK FOR PiDqQueryEvaluateFilter

loc_91855D:				; CODE XREF: PiDqQueryEvaluateFilter+46j
		mov	esi, 0C000009Ah
		jmp	loc_7FD7E7
; 

loc_918567:				; CODE XREF: PiDqQueryEvaluateFilter+C9j
		cmp	eax, 0FFFFFFFFh
		jz	loc_7FD7F3
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7FD7F3
; END OF FUNCTION CHUNK	FOR PiDqQueryEvaluateFilter
; 
; START	OF FUNCTION CHUNK FOR _CmOpenDeviceInterfaceRegKey

loc_91857B:				; CODE XREF: _CmOpenDeviceInterfaceRegKey+7Aj
		cmp	eax, 0C0000120h
		jz	short loc_918594
		test	eax, eax
		jz	loc_7FD8AE
		mov	esi, 0C00000E5h
		jmp	loc_7FD8EC
; 

loc_918594:				; CODE XREF: _CmOpenDeviceInterfaceRegKey+11AD54j
					; _CmOpenDeviceInterfaceRegKey+11AD97j
		mov	esi, [esp+60h+var_48]
		jmp	loc_7FD8DA
; 

loc_91859D:				; CODE XREF: _CmOpenDeviceInterfaceRegKey+A8j
		lea	eax, [esp+60h+var_48]
		mov	[esp+60h+var_48], esi
		push	eax
		push	2
		push	0Bh
		push	3
		push	[esp+70h+var_50]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	loc_7FD8DA
		cmp	eax, 0C0000120h
		jz	short loc_918594
		test	eax, eax
		jz	loc_7FD8DA
		mov	esi, 0C00000E5h
		jmp	loc_7FD8DA
; END OF FUNCTION CHUNK	FOR _CmOpenDeviceInterfaceRegKey
; 
; START	OF FUNCTION CHUNK FOR _CmOpenDeviceInterfaceRegKeyWorker

loc_9185D7:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+58j
		mov	edi, 258h
		mov	[ebp+var_14], edi
		jmp	loc_7FD960
; 

loc_9185E4:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+72j
		mov	esi, 0C0000017h
		jmp	loc_7FD99F
; 

loc_9185EE:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+127j
		push	1
		lea	eax, [ebp+var_30]
		push	eax
		push	(offset	loc_404F87+1)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_7FDA3C
		mov	[ebp+var_18], 0Eh
		lea	eax, [edi+56h]
		jmp	loc_7FDA39
; 

loc_918615:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+D1j
					; _CmOpenDeviceInterfaceRegKeyWorker+DBj
		mov	edi, [ebp+var_4]

loc_918618:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+38j
					; _CmOpenDeviceInterfaceRegKeyWorker+44j ...
		mov	esi, 0C000000Dh
		jmp	loc_7FDA87
; 

loc_918622:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+ACj
		mov	edi, [ebp+var_4]
		mov	[ebp+arg_4], edi
		test	ebx, ebx
		jnz	short loc_918630
		xor	ecx, ecx
		jmp	short loc_918633
; 

loc_918630:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AD28j
		mov	ecx, [ebx+74h]

loc_918633:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AD2Cj
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		push	2000000h
		call	__SysCtxRegOpenCurrentUserKey@16 ; _SysCtxRegOpenCurrentUserKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_918784
		mov	eax, [ebp+var_C]
		jmp	loc_7FDA57
; 

loc_918655:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+15Aj
		xor	ecx, ecx
		jmp	loc_7FDA65
; 

loc_91865C:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+177j
		cmp	eax, 0C000017Ch
		jz	short loc_91868E
		mov	edx, 0C0000034h
		cmp	eax, edx
		jnz	short loc_918698
		cmp	byte ptr [ebp+arg_C], 0
		mov	eax, [ebp+arg_0]
		movzx	ecx, al
		jnz	short loc_9186A6
		cmp	ecx, 30h
		jnz	short loc_91869F
		test	eax, 0F00h
		jnz	short loc_91869F
		mov	esi, 0C00002B9h
		jmp	loc_7FDA87
; 

loc_91868E:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AD5Fj
					; _CmOpenDeviceInterfaceRegKeyWorker+11AE26j
		mov	esi, 0C00000E5h
		jmp	loc_7FDA87
; 

loc_918698:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AD68j
					; _CmOpenDeviceInterfaceRegKeyWorker+11AE2Ej ...
		mov	esi, eax
		jmp	loc_7FDA87
; 

loc_91869F:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AD79j
					; _CmOpenDeviceInterfaceRegKeyWorker+11AD80j
		mov	esi, edx
		jmp	loc_7FDA87
; 

loc_9186A6:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AD74j
		cmp	ecx, 30h
		jnz	short loc_9186B2
		test	eax, 0F00h
		jz	short loc_9186D6

loc_9186B2:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11ADA7j
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_1C]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	1
		push	ecx
		push	30h
		mov	ecx, ebx
		call	_CmOpenDeviceInterfaceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_7FDA87
		mov	eax, [ebp+arg_0]

loc_9186D6:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11ADAEj
		lea	ecx, [ebp+var_10]
		mov	edx, eax
		push	ecx
		mov	ecx, ebx
		call	__CmGetDeviceInterfaceRegKeySecurityDescriptor@12 ; _CmGetDeviceInterfaceRegKeySecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7FDA87
		cmp	[ebp+var_10], 0
		mov	eax, 0E0006h
		jnz	short loc_9186FB
		mov	eax, [ebp+arg_8]

loc_9186FB:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11ADF4j
		mov	[ebp+arg_C], eax
		test	ebx, ebx
		jnz	short loc_918706
		xor	ecx, ecx
		jmp	short loc_918709
; 

loc_918706:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11ADFEj
		mov	ecx, [ebx+74h]

loc_918709:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AE02j
		push	[ebp+arg_14]
		lea	edx, [ebp+var_8]
		push	edx
		mov	edx, [ebp+var_10]
		push	ecx
		push	edx
		mov	edx, [ebp+var_24]
		push	eax
		push	0
		push	[ebp+arg_4]
		call	__SysCtxRegCreateTree@36 ; _SysCtxRegCreateTree(x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jz	loc_91868E
		test	eax, eax
		js	loc_918698
		mov	eax, [ebp+arg_8]
		cmp	[ebp+arg_C], eax
		jnz	short loc_91874F
		mov	edx, [ebp+arg_10]
		mov	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		mov	[edx], eax
		jmp	loc_7FDA87
; 

loc_91874F:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AE3Aj
		test	ebx, ebx
		jnz	short loc_918757
		xor	ecx, ecx
		jmp	short loc_91875A
; 

loc_918757:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AE4Fj
		mov	ecx, [ebx+74h]

loc_91875A:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AE53j
		mov	edx, [ebp+arg_10]
		push	edx
		mov	edx, [ebp+var_8]
		push	eax
		push	0
		push	0
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jnz	short loc_91877C
		mov	esi, 0C0000034h
		jmp	loc_7FDA87
; 

loc_91877C:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11AE6Ej
		test	eax, eax
		js	loc_918698

loc_918784:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+9Fj
					; _CmOpenDeviceInterfaceRegKeyWorker+C2j ...
		mov	edi, [ebp+var_4]
		jmp	loc_7FDA87
; 

loc_91878C:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+189j
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7FDA91
; 

loc_918799:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+193j
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7FDA9B
; 

loc_9187A6:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+19Dj
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7FDAA5
; 

loc_9187B3:				; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+1A8j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7FDAB0
; END OF FUNCTION CHUNK	FOR _CmOpenDeviceInterfaceRegKeyWorker
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceInterfaceRegKeyPath

loc_9187C0:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+82j
		mov	esi, 0C0000017h
		jmp	loc_7FDC69
; 

loc_9187CA:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+AFj
		cmp	[ebp+arg_4], 0
		jnz	short loc_9187F2
		lea	ecx, [ebp+var_58]
		lea	eax, [ecx+2]
		mov	[ebp+var_5C], eax

loc_9187D9:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+11ACE1j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_68]
		jnz	short loc_9187D9
		sub	ecx, [ebp+var_5C]
		sar	ecx, 1
		lea	eax, [ecx+63h]
		jmp	loc_7FDBD4
; 

loc_9187F2:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+11ACCCj
		cmp	[ebp+arg_4], 0FFFFFFFFh
		jz	short loc_91881A
		lea	ecx, [ebp+var_58]
		lea	eax, [ecx+2]
		mov	[ebp+var_5C], eax

loc_918801:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+11AD09j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_68]
		jnz	short loc_918801
		sub	ecx, [ebp+var_5C]
		sar	ecx, 1
		lea	eax, [ecx+60h]
		jmp	loc_7FDBD4
; 

loc_91881A:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+11ACF4j
		mov	esi, 0C000000Dh
		jmp	loc_7FDC5C
; 

loc_918824:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+F7j
					; _CmGetDeviceInterfaceRegKeyPath+193j
		mov	esi, 0C000000Dh
		jmp	loc_7FDC08
; 

loc_91882E:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+124j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_918863
		push	ebx
		lea	eax, [ebp+var_58]
		push	eax
		push	(offset	loc_8C91DD+1)
		push	(offset	loc_8C8FD1+1) ;	char
		push	offset ??_C@_1BI@GNPPDLIB@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; wchar_t *
		push	800h		; int
		xor	eax, eax
		push	eax		; int
		push	eax		; int
		push	edi		; int
		push	[ebp+var_64]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 28h
		jmp	loc_7FDC50
; 

loc_918863:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+11AD31j
		cmp	eax, 0FFFFFFFFh
		jz	loc_7FDC56
		push	ebx
		lea	ecx, [ebp+var_58]
		push	ecx
		push	(offset	loc_8C91DD+1)
		push	eax
		push	offset ??_C@_1FG@MPFEKKOF@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; char
		push	offset ??_C@_1CC@NAAEOCPD@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF@NNGAKEGL@ ; wchar_t *
		push	800h		; int
		xor	eax, eax
		push	eax		; int
		push	eax		; int
		push	edi		; int
		push	[ebp+var_64]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 2Ch
		jmp	loc_7FDC50
; 

loc_91889B:				; CODE XREF: _CmGetDeviceInterfaceRegKeyPath+32j
					; _CmGetDeviceInterfaceRegKeyPath+3Dj
		mov	esi, 0C000000Dh
		jmp	loc_7FDC5E
; END OF FUNCTION CHUNK	FOR _CmGetDeviceInterfaceRegKeyPath
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceInterfaceMappedPropertyFromComposite

loc_9188A5:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+2Dj
		mov	edi, ecx
		jmp	loc_7FDD1E
; 

loc_9188AC:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+49j
		mov	esi, 0C0000230h
		jmp	loc_7FDD75
; 

loc_9188B6:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+84j
		mov	esi, 0C0000023h
		jmp	loc_7FDD75
; 

loc_9188C0:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+A1j
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceInterface_ReferenceString	; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7FDD75
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		push	eax
		shr	edi, 1
		push	edi
		push	ebx
		call	_CmGetDeviceInterfaceReferenceString
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_9188FC
		mov	esi, 0C0000225h
		jmp	loc_7FDD75
; 

loc_9188FC:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+11AC10j
		test	esi, esi
		jz	short loc_91890C
		cmp	esi, 0C0000023h
		jnz	loc_7FDD75

loc_91890C:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+11AC1Ej
		mov	eax, [ebp+var_10]
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		jns	short loc_91892C
		mov	esi, 0C00000E5h
		jmp	loc_7FDD75
; 

loc_91892C:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+11AC40j
		mov	ecx, [ebp+arg_14]
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 12h
		jmp	loc_7FDD75
; 

loc_918942:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+D6j
		mov	esi, 0C0000017h
		jmp	loc_7FDD75
; 

loc_91894C:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+13Dj
		mov	esi, 0C0000225h
		jmp	loc_7FDE23
; 

loc_918956:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+10Dj
		mov	esi, 0C0000225h
		jmp	loc_7FDE9A
; 

loc_918960:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyFromComposite+14Dj
		cmp	esi, 0C0000023h
		jnz	loc_7FDD75
		jmp	loc_7FDE33
; END OF FUNCTION CHUNK	FOR _CmGetDeviceInterfaceMappedPropertyFromComposite
; 
; START	OF FUNCTION CHUNK FOR DrvDbDispatchDriverPackage

loc_918971:				; CODE XREF: DrvDbDispatchDriverPackage+31j
		test	eax, eax
		jnz	short loc_91897F
		mov	eax, 0C0000467h
		jmp	loc_7FDFD1
; 

loc_91897F:				; CODE XREF: DrvDbDispatchDriverPackage+11AA01j
		cmp	ecx, 2
		jz	short loc_9189A3
		jle	loc_7FDFA9
		cmp	ecx, 4
		jle	short loc_9189A9
		cmp	ecx, 6
		jle	short loc_9189B0
		cmp	ecx, 8
		jz	short loc_9189B0
		cmp	ecx, 9
		jz	short loc_9189A9
		jmp	loc_7FDFA9
; 

loc_9189A3:				; CODE XREF: DrvDbDispatchDriverPackage+11AA10j
		cmp	byte ptr [edi+4], 0
		jz	short loc_9189B0

loc_9189A9:				; CODE XREF: DrvDbDispatchDriverPackage+11AA1Bj
					; DrvDbDispatchDriverPackage+11AA2Aj
		shr	eax, 1Eh
		and	al, 1
		jmp	short loc_9189B3
; 

loc_9189B0:				; CODE XREF: DrvDbDispatchDriverPackage+11AA20j
					; DrvDbDispatchDriverPackage+11AA25j ...
		shr	eax, 1Fh

loc_9189B3:				; CODE XREF: DrvDbDispatchDriverPackage+11AA3Cj
		test	al, al
		jnz	loc_7FDFA9
		mov	eax, 0C0000022h
		jmp	loc_7FDFD1
; 

loc_9189C5:				; CODE XREF: DrvDbDispatchDriverPackage+3Dj
					; DATA XREF: PAGE:off_7FE006o
		mov	edx, [ebp+arg_4] ; case	0x0
		call	_DrvDbValidateDriverInfFileName@8 ; DrvDbValidateDriverInfFileName(x,x)
		jmp	loc_7FDFD1
; 

loc_9189D2:				; CODE XREF: DrvDbDispatchDriverPackage+3Dj
					; DATA XREF: PAGE:off_7FE006o
		mov	edx, [ebp+arg_4] ; case	0x2
		lea	eax, [edi+8]
		push	eax
		lea	eax, [edi+4]
		mov	ecx, ebx
		push	eax
		push	dword ptr [edi]
		call	_DrvDbCreateDriverPackage@20 ; DrvDbCreateDriverPackage(x,x,x,x,x)
		jmp	loc_7FDFD1
; 

loc_9189EB:				; CODE XREF: DrvDbDispatchDriverPackage+3Dj
					; DATA XREF: PAGE:off_7FE006o
		push	0		; case 0x3
		push	[ebp+arg_4]
		mov	ecx, ebx
		push	2
		pop	edx
		call	_DrvDbDeleteObjectRegKey@16 ; DrvDbDeleteObjectRegKey(x,x,x,x)
		jmp	loc_7FDFD1
; 

loc_9189FF:				; CODE XREF: DrvDbDispatchDriverPackage+3Dj
					; DATA XREF: PAGE:off_7FE006o
		mov	eax, [edi+10h]	; case 0x4
		mov	ecx, [edi+0Ch]
		mov	edx, [edi+8]
		mov	esi, [edi+4]
		mov	edi, [edi]
		push	0
		push	eax
		push	ecx
		push	edx
		push	esi
		push	edi
		push	2
		pop	edx
		mov	ecx, ebx
		call	_DrvDbGetObjectList@32 ; DrvDbGetObjectList(x,x,x,x,x,x,x,x)
		jmp	loc_7FDFD1
; 

loc_918A23:				; CODE XREF: DrvDbDispatchDriverPackage+3Dj
					; DATA XREF: PAGE:off_7FE006o
		push	dword ptr [edi+14h] ; case 0x5
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		push	dword ptr [edi+10h]
		push	dword ptr [edi+0Ch]
		push	dword ptr [edi]
		call	_DrvDbGetDriverPackageMappedPropertyKeys@24 ; DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)
		jmp	loc_7FDFD1
; 

loc_918A3D:				; CODE XREF: DrvDbDispatchDriverPackage+3Dj
					; DATA XREF: PAGE:off_7FE006o
		push	dword ptr [edi+14h] ; case 0x8
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		push	dword ptr [edi+10h] ; wchar_t *
		push	dword ptr [edi+0Ch] ; int
		push	dword ptr [edi+8] ; void *
		push	dword ptr [edi]	; int
		call	_DrvDbSetDriverPackageMappedProperty@28	; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)
		jmp	loc_7FDFD1
; END OF FUNCTION CHUNK	FOR DrvDbDispatchDriverPackage
; 
; START	OF FUNCTION CHUNK FOR DrvDbGetDriverPackageMappedProperty

loc_918A5A:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+325j
		mov	eax, [ebp+arg_10]
		mov	ecx, [esp+60h+var_48]
		push	edi		; int
		shr	eax, 1
		push	eax		; int
		push	[ebp+arg_C]	; void *
		mov	dword ptr [ebx], 12h
		push	[esp+6Ch+var_44] ; int
		push	2
		pop	edx
		call	_DrvDbGetObjectDatabaseNodeName@24 ; DrvDbGetObjectDatabaseNodeName(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_918A88
		cmp	esi, 0C0000023h
		jnz	short loc_918A8A

loc_918A88:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AA2Aj
		shl	dword ptr [edi], 1

loc_918A8A:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AA32j
		test	esi, esi
		jns	loc_7FE26C

loc_918A92:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+353j
		mov	ebx, [esp+60h+var_20]
		jmp	loc_7FE251
; 

loc_918A9B:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+75j
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_Configurable ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7FE37F
		mov	eax, [ebp+arg_0]
		xor	ebx, ebx
		inc	ebx
		test	eax, eax
		jnz	short loc_918AE7
		xor	ecx, ecx
		lea	eax, [esp+60h+var_4C]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [esp+70h+var_48]
		xor	edx, edx
		push	ebx
		push	[esp+74h+var_44]
		push	2
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_7FE26C
		mov	eax, [esp+60h+var_4C]

loc_918AE7:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AA67j
		mov	ecx, [ebp+arg_8]
		mov	edx, [esp+60h+var_44]
		push	edi		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		push	ecx		; int
		mov	ecx, [esp+70h+var_48]
		push	offset _DEVPKEY_DriverPackage_ConfigurableOverride ; void *
		push	eax		; int
		call	DrvDbGetDriverPackageMappedProperty
		mov	esi, eax
		test	esi, esi
		jns	loc_7FE26C
		mov	edi, 0C0000023h
		cmp	esi, edi
		jz	loc_7FE26C
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_918B27
		mov	ecx, [esp+60h+var_4C]

loc_918B27:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AACDj
		mov	eax, [ebp+arg_14]
		mov	edx, [esp+60h+var_44]
		push	eax		; int
		push	4		; int
		lea	eax, [esp+68h+var_30]
		push	eax		; void *
		push	[ebp+arg_8]	; int
		push	offset _DEVPKEY_DriverPackage_ConfigurableFlags	; void *
		push	ecx		; int
		mov	ecx, [esp+78h+var_48]
		call	DrvDbGetDriverPackageMappedProperty
		mov	esi, eax
		cmp	esi, edi
		jz	short loc_918B6C
		test	esi, esi
		js	loc_7FE26C
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_14]
		cmp	dword ptr [ecx], 7
		jnz	short loc_918B76
		cmp	dword ptr [eax], 4
		jnz	short loc_918B76
		mov	edx, [esp+60h+var_30]
		jmp	short loc_918B7D
; 

loc_918B6C:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AAF8j
					; DrvDbGetDriverPackageMappedProperty+11AFE9j ...
		mov	esi, 0C00000E5h
		jmp	loc_7FE26C
; 

loc_918B76:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AB0Bj
					; DrvDbGetDriverPackageMappedProperty+11AB10j
		or	edx, 0FFFFFFFFh
		mov	[esp+60h+var_30], edx

loc_918B7D:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AB16j
		mov	dword ptr [ecx], 11h
		mov	ecx, [ebp+arg_C]
		mov	[eax], ebx
		test	ecx, ecx
		jz	short loc_918B9F
		cmp	[ebp+arg_10], ebx
		jb	short loc_918B9F
		test	edx, edx
		setnz	al
		dec	al
		mov	[ecx], al
		jmp	loc_7FE26C
; 

loc_918B9F:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AB36j
					; DrvDbGetDriverPackageMappedProperty+11AB3Bj ...
		mov	esi, edi
		jmp	loc_7FE26C
; 

loc_918BA6:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+7Ej
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_FamilyId ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7FE37F
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		inc	ebx
		test	esi, esi
		jnz	short loc_918BF1
		xor	ecx, ecx
		lea	eax, [esp+60h+var_4C]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [esp+70h+var_48]
		xor	edx, edx
		push	ebx
		push	[esp+74h+var_44]
		push	2
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_7FE26C
		mov	esi, [ebp+arg_0]

loc_918BF1:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AB72j
		push	42444450h
		push	412h
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+60h+var_3C], eax
		test	eax, eax
		jz	short loc_918C7E
		test	esi, esi
		jnz	short loc_918C11
		mov	esi, [esp+60h+var_4C]

loc_918C11:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11ABB7j
		mov	edx, [esp+60h+var_44]
		mov	ecx, [esp+60h+var_48]
		push	edi		; int
		push	412h		; int
		push	eax		; void *
		push	[ebp+arg_8]	; int
		push	offset _DEVPKEY_DriverPackage_ProviderName ; void *
		push	esi		; int
		call	DrvDbGetDriverPackageMappedProperty
		mov	esi, eax
		mov	edi, 0C0000023h
		cmp	esi, edi
		jz	short loc_918C88
		test	esi, esi
		js	loc_7FE25E
		mov	ecx, [ebp+arg_8]
		cmp	dword ptr [ecx], 12h
		jnz	loc_918DD9
		mov	ebx, [ebp+arg_14]
		mov	edx, [ebx]
		lea	eax, [edx-2]
		cmp	eax, 206h
		ja	loc_918DD9
		shr	edx, 1
		xor	eax, eax
		dec	edx
		lea	esi, [edx+edx]
		mov	edx, [esp+60h+var_3C]
		mov	[esp+60h+var_40], esi
		cmp	[esi+edx], ax
		jz	short loc_918C92
		lea	esi, [edi-22h]
		jmp	loc_7FE260
; 

loc_918C7E:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+168j
					; DrvDbGetDriverPackageMappedProperty+11ABB3j
		mov	esi, 0C0000017h
		jmp	loc_7FE26C
; 

loc_918C88:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11ABE3j
					; DrvDbGetDriverPackageMappedProperty+11ACB3j
		mov	esi, 0C00000E5h
		jmp	loc_7FE25E
; 

loc_918C92:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AC20j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_918C9D
		mov	eax, [esp+60h+var_4C]

loc_918C9D:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AC43j
		mov	[esp+60h+var_2C], eax
		add	edx, 2
		push	ebx		; int
		mov	eax, 410h
		add	edx, esi
		sub	eax, esi
		mov	[esp+64h+var_28], edx
		push	eax		; int
		push	edx		; void *
		mov	edx, [esp+6Ch+var_44]
		push	ecx		; int
		mov	ecx, [esp+70h+var_48]
		push	offset _DEVPKEY_DriverPackage_OriginalInfName ;	void *
		push	[esp+74h+var_2C] ; int
		mov	[esp+78h+var_20], eax
		call	DrvDbGetDriverPackageMappedProperty
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	short loc_918D05
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_918CE4
		mov	eax, [esp+60h+var_4C]

loc_918CE4:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AC8Aj
		mov	edx, [esp+60h+var_44]
		mov	ecx, [esp+60h+var_48]
		push	ebx		; int
		push	[esp+64h+var_20] ; int
		push	[esp+68h+var_28] ; void	*
		push	[ebp+arg_8]	; int
		push	offset _DEVPKEY_DriverPackage_DriverInfName ; void *
		push	eax		; int
		call	DrvDbGetDriverPackageMappedProperty
		mov	esi, eax

loc_918D05:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AC83j
		cmp	esi, edi
		jz	loc_918C88
		test	esi, esi
		js	loc_7FE25E
		mov	ecx, [ebp+arg_8]
		cmp	dword ptr [ecx], 12h
		jnz	loc_918DD9
		mov	eax, [ebx]
		sub	eax, 2
		cmp	eax, 206h
		ja	loc_918DD9
		mov	eax, [esp+60h+var_3C]
		mov	edx, [esp+60h+var_40]
		push	2Dh
		pop	ebx
		mov	[esp+60h+var_28], eax
		mov	[edx+eax], bx
		movzx	ebx, word ptr [eax]
		mov	[esp+60h+var_20], ebx
		test	bx, bx
		jz	short loc_918D98
		mov	ecx, [esp+60h+var_28]
		mov	eax, ebx
		push	20h
		pop	edi
		push	2Dh
		movzx	edx, ax
		pop	ebx

loc_918D5F:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AD32j
		cmp	dx, di
		jz	short loc_918D75
		cmp	dx, bx
		jz	short loc_918D75
		cmp	dx, 7Eh
		jz	short loc_918D75
		cmp	dx, 3Ah
		jnz	short loc_918D7B

loc_918D75:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AD0Ej
					; DrvDbGetDriverPackageMappedProperty+11AD13j ...
		push	5Fh
		pop	eax
		mov	[ecx], ax

loc_918D7B:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AD1Fj
		add	ecx, 2
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		test	ax, ax
		jnz	short loc_918D5F
		mov	ecx, [ebp+arg_8]
		mov	edi, 0C0000023h
		mov	eax, [esp+60h+var_3C]
		mov	edx, [esp+60h+var_40]

loc_918D98:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11ACFAj
		push	2Dh
		pop	ebx
		mov	[edx+eax], bx
		mov	ebx, [ebp+arg_14]
		mov	dword ptr [ecx], 12h
		mov	eax, [ebx]
		add	eax, 2
		add	eax, edx
		cmp	[ebp+arg_C], 0
		mov	[ebx], eax
		jz	short loc_918DD2
		cmp	[ebp+arg_10], eax
		jb	short loc_918DD2
		mov	edx, [esp+60h+var_3C]
		push	eax		; size_t
		push	edx		; void *
		push	[ebp+arg_C]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_7FE25E
; 

loc_918DD2:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AD61j
					; DrvDbGetDriverPackageMappedProperty+11AD66j
		mov	esi, edi
		jmp	loc_7FE25E
; 

loc_918DD9:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11ABF3j
					; DrvDbGetDriverPackageMappedProperty+11AC06j ...
		mov	esi, 0C0000001h
		jmp	loc_7FE25E
; 

loc_918DE3:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+87j
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_Configurations ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_918E1B
		mov	eax, [ebp+arg_4]
		mov	ecx, [esp+60h+var_40]
		jmp	loc_7FE0E1
; 

loc_918E03:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+90j
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_ConfigurationScopes ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7FE37F

loc_918E1B:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11ADA1j
		mov	edx, [ebp+arg_0]
		xor	ebx, ebx
		inc	ebx
		test	edx, edx
		jnz	short loc_918E4D
		xor	ecx, ecx
		lea	eax, [esp+60h+var_4C]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [esp+70h+var_48]
		push	ebx
		push	[esp+74h+var_44]
		push	2
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_7FE26C
		mov	edx, [esp+60h+var_4C]

loc_918E4D:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11ADCFj
		mov	eax, [esp+60h+var_48]
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_918E5B
		mov	ecx, eax
		jmp	short loc_918E5E
; 

loc_918E5B:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AE01j
		mov	ecx, [eax+74h]

loc_918E5E:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AE05j
		lea	eax, [esp+60h+var_34]
		push	eax
		push	9
		xor	eax, eax
		push	eax
		push	offset ??_C@_1BO@LGEPHCPO@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_918E81
		mov	esi, 0C0000225h

loc_918E81:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AE26j
		test	esi, esi
		js	loc_7FE26C
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		xor	ecx, ecx
		mov	[esp+60h+var_7], ax
		mov	eax, [ebp+arg_C]
		mov	[esp+60h+var_5], cl
		cmp	dword ptr [esi+10h], 1Eh
		mov	[esp+60h+var_14], eax
		mov	[esp+60h+var_C], ecx
		mov	[esp+60h+var_4], ecx
		jnz	short loc_918EC8
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_ConfigurationScopes ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		mov	[esp+60h+var_8], bl
		xor	ecx, ecx
		test	eax, eax
		jz	short loc_918ECC

loc_918EC8:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AE58j
		mov	[esp+60h+var_8], cl

loc_918ECC:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AE72j
		cmp	[ebp+arg_C], 0
		jz	short loc_918EDD
		mov	eax, [ebp+arg_10]
		shr	eax, 1
		mov	[esp+60h+var_10], eax
		jmp	short loc_918EE1
; 

loc_918EDD:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AE7Cj
		mov	[esp+60h+var_10], ecx

loc_918EE1:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AE87j
		mov	edx, [esp+60h+var_34]
		lea	eax, [esp+60h+var_14]
		push	eax
		mov	eax, [esp+64h+var_48]
		push	offset _DrvDbGetConfigurationSubKeyCallback@16 ; DrvDbGetConfigurationSubKeyCallback(x,x,x,x)
		mov	ecx, [eax]
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_918F14
		cmp	[esp+60h+var_4], 0
		jge	loc_7FE26C
		mov	esi, [esp+60h+var_4]
		jmp	loc_7FE26C
; 

loc_918F14:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AEAAj
		mov	ecx, [esp+60h+var_C]
		test	ecx, ecx
		jnz	short loc_918F26
		mov	esi, 0C0000225h
		jmp	loc_7FE26C
; 

loc_918F26:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AEC6j
		mov	eax, [ebp+arg_8]
		inc	ecx
		mov	esi, [esp+60h+var_4]
		mov	[esp+60h+var_C], ecx
		mov	dword ptr [eax], 2012h
		lea	edx, [ecx+ecx]
		mov	eax, [esp+60h+var_14]
		mov	[edi], edx
		test	eax, eax
		jz	short loc_918F56
		cmp	edx, [ebp+arg_10]
		ja	short loc_918F56
		xor	edx, edx
		mov	[eax+ecx*2-2], dx
		jmp	loc_7FE26C
; 

loc_918F56:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AEEFj
					; DrvDbGetDriverPackageMappedProperty+11AEF4j
		mov	esi, 0C0000023h
		jmp	loc_7FE26C
; 

loc_918F60:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+99j
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_DriverPackageId ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7FE37F
		mov	edx, [esp+60h+var_44]
		mov	ecx, edx
		mov	dword ptr [ebx], 12h
		lea	ebx, [ecx+2]

loc_918F87:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AF3Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+60h+var_1C]
		jnz	short loc_918F87
		sub	ecx, ebx
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]
		mov	[edi], ecx
		cmp	[ebp+arg_C], esi
		jz	short loc_918FBD
		cmp	[ebp+arg_10], ecx
		jb	short loc_918FBD
		push	ecx		; size_t
		push	edx		; void *
		push	[ebp+arg_C]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_7FE287
; 

loc_918FBD:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AF50j
					; DrvDbGetDriverPackageMappedProperty+11AF55j
		mov	esi, 0C0000023h
		jmp	loc_7FE287
; 

loc_918FC7:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+A2j
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_Integrated ; void	*
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7FE37F
		mov	eax, [ebp+arg_0]
		xor	ebx, ebx
		inc	ebx
		test	eax, eax
		jnz	short loc_919017
		lea	eax, [esp+60h+var_2C]
		xor	ecx, ecx
		push	eax
		push	ecx
		lea	eax, [esp+68h+var_4C]
		xor	edx, edx
		push	eax
		push	ecx
		mov	ecx, [esp+70h+var_48]
		push	ebx
		push	[esp+74h+var_44]
		push	2
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_7FE26C
		mov	eax, [esp+60h+var_4C]

loc_919017:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AF93j
		mov	edx, [esp+60h+var_44]
		lea	ecx, [esp+13h]
		push	edi		; int
		push	ebx		; int
		push	ecx		; void *
		push	[ebp+arg_8]	; int
		mov	ecx, [esp+70h+var_48]
		push	offset _DEVPKEY_DriverPackage_Inbox ; void *
		push	eax		; int
		call	DrvDbGetDriverPackageMappedProperty
		mov	esi, eax
		mov	edi, 0C0000023h
		cmp	esi, edi
		jz	loc_918B6C
		cmp	esi, 0C0000225h
		jnz	short loc_919053
		xor	eax, eax
		mov	esi, eax
		mov	cl, al
		jmp	short loc_9190C1
; 

loc_919053:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AFF5j
		test	esi, esi
		js	loc_7FE26C
		mov	eax, [ebp+arg_8]
		cmp	dword ptr [eax], 11h
		jnz	short loc_919070
		mov	eax, [ebp+arg_14]
		cmp	[eax], ebx
		jnz	short loc_919070
		mov	cl, [esp+60h+var_4D]
		jmp	short loc_919077
; 

loc_919070:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11B00Dj
					; DrvDbGetDriverPackageMappedProperty+11B014j
		or	cl, 0FFh
		mov	[esp+60h+var_4D], cl

loc_919077:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11B01Aj
		test	cl, cl
		jz	short loc_9190C5
		cmp	[esp+60h+var_4C], 0
		jnz	short loc_9190B0
		lea	eax, [esp+60h+var_2C]
		xor	ecx, ecx
		push	eax
		push	ecx
		lea	eax, [esp+68h+var_4C]
		xor	edx, edx
		push	eax
		push	ecx
		mov	ecx, [esp+70h+var_48]
		push	ebx
		push	[esp+74h+var_44]
		push	2
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_7FE26C
		mov	cl, [esp+60h+var_4D]

loc_9190B0:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11B02Cj
		mov	eax, [esp+60h+var_2C]
		mov	al, [eax+1Ch]
		and	al, 10h
		neg	al
		sbb	al, al
		not	al
		and	cl, al

loc_9190C1:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11AFFDj
		mov	[esp+60h+var_4D], cl

loc_9190C5:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11B025j
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 11h
		mov	eax, [ebp+arg_14]
		mov	[eax], ebx
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	loc_918B9F
		cmp	[ebp+arg_10], ebx
		jb	loc_918B9F
		mov	[eax], cl
		jmp	loc_7FE26C
; 

loc_9190EE:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+ABj
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_Primitive	; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_7FE37F
		mov	eax, [ebp+arg_0]
		xor	ebx, ebx
		inc	ebx
		test	eax, eax
		jnz	short loc_91913A
		xor	ecx, ecx
		lea	eax, [esp+60h+var_4C]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [esp+70h+var_48]
		xor	edx, edx
		push	ebx
		push	[esp+74h+var_44]
		push	2
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_7FE26C
		mov	eax, [esp+60h+var_4C]

loc_91913A:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11B0BAj
		mov	edx, [esp+60h+var_44]
		lea	ecx, [esp+60h+var_38]
		push	edi		; int
		push	4		; int
		push	ecx		; void *
		push	[ebp+arg_8]	; int
		mov	ecx, [esp+70h+var_48]
		push	offset _DEVPKEY_DriverPackage_PrimitiveFlags ; void *
		push	eax		; int
		call	DrvDbGetDriverPackageMappedProperty
		mov	esi, eax
		mov	edi, 0C0000023h
		cmp	esi, edi
		jz	loc_918B6C
		cmp	esi, 0C0000225h
		jnz	short loc_9191AA
		xor	eax, eax
		mov	esi, eax

loc_919173:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11B164j
					; DrvDbGetDriverPackageMappedProperty+11B16Cj
		or	ecx, 0FFFFFFFFh
		mov	[esp+60h+var_38], ecx

loc_91917A:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11B172j
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+arg_C]
		mov	dword ptr [eax], 11h
		mov	eax, [ebp+arg_14]
		mov	[eax], ebx
		test	edx, edx
		jz	loc_918B9F
		cmp	[ebp+arg_10], ebx
		jb	loc_918B9F
		test	ecx, ecx
		setnz	al
		dec	al
		mov	[edx], al
		jmp	loc_7FE26C
; 

loc_9191AA:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+11B119j
		test	esi, esi
		js	loc_7FE26C
		mov	eax, [ebp+arg_8]
		cmp	dword ptr [eax], 7
		jnz	short loc_919173
		mov	eax, [ebp+arg_14]
		cmp	dword ptr [eax], 4
		jnz	short loc_919173
		mov	ecx, [esp+60h+var_38]
		jmp	short loc_91917A
; 

loc_9191C8:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+195j
		mov	esi, 0C0000225h
		jmp	loc_7FE251
; 

loc_9191D2:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+1A2j
		mov	esi, 0C00000E5h
		jmp	loc_7FE251
; 

loc_9191DC:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+1DAj
					; DrvDbGetDriverPackageMappedProperty+1E3j
		mov	esi, edi
		jmp	loc_7FE251
; 

loc_9191E3:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+1B1j
					; DrvDbGetDriverPackageMappedProperty+1BCj
		mov	esi, 0C0000001h
		jmp	loc_7FE251
; 

loc_9191ED:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+26Aj
		cmp	esi, edi
		jnz	loc_7FE26C
		jmp	loc_7FE2C4
; 

loc_9191FA:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+212j
		push	eax
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7FE26C
; 

loc_919206:				; CODE XREF: DrvDbGetDriverPackageMappedProperty+21Dj
		push	[esp+60h+var_34]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_7FE277
; END OF FUNCTION CHUNK	FOR DrvDbGetDriverPackageMappedProperty
; 
; START	OF FUNCTION CHUNK FOR IopDeviceInterfaceFilterCallback

loc_919214:				; CODE XREF: IopDeviceInterfaceFilterCallback+34j
		push	eax
		lea	eax, [esp+24h+var_8]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_7FE408
		push	[ebp+arg_4]
		lea	eax, [esp+24h+var_10]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_7FE408
		push	1
		lea	eax, [esp+24h+var_10]
		push	eax
		lea	eax, [esp+28h+var_8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		cmp	al, 1
		jz	loc_7FE408
		jmp	loc_7FE3E6
; END OF FUNCTION CHUNK	FOR IopDeviceInterfaceFilterCallback
; 
; START	OF FUNCTION CHUNK FOR PiDqQueryEnumObject

loc_91925A:				; CODE XREF: PiDqQueryEnumObject+4Fj
					; PiDqQueryEnumObject+5Bj
		xor	cl, cl
		xor	esi, esi
		mov	byte ptr [ebp+var_1], cl
		jmp	loc_7FE56B
; END OF FUNCTION CHUNK	FOR PiDqQueryEnumObject
; 
; START	OF FUNCTION CHUNK FOR SepIsImpersonationAllowedDueToCapability

loc_919266:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+2Dj
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	eax
		push	eax
		mov	eax, _SeDefaultAccountAliasSid
		mov	ecx, esi
		push	eax
		mov	[ebp+var_8], eax
		call	_SepSidInToken@28 ; SepSidInToken(x,x,x,x,x,x,x)
		mov	bl, al
		test	bl, bl
		jz	short loc_9192A9
		push	esi
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		test	al, al
		jz	short loc_9192A3
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	1
		push	eax
		push	[ebp+var_8]
		mov	ecx, esi
		call	_SepSidInToken@28 ; SepSidInToken(x,x,x,x,x,x,x)
		mov	bl, al

loc_9192A3:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+11AC82j
		test	bl, bl
		jz	short loc_9192A9
		mov	bh, 1

loc_9192A9:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+11AC78j
					; SepIsImpersonationAllowedDueToCapability+11AC9Bj
		cmp	ds:_SepAllowSessionImpersonationCap, 0
		jz	short loc_919309
		test	dword ptr [esi+0B0h], 4000h
		jnz	short loc_919309
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	eax
		push	eax
		mov	eax, _SeSessionImpersonationCapabilityGroupSid
		mov	ecx, esi
		push	eax
		mov	[ebp+var_8], eax
		call	_SepSidInToken@28 ; SepSidInToken(x,x,x,x,x,x,x)
		mov	bl, al
		test	bl, bl
		jz	short loc_9192FF
		push	esi
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		test	al, al
		jz	short loc_9192FB
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	1
		push	eax
		push	[ebp+var_8]
		mov	ecx, esi
		call	_SepSidInToken@28 ; SepSidInToken(x,x,x,x,x,x,x)
		mov	bl, al

loc_9192FB:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+11ACDAj
		test	bl, bl
		jnz	short loc_919370

loc_9192FF:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+11ACD0j
		test	bh, bh
		jz	short loc_919305
		mov	bl, 1

loc_919305:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+11ACF7j
		test	bl, bl
		jnz	short loc_919370

loc_919309:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+11ACA6j
					; SepIsImpersonationAllowedDueToCapability+11ACB2j
		test	dword ptr [edi+0B0h], 4000h
		jz	loc_7FE63D
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	eax
		push	eax
		mov	eax, _SeConstrainedImpersonationCapabilityGroupSid
		mov	ecx, esi
		push	eax
		mov	[ebp+var_8], eax
		call	_SepSidInToken@28 ; SepSidInToken(x,x,x,x,x,x,x)
		mov	bl, al
		test	bl, bl
		jz	short loc_91935A
		push	esi
		call	_SeTokenIsRestricted@4 ; SeTokenIsRestricted(x)
		test	al, al
		jz	short loc_919356
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	1
		push	eax
		push	[ebp+var_8]
		mov	ecx, esi
		call	_SepSidInToken@28 ; SepSidInToken(x,x,x,x,x,x,x)
		mov	bl, al

loc_919356:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+11AD35j
		test	bl, bl
		jnz	short loc_919364

loc_91935A:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+11AD2Bj
		test	bh, bh
		jz	short loc_919360
		mov	bl, 1

loc_919360:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+11AD52j
		test	bl, bl
		jz	short loc_919377

loc_919364:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+11AD4Ej
		test	dword ptr [esi+0B0h], 4000h
		jnz	short loc_919377

loc_919370:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+11ACF3j
					; SepIsImpersonationAllowedDueToCapability+11ACFDj
		mov	al, 1
		jmp	loc_7FE63F
; 

loc_919377:				; CODE XREF: SepIsImpersonationAllowedDueToCapability+11AD58j
					; SepIsImpersonationAllowedDueToCapability+11AD64j
		xor	eax, eax
		lea	ecx, [esi+1ECh]
		push	eax		; char
		push	eax		; char
		push	1		; char
		push	eax		; char
		push	_SeConstrainedImpersonationCapabilitySid ; void	*
		xor	edx, edx
		call	SepSidInTokenSidHash
		mov	byte ptr [ebp+var_1], al
		test	al, al
		jz	loc_7FE63F
		mov	edx, [edi+1E8h]
		lea	eax, [ebp+var_1]
		push	eax
		push	ecx
		push	dword ptr [edi+1E4h]
		mov	ecx, esi
		call	SepCheckCapabilities
		test	eax, eax
		mov	al, byte ptr [ebp+var_1]
		js	loc_7FE63F
		test	al, al
		jnz	loc_7FE63F
		push	dword ptr [edi+1E0h]
		push	dword ptr [esi+1E0h]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		jmp	loc_7FE63F
; END OF FUNCTION CHUNK	FOR SepIsImpersonationAllowedDueToCapability
; 
; START	OF FUNCTION CHUNK FOR RtlIsMultiSessionSku

loc_9193DD:				; CODE XREF: RtlIsMultiSessionSku+7j
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+28Ch]
		mov	al, [eax+1Ch]
		retn
; END OF FUNCTION CHUNK	FOR RtlIsMultiSessionSku
; 
; START	OF FUNCTION CHUNK FOR _PnpGetObjectList

loc_9193EC:				; CODE XREF: _PnpGetObjectList+A4j
		cmp	eax, 0C0000120h
		jz	loc_7FE719
		test	eax, eax
		jz	loc_7FE70C
		jmp	loc_7FE71E
; END OF FUNCTION CHUNK	FOR _PnpGetObjectList
; 
; START	OF FUNCTION CHUNK FOR PiPnpRtlEndOperation

loc_919404:				; CODE XREF: PiPnpRtlEndOperation+DDj
		cmp	[ecx+4], edi
		jnz	loc_7FEA9B
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	loc_7FEA9B
		mov	[edi], eax
		add	ecx, 0FFFFFFE0h
		mov	[eax+4], edi
		mov	[ebp+var_4], ecx
		call	PiPnpRtlObjectEventRelease
		jmp	loc_7FEA81
; END OF FUNCTION CHUNK	FOR PiPnpRtlEndOperation
; 
; START	OF FUNCTION CHUNK FOR PiPnpRtlObjectEventRelease

loc_91942D:				; CODE XREF: PiPnpRtlObjectEventRelease+2Aj
		lea	eax, [esi+10h]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_7FEAD0
; 

loc_91943B:				; CODE XREF: PiPnpRtlObjectEventRelease+4Fj
		push	41706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7FEAF5
; END OF FUNCTION CHUNK	FOR PiPnpRtlObjectEventRelease
; 
; START	OF FUNCTION CHUNK FOR DrvDbGetObjectDatabaseNode

loc_91944B:				; CODE XREF: DrvDbGetObjectDatabaseNode+A3j
		mov	esi, 0C000003Ah
		jmp	loc_7FEB40
; END OF FUNCTION CHUNK	FOR DrvDbGetObjectDatabaseNode
; 
; START	OF FUNCTION CHUNK FOR _PnpDispatchDeviceInterface

loc_919455:				; CODE XREF: _PnpDispatchDeviceInterface+1Fj
					; DATA XREF: PAGE:off_7FEC8Ao
		mov	ecx, [ebp+arg_10] ; case 0x2
		mov	edx, [ebp+arg_4]
		mov	eax, [ecx+0Ch]
		and	eax, 0FFFF0000h
		push	eax
		lea	eax, [ecx+8]
		push	eax
		lea	eax, [ecx+4]
		push	eax
		push	dword ptr [ecx]
		mov	ecx, [ebp+arg_0]
		call	__CmCreateDeviceInterface@24 ; _CmCreateDeviceInterface(x,x,x,x,x,x)
		jmp	loc_7FEC02
; 

loc_91947B:				; CODE XREF: _PnpDispatchDeviceInterface+1Fj
					; DATA XREF: PAGE:off_7FEC8Ao
		mov	eax, [ebp+arg_10] ; case 0x3
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax]
		and	eax, 0FFFF0000h
		push	eax
		call	__CmDeleteDeviceInterface@12 ; _CmDeleteDeviceInterface(x,x,x)
		jmp	loc_7FEC02
; 

loc_919496:				; CODE XREF: _PnpDispatchDeviceInterface+A7j
		mov	[ebp+var_8], eax
		lea	esi, [ebp+var_8]
		mov	eax, [edx+4]
		mov	ecx, offset __PnpCmMatchCallbackRoutine@16 ; _PnpCmMatchCallbackRoutine(x,x,x,x)
		mov	[ebp+var_4], eax
		jmp	loc_7FEC67
; 

loc_9194AC:				; CODE XREF: _PnpDispatchDeviceInterface+1Fj
					; DATA XREF: PAGE:off_7FEC8Ao
		mov	eax, [ebp+arg_10] ; case 0x5
		mov	edx, [ebp+arg_4]
		push	dword ptr [eax+14h]
		push	dword ptr [eax+10h]
		push	dword ptr [eax+0Ch]
		push	ecx
		push	dword ptr [eax]
		mov	ecx, [ebp+arg_0]
		call	__CmGetDeviceInterfaceMappedPropertyKeys@28 ; _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)
		jmp	loc_7FEC02
; 

loc_9194CB:				; CODE XREF: _PnpDispatchDeviceInterface+1Fj
					; DATA XREF: PAGE:off_7FEC8Ao
		mov	eax, [ebp+arg_10] ; case 0x6
		push	dword ptr [eax+10h] ; int
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; int
		push	dword ptr [eax+4] ; void *
		push	ecx		; int
		call	__CmGetDeviceInterfaceMappedPropertyLocales@28 ; _CmGetDeviceInterfaceMappedPropertyLocales(x,x,x,x,x,x,x)
		jmp	loc_7FEC02
; 

loc_9194E5:				; CODE XREF: _PnpDispatchDeviceInterface+19j
		mov	eax, 0C000000Dh	; default
		jmp	loc_7FEC02
; END OF FUNCTION CHUNK	FOR _PnpDispatchDeviceInterface
; 
; START	OF FUNCTION CHUNK FOR PnpUnicodeStringToWstr

loc_9194EF:				; CODE XREF: PnpUnicodeStringToWstr+6Dj
					; PnpUnicodeStringToWstr+89j ...
		mov	[ebx], ecx
		test	esi, esi
		jz	loc_7FEE6D
		mov	eax, edx
		jmp	short loc_919506
; 

loc_9194FD:				; CODE XREF: PnpUnicodeStringToWstr+E5j
		mov	edx, [ebp+var_4]
		movzx	eax, dx
		add	eax, 2

loc_919506:				; CODE XREF: PnpUnicodeStringToWstr+10Dj
					; PnpUnicodeStringToWstr+11A779j
		mov	[esi], eax
		jmp	loc_7FEE6D
; 

loc_91950D:				; CODE XREF: PnpUnicodeStringToWstr+64j
		cmp	word ptr [ebp+var_10], di
		jz	short loc_9194EF
		push	75737050h
		push	2
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_7FEE94
		xor	ecx, ecx
		mov	[ebx], eax
		mov	[eax], cx
		test	esi, esi
		jz	loc_7FEE6D
		mov	dword ptr [esi], 2
		jmp	loc_7FEE6D
; 

loc_919543:				; CODE XREF: PnpUnicodeStringToWstr+31j
					; PnpUnicodeStringToWstr+3Cj
		mov	[ebx], edi
		test	esi, esi
		jz	loc_7FEE6D
		mov	[esi], edi
		jmp	loc_7FEE6D
; 

loc_919554:				; CODE XREF: PnpUnicodeStringToWstr+16j
					; PnpUnicodeStringToWstr+21j ...
		mov	edi, 0C000000Dh
		jmp	loc_7FEE6D
; END OF FUNCTION CHUNK	FOR PnpUnicodeStringToWstr
; 
; START	OF FUNCTION CHUNK FOR PiControlGetDeviceInterfaceEnabled

loc_91955E:				; CODE XREF: PiControlGetDeviceInterfaceEnabled+F7j
		cmp	[esp+20h+var_4], 0
		jz	loc_7FEFBF
		push	esi
		push	[esp+24h+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7FEFBF
; 

loc_919578:				; CODE XREF: PiControlGetDeviceInterfaceEnabled+33j
					; PiControlGetDeviceInterfaceEnabled+41j ...
		mov	eax, 0C000000Dh
		jmp	loc_7FEFC1
; END OF FUNCTION CHUNK	FOR PiControlGetDeviceInterfaceEnabled
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceInterfaceSubkeyPath

loc_919582:				; CODE XREF: _CmGetDeviceInterfaceSubkeyPath+70j
		mov	eax, 0C0000033h
		jmp	loc_7FF0BA
; END OF FUNCTION CHUNK	FOR _CmGetDeviceInterfaceSubkeyPath
; 
; START	OF FUNCTION CHUNK FOR ScanHexFormat

loc_91958C:				; CODE XREF: ScanHexFormat+77j
		cmp	eax, 58h
		jz	loc_7FF26D
		jmp	loc_7FF256
; END OF FUNCTION CHUNK	FOR ScanHexFormat
; 
; START	OF FUNCTION CHUNK FOR DrvDbAcquireDatabaseNodeBaseKey

loc_91959A:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+34j
		mov	esi, 0C0000467h
		jmp	loc_7FF68E
; 

loc_9195A4:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+F2j
		test	eax, eax
		jnz	short loc_9195AC
		xor	ecx, ecx
		jmp	short loc_9195AF
; 

loc_9195AC:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+119F6Ej
		mov	ecx, [eax+74h]

loc_9195AF:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+119F72j
		push	ebx
		push	2000000h
		push	0
		push	0
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		jmp	loc_7FF751
; 

loc_9195C3:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+A4j
		test	eax, eax
		jnz	short loc_9195CB
		xor	ecx, ecx
		jmp	short loc_9195CE
; 

loc_9195CB:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+119F8Dj
		mov	ecx, [eax+74h]

loc_9195CE:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+119F91j
		push	[ebp+arg_4]
		push	2000000h
		push	0
		push	0
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		jmp	loc_7FF705
; 

loc_9195E4:				; CODE XREF: DrvDbAcquireDatabaseNodeBaseKey+70j
					; DrvDbAcquireDatabaseNodeBaseKey+7Cj
		mov	esi, 0C000036Dh
		jmp	loc_7FF6BA
; END OF FUNCTION CHUNK	FOR DrvDbAcquireDatabaseNodeBaseKey
; 
; START	OF FUNCTION CHUNK FOR DrvDbOpenObjectRegKey

loc_9195EE:				; CODE XREF: DrvDbOpenObjectRegKey+7Ej
		mov	esi, 0C0000034h
		jmp	loc_7FF926
; 

loc_9195F8:				; CODE XREF: DrvDbOpenObjectRegKey+90j
		xor	ecx, ecx
		jmp	loc_7FF867
; 

loc_9195FF:				; CODE XREF: DrvDbOpenObjectRegKey+5Dj
					; DrvDbOpenObjectRegKey+86j
		cmp	esi, 0C0000034h
		jnz	loc_7FF89E
		cmp	[ebp+arg_C], 0
		jz	loc_7FF8AD
		mov	edi, [ebx+14h]
		lea	eax, [esp+18h+var_C]
		push	eax
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, ebx
		call	DrvDbAcquireDatabaseNodeBaseKey
		mov	esi, eax
		test	esi, esi
		jns	short loc_919645
		cmp	esi, 0C0000467h
		jnz	loc_7FF8AD
		mov	esi, 0C00000A2h
		jmp	loc_7FF8AD
; 

loc_919645:				; CODE XREF: DrvDbOpenObjectRegKey+119E5Fj
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_91964F
		xor	ecx, ecx
		jmp	short loc_919652
; 

loc_91964F:				; CODE XREF: DrvDbOpenObjectRegKey+119E7Bj
		mov	ecx, [eax+74h]

loc_919652:				; CODE XREF: DrvDbOpenObjectRegKey+119E7Fj
		mov	edx, [esp+18h+var_C]
		push	0
		push	[ebp+arg_10]
		push	ecx
		push	0
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		call	__SysCtxRegCreateTree@36 ; _SysCtxRegCreateTree(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_7FF8AD
		jmp	loc_7FF89E
; 

loc_91967A:				; CODE XREF: DrvDbOpenObjectRegKey+106j
		cmp	esi, 0C0000467h
		jnz	loc_7FF8AD
		mov	esi, 0C0000034h
		jmp	loc_7FF8AD
; 

loc_919690:				; CODE XREF: DrvDbOpenObjectRegKey+112j
		test	eax, eax
		jnz	short loc_919698
		xor	ecx, ecx
		jmp	short loc_91969B
; 

loc_919698:				; CODE XREF: DrvDbOpenObjectRegKey+119EC4j
		mov	ecx, [eax+74h]

loc_91969B:				; CODE XREF: DrvDbOpenObjectRegKey+119EC8j
		push	[ebp+arg_14]
		mov	edx, [esp+1Ch+var_C]
		push	[ebp+arg_10]
		push	ecx
		push	0
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		call	__SysCtxRegCreateTree@36 ; _SysCtxRegCreateTree(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_7FF89E
; 

loc_9196BC:				; CODE XREF: DrvDbOpenObjectRegKey+D9j
		mov	[eax], edi
		jmp	loc_7FF8AD
; END OF FUNCTION CHUNK	FOR DrvDbOpenObjectRegKey
; 
; START	OF FUNCTION CHUNK FOR PiCMHandleIoctl

loc_9196C3:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFAC6o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMEnumerateSubKeys@24 ; PiCMEnumerateSubKeys(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_9196D5:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFB2Ao
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMCreateObject@24 ; PiCMCreateObject(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_9196E7:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFB2Eo
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMDeleteObject@24 ; PiCMDeleteObject(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_9196F9:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFACAo
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMGetObjectPropertyKeys@24 ;	PiCMGetObjectPropertyKeys(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_91970B:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFADAo
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMSetRegistryProperty@24 ; PiCMSetRegistryProperty(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_91971D:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFAE6o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMGetDeviceDepth@24 ; PiCMGetDeviceDepth(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_91972F:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFAEAo
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMSetDeviceProblem@24 ; PiCMSetDeviceProblem(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_919741:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFAEEo
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMQueryRemove@24 ; PiCMQueryRemove(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_919753:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFAF2o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMRegisterDeviceInterface@24	; PiCMRegisterDeviceInterface(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_919765:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFAF6o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMUnregisterDeviceInterface@24 ; PiCMUnregisterDeviceInterface(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_919777:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFB02o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMCreateDevice@24 ; PiCMCreateDevice(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_919789:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFB06o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMDeleteDevice@24 ; PiCMDeleteDevice(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_91979B:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFB0Ao
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMDeviceAction@24 ; PiCMDeviceAction(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_9197AD:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFB12o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMDeleteDeviceInterfaceKey@24 ; PiCMDeleteDeviceInterfaceKey(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_9197BF:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFB1Ao
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMDeleteDeviceKey@24	; PiCMDeleteDeviceKey(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_9197D1:				; CODE XREF: PiCMHandleIoctl+28j
					; DATA XREF: PAGE:007FFB22o
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiCMDeleteClassKey@24 ; PiCMDeleteClassKey(x,x,x,x,x,x)
		jmp	loc_7FF9E2
; 

loc_9197E3:				; CODE XREF: PiCMHandleIoctl+1Bj
					; PiCMHandleIoctl+28j
					; DATA XREF: ...
		mov	eax, 0C00000BBh
		jmp	loc_7FF9E2
; END OF FUNCTION CHUNK	FOR PiCMHandleIoctl
; 
; START	OF FUNCTION CHUNK FOR PiCMCapturePropertyInputData

loc_9197ED:				; CODE XREF: PiCMCapturePropertyInputData+56j
					; PiCMCapturePropertyInputData+5Ej
		mov	byte ptr [ecx],	0
		jmp	loc_7FFC14
; 

loc_9197F5:				; CODE XREF: PiCMCapturePropertyInputData+6Aj
					; PiCMCapturePropertyInputData+7Cj
		mov	eax, 0C000000Dh
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], eax
		jmp	loc_7FFC32
; END OF FUNCTION CHUNK	FOR PiCMCapturePropertyInputData

;  S U B	R O U T	I N E 


sub_919805	proc near		; DATA XREF: .text:006A544Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
sub_919805	endp


;  S U B	R O U T	I N E 


sub_919813	proc near		; DATA XREF: .text:006A5450o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-30h]
		mov	[ebp-1Ch], eax
		mov	[ebp-24h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp+0Ch]
		jmp	loc_7FFC39
sub_919813	endp

; 
; START	OF FUNCTION CHUNK FOR PiCMCapturePropertyInputData

loc_91982E:				; CODE XREF: PiCMCapturePropertyInputData+C2j
		and	dword ptr [edi], 0
		and	dword ptr [ebx+10h], 0
		jmp	loc_7FFC8D
; 

loc_91983A:				; CODE XREF: PiCMCapturePropertyInputData+A7j
		test	eax, eax
		jnz	short loc_919848

loc_91983E:				; CODE XREF: PiCMCapturePropertyInputData+9Bj
		cmp	dword ptr [ebx+10h], 0
		ja	short loc_91984E
		test	eax, eax
		jz	short loc_91989B

loc_919848:				; CODE XREF: PiCMCapturePropertyInputData+119C8Cj
		cmp	dword ptr [ebx+10h], 2
		jnb	short loc_91989B

loc_91984E:				; CODE XREF: PiCMCapturePropertyInputData+EDj
					; PiCMCapturePropertyInputData+119C92j	...
		mov	esi, 0C000000Dh

loc_919853:				; CODE XREF: PiCMCapturePropertyInputData+FDj
		cmp	[ebp+var_28], 0
		jz	short loc_91986E
		mov	eax, [ebx+0Ch]
		cmp	byte ptr [ebp+var_20], 0
		jz	short loc_91986E
		test	eax, eax
		jz	short loc_91986E
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_91986E:				; CODE XREF: PiCMCapturePropertyInputData+119CA7j
					; PiCMCapturePropertyInputData+119CB0j	...
		cmp	[ebp+var_2C], 0
		jz	short loc_919889
		mov	eax, [ebx+2Ch]
		cmp	byte ptr [ebp+var_20], 0
		jz	short loc_919889
		test	eax, eax
		jz	short loc_919889
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_919889:				; CODE XREF: PiCMCapturePropertyInputData+119CC2j
					; PiCMCapturePropertyInputData+119CCBj	...
		push	38h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_7FFCB3
; 

loc_91989B:				; CODE XREF: PiCMCapturePropertyInputData+119C96j
					; PiCMCapturePropertyInputData+119C9Cj
		mov	esi, [ebp+var_1C]
		jmp	loc_7FFC8D
; 

loc_9198A3:				; CODE XREF: PiCMCapturePropertyInputData+11Cj
		test	eax, eax
		jz	loc_7FFC99

loc_9198AB:				; CODE XREF: PiCMCapturePropertyInputData+F5j
		cmp	dword ptr [ebx+30h], 0
		jnz	loc_7FFCAB
		jmp	short loc_91984E
; 

loc_9198B7:				; CODE XREF: PiCMCapturePropertyInputData+31j
					; PiCMCapturePropertyInputData+39j
		mov	esi, 0C000000Dh
		mov	ebx, [ebp+arg_4]
		jmp	loc_7FFCAB
; END OF FUNCTION CHUNK	FOR PiCMCapturePropertyInputData
; 
; START	OF FUNCTION CHUNK FOR NtPlugPlayControl

loc_9198C4:				; CODE XREF: NtPlugPlayControl+1Bj
		push	1
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	short loc_9198FE
		jmp	loc_7FFD27
; 

loc_9198E0:				; CODE XREF: NtPlugPlayControl+4Cj
		mov	eax, 0C0000002h
		jmp	loc_7FFDD5
; 

loc_9198EA:				; CODE XREF: NtPlugPlayControl+58j
		mov	eax, 0C0000030h
		jmp	loc_7FFDD5
; 

loc_9198F4:				; CODE XREF: NtPlugPlayControl+65j
		cmp	byte ptr [esi+0Ch], 0
		jnz	loc_7FFD71

loc_9198FE:				; CODE XREF: NtPlugPlayControl+119BD3j
		mov	eax, 0C0000061h
		jmp	loc_7FFDD5
; 

loc_919908:				; CODE XREF: NtPlugPlayControl+C7j
		cmp	[ebp+var_4], 0
		jz	loc_7FFDD3
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_7FFDD3
; 

loc_919921:				; CODE XREF: NtPlugPlayControl+3Aj
		mov	eax, 0C00000E5h
		jmp	loc_7FFDD5
; 

loc_91992B:				; CODE XREF: NtPlugPlayControl+27j
					; NtPlugPlayControl+42j
		mov	eax, 0C00000EFh
		jmp	loc_7FFDD5
; END OF FUNCTION CHUNK	FOR NtPlugPlayControl
; 
; START	OF FUNCTION CHUNK FOR PiControlMakeUserModeCallersCopy

loc_919935:				; CODE XREF: PiControlMakeUserModeCallersCopy+60j
		test	edi, edi
		jz	loc_7FFE58
		push	0
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0
		jmp	loc_7FFE58
; END OF FUNCTION CHUNK	FOR PiControlMakeUserModeCallersCopy
; 
; START	OF FUNCTION CHUNK FOR PiControlCopyUserModeCallersBuffer

loc_91994E:				; CODE XREF: PiControlCopyUserModeCallersBuffer+16j
		push	[ebp+arg_0]	; size_t
		push	edi		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		jmp	loc_7FFECD
; 

loc_919962:				; CODE XREF: PiControlCopyUserModeCallersBuffer+25j
		push	[ebp+arg_4]
		push	esi
		push	ecx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [ebp+var_1C]
		jmp	loc_7FFEB9
; END OF FUNCTION CHUNK	FOR PiControlCopyUserModeCallersBuffer

;  S U B	R O U T	I N E 


sub_919974	proc near		; DATA XREF: .text:006A546Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_919974	endp


;  S U B	R O U T	I N E 


sub_919982	proc near		; DATA XREF: .text:006A5470o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-20h]
		jmp	loc_7FFEC4
sub_919982	endp

; 
; START	OF FUNCTION CHUNK FOR PiCMGetObjectProperty

loc_91998D:				; CODE XREF: PiCMGetObjectProperty+1ADj
		sub	eax, 1
		jnz	loc_80010B
		push	5
		jmp	loc_8001EF
; 

loc_91999D:				; CODE XREF: PiCMGetObjectProperty+B3j
		push	7
		jmp	loc_8000FE
; 

loc_9199A4:				; CODE XREF: PiCMGetObjectProperty+D3j
		mov	edi, 0C000000Dh
		jmp	loc_800113
; 

loc_9199AE:				; CODE XREF: PiCMGetObjectProperty+106j
		mov	edi, 0C000009Ah
		jmp	loc_800146
; 

loc_9199B8:				; CODE XREF: PiCMGetObjectProperty+8Ej
					; PiCMGetObjectProperty+9Aj
		mov	edi, 0C000000Dh
		jmp	loc_8001C5
; 

loc_9199C2:				; CODE XREF: PiCMGetObjectProperty+61j
					; PiCMGetObjectProperty+6Aj ...
		mov	edi, 0C000000Dh
		jmp	loc_80016B
; END OF FUNCTION CHUNK	FOR PiCMGetObjectProperty

;  S U B	R O U T	I N E 


sub_9199CC	proc near		; DATA XREF: .text:006A548Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_9199CC	endp


;  S U B	R O U T	I N E 


sub_9199DA	proc near		; DATA XREF: .text:006A5490o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-1Ch]
		jmp	loc_8002DD
sub_9199DA	endp

; 
; START	OF FUNCTION CHUNK FOR PiDqActionDataGetRequestedProperties

loc_9199E5:				; CODE XREF: PiDqActionDataGetRequestedProperties+3Aj
		mov	ebx, 0C000009Ah
		jmp	loc_80049C
; 

loc_9199EF:				; CODE XREF: PiDqActionDataGetRequestedProperties+EBj
		mov	ebx, 0C000000Dh
		jmp	loc_80049C
; 

loc_9199F9:				; CODE XREF: PiDqActionDataGetRequestedProperties+BCj
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8004AC
; END OF FUNCTION CHUNK	FOR PiDqActionDataGetRequestedProperties
; 
; START	OF FUNCTION CHUNK FOR _PnpOpenObjectRegKey

loc_919A04:				; CODE XREF: _PnpOpenObjectRegKey+5Cj
		cmp	eax, 0C0000120h
		jz	short loc_919A1D
		test	eax, eax
		jz	loc_800656
		mov	esi, 0C00000E5h
		jmp	loc_80068C
; 

loc_919A1D:				; CODE XREF: _PnpOpenObjectRegKey+119417j
					; _PnpOpenObjectRegKey+11945Bj
		mov	esi, [esp+50h+var_40]
		jmp	loc_800681
; 

loc_919A26:				; CODE XREF: _PnpOpenObjectRegKey+89j
		lea	eax, [esp+50h+var_40]
		mov	[esp+50h+var_40], esi
		push	eax
		push	2
		push	2
		push	[ebp+arg_0]
		push	[esp+60h+var_44]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	loc_800681
		cmp	eax, 0C0000120h
		jz	short loc_919A1D
		test	eax, eax
		jz	loc_800681
		mov	esi, 0C00000E5h
		jmp	loc_800681
; END OF FUNCTION CHUNK	FOR _PnpOpenObjectRegKey
; 
; START	OF FUNCTION CHUNK FOR PiPnpRtlInterfaceFilterCallback

loc_919A61:				; CODE XREF: PiPnpRtlInterfaceFilterCallback+43j
		cmp	[eax], bx
		jz	loc_8006E9
		push	47706E50h
		push	190h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_80070F
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_20]
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	eax
		push	190h
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	offset _DEVPKEY_Device_InstanceId
		push	ebx
		push	ebx
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_800707
		cmp	[ebp+var_1C], 12h
		jnz	loc_800707
		push	edi		; wchar_t *
		push	dword ptr [esi+4] ; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_800707
		jmp	loc_8006E9
; 

loc_919AD5:				; CODE XREF: PiPnpRtlInterfaceFilterCallback+69j
		push	47706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_80070F
; END OF FUNCTION CHUNK	FOR PiPnpRtlInterfaceFilterCallback
; 
; START	OF FUNCTION CHUNK FOR PiDmListEnumObjectsWithCallback

loc_919AE5:				; CODE XREF: PiDmListEnumObjectsWithCallback+61j
		mov	[ebp+var_8], 0C000009Ah
		jmp	loc_8008D7
; END OF FUNCTION CHUNK	FOR PiDmListEnumObjectsWithCallback
; 
; START	OF FUNCTION CHUNK FOR IopGetLegacyVetoListDrivers

loc_919AF1:				; CODE XREF: IopGetLegacyVetoListDrivers+68j
		mov	ecx, [esi+0Ch]
		mov	[ecx], eax
		jmp	loc_800ACE
; 

loc_919AFB:				; CODE XREF: IopGetLegacyVetoListDrivers+88j
		mov	eax, [esi+0Ch]
		mov	dword ptr [eax], 0C000009Ah
		jmp	loc_800ACE
; 

loc_919B09:				; CODE XREF: IopGetLegacyVetoListDrivers+ADj
		mov	eax, [esi+0Ch]
		mov	dword ptr [eax], 0C000009Ah
		jmp	loc_800AC2
; 

loc_919B17:				; CODE XREF: IopGetLegacyVetoListDrivers+D6j
		mov	eax, [ebp+var_10]
		push	0
		push	ebx
		mov	[ebp+var_C], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	6F697050h
		push	[ebp+var_C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_919BC3
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_14]
		push	1
		push	[ebp+var_C]
		push	ebx
		push	[ebp+var_8]
		call	_ZwQueryDirectoryObject@28 ; ZwQueryDirectoryObject(x,x,x,x,x,x,x)
		jmp	loc_800A1C
; 

loc_919B5C:				; CODE XREF: IopGetLegacyVetoListDrivers+FBj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_1C]
		movzx	eax, cx
		mov	[ebp+var_4], eax
		mov	word ptr [ebp+var_28+2], ax
		push	6F697050h
		movzx	eax, cx
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		jz	short loc_919BC3
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_1C]
		jmp	loc_800A41
; 

loc_919B95:				; CODE XREF: IopGetLegacyVetoListDrivers+146j
		cmp	dword ptr [esi], 0
		mov	eax, [esi+8]
		mov	dword ptr [eax], 0Bh
		jz	loc_800A8C
		mov	edx, ebx
		mov	ecx, esi
		call	_IopAppendLegacyVeto@8 ; IopAppendLegacyVeto(x,x)
		jmp	loc_800A8C
; 

loc_919BB5:				; CODE XREF: IopGetLegacyVetoListDrivers+159j
		cmp	dword ptr [esi], 0
		jz	loc_800AE1
		jmp	loc_800A9F
; 

loc_919BC3:				; CODE XREF: IopGetLegacyVetoListDrivers+1191F8j
					; IopGetLegacyVetoListDrivers+119248j
		mov	eax, [esi+0Ch]
		mov	dword ptr [eax], 0C000009Ah
		jmp	loc_800AB6
; END OF FUNCTION CHUNK	FOR IopGetLegacyVetoListDrivers

;  S U B	R O U T	I N E 


sub_919BD1	proc near		; CODE XREF: PnpGetObjectProperty+26j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_800B46
sub_919BD1	endp

; 
; START	OF FUNCTION CHUNK FOR PnpGetObjectProperty

loc_919BDD:				; CODE XREF: PnpGetObjectProperty+72j
		mov	edx, [ebp+var_4]
		mov	edi, [ebp+var_8]
		jmp	loc_800B33
; 

loc_919BE8:				; CODE XREF: PnpGetObjectProperty+39j
		mov	edi, 0C000009Ah
		jmp	loc_800B92
; END OF FUNCTION CHUNK	FOR PnpGetObjectProperty
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceInstanceKeyPath

loc_919BF2:				; CODE XREF: _CmGetDeviceInstanceKeyPath+62j
		cmp	esi, 0FFFFFFFFh
		jz	short loc_919C4D
		push	ebx
		lea	ebx, [edx+2]
		xor	ecx, ecx

loc_919BFD:				; CODE XREF: _CmGetDeviceInstanceKeyPath+118F14j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, cx
		jnz	short loc_919BFD
		mov	eax, [ebp+arg_14]
		sub	edx, ebx
		sar	edx, 1
		add	edx, 4Fh
		pop	ebx
		test	eax, eax
		jz	short loc_919C19
		mov	[eax], edx

loc_919C19:				; CODE XREF: _CmGetDeviceInstanceKeyPath+118F23j
		cmp	edx, [ebp+arg_10]
		ja	loc_800DA8
		push	edi
		push	offset ??_C@_1DM@BNJPOICG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@
		push	esi
		push	offset ??_C@_1FG@MPFEKKOF@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; char
		push	offset ??_C@_1BM@OHMKBCBF@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; wchar_t *
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 28h
		jmp	loc_800D49
; 

loc_919C4D:				; CODE XREF: _CmGetDeviceInstanceKeyPath+118F03j
		mov	eax, 0C000000Dh
		jmp	loc_800D49
; END OF FUNCTION CHUNK	FOR _CmGetDeviceInstanceKeyPath
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceRegKeyPath

loc_919C57:				; CODE XREF: _CmGetDeviceRegKeyPath+12j
					; _CmGetDeviceRegKeyPath+1Ej ...
		mov	eax, 0C000000Dh
		jmp	loc_800DFA
; END OF FUNCTION CHUNK	FOR _CmGetDeviceRegKeyPath
; 
; START	OF FUNCTION CHUNK FOR _RegRtlQueryValue

loc_919C61:				; CODE XREF: _RegRtlQueryValue+A1j
		mov	esi, 0C0000017h
		jmp	loc_801005
; END OF FUNCTION CHUNK	FOR _RegRtlQueryValue
; 
; START	OF FUNCTION CHUNK FOR PiDqPnPGetObjectProperty

loc_919C6B:				; CODE XREF: PiDqPnPGetObjectProperty+A3j
		mov	edx, [ebp+arg_0]
		lea	eax, [esp+20h+var_14]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	esi
		push	ebx
		lea	eax, [esp+30h+var_10]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_C]
		call	__PnpGetGenericStoreProperty@36	; _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)
		jmp	loc_801196
; 

loc_919C91:				; CODE XREF: PiDqPnPGetObjectProperty+92j
		mov	esi, 0C000009Ah
		jmp	loc_8011A0
; 

loc_919C9B:				; CODE XREF: PiDqPnPGetObjectProperty+F3j
		mov	eax, [edi+18h]
		test	eax, eax
		jz	loc_8011C1
		push	58706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8011C1
; END OF FUNCTION CHUNK	FOR PiDqPnPGetObjectProperty
; 
; START	OF FUNCTION CHUNK FOR PiPnpRtlObjectEventCreate

loc_919CB6:				; CODE XREF: PiPnpRtlObjectEventCreate+F4j
		mov	edi, [esp+0A8h+var_94]
		xor	ebx, ebx
		jmp	short loc_919CE0
; 

loc_919CBE:				; CODE XREF: PiPnpRtlObjectEventCreate+119j
		mov	edi, [esp+0A8h+var_94]
		mov	ebx, 0C000009Ah
		jmp	short loc_919CD9
; 

loc_919CC9:				; CODE XREF: PiPnpRtlObjectEventCreate+167j
		mov	ebx, 0C000009Ah

loc_919CCE:				; CODE XREF: PiPnpRtlObjectEventCreate+170j
		test	esi, esi
		jz	short loc_919CD9
		mov	ecx, esi
		call	PiPnpRtlObjectEventRelease

loc_919CD9:				; CODE XREF: PiPnpRtlObjectEventCreate+83j
					; PiPnpRtlObjectEventCreate+118AD7j ...
		mov	eax, [esp+0A8h+var_84]
		and	dword ptr [eax], 0

loc_919CE0:				; CODE XREF: PiPnpRtlObjectEventCreate+118ACCj
		test	edi, edi
		jz	loc_8012AD
		mov	ecx, edi
		call	PiDmObjectRelease
		jmp	loc_8012AD
; END OF FUNCTION CHUNK	FOR PiPnpRtlObjectEventCreate
; 
; START	OF FUNCTION CHUNK FOR PiPnpRtlObjectActionCallback

loc_919CF4:				; CODE XREF: PiPnpRtlObjectActionCallback+11Cj
					; DATA XREF: PAGE:off_8016ECo
		cmp	[ebp+arg_8], 7	; case 0x3
		jnz	loc_801577	; default
		cmp	[ebp+arg_10], 1
		jnz	short loc_919D1E
		mov	ecx, [ebp+arg_4]
		call	_PiDrvDbMountNode@4 ; PiDrvDbMountNode(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_919D69
		mov	dword ptr [esi+4], 1
		jmp	loc_801577	; default
; 

loc_919D1E:				; CODE XREF: PiPnpRtlObjectActionCallback+118882j
		cmp	dword ptr [esi+4], 1
		jnz	loc_801577	; default
		cmp	dword ptr [esi], 0
		jge	short loc_919D37
		mov	ecx, [ebp+arg_4]
		call	_PiDrvDbUnmountNode@4 ;	PiDrvDbUnmountNode(x)
		jmp	short loc_919D3B
; 

loc_919D37:				; CODE XREF: PiPnpRtlObjectActionCallback+1188ABj
		mov	byte ptr [esi+10h], 1

loc_919D3B:				; CODE XREF: PiPnpRtlObjectActionCallback+1188B5j
		mov	dword ptr [esi+4], 0
		jmp	loc_801577	; default
; 

loc_919D47:				; CODE XREF: PiPnpRtlObjectActionCallback+11Cj
					; DATA XREF: PAGE:off_8016ECo
		cmp	[ebp+arg_8], 7	; case 0x4
		jnz	loc_801577	; default
		cmp	[ebp+arg_10], 1
		jnz	short loc_919D75
		mov	ecx, [ebp+arg_4]
		call	_PiDrvDbUnmountNode@4 ;	PiDrvDbUnmountNode(x)
		mov	edi, eax
		test	edi, edi
		jns	loc_801577	; default

loc_919D69:				; CODE XREF: PiPnpRtlObjectActionCallback+118890j
		mov	[esi], edi
		mov	edi, 0C0000120h
		jmp	loc_801577	; default
; 

loc_919D75:				; CODE XREF: PiPnpRtlObjectActionCallback+1188D5j
		cmp	dword ptr [esi], 0C0000034h
		jnz	loc_801577	; default
		mov	dword ptr [esi], 0
		mov	edi, 0C0000120h
		jmp	loc_801577	; default
; 

loc_919D91:				; CODE XREF: PiPnpRtlObjectActionCallback+155j
		mov	eax, [esi+8]
		push	edx
		mov	[esp+1Ch+var_8], eax
		mov	edx, offset _PiDmPnpObjectMatchCallback@12 ; PiDmPnpObjectMatchCallback(x,x,x)
		mov	eax, [esi+0Ch]
		push	edi
		mov	[esp+20h+var_4], eax
		lea	eax, [esp+20h+var_8]
		push	ebx
		push	eax
		call	_PiDmGetObjectList@24 ;	PiDmGetObjectList(x,x,x,x,x,x)
		cmp	eax, 0C0000016h
		jz	loc_801575
		jmp	loc_801582
; END OF FUNCTION CHUNK	FOR PiPnpRtlObjectActionCallback
; 
; START	OF FUNCTION CHUNK FOR PiDmObjectGetAggregatedBooleanPropertyData

loc_919DC1:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+38j
		mov	[ebp+arg_10], 0
		jmp	loc_80174E
; 

loc_919DCD:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+CEj
		mov	eax, 0C0000023h
		jmp	loc_80177C
; 

loc_919DD7:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+10Cj
		mov	ecx, [ebp+arg_4]
		xor	esi, esi
		mov	eax, [ecx+14h]
		lea	eax, [eax+eax*4]
		mov	eax, ds:dword_4042C4[eax*4]
		add	eax, ebx
		mov	[ebp+arg_14], eax
		mov	edx, [eax]
		mov	[ebp+arg_8], edx
		cmp	edx, eax
		jz	short loc_919E5F

loc_919DF7:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+11874Dj
		mov	eax, [ecx+14h]
		push	0
		lea	eax, [eax+eax*4]
		sub	edx, ds:dword_4042CC[eax*4]
		lea	eax, [ebp+var_18]
		push	eax
		push	1
		lea	eax, [ebp+var_1]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, [ecx+4]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		mov	eax, [edx+14h]
		mov	edx, [edx+0Ch]
		push	0
		push	0
		push	eax
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_919E43
		cmp	[ebp+var_C], 11h
		jnz	short loc_919E4F
		cmp	byte ptr [ebp+var_1], 0FFh
		jnz	short loc_919E4F
		inc	esi
		jmp	short loc_919E4F
; 

loc_919E43:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+118722j
		cmp	ebx, 0C0000225h
		jnz	loc_801830

loc_919E4F:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+118728j
					; PiDmObjectGetAggregatedBooleanPropertyData+11872Ej ...
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		mov	edx, [edx]
		mov	[ebp+arg_8], edx
		cmp	edx, [ebp+arg_14]
		jnz	short loc_919DF7

loc_919E5F:				; CODE XREF: PiDmObjectGetAggregatedBooleanPropertyData+1186E5j
		mov	[edi], esi
		jmp	loc_801822
; END OF FUNCTION CHUNK	FOR PiDmObjectGetAggregatedBooleanPropertyData
; 
; START	OF FUNCTION CHUNK FOR PiDmObjectRelease

loc_919E66:				; CODE XREF: PiDmObjectRelease+17j
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_919E78
		push	5A706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_919E78:				; CODE XREF: PiDmObjectRelease+118529j
		mov	ecx, [esi+14h]
		lea	eax, [ebp+var_4]
		push	ebx
		push	eax
		lea	edx, [ebp+var_8]
		call	_PiDmGetCacheKeys@12 ; PiDmGetCacheKeys(x,x,x)
		mov	ebx, [ebp+var_4]
		test	ebx, ebx
		jz	short loc_919EA3
		push	edi
		lea	edi, [esi+40h]

loc_919E93:				; CODE XREF: PiDmObjectRelease+11855Ej
		mov	ecx, edi
		call	PiDmCacheDataFree
		add	edi, 14h
		sub	ebx, 1
		jnz	short loc_919E93
		pop	edi

loc_919EA3:				; CODE XREF: PiDmObjectRelease+11854Bj
		push	5A706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebx
		jmp	loc_80195F
; END OF FUNCTION CHUNK	FOR PiDmObjectRelease
; 
; START	OF FUNCTION CHUNK FOR PiDmInitializeComparisonObject

loc_919EB4:				; CODE XREF: PiDmInitializeComparisonObject+25j
		mov	cx, word ptr [ebp+var_14]
		jmp	loc_801A9A
; 

loc_919EBD:				; CODE XREF: PiDmInitializeComparisonObject+3Fj
					; PiDmInitializeComparisonObject+46j ...
		mov	eax, 0C000000Dh
		jmp	loc_801AE8
; END OF FUNCTION CHUNK	FOR PiDmInitializeComparisonObject
; 
; START	OF FUNCTION CHUNK FOR PiDmGetObjectManagerForObjectType

loc_919EC7:				; CODE XREF: PiDmGetObjectManagerForObjectType+2Bj
		sub	ecx, 1
		jnz	locret_801BD6
		mov	eax, offset _PiDmDevicePanelManager
		retn
; END OF FUNCTION CHUNK	FOR PiDmGetObjectManagerForObjectType
; 
; START	OF FUNCTION CHUNK FOR PiDmObjectGetCachedObjectPropertyData

loc_919ED6:				; CODE XREF: PiDmObjectGetCachedObjectPropertyData+4Cj
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_10]
		push	eax
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_801CB8
		mov	bl, 1
		jmp	loc_801C5A
; 

loc_919EF6:				; CODE XREF: PiDmObjectGetCachedObjectPropertyData+AAj
		mov	ecx, [ebp+arg_0]
		call	PiDmObjectRelease
		jmp	loc_801CB8
; END OF FUNCTION CHUNK	FOR PiDmObjectGetCachedObjectPropertyData
; 
; START	OF FUNCTION CHUNK FOR _PnpGetObjectPropertyWorker

loc_919F03:				; CODE XREF: _PnpGetObjectPropertyWorker+1Bj
		mov	esi, 0C000000Dh
		jmp	loc_801E11
; END OF FUNCTION CHUNK	FOR _PnpGetObjectPropertyWorker
; 
; START	OF FUNCTION CHUNK FOR PiDmObjectUpdateCachedObjectProperty

loc_919F0D:				; CODE XREF: PiDmObjectUpdateCachedObjectProperty+18Dj
		push	5A706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, ebx
		mov	eax, ebx
		mov	[ebp+var_C], esi
		jmp	loc_80200E
; 

loc_919F24:				; CODE XREF: PiDmObjectUpdateCachedObjectProperty+12Aj
					; PiDmObjectUpdateCachedObjectProperty+136j ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_20]
		call	PiDmCacheDataFree
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, [ebp+var_C]
		jmp	loc_802052
; END OF FUNCTION CHUNK	FOR PiDmObjectUpdateCachedObjectProperty
; 
; START	OF FUNCTION CHUNK FOR _PnpDispatchDevice

loc_919F62:				; CODE XREF: _PnpDispatchDevice+1Fj
					; DATA XREF: PAGE:off_80229Ao
		mov	ecx, [ebp+arg_10] ; case 0x2
		mov	edx, [ebp+arg_4]
		mov	eax, [ecx+0Ch]
		and	eax, 0FFFF0000h
		push	eax
		lea	eax, [ecx+8]
		push	eax
		lea	eax, [ecx+4]
		push	eax
		push	dword ptr [ecx]
		mov	ecx, [ebp+arg_0]
		call	_CmCreateDevice
		jmp	loc_802213
; 

loc_919F88:				; CODE XREF: _PnpDispatchDevice+1Fj
					; DATA XREF: PAGE:off_80229Ao
		mov	eax, [ebp+arg_10] ; case 0x3
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax]
		and	eax, 0FFFF0000h
		push	eax
		call	__CmDeleteDevice@12 ; _CmDeleteDevice(x,x,x)
		jmp	loc_802213
; 

loc_919FA3:				; CODE XREF: _PnpDispatchDevice+B0j
		mov	[ebp+var_8], eax
		lea	esi, [ebp+var_8]
		mov	eax, [ecx+4]
		mov	edx, offset __PnpCmMatchCallbackRoutine@16 ; _PnpCmMatchCallbackRoutine(x,x,x,x)
		mov	[ebp+var_4], eax
		jmp	loc_802278
; 

loc_919FB9:				; CODE XREF: _PnpDispatchDevice+1Fj
					; DATA XREF: PAGE:off_80229Ao
		mov	eax, [ebp+arg_10] ; case 0x5
		mov	ecx, [ebp+arg_0]
		push	dword ptr [eax+14h]
		push	dword ptr [eax+10h]
		push	dword ptr [eax+0Ch]
		push	edx
		push	dword ptr [eax]
		mov	edx, [ebp+arg_4]
		call	__CmGetDeviceMappedPropertyKeys@28 ; _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)
		jmp	loc_802213
; 

loc_919FD8:				; CODE XREF: _PnpDispatchDevice+1Fj
					; DATA XREF: PAGE:off_80229Ao
		mov	eax, [ebp+arg_10] ; case 0x6
		push	dword ptr [eax+10h] ; int
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; int
		push	dword ptr [eax+4] ; void *
		push	ecx		; int
		call	__CmGetDeviceMappedPropertyLocales@28 ;	_CmGetDeviceMappedPropertyLocales(x,x,x,x,x,x,x)
		jmp	loc_802213
; 

loc_919FF2:				; CODE XREF: _PnpDispatchDevice+19j
		mov	eax, 0C000000Dh	; default
		jmp	loc_802213
; END OF FUNCTION CHUNK	FOR _PnpDispatchDevice
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceMappedProperty

loc_919FFC:				; CODE XREF: _CmGetDeviceMappedProperty+27j
		mov	eax, 0C000000Dh
		jmp	loc_8023B8
; 

loc_91A006:				; CODE XREF: _CmGetDeviceMappedProperty+F0j
		mov	ecx, [ebp+arg_8]
		jmp	loc_80232D
; END OF FUNCTION CHUNK	FOR _CmGetDeviceMappedProperty
; 
; START	OF FUNCTION CHUNK FOR PnpAllocatePWSTR

loc_91A00E:				; CODE XREF: PnpAllocatePWSTR+5Cj
		mov	esi, 0C000009Ah

loc_91A013:				; CODE XREF: PnpAllocatePWSTR+71j
		mov	eax, [edi]
		test	eax, eax
		jz	loc_8024DD
		push	[ebp+arg_0]
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0
		jmp	loc_8024DD
; END OF FUNCTION CHUNK	FOR PnpAllocatePWSTR
; 
; START	OF FUNCTION CHUNK FOR _PnpOpenPropertiesKey

loc_91A02E:				; CODE XREF: _PnpOpenPropertiesKey+69j
		xor	eax, eax
		jmp	loc_80276B
; 

loc_91A035:				; CODE XREF: _PnpOpenPropertiesKey+80j
		lea	esi, [eax+0Ch]
		push	52504E50h
		lea	eax, [esi+esi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_802782
		mov	esi, 0C0000017h
		jmp	loc_8027FD
; 

loc_91A05C:				; CODE XREF: _PnpOpenPropertiesKey+B7j
		xor	ecx, ecx
		jmp	loc_8027B6
; 

loc_91A063:				; CODE XREF: _PnpOpenPropertiesKey+14Fj
		call	__PnpGetPropertiesSecurityDescriptor@4 ; _PnpGetPropertiesSecurityDescriptor(x)
		mov	[ebp+var_90], eax
		test	eax, eax
		jnz	short loc_91A07C
		mov	esi, 0C00000E5h
		jmp	loc_8027E0
; 

loc_91A07C:				; CODE XREF: _PnpOpenPropertiesKey+11797Aj
		push	eax
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jnz	short loc_91A090
		mov	esi, 0C00000E5h
		jmp	loc_80284D
; 

loc_91A090:				; CODE XREF: _PnpOpenPropertiesKey+11798Ej
		test	ebx, ebx
		jnz	short loc_91A098
		xor	ecx, ecx
		jmp	short loc_91A09B
; 

loc_91A098:				; CODE XREF: _PnpOpenPropertiesKey+11799Cj
		mov	ecx, [ebx+74h]

loc_91A09B:				; CODE XREF: _PnpOpenPropertiesKey+1179A0j
		mov	eax, [ebp+var_90]
		mov	edx, [ebp+var_88]
		push	0
		push	[ebp+var_84]
		push	ecx
		push	eax
		push	[ebp+arg_4]
		push	0
		push	offset ??_C@_1BG@COALCEMK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAi?$AAe?$AAs@NNGAKEGL@
		call	__SysCtxRegCreateKey@36	; _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)
		jmp	loc_80285C
; 

loc_91A0C5:				; CODE XREF: _PnpOpenPropertiesKey+17Aj
		mov	eax, [ebp+var_84]
		mov	edx, [eax]
		and	dword ptr [eax], 0
		mov	[ebp+var_98], edx
		test	ebx, ebx
		jnz	short loc_91A0DE
		xor	ecx, ecx
		jmp	short loc_91A0E1
; 

loc_91A0DE:				; CODE XREF: _PnpOpenPropertiesKey+1179E2j
		mov	ecx, [ebx+74h]

loc_91A0E1:				; CODE XREF: _PnpOpenPropertiesKey+1179E6j
		push	0
		push	eax
		push	ecx
		push	0
		push	[ebp+arg_4]
		push	0
		push	[ebp+var_8C]
		call	__SysCtxRegCreateTree@36 ; _SysCtxRegCreateTree(x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jz	loc_802883
		test	eax, eax
		jns	loc_80284D
		jmp	loc_80284B
; 

loc_91A10F:				; CODE XREF: _PnpOpenPropertiesKey+161j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8027E0
; 

loc_91A11C:				; CODE XREF: _PnpOpenPropertiesKey+F3j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8027EF
; 

loc_91A129:				; CODE XREF: _PnpOpenPropertiesKey+101j
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8027FD
; END OF FUNCTION CHUNK	FOR _PnpOpenPropertiesKey
; 
; START	OF FUNCTION CHUNK FOR _RegRtlOpenKeyTransacted

loc_91A134:				; CODE XREF: _RegRtlOpenKeyTransacted+9Dj
		mov	ebx, [ebp+arg_4]
		mov	edx, ebx
		push	esi
		push	ecx
		mov	ecx, [ebp+arg_8]
		push	eax
		call	_NtOpenKeyTransactedEx_Stub@20 ; NtOpenKeyTransactedEx_Stub(x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C000007Ah
		jnz	loc_802972
		mov	ecx, [ebp+arg_8]
		lea	eax, [esp+38h+var_18]
		push	esi
		push	eax
		mov	edx, ebx
		call	_NtOpenKeyTransacted_Stub@16 ; NtOpenKeyTransacted_Stub(x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C000007Ah
		jnz	loc_802972
		mov	edi, 0C0190004h
		jmp	loc_802972
; END OF FUNCTION CHUNK	FOR _RegRtlOpenKeyTransacted
; 
; START	OF FUNCTION CHUNK FOR PiDmCacheDataDecode

loc_91A17A:				; CODE XREF: PiDmCacheDataDecode+49j
					; PiDmCacheDataDecode+5Ej
		mov	ebx, 0C00000E5h
		jmp	loc_802A14
; 

loc_91A184:				; CODE XREF: PiDmCacheDataDecode+37j
		mov	eax, [ebp+arg_8]
		mov	dword ptr [edx], 0Dh
		push	10h
		pop	edx
		mov	[eax], edx
		cmp	[ebp+arg_4], edx
		jb	loc_802ADB
		lea	esi, [ecx+4]
		movsd
		movsd
		movsd
		movsd
		jmp	loc_802A14
; END OF FUNCTION CHUNK	FOR PiDmCacheDataDecode
; 
; START	OF FUNCTION CHUNK FOR EtwpGetGuidSecurityDescriptor

loc_91A1A7:				; CODE XREF: EtwpGetGuidSecurityDescriptor+3Dj
		mov	ebx, 0C000009Ah
		jmp	loc_802CAE
; END OF FUNCTION CHUNK	FOR EtwpGetGuidSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR RtlQueryRegistryValueWithFallback

loc_91A1B1:				; CODE XREF: RtlQueryRegistryValueWithFallback+16j
		mov	eax, 0C000000Dh
		jmp	loc_802DB3
; 

loc_91A1BB:				; CODE XREF: RtlQueryRegistryValueWithFallback+49j
		mov	esi, 0C0000017h
		jmp	loc_802DAF
; 

loc_91A1C5:				; CODE XREF: RtlQueryRegistryValueWithFallback+58j
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	edi
		push	2
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	loc_802D9B
		jmp	loc_802D82
; END OF FUNCTION CHUNK	FOR RtlQueryRegistryValueWithFallback
; 
; START	OF FUNCTION CHUNK FOR _CmMapCmObjectTypeToPnpObjectType

loc_91A1ED:				; CODE XREF: _CmMapCmObjectTypeToPnpObjectType+1Fj
		sub	ecx, 1
		jz	short loc_91A1F5
		xor	eax, eax
		retn
; 

loc_91A1F5:				; CODE XREF: _CmMapCmObjectTypeToPnpObjectType+1173E4j
		push	6
		pop	eax
		retn
; END OF FUNCTION CHUNK	FOR _CmMapCmObjectTypeToPnpObjectType
; 
; START	OF FUNCTION CHUNK FOR CmpFindNameInListCellWithStatus

loc_91A1F9:				; CODE XREF: CmpFindNameInListCellWithStatus+84j
		push	edx
		movzx	edx, word ptr [eax]
		push	ebx
		call	CmpCompareTwoCompressedNames
		jmp	loc_80322B
; 

loc_91A208:				; CODE XREF: CmpFindNameInListCellWithStatus+1A7j
		mov	ecx, [ebp+arg_4]
		push	0
		movzx	eax, word ptr [ecx]
		mov	edx, [ecx+4]
		lea	ecx, [ebp+var_2C]
		push	eax
		call	_CmpCompareCompressedName@16 ; CmpCompareCompressedName(x,x,x,x)
		mov	esi, eax
		neg	esi
		jmp	loc_80316C
; END OF FUNCTION CHUNK	FOR CmpFindNameInListCellWithStatus
; 
; START	OF FUNCTION CHUNK FOR NtSetValueKey

loc_91A225:				; CODE XREF: NtSetValueKey+90j
		mov	edx, 20000h
		lea	ecx, [ebp+var_80]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		jmp	loc_803306
; 

loc_91A237:				; CODE XREF: NtSetValueKey+152j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	al, [ebp+var_95]
		test	al, al
		jnz	loc_8033C8
		mov	edi, 0C0000189h
		jmp	loc_8036DC
; 

loc_91A25B:				; CODE XREF: NtSetValueKey+6F2j
		lea	eax, [ebp+var_D8]
		push	eax
		lea	eax, [ebp+var_A0]
		push	eax
		push	[ebp+var_A4]
		push	ecx
		mov	edx, 20019h
		mov	ecx, [ebp+var_B8]
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_88], edi
		test	edi, edi
		js	loc_8036E2
		mov	ecx, [ebp+var_A0]
		call	_CmKeyBodyNeedsVirtualImage@4 ;	CmKeyBodyNeedsVirtualImage(x)
		test	al, al
		jz	loc_803968
		mov	bh, 1
		mov	[ebp+var_82], bh
		jmp	loc_803401
; 

loc_91A2B0:				; CODE XREF: NtSetValueKey+1A2j
		mov	ecx, [ebp+var_A0]
		test	ecx, ecx
		jz	loc_803418
		mov	eax, [ecx+8]
		mov	[ebp+var_C8], eax
		jmp	loc_803418
; 

loc_91A2CC:				; CODE XREF: NtSetValueKey+1D9j
		mov	esi, eax
		jmp	loc_80344F
; 

loc_91A2D3:				; CODE XREF: NtSetValueKey+230j
					; NtSetValueKey+238j
		mov	byte ptr [ecx],	0
		mov	edi, [ebp+var_8C]
		mov	bx, word ptr [ebp+var_90]
		jmp	loc_8034AE
; 

loc_91A2E8:				; CODE XREF: NtSetValueKey+25Cj
					; NtSetValueKey+264j
		mov	byte ptr [edx],	0
		mov	edi, [ebp+var_8C]
		mov	bx, word ptr [ebp+var_90]
		jmp	loc_8034DA
; 

loc_91A2FD:				; CODE XREF: NtSetValueKey+278j
					; NtSetValueKey+285j ...
		mov	edi, 0C000000Dh
		mov	[ebp+var_88], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	bl, [ebp+var_82]
		jmp	loc_8036E2
; 

loc_91A31A:				; CODE XREF: NtSetValueKey+572j
		mov	edi, 0C000009Ah
		mov	[ebp+var_88], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	bl, [ebp+var_82]
		jmp	loc_8036E2
; 

loc_91A337:				; CODE XREF: NtSetValueKey+2DBj
		mov	eax, [ebp+var_DC]
		jmp	loc_803565
; 

loc_91A342:				; CODE XREF: NtSetValueKey+36Dj
		mov	eax, 0FFFEh
		add	bx, ax
		mov	word ptr [ebp+var_90], bx
		jnz	loc_8035D2
		jmp	loc_8035E3
; 

loc_91A35C:				; CODE XREF: NtSetValueKey+416j
		lea	edi, [eax+3FFFFAFDh]
		neg	edi
		sbb	edi, edi
		and	edi, eax
		mov	bl, [ebp+var_82]
		jmp	loc_8036DC
; 

loc_91A373:				; CODE XREF: NtSetValueKey+42Aj
		lea	eax, [ebp+var_B4]
		push	eax
		lea	eax, [ebp+var_F0]
		push	eax
		push	2
		mov	dl, [ebp+var_83]
		lea	ecx, [ebp+var_A0]
		call	_CmKeyBodyReplicateToVirtual@20	; CmKeyBodyReplicateToVirtual(x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_88], edi
		mov	bl, [ebp+var_82]
		test	edi, edi
		js	loc_8036E2
		mov	ebx, [ebp+arg_C]
		mov	edi, [ebp+var_9C]
		jmp	loc_8036A0
; 

loc_91A3B8:				; CODE XREF: NtSetValueKey+437j
		mov	byte ptr [ebp+var_B4], 1
		jmp	loc_8036B4
; END OF FUNCTION CHUNK	FOR NtSetValueKey

;  S U B	R O U T	I N E 


sub_91A3C4	proc near		; DATA XREF: .text:006A54ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E0h], eax
		mov	eax, 1
		retn
sub_91A3C4	endp


;  S U B	R O U T	I N E 


sub_91A3D7	proc near		; DATA XREF: .text:006A54B0o
		mov	esp, [ebp-18h]
		xor	eax, eax
		mov	[ebp-90h], ax
		mov	[ebp-8Ch], eax
		mov	edi, [ebp-0E0h]
		mov	[ebp-88h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	bl, [ebp-82h]
		mov	bh, al
		mov	[ebp-84h], al
		jmp	loc_8036E8
sub_91A3D7	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetValueKey

loc_91A40F:				; CODE XREF: NtSetValueKey+4DEj
		lea	ecx, [ebp+var_90]
		push	ecx
		push	[ebp+var_C8]
		push	0
		push	edi
		lea	ecx, [ebp+var_80]
		push	ecx
		push	0Eh
		call	eax
		jmp	loc_803754
; END OF FUNCTION CHUNK	FOR NtSetValueKey
; 
; START	OF FUNCTION CHUNK FOR _PnpRegQueryValueIndirect

loc_91A42C:				; CODE XREF: _PnpRegQueryValueIndirect+90j
		mov	esi, edx
		xor	edi, edi
		mov	[ebp+arg_C], esi
		cmp	esi, 0FFFEh
		ja	loc_8043FA

loc_91A43F:				; CODE XREF: _PnpRegQueryValueIndirect+1160DBj
		test	edi, edi
		jz	short loc_91A44B
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_91A44B:				; CODE XREF: _PnpRegQueryValueIndirect+11608Dj
		push	52504E50h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8043FA
		mov	edx, [ebp+arg_8]
		lea	eax, [ebp+arg_14]
		mov	ecx, [ebp+arg_4]
		push	eax
		push	edi
		push	0
		mov	[ebp+arg_14], esi
		call	_RegRtlQueryValue
		cmp	eax, 0C0000023h
		jnz	short loc_91A49B
		cmp	[ebp+arg_14], esi
		jbe	short loc_91A496
		mov	esi, [ebp+arg_14]
		mov	[ebp+arg_C], esi
		cmp	esi, 0FFFEh
		jbe	short loc_91A43F
		jmp	loc_804475
; 

loc_91A496:				; CODE XREF: _PnpRegQueryValueIndirect+1160CDj
		mov	eax, 0C00000E5h

loc_91A49B:				; CODE XREF: _PnpRegQueryValueIndirect+1160C8j
		test	eax, eax
		jnz	loc_804475
		mov	edx, [ebp+arg_C]
		mov	esi, edi
		jmp	loc_80444A
; 

loc_91A4AD:				; CODE XREF: _PnpRegQueryValueIndirect+C5j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8043FA
; END OF FUNCTION CHUNK	FOR _PnpRegQueryValueIndirect
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceRegPropWorker

loc_91A4BA:				; CODE XREF: _CmGetDeviceRegPropWorker+5Ej
					; _CmGetDeviceRegPropWorker+80j
		mov	esi, 0C000000Dh
		jmp	loc_80463C
; 

loc_91A4C4:				; CODE XREF: _CmGetDeviceRegPropWorker+12Cj
		mov	esi, 0C0000230h
		jmp	loc_80462E
; 

loc_91A4CE:				; CODE XREF: _CmGetDeviceRegPropWorker+106j
		test	edi, edi
		jnz	short loc_91A4D5
		mov	edi, [ebp+var_68]

loc_91A4D5:				; CODE XREF: _CmGetDeviceRegPropWorker+116044j
		push	0
		push	ecx
		mov	ecx, [ebp+var_74]
		lea	eax, [ebp+var_88]
		push	edx
		push	[ebp+var_5C]
		mov	edx, [ebp+var_70]
		push	eax
		push	offset _DEVPKEY_Device_LocationPaths
		push	0
		push	edi
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_64]
		mov	dword ptr [eax], 7
		test	esi, esi
		jns	loc_80462E
		cmp	esi, 0C0000034h
		jnz	loc_80462E
		jmp	loc_804654
; 

loc_91A51C:				; CODE XREF: _CmGetDeviceRegPropWorker+2DEj
		mov	esi, 0C0000023h
		jmp	loc_80462E
; 

loc_91A526:				; CODE XREF: _CmGetDeviceRegPropWorker+27Ej
		mov	esi, 0C00000E5h
		jmp	loc_80462E
; 

loc_91A530:				; CODE XREF: _CmGetDeviceRegPropWorker+A2j
					; _CmGetDeviceRegPropWorker+ABj ...
		mov	esi, 0C0000230h
		jmp	loc_80463C
; 

loc_91A53A:				; CODE XREF: _CmGetDeviceRegPropWorker+66j
					; _CmGetDeviceRegPropWorker+6Ej ...
		mov	esi, 0C000000Dh
		jmp	loc_80462E
; END OF FUNCTION CHUNK	FOR _CmGetDeviceRegPropWorker
; 
; START	OF FUNCTION CHUNK FOR _PnpCtxGetCachedNodeBaseKey

loc_91A544:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+2Ej
					; DATA XREF: PAGE:off_804AF6o
		mov	eax, [esi+3Ch]	; case 0xB
		jmp	loc_8048FE
; 

loc_91A54C:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+2Ej
					; DATA XREF: PAGE:off_804AF6o
		lea	eax, [ebp+var_4] ; case	0x1
		push	eax
		push	2
		jmp	loc_804921
; 

loc_91A557:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+2Ej
					; DATA XREF: PAGE:off_804AF6o
		lea	eax, [ebp+var_4] ; case	0x2
		push	eax
		push	3
		jmp	loc_804921
; 

loc_91A562:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+28j
		mov	edi, 0C000000Dh	; default
		jmp	loc_80492F
; 

loc_91A56C:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+90j
					; _PnpCtxGetCachedNodeBaseKey+99j
		mov	edi, 0C000000Dh
		jmp	loc_804965
; 

loc_91A576:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+165j
		mov	edi, 0C00000E5h
		jmp	loc_80490D
; 

loc_91A580:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+AFj
					; DATA XREF: PAGE:off_804B32o
		push	4		; case 0xC
		pop	eax
		mov	ebx, offset ??_C@_1DO@IICHHBAO@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAC?$AAr?$AAi?$AAt?$AAi?$AAc?$AAa@NNGAKEGL@
		jmp	loc_804984
; 

loc_91A58D:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+A9j
		mov	edi, 0C000000Dh	; default
		mov	eax, ebx
		jmp	loc_804984
; 

loc_91A599:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+109j
					; DATA XREF: PAGE:off_804B5Eo
		mov	[esi+3Ch], ecx	; case 0xC
		jmp	loc_8049D9
; 

loc_91A5A1:				; CODE XREF: _PnpCtxGetCachedNodeBaseKey+103j
		mov	edi, 0C000000Dh	; default
		jmp	loc_8049D9
; END OF FUNCTION CHUNK	FOR _PnpCtxGetCachedNodeBaseKey
; 
; START	OF FUNCTION CHUNK FOR _CmOpenDeviceRegKey

loc_91A5AB:				; CODE XREF: _CmOpenDeviceRegKey+30j
		mov	edi, 0C0000017h
		jmp	loc_804C8F
; 

loc_91A5B5:				; CODE XREF: _CmOpenDeviceRegKey+78j
		cmp	eax, 0C0000120h
		jz	short loc_91A5CE
		test	eax, eax
		jz	loc_804C52
		mov	edi, 0C00000E5h
		jmp	loc_804C87
; 

loc_91A5CE:				; CODE XREF: _CmOpenDeviceRegKey+1159E8j
					; _CmOpenDeviceRegKey+115A26j
		mov	edi, [esi]
		jmp	loc_804C7C
; 

loc_91A5D5:				; CODE XREF: _CmOpenDeviceRegKey+A4j
		push	esi
		push	2
		push	0Bh
		push	1
		push	[esp+40h+var_20]
		mov	[esi], edi
		push	[esp+44h+var_1C]
		call	ebx ; ??_C@_1DO@IICHHBAO@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAC?$AAr?$AAi?$AAt?$AAi?$AAc?$AAa@NNGAKEGL@
		cmp	eax, 0C0000002h
		jz	loc_804C7C
		cmp	eax, 0C0000120h
		jz	short loc_91A5CE
		test	eax, eax
		jz	loc_804C7C
		mov	edi, 0C00000E5h
		jmp	loc_804C7C
; END OF FUNCTION CHUNK	FOR _CmOpenDeviceRegKey
; 
; START	OF FUNCTION CHUNK FOR PiPnpRtlCmActionCallback

loc_91A60C:				; CODE XREF: PiPnpRtlCmActionCallback+1D1j
		sub	eax, 1
		jnz	loc_805051
		mov	eax, [esi+0Ch]
		lea	edx, [esp+48h+var_39]
		mov	ecx, eax
		mov	[esp+48h+var_20], eax
		call	__CmIsInstallerClassRegPropWritable@8 ;	_CmIsInstallerClassRegPropWritable(x,x)
		test	eax, eax
		js	short loc_91A63B
		cmp	byte ptr [esp+48h+var_39], bl
		jnz	short loc_91A63B

loc_91A631:				; CODE XREF: PiPnpRtlCmActionCallback+1ECj
		mov	edi, 0C0000022h
		jmp	loc_804FEC
; 

loc_91A63B:				; CODE XREF: PiPnpRtlCmActionCallback+11587Bj
					; PiPnpRtlCmActionCallback+115881j
		mov	edx, [esp+48h+var_34]
		lea	eax, [esp+48h+var_39+1]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	edi
		lea	eax, [esp+54h+var_2C]
		push	eax
		push	[esp+58h+var_20]
		push	dword ptr [esi+8]
		call	__CmGetInstallerClassRegProp@32	; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		jmp	loc_804FBF
; 

loc_91A662:				; CODE XREF: PiPnpRtlCmActionCallback+3A5j
		mov	ecx, [ebp+arg_8]
		push	eax
		call	_CmMapCmObjectTypeToPnpObjectType
		mov	edx, [esp+4Ch+var_34]
		mov	ecx, [esp+4Ch+var_24]
		push	eax
		call	_PiPnpRtlCacheObjectBaseKey@16 ; PiPnpRtlCacheObjectBaseKey(x,x,x,x)
		test	edi, edi
		jmp	loc_80500E
; 

loc_91A680:				; CODE XREF: PiPnpRtlCmActionCallback+3BFj
		cmp	dword ptr [esi+10h], 1
		mov	[esp+48h+var_39+1], ebx
		jnz	short loc_91A69F
		cmp	dword ptr [esi+18h], 4Eh
		jnz	short loc_91A69F
		mov	ecx, [esi+14h]
		call	_PnpIsValidGuidString@4	; PnpIsValidGuidString(x)
		test	al, al
		jz	short loc_91A69F
		mov	ebx, [esi+14h]

loc_91A69F:				; CODE XREF: PiPnpRtlCmActionCallback+1158DAj
					; PiPnpRtlCmActionCallback+1158E0j ...
		mov	ecx, [esp+48h+var_34]
		lea	eax, [esp+48h+var_39+1]
		push	eax
		mov	edx, ebx
		call	_PiPnpRtlGatherInstallerClassChangeInfo@12 ; PiPnpRtlGatherInstallerClassChangeInfo(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_91AB22
		mov	ecx, [esp+48h+var_39+1]
		mov	[esi+4], ecx
		jmp	loc_804E92
; 

loc_91A6C5:				; CODE XREF: PiPnpRtlCmActionCallback+3F5j
		mov	esi, [esi+4]
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_91A6F1
		mov	edx, [esi+4]
		test	edx, edx
		jz	short loc_91A6DF
		push	ebx
		push	eax
		push	5
		pop	ecx
		call	_PiDmListRemoveObject@16 ; PiDmListRemoveObject(x,x,x,x)

loc_91A6DF:				; CODE XREF: PiPnpRtlCmActionCallback+115925j
		mov	edx, [esi+8]
		test	edx, edx
		jz	short loc_91A6F1
		push	ebx
		push	dword ptr [esi]
		push	5
		pop	ecx
		call	_PiDmListAddObject@16 ;	PiDmListAddObject(x,x,x,x)

loc_91A6F1:				; CODE XREF: PiPnpRtlCmActionCallback+11591Ej
					; PiPnpRtlCmActionCallback+115936j
		mov	ecx, esi
		call	_PiPnpRtlFreeInstallerClassChangeInfo@4	; PiPnpRtlFreeInstallerClassChangeInfo(x)
		jmp	loc_804EC7
; 

loc_91A6FD:				; CODE XREF: PiPnpRtlCmActionCallback+411j
		push	dword ptr [esi+18h]
		mov	edx, [esi+8]
		push	dword ptr [esi+14h]
		mov	ecx, [ebp+arg_8]
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		call	_PiDmGetCmObjectListFromCache@24 ; PiDmGetCmObjectListFromCache(x,x,x,x,x,x)
		jmp	loc_804F0D
; 

loc_91A719:				; CODE XREF: PiPnpRtlCmActionCallback+164j
		xor	edi, edi
		jmp	loc_804E92
; 

loc_91A720:				; CODE XREF: PiPnpRtlCmActionCallback+52j
		cmp	[ebp+arg_10], 1
		jnz	short loc_91A786
		cmp	[ebp+arg_8], 1
		jnz	short loc_91A740
		mov	ecx, [esp+48h+var_34]
		lea	edx, [esp+48h+var_39+1]
		and	[esp+48h+var_39+1], 0
		call	_PiPnpRtlGatherDeviceDeleteInfo@8 ; PiPnpRtlGatherDeviceDeleteInfo(x,x)
		jmp	short loc_91A770
; 

loc_91A740:				; CODE XREF: PiPnpRtlCmActionCallback+11597Cj
		cmp	[ebp+arg_8], 3
		jnz	loc_804E92
		mov	ecx, [esp+48h+var_34]
		lea	edx, [esp+48h+var_39+1]
		and	[esp+48h+var_39+1], 0
		call	_PiPnpRtlGatherInterfaceDeleteInfo@8 ; PiPnpRtlGatherInterfaceDeleteInfo(x,x)
		jmp	short loc_91A770
; 

loc_91A75E:				; CODE XREF: PiPnpRtlCmActionCallback+115D6Fj
		mov	ecx, [esi+0Ch]
		lea	eax, [esp+48h+var_39+1]
		and	[esp+48h+var_39+1], 0
		push	eax
		call	_PiPnpRtlGatherPanelRemoveInfo@12 ; PiPnpRtlGatherPanelRemoveInfo(x,x,x)

loc_91A770:				; CODE XREF: PiPnpRtlCmActionCallback+115990j
					; PiPnpRtlCmActionCallback+1159AEj ...
		mov	edi, eax
		test	edi, edi
		js	loc_91AB22
		mov	eax, [esp+48h+var_39+1]
		mov	[esi+4], eax
		jmp	loc_804E92
; 

loc_91A786:				; CODE XREF: PiPnpRtlCmActionCallback+115976j
		xor	ebx, ebx
		cmp	[ebp+arg_8], 1
		jnz	loc_91A8A3
		mov	ecx, [esi+4]
		lea	edi, [esp+48h+Source2]
		xor	eax, eax
		mov	[esp+48h+var_39+1], ecx
		stosd
		mov	[esp+48h+var_2C], ebx
		mov	[esp+48h+var_28], ebx
		stosd
		stosd
		stosd
		lea	eax, [ecx+4]
		push	eax
		mov	[esp+4Ch+var_20], eax
		lea	eax, [esp+4Ch+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+48h+Source2]
		push	eax
		lea	eax, [esp+4Ch+var_2C]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		jns	short loc_91A7DA
		xor	eax, eax
		lea	edi, [esp+48h+Source2]
		stosd
		stosd
		stosd
		stosd

loc_91A7DA:				; CODE XREF: PiPnpRtlCmActionCallback+115A20j
		cmp	[esi], ebx
		jl	short loc_91A82C
		test	byte_6CD8BA, 8
		jz	short loc_91A835
		lea	ecx, [esp+48h+Source2] ; Source2
		call	_PnpIsNullGuid@4 ; PnpIsNullGuid(x)
		mov	edx, offset _KMPnPEvt_DeviceDelete_Success
		jmp	short loc_91A805
; 

loc_91A7F7:				; CODE XREF: PiPnpRtlCmActionCallback+115A85j
		lea	ecx, [esp+48h+Source2] ; Source2
		call	_PnpIsNullGuid@4 ; PnpIsNullGuid(x)
		mov	edx, offset _KMPnPEvt_DeviceDelete_Failure

loc_91A805:				; CODE XREF: PiPnpRtlCmActionCallback+115A47j
		push	dword ptr [esi]
		mov	edi, [esp+4Ch+var_34]
		xor	ecx, ecx
		test	al, al
		mov	eax, [esp+4Ch+var_39+1]
		setz	cl
		neg	ecx
		push	dword ptr [eax]
		lea	eax, [esp+50h+Source2]
		sbb	ecx, ecx
		and	ecx, eax
		push	ecx
		push	edi
		push	ecx
		call	_McTemplateK0zjdd_EtwWriteTransfer@28 ;	McTemplateK0zjdd_EtwWriteTransfer(x,x,x,x,x,x,x)
		jmp	short loc_91A839
; 

loc_91A82C:				; CODE XREF: PiPnpRtlCmActionCallback+115A2Ej
		test	byte_6CD8BA, 10h
		jnz	short loc_91A7F7

loc_91A835:				; CODE XREF: PiPnpRtlCmActionCallback+115A37j
		mov	edi, [esp+48h+var_34]

loc_91A839:				; CODE XREF: PiPnpRtlCmActionCallback+115A7Cj
		cmp	[esi], ebx
		jl	short loc_91A895
		mov	esi, [esp+48h+var_20]
		cmp	[esi], bx
		jz	short loc_91A876
		lea	eax, [esp+48h+var_20]
		mov	[esp+48h+var_20], ebx
		push	eax
		mov	[esp+4Ch+var_1C], ebx
		call	KeQuerySystemTime
		mov	ecx, [esp+48h+var_24]
		lea	eax, [esp+48h+var_20]
		push	ebx
		push	8
		push	eax
		push	10h
		push	offset _DEVPKEY_DeviceClass_LastDeleteDate
		push	ebx
		push	ebx
		push	2
		mov	edx, esi
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_91A876:				; CODE XREF: PiPnpRtlCmActionCallback+115A96j
		mov	ecx, edi
		call	__CmIsRootEnumeratedDevice@4 ; _CmIsRootEnumeratedDevice(x)
		test	al, al
		jz	short loc_91A895
		push	edi
		lea	eax, [esp+4Ch+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	ecx, [esp+48h+var_2C]
		call	_IopMarkRootEnumeratedDeviceObjectUninstalled@4	; IopMarkRootEnumeratedDeviceObjectUninstalled(x)

loc_91A895:				; CODE XREF: PiPnpRtlCmActionCallback+115A8Dj
					; PiPnpRtlCmActionCallback+115AD1j
		mov	ecx, [esp+48h+var_39+1]
		call	_PiPnpRtlFreeDeviceDeleteInfo@4	; PiPnpRtlFreeDeviceDeleteInfo(x)
		jmp	loc_804EC7
; 

loc_91A8A3:				; CODE XREF: PiPnpRtlCmActionCallback+1159DEj
		cmp	[ebp+arg_8], 3
		jnz	loc_804EC7
		mov	edi, [esi+4]
		cmp	[esi], ebx
		jl	short loc_91A8EE
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_91A8EE
		mov	edx, [edi+4]
		test	edx, edx
		jz	short loc_91A8CA
		push	ebx
		push	eax
		xor	ecx, ecx
		call	_PiDmListRemoveObject@16 ; PiDmListRemoveObject(x,x,x,x)

loc_91A8CA:				; CODE XREF: PiPnpRtlCmActionCallback+115B11j
		mov	edx, [edi+8]
		test	edx, edx
		jz	short loc_91A8DC
		push	ebx
		push	dword ptr [edi]
		xor	ecx, ecx
		inc	ecx
		call	_PiDmListRemoveObject@16 ; PiDmListRemoveObject(x,x,x,x)

loc_91A8DC:				; CODE XREF: PiPnpRtlCmActionCallback+115B21j
		mov	edx, [edi+0Ch]
		test	edx, edx
		jz	short loc_91A8EE
		push	ebx
		push	dword ptr [edi]
		push	2
		pop	ecx
		call	_PiDmListRemoveObject@16 ; PiDmListRemoveObject(x,x,x,x)

loc_91A8EE:				; CODE XREF: PiPnpRtlCmActionCallback+115B04j
					; PiPnpRtlCmActionCallback+115B0Aj ...
		mov	ecx, edi
		call	_PiPnpRtlFreeInterfaceDeleteInfo@4 ; PiPnpRtlFreeInterfaceDeleteInfo(x)
		jmp	loc_804EC7
; 

loc_91A8FA:				; CODE XREF: PiPnpRtlCmActionCallback+383j
		mov	ecx, [ebp+arg_8]
		mov	[esp+48h+var_39+1], eax
		call	_CmMapCmObjectTypeToPnpObjectType
		mov	edi, eax
		lea	eax, [esp+48h+var_39+1]
		push	eax
		mov	ecx, edi
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		test	eax, eax
		js	loc_805147
		mov	esi, [esp+48h+var_39+1]
		mov	ecx, esi
		call	_KsepCacheLock@4 ; KsepCacheLock(x)
		mov	ebx, [esi+18h]
		mov	ecx, esi
		mov	eax, ebx
		or	eax, 1
		mov	[esi+18h], eax
		call	_PiDmObjectReleaseLock@4 ; PiDmObjectReleaseLock(x)
		test	bl, 1
		jz	short loc_91A94A
		mov	edx, [esp+48h+var_34]
		push	ecx
		mov	ecx, edi
		call	PiDmRemoveCacheReferenceForObject

loc_91A94A:				; CODE XREF: PiPnpRtlCmActionCallback+115B8Ej
		mov	ecx, esi
		call	PiDmObjectRelease
		jmp	loc_805147
; 

loc_91A956:				; CODE XREF: PiPnpRtlCmActionCallback+351j
		mov	edx, [esp+48h+var_34]
		push	edi
		push	ecx
		call	_PiDmListAddList@16 ; PiDmListAddList(x,x,x,x)
		jmp	loc_805105
; 

loc_91A966:				; CODE XREF: PiPnpRtlCmActionCallback+2F6j
		cmp	[ebp+arg_8], 6
		jnz	loc_804EC7
		cmp	[esi], ebx
		jl	loc_804EC7
		lea	eax, [esp+48h+var_30]
		mov	[esp+48h+var_30], ebx
		push	eax
		push	6
		mov	edi, ebx
		pop	ecx
		mov	[esp+4Ch+var_39+1], edi
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		test	eax, eax
		js	short loc_91A9BD
		mov	edx, [esi+0Ch]
		lea	eax, [esp+48h+var_39+1]
		xor	ecx, ecx
		push	eax
		inc	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	edi, [esp+48h+var_39+1]
		test	eax, eax
		js	short loc_91A9BD
		mov	edx, [esp+48h+var_30]
		lea	eax, [esp+48h+var_39]
		push	eax
		push	edi
		push	6
		pop	ecx
		call	_PiDmListAddObject@16 ;	PiDmListAddObject(x,x,x,x)

loc_91A9BD:				; CODE XREF: PiPnpRtlCmActionCallback+115BE3j
					; PiPnpRtlCmActionCallback+115BFBj
		cmp	[esp+48h+var_30], ebx
		jz	loc_805114
		mov	ecx, [esp+48h+var_30]
		jmp	loc_80510F
; 

loc_91A9D0:				; CODE XREF: PiPnpRtlCmActionCallback+135j
		cmp	[ebp+arg_10], 1
		jnz	loc_804E92
		cmp	[ebp+arg_8], 5
		jnz	short loc_91AA5A
		test	dword ptr [esi+14h], 10000h
		jnz	loc_804E92
		xor	eax, eax
		lea	edi, [esp+48h+Source2]
		stosd
		xor	ebx, ebx
		mov	[esp+48h+var_39+1], ebx
		stosd
		stosd
		stosd
		lea	eax, [esp+48h+var_39+1]
		push	eax
		push	5
		pop	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		test	eax, eax
		js	loc_804F18
		mov	eax, [esp+48h+var_24]
		mov	edi, [esp+48h+var_39+1]
		mov	[esp+48h+Source2], eax
		mov	eax, [esi+0Ch]
		mov	[esp+48h+var_10], eax
		mov	eax, [esi+10h]
		mov	[esp+48h+var_C], eax

loc_91AA2C:				; CODE XREF: PiPnpRtlCmActionCallback+115CA8j
		lea	eax, [esp+48h+Source2]
		mov	[esp+48h+var_8], bl
		push	eax
		push	offset _PiPnpRtlEnumDevicesCallback@12 ; PiPnpRtlEnumDevicesCallback(x,x,x)
		push	4
		mov	edx, edi
		pop	ecx
		call	PiDmListEnumObjectsWithCallback
		mov	esi, eax
		mov	[esp+48h+var_39+1], esi
		test	esi, esi
		js	loc_91AAD8
		cmp	[esp+48h+var_8], bl
		jnz	short loc_91AA2C
		jmp	short loc_91AAD8
; 

loc_91AA5A:				; CODE XREF: PiPnpRtlCmActionCallback+115C30j
		cmp	[ebp+arg_8], 6
		jnz	loc_804E92
		test	dword ptr [esi+14h], 10000h
		jnz	loc_804E92
		xor	eax, eax
		lea	edi, [esp+48h+Source2]
		stosd
		xor	ebx, ebx
		mov	[esp+48h+var_39+1], ebx
		stosd
		stosd
		stosd
		lea	eax, [esp+48h+var_39+1]
		push	eax
		push	6
		pop	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		test	eax, eax
		js	loc_804F18
		mov	eax, [esp+48h+var_24]
		mov	edi, [esp+48h+var_39+1]
		mov	[esp+48h+Source2], eax
		mov	eax, [esi+0Ch]
		mov	[esp+48h+var_10], eax
		mov	eax, [esi+10h]
		mov	[esp+48h+var_C], eax

loc_91AAB0:				; CODE XREF: PiPnpRtlCmActionCallback+115D28j
		lea	eax, [esp+48h+Source2]
		mov	[esp+48h+var_8], bl
		push	eax
		push	offset _PiPnpRtlEnumDevicesCallback@12 ; PiPnpRtlEnumDevicesCallback(x,x,x)
		push	6
		mov	edx, edi
		pop	ecx
		call	PiDmListEnumObjectsWithCallback
		mov	esi, eax
		mov	[esp+48h+var_39+1], esi
		test	esi, esi
		js	short loc_91AAD8
		cmp	[esp+48h+var_8], bl
		jnz	short loc_91AAB0

loc_91AAD8:				; CODE XREF: PiPnpRtlCmActionCallback+115C9Ej
					; PiPnpRtlCmActionCallback+115CAAj ...
		mov	esi, [esp+48h+var_2C]
		test	edi, edi
		jz	short loc_91AAE7
		mov	ecx, edi
		call	PiDmObjectRelease

loc_91AAE7:				; CODE XREF: PiPnpRtlCmActionCallback+115D30j
		mov	eax, [esp+48h+var_39+1]
		jmp	loc_804F18
; 

loc_91AAF0:				; CODE XREF: PiPnpRtlCmActionCallback+12Cj
		cmp	[ebp+arg_10], 1
		jnz	short loc_91AB29
		cmp	[ebp+arg_8], 5
		jnz	short loc_91AB13
		mov	ecx, [esi+0Ch]
		lea	eax, [esp+48h+var_39+1]
		and	[esp+48h+var_39+1], 0
		push	eax
		call	_PiPnpRtlGatherContainerRemoveInfo@12 ;	PiPnpRtlGatherContainerRemoveInfo(x,x,x)
		jmp	loc_91A770
; 

loc_91AB13:				; CODE XREF: PiPnpRtlCmActionCallback+115D4Cj
		cmp	[ebp+arg_8], 6
		jnz	loc_804E92
		jmp	loc_91A75E
; 

loc_91AB22:				; CODE XREF: PiPnpRtlCmActionCallback+115905j
					; PiPnpRtlCmActionCallback+1159C6j
		mov	[esi], edi
		jmp	loc_804F1A
; 

loc_91AB29:				; CODE XREF: PiPnpRtlCmActionCallback+115D46j
		xor	ebx, ebx
		cmp	[ebp+arg_8], 5
		jnz	short loc_91AB78
		cmp	[esi], ebx
		jl	loc_804EC7
		mov	esi, [esi+4]
		mov	byte ptr [esp+48h+var_39], bl
		mov	edx, [esi+4]
		test	edx, edx
		jz	short loc_91AB6C
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_91AB6C
		lea	ecx, [esp+48h+var_39]
		push	ecx
		push	eax
		push	4
		pop	ecx
		call	_PiDmListRemoveObject@16 ; PiDmListRemoveObject(x,x,x,x)
		cmp	byte ptr [esp+48h+var_39], bl
		jz	short loc_91AB6C
		push	dword ptr [esi]
		mov	edx, [esi+4]
		push	ecx
		call	_PiDmListRemoveList@16 ; PiDmListRemoveList(x,x,x,x)

loc_91AB6C:				; CODE XREF: PiPnpRtlCmActionCallback+115D97j
					; PiPnpRtlCmActionCallback+115D9Dj ...
		mov	ecx, esi
		call	_PiPnpRtlFreeContainerRemoveInfo@4 ; PiPnpRtlFreeContainerRemoveInfo(x)
		jmp	loc_804EC7
; 

loc_91AB78:				; CODE XREF: PiPnpRtlCmActionCallback+115D81j
		cmp	[ebp+arg_8], 6
		jnz	loc_804EC7
		cmp	[esi], ebx
		jl	loc_804EC7
		mov	esi, [esi+4]
		mov	edx, [esi+4]
		test	edx, edx
		jz	short loc_91ABA8
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_91ABA8
		lea	ecx, [esp+48h+var_39]
		push	ecx
		push	eax
		push	6
		pop	ecx
		call	_PiDmListRemoveObject@16 ; PiDmListRemoveObject(x,x,x,x)

loc_91ABA8:				; CODE XREF: PiPnpRtlCmActionCallback+115DE4j
					; PiPnpRtlCmActionCallback+115DEAj
		mov	ecx, esi
		call	_PiPnpRtlFreeContainerRemoveInfo@4 ; PiPnpRtlFreeContainerRemoveInfo(x)
		jmp	loc_804EC7
; END OF FUNCTION CHUNK	FOR PiPnpRtlCmActionCallback
; 
; START	OF FUNCTION CHUNK FOR CmCallbackGetKeyObjectIDEx

loc_91ABB4:				; CODE XREF: CmCallbackGetKeyObjectIDEx+73j
		mov	[edx], ebx
		jmp	loc_805349
; 

loc_91ABBB:				; CODE XREF: CmCallbackGetKeyObjectIDEx+48j
					; CmCallbackGetKeyObjectIDEx+54j ...
		mov	esi, 0C000000Dh
		jmp	loc_8053BC
; END OF FUNCTION CHUNK	FOR CmCallbackGetKeyObjectIDEx
; 

loc_91ABC5:				; CODE XREF: PAGE:0080540Dj
		mov	bl, 1
		jmp	loc_805415
; 

loc_91ABCC:				; CODE XREF: PAGE:00805487j
		test	eax, eax
		jz	loc_80548D
		jmp	loc_8055BA
; 

loc_91ABD9:				; CODE XREF: PAGE:00805634j
		mov	esi, [edx+8]
		mov	[esp+24h], esi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	edx, edx
		mov	[esi+1Ch], eax
		mov	esi, [ebx]
		lea	ecx, [esi+18h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+1Ch], eax
		mov	eax, [ebx]
		mov	esi, [esp+24h]
		jmp	loc_80550B
; 

loc_91AC18:				; CODE XREF: PAGE:0080551Fj
		mov	ecx, esi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		jmp	loc_805525
; 

loc_91AC24:				; DATA XREF: .text:006A54D0o
		mov	esi, [ebp-38h]
		jmp	sub_8056C6
; 
; START	OF FUNCTION CHUNK FOR CmpDereferenceKeyControlBlockWithLock

loc_91AC2C:				; CODE XREF: CmpDereferenceKeyControlBlockWithLock+24j
		test	dword ptr [esi+68h], 40000h
		jz	loc_8057B6
		cmp	byte ptr [ecx+6DCh], 1
		jnz	loc_8057B6
		call	CmpDoQueueLateUnloadWorker
		mov	eax, [esp+10h+var_4]
		jmp	loc_805740
; 

loc_91AC54:				; CODE XREF: CmpDereferenceKeyControlBlockWithLock+35j
		mov	edi, [esi+10h]
		mov	edx, eax
		mov	ecx, esi
		call	CmpCleanUpKcbCacheWithLock
		mov	eax, large fs:124h
		or	dword ptr [edi+64h], 80h
		mov	[edi+9B0h], eax
		xor	eax, eax
		inc	eax
		lock xadd [edi+9DCh], eax
		inc	eax
		dec	eax
		and	eax, 7Fh
		mov	dword ptr [edi+eax*4+9E0h], 1Fh
		test	byte ptr [edi+64h], 20h
		jnz	loc_8057B6
		lock xadd [edi+9D8h], ebx
		dec	ebx
		jnz	loc_8057B6
		mov	ecx, edi
		call	_CmpDeleteHive@4 ; CmpDeleteHive(x)
		jmp	loc_8057B6
; 

loc_91ACB3:				; CODE XREF: CmpDereferenceKeyControlBlockWithLock+9Aj
		test	dword ptr [esi+4], 80000h
		jz	loc_8057B6
		mov	ecx, esi
		call	CmpFreeKeyControlBlock
		jmp	loc_8057B6
; END OF FUNCTION CHUNK	FOR CmpDereferenceKeyControlBlockWithLock
; 
; START	OF FUNCTION CHUNK FOR CmpCleanUpKcbCacheWithLock

loc_91ACCC:				; CODE XREF: CmpCleanUpKcbCacheWithLock+2Cj
		mov	dl, 17h
		call	_CmpEtwDumpKcb@8 ; CmpEtwDumpKcb(x,x)
		mov	edx, [esp+18h+var_C]
		jmp	loc_805802
; 

loc_91ACDC:				; CODE XREF: CmpCleanUpKcbCacheWithLock+F5j
		mov	eax, [esi+3Ch]
		push	6E494D43h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8058CB
; END OF FUNCTION CHUNK	FOR CmpCleanUpKcbCacheWithLock
; 
; START	OF FUNCTION CHUNK FOR CmpLockHashEntryExclusive

loc_91ACEF:				; CODE XREF: CmpLockHashEntryExclusive+35j
		push	[ebp+arg_0]
		push	0Ch
		push	edi
		push	17h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_91ACFF:				; CODE XREF: CmpGetMappingHiveForString+97j
					; CmpGetMappingHiveForString+CFj
		inc	edi
		add	ecx, 10h
		mov	[ebp+var_C], ecx
		cmp	edi, eax
		jnb	loc_805C28
		mov	edx, [ebp+var_4]
		jmp	loc_805BE8
; END OF FUNCTION CHUNK	FOR CmpLockHashEntryExclusive
; 
; START	OF FUNCTION CHUNK FOR CmpCompareUnicodeString

loc_91AD16:				; CODE XREF: CmpCompareUnicodeString+82j
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	edx, [ebp+var_C]
		movzx	ecx, ax
		jmp	loc_805CBE
; 

loc_91AD26:				; CODE XREF: CmpCompareUnicodeString+95j
		cmp	dx, 61h
		jb	loc_805CCB
		cmp	dx, 7Ah
		jbe	short loc_91AD48
		mov	ecx, edx
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, [ebp+var_4]
		movzx	edx, ax
		jmp	loc_805CCB
; 

loc_91AD48:				; CODE XREF: CmpCompareUnicodeString+115104j
		add	edx, 0FFE0h
		jmp	loc_805CCB
; END OF FUNCTION CHUNK	FOR CmpCompareUnicodeString
; 
; START	OF FUNCTION CHUNK FOR CmpVEExecuteParseLogic

loc_91AD53:				; CODE XREF: CmpVEExecuteParseLogic+58j
		mov	ecx, ds:0FFFFFFF8h[ecx*4]
		jmp	loc_805E42
; 

loc_91AD5F:				; CODE XREF: CmpVEExecuteParseLogic+CEj
		lea	eax, [esp+38h+var_10]
		push	eax
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	[esp+38h+var_29], 1
		lea	eax, [esp+38h+var_10]
		jmp	loc_805EB4
; 

loc_91AD84:				; CODE XREF: CmpVEExecuteParseLogic+11Fj
		lea	eax, [esp+38h+var_10]
		push	eax
		call	SeReleaseSubjectContext
		mov	al, [esp+38h+var_2A]
		jmp	loc_805F05
; 

loc_91AD97:				; CODE XREF: CmpVEExecuteParseLogic+155j
		push	[ebp+arg_4]
		push	ebx
		call	_CmpVEExecuteVirtualStoreParseLogic@16 ; CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)
		jmp	loc_805E6B
; END OF FUNCTION CHUNK	FOR CmpVEExecuteParseLogic
; 
; START	OF FUNCTION CHUNK FOR CmpUnblockHiveWrites

loc_91ADA5:				; CODE XREF: CmpUnblockHiveWrites+Ej
		xor	ecx, ecx
		call	CmpGetNextHive
		or	edi, 0FFFFFFFFh

loc_91ADAF:				; CODE XREF: CmpUnblockHiveWrites+114CB6j
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_91ADC9
		mov	eax, [esi+980h]
		and	eax, ebx
		cmp	eax, ebx
		jz	short loc_91ADC9
		cmp	esi, ds:_CmpMasterHive
		jnz	short loc_91ADF8

loc_91ADC9:				; CODE XREF: CmpUnblockHiveWrites+114C61j
					; CmpUnblockHiveWrites+114C6Dj
		mov	eax, edi
		lea	ecx, [esi+24h]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_91ADE0
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi+24h]

loc_91ADE0:				; CODE XREF: CmpUnblockHiveWrites+114C84j
		call	KeAbPostRelease
		mov	eax, edi
		lock xadd [esi+9D8h], eax
		jnz	short loc_91ADF8
		mov	ecx, esi
		call	_CmpDeleteHive@4 ; CmpDeleteHive(x)

loc_91ADF8:				; CODE XREF: CmpUnblockHiveWrites+114C75j
					; CmpUnblockHiveWrites+114C9Dj
		cmp	esi, [ebp+arg_0]
		jz	loc_80617F
		mov	ecx, esi
		call	CmpGetNextHive
		jmp	short loc_91ADAF
; END OF FUNCTION CHUNK	FOR CmpUnblockHiveWrites
; 
; START	OF FUNCTION CHUNK FOR CmpBlockHiveWrites

loc_91AE0A:				; CODE XREF: CmpBlockHiveWrites+43j
		mov	eax, [esi+980h]
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_8061ED
		cmp	esi, ds:_CmpMasterHive
		jnz	loc_806202
		jmp	loc_8061ED
; END OF FUNCTION CHUNK	FOR CmpBlockHiveWrites
; 
; START	OF FUNCTION CHUNK FOR CmpGetNextHive

loc_91AE2B:				; CODE XREF: CmpGetNextHive+3Ej
					; CmpGetNextHive+8Dj
		mov	ebx, [ebx]
		xor	edi, edi
		cmp	ebx, offset _CmpHiveListHead
		jnz	loc_806260
		jmp	loc_80628A
; END OF FUNCTION CHUNK	FOR CmpGetNextHive
; 
; START	OF FUNCTION CHUNK FOR CmpLockHashEntrySharedByKcb

loc_91AE40:				; CODE XREF: CmpLockHashEntrySharedByKcb+2Cj
		push	edi
		push	7
		push	esi
		push	17h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_91AE4E:				; CODE XREF: CmpBlockTwoHiveWrites+53j
		mov	edi, [edi]
		xor	esi, esi
		cmp	edi, offset _CmpHiveListHead
		jnz	loc_8063A0
		jmp	loc_8063B9
; END OF FUNCTION CHUNK	FOR CmpLockHashEntrySharedByKcb
; 
; START	OF FUNCTION CHUNK FOR CmpBlockTwoHiveWrites

loc_91AE63:				; CODE XREF: CmpBlockTwoHiveWrites+7Fj
		mov	ebx, offset _CmpHiveListHead
		jmp	loc_8063EB
; 

loc_91AE6D:				; CODE XREF: CmpBlockTwoHiveWrites+B4j
		mov	ebx, [ebx]
		xor	edi, edi
		cmp	ebx, offset _CmpHiveListHead
		jnz	loc_806401
		jmp	loc_80641A
; 

loc_91AE82:				; CODE XREF: CmpBlockTwoHiveWrites+13Ej
					; CmpBlockTwoHiveWrites+15Cj
		cmp	cl, 1
		jnz	short loc_91AEBC
		or	esi, 0FFFFFFFFh
		lea	edi, [ebx+24h]
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_91AEA0
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_91AEA0:				; CODE XREF: CmpBlockTwoHiveWrites+114B37j
		mov	ecx, edi
		call	KeAbPostRelease
		cmp	[ebp+arg_0], 0
		jz	short loc_91AEFB
		lock xadd [ebx+9D8h], esi
		dec	esi
		jnz	short loc_91AEFB
		mov	ecx, ebx
		jmp	short loc_91AEF6
; 

loc_91AEBC:				; CODE XREF: CmpBlockTwoHiveWrites+114B25j
		cmp	al, 1
		jnz	short loc_91AEFB
		or	esi, 0FFFFFFFFh
		add	edi, 24h
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_91AED9
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_91AED9:				; CODE XREF: CmpBlockTwoHiveWrites+114B70j
		mov	ecx, edi
		call	KeAbPostRelease
		cmp	[ebp+arg_0], 0
		jz	short loc_91AEFB
		mov	edx, [ebp+var_8]
		lock xadd [edx+9D8h], esi
		dec	esi
		jnz	short loc_91AEFB
		mov	ecx, edx

loc_91AEF6:				; CODE XREF: CmpBlockTwoHiveWrites+114B5Aj
		call	_CmpDeleteHive@4 ; CmpDeleteHive(x)

loc_91AEFB:				; CODE XREF: CmpBlockTwoHiveWrites+114B4Bj
					; CmpBlockTwoHiveWrites+114B56j ...
		mov	eax, 0C0000034h
		jmp	loc_8064A6
; END OF FUNCTION CHUNK	FOR CmpBlockTwoHiveWrites
; 
; START	OF FUNCTION CHUNK FOR CmpUnblockTwoHiveWrites

loc_91AF05:				; CODE XREF: CmpUnblockTwoHiveWrites+59j
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_CmpDeleteHive@4 ; CmpDeleteHive(x)
; END OF FUNCTION CHUNK	FOR CmpUnblockTwoHiveWrites
; 
; START	OF FUNCTION CHUNK FOR _CmOpenDeviceRegKeyWorker

loc_91AF0F:				; CODE XREF: _CmOpenDeviceRegKeyWorker+ECj
					; _CmOpenDeviceRegKeyWorker+F6j ...
		mov	esi, 0C000000Dh
		jmp	loc_806923
; 

loc_91AF19:				; CODE XREF: _CmOpenDeviceRegKeyWorker+C8j
		mov	eax, [ebp+var_4]
		mov	[ebp+arg_0], edi
		test	eax, eax
		jnz	short loc_91AF27
		xor	ecx, ecx
		jmp	short loc_91AF2A
; 

loc_91AF27:				; CODE XREF: _CmOpenDeviceRegKeyWorker+114791j
		mov	ecx, [eax+74h]

loc_91AF2A:				; CODE XREF: _CmOpenDeviceRegKeyWorker+114795j
		lea	eax, [ebp+var_10]
		xor	edx, edx
		push	eax
		push	2000000h
		call	__SysCtxRegOpenCurrentUserKey@16 ; _SysCtxRegOpenCurrentUserKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_806923
		mov	edx, [ebp+var_10]
		jmp	loc_8068F5
; 

loc_91AF4C:				; CODE XREF: _CmOpenDeviceRegKeyWorker+1FDj
		mov	esi, 0C00000E5h
		jmp	loc_806923
; 

loc_91AF56:				; CODE XREF: _CmOpenDeviceRegKeyWorker+208j
		mov	esi, eax
		jmp	loc_806923
; 

loc_91AF5D:				; CODE XREF: _CmOpenDeviceRegKeyWorker+299j
		mov	esi, 0C000000Eh
		jmp	loc_806923
; 

loc_91AF67:				; CODE XREF: _CmOpenDeviceRegKeyWorker+2A1j
		test	ebx, 0F00h
		jz	loc_806A5A
		jmp	loc_806A37
; 

loc_91AF78:				; CODE XREF: _CmOpenDeviceRegKeyWorker+2E8j
		mov	ecx, [ebp+arg_8]
		jmp	loc_806A83
; 

loc_91AF80:				; CODE XREF: _CmOpenDeviceRegKeyWorker+2FAj
		xor	edx, edx
		jmp	loc_806A95
; 

loc_91AF87:				; CODE XREF: _CmOpenDeviceRegKeyWorker+30Aj
		mov	[ebp+var_1C], 0
		jmp	loc_806AA9
; 

loc_91AF93:				; CODE XREF: _CmOpenDeviceRegKeyWorker+33Aj
		mov	esi, 0C00000E5h
		jmp	loc_806923
; 

loc_91AF9D:				; CODE XREF: _CmOpenDeviceRegKeyWorker+34Aj
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+var_8]
		mov	[ebp+var_8], 0
		mov	[ecx], eax
		jmp	loc_806923
; 

loc_91AFB1:				; CODE XREF: _CmOpenDeviceRegKeyWorker+85j
					; _CmOpenDeviceRegKeyWorker+26Fj
		mov	esi, 0C0000017h
		jmp	loc_806923
; 

loc_91AFBB:				; CODE XREF: _CmOpenDeviceRegKeyWorker+1A3j
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_806939
; 

loc_91AFC6:				; CODE XREF: _CmOpenDeviceRegKeyWorker+4Ej
					; _CmOpenDeviceRegKeyWorker+5Aj
		mov	eax, 0C000000Dh
		jmp	loc_80695D
; END OF FUNCTION CHUNK	FOR _CmOpenDeviceRegKeyWorker
; 
; START	OF FUNCTION CHUNK FOR CmGetVisibleMaxNameLenAndClassLen

loc_91AFD0:				; CODE XREF: CmGetVisibleMaxNameLenAndClassLen+3Bj
		lea	eax, [ecx+70h]
		mov	[esp+20h+var_10], eax

loc_91AFD7:				; CODE XREF: CmGetVisibleMaxNameLenAndClassLen+11443Fj
					; CmGetVisibleMaxNameLenAndClassLen+114445j ...
		push	10h
		lea	edx, [esp+24h+var_C]
		mov	ecx, eax
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_806C01
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebx+1Ch]
		call	CmEqualTrans
		test	al, al
		mov	eax, [esp+20h+var_10]
		jz	short loc_91AFD7
		cmp	dword ptr [ebx+24h], 1
		jnz	short loc_91AFD7
		mov	ebx, [ebx+30h]
		xor	edx, edx
		mov	ecx, ebx
		call	_CmpIsKeyDeleted@8 ; CmpIsKeyDeleted(x,x)
		test	al, al
		mov	eax, [esp+20h+var_10]
		jnz	short loc_91AFD7
		mov	eax, [ebx+14h]
		lea	edx, [esp+20h+var_8]
		mov	ecx, [ebx+10h]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		test	eax, eax
		jz	short loc_91B060
		mov	ecx, [eax+34h]
		and	ecx, 0FFFFh
		cmp	[edi], ecx
		jnb	short loc_91B03E
		mov	[edi], ecx

loc_91B03E:				; CODE XREF: CmGetVisibleMaxNameLenAndClassLen+11447Aj
		test	esi, esi
		jz	short loc_91B04B
		mov	eax, [eax+38h]
		cmp	[esi], eax
		jnb	short loc_91B04B
		mov	[esi], eax

loc_91B04B:				; CODE XREF: CmGetVisibleMaxNameLenAndClassLen+114480j
					; CmGetVisibleMaxNameLenAndClassLen+114487j
		mov	eax, [ebx+10h]
		lea	ecx, [esp+2Ch+var_14]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		mov	eax, [esp+34h+var_24]
		jmp	loc_91AFD7
; 

loc_91B060:				; CODE XREF: CmGetVisibleMaxNameLenAndClassLen+11446Dj
		mov	eax, 0C000009Ah
		jmp	loc_806C03
; END OF FUNCTION CHUNK	FOR CmGetVisibleMaxNameLenAndClassLen
; 
; START	OF FUNCTION CHUNK FOR CmGetVisibleMaxValueNameLenAndDataLen

loc_91B06A:				; CODE XREF: CmGetVisibleMaxValueNameLenAndDataLen+3Dj
		mov	eax, [esi+9Ch]
		test	eax, eax
		jz	loc_806C65
		cmp	eax, [ebp+arg_0]
		jnz	loc_806C65
		mov	[ecx], edi
		mov	[ebx], edi
		cmp	[esi+94h], edi
		jz	loc_806C65
		mov	eax, [esi+98h]
		lea	edx, [ebp+var_8]
		mov	ecx, [esi+10h]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_91B12E
		cmp	[esi+94h], edi
		jbe	short loc_91B113

loc_91B0B6:				; CODE XREF: CmGetVisibleMaxValueNameLenAndDataLen+1144EFj
		mov	eax, [eax+edi*4]
		lea	edx, [ebp+var_10]
		mov	ecx, [esi+10h]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	edx, eax
		test	edx, edx
		jz	short loc_91B123
		test	byte ptr [edx+10h], 1
		movzx	eax, word ptr [edx+2]
		jz	short loc_91B0DB
		lea	ecx, [eax+eax]
		movzx	eax, cx

loc_91B0DB:				; CODE XREF: CmGetVisibleMaxValueNameLenAndDataLen+1144B1j
		movzx	ecx, ax
		mov	eax, [ebp+arg_4]
		cmp	[eax], ecx
		jnb	short loc_91B0E7
		mov	[eax], ecx

loc_91B0E7:				; CODE XREF: CmGetVisibleMaxValueNameLenAndDataLen+1144C1j
		mov	eax, [edx+4]
		cmp	eax, 80000000h
		jb	short loc_91B0F6
		add	eax, 80000000h

loc_91B0F6:				; CODE XREF: CmGetVisibleMaxValueNameLenAndDataLen+1144CDj
		cmp	[ebx], eax
		jnb	short loc_91B0FC
		mov	[ebx], eax

loc_91B0FC:				; CODE XREF: CmGetVisibleMaxValueNameLenAndDataLen+1144D6j
		mov	eax, [esi+10h]
		lea	ecx, [ebp+var_10]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		mov	eax, [ebp+arg_0]
		inc	edi
		cmp	edi, [esi+94h]
		jb	short loc_91B0B6

loc_91B113:				; CODE XREF: CmGetVisibleMaxValueNameLenAndDataLen+114492j
		mov	eax, [esi+10h]
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		jmp	loc_806C65
; 

loc_91B123:				; CODE XREF: CmGetVisibleMaxValueNameLenAndDataLen+1144A7j
		mov	eax, [esi+10h]
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_91B12E:				; CODE XREF: CmGetVisibleMaxValueNameLenAndDataLen+114486j
		mov	eax, 0C000009Ah
		jmp	loc_806C67
; END OF FUNCTION CHUNK	FOR CmGetVisibleMaxValueNameLenAndDataLen
; 
; START	OF FUNCTION CHUNK FOR CmpQueryKeyDataFromCache

loc_91B138:				; CODE XREF: CmpQueryKeyDataFromCache+5Fj
		mov	eax, 0C000009Ah
		jmp	loc_806DD1
; 

loc_91B142:				; CODE XREF: CmpQueryKeyDataFromCache+6Cj
		mov	eax, ecx
		jmp	loc_806CF8
; 

loc_91B149:				; CODE XREF: CmpQueryKeyDataFromCache+7Ej
		mov	ebx, 0C000000Dh
		jmp	loc_806DCF
; 

loc_91B153:				; CODE XREF: CmpQueryKeyDataFromCache+D1j
		mov	ebx, 0C0000023h
		jmp	short loc_91B1CE
; 

loc_91B15A:				; CODE XREF: CmpQueryKeyDataFromCache+FEj
		mov	ecx, [esi+9Ch]
		test	ecx, ecx
		jz	loc_806D84
		cmp	ecx, eax
		jnz	loc_806D84
		mov	eax, [esi+94h]
		jmp	loc_806D87
; 

loc_91B17B:				; CODE XREF: CmpQueryKeyDataFromCache+122j
					; CmpQueryKeyDataFromCache+12Dj
		mov	eax, [esi+14h]
		mov	ecx, [esi+10h]
		lea	edx, [ebp+var_38]
		push	edx
		push	eax
		push	ecx
		mov	eax, [ecx+4]
		call	eax
		test	eax, eax
		jnz	short loc_91B197
		mov	ebx, 0C000009Ah
		jmp	short loc_91B1CE
; 

loc_91B197:				; CODE XREF: CmpQueryKeyDataFromCache+11450Ej
		push	[ebp+arg_C]
		mov	edx, eax
		mov	ecx, esi
		call	CmGetVisibleSubkeyCount
		mov	[edi+0Ch], eax
		mov	eax, [esi+10h]
		lea	ecx, [ebp+var_38]
		push	ecx
		push	eax
		mov	eax, [eax+8]
		call	eax
		jmp	loc_806DC8
; END OF FUNCTION CHUNK	FOR CmpQueryKeyDataFromCache

;  S U B	R O U T	I N E 


sub_91B1B8	proc near		; DATA XREF: .text:006A54ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	eax, 1
		retn
sub_91B1B8	endp


;  S U B	R O U T	I N E 


sub_91B1C8	proc near		; DATA XREF: .text:006A54F0o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-30h]
sub_91B1C8	endp

; START	OF FUNCTION CHUNK FOR CmpQueryKeyDataFromCache

loc_91B1CE:				; CODE XREF: CmpQueryKeyDataFromCache+1144D8j
					; CmpQueryKeyDataFromCache+114515j
		mov	[ebp+var_2C], ebx
		jmp	loc_806DC8
; END OF FUNCTION CHUNK	FOR CmpQueryKeyDataFromCache
; 
; START	OF FUNCTION CHUNK FOR RtlFindUnicodeSubstring

loc_91B1D6:				; CODE XREF: RtlFindUnicodeSubstring+2Ej
		cmp	edi, ebx
		ja	loc_806E9B
		mov	eax, [eax+4]
		mov	dword ptr [ebp+arg_8], eax

loc_91B1E4:				; CODE XREF: RtlFindUnicodeSubstring+1143FFj
		push	esi		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_806EB3
		mov	eax, dword ptr [ebp+arg_8]
		add	edi, 2
		cmp	edi, ebx
		jbe	short loc_91B1E4
		jmp	loc_806E9B
; END OF FUNCTION CHUNK	FOR RtlFindUnicodeSubstring
; 

loc_91B206:				; CODE XREF: PAGE:00807074j
					; PAGE:0080722Ej
		mov	edi, 0C000000Dh
		mov	[ebp-20h], edi

loc_91B20E:				; CODE XREF: PAGE:0080713Bj
					; PAGE:00807162j
		mov	esi, [ebp-24h]
		jmp	loc_8071C0
; 

loc_91B216:				; DATA XREF: .text:006A554Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	eax, 1
		retn
; 

loc_91B226:				; DATA XREF: .text:006A5550o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-30h]
		jmp	loc_807212
; 

loc_91B238:				; CODE XREF: PAGE:0080707Ej
		mov	ebx, [ebp+1Ch]
		jmp	loc_807121
; 

loc_91B240:				; DATA XREF: .text:006A5558o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		mov	eax, 1
		retn
; 

loc_91B250:				; DATA XREF: .text:006A555Co
		mov	esp, [ebp-18h]
		mov	edi, [ebp-38h]
		mov	[ebp-20h], edi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	bl, [ebp+1Fh]
		mov	esi, [ebp-24h]
		mov	al, [ebp-2Ch]
		jmp	loc_8071C6
; 

loc_91B26E:				; CODE XREF: PAGE:00807190j
		push	ebx
		push	dword ptr [ebp+18h]
		push	dword ptr [ebp+14h]
		push	0
		mov	eax, [ebp+10h]
		push	eax
		push	dword ptr [ebp-28h]
		mov	ecx, esi
		call	SepInternalQuerySecurityAttributesTokenEx
		mov	edi, eax
		mov	[ebp-20h], edi
		jmp	loc_8071C0
; 
; START	OF FUNCTION CHUNK FOR PfpRpFileKeyUpdate

loc_91B28F:				; CODE XREF: PfpRpFileKeyUpdate+2Fj
					; PfpRpFileKeyUpdate+44j
		mov	eax, 0C0000080h
		jmp	loc_807558
; 

loc_91B299:				; CODE XREF: PfpRpFileKeyUpdate+66j
		mov	edi, 0C000009Ah
		jmp	loc_807530
; 

loc_91B2A3:				; CODE XREF: PfpRpFileKeyUpdate+BAj
		mov	edi, 0C000004Dh
		jmp	loc_807530
; 

loc_91B2AD:				; CODE XREF: PfpRpFileKeyUpdate+1A4j
		mov	edi, 0C000009Ah
		or	eax, 0FFFFFFFFh
		jmp	loc_807516
; END OF FUNCTION CHUNK	FOR PfpRpFileKeyUpdate
; 
; START	OF FUNCTION CHUNK FOR CmpComputeComponentHashes

loc_91B2BA:				; CODE XREF: CmpComputeComponentHashes+170j
		mov	eax, 0C000000Dh
		jmp	loc_807876
; END OF FUNCTION CHUNK	FOR CmpComputeComponentHashes
; 

loc_91B2C4:				; CODE XREF: PAGE:00807BB0j
		cmp	bl, 1
		jnz	loc_91B37E
		mov	eax, [ebp-20h]
		test	eax, eax
		jnz	loc_91B376
		jmp	loc_91B37E
; 

loc_91B2DD:				; CODE XREF: PAGE:00807BCDj
		cmp	bl, 1
		jnz	loc_91B37E
		test	edi, edi
		jz	loc_91B37E
		push	0
		push	edi
		jmp	loc_91B379
; 

loc_91B2F6:				; CODE XREF: PAGE:00807BECj
		mov	eax, [ebp+8]
		cmp	al, 1
		jnz	short loc_91B309
		test	edi, edi
		jz	short loc_91B309
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_91B309:				; CODE XREF: PAGE:0091B2FBj
					; PAGE:0091B2FFj
		mov	eax, 0C000009Ah
		jmp	loc_807CEB
; 

loc_91B313:				; CODE XREF: PAGE:00807C77j
					; PAGE:00807C8Cj
		mov	eax, [ebp-38h]
		mov	byte ptr [eax],	0
		movzx	eax, word ptr [edx]
		jmp	loc_807C92
; 

loc_91B321:				; CODE XREF: PAGE:00807C49j
		mov	eax, [ebp-38h]
		jmp	loc_807C92
; 

loc_91B329:				; DATA XREF: .text:006A5574o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		mov	eax, 1
		retn
; 

loc_91B339:				; DATA XREF: .text:006A5578o
		mov	esp, [ebp-18h]
		cmp	byte ptr [ebp+8], 1
		jnz	short loc_91B351
		mov	eax, [ebp-20h]
		test	eax, eax
		jz	short loc_91B351
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_91B351:				; CODE XREF: PAGE:0091B340j
					; PAGE:0091B347j
		push	0
		push	dword ptr [ebp-48h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-4Ch]
		jmp	loc_807CEB
; 

loc_91B36A:				; CODE XREF: PAGE:00807B99j
					; PAGE:00807BA2j
		cmp	bl, 1
		jnz	short loc_91B37E
		mov	eax, [ebp-20h]
		test	eax, eax
		jz	short loc_91B37E

loc_91B376:				; CODE XREF: PAGE:0091B2D2j
		push	0
		push	eax

loc_91B379:				; CODE XREF: PAGE:0091B2F1j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_91B37E:				; CODE XREF: PAGE:0091B2C7j
					; PAGE:0091B2D8j ...
		mov	eax, 0C0000095h
		jmp	loc_807CEB
; 
; START	OF FUNCTION CHUNK FOR SeCaptureUnicodeStringStructures

loc_91B388:				; CODE XREF: SeCaptureUnicodeStringStructures+42j
		test	esi, esi
		jnz	short loc_91B39B
		test	ebx, ebx
		jnz	loc_807D88

loc_91B394:				; CODE XREF: SeCaptureUnicodeStringStructures+52j
		xor	eax, eax
		mov	[ebp+arg_0], eax
		jmp	short loc_91B3EF
; 

loc_91B39B:				; CODE XREF: SeCaptureUnicodeStringStructures+4Aj
					; SeCaptureUnicodeStringStructures+11364Aj
		mov	eax, 0C000000Dh
		mov	[ebp+arg_0], eax
		jmp	short loc_91B3EF
; 

loc_91B3A5:				; CODE XREF: SeCaptureUnicodeStringStructures+5Bj
		mov	[eax], ebx
		xor	eax, eax
		mov	[ebp+arg_0], eax
		jmp	short loc_91B3EF
; 

loc_91B3AE:				; CODE XREF: SeCaptureUnicodeStringStructures+70j
					; SeCaptureUnicodeStringStructures+79j
		or	edi, 0FFFFFFFFh
		mov	eax, 0C0000095h
		jmp	loc_807DC1
; 

loc_91B3BB:				; CODE XREF: SeCaptureUnicodeStringStructures+A3j
		mov	eax, 0C000009Ah
		mov	[ebp+arg_0], eax
		jmp	short loc_91B3EF
; END OF FUNCTION CHUNK	FOR SeCaptureUnicodeStringStructures

;  S U B	R O U T	I N E 


sub_91B3C5	proc near		; DATA XREF: .text:006A5594o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		mov	eax, 1
		retn
sub_91B3C5	endp


;  S U B	R O U T	I N E 


sub_91B3D5	proc near		; DATA XREF: .text:006A5598o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-24h]
		mov	[ebp+8], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, [ebp-28h]
		jmp	loc_807E31
sub_91B3D5	endp

; 
; START	OF FUNCTION CHUNK FOR SeCaptureUnicodeStringStructures

loc_91B3ED:				; CODE XREF: SeCaptureUnicodeStringStructures+89j
		xor	edx, edx

loc_91B3EF:				; CODE XREF: SeCaptureUnicodeStringStructures+F3j
					; SeCaptureUnicodeStringStructures+113659j ...
		test	edx, edx
		jz	loc_807E3E
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_0]
		jmp	loc_807E3E
; END OF FUNCTION CHUNK	FOR SeCaptureUnicodeStringStructures
; 
; START	OF FUNCTION CHUNK FOR CmpQueryKeyDataFromNode

loc_91B407:				; CODE XREF: CmpQueryKeyDataFromNode+17Cj
		mov	edi, 0C000000Dh
		jmp	loc_807F8C
; END OF FUNCTION CHUNK	FOR CmpQueryKeyDataFromNode

;  S U B	R O U T	I N E 


sub_91B411	proc near		; DATA XREF: .text:006A55CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		mov	eax, 1
		retn
sub_91B411	endp


;  S U B	R O U T	I N E 


sub_91B421	proc near		; DATA XREF: .text:006A55D0o
		mov	edi, [ebp-2Ch]
		jmp	short loc_91B488
sub_91B421	endp

; 
; START	OF FUNCTION CHUNK FOR CmpQueryKeyDataFromNode

loc_91B426:				; CODE XREF: CmpQueryKeyDataFromNode+14Cj
		mov	eax, [esi+30h]
		lea	ecx, [ebp+var_3C]
		push	ecx
		push	eax
		push	ebx
		mov	eax, [ebx+4]
		call	eax
		mov	edi, eax
		mov	[ebp+var_1C], eax
		jmp	loc_807FD2
; END OF FUNCTION CHUNK	FOR CmpQueryKeyDataFromNode

;  S U B	R O U T	I N E 


sub_91B43E	proc near		; DATA XREF: .text:006A55C0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	eax, 1
		retn
sub_91B43E	endp


;  S U B	R O U T	I N E 


sub_91B44E	proc near		; DATA XREF: .text:006A55C4o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-30h]
		jmp	loc_807FF4
sub_91B44E	endp

; 
; START	OF FUNCTION CHUNK FOR CmpQueryKeyDataFromNode

loc_91B459:				; CODE XREF: CmpQueryKeyDataFromNode+C5j
		cmp	edx, ecx
		ja	short loc_91B45F
		mov	ecx, edx

loc_91B45F:				; CODE XREF: CmpQueryKeyDataFromNode+1135DBj
		push	ecx		; size_t
		lea	eax, [esi+4Ch]
		push	eax		; void *
		lea	eax, [edi+10h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_807F74
; END OF FUNCTION CHUNK	FOR CmpQueryKeyDataFromNode

;  S U B	R O U T	I N E 


sub_91B475	proc near		; DATA XREF: .text:006A55B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		mov	eax, 1
		retn
sub_91B475	endp


;  S U B	R O U T	I N E 


sub_91B485	proc near		; DATA XREF: .text:006A55B8o
		mov	edi, [ebp-34h]

loc_91B488:				; CODE XREF: sub_91B421+3j
		mov	[ebp-20h], edi
		mov	esp, [ebp-18h]
		jmp	loc_807F85
sub_91B485	endp

; 
; START	OF FUNCTION CHUNK FOR CmGetKeyLastWriteTime

loc_91B493:				; CODE XREF: CmGetKeyLastWriteTime+31j
		lea	eax, [ecx+70h]
		mov	[ebp+var_4], eax
		push	ebx

loc_91B49A:				; CODE XREF: CmGetKeyLastWriteTime+1133D3j
					; CmGetKeyLastWriteTime+1133D9j
		push	ecx
		lea	edx, [ebp+var_8]
		mov	ecx, eax
		call	CmListGetPrevElement
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_91B4C9
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebx+1Ch]
		call	CmEqualTrans
		test	al, al
		mov	eax, [ebp+var_4]
		jz	short loc_91B49A
		cmp	dword ptr [ebx+24h], 8
		jnz	short loc_91B49A
		mov	esi, [ebx+30h]
		mov	edi, [ebx+34h]

loc_91B4C9:				; CODE XREF: CmGetKeyLastWriteTime+1133C1j
		pop	ebx
		jmp	loc_808103
; END OF FUNCTION CHUNK	FOR CmGetKeyLastWriteTime
; 
; START	OF FUNCTION CHUNK FOR CmpWalkOneLevel

loc_91B4CF:				; CODE XREF: CmpWalkOneLevel+6C7j
		mov	eax, [edx+0Ch]
		mov	ebx, [eax+ebx*4-8]
		jmp	loc_8087F1
; 

loc_91B4DB:				; CODE XREF: CmpWalkOneLevel+80j
		mov	eax, [eax+0Ch]
		mov	edi, [eax+ecx*4-8]
		jmp	loc_8081AA
; 

loc_91B4E7:				; CODE XREF: CmpWalkOneLevel+CAj
					; CmpWalkOneLevel+6B8j
		push	esi
		push	0Ch
		push	edi
		push	17h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91B4F4:				; CODE XREF: CmpWalkOneLevel+117j
		mov	eax, [esi+0Ch]
		mov	ebx, [eax+ebx*4-8]
		jmp	loc_808241
; 

loc_91B500:				; CODE XREF: CmpWalkOneLevel+167j
		mov	eax, [ebx+0Ch]
		mov	ecx, [eax+ecx*4-8]
		jmp	loc_808291
; 

loc_91B50C:				; CODE XREF: CmpWalkOneLevel+7B9j
					; CmpWalkOneLevel+113408j
		mov	ecx, [eax+24h]
		cmp	ecx, 2
		jz	short loc_91B52F
		cmp	ecx, 0Bh
		jz	short loc_91B52F
		push	10h
		lea	edx, [ebp+var_30]
		lea	ecx, [ebx+70h]
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jnz	short loc_91B50C
		jmp	loc_8088DF
; 

loc_91B52F:				; CODE XREF: CmpWalkOneLevel+1133F2j
					; CmpWalkOneLevel+1133F7j
		mov	ecx, [eax+1Ch]
		mov	edx, edi
		call	CmEqualTrans
		test	al, al
		jnz	loc_808855
		jmp	loc_8088DF
; 

loc_91B546:				; CODE XREF: CmpWalkOneLevel+1A1j
		mov	ecx, edi
		call	CmEqualTrans
		test	al, al
		jnz	short loc_91B55B
		mov	edx, 50300h
		jmp	loc_80885A
; 

loc_91B55B:				; CODE XREF: CmpWalkOneLevel+11342Fj
		mov	ecx, [ebp+var_C]
		jmp	loc_8082C7
; 

loc_91B563:				; CODE XREF: CmpWalkOneLevel+1AEj
		mov	edx, 50400h
		jmp	loc_80885A
; 

loc_91B56D:				; CODE XREF: CmpWalkOneLevel+1CBj
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		jmp	loc_8082F1
; 

loc_91B57F:				; CODE XREF: CmpWalkOneLevel+20Aj
		mov	eax, [ebx+0Ch]
		mov	ebx, [eax+ecx*4-8]
		jmp	loc_808334
; 

loc_91B58B:				; CODE XREF: CmpWalkOneLevel+633j
		mov	ecx, [ebp+var_28]
		mov	edx, [ebp+arg_14]
		jmp	loc_80847D
; 

loc_91B596:				; CODE XREF: CmpWalkOneLevel+62Bj
					; CmpWalkOneLevel+665j
		mov	edi, [ebp+arg_18]
		mov	ebx, 0C000009Ah
		jmp	loc_808659
; 

loc_91B5A3:				; CODE XREF: CmpWalkOneLevel+2C1j
					; CmpWalkOneLevel+69Fj
		mov	ebx, 0C000009Ah
		mov	[ebp+arg_14], ebx
		jmp	loc_8084B8
; 

loc_91B5B0:				; CODE XREF: CmpWalkOneLevel+5B6j
		mov	eax, [eax+0Ch]
		mov	[eax+ecx*4-8], ebx
		jmp	loc_8086E0
; 

loc_91B5BC:				; CODE XREF: CmpWalkOneLevel+587j
		push	ebx
		mov	edx, 50700h
		jmp	loc_808866
; 

loc_91B5C7:				; CODE XREF: CmpWalkOneLevel+54Dj
		push	ebx
		mov	edx, 50500h
		jmp	loc_808866
; 

loc_91B5D2:				; CODE XREF: CmpWalkOneLevel+1F1j
		mov	ebx, [ebp+var_10]
		jmp	loc_8086FC
; 

loc_91B5DA:				; CODE XREF: CmpWalkOneLevel+427j
		mov	eax, [ecx+0Ch]
		mov	ebx, [eax+ebx*4-8]
		jmp	loc_808551
; 

loc_91B5E6:				; CODE XREF: CmpWalkOneLevel+438j
		mov	[ebp+arg_1F], 1
		jmp	loc_808562
; 

loc_91B5EF:				; CODE XREF: CmpWalkOneLevel+44Dj
		mov	dword ptr [ebx+1Ch], 0
		jmp	loc_808576
; 

loc_91B5FB:				; CODE XREF: CmpWalkOneLevel+464j
		test	dword ptr [ebx+4], 80000h
		jz	loc_80858A
		mov	ecx, ebx
		call	CmpFreeKeyControlBlock
		jmp	loc_80858A
; 

loc_91B614:				; CODE XREF: CmpWalkOneLevel+494j
		mov	eax, [ecx+0Ch]
		mov	ebx, [edi+eax]
		jmp	loc_8085BE
; 

loc_91B61F:				; CODE XREF: CmpWalkOneLevel+4D1j
		mov	ecx, ebx
		call	_CmpDeleteHive@4 ; CmpDeleteHive(x)
		jmp	loc_8085F7
; 

loc_91B62B:				; CODE XREF: CmpWalkOneLevel+4EFj
		mov	ecx, eax
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		jmp	loc_808615
; END OF FUNCTION CHUNK	FOR CmpWalkOneLevel
; 
; START	OF FUNCTION CHUNK FOR CmpCreateKeyControlBlock

loc_91B637:				; CODE XREF: CmpCreateKeyControlBlock+4E1j
		mov	esi, 0C0000034h
		jmp	loc_808D87
; 

loc_91B641:				; CODE XREF: CmpCreateKeyControlBlock+517j
		mov	[ebp+var_20], edx
		lea	edx, [ebp+var_24]
		mov	word ptr [ebp+var_24], cx
		mov	word ptr [ebp+var_24+2], cx
		mov	ecx, [ebp+arg_C]
		call	CmpCompareUnicodeString
		test	eax, eax
		jz	loc_808E7E

loc_91B65F:				; CODE XREF: CmpCreateKeyControlBlock+528j
		mov	ecx, [ebp+arg_0]
		jmp	loc_808DAC
; 

loc_91B667:				; CODE XREF: CmpCreateKeyControlBlock+B7j
		mov	esi, 0C000000Dh

loc_91B66C:				; CODE XREF: CmpCreateKeyControlBlock+5E8j
					; CmpCreateKeyControlBlock+112D65j ...
		test	ebx, ebx
		jz	loc_808D87
		mov	ecx, [ebx+28h]
		test	ecx, ecx
		jz	short loc_91B680
		call	_CmpDereferenceNameControlBlockWithLock@4 ; CmpDereferenceNameControlBlockWithLock(x)

loc_91B680:				; CODE XREF: CmpCreateKeyControlBlock+112D29j
		cmp	dword ptr [ebx+24h], 0
		jz	short loc_91B68E
		mov	ecx, [ebp+arg_0]
		call	CmpDereferenceKeyControlBlockUnsafe

loc_91B68E:				; CODE XREF: CmpCreateKeyControlBlock+112D34j
		mov	eax, [ebx+6Ch]
		test	eax, eax
		jz	short loc_91B69D
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_91B69D:				; CODE XREF: CmpCreateKeyControlBlock+112D43j
		or	dword ptr [ebx+4], 80000h
		mov	ecx, ebx
		call	CmpFreeKeyControlBlock
		jmp	loc_808D87
; 

loc_91B6B0:				; CODE XREF: CmpCreateKeyControlBlock+162j
					; CmpCreateKeyControlBlock+4A0j
		mov	esi, 0C000009Ah
		jmp	short loc_91B66C
; 

loc_91B6B7:				; CODE XREF: CmpCreateKeyControlBlock+21Bj
		mov	esi, 0C000009Ah
		jmp	short loc_91B66C
; 

loc_91B6BE:				; CODE XREF: CmpCreateKeyControlBlock+2D6j
		test	eax, eax
		jz	loc_808C3D
		mov	edx, eax
		mov	ecx, edi
		call	KeAbPostReleaseEx
		jmp	loc_808C3D
; 

loc_91B6D4:				; CODE XREF: CmpCreateKeyControlBlock+328j
		mov	byte ptr [ebp+arg_C+3],	0
		xor	eax, eax
		jmp	loc_808C8B
; 

loc_91B6DF:				; CODE XREF: CmpCreateKeyControlBlock+34Cj
		mov	ecx, ebx
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	esi, 0C000009Ah
		lea	eax, [ebp+var_1C]
		push	eax
		mov	eax, [ebp+var_8]
		push	eax
		mov	eax, [eax+8]
		call	eax
		jmp	loc_91B66C
; 

loc_91B6FD:				; CODE XREF: CmpCreateKeyControlBlock+359j
		mov	byte ptr [ebp+arg_C+3],	1
		jmp	loc_808CB3
; 

loc_91B706:				; CODE XREF: CmpCreateKeyControlBlock+389j
		test	dword ptr [ebx+4], 80000h
		jz	loc_808CDF
		mov	ecx, ebx
		call	CmpFreeKeyControlBlock
		jmp	loc_808CDF
; 

loc_91B71F:				; CODE XREF: CmpCreateKeyControlBlock+4ADj
					; CmpCreateKeyControlBlock+4B5j
		mov	byte ptr [ebx+21h], 1
		jmp	loc_808E0B
; 

loc_91B728:				; CODE XREF: CmpCreateKeyControlBlock+3B1j
		push	0
		push	0
		push	ecx
		push	24h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91B736:				; CODE XREF: CmpCreateKeyControlBlock+3BAj
		push	0
		push	0
		push	0
		push	15h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91B745:				; CODE XREF: CmpCreateKeyControlBlock+42Aj
		mov	dl, 16h
		mov	ecx, ebx
		call	_CmpEtwDumpKcb@8 ; CmpEtwDumpKcb(x,x)
		jmp	loc_808D80
; END OF FUNCTION CHUNK	FOR CmpCreateKeyControlBlock
; 
; START	OF FUNCTION CHUNK FOR CmpGetNameControlBlock

loc_91B753:				; CODE XREF: CmpGetNameControlBlock+12j
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)
		mov	esi, eax
		jmp	loc_808F8A
; 

loc_91B75F:				; CODE XREF: CmpGetNameControlBlock+60j
		movzx	eax, dx
		mov	[ebp+var_10], eax
		mov	[ebp+var_1], 0
		jmp	loc_808FD6
; 

loc_91B76E:				; CODE XREF: CmpGetNameControlBlock+1B5j
		mov	esi, [ebp+var_8]
		shr	eax, 1
		mov	[ebp+var_18], 0
		mov	[ebp+var_20], eax
		mov	esi, [esi+4]
		mov	[ebp+var_14], esi
		mov	esi, [ebp+var_C]
		jz	loc_809147
		mov	eax, [ebp+var_14]
		sub	edx, eax
		mov	[ebp+var_1C], edx

loc_91B794:				; CODE XREF: CmpGetNameControlBlock+112869j
		movzx	eax, word ptr [eax]
		cmp	eax, 61h
		jnb	short loc_91B7A0
		mov	ecx, eax
		jmp	short loc_91B7B7
; 

loc_91B7A0:				; CODE XREF: CmpGetNameControlBlock+11282Aj
		cmp	eax, 7Ah
		jbe	short loc_91B7B4
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	edx, [ebp+var_1C]
		movzx	ecx, ax
		jmp	short loc_91B7B7
; 

loc_91B7B4:				; CODE XREF: CmpGetNameControlBlock+112833j
		lea	ecx, [eax-20h]

loc_91B7B7:				; CODE XREF: CmpGetNameControlBlock+11282Ej
					; CmpGetNameControlBlock+112842j
		mov	eax, [ebp+var_14]
		movzx	eax, word ptr [edx+eax]
		cmp	ecx, eax
		jnz	loc_80903C
		mov	ecx, [ebp+var_18]
		mov	eax, [ebp+var_14]
		inc	ecx
		add	eax, 2
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], eax
		cmp	ecx, [ebp+var_20]
		jb	short loc_91B794
		mov	ecx, [ebx]
		jmp	loc_809147
; 

loc_91B7E2:				; CODE XREF: CmpGetNameControlBlock+F5j
		push	esi
		call	_CmpGetHashIndex@4 ; CmpGetHashIndex(x)
		mov	ecx, _CmpNameCacheTable
		xor	edx, edx
		lea	ecx, [ecx+eax*8]
		call	ExReleasePushLockEx
		xor	eax, eax
		jmp	loc_8090EA
; 

loc_91B7FF:				; CODE XREF: CmpGetNameControlBlock+110j
		and	eax, 0FFFFFFFEh
		shr	edi, 1
		mov	[ebx], eax
		jz	loc_8090B0
		mov	esi, [ebp+var_8]
		lea	eax, [ebx+0Eh]
		mov	[ebp+var_18], eax
		xor	ebx, ebx
		mov	ecx, eax

loc_91B819:				; CODE XREF: CmpGetNameControlBlock+1128D3j
		mov	eax, [esi+4]
		movzx	eax, word ptr [eax+ebx*2]
		cmp	eax, 61h
		jb	short loc_91B83C
		cmp	eax, 7Ah
		jbe	short loc_91B836
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, [ebp+var_18]
		jmp	short loc_91B839
; 

loc_91B836:				; CODE XREF: CmpGetNameControlBlock+1128B8j
		add	eax, 0FFFFFFE0h

loc_91B839:				; CODE XREF: CmpGetNameControlBlock+1128C4j
		movzx	eax, ax

loc_91B83C:				; CODE XREF: CmpGetNameControlBlock+1128B3j
		mov	[ecx+ebx*2], ax
		inc	ebx
		cmp	ebx, edi
		jb	short loc_91B819
		mov	ebx, [ebp+var_20]
		jmp	loc_8090AD
; END OF FUNCTION CHUNK	FOR CmpGetNameControlBlock
; 
; START	OF FUNCTION CHUNK FOR CmpFindSubKeyByNumberEx

loc_91B84D:				; CODE XREF: CmpFindSubKeyByNumberEx+31j
					; CmpFindSubKeyByNumberEx+1126F9j ...
		mov	eax, 0C000009Ah
		jmp	loc_80926F
; 

loc_91B857:				; CODE XREF: CmpFindSubKeyByNumberEx+9Aj
		mov	ecx, [edi+14h]
		mov	[ebp+arg_18], 0
		mov	[ebp+var_3C], 0FFFFFFFFh
		mov	[ebp+var_38], 0
		mov	[ebp+var_44], 0FFFFFFFFh
		mov	[ebp+var_40], 0
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	short loc_91B88C
		mov	edx, [edi+1Ch]
		mov	[ebp+var_20], edx
		jmp	short loc_91B893
; 

loc_91B88C:				; CODE XREF: CmpFindSubKeyByNumberEx+112692j
		mov	[ebp+var_20], 0FFFFFFFFh

loc_91B893:				; CODE XREF: CmpFindSubKeyByNumberEx+11269Aj
		mov	eax, [edi+18h]
		test	eax, eax
		jz	short loc_91B8A2
		mov	edx, [edi+20h]
		mov	[ebp+var_24], edx
		jmp	short loc_91B8A9
; 

loc_91B8A2:				; CODE XREF: CmpFindSubKeyByNumberEx+1126A8j
		mov	[ebp+var_24], 0FFFFFFFFh

loc_91B8A9:				; CODE XREF: CmpFindSubKeyByNumberEx+1126B0j
		add	eax, ecx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [esi+8]
		push	esi
		call	eax
		xor	eax, eax
		xor	edi, edi
		mov	[ebp+var_14], eax
		cmp	[ebp+var_1C], eax
		jbe	loc_91B9C3
		mov	ecx, [ebp+var_28]
		mov	eax, ecx
		neg	eax
		mov	[ebp+var_18], eax

loc_91B8D2:				; CODE XREF: CmpFindSubKeyByNumberEx+1127CEj
		mov	eax, [esi+4]
		mov	[ebp+var_10], edi
		cmp	[ebp+var_14], ecx
		jnb	short loc_91B905
		lea	ecx, [ebp+var_3C]
		push	ecx
		push	[ebp+var_20]
		push	esi
		call	eax
		test	eax, eax
		jz	loc_91B84D
		push	[ebp+var_14]
		mov	edx, eax
		mov	ecx, esi
		call	CmpDoFindSubKeyByNumber
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		lea	eax, [ebp+var_3C]
		jmp	short loc_91B92B
; 

loc_91B905:				; CODE XREF: CmpFindSubKeyByNumberEx+1126EBj
		lea	ecx, [ebp+var_44]
		push	ecx
		push	[ebp+var_24]
		push	esi
		call	eax
		test	eax, eax
		jz	loc_91B84D
		push	[ebp+var_18]
		mov	edx, eax
		mov	ecx, esi
		call	CmpDoFindSubKeyByNumber
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		lea	eax, [ebp+var_44]

loc_91B92B:				; CODE XREF: CmpFindSubKeyByNumberEx+112713j
		push	eax
		mov	eax, [esi+8]
		push	esi
		call	eax
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		cmp	eax, 0FFFFFFFFh
		jz	loc_91B84D
		mov	edx, [ebp+arg_C]
		lea	ecx, [ebp+var_10]
		push	ecx
		mov	ecx, [ebp+arg_8]
		push	eax
		push	esi
		call	CmpFindSubkeyInHashByChildCell
		mov	edx, eax
		mov	[ebp+var_C], edx
		test	edx, edx
		js	loc_8092D7
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	short loc_91B989
		mov	edx, [ebp+arg_10]
		call	CmRmIsKCBVisible
		mov	ecx, [ebp+var_8]
		test	al, al
		jz	short loc_91B98E
		mov	edx, [ebp+arg_10]
		call	_CmpIsKeyDeleted@8 ; CmpIsKeyDeleted(x,x)
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_C]
		test	al, al
		jnz	short loc_91B991

loc_91B989:				; CODE XREF: CmpFindSubKeyByNumberEx+112776j
		inc	[ebp+arg_18]
		jmp	short loc_91B991
; 

loc_91B98E:				; CODE XREF: CmpFindSubKeyByNumberEx+112785j
		mov	edx, [ebp+var_C]

loc_91B991:				; CODE XREF: CmpFindSubKeyByNumberEx+112797j
					; CmpFindSubKeyByNumberEx+11279Cj
		mov	eax, [ebp+arg_0]
		inc	eax
		cmp	[ebp+arg_18], eax
		jz	short loc_91B9C9
		test	ecx, ecx
		jz	short loc_91B9AC
		mov	edx, [ebp+arg_14]
		call	_CmpDelayDerefKeyControlBlock@8	; CmpDelayDerefKeyControlBlock(x,x)
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_C]

loc_91B9AC:				; CODE XREF: CmpFindSubKeyByNumberEx+1127ACj
		mov	eax, [ebp+var_14]
		inc	[ebp+var_18]
		inc	eax
		mov	[ebp+var_14], eax
		cmp	eax, [ebp+var_1C]
		jnb	short loc_91B9CF
		mov	ecx, [ebp+var_28]
		jmp	loc_91B8D2
; 

loc_91B9C3:				; CODE XREF: CmpFindSubKeyByNumberEx+1126D2j
		xor	ecx, ecx
		xor	edx, edx
		jmp	short loc_91B9CC
; 

loc_91B9C9:				; CODE XREF: CmpFindSubKeyByNumberEx+1127A8j
		mov	eax, [ebp+var_14]

loc_91B9CC:				; CODE XREF: CmpFindSubKeyByNumberEx+1127D7j
		cmp	eax, [ebp+var_1C]

loc_91B9CF:				; CODE XREF: CmpFindSubKeyByNumberEx+1127C9j
		jnz	loc_809252
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_28], edi
		mov	dword ptr [eax], 0FFFFFFFFh

loc_91B9E1:				; CODE XREF: CmpFindSubKeyByNumberEx+112863j
		mov	ecx, [ebp+var_2C]
		lea	edx, [ebp+var_28]
		push	10h
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	short loc_91BA67
		mov	edx, [ebp+arg_10]
		mov	ecx, [eax+1Ch]
		call	CmEqualTrans
		test	al, al
		jz	short loc_91BA4B
		mov	eax, [ebp+var_24]
		mov	ecx, [eax+24h]
		cmp	ecx, 1
		jz	short loc_91BA19
		cmp	ecx, 0Ah
		jnz	short loc_91BA4B
		mov	eax, [eax+34h]
		jmp	short loc_91BA1C
; 

loc_91BA19:				; CODE XREF: CmpFindSubKeyByNumberEx+11281Dj
		mov	eax, [eax+30h]

loc_91BA1C:				; CODE XREF: CmpFindSubKeyByNumberEx+112827j
		mov	edx, [ebp+arg_10]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		call	CmRmIsKCBVisible
		test	al, al
		jz	short loc_91BA4B
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+var_8]
		call	_CmpIsKeyDeleted@8 ; CmpIsKeyDeleted(x,x)
		test	al, al
		jnz	short loc_91BA4B
		mov	eax, [ebp+arg_18]
		cmp	eax, [ebp+arg_0]
		jz	short loc_91BA55
		inc	eax
		mov	[ebp+arg_18], eax

loc_91BA4B:				; CODE XREF: CmpFindSubKeyByNumberEx+112812j
					; CmpFindSubKeyByNumberEx+112822j ...
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		jmp	short loc_91B9E1
; 

loc_91BA55:				; CODE XREF: CmpFindSubKeyByNumberEx+112855j
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+arg_4]
		mov	eax, [edx+14h]
		mov	[ecx], eax
		mov	ecx, edx
		call	CmpReferenceKeyControlBlock

loc_91BA67:				; CODE XREF: CmpFindSubKeyByNumberEx+112803j
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		jmp	loc_809252
; 

loc_91BA72:				; CODE XREF: CmpFindSubKeyByNumberEx+DDj
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 0FFFFFFFFh
		jmp	loc_8092D3
; 

loc_91BA80:				; CODE XREF: CmpFindSubKeyByNumberEx+68j
		mov	edx, [ebp+arg_14]
		call	_CmpDelayDerefKeyControlBlock@8	; CmpDelayDerefKeyControlBlock(x,x)
		mov	edx, [ebp+var_C]
		jmp	loc_80925E
; END OF FUNCTION CHUNK	FOR CmpFindSubKeyByNumberEx
; 
; START	OF FUNCTION CHUNK FOR CmpUnlockTwoKcbs

loc_91BA90:				; CODE XREF: CmpUnlockTwoKcbs+4Aj
		test	dword ptr [esi+4], 80000h
		jz	loc_8093C0
		mov	ecx, esi
		call	CmpFreeKeyControlBlock
		jmp	loc_8093C0
; END OF FUNCTION CHUNK	FOR CmpUnlockTwoKcbs
; 
; START	OF FUNCTION CHUNK FOR CmpPerformKeyBodyDeletionCheck

loc_91BAA9:				; CODE XREF: CmpPerformKeyBodyDeletionCheck+42j
					; CmpPerformKeyBodyDeletionCheck+1126C4j
		mov	ecx, [eax+24h]
		cmp	ecx, 2
		jz	short loc_91BACB
		cmp	ecx, 0Bh
		jz	short loc_91BACB
		push	10h
		lea	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jnz	short loc_91BAA9
		jmp	loc_809426
; 

loc_91BACB:				; CODE XREF: CmpPerformKeyBodyDeletionCheck+1126AFj
					; CmpPerformKeyBodyDeletionCheck+1126B4j
		mov	ecx, [eax+1Ch]
		mov	edx, esi
		call	CmEqualTrans
		test	al, al
		jz	loc_809426
		mov	eax, [edi+1Ch]

loc_91BAE0:				; CODE XREF: CmpPerformKeyBodyDeletionCheck+1Cj
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 2A9h
		add	eax, 0C000017Ch
		jmp	loc_809428
; END OF FUNCTION CHUNK	FOR CmpPerformKeyBodyDeletionCheck
; 
; START	OF FUNCTION CHUNK FOR NtEnumerateKey

loc_91BAF8:				; CODE XREF: NtEnumerateKey+95j
		mov	edx, 20000h
		lea	ecx, [ebp+var_40]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		jmp	loc_8094EB
; 

loc_91BB0A:				; CODE XREF: NtEnumerateKey+112j
		mov	esi, 0C0000189h
		jmp	loc_809727
; 

loc_91BB14:				; CODE XREF: NtEnumerateKey+39Aj
		cmp	eax, 2
		jz	loc_809573
		cmp	ds:_CmpTraceRoutine, edi
		jz	short loc_91BB70
		test	esi, esi
		jz	short loc_91BB70
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_A0], al
		mov	eax, ds:_CmKeyObjectType
		mov	[ebp+var_B0], edi
		push	0
		lea	ecx, [ebp+var_B0]
		push	ecx
		push	[ebp+var_A0]
		push	eax
		push	0
		push	esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_91BB70
		mov	ecx, [ebp+var_B0]
		mov	edi, [ecx+8]
		call	ObfDereferenceObject

loc_91BB70:				; CODE XREF: NtEnumerateKey+1126D3j
					; NtEnumerateKey+1126D7j ...
		mov	esi, 0C000000Dh
		jmp	loc_809727
; 

loc_91BB7A:				; CODE XREF: NtEnumerateKey+167j
		mov	ecx, [ebp+var_9C]
		test	ecx, ecx
		jz	loc_8095BD
		mov	eax, [ecx+8]
		mov	[ebp+var_98], eax
		mov	[ebp+var_A8], eax
		jmp	loc_8095BD
; 

loc_91BB9C:				; CODE XREF: NtEnumerateKey+198j
		mov	ecx, eax
		jmp	loc_8095EE
; END OF FUNCTION CHUNK	FOR NtEnumerateKey

;  S U B	R O U T	I N E 


sub_91BBA3	proc near		; DATA XREF: .text:006A55ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C0h], eax
		mov	eax, 1
		retn
sub_91BBA3	endp


;  S U B	R O U T	I N E 


sub_91BBB6	proc near		; DATA XREF: .text:006A55F0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0C0h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-0A8h]
		jmp	loc_809727
sub_91BBB6	endp

; 
; START	OF FUNCTION CHUNK FOR NtEnumerateKey

loc_91BBD1:				; CODE XREF: NtEnumerateKey+21Ej
		mov	edi, [ebp+var_98]
		cmp	esi, 0C0000503h
		jnz	loc_809727
		xor	esi, esi
		jmp	loc_809727
; END OF FUNCTION CHUNK	FOR NtEnumerateKey

;  S U B	R O U T	I N E 


sub_91BBEA	proc near		; DATA XREF: .text:006A55F8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C4h], eax
		mov	eax, 1
		retn
sub_91BBEA	endp


;  S U B	R O U T	I N E 


sub_91BBFD	proc near		; DATA XREF: .text:006A55FCo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0C4h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-0A8h]
		jmp	loc_809727
sub_91BBFD	endp

; 
; START	OF FUNCTION CHUNK FOR NtEnumerateKey

loc_91BC18:				; CODE XREF: NtEnumerateKey+2DFj
		call	ObfDereferenceObject
		jmp	loc_809735
; 

loc_91BC22:				; CODE XREF: NtEnumerateKey+340j
		push	0
		push	edi
		push	[ebp+arg_4]
		push	esi
		lea	ecx, [ebp+var_40]
		push	ecx
		push	11h
		call	eax
		jmp	loc_809796
; END OF FUNCTION CHUNK	FOR NtEnumerateKey
; 
; START	OF FUNCTION CHUNK FOR CmEnumerateKey

loc_91BC36:				; CODE XREF: CmEnumerateKey+253j
		mov	byte ptr [esp+60h+var_4C], 0
		jmp	loc_809A5E
; 

loc_91BC40:				; CODE XREF: CmEnumerateKey+C1j
		mov	eax, [ebx+8]
		jmp	loc_8098C9
; 

loc_91BC48:				; CODE XREF: CmEnumerateKey+103j
		mov	edx, [esp+60h+var_48]
		mov	ecx, esi
		call	CmpPerformKeyBodyDeletionCheck
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8099BD

loc_91BC5D:				; CODE XREF: CmEnumerateKey+119j
		mov	eax, [esp+60h+var_48]
		lea	edx, [esp+60h+var_3C]
		mov	ecx, eax
		neg	ecx
		sbb	ecx, ecx
		and	ecx, edx
		mov	edx, esi
		neg	edx
		sbb	edx, edx
		and	edx, edi
		test	esi, esi
		mov	esi, [esp+60h+var_44]
		jnz	short loc_91BC7F
		mov	esi, edi

loc_91BC7F:				; CODE XREF: CmEnumerateKey+11247Bj
		lea	ebx, [esp+60h+var_28]
		push	ebx
		push	ecx
		lea	ecx, [esp+68h+var_4C]
		push	ecx
		lea	ecx, [esp+6Ch+var_40]
		push	ecx
		lea	ecx, [esp+70h+var_24]
		push	ecx
		push	eax
		push	[ebp+arg_0]
		mov	ecx, esi
		call	_CmpFindSubKeyByNumberFromMergedView@36	; CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8099BD
		mov	esi, [esp+60h+var_40]
		jmp	loc_80995A
; 

loc_91BCB2:				; CODE XREF: CmEnumerateKey+1CEj
		mov	ecx, eax
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		jmp	loc_8099D4
; END OF FUNCTION CHUNK	FOR CmEnumerateKey
; 
; START	OF FUNCTION CHUNK FOR CmpCheckLexicographicalOrder

loc_91BCBE:				; CODE XREF: CmpCheckLexicographicalOrder+89j
		mov	ax, [edi+48h]
		mov	word ptr [ebp+var_14], ax
		mov	word ptr [ebp+var_14+2], ax
		movzx	eax, word ptr [ebx+48h]
		push	0
		mov	[ebp+var_10], ecx
		lea	ecx, [ebp+var_14]
		push	eax
		call	_CmpCompareCompressedName@16 ; CmpCompareCompressedName(x,x,x,x)
		test	eax, eax
		js	loc_809B82
		mov	[ebp+arg_0], 0C000014Ch
		jmp	loc_809B89
; 

loc_91BCF0:				; CODE XREF: CmpCheckLexicographicalOrder+80j
		mov	[ebp+var_8], edx
		test	ax, ax
		jz	short loc_91BD29
		mov	ax, [ebx+48h]
		mov	edx, ecx
		mov	word ptr [ebp+var_C], ax
		lea	ecx, [ebp+var_C]
		mov	word ptr [ebp+var_C+2],	ax
		movzx	eax, word ptr [edi+48h]
		push	0
		push	eax
		call	_CmpCompareCompressedName@16 ; CmpCompareCompressedName(x,x,x,x)
		test	eax, eax
		jg	loc_809B82
		mov	[ebp+arg_0], 0C000014Ch
		jmp	loc_809B89
; 

loc_91BD29:				; CODE XREF: CmpCheckLexicographicalOrder+112216j
		mov	ax, [edi+48h]
		mov	word ptr [ebp+var_14], ax
		mov	word ptr [ebp+var_14+2], ax
		mov	ax, [ebx+48h]
		mov	word ptr [ebp+var_C], ax
		mov	word ptr [ebp+var_C+2],	ax
		lea	eax, [ebp+var_C]
		push	1
		push	eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		js	loc_809B82
		mov	[ebp+arg_0], 0C000014Ch
		jmp	loc_809B89
; END OF FUNCTION CHUNK	FOR CmpCheckLexicographicalOrder
; 
; START	OF FUNCTION CHUNK FOR CmpCompareTwoCompressedNames

loc_91BD67:				; CODE XREF: CmpCompareTwoCompressedNames+80j
		mov	ecx, edx
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		movzx	edx, ax
		mov	eax, [ebp+var_4]
		jmp	loc_809C5C
; END OF FUNCTION CHUNK	FOR CmpCompareTwoCompressedNames
; 
; START	OF FUNCTION CHUNK FOR NtEnumerateValueKey

loc_91BD79:				; CODE XREF: NtEnumerateValueKey+A8j
		mov	edx, 20000h
		lea	ecx, [ebp+var_58]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		jmp	loc_809D1E
; 

loc_91BD8B:				; CODE XREF: NtEnumerateValueKey+125j
		mov	esi, 0C0000189h
		jmp	loc_809F85
; 

loc_91BD95:				; CODE XREF: NtEnumerateValueKey+3E6j
		cmp	ds:_CmpTraceRoutine, edi
		jz	short loc_91BDE8
		test	esi, esi
		jz	short loc_91BDE8
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_BC], al
		mov	eax, ds:_CmKeyObjectType
		mov	[ebp+var_CC], edi
		push	0
		lea	ecx, [ebp+var_CC]
		push	ecx
		push	[ebp+var_BC]
		push	eax
		push	0
		push	esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_91BDE8
		mov	ecx, [ebp+var_CC]
		mov	edi, [ecx+8]
		call	ObfDereferenceObject

loc_91BDE8:				; CODE XREF: NtEnumerateValueKey+11212Bj
					; NtEnumerateValueKey+11212Fj ...
		mov	esi, 0C000000Dh
		jmp	loc_809F85
; 

loc_91BDF2:				; CODE XREF: NtEnumerateValueKey+17Fj
		mov	ecx, [ebp+var_B0]
		test	ecx, ecx
		jz	loc_809DF5
		mov	eax, [ecx+8]
		mov	[ebp+var_B8], eax
		mov	[ebp+var_BC], eax
		jmp	loc_809DF5
; 

loc_91BE14:				; CODE XREF: NtEnumerateValueKey+1B0j
					; NtEnumerateValueKey+1B8j
		mov	byte ptr [ecx],	0
		jmp	loc_809E2E
; 

loc_91BE1C:				; CODE XREF: NtEnumerateValueKey+1CDj
		mov	ecx, eax
		jmp	loc_809E43
; END OF FUNCTION CHUNK	FOR NtEnumerateValueKey

;  S U B	R O U T	I N E 


sub_91BE23	proc near		; DATA XREF: .text:006A5614o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0DCh], eax
		mov	eax, 1
		retn
sub_91BE23	endp


;  S U B	R O U T	I N E 


sub_91BE36	proc near		; DATA XREF: .text:006A5618o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0DCh]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-0BCh]
		jmp	loc_809F85
sub_91BE36	endp

; 
; START	OF FUNCTION CHUNK FOR NtEnumerateValueKey

loc_91BE51:				; CODE XREF: NtEnumerateValueKey+253j
		mov	edi, [ebp+var_B8]
		cmp	esi, 0C0000503h
		jnz	loc_809F85
		xor	esi, esi
		jmp	loc_809F85
; 

loc_91BE6A:				; CODE XREF: NtEnumerateValueKey+2A9j
		lea	ecx, [ebp+var_34]
		call	CmpAttachToRegistryProcess
		push	0		; int
		lea	eax, [ebp+var_C4]
		push	eax		; int
		push	edi		; size_t
		push	[ebp+var_A4]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		push	0		; char
		mov	edx, [ebp+var_C0]
		mov	ecx, [ebp+var_B0]
		call	_CmEnumerateValueKeyFromMergedView@36 ;	CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_809F40
; END OF FUNCTION CHUNK	FOR NtEnumerateValueKey

;  S U B	R O U T	I N E 


sub_91BEAC	proc near		; DATA XREF: .text:006A5620o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E0h], eax
		mov	eax, 1
		retn
sub_91BEAC	endp


;  S U B	R O U T	I N E 


sub_91BEBF	proc near		; DATA XREF: .text:006A5624o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0E0h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-0BCh]
		jmp	loc_809F85
sub_91BEBF	endp

; 
; START	OF FUNCTION CHUNK FOR NtEnumerateValueKey

loc_91BEDA:				; CODE XREF: NtEnumerateValueKey+31Dj
		call	ObfDereferenceObject
		jmp	loc_809F93
; 

loc_91BEE4:				; CODE XREF: NtEnumerateValueKey+37Ej
		push	0
		push	edi
		push	[ebp+arg_4]
		push	esi
		lea	ecx, [ebp+var_58]
		push	ecx
		push	12h
		call	eax
		jmp	loc_809FF4
; END OF FUNCTION CHUNK	FOR NtEnumerateValueKey
; 
; START	OF FUNCTION CHUNK FOR CmEnumerateValueKey

loc_91BEF8:				; CODE XREF: CmEnumerateValueKey+7Ej
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		jmp	loc_80A0E4
; 

loc_91BF0A:				; CODE XREF: CmEnumerateValueKey+C2j
		push	[esp+50h+var_34] ; int
		mov	edx, ebx
		mov	ecx, edi
		push	[ebp+arg_8]	; size_t
		push	[esp+58h+var_30] ; int
		push	[ebp+arg_0]	; int
		call	_CmEnumerateValueFromLayeredKey@24 ; CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)
		mov	edi, eax
		jmp	loc_80A222
; 

loc_91BF28:				; CODE XREF: CmEnumerateValueKey+E3j
		mov	al, [edi+1Ch]
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 2A9h
		add	eax, 0C000017Ch
		jmp	loc_80A14B
; 

loc_91BF43:				; CODE XREF: CmEnumerateValueKey+FBj
					; CmEnumerateValueKey+105j
		lea	edx, [esp+50h+var_3C]
		mov	ecx, edi
		call	CmpTransSearchAddTransFromKeyBody
		mov	[esp+50h+var_40], eax
		test	eax, eax
		js	loc_80A1EE
		mov	edx, [esp+50h+var_3C]
		mov	ecx, edi
		call	CmpPerformKeyBodyDeletionCheck
		mov	edi, eax
		test	edi, edi
		js	loc_80A1F2
		mov	eax, [esp+50h+var_3C]
		test	eax, eax
		jz	loc_80A16B
		cmp	eax, [esi+9Ch]
		mov	eax, 94h
		jz	loc_80A170
		jmp	loc_80A16B
; 

loc_91BF91:				; CODE XREF: CmEnumerateValueKey+1BCj
		test	dword ptr [esi+4], 80000h
		jz	loc_80A222
		mov	ecx, esi
		call	CmpFreeKeyControlBlock
		jmp	loc_80A222
; END OF FUNCTION CHUNK	FOR CmEnumerateValueKey
; 
; START	OF FUNCTION CHUNK FOR CmpDoFindSubKeyByNumber

loc_91BFAA:				; CODE XREF: CmpDoFindSubKeyByNumber+C9j
		mov	esi, [ecx+esi*4+4]
		lea	eax, [ebp+var_14]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		mov	eax, esi
		jmp	loc_80A2CC
; 

loc_91BFBF:				; CODE XREF: CmpDoFindSubKeyByNumber+42j
					; CmpDoFindSubKeyByNumber+62j
		mov	eax, [edx+esi*4+4]
		jmp	loc_80A2CC
; END OF FUNCTION CHUNK	FOR CmpDoFindSubKeyByNumber
; 
		db 0CCh
; 
; START	OF FUNCTION CHUNK FOR CmpCheckLeaf

loc_91BFC9:				; CODE XREF: CmpCheckLeaf+EBj
		lea	ecx, [ebp+var_28]
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)
		jmp	loc_80A4ED
; 

loc_91BFD6:				; CODE XREF: CmpCheckLeaf+16Ej
		lea	ecx, [ebp+var_28]
		call	_CmpGenerateFastLeafHintForUnicodeString@4 ; CmpGenerateFastLeafHintForUnicodeString(x)
		jmp	loc_80A4ED
; 

loc_91BFE3:				; CODE XREF: CmpCheckLeaf+115j
		test	[ebp+var_18], 20000h
		mov	edi, 0C000014Ch
		mov	[ebp+var_5], 1
		jnz	short loc_91C061
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_91C007
		test	byte ptr _CmpBootType, 6
		jz	short loc_91C061

loc_91C007:				; CODE XREF: CmpCheckLeaf+111C8Cj
		mov	ecx, [ebp+arg_8]
		mov	edx, 1
		push	20h
		push	0C000014Ch
		push	17h
		call	SetFailureLocation
		mov	edi, [ebp+var_10]
		mov	ecx, edi
		mov	edx, [ebp+arg_4]
		push	0
		push	0
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_91C055
		mov	[ebx], esi
		mov	eax, [edi+20h]
		or	dword ptr [eax+0FF8h], 4
		jmp	loc_80A48E
; 

loc_91C043:				; CODE XREF: CmpCheckLeaf+B8j
		mov	ebx, [ebp+var_C]

loc_91C046:				; CODE XREF: CmpCheckLeaf+A7j
		lea	eax, [ebp+var_20]
		push	eax
		mov	eax, [edi+8]
		push	edi
		call	eax
		jmp	loc_80A49B
; 

loc_91C055:				; CODE XREF: CmpCheckLeaf+111CC0j
		mov	edi, 0C000017Dh
		mov	eax, 30h
		jmp	short loc_91C066
; 

loc_91C061:				; CODE XREF: CmpCheckLeaf+111C83j
					; CmpCheckLeaf+111C95j
		mov	eax, 10h

loc_91C066:				; CODE XREF: CmpCheckLeaf+111CEFj
		mov	ecx, [ebp+arg_8]
		xor	edx, edx
		push	eax
		push	edi
		push	17h
		call	SetFailureLocation
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		mov	ecx, [ecx+8]
		call	ecx
		mov	eax, edi
		jmp	loc_80A4BC
; 

loc_91C088:				; CODE XREF: CmpCheckLeaf+96j
		mov	ecx, [ebp+arg_8]
		xor	edx, edx
		push	0
		push	0C000009Ah
		push	17h
		call	SetFailureLocation
		mov	eax, 0C000009Ah
		jmp	loc_80A4BC
; END OF FUNCTION CHUNK	FOR CmpCheckLeaf
; 
; START	OF FUNCTION CHUNK FOR NtResetWriteWatch

loc_91C0A5:				; CODE XREF: NtResetWriteWatch+53j
		mov	eax, 0C00000F0h
		jmp	loc_80A928
; 

loc_91C0AF:				; CODE XREF: NtResetWriteWatch+84j
		mov	al, [eax+15Ah]
		lea	ecx, [esp+40h+var_30]
		push	0
		push	0
		push	ecx
		push	77576D4Dh
		mov	byte ptr [esp+50h+var_2C], al
		mov	edx, 8
		push	[esp+50h+var_2C]
		mov	eax, ds:_PsProcessType
		mov	ecx, esi
		push	eax
		call	ObpReferenceObjectByHandleWithTag
		mov	[esp+40h+var_2C], eax
		test	eax, eax
		js	short loc_91C15E
		mov	eax, [esp+40h+var_30]
		xor	esi, esi
		mov	[esp+40h+var_30], eax
		cmp	edi, eax
		jz	loc_80A8E0
		lea	ecx, [esp+40h+var_1C]
		xor	edx, edx
		push	ecx
		mov	ecx, eax
		call	KiStackAttachProcess
		mov	esi, 1
		jmp	loc_80A8E0
; 

loc_91C10F:				; CODE XREF: NtResetWriteWatch+A2j
		mov	ebx, 0C00000EFh
		jmp	loc_80A913
; 

loc_91C119:				; CODE XREF: NtResetWriteWatch+109j
		shl	eax, 0Ch
		lea	ecx, [eax-1]
		test	ecx, ebx
		jnz	loc_80A907
		test	[esp+40h+var_24], ecx
		jz	loc_80A95F
		mov	ebx, 0C00000F1h
		jmp	loc_80A90C
; 

loc_91C13B:				; CODE XREF: NtResetWriteWatch+C5j
		xor	edx, edx
		lea	ecx, [esp+40h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_80A91B
; 

loc_91C14B:				; CODE XREF: NtResetWriteWatch+D0j
		mov	ecx, [esp+40h+var_30]
		mov	edx, 77576D4Dh
		call	ObfDereferenceObjectWithTag
		jmp	loc_80A926
; 

loc_91C15E:				; CODE XREF: NtResetWriteWatch+111893j
		mov	ebx, [esp+40h+var_2C]
		jmp	loc_80A926
; 

loc_91C167:				; CODE XREF: NtResetWriteWatch+5Ej
					; NtResetWriteWatch+66j
		mov	eax, 0C00000F1h
		jmp	loc_80A928
; END OF FUNCTION CHUNK	FOR NtResetWriteWatch
; 
; START	OF FUNCTION CHUNK FOR NtReleaseMutant

loc_91C171:				; CODE XREF: NtReleaseMutant+5Aj
		test	al, al
		jz	loc_80A9D0
		mov	[ebp+var_4], 0
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_91C18D
		mov	ecx, eax

loc_91C18D:				; CODE XREF: NtReleaseMutant+111819j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_80A9D0
; END OF FUNCTION CHUNK	FOR NtReleaseMutant

;  S U B	R O U T	I N E 


sub_91C19D	proc near		; DATA XREF: .text:006A563Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	eax, 1
		retn
sub_91C19D	endp


;  S U B	R O U T	I N E 


sub_91C1AD	proc near		; DATA XREF: .text:006A5640o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-30h]
		jmp	loc_80AA32
sub_91C1AD	endp

; 
; START	OF FUNCTION CHUNK FOR sub_80AA4E

loc_91C1BF:				; CODE XREF: sub_80AA4E+14j
		cmp	dword ptr [ebp-28h], 80h
		jz	loc_80AA68
		mov	dword ptr [ebp-2Ch], 0
		jmp	loc_80AA6F
; END OF FUNCTION CHUNK	FOR sub_80AA4E
; 
; START	OF FUNCTION CHUNK FOR NtReleaseMutant

loc_91C1D8:				; CODE XREF: NtReleaseMutant+AFj
		cmp	[ebp+var_19], 0
		jz	short loc_91C20E
		mov	[ebp+var_4], 2
		mov	[ebx], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_80AA25
; END OF FUNCTION CHUNK	FOR NtReleaseMutant

;  S U B	R O U T	I N E 


sub_91C1F3	proc near		; DATA XREF: .text:006A5654o
		mov	eax, 1
		retn
sub_91C1F3	endp


;  S U B	R O U T	I N E 


sub_91C1F9	proc near		; DATA XREF: .text:006A5658o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-20h]
		mov	esi, [ebp+0Ch]
		jmp	loc_80AA25
sub_91C1F9	endp

; 
; START	OF FUNCTION CHUNK FOR NtReleaseMutant

loc_91C20E:				; CODE XREF: NtReleaseMutant+11186Cj
		mov	[ebx], eax
		jmp	loc_80AA25
; END OF FUNCTION CHUNK	FOR NtReleaseMutant
; 
; START	OF FUNCTION CHUNK FOR NtQueryKey

loc_91C215:				; CODE XREF: NtQueryKey+B7j
		mov	edx, 20000h
		lea	ecx, [ebp+var_44]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		jmp	loc_80AB5D
; 

loc_91C227:				; CODE XREF: NtQueryKey+133j
		mov	edi, 0C0000189h
		jmp	loc_80ADF6
; 

loc_91C231:				; CODE XREF: NtQueryKey+441j
		cmp	esi, 1
		jz	loc_80ABE6
		cmp	esi, 6
		jz	loc_80ABE6
		cmp	ds:_CmpTraceRoutine, 0
		jz	short loc_91C2A1
		test	ebx, ebx
		jz	short loc_91C2A1
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_9C], al
		mov	eax, ds:_CmKeyObjectType
		mov	[ebp+var_AC], 0
		push	0
		lea	ecx, [ebp+var_AC]
		push	ecx
		push	[ebp+var_9C]
		push	eax
		push	0
		push	ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_91C2A1
		mov	ecx, [ebp+var_AC]
		mov	eax, [ecx+8]
		mov	[ebp+var_B8], eax
		call	ObfDereferenceObject

loc_91C2A1:				; CODE XREF: NtQueryKey+1117AAj
					; NtQueryKey+1117AEj ...
		mov	edi, 0C000000Dh
		jmp	loc_80ADF6
; 

loc_91C2AB:				; CODE XREF: NtQueryKey+187j
		mov	ecx, eax
		jmp	loc_80AC2D
; END OF FUNCTION CHUNK	FOR NtQueryKey

;  S U B	R O U T	I N E 


sub_91C2B2	proc near		; DATA XREF: .text:006A5674o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C8h], eax
		mov	eax, 1
		retn
sub_91C2B2	endp


;  S U B	R O U T	I N E 


sub_91C2C5	proc near		; DATA XREF: .text:006A5678o

; FUNCTION CHUNK AT 0091C388 SIZE 00000012 BYTES

		mov	edi, [ebp-0C8h]
		jmp	loc_91C388
sub_91C2C5	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryKey

loc_91C2D0:				; CODE XREF: NtQueryKey+204j
		mov	eax, [edi+8]
		mov	[ebp+var_B8], eax
		jmp	loc_80ACAA
; 

loc_91C2DE:				; CODE XREF: NtQueryKey+21Aj
		mov	edi, 0C0000022h
		jmp	loc_80ADF6
; 

loc_91C2E8:				; CODE XREF: NtQueryKey+28Fj
		cmp	edi, 0C0000503h
		jnz	loc_80ADF6
		xor	edi, edi
		jmp	loc_80ADF6
; 

loc_91C2FB:				; CODE XREF: NtQueryKey+481j
		mov	edi, 0C0000023h
		mov	[ebp+var_B0], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_80ADF6
; END OF FUNCTION CHUNK	FOR NtQueryKey

;  S U B	R O U T	I N E 


sub_91C312	proc near		; DATA XREF: .text:006A568Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D4h], eax
		mov	eax, 1
		retn
sub_91C312	endp


;  S U B	R O U T	I N E 


sub_91C325	proc near		; DATA XREF: .text:006A5690o
		mov	edi, [ebp-0D4h]
		jmp	short loc_91C382
sub_91C325	endp


;  S U B	R O U T	I N E 


sub_91C32D	proc near		; DATA XREF: .text:006A5698o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D8h], eax
		mov	eax, 1
		retn
sub_91C32D	endp


;  S U B	R O U T	I N E 


sub_91C340	proc near		; DATA XREF: .text:006A569Co
		mov	edi, [ebp-0D8h]
		jmp	short loc_91C388
sub_91C340	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryKey

loc_91C348:				; CODE XREF: NtQueryKey+4A4j
		mov	edi, 0C0000008h
		jmp	loc_80ADF6
; 

loc_91C352:				; CODE XREF: NtQueryKey+4C0j
		mov	edi, 0C0000023h
		mov	[ebp+var_B0], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_80ADF6
; END OF FUNCTION CHUNK	FOR NtQueryKey

;  S U B	R O U T	I N E 


sub_91C369	proc near		; DATA XREF: .text:006A5680o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0DCh], eax
		mov	eax, 1
		retn
sub_91C369	endp


;  S U B	R O U T	I N E 


sub_91C37C	proc near		; DATA XREF: .text:006A5684o
		mov	edi, [ebp-0DCh]

loc_91C382:				; CODE XREF: sub_91C325+6j
		mov	[ebp-0B0h], edi
sub_91C37C	endp

; START	OF FUNCTION CHUNK FOR sub_91C2C5

loc_91C388:				; CODE XREF: sub_91C2C5+6j
					; sub_91C340+6j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp+0Ch]
		jmp	loc_80ADF6
; END OF FUNCTION CHUNK	FOR sub_91C2C5
; 
; START	OF FUNCTION CHUNK FOR NtQueryKey

loc_91C39A:				; CODE XREF: NtQueryKey+35Ej
		call	ObfDereferenceObject
		jmp	loc_80AE04
; 

loc_91C3A4:				; CODE XREF: NtQueryKey+3BFj
		push	0
		push	[ebp+var_B8]
		push	esi
		push	edi
		lea	ecx, [ebp+var_44]
		push	ecx
		push	0Dh
		call	eax
		jmp	loc_80AE65
; END OF FUNCTION CHUNK	FOR NtQueryKey
; 
; START	OF FUNCTION CHUNK FOR CmQueryKey

loc_91C3BB:				; CODE XREF: CmQueryKey+D9j
					; CmQueryKey+E3j
		mov	ecx, edi
		call	_CmpLockKcbShared@4 ; CmpLockKcbShared(x)
		xor	edx, edx
		mov	ecx, ebx
		call	CmpIsKeyDeletedForKeyBody
		mov	ecx, edi
		test	al, al
		jz	short loc_91C402
		mov	eax, [ebx+1Ch]
		and	al, 1
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 2A9h
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		lea	eax, [esi-3FFFFE84h]
		jmp	loc_80B1BC
; 

loc_91C402:				; CODE XREF: CmQueryKey+11142Fj
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		lea	edx, [ebp+var_7C]
		mov	ecx, ebx
		call	CmpTransSearchAddTransFromKeyBody
		mov	edi, eax
		mov	[ebp+var_6C], edi
		test	edi, edi
		jns	loc_80B089
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_80B1BA
; 

loc_91C432:				; CODE XREF: CmQueryKey+EBj
		mov	eax, [esi+8]
		mov	[ebp+var_74], eax
		mov	[ebp+var_94], eax
		jmp	loc_80B091
; 

loc_91C443:				; CODE XREF: CmQueryKey+F6j
		mov	edx, ecx
		mov	ecx, [esi+8]
		call	_CmpLockTwoKcbsShared@8	; CmpLockTwoKcbsShared(x,x)
		jmp	loc_80B0A1
; 

loc_91C452:				; CODE XREF: CmQueryKey+129j
		test	byte ptr [ebx+1Ch], 1
		jz	short loc_91C465
		mov	edi, 0C0000425h
		mov	[ebp+var_6C], edi
		jmp	loc_80B1AE
; 

loc_91C465:				; CODE XREF: CmQueryKey+1114B6j
		mov	edi, 0C000017Ch
		jmp	loc_80B0D1
; 

loc_91C46F:				; CODE XREF: CmQueryKey+154j
		lea	edx, [ebp+var_A8]
		mov	ecx, eax
		call	_CmVirtualKCBToRealPath@8 ; CmVirtualKCBToRealPath(x,x)
		test	eax, eax
		js	loc_80B127
		lea	eax, [ebp+var_A8]
		jmp	loc_80B121
; 

loc_91C48F:				; CODE XREF: CmQueryKey+13Ej
					; CmQueryKey+18Ej
		mov	edi, 0C000009Ah
		mov	[ebp+var_6C], edi
		jmp	loc_80B1AE
; END OF FUNCTION CHUNK	FOR CmQueryKey

;  S U B	R O U T	I N E 


sub_91C49C	proc near		; DATA XREF: .text:006A56C0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0ACh], eax
		mov	eax, 1
		retn
sub_91C49C	endp


;  S U B	R O U T	I N E 


sub_91C4AF	proc near		; DATA XREF: .text:006A56C4o
		mov	edi, [ebp-0ACh]
		jmp	short loc_91C4BD
; 

loc_91C4B7:				; DATA XREF: .text:006A56D0o
		mov	edi, [ebp-0B0h]

loc_91C4BD:				; CODE XREF: sub_91C4AF+6j
		mov	esp, [ebp-18h]
		mov	[ebp-6Ch], edi
		mov	dword ptr [ebp-4], 0
		mov	ebx, [ebp-80h]
		mov	esi, [ebp-84h]
		jmp	loc_80B186
sub_91C4AF	endp

; 
; START	OF FUNCTION CHUNK FOR CmQueryKey

loc_91C4D8:				; CODE XREF: CmQueryKey+23Cj
		mov	edx, [ebp+var_7C]
		mov	ecx, esi
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jz	loc_80B1E2

loc_91C4EA:				; CODE XREF: CmQueryKey+24Ej
		mov	al, [ebx+1Ch]
		and	al, 1
		movzx	edi, al
		neg	edi
		sbb	edi, edi
		and	edi, 2A9h
		add	edi, 0C000017Ch
		mov	[ebp+var_6C], edi
		jmp	loc_80B1AE
; 

loc_91C50A:				; CODE XREF: CmQueryKey+31Fj
		mov	edi, 0C0000023h
		mov	edx, [ebp+var_70]
		jmp	loc_80B30F
; END OF FUNCTION CHUNK	FOR CmQueryKey

;  S U B	R O U T	I N E 


sub_91C517	proc near		; DATA XREF: .text:006A56CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B0h], eax
		mov	eax, 1
		retn
sub_91C517	endp

; 
; START	OF FUNCTION CHUNK FOR CmQueryKey

loc_91C52A:				; CODE XREF: CmQueryKey+260j
		xor	eax, eax
		lea	edi, [ebp+var_E8]
		stosd
		stosd
		stosd
		stosd
		mov	esi, large fs:124h
		lea	eax, [ebp+var_E8]
		push	eax
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		push	eax
		push	esi
		call	SeCaptureSubjectContextEx
		mov	[ebp+var_4], 3
		mov	edx, [ebp+var_78]
		mov	dword ptr [edx], 4
		cmp	[ebp+arg_8], 4
		jnb	short loc_91C570
		mov	edi, 0C0000023h
		jmp	loc_91C5F3
; 

loc_91C570:				; CODE XREF: CmQueryKey+1115C4j
		push	ecx
		lea	edx, [ebp+var_E8]
		mov	ecx, [ebp+var_94]
		call	KCBNeedsVirtualImage
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	edx, [ebp+var_70]
		mov	edi, [edx]
		and	edi, 0FFFFFFFEh
		or	edi, ecx
		mov	[edx], edi
		and	edi, 0FFFFFFFDh
		mov	[edx], edi
		mov	esi, edi
		test	al, al
		mov	eax, [ebp+var_94]
		jz	short loc_91C5B1
		test	byte ptr [eax+68h], 20h
		jnz	short loc_91C5B1
		or	esi, 2
		mov	[edx], esi

loc_91C5B1:				; CODE XREF: CmQueryKey+111604j
					; CmQueryKey+11160Aj
		cmp	_CmpVEEnabled, 0
		jz	short loc_91C5CA
		test	dword ptr [eax+68h], 1000000h
		jz	short loc_91C5CA
		mov	ecx, 4
		jmp	short loc_91C5CC
; 

loc_91C5CA:				; CODE XREF: CmQueryKey+111618j
					; CmQueryKey+111621j
		xor	ecx, ecx

loc_91C5CC:				; CODE XREF: CmQueryKey+111628j
		and	esi, 0FFFFFFFBh
		or	esi, ecx
		mov	[edx], esi
		mov	ecx, [eax+68h]
		shr	ecx, 16h
		xor	ecx, esi
		and	ecx, 8
		xor	ecx, esi
		mov	[edx], ecx
		mov	eax, [eax+68h]
		shr	eax, 13h
		xor	eax, ecx
		and	eax, 10h
		xor	eax, ecx
		mov	[edx], eax
		xor	edi, edi

loc_91C5F3:				; CODE XREF: CmQueryKey+1115CBj
		mov	[ebp+var_6C], edi
		mov	[ebp+var_4], 0
		mov	esi, [ebp+var_98]
		jmp	short loc_91C634
; END OF FUNCTION CHUNK	FOR CmQueryKey

;  S U B	R O U T	I N E 


sub_91C605	proc near		; DATA XREF: .text:006A56D8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B4h], eax
		mov	eax, 1
		retn
sub_91C605	endp


;  S U B	R O U T	I N E 


sub_91C618	proc near		; DATA XREF: .text:006A56DCo
		mov	esp, [ebp-18h]
		mov	edi, [ebp-0B4h]
		mov	[ebp-6Ch], edi
		mov	dword ptr [ebp-4], 0
		mov	ebx, [ebp-80h]
		mov	esi, [ebp-84h]
sub_91C618	endp

; START	OF FUNCTION CHUNK FOR CmQueryKey

loc_91C634:				; CODE XREF: CmQueryKey+111663j
		lea	eax, [ebp+var_E8]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_80B186
; 

loc_91C645:				; CODE XREF: CmQueryKey+2B2j
		mov	edi, 0C0000023h
		mov	[ebp+var_6C], edi
		jmp	loc_80B1AE
; 

loc_91C652:				; CODE XREF: CmQueryKey+2CAj
		and	ecx, 0FFFFFFFEh
		jmp	loc_80B273
; 

loc_91C65A:				; CODE XREF: CmQueryKey+1EFj
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 3
		jz	short loc_91C6C6
		cmp	ecx, 5
		jz	short loc_91C6C6
		cmp	ecx, 6
		jz	short loc_91C6C6
		mov	eax, [esi+8]
		mov	edx, [eax+58h]
		mov	[ebp+var_88], edx
		mov	edx, [eax+5Ch]
		mov	[ebp+var_90], edx
		mov	eax, [ebx+8]
		mov	[ebp+var_98], eax
		mov	eax, [eax+5Ch]
		cmp	eax, edx
		mov	edx, [ebp+var_70]
		jg	short loc_91C6C6
		jl	short loc_91C6A7
		mov	eax, [ebp+var_98]
		mov	eax, [eax+58h]
		cmp	eax, [ebp+var_88]
		jnb	short loc_91C6C6

loc_91C6A7:				; CODE XREF: CmQueryKey+1116F4j
		mov	[ebp+var_4], 4
		mov	eax, [ebp+var_88]
		mov	[edx], eax
		mov	eax, [ebp+var_90]
		mov	[edx+4], eax
		mov	[ebp+var_4], 0

loc_91C6C6:				; CODE XREF: CmQueryKey+1116C0j
					; CmQueryKey+1116C5j ...
		cmp	ecx, 2
		jz	short loc_91C6D4
		cmp	ecx, 4
		jnz	loc_80B1AE

loc_91C6D4:				; CODE XREF: CmQueryKey+111729j
		mov	[ebp+var_74], 0
		mov	[ebp+var_C0], 0
		mov	[ebp+var_BC], 0
		push	30h		; size_t
		push	0		; int
		lea	eax, [ebp+var_68]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_74]
		push	eax
		push	0
		lea	eax, [ebp+var_BC]
		push	eax
		lea	eax, [ebp+var_C0]
		push	eax
		lea	eax, [ebp+var_A0]
		push	eax
		push	[ebp+var_7C]
		push	0FFFFFFFFh
		mov	edx, [ebx+8]
		mov	ecx, [esi+8]
		call	_CmpFindSubKeyByNumberFromMergedView@36	; CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_6C], eax
		cmp	eax, 8000001Ah
		jnz	short loc_91C796
		mov	[ebp+var_4], 5
		mov	edi, [ebp+arg_0]
		mov	eax, [ebp+var_74]
		mov	ecx, [ebp+var_70]
		cmp	edi, 2
		jnz	short loc_91C76C
		mov	[ecx+14h], eax
		jmp	short loc_91C76F
; END OF FUNCTION CHUNK	FOR CmQueryKey

;  S U B	R O U T	I N E 


sub_91C74E	proc near		; DATA XREF: .text:006A56E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B8h], eax
		mov	eax, 1
		retn
sub_91C74E	endp


;  S U B	R O U T	I N E 


sub_91C761	proc near		; DATA XREF: .text:006A56E8o

; FUNCTION CHUNK AT 0091C952 SIZE 0000001B BYTES

		mov	edi, [ebp-0B8h]
		jmp	loc_91C952
sub_91C761	endp

; 
; START	OF FUNCTION CHUNK FOR CmQueryKey

loc_91C76C:				; CODE XREF: CmQueryKey+1117A7j
		mov	[ecx+0Ch], eax

loc_91C76F:				; CODE XREF: CmQueryKey+1117ACj
		mov	[ebp+var_4], 0
		jmp	short loc_91C799
; END OF FUNCTION CHUNK	FOR CmQueryKey

;  S U B	R O U T	I N E 


sub_91C778	proc near		; DATA XREF: .text:006A56F0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C4h], eax
		mov	eax, 1
		retn
sub_91C778	endp


;  S U B	R O U T	I N E 


sub_91C78B	proc near		; DATA XREF: .text:006A56F4o
		mov	edi, [ebp-0C4h]
		jmp	loc_91C952
sub_91C78B	endp

; 
; START	OF FUNCTION CHUNK FOR CmQueryKey

loc_91C796:				; CODE XREF: CmQueryKey+111792j
		mov	edi, [ebp+arg_0]

loc_91C799:				; CODE XREF: CmQueryKey+1117D6j
		lea	eax, [ebp+var_74]
		push	eax		; int
		push	0		; int
		push	0		; size_t
		push	0		; int
		push	0		; int
		push	0FFFFFFFFh	; int
		push	1		; char
		mov	edx, esi
		mov	ecx, ebx
		call	_CmEnumerateValueKeyFromMergedView@36 ;	CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_6C], eax
		cmp	eax, 8000001Ah
		jnz	short loc_91C7DD
		mov	[ebp+var_4], 6
		mov	eax, [ebp+var_74]
		mov	ecx, [ebp+var_70]
		cmp	edi, 2
		jnz	short loc_91C7D3
		mov	[ecx+20h], eax
		jmp	short loc_91C7D6
; 

loc_91C7D3:				; CODE XREF: CmQueryKey+11182Cj
		mov	[ecx+14h], eax

loc_91C7D6:				; CODE XREF: CmQueryKey+111831j
		mov	[ebp+var_4], 0

loc_91C7DD:				; CODE XREF: CmQueryKey+11181Aj
		push	[ebp+var_7C]
		push	[ebp+var_78]
		push	30h
		lea	eax, [ebp+var_68]
		push	eax
		mov	edx, edi
		mov	ecx, [ebx+8]
		call	_CmpQueryKeyData@24 ; CmpQueryKeyData(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_6C], edi
		test	edi, edi
		jns	short loc_91C808
		cmp	edi, 80000005h
		jnz	loc_80B1AE

loc_91C808:				; CODE XREF: CmQueryKey+11185Aj
		mov	[ebp+var_4], 7
		mov	eax, [ebp+var_70]
		cmp	[ebp+arg_0], 2
		jnz	short loc_91C859
		mov	ecx, [ebp+var_50]
		cmp	ecx, [eax+18h]
		jbe	short loc_91C823
		mov	[eax+18h], ecx

loc_91C823:				; CODE XREF: CmQueryKey+11187Ej
		mov	ecx, [ebp+var_44]
		cmp	ecx, [eax+24h]
		jbe	short loc_91C82E
		mov	[eax+24h], ecx

loc_91C82E:				; CODE XREF: CmQueryKey+111889j
		mov	ecx, [ebp+var_40]
		cmp	ecx, [eax+28h]
		jbe	short loc_91C87A
		mov	[eax+28h], ecx
		jmp	short loc_91C87A
; END OF FUNCTION CHUNK	FOR CmQueryKey

;  S U B	R O U T	I N E 


sub_91C83B	proc near		; DATA XREF: .text:006A56FCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C8h], eax
		mov	eax, 1
		retn
sub_91C83B	endp


;  S U B	R O U T	I N E 


sub_91C84E	proc near		; DATA XREF: .text:006A5700o
		mov	edi, [ebp-0C8h]
		jmp	loc_91C952
sub_91C84E	endp

; 
; START	OF FUNCTION CHUNK FOR CmQueryKey

loc_91C859:				; CODE XREF: CmQueryKey+111876j
		mov	ecx, [ebp+var_58]
		cmp	ecx, [eax+10h]
		jbe	short loc_91C864
		mov	[eax+10h], ecx

loc_91C864:				; CODE XREF: CmQueryKey+1118BFj
		mov	ecx, [ebp+var_50]
		cmp	ecx, [eax+18h]
		jbe	short loc_91C86F
		mov	[eax+18h], ecx

loc_91C86F:				; CODE XREF: CmQueryKey+1118CAj
		mov	ecx, [ebp+var_4C]
		cmp	ecx, [eax+1Ch]
		jbe	short loc_91C87A
		mov	[eax+1Ch], ecx

loc_91C87A:				; CODE XREF: CmQueryKey+111894j
					; CmQueryKey+111899j ...
		mov	[ebp+var_4], 0
		jmp	loc_80B1AE
; END OF FUNCTION CHUNK	FOR CmQueryKey

;  S U B	R O U T	I N E 


sub_91C886	proc near		; DATA XREF: .text:006A5708o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0CCh], eax
		mov	eax, 1
		retn
sub_91C886	endp


;  S U B	R O U T	I N E 


sub_91C899	proc near		; DATA XREF: .text:006A570Co
		mov	edi, [ebp-0CCh]
		jmp	loc_91C952
sub_91C899	endp

; 
; START	OF FUNCTION CHUNK FOR CmQueryKey

loc_91C8A4:				; CODE XREF: CmQueryKey+208j
		mov	eax, [ebp+arg_0]
		cmp	eax, 2
		jz	short loc_91C8B5
		cmp	eax, 4
		jnz	loc_80B1AE

loc_91C8B5:				; CODE XREF: CmQueryKey+11190Aj
		mov	[ebp+var_88], 0
		mov	[ebp+var_D4], 0
		mov	[ebp+var_D0], 0
		lea	eax, [ebp+var_88]
		push	eax
		push	0
		lea	eax, [ebp+var_D0]
		push	eax
		lea	eax, [ebp+var_D4]
		push	eax
		lea	eax, [ebp+var_A0]
		push	eax
		push	[ebp+var_7C]
		push	0FFFFFFFFh
		xor	edx, edx
		call	_CmpFindSubKeyByNumberFromMergedView@36	; CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_6C], edi
		cmp	edi, 8000001Ah
		jnz	loc_80B1AE
		mov	[ebp+var_4], 8
		mov	eax, [ebp+var_88]
		mov	ecx, [ebp+var_70]
		cmp	[ebp+arg_0], 2
		jnz	short loc_91C929
		mov	[ecx+14h], eax
		jmp	short loc_91C92C
; 

loc_91C929:				; CODE XREF: CmQueryKey+111982j
		mov	[ecx+0Ch], eax

loc_91C92C:				; CODE XREF: CmQueryKey+111987j
		xor	edi, edi
		mov	[ebp+var_6C], edi
		mov	[ebp+var_4], edi
		jmp	loc_80B1AE
; END OF FUNCTION CHUNK	FOR CmQueryKey

;  S U B	R O U T	I N E 


sub_91C939	proc near		; DATA XREF: .text:006A5714o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D8h], eax
		mov	eax, 1
		retn
sub_91C939	endp


;  S U B	R O U T	I N E 


sub_91C94C	proc near		; DATA XREF: .text:006A5718o
		mov	edi, [ebp-0D8h]
sub_91C94C	endp

; START	OF FUNCTION CHUNK FOR sub_91C761

loc_91C952:				; CODE XREF: sub_91C761+6j
					; sub_91C78B+6j ...
		mov	esp, [ebp-18h]
		mov	[ebp-6Ch], edi
		mov	dword ptr [ebp-4], 0
		mov	ebx, [ebp-80h]
		mov	esi, [ebp-84h]
		jmp	loc_80B1AE
; END OF FUNCTION CHUNK	FOR sub_91C761
; 

loc_91C96D:				; DATA XREF: .text:006A56B8o
		mov	edi, [ebp-6Ch]
		mov	ebx, [ebp-80h]
		mov	esi, [ebp-84h]
		jmp	sub_80B31E
; 
; START	OF FUNCTION CHUNK FOR sub_80B31E

loc_91C97E:				; CODE XREF: sub_80B31E+2j
		mov	edx, [ebx+8]
		mov	ecx, [esi+8]
		call	CmpUnlockTwoKcbs
		jmp	loc_80B32E
; 

loc_91C98E:				; CODE XREF: sub_80B31E+33j
		lea	eax, [ebp-0A8h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	locret_80B36B
; END OF FUNCTION CHUNK	FOR sub_80B31E
; 
; START	OF FUNCTION CHUNK FOR CmpAttachToRegistryProcess

loc_91C99F:				; CODE XREF: CmpAttachToRegistryProcess+Dj
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		jmp	loc_80B393
; END OF FUNCTION CHUNK	FOR CmpAttachToRegistryProcess
; 
; START	OF FUNCTION CHUNK FOR CmpIsKeyDeletedForKeyBody

loc_91C9B1:				; CODE XREF: CmpIsKeyDeletedForKeyBody+46j
					; CmpIsKeyDeletedForKeyBody+4Fj
		mov	ecx, [eax+1Ch]
		mov	edx, esi
		call	CmEqualTrans
		test	al, al
		jnz	loc_80B40D
		jmp	loc_80B3BE
; END OF FUNCTION CHUNK	FOR CmpIsKeyDeletedForKeyBody
; 
; START	OF FUNCTION CHUNK FOR CmpGetValueData

loc_91C9C8:				; CODE XREF: CmpGetValueData+FBj
		mov	byte ptr [ebp+arg_10+3], 0
		jmp	loc_80C28B
; 

loc_91C9D1:				; CODE XREF: CmpGetValueData+116j
					; CmpGetValueData+149j
		mov	byte ptr [ebp+arg_10+3], 0
		jmp	loc_80C281
; 

loc_91C9DA:				; CODE XREF: CmpGetValueData+1ACj
		test	eax, eax
		jz	short loc_91C9E6
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_91C9E6:				; CODE XREF: CmpGetValueData+5Fj
					; CmpGetValueData+84j ...
		xor	al, al
		jmp	loc_80C157
; END OF FUNCTION CHUNK	FOR CmpGetValueData
; 
; START	OF FUNCTION CHUNK FOR SeOpenObjectAuditAlarmWithTransaction

loc_91C9ED:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+CDj
		mov	ecx, [esp+58h+var_4A+2]
		test	ecx, ecx
		jnz	short loc_91CA23
		lea	esi, [esp+58h+var_10]
		mov	eax, esi
		mov	[esp+58h+var_34], esi
		push	eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	edx, [esp+58h+var_40]
		mov	al, [esp+58h+var_4B]
		jmp	short loc_91CA29
; 

loc_91CA23:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110733j
		mov	esi, ecx
		mov	[esp+58h+var_34], ecx

loc_91CA29:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110761j
		mov	ecx, [esi]
		mov	[esp+58h+var_18], ecx
		test	ecx, ecx
		jnz	short loc_91CA51
		mov	ecx, [esi+8]
		mov	[esp+58h+var_18], ecx
		test	ecx, ecx
		jnz	short loc_91CA51
		push	0C000007Ch
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		mov	edx, [esp+58h+var_40]
		jmp	loc_91CAFD
; 

loc_91CA51:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110771j
					; SeOpenObjectAuditAlarmWithTransaction+11077Cj
		cmp	byte ptr [ecx+77h], 2
		jnz	loc_91CB01
		xor	esi, esi
		xor	ecx, ecx
		mov	[esp+58h+var_24], esi
		mov	[esp+58h+var_20], esi

loc_91CA67:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1107B6j
		movzx	eax, ds:_AdtpPerCategoryCount[ecx]
		add	ecx, 2
		add	esi, eax
		cmp	ecx, 4
		jb	short loc_91CA67
		lea	eax, [esi+0Eh]
		mov	[esp+58h+var_14], eax
		cmp	esi, eax
		jb	short loc_91CA89
		xor	ecx, ecx
		xor	eax, eax
		jmp	short loc_91CAD7
; 

loc_91CA89:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1107C1j
					; SeOpenObjectAuditAlarmWithTransaction+110815j
		mov	ecx, [esp+58h+var_18]
		mov	eax, esi
		shr	eax, 1
		movzx	eax, byte ptr [eax+ecx+58h]
		mov	ecx, esi
		and	ecx, 1
		shl	ecx, 2
		shr	eax, cl
		test	al, 1
		jz	short loc_91CAB4
		test	bl, 2
		jnz	short loc_91CAED
		mov	ecx, [esp+58h+var_24]
		inc	ecx
		mov	[esp+58h+var_24], ecx
		jmp	short loc_91CAB8
; 

loc_91CAB4:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1107E2j
		mov	ecx, [esp+58h+var_24]

loc_91CAB8:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1107F2j
		test	al, 4
		jz	short loc_91CACC
		test	bl, 20h
		jnz	short loc_91CAED
		mov	eax, [esp+58h+var_20]
		inc	eax
		mov	[esp+58h+var_20], eax
		jmp	short loc_91CAD0
; 

loc_91CACC:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1107FAj
		mov	eax, [esp+58h+var_20]

loc_91CAD0:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+11080Aj
		inc	esi
		cmp	esi, [esp+58h+var_14]
		jb	short loc_91CA89

loc_91CAD7:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1107C7j
		test	bl, 1
		jz	short loc_91CAE2
		cmp	cx, 0Eh
		jz	short loc_91CAED

loc_91CAE2:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+11081Aj
		test	bl, 10h
		jz	short loc_91CAF9
		cmp	ax, 0Eh
		jnz	short loc_91CAF9

loc_91CAED:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1107E7j
					; SeOpenObjectAuditAlarmWithTransaction+1107FFj ...
		mov	esi, [esp+58h+var_34]
		mov	al, 1
		mov	[esp+58h+var_4B], al
		jmp	short loc_91CB01
; 

loc_91CAF9:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110825j
					; SeOpenObjectAuditAlarmWithTransaction+11082Bj
		mov	esi, [esp+58h+var_34]

loc_91CAFD:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+11078Cj
		mov	al, [esp+58h+var_4B]

loc_91CB01:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110795j
					; SeOpenObjectAuditAlarmWithTransaction+110837j
		cmp	[esp+58h+var_4A+2], 0
		jnz	loc_80C453
		push	esi
		call	SeReleaseSubjectContext
		mov	edx, [esp+58h+var_40]
		mov	al, [esp+58h+var_4B]
		jmp	loc_80C453
; 

loc_91CB1F:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+BAj
					; SeOpenObjectAuditAlarmWithTransaction+19Ej
		push	edx
		mov	edx, [ebp+arg_0]
		push	ecx
		mov	ecx, [ebp+arg_4]
		call	_SepAdtClassifyObjectIntoSubCategory@16	; SepAdtClassifyObjectIntoSubCategory(x,x,x,x)
		mov	esi, [esp+58h+var_4A+2]
		mov	cx, ax
		mov	ebx, [esp+58h+var_40]
		mov	dl, byte ptr [ebp+arg_18]
		movzx	eax, cx
		push	esi
		movzx	ecx, cx
		push	ebx
		mov	[esp+60h+var_28], eax
		call	SepAdtAuditThisEventWithContext
		test	al, al
		jz	loc_91CC56
		mov	eax, [ebp+arg_10]
		mov	edx, [ebp+arg_C]
		mov	esi, [eax+14h]
		or	esi, [eax+10h]
		movzx	eax, word ptr [edx+2]
		mov	[esp+58h+var_18], esi
		mov	ecx, eax
		mov	[esp+58h+var_14], ecx
		test	al, 10h
		jnz	short loc_91CB77
		xor	edx, edx
		xor	ecx, ecx
		jmp	short loc_91CB9F
; 

loc_91CB77:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1108AFj
		test	cx, cx
		mov	ecx, [edx+0Ch]
		mov	edx, ecx
		jns	short loc_91CB8C
		mov	eax, [ebp+arg_C]
		add	eax, ecx
		neg	edx
		sbb	edx, edx
		and	edx, eax

loc_91CB8C:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1108BFj
		cmp	word ptr [esp+58h+var_14], 0
		jge	short loc_91CB9F
		mov	eax, [ebp+arg_C]
		add	eax, ecx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_91CB9F:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1108B5j
					; SeOpenObjectAuditAlarmWithTransaction+1108D2j
		lea	eax, [esp+58h+var_4A+1]
		push	eax
		lea	eax, [esp+5Ch+var_4A]
		push	eax
		push	[ebp+arg_18]
		push	esi
		push	edi
		push	edx
		push	ecx
		call	_SeExamineSacl@28 ; SeExamineSacl(x,x,x,x,x,x,x)
		mov	edx, [ebp+arg_C]
		movzx	eax, word ptr [edx+2]
		mov	ecx, eax
		test	al, 10h
		jnz	short loc_91CBC6
		xor	edx, edx
		jmp	short loc_91CBD9
; 

loc_91CBC6:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110900j
		mov	edx, [edx+0Ch]
		test	cx, cx
		jns	short loc_91CBD9
		mov	eax, [ebp+arg_C]
		add	eax, edx
		neg	edx
		sbb	edx, edx
		and	edx, eax

loc_91CBD9:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110904j
					; SeOpenObjectAuditAlarmWithTransaction+11090Cj
		mov	ecx, [ebp+arg_0]
		lea	eax, [esp+58h+var_4A+1]
		push	eax
		lea	eax, [esp+5Ch+var_4A]
		push	eax
		push	[ebp+arg_18]
		push	esi
		push	edi
		call	_SeExamineGlobalSacl@28	; SeExamineGlobalSacl(x,x,x,x,x,x,x)
		cmp	byte ptr [esp+58h+var_4A], 0
		mov	ecx, [ebp+arg_18]
		jz	loc_80C397
		mov	eax, [ebp+arg_24]
		mov	byte ptr [eax],	1
		test	cl, cl
		jz	loc_80C397
		mov	edx, [ebp+arg_C]
		movzx	eax, word ptr [edx+2]
		mov	ecx, eax
		test	al, 10h
		jnz	short loc_91CC1D
		xor	ecx, ecx
		jmp	short loc_91CC2E
; 

loc_91CC1D:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110957j
		test	cx, cx
		mov	ecx, [edx+0Ch]
		jns	short loc_91CC2E
		lea	eax, [ecx+edx]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_91CC2E:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+11095Bj
					; SeOpenObjectAuditAlarmWithTransaction+110963j
		mov	esi, [esp+58h+var_2C]
		mov	edx, [esp+58h+var_18]
		add	esi, 18h
		push	esi
		push	edi
		call	_SeMaximumAuditMask@16 ; SeMaximumAuditMask(x,x,x,x)
		mov	edx, [esp+58h+var_18]
		mov	ecx, [ebp+arg_0]
		push	esi
		push	edi
		call	_SeMaximumAuditMaskFromGlobalSacl@16 ; SeMaximumAuditMaskFromGlobalSacl(x,x,x,x)
		mov	ecx, [ebp+arg_18]
		jmp	loc_80C397
; 

loc_91CC56:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+11088Dj
		mov	ecx, [ebp+arg_18]
		jmp	loc_80C39B
; 

loc_91CC5E:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+108j
		push	esi
		push	[esp+5Ch+var_18]
		mov	dl, bl
		mov	ecx, 82h
		call	SepAdtAuditThisEventWithContext
		jmp	loc_80C3D6
; 

loc_91CC74:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+186j
		mov	byte ptr [ebx+60h], 1
		jmp	loc_80C463
; 

loc_91CC7D:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+14Ej
					; SeOpenObjectAuditAlarmWithTransaction+15Aj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_91CC90
		cmp	word ptr [eax],	0
		jz	short loc_91CC90
		mov	[esp+58h+var_44], eax
		jmp	short loc_91CCCC
; 

loc_91CC90:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1109C2j
					; SeOpenObjectAuditAlarmWithTransaction+1109C8j
		cmp	[ebp+arg_4], 0
		jz	short loc_91CCCA
		mov	ecx, [ebp+arg_4]
		lea	edx, [esp+58h+var_1C]
		call	SepQueryNameString
		mov	[esp+58h+var_38], eax
		test	eax, eax
		js	short loc_91CCC1
		mov	ecx, [esp+58h+var_1C]
		test	ecx, ecx
		jz	short loc_91CCCA
		cmp	word ptr [ecx+2], 0
		jz	short loc_91CCCA
		mov	eax, ecx
		mov	[esp+58h+var_44], eax
		jmp	short loc_91CCCC
; 

loc_91CCC1:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1109E8j
		mov	edi, [esp+58h+var_30]
		jmp	loc_91CE60
; 

loc_91CCCA:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1109D4j
					; SeOpenObjectAuditAlarmWithTransaction+1109F0j ...
		xor	eax, eax

loc_91CCCC:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+1109CEj
					; SeOpenObjectAuditAlarmWithTransaction+1109FFj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_91CCE1
		cmp	word ptr [ecx],	0
		jz	short loc_91CCE1
		mov	edx, ecx
		mov	[esp+58h+var_3C], edx
		jmp	short loc_91CD19
; 

loc_91CCE1:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110A11j
					; SeOpenObjectAuditAlarmWithTransaction+110A17j
		cmp	[ebp+arg_4], 0
		jz	short loc_91CD17
		mov	ecx, [ebp+arg_4]
		lea	edx, [esp+58h+var_30]
		call	_SepQueryTypeString@8 ;	SepQueryTypeString(x,x)
		mov	edi, [esp+58h+var_30]
		mov	[esp+58h+var_38], eax
		test	eax, eax
		js	loc_91CE60
		mov	eax, [esp+58h+var_44]
		test	edi, edi
		jz	short loc_91CD13
		mov	edx, edi
		mov	[esp+58h+var_3C], edx
		jmp	short loc_91CD1D
; 

loc_91CD13:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110A49j
		xor	edx, edx
		jmp	short loc_91CD1D
; 

loc_91CD17:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110A25j
		xor	edx, edx

loc_91CD19:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110A1Fj
		mov	edi, [esp+58h+var_30]

loc_91CD1D:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110A51j
					; SeOpenObjectAuditAlarmWithTransaction+110A55j
		cmp	byte ptr [ebp+arg_18], 0
		jnz	short loc_91CD96
		mov	eax, [ebp+arg_20]
		test	eax, eax
		jnz	short loc_91CD2D
		lea	eax, [esi+1Ch]

loc_91CD2D:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110A68j
		push	ebx
		push	eax
		mov	eax, [ebx+28h]
		push	0
		push	0
		push	0
		push	2
		push	eax
		mov	eax, [esi]
		mov	ecx, [esp+74h+var_28]
		push	0
		push	eax
		mov	eax, [ebx+14h]
		push	eax
		mov	eax, [ebx+18h]
		push	eax
		mov	eax, [ebx+24h]
		push	eax
		mov	eax, [ebx+1Ch]
		push	eax
		push	[ebp+arg_C]
		push	[esp+90h+var_44]
		push	edx
		push	0
		mov	edx, offset _SeSubsystemName
		call	_SepAdtOpenObjectAuditAlarm@76 ; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	eax, [ebx+14h]
		mov	ecx, [esp+58h+var_3C]
		push	ebx
		push	0
		push	0
		push	eax
		mov	eax, [ebx+18h]
		push	eax
		mov	eax, [ebx+24h]
		push	eax
		mov	eax, [ebx+1Ch]
		push	eax
		push	[esp+74h+var_44]
		push	ecx
		mov	ecx, [esp+7Ch+var_28]
		push	0
		call	_SepAdtStagingEvent@48 ; SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_91CE5C
; 

loc_91CD96:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110A61j
		test	eax, eax
		jz	short loc_91CDEC
		mov	eax, [ebx+68h]
		lea	esi, [ebx+64h]
		test	eax, eax
		jz	short loc_91CDB5
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[esi], ax
		mov	[ebx+66h], ax

loc_91CDB5:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110AE2j
		mov	eax, [esp+58h+var_44]
		push	20206553h
		movzx	eax, word ptr [eax+2]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+68h], eax
		test	eax, eax
		jz	short loc_91CDE4
		mov	ecx, [esp+58h+var_44]
		push	ecx
		push	esi
		mov	ax, [ecx+2]
		mov	[ebx+66h], ax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)

loc_91CDE4:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110B0Fj
		mov	edx, [esp+58h+var_3C]
		mov	esi, [esp+58h+var_2C]

loc_91CDEC:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110AD8j
		test	edx, edx
		jz	short loc_91CE3E
		mov	eax, [ebx+70h]
		lea	esi, [ebx+6Ch]
		test	eax, eax
		jz	short loc_91CE0F
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [esp+58h+var_3C]
		xor	eax, eax
		mov	[esi], ax
		mov	[ebx+6Eh], ax

loc_91CE0F:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110B38j
		movzx	eax, word ptr [edx+2]
		push	20206553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+70h], eax
		test	eax, eax
		jz	short loc_91CE3A
		mov	ecx, [esp+58h+var_3C]
		push	ecx
		push	esi
		mov	ax, [ecx+2]
		mov	[ebx+6Eh], ax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)

loc_91CE3A:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110B65j
		mov	esi, [esp+58h+var_2C]

loc_91CE3E:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110B2Ej
		mov	ecx, [ebp+arg_20]
		test	ecx, ecx
		jz	short loc_91CE5C
		mov	eax, [ecx]
		mov	[esi+1Ch], eax
		mov	eax, [ecx+4]
		mov	[esi+20h], eax
		mov	eax, [ecx+8]
		mov	[esi+24h], eax
		mov	eax, [ecx+0Ch]
		mov	[esi+28h], eax

loc_91CE5C:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110AD1j
					; SeOpenObjectAuditAlarmWithTransaction+110B83j
		mov	eax, [esp+58h+var_38]

loc_91CE60:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110A05j
					; SeOpenObjectAuditAlarmWithTransaction+110A3Dj
		mov	ecx, [esp+58h+var_1C]
		test	ecx, ecx
		jz	short loc_91CE74
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+58h+var_38]

loc_91CE74:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110BA6j
		test	edi, edi
		jz	short loc_91CE84
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+58h+var_38]

loc_91CE84:				; CODE XREF: SeOpenObjectAuditAlarmWithTransaction+110BB6j
		test	eax, eax
		jns	loc_80C420
		push	eax
		call	_SepAuditFailed@4 ; SepAuditFailed(x)
		jmp	loc_80C420
; END OF FUNCTION CHUNK	FOR SeOpenObjectAuditAlarmWithTransaction
; 
; START	OF FUNCTION CHUNK FOR CmpQueryKeyValueData

loc_91CE97:				; CODE XREF: CmpQueryKeyValueData+338j
		push	edx		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_80E2FB
; END OF FUNCTION CHUNK	FOR CmpQueryKeyValueData

;  S U B	R O U T	I N E 


sub_91CEA7	proc near		; DATA XREF: .text:006A5734o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		mov	eax, 1
		retn
sub_91CEA7	endp


;  S U B	R O U T	I N E 


sub_91CEB7	proc near		; DATA XREF: .text:006A5738o

; FUNCTION CHUNK AT 0091CF40 SIZE 00000015 BYTES

		mov	ebx, [ebp-40h]
		jmp	loc_91CF40
sub_91CEB7	endp

; 
; START	OF FUNCTION CHUNK FOR CmpQueryKeyValueData

loc_91CEBF:				; CODE XREF: CmpQueryKeyValueData+28Ej
		mov	ebx, 0C000009Ah
		mov	[ebp+var_24], ebx
		jmp	loc_80E244
; END OF FUNCTION CHUNK	FOR CmpQueryKeyValueData

;  S U B	R O U T	I N E 


sub_91CECC	proc near		; DATA XREF: .text:006A5740o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		mov	eax, 1
		retn
sub_91CECC	endp


;  S U B	R O U T	I N E 


sub_91CEDC	proc near		; DATA XREF: .text:006A5744o
		mov	ebx, [ebp-48h]
		jmp	short loc_91CF40
sub_91CEDC	endp

; 
; START	OF FUNCTION CHUNK FOR CmpQueryKeyValueData

loc_91CEE1:				; CODE XREF: CmpQueryKeyValueData+3FEj
		mov	[ebp+arg_C], ecx
		mov	ebx, 80000005h
		mov	[ebp+var_24], ebx
		jmp	loc_80E3B4
; 

loc_91CEF1:				; CODE XREF: CmpQueryKeyValueData+48Cj
		mov	ebx, 0C000009Ah
		mov	[ebp+var_24], ebx
		jmp	loc_80E3CB
; END OF FUNCTION CHUNK	FOR CmpQueryKeyValueData

;  S U B	R O U T	I N E 


sub_91CEFE	proc near		; DATA XREF: .text:006A5758o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		mov	eax, 1
		retn
sub_91CEFE	endp


;  S U B	R O U T	I N E 


sub_91CF0E	proc near		; DATA XREF: .text:006A575Co
		mov	ebx, [ebp-4Ch]
		jmp	short loc_91CF40
sub_91CF0E	endp

; 
; START	OF FUNCTION CHUNK FOR CmpQueryKeyValueData

loc_91CF13:				; CODE XREF: CmpQueryKeyValueData+172j
					; CmpQueryKeyValueData+178j
					; DATA XREF: ...
		mov	ebx, 0C000000Dh	; default
		jmp	loc_80E0DC
; 

loc_91CF1D:				; CODE XREF: CmpQueryKeyValueData+107j
		mov	eax, 0C000009Ah
		mov	[ebp+arg_0], eax
		mov	[ebp+var_24], eax
		jmp	loc_80E0BD
; END OF FUNCTION CHUNK	FOR CmpQueryKeyValueData

;  S U B	R O U T	I N E 


sub_91CF2D	proc near		; DATA XREF: .text:006A574Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		mov	eax, 1
		retn
sub_91CF2D	endp


;  S U B	R O U T	I N E 


sub_91CF3D	proc near		; DATA XREF: .text:006A5750o
		mov	ebx, [ebp-50h]
sub_91CF3D	endp

; START	OF FUNCTION CHUNK FOR sub_91CEB7

loc_91CF40:				; CODE XREF: sub_91CEB7+3j
					; sub_91CEDC+3j ...
		mov	[ebp-24h], ebx
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-2Ch]
		jmp	loc_80E0DC
; END OF FUNCTION CHUNK	FOR sub_91CEB7
; 
; START	OF FUNCTION CHUNK FOR MiReadWriteVirtualMemory

loc_91CF55:				; CODE XREF: MiReadWriteVirtualMemory+AAj
		mov	edx, eax
		jmp	loc_80E540
; END OF FUNCTION CHUNK	FOR MiReadWriteVirtualMemory

;  S U B	R O U T	I N E 


sub_91CF5C	proc near		; DATA XREF: .text:006A5774o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	eax, 1
		retn
sub_91CF5C	endp


;  S U B	R O U T	I N E 


sub_91CF6C	proc near		; DATA XREF: .text:006A5778o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-30h]
		jmp	loc_80E5E5
sub_91CF6C	endp

; 
; START	OF FUNCTION CHUNK FOR MiReadWriteVirtualMemory

loc_91CF7E:				; CODE XREF: MiReadWriteVirtualMemory+5Dj
		mov	esi, [ebp+arg_8]
		jmp	loc_80E54E
; END OF FUNCTION CHUNK	FOR MiReadWriteVirtualMemory

;  S U B	R O U T	I N E 


sub_91CF86	proc near		; DATA XREF: .text:006A5780o
		mov	eax, 1
		retn
sub_91CF86	endp


;  S U B	R O U T	I N E 


sub_91CF8C	proc near		; DATA XREF: .text:006A5784o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp+10h]
		jmp	loc_80E5E3
sub_91CF8C	endp

; 
; START	OF FUNCTION CHUNK FOR CmpConstructNameFromKeyNodes

loc_91CF9E:				; CODE XREF: CmpConstructNameFromKeyNodes+48j
		mov	eax, [ecx+0Ch]
		mov	edi, [eax+edi*4-8]
		jmp	loc_80E692
; 

loc_91CFAA:				; CODE XREF: CmpConstructNameFromKeyNodes+5Fj
		movsx	eax, si
		sub	eax, 1
		jz	loc_80E6A5
		shl	eax, 2
		mov	ecx, 1
		push	35364D43h
		mov	edx, eax
		mov	[ebp+var_14], eax
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_91CFDD
		mov	esi, 0C000009Ah
		jmp	loc_80E83E
; 

loc_91CFDD:				; CODE XREF: CmpConstructNameFromKeyNodes+10E991j
		push	[ebp+var_14]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_80E6A5
; 

loc_91CFF0:				; CODE XREF: CmpConstructNameFromKeyNodes+ADj
		mov	esi, 0C000000Dh
		jmp	loc_80E83E
; 

loc_91CFFA:				; CODE XREF: CmpConstructNameFromKeyNodes+CEj
		mov	esi, 0C000009Ah
		jmp	loc_80E83E
; 

loc_91D004:				; CODE XREF: CmpConstructNameFromKeyNodes+117j
		shr	cx, 1
		movzx	esi, cx
		jmp	loc_80E75F
; 

loc_91D00F:				; CODE XREF: CmpConstructNameFromKeyNodes+131j
		mov	ebx, [edi+6Ch]
		mov	edx, eax
		mov	eax, ecx
		test	ebx, ebx
		jz	loc_80E77A

loc_91D01E:				; CODE XREF: CmpConstructNameFromKeyNodes+10E9F0j
		mov	eax, [ebx+8]
		lea	ecx, [ebp+var_30]
		push	eax
		call	_CmpSetKcbAtLayerHeight@12 ; CmpSetKcbAtLayerHeight(x,x,x)
		mov	ebx, [ebx+0Ch]
		dec	edx
		test	ebx, ebx
		jnz	short loc_91D01E
		mov	ecx, [ebp+var_24]
		movzx	eax, word ptr [edi+22h]
		mov	[ebp+var_8], ecx
		jmp	loc_80E77A
; 

loc_91D041:				; CODE XREF: CmpConstructNameFromKeyNodes+157j
		mov	ebx, [edi+ecx*4-8]
		jmp	loc_80E7A1
; 

loc_91D04A:				; CODE XREF: CmpConstructNameFromKeyNodes+165j
		dec	eax
		test	ax, ax
		jns	loc_80E790
		jmp	loc_80E7AB
; 

loc_91D059:				; CODE XREF: CmpConstructNameFromKeyNodes+198j
		lea	eax, [esi+esi]
		push	eax		; size_t
		mov	eax, [ebp+var_10]
		add	eax, 4Ch
		push	eax		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_80E801
; END OF FUNCTION CHUNK	FOR CmpConstructNameFromKeyNodes
; 
; START	OF FUNCTION CHUNK FOR MmCopyVirtualMemory

loc_91D072:				; CODE XREF: MmCopyVirtualMemory+58Aj
		mov	ebx, [ebp+var_2F8]
		jmp	loc_80E9B6
; 

loc_91D07D:				; CODE XREF: MmCopyVirtualMemory+1D9j
		mov	edx, [ebp+var_300]
		mov	ecx, ebx
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		mov	ecx, [ebp+var_300]
		mov	eax, [ecx+350h]
		mov	[ebp+var_2C8], eax
		xor	cl, cl
		mov	[ebp+var_2CD], cl
		mov	[ebp+var_2E9], cl
		mov	edx, [ebp+var_2E4]
		test	eax, eax
		jz	short loc_91D0E3
		mov	ecx, edx
		shr	ecx, 0Ch
		mov	[ebp+var_2E0], ecx

loc_91D0BF:				; CODE XREF: MmCopyVirtualMemory+10E8FFj
		cmp	ecx, [eax+10h]
		ja	loc_91D163
		cmp	ecx, [eax+0Ch]
		jnb	loc_91D184
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	loc_91D171
		xor	cl, cl

loc_91D0DD:				; CODE XREF: MmCopyVirtualMemory+10E8ECj
		mov	[ebp+var_2CD], cl

loc_91D0E3:				; CODE XREF: MmCopyVirtualMemory+10E832j
					; MmCopyVirtualMemory+10E911j
		cmp	[ebp+var_2E9], 0
		jnz	loc_91D1CF
		test	cl, cl
		jz	short loc_91D127
		mov	[ebp+var_2E0], eax
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	loc_91D196
		mov	eax, ecx
		mov	[ebp+var_2C8], eax
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_91D127

loc_91D113:				; CODE XREF: MmCopyVirtualMemory+10E89Fj
		mov	[ebp+var_2C8], ecx
		mov	eax, [ecx]
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_91D113

loc_91D121:				; CODE XREF: MmCopyVirtualMemory+10E92Ej
					; MmCopyVirtualMemory+10E95Cj
		mov	eax, [ebp+var_2C8]

loc_91D127:				; CODE XREF: MmCopyVirtualMemory+10E872j
					; MmCopyVirtualMemory+10E891j ...
		mov	ecx, [ebp+var_2F4]

loc_91D12D:				; CODE XREF: MmCopyVirtualMemory+10E96Ej
		test	ecx, ecx
		jz	loc_91D1F4
		mov	eax, [ecx+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		sub	eax, edx
		inc	eax
		mov	[ebp+var_2F4], eax
		mov	al, [ecx+28h]
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		add	eax, 2
		mov	[ebp+var_2FC], eax
		jmp	loc_91D2DD
; 

loc_91D163:				; CODE XREF: MmCopyVirtualMemory+10E842j
		mov	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_91D171
		mov	cl, 1
		jmp	loc_91D0DD
; 

loc_91D171:				; CODE XREF: MmCopyVirtualMemory+10E855j
					; MmCopyVirtualMemory+10E8E8j
		mov	eax, ecx
		mov	[ebp+var_2C8], eax
		mov	ecx, [ebp+var_2E0]
		jmp	loc_91D0BF
; 

loc_91D184:				; CODE XREF: MmCopyVirtualMemory+10E84Bj
		mov	[ebp+var_2E9], 1
		mov	cl, [ebp+var_2CD]
		jmp	loc_91D0E3
; 

loc_91D196:				; CODE XREF: MmCopyVirtualMemory+10E87Fj
		mov	eax, [eax+8]
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_2C8], eax
		jz	short loc_91D127
		mov	ecx, [ebp+var_2E0]

loc_91D1AA:				; CODE XREF: MmCopyVirtualMemory+10E948j
		mov	eax, [eax]
		cmp	eax, ecx
		jz	loc_91D121
		mov	eax, [ebp+var_2C8]
		mov	ecx, eax
		mov	eax, [eax+8]
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_2C8], eax
		jnz	short loc_91D1AA
		jmp	loc_91D127
; 

loc_91D1CF:				; CODE XREF: MmCopyVirtualMemory+10E86Aj
		mov	eax, [eax+1Ch]
		and	eax, 3100000h
		cmp	eax, 2100000h
		jnz	loc_91D121
		mov	eax, [ebp+var_2C8]
		mov	ecx, eax
		test	byte ptr [eax+28h], 4
		jnz	loc_91D12D

loc_91D1F4:				; CODE XREF: MmCopyVirtualMemory+10E8AFj
		mov	[ebp+var_2E8], 0
		mov	ecx, [ebp+var_2DC]
		dec	ecx
		add	ecx, edx
		shr	ecx, 0Ch
		mov	[ebp+var_2F4], ecx
		test	eax, eax
		jz	loc_91D2D1

loc_91D218:				; CODE XREF: MmCopyVirtualMemory+10EA31j
		mov	[ebp+var_2E8], eax
		mov	eax, [eax+1Ch]
		and	eax, 3100000h
		cmp	eax, 2100000h
		mov	eax, [ebp+var_2C8]
		jnz	short loc_91D239
		test	byte ptr [eax+28h], 4
		jnz	short loc_91D2B7

loc_91D239:				; CODE XREF: MmCopyVirtualMemory+10E9B1j
		cmp	[eax+10h], ecx
		jnb	loc_91D2D1
		mov	[ebp+var_2E0], eax
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_91D26D
		mov	eax, ecx
		mov	[ebp+var_2C8], eax
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_91D2A9

loc_91D25D:				; CODE XREF: MmCopyVirtualMemory+10E9E9j
		mov	[ebp+var_2C8], ecx
		mov	eax, [ecx]
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_91D25D
		jmp	short loc_91D2A3
; 

loc_91D26D:				; CODE XREF: MmCopyVirtualMemory+10E9CDj
		mov	eax, [eax+8]
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_2C8], eax
		jz	short loc_91D2A9
		mov	edx, eax
		mov	edi, [ebp+var_2E0]

loc_91D283:				; CODE XREF: MmCopyVirtualMemory+10EA0Fj
		cmp	[edx], edi
		jz	short loc_91D291
		mov	edi, edx
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		jnz	short loc_91D283

loc_91D291:				; CODE XREF: MmCopyVirtualMemory+10EA05j
		mov	[ebp+var_2C8], edx
		mov	edi, [ebp+var_2D8]
		mov	edx, [ebp+var_2E4]

loc_91D2A3:				; CODE XREF: MmCopyVirtualMemory+10E9EBj
		mov	eax, [ebp+var_2C8]

loc_91D2A9:				; CODE XREF: MmCopyVirtualMemory+10E9DBj
					; MmCopyVirtualMemory+10E9F9j
		test	eax, eax
		mov	ecx, [ebp+var_2F4]
		jnz	loc_91D218

loc_91D2B7:				; CODE XREF: MmCopyVirtualMemory+10E9B7j
		test	eax, eax
		jz	short loc_91D2D1
		mov	eax, [ebp+var_2E8]
		mov	eax, [eax+0Ch]
		shl	eax, 0Ch
		sub	eax, edx
		mov	[ebp+var_2F4], eax
		jmp	short loc_91D2DD
; 

loc_91D2D1:				; CODE XREF: MmCopyVirtualMemory+10E992j
					; MmCopyVirtualMemory+10E9BCj ...
		mov	eax, [ebp+var_2DC]
		mov	[ebp+var_2F4], eax

loc_91D2DD:				; CODE XREF: MmCopyVirtualMemory+10E8DEj
					; MmCopyVirtualMemory+10EA4Fj
		mov	edx, [ebp+var_300]
		mov	ecx, ebx
		call	UNLOCK_ADDRESS_SPACE
		mov	eax, [ebp+var_2CC]
		jmp	loc_80EA65
; 

loc_91D2F5:				; CODE XREF: MmCopyVirtualMemory+281j
		mov	ecx, [ebp+var_2E4]
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		mov	eax, [ebp+var_30C]
		mov	edx, [eax+350h]
		xor	al, al
		mov	[ebp+var_2EA], al
		xor	ah, ah
		mov	[ebp+var_30D], ah
		mov	ecx, [ebp+var_2D8]
		test	edx, edx
		jz	short loc_91D36D
		mov	ebx, ecx
		shr	ebx, 0Ch
		mov	[ebp+var_2E8], ebx

loc_91D331:				; CODE XREF: MmCopyVirtualMemory+10EB4Dj
		mov	ebx, [ebp+var_2E8]
		cmp	ebx, [edx+10h]
		mov	ebx, [ebp+var_2D4]
		ja	short loc_91D3B0
		mov	ebx, [ebp+var_2E8]
		cmp	ebx, [edx+0Ch]
		mov	ebx, [ebp+var_2D4]
		jnb	short loc_91D3D2
		mov	ecx, [edx]
		mov	[ebp+var_2FC], ecx
		test	ecx, ecx
		mov	ecx, [ebp+var_2D8]
		jnz	short loc_91D3C7
		xor	al, al

loc_91D367:				; CODE XREF: MmCopyVirtualMemory+10EB45j
		mov	[ebp+var_2EA], al

loc_91D36D:				; CODE XREF: MmCopyVirtualMemory+10EAA4j
					; MmCopyVirtualMemory+10EB5Aj
		test	ah, ah
		jnz	loc_91D400
		test	al, al
		jz	loc_91D41D
		mov	[ebp+var_2E0], edx
		mov	eax, [edx+4]
		test	eax, eax
		jz	short loc_91D3DC
		mov	edx, eax
		mov	eax, [edx]
		mov	[ebp+var_2E0], eax
		test	eax, eax
		jz	loc_91D41D
		mov	ebx, eax

loc_91D39E:				; CODE XREF: MmCopyVirtualMemory+10EB26j
		mov	edx, ebx
		mov	eax, [ebx]
		mov	ebx, eax
		test	eax, eax
		jnz	short loc_91D39E
		mov	ebx, [ebp+var_2D4]
		jmp	short loc_91D41D
; 

loc_91D3B0:				; CODE XREF: MmCopyVirtualMemory+10EAC0j
		mov	ecx, [edx+4]
		mov	[ebp+var_2FC], ecx
		test	ecx, ecx
		mov	ecx, [ebp+var_2D8]
		jnz	short loc_91D3C7
		mov	al, 1
		jmp	short loc_91D367
; 

loc_91D3C7:				; CODE XREF: MmCopyVirtualMemory+10EAE3j
					; MmCopyVirtualMemory+10EB41j
		mov	edx, [ebp+var_2FC]
		jmp	loc_91D331
; 

loc_91D3D2:				; CODE XREF: MmCopyVirtualMemory+10EAD1j
		mov	ah, 1
		mov	[ebp+var_30D], ah
		jmp	short loc_91D36D
; 

loc_91D3DC:				; CODE XREF: MmCopyVirtualMemory+10EB08j
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		jz	short loc_91D41D
		mov	ecx, [ebp+var_2E0]

loc_91D3EA:				; CODE XREF: MmCopyVirtualMemory+10EB76j
		cmp	[edx], ecx
		jz	short loc_91D3F8
		mov	ecx, edx
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		jnz	short loc_91D3EA

loc_91D3F8:				; CODE XREF: MmCopyVirtualMemory+10EB6Cj
		mov	ecx, [ebp+var_2D8]
		jmp	short loc_91D41D
; 

loc_91D400:				; CODE XREF: MmCopyVirtualMemory+10EAEFj
		mov	eax, [edx+1Ch]
		and	eax, 3100000h
		cmp	eax, 2100000h
		jnz	short loc_91D41D
		mov	ebx, edx
		mov	[ebp+var_2D4], ebx
		test	byte ptr [edx+28h], 4
		jz	short loc_91D450

loc_91D41D:				; CODE XREF: MmCopyVirtualMemory+10EAF7j
					; MmCopyVirtualMemory+10EB16j ...
		test	ebx, ebx
		jz	short loc_91D450
		mov	ebx, [ebx+10h]
		shl	ebx, 0Ch
		or	ebx, 0FFFh
		sub	ebx, ecx
		inc	ebx
		mov	eax, [ebp+var_2D4]
		mov	al, [eax+28h]
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		add	eax, 2
		mov	[ebp+var_2CC], eax
		jmp	loc_91D4DF
; 

loc_91D450:				; CODE XREF: MmCopyVirtualMemory+10EB9Bj
					; MmCopyVirtualMemory+10EB9Fj
		xor	eax, eax
		mov	ebx, [ebp+var_2DC]
		dec	ebx
		add	ebx, ecx
		shr	ebx, 0Ch
		mov	[ebp+var_2E0], ebx
		test	edx, edx
		jz	short loc_91D4D9

loc_91D468:				; CODE XREF: MmCopyVirtualMemory+10EC43j
		mov	[ebp+var_2E8], edx
		mov	eax, [edx+1Ch]
		and	eax, 3100000h
		cmp	eax, 2100000h
		jnz	short loc_91D483
		test	byte ptr [edx+28h], 4
		jnz	short loc_91D4C5

loc_91D483:				; CODE XREF: MmCopyVirtualMemory+10EBFBj
		cmp	[edx+10h], ebx
		jnb	short loc_91D4D9
		mov	ebx, edx
		mov	eax, [edx+4]
		test	eax, eax
		jz	short loc_91D4A5
		mov	edx, eax
		mov	ebx, [edx]
		test	ebx, ebx
		jz	short loc_91D4BB

loc_91D499:				; CODE XREF: MmCopyVirtualMemory+10EC21j
		mov	edx, ebx
		mov	eax, [ebx]
		mov	ebx, eax
		test	eax, eax
		jnz	short loc_91D499
		jmp	short loc_91D4BB
; 

loc_91D4A5:				; CODE XREF: MmCopyVirtualMemory+10EC0Fj
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		jz	short loc_91D4BB

loc_91D4AD:				; CODE XREF: MmCopyVirtualMemory+10EC39j
		cmp	[edx], ebx
		jz	short loc_91D4BB
		mov	ebx, edx
		mov	edx, [edx+8]
		and	edx, 0FFFFFFFCh
		jnz	short loc_91D4AD

loc_91D4BB:				; CODE XREF: MmCopyVirtualMemory+10EC17j
					; MmCopyVirtualMemory+10EC23j ...
		test	edx, edx
		mov	ebx, [ebp+var_2E0]
		jnz	short loc_91D468

loc_91D4C5:				; CODE XREF: MmCopyVirtualMemory+10EC01j
		mov	eax, [ebp+var_2E8]
		test	edx, edx
		jz	short loc_91D4D9
		mov	ebx, [eax+0Ch]
		shl	ebx, 0Ch
		sub	ebx, ecx
		jmp	short loc_91D4DF
; 

loc_91D4D9:				; CODE XREF: MmCopyVirtualMemory+10EBE6j
					; MmCopyVirtualMemory+10EC06j ...
		mov	ebx, [ebp+var_2DC]

loc_91D4DF:				; CODE XREF: MmCopyVirtualMemory+10EBCBj
					; MmCopyVirtualMemory+10EC57j
		mov	[ebp+var_2FC], ebx
		mov	edx, [ebp+var_30C]
		mov	ecx, [ebp+var_2E4]
		call	UNLOCK_ADDRESS_SPACE
		mov	eax, [ebp+var_2CC]
		mov	edx, [ebp+var_30C]
		jmp	loc_80EB13
; 

loc_91D507:				; CODE XREF: MmCopyVirtualMemory+2E2j
		mov	edi, ecx
		mov	[ebp+var_2D8], ecx
		jmp	loc_80EB68
; 

loc_91D514:				; CODE XREF: MmCopyVirtualMemory+2EAj
		mov	edi, ebx
		mov	[ebp+var_2D8], edi
		jmp	loc_80EB70
; 

loc_91D521:				; CODE XREF: MmCopyVirtualMemory+323j
		cmp	edi, esi
		ja	loc_80EBC3
		jmp	loc_80EBC1
; 

loc_91D52E:				; CODE XREF: MmCopyVirtualMemory+64Bj
		shr	esi, 1
		cmp	esi, 200h
		ja	loc_80EEB0
		lea	eax, [ebp+var_224]
		mov	[ebp+var_304], eax
		mov	esi, 200h
		jmp	loc_80EED7
; 

loc_91D552:				; CODE XREF: MmCopyVirtualMemory+3A2j
					; MmCopyVirtualMemory+3AAj
		mov	byte ptr [ecx],	0
		jmp	loc_80EC30
; END OF FUNCTION CHUNK	FOR MmCopyVirtualMemory

;  S U B	R O U T	I N E 


sub_91D55A	proc near		; DATA XREF: .text:006A579Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-334h], eax
		mov	eax, 1
		retn
sub_91D55A	endp


;  S U B	R O U T	I N E 


sub_91D56D	proc near		; DATA XREF: .text:006A57A0o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-334h]
		jmp	loc_80F090
sub_91D56D	endp

; 
; START	OF FUNCTION CHUNK FOR MmCopyVirtualMemory

loc_91D57B:				; CODE XREF: MmCopyVirtualMemory+41Aj
		lea	eax, [ebp+var_31C]
		push	eax		; int
		push	1		; int
		push	esi		; size_t
		mov	edx, [ebp+var_304]
		mov	ecx, [ebp+var_308]
		call	_MiDbgReadWriteEnclave@20 ; MiDbgReadWriteEnclave(x,x,x,x,x)
		mov	edx, [ebp+var_2E4]
		jmp	short loc_91D5AD
; 

loc_91D59E:				; CODE XREF: MmCopyVirtualMemory+405j
					; MmCopyVirtualMemory+411j
		lea	eax, [ebp+var_31C]
		push	eax
		sub	esp, 0Ch
		call	_VslDebugReadWriteSecureProcess@24 ; VslDebugReadWriteSecureProcess(x,x,x,x,x,x)

loc_91D5AD:				; CODE XREF: MmCopyVirtualMemory+10ED1Cj
		mov	ecx, eax
		mov	[ebp+var_2F0], ecx
		mov	[ebp+var_2C8], ecx
		jmp	loc_80ECC1
; 

loc_91D5C0:				; CODE XREF: MmCopyVirtualMemory+74Aj
		lea	eax, [ebp+var_294]
		push	eax
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		jmp	loc_80EFE0
; 

loc_91D5D1:				; CODE XREF: MmCopyVirtualMemory+4BDj
					; MmCopyVirtualMemory+4C5j
		mov	byte ptr [ecx],	0
		jmp	loc_80ED4B
; END OF FUNCTION CHUNK	FOR MmCopyVirtualMemory

;  S U B	R O U T	I N E 


sub_91D5D9	proc near		; DATA XREF: .text:006A57B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-348h], eax
		mov	eax, 1
		retn
sub_91D5D9	endp


;  S U B	R O U T	I N E 


sub_91D5EC	proc near		; DATA XREF: .text:006A57B8o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-348h]
		test	byte ptr [ebp-2D4h], 2
		jz	loc_80F090
		push	dword ptr [ebp-34Ch]
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		jmp	loc_80F090
sub_91D5EC	endp

; 
; START	OF FUNCTION CHUNK FOR MmCopyVirtualMemory

loc_91D612:				; CODE XREF: MmCopyVirtualMemory+4F6j
		lea	eax, [ebp+var_31C]
		push	eax		; int
		push	0		; int
		push	esi		; size_t
		mov	edx, [ebp+var_304]
		mov	ecx, [ebp+var_314]
		call	_MiDbgReadWriteEnclave@20 ; MiDbgReadWriteEnclave(x,x,x,x,x)
		jmp	short loc_91D63E
; 

loc_91D62F:				; CODE XREF: MmCopyVirtualMemory+4E1j
					; MmCopyVirtualMemory+4EDj
		lea	eax, [ebp+var_31C]
		push	eax
		sub	esp, 0Ch
		call	_VslDebugReadWriteSecureProcess@24 ; VslDebugReadWriteSecureProcess(x,x,x,x,x,x)

loc_91D63E:				; CODE XREF: MmCopyVirtualMemory+10EDADj
		mov	ebx, eax
		mov	[ebp+var_2F0], ebx
		jmp	loc_80ED9A
; 

loc_91D64B:				; CODE XREF: MmCopyVirtualMemory+526j
		mov	ecx, [ebp+var_31C]
		sub	ecx, [ebp+var_318]
		add	ecx, [ebp+var_314]
		mov	eax, [ebp+var_320]
		mov	[eax], ecx
		jmp	loc_91D70A
; END OF FUNCTION CHUNK	FOR MmCopyVirtualMemory

;  S U B	R O U T	I N E 


sub_91D66A	proc near		; DATA XREF: .text:006A57C0o
		lea	eax, [ebp-330h]
		push	eax
		lea	edx, [ebp-32Ch]
		mov	ecx, [ebp-14h]
		call	_MiGetExceptionInfo@12 ; MiGetExceptionInfo(x,x,x)
		retn
sub_91D66A	endp


;  S U B	R O U T	I N E 


sub_91D680	proc near		; DATA XREF: .text:006A57C4o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-2D4h]
		mov	[ebp-2CCh], eax
		test	al, 2
		jz	short loc_91D6DF
		lea	eax, [ebp-294h]
		push	eax
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		mov	eax, [ebp-2CCh]
		and	eax, 0FFFFFFFDh
		mov	[ebp-2CCh], eax
		mov	[ebp-2D4h], eax
		xor	edx, edx
		lea	ecx, [ebp-23Ch]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-2F0h]
		mov	[ebp-2C8h], ecx
		mov	edi, [ebp-2D8h]
		jmp	loc_80F002
; 

loc_91D6DF:				; CODE XREF: sub_91D680+11j
		mov	eax, [ebp-2F8h]
		sub	eax, [ebp-2D8h]
		mov	ecx, [ebp-320h]
		mov	[ecx], eax
		cmp	dword ptr [ebp-32Ch], 1
		jnz	short loc_91D70A
		mov	eax, [ebp-330h]
		sub	eax, [ebp-318h]
		mov	[ecx], eax
sub_91D680	endp

; START	OF FUNCTION CHUNK FOR MmCopyVirtualMemory

loc_91D70A:				; CODE XREF: MmCopyVirtualMemory+10EDE5j
					; sub_91D680+7Aj
		mov	ebx, 8000000Dh
		mov	[ebp+var_2F0], ebx
		jmp	loc_80F090
; END OF FUNCTION CHUNK	FOR MmCopyVirtualMemory
; 
; START	OF FUNCTION CHUNK FOR CmQueryValueKey

loc_91D71A:				; CODE XREF: CmQueryValueKey+AEj
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	KiStackAttachProcess
		mov	eax, [esp+98h+var_64]
		mov	[esp+98h+var_84], eax
		jmp	loc_80F159
; 

loc_91D739:				; CODE XREF: CmQueryValueKey+106j
		movsx	edx, di
		sub	edx, 1
		jz	loc_80F1AC
		lea	eax, ds:0[edx*4]
		mov	ecx, 1
		push	35364D43h
		mov	edx, eax
		mov	[esp+9Ch+var_78], eax
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_91D775
		mov	ebx, 0C000009Ah

loc_91D76C:				; CODE XREF: CmQueryValueKey+413j
					; CmQueryValueKey+5E9j
		mov	esi, [esp+98h+var_84]
		jmp	loc_80F52B
; 

loc_91D775:				; CODE XREF: CmQueryValueKey+10E6C5j
		push	[esp+98h+var_78] ; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		movzx	eax, word ptr [esi+22h]
		add	esp, 0Ch
		jmp	loc_80F1AC
; 

loc_91D78D:				; CODE XREF: CmQueryValueKey+5CBj
		mov	al, [ebx+1Ch]
		and	al, 1
		movzx	ebx, al
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 2A9h
		add	ebx, 0C000017Ch
		jmp	loc_80F4AA
; 

loc_91D7AA:				; CODE XREF: CmQueryValueKey+656j
					; CmQueryValueKey+65Fj
		mov	edi, [esp+98h+var_74]
		mov	edx, edi
		mov	ecx, [eax+1Ch]
		call	CmEqualTrans
		test	al, al
		jz	loc_80F25C
		mov	eax, [ebx+1Ch]
		jmp	loc_80F6DE
; 

loc_91D7C8:				; CODE XREF: CmQueryValueKey+640j
		mov	ebx, 0C0000425h
		jmp	loc_80F4AA
; 

loc_91D7D2:				; CODE XREF: CmQueryValueKey+1DEj
		mov	ecx, [esp+98h+var_84]
		mov	ecx, [ecx+eax*4-8]
		jmp	loc_80F288
; 

loc_91D7DF:				; CODE XREF: CmQueryValueKey+639j
		mov	ebx, 0C0000034h
		jmp	loc_80F49B
; 

loc_91D7E9:				; CODE XREF: CmQueryValueKey+43Dj
		mov	[esp+0D4h+var_C5], 1
		jmp	loc_80F4E8
; 

loc_91D7F3:				; CODE XREF: CmQueryValueKey+453j
		mov	dword ptr [ecx+1Ch], 0
		jmp	loc_80F4FC
; 

loc_91D7FF:				; CODE XREF: CmQueryValueKey+46Bj
		mov	ecx, [esp+0D4h+var_8C]
		test	dword ptr [ecx+4], 80000h
		jz	loc_80F511
		call	CmpFreeKeyControlBlock
		jmp	loc_80F511
; 

loc_91D81A:				; CODE XREF: CmQueryValueKey+4C2j
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	loc_80F568
; END OF FUNCTION CHUNK	FOR CmQueryValueKey
; 
; START	OF FUNCTION CHUNK FOR HvpReleaseCellPaged

loc_91D826:				; CODE XREF: HvpReleaseCellPaged+26j
					; HvpReleaseCellPaged+6Cj
		push	271h
		push	ebx
		push	esi
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_91D837:				; CODE XREF: ObpIncrementHandleCountEx+3A0j
		xor	ebx, ebx
		jmp	loc_80FCDD
; END OF FUNCTION CHUNK	FOR HvpReleaseCellPaged
; 
; START	OF FUNCTION CHUNK FOR ObpIncrementHandleCountEx

loc_91D83E:				; CODE XREF: ObpIncrementHandleCountEx+3BAj
		mov	[esp+60h+var_4C], 0C0000044h
		jmp	short loc_91D8BE
; 

loc_91D848:				; CODE XREF: ObpIncrementHandleCountEx+139j
		xor	ebx, ebx
		jmp	loc_80FA82
; 

loc_91D84F:				; CODE XREF: ObpIncrementHandleCountEx+23Cj
		mov	eax, [esp+60h+var_3C]
		test	eax, eax
		jz	short loc_91D863
		push	eax
		push	1
		xor	edx, edx
		mov	ecx, ebx
		call	PspReturnQuota

loc_91D863:				; CODE XREF: ObpIncrementHandleCountEx+10DF25j
		xor	ebx, ebx
		jmp	loc_80FA82
; 

loc_91D86A:				; CODE XREF: ObpIncrementHandleCountEx+157j
		mov	eax, [esp+60h+var_34]
		test	eax, eax
		jz	short loc_91D884
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jz	short loc_91D884
		mov	edx, [esp+60h+var_38]
		push	0
		call	PsReturnSharedPoolQuota

loc_91D884:				; CODE XREF: ObpIncrementHandleCountEx+10DF40j
					; ObpIncrementHandleCountEx+10DF47j
		mov	[esp+60h+var_4C], 0C0000044h
		jmp	short loc_91D8BE
; 

loc_91D88E:				; CODE XREF: ObpIncrementHandleCountEx+51Cj
		cmp	eax, [esp+60h+var_48]
		jz	loc_80FE52

loc_91D898:				; CODE XREF: ObpIncrementHandleCountEx+189j
					; ObpIncrementHandleCountEx+4DBj ...
		mov	[esp+60h+var_4C], 0C0000022h
		jmp	short loc_91D8BE
; 

loc_91D8A2:				; CODE XREF: ObpIncrementHandleCountEx+4ECj
		mov	[esp+60h+var_4C], 0C000000Dh
		jmp	short loc_91D8BE
; 

loc_91D8AC:				; CODE XREF: ObpIncrementHandleCountEx+223j
		cmp	dword ptr [esi+60h], 0
		jz	loc_80FAC9
		mov	[esp+60h+var_4C], 0C0000001h

loc_91D8BE:				; CODE XREF: ObpIncrementHandleCountEx+25Dj
					; ObpIncrementHandleCountEx+36Aj ...
		mov	ecx, [esp+60h+var_2C]
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_80FB26
; 

loc_91D8D3:				; CODE XREF: ObpIncrementHandleCountEx+548j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		lea	ecx, [esi+80h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+4]
		cmp	[eax], esi
		jz	short loc_91D8FC
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_91D8FC:				; CODE XREF: ObpIncrementHandleCountEx+10DFC3j
		mov	[edi], esi
		lea	ecx, [esi+80h]
		mov	[edi+4], eax
		xor	edx, edx
		mov	[eax], edi
		mov	[esi+4], edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_80FB12
; END OF FUNCTION CHUNK	FOR ObpIncrementHandleCountEx
; 
; START	OF FUNCTION CHUNK FOR CmpPerformCompleteKcbCacheLookup

loc_91D924:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+228j
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, [esp+60h+var_24]
		movzx	eax, ax
		jmp	loc_811B33
; 

loc_91D937:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+262j
					; CmpPerformCompleteKcbCacheLookup+69Cj
		mov	edi, [esp+60h+var_50]
		mov	eax, [esp+60h+var_4C]
		jmp	loc_811A28
; 

loc_91D944:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+4FBj
		mov	eax, [ecx]
		mov	byte ptr [eax],	1
		and	byte ptr [ebx+18h], 0FBh
		jmp	loc_811E30
; 

loc_91D952:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+594j
		mov	bl, 1
		jmp	loc_811E9C
; 

loc_91D959:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+5A4j
		mov	eax, [esp+60h+var_4C]
		mov	dword ptr [eax+14h], 0
		jmp	loc_811EAD
; 

loc_91D969:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+5C2j
		test	dword ptr [ebx+4], 80000h
		jz	loc_811B99
		mov	ecx, ebx
		call	CmpFreeKeyControlBlock
		jmp	loc_811B99
; 

loc_91D982:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+2DDj
		mov	ecx, edi
		call	_CmpDeleteHive@4 ; CmpDeleteHive(x)
		jmp	loc_811BE3
; 

loc_91D98E:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+167j
		mov	ecx, edi
		call	_CmpDeleteHive@4 ; CmpDeleteHive(x)
		jmp	loc_811A6D
; 

loc_91D99A:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+390j
		mov	eax, large fs:124h
		cmp	[ecx+9ACh], eax
		jz	loc_811C96
		cmp	_CmpLoadingSystemHivesActive, 0
		mov	esi, 0C0000034h
		mov	ebx, [ebp+arg_8]
		jz	loc_91DB68
		mov	eax, _CmpMountThread
		cmp	eax, large fs:124h
		jz	loc_91DB68
		test	ebx, ebx
		jz	loc_91DB68
		mov	eax, [esp+60h+var_44]
		dec	eax
		lea	ecx, ds:0[eax*8]
		cmp	eax, 8
		jb	short loc_91D9F5
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+60h]
		mov	[ebp+arg_4], eax

loc_91D9F5:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C0EAj
		lea	eax, [ebx+54h]
		push	eax
		mov	eax, [ebp+arg_4]
		add	eax, 20h
		push	ecx
		add	ecx, eax
		call	CmpWaitForHiveMount
		test	al, al
		jz	loc_91DB68
		or	dword ptr [ebx], 100h
		mov	esi, 103h
		mov	edx, 60300h
		jmp	loc_91DB8D
; 

loc_91DA24:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+3B4j
		mov	dword ptr [edi], 0
		jmp	loc_811CBD
; 

loc_91DA2F:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+3CCj
		test	dword ptr [esi+4], 80000h
		jz	loc_811CD2
		mov	ecx, esi
		call	CmpFreeKeyControlBlock
		jmp	loc_811CD2
; 

loc_91DA48:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+622j
		cmp	byte ptr [ecx+6DCh], 1
		jnz	loc_811D16
		mov	bl, 1
		jmp	loc_811D18
; 

loc_91DA5C:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+65Fj
		mov	ebx, [esp+60h+var_20]
		mov	esi, [esp+60h+var_50]

loc_91DA64:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+402j
		mov	ecx, [esp+60h+var_50]
		mov	esi, [esi+8]
		mov	eax, [ecx+10h]
		mov	[esp+60h+var_1C], eax
		call	CmpLockHashEntryExclusiveByKcb
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esp+60h+var_50]
		mov	eax, large fs:124h
		mov	[edi], eax
		mov	[esp+60h+var_38], 0
		mov	eax, [ecx+6Ch]
		test	eax, eax
		jz	short loc_91DADE
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	short loc_91DADE
		mov	eax, [eax+8]
		mov	[esp+60h+var_38], eax
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	ecx, [esp+60h+var_38]
		xor	edx, edx
		lea	ecx, [ecx+18h]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esp+60h+var_38]
		xor	edx, edx
		mov	eax, large fs:124h
		mov	[ecx+1Ch], eax
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, [esp+60h+var_50]
		mov	[edi], eax

loc_91DADE:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C199j
					; CmpPerformCompleteKcbCacheLookup+10C1A0j
		push	0
		lea	edx, [esp+64h+var_8]
		call	CmpDereferenceKeyControlBlockWithLock
		mov	ecx, [esp+60h+var_50]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	eax, [esp+60h+var_38]
		test	eax, eax
		jz	short loc_91DB01
		mov	ecx, eax
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)

loc_91DB01:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C1F8j
		mov	ecx, [esp+60h+var_1C]
		push	esi
		call	_CmpUnlockHashEntry@8 ;	CmpUnlockHashEntry(x,x)
		xor	dl, dl
		lea	ecx, [esp+60h+var_8]
		call	CmpDrainDelayDerefContext
		jmp	loc_811D3E
; 

loc_91DB1B:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+438j
		mov	ecx, [esp+60h+var_28]
		call	CmpDoQueueLateUnloadWorker
		jmp	loc_811D3E
; 

loc_91DB29:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+506j
					; CmpPerformCompleteKcbCacheLookup+511j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_91DB30:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+285j
					; CmpPerformCompleteKcbCacheLookup+496j
		push	0
		push	0
		push	ebx
		push	24h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91DB3E:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+486j
		push	0
		push	0
		push	ebx
		push	20h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91DB4C:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+CEj
					; CmpPerformCompleteKcbCacheLookup+64Dj
		push	esi
		push	9
		push	ebx
		push	17h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91DB59:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+2F3j
					; CmpPerformCompleteKcbCacheLookup+460j
		push	0
		push	0
		push	0
		push	1Fh
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91DB68:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C0BBj
					; CmpPerformCompleteKcbCacheLookup+10C0CDj ...
		mov	edx, 60400h
		jmp	short loc_91DB8D
; 

loc_91DB6F:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+430j
		push	0
		push	0
		push	[esp+68h+var_50]
		push	25h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91DB80:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+39Dj
		mov	ebx, [ebp+arg_8]
		mov	esi, 0C0000425h
		mov	edx, 60500h

loc_91DB8D:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C11Fj
					; CmpPerformCompleteKcbCacheLookup+10C26Dj
		push	esi
		mov	ecx, ebx
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		mov	ecx, [esp+20h]
		call	CmpDereferenceKeyControlBlockUnsafe
		mov	ebx, [esp+74h+var_64]
		mov	ecx, ebx
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		cmp	byte ptr [esp+0Fh], 0
		jz	short loc_91DBB7
		mov	ecx, ebx
		call	_CmpUnlockHashEntryByKcb@4 ; CmpUnlockHashEntryByKcb(x)

loc_91DBB7:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+10C2AEj
		test	ebx, ebx
		jz	loc_811AB7
		mov	ecx, ebx
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		jmp	loc_811AB7
; 

loc_91DBCB:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+41j
					; CmpPerformCompleteKcbCacheLookup+37Aj
		push	0
		push	0
		push	esi
		push	24h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91DBD9:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+363j
		mov	edi, [esp+74h+var_64]
		jmp	loc_811EF2
; 

loc_91DBE2:				; CODE XREF: CmpPerformCompleteKcbCacheLookup+4Aj
					; CmpPerformCompleteKcbCacheLookup+383j
		push	0
		push	0
		push	0
		push	15h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_91DBF2:				; CODE XREF: CmpCallCallBacksEx+106j
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	loc_8120BC
		cmp	word ptr [ecx+13Eh], 0
		jnz	loc_8120BC
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_8120BC
; END OF FUNCTION CHUNK	FOR CmpPerformCompleteKcbCacheLookup
; 
; START	OF FUNCTION CHUNK FOR CmpCallCallBacksEx

loc_91DC16:				; CODE XREF: CmpCallCallBacksEx+130j
		or	eax, 0FFFFFFFFh
		mov	ecx, [ebp+var_44]
		lock xadd [ecx], eax
		dec	eax
		cmp	eax, 80000000h
		jnz	short loc_91DC4B
		mov	[ebp+var_40], 0
		xor	ecx, ecx
		lea	eax, [ebp+var_40]
		lock or	[eax], ecx
		cmp	_CallbackListDeleteEvent, ecx
		jz	short loc_91DC4B
		xor	edx, edx
		mov	ecx, offset _CallbackListDeleteEvent
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_91DC4B:				; CODE XREF: CmpCallCallBacksEx+10BC76j
					; CmpCallCallBacksEx+10BC8Dj
		mov	ebx, 0C000009Ah
		mov	[ebp+var_28], ebx
		mov	[ebp+var_19], 1
		xor	al, al
		mov	byte ptr [ebp+arg_C+3],	al
		jmp	loc_81216D
; 

loc_91DC61:				; CODE XREF: CmpCallCallBacksEx+182j
					; DATA XREF: PAGE:00812990o
		mov	dword ptr [esi+14h], 0
		jmp	loc_812300
; END OF FUNCTION CHUNK	FOR CmpCallCallBacksEx

;  S U B	R O U T	I N E 


sub_91DC6D	proc near		; DATA XREF: .text:006A57DCo
		mov	edx, [ebp-38h]
		mov	ecx, [ebp-14h]
		call	_CmpCallbackFatalFilter@8 ; CmpCallbackFatalFilter(x,x)

loc_91DC78:				; DATA XREF: .text:006A57E0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	al, [ebp+0Ch]
		mov	[ebp+17h], al
		mov	esi, [ebp-50h]
		mov	ebx, [ebp-28h]
		mov	eax, [ebp-38h]
		mov	[ebp-2Ch], eax
		mov	al, [ebp-1Bh]
		mov	[ebp-1Ah], al
		mov	ecx, [ebp-4Ch]
		jmp	loc_812331
sub_91DC6D	endp

; 
; START	OF FUNCTION CHUNK FOR CmpCallCallBacksEx

loc_91DCA2:				; CODE XREF: CmpCallCallBacksEx+38Fj
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jnz	loc_91DF02
		cmp	[eax], ecx
		jnz	loc_91DF02
		mov	[eax], edx
		mov	[edx+4], eax
		mov	edx, [ebp+var_34]
		mov	eax, [edx+358h]
		test	eax, eax
		jz	short loc_91DCD2
		mov	eax, [eax]
		mov	[edx+358h], eax

loc_91DCD2:				; CODE XREF: CmpCallCallBacksEx+10BD18j
		call	_CmpFreeCallbackContext@4 ; CmpFreeCallbackContext(x)
		or	eax, 0FFFFFFFFh
		mov	ecx, [ebp+var_2C]
		lock xadd [ecx+8], eax
		dec	eax
		cmp	eax, 80000000h
		jnz	short loc_91DD0D
		mov	[ebp+var_54], 0
		xor	ecx, ecx
		lea	eax, [ebp+var_54]
		lock or	[eax], ecx
		cmp	_CallbackListDeleteEvent, ecx
		jz	short loc_91DD0D
		xor	edx, edx
		mov	ecx, offset _CallbackListDeleteEvent
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_91DD0D:				; CODE XREF: CmpCallCallBacksEx+10BD38j
					; CmpCallCallBacksEx+10BD4Fj
		xor	al, al
		mov	byte ptr [ebp+arg_C+3],	al
		mov	[ebp+var_19], 1
		jmp	loc_812170
; 

loc_91DD1B:				; CODE XREF: CmpCallCallBacksEx+3A3j
					; DATA XREF: PAGE:00812A4Co
		mov	eax, [ecx+10h]
		mov	[esi+10h], eax
		jmp	loc_812367
; 

loc_91DD26:				; CODE XREF: CmpCallCallBacksEx+1E2j
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	loc_812198
		cmp	word ptr [ecx+13Eh], 0
		jnz	loc_812198
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_812198
; 

loc_91DD4A:				; CODE XREF: CmpCallCallBacksEx+21Cj
		mov	ecx, 7
		xor	eax, eax
		lea	edi, [ebp+var_88]
		rep stosd
		lea	ecx, [ebp+var_88]
		mov	[ebp+var_20], ecx
		mov	edx, [ebp+arg_8]
		cmp	edx, 1Bh
		jz	short loc_91DD74
		cmp	edx, 1Dh
		jz	short loc_91DD74
		mov	eax, [ebp+var_58]
		jmp	short loc_91DD85
; 

loc_91DD74:				; CODE XREF: CmpCallCallBacksEx+10BDB8j
					; CmpCallCallBacksEx+10BDBDj
		cmp	ebx, 0C0000503h
		jnz	short loc_91DD83
		mov	eax, [esi+28h]
		mov	eax, [eax]
		jmp	short loc_91DD85
; 

loc_91DD83:				; CODE XREF: CmpCallCallBacksEx+10BDCAj
		xor	eax, eax

loc_91DD85:				; CODE XREF: CmpCallCallBacksEx+10BDC2j
					; CmpCallCallBacksEx+10BDD1j
		mov	[ebp+var_88], eax
		cmp	ebx, 0C0000503h
		jnz	short loc_91DDB5
		mov	eax, [ebp+var_24]
		cmp	eax, 1Ah
		jz	short loc_91DDA7
		cmp	eax, 1Ch
		jz	short loc_91DDA7
		xor	eax, eax
		mov	esi, [ebp+arg_0]
		jmp	short loc_91DDAD
; 

loc_91DDA7:				; CODE XREF: CmpCallCallBacksEx+10BDE9j
					; CmpCallCallBacksEx+10BDEEj
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+8]

loc_91DDAD:				; CODE XREF: CmpCallCallBacksEx+10BDF5j
		mov	[ebp+var_84], eax
		jmp	short loc_91DDC0
; 

loc_91DDB5:				; CODE XREF: CmpCallCallBacksEx+10BDE1j
		mov	[ebp+var_84], ebx
		mov	eax, ebx
		mov	esi, [ebp+arg_0]

loc_91DDC0:				; CODE XREF: CmpCallCallBacksEx+10BE03j
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+var_5C]
		mov	[ebp+var_80], eax
		test	esi, esi
		jz	loc_8121E0
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_68], eax
		jmp	loc_8121E0
; 

loc_91DDEB:				; CODE XREF: CmpCallCallBacksEx+270j
					; DATA XREF: PAGE:off_8129D8o
		mov	ecx, [ecx]
		lea	edx, [edi+10h]
		call	CmpGetCallbackObjectContext
		mov	ecx, [ebp+var_20]
		mov	[ecx+8], eax
		mov	edx, [ebp+arg_8]
		jmp	loc_81222E
; 

loc_91DE03:				; CODE XREF: CmpCallCallBacksEx+270j
					; DATA XREF: PAGE:008129E0o
		mov	ecx, [ecx]
		lea	edx, [edi+10h]
		call	CmpGetCallbackObjectContext
		mov	ecx, [ebp+var_20]
		mov	[ecx+0Ch], eax
		mov	edx, [ebp+arg_8]
		jmp	loc_81222E
; 

loc_91DE1B:				; CODE XREF: CmpCallCallBacksEx+270j
					; DATA XREF: PAGE:008129DCo
		mov	ecx, [ecx]
		lea	edx, [edi+10h]
		call	CmpGetCallbackObjectContext
		mov	ecx, [ebp+var_20]
		mov	[ecx+1Ch], eax
		mov	edx, [ebp+arg_8]
		jmp	loc_81222E
; 

loc_91DE33:				; CODE XREF: CmpCallCallBacksEx+270j
					; DATA XREF: PAGE:008129E4o
		mov	ecx, [ecx]
		lea	edx, [edi+10h]
		call	CmpGetCallbackObjectContext
		mov	ecx, [ebp+var_20]
		mov	[ecx+14h], eax
		mov	edx, [ebp+arg_8]
		jmp	loc_81222E
; 

loc_91DE4B:				; CODE XREF: CmpCallCallBacksEx+270j
					; DATA XREF: PAGE:008129E8o
		mov	ecx, [ecx]
		lea	edx, [edi+10h]
		call	CmpGetCallbackObjectContext
		mov	ecx, [ebp+var_20]
		mov	[ecx+18h], eax
		mov	edx, [ebp+arg_8]
		jmp	loc_81222E
; 

loc_91DE63:				; CODE XREF: CmpCallCallBacksEx+270j
					; DATA XREF: PAGE:008129F4o
		mov	ecx, [ecx+4]
		lea	edx, [edi+10h]
		call	CmpGetCallbackObjectContext
		mov	ecx, [ebp+var_20]
		mov	[ecx+30h], eax
		mov	edx, [ebp+arg_8]
		jmp	loc_81222E
; 

loc_91DE7C:				; CODE XREF: CmpCallCallBacksEx+270j
					; DATA XREF: PAGE:008129F8o
		mov	ecx, [ecx]
		lea	edx, [edi+10h]
		call	CmpGetCallbackObjectContext
		mov	ecx, [ebp+var_20]
		mov	[ecx+24h], eax
		mov	edx, [ebp+arg_8]
		jmp	loc_81222E
; 

loc_91DE94:				; CODE XREF: CmpCallCallBacksEx+270j
					; DATA XREF: PAGE:008129FCo
		mov	ecx, [ecx]
		lea	edx, [edi+10h]
		call	CmpGetCallbackObjectContext
		mov	ecx, [ebp+var_20]
		mov	[ecx+10h], eax
		mov	edx, [ebp+arg_8]
		jmp	loc_81222E
; END OF FUNCTION CHUNK	FOR CmpCallCallBacksEx

;  S U B	R O U T	I N E 


sub_91DEAC	proc near		; DATA XREF: .text:006A57E8o
		mov	edx, [ebp-48h]
		mov	ecx, [ebp-14h]
		call	_CmpCallbackFatalFilter@8 ; CmpCallbackFatalFilter(x,x)

loc_91DEB7:				; DATA XREF: .text:006A57ECo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-48h]
		mov	esi, [ebp-60h]
		jmp	loc_812256
sub_91DEAC	endp

; 
; START	OF FUNCTION CHUNK FOR CmpCallCallBacksEx

loc_91DECC:				; CODE XREF: CmpCallCallBacksEx+2CBj
		mov	ecx, 40h
		jmp	loc_812281
; 

loc_91DED6:				; CODE XREF: CmpCallCallBacksEx+2FAj
		mov	[ebp+var_64], 0
		xor	ecx, ecx
		lea	eax, [ebp+var_64]
		lock or	[eax], ecx
		cmp	_CallbackListDeleteEvent, ecx
		jz	loc_8122B0
		xor	edx, edx
		mov	ecx, offset _CallbackListDeleteEvent
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_8122B0
; 

loc_91DF02:				; CODE XREF: CmpCallCallBacksEx+15Fj
					; CmpCallCallBacksEx+242j ...
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_91DF09:				; CODE XREF: CmpCallCallBacksEx+1FCj
		test	ecx, ecx
		jz	loc_8121B2
		mov	ebx, [ecx+0Ch]
		test	ebx, ebx
		js	loc_8121B2
		mov	ebx, 0C0000503h
		jmp	loc_8121B2
; END OF FUNCTION CHUNK	FOR CmpCallCallBacksEx
; 
; START	OF FUNCTION CHUNK FOR MmQueryPfnList

loc_91DF26:				; CODE XREF: MmQueryPfnList+3Cj
		or	dword ptr [esi+0Ch], 2
		mov	esi, 0C00000F0h
		jmp	loc_812B03
; END OF FUNCTION CHUNK	FOR MmQueryPfnList
; 
; START	OF FUNCTION CHUNK FOR ExpGetProcessInformation

loc_91DF34:				; CODE XREF: ExpGetProcessInformation+10E3j
		mov	eax, 0C0000004h
		jmp	loc_813B2C
; 

loc_91DF3E:				; CODE XREF: ExpGetProcessInformation+1CDj
		cmp	edi, ds:_PsIdleProcess
		jz	loc_813AC4
		jmp	loc_812CF3
; 

loc_91DF4F:				; CODE XREF: ExpGetProcessInformation+1E5j
		cmp	eax, [ecx]
		jnz	loc_81362F
		jmp	loc_812D0B
; 

loc_91DF5C:				; CODE XREF: ExpGetProcessInformation+226j
		mov	[ebp+var_3CC], 0FFFFFFFFh
		mov	ebx, 0C0000095h
		or	esi, 0FFFFFFFFh
		jmp	loc_812D54
; 

loc_91DF73:				; CODE XREF: ExpGetProcessInformation+23Cj
					; ExpGetProcessInformation+285j ...
		mov	[ebp+var_3A8], ebx
		jmp	loc_813B0E
; END OF FUNCTION CHUNK	FOR ExpGetProcessInformation

;  S U B	R O U T	I N E 


sub_91DF7E	proc near		; DATA XREF: .text:006A5810o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-43Ch], eax
		mov	eax, large fs:124h
		mov	[ebp-4A4h], eax
		mov	eax, [ebp-4A4h]
		mov	al, [eax+15Ah]
		mov	[ebp-3E1h], al
		mov	cl, [ebp-3E1h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_91DF7E	endp


;  S U B	R O U T	I N E 


sub_91DFB7	proc near		; DATA XREF: .text:006A5814o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-43Ch]
		mov	[ebp-3B0h], ebx
		mov	dword ptr [ebp-4], 0
		mov	edi, [ebp-3C4h]
		mov	[ebp-3ACh], edi
		jmp	loc_812DE9
sub_91DFB7	endp

; 
; START	OF FUNCTION CHUNK FOR ExpGetProcessInformation

loc_91DFDE:				; CODE XREF: ExpGetProcessInformation+368j
		mov	eax, [ebp+var_3C8]
		mov	eax, [eax]
		lea	ecx, [ebx+1D0h]
		jmp	loc_812E64
; 

loc_91DFF1:				; CODE XREF: ExpGetProcessInformation+F98j
		xor	edi, edi
		jmp	loc_812EDF
; 

loc_91DFF8:				; CODE XREF: ExpGetProcessInformation+3F0j
		mov	[ebp+var_3CC], 0FFFFFFFFh
		mov	ebx, 0C0000095h
		or	esi, 0FFFFFFFFh
		jmp	loc_812F1E
; 

loc_91E00F:				; CODE XREF: ExpGetProcessInformation+406j
					; ExpGetProcessInformation+565j ...
		mov	[ebp+var_3A8], ebx
		jmp	loc_813B14
; 

loc_91E01A:				; CODE XREF: ExpGetProcessInformation+43Aj
		mov	eax, [ebp+var_404]
		sub	[ebp+var_3D4], eax
		sub	esi, eax
		mov	[ebp+var_3CC], esi
		jmp	loc_81309D
; 

loc_91E033:				; CODE XREF: ExpGetProcessInformation+CA3j
		mov	dword ptr [esi+40h], 0
		mov	dword ptr [esi+44h], 0
		jmp	loc_8137F3
; 

loc_91E046:				; CODE XREF: ExpGetProcessInformation+CDFj
		cmp	eax, ds:_MmHighestUserAddress
		jbe	loc_813805
		mov	dword ptr [esi+48h], 0
		jmp	loc_813808
; END OF FUNCTION CHUNK	FOR ExpGetProcessInformation

;  S U B	R O U T	I N E 


sub_91E05E	proc near		; DATA XREF: .text:006A581Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44Ch], eax
		mov	eax, large fs:124h
		mov	[ebp-448h], eax
		mov	eax, [ebp-448h]
		mov	al, [eax+15Ah]
		mov	[ebp-3E2h], al
		mov	cl, [ebp-3E2h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_91E05E	endp


;  S U B	R O U T	I N E 


sub_91E097	proc near		; DATA XREF: .text:006A5820o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-44Ch]
		mov	[ebp-3B0h], ebx
		mov	dword ptr [ebp-4], 0
		mov	edi, [ebp-3C4h]
		mov	[ebp-3ACh], edi
		mov	edi, [ebp-3BCh]
		mov	esi, [ebp-3D0h]
		jmp	loc_813083
sub_91E097	endp

; 
; START	OF FUNCTION CHUNK FOR ExpGetProcessInformation

loc_91E0CA:				; CODE XREF: ExpGetProcessInformation+846j
		mov	dl, [esi+1BBh]
		mov	ecx, esi
		call	_KeIsProcessPowerThrottled@8 ; KeIsProcessPowerThrottled(x,x)
		test	eax, eax
		jz	loc_81336C

loc_91E0DF:				; CODE XREF: ExpGetProcessInformation+839j
		or	dword ptr [ebx+30h], 20h
		jmp	loc_81336C
; END OF FUNCTION CHUNK	FOR ExpGetProcessInformation

;  S U B	R O U T	I N E 


sub_91E0E8	proc near		; DATA XREF: .text:006A5828o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-454h], eax
		mov	eax, large fs:124h
		mov	[ebp-450h], eax
		mov	eax, [ebp-450h]
		mov	al, [eax+15Ah]
		mov	[ebp-3F8h], al
		mov	cl, [ebp-3F8h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_91E0E8	endp


;  S U B	R O U T	I N E 


sub_91E121	proc near		; DATA XREF: .text:006A582Co
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-454h]
		mov	[ebp-3B0h], ebx
		mov	dword ptr [ebp-4], 0
		mov	esi, [ebp-3C4h]
		mov	[ebp-3ACh], esi
		jmp	loc_813379
sub_91E121	endp


;  S U B	R O U T	I N E 


sub_91E148	proc near		; DATA XREF: .text:006A5834o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-45Ch], eax
		mov	eax, large fs:124h
		mov	[ebp-458h], eax
		mov	eax, [ebp-458h]
		mov	al, [eax+15Ah]
		mov	[ebp-3E3h], al
		mov	cl, [ebp-3E3h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_91E148	endp


;  S U B	R O U T	I N E 


sub_91E181	proc near		; DATA XREF: .text:006A5838o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-45Ch]
		mov	[ebp-3B0h], ebx
		mov	dword ptr [ebp-4], 0
		mov	edx, [ebp-3F4h]
		mov	esi, [ebp-3C4h]
		mov	[ebp-3ACh], esi
		mov	ecx, [ebp-408h]
		mov	[ebp-3B4h], ecx
		mov	edi, [ebp-3BCh]
		mov	eax, [ebp-3D0h]
		jmp	loc_8139D2
sub_91E181	endp


;  S U B	R O U T	I N E 


sub_91E1C6	proc near		; DATA XREF: .text:006A5840o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-464h], eax
		mov	eax, large fs:124h
		mov	[ebp-460h], eax
		mov	eax, [ebp-460h]
		mov	al, [eax+15Ah]
		mov	[ebp-3E4h], al
		mov	cl, [ebp-3E4h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_91E1C6	endp


;  S U B	R O U T	I N E 


sub_91E1FF	proc near		; DATA XREF: .text:006A5844o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-464h]
		mov	[ebp-3B0h], ebx
		mov	dword ptr [ebp-4], 0
		mov	esi, [ebp-3C4h]
		mov	[ebp-3ACh], esi
		mov	ecx, [ebp-408h]
		mov	[ebp-3B4h], ecx
		mov	edi, [ebp-3BCh]
		mov	eax, [ebp-3D0h]
		jmp	loc_813C89
sub_91E1FF	endp


;  S U B	R O U T	I N E 


sub_91E23E	proc near		; DATA XREF: .text:006A584Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-46Ch], eax
		mov	eax, large fs:124h
		mov	[ebp-468h], eax
		mov	eax, [ebp-468h]
		mov	al, [eax+15Ah]
		mov	[ebp-3E5h], al
		mov	cl, [ebp-3E5h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_91E23E	endp

; 
byte_91E277	db 8Bh			; DATA XREF: .text:006A5850o
		dd 9D8BE865h, 0FFFFFB94h, 0FC509D89h, 45C7FFFFh, 0FCh
		db 0
; 
		mov	esi, [ebp-3C4h]
		mov	[ebp-3ACh], esi
		mov	edi, [ebp-3BCh]
		mov	eax, [ebp-3D0h]
		jmp	loc_813A8C
; 
; START	OF FUNCTION CHUNK FOR ExpGetProcessInformation

loc_91E2AA:				; CODE XREF: ExpGetProcessInformation+8BFj
		mov	ecx, dword_6BEE00
		test	ecx, ecx
		jz	loc_8133E5
		lea	eax, [ebp+var_3FC]
		push	eax
		push	esi
		call	ecx
		jmp	loc_813448
; 

loc_91E2C7:				; CODE XREF: ExpGetProcessInformation+8EEj
		mov	eax, 0C0000017h
		jmp	loc_813448
; 

loc_91E2D1:				; CODE XREF: ExpGetProcessInformation+930j
		mov	edx, [esi+1C0h]
		jmp	loc_81345C
; 

loc_91E2DC:				; CODE XREF: ExpGetProcessInformation+9EFj
		mov	[ebp+var_3CC], 0FFFFFFFFh
		mov	ebx, 0C0000095h
		or	edx, 0FFFFFFFFh
		jmp	loc_813523
; 

loc_91E2F3:				; CODE XREF: ExpGetProcessInformation+A32j
		mov	ecx, [ebp+var_3B4]
		jmp	loc_813580
; END OF FUNCTION CHUNK	FOR ExpGetProcessInformation

;  S U B	R O U T	I N E 


sub_91E2FE	proc near		; DATA XREF: .text:006A5858o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-478h], eax
		mov	eax, large fs:124h
		mov	[ebp-474h], eax
		mov	eax, [ebp-474h]
		mov	al, [eax+15Ah]
		mov	[ebp-3E6h], al
		mov	cl, [ebp-3E6h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_91E2FE	endp


;  S U B	R O U T	I N E 


sub_91E337	proc near		; DATA XREF: .text:006A585Co
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-478h]
		mov	[ebp-3B0h], ebx
		mov	dword ptr [ebp-4], 0
		mov	eax, [ebp-3F4h]
		mov	[ebp-3C0h], eax
		mov	eax, [ebp-3C4h]
		mov	[ebp-3ACh], eax
		mov	edi, [ebp-3BCh]
		mov	eax, [ebp-428h]
		mov	[ebp-3B4h], eax
		mov	esi, [ebp-3D0h]
		jmp	loc_813597
sub_91E337	endp


;  S U B	R O U T	I N E 


sub_91E382	proc near		; DATA XREF: .text:006A5864o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-480h], eax
		mov	eax, large fs:124h
		mov	[ebp-47Ch], eax
		mov	eax, [ebp-47Ch]
		mov	al, [eax+15Ah]
		mov	[ebp-3F5h], al
		mov	cl, [ebp-3F5h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_91E382	endp


;  S U B	R O U T	I N E 


sub_91E3BB	proc near		; DATA XREF: .text:006A5868o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-480h]
		mov	[ebp-3B0h], ebx
		mov	dword ptr [ebp-4], 0
		mov	eax, [ebp-3C4h]
		mov	[ebp-3ACh], eax
		mov	edi, [ebp-3BCh]
		jmp	loc_8135F4
sub_91E3BB	endp


;  S U B	R O U T	I N E 


sub_91E3E8	proc near		; DATA XREF: .text:006A5870o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-488h], eax
		mov	eax, large fs:124h
		mov	[ebp-484h], eax
		mov	eax, [ebp-484h]
		mov	al, [eax+15Ah]
		mov	[ebp-3F7h], al
		mov	cl, [ebp-3F7h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_91E3E8	endp


;  S U B	R O U T	I N E 


sub_91E421	proc near		; DATA XREF: .text:006A5874o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-488h]
		mov	[ebp-3B0h], ebx
		mov	dword ptr [ebp-4], 0
		mov	eax, [ebp-3C4h]
		mov	[ebp-3ACh], eax
		mov	edi, [ebp-3BCh]
		jmp	loc_813621
sub_91E421	endp

; 
; START	OF FUNCTION CHUNK FOR ExpGetProcessInformation

loc_91E44E:				; CODE XREF: ExpGetProcessInformation+BA9j
		mov	eax, [ebp+var_3C8]
		mov	eax, [eax]
		jmp	loc_81369C
; END OF FUNCTION CHUNK	FOR ExpGetProcessInformation

;  S U B	R O U T	I N E 


sub_91E45B	proc near		; DATA XREF: .text:006A587Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-494h], eax
		mov	eax, large fs:124h
		mov	[ebp-490h], eax
		mov	eax, [ebp-490h]
		mov	al, [eax+15Ah]
		mov	[ebp-3F6h], al
		mov	cl, [ebp-3F6h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_91E45B	endp


;  S U B	R O U T	I N E 


sub_91E494	proc near		; DATA XREF: .text:006A5880o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-494h]
		mov	[ebp-3B0h], eax
		mov	dword ptr [ebp-4], 0
		mov	eax, [ebp-3C4h]
		mov	[ebp-3ACh], eax
		jmp	loc_813BC2
sub_91E494	endp

; 
; START	OF FUNCTION CHUNK FOR ExpGetProcessInformation

loc_91E4BB:				; CODE XREF: ExpGetProcessInformation+10B0j
		mov	[ebp+var_3A8], eax
		jmp	loc_813B0E
; END OF FUNCTION CHUNK	FOR ExpGetProcessInformation

;  S U B	R O U T	I N E 


sub_91E4C6	proc near		; DATA XREF: .text:006A5808o
		mov	eax, [ebp-3C4h]
		mov	edi, [ebp-3BCh]
		jmp	sub_813DA4
sub_91E4C6	endp

; 
; START	OF FUNCTION CHUNK FOR sub_813DA4

loc_91E4D7:				; CODE XREF: sub_813DA4+2j
		cmp	eax, ds:_PsIdleProcess
		jz	loc_813DAC
		mov	edx, 6E457350h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		jmp	loc_813DAC
; 

loc_91E4F4:				; CODE XREF: sub_813DA4+Aj
		mov	eax, [edi+150h]
		cmp	eax, ds:_PsIdleProcess
		jz	loc_813DB4
		mov	edx, 6E457350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		jmp	loc_813DB4
; 

loc_91E517:				; CODE XREF: sub_813DA4+18j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	locret_813DC2
; END OF FUNCTION CHUNK	FOR sub_813DA4
; 
; START	OF FUNCTION CHUNK FOR ObpReferenceObjectByHandleWithTag

loc_91E524:				; CODE XREF: ObpReferenceObjectByHandleWithTag+37Fj
		cmp	[ebp+arg_4], 0
		jz	loc_8141E5

loc_91E52E:				; CODE XREF: ObpReferenceObjectByHandleWithTag+10A6FFj
		mov	eax, 0C0000022h
		jmp	loc_814018
; 

loc_91E538:				; CODE XREF: ObpReferenceObjectByHandleWithTag+39Aj
		push	[ebp+arg_8]
		mov	dl, 1
		mov	ecx, edi
		push	1
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		mov	eax, [ebp+arg_C]
		jmp	loc_814200
; 

loc_91E54E:				; CODE XREF: ObpReferenceObjectByHandleWithTag+3ADj
		push	ecx
		push	10h
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91E55B:				; CODE XREF: ObpReferenceObjectByHandleWithTag+216j
		cmp	[ebp+arg_4], 0
		jnz	short loc_91E52E
		jmp	loc_81407C
; 

loc_91E566:				; CODE XREF: ObpReferenceObjectByHandleWithTag+224j
		mov	dword ptr [ecx+4], 1FFFFFh
		mov	dword ptr [ecx], 0
		jmp	loc_81408A
; 

loc_91E578:				; CODE XREF: ObpReferenceObjectByHandleWithTag+231j
		push	[ebp+arg_8]
		mov	dl, 1
		mov	ecx, esi
		push	1
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		mov	eax, [ebp+arg_C]
		jmp	loc_814097
; 

loc_91E58E:				; CODE XREF: ObpReferenceObjectByHandleWithTag+244j
		push	ecx
		push	10h
		push	edi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91E59B:				; CODE XREF: ObpReferenceObjectByHandleWithTag+342j
		mov	eax, 0C0000008h
		jmp	loc_814018
; 

loc_91E5A5:				; CODE XREF: ObpReferenceObjectByHandleWithTag+60j
		cmp	[ebp+arg_4], 0
		jnz	loc_813EC6
		mov	ecx, esi
		call	_VfCheckUserHandle@4 ; VfCheckUserHandle(x)
		jmp	loc_813EC6
; 

loc_91E5BB:				; CODE XREF: ObpReferenceObjectByHandleWithTag+3F0j
		add	eax, ecx
		push	eax
		push	10h
		lea	eax, [ebx+18h]
		push	eax
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91E5CD:				; CODE XREF: ObpReferenceObjectByHandleWithTag+40Cj
		neg	eax
		lock xadd [ebx], eax
		jmp	loc_813F4A
; 

loc_91E5D8:				; CODE XREF: ObpReferenceObjectByHandleWithTag+2CCj
		add	eax, ecx
		push	eax
		push	10h
		lea	eax, [ebx+18h]
		push	eax
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91E5EA:				; CODE XREF: ObpReferenceObjectByHandleWithTag+F1j
		push	[ebp+arg_8]
		mov	dl, 1
		mov	ecx, ebx
		push	1
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		jmp	loc_813F57
; 

loc_91E5FD:				; CODE XREF: ObpReferenceObjectByHandleWithTag+1E0j
		mov	esi, 0C000A006h
		jmp	loc_814296
; 

loc_91E607:				; CODE XREF: ObpReferenceObjectByHandleWithTag+178j
					; ObpReferenceObjectByHandleWithTag+339j
		mov	[esp+30h+var_1E], 1
		jmp	loc_813FE3
; 

loc_91E611:				; CODE XREF: ObpReferenceObjectByHandleWithTag+3DCj
		mov	edx, esi
		mov	ecx, eax
		call	_ExpGetHandleExtraInfo@8 ; ExpGetHandleExtraInfo(x,x)
		test	eax, eax
		jz	short loc_91E62B
		mov	edx, [ebp+arg_14]
		mov	ecx, [eax]
		mov	[edx], ecx
		mov	eax, [eax+4]
		mov	[edx+4], eax

loc_91E62B:				; CODE XREF: ObpReferenceObjectByHandleWithTag+10A7BCj
		mov	eax, [esp+30h+var_1C]
		jmp	loc_813FF1
; 

loc_91E634:				; CODE XREF: ObpReferenceObjectByHandleWithTag+196j
		mov	ecx, [esp+30h+var_14]
		test	ecx, ecx
		jz	loc_813FFC
		push	ecx
		push	ebx
		push	[esp+38h+var_18]
		mov	edx, esi
		mov	ecx, eax
		call	_ObpAuditObjectAccess@20 ; ObpAuditObjectAccess(x,x,x,x,x)
		test	al, al
		jnz	loc_813FFC
		mov	esi, 0C0000008h
		jmp	loc_814296
; 

loc_91E661:				; CODE XREF: ObpReferenceObjectByHandleWithTag+260j
					; ObpReferenceObjectByHandleWithTag+26Cj
		push	0
		push	0
		push	eax
		push	ebx
		push	189h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91E671:				; CODE XREF: ObpReferenceObjectByHandleWithTag+47Cj
		mov	eax, large fs:124h
		mov	edx, esi
		mov	ecx, [esp+44h+var_30]
		movzx	eax, byte ptr [eax+15Ah]
		push	eax
		call	ExHandleLogBadReference
		jmp	loc_8142E2
; 

loc_91E68F:				; CODE XREF: ObpReferenceObjectByHandleWithTag+446j
		mov	ecx, [esp+30h+var_10]
		add	ecx, 0F0h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_8142AC
; 

loc_91E6A3:				; CODE XREF: ObpReferenceObjectByHandleWithTag+85j
					; ObpReferenceObjectByHandleWithTag+97j
		mov	esi, 0C0000008h
		jmp	loc_8142AC
; END OF FUNCTION CHUNK	FOR ObpReferenceObjectByHandleWithTag
; 
; START	OF FUNCTION CHUNK FOR ExpLookupHandleTableEntry

loc_91E6AD:				; CODE XREF: ExpLookupHandleTableEntry+22j
		mov	edx, eax
		shr	edx, 0Bh
		mov	ecx, edx
		and	edx, 3FFh
		shr	ecx, 0Ah
		and	eax, 7FFh
		mov	ecx, [esi+ecx*4-2]
		mov	ecx, [ecx+edx*4]
		jmp	loc_814376
; END OF FUNCTION CHUNK	FOR ExpLookupHandleTableEntry
; 
; START	OF FUNCTION CHUNK FOR CmpUnlockKcbStack

loc_91E6CE:				; CODE XREF: CmpUnlockKcbStack+4Dj
		test	dword ptr [ebx+4], 80000h
		jz	loc_814423
		mov	ecx, ebx
		call	CmpFreeKeyControlBlock
		jmp	loc_814423
; END OF FUNCTION CHUNK	FOR CmpUnlockKcbStack
; 
; START	OF FUNCTION CHUNK FOR CmpStartKcbStack

loc_91E6E7:				; CODE XREF: CmpStartKcbStack+14j
		movsx	eax, di
		sub	eax, 1
		jz	loc_8165FA
		shl	eax, 2
		mov	ecx, 1
		push	35364D43h
		mov	edx, eax
		mov	[ebp+var_4], eax
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_91E71A
		mov	eax, 0C000009Ah
		jmp	loc_816609
; 

loc_91E71A:				; CODE XREF: CmpStartKcbStack+10812Ej
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_8165FA
; END OF FUNCTION CHUNK	FOR CmpStartKcbStack
; 
; START	OF FUNCTION CHUNK FOR ExMapHandleToPointer

loc_91E72D:				; CODE XREF: ExMapHandleToPointer+3Cj
		push	edx
		mov	edx, esi
		mov	ecx, edi
		call	_ExpBlockOnLockedHandleEntry@12	; ExpBlockOnLockedHandleEntry(x,x,x)
		jmp	loc_816630
; END OF FUNCTION CHUNK	FOR ExMapHandleToPointer
; 
; START	OF FUNCTION CHUNK FOR NtClose

loc_91E73C:				; CODE XREF: NtClose+27j
		test	bl, bl
		jnz	loc_8179AD
		xor	dl, dl
		mov	ecx, esi
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jnz	loc_8179AD
		call	_VfCheckUserHandle@4 ; VfCheckUserHandle(x)
		jmp	loc_8179AD
; 

loc_91E75F:				; CODE XREF: NtClose+147j
		cmp	byte ptr [ebp+var_2+1],	0
		jz	loc_817ACD
		push	[ebp+var_10]
		mov	edx, esi
		mov	ecx, eax
		call	ExHandleLogBadReference
		mov	eax, [ebp+arg_0]
		jmp	loc_817ACD
; 

loc_91E77D:				; CODE XREF: NtClose+15Fj NtClose+16Fj ...
		call	_KeIsAttachedProcess@0 ; KeIsAttachedProcess()
		test	al, al
		jnz	short loc_91E797
		push	0C0000008h
		call	_KeRaiseUserException@4	; KeRaiseUserException(x)
		mov	esi, eax
		jmp	loc_817A78
; 

loc_91E797:				; CODE XREF: NtClose+106E04j
		mov	esi, 0C0000008h
		jmp	loc_817A78
; 

loc_91E7A1:				; CODE XREF: NtClose+14Fj
		mov	eax, [edi+2FCh]
		test	al, 1
		jnz	loc_817A66
		mov	ecx, [ebp+var_C]
		cmp	dword ptr [ecx+17Ch], 0
		jz	loc_817A66
		cmp	_KdDebuggerEnabled, 0
		jz	loc_817A66
		push	0
		push	0
		push	1
		push	esi
		push	93h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_91E7DE:				; CODE XREF: CmpIsKeyStackDeleted+6Aj
					; NtClose+106E7Aj
		mov	ecx, [eax+24h]
		cmp	ecx, 2
		jz	short loc_91E801
		cmp	ecx, 0Bh
		jz	short loc_91E801
		push	10h
		lea	edx, [ebp-4]
		lea	ecx, [esi+70h]
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jnz	short loc_91E7DE
		jmp	loc_817C33
; 

loc_91E801:				; CODE XREF: NtClose+106E64j
					; NtClose+106E69j
		mov	ecx, [eax+1Ch]
		mov	edx, ebx
		call	CmEqualTrans
		test	al, al
		jnz	loc_817C42
		jmp	loc_817C33
; END OF FUNCTION CHUNK	FOR NtClose
; 
; START	OF FUNCTION CHUNK FOR CmpParseKey

loc_91E818:				; CODE XREF: CmpParseKey+95j
		mov	eax, 0C0000024h
		jmp	loc_81840C
; 

loc_91E822:				; CODE XREF: CmpParseKey+DCj
		push	34364D43h
		mov	edx, 0B4h
		mov	ecx, 1
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+0A8h+var_68], ebx
		test	ebx, ebx
		jnz	short loc_91E84A
		mov	eax, 0C000009Ah
		jmp	loc_81840C
; 

loc_91E84A:				; CODE XREF: CmpParseKey+10672Ej
		push	0B4h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebx+3Ch], 0FFFFFFFFh
		lea	eax, [ebx+58h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+7Ch]
		push	38h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_8181F2
; 

loc_91E87E:				; CODE XREF: CmpParseKey+3BAj
		mov	esi, 0C0000022h
		jmp	loc_8183FE
; 

loc_91E888:				; CODE XREF: CmpParseKey+3D2j
		mov	esi, 0C0000022h
		jmp	loc_8183FE
; 

loc_91E892:				; CODE XREF: CmpParseKey+1F4j
		cmp	esi, 0C0000503h
		jnz	short loc_91E915
		mov	esi, [esp+0A8h+var_78]
		cmp	esi, 104h
		jz	short loc_91E915
		cmp	esi, 368h
		jz	loc_8184F0
		mov	ecx, [ebp+arg_8]
		mov	eax, [esp+0A8h+var_30]
		or	[ecx+14h], eax
		or	eax, 2000000h
		not	eax
		and	[ecx+10h], eax
		xor	esi, esi
		jmp	loc_8183F9
; 

loc_91E8CD:				; CODE XREF: CmpParseKey+431j
		mov	edx, [ebx+50h]
		lea	eax, [esp+0A8h+var_5C]
		push	eax
		push	ecx
		mov	ecx, [ebx+4Ch]
		call	_CmpRollbackTransactionArray@16	; CmpRollbackTransactionArray(x,x,x,x)
		and	dword ptr [ebx+40h], 0FFFFFFFBh
		mov	dword ptr [ebx+4Ch], 0
		mov	dword ptr [ebx+50h], 0
		jmp	loc_818547
; 

loc_91E8F5:				; CODE XREF: CmpParseKey+427j
		mov	esi, 0C0000034h
		jmp	loc_81836B
; 

loc_91E8FF:				; CODE XREF: CmpParseKey+2BFj
		mov	[eax+14h], ecx
		or	ecx, 2000000h
		not	ecx
		and	ecx, [eax+18h]
		mov	[eax+10h], ecx
		jmp	loc_8183D5
; 

loc_91E915:				; CODE XREF: CmpParseKey+106788j
					; CmpParseKey+106794j
		mov	edi, [esp+0A8h+var_6C]
		jmp	loc_8183E5
; 

loc_91E91E:				; CODE XREF: CmpParseKey+2F4j
		xor	dl, dl
		mov	ecx, edi
		call	CmpCleanupParseContext
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	loc_81840A
; END OF FUNCTION CHUNK	FOR CmpParseKey
; 
; START	OF FUNCTION CHUNK FOR NtQueryValueKey

loc_91E933:				; CODE XREF: NtQueryValueKey+B6j
		mov	edx, 20000h
		lea	ecx, [ebp+var_80]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		jmp	loc_81865C
; 

loc_91E945:				; CODE XREF: NtQueryValueKey+154j
		mov	esi, 0C0000189h
		jmp	loc_818A0A
; 

loc_91E94F:				; CODE XREF: NtQueryValueKey+582j
		cmp	ds:_CmpTraceRoutine, edi
		jz	short loc_91E9AE
		test	esi, esi
		jz	short loc_91E9AE
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_F0], al
		mov	eax, ds:_CmKeyObjectType
		mov	[ebp+var_10C], edi
		push	0
		lea	ecx, [ebp+var_10C]
		push	ecx
		push	[ebp+var_F0]
		push	eax
		push	0
		push	esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_91E9A8
		mov	ecx, [ebp+var_10C]
		mov	eax, [ecx+8]
		mov	[ebp+var_EC], eax
		call	ObfDereferenceObject

loc_91E9A8:				; CODE XREF: NtQueryValueKey+1063F2j
		mov	edi, [ebp+var_E0]

loc_91E9AE:				; CODE XREF: NtQueryValueKey+1063B5j
					; NtQueryValueKey+1063B9j
		mov	esi, 0C000000Dh
		jmp	loc_818A0A
; 

loc_91E9B8:				; CODE XREF: NtQueryValueKey+1B1j
		mov	eax, [ebp+var_E8]
		test	eax, eax
		jz	loc_818757
		mov	eax, [eax+8]
		mov	[ebp+var_EC], eax
		mov	[ebp+var_104], eax
		jmp	loc_818757
; 

loc_91E9DA:				; CODE XREF: NtQueryValueKey+1E9j
		mov	eax, ecx
		jmp	loc_81878F
; 

loc_91E9E1:				; CODE XREF: NtQueryValueKey+22Ej
					; NtQueryValueKey+236j
		mov	byte ptr [ecx],	0
		jmp	loc_8187DC
; 

loc_91E9E9:				; CODE XREF: NtQueryValueKey+25Cj
					; NtQueryValueKey+264j
		mov	byte ptr [ecx],	0
		jmp	loc_81880A
; 

loc_91E9F1:				; CODE XREF: NtQueryValueKey+277j
		mov	ecx, eax
		jmp	loc_81881D
; 

loc_91E9F8:				; CODE XREF: NtQueryValueKey+59Ej
		mov	esi, 0C000009Ah

loc_91E9FD:				; CODE XREF: NtQueryValueKey+10646Dj
		mov	[ebp+var_100], esi
		jmp	loc_818A00
; 

loc_91EA08:				; CODE XREF: NtQueryValueKey+2EFj
		mov	esi, 0C000000Dh
		jmp	short loc_91E9FD
; 

loc_91EA0F:				; CODE XREF: NtQueryValueKey+307j
		add	esi, 0FFFFFFFEh
		mov	[ebp+var_DC], si
		jmp	loc_818895
; 

loc_91EA1E:				; CODE XREF: NtQueryValueKey+39Fj
		mov	ebx, [ebp+arg_8]
		cmp	esi, 0C0000503h
		jnz	loc_818A0A
		xor	esi, esi
		jmp	loc_818A0A
; 

loc_91EA34:				; CODE XREF: NtQueryValueKey+3FAj
		push	[ebp+var_D8]	; int
		push	dword ptr [ebp+var_DC] ; __int16
		lea	eax, [ebp+var_F8]
		push	eax		; int
		push	ebx		; size_t
		push	[ebp+var_CC]	; int
		mov	edx, [ebp+arg_8]
		call	CmQueryValueKey
		mov	esi, eax
		test	esi, esi
		jns	loc_8189D2
		cmp	esi, 0C0000023h
		jz	loc_8189D2
		cmp	esi, 80000005h
		jz	loc_8189D2
		cmp	esi, 0C0000034h
		jnz	loc_818A07
		jmp	loc_8189A0
; END OF FUNCTION CHUNK	FOR NtQueryValueKey

;  S U B	R O U T	I N E 


sub_91EA89	proc near		; DATA XREF: .text:006A58A8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-124h], eax
		mov	eax, 1
		retn
sub_91EA89	endp


;  S U B	R O U T	I N E 


sub_91EA9C	proc near		; DATA XREF: .text:006A58ACo
		mov	esi, [ebp-124h]
		jmp	short loc_91EABF
; 

loc_91EAA4:				; DATA XREF: .text:006A58A0o
		xor	eax, eax
		mov	[ebp-0DCh], ax
		mov	[ebp-0D8h], eax
		mov	esi, [ebp-128h]
		mov	[ebp-100h], esi

loc_91EABF:				; CODE XREF: sub_91EA9C+6j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-0E0h]
		mov	eax, [ebp-104h]
		mov	[ebp-0ECh], eax
		jmp	loc_818A07
sub_91EA9C	endp

; 

loc_91EAE0:				; DATA XREF: .text:006A589Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-128h], eax
		mov	eax, 1
		retn
; 
; START	OF FUNCTION CHUNK FOR NtQueryValueKey

loc_91EAF3:				; CODE XREF: NtQueryValueKey+472j
		call	ObfDereferenceObject
		jmp	loc_818A18
; 

loc_91EAFD:				; CODE XREF: NtQueryValueKey+4D3j
		lea	ecx, [ebp+var_DC]
		push	ecx
		push	[ebp+var_EC]
		push	ebx
		push	esi
		lea	ecx, [ebp+var_80]
		push	ecx
		push	10h
		call	eax
		jmp	loc_818A79
; END OF FUNCTION CHUNK	FOR NtQueryValueKey
; 
; START	OF FUNCTION CHUNK FOR CmpBounceContextStart

loc_91EB19:				; CODE XREF: CmpBounceContextStart+4Dj
		mov	ecx, dword_6B2358
		xor	edx, edx
		mov	eax, ecx
		and	eax, 4
		cmp	eax, ecx
		jnz	loc_818C83
		cmp	edx, dword_6B235C
		jnz	loc_818C83
		lea	eax, [esp+78h+var_68]
		mov	[esp+78h+var_64], edx
		mov	[esp+78h+var_38], eax
		mov	al, [ebp+arg_8]
		mov	[esp+0Fh], al
		lea	eax, [esp+0Fh]
		mov	[esp+78h+var_28], eax
		lea	eax, [esi-1]
		mov	[esp+78h+var_34], edx
		mov	[esp+78h+var_2C], edx
		mov	[esp+78h+var_24], edx
		mov	[esp+78h+var_1C], edx
		mov	edx, esi
		mov	[esp+78h+var_68], 1
		mov	[esp+78h+var_30], 8
		mov	[esp+78h+var_20], 1
		test	eax, esi
		jz	short loc_91EB9C
		or	ecx, 0FFFFFFFFh
		mov	eax, esi
		test	esi, esi
		jz	short loc_91EB94

loc_91EB8F:				; CODE XREF: CmpBounceContextStart+105F62j
		inc	ecx
		shr	eax, 1
		jnz	short loc_91EB8F

loc_91EB94:				; CODE XREF: CmpBounceContextStart+105F5Dj
		inc	ecx
		mov	edx, 1
		shl	edx, cl

loc_91EB9C:				; CODE XREF: CmpBounceContextStart+105F54j
		lea	eax, [esp+78h+var_60]
		mov	[esp+78h+var_60], edx
		mov	[esp+78h+var_18], eax
		mov	edx, offset word_41A482
		lea	eax, [esp+78h+var_58]
		mov	[esp+78h+var_5C], 0
		push	eax
		push	5
		push	ecx
		mov	ecx, offset dword_6B2348
		mov	[esp+84h+var_14], 0
		mov	[esp+84h+var_10], 8
		mov	[esp+84h+var_C], 0
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)
		jmp	loc_818C83
; 

loc_91EBE4:				; CODE XREF: CmpBounceContextStart+DBj
		mov	eax, 0C000009Ah
		jmp	loc_818C9C
; END OF FUNCTION CHUNK	FOR CmpBounceContextStart
; 

loc_91EBEE:				; CODE XREF: PAGE:008190FEj
		test	bl, bl
		jnz	short loc_91EBFA
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, [esi+38h]

loc_91EBFA:				; CODE XREF: PAGE:0091EBF0j
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		test	bl, bl
		jnz	loc_819104
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		jmp	loc_819104
; 

loc_91EC11:				; CODE XREF: PAGE:00819261j
		mov	edx, 20000h
		lea	ecx, [ebp-44h]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		jmp	loc_819267
; 

loc_91EC23:				; CODE XREF: PAGE:008192D7j
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jz	short loc_91EC3F
		push	0
		push	0
		push	0
		push	0C0000189h
		lea	ecx, [ebp-44h]
		push	ecx
		push	0Bh
		call	eax

loc_91EC3F:				; CODE XREF: PAGE:0091EC2Aj
		mov	eax, 0C0000189h
		jmp	loc_81944F
; 

loc_91EC49:				; CODE XREF: PAGE:008192E6j
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		mov	eax, 0C00000F2h
		jmp	loc_81944F
; 

loc_91EC58:				; CODE XREF: PAGE:00819317j
		mov	ecx, edx
		jmp	loc_81931D
; 

loc_91EC5F:				; CODE XREF: PAGE:00819335j
		mov	ecx, eax
		jmp	loc_81933B
; 

loc_91EC66:				; CODE XREF: PAGE:0081935Cj
		mov	edx, eax
		jmp	loc_819362
; 

loc_91EC6D:				; CODE XREF: PAGE:008193A1j
					; PAGE:008193A9j
		mov	byte ptr [ecx],	0
		jmp	loc_8193AF
; 

loc_91EC75:				; DATA XREF: .text:006A58C4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-12Ch], eax
		mov	eax, 1
		retn
; 

loc_91EC88:				; DATA XREF: .text:006A58C8o
		mov	esp, [ebp-18h]
		xor	eax, eax
		mov	[ebp-108h], ax
		mov	[ebp-104h], eax
		mov	esi, [ebp-12Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-130h]
		mov	ecx, [ebp-10Ch]
		mov	eax, [ebp-134h]
		mov	[ebp-110h], eax
		mov	ebx, [ebp-118h]
		jmp	loc_8193BF
; 

loc_91ECCA:				; CODE XREF: PAGE:008193CAj
		test	ecx, ecx
		jz	loc_8193D0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp-118h], al
		mov	eax, ds:_CmKeyObjectType
		mov	dword ptr [ebp-11Ch], 0
		push	0
		lea	ecx, [ebp-11Ch]
		push	ecx
		push	dword ptr [ebp-118h]
		push	eax
		push	0
		push	dword ptr [ebp-10Ch]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_8193D0
		mov	ecx, [ebp-11Ch]
		mov	eax, [ecx+8]
		mov	[ebp-120h], eax
		call	ObfDereferenceObject
		jmp	loc_8193D0
; 

loc_91ED31:				; DATA XREF: .text:006A58D0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-13Ch], eax
		mov	eax, 1
		retn
; 

loc_91ED44:				; DATA XREF: .text:006A58D4o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-13Ch]
		cmp	byte ptr [ebp-0FDh], 0
		jz	loc_819427
		push	dword ptr [ebp-114h]
		call	NtClose
		jmp	loc_819427
; 

loc_91ED6A:				; CODE XREF: PAGE:00819435j
		lea	ecx, [ebp-108h]
		push	ecx
		push	dword ptr [ebp-120h]
		push	0
		push	esi
		lea	ecx, [ebp-44h]
		push	ecx
		push	0Bh
		call	eax
		jmp	loc_81943B
; 
; START	OF FUNCTION CHUNK FOR SeCaptureSubjectContext

loc_91ED87:				; CODE XREF: SeCaptureSubjectContext+34j
		xor	eax, eax
		jmp	loc_81951F
; 

loc_91ED8E:				; CODE XREF: SeCaptureSubjectContext+6Cj
		test	edi, edi
		jz	short loc_91EDAC
		mov	eax, [edi+294h]
		add	eax, 98h
		lock inc dword ptr [eax]
		mov	eax, [esi+8]
		cmp	eax, _SepTokenLeakToken
		jnz	short loc_91EDAC
		int	3		; Trap to Debugger

loc_91EDAC:				; CODE XREF: SeCaptureSubjectContext+1058C0j
					; SeCaptureSubjectContext+1058D9j
		mov	eax, [esi]
		test	eax, eax
		jz	loc_819542
		mov	eax, [eax+294h]
		add	eax, 98h
		lock inc dword ptr [eax]
		mov	eax, [esi]
		cmp	eax, _SepTokenLeakToken
		jnz	loc_819542
		int	3		; Trap to Debugger
		jmp	loc_819542
; END OF FUNCTION CHUNK	FOR SeCaptureSubjectContext
; 
; START	OF FUNCTION CHUNK FOR SeReleaseSubjectContext

loc_91EDD8:				; CODE XREF: SeReleaseSubjectContext+10j
		mov	eax, [esi+8]
		test	eax, eax
		jz	loc_8195FF
		mov	eax, [eax+294h]
		add	eax, 98h
		lock dec dword ptr [eax]
		mov	eax, [esi+8]
		cmp	eax, _SepTokenLeakToken
		jnz	loc_8195FF
		int	3		; Trap to Debugger
		jmp	loc_8195FF
; 

loc_91EE06:				; CODE XREF: SeReleaseSubjectContext+55j
		mov	eax, [eax+294h]
		add	eax, 98h
		lock dec dword ptr [eax]
		mov	eax, [esi]
		cmp	eax, _SepTokenLeakToken
		jnz	loc_8195C6
		int	3		; Trap to Debugger
		jmp	loc_8195C6
; END OF FUNCTION CHUNK	FOR SeReleaseSubjectContext
; 
; START	OF FUNCTION CHUNK FOR ObOpenObjectByNameEx

loc_91EE28:				; CODE XREF: ObOpenObjectByNameEx+5B5j
		mov	eax, 0C000009Ah
		jmp	loc_8199AD
; 

loc_91EE32:				; CODE XREF: ObOpenObjectByNameEx+C2j
		mov	eax, large fs:20h
		mov	ebx, [eax+5E0h]
		mov	cx, [ebx+4]
		inc	dword ptr [ebx+14h]
		cmp	cx, [ebx+8]
		jb	short loc_91EE6C
		inc	dword ptr [ebx+18h]
		mov	ebx, [eax+5E4h]
		mov	ax, [ebx+4]
		inc	dword ptr [ebx+14h]
		cmp	ax, [ebx+8]
		jb	short loc_91EE6C
		mov	eax, [ebx+2Ch]
		inc	dword ptr [ebx+18h]
		push	esi
		call	eax
		jmp	short loc_91EE75
; 

loc_91EE6C:				; CODE XREF: ObOpenObjectByNameEx+105839j
					; ObOpenObjectByNameEx+10584Fj
		mov	edx, esi
		mov	ecx, ebx
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_91EE75:				; CODE XREF: ObOpenObjectByNameEx+10585Aj
		mov	eax, edi
		jmp	loc_8199AD
; 

loc_91EE7C:				; CODE XREF: ObOpenObjectByNameEx+104j
		xor	eax, eax
		mov	[esp+78h+var_68], eax
		mov	[esp+78h+var_3C], eax
		jmp	loc_819732
; 

loc_91EE8B:				; CODE XREF: ObOpenObjectByNameEx+3F4j
		xor	ebx, ebx
		mov	[esp+78h+var_68], ebx
		jmp	loc_819A2F
; 

loc_91EE96:				; CODE XREF: ObOpenObjectByNameEx+14Cj
		test	ebx, ebx
		jz	short loc_91EEB1
		mov	eax, [ebx+294h]
		add	eax, 98h
		lock inc dword ptr [eax]
		cmp	ebx, _SepTokenLeakToken
		jnz	short loc_91EEB1
		int	3		; Trap to Debugger

loc_91EEB1:				; CODE XREF: ObOpenObjectByNameEx+105888j
					; ObOpenObjectByNameEx+10589Ej
		test	ecx, ecx
		jz	loc_819762
		mov	eax, [ecx+294h]
		add	eax, 98h
		lock inc dword ptr [eax]
		cmp	ecx, _SepTokenLeakToken
		jnz	loc_819762
		int	3		; Trap to Debugger
		jmp	loc_819762
; 

loc_91EED9:				; CODE XREF: ObOpenObjectByNameEx+526j
		mov	ebx, 0C0000079h
		jmp	loc_8198F1
; 

loc_91EEE3:				; CODE XREF: ObOpenObjectByNameEx+215j
		movzx	eax, byte ptr [eax+8]
		push	1
		push	eax
		push	ecx
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	ecx, [esp+78h+var_58]
		mov	eax, [ecx+10h]
		mov	dword ptr [eax+18h], 0
		mov	edx, [ecx+10h]
		jmp	loc_81982D
; 

loc_91EF06:				; CODE XREF: ObOpenObjectByNameEx+272j
		push	[esp+78h+var_64]
		call	_ObDereferenceObject@4 ; ObDereferenceObject(x)
		mov	ebx, 0C000000Dh
		jmp	loc_8198E5
; 

loc_91EF19:				; CODE XREF: ObOpenObjectByNameEx+2F3j
		mov	eax, [edi+24h]
		test	eax, eax
		jz	loc_819CD5
		mov	eax, [eax+294h]
		add	eax, 98h
		lock dec dword ptr [eax]
		mov	eax, [edi+24h]
		cmp	eax, _SepTokenLeakToken
		jnz	loc_819CD5
		int	3		; Trap to Debugger
		jmp	loc_819CD5
; 

loc_91EF47:				; CODE XREF: ObOpenObjectByNameEx+6D0j
		mov	eax, [eax+294h]
		add	eax, 98h
		lock dec dword ptr [eax]
		mov	eax, [edi+1Ch]
		cmp	eax, _SepTokenLeakToken
		jnz	loc_819909
		int	3		; Trap to Debugger
		jmp	loc_819909
; 

loc_91EF6A:				; CODE XREF: ObOpenObjectByNameEx+66j
					; ObOpenObjectByNameEx+70j
		mov	eax, 0C000000Dh
		jmp	loc_8199AD
; END OF FUNCTION CHUNK	FOR ObOpenObjectByNameEx
; 

loc_91EF74:				; CODE XREF: PAGE:00819D8Cj
		mov	ecx, edx
		jmp	loc_819D92
; 

loc_91EF7B:				; CODE XREF: PAGE:00819D98j
					; PAGE:00819DC0j
		mov	eax, 0C000000Dh
		mov	[ebp-20h], eax
		mov	[ebp-3Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_91EFFD
; 

loc_91EF8F:				; CODE XREF: PAGE:00819E69j
		mov	eax, ecx
		jmp	loc_819E6F
; 

loc_91EF96:				; CODE XREF: PAGE:00819ECDj
		mov	dword ptr [edi+18h], 0
		jmp	short loc_91EFFD
; 

loc_91EF9F:				; CODE XREF: PAGE:00819EF0j
		mov	eax, 0C000000Dh
		mov	[ebp-20h], eax
		jmp	short loc_91EFFD
; 

loc_91EFA9:				; CODE XREF: PAGE:00819EB4j
		mov	eax, 0C00000A5h
		mov	[ebp-20h], eax
		jmp	short loc_91EFFD
; 

loc_91EFB3:				; CODE XREF: PAGE:00819E37j
		mov	eax, 0C0000033h
		mov	[ebp-20h], eax
		jmp	short loc_91EFFD
; 

loc_91EFBD:				; DATA XREF: .text:006A58ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		mov	eax, large fs:124h
		mov	[ebp-44h], eax
		mov	eax, [ebp-44h]
		mov	al, [eax+15Ah]
		mov	[ebp-1Ah], al
		mov	cl, [ebp-1Ah]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
; 

loc_91EFE7:				; DATA XREF: .text:006A58F0o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-48h]
		mov	[ebp-20h], eax
		mov	[ebp-3Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp+10h]

loc_91EFFD:				; CODE XREF: PAGE:00819E15j
					; PAGE:0091EF8Dj ...
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jz	loc_819E1D
		push	1
		movzx	eax, byte ptr [edi+8]
		push	eax
		push	ecx
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	dword ptr [edi+18h], 0
		mov	eax, [ebp-20h]
		jmp	loc_819E1D
; 

loc_91F024:				; CODE XREF: PAGE:00819F8Aj
		mov	edx, eax
		jmp	loc_819F90
; 

loc_91F02B:				; CODE XREF: PAGE:00819FBAj
					; PAGE:00819FC2j
		mov	byte ptr [edx],	0
		jmp	loc_819FC8
; 

loc_91F033:				; CODE XREF: PAGE:0081A001j
		mov	dword ptr [ebp-24h], 0

loc_91F03A:				; CODE XREF: PAGE:0081A06Aj
		mov	dword ptr [ebp-20h], 0C000009Ah
		jmp	loc_81A083
; 

loc_91F046:				; CODE XREF: PAGE:00819FE0j
					; PAGE:00819FECj
		mov	dword ptr [ebp-20h], 0C0000033h
		jmp	loc_81A083
; 

loc_91F052:				; DATA XREF: .text:006A590Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		mov	eax, large fs:124h
		mov	[ebp-34h], eax
		mov	eax, [ebp-34h]
		mov	al, [eax+15Ah]
		mov	[ebp-19h], al
		mov	cl, [ebp-19h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
; 

loc_91F07C:				; DATA XREF: .text:006A5910o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-38h]
		mov	[ebp-20h], eax
		mov	eax, [ebp-24h]
		test	eax, eax
		jz	loc_81A083
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_81A083
; 
; START	OF FUNCTION CHUNK FOR CmpIsSystemEntity

loc_91F09D:				; CODE XREF: CmpIsSystemEntity+3Cj
		lea	eax, [esp+20h+var_10]
		push	eax
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	bh, 1
		lea	edx, [esp+20h+var_10]
		jmp	loc_81A252
; 

loc_91F0BF:				; CODE XREF: CmpIsSystemEntity+7Ej
		lea	eax, [esp+20h+var_10]
		push	eax
		call	SeReleaseSubjectContext
		jmp	loc_81A294
; END OF FUNCTION CHUNK	FOR CmpIsSystemEntity
; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F0CE:				; CODE XREF: NtSetInformationThread+2A0j
					; DATA XREF: PAGE:0081BE98o
		xor	eax, eax
		jmp	loc_81B329
; 

loc_91F0D5:				; CODE XREF: NtSetInformationThread+F0j
					; NtSetInformationThread+F8j
		mov	byte ptr [edx],	0
		jmp	loc_81B34E
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F0DD	proc near		; DATA XREF: .text:006A592Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0ECh], eax
		mov	eax, 1
		retn
sub_91F0DD	endp


;  S U B	R O U T	I N E 


sub_91F0F0	proc near		; DATA XREF: .text:006A5930o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0ECh]
		jmp	loc_81B447
sub_91F0F0	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F105:				; CODE XREF: NtSetInformationThread+811j
		mov	eax, ds:dword_A949F4
		push	eax
		mov	eax, ds:_SeIncreaseBasePriorityPrivilege
		push	eax
		push	ebx
		mov	edx, 400h
		mov	ecx, edi
		call	_SeCheckPrivilegedObject@20 ; SeCheckPrivilegedObject(x,x,x,x,x)
		test	al, al
		jnz	loc_81BA67

loc_91F126:				; CODE XREF: NtSetInformationThread+B09j
					; NtSetInformationThread+104323j ...
		mov	eax, 0C0000061h
		jmp	loc_81B447
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F130	proc near		; DATA XREF: .text:006A5938o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-11Ch], eax
		mov	eax, 1
		retn
sub_91F130	endp


;  S U B	R O U T	I N E 


sub_91F143	proc near		; DATA XREF: .text:006A593Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-11Ch]
		jmp	loc_81B447
sub_91F143	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F158:				; CODE XREF: NtSetInformationThread+7DBj
		xor	ecx, ecx
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ecx, [ebp+var_34]
		mov	ecx, [ecx+80h]
		cmp	ecx, [eax+1F8h]
		jz	loc_81B5FA
		cmp	byte ptr [edx+1BBh], 4
		jz	loc_81B5FA
		mov	edi, 0C000000Dh
		jmp	loc_81B61B
; 

loc_91F18B:				; CODE XREF: NtSetInformationThread+492j
		cmp	byte ptr [edx+1BBh], 4
		jz	loc_81B60B
		mov	eax, [ebp+var_5C]
		test	eax, eax
		jle	loc_81B60E
		mov	esi, [ebp+var_2C]
		jmp	loc_81B618
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F1AB	proc near		; DATA XREF: .text:006A5944o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-120h], eax
		mov	eax, 1
		retn
sub_91F1AB	endp


;  S U B	R O U T	I N E 


sub_91F1BE	proc near		; DATA XREF: .text:006A5948o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-120h]
		jmp	loc_81B447
sub_91F1BE	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F1D3:				; CODE XREF: NtSetInformationThread+987j
		mov	ebx, 0C0000061h
		jmp	loc_81B6C2
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F1DD	proc near		; DATA XREF: .text:006A5950o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-124h], eax
		mov	eax, 1
		retn
sub_91F1DD	endp


;  S U B	R O U T	I N E 


sub_91F1F0	proc near		; DATA XREF: .text:006A5954o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-124h]
		jmp	loc_81B447
sub_91F1F0	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F205:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BEDCo
		cmp	ebx, 1
		jnz	loc_81BDAB
		mov	[ebp+var_4], 4
		mov	bl, [esi]
		mov	[ebp+var_55], bl
		mov	[ebp+var_4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	20h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		mov	ecx, [ebp+var_2C]
		lea	eax, [ecx+5Ch]
		test	bl, bl
		jz	short loc_91F256
		lock bts dword ptr [eax], 2
		jmp	short loc_91F25B
; 

loc_91F256:				; CODE XREF: NtSetInformationThread+103FFDj
		lock btr dword ptr [eax], 2

loc_91F25B:				; CODE XREF: NtSetInformationThread+104004j
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_81B447
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F26C	proc near		; DATA XREF: .text:006A595Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-128h], eax
		mov	eax, 1
		retn
sub_91F26C	endp


;  S U B	R O U T	I N E 


sub_91F27F	proc near		; DATA XREF: .text:006A5960o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-128h]
		jmp	loc_81B447
sub_91F27F	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F294:				; CODE XREF: NtSetInformationThread+8C9j
		mov	esi, 0C000000Dh
		jmp	loc_81BB21
; 

loc_91F29E:				; CODE XREF: NtSetInformationThread+8BAj
		mov	esi, 0C000010Ah
		jmp	loc_81BB2C
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F2A8	proc near		; DATA XREF: .text:006A5968o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-12Ch], eax
		mov	eax, 1
		retn
sub_91F2A8	endp


;  S U B	R O U T	I N E 


sub_91F2BB	proc near		; DATA XREF: .text:006A596Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-12Ch]
		jmp	loc_81B447
sub_91F2BB	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F2D0:				; CODE XREF: NtSetInformationThread+A93j
		movzx	eax, word ptr [ebp+var_24]
		mov	ecx, [esi+eax*4+164h]
		test	ecx, ecx
		jz	short loc_91F2EB
		and	ecx, [ebp+var_28]
		cmp	ecx, [ebp+var_28]
		jz	loc_81BCE9

loc_91F2EB:				; CODE XREF: NtSetInformationThread+10408Dj
		mov	[ebp+var_4C], 0C0000001h
		mov	edi, [ebp+var_2C]
		jmp	loc_81BCFD
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F2FA	proc near		; DATA XREF: .text:006A5974o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-130h], eax
		mov	eax, 1
		retn
sub_91F2FA	endp


;  S U B	R O U T	I N E 


sub_91F30D	proc near		; DATA XREF: .text:006A5978o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-130h]
		jmp	loc_81B447
sub_91F30D	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F322:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BEE8o
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 8
		mov	esi, [esi]
		mov	[ebp+var_60], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	esi, 20h
		ja	loc_91FE0B
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	20h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		push	esi
		mov	esi, [ebp+var_2C]
		push	esi
		call	_KeSetIdealProcessorThread@8 ; KeSetIdealProcessorThread(x,x)
		movzx	edi, al
		test	dword ptr [esi+58h], 400h
		jnz	short loc_91F38B
		mov	edx, esi
		mov	ecx, [ebp+var_34]
		call	PspWriteTebIdealProcessor

loc_91F38B:				; CODE XREF: NtSetInformationThread+10412Fj
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_81B447
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F39E	proc near		; DATA XREF: .text:006A598Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0ACh], eax
		mov	eax, 1
		retn
sub_91F39E	endp


;  S U B	R O U T	I N E 


sub_91F3B1	proc near		; DATA XREF: .text:006A5990o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0ACh]
		jmp	loc_81B447
sub_91F3B1	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F3C6:				; CODE XREF: NtSetInformationThread+939j
		xor	edx, edx
		jmp	loc_81BB92
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F3CD	proc near		; DATA XREF: .text:006A5998o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B0h], eax
		mov	eax, 1
		retn
sub_91F3CD	endp


;  S U B	R O U T	I N E 


sub_91F3E0	proc near		; DATA XREF: .text:006A599Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0B0h]
		jmp	loc_81B447
sub_91F3E0	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F3F5:				; CODE XREF: NtSetInformationThread+7B0j
		mov	eax, ecx
		jmp	loc_81BA06
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F3FC	proc near		; DATA XREF: .text:006A59B0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B4h], eax
		mov	eax, 1
		retn
sub_91F3FC	endp


;  S U B	R O U T	I N E 


sub_91F40F	proc near		; DATA XREF: .text:006A59B4o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-0B4h]
		mov	[ebp-30h], eax
		mov	[ebp-3Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-2Ch]
		mov	edi, [ebp-34h]
		mov	ebx, [ebp-7Ch]
		jmp	loc_81B79D
sub_91F40F	endp

; 

loc_91F433:				; DATA XREF: .text:006A59A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B8h], eax
		mov	eax, 1
		retn
; 

loc_91F446:				; DATA XREF: .text:006A59A8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0B8h]
		jmp	loc_81B447
; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F45B:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BEF4o
		test	ebx, ebx
		jnz	loc_81BDAB
		push	ebx
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	20h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_81B447
		mov	edx, 4
		mov	ecx, [ebp+var_2C]
		lea	eax, [ecx+2FCh]
		lock or	[eax], edx
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_81B447
; 

loc_91F4AA:				; CODE XREF: NtSetInformationThread+B3Cj
		mov	edx, 0FFFFFFDFh
		lock and [eax],	edx
		jmp	loc_81BD9A
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F4B7	proc near		; DATA XREF: .text:006A59BCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0BCh], eax
		mov	eax, 1
		retn
sub_91F4B7	endp


;  S U B	R O U T	I N E 


sub_91F4CA	proc near		; DATA XREF: .text:006A59C0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0BCh]
		jmp	loc_81B447
sub_91F4CA	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F4DF:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BEFCo
		cmp	edi, 0FFFFFFFEh
		jnz	loc_91FE0B

loc_91F4E8:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BEF0o
		mov	eax, 0C0000002h
		jmp	loc_81B447
; 

loc_91F4F2:				; CODE XREF: NtSetInformationThread+565j
		cmp	ebx, 8
		jnz	loc_81BDAB
		cmp	ebx, 4
		jz	loc_81B7BB
		mov	[ebp+var_4], 0Eh
		mov	eax, [esi]
		mov	[ebp+var_A0], eax
		mov	ebx, [esi+4]
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [ebp+var_A0]
		jmp	loc_81B7D3
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F52E	proc near		; DATA XREF: .text:006A59C8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C0h], eax
		mov	eax, 1
		retn
sub_91F52E	endp


;  S U B	R O U T	I N E 


sub_91F541	proc near		; DATA XREF: .text:006A59CCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0C0h]
		jmp	loc_81B447
sub_91F541	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F556:				; CODE XREF: NtSetInformationThread+58Fj
		mov	eax, ds:dword_A949F4
		push	eax
		mov	eax, ds:_SeIncreaseBasePriorityPrivilege
		push	eax
		push	[ebp+var_30]
		mov	edx, 20h
		mov	ecx, edi
		call	_SeCheckPrivilegedObject@20 ; SeCheckPrivilegedObject(x,x,x,x,x)
		test	al, al
		jz	loc_91F126
		jmp	loc_81B7E5
; 

loc_91F57E:				; CODE XREF: NtSetInformationThread+5BFj
		mov	eax, [edi+2FCh]
		shr	eax, 9
		and	eax, 7
		cmp	eax, esi
		jge	loc_81B815
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	IoBoostThreadIoPriority
		jmp	loc_81B815
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F5A2	proc near		; DATA XREF: .text:006A59D4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C4h], eax
		mov	eax, 1
		retn
sub_91F5A2	endp


;  S U B	R O U T	I N E 


sub_91F5B5	proc near		; DATA XREF: .text:006A59D8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0C4h]
		jmp	loc_81B447
sub_91F5B5	endp


;  S U B	R O U T	I N E 


sub_91F5CA	proc near		; DATA XREF: .text:006A59E0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C8h], eax
		mov	eax, 1
		retn
sub_91F5CA	endp


;  S U B	R O U T	I N E 


sub_91F5DD	proc near		; DATA XREF: .text:006A59E4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0C8h]
		jmp	loc_81B447
sub_91F5DD	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F5F2:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF14o
		cmp	ebx, 18h
		jnz	loc_81BDAB
		mov	[ebp+var_4], 10h
		mov	eax, [esi]
		mov	[ebp+var_78], eax
		mov	eax, [esi+4]
		mov	[ebp+var_74], eax
		mov	eax, [esi+8]
		mov	[ebp+var_70], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_6C], eax
		mov	ecx, [esi+10h]
		mov	[ebp+var_68], ecx
		mov	eax, [esi+14h]
		mov	[ebp+var_64], eax
		test	cl, 3
		jz	short loc_91F62F
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_91F62F:				; CODE XREF: NtSetInformationThread+1043D8j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_91F63B
		mov	byte ptr [eax],	0

loc_91F63B:				; CODE XREF: NtSetInformationThread+1043E6j
		mov	al, [ecx]
		mov	ecx, [ebp+var_68]
		mov	[ecx], al
		mov	al, [ecx+1BCh]
		mov	[ecx+1BCh], al
		mov	[ebp+var_4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	20h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		mov	eax, [ebp+var_2C]
		cmp	eax, large fs:124h
		mov	esi, [ebp+var_2C]
		jnz	short loc_91F6B1
		mov	ecx, esi
		cmp	[ebp+var_6C], 0
		jnz	short loc_91F69C
		mov	edx, [ebp+var_68]
		call	_KeDisableProfiling@8 ;	KeDisableProfiling(x,x)
		mov	edi, eax
		jmp	short loc_91F6B6
; 

loc_91F69C:				; CODE XREF: NtSetInformationThread+10443Ej
		push	[ebp+var_68]
		push	[ebp+var_74]
		push	[ebp+var_78]
		mov	edx, [ebp+var_70]
		call	_KeEnableProfiling@20 ;	KeEnableProfiling(x,x,x,x,x)
		mov	edi, eax
		jmp	short loc_91F6B6
; 

loc_91F6B1:				; CODE XREF: NtSetInformationThread+104436j
		mov	edi, 0C00000BBh

loc_91F6B6:				; CODE XREF: NtSetInformationThread+10444Aj
					; NtSetInformationThread+10445Fj
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_81B447
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F6C9	proc near		; DATA XREF: .text:006A59ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0CCh], eax
		mov	eax, 1
		retn
sub_91F6C9	endp


;  S U B	R O U T	I N E 


sub_91F6DC	proc near		; DATA XREF: .text:006A59F0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0CCh]
		jmp	loc_81B447
sub_91F6DC	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F6F1:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF18o
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 11h
		mov	eax, [esi]
		mov	[ebp+var_4C], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	20h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		lea	eax, [ebp+var_4C]
		push	eax
		mov	edx, eax
		mov	edi, [ebp+var_2C]
		mov	ecx, edi
		call	_KeSetIdealProcessorThreadByNumber@12 ;	KeSetIdealProcessorThreadByNumber(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_91F795
		test	dword ptr [edi+58h], 400h
		jnz	short loc_91F75A
		mov	edx, edi
		mov	ecx, [ebp+var_34]
		call	PspWriteTebIdealProcessor

loc_91F75A:				; CODE XREF: NtSetInformationThread+1044FEj
		mov	[ebp+var_4], 12h
		mov	eax, [ebp+var_4C]
		mov	[esi], eax
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_91F795
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F76F	proc near		; DATA XREF: .text:006A5A04o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D0h], eax
		mov	eax, 1
		retn
sub_91F76F	endp


;  S U B	R O U T	I N E 


sub_91F782	proc near		; DATA XREF: .text:006A5A08o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-0D0h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-2Ch]
sub_91F782	endp

; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F795:				; CODE XREF: NtSetInformationThread+1044F5j
					; NtSetInformationThread+10451Dj
		mov	edx, 79517350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, ebx
		jmp	loc_81B447
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F7A8	proc near		; DATA XREF: .text:006A59F8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D4h], eax
		mov	eax, 1
		retn
sub_91F7A8	endp


;  S U B	R O U T	I N E 


sub_91F7BB	proc near		; DATA XREF: .text:006A59FCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0D4h]
		jmp	loc_81B447
sub_91F7BB	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F7D0:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF0Co
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	10h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		mov	edx, 79517350h
		mov	ecx, [ebp+var_2C]
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C0000002h
		jmp	loc_81B447
; 

loc_91F80B:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF1Co
		cmp	edi, 0FFFFFFFEh
		jnz	loc_91FE0B
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 13h
		mov	ecx, [esi]
		mov	[ebp+var_13C], ecx
		mov	[ebp+var_4], edi
		test	ecx, ecx
		jz	short loc_91F8A8
		push	0
		lea	eax, [ebp+var_80]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_MmSessionObjectType
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		mov	esi, [ebp+var_80]
		mov	edx, [esi+14h]
		test	edx, edx
		jnz	short loc_91F877
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C0000455h
		jmp	loc_81B447
; 

loc_91F877:				; CODE XREF: NtSetInformationThread+10460Fj
		mov	ebx, [ebp+var_34]
		mov	ecx, ebx
		call	KeSetThreadChargeOnlySchedulingGroup
		test	al, al
		jnz	short loc_91F89B
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C0000456h
		jmp	loc_81B447
; 

loc_91F89B:				; CODE XREF: NtSetInformationThread+104633j
		mov	[ebx+290h], esi
		xor	eax, eax
		jmp	loc_81B447
; 

loc_91F8A8:				; CODE XREF: NtSetInformationThread+1045E1j
		xor	edx, edx
		mov	ebx, [ebp+var_34]
		mov	ecx, ebx
		call	KeSetThreadChargeOnlySchedulingGroup
		test	al, al
		jnz	short loc_91F8C2
		mov	eax, 0C0000457h
		jmp	loc_81B447
; 

loc_91F8C2:				; CODE XREF: NtSetInformationThread+104666j
		mov	ecx, [ebx+290h]
		call	ObfDereferenceObject
		mov	dword ptr [ebx+290h], 0
		xor	eax, eax
		jmp	loc_81B447
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F8DE	proc near		; DATA XREF: .text:006A5A10o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D8h], eax
		mov	eax, 1
		retn
sub_91F8DE	endp


;  S U B	R O U T	I N E 


sub_91F8F1	proc near		; DATA XREF: .text:006A5A14o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0D8h]
		jmp	loc_81B447
sub_91F8F1	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F906:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF20o
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 14h
		mov	esi, [ebx]
		mov	[ebp+var_140], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		cmp	esi, 8
		ja	loc_91FE0B
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	400h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_81B627
		mov	edx, esi
		mov	ecx, [ebp+var_2C]
		call	_KeSetUserHeteroCpuPolicyThread@8 ; KeSetUserHeteroCpuPolicyThread(x,x)
		mov	edx, 79517350h
		mov	ecx, [ebp+var_2C]
		call	ObfDereferenceObjectWithTag
		mov	eax, edi
		jmp	loc_81B447
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91F975	proc near		; DATA XREF: .text:006A5A1Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0DCh], eax
		mov	eax, 1
		retn
sub_91F975	endp


;  S U B	R O U T	I N E 


sub_91F988	proc near		; DATA XREF: .text:006A5A20o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0DCh]
		jmp	loc_81B447
sub_91F988	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91F99D:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF28o
		test	bl, 7
		jnz	loc_81BDAB
		cmp	ebx, 8
		ja	loc_81BDAB
		mov	[ebp+var_4], 15h
		push	ebx		; size_t
		push	esi		; void *
		lea	eax, [ebp+var_16C]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	400h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		lea	eax, [ebp+var_16C]
		push	eax
		shr	ebx, 3
		push	ebx
		mov	edi, [ebp+var_2C]
		push	edi
		call	_KeSetSelectedCpuSetsThread@12 ; KeSetSelectedCpuSetsThread(x,x,x)
		jmp	loc_81B4BA
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91FA0E	proc near		; DATA XREF: .text:006A5A28o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E4h], eax
		mov	eax, large fs:124h
		mov	[ebp-0E0h], eax
		mov	eax, [ebp-0E0h]
		mov	al, [eax+15Ah]
		mov	[ebp-45h], al
		mov	cl, [ebp-45h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_91FA0E	endp


;  S U B	R O U T	I N E 


sub_91FA41	proc near		; DATA XREF: .text:006A5A2Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0E4h]
		jmp	loc_81B447
sub_91FA41	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91FA56:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF2Co
		cmp	edi, 0FFFFFFFEh
		jnz	loc_91FE0B
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 16h
		mov	eax, [esi]
		mov	[ebp+var_144], eax
		mov	[ebp+var_4], edi
		cmp	eax, 1
		jnz	short loc_91FAA8
		mov	ecx, [ebp+var_34]
		mov	eax, [ecx+150h]
		test	dword ptr [eax+490h], 200h
		jz	loc_91FC15
		mov	edx, 40000h
		lea	eax, [ecx+2FCh]
		lock or	[eax], edx
		jmp	short loc_91FAC0
; 

loc_91FAA8:				; CODE XREF: NtSetInformationThread+10482Dj
		test	eax, eax
		jnz	loc_91FE0B
		mov	ecx, 0FFFBFFFFh
		mov	eax, [ebp+var_34]
		add	eax, 2FCh
		lock and [eax],	ecx

loc_91FAC0:				; CODE XREF: NtSetInformationThread+104856j
		xor	eax, eax
		jmp	loc_81B447
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91FAC7	proc near		; DATA XREF: .text:006A5A34o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E8h], eax
		mov	eax, 1
		retn
sub_91FAC7	endp


;  S U B	R O U T	I N E 


sub_91FADA	proc near		; DATA XREF: .text:006A5A38o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0E8h]
		jmp	loc_81B447
sub_91FADA	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91FAEF:				; CODE XREF: NtSetInformationThread+60Bj
		mov	edi, 0C0000004h
		jmp	loc_91FB8A
; 

loc_91FAF9:				; CODE XREF: NtSetInformationThread+66Dj
		mov	esi, eax
		jmp	loc_81B8C3
; 

loc_91FB00:				; CODE XREF: NtSetInformationThread+6B8j
					; NtSetInformationThread+6C0j
		mov	byte ptr [esi],	0
		jmp	loc_81B916
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91FB08	proc near		; DATA XREF: .text:006A5A4Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0F0h], eax
		mov	eax, 1
		retn
sub_91FB08	endp


;  S U B	R O U T	I N E 


sub_91FB1B	proc near		; DATA XREF: .text:006A5A50o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-0F0h]
		mov	[ebp-3Ch], edi
		mov	dword ptr [ebp-4], 17h
		jmp	short loc_91FB8D
sub_91FB1B	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91FB30:				; CODE XREF: NtSetInformationThread+70Aj
		mov	edi, 0C000009Ah
		mov	[ebp+var_3C], edi
		jmp	loc_81B9BD
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91FB3D	proc near		; DATA XREF: .text:006A5A58o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0F8h], eax
		mov	eax, large fs:124h
		mov	[ebp-0F4h], eax
		mov	eax, [ebp-0F4h]
		mov	al, [eax+15Ah]
		mov	[ebp-46h], al
		mov	cl, [ebp-46h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_91FB3D	endp


;  S U B	R O U T	I N E 


sub_91FB70	proc near		; DATA XREF: .text:006A5A5Co
		mov	esp, [ebp-18h]
		mov	edi, [ebp-0F8h]
		mov	[ebp-3Ch], edi
		mov	dword ptr [ebp-4], 17h
		jmp	short loc_91FB8D
sub_91FB70	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91FB85:				; CODE XREF: NtSetInformationThread+6D6j
					; NtSetInformationThread+6E4j
		mov	edi, 0C000000Dh

loc_91FB8A:				; CODE XREF: NtSetInformationThread+1048A4j
		mov	[ebp+var_3C], edi

loc_91FB8D:				; CODE XREF: NtSetInformationThread+637j
					; sub_91FB1B+13j ...
		mov	ebx, [ebp+var_44]
		jmp	loc_81B9BD
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91FB95	proc near		; DATA XREF: .text:006A5A44o
		mov	edi, [ebp-3Ch]
		mov	ebx, [ebp-44h]
		jmp	sub_81BE47
sub_91FB95	endp

; 
; START	OF FUNCTION CHUNK FOR sub_81BE47

loc_91FBA0:				; CODE XREF: sub_81BE47+3Bj
		push	6D4E6854h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	locret_81BE88
; END OF FUNCTION CHUNK	FOR sub_81BE47
; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91FBB0:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF30o
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 1Ah
		mov	ebx, [esi]
		mov	[ebp+var_148], ebx
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [ebp+var_30]
		test	dl, dl
		jz	short loc_91FC1F
		push	esi
		mov	eax, ds:dword_A94A14
		push	eax
		mov	eax, ds:_SeDebugPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_91F126
		mov	byte ptr [ebp+var_54], 51h
		mov	eax, [ebp+var_34]
		mov	eax, [eax+150h]
		mov	al, [eax+3A6h]
		mov	byte ptr [ebp+var_60], al
		push	[ebp+var_54]
		push	[ebp+var_60]
		call	_RtlTestProtectedAccess@8 ; RtlTestProtectedAccess(x,x)
		test	al, al
		jnz	short loc_91FC1F

loc_91FC15:				; CODE XREF: NtSetInformationThread+9A8j
					; NtSetInformationThread+9B0j ...
		mov	eax, 0C0000022h
		jmp	loc_81B447
; 

loc_91FC1F:				; CODE XREF: NtSetInformationThread+104984j
					; NtSetInformationThread+1049C3j
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	esi
		mov	eax, ds:_PsThreadType
		push	eax
		push	20h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_81BB38
		mov	ecx, [ebp+var_2C]
		lea	eax, [ecx+2FCh]
		test	ebx, ebx
		jnz	short loc_91FC5D
		mov	edx, 0FFF7FFFFh
		lock and [eax],	edx
		jmp	loc_81B4BE
; 

loc_91FC5D:				; CODE XREF: NtSetInformationThread+1049FEj
		mov	edx, 80000h
		lock or	[eax], edx
		jmp	loc_81B4BE
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91FC6A	proc near		; DATA XREF: .text:006A5A64o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0FCh], eax
		mov	eax, 1
		retn
sub_91FC6A	endp


;  S U B	R O U T	I N E 


sub_91FC7D	proc near		; DATA XREF: .text:006A5A68o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0FCh]
		jmp	loc_81B447
sub_91FC7D	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91FC92:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF34o
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 1Ch
		mov	ebx, [esi]
		mov	[ebp+var_14C], ebx
		mov	[ebp+var_4], 0FFFFFFFEh
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		push	79517350h
		push	[ebp+var_30]
		mov	eax, ds:_PsThreadType
		push	eax
		push	20h
		push	edi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_81B447
		mov	ecx, [ebp+var_2C]
		lea	eax, [ecx+2FCh]
		test	ebx, ebx
		jnz	short loc_91FCF1
		mov	edx, 0FFDFFFFFh
		lock and [eax],	edx
		jmp	loc_81B4BE
; 

loc_91FCF1:				; CODE XREF: NtSetInformationThread+104A92j
		mov	edx, 200000h
		lock or	[eax], edx
		jmp	loc_81B4BE
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91FCFE	proc near		; DATA XREF: .text:006A5A7Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-100h], eax
		mov	eax, 1
		retn
sub_91FCFE	endp


;  S U B	R O U T	I N E 


sub_91FD11	proc near		; DATA XREF: .text:006A5A80o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-100h]
		jmp	loc_81B447
sub_91FD11	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91FD26:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF38o
		cmp	edi, 0FFFFFFFEh
		jnz	loc_91FE0B
		cmp	ebx, 4
		jnz	loc_81BDAB
		mov	[ebp+var_4], 1Dh
		mov	eax, [esi]
		mov	[ebp+var_104], eax
		mov	[ebp+var_4], edi
		xor	edx, edx
		test	eax, eax
		jnz	short loc_91FD7E
		mov	ecx, large fs:124h
		call	PsIsThreadAttachedToSpecificSilo
		test	al, al
		jz	loc_91FE0B
		push	0FFFFFFFDh
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	edx, 6D497350h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		jmp	loc_81B447
; 

loc_91FD7E:				; CODE XREF: NtSetInformationThread+104AFEj
		mov	esi, large fs:124h
		mov	ecx, esi
		call	PsIsThreadAttachedToSpecificSilo
		test	al, al
		jnz	short loc_91FE0B
		push	0
		lea	eax, [ebp+var_50]
		push	eax
		push	6D497350h
		push	[ebp+var_30]
		mov	eax, ds:_PsJobType
		push	eax
		push	20h
		push	[ebp+var_104]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_81B447
		mov	edi, [ebp+var_50]
		test	byte ptr [edi+314h], 2
		jz	short loc_91FDFF
		push	esi
		call	_IoThreadToProcess@4 ; IoThreadToProcess(x)
		mov	ebx, eax
		push	ebx
		call	_PsGetProcessSilo@4 ; PsGetProcessSilo(x)
		mov	edx, eax
		mov	ecx, edi
		call	PspIsSiloInSilo
		test	al, al
		jz	short loc_91FDFF
		push	edi
		call	_PsGetEffectiveServerSilo@4 ; PsGetEffectiveServerSilo(x)
		mov	esi, eax
		push	ebx
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		cmp	eax, esi
		jnz	short loc_91FDFF
		push	edi
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		xor	eax, eax
		jmp	loc_81B447
; 

loc_91FDFF:				; CODE XREF: NtSetInformationThread+104B73j
					; NtSetInformationThread+104B8Ej ...
		mov	edx, 6D497350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_91FE0B:				; CODE XREF: NtSetInformationThread+114j
					; NtSetInformationThread+2C7j ...
		mov	eax, 0C000000Dh
		jmp	loc_81B447
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91FE15	proc near		; DATA XREF: .text:006A5A88o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-108h], eax
		mov	eax, 1
		retn
sub_91FE15	endp


;  S U B	R O U T	I N E 


sub_91FE28	proc near		; DATA XREF: .text:006A5A8Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-108h]
		jmp	loc_81B447
sub_91FE28	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91FE3D:				; CODE XREF: NtSetInformationThread+2C7j
					; DATA XREF: PAGE:0081BF3Co
		mov	eax, 0C00000BBh
		jmp	loc_81B447
; 

loc_91FE47:				; CODE XREF: NtSetInformationThread+BADj
		mov	esi, 3
		jmp	loc_81BE06
; 

loc_91FE51:				; CODE XREF: NtSetInformationThread+BA4j
		xor	esi, esi
		jmp	loc_81BE06
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91FE58	proc near		; DATA XREF: .text:006A5A94o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-10Ch], eax
		mov	eax, 1
		retn
sub_91FE58	endp


;  S U B	R O U T	I N E 


sub_91FE6B	proc near		; DATA XREF: .text:006A5A98o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-10Ch]
		jmp	loc_81B447
sub_91FE6B	endp


;  S U B	R O U T	I N E 


sub_91FE80	proc near		; DATA XREF: .text:006A5AA0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-110h], eax
		mov	eax, 1
		retn
sub_91FE80	endp


;  S U B	R O U T	I N E 


sub_91FE93	proc near		; DATA XREF: .text:006A5AA4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-110h]
		jmp	loc_81B447
sub_91FE93	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetInformationThread

loc_91FEA8:				; CODE XREF: NtSetInformationThread+2BAj
					; NtSetInformationThread+2C7j
					; DATA XREF: ...
		mov	eax, 0C0000003h
		jmp	loc_81B447
; END OF FUNCTION CHUNK	FOR NtSetInformationThread

;  S U B	R O U T	I N E 


sub_91FEB2	proc near		; DATA XREF: .text:006A5980o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-114h], eax
		mov	eax, 1
		retn
sub_91FEB2	endp


;  S U B	R O U T	I N E 


sub_91FEC5	proc near		; DATA XREF: .text:006A5984o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-114h]
		jmp	loc_81B447
sub_91FEC5	endp


;  S U B	R O U T	I N E 


sub_91FEDA	proc near		; DATA XREF: .text:006A5A70o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-118h], eax
		mov	eax, 1
		retn
sub_91FEDA	endp


;  S U B	R O U T	I N E 


sub_91FEED	proc near		; DATA XREF: .text:006A5A74o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-118h]
		jmp	loc_81B447
sub_91FEED	endp

; 
; START	OF FUNCTION CHUNK FOR IopValidateQueryInformationParameters

loc_91FF02:				; CODE XREF: IopValidateQueryInformationParameters+5Fj
		mov	eax, 0C0000004h
		jmp	loc_81C96D
; END OF FUNCTION CHUNK	FOR IopValidateQueryInformationParameters

;  S U B	R O U T	I N E 


sub_91FF0C	proc near		; DATA XREF: .text:006A5BA4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		mov	eax, 1
		retn
sub_91FF0C	endp


;  S U B	R O U T	I N E 


sub_91FF1C	proc near		; DATA XREF: .text:006A5BA8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_81C96D
sub_91FF1C	endp

; 
; START	OF FUNCTION CHUNK FOR IopValidateQueryInformationParameters

loc_91FF2E:				; CODE XREF: IopValidateQueryInformationParameters+43j
					; IopValidateQueryInformationParameters+51j
		mov	eax, 0C0000003h
		jmp	loc_81C96D
; END OF FUNCTION CHUNK	FOR IopValidateQueryInformationParameters
; 
; START	OF FUNCTION CHUNK FOR CmpCreateKeyBody

loc_91FF38:				; CODE XREF: CmpCreateKeyBody+34j
		push	0
		push	0
		push	ebx
		push	24h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91FF46:				; CODE XREF: CmpCreateKeyBody+3Dj
		push	0
		push	0
		push	0
		push	15h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_91FF55:				; CODE XREF: CmpCreateKeyBody+312j
		mov	ecx, [ebp+arg_0]
		mov	edx, 20300h
		push	edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)

loc_91FF63:				; CODE XREF: CmpCreateKeyBody+219j
		mov	ecx, ebx
		call	CmpDereferenceKeyControlBlockUnsafe
		jmp	loc_81DCEF
; 

loc_91FF6F:				; CODE XREF: CmpCreateKeyBody+2F6j
		add	eax, 2Ch
		mov	[esp+40h+var_14], eax
		jmp	loc_81DB23
; 

loc_91FF7B:				; CODE XREF: CmpCreateKeyBody+2D5j
		mov	edi, 0C000009Ah
		jmp	loc_920093
; 

loc_91FF85:				; CODE XREF: CmpCreateKeyBody+C3j
		mov	eax, large fs:20h
		mov	edx, [eax+5C0h]
		mov	[esp+50h+var_2C], edx
		mov	cx, [edx+4]
		inc	dword ptr [edx+14h]
		cmp	cx, [edx+8]
		jb	short loc_91FFCA
		inc	dword ptr [edx+18h]
		mov	edx, [eax+5C4h]
		mov	[esp+50h+var_2C], edx
		mov	ax, [edx+4]
		inc	dword ptr [edx+14h]
		cmp	ax, [edx+8]
		jb	short loc_91FFCA
		mov	eax, [edx+2Ch]
		inc	dword ptr [edx+18h]
		push	edi
		call	eax
		jmp	loc_81DBF6
; 

loc_91FFCA:				; CODE XREF: CmpCreateKeyBody+1024D0j
					; CmpCreateKeyBody+1024EAj
		mov	ecx, [esp+50h+var_2C]
		mov	edx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		jmp	loc_81DBF6
; 

loc_91FFDA:				; CODE XREF: CmpCreateKeyBody+D2j
		mov	ebx, 0C000000Dh
		jmp	short loc_920003
; 

loc_91FFE1:				; CODE XREF: CmpCreateKeyBody+DAj
		push	[esp+50h+var_30]
		mov	eax, ds:dword_A94A34
		push	eax
		mov	eax, ds:_SeCreatePermanentPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	loc_81DBB0
		mov	ebx, 0C0000061h

loc_920003:				; CODE XREF: CmpCreateKeyBody+10Dj
					; CmpCreateKeyBody+10250Fj
		cmp	[esp+50h+var_14], esi
		jz	short loc_920012
		lea	ecx, [esp+50h+var_18]
		call	ObpFreeObjectNameBuffer

loc_920012:				; CODE XREF: CmpCreateKeyBody+102537j
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jz	short loc_920029
		movzx	eax, byte ptr [edi+8]
		push	1
		push	eax
		push	ecx
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	[edi+18h], esi

loc_920029:				; CODE XREF: CmpCreateKeyBody+102547j
		mov	edx, large fs:20h
		mov	ecx, [edx+5C0h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_920067
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5C4h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_920067
		mov	eax, [ecx+2Ch]
		inc	dword ptr [ecx+18h]
		push	edi
		call	eax
		jmp	loc_81DBF6
; 

loc_920067:				; CODE XREF: CmpCreateKeyBody+102571j
					; CmpCreateKeyBody+102587j
		mov	edx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		jmp	loc_81DBF6
; 

loc_920073:				; CODE XREF: CmpCreateKeyBody+11Dj
		mov	ecx, esi
		call	_ObpRegisterObject@4 ; ObpRegisterObject(x)
		push	746C6644h
		push	1
		mov	dl, 1
		mov	ecx, esi
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		jmp	loc_81DBF3
; 

loc_92008F:				; CODE XREF: CmpCreateKeyBody+12Aj
		mov	ebx, [esp+50h+var_38]

loc_920093:				; CODE XREF: CmpCreateKeyBody+1024B0j
		mov	ecx, [ebp+arg_0]
		mov	edx, 20400h
		push	edi
		call	_CmpRecordParseFailure@12 ; CmpRecordParseFailure(x,x,x)
		jmp	loc_81DCD8
; 

loc_9200A6:				; CODE XREF: CmpCreateKeyBody+287j
		mov	ebx, [esp+50h+var_38]
		mov	edi, 0C000017Ch
		jmp	loc_81DCD8
; 

loc_9200B4:				; CODE XREF: CmpCreateKeyBody+1DAj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9200BB:				; CODE XREF: CmpCreateKeyBody+20Ej
		and	eax, 0FFFFFFFEh
		mov	ecx, eax
		call	ObfDereferenceObject
		jmp	loc_81DCE4
; END OF FUNCTION CHUNK	FOR CmpCreateKeyBody
; 
; START	OF FUNCTION CHUNK FOR RtlpNewSecurityObject

loc_9200CA:				; CODE XREF: RtlpNewSecurityObject+195j
		mov	dl, 1
		jmp	loc_81DF9D
; 

loc_9200D1:				; CODE XREF: RtlpNewSecurityObject+1A3j
		mov	[esp+1E8h+var_191], 1
		jmp	loc_81DFAD
; 

loc_9200DB:				; CODE XREF: RtlpNewSecurityObject+1AFj
		test	dl, dl
		jz	loc_81E21B
		jmp	loc_81DFB5
; 

loc_9200E8:				; CODE XREF: RtlpNewSecurityObject+221j
		mov	eax, _SepDefaultMandatorySid
		jmp	loc_81E029
; 

loc_9200F2:				; CODE XREF: RtlpNewSecurityObject+24Bj
		mov	dword ptr [esp+1E8h+var_1AC], 0
		jmp	loc_81E060
; 

loc_9200FF:				; CODE XREF: RtlpNewSecurityObject+262j
		mov	[esp+1E8h+var_174], 18h
		jmp	loc_81E077
; 

loc_92010C:				; CODE XREF: RtlpNewSecurityObject+279j
		xor	edx, edx
		jmp	loc_81E083
; 

loc_920113:				; CODE XREF: RtlpNewSecurityObject+34Dj
		xor	eax, eax
		mov	[esp+1E8h+var_1B3+3], eax
		jmp	loc_81E17F
; 

loc_92011E:				; CODE XREF: RtlpNewSecurityObject+3ADj
		mov	[esp+1E8h+var_165+1], 0
		jmp	loc_81E1DE
; 

loc_92012E:				; CODE XREF: RtlpNewSecurityObject+3E0j
		mov	[esp+1E8h+var_170], 0
		jmp	loc_81E1F5
; 

loc_92013B:				; CODE XREF: RtlpNewSecurityObject+43Dj
		mov	eax, [esp+1E8h+var_18C]
		test	eax, eax
		jnz	short loc_92014D
		mov	esi, 0C000005Ah
		jmp	loc_9207FE
; 

loc_92014D:				; CODE XREF: RtlpNewSecurityObject+102341j
		cmp	word ptr [eax+2], 0
		mov	ebx, [eax+4]
		jge	short loc_92015F
		add	eax, ebx
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax

loc_92015F:				; CODE XREF: RtlpNewSecurityObject+102355j
		mov	[esp+1E8h+var_1A8], ebx
		mov	byte ptr [esp+1E8h+var_1B3+1], 1
		test	ebx, ebx
		jnz	loc_81E260
		mov	esi, 0C000005Ah
		jmp	loc_9207FE
; 

loc_92017A:				; CODE XREF: RtlpNewSecurityObject+45Aj
		mov	esi, 0C000007Ch
		jmp	loc_9207FE
; 

loc_920184:				; CODE XREF: RtlpNewSecurityObject+478j
		mov	eax, [esp+1E8h+var_18C]
		test	eax, eax
		jnz	short loc_920196
		mov	esi, 0C000005Bh
		jmp	loc_9207FE
; 

loc_920196:				; CODE XREF: RtlpNewSecurityObject+10238Aj
		cmp	word ptr [eax+2], 0
		mov	ebx, [eax+8]
		jge	loc_81F399
		add	eax, ebx
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax
		mov	[esp+1E8h+var_19C], ebx
		jmp	loc_81E28E
; 

loc_9201B5:				; CODE XREF: RtlpNewSecurityObject+490j
		mov	esi, 0C000005Bh
		jmp	loc_9207FE
; 

loc_9201BF:				; CODE XREF: RtlpNewSecurityObject+4A2j
		mov	[esp+1E8h+var_1B8], 1
		jmp	loc_81E2AD
; 

loc_9201C9:				; CODE XREF: RtlpNewSecurityObject+4CCj
		mov	dword ptr [esp+1E8h+var_1AC], 8
		jmp	loc_81E2DA
; 

loc_9201D6:				; CODE XREF: RtlpNewSecurityObject+4EAj
		mov	edx, 1000h
		jmp	loc_81E2F2
; 

loc_9201E0:				; CODE XREF: RtlpNewSecurityObject+14D8j
		mov	eax, [esi+0Ch]
		mov	[esp+1E8h+var_1B3+3], eax
		jmp	loc_81E303
; 

loc_9201EC:				; CODE XREF: RtlpNewSecurityObject+127Ej
		mov	eax, dword ptr [esp+1E8h+var_1AC]
		inc	eax
		mov	dword ptr [esp+1E8h+var_1AC], eax
		cmp	eax, 2
		jnb	loc_81F084
		mov	eax, [esp+1E8h+var_188]
		jmp	loc_81EFF2
; 

loc_920207:				; CODE XREF: RtlpNewSecurityObject+15C1j
		push	0
		push	[esp+1ECh+var_1BC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esp+1E8h+var_1BC], 0
		jmp	loc_81F084
; 

loc_92021F:				; CODE XREF: RtlpNewSecurityObject+15D1j
		mov	ecx, 8030h
		jmp	loc_81F3DC
; 

loc_920229:				; CODE XREF: RtlpNewSecurityObject+15EBj
		mov	eax, 2000h
		jmp	loc_81F3F3
; 

loc_920233:				; CODE XREF: RtlpNewSecurityObject+562j
		test	cl, 10h
		jnz	short loc_920242
		mov	[esp+1E8h+var_1BC], 0
		jmp	short loc_920260
; 

loc_920242:				; CODE XREF: RtlpNewSecurityObject+102436j
		test	dx, dx
		jns	short loc_920259
		mov	edx, [edi+0Ch]
		lea	eax, [edx+edi]
		neg	edx
		sbb	edx, edx
		and	edx, eax
		mov	[esp+1E8h+var_1BC], edx
		jmp	short loc_920260
; 

loc_920259:				; CODE XREF: RtlpNewSecurityObject+102445j
		mov	eax, [edi+0Ch]
		mov	[esp+1E8h+var_1BC], eax

loc_920260:				; CODE XREF: RtlpNewSecurityObject+102440j
					; RtlpNewSecurityObject+102457j
		and	ecx, 2000h
		mov	byte ptr [esp+1E8h+var_1B3], 1
		or	ecx, ebx
		or	ecx, 10h
		mov	eax, ecx
		mov	[esp+1E8h+var_1C0], eax
		jmp	loc_81E368
; 

loc_92027B:				; CODE XREF: RtlpNewSecurityObject+56Dj
		mov	[esp+1E8h+var_1AC], 1
		jmp	loc_81E378
; 

loc_920285:				; CODE XREF: RtlpNewSecurityObject+58Fj
		mov	edx, 8
		jmp	loc_81E397
; 

loc_92028F:				; CODE XREF: RtlpNewSecurityObject+14F6j
		mov	eax, [edi+0Ch]
		mov	[esp+1E8h+var_188], eax
		jmp	loc_81E3B0
; 

loc_92029B:				; CODE XREF: RtlpNewSecurityObject+134Bj
		mov	eax, dword ptr [esp+1E8h+var_1B8]
		inc	eax
		mov	dword ptr [esp+1E8h+var_1B8], eax
		cmp	eax, 2
		jnb	loc_81F151
		mov	eax, [esp+1E8h+var_148]
		jmp	loc_81F0B5
; 

loc_9202B9:				; CODE XREF: RtlpNewSecurityObject+1612j
		mov	eax, [esp+1E8h+var_1D8]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[esp+1E8h+var_1D8], eax
		jmp	loc_81F151
; 

loc_9202D0:				; CODE XREF: RtlpNewSecurityObject+5EFj
		test	cl, 10h
		jnz	short loc_9202E2
		mov	[esp+1E8h+var_1D8], 0
		jmp	loc_81E3F5
; 

loc_9202E2:				; CODE XREF: RtlpNewSecurityObject+1024D3j
		test	dx, dx
		jns	short loc_9202FC
		mov	ecx, [ebx+0Ch]
		lea	eax, [ecx+ebx]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	[esp+1E8h+var_1D8], ecx
		jmp	loc_81E3F5
; 

loc_9202FC:				; CODE XREF: RtlpNewSecurityObject+1024E5j
		mov	eax, [ebx+0Ch]
		mov	[esp+1E8h+var_1D8], eax
		jmp	loc_81E3F5
; 

loc_920308:				; CODE XREF: RtlpNewSecurityObject+637j
		mov	[esp+1E8h+var_1B3+3], 0

loc_920310:				; CODE XREF: RtlpNewSecurityObject+10254Aj
		movzx	eax, word ptr [ebx+2]
		mov	ecx, eax
		test	al, 10h
		jnz	short loc_92031E
		xor	ecx, ecx
		jmp	short loc_92032F
; 

loc_92031E:				; CODE XREF: RtlpNewSecurityObject+102518j
		test	cx, cx
		mov	ecx, [ebx+0Ch]
		jns	short loc_92032F
		lea	eax, [ecx+ebx]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_92032F:				; CODE XREF: RtlpNewSecurityObject+10251Cj
					; RtlpNewSecurityObject+102524j
		lea	eax, [esp+1E8h+var_1B3+3]
		push	eax
		push	14h
		push	ecx
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		inc	[esp+1E8h+var_1B3+3]
		test	eax, eax
		jz	short loc_920384
		mov	cl, [eax+1]
		test	cl, 8
		jnz	short loc_920310
		mov	edi, [eax+4]
		lea	ebx, [eax+8]
		movzx	eax, cl
		mov	[esp+1E8h+var_144], eax
		mov	eax, [esp+1E8h+var_124]
		test	eax, eax
		jz	short loc_920374
		mov	eax, [eax+4]
		and	eax, edi
		cmp	eax, edi
		jnz	short loc_920374
		test	ebx, ebx
		jnz	short loc_9203BB

loc_920374:				; CODE XREF: RtlpNewSecurityObject+102565j
					; RtlpNewSecurityObject+10256Ej ...
		mov	esi, 0C000000Dh

loc_920379:				; CODE XREF: RtlpNewSecurityObject+6A8j
					; RtlpNewSecurityObject+8A7j ...
		mov	edi, [esp+1E8h+var_1D8]
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_920384:				; CODE XREF: RtlpNewSecurityObject+102542j
		mov	eax, [esp+1E8h+var_1D0]
		test	eax, eax
		jz	loc_81E43D
		mov	ecx, [esp+1E8h+var_124]
		test	ecx, ecx
		jnz	short loc_9203AB
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C000000Dh
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_9203AB:				; CODE XREF: RtlpNewSecurityObject+102599j
		mov	edi, [ecx+4]
		mov	ebx, eax
		mov	[esp+1E8h+var_144], 0

loc_9203BB:				; CODE XREF: RtlpNewSecurityObject+102572j
		push	2		; int
		push	58h		; size_t
		lea	eax, [esp+1F0h+var_60]
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_920379
		push	edi
		push	14h
		push	ebx
		push	[esp+1F4h+var_144]
		lea	eax, [esp+1F8h+var_60]
		push	2
		push	eax
		call	RtlAddProcessTrustLabelAce
		mov	esi, eax
		test	esi, esi
		js	short loc_920379
		mov	ebx, [esp+1E8h+var_1C4]
		lea	ecx, [esp+1E8h+var_178]
		mov	edi, [esp+1E8h+var_1D8]
		push	ecx
		lea	ecx, [esp+1ECh+var_130]
		movzx	eax, word ptr [ebx+2]
		push	ecx
		push	2
		push	[esp+1F4h+var_180]
		mov	edx, eax
		lea	ecx, [esp+1F8h+var_60]
		push	[esp+1F8h+var_19C]
		shr	edx, 1
		and	eax, 800h
		push	[esp+1FCh+var_1A8]
		and	edx, 18h
		push	4
		or	edx, eax
		push	ecx
		shr	edx, 1
		mov	ecx, edi
		call	_RtlpComputeMergedAcl@40 ; RtlpComputeMergedAcl(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_92044A
		mov	byte ptr [esp+1E8h+var_190+3], 1
		jmp	loc_81E448
; 

loc_92044A:				; CODE XREF: RtlpNewSecurityObject+10263Ej
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_920451:				; CODE XREF: RtlpNewSecurityObject+691j
		test	dword ptr [esi+4], 0FF000000h
		jnz	loc_920374
		test	byte ptr [esi+1], 40h
		jz	short loc_920491
		lea	eax, [esp+1E8h+var_15C]
		push	eax
		push	ecx
		mov	ecx, [esp+1F0h+var_1D0]
		lea	edx, [esi+8]
		call	_RtlpValidTrustSubjectContext@16 ; RtlpValidTrustSubjectContext(x,x,x,x)
		test	al, al
		jnz	loc_81E497

loc_920481:				; CODE XREF: RtlpNewSecurityObject+168Ej
					; RtlpNewSecurityObject+177Ej
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C0000022h
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_920491:				; CODE XREF: RtlpNewSecurityObject+102662j
		push	6		; size_t
		lea	eax, [esp+1ECh+var_104]
		push	eax		; void *
		lea	eax, [esi+0Ah]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_920374
		cmp	byte ptr [esi+9], 1
		jnz	short loc_9204BE
		cmp	[esi+10h], eax
		jz	loc_81E497

loc_9204BE:				; CODE XREF: RtlpNewSecurityObject+1026B3j
		mov	esi, 0C000000Dh
		jmp	loc_81E4A6
; 

loc_9204C8:				; CODE XREF: RtlpNewSecurityObject+F04j
					; RtlpNewSecurityObject+F13j
		xor	edi, edi
		xor	esi, esi
		xor	cl, cl
		mov	[esp+1E8h+var_128], edi
		mov	[esp+1E8h+var_17C], edi
		mov	[esp+1E8h+var_1D1], cl
		jmp	loc_81E4E1
; 

loc_9204E2:				; CODE XREF: RtlpNewSecurityObject+173Ej
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C0000446h
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_9204F2:				; CODE XREF: RtlpNewSecurityObject+6FEj
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C000007Ch
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_920502:				; CODE XREF: RtlpNewSecurityObject+7D8j
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C000000Dh
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_920512:				; CODE XREF: RtlpNewSecurityObject+7E4j
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C000000Dh
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_920522:				; CODE XREF: RtlpNewSecurityObject+7F0j
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C000000Dh
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_920532:				; CODE XREF: RtlpNewSecurityObject+807j
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C0000077h
		jmp	loc_81EB62
; 

loc_920540:				; CODE XREF: RtlpNewSecurityObject+829j
		movzx	eax, di
		lea	eax, [esp+eax+1E8h+var_E0]
		mov	[esp+1E8h+var_151+1], eax

loc_920551:				; CODE XREF: RtlpNewSecurityObject+102768j
		cmp	edx, eax
		jnb	short loc_92056F
		movzx	eax, word ptr [edx+2]
		inc	ebx
		add	edx, eax
		movzx	eax, cx
		cmp	ebx, eax
		mov	eax, [esp+1E8h+var_151+1]
		jb	short loc_920551
		jmp	loc_81E62F
; 

loc_92056F:				; CODE XREF: RtlpNewSecurityObject+102753j
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C0000077h
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_92057F:				; CODE XREF: RtlpNewSecurityObject+858j
					; RtlpNewSecurityObject+863j
		mov	esi, 0C0000099h
		jmp	loc_81E6A5
; 

loc_920589:				; CODE XREF: RtlpNewSecurityObject+F39j
		mov	edx, 8
		jmp	loc_81ED41
; 

loc_920593:				; CODE XREF: RtlpNewSecurityObject+F51j
		mov	ecx, 1000h
		jmp	loc_81ED59
; 

loc_92059D:				; CODE XREF: RtlpNewSecurityObject+1387j
		mov	eax, [esp+1E8h+var_15C]
		inc	eax
		mov	[esp+1E8h+var_15C], eax
		cmp	eax, 2
		jnb	loc_81E773
		mov	eax, dword ptr [esp+1E8h+var_1B8]
		mov	esi, [esp+1E8h+var_1D0]
		jmp	loc_81E6F8
; 

loc_9205C2:				; CODE XREF: RtlpNewSecurityObject+96Dj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx
		jmp	loc_81E773
; 

loc_9205D1:				; CODE XREF: RtlpNewSecurityObject+9BCj
		mov	eax, 40000000h
		jmp	loc_81E7C4
; 

loc_9205DB:				; CODE XREF: RtlpNewSecurityObject+A1Aj
		mov	edx, 30h
		jmp	loc_81E825
; 

loc_9205E5:				; CODE XREF: RtlpNewSecurityObject+A34j
		mov	ecx, 2000h
		jmp	loc_81E83C
; 

loc_9205EF:				; CODE XREF: RtlpNewSecurityObject+A79j
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C000007Ch
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_9205FF:				; CODE XREF: RtlpNewSecurityObject+AA4j
		mov	[esp+1E8h+var_192], 1
		jmp	loc_81E8AA
; 

loc_920609:				; CODE XREF: RtlpNewSecurityObject+AAFj
		mov	[esp+1E8h+var_184], 1
		jmp	loc_81E8BA
; 

loc_920613:				; CODE XREF: RtlpNewSecurityObject+11C5j
		mov	eax, [esp+1E8h+var_18C]
		mov	eax, [eax+10h]
		jmp	loc_81E8EC
; 

loc_92061F:				; CODE XREF: RtlpNewSecurityObject+1696j
		xor	eax, eax
		jmp	loc_81F4B2
; 

loc_920626:				; CODE XREF: RtlpNewSecurityObject+16AAj
		xor	eax, eax
		jmp	loc_81F4B2
; 

loc_92062D:				; CODE XREF: RtlpNewSecurityObject+1065j
		xor	edx, edx
		jmp	loc_81EE8A
; 

loc_920634:				; CODE XREF: RtlpNewSecurityObject+1080j
		xor	edx, edx
		jmp	loc_81EE8A
; 

loc_92063B:				; CODE XREF: RtlpNewSecurityObject+1075j
		mov	edx, [eax+10h]
		jmp	loc_81EE8A
; 

loc_920643:				; CODE XREF: RtlpNewSecurityObject+1394j
		or	edi, 1000h
		mov	[esp+1E8h+var_1C0], edi
		jmp	loc_81E95B
; 

loc_920652:				; CODE XREF: RtlpNewSecurityObject+16D7j
		mov	ecx, [esp+1E8h+var_198]
		test	ecx, ecx
		jnz	short loc_92066A
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C000007Ch
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_92066A:				; CODE XREF: RtlpNewSecurityObject+102858j
		mov	eax, ds:_SeSecurityPrivilege
		mov	[esp+1E8h+var_EC], eax
		mov	eax, ds:dword_A94A3C
		push	1
		mov	[esp+1ECh+var_E8], eax
		lea	eax, [esp+1ECh+var_F4]
		push	ecx
		push	eax
		mov	[esp+1F4h+var_F4], 1
		mov	[esp+1F4h+var_F0], 1
		mov	[esp+1F4h+var_E4], 0
		call	_SePrivilegeCheck@12 ; SePrivilegeCheck(x,x,x)
		mov	edx, [esp+1E8h+var_198]
		mov	bl, al
		mov	byte ptr [esp+1E8h+var_160], bl
		lea	eax, [esp+1E8h+var_F4]
		push	[esp+1E8h+var_160]
		xor	ecx, ecx
		push	eax
		call	_SePrivilegedServiceAuditAlarm@16 ; SePrivilegedServiceAuditAlarm(x,x,x,x)
		test	bl, bl
		jnz	short loc_9206EA
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C0000061h
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_9206EA:				; CODE XREF: RtlpNewSecurityObject+1028D8j
		mov	edx, [ebp+arg_10]
		mov	ebx, [esp+1E8h+var_1CC]
		jmp	loc_81E997
; 

loc_9206F6:				; CODE XREF: RtlpNewSecurityObject+B9Cj
		test	esi, esi
		mov	esi, [esp+1E8h+var_198]
		jnz	loc_81E9A6
		test	esi, esi
		jnz	short loc_920716
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C000007Ch
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_920716:				; CODE XREF: RtlpNewSecurityObject+102904j
		mov	eax, ds:_SeRelabelPrivilege
		mov	[esp+1E8h+var_EC], eax
		mov	eax, ds:dword_A94A4C
		push	1
		mov	[esp+1ECh+var_E8], eax
		lea	eax, [esp+1ECh+var_F4]
		push	esi
		push	eax
		mov	[esp+1F4h+var_F4], 1
		mov	[esp+1F4h+var_F0], 1
		mov	[esp+1F4h+var_E4], 0
		call	_SePrivilegeCheck@12 ; SePrivilegeCheck(x,x,x)
		mov	bl, al
		mov	edx, esi
		mov	byte ptr [esp+1E8h+var_160], bl
		lea	eax, [esp+1E8h+var_F4]
		push	[esp+1E8h+var_160]
		xor	ecx, ecx
		push	eax
		call	_SePrivilegedServiceAuditAlarm@16 ; SePrivilegedServiceAuditAlarm(x,x,x,x)
		test	bl, bl
		jnz	short loc_920794
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C0000061h
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_920794:				; CODE XREF: RtlpNewSecurityObject+102982j
		mov	edx, [ebp+arg_10]
		mov	ebx, [esp+1E8h+var_1CC]
		jmp	loc_81E9A6
; 

loc_9207A0:				; CODE XREF: RtlpNewSecurityObject+BD8j
		xor	esi, esi
		jmp	loc_81E9E9
; 

loc_9207A7:				; CODE XREF: RtlpNewSecurityObject+C59j
		mov	ebx, [esp+1E8h+var_1A4]
		mov	esi, 0C000009Ah
		mov	edi, [esp+1E8h+var_1D8]
		jmp	loc_81EB62
; 

loc_9207B9:				; CODE XREF: RtlpNewSecurityObject+CBFj
		mov	eax, ebx
		sub	eax, ecx
		push	eax		; size_t
		lea	eax, [ecx+esi]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_81EAC5
; 

loc_9207D1:				; CODE XREF: RtlpNewSecurityObject+D1Bj
		mov	eax, edi
		sub	eax, ecx
		push	eax		; size_t
		lea	eax, [ecx+esi]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_81EB21
; 

loc_9207E9:				; CODE XREF: RtlpNewSecurityObject+909j
					; RtlpNewSecurityObject+E33j ...
		mov	edi, [esp+1E8h+var_1D8]
		mov	esi, 0C0000017h
		xor	ebx, ebx
		jmp	loc_81EB62
; 

loc_9207F9:				; CODE XREF: RtlpNewSecurityObject+1205j
		mov	esi, 0C0000017h

loc_9207FE:				; CODE XREF: RtlpNewSecurityObject+102348j
					; RtlpNewSecurityObject+102375j ...
		xor	ebx, ebx
		xor	edi, edi
		jmp	loc_81EB62
; 

loc_920807:				; CODE XREF: RtlpNewSecurityObject+15B1j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_81EB7C
; 

loc_920814:				; CODE XREF: RtlpNewSecurityObject+165Ej
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_81EBC4
; 

loc_920821:				; CODE XREF: RtlpNewSecurityObject+2C6j
		push	[esp+1E8h+var_198]
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		mov	eax, 0C000009Ah
		jmp	loc_81EBDA
; END OF FUNCTION CHUNK	FOR RtlpNewSecurityObject
; 
; START	OF FUNCTION CHUNK FOR ObpRemoveObjectRoutine

loc_920834:				; CODE XREF: ObpRemoveObjectRoutine+37j
		push	0
		push	0
		push	ebx
		push	edi
		push	0F4h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_920845:				; CODE XREF: ObpFreeObject+15j
		lea	ecx, [esi-10h]
		mov	[ebp-4], ecx
		jmp	loc_81F972
; END OF FUNCTION CHUNK	FOR ObpRemoveObjectRoutine
; 
; START	OF FUNCTION CHUNK FOR ObpFreeObject

loc_920850:				; CODE XREF: ObpFreeObject+5Dj
		and	edx, 3Fh
		movzx	ecx, _ObpInfoMaskToOffset[edx]
		mov	edx, esi
		sub	edx, ecx
		mov	[ebp+var_10], edx
		jmp	loc_81F9BA
; 

loc_920866:				; CODE XREF: ObpFreeObject+ACj
		cmp	[eax], eax
		jz	loc_81FA02
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		lea	eax, [ecx+80h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_1C], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_4]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		cmp	[ecx+4], eax
		jnz	short loc_9208C2
		cmp	[edx], eax
		jnz	short loc_9208C2
		mov	[edx], ecx
		mov	[ecx+4], edx
		xor	edx, edx
		mov	ecx, [ebp+var_1C]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp+var_14]
		jmp	loc_81FA02
; 

loc_9208C2:				; CODE XREF: ObpFreeObject+100F49j
					; ObpFreeObject+100F4Dj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9208C9:				; CODE XREF: ObpFreeObject+112j
		xor	ebx, ebx
		lea	esi, [edi+40h]

loc_9208CE:				; CODE XREF: ObpFreeObject+100FDBj
		mov	al, ds:_PspResourceFlags[ebx*8]
		and	al, 3
		cmp	al, 1
		jnz	short loc_920924
		mov	eax, [esi+8]
		lea	edx, [esi+4]
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		test	eax, eax
		mov	eax, [edx]
		setnz	cl
		mov	[ebp+var_20], ecx
		mov	ecx, [esi]
		add	eax, ecx
		mov	eax, [ebp+var_4]
		jz	short loc_920910
		test	eax, eax
		jz	short loc_92090A
		xor	ecx, ecx
		xchg	ecx, [edx]
		xor	eax, eax
		xchg	eax, [esi]
		add	ecx, eax
		mov	eax, [ebp+var_4]

loc_92090A:				; CODE XREF: ObpFreeObject+100FABj
		test	ecx, ecx
		jz	short loc_920912
		jmp	short loc_920916
; 

loc_920910:				; CODE XREF: ObpFreeObject+100FA7j
		xor	ecx, ecx

loc_920912:				; CODE XREF: ObpFreeObject+100FBCj
		test	eax, eax
		jz	short loc_920924

loc_920916:				; CODE XREF: ObpFreeObject+100FBEj
		push	[ebp+var_20]
		lea	edx, [esi-40h]
		push	ecx
		mov	ecx, ebx
		call	PspReturnResourceQuota

loc_920924:				; CODE XREF: ObpFreeObject+100F89j
					; ObpFreeObject+100FC4j
		inc	ebx
		sub	esi, 0FFFFFF80h
		cmp	ebx, 4
		jl	short loc_9208CE
		mov	ecx, edi
		call	_PspRemoveQuotaBlock@4 ; PspRemoveQuotaBlock(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_24]
		mov	ebx, [ebp+var_28]
		jmp	loc_81FA68
; 

loc_920947:				; CODE XREF: ObpFreeObject+136j
		mov	eax, [edi]
		test	eax, eax
		jz	loc_81FA8C
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [edi], 0
		jmp	loc_81FA8C
; 

loc_920964:				; CODE XREF: ObpFreeObject+150j
		mov	eax, 546A624Fh
		jmp	loc_81FAAC
; END OF FUNCTION CHUNK	FOR ObpFreeObject
; 
; START	OF FUNCTION CHUNK FOR CmpDeleteKeyObject

loc_92096E:				; CODE XREF: CmpDeleteKeyObject+EDj
		push	0
		lea	edx, [esp+3Ch+var_18]
		call	_CmpKeyEnumStackFreeResumeContext@12 ; CmpKeyEnumStackFreeResumeContext(x,x,x)
		xor	dl, dl
		lea	ecx, [esp+38h+var_18]
		call	CmpDrainDelayDerefContext
		jmp	loc_81FD03
; 

loc_920989:				; CODE XREF: CmpDeleteKeyObject+191j
		mov	edx, 11h
		mov	bl, 1
		call	_CmpLogUnload@8	; CmpLogUnload(x,x)
		jmp	loc_81FD03
; END OF FUNCTION CHUNK	FOR CmpDeleteKeyObject
; 

loc_92099A:				; CODE XREF: PAGE:0081FE5Ej
					; PAGE:0081FE67j
		mov	esi, [edi+8]
		xor	edx, edx
		lea	ecx, [esi+18h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	bl, 1
		mov	[esi+1Ch], eax
		jmp	loc_81FE40
; 

loc_9209B7:				; CODE XREF: PAGE:0081FEE1j
		test	dword ptr [esi+4], 80000h
		jz	loc_81FEAD
		pop	edi
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	CmpFreeKeyControlBlock
; 
; START	OF FUNCTION CHUNK FOR IopCheckBackupRestorePrivilege

loc_9209CE:				; CODE XREF: IopCheckBackupRestorePrivilege+4Dj
		or	ebx, 11F01BFh
		jmp	loc_8218C3
; END OF FUNCTION CHUNK	FOR IopCheckBackupRestorePrivilege
; 
; START	OF FUNCTION CHUNK FOR IopAllocRealFileObject

loc_9209D9:				; CODE XREF: IopAllocRealFileObject+396j
		mov	eax, 0C000009Ah

loc_9209DE:				; CODE XREF: IopAllocRealFileObject+110j
		cmp	[ebp+arg_14], 0
		jnz	loc_8220BC
		mov	ecx, [esp+54h+var_3C]
		mov	dword ptr [ecx], 0
		jmp	loc_8220BC
; 

loc_9209F7:				; CODE XREF: IopAllocRealFileObject+A3j
		mov	eax, large fs:20h
		mov	edx, [eax+5C0h]
		mov	[esp+58h+var_3C], edx
		mov	cx, [edx+4]
		inc	dword ptr [edx+14h]
		cmp	cx, [edx+8]
		jb	short loc_920A39
		inc	dword ptr [edx+18h]
		mov	edx, [eax+5C4h]
		mov	[esp+58h+var_3C], edx
		mov	ax, [edx+4]
		inc	dword ptr [edx+14h]
		cmp	ax, [edx+8]
		jb	short loc_920A39
		mov	eax, [edx+2Ch]
		inc	dword ptr [edx+18h]
		push	edi
		call	eax
		jmp	short loc_920A4F
; 

loc_920A39:				; CODE XREF: IopAllocRealFileObject+FEBB2j
					; IopAllocRealFileObject+FEBCCj
		mov	ecx, [esp+58h+var_3C]
		mov	edx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		jmp	short loc_920A4F
; 

loc_920A46:				; CODE XREF: IopAllocRealFileObject+FEC75j
		mov	eax, [ecx+2Ch]
		inc	dword ptr [ecx+18h]
		push	edi
		call	eax

loc_920A4F:				; CODE XREF: IopAllocRealFileObject+FEBD7j
					; IopAllocRealFileObject+FEBE4j
		mov	eax, ebx
		mov	[esp+10h], eax
		jmp	loc_821F6E
; 

loc_920A5A:				; CODE XREF: IopAllocRealFileObject+B2j
		mov	ebx, 0C000000Dh
		jmp	short loc_920A81
; 

loc_920A61:				; CODE XREF: IopAllocRealFileObject+BAj
		mov	eax, ds:dword_A94A34
		push	0
		push	eax
		mov	eax, ds:_SeCreatePermanentPrivilege
		push	eax
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	loc_821F20
		mov	ebx, 0C0000061h

loc_920A81:				; CODE XREF: IopAllocRealFileObject+EFj
					; IopAllocRealFileObject+FEBFFj
		cmp	[esp+58h+var_2C], esi
		jz	short loc_920A90
		lea	ecx, [esp+58h+var_30]
		call	ObpFreeObjectNameBuffer

loc_920A90:				; CODE XREF: IopAllocRealFileObject+FEC25j
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jz	short loc_920AA7
		movzx	eax, byte ptr [edi+8]
		push	1
		push	eax
		push	ecx
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	[edi+18h], esi

loc_920AA7:				; CODE XREF: IopAllocRealFileObject+FEC35j
		mov	edx, large fs:20h
		mov	ecx, [edx+5C0h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_920ADB
		inc	dword ptr [ecx+18h]
		mov	ecx, [edx+5C4h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jnb	loc_920A46

loc_920ADB:				; CODE XREF: IopAllocRealFileObject+FEC5Fj
		mov	edx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	eax, ebx
		mov	[esp+58h+var_48], eax
		jmp	loc_821F6E
; 

loc_920AED:				; CODE XREF: IopAllocRealFileObject+FFj
		mov	ecx, esi
		call	_ObpRegisterObject@4 ; ObpRegisterObject(x)
		push	746C6644h
		push	1
		mov	dl, 1
		mov	ecx, esi
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		jmp	loc_821F65
; 

loc_920B09:				; CODE XREF: IopAllocRealFileObject+233j
		or	dword ptr [esi+2Ch], 20000h
		jmp	loc_822099
; END OF FUNCTION CHUNK	FOR IopAllocRealFileObject
; 
; START	OF FUNCTION CHUNK FOR IopSymlinkPropagateToExtensionIfNeeded

loc_920B15:				; CODE XREF: IopSymlinkPropagateToExtensionIfNeeded+52j
		movzx	ecx, word ptr [eax+0Ch]
		mov	eax, [ebp+arg_0]
		movzx	eax, word ptr [eax]
		add	eax, 2
		add	eax, ecx
		mov	[ebp+var_C], eax
		cmp	eax, 0FFFFh
		jb	short loc_920B38
		mov	esi, 0C0000106h
		jmp	loc_82227A
; 

loc_920B38:				; CODE XREF: IopSymlinkPropagateToExtensionIfNeeded+FE90Cj
		lea	ecx, [ebp+var_4]
		movzx	eax, ax
		push	ecx
		push	offset _IopSymlinkInfoLookasideList
		push	offset _IopSymlinkCleanupECP@8 ; IopSymlinkCleanupECP(x,x)
		push	0
		add	eax, 14h
		push	eax
		push	(offset	loc_A3F6CF+1)
		call	FsRtlAllocateExtraCreateParameterFromLookasideList
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	loc_82227A
		mov	esi, [ebp+var_8]
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+var_C]
		push	0		; int
		movzx	eax, word ptr [esi+2]
		add	edx, 14h
		push	eax		; __int16
		movzx	eax, word ptr [esi+4]
		push	eax		; __int16
		movzx	eax, word ptr [esi+0Ch]
		push	eax		; __int16
		mov	eax, [esi+10h]
		push	eax		; void *
		movzx	eax, word ptr [ecx]
		push	0		; __int16
		push	eax		; __int16
		mov	eax, [ecx+4]
		mov	ecx, edi
		push	eax		; void *
		call	IopSymlinkInitializeSymlinkInfo
		mov	ax, [edi+0Ch]
		sub	ax, [esi+0Ch]
		add	ax, [esi]
		mov	[edi], ax
		jmp	loc_822293
; END OF FUNCTION CHUNK	FOR IopSymlinkPropagateToExtensionIfNeeded
; 
; START	OF FUNCTION CHUNK FOR SepTokenDeleteMethod

loc_920BAB:				; CODE XREF: SepTokenDeleteMethod+10j
		mov	ecx, esi
		call	_SepRemoveTokenLogonSession@4 ;	SepRemoveTokenLogonSession(x)
		mov	eax, [esi+294h]
		test	eax, eax
		jz	loc_8222D6
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8222D6
; 

loc_920BCD:				; CODE XREF: SepTokenDeleteMethod+1Dj
		mov	ecx, esi
		call	_SepDeleteTokenClaims@4	; SepDeleteTokenClaims(x)
		jmp	loc_8222E3
; 

loc_920BD9:				; CODE XREF: SepTokenDeleteMethod+2Aj
		mov	ecx, esi
		call	_SepDeleteTokenUserAndGroups@4 ; SepDeleteTokenUserAndGroups(x)
		jmp	loc_8222F0
; 

loc_920BE5:				; CODE XREF: SepTokenDeleteMethod+5Dj
		mov	ecx, [esi+0C0h]
		call	SepDereferenceCachedHandlesEntry
		jmp	loc_822323
; 

loc_920BF5:				; CODE XREF: SepTokenDeleteMethod+8Ej
		lea	ecx, [esi+58h]
		xor	dl, dl
		call	_SepModifyTokenPolicyCounter@8 ; SepModifyTokenPolicyCounter(x,x)
		jmp	loc_822354
; END OF FUNCTION CHUNK	FOR SepTokenDeleteMethod
; 
; START	OF FUNCTION CHUNK FOR IopRetrieveTransactionParameters

loc_920C04:				; CODE XREF: IopRetrieveTransactionParameters+7Aj
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jnz	short loc_920C3A
		cmp	byte ptr [eax+16Ah], 1
		jz	short loc_920C3A
		mov	eax, [eax+0A8h]
		test	eax, eax
		jz	short loc_920C3A
		mov	eax, [eax+1D0h]
		movzx	eax, ax
		mov	[ebp+var_2C], eax
		mov	edi, [ebp+var_1C]
		jmp	loc_8226A0
; 

loc_920C3A:				; CODE XREF: IopRetrieveTransactionParameters+FE5F1j
					; IopRetrieveTransactionParameters+FE5FAj ...
		mov	edi, 0C0190018h
		mov	[ebp+var_1C], edi
		jmp	loc_8226A0
; END OF FUNCTION CHUNK	FOR IopRetrieveTransactionParameters

;  S U B	R O U T	I N E 


sub_920C47	proc near		; DATA XREF: .text:006A5C84o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	eax, 1
		retn
sub_920C47	endp


;  S U B	R O U T	I N E 


sub_920C57	proc near		; DATA XREF: .text:006A5C88o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-30h]
		mov	[ebp-1Ch], edi
		cmp	edi, 0C0000001h
		jnz	short loc_920C76
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	eax, eax
		jmp	loc_8226B7
; 

loc_920C76:				; CODE XREF: sub_920C57+Fj
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-34h]
		mov	ebx, [ebp-38h]
		jmp	loc_8226A7
sub_920C57	endp

; 
; START	OF FUNCTION CHUNK FOR IopRetrieveTransactionParameters

loc_920C88:				; CODE XREF: IopRetrieveTransactionParameters+8Fj
		mov	ecx, ebx
		call	_IopCheckStackForTransactionSupport@4 ;	IopCheckStackForTransactionSupport(x)
		test	eax, eax
		jnz	short loc_920CB7
		and	word ptr [esi+2Eh], 1
		cmp	dword ptr [esi+3Ch], 1
		jnz	short loc_920CA7
		test	[ebp+arg_0], 0FEEDFF56h
		jz	short loc_920CB7

loc_920CA7:				; CODE XREF: IopRetrieveTransactionParameters+FE67Cj
		cmp	byte ptr [esi+55h], 0
		jnz	short loc_920CB7
		mov	eax, 0C019003Fh
		jmp	loc_8226B7
; 

loc_920CB7:				; CODE XREF: IopRetrieveTransactionParameters+FE671j
					; IopRetrieveTransactionParameters+FE685j ...
		mov	eax, ds:_TmTransactionObjectType
		mov	[ebp+var_24], 0
		push	0
		lea	ecx, [ebp+var_24]
		push	ecx
		push	1
		push	eax
		push	120037h
		push	[ebp+var_20]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_920D22
		push	0		; int
		lea	eax, [ebp+var_28]
		push	eax		; int
		push	1		; char
		push	8		; size_t
		xor	edx, edx
		mov	ecx, [ebp+arg_4]
		call	IopGetSetSpecificExtension
		mov	edi, eax
		test	edi, edi
		jns	short loc_920D04
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObject
		jmp	loc_8226B5
; 

loc_920D04:				; CODE XREF: IopRetrieveTransactionParameters+FE6D5j
		mov	eax, 8
		mov	ecx, [ebp+var_28]
		mov	[ecx], ax
		mov	ax, word ptr [ebp+var_2C]
		mov	[ecx+2], ax
		mov	eax, [ebp+var_24]
		mov	[ecx+4], eax
		jmp	loc_8226B5
; 

loc_920D22:				; CODE XREF: IopRetrieveTransactionParameters+FE6BBj
		mov	edi, 0C0190018h
		jmp	loc_8226B5
; END OF FUNCTION CHUNK	FOR IopRetrieveTransactionParameters
; 
; START	OF FUNCTION CHUNK FOR SeSinglePrivilegeCheck

loc_920D2C:				; CODE XREF: SeSinglePrivilegeCheck+4Bj
		xor	ebx, ebx
		jmp	loc_82274B
; 

loc_920D33:				; CODE XREF: SeSinglePrivilegeCheck+8Fj
		test	edi, edi
		jz	short loc_920D4E
		mov	eax, [edi+294h]
		add	eax, 98h
		lock inc dword ptr [eax]
		cmp	edi, _SepTokenLeakToken
		jnz	short loc_920D4E
		int	3		; Trap to Debugger

loc_920D4E:				; CODE XREF: SeSinglePrivilegeCheck+FE655j
					; SeSinglePrivilegeCheck+FE66Bj
		test	ebx, ebx
		jz	loc_822775
		mov	eax, [ebx+294h]
		add	eax, 98h
		lock inc dword ptr [eax]
		cmp	ebx, _SepTokenLeakToken
		jnz	loc_822775
		int	3		; Trap to Debugger
		jmp	loc_822775
; END OF FUNCTION CHUNK	FOR SeSinglePrivilegeCheck
; 
; START	OF FUNCTION CHUNK FOR SeDeleteAccessState

loc_920D76:				; CODE XREF: SeDeleteAccessState+17j
		mov	eax, [esi+24h]
		test	eax, eax
		jz	loc_822F88
		mov	eax, [eax+294h]
		add	eax, 98h
		lock dec dword ptr [eax]
		mov	eax, [esi+24h]
		cmp	eax, _SepTokenLeakToken
		jnz	loc_822F88
		int	3		; Trap to Debugger
		jmp	loc_822F88
; 

loc_920DA4:				; CODE XREF: SeDeleteAccessState+5Fj
		mov	eax, [eax+294h]
		add	eax, 98h
		lock dec dword ptr [eax]
		mov	eax, [esi+1Ch]
		cmp	eax, _SepTokenLeakToken
		jnz	loc_822F4D
		int	3		; Trap to Debugger
		jmp	loc_822F4D
; END OF FUNCTION CHUNK	FOR SeDeleteAccessState
; 
; START	OF FUNCTION CHUNK FOR SeCreateAccessState

loc_920DC7:				; CODE XREF: SeCreateAccessState+38j
		mov	[ebp+var_18], 0
		jmp	loc_822FF6
; 

loc_920DD3:				; CODE XREF: SeCreateAccessState+73j
		test	esi, esi
		jz	short loc_920DEE
		mov	eax, [esi+294h]
		add	eax, 98h
		lock inc dword ptr [eax]
		cmp	esi, _SepTokenLeakToken
		jnz	short loc_920DEE
		int	3		; Trap to Debugger

loc_920DEE:				; CODE XREF: SeCreateAccessState+FDE35j
					; SeCreateAccessState+FDE4Bj
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jz	loc_823019
		mov	eax, [ecx+294h]
		add	eax, 98h
		lock inc dword ptr [eax]
		cmp	ecx, _SepTokenLeakToken
		jnz	loc_823019
		int	3		; Trap to Debugger
		jmp	loc_823019
; END OF FUNCTION CHUNK	FOR SeCreateAccessState
; 
; START	OF FUNCTION CHUNK FOR ObOpenObjectByPointer

loc_920E19:				; CODE XREF: ObOpenObjectByPointer+C7j
		xor	eax, eax
		mov	[esp+178h+var_16C], eax
		mov	[esp+178h+var_158], eax
		jmp	loc_823175
; 

loc_920E28:				; CODE XREF: ObOpenObjectByPointer+227j
		xor	esi, esi
		mov	[esp+178h+var_16C], esi
		jmp	loc_8232E2
; 

loc_920E33:				; CODE XREF: ObOpenObjectByPointer+10Fj
		test	esi, esi
		jz	short loc_920E4E
		mov	eax, [esi+294h]
		add	eax, 98h
		lock inc dword ptr [eax]
		cmp	esi, _SepTokenLeakToken
		jnz	short loc_920E4E
		int	3		; Trap to Debugger

loc_920E4E:				; CODE XREF: ObOpenObjectByPointer+FDDA5j
					; ObOpenObjectByPointer+FDDBBj
		test	ecx, ecx
		jz	loc_8231A5
		mov	eax, [ecx+294h]
		add	eax, 98h
		lock inc dword ptr [eax]
		cmp	ecx, _SepTokenLeakToken
		jnz	loc_8231A5
		int	3		; Trap to Debugger
		jmp	loc_8231A5
; 

loc_920E76:				; CODE XREF: ObOpenObjectByPointer+135j
		mov	edx, 6E48624Fh
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_823248
; 

loc_920E89:				; CODE XREF: ObOpenObjectByPointer+181j
		mov	eax, [esi+24h]
		test	eax, eax
		jz	loc_8233B0
		mov	eax, [eax+294h]
		add	eax, 98h
		lock dec dword ptr [eax]
		mov	eax, [esi+24h]
		cmp	eax, _SepTokenLeakToken
		jnz	loc_8233B0
		int	3		; Trap to Debugger
		jmp	loc_8233B0
; 

loc_920EB7:				; CODE XREF: ObOpenObjectByPointer+32Bj
		mov	eax, [eax+294h]
		add	eax, 98h
		lock dec dword ptr [eax]
		mov	eax, [esi+1Ch]
		cmp	eax, _SepTokenLeakToken
		jnz	loc_823217
		int	3		; Trap to Debugger
		jmp	loc_823217
; 

loc_920EDA:				; CODE XREF: ObOpenObjectByPointer+84j
					; ObOpenObjectByPointer+29Ej
		inc	_ObpInvalidOpenByPointer
		mov	edx, 6E48624Fh
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C000000Dh
		jmp	loc_823248
; END OF FUNCTION CHUNK	FOR ObOpenObjectByPointer
; 
; START	OF FUNCTION CHUNK FOR NtAlertThreadByThreadId

loc_920EF6:				; CODE XREF: NtAlertThreadByThreadId+37j
		call	ObfDereferenceObject
		mov	eax, 0C0000022h
		jmp	loc_82344B
; END OF FUNCTION CHUNK	FOR NtAlertThreadByThreadId
; 
; START	OF FUNCTION CHUNK FOR PsLookupProcessByProcessId

loc_920F05:				; CODE XREF: PsLookupProcessByProcessId+39j
		lea	ecx, [edi+0E0h]
		mov	[ebp+var_4], 0
		xor	edx, edx
		lea	eax, [ebp+var_4]
		lock or	[eax], edx
		mov	eax, [ecx]
		test	al, 1
		jz	loc_8234E1
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)
		jmp	loc_8234E1
; END OF FUNCTION CHUNK	FOR PsLookupProcessByProcessId
; 
; START	OF FUNCTION CHUNK FOR PspReferenceCidTableEntry

loc_920F2E:				; CODE XREF: PspReferenceCidTableEntry+71j
		xor	esi, esi
		jmp	loc_823815
; END OF FUNCTION CHUNK	FOR PspReferenceCidTableEntry
; 
; START	OF FUNCTION CHUNK FOR RtlpIsDuplicateAce

loc_920F35:				; CODE XREF: RtlpIsDuplicateAce+96j
		sub	cl, 5
		cmp	cl, 3
		ja	loc_8239C7
		sub	esp, 8
		mov	edx, ebx
		mov	ecx, esi
		call	_RtlpCompareKnownObjectAces@16 ; RtlpCompareKnownObjectAces(x,x,x,x)
		test	al, al
		jz	loc_8239C7
		jmp	loc_8239E3
; 

loc_920F5A:				; CODE XREF: RtlpIsDuplicateAce+9Fj
		cmp	cl, 8
		jbe	loc_8239C7
		jmp	loc_823995
; 

loc_920F68:				; CODE XREF: RtlpIsDuplicateAce+C0j
		mov	al, [ebx+1]
		xor	al, ah
		test	al, 0C0h
		jnz	loc_8239C7
		jmp	loc_8239B6
; END OF FUNCTION CHUNK	FOR RtlpIsDuplicateAce

;  S U B	R O U T	I N E 


sub_920F7A	proc near		; DATA XREF: .text:006A5D0Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		mov	eax, 1
		retn
sub_920F7A	endp


;  S U B	R O U T	I N E 


sub_920F8A	proc near		; DATA XREF: .text:006A5D10o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_823B0D
sub_920F8A	endp


;  S U B	R O U T	I N E 


sub_920F9C	proc near		; DATA XREF: .text:006A5D18o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		mov	eax, 1
		retn
sub_920F9C	endp


;  S U B	R O U T	I N E 


sub_920FAC	proc near		; DATA XREF: .text:006A5D1Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2Ch]
		jmp	loc_823B0D
sub_920FAC	endp

; 
; START	OF FUNCTION CHUNK FOR ObReferenceFileObjectForWrite

loc_920FBE:				; CODE XREF: ObReferenceFileObjectForWrite+103j
		or	edx, 8
		jmp	loc_823DB9
; 

loc_920FC6:				; CODE XREF: ObReferenceFileObjectForWrite+136j
		mov	esi, [ebp+arg_4]
		mov	edi, 0C000A006h
		jmp	short loc_921009
; 

loc_920FD0:				; CODE XREF: ObReferenceFileObjectForWrite+147j
		test	al, al
		jz	loc_823DFD
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		push	esi
		push	ebx
		push	[ebp+var_14]
		call	_ObpAuditObjectAccess@20 ; ObpAuditObjectAccess(x,x,x,x,x)
		test	al, al
		jnz	loc_823DFD
		mov	esi, [ebp+arg_4]
		mov	edi, 0C0000008h
		jmp	short loc_921009
; 

loc_920FFA:				; CODE XREF: ObReferenceFileObjectForWrite+118j
		mov	esi, [ebp+arg_4]
		mov	edi, 0C0000022h
		jmp	short loc_921009
; 

loc_921004:				; CODE XREF: ObReferenceFileObjectForWrite+D6j
		mov	edi, 0C0000024h

loc_921009:				; CODE XREF: ObReferenceFileObjectForWrite+FD31Ej
					; ObReferenceFileObjectForWrite+FD348j	...
		push	esi
		call	_ObDereferenceObject@4 ; ObDereferenceObject(x)
		jmp	loc_823E3F
; END OF FUNCTION CHUNK	FOR ObReferenceFileObjectForWrite
; 
; START	OF FUNCTION CHUNK FOR ObpReferenceObjectByHandle

loc_921014:				; CODE XREF: ObpReferenceObjectByHandle+7Aj
		mov	ecx, [edi]
		neg	eax
		lock xadd [ecx], eax
		jmp	loc_823EC9
; 

loc_921021:				; CODE XREF: ObpReferenceObjectByHandle+D7j
		xor	edx, edx
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_823EC9
; 

loc_92102D:				; CODE XREF: ObpReferenceObjectByHandle+DEj
		mov	eax, large fs:124h
		mov	edx, edi
		mov	ecx, ebx
		movzx	eax, byte ptr [eax+15Ah]
		push	eax
		call	ExHandleLogBadReference
		jmp	loc_823F64
; END OF FUNCTION CHUNK	FOR ObpReferenceObjectByHandle
; 
; START	OF FUNCTION CHUNK FOR SeCreateClientSecurityEx

loc_921049:				; CODE XREF: SeCreateClientSecurityEx+166j
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_SepUpdateSiloInClientSecurity@8 ; SepUpdateSiloInClientSecurity(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_921060
		mov	ecx, edi
		call	ObfDereferenceObject

loc_921060:				; CODE XREF: SeCreateClientSecurityEx+FD0E7j
		mov	eax, esi
		jmp	loc_82404E
; END OF FUNCTION CHUNK	FOR SeCreateClientSecurityEx
; 
; START	OF FUNCTION CHUNK FOR SepCreateClientSecurityEx

loc_921067:				; CODE XREF: SepCreateClientSecurityEx+DFj
		mov	eax, 0C000000Dh
		jmp	loc_824179
; 

loc_921071:				; CODE XREF: SepCreateClientSecurityEx+B3j
		cmp	edx, 3
		jnz	loc_824227
		jmp	loc_8241A9
; 

loc_92107F:				; CODE XREF: SepCreateClientSecurityEx+150j
		mov	ecx, eax
		jmp	short loc_921090
; 

loc_921083:				; CODE XREF: SepCreateClientSecurityEx+16Aj
		mov	eax, [ecx+80h]
		jmp	loc_824266
; 

loc_92108E:				; CODE XREF: SepCreateClientSecurityEx+15Bj
		xor	ecx, ecx

loc_921090:				; CODE XREF: SepCreateClientSecurityEx+FCF91j
		lea	edx, [esp+20h+var_10]
		call	_SepGetAnonymousToken@8	; SepGetAnonymousToken(x,x)
		jmp	loc_82429A
; 

loc_92109E:				; CODE XREF: SepCreateClientSecurityEx+EFj
		mov	eax, [esp+20h+var_14]
		mov	[esp+20h+var_8], 0
		mov	ecx, [eax+18h]
		mov	[esp+20h+var_10], ecx
		mov	ecx, [eax+1Ch]
		mov	[esp+20h+var_4], ecx
		lea	ecx, [esp+20h+var_8]
		push	ecx
		push	eax
		call	_SeQueryServerSiloToken@8 ; SeQueryServerSiloToken(x,x)
		test	eax, eax
		js	short loc_921101
		push	[esp+20h+var_8]
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	short loc_921101
		cmp	[esp+20h+var_10], 3E7h
		jnz	short loc_921101
		cmp	[esp+20h+var_4], 0
		jnz	short loc_921101
		lea	eax, [esp+20h+var_C]
		push	eax
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		mov	edx, [edi+4]
		mov	ecx, [esp+24h+var_14]
		push	eax
		call	_SepCopyClientTokenAndSetSilo@16 ; SepCopyClientTokenAndSetSilo(x,x,x,x)
		jmp	loc_8241FD
; 

loc_921101:				; CODE XREF: SepCreateClientSecurityEx+FCFD5j
					; SepCreateClientSecurityEx+FCFE2j ...
		lea	eax, [esp+20h+var_C]
		push	eax
		push	0
		push	0
		jmp	loc_8241F0
; 

loc_92110F:				; CODE XREF: SepCreateClientSecurityEx+11Fj
		mov	eax, ecx
		jmp	loc_824179
; 

loc_921116:				; CODE XREF: SepCreateClientSecurityEx+5Fj
		mov	ecx, [esp+20h+var_14]
		lea	edx, [esi+14h]
		call	_SeGetTokenControlInformation@8	; SeGetTokenControlInformation(x,x)
		jmp	loc_824155
; END OF FUNCTION CHUNK	FOR SepCreateClientSecurityEx
; 
; START	OF FUNCTION CHUNK FOR PsReferenceEffectiveToken

loc_921127:				; CODE XREF: PsReferenceEffectiveToken+19j
		mov	ecx, [edi+150h]
		jmp	loc_824485
; 

loc_921132:				; CODE XREF: PsReferenceEffectiveToken+ACj
		xor	edi, edi
		jmp	loc_824555
; END OF FUNCTION CHUNK	FOR PsReferenceEffectiveToken
; 
; START	OF FUNCTION CHUNK FOR MmQueryVirtualMemory

loc_921139:				; CODE XREF: MmQueryVirtualMemory+421j
					; DATA XREF: PAGE:off_8251E8o
		cmp	[ebp+arg_8], 14h ; case	0x7
		jnb	loc_82481F	; case 0x2

loc_921143:				; CODE XREF: MmQueryVirtualMemory+C9j
					; MmQueryVirtualMemory+432j ...
		mov	eax, 0C0000004h
		jmp	loc_824B4A
; 

loc_92114D:				; CODE XREF: MmQueryVirtualMemory+421j
					; DATA XREF: PAGE:off_8251E8o
		cmp	[ebp+arg_8], 4	; case 0x5
		jnb	loc_82481F	; case 0x2
		jmp	short loc_921143
; 

loc_921159:				; CODE XREF: MmQueryVirtualMemory+421j
					; DATA XREF: PAGE:off_8251E8o
		cmp	[ebp+arg_8], 14h ; case	0xB
		jb	short loc_921143
		jmp	loc_824F43
; 

loc_921164:				; CODE XREF: MmQueryVirtualMemory+41Bj
					; MmQueryVirtualMemory+421j
					; DATA XREF: ...
		mov	eax, 0C0000003h	; default
		jmp	loc_824B4A
; 

loc_92116E:				; CODE XREF: MmQueryVirtualMemory+6BBj
		mov	ecx, eax
		jmp	loc_824E11
; END OF FUNCTION CHUNK	FOR MmQueryVirtualMemory

;  S U B	R O U T	I N E 


sub_921175	proc near		; DATA XREF: .text:006A5D34o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B0h], eax
		mov	eax, 1
		retn
sub_921175	endp


;  S U B	R O U T	I N E 


sub_921188	proc near		; DATA XREF: .text:006A5D38o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0B0h]
		jmp	loc_824B4A
sub_921188	endp

; 
; START	OF FUNCTION CHUNK FOR MmQueryVirtualMemory

loc_92119D:				; CODE XREF: MmQueryVirtualMemory+13Fj
		mov	[ebp+var_4], 1
		mov	ecx, 7
		mov	esi, [ebp+var_40]
		lea	edi, [ebp+var_E8]
		rep movsd
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [ebp+var_DC]
		mov	[ebp+var_DC], 0
		push	0
		push	1Ch
		lea	eax, [ebp+var_E8]
		push	eax
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		cmp	eax, 1Ch
		jnz	loc_825145
		mov	eax, [ebp+var_78]
		mov	edi, [ebp+var_4C]
		sub	eax, edi
		inc	eax
		cmp	esi, eax
		ja	loc_825145
		mov	eax, edi
		and	eax, 0FFFh
		add	esi, 0FFFh
		add	eax, esi
		and	eax, 0FFFFF000h
		add	eax, [ebp+var_54]
		mov	[ebp+var_68], eax
		mov	esi, [ebp+var_44]
		jmp	loc_824895
; END OF FUNCTION CHUNK	FOR MmQueryVirtualMemory

;  S U B	R O U T	I N E 


sub_921217	proc near		; DATA XREF: .text:006A5D40o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B4h], eax
		mov	eax, 1
		retn
sub_921217	endp


;  S U B	R O U T	I N E 


sub_92122A	proc near		; DATA XREF: .text:006A5D44o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0B4h]
		jmp	loc_824B4A
sub_92122A	endp

; 
; START	OF FUNCTION CHUNK FOR MmQueryVirtualMemory

loc_92123F:				; CODE XREF: MmQueryVirtualMemory+47Dj
		mov	ecx, 400h
		jmp	loc_824BD3
; 

loc_921249:				; CODE XREF: MmQueryVirtualMemory+4B9j
		mov	edx, 6D566D4Dh
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C0000022h
		jmp	loc_824B4A
; 

loc_92125F:				; CODE XREF: MmQueryVirtualMemory+160j
		push	[ebp+var_A8]
		mov	ebx, [ebp+arg_8]
		push	ebx
		mov	edx, [ebp+var_40]
		mov	ecx, eax
		call	_MiQueryMemoryPhysicalContiguity@16 ; MiQueryMemoryPhysicalContiguity(x,x,x,x)
		mov	edi, eax
		cmp	esi, 0FFFFFFFFh
		jz	short loc_921287
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_44]
		call	ObfDereferenceObjectWithTag

loc_921287:				; CODE XREF: MmQueryVirtualMemory+FCB28j
		test	edi, edi
		js	loc_8251C8
		mov	[ebp+var_4], 2
		jmp	loc_824F7A
; END OF FUNCTION CHUNK	FOR MmQueryVirtualMemory

;  S U B	R O U T	I N E 


sub_92129B	proc near		; DATA XREF: .text:006A5D4Co
		mov	eax, 1
		retn
sub_92129B	endp


;  S U B	R O U T	I N E 


sub_9212A1	proc near		; DATA XREF: .text:006A5D50o
		mov	esp, [ebp-18h]
		jmp	loc_824B41
sub_9212A1	endp


;  S U B	R O U T	I N E 


sub_9212A9	proc near		; DATA XREF: .text:006A5D58o
		mov	eax, 1
		retn
sub_9212A9	endp


;  S U B	R O U T	I N E 


sub_9212AF	proc near		; DATA XREF: .text:006A5D5Co
		mov	esp, [ebp-18h]
		jmp	loc_824B41
sub_9212AF	endp

; 
; START	OF FUNCTION CHUNK FOR MmQueryVirtualMemory

loc_9212B7:				; CODE XREF: MmQueryVirtualMemory+A6Ej
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_44]
		call	ObfDereferenceObjectWithTag
		jmp	loc_8251C4
; 

loc_9212C9:				; CODE XREF: MmQueryVirtualMemory+A91j
		mov	eax, [ebp+var_74]
		lea	eax, ds:4[eax*4]
		mov	[ecx], eax
		jmp	loc_824B41
; END OF FUNCTION CHUNK	FOR MmQueryVirtualMemory

;  S U B	R O U T	I N E 


sub_9212DA	proc near		; DATA XREF: .text:006A5D64o
		mov	eax, 1
		retn
sub_9212DA	endp


;  S U B	R O U T	I N E 


sub_9212E0	proc near		; DATA XREF: .text:006A5D68o
		mov	esp, [ebp-18h]
		jmp	loc_824B41
sub_9212E0	endp

; 
; START	OF FUNCTION CHUNK FOR MmQueryVirtualMemory

loc_9212E8:				; CODE XREF: MmQueryVirtualMemory+17Bj
		mov	edi, [eax+418h]
		cmp	esi, 0FFFFFFFFh
		jz	short loc_921300
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_70]
		call	ObfDereferenceObjectWithTag

loc_921300:				; CODE XREF: MmQueryVirtualMemory+FCBA1j
		mov	[ebp+var_4], 5
		mov	eax, [ebp+var_40]
		mov	[eax], edi
		mov	ecx, [ebp+var_50]
		test	ecx, ecx
		jz	loc_824B41
		mov	dword ptr [ecx], 4
		jmp	loc_824B41
; END OF FUNCTION CHUNK	FOR MmQueryVirtualMemory

;  S U B	R O U T	I N E 


sub_921322	proc near		; DATA XREF: .text:006A5D70o
		mov	eax, 1
		retn
sub_921322	endp


;  S U B	R O U T	I N E 


sub_921328	proc near		; DATA XREF: .text:006A5D74o
		mov	esp, [ebp-18h]
		jmp	loc_824B41
sub_921328	endp

; 
; START	OF FUNCTION CHUNK FOR MmQueryVirtualMemory

loc_921330:				; CODE XREF: MmQueryVirtualMemory+844j
		mov	esi, [ebp+var_4C]
		mov	eax, esi
		and	eax, 0FFFFF000h
		mov	edi, [ebp+var_78]
		sub	edi, eax
		inc	edi
		jmp	loc_824FDD
; END OF FUNCTION CHUNK	FOR MmQueryVirtualMemory

;  S U B	R O U T	I N E 


sub_921345	proc near		; DATA XREF: .text:006A5D7Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B8h], eax
		mov	eax, 1
		retn
sub_921345	endp


;  S U B	R O U T	I N E 


sub_921358	proc near		; DATA XREF: .text:006A5D80o
		mov	esp, [ebp-18h]
		test	byte ptr [ebp-3Ch], 2
		jnz	loc_824B41
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0B8h]
		jmp	loc_824B4A
sub_921358	endp

; 
; START	OF FUNCTION CHUNK FOR MmQueryVirtualMemory

loc_921377:				; CODE XREF: MmQueryVirtualMemory+241j
		mov	edx, edi
		mov	ecx, [ebp+var_58]
		call	_MiUnlockVadShared@8 ; MiUnlockVadShared(x,x)
		mov	edx, edi
		mov	ecx, [ebp+var_58]
		call	_MiLockVad@8	; MiLockVad(x,x)
		mov	ecx, edi
		call	_MiWaitForVadDeletion@4	; MiWaitForVadDeletion(x)
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		and	[ebp+var_3C], 0FFFFFFFDh
		mov	edi, [ebp+var_58]
		jmp	loc_8248E0
; 

loc_9213A5:				; CODE XREF: MmQueryVirtualMemory+763j
		or	eax, 10h
		mov	[ebp+var_3C], eax
		jmp	loc_824EB9
; 

loc_9213B0:				; CODE XREF: MmQueryVirtualMemory+778j
		or	eax, 20h
		mov	[ebp+var_3C], eax
		jmp	loc_824ECE
; 

loc_9213BB:				; CODE XREF: MmQueryVirtualMemory+78Dj
		or	eax, 8
		mov	[ebp+var_3C], eax
		jmp	loc_824A2D
; 

loc_9213C6:				; CODE XREF: MmQueryVirtualMemory+2CEj
		mov	eax, [edi+2Ch]
		mov	eax, [eax]
		test	dword ptr [eax+1Ch], 40000000h
		jz	loc_824A24
		jmp	short loc_9213E7
; 

loc_9213DA:				; CODE XREF: MmQueryVirtualMemory+46Cj
		test	dword ptr [eax+1Ch], 40000000h
		jz	loc_824A24

loc_9213E7:				; CODE XREF: MmQueryVirtualMemory+FCC88j
		or	[ebp+var_3C], 4
		jmp	loc_824A24
; 

loc_9213F0:				; CODE XREF: MmQueryVirtualMemory+398j
		mov	ebx, 1
		jmp	loc_824AF0
; 

loc_9213FA:				; CODE XREF: MmQueryVirtualMemory+3ACj
		or	edx, 1
		mov	[ebp+var_4C], edx
		mov	[ebp+var_7C], edx
		jmp	loc_824B02
; 

loc_921408:				; CODE XREF: MmQueryVirtualMemory+3EBj
		mov	dword ptr [ecx], 0Ch
		jmp	loc_824B41
; END OF FUNCTION CHUNK	FOR MmQueryVirtualMemory

;  S U B	R O U T	I N E 


sub_921413	proc near		; DATA XREF: .text:006A5D94o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C0h], eax
		mov	eax, large fs:124h
		mov	[ebp-0BCh], eax
		mov	eax, [ebp-0BCh]
		mov	al, [eax+15Ah]
		mov	[ebp-61h], al
		mov	cl, [ebp-61h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_921413	endp


;  S U B	R O U T	I N E 


sub_921446	proc near		; DATA XREF: .text:006A5D98o
		mov	esp, [ebp-18h]
		test	byte ptr [ebp-3Ch], 2
		jnz	loc_824B41
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0C0h]
		jmp	loc_824B4A
sub_921446	endp


;  S U B	R O U T	I N E 


sub_921465	proc near		; DATA XREF: .text:006A5DACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C4h], eax
		mov	eax, 1
		retn
sub_921465	endp


;  S U B	R O U T	I N E 


sub_921478	proc near		; DATA XREF: .text:006A5DB0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0C4h]
		jmp	loc_824E91
sub_921478	endp

; 

loc_921486:				; DATA XREF: .text:006A5DA0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C8h], eax
		mov	eax, 1
		retn
; 

loc_921499:				; DATA XREF: .text:006A5DA4o
		mov	esp, [ebp-18h]
		test	byte ptr [ebp-3Ch], 2
		jnz	loc_824B41
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0C8h]
		jmp	loc_824B4A
; 
; START	OF FUNCTION CHUNK FOR MmQueryVirtualMemory

loc_9214B8:				; CODE XREF: MmQueryVirtualMemory+58Dj
		mov	[ebp+var_5C], 0
		jmp	loc_824CE3
; 

loc_9214C4:				; CODE XREF: MmQueryVirtualMemory+980j
		mov	ecx, edi
		call	_MiGetAweVadPartition@4	; MiGetAweVadPartition(x)
		mov	esi, eax
		jmp	loc_8250F1
; 

loc_9214D2:				; CODE XREF: MmQueryVirtualMemory+98Bj
					; MmQueryVirtualMemory+99Bj
		mov	edx, 10h
		mov	ecx, edi
		call	_MiLocateVadEvent@8 ; MiLocateVadEvent(x,x)
		test	eax, eax
		jz	short loc_92150A
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_54], ecx
		test	ecx, ecx
		jz	loc_824D0E
		mov	esi, [ecx]
		call	PsReferencePartitionSafe
		test	al, al
		jnz	short loc_921511
		mov	eax, 0C00004A0h
		mov	[ebp+var_68], eax
		xor	ecx, ecx
		jmp	loc_824D10
; 

loc_92150A:				; CODE XREF: MmQueryVirtualMemory+FCD90j
		xor	ecx, ecx
		jmp	loc_824D0E
; 

loc_921511:				; CODE XREF: MmQueryVirtualMemory+FCDA9j
		mov	ecx, [ebp+var_54]
		jmp	loc_824D0E
; 

loc_921519:				; CODE XREF: MmQueryVirtualMemory+5C2j
		mov	[ebp+var_54], 0
		jmp	loc_824D1E
; 

loc_921525:				; CODE XREF: MmQueryVirtualMemory+5D0j
		call	PsDereferencePartition
		jmp	loc_824D26
; 

loc_92152F:				; CODE XREF: MmQueryVirtualMemory+631j
		mov	ecx, ebx
		mov	dword ptr [ecx+8], 0
		mov	eax, [ebp+var_88]
		cmp	eax, 20000h
		jnz	short loc_921553
		mov	dword ptr [ecx+8], 1
		mov	ebx, 1
		jmp	short loc_9215A5
; 

loc_921553:				; CODE XREF: MmQueryVirtualMemory+FCDF3j
		test	dl, 8
		jz	short loc_921566
		mov	dword ptr [ecx+8], 10h
		mov	ebx, 10h
		jmp	short loc_9215A5
; 

loc_921566:				; CODE XREF: MmQueryVirtualMemory+FCE06j
		cmp	eax, 40000h
		jnz	short loc_92157B
		mov	dword ptr [ecx+8], 2
		mov	ebx, 2
		jmp	short loc_9215A5
; 

loc_92157B:				; CODE XREF: MmQueryVirtualMemory+FCE1Bj
		cmp	eax, 1000000h
		jnz	short loc_921590
		mov	dword ptr [ecx+8], 4
		mov	ebx, 4
		jmp	short loc_9215A5
; 

loc_921590:				; CODE XREF: MmQueryVirtualMemory+FCE30j
		xor	ebx, ebx
		cmp	eax, 8000000h
		jnz	short loc_9215A5
		mov	dword ptr [ecx+8], 8
		mov	ebx, 8

loc_9215A5:				; CODE XREF: MmQueryVirtualMemory+FCE01j
					; MmQueryVirtualMemory+FCE14j ...
		mov	ecx, edi
		call	_MiGetVadPageSize@4 ; MiGetVadPageSize(x)
		cmp	eax, 10h
		jnz	short loc_9215BD
		or	ebx, 80h
		mov	eax, [ebp+var_40]
		mov	[eax+8], ebx

loc_9215BD:				; CODE XREF: MmQueryVirtualMemory+FCE5Fj
		mov	eax, edx
		and	eax, 4
		shl	eax, 3
		or	eax, ebx
		mov	ebx, [ebp+var_40]
		mov	[ebx+8], eax
		mov	ecx, edx
		and	ecx, 10h
		shl	ecx, 2
		or	ecx, eax
		mov	[ebx+8], ecx
		mov	eax, edx
		and	eax, 20h
		shl	eax, 3
		or	eax, ecx
		mov	ecx, [ebp+var_5C]
		jmp	loc_824D8D
; 

loc_9215EC:				; CODE XREF: MmQueryVirtualMemory+678j
		dec	esi
		mov	[ebx+18h], esi
		jmp	loc_824DD5
; 

loc_9215F5:				; CODE XREF: MmQueryVirtualMemory+69Ej
		mov	[ecx], eax
		jmp	loc_824B41
; END OF FUNCTION CHUNK	FOR MmQueryVirtualMemory

;  S U B	R O U T	I N E 


sub_9215FC	proc near		; DATA XREF: .text:006A5D88o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0CCh], eax
		mov	eax, 1
		retn
sub_9215FC	endp


;  S U B	R O U T	I N E 


sub_92160F	proc near		; DATA XREF: .text:006A5D8Co
		mov	esp, [ebp-18h]
		test	byte ptr [ebp-3Ch], 2
		jnz	loc_824B41
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0CCh]
		jmp	loc_824B4A
sub_92160F	endp

; 
; START	OF FUNCTION CHUNK FOR MmQueryVirtualMemory

loc_92162E:				; CODE XREF: MmQueryVirtualMemory+835j
		mov	[ecx], ebx
		jmp	loc_824B41
; 

loc_921635:				; CODE XREF: MmQueryVirtualMemory+24Aj
					; MmQueryVirtualMemory+253j
		mov	ecx, edi
		call	MiUnlockAndDereferenceVadShared
		and	[ebp+var_3C], 0FFFFFFFDh
		mov	edi, [ebp+var_58]
		jmp	loc_8248E0
; END OF FUNCTION CHUNK	FOR MmQueryVirtualMemory

;  S U B	R O U T	I N E 


sub_921648	proc near		; DATA XREF: .text:006A61C4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		mov	eax, 1
		retn
sub_921648	endp


;  S U B	R O U T	I N E 


sub_921658	proc near		; DATA XREF: .text:006A61C8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_8283E8
sub_921658	endp

; 
; START	OF FUNCTION CHUNK FOR ObWaitForSingleObject

loc_92166A:				; CODE XREF: ObWaitForSingleObject+EBj
		mov	eax, [ebp+arg_4]
		movzx	eax, word ptr [eax+7Eh]
		mov	eax, [eax+ebx]
		jmp	loc_8284A3
; END OF FUNCTION CHUNK	FOR ObWaitForSingleObject

;  S U B	R O U T	I N E 


sub_921679	proc near		; DATA XREF: .text:006A61E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	ecx, [eax]
		mov	[ebp-20h], ecx
		xor	eax, eax
		cmp	ecx, 0C0000191h
		setz	al
		retn
sub_921679	endp


;  S U B	R O U T	I N E 


sub_92168F	proc near		; DATA XREF: .text:006A61E8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		mov	[ebp-24h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-1Ch]
		jmp	loc_8284C7
sub_92168F	endp


;  S U B	R O U T	I N E 


sub_9216A7	proc near		; DATA XREF: .text:006A6204o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-90h], eax
		mov	eax, large fs:124h
		mov	[ebp-8Ch], eax
		mov	eax, [ebp-8Ch]
		mov	al, [eax+15Ah]
		mov	[ebp-5Dh], al
		mov	cl, [ebp-5Dh]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_9216A7	endp


;  S U B	R O U T	I N E 


sub_9216DA	proc near		; DATA XREF: .text:006A6208o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-90h]
		jmp	loc_828650
sub_9216DA	endp

; 
; START	OF FUNCTION CHUNK FOR NtRemoveIoCompletionEx

loc_9216EF:				; CODE XREF: NtRemoveIoCompletionEx+C1j
		lea	edx, ds:0[esi*4]
		call	sub_60DA17
		mov	[ebp+var_64], eax
		test	eax, eax
		jnz	loc_8285DD
		lea	esi, [eax+10h]
		jmp	loc_8285D7
; 

loc_92170E:				; CODE XREF: NtRemoveIoCompletionEx+124j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_82863A
; END OF FUNCTION CHUNK	FOR NtRemoveIoCompletionEx

;  S U B	R O U T	I N E 


sub_92171B	proc near		; DATA XREF: .text:006A6210o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-98h], eax
		mov	eax, 1
		retn
sub_92171B	endp


;  S U B	R O U T	I N E 


sub_92172E	proc near		; DATA XREF: .text:006A6214o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-98h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_82864E
sub_92172E	endp

; 
; START	OF FUNCTION CHUNK FOR NtRemoveIoCompletionEx

loc_921743:				; CODE XREF: NtRemoveIoCompletionEx+80j
					; NtRemoveIoCompletionEx+8Cj
		mov	eax, 0C000000Dh
		jmp	loc_828650
; END OF FUNCTION CHUNK	FOR NtRemoveIoCompletionEx
; 
; START	OF FUNCTION CHUNK FOR MiMapViewOfDataSection

loc_92174D:				; CODE XREF: MiMapViewOfDataSection+77j
		test	edx, edx
		jnz	short loc_921782
		test	ecx, ecx
		jnz	short loc_921782
		mov	edx, [ebp+arg_10]
		cmp	edx, 18h
		jz	short loc_921782
		mov	eax, edx
		and	eax, 0FFFFFFF8h
		cmp	eax, 10h
		jz	short loc_921782
		mov	eax, edx
		and	eax, 5
		cmp	al, 5
		jz	short loc_921782
		cmp	[edi+20h], ecx
		jz	short loc_92178C
		test	dword ptr [edi+1Ch], 40000000h

loc_92177C:				; CODE XREF: MiMapViewOfDataSection+F9099j
		jnz	loc_828785

loc_921782:				; CODE XREF: MiMapViewOfDataSection+35j
					; MiMapViewOfDataSection+42j ...
		mov	eax, 0C000000Dh
		jmp	loc_828C65
; 

loc_92178C:				; CODE XREF: MiMapViewOfDataSection+F9073j
		mov	eax, [esp+88h+var_50]
		mov	edx, 1000h
		test	[eax+8], dx
		jmp	short loc_92177C
; 

loc_92179B:				; CODE XREF: MiMapViewOfDataSection+7Fj
		test	ecx, ecx
		jnz	short loc_921782
		cmp	[ebx+3D4h], ecx
		jnz	loc_828785
		test	byte ptr [esi+30h], 1
		jz	short loc_921782
		jmp	loc_828785
; 

loc_9217B6:				; CODE XREF: MiMapViewOfDataSection+8Dj
		dec	eax
		test	[esi+10h], eax
		jz	loc_828793

loc_9217C0:				; CODE XREF: MiMapViewOfDataSection+880j
					; MiMapViewOfDataSection+88Fj
		mov	eax, 0C000001Fh
		jmp	loc_828C65
; 

loc_9217CA:				; CODE XREF: MiMapViewOfDataSection+121j
					; MiMapViewOfDataSection+12Dj
		mov	esi, 0C000001Fh
		jmp	loc_828FC2
; 

loc_9217D4:				; CODE XREF: MiMapViewOfDataSection+6BBj
		mov	eax, 1
		jmp	loc_828DC3
; 

loc_9217DE:				; CODE XREF: MiMapViewOfDataSection+221j
		mov	esi, 0C000009Ah
		jmp	loc_828FB1
; 

loc_9217E8:				; CODE XREF: MiMapViewOfDataSection+286j
		mov	eax, [esp+88h+var_74]
		mov	eax, [eax+24Ch]
		mov	byte ptr [eax+84h], 1
		jmp	loc_82898C
; 

loc_9217FE:				; CODE XREF: MiMapViewOfDataSection+2CAj
		mov	ecx, ebx
		call	_MiCreatePlaceholderStorage@4 ;	MiCreatePlaceholderStorage(x)
		mov	[esp+88h+var_6C], eax
		mov	[esp+88h+var_48], eax
		test	eax, eax
		jns	loc_8289D0
		mov	esi, eax
		jmp	loc_828FB1
; 

loc_92181C:				; CODE XREF: MiMapViewOfDataSection+2FBj
		mov	esi, 0C000010Ah
		jmp	loc_828F9B
; 

loc_921826:				; CODE XREF: MiMapViewOfDataSection+311j
		mov	ecx, [ebp+arg_4]
		mov	ecx, [ecx]
		add	ecx, eax
		jmp	loc_828E2B
; 

loc_921832:				; CODE XREF: MiMapViewOfDataSection+744j
		lea	eax, [esp+88h+var_48]
		push	eax
		movzx	eax, byte ptr [esi+44h]
		push	eax
		call	_MiFindPlaceholderVadToReplace@16 ; MiFindPlaceholderVadToReplace(x,x,x,x)
		mov	[esp+88h+var_58], eax
		test	eax, eax
		jnz	loc_828E68
		mov	esi, [esp+88h+var_48]
		jmp	loc_82900C
; 

loc_921856:				; CODE XREF: MiMapViewOfDataSection+7CBj
		or	eax, 0FFFFFFFFh
		mov	esi, offset dword_6CF3C8
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_92186F
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_92186F:				; CODE XREF: MiMapViewOfDataSection+F9166j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [esp+88h+var_70]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	esi, 0C000009Ah
		jmp	short loc_9218CA
; 

loc_921886:				; CODE XREF: MiMapViewOfDataSection+81Bj
					; MiMapViewOfDataSection+823j
		mov	eax, [esp+88h+var_2C]
		mov	[ecx], edx
		mov	[ecx+4], eax
		jmp	loc_828F29
; 

loc_921894:				; CODE XREF: MiMapViewOfDataSection+665j
		mov	esi, 0C000009Ah
		jmp	short loc_9218CA
; 

loc_92189B:				; CODE XREF: MiMapViewOfDataSection+450j
		mov	eax, [ebx+1Ch]
		and	eax, 0FFFFFFDFh
		or	eax, 50h
		mov	[ebx+1Ch], eax
		mov	eax, [ebx+28h]
		or	eax, 1000000h
		mov	[ebx+28h], eax
		mov	eax, [esp+88h+var_54]
		mov	[esp+88h+var_68], eax
		jmp	loc_828B56
; 

loc_9218BF:				; CODE XREF: MiMapViewOfDataSection+930j
		mov	esi, 0C000012Dh
		jmp	short loc_9218CA
; 

loc_9218C6:				; CODE XREF: MiMapViewOfDataSection+46Fj
					; MiMapViewOfDataSection+49Bj
		mov	esi, [esp+88h+var_6C]

loc_9218CA:				; CODE XREF: MiMapViewOfDataSection+F9184j
					; MiMapViewOfDataSection+F9199j ...
		mov	eax, [esp+88h+var_58]
		test	eax, eax
		jz	loc_82900C
		mov	ecx, [esp+88h+var_70]
		mov	edx, eax
		call	MiUnlockVad
		jmp	loc_82900C
; 

loc_9218E6:				; CODE XREF: MiMapViewOfDataSection+8ABj
		mov	edx, [esp+88h+var_74]
		mov	ecx, edi
		push	0
		call	MiRemoveSharedCommitNode
		jmp	loc_828FB1
; 

loc_9218F8:				; CODE XREF: MiMapViewOfDataSection+4AFj
		mov	eax, [ebx+1Ch]
		and	eax, 0FFF7FFFFh
		or	eax, 40000h
		mov	[ebx+1Ch], eax
		inc	dword ptr [ecx+9Ch]
		jmp	loc_828BB5
; 

loc_921913:				; CODE XREF: MiMapViewOfDataSection+4BBj
		mov	edx, [esp+88h+var_74]
		push	ecx
		mov	ecx, eax
		call	_MiPreparePlaceholderVadReplacement@12 ; MiPreparePlaceholderVadReplacement(x,x,x)
		xor	edx, edx
		lea	ecx, [ebx+18h]
		call	ExAcquirePushLockExclusiveEx
		jmp	loc_828BCC
; 

loc_92192E:				; CODE XREF: MiMapViewOfDataSection+519j
		mov	edx, 425h
		mov	ecx, ebx
		call	_MiLogMapFileEvent@8 ; MiLogMapFileEvent(x,x)
		mov	eax, [ebp+arg_10]
		jmp	loc_828C1F
; 

loc_921942:				; CODE XREF: MiMapViewOfDataSection+718j
		cmp	eax, 1
		jz	loc_828CEA
		cmp	eax, 4
		jz	loc_828CEA
		mov	eax, 0C0000045h

loc_921959:				; CODE XREF: MiMapViewOfDataSection+603j
		mov	edi, eax

loc_92195B:				; CODE XREF: MiMapViewOfDataSection+958j
		mov	esi, [esp+88h+var_58]
		mov	ecx, ebx
		push	0
		mov	edx, esi
		call	MiUnmapVad
		test	esi, esi
		jz	short loc_92197B
		mov	edx, [esp+88h+var_4C]
		mov	ecx, esi
		push	1
		call	_MiFinishPlaceholderVadReplacement@12 ;	MiFinishPlaceholderVadReplacement(x,x,x)

loc_92197B:				; CODE XREF: MiMapViewOfDataSection+F926Cj
		mov	eax, edi
		jmp	loc_828C65
; 

loc_921982:				; CODE XREF: MiMapViewOfDataSection+624j
		call	_MiUnlockAndDereferenceNestedVad@4 ; MiUnlockAndDereferenceNestedVad(x)
		jmp	short loc_9219B5
; 

loc_921989:				; CODE XREF: MiMapViewOfDataSection+53Cj
		mov	ebx, [esp+88h+var_C]
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9219A1
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9219A1:				; CODE XREF: MiMapViewOfDataSection+F9298j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	edx, [esp+88h+var_74]
		mov	ecx, [esp+88h+var_70]
		call	UNLOCK_ADDRESS_SPACE_UNORDERED

loc_9219B5:				; CODE XREF: MiMapViewOfDataSection+F9287j
		mov	edx, [esp+88h+var_4C]
		mov	ecx, esi
		push	0
		call	_MiFinishPlaceholderVadReplacement@12 ;	MiFinishPlaceholderVadReplacement(x,x,x)
		jmp	loc_828C5A
; 

loc_9219C7:				; CODE XREF: MiMapViewOfDataSection+8D1j
		mov	edx, edi
		mov	ecx, ebx
		call	MiDereferenceExtendInfo
		jmp	loc_828FD7
; 

loc_9219D5:				; CODE XREF: MiMapViewOfDataSection+8DCj
		call	ObfDereferenceObject
		jmp	loc_828FE2
; 

loc_9219DF:				; CODE XREF: MiMapViewOfDataSection+8F7j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_828FFD
; END OF FUNCTION CHUNK	FOR MiMapViewOfDataSection
; 
; START	OF FUNCTION CHUNK FOR MmCleanProcessAddressSpace

loc_9219EC:				; CODE XREF: MmCleanProcessAddressSpace+DFj
		call	_MiWaitForVadDeletion@4	; MiWaitForVadDeletion(x)
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		mov	[ebp+var_8], 1
		jmp	loc_829197
; 

loc_921A04:				; CODE XREF: MmCleanProcessAddressSpace+11Dj
		call	MiUnlockVad
		mov	edx, edi
		mov	ecx, ebx
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	edx, esi
		mov	ecx, ebx
		call	_MiLockVad@8	; MiLockVad(x,x)
		mov	ecx, esi
		call	_MiCleanVad@4	; MiCleanVad(x)
		mov	esi, edi
		jmp	loc_829101
; 

loc_921A29:				; CODE XREF: MmCleanProcessAddressSpace+159j
		mov	esi, edi
		mov	ecx, ebx
		mov	edx, esi
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		jmp	loc_829101
; 

loc_921A39:				; CODE XREF: MmCleanProcessAddressSpace+172j
		mov	esi, 1
		jmp	loc_82921A
; 

loc_921A43:				; CODE XREF: MmCleanProcessAddressSpace+184j
		push	0
		push	0
		push	0
		push	0
		lea	eax, [ebp+var_28]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_82922A
; 

loc_921A59:				; CODE XREF: MmCleanProcessAddressSpace+194j
		call	_MiClearCommitReleaseState@4 ; MiClearCommitReleaseState(x)
		jmp	loc_82923A
; 

loc_921A63:				; CODE XREF: MmCleanProcessAddressSpace+1C8j
		call	_MiDeleteAweInfoPages@4	; MiDeleteAweInfoPages(x)
		test	eax, eax
		jz	loc_82926E
		mov	edx, eax
		mov	dword ptr [edi+35Ch], 0
		mov	ecx, edi
		call	_MiReturnProcessCommitment@8 ; MiReturnProcessCommitment(x,x)
		jmp	loc_82926E
; END OF FUNCTION CHUNK	FOR MmCleanProcessAddressSpace
; 
; START	OF FUNCTION CHUNK FOR MiAdvanceVadHint

loc_921A88:				; CODE XREF: MiAdvanceVadHint+36j
		mov	ebx, 1
		mov	esi, eax
		mov	[ebp+arg_0], ebx
		jmp	loc_82930C
; 

loc_921A97:				; CODE XREF: MiAdvanceVadHint+3Ej
		mov	ebx, 1
		lea	edx, [ecx-1]
		mov	[ebp+arg_0], ebx
		jmp	loc_829314
; END OF FUNCTION CHUNK	FOR MiAdvanceVadHint
; 
; START	OF FUNCTION CHUNK FOR NtMapViewOfSection

loc_921AA7:				; CODE XREF: NtMapViewOfSection+6Aj
		cmp	esi, 15h
		jbe	loc_829400
		mov	eax, 0C000000Dh
		jmp	loc_8294ED
; END OF FUNCTION CHUNK	FOR NtMapViewOfSection

;  S U B	R O U T	I N E 


sub_921ABA	proc near		; DATA XREF: .text:006A622Co
		mov	eax, 1
		retn
sub_921ABA	endp


;  S U B	R O U T	I N E 


sub_921AC0	proc near		; DATA XREF: .text:006A6230o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp+1Ch]
		jmp	loc_8294D6
sub_921AC0	endp

; 
; START	OF FUNCTION CHUNK FOR MiMapViewOfSectionCommon

loc_921AD2:				; CODE XREF: MiMapViewOfSectionCommon+69j
		mov	eax, 0C0000045h
		jmp	loc_8296EF
; 

loc_921ADC:				; CODE XREF: MiMapViewOfSectionCommon+F8j
		mov	edx, eax
		jmp	loc_82965E
; 

loc_921AE3:				; CODE XREF: MiMapViewOfSectionCommon+10Ej
		mov	edi, eax
		jmp	loc_829674
; 

loc_921AEA:				; CODE XREF: MiMapViewOfSectionCommon+13Cj
		mov	byte ptr [eax],	0
		jmp	loc_8296A2
; 

loc_921AF2:				; CODE XREF: MiMapViewOfSectionCommon+167j
		mov	edi, 0C000000Dh
		jmp	short loc_921B41
; 

loc_921AF9:				; CODE XREF: MiMapViewOfSectionCommon+175j
		mov	edi, 0C000000Dh
		jmp	short loc_921B41
; 

loc_921B00:				; CODE XREF: MiMapViewOfSectionCommon+187j
		mov	edi, 0C000000Dh
		jmp	short loc_921B41
; END OF FUNCTION CHUNK	FOR MiMapViewOfSectionCommon

;  S U B	R O U T	I N E 


sub_921B07	proc near		; DATA XREF: .text:006A624Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		mov	eax, large fs:124h
		mov	[ebp-24h], eax
		mov	eax, [ebp-24h]
		mov	al, [eax+15Ah]
		mov	[ebp-19h], al
		mov	cl, [ebp-19h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_921B07	endp


;  S U B	R O U T	I N E 


sub_921B31	proc near		; DATA XREF: .text:006A6250o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-28h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp+24h]
sub_921B31	endp

; START	OF FUNCTION CHUNK FOR MiMapViewOfSectionCommon

loc_921B41:				; CODE XREF: MiMapViewOfSectionCommon+F8597j
					; MiMapViewOfSectionCommon+F859Ej ...
		cmp	[ebp+arg_0], 0
		jnz	short loc_921B5C
		mov	ecx, [esi+14h]
		call	ObfDereferenceObject
		mov	edx, 77566D4Dh
		mov	ecx, [esi+18h]
		call	ObfDereferenceObjectWithTag

loc_921B5C:				; CODE XREF: MiMapViewOfSectionCommon+F85E5j
		mov	eax, edi
		jmp	loc_8296EF
; END OF FUNCTION CHUNK	FOR MiMapViewOfSectionCommon
; 
; START	OF FUNCTION CHUNK FOR MiInsertSharedCommitNode

loc_921B63:				; CODE XREF: MiInsertSharedCommitNode+E5j
		mov	ebx, 0C000009Ah
		jmp	loc_82992D
; 

loc_921B6D:				; CODE XREF: MiInsertSharedCommitNode+126j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_921B74:				; CODE XREF: MiInsertSharedCommitNode+183j
		mov	eax, [ebp+arg_0]
		mov	edx, ebx
		or	eax, 7
		mov	ecx, edi
		push	eax
		call	MiRemoveSharedCommitNode
		jmp	loc_829919
; 

loc_921B89:				; CODE XREF: MiInsertSharedCommitNode+1D4j
		nop
		lea	eax, [edi+70h]
		cmp	[eax], eax
		jz	loc_82996A
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_82996A
; END OF FUNCTION CHUNK	FOR MiInsertSharedCommitNode
; 
; START	OF FUNCTION CHUNK FOR MiRemoveSharedCommitNode

loc_921B9F:				; CODE XREF: MiRemoveSharedCommitNode+19Dj
					; MiRemoveSharedCommitNode+1A8j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_921BA6:				; CODE XREF: MiRemoveSharedCommitNode+121j
		nop
		lea	eax, [ebx+70h]
		cmp	[eax], eax
		jz	loc_829B67
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
		jmp	loc_829B67
; END OF FUNCTION CHUNK	FOR MiRemoveSharedCommitNode
; 
; START	OF FUNCTION CHUNK FOR MiMapParametersInitialize

loc_921BBC:				; CODE XREF: MiMapParametersInitialize+59j
		mov	eax, 0C000000Dh
		jmp	loc_829D4D
; 

loc_921BC6:				; CODE XREF: MiMapParametersInitialize+92j
		or	edx, 0FFFFFFFFh
		shr	edx, cl
		cmp	edx, eax
		jbe	loc_829D18
		mov	edx, eax
		jmp	loc_829D18
; END OF FUNCTION CHUNK	FOR MiMapParametersInitialize
; 
; START	OF FUNCTION CHUNK FOR MiSectionDelete

loc_921BDA:				; CODE XREF: MiSectionDelete+1Fj
		mov	eax, large fs:124h
		mov	[ebp+arg_0], eax
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6CF3C8
		call	ExAcquirePushLockExclusiveEx
		push	esi
		push	offset dword_6CF3C4
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		or	eax, 0FFFFFFFFh
		mov	ecx, offset dword_6CF3C8
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_921C1E
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset dword_6CF3C8

loc_921C1E:				; CODE XREF: MiSectionDelete+F7E92j
		call	KeAbPostRelease
		mov	ecx, [ebp+arg_0]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_829DA5
; 

loc_921C30:				; CODE XREF: MiSectionDelete+5Ej
		cmp	dword ptr [ebx+20h], 0
		jnz	loc_829DE4
		xor	edx, edx
		mov	ecx, esi
		call	_MiLogSectionObjectEvent@8 ; MiLogSectionObjectEvent(x,x)
		jmp	loc_829DE4
; END OF FUNCTION CHUNK	FOR MiSectionDelete
; 
; START	OF FUNCTION CHUNK FOR NtCreateSection

loc_921C48:				; CODE XREF: NtCreateSection+23j
		and	edx, 0FFFFFFE0h
		mov	[esp+18h+var_4], ecx
		mov	[esp+18h+var_C], ecx
		lea	esi, [esp+18h+var_10]
		dec	eax
		mov	[esp+18h+var_10], 2
		xor	ecx, ecx
		mov	[esp+18h+var_8], eax
		inc	ecx
		jmp	loc_829EF3
; END OF FUNCTION CHUNK	FOR NtCreateSection
; 
; START	OF FUNCTION CHUNK FOR MiCaptureSectionCreateExtendedParameters

loc_921C6C:				; CODE XREF: MiCaptureSectionCreateExtendedParameters+22j
		test	esi, esi
		jnz	short loc_921C7A
		mov	eax, 0C000000Dh
		jmp	loc_829F4B
; 

loc_921C7A:				; CODE XREF: MiCaptureSectionCreateExtendedParameters+F7D56j
		mov	eax, edx
		push	10h
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_24]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_829F4B
		xor	edi, edi
		and	[ebp+ms_exc.disabled], edi
		cmp	[ebp+arg_0], 0
		jz	short loc_921CA9
		push	8
		push	[ebp+var_24]
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_921CA9:				; CODE XREF: MiCaptureSectionCreateExtendedParameters+F7D84j
		mov	[ebp+var_28], esi
		mov	eax, [ebp+var_20]
		shl	eax, 4
		add	eax, esi
		mov	[ebp+var_20], eax
		push	0FFFFFFFEh
		pop	edx

loc_921CBA:				; CODE XREF: MiCaptureSectionCreateExtendedParameters+F7E1Ej
		cmp	esi, eax
		jnb	loc_921D48
		mov	ecx, [esi]
		and	ecx, 0FFh
		jz	short loc_921D38
		cmp	ecx, 3
		jnb	short loc_921D38
		cmp	dword ptr [esi+4], 0
		ja	short loc_921D38
		jb	short loc_921CE1
		cmp	dword ptr [esi], 100h
		jnb	short loc_921D38

loc_921CE1:				; CODE XREF: MiCaptureSectionCreateExtendedParameters+F7DBFj
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	al, 6
		jz	short loc_921D38
		test	eax, edi
		jnz	short loc_921D38
		bts	edi, ecx
		mov	[ebp+var_30], edi
		sub	ecx, 1
		jz	short loc_921D1A
		sub	ecx, 1
		jnz	short loc_921D38
		cmp	[esi+0Ch], ecx
		ja	short loc_921D38
		cmp	dword ptr [esi+8], 0FFFFFFFFh
		ja	short loc_921D38
		mov	eax, [esi+8]
		mov	[ebx+8], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_921D38
		inc	eax
		mov	[ebx+8], eax
		jmp	short loc_921D2D
; 

loc_921D1A:				; CODE XREF: MiCaptureSectionCreateExtendedParameters+F7DDFj
		mov	ecx, [esi+8]
		and	ecx, edx
		or	ecx, [esi+0Ch]
		jnz	short loc_921D38
		mov	byte ptr [ebx],	1
		mov	eax, [esi+8]
		mov	[ebx+4], eax

loc_921D2D:				; CODE XREF: MiCaptureSectionCreateExtendedParameters+F7E00j
		add	esi, 10h
		mov	[ebp+var_28], esi
		mov	eax, [ebp+var_20]
		jmp	short loc_921CBA
; 

loc_921D38:				; CODE XREF: MiCaptureSectionCreateExtendedParameters+F7DB2j
					; MiCaptureSectionCreateExtendedParameters+F7DB7j ...
		mov	eax, 0C000000Dh
		mov	[ebp+var_1C], eax
		mov	[ebp+ms_exc.disabled], edx
		jmp	loc_829F4B
; 

loc_921D48:				; CODE XREF: MiCaptureSectionCreateExtendedParameters+F7DA4j
		mov	[ebp+ms_exc.disabled], edx
		mov	[ebx+0Ch], edi
		xor	eax, eax
		jmp	loc_829F4B
; END OF FUNCTION CHUNK	FOR MiCaptureSectionCreateExtendedParameters

;  S U B	R O U T	I N E 


sub_921D55	proc near		; DATA XREF: .text:006A626Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_921D55	endp


;  S U B	R O U T	I N E 


sub_921D65	proc near		; DATA XREF: .text:006A6270o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-2Ch]
		mov	[ebp-1Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_829F4B
sub_921D65	endp

; 
; START	OF FUNCTION CHUNK FOR MiCreateSectionCommon

loc_921D7A:				; CODE XREF: MiCreateSectionCommon+85j
		mov	ecx, 1
		jmp	loc_829FEB
; 

loc_921D84:				; CODE XREF: MiCreateSectionCommon+92j
		test	ecx, ecx
		jnz	loc_829FF8
		mov	ecx, 1
		jmp	loc_829FFA
; 

loc_921D96:				; CODE XREF: MiCreateSectionCommon+11Cj
		mov	ecx, eax
		jmp	loc_82A082
; END OF FUNCTION CHUNK	FOR MiCreateSectionCommon

;  S U B	R O U T	I N E 


sub_921D9D	proc near		; DATA XREF: .text:006A628Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		mov	eax, 1
		retn
sub_921D9D	endp


;  S U B	R O U T	I N E 


sub_921DAD	proc near		; DATA XREF: .text:006A6290o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_82A1AC
sub_921DAD	endp

; 
; START	OF FUNCTION CHUNK FOR MiCreateSectionCommon

loc_921DBF:				; CODE XREF: MiCreateSectionCommon+13Cj
		mov	byte ptr [ebp+arg_4], bl
		jmp	loc_82A0A6
; 

loc_921DC7:				; CODE XREF: MiCreateSectionCommon+1CEj
		push	offset _MiHalfSecond
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	eax, [ebp+arg_4]
		jmp	loc_82A100
; END OF FUNCTION CHUNK	FOR MiCreateSectionCommon

;  S U B	R O U T	I N E 


sub_921DDD	proc near		; DATA XREF: .text:006A6298o
		mov	eax, 1
		retn
sub_921DDD	endp


;  S U B	R O U T	I N E 


sub_921DE3	proc near		; DATA XREF: .text:006A629Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp+0Ch]
		jmp	loc_82A1AA
sub_921DE3	endp

; 
; START	OF FUNCTION CHUNK FOR MiCreateSectionCommon

loc_921DF5:				; CODE XREF: MiCreateSectionCommon+EBj
		mov	eax, 0C0000045h
		jmp	loc_82A1AC
; END OF FUNCTION CHUNK	FOR MiCreateSectionCommon
; 
; START	OF FUNCTION CHUNK FOR MiCreateImageOrDataSection

loc_921DFF:				; CODE XREF: MiCreateImageOrDataSection+32j
					; MiCreateImageOrDataSection+41j ...
		mov	eax, 0C00000F4h
		jmp	loc_82A3E2
; 

loc_921E09:				; CODE XREF: MiCreateImageOrDataSection+1C3j
		test	byte ptr [esi],	1
		jnz	short loc_921DFF
		mov	eax, [esi+60h]
		or	eax, [esi+64h]
		jz	loc_82A3F9
		mov	eax, 0C00000F2h
		jmp	loc_82A3E2
; 

loc_921E24:				; CODE XREF: MiCreateImageOrDataSection+1CEj
		mov	eax, 0C0000020h
		jmp	loc_82A3E2
; 

loc_921E2E:				; CODE XREF: MiCreateImageOrDataSection+1D9j
		test	dword ptr [edx+0Ch], 200h
		jz	loc_82A40F
		mov	byte ptr [esi+2Ch], 0
		mov	eax, [ebx+14h]
		jmp	loc_82A40F
; 

loc_921E47:				; CODE XREF: MiCreateImageOrDataSection+1E1j
		add	eax, 8
		jmp	loc_82A417
; 

loc_921E4F:				; CODE XREF: MiCreateImageOrDataSection+21Ej
		mov	eax, [edx+8]
		mov	[ebp+var_8], eax
		mov	edi, [eax]
		jmp	short loc_921E64
; 

loc_921E59:				; CODE XREF: MiCreateImageOrDataSection+23Ej
		or	edi, [ebp+var_1C]
		jnz	loc_82A474
		mov	edi, [edx]

loc_921E64:				; CODE XREF: MiCreateImageOrDataSection+F7C27j
		or	edx, 0FFFFFFFFh
		add	edi, 10h
		or	eax, edx
		nop
		or	ebx, edx
		or	ecx, edx
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_C]
		mov	[esi+4Ch], edx
		mov	edx, [ebp+var_8]
		mov	[esi+48h], eax
		mov	eax, [ebp+var_4]
		jmp	loc_82A474
; 

loc_921E89:				; CODE XREF: MiCreateImageOrDataSection+A5j
		mov	[ebp+var_4], 0C0000020h
		jmp	loc_82A3D6
; 

loc_921E95:				; CODE XREF: MiCreateImageOrDataSection+BEj
		mov	[ebp+var_58], 0
		jmp	loc_82A2F7
; 

loc_921EA1:				; CODE XREF: MiCreateImageOrDataSection+E8j
		mov	[ebp+var_4], 0C0000022h
		mov	edi, 2
		jmp	loc_82A3D6
; 

loc_921EB2:				; CODE XREF: MiCreateImageOrDataSection+355j
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	edi, 2

loc_921EBE:				; CODE XREF: MiCreateImageOrDataSection+199j
					; MiCreateImageOrDataSection+2D3j
		test	byte ptr [esi],	1
		jnz	short loc_921ECA
		mov	ecx, ebx
		call	CcWaitForUninitializeCacheMap

loc_921ECA:				; CODE XREF: MiCreateImageOrDataSection+F7C91j
		mov	edx, [ebp+var_20]
		mov	ecx, [ebx+14h]
		call	MiForceSectionClosed
		test	eax, eax
		jz	loc_82A3CF
		cmp	eax, 1
		jz	loc_82A3CF
		test	dword ptr [esi], 1000000h
		jz	loc_82A3CF
		inc	dword_6D3020
		mov	esi, 0C000060Bh
		mov	[ebp+var_4], esi
		jmp	loc_82A3D2
; 

loc_921F05:				; CODE XREF: MiCreateImageOrDataSection+344j
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	edi, 2
		jmp	loc_82A3D6
; 

loc_921F16:				; CODE XREF: MiCreateImageOrDataSection+2DAj
		mov	eax, [eax]
		mov	[ebp+var_8], eax
		mov	[esi+28h], eax
		jmp	loc_82A510
; 

loc_921F23:				; CODE XREF: MiCreateImageOrDataSection+2F7j
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		lea	esi, [eax+348h]

loc_921F2E:				; CODE XREF: MiCreateImageOrDataSection+F7D19j
					; MiCreateImageOrDataSection+F7D1Ej
		mov	edi, [esi]
		mov	ebx, edi
		mov	edx, [esi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_10], edx
		adc	ecx, 0
		mov	eax, edi
		nop
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, edi
		jnz	short loc_921F2E
		cmp	edx, [ebp+var_10]
		jnz	short loc_921F2E
		mov	ecx, [ebp+var_8]
		mov	edx, 1
		call	_MiDereferenceControlAreaBySection@8 ; MiDereferenceControlAreaBySection(x,x)
		mov	esi, [ebp+var_18]
		mov	ebx, [ebp+var_C]
		mov	edi, [ebp+var_1C]
		jmp	loc_82A543
; 

loc_921F6B:				; CODE XREF: MiCreateImageOrDataSection+189j
		mov	ecx, esi
		call	MiDereferenceFailedControlArea
		mov	eax, [ebp+var_4]
		mov	edi, 2
		jmp	loc_82A3C4
; 

loc_921F7F:				; CODE XREF: MiCreateImageOrDataSection+130j
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, [ebp+var_4]
		mov	edi, 2
		jmp	loc_82A3C4
; END OF FUNCTION CHUNK	FOR MiCreateImageOrDataSection
; 
; START	OF FUNCTION CHUNK FOR MiCreateSection

loc_921F93:				; CODE XREF: MiCreateSection+90j
					; MiCreateSection+9Cj
		mov	ecx, [esp+0B0h+var_14]
		test	ecx, ecx
		jz	short loc_921FA3
		call	PsDereferencePartition

loc_921FA3:				; CODE XREF: MiCreateSection+F79FCj
		mov	esi, [esp+0B0h+var_88]
		lea	eax, [esp+0B0h+var_88]
		push	88h		; size_t
		push	0		; int
		push	eax		; void *
		shr	esi, 19h
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esp+0B0h+var_88]
		mov	edx, ebx
		push	[ebp+arg_2C]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	MiInitializeCreateSectionPacket
		and	esi, 1
		mov	edi, eax
		shl	esi, 19h
		test	edi, edi
		jns	loc_82A610
		jmp	loc_82A6FA
; 

loc_922002:				; CODE XREF: MiCreateSection+12Ej
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	loc_82A6FA
; 

loc_92200E:				; CODE XREF: MiCreateSection+154j
		cmp	dword ptr [esi+20h], 0
		jnz	loc_82A6FA
		mov	edx, 1
		mov	ecx, ebx
		call	_MiLogSectionObjectEvent@8 ; MiLogSectionObjectEvent(x,x)
		jmp	loc_82A6FA
; END OF FUNCTION CHUNK	FOR MiCreateSection
; 
; START	OF FUNCTION CHUNK FOR MiInitializeCreateSectionPacket

loc_922029:				; CODE XREF: MiInitializeCreateSectionPacket+15Fj
		mov	eax, 0C0000427h
		jmp	loc_82A854
; 

loc_922033:				; CODE XREF: MiInitializeCreateSectionPacket+80j
		or	dword ptr [esi], 200h
		and	ebx, 0FFEFFFFFh
		jmp	loc_82A7C6
; 

loc_922044:				; CODE XREF: MiInitializeCreateSectionPacket+1BEj
		mov	[esi+74h], ecx
		jmp	loc_82A909
; 

loc_92204C:				; CODE XREF: MiInitializeCreateSectionPacket+11Ej
		or	dword ptr [esi], 80000h
		jmp	loc_82A864
; 

loc_922057:				; CODE XREF: MiInitializeCreateSectionPacket+224j
		or	eax, 80000h
		mov	[esi], eax
		jmp	loc_82A811
; 

loc_922063:				; CODE XREF: MiInitializeCreateSectionPacket+14Ej
		or	eax, 80000h
		mov	[esi], eax
		jmp	loc_82A811
; 

loc_92206F:				; CODE XREF: MiInitializeCreateSectionPacket+BFj
		or	dword ptr [esi+14h], 200h
		jmp	loc_82A811
; 

loc_92207B:				; CODE XREF: MiInitializeCreateSectionPacket+E2j
					; MiInitializeCreateSectionPacket+168j
		mov	eax, 0C0000045h
		jmp	loc_82A854
; 

loc_922085:				; CODE XREF: MiInitializeCreateSectionPacket+10j
					; MiInitializeCreateSectionPacket+109j	...
		mov	eax, 0C000000Dh
		jmp	loc_82A854
; END OF FUNCTION CHUNK	FOR MiInitializeCreateSectionPacket
; 
; START	OF FUNCTION CHUNK FOR MiFinishCreateSection

loc_92208F:				; CODE XREF: MiFinishCreateSection+1BDj
		lock dec dword ptr [esi]
		mov	ecx, [ebx+24h]
		call	ObfDereferenceObject
		mov	ecx, ebx
		call	MiDereferenceFailedControlArea
		mov	eax, 0C0000024h
		jmp	loc_82AB0C
; 

loc_9220AB:				; CODE XREF: MiFinishCreateSection+1EEj
		mov	edx, [ebx+54h]
		mov	ecx, edi
		shr	edx, 0Ch
		and	edx, 7FFFFh
		call	_MiDereferencePerSessionProtos@8 ; MiDereferencePerSessionProtos(x,x)
		jmp	loc_82ABA4
; 

loc_9220C3:				; CODE XREF: MiFinishCreateSection+150j
		or	edx, 40h
		mov	[eax+20h], edx
		mov	ecx, [eax+1Ch]
		mov	edi, [eax+18h]
		mov	eax, dword_6CF3D4
		cdq
		cmp	ecx, edx
		jb	short loc_9220F1
		ja	short loc_9220DF
		cmp	edi, eax
		jbe	short loc_9220F1

loc_9220DF:				; CODE XREF: MiFinishCreateSection+F7729j
		mov	ecx, [ebp+var_8]
		call	ObfDereferenceObject
		mov	eax, 0C0000017h
		jmp	loc_82AB0C
; 

loc_9220F1:				; CODE XREF: MiFinishCreateSection+F7727j
					; MiFinishCreateSection+F772Dj
		mov	eax, large fs:124h
		mov	[ebp+var_10], eax
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6CF3C8
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [ebp+var_14]
		mov	edx, edi
		push	eax
		mov	eax, dword_6CF3D4
		mov	ecx, offset dword_6CF3C4
		push	eax
		push	10000h
		push	0
		push	10000h
		call	MiFindEmptyAddressRangeDownTree
		mov	[ebp+var_C], eax
		test	eax, eax
		jns	short loc_922171
		or	edx, 0FFFFFFFFh
		mov	esi, offset dword_6CF3C8
		lock xadd [esi], edx
		and	dl, 6
		cmp	dl, 2
		jnz	short loc_922152
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_922152:				; CODE XREF: MiFinishCreateSection+F7799j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_10]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, [ebp+var_8]
		call	ObfDereferenceObject
		mov	eax, [ebp+var_C]
		jmp	loc_82AB0C
; 

loc_922171:				; CODE XREF: MiFinishCreateSection+F7785j
		mov	ecx, [ebp+var_14]
		lea	eax, [edi+0FFFh]
		shr	ecx, 0Ch
		mov	[esi], ecx
		dec	ecx
		shr	eax, 0Ch
		add	eax, ecx
		mov	byte ptr [ebp+var_C], 0
		mov	ecx, [ebp+var_8]
		mov	[ecx+10h], eax
		mov	eax, dword_6CF3C4
		mov	esi, [esi]
		test	eax, eax
		jz	short loc_9221AD

loc_92219A:				; CODE XREF: MiFinishCreateSection+F784Bj
		cmp	esi, [eax+10h]
		ja	short loc_9221EC
		cmp	esi, [eax+0Ch]
		jnb	short loc_9221EC
		mov	edx, [eax]
		test	edx, edx
		jnz	short loc_9221F9
		mov	byte ptr [ebp+var_C], dl

loc_9221AD:				; CODE XREF: MiFinishCreateSection+F77E8j
					; MiFinishCreateSection+F7847j
		push	ecx
		push	[ebp+var_C]
		push	eax
		push	offset dword_6CF3C4
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		or	eax, 0FFFFFFFFh
		mov	esi, offset dword_6CF3C8
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9221D5
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9221D5:				; CODE XREF: MiFinishCreateSection+F781Cj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_10]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_8]
		jmp	loc_82AB06
; 

loc_9221EC:				; CODE XREF: MiFinishCreateSection+F77EDj
					; MiFinishCreateSection+F77F2j
		mov	edx, [eax+4]
		test	edx, edx
		jnz	short loc_9221F9
		mov	byte ptr [ebp+var_C], 1
		jmp	short loc_9221AD
; 

loc_9221F9:				; CODE XREF: MiFinishCreateSection+F77F8j
					; MiFinishCreateSection+F7841j
		mov	eax, edx
		jmp	short loc_92219A
; END OF FUNCTION CHUNK	FOR MiFinishCreateSection
; 
; START	OF FUNCTION CHUNK FOR NtCreateEvent

loc_9221FD:				; CODE XREF: NtCreateEvent+6Dj
		mov	ecx, eax
		jmp	loc_82AC93
; END OF FUNCTION CHUNK	FOR NtCreateEvent

;  S U B	R O U T	I N E 


sub_922204	proc near		; DATA XREF: .text:006A62B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		mov	eax, 1
		retn
sub_922204	endp


;  S U B	R O U T	I N E 


sub_922214	proc near		; DATA XREF: .text:006A62B8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_82AD19
sub_922214	endp


;  S U B	R O U T	I N E 


sub_922226	proc near		; DATA XREF: .text:006A62C0o
		mov	eax, 1
		retn
sub_922226	endp


;  S U B	R O U T	I N E 


sub_92222C	proc near		; DATA XREF: .text:006A62C4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp+8]
		jmp	loc_82AD17
sub_92222C	endp

; 
; START	OF FUNCTION CHUNK FOR ObCreateObjectEx

loc_92223E:				; CODE XREF: ObCreateObjectEx+1A8j
		mov	eax, 0C000009Ah
		jmp	loc_82B7C5
; 

loc_922248:				; CODE XREF: ObCreateObjectEx+7Bj
		mov	eax, large fs:20h
		mov	edi, [eax+5C0h]
		mov	cx, [edi+4]
		inc	dword ptr [edi+14h]
		cmp	cx, [edi+8]
		jb	short loc_922282
		inc	dword ptr [edi+18h]
		mov	edi, [eax+5C4h]
		mov	ax, [edi+4]
		inc	dword ptr [edi+14h]
		cmp	ax, [edi+8]
		jb	short loc_922282
		mov	eax, [edi+2Ch]
		inc	dword ptr [edi+18h]
		push	esi
		call	eax
		jmp	short loc_92228B
; 

loc_922282:				; CODE XREF: ObCreateObjectEx+F6B7Fj
					; ObCreateObjectEx+F6B95j
		mov	edx, esi
		mov	ecx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_92228B:				; CODE XREF: ObCreateObjectEx+F6BA0j
		mov	eax, [esp+30h+var_24]
		jmp	loc_82B7C5
; 

loc_922294:				; CODE XREF: ObCreateObjectEx+86j
		mov	edi, 0C000000Dh
		jmp	loc_82B7EC
; 

loc_92229E:				; CODE XREF: ObCreateObjectEx+D5j
		mov	ecx, esi
		call	_ObpRegisterObject@4 ; ObpRegisterObject(x)
		push	746C6644h
		push	1
		mov	dl, 1
		mov	ecx, esi
		call	_ObpPushStackInfo@16 ; ObpPushStackInfo(x,x,x,x)
		jmp	loc_82B7BB
; END OF FUNCTION CHUNK	FOR ObCreateObjectEx
; 
; START	OF FUNCTION CHUNK FOR SeDefaultObjectMethod

loc_9222BA:				; CODE XREF: SeDefaultObjectMethod:loc_82C110j
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_82C116
; 

loc_9222C6:				; CODE XREF: SeDefaultObjectMethod+124j
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_82C1D7
; 

loc_9222D2:				; CODE XREF: SeDefaultObjectMethod+Ej
		push	0		; default
		push	0
		push	0C000000Dh
		push	0
		push	29h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_9222E5:				; CODE XREF: ObLogSecurityDescriptor+DAj
		mov	eax, 0C000009Ah
		jmp	loc_82C3CC
; END OF FUNCTION CHUNK	FOR SeDefaultObjectMethod
; 
; START	OF FUNCTION CHUNK FOR SeCaptureSecurityDescriptor

loc_9222EF:				; CODE XREF: SeCaptureSecurityDescriptor+6Ej
		mov	eax, [ebp+arg_10]
		mov	[eax], ebx
		xor	eax, eax
		jmp	loc_82CB63
; 

loc_9222FB:				; CODE XREF: SeCaptureSecurityDescriptor+5AEj
		mov	eax, [ebp+arg_10]
		mov	[eax], edx
		xor	eax, eax
		jmp	loc_82CB63
; 

loc_922307:				; CODE XREF: SeCaptureSecurityDescriptor+94j
		mov	ecx, eax
		jmp	loc_82C6AA
; END OF FUNCTION CHUNK	FOR SeCaptureSecurityDescriptor

;  S U B	R O U T	I N E 


sub_92230E	proc near		; DATA XREF: .text:006A6384o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-74h], eax
		mov	eax, 1
		retn
sub_92230E	endp


;  S U B	R O U T	I N E 


sub_92231E	proc near		; DATA XREF: .text:006A6388o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-74h]
		jmp	loc_82CB63
sub_92231E	endp

; 
; START	OF FUNCTION CHUNK FOR SeCaptureSecurityDescriptor

loc_922330:				; CODE XREF: SeCaptureSecurityDescriptor+EEj
		mov	eax, 0C0000058h
		jmp	loc_82CB63
; 

loc_92233A:				; CODE XREF: SeCaptureSecurityDescriptor+59Dj
		xor	esi, esi
		jmp	loc_82C76E
; 

loc_922341:				; CODE XREF: SeCaptureSecurityDescriptor+641j
		mov	ecx, eax
		jmp	loc_82CC57
; 

loc_922348:				; CODE XREF: SeCaptureSecurityDescriptor+679j
					; SeCaptureSecurityDescriptor+681j
		mov	byte ptr [esi],	0
		jmp	loc_82CC97
; 

loc_922350:				; CODE XREF: SeCaptureSecurityDescriptor+656j
		mov	eax, [ebp+var_34]
		mov	[ebp+arg_C], eax
		jmp	loc_82CC9A
; END OF FUNCTION CHUNK	FOR SeCaptureSecurityDescriptor

;  S U B	R O U T	I N E 


sub_92235B	proc near		; DATA XREF: .text:006A639Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-78h], eax
		mov	eax, 1
		retn
sub_92235B	endp


;  S U B	R O U T	I N E 


sub_92236B	proc near		; DATA XREF: .text:006A63A0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-78h]
		jmp	loc_82CB63
sub_92236B	endp

; 
; START	OF FUNCTION CHUNK FOR SeCaptureSecurityDescriptor

loc_92237D:				; CODE XREF: SeCaptureSecurityDescriptor+1CFj
		mov	esi, eax
		jmp	loc_82C7E5
; 

loc_922384:				; CODE XREF: SeCaptureSecurityDescriptor+205j
					; SeCaptureSecurityDescriptor+20Dj
		mov	byte ptr [ecx],	0
		jmp	loc_82C823
; 

loc_92238C:				; CODE XREF: SeCaptureSecurityDescriptor+1E4j
		mov	esi, [ebp+var_30]
		mov	[ebp+var_1C], esi
		jmp	loc_82C823
; END OF FUNCTION CHUNK	FOR SeCaptureSecurityDescriptor

;  S U B	R O U T	I N E 


sub_922397	proc near		; DATA XREF: .text:006A63A8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-7Ch], eax
		mov	eax, 1
		retn
sub_922397	endp


;  S U B	R O U T	I N E 


sub_9223A7	proc near		; DATA XREF: .text:006A63ACo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-7Ch]
		jmp	loc_82CB63
sub_9223A7	endp

; 
; START	OF FUNCTION CHUNK FOR SeCaptureSecurityDescriptor

loc_9223B9:				; CODE XREF: SeCaptureSecurityDescriptor+256j
					; SeCaptureSecurityDescriptor+25Fj ...
		mov	eax, 0C0000077h
		jmp	loc_82CB63
; 

loc_9223C3:				; CODE XREF: SeCaptureSecurityDescriptor+28Aj
		mov	edx, eax
		jmp	loc_82C8A0
; 

loc_9223CA:				; CODE XREF: SeCaptureSecurityDescriptor+2CBj
					; SeCaptureSecurityDescriptor+2D3j
		mov	byte ptr [esi],	0
		jmp	loc_82C8E9
; 

loc_9223D2:				; CODE XREF: SeCaptureSecurityDescriptor+2ABj
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_20], eax
		jmp	loc_82C8E9
; END OF FUNCTION CHUNK	FOR SeCaptureSecurityDescriptor

;  S U B	R O U T	I N E 


sub_9223DD	proc near		; DATA XREF: .text:006A63B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-80h], eax
		mov	eax, 1
		retn
sub_9223DD	endp


;  S U B	R O U T	I N E 


sub_9223ED	proc near		; DATA XREF: .text:006A63B8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-80h]
		jmp	loc_82CB63
sub_9223ED	endp

; 
; START	OF FUNCTION CHUNK FOR SeCaptureSecurityDescriptor

loc_9223FF:				; CODE XREF: SeCaptureSecurityDescriptor+335j
		mov	edi, eax
		jmp	loc_82C94B
; 

loc_922406:				; CODE XREF: SeCaptureSecurityDescriptor+376j
					; SeCaptureSecurityDescriptor+37Ej
		mov	byte ptr [ecx],	0
		jmp	loc_82C994
; 

loc_92240E:				; CODE XREF: SeCaptureSecurityDescriptor+356j
		mov	eax, [ebp+var_38]
		mov	[ebp+var_28], eax
		jmp	loc_82C994
; END OF FUNCTION CHUNK	FOR SeCaptureSecurityDescriptor

;  S U B	R O U T	I N E 


sub_922419	proc near		; DATA XREF: .text:006A63C0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-84h], eax
		mov	eax, 1
		retn
sub_922419	endp


;  S U B	R O U T	I N E 


sub_92242C	proc near		; DATA XREF: .text:006A63C4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-84h]
		jmp	loc_82CB63
sub_92242C	endp

; 
; START	OF FUNCTION CHUNK FOR SeCaptureSecurityDescriptor

loc_922441:				; CODE XREF: SeCaptureSecurityDescriptor+3E3j
		mov	eax, 0C000009Ah
		jmp	loc_82CB63
; END OF FUNCTION CHUNK	FOR SeCaptureSecurityDescriptor

;  S U B	R O U T	I N E 


sub_92244B	proc near		; DATA XREF: .text:006A63CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-8Ch], eax
		mov	eax, 1
		retn
sub_92244B	endp


;  S U B	R O U T	I N E 


sub_92245E	proc near		; DATA XREF: .text:006A63D0o
		mov	esp, [ebp-18h]
		push	0
		push	dword ptr [ebp+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-8Ch]
		jmp	loc_82CB63
sub_92245E	endp


;  S U B	R O U T	I N E 


sub_92247D	proc near		; DATA XREF: .text:006A63D8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-90h], eax
		mov	eax, 1
		retn
sub_92247D	endp


;  S U B	R O U T	I N E 


sub_922490	proc near		; DATA XREF: .text:006A63DCo
		mov	esp, [ebp-18h]
		push	0
		push	dword ptr [ebp+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-90h]
		jmp	loc_82CB63
sub_922490	endp


;  S U B	R O U T	I N E 


sub_9224AF	proc near		; DATA XREF: .text:006A63E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-94h], eax
		mov	eax, 1
		retn
sub_9224AF	endp


;  S U B	R O U T	I N E 


sub_9224C2	proc near		; DATA XREF: .text:006A63E8o
		mov	esp, [ebp-18h]
		push	0
		push	dword ptr [ebp+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-94h]
		jmp	loc_82CB63
sub_9224C2	endp


;  S U B	R O U T	I N E 


sub_9224E1	proc near		; DATA XREF: .text:006A63F0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-98h], eax
		mov	eax, 1
		retn
sub_9224E1	endp


;  S U B	R O U T	I N E 


sub_9224F4	proc near		; DATA XREF: .text:006A63F4o
		mov	esp, [ebp-18h]
		push	0
		push	dword ptr [ebp+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-98h]
		jmp	loc_82CB63
sub_9224F4	endp

; 

loc_922513:				; DATA XREF: .text:006A6390o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-9Ch], eax
		mov	eax, 1
		retn
; 

loc_922526:				; DATA XREF: .text:006A6394o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-9Ch]
		jmp	loc_82CB63
; 
; START	OF FUNCTION CHUNK FOR SepCreateImpersonationTokenDacl

loc_92253B:				; CODE XREF: SepCreateImpersonationTokenDacl+AAj
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 0
		mov	eax, 0C000009Ah
		jmp	loc_82CFDB
; END OF FUNCTION CHUNK	FOR SepCreateImpersonationTokenDacl
; 
; START	OF FUNCTION CHUNK FOR RtlpAddKnownAce

loc_92254E:				; CODE XREF: RtlpAddKnownAce+5Aj
		cmp	bh, 2
		jnz	short loc_92255A
		and	eax, 0FFFFFF3Fh
		jmp	short loc_922561
; 

loc_92255A:				; CODE XREF: RtlpAddKnownAce+F54C1j
		test	bh, bh
		jnz	short loc_922561
		and	eax, 0FFFFFFDFh

loc_922561:				; CODE XREF: RtlpAddKnownAce+F54C8j
					; RtlpAddKnownAce+F54CCj
		test	eax, eax
		jz	loc_82D0F0
		mov	eax, 0C000000Dh
		jmp	loc_82D18D
; 

loc_922573:				; CODE XREF: RtlpAddKnownAce+68j
					; RtlpAddKnownAce+89j
		mov	eax, 0C0000077h
		jmp	loc_82D18D
; 

loc_92257D:				; CODE XREF: RtlpAddKnownAce+3Cj
					; RtlpAddKnownAce+45j
		mov	eax, 0C0000059h
		jmp	loc_82D18D
; END OF FUNCTION CHUNK	FOR RtlpAddKnownAce
; 
; START	OF FUNCTION CHUNK FOR RtlValidAcl

loc_922587:				; CODE XREF: RtlValidAcl+F6j
		cmp	dl, 0Dh
		jb	loc_82D2AC
		jmp	loc_82D23C
; 

loc_922595:				; CODE XREF: RtlValidAcl+10Ej
		cmp	byte ptr [edi],	3
		jb	loc_82D2F6
		mov	ecx, esi
		call	_RtlpValidCompoundAce@4	; RtlpValidCompoundAce(x)
		test	al, al
		jz	loc_82D2F6
		jmp	loc_82D278
; 

loc_9225B2:				; CODE XREF: RtlValidAcl+117j
		cmp	dl, 5
		jb	loc_82D2CD
		jmp	short loc_9225C6
; 

loc_9225BD:				; CODE XREF: RtlValidAcl+120j
		cmp	dl, 0Bh
		jb	loc_82D2D6

loc_9225C6:				; CODE XREF: RtlValidAcl+12Cj
					; RtlValidAcl+F540Bj
		cmp	byte ptr [edi],	4
		jb	loc_82D2F6
		mov	ecx, esi
		call	_RtlpValidObjectAce@4 ;	RtlpValidObjectAce(x)
		test	al, al
		jz	loc_82D2F6
		jmp	loc_82D278
; 

loc_9225E3:				; CODE XREF: RtlValidAcl+135j
		cmp	dl, 15h
		jnz	short loc_9225FC
		mov	ecx, esi
		call	_RtlpValidAccessFilterAce@4 ; RtlpValidAccessFilterAce(x)
		test	al, al
		jz	loc_82D2F6
		jmp	loc_82D278
; 

loc_9225FC:				; CODE XREF: RtlValidAcl+F5436j
		cmp	word ptr [ebp+arg_0], 4
		jb	loc_82D2F6
		jmp	loc_82D278
; END OF FUNCTION CHUNK	FOR RtlValidAcl
; 
; START	OF FUNCTION CHUNK FOR NtOpenThreadTokenEx

loc_92260C:				; CODE XREF: NtOpenThreadTokenEx+C1j
		mov	ecx, edx
		jmp	loc_82D417
; END OF FUNCTION CHUNK	FOR NtOpenThreadTokenEx

;  S U B	R O U T	I N E 


sub_922613	proc near		; DATA XREF: .text:006A642Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		mov	eax, 1
		retn
sub_922613	endp


;  S U B	R O U T	I N E 


sub_922623	proc near		; DATA XREF: .text:006A6430o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-40h]
		jmp	loc_82D487
sub_922623	endp

; 
; START	OF FUNCTION CHUNK FOR NtOpenThreadTokenEx

loc_922635:				; CODE XREF: NtOpenThreadTokenEx+14Fj
		call	ObfDereferenceObject
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, 0C00000A6h
		jmp	loc_82D487
; 

loc_92264B:				; CODE XREF: NtOpenThreadTokenEx+213j
		mov	[ebp+var_70], 0
		jmp	loc_82D56F
; END OF FUNCTION CHUNK	FOR NtOpenThreadTokenEx

;  S U B	R O U T	I N E 


sub_922657	proc near		; DATA XREF: .text:006A6438o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		mov	eax, 1
		retn
sub_922657	endp


;  S U B	R O U T	I N E 


sub_922667	proc near		; DATA XREF: .text:006A643Co
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-48h]
		jmp	loc_82D487
sub_922667	endp

; 
; START	OF FUNCTION CHUNK FOR PsRestoreImpersonation

loc_922679:				; CODE XREF: PsRestoreImpersonation+35j
		xor	esi, esi
		jmp	loc_82D7D2
; 

loc_922680:				; CODE XREF: PsRestoreImpersonation+7Aj
		mov	eax, [edi+2C8h]
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_10], eax
		mov	eax, [edi+368h]
		mov	[ebp+var_14], eax
		jmp	loc_82D7F0
; 

loc_92269A:				; CODE XREF: PsRestoreImpersonation+BEj
		call	ObfDereferenceObject
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_9226AD
		mov	ecx, eax
		call	ObfDereferenceObject

loc_9226AD:				; CODE XREF: PsRestoreImpersonation+F4F34j
		test	bl, bl
		jz	loc_82D834
		mov	edx, esi
		mov	ecx, edi
		call	PspWriteTebImpersonationInfo
		jmp	loc_82D834
; END OF FUNCTION CHUNK	FOR PsRestoreImpersonation
; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_9226C3:				; CODE XREF: NtQueryInformationThread+106j
					; NtQueryInformationThread+10Ej
		mov	byte ptr [ecx],	0
		jmp	loc_82D994
; 

loc_9226CB:				; CODE XREF: NtQueryInformationThread+4E5j
		mov	ecx, eax
		jmp	loc_82DD6B
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_9226D2	proc near		; DATA XREF: .text:006A6454o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0ECh], eax
		mov	eax, 1
		retn
sub_9226D2	endp


;  S U B	R O U T	I N E 


sub_9226E5	proc near		; DATA XREF: .text:006A6458o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0ECh]
		jmp	loc_82DA88
sub_9226E5	endp


;  S U B	R O U T	I N E 


sub_9226FA	proc near		; DATA XREF: .text:006A6460o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-110h], eax
		mov	eax, 1
		retn
sub_9226FA	endp


;  S U B	R O U T	I N E 


sub_92270D	proc near		; DATA XREF: .text:006A6464o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-110h]
		jmp	loc_82DA88
sub_92270D	endp


;  S U B	R O U T	I N E 


sub_922722	proc near		; DATA XREF: .text:006A646Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-114h], eax
		mov	eax, 1
		retn
sub_922722	endp


;  S U B	R O U T	I N E 


sub_922735	proc near		; DATA XREF: .text:006A6470o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-114h]
		jmp	loc_82DA88
sub_922735	endp


;  S U B	R O U T	I N E 


sub_92274A	proc near		; DATA XREF: .text:006A6478o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-118h], eax
		mov	eax, 1
		retn
sub_92274A	endp


;  S U B	R O U T	I N E 


sub_92275D	proc near		; DATA XREF: .text:006A647Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-118h]
		jmp	loc_82E17E
sub_92275D	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_92276B:				; CODE XREF: NtQueryInformationThread+298j
		mov	eax, [esi+288h]
		mov	[ebp+var_164], eax
		mov	eax, [esi+28Ch]
		mov	[ebp+var_160], eax
		jmp	loc_82DB32
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922788	proc near		; DATA XREF: .text:006A6484o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-78h], eax
		mov	eax, 1
		retn
sub_922788	endp


;  S U B	R O U T	I N E 


sub_922798	proc near		; DATA XREF: .text:006A6488o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-78h]
		jmp	loc_82DA88
sub_922798	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_9227AA:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		push	0		; case 0x6
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	40h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_82DA88
		push	edi
		mov	eax, [ebp+arg_C]
		push	eax
		mov	edx, ebx
		mov	ecx, [ebp+var_1C]
		call	_PspQueryDescriptorThread@16 ; PspQueryDescriptorThread(x,x,x,x)
		jmp	short loc_9227F0
; 

loc_9227E1:				; CODE XREF: NtQueryInformationThread+F5292j
		push	edi
		mov	eax, [ebp+arg_C]
		push	eax
		mov	edx, ebx
		mov	ecx, [ebp+var_1C]
		call	_PspQueryLastCallThread@16 ; PspQueryLastCallThread(x,x,x,x)

loc_9227F0:				; CODE XREF: NtQueryInformationThread+F4F5Fj
		mov	esi, eax
		jmp	short loc_922804
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_9227F4	proc near		; DATA XREF: .text:006A65FCo
		mov	esp, [ebp-18h]
		mov	esi, [ebp-108h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
sub_9227F4	endp

; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_922804:				; CODE XREF: NtQueryInformationThread+F4F72j
					; sub_922B2A+10j ...
		mov	ecx, [ebp+var_1C]
		jmp	loc_82DC92
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_92280C	proc near		; DATA XREF: .text:006A6490o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-7Ch], eax
		mov	eax, 1
		retn
sub_92280C	endp


;  S U B	R O U T	I N E 


sub_92281C	proc near		; DATA XREF: .text:006A6494o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-7Ch]
		jmp	loc_82DA88
sub_92281C	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_92282E:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 8	; case 0xB
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	40h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_82DE8A
		mov	edx, 79517350h
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObjectWithTag
		mov	[ebp+var_4], 6
		mov	dword ptr [ebx], 0
		mov	dword ptr [ebx+4], 0
		test	edi, edi
		jz	short loc_92288B
		mov	dword ptr [edi], 8

loc_92288B:				; CODE XREF: NtQueryInformationThread+F5003j
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82DE8A
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922897	proc near		; DATA XREF: .text:006A649Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-80h], eax
		mov	eax, 1
		retn
sub_922897	endp


;  S U B	R O U T	I N E 


sub_9228A7	proc near		; DATA XREF: .text:006A64A0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-80h]
		jmp	loc_82DA88
sub_9228A7	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_9228B9:				; CODE XREF: NtQueryInformationThread+50Bj
		mov	eax, 1
		jmp	loc_82DD93
; 

loc_9228C3:				; CODE XREF: NtQueryInformationThread+524j
		mov	dword ptr [edi], 4
		jmp	loc_82DA7F
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_9228CE	proc near		; DATA XREF: .text:006A64A8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-84h], eax
		mov	eax, 1
		retn
sub_9228CE	endp


;  S U B	R O U T	I N E 


sub_9228E1	proc near		; DATA XREF: .text:006A64ACo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-84h]
		jmp	loc_82DA88
sub_9228E1	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_9228F6:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0xE
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		js	loc_82DA88
		mov	ecx, [ebp+var_1C]
		mov	esi, [ecx+5Ch]
		shr	esi, 3
		and	esi, 1
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	[ebp+var_4], 8
		mov	[ebx], esi
		test	edi, edi
		jz	short loc_922955
		mov	dword ptr [edi], 4

loc_922955:				; CODE XREF: NtQueryInformationThread+F50CDj
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+arg_C]
		jmp	loc_82DA88
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922964	proc near		; DATA XREF: .text:006A64B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-88h], eax
		mov	eax, 1
		retn
sub_922964	endp


;  S U B	R O U T	I N E 


sub_922977	proc near		; DATA XREF: .text:006A64B8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-88h]
		jmp	loc_82DA88
sub_922977	endp


;  S U B	R O U T	I N E 


sub_92298C	proc near		; DATA XREF: .text:006A64C0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-8Ch], eax
		mov	eax, 1
		retn
sub_92298C	endp


;  S U B	R O U T	I N E 


sub_92299F	proc near		; DATA XREF: .text:006A64C4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-8Ch]
		jmp	loc_82DA88
sub_92299F	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_9229B4:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0x12
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	40h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_82DA88
		mov	ecx, [ebp+var_1C]
		mov	esi, [ecx+2FCh]
		shr	esi, 5
		and	esi, 1
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	[ebp+var_4], 0Ah
		jmp	loc_82DA75
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922A09	proc near		; DATA XREF: .text:006A64CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-90h], eax
		mov	eax, 1
		retn
sub_922A09	endp


;  S U B	R O U T	I N E 


sub_922A1C	proc near		; DATA XREF: .text:006A64D0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-90h]
		jmp	loc_82DA88
sub_922A1C	endp


;  S U B	R O U T	I N E 


sub_922A31	proc near		; DATA XREF: .text:006A64D8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-94h], eax
		mov	eax, 1
		retn
sub_922A31	endp


;  S U B	R O U T	I N E 


sub_922A44	proc near		; DATA XREF: .text:006A64DCo
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-94h]
		jmp	loc_82DA88
sub_922A44	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_922A59:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 1	; case 0x11
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	40h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_82DA88
		mov	[ebp+var_4], 0Ch
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+2FCh]
		shr	eax, 2
		and	al, 1
		mov	[ebx], al
		test	edi, edi
		jz	short loc_922AAC
		mov	dword ptr [edi], 1

loc_922AAC:				; CODE XREF: NtQueryInformationThread+F5224j
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_922ADB
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922AB5	proc near		; DATA XREF: .text:006A64E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-98h], eax
		mov	eax, 1
		retn
sub_922AB5	endp


;  S U B	R O U T	I N E 


sub_922AC8	proc near		; DATA XREF: .text:006A64E8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-98h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-1Ch]
sub_922AC8	endp

; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_922ADB:				; CODE XREF: NtQueryInformationThread+F5233j
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_82DA88
; 

loc_922AEC:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		push	0		; case 0x15
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	8
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_82DA88
		jmp	loc_9227E1
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922B17	proc near		; DATA XREF: .text:006A64F0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-9Ch], eax
		mov	eax, 1
		retn
sub_922B17	endp


;  S U B	R O U T	I N E 


sub_922B2A	proc near		; DATA XREF: .text:006A64F4o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-9Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_922804
sub_922B2A	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_922B3F:				; CODE XREF: NtQueryInformationThread+149j
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	ecx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		js	loc_82DA88
		mov	esi, [ebp+var_1C]
		jmp	loc_82D9D7
; 

loc_922B71:				; CODE XREF: NtQueryInformationThread+17Bj
		mov	dword ptr [edi], 10h
		jmp	loc_82DA01
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922B7C	proc near		; DATA XREF: .text:006A64FCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A0h], eax
		mov	eax, 1
		retn
sub_922B7C	endp


;  S U B	R O U T	I N E 


sub_922B8F	proc near		; DATA XREF: .text:006A6500o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-0A0h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1Ch]
		jmp	loc_82DA0B
sub_922B8F	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_922BA7:				; CODE XREF: NtQueryInformationThread+18Fj
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	loc_82DA15
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922BB8	proc near		; DATA XREF: .text:006A6508o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A4h], eax
		mov	eax, 1
		retn
sub_922BB8	endp


;  S U B	R O U T	I N E 


sub_922BCB	proc near		; DATA XREF: .text:006A650Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0A4h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_922804
sub_922BCB	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_922BE0:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 0Ch ; case	0x1A
		jnz	loc_9235BE
		test	cl, cl
		jz	short loc_922C19
		mov	[ebp+var_4], 10h
		mov	ecx, [ebx]
		mov	[ebp+var_64], ecx
		mov	eax, [ebx+4]
		mov	[ebp+var_60], eax
		mov	eax, [ebx+8]
		mov	[ebp+var_5C], eax
		push	1
		push	eax
		push	ecx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[ebp+var_4], 0FFFFFFFEh
		lea	ebx, [ebp+var_64]

loc_922C19:				; CODE XREF: NtQueryInformationThread+F536Cj
		mov	[ebp+arg_C], ebx
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	18h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		js	loc_82DA88
		mov	esi, [ebp+var_1C]
		test	dword ptr [esi+58h], 400h
		jz	short loc_922C8F
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C0000008h
		jmp	loc_82DA88
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922C67	proc near		; DATA XREF: .text:006A6514o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0A8h], eax
		mov	eax, 1
		retn
sub_922C67	endp


;  S U B	R O U T	I N E 


sub_922C7A	proc near		; DATA XREF: .text:006A6518o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0A8h]
		jmp	loc_82DA88
sub_922C7A	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_922C8F:				; CODE XREF: NtQueryInformationThread+F53CFj
		mov	eax, [esi+150h]
		mov	[ebp+arg_0], eax
		mov	ecx, [ebx+8]
		test	ecx, ecx
		jz	loc_922DDC
		mov	edx, [ebx+4]
		cmp	edx, 1000h
		jnb	loc_922DDC
		mov	eax, 1000h
		sub	eax, edx
		cmp	ecx, eax
		ja	loc_922DDC
		lea	ecx, [esi+2ECh]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_922CE6
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C000004Bh
		jmp	loc_82DA88
; 

loc_922CE6:				; CODE XREF: NtQueryInformationThread+F544Ej
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	edx, [ebp+arg_0]
		cmp	edx, ecx
		jnz	short loc_922D53
		mov	[ebp+var_4], 11h
		mov	eax, [ebx+8]
		push	eax		; size_t
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+0A8h]
		add	eax, [ebx+4]
		push	eax		; void *
		mov	eax, [ebx]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [ebp+var_24]
		jmp	short loc_922D7A
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922D28	proc near		; DATA XREF: .text:006A6520o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0ACh], eax
		mov	eax, 1
		retn
sub_922D28	endp


;  S U B	R O U T	I N E 


sub_922D3B	proc near		; DATA XREF: .text:006A6524o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0ACh]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp+14h]
		mov	edi, [ebp+18h]
		jmp	short loc_922D7A
sub_922D3B	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_922D53:				; CODE XREF: NtQueryInformationThread+F5477j
		lea	eax, [ebp+var_B0]
		push	eax
		push	[ebp+var_20]
		mov	eax, [ebx+8]
		push	eax
		mov	eax, [ebx]
		push	eax
		push	ecx
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+0A8h]
		add	eax, [ebx+4]
		push	eax
		push	edx
		call	MmCopyVirtualMemory
		mov	esi, eax

loc_922D7A:				; CODE XREF: NtQueryInformationThread+F54A6j
					; sub_922D3B+16j
		mov	ecx, [ebp+var_1C]
		lea	ecx, [ecx+2ECh]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	edx, 79517350h
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObjectWithTag
		test	esi, esi
		js	loc_82DE8A
		mov	[ebp+var_4], 12h
		test	edi, edi
		jz	short loc_922DAD
		mov	eax, [ebx+8]
		mov	[edi], eax

loc_922DAD:				; CODE XREF: NtQueryInformationThread+F5526j
		xor	esi, esi
		jmp	short loc_922DCD
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922DB1	proc near		; DATA XREF: .text:006A652Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B4h], eax
		mov	eax, 1
		retn
sub_922DB1	endp


;  S U B	R O U T	I N E 


sub_922DC4	proc near		; DATA XREF: .text:006A6530o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0B4h]
sub_922DC4	endp

; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_922DCD:				; CODE XREF: NtQueryInformationThread+F552Fj
		mov	[ebp+var_24], esi
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82DE8A
; 

loc_922DDC:				; CODE XREF: NtQueryInformationThread+F541Dj
					; NtQueryInformationThread+F542Cj ...
		mov	edx, 79517350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_922DE8:				; CODE XREF: NtQueryInformationThread+54Cj
					; NtQueryInformationThread+F584Bj
		mov	eax, 0C000000Dh
		jmp	loc_82DA88
; 

loc_922DF2:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 1	; case 0x20
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	40h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_82DA88
		mov	[ebp+var_4], 13h
		mov	ecx, [ebp+var_1C]
		cmp	dword ptr [ecx+0F4h], 0
		setnz	al
		mov	[ebx], al
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	short loc_922E6C
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922E43	proc near		; DATA XREF: .text:006A6538o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B8h], eax
		mov	eax, 1
		retn
sub_922E43	endp


;  S U B	R O U T	I N E 


sub_922E56	proc near		; DATA XREF: .text:006A653Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0B8h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-1Ch]
		mov	edi, [ebp+18h]
sub_922E56	endp

; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_922E6C:				; CODE XREF: NtQueryInformationThread+F55C1j
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		test	esi, esi
		js	loc_82DE8A
		mov	[ebp+var_4], 14h
		test	edi, edi
		jz	short loc_922EAD
		mov	dword ptr [edi], 1
		jmp	short loc_922EAD
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922E91	proc near		; DATA XREF: .text:006A6544o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0BCh], eax
		mov	eax, 1
		retn
sub_922E91	endp


;  S U B	R O U T	I N E 


sub_922EA4	proc near		; DATA XREF: .text:006A6548o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0BCh]
sub_922EA4	endp

; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_922EAD:				; CODE XREF: NtQueryInformationThread+F5607j
					; NtQueryInformationThread+F560Fj
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_82DE8A
; 

loc_922EB9:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0x21
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_82DA88
		mov	[ebp+var_30], 200000h
		lea	eax, [ebp+var_30]
		push	eax
		mov	edx, eax
		mov	ecx, [ebp+var_1C]
		call	_KeSetIdealProcessorThreadByNumber@12 ;	KeSetIdealProcessorThreadByNumber(x,x,x)
		mov	edx, 79517350h
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObjectWithTag
		mov	[ebp+var_4], 15h
		mov	eax, [ebp+var_30]
		mov	[ebx], eax
		jmp	loc_82DA77
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922F1F	proc near		; DATA XREF: .text:006A6550o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C0h], eax
		mov	eax, 1
		retn
sub_922F1F	endp


;  S U B	R O U T	I N E 


sub_922F32	proc near		; DATA XREF: .text:006A6554o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0C0h]
		jmp	loc_82DA88
sub_922F32	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_922F47:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		push	0		; case 0x1D
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	8
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_82DA88
		mov	edx, 79517350h
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C0000002h
		jmp	loc_82DA88
; 

loc_922F84:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 1	; case 0x22
		jb	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	40h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		js	loc_82DA88
		mov	[ebp+var_4], 17h
		mov	eax, [ebp+var_1C]
		cmp	dword ptr [eax+50h], 0
		setnz	al
		mov	[ebx], al
		test	edi, edi
		jz	short loc_922FD4
		mov	dword ptr [edi], 1

loc_922FD4:				; CODE XREF: NtQueryInformationThread+F574Cj
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [ebp+var_24]
		jmp	loc_922804
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_922FE3	proc near		; DATA XREF: .text:006A6568o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C4h], eax
		mov	eax, 1
		retn
sub_922FE3	endp


;  S U B	R O U T	I N E 


sub_922FF6	proc near		; DATA XREF: .text:006A656Co
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0C4h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_922804
sub_922FF6	endp


;  S U B	R O U T	I N E 


sub_92300B	proc near		; DATA XREF: .text:006A6574o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0C8h], eax
		mov	eax, 1
		retn
sub_92300B	endp


;  S U B	R O U T	I N E 


sub_92301E	proc near		; DATA XREF: .text:006A6578o
		mov	edi, [ebp-0C8h]
		jmp	short loc_92302C
; 

loc_923026:				; DATA XREF: .text:006A65A8o
		mov	edi, [ebp-0E0h]

loc_92302C:				; CODE XREF: sub_92301E+6j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-1Ch]
		jmp	loc_82DF76
sub_92301E	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_92303E:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0x24
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_82DE8A
		mov	edx, 1
		mov	ecx, [ebp+var_1C]
		call	@KeQueryHeteroCpuPolicyThread@8	; KeQueryHeteroCpuPolicyThread(x,x)
		mov	[ebp+var_4], 19h
		mov	[ebx], eax
		test	edi, edi
		jz	short loc_9230B1
		mov	dword ptr [edi], 4
		jmp	short loc_9230B1
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_923095	proc near		; DATA XREF: .text:006A6580o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0CCh], eax
		mov	eax, 1
		retn
sub_923095	endp


;  S U B	R O U T	I N E 


sub_9230A8	proc near		; DATA XREF: .text:006A6584o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0CCh]
sub_9230A8	endp

; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_9230B1:				; CODE XREF: NtQueryInformationThread+F580Bj
					; NtQueryInformationThread+F5813j
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_922804
; 

loc_9230BD:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 10h ; case	0x25
		jnz	loc_9235BE
		cmp	[ebp+arg_0], 0FFFFFFFEh
		jnz	loc_922DE8
		lea	eax, [ebp+var_12C]
		push	eax
		push	esi
		push	4
		call	PsGetEffectiveContainerId
		mov	ecx, eax
		test	ecx, ecx
		js	loc_82DA88
		mov	[ebp+var_4], 1Ah
		mov	eax, [ebp+var_12C]
		mov	[ebx], eax
		mov	eax, [ebp+var_128]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_124]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_120]
		mov	[ebx+0Ch], eax
		test	edi, edi
		jz	short loc_92313C
		mov	dword ptr [edi], 10h
		jmp	short loc_92313C
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_923120	proc near		; DATA XREF: .text:006A658Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0D0h], eax
		mov	eax, 1
		retn
sub_923120	endp


;  S U B	R O U T	I N E 


sub_923133	proc near		; DATA XREF: .text:006A6590o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-0D0h]
sub_923133	endp

; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_92313C:				; CODE XREF: NtQueryInformationThread+F5896j
					; NtQueryInformationThread+F589Ej
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, ecx
		jmp	loc_82DA88
; 

loc_92314A:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		mov	eax, [ebp+arg_C] ; case	0x27
		test	al, 7
		jnz	loc_9235BE
		cmp	eax, 8
		ja	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp+arg_0], eax
		mov	[ebp+var_24], eax
		test	eax, eax
		js	loc_82DA88
		push	ecx
		lea	edx, [ebp+var_190]
		mov	ecx, [ebp+var_1C]
		call	_KeQueryCpuSetsThread@12 ; KeQueryCpuSetsThread(x,x,x)
		mov	esi, eax
		mov	edx, 79517350h
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObjectWithTag
		shl	esi, 3
		mov	[ebp+var_D4], esi
		mov	[ebp+var_4], 1Bh
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_9231C4
		mov	[eax], esi

loc_9231C4:				; CODE XREF: NtQueryInformationThread+F5940j
		mov	eax, [ebp+arg_C]
		cmp	esi, eax
		jb	short loc_9231D3
		mov	esi, eax
		mov	[ebp+var_D4], esi

loc_9231D3:				; CODE XREF: NtQueryInformationThread+F5949j
		push	esi		; size_t
		lea	eax, [ebp+var_190]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+arg_0]
		jmp	loc_82DA88
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_9231F3	proc near		; DATA XREF: .text:006A6598o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0DCh], eax
		mov	eax, large fs:124h
		mov	[ebp-0D8h], eax
		mov	eax, [ebp-0D8h]
		mov	al, [eax+15Ah]
		mov	[ebp-28h], al
		mov	cl, [ebp-28h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_9231F3	endp


;  S U B	R O U T	I N E 


sub_923226	proc near		; DATA XREF: .text:006A659Co
		mov	esp, [ebp-18h]
		mov	eax, [ebp-0DCh]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_82DA88
sub_923226	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_92323B:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 40h ; case	0x28
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		js	loc_82DA88
		lea	edx, [ebp+var_14C]
		mov	esi, [ebp+var_1C]
		mov	ecx, esi
		call	KeQueryValuesThread
		mov	edx, 1
		mov	ecx, esi
		call	_PsQueryThreadStartAddress@8 ; PsQueryThreadStartAddress(x,x)
		cmp	ds:_MmHighestUserAddress, eax
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax
		mov	[ebp+arg_C], ecx
		mov	[ebp+var_4], 1Ch
		mov	ecx, [ebp+var_144]
		movzx	eax, cl
		mov	[ebx+34h], eax
		movzx	eax, ch
		mov	[ebx+38h], eax
		movsx	eax, byte ptr [ebp+var_144+3]
		mov	[ebx+2Ch], eax
		movsx	eax, byte ptr [ebp+var_144+2]
		mov	[ebx+28h], eax
		mov	eax, [ebp+var_14C]
		mov	[ebx+18h], eax
		mov	eax, ds:_KeMaximumIncrement
		mul	dword ptr [esi+194h]
		mov	[ebx], eax
		mov	[ebx+4], edx
		mov	eax, ds:_KeMaximumIncrement
		mul	dword ptr [esi+1C0h]
		mov	[ebx+8], eax
		mov	[ebx+0Ch], edx
		mov	eax, [esi+280h]
		mov	ecx, [esi+284h]
		mov	[ebx+10h], eax
		mov	[ebx+14h], ecx
		mov	eax, [esi+8Ch]
		mov	[ebx+30h], eax
		mov	eax, [esi+2ACh]
		mov	ecx, [esi+2B0h]
		mov	[ebx+20h], eax
		mov	[ebx+24h], ecx
		mov	eax, [ebp+arg_C]
		mov	[ebx+1Ch], eax
		test	edi, edi
		jz	short loc_923330
		mov	dword ptr [edi], 40h

loc_923330:				; CODE XREF: NtQueryInformationThread+F5AA8j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	edi, [ebp+arg_0]
		jmp	loc_82DF76
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_92333F	proc near		; DATA XREF: .text:006A65A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E0h], eax
		mov	eax, 1
		retn
sub_92333F	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_923352:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 0Ch ; case	0x29
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_82DA88
		lea	edx, [ebp+var_3C]
		mov	ecx, [ebp+var_1C]
		call	_KeQueryActualAffinityThread@8 ; KeQueryActualAffinityThread(x,x)
		mov	[ebp+var_4], 1Dh
		mov	eax, [ebp+var_3C]
		mov	[ebx], eax
		mov	eax, [ebp+var_38]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_34]
		mov	[ebx+8], eax
		test	edi, edi
		jz	short loc_9233D2
		mov	dword ptr [edi], 0Ch
		jmp	short loc_9233D2
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_9233B6	proc near		; DATA XREF: .text:006A65B0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E4h], eax
		mov	eax, 1
		retn
sub_9233B6	endp


;  S U B	R O U T	I N E 


sub_9233C9	proc near		; DATA XREF: .text:006A65B4o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0E4h]
sub_9233C9	endp

; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_9233D2:				; CODE XREF: NtQueryInformationThread+F5B2Cj
					; NtQueryInformationThread+F5B34j
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_922804
; 

loc_9233DE:				; CODE XREF: NtQueryInformationThread+47Bj
		mov	dword ptr [ebx], 1
		jmp	loc_82DC83
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_9233E9	proc near		; DATA XREF: .text:006A65BCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0E8h], eax
		mov	eax, 1
		retn
sub_9233E9	endp


;  S U B	R O U T	I N E 


sub_9233FC	proc near		; DATA XREF: .text:006A65C0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0E8h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_922804
sub_9233FC	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_923411:				; CODE XREF: NtQueryInformationThread+7A2j
		mov	ebx, 0C0000023h
		mov	[ebp+var_24], ebx
		jmp	loc_82E057
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_92341E	proc near		; DATA XREF: .text:006A65D4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0F8h], eax
		mov	eax, large fs:124h
		mov	[ebp-0F4h], eax
		mov	eax, [ebp-0F4h]
		mov	al, [eax+15Ah]
		mov	[ebp-29h], al
		mov	cl, [ebp-29h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_92341E	endp


;  S U B	R O U T	I N E 


sub_923451	proc near		; DATA XREF: .text:006A65D8o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-0F8h]
		mov	[ebp-24h], ebx
		mov	dword ptr [ebp-4], 1Fh
		mov	esi, [ebp-4Ch]
		jmp	short loc_92346C
sub_923451	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_923469:				; CODE XREF: NtQueryInformationThread+754j
		mov	ebx, [ebp+var_24]

loc_92346C:				; CODE XREF: sub_923451+16j
		mov	ecx, [ebp+var_1C]
		jmp	loc_82E064
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_923474	proc near		; DATA XREF: .text:006A65CCo
		mov	esi, [ebp-4Ch]
		mov	ecx, [ebp-1Ch]
		mov	ebx, [ebp-24h]
		jmp	sub_82E197
sub_923474	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_923482:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0x2B
		jnz	loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		js	loc_82DA88
		mov	[ebp+var_4], 21h
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+2FCh]
		shr	eax, 13h
		and	eax, 1
		mov	[ebx], eax
		test	edi, edi
		jz	short loc_9234DA
		mov	dword ptr [edi], 4

loc_9234DA:				; CODE XREF: NtQueryInformationThread+F5C52j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [ebp+var_24]
		jmp	loc_922804
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_9234E9	proc near		; DATA XREF: .text:006A65E0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0FCh], eax
		mov	eax, 1
		retn
sub_9234E9	endp


;  S U B	R O U T	I N E 


sub_9234FC	proc near		; DATA XREF: .text:006A65E4o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-0FCh]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_922804
sub_9234FC	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_923511:				; CODE XREF: NtQueryInformationThread+828j
		call	ObfDereferenceObject
		jmp	loc_82DDFD
; 

loc_92351B:				; CODE XREF: NtQueryInformationThread+5A6j
		mov	dword ptr [eax], 10h
		jmp	loc_82DA7F
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_923526	proc near		; DATA XREF: .text:006A65ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-104h], eax
		mov	eax, large fs:124h
		mov	[ebp-100h], eax
		mov	eax, [ebp-100h]
		mov	al, [eax+15Ah]
		mov	[ebp-2Ah], al
		mov	cl, [ebp-2Ah]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_923526	endp


;  S U B	R O U T	I N E 


sub_923559	proc near		; DATA XREF: .text:006A65F0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-104h]
		jmp	loc_82DA88
sub_923559	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_92356E:				; CODE XREF: NtQueryInformationThread+132j
					; DATA XREF: PAGE:off_82E1C8o
		cmp	[ebp+arg_C], 4	; case 0x2D
		jnz	short loc_9235BE
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+var_20]
		mov	eax, ds:_PsThreadType
		push	eax
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_82DA88
		mov	[ebp+var_4], 23h
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+37Ch]
		neg	eax
		sbb	eax, eax
		and	eax, dword_6BEE0C
		jmp	loc_82DC81
; 

loc_9235BE:				; CODE XREF: NtQueryInformationThread+13Dj
					; NtQueryInformationThread+1AFj ...
		mov	eax, 0C0000004h
		jmp	loc_82DA88
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread

;  S U B	R O U T	I N E 


sub_9235C8	proc near		; DATA XREF: .text:006A65F8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-108h], eax
		mov	eax, 1
		retn
sub_9235C8	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryInformationThread

loc_9235DB:				; CODE XREF: NtQueryInformationThread+12Cj
					; NtQueryInformationThread+132j
					; DATA XREF: ...
		mov	eax, 0C0000003h	; default
		jmp	loc_82DA88
; END OF FUNCTION CHUNK	FOR NtQueryInformationThread
; 
; START	OF FUNCTION CHUNK FOR AlpcpReferenceConnectedPort

loc_9235E5:				; CODE XREF: AlpcpReferenceConnectedPort+16j
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, ebx
		jmp	loc_82E2F5
; END OF FUNCTION CHUNK	FOR AlpcpReferenceConnectedPort
; 
; START	OF FUNCTION CHUNK FOR PsAssignImpersonationToken

loc_9235F1:				; CODE XREF: PsAssignImpersonationToken+63j
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, 0C00000A8h
		jmp	loc_82E4E6
; END OF FUNCTION CHUNK	FOR PsAssignImpersonationToken
; 
; START	OF FUNCTION CHUNK FOR PsImpersonateClient

loc_923602:				; CODE XREF: PsImpersonateClient+22Ej
		mov	edx, [esp+20h+var_C]
		lea	ecx, [esi+12Ch]
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	eax, ebx
		jmp	loc_82E60D
; 

loc_923618:				; CODE XREF: PsImpersonateClient+1BDj
		mov	edx, [esp+20h+var_C]
		lea	ecx, [esi+12Ch]
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	eax, [esp+20h+var_4]
		jmp	loc_82E60D
; 

loc_923630:				; CODE XREF: PsImpersonateClient+D2j
		mov	edx, [ebp+arg_10]
		mov	[esp+20h+var_8], edx
		jmp	loc_82E667
; END OF FUNCTION CHUNK	FOR PsImpersonateClient
; 
; START	OF FUNCTION CHUNK FOR PspWriteTebImpersonationInfo

loc_92363C:				; CODE XREF: PspWriteTebImpersonationInfo+80j
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		mov	[ebp+var_35], 1
		jmp	loc_82E839
; END OF FUNCTION CHUNK	FOR PspWriteTebImpersonationInfo

;  S U B	R O U T	I N E 


sub_923650	proc near		; DATA XREF: .text:006A6614o
		mov	eax, 1
		retn
sub_923650	endp


;  S U B	R O U T	I N E 


sub_923656	proc near		; DATA XREF: .text:006A6618o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-3Ch]
		mov	ebx, [ebp-40h]
		mov	esi, [ebp-44h]
		mov	dl, [ebp-36h]
		jmp	loc_82E884
sub_923656	endp

; 
; START	OF FUNCTION CHUNK FOR PspWriteTebImpersonationInfo

loc_923671:				; CODE XREF: PspWriteTebImpersonationInfo+FAj
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_82E8B0
; END OF FUNCTION CHUNK	FOR PspWriteTebImpersonationInfo
; 
; START	OF FUNCTION CHUNK FOR AlpcpUnlockBlob

loc_923680:				; CODE XREF: AlpcpUnlockBlob+D7j
		mov	eax, [ebx+4]
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_82ECD3
; 

loc_92368F:				; CODE XREF: AlpcpUnlockBlob:loc_82EC65j
		push	edx
		push	28h
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_92369D:				; CODE XREF: NtAlpcImpersonateClientOfPort+AAj
		mov	ecx, edx
		jmp	loc_82EE00
; END OF FUNCTION CHUNK	FOR AlpcpUnlockBlob
; 
; START	OF FUNCTION CHUNK FOR NtAlpcImpersonateClientOfPort

loc_9236A4:				; CODE XREF: NtAlpcImpersonateClientOfPort+CBj
					; NtAlpcImpersonateClientOfPort+DCj
		mov	esi, 0C000000Dh
		mov	edi, [ebp+var_20]
		jmp	loc_82EEC2
; END OF FUNCTION CHUNK	FOR NtAlpcImpersonateClientOfPort

;  S U B	R O U T	I N E 


sub_9236B1	proc near		; DATA XREF: .text:006A6634o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		mov	eax, 1
		retn
sub_9236B1	endp


;  S U B	R O U T	I N E 


sub_9236C1	proc near		; DATA XREF: .text:006A6638o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-30h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-20h]
		mov	ecx, [ebp-34h]
		jmp	loc_82EEC4
sub_9236C1	endp

; 
; START	OF FUNCTION CHUNK FOR NtAlpcImpersonateClientOfPort

loc_9236D9:				; CODE XREF: NtAlpcImpersonateClientOfPort+7Aj
		mov	eax, [ebp+var_24]
		mov	[ebp+arg_4], eax
		mov	esi, [ebp+var_28]
		jmp	loc_82EE21
; 

loc_9236E7:				; CODE XREF: NtAlpcImpersonateClientOfPort+F6j
		mov	[ebp+arg_8], 1
		jmp	loc_82EE53
; 

loc_9236F3:				; CODE XREF: NtAlpcImpersonateClientOfPort+130j
		mov	ecx, edi
		call	AlpcpReferenceConnectedPort
		mov	esi, eax
		mov	[ebp+arg_4], esi
		test	esi, esi
		jnz	short loc_92370F
		mov	esi, 0C0000022h
		mov	ecx, eax
		jmp	loc_82EEC4
; 

loc_92370F:				; CODE XREF: NtAlpcImpersonateClientOfPort+F49B1j
		test	dword ptr [esi+98h], 10000h
		jnz	short loc_923727
		mov	esi, 0C0000022h
		mov	ecx, eax
		jmp	loc_82EEC4
; 

loc_923727:				; CODE XREF: NtAlpcImpersonateClientOfPort+F49C9j
		test	dword ptr [esi+0F4h], 400h
		jz	short loc_92373F
		mov	esi, 0C0000022h
		mov	ecx, eax
		jmp	loc_82EEC4
; 

loc_92373F:				; CODE XREF: NtAlpcImpersonateClientOfPort+F49E1j
		add	esi, 20h
		mov	ecx, 0Fh
		lea	edi, [ebp+var_74]
		rep movsd
		cmp	[ebp+arg_8], 0
		jz	short loc_923769
		cmp	ebx, [ebp+var_70]
		jle	short loc_923766
		mov	esi, 0C0000022h
		mov	edi, [ebp+var_1C]
		mov	ecx, eax
		jmp	loc_82EEC4
; 

loc_923766:				; CODE XREF: NtAlpcImpersonateClientOfPort+F4A05j
		mov	[ebp+var_70], ebx

loc_923769:				; CODE XREF: NtAlpcImpersonateClientOfPort+F4A00j
		push	0
		lea	eax, [ebp+var_74]
		push	eax
		call	_SeImpersonateClientEx@8 ; SeImpersonateClientEx(x,x)
		mov	esi, eax
		mov	edi, [ebp+var_1C]
		mov	ecx, [ebp+arg_4]
		jmp	loc_82EEC4
; END OF FUNCTION CHUNK	FOR NtAlpcImpersonateClientOfPort
; 
; START	OF FUNCTION CHUNK FOR AlpcpImpersonateMessage

loc_923781:				; CODE XREF: AlpcpImpersonateMessage+13Ej
		call	_AlpcpUnlockCommunicationInfoExclusive@4 ; AlpcpUnlockCommunicationInfoExclusive(x)
		mov	eax, 0C0000022h
		jmp	loc_82F04A
; 

loc_923790:				; CODE XREF: AlpcpImpersonateMessage+6Dj
		mov	esi, 0C0000022h
		jmp	loc_82F023
; 

loc_92379A:				; CODE XREF: AlpcpImpersonateMessage+91j
		mov	ecx, [ebp+arg_8]
		cmp	[ebx+0A0h], ecx
		jge	loc_82EFC7
		mov	esi, 0C0000022h
		jmp	loc_82F023
; 

loc_9237B3:				; CODE XREF: AlpcpImpersonateMessage+DDj
		mov	ecx, [ebp+arg_8]
		cmp	ecx, [eax+4]
		jle	short loc_9237C5
		mov	esi, 0C0000022h
		jmp	loc_82F023
; 

loc_9237C5:				; CODE XREF: AlpcpImpersonateMessage+F4889j
		mov	[ebp+var_84], ecx
		jmp	loc_82F013
; END OF FUNCTION CHUNK	FOR AlpcpImpersonateMessage
; 
; START	OF FUNCTION CHUNK FOR ObpCallPreOperationCallbacks

loc_9237D0:				; CODE XREF: ObpCallPreOperationCallbacks+CDj
		mov	ecx, edi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		xor	edi, edi
		jmp	loc_82F183
; 

loc_9237DE:				; CODE XREF: ObpCallPreOperationCallbacks+D7j
		push	6C46624Fh
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	short loc_92382D
		mov	eax, [ebp+arg_0]
		mov	[edx+8], esi
		mov	dword ptr [edx+0Ch], 0
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_923826
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[eax+4], edx
		jmp	loc_82F18D
; 

loc_923818:				; CODE XREF: ObpCallPreOperationCallbacks+F2j
		mov	ecx, [ebp+var_8]
		mov	eax, [ebx+10h]
		mov	[ecx+0Ch], eax
		jmp	loc_82F1AB
; 

loc_923826:				; CODE XREF: ObpCallPreOperationCallbacks+F4757j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_92382D:				; CODE XREF: ObpCallPreOperationCallbacks+F4743j
		lea	ecx, [esi+20h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	edx, [ebp+arg_0]
		cmp	[edx], edx
		jz	short loc_923872
		mov	eax, [ebx]
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_28], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_24], eax
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_1C], eax
		mov	eax, [ebx+8]
		mov	[ebp+var_18], 0
		mov	[ebp+var_10], 0
		mov	[ebp+var_20], eax
		mov	[ebp+var_14], 0C000009Ah
		call	_ObpCallPostOperationCallbacks@8 ; ObpCallPostOperationCallbacks(x,x)
		jmp	short loc_923884
; 

loc_923872:				; CODE XREF: ObpCallPreOperationCallbacks+F478Aj
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebx+8]
		mov	edx, 6243624Fh
		call	ObfDereferenceObjectWithTag

loc_923884:				; CODE XREF: ObpCallPreOperationCallbacks+F47C0j
		mov	eax, 0C000009Ah
		jmp	loc_82F220
; END OF FUNCTION CHUNK	FOR ObpCallPreOperationCallbacks
; 
; START	OF FUNCTION CHUNK FOR AlpcpExposeHandleAttribute

loc_92388E:				; CODE XREF: AlpcpExposeHandleAttribute+116j
		mov	[ebp+var_20], 0C0000037h
		jmp	loc_82F334
; 

loc_92389A:				; CODE XREF: AlpcpExposeHandleAttribute+8Fj
		mov	[ebp+var_20], 0C0000022h
		jmp	loc_82F334
; 

loc_9238A6:				; CODE XREF: AlpcpExposeHandleAttribute+12Dj
		mov	[ebp+var_20], 0C0000022h
		jmp	loc_82F3D8
; 

loc_9238B2:				; CODE XREF: AlpcpExposeHandleAttribute+13Bj
		mov	[ebp+var_20], 0C0000024h
		jmp	loc_82F3D8
; 

loc_9238BE:				; CODE XREF: AlpcpExposeHandleAttribute+14Bj
		mov	[ebp+var_20], 0C0000022h
		jmp	loc_82F3D8
; END OF FUNCTION CHUNK	FOR AlpcpExposeHandleAttribute

;  S U B	R O U T	I N E 


sub_9238CA	proc near		; DATA XREF: .text:006A6654o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		mov	eax, large fs:124h
		mov	[ebp-30h], eax
		mov	eax, [ebp-30h]
		mov	al, [eax+15Ah]
		mov	[ebp-19h], al
		mov	cl, [ebp-19h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_9238CA	endp


;  S U B	R O U T	I N E 


sub_9238F4	proc near		; DATA XREF: .text:006A6658o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-34h]
		mov	[ebp-20h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-38h]
		mov	ebx, [ebp-3Ch]
		jmp	loc_82F3D8
sub_9238F4	endp


;  S U B	R O U T	I N E 


sub_92390F	proc near		; DATA XREF: .text:006A6674o
		mov	eax, 1
		retn
sub_92390F	endp


;  S U B	R O U T	I N E 


sub_923915	proc near		; DATA XREF: .text:006A6678o
		mov	esp, [ebp-18h]
		jmp	loc_82F518
sub_923915	endp

; 
; START	OF FUNCTION CHUNK FOR NtAlpcSendWaitReceivePort

loc_92391D:				; CODE XREF: NtAlpcSendWaitReceivePort+FBj
		mov	ebx, 0C00000F0h
		jmp	loc_82F6D0
; 

loc_923927:				; CODE XREF: NtAlpcSendWaitReceivePort+107j
		mov	ebx, 0C00000F0h
		jmp	loc_82F6D0
; 

loc_923931:				; CODE XREF: NtAlpcSendWaitReceivePort+113j
		mov	ebx, 0C00000F0h
		jmp	loc_82F6D0
; 

loc_92393B:				; CODE XREF: NtAlpcSendWaitReceivePort+11Ej
		mov	ebx, 0C0000705h
		jmp	loc_82F6D0
; 

loc_923945:				; CODE XREF: NtAlpcSendWaitReceivePort+171j
		mov	ebx, 0C00000F0h
		jmp	loc_82F6D0
; END OF FUNCTION CHUNK	FOR NtAlpcSendWaitReceivePort
; 
; START	OF FUNCTION CHUNK FOR AlpcpCompleteDispatchMessage

loc_92394F:				; CODE XREF: AlpcpCompleteDispatchMessage+58j
		mov	[esp+40h+var_30], 1
		jmp	loc_831206
; 

loc_92395C:				; CODE XREF: AlpcpCompleteDispatchMessage+94Cj
		mov	ecx, 3
		jmp	loc_83126B
; 

loc_923966:				; CODE XREF: AlpcpCompleteDispatchMessage+C5j
		mov	ecx, 80000003h
		jmp	loc_83126B
; 

loc_923970:				; CODE XREF: AlpcpCompleteDispatchMessage+EDj
		test	ecx, ecx
		jz	loc_831293
		mov	eax, large fs:124h
		cmp	byte ptr [eax+244h], 0
		jz	short loc_9239BE
		mov	eax, large fs:124h
		mov	eax, [eax+150h]
		mov	eax, [eax+64h]
		and	eax, 380h
		cmp	eax, 180h
		jz	short loc_9239BE
		mov	eax, large fs:124h
		mov	eax, [eax+244h]
		and	eax, 300h
		cmp	eax, 300h
		jnz	loc_831293

loc_9239BE:				; CODE XREF: AlpcpCompleteDispatchMessage+F27E5j
					; AlpcpCompleteDispatchMessage+F2800j
		mov	eax, [esi+90h]
		push	eax
		push	6
		push	0
		push	edx
		call	_PsChargeProcessWakeCounter@16 ; PsChargeProcessWakeCounter(x,x,x,x)
		mov	[esi+74h], eax
		jmp	loc_831293
; 

loc_9239D7:				; CODE XREF: AlpcpCompleteDispatchMessage+79Bj
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	loc_831941
; 

loc_9239E3:				; CODE XREF: AlpcpCompleteDispatchMessage+804j
		cmp	[esp+40h+var_2C], 0
		jnz	loc_83142C
		mov	eax, [edi+14h]
		cmp	eax, 4
		jb	short loc_923A13
		push	0
		push	0
		and	eax, 0FFFFFFFCh
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [edi+14h]
		test	cl, 2
		jz	short loc_923A13
		and	ecx, 0FFFFFFFCh
		call	ObfDereferenceObject

loc_923A13:				; CODE XREF: AlpcpCompleteDispatchMessage+F2854j
					; AlpcpCompleteDispatchMessage+F2869j
		mov	dword ptr [edi+14h], 0
		jmp	loc_83142C
; 

loc_923A1F:				; CODE XREF: AlpcpCompleteDispatchMessage+65Cj
		mov	ecx, esi
		call	_AlpcpLogSendMessage@4 ; AlpcpLogSendMessage(x)
		jmp	loc_831802
; 

loc_923A2B:				; CODE XREF: AlpcpCompleteDispatchMessage+695j
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	loc_83183B
; 

loc_923A37:				; CODE XREF: AlpcpCompleteDispatchMessage+66Bj
					; AlpcpCompleteDispatchMessage+676j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_923A3E:				; CODE XREF: AlpcpCompleteDispatchMessage+32Cj
		mov	[esp+40h+var_1C], 0
		jmp	loc_831504
; 

loc_923A4B:				; CODE XREF: AlpcpCompleteDispatchMessage+3C4j
		mov	eax, 0FFFFC00Fh
		and	[edx+4], ax
		jmp	loc_83156A
; 

loc_923A59:				; CODE XREF: AlpcpCompleteDispatchMessage+4CCj
		mov	eax, [esp+40h+var_24]
		mov	ecx, [ebx+0D4h]
		add	eax, 3Fh
		shr	eax, 6
		push	eax
		mov	eax, [esp+44h+var_18]
		mov	ecx, [ecx+34h]
		shr	eax, 6
		push	eax
		call	_AlpcpFreeBitmap@16 ; AlpcpFreeBitmap(x,x,x,x)
		jmp	loc_8312D4
; 

loc_923A7F:				; CODE XREF: AlpcpCompleteDispatchMessage+921j
					; AlpcpCompleteDispatchMessage+931j
		mov	[esp+40h+var_32], 0
		jmp	loc_8316A9
; 

loc_923A89:				; CODE XREF: AlpcpCompleteDispatchMessage+9C5j
		or	edx, 2000h
		mov	ecx, ebx
		mov	[esi+84h], dx
		mov	edx, esi
		inc	word ptr [esi-0Eh]
		call	_AlpcpInsertMessagePendingQueue@8 ; AlpcpInsertMessagePendingQueue(x,x)
		jmp	loc_831352
; 

loc_923AA8:				; CODE XREF: AlpcpCompleteDispatchMessage+1B9j
		mov	ecx, esi
		call	_AlpcpLogSendMessage@4 ; AlpcpLogSendMessage(x)
		jmp	loc_83135F
; 

loc_923AB4:				; CODE XREF: AlpcpCompleteDispatchMessage+3FBj
		mov	ecx, esi
		call	_AlpcpLogReceiveMessage@4 ; AlpcpLogReceiveMessage(x)
		jmp	loc_83136A
; 

loc_923AC0:				; CODE XREF: AlpcpCompleteDispatchMessage+40Bj
		mov	ecx, esi
		call	_AlpcpLogWaitForReply@4	; AlpcpLogWaitForReply(x)
		jmp	loc_831377
; 

loc_923ACC:				; CODE XREF: AlpcpCompleteDispatchMessage+1E5j
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	loc_83138B
; 

loc_923AD8:				; CODE XREF: AlpcpCompleteDispatchMessage:loc_831B7Dj
		push	edx
		push	28h
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_923AE6:				; CODE XREF: AlpcpCaptureAttributes+9Ej
		mov	esi, eax
		jmp	loc_831C74
; 

loc_923AED:				; CODE XREF: AlpcpCompleteDispatchMessage+B76j
		mov	byte ptr [ecx],	0
		jmp	loc_831D1C
; 

loc_923AF5:				; CODE XREF: AlpcpCompleteDispatchMessage+B54j
					; AlpcpCompleteDispatchMessage+B5Fj
		push	4
		push	eax
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		jmp	loc_831D31
; 

loc_923B03:				; CODE XREF: AlpcpCompleteDispatchMessage+D22j
		test	ecx, ecx
		jnz	loc_831F3E
		add	eax, ebx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_923B1F
		cmp	eax, ebx
		jnb	loc_831D31

loc_923B1F:				; CODE XREF: AlpcpCompleteDispatchMessage+F2975j
		mov	byte ptr [ecx],	0
		jmp	loc_831D31
; END OF FUNCTION CHUNK	FOR AlpcpCompleteDispatchMessage

;  S U B	R O U T	I N E 


sub_923B27	proc near		; DATA XREF: .text:006A66ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		mov	eax, 1
		retn
sub_923B27	endp


;  S U B	R O U T	I N E 


sub_923B37	proc near		; DATA XREF: .text:006A66F0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2Ch]
		jmp	loc_831E30
sub_923B37	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpCompleteDispatchMessage

loc_923B49:				; CODE XREF: AlpcpCompleteDispatchMessage+BA7j
		mov	eax, 0C000000Dh
		jmp	loc_831E30
; 

loc_923B53:				; CODE XREF: AlpcpCompleteDispatchMessage+C7Cj
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	loc_831E22
; END OF FUNCTION CHUNK	FOR AlpcpCompleteDispatchMessage

;  S U B	R O U T	I N E 


sub_923B5F	proc near		; DATA XREF: .text:006A670Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		mov	eax, 1
		retn
sub_923B5F	endp


;  S U B	R O U T	I N E 


sub_923B6F	proc near		; DATA XREF: .text:006A6710o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_831FCD
sub_923B6F	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpLookupMessage

loc_923B81:				; CODE XREF: AlpcpLookupMessage+1EEj
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_923B91
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_923B91:				; CODE XREF: AlpcpLookupMessage+F1B98j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	edx, 1
		mov	ecx, edi
		call	AlpcpDereferenceBlobEx
		mov	eax, 0C0000708h
		jmp	loc_83215C
; 

loc_923BAE:				; CODE XREF: AlpcpLookupMessage+1AFj
					; AlpcpLookupMessage+1CEj
		mov	eax, 0C00002F0h
		jmp	loc_83215C
; 

loc_923BB8:				; CODE XREF: AlpcpLookupMessage+1Ej
		mov	edx, ds:_AlpcpSecondaryMessageTables
		test	edx, edx
		jz	loc_832218
		mov	eax, edi
		shr	eax, 1Ah
		mov	edx, [edx+eax*4]
		jmp	loc_83201A
; 

loc_923BD3:				; CODE XREF: AlpcpLookupMessage+75j
		test	ebx, ebx
		jz	loc_83220B
		mov	ecx, [ebp+var_4]
		push	ebx
		call	_ExpBlockOnLockedHandleEntry@12	; ExpBlockOnLockedHandleEntry(x,x,x)
		mov	edx, [ebp+var_8]
		jmp	loc_832060
; 

loc_923BEC:				; CODE XREF: AlpcpLookupMessage+93j
		mov	eax, 1
		lock xadd [edx], eax
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		add	ecx, 20h
		mov	[ebp+var_C], 0
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	loc_832218
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_832218
; 

loc_923C1C:				; CODE XREF: AlpcpLookupMessage+254j
		xor	edx, edx
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_832218
; 

loc_923C28:				; CODE XREF: AlpcpLookupMessage+C8j
		test	eax, eax
		jg	loc_8320A7
		mov	edx, [ebp+var_8]
		test	eax, eax

loc_923C35:				; CODE XREF: AlpcpLookupMessage+B1j
		jz	short loc_923CB3
		push	eax
		push	20h
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_923C44:				; CODE XREF: AlpcpLookupMessage+F8j
		push	eax
		push	26h
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_923C51:				; CODE XREF: AlpcpLookupMessage+125j
		xor	edx, edx
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_83211B
; 

loc_923C5D:				; CODE XREF: AlpcpLookupMessage+131j
					; AlpcpLookupMessage+141j
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	short loc_923C71
		jmp	short loc_923C78
; 

loc_923C68:				; CODE XREF: AlpcpLookupMessage+17Bj
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_923C78

loc_923C71:				; CODE XREF: AlpcpLookupMessage+F1C74j
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_923C78:				; CODE XREF: AlpcpLookupMessage+F1C76j
					; AlpcpLookupMessage+F1C7Fj
		mov	ecx, esi
		call	AlpcpUnlockBlob
		jmp	loc_832218
; 

loc_923C84:				; CODE XREF: AlpcpLookupMessage+185j
					; AlpcpLookupMessage+19Dj
		cmp	_AlpcpMessageLogEnabled, 0
		jnz	short loc_923C98
		jmp	short loc_923C9F
; 

loc_923C8F:				; CODE XREF: AlpcpLookupMessage+15Fj
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_923C9F

loc_923C98:				; CODE XREF: AlpcpLookupMessage+F1C9Bj
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_923C9F:				; CODE XREF: AlpcpLookupMessage+F1C9Dj
					; AlpcpLookupMessage+F1CA6j
		mov	ecx, esi
		call	AlpcpUnlockBlob
		mov	eax, 0C0000022h
		jmp	loc_83215C
; 

loc_923CB0:				; CODE XREF: AlpcpLookupMessage+D1j
		mov	edx, [ebp+var_8]

loc_923CB3:				; CODE XREF: AlpcpLookupMessage:loc_923C35j
		mov	eax, 1
		lock xadd [edx], eax
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_1C]
		add	ecx, 20h
		mov	[ebp+var_1C], 0
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	loc_832218
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_832218
; END OF FUNCTION CHUNK	FOR AlpcpLookupMessage
; 

loc_923CE3:				; CODE XREF: PAGE:00832800j
		mov	byte ptr [eax],	0
		jmp	loc_832806
; 

loc_923CEB:				; CODE XREF: PAGE:00832834j
		mov	ebx, eax
		jmp	loc_83283A
; 

loc_923CF2:				; CODE XREF: PAGE:00832896j
		add	eax, 4
		mov	[ebp-24h], eax
		jmp	loc_83289C
; 

loc_923CFD:				; CODE XREF: PAGE:008328C6j
		mov	byte ptr [ecx],	0
		jmp	loc_8328CC
; 

loc_923D05:				; CODE XREF: PAGE:008328AFj
		push	4
		push	eax
		push	edx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		jmp	loc_8328E1
; 

loc_923D13:				; CODE XREF: PAGE:00832821j
		xor	ebx, ebx
		jmp	loc_8328E1
; 

loc_923D1A:				; CODE XREF: PAGE:008328F4j
		mov	ecx, eax
		jmp	loc_8328FA
; 

loc_923D21:				; CODE XREF: PAGE:00832909j
		mov	ecx, eax
		jmp	loc_83290F
; 

loc_923D28:				; DATA XREF: .text:006A674Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		mov	eax, 1
		retn
; 

loc_923D38:				; DATA XREF: .text:006A6750o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-48h]
		jmp	loc_832A6B
; 

loc_923D4A:				; CODE XREF: PAGE:008329B6j
		mov	eax, 0FFFFC00Fh
		and	[ecx+4], ax
		jmp	loc_8329BC
; 

loc_923D58:				; DATA XREF: .text:006A6758o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		mov	eax, 1
		retn
; 

loc_923D68:				; DATA XREF: .text:006A675Co
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-54h]
		mov	[ebp-58h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-30h]
		mov	edi, [ebp-5Ch]
		jmp	loc_8329EB
; 

loc_923D83:				; CODE XREF: PAGE:00832B50j
		mov	dword ptr [esi+6Ch], 0
		push	10000h
		mov	edx, esi
		mov	ecx, edi
		call	@AlpcpCancelMessage@12 ; AlpcpCancelMessage(x,x,x)
		jmp	loc_832A69
; 

loc_923D9D:				; CODE XREF: PAGE:00832A0Bj
		mov	ecx, esi
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)
		jmp	loc_832A11
; 

loc_923DA9:				; CODE XREF: PAGE:loc_832A89j
		push	edx
		push	28h
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
; START	OF FUNCTION CHUNK FOR AlpcMessageCleanupProcedure

loc_923DB7:				; CODE XREF: AlpcMessageCleanupProcedure+42j
		mov	edx, 1
		call	AlpcpDereferenceBlobEx
		mov	dword ptr [esi+50h], 0
		jmp	loc_832C08
; 

loc_923DCD:				; CODE XREF: AlpcMessageCleanupProcedure+5Cj
		mov	eax, [esi+90h]
		push	eax
		push	ecx
		call	_PsReleaseProcessWakeCounter@8 ; PsReleaseProcessWakeCounter(x,x)
		mov	dword ptr [esi+74h], 0
		jmp	loc_832C22
; END OF FUNCTION CHUNK	FOR AlpcMessageCleanupProcedure
; 
; START	OF FUNCTION CHUNK FOR AlpcMessageDestroyProcedure

loc_923DE6:				; CODE XREF: AlpcMessageDestroyProcedure+10j
		mov	ecx, esi
		call	_AlpcpEnterFreeEventMessageLog@4 ; AlpcpEnterFreeEventMessageLog(x)
		jmp	loc_832CC6
; END OF FUNCTION CHUNK	FOR AlpcMessageDestroyProcedure

;  S U B	R O U T	I N E 


sub_923DF2	proc near		; DATA XREF: .text:006A6774o
		mov	eax, 1
		retn
sub_923DF2	endp


;  S U B	R O U T	I N E 


sub_923DF8	proc near		; DATA XREF: .text:006A6778o
		mov	esp, [ebp-18h]
		jmp	loc_832DE9
sub_923DF8	endp

; 
; START	OF FUNCTION CHUNK FOR AlpcpTryLockForCachedReferenceBlob

loc_923E00:				; CODE XREF: AlpcpTryLockForCachedReferenceBlob+3Bj
		push	eax
		push	27h
		push	esi
		push	0
		push	18h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_923E0D:				; CODE XREF: AlpcpTryLockForCachedReferenceBlob+1Aj
		test	eax, eax
		jz	short loc_923E1A
		mov	edx, eax
		mov	ecx, edi
		call	KeAbPostReleaseEx

loc_923E1A:				; CODE XREF: AlpcpTryLockForCachedReferenceBlob+F09DFj
		xor	al, al
		jmp	loc_833473
; END OF FUNCTION CHUNK	FOR AlpcpTryLockForCachedReferenceBlob
; 
; START	OF FUNCTION CHUNK FOR AlpcpInsertCompletionListEntry

loc_923E21:				; CODE XREF: AlpcpInsertCompletionListEntry+C0j
					; AlpcpInsertCompletionListEntry+C9j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_923E35
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_923E35:				; CODE XREF: AlpcpInsertCompletionListEntry+F03CCj
		mov	ecx, edi
		call	KeAbPostRelease
		jmp	loc_923FD0
; 

loc_923E41:				; CODE XREF: AlpcpInsertCompletionListEntry+82j
					; AlpcpInsertCompletionListEntry+8Aj
		mov	edx, [ebp+var_10]
		cmp	eax, esi
		jnb	loc_923F88
		test	edx, edx
		ja	loc_923F88
		jb	short loc_923E5E
		cmp	ecx, esi
		jnb	loc_923F88

loc_923E5E:				; CODE XREF: AlpcpInsertCompletionListEntry+F03F4j
		add	ecx, 1
		push	0
		push	esi
		adc	edx, 0
		push	edx
		push	ecx
		call	__aullrem
		mov	ecx, [ebp+var_4]
		shld	edx, eax, 18h
		shl	eax, 18h
		xor	edx, edi
		xor	eax, ecx
		and	edx, 0FFFFh
		and	eax, 0FF000000h
		xor	edx, edi
		xor	eax, ecx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_1C], eax
		mov	eax, edx
		mov	edx, [ebp+var_10]
		shrd	edx, eax, 18h
		shr	eax, 18h
		mov	[ebp+var_10], eax
		mov	eax, edx
		xor	eax, [ebp+var_1C]
		and	eax, 0FFFFFFh
		or	eax, 0
		jnz	short loc_923F03
		mov	ecx, [ebp+var_8]
		or	eax, 0FFFFFFFFh
		mov	ebx, [ecx+0D4h]
		add	ebx, 0Ch
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_923ED2
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_923ED2:				; CODE XREF: AlpcpInsertCompletionListEntry+F0469j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	eax, [ebp+var_4]
		mov	edx, edi
		nop
		mov	ecx, edi
		mov	ebx, eax
		mov	edi, [ebp+var_C]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_18]
		cmp	eax, [ebp+var_4]
		jnz	loc_923FD0
		cmp	edx, edi
		jz	loc_833B79
		jmp	loc_923FD0
; 

loc_923F03:				; CODE XREF: AlpcpInsertCompletionListEntry+F0450j
		mov	eax, [ebx+2Ch]
		and	edx, 0FFFFFFh
		mov	[ebp+var_10], edx
		mov	ebx, edx
		mov	edx, [ebp+var_20]
		mov	[eax+ebx*4], edx
		mov	eax, ecx
		mov	edx, edi
		nop
		mov	ebx, [ebp+var_1C]
		mov	ecx, [ebp+var_2C]
		mov	edi, [ebp+var_C]
		lock cmpxchg8b qword ptr [edi]
		mov	ecx, [ebp+var_8]
		mov	edi, [ebp+var_18]
		mov	ebx, [ecx+0D4h]
		add	ebx, 0Ch
		cmp	eax, [ebp+var_4]
		jnz	short loc_923F6B
		cmp	edx, edi
		jnz	short loc_923F6B
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_923F55
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_923F55:				; CODE XREF: AlpcpInsertCompletionListEntry+F04ECj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	eax, [ebp+var_28]
		lock inc dword ptr [eax+80h]
		jmp	loc_833B58
; 

loc_923F6B:				; CODE XREF: AlpcpInsertCompletionListEntry+F04DBj
					; AlpcpInsertCompletionListEntry+F04DFj
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_923F7F
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_923F7F:				; CODE XREF: AlpcpInsertCompletionListEntry+F0516j
		mov	ecx, ebx
		call	KeAbPostRelease
		jmp	short loc_923FD0
; 

loc_923F88:				; CODE XREF: AlpcpInsertCompletionListEntry+F03E6j
					; AlpcpInsertCompletionListEntry+F03EEj ...
		mov	ecx, [ebp+var_8]
		or	eax, 0FFFFFFFFh
		mov	ebx, [ecx+0D4h]
		add	ebx, 0Ch
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_923FA8
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_923FA8:				; CODE XREF: AlpcpInsertCompletionListEntry+F053Fj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	eax, [ebp+var_4]
		mov	edx, edi
		nop
		mov	ecx, edi
		mov	ebx, eax
		mov	edi, [ebp+var_C]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_18]
		cmp	eax, [ebp+var_4]
		jnz	short loc_923FD0
		cmp	edx, edi
		jz	loc_833B79

loc_923FD0:				; CODE XREF: AlpcpInsertCompletionListEntry+F03DCj
					; AlpcpInsertCompletionListEntry+F0490j ...
		mov	eax, [ebp+var_24]
		inc	eax
		mov	[ebp+var_24], eax
		cmp	eax, esi
		jnb	loc_833B79
		mov	ebx, [ebp+var_30]
		mov	eax, [ebp+var_8]
		mov	edi, [ebp+var_C]
		jmp	loc_833AA0
; END OF FUNCTION CHUNK	FOR AlpcpInsertCompletionListEntry
; 
; START	OF FUNCTION CHUNK FOR AlpcpAllocateCompletionBuffer

loc_923FED:				; CODE XREF: AlpcpAllocateCompletionBuffer+66j
		test	esi, esi
		jz	loc_833C20
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		push	ebx
		call	AlpcpAllocateFromBitmap
		cmp	eax, 0FFFFFFFEh
		jnz	loc_833BEE
		jmp	loc_833C08
; END OF FUNCTION CHUNK	FOR AlpcpAllocateCompletionBuffer
; 
; START	OF FUNCTION CHUNK FOR AlpcpAllocateFromBitmap

loc_92400F:				; CODE XREF: AlpcpAllocateFromBitmap+8Fj
					; AlpcpAllocateFromBitmap+F041Bj
		mov	eax, [eax]
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	loc_833D75

loc_92401C:				; CODE XREF: AlpcpAllocateFromBitmap+F0405j
		mov	edx, [ebp+var_4]
		or	ecx, 0FFFFFFFFh
		lock cmpxchg [edx], ecx
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		cmp	ecx, [ebp+var_10]
		jz	short loc_92403C
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	short loc_92401C
		jmp	loc_833D75
; 

loc_92403C:				; CODE XREF: AlpcpAllocateFromBitmap+F03FEj
		mov	eax, [ebp+var_4]
		sub	esi, 20h
		add	eax, 4
		mov	[ebp+var_4], eax
		cmp	esi, 20h
		jnb	short loc_92400F
		jmp	loc_833CC5
; 

loc_924052:				; CODE XREF: AlpcpAllocateFromBitmap+147j
		mov	ecx, [ebp+var_18]
		push	edx
		push	edi
		call	_AlpcpFreeBitmap@16 ; AlpcpFreeBitmap(x,x,x,x)
		jmp	loc_833D7D
; 

loc_924061:				; CODE XREF: AlpcpAllocateFromBitmap+1Fj
					; AlpcpAllocateFromBitmap+60j
		or	eax, 0FFFFFFFFh
		jmp	loc_833CF7
; END OF FUNCTION CHUNK	FOR AlpcpAllocateFromBitmap

;  S U B	R O U T	I N E 


sub_924069	proc near		; DATA XREF: .text:006A6794o
		xor	eax, eax
		inc	eax
		retn
sub_924069	endp


;  S U B	R O U T	I N E 


sub_92406D	proc near		; DATA XREF: .text:006A6798o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-1Ch]
		movzx	eax, word ptr [eax+80h]
		push	eax		; size_t
		push	0		; int
		push	dword ptr [ebp-20h] ; void *
		call	_memset
		jmp	loc_833DC1
sub_92406D	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlpOplockUpperLowerCompatible

loc_92408A:				; CODE XREF: FsRtlpOplockUpperLowerCompatible+35j
		cmp	ecx, 7000h
		jz	loc_833E23
		cmp	ecx, edi
		jz	loc_833E23
		cmp	ecx, 4
		jnz	loc_833E17
		jmp	loc_833E23
; 

loc_9240AC:				; CODE XREF: FsRtlpOplockUpperLowerCompatible+20j
					; FsRtlpOplockUpperLowerCompatible+42j
		cmp	ecx, esi
		jz	loc_833E17
		cmp	ecx, 10h
		jz	loc_833E17
		jmp	loc_833E23
; END OF FUNCTION CHUNK	FOR FsRtlpOplockUpperLowerCompatible
; 
; START	OF FUNCTION CHUNK FOR FsRtlpOplockFsctrlInternal

loc_9240C2:				; CODE XREF: FsRtlpOplockFsctrlInternal+1E1j
		cmp	[ebp+arg_0], 1
		jnz	short loc_924136
		mov	eax, [esi+4]
		test	dword ptr [eax+8], 0FFFFFF7Fh
		jnz	short loc_924136
		mov	al, [esi+0Eh]
		and	al, 7
		cmp	al, 7
		jnz	short loc_924136
		mov	ecx, ebx
		call	FsRtlpAttachOplockKey
		mov	edi, eax
		test	edi, edi
		jnz	loc_833FF3
		push	[ebp+arg_8]
		push	0C8h
		push	eax
		push	1
		push	eax
		mov	edx, esi
		mov	ecx, [ebp+var_20]
		call	_FsRtlpRequestExclusiveOplock@28 ; FsRtlpRequestExclusiveOplock(x,x,x,x,x,x,x)
		mov	edi, eax
		jmp	loc_833FF3
; END OF FUNCTION CHUNK	FOR FsRtlpOplockFsctrlInternal

;  S U B	R O U T	I N E 


sub_92410B	proc near		; DATA XREF: .text:006A67D8o
		mov	edi, [ebp-24h]
		mov	esi, [ebp+0Ch]
		jmp	sub_83412E
sub_92410B	endp

; 
; START	OF FUNCTION CHUNK FOR sub_83412E

loc_924116:				; CODE XREF: sub_83412E+5j
		mov	ecx, esi
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		push	0
		push	dword ptr [ebp-1Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_834139
; END OF FUNCTION CHUNK	FOR sub_83412E

;  S U B	R O U T	I N E 


sub_92412C	proc near		; CODE XREF: FsRtlpOplockFsctrlInternal+2AAj
					; DATA XREF: PAGE:00834174o
		mov	edi, 4
		jmp	loc_8340E1
sub_92412C	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlpOplockFsctrlInternal

loc_924136:				; CODE XREF: FsRtlpOplockFsctrlInternal+322j
					; FsRtlpOplockFsctrlInternal+F0296j ...
		mov	edi, 0C00000E2h
		jmp	loc_833FF3
; 

loc_924140:				; CODE XREF: FsRtlpOplockFsctrlInternal+2AAj
					; DATA XREF: PAGE:0083415Co
		cmp	[ebp+arg_0], 0
		jnz	loc_834142
		push	ebx
		call	_IoIsOperationSynchronous@4 ; IoIsOperationSynchronous(x)
		test	al, al
		jnz	loc_834142
		test	byte ptr [ebx+8], 40h
		jnz	loc_834142
		mov	eax, [esi+18h]
		test	dword ptr [eax+2Ch], 4000h
		jnz	loc_834142
		push	[ebp+arg_8]
		push	0
		push	1
		push	0
		push	10h
		push	ebx
		mov	edx, esi
		mov	ecx, [ebp+var_20]
		call	_FsRtlpRequestShareableOplock@32 ; FsRtlpRequestShareableOplock(x,x,x,x,x,x,x,x)
		mov	edi, eax
		jmp	loc_833FF3
; 

loc_92418F:				; CODE XREF: FsRtlpOplockFsctrlInternal+2AAj
					; DATA XREF: PAGE:00834164o
		push	[ebp+arg_8]
		push	1
		push	ebx
		mov	edx, esi
		mov	ecx, [ecx]
		call	_FsRtlpAcknowledgeOplockBreak@20 ; FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)
		mov	edi, eax
		jmp	loc_833FF3
; END OF FUNCTION CHUNK	FOR FsRtlpOplockFsctrlInternal

;  S U B	R O U T	I N E 


sub_9241A5	proc near		; CODE XREF: FsRtlpOplockFsctrlInternal+2AAj
					; DATA XREF: PAGE:00834170o
		push	dword ptr [ebp+10h]
		push	0
		push	ebx
		mov	edx, esi
		mov	ecx, [ecx]
		call	_FsRtlpAcknowledgeOplockBreak@20 ; FsRtlpAcknowledgeOplockBreak(x,x,x,x,x)
		mov	edi, eax
		jmp	loc_833FF3
sub_9241A5	endp


;  S U B	R O U T	I N E 


sub_9241BB	proc near		; CODE XREF: FsRtlpOplockFsctrlInternal+2AAj
					; DATA XREF: PAGE:00834168o
		push	ebx
		mov	edx, esi
		mov	ecx, [ecx]
		call	_FsRtlpOpBatchBreakClosePending@12 ; FsRtlpOpBatchBreakClosePending(x,x,x)
		mov	edi, eax
		jmp	loc_833FF3
sub_9241BB	endp


;  S U B	R O U T	I N E 


sub_9241CC	proc near		; CODE XREF: FsRtlpOplockFsctrlInternal+2AAj
					; DATA XREF: PAGE:0083416Co
		push	ebx
		mov	ecx, [ecx]
		call	_FsRtlpOplockBreakNotify@12 ; FsRtlpOplockBreakNotify(x,x,x)
		mov	edi, eax
		jmp	loc_833FF3
sub_9241CC	endp


;  S U B	R O U T	I N E 


sub_9241DB	proc near		; CODE XREF: FsRtlpOplockFsctrlInternal+7Cj
					; FsRtlpOplockFsctrlInternal+29Dj ...
		mov	dword ptr [ebx+18h], 0C000000Dh
		mov	dl, 1
		mov	ecx, ebx
		call	IofCompleteRequest
		mov	edi, 0C000000Dh
		jmp	loc_833FF3
sub_9241DB	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlpOplockFsctrlInternal

loc_9241F5:				; CODE XREF: FsRtlpOplockFsctrlInternal+98j
		mov	[ebp+var_2C], 0
		jmp	loc_833ED5
; 

loc_924201:				; CODE XREF: FsRtlpOplockFsctrlInternal+ADj
		mov	edx, 4000h
		jmp	loc_833EE5
; 

loc_92420B:				; CODE XREF: FsRtlpOplockFsctrlInternal+BBj
		xor	eax, eax
		jmp	loc_833EF6
; 

loc_924212:				; CODE XREF: FsRtlpOplockFsctrlInternal+D0j
		cmp	eax, 5000h
		ja	loc_9242C7
		jz	loc_9242D2
		test	eax, eax
		jz	short loc_924234
		cmp	eax, 1000h
		jz	loc_833F06
		jmp	short sub_9241DB
; 

loc_924234:				; CODE XREF: FsRtlpOplockFsctrlInternal+F03F5j
		mov	edi, [ecx]
		test	edi, edi
		jz	loc_924419
		mov	[ebp+arg_8], 0
		test	dword ptr [edi+48h], 10000h
		jz	loc_924419
		lea	eax, [ebp+arg_8]
		push	eax
		mov	edx, [esi+18h]
		mov	ecx, edi
		call	_FsRtlpCallerIsAtomicRequestor@12 ; FsRtlpCallerIsAtomicRequestor(x,x,x)
		test	al, al
		jz	loc_924419
		mov	esi, [ebp+arg_8]
		mov	ecx, esi
		call	_FsRtlpOplockDequeueRH@4 ; FsRtlpOplockDequeueRH(x)
		lea	eax, [esi+1Ch]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_9242C0
		cmp	[ecx], eax
		jnz	short loc_9242C0
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	eax, [edi+3Ch]
		cmp	[eax], eax
		jnz	short loc_924296
		and	dword ptr [edi+48h], 0FFFCFFFFh

loc_924296:				; CODE XREF: FsRtlpOplockFsctrlInternal+F045Dj
		cmp	dword ptr [esi+14h], 0
		jz	short loc_9242A5
		mov	edx, esi
		mov	ecx, edi
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)

loc_9242A5:				; CODE XREF: FsRtlpOplockFsctrlInternal+F046Aj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, edi
		call	FsRtlpComputeShareableOplockState
		mov	ecx, edi
		call	FsRtlpReleaseIrpsWaitingForRH
		jmp	loc_924419
; 

loc_9242C0:				; CODE XREF: FsRtlpOplockFsctrlInternal+F044Dj
					; FsRtlpOplockFsctrlInternal+F0451j
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9242C7:				; CODE XREF: FsRtlpOplockFsctrlInternal+F03E7j
		cmp	eax, 7000h
		jnz	sub_9241DB

loc_9242D2:				; CODE XREF: FsRtlpOplockFsctrlInternal+F03EDj
		push	ebx
		call	_IoIsOperationSynchronous@4 ; IoIsOperationSynchronous(x)
		test	al, al
		jnz	loc_834142
		mov	eax, [esi+18h]
		test	dword ptr [eax+2Ch], 4000h
		jnz	loc_834142
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_34]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 2000h
		mov	eax, [ebp+var_30]
		neg	eax
		sbb	eax, eax
		and	eax, 4000h
		add	eax, 40h
		or	ecx, eax
		shl	edi, 0Ch
		or	ecx, edi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ebx
		mov	edx, esi
		mov	ecx, [ebp+var_20]
		call	_FsRtlpRequestExclusiveOplock@28 ; FsRtlpRequestExclusiveOplock(x,x,x,x,x,x,x)
		mov	edi, eax
		jmp	loc_833FF3
; 

loc_92432F:				; CODE XREF: FsRtlpOplockFsctrlInternal+107j
		xor	edi, edi
		jmp	loc_833F42
; 

loc_924336:				; CODE XREF: FsRtlpOplockFsctrlInternal+116j
		mov	edx, 4000h
		jmp	loc_833F4E
; 

loc_924340:				; CODE XREF: FsRtlpOplockFsctrlInternal+122j
		xor	eax, eax
		jmp	loc_833F5D
; 

loc_924347:				; CODE XREF: FsRtlpOplockFsctrlInternal+136j
		xor	eax, eax
		mov	ecx, [ebp+var_38]
		jmp	loc_833F91
; 

loc_924351:				; CODE XREF: FsRtlpOplockFsctrlInternal+163j
		mov	[ebp+arg_0], 0
		jmp	loc_833F9F
; 

loc_92435D:				; CODE XREF: FsRtlpOplockFsctrlInternal+172j
		xor	edi, edi
		jmp	loc_833FAD
; 

loc_924364:				; CODE XREF: FsRtlpOplockFsctrlInternal+180j
		mov	edx, 4000h
		jmp	loc_833FB8
; 

loc_92436E:				; CODE XREF: FsRtlpOplockFsctrlInternal+18Bj
		xor	eax, eax
		jmp	loc_833FC6
; END OF FUNCTION CHUNK	FOR FsRtlpOplockFsctrlInternal

;  S U B	R O U T	I N E 


sub_924375	proc near		; DATA XREF: .text:006A67E4o
		mov	edi, [ebp-24h]
		mov	esi, [ebp-20h]
		jmp	sub_834122
sub_924375	endp

; 
; START	OF FUNCTION CHUNK FOR sub_834122

loc_924380:				; CODE XREF: sub_834122+5j
		mov	ecx, [esi]
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		push	0
		push	dword ptr [ebp-1Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	locret_83412D
; END OF FUNCTION CHUNK	FOR sub_834122
; 
; START	OF FUNCTION CHUNK FOR FsRtlpOplockFsctrlInternal

loc_924396:				; CODE XREF: FsRtlpOplockFsctrlInternal+87j
		test	al, 2
		jz	sub_9241DB
		mov	eax, [edi+4]
		mov	[ebp+arg_4], eax
		mov	ecx, eax
		and	ecx, 6
		shl	ecx, 0Ch
		and	eax, 1
		shl	eax, 0Ch
		or	ecx, eax
		mov	[ebp+arg_0], ecx
		cmp	ecx, 3000h
		ja	short loc_9243D2
		jz	short loc_9243E6
		test	ecx, ecx
		jz	short loc_9243E6
		cmp	ecx, 1000h
		jz	short loc_9243E6
		jmp	sub_9241DB
; 

loc_9243D2:				; CODE XREF: FsRtlpOplockFsctrlInternal+F058Dj
		cmp	ecx, 5000h
		jz	short loc_9243E6
		cmp	ecx, 7000h
		jnz	sub_9241DB

loc_9243E6:				; CODE XREF: FsRtlpOplockFsctrlInternal+F058Fj
					; FsRtlpOplockFsctrlInternal+F0593j ...
		push	ebx
		call	_IoIsOperationSynchronous@4 ; IoIsOperationSynchronous(x)
		test	al, al
		jnz	sub_9241DB
		mov	eax, [esi+18h]
		test	dword ptr [eax+2Ch], 4000h
		jz	short loc_924430
		mov	ecx, 6
		xor	eax, eax
		rep stosd
		mov	eax, [ebp+var_28]
		mov	dword ptr [eax], 180001h
		mov	dword ptr [ebx+1Ch], 18h

loc_924419:				; CODE XREF: FsRtlpOplockFsctrlInternal+F0408j
					; FsRtlpOplockFsctrlInternal+F041Cj ...
		mov	dword ptr [ebx+18h], 0
		mov	dl, 1
		mov	ecx, ebx
		call	IofCompleteRequest
		xor	edi, edi
		jmp	loc_833FF3
; 

loc_924430:				; CODE XREF: FsRtlpOplockFsctrlInternal+F05CEj
		mov	[ebp+var_4], 2
		test	[ebp+arg_0], 2000h
		jz	short loc_924467
		push	6F725346h
		push	24h
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_1C], edi
		mov	ecx, 9
		xor	eax, eax
		rep stosd
		mov	eax, [ebp+var_28]
		mov	ecx, [eax+4]
		mov	eax, [ebp+var_1C]
		jmp	short loc_92446C
; 

loc_924467:				; CODE XREF: FsRtlpOplockFsctrlInternal+F060Ej
		xor	eax, eax
		mov	ecx, [ebp+arg_4]

loc_92446C:				; CODE XREF: FsRtlpOplockFsctrlInternal+F0635j
		neg	eax
		sbb	eax, eax
		lea	edx, [ebp+var_1C]
		and	eax, edx
		push	[ebp+arg_8]
		push	eax
		mov	eax, ecx
		and	eax, 1
		shl	eax, 0Ch
		and	ecx, 6
		shl	ecx, 0Ch
		or	eax, ecx
		push	eax
		push	ebx
		mov	edx, esi
		mov	esi, [ebp+var_20]
		mov	ecx, [esi]
		call	_FsRtlpAcknowledgeOplockBreakByCacheFlags@24 ; FsRtlpAcknowledgeOplockBreakByCacheFlags(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_24], edi
		mov	[ebp+var_4], 0FFFFFFFEh
		call	sub_9244B3
		jmp	loc_833FF3
; END OF FUNCTION CHUNK	FOR FsRtlpOplockFsctrlInternal

;  S U B	R O U T	I N E 


sub_9244AD	proc near		; DATA XREF: .text:006A67F0o
		mov	edi, [ebp-24h]
		mov	esi, [ebp-20h]
sub_9244AD	endp


;  S U B	R O U T	I N E 


sub_9244B3	proc near		; CODE XREF: FsRtlpOplockFsctrlInternal+F0673p
		mov	edx, [ebp-1Ch]
		test	edx, edx
		jz	nullsub_9
		mov	ecx, [esi]
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		push	0
		push	dword ptr [ebp-1Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	nullsub_9
sub_9244B3	endp

; 
; START	OF FUNCTION CHUNK FOR FsRtlpOplockFsctrlInternal

loc_9244D4:				; CODE XREF: FsRtlpOplockFsctrlInternal+68j
					; FsRtlpOplockFsctrlInternal+72j
		mov	dword ptr [ebx+18h], 0C0000023h
		mov	dl, 1
		mov	ecx, ebx
		call	IofCompleteRequest
		mov	edi, 0C0000023h
		jmp	loc_833FF3
; END OF FUNCTION CHUNK	FOR FsRtlpOplockFsctrlInternal
; 
; START	OF FUNCTION CHUNK FOR EtwpRegisterUMGuid

loc_9244EE:				; CODE XREF: EtwpRegisterUMGuid+4Fj
		mov	eax, 0C0000022h
		jmp	loc_834FFF
; 

loc_9244F8:				; CODE XREF: EtwpRegisterUMGuid+363j
		mov	edi, 0C0000017h
		jmp	loc_834FFD
; 

loc_924502:				; CODE XREF: EtwpRegisterUMGuid+F3j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [esi+168h]
		xor	edx, edx
		add	ecx, 16Ch
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		mov	eax, [esi+168h]
		mov	[eax+170h], ecx
		jmp	loc_834E39
; 

loc_92453B:				; CODE XREF: EtwpRegisterUMGuid+13Aj
		lea	ecx, [eax+0B0h]
		mov	[ebx], ecx
		jmp	loc_834E80
; 

loc_924548:				; CODE XREF: EtwpRegisterUMGuid+143j
		mov	edi, 0C0000023h
		jmp	loc_834FB8
; 

loc_924552:				; CODE XREF: EtwpRegisterUMGuid+184j
		mov	ecx, 100h
		lea	eax, [edi+32h]
		lock or	[eax], cx
		jmp	loc_834ECA
; 

loc_924563:				; CODE XREF: EtwpRegisterUMGuid+1C7j
		cmp	dword ptr [ecx+40h], 0
		jz	short loc_92457F
		mov	dl, [edi+32h]
		lea	eax, [edi+36h]
		push	eax
		push	1
		shr	dl, 3
		push	1
		and	dl, 1
		call	EtwpUpdateEnableMask

loc_92457F:				; CODE XREF: EtwpRegisterUMGuid+EF827j
		mov	al, [edi+36h]
		mov	ecx, edi
		mov	dl, [edi+32h]
		mov	byte ptr [esp+58h+var_45], al
		lea	eax, [esp+58h+var_45]
		push	eax
		push	1
		shr	dl, 3
		push	0
		and	dl, 1
		call	EtwpApplyScopeFilters
		jmp	loc_834F0D
; 

loc_9245A4:				; CODE XREF: EtwpRegisterUMGuid+23Bj
		mov	edx, [ebp+arg_8]
		lea	ecx, [eax+0B0h]
		push	[esp+58h+var_45+1]
		mov	[edx], ecx
		lea	ecx, [ebx+0B0h]
		mov	edx, esi
		mov	dword ptr [ebx+0ACh], 80000000h
		mov	[ebx+0A8h], eax
		mov	dword ptr [ebx+0A0h], 88h
		mov	dword ptr [ebx+0A4h], 0
		call	_EtwpCopySchematizedFilters@12 ; EtwpCopySchematizedFilters(x,x,x)
		mov	eax, 1
		jmp	loc_834F81
; 

loc_9245EE:				; CODE XREF: EtwpRegisterUMGuid+26Ej
		push	ebx
		push	0
		push	1
		sub	esp, 8
		mov	ecx, offset _ETW_EVENT_PROVIDER_REGISTER
		call	_EtwpEventWriteTemplateSessAndProv@28 ;	EtwpEventWriteTemplateSessAndProv(x,x,x,x,x,x,x)
		jmp	loc_834FB4
; 

loc_924605:				; CODE XREF: EtwpRegisterUMGuid+2A3j
		mov	dword ptr [eax+170h], 0
		xor	edx, edx
		mov	ecx, [esi+168h]
		add	ecx, 16Ch
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_834FE9
; END OF FUNCTION CHUNK	FOR EtwpRegisterUMGuid
; 
; START	OF FUNCTION CHUNK FOR EtwpGetSchematizedFilterSize

loc_924633:				; CODE XREF: EtwpGetSchematizedFilterSize+47j
		xor	eax, eax
		mov	cl, dl
		inc	eax
		shl	eax, cl
		test	al, ch
		jz	loc_8350D7
		mov	eax, [ebp+var_8]
		mov	eax, [eax+10h]
		add	eax, 7
		and	eax, 0FFFFFFF8h
		add	esi, eax
		jmp	loc_8350D7
; END OF FUNCTION CHUNK	FOR EtwpGetSchematizedFilterSize
; 
; START	OF FUNCTION CHUNK FOR SeCaptureSubjectContextEx

loc_924655:				; CODE XREF: SeCaptureSubjectContextEx+87j
		xor	edi, edi
		jmp	loc_8351ED
; 

loc_92465C:				; CODE XREF: SeCaptureSubjectContextEx+4Bj
		test	edi, edi
		jz	short loc_92467A
		mov	eax, [edi+294h]
		add	eax, 98h
		lock inc dword ptr [eax]
		mov	eax, [esi+8]
		cmp	eax, _SepTokenLeakToken
		jnz	short loc_92467A
		int	3		; Trap to Debugger

loc_92467A:				; CODE XREF: SeCaptureSubjectContextEx+EF51Ej
					; SeCaptureSubjectContextEx+EF537j
		mov	eax, [esi]
		test	eax, eax
		jz	loc_835191
		mov	eax, [eax+294h]
		add	eax, 98h
		lock inc dword ptr [eax]
		mov	eax, [esi]
		cmp	eax, _SepTokenLeakToken
		jnz	loc_835191
		int	3		; Trap to Debugger
		jmp	loc_835191
; END OF FUNCTION CHUNK	FOR SeCaptureSubjectContextEx
; 
; START	OF FUNCTION CHUNK FOR EtwpDeleteRegistrationObject

loc_9246A6:				; CODE XREF: EtwpDeleteRegistrationObject+ECj
		mov	eax, [esi+10h]
		push	48h		; size_t
		mov	[esp+6Ch+var_4C], eax
		lea	eax, [esp+6Ch+var_48]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [esp+74h+var_4C]
		add	esp, 0Ch
		test	byte ptr [ecx+32h], 40h
		jnz	short loc_924700
		mov	eax, [ebx+14h]
		lea	edx, [esp+68h+var_48]
		mov	ecx, [ecx+18h]
		mov	[esp+68h+var_10], eax
		mov	eax, [ebx+18h]
		mov	[esp+68h+var_C], eax
		mov	eax, [ebx+1Ch]
		mov	[esp+68h+var_8], eax
		mov	eax, [ebx+20h]
		mov	[esp+68h+var_44], 48h
		mov	[esp+68h+var_48], 1
		mov	[esp+68h+var_4], eax
		call	EtwpQueueReply

loc_924700:				; CODE XREF: EtwpDeleteRegistrationObject+EF446j
		mov	edx, 2
		mov	ecx, esi
		call	_EtwpReleaseQueueEntry@8 ; EtwpReleaseQueueEntry(x,x)
		mov	eax, [esp+68h+var_54]
		jmp	loc_835372
; 

loc_924715:				; CODE XREF: EtwpDeleteRegistrationObject+204j
					; EtwpDeleteRegistrationObject+EF4ABj
		mov	esi, edi
		mov	edi, [edi]
		mov	ecx, [esi+8]
		call	_EtwpUnreferenceDataBlock@4 ; EtwpUnreferenceDataBlock(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	ebx, edi
		jnz	short loc_924715
		mov	esi, [esp+68h+var_50]
		jmp	loc_835466
; 

loc_924736:				; CODE XREF: EtwpDeleteRegistrationObject+1CAj
		push	0
		push	eax
		push	ebx
		push	3
		push	11Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_924747:				; CODE XREF: PAGE:008354ACj
		push	0
		push	0
		push	eax
		push	9
		push	11Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_924759:				; CODE XREF: EtwpReferenceGuidEntry+1Cj
		push	0
		push	0
		push	ecx
		push	9
		push	11Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_92476B:				; CODE XREF: EtwpTrackProviderRegistration+7Bj
					; EtwpTrackProviderRegistration+8Bj
		mov	dl, byte ptr [ebp+var_4+3]
		mov	ecx, eax
		push	edi
		call	EtwpProviderArrivalCallback
		mov	eax, [ebp+var_14]
		jmp	loc_835711
; END OF FUNCTION CHUNK	FOR EtwpDeleteRegistrationObject
; 
; START	OF FUNCTION CHUNK FOR EtwpTrackProviderRegistration

loc_92477E:				; CODE XREF: EtwpTrackProviderRegistration+48j
		mov	eax, [ecx+168h]
		mov	ecx, ds:_EtwpHostSiloState
		push	0
		movzx	edx, word ptr [eax+esi+66h]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_9247C6
		test	byte ptr [edi+32h], 20h
		jnz	short loc_9247AF
		test	dword ptr [eax+258h], 2000000h
		jz	short loc_9247BD

loc_9247AF:				; CODE XREF: EtwpTrackProviderRegistration+EF121j
		mov	dl, [ebp+var_1]
		mov	ecx, eax
		push	edi
		call	EtwpProviderArrivalCallback
		mov	eax, [ebp+var_14]

loc_9247BD:				; CODE XREF: EtwpTrackProviderRegistration+EF12Dj
		xor	dl, dl
		mov	ecx, eax
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_9247C6:				; CODE XREF: EtwpTrackProviderRegistration+EF11Bj
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		jmp	loc_8356CE
; END OF FUNCTION CHUNK	FOR EtwpTrackProviderRegistration
; 
; START	OF FUNCTION CHUNK FOR EtwpApplyScopeFilters

loc_9247D1:				; CODE XREF: EtwpApplyScopeFilters+2Dj
		mov	eax, [eax+168h]
		mov	[ebp+var_8], eax
		jmp	loc_835793
; 

loc_9247DF:				; CODE XREF: EtwpApplyScopeFilters+62j
		test	dword ptr [esi], 400h
		jz	loc_8357A6
		jmp	loc_8357C8
; 

loc_9247F0:				; CODE XREF: EtwpApplyScopeFilters+B2j
		xor	al, al
		mov	[ebp+var_10], 0
		mov	[ebp+arg_3], al
		mov	eax, [ecx+28h]
		mov	eax, [eax+0E4h]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_18]
		mov	eax, [eax+4]
		mov	edx, [eax]
		test	edx, edx
		mov	[ebp+var_20], edx
		mov	edx, [ebp+arg_8]
		jz	short loc_924838
		add	eax, 4

loc_92481D:				; CODE XREF: EtwpApplyScopeFilters+EF0D6j
		mov	edx, [ebp+var_1C]
		cmp	[eax], edx
		mov	edx, [ebp+arg_8]
		jz	short loc_924848
		inc	[ebp+var_10]
		add	eax, 4
		mov	ecx, [ebp+var_20]
		cmp	[ebp+var_10], ecx
		mov	ecx, [ebp+var_C]
		jb	short loc_92481D

loc_924838:				; CODE XREF: EtwpApplyScopeFilters+EF0B8j
		mov	al, [ebp+arg_3]

loc_92483B:				; CODE XREF: EtwpApplyScopeFilters+EF0EDj
		test	al, al
		jz	loc_8357EE
		jmp	loc_83581B
; 

loc_924848:				; CODE XREF: EtwpApplyScopeFilters+EF0C5j
		mov	al, 1
		mov	[ebp+arg_3], al
		jmp	short loc_92483B
; 

loc_92484F:				; CODE XREF: EtwpApplyScopeFilters+C9j
		mov	eax, [ebp+var_18]
		mov	edx, [eax+8]
		call	_EtwpApplyExeFilter@8 ;	EtwpApplyExeFilter(x,x)
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+var_C]
		mov	[ebp+arg_3], al
		jmp	loc_83582F
; 

loc_924868:				; CODE XREF: EtwpApplyScopeFilters+F2j
					; EtwpApplyScopeFilters+107j
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_C]
		mov	eax, [edx+10h]
		mov	edx, [edx+0Ch]
		push	eax
		call	_EtwpApplyPackageIdFilter@12 ; EtwpApplyPackageIdFilter(x,x,x)
		mov	edx, [ebp+arg_8]
		mov	[ebp+arg_3], al
		jmp	loc_83586D
; 

loc_924885:				; CODE XREF: EtwpApplyScopeFilters+12Bj
		mov	edx, [ecx+edi+14h]
		mov	ecx, [ebp+var_C]
		call	_EtwpApplyContainerFilter@8 ; EtwpApplyContainerFilter(x,x)
		mov	edx, [ebp+arg_8]
		jmp	loc_835894
; END OF FUNCTION CHUNK	FOR EtwpApplyScopeFilters
; 
; START	OF FUNCTION CHUNK FOR EtwpAddRegEntryToGroup

loc_924899:				; CODE XREF: EtwpAddRegEntryToGroup+60j
		mov	ecx, [esp+0B8h+var_8C]
		mov	edx, esi
		push	2
		call	_EtwpAddGuidEntry@12 ; EtwpAddGuidEntry(x,x,x)
		mov	ebx, eax
		mov	[esp+0B8h+var_90], eax
		test	ebx, ebx
		jnz	loc_835A56
		mov	esi, 0C0000017h
		jmp	loc_835CFA
; 

loc_9248BE:				; CODE XREF: EtwpAddRegEntryToGroup+160j
		lea	ecx, [eax+10h]
		add	[esi], ecx
		jmp	loc_835B56
; 

loc_9248C8:				; CODE XREF: EtwpAddRegEntryToGroup+171j
		mov	esi, 0C0000023h
		jmp	loc_835C85
; 

loc_9248D2:				; CODE XREF: EtwpAddRegEntryToGroup+18Cj
		mov	ecx, 3
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9248D9:				; CODE XREF: EtwpAddRegEntryToGroup+1A0j
		mov	eax, [ebx+168h]
		test	eax, eax
		jz	short loc_9248ED
		cmp	dword ptr [eax+40h], 0
		jnz	loc_835B96

loc_9248ED:				; CODE XREF: EtwpAddRegEntryToGroup+EEEF1j
		mov	dword ptr [esi], 0
		jmp	loc_835C83
; 

loc_9248F8:				; CODE XREF: EtwpAddRegEntryToGroup+348j
		mov	ecx, [esp+0B8h+var_A0]
		xor	dl, dl
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		jmp	loc_835BBA
; 

loc_924908:				; CODE XREF: EtwpAddRegEntryToGroup+370j
		mov	[esp+0B8h+var_A5+1], 0C0000022h
		jmp	loc_835D7A
; 

loc_924915:				; CODE XREF: EtwpAddRegEntryToGroup+3ACj
		mov	ecx, [esp+0B8h+var_A0]
		xor	dl, dl
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		jmp	loc_835BBA
; 

loc_924925:				; CODE XREF: EtwpAddRegEntryToGroup+20Aj
		xor	edx, edx
		mov	[esp+0B8h+var_A6], 0
		lea	ebx, [ecx+66h]
		mov	[esp+0B8h+var_A0], edx
		mov	[esp+0B8h+var_94], ebx
		xor	ecx, ecx
		mov	[esp+0B8h+var_A5+1], 8
		lea	eax, [edx+8]

loc_924944:				; CODE XREF: EtwpAddRegEntryToGroup+EF01Aj
		cmp	dword ptr [ebx-6], 0
		jz	loc_9249F7
		movzx	edx, word ptr [ebx]
		mov	ecx, ds:_EtwpHostSiloState
		push	0
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edx, [edi+10h]
		mov	esi, eax
		add	edx, 14h
		mov	ecx, esi
		call	EtwpIsGuidAllowed
		test	al, al
		jnz	short loc_92497C
		xor	dl, dl
		mov	ecx, esi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		jmp	short loc_9249EF
; 

loc_92497C:				; CODE XREF: EtwpAddRegEntryToGroup+EEF7Fj
		lea	ebx, [esi+1F0h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+234h]
		test	eax, eax
		jz	short loc_9249A7
		mov	ecx, [edi+10h]
		push	eax
		add	ecx, 14h
		call	_EtwpAccessCheckFromState@12 ; EtwpAccessCheckFromState(x,x,x)
		mov	[esp+0B8h+var_9C], eax
		jmp	short loc_9249AF
; 

loc_9249A7:				; CODE XREF: EtwpAddRegEntryToGroup+EEFA3j
		mov	[esp+0B8h+var_9C], 0C0000022h

loc_9249AF:				; CODE XREF: EtwpAddRegEntryToGroup+EEFB5j
		xor	edx, edx
		mov	eax, 11h
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_9249C6
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9249C6:				; CODE XREF: EtwpAddRegEntryToGroup+EEFCDj
		mov	ecx, ebx
		call	KeAbPostRelease
		cmp	[esp+0B8h+var_9C], 0
		jl	short loc_9249E2
		mov	edx, [esp+0B8h+var_A0]
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	[esp+0B8h+var_A6], al

loc_9249E2:				; CODE XREF: EtwpAddRegEntryToGroup+EEFE2j
		xor	dl, dl
		mov	ecx, esi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		mov	ebx, [esp+0B8h+var_94]

loc_9249EF:				; CODE XREF: EtwpAddRegEntryToGroup+EEF8Aj
		mov	ecx, [esp+0B8h+var_A0]
		mov	eax, [esp+0B8h+var_A5+1]

loc_9249F7:				; CODE XREF: EtwpAddRegEntryToGroup+EEF58j
		inc	ecx
		add	ebx, 20h
		sub	eax, 1
		mov	[esp+0B8h+var_A0], ecx
		mov	[esp+0B8h+var_94], ebx
		mov	[esp+0B8h+var_A5+1], eax
		jnz	loc_924944
		mov	bl, [esp+0B8h+var_A6]
		lea	eax, [esp+0B8h+var_A5]
		push	eax
		push	1
		push	2
		xor	dl, dl
		mov	byte ptr [esp+0C4h+var_A5], bl
		mov	ecx, edi
		call	EtwpApplyScopeFilters
		mov	al, byte ptr [esp+0B8h+var_A5]
		and	al, bl
		mov	ebx, [esp+0B8h+var_90]
		mov	[edi+37h], al
		mov	al, [edi+35h]
		jmp	loc_835C00
; 

loc_924A3F:				; CODE XREF: EtwpAddRegEntryToGroup+212j
		mov	al, [edi+37h]
		test	al, al
		jnz	loc_924AD0
		mov	esi, [esp+0B8h+var_88]
		mov	dword ptr [esi], 0
		jmp	loc_835C83
; 

loc_924A59:				; CODE XREF: EtwpAddRegEntryToGroup+403j
					; EtwpAddRegEntryToGroup+413j
		test	al, 1
		jz	short loc_924A67
		push	edi
		xor	dl, dl
		call	EtwpProviderArrivalCallback
		jmp	short loc_924AC7
; 

loc_924A67:				; CODE XREF: EtwpAddRegEntryToGroup+EF06Bj
		mov	ecx, [edi+28h]
		add	ecx, 0F0h
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_924AC7
		xor	eax, eax
		lea	edi, [esp+0B8h+var_34]
		mov	ecx, 6
		xor	edx, edx
		rep stosd
		mov	edi, [esp+0B8h+var_98]
		lea	eax, [esp+0B8h+var_34]
		push	eax
		mov	ecx, [edi+28h]
		call	KiStackAttachProcess
		mov	ecx, [esp+0B8h+var_A5+1]
		mov	dl, 1
		push	edi
		call	EtwpProviderArrivalCallback
		xor	edx, edx
		lea	ecx, [esp+0B8h+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [edi+28h]
		add	ecx, 0F0h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_924AC7:				; CODE XREF: EtwpAddRegEntryToGroup+EF075j
					; EtwpAddRegEntryToGroup+EF087j
		mov	ecx, [esp+0B8h+var_A5+1]
		jmp	loc_835E09
; 

loc_924AD0:				; CODE XREF: EtwpAddRegEntryToGroup+24Dj
					; EtwpAddRegEntryToGroup+EF054j
		xor	ebx, ebx
		mov	esi, 8
		xor	edx, edx
		mov	[esp+0B8h+var_8C], esi
		mov	[esp+0B8h+var_9C], edx

loc_924AE1:				; CODE XREF: EtwpAddRegEntryToGroup+EF1C2j
		mov	eax, 1
		mov	ecx, ebx
		shl	eax, cl
		test	[edi+37h], al
		jz	loc_924BA3
		mov	eax, [edi+14h]
		mov	ecx, ds:_EtwpHostSiloState
		push	0
		mov	eax, [eax+168h]
		movzx	edx, word ptr [eax+edx+66h]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	esi, eax
		movzx	eax, word ptr [edi+32h]
		test	al, 20h
		jnz	short loc_924B24
		test	dword ptr [esi+258h], 2000000h
		jz	short loc_924B92

loc_924B24:				; CODE XREF: EtwpAddRegEntryToGroup+EF126j
		test	al, 1
		jz	short loc_924B34
		push	edi
		xor	dl, dl
		mov	ecx, esi
		call	EtwpProviderArrivalCallback
		jmp	short loc_924B92
; 

loc_924B34:				; CODE XREF: EtwpAddRegEntryToGroup+EF136j
		mov	ecx, [edi+28h]
		add	ecx, 0F0h
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_924B92
		xor	eax, eax
		lea	edi, [esp+0B8h+var_1C]
		mov	ecx, 6
		xor	edx, edx
		rep stosd
		mov	edi, [esp+0B8h+var_98]
		lea	eax, [esp+0B8h+var_1C]
		push	eax
		mov	ecx, [edi+28h]
		call	KiStackAttachProcess
		push	edi
		mov	dl, 1
		mov	ecx, esi
		call	EtwpProviderArrivalCallback
		xor	edx, edx
		lea	ecx, [esp+0B8h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [edi+28h]
		add	ecx, 0F0h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_924B92:				; CODE XREF: EtwpAddRegEntryToGroup+EF132j
					; EtwpAddRegEntryToGroup+EF142j ...
		xor	dl, dl
		mov	ecx, esi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		mov	edx, [esp+0B8h+var_9C]
		mov	esi, [esp+0B8h+var_8C]

loc_924BA3:				; CODE XREF: EtwpAddRegEntryToGroup+EF0FDj
		add	edx, 20h
		inc	ebx
		sub	esi, 1
		mov	[esp+0B8h+var_9C], edx
		mov	[esp+0B8h+var_8C], esi
		jnz	loc_924AE1
		mov	ebx, [esp+0B8h+var_90]
		jmp	loc_835C43
; 

loc_924BC1:				; CODE XREF: EtwpAddRegEntryToGroup+476j
		push	46777445h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_835E6C
		movzx	ecx, byte ptr [edi+34h]
		lea	eax, [esp+0B8h+var_48]
		mov	edx, [edi+10h]
		mov	[esp+0B8h+var_7C], eax
		mov	eax, [esp+0B8h+var_84]
		push	ecx
		mov	ecx, ebx
		mov	[esp+0BCh+var_48], ebx
		mov	[esp+0BCh+var_44], 0
		mov	[esp+0BCh+var_40], eax
		mov	[esp+0BCh+var_3C], 80000000h
		call	_EtwpCopySchematizedFilters@12 ; EtwpCopySchematizedFilters(x,x,x)
		jmp	loc_835E6C
; 

loc_924C13:				; CODE XREF: EtwpAddRegEntryToGroup+4A3j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_835E99
; 

loc_924C20:				; CODE XREF: EtwpAddRegEntryToGroup+282j
		lea	ecx, [eax+88h]
		mov	[esi], ecx
		mov	esi, [esp+0B8h+var_80]
		mov	dword ptr [esi+84h], 80000000h
		lea	ecx, [esi+88h]
		mov	[esi+80h], eax
		mov	dword ptr [esi+78h], 88h
		mov	dword ptr [esi+7Ch], 0
		movzx	eax, byte ptr [edi+34h]
		mov	edx, [edi+10h]
		push	eax
		call	_EtwpCopySchematizedFilters@12 ; EtwpCopySchematizedFilters(x,x,x)
		mov	dword ptr [esi+74h], 1
		jmp	loc_835C83
; 

loc_924C69:				; CODE XREF: EtwpAddRegEntryToGroup+304j
		sub	esp, 8
		mov	edx, edi
		call	_EtwpEventWriteGroupJoin@16 ; EtwpEventWriteGroupJoin(x,x,x,x)
		jmp	loc_835CFA
; END OF FUNCTION CHUNK	FOR EtwpAddRegEntryToGroup
; 
; START	OF FUNCTION CHUNK FOR EtwpAcquireLoggerContextByLoggerId

loc_924C78:				; CODE XREF: EtwpAcquireLoggerContextByLoggerId+Fj
		mov	eax, 1
		jmp	loc_835ECE
; 

loc_924C82:				; CODE XREF: EtwpAcquireLoggerContextByLoggerId+4Dj
		mov	ecx, [esi+188h]
		mov	edx, 1
		mov	ecx, [ecx+edi*4]
		call	@ExReleaseRundownProtectionCacheAwareEx@8 ; ExReleaseRundownProtectionCacheAwareEx(x,x)
		jmp	loc_835F20
; 

loc_924C9A:				; CODE XREF: EtwpAcquireLoggerContextByLoggerId+61j
		mov	dl, al
		mov	ecx, ebx
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		xor	eax, eax
		jmp	loc_835F19
; END OF FUNCTION CHUNK	FOR EtwpAcquireLoggerContextByLoggerId
; 
; START	OF FUNCTION CHUNK FOR ObReferenceObjectByName

loc_924CAA:				; CODE XREF: ObReferenceObjectByName+94j
					; ObReferenceObjectByName+BFj
		mov	eax, 0C0000033h
		jmp	loc_83617B
; END OF FUNCTION CHUNK	FOR ObReferenceObjectByName
; 
; START	OF FUNCTION CHUNK FOR ObpFreeObjectNameBuffer

loc_924CB4:				; CODE XREF: ObpFreeObjectNameBuffer+4Ej
		inc	dword ptr [ecx+18h]
		push	edx
		call	dword ptr [ecx+2Ch]
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR ObpFreeObjectNameBuffer
; 
; START	OF FUNCTION CHUNK FOR ObpInsertOrLocateNamedObject

loc_924CBD:				; CODE XREF: ObpInsertOrLocateNamedObject+A4j
		xor	esi, esi
		jmp	loc_8362BB
; 

loc_924CC4:				; CODE XREF: ObpInsertOrLocateNamedObject+375j
		mov	esi, [ebp+var_A4]
		test	esi, esi
		jz	short loc_924CDA
		push	[ebp+var_AC]
		push	esi
		call	_ObReleaseObjectSecurity@8 ; ObReleaseObjectSecurity(x,x)

loc_924CDA:				; CODE XREF: ObpInsertOrLocateNamedObject+EEACCj
		lea	ecx, [ebp+var_E0]
		call	_ObpDeleteDirectoryEntry@4 ; ObpDeleteDirectoryEntry(x)
		lea	ecx, [ebp+var_E0]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)
		mov	ecx, [ebp+var_98]
		mov	edx, edi
		call	_ObpDecrementHandleCount@8 ; ObpDecrementHandleCount(x,x)
		mov	eax, [ebp+var_94]
		jmp	loc_83645C
; 

loc_924D08:				; CODE XREF: ObpInsertOrLocateNamedObject+3A0j
		mov	esi, [ebp+var_A4]
		test	esi, esi
		jz	short loc_924D1E
		push	[ebp+var_AC]
		push	esi
		call	_ObReleaseObjectSecurity@8 ; ObReleaseObjectSecurity(x,x)

loc_924D1E:				; CODE XREF: ObpInsertOrLocateNamedObject+EEB10j
		lea	ecx, [ebp+var_E0]
		call	_ObpDeleteDirectoryEntry@4 ; ObpDeleteDirectoryEntry(x)
		lea	ecx, [ebp+var_E0]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)
		mov	ecx, [ebp+var_98]
		mov	edx, edi
		call	_ObpDecrementHandleCount@8 ; ObpDecrementHandleCount(x,x)
		mov	eax, [ebp+var_94]
		jmp	loc_83645C
; 

loc_924D4C:				; CODE XREF: ObpInsertOrLocateNamedObject+31Fj
		mov	ecx, [ebp+var_89+1]
		call	ObfDereferenceObject
		jmp	loc_83645A
; END OF FUNCTION CHUNK	FOR ObpInsertOrLocateNamedObject
; 
; START	OF FUNCTION CHUNK FOR RtlConvertSidToUnicodeString

loc_924D5C:				; CODE XREF: RtlConvertSidToUnicodeString+70j
					; RtlConvertSidToUnicodeString+7Aj
		push	offset ??_C@_15OEMMNBIC@?$AA0?$AAx@NNGAKEGL@
		lea	eax, [ebp+var_204]
		push	100h
		push	eax
		call	_wcscat_s
		movzx	ecx, byte ptr [edi+2]
		lea	esi, [ebp+var_1F8]
		movzx	eax, byte ptr [edi+3]
		add	esp, 0Ch
		shl	ecx, 8
		add	ecx, eax
		movzx	eax, byte ptr [edi+5]
		mov	[ebp+var_214], ecx
		movzx	ecx, byte ptr [edi+4]
		shl	ecx, 8
		add	ecx, eax
		movzx	eax, byte ptr [edi+6]
		shl	ecx, 8
		add	ecx, eax
		movzx	eax, byte ptr [edi+7]
		shl	ecx, 8
		add	ecx, eax
		mov	eax, esi
		push	eax
		mov	[ebp+var_218], ecx
		lea	ecx, [ebp+var_218]
		push	0FAh
		call	_RtlLargeIntegerToUnicode@16 ; RtlLargeIntegerToUnicode(x,x,x,x)
		jmp	loc_8367EF
; 

loc_924DCB:				; CODE XREF: RtlConvertSidToUnicodeString+3Ej
					; RtlConvertSidToUnicodeString+46j
		mov	eax, 0C0000078h
		jmp	loc_836872
; END OF FUNCTION CHUNK	FOR RtlConvertSidToUnicodeString
; 
; START	OF FUNCTION CHUNK FOR RtlIntegerToUnicode

loc_924DD5:				; CODE XREF: RtlIntegerToUnicode+120j
					; DATA XREF: PAGE:00836A84o
		mov	eax, 3
		jmp	loc_836A2C
; 

loc_924DDF:				; CODE XREF: RtlIntegerToUnicode+120j
					; DATA XREF: PAGE:00836A80o
		mov	eax, 1
		jmp	loc_836A2C
; 

loc_924DE9:				; CODE XREF: RtlIntegerToUnicode+120j
					; DATA XREF: PAGE:off_836A7Co
		mov	ebx, 0Ah
		jmp	loc_83694A
; 

loc_924DF3:				; CODE XREF: RtlIntegerToUnicode+113j
					; RtlIntegerToUnicode+120j
					; DATA XREF: ...
		mov	eax, 0C000000Dh
		jmp	loc_8369E7
; 

loc_924DFD:				; CODE XREF: RtlIntegerToUnicode+B6j
		mov	eax, 80000005h
		jmp	loc_8369E7
; END OF FUNCTION CHUNK	FOR RtlIntegerToUnicode

;  S U B	R O U T	I N E 


sub_924E07	proc near		; DATA XREF: .text:006A6884o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-70h], eax
		mov	eax, 1
		retn
sub_924E07	endp


;  S U B	R O U T	I N E 


sub_924E17	proc near		; DATA XREF: .text:006A6888o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-70h]
		jmp	loc_8369E7
sub_924E17	endp

; 
; START	OF FUNCTION CHUNK FOR RtlpSetSecurityObject

loc_924E29:				; CODE XREF: RtlpSetSecurityObject+6ECj
		mov	[esp+0F8h+var_E4], 0
		jmp	loc_836BC0
; 

loc_924E36:				; CODE XREF: RtlpSetSecurityObject+199j
		mov	ebx, 0C00000E7h
		jmp	loc_836FB5
; 

loc_924E40:				; CODE XREF: RtlpSetSecurityObject+1ABj
		mov	byte ptr [esp+0F8h+var_98], 1
		jmp	loc_836C66
; 

loc_924E4A:				; CODE XREF: RtlpSetSecurityObject+1B8j
		mov	[esp+0F8h+var_B4], 1
		jmp	loc_836C73
; 

loc_924E54:				; CODE XREF: RtlpSetSecurityObject+1D1j
		mov	[esp+0F8h+var_B5], 1
		jmp	loc_836C8C
; 

loc_924E5E:				; CODE XREF: RtlpSetSecurityObject+1E2j
		or	ebx, 1FFh
		mov	[esp+0F8h+var_E8], ebx
		test	edx, edx
		jnz	short loc_924E76
		and	ebx, 0FFFFFF7Fh
		mov	[esp+0F8h+var_E8], ebx

loc_924E76:				; CODE XREF: RtlpSetSecurityObject+EE3BAj
		cmp	[esp+0F8h+var_B5], 0
		jnz	short loc_924E87
		and	ebx, 0FFFFFEFFh
		mov	[esp+0F8h+var_E8], ebx

loc_924E87:				; CODE XREF: RtlpSetSecurityObject+EE3CBj
		test	esi, esi
		jnz	loc_836C98
		cmp	[esp+0F8h+var_E4], esi
		jnz	loc_836C98
		and	ebx, 0FFFFFE07h
		mov	[esp+0F8h+var_E8], ebx
		test	al, 10h
		jz	short loc_924EB3
		or	ebx, 8
		mov	[esp+0F8h+var_E8], ebx
		jmp	loc_836C98
; 

loc_924EB3:				; CODE XREF: RtlpSetSecurityObject+EE3F5j
		test	eax, 800h
		jz	loc_836C98
		mov	[esp+0F8h+var_B3], 1
		jmp	loc_836C98
; 

loc_924EC8:				; CODE XREF: RtlpSetSecurityObject+89Dj
		xor	edi, edi
		jmp	loc_837356
; 

loc_924ECF:				; CODE XREF: RtlpSetSecurityObject+1F6j
		mov	edi, [ecx+4]
		jmp	loc_836CBA
; 

loc_924ED7:				; CODE XREF: RtlpSetSecurityObject+9DEj
		xor	edi, edi
		jmp	loc_837497
; 

loc_924EDE:				; CODE XREF: RtlpSetSecurityObject+238j
		mov	edi, [eax+8]
		jmp	loc_836CFC
; 

loc_924EE6:				; CODE XREF: RtlpSetSecurityObject+243j
					; RtlpSetSecurityObject+252j ...
		mov	ebx, 0C000005Bh
		jmp	loc_836FB5
; 

loc_924EF0:				; CODE XREF: RtlpSetSecurityObject+59Fj
					; RtlpSetSecurityObject+5B8j ...
		mov	ebx, 0C0000446h
		jmp	loc_836FB5
; 

loc_924EFA:				; CODE XREF: RtlpSetSecurityObject+8D8j
					; RtlpSetSecurityObject+920j
		mov	ebx, 0C0000022h
		jmp	loc_836FB5
; 

loc_924F04:				; CODE XREF: RtlpSetSecurityObject+5F2j
		mov	ecx, [esp+0F8h+var_E4]
		mov	edx, edi
		call	_RtlpValidFilterAclSubjectContext@8 ; RtlpValidFilterAclSubjectContext(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_836FB5
		test	byte ptr [ebp+arg_8], 2
		jnz	short loc_924F32
		mov	edx, edi
		mov	ecx, esi
		call	_RtlpValidFilterAclSubjectContext@8 ; RtlpValidFilterAclSubjectContext(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_836FB5

loc_924F32:				; CODE XREF: RtlpSetSecurityObject+EE46Dj
		mov	ecx, [esp+0F8h+var_E0]
		mov	ebx, [esp+0F8h+var_E8]
		jmp	loc_8370A8
; 

loc_924F3F:				; CODE XREF: RtlpSetSecurityObject+9F7j
		mov	eax, [esp+0F8h+var_D0]
		mov	eax, [eax]
		movzx	ecx, word ptr [eax+2]
		lea	eax, [esp+0F8h+var_C4]
		push	eax
		lea	eax, [esp+0FCh+var_94]
		push	eax
		mov	eax, edx
		and	edx, 2800h
		push	2
		push	[ebp+arg_10]
		shr	eax, 1
		push	[esp+108h+var_CC]
		and	eax, 18h
		push	[esp+10Ch+var_C0]
		or	eax, edx
		mov	edx, ecx
		shr	edx, 1
		and	ecx, 2800h
		shr	eax, 1
		and	edx, 18h
		push	eax
		push	[esp+114h+var_E4]
		or	edx, ecx
		mov	ecx, esi
		shr	edx, 1
		call	_RtlpComputeMergedAcl@40 ; RtlpComputeMergedAcl(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_924FD0
		mov	eax, [esp+0F8h+var_C4]
		mov	edx, eax
		mov	ebx, [esp+0F8h+var_E8]
		and	edx, 8
		mov	ecx, [esp+0F8h+var_E0]
		or	edx, 2004h
		and	eax, 1400h
		mov	[esp+0F8h+var_AF], 1
		add	edx, edx
		or	edx, eax
		mov	eax, [esp+0F8h+var_94]
		add	edx, edx
		mov	[esp+0F8h+var_A9+1], eax
		mov	eax, [esp+0F8h+var_D4]
		mov	[esp+0F8h+var_EC], edx
		jmp	loc_8370BF
; 

loc_924FD0:				; CODE XREF: RtlpSetSecurityObject+EE4E2j
		mov	eax, [esp+0F8h+var_94]
		mov	[esp+0F8h+var_A9+1], eax
		jmp	loc_836F5B
; 

loc_924FDD:				; CODE XREF: RtlpSetSecurityObject+993j
		mov	eax, [esp+0F8h+var_D0]
		mov	eax, [eax]
		movzx	ecx, word ptr [eax+2]
		lea	eax, [esp+0F8h+var_C4]
		push	eax
		lea	eax, [esp+0FCh+var_90]
		push	eax
		mov	eax, edx
		and	edx, 800h
		push	2
		push	[ebp+arg_10]
		shr	eax, 1
		push	[esp+108h+var_CC]
		and	eax, 18h
		push	[esp+10Ch+var_C0]
		or	eax, edx
		mov	edx, ecx
		shr	edx, 1
		and	ecx, 800h
		shr	eax, 1
		and	edx, 18h
		push	eax
		push	[esp+114h+var_E4]
		or	edx, ecx
		mov	ecx, esi
		shr	edx, 1
		call	_RtlpComputeMergedAcl@40 ; RtlpComputeMergedAcl(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_925067
		mov	eax, [esp+0F8h+var_C4]
		mov	ecx, eax
		mov	ebx, [esp+0F8h+var_E8]
		and	ecx, 8
		or	ecx, 4
		mov	[esp+0F8h+var_AE], 1
		add	ecx, ecx
		and	eax, 1400h
		or	ecx, eax
		mov	eax, [esp+0F8h+var_90]
		add	ecx, ecx
		mov	[esp+0F8h+var_D8], eax
		or	[esp+0F8h+var_EC], ecx
		mov	ecx, [esp+0F8h+var_E0]
		jmp	loc_8370CC
; 

loc_925067:				; CODE XREF: RtlpSetSecurityObject+EE580j
		mov	edx, [esp+0F8h+var_90]
		mov	esi, [esp+0F8h+var_BC]
		mov	[esp+0F8h+var_D8], edx
		jmp	loc_836F63
; 

loc_925078:				; CODE XREF: RtlpSetSecurityObject+623j
		movzx	edx, word ptr [ebx+2]
		test	edi, edi
		jz	loc_925123
		mov	eax, [esp+0F8h+var_D0]
		mov	eax, [eax]
		movzx	ecx, word ptr [eax+2]
		lea	eax, [esp+0F8h+var_C4]
		push	eax
		lea	eax, [esp+0FCh+var_8C]
		push	eax
		mov	eax, edx
		and	edx, 800h
		push	2
		push	[ebp+arg_10]
		shr	eax, 1
		push	[esp+108h+var_CC]
		and	eax, 18h
		push	[esp+10Ch+var_C0]
		or	eax, edx
		mov	edx, ecx
		shr	edx, 1
		and	ecx, 800h
		shr	eax, 1
		and	edx, 18h
		push	eax
		push	[esp+114h+var_E4]
		or	edx, ecx
		mov	ecx, esi
		shr	edx, 1
		call	_RtlpComputeMergedAcl@40 ; RtlpComputeMergedAcl(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_92510E
		mov	eax, [esp+0F8h+var_C4]
		mov	ecx, eax
		mov	ebx, [esp+0F8h+var_D4]
		and	ecx, 8
		or	ecx, 4
		mov	[esp+0F8h+var_AD], 1
		add	ecx, ecx
		and	eax, 1400h
		or	ecx, eax
		mov	eax, [esp+0F8h+var_8C]
		add	ecx, ecx
		mov	[esp+0F8h+var_DC], eax
		or	[esp+0F8h+var_EC], ecx
		mov	ecx, [esp+0F8h+var_E0]
		jmp	loc_8370DD
; 

loc_92510E:				; CODE XREF: RtlpSetSecurityObject+EE627j
		mov	eax, [esp+0F8h+var_8C]
		mov	esi, [esp+0F8h+var_BC]
		mov	edx, [esp+0F8h+var_D8]
		mov	[esp+0F8h+var_DC], eax
		jmp	loc_836F67
; 

loc_925123:				; CODE XREF: RtlpSetSecurityObject+EE5CEj
		mov	eax, [esp+0F8h+var_E4]
		mov	[esp+0F8h+var_DC], eax
		mov	eax, edx
		and	eax, 2000h
		and	edx, 0A00h
		or	eax, 10h
		or	[esp+0F8h+var_EC], eax
		cmp	edx, 0A00h
		jnz	loc_8370DD
		or	[esp+0F8h+var_EC], 800h
		jmp	loc_8370DD
; 

loc_925158:				; CODE XREF: RtlpSetSecurityObject+93Dj
		mov	eax, [esp+0F8h+var_D0]
		mov	eax, [eax]
		movzx	ecx, word ptr [eax+2]
		lea	eax, [esp+0F8h+var_C4]
		push	eax
		lea	eax, [esp+0FCh+var_88]
		push	eax
		mov	eax, edx
		and	edx, 800h
		push	2
		push	[ebp+arg_10]
		shr	eax, 1
		push	[esp+108h+var_CC]
		and	eax, 18h
		push	[esp+10Ch+var_C0]
		or	eax, edx
		mov	edx, ecx
		shr	edx, 1
		and	ecx, 800h
		shr	eax, 1
		and	edx, 18h
		push	eax
		push	[esp+114h+var_E4]
		or	edx, ecx
		mov	ecx, esi
		shr	edx, 1
		call	_RtlpComputeMergedAcl@40 ; RtlpComputeMergedAcl(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9251E8
		mov	eax, [esp+0F8h+var_C4]
		mov	ecx, eax
		mov	edx, [esp+0F8h+var_EC]
		and	ecx, 8
		mov	ebx, [esp+0F8h+var_D4]
		or	ecx, 4
		add	ecx, ecx
		mov	[esp+0F8h+var_AC], 1
		and	eax, 1400h
		or	ecx, eax
		mov	eax, [esp+0F8h+var_88]
		add	ecx, ecx
		mov	[esp+0F8h+var_C8], eax
		or	edx, ecx
		mov	ecx, [esp+0F8h+var_E0]
		mov	[esp+0F8h+var_EC], edx
		jmp	loc_8370F0
; 

loc_9251E8:				; CODE XREF: RtlpSetSecurityObject+EE6FBj
		mov	edi, [esp+0F8h+var_88]
		mov	esi, [esp+0F8h+var_BC]
		mov	eax, [esp+0F8h+var_DC]
		mov	edx, [esp+0F8h+var_D8]
		jmp	loc_836F6B
; 

loc_9251FD:				; CODE XREF: RtlpSetSecurityObject+642j
		movzx	edx, word ptr [ebx+2]
		test	edi, edi
		mov	edi, [esp+0F8h+var_CC]
		jz	loc_92529B
		mov	eax, [esp+0F8h+var_D0]
		mov	eax, [eax]
		movzx	ecx, word ptr [eax+2]
		lea	eax, [esp+0F8h+var_C4]
		push	eax
		lea	eax, [esp+0FCh+var_84]
		push	eax
		mov	eax, edx
		and	edx, 800h
		push	2
		push	[ebp+arg_10]
		shr	eax, 1
		and	eax, 18h
		or	eax, edx
		mov	edx, ecx
		push	edi
		push	[esp+10Ch+var_C0]
		shr	edx, 1
		and	ecx, 800h
		shr	eax, 1
		and	edx, 18h
		push	eax
		push	[esp+114h+var_E4]
		or	edx, ecx
		mov	ecx, esi
		shr	edx, 1
		call	_RtlpComputeMergedAcl@40 ; RtlpComputeMergedAcl(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_925292
		mov	eax, [esp+0F8h+var_C4]
		mov	ecx, eax
		mov	edx, [esp+0F8h+var_EC]
		and	ecx, 8
		mov	ebx, [esp+0F8h+var_D4]
		or	ecx, 4
		add	ecx, ecx
		mov	[esp+0F8h+var_AB], 1
		and	eax, 1400h
		or	ecx, eax
		mov	eax, [esp+0F8h+var_84]
		add	ecx, ecx
		or	edx, ecx
		mov	[esp+0F8h+var_EC], edx
		jmp	loc_8370FE
; 

loc_925292:				; CODE XREF: RtlpSetSecurityObject+EE7ADj
		mov	esi, [esp+0F8h+var_84]
		jmp	loc_836F5F
; 

loc_92529B:				; CODE XREF: RtlpSetSecurityObject+EE757j
		mov	eax, [esp+0F8h+var_E4]
		mov	[esp+0F8h+var_BC], eax
		mov	eax, edx
		and	eax, 2000h
		and	edx, 0A00h
		or	eax, 10h
		or	[esp+0F8h+var_EC], eax
		cmp	edx, 0A00h
		mov	edx, [esp+0F8h+var_EC]
		jnz	loc_837102
		or	edx, 800h
		mov	[esp+0F8h+var_EC], edx
		jmp	loc_837102
; 

loc_9252D6:				; CODE XREF: RtlpSetSecurityObject+292j
		test	ax, ax
		jnz	short loc_9252DF
		xor	ecx, ecx
		jmp	short loc_9252F0
; 

loc_9252DF:				; CODE XREF: RtlpSetSecurityObject+EE829j
		mov	ecx, [ebx+10h]
		test	dx, dx
		jns	short loc_9252F0
		lea	eax, [ecx+ebx]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_9252F0:				; CODE XREF: RtlpSetSecurityObject+EE82Dj
					; RtlpSetSecurityObject+EE835j
		mov	eax, [esp+0F8h+var_D0]
		mov	eax, [eax]
		movzx	ebx, word ptr [eax+2]
		mov	esi, ebx
		test	bl, 4
		jnz	short loc_925305
		xor	esi, esi
		jmp	short loc_925315
; 

loc_925305:				; CODE XREF: RtlpSetSecurityObject+EE84Fj
		test	si, si
		mov	esi, [eax+10h]
		jns	short loc_925315
		add	eax, esi
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_925315:				; CODE XREF: RtlpSetSecurityObject+EE853j
					; RtlpSetSecurityObject+EE85Bj
		lea	eax, [esp+0F8h+var_C4]
		and	edx, 140Ch
		push	eax
		lea	eax, [esp+0FCh+var_70]
		and	ebx, 140Ch
		push	eax
		push	1
		push	[ebp+arg_10]
		push	edi
		push	[esp+10Ch+var_C0]
		push	edx
		push	ecx
		mov	edx, ebx
		mov	ecx, esi
		call	_RtlpComputeMergedAcl@40 ; RtlpComputeMergedAcl(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_836F5B
		mov	eax, [esp+0F8h+var_C4]
		mov	esi, [esp+0F8h+var_70]
		and	eax, 1408h
		or	eax, 4
		mov	[esp+0F8h+var_B0], 1
		or	[esp+0F8h+var_EC], eax
		mov	[esp+0F8h+var_E8], esi
		jmp	loc_836D87
; 

loc_925372:				; CODE XREF: RtlpSetSecurityObject+29Bj
		xor	esi, esi
		jmp	loc_836D5D
; 

loc_925379:				; CODE XREF: RtlpSetSecurityObject+536j
		xor	esi, esi
		jmp	loc_836D5D
; 

loc_925380:				; CODE XREF: RtlpSetSecurityObject+2DCj
		mov	ecx, [esp+0F8h+var_9C]
		lea	eax, [esp+0F8h+var_68]
		push	eax
		lea	eax, [esp+0FCh+var_54]
		mov	[esp+0FCh+var_60], 0
		push	eax
		lea	eax, [esp+100h+var_50]
		mov	[esp+100h+var_64], 0
		push	eax
		lea	eax, [esp+104h+var_4C]
		mov	[esp+104h+var_98], 0
		push	eax
		lea	eax, [esp+108h+var_98]
		mov	[esp+108h+var_4C], 0
		push	eax
		lea	eax, [esp+10Ch+var_64]
		mov	[esp+10Ch+var_50], 0
		push	eax
		lea	edx, [esp+110h+var_60]
		mov	[esp+110h+var_54], 0
		mov	[esp+110h+var_68], 0
		call	_SepGetDefaultsSubjectContext@32 ; SepGetDefaultsSubjectContext(x,x,x,x,x,x,x,x)
		mov	dl, [esp+0F8h+var_B4]
		lea	eax, [esp+0F8h+var_A9]
		push	eax		; int
		lea	eax, [esp+0FCh+var_6C]
		mov	ecx, esi
		push	eax		; void *
		push	[esp+100h+var_98] ; void *
		call	_RtlpCreateServerAcl@20	; RtlpCreateServerAcl(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_836F50
		mov	esi, [esp+0F8h+var_6C]
		jmp	loc_8371E4
; 

loc_925439:				; CODE XREF: RtlpSetSecurityObject+718j
		xor	esi, esi
		jmp	loc_8371E4
; 

loc_925440:				; CODE XREF: RtlpSetSecurityObject+72Cj
		xor	esi, esi
		jmp	loc_8371E4
; 

loc_925447:				; CODE XREF: RtlpSetSecurityObject+721j
		mov	esi, [esi+10h]
		jmp	loc_8371E4
; 

loc_92544F:				; CODE XREF: RtlpSetSecurityObject+322j
		xor	eax, eax
		jmp	loc_836DE2
; 

loc_925456:				; CODE XREF: RtlpSetSecurityObject+355j
		mov	ebx, 0C0000017h
		jmp	loc_836F50
; 

loc_925460:				; CODE XREF: RtlpSetSecurityObject+36Aj
		or	[esp+0F8h+var_EC], 800h
		jmp	loc_836E20
; 

loc_92546D:				; CODE XREF: RtlpSetSecurityObject+38Dj
		mov	al, [eax+1]
		or	ecx, edx
		mov	[esi+1], al
		mov	[esi+2], cx
		jmp	loc_836E43
; 

loc_92547E:				; CODE XREF: RtlpSetSecurityObject+3C9j
		mov	eax, ebx
		sub	eax, ecx
		push	eax		; size_t
		lea	eax, [ecx+edi]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_836E7F
; 

loc_925496:				; CODE XREF: RtlpSetSecurityObject+3F4j
		mov	dword ptr [esi+10h], 0
		jmp	loc_836EDC
; 

loc_9254A2:				; CODE XREF: RtlpSetSecurityObject+424j
		mov	eax, ebx
		sub	eax, ecx
		push	eax		; size_t
		lea	eax, [ecx+edi]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_836EDA
; 

loc_9254BA:				; CODE XREF: RtlpSetSecurityObject+7EEj
		mov	cl, [eax+1]
		and	cl, 0FCh
		or	cl, 8
		inc	[esp+0F8h+var_E0]
		mov	[eax+1], cl
		jmp	loc_837260
; 

loc_9254CF:				; CODE XREF: RtlpSetSecurityObject+4A5j
		push	0
		push	[esp+0FCh+var_70]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_836F5B
; 

loc_9254E2:				; CODE XREF: RtlpSetSecurityObject+83Ej
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+0F8h+var_DC]
		mov	edx, [esp+0F8h+var_D8]
		jmp	loc_836F77
; 

loc_9254F7:				; CODE XREF: RtlpSetSecurityObject+7FEj
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+0F8h+var_DC]
		jmp	loc_836F7F
; 

loc_925508:				; CODE XREF: RtlpSetSecurityObject+80Ej
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_836F87
; 

loc_925515:				; CODE XREF: RtlpSetSecurityObject+81Ej
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_836F8F
; 

loc_925522:				; CODE XREF: RtlpSetSecurityObject+82Ej
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_836F97
; 

loc_92552F:				; CODE XREF: RtlpSetSecurityObject+4FFj
		push	0
		push	[esp+0FCh+var_6C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_836FB5
; 

loc_925542:				; CODE XREF: RtlpSetSecurityObject+201j
					; RtlpSetSecurityObject:loc_836CC0j ...
		mov	ebx, 0C000005Ah
		jmp	loc_836FB5
; END OF FUNCTION CHUNK	FOR RtlpSetSecurityObject

;  S U B	R O U T	I N E 


sub_92554C	proc near		; DATA XREF: .text:006A68A8o
		xor	edi, edi
		mov	esi, [ebp+8]
		jmp	sub_8376BA
sub_92554C	endp

; 
; START	OF FUNCTION CHUNK FOR sub_8376BA

loc_925556:				; CODE XREF: sub_8376BA+3j
		push	dword ptr [esi+4]
		call	_ExFreePool@4	; ExFreePool(x)
		mov	[esi+4], edi
		retn
; END OF FUNCTION CHUNK	FOR sub_8376BA
; 
; START	OF FUNCTION CHUNK FOR RtlDuplicateUnicodeString

loc_925562:				; CODE XREF: RtlDuplicateUnicodeString+72j
		test	esi, esi
		jnz	loc_837748

loc_92556A:				; CODE XREF: RtlDuplicateUnicodeString+56j
					; RtlDuplicateUnicodeString+5Fj
		mov	ebx, 0C000000Dh
		mov	[ebp+var_1C], ebx
		jmp	loc_8377FD
; 

loc_925577:				; CODE XREF: RtlDuplicateUnicodeString+A9j
		mov	ebx, 0C0000106h
		mov	[ebp+var_1C], ebx
		jmp	loc_837846
; 

loc_925584:				; CODE XREF: RtlDuplicateUnicodeString+EDj
		mov	ebx, 0C0000017h
		mov	[ebp+var_1C], ebx
		jmp	loc_8377FD
; END OF FUNCTION CHUNK	FOR RtlDuplicateUnicodeString

;  S U B	R O U T	I N E 


sub_925591	proc near		; DATA XREF: .text:006A68C8o
		mov	ebx, [ebp-1Ch]
		mov	ecx, [ebp-24h]
		jmp	sub_837837
sub_925591	endp

; 
; START	OF FUNCTION CHUNK FOR sub_837837

loc_92559C:				; CODE XREF: sub_837837+4j
		test	ecx, ecx
		jz	locret_837841
		push	ecx
		call	_ExFreePool@4	; ExFreePool(x)
		jmp	locret_837841
; END OF FUNCTION CHUNK	FOR sub_837837
; 
; START	OF FUNCTION CHUNK FOR ObSetSecurityDescriptorInfo

loc_9255AF:				; CODE XREF: ObSetSecurityDescriptorInfo+D2j
		push	8
		push	[ebp+var_8]
		call	ObDereferenceSecurityDescriptor
		jmp	loc_83798A
; END OF FUNCTION CHUNK	FOR ObSetSecurityDescriptorInfo
; 
; START	OF FUNCTION CHUNK FOR SepAppendAceToTokenObjectAcl

loc_9255BE:				; CODE XREF: SepAppendAceToTokenObjectAcl+72j
		mov	esi, [ebx+10h]
		jmp	loc_837AB2
; 

loc_9255C6:				; CODE XREF: SepAppendAceToTokenObjectAcl+111j
		mov	edi, 0C000009Ah
		jmp	loc_837AC9
; 

loc_9255D0:				; CODE XREF: SepAppendAceToTokenObjectAcl+A2j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_837AE0
; END OF FUNCTION CHUNK	FOR SepAppendAceToTokenObjectAcl
; 
; START	OF FUNCTION CHUNK FOR ObDereferenceSecurityDescriptor

loc_9255DD:				; CODE XREF: ObDereferenceSecurityDescriptor+79j
		mov	ecx, 0Eh
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_837CD7
; END OF FUNCTION CHUNK	FOR ObDereferenceSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR ObpGetObjectSecurity

loc_9255E9:				; CODE XREF: ObpGetObjectSecurity+51j
		test	byte ptr [edi+2Ah], 8
		jnz	short loc_925625
		test	byte ptr [esi+0Eh], 2
		jnz	short loc_925625
		jmp	loc_837D67
; 

loc_9255FA:				; CODE XREF: ObpGetObjectSecurity+BFj
		mov	eax, [ebx]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	0
		mov	eax, [ebp+var_C]
		jmp	loc_837D69
; 

loc_925612:				; CODE XREF: ObpGetObjectSecurity+CAj
		mov	edi, [ebp+var_10]
		test	byte ptr [edi+2Ah], 8
		jnz	short loc_925625
		test	byte ptr [esi+0Eh], 2
		jz	loc_837D69

loc_925625:				; CODE XREF: ObpGetObjectSecurity+ED8DDj
					; ObpGetObjectSecurity+ED8E3j ...
		push	0
		push	1
		push	edi
		push	esi
		push	189h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_925635:				; CODE XREF: ObpGetObjectSecurity+82j
					; ObpGetObjectSecurity+F8j
		mov	eax, 0C000009Ah
		jmp	loc_837D69
; END OF FUNCTION CHUNK	FOR ObpGetObjectSecurity
; 
; START	OF FUNCTION CHUNK FOR ObpReferenceSecurityDescriptor

loc_92563F:				; CODE XREF: ObpReferenceSecurityDescriptor+77j
		mov	ecx, eax
		and	eax, 7
		add	eax, 7
		cmp	eax, 7
		jbe	loc_837EA1
		jmp	loc_837EC4
; END OF FUNCTION CHUNK	FOR ObpReferenceSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR CmpSecurityMethod

loc_925655:				; CODE XREF: CmpSecurityMethod+56j
		mov	edx, 20000h
		lea	ecx, [esp+78h+var_28]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		jmp	loc_83802C
; 

loc_925668:				; CODE XREF: CmpSecurityMethod+80j
		test	ebx, ebx
		jz	loc_838056
		mov	eax, [ebx+8]
		mov	[esp+78h+var_54], eax
		jmp	loc_838056
; 

loc_92567C:				; CODE XREF: CmpSecurityMethod+E4j
		cmp	esi, 0C0000503h
		jnz	loc_838104
		xor	esi, esi
		jmp	loc_838104
; 

loc_92568F:				; CODE XREF: CmpSecurityMethod+1B0j
		mov	eax, [ebx+8]
		push	edi
		push	eax
		push	1
		push	5
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_92569F:				; CODE XREF: CmpSecurityMethod+141j
		push	0
		push	dword ptr [esp+28h]
		lea	eax, [esp+94h+var_3C]
		test	edi, edi
		push	0
		push	esi
		push	eax
		setnz	al
		add	al, 1Ch
		movzx	eax, al
		push	eax
		call	ecx
		jmp	loc_838117
; END OF FUNCTION CHUNK	FOR CmpSecurityMethod
; 
; START	OF FUNCTION CHUNK FOR CmpQueryKeySecurity

loc_9256BF:				; CODE XREF: CmpQueryKeySecurity+48j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, 0C0000189h
		jmp	loc_83827C
; 

loc_9256D5:				; CODE XREF: CmpQueryKeySecurity+95j
					; CmpQueryKeySecurity+9Fj
		lea	edx, [ebp+var_C]
		mov	ecx, ebx
		call	CmpTransSearchAddTransFromKeyBody
		mov	esi, eax
		test	esi, esi
		js	loc_838274
		mov	edi, [ebp+var_C]
		mov	ecx, ebx
		mov	edx, edi
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_838274
		jmp	loc_838248
; END OF FUNCTION CHUNK	FOR CmpQueryKeySecurity
; 
; START	OF FUNCTION CHUNK FOR SeQuerySecurityDescriptorInfo

loc_925704:				; CODE XREF: SeQuerySecurityDescriptorInfo+A2j
		xor	edi, edi
		mov	ecx, [ebp+var_24]
		jmp	short loc_92570E
; 

loc_92570B:				; CODE XREF: SeQuerySecurityDescriptorInfo+97j
		mov	edi, [eax+4]

loc_92570E:				; CODE XREF: SeQuerySecurityDescriptorInfo+ED439j
		mov	[ebp+arg_C], edi
		jmp	loc_838383
; 

loc_925716:				; CODE XREF: SeQuerySecurityDescriptorInfo+C0j
		xor	edi, edi
		jmp	loc_838398
; 

loc_92571D:				; CODE XREF: SeQuerySecurityDescriptorInfo+D1j
		xor	ebx, ebx
		jmp	loc_8383BB
; 

loc_925724:				; CODE XREF: SeQuerySecurityDescriptorInfo+3D8j
		and	ecx, 0FFFFFF7Fh
		mov	[eax], ecx
		jmp	loc_8386AE
; 

loc_925731:				; CODE XREF: SeQuerySecurityDescriptorInfo+3E6j
		and	ecx, 0FFFFFEFFh
		mov	[eax], ecx
		jmp	loc_838404
; 

loc_92573E:				; CODE XREF: SeQuerySecurityDescriptorInfo+1FCj
		mov	eax, [ebp+arg_4]
		jmp	loc_838507
; END OF FUNCTION CHUNK	FOR SeQuerySecurityDescriptorInfo

;  S U B	R O U T	I N E 


sub_925746	proc near		; DATA XREF: .text:006A68E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		mov	eax, 1
		retn
sub_925746	endp


;  S U B	R O U T	I N E 


sub_925756	proc near		; DATA XREF: .text:006A68E8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-40h]
		jmp	loc_8385BB
sub_925756	endp

; 
; START	OF FUNCTION CHUNK FOR RtlpFilterSacl

loc_925768:				; CODE XREF: RtlpFilterSacl+3Dj
					; DATA XREF: PAGE:0083880Co
		test	bl, 40h
		jmp	loc_838703
; 

loc_925770:				; CODE XREF: RtlpFilterSacl+3Dj
					; DATA XREF: PAGE:00838814o
		test	ebx, 100h
		jmp	loc_838703
; 

loc_92577B:				; CODE XREF: RtlpFilterSacl+BEj
					; DATA XREF: PAGE:0083883Co
		mov	eax, ebx
		shr	eax, 6
		jmp	loc_838786
; 

loc_925785:				; CODE XREF: RtlpFilterSacl+BEj
					; DATA XREF: PAGE:00838844o
		mov	eax, ebx
		shr	eax, 8
		jmp	loc_838786
; 

loc_92578F:				; CODE XREF: RtlpFilterSacl+B1j
					; RtlpFilterSacl+BEj
					; DATA XREF: ...
		test	bl, 8
		jz	loc_8387D7
		mov	al, 1
		jmp	loc_838788
; END OF FUNCTION CHUNK	FOR RtlpFilterSacl

;  S U B	R O U T	I N E 


sub_92579F	proc near		; DATA XREF: .text:006A6904o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5Ch], eax
		mov	eax, 1
		retn
sub_92579F	endp


;  S U B	R O U T	I N E 


sub_9257AF	proc near		; DATA XREF: .text:006A6908o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-5Ch]
		jmp	loc_838B7F
sub_9257AF	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryObject

loc_9257C1:				; CODE XREF: NtQueryObject+B7j
		xor	ecx, ecx
		mov	[ebp+var_4C], ecx
		xor	ebx, ebx
		mov	[ebp+var_2C], ebx
		xor	edx, edx
		xor	eax, eax
		xor	edi, edi
		mov	[ebp+var_58], edi
		mov	[ebp+var_20], edi
		jmp	loc_8389FB
; 

loc_9257DC:				; CODE XREF: NtQueryObject+138j
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, 0C0000004h
		jmp	loc_838B7F
; 

loc_9257ED:				; CODE XREF: NtQueryObject+18Dj
		or	esi, 20h
		mov	[ebp+var_AC], esi
		jmp	loc_838A73
; 

loc_9257FB:				; CODE XREF: NtQueryObject+1D5j
		mov	eax, [ebx]
		mov	[ebp+var_7C], eax
		mov	eax, [ebx+4]
		jmp	loc_838AC0
; END OF FUNCTION CHUNK	FOR NtQueryObject

;  S U B	R O U T	I N E 


sub_925808	proc near		; DATA XREF: .text:006A6910o
		mov	eax, large fs:124h
		mov	[ebp-60h], eax
		mov	eax, [ebp-60h]
		movzx	eax, byte ptr [eax+15Ah]
		mov	[ebp-21h], al
		movzx	eax, byte ptr [ebp-21h]
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	eax, ecx
		retn
sub_925808	endp


;  S U B	R O U T	I N E 


sub_92582C	proc near		; DATA XREF: .text:006A6914o

; FUNCTION CHUNK AT 00925959 SIZE 00000008 BYTES

		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-20h]
		jmp	loc_925959
sub_92582C	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryObject

loc_92583E:				; CODE XREF: NtQueryObject+12Dj
					; DATA XREF: PAGE:off_838DE8o
		mov	[ebp+var_4], 2	; case 0x3
		mov	[ebp+arg_4], 4
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_B0], ecx
		cmp	[ebp+arg_C], 4
		jnb	short loc_925868
		mov	edi, 0C0000004h
		mov	[ebp+var_20], edi
		jmp	loc_838C27
; 

loc_925868:				; CODE XREF: NtQueryObject+ECF79j
		mov	dword ptr [ecx], 0
		xor	edx, edx

loc_925870:				; CODE XREF: NtQueryObject+ECFACj
		mov	[ebp+var_38], edx
		cmp	edx, 100h
		jnb	short loc_92588E
		mov	eax, _ObpObjectTypes[edx*4]
		mov	[ebp+var_34], eax
		test	eax, eax
		jz	short loc_92588E
		inc	dword ptr [ecx]
		inc	edx
		jmp	short loc_925870
; 

loc_92588E:				; CODE XREF: NtQueryObject+ECF99j
					; NtQueryObject+ECFA7j
		xor	esi, esi

loc_925890:				; CODE XREF: NtQueryObject+ED001j
		mov	[ebp+var_38], esi
		cmp	esi, 100h
		jnb	loc_838C27
		mov	edx, [ebp+arg_4]
		add	edx, ecx
		mov	[ebp+var_B4], edx
		mov	ecx, _ObpObjectTypes[esi*4]
		mov	[ebp+var_34], ecx
		test	ecx, ecx
		jz	loc_838C27
		lea	eax, [ebp+arg_4]
		push	eax
		push	[ebp+arg_C]
		call	ObQueryTypeInfo
		mov	edi, eax
		mov	[ebp+var_20], edi
		test	edi, edi
		jns	short loc_9258DD
		cmp	edi, 0C0000004h
		jnz	loc_838C27

loc_9258DD:				; CODE XREF: NtQueryObject+ECFEFj
		inc	esi
		mov	ecx, [ebp+arg_8]
		jmp	short loc_925890
; END OF FUNCTION CHUNK	FOR NtQueryObject

;  S U B	R O U T	I N E 


sub_9258E3	proc near		; DATA XREF: .text:006A691Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-68h], eax
		mov	eax, large fs:124h
		mov	[ebp-64h], eax
		mov	eax, [ebp-64h]
		mov	al, [eax+15Ah]
		mov	[ebp-22h], al
		mov	cl, [ebp-22h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_9258E3	endp


;  S U B	R O U T	I N E 


sub_92590D	proc near		; DATA XREF: .text:006A6920o

; FUNCTION CHUNK AT 0092594C SIZE 0000000D BYTES

		mov	edi, [ebp-68h]
		jmp	short loc_92594C
sub_92590D	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryObject

loc_925912:				; CODE XREF: NtQueryObject+322j
		mov	edi, 0C0000004h
		mov	[ebp+var_20], edi
		jmp	loc_838C27
; END OF FUNCTION CHUNK	FOR NtQueryObject

;  S U B	R O U T	I N E 


sub_92591F	proc near		; DATA XREF: .text:006A6928o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-70h], eax
		mov	eax, large fs:124h
		mov	[ebp-6Ch], eax
		mov	eax, [ebp-6Ch]
		mov	al, [eax+15Ah]
		mov	[ebp-23h], al
		mov	cl, [ebp-23h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_92591F	endp


;  S U B	R O U T	I N E 


sub_925949	proc near		; DATA XREF: .text:006A692Co
		mov	edi, [ebp-70h]
sub_925949	endp

; START	OF FUNCTION CHUNK FOR sub_92590D

loc_92594C:				; CODE XREF: sub_92590D+3j
		mov	[ebp-20h], edi
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
; END OF FUNCTION CHUNK	FOR sub_92590D
; START	OF FUNCTION CHUNK FOR sub_92582C

loc_925959:				; CODE XREF: sub_92582C+Dj
		mov	ebx, [ebp-2Ch]
		jmp	loc_838B59
; END OF FUNCTION CHUNK	FOR sub_92582C

;  S U B	R O U T	I N E 


sub_925961	proc near		; DATA XREF: .text:006A6934o
		mov	eax, large fs:124h
		mov	[ebp-74h], eax
		mov	eax, [ebp-74h]
		mov	al, [eax+15Ah]
		mov	[ebp-24h], al
		mov	cl, [ebp-24h]
		xor	eax, eax
		test	cl, cl
		setnz	al
		retn
sub_925961	endp


;  S U B	R O U T	I N E 


sub_925981	proc near		; DATA XREF: .text:006A6938o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-2Ch]
		mov	edi, [ebp-20h]
		jmp	loc_838B72
sub_925981	endp

; 
; START	OF FUNCTION CHUNK FOR NtQueryObject

loc_925996:				; CODE XREF: NtQueryObject+127j
		mov	ecx, ebx	; default
		call	ObfDereferenceObject
		mov	eax, 0C0000003h
		jmp	loc_838B7F
; END OF FUNCTION CHUNK	FOR NtQueryObject
; 
; START	OF FUNCTION CHUNK FOR ObpChargeQuotaForObject

loc_9259A7:				; CODE XREF: ObpChargeQuotaForObject+87j
		test	esi, esi
		jz	loc_838EB8
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	loc_838EB8
		push	0
		mov	edx, edi
		call	PsReturnSharedPoolQuota
		jmp	loc_838EB8
; END OF FUNCTION CHUNK	FOR ObpChargeQuotaForObject
; 
; START	OF FUNCTION CHUNK FOR PsChargeSharedPoolQuota

loc_9259C8:				; CODE XREF: PsChargeSharedPoolQuota+52j
		test	edi, edi
		jz	loc_838F1C
		push	edi
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	PspReturnQuota
		jmp	loc_838F1C
; END OF FUNCTION CHUNK	FOR PsChargeSharedPoolQuota
; 
; START	OF FUNCTION CHUNK FOR ObQueryNameStringMode

loc_9259E1:				; CODE XREF: ObQueryNameStringMode+426j
		cmp	word ptr [edi+4], 0
		jz	loc_8393CC
		mov	cl, 1
		jmp	loc_8393CE
; 

loc_9259F3:				; CODE XREF: ObQueryNameStringMode+ECC19j
		xor	edi, edi

loc_9259F5:				; CODE XREF: ObQueryNameStringMode+ECC30j
		mov	[ebp+var_2C], edi
		mov	[ebp+var_1A], 0

loc_9259FC:				; CODE XREF: ObQueryNameStringMode+260j
		mov	ecx, [ebp+var_30]
		jmp	loc_83904C
; 

loc_925A04:				; CODE XREF: ObQueryNameStringMode+4DEj
		mov	[ebp+var_20], 0C0000004h
		jmp	loc_83944C
; END OF FUNCTION CHUNK	FOR ObQueryNameStringMode

;  S U B	R O U T	I N E 


sub_925A10	proc near		; DATA XREF: .text:006A6960o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		mov	eax, 1
		retn
sub_925A10	endp


;  S U B	R O U T	I N E 


sub_925A20	proc near		; DATA XREF: .text:006A6964o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-4Ch]

loc_925A26:				; CODE XREF: PAGE:00925A4Bj
		mov	[ebp-20h], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_8393DF
sub_925A20	endp

; 

loc_925A35:				; DATA XREF: .text:006A6954o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		mov	eax, 1
		retn
; 

loc_925A45:				; DATA XREF: .text:006A6958o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-50h]
		jmp	short loc_925A26
; 
; START	OF FUNCTION CHUNK FOR ObQueryNameStringMode

loc_925A4D:				; CODE XREF: ObQueryNameStringMode+186j
					; ObQueryNameStringMode+19Ej ...
		xor	edx, edx
		mov	eax, 11h
		mov	edi, [ebp+var_2C]
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_925A67
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_925A67:				; CODE XREF: ObQueryNameStringMode+ECABEj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_28]
		add	eax, 8
		mov	[ebp+var_28], eax
		jmp	loc_8391AB
; 

loc_925A81:				; CODE XREF: ObQueryNameStringMode+206j
					; ObQueryNameStringMode+210j
		mov	[ebp+var_20], 0C0000106h
		mov	[ebp+var_19], 0
		jmp	loc_8391D8
; 

loc_925A91:				; CODE XREF: ObQueryNameStringMode+C0j
					; ObQueryNameStringMode+CCj
		mov	eax, 2
		mov	[ebp+var_28], eax
		jmp	loc_8391B6
; END OF FUNCTION CHUNK	FOR ObQueryNameStringMode

;  S U B	R O U T	I N E 


sub_925A9E	proc near		; DATA XREF: .text:006A6978o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		mov	eax, 1
		retn
sub_925A9E	endp


;  S U B	R O U T	I N E 


sub_925AAE	proc near		; DATA XREF: .text:006A697Co
		mov	esp, [ebp-18h]
		mov	eax, [ebp-54h]
		mov	[ebp-20h], eax
		mov	byte ptr [ebp-19h], 0
		mov	dword ptr [ebp-4], 2
		mov	ebx, [ebp-40h]
		mov	esi, [ebp-44h]
		jmp	loc_8391D8
sub_925AAE	endp

; 

loc_925ACD:				; DATA XREF: .text:006A6970o
		mov	ebx, [ebp-40h]
		mov	esi, [ebp-44h]
		jmp	sub_8394FB
; 
; START	OF FUNCTION CHUNK FOR ObQueryNameStringMode

loc_925AD8:				; CODE XREF: ObQueryNameStringMode+2A6j
		mov	[ebp+var_1A], 1
		jmp	loc_83941A
; 

loc_925AE1:				; CODE XREF: ObQueryNameStringMode+358j
		xor	ecx, ecx
		jmp	loc_83930D
; 

loc_925AE8:				; CODE XREF: ObQueryNameStringMode+3D2j
		mov	[ebp+var_1A], 1
		xor	ecx, ecx
		mov	eax, 11h
		mov	edi, [ebp+var_2C]
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_925B06
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_925B06:				; CODE XREF: ObQueryNameStringMode+ECB5Dj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_83941A
; 

loc_925B17:				; CODE XREF: ObQueryNameStringMode+395j
					; ObQueryNameStringMode+39Ej
		xor	edx, edx
		mov	eax, 11h
		mov	ecx, [ebp+var_2C]
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_925B32
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+var_2C]

loc_925B32:				; CODE XREF: ObQueryNameStringMode+ECB88j
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		add	edi, 0FFFFFFFAh
		mov	[ebp+arg_8], edi
		mov	edx, edi
		lea	ecx, [ebx+8]
		cmp	edi, ecx
		jnb	short loc_925B52
		mov	edi, ecx
		mov	[ebp+arg_8], edi
		mov	edx, ecx

loc_925B52:				; CODE XREF: ObQueryNameStringMode+ECBA9j
		mov	eax, dword ptr ds:??_C@_17LGKOMLJ@?$AA?4?$AA?4?$AA?4@NNGAKEGL@
		mov	[edi], eax
		mov	ax, word ptr ds:loc_8BC0B5+1
		mov	[edi+4], ax
		cmp	edx, ecx
		jnz	loc_8393E7
		lea	edi, [edx+2]
		mov	[ebp+arg_8], edi
		jmp	loc_8393E7
; 

loc_925B76:				; CODE XREF: ObQueryNameStringMode+289j
					; ObQueryNameStringMode+295j
		mov	edi, [ebp+var_38]
		jmp	loc_8393E7
; 

loc_925B7E:				; CODE XREF: ObQueryNameStringMode+474j
		push	ecx		; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch
		mov	ecx, [ebp+var_58]
		add	ecx, 8
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		jmp	loc_83941A
; END OF FUNCTION CHUNK	FOR ObQueryNameStringMode

;  S U B	R O U T	I N E 


sub_925B99	proc near		; DATA XREF: .text:006A6984o
		mov	eax, 1
		retn
sub_925B99	endp


;  S U B	R O U T	I N E 


sub_925B9F	proc near		; DATA XREF: .text:006A6988o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-40h]
		mov	esi, [ebp-44h]
		jmp	loc_839421
sub_925B9F	endp

; 
; START	OF FUNCTION CHUNK FOR ObQueryNameStringMode

loc_925BB4:				; CODE XREF: ObQueryNameStringMode+491j
		mov	al, [esi+0Eh]
		test	al, 2
		jz	loc_9259F3
		movzx	eax, al
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		mov	edi, esi
		sub	edi, eax
		jmp	loc_9259F5
; END OF FUNCTION CHUNK	FOR ObQueryNameStringMode

;  S U B	R O U T	I N E 


sub_925BD5	proc near		; DATA XREF: .text:006A6990o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5Ch], eax
		mov	eax, 1
		retn
sub_925BD5	endp


;  S U B	R O U T	I N E 


sub_925BE5	proc near		; DATA XREF: .text:006A6994o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-5Ch]
		mov	[ebp-20h], eax
		jmp	loc_839445
sub_925BE5	endp


;  S U B	R O U T	I N E 


sub_925BF3	proc near		; DATA XREF: .text:006A69ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_925BF3	endp


;  S U B	R O U T	I N E 


sub_925C01	proc near		; DATA XREF: .text:006A69B0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-20h]
		jmp	loc_8395E3
sub_925C01	endp

; 
; START	OF FUNCTION CHUNK FOR RtlAddAce

loc_925C0C:				; CODE XREF: RtlAddAce+3Cj
		mov	[ebp+var_1], cl
		jmp	loc_839648
; 

loc_925C14:				; CODE XREF: RtlAddAce+62j
		cmp	al, 4
		ja	short loc_925C1D
		cmp	ecx, 3
		jmp	short loc_925C28
; 

loc_925C1D:				; CODE XREF: RtlAddAce+EC610j
		cmp	al, 8
		ja	loc_83966E
		cmp	ecx, 4

loc_925C28:				; CODE XREF: RtlAddAce+EC615j
		jnb	loc_83966E

loc_925C2E:				; CODE XREF: RtlAddAce+1Aj
					; RtlAddAce+2Cj ...
		mov	eax, 0C000000Dh
		jmp	loc_8396CE
; 

loc_925C38:				; CODE XREF: RtlAddAce+58j
		mov	eax, [ebp+arg_10]
		jmp	loc_83967E
; 

loc_925C40:				; CODE XREF: RtlAddAce+D7j
		movzx	eax, word ptr [ecx+2]
		add	ecx, eax
		inc	edi
		cmp	edi, [ebp+arg_8]
		jb	loc_8396DB
		jmp	loc_8396E3
; 

loc_925C55:				; CODE XREF: RtlAddAce+E5j
					; RtlAddAce+EC658j
		mov	al, [edx+ecx]
		mov	[edi+edx], al
		sub	edx, 1
		jns	short loc_925C55
		jmp	loc_8396A9
; END OF FUNCTION CHUNK	FOR RtlAddAce
; 
; START	OF FUNCTION CHUNK FOR RtlSetDaclSecurityDescriptor

loc_925C65:				; CODE XREF: RtlSetDaclSecurityDescriptor+1Aj
		and	ecx, 0FFFBh

loc_925C6B:				; CODE XREF: RtlSetDaclSecurityDescriptor+5Bj
		mov	[eax+2], cx
		jmp	loc_8397FA
; END OF FUNCTION CHUNK	FOR RtlSetDaclSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR PspDereferenceQuotaBlock

loc_925C74:				; CODE XREF: PspDereferenceQuotaBlock+18j
		push	esi
		push	edi
		xor	esi, esi
		lea	edi, [ebx+44h]

loc_925C7B:				; CODE XREF: PspDereferenceQuotaBlock+EC428j
		mov	al, ds:_PspResourceFlags[esi*8]
		and	al, 3
		cmp	al, 1
		jnz	short loc_925CC9
		mov	edx, [edi+4]
		xor	eax, eax
		mov	ecx, [edi-4]
		test	edx, edx
		setnz	al
		mov	[ebp+var_4], eax
		mov	eax, [edi]
		add	eax, ecx
		jz	short loc_925CB1
		test	edx, edx
		jz	short loc_925CB3
		xor	ecx, ecx
		xchg	ecx, [edi]
		xor	eax, eax
		lea	ebx, [edi-4]
		xchg	eax, [ebx]
		add	ecx, eax
		jmp	short loc_925CB3
; 

loc_925CB1:				; CODE XREF: PspDereferenceQuotaBlock+EC3F4j
		xor	ecx, ecx

loc_925CB3:				; CODE XREF: PspDereferenceQuotaBlock+EC3F8j
					; PspDereferenceQuotaBlock+EC407j
		test	ecx, ecx
		jnz	short loc_925CBB
		test	edx, edx
		jz	short loc_925CC9

loc_925CBB:				; CODE XREF: PspDereferenceQuotaBlock+EC40Dj
		push	[ebp+var_4]
		lea	edx, [edi-44h]
		push	ecx
		mov	ecx, esi
		call	PspReturnResourceQuota

loc_925CC9:				; CODE XREF: PspDereferenceQuotaBlock+EC3DEj
					; PspDereferenceQuotaBlock+EC411j
		inc	esi
		sub	edi, 0FFFFFF80h
		cmp	esi, 4
		jl	short loc_925C7B
		mov	ebx, [ebp+var_8]
		mov	ecx, ebx
		call	_PspRemoveQuotaBlock@4 ; PspRemoveQuotaBlock(x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		jmp	loc_8398C6
; END OF FUNCTION CHUNK	FOR PspDereferenceQuotaBlock
; 
; START	OF FUNCTION CHUNK FOR CmpGetVirtualizationID

loc_925CEB:				; CODE XREF: CmpGetVirtualizationID+36j
		cmp	dword ptr [edi+4], 2
		jge	loc_839909
		jmp	loc_839906
; END OF FUNCTION CHUNK	FOR CmpGetVirtualizationID
; 
; START	OF FUNCTION CHUNK FOR EtwpGetSidExtendedHeaderItem

loc_925CFA:				; CODE XREF: EtwpGetSidExtendedHeaderItem+DBj
		test	esi, esi
		jz	short loc_925D05
		mov	ecx, esi
		call	ObfDereferenceObject

loc_925D05:				; CODE XREF: EtwpGetSidExtendedHeaderItem+EC1D4j
		mov	eax, [ebp+var_58]
		push	dword ptr [eax+150h]
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		xor	edi, edi
		mov	esi, eax
		inc	edi
		jmp	loc_839B85
; END OF FUNCTION CHUNK	FOR EtwpGetSidExtendedHeaderItem
; 
; START	OF FUNCTION CHUNK FOR ObCheckCreateObjectAccess

loc_925D1D:				; CODE XREF: ObCheckCreateObjectAccess+90j
		push	[ebp+var_4]
		push	ebx
		call	SeAppendPrivileges
		push	[ebp+var_4]
		call	_SeFreePrivileges@4 ; SeFreePrivileges(x)
		jmp	loc_839D30
; END OF FUNCTION CHUNK	FOR ObCheckCreateObjectAccess
; 
; START	OF FUNCTION CHUNK FOR SeCaptureSid

loc_925D33:				; CODE XREF: SeCaptureSid+16j
		cmp	byte ptr [ebp+arg_C], bl
		jnz	short loc_925D42
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		jmp	loc_839E09
; 

loc_925D42:				; CODE XREF: SeCaptureSid+EBFDCj
		test	dl, dl
		jnz	loc_839D76
		movzx	eax, byte ptr [ecx+1]
		mov	[ebp+arg_C], eax
		cmp	eax, 3FFFFFF7h
		jbe	short loc_925D84
		or	esi, 0FFFFFFFFh
		jmp	short loc_925D8B
; 

loc_925D5D:				; CODE XREF: SeCaptureSid+2Aj
		mov	eax, edx
		jmp	loc_839D8A
; END OF FUNCTION CHUNK	FOR SeCaptureSid

;  S U B	R O U T	I N E 


sub_925D64	proc near		; DATA XREF: .text:006A69CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_925D64	endp


;  S U B	R O U T	I N E 


sub_925D72	proc near		; DATA XREF: .text:006A69D0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	loc_839E0B
sub_925D72	endp

; 
; START	OF FUNCTION CHUNK FOR SeCaptureSid

loc_925D84:				; CODE XREF: SeCaptureSid+EBFFCj
		lea	esi, ds:8[eax*4]

loc_925D8B:				; CODE XREF: SeCaptureSid+EC001j
		mov	[ebp+var_1C], esi
		jmp	loc_839DC0
; END OF FUNCTION CHUNK	FOR SeCaptureSid

;  S U B	R O U T	I N E 


sub_925D93	proc near		; CODE XREF: SeCaptureSid+A9j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[edi], ebx
		mov	eax, 0C0000078h
		jmp	loc_839E0B
sub_925D93	endp


;  S U B	R O U T	I N E 


sub_925DA6	proc near		; DATA XREF: .text:006A69D8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_925DA6	endp


;  S U B	R O U T	I N E 


sub_925DB4	proc near		; DATA XREF: .text:006A69DCo
		mov	esp, [ebp-18h]
		xor	ebx, ebx
		push	ebx
		mov	esi, [ebp+18h]
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-28h]
		jmp	loc_839E0B
sub_925DB4	endp

; 
; START	OF FUNCTION CHUNK FOR IopQueryNameInternal

loc_925DD5:				; CODE XREF: IopQueryNameInternal+31Aj
		mov	esi, 0C000009Ah
		jmp	loc_83A118
; 

loc_925DDF:				; CODE XREF: IopQueryNameInternal+8Ej
		mov	[ebp+var_24], 0Ch
		cmp	edi, 0Ch
		jb	short loc_925E0C
		xor	esi, esi
		mov	dword ptr [edx], 20002h
		lea	eax, [edx+8]
		mov	ecx, 5Ch
		mov	[eax], cx
		mov	[edx+4], eax
		mov	eax, [ebp+var_24]
		jmp	loc_839F79
; 

loc_925E09:				; CODE XREF: IopQueryNameInternal+AEj
		mov	esi, [ebp+var_38]

loc_925E0C:				; CODE XREF: IopQueryNameInternal+EBF19j
		mov	ecx, [esi+4]
		jmp	loc_83A136
; 

loc_925E14:				; CODE XREF: IopQueryNameInternal+35Bj
		mov	[ebp+var_1D], 1
		jmp	loc_839F96
; 

loc_925E1D:				; CODE XREF: IopQueryNameInternal+E6j
		lea	eax, [edi-8]
		cmp	edi, 8
		sbb	ecx, ecx
		not	ecx
		and	ecx, eax
		jmp	loc_839FBF
; END OF FUNCTION CHUNK	FOR IopQueryNameInternal

;  S U B	R O U T	I N E 


sub_925E2E	proc near		; DATA XREF: .text:006A6A3Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		mov	eax, 1
		retn
sub_925E2E	endp


;  S U B	R O U T	I N E 


sub_925E3E	proc near		; DATA XREF: .text:006A6A40o

; FUNCTION CHUNK AT 00925EBA SIZE 00000012 BYTES

		mov	esi, [ebp-40h]
		jmp	short loc_925EBA
sub_925E3E	endp

; 
; START	OF FUNCTION CHUNK FOR IopQueryNameInternal

loc_925E43:				; CODE XREF: IopQueryNameInternal+124j
		add	esi, 2
		mov	[ebp+var_24], esi
		jmp	loc_839FFA
; END OF FUNCTION CHUNK	FOR IopQueryNameInternal

;  S U B	R O U T	I N E 


sub_925E4E	proc near		; DATA XREF: .text:006A6A48o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		mov	cl, [ebp+18h]
		call	_IopExceptionFilterMode@4 ; IopExceptionFilterMode(x)
		retn
sub_925E4E	endp


;  S U B	R O U T	I N E 


sub_925E61	proc near		; DATA XREF: .text:006A6A4Co
		mov	esi, [ebp-44h]
		jmp	short loc_925EBA
sub_925E61	endp

; 
; START	OF FUNCTION CHUNK FOR IopQueryNameInternal

loc_925E66:				; CODE XREF: IopQueryNameInternal+406j
		cmp	esi, 0C0000002h
		jz	loc_83A28B
		cmp	esi, 0C0000003h
		jnz	loc_83A118
		jmp	loc_83A28B
; 

loc_925E83:				; CODE XREF: IopQueryNameInternal+1C8j
		mov	eax, 4
		mov	[ebp+var_24], eax
		jmp	loc_83A09E
; 

loc_925E90:				; CODE XREF: IopQueryNameInternal+1E2j
		mov	edx, eax
		mov	[ebp+arg_0], edx
		jmp	loc_83A0B8
; 

loc_925E9A:				; CODE XREF: IopQueryNameInternal+1FDj
		mov	esi, 0C0000039h
		jmp	loc_83A118
; END OF FUNCTION CHUNK	FOR IopQueryNameInternal

;  S U B	R O U T	I N E 


sub_925EA4	proc near		; DATA XREF: .text:006A6A54o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		mov	cl, [ebp+18h]
		call	_IopExceptionFilterMode@4 ; IopExceptionFilterMode(x)
		retn
sub_925EA4	endp


;  S U B	R O U T	I N E 


sub_925EB7	proc near		; DATA XREF: .text:006A6A58o
		mov	esi, [ebp-48h]
sub_925EB7	endp

; START	OF FUNCTION CHUNK FOR sub_925E3E

loc_925EBA:				; CODE XREF: sub_925E3E+3j
					; sub_925E61+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-3Ch]
		jmp	loc_83A118
; END OF FUNCTION CHUNK	FOR sub_925E3E
; 
; START	OF FUNCTION CHUNK FOR IopGetFileInformation

loc_925ECC:				; CODE XREF: IopGetFileInformation+56j
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, 0C000009Ah
		jmp	loc_83A3C3
; END OF FUNCTION CHUNK	FOR IopGetFileInformation
; 
; START	OF FUNCTION CHUNK FOR NtApphelpCacheControl

loc_925EDD:				; CODE XREF: NtApphelpCacheControl+4Cj
		mov	ecx, [ebp+arg_4]
		call	_AhcCacheQueryHwId@4 ; AhcCacheQueryHwId(x)
		jmp	loc_83A48D
; 

loc_925EEA:				; CODE XREF: NtApphelpCacheControl+11Dj
		mov	ecx, [esp+38h+var_24]
		call	ObfDereferenceObject
		jmp	loc_83A440
; 

loc_925EF8:				; CODE XREF: NtApphelpCacheControl+A6j
		mov	esi, 0C0000001h
		jmp	loc_83A48F
; 

loc_925F02:				; CODE XREF: NtApphelpCacheControl+30j
					; NtApphelpCacheControl+55j ...
		mov	esi, 0C000000Dh
		jmp	loc_83A48F
; END OF FUNCTION CHUNK	FOR NtApphelpCacheControl
; 
; START	OF FUNCTION CHUNK FOR IoVolumeDeviceToDosName

loc_925F0C:				; CODE XREF: IoVolumeDeviceToDosName+68j
		cmp	eax, 2
		jz	loc_83A59E
		cmp	eax, 24h
		jz	loc_83A59E
		cmp	eax, 1Fh
		jz	loc_83A59E
		mov	eax, 0C000000Dh
		jmp	loc_83A756
; 

loc_925F31:				; CODE XREF: IoVolumeDeviceToDosName+B7j
		push	0
		push	0
		push	0
		push	0
		lea	eax, [esp+258h+var_22C]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+248h+var_234]
		jmp	loc_83A5ED
; 

loc_925F4C:				; CODE XREF: IoVolumeDeviceToDosName+148j
		push	0
		push	0
		push	0
		push	0
		lea	eax, [esp+258h+var_22C]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+248h+var_234]
		jmp	loc_83A67E
; 

loc_925F67:				; CODE XREF: IoVolumeDeviceToDosName+158j
		mov	ecx, [esp+248h+var_23C]
		call	ObfDereferenceObject
		mov	eax, esi
		jmp	loc_83A756
; 

loc_925F77:				; CODE XREF: IoVolumeDeviceToDosName+16Bj
		mov	ecx, [esp+248h+var_23C]
		call	ObfDereferenceObject
		mov	eax, 0C0000206h
		jmp	loc_83A756
; 

loc_925F8A:				; CODE XREF: IoVolumeDeviceToDosName+1BFj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_925F92:				; CODE XREF: IoVolumeDeviceToDosName+131j
					; IoVolumeDeviceToDosName+182j
		mov	ecx, [esp+248h+var_23C]
		call	ObfDereferenceObject

loc_925F9B:				; CODE XREF: IoVolumeDeviceToDosName+A3j
		mov	eax, 0C000009Ah
		jmp	loc_83A756
; 

loc_925FA5:				; CODE XREF: IoVolumeDeviceToDosName+1D6j
		push	0
		push	0
		push	0
		push	0
		lea	eax, [esp+258h+var_22C]
		push	eax
		call	KeWaitForSingleObject
		mov	edi, [esp+248h+var_234]
		jmp	loc_83A70C
; 

loc_925FC0:				; CODE XREF: IoVolumeDeviceToDosName+1DEj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esp+248h+var_23C]
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	loc_83A756
; END OF FUNCTION CHUNK	FOR IoVolumeDeviceToDosName
; 
; START	OF FUNCTION CHUNK FOR IoGetDeviceObjectPointer

loc_925FD8:				; CODE XREF: IoGetDeviceObjectPointer+33j
		mov	eax, 200h
		jmp	loc_83A7BE
; END OF FUNCTION CHUNK	FOR IoGetDeviceObjectPointer
; 
; START	OF FUNCTION CHUNK FOR ObQueryDeviceMapInformation

loc_925FE2:				; CODE XREF: ObQueryDeviceMapInformation+86j
		xor	edi, edi
		jmp	loc_83AEC1
; 

loc_925FE9:				; CODE XREF: ObQueryDeviceMapInformation+B5j
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		jmp	loc_83AEF8
; 

loc_925FF3:				; CODE XREF: ObQueryDeviceMapInformation+ECj
		test	esi, esi
		jz	short loc_925FFD
		lea	ebx, [esi+198h]

loc_925FFD:				; CODE XREF: ObQueryDeviceMapInformation+EB1C5j
		mov	ecx, [ebx]
		mov	[ebp+arg_0], ecx
		jmp	loc_83AF26
; 

loc_926007:				; CODE XREF: ObQueryDeviceMapInformation+F8j
		xor	edx, edx
		mov	ecx, [ebp+var_20]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, 0C0000011h
		jmp	loc_83AFBC
; END OF FUNCTION CHUNK	FOR ObQueryDeviceMapInformation

;  S U B	R O U T	I N E 


sub_926027	proc near		; DATA XREF: .text:006A6B14o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		mov	eax, 1
		retn
sub_926027	endp


;  S U B	R O U T	I N E 


sub_926037	proc near		; DATA XREF: .text:006A6B18o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-28h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_83AFBC
sub_926037	endp

; 
; START	OF FUNCTION CHUNK FOR ObQueryDeviceMapInformation

loc_926049:				; CODE XREF: ObQueryDeviceMapInformation+7Ej
					; ObQueryDeviceMapInformation+A3j
		mov	eax, 0C000000Dh
		jmp	loc_83AFBC
; END OF FUNCTION CHUNK	FOR ObQueryDeviceMapInformation
; 

loc_926053:				; CODE XREF: PAGE:0083B03Fj
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_83AFF4
; 
; START	OF FUNCTION CHUNK FOR ObpReferenceDeviceMap

loc_926069:				; CODE XREF: ObpReferenceDeviceMap+35j
		mov	cl, 1
		mov	[ebp+var_1], cl
		jmp	loc_83B0DE
; 

loc_926073:				; CODE XREF: ObpReferenceDeviceMap+5Aj
		call	ObSetCurrentProcessDeviceMap
		test	eax, eax
		js	loc_83B15F
		jmp	loc_83B100
; END OF FUNCTION CHUNK	FOR ObpReferenceDeviceMap
; 
; START	OF FUNCTION CHUNK FOR CmpCmdInit

loc_926085:				; CODE XREF: CmpCmdInit+4Cj
		push	3Ch
		pop	eax
		mov	_CmpEnableLazyFlushBootDelayInterval, eax
		jmp	loc_884A2C
; 

loc_926092:				; CODE XREF: CmpCmdInit+59j
		mov	eax, ecx
		mov	_CmpEnableLazyFlushBootDelayInterval, eax
		jmp	loc_884A39
; END OF FUNCTION CHUNK	FOR CmpCmdInit
; 
; START	OF FUNCTION CHUNK FOR PopUpdateDiskIdleTimeoutSetting

loc_92609E:				; CODE XREF: PopUpdateDiskIdleTimeoutSetting+1Cj
		push	offset _PopCurrentDiskIdleTimeout ; void *
		push	4
		pop	edx
		mov	ecx, offset _GUID_DISK_IDLE_TIMEOUT ; int
		mov	_PopCurrentDiskIdleTimeout, eax
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		pop	ecx
		retn
; END OF FUNCTION CHUNK	FOR PopUpdateDiskIdleTimeoutSetting
; 
; START	OF FUNCTION CHUNK FOR PoRegisterCoalescingCallback

loc_9260B7:				; CODE XREF: PoRegisterCoalescingCallback+1Cj
		mov	eax, 0C000009Ah
		jmp	loc_884BB6
; END OF FUNCTION CHUNK	FOR PoRegisterCoalescingCallback
; 
; START	OF FUNCTION CHUNK FOR CmpInitializeLazyWriters

loc_9260C1:				; CODE XREF: CmpInitializeLazyWriters+ABj
		push	esi
		push	esi
		push	ebx
		push	18h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_9260CE:				; CODE XREF: PopGetLockConsoleTimeout+Aj
		cmp	_PopConsoleContext, ecx
		jnz	loc_83FCB4
		cmp	ecx, 0FFFFFFFFh
		jz	loc_83FCB4
		call	_PopGetLockConsoleTimeoutUnsafe@4 ; PopGetLockConsoleTimeoutUnsafe(x)
		pop	ecx
		retn
; END OF FUNCTION CHUNK	FOR CmpInitializeLazyWriters
; 
; START	OF FUNCTION CHUNK FOR PoRundownSystemTimer

loc_9260EA:				; CODE XREF: PoRundownSystemTimer+69j
		lea	eax, [ebp+var_6C]
		xor	edx, edx
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_7C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_83FDAF
; END OF FUNCTION CHUNK	FOR PoRundownSystemTimer
; 
; START	OF FUNCTION CHUNK FOR ExTraceTimerResolution

loc_92615D:				; CODE XREF: ExTraceTimerResolution+21j
		lea	edx, [esi-374h]
		mov	cl, 1
		call	PoTraceSystemTimerResolution
		mov	esi, [esi]
		jmp	loc_83FDDF
; END OF FUNCTION CHUNK	FOR ExTraceTimerResolution
; 
; START	OF FUNCTION CHUNK FOR PopLoggingInformation

loc_926171:				; CODE XREF: PopLoggingInformation+29j
					; PopLoggingInformation+79j
		add	esi, 10h
		jmp	loc_83FE79
; 

loc_926179:				; CODE XREF: PopLoggingInformation+A9j
		xor	eax, eax
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		and	[ecx+8], ebx
		jmp	loc_83FEEA
; END OF FUNCTION CHUNK	FOR PopLoggingInformation
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceDeviceVerboseRundown

loc_926189:				; CODE XREF: PopDiagTraceDeviceVerboseRundown+D1j
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		lea	eax, [ebp+var_114]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	ebx, [ebp+var_114]
		jmp	loc_83FFD5
; END OF FUNCTION CHUNK	FOR PopDiagTraceDeviceVerboseRundown
; 
; START	OF FUNCTION CHUNK FOR PopFxTraceDeviceRegistration

loc_9261A5:				; CODE XREF: PopFxTraceDeviceRegistration+46j
		mov	ecx, [ebx+20h]
		lea	edx, [ebp+var_10]
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		call	_PopPepGetDeviceVetoMasks@8 ; PopPepGetDeviceVetoMasks(x,x)
		mov	edx, [ebx+1Ch]
		lea	eax, [ebp+var_10]
		mov	esi, [ebx+10h]
		mov	ecx, [ebp+var_18]
		push	eax
		push	dword ptr [ebx+23Ch]
		lea	eax, [edx+48h]
		push	eax
		push	esi
		push	dword ptr [edx+58h]
		push	dword ptr [ebx+24h]
		call	_PopDiagTraceFxDeviceRegistration@32 ; PopDiagTraceFxDeviceRegistration(x,x,x,x,x,x,x,x)
		cmp	[ebp+var_11], 0
		mov	eax, offset _POP_ETW_EVENT_COMPONENT_REGISTRATION_RUNDOWN
		jnz	short loc_9261ED
		mov	eax, offset _POP_ETW_EVENT_COMPONENT_REGISTRATION

loc_9261ED:				; CODE XREF: PopFxTraceDeviceRegistration+E605Cj
		push	eax
		push	dword_6C1D74
		mov	[ebp+var_24], eax
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_926358
		mov	ecx, [ebx+23Ch]
		mov	[ebp+var_2C], ecx
		test	ecx, ecx
		jz	loc_926358
		mov	edx, [ebx+240h]
		mov	eax, [edx]
		mov	edi, [eax+6Ch]
		cmp	ecx, 1
		jbe	short loc_926242
		add	edx, 4
		dec	ecx

loc_92622F:				; CODE XREF: PopFxTraceDeviceRegistration+E60B6j
		mov	eax, [edx]
		mov	eax, [eax+6Ch]
		cmp	eax, edi
		jbe	short loc_92623A
		mov	edi, eax

loc_92623A:				; CODE XREF: PopFxTraceDeviceRegistration+E60ACj
		add	edx, 4
		sub	ecx, 1
		jnz	short loc_92622F

loc_926242:				; CODE XREF: PopFxTraceDeviceRegistration+E609Fj
		imul	eax, edi, 1Ch
		push	4D584650h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_38], esi
		test	esi, esi
		jz	loc_926358
		imul	ecx, edi, 18h
		xor	edi, edi
		mov	[ebp+var_28], edi
		add	ecx, esi
		mov	[ebp+var_18], ecx
		cmp	[ebp+var_2C], edi
		jbe	loc_92634D

loc_926275:				; CODE XREF: PopFxTraceDeviceRegistration+E61BDj
		mov	eax, [ebx+240h]
		mov	eax, [eax+edi*4]
		mov	[ebp+var_1C], eax
		mov	eax, [eax+6Ch]
		shl	eax, 2
		push	eax		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		pop	ecx
		pop	ecx
		push	[ebp+var_18]
		mov	ecx, [ebx+20h]
		mov	edx, edi
		call	_PopPepGetComponentVetoMasks@16	; PopPepGetComponentVetoMasks(x,x,x,x)
		mov	edx, [ebp+var_1C]
		and	[ebp+var_20], 0
		cmp	dword ptr [edx+6Ch], 0
		jbe	short loc_92630D
		push	0FFFFFFF0h
		pop	eax
		sub	eax, esi
		lea	edi, [esi+10h]
		mov	esi, [ebp+var_18]
		mov	ebx, edx
		mov	[ebp+var_30], eax

loc_9262BC:				; CODE XREF: PopFxTraceDeviceRegistration+E6175j
		mov	ecx, [ebx+70h]
		lea	edx, [eax+edi]
		mov	eax, [edx+ecx]
		mov	[edi-10h], eax
		mov	eax, [edx+ecx+4]
		mov	[edi-0Ch], eax
		mov	ecx, [ebx+70h]
		mov	eax, [edx+ecx+8]
		mov	[edi-8], eax
		mov	eax, [edx+ecx+0Ch]
		mov	ecx, [ebp+var_20]
		mov	[edi-4], eax
		mov	eax, [ebx+70h]
		mov	eax, [edx+eax+10h]
		mov	[edi], eax
		lea	edi, [edi+18h]
		mov	eax, [esi+ecx*4]
		inc	ecx
		mov	[edi-14h], eax
		mov	eax, [ebp+var_30]
		mov	[ebp+var_20], ecx
		cmp	ecx, [ebx+6Ch]
		jb	short loc_9262BC
		mov	ebx, [ebp+var_34]
		mov	esi, [ebp+var_38]
		mov	edi, [ebp+var_28]
		mov	edx, [ebp+var_1C]

loc_92630D:				; CODE XREF: PopFxTraceDeviceRegistration+E6120j
		mov	ecx, [edx+34h]
		mov	eax, [edx+68h]
		push	esi
		push	dword ptr [edx+6Ch]
		mov	edx, [ebx+1Ch]
		push	eax
		shr	ecx, 1Fh
		push	ecx
		mov	ecx, [ebp+var_24]
		push	edi
		call	_PopDiagTraceFxComponentRegistration@28	; PopDiagTraceFxComponentRegistration(x,x,x,x,x,x,x)
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax+168h]
		test	ecx, ecx
		jz	short loc_92633D
		mov	dl, [ebp+var_11]
		call	_PopFxTracePerfRegistration@8 ;	PopFxTracePerfRegistration(x,x)

loc_92633D:				; CODE XREF: PopFxTraceDeviceRegistration+E61A9j
		mov	ecx, [ebp+var_18]
		inc	edi
		mov	[ebp+var_28], edi
		cmp	edi, [ebp+var_2C]
		jb	loc_926275

loc_92634D:				; CODE XREF: PopFxTraceDeviceRegistration+E60E5j
		push	4D584650h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_926358:				; CODE XREF: PopFxTraceDeviceRegistration+E607Aj
					; PopFxTraceDeviceRegistration+E608Bj ...
		pop	edi
		pop	esi
		jmp	loc_8401D6
; END OF FUNCTION CHUNK	FOR PopFxTraceDeviceRegistration
; 
; START	OF FUNCTION CHUNK FOR PopTraceStandbyConnectivityRundown

loc_92635F:				; CODE XREF: PopTraceStandbyConnectivityRundown+39j
		push	4
		pop	eax
		mov	[ebp+var_1C], eax
		xor	ecx, ecx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_24], offset _PopNetStandbyState
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], offset _PopNetStandbyReason
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_84031D
; END OF FUNCTION CHUNK	FOR PopTraceStandbyConnectivityRundown

;  S U B	R O U T	I N E 


sub_926398	proc near		; CODE XREF: PopDiagTraceDeviceComplianceRundown+35j
		push	ebx
		push	esi
		xor	esi, esi
		lea	ecx, [ebp-28h]
		mov	eax, esi
		push	4
		mov	[ebp-28h], eax
		pop	ebx

loc_9263A7:				; CODE XREF: sub_926398+54j
		lea	eax, _PopCsDeviceCompliance[eax*4]
		mov	[ebp-24h], ecx
		mov	[ebp-14h], eax
		lea	eax, [ebp-24h]
		push	eax
		push	2
		push	esi
		push	edi
		push	dword_6C1D74
		mov	[ebp-20h], esi
		push	_PopDiagHandle
		mov	[ebp-1Ch], ebx
		mov	[ebp-18h], esi
		mov	[ebp-10h], esi
		mov	[ebp-0Ch], ebx
		mov	[ebp-8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	eax, [ebp-28h]
		lea	ecx, [ebp-28h]
		inc	eax
		mov	[ebp-28h], eax
		cmp	eax, 5
		jb	short loc_9263A7
		pop	esi
		pop	ebx
		jmp	loc_840367
sub_926398	endp

; 
; START	OF FUNCTION CHUNK FOR PopDiagTracePowerStateEventRundown

loc_9263F5:				; CODE XREF: PopDiagTracePowerStateEventRundown+35j
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edi

loc_9263FB:				; CODE XREF: PopDiagTracePowerStateEventRundown+E6071j
		mov	ecx, esi
		mov	[ebp+var_30], edi
		shl	ecx, 5
		add	ecx, offset _PopPowerEventTable
		mov	[ebp+var_2C], 4
		mov	[ebp+var_34], ecx
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		lea	eax, [ecx+8]
		mov	[ebp+var_1C], 4
		mov	[ebp+var_24], eax
		lea	eax, [ecx+10h]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edi
		push	ebx
		push	dword_6C1D74
		mov	[ebp+var_18], edi
		push	_PopDiagHandle
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], 8
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		inc	esi
		cmp	esi, 30h
		jb	short loc_9263FB
		pop	edi
		pop	esi
		jmp	loc_840423
; END OF FUNCTION CHUNK	FOR PopDiagTracePowerStateEventRundown
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceSystemIdleRundown

loc_926462:				; CODE XREF: PopDiagTraceSystemIdleRundown+39j
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], offset _PopIdleScanInterval
		push	eax
		push	1
		xor	ecx, ecx
		mov	[ebp+var_C], 4
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_84046F
; END OF FUNCTION CHUNK	FOR PopDiagTraceSystemIdleRundown
; 
; START	OF FUNCTION CHUNK FOR NtSetInformationObject

loc_92648C:				; CODE XREF: NtSetInformationObject+C5j
					; NtSetInformationObject+182j
		mov	edi, 0C0000061h
		jmp	loc_8404FC
; 

loc_926496:				; CODE XREF: NtSetInformationObject+13Bj
		mov	edi, 0C0000022h
		call	ObfDereferenceObject
		jmp	loc_8405C5
; 

loc_9264A5:				; CODE XREF: NtSetInformationObject+10Aj
		mov	edi, 0C0000455h
		jmp	loc_8405CF
; 

loc_9264AF:				; CODE XREF: NtSetInformationObject+23j
		mov	eax, 0C0000004h
		jmp	loc_8404FE
; 

loc_9264B9:				; CODE XREF: NtSetInformationObject+4Ej
					; NtSetInformationObject+56j
		mov	[eax], bl
		jmp	loc_8404DA
; END OF FUNCTION CHUNK	FOR NtSetInformationObject

;  S U B	R O U T	I N E 


sub_9264C0	proc near		; DATA XREF: .text:006A6F1Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_9264C0	endp


;  S U B	R O U T	I N E 


sub_9264D0	proc near		; DATA XREF: .text:006A6F20o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_8404FE
sub_9264D0	endp

; 
; START	OF FUNCTION CHUNK FOR ObSetHandleAttributes

loc_9264E2:				; CODE XREF: ObSetHandleAttributes+5Aj
		mov	ecx, edi
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9264F9
		mov	eax, 0C0000008h
		jmp	loc_840772
; 

loc_9264F9:				; CODE XREF: ObSetHandleAttributes+E5E7Bj
		mov	[esp+38h+var_2A], 1
		jmp	loc_8406E4
; 

loc_926503:				; CODE XREF: ObSetHandleAttributes+A7j
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edx+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		test	byte ptr [eax+30h], 2
		jnz	loc_84073A
		mov	eax, [ebp+arg_4]
		mov	cl, [esp+38h+var_29]
		jmp	loc_84071F
; 

loc_926537:				; CODE XREF: ObSetHandleAttributes+91j
		mov	ebx, 0C0000022h
		jmp	loc_840755
; 

loc_926541:				; CODE XREF: ObSetHandleAttributes+F8j
		mov	ecx, [esp+38h+var_28]
		lea	ecx, [ecx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_840770
; END OF FUNCTION CHUNK	FOR ObSetHandleAttributes
; 
; START	OF FUNCTION CHUNK FOR ObpLookupDirectoryEntryEx

loc_926555:				; CODE XREF: ObpLookupDirectoryEntryEx+ABj
					; ObpLookupDirectoryEntryEx+E5DDDj
		mov	dl, [ebp+arg_8]
		mov	ecx, eax
		call	_ObpGetShadowDirectory@8 ; ObpGetShadowDirectory(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_92659E
		cmp	byte ptr [edi+12h], 0
		jz	short loc_92658E
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, edi
		mov	ecx, esi
		call	_ObpUnlockDirectory@8 ;	ObpUnlockDirectory(x,x)
		mov	edx, ebx
		mov	ecx, edi
		call	_ObpLockDirectoryShared@8 ; ObpLockDirectoryShared(x,x)
		mov	ecx, esi
		call	ObfDereferenceObject

loc_92658E:				; CODE XREF: ObpLookupDirectoryEntryEx+E5D99j
		push	[ebp+arg_0]
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		push	edi
		call	ObpLookupDirectoryUsingHash
		mov	esi, eax

loc_92659E:				; CODE XREF: ObpLookupDirectoryEntryEx+E5D93j
		mov	eax, ebx
		mov	[ebp+var_4], eax
		test	esi, esi
		jnz	loc_840858
		test	ebx, ebx
		jnz	short loc_926555
		jmp	loc_840858
; END OF FUNCTION CHUNK	FOR ObpLookupDirectoryEntryEx
; 
; START	OF FUNCTION CHUNK FOR ObpLookupDirectoryUsingHash

loc_9265B4:				; CODE XREF: ObpLookupDirectoryUsingHash+A2j
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_ObpUnlockDirectory@8 ;	ObpUnlockDirectory(x,x)
		jmp	loc_840928
; END OF FUNCTION CHUNK	FOR ObpLookupDirectoryUsingHash
; 
; START	OF FUNCTION CHUNK FOR ObpRemovePendingDirectoryItem

loc_9265C3:				; CODE XREF: ObpRemovePendingDirectoryItem+29j
		mov	eax, [esi]
		mov	edi, [esi+4]
		mov	_ObpPendingObjectDirectoryList,	eax
		jmp	loc_84097F
; 

loc_9265D2:				; CODE XREF: ObpRemovePendingDirectoryItem+3Fj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_840995
; END OF FUNCTION CHUNK	FOR ObpRemovePendingDirectoryItem
; 
; START	OF FUNCTION CHUNK FOR ObpMarkDirectoryObjectsTemporary

loc_9265DF:				; CODE XREF: ObpMarkDirectoryObjectsTemporary+7Bj
		and	[ebp+var_C], 0
		jmp	loc_840A31
; 

loc_9265E8:				; CODE XREF: ObpMarkDirectoryObjectsTemporary+C6j
		mov	eax, [ebp+var_C]
		cmp	dword ptr [eax+0Ch], 0
		jnz	loc_840A68
		mov	eax, edi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	[ebp+var_20], eax
		cmp	eax, _ObpSymbolicLinkObjectType
		jnz	short loc_926626
		lea	ecx, [edi+18h]
		call	ObpDeleteSymbolicLinkName

loc_926626:				; CODE XREF: ObpMarkDirectoryObjectsTemporary+E5C80j
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		mov	eax, [esi]
		mov	[ebp+var_24], ecx
		mov	[edx], eax
		mov	eax, [ebp+var_20]
		mov	esi, [esi]
		cmp	eax, _ObpDirectoryObjectType
		jnz	short loc_926649
		call	_ObpAddToPendingDirectoryList@4	; ObpAddToPendingDirectoryList(x)
		mov	edi, [ebp+var_8]
		jmp	short loc_92665D
; 

loc_926649:				; CODE XREF: ObpMarkDirectoryObjectsTemporary+E5CA1j
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		call	ObfDereferenceObject
		push	0
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92665D:				; CODE XREF: ObpMarkDirectoryObjectsTemporary+E5CABj
		mov	eax, [ebp+var_C]
		mov	ecx, ebx
		and	dword ptr [eax], 0
		call	ObfDereferenceObject
		mov	[ebp+var_1], 1
		jmp	loc_840A6B
; END OF FUNCTION CHUNK	FOR ObpMarkDirectoryObjectsTemporary
; 
; START	OF FUNCTION CHUNK FOR PopReleaseAdaptiveLock

loc_926673:				; CODE XREF: PopReleaseAdaptiveLock+32j
		push	6
		pop	ecx
		mov	esi, offset _PopLazyContext
		lea	edi, [ebp+var_38]
		rep movsd
		mov	_PopLazyContext, al
		jmp	loc_84106E
; 

loc_92668A:				; CODE XREF: PopReleaseAdaptiveLock+52j
		cmp	[ebp+var_26], 0
		mov	esi, [ebp+var_34]
		jz	short loc_92669D
		lea	ecx, [ebp+var_38]
		call	_PopSensorActiveInput@4	; PopSensorActiveInput(x)
		jmp	short loc_9266BD
; 

loc_92669D:				; CODE XREF: PopReleaseAdaptiveLock+E565Bj
		cmp	[ebp+var_28], 0
		jz	short loc_9266AD
		mov	edx, [ebp+var_30]
		mov	ecx, esi
		call	_PopSetWin32kInputTimeout@8 ; PopSetWin32kInputTimeout(x,x)

loc_9266AD:				; CODE XREF: PopReleaseAdaptiveLock+E566Bj
		cmp	[ebp+var_27], 0
		jz	short loc_9266BD
		mov	edx, [ebp+var_2C]
		mov	ecx, esi
		call	_PopSetWin32kDisplayTimeout@8 ;	PopSetWin32kDisplayTimeout(x,x)

loc_9266BD:				; CODE XREF: PopReleaseAdaptiveLock+E5665j
					; PopReleaseAdaptiveLock+E567Bj
		lea	edx, [ebp+var_20]
		mov	[ebp+var_20], esi
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_C], 7
		call	PopDispatchStateCallout
		cmp	[ebp+var_25], 0
		jz	loc_84108E
		mov	edx, [ebp+var_30]
		or	ecx, 0FFFFFFFFh
		call	_PopSetWin32kInputTimeout@8 ; PopSetWin32kInputTimeout(x,x)
		jmp	loc_84108E
; END OF FUNCTION CHUNK	FOR PopReleaseAdaptiveLock
; 
; START	OF FUNCTION CHUNK FOR PopAcquireAdaptiveLock

loc_9266EC:				; CODE XREF: PopAcquireAdaptiveLock+26j
		lea	ecx, [ebp+var_1C]
		call	PoBlockConsoleSwitch
		or	[ebp+var_24], 0FFFFFFFFh
		mov	esi, eax
		mov	ecx, _PopConsoleContext
		mov	[ebp+var_28], 0FFFE7960h
		cmp	esi, ecx
		jz	loc_8410C8

loc_92670F:				; CODE XREF: PopAcquireAdaptiveLock+E5687j
		lea	eax, [ebp+var_28]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	eax, _PopConsoleContext
		cmp	esi, eax
		jnz	short loc_92670F
		jmp	loc_8410C8
; 

loc_92672A:				; CODE XREF: PopAcquireAdaptiveLock+53j
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, offset _PopLazyContext
		rep stosd
		mov	_PopLazyContext, 1
		mov	dword_6BFB64, esi
		jmp	loc_8410F5
; END OF FUNCTION CHUNK	FOR PopAcquireAdaptiveLock
; 
; START	OF FUNCTION CHUNK FOR PopEvaluateGlobalUserStatus

loc_926748:				; CODE XREF: PopEvaluateGlobalUserStatus+12j
					; PopEvaluateGlobalUserStatus+1Ej
		mov	esi, edi
		jmp	loc_841524
; END OF FUNCTION CHUNK	FOR PopEvaluateGlobalUserStatus
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceControlCallback

loc_92674F:				; CODE XREF: PopDiagTraceControlCallback+40j
		mov	eax, [ebp+arg_10]
		and	eax, 8000h
		or	edi, eax
		jz	short loc_926766
		xor	edx, edx
		push	5
		inc	edx
		pop	ecx
		call	PopTransitionTelemetryOsState

loc_926766:				; CODE XREF: PopDiagTraceControlCallback+E5069j
		mov	ecx, _PopPowerPlane
		test	ecx, ecx
		jz	loc_841715
		call	_PopPlTraceLogPowerPlane@4 ; PopPlTraceLogPowerPlane(x)
		jmp	loc_841715
; 

loc_92677E:				; CODE XREF: PopDiagTraceControlCallback+94j
		mov	dword_6C3884, edi
		jmp	loc_84178A
; END OF FUNCTION CHUNK	FOR PopDiagTraceControlCallback
; 
; START	OF FUNCTION CHUNK FOR NtSetThreadExecutionState

loc_926789:				; CODE XREF: NtSetThreadExecutionState+22j
		mov	esi, 0C00000BBh
		jmp	loc_841A5F
; 

loc_926793:				; CODE XREF: NtSetThreadExecutionState+3Bj
					; NtSetThreadExecutionState+E4E31j
		mov	esi, 0C000000Dh
		jmp	loc_841A5F
; 

loc_92679D:				; CODE XREF: NtSetThreadExecutionState+44j
		test	ebx, ebx
		jns	short loc_926793
		jmp	loc_8419B8
; 

loc_9267A6:				; CODE XREF: NtSetThreadExecutionState+59j
		mov	ecx, eax
		jmp	loc_8419CD
; 

loc_9267AD:				; CODE XREF: NtSetThreadExecutionState+ACj
		test	edi, edi
		jz	loc_841A5F
		mov	ecx, edi
		call	_PoDestroyReasonContext@4 ; PoDestroyReasonContext(x)
		jmp	loc_841A5F
; 

loc_9267C1:				; CODE XREF: NtSetThreadExecutionState+13Dj
		cmp	_PopLidOpened, bl
		jnz	loc_841AB1
		cmp	_PopConsoleExternalDisplayConnected, bl
		jnz	loc_841AB1
		mov	bl, 1
		jmp	loc_841AB1
; END OF FUNCTION CHUNK	FOR NtSetThreadExecutionState

;  S U B	R O U T	I N E 


sub_9267E0	proc near		; DATA XREF: .text:006A6F90o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_9267E0	endp


;  S U B	R O U T	I N E 


sub_9267EE	proc near		; DATA XREF: .text:006A6F94o
		mov	esi, [ebp-2Ch]
		jmp	short loc_926804
; 

loc_9267F3:				; DATA XREF: .text:006A6F84o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_926801:				; DATA XREF: .text:006A6F88o
		mov	esi, [ebp-30h]

loc_926804:				; CODE XREF: sub_9267EE+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_841A5F
sub_9267EE	endp

; 
; START	OF FUNCTION CHUNK FOR PopUnicodeStringDeepCopy

loc_926813:				; CODE XREF: PopUnicodeStringDeepCopy+29j
		movzx	eax, word ptr [ecx+2]
		cmp	eax, ebx
		jnb	loc_841B52
		jmp	loc_841B25
; 

loc_926824:				; CODE XREF: PopUnicodeStringDeepCopy+48j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_4]
		jmp	loc_841B44
; END OF FUNCTION CHUNK	FOR PopUnicodeStringDeepCopy
; 
; START	OF FUNCTION CHUNK FOR PopNotifySessionUserPowerRequestCreated

loc_926834:				; CODE XREF: PopNotifySessionUserPowerRequestCreated+88j
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	0
		push	0
		push	[ebp+arg_0]
		push	ebx
		call	_TtmpInsertPowerRequestToSession@24 ; TtmpInsertPowerRequestToSession(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		mov	byte ptr [ebp+arg_0], al
		push	[ebp+arg_0]
		call	_TtmiLogSessionPowerRequestCreated@12 ;	TtmiLogSessionPowerRequestCreated(x,x,x)
		jmp	loc_841CF4
; END OF FUNCTION CHUNK	FOR PopNotifySessionUserPowerRequestCreated
; 
; START	OF FUNCTION CHUNK FOR PopCreatePowerRequestObject

loc_92685B:				; CODE XREF: PopCreatePowerRequestObject+4Ej
		mov	eax, 0C000009Ah
		jmp	loc_8420EB
; 

loc_926865:				; CODE XREF: PopCreatePowerRequestObject+D7j
		mov	ecx, edi
		call	_PopPowerRequestDeleteEntryNoLock@4 ; PopPowerRequestDeleteEntryNoLock(x)
		mov	eax, [ebp+var_4]
		jmp	loc_8420EB
; END OF FUNCTION CHUNK	FOR PopCreatePowerRequestObject
; 
; START	OF FUNCTION CHUNK FOR PopAvlFindOrMakeStatsForPowerRequest

loc_926874:				; CODE XREF: PopAvlFindOrMakeStatsForPowerRequest+D2j
		lea	eax, [ebp+var_B9+1]
		push	eax
		push	edi
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		xor	esi, esi
		jmp	loc_8421D4
; END OF FUNCTION CHUNK	FOR PopAvlFindOrMakeStatsForPowerRequest
; 
; START	OF FUNCTION CHUNK FOR PopPowerRequestActionInfo

loc_926888:				; CODE XREF: PopPowerRequestActionInfo+50j
		cmp	bl, 1
		jz	loc_84294E
		mov	esi, 0C00000BBh
		jmp	loc_84296B
; 

loc_92689B:				; CODE XREF: PopPowerRequestActionInfo+66j
		push	dword ptr [edi+0Ch]
		call	_PopSetSpecialRequest@12 ; PopSetSpecialRequest(x,x,x)
		jmp	loc_842969
; END OF FUNCTION CHUNK	FOR PopPowerRequestActionInfo
; 
; START	OF FUNCTION CHUNK FOR PopAnsiStringToUnicodeString

loc_9268A8:				; CODE XREF: PopAnsiStringToUnicodeString+26j
		cmp	dword ptr [esi], 0
		jnz	loc_842D2F
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		jmp	loc_842CF4
; 

loc_9268BB:				; CODE XREF: PopAnsiStringToUnicodeString+32j
		movzx	eax, word ptr [ebx+2]
		cmp	eax, ecx
		jnb	loc_842D2E
		jmp	loc_842D00
; 

loc_9268CC:				; CODE XREF: PopAnsiStringToUnicodeString+52j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_8]
		jmp	loc_842D20
; END OF FUNCTION CHUNK	FOR PopAnsiStringToUnicodeString
; 
; START	OF FUNCTION CHUNK FOR PopInsertPowerRequestObject

loc_9268DC:				; CODE XREF: PopInsertPowerRequestObject+2j
		mov	eax, dword_6C3914
		mov	edx, offset _PopSpecialPowerRequestObjectList
		cmp	[eax], edx
		jnz	loc_842D7C
		inc	_PopSpecialPowerRequestObjectCount
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	dword_6C3914, ecx
		retn
; END OF FUNCTION CHUNK	FOR PopInsertPowerRequestObject
; 
; START	OF FUNCTION CHUNK FOR PopNotifySessionUserPowerRequestDeleted

loc_926902:				; CODE XREF: PopNotifySessionUserPowerRequestDeleted+1Bj
		push	44h		; size_t
		lea	eax, [ebp+var_48]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_48], 11h
		lea	ecx, [ebp+var_48]
		mov	[ebp+var_44], esi
		push	0
		push	44h
		pop	edx
		call	PopUmpoSendPowerMessage
		jmp	loc_842DC1
; END OF FUNCTION CHUNK	FOR PopNotifySessionUserPowerRequestDeleted
; 
; START	OF FUNCTION CHUNK FOR PspLocateInPEManifest

loc_92692E:				; CODE XREF: PspLocateInPEManifest+77j
		cmp	eax, 0C0000204h
		jz	loc_843055
		jmp	loc_843057
; END OF FUNCTION CHUNK	FOR PspLocateInPEManifest
; 
; START	OF FUNCTION CHUNK FOR LdrpResSearchResourceInsideDirectory

loc_92693E:				; CODE XREF: LdrpResSearchResourceInsideDirectory+32Cj
					; LdrpResSearchResourceInsideDirectory+5DDj
		mov	esi, 0C000000Dh
		jmp	loc_843A5B
; 

loc_926948:				; CODE XREF: LdrpResSearchResourceInsideDirectory+371j
		mov	eax, [ebp+var_38]
		mov	edx, [eax+4]
		mov	eax, [ebp+arg_4]
		add	edx, eax
		jmp	loc_843901
; 

loc_926958:				; CODE XREF: LdrpResSearchResourceInsideDirectory+239j
					; LdrpResSearchResourceInsideDirectory+2EAj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_843A67
; 

loc_926964:				; CODE XREF: LdrpResSearchResourceInsideDirectory+5B9j
		mov	edi, esi
		mov	[ebp+var_34], edi
		jmp	loc_843B5F
; 

loc_92696E:				; CODE XREF: LdrpResSearchResourceInsideDirectory+5F7j
		mov	eax, [ebp+arg_4]
		add	edx, eax
		mov	[ebp+var_28], edx
		mov	[ebp+var_30], edx
		jmp	loc_8437FD
; 

loc_92697E:				; CODE XREF: LdrpResSearchResourceInsideDirectory+642j
		mov	eax, [ebp+var_4C]
		dec	eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_54], eax
		jmp	loc_84375B
; 

loc_92698D:				; CODE XREF: LdrpResSearchResourceInsideDirectory+25Bj
		mov	edi, edx
		and	edi, 7FFFFFFFh
		mov	eax, [ebp+arg_4]
		add	edi, eax
		mov	[ebp+var_34], edi
		mov	edx, [ebp+var_28]
		jmp	loc_8437FD
; 

loc_9269A5:				; CODE XREF: LdrpResSearchResourceInsideDirectory+5A6j
		mov	eax, [ebp+var_60]
		inc	eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_78], eax
		movzx	eax, ax
		mov	[ebp+var_54], eax
		mov	eax, [ebp+var_70]
		cwde
		cmp	[ebp+var_54], eax
		jge	short loc_9269D4
		mov	eax, [ebp+var_54]
		mov	edi, [ebp+arg_18]
		movzx	eax, word ptr [edi+eax*8+4]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_54], eax
		jmp	loc_84373C
; 

loc_9269D4:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E3452j
		mov	eax, [ebp+arg_18]
		cmp	byte ptr [eax+204h], 0
		jnz	loc_843807
		mov	eax, [ebp+var_2C]
		or	eax, 20h
		mov	[ebp+var_2C], eax
		mov	[ebp+arg_24], eax
		jmp	loc_843732
; 

loc_9269F5:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E3j
		mov	eax, [ebp+arg_4]
		jmp	loc_843915
; 

loc_9269FD:				; CODE XREF: LdrpResSearchResourceInsideDirectory+3C7j
					; LdrpResSearchResourceInsideDirectory+3DAj ...
		mov	[ebp+var_30], esi
		jmp	loc_843D34
; 

loc_926A05:				; CODE XREF: LdrpResSearchResourceInsideDirectory+656j
		mov	edx, 20Bh
		cmp	ax, dx
		jnz	short loc_926A1A
		mov	ecx, [ecx+98h]
		jmp	loc_843BCC
; 

loc_926A1A:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E34A3j
		mov	ecx, esi
		mov	[ebp+arg_10], esi
		jmp	loc_843BCF
; 

loc_926A24:				; CODE XREF: LdrpResSearchResourceInsideDirectory+667j
		mov	[ebp+var_30], esi
		mov	esi, 0C0000089h
		jmp	loc_843A5B
; 

loc_926A31:				; CODE XREF: LdrpResSearchResourceInsideDirectory+40Aj
		mov	eax, esi
		mov	[ebp+arg_10], eax
		jmp	loc_8439CB
; 

loc_926A3B:				; CODE XREF: LdrpResSearchResourceInsideDirectory+46Cj
		mov	eax, [ebp+var_28]
		mov	eax, [eax]
		sub	eax, edx
		jmp	loc_843A11
; 

loc_926A47:				; CODE XREF: LdrpResSearchResourceInsideDirectory+5C0j
		cmp	[ebp+var_2C], 0
		jz	loc_843B30
		test	ecx, ecx
		jz	short loc_926A80
		lea	eax, [ebp+var_20]
		push	eax
		push	18h
		pop	edx
		mov	ecx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_843D31
		and	ebx, 0FFFFFFFCh
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebx+edx]
		lea	eax, [edi+18h]
		cmp	eax, ecx
		jbe	short loc_926A86
		jmp	loc_843D31
; 

loc_926A80:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E34E9j
		and	ebx, 0FFFFFFFCh
		mov	edx, [ebp+arg_0]

loc_926A86:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E350Fj
		mov	ecx, [ebp+arg_1C]
		test	ecx, ecx
		jz	loc_843A5B
		cmp	[ebp+var_24], 0
		jz	short loc_926AAA
		cmp	edi, ebx
		jb	loc_843D34
		lea	eax, [ebx+edx]
		cmp	edi, eax
		ja	loc_843D34

loc_926AAA:				; CODE XREF: LdrpResSearchResourceInsideDirectory+E352Bj
		mov	[ecx], edi
		jmp	loc_843A5B
; END OF FUNCTION CHUNK	FOR LdrpResSearchResourceInsideDirectory

;  S U B	R O U T	I N E 


sub_926AB1	proc near		; DATA XREF: .text:006A7074o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-7Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_926AB1	endp


;  S U B	R O U T	I N E 


sub_926ABF	proc near		; DATA XREF: .text:006A7078o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-7Ch]
		jmp	loc_843A5B
sub_926ABF	endp

; 
; START	OF FUNCTION CHUNK FOR LdrpResSearchResourceInsideDirectory

loc_926ACA:				; CODE XREF: LdrpResSearchResourceInsideDirectory+27j
					; LdrpResSearchResourceInsideDirectory+30j ...
		mov	eax, 0C000000Dh
		jmp	loc_843A67
; END OF FUNCTION CHUNK	FOR LdrpResSearchResourceInsideDirectory
; 
; START	OF FUNCTION CHUNK FOR LdrpResCompareResourceNames

loc_926AD4:				; CODE XREF: LdrpResCompareResourceNames+63j
		mov	eax, [ebp+arg_14]
		or	dword ptr [eax], 0FFFFFFFFh
		jmp	loc_843D9C
; 

loc_926ADF:				; CODE XREF: LdrpResCompareResourceNames+CEj
					; LdrpResCompareResourceNames+E2DABj ...
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 1
		jmp	loc_843D9C
; 

loc_926AED:				; CODE XREF: LdrpResCompareResourceNames+3Fj
		test	eax, eax
		jz	short loc_926ADF
		test	ebx, edx
		jnz	short loc_926ADF
		jmp	loc_843E22
; 

loc_926AFA:				; CODE XREF: LdrpResCompareResourceNames+1Dj
					; LdrpResCompareResourceNames+28j
		mov	eax, 0C000000Dh
		jmp	loc_843D9F
; END OF FUNCTION CHUNK	FOR LdrpResCompareResourceNames
; 
; START	OF FUNCTION CHUNK FOR LdrpResGetResourceDirectory

loc_926B04:				; CODE XREF: LdrpResGetResourceDirectory+8Dj
		mov	ecx, 20Bh
		cmp	ax, cx
		jnz	loc_84400C
		push	3Ch
		pop	ecx
		lea	edi, [ebp+var_13C]
		rep movsd
		mov	cl, bl
		jmp	loc_843ED1
; 

loc_926B24:				; CODE XREF: LdrpResGetResourceDirectory+A9j
		mov	eax, [ebp+var_D0]
		jmp	loc_843EDF
; 

loc_926B2F:				; CODE XREF: LdrpResGetResourceDirectory+C0j
		mov	edi, [ebp+var_BC]
		jmp	loc_843EF6
; 

loc_926B3A:				; CODE XREF: LdrpResGetResourceDirectory+121j
					; LdrpResGetResourceDirectory+132j ...
		mov	ebx, 0C000007Bh
		jmp	loc_843F9F
; END OF FUNCTION CHUNK	FOR LdrpResGetResourceDirectory

;  S U B	R O U T	I N E 


sub_926B44	proc near		; DATA XREF: .text:006A70A0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_926B44	endp


;  S U B	R O U T	I N E 


sub_926B52	proc near		; DATA XREF: .text:006A70A4o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-40h]
		jmp	loc_843FC7
sub_926B52	endp

; 
; START	OF FUNCTION CHUNK FOR LdrpResGetResourceDirectory

loc_926B5D:				; CODE XREF: LdrpResGetResourceDirectory+113j
		mov	ebx, 0C0000089h
		jmp	loc_843F9F
; END OF FUNCTION CHUNK	FOR LdrpResGetResourceDirectory

;  S U B	R O U T	I N E 


sub_926B67	proc near		; DATA XREF: .text:006A7094o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		xor	eax, eax
		inc	eax
		retn
sub_926B67	endp


;  S U B	R O U T	I N E 


sub_926B75	proc near		; DATA XREF: .text:006A7098o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-44h]
		jmp	loc_843FC4
sub_926B75	endp

; 
; START	OF FUNCTION CHUNK FOR LdrpResGetResourceDirectory

loc_926B80:				; CODE XREF: LdrpResGetResourceDirectory+2Cj
					; LdrpResGetResourceDirectory+35j ...
		mov	eax, 0C000000Dh
		jmp	loc_843FA1
; END OF FUNCTION CHUNK	FOR LdrpResGetResourceDirectory
; 
; START	OF FUNCTION CHUNK FOR LdrResFallbackLangList

loc_926B8A:				; CODE XREF: LdrResFallbackLangList+16j
		mov	ebx, 0C000000Dh
		jmp	loc_8440C2
; 

loc_926B94:				; CODE XREF: LdrResFallbackLangList+38j
		mov	ecx, 0EEEEh
		jmp	loc_844052
; 

loc_926B9E:				; CODE XREF: LdrResFallbackLangList+120j
		lea	edx, [ebp+var_4]
		mov	byte ptr [esi+204h], 1
		call	LdrpGetParentLangId
		test	eax, eax
		jns	short loc_926BB8
		mov	ecx, ebx
		mov	[ebp+var_4], ecx
		jmp	short loc_926BBB
; 

loc_926BB8:				; CODE XREF: LdrResFallbackLangList+E2B9Bj
		mov	ecx, [ebp+var_4]

loc_926BBB:				; CODE XREF: LdrResFallbackLangList+E2BA2j
		test	cx, cx
		jnz	short loc_926BC3
		or	edi, 0FFFFFFFFh

loc_926BC3:				; CODE XREF: LdrResFallbackLangList+E2BAAj
		mov	[ebp+var_8], edi
		jmp	loc_844142
; END OF FUNCTION CHUNK	FOR LdrResFallbackLangList
; 
; START	OF FUNCTION CHUNK FOR LdrpAccessResourceData

loc_926BCB:				; CODE XREF: LdrpAccessResourceData+19j
					; LdrpAccessResourceData+21j
		mov	eax, 0C000000Dh
		jmp	loc_84426D
; END OF FUNCTION CHUNK	FOR LdrpAccessResourceData
; 
; START	OF FUNCTION CHUNK FOR LdrpAccessResourceDataNoMultipleLanguage

loc_926BD5:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+28j
					; LdrpAccessResourceDataNoMultipleLanguage+95j	...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000089h
		jmp	loc_8443C2
; 

loc_926BE6:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+48j
					; LdrpAccessResourceDataNoMultipleLanguage+5Bj	...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ecx
		jmp	loc_8443C2
; 

loc_926BF4:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+A7j
		mov	ecx, 20Bh
		cmp	ax, cx
		jnz	short loc_926C09
		mov	ecx, [esi+98h]
		jmp	loc_844353
; 

loc_926C09:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+E295Cj
		xor	ecx, ecx
		jmp	loc_844353
; 

loc_926C10:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+DFj
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_38], eax
		push	edx
		mov	ecx, esi
		call	RtlSectionTableFromVirtualAddress
		mov	[ebp+var_34], eax
		test	eax, eax
		jz	short loc_926BD5
		push	dword ptr [eax+0Ch]
		mov	edx, ebx
		mov	ecx, esi
		call	_RtlAddressInSectionTable@12 ; RtlAddressInSectionTable(x,x,x)
		mov	edx, [ebp+var_34]
		mov	ecx, [edx+0Ch]
		sub	ecx, [ebp+var_38]
		add	ecx, [ebp+var_24]
		sub	ecx, eax
		mov	edx, [ebp+var_28]
		add	edx, ecx
		mov	eax, [ebp+var_1C]
		jmp	loc_844388
; 

loc_926C4C:				; CODE XREF: LdrpAccessResourceDataNoMultipleLanguage+FDj
					; LdrpAccessResourceDataNoMultipleLanguage+150j
		and	dword ptr [ecx], 0
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000007Bh
		jmp	loc_8443C2
; END OF FUNCTION CHUNK	FOR LdrpAccessResourceDataNoMultipleLanguage

;  S U B	R O U T	I N E 


sub_926C60	proc near		; DATA XREF: .text:006A70DCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_926C60	endp


;  S U B	R O U T	I N E 


sub_926C6E	proc near		; DATA XREF: .text:006A70E0o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-3Ch]
		mov	[ebp-40h], edi
		jmp	loc_8443B9
sub_926C6E	endp

; 
; START	OF FUNCTION CHUNK FOR EtwpInitLoggerContext

loc_926C7C:				; CODE XREF: EtwpInitLoggerContext+240j
		mov	edi, eax
		shl	edi, 2
		mov	[ebp+var_4], edi
		jmp	loc_844E6A
; 

loc_926C89:				; CODE XREF: EtwpInitLoggerContext+E20C3j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_926C91:				; CODE XREF: EtwpInitLoggerContext+52j
		xor	eax, eax
		jmp	loc_844E52
; 

loc_926C98:				; CODE XREF: EtwpInitLoggerContext+71j
		mov	[esi+2D0h], edi
		add	edi, eax
		jmp	loc_844C9B
; 

loc_926CA5:				; CODE XREF: EtwpInitLoggerContext+269j
		and	eax, 7FFFFFFFh
		mov	[esi+0Ch], eax
		jmp	loc_844D00
; 

loc_926CB2:				; CODE XREF: EtwpInitLoggerContext+FCj
		lea	eax, [esi+0C4h]
		mov	[esi+0C0h], eax
		jmp	loc_844D2E
; 

loc_926CC3:				; CODE XREF: EtwpInitLoggerContext+104j
		mov	dword ptr [esi+0C0h], offset _EtwpGlobalSequence
		jmp	loc_844D2E
; 

loc_926CD2:				; CODE XREF: EtwpInitLoggerContext+13Fj
		mov	dword ptr [esi+4], 2000h
		jmp	loc_844D7C
; 

loc_926CDE:				; CODE XREF: EtwpInitLoggerContext+16Dj
		mov	ecx, esi
		call	_EtwpInitializeCompression@4 ; EtwpInitializeCompression(x)
		test	eax, eax
		js	short loc_926C89
		add	dword ptr [esi+98h], 4
		mov	eax, [esi+98h]
		jmp	loc_844D97
; END OF FUNCTION CHUNK	FOR EtwpInitLoggerContext
; 
; START	OF FUNCTION CHUNK FOR CmRegisterMachineHiveLoadedNotification

loc_926CFB:				; CODE XREF: CmRegisterMachineHiveLoadedNotification+12j
		mov	eax, 0C00000EFh
		jmp	loc_884DF2
; 

loc_926D05:				; CODE XREF: CmRegisterMachineHiveLoadedNotification+1Dj
		mov	eax, 0C00000F1h
		jmp	loc_884DF2
; 

loc_926D0F:				; CODE XREF: CmRegisterMachineHiveLoadedNotification+28j
		mov	eax, 0C00000F2h
		jmp	loc_884DF2
; 

loc_926D19:				; CODE XREF: CmRegisterMachineHiveLoadedNotification+50j
		mov	eax, 0C000009Ah
		jmp	loc_884DF2
; 

loc_926D23:				; CODE XREF: CmRegisterMachineHiveLoadedNotification+BDj
		mov	eax, ecx
		lock xadd dword_6B1694[edi], eax
		inc	eax
		cmp	eax, ecx
		jnz	loc_884DE1
		push	ecx
		push	dword_6B1690[edi]
		call	ExQueueWorkItem
		jmp	loc_884DE1
; END OF FUNCTION CHUNK	FOR CmRegisterMachineHiveLoadedNotification
; 
; START	OF FUNCTION CHUNK FOR CmpInitializeSystemHivesLoad

loc_926D47:				; CODE XREF: CmpInitializeSystemHivesLoad+C8j
		push	2
		pop	edx
		cmp	[edi], dx
		jnz	loc_884F81
		jmp	loc_884F54
; 

loc_926D58:				; CODE XREF: CmpInitializeSystemHivesLoad+121j
		mov	eax, ecx

loc_926D5A:				; CODE XREF: CmpInitializeSystemHivesLoad+A1EEEj
		cmp	_CmpMachineHiveList[eax], ecx
		jz	short loc_926D6C
		or	dword_6B1638[eax], 8000h

loc_926D6C:				; CODE XREF: CmpInitializeSystemHivesLoad+A1EDAj
		add	eax, 78h
		cmp	eax, 348h
		jb	short loc_926D5A
		jmp	loc_884FAD
; 

loc_926D7B:				; CODE XREF: CmpInitializeSystemHivesLoad+A0j
		push	edi
		push	ebx
		push	5

loc_926D7F:				; CODE XREF: CmpInitializeSystemHivesLoad+1E9j
		push	2
		push	74h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_926D89:				; CODE XREF: PnpBootPhaseComplete+21j
		push	ebx
		push	offset _PipUpdateSetupOobeCompleteWnfCallback@24 ; PipUpdateSetupOobeCompleteWnfCallback(x,x,x,x,x,x)
		push	ebx
		push	1
		push	offset _WNF_DEP_OOBE_COMPLETE
		push	offset _PnpSetupWnfSubscription
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_885121
		mov	_PnpSetupOOBEInProgress, bl
		jmp	loc_885121
; END OF FUNCTION CHUNK	FOR CmpInitializeSystemHivesLoad
; 
; START	OF FUNCTION CHUNK FOR PpDevCfgProcessDevices

loc_926DB4:				; CODE XREF: PpDevCfgProcessDevices+51j
		lea	ecx, [ebp+var_8]
		call	PiPnpRtlBeginOperation
		mov	edi, eax
		test	edi, edi
		js	loc_926EB8
		mov	esi, [ebp+var_18]
		jmp	loc_926E6A
; 

loc_926DCE:				; CODE XREF: PpDevCfgProcessDevices+A1CE7j
		mov	edx, [esi+0Ch]
		lea	eax, [ebp+var_C]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		call	__CmGetDeviceStatus@28 ; _CmGetDeviceStatus(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_926DF5
		test	byte ptr [ebp+var_4], 2
		jnz	short loc_926E68

loc_926DF5:				; CODE XREF: PpDevCfgProcessDevices+A1C65j
		push	3
		pop	ecx
		call	PpDevNodeLockTree
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		push	0
		lea	ecx, [esi+8]
		xor	dl, dl
		call	PiDeviceRegistration
		mov	edx, [esi+0Ch]
		mov	ecx, _PiPnpRtlCtx
		push	0
		call	__CmDeleteDevice@12 ; _CmDeleteDevice(x,x,x)
		test	eax, eax
		js	short loc_926E39
		mov	bl, 1

loc_926E39:				; CODE XREF: PpDevCfgProcessDevices+A1CADj
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, offset _IopDeviceTreeLock
		call	ExReleaseResourceLite
		mov	ecx, offset _PiEngineLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_926E68:				; CODE XREF: PpDevCfgProcessDevices+A1C6Bj
		mov	esi, [esi]

loc_926E6A:				; CODE XREF: PpDevCfgProcessDevices+A1C41j
		lea	eax, [ebp+var_18]
		cmp	esi, eax
		jnz	loc_926DCE
		mov	ecx, [ebp+var_8]
		call	PiPnpRtlEndOperation
		test	bl, bl
		jz	short loc_926EB8
		mov	ecx, _IopRootDeviceNode
		push	0
		push	0
		push	0
		mov	ecx, [ecx+10h]
		push	0
		push	0
		push	8
		pop	edx
		call	PnpRequestDeviceAction
		jmp	short loc_926EB8
; 

loc_926E9E:				; CODE XREF: PpDevCfgProcessDevices+A1D45j
		mov	[ebp+var_18], eax
		lea	ecx, [ebp+var_18]
		mov	[eax+4], ecx
		lea	eax, [esi+8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_926EB8:				; CODE XREF: PpDevCfgProcessDevices+44j
					; PpDevCfgProcessDevices+A1C38j ...
		mov	esi, [ebp+var_18]
		jmp	loc_8851DF
; 

loc_926EC0:				; CODE XREF: PpDevCfgProcessDevices+5Cj
		lea	eax, [ebp+var_18]
		cmp	[esi+4], eax
		jnz	short loc_926ECF
		mov	eax, [esi]
		cmp	[eax+4], esi
		jz	short loc_926E9E

loc_926ECF:				; CODE XREF: PpDevCfgProcessDevices+A1D3Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_926ED4:				; CODE XREF: CmCompleteRegistryInitialization+2Cj
		mov	ebx, 0C0000022h
		jmp	loc_885346
; END OF FUNCTION CHUNK	FOR PpDevCfgProcessDevices
; 
; START	OF FUNCTION CHUNK FOR CmCompleteRegistryInitialization

loc_926EDE:				; CODE XREF: CmCompleteRegistryInitialization+79j
					; CmCompleteRegistryInitialization+89j
		mov	[esp+44h+var_31], al
		jmp	loc_885285
; 

loc_926EE7:				; CODE XREF: CmCompleteRegistryInitialization+F0j
		push	eax
		push	3
		push	3
		push	2
		push	74h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_926EF5:				; CODE XREF: CmCompleteRegistryInitialization+FAj
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+68h+var_40]
		push	eax
		call	KeWaitForSingleObject
		jmp	loc_8852F6
; 

loc_926F08:				; CODE XREF: CmCompleteRegistryInitialization+113j
		call	_ExpRefreshSystemTime@0	; ExpRefreshSystemTime()
		call	PsBootPhaseComplete
		jmp	loc_88530F
; END OF FUNCTION CHUNK	FOR CmCompleteRegistryInitialization
; 
; START	OF FUNCTION CHUNK FOR IopCopyBootLogRegistryToFile

loc_926F17:				; CODE XREF: IopCopyBootLogRegistryToFile+74j
		mov	ebx, large fs:124h
		dec	word ptr [ebx+13Ch]
		nop
		mov	eax, ds:dword_A933A4
		push	1
		add	eax, 20h
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	ecx, ds:dword_A933A4
		lea	ecx, [ecx+18h]
		call	_IopBootLogToFile@4 ; IopBootLogToFile(x)
		lea	eax, [ebp+var_338]
		push	eax
		push	offset _KeBootTime
		call	_ExSystemTimeToLocalTime@8 ; ExSystemTimeToLocalTime(x,x)
		lea	eax, [ebp+var_32C]
		push	eax
		lea	eax, [ebp+var_338]
		push	eax
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		movsx	eax, [ebp+var_320]
		mov	edi, 100h
		push	eax
		movsx	eax, [ebp+var_322]
		push	eax
		movsx	eax, [ebp+var_324]
		push	eax
		movsx	eax, [ebp+var_326]
		push	eax
		movsx	eax, word ptr [ebp+var_32C]
		push	eax
		movsx	eax, [ebp+var_328]
		push	eax
		movsx	eax, word ptr [ebp+var_32C+2]
		push	eax		; char
		push	(offset	loc_8B87AB+1) ;	char *
		lea	eax, [ebp+var_108]
		push	edi		; int
		push	eax		; char *
		call	RtlStringCchPrintfA
		add	esp, 28h
		lea	eax, [ebp+var_108]
		push	eax
		lea	eax, [ebp+var_340]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_340]
		push	eax
		lea	eax, [ebp+var_31C]
		push	eax
		call	RtlAnsiStringToUnicodeString
		lea	ecx, [ebp+var_31C]
		call	_IopBootLogToFile@4 ; IopBootLogToFile(x)
		lea	eax, [ebp+var_31C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	esi
		push	0F003Fh
		push	offset _CmRegistryMachineSystemCurrentControlSetControlBootLog
		xor	edx, edx
		lea	ecx, [ebp+var_310]
		call	IopOpenRegistryKey
		test	eax, eax
		js	loc_92710D
		mov	eax, ds:dword_A933A4
		cmp	[eax+58h], esi
		jbe	loc_9270EB

loc_927027:				; CODE XREF: IopCopyBootLogRegistryToFile+A1D95j
		push	esi		; char
		push	offset ??_C@_15KNBIKKIN@?$AA?$CF?$AAd@NNGAKEGL@	; wchar_t *
		lea	eax, [ebp+var_308]
		push	edi		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		lea	eax, [ebp+var_308]
		push	eax		; void *
		lea	eax, [ebp+var_348]
		push	eax		; int
		call	RtlCreateUnicodeString
		mov	edx, [ebp+var_310]
		lea	eax, [ebp+var_348]
		push	0
		push	0F003Fh
		push	eax
		lea	ecx, [ebp+var_30C]
		call	IopOpenRegistryKey
		test	eax, eax
		js	short loc_9270DC
		mov	ecx, [ebp+var_30C]
		lea	eax, [ebp+var_314]
		and	[ebp+var_314], 0
		mov	edx, offset ??_C@_11LOCGONAA@@NNGAKEGL@
		push	eax
		push	edi
		call	IopGetRegistryValue
		mov	edi, [ebp+var_314]
		test	eax, eax
		js	short loc_9270B9
		mov	eax, [edi+8]
		add	eax, edi
		push	eax
		lea	eax, [ebp+var_350]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	ecx, [ebp+var_350]
		call	_IopBootLogToFile@4 ; IopBootLogToFile(x)

loc_9270B9:				; CODE XREF: IopCopyBootLogRegistryToFile+A1D4Aj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	[ebp+var_30C]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)
		push	[ebp+var_30C]
		call	_ZwClose@4	; ZwClose(x)
		mov	edi, 100h

loc_9270DC:				; CODE XREF: IopCopyBootLogRegistryToFile+A1D21j
		mov	eax, ds:dword_A933A4
		inc	esi
		cmp	esi, [eax+58h]
		jb	loc_927027

loc_9270EB:				; CODE XREF: IopCopyBootLogRegistryToFile+A1CD1j
		push	[ebp+var_310]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)
		push	[ebp+var_310]
		call	_ZwClose@4	; ZwClose(x)
		mov	ecx, ds:dword_A933A4
		mov	byte ptr [ecx+5Ch], 1
		jmp	short loc_927113
; 

loc_92710D:				; CODE XREF: IopCopyBootLogRegistryToFile+A1CC3j
		mov	ecx, ds:dword_A933A4

loc_927113:				; CODE XREF: IopCopyBootLogRegistryToFile+A1DBBj
		add	ecx, 20h
		call	ExReleaseResourceLite
		mov	ecx, ebx
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_8853CA
; END OF FUNCTION CHUNK	FOR IopCopyBootLogRegistryToFile
; 
; START	OF FUNCTION CHUNK FOR ExNotifyPlatformBinaryExecuted

loc_927127:				; CODE XREF: ExNotifyPlatformBinaryExecuted+36j
		test	al, 4
		jnz	loc_885416
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_885416
; 

loc_92713B:				; CODE XREF: ExNotifyPlatformBinaryExecuted+4Cj
		push	54425057h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88542C
; END OF FUNCTION CHUNK	FOR ExNotifyPlatformBinaryExecuted
; 
; START	OF FUNCTION CHUNK FOR PoEnableCriticalShutdown

loc_92714B:				; CODE XREF: PoEnableCriticalShutdown+1Dj
		xor	eax, eax
		mov	[ebp+var_1C], ecx
		push	ecx
		mov	[ebp+var_4], eax
		xor	edx, edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], 6
		mov	[ebp+var_8], 0C0000004h
		mov	[ebp+var_18], 80h
		push	5
		mov	ds:_PopCriticalShutdownInProgress, cl
		lea	ecx, [ebp+var_1C]
		push	eax
		call	PopExecutePowerAction
		jmp	loc_885453
; END OF FUNCTION CHUNK	FOR PoEnableCriticalShutdown
; 
; START	OF FUNCTION CHUNK FOR RtlpSystemBootStatusRequest

loc_92718A:				; CODE XREF: RtlpSystemBootStatusRequest+1Aj
		push	4
		pop	ecx
		mov	eax, esi
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_88571E
		mov	eax, [ebp+var_4]
		jmp	loc_885700
; END OF FUNCTION CHUNK	FOR RtlpSystemBootStatusRequest
; 
; START	OF FUNCTION CHUNK FOR PopNotifyPolicyDevice

loc_9271AB:				; CODE XREF: PopNotifyPolicyDevice+2Bj
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		test	bl, bl
		jz	short loc_9271C6
		cmp	byte_6C2E33, 0
		jz	short loc_9271DB
		mov	byte_6C2E33, 0
		jmp	short loc_9271D6
; 

loc_9271C6:				; CODE XREF: PopNotifyPolicyDevice+A19DAj
		cmp	byte_6C2E33, 1
		jz	short loc_9271DB
		mov	byte_6C2E33, 1

loc_9271D6:				; CODE XREF: PopNotifyPolicyDevice+A19ECj
		call	PopResetCurrentPolicies

loc_9271DB:				; CODE XREF: PopNotifyPolicyDevice+A19E3j
					; PopNotifyPolicyDevice+A19F5j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		jmp	loc_885835
; 

loc_9271E5:				; CODE XREF: PopNotifyPolicyDevice+35j
		push	4
		pop	ecx
		call	_PopAcquireTransitionLock@4 ; PopAcquireTransitionLock(x)
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	bl, ds:_PopHiberEnabled
		xor	dl, dl
		xor	cl, cl
		call	_PopEnableHiberFile@8 ;	PopEnableHiberFile(x,x)
		test	bl, bl
		jz	short loc_92720E
		xor	dl, dl
		mov	cl, 1
		call	_PopEnableHiberFile@8 ;	PopEnableHiberFile(x,x)

loc_92720E:				; CODE XREF: PopNotifyPolicyDevice+A1A2Bj
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		push	4
		pop	ecx
		call	_PopReleaseTransitionLock@4 ; PopReleaseTransitionLock(x)
		jmp	loc_885835
; END OF FUNCTION CHUNK	FOR PopNotifyPolicyDevice
; 
; START	OF FUNCTION CHUNK FOR PnpSetCustomTargetEvent

loc_927220:				; CODE XREF: PnpSetCustomTargetEvent+14j
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 103h
		jmp	loc_845020
; 

loc_92722E:				; CODE XREF: PnpSetCustomTargetEvent+21j
		mov	eax, 0C0000189h
		jmp	loc_8450F5
; 

loc_927238:				; CODE XREF: PnpSetCustomTargetEvent+29j
		xor	eax, eax
		jmp	loc_84503E
; 

loc_92723F:				; CODE XREF: PnpSetCustomTargetEvent+62j
		mov	eax, 0C000009Ah
		jmp	loc_8450F5
; END OF FUNCTION CHUNK	FOR PnpSetCustomTargetEvent
; 
; START	OF FUNCTION CHUNK FOR PiUEventDereferenceEventEntry

loc_927249:				; CODE XREF: PiUEventDereferenceEventEntry+19j
		cmp	edi, 1
		jnz	loc_8451E3
		push	0
		push	0
		push	dword ptr [esi+0Ch]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_8451E3
; END OF FUNCTION CHUNK	FOR PiUEventDereferenceEventEntry
; 
; START	OF FUNCTION CHUNK FOR PiUEventProcessBroadcastNotifications

loc_927263:				; CODE XREF: PiUEventProcessBroadcastNotifications+FBj
					; PiUEventProcessBroadcastNotifications+1F6j ...
		mov	ebx, 0C000009Ah
		jmp	loc_84536B
; 

loc_92726D:				; CODE XREF: PiUEventProcessBroadcastNotifications+D3j
		mov	esi, 1B4h
		mov	ecx, esi
		call	_PiUEventAllocMem@4 ; PiUEventAllocMem(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_927263
		push	esi		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	edx, [esp+34h+var_C]
		lea	eax, [esp+34h+var_18]
		add	esp, 0Ch
		lea	esi, [edi+10h]
		xor	ecx, ecx
		inc	ecx
		mov	[edi+0Ch], ecx
		push	ebx
		push	eax
		push	4
		push	esi
		lea	eax, [esp+38h+var_1C]
		push	eax
		push	offset _DEVPKEY_Device_SessionId
		push	ebx
		push	ebx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9272C7
		cmp	[esp+28h+var_18], 4
		jz	short loc_9272CC

loc_9272C7:				; CODE XREF: PiUEventProcessBroadcastNotifications+E202Cj
		xor	ebx, ebx
		or	dword ptr [esi], 0FFFFFFFFh

loc_9272CC:				; CODE XREF: PiUEventProcessBroadcastNotifications+E2033j
		mov	ecx, edi
		jmp	loc_8453DC
; 

loc_9272D3:				; CODE XREF: PiUEventProcessBroadcastNotifications+186j
		mov	esi, 1B4h
		mov	ecx, esi
		call	_PiUEventAllocMem@4 ; PiUEventAllocMem(x)
		mov	[esp+28h+var_C], eax
		test	eax, eax
		jz	loc_927263
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [edi+60h]
		push	eax
		lea	eax, [esp+2Ch+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, [esp+28h+var_C]
		lea	ecx, [esp+28h+var_8]
		mov	dword ptr [esi+0Ch], 1
		call	_IopGetSessionIdFromSymbolicName@4 ; IopGetSessionIdFromSymbolicName(x)
		mov	[esi+10h], eax
		jmp	short loc_927323
; 

loc_92731E:				; CODE XREF: PiUEventProcessBroadcastNotifications+E2158j
					; PiUEventProcessBroadcastNotifications+E2169j
		xor	ebx, ebx
		or	dword ptr [edi], 0FFFFFFFFh

loc_927323:				; CODE XREF: PiUEventProcessBroadcastNotifications+E208Aj
					; PiUEventProcessBroadcastNotifications+E2163j
		mov	ecx, esi
		jmp	loc_8453DC
; 

loc_92732A:				; CODE XREF: PiUEventProcessBroadcastNotifications+1A0j
					; PiUEventProcessBroadcastNotifications+1C0j
		mov	esi, 1B4h
		mov	ecx, esi
		call	_PiUEventAllocMem@4 ; PiUEventAllocMem(x)
		mov	[esp+28h+var_10], eax
		test	eax, eax
		jz	loc_927263
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	ebx, [edi+60h]
		lea	eax, [esp+28h+var_8]
		push	ebx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edi, [esp+28h+var_10]
		lea	ecx, [esp+28h+var_14]
		mov	esi, [esp+28h+var_C]
		mov	edx, 190h
		mov	dword ptr [edi+0Ch], 3
		add	edi, 14h
		movsd
		movsd
		movsd
		movsd
		mov	esi, [esp+28h+var_10]
		xor	edi, edi
		push	edi
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	edx
		lea	eax, [esi+24h]
		mov	[esp+34h+var_14], edx
		push	eax
		lea	eax, [esp+38h+var_1C]
		mov	edx, ebx
		push	eax
		push	offset _DEVPKEY_Device_InstanceId
		push	edi
		push	edi
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_927400
		cmp	[esp+28h+var_1C], 12h
		jnz	short loc_927400
		xor	ecx, ecx
		mov	[esp+28h+var_14], 4
		push	ecx
		lea	eax, [esp+2Ch+var_14]
		push	eax
		push	4
		lea	edi, [esi+10h]
		push	edi
		lea	eax, [esp+38h+var_1C]
		push	eax
		push	offset _DEVPKEY_Device_SessionId
		push	ecx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	edx, [esi+24h]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_92731E
		cmp	[esp+28h+var_1C], 7
		jz	loc_927323
		jmp	loc_92731E
; 

loc_927400:				; CODE XREF: PiUEventProcessBroadcastNotifications+E2119j
					; PiUEventProcessBroadcastNotifications+E2120j
		push	59706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_84536B
; 

loc_927410:				; CODE XREF: PiUEventProcessBroadcastNotifications+1DCj
		push	esi		; size_t
		lea	eax, [edi+2Ch]
		push	offset _GUID_DEVICE_REMOVE_PENDING ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_845474
		push	esi		; size_t
		lea	eax, [edi+2Ch]
		push	offset _GUID_TARGET_DEVICE_REMOVE_COMPLETE ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_84536B
		jmp	loc_845474
; 

loc_927449:				; CODE XREF: PiUEventProcessBroadcastNotifications+3Dj
		mov	esi, 1B4h
		mov	ecx, esi
		call	_PiUEventAllocMem@4 ; PiUEventAllocMem(x)
		mov	[esp+28h+var_C], eax
		test	eax, eax
		jz	loc_927263
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esp+34h+var_C]
		lea	esi, [edi+2Ch]
		add	esp, 0Ch
		mov	ecx, eax
		or	dword ptr [eax+10h], 0FFFFFFFFh
		lea	edi, [eax+14h]
		mov	dword ptr [eax+0Ch], 2
		movsd
		movsd
		movsd
		movsd
		jmp	loc_8453DC
; END OF FUNCTION CHUNK	FOR PiUEventProcessBroadcastNotifications
; 
; START	OF FUNCTION CHUNK FOR PiUEventNotifyTargetDeviceChange

loc_92748D:				; CODE XREF: PiUEventNotifyTargetDeviceChange+91j
		push	50h
		jmp	loc_8455B7
; 

loc_927494:				; CODE XREF: PiUEventNotifyTargetDeviceChange+B0j
		push	59706E50h
		push	1000h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9274B5
		mov	eax, 0C000009Ah
		jmp	loc_845662
; 

loc_9274B5:				; CODE XREF: PiUEventNotifyTargetDeviceChange+E1F99j
		push	1000h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		xor	ebx, ebx
		add	esp, 0Ch
		inc	ebx
		jmp	loc_8455C6
; 

loc_9274CD:				; CODE XREF: PiUEventNotifyTargetDeviceChange+127j
		cmp	ebx, 400h
		jnb	short loc_9274E4
		mov	eax, [ebp+var_C]
		mov	eax, [eax+1Ch]
		mov	[esi+ebx*4], eax
		inc	ebx
		jmp	loc_84563D
; 

loc_9274E4:				; CODE XREF: PiUEventNotifyTargetDeviceChange+E1FC3j
		mov	[ebp+var_2], 1
		jmp	loc_84563D
; 

loc_9274ED:				; CODE XREF: PiUEventNotifyTargetDeviceChange+137j
		cmp	ebx, 1
		jbe	loc_84564D
		cmp	[ebp+var_2], 0
		jz	short loc_92751B
		push	0FFCh		; size_t
		xor	ebx, ebx
		lea	eax, [esi+4]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		or	dword ptr [esi], 0FFFFFFFFh
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	4
		jmp	short loc_92752B
; 

loc_92751B:				; CODE XREF: PiUEventNotifyTargetDeviceChange+E1FEAj
		lea	eax, [ebx-1]
		mov	[esi], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	1000h

loc_92752B:				; CODE XREF: PiUEventNotifyTargetDeviceChange+E2009j
		push	esi
		push	offset _WNF_PNPB_AWAITING_RESPONSE
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		jmp	loc_84564D
; 

loc_92753B:				; CODE XREF: PiUEventNotifyTargetDeviceChange+149j
		push	59706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_84565F
; END OF FUNCTION CHUNK	FOR PiUEventNotifyTargetDeviceChange
; 
; START	OF FUNCTION CHUNK FOR PiUEventNotifyClient

loc_92754B:				; CODE XREF: PiUEventNotifyClient+31j
		mov	esi, [edi+40h]
		lea	eax, [ebp+var_10]
		push	eax
		call	KeQuerySystemTime
		mov	ecx, [ebp+var_10]
		sub	ecx, [esi+8]
		mov	eax, [ebp+var_C]
		sbb	eax, [esi+0Ch]
		push	0
		push	2710h
		push	eax
		push	ecx
		call	__alldiv
		push	0
		push	dword ptr [edi+48h]
		push	edx
		push	eax
		call	__allmul
		test	edx, edx
		jl	loc_8456A3
		jg	short loc_927592
		cmp	eax, 927C0h
		jbe	loc_8456A3

loc_927592:				; CODE XREF: PiUEventNotifyClient+E1F19j
		inc	dword ptr [edi+50h]

loc_927595:				; CODE XREF: PiUEventNotifyClient+20j
		mov	[ebp+var_1], 1
		jmp	loc_8456A3
; 

loc_92759E:				; CODE XREF: PiUEventNotifyClient+7Aj
		mov	edx, [edi+40h]
		mov	ecx, edi
		push	0
		call	_PiUEventDequeuePendingEventWorker@12 ;	PiUEventDequeuePendingEventWorker(x,x,x)
		inc	dword ptr [edi+50h]
		mov	edx, esi
		mov	ecx, edi
		call	_PiUEventQueuePendingEvent@8 ; PiUEventQueuePendingEvent(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_8456EC
		mov	ecx, [edi+8]
		inc	dword ptr [edi+50h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_845704
; END OF FUNCTION CHUNK	FOR PiUEventNotifyClient
; 
; START	OF FUNCTION CHUNK FOR PiUEventApplyAdditionalFilters

loc_9275D0:				; CODE XREF: PiUEventApplyAdditionalFilters+4Cj
		cmp	eax, 0C0000034h
		jnz	loc_927663
		mov	edx, [edi+18h]
		mov	bl, 1
		test	edx, edx
		jz	short loc_927621
		mov	eax, 20000h
		mov	byte ptr [ebp+var_15], 0
		mov	[ebp+var_10], eax
		xor	ecx, ecx
		mov	[ebp+var_C], eax
		inc	ecx
		lea	eax, [ebp+var_15]
		mov	[ebp+var_15+1],	20001h
		push	eax
		push	esi
		lea	eax, [ebp+var_15+1]
		mov	[ebp+var_8], 0F0001h
		push	eax
		call	PiAuVerifyAccessToObject
		test	eax, eax
		js	short loc_927621
		mov	bl, byte ptr [ebp+var_15]
		test	bl, bl
		jz	loc_8457F9

loc_927621:				; CODE XREF: PiUEventApplyAdditionalFilters+E1E3Ej
					; PiUEventApplyAdditionalFilters+E1E70j
		cmp	dword ptr [edi+20h], 0FFFFFFFFh
		jz	loc_8457F9
		and	[ebp+var_1C], 0
		mov	eax, [esi]
		mov	byte ptr [ebp+var_15], 0
		test	eax, eax
		jnz	short loc_92763F
		mov	eax, [ebp+var_20]
		mov	eax, [eax+28h]

loc_92763F:				; CODE XREF: PiUEventApplyAdditionalFilters+E1E93j
		lea	ecx, [ebp+var_15]
		push	ecx
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		call	_SeQuerySessionIdTokenEx@12 ; SeQuerySessionIdTokenEx(x,x,x)
		cmp	byte ptr [ebp+var_15], 0
		jnz	loc_8457F9
		mov	eax, [ebp+var_1C]
		cmp	eax, [edi+20h]
		jz	loc_8457F9

loc_927663:				; CODE XREF: PiUEventApplyAdditionalFilters+E1E31j
		xor	bl, bl
		jmp	loc_8457F9
; END OF FUNCTION CHUNK	FOR PiUEventApplyAdditionalFilters
; 
; START	OF FUNCTION CHUNK FOR PnpInsertEventInQueue

loc_92766A:				; CODE XREF: PnpInsertEventInQueue+2Bj
		mov	esi, eax
		lea	edi, [ebp+var_34]
		movsd
		movsd
		movsd
		movsd
		jmp	loc_845870
; END OF FUNCTION CHUNK	FOR PnpInsertEventInQueue

;  S U B	R O U T	I N E 


sub_927678	proc near		; DATA XREF: .text:006A71ACo
		xor	eax, eax
		inc	eax
		retn
sub_927678	endp


;  S U B	R O U T	I N E 


sub_92767C	proc near		; DATA XREF: .text:006A71B0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-24h]
		jmp	loc_845870
sub_92767C	endp

; 
; START	OF FUNCTION CHUNK FOR PnpInsertEventInQueue

loc_92768E:				; CODE XREF: PnpInsertEventInQueue+55j
		lea	edi, [esi+48h]
		push	10h		; size_t
		push	offset _GUID_DEVICE_QUERY_AND_REMOVE ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9276BD
		push	10h		; size_t
		push	offset _GUID_DEVICE_EJECT ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_84588D

loc_9276BD:				; CODE XREF: PnpInsertEventInQueue+E1E71j
		mov	eax, [esi+68h]
		test	eax, eax
		jz	short loc_9276CF
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_9276D1
; 

loc_9276CF:				; CODE XREF: PnpInsertEventInQueue+E1E90j
		xor	eax, eax

loc_9276D1:				; CODE XREF: PnpInsertEventInQueue+E1E9Bj
		push	dword ptr [eax+18h]
		push	ecx
		mov	edx, offset _KMPnPEvt_DeviceRemoval_Queue
		call	_McTemplateK0z_EtwWriteTransfer@16 ; McTemplateK0z_EtwWriteTransfer(x,x,x,x)
		jmp	loc_84588D
; 

loc_9276E4:				; CODE XREF: PnpInsertEventInQueue+93j
		mov	[ebp+var_20], 0C000009Ah
		jmp	loc_8458DC
; END OF FUNCTION CHUNK	FOR PnpInsertEventInQueue
; 
; START	OF FUNCTION CHUNK FOR RtlHashUnicodeString

loc_9276F0:				; CODE XREF: RtlHashUnicodeString+8Ej
		movzx	esi, cx
		mov	ecx, esi
		shr	ecx, 8
		movzx	edx, word ptr [edx+ecx*2]
		mov	ecx, esi
		shr	ecx, 4
		and	esi, 0Fh
		and	ecx, 0Fh
		add	edx, ecx
		mov	ecx, [ebp+arg_4]
		movzx	ecx, word ptr [ecx+edx*2]
		mov	edx, [ebp+arg_4]
		add	ecx, esi
		mov	cx, [edx+ecx*2]
		add	cx, word ptr [ebp+arg_0]
		jmp	loc_8459F7
; 

loc_927722:				; CODE XREF: RtlHashUnicodeString+31j
		mov	eax, 0C000000Dh
		jmp	loc_845A10
; 

loc_92772C:				; CODE XREF: RtlHashUnicodeString+10j
					; RtlHashUnicodeString+1Bj
		mov	eax, 0C000000Dh
		jmp	loc_845A12
; END OF FUNCTION CHUNK	FOR RtlHashUnicodeString
; 
; START	OF FUNCTION CHUNK FOR IoRegisterPlugPlayNotification

loc_927736:				; CODE XREF: IoRegisterPlugPlayNotification+196j
		sub	eax, 1
		jz	short loc_927745
		mov	esi, 0C00000EFh
		jmp	loc_87173F
; 

loc_927745:				; CODE XREF: IoRegisterPlugPlayNotification+B6327j
		mov	edx, [ebp+arg_10]
		mov	ecx, ebx
		push	esi
		push	[ebp+arg_14]
		call	_PiRegisterKernelSoftRestartNotification@16 ; PiRegisterKernelSoftRestartNotification(x,x,x,x)
		mov	esi, eax
		jmp	loc_871587
; 

loc_92775A:				; CODE XREF: IoRegisterPlugPlayNotification+1C9j
		mov	ecx, [esp+58h+var_48]
		mov	ecx, [ecx+10h]
		call	ObfDereferenceObject
		jmp	loc_87173A
; 

loc_92776B:				; CODE XREF: IoRegisterPlugPlayNotification+1E9j
		push	43706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esp+58h+var_48]
		mov	ecx, [ecx+10h]
		jmp	short loc_92778D
; 

loc_92777F:				; CODE XREF: IoRegisterPlugPlayNotification+20Bj
		push	43706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebx+10h]

loc_92778D:				; CODE XREF: IoRegisterPlugPlayNotification+B636Bj
		call	ObfDereferenceObject
		jmp	loc_871587
; 

loc_927797:				; CODE XREF: IoRegisterPlugPlayNotification+B1j
		push	44706E50h
		push	ebx
		jmp	short loc_9277B3
; 

loc_92779F:				; CODE XREF: IoRegisterPlugPlayNotification+2B3j
		cmp	[ebx+0Ch], eax
		jnz	loc_871696
		jmp	loc_871686
; 

loc_9277AD:				; CODE XREF: IoRegisterPlugPlayNotification+2F4j
		push	39706E50h
		push	edi

loc_9277B3:				; CODE XREF: IoRegisterPlugPlayNotification+B638Bj
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_871587
; END OF FUNCTION CHUNK	FOR IoRegisterPlugPlayNotification
; 
; START	OF FUNCTION CHUNK FOR PnpInitializeNotifyEntry

loc_9277BD:				; CODE XREF: PnpInitializeNotifyEntry+A8j
		mov	esi, 0C000009Ah
		jmp	loc_8718BE
; END OF FUNCTION CHUNK	FOR PnpInitializeNotifyEntry
; 
; START	OF FUNCTION CHUNK FOR IopProcessSetInterfaceState

loc_9277C7:				; CODE XREF: IopProcessSetInterfaceState+F9j
		mov	esi, 0C000009Ah
		jmp	loc_859C30
; 

loc_9277D1:				; CODE XREF: IopProcessSetInterfaceState+174j
		mov	al, [esp+78h+var_6B]
		test	al, al
		jnz	short loc_9277E0
		xor	ecx, ecx
		jmp	loc_859A87
; 

loc_9277E0:				; CODE XREF: IopProcessSetInterfaceState+12Cj
					; IopProcessSetInterfaceState+13Fj ...
		mov	esi, 0C0000010h
		jmp	loc_859C30
; 

loc_9277EA:				; CODE XREF: IopProcessSetInterfaceState+1DFj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_859AE5
; 

loc_9277F7:				; CODE XREF: IopProcessSetInterfaceState+1FBj
		mov	esi, 0C000009Ah
		jmp	loc_859B24
; 

loc_927801:				; CODE XREF: IopProcessSetInterfaceState+269j
		mov	[esp+78h+var_6A], 1
		jmp	loc_859D09
; 

loc_92780B:				; CODE XREF: IopProcessSetInterfaceState+82j
					; IopProcessSetInterfaceState+8Bj ...
		mov	esi, 0C000000Dh
		jmp	loc_859BF2
; END OF FUNCTION CHUNK	FOR IopProcessSetInterfaceState
; 
; START	OF FUNCTION CHUNK FOR IopBuildGlobalSymbolicLinkString

loc_927815:				; CODE XREF: IopBuildGlobalSymbolicLinkString+49j
					; IopBuildGlobalSymbolicLinkString+CDB22j
		mov	esi, 0C000009Ah
		jmp	loc_859DCE
; 

loc_92781F:				; CODE XREF: IopBuildGlobalSymbolicLinkString+65j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_4]
		push	20207050h
		lea	eax, [esi+esi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_927815
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	edi
		call	__CmGetDeviceInterfaceSymbolicLinkName@20 ; _CmGetDeviceInterfaceSymbolicLinkName(x,x,x,x,x)
		mov	esi, eax
		jmp	loc_859D87
; 

loc_927855:				; CODE XREF: IopBuildGlobalSymbolicLinkString+6Dj
		cmp	esi, 0C0000033h
		jnz	loc_859DCE
		add	esi, 0FFFFFFDAh
		jmp	loc_859DCE
; END OF FUNCTION CHUNK	FOR IopBuildGlobalSymbolicLinkString
; 
; START	OF FUNCTION CHUNK FOR IopAllocateUnicodeString

loc_927869:				; CODE XREF: IopAllocateUnicodeString+37j
		xor	eax, eax
		mov	esi, 0C000009Ah
		mov	[edi], ax
		jmp	loc_859E39
; END OF FUNCTION CHUNK	FOR IopAllocateUnicodeString
; 
; START	OF FUNCTION CHUNK FOR _PnpObjectRaisePropertyChangeEvent

loc_927878:				; CODE XREF: _PnpObjectRaisePropertyChangeEvent+51j
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	__PnpInterfaceClassRaisePropertyChangeEventWorker@24 ; _PnpInterfaceClassRaisePropertyChangeEventWorker(x,x,x,x,x,x)
		jmp	loc_859F52
; 

loc_92788C:				; CODE XREF: _PnpObjectRaisePropertyChangeEvent+32j
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	__PnpInstallerClassRaisePropertyChangeEventWorker@24 ; _PnpInstallerClassRaisePropertyChangeEventWorker(x,x,x,x,x,x)
		jmp	loc_859F52
; END OF FUNCTION CHUNK	FOR _PnpObjectRaisePropertyChangeEvent
; 
; START	OF FUNCTION CHUNK FOR PiPnpRtlObjectEventWorker

loc_9278A0:				; CODE XREF: PiPnpRtlObjectEventWorker+215j
		test	edi, edi
		jz	loc_85A298
		test	eax, eax
		jz	loc_85A298
		push	eax		; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_85A23D
		mov	ebx, [ebp+var_25+1]
		mov	ecx, [ebp+arg_8]
		jmp	loc_85A298
; 

loc_9278CC:				; CODE XREF: PiPnpRtlObjectEventWorker+152j
		mov	eax, [ebx+4]
		test	al, 4
		jnz	loc_85A1F4
		or	eax, 4
		mov	[ebx+4], eax
		mov	eax, [ebp+var_25+1]
		add	eax, 10h
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	ebx, [ebp+var_25+1]
		jmp	loc_85A1F4
; 

loc_927904:				; CODE XREF: PiPnpRtlObjectEventWorker+22Dj
		mov	[ebp+var_34], 0C000009Ah
		jmp	loc_85A23D
; 

loc_927910:				; CODE XREF: PiPnpRtlObjectEventWorker+B8j
		or	dword ptr [ecx+4], 2
		mov	eax, [ebp+var_25+1]
		mov	ecx, [eax+8]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_25+1]
		xor	edx, edx
		mov	ecx, [eax+8]
		mov	ebx, [ecx+18h]
		mov	eax, ebx
		and	eax, 0FFFFFFFEh
		mov	[ecx+18h], eax
		mov	ecx, [ebp+var_25+1]
		mov	ecx, [ecx+8]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, 1
		jz	short loc_927969
		push	ecx
		mov	ecx, [ebp+var_38]
		mov	edx, edi
		call	PiDmRemoveCacheReferenceForObject

loc_927969:				; CODE XREF: PiPnpRtlObjectEventWorker+CD8C0j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiPnpRtlRemoveOperationDispatchLock
		call	ExAcquireResourceExclusiveLite
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiPnpRtlActiveOperationsLock
		call	ExAcquireResourceSharedLite
		mov	edi, _PiPnpRtlActiveOperations
		jmp	short loc_9279E1
; 

loc_9279A5:				; CODE XREF: PiPnpRtlObjectEventWorker+CD94Bj
		cmp	edi, [ebp+var_30]
		jz	short loc_9279DF
		lea	eax, [ebp+var_25+1]
		push	eax
		lea	ebx, [edi+0Ch]
		push	ebx
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		test	eax, eax
		jz	short loc_9279DF
		mov	esi, [eax]
		push	eax
		push	ebx
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		lea	eax, [edi+44h]
		add	esi, 20h
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_927AE2
		mov	[esi], eax
		mov	[esi+4], edx
		mov	[edx], esi
		mov	[eax+4], esi

loc_9279DF:				; CODE XREF: PiPnpRtlObjectEventWorker+CD90Cj
					; PiPnpRtlObjectEventWorker+CD91Dj
		mov	edi, [edi]

loc_9279E1:				; CODE XREF: PiPnpRtlObjectEventWorker+CD907j
		cmp	edi, offset _PiPnpRtlActiveOperations
		jnz	short loc_9279A5
		mov	ecx, offset _PiPnpRtlActiveOperationsLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_25+1]
		call	_PiPnpRtlObjectEventDispatch@4 ; PiPnpRtlObjectEventDispatch(x)
		mov	esi, [ebp+var_30]
		lea	eax, [ebp+var_25+1]
		push	eax
		lea	eax, [esi+0Ch]
		push	eax
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		mov	ecx, [esi+48h]
		add	esi, 44h
		mov	eax, [ebp+var_25+1]
		add	eax, 20h
		cmp	[ecx], esi
		jnz	loc_927AE2
		mov	[eax+4], ecx
		mov	[eax], esi
		mov	[ecx], eax
		mov	ecx, offset _PiPnpRtlRemoveOperationDispatchLock
		mov	[esi+4], eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	ecx, ecx
		mov	[ebp+var_25+1],	ecx
		jmp	loc_85A256
; 

loc_927A55:				; CODE XREF: PiPnpRtlObjectEventWorker+AFj
		or	dword ptr [ecx+4], 1
		jmp	loc_85A253
; 

loc_927A5E:				; CODE XREF: PiPnpRtlObjectEventWorker+4Cj
					; PiPnpRtlObjectEventWorker+9Aj
		mov	ecx, [ebp+var_25+1]

loc_927A61:				; CODE XREF: PiPnpRtlObjectEventWorker+1BEj
		test	ecx, ecx
		jz	short loc_927AC6
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	ebx, offset _PiPnpRtlRemoveOperationDispatchLock
		push	ebx
		call	ExAcquireResourceSharedLite
		mov	eax, [ebp+var_25+1]
		cmp	dword ptr [eax+20h], 0
		jnz	short loc_927AB3
		mov	esi, [ebp+var_30]
		lea	eax, [ebp+var_25+1]
		push	eax
		lea	eax, [esi+0Ch]
		push	eax
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		mov	ecx, [esi+48h]
		add	esi, 44h
		mov	eax, [ebp+var_25+1]
		add	eax, 20h
		cmp	[ecx], esi
		jnz	short loc_927AE2
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esi+4], eax

loc_927AB3:				; CODE XREF: PiPnpRtlObjectEventWorker+CD9EBj
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_927AC6:				; CODE XREF: PiPnpRtlObjectEventWorker+3Cj
					; PiPnpRtlObjectEventWorker+CD9C7j
		mov	ecx, [ebp+var_38]
		call	PiDqGetObjectManagerForPnpObjectType
		test	eax, eax
		jz	loc_85A260
		mov	ecx, eax
		call	_PiDqObjectManagerMakeInconsistent@4 ; PiDqObjectManagerMakeInconsistent(x)
		jmp	loc_85A260
; 

loc_927AE2:				; CODE XREF: PiPnpRtlObjectEventWorker+CD933j
					; PiPnpRtlObjectEventWorker+CD989j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_927AE7:				; CODE XREF: PiDmObjectProcessPropertyChange+73j
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+arg_0]
		mov	ecx, [ebp-28h]
		push	eax
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_85A385
		mov	eax, [ebp+var_34]
		mov	byte ptr [ebp+var_4+3],	1
		jmp	loc_85A395
; END OF FUNCTION CHUNK	FOR PiPnpRtlObjectEventWorker
; 
; START	OF FUNCTION CHUNK FOR PiDmObjectProcessPropertyChange

loc_927B0C:				; CODE XREF: PiDmObjectProcessPropertyChange+B8j
		mov	esi, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_24], ebx
		jmp	loc_85A3DA
; 

loc_927B19:				; CODE XREF: PiDmObjectProcessPropertyChange+E9j
		mov	eax, [ebp+arg_4]
		cmp	[eax+edi*8+0Ch], ebx
		jz	loc_85A4CB
		jmp	loc_85A530
; 

loc_927B2B:				; CODE XREF: PiDmObjectProcessPropertyChange+159j
		mov	esi, 0C000009Ah
		jmp	loc_85A530
; 

loc_927B35:				; CODE XREF: PiDmObjectProcessPropertyChange+141j
		mov	eax, ebx
		jmp	loc_85A47B
; 

loc_927B3C:				; CODE XREF: PiDmObjectProcessPropertyChange+283j
					; PiDmObjectProcessPropertyChange+292j
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_C]
		jmp	loc_85A583
; 

loc_927B47:				; CODE XREF: PiDmObjectProcessPropertyChange+20Fj
		mov	ecx, [ebp+arg_0]
		call	PiDmObjectRelease
		jmp	loc_85A385
; END OF FUNCTION CHUNK	FOR PiDmObjectProcessPropertyChange
; 
; START	OF FUNCTION CHUNK FOR PnpSetDeviceClassChange

loc_927B54:				; CODE XREF: PnpSetDeviceClassChange+18j
		mov	eax, 0C0000189h
		jmp	loc_85A70C
; END OF FUNCTION CHUNK	FOR PnpSetDeviceClassChange

;  S U B	R O U T	I N E 


sub_927B5E	proc near		; DATA XREF: .text:006A71CCo
		xor	eax, eax
		inc	eax
		retn
sub_927B5E	endp


;  S U B	R O U T	I N E 


sub_927B62	proc near		; DATA XREF: .text:006A71D0o
		mov	esp, [ebp-18h]
		jmp	loc_85A702
sub_927B62	endp

; 
; START	OF FUNCTION CHUNK FOR PiDmAddCacheReferenceForObject

loc_927B6A:				; CODE XREF: PiDmAddCacheReferenceForObject+97j
		mov	edx, [ebp+var_54]
		lea	eax, [ebp+var_50]
		mov	ecx, [ebp+var_64]
		push	eax
		call	PiDmObjectCreate
		mov	esi, eax
		test	esi, esi
		js	loc_85A801
		push	[ebp+var_58]	; int
		lea	eax, [ebp+var_50]
		push	[ebp+var_5C]	; int
		push	0		; int
		push	4		; size_t
		push	eax		; void *
		push	edi		; int
		call	RtlInsertElementGenericTableFullAvl
		test	eax, eax
		jz	short loc_927BAA
		mov	eax, [ebp+var_50]
		mov	dword ptr [eax+8], 1
		jmp	loc_85A7C8
; 

loc_927BAA:				; CODE XREF: PiDmAddCacheReferenceForObject+CD471j
		mov	ecx, [ebp+var_50]
		call	PiDmObjectRelease
		xor	eax, eax
		mov	esi, 0C000009Ah
		jmp	loc_85A7C8
; END OF FUNCTION CHUNK	FOR PiDmAddCacheReferenceForObject
; 
; START	OF FUNCTION CHUNK FOR PiDmRemoveCacheReferenceForObject

loc_927BBE:				; CODE XREF: PiDmRemoveCacheReferenceForObject+44j
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebx+38h]
		push	eax
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		mov	ecx, [ebp+var_4]
		call	PiDmObjectRelease
		jmp	loc_85A850
; END OF FUNCTION CHUNK	FOR PiDmRemoveCacheReferenceForObject
; 
; START	OF FUNCTION CHUNK FOR PnpNotifyDriverCallback

loc_927BD8:				; CODE XREF: PnpNotifyDriverCallback+EBj
					; PnpNotifyDriverCallback+FFj
		mov	ecx, [ebx+0Ch]
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_927C59
		lea	edx, [ebp+var_20]
		mov	ecx, edi
		call	MmAttachSession
		mov	esi, eax
		test	esi, esi
		js	short loc_927C4A
		mov	esi, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		call	esi
		mov	ecx, large fs:124h
		push	dword ptr [ebx+18h]
		mov	[ebp+var_22], al
		push	[ebp+var_28]
		mov	eax, [ecx+13Ch]
		mov	[ebp+var_2C], eax
		call	dword ptr [ebx+14h]
		mov	[ebp+var_28], eax
		call	esi
		mov	ecx, large fs:124h
		mov	[ebp+var_21], al
		mov	eax, [ecx+13Ch]
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_34]
		test	eax, eax
		jz	short loc_927C3E
		mov	ecx, [ebp+var_28]
		mov	[eax], ecx

loc_927C3E:				; CODE XREF: PnpNotifyDriverCallback+B62B1j
		lea	edx, [ebp+var_20]
		mov	ecx, edi
		call	MmDetachSession
		mov	esi, eax

loc_927C4A:				; CODE XREF: PnpNotifyDriverCallback+B626Ej
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	edi, [ebp+var_30]
		jmp	loc_871A23
; 

loc_927C59:				; CODE XREF: PnpNotifyDriverCallback+B625Ej
		mov	esi, 0C0000001h
		jmp	loc_871A38
; 

loc_927C63:				; CODE XREF: PnpNotifyDriverCallback+A3j
					; PnpNotifyDriverCallback+ACj
		mov	ecx, [ebx+1Ch]
		test	ecx, ecx
		jz	short loc_927C9B
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+1Ch]
		xor	edx, edx
		cmp	[ecx+1Ch], dx
		jz	short loc_927C9B
		push	2
		pop	edx
		lea	ecx, [ecx+1Ch]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+1Ch]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+1Ch]

loc_927C9B:				; CODE XREF: PnpNotifyDriverCallback+B62E2j
					; PnpNotifyDriverCallback+B62F6j
		movzx	eax, [ebp+var_21]
		push	edi
		push	eax
		push	ecx
		push	0Ah
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_927CAF:				; CODE XREF: PopConnectToPolicyDevice+EFj
		mov	edx, 64506F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	loc_885935
; END OF FUNCTION CHUNK	FOR PnpNotifyDriverCallback
; 
; START	OF FUNCTION CHUNK FOR PopConnectToPolicyDevice

loc_927CC0:				; CODE XREF: PopConnectToPolicyDevice+10Cj
		push	dword ptr [ebx+4]
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_885952
; END OF FUNCTION CHUNK	FOR PopConnectToPolicyDevice
; 
; START	OF FUNCTION CHUNK FOR PopThermalZoneAdd

loc_927CCE:				; CODE XREF: PopThermalZoneAdd+19j
		push	8
		pop	ecx
		push	4
		mov	word ptr [ebp+arg_0], cx
		mov	edx, offset _PopThermalZoneTimerCallback@8 ; PopThermalZoneTimerCallback(x,x)
		pop	ecx
		mov	word ptr [ebp+arg_0+2],	cx
		lea	ecx, [ebp+arg_0]
		push	2
		push	ecx
		push	esi
		mov	ecx, eax
		call	_KeInitializeIRTimer@20	; KeInitializeIRTimer(x,x,x,x,x)
		jmp	loc_8859AE
; END OF FUNCTION CHUNK	FOR PopThermalZoneAdd
; 
; START	OF FUNCTION CHUNK FOR PopGetPolicyDeviceObject

loc_927CF4:				; CODE XREF: PopGetPolicyDeviceObject+AEj
		mov	edx, 64506F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	loc_885B40
; END OF FUNCTION CHUNK	FOR PopGetPolicyDeviceObject
; 
; START	OF FUNCTION CHUNK FOR PoCreateThermalRequest

loc_927D05:				; CODE XREF: PoCreateThermalRequest+63j
		mov	ebx, 0C000009Ah

loc_927D0A:				; CODE XREF: PoCreateThermalRequest+47j
		mov	esi, [ebp+var_4]

loc_927D0D:				; CODE XREF: PoCreateThermalRequest+ABj
					; PoCreateThermalRequest+B8j
		test	esi, esi
		jz	short loc_927D18
		mov	ecx, esi
		call	_PoDestroyReasonContext@4 ; PoDestroyReasonContext(x)

loc_927D18:				; CODE XREF: PoCreateThermalRequest+A2161j
		test	edi, edi
		jz	loc_885C6C
		push	6C6F4350h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_885C6C
; 

loc_927D30:				; CODE XREF: PoCreateThermalRequest+18j
					; PoCreateThermalRequest+21j ...
		mov	ebx, 0C000000Dh
		jmp	loc_885C64
; END OF FUNCTION CHUNK	FOR PoCreateThermalRequest
; 
; START	OF FUNCTION CHUNK FOR PopAssociateThermalRequest

loc_927D3A:				; CODE XREF: PopAssociateThermalRequest+21j
					; PopAssociateThermalRequest+82j
		mov	esi, 0C000009Ah
		jmp	loc_885E5D
; 

loc_927D44:				; CODE XREF: PopAssociateThermalRequest+C7j
		mov	ecx, edi
		call	_PopRegisterCoolingExtensionProtection@4 ; PopRegisterCoolingExtensionProtection(x)
		mov	esi, eax
		test	esi, esi
		js	loc_885E59
		jmp	loc_885D43
; 

loc_927D5A:				; CODE XREF: PopAssociateThermalRequest+4Fj
					; PopAssociateThermalRequest+F9j
		mov	al, [ebp+arg_0]
		jmp	loc_885DA7
; 

loc_927D62:				; CODE XREF: PopAssociateThermalRequest+133j
		mov	ecx, [esi+30h]
		call	_PopRegisterCoolingExtensionProtection@4 ; PopRegisterCoolingExtensionProtection(x)
		mov	esi, eax
		test	esi, esi
		jns	loc_885DAF
		cmp	dword_6C21A4, 0
		jz	short loc_927D84
		and	dword_6C21A4, 0

loc_927D84:				; CODE XREF: PopAssociateThermalRequest+A2105j
		xor	edx, edx
		mov	ecx, offset _PopCoolingExtensionLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_885E59
; END OF FUNCTION CHUNK	FOR PopAssociateThermalRequest
; 
; START	OF FUNCTION CHUNK FOR PoInitHiberServices

loc_927D9A:				; CODE XREF: PoInitHiberServices+30j
		test	eax, eax
		jz	loc_885F2C
		xor	bl, bl
		jmp	loc_885F2C
; 

loc_927DA9:				; CODE XREF: PoInitHiberServices+4Fj
					; PoInitHiberServices+5Cj
		mov	ds:_PopHiberFileType, eax
		jmp	loc_885F46
; 

loc_927DB3:				; CODE XREF: PoInitHiberServices+ECj
		cmp	[esi+4], eax
		ja	loc_885FD6
		lea	eax, [ebp+var_8]
		mov	bl, 1
		push	eax
		push	8
		push	2
		call	_PoDisableSleepStates@12 ; PoDisableSleepStates(x,x,x)
		jmp	loc_885FD6
; 

loc_927DD0:				; CODE XREF: PoInitHiberServices+FBj
		lea	eax, [ebp+var_8]
		mov	bl, 1
		push	eax
		push	8
		push	dword ptr ds:(loc_A401C7+1)[edi]
		call	_PoDisableSleepStates@12 ; PoDisableSleepStates(x,x,x)
		test	eax, eax
		jns	loc_885FE5
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	110h
		push	0A0h
		push	1
		call	_PoShutdownBugCheck@24 ; PoShutdownBugCheck(x,x,x,x,x,x)
		int	3		; Trap to Debugger

loc_927E02:				; CODE XREF: PopPreallocateHibernateMemory+19j
		mov	[ebp+var_8], edi
		mov	edi, 1A000h
		jmp	loc_8864DD
; END OF FUNCTION CHUNK	FOR PoInitHiberServices
; 
; START	OF FUNCTION CHUNK FOR PopPreallocateHibernateMemory

loc_927E0F:				; CODE XREF: PopPreallocateHibernateMemory+58j
		mov	[ebp+var_C], eax
		add	eax, 20h
		jmp	loc_88651C
; 

loc_927E1A:				; CODE XREF: PopPreallocateHibernateMemory+B1j
		push	72626968h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_927E25:				; CODE XREF: PopPreallocateHibernateMemory+34j
					; PopPreallocateHibernateMemory+A0j
		mov	ecx, 0C000009Ah
		jmp	loc_886604
; 

loc_927E2F:				; CODE XREF: PopPreallocateHibernateMemory+E1j
		mov	eax, [ebp+var_8]
		add	eax, esi
		mov	dword_6C2510, eax
		jmp	loc_8865A5
; 

loc_927E3E:				; CODE XREF: PopPreallocateHibernateMemory+118j
		mov	eax, [ebp+var_C]
		add	eax, esi
		mov	dword_6C2514, eax
		jmp	loc_8865DC
; END OF FUNCTION CHUNK	FOR PopPreallocateHibernateMemory
; 
; START	OF FUNCTION CHUNK FOR PdcPoReportButton

loc_927E4D:				; CODE XREF: PdcPoReportButton+16j
		cmp	_PopCapabilities, 0
		jz	loc_886A89
		mov	_PopCapabilities, 0
		jmp	loc_886A84
; 

loc_927E66:				; CODE XREF: PdcPoReportButton+35j
		test	bl, bl
		jz	short loc_927E80
		cmp	byte ptr unk_6C2E21, 1
		jz	loc_886A93
		mov	byte ptr unk_6C2E21, 1
		jmp	short loc_927E94
; 

loc_927E80:				; CODE XREF: PdcPoReportButton+A1410j
		cmp	byte ptr unk_6C2E21, 0
		jz	loc_886A93
		mov	byte ptr unk_6C2E21, 0

loc_927E94:				; CODE XREF: PdcPoReportButton+A1426j
		call	PopResetCurrentPolicies
		jmp	loc_886A93
; 

loc_927E9E:				; CODE XREF: PdcPoReportButton+3Fj
		test	bl, bl
		jz	short loc_927EB8
		cmp	byte_6C2E22, 1
		jz	loc_886A9D
		mov	byte_6C2E22, 1
		jmp	short loc_927ECC
; 

loc_927EB8:				; CODE XREF: PdcPoReportButton+A1448j
		cmp	byte_6C2E22, 0
		jz	loc_886A9D
		mov	byte_6C2E22, 0

loc_927ECC:				; CODE XREF: PdcPoReportButton+A145Ej
		call	PopResetCurrentPolicies
		jmp	loc_886A9D
; END OF FUNCTION CHUNK	FOR PdcPoReportButton
; 
; START	OF FUNCTION CHUNK FOR PopAdaptivePowerSettingCallback

loc_927ED6:				; CODE XREF: PopAdaptivePowerSettingCallback+8Bj
		mov	byte_6BFB73, 1
		mov	dword_6BFB68, eax
		test	eax, eax
		jnz	loc_886B39
		mov	ecx, _PopConsoleContext
		xor	dl, dl
		push	1
		call	_PopInputDisabled@12 ; PopInputDisabled(x,x,x)
		jmp	loc_886B39
; 

loc_927EFE:				; CODE XREF: PopAdaptivePowerSettingCallback+10j
					; PopAdaptivePowerSettingCallback+1Bj
		mov	edi, 0C000000Dh
		jmp	loc_886B4A
; END OF FUNCTION CHUNK	FOR PopAdaptivePowerSettingCallback
; 
; START	OF FUNCTION CHUNK FOR PopDiagTracePolicyChange

loc_927F08:				; CODE XREF: PopDiagTracePolicyChange+5Aj
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_60], ebx
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_7C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		push	ebx
		push	(offset	loc_407E2F+1)
		push	esi
		push	edi
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_886BCC
; END OF FUNCTION CHUNK	FOR PopDiagTracePolicyChange
; 
; START	OF FUNCTION CHUNK FOR PopHardDiskPowerSettingCallback

loc_927F7D:				; CODE XREF: PopHardDiskPowerSettingCallback+81j
		mov	_PopDiskIdleTimeout, eax
		call	PopUpdateDiskIdleTimeoutSetting
		jmp	loc_886C65
; END OF FUNCTION CHUNK	FOR PopHardDiskPowerSettingCallback
; 
; START	OF FUNCTION CHUNK FOR PopSleepPowerSettingCallback

loc_927F8C:				; CODE XREF: PopSleepPowerSettingCallback+FDj
		cmp	byte_6C2E23, 0
		jnz	loc_886E29
		cmp	byte ptr word_6C2E24, 0
		jnz	loc_886E29
		jmp	loc_886E31
; 

loc_927FAB:				; CODE XREF: PopSleepPowerSettingCallback+130j
		cmp	byte_6C2E26, 0
		jz	loc_886E5C
		cmp	byte_6C2E27, 0
		jz	loc_886E5C
		mov	[esp+0F8h+var_B8], 3
		jmp	loc_886E5C
; END OF FUNCTION CHUNK	FOR PopSleepPowerSettingCallback
; 
; START	OF FUNCTION CHUNK FOR PopPowerButtonSettingCallback

loc_927FD2:				; CODE XREF: PopPowerButtonSettingCallback+116j
		cmp	eax, 3
		jz	loc_886FA6
		cmp	eax, 8
		jz	loc_886FA6

loc_927FE4:				; CODE XREF: PopPowerButtonSettingCallback+AFj
					; PopPowerButtonSettingCallback+B7j
		mov	esi, 0C000000Dh
		jmp	loc_886FC5
; END OF FUNCTION CHUNK	FOR PopPowerButtonSettingCallback
; 
; START	OF FUNCTION CHUNK FOR PopBatteryUpdateAlarms

loc_927FEE:				; CODE XREF: PopBatteryUpdateAlarms+4Cj
		push	4
		xor	ebx, ebx
		pop	edi
		jmp	loc_887073
; END OF FUNCTION CHUNK	FOR PopBatteryUpdateAlarms
; 
; START	OF FUNCTION CHUNK FOR PopResetCurrentPolicies

loc_927FF8:				; CODE XREF: PopResetCurrentPolicies+7Ej
		lea	ecx, [esp+118h+var_F4] ; void *
		call	_PopDefaultPolicy@4 ; PopDefaultPolicy(x)
		mov	eax, 0E8h
		jmp	loc_8871D7
; END OF FUNCTION CHUNK	FOR PopResetCurrentPolicies
; 
; START	OF FUNCTION CHUNK FOR PopApplyPolicy

loc_92800B:				; CODE XREF: PopApplyPolicy+4Fj
		mov	eax, 0C0000023h
		jmp	loc_887363
; 

loc_928015:				; CODE XREF: PopApplyPolicy+55j
		mov	eax, 80000005h
		jmp	loc_887363
; END OF FUNCTION CHUNK	FOR PopApplyPolicy
; 
; START	OF FUNCTION CHUNK FOR PopVerifySystemPowerPolicy

loc_92801F:				; CODE XREF: PopVerifySystemPowerPolicy+1Cj
		mov	eax, 0C000000Dh
		jmp	loc_88755A
; 

loc_928029:				; CODE XREF: PopVerifySystemPowerPolicy+2Fj
		cmp	byte ptr word_6C2E24, 0
		jz	short loc_92803E
		mov	dword ptr [ebx+48h], 3
		jmp	loc_8873D8
; 

loc_92803E:				; CODE XREF: PopVerifySystemPowerPolicy+A0C90j
		cmp	byte_6C2E23, 0
		jz	loc_8873D8
		mov	[ebx+48h], ecx
		jmp	loc_8873D8
; 

loc_928053:				; CODE XREF: PopVerifySystemPowerPolicy+3Fj
		mov	[edi], ecx
		mov	eax, ecx
		jmp	loc_8873E5
; 

loc_92805C:				; CODE XREF: PopVerifySystemPowerPolicy+47j
		mov	[edi], edx
		mov	eax, edx
		jmp	loc_8873ED
; 

loc_928065:				; CODE XREF: PopVerifySystemPowerPolicy+55j
		push	2
		pop	ecx
		mov	[esi], ecx
		jmp	loc_8873FB
; 

loc_92806F:				; CODE XREF: PopVerifySystemPowerPolicy+5Dj
		mov	[esi], edx
		mov	ecx, edx
		jmp	loc_887403
; 

loc_928078:				; CODE XREF: PopVerifySystemPowerPolicy+65j
		mov	[esi], eax
		mov	ecx, eax
		jmp	loc_88740B
; 

loc_928081:				; CODE XREF: PopVerifySystemPowerPolicy+73j
		mov	[edi], edx
		jmp	loc_887419
; 

loc_928088:				; CODE XREF: PopVerifySystemPowerPolicy+80j
		mov	[esi], eax
		jmp	loc_887426
; 

loc_92808F:				; CODE XREF: PopVerifySystemPowerPolicy+94j
		mov	[ebx+0C0h], ecx
		mov	eax, ecx
		jmp	loc_88743A
; 

loc_92809C:				; CODE XREF: PopVerifySystemPowerPolicy+A2j
		mov	[ebx+0C0h], ecx
		jmp	loc_887448
; 

loc_9280A7:				; CODE XREF: PopVerifySystemPowerPolicy+B6j
		mov	[ebx+0D4h], ecx
		mov	eax, ecx
		jmp	loc_88745C
; 

loc_9280B4:				; CODE XREF: PopVerifySystemPowerPolicy+C4j
		mov	[ebx+0D4h], ecx
		jmp	loc_88746A
; 

loc_9280BF:				; CODE XREF: PopVerifySystemPowerPolicy+137j
		cmp	dword ptr [esi], 4
		jle	loc_8874DD
		xor	edx, edx
		mov	dword ptr [esi], 4
		inc	edx
		mov	ecx, esi
		call	PopVerifySystemPowerState
		jmp	loc_8874DD
; 

loc_9280DD:				; CODE XREF: PopVerifySystemPowerPolicy+148j
		or	eax, 10h
		jmp	loc_8874F1
; 

loc_9280E5:				; CODE XREF: PopVerifySystemPowerPolicy+15Aj
		mov	[edi-4], eax
		jmp	loc_887500
; 

loc_9280ED:				; CODE XREF: PopVerifySystemPowerPolicy+182j
		cmp	byte_6C2E27, 0
		jnz	loc_887528
		and	dword ptr [ebx+58h], 0
		xor	eax, eax
		jmp	loc_887528
; 

loc_928105:				; CODE XREF: PopVerifySystemPowerPolicy+192j
		cmp	ecx, esi
		jnb	loc_887538
		mov	[ebx+3Ch], esi
		mov	edx, esi
		jmp	loc_887538
; 

loc_928117:				; CODE XREF: PopVerifySystemPowerPolicy+1A5j
		test	al, al
		jnz	loc_88754B
		mov	byte ptr [ebx+40h], 5Ah
		jmp	loc_88754B
; END OF FUNCTION CHUNK	FOR PopVerifySystemPowerPolicy
; 
; START	OF FUNCTION CHUNK FOR EmpProviderRegister

loc_928128:				; CODE XREF: EmpProviderRegister+38j
		cmp	[ebp+arg_10], ebx
		jz	loc_887790

loc_928131:				; CODE XREF: EmpProviderRegister+26j
					; EmpProviderRegister+E4j ...
		mov	ebx, 0C000000Dh

loc_928136:				; CODE XREF: EmpProviderRegister+A0AAEj
					; EmpProviderRegister+A0B30j ...
		mov	[ebp+var_4], ebx
		test	esi, esi
		jz	loc_88798E
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_928153
		push	72704D45h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_928153:				; CODE XREF: EmpProviderRegister+A09F4j
		cmp	[esi+0Ch], edi
		jz	short loc_9281A7
		mov	[ebp+arg_8], edi
		cmp	[ebp+var_8], edi
		jbe	short loc_92819A
		mov	edx, edi

loc_928162:				; CODE XREF: EmpProviderRegister+A0A46j
		mov	eax, [esi+0Ch]
		add	eax, 8
		add	eax, edx
		mov	ecx, [eax]
		mov	[ebp+arg_4], ecx
		cmp	[ecx+4], eax
		jnz	loc_92829A
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_92829A
		mov	eax, [ebp+arg_4]
		add	edx, 10h
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, [ebp+arg_8]
		inc	ecx
		mov	[ebp+arg_8], ecx
		cmp	ecx, [ebp+var_8]
		jb	short loc_928162

loc_92819A:				; CODE XREF: EmpProviderRegister+A0A0Cj
		push	72704D45h
		push	dword ptr [esi+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9281A7:				; CODE XREF: EmpProviderRegister+A0A04j
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_9281E1
		mov	ecx, edi
		cmp	[ebp+arg_10], ecx
		jbe	short loc_9281D6
		mov	ebx, eax

loc_9281B7:				; CODE XREF: EmpProviderRegister+A0A7Dj
		mov	edx, [eax+ecx*4]
		test	edx, edx
		jz	short loc_9281CB
		cmp	[edx+14h], edi
		jnz	short loc_9281CB
		mov	[edx+10h], edi
		mov	eax, [esi+14h]
		mov	ebx, eax

loc_9281CB:				; CODE XREF: EmpProviderRegister+A0A6Aj
					; EmpProviderRegister+A0A6Fj
		inc	ecx
		cmp	ecx, [ebp+arg_10]
		jb	short loc_9281B7
		mov	eax, ebx
		mov	ebx, [ebp+var_4]

loc_9281D6:				; CODE XREF: EmpProviderRegister+A0A61j
		push	72704D45h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9281E1:				; CODE XREF: EmpProviderRegister+A0A5Aj
		push	72704D45h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88798E
; 

loc_9281F1:				; CODE XREF: EmpProviderRegister+50j
		mov	ebx, 0C000009Ah
		jmp	loc_88798E
; 

loc_9281FB:				; CODE XREF: EmpProviderRegister+93j
					; EmpProviderRegister+148j ...
		mov	ebx, 0C000009Ah
		jmp	loc_928136
; 

loc_928205:				; CODE XREF: EmpProviderRegister+B4j
		inc	dword ptr [esi+10h]
		jmp	loc_88780C
; 

loc_92820D:				; CODE XREF: EmpProviderRegister+C7j
		shl	eax, 4
		push	72704D45h
		push	eax
		push	1
		mov	[ebp+var_10], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+0Ch], eax
		test	eax, eax
		jz	short loc_9281FB
		push	[ebp+var_10]	; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_88781F
; 

loc_928239:				; CODE XREF: EmpProviderRegister+110j
		mov	ecx, [esi+0Ch]
		add	ecx, [ebp+var_C]
		mov	eax, [ebp+var_14]
		mov	[ecx], eax
		mov	eax, [edx]
		mov	[ecx+4], eax
		add	ecx, 8
		mov	eax, [ebp+var_18]
		add	eax, 24h
		mov	ebx, [eax+4]
		mov	[ebp+var_18], ebx
		cmp	[ebx], eax
		mov	ebx, edi
		jnz	short loc_92829A
		mov	edx, [ebp+var_18]
		inc	[ebp+var_8]
		add	[ebp+var_C], 10h
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	edx, [ebp+arg_4]
		mov	[eax+4], ecx
		mov	eax, [ebp+var_10]
		jmp	loc_887868
; 

loc_92827D:				; CODE XREF: EmpProviderRegister+F6j
					; EmpProviderRegister+18Ej
		mov	ebx, 0C0000225h
		jmp	loc_928136
; 

loc_928287:				; CODE XREF: EmpProviderRegister+199j
		cmp	eax, [ebp+arg_C]
		jz	loc_8878F1
		mov	ebx, 0C0000035h
		jmp	loc_928136
; 

loc_92829A:				; CODE XREF: EmpProviderRegister+A0A20j
					; EmpProviderRegister+A0A2Bj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_92829F:				; CODE XREF: RtlCharToInteger+14j
		mov	ecx, edx
		inc	edx
		mov	al, [edx]
		test	al, al
		jz	short loc_9282AF
		mov	bl, al
		jmp	loc_8879E7
; 

loc_9282AF:				; CODE XREF: EmpProviderRegister+A0B54j
		mov	edx, ecx
		jmp	loc_8879F1
; END OF FUNCTION CHUNK	FOR EmpProviderRegister
; 
; START	OF FUNCTION CHUNK FOR RtlCharToInteger

loc_9282B6:				; CODE XREF: RtlCharToInteger+20j
					; RtlCharToInteger+29j
		mov	cl, [edx]
		inc	edx
		jmp	loc_887A05
; 

loc_9282BE:				; CODE XREF: RtlCharToInteger+36j
		mov	[ebp+arg_4], 0Ah
		xor	edi, edi
		cmp	cl, 30h
		jnz	loc_887A37
		mov	cl, [edx]
		inc	edx
		cmp	cl, 78h
		jnz	short loc_9282E3
		mov	[ebp+arg_4], 10h
		push	4
		jmp	short loc_9282F1
; 

loc_9282E3:				; CODE XREF: RtlCharToInteger+A0900j
		cmp	cl, 6Fh
		jnz	short loc_9282F4
		mov	[ebp+arg_4], 8
		push	3

loc_9282F1:				; CODE XREF: RtlCharToInteger+A090Bj
		pop	edi
		jmp	short loc_928303
; 

loc_9282F4:				; CODE XREF: RtlCharToInteger+A0910j
		cmp	cl, 62h
		jnz	short loc_928307
		mov	[ebp+arg_4], 2
		xor	edi, edi
		inc	edi

loc_928303:				; CODE XREF: RtlCharToInteger+A091Cj
		mov	cl, [edx]
		jmp	short loc_928309
; 

loc_928307:				; CODE XREF: RtlCharToInteger+A0921j
		mov	edx, esi

loc_928309:				; CODE XREF: RtlCharToInteger+A092Fj
		inc	edx
		jmp	loc_887A37
; 

loc_92830F:				; CODE XREF: RtlCharToInteger+58j
		mov	eax, 0C000000Dh
		jmp	loc_887A77
; 

loc_928319:				; CODE XREF: RtlCharToInteger+49j
		push	3
		jmp	loc_887A36
; 

loc_928320:				; CODE XREF: RtlCharToInteger+40j
		xor	edi, edi
		inc	edi
		jmp	loc_887A37
; END OF FUNCTION CHUNK	FOR RtlCharToInteger

;  S U B	R O U T	I N E 


sub_928328	proc near		; DATA XREF: .text:006A720Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_928328	endp


;  S U B	R O U T	I N E 


sub_928336	proc near		; DATA XREF: .text:006A7210o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-1Ch]
		jmp	loc_887A77
sub_928336	endp

; 
; START	OF FUNCTION CHUNK FOR SdbpFindNextIndexedWildCardTag

loc_928348:				; CODE XREF: SdbpFindNextIndexedWildCardTag+8Aj
		lea	ecx, [ebp+var_10]
		call	_SdbpKeyToAnsiString@12	; SdbpKeyToAnsiString(x,x,x)
		mov	[ebp+var_8], 2Ah
		jmp	loc_887B52
; END OF FUNCTION CHUNK	FOR SdbpFindNextIndexedWildCardTag
; 
; START	OF FUNCTION CHUNK FOR AslStringPatternMatchA

loc_928359:				; CODE XREF: AslStringPatternMatchA+15j
		cmp	byte ptr [eax],	0
		jz	loc_887C5D
		jmp	loc_887BE5
; END OF FUNCTION CHUNK	FOR AslStringPatternMatchA
; 
; START	OF FUNCTION CHUNK FOR AslStringPatternMatchW

loc_928367:				; CODE XREF: AslStringPatternMatchW+6Ej
		push	2Ah
		mov	ebx, edx
		mov	eax, esi
		pop	edx
		jmp	loc_887CAC
; 

loc_928373:				; CODE XREF: AslStringPatternMatchW+77j
		mov	ecx, eax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	si, ax
		mov	eax, [ebp+var_4]
		mov	cx, [eax]
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		cmp	si, ax
		jnz	loc_887CDA
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		call	AslStringPatternMatchW
		test	eax, eax
		jnz	loc_887D0B
		jmp	loc_887CDA
; END OF FUNCTION CHUNK	FOR AslStringPatternMatchW
; 
; START	OF FUNCTION CHUNK FOR MiMarkBootGuardPage

loc_9283A9:				; CODE XREF: MiMarkBootGuardPage+D6j
		or	eax, 0FFFFFFFFh
		mov	ecx, offset unk_6D3628
		lock xadd [ecx], eax
		jmp	loc_887E60
; END OF FUNCTION CHUNK	FOR MiMarkBootGuardPage
; 
; START	OF FUNCTION CHUNK FOR MmAllocateIndependentPagesEx

loc_9283BA:				; CODE XREF: MmAllocateIndependentPagesEx+5Fj
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_9283C4:				; CODE XREF: MmAllocateIndependentPagesEx+4Dj
		xor	eax, eax
		jmp	loc_887FBF
; 

loc_9283CB:				; CODE XREF: MmAllocateIndependentPagesEx+C0j
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		jmp	loc_887F1B
; 

loc_9283DC:				; CODE XREF: MmAllocateIndependentPagesEx+123j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_928412
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	loc_887F9D

loc_9283F5:				; CODE XREF: MmAllocateIndependentPagesEx+A05BCj
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	loc_887F9D
		mov	edx, [esp+48h+var_38]
		or	edx, 80000000h
		jmp	loc_887FA1
; 

loc_928412:				; CODE XREF: MmAllocateIndependentPagesEx+A0573j
		mov	eax, large fs:124h
		mov	ecx, [esp+48h+var_30]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_9283F5
		jmp	loc_887F9D
; 

loc_928433:				; CODE XREF: MmAllocateIndependentPagesEx+139j
		push	edx
		push	esi
		mov	ecx, ebx
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_887FAF
; END OF FUNCTION CHUNK	FOR MmAllocateIndependentPagesEx
; 
; START	OF FUNCTION CHUNK FOR KeInitializeTimerTable

loc_928441:				; CODE XREF: KeInitializeTimerTable+94j
		call	off_6B1378	; KeIsCetCapable()
		test	al, al
		jz	loc_888067
		mov	ds:_KiSerializeTimerExpiration,	1
		jmp	loc_888067
; 

loc_92845E:				; CODE XREF: KeInitializeTimerTable+B0j
		cmp	ds:_KiSerializeTimerExpiration,	0
		jnz	short loc_92849E
		push	6254654Bh
		push	ebx
		push	204h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_928487
		mov	eax, 0C000009Ah
		jmp	loc_888051
; 

loc_928487:				; CODE XREF: KeInitializeTimerTable+A04B3j
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	cl, [esi+3C5h]
		jmp	loc_888091
; 

loc_92849E:				; CODE XREF: KeInitializeTimerTable+A049Dj
		xor	edi, edi
		jmp	loc_888091
; END OF FUNCTION CHUNK	FOR KeInitializeTimerTable
; 
; START	OF FUNCTION CHUNK FOR KiInitializeForceIdle

loc_9284A5:				; CODE XREF: KiInitializeForceIdle+7Bj
		mov	ds:_KiForceIdleDisabled, 1
		jmp	loc_8880C7
; END OF FUNCTION CHUNK	FOR KiInitializeForceIdle
; 
; START	OF FUNCTION CHUNK FOR HvlInitializeProcessor

loc_9284B4:				; CODE XREF: HvlInitializeProcessor+12j
		test	byte ptr ds:_HvlpFlags,	2
		jz	short loc_9284CA
		call	HvlpEnableRootVirtualProcessor
		test	eax, eax
		js	loc_888150

loc_9284CA:				; CODE XREF: HvlInitializeProcessor+A0385j
		mov	eax, ds:_HvlpFlags
		xor	ebx, ebx
		and	[ebp+var_4], ebx
		test	eax, 80000h
		jz	short loc_9284F7
		test	al, 2
		jnz	short loc_9284F7
		call	_HvlpAllocateOverlayPages@4 ; HvlpAllocateOverlayPages(x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	loc_92858D
		mov	[esi+3FCCh], edx

loc_9284F7:				; CODE XREF: HvlInitializeProcessor+A03A3j
					; HvlInitializeProcessor+A03A7j
		mov	ecx, ds:_HvlpFlags
		test	cl, 2
		jnz	short loc_92851B
		test	ecx, 8000h
		jz	short loc_92851B
		call	_HvlpAllocateOverlayPages@4 ; HvlpAllocateOverlayPages(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_928566
		mov	[esi+4DCh], ebx

loc_92851B:				; CODE XREF: HvlInitializeProcessor+A03CAj
					; HvlInitializeProcessor+A03D2j
		mov	ecx, [esi+338h]
		push	ecx
		push	ecx
		movzx	edx, word ptr [ecx+8Ah]
		mov	ecx, 6000h
		call	MmAllocateIndependentPagesEx
		mov	edi, eax
		test	edi, edi
		jz	short loc_928566
		push	2
		mov	[esi+3FC8h], edi
		pop	ebx

loc_928543:				; CODE XREF: HvlInitializeProcessor+A0422j
		push	edi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	[edi+8], eax
		mov	[edi+0Ch], edx
		add	edi, 1000h
		sub	ebx, 1
		jnz	short loc_928543
		mov	ecx, esi
		call	_HvlpSetupCachedHypercallPages@4 ; HvlpSetupCachedHypercallPages(x)
		jmp	loc_88814E
; 

loc_928566:				; CODE XREF: HvlInitializeProcessor+A03DDj
					; HvlInitializeProcessor+A0402j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_92857B
		mov	ecx, eax
		call	_HvlpFreeOverlayPages@4	; HvlpFreeOverlayPages(x)
		and	dword ptr [esi+3FCCh], 0

loc_92857B:				; CODE XREF: HvlInitializeProcessor+A0435j
		test	ebx, ebx
		jz	short loc_92858D
		mov	ecx, ebx
		call	_HvlpFreeOverlayPages@4	; HvlpFreeOverlayPages(x)
		and	dword ptr [esi+4DCh], 0

loc_92858D:				; CODE XREF: HvlInitializeProcessor+A03B5j
					; HvlInitializeProcessor+A0447j
		mov	eax, 0C000009Ah
		jmp	loc_888150
; END OF FUNCTION CHUNK	FOR HvlInitializeProcessor
; 
; START	OF FUNCTION CHUNK FOR MmCreateShadowMapping

loc_928597:				; CODE XREF: MmCreateShadowMapping+E1j
		lea	eax, [esp+124h+var_20]
		xor	edx, edx
		push	eax
		mov	ecx, edi
		call	KiStackAttachProcess
		jmp	loc_88823D
; 

loc_9285AD:				; CODE XREF: MmCreateShadowMapping+122j
		test	al, 4
		jnz	loc_88827E
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset dword_6D05C8
		jmp	loc_88827E
; 

loc_9285C4:				; CODE XREF: MmCreateShadowMapping+136j
		xor	edx, edx
		lea	ecx, [esp+124h+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_888292
; END OF FUNCTION CHUNK	FOR MmCreateShadowMapping
; 
; START	OF FUNCTION CHUNK FOR MiInitializeShadowPageTable

loc_9285D7:				; CODE XREF: MiInitializeShadowPageTable+5Cj
		mov	eax, ebx
		jmp	loc_888423
; END OF FUNCTION CHUNK	FOR MiInitializeShadowPageTable
; 
; START	OF FUNCTION CHUNK FOR CmpFinishBeingActiveFlusherAndReconciler

loc_9285DE:				; CODE XREF: CmpFinishBeingActiveFlusherAndReconciler+4Fj
		test	al, 4
		jnz	loc_888E33
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_888E33
; END OF FUNCTION CHUNK	FOR CmpFinishBeingActiveFlusherAndReconciler
; 
; START	OF FUNCTION CHUNK FOR HvpDropPagedBins

loc_9285F2:				; CODE XREF: HvpDropPagedBins+4Aj
		push	1456h
		push	[ebp+var_8]
		push	esi
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_928604:				; CODE XREF: HvpDropPagedBins+E0j
		push	ecx
		mov	edx, ebx
		mov	ecx, edi
		call	_CmpProtectPool@12 ; CmpProtectPool(x,x,x)
		push	ebx
		push	edi
		call	dword ptr [esi+10h]
		mov	eax, [ebp+var_C]
		jmp	loc_888F4A
; END OF FUNCTION CHUNK	FOR HvpDropPagedBins
; 
; START	OF FUNCTION CHUNK FOR CmpBecomeActiveFlusherAndReconciler

loc_92861B:				; CODE XREF: CmpBecomeActiveFlusherAndReconciler+30j
		mov	edx, ebx
		mov	ecx, esi
		call	_CmpWaitOnHiveWriteQueue@8 ; CmpWaitOnHiveWriteQueue(x,x)
		jmp	loc_8890A9
; 

loc_928629:				; CODE XREF: CmpBecomeActiveFlusherAndReconciler+45j
		mov	edx, ebx
		mov	ecx, esi
		call	_CmpWaitOnHiveWriteQueue@8 ; CmpWaitOnHiveWriteQueue(x,x)
		lea	ebx, [esi+9C8h]
		jmp	loc_8890A9
; 

loc_92863D:				; CODE XREF: CmpBecomeActiveFlusherAndReconciler+63j
		test	al, 4
		jnz	loc_8890FB
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8890FB
; END OF FUNCTION CHUNK	FOR CmpBecomeActiveFlusherAndReconciler
; 
; START	OF FUNCTION CHUNK FOR HvlPhase0Initialize

loc_928651:				; CODE XREF: HvlPhase0Initialize+38j
					; HvlPhase0Initialize+49j
		mov	ecx, esi
		call	_HvlpSetupBootProcessorEarlyHypercallPages@4 ; HvlpSetupBootProcessorEarlyHypercallPages(x)
		test	eax, eax
		js	loc_889167
		mov	ds:_HvlHypervisorConnected, 1
		call	_HvlpDetermineEnlightenments@0 ; HvlpDetermineEnlightenments()
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		test	eax, eax
		js	loc_889167
		test	byte ptr ds:_HvlpFlags,	2
		jz	short loc_9286A1
		mov	eax, ds:_KeLoaderBlock
		push	offset ??_C@_0O@LFBEJCLG@HYPERVISORDBG@NNGAKEGL@ ; char	*
		push	dword ptr [eax+78h] ; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_9286A1
		or	ds:_HvlpRootFlags, 8

loc_9286A1:				; CODE XREF: HvlPhase0Initialize+9F574j
					; HvlPhase0Initialize+9F58Cj
		mov	ecx, esi
		call	_HvlpPhase0Enlightenments@4 ; HvlpPhase0Enlightenments(x)
		test	eax, eax
		js	loc_889167
		mov	ecx, esi
		call	_HvlpInitializeBootProcessor@4 ; HvlpInitializeBootProcessor(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9286C7
		push	offset _HvlpHypervisorVersion
		call	_HviGetHypervisorVersion@4 ; HviGetHypervisorVersion(x)

loc_9286C7:				; CODE XREF: HvlPhase0Initialize+9F5AFj
		mov	eax, esi
		jmp	loc_889167
; END OF FUNCTION CHUNK	FOR HvlPhase0Initialize
; 
; START	OF FUNCTION CHUNK FOR KiStartDpcThread

loc_9286CE:				; CODE XREF: KiStartDpcThread+5Ej
		cmp	ds:_KeDpcWatchdogPeriod, 0
		jz	loc_889298
		lea	ecx, [ebx+3F98h]
		push	ecx
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		jmp	loc_889298
; END OF FUNCTION CHUNK	FOR KiStartDpcThread
; 
; START	OF FUNCTION CHUNK FOR PopPowerButtonBugcheckConfigure

loc_9286EC:				; CODE XREF: PopPowerButtonBugcheckConfigure+78j
		test	al, 4
		jnz	loc_889328
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_889328
; END OF FUNCTION CHUNK	FOR PopPowerButtonBugcheckConfigure
; 
; START	OF FUNCTION CHUNK FOR PopNetSetConnectivityConstraint

loc_928700:				; CODE XREF: PopNetSetConnectivityConstraint+12j
		cmp	ecx, 2
		jz	loc_88945A
		cmp	ecx, 3
		jz	loc_88945A
		jmp	loc_88945C
; END OF FUNCTION CHUNK	FOR PopNetSetConnectivityConstraint
; 
; START	OF FUNCTION CHUNK FOR PpmIdleRegisterDefaultStates

loc_928717:				; CODE XREF: PpmIdleRegisterDefaultStates+1Aj
		mov	ebx, ds:_HvlEnlightenments
		shr	ebx, 9
		and	bl, 1
		jmp	loc_8894F4
; 

loc_928728:				; CODE XREF: PpmIdleRegisterDefaultStates+41j
		mov	edi, 0C000009Ah
		jmp	loc_8895D9
; 

loc_928732:				; CODE XREF: PpmIdleRegisterDefaultStates+9Aj
		mov	eax, [esi+60h]
		and	eax, 7FFFFF00h
		mov	[ebp+var_4], 2
		or	eax, 97h
		mov	dword ptr [esi+18h], offset @PpmIdleGuestPreselect@8 ; PpmIdleGuestPreselect(x,x)
		mov	[esi+60h], eax
		lea	eax, [esi+70h]
		push	offset ??_C@_1CC@EDNLIPOI@?$AAE?$AAn?$AAl?$AAi?$AAg?$AAh?$AAt?$AAe?$AAn?$AAe?$AAd?$AA?5?$AAI?$AAd?$AAl@NNGAKEGL@
		push	eax
		mov	dword ptr [esi+1Ch], offset @PpmIdleGuestTest@12 ; PpmIdleGuestTest(x,x,x)
		mov	dword ptr [esi+24h], offset @PpmIdleGuestPreExecute@20 ; PpmIdleGuestPreExecute(x,x,x,x,x)
		mov	dword ptr [esi+30h], offset @PpmIdleGuestExecute@32 ; PpmIdleGuestExecute(x,x,x,x,x,x,x,x)
		mov	dword ptr [esi+34h], offset @PpmIdleGuestComplete@20 ; PpmIdleGuestComplete(x,x,x,x,x)
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_889574
; END OF FUNCTION CHUNK	FOR PpmIdleRegisterDefaultStates
; 
; START	OF FUNCTION CHUNK FOR PpmUpdateIdleStates

loc_92877F:				; CODE XREF: PpmUpdateIdleStates+50j
					; PpmUpdateIdleStates+64j
		mov	esi, 0C000000Dh
		jmp	loc_88968B
; END OF FUNCTION CHUNK	FOR PpmUpdateIdleStates
; 
; START	OF FUNCTION CHUNK FOR ObCreateObjectTypeEx

loc_928789:				; CODE XREF: ObCreateObjectTypeEx+474j
		test	dl, 1
		jnz	loc_8897DE
		xor	edx, edx

loc_928794:				; CODE XREF: ObCreateObjectTypeEx+81j
					; ObCreateObjectTypeEx+8Fj ...
		push	offset ??_C@_0BM@GKKEIPNA@Error?5creating?5object?5type?6@NNGAKEGL@ ; char *
		push	edx		; int
		push	edx		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		int	3		; Trap to Debugger
		mov	eax, 0C000000Dh
		jmp	loc_889B45
; 

loc_9287AE:				; CODE XREF: ObCreateObjectTypeEx+FEj
		mov	eax, 0C0000033h
		jmp	loc_889B45
; 

loc_9287B8:				; CODE XREF: ObCreateObjectTypeEx+13Dj
		mov	esi, 0C0000035h
		jmp	short loc_9287C4
; 

loc_9287BF:				; CODE XREF: ObCreateObjectTypeEx+160j
		mov	esi, 0C000009Ah

loc_9287C4:				; CODE XREF: ObCreateObjectTypeEx+9F0BFj
		lea	ecx, [esp+128h+var_DC]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)
		jmp	short loc_9287E9
; 

loc_9287CF:				; CODE XREF: ObCreateObjectTypeEx+430j
		and	ds:_ObTypeIndexTable[esi*4], 0
		mov	esi, edi

loc_9287D9:				; CODE XREF: ObCreateObjectTypeEx+401j
		lea	ecx, [esp+128h+var_DC]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_9287E9:				; CODE XREF: ObCreateObjectTypeEx+9F0CFj
		mov	eax, esi
		jmp	loc_889B45
; 

loc_9287F0:				; CODE XREF: ObCreateObjectTypeEx+1FBj
		lea	ecx, [esp+128h+var_DC]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+128h+var_FC]
		jmp	loc_889B45
; 

loc_928809:				; CODE XREF: ObCreateObjectTypeEx+231j
		lea	ecx, [esp+128h+var_DC]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	loc_889B45
; 

loc_928820:				; CODE XREF: ObCreateObjectTypeEx+2EFj
		push	4
		pop	ecx

loc_928823:				; CODE XREF: ObCreateObjectTypeEx+284j
		cmp	[edi], cx
		jb	short loc_928838
		mov	eax, [edi+4]
		mov	eax, [eax]
		mov	[ebx+84h], eax
		jmp	loc_8899F3
; 

loc_928838:				; CODE XREF: ObCreateObjectTypeEx+9F128j
		mov	dword ptr [ebx+84h], 3F6A624Fh
		jmp	loc_8899F3
; 

loc_928847:				; CODE XREF: ObCreateObjectTypeEx+30Ej
		or	byte ptr [ebx+2Ah], 20h
		jmp	loc_889A12
; 

loc_928850:				; CODE XREF: ObCreateObjectTypeEx+3BCj
		mov	esi, edi
		jmp	loc_889ACB
; 

loc_928857:				; CODE XREF: ObCreateObjectTypeEx+3E6j
		mov	byte ptr [esp+128h+var_F8], 0FFh
		jmp	loc_889AFD
; END OF FUNCTION CHUNK	FOR ObCreateObjectTypeEx
; 
; START	OF FUNCTION CHUNK FOR ObpCreateDefaultObjectTypeSD

loc_928861:				; CODE XREF: ObpCreateDefaultObjectTypeSD+4Dj
		mov	esi, 0C000009Ah
		jmp	loc_889DBD
; END OF FUNCTION CHUNK	FOR ObpCreateDefaultObjectTypeSD
; 
; START	OF FUNCTION CHUNK FOR ObInitializeProcessor

loc_92886B:				; CODE XREF: ObInitializeProcessor+48j
		mov	esi, offset _ObpCreateInfoLookasideList
		jmp	loc_889ECB
; END OF FUNCTION CHUNK	FOR ObInitializeProcessor
; 
; START	OF FUNCTION CHUNK FOR IoInitializeProcessor

loc_928875:				; CODE XREF: IoInitializeProcessor+25j
		lea	ecx, [ebp+var_24]
		call	_IopQueryProcessorInitValues@4 ; IopQueryProcessorInitValues(x)
		lea	edi, [ebp+var_24]
		jmp	loc_889F4F
; 

loc_928885:				; CODE XREF: IoInitializeProcessor+4Cj
		mov	eax, [edi+1Ch]
		jmp	loc_889F7B
; END OF FUNCTION CHUNK	FOR IoInitializeProcessor
; 
; START	OF FUNCTION CHUNK FOR PsRegisterSiloMonitor

loc_92888D:				; CODE XREF: PsRegisterSiloMonitor+2Dj
		cmp	[esi+10h], ecx
		jnz	loc_88A135

loc_928896:				; CODE XREF: PsRegisterSiloMonitor+Ej
					; PsRegisterSiloMonitor+19j ...
		mov	eax, 0C000000Dh
		jmp	loc_88A1C0
; 

loc_9288A0:				; CODE XREF: PsRegisterSiloMonitor+40j
		mov	eax, 0C0000061h
		jmp	loc_88A1C0
; 

loc_9288AA:				; CODE XREF: PsRegisterSiloMonitor+B1j
		push	4D6C6953h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	loc_88A1C0
; END OF FUNCTION CHUNK	FOR PsRegisterSiloMonitor
; 
; START	OF FUNCTION CHUNK FOR PspStorageAllocSlot

loc_9288BC:				; CODE XREF: PspStorageAllocSlot+2Ej
		push	edi
		push	1
		push	offset _PspStorageExpansionBitmap
		call	RtlFindClearBitsAndSet
		mov	esi, eax
		cmp	esi, ebx
		jz	short loc_9288D7
		add	esi, 20h
		jmp	loc_88A202
; 

loc_9288D7:				; CODE XREF: PspStorageAllocSlot+9E6FFj
		mov	edi, 0C000009Ah
		jmp	loc_88A202
; 

loc_9288E1:				; CODE XREF: PspStorageAllocSlot+40j
		test	bl, 4
		jnz	loc_88A214
		mov	ecx, eax
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	eax, offset _PspStorageBitmapLock
		jmp	loc_88A214
; END OF FUNCTION CHUNK	FOR PspStorageAllocSlot
; 
; START	OF FUNCTION CHUNK FOR WheapInitializeErrorSource

loc_9288FB:				; CODE XREF: WheapInitializeErrorSource+11j
		mov	edi, 0C000000Dh
		jmp	loc_88A2FF
; END OF FUNCTION CHUNK	FOR WheapInitializeErrorSource
; 
; START	OF FUNCTION CHUNK FOR EtwInitialize

loc_928905:				; CODE XREF: EtwInitialize+96j
					; EtwInitialize+A4j
		lea	eax, [ebx+25Ch]
		lock bts dword ptr [eax], 8
		jb	loc_88A36E
		lea	ecx, [ebx+1B0h]
		call	_EtwpInsertQueueDpc@4 ;	EtwpInsertQueueDpc(x)
		jmp	loc_88A36E
; END OF FUNCTION CHUNK	FOR EtwInitialize
; 
; START	OF FUNCTION CHUNK FOR EtwpCCSwapInitializeProcessor

loc_928926:				; CODE XREF: EtwpCCSwapInitializeProcessor+13j
		cmp	dword ptr [edi], 0
		jnz	loc_88A445
		push	77734343h
		push	400h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jnz	loc_88A445
		mov	eax, 0C0000017h
		jmp	loc_88A452
; END OF FUNCTION CHUNK	FOR EtwpCCSwapInitializeProcessor
; 
; START	OF FUNCTION CHUNK FOR PiPnpRtlInit

loc_928957:				; CODE XREF: PiPnpRtlInit+75j
		mov	eax, _PiPnpRtlCtx
		mov	ecx, ebx
		test	eax, eax
		jz	short loc_928965
		mov	ecx, [eax+74h]

loc_928965:				; CODE XREF: PiPnpRtlInit+9E49Cj
		lea	eax, [ebp+var_4]
		mov	esi, offset ??_C@_1BA@LMMHLKFA@?$AAD?$AAE?$AAV?$AAI?$AAC?$AAE?$AAS@NNGAKEGL@
		push	eax
		push	2000000h
		push	ebx
		push	esi
		mov	edx, 80000002h
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_88A53F
		push	ecx
		push	ecx
		push	[ebp+var_4]
		mov	edx, esi
		push	ecx
		push	2
		call	__PnpCtxRegisterMachineNode@28 ; _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_88A4E6
		jmp	loc_88A53F
; END OF FUNCTION CHUNK	FOR PiPnpRtlInit
; 
; START	OF FUNCTION CHUNK FOR PiDrvDbSetupNodes

loc_9289AD:				; CODE XREF: PiDrvDbSetupNodes+5Ej
		cmp	[ebp+var_4], 7
		jnz	loc_88A750
		cmp	[ebp+var_8], 4
		jz	loc_88A756
		jmp	loc_88A750
; 

loc_9289C6:				; CODE XREF: PiDrvDbSetupNodes+B3j
					; PiDrvDbSetupNodes+EFj
		and	dword ptr [esi+118h], 0
		or	dword ptr [esi+20h], 20h
		jmp	loc_88A7A5
; 

loc_9289D6:				; CODE XREF: PiDrvDbSetupNodes+BDj
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_PiDrvDbSetupNodeHive@8	; PiDrvDbSetupNodeHive(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9289F7
		cmp	dword ptr [esi+118h], 0
		jl	short loc_9289F5
		mov	[esi+118h], edi

loc_9289F5:				; CODE XREF: PiDrvDbSetupNodes+9E301j
		xor	edi, edi

loc_9289F7:				; CODE XREF: PiDrvDbSetupNodes+9E2F8j
		cmp	ebx, 2
		jnz	loc_88A7AF
		mov	edx, [esi+0Ch]
		lea	eax, [esi+118h]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	4
		push	eax
		push	18h
		push	offset _DEVPKEY_DriverDatabase_SetupStatus
		push	0
		push	dword ptr [esi+24h]
		push	7
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		and	dword ptr [esi+20h], 0FFFFFFDFh
		jmp	loc_88A7AF
; END OF FUNCTION CHUNK	FOR PiDrvDbSetupNodes
; 
; START	OF FUNCTION CHUNK FOR DrvDbSuspendDatabase

loc_928A30:				; CODE XREF: DrvDbSuspendDatabase+19j
					; DrvDbSuspendDatabase+2Ej
		lea	edx, [ebx+0Ch]
		mov	eax, [edx]
		cmp	eax, edx
		jz	loc_88A874
		mov	bl, [ebp+arg_0]

loc_928A40:				; CODE XREF: DrvDbSuspendDatabase+9E236j
		mov	ecx, [eax+1Ch]
		test	bl, bl
		jz	short loc_928A4C
		or	ecx, 4
		jmp	short loc_928A4F
; 

loc_928A4C:				; CODE XREF: DrvDbSuspendDatabase+9E225j
		and	ecx, 0FFFFFFFBh

loc_928A4F:				; CODE XREF: DrvDbSuspendDatabase+9E22Aj
		mov	[eax+1Ch], ecx
		mov	eax, [eax]
		cmp	eax, edx
		jnz	short loc_928A40
		jmp	loc_88A874
; END OF FUNCTION CHUNK	FOR DrvDbSuspendDatabase
; 
; START	OF FUNCTION CHUNK FOR PiDrvDbRegisterNode

loc_928A5D:				; CODE XREF: PiDrvDbRegisterNode+88j
		mov	edi, 0C000009Ah
		jmp	loc_88A964
; 

loc_928A67:				; CODE XREF: PiDrvDbRegisterNode+D6j
		mov	edx, [esi+0Ch]
		lea	ebx, [esi+18h]
		movzx	eax, word ptr [ebx]
		mov	ecx, _PiPnpRtlCtx
		add	eax, 2
		push	0
		push	eax
		push	dword ptr [esi+1Ch]
		push	12h
		push	offset _DEVPKEY_DriverDatabase_FilePath
		push	0
		push	dword ptr [esi+24h]
		push	7
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_88A964
		mov	eax, [esi+1Ch]
		mov	[esp+38h+var_14], eax
		lea	eax, [esp+38h+var_8]
		push	offset ??_C@_1CE@FCOONEBJ@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA3?$AA2?$AA?2?$AAc?$AAo?$AAn?$AAf?$AAi@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	eax, [esp+3Ch+var_8]
		push	eax
		push	ebx
		call	RtlFindUnicodeSubstring
		mov	ecx, eax
		push	2
		test	ecx, ecx
		jz	short loc_928AD0
		sub	ecx, [esi+1Ch]
		and	ecx, 0FFFFFFFEh
		pop	ebx
		jmp	short loc_928B26
; 

loc_928AD0:				; CODE XREF: PiDrvDbRegisterNode+9E23Fj
		movzx	eax, word ptr [ebx]
		mov	edi, 0FFFEh
		mov	edx, [esp+3Ch+var_14]
		mov	cx, ax
		pop	ebx
		mov	word ptr [esp+38h+var_18], cx
		cmp	ax, bx
		jbe	short loc_928B0A
		push	5Ch
		pop	esi

loc_928AED:				; CODE XREF: PiDrvDbRegisterNode+9E27Ej
		movzx	eax, cx
		shr	eax, 1
		cmp	[edx+eax*2-2], si
		jz	short loc_928B06
		add	cx, di
		mov	word ptr [esp+38h+var_18], cx
		cmp	cx, bx
		ja	short loc_928AED

loc_928B06:				; CODE XREF: PiDrvDbRegisterNode+9E271j
		mov	esi, [esp+38h+var_24]

loc_928B0A:				; CODE XREF: PiDrvDbRegisterNode+9E262j
		cmp	cx, bx
		jbe	short loc_928B2B
		movzx	eax, cx
		shr	eax, 1
		push	5Ch
		pop	edi
		cmp	[edx+eax*2-2], di
		mov	edi, 0FFFEh
		jnz	short loc_928B2B
		add	cx, di

loc_928B26:				; CODE XREF: PiDrvDbRegisterNode+9E248j
		mov	word ptr [esp+38h+var_18], cx

loc_928B2B:				; CODE XREF: PiDrvDbRegisterNode+9E287j
					; PiDrvDbRegisterNode+9E29Bj
		mov	word ptr [esp+38h+var_18+2], cx
		lea	edx, [esp+38h+var_10]
		lea	ecx, [esp+38h+var_18]
		call	_PiDrvDbQuerySystemPathWin32@8 ; PiDrvDbQuerySystemPathWin32(x,x)
		test	eax, eax
		jns	short loc_928B48
		xor	edi, edi
		jmp	loc_88A962
; 

loc_928B48:				; CODE XREF: PiDrvDbRegisterNode+9E2B9j
		movzx	eax, word ptr [esp+38h+var_10]
		mov	edx, [esi+0Ch]
		add	eax, ebx
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		push	[esp+40h+var_C]
		push	12h
		push	offset _DEVPKEY_DriverDatabase_SystemPath
		push	0
		push	dword ptr [esi+24h]
		push	7
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_88A964
		jmp	loc_88A962
; 

loc_928B81:				; CODE XREF: PiDrvDbRegisterNode+FAj
		cmp	[esp+38h+var_25], 0
		jz	short loc_928B91
		mov	edx, [esp+38h+var_1C]
		call	_DrvDbUnregisterDatabase@8 ; DrvDbUnregisterDatabase(x,x)

loc_928B91:				; CODE XREF: PiDrvDbRegisterNode+9E300j
		mov	ecx, esi
		call	_PiDrvDbDestroyNode@4 ;	PiDrvDbDestroyNode(x)
		jmp	loc_88A986
; END OF FUNCTION CHUNK	FOR PiDrvDbRegisterNode
; 
; START	OF FUNCTION CHUNK FOR PiDrvDbCreateNode

loc_928B9D:				; CODE XREF: PiDrvDbCreateNode+39j
		mov	ebx, 0C000009Ah
		jmp	loc_88AB7D
; 

loc_928BA7:				; CODE XREF: PiDrvDbCreateNode+6Aj
		push	[ebp+arg_0]	; void *
		push	edi		; int
		call	RtlCreateUnicodeString
		test	al, al
		jnz	loc_88AA53

loc_928BB8:				; CODE XREF: PiDrvDbCreateNode+5Ej
					; PiDrvDbCreateNode+8Fj ...
		mov	ebx, 0C000009Ah
		jmp	loc_88AB79
; 

loc_928BC2:				; CODE XREF: PiDrvDbCreateNode+C4j
		push	[ebp+arg_4]	; void *
		push	edi		; int
		call	RtlCreateUnicodeString
		test	al, al
		jnz	loc_88AAAD
		jmp	short loc_928BB8
; 

loc_928BD5:				; CODE XREF: PiDrvDbCreateNode+1B1j
		mov	eax, [esi+14h]
		lea	ecx, [ebp+var_C]
		push	ecx
		push	2000000h
		push	edi
		push	eax
		xor	edx, edx
		xor	ecx, ecx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_88AB79
		mov	edx, [ebp+var_C]
		lea	eax, [esi+24h]
		push	eax
		push	2000000h
		push	edi
		push	offset ??_C@_1BO@JJFLMBDN@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAa?$AAb?$AAa?$AAs?$AAe@NNGAKEGL@ ; "DriverDatabase"
		xor	ecx, ecx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		push	[ebp+var_C]
		mov	ebx, eax
		call	_ZwClose@4	; ZwClose(x)
		test	ebx, ebx
		js	loc_88AB79
		jmp	loc_88AB4D
; END OF FUNCTION CHUNK	FOR PiDrvDbCreateNode
; 
; START	OF FUNCTION CHUNK FOR PiDrvDbLoadNodeWorkerCallback

loc_928C26:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+140j
		cmp	[esp+20h+var_14], 7
		jnz	loc_845B8E
		cmp	[esp+20h+var_10], 4
		jnz	loc_845B8E
		mov	eax, [esp+20h+var_C]
		jmp	loc_845B97
; 

loc_928C45:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+1A8j
		cmp	[esp+20h+var_14], 7
		jnz	loc_845BF6
		cmp	[esp+20h+var_10], 4
		jz	loc_845BFC
		jmp	loc_845BF6
; 

loc_928C60:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+1FBj
					; PiDrvDbLoadNodeWorkerCallback+206j
		mov	edx, [edi+0Ch]
		mov	ecx, edi
		call	_PiDrvDbSetupNodeHive@8	; PiDrvDbSetupNodeHive(x,x)
		mov	edx, [edi+0Ch]
		push	ebx
		push	4
		push	esi
		push	18h
		push	offset _DEVPKEY_DriverDatabase_SetupStatus
		push	ebx
		push	dword ptr [edi+24h]
		mov	[esi], eax
		mov	ecx, _PiPnpRtlCtx
		push	7
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		jmp	loc_845AF4
; 

loc_928C90:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+80j
		mov	byte ptr [edi+28h], 1
		jmp	loc_845AF2
; 

loc_928C99:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+D7j
		test	esi, esi
		jns	short loc_928C9F
		mov	esi, ebx

loc_928C9F:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+E3253j
		push	ebx
		push	dword ptr [edi+100h]
		call	_ZwSetEvent@8	; ZwSetEvent(x,x)
		jmp	short loc_928CC1
; 

loc_928CAD:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+5Dj
		cmp	esi, 0C0000034h
		jz	short loc_928CBD
		cmp	esi, 0C000003Ah
		jnz	short loc_928CC1

loc_928CBD:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+E326Bj
		mov	byte ptr [edi+28h], 1

loc_928CC1:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+E3263j
					; PiDrvDbLoadNodeWorkerCallback+E3273j
		cmp	esi, 0C0000189h
		jnz	loc_845B27
		mov	esi, 0C00002EBh
		jmp	loc_845B27
; 

loc_928CD7:				; CODE XREF: PiDrvDbLoadNodeWorkerCallback+103j
		push	esi
		mov	edx, edi
		mov	ecx, offset _KMPnPEvt_DriverDatabaseLoaded_Stop
		call	_PnpDiagnosticTraceObjectWithStatus@12 ; PnpDiagnosticTraceObjectWithStatus(x,x,x)
		jmp	loc_845B51
; END OF FUNCTION CHUNK	FOR PiDrvDbLoadNodeWorkerCallback
; 
; START	OF FUNCTION CHUNK FOR PiDrvDbUnloadHive

loc_928CE9:				; CODE XREF: PiDrvDbUnloadHive+26j
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_ZwUnloadKey2@8	; ZwUnloadKey2(x,x)
		leave
		retn
; END OF FUNCTION CHUNK	FOR PiDrvDbUnloadHive

;  S U B	R O U T	I N E 


sub_928CF5	proc near		; CODE XREF: PiDrvDbLoadHive+72j
		push	ebx
		lea	eax, [ebp-18h]
		push	eax
		call	_ZwUnloadKey2@8	; ZwUnloadKey2(x,x)
		jmp	loc_845DA2
sub_928CF5	endp

; 
; START	OF FUNCTION CHUNK FOR PiDcInitUpdateProperties

loc_928D04:				; CODE XREF: PiDcInitUpdateProperties+4Dj
		mov	esi, 0C000009Ah
		jmp	loc_88ADE0
; 

loc_928D0E:				; CODE XREF: PiDcInitUpdateProperties+1C7j
					; PiDcInitUpdateProperties+1D1j
		and	[ebp+var_8], 0
		jmp	loc_88AD78
; 

loc_928D17:				; CODE XREF: PiDcInitUpdateProperties+1F4j
		mov	esi, 0C000009Ah
		jmp	loc_88ADAA
; 

loc_928D21:				; CODE XREF: PiDcInitUpdateProperties+25Aj
		push	[ebp+var_34]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_88ADF8
; END OF FUNCTION CHUNK	FOR PiDcInitUpdateProperties
; 
; START	OF FUNCTION CHUNK FOR PpBootDDBHelper

loc_928D2E:				; CODE XREF: PpBootDDBHelper+3Dj
		mov	eax, ds:_PiLoggedErrorEventsMask
		test	al, 2
		jnz	short loc_928D66
		or	eax, 2
		xor	esi, esi
		mov	ds:_PiLoggedErrorEventsMask, eax
		lea	eax, [ebp+var_8]
		push	offset ??_C@_1BM@NIOJMEIL@?$AAO?$AAU?$AAT?$AA?5?$AAO?$AAF?$AA?5?$AAM?$AAE?$AAM?$AAO?$AAR?$AAY@NNGAKEGL@
		push	eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi		; size_t
		push	esi		; void *
		push	0C000036Dh	; int
		xor	edx, edx
		lea	ecx, [ebp+var_8]
		call	_PnpLogEvent@20	; PnpLogEvent(x,x,x,x,x)

loc_928D66:				; CODE XREF: PpBootDDBHelper+9DF1Dj
		mov	eax, 0C000009Ah
		jmp	loc_88AE84
; 

loc_928D70:				; CODE XREF: PpBootDDBHelper+5Dj
		xor	ebx, ebx
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, ds:_PiLoggedErrorEventsMask
		test	al, 4
		jnz	short loc_928DC2
		or	eax, 4
		mov	[ebp+var_8], ebx
		mov	ds:_PiLoggedErrorEventsMask, eax
		lea	eax, [ebp+var_8]
		push	offset ??_C@_1CK@LCFHMPII@?$AAI?$AAN?$AAI?$AAT?$AA?5?$AAD?$AAA?$AAT?$AAA?$AAB?$AAA?$AAS?$AAE?$AA?5?$AAF@NNGAKEGL@
		push	eax
		mov	[ebp+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx		; size_t
		push	ebx		; void *
		push	0C000036Dh	; int
		xor	edx, edx
		lea	ecx, [ebp+var_8]
		call	_PnpLogEvent@20	; PnpLogEvent(x,x,x,x,x)
		jmp	short loc_928DC2
; 

loc_928DB1:				; CODE XREF: PpBootDDBHelper+1Ej
					; PpBootDDBHelper+26j
		mov	eax, ds:_PiLoggedErrorEventsMask
		test	al, 1
		jnz	short loc_928DC2
		or	eax, 1
		mov	ds:_PiLoggedErrorEventsMask, eax

loc_928DC2:				; CODE XREF: PpBootDDBHelper+9DF68j
					; PpBootDDBHelper+9DF97j ...
		mov	eax, 0C0000001h
		jmp	loc_88AE84
; END OF FUNCTION CHUNK	FOR PpBootDDBHelper
; 
; START	OF FUNCTION CHUNK FOR PiUEventBroadcastEventWorker

loc_928DCC:				; CODE XREF: PiUEventBroadcastEventWorker+34j
		sub	eax, 1
		jz	short loc_928E03
		sub	eax, 1
		jz	short loc_928DF3
		sub	eax, 1
		jnz	loc_88AECE
		mov	ecx, [esi+10h]
		lea	eax, [esi+24h]
		push	eax
		lea	edx, [esi+14h]
		call	_PiUEventBroadcastPortsChangedEvent@12 ; PiUEventBroadcastPortsChangedEvent(x,x,x)
		jmp	loc_88AECE
; 

loc_928DF3:				; CODE XREF: PiUEventBroadcastEventWorker+9DF48j
		mov	ecx, [esi+10h]
		lea	edx, [esi+14h]
		call	_PiUEventBroadcastHardwareProfilesChangedEvent@8 ; PiUEventBroadcastHardwareProfilesChangedEvent(x,x)
		jmp	loc_88AECE
; 

loc_928E03:				; CODE XREF: PiUEventBroadcastEventWorker+9DF43j
		mov	ecx, [esi+10h]
		call	_PiUEventBroadcastVolumesChangedEvent@4	; PiUEventBroadcastVolumesChangedEvent(x)
		jmp	loc_88AECE
; END OF FUNCTION CHUNK	FOR PiUEventBroadcastEventWorker
; 
; START	OF FUNCTION CHUNK FOR IoCreateDriver

loc_928E10:				; CODE XREF: IoCreateDriver+41j
		xor	eax, eax
		inc	eax
		lock xadd _IopUniqueDriverObjectNumber,	eax
		inc	eax
		push	eax		; char
		push	offset ??_C@_1BK@DCDPNLIM@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AA?$CF?$AA0?$AA8?$AAu@NNGAKEGL@ ;	wchar_t	*
		lea	eax, [esp+0D0h+var_80]
		push	3Ch		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		lea	eax, [esp+0C8h+var_AC]
		lea	ecx, [esp+0C8h+var_80]
		push	eax
		push	3Ch
		pop	edx
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		test	eax, eax
		js	loc_88B1C0
		mov	eax, [esp+0C8h+var_AC]
		cmp	eax, 0FFFFh
		jbe	short loc_928E5F
		mov	eax, 80000005h
		jmp	loc_88B1C0
; 

loc_928E5F:				; CODE XREF: IoCreateDriver+9DED1j
		add	eax, eax
		mov	word ptr [esp+0C8h+var_BC], ax
		add	eax, 2
		mov	word ptr [esp+0C8h+var_BC+2], ax
		lea	eax, [esp+0C8h+var_80]
		jmp	loc_88AFD2
; 

loc_928E77:				; CODE XREF: IoCreateDriver+1DCj
		call	_ZwMakeTemporaryObject@4 ; ZwMakeTemporaryObject(x)
		push	[esp+0C8h+var_B4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_88B1BE
; 

loc_928E8A:				; CODE XREF: IoCreateDriver+14Ej
		mov	esi, [esp+0C8h+var_B0]
		mov	edi, 0C000009Ah

loc_928E93:				; CODE XREF: IoCreateDriver+22Dj
		push	esi
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	loc_88B1BE
; END OF FUNCTION CHUNK	FOR IoCreateDriver
; 
; START	OF FUNCTION CHUNK FOR VRegSetup

loc_928EA5:				; CODE XREF: VRegSetup+74j
		push	edi
		push	ebx
		jmp	short loc_928EAC
; 

loc_928EA9:				; CODE XREF: VRegSetup+159j
		push	edi
		push	6

loc_928EAC:				; CODE XREF: VRegSetup+16Bj
					; VRegSetup+173j ...
		push	eax
		push	1Eh
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_928EB6:				; CODE XREF: VRegSetup+9Aj
		push	edi
		push	2
		jmp	short loc_928EAC
; END OF FUNCTION CHUNK	FOR VRegSetup
; 
; START	OF FUNCTION CHUNK FOR IoWMIRegistrationControl

loc_928EBB:				; CODE XREF: IoWMIRegistrationControl+18j
		mov	eax, 0C0000001h
		jmp	loc_88B5FD
; 

loc_928EC5:				; CODE XREF: IoWMIRegistrationControl+96j
		sub	ecx, 1
		jnz	short loc_928EFF
		mov	ecx, [ebp+arg_0]
		call	WmipFindRegEntryByDevice
		mov	esi, eax
		test	esi, esi
		jz	short loc_928EFF
		call	_WmipEnterSMCritSection@0 ; WmipEnterSMCritSection()
		mov	ecx, 20000000h
		lea	eax, [esi+18h]
		lock or	[eax], ecx
		push	ebx
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	ecx, esi
		call	WmipUnreferenceRegEntry
		jmp	loc_88B5FB
; 

loc_928EFF:				; CODE XREF: IoWMIRegistrationControl+9D912j
					; IoWMIRegistrationControl+9D920j
		mov	ebx, 0C000000Dh
		jmp	loc_88B5FB
; 

loc_928F09:				; CODE XREF: IoWMIRegistrationControl+8Dj
		mov	ecx, [ebp+arg_0]
		call	_WmipDeregisterDevice@4	; WmipDeregisterDevice(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_88B5FB
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	WmipRegisterDevice
		jmp	loc_88B65A
; 

loc_928F2A:				; CODE XREF: IoWMIRegistrationControl+84j
		mov	ecx, [ebp+arg_0]
		call	_WmipDeregisterDevice@4	; WmipDeregisterDevice(x)
		jmp	loc_88B65A
; END OF FUNCTION CHUNK	FOR IoWMIRegistrationControl

;  S U B	R O U T	I N E 


sub_928F37	proc near		; CODE XREF: WmipRegisterDevice+94j
		push	ebx
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	edi, 0C000009Ah
		jmp	loc_88B722
sub_928F37	endp


;  S U B	R O U T	I N E 


sub_928F4C	proc near		; CODE XREF: WmipRegisterDevice+80j
		push	ebx
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	esi, [ebp-8]
		jmp	loc_88B722
sub_928F4C	endp

; 
; START	OF FUNCTION CHUNK FOR WmipUpdateDataSource

loc_928F5F:				; CODE XREF: WmipUpdateDataSource+18j
		mov	eax, 0C0000034h
		jmp	loc_88B9F2
; 

loc_928F69:				; CODE XREF: WmipUpdateDataSource+E8j
		mov	edx, edi
		mov	ecx, offset _WmipISChunkInfo
		call	WmipUnreferenceEntry
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], edi
		push	eax
		lea	eax, [ebp+var_28]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_1C]
		jmp	short loc_928FA2
; 

loc_928F87:				; CODE XREF: WmipUpdateDataSource+72j
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_24]
		jmp	short loc_928F9F
; 

loc_928F94:				; CODE XREF: WmipUpdateDataSource+7Bj
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_20]

loc_928F9F:				; CODE XREF: WmipUpdateDataSource+9D674j
		mov	edx, [ebp+var_4]

loc_928FA2:				; CODE XREF: WmipUpdateDataSource+9D667j
		push	eax
		mov	ecx, esi
		call	_WmipCachePtrs@20 ; WmipCachePtrs(x,x,x,x,x)
		jmp	loc_88B99F
; 

loc_928FAF:				; CODE XREF: WmipUpdateDataSource+B6j
		xor	eax, eax
		mov	[ebp+arg_0], eax
		test	ebx, ebx
		jz	loc_92906E

loc_928FBC:				; CODE XREF: WmipUpdateDataSource+9D746j
		mov	eax, [esi+eax*8]
		push	10h		; size_t
		push	offset _WmipBinaryMofGuid ; void *
		push	eax		; void *
		mov	[ebp+var_30], eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_928FEF
		mov	ecx, [ebp+arg_0]
		mov	edx, offset _GUID_MOF_RESOURCE_REMOVED_NOTIFICATION
		mov	ecx, [esi+ecx*8+4]
		call	_WmipGenerateBinaryMofNotification@8 ; WmipGenerateBinaryMofNotification(x,x)
		mov	eax, [ebp+arg_0]
		mov	ecx, [esi+eax*8]
		jmp	short loc_928FF5
; 

loc_928FEF:				; CODE XREF: WmipUpdateDataSource+9D6B6j
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_30]

loc_928FF5:				; CODE XREF: WmipUpdateDataSource+9D6CFj
		mov	esi, [esi+eax*8+4]
		mov	edx, esi
		call	_WmipDisableCollectionForRemovedGuid@8 ; WmipDisableCollectionForRemovedGuid(x,x)
		call	_WmipEnterSMCritSection@0 ; WmipEnterSMCritSection()
		cmp	dword ptr [esi], 0
		jz	short loc_929011
		mov	ecx, esi
		call	_WmipUnlinkInstanceSetFromGuidEntry@4 ;	WmipUnlinkInstanceSetFromGuidEntry(x)

loc_929011:				; CODE XREF: WmipUpdateDataSource+9D6EAj
		test	byte ptr [esi+8], 8
		jnz	short loc_929024
		mov	edx, [esi+1Ch]
		mov	ecx, offset _WmipGEChunkInfo
		call	WmipUnreferenceEntry

loc_929024:				; CODE XREF: WmipUpdateDataSource+9D6F7j
		and	dword ptr [esi+1Ch], 0
		lea	eax, [esi+14h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_929069
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_929069
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	edx, esi
		mov	ecx, offset _WmipISChunkInfo
		call	WmipUnreferenceEntry
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, [ebp+arg_0]
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, ebx
		jnb	short loc_92906E
		mov	esi, [ebp+var_8]
		jmp	loc_928FBC
; 

loc_929069:				; CODE XREF: WmipUpdateDataSource+9D712j
					; WmipUpdateDataSource+9D719j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_92906E:				; CODE XREF: WmipUpdateDataSource+9D698j
					; WmipUpdateDataSource+9D741j
		mov	esi, [ebp+var_8]
		mov	edx, ebx
		push	esi
		push	2
		pop	ecx
		call	_WmipSendGuidUpdateNotifications@12 ; WmipSendGuidUpdateNotifications(x,x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88B9DA
; 

loc_929089:				; CODE XREF: WmipUpdateDataSource+C1j
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_9290BE
		mov	edi, [ebp+var_10]

loc_929092:				; CODE XREF: WmipUpdateDataSource+9D79Bj
		push	10h		; size_t
		push	offset _WmipBinaryMofGuid ; void *
		push	dword ptr [edi+esi*8] ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9290B6
		mov	ecx, [edi+esi*8+4]
		mov	edx, offset _GUID_MOF_RESOURCE_ADDED_NOTIFICATION
		call	_WmipGenerateBinaryMofNotification@8 ; WmipGenerateBinaryMofNotification(x,x)

loc_9290B6:				; CODE XREF: WmipUpdateDataSource+9D788j
		inc	esi
		cmp	esi, ebx
		jb	short loc_929092
		mov	edi, [ebp+var_C]

loc_9290BE:				; CODE XREF: WmipUpdateDataSource+9D76Fj
		mov	esi, [ebp+var_10]
		mov	edx, ebx
		push	esi
		push	4
		pop	ecx
		call	_WmipSendGuidUpdateNotifications@12 ; WmipSendGuidUpdateNotifications(x,x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88B9E5
; 

loc_9290D9:				; CODE XREF: WmipUpdateDataSource+CCj
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_92911D

loc_9290DF:				; CODE XREF: WmipUpdateDataSource+9D7FDj
		mov	eax, [edi+esi*8]
		push	10h		; size_t
		push	offset _WmipBinaryMofGuid ; void *
		push	eax		; void *
		mov	[ebp+arg_0], eax
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_92910C
		mov	ecx, [edi+esi*8+4]
		mov	edx, offset _GUID_MOF_RESOURCE_ADDED_NOTIFICATION
		call	_WmipGenerateBinaryMofNotification@8 ; WmipGenerateBinaryMofNotification(x,x)
		mov	ecx, [edi+esi*8]
		jmp	short loc_92910F
; 

loc_92910C:				; CODE XREF: WmipUpdateDataSource+9D7D9j
		mov	ecx, [ebp+arg_0]

loc_92910F:				; CODE XREF: WmipUpdateDataSource+9D7ECj
		mov	edx, [edi+esi*8+4]
		call	WmipEnableCollectionForNewGuid
		inc	esi
		cmp	esi, ebx
		jb	short loc_9290DF

loc_92911D:				; CODE XREF: WmipUpdateDataSource+9D7BFj
		xor	ecx, ecx
		mov	edx, ebx
		push	edi
		inc	ecx
		call	_WmipSendGuidUpdateNotifications@12 ; WmipSendGuidUpdateNotifications(x,x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88B9F0
; END OF FUNCTION CHUNK	FOR WmipUpdateDataSource
; 
; START	OF FUNCTION CHUNK FOR WmipUpdateModifyGuid

loc_929135:				; CODE XREF: WmipUpdateModifyGuid+38j
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_WmipUpdateAddGuid@20 ;	WmipUpdateAddGuid(x,x,x,x,x)
		mov	esi, eax
		jmp	loc_88BAA2
; 

loc_92914F:				; CODE XREF: WmipUpdateModifyGuid+75j
		push	0Dh
		pop	ecx
		mov	esi, ebx
		lea	edi, [ebp+var_40]
		rep movsd
		xor	esi, esi
		mov	[ebx+30h], esi
		mov	ecx, [ebx]
		cmp	[ecx+4], ebx
		jnz	loc_9291EA
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	short loc_9291EA
		mov	edx, [ebp+arg_0]
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	dword ptr [eax+1Ch]
		push	ebx
		push	[ebp+arg_4]
		call	WmipBuildInstanceSet
		mov	edx, eax
		mov	[ebp+arg_4], edx
		test	edx, edx
		jns	short loc_9291B0
		mov	edx, [ebx+30h]
		test	edx, edx
		jz	short loc_9291A1
		push	esi
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9291A1:				; CODE XREF: WmipUpdateModifyGuid+9D78Cj
		mov	edx, [ebp+arg_4]
		lea	esi, [ebp+var_40]
		push	0Dh
		pop	ecx
		mov	edi, ebx
		rep movsd
		xor	esi, esi

loc_9291B0:				; CODE XREF: WmipUpdateModifyGuid+9D785j
		mov	eax, [ebx+1Ch]
		add	eax, 20h
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_9291EA
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[ecx+4], ebx
		mov	[eax], ebx
		test	edx, edx
		js	short loc_9291E2
		cmp	[ebp+var_10], 0
		jz	short loc_9291DA
		push	esi
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9291DA:				; CODE XREF: WmipUpdateModifyGuid+9D7C3j
		mov	eax, [ebp+arg_8]
		push	2
		pop	esi
		mov	[eax], ebx

loc_9291E2:				; CODE XREF: WmipUpdateModifyGuid+9D7BDj
		mov	edi, [ebp+var_C]
		jmp	loc_88BA87
; 

loc_9291EA:				; CODE XREF: WmipUpdateModifyGuid+9D757j
					; WmipUpdateModifyGuid+9D762j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9291EF:				; CODE XREF: WmipIsEqualInstanceSets+1Bj
		test	bl, 2
		jz	loc_88BB05
		mov	esi, [ecx+24h]
		cmp	esi, [edx+24h]
		jnz	loc_88BB13
		xor	edi, edi
		test	esi, esi
		jz	loc_88BB05
		mov	eax, [edx+30h]
		mov	ecx, [ecx+30h]
		sub	eax, ecx
		mov	[ebp+var_4], eax

loc_929219:				; CODE XREF: WmipUpdateModifyGuid+9D84Ej
		mov	edx, [eax+ecx]
		mov	eax, [ecx]

loc_92921E:				; CODE XREF: WmipUpdateModifyGuid+9D832j
		mov	bx, [eax]
		cmp	bx, [edx]
		jnz	short loc_929244
		test	bx, bx
		jz	short loc_929240
		mov	bx, [eax+2]
		cmp	bx, [edx+2]
		jnz	short loc_929244
		add	eax, 4
		add	edx, 4
		test	bx, bx
		jnz	short loc_92921E

loc_929240:				; CODE XREF: WmipUpdateModifyGuid+9D81Dj
		xor	eax, eax
		jmp	short loc_929249
; 

loc_929244:				; CODE XREF: WmipUpdateModifyGuid+9D818j
					; WmipUpdateModifyGuid+9D827j
		sbb	eax, eax
		or	eax, 1

loc_929249:				; CODE XREF: WmipUpdateModifyGuid+9D836j
		test	eax, eax
		jnz	loc_88BB13
		mov	eax, [ebp+var_4]
		inc	edi
		add	ecx, 4
		cmp	edi, esi
		jb	short loc_929219
		jmp	loc_88BB05
; END OF FUNCTION CHUNK	FOR WmipUpdateModifyGuid
; 
; START	OF FUNCTION CHUNK FOR WmipRegisterOrUpdateDS

loc_929261:				; CODE XREF: WmipRegisterOrUpdateDS+79j
					; WmipRegisterOrUpdateDS+E8j
		mov	eax, [edi]
		push	0
		push	edi
		mov	[esp+30h+var_18], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, 0C0000023h
		jmp	loc_88BB97
; 

loc_929279:				; CODE XREF: WmipRegisterOrUpdateDS+3Bj
		mov	esi, 0C000009Ah
		jmp	loc_88BB97
; END OF FUNCTION CHUNK	FOR WmipRegisterOrUpdateDS
; 
; START	OF FUNCTION CHUNK FOR WmipAddDataSource

loc_929283:				; CODE XREF: WmipAddDataSource+39j
		mov	ebx, 0C000009Ah
		jmp	loc_88BE2E
; 

loc_92928D:				; CODE XREF: WmipAddDataSource+18Aj
		mov	ebx, 0C000009Ah
		jmp	loc_88BE26
; 

loc_929297:				; CODE XREF: WmipAddDataSource+20Bj
		cmp	[ebx+4], esi
		jnz	loc_88BF1D
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	loc_88BF1D
		mov	[esi], eax
		mov	[eax+4], esi
		push	dword ptr [ebx+8]
		call	WmipLegacyEtwWorker

loc_9292B8:				; CODE XREF: WmipAddDataSource+9D5F5j
		lea	ecx, [ebx+14h]
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	short loc_9292E9
		cmp	[eax+4], ecx
		jnz	loc_88BF1D
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_88BF1D
		mov	[ecx], edx
		add	eax, 8
		mov	[edx+4], ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_9292B8
; 

loc_9292E9:				; CODE XREF: WmipAddDataSource+9D5CDj
		push	70696D57h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88BEF9
; 

loc_9292F9:				; CODE XREF: WmipAddDataSource+218j
		cmp	[esi+4], ebx
		jnz	loc_88BF1D
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_88BF1D
		mov	[ebx], eax
		mov	[eax+4], ebx
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esi+10h]
		push	eax
		call	KeWaitForSingleObject
		push	70696D57h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88BF06
; 

loc_929331:				; CODE XREF: WmipAddDataSource+D8j
		mov	edx, offset _GUID_MOF_RESOURCE_ADDED_NOTIFICATION
		mov	ecx, eax
		call	_WmipGenerateBinaryMofNotification@8 ; WmipGenerateBinaryMofNotification(x,x)
		jmp	loc_88BDD0
; 

loc_929342:				; CODE XREF: WmipAddDataSource+136j
		cmp	byte ptr [ebp+var_6+1],	0
		jz	loc_88BE2E
		or	dword ptr [edi+8], 1
		mov	edx, edi
		mov	ecx, offset _WmipDSChunkInfo
		call	WmipUnreferenceEntry
		jmp	loc_88BE2E
; END OF FUNCTION CHUNK	FOR WmipAddDataSource
; 
; START	OF FUNCTION CHUNK FOR WmipBuildInstanceSet

loc_929361:				; CODE XREF: WmipBuildInstanceSet+1E1j
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_20], eax
		jmp	loc_88C069
; 

loc_92936C:				; CODE XREF: WmipBuildInstanceSet+99j
					; WmipBuildInstanceSet+A4j ...
		mov	esi, 0C000000Dh
		jmp	loc_88C041
; 

loc_929376:				; CODE XREF: WmipBuildInstanceSet+CEj
					; WmipBuildInstanceSet+1FEj ...
		mov	esi, 0C000009Ah
		jmp	loc_88C041
; 

loc_929380:				; CODE XREF: WmipBuildInstanceSet+284j
		xor	eax, eax
		jmp	loc_88C039
; END OF FUNCTION CHUNK	FOR WmipBuildInstanceSet
; 
; START	OF FUNCTION CHUNK FOR WmipGenerateRegistrationNotification

loc_929387:				; CODE XREF: WmipGenerateRegistrationNotification+5Fj
		cmp	eax, 2
		jnz	loc_88C3B0
		mov	edx, esi
		mov	ecx, ebx
		call	_WmipDisableCollectionForRemovedGuid@8 ; WmipDisableCollectionForRemovedGuid(x,x)
		jmp	loc_88C3B0
; END OF FUNCTION CHUNK	FOR WmipGenerateRegistrationNotification
; 
; START	OF FUNCTION CHUNK FOR WmipEnableCollectionForNewGuid

loc_92939E:				; CODE XREF: WmipEnableCollectionForNewGuid+52j
		mov	eax, [esi+8]
		test	eax, 82000h
		jnz	loc_88C440
		or	eax, 2000h
		mov	[esi+8], eax
		xor	esi, esi
		or	dword ptr [ebx+8], 2
		push	esi
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	[ebp+var_34], esi
		lea	eax, [ebp+var_48]
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	esi, edi
		lea	edi, [ebp+var_20]
		push	30h
		pop	ecx
		movsd
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		movsd
		lea	eax, [ebp+var_20]
		push	ecx
		push	eax
		movsd
		movsd
		mov	esi, [ebp+var_40]
		mov	[ebp+var_38], ecx
		mov	cl, 4
		mov	edx, [esi+20h]
		mov	edx, [edx+1Ch]
		call	_WmipSendWmiIrp@24 ; WmipSendWmiIrp(x,x,x,x,x,x)
		xor	edi, edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		cmp	[ebx+38h], edi
		jnz	short loc_929428
		push	2
		mov	dl, 1
		mov	ecx, ebx
		call	WmipDoDisableRequest
		jmp	short loc_92942C
; 

loc_929428:				; CODE XREF: WmipEnableCollectionForNewGuid+9D031j
		and	dword ptr [ebx+8], 0FFFFFFFDh

loc_92942C:				; CODE XREF: WmipEnableCollectionForNewGuid+9D03Ej
		mov	edi, [ebp+var_3C]
		jmp	loc_88C440
; 

loc_929434:				; CODE XREF: WmipEnableCollectionForNewGuid+5Cj
		mov	eax, [esi+8]
		and	eax, 4004h
		cmp	eax, 4
		jnz	loc_88C44A
		or	[ebx+8], eax
		or	dword ptr [esi+8], 4000h
		xor	esi, esi
		push	esi
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	edx, [ebp+var_40]
		lea	eax, [ebp+var_48]
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	edx, [edx+20h]
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	esi, edi
		lea	edi, [ebp+var_20]
		push	30h
		pop	ecx
		movsd
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		movsd
		lea	eax, [ebp+var_20]
		push	ecx
		push	eax
		movsd
		movsd
		mov	[ebp+var_38], ecx
		mov	cl, 6
		mov	edx, [edx+1Ch]
		call	_WmipSendWmiIrp@24 ; WmipSendWmiIrp(x,x,x,x,x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		cmp	dword ptr [ebx+3Ch], 0
		mov	ecx, ebx
		jnz	short loc_9294C3
		push	4
		xor	dl, dl
		call	WmipDoDisableRequest
		jmp	loc_88C44A
; 

loc_9294C3:				; CODE XREF: WmipEnableCollectionForNewGuid+9D0CBj
		and	dword ptr [ebx+8], 0FFFFFFFBh
		call	WmipReleaseCollectionEnabled
		jmp	loc_88C44A
; END OF FUNCTION CHUNK	FOR WmipEnableCollectionForNewGuid
; 
; START	OF FUNCTION CHUNK FOR WmipLinkDataSourceToList

loc_9294D1:				; CODE XREF: WmipLinkDataSourceToList+3Dj
		mov	eax, 0C000009Ah
		jmp	loc_88C69C
; END OF FUNCTION CHUNK	FOR WmipLinkDataSourceToList
; 
; START	OF FUNCTION CHUNK FOR WmipFindISinGEbyName

loc_9294DB:				; CODE XREF: WmipFindISinGEbyName+4Dj
		mov	ecx, [esi+30h]
		add	ecx, 4
		mov	edi, ecx
		lea	edx, [edi+2]

loc_9294E6:				; CODE XREF: WmipFindISinGEbyName+9CCB0j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, word ptr [ebp+var_10]
		jnz	short loc_9294E6
		sub	edi, edx
		sar	edi, 1
		cmp	edi, ebx
		jnb	loc_88C8EE
		push	edi		; size_t
		push	ecx		; wchar_t *
		push	[ebp+var_8]	; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_88C8EE
		mov	eax, [ebp+var_8]
		lea	eax, [eax+edi*2]
		push	eax		; wchar_t *
		mov	[ebp-4], eax
		call	__wtoi
		mov	edi, eax
		mov	eax, [esi+30h]
		pop	ecx
		mov	ecx, [eax]
		mov	[ebp+var_14], ecx
		cmp	edi, ecx
		jb	loc_88C8EE
		mov	eax, [esi+24h]
		add	eax, ecx
		cmp	edi, eax
		jnb	loc_88C8EE
		test	edi, edi
		jnz	short loc_929559
		mov	ecx, [ebp-4]
		call	_WmipIsNumber@4	; WmipIsNumber(x)
		test	al, al
		jz	loc_88C8EE
		mov	ecx, [ebp+var_14]

loc_929559:				; CODE XREF: WmipFindISinGEbyName+9CD04j
		sub	edi, ecx
		mov	ecx, [ebp+arg_0]
		mov	[ecx], edi
		mov	ecx, esi
		call	WmipReferenceEntry
		xor	eax, eax
		push	eax
		jmp	loc_88C8FA
; END OF FUNCTION CHUNK	FOR WmipFindISinGEbyName
; 
; START	OF FUNCTION CHUNK FOR WmipAddMofResource

loc_92956F:				; CODE XREF: WmipAddMofResource+32j
		mov	edi, 0C000009Ah
		jmp	loc_88CA63
; 

loc_929579:				; CODE XREF: WmipAddMofResource+AFj
					; WmipAddMofResource+B7j
		mov	edi, 0C000009Ah
		jmp	loc_88CA57
; END OF FUNCTION CHUNK	FOR WmipAddMofResource
; 
; START	OF FUNCTION CHUNK FOR WmipInsertMofResource

loc_929583:				; CODE XREF: WmipInsertMofResource+34j
		mov	eax, [esi+28h]
		push	4
		pop	ecx
		mov	[ebp+var_C], eax
		mov	eax, ebx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		push	4
		pop	ecx
		lea	eax, [ebx+4]
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_88CAC7
		push	70696D57h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9295D3
		mov	eax, 0C000009Ah
		jmp	loc_88CAC7
; 

loc_9295D3:				; CODE XREF: WmipInsertMofResource+9CB43j
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		push	[ebp+var_8]	; size_t
		push	dword ptr [esi+28h] ; void *
		push	edi		; void *
		call	_memcpy
		lea	eax, [esi+2Ch]
		add	esp, 18h
		cmp	[ebp+var_C], eax
		jz	short loc_9295FF
		push	0
		push	dword ptr [esi+28h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9295FF:				; CODE XREF: WmipInsertMofResource+9CB6Fj
		mov	edx, [ebp+var_10]
		lea	eax, [ebx+4]
		mov	[esi+28h], edi
		mov	[edi+ebx*4], edx
		mov	[esi+24h], eax
		jmp	loc_88CABE
; END OF FUNCTION CHUNK	FOR WmipInsertMofResource
; 
; START	OF FUNCTION CHUNK FOR WmipRegisterEtwProvider

loc_929613:				; CODE XREF: WmipRegisterEtwProvider+5Bj
		push	70696D57h
		push	24h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_88CBD6
		mov	ecx, [ebx+20h]
		or	dword ptr [ebx+8], 200000h
		call	WmipReferenceEntry
		mov	dword ptr [esi+8], 2
		mov	dword ptr [esi+18h], 1
		mov	eax, [ebx+20h]
		mov	[esi+20h], eax
		mov	eax, [edi+58h]
		mov	[esi+10h], eax
		mov	eax, [edi+5Ch]
		mov	[esi+14h], eax
		mov	byte ptr [esi+1Ch], 1
		jmp	loc_88CBBE
; END OF FUNCTION CHUNK	FOR WmipRegisterEtwProvider
; 
; START	OF FUNCTION CHUNK FOR WmipQueueLegacyEtwWork

loc_929663:				; CODE XREF: WmipQueueLegacyEtwWork+18j
		test	byte ptr [esi+8], 10h
		jnz	loc_88CD1E
		push	70696D57h
		push	1Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_88CD1E
		lea	ecx, [eax+0Ch]
		mov	[eax+8], esi
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		lea	ecx, [eax+14h]
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	ecx, [ebx+4]
		cmp	[ecx], ebx
		jnz	loc_88CD62
		mov	[eax], ebx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ebx+4], eax
		or	dword ptr [esi+8], 10h
		mov	[esi+60h], eax
		jmp	loc_88CD1E
; 

loc_9296B7:				; CODE XREF: WmipQueueLegacyEtwWork+26j
		mov	ecx, [eax+10h]
		add	eax, 0Ch
		cmp	[ecx], eax
		jnz	loc_88CD62
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		test	ebx, ebx
		jz	loc_88CD5B
		push	70696D57h
		push	20h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_88CD5B
		push	0
		push	0
		lea	ecx, [esi+10h]
		push	ecx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [ebx+0Ch]
		add	ebx, 8
		cmp	[eax], ebx
		jnz	loc_88CD62
		mov	[esi+4], eax
		mov	[esi], ebx
		mov	[eax], esi
		mov	eax, [ebp+arg_0]
		add	eax, 14h
		mov	[ebx+4], esi
		add	esi, 8
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_88CD62
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		jmp	loc_88CD5B
; END OF FUNCTION CHUNK	FOR WmipQueueLegacyEtwWork
; 
; START	OF FUNCTION CHUNK FOR IoRegisterFileSystem

loc_92973A:				; CODE XREF: IoRegisterFileSystem+7Bj
		lea	edx, [esi+34h]
		cmp	[eax+4], ecx
		jnz	loc_88CEFC
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[eax+4], edx
		mov	[ecx], edx
		jmp	loc_88CE60
; 

loc_929755:				; CODE XREF: IoRegisterFileSystem+8Aj
		mov	edx, eax
		mov	eax, [eax]
		jmp	loc_88CE3B
; END OF FUNCTION CHUNK	FOR IoRegisterFileSystem
; 
; START	OF FUNCTION CHUNK FOR PipDmgInitPhaseTwo

loc_92975E:				; CODE XREF: PipDmgInitPhaseTwo+1Bj
		call	_PipDmgInitReadGroupPolicy@0 ; PipDmgInitReadGroupPolicy()
		test	eax, eax
		jnz	short loc_92976A
		push	2
		pop	eax

loc_92976A:				; CODE XREF: PipDmgInitPhaseTwo+9C863j
		mov	_PipDmaGuardPolicy, eax
		call	_PipDmgReevaluateQueue@0 ; PipDmgReevaluateQueue()
		jmp	loc_88CF23
; 

loc_929779:				; CODE XREF: PipDmgInitPhaseTwo+40j
		mov	eax, _PipDmaGuardPolicy
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	esi
		push	esi
		push	offset loc_41C19C
		push	edi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_88CF48
; END OF FUNCTION CHUNK	FOR PipDmgInitPhaseTwo
; 
; START	OF FUNCTION CHUNK FOR DrvDbOpenContext

loc_9297AC:				; CODE XREF: DrvDbOpenContext+36j
		mov	edi, 0C0000017h
		jmp	loc_88D03A
; 

loc_9297B6:				; CODE XREF: DrvDbOpenContext+87j
		push	0
		push	dword ptr [esi+1Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[esi+1Ch], ebx
		jmp	short loc_9297CA
; 

loc_9297C5:				; CODE XREF: DrvDbOpenContext+77j
		mov	edi, 0C000009Ah

loc_9297CA:				; CODE XREF: DrvDbOpenContext+9C86Bj
		test	edi, edi
		js	loc_88D032
		jmp	loc_88CFE5
; 

loc_9297D7:				; CODE XREF: DrvDbOpenContext+DCj
		test	ebx, ebx
		jz	short loc_9297E4
		mov	edx, ebx
		mov	ecx, esi
		call	_DrvDbDestroyDatabaseNode@8 ; DrvDbDestroyDatabaseNode(x,x)

loc_9297E4:				; CODE XREF: DrvDbOpenContext+9C881j
		mov	ebx, [esi+1Ch]
		test	ebx, ebx
		jz	short loc_9297F9
		push	ebx
		call	ExDeleteResourceLite
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9297F9:				; CODE XREF: DrvDbOpenContext+9C891j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88D03A
; END OF FUNCTION CHUNK	FOR DrvDbOpenContext
; 
; START	OF FUNCTION CHUNK FOR DrvDbCreateDatabaseNode

loc_929806:				; CODE XREF: DrvDbCreateDatabaseNode+25j
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_92980B:				; CODE XREF: DrvDbCreateDatabaseNode+9C708j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_92980B
		sub	ecx, edx
		sar	ecx, 1
		push	42444450h
		lea	edi, ds:44h[ecx*2]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_14], ebx
		test	ebx, ebx
		jz	short loc_929870
		push	offset ??_C@_1BO@JJFLMBDN@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAa?$AAb?$AAa?$AAs?$AAe@NNGAKEGL@ ; "DriverDatabase"
		push	[ebp+var_C]
		shr	edi, 1
		push	offset ??_C@_1CE@BGEMHEPM@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@ ; char
		push	offset ??_C@_1BI@OAILGCEN@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	800h		; int
		push	0		; int
		push	0		; int
		push	edi		; int
		push	ebx		; void *
		call	RtlStringCchPrintfExW
		mov	edi, eax
		add	esp, 24h
		test	edi, edi
		js	loc_88D202
		mov	edi, [ebp+var_C]
		jmp	loc_88D13D
; 

loc_929870:				; CODE XREF: DrvDbCreateDatabaseNode+43j
					; DrvDbCreateDatabaseNode+9C729j
		mov	edi, 0C0000017h
		jmp	loc_88D202
; 

loc_92987A:				; CODE XREF: DrvDbCreateDatabaseNode+8Aj
					; DrvDbCreateDatabaseNode+9Cj
		mov	edi, 0C000009Ah
		jmp	loc_88D202
; 

loc_929884:				; CODE XREF: DrvDbCreateDatabaseNode+C8j
		push	0
		push	dword ptr [esi+4Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+4Ch], 0
		jmp	short loc_929899
; 

loc_929894:				; CODE XREF: DrvDbCreateDatabaseNode+B8j
		mov	edi, 0C000009Ah

loc_929899:				; CODE XREF: DrvDbCreateDatabaseNode+9C786j
		test	edi, edi
		js	loc_88D202
		jmp	loc_88D1DA
; 

loc_9298A6:				; CODE XREF: DrvDbCreateDatabaseNode+E9j
		mov	eax, [ebp+var_4]
		mov	edx, [eax+14h]
		test	edx, edx
		jz	loc_88D1FB
		mov	ebx, [ebp+var_C]
		lea	ecx, [ebp+var_10]
		push	0
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	1
		push	2000000h
		push	ebx
		push	1
		mov	ecx, eax
		call	DrvDbOpenObjectRegKey
		mov	edi, eax
		test	edi, edi
		js	loc_88D202
		cmp	[ebp+var_10], 1
		jnz	loc_88D1FB
		movzx	eax, word ptr [esi+14h]
		mov	edx, ebx	; wchar_t *
		mov	ecx, [ebp+var_4] ; int
		add	eax, 2
		push	eax		; int
		push	dword ptr [esi+18h] ; void *
		push	12h		; int
		push	offset _DEVPKEY_DriverDatabase_RegistryPath ; void *
		push	[ebp+var_8]	; int
		call	_DrvDbSetDriverDatabaseMappedProperty@28 ; DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_88D202
		jmp	loc_88D1FB
; 

loc_929914:				; CODE XREF: DrvDbCreateDatabaseNode+FAj
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_88D20C
; 

loc_929921:				; CODE XREF: DrvDbCreateDatabaseNode+102j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_929940
		cmp	[eax+4], esi
		jnz	loc_88D22D
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_88D22D
		mov	[ecx], eax
		mov	[eax+4], ecx

loc_929940:				; CODE XREF: DrvDbCreateDatabaseNode+9C819j
		mov	ebx, [esi+4Ch]
		test	ebx, ebx
		jz	short loc_929955
		push	ebx
		call	ExDeleteResourceLite
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_929955:				; CODE XREF: DrvDbCreateDatabaseNode+9C839j
		lea	eax, [esi+8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+14h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88D214
; 

loc_929974:				; CODE XREF: DrvDbCreateDatabaseNode+112j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88D224
; END OF FUNCTION CHUNK	FOR DrvDbCreateDatabaseNode
; 
; START	OF FUNCTION CHUNK FOR PiDrvDbEnumDriverStoreNodes

loc_929981:				; CODE XREF: PiDrvDbEnumDriverStoreNodes+80j
		mov	esi, 0C000009Ah
		jmp	loc_88D337
; END OF FUNCTION CHUNK	FOR PiDrvDbEnumDriverStoreNodes
; 
; START	OF FUNCTION CHUNK FOR PiPnpRtlRegisterDriverMachineNodeCallback

loc_92998B:				; CODE XREF: PiPnpRtlRegisterDriverMachineNodeCallback+1Cj
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jnz	short loc_929998
		xor	ecx, ecx
		jmp	short loc_92999B
; 

loc_929998:				; CODE XREF: PiPnpRtlRegisterDriverMachineNodeCallback+9C656j
		mov	ecx, [eax+74h]

loc_92999B:				; CODE XREF: PiPnpRtlRegisterDriverMachineNodeCallback+9C65Aj
		lea	eax, [ebp+var_4]
		mov	edx, 80000002h
		push	eax
		push	2000000h
		push	0
		push	[ebp+arg_0]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	ebx, eax
		cmp	ebx, 0C0000034h
		jz	loc_88D35E
		test	ebx, ebx
		js	loc_88D360
		mov	edx, [ebp+arg_0]
		push	ecx
		push	ecx
		push	[ebp+var_4]
		push	ecx
		push	3
		call	__PnpCtxRegisterMachineNode@28 ; _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)
		lea	ebx, [eax-40000000h]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax
		jmp	loc_88D360
; 

loc_9299EA:				; CODE XREF: PiPnpRtlRegisterDriverMachineNodeCallback+28j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_88D36A
; END OF FUNCTION CHUNK	FOR PiPnpRtlRegisterDriverMachineNodeCallback
; 
; START	OF FUNCTION CHUNK FOR PiDrvDbRegisterNodeCallback

loc_9299F7:				; CODE XREF: PiDrvDbRegisterNodeCallback+1Aj
		mov	ecx, [ebp+arg_0]
		lea	edx, [ecx+2]

loc_9299FD:				; CODE XREF: PiDrvDbRegisterNodeCallback+9C68Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_9299FD
		sub	ecx, edx
		sar	ecx, 1
		push	62647050h
		lea	ebx, ds:4Ch[ecx*2]
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_929A30
		mov	ebx, 0C000009Ah
		jmp	loc_88D39C
; 

loc_929A30:				; CODE XREF: PiDrvDbRegisterNodeCallback+9C6A8j
		push	offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@
		push	offset ??_C@_1CE@FCOONEBJ@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA3?$AA2?$AA?2?$AAc?$AAo?$AAn?$AAf?$AAi@NNGAKEGL@
		push	[ebp+arg_0]
		shr	ebx, 1
		push	offset ??_C@_1BM@PNGDECLI@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAo?$AAr?$AAe?$AAs@NNGAKEGL@ ; "\\DriverStores"
		push	offset ??_C@_1BM@DLCGNMPA@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	ebx		; int
		push	edi		; wchar_t *
		call	RtlStringCchPrintfW
		mov	ebx, eax
		add	esp, 1Ch
		test	ebx, ebx
		js	short loc_929A72
		push	edi
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	0Ah
		pop	edx
		call	PiDrvDbRegisterNode
		lea	ebx, [eax-40000000h]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax

loc_929A72:				; CODE XREF: PiDrvDbRegisterNodeCallback+9C6DBj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88D39C
; END OF FUNCTION CHUNK	FOR PiDrvDbRegisterNodeCallback
; 
; START	OF FUNCTION CHUNK FOR CmpInitializeNameCache

loc_929A7F:				; CODE XREF: CmpInitializeNameCache+20j
		push	0
		push	0
		push	2
		push	3
		push	67h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_929A8F:				; CODE XREF: CmpInitializeFreezeThaw+20j
		mov	_CmFreezeThawTimeoutInSeconds, 3Ch
		retn
; END OF FUNCTION CHUNK	FOR CmpInitializeNameCache
; 
; START	OF FUNCTION CHUNK FOR PsCreateMinimalProcess

loc_929A9A:				; CODE XREF: PsCreateMinimalProcess+D0j
		and	[esp+198h+var_18C], 0
		jmp	loc_88DA46
; 

loc_929AA4:				; CODE XREF: PsCreateMinimalProcess+DBj
		mov	eax, [esp+198h+var_18C]
		mov	[eax+3D4h], ecx
		jmp	loc_88D8DB
; 

loc_929AB3:				; CODE XREF: PsCreateMinimalProcess+165j
		push	3
		pop	ebx
		jmp	loc_88D965
; 

loc_929ABB:				; CODE XREF: PsCreateMinimalProcess+18Aj
		mov	ecx, [esp+198h+var_18C]
		xor	dl, dl
		call	_PspRundownSingleProcess@8 ; PspRundownSingleProcess(x,x)
		mov	eax, [esp+198h+var_188]
		mov	ebx, [esp+198h+var_184]
		mov	[esp+198h+var_188], eax
		jmp	loc_88D9E9
; 

loc_929AD7:				; CODE XREF: PsCreateMinimalProcess+19Bj
		push	0
		push	[esp+19Ch+var_18C]
		push	eax
		call	PsAssignProcessToJobObject
		mov	esi, eax
		test	esi, esi
		jns	loc_88D99B
		mov	ebx, [esp+198h+var_184]
		jmp	loc_88DA46
; END OF FUNCTION CHUNK	FOR PsCreateMinimalProcess
; 
; START	OF FUNCTION CHUNK FOR DbgkCreateMinimalProcess

loc_929AF6:				; CODE XREF: DbgkCreateMinimalProcess+44j
		push	7
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_90]
		rep stosd
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_B0], 3C0024h
		push	eax
		xor	edx, edx
		mov	[ebp+var_AC], 8
		mov	ecx, esi
		mov	[ebp+var_98], 2
		call	_DbgkpSendApiMessage@12	; DbgkpSendApiMessage(x,x,x)
		jmp	loc_88DAA0
; END OF FUNCTION CHUNK	FOR DbgkCreateMinimalProcess
; 
; START	OF FUNCTION CHUNK FOR CmpCreateRegistryProcessToken

loc_929B36:				; CODE XREF: CmpCreateRegistryProcessToken+72j
		mov	esi, 0C000009Ah
		jmp	loc_88DBEC
; END OF FUNCTION CHUNK	FOR CmpCreateRegistryProcessToken
; 
; START	OF FUNCTION CHUNK FOR SeFilterToken

loc_929B40:				; CODE XREF: SeFilterToken+47j
		mov	esi, [eax]
		add	eax, 4
		mov	[ebp+var_8], eax
		test	esi, esi
		jz	loc_88DC93
		add	eax, 4

loc_929B53:				; CODE XREF: SeFilterToken+9BF1Aj
		cmp	dword ptr [eax], 0
		jnz	short loc_929B68
		inc	edi
		add	eax, 8
		cmp	edi, esi
		jb	short loc_929B53
		mov	eax, [ebp+var_8]
		jmp	loc_88DC93
; 

loc_929B68:				; CODE XREF: SeFilterToken+9BF12j
		mov	eax, 0C000000Dh
		jmp	loc_88DCDB
; END OF FUNCTION CHUNK	FOR SeFilterToken
; 
; START	OF FUNCTION CHUNK FOR CmpAddProcessorConfigurationEntry

loc_929B72:				; CODE XREF: CmpAddProcessorConfigurationEntry+D5j
		mov	edx, offset _CmpProcessorString1
		add	ecx, 41h
		jmp	loc_88DE44
; 

loc_929B7F:				; CODE XREF: CmpAddProcessorConfigurationEntry+19Ej
		push	offset ??_C@_05FPNECAEJ@80387@NNGAKEGL@
		lea	eax, [ebp+var_8C]
		push	80h
		push	eax
		call	_strcpy_s
		add	esp, 0Ch
		jmp	loc_88DF08
; 

loc_929B9D:				; CODE XREF: CmpAddProcessorConfigurationEntry+212j
		call	Ke386CyrixId
		test	eax, eax
		jz	loc_88E0E3
		mov	edi, offset _CmpCyrixID	; "CyrixInstead"
		jmp	loc_88E0ED
; 

loc_929BB4:				; CODE XREF: CmpAddProcessorConfigurationEntry+302j
					; CmpAddProcessorConfigurationEntry+9BE59j
		inc	eax
		cmp	byte ptr [ebp+eax+var_D0], 20h
		jz	short loc_929BB4
		jmp	loc_88E06C
; 

loc_929BC4:				; CODE XREF: CmpAddProcessorConfigurationEntry+24Dj
					; CmpAddProcessorConfigurationEntry+2E2j
		mov	ebx, [ebp+var_E4]
		jmp	loc_88E0DD
; END OF FUNCTION CHUNK	FOR CmpAddProcessorConfigurationEntry
; 
; START	OF FUNCTION CHUNK FOR CmpInitializeRegistryNode

loc_929BCF:				; CODE XREF: CmpInitializeRegistryNode+9Fj
		xor	edx, edx
		jmp	loc_88E302
; 

loc_929BD6:				; CODE XREF: CmpInitializeRegistryNode+166j
					; CmpInitializeRegistryNode+19Ej ...
		push	[ebp+var_30]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi
		jmp	loc_88E486
; 

loc_929BE5:				; CODE XREF: CmpInitializeRegistryNode+251j
		push	20204D43h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_929C1F
		push	0
		push	ds:_CmpConfigurationData
		mov	ds:_CmpConfigurationAreaSize, ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	dword ptr [edi+24h]
		mov	ds:_CmpConfigurationData, esi
		lea	eax, [esi+8]
		push	dword ptr [edi+30h]
		jmp	loc_88E4B3
; 

loc_929C1F:				; CODE XREF: CmpInitializeRegistryNode+9B9A4j
		and	dword ptr [edi+24h], 0
		and	dword ptr [edi+30h], 0
		jmp	loc_88E439
; END OF FUNCTION CHUNK	FOR CmpInitializeRegistryNode
; 
; START	OF FUNCTION CHUNK FOR CmpSetupLoggingState

loc_929C2C:				; CODE XREF: CmpSetupLoggingState+Cj
		test	al, 4
		jnz	loc_88E51E
		push	ebx
		mov	byte ptr [esi+82h], 0
		mov	ebx, [edi]
		test	bl, 2
		jz	short loc_929C81
		and	ebx, 38h
		cmp	ebx, 20h
		setz	dl
		setnz	cl
		xor	eax, eax
		cmp	ebx, 20h
		setz	al
		add	eax, 4
		mov	[esi+68h], eax
		mov	[esi+80h], dl
		mov	[esi+81h], cl
		mov	eax, [edi+0Ch]
		mov	[esi+78h], eax
		mov	eax, [edi+8]
		mov	[esi+6Ch], eax
		mov	eax, [edi+0Ch]
		and	dword ptr [esi+74h], 0
		mov	[esi+70h], eax
		jmp	short loc_929CAB
; 

loc_929C81:				; CODE XREF: CmpSetupLoggingState+9B735j
		shr	ebx, 3
		mov	word ptr [esi+80h], 101h
		and	ebx, 7
		mov	[esi+68h], ebx
		mov	eax, [edi+0Ch]
		mov	[esi+78h], eax
		mov	eax, [edi+8]
		mov	[esi+6Ch], eax
		mov	eax, [edi+0Ch]
		mov	[esi+70h], eax
		mov	eax, [edi+10h]
		mov	[esi+74h], eax

loc_929CAB:				; CODE XREF: CmpSetupLoggingState+9B773j
		pop	ebx
		jmp	loc_88E51E
; END OF FUNCTION CHUNK	FOR CmpSetupLoggingState
; 
; START	OF FUNCTION CHUNK FOR EnlistKeyBodyWithKCB

loc_929CB1:				; CODE XREF: EnlistKeyBodyWithKCB+2Cj
		mov	ecx, [ebp+var_4]
		add	ebx, 4
		cmp	ebx, 10h
		jb	loc_88E646
		test	byte ptr [ebp+var_8], 2
		jz	short loc_929CE9
		mov	eax, ecx
		mov	eax, [eax+8]
		add	eax, 40h
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jz	short loc_929CDA
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_929CDA:				; CODE XREF: EnlistKeyBodyWithKCB+9B6A9j
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		jmp	loc_88E65C
; 

loc_929CE9:				; CODE XREF: EnlistKeyBodyWithKCB+9B69Aj
		mov	edi, 0C000022Dh
		jmp	loc_88E65C
; END OF FUNCTION CHUNK	FOR EnlistKeyBodyWithKCB
; 
; START	OF FUNCTION CHUNK FOR CmSetAcpiHwProfile

loc_929CF3:				; CODE XREF: CmSetAcpiHwProfile+11Bj
		and	[ebp+var_21C], ebx
		jmp	loc_88EAD6
; 

loc_929CFE:				; CODE XREF: CmSetAcpiHwProfile+1A4j
		and	[ebp+var_220], ebx
		jmp	loc_88EAD6
; 

loc_929D09:				; CODE XREF: CmSetAcpiHwProfile+20Bj
		and	[ebp+var_210], ebx
		jmp	loc_88EAD6
; 

loc_929D14:				; CODE XREF: CmSetAcpiHwProfile+2A2j
		cmp	[ebp+var_108], 3
		jnz	loc_88E90C
		push	20204D43h
		push	[ebp+var_100]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_929D5B
		mov	esi, 0C000009Ah

loc_929D3E:				; CODE XREF: CmSetAcpiHwProfile+C3j
					; CmSetAcpiHwProfile+151j ...
		cmp	[ebp+var_220], 0
		jz	loc_88EAEC
		push	[ebp+var_220]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_88EAEC
; 

loc_929D5B:				; CODE XREF: CmSetAcpiHwProfile+9B6D3j
		push	[ebp+var_100]	; size_t
		mov	eax, [ebp+var_104]
		lea	ecx, [ebp+var_10C]
		add	eax, ecx
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_88E90E
; 

loc_929D7E:				; CODE XREF: CmSetAcpiHwProfile+3A5j
		and	[ebp+var_244], 0
		jmp	loc_88EAD6
; 

loc_929D8A:				; CODE XREF: CmSetAcpiHwProfile+3CFj
		mov	edx, [ebp+var_210]
		push	ecx
		lea	ecx, [ebp+var_10C]
		push	ecx
		push	ecx
		lea	ecx, [ebp+var_20C]
		push	ecx
		mov	ecx, [ebp+var_21C]
		push	eax
		push	edi
		call	_CmpMoveBiosAliasTable@32 ; CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_929D3E
		mov	eax, [ebp+var_224]
		mov	edx, [ebp+var_25C]
		jmp	loc_88EA39
; 

loc_929DC4:				; CODE XREF: CmSetAcpiHwProfile+3DAj
					; CmSetAcpiHwProfile+3E2j
		mov	eax, [ebp+var_26C]
		push	[ebp+var_210]
		mov	byte ptr [eax],	1
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_210], 0
		test	esi, esi
		jz	short loc_929E1D
		mov	edx, [ebp+var_244]
		lea	eax, [ebp+var_224]
		mov	ecx, [ebp+var_21C]
		push	eax
		lea	eax, [ebp+var_220]
		push	eax
		mov	eax, [ebp+var_24C]
		movzx	eax, word ptr [eax]
		push	eax
		push	[ebp+var_224]
		push	[ebp+var_220]
		call	_CmpCloneHwProfile@28 ;	CmpCloneHwProfile(x,x,x,x,x,x,x)
		jmp	loc_929EAC
; 

loc_929E1D:				; CODE XREF: CmSetAcpiHwProfile+9B77Dj
		push	[ebp+var_220]
		call	_ZwClose@4	; ZwClose(x)
		push	[ebp+var_224]
		lea	eax, [ebp+var_20C]
		push	(offset	loc_8B74EF+1)
		push	80h
		push	eax
		call	_swprintf_s
		add	esp, 10h
		lea	eax, [ebp+var_20C]
		push	eax
		lea	eax, [ebp+var_218]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_244]
		and	[ebp+var_230], 0
		and	[ebp+var_22C], 0
		mov	[ebp+var_23C], eax
		lea	eax, [ebp+var_218]
		mov	[ebp+var_238], eax
		lea	eax, [ebp+var_240]
		push	eax
		push	20019h
		lea	eax, [ebp+var_220]
		mov	[ebp+var_240], 18h
		push	eax
		mov	[ebp+var_234], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)

loc_929EAC:				; CODE XREF: CmSetAcpiHwProfile+9B7B4j
		mov	esi, eax
		test	esi, esi
		jns	short loc_929EBE
		and	[ebp+var_220], 0
		jmp	loc_88EAD6
; 

loc_929EBE:				; CODE XREF: CmSetAcpiHwProfile+9B84Cj
		push	offset ??_C@_1CA@CEMLPECN@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAD?$AAo?$AAc?$AAk?$AAI?$AAn?$AAf?$AAo@NNGAKEGL@
		lea	eax, [ebp+var_218]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_21C]
		xor	ecx, ecx
		mov	[ebp+var_23C], eax
		lea	eax, [ebp+var_218]
		mov	[ebp+var_238], eax
		lea	eax, [ebp+var_268]
		push	eax
		push	1
		push	ecx
		push	ecx
		lea	eax, [ebp+var_240]
		mov	[ebp+var_240], 18h
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_210]
		mov	[ebp+var_234], 240h
		push	eax
		mov	[ebp+var_230], ecx
		mov	[ebp+var_22C], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_929F3E
		and	[ebp+var_210], 0
		jmp	loc_88EAD6
; 

loc_929F3E:				; CODE XREF: CmSetAcpiHwProfile+9B8CCj
		push	offset ??_C@_1BM@EBFHNJCL@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@
		lea	eax, [ebp+var_218]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_224]
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_218]
		push	eax
		push	[ebp+var_21C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_88EA4C

loc_929F76:				; CODE XREF: CmSetAcpiHwProfile+2E0j
					; CmSetAcpiHwProfile+2EDj
		mov	esi, 0C000014Ch
		jmp	loc_929D3E
; 

loc_929F80:				; CODE XREF: CmSetAcpiHwProfile+460j
		mov	edx, [ebp+var_24C]
		lea	eax, [ebp+var_20C]
		mov	ecx, [ebp+var_21C]
		sub	esp, 10h
		push	eax
		push	[ebp+var_224]
		call	_CmpAddAcpiAliasEntry@32 ; CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_88EACA
; 

loc_929FA8:				; CODE XREF: CmSetAcpiHwProfile+46Cj
		mov	eax, [ebp+var_250]
		xor	ecx, ecx
		mov	[ebp+var_23C], eax
		lea	eax, [ebp+var_268]
		push	eax
		push	8
		push	ecx
		push	ecx
		lea	eax, [ebp+var_240]
		mov	[ebp+var_240], 18h
		push	eax
		push	20h
		lea	eax, [ebp+var_254]
		mov	[ebp+var_234], 340h
		push	eax
		mov	[ebp+var_238], (offset loc_A3F61F+1)
		mov	[ebp+var_230], ecx
		mov	[ebp+var_22C], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		and	[ebp+var_218], 0
		mov	eax, 100h
		push	[ebp+var_224]
		mov	word ptr [ebp+var_218+2], ax
		lea	eax, [ebp+var_20C]
		mov	[ebp+var_214], eax
		lea	eax, [ebp+var_278]
		push	eax		; char
		lea	eax, [ebp+var_218]
		push	offset ??_C@_1HO@DPJFAAAO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; wchar_t *
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		movzx	eax, word ptr [ebp+var_218]
		add	esp, 10h
		push	eax
		push	[ebp+var_214]
		push	6
		push	0
		push	offset _CmSymbolicLinkValueName
		push	[ebp+var_254]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_88EAD6
; 

loc_92A069:				; CODE XREF: CmSetAcpiHwProfile+24Cj
					; CmSetAcpiHwProfile+259j
		mov	esi, 0C000014Ch
		jmp	loc_88EAD6
; 

loc_92A073:				; CODE XREF: CmSetAcpiHwProfile+48Fj
		push	[ebp+var_254]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_88EAF9
; 

loc_92A083:				; CODE XREF: CmSetAcpiHwProfile+4D3j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_88EB3D
; END OF FUNCTION CHUNK	FOR CmSetAcpiHwProfile
; 
; START	OF FUNCTION CHUNK FOR CmpFilterAcpiDockingState

loc_92A090:				; CODE XREF: CmpFilterAcpiDockingState+DAj
		mov	esi, [ebp+var_14]
		mov	cl, [ebp+var_1]

loc_92A096:				; CODE XREF: CmpFilterAcpiDockingState+2Fj
					; CmpFilterAcpiDockingState+38j
		cmp	[ebp+arg_0], 0
		jnz	loc_88ECC4
		test	cl, cl
		jnz	loc_88ECC4
		movzx	eax, word ptr [edx]
		cmp	esi, eax
		jnz	loc_88ECC4
		mov	[ebp+var_4], 1
		mov	[ebp+var_1], 1
		jmp	loc_88ECC4
; 

loc_92A0C0:				; CODE XREF: CmpFilterAcpiDockingState+118j
		mov	eax, [ebp+var_8]
		or	eax, 8
		inc	ebx
		mov	[edi], eax
		push	14h
		pop	eax
		add	edx, eax
		add	edi, eax
		add	esi, eax
		mov	[ebp+arg_0], edx
		add	ecx, eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+arg_C], ecx
		mov	eax, [eax+4]
		jmp	loc_88ED1F
; 

loc_92A0E5:				; CODE XREF: CmpFilterAcpiDockingState+108j
		test	byte ptr [ebp+var_8], 4
		jz	short loc_92A0F5
		cmp	[ebp+var_1], 0
		jz	loc_88ED0C

loc_92A0F5:				; CODE XREF: CmpFilterAcpiDockingState+9B505j
		test	byte ptr [ebp+var_8], 1
		jnz	loc_88ED0C
		test	byte ptr [ebp+var_8], 2
		jnz	loc_88ED0C
		cmp	[ebp+var_4], 0
		jz	loc_88ED2C
		mov	ecx, [ebp+arg_4]
		cmp	[esi], ecx
		mov	ecx, [ebp+arg_C]
		jmp	loc_88ED0A
; 

loc_92A120:				; CODE XREF: CmpFilterAcpiDockingState+152j
		imul	eax, [ebp+var_8], arg_C
		push	eax		; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memmove
		mov	eax, [ebp+arg_8]
		add	esp, 0Ch
		mov	edx, [ebp+arg_0]
		mov	eax, [eax+4]
		jmp	loc_88ED3C
; END OF FUNCTION CHUNK	FOR CmpFilterAcpiDockingState
; 
; START	OF FUNCTION CHUNK FOR CmpGetAcpiProfileInformation

loc_92A13D:				; CODE XREF: CmpGetAcpiProfileInformation+9Aj
		and	[ebp+var_58], 0
		jmp	loc_88F30F
; 

loc_92A146:				; CODE XREF: CmpGetAcpiProfileInformation+E2j
					; CmpGetAcpiProfileInformation+3EAj
		mov	esi, 0C000009Ah
		mov	[ebp+var_3C], esi
		jmp	loc_88F30F
; 

loc_92A153:				; CODE XREF: CmpGetAcpiProfileInformation+1C9j
					; CmpGetAcpiProfileInformation+1D3j
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_3C], eax
		mov	[ebp+var_84], eax
		jmp	loc_88EF2E
; 

loc_92A164:				; CODE XREF: CmpGetAcpiProfileInformation+20Fj
					; CmpGetAcpiProfileInformation+218j
		mov	esi, offset ??_C@_1BA@MAILMBPH@?$AA?9?$AA?9?$AA?9?$AA?9?$AA?9?$AA?9?$AA?9@NNGAKEGL@
		lea	edi, [ebp+var_A0]
		push	20204D43h
		push	10h
		movsd
		movsd
		movsd
		movsd
		pop	esi
		xor	edi, edi
		push	esi
		inc	edi
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_8C], esi
		mov	[ebp+var_88], eax
		test	eax, eax
		jz	short loc_92A1BC
		push	dword ptr [ebx+0Ch]
		lea	ecx, [ebp+var_A0]
		jmp	loc_88EF8F
; 

loc_92A1A3:				; CODE XREF: CmpGetAcpiProfileInformation+281j
					; CmpGetAcpiProfileInformation+28Aj ...
		mov	[ebp+var_7C], edi
		jmp	loc_88EFE3
; 

loc_92A1AB:				; CODE XREF: CmpGetAcpiProfileInformation+300j
		inc	esi
		add	edx, 14h
		cmp	esi, edi
		jb	loc_88F043
		jmp	loc_88F06C
; 

loc_92A1BC:				; CODE XREF: CmpGetAcpiProfileInformation+23Dj
					; CmpGetAcpiProfileInformation+598j ...
		mov	esi, 0C000009Ah
		jmp	short loc_92A1DC
; 

loc_92A1C3:				; CODE XREF: CmpGetAcpiProfileInformation+3A6j
		xor	esi, esi
		and	[ebp+var_54], esi
		mov	[ebp+var_3C], esi
		jmp	loc_88F31D
; 

loc_92A1D0:				; CODE XREF: CmpGetAcpiProfileInformation+568j
		xor	ecx, ecx
		jmp	loc_88F2C3
; 

loc_92A1D7:				; CODE XREF: CmpGetAcpiProfileInformation+4B7j
					; CmpGetAcpiProfileInformation+4C1j ...
		mov	esi, 0C000014Ch

loc_92A1DC:				; CODE XREF: CmpGetAcpiProfileInformation+9B47Bj
		push	[ebp+var_40]
		mov	[ebp+var_3C], esi
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_88F30F
; 

loc_92A1EC:				; CODE XREF: CmpGetAcpiProfileInformation+5E7j
		mov	eax, [ebp+var_5C]
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_92A22D
		xor	ebx, ebx
		cmp	[eax+4], ebx
		jbe	short loc_92A21F
		mov	esi, [ebp+var_5C]
		xor	edi, edi

loc_92A201:				; CODE XREF: CmpGetAcpiProfileInformation+9B4D4j
		mov	ecx, [edi+eax+0Ch]
		test	ecx, ecx
		jz	short loc_92A213
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi]

loc_92A213:				; CODE XREF: CmpGetAcpiProfileInformation+9B4C1j
		inc	ebx
		add	edi, 14h
		cmp	ebx, [eax+4]
		jb	short loc_92A201
		mov	esi, [ebp+var_3C]

loc_92A21F:				; CODE XREF: CmpGetAcpiProfileInformation+9B4B4j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_5C]
		and	dword ptr [eax], 0

loc_92A22D:				; CODE XREF: CmpGetAcpiProfileInformation+9B4ADj
		mov	eax, [ebp+var_50]
		mov	eax, [eax]
		test	eax, eax
		jz	loc_88F333
		xor	ebx, ebx
		cmp	[eax+4], ebx
		jbe	short loc_92A264
		mov	esi, [ebp+var_50]
		xor	edi, edi

loc_92A246:				; CODE XREF: CmpGetAcpiProfileInformation+9B519j
		mov	ecx, [edi+eax+14h]
		test	ecx, ecx
		jz	short loc_92A258
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi]

loc_92A258:				; CODE XREF: CmpGetAcpiProfileInformation+9B506j
		inc	ebx
		add	edi, 10h
		cmp	ebx, [eax+4]
		jb	short loc_92A246
		mov	esi, [ebp+var_3C]

loc_92A264:				; CODE XREF: CmpGetAcpiProfileInformation+9B4F9j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_50]
		and	dword ptr [eax], 0
		jmp	loc_88F333
; END OF FUNCTION CHUNK	FOR CmpGetAcpiProfileInformation
; 
; START	OF FUNCTION CHUNK FOR CmpLinkKeyToHive

loc_92A277:				; CODE XREF: CmpLinkKeyToHive+66j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_88FAB2
; END OF FUNCTION CHUNK	FOR CmpLinkKeyToHive
; 
; START	OF FUNCTION CHUNK FOR CmpCreatePerfKeys

loc_92A284:				; CODE XREF: CmpCreatePerfKeys+7Cj
		movzx	ecx, ds:_PsInstallUILanguageId
		mov	esi, 3FFh
		mov	eax, ecx
		push	4
		and	eax, esi
		pop	edx
		cmp	eax, edx
		jz	short loc_92A2BF
		cmp	eax, 16h
		jz	short loc_92A2A7
		push	3
		and	ecx, esi
		pop	edx
		jmp	short loc_92A2D5
; 

loc_92A2A7:				; CODE XREF: CmpCreatePerfKeys+9A7CAj
		mov	eax, ecx
		mov	esi, 400h
		and	eax, 0FC00h
		cmp	ax, si
		jz	short loc_92A2D5
		mov	ecx, 816h
		jmp	short loc_92A2D5
; 

loc_92A2BF:				; CODE XREF: CmpCreatePerfKeys+9A7C5j
		mov	eax, ecx
		mov	esi, 800h
		and	eax, 0FC00h
		cmp	ax, si
		jz	short loc_92A2D5
		mov	ecx, 404h

loc_92A2D5:				; CODE XREF: CmpCreatePerfKeys+9A7D1j
					; CmpCreatePerfKeys+9A7E2j ...
		movzx	eax, cx
		push	eax
		push	edx		; char
		push	offset ??_C@_19JIECANHN@?$AA?$CF?$AA0?$AA?$CK?$AAX@NNGAKEGL@ ; wchar_t *
		lea	eax, [ebp+var_10]
		push	0Ah		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	ecx, [ebp+var_14]
		lea	edx, [ebp+var_10]
		add	esp, 14h
		push	edi
		call	_CmpCreatePredefined@12	; CmpCreatePredefined(x,x,x)
		jmp	loc_88FB56
; END OF FUNCTION CHUNK	FOR CmpCreatePerfKeys
; 
; START	OF FUNCTION CHUNK FOR CmpSetVersionData

loc_92A2FE:				; CODE XREF: CmpSetVersionData+1ECj
		mov	ecx, _CmpEditionVersion
		mov	eax, ecx
		or	eax, 0F0000000h
		mov	_NtBuildNumber,	eax
		mov	ds:0FFDF0260h, ecx
		mov	eax, dword_6CE3E4
		mov	_NtBuildQfe, eax
		jmp	loc_88FE98
; 

loc_92A325:				; CODE XREF: CmpSetVersionData+26Cj
		mov	ecx, [ebp+var_18C]
		mov	edx, offset _CmpEditionVersion
		call	_CmpRestampVersion@8 ; CmpRestampVersion(x,x)
		jmp	loc_88FF18
; 

loc_92A33A:				; CODE XREF: CmpSetVersionData+303j
		movzx	eax, ax
		add	eax, 2
		push	eax
		push	dword_6CE76C
		push	1
		push	esi
		push	(offset	loc_A3F6A7+1)
		push	[ebp+var_18C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	eax, dword_6CE76C
		test	eax, eax
		jz	short loc_92A369
		push	eax
		call	_ExFreePool@4	; ExFreePool(x)

loc_92A369:				; CODE XREF: CmpSetVersionData+9A6BBj
		push	esi
		push	offset _CmCSDVersionString
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_88FFBF
; 

loc_92A379:				; CODE XREF: CmpSetVersionData+37Fj
		movzx	eax, word ptr [ebp+var_194]
		add	eax, 2
		push	eax
		push	[ebp+var_190]
		push	1
		push	esi
		push	(offset	loc_A3F6AB+5)
		push	[ebp+var_18C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		jmp	loc_89002B
; 

loc_92A3A2:				; CODE XREF: CmpSetVersionData+320j
		push	(offset	loc_A3F6AB+5)
		push	[ebp+var_18C]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	loc_89002B
; END OF FUNCTION CHUNK	FOR CmpSetVersionData
; 
; START	OF FUNCTION CHUNK FOR CmpQueryEditionVersion

loc_92A3B7:				; CODE XREF: CmpQueryEditionVersion+99j
		lea	eax, [ebp+var_110]
		push	eax
		push	100h
		lea	eax, [ebp+var_10C]
		push	eax
		push	edi
		push	(offset	loc_A3F5EB+5)
		push	[ebp+var_114]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92A6BA
		cmp	[ebp+var_108], 4
		jnz	loc_92A672
		cmp	[ebp+var_100], 4
		jnz	loc_92A679
		mov	ecx, [ebp+var_104]
		lea	eax, [ecx+4]
		cmp	eax, [ebp+var_110]
		jnz	loc_92A680
		mov	eax, [ebp+ecx+var_10C]
		mov	[ebx], eax
		lea	eax, [ebp+var_110]
		push	eax
		push	100h
		lea	eax, [ebp+var_10C]
		push	eax
		push	edi
		push	(offset	loc_A3F5E7+1)
		push	[ebp+var_114]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92A6BA
		cmp	[ebp+var_108], 4
		jnz	loc_92A672
		cmp	[ebp+var_100], 4
		jnz	loc_92A679
		mov	ecx, [ebp+var_104]
		lea	eax, [ecx+4]
		cmp	eax, [ebp+var_110]
		jnz	loc_92A680
		mov	eax, [ebp+ecx+var_10C]
		mov	[ebx+4], eax
		lea	eax, [ebp+var_110]
		push	eax
		push	100h
		lea	eax, [ebp+var_10C]
		push	eax
		push	edi
		push	offset _CmpEditionBuildBranchString
		push	[ebp+var_114]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, 80h
		test	eax, eax
		js	short loc_92A520
		cmp	[ebp+var_108], edi
		jnz	short loc_92A520
		mov	ecx, [ebp+var_100]
		mov	edx, [ebp+var_104]
		mov	[ebp+var_118], ecx
		lea	eax, [edx+ecx]
		cmp	eax, [ebp+var_110]
		jnz	loc_92A680
		test	cl, 1
		jnz	loc_92A679
		lea	eax, [ecx+2]
		cmp	eax, esi
		ja	loc_92A687
		push	ecx		; size_t
		lea	eax, [ebp+var_10C]
		add	eax, edx
		lea	esi, [ebx+20h]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_118]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[ebx+eax+20h], cx
		lea	eax, [ebx+8]
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, 80h

loc_92A520:				; CODE XREF: CmpQueryEditionVersion+9A405j
					; CmpQueryEditionVersion+9A40Dj
		lea	eax, [ebp+var_110]
		push	eax
		push	100h
		lea	eax, [ebp+var_10C]
		push	eax
		push	edi
		push	offset _CmpEditionBuildLabString
		push	[ebp+var_114]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_92A5B8
		cmp	[ebp+var_108], edi
		jnz	short loc_92A5B8
		mov	ecx, [ebp+var_100]
		mov	edx, [ebp+var_104]
		mov	[ebp+var_118], ecx
		lea	eax, [edx+ecx]
		cmp	eax, [ebp+var_110]
		jnz	loc_92A680
		test	cl, 1
		jnz	loc_92A679
		lea	eax, [ecx+2]
		cmp	eax, esi
		ja	loc_92A687
		push	ecx		; size_t
		lea	eax, [ebp+var_10C]
		add	eax, edx
		lea	esi, [ebx+0A0h]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_118]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[ebx+eax+0A0h],	cx
		lea	eax, [ebx+10h]
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_92A5B8:				; CODE XREF: CmpQueryEditionVersion+9A49Cj
					; CmpQueryEditionVersion+9A4A4j
		lea	eax, [ebp+var_110]
		push	eax
		push	100h
		lea	eax, [ebp+var_10C]
		push	eax
		push	edi
		push	offset _CmpEditionBuildLabExString
		push	[ebp+var_114]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_92A649
		cmp	[ebp+var_108], edi
		jnz	short loc_92A649
		mov	ecx, [ebp+var_100]
		mov	edx, [ebp+var_104]
		mov	[ebp+var_118], ecx
		lea	eax, [edx+ecx]
		cmp	eax, [ebp+var_110]
		jnz	short loc_92A680
		test	cl, 1
		jnz	short loc_92A679
		lea	eax, [ecx+2]
		mov	edi, 80h
		cmp	eax, edi
		ja	short loc_92A687
		push	ecx		; size_t
		lea	eax, [ebp+var_10C]
		add	eax, edx
		lea	esi, [ebx+120h]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_118]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[ebx+eax+120h],	cx
		lea	eax, [ebx+18h]
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_92A649:				; CODE XREF: CmpQueryEditionVersion+9A534j
					; CmpQueryEditionVersion+9A53Cj
		xor	ecx, ecx
		mov	[ebp+var_120], 800000h
		lea	esi, [ebx+1A0h]
		mov	[ebp+var_11C], esi
		cmp	[ebx+1Ch], ecx
		jz	short loc_92A68E
		lea	eax, [ebx+18h]
		cmp	[eax], cx
		jz	short loc_92A68E
		push	ecx
		push	eax
		jmp	short loc_92A69D
; 

loc_92A672:				; CODE XREF: CmpQueryEditionVersion+9A342j
					; CmpQueryEditionVersion+9A3A8j
		mov	esi, 0C0000024h
		jmp	short loc_92A6BA
; 

loc_92A679:				; CODE XREF: CmpQueryEditionVersion+9A34Fj
					; CmpQueryEditionVersion+9A3B5j ...
		mov	esi, 0C0000206h
		jmp	short loc_92A6BA
; 

loc_92A680:				; CODE XREF: CmpQueryEditionVersion+9A364j
					; CmpQueryEditionVersion+9A3CAj ...
		mov	esi, 0C000003Ch
		jmp	short loc_92A6BA
; 

loc_92A687:				; CODE XREF: CmpQueryEditionVersion+9A43Ej
					; CmpQueryEditionVersion+9A4D5j ...
		mov	esi, 0C0000023h
		jmp	short loc_92A6BA
; 

loc_92A68E:				; CODE XREF: CmpQueryEditionVersion+9A5BAj
					; CmpQueryEditionVersion+9A5C2j
		cmp	[ebx+14h], ecx
		jz	short loc_92A6AD
		add	ebx, 10h
		cmp	[ebx], cx
		jz	short loc_92A6AD
		push	ecx
		push	ebx

loc_92A69D:				; CODE XREF: CmpQueryEditionVersion+9A5C6j
		lea	eax, [ebp+var_120]
		push	eax
		call	RtlUnicodeStringToAnsiString
		xor	ecx, ecx
		jmp	short loc_92A6B2
; 

loc_92A6AD:				; CODE XREF: CmpQueryEditionVersion+9A5E7j
					; CmpQueryEditionVersion+9A5EFj
		mov	eax, 80000022h

loc_92A6B2:				; CODE XREF: CmpQueryEditionVersion+9A601j
		test	eax, eax
		jns	short loc_92A6B8
		mov	[esi], cl

loc_92A6B8:				; CODE XREF: CmpQueryEditionVersion+9A60Aj
		mov	esi, ecx

loc_92A6BA:				; CODE XREF: CmpQueryEditionVersion+9A335j
					; CmpQueryEditionVersion+9A39Bj ...
		push	[ebp+var_114]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi
		jmp	loc_890149
; END OF FUNCTION CHUNK	FOR CmpQueryEditionVersion
; 
; START	OF FUNCTION CHUNK FOR CmpHiveRootSecurityDescriptor

loc_92A6CC:				; CODE XREF: CmpHiveRootSecurityDescriptor+1B6j
		push	0
		push	0
		push	3
		jmp	short loc_92A6DA
; 

loc_92A6D4:				; CODE XREF: CmpHiveRootSecurityDescriptor+ACj
					; CmpHiveRootSecurityDescriptor+B4j ...
		push	0
		push	0
		push	1

loc_92A6DA:				; CODE XREF: CmpHiveRootSecurityDescriptor+9A578j
					; CmpHiveRootSecurityDescriptor+9A58Fj	...
		push	0Bh
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_92A6E3:				; CODE XREF: CmpHiveRootSecurityDescriptor+1FFj
		push	0
		push	0
		push	4
		jmp	short loc_92A6DA
; 

loc_92A6EB:				; CODE XREF: CmpHiveRootSecurityDescriptor+214j
		push	eax
		push	5
		jmp	short loc_92A6DA
; 

loc_92A6F0:				; CODE XREF: CmpHiveRootSecurityDescriptor+352j
		push	0
		push	0
		push	7
		jmp	short loc_92A6DA
; 

loc_92A6F8:				; CODE XREF: CmpHiveRootSecurityDescriptor+377j
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	[ebp+var_6C]
		push	8
		jmp	short loc_92A6DA
; 

loc_92A707:				; CODE XREF: CmpHiveRootSecurityDescriptor+390j
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	[ebp+var_6C]
		push	9
		jmp	short loc_92A6DA
; 

loc_92A716:				; CODE XREF: CmpHiveRootSecurityDescriptor+230j
					; CmpHiveRootSecurityDescriptor+24Cj ...
		push	0
		push	eax
		push	6
		jmp	short loc_92A6DA
; 

loc_92A71D:				; CODE XREF: CmpHiveRootSecurityDescriptor+E2j
					; CmpHiveRootSecurityDescriptor+F6j ...
		push	0
		push	0
		push	2
		jmp	short loc_92A6DA
; END OF FUNCTION CHUNK	FOR CmpHiveRootSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR PsBootPhaseComplete

loc_92A725:				; CODE XREF: PsBootPhaseComplete+C1j
		mov	eax, ds:_PspGlobalFlags
		xor	ecx, ecx
		cmp	[ebp+var_40], ecx
		setnz	cl
		and	eax, 0FFFFFFFEh
		or	eax, ecx
		mov	ds:_PspGlobalFlags, eax
		jmp	loc_890605
; 

loc_92A741:				; CODE XREF: PsBootPhaseComplete+192j
		mov	ecx, esi
		mov	[ebp+var_3C], ecx
		jmp	loc_8906D9
; 

loc_92A74B:				; CODE XREF: PsBootPhaseComplete+1C5j
		cmp	[ebp+var_34], 4
		jnz	loc_890709
		cmp	[ebp+var_30], 4
		jnz	loc_890709
		jmp	loc_890717
; END OF FUNCTION CHUNK	FOR PsBootPhaseComplete
; 
; START	OF FUNCTION CHUNK FOR RtlQueryImageFileExecutionOptions

loc_92A764:				; CODE XREF: RtlQueryImageFileExecutionOptions+37j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8907A9
; END OF FUNCTION CHUNK	FOR RtlQueryImageFileExecutionOptions
; 
; START	OF FUNCTION CHUNK FOR CmpInterlockedFunction

loc_92A771:				; CODE XREF: CmpInterlockedFunction+D4j
		cmp	ecx, 1
		jnz	short loc_92A780
		mov	esi, 0C0000001h
		jmp	loc_8909B8
; 

loc_92A780:				; CODE XREF: CmpInterlockedFunction+C4j
					; CmpInterlockedFunction+99EB4j
		push	ebx
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20], 1
		push	eax
		push	ebx
		push	edi
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+var_1C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_1C]
		call	_ZwFlushKey@4	; ZwFlushKey(x)
		jmp	loc_89099A
; 

loc_92A7A7:				; CODE XREF: CmpInterlockedFunction+F2j
		push	ebx
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		push	edi
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+var_1C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		jmp	loc_8909B8
; END OF FUNCTION CHUNK	FOR CmpInterlockedFunction
; 
; START	OF FUNCTION CHUNK FOR CmpMountPreloadedHives

loc_92A7C2:				; CODE XREF: CmpMountPreloadedHives+B5j
		push	0C000009Ah
		push	ebx
		push	1
		push	2
		jmp	short loc_92A830
; 

loc_92A7CE:				; CODE XREF: CmpMountPreloadedHives+99FD0j
		push	10h

loc_92A7D0:				; CODE XREF: CmpMountPreloadedHives+9A289j
					; CmpMountPreloadedHives+9A290j ...
		pop	ebx

loc_92A7D1:				; CODE XREF: CmpMountPreloadedHives+99F4Ej
		lea	ecx, [ebp+var_178]
		mov	[edi-40Ch], ecx
		mov	[ebp+var_178], esi
		mov	ecx, [edi-40Ch]
		xor	edx, edx
		push	ebx
		push	eax
		push	15h
		call	SetFailureLocation
		lea	eax, [ebp+var_180]
		xor	ebx, ebx
		mov	[ebp+var_190], eax
		inc	ebx
		lea	eax, [ebp+var_1CC]
		mov	ds:_CmpPuntBoot, bl
		push	eax		; int
		push	ebx		; int
		lea	eax, [ebp+var_190]
		push	eax		; void *
		push	ebx		; int
		push	ebx		; int
		push	0C0000218h	; int
		call	_ExRaiseHardError@24 ; ExRaiseHardError(x,x,x,x,x,x)
		push	[ebp+var_184]	; struct _exception *
		push	esi
		push	ebx
		push	2
		pop	eax
		push	eax

loc_92A830:				; CODE XREF: CmpMountPreloadedHives+99DFAj
		push	74h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_92A837:				; CODE XREF: CmpMountPreloadedHives+C7j
		mov	eax, [edi-3C4h]
		lea	esi, [edi-428h]
		mov	ecx, eax
		and	ecx, 1000000h
		mov	[ebp+var_18C], ecx
		test	al, 1
		jnz	loc_92AC4B
		mov	eax, 1000h
		mov	[ebp+var_17C], edx
		mov	[ebp+var_180], ebx
		lea	ecx, [edi+90h]
		lea	edx, [ebp+var_180]
		mov	word ptr [ebp+var_180+2], ax
		call	CmpQueryHiveRedirectionFileList
		test	al, al
		jz	short loc_92A896
		push	2
		pop	eax
		cmp	word ptr [ebp+var_180],	ax
		jnz	loc_92A952

loc_92A896:				; CODE XREF: CmpMountPreloadedHives+99EB2j
		mov	ecx, [ebp+var_1B0]
		mov	edx, 1000h
		mov	[ebp+var_180], ebx
		mov	word ptr [ebp+var_180+2], dx
		mov	[ebp+var_17C], ecx
		mov	eax, [edi-3C4h]
		test	eax, edx
		jz	short loc_92A905
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		push	offset ??_C@_19JHEHLFPM@?$AA?2?$AA?$DP?$AA?$DP?$AA?2@NNGAKEGL@ ; "\\??\\"
		mov	eax, [eax+270h]
		mov	ax, [eax]
		mov	word ptr [ebp+var_19C],	ax
		lea	eax, [ebp+var_180]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_19C]
		push	eax		; void *
		lea	eax, [ebp+var_180]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	(offset	??_C@_02GMHACPFF@?$CFu@NNGAKEGL@+4)
		jmp	short loc_92A934
; 

loc_92A905:				; CODE XREF: CmpMountPreloadedHives+99EEAj
		test	eax, 2000h
		jz	short loc_92A928
		lea	eax, [ebp+var_1BC]
		push	eax
		call	_SyspartGetSystemPartition@12 ;	SyspartGetSystemPartition(x,x,x)
		mov	[ebp+var_184], eax
		test	eax, eax
		js	loc_92A7D1
		jmp	short loc_92A940
; 

loc_92A928:				; CODE XREF: CmpMountPreloadedHives+99F38j
		test	eax, 200000h
		jz	short loc_92A940
		push	offset ??_C@_1BI@BNCMKGKH@?$AA?2?$AAO?$AAS?$AAD?$AAa?$AAt?$AAa?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@ ; "\\OSDataRoot"

loc_92A934:				; CODE XREF: CmpMountPreloadedHives+99F31j
		lea	eax, [ebp+var_180]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)

loc_92A940:				; CODE XREF: CmpMountPreloadedHives+99F54j
					; CmpMountPreloadedHives+99F5Bj
		push	dword ptr [edi+84h] ; void *
		lea	eax, [ebp+var_180]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)

loc_92A952:				; CODE XREF: CmpMountPreloadedHives+99EBEj
		push	ebx
		push	dword ptr [edi+84h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		xor	eax, eax
		mov	[edi+80h], ebx
		push	ebx
		mov	[edi+82h], ax
		lea	ecx, [ebp+var_180]
		lea	eax, [ebp+var_198]
		mov	[edi+84h], ebx
		push	eax
		push	ebx
		push	7
		lea	eax, [ebp+var_1A0]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_1A4]
		push	eax
		call	CmpOpenHiveFile
		mov	[ebp+var_184], eax
		test	eax, eax
		js	loc_92A7CE
		push	2
		pop	ecx
		mov	eax, ecx
		mov	[ebp+var_188], ecx
		cmp	[ebp+var_1A0], ecx
		jnz	short loc_92A9C4
		push	12h
		pop	eax
		mov	[ebp+var_188], eax

loc_92A9C4:				; CODE XREF: CmpMountPreloadedHives+99FE7j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	eax
		lea	eax, [ebp+var_1C0]
		push	eax
		lea	eax, [ebp+var_1A8]
		push	eax
		push	4
		pop	edx
		lea	ecx, [ebp+var_180]
		call	CmpOpenHiveFile
		mov	[ebp+var_184], eax
		test	eax, eax
		js	loc_92AC6E
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_188]
		lea	eax, [ebp+var_1C4]
		push	eax
		lea	eax, [ebp+var_1AC]
		push	eax
		push	5
		pop	edx
		lea	ecx, [ebp+var_180]
		call	CmpOpenHiveFile
		mov	[ebp+var_184], eax
		test	eax, eax
		js	loc_92AC67
		mov	eax, [ebp+var_1A4]
		mov	ecx, [ebp+var_198]
		mov	[edi-28h], eax
		mov	eax, [ebp+var_1A8]
		mov	[edi-18h], eax
		mov	eax, [ebp+var_1AC]
		mov	[edi-14h], eax
		mov	eax, [ebp+var_194]
		and	dword ptr [edi-3C4h], 0FFFFFFFDh
		mov	[edi-3ACh], eax
		mov	eax, [edi-360h]
		add	eax, 1000h
		mov	[ebp+var_190], eax
		cmp	[edi-3DCh], ecx
		jz	short loc_92AAD8
		lea	eax, [edi-3FCh]
		mov	[ebp+var_188], ebx
		cmp	[eax], ebx
		jbe	short loc_92AAC0
		mov	esi, ebx
		lea	ebx, [edi-3FCh]

loc_92AA8C:				; CODE XREF: CmpMountPreloadedHives+9A0DEj
		push	ecx
		push	esi
		push	ebx
		call	_RtlAreBitsClear@12 ; RtlAreBitsClear(x,x,x)
		test	al, al
		jnz	short loc_92AAA6
		mov	eax, [ebp+var_198]
		push	eax
		push	esi
		push	ebx
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)

loc_92AAA6:				; CODE XREF: CmpMountPreloadedHives+9A0C4j
		mov	ecx, [ebp+var_198]
		add	esi, ecx
		cmp	esi, [ebx]
		jb	short loc_92AA8C
		xor	ebx, ebx
		lea	esi, [edi-428h]
		lea	eax, [edi-3FCh]

loc_92AAC0:				; CODE XREF: CmpMountPreloadedHives+9A0B0j
		push	eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	[edi-3F4h], eax
		mov	eax, [ebp+var_198]
		mov	[edi-3DCh], eax

loc_92AAD8:				; CODE XREF: CmpMountPreloadedHives+9A0A0j
		lea	edx, [ebp+var_1C8]
		mov	ecx, esi
		call	CmpInitializeActualFileSizes
		mov	[ebp+var_184], eax
		test	eax, eax
		js	loc_92AC60
		push	1
		push	ebx
		push	[ebp+var_190]
		xor	edx, edx
		mov	ecx, esi
		call	CmpDoFileSetSizeEx
		test	eax, eax
		jns	short loc_92AB10
		mov	ds:_CmpCannotWriteConfiguration, 1

loc_92AB10:				; CODE XREF: CmpMountPreloadedHives+9A135j
		mov	ecx, [ebp+var_18C]
		test	ecx, ecx
		jz	short loc_92AB4B
		lea	eax, [ebp+var_1B8]
		push	eax
		call	KeQuerySystemTime
		mov	ecx, [edi-408h]
		mov	eax, [ebp+var_1B8]
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+var_1B4]
		mov	[ecx+10h], eax
		mov	ecx, esi
		call	HvCheckAndUpdateHiveBackupTimeStamp
		mov	ecx, [ebp+var_18C]

loc_92AB4B:				; CODE XREF: CmpMountPreloadedHives+9A146j
		mov	eax, [edi-408h]
		cmp	[eax+0FFCh], ebx
		jnz	short loc_92AB5D
		test	ecx, ecx
		jz	short loc_92AB77

loc_92AB5D:				; CODE XREF: CmpMountPreloadedHives+9A185j
		lea	esi, [edi-3FCh]
		push	esi
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		mov	eax, [esi]
		lea	esi, [edi-428h]
		mov	[edi-3F4h], eax

loc_92AB77:				; CODE XREF: CmpMountPreloadedHives+9A189j
		mov	ecx, esi
		call	HvpDropPagedBins
		mov	[ebp+var_184], eax
		test	eax, eax
		js	loc_92AC59
		mov	eax, [edi-408h]
		cmp	[eax+0FFCh], ebx
		jnz	short loc_92ABA3
		cmp	[ebp+var_18C], 0
		jz	short loc_92ABC3

loc_92ABA3:				; CODE XREF: CmpMountPreloadedHives+9A1C6j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		push	0Ch
		pop	edx
		mov	ecx, esi
		call	CmpFlushHive
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	eax, [edi-408h]
		mov	[eax+0FFCh], ebx

loc_92ABC3:				; CODE XREF: CmpMountPreloadedHives+9A1CFj
		cmp	ds:_CmpCannotWriteConfiguration, 0
		jz	short loc_92ABD1
		call	_CmpDiskFullWarning@0 ;	CmpDiskFullWarning()

loc_92ABD1:				; CODE XREF: CmpMountPreloadedHives+9A1F8j
		mov	ebx, [edi-3C4h]
		mov	eax, ebx
		and	eax, 0FFFFF7FFh
		mov	[edi-3C4h], eax
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, ds:_PsInitialSystemProcess
		lea	eax, [ebp+var_1C]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		shr	ebx, 0Bh
		mov	ecx, esi
		and	bl, 1
		mov	dl, bl
		call	CmpInitCmRM
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		or	dword ptr [edi+558h], 8
		mov	eax, [edi+578h]
		test	eax, eax
		jz	short loc_92AC3E
		push	eax
		push	offset _CmKtmNotification@28 ; CmKtmNotification(x,x,x,x,x,x,x)
		push	dword ptr [eax+1Ch]
		call	ds:__imp__TmEnableCallbacks@12 ; TmEnableCallbacks(x,x,x)
		mov	ecx, [edi+578h]
		call	CmRmFinalizeRecovery

loc_92AC3E:				; CODE XREF: CmpMountPreloadedHives+9A250j
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	edx, [ebp+var_1B0]
		xor	ebx, ebx

loc_92AC4B:				; CODE XREF: CmpMountPreloadedHives+99E81j
		or	dword ptr [edi+558h], 4
		mov	edi, [edi]
		jmp	loc_890A93
; 

loc_92AC59:				; CODE XREF: CmpMountPreloadedHives+9A1B4j
		push	60h
		jmp	loc_92A7D0
; 

loc_92AC60:				; CODE XREF: CmpMountPreloadedHives+9A11Bj
		push	40h
		jmp	loc_92A7D0
; 

loc_92AC67:				; CODE XREF: CmpMountPreloadedHives+9A04Fj
		push	30h
		jmp	loc_92A7D0
; 

loc_92AC6E:				; CODE XREF: CmpMountPreloadedHives+9A01Bj
		push	20h
		jmp	loc_92A7D0
; END OF FUNCTION CHUNK	FOR CmpMountPreloadedHives
; 
; START	OF FUNCTION CHUNK FOR CmpAdminSystemSecurityDescriptor

loc_92AC75:				; CODE XREF: CmpAdminSystemSecurityDescriptor+BBj
		push	0
		push	0
		push	3
		jmp	short loc_92AC82
; 

loc_92AC7D:				; CODE XREF: CmpAdminSystemSecurityDescriptor+36j
					; CmpAdminSystemSecurityDescriptor+3Ej
		push	0
		push	0
		push	esi

loc_92AC82:				; CODE XREF: CmpAdminSystemSecurityDescriptor+9A1C5j
					; CmpAdminSystemSecurityDescriptor+9A1D8j ...
		push	0Bh
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_92AC8B:				; CODE XREF: CmpAdminSystemSecurityDescriptor+D0j
		push	eax
		push	4
		jmp	short loc_92AC82
; 

loc_92AC90:				; CODE XREF: CmpAdminSystemSecurityDescriptor+123j
		push	0
		push	0
		push	6
		jmp	short loc_92AC82
; 

loc_92AC98:				; CODE XREF: CmpAdminSystemSecurityDescriptor+14Aj
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	[ebp+var_4]
		push	7
		jmp	short loc_92AC82
; 

loc_92ACA7:				; CODE XREF: CmpAdminSystemSecurityDescriptor+163j
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	[ebp+var_4]
		push	8
		jmp	short loc_92AC82
; 

loc_92ACB6:				; CODE XREF: CmpAdminSystemSecurityDescriptor+EAj
					; CmpAdminSystemSecurityDescriptor+106j
		push	0
		push	eax
		push	5
		jmp	short loc_92AC82
; 

loc_92ACBD:				; CODE XREF: CmpAdminSystemSecurityDescriptor+51j
					; CmpAdminSystemSecurityDescriptor+65j
		push	0
		push	0
		push	2
		jmp	short loc_92AC82
; END OF FUNCTION CHUNK	FOR CmpAdminSystemSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR CmpOpenDevicesControlSet

loc_92ACC5:				; CODE XREF: CmpOpenDevicesControlSet+DDj
		cmp	_CmStateSeparationEnabled, esi
		jz	loc_890D64
		mov	eax, 100h
		mov	[ebp+var_118], esi
		mov	ecx, (offset loc_A3F617+1)
		mov	word ptr [ebp+var_118+2], ax
		lea	eax, [ebp+var_10C]
		mov	ebx, ecx
		push	ecx		; char
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_118]
		push	offset ??_C@_1FA@FPGGIGOJ@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\%wZ\\CurrentControlSet"...
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		mov	edi, eax
		add	esp, 0Ch
		test	edi, edi
		js	loc_890D64
		lea	eax, [ebp+var_138]
		push	eax
		push	20019h
		lea	eax, [ebp+var_110]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		jmp	loc_890D21
; END OF FUNCTION CHUNK	FOR CmpOpenDevicesControlSet
; 
; START	OF FUNCTION CHUNK FOR PspIsDfssEnabled

loc_92AD34:				; CODE XREF: PspIsDfssEnabled+6Fj
		cmp	[ebp+var_8], 0
		jz	short loc_92AD58
		mov	eax, [ebp+var_C]
		add	edi, 8
		add	eax, 8
		mov	bl, 1
		mov	[ebp+var_C], eax
		cmp	edi, 10h
		jnb	loc_890E56
		xor	ecx, ecx
		jmp	loc_890DF5
; 

loc_92AD58:				; CODE XREF: PspIsDfssEnabled+99F62j
		xor	bl, bl
		jmp	loc_890E4F
; END OF FUNCTION CHUNK	FOR PspIsDfssEnabled
; 
; START	OF FUNCTION CHUNK FOR PfTLoggingWorker

loc_92AD5F:				; CODE XREF: PfTLoggingWorker+9Ej
		push	3
		pop	esi
		jmp	loc_890F02
; 

loc_92AD67:				; CODE XREF: PfTLoggingWorker+BDj
		cmp	esi, 1
		jnz	loc_890ED9
		jmp	loc_890FDF
; 

loc_92AD75:				; CODE XREF: PfTLoggingWorker+1A1j
		lea	eax, [esp+0A0h+var_90]
		xor	edi, edi
		push	eax
		push	edi
		push	edi
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_890F55
; 

loc_92AD88:				; CODE XREF: PfTLoggingWorker+10Ej
					; PfTLoggingWorker+11Fj
		call	_PfTGenerateTrace@0 ; PfTGenerateTrace()
		jmp	loc_890ED9
; 

loc_92AD92:				; CODE XREF: PfTLoggingWorker+13Ej
		lea	eax, [esp+0A0h+var_90]
		push	eax
		push	edi
		push	edi
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_890FA2
; 

loc_92ADA3:				; CODE XREF: PfTLoggingWorker+16Cj
		lea	eax, [esp+0A0h+var_90]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	eax, 3E8h
		jmp	loc_890FD3
; 

loc_92ADBB:				; CODE XREF: PfTLoggingWorker+179j
		cmp	esi, 2710h
		jb	loc_890FAE
		jmp	loc_890FDD
; 

loc_92ADCC:				; CODE XREF: PfTLoggingWorker+C5j
		mov	ecx, [esp+0A0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; END OF FUNCTION CHUNK	FOR PfTLoggingWorker

;  S U B	R O U T	I N E 


sub_92ADE3	proc near		; DATA XREF: .text:006A7274o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		push	eax
		call	ds:__imp__RpcExceptionFilter@4 ; RpcExceptionFilter(x)
		retn
sub_92ADE3	endp


;  S U B	R O U T	I N E 


sub_92ADF5	proc near		; DATA XREF: .text:006A7278o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-28h]
		xor	edi, edi
		mov	[ebp-1Ch], edi
		jmp	loc_89107B
sub_92ADF5	endp

; 
; START	OF FUNCTION CHUNK FOR PiSwIrpInterfaceSetState

loc_92AE05:				; CODE XREF: PiSwIrpInterfaceSetState+A8j
		mov	esi, 0C00000BBh
		jmp	loc_8910E6
; 

loc_92AE0F:				; CODE XREF: PiSwIrpInterfaceSetState+28j
					; PiSwIrpInterfaceSetState+75j	...
		mov	esi, 0C000000Dh
		jmp	loc_8910F9
; END OF FUNCTION CHUNK	FOR PiSwIrpInterfaceSetState
; 
; START	OF FUNCTION CHUNK FOR PiSwIrpCleanup

loc_92AE19:				; CODE XREF: PiSwIrpCleanup+42j
		mov	ecx, [esp+18h+var_C]
		call	_PiSwFindSwDevice@4 ; PiSwFindSwDevice(x)
		test	eax, eax
		jz	loc_8911DA
		cmp	[eax+60h], ebx
		jnz	short loc_92AE39
		test	byte ptr [eax+4], 2
		jz	loc_8911AF

loc_92AE39:				; CODE XREF: PiSwIrpCleanup+99CEDj
		mov	eax, [eax+3Ch]
		jmp	loc_891169
; 

loc_92AE41:				; CODE XREF: PiSwIrpCleanup+74j
		xor	ecx, ecx
		add	eax, 38h
		xchg	ecx, [eax]
		test	ecx, ecx
		jz	loc_8911BA
		mov	edi, [esi+4Ch]
		and	dword ptr [esi+4Ch], 0
		jmp	loc_8911BA
; 

loc_92AE5C:				; CODE XREF: PiSwIrpCleanup+80j
		lea	ecx, [esi+28h]
		xor	dl, dl
		call	_PiSwCloseDescendants@8	; PiSwCloseDescendants(x,x)
		mov	ecx, esi
		call	_PiSwCloseDevice@4 ; PiSwCloseDevice(x)
		jmp	loc_8911C6
; 

loc_92AE72:				; CODE XREF: PiSwIrpCleanup+8Dj
		and	dword ptr [edi+1Ch], 0
		xor	dl, dl
		mov	ecx, edi
		mov	dword ptr [edi+18h], 0C0000120h
		call	IofCompleteRequest
		jmp	loc_8911D3
; END OF FUNCTION CHUNK	FOR PiSwIrpCleanup
; 
; START	OF FUNCTION CHUNK FOR PiSwIrpInterfaceRegister

loc_92AE8B:				; CODE XREF: PiSwIrpInterfaceRegister+37j
		mov	esi, 0C000000Dh

loc_92AE90:				; CODE XREF: PiSwIrpInterfaceRegister+52j
					; PiSwIrpInterfaceRegister+80j	...
		cmp	[ebp+var_24], 0
		jz	loc_891434
		cmp	[ebp+var_19], 0
		jz	loc_891434
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiSwLockObj
		call	ExAcquireResourceExclusiveLite
		mov	eax, [ebp+var_24]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_891484
		cmp	[ecx], eax
		jnz	loc_891484
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, offset _PiSwLockObj
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_24]
		call	_PiSwInterfaceFree@4 ; PiSwInterfaceFree(x)
		jmp	loc_891434
; END OF FUNCTION CHUNK	FOR PiSwIrpInterfaceRegister

;  S U B	R O U T	I N E 


sub_92AEFF	proc near		; DATA XREF: .text:006A7294o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		push	eax
		call	ds:__imp__RpcExceptionFilter@4 ; RpcExceptionFilter(x)
		retn
sub_92AEFF	endp


;  S U B	R O U T	I N E 


sub_92AF11	proc near		; DATA XREF: .text:006A7298o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-3Ch]
		xor	ebx, ebx
		mov	[ebp-20h], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-40h]
		jmp	loc_89125C
sub_92AF11	endp

; 
; START	OF FUNCTION CHUNK FOR PiSwIrpInterfaceRegister

loc_92AF2B:				; CODE XREF: PiSwIrpInterfaceRegister+9Ej
		cmp	[eax+8], ebx
		jz	loc_891282

loc_92AF34:				; CODE XREF: PiSwIrpInterfaceRegister+8Bj
					; PiSwIrpInterfaceRegister+93j	...
		mov	esi, 0C000000Dh
		jmp	loc_89142C
; 

loc_92AF3E:				; CODE XREF: PiSwIrpInterfaceRegister+ACj
		test	ecx, ecx
		jnz	short loc_92AF34
		jmp	loc_891290
; 

loc_92AF47:				; CODE XREF: PiSwIrpInterfaceRegister+E4j
					; PiSwIrpInterfaceRegister+EEj
		mov	esi, 0C00000BBh
		jmp	loc_8913D0
; 

loc_92AF51:				; CODE XREF: PiSwIrpInterfaceRegister+13Cj
		mov	ecx, [ebp+var_20]
		push	dword ptr [ecx+8]
		push	dword ptr [ecx+0Ch]
		mov	edx, [eax+10h]
		mov	ecx, [eax+0Ch]
		call	PiSwUpdateArrayProperties
		mov	esi, eax
		jmp	loc_89135E
; END OF FUNCTION CHUNK	FOR PiSwIrpInterfaceRegister
; 
; START	OF FUNCTION CHUNK FOR PiSwInterfaceCreate

loc_92AF6C:				; CODE XREF: PiSwInterfaceCreate+25j
		mov	edi, 0C000009Ah

loc_92AF71:				; CODE XREF: PiSwInterfaceCreate+4Ej
					; PiSwInterfaceCreate+6Dj
		mov	ecx, [esi]
		test	ecx, ecx
		jz	loc_89159F
		call	_PiSwInterfaceFree@4 ; PiSwInterfaceFree(x)
		and	dword ptr [esi], 0
		jmp	loc_89159F
; END OF FUNCTION CHUNK	FOR PiSwInterfaceCreate
; 
; START	OF FUNCTION CHUNK FOR PiSwCompleteCreate

loc_92AF88:				; CODE XREF: PiSwCompleteCreate+94j
		mov	esi, 0C000000Dh
		jmp	loc_891750
; 

loc_92AF92:				; CODE XREF: PiSwCompleteCreate+B5j
		push	57706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_238]
		mov	[edi+28h], ebx
		mov	[edi+2Ch], ebx
		jmp	loc_891663
; 

loc_92AFAE:				; CODE XREF: PiSwCompleteCreate+191j
					; PiSwCompleteCreate+99A52j
		mov	edx, [edi+0Ch]
		lea	eax, [ebp+var_248]
		mov	ecx, [edi+8]
		push	eax
		push	dword ptr [edi+10h]
		call	PiSwInterfaceCreate
		mov	esi, eax
		test	esi, esi
		js	loc_891750
		mov	ecx, [ebp+var_230]
		lea	eax, [ebp+var_234]
		cmp	[ecx], eax
		jnz	short loc_92B001
		mov	edx, eax
		mov	eax, [ebp+var_248]
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ebp+var_230], eax
		mov	edi, [edi]
		cmp	edi, [ebp+var_228]
		jnz	short loc_92AFAE
		jmp	loc_89173F
; 

loc_92B001:				; CODE XREF: PiSwCompleteCreate+99A33j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_92B006:				; CODE XREF: PiSwCompleteCreate+1E7j
		mov	edx, [edi+8]
		lea	eax, [ebp+var_220]
		push	eax
		call	__CmGetDeviceInterfaceClassGuid@12 ; _CmGetDeviceInterfaceClassGuid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_891795
		mov	edx, [edi+8]
		lea	eax, [ebp+var_254]
		push	eax
		push	104h
		lea	eax, [ebp+var_210]
		push	eax
		call	_CmGetDeviceInterfaceReferenceString
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_92B048
		mov	al, bl
		jmp	short loc_92B070
; 

loc_92B048:				; CODE XREF: PiSwCompleteCreate+99A9Aj
		test	esi, esi
		js	loc_891795
		lea	eax, [ebp+var_210]
		mov	[ebp+var_221], 1
		push	eax
		lea	eax, [ebp+var_25C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	al, [ebp+var_221]

loc_92B070:				; CODE XREF: PiSwCompleteCreate+99A9Ej
		movzx	eax, al
		lea	ecx, [ebp+var_264]
		neg	eax
		push	ecx
		sbb	eax, eax
		lea	ecx, [ebp+var_25C]
		and	eax, ecx
		push	eax
		lea	eax, [ebp+var_220]
		push	eax
		push	[ebp+var_23C]
		call	IoRegisterDeviceInterface
		mov	esi, eax
		test	esi, esi
		js	loc_891795
		push	dword ptr [edi+10h]
		mov	ecx, [edi+8]
		push	dword ptr [edi+0Ch]
		push	3
		pop	edx
		call	PiSwPropertySet
		mov	esi, eax
		test	esi, esi
		js	loc_891795
		mov	edi, [edi]
		jmp	loc_891787
; END OF FUNCTION CHUNK	FOR PiSwCompleteCreate
; 
; START	OF FUNCTION CHUNK FOR PiSwFreeInterfaceList

loc_92B0C5:				; CODE XREF: PiSwFreeInterfaceList+9j
		cmp	[ecx+4], esi
		jnz	short loc_92B0E0
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_92B0E0
		mov	[esi], eax
		mov	[eax+4], esi
		call	_PiSwInterfaceFree@4 ; PiSwInterfaceFree(x)
		jmp	loc_891811
; 

loc_92B0E0:				; CODE XREF: PiSwFreeInterfaceList+998BCj
					; PiSwFreeInterfaceList+998C3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_92B0E5:				; CODE XREF: PiSwIrpStartCreate+24j
		mov	edi, 0C000000Dh
		jmp	loc_8918A3
; END OF FUNCTION CHUNK	FOR PiSwFreeInterfaceList
; 
; START	OF FUNCTION CHUNK FOR PiSwIrpStartCreate

loc_92B0EF:				; CODE XREF: PiSwIrpStartCreate+31j
		mov	edi, 0C0000023h
		jmp	loc_8918A3
; END OF FUNCTION CHUNK	FOR PiSwIrpStartCreate

;  S U B	R O U T	I N E 


sub_92B0F9	proc near		; DATA XREF: .text:006A72B4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		push	eax
		call	ds:__imp__RpcExceptionFilter@4 ; RpcExceptionFilter(x)
		retn
sub_92B0F9	endp


;  S U B	R O U T	I N E 


sub_92B10B	proc near		; DATA XREF: .text:006A72B8o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-24h]
		and	dword ptr [ebp-1Ch], 0
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-28h]
		jmp	loc_891890
sub_92B10B	endp

; 
; START	OF FUNCTION CHUNK FOR PiSwIrpStartCreate

loc_92B124:				; CODE XREF: PiSwIrpStartCreate+87j
		mov	[esi+18h], edi
		and	dword ptr [esi+1Ch], 0
		xor	dl, dl
		mov	ecx, esi
		call	IofCompleteRequest
		jmp	loc_8918AB
; END OF FUNCTION CHUNK	FOR PiSwIrpStartCreate
; 
; START	OF FUNCTION CHUNK FOR PiSwIrpStartCreateWorker

loc_92B139:				; CODE XREF: PiSwIrpStartCreateWorker+58j
		mov	esi, 0C00000BBh
		jmp	loc_89193E
; 

loc_92B143:				; CODE XREF: PiSwIrpStartCreateWorker+108j
		mov	esi, 0C000009Ah

loc_92B148:				; CODE XREF: PiSwIrpStartCreateWorker+DAj
					; PiSwIrpStartCreateWorker+139j ...
		cmp	[esp+30h+var_1D], 0
		jz	loc_891AB5
		lea	eax, [esp+30h+var_1C]
		push	eax
		push	offset _PiSwDeviceInstanceTable
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		mov	ecx, [esp+30h+var_1C]
		call	PiSwDeviceDereference
		mov	ecx, [esp+30h+var_1C]
		cmp	dword ptr [ecx+3Ch], 0
		jz	loc_891AB5
		call	_PiSwBusRelationRemove@4 ; PiSwBusRelationRemove(x)
		jmp	loc_891AB5
; 

loc_92B183:				; CODE XREF: PiSwIrpStartCreateWorker+BAj
		lock inc dword ptr [eax]
		mov	ecx, [esp+30h+var_1C]
		mov	eax, [ecx+4]
		test	al, 1
		jz	short loc_92B19B
		mov	esi, 0C0000035h
		jmp	loc_891AB5
; 

loc_92B19B:				; CODE XREF: PiSwIrpStartCreateWorker+998AFj
		test	al, 2
		jnz	loc_92B262
		mov	eax, [ecx+40h]
		test	eax, eax
		jz	loc_92B262
		mov	eax, [eax+28h]
		test	byte ptr [eax+4], 2
		jnz	short loc_92B227
		mov	edx, edi
		call	_PiSwDoesCreateChangesRequireReEnum@8 ;	PiSwDoesCreateChangesRequireReEnum(x,x)
		test	al, al
		jnz	short loc_92B223
		mov	edx, [edi+38h]
		lea	eax, [esp+30h+var_8]
		and	[esp+30h+var_C], 0
		and	[esp+30h+var_8], 0
		push	eax
		lea	eax, [esp+34h+var_C]
		push	eax
		push	ecx
		mov	ecx, [edi+34h]
		call	PnpCopyDevPropertyArray
		mov	esi, eax
		test	esi, esi
		js	loc_891AB5
		mov	ecx, [esp+30h+var_1C]
		mov	edx, [ecx+58h]
		test	edx, edx
		jz	short loc_92B208
		mov	ecx, [ecx+5Ch]
		push	57706E50h
		call	_PnpFreeDevPropertyArray@12 ; PnpFreeDevPropertyArray(x,x,x)
		mov	ecx, [esp+30h+var_1C]

loc_92B208:				; CODE XREF: PiSwIrpStartCreateWorker+99915j
		mov	eax, [esp+30h+var_C]
		mov	[ecx+5Ch], eax
		mov	ecx, [esp+30h+var_1C]
		mov	eax, [esp+30h+var_8]
		mov	[ecx+58h], eax
		mov	al, [esp+30h+var_1E]
		jmp	loc_891A50
; 

loc_92B223:				; CODE XREF: PiSwIrpStartCreateWorker+998E0j
		mov	ecx, [esp+30h+var_1C]

loc_92B227:				; CODE XREF: PiSwIrpStartCreateWorker+998D5j
		mov	eax, [ecx+30h]
		test	eax, eax
		jz	short loc_92B241
		mov	ecx, eax
		call	_PiSwQueuedCreateInfoFree@4 ; PiSwQueuedCreateInfoFree(x)
		mov	eax, [esp+30h+var_1C]
		and	dword ptr [eax+30h], 0
		mov	ecx, [esp+30h+var_1C]

loc_92B241:				; CODE XREF: PiSwIrpStartCreateWorker+9994Cj
		add	ecx, 30h
		mov	edx, edi
		call	_PiSwQueuedCreateInfoCreate@8 ;	PiSwQueuedCreateInfoCreate(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_891AB5
		mov	eax, [esp+30h+var_1C]
		or	dword ptr [eax+4], 2
		jmp	loc_891A35
; 

loc_92B262:				; CODE XREF: PiSwIrpStartCreateWorker+998BDj
					; PiSwIrpStartCreateWorker+998C8j
		mov	ecx, [ecx+3Ch]
		mov	edx, 746C6644h
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	esi, eax
		mov	eax, [esp+30h+var_1C]
		mov	[esp+30h+var_18], esi
		mov	[esp+30h+var_8], eax
		test	esi, esi
		jz	short loc_92B2BE
		push	1
		mov	edx, esi
		mov	ecx, eax
		call	_PiSwFindPdoAssociation@12 ; PiSwFindPdoAssociation(x,x,x)
		test	eax, eax
		jz	short loc_92B2BA
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	ecx, [esp+30h+var_1C]
		xor	eax, eax
		mov	edx, edi
		mov	[esp+30h+var_18], eax
		lea	ecx, [ecx+30h]
		call	_PiSwQueuedCreateInfoCreate@8 ;	PiSwQueuedCreateInfoCreate(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_891AB5
		jmp	loc_891A4A
; 

loc_92B2BA:				; CODE XREF: PiSwIrpStartCreateWorker+999AEj
		mov	eax, [esp+30h+var_8]

loc_92B2BE:				; CODE XREF: PiSwIrpStartCreateWorker+9999Fj
		and	dword ptr [eax+4], 0FFFFFFFBh
		mov	ecx, [esp+30h+var_1C]
		call	_PiSwBusRelationRemove@4 ; PiSwBusRelationRemove(x)
		mov	ecx, [esp+30h+var_1C]
		lea	ecx, [ecx+10h]
		call	_PiSwPnPInfoFree@4 ; PiSwPnPInfoFree(x)
		mov	ecx, [esp+30h+var_1C]
		mov	esi, 57706E50h
		mov	eax, [ecx+50h]
		test	eax, eax
		jz	short loc_92B302
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+30h+var_1C]
		and	dword ptr [eax+50h], 0
		mov	eax, [esp+30h+var_1C]
		and	dword ptr [eax+54h], 0
		mov	ecx, [esp+30h+var_1C]

loc_92B302:				; CODE XREF: PiSwIrpStartCreateWorker+99A05j
		mov	edx, [ecx+58h]
		test	edx, edx
		jz	short loc_92B326
		mov	ecx, [ecx+5Ch]
		push	esi
		call	_PnpFreeDevPropertyArray@12 ; PnpFreeDevPropertyArray(x,x,x)
		mov	eax, [esp+30h+var_1C]
		and	dword ptr [eax+5Ch], 0
		mov	eax, [esp+30h+var_1C]
		and	dword ptr [eax+58h], 0
		mov	ecx, [esp+30h+var_1C]

loc_92B326:				; CODE XREF: PiSwIrpStartCreateWorker+99A27j
		add	ecx, 64h
		call	PiSwFreeInterfaceList
		mov	ecx, [esp+30h+var_1C]
		mov	edx, edi
		lea	ecx, [ecx+10h]
		call	_PiSwPnPInfoInit@8 ; PiSwPnPInfoInit(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_891AB5
		mov	eax, [esp+30h+var_1C]
		mov	ecx, [edi+2Ch]
		mov	[eax+54h], ecx
		cmp	dword ptr [edi+30h], 0
		jz	short loc_92B389
		mov	ecx, [edi+2Ch]
		call	_PiSwAllocMem@4	; PiSwAllocMem(x)
		mov	ecx, [esp+30h+var_1C]
		mov	[ecx+50h], eax
		mov	eax, [esp+30h+var_1C]
		mov	eax, [eax+50h]
		test	eax, eax
		jnz	short loc_92B37A
		mov	esi, 0C000009Ah
		jmp	loc_891AB5
; 

loc_92B37A:				; CODE XREF: PiSwIrpStartCreateWorker+99A8Ej
		push	dword ptr [edi+2Ch] ; size_t
		push	dword ptr [edi+30h] ; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_92B389:				; CODE XREF: PiSwIrpStartCreateWorker+99A74j
		mov	ecx, [esp+30h+var_1C]
		mov	edx, [edi+38h]
		lea	eax, [ecx+58h]
		push	eax
		lea	eax, [ecx+5Ch]
		push	eax
		push	ecx
		mov	ecx, [edi+34h]
		call	PnpCopyDevPropertyArray
		mov	esi, eax
		test	esi, esi
		js	loc_891AB5
		mov	edx, [esp+30h+var_1C]
		mov	ecx, [edi+4]
		call	_PiSwBusRelationAdd@8 ;	PiSwBusRelationAdd(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_891AB5
		mov	eax, [esp+30h+var_1C]
		and	dword ptr [eax+4], 0FFFFFFFDh
		jmp	loc_891A4A
; 

loc_92B3CE:				; CODE XREF: PiSwIrpStartCreateWorker+18Aj
		mov	esi, 0C0000120h
		jmp	loc_92B148
; 

loc_92B3D8:				; CODE XREF: PiSwIrpStartCreateWorker+176j
		mov	eax, [esp+30h+var_1C]
		mov	edx, [esp+30h+var_10]
		mov	ecx, [ebx+0Ch]
		push	dword ptr [eax+2Ch]
		mov	edx, [edx+4]
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92B148
		mov	ecx, [ebx+0Ch]
		lea	eax, [esp+30h+var_4]
		push	eax
		mov	eax, [esp+34h+var_10]
		mov	edx, [eax+4]
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92B148
		jmp	loc_891A7E
; 

loc_92B41B:				; CODE XREF: PiSwIrpStartCreateWorker+A9j
		mov	esi, 0C000009Ah
		jmp	loc_891AAD
; 

loc_92B425:				; CODE XREF: PiSwIrpStartCreateWorker+1E4j
		mov	eax, [edi+38h]
		test	eax, eax
		jz	loc_891B0B
		push	dword ptr [edi+34h]
		mov	ecx, [ebx+0Ch]
		xor	edx, edx
		push	eax
		inc	edx
		call	PiSwPropertySet
		lea	esi, [eax+3FFFFFCCh]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jmp	loc_891B0B
; 

loc_92B450:				; CODE XREF: PiSwIrpStartCreateWorker+1F8j
		mov	eax, [esp+30h+var_4]
		add	eax, 2
		mov	[ebx+1Ch], eax

loc_92B45A:				; CODE XREF: PiSwIrpStartCreateWorker+235j
		xor	dl, dl
		mov	[ebx+18h], esi
		mov	ecx, ebx
		call	IofCompleteRequest
		jmp	loc_891AE3
; 

loc_92B46B:				; CODE XREF: PiSwIrpStartCreateWorker+1ECj
		test	esi, esi
		js	loc_891AE3
		mov	eax, [esp+30h+var_1C]
		mov	dword ptr [eax+60h], 1
		mov	ecx, [esp+30h+var_1C]
		call	PiSwIrpCleanup
		jmp	loc_891AE3
; END OF FUNCTION CHUNK	FOR PiSwIrpStartCreateWorker
; 
; START	OF FUNCTION CHUNK FOR PnpCopyDevPropertyArray

loc_92B48C:				; CODE XREF: PnpCopyDevPropertyArray+58j
		mov	ebx, 0C000009Ah
		mov	[ebp+var_4], ebx

loc_92B494:				; CODE XREF: PnpCopyDevPropertyArray+8Fj
		mov	eax, [esi]
		test	eax, eax
		jz	loc_891C90
		and	[ebp+arg_4], 0
		cmp	dword ptr [edi], 0
		jbe	short loc_92B4CC
		xor	ebx, ebx

loc_92B4A9:				; CODE XREF: PnpCopyDevPropertyArray+998E1j
		mov	eax, [esi]
		push	57706E50h
		push	dword ptr [ebx+eax+24h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_4]
		lea	ebx, [ebx+28h]
		inc	eax
		mov	[ebp+arg_4], eax
		cmp	eax, [edi]
		jb	short loc_92B4A9
		mov	eax, [esi]
		mov	ebx, [ebp+var_4]

loc_92B4CC:				; CODE XREF: PnpCopyDevPropertyArray+998C1j
		push	57706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0
		and	dword ptr [esi], 0
		jmp	loc_891C90
; END OF FUNCTION CHUNK	FOR PnpCopyDevPropertyArray
; 
; START	OF FUNCTION CHUNK FOR PnpCopyDevProperty

loc_92B4E2:				; CODE XREF: PnpCopyDevProperty+2Ej
		push	esi
		push	edi
		mov	edx, 7FFFFFFFh
		call	PnpAllocatePWSTR
		mov	esi, eax
		test	esi, esi
		js	short loc_92B4FE
		jmp	loc_891CD0
; 

loc_92B4F9:				; CODE XREF: PnpCopyDevProperty+4Bj
		mov	esi, 0C000009Ah

loc_92B4FE:				; CODE XREF: PnpCopyDevProperty+99858j
		mov	edx, edi
		mov	ecx, ebx
		call	_PnpFreeDevProperty@8 ;	PnpFreeDevProperty(x,x)
		push	0Ah
		pop	ecx
		xor	eax, eax
		mov	edi, ebx
		rep stosd
		jmp	loc_891CFF
; END OF FUNCTION CHUNK	FOR PnpCopyDevProperty
; 
; START	OF FUNCTION CHUNK FOR PiSwValidateCreateData

loc_92B515:				; CODE XREF: PiSwValidateCreateData+203j
		cmp	[esi+10h], ebx
		jnz	loc_89215F
		cmp	[esi+18h], ebx
		jz	loc_89203F
		jmp	loc_89215F
; END OF FUNCTION CHUNK	FOR PiSwValidateCreateData

;  S U B	R O U T	I N E 


sub_92B52C	proc near		; DATA XREF: .text:006A72D4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		push	eax
		call	ds:__imp__RpcExceptionFilter@4 ; RpcExceptionFilter(x)
		retn
sub_92B52C	endp


;  S U B	R O U T	I N E 


sub_92B53E	proc near		; DATA XREF: .text:006A72D8o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-28h]
		xor	edi, edi
		mov	[ebp-1Ch], edi
		jmp	loc_892249
sub_92B53E	endp

; 
; START	OF FUNCTION CHUNK FOR PiSwIrpInterfacePropertySet

loc_92B54E:				; CODE XREF: PiSwIrpInterfacePropertySet+D1j
		mov	esi, 0C00000BBh
		jmp	loc_8922E5
; 

loc_92B558:				; CODE XREF: PiSwIrpInterfacePropertySet+E5j
		mov	esi, 0C0000225h
		jmp	loc_8922E5
; 

loc_92B562:				; CODE XREF: PiSwIrpInterfacePropertySet+28j
					; PiSwIrpInterfacePropertySet+79j ...
		mov	esi, 0C000000Dh
		jmp	loc_892311
; END OF FUNCTION CHUNK	FOR PiSwIrpInterfacePropertySet
; 
; START	OF FUNCTION CHUNK FOR IoRegisterDeviceInterface

loc_92B56C:				; CODE XREF: IoRegisterDeviceInterface+27j
					; IoRegisterDeviceInterface+3Bj ...
		mov	esi, 0C0000010h

loc_92B571:				; CODE XREF: IoRegisterDeviceInterface+FAj
		test	edi, edi
		jz	loc_892443
		push	edx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_892443
; END OF FUNCTION CHUNK	FOR IoRegisterDeviceInterface
; 
; START	OF FUNCTION CHUNK FOR IopRegisterDeviceInterface

loc_92B585:				; CODE XREF: IopRegisterDeviceInterface+A6j
					; IopRegisterDeviceInterface+99121j
		mov	esi, 0C000009Ah
		jmp	loc_92B668
; 

loc_92B58F:				; CODE XREF: IopRegisterDeviceInterface+CFj
		xor	eax, eax
		push	eax
		push	dword ptr [ebx]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [esp+100h+var_DC]
		push	20207050h
		lea	eax, [esi+esi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jz	short loc_92B585
		lea	ecx, [esp+100h+var_DC]
		push	ecx
		push	esi
		push	eax
		xor	eax, eax
		lea	edx, [esp+10Ch+var_A8]
		push	eax
		push	[esp+110h+var_CC]
		push	[esp+114h+var_E4]
		call	_CmGetDeviceInterfaceName
		mov	esi, eax
		jmp	loc_892565
; 

loc_92B5D5:				; CODE XREF: IopRegisterDeviceInterface+1CFj
		xor	eax, eax
		lea	edi, [esp+100h+Source2]
		stosd
		stosd
		stosd
		stosd
		jmp	loc_89266D
; 

loc_92B5E4:				; CODE XREF: IopRegisterDeviceInterface+228j
		lea	ecx, [esp+100h+var_C8]
		call	PiPnpRtlBeginOperation
		mov	esi, eax
		test	esi, esi
		js	loc_89275D
		mov	edx, [ebx]
		xor	eax, eax
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [esp+104h+var_F1]
		push	eax
		lea	eax, [esp+108h+var_E0]
		push	eax
		push	2
		call	__CmCreateDeviceInterface@24 ; _CmCreateDeviceInterface(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_89275D
		jmp	loc_8926BE
; 

loc_92B622:				; CODE XREF: IopRegisterDeviceInterface+234j
		mov	edx, [ebx]
		lea	eax, [esp+100h+var_F1+1]
		push	eax
		push	3
		pop	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_89275D
		mov	edi, [esp+100h+var_F1+1]
		jmp	loc_8926CA
; 

loc_92B644:				; CODE XREF: IopRegisterDeviceInterface+2A3j
		cmp	byte ptr [esp+100h+var_F1], 0
		jz	loc_89275D
		mov	edx, [ebx]
		xor	eax, eax
		mov	ecx, _PiPnpRtlCtx
		push	eax
		call	__CmDeleteDeviceInterface@12 ; _CmDeleteDeviceInterface(x,x,x)
		jmp	loc_89275D
; 

loc_92B664:				; CODE XREF: IopRegisterDeviceInterface+2E5j
		mov	edi, [esp+100h+var_EC]

loc_92B668:				; CODE XREF: IopRegisterDeviceInterface+82j
					; IopRegisterDeviceInterface+D7j ...
		mov	eax, [ebx]
		test	eax, eax
		jz	loc_892790
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebx], eax
		jmp	loc_892790
; 

loc_92B684:				; CODE XREF: IopRegisterDeviceInterface+305j
		push	[esp+100h+var_E0]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_89279B
; 

loc_92B692:				; CODE XREF: IopRegisterDeviceInterface+311j
		call	PiPnpRtlEndOperation
		jmp	loc_8927A7
; END OF FUNCTION CHUNK	FOR IopRegisterDeviceInterface
; 
; START	OF FUNCTION CHUNK FOR PiDmListInitEnumCallback

loc_92B69C:				; CODE XREF: PiDmListInitEnumCallback+117j
		push	5A706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_892937
; 

loc_92B6AC:				; CODE XREF: PiDmListInitEnumCallback+7Dj
		mov	ecx, [esp+78h+var_68]
		xor	edx, edx
		jmp	loc_892855
; 

loc_92B6B7:				; CODE XREF: PiDmListInitEnumCallback+131j
		mov	edi, 0C000009Ah
		jmp	loc_89289D
; END OF FUNCTION CHUNK	FOR PiDmListInitEnumCallback
; 
; START	OF FUNCTION CHUNK FOR PiDmListUpdateAggregationCountWorker

loc_92B6C1:				; CODE XREF: PiDmListUpdateAggregationCountWorker+AEj
		cmp	[ebp+var_14], 11h
		jnz	loc_892B30
		mov	eax, [ebp+arg_0]
		add	[esi], eax
		jmp	loc_892B30
; 

loc_92B6D5:				; CODE XREF: PiDmListUpdateAggregationCountWorker+A4j
		cmp	eax, 0C0000225h
		jz	loc_892B30
		cmp	eax, 0C0000023h
		jz	loc_892B30
		jmp	loc_892B38
; END OF FUNCTION CHUNK	FOR PiDmListUpdateAggregationCountWorker
; 
; START	OF FUNCTION CHUNK FOR RtlpLoadInstallLanguageFallback

loc_92B6F0:				; CODE XREF: RtlpLoadInstallLanguageFallback+49j
		mov	esi, 0C0000017h
		jmp	loc_892D04
; 

loc_92B6FA:				; CODE XREF: RtlpLoadInstallLanguageFallback+BCj
		cmp	[ebp+var_10], 1
		jnz	short loc_92B723
		movzx	eax, word ptr [ebx]
		mov	edi, ebx
		mov	ecx, eax
		test	ax, ax
		jz	short loc_92B737

loc_92B70C:				; CODE XREF: RtlpLoadInstallLanguageFallback+98ADDj
		lea	eax, [edi+2]
		cmp	cx, 2Ch
		jz	short loc_92B72D
		mov	edi, eax
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jnz	short loc_92B70C
		jmp	short loc_92B752
; 

loc_92B723:				; CODE XREF: RtlpLoadInstallLanguageFallback+98ABCj
					; RtlpLoadInstallLanguageFallback+98B29j
		mov	esi, 0C0000001h
		jmp	loc_892D04
; 

loc_92B72D:				; CODE XREF: RtlpLoadInstallLanguageFallback+98AD1j
		xor	ecx, ecx
		mov	[edi], cx
		mov	edi, eax
		movzx	ecx, word ptr [eax]

loc_92B737:				; CODE XREF: RtlpLoadInstallLanguageFallback+98AC8j
		test	cx, cx
		jz	short loc_92B752
		movzx	ecx, cx

loc_92B73F:				; CODE XREF: RtlpLoadInstallLanguageFallback+98B0Ej
		cmp	cx, 20h
		jnz	short loc_92B752
		add	edi, 2
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jnz	short loc_92B73F

loc_92B752:				; CODE XREF: RtlpLoadInstallLanguageFallback+98ADFj
					; RtlpLoadInstallLanguageFallback+98AF8j ...
		push	ebx
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jz	short loc_92B723
		mov	ecx, [ebp+var_14]
		mov	ax, word ptr [ebp+var_8]
		mov	[ecx], ax
		xor	eax, eax
		cmp	[edi], ax
		jz	loc_892D04
		push	edi
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jnz	short loc_92B7AF
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		mov	esi, 0C0000001h
		mov	[eax], cx
		jmp	loc_892D04
; 

loc_92B7AF:				; CODE XREF: RtlpLoadInstallLanguageFallback+98B59j
		mov	ecx, [ebp+arg_0]
		mov	ax, word ptr [ebp+var_8]
		mov	[ecx], ax
		jmp	loc_892D04
; 

loc_92B7BE:				; CODE XREF: RtlpLoadInstallLanguageFallback+22j
					; RtlpLoadInstallLanguageFallback+2Aj ...
		mov	esi, 0C000000Dh
		jmp	loc_892D04
; END OF FUNCTION CHUNK	FOR RtlpLoadInstallLanguageFallback
; 
; START	OF FUNCTION CHUNK FOR HvHiveStartMemoryBacked

loc_92B7C8:				; CODE XREF: HvHiveStartMemoryBacked+372j
		cmp	eax, 3
		jz	loc_892D55
		jmp	loc_892F9D
; 

loc_92B7D6:				; CODE XREF: HvHiveStartMemoryBacked+2A0j
		push	60h
		jmp	short loc_92B7DF
; 

loc_92B7DA:				; CODE XREF: HvHiveStartMemoryBacked+98C47j
		push	0D0h

loc_92B7DF:				; CODE XREF: HvHiveStartMemoryBacked+98AB0j
					; HvHiveStartMemoryBacked+98B1Dj ...
		mov	esi, 0C000009Ah
		jmp	short loc_92B7EB
; 

loc_92B7E6:				; CODE XREF: HvHiveStartMemoryBacked+98C1Dj
		push	0A0h

loc_92B7EB:				; CODE XREF: HvHiveStartMemoryBacked+98ABCj
					; HvHiveStartMemoryBacked+98B99j
		push	esi
		push	19h
		xor	edx, edx
		mov	ecx, edi
		call	SetFailureLocation
		jmp	short loc_92B81D
; 

loc_92B7F9:				; CODE XREF: HvHiveStartMemoryBacked+231j
		mov	ecx, [ebp+arg_28]
		mov	esi, 0C000014Ch
		push	0F0h
		push	esi
		push	19h
		xor	edx, edx
		call	SetFailureLocation
		push	dword ptr [ebx+48h]
		push	dword ptr [ebx+20h]
		call	dword ptr [ebx+10h]
		and	dword ptr [ebx+20h], 0

loc_92B81D:				; CODE XREF: HvHiveStartMemoryBacked+98ACFj
		mov	eax, esi
		jmp	loc_892F83
; 

loc_92B824:				; CODE XREF: HvHiveStartMemoryBacked+2AFj
		push	dword ptr [ebx+48h]
		push	esi
		call	dword ptr [ebx+10h]
		push	32314D43h
		push	1
		push	1000h
		call	dword ptr [ebx+0Ch]
		mov	esi, eax
		mov	[ebp+arg_C], esi
		test	esi, esi
		jnz	short loc_92B847
		push	70h
		jmp	short loc_92B7DF
; 

loc_92B847:				; CODE XREF: HvHiveStartMemoryBacked+98B19j
		mov	eax, [ebp+arg_24]
		mov	dword ptr [ebx+48h], 1000h
		test	eax, eax
		jz	loc_892FEA
		mov	dword ptr [eax], 32314D43h
		jmp	loc_892FEA
; 

loc_92B864:				; CODE XREF: HvHiveStartMemoryBacked+304j
		mov	dword ptr [esi+90h], 2
		jmp	loc_893032
; 

loc_92B873:				; CODE XREF: HvHiveStartMemoryBacked+347j
		lea	edi, [esi+70h]
		mov	esi, ecx
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+arg_C]
		mov	esi, ecx
		lea	edi, [edi+80h]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_C]
		jmp	loc_893075
; 

loc_92B893:				; CODE XREF: HvHiveStartMemoryBacked+351j
		lea	edi, [esi+94h]
		mov	esi, [ebp+arg_1C]
		movsd
		movsd
		movsd
		movsd
		jmp	loc_89307F
; 

loc_92B8A5:				; CODE XREF: HvHiveStartMemoryBacked+11Bj
		mov	ecx, esi
		call	_HvIsInPlaceBaseBlockValid@4 ; HvIsInPlaceBaseBlockValid(x)
		test	al, al
		jnz	short loc_92B8C6
		push	80h
		jmp	short loc_92B8BC
; 

loc_92B8B7:				; CODE XREF: HvHiveStartMemoryBacked+12Fj
					; HvHiveStartMemoryBacked+139j	...
		push	0B0h

loc_92B8BC:				; CODE XREF: HvHiveStartMemoryBacked+98B8Dj
		mov	esi, 0C000014Ch
		jmp	loc_92B7EB
; 

loc_92B8C6:				; CODE XREF: HvHiveStartMemoryBacked+98B86j
		mov	ecx, [esi+14h]
		mov	eax, [esi+18h]
		and	byte ptr [ebx+50h], 0FDh
		add	eax, 0FFFFF000h
		shl	ecx, 0Ch
		add	eax, ecx
		mov	[ebx+20h], esi
		mov	[ebx+9Ch], eax
		mov	ecx, ebx
		mov	dword ptr [ebx+98h], 1
		and	dword ptr [esi+0FF8h], 0
		mov	eax, [esi+4]
		mov	[ebx+6Ch], eax
		mov	[ebx+78h], eax
		mov	[ebx+70h], eax
		mov	edx, [esi+28h]
		push	0
		call	_HvpAdjustHiveFreeDisplay@12 ; HvpAdjustHiveFreeDisplay(x,x,x)
		mov	[ebp+arg_C], eax
		test	eax, eax
		jns	short loc_92B92C
		push	90h
		push	eax
		push	19h
		xor	edx, edx
		mov	ecx, edi
		call	SetFailureLocation
		mov	eax, [ebp+arg_C]
		jmp	loc_892F83
; 

loc_92B92C:				; CODE XREF: HvHiveStartMemoryBacked+98BE9j
		push	0
		lea	edx, [esi+1000h]
		mov	ecx, ebx
		call	HvpBuildMapForMemoryBackedHive
		mov	esi, eax
		test	esi, esi
		jns	loc_8930D9
		jmp	loc_92B7E6
; 

loc_92B94A:				; CODE XREF: HvHiveStartMemoryBacked+195j
		push	0C0h
		jmp	loc_92B7DF
; 

loc_92B954:				; CODE XREF: HvHiveStartMemoryBacked+1A4j
		push	dword ptr [ebx+48h]
		push	ecx
		call	dword ptr [ebx+10h]
		push	34314D43h
		push	1
		push	1000h
		call	dword ptr [ebx+0Ch]
		mov	[ebx+20h], eax
		test	eax, eax
		jz	loc_92B7DA
		mov	eax, [ebp+arg_24]
		mov	dword ptr [ebx+48h], 1000h
		test	eax, eax
		jz	loc_892EDF
		mov	dword ptr [eax], 34314D43h
		jmp	loc_892EDF
; 

loc_92B992:				; CODE XREF: HvHiveStartMemoryBacked+217j
		push	dword ptr [ebx+48h]
		push	dword ptr [ebx+20h]
		call	dword ptr [ebx+10h]
		mov	ecx, [ebp+arg_28]
		xor	edx, edx
		and	dword ptr [ebx+20h], 0
		push	0E0h
		push	edi
		push	19h
		call	SetFailureLocation
		mov	eax, edi
		jmp	loc_892F83
; 

loc_92B9B8:				; CODE XREF: HvHiveStartMemoryBacked+241j
		mov	ecx, [ebp+arg_20]
		test	ecx, ecx
		jz	loc_892F6F
		mov	byte ptr [ecx],	1
		mov	eax, [ebx+20h]
		jmp	loc_892F6F
; 

loc_92B9CE:				; CODE XREF: HvHiveStartMemoryBacked+123j
		mov	eax, 0C000000Dh
		jmp	loc_892F83
; END OF FUNCTION CHUNK	FOR HvHiveStartMemoryBacked
; 
; START	OF FUNCTION CHUNK FOR HvpBuildMapForMemoryBackedHive

loc_92B9D8:				; CODE XREF: HvpBuildMapForMemoryBackedHive+50j
		test	[ebp+arg_0], 20000h
		jnz	short loc_92BA28
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_92B9F3
		test	byte ptr _CmpBootType, 6
		jz	short loc_92BA28

loc_92B9F3:				; CODE XREF: HvpBuildMapForMemoryBackedHive+988FCj
		mov	eax, [ebp+var_C]
		mov	ecx, esi
		mov	[ebx+4], edx
		xor	edx, edx
		mov	dword ptr [ebx], 6E696268h
		inc	edx
		mov	dword ptr [ebx+8], 1000h
		mov	eax, [eax+20h]
		push	0
		push	edi
		push	4
		or	dword ptr [eax+0FF8h], 4
		mov	[ebp+var_1], 1
		call	SetFailureLocation
		jmp	loc_893142
; 

loc_92BA28:				; CODE XREF: HvpBuildMapForMemoryBackedHive+988F3j
					; HvpBuildMapForMemoryBackedHive+98905j
		mov	eax, 0C000014Ch
		push	0
		mov	edi, eax
		push	eax
		jmp	short loc_92BA3C
; 

loc_92BA34:				; CODE XREF: HvpBuildMapForMemoryBackedHive+60j
		mov	edi, 0C000009Ah
		push	10h
		push	edi

loc_92BA3C:				; CODE XREF: HvpBuildMapForMemoryBackedHive+98946j
		push	4
		xor	edx, edx
		mov	ecx, esi
		call	SetFailureLocation
		mov	eax, [ebp+var_10]
		mov	[esi+0F8h], eax
		mov	eax, [ebp+var_8]
		jmp	short loc_92BA76
; 

loc_92BA55:				; CODE XREF: HvpBuildMapForMemoryBackedHive+98j
		mov	eax, 0C000014Ch
		xor	edx, edx
		push	20h
		push	eax
		push	4
		mov	ecx, esi
		mov	edi, eax
		call	SetFailureLocation
		mov	eax, [ebx+8]
		mov	[esi+0F8h], eax
		mov	eax, [ebx+4]

loc_92BA76:				; CODE XREF: HvpBuildMapForMemoryBackedHive+98967j
		mov	[esi+0FCh], eax
		mov	[esi+100h], ebx
		jmp	loc_8931A3
; END OF FUNCTION CHUNK	FOR HvpBuildMapForMemoryBackedHive
; 
; START	OF FUNCTION CHUNK FOR CmpFindControlSet

loc_92BA87:				; CODE XREF: CmpFindControlSet+148j
		lea	eax, [ebp+var_1B4]
		push	eax
		push	[ebp+var_18C]
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_893576
		mov	edx, [ebp+var_18C]
		lea	ecx, [ebp+var_1CC]
		push	ecx
		lea	ecx, [ebp+var_1B8]
		push	ecx
		push	eax
		mov	ecx, esi
		call	CmpValueToData
		mov	edi, eax
		lea	eax, [ebp+var_1B4]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		test	edi, edi
		jz	loc_893576
		mov	al, [edi]
		mov	[ebx], al
		lea	eax, [ebp+var_1CC]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_893323
; 

loc_92BAE5:				; CODE XREF: CmpFindControlSet+1C0j
		lea	ecx, [ebp+var_1B4]
		push	ecx
		jmp	loc_893572
; END OF FUNCTION CHUNK	FOR CmpFindControlSet

;  S U B	R O U T	I N E 


sub_92BAF1	proc near		; CODE XREF: CmpValueToData+32j
		push	ebx
		push	dword ptr [ebp-8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	dword ptr [ebp+8]
		push	esi
		push	ebx
		push	8
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_92BB09:				; CODE XREF: RtlpMuiRegLoadRegistryInfo+1Bj
		push	eax
		push	(offset	loc_8C9E55+1)
		call	_DbgPrint
		pop	ecx
		pop	ecx
		jmp	loc_8937C7
sub_92BAF1	endp

; 
; START	OF FUNCTION CHUNK FOR RtlpPopulateLanguageConfigList

loc_92BB1B:				; CODE XREF: RtlpPopulateLanguageConfigList+A7j
		cmp	[ebp+var_21C], 7
		jnz	loc_92BD81
		mov	ecx, [ebp+var_210]
		lea	eax, [ecx+18h]
		cmp	eax, 200h
		ja	loc_92BD81
		shr	ecx, 1
		lea	edx, [ebp+var_20C]
		mov	[ebp+var_240], ecx
		movzx	eax, word ptr [ebp+ecx*2+var_20C]
		mov	[ebp+var_23C], eax
		xor	eax, eax
		mov	word ptr [ebp+ecx*2+var_20C], ax
		lea	eax, [ebp+var_254]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_24C]
		lea	eax, [ebp+var_22E+1]
		push	eax
		call	_RtlpMuiRegGetLanguageSpec@20 ;	RtlpMuiRegGetLanguageSpec(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8938BB
		movzx	eax, byte ptr [ebp+var_22E+1]
		lea	esi, [ebp+var_220]
		mov	ecx, [ebp+var_23C]
		xor	edx, edx
		shl	ax, 0Eh
		mov	[ebp+var_230], ax
		mov	[ebp+var_22A], ax
		mov	ax, word ptr [ebp+var_254]
		mov	word ptr [ebp+var_22E+2], ax
		mov	eax, [ebp+var_240]
		mov	[ebp+var_228], edx
		mov	[ebp+var_224], edx
		mov	[ebp+var_23C], edx
		mov	word ptr [ebp+eax*2+var_20C], cx
		add	esi, [ebp+var_218]
		mov	[ebp+var_240], esi
		mov	byte ptr [ebp+var_22E],	dl
		mov	[ebp+var_258], edx
		jz	loc_92BD0C
		mov	ecx, [ebp+var_214]
		test	ecx, ecx
		jz	loc_92BD0C
		add	ecx, ecx
		mov	eax, edx
		mov	[ebp+var_244], ecx
		mov	[ebp+var_248], eax

loc_92BC17:				; CODE XREF: RtlpPopulateLanguageConfigList+984FCj
		cmp	[esi], dx
		jz	loc_92BD08
		test	ecx, ecx
		jle	loc_92BD08
		push	3
		pop	ecx
		cmp	ax, cx
		jnb	loc_92BD08
		lea	eax, [ebp+var_258]
		mov	edx, esi
		push	eax
		push	ecx
		mov	ecx, [ebp+var_24C]
		lea	eax, [ebp+var_22E]
		push	eax
		call	_RtlpMuiRegGetLanguageSpec@20 ;	RtlpMuiRegGetLanguageSpec(x,x,x,x,x)
		test	eax, eax
		js	short loc_92BCA6
		mov	eax, [ebp+var_248]
		movzx	ecx, ax
		push	3
		pop	eax
		mov	edx, eax
		add	ecx, ecx
		mov	al, byte ptr [ebp+var_22E]
		and	al, 3
		shl	dx, cl
		movzx	eax, al
		not	dx
		and	dx, [ebp+var_230]
		shl	ax, cl
		or	dx, ax
		mov	ax, word ptr [ebp+var_258]
		mov	[ebp+var_22A], dx
		mov	word ptr [ebp+ecx+var_228+2], ax
		mov	ax, [ebp+var_22A]
		mov	[ebp+var_230], ax

loc_92BCA6:				; CODE XREF: RtlpPopulateLanguageConfigList+9844Cj
		mov	edx, [ebp+var_244]
		lea	eax, [ebp+var_23C]
		push	eax
		mov	ecx, esi
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8938BB
		mov	esi, [ebp+var_240]
		mov	ecx, [ebp+var_244]
		add	esi, 2
		add	esi, [ebp+var_23C]
		push	0FFFFFFFEh
		pop	eax
		sub	eax, [ebp+var_23C]
		add	ecx, eax
		mov	[ebp+var_240], esi
		mov	eax, [ebp+var_248]
		inc	eax
		mov	[ebp+var_244], ecx
		mov	[ebp+var_248], eax
		push	0
		pop	edx
		test	esi, esi
		jnz	loc_92BC17

loc_92BD08:				; CODE XREF: RtlpPopulateLanguageConfigList+98414j
					; RtlpPopulateLanguageConfigList+9841Cj ...
		mov	esi, edx
		jmp	short loc_92BD11
; 

loc_92BD0C:				; CODE XREF: RtlpPopulateLanguageConfigList+983EDj
					; RtlpPopulateLanguageConfigList+983FBj
		mov	esi, 0C000000Dh

loc_92BD11:				; CODE XREF: RtlpPopulateLanguageConfigList+98504j
		test	esi, esi
		js	loc_8938BB
		mov	ecx, [ebp+var_24C]
		lea	edx, [ebp+var_22E+2]
		call	_RtlpMuiRegValidateConfigNode@8	; RtlpMuiRegValidateConfigNode(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8938BB
		test	edi, edi
		jnz	short loc_92BD52
		or	ecx, 0FFFFFFFFh
		call	_RtlpMuiRegCreateLanguageConfigList@4 ;	RtlpMuiRegCreateLanguageConfigList(x)
		mov	[ebp+var_234], eax
		test	eax, eax
		jz	short loc_92BD8C
		mov	ecx, [ebp+var_250]
		mov	[ecx], eax

loc_92BD52:				; CODE XREF: RtlpPopulateLanguageConfigList+98530j
		push	ecx
		lea	edx, [ebp+var_22E+2]
		lea	ecx, [ebp+var_234]
		call	_RtlpMuiRegConfigListAddLanguage@12 ; RtlpMuiRegConfigListAddLanguage(x,x,x)
		mov	edi, [ebp+var_234]
		mov	esi, eax
		test	esi, esi
		js	loc_8938BB
		mov	eax, [ebp+var_250]
		mov	[eax], edi
		jmp	loc_8938BB
; 

loc_92BD81:				; CODE XREF: RtlpPopulateLanguageConfigList+9831Cj
					; RtlpPopulateLanguageConfigList+98330j
		mov	eax, [ebp+var_238]
		jmp	loc_8938C8
; 

loc_92BD8C:				; CODE XREF: RtlpPopulateLanguageConfigList+98542j
		mov	esi, 0C0000017h
		jmp	loc_8938E0
; 

loc_92BD96:				; CODE XREF: RtlpPopulateLanguageConfigList+63j
					; RtlpPopulateLanguageConfigList+6Bj ...
		mov	esi, 0C000000Dh
		jmp	loc_8938D4
; 

loc_92BDA0:				; CODE XREF: RtlpPopulateLanguageConfigList+F2j
		test	edi, edi
		jz	loc_8938FE
		xor	eax, eax
		mov	[edi+4], ax
		jmp	loc_8938FE
; END OF FUNCTION CHUNK	FOR RtlpPopulateLanguageConfigList
; 
; START	OF FUNCTION CHUNK FOR _RtlpMuiRegLoadInstalled

loc_92BDB3:				; CODE XREF: _RtlpMuiRegLoadInstalled+Bj
		mov	eax, 0C000000Dh
		jmp	loc_893ADB
; 

loc_92BDBD:				; CODE XREF: _RtlpMuiRegLoadInstalled+6Bj
		mov	edi, 0C0000017h
		jmp	loc_893AE1
; END OF FUNCTION CHUNK	FOR _RtlpMuiRegLoadInstalled
; 
; START	OF FUNCTION CHUNK FOR RtlpMuiRegAddLanguageByName

loc_92BDC7:				; CODE XREF: RtlpMuiRegAddLanguageByName+47j
		lea	eax, [ebp+var_20]
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	__RtlpMuiRegInitLIPLanguage@12 ; _RtlpMuiRegInitLIPLanguage(x,x,x)
		jmp	short loc_92BDE3
; 

loc_92BDD6:				; CODE XREF: RtlpMuiRegAddLanguageByName+50j
		lea	eax, [ebp+var_20]
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	__RtlpMuiRegInitPartialLanguage@12 ; _RtlpMuiRegInitPartialLanguage(x,x,x)

loc_92BDE3:				; CODE XREF: RtlpMuiRegAddLanguageByName+982E4j
		mov	cl, byte ptr [ebp+var_20]
		jmp	loc_893B46
; END OF FUNCTION CHUNK	FOR RtlpMuiRegAddLanguageByName
; 
; START	OF FUNCTION CHUNK FOR LdrpQueryValueKey

loc_92BDEB:				; CODE XREF: LdrpQueryValueKey+1Dj
		mov	eax, 0C000000Dh
		jmp	loc_893C29
; 

loc_92BDF5:				; CODE XREF: LdrpQueryValueKey+30j
		xor	esi, esi
		jmp	loc_893BF1
; 

loc_92BDFC:				; CODE XREF: LdrpQueryValueKey+5Dj
		mov	ebx, 0C000009Ah
		jmp	loc_893C26
; END OF FUNCTION CHUNK	FOR LdrpQueryValueKey
; 
; START	OF FUNCTION CHUNK FOR _RtlpMuiRegValidateInstalled

loc_92BE06:				; CODE XREF: _RtlpMuiRegValidateInstalled+DFj
					; _RtlpMuiRegValidateInstalled+EAj
		push	55h
		pop	edx
		mov	[ebp+var_E0], edi
		call	_MuiRegAllocArray
		mov	ecx, eax
		mov	[ebp+var_F8], ecx
		test	ecx, ecx
		jnz	short loc_92BE2A
		mov	eax, 0C0000017h
		jmp	loc_893EEF
; 

loc_92BE2A:				; CODE XREF: _RtlpMuiRegValidateInstalled+9819Cj
		mov	eax, [ebp+var_D8]
		mov	[ebp+var_EC], ecx
		lea	ecx, [ebp+var_F0]
		movzx	eax, ax
		push	ecx
		push	eax
		mov	[ebp+var_F0], offset unk_AA0000
		call	_RtlLCIDToCultureName@8	; RtlLCIDToCultureName(x,x)
		test	al, al
		jz	loc_893DE1
		mov	edx, [ebp+var_EC]
		lea	eax, [ebp+var_E0]
		push	eax
		push	1
		mov	ecx, esi
		call	RtlpMuiRegGetOrAddString
		mov	ecx, edi
		test	eax, eax
		js	short loc_92BE7A
		mov	ecx, [ebp+var_E0]

loc_92BE7A:				; CODE XREF: _RtlpMuiRegValidateInstalled+981F0j
		push	31h
		pop	eax
		mov	word ptr [ebp+var_D4], ax
		xor	edx, edx
		xor	eax, eax
		mov	[ebp+var_CE], cx
		mov	word ptr [ebp+var_D4+2], ax
		mov	ecx, 3FFFh
		mov	eax, [ebp+var_D8]
		mov	[ebp+var_D0], ax
		xor	eax, eax
		and	ax, cx
		mov	[ebp+var_C8], edx
		mov	[ebp+var_CC], ax
		xor	eax, eax
		mov	[ebp+var_C4], edx
		mov	[ebp+var_C0], edx
		mov	[ebp+var_BC], edx
		mov	[ebp+var_CA], ax
		push	edx
		lea	ecx, [esi+14h]
		lea	edx, [ebp+var_D4]
		call	RtlpMuiRegGetOrAddLangInfo
		test	eax, eax
		js	loc_893DE1
		mov	edx, [esi+14h]
		movzx	eax, word ptr [edx+6]
		dec	eax
		jmp	loc_893D80
; 

loc_92BEF9:				; CODE XREF: _RtlpMuiRegValidateInstalled+14Fj
		mov	eax, [esi+14h]
		mov	edx, 0FFDFh
		mov	ecx, [ebp+var_E0]
		mov	eax, [eax+0Ch]
		and	[eax+ecx], dx
		mov	edx, 8000h
		mov	eax, [esi+14h]
		mov	eax, [eax+0Ch]
		or	[eax+ecx], dx
		jmp	loc_893DE1
; 

loc_92BF22:				; CODE XREF: _RtlpMuiRegValidateInstalled+19Ej
		mov	ecx, esi
		call	__RtlpMuiRegValidatePartialLanguage@8 ;	_RtlpMuiRegValidatePartialLanguage(x,x)
		mov	eax, [esi+14h]
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_E8], ecx
		movzx	ecx, word ptr [ecx+edi]
		mov	[ebp+var_E0], ecx
		test	ecx, 1000h
		jnz	short loc_92BF4D
		inc	[ebp+var_E4]

loc_92BF4D:				; CODE XREF: _RtlpMuiRegValidateInstalled+982C3j
		mov	edx, [ebp+var_D8]
		mov	ecx, eax
		test	ebx, ebx
		jnz	loc_893E26
		cmp	edx, [ebp+var_DC]
		jz	loc_893E26
		mov	eax, [ebp+var_E4]
		cmp	eax, [esi+48h]
		jbe	loc_893E26
		mov	eax, [ebp+var_E0]
		mov	ecx, 0FFDFh
		and	eax, ecx
		mov	ecx, [ebp+var_E8]
		mov	[ecx+edi], ax
		mov	ecx, 8000h
		mov	eax, [esi+14h]
		mov	eax, [eax+0Ch]
		or	[eax+edi], cx
		mov	ecx, [esi+14h]
		jmp	loc_893E26
; 

loc_92BFA6:				; CODE XREF: _RtlpMuiRegValidateInstalled+217j
		mov	ecx, edx
		mov	edx, [ebp+var_E4]
		cmp	edx, [esi+48h]
		jbe	loc_893E9F
		mov	ecx, 0FFDFh
		and	eax, ecx
		mov	ecx, [ebp+var_E0]
		mov	[ecx+edi], ax
		mov	ecx, 8000h
		mov	eax, [esi+14h]
		mov	eax, [eax+0Ch]
		or	[eax+edi], cx
		mov	ecx, [esi+14h]
		jmp	loc_893E9F
; 

loc_92BFDF:				; CODE XREF: _RtlpMuiRegValidateInstalled+249j
		mov	edx, edi
		mov	ecx, esi
		call	__RtlpMuiRegValidateLIPLanguage@8 ; _RtlpMuiRegValidateLIPLanguage(x,x)
		mov	edx, [esi+14h]
		jmp	loc_893ED1
; 

loc_92BFF0:				; CODE XREF: _RtlpMuiRegValidateInstalled+265j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_893EED
; END OF FUNCTION CHUNK	FOR _RtlpMuiRegValidateInstalled
; 
; START	OF FUNCTION CHUNK FOR RtlpLoadLanguageConfigList

loc_92BFFD:				; CODE XREF: RtlpLoadLanguageConfigList+52j
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_5]
		push	eax
		call	_RtlpLoadPolicyLanguageSpec@16 ; RtlpLoadPolicyLanguageSpec(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	loc_893F94
		push	[ebp+var_C]
		call	NtClose
		and	[ebp+var_C], 0
		jmp	loc_893F5E
; 

loc_92C02B:				; CODE XREF: RtlpLoadLanguageConfigList+79j
		cmp	edi, 0C0000034h
		jnz	loc_893F94
		xor	edi, edi
		jmp	loc_893F94
; 

loc_92C03E:				; CODE XREF: RtlpLoadLanguageConfigList+22j
					; RtlpLoadLanguageConfigList+2Bj
		mov	edi, 0C000000Dh
		jmp	loc_893F94
; 

loc_92C048:				; CODE XREF: RtlpLoadLanguageConfigList+9Ej
		test	esi, esi
		jz	loc_893FB3
		mov	eax, [esi]
		cmp	eax, ebx
		jz	loc_893FB3
		test	eax, eax
		jz	short loc_92C07F
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_92C07F
; 

loc_92C068:				; CODE XREF: RtlpLoadLanguageConfigList+A7j
		xor	ecx, ecx
		inc	ecx
		call	_RtlpMuiRegCreateLanguageConfigList@4 ;	RtlpMuiRegCreateLanguageConfigList(x)
		mov	[esi], eax
		test	eax, eax
		jnz	loc_893FB3
		mov	edi, 0C0000017h

loc_92C07F:				; CODE XREF: RtlpLoadLanguageConfigList+98156j
					; RtlpLoadLanguageConfigList+98160j
		mov	[esi], ebx
		jmp	loc_893FB3
; END OF FUNCTION CHUNK	FOR RtlpLoadLanguageConfigList
; 
; START	OF FUNCTION CHUNK FOR RtlpIsALicensedRegularLanguage

loc_92C086:				; CODE XREF: RtlpIsALicensedRegularLanguage+21j
		mov	edx, edi	; wchar_t *
		call	RtlpLangNameInMultiSzString
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFFCCh
		add	eax, 0C0000034h
		jmp	loc_89402E
; 

loc_92C0A3:				; CODE XREF: RtlpIsALicensedRegularLanguage+2Ej
		mov	edx, edi	; wchar_t *
		call	RtlpLangNameInMultiSzString
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000034h
		jmp	loc_89402E
; END OF FUNCTION CHUNK	FOR RtlpIsALicensedRegularLanguage
; 
; START	OF FUNCTION CHUNK FOR RtlpLangNameInMultiSzString

loc_92C0BB:				; CODE XREF: RtlpLangNameInMultiSzString+23j
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_92C0C0:				; CODE XREF: RtlpLangNameInMultiSzString+98091j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_92C0C0
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		jnz	loc_89404B
		jmp	loc_894063
; END OF FUNCTION CHUNK	FOR RtlpLangNameInMultiSzString
; 
; START	OF FUNCTION CHUNK FOR _RtlpMuiRegSerializeRegistryInfo

loc_92C0E0:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+5Aj
		mov	edx, [ebp+var_8]
		jmp	loc_894139
; 

loc_92C0E8:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+B2j
		mov	eax, [eax]
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_92C1EB
		lea	ecx, [eax+7]
		and	ecx, edx
		mov	[ebp+var_10], ecx
		jmp	loc_89417A
; 

loc_92C101:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+BDj
		cmp	[esi+4Ch], ebx
		jz	loc_894185
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_92C1EB
		lea	ecx, [eax+7]
		and	ecx, edx
		mov	[ebp+var_10], ecx
		jmp	loc_894185
; 

loc_92C121:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+C8j
		cmp	[esi+5Ch], ebx
		jz	loc_894190
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_92C1EB
		lea	ecx, [eax+7]
		and	ecx, edx
		mov	[ebp+var_10], ecx
		jmp	loc_894190
; 

loc_92C141:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+114j
		mov	ebx, 0C0000023h
		jmp	loc_8941B3
; 

loc_92C14B:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+1DCj
		push	dword ptr [ecx]	; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	ecx, [ebp+var_C]
		sub	eax, esi
		mov	[esi+24h], eax
		add	ecx, 7
		mov	eax, [edi+24h]
		mov	eax, [eax]
		add	ecx, eax
		and	ecx, 0FFFFFFF8h
		mov	[ebp+var_C], ecx
		lea	eax, [ecx+esi]
		mov	[ebp+var_8], eax
		jmp	loc_8942A4
; 

loc_92C17D:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+1E7j
		mov	edx, [edi+4Ch]
		test	edx, edx
		jz	loc_8942AF
		push	ecx		; size_t
		push	edx		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	ecx, [ebp+var_C]
		sub	eax, esi
		add	ecx, 7
		mov	[esi+4Ch], eax
		add	ecx, [edi+58h]
		and	ecx, 0FFFFFFF8h
		mov	[ebp+var_C], ecx
		lea	eax, [ecx+esi]
		mov	[ebp+var_8], eax
		jmp	loc_8942AF
; 

loc_92C1B5:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+1F2j
		mov	edx, [edi+5Ch]
		test	edx, edx
		jz	loc_8942BA
		push	ecx		; size_t
		push	edx		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	ecx, [ebp+var_C]
		sub	eax, esi
		mov	[esi+5Ch], eax
		add	ecx, 7
		mov	eax, [edi+60h]
		add	eax, ecx
		and	eax, 0FFFFFFF8h
		add	eax, esi
		mov	[ebp+var_8], eax
		jmp	loc_8942BA
; 

loc_92C1EB:				; CODE XREF: _RtlpMuiRegSerializeRegistryInfo+17j
					; _RtlpMuiRegSerializeRegistryInfo+22j	...
		mov	ebx, 0C000000Dh
		jmp	loc_8941B8
; END OF FUNCTION CHUNK	FOR _RtlpMuiRegSerializeRegistryInfo
; 
; START	OF FUNCTION CHUNK FOR RtlpMuiRegGetInstalledLanguageIndexByLangId

loc_92C1F5:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByLangId+6Dj
		mov	eax, [esp+20h+var_10]
		test	edi, 1000h
		jz	short loc_92C206
		mov	[esp+20h+var_11], 1

loc_92C206:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByLangId+59j
					; RtlpMuiRegGetInstalledLanguageIndexByLangId+97EFFj
		inc	ecx
		add	edx, 1Ch
		cmp	ecx, eax
		jl	loc_894355

loc_92C212:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByLangId+4Cj
		push	55h
		pop	edx
		call	_MuiRegAllocArray
		mov	edi, eax
		test	edi, edi
		jnz	short loc_92C22C
		mov	esi, 0C0000017h

loc_92C225:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByLangId+97F70j
					; RtlpMuiRegGetInstalledLanguageIndexByLangId+97F78j
		mov	eax, esi
		jmp	loc_89437C
; 

loc_92C22C:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByLangId+97F1Ej
		cmp	[ebp+arg_0], 0
		mov	[esp+20h+var_4], edi
		mov	[esp+20h+var_8], offset	unk_AA0000
		jz	short loc_92C263
		lea	eax, [esp+20h+var_8]
		push	eax
		movzx	eax, bx
		push	eax
		call	_RtlLCIDToCultureName@8	; RtlLCIDToCultureName(x,x)
		test	al, al
		jz	short loc_92C263
		push	[ebp+arg_4]
		mov	edx, [esp+24h+var_4]
		push	ecx
		mov	ecx, [esp+28h+var_C]
		call	_RtlpMuiRegGetInstalledLanguageIndexByName@16 ;	RtlpMuiRegGetInstalledLanguageIndexByName(x,x,x,x)
		mov	esi, eax

loc_92C263:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByLangId+97F3Cj
					; RtlpMuiRegGetInstalledLanguageIndexByLangId+97F4Ej
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[esp+20h+var_11], 0
		jz	short loc_92C225
		cmp	esi, 0C0000034h
		jnz	short loc_92C225
		mov	eax, 0C00000BBh
		jmp	loc_89437C
; END OF FUNCTION CHUNK	FOR RtlpMuiRegGetInstalledLanguageIndexByLangId
; 
; START	OF FUNCTION CHUNK FOR RtlpMuiRegGetOrAddString

loc_92C284:				; CODE XREF: RtlpMuiRegGetOrAddString+51j
		cmp	[ebp+arg_0], bl
		jz	loc_8944C7
		cmp	[ebp+var_C], ebx
		mov	ecx, [esi+18h]
		setz	al
		movzx	eax, al
		push	eax
		push	[ebp+var_8]
		call	_RtlpMuiRegGrowStringPool@16 ; RtlpMuiRegGrowStringPool(x,x,x,x)
		test	eax, eax
		jnz	short loc_92C2B3
		mov	eax, [ebp+var_4]
		mov	ebx, 0C0000017h
		jmp	loc_8944AF
; 

loc_92C2B3:				; CODE XREF: RtlpMuiRegGetOrAddString+97E4Cj
		or	dword ptr [esi], 2
		mov	edx, edi
		push	ebx
		push	1
		mov	ecx, eax
		mov	[esi+18h], eax
		call	RtlpMuiRegGetOrAddStringToPool
		movzx	eax, ax
		test	ax, ax
		jns	loc_8944AF
		mov	ebx, 0C0000017h
		jmp	loc_8944AF
; END OF FUNCTION CHUNK	FOR RtlpMuiRegGetOrAddString
; 
; START	OF FUNCTION CHUNK FOR RtlpMuiRegGetOrAddStringToPool

loc_92C2DB:				; CODE XREF: RtlpMuiRegGetOrAddStringToPool+71j
		test	esi, esi
		jz	loc_8945AC
		mov	[esi], edx
		jmp	loc_8945AC
; END OF FUNCTION CHUNK	FOR RtlpMuiRegGetOrAddStringToPool
; 
; START	OF FUNCTION CHUNK FOR NtSetDefaultLocale

loc_92C2EA:				; CODE XREF: NtSetDefaultLocale+41j
		mov	eax, large fs:124h
		mov	cl, [eax+15Ah]
		call	ExCheckFullProcessInformationAccess
		test	eax, eax
		js	loc_871C1B
		mov	edi, 240h
		mov	[esp+150h+var_13C], offset ??_C@_1IA@MCGGGFDM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		mov	ecx, offset ??_C@_1BA@GHOECOCL@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt@NNGAKEGL@ ; "D"
		jmp	loc_871B0F
; 

loc_92C31A:				; CODE XREF: NtSetDefaultLocale+13Cj
		cmp	ecx, 46h
		ja	loc_871BE6
		lea	eax, [ecx-37h]
		jmp	loc_871BC8
; 

loc_92C32B:				; CODE XREF: NtSetDefaultLocale+145j
		cmp	ecx, 66h
		ja	loc_871BEF
		lea	eax, [ecx-57h]
		jmp	loc_871BC8
; 

loc_92C33C:				; CODE XREF: NtSetDefaultLocale+F9j
		cmp	[esp+150h+var_104], 4
		jnz	short loc_92C353
		cmp	[esp+150h+var_100], 4
		jnz	short loc_92C353
		mov	ebx, [esp+150h+var_FC]
		jmp	loc_871BEF
; 

loc_92C353:				; CODE XREF: NtSetDefaultLocale+BA89Dj
					; NtSetDefaultLocale+BA8A4j
		mov	edi, 0C0000001h
		jmp	loc_871BEF
; 

loc_92C35D:				; CODE XREF: NtSetDefaultLocale+ABj
		cmp	[ebp+arg_0], 0
		jz	short loc_92C39D
		call	RtlIsMultiSessionSku
		test	al, al
		jnz	short loc_92C39D
		lea	eax, [esp+150h+var_120]
		push	eax
		push	40000000h
		lea	eax, [esp+158h+var_140]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_871BF8
		lea	eax, [esp+150h+var_134]
		push	eax
		push	[esp+154h+var_140]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	loc_871BEF
; 

loc_92C39D:				; CODE XREF: NtSetDefaultLocale+BA8BDj
					; NtSetDefaultLocale+BA8C6j
		lea	eax, [esp+150h+var_120]
		push	eax
		push	40000000h
		lea	eax, [esp+158h+var_140]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_871BF8
		mov	cl, [ebp+arg_0]
		lea	edi, [esp+150h+var_108]
		xor	eax, eax
		test	cl, cl
		setnz	al
		lea	eax, ds:8[eax*8]
		add	edi, eax
		xor	eax, eax
		mov	[edi], ax
		sub	edi, 2
		lea	eax, [esp+150h+var_108]
		cmp	edi, eax
		jb	short loc_92C412
		push	9
		pop	esi

loc_92C3E5:				; CODE XREF: NtSetDefaultLocale+BA964j
		mov	ecx, ebx
		lea	edx, [edi-2]
		and	ecx, 0Fh
		cmp	esi, ecx
		sbb	eax, eax
		shr	ebx, 4
		and	eax, 7
		add	eax, 30h
		add	ax, cx
		mov	[edi], ax
		lea	eax, [esp+150h+var_108]
		mov	edi, edx
		cmp	edx, eax
		jnb	short loc_92C3E5
		mov	ebx, [ebp+arg_4]
		xor	esi, esi
		mov	cl, [ebp+arg_0]

loc_92C412:				; CODE XREF: NtSetDefaultLocale+BA93Cj
		xor	eax, eax
		test	cl, cl
		setnz	al
		lea	eax, ds:0Ah[eax*8]
		push	eax
		lea	eax, [esp+154h+var_108]
		push	eax
		push	1
		push	esi
		lea	eax, [esp+160h+var_134]
		push	eax
		push	[esp+164h+var_140]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	edi, eax
		jmp	loc_871BEF
; END OF FUNCTION CHUNK	FOR NtSetDefaultLocale
; 
; START	OF FUNCTION CHUNK FOR ExpSetPendingUILanguage

loc_92C43E:				; CODE XREF: ExpSetPendingUILanguage+184j
		cmp	[ebp+var_138], 4
		jb	loc_871DF2
		cmp	[ebp+var_13C], 7
		jnz	loc_871DF2
		push	offset ??_C@_1CK@CDBMDBEP@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe?$AAd?$AAU?$AAI?$AAL?$AAa?$AAn?$AAg@NNGAKEGL@
		lea	eax, [ebp+var_458]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+var_138]
		lea	eax, [ebp+var_134]
		push	eax
		push	7
		push	0
		lea	eax, [ebp+var_458]
		push	eax
		push	[ebp+var_46C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_871DF2
		mov	[ebp+var_426], 1
		mov	ecx, [ebp+var_138]
		lea	eax, [ecx+0Ch]
		cmp	eax, 100h
		jnb	loc_871DF2
		shr	ecx, 1
		xor	eax, eax
		mov	word ptr [ebp+ecx*2+var_138+2],	ax
		push	esi
		lea	eax, [ebp+var_458]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_458]
		push	eax
		push	[ebp+var_46C]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		lea	eax, [ebp+var_134]
		push	eax
		lea	eax, [ebp+var_478]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1GG@KFEAKJAE@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?5?$AAP?$AAa?$AAn?$AAe?$AAl?$AA?2?$AAD@NNGAKEGL@
		lea	eax, [ebp+var_450]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_448], edi
		mov	eax, [ebp+var_464]
		mov	[ebp+var_444], eax
		mov	esi, 640h
		mov	[ebp+var_43C], esi
		lea	eax, [ebp+var_450]
		mov	[ebp+var_440], eax
		and	[ebp+var_438], 0
		and	[ebp+var_434], 0
		lea	eax, [ebp+var_448]
		push	eax
		push	40000000h
		lea	eax, [ebp+var_460]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_871DF2
		lea	eax, [ebp+var_45C]
		push	eax
		push	210h
		lea	eax, [ebp+var_420]
		push	eax
		push	2
		lea	eax, [ebp+var_478]
		push	eax
		push	[ebp+var_460]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_871DF2
		cmp	[ebp+var_41C], 7
		jnz	loc_871DF2
		push	offset ??_C@_1FI@DIKMNOCP@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?5?$AAP?$AAa?$AAn?$AAe?$AAl?$AA?2?$AAD@NNGAKEGL@
		lea	eax, [ebp+var_450]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_448], edi
		mov	eax, [ebp+var_464]
		mov	[ebp+var_444], eax
		mov	[ebp+var_43C], esi
		lea	eax, [ebp+var_450]
		mov	[ebp+var_440], eax
		xor	eax, eax
		mov	[ebp+var_438], eax
		mov	[ebp+var_434], eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_448]
		push	eax
		push	40000000h
		lea	eax, [ebp+var_42C]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_871DF2
		push	[ebp+var_418]
		lea	eax, [ebp+var_414]
		push	eax
		push	7
		push	0
		lea	eax, [ebp+var_478]
		push	eax
		push	[ebp+var_42C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_92C631
		lea	eax, [ebp+var_478]
		push	eax
		push	[ebp+var_460]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_92C631:				; CODE XREF: ExpSetPendingUILanguage+BA9B5j
		push	[ebp+var_42C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_871DF2
; 

loc_92C641:				; CODE XREF: ExpSetPendingUILanguage+24Dj
		cmp	[ebp+var_424], 0
		jz	loc_871FA9
		push	offset ??_C@_1DI@CNCPGFIN@?$AAM?$AAa?$AAc?$AAh?$AAi?$AAn?$AAe?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe@NNGAKEGL@	; "MachinePreferredUILanguages"
		lea	eax, [ebp+var_458]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_458]
		push	eax
		push	[ebp+var_424]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	loc_871FA9
; 

loc_92C676:				; CODE XREF: ExpSetPendingUILanguage+28Dj
		cmp	[ebp+var_138], 4
		jb	loc_871EFB
		cmp	[ebp+var_13C], 7
		jz	loc_871F55
		jmp	loc_871EFB
; 

loc_92C695:				; CODE XREF: ExpSetPendingUILanguage+2D7j
		mov	esi, 0C0000001h

loc_92C69A:				; CODE XREF: ExpSetPendingUILanguage+2B1j
					; ExpSetPendingUILanguage+2E7j
		push	esi		; char
		push	offset ??_C@_0EA@DMLFMMEC@sysinfo?3?5Can?8t?5set?5MachinePrefe@NNGAKEGL@ ; char	*
		push	0		; int
		push	0FFFFFFFFh	; int
		call	_DbgPrintEx
		add	esp, 10h
		cmp	[ebp+var_424], 0
		jz	loc_871F9E
		lea	eax, [ebp+var_458]
		push	eax
		push	[ebp+var_424]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	loc_871F9E
; 

loc_92C6D0:				; CODE XREF: ExpSetPendingUILanguage+330j
		push	offset ??_C@_0DA@PENNLMJM@sysinfo?3?5Can?8t?5set?5MachinePrefe@NNGAKEGL@ ; char	*
		push	0		; int
		push	0FFFFFFFFh	; int
		call	_DbgPrintEx
		add	esp, 0Ch
		jmp	loc_871F9E
; 

loc_92C6E6:				; CODE XREF: ExpSetPendingUILanguage+3A6j
		xor	esi, esi

loc_92C6E8:				; CODE XREF: ExpSetPendingUILanguage+BAB00j
		push	100h		; size_t
		push	0		; int
		lea	eax, [ebp+var_140]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_45C]
		push	eax
		push	0FEh
		lea	eax, [ebp+var_140]
		push	eax
		push	0
		push	esi
		push	[ebp+var_430]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_872014
		lea	eax, [ebp+var_134]
		push	eax
		lea	eax, [ebp+var_458]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_458]
		push	eax
		push	[ebp+var_430]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		test	eax, eax
		jns	short loc_92C766
		lea	eax, [ebp+var_134]
		push	eax
		push	offset ??_C@_0EH@NNGDDGGC@?$CK?$CK?$CK?5MUI?3?5Failed?5to?5delete?5value@NNGAKEGL@
		call	_DbgPrint
		pop	ecx
		pop	ecx
		inc	esi

loc_92C766:				; CODE XREF: ExpSetPendingUILanguage+BAAE8j
		test	edi, edi
		jns	loc_92C6E8
		jmp	loc_872014
; 

loc_92C773:				; CODE XREF: ExpSetPendingUILanguage+40Dj
		mov	[ebp+var_468], esi
		jmp	loc_8720D8
; 

loc_92C77E:				; CODE XREF: ExpSetPendingUILanguage+BAC6Aj
					; ExpSetPendingUILanguage+BAC8Dj
		mov	esi, [ebp+var_470]
		jmp	loc_87207B
; 

loc_92C789:				; CODE XREF: ExpSetPendingUILanguage+45Fj
		mov	edx, [ebp+var_410]
		lea	eax, [edx+18h]
		cmp	eax, 210h
		ja	loc_92C900
		mov	eax, [ebp+var_414]
		add	eax, [ebp+var_418]
		cmp	eax, 210h
		ja	loc_92C900
		cmp	[ebp+var_41C], 7
		jnz	loc_92C900
		mov	eax, 0AAh
		cmp	edx, eax
		jnb	loc_92C900
		push	eax		; size_t
		push	0		; int
		lea	eax, [ebp+var_200]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	[ebp+var_410]	; size_t
		lea	eax, [ebp+var_40C]
		push	eax		; void *
		lea	eax, [ebp+var_200]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_200]
		push	eax
		lea	eax, [ebp+var_458]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+var_430]
		test	ecx, ecx
		jnz	loc_92C8A2
		push	offset ??_C@_1DK@EOBOFKDB@?$AAM?$AAa?$AAc?$AAh?$AAi?$AAn?$AAe?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@NNGAKEGL@	; "MachineLanguageConfiguration"
		lea	eax, [ebp+var_450]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_448], 18h
		mov	eax, [ebp+var_424]
		mov	[ebp+var_444], eax
		mov	[ebp+var_43C], 640h
		lea	eax, [ebp+var_450]
		mov	[ebp+var_440], eax
		xor	eax, eax
		mov	[ebp+var_438], eax
		mov	[ebp+var_434], eax
		push	eax
		push	1
		push	eax
		push	eax
		lea	eax, [ebp+var_448]
		push	eax
		push	40000000h
		lea	eax, [ebp+var_430]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_468], esi
		test	esi, esi
		js	loc_8720D8
		mov	[ebp+var_425], 0
		mov	ecx, [ebp+var_430]

loc_92C8A2:				; CODE XREF: ExpSetPendingUILanguage+BABAFj
		push	[ebp+var_414]
		mov	eax, [ebp+var_418]
		lea	edx, [ebp+var_420]
		add	eax, edx
		push	eax
		push	7
		push	0
		lea	eax, [ebp+var_458]
		push	eax
		push	ecx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_468], eax
		test	esi, esi
		jns	loc_92C77E
		lea	eax, [ebp+var_200]
		push	eax
		push	offset ??_C@_0DO@JHBFNICF@?$CK?$CK?$CK?5MUI?3?5Can?8t?5copy?5language?5na@NNGAKEGL@
		call	_DbgPrint
		xor	esi, esi
		mov	[ebp+var_468], esi

loc_92C8F1:				; CODE XREF: ExpSetPendingUILanguage+BACA3j
		pop	ecx
		pop	ecx
		test	esi, esi
		jns	loc_92C77E
		jmp	loc_8720CD
; 

loc_92C900:				; CODE XREF: ExpSetPendingUILanguage+BAB2Fj
					; ExpSetPendingUILanguage+BAB46j ...
		push	edi
		push	offset ??_C@_0DO@KLNFOCHH@?$CK?$CK?$CK?5MUI?3?5Can?8t?5copy?5language?5na@NNGAKEGL@
		call	_DbgPrint
		jmp	short loc_92C8F1
; 

loc_92C90D:				; CODE XREF: ExpSetPendingUILanguage+48Bj
		lea	eax, [ebp+var_45C]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	[ebp+var_460]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	edi, 8000001Ah
		cmp	eax, edi
		jnz	short loc_92C939
		push	[ebp+var_460]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)

loc_92C939:				; CODE XREF: ExpSetPendingUILanguage+BACC4j
		push	[ebp+var_460]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8720FE
; 

loc_92C949:				; CODE XREF: ExpSetPendingUILanguage+4A7j
		cmp	[ebp+var_425], 0
		jz	loc_872143
		lea	ecx, [ebp+var_45C]
		push	ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	eax
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		cmp	eax, edi
		jnz	loc_872143
		jmp	loc_872115
; 

loc_92C976:				; CODE XREF: ExpSetPendingUILanguage+4B5j
		push	eax
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)
		jmp	loc_872123
; 

loc_92C981:				; CODE XREF: ExpSetPendingUILanguage+4D5j
		push	[ebp+var_424]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)
		jmp	loc_872143
; 

loc_92C991:				; CODE XREF: ExpSetPendingUILanguage+4EDj
		push	[ebp+var_430]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_87215B
; 

loc_92C9A1:				; CODE XREF: ExpSetPendingUILanguage+505j
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jnz	short loc_92C9C1
		cmp	byte ptr [eax+16Ah], 1
		jz	short loc_92C9C1
		mov	eax, [eax+0A8h]
		jmp	short loc_92C9C3
; 

loc_92C9C1:				; CODE XREF: ExpSetPendingUILanguage+BAD46j
					; ExpSetPendingUILanguage+BAD4Fj
		xor	eax, eax

loc_92C9C3:				; CODE XREF: ExpSetPendingUILanguage+BAD57j
		test	eax, eax
		jz	loc_872173
		and	[ebp+var_4], 0
		and	dword ptr [eax+0FC4h], 0
		mov	[ebp+var_4], 0FFFFFFFEh
		jmp	loc_872173
; END OF FUNCTION CHUNK	FOR ExpSetPendingUILanguage

;  S U B	R O U T	I N E 


sub_92C9E2	proc near		; DATA XREF: .text:006A72F4o
		mov	ebx, [ebp-1Ch]
		xor	eax, eax
		inc	eax
		retn
sub_92C9E2	endp


;  S U B	R O U T	I N E 


sub_92C9E9	proc near		; DATA XREF: .text:006A72F8o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp-468h]
		jmp	loc_872173
sub_92C9E9	endp

; 
; START	OF FUNCTION CHUNK FOR RtlpGetWindowsPolicy

loc_92CA01:				; CODE XREF: RtlpGetWindowsPolicy+59j
		mov	ebx, [ebx]
		test	ebx, ebx
		jnz	loc_894707
		mov	eax, [ebp+arg_4]
		and	[eax], esi
		jmp	loc_894748
; 

loc_92CA15:				; CODE XREF: RtlpGetWindowsPolicy+1Cj
					; RtlpGetWindowsPolicy+27j ...
		mov	edi, 0C000000Dh
		jmp	loc_894751
; 

loc_92CA1F:				; CODE XREF: RtlpGetWindowsPolicy+BBj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_894748
; END OF FUNCTION CHUNK	FOR RtlpGetWindowsPolicy
; 
; START	OF FUNCTION CHUNK FOR RtlOpenCurrentUser

loc_92CA2C:				; CODE XREF: RtlOpenCurrentUser+68j
		push	ds:off_A4098C
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+arg_0]
		mov	[ebp+var_1C], ebx
		push	[ebp+arg_4]
		mov	[ebp+var_14], 640h
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		jmp	loc_872280
; END OF FUNCTION CHUNK	FOR RtlOpenCurrentUser
; 
; START	OF FUNCTION CHUNK FOR RtlpMuiRegFreeRegistryInfo

loc_92CA6A:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+87j
		test	byte ptr [esi],	8
		jz	short loc_92CA76
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92CA76:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+982BDj
		mov	[esi+20h], edi
		jmp	loc_89483D
; 

loc_92CA7E:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+9Aj
		test	byte ptr [esi],	10h
		jz	short loc_92CA9B
		and	dword ptr [eax+20h], 0FFFFFFBFh
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_92CA9B
		test	byte ptr [eax+20h], 40h
		jnz	short loc_92CA9B
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92CA9B:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+982D1j
					; RtlpMuiRegFreeRegistryInfo+982DCj ...
		mov	[esi+24h], edi
		jmp	loc_894850
; 

loc_92CAA3:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+ADj
		test	byte ptr [esi],	20h
		jz	short loc_92CAC0
		and	dword ptr [eax+20h], 0FFFFFFBFh
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_92CAC0
		test	byte ptr [eax+20h], 40h
		jnz	short loc_92CAC0
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92CAC0:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+982F6j
					; RtlpMuiRegFreeRegistryInfo+98301j ...
		mov	[esi+28h], edi
		jmp	loc_894863
; 

loc_92CAC8:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+C0j
		test	byte ptr [esi],	40h
		jz	short loc_92CAE5
		and	dword ptr [eax+20h], 0FFFFFFBFh
		mov	eax, [esi+34h]
		test	eax, eax
		jz	short loc_92CAE5
		test	byte ptr [eax+20h], 40h
		jnz	short loc_92CAE5
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92CAE5:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+9831Bj
					; RtlpMuiRegFreeRegistryInfo+98326j ...
		mov	[esi+34h], edi
		jmp	loc_894876
; 

loc_92CAED:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+D2j
		test	byte ptr [esi],	80h
		jz	short loc_92CB0A
		and	dword ptr [eax+20h], 0FFFFFFBFh
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_92CB0A
		test	byte ptr [eax+20h], 40h
		jnz	short loc_92CB0A
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92CB0A:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+98340j
					; RtlpMuiRegFreeRegistryInfo+9834Bj ...
		mov	[esi+30h], edi
		jmp	loc_894888
; 

loc_92CB12:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+ECj
		test	[esi], ecx
		jz	short loc_92CB2E
		and	dword ptr [eax+20h], 0FFFFFFBFh
		mov	eax, [esi+38h]
		test	eax, eax
		jz	short loc_92CB2E
		test	byte ptr [eax+20h], 40h
		jnz	short loc_92CB2E
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92CB2E:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+98364j
					; RtlpMuiRegFreeRegistryInfo+9836Fj ...
		mov	[esi+38h], edi
		jmp	loc_8948A2
; 

loc_92CB36:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+10Ej
		mov	edx, ebx
		call	RtlpMuiRegFreeRegistryInfo
		mov	eax, [esi+3Ch]
		test	eax, eax
		jz	short loc_92CB4B
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92CB4B:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+98392j
		mov	[esi+3Ch], edi
		jmp	loc_8948C4
; 

loc_92CB53:				; CODE XREF: RtlpMuiRegFreeRegistryInfo+14j
					; RtlpMuiRegFreeRegistryInfo+1Cj
		mov	edi, 0C000000Dh
		jmp	loc_8948C4
; END OF FUNCTION CHUNK	FOR RtlpMuiRegFreeRegistryInfo
; 
; START	OF FUNCTION CHUNK FOR HvpViewMapMakeViewRangeUnCOWByPolicy

loc_92CB5D:				; CODE XREF: HvpViewMapMakeViewRangeUnCOWByPolicy+95j
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, [ebp+var_4]
		push	80000002h
		push	1000h
		push	edx
		mov	edx, [eax+18h]
		call	_CmSiProtectViewOfSection@24 ; CmSiProtectViewOfSection(x,x,x,x,x,x)
		mov	ecx, [ebp+arg_4]
		jmp	loc_894A7C
; END OF FUNCTION CHUNK	FOR HvpViewMapMakeViewRangeUnCOWByPolicy
; 
; START	OF FUNCTION CHUNK FOR _CmGetMatchingDeviceList

loc_92CB7F:				; CODE XREF: _CmGetMatchingDeviceList+6Dj
		cmp	eax, edi
		jz	short loc_92CB8C
		test	eax, eax
		jnz	short loc_92CBBF
		jmp	loc_894B1F
; 

loc_92CB8C:				; CODE XREF: _CmGetMatchingDeviceList+980D7j
					; _CmGetMatchingDeviceList+9810Bj
		mov	esi, [ebp+var_30]
		jmp	loc_894B4B
; 

loc_92CB94:				; CODE XREF: _CmGetMatchingDeviceList+9Bj
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	4
		push	1
		push	0
		push	[ebp+var_34]
		call	ebx
		cmp	eax, 0C0000002h
		jz	loc_894B4B
		cmp	eax, edi
		jz	short loc_92CB8C
		test	eax, eax
		jz	loc_894B4B

loc_92CBBF:				; CODE XREF: _CmGetMatchingDeviceList+980DBj
		mov	esi, 0C00000E5h
		jmp	loc_894B4B
; END OF FUNCTION CHUNK	FOR _CmGetMatchingDeviceList
; 
; START	OF FUNCTION CHUNK FOR _PnpDispatchDevicePanel

loc_92CBC9:				; CODE XREF: _PnpDispatchDevicePanel+1Bj
					; DATA XREF: PAGE:off_894C1Eo
		mov	edx, [ebp+arg_4] ; case	0x0
		call	__CmValidateDevicePanelName@8 ;	_CmValidateDevicePanelName(x,x)
		jmp	loc_894C10
; 

loc_92CBD6:				; CODE XREF: _PnpDispatchDevicePanel+1Bj
					; DATA XREF: PAGE:off_894C1Eo
		mov	ecx, [ebp+arg_10] ; case 0x1
		mov	edx, [ebp+arg_4]
		lea	eax, [ecx+0Ch]
		push	eax
		push	dword ptr [ecx+8]
		movzx	eax, byte ptr [ecx+4]
		push	eax
		push	dword ptr [ecx]
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	__CmOpenDevicePanelRegKey@32 ; _CmOpenDevicePanelRegKey(x,x,x,x,x,x,x,x)
		jmp	loc_894C10
; 

loc_92CBF9:				; CODE XREF: _PnpDispatchDevicePanel+1Bj
					; DATA XREF: PAGE:off_894C1Eo
		mov	eax, 0C0000002h	; case 0x2
		jmp	loc_894C10
; 

loc_92CC03:				; CODE XREF: _PnpDispatchDevicePanel+29j
		mov	[ebp+var_8], eax
		lea	esi, [ebp+var_8]
		mov	eax, [ecx+4]
		mov	edx, offset __PnpCmMatchCallbackRoutine@16 ; _PnpCmMatchCallbackRoutine(x,x,x,x)
		mov	[ebp+var_4], eax
		jmp	loc_894BF5
; 

loc_92CC19:				; CODE XREF: _PnpDispatchDevicePanel+1Bj
					; DATA XREF: PAGE:off_894C1Eo
		mov	eax, [ebp+arg_10] ; case 0x5
		push	dword ptr [eax+14h]
		push	dword ptr [eax+10h]
		push	dword ptr [eax+0Ch]
		push	ecx
		push	ecx
		call	__CmGetDevicePanelMappedPropertyKeys@28	; _CmGetDevicePanelMappedPropertyKeys(x,x,x,x,x,x,x)
		jmp	loc_894C10
; 

loc_92CC31:				; CODE XREF: _PnpDispatchDevicePanel+1Bj
					; DATA XREF: PAGE:off_894C1Eo
		mov	eax, [ebp+arg_10] ; case 0x6
		push	dword ptr [eax+10h] ; int
		push	dword ptr [eax+0Ch] ; int
		push	dword ptr [eax+8] ; int
		push	dword ptr [eax+4] ; void *
		push	ecx		; int
		call	__CmGetDevicePanelMappedPropertyLocales@28 ; _CmGetDevicePanelMappedPropertyLocales(x,x,x,x,x,x,x)
		jmp	loc_894C10
; 

loc_92CC4B:				; CODE XREF: _PnpDispatchDevicePanel+1Bj
					; DATA XREF: PAGE:off_894C1Eo
		mov	eax, [ebp+arg_10] ; case 0x7
		mov	edx, [ebp+arg_4]
		push	dword ptr [eax+18h] ; int
		push	dword ptr [eax+14h] ; int
		push	dword ptr [eax+10h] ; int
		push	dword ptr [eax+0Ch] ; void *
		push	dword ptr [eax+8] ; void *
		push	dword ptr [eax+4] ; int
		push	ecx		; int
		call	__CmGetDevicePanelMappedProperty@36 ; _CmGetDevicePanelMappedProperty(x,x,x,x,x,x,x,x,x)
		jmp	loc_894C10
; 

loc_92CC6E:				; CODE XREF: _PnpDispatchDevicePanel+1Bj
					; DATA XREF: PAGE:off_894C1Eo
		mov	eax, [ebp+arg_10] ; case 0x8
		sub	esp, 0Ch	; int
		push	dword ptr [eax+8] ; void *
		push	dword ptr [eax+4] ; int
		push	ecx		; int
		call	__CmSetDevicePanelMappedProperty@32 ; _CmSetDevicePanelMappedProperty(x,x,x,x,x,x,x,x)
		jmp	loc_894C10
; END OF FUNCTION CHUNK	FOR _PnpDispatchDevicePanel
; 
; START	OF FUNCTION CHUNK FOR _CmGetMatchingDevicePanelList

loc_92CC85:				; CODE XREF: _CmGetMatchingDevicePanelList+6Dj
		cmp	eax, edi
		jz	short loc_92CC92
		test	eax, eax
		jnz	short loc_92CCC5
		jmp	loc_894CB7
; 

loc_92CC92:				; CODE XREF: _CmGetMatchingDevicePanelList+98045j
					; _CmGetMatchingDevicePanelList+98079j
		mov	esi, [ebp+var_30]
		jmp	loc_894CDB
; 

loc_92CC9A:				; CODE XREF: _CmGetMatchingDevicePanelList+93j
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	4
		push	6
		push	0
		push	[ebp+var_34]
		call	ebx
		cmp	eax, 0C0000002h
		jz	loc_894CDB
		cmp	eax, edi
		jz	short loc_92CC92
		test	eax, eax
		jz	loc_894CDB

loc_92CCC5:				; CODE XREF: _CmGetMatchingDevicePanelList+98049j
		mov	esi, 0C00000E5h
		jmp	loc_894CDB
; END OF FUNCTION CHUNK	FOR _CmGetMatchingDevicePanelList
; 
; START	OF FUNCTION CHUNK FOR _CmGetMatchingDeviceListForSubkey

loc_92CCCF:				; CODE XREF: _CmGetMatchingDeviceListForSubkey+4Bj
		mov	[ebp+var_10], 5Ch

loc_92CCD6:				; CODE XREF: _CmGetMatchingDeviceListForSubkey+9801Aj
		movzx	edx, word ptr [eax]
		test	dx, dx
		jz	short loc_92CD19
		cmp	dx, word ptr [ebp+var_10]
		jz	short loc_92CD19
		inc	ecx
		mov	[ebp+var_8], ecx
		cmp	ecx, 2
		ja	short loc_92CD0F
		push	5Ch
		pop	ecx
		push	ecx		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_894D3F
		mov	ecx, [ebp+var_8]
		inc	eax
		add	eax, 1
		jnz	short loc_92CCD6
		jmp	loc_894D3F
; 

loc_92CD0F:				; CODE XREF: _CmGetMatchingDeviceListForSubkey+97FFDj
		mov	esi, 0C000000Dh
		jmp	loc_894E3B
; 

loc_92CD19:				; CODE XREF: _CmGetMatchingDeviceListForSubkey+97FEEj
					; _CmGetMatchingDeviceListForSubkey+97FF4j
		mov	esi, 0C000000Dh
		jmp	loc_894D3F
; 

loc_92CD23:				; CODE XREF: _CmGetMatchingDeviceListForSubkey+5Bj
		xor	ecx, ecx
		jmp	loc_894D52
; 

loc_92CD2A:				; CODE XREF: _CmGetMatchingDeviceListForSubkey+7Dj
		mov	esi, 0C00000E5h
		jmp	loc_894E3B
; 

loc_92CD34:				; CODE XREF: _CmGetMatchingDeviceListForSubkey+A0j
		mov	esi, 0C0000017h
		jmp	loc_894E3B
; END OF FUNCTION CHUNK	FOR _CmGetMatchingDeviceListForSubkey
; 
; START	OF FUNCTION CHUNK FOR _CmGetMatchingDevicePanelListWorker

loc_92CD3E:				; CODE XREF: _CmGetMatchingDevicePanelListWorker+56j
		mov	edi, 0C0000017h
		jmp	loc_894F25
; 

loc_92CD48:				; CODE XREF: _CmGetMatchingDevicePanelListWorker+BDj
		inc	eax
		mov	[ecx], eax
		test	ebx, ebx
		jz	short loc_92CD60
		cmp	[ebp+arg_8], eax
		jb	short loc_92CD60
		xor	ecx, ecx
		mov	[ebx+eax*2-2], cx
		jmp	loc_894F1D
; 

loc_92CD60:				; CODE XREF: _CmGetMatchingDevicePanelListWorker+97EF3j
					; _CmGetMatchingDevicePanelListWorker+97EF8j
		mov	edi, 0C0000023h
		jmp	loc_894F1D
; END OF FUNCTION CHUNK	FOR _CmGetMatchingDevicePanelListWorker
; 
; START	OF FUNCTION CHUNK FOR _CmGetMatchingDeviceContainerList

loc_92CD6A:				; CODE XREF: _CmGetMatchingDeviceContainerList+6Dj
		cmp	eax, edi
		jz	short loc_92CD77
		test	eax, eax
		jnz	short loc_92CDAA
		jmp	loc_894FA3
; 

loc_92CD77:				; CODE XREF: _CmGetMatchingDeviceContainerList+97E3Ej
					; _CmGetMatchingDeviceContainerList+97E72j
		mov	esi, [ebp+var_30]
		jmp	loc_894FC5
; 

loc_92CD7F:				; CODE XREF: _CmGetMatchingDeviceContainerList+91j
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	4
		push	5
		push	0
		push	[ebp+var_34]
		call	ebx
		cmp	eax, 0C0000002h
		jz	loc_894FC5
		cmp	eax, edi
		jz	short loc_92CD77
		test	eax, eax
		jz	loc_894FC5

loc_92CDAA:				; CODE XREF: _CmGetMatchingDeviceContainerList+97E42j
		mov	esi, 0C00000E5h
		jmp	loc_894FC5
; END OF FUNCTION CHUNK	FOR _CmGetMatchingDeviceContainerList
; 
; START	OF FUNCTION CHUNK FOR _CmGetMatchingFilteredDeviceInterfaceListWorker

loc_92CDB4:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+39j
					; _CmGetMatchingFilteredDeviceInterfaceListWorker+45j ...
		mov	esi, 0C000000Dh
		jmp	loc_8951A1
; 

loc_92CDBE:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+69j
		mov	ecx, ebx
		call	__PnpIsValidGuidString@4 ; _PnpIsValidGuidString(x)
		test	al, al
		jz	short loc_92CDB4
		mov	dword ptr [ebp+arg_1C],	2
		jmp	loc_895098
; 

loc_92CDD5:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+7Bj
		xor	ecx, ecx
		jmp	loc_8950A6
; 

loc_92CDDC:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+9Dj
		mov	esi, 0C00000E5h
		jmp	loc_8951A1
; 

loc_92CDE6:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+C0j
		mov	esi, 0C0000017h
		jmp	loc_8951A1
; 

loc_92CDF0:				; CODE XREF: _CmGetMatchingFilteredDeviceInterfaceListWorker+153j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_89517B
; END OF FUNCTION CHUNK	FOR _CmGetMatchingFilteredDeviceInterfaceListWorker
; 
; START	OF FUNCTION CHUNK FOR _CmGetMatchingCommonClassList

loc_92CDFD:				; CODE XREF: _CmGetMatchingCommonClassList+72j
		cmp	eax, 0C0000120h
		jz	short loc_92CE0D
		test	eax, eax
		jnz	short loc_92CE42
		jmp	loc_8952C0
; 

loc_92CE0D:				; CODE XREF: _CmGetMatchingCommonClassList+97BBCj
					; _CmGetMatchingCommonClassList+97BF2j
		mov	esi, [ebp+var_30]
		jmp	loc_8952E6
; 

loc_92CE15:				; CODE XREF: _CmGetMatchingCommonClassList+9Aj
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	4
		push	[ebp+var_34]
		push	0
		push	edi
		call	ebx
		cmp	eax, 0C0000002h
		jz	loc_8952E6
		cmp	eax, 0C0000120h
		jz	short loc_92CE0D
		test	eax, eax
		jz	loc_8952E6

loc_92CE42:				; CODE XREF: _CmGetMatchingCommonClassList+97BC0j
		mov	esi, 0C00000E5h
		jmp	loc_8952E6
; END OF FUNCTION CHUNK	FOR _CmGetMatchingCommonClassList
; 
; START	OF FUNCTION CHUNK FOR _CmGetMatchingCommonClassListWorker

loc_92CE4C:				; CODE XREF: _CmGetMatchingCommonClassListWorker+5Dj
		mov	edi, 0C0000017h
		jmp	loc_8953D6
; 

loc_92CE56:				; CODE XREF: _CmGetMatchingCommonClassListWorker+A8j
		mov	eax, [ebp+var_4]
		mov	ecx, ebx
		mov	[esi+4], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	9
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8953CA
		mov	edx, [ebp+var_4]
		cmp	edx, [esi+4]
		jz	loc_8953A8
		push	esi
		push	offset _CmClassSubkeyCallback
		mov	ecx, ebx
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_8953CA
		jmp	loc_8953A8
; END OF FUNCTION CHUNK	FOR _CmGetMatchingCommonClassListWorker
; 
; START	OF FUNCTION CHUNK FOR _RegRtlDeleteTreeInternal

loc_92CE9C:				; CODE XREF: _RegRtlDeleteTreeInternal+52j
		mov	esi, 0C000009Ah
		jmp	loc_89550D
; 

loc_92CEA6:				; CODE XREF: _RegRtlDeleteTreeInternal+9Dj
		lea	ecx, [esp+30h+var_1C]
		xor	edx, edx
		push	ecx
		inc	edx
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_89550D
		mov	eax, [esp+30h+var_1C]
		push	2
		pop	ecx
		jmp	loc_89549D
; 

loc_92CECB:				; CODE XREF: _RegRtlDeleteTreeInternal+BCj
		push	4C474552h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_8954BC
		mov	esi, 0C0000017h
		jmp	loc_89550D
; 

loc_92CEEC:				; CODE XREF: _RegRtlDeleteTreeInternal+EAj
		cmp	eax, 0C000017Ch
		jz	loc_8954EA
		cmp	eax, 0C0000023h
		jnz	short loc_92CF48
		mov	eax, [esp+30h+var_10]
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [esp+30h+var_18]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_89550D
		test	edi, edi
		jz	short loc_92CF28
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92CF28:				; CODE XREF: _RegRtlDeleteTreeInternal+97B24j
		mov	ebx, [esp+30h+var_18]
		push	4C474552h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_92CF7E
		mov	eax, [esp+30h+var_1C]
		jmp	loc_8954C2
; 

loc_92CF48:				; CODE XREF: _RegRtlDeleteTreeInternal+97B02j
		test	eax, eax
		jnz	loc_8954EA
		mov	eax, [esp+30h+var_14]
		xor	ecx, ecx
		push	[ebp+arg_4]
		mov	edx, edi
		push	[ebp+arg_0]
		mov	[edi+eax*2-2], cx
		mov	ecx, [esp+38h+var_20]
		call	_RegRtlDeleteTreeInternal
		test	eax, eax
		jz	loc_8954BC
		mov	eax, [esp+30h+var_1C]
		inc	eax
		jmp	loc_8954BE
; 

loc_92CF7E:				; CODE XREF: _RegRtlDeleteTreeInternal+97B43j
		mov	esi, 0C0000017h
		jmp	loc_8954EA
; 

loc_92CF88:				; CODE XREF: _RegRtlDeleteTreeInternal+109j
		cmp	[esp+30h+var_1C], 0
		jnz	loc_895530
		mov	ecx, [esp+30h+var_8]
		cmp	ecx, 0Ah
		jnb	loc_895530
		inc	ecx
		mov	[esp+30h+var_8], ecx
		jmp	loc_8954BC
; 

loc_92CFAA:				; CODE XREF: _RegRtlDeleteTreeInternal+125j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_895525
; END OF FUNCTION CHUNK	FOR _RegRtlDeleteTreeInternal
; 
; START	OF FUNCTION CHUNK FOR _RegRtlEnumKeyWithCallback

loc_92CFB7:				; CODE XREF: _RegRtlEnumKeyWithCallback+5Cj
		mov	esi, 0C000009Ah
		jmp	loc_89571F
; 

loc_92CFC1:				; CODE XREF: _RegRtlEnumKeyWithCallback+10Bj
		mov	eax, [esp+80h+var_6C]
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [esp+80h+var_64]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_89571B
		test	edi, edi
		jz	short loc_92CFEB
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92CFEB:				; CODE XREF: _RegRtlEnumKeyWithCallback+97A21j
		mov	ebx, [esp+80h+var_64]
		push	4C474552h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_89575B
		mov	ecx, [esp+80h+var_74]
		jmp	loc_895697
; 

loc_92D00F:				; CODE XREF: _RegRtlEnumKeyWithCallback+13Bj
		sub	ecx, 1
		jz	short loc_92D022
		sub	ecx, 1
		jnz	short loc_92D029
		mov	ecx, [esp+80h+var_74]
		jmp	loc_89570A
; 

loc_92D022:				; CODE XREF: _RegRtlEnumKeyWithCallback+97A52j
		xor	ecx, ecx
		jmp	loc_895706
; 

loc_92D029:				; CODE XREF: _RegRtlEnumKeyWithCallback+97A57j
		sub	ecx, 1
		jz	short loc_92D038
		mov	esi, 0C00000E5h
		jmp	loc_89571B
; 

loc_92D038:				; CODE XREF: _RegRtlEnumKeyWithCallback+97A6Cj
		mov	esi, 0C0000240h
		jmp	loc_89571B
; END OF FUNCTION CHUNK	FOR _RegRtlEnumKeyWithCallback
; 
; START	OF FUNCTION CHUNK FOR _RegRtlEnumKey

loc_92D042:				; CODE XREF: _RegRtlEnumKey+E0j
		mov	esi, 0C0000023h
		jmp	loc_895893
; 

loc_92D04C:				; CODE XREF: _RegRtlEnumKey+188j
		mov	esi, 0C0000017h
		jmp	loc_895893
; 

loc_92D056:				; CODE XREF: _RegRtlEnumKey+1AFj
		cmp	esi, 80000005h
		jnz	loc_895887
		jmp	loc_89591B
; 

loc_92D067:				; CODE XREF: _RegRtlEnumKey+1F1j
		mov	esi, 0C0000023h
		jmp	loc_895887
; END OF FUNCTION CHUNK	FOR _RegRtlEnumKey
; 
; START	OF FUNCTION CHUNK FOR _CmDeviceClassesSubkeyCallback

loc_92D071:				; CODE XREF: _CmDeviceClassesSubkeyCallback+28Bj
		push	52504E50h
		push	190h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+48h+var_30], eax
		test	eax, eax
		jz	loc_895B9D
		lea	ecx, [esp+48h+var_34]
		mov	[esp+48h+var_34], 190h
		push	ecx
		mov	ecx, [esp+4Ch+var_39+1]
		mov	edx, offset ??_C@_1BO@PDEOPOFH@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@NNGAKEGL@	; "DeviceInstance"
		push	eax
		lea	eax, [esp+50h+var_2C]
		push	eax
		call	_RegRtlQueryValue
		cmp	eax, 0C000017Ch
		jz	short loc_92D112
		test	eax, eax
		js	short loc_92D112
		cmp	[esp+48h+var_2C], 1
		jnz	short loc_92D112
		cmp	[esp+48h+var_34], 2
		jb	short loc_92D112
		mov	eax, [esp+48h+var_30]
		xor	ecx, ecx
		push	eax
		mov	[eax+18Eh], cx
		lea	eax, [esp+4Ch+var_10]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_92D112
		lea	eax, [esi+3F4h]
		push	eax
		lea	eax, [esp+4Ch+var_18]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_92D112
		push	1
		lea	eax, [esp+4Ch+var_18]
		push	eax
		lea	eax, [esp+50h+var_10]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_895C05

loc_92D112:				; CODE XREF: _CmDeviceClassesSubkeyCallback+108j
					; _CmDeviceClassesSubkeyCallback+97740j ...
		xor	ebx, ebx
		jmp	loc_895B91
; 

loc_92D119:				; CODE XREF: _CmDeviceClassesSubkeyCallback+1BCj
		lea	eax, [esp+48h+var_39]
		mov	edx, edi
		push	eax
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	__CmIsDeviceInterfaceEnabled@16	; _CmIsDeviceInterfaceEnabled(x,x,x,x)
		test	eax, eax
		js	loc_895B84
		cmp	byte ptr [esp+48h+var_39], 0
		jz	loc_895B84
		jmp	loc_895B36
; 

loc_92D141:				; CODE XREF: _CmDeviceClassesSubkeyCallback+1CAj
		push	dword ptr [esi+594h]
		push	3
		push	edi
		push	[ebp+arg_0]
		call	eax
		test	al, al
		jz	loc_895B84
		jmp	loc_895B44
; 

loc_92D15C:				; CODE XREF: _CmDeviceClassesSubkeyCallback+223j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_895B9D
; END OF FUNCTION CHUNK	FOR _CmDeviceClassesSubkeyCallback
; 
; START	OF FUNCTION CHUNK FOR _CmEnumSubkeyCallback

loc_92D168:				; CODE XREF: _CmEnumSubkeyCallback+15Cj
		xor	eax, eax
		mov	ecx, eax
		jmp	loc_895EE3
; 

loc_92D171:				; CODE XREF: _CmEnumSubkeyCallback+E0j
		mov	ecx, [ebp+arg_0]
		lea	eax, [esp+13h]
		push	eax
		mov	edx, edi
		call	__CmIsDevicePresent@12 ; _CmIsDevicePresent(x,x,x)
		test	eax, eax
		js	loc_895EB6
		cmp	[esp+28h+var_15], bl
		jz	loc_895EB6
		jmp	loc_895E64
; 

loc_92D197:				; CODE XREF: _CmEnumSubkeyCallback+EEj
		push	dword ptr [esi+19Ch]
		push	1
		push	edi
		push	[ebp+arg_0]
		call	eax
		test	al, al
		jz	loc_895EB6
		jmp	loc_895E72
; END OF FUNCTION CHUNK	FOR _CmEnumSubkeyCallback
; 
; START	OF FUNCTION CHUNK FOR _CmClassSubkeyCallback

loc_92D1B2:				; CODE XREF: _CmClassSubkeyCallback+21j
		mov	eax, [ebp+arg_0]
		mov	ecx, ebx
		test	eax, eax
		jz	short loc_92D1BE
		mov	ecx, [eax+74h]

loc_92D1BE:				; CODE XREF: _CmClassSubkeyCallback+971C9j
		lea	eax, [ebp+var_4]
		push	eax
		push	20019h
		push	ebx
		push	edi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_896017
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_89606C
; 

loc_92D1E3:				; CODE XREF: _CmClassSubkeyCallback+51j
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi]
		push	edi
		push	[ebp+arg_0]
		call	eax
		test	al, al
		jz	loc_89606C
		jmp	loc_896047
; END OF FUNCTION CHUNK	FOR _CmClassSubkeyCallback
; 
; START	OF FUNCTION CHUNK FOR _CmContainerListGenericObjectCallback

loc_92D1FB:				; CODE XREF: _CmContainerListGenericObjectCallback+22j
		push	dword ptr [esi+4]
		push	5
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax
		mov	bl, al
		jmp	loc_89610E
; END OF FUNCTION CHUNK	FOR _CmContainerListGenericObjectCallback
; 
; START	OF FUNCTION CHUNK FOR RtlInitNlsTables

loc_92D20F:				; CODE XREF: RtlInitNlsTables+24j
		and	ds:dword_AFD0A0, 0
		and	ds:dword_AFD0A4, 0
		jmp	loc_8961CE
; END OF FUNCTION CHUNK	FOR RtlInitNlsTables
; 
; START	OF FUNCTION CHUNK FOR RtlInitCodePageTable

loc_92D222:				; CODE XREF: RtlInitCodePageTable+13j
					; RtlInitCodePageTable+20j
		mov	ebx, [ebp+arg_4]
		push	4
		mov	[ebx], ax
		pop	eax
		mov	[ebx+2], ax
		mov	eax, 0FFFDh
		push	3Fh
		pop	ecx
		mov	[ebx+6], ax
		xor	eax, eax
		xor	edx, edx
		mov	[ebx+4], cx
		mov	[ebx+8], cx
		mov	[ebx+0Ah], cx
		mov	[ebx+0Ch], ax
		mov	[ebx+1Ch], edx
		mov	[ebx+24h], edx
		mov	[ebx+28h], edx
		jmp	loc_896287
; END OF FUNCTION CHUNK	FOR RtlInitCodePageTable
; 
; START	OF FUNCTION CHUNK FOR RtlResetRtlTranslations

loc_92D25D:				; CODE XREF: RtlResetRtlTranslations+47j
		mov	esi, ds:dword_AFD09C
		mov	ecx, 80h
		mov	edi, offset _NlsLeadByteInfoTable
		rep movsd
		jmp	loc_8962FA
; 

loc_92D274:				; CODE XREF: RtlResetRtlTranslations+AAj
		mov	esi, ds:dword_AFD070
		mov	ecx, 80h
		mov	edi, offset _NlsOemLeadByteInfoTable
		rep movsd
		jmp	loc_89635D
; 

loc_92D28B:				; CODE XREF: RtlResetRtlTranslations+17j
					; RtlResetRtlTranslations+2Aj
		xor	ebx, ebx
		mov	ds:_NlsAnsiCodePage, dx
		mov	ds:_NlsOemCodePage, dx
		mov	al, bl
		mov	ds:_NlsActiveCodePageIsUTF8, 1
		mov	ds:_NlsOemCodePageIsUTF8, 1
		mov	ds:_NlsMbCodePageTag, bl
		mov	ds:_NlsMbAnsiCodePageTables, ebx
		mov	ds:_NlsAnsiToUnicodeData, ebx
		mov	ds:_NlsUnicodeToAnsiData, ebx
		mov	ds:_NlsUnicodeToMbAnsiData, ebx
		mov	ds:_NlsMbOemCodePageTables, ebx
		mov	ds:_NlsOemToUnicodeData, ebx
		jmp	loc_896387
; END OF FUNCTION CHUNK	FOR RtlResetRtlTranslations
; 
; START	OF FUNCTION CHUNK FOR PspSanitizeResourceLimits

loc_92D2DA:				; CODE XREF: PspSanitizeResourceLimits+12j
		mov	eax, [esi]
		mov	edx, eax
		and	edx, 7Fh
		cmp	edx, 64h
		ja	short loc_92D2F5
		test	edx, edx
		jz	short loc_92D2F5
		cmp	eax, 80h
		jb	loc_8963EC

loc_92D2F5:				; CODE XREF: PspSanitizeResourceLimits+96F1Cj
					; PspSanitizeResourceLimits+96F20j
		test	ebx, ebx
		jz	short loc_92D33C
		and	eax, 0FFFFFFE4h
		or	eax, 64h
		mov	[esi], eax
		jmp	loc_8963EC
; 

loc_92D306:				; CODE XREF: PspSanitizeResourceLimits+3Cj
		cmp	eax, edx
		jnb	short loc_92D314
		shl	eax, 14h
		mov	[ecx], eax
		jmp	loc_89640A
; 

loc_92D314:				; CODE XREF: PspSanitizeResourceLimits+96F40j
		test	ebx, ebx
		jz	short loc_92D33C
		or	dword ptr [ecx], 0FFFFFFFFh
		jmp	loc_89640A
; 

loc_92D320:				; CODE XREF: PspSanitizeResourceLimits+48j
		cmp	eax, edx
		jnb	short loc_92D32F
		shl	eax, 14h
		mov	[ecx+4], eax
		jmp	loc_896416
; 

loc_92D32F:				; CODE XREF: PspSanitizeResourceLimits+96F5Aj
		test	ebx, ebx
		jz	short loc_92D33C
		or	dword ptr [ecx+4], 0FFFFFFFFh
		jmp	loc_896416
; 

loc_92D33C:				; CODE XREF: PspSanitizeResourceLimits+96F2Fj
					; PspSanitizeResourceLimits+96F4Ej ...
		mov	eax, 0C000000Dh
		jmp	loc_896418
; END OF FUNCTION CHUNK	FOR PspSanitizeResourceLimits
; 
; START	OF FUNCTION CHUNK FOR ExpParseSuiteMask

loc_92D346:				; CODE XREF: ExpParseSuiteMask+16Ej
		mov	ecx, ds:off_A414BC
		mov	eax, edi

loc_92D34E:				; CODE XREF: ExpParseSuiteMask+96E8Cj
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_92D374
		test	dx, dx
		jz	short loc_92D370
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_92D374
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_92D34E

loc_92D370:				; CODE XREF: ExpParseSuiteMask+96E77j
		mov	eax, ebx
		jmp	short loc_92D379
; 

loc_92D374:				; CODE XREF: ExpParseSuiteMask+96E72j
					; ExpParseSuiteMask+96E81j
		sbb	eax, eax
		or	eax, 1

loc_92D379:				; CODE XREF: ExpParseSuiteMask+96E90j
		test	eax, eax
		jnz	short loc_92D385
		or	esi, 40h
		jmp	loc_896659
; 

loc_92D385:				; CODE XREF: ExpParseSuiteMask+96E99j
		mov	ecx, ds:off_A414C0
		mov	eax, edi

loc_92D38D:				; CODE XREF: ExpParseSuiteMask+96ECBj
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_92D3B3
		test	dx, dx
		jz	short loc_92D3AF
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_92D3B3
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_92D38D

loc_92D3AF:				; CODE XREF: ExpParseSuiteMask+96EB6j
		mov	eax, ebx
		jmp	short loc_92D3B8
; 

loc_92D3B3:				; CODE XREF: ExpParseSuiteMask+96EB1j
					; ExpParseSuiteMask+96EC0j
		sbb	eax, eax
		or	eax, 1

loc_92D3B8:				; CODE XREF: ExpParseSuiteMask+96ECFj
		test	eax, eax
		jnz	short loc_92D3C7
		or	esi, 80h
		jmp	loc_896659
; 

loc_92D3C7:				; CODE XREF: ExpParseSuiteMask+96ED8j
		mov	ecx, ds:off_A414C4
		mov	eax, edi

loc_92D3CF:				; CODE XREF: ExpParseSuiteMask+96F0Dj
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_92D3F5
		test	dx, dx
		jz	short loc_92D3F1
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_92D3F5
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_92D3CF

loc_92D3F1:				; CODE XREF: ExpParseSuiteMask+96EF8j
		mov	eax, ebx
		jmp	short loc_92D3FA
; 

loc_92D3F5:				; CODE XREF: ExpParseSuiteMask+96EF3j
					; ExpParseSuiteMask+96F02j
		sbb	eax, eax
		or	eax, 1

loc_92D3FA:				; CODE XREF: ExpParseSuiteMask+96F11j
		test	eax, eax
		jnz	short loc_92D409
		or	esi, 200h
		jmp	loc_896659
; 

loc_92D409:				; CODE XREF: ExpParseSuiteMask+96F1Aj
		mov	ecx, ds:off_A414C8
		mov	eax, edi

loc_92D411:				; CODE XREF: ExpParseSuiteMask+96F4Fj
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_92D437
		test	dx, dx
		jz	short loc_92D433
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_92D437
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_92D411

loc_92D433:				; CODE XREF: ExpParseSuiteMask+96F3Aj
		mov	eax, ebx
		jmp	short loc_92D43C
; 

loc_92D437:				; CODE XREF: ExpParseSuiteMask+96F35j
					; ExpParseSuiteMask+96F44j
		sbb	eax, eax
		or	eax, 1

loc_92D43C:				; CODE XREF: ExpParseSuiteMask+96F53j
		test	eax, eax
		jnz	short loc_92D44B
		or	esi, 400h
		jmp	loc_896659
; 

loc_92D44B:				; CODE XREF: ExpParseSuiteMask+96F5Cj
		mov	ecx, ds:off_A414CC
		mov	eax, edi

loc_92D453:				; CODE XREF: ExpParseSuiteMask+96F91j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_92D479
		test	dx, dx
		jz	short loc_92D475
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_92D479
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_92D453

loc_92D475:				; CODE XREF: ExpParseSuiteMask+96F7Cj
		mov	eax, ebx
		jmp	short loc_92D47E
; 

loc_92D479:				; CODE XREF: ExpParseSuiteMask+96F77j
					; ExpParseSuiteMask+96F86j
		sbb	eax, eax
		or	eax, 1

loc_92D47E:				; CODE XREF: ExpParseSuiteMask+96F95j
		test	eax, eax
		jnz	short loc_92D48D
		or	esi, 800h
		jmp	loc_896659
; 

loc_92D48D:				; CODE XREF: ExpParseSuiteMask+96F9Ej
		mov	ecx, ds:off_A414D0
		mov	eax, edi

loc_92D495:				; CODE XREF: ExpParseSuiteMask+96FD3j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_92D4BB
		test	dx, dx
		jz	short loc_92D4B7
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_92D4BB
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_92D495

loc_92D4B7:				; CODE XREF: ExpParseSuiteMask+96FBEj
		mov	eax, ebx
		jmp	short loc_92D4C0
; 

loc_92D4BB:				; CODE XREF: ExpParseSuiteMask+96FB9j
					; ExpParseSuiteMask+96FC8j
		sbb	eax, eax
		or	eax, 1

loc_92D4C0:				; CODE XREF: ExpParseSuiteMask+96FD7j
		test	eax, eax
		jnz	short loc_92D4CF
		or	esi, 1000h
		jmp	loc_896659
; 

loc_92D4CF:				; CODE XREF: ExpParseSuiteMask+96FE0j
		mov	ecx, ds:off_A414D4
		mov	eax, edi

loc_92D4D7:				; CODE XREF: ExpParseSuiteMask+97015j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_92D4FD
		test	dx, dx
		jz	short loc_92D4F9
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_92D4FD
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_92D4D7

loc_92D4F9:				; CODE XREF: ExpParseSuiteMask+97000j
		mov	eax, ebx
		jmp	short loc_92D502
; 

loc_92D4FD:				; CODE XREF: ExpParseSuiteMask+96FFBj
					; ExpParseSuiteMask+9700Aj
		sbb	eax, eax
		or	eax, 1

loc_92D502:				; CODE XREF: ExpParseSuiteMask+97019j
		test	eax, eax
		jnz	short loc_92D511
		or	esi, 2000h
		jmp	loc_896659
; 

loc_92D511:				; CODE XREF: ExpParseSuiteMask+97022j
		mov	ecx, ds:off_A414D8
		mov	eax, edi

loc_92D519:				; CODE XREF: ExpParseSuiteMask+97057j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_92D53F
		test	dx, dx
		jz	short loc_92D53B
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_92D53F
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_92D519

loc_92D53B:				; CODE XREF: ExpParseSuiteMask+97042j
		mov	eax, ebx
		jmp	short loc_92D544
; 

loc_92D53F:				; CODE XREF: ExpParseSuiteMask+9703Dj
					; ExpParseSuiteMask+9704Cj
		sbb	eax, eax
		or	eax, 1

loc_92D544:				; CODE XREF: ExpParseSuiteMask+9705Bj
		test	eax, eax
		jnz	short loc_92D553
		or	esi, 4000h
		jmp	loc_896659
; 

loc_92D553:				; CODE XREF: ExpParseSuiteMask+97064j
		mov	ecx, ds:off_A414DC
		mov	eax, edi

loc_92D55B:				; CODE XREF: ExpParseSuiteMask+97099j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_92D581
		test	dx, dx
		jz	short loc_92D57D
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_92D581
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_92D55B

loc_92D57D:				; CODE XREF: ExpParseSuiteMask+97084j
		mov	eax, ebx
		jmp	short loc_92D586
; 

loc_92D581:				; CODE XREF: ExpParseSuiteMask+9707Fj
					; ExpParseSuiteMask+9708Ej
		sbb	eax, eax
		or	eax, 1

loc_92D586:				; CODE XREF: ExpParseSuiteMask+9709Dj
		test	eax, eax
		jnz	short loc_92D595
		or	esi, 8000h
		jmp	loc_896659
; 

loc_92D595:				; CODE XREF: ExpParseSuiteMask+970A6j
		mov	ecx, ds:off_A414E4
		mov	eax, edi

loc_92D59D:				; CODE XREF: ExpParseSuiteMask+970DBj
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_92D5C3
		test	dx, dx
		jz	short loc_92D5BF
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_92D5C3
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_92D59D

loc_92D5BF:				; CODE XREF: ExpParseSuiteMask+970C6j
		mov	eax, ebx
		jmp	short loc_92D5C8
; 

loc_92D5C3:				; CODE XREF: ExpParseSuiteMask+970C1j
					; ExpParseSuiteMask+970D0j
		sbb	eax, eax
		or	eax, 1

loc_92D5C8:				; CODE XREF: ExpParseSuiteMask+970DFj
		test	eax, eax
		jnz	loc_896659
		or	esi, 10000h
		jmp	loc_896659
; END OF FUNCTION CHUNK	FOR ExpParseSuiteMask
; 
; START	OF FUNCTION CHUNK FOR DbgkpCreateNotificationEvent

loc_92D5DB:				; CODE XREF: DbgkpCreateNotificationEvent+D1j
		mov	eax, 0C000009Ah
		jmp	loc_896975
; 

loc_92D5E5:				; CODE XREF: DbgkpCreateNotificationEvent+1ABj
		push	0

loc_92D5E7:				; CODE XREF: DbgkpCreateNotificationEvent+E6j
					; DbgkpCreateNotificationEvent+109j ...
		push	esi

loc_92D5E8:				; CODE XREF: DbgkpCreateNotificationEvent+195j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_896973
; END OF FUNCTION CHUNK	FOR DbgkpCreateNotificationEvent
; 
; START	OF FUNCTION CHUNK FOR PspInitializeProtectedProcessParameters

loc_92D5F2:				; CODE XREF: PspInitializeProtectedProcessParameters+62j
		mov	eax, 0C000009Ah
		jmp	loc_896A97
; END OF FUNCTION CHUNK	FOR PspInitializeProtectedProcessParameters
; 
; START	OF FUNCTION CHUNK FOR InitializeSidLookupTable

loc_92D5FC:				; CODE XREF: InitializeSidLookupTable+58j
		cmp	[esi-0Ch], eax
		jnz	loc_896D62
		jmp	loc_896D1E
; 

loc_92D60A:				; CODE XREF: InitializeSidLookupTable+6Aj
					; DATA XREF: PAGE:off_896DE8o
		lea	eax, [ebp+var_18] ; case 0x1
		jmp	loc_896D74
; END OF FUNCTION CHUNK	FOR InitializeSidLookupTable
; 
; START	OF FUNCTION CHUNK FOR ExRegisterExtension

loc_92D612:				; CODE XREF: ExRegisterExtension+23j
		cmp	[ebx+4], di
		jz	loc_896E99

loc_92D61C:				; CODE XREF: ExRegisterExtension+15j
					; ExRegisterExtension+967C8j ...
		mov	eax, 0C000000Dh
		jmp	loc_896FD4
; 

loc_92D626:				; CODE XREF: ExRegisterExtension+9Cj
		mov	eax, 0C0000225h
		jmp	loc_896FD4
; 

loc_92D630:				; CODE XREF: ExRegisterExtension+AAj
		or	eax, 0FFFFFFFFh
		lock xadd [esi+8], eax
		jnz	short loc_92D61C
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_92D61C
; 

loc_92D643:				; CODE XREF: ExRegisterExtension+BDj
		or	eax, 0FFFFFFFFh
		lock xadd [esi+8], eax
		jnz	short loc_92D654
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92D654:				; CODE XREF: ExRegisterExtension+967DBj
		mov	eax, 0C0000022h
		jmp	loc_896FD4
; 

loc_92D65E:				; CODE XREF: ExRegisterExtension+EFj
		push	edi
		mov	edx, eax
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+arg_4]
		jmp	loc_896F65
; 

loc_92D670:				; CODE XREF: ExRegisterExtension+11Dj
		mov	eax, ds:_MmBadPointer
		jmp	loc_896F93
; 

loc_92D67A:				; CODE XREF: ExRegisterExtension+13Dj
		test	al, 4
		jnz	loc_896FB3
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_896FB3
; 

loc_92D68E:				; CODE XREF: ExRegisterExtension+101j
					; ExRegisterExtension+10Bj
		or	ebx, 0FFFFFFFFh
		mov	eax, ebx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_92D6A4
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_92D6A4:				; CODE XREF: ExRegisterExtension+9682Bj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lock xadd [esi+8], ebx
		dec	ebx
		jnz	short loc_92D6C7
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92D6C7:				; CODE XREF: ExRegisterExtension+9684Dj
		mov	eax, 0C0000035h
		jmp	loc_896FD4
; END OF FUNCTION CHUNK	FOR ExRegisterExtension
; 
; START	OF FUNCTION CHUNK FOR ExRegisterHost

loc_92D6D1:				; CODE XREF: ExRegisterHost+23j
		mov	eax, 0C000009Ah
		jmp	loc_897100
; 

loc_92D6DB:				; CODE XREF: ExRegisterHost+73j
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		jmp	loc_897093
; 

loc_92D6EA:				; CODE XREF: ExRegisterHost+97j
		mov	edi, 0C0000035h
		lea	edx, [ebx+8]
		mov	eax, ecx
		lock xadd [edx], eax
		jnz	short loc_92D705
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		or	ecx, 0FFFFFFFFh

loc_92D705:				; CODE XREF: ExRegisterHost+966DEj
		mov	eax, ecx
		lock xadd [esi+8], eax
		jnz	loc_8970D9
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		or	ecx, 0FFFFFFFFh
		jmp	loc_8970D9
; 

loc_92D722:				; CODE XREF: ExRegisterHost+CBj
		test	cl, 4
		jnz	loc_8970EB
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8970EB
; END OF FUNCTION CHUNK	FOR ExRegisterHost
; 
; START	OF FUNCTION CHUNK FOR ExpPcwHostCallback

loc_92D737:				; CODE XREF: ExpPcwHostCallback+19j
		call	_EtwUnregisterCounters@0 ; EtwUnregisterCounters()
		mov	eax, _PcwpSynchCounterSet
		xor	esi, esi
		test	eax, eax
		jz	short loc_92D753
		push	eax
		call	_PcwUnregister@4 ; PcwUnregister(x)
		mov	_PcwpSynchCounterSet, esi

loc_92D753:				; CODE XREF: ExpPcwHostCallback+9656Dj
		mov	eax, _PcwpSynchNumaCounterSet
		test	eax, eax
		jz	short loc_92D768
		push	eax
		call	_PcwUnregister@4 ; PcwUnregister(x)
		mov	_PcwpSynchNumaCounterSet, esi

loc_92D768:				; CODE XREF: ExpPcwHostCallback+96582j
		mov	eax, _PcwpProcessorCounterSet
		test	eax, eax
		jz	short loc_92D77D
		push	eax
		call	_PcwUnregister@4 ; PcwUnregister(x)
		mov	_PcwpProcessorCounterSet, esi

loc_92D77D:				; CODE XREF: ExpPcwHostCallback+96597j
		mov	eax, _PcwpFileSystemDiskIOCounterSet
		test	eax, eax
		jz	short loc_92D792
		push	eax
		call	_PcwUnregister@4 ; PcwUnregister(x)
		mov	_PcwpFileSystemDiskIOCounterSet, esi

loc_92D792:				; CODE XREF: ExpPcwHostCallback+965ACj
		mov	eax, _PcwpThermalCounterSet
		test	eax, eax
		jz	loc_8971F7
		push	eax
		call	_PcwUnregister@4 ; PcwUnregister(x)
		mov	_PcwpThermalCounterSet,	esi
		jmp	loc_8971F7
; END OF FUNCTION CHUNK	FOR ExpPcwHostCallback
; 
; START	OF FUNCTION CHUNK FOR PcwRegister

loc_92D7B0:				; CODE XREF: PcwRegister+14j
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		call	_ExpPcwDisabledStatus@0	; ExpPcwDisabledStatus()
		mov	esi, eax
		jmp	loc_8973CF
; END OF FUNCTION CHUNK	FOR PcwRegister
; 
; START	OF FUNCTION CHUNK FOR SepIsOptionPresent

loc_92D7C2:				; CODE XREF: SepIsOptionPresent+26j
					; SepIsOptionPresent+96369j
		mov	al, [esi]
		inc	esi
		test	al, al
		jnz	short loc_92D7C2
		sub	esi, ecx
		cmp	edx, ebx
		jz	short loc_92D7D9
		cmp	byte ptr [edx-1], 20h
		jnz	loc_89747B

loc_92D7D9:				; CODE XREF: SepIsOptionPresent+9636Fj
		mov	al, [esi+edx]
		cmp	al, 20h
		jz	short loc_92D7E8
		test	al, al
		jnz	loc_89747B

loc_92D7E8:				; CODE XREF: SepIsOptionPresent+96380j
		xor	edi, edi
		inc	edi
		jmp	loc_89747B
; END OF FUNCTION CHUNK	FOR SepIsOptionPresent
; 
; START	OF FUNCTION CHUNK FOR RtlAddProcessTrustLabelAce

loc_92D7F0:				; CODE XREF: RtlAddProcessTrustLabelAce+3Bj
		mov	eax, 0C0000078h
		jmp	loc_8975D0
; 

loc_92D7FA:				; CODE XREF: RtlAddProcessTrustLabelAce+55j
					; RtlAddProcessTrustLabelAce+61j
		mov	eax, 0C0000059h
		jmp	loc_8975D0
; 

loc_92D804:				; CODE XREF: RtlAddProcessTrustLabelAce+2Aj
					; RtlAddProcessTrustLabelAce+4Aj ...
		mov	eax, 0C000000Dh
		jmp	loc_8975D0
; END OF FUNCTION CHUNK	FOR RtlAddProcessTrustLabelAce
; 
; START	OF FUNCTION CHUNK FOR MmStoreRegister

loc_92D80E:				; CODE XREF: MmStoreRegister+25j
		mov	eax, 0C0000147h
		jmp	loc_8977DE
; 

loc_92D818:				; CODE XREF: MmStoreRegister+3Fj
		mov	eax, 0C000009Ah
		jmp	loc_8977DE
; 

loc_92D822:				; CODE XREF: MmStoreRegister+7Bj
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8977DC
; 

loc_92D82E:				; CODE XREF: MmStoreRegister+100j
					; MmStoreRegister+108j
		and	[esp+28h+var_C], 0
		mov	ecx, eax
		jmp	loc_89771A
; 

loc_92D83A:				; CODE XREF: MmStoreRegister+128j
		mov	eax, [esp+28h+var_18]
		mov	edi, 0C000009Ah
		mov	dword ptr [esi+14h], 1
		jmp	loc_8977B5
; 

loc_92D84F:				; CODE XREF: MmStoreRegister+13Dj
		mov	dword ptr [esi+14h], 1
		jmp	loc_8977B5
; 

loc_92D85B:				; CODE XREF: MmStoreRegister+1ABj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8977BD
; 

loc_92D868:				; CODE XREF: MmStoreRegister+1B3j
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	_MiDeletePagefile@8 ; MiDeletePagefile(x,x)
		jmp	loc_8977C5
; 

loc_92D877:				; CODE XREF: MmStoreRegister+ABj
		mov	dword ptr [esi+14h], 1
		mov	edi, 0C000009Ah
		jmp	loc_8977C7
; END OF FUNCTION CHUNK	FOR MmStoreRegister
; 
; START	OF FUNCTION CHUNK FOR MiCreatePagingFile

loc_92D888:				; CODE XREF: MiCreatePagingFile+61j
		test	esi, esi
		jnz	loc_897DBF
		jmp	loc_897881
; 

loc_92D895:				; CODE XREF: MiCreatePagingFile+D4j
		mov	ecx, eax
		jmp	loc_8978F4
; 

loc_92D89C:				; CODE XREF: MiCreatePagingFile+F2j
		mov	edx, eax
		jmp	loc_897912
; 

loc_92D8A3:				; CODE XREF: MiCreatePagingFile+10Dj
		mov	edx, eax
		jmp	loc_89792D
; END OF FUNCTION CHUNK	FOR MiCreatePagingFile

;  S U B	R O U T	I N E 


sub_92D8AA	proc near		; DATA XREF: .text:006A7314o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-70h], eax
		xor	eax, eax
		inc	eax
		retn
sub_92D8AA	endp


;  S U B	R O U T	I N E 


sub_92D8B8	proc near		; DATA XREF: .text:006A7318o

; FUNCTION CHUNK AT 0092D917 SIZE 00000005 BYTES
; FUNCTION CHUNK AT 0092D959 SIZE 0000000C BYTES

		mov	eax, [ebp-70h]
		jmp	short loc_92D917
sub_92D8B8	endp

; 
; START	OF FUNCTION CHUNK FOR MiCreatePagingFile

loc_92D8BD:				; CODE XREF: MiCreatePagingFile+B3j
					; MiCreatePagingFile+C0j
		mov	eax, 0C0000061h
		jmp	loc_897DC4
; 

loc_92D8C7:				; CODE XREF: MiCreatePagingFile+97j
		mov	eax, [ebx]
		mov	[ebp+var_54], eax
		mov	edi, [ebx+4]
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], edi
		mov	ecx, [ebp+arg_0]
		jmp	loc_897945
; END OF FUNCTION CHUNK	FOR MiCreatePagingFile

;  S U B	R O U T	I N E 


sub_92D8DD	proc near		; DATA XREF: .text:006A7320o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-74h], eax
		xor	eax, eax
		inc	eax
		retn
sub_92D8DD	endp


;  S U B	R O U T	I N E 


sub_92D8EB	proc near		; DATA XREF: .text:006A7324o
		mov	eax, [ebp-74h]
		jmp	short loc_92D917
sub_92D8EB	endp

; 
; START	OF FUNCTION CHUNK FOR MiCreatePagingFile

loc_92D8F0:				; CODE XREF: MiCreatePagingFile+163j
		mov	eax, [ecx]
		mov	[ebp+var_40], eax
		mov	[ebp+var_64], eax
		mov	ecx, [ecx+4]
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_60], ecx
		jmp	loc_8979A2
; END OF FUNCTION CHUNK	FOR MiCreatePagingFile

;  S U B	R O U T	I N E 


sub_92D906	proc near		; DATA XREF: .text:006A732Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-78h], eax
		xor	eax, eax
		inc	eax
		retn
sub_92D906	endp


;  S U B	R O U T	I N E 


sub_92D914	proc near		; DATA XREF: .text:006A7330o
		mov	eax, [ebp-78h]
sub_92D914	endp

; START	OF FUNCTION CHUNK FOR sub_92D8B8

loc_92D917:				; CODE XREF: sub_92D8B8+3j
					; sub_92D8EB+3j
		mov	esp, [ebp-18h]
		jmp	short loc_92D959
; END OF FUNCTION CHUNK	FOR sub_92D8B8
; 
; START	OF FUNCTION CHUNK FOR MiCreatePagingFile

loc_92D91C:				; CODE XREF: MiCreatePagingFile+1B6j
		mov	ecx, [ebp+var_28]
		mov	eax, [ecx]
		mov	[ebp+var_24], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_20], eax
		jmp	loc_8979F2
; 

loc_92D92F:				; CODE XREF: MiCreatePagingFile+23Cj
					; MiCreatePagingFile+244j
		mov	byte ptr [edi],	0
		mov	cx, word ptr [ebp+var_24]
		jmp	loc_897A64
; END OF FUNCTION CHUNK	FOR MiCreatePagingFile

;  S U B	R O U T	I N E 


sub_92D93B	proc near		; DATA XREF: .text:006A7338o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-7Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_92D93B	endp


;  S U B	R O U T	I N E 


sub_92D949	proc near		; DATA XREF: .text:006A733Co
		mov	esp, [ebp-18h]
		push	0
		push	dword ptr [ebp+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp-7Ch]
sub_92D949	endp

; START	OF FUNCTION CHUNK FOR sub_92D8B8

loc_92D959:				; CODE XREF: sub_92D8B8+62j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_897DC4
; END OF FUNCTION CHUNK	FOR sub_92D8B8
; 
; START	OF FUNCTION CHUNK FOR MiCreatePagingFile

loc_92D965:				; CODE XREF: MiCreatePagingFile+216j
		movzx	eax, word ptr [ebp+var_24]
		push	eax		; size_t
		push	[ebp+var_20]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_897A7E
; 

loc_92D97B:				; CODE XREF: MiCreatePagingFile+26Dj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C00000BBh
		jmp	loc_897DC4
; 

loc_92D98D:				; CODE XREF: MiCreatePagingFile+2CAj
		mov	edi, 0C000009Ah
		jmp	loc_897F53
; 

loc_92D997:				; CODE XREF: MiCreatePagingFile+492j
		cmp	eax, 14h
		jz	loc_897CB2
		cmp	eax, 36h
		jz	loc_897CB2
		cmp	eax, 35h
		jz	loc_897CB2
		mov	edi, 0C000014Fh
		jmp	loc_897F47
; 

loc_92D9BC:				; CODE XREF: MiCreatePagingFile+4D2j
		mov	edi, 0C0000164h
		jmp	loc_897F47
; 

loc_92D9C6:				; CODE XREF: MiCreatePagingFile+50Bj
		xor	dl, dl
		mov	ecx, esi
		call	PiPagePathSetState
		jmp	loc_897F47
; 

loc_92D9D4:				; CODE XREF: MiCreatePagingFile+552j
		xor	edx, edx
		inc	edx
		mov	ecx, esi
		call	_MiDeletePagefile@8 ; MiDeletePagefile(x,x)
		jmp	loc_897F7C
; 

loc_92D9E3:				; CODE XREF: MiCreatePagingFile+56Dj
		and	[ebp+var_38], 0
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	edi, offset unk_718494
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		or	eax, 0FFFFFFFFh
		cmp	ds:dword_718490, eax
		jnz	short loc_92DA3D
		mov	eax, dword_6D3018
		mov	eax, [eax]
		mov	edx, [eax+0F48h]
		lea	eax, [ebp+var_38]
		push	eax
		push	0
		shr	edx, 9
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	_SmpDirtyStoreCreate@16	; SmpDirtyStoreCreate(x,x,x,x)
		test	eax, eax
		js	short loc_92DA3A
		mov	eax, [ebp+var_38]
		mov	ds:dword_718490, eax

loc_92DA3A:				; CODE XREF: MiCreatePagingFile+96216j
		or	eax, 0FFFFFFFFh

loc_92DA3D:				; CODE XREF: MiCreatePagingFile+961F2j
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_92DA4E
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_92DA4E:				; CODE XREF: MiCreatePagingFile+9622Bj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_897D8D
; 

loc_92DA5F:				; CODE XREF: MiCreatePagingFile+5F4j
		and	[ebp+var_1C], 0
		jmp	loc_897F63
; 

loc_92DA68:				; CODE XREF: MiCreatePagingFile+689j
		mov	eax, [ebp+arg_8]

loc_92DA6B:				; CODE XREF: MiCreatePagingFile+674j
		mov	ecx, [ebp+var_28]
		inc	ecx
		mov	[ebp+var_28], ecx
		add	eax, 4
		mov	[ebp+arg_8], eax
		cmp	ecx, [ebp+var_48]
		jb	loc_897E82
		jmp	loc_897EC2
; 

loc_92DA86:				; CODE XREF: MiCreatePagingFile+6A0j
		mov	edi, 0C000000Dh
		jmp	loc_897F15
; 

loc_92DA90:				; CODE XREF: MiCreatePagingFile+6AAj
		mov	edi, 0C0000225h
		jmp	loc_897F15
; 

loc_92DA9A:				; CODE XREF: MiCreatePagingFile+6CDj
		mov	edi, 0C00000F0h
		jmp	loc_897F15
; 

loc_92DAA4:				; CODE XREF: MiCreatePagingFile+6D8j
		mov	edi, 0C00000F1h
		jmp	loc_897F15
; 

loc_92DAAE:				; CODE XREF: MiCreatePagingFile+6DEj
		test	byte ptr [ebx+74h], 10h
		jnz	short loc_92DADD
		mov	ecx, edx
		sub	ecx, eax
		mov	[ebp+arg_4], ecx
		push	0
		push	0
		push	ecx
		xor	edx, edx
		mov	ecx, [ebp+arg_C]
		call	MiIncreaseCommitLimits
		test	eax, eax
		jnz	short loc_92DADA
		xor	ebx, ebx
		mov	edi, 0C00000F1h
		jmp	loc_897F18
; 

loc_92DADA:				; CODE XREF: MiCreatePagingFile+962B2j
		mov	edx, [ebp+var_38]

loc_92DADD:				; CODE XREF: MiCreatePagingFile+96298j
		and	[ebp+var_2C], 0
		cmp	dword ptr [ebx+80h], 0
		jz	short loc_92DB02
		mov	ecx, edx
		call	_MiReservePageHash@4 ; MiReservePageHash(x)
		mov	[ebp+var_2C], eax
		test	eax, eax
		jnz	short loc_92DB02

loc_92DAF8:				; CODE XREF: MiCreatePagingFile+962F2j
		mov	edi, 0C000009Ah
		jmp	loc_897F15
; 

loc_92DB02:				; CODE XREF: MiCreatePagingFile+962CEj
					; MiCreatePagingFile+962DCj
		mov	ecx, [ebp+var_38]
		call	_MiCreatePageFileSpaceBitmaps@4	; MiCreatePageFileSpaceBitmaps(x)
		test	eax, eax
		jz	short loc_92DAF8
		push	[ebp+var_2C]
		mov	edx, eax
		mov	ecx, ebx
		call	_MiExtendPagingFileMaximum@12 ;	MiExtendPagingFileMaximum(x,x,x)
		mov	ecx, [ebp+arg_C]
		mov	eax, [ecx+10BCh]
		mov	ecx, [ecx+1114h]
		add	eax, 64h
		cmp	eax, ecx
		jbe	short loc_92DB51
		push	0
		mov	edx, 0C8h
		mov	ecx, [ebp+arg_C]
		call	MiChargeCommit
		cmp	eax, 1
		jnz	short loc_92DB51
		mov	edx, 0C8h
		mov	ecx, [ebp+arg_C]
		call	MiReturnCommit

loc_92DB51:				; CODE XREF: MiCreatePagingFile+96314j
					; MiCreatePagingFile+96328j
		mov	ecx, [ebp+arg_8]
		jmp	loc_897EFE
; 

loc_92DB59:				; CODE XREF: MiCreatePagingFile+96358j
		mov	ecx, ebx
		call	_MiCheckAndUpdatePagingFileMinimum@8 ; MiCheckAndUpdatePagingFileMinimum(x,x)
		cmp	eax, 1
		jz	loc_897F07
		mov	ecx, [ebp+arg_8]

loc_92DB6C:				; CODE XREF: MiCreatePagingFile+6E7j
		mov	eax, [ebx]
		mov	edx, ecx
		cmp	ecx, eax
		jbe	short loc_92DB59
		push	[ebp+var_28]
		push	1
		sub	edx, eax
		mov	ecx, [ebp+arg_C]
		call	_MiIssuePageExtendRequest@16 ; MiIssuePageExtendRequest(x,x,x,x)
		mov	eax, [ebp+arg_8]
		cmp	[ebx+8], eax
		jnb	loc_897F07
		mov	edi, 0C000009Ah
		jmp	loc_897F07
; 

loc_92DB99:				; CODE XREF: MiCreatePagingFile+710j
		test	al, 4
		jnz	loc_897F30
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_897F30
; 

loc_92DBAD:				; CODE XREF: MiCreatePagingFile+727j
		push	ebx
		xor	edx, edx
		mov	ecx, [ebp+arg_C]
		call	_MiReduceCommitLimits@12 ; MiReduceCommitLimits(x,x,x)
		jmp	loc_897F47
; 

loc_92DBBD:				; CODE XREF: MiCreatePagingFile+20Ej
					; MiCreatePagingFile+541j
		mov	eax, 0C000009Ah
		jmp	loc_897DC4
; 

loc_92DBC7:				; CODE XREF: MiCreatePagingFile+1E3j
					; MiCreatePagingFile+1F1j
		mov	eax, 0C0000033h
		jmp	loc_897DC4
; 

loc_92DBD1:				; CODE XREF: MiCreatePagingFile+190j
					; MiCreatePagingFile+19Bj ...
		mov	eax, 0C00000F1h
		jmp	loc_897DC4
; 

loc_92DBDB:				; CODE XREF: MiCreatePagingFile+136j
					; MiCreatePagingFile+142j ...
		mov	eax, 0C00000F0h
		jmp	loc_897DC4
; END OF FUNCTION CHUNK	FOR MiCreatePagingFile
; 
; START	OF FUNCTION CHUNK FOR MiInsertPageFileInList

loc_92DBE5:				; CODE XREF: MiInsertPageFileInList+7Ej
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_92DBF9
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_92DBF9:				; CODE XREF: MiInsertPageFileInList+95C68j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, 0C000010Ah
		jmp	loc_92DCCF
; 

loc_92DC0A:				; CODE XREF: MiInsertPageFileInList+1A1j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_92DC1E
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_92DC1E:				; CODE XREF: MiInsertPageFileInList+95C8Dj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, 0C000012Dh
		jmp	loc_92DCCF
; 

loc_92DC2F:				; CODE XREF: MiInsertPageFileInList+1CBj
		or	ecx, 0FFFFFFFFh
		lock xadd [esi], ecx
		and	cl, 6
		cmp	cl, 2
		jnz	short loc_92DC45
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_92DC45:				; CODE XREF: MiInsertPageFileInList+95CB4j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, [ebp+var_C]
		jmp	short loc_92DCCF
; 

loc_92DC51:				; CODE XREF: MiInsertPageFileInList+DAj
		inc	esi
		jmp	loc_898068
; 

loc_92DC57:				; CODE XREF: MiInsertPageFileInList+F6j
		test	ecx, 810h
		jnz	short loc_92DC6B
		or	ecx, 20h
		mov	[edi+74h], cx
		jmp	loc_898084
; 

loc_92DC6B:				; CODE XREF: MiInsertPageFileInList+95CD5j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_92DC7F
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_92DC7F:				; CODE XREF: MiInsertPageFileInList+95CEEj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, 0C00000BBh
		jmp	short loc_92DCCF
; 

loc_92DC8D:				; CODE XREF: MiInsertPageFileInList+116j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_92DCA1
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_92DCA1:				; CODE XREF: MiInsertPageFileInList+95D10j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, 0C00000F1h
		jmp	short loc_92DCCF
; 

loc_92DCAF:				; CODE XREF: MiInsertPageFileInList+9Aj
					; MiInsertPageFileInList+1EBj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_92DCC3
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_92DCC3:				; CODE XREF: MiInsertPageFileInList+95D32j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, 0C0000097h

loc_92DCCF:				; CODE XREF: MiInsertPageFileInList+95C7Dj
					; MiInsertPageFileInList+95CA2j ...
		mov	ecx, [ebp+var_8]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, esi
		jmp	loc_89811B
; 

loc_92DCDE:				; CODE XREF: MiInsertPageFileInList+163j
		test	al, 4
		jnz	loc_8980F1
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8980F1
; END OF FUNCTION CHUNK	FOR MiInsertPageFileInList
; 
; START	OF FUNCTION CHUNK FOR MiCreatePagefile

loc_92DCF2:				; CODE XREF: MiCreatePagefile+4Fj
		lea	edi, [esp+0C0h+var_A0]
		jmp	loc_8981CD
; 

loc_92DCFB:				; CODE XREF: MiCreatePagefile+D5j
		or	word ptr [edi+74h], 20h
		jmp	loc_898253
; 

loc_92DD05:				; CODE XREF: MiCreatePagefile+E1j
		mov	eax, 80h
		jmp	loc_8983D4
; 

loc_92DD0F:				; CODE XREF: MiCreatePagefile+EDj
		mov	eax, 400h
		or	[edi+74h], ax
		jmp	loc_89826B
; 

loc_92DD1D:				; CODE XREF: MiCreatePagefile+109j
		shr	eax, 1Ah
		mov	[edi+70h], eax
		jmp	loc_898287
; 

loc_92DD28:				; CODE XREF: MiCreatePagefile+115j
					; MiCreatePagefile+14Ej ...
		lea	eax, [esp+0C0h+var_A0]
		xor	edx, edx
		cmp	edi, eax
		mov	ecx, edi
		setnz	dl
		call	_MiDeletePagefile@8 ; MiDeletePagefile(x,x)
		xor	eax, eax
		jmp	loc_8983BA
; END OF FUNCTION CHUNK	FOR MiCreatePagefile
; 
; START	OF FUNCTION CHUNK FOR IoInitializeCrashDump

loc_92DD41:				; CODE XREF: IoInitializeCrashDump+43j
		cmp	_CapsuleDumpAllowed, 0
		jz	loc_898594
		call	_IopInitDumpCapsuleSupport@0 ; IopInitDumpCapsuleSupport()
		jmp	loc_898594
; END OF FUNCTION CHUNK	FOR IoInitializeCrashDump
; 
; START	OF FUNCTION CHUNK FOR IopInitializeCrashDump

loc_92DD58:				; CODE XREF: IopInitializeCrashDump+3Dj
		cmp	_CrashdmpInitialized, bl
		jnz	loc_898690
		jmp	loc_8985F7
; 

loc_92DD69:				; CODE XREF: IopInitializeCrashDump+6Cj
		mov	ecx, dword_6D4AF4
		test	ecx, ecx
		jz	loc_898699
		xor	eax, eax
		mov	[ebp+var_11], bl
		mov	[ebp+var_13], ax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_18], eax
		mov	al, byte ptr [ebp+var_10+1]
		mov	[ebp+var_14], al
		lea	eax, [ebp+var_28]
		push	eax
		mov	[ebp+var_28], 18h
		mov	[ebp+var_24], offset _SecureDump_Get_SecureDumpHeader@12 ; SecureDump_Get_SecureDumpHeader(x,x,x)
		mov	[ebp+var_20], offset _SecureDump_Encrypt_DmpData@28 ; SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)
		call	ecx
		test	eax, eax
		js	loc_898699
		jmp	loc_898626
; 

loc_92DDBA:				; CODE XREF: IopInitializeCrashDump+86j
		mov	_CrashdmpDumpBlock, ebx
		jmp	loc_898699
; END OF FUNCTION CHUNK	FOR IopInitializeCrashDump
; 
; START	OF FUNCTION CHUNK FOR MmReserveViewInSystemCache

loc_92DDC5:				; CODE XREF: MmReserveViewInSystemCache+Cj
		inc	dword_6D3CC0
		xor	eax, eax
		pop	ecx
		retn
; END OF FUNCTION CHUNK	FOR MmReserveViewInSystemCache
; 
; START	OF FUNCTION CHUNK FOR PiDmObjectManagerPopulate

loc_92DDCF:				; CODE XREF: PiDmObjectManagerPopulate+23j
		push	5A706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_898797
; 

loc_92DDDF:				; CODE XREF: PiDmObjectManagerPopulate+3Fj
		mov	edi, 0C000009Ah
		jmp	loc_8987D4
; 

loc_92DDE9:				; CODE XREF: PiDmObjectManagerPopulate+B6j
		mov	ecx, [ebp+var_8]
		call	PiDmObjectRelease
		mov	edi, 0C000009Ah
		jmp	loc_89884C
; 

loc_92DDFB:				; CODE XREF: PiDmObjectManagerPopulate+956A7j
		push	esi
		push	ebx
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		mov	ecx, [esi]
		call	PiDmObjectRelease

loc_92DE09:				; CODE XREF: PiDmObjectManagerPopulate+FEj
		push	1
		push	ebx
		call	_RtlEnumerateGenericTableAvl@8 ; RtlEnumerateGenericTableAvl(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_92DDFB
		jmp	loc_898862
; END OF FUNCTION CHUNK	FOR PiDmObjectManagerPopulate
; 
; START	OF FUNCTION CHUNK FOR PiDmObjectCreate

loc_92DE1C:				; CODE XREF: PiDmObjectCreate+55j
		mov	esi, 0C000009Ah
		jmp	loc_8989BE
; 

loc_92DE26:				; CODE XREF: PiDmObjectCreate+168j
		mov	esi, 0C00000E5h
		jmp	loc_8989B1
; END OF FUNCTION CHUNK	FOR PiDmObjectCreate
; 
; START	OF FUNCTION CHUNK FOR WdipSemCleanupGroupPolicy

loc_92DE30:				; CODE XREF: WdipSemCleanupGroupPolicy+7j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	_WdipSemDisabledScenarioTable, 0
		retn
; END OF FUNCTION CHUNK	FOR WdipSemCleanupGroupPolicy
; 
; START	OF FUNCTION CHUNK FOR WdipSemLoadGroupPolicy

loc_92DE40:				; CODE XREF: WdipSemLoadGroupPolicy+29j
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		mov	edx, offset ??_C@_1DC@HIPLPNKJ@?$AAS?$AAc?$AAe?$AAn?$AAa?$AAr?$AAi?$AAo?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi@NNGAKEGL@
		push	eax
		push	esi
		push	esi
		call	WdipSemQueryValueFromRegistry
		mov	esi, eax
		test	esi, esi
		jns	short loc_92DE79
		mov	ecx, [ebp+var_4]
		call	_WdipSemLoadLocalGroupPolicy@4 ; WdipSemLoadLocalGroupPolicy(x)
		mov	esi, eax
		test	esi, esi
		jns	loc_898C3B
		call	WdipSemCleanupGroupPolicy
		jmp	loc_898C39
; 

loc_92DE79:				; CODE XREF: WdipSemLoadGroupPolicy+95251j
		cmp	[ebp+var_8], 0
		jnz	loc_898C3B
		mov	esi, 0C0000001h
		jmp	loc_898C3B
; 

loc_92DE8D:				; CODE XREF: WdipSemLoadGroupPolicy+35j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_898C45
; END OF FUNCTION CHUNK	FOR WdipSemLoadGroupPolicy
; 
; START	OF FUNCTION CHUNK FOR WdipSemLoadConfigInfo

loc_92DE9A:				; CODE XREF: WdipSemLoadConfigInfo+73j
		mov	_WdipSemTimeoutEnabled,	bl
		mov	eax, 258h
		jmp	loc_898CCD
; END OF FUNCTION CHUNK	FOR WdipSemLoadConfigInfo
; 
; START	OF FUNCTION CHUNK FOR WdipSemLoadNextEndEvent

loc_92DEAA:				; CODE XREF: WdipSemLoadNextEndEvent+70j
					; WdipSemLoadNextEndEvent+78j
		mov	esi, 0C000000Dh
		jmp	loc_89906F
; 

loc_92DEB4:				; CODE XREF: WdipSemLoadNextEndEvent+D7j
		mov	esi, 80000005h
		jmp	loc_89905B
; 

loc_92DEBE:				; CODE XREF: WdipSemLoadNextEndEvent+147j
					; WdipSemLoadNextEndEvent+150j	...
		mov	esi, 0C0000001h
		jmp	loc_89905B
; 

loc_92DEC8:				; CODE XREF: WdipSemLoadNextEndEvent+22Bj
		cmp	esi, 0C0000034h
		jnz	loc_89905B

loc_92DED4:				; CODE XREF: WdipSemLoadNextEndEvent+239j
		mov	byte ptr [edi+12h], 0FFh
		jmp	loc_898FDE
; 

loc_92DEDD:				; CODE XREF: WdipSemLoadNextEndEvent+268j
		cmp	esi, 0C0000034h
		jnz	loc_89905B

loc_92DEE9:				; CODE XREF: WdipSemLoadNextEndEvent+27Ej
		or	dword ptr [edi+18h], 0FFFFFFFFh
		or	dword ptr [edi+1Ch], 0FFFFFFFFh
		jmp	loc_899026
; END OF FUNCTION CHUNK	FOR WdipSemLoadNextEndEvent
; 
; START	OF FUNCTION CHUNK FOR WdipSemLoadNextContextProvider

loc_92DEF6:				; CODE XREF: WdipSemLoadNextContextProvider+74j
					; WdipSemLoadNextContextProvider+7Cj
		mov	esi, 0C000000Dh
		jmp	loc_8992EB
; 

loc_92DF00:				; CODE XREF: WdipSemLoadNextContextProvider+D9j
		mov	esi, 80000005h
		jmp	loc_8992D7
; 

loc_92DF0A:				; CODE XREF: WdipSemLoadNextContextProvider+127j
		mov	esi, 0C0000001h
		jmp	loc_8992D7
; 

loc_92DF14:				; CODE XREF: WdipSemLoadNextContextProvider+175j
		cmp	esi, 0C0000034h
		jnz	loc_8992D7

loc_92DF20:				; CODE XREF: WdipSemLoadNextContextProvider+183j
		mov	byte ptr [edi+12h], 0FFh
		jmp	loc_899222
; 

loc_92DF29:				; CODE XREF: WdipSemLoadNextContextProvider+1B2j
		cmp	esi, 0C0000034h
		jnz	loc_8992D7
		jmp	loc_899302
; 

loc_92DF3A:				; CODE XREF: WdipSemLoadNextContextProvider+1FAj
		mov	eax, [ebp+var_AC]
		mov	[edi+20h], eax
		jmp	loc_8992A2
; END OF FUNCTION CHUNK	FOR WdipSemLoadNextContextProvider
; 
; START	OF FUNCTION CHUNK FOR WdipSemLoadScenarioTable

loc_92DF48:				; CODE XREF: WdipSemLoadScenarioTable+19Ej
		mov	eax, [edi+400h]
		and	[ebp+var_B8], 0
		mov	[ebp+var_E4], eax
		test	eax, eax
		jz	loc_8994CA

loc_92DF63:				; CODE XREF: WdipSemLoadScenarioTable+94C6Fj
		push	10h
		pop	eax
		push	eax		; size_t
		lea	eax, [ebp+var_B0]
		push	edi		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8993D7
		mov	eax, [ebp+var_B8]
		add	edi, 10h
		inc	eax
		mov	[ebp+var_B8], eax
		cmp	eax, [ebp+var_E4]
		jb	short loc_92DF63
		jmp	loc_8994CA
; 

loc_92DF9C:				; CODE XREF: WdipSemLoadScenarioTable+33Cj
		cmp	[ebp+var_D4], 0
		mov	edi, [ebp+var_C4]
		jz	loc_8993DD
		jmp	loc_899668
; 

loc_92DFB4:				; CODE XREF: WdipSemLoadScenarioTable+366j
					; WdipSemLoadScenarioTable+373j ...
		mov	ecx, [ebp+var_BC]
		lea	eax, [ebp+var_D0]
		push	eax
		lea	eax, [ebp+var_B8]
		mov	edx, offset ??_C@_1CO@LFGCHFN@?$AAS?$AAc?$AAe?$AAn?$AAa?$AAr?$AAi?$AAo?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@NNGAKEGL@
		push	eax
		push	4
		push	4
		call	WdipSemQueryValueFromRegistry
		test	eax, eax
		js	loc_899520
		cmp	[ebp+var_B8], 0
		setz	al
		dec	al
		and	[ebp+var_B1], al
		jmp	loc_899520
; 

loc_92DFF5:				; CODE XREF: WdipSemLoadScenarioTable+286j
		push	offset _WDI_SEM_EVENT_INIT_MISCONFIG
		push	dword_6BCB74
		push	_WdipSemRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_8995F3
		mov	dx, [esi+10h]
		mov	ecx, esi
		push	edi
		call	_WdipSemWriteMisconfigEvent@12 ; WdipSemWriteMisconfigEvent(x,x,x)
		jmp	loc_8995F3
; 

loc_92E024:				; CODE XREF: WdipSemLoadScenarioTable+2A8j
					; WdipSemLoadScenarioTable+2FCj
		mov	ecx, edi
		call	_WdipSemRollBackProviderTable@4	; WdipSemRollBackProviderTable(x)
		jmp	loc_8995F3
; 

loc_92E030:				; CODE XREF: WdipSemLoadScenarioTable+293j
		push	offset _WDI_SEM_EVENT_INIT_SCENARIO_MAX
		push	dword_6BCB74
		push	_WdipSemRegHandle
		call	EtwEventEnabled
		mov	edi, [ebp+var_C4]
		test	al, al
		jz	loc_8993DD
		movzx	eax, word ptr [esi+10h]
		mov	edx, esi
		push	eax
		mov	ecx, offset _WDI_SEM_EVENT_INIT_SCENARIO_MAX
		call	_WdipSemWriteScenarioLimitExceededEvent@12 ; WdipSemWriteScenarioLimitExceededEvent(x,x,x)
		jmp	loc_8993D7
; 

loc_92E06A:				; CODE XREF: WdipSemLoadScenarioTable+2ECj
		mov	edi, 0C000009Ah
		jmp	loc_89970C
; 

loc_92E074:				; CODE XREF: WdipSemLoadScenarioTable+156j
		mov	edi, 80000005h
		jmp	loc_89970C
; 

loc_92E07E:				; CODE XREF: WdipSemLoadScenarioTable+408j
		push	[ebp+var_C0]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_C0], 0
		jmp	loc_899734
; 

loc_92E095:				; CODE XREF: WdipSemLoadScenarioTable+415j
		push	[ebp+var_BC]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_BC], 0
		jmp	loc_899741
; 

loc_92E0AC:				; CODE XREF: WdipSemLoadScenarioTable+422j
		push	[ebp+var_C8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_89974E
; END OF FUNCTION CHUNK	FOR WdipSemLoadScenarioTable
; 
; START	OF FUNCTION CHUNK FOR WdipSemLoadNextScenario

loc_92E0BC:				; CODE XREF: WdipSemLoadNextScenario+88j
					; WdipSemLoadNextScenario+90j
		mov	esi, 0C000000Dh
		jmp	loc_899AB7
; 

loc_92E0C6:				; CODE XREF: WdipSemLoadNextScenario+EFj
		mov	esi, 80000005h
		jmp	loc_899A7B
; 

loc_92E0D0:				; CODE XREF: WdipSemLoadNextScenario+949ADj
		movzx	eax, word ptr [edi+10h]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	_WdipSemWriteScenarioLimitExceededEvent@12 ; WdipSemWriteScenarioLimitExceededEvent(x,x,x)

loc_92E0DE:				; CODE XREF: WdipSemLoadNextScenario+15Fj
					; WdipSemLoadNextScenario+16Aj	...
		mov	esi, 0C0000001h
		jmp	loc_899A7B
; 

loc_92E0E8:				; CODE XREF: WdipSemLoadNextScenario+292j
		cmp	esi, 0C0000034h
		jnz	loc_899A7B
		jmp	loc_899AFE
; 

loc_92E0F9:				; CODE XREF: WdipSemLoadNextScenario+4FAj
		mov	esi, offset _WDI_SEM_EVENT_INIT_SCENARIO_END_EVENT_MAX
		jmp	short loc_92E105
; 

loc_92E100:				; CODE XREF: WdipSemLoadNextScenario+4C6j
		mov	esi, offset _WDI_SEM_EVENT_INIT_SCENARIO_CONTEXT_PROVIDER_MAX

loc_92E105:				; CODE XREF: WdipSemLoadNextScenario+94990j
		push	esi
		push	dword_6BCB74
		push	_WdipSemRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_92E0DE
		jmp	short loc_92E0D0
; 

loc_92E11D:				; CODE XREF: WdipSemLoadNextScenario+3D8j
					; WdipSemLoadNextScenario+47Ej
		mov	esi, 0C000009Ah
		jmp	loc_899A7B
; END OF FUNCTION CHUNK	FOR WdipSemLoadNextScenario
; 
; START	OF FUNCTION CHUNK FOR WdipSemQueryValueFromRegistry

loc_92E127:				; CODE XREF: WdipSemQueryValueFromRegistry+53j
					; WdipSemQueryValueFromRegistry+5Bj ...
		mov	esi, 0C000000Dh
		jmp	loc_899DB8
; END OF FUNCTION CHUNK	FOR WdipSemQueryValueFromRegistry
; 
; START	OF FUNCTION CHUNK FOR WdipSemUpdateProviderTableWithScenario

loc_92E131:				; CODE XREF: WdipSemUpdateProviderTableWithScenario+Bj
		mov	eax, 0C000000Dh
		jmp	loc_899F92
; END OF FUNCTION CHUNK	FOR WdipSemUpdateProviderTableWithScenario
; 
; START	OF FUNCTION CHUNK FOR WdipSemUpdateProviderTableWithEvent

loc_92E13B:				; CODE XREF: WdipSemUpdateProviderTableWithEvent+12j
		mov	ebx, 0C000000Dh
		jmp	loc_899FF8
; 

loc_92E145:				; CODE XREF: WdipSemUpdateProviderTableWithEvent+34j
		push	offset _WDI_SEM_EVENT_INIT_PROVIDER_MAX
		push	dword_6BCB74
		push	_WdipSemRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_92E166
		mov	ecx, esi
		call	_WdipSemWriteProviderLimitExceededEvent@4 ; WdipSemWriteProviderLimitExceededEvent(x)

loc_92E166:				; CODE XREF: WdipSemUpdateProviderTableWithEvent+94189j
		mov	ebx, 0C0000001h
		jmp	loc_899FF8
; END OF FUNCTION CHUNK	FOR WdipSemUpdateProviderTableWithEvent
; 
; START	OF FUNCTION CHUNK FOR WdipSemEnableAllProviders

loc_92E170:				; CODE XREF: WdipSemEnableAllProviders+7Ej
		push	8
		pop	ecx
		xor	eax, eax
		rep stosd

loc_92E177:				; CODE XREF: WdipSemEnableAllProviders+BDj
		push	8
		pop	ecx
		mov	edi, esi
		xor	eax, eax
		rep stosd
		jmp	loc_89A146
; END OF FUNCTION CHUNK	FOR WdipSemEnableAllProviders
; 
; START	OF FUNCTION CHUNK FOR WdipSemAddScenarioToTable

loc_92E185:				; CODE XREF: WdipSemAddScenarioToTable+Fj
		mov	esi, 0C000000Dh
		jmp	loc_89A1DB
; END OF FUNCTION CHUNK	FOR WdipSemAddScenarioToTable
; 
; START	OF FUNCTION CHUNK FOR WdipSemMergeScenarios

loc_92E18F:				; CODE XREF: WdipSemMergeScenarios+16j
					; WdipSemMergeScenarios+1Ej
		mov	edi, 0C000000Dh
		jmp	loc_89A2D7
; END OF FUNCTION CHUNK	FOR WdipSemMergeScenarios
; 
; START	OF FUNCTION CHUNK FOR WdipSemAddContextEventToScenario

loc_92E199:				; CODE XREF: WdipSemAddContextEventToScenario+15j
					; WdipSemAddContextEventToScenario+1Dj
		mov	ebx, 0C000000Dh
		jmp	loc_89A369
; 

loc_92E1A3:				; CODE XREF: WdipSemAddContextEventToScenario+70j
		push	30h
		pop	ecx
		call	_WdipSemAllocatePool@4 ; WdipSemAllocatePool(x)
		mov	edx, eax
		test	edx, edx
		jnz	loc_89A354
		mov	ebx, 0C000009Ah
		jmp	loc_89A368
; END OF FUNCTION CHUNK	FOR WdipSemAddContextEventToScenario
; 
; START	OF FUNCTION CHUNK FOR WdipSemAddEndEventToScenario

loc_92E1BF:				; CODE XREF: WdipSemAddEndEventToScenario+46j
					; WdipSemAddEndEventToScenario+57j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		inc	eax
		add	ecx, 4
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		cmp	eax, edi
		jb	loc_89A3B5

loc_92E1D7:				; CODE XREF: WdipSemAddEndEventToScenario+24j
		cmp	edi, 10h
		jb	short loc_92E1E6
		mov	ebx, 0C0000001h
		jmp	loc_89A3E6
; 

loc_92E1E6:				; CODE XREF: WdipSemAddEndEventToScenario+93E58j
		mov	ecx, offset unk_6BDBD8
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_92E20E
		push	30h
		pop	ecx
		call	_WdipSemAllocatePool@4 ; WdipSemAllocatePool(x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_92E20E
		mov	ebx, 0C000009Ah
		jmp	loc_89A3E6
; 

loc_92E20E:				; CODE XREF: WdipSemAddEndEventToScenario+93E72j
					; WdipSemAddEndEventToScenario+93E80j
		mov	eax, [ebp+var_10]
		mov	edi, edx
		push	0Ch
		pop	ecx
		rep movsd
		mov	ecx, [eax+34h]
		mov	[eax+ecx*4+228h], edx
		inc	dword ptr [eax+34h]
		jmp	loc_89A3E6
; END OF FUNCTION CHUNK	FOR WdipSemAddEndEventToScenario

;  S U B	R O U T	I N E 


sub_92E22A	proc near		; DATA XREF: .text:006A7354o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_92E22A	endp


;  S U B	R O U T	I N E 


sub_92E23A	proc near		; DATA XREF: .text:006A7358o

; FUNCTION CHUNK AT 0092E25C SIZE 0000000F BYTES

		mov	eax, [ebp-24h]
		jmp	short loc_92E25C
sub_92E23A	endp

; 
; START	OF FUNCTION CHUNK FOR ExpQueryModuleInformationEx

loc_92E23F:				; CODE XREF: ExpQueryModuleInformationEx+4Dj
		mov	eax, 0C0000001h
		jmp	loc_89A59B
; END OF FUNCTION CHUNK	FOR ExpQueryModuleInformationEx

;  S U B	R O U T	I N E 


sub_92E249	proc near		; DATA XREF: .text:006A7360o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_92E249	endp


;  S U B	R O U T	I N E 


sub_92E259	proc near		; DATA XREF: .text:006A7364o
		mov	eax, [ebp-28h]
sub_92E259	endp

; START	OF FUNCTION CHUNK FOR sub_92E23A

loc_92E25C:				; CODE XREF: sub_92E23A+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_89A59B
; END OF FUNCTION CHUNK	FOR sub_92E23A
; 
; START	OF FUNCTION CHUNK FOR PipApplyFunctionToServiceInstances

loc_92E26B:				; CODE XREF: PipApplyFunctionToServiceInstances+54j
		cmp	edi, 0C0000034h
		jnz	loc_89A735
		mov	edi, ebx
		jmp	loc_89A6D8
; 

loc_92E27E:				; CODE XREF: PipApplyFunctionToServiceInstances+92j
		mov	edi, 0C000009Ah
		jmp	loc_89A735
; END OF FUNCTION CHUNK	FOR PipApplyFunctionToServiceInstances
; 
; START	OF FUNCTION CHUNK FOR PoFxRegisterCoreDevice

loc_92E288:				; CODE XREF: PoFxRegisterCoreDevice+4Ej
		mov	esi, 0C000009Ah
		jmp	loc_89A928
; 

loc_92E292:				; CODE XREF: PoFxRegisterCoreDevice+24j
					; PoFxRegisterCoreDevice+30j ...
		mov	esi, 0C000000Dh
		jmp	loc_89A919
; END OF FUNCTION CHUNK	FOR PoFxRegisterCoreDevice
; 
; START	OF FUNCTION CHUNK FOR PoFxRegisterDevice

loc_92E29C:				; CODE XREF: PoFxRegisterDevice+1Bj
		mov	edi, 0C000000Dh
		jmp	loc_89AA6A
; 

loc_92E2A6:				; CODE XREF: PoFxRegisterDevice+130j
		mov	eax, [esi+28h]
		lea	ebx, [esi+30h]
		mov	edx, [esi+2Ch]
		mov	[esp+50h+var_3C], eax
		mov	eax, [esi+10h]
		mov	[esp+50h+var_28], eax
		mov	eax, [esi+14h]
		mov	[esp+50h+var_24], eax
		mov	eax, [esi+18h]
		mov	[esp+50h+var_20], eax
		mov	eax, [esi+1Ch]
		mov	[esp+50h+var_1C], eax
		mov	eax, [esi+20h]
		mov	[esp+50h+var_18], eax
		mov	eax, [esi+24h]
		mov	[esp+50h+var_14], eax
		mov	eax, [esi+8]
		mov	[esp+50h+var_34], eax
		mov	eax, [esi+0Ch]
		mov	[esp+50h+var_38], eax
		jmp	loc_89AA10
; 

loc_92E2F0:				; CODE XREF: PoFxRegisterDevice+213j
		cmp	[esp+50h+var_24], 0
		jnz	loc_89AA57
		cmp	[esp+50h+var_20], 0
		jnz	loc_89AA57
		cmp	[esp+50h+var_1C], 0
		jnz	loc_89AA57
		cmp	[esp+50h+var_18], 0
		jnz	loc_89AA57
		lock or	[edx], eax
		jmp	loc_89AA57
; 

loc_92E324:				; CODE XREF: PoFxRegisterDevice+DBj
					; PoFxRegisterDevice+139j ...
		mov	edi, 0C000000Dh
		jmp	loc_89AA54
; END OF FUNCTION CHUNK	FOR PoFxRegisterDevice
; 
; START	OF FUNCTION CHUNK FOR PopFxRegisterDevice

loc_92E32E:				; CODE XREF: PopFxRegisterDevice+27j
		mov	edi, 0C000000Dh
		jmp	loc_89AC80
; 

loc_92E338:				; CODE XREF: PopFxRegisterDevice+3Dj
		mov	edi, 0C000000Dh
		jmp	loc_89AC78
; 

loc_92E342:				; CODE XREF: PopFxRegisterDevice+4Ej
		mov	edi, 0C000000Dh
		jmp	short loc_92E34D
; 

loc_92E349:				; CODE XREF: PopFxRegisterDevice+A1j
		and	[ebp+var_4], 0

loc_92E34D:				; CODE XREF: PopFxRegisterDevice+937DDj
					; PopFxRegisterDevice+937F0j
		mov	ecx, [ebp+var_8]
		jmp	loc_89AC70
; 

loc_92E355:				; CODE XREF: PopFxRegisterDevice+6Dj
		mov	edi, 0C00000A3h
		jmp	short loc_92E34D
; 

loc_92E35C:				; CODE XREF: PopFxRegisterDevice+B2j
		mov	edx, [esi+10h]
		mov	ecx, 600h
		push	edi
		push	edi
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_92E36B:				; CODE XREF: PopFxRegisterDevice+108j
		mov	edx, 78466F50h
		call	ObfDereferenceObjectWithTag
		jmp	loc_89AC78
; 

loc_92E37A:				; CODE XREF: PopFxRegisterDevice+110j
		mov	edx, 78466F50h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		jmp	loc_89AC80
; END OF FUNCTION CHUNK	FOR PopFxRegisterDevice
; 
; START	OF FUNCTION CHUNK FOR PopPepRegisterDevice

loc_92E38B:				; CODE XREF: PopPepRegisterDevice+247j
		push	54706550h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_89B67A
; END OF FUNCTION CHUNK	FOR PopPepRegisterDevice
; 
; START	OF FUNCTION CHUNK FOR PipProcessStartPhase1

loc_92E39B:				; CODE XREF: PipProcessStartPhase1+1Dj
		push	dword ptr [esi+18h]
		mov	edx, offset _KMPnPEvt_ProcessDeviceStart_Start
		push	1
		push	ecx
		call	_McTemplateK0dz_EtwWriteTransfer@20 ; McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)
		jmp	loc_89B6C5
; 

loc_92E3B0:				; CODE XREF: PipProcessStartPhase1+39j
		xor	cl, cl
		call	_PpProfileBeginHardwareProfileTransition@4 ; PpProfileBeginHardwareProfileTransition(x)
		push	2
		pop	edx
		mov	ecx, esi
		call	_PpProfileIncludeInHardwareProfileTransition@8 ; PpProfileIncludeInHardwareProfileTransition(x,x)
		push	ebx
		lea	eax, [ebp+var_4]
		xor	cl, cl
		push	eax
		push	2
		pop	edx
		call	_PpProfileQueryHardwareProfileChange@16	; PpProfileQueryHardwareProfileChange(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_89B6F9
		mov	edi, [ebp+var_8]
		jmp	loc_89B6E1
; 

loc_92E3E2:				; CODE XREF: PipProcessStartPhase1+45j
		mov	ecx, [esi+1D0h]
		test	ecx, ecx
		jz	loc_89B6ED
		call	_PiIommuUnblockDevice@4	; PiIommuUnblockDevice(x)
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_89B6ED
		mov	edx, 1F4h
		lea	edi, [esi+14h]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		xor	edx, edx
		cmp	[edi], dx
		jz	short loc_92E42C
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock
		xor	edx, edx

loc_92E42C:				; CODE XREF: PipProcessStartPhase1+92D71j
		lea	edi, [esi+1Ch]
		cmp	[edi], dx
		jz	short loc_92E44B
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [esi+20h]
		call	IoAddTriageDumpDataBlock
		xor	edx, edx

loc_92E44B:				; CODE XREF: PipProcessStartPhase1+92D90j
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_92E471
		lea	ecx, [eax+1Ch]
		cmp	[ecx], dx
		jz	short loc_92E471
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_92E471:				; CODE XREF: PipProcessStartPhase1+92DAEj
					; PipProcessStartPhase1+92DB6j
		push	esi
		push	ebx
		push	1000h
		push	13h
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_92E484:				; CODE XREF: PipProcessStartPhase1+5Ej
		push	dword ptr [esi+18h]
		mov	edx, offset _KMPnPEvt_ProcessDeviceStart_Stop
		push	1
		push	ecx
		call	_McTemplateK0dz_EtwWriteTransfer@20 ; McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)
		jmp	loc_89B706
; END OF FUNCTION CHUNK	FOR PipProcessStartPhase1
; 
; START	OF FUNCTION CHUNK FOR PnpStartDeviceNode

loc_92E499:				; CODE XREF: PnpStartDeviceNode+90j
		xor	ebx, ebx

loc_92E49B:				; CODE XREF: PnpStartDeviceNode+3Cj
					; PnpStartDeviceNode+49j ...
		lea	edx, [esi+14h]
		mov	ecx, offset _KMPnPEvt_DeviceStart_Start
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		push	ebx
		push	1
		lea	eax, [ebp+var_18]
		mov	[ebp+var_8], 0C0000001h
		push	eax
		mov	[ebp+var_1C], ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, [esi+10h]
		lea	eax, [ebp+var_1C]
		push	eax
		mov	edx, offset _PnpDiagnosticCompletionRoutine@12 ; PnpDiagnosticCompletionRoutine(x,x,x)
		call	_PnpStartDevice@12 ; PnpStartDevice(x,x,x)
		mov	ebx, eax
		cmp	ebx, 103h
		jnz	short loc_92E4EB
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	KeWaitForSingleObject
		mov	ebx, [ebp+var_8]

loc_92E4EB:				; CODE XREF: PnpStartDeviceNode+92DB5j
		test	ebx, ebx
		js	short loc_92E51C
		mov	ecx, [esi+10h]
		call	PipUpdatePostStartCharacteristics
		mov	edx, [esi+18h]
		xor	eax, eax
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_DriverProblemDesc ; "~\vT@Ej\vL\v"
		push	eax
		push	eax
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [esi+10h]
		call	PiSwProcessParentStartIrp

loc_92E51C:				; CODE XREF: PnpStartDeviceNode+92DCBj
		push	[ebp+var_1C]
		mov	edx, ebx
		mov	[esi+108h], ebx
		mov	ecx, esi
		call	PnpTraceStartDevice
		push	ecx
		lea	edx, [edi+306h]
		mov	ecx, esi
		call	PipSetDevNodeState
		jmp	loc_89B808
; END OF FUNCTION CHUNK	FOR PnpStartDeviceNode
; 
; START	OF FUNCTION CHUNK FOR PopFxFindDeviceAndAllocateUniqueId

loc_92E541:				; CODE XREF: PopFxFindDeviceAndAllocateUniqueId+35j
		mov	eax, [ebp+var_C]
		mov	ecx, 2000h
		mov	[esi+48h], eax
		mov	eax, [ebp+var_8]
		mov	[esi+4Ch], eax
		lea	eax, [esi+0A8h]
		lock or	[eax], ecx
		jmp	loc_89B88D
; 

loc_92E560:				; CODE XREF: PopFxFindDeviceAndAllocateUniqueId+41j
		cmp	[ebp+var_8], 0
		jz	loc_89B88F
		push	4D584650h
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_89B88F
; END OF FUNCTION CHUNK	FOR PopFxFindDeviceAndAllocateUniqueId
; 
; START	OF FUNCTION CHUNK FOR IopUncacheInterfaceInformation

loc_92E57C:				; CODE XREF: IopUncacheInterfaceInformation+4Dj
		mov	eax, [esi+0Ch]
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_92E599
		push	dword ptr [eax+4]
		call	dword ptr [eax+0Ch]
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92E599:				; CODE XREF: IopUncacheInterfaceInformation+92CDDj
		mov	esi, [esi]
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_89B8F5
; 

loc_92E5AA:				; CODE XREF: IopUncacheInterfaceInformation+5Dj
		mov	eax, [esi+0Ch]
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_92E5C7
		push	dword ptr [eax+4]
		call	dword ptr [eax+0Ch]
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92E5C7:				; CODE XREF: IopUncacheInterfaceInformation+92D0Bj
		mov	esi, [esi]
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_89B905
; END OF FUNCTION CHUNK	FOR IopUncacheInterfaceInformation
; 
; START	OF FUNCTION CHUNK FOR PopFxConvertV1Components

loc_92E5D8:				; CODE XREF: PopFxConvertV1Components+1B1j
		push	4D584650h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_89BB0B
; END OF FUNCTION CHUNK	FOR PopFxConvertV1Components
; 
; START	OF FUNCTION CHUNK FOR IopRegistryInitializeCallbacks

loc_92E5E8:				; CODE XREF: IopRegistryInitializeCallbacks+33j
		and	dword ptr [esi+4], 0
		jmp	loc_89BBA1
; END OF FUNCTION CHUNK	FOR IopRegistryInitializeCallbacks
; 
; START	OF FUNCTION CHUNK FOR IopRegistryCallback

loc_92E5F1:				; CODE XREF: IopRegistryCallback+50j
		push	dword_6B2D3C[edi]
		call	off_6B2D38[edi]	; IopSymlinkRegistryCallback(x)
		mov	eax, dword_6B2D34[edi]
		lea	esi, dword_6B2D60[edi]
		mov	ecx, dword_6B2D40[edi]
		xor	edx, edx
		push	1
		push	edx
		push	edx
		push	1
		push	eax
		push	esi
		push	1
		push	ebx
		push	edx
		push	ecx
		call	_ZwNotifyChangeKey@40 ;	ZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	loc_89BC76
		jmp	loc_89BC14
; 

loc_92E630:				; CODE XREF: IopRegistryCallback+90j
		push	dword_6B2D3C[edi]
		or	dword_6B2D44[edi], 1
		call	off_6B2D38[edi]	; IopSymlinkRegistryCallback(x)
		jmp	loc_89BC4E
; 

loc_92E648:				; CODE XREF: IopRegistryCallback+70j
					; IopRegistryCallback+B8j
		push	dword_6B2D40[edi]
		call	_ZwClose@4	; ZwClose(x)
		and	dword_6B2D34[edi], 0
		jmp	loc_89BC76
; END OF FUNCTION CHUNK	FOR IopRegistryCallback
; 
; START	OF FUNCTION CHUNK FOR NtLockProductActivationKeys

loc_92E65F:				; CODE XREF: NtLockProductActivationKeys+60j
		mov	eax, 0C0000001h
		jmp	loc_89C13C
; 

loc_92E669:				; CODE XREF: NtLockProductActivationKeys+10Aj
		and	[ebp+ms_exc.disabled], 0
		test	ebx, ebx
		jz	short loc_92E689
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_92E67E
		mov	ecx, eax

loc_92E67E:				; CODE XREF: NtLockProductActivationKeys+92850j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, _InitSafeBootMode
		mov	[ebx], eax

loc_92E689:				; CODE XREF: NtLockProductActivationKeys+92845j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_89BF42
; END OF FUNCTION CHUNK	FOR NtLockProductActivationKeys

;  S U B	R O U T	I N E 


sub_92E695	proc near		; DATA XREF: .text:006A737Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-874h], eax
		xor	eax, eax
		inc	eax
		retn
sub_92E695	endp


;  S U B	R O U T	I N E 


sub_92E6A6	proc near		; DATA XREF: .text:006A7380o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-874h]
		jmp	loc_89C13C
sub_92E6A6	endp

; 
; START	OF FUNCTION CHUNK FOR NtLockProductActivationKeys

loc_92E6BB:				; CODE XREF: NtLockProductActivationKeys+112j
		mov	eax, _InitSafeBootMode
		mov	[ebx], eax
		jmp	loc_89BF42
; 

loc_92E6C7:				; CODE XREF: NtLockProductActivationKeys+1DDj
		mov	ebx, 0C0000017h
		mov	eax, [ebp+var_860]
		jmp	loc_89C10C
; END OF FUNCTION CHUNK	FOR NtLockProductActivationKeys
; 
; START	OF FUNCTION CHUNK FOR CmpFindSubkeyInHashByChildCell

loc_92E6D7:				; CODE XREF: CmpFindSubkeyInHashByChildCell+3Cj
		mov	eax, 0C000009Ah
		jmp	loc_89C263
; 

loc_92E6E1:				; CODE XREF: CmpFindSubkeyInHashByChildCell+54j
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_18]
		mov	word ptr [ebp+var_18], dx
		mov	word ptr [ebp+var_18+2], dx
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)
		jmp	loc_89C207
; 

loc_92E6F9:				; CODE XREF: CmpFindSubkeyInHashByChildCell+A6j
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+arg_4]
		mov	byte ptr [ebp+var_5], 0

loc_92E706:				; CODE XREF: CmpFindSubkeyInHashByChildCell+9259Aj
		cmp	ecx, [esi]
		jnz	short loc_92E73D
		cmp	edx, [esi+0Ch]
		jnz	short loc_92E73D
		cmp	eax, [esi+8]
		jnz	short loc_92E73D
		lea	eax, [ebp+var_5]
		add	esi, 0FFFFFFF8h
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_CmpIsKcbLockAllowed@12	; CmpIsKcbLockAllowed(x,x,x)
		test	al, al
		jnz	short loc_92E749
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [esi+1Ch]
		jmp	short loc_92E777
; 

loc_92E73D:				; CODE XREF: CmpFindSubkeyInHashByChildCell+92560j
					; CmpFindSubkeyInHashByChildCell+92565j ...
		mov	esi, [esi+4]
		test	esi, esi
		jnz	short loc_92E706
		jmp	loc_89C254
; 

loc_92E749:				; CODE XREF: CmpFindSubkeyInHashByChildCell+9257Ej
		test	ebx, ebx
		jz	short loc_92E775
		lea	eax, [ebp+var_5]
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	_CmpIsKcbLockAllowed@12	; CmpIsKcbLockAllowed(x,x,x)
		test	al, al
		jnz	short loc_92E775
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [esi+1Ch]
		mov	edi, ebx
		jmp	short loc_92E777
; 

loc_92E775:				; CODE XREF: CmpFindSubkeyInHashByChildCell+925A3j
					; CmpFindSubkeyInHashByChildCell+925B4j
		mov	edi, esi

loc_92E777:				; CODE XREF: CmpFindSubkeyInHashByChildCell+92593j
					; CmpFindSubkeyInHashByChildCell+925CBj
		lea	ecx, [edi+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [edi+1Ch]
		mov	ecx, esi
		call	CmpReferenceKeyControlBlock
		mov	eax, [ebp+arg_8]
		mov	ecx, esi
		mov	[eax], esi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		jmp	loc_89C254
; END OF FUNCTION CHUNK	FOR CmpFindSubkeyInHashByChildCell
; 
; START	OF FUNCTION CHUNK FOR SdbpResolveMatchingFile

loc_92E79D:				; CODE XREF: SdbpResolveMatchingFile+2Fj
		push	offset ??_C@_0BK@MOBDPHHJ@Invalid?5match?5file?5length@NNGAKEGL@
		push	2DEh
		push	(offset	loc_8C28AD+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_89C80A
; 

loc_92E7BB:				; CODE XREF: SdbpResolveMatchingFile+55j
		push	eax
		push	offset ??_C@_0CE@JCOOOONA@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@
		push	2F3h
		jmp	short loc_92E7D3
; 

loc_92E7C8:				; CODE XREF: SdbpResolveMatchingFile+98j
		push	eax
		push	(offset	loc_8C2871+1)
		push	304h

loc_92E7D3:				; CODE XREF: SdbpResolveMatchingFile+92196j
		push	(offset	loc_8C28AD+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_89C809
; 

loc_92E7E7:				; CODE XREF: SdbpResolveMatchingFile+3Fj
		mov	edx, eax
		lea	ecx, [ebp+var_4]
		mov	eax, [ebp+arg_8]
		push	ecx
		mov	ecx, [eax+4]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_92E808
		push	offset ??_C@_0BC@IOBBHNBA@Invalid?5path?5size@NNGAKEGL@
		push	311h
		jmp	short loc_92E859
; 

loc_92E808:				; CODE XREF: SdbpResolveMatchingFile+921CAj
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_92E827
		push	offset ??_C@_0BC@IOBBHNBA@Invalid?5path?5size@NNGAKEGL@
		push	316h
		jmp	short loc_92E859
; 

loc_92E827:				; CODE XREF: SdbpResolveMatchingFile+921E9j
		mov	ecx, [ebp+var_4]
		jmp	loc_89C6D7
; 

loc_92E82F:				; CODE XREF: SdbpResolveMatchingFile+B5j
		push	offset ??_C@_0BC@IOBBHNBA@Invalid?5path?5size@NNGAKEGL@
		push	31Ch
		jmp	short loc_92E859
; 

loc_92E83B:				; CODE XREF: SdbpResolveMatchingFile+CFj
		push	(offset	loc_8C2A1D+1)
		push	321h
		jmp	short loc_92E859
; 

loc_92E847:				; CODE XREF: SdbpResolveMatchingFile+DDj
		mov	edi, [ebp+var_4]
		jmp	loc_89C713
; 

loc_92E84F:				; CODE XREF: SdbpResolveMatchingFile+EFj
		push	offset ??_C@_0O@NALGGDJF@Out?5of?5memory@NNGAKEGL@
		push	329h

loc_92E859:				; CODE XREF: SdbpResolveMatchingFile+921D6j
					; SdbpResolveMatchingFile+921F5j ...
		push	(offset	loc_8C28AD+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_89C809
; 

loc_92E86D:				; CODE XREF: SdbpResolveMatchingFile+114j
		push	eax
		push	offset ??_C@_0CE@JCOOOONA@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@
		push	335h
		jmp	short loc_92E885
; 

loc_92E87A:				; CODE XREF: SdbpResolveMatchingFile+168j
		push	eax
		push	(offset	loc_8C298B+1)
		push	35Fh

loc_92E885:				; CODE XREF: SdbpResolveMatchingFile+92248j
		push	(offset	loc_8C28AD+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_89C801
; 

loc_92E899:				; CODE XREF: SdbpResolveMatchingFile+156j
		push	eax
		push	[ebp+arg_0]
		push	(offset	loc_8C29CF+1)
		push	346h
		push	(offset	loc_8C28AD+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	loc_89C801
; 

loc_92E8BB:				; CODE XREF: SdbpResolveMatchingFile+FEj
		mov	ecx, [ebp+arg_8]
		mov	eax, [ecx+4]
		add	eax, eax
		push	eax		; size_t
		push	dword ptr [ecx]	; void *
		push	esi		; void *
		call	_memmove
		mov	eax, [ebp+arg_4]
		lea	eax, ds:2[eax*2]
		push	eax		; size_t
		mov	eax, [ebp+arg_8]
		push	[ebp+arg_0]	; void *
		mov	eax, [eax+4]
		lea	eax, [esi+eax*2]
		push	eax		; void *
		call	_memmove
		add	esp, 18h
		shr	edi, 1
		jmp	loc_89C78C
; 

loc_92E8F3:				; CODE XREF: SdbpResolveMatchingFile+17Aj
		push	74705041h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_14]
		jmp	loc_89C7F7
; 

loc_92E906:				; CODE XREF: SdbpResolveMatchingFile+1D3j
		push	74705041h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_89C809
; END OF FUNCTION CHUNK	FOR SdbpResolveMatchingFile
; 
; START	OF FUNCTION CHUNK FOR AslEnvExpandStrings2

loc_92E916:				; CODE XREF: AslEnvExpandStrings2+65j
		push	(offset	loc_8C5375+5)
		mov	esi, 0C00000E5h
		push	307h
		jmp	short loc_92E936
; 

loc_92E927:				; CODE XREF: AslEnvExpandStrings2+80j
		push	offset ??_C@_0O@NALGGDJF@Out?5of?5memory@NNGAKEGL@
		mov	esi, 0C0000017h
		push	30Fh

loc_92E936:				; CODE XREF: AslEnvExpandStrings2+92113j
		push	(offset	loc_8C532C+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_89C917
; 

loc_92E94A:				; CODE XREF: AslEnvExpandStrings2+B5j
		push	esi
		push	offset ??_C@_0BP@FBDBOKFK@AslpEnvResolveVars?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	31Bh
		jmp	short loc_92E962
; 

loc_92E957:				; CODE XREF: AslEnvExpandStrings2+F0j
		push	esi
		push	offset ??_C@_0CA@IDIOIIBO@AslEnvExpandStrings?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	32Ah

loc_92E962:				; CODE XREF: AslEnvExpandStrings2+92143j
		push	(offset	loc_8C532C+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_89C908
; END OF FUNCTION CHUNK	FOR AslEnvExpandStrings2
; 
; START	OF FUNCTION CHUNK FOR AslpEnvResolveVars

loc_92E976:				; CODE XREF: AslpEnvResolveVars+95j
		movzx	eax, cx
		push	eax
		movzx	eax, si
		push	eax
		push	offset ??_C@_0HA@EFIDDFNE@Invalid?5combination?5of?5Host?1Cur@NNGAKEGL@
		push	3C3h
		push	offset ??_C@_0BD@FJEPFPIH@AslpEnvResolveVars@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h

loc_92E997:				; CODE XREF: AslpEnvResolveVars+6Bj
		cmp	[ebp+var_4], 0
		jnz	loc_89C9BB
		push	off_6B306C[ebx]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		js	short loc_92EA35
		mov	eax, dword_6B3070[ebx]
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+arg_4]
		lea	eax, [ecx+eax*2]
		mov	ecx, [ebp+arg_0]
		push	eax
		call	_RtlStringCchCatW@12 ; RtlStringCchCatW(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_89C9BB
		push	esi
		push	offset ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	3DAh
		jmp	short loc_92EA21
; 

loc_92E9E7:				; CODE XREF: AslpEnvResolveVars+4Fj
		mov	eax, [ebp+var_C]
		jmp	loc_89C9C4
; 

loc_92E9EF:				; CODE XREF: AslpEnvResolveVars+129j
		push	esi
		push	offset ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	3B8h
		jmp	short loc_92EA21
; 

loc_92E9FC:				; CODE XREF: AslpEnvResolveVars+107j
		push	esi
		push	offset ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	3B2h
		jmp	short loc_92EA21
; 

loc_92EA09:				; CODE XREF: AslpEnvResolveVars+E9j
		push	esi
		push	offset ??_C@_0BO@LFCDCAJH@RtlStringCchCopyW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	3ACh
		jmp	short loc_92EA21
; 

loc_92EA16:				; CODE XREF: AslpEnvResolveVars+92158j
		push	esi
		push	offset ??_C@_0BO@LFCDCAJH@RtlStringCchCopyW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	3FAh

loc_92EA21:				; CODE XREF: AslpEnvResolveVars+920C5j
					; AslpEnvResolveVars+920DAj ...
		push	offset ??_C@_0BD@FJEPFPIH@AslpEnvResolveVars@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_89C9E3
; 

loc_92EA35:				; CODE XREF: AslpEnvResolveVars+92096j
		push	esi
		push	offset ??_C@_0BO@LFCDCAJH@RtlStringCchCopyW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	3D4h
		jmp	short loc_92EA21
; 

loc_92EA42:				; CODE XREF: AslpEnvResolveVars+B4j
		test	eax, eax
		jnz	loc_89CA65
		mov	edi, esi
		cmp	esi, [ebp+arg_4]
		jbe	short loc_92EA60
		mov	eax, [ebp+arg_10]
		mov	[eax], esi
		mov	esi, 0C0000023h
		jmp	loc_89C9E3
; 

loc_92EA60:				; CODE XREF: AslpEnvResolveVars+9212Fj
		push	[ebp+var_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		jns	loc_89CA65
		jmp	short loc_92EA16
; END OF FUNCTION CHUNK	FOR AslpEnvResolveVars
; 
; START	OF FUNCTION CHUNK FOR AslEnvExpandStrings

loc_92EA7A:				; CODE XREF: AslEnvExpandStrings+11Ej
		cmp	eax, 0C0000100h
		jz	short loc_92EA9B
		push	eax
		push	offset ??_C@_0BL@JLFODMA@AslEnvVarQuery?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	27Fh
		push	offset ??_C@_0BE@MJPLEBLE@AslEnvExpandStrings@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_92EA9B:				; CODE XREF: AslEnvExpandStrings+92013j
		mov	ecx, [ebp+var_4]
		mov	edi, [ebp+arg_0]
		inc	ecx
		mov	esi, [ebp+var_C]
		jmp	loc_89CB80
; 

loc_92EAAA:				; CODE XREF: AslEnvExpandStrings+13Aj
		mov	[ebp+var_8], edx
		mov	edx, [ebp+arg_8]
		jmp	loc_89CAD4
; 

loc_92EAB5:				; CODE XREF: AslEnvExpandStrings+50j
		mov	[ebp+var_8], 0C0000023h
		jmp	loc_89CACF
; 

loc_92EAC1:				; CODE XREF: AslEnvExpandStrings+7Fj
		mov	eax, 0C0000023h
		jmp	loc_89CAF6
; END OF FUNCTION CHUNK	FOR AslEnvExpandStrings
; 
; START	OF FUNCTION CHUNK FOR AslEnvVarQuery

loc_92EACB:				; CODE XREF: AslEnvVarQuery+77j
		cmp	[ebp+arg_8], 1
		jb	loc_89CC41
		xor	ecx, ecx
		mov	[eax], cx
		jmp	loc_89CC41
; 

loc_92EADF:				; CODE XREF: AslEnvVarQuery+35j
					; AslEnvVarQuery+4Ej
		test	ebx, ebx
		jz	loc_92EBDF

loc_92EAE7:				; CODE XREF: AslEnvVarQuery+91FF5j
		cmp	[ebx], si
		jz	loc_92EBDF
		mov	edi, [ebp+var_4]
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_8], ebx
		push	3Dh
		pop	ecx
		cmp	edi, edx
		jnb	short loc_92EB31

loc_92EB00:				; CODE XREF: AslEnvVarQuery+91F64j
		movzx	ecx, word ptr [ebx]
		test	cx, cx
		jz	short loc_92EB2A
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	cx, [edi]
		mov	si, ax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	edx, [ebp+arg_0]
		cmp	si, ax
		jnz	short loc_92EB2A
		add	edi, 2
		add	ebx, 2
		cmp	edi, edx
		jb	short loc_92EB00

loc_92EB2A:				; CODE XREF: AslEnvVarQuery+91F42j
					; AslEnvVarQuery+91F5Aj
		push	3Dh
		xor	esi, esi
		cmp	edi, edx
		pop	ecx

loc_92EB31:				; CODE XREF: AslEnvVarQuery+91F3Aj
		jnz	short loc_92EB3D
		cmp	[ebx], cx
		jnz	short loc_92EB3D
		xor	edi, edi
		inc	edi
		jmp	short loc_92EB6C
; 

loc_92EB3D:				; CODE XREF: AslEnvVarQuery:loc_92EB31j
					; AslEnvVarQuery+91F72j
		movzx	eax, word ptr [ebx]
		mov	edi, esi
		mov	ecx, eax
		test	ax, ax
		jz	short loc_92EB67
		mov	edx, eax

loc_92EB4B:				; CODE XREF: AslEnvVarQuery+91FA1j
		push	3Dh
		pop	eax
		cmp	dx, ax
		jnz	short loc_92EB58
		cmp	ebx, [ebp+var_8]
		jnz	short loc_92EB6C

loc_92EB58:				; CODE XREF: AslEnvVarQuery+91F8Dj
		add	ebx, 2
		movzx	eax, word ptr [ebx]
		mov	edx, eax
		mov	ecx, eax
		test	ax, ax
		jnz	short loc_92EB4B

loc_92EB67:				; CODE XREF: AslEnvVarQuery+91F83j
		test	cx, cx
		jz	short loc_92EBB6

loc_92EB6C:				; CODE XREF: AslEnvVarQuery+91F77j
					; AslEnvVarQuery+91F92j
		mov	ecx, ebx
		cmp	[ebx], si
		jz	short loc_92EB8C
		mov	edx, esi

loc_92EB75:				; CODE XREF: AslEnvVarQuery+91FC6j
		mov	eax, edx
		and	eax, 0FFFFFFFEh
		cmp	eax, 0FFFEh
		jge	short loc_92EB8C
		add	ebx, 2
		add	edx, 2
		cmp	[ebx], si
		jnz	short loc_92EB75

loc_92EB8C:				; CODE XREF: AslEnvVarQuery+91FADj
					; AslEnvVarQuery+91FBBj
		test	edi, edi
		jz	short loc_92EBB6
		add	ecx, 2
		sub	ebx, ecx
		sar	ebx, 1
		cmp	ebx, [ebp+arg_8]
		jb	short loc_92EBBE
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_92EBAE
		cmp	[ebp+arg_8], 1
		jb	short loc_92EBAE
		xor	ecx, ecx
		mov	[eax], cx

loc_92EBAE:				; CODE XREF: AslEnvVarQuery+91FDDj
					; AslEnvVarQuery+91FE3j
		mov	eax, 0C0000023h
		inc	ebx
		jmp	short loc_92EBD5
; 

loc_92EBB6:				; CODE XREF: AslEnvVarQuery+91FA6j
					; AslEnvVarQuery+91FCAj
		add	ebx, 2
		jmp	loc_92EAE7
; 

loc_92EBBE:				; CODE XREF: AslEnvVarQuery+91FD6j
		mov	esi, [ebp+arg_4]
		lea	edi, [ebx+ebx]
		push	edi		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		mov	[edi+esi], ax

loc_92EBD5:				; CODE XREF: AslEnvVarQuery+91FF0j
		mov	ecx, [ebp+arg_C]
		mov	[ecx], ebx
		jmp	loc_89CC4E
; 

loc_92EBDF:				; CODE XREF: AslEnvVarQuery+91F1Dj
					; AslEnvVarQuery+91F26j
		mov	eax, 0C0000100h
		jmp	loc_89CC4E
; END OF FUNCTION CHUNK	FOR AslEnvVarQuery
; 
; START	OF FUNCTION CHUNK FOR AslImageFileToArchitecture

loc_92EBE9:				; CODE XREF: AslImageFileToArchitecture+Aj
		mov	ax, word_6B6494[eax*4]
		retn
; END OF FUNCTION CHUNK	FOR AslImageFileToArchitecture
; 
; START	OF FUNCTION CHUNK FOR AslEnvGetProcessWowInfo

loc_92EBF2:				; CODE XREF: AslEnvGetProcessWowInfo+43j
		push	esi
		push	offset ??_C@_0CF@MHINMGAF@ZwQuerySystemInformation?5failed@NNGAKEGL@
		push	6F7h
		jmp	short loc_92EC0A
; 

loc_92EBFF:				; CODE XREF: AslEnvGetProcessWowInfo+69j
		push	esi
		push	offset ??_C@_0CF@MHINMGAF@ZwQuerySystemInformation?5failed@NNGAKEGL@
		push	722h

loc_92EC0A:				; CODE XREF: AslEnvGetProcessWowInfo+91F6Fj
		push	offset ??_C@_0BI@EDMELJOD@AslEnvGetProcessWowInfo@NNGAKEGL@
		push	edi
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_89CD06
; END OF FUNCTION CHUNK	FOR AslEnvGetProcessWowInfo
; 
; START	OF FUNCTION CHUNK FOR AslPathToNetworkPathNt

loc_92EC1D:				; CODE XREF: AslPathToNetworkPathNt+21j
		mov	ecx, offset ??_C@_1BC@MAMPPFNN@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAU?$AAN?$AAC?$AA?2@NNGAKEGL@
		lea	edx, [ecx+2]

loc_92EC25:				; CODE XREF: AslPathToNetworkPathNt+91F14j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_92EC25
		sub	ecx, edx
		mov	edx, ebx
		push	edi
		sar	ecx, 1
		lea	edi, [edx+2]

loc_92EC3A:				; CODE XREF: AslPathToNetworkPathNt+91F29j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, si
		jnz	short loc_92EC3A
		sub	edx, edi
		sar	edx, 1
		push	ecx
		lea	ebx, [edx+1]
		add	ebx, ecx
		lea	edx, [ebx+ebx]
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_92EC7D
		push	offset ??_C@_0O@NALGGDJF@Out?5of?5memory@NNGAKEGL@
		push	15Fh
		push	offset ??_C@_0BH@JIFINNLN@AslPathToNetworkPathNt@NNGAKEGL@
		push	1
		mov	esi, 0C0000017h
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_92EC9F
; 

loc_92EC7D:				; CODE XREF: AslPathToNetworkPathNt+91F41j
		push	offset ??_C@_1BC@MAMPPFNN@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAU?$AAN?$AAC?$AA?2@NNGAKEGL@
		push	ebx
		push	edi
		call	_wcscpy_s
		mov	eax, [ebp+var_4]
		add	eax, 4
		push	eax
		push	ebx
		push	edi
		call	_wcscat_s
		add	esp, 18h
		mov	eax, [ebp+var_8]
		mov	[eax], edi

loc_92EC9F:				; CODE XREF: AslPathToNetworkPathNt+91F61j
		pop	edi
		jmp	loc_89CD46
; END OF FUNCTION CHUNK	FOR AslPathToNetworkPathNt
; 
; START	OF FUNCTION CHUNK FOR AslpDetermineDosPathNameType

loc_92ECA5:				; CODE XREF: AslpDetermineDosPathNameType+2Bj
					; AslpDetermineDosPathNameType+34j
		movzx	eax, word ptr [ecx+2]
		cmp	ax, si
		jz	short loc_92ECBA
		cmp	ax, dx
		jz	short loc_92ECBA
		push	4
		jmp	loc_89CD9D
; 

loc_92ECBA:				; CODE XREF: AslpDetermineDosPathNameType+91F60j
					; AslpDetermineDosPathNameType+91F65j
		movzx	eax, word ptr [ecx+4]
		cmp	eax, 2Eh
		jz	short loc_92ECD0
		cmp	eax, 3Fh
		jz	short loc_92ECD0
		xor	edx, edx
		inc	edx
		jmp	loc_89CD9E
; 

loc_92ECD0:				; CODE XREF: AslpDetermineDosPathNameType+91F75j
					; AslpDetermineDosPathNameType+91F7Aj
		movzx	eax, word ptr [ecx+6]
		cmp	ax, si
		jz	short loc_92ECF0
		cmp	ax, dx
		jz	short loc_92ECF0
		xor	edx, edx
		test	ax, ax
		setnz	dl
		dec	edx
		and	edx, 6
		inc	edx
		jmp	loc_89CD9E
; 

loc_92ECF0:				; CODE XREF: AslpDetermineDosPathNameType+91F8Bj
					; AslpDetermineDosPathNameType+91F90j
		push	6
		jmp	loc_89CD9D
; END OF FUNCTION CHUNK	FOR AslpDetermineDosPathNameType
; 
; START	OF FUNCTION CHUNK FOR AslPathClean

loc_92ECF7:				; CODE XREF: AslPathClean+31j
		mov	eax, 0C0000023h
		jmp	loc_89CEA6
; 

loc_92ED01:				; CODE XREF: AslPathClean+46j
		push	4
		pop	esi
		push	esi		; size_t
		push	offset ??_C@_19JHEHLFPM@?$AA?2?$AA?$DP?$AA?$DP?$AA?2@NNGAKEGL@ ; "\\??\\"
		push	ebx		; wchar_t *
		mov	[ebp+arg_0], esi
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_89CE04
		push	2		; size_t
		push	offset ??_C@_15LEKKCGMK@?$AA?2?$AA?2@NNGAKEGL@ ; wchar_t *
		push	ebx		; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_92ED3A
		push	2
		pop	esi
		jmp	loc_89CE01
; 

loc_92ED3A:				; CODE XREF: AslPathClean+91F80j
		push	5Ch
		pop	eax
		push	eax		; wchar_t
		push	ebx		; wchar_t *
		call	_wcschr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jnz	loc_89CDFC
		inc	esi
		jmp	loc_89CE01
; 

loc_92ED56:				; CODE XREF: AslPathClean+DEj
		push	2Eh
		pop	edi
		cmp	[edx+ecx*2-4], di
		mov	edi, [ebp+var_C]
		jz	loc_89CE94
		dec	ecx
		jmp	loc_89CE94
; 

loc_92ED6D:				; CODE XREF: AslPathClean+98j
		lea	edx, [eax+1]
		mov	[ebp+var_14], edx
		cmp	edx, edi
		jz	loc_89CE9A
		movzx	edx, word ptr [ebx+eax*2+2]
		push	5Ch
		pop	ebx
		cmp	dx, bx
		mov	ebx, [ebp+var_4]
		jz	short loc_92EE05
		cmp	dx, word ptr [ebp+var_10]
		jz	short loc_92EE05
		cmp	dx, word ptr [ebp+var_18]
		jnz	loc_89CE95
		lea	edx, [eax+2]
		cmp	edx, edi
		jz	short loc_92EDBB
		movzx	edx, word ptr [ebx+edx*2]
		push	5Ch
		pop	edi
		cmp	dx, di
		mov	edi, [ebp+var_C]
		jz	short loc_92EDBB
		cmp	dx, word ptr [ebp+var_10]
		jnz	loc_89CE95

loc_92EDBB:				; CODE XREF: AslPathClean+91FF0j
					; AslPathClean+91FFFj
		cmp	ecx, esi
		jb	short loc_92EE04
		mov	edx, [ebp+var_8]
		push	5Ch
		pop	ebx

loc_92EDC5:				; CODE XREF: AslPathClean+92027j
		movzx	eax, word ptr [edx+ecx*2]
		xor	edi, edi
		mov	[edx+ecx*2], di
		cmp	ax, bx
		jz	short loc_92EDD9
		dec	ecx
		cmp	ecx, esi
		jnb	short loc_92EDC5

loc_92EDD9:				; CODE XREF: AslPathClean+92022j
		mov	edi, [ebp+var_C]
		mov	ebx, [ebp+var_4]
		cmp	ecx, esi
		jb	short loc_92EE04
		push	5Ch
		pop	ebx

loc_92EDE6:				; CODE XREF: AslPathClean+92048j
		movzx	eax, word ptr [edx+ecx*2]
		xor	edi, edi
		mov	[edx+ecx*2], di
		cmp	ax, bx
		jz	short loc_92EDFA
		dec	ecx
		cmp	ecx, esi
		jnb	short loc_92EDE6

loc_92EDFA:				; CODE XREF: AslPathClean+92043j
		mov	edi, [ebp+var_C]
		mov	ebx, [ebp+var_4]
		cmp	ecx, esi
		jnb	short loc_92EE05

loc_92EE04:				; CODE XREF: AslPathClean+9200Dj
					; AslPathClean+92031j
		inc	ecx

loc_92EE05:				; CODE XREF: AslPathClean+91FD9j
					; AslPathClean+91FDFj ...
		mov	eax, [ebp+var_14]
		jmp	loc_89CE95
; END OF FUNCTION CHUNK	FOR AslPathClean
; 
; START	OF FUNCTION CHUNK FOR SdbpInitializeSearchDBContext

loc_92EE0D:				; CODE XREF: SdbpInitializeSearchDBContext+21j
		mov	ecx, [edi+1Ch]
		test	ecx, ecx
		jz	loc_89CEF5
		push	dword ptr [edi+14h] ; void *
		mov	edx, [edi+10h]
		call	_SdbpGetProcessHistory@12 ; SdbpGetProcessHistory(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_89CF69
		push	offset ??_C@_0CD@BOEHPKLM@Failed?5to?5retrieve?5process?5hist@NNGAKEGL@
		push	206h
		jmp	short loc_92EE43
; 

loc_92EE39:				; CODE XREF: SdbpInitializeSearchDBContext+6Bj
		push	(offset	loc_8C2767+5)
		push	1F7h

loc_92EE43:				; CODE XREF: SdbpInitializeSearchDBContext+91F69j
		push	offset ??_C@_0BO@POGEIBOE@SdbpInitializeSearchDBContext@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		xor	eax, eax
		jmp	loc_89CF7D
; END OF FUNCTION CHUNK	FOR SdbpInitializeSearchDBContext
; 
; START	OF FUNCTION CHUNK FOR SdbpCreateSearchPathPartsFromPath

loc_92EE59:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+1Bj
		push	offset ??_C@_0BB@HMGGCEBG@Invalid?5argument@NNGAKEGL@
		push	56Ch
		push	offset ??_C@_0CC@DNOBBHPD@SdbpCreateSearchPathPartsFromPa@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		xor	eax, eax
		jmp	loc_89D035
; 

loc_92EE79:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+3Bj
		push	3Bh
		pop	esi

loc_92EE7C:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+91F03j
		add	eax, 2
		inc	ebx
		push	esi		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_92EE7C
		mov	esi, [ebp+var_8]
		jmp	loc_89CFC9
; 

loc_92EE95:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+57j
		push	offset ??_C@_0CF@LECMDEAC@Failed?5to?5allocate?5search?5path?5@NNGAKEGL@
		push	589h
		push	offset ??_C@_0CC@DNOBBHPD@SdbpCreateSearchPathPartsFromPa@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		xor	eax, eax
		jmp	loc_89D034
; 

loc_92EEB5:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+94j
		cmp	cx, word ptr [ebp+var_4]
		jnz	short loc_92EEBE
		add	eax, 2

loc_92EEBE:				; CODE XREF: SdbpCreateSearchPathPartsFromPath+91F31j
		sub	esi, eax
		mov	[ebx-4], eax
		sar	esi, 1
		inc	esi
		mov	[ebx], esi
		add	ebx, 18h
		mov	esi, edx
		jmp	loc_89D022
; END OF FUNCTION CHUNK	FOR SdbpCreateSearchPathPartsFromPath
; 
; START	OF FUNCTION CHUNK FOR ExpWorkQueueManagerThread

loc_92EED2:				; CODE XREF: ExpWorkQueueManagerThread+65j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[esp+60h+var_4C], 0
		jmp	loc_89D0B2
; 

loc_92EEE4:				; CODE XREF: ExpWorkQueueManagerThread+25Ej
		mov	[esp+60h+var_4E], 0
		xor	esi, esi

loc_92EEEB:				; CODE XREF: ExpWorkQueueManagerThread+91F30j
		mov	edx, [ebx+4]
		mov	ecx, [ebx]
		push	esi
		call	_ExpPartitionGetQueue@12 ; ExpPartitionGetQueue(x,x,x)
		mov	edi, eax
		mov	ecx, [edi+1A4h]
		cmp	ecx, [edi+1A8h]
		jnz	short loc_92EF6E
		mov	edx, 3FFFh
		mov	ecx, edi
		call	_ExpNewThreadNecessary@8 ; ExpNewThreadNecessary(x,x)
		test	al, al
		jz	short loc_92EF6E
		mov	eax, _ExpWorkerQueueTestFlags
		test	al, 2
		jnz	loc_92EFD9
		xor	ecx, ecx
		inc	ecx
		cmp	esi, ecx
		jnz	short loc_92EF58
		cmp	[esp+60h+var_4D], 0
		jnz	short loc_92EF58
		mov	eax, [esp+60h+var_4C]
		push	3
		mov	[eax], ecx
		mov	ecx, [esp+64h+var_48]
		mov	[eax+4], edi
		push	ecx
		and	dword ptr [ecx], 0
		mov	dword ptr [ecx+8], offset _ExpIoPoolDeadlockWorker@4 ; ExpIoPoolDeadlockWorker(x)
		mov	[ecx+0Ch], eax
		call	ExQueueWorkItem
		mov	[esp+60h+var_4D], 1

loc_92EF58:				; CODE XREF: ExpWorkQueueManagerThread+91EE6j
					; ExpWorkQueueManagerThread+91EEDj
		lea	edx, [ebx+0B0h]
		mov	ecx, edi
		call	ExpCreateWorkerThread
		test	eax, eax
		jns	short loc_92EF6E
		mov	[esp+60h+var_4F], 1

loc_92EF6E:				; CODE XREF: ExpWorkQueueManagerThread+91EC2j
					; ExpWorkQueueManagerThread+91ED2j ...
		inc	esi
		cmp	esi, 1
		jle	loc_92EEEB
		jmp	loc_89D1AE
; 

loc_92EF7D:				; CODE XREF: ExpWorkQueueManagerThread+13Aj
		mov	ecx, [esp+60h+var_3C]
		push	edi
		call	_ExpPartitionCreatePoolDelayed@12 ; ExpPartitionCreatePoolDelayed(x,x,x)
		jmp	loc_89D184
; 

loc_92EF8C:				; CODE XREF: ExpWorkQueueManagerThread+144j
					; ExpWorkQueueManagerThread+256j
		mov	[esp+60h+var_4F], 1
		jmp	loc_89D1A1
; 

loc_92EF96:				; CODE XREF: ExpWorkQueueManagerThread+197j
					; ExpWorkQueueManagerThread+1A2j
		mov	al, 1
		mov	[esp+60h+var_4E], al
		jmp	loc_89D1EE
; 

loc_92EFA1:				; CODE XREF: ExpWorkQueueManagerThread+1B4j
		push	0
		push	0A0h
		push	0
		push	0FFFFFFFFh
		push	0FF676980h
		lea	eax, [ebx+18h]
		push	eax
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		jmp	loc_89D1FC
; 

loc_92EFBF:				; CODE XREF: ExpWorkQueueManagerThread+1E4j
					; ExpWorkQueueManagerThread+1F4j
		lea	edx, [esp+60h+var_1C]
		call	_KeSetAffinityThread@8 ; KeSetAffinityThread(x,x)
		jmp	loc_89D23C
; 

loc_92EFCD:				; CODE XREF: ExpWorkQueueManagerThread+22Bj
		mov	ecx, eax
		call	_KeSetMaximumCountPriQueue@8 ; KeSetMaximumCountPriQueue(x,x)
		jmp	loc_89D251
; 

loc_92EFD9:				; CODE XREF: ExpWorkQueueManagerThread+91EDBj
		push	0
		push	0
		push	2
		push	eax
		push	163h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_92EFEA:				; CODE XREF: ExpWorkQueueManagerThread+117j
		mov	esi, [esp+74h+var_60]
		test	esi, esi
		jz	short loc_92EFFA
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92EFFA:				; CODE XREF: ExpWorkQueueManagerThread+91FAEj
		mov	edi, [esp+74h+var_5C]
		test	edi, edi
		jz	short loc_92F00A
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92F00A:				; CODE XREF: ExpWorkQueueManagerThread+91FBEj
		mov	ecx, [esp+74h+var_18]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; END OF FUNCTION CHUNK	FOR ExpWorkQueueManagerThread
; 
; START	OF FUNCTION CHUNK FOR IopReleaseFilteredBootResources

loc_92F01E:				; CODE XREF: IopReleaseFilteredBootResources+49j
		xor	edi, edi
		jmp	loc_89D35A
; 

loc_92F025:				; CODE XREF: IopReleaseFilteredBootResources+CBj
		push	0
		push	dword ptr [esi]
		mov	dword ptr [esi-18h], 10h
		mov	[esi+8], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0
		jmp	loc_89D3D3
; 

loc_92F040:				; CODE XREF: IopReleaseFilteredBootResources+79j
					; IopReleaseFilteredBootResources+82j
		cmp	dword ptr [esi+8], 0C0000908h
		jz	loc_89D38A
		mov	dword ptr [esi+8], 0C0000018h
		jmp	loc_89D38A
; END OF FUNCTION CHUNK	FOR IopReleaseFilteredBootResources
; 
; START	OF FUNCTION CHUNK FOR PnpIsRangeWithin

loc_92F059:				; CODE XREF: PnpIsRangeWithin+EFj
		sub	eax, 1
		jz	loc_89D580
		jmp	loc_89D5DE
; 

loc_92F067:				; CODE XREF: PnpIsRangeWithin+E5j
		mov	ecx, [edi+4]
		mov	eax, [ebx+4]
		jmp	loc_89D549
; END OF FUNCTION CHUNK	FOR PnpIsRangeWithin
; 
; START	OF FUNCTION CHUNK FOR EtwSetInformation

loc_92F072:				; CODE XREF: EtwSetInformation+16j
		sub	eax, 1
		jz	short loc_92F081
		mov	eax, 0C0000010h
		jmp	loc_8722C8
; 

loc_92F081:				; CODE XREF: EtwSetInformation+BCDE7j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	loc_8722D5
		cmp	[ebp+arg_10], 1
		jnz	loc_8722D5
		mov	dl, [eax]
		call	_EtwpUseDescriptorTypeKm@8 ; EtwpUseDescriptorTypeKm(x,x)
		jmp	loc_8722C8
; END OF FUNCTION CHUNK	FOR EtwSetInformation
; 
; START	OF FUNCTION CHUNK FOR PdcPortOpenCommon

loc_92F0A2:				; CODE XREF: PdcPortOpenCommon+42j
					; PdcPortOpenCommon+C1j
		mov	edi, 0C0000017h
		jmp	loc_89D7C4
; END OF FUNCTION CHUNK	FOR PdcPortOpenCommon
; 
; START	OF FUNCTION CHUNK FOR LocalpConvertStringSidToSid

loc_92F0AC:				; CODE XREF: LocalpConvertStringSidToSid+6Fj
		cmp	eax, 73h
		jz	loc_89D847

loc_92F0B5:				; CODE XREF: LocalpConvertStringSidToSid+7Cj
					; LocalpConvertStringSidToSid+B9j ...
		mov	eax, 0C0000078h
		jmp	loc_89DC00
; 

loc_92F0BF:				; CODE XREF: LocalpConvertStringSidToSid+97j
		movzx	eax, word ptr [esi+2]
		cmp	ax, cx
		jz	short loc_92F0D1
		cmp	ax, dx
		jnz	loc_89D86F

loc_92F0D1:				; CODE XREF: LocalpConvertStringSidToSid+918F4j
		push	10h
		pop	ebx
		mov	[ebp+var_22C], ebx
		jmp	loc_89D86F
; 

loc_92F0DF:				; CODE XREF: LocalpConvertStringSidToSid+106j
		movzx	eax, word ptr [esi+2]
		push	78h
		pop	ecx
		cmp	ax, cx
		jz	short loc_92F0F7
		push	58h
		pop	ecx
		cmp	ax, cx
		jnz	loc_89D8DE

loc_92F0F7:				; CODE XREF: LocalpConvertStringSidToSid+91917j
		push	10h
		pop	eax
		jmp	loc_89D8E0
; 

loc_92F0FF:				; CODE XREF: LocalpConvertStringSidToSid+266j
		cmp	ax, word ptr [ebp+var_240]
		jz	short loc_92F11E
		cmp	ax, word ptr [ebp+var_244]
		jz	short loc_92F11E
		cmp	ax, word ptr [ebp+var_248]
		jnz	loc_89DA3E

loc_92F11E:				; CODE XREF: LocalpConvertStringSidToSid+91934j
					; LocalpConvertStringSidToSid+9193Dj
		push	2Dh
		pop	edx
		jmp	loc_89DAAA
; 

loc_92F126:				; CODE XREF: LocalpConvertStringSidToSid+273j
					; LocalpConvertStringSidToSid+27Cj
		cmp	eax, 61h
		jb	short loc_92F134
		cmp	eax, 66h
		jbe	loc_89DA54

loc_92F134:				; CODE XREF: LocalpConvertStringSidToSid+91957j
		cmp	eax, 41h
		jb	short loc_92F142
		cmp	eax, 46h
		jbe	loc_89DA54

loc_92F142:				; CODE XREF: LocalpConvertStringSidToSid+91965j
		mov	edi, 0C0000078h
		jmp	loc_92F253
; 

loc_92F14C:				; CODE XREF: LocalpConvertStringSidToSid+289j
		push	3Ah
		pop	eax
		cmp	dx, ax
		jnz	loc_89DA61
		mov	eax, esi
		mov	[ebp+var_228], ebx
		sub	eax, ebx
		sar	eax, 1
		lea	ecx, [eax+eax]
		mov	[ebp+var_20C], ecx
		cmp	eax, 100h
		jge	short loc_92F17C
		lea	ebx, [ebp+var_204]
		jmp	short loc_92F1A1
; 

loc_92F17C:				; CODE XREF: LocalpConvertStringSidToSid+919A0j
		push	ecx
		add	ecx, 2
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[ebp+var_230], eax
		test	eax, eax
		jnz	short loc_92F199
		mov	edi, 0C0000017h
		jmp	loc_89DBFE
; 

loc_92F199:				; CODE XREF: LocalpConvertStringSidToSid+919BBj
		mov	ecx, [ebp+var_20C]
		mov	ebx, eax

loc_92F1A1:				; CODE XREF: LocalpConvertStringSidToSid+919A8j
		push	ecx		; size_t
		push	[ebp+var_228]	; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [ebp+var_20C]
		xor	ecx, ecx
		add	esp, 0Ch
		mov	[eax+ebx], cx
		mov	eax, [ebp+var_220]
		mov	cl, [ebp+var_205]
		inc	cl
		mov	[ebp+var_205], cl
		mov	[eax], esi
		jmp	loc_89DACC
; 

loc_92F1D8:				; CODE XREF: LocalpConvertStringSidToSid+2DCj
		mov	edi, 0C0000078h
		add	esi, 0FFFFFFFEh
		jmp	loc_89DABC
; 

loc_92F1E5:				; CODE XREF: LocalpConvertStringSidToSid+330j
		mov	edi, 0C0000017h
		jmp	loc_89DC38
; 

loc_92F1EF:				; CODE XREF: LocalpConvertStringSidToSid+39Ej
		push	3Ah
		pop	ecx
		cmp	[ebx+2], cx
		jnz	short loc_92F228
		push	4Fh
		pop	ecx
		cmp	ax, cx
		jz	loc_89DB76
		push	47h
		pop	ecx
		cmp	ax, cx
		jz	loc_89DB76
		push	44h
		pop	ecx
		cmp	ax, cx
		jz	loc_89DB76
		push	53h
		pop	ecx
		cmp	ax, cx
		jz	loc_89DB76

loc_92F228:				; CODE XREF: LocalpConvertStringSidToSid+91A24j
		mov	edi, 0C0000078h
		jmp	loc_89DBE1
; 

loc_92F232:				; CODE XREF: LocalpConvertStringSidToSid+2FCj
					; LocalpConvertStringSidToSid+30Bj
		mov	edi, 0C0000078h
		test	edi, edi

loc_92F239:				; CODE XREF: LocalpConvertStringSidToSid+2F4j
		js	loc_89DC38
		jmp	loc_89DB82
; 

loc_92F244:				; CODE XREF: LocalpConvertStringSidToSid+3D2j
		mov	edi, 0C0000017h
		jmp	loc_89DBE1
; 

loc_92F24E:				; CODE XREF: LocalpConvertStringSidToSid+215j
		mov	edi, 0C0000095h

loc_92F253:				; CODE XREF: LocalpConvertStringSidToSid+91975j
		mov	eax, [ebp+var_220]
		mov	[eax], esi
		jmp	loc_89DBFE
; 

loc_92F260:				; CODE XREF: LocalpConvertStringSidToSid+4Aj
					; LocalpConvertStringSidToSid+52j ...
		mov	eax, 0C000000Dh
		jmp	loc_89DC00
; END OF FUNCTION CHUNK	FOR LocalpConvertStringSidToSid
; 
; START	OF FUNCTION CHUNK FOR MmFreeMappingAddress

loc_92F26A:				; CODE XREF: MmFreeMappingAddress+1Ej
		push	0
		push	edi
		push	[ebp+arg_0]
		push	102h
		jmp	short loc_92F281
; 

loc_92F277:				; CODE XREF: MmFreeMappingAddress+F2j
		push	ebx
		push	edi
		push	[ebp+arg_0]
		push	109h

loc_92F281:				; CODE XREF: MmFreeMappingAddress+9162Bj
					; MmFreeMappingAddress+91653j
		push	0DAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_92F28B:				; CODE XREF: MmFreeMappingAddress+61j
		mov	eax, [ebp+arg_4]
		jmp	loc_89DCC2
; 

loc_92F293:				; CODE XREF: MmFreeMappingAddress+7Aj
		push	ebx
		push	edi
		push	[ebp+arg_0]
		push	103h
		jmp	short loc_92F281
; 

loc_92F29F:				; CODE XREF: MmFreeMappingAddress+95j
		push	ebx
		xor	ecx, ecx
		call	_MiRemovePteTracker@12 ; MiRemovePteTracker(x,x,x)
		jmp	loc_89DCE5
; END OF FUNCTION CHUNK	FOR MmFreeMappingAddress
; 
; START	OF FUNCTION CHUNK FOR MmAllocateMappingAddressEx

loc_92F2AC:				; CODE XREF: MmAllocateMappingAddressEx+37j
		push	dword ptr [ebp+4]
		push	ebx
		push	0
		push	100h
		push	0DAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_92F2C1:				; CODE XREF: MmAllocateMappingAddressEx+6Dj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_89DE39
; 

loc_92F2CE:				; CODE XREF: MmAllocateMappingAddressEx+B2j
		xor	ecx, ecx
		shl	esi, 0Ch
		push	1
		push	ecx
		push	2
		mov	[esp+44h+var_24], ecx
		mov	[esp+44h+var_20], ecx
		mov	[esp+44h+var_10], ecx
		mov	[esp+44h+var_C], ecx
		mov	[esp+44h+var_8], ecx
		lea	ecx, [esp+44h+var_24]
		pop	edx
		mov	[esp+40h+var_18], eax
		mov	[esp+40h+var_14], ebx
		mov	[esp+40h+var_1C], esi
		call	_MiInsertPteTracker@16 ; MiInsertPteTracker(x,x,x,x)
		jmp	loc_89DE1A
; END OF FUNCTION CHUNK	FOR MmAllocateMappingAddressEx
; 
; START	OF FUNCTION CHUNK FOR PipChangeDeviceObjectFromRegistryProperties

loc_92F307:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+38j
		xor	esi, esi
		jmp	loc_89DE7F
; 

loc_92F30E:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+2A3j
		mov	edi, 0C0000001h
		jmp	loc_89E06E
; 

loc_92F318:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+12Dj
		xor	esi, esi
		inc	esi
		mov	[ebp+var_24], esi
		jmp	loc_89DF71
; 

loc_92F323:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+151j
		mov	esi, [ebp+var_24]
		or	esi, 2
		mov	[ebp+var_24], esi
		jmp	loc_89DF95
; 

loc_92F331:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+179j
		mov	esi, [ebp+var_24]
		or	esi, 8
		mov	[ebp+var_24], esi
		jmp	loc_89DFBD
; 

loc_92F33F:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+1CBj
		cmp	[ebp+var_44], 0
		jz	loc_89E00F
		or	dword ptr [ebx+1Ch], 8
		jmp	loc_89E00F
; 

loc_92F352:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+20Cj
		mov	eax, [ebx+0B0h]
		mov	eax, [eax+14h]
		or	dword ptr [eax+10Ch], 0C00000h
		jmp	loc_89E050
; 

loc_92F36A:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+121j
					; PipChangeDeviceObjectFromRegistryProperties+147j ...
		mov	dl, byte ptr [ebp+var_1A+1]
		jmp	loc_89E05B
; 

loc_92F372:				; CODE XREF: PipChangeDeviceObjectFromRegistryProperties+235j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_89E079
; END OF FUNCTION CHUNK	FOR PipChangeDeviceObjectFromRegistryProperties
; 
; START	OF FUNCTION CHUNK FOR EtwpAllocateFilter

loc_92F37F:				; CODE XREF: EtwpAllocateFilter+13j
		mov	edx, [ebp+arg_0]
		jmp	short loc_92F38A
; 

loc_92F384:				; CODE XREF: EtwpAllocateFilter+37j
		mov	edx, [ebp+arg_0]
		lea	edx, [edx+0Ch]

loc_92F38A:				; CODE XREF: EtwpAllocateFilter+90E9Cj
					; EtwpAllocateFilter+90EB6j ...
		mov	ecx, edi
		call	_EtwpAllocateStringFilterData@8	; EtwpAllocateStringFilterData(x,x)
		jmp	loc_89E590
; 

loc_92F396:				; CODE XREF: EtwpAllocateFilter+1Fj
		mov	edx, [ebp+arg_0]
		lea	edx, [edx+4]
		jmp	short loc_92F38A
; 

loc_92F39E:				; CODE XREF: EtwpAllocateFilter+2Bj
		mov	edx, [ebp+arg_0]
		lea	edx, [edx+8]
		jmp	short loc_92F38A
; 

loc_92F3A6:				; CODE XREF: EtwpAllocateFilter+43j
		mov	ebx, [edi]
		mov	edi, [edi+8]
		lea	eax, [edi-6]
		cmp	eax, 3FAh
		ja	loc_89E59C
		movzx	ecx, word ptr [ebx+2]
		mov	edx, ecx
		lea	eax, ds:4[edx*2]
		cmp	edi, eax
		jnz	loc_89E59C
		test	cx, cx
		jz	loc_89E59C
		cmp	ecx, 40h
		ja	loc_89E59C
		test	edx, edx
		jz	short loc_92F3FD
		lea	eax, [ebx+4]
		mov	edi, 0FFFFh

loc_92F3EC:				; CODE XREF: EtwpAllocateFilter+90F15j
		cmp	[eax], di
		jz	loc_89E59C
		inc	esi
		add	eax, 2
		cmp	esi, edx
		jb	short loc_92F3EC

loc_92F3FD:				; CODE XREF: EtwpAllocateFilter+90EFCj
		mov	eax, [ebp+arg_0]
		add	eax, 14h
		jmp	loc_89E584
; 

loc_92F408:				; CODE XREF: EtwpAllocateFilter+4Fj
		cmp	ecx, 80000400h
		jnz	short loc_92F42A
		mov	edx, [ebp+arg_0]
		lea	edx, [edx+18h]
		jmp	short loc_92F41E
; 

loc_92F418:				; CODE XREF: EtwpAllocateFilter+90F4Aj
		mov	edx, [ebp+arg_0]
		lea	edx, [edx+1Ch]

loc_92F41E:				; CODE XREF: EtwpAllocateFilter+90F30j
		mov	ecx, edi
		call	_EtwpAllocateEventNameFilter@8 ; EtwpAllocateEventNameFilter(x,x)
		jmp	loc_89E590
; 

loc_92F42A:				; CODE XREF: EtwpAllocateFilter+90F28j
		cmp	ecx, 80002000h
		jz	short loc_92F418
		cmp	ecx, 80000100h
		jnz	loc_89E592
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_92F44F
		mov	eax, 0C000000Dh
		jmp	loc_89E594
; 

loc_92F44F:				; CODE XREF: EtwpAllocateFilter+90F5Dj
		mov	eax, [ebp+arg_0]
		add	eax, 24h
		push	eax
		call	_EtwpAllocatePayloadFilterData@12 ; EtwpAllocatePayloadFilterData(x,x,x)
		jmp	loc_89E590
; END OF FUNCTION CHUNK	FOR EtwpAllocateFilter
; 
; START	OF FUNCTION CHUNK FOR EtwpCreatePerfectHashFunction

loc_92F460:				; CODE XREF: EtwpCreatePerfectHashFunction+68j
					; EtwpCreatePerfectHashFunction+C7j
		mov	eax, 0C0000001h
		jmp	loc_89E712
; END OF FUNCTION CHUNK	FOR EtwpCreatePerfectHashFunction
; 
; START	OF FUNCTION CHUNK FOR EtwpFillPerfectHashTable

loc_92F46A:				; CODE XREF: EtwpFillPerfectHashTable+76j
		mov	eax, [ebp+arg_8]
		movzx	ecx, dx
		cmp	[esi+ecx*4+2], ax
		jz	loc_89E816
		movzx	eax, byte ptr [esi+ecx*4]
		inc	ebx
		cmp	ax, word ptr [ebp+var_C]
		jnz	short loc_92F48D
		movzx	eax, di
		inc	edi
		mov	[esi+ecx*4], al

loc_92F48D:				; CODE XREF: EtwpFillPerfectHashTable+90CEAj
		mov	ecx, [ebp+arg_C]
		movzx	edx, ax
		cmp	bx, [ecx]
		jbe	short loc_92F49B
		mov	[ecx], bx

loc_92F49B:				; CODE XREF: EtwpFillPerfectHashTable+90CFCj
		movzx	eax, ax
		jmp	loc_89E806
; 

loc_92F4A3:				; CODE XREF: EtwpFillPerfectHashTable+B3j
		cmp	dx, word ptr [ebp+arg_4]
		jnb	loc_89E853
		cmp	byte ptr [esi+ebx*4], 0FFh
		jnz	short loc_92F525
		mov	ecx, [ebp+arg_4]
		mov	ebx, 0FFFFh

loc_92F4BB:				; CODE XREF: EtwpFillPerfectHashTable+90D2Fj
		movzx	eax, dx
		cmp	[esi+eax*4+2], bx
		jz	short loc_92F4CB
		inc	edx
		cmp	dx, cx
		jb	short loc_92F4BB

loc_92F4CB:				; CODE XREF: EtwpFillPerfectHashTable+90D29j
		mov	ebx, [ebp+arg_8]
		cmp	dx, cx
		jnb	loc_89E853
		mov	ax, [esi+ebx*4+2]
		movzx	ecx, dx
		mov	[esi+ecx*4+2], ax
		xor	eax, eax
		xor	ecx, ecx
		cmp	ax, di
		jnb	short loc_92F50B

loc_92F4ED:				; CODE XREF: EtwpFillPerfectHashTable+90D67j
		movzx	eax, cx
		mov	[ebp+arg_8], eax
		movzx	eax, byte ptr [esi+eax*4]
		cmp	ax, word ptr [ebp+arg_0]
		jz	short loc_92F505
		inc	ecx
		cmp	cx, di
		jb	short loc_92F4ED
		jmp	short loc_92F50B
; 

loc_92F505:				; CODE XREF: EtwpFillPerfectHashTable+90D61j
		mov	eax, [ebp+arg_8]
		mov	[esi+eax*4], dl

loc_92F50B:				; CODE XREF: EtwpFillPerfectHashTable+90D51j
					; EtwpFillPerfectHashTable+90D69j
		movzx	eax, di
		mov	ecx, 0FFFFh
		dec	eax
		mov	[esi+ebx*4+2], cx
		cmp	ebx, eax
		mov	eax, [ebp+arg_C]
		jnz	short loc_92F522
		add	edi, ecx

loc_92F522:				; CODE XREF: EtwpFillPerfectHashTable+90D84j
		mov	ecx, [ebp+arg_0]

loc_92F525:				; CODE XREF: EtwpFillPerfectHashTable+90D17j
		mov	ebx, 0FFFFh
		add	ecx, ebx
		inc	edx
		jmp	loc_89E842
; 

loc_92F532:				; CODE XREF: EtwpFillPerfectHashTable+CBj
					; EtwpFillPerfectHashTable+90E1Aj
		cmp	cx, dx
		jnb	loc_89E86B
		mov	ebx, 0FFFFh

loc_92F540:				; CODE XREF: EtwpFillPerfectHashTable+90DB4j
		movzx	eax, cx
		cmp	[esi+eax*4+2], bx
		jz	short loc_92F550
		inc	ecx
		cmp	cx, dx
		jb	short loc_92F540

loc_92F550:				; CODE XREF: EtwpFillPerfectHashTable+90DAEj
		mov	ebx, [ebp+arg_0]
		cmp	cx, dx
		jnb	loc_89E86B
		movzx	eax, cx
		mov	[ebp+arg_4], eax
		mov	ax, [esi+ebx*4+2]
		mov	ebx, [ebp+arg_4]
		mov	[esi+ebx*4+2], ax
		xor	eax, eax
		xor	ebx, ebx
		cmp	ax, di
		jnb	short loc_92F595

loc_92F578:				; CODE XREF: EtwpFillPerfectHashTable+90DF1j
		movzx	eax, bx
		mov	[ebp+arg_8], eax
		movzx	eax, byte ptr [esi+eax*4]
		cmp	ax, dx
		jz	short loc_92F58F
		inc	ebx
		cmp	bx, di
		jb	short loc_92F578
		jmp	short loc_92F595
; 

loc_92F58F:				; CODE XREF: EtwpFillPerfectHashTable+90DEBj
		mov	eax, [ebp+arg_8]
		mov	[esi+eax*4], cl

loc_92F595:				; CODE XREF: EtwpFillPerfectHashTable+90DDCj
					; EtwpFillPerfectHashTable+90DF3j
		mov	eax, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		mov	al, [esi+eax*4]
		mov	[esi+ebx*4], al
		mov	eax, 0FFFFh
		add	edx, eax
		add	edi, eax
		movzx	ebx, dx
		inc	ecx
		mov	[ebp+arg_0], ebx
		cmp	ebx, [ebp+arg_C]
		ja	loc_92F532
		jmp	loc_89E86B
; END OF FUNCTION CHUNK	FOR EtwpFillPerfectHashTable
; 
; START	OF FUNCTION CHUNK FOR _CmSetDeviceRegPropWorker

loc_92F5BF:				; CODE XREF: _CmSetDeviceRegPropWorker+1Cj
					; _CmSetDeviceRegPropWorker+35j ...
		mov	esi, 0C000000Dh
		jmp	loc_89E980
; 

loc_92F5C9:				; CODE XREF: _CmSetDeviceRegPropWorker+27j
		and	dword ptr [ebp+arg_14],	esi
		jmp	loc_89E8B1
; 

loc_92F5D1:				; CODE XREF: _CmSetDeviceRegPropWorker+6Aj
		mov	esi, 0C0000022h
		jmp	loc_89E980
; 

loc_92F5DB:				; CODE XREF: _CmSetDeviceRegPropWorker+79j
		mov	esi, 0C0000230h
		jmp	loc_89E980
; 

loc_92F5E5:				; CODE XREF: _CmSetDeviceRegPropWorker+9Dj
		test	ebx, ebx
		jz	loc_89E919
		push	0
		push	ebx
		push	dword ptr [ebp+arg_14]
		call	_RtlValidRelativeSecurityDescriptor@12 ; RtlValidRelativeSecurityDescriptor(x,x,x)
		test	al, al
		jz	short loc_92F60C
		push	dword ptr [ebp+arg_14]
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		cmp	eax, ebx
		jz	loc_89E919

loc_92F60C:				; CODE XREF: _CmSetDeviceRegPropWorker+90D84j
		mov	esi, 0C000000Dh
		jmp	loc_89E976
; 

loc_92F616:				; CODE XREF: _CmSetDeviceRegPropWorker+94j
		test	ebx, ebx
		jz	loc_89E919
		mov	eax, dword ptr [ebp+arg_14]
		test	eax, eax
		jz	short loc_92F5BF
		cmp	ebx, 4
		jnz	short loc_92F5BF
		cmp	[eax], esi
		jz	loc_89E919
		mov	ecx, [ebp+var_8]
		call	__CmIsRootDevice@4 ; _CmIsRootDevice(x)
		test	al, al
		jz	loc_89E919
		mov	esi, 0C0000010h
		jmp	loc_89E980
; 

loc_92F64C:				; CODE XREF: _CmSetDeviceRegPropWorker+8Bj
		cmp	ebx, 40h
		ja	loc_92F5BF
		jmp	loc_89E919
; 

loc_92F65A:				; CODE XREF: _CmSetDeviceRegPropWorker+A8j
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		push	0
		push	eax
		push	0
		push	2000002h
		push	0
		push	10h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_89E976
		jmp	loc_89E924
; 

loc_92F685:				; CODE XREF: _CmSetDeviceRegPropWorker+C4j
		test	ebx, ebx
		jz	short loc_92F68E
		mov	[ebp+arg_10], ebx
		jmp	short loc_92F694
; 

loc_92F68E:				; CODE XREF: _CmSetDeviceRegPropWorker+90E11j
		mov	eax, [ebp+var_4]
		mov	[ebp+arg_10], eax

loc_92F694:				; CODE XREF: _CmSetDeviceRegPropWorker+90E16j
		and	[ebp+var_14], 0
		lea	eax, [ebp+var_14]
		and	[ebp+var_10], 0
		push	edx
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_92F6BA
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+arg_10]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		mov	esi, eax

loc_92F6BA:				; CODE XREF: _CmSetDeviceRegPropWorker+90E34j
		cmp	esi, 0C0000034h
		jz	short loc_92F6CE
		cmp	esi, 0C000017Ch
		jnz	loc_89E95F

loc_92F6CE:				; CODE XREF: _CmSetDeviceRegPropWorker+90E4Aj
		mov	esi, 0C0000225h
		jmp	loc_89E95F
; 

loc_92F6D8:				; CODE XREF: _CmSetDeviceRegPropWorker+104j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_89E980
; END OF FUNCTION CHUNK	FOR _CmSetDeviceRegPropWorker
; 
; START	OF FUNCTION CHUNK FOR _CmRaisePropertyChangeEvent

loc_92F6E5:				; CODE XREF: _CmRaisePropertyChangeEvent+3Ej
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_4], ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	4
		push	[ebp+arg_0]
		mov	[ebp+var_8], ebx
		push	edi
		push	esi
		call	eax
		jmp	loc_89EA18
; END OF FUNCTION CHUNK	FOR _CmRaisePropertyChangeEvent
; 
; START	OF FUNCTION CHUNK FOR _CmMapRegPropToPropertyKey

loc_92F700:				; CODE XREF: _CmMapRegPropToPropertyKey+Bj
		sub	ecx, 1
		jnz	loc_89EA54
		mov	ecx, offset __CmClassRegPropMap
		push	9
		jmp	loc_89EA38
; END OF FUNCTION CHUNK	FOR _CmMapRegPropToPropertyKey
; 
; START	OF FUNCTION CHUNK FOR AdtpGetCategoryAndSubCategoryId

loc_92F715:				; CODE XREF: AdtpGetCategoryAndSubCategoryId+19j
		test	esi, esi
		jz	loc_89EE2F
		jmp	loc_89EDF9
; END OF FUNCTION CHUNK	FOR AdtpGetCategoryAndSubCategoryId
; 
; START	OF FUNCTION CHUNK FOR AdtpEtwBuildString

loc_92F722:				; CODE XREF: AdtpEtwBuildString+50j
		push	6B416553h
		lea	eax, [edi+edi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_92F742
		mov	eax, 0C0000017h
		jmp	loc_89EECD
; 

loc_92F742:				; CODE XREF: AdtpEtwBuildString+90900j
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	1
		movzx	eax, word ptr [ebx]
		jmp	loc_89EE9D
; END OF FUNCTION CHUNK	FOR AdtpEtwBuildString
; 
; START	OF FUNCTION CHUNK FOR AdtpBuildMessageString

loc_92F750:				; CODE XREF: AdtpBuildMessageString+23j
		push	6B416553h
		push	1Ah
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_92F76E
		mov	eax, 0C0000017h
		jmp	loc_89F055
; 

loc_92F76E:				; CODE XREF: AdtpBuildMessageString+9078Cj
		xor	eax, eax
		inc	eax
		jmp	loc_89F009
; 

loc_92F776:				; CODE XREF: AdtpBuildMessageString+4Dj
		cmp	byte ptr [edi],	1
		jnz	loc_89F05C
		xor	ebx, ebx
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[edi], bl
		jmp	loc_89F05C
; END OF FUNCTION CHUNK	FOR AdtpBuildMessageString
; 
; START	OF FUNCTION CHUNK FOR AdtpBuildLogonIdStrings

loc_92F78F:				; CODE XREF: AdtpBuildLogonIdStrings+25j
		mov	eax, [ebp+var_8]
		cmp	dword ptr [eax], 3E7h
		jnz	short loc_92F7BE
		cmp	[eax+4], ebx
		jnz	short loc_92F7BE
		mov	edi, offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@
		push	edi
		push	[ebp+arg_4]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+arg_8]
		mov	[eax], bl
		mov	eax, [ebp+arg_10]
		jmp	short loc_92F7FB
; 

loc_92F7BE:				; CODE XREF: AdtpBuildLogonIdStrings+90734j
					; AdtpBuildLogonIdStrings+90739j
		cmp	edi, 0C000005Fh
		jnz	loc_89F0B7
		mov	esi, offset ??_C@_13IMODFHAA@?$AA?9@NNGAKEGL@
		push	esi
		push	[ebp+arg_4]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		push	[ebp+arg_C]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+arg_8]
		mov	[eax], bl
		mov	eax, [ebp+arg_10]
		mov	[eax], bl
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_92F7FD
		mov	dword ptr [eax], offset	_AdtpNullSid
		mov	eax, [ebp+arg_0]

loc_92F7FB:				; CODE XREF: AdtpBuildLogonIdStrings+90758j
		mov	[eax], bl

loc_92F7FD:				; CODE XREF: AdtpBuildLogonIdStrings+9078Cj
		mov	edi, ebx
		jmp	loc_89F0B7
; END OF FUNCTION CHUNK	FOR AdtpBuildLogonIdStrings
; 
; START	OF FUNCTION CHUNK FOR SepGetLogonSessionAccountInfo

loc_92F804:				; CODE XREF: SepGetLogonSessionAccountInfo+57j
					; SepGetLogonSessionAccountInfo+63j
		mov	esi, [esi]
		test	esi, esi
		jnz	loc_89F130

loc_92F80E:				; CODE XREF: SepGetLogonSessionAccountInfo+4Cj
		mov	edi, 0C000005Fh
		jmp	loc_89F1CA
; 

loc_92F818:				; CODE XREF: SepGetLogonSessionAccountInfo+90j
		movzx	eax, word ptr [esi+26h]
		push	6B416553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	[ecx+4], eax
		test	eax, eax
		jz	short loc_92F857
		jmp	loc_89F172
; 

loc_92F838:				; CODE XREF: SepGetLogonSessionAccountInfo+99j
		movzx	eax, word ptr [esi+2Eh]
		push	6B416553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx+4], eax
		test	eax, eax
		jnz	loc_89F17B

loc_92F857:				; CODE XREF: SepGetLogonSessionAccountInfo+90755j
		mov	edi, 0C000009Ah
		jmp	loc_89F17B
; 

loc_92F861:				; CODE XREF: SepGetLogonSessionAccountInfo+10Fj
		mov	eax, [eax+94h]
		push	69536553h
		mov	eax, [eax]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:8[eax*4]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_89F18E
		mov	edi, 0C000009Ah
		jmp	loc_89F18E
; 

loc_92F895:				; CODE XREF: SepGetLogonSessionAccountInfo+A7j
					; SepGetLogonSessionAccountInfo+B4j
		mov	eax, [ebp+var_4]
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_92F8A7
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92F8A7:				; CODE XREF: SepGetLogonSessionAccountInfo+907C1j
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_92F8B9
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_92F8B9:				; CODE XREF: SepGetLogonSessionAccountInfo+907D3j
		test	ebx, ebx
		jz	loc_89F1CA
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_89F1CA
; 

loc_92F8CE:				; CODE XREF: SepGetLogonSessionAccountInfo+E8j
		mov	eax, [ebp+var_8]
		mov	eax, [eax+94h]
		mov	ecx, [eax]
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	[eax], ebx
		jmp	loc_89F1CA
; END OF FUNCTION CHUNK	FOR SepGetLogonSessionAccountInfo
; 
; START	OF FUNCTION CHUNK FOR IopGetRootDevices

loc_92F8F9:				; CODE XREF: IopGetRootDevices+8Bj
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_89F281
; 

loc_92F905:				; CODE XREF: IopGetRootDevices+140j
		push	[esp+38h+var_2C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_89F36C
; 

loc_92F913:				; CODE XREF: IopGetRootDevices+1B0j
		mov	esi, 0C000009Ah

loc_92F918:				; CODE XREF: IopGetRootDevices+1DAj
		and	[esp+38h+var_20], 0
		test	edi, edi
		jz	loc_89F3D0
		mov	ebx, [esp+38h+var_20]

loc_92F929:				; CODE XREF: IopGetRootDevices+90748j
		mov	ecx, [esp+38h+var_4]
		mov	ecx, [ecx+ebx*4]
		call	ObfDereferenceObject
		inc	ebx
		cmp	ebx, edi
		jb	short loc_92F929
		mov	ebx, [esp+38h+var_1C]
		jmp	loc_89F3D0
; 

loc_92F943:				; CODE XREF: IopGetRootDevices+115j
					; IopGetRootDevices+151j ...
		mov	edi, [esp+38h+var_8]
		test	edi, edi
		jnz	loc_89F3C8

loc_92F94F:				; CODE XREF: IopGetRootDevices+18Ej
		mov	esi, 0C0000001h
		jmp	loc_89F3C8
; 

loc_92F959:				; CODE XREF: IopGetRootDevices+ACj
		mov	esi, 0C000009Ah
		jmp	loc_89F3D0
; 

loc_92F963:				; CODE XREF: IopGetRootDevices+45j
		mov	eax, 0C000009Ah
		jmp	loc_89F3FF
; END OF FUNCTION CHUNK	FOR IopGetRootDevices
; 
; START	OF FUNCTION CHUNK FOR IopInitializeDeviceInstanceKey

loc_92F96D:				; CODE XREF: IopInitializeDeviceInstanceKey+30j
		mov	ecx, [ebp+var_4]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_92F984
		cmp	dword ptr [ecx+0Ch], 4
		jb	short loc_92F984
		mov	eax, [ecx+8]
		mov	esi, [ecx+eax]
		jmp	short loc_92F986
; 

loc_92F984:				; CODE XREF: IopInitializeDeviceInstanceKey+9056Ej
					; IopInitializeDeviceInstanceKey+90574j
		mov	esi, ebx

loc_92F986:				; CODE XREF: IopInitializeDeviceInstanceKey+9057Cj
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	loc_89F43C
		jmp	loc_89F47C
; 

loc_92F99A:				; CODE XREF: IopInitializeDeviceInstanceKey+3Fj
		push	64647050h
		lea	esi, ds:400h[esi*4]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_92F9DF
		mov	eax, [ebx+8]
		shl	eax, 2
		push	eax		; size_t
		push	dword ptr [ebx+0Ch] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	dword ptr [ebx+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		shr	esi, 2
		mov	[ebx+0Ch], edi
		mov	[ebx+4], esi
		jmp	loc_89F44B
; 

loc_92F9DF:				; CODE XREF: IopInitializeDeviceInstanceKey+905ACj
		mov	dword ptr [ebx], 0C000009Ah
		jmp	loc_92FB0A
; 

loc_92F9EA:				; CODE XREF: IopInitializeDeviceInstanceKey+64j
		mov	ecx, edx
		call	ObfDereferenceObject
		jmp	loc_89F47C
; 

loc_92F9F6:				; CODE XREF: IopInitializeDeviceInstanceKey+14Dj
					; IopInitializeDeviceInstanceKey+157j
		xor	eax, eax
		mov	[ebp+var_8], eax
		jmp	loc_89F566
; 

loc_92FA00:				; CODE XREF: IopInitializeDeviceInstanceKey+162j
		push	0
		push	12h
		jmp	short loc_92FA13
; 

loc_92FA06:				; CODE XREF: IopInitializeDeviceInstanceKey+175j
		mov	ecx, [edi+18h]
		mov	edx, esi
		call	_PiDevCfgGetFailedInstallProblemStatus@8 ; PiDevCfgGetFailedInstallProblemStatus(x,x)
		push	eax
		push	1Ch

loc_92FA13:				; CODE XREF: IopInitializeDeviceInstanceKey+905FEj
					; IopInitializeDeviceInstanceKey+90614j
		pop	edx
		jmp	short loc_92FA2D
; 

loc_92FA16:				; CODE XREF: IopInitializeDeviceInstanceKey+16Dj
		push	0
		push	10h
		jmp	short loc_92FA13
; 

loc_92FA1C:				; CODE XREF: IopInitializeDeviceInstanceKey+143j
		mov	ecx, 0C0000225h
		cmp	eax, ecx
		jnz	loc_89F581
		xor	edx, edx
		push	ecx
		inc	edx

loc_92FA2D:				; CODE XREF: IopInitializeDeviceInstanceKey+9060Ej
		mov	ecx, edi
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_89F581
; 

loc_92FA39:				; CODE XREF: IopInitializeDeviceInstanceKey+1A6j
		test	dword ptr [edi+10Ch], 2000h
		jz	short loc_92FA52
		cmp	dword ptr [edi+114h], 1
		jz	loc_89F5B2

loc_92FA52:				; CODE XREF: IopInitializeDeviceInstanceKey+9063Dj
		mov	ecx, edi
		call	PipClearDevNodeProblem
		push	0
		push	1Dh
		pop	edx
		mov	ecx, edi
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_89F5B2
; 

loc_92FA6A:				; CODE XREF: IopInitializeDeviceInstanceKey+1FEj
		push	[ebp+var_24]
		call	_PpDevCfgProcessDevice@12 ; PpDevCfgProcessDevice(x,x,x)
		jmp	loc_89F60F
; 

loc_92FA77:				; CODE XREF: IopInitializeDeviceInstanceKey+214j
		cmp	dword ptr [edi+114h], 16h
		jz	loc_89F63C
		jmp	loc_89F620
; 

loc_92FA89:				; CODE XREF: IopInitializeDeviceInstanceKey+21Cj
		cmp	dword ptr [edi+114h], 1Dh
		jz	loc_89F63C
		jmp	loc_89F628
; 

loc_92FA9B:				; CODE XREF: IopInitializeDeviceInstanceKey+230j
		mov	ecx, edi
		call	PipClearDevNodeProblem
		push	0
		push	16h
		pop	edx
		mov	ecx, edi
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_89F63C
; 

loc_92FAB3:				; CODE XREF: IopInitializeDeviceInstanceKey+26Dj
		cmp	[ebp+arg_0], 0
		jz	loc_89F679
		push	[ebp+arg_0]
		push	dword ptr [edi+10h]
		push	4
		call	_IopAllocateBootResourcesRoutine
		test	eax, eax
		js	short loc_92FAD9
		push	40h
		pop	edx
		mov	ecx, edi
		call	PipSetDevNodeFlags

loc_92FAD9:				; CODE XREF: IopInitializeDeviceInstanceKey+906C7j
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_89F679
; 

loc_92FAE8:				; CODE XREF: IopInitializeDeviceInstanceKey+D9j
		push	esi
		call	IoDeleteDevice
		mov	eax, [ebp+arg_0]
		jmp	short loc_92FAFE
; 

loc_92FAF3:				; CODE XREF: IopInitializeDeviceInstanceKey+B3j
					; IopInitializeDeviceInstanceKey+BEj
		push	esi
		call	IoDeleteDevice
		mov	eax, 0C000009Ah

loc_92FAFE:				; CODE XREF: IopInitializeDeviceInstanceKey+906EBj
		xor	esi, esi
		test	eax, eax
		jns	loc_89F680

loc_92FB08:				; CODE XREF: IopInitializeDeviceInstanceKey+8Aj
		mov	[ebx], eax

loc_92FB0A:				; CODE XREF: IopInitializeDeviceInstanceKey+905DFj
		xor	eax, eax
		jmp	loc_89F47F
; END OF FUNCTION CHUNK	FOR IopInitializeDeviceInstanceKey
; 
; START	OF FUNCTION CHUNK FOR PipAllocateDeviceNode

loc_92FB11:				; CODE XREF: PipAllocateDeviceNode+22j
		mov	eax, 0C000009Ah
		jmp	loc_89F852
; END OF FUNCTION CHUNK	FOR PipAllocateDeviceNode
; 
; START	OF FUNCTION CHUNK FOR WmipTranslatePDOInstanceNames

loc_92FB1B:				; CODE XREF: WmipTranslatePDOInstanceNames+317j
		mov	ecx, ebx
		call	ObfDereferenceObject
		xor	ebx, ebx
		jmp	loc_89F92E
; 

loc_92FB29:				; CODE XREF: WmipTranslatePDOInstanceNames+250j
		add	eax, ecx
		mov	ecx, [eax+4]
		jmp	loc_89FAF6
; 

loc_92FB33:				; CODE XREF: WmipTranslatePDOInstanceNames+28Ej
		cmp	ebx, [ebp+var_8]
		jz	loc_89FB46

loc_92FB3C:				; CODE XREF: WmipTranslatePDOInstanceNames+286j
		mov	[ebp+var_2], 0
		test	ebx, ebx
		jz	loc_89FB46
		mov	ecx, ebx
		call	ObfDereferenceObject
		xor	ebx, ebx
		jmp	loc_89FB46
; 

loc_92FB56:				; CODE XREF: WmipTranslatePDOInstanceNames+FEj
					; WmipTranslatePDOInstanceNames+10Bj
		mov	[ebp+var_1], 1
		jmp	loc_89FA85
; END OF FUNCTION CHUNK	FOR WmipTranslatePDOInstanceNames
; 
; START	OF FUNCTION CHUNK FOR RtlpUpdateDynamicTimeZones

loc_92FB5F:				; CODE XREF: RtlpUpdateDynamicTimeZones+259j
		push	2Ch
		lea	eax, [ebp+var_5C]
		push	eax
		push	3
		push	offset ??_C@_17LIOBIM@?$AAT?$AAZ?$AAI@NNGAKEGL@	; "TZI"
		push	[ebp+var_174]
		push	40000000h
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		jmp	loc_89FE29
; END OF FUNCTION CHUNK	FOR RtlpUpdateDynamicTimeZones
; 
; START	OF FUNCTION CHUNK FOR PpmRegisterPerfStates

loc_92FB81:				; CODE XREF: PpmRegisterPerfStates+B3j
					; PpmRegisterPerfStates+8FCDBj
		mov	ebx, [esp+0A4h+var_80]
		mov	esi, 0C000000Dh
		jmp	short loc_92FBDC
; 

loc_92FB8C:				; CODE XREF: PpmRegisterPerfStates+D7j
		cmp	edx, 0FFFFFFFFh
		jz	short loc_92FB81
		jmp	loc_89FF91
; 

loc_92FB96:				; CODE XREF: PpmRegisterPerfStates+127j
		mov	esi, 0C000009Ah
		jmp	short loc_92FBDC
; 

loc_92FB9D:				; CODE XREF: PpmRegisterPerfStates+278j
		cmp	byte ptr [esi+0Bh], 0
		jz	loc_8A0132
		mov	al, 1
		jmp	loc_8A0134
; 

loc_92FBAE:				; CODE XREF: PpmRegisterPerfStates+286j
		call	KeQueryInterruptTime
		mov	[edi+14h], eax
		mov	eax, [esp+0A0h+var_88]
		push	64h
		mov	[edi+18h], edx
		mov	edx, [esp+0A4h+var_84]
		pop	ecx
		sub	ecx, [eax+8]
		call	_PopDiagTraceProcessorThrottlePerfTrack@8 ; PopDiagTraceProcessorThrottlePerfTrack(x,x)
		jmp	loc_8A0140
; 

loc_92FBD1:				; CODE XREF: PpmRegisterPerfStates+19Ej
					; PpmRegisterPerfStates+1ADj
		mov	esi, 0C000000Dh
		jmp	short loc_92FBDC
; 

loc_92FBD8:				; CODE XREF: PpmRegisterPerfStates+1D2j
		mov	esi, [esp+0A0h+var_80]

loc_92FBDC:				; CODE XREF: PpmRegisterPerfStates+8FCD6j
					; PpmRegisterPerfStates+8FCE7j	...
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		jmp	loc_8A0588
; 

loc_92FBEB:				; CODE XREF: PpmRegisterPerfStates+34Ej
		or	ecx, 0FFFFFFFFh
		jmp	loc_8A020F
; 

loc_92FBF3:				; CODE XREF: PpmRegisterPerfStates+45Bj
					; PpmRegisterPerfStates+469j
		mov	al, dl
		jmp	loc_8A0323
; 

loc_92FBFA:				; CODE XREF: PpmRegisterPerfStates+4CEj
		or	_PpmAllowedActions, 40h
		jmp	loc_8A0388
; 

loc_92FC06:				; CODE XREF: PpmRegisterPerfStates+4E3j
		or	_PpmAllowedActions, 200h
		jmp	loc_8A039D
; 

loc_92FC15:				; CODE XREF: PpmRegisterPerfStates+4ECj
		or	_PpmAllowedActions, 80h
		jmp	loc_8A03A6
; 

loc_92FC24:				; CODE XREF: PpmRegisterPerfStates+4F5j
		or	_PpmAllowedActions, 100h
		jmp	loc_8A03AF
; 

loc_92FC33:				; CODE XREF: PpmRegisterPerfStates+4FFj
		mov	ds:_PpmPerfEppViaPerfControl, 1
		jmp	loc_8A03B9
; 

loc_92FC3F:				; CODE XREF: PpmRegisterPerfStates+509j
		mov	ds:_PpmPerfAutonomousActivityWindowViaPerfControl, 1
		jmp	loc_8A03C3
; 

loc_92FC4B:				; CODE XREF: PpmRegisterPerfStates+63Bj
		mov	_PpmCheckPollForFeedback, 1
		jmp	loc_8A04F5
; 

loc_92FC57:				; CODE XREF: PpmRegisterPerfStates+6D9j
		cmp	ds:_PpmPerfDomainCount,	1
		ja	loc_8A0593
		jmp	loc_8A05B1
; 

loc_92FC69:				; CODE XREF: PpmRegisterPerfStates+6FFj
		push	704D5050h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A05B9
; END OF FUNCTION CHUNK	FOR PpmRegisterPerfStates
; 
; START	OF FUNCTION CHUNK FOR PpmCheckInitProcessors

loc_92FC79:				; CODE XREF: PpmCheckInitProcessors+63j
		mov	ecx, edi
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		jmp	loc_8A06E6
; 

loc_92FC85:				; CODE XREF: PpmCheckInitProcessors+D8j
		mov	eax, 400h
		lea	ecx, [ebp+var_14]
		or	_PpmAllowedActions, eax
		xor	edx, edx
		or	[ebp+var_14], eax
		call	PpmUpdateProcessorPolicy
		jmp	loc_8A06DC
; END OF FUNCTION CHUNK	FOR PpmCheckInitProcessors
; 
; START	OF FUNCTION CHUNK FOR PpmReapplyPerfPolicy

loc_92FCA2:				; CODE XREF: PpmReapplyPerfPolicy+24j
		test	al, al
		jz	loc_8A0788
		jmp	loc_8A0780
; 

loc_92FCAF:				; CODE XREF: PpmReapplyPerfPolicy+43j
		call	_PpmPerfResizeHistoryAll@0 ; PpmPerfResizeHistoryAll()
		mov	eax, [esi]
		jmp	loc_8A079F
; END OF FUNCTION CHUNK	FOR PpmReapplyPerfPolicy
; 
; START	OF FUNCTION CHUNK FOR PpmParkUpdateConcurrencyTracking

loc_92FCBB:				; CODE XREF: PpmParkUpdateConcurrencyTracking+51j
		and	cl, 0F7h
		mov	[esi+6Ah], cl
		lea	ecx, [ebp+var_10]
		and	[ebp+var_8], 0
		and	[ebp+var_C], 0
		mov	word ptr [ebp+var_10], dx
		mov	word ptr [ebp+var_10+2], dx
		mov	edx, offset _PpmIdleRemoveConcurrency@12 ; PpmIdleRemoveConcurrency(x,x,x)
		mov	eax, [esi+8]
		push	0
		push	0
		mov	[ebp+var_8], eax
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		jmp	short loc_92FD46
; 

loc_92FCEA:				; CODE XREF: PpmParkUpdateConcurrencyTracking+49j
		test	al, al
		jnz	loc_8A09AF
		push	2
		or	cl, 8
		lea	edi, [esi+58h]
		pop	eax
		mov	[esi+6Ah], cl
		lea	ebx, [esi+70h]
		mov	[ebp+var_18], eax

loc_92FD04:				; CODE XREF: PpmParkUpdateConcurrencyTracking+8F3E9j
		cmp	byte ptr [edi],	0
		jbe	short loc_92FD37
		and	[ebp+var_8], 0
		lea	ecx, [ebp+var_10]
		and	[ebp+var_C], 0
		mov	word ptr [ebp+var_10], dx
		mov	word ptr [ebp+var_10+2], dx
		mov	edx, offset _PpmIdleInstallConcurrency@12 ; PpmIdleInstallConcurrency(x,x,x)
		mov	eax, [ebx-64h]
		mov	[ebp+var_8], eax
		push	dword ptr [ebx]
		push	dword ptr [esi+28h]
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		mov	eax, [ebp+var_18]
		xor	edx, edx
		inc	edx

loc_92FD37:				; CODE XREF: PpmParkUpdateConcurrencyTracking+8F3AFj
		add	ebx, 4
		inc	edi
		sub	eax, 1
		mov	[ebp+var_18], eax
		jnz	short loc_92FD04
		mov	ebx, [ebp+var_1C]

loc_92FD46:				; CODE XREF: PpmParkUpdateConcurrencyTracking+8F390j
		mov	ch, [ebp+var_11]
		jmp	loc_8A09AF
; END OF FUNCTION CHUNK	FOR PpmParkUpdateConcurrencyTracking
; 
; START	OF FUNCTION CHUNK FOR PpmEventHeteroPolicy

loc_92FD4E:				; CODE XREF: PpmEventHeteroPolicy+45j
		xor	ecx, ecx
		mov	[ebp+var_94], offset _PpmHeteroPolicy
		push	4
		pop	eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_7C], eax
		mov	[ebp+var_6C], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_94]
		push	eax
		push	9
		push	ecx
		push	esi
		push	edi
		push	ebx
		mov	[ebp+var_90], ecx
		mov	[ebp+var_88], ecx
		mov	[ebp+var_84], offset _PopHeteroSystem
		mov	[ebp+var_80], ecx
		mov	[ebp+var_78], ecx
		mov	[ebp+var_74], offset _KiDesiredHeteroCpuPolicy
		mov	[ebp+var_70], ecx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_64], offset unk_705114
		mov	[ebp+var_60], ecx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], offset _KiDynamicHeteroCpuPolicyMask
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], offset unk_705104
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], offset _KiDynamicHeteroCpuPolicy
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], offset _KiDynamicHeteroCpuPolicyImportantPriority
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], offset _KiDynamicHeteroCpuPolicyExpectedRuntime
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_8A0F0D
; END OF FUNCTION CHUNK	FOR PpmEventHeteroPolicy
; 
; START	OF FUNCTION CHUNK FOR PpmEventHeteroConfigUpdate

loc_92FE09:				; CODE XREF: PpmEventHeteroConfigUpdate+43j
		xor	eax, eax
		push	ebx
		mov	[ebp+var_60], ax
		xor	ebx, ebx
		mov	eax, dword_6B5BAC
		inc	ebx
		mov	[ebp+var_64], eax
		mov	[ebp+var_68], offset _PpmCheckRegistered

loc_92FE22:				; CODE XREF: PpmEventHeteroConfigUpdate+8EFA3j
		lea	eax, [ebp+var_68]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	loc_92FEC4
		mov	ecx, [ebp+var_58]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	edx, eax
		lea	eax, [ebp+var_5C]
		movzx	ecx, byte ptr [edx+3C5h]
		mov	[ebp+var_54], eax
		lea	eax, [edx+3C4h]
		mov	[ebp+var_44], eax
		lea	eax, [edx+3ED0h]
		mov	[ebp+var_34], eax
		lea	eax, [edx+3ED1h]
		mov	[ebp+var_24], eax
		lea	eax, [edx+3ED2h]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	esi
		push	edi
		push	dword_6BFD04
		mov	[ebp+var_5C], ecx
		push	_PpmEtwHandle
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], 2
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_92FE22
; 

loc_92FEC4:				; CODE XREF: PpmEventHeteroConfigUpdate+8EF15j
		pop	ebx
		jmp	loc_8A0F65
; END OF FUNCTION CHUNK	FOR PpmEventHeteroConfigUpdate
; 
; START	OF FUNCTION CHUNK FOR KeConfigureHeteroPolicy

loc_92FECA:				; CODE XREF: KeConfigureHeteroPolicy+14j
		mov	[edi], ebx
		jmp	loc_8A1468
; 

loc_92FED1:				; CODE XREF: KeConfigureHeteroPolicy+29j
		mov	[eax], ebx
		jmp	loc_8A147D
; 

loc_92FED8:				; CODE XREF: KeConfigureHeteroPolicy+48j
		mov	[edi+34h], ebx
		mov	edx, ebx
		jmp	loc_8A149C
; END OF FUNCTION CHUNK	FOR KeConfigureHeteroPolicy
; 
; START	OF FUNCTION CHUNK FOR PopDetectSimulatedHeteroProcessors

loc_92FEE2:				; CODE XREF: PopDetectSimulatedHeteroProcessors+8Bj
		push	4
		lea	eax, [ebp+var_20]
		mov	edi, ebx
		mov	[ebp+var_4C], eax
		pop	eax
		mov	word ptr [ebp+var_50+2], ax
		lea	eax, [ebp+var_64]
		push	offset ??_C@_1CG@NAOAFBPG@?$AAS?$AAm?$AAa?$AAl?$AAl?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AAM@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_38]
		mov	[ebp+var_78], eax

loc_92FF05:				; CODE XREF: PopDetectSimulatedHeteroProcessors+8EA95j
		lea	ecx, [ebp+var_40]
		push	ecx
		push	18h
		lea	ecx, [ebp+var_30]
		push	ecx
		push	ebx
		push	edi
		push	eax
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_92FFC7
		mov	eax, [ebp+var_24]
		mov	[ebp+var_40], eax
		cmp	eax, 4
		ja	loc_92FFC8
		mov	word ptr [ebp+var_50], ax
		lea	eax, [ebp+var_3C]
		push	eax
		push	0Ah
		lea	eax, [ebp+var_50]
		push	eax
		call	RtlUnicodeStringToInteger
		mov	esi, eax
		test	esi, esi
		js	loc_92FFD4
		cmp	[ebp+var_3C], 1
		jnb	short loc_92FFC8
		mov	eax, [ebp+var_50]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	1
		lea	eax, [ebp+var_44]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_92FFC7
		lea	eax, [ebp+var_40]
		push	eax
		push	10h
		lea	eax, [ebp+var_18]
		push	eax
		push	4
		lea	eax, [ebp+var_64]
		push	eax
		push	[ebp+var_44]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_92FFBF
		cmp	[ebp+var_18], 4
		jz	short loc_92FF9E
		cmp	[ebp+var_18], 0Bh
		jnz	short loc_92FFBF

loc_92FF9E:				; CODE XREF: PopDetectSimulatedHeteroProcessors+8EA5Cj
		cmp	[ebp+var_14], 4
		mov	[ebp+var_31], 1
		jnz	short loc_92FFB3
		mov	eax, [ebp+var_10]
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], ebx
		jmp	short loc_92FFBC
; 

loc_92FFB3:				; CODE XREF: PopDetectSimulatedHeteroProcessors+8EA6Cj
		cmp	[ebp+var_14], 8
		jnz	short loc_92FFBF
		mov	eax, [ebp+var_10]

loc_92FFBC:				; CODE XREF: PopDetectSimulatedHeteroProcessors+8EA77j
		or	[ebp+var_48], eax

loc_92FFBF:				; CODE XREF: PopDetectSimulatedHeteroProcessors+8EA56j
					; PopDetectSimulatedHeteroProcessors+8EA62j ...
		push	[ebp+var_44]
		call	_ZwClose@4	; ZwClose(x)

loc_92FFC7:				; CODE XREF: PopDetectSimulatedHeteroProcessors+8E9E1j
					; PopDetectSimulatedHeteroProcessors+8EA38j
		inc	edi

loc_92FFC8:				; CODE XREF: PopDetectSimulatedHeteroProcessors+8E9F0j
					; PopDetectSimulatedHeteroProcessors+8EA17j
		test	esi, esi
		js	short loc_92FFD4
		mov	eax, [ebp+var_38]
		jmp	loc_92FF05
; 

loc_92FFD4:				; CODE XREF: PopDetectSimulatedHeteroProcessors+8EA0Dj
					; PopDetectSimulatedHeteroProcessors+8EA90j
		push	[ebp+var_38]
		call	_ZwClose@4	; ZwClose(x)
		cmp	[ebp+var_31], bl
		jz	loc_8A15CB
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	esi, [ebp+var_54]
		mov	edi, eax
		mov	[ebp+var_3C], eax
		add	esi, 8

loc_92FFFA:				; CODE XREF: PopDetectSimulatedHeteroProcessors+8EADCj
		mov	edx, [ebp+var_48]
		mov	ecx, ebx
		shr	edx, cl
		and	edx, 1
		mov	al, dl
		xor	al, 1
		inc	ebx
		mov	[esi], al
		lea	esi, [esi+3]
		mov	[esi-4], dl
		mov	[esi-5], al
		cmp	ebx, edi
		jbe	short loc_92FFFA
		mov	edi, [ebp+var_54]
		mov	word ptr [edi+4], 101h
		jmp	loc_8A15CB
; END OF FUNCTION CHUNK	FOR PopDetectSimulatedHeteroProcessors
; 
; START	OF FUNCTION CHUNK FOR PpmHeteroComputeRelativePerformance

loc_930026:				; CODE XREF: PpmHeteroComputeRelativePerformance+1Ej
		cmp	dword_6B5BE8, eax
		jnz	loc_8A1602
		mov	eax, ds:_PpmPerfDomainHead
		mov	ecx, ebx
		mov	edx, ebx
		cmp	eax, offset _PpmPerfDomainHead
		jz	loc_8A1602
		push	esi
		push	edi

loc_930048:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EA85j
		mov	edi, [eax+74h]
		mov	esi, [eax+70h]
		cmp	edx, edi
		ja	short loc_93005C
		jb	short loc_930058
		cmp	ecx, esi
		ja	short loc_93005C

loc_930058:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EA74j
		mov	ecx, esi
		mov	edx, edi

loc_93005C:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EA72j
					; PpmHeteroComputeRelativePerformance+8EA78j
		mov	eax, [eax]
		cmp	eax, offset _PpmPerfDomainHead
		jnz	short loc_930048
		mov	eax, ecx
		or	eax, edx
		jz	loc_9302F2
		xor	esi, esi
		mov	[ebp+var_14], ebx
		cmp	edx, 7FFFh
		jb	short loc_930094
		ja	short loc_930083
		cmp	ecx, 0FFFFFFFFh
		jb	short loc_930094

loc_930083:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EA9Ej
		lea	eax, [edx+0FFFFh]
		bsr	ebx, eax
		sub	ebx, 0Eh
		mov	[ebp+var_14], ebx
		mov	esi, ebx

loc_930094:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EA9Cj
					; PpmHeteroComputeRelativePerformance+8EAA3j
		mov	eax, ecx
		mov	ecx, esi
		call	__aullshr
		mov	esi, ds:_PpmPerfDomainHead
		mov	[ebp+var_8], eax
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_C], edx
		mov	[ebp+var_10], eax
		jmp	loc_930169
; 

loc_9300B4:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EB91j
		mov	eax, [esi+70h]
		mov	ecx, ebx
		mov	edx, [esi+74h]
		call	__aullshr
		push	64h
		pop	ecx
		mov	ebx, edx
		mov	edi, eax
		mov	eax, ebx
		mul	ecx
		push	64h
		pop	edx
		push	[ebp+var_C]
		mov	ecx, eax
		mov	eax, edi
		push	[ebp+var_8]
		mul	edx
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	edx, [ebp+var_C]
		mov	[esi+78h], al
		mov	eax, [ebp+var_8]
		cmp	edi, eax
		jnz	short loc_9300FE
		cmp	ebx, edx
		jnz	short loc_9300FE
		mov	ecx, 10000h
		xor	eax, eax
		jmp	short loc_93012E
; 

loc_9300FE:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EB11j
					; PpmHeteroComputeRelativePerformance+8EB15j
		shld	ebx, edi, 10h
		mov	ecx, edx
		shrd	eax, ecx, 1
		push	edx
		push	[ebp+var_8]
		shr	ecx, 1
		shl	edi, 10h
		add	edi, eax
		adc	ebx, ecx
		push	ebx
		push	edi
		call	__aulldiv
		mov	ecx, eax
		xor	eax, eax
		cmp	edx, eax
		ja	short loc_930130
		jb	short loc_93012B
		cmp	ecx, 1
		ja	short loc_930130

loc_93012B:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EB46j
		xor	ecx, ecx
		inc	ecx

loc_93012E:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EB1Ej
		mov	edx, eax

loc_930130:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EB44j
					; PpmHeteroComputeRelativePerformance+8EB4Bj
		mov	edi, eax
		cmp	[esi+1Ch], eax
		jbe	short loc_93014D
		mov	ebx, eax

loc_930139:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EB6Bj
		mov	eax, [esi+24h]
		inc	edi
		mov	eax, [eax+ebx]
		lea	ebx, [ebx+78h]
		mov	[eax+24h], ecx
		cmp	edi, [esi+1Ch]
		jb	short loc_930139
		xor	eax, eax

loc_93014D:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EB57j
		cmp	eax, edx
		jb	short loc_930161
		ja	short loc_93015A
		mov	eax, [ebp+var_10]
		cmp	eax, ecx
		jb	short loc_930164

loc_93015A:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EB73j
		mov	eax, ecx
		mov	[ebp+var_10], eax
		jmp	short loc_930164
; 

loc_930161:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EB71j
		mov	eax, [ebp+var_10]

loc_930164:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EB7Aj
					; PpmHeteroComputeRelativePerformance+8EB81j
		mov	esi, [esi]
		mov	ebx, [ebp+var_14]

loc_930169:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EAD1j
		cmp	esi, offset _PpmPerfDomainHead
		jnz	loc_9300B4
		mov	edx, ds:_PpmPerfDomainCount
		mov	ds:_PpmHeteroMinRelativePerformance, eax
		xor	eax, eax
		mov	[ebp+var_10], eax
		mov	bl, al
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], edx
		test	edx, edx
		jz	short loc_93020A

loc_930191:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EC28j
		mov	eax, ds:_PpmPerfDomainHead
		or	esi, 0FFFFFFFFh
		or	edi, 0FFFFFFFFh
		cmp	eax, offset _PpmPerfDomainHead
		jz	short loc_9301D3

loc_9301A3:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EBF0j
		mov	edx, [eax+74h]
		mov	ecx, [eax+70h]
		mov	[ebp+var_1C], edx
		cmp	edx, [ebp+var_C]
		jb	short loc_9301C7
		ja	short loc_9301B8
		cmp	ecx, [ebp+var_10]
		jbe	short loc_9301C7

loc_9301B8:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EBD3j
		cmp	edi, edx
		jb	short loc_9301C7
		ja	short loc_9301C2
		cmp	esi, ecx
		jb	short loc_9301C7

loc_9301C2:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EBDEj
		mov	edi, [ebp+var_1C]
		mov	esi, ecx

loc_9301C7:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EBD1j
					; PpmHeteroComputeRelativePerformance+8EBD8j ...
		mov	eax, [eax]
		cmp	eax, offset _PpmPerfDomainHead
		jnz	short loc_9301A3
		mov	edx, [ebp+var_14]

loc_9301D3:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EBC3j
		mov	ecx, ds:_PpmPerfDomainHead
		cmp	ecx, offset _PpmPerfDomainHead
		jz	short loc_9301FC

loc_9301E1:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EC19j
		cmp	[ecx+70h], esi
		jnz	short loc_9301EF
		cmp	[ecx+74h], edi
		jnz	short loc_9301EF
		mov	[ecx+21h], bl
		dec	edx

loc_9301EF:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EC06j
					; PpmHeteroComputeRelativePerformance+8EC0Bj
		mov	ecx, [ecx]
		cmp	ecx, offset _PpmPerfDomainHead
		jnz	short loc_9301E1
		mov	[ebp+var_14], edx

loc_9301FC:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EC01j
		inc	bl
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], edi
		test	edx, edx
		jnz	short loc_930191
		xor	eax, eax

loc_93020A:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EBB1j
		mov	edi, ds:_PpmPerfDomainCount
		mov	ds:_PpmHeteroNominalPerformanceClasses,	bl
		mov	bl, al
		mov	[ebp+var_18], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], edi
		jmp	loc_9302E4
; 

loc_930226:				; CODE XREF: PpmHeteroComputeRelativePerformance+8ED08j
		mov	esi, ds:_PpmPerfDomainHead
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_C], eax
		mov	eax, offset _PpmPerfDomainHead
		mov	[ebp+var_8], ecx
		cmp	esi, eax
		jz	short loc_930290
		mov	edi, [ebp+var_C]

loc_930241:				; CODE XREF: PpmHeteroComputeRelativePerformance+8ECAAj
		mov	ecx, [esi+58h]
		mov	eax, [esi+74h]
		mul	ecx
		mov	[ebp+var_10], eax
		mov	eax, [esi+70h]
		mul	ecx
		mov	ecx, [ebp+var_10]
		add	ecx, edx
		mov	[ebp+var_10], ecx
		cmp	ecx, [ebp+var_1C]
		jb	short loc_93027C
		ja	short loc_930265
		cmp	eax, [ebp+var_18]
		jbe	short loc_93027C

loc_930265:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EC80j
		cmp	edi, ecx
		jb	short loc_93027C
		ja	short loc_930272
		mov	ecx, [ebp+var_8]
		cmp	ecx, eax
		jb	short loc_93027F

loc_930272:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EC8Bj
		mov	edi, [ebp+var_10]
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		jmp	short loc_93027F
; 

loc_93027C:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EC7Ej
					; PpmHeteroComputeRelativePerformance+8EC85j ...
		mov	ecx, [ebp+var_8]

loc_93027F:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EC92j
					; PpmHeteroComputeRelativePerformance+8EC9Cj
		mov	esi, [esi]
		mov	eax, offset _PpmPerfDomainHead
		cmp	esi, eax
		jnz	short loc_930241
		mov	[ebp+var_C], edi
		mov	edi, [ebp+var_14]

loc_930290:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EC5Ej
		mov	esi, ds:_PpmPerfDomainHead
		cmp	esi, eax
		jz	short loc_9302D6

loc_93029A:				; CODE XREF: PpmHeteroComputeRelativePerformance+8ECF3j
		mov	ecx, [esi+58h]
		mov	eax, [esi+74h]
		mul	ecx
		mov	[ebp+var_10], eax
		mov	eax, [esi+70h]
		mul	ecx
		mov	ecx, [ebp+var_8]
		add	[ebp+var_10], edx
		cmp	eax, ecx
		jnz	short loc_9302C9
		mov	eax, [ebp+var_10]
		cmp	eax, [ebp+var_C]
		jnz	short loc_9302C9
		cmp	[esi+22h], bl
		jz	short loc_9302C8
		mov	[ebp+var_1], 1
		mov	[esi+22h], bl

loc_9302C8:				; CODE XREF: PpmHeteroComputeRelativePerformance+8ECE1j
		dec	edi

loc_9302C9:				; CODE XREF: PpmHeteroComputeRelativePerformance+8ECD4j
					; PpmHeteroComputeRelativePerformance+8ECDCj
		mov	esi, [esi]
		cmp	esi, offset _PpmPerfDomainHead
		jnz	short loc_93029A
		mov	[ebp+var_14], edi

loc_9302D6:				; CODE XREF: PpmHeteroComputeRelativePerformance+8ECBAj
		mov	eax, [ebp+var_C]
		inc	bl
		push	0
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], ecx
		pop	eax

loc_9302E4:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EC43j
		test	edi, edi
		jnz	loc_930226
		mov	ds:_PpmHeteroHighestPerformanceClasses,	bl

loc_9302F2:				; CODE XREF: PpmHeteroComputeRelativePerformance+8EA8Bj
		pop	edi
		pop	esi
		jmp	loc_8A1602
; END OF FUNCTION CHUNK	FOR PpmHeteroComputeRelativePerformance
; 
; START	OF FUNCTION CHUNK FOR PspAssignPrimaryToken

loc_9302F9:				; CODE XREF: PspAssignPrimaryToken+59j
		push	ds:dword_A94A04
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		push	ds:_SeAssignPrimaryTokenPrivilege
		push	edi
		call	_SeCheckPrivilegedObject@20 ; SeCheckPrivilegedObject(x,x,x,x,x)
		test	al, al
		jnz	loc_8A1667
		mov	esi, 0C0000061h
		jmp	loc_8A174A
; 

loc_930322:				; CODE XREF: PspAssignPrimaryToken+ACj
		mov	esi, 0C00000BBh
		jmp	loc_8A1717
; 

loc_93032C:				; CODE XREF: PspAssignPrimaryToken+96j
		mov	esi, 0C00000BBh
		jmp	loc_8A1721
; END OF FUNCTION CHUNK	FOR PspAssignPrimaryToken
; 
; START	OF FUNCTION CHUNK FOR SeAssignPrimaryToken

loc_930336:				; CODE XREF: SeAssignPrimaryToken+29j
		xor	edx, edx
		lea	ecx, [edi+12Ch]
		call	@ObFastReplaceObject@8 ; ObFastReplaceObject(x,x)
		mov	ecx, eax
		mov	byte ptr [eax+0B4h], 0
		call	ObfDereferenceObject
		jmp	loc_8A1789
; END OF FUNCTION CHUNK	FOR SeAssignPrimaryToken
; 
; START	OF FUNCTION CHUNK FOR SeExchangePrimaryToken

loc_930356:				; CODE XREF: SeExchangePrimaryToken+1Fj
		mov	eax, 0C00000A8h
		jmp	loc_8A18E7
; 

loc_930360:				; CODE XREF: SeExchangePrimaryToken+2Dj
		cmp	ds:_SeTokenDoesNotTrackSessionObject, edi
		jnz	loc_8A17DB
		mov	ecx, eax
		call	MmGetSessionObjectById
		mov	edi, eax
		jmp	loc_8A17DB
; 

loc_93037A:				; CODE XREF: SeExchangePrimaryToken+5Ej
		and	[ebp+arg_0], ecx
		lea	eax, [ebp+arg_0]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		jz	short loc_93039D
		mov	ecx, edi
		call	ObfDereferenceObject

loc_93039D:				; CODE XREF: SeExchangePrimaryToken+8EBECj
		mov	eax, 0C000012Bh
		jmp	loc_8A18E7
; 

loc_9303A7:				; CODE XREF: SeExchangePrimaryToken+7Dj
		and	[ebp+arg_0], 0
		lea	eax, [ebp+arg_0]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		jz	short loc_9303CB
		mov	ecx, edi

loc_9303C6:				; CODE XREF: SeExchangePrimaryToken+8EC98j
		call	ObfDereferenceObject

loc_9303CB:				; CODE XREF: SeExchangePrimaryToken+8EC1Aj
					; SeExchangePrimaryToken+8EC96j
		mov	eax, [ebp+var_10]
		jmp	loc_8A18E7
; 

loc_9303D3:				; CODE XREF: SeExchangePrimaryToken+8Dj
		mov	ecx, [esi+78h]
		cmp	ecx, [ebp+var_8]
		jz	loc_8A183B
		mov	edx, [esi+274h]
		call	SepDereferenceLowBoxNumberEntry
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		and	dword ptr [esi+274h], 0
		mov	ecx, esi
		push	eax
		push	edi
		push	1
		call	_SepSetTokenSessionById@20 ; SepSetTokenSessionById(x,x,x,x,x)
		mov	eax, [ebp+var_8]
		mov	ecx, esi
		mov	edx, [esi+1E0h]
		mov	[esi+78h], eax
		call	SepSetTokenLowboxNumber
		mov	[ebp+var_10], eax
		test	eax, eax
		jns	loc_8A183B
		and	[ebp+arg_0], 0
		lea	eax, [ebp+arg_0]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	short loc_9303CB
		jmp	short loc_9303C6
; 

loc_930442:				; CODE XREF: SeExchangePrimaryToken+C7j
		call	ObfDereferenceObject
		jmp	loc_8A1875
; END OF FUNCTION CHUNK	FOR SeExchangePrimaryToken
; 
; START	OF FUNCTION CHUNK FOR SepAuditAssignPrimaryToken

loc_93044C:				; CODE XREF: SepAuditAssignPrimaryToken+96j
		mov	esi, 0C000007Ch
		jmp	loc_8A1AF7
; END OF FUNCTION CHUNK	FOR SepAuditAssignPrimaryToken
; 
; START	OF FUNCTION CHUNK FOR BcdUtilGetBootOptionString

loc_930456:				; CODE XREF: BcdUtilGetBootOptionString+1Cj
		mov	eax, [edx+4]
		mov	ecx, [ebp+arg_0]
		add	eax, edx
		mov	[ecx+4], eax
		movzx	eax, word ptr [edx+8]
		mov	[ecx], ax
		mov	[ecx+2], ax
		xor	eax, eax
		jmp	loc_8A1B6D
; END OF FUNCTION CHUNK	FOR BcdUtilGetBootOptionString
; 
; START	OF FUNCTION CHUNK FOR BcdUtilGetBootOptionInteger

loc_930473:				; CODE XREF: BcdUtilGetBootOptionInteger+1Dj
		mov	edx, [esi+4]
		mov	ecx, [ebp+arg_0]
		mov	eax, [esi+edx]
		mov	[ecx], eax
		mov	eax, [esi+edx+4]
		mov	[ecx+4], eax
		xor	eax, eax
		jmp	loc_8A1BA0
; END OF FUNCTION CHUNK	FOR BcdUtilGetBootOptionInteger
; 
; START	OF FUNCTION CHUNK FOR SeAuditBootConfiguration

loc_93048C:				; CODE XREF: SeAuditBootConfiguration+15Fj
		mov	si, word ptr [ebp+var_2B8]
		test	si, si
		jz	loc_8A1D11
		cmp	si, word ptr [ebp+var_2B8+2]
		jnz	loc_8A1D29
		add	si, cx
		mov	word ptr [ebp+var_2B8],	si
		jmp	loc_8A1D29
; 

loc_9304B8:				; CODE XREF: SeAuditBootConfiguration+1F9j
		mov	ecx, [ebp+var_2AC]
		mov	eax, [ebp+var_2B0]
		jmp	loc_8A1DBB
; 

loc_9304C9:				; CODE XREF: SeAuditBootConfiguration+2DBj
		mov	ecx, [ebp+var_2AC]
		mov	eax, [ebp+var_2B0]
		jmp	loc_8A1E9D
; 

loc_9304DA:				; CODE XREF: SeAuditBootConfiguration+404j
		mov	eax, [ebp+var_2C0]
		test	ax, ax
		jz	loc_8A1FB6
		cmp	ax, word ptr [ebp+var_2C0+2]
		jnz	loc_8A1FCD
		mov	ecx, 0FFFEh
		add	si, cx
		mov	word ptr [ebp+var_2B8],	si
		jmp	loc_8A1FCD
; 

loc_93050A:				; CODE XREF: SeAuditBootConfiguration+457j
		mov	ecx, [ebp+var_2AC]
		mov	edx, [ebp+var_2B0]
		jmp	loc_8A200D
; END OF FUNCTION CHUNK	FOR SeAuditBootConfiguration
; 
; START	OF FUNCTION CHUNK FOR BcdUtilGetBootOption

loc_93051B:				; CODE XREF: BcdUtilGetBootOption+1Bj
		add	ecx, eax
		mov	edx, ebx
		add	ecx, edi
		call	BcdUtilGetBootOption
		test	eax, eax
		jnz	loc_8A211A
		jmp	loc_8A2111
; END OF FUNCTION CHUNK	FOR BcdUtilGetBootOption
; 
; START	OF FUNCTION CHUNK FOR SeAuditProcessCreation

loc_930533:				; CODE XREF: SeAuditProcessCreation+BBj
		mov	ecx, 734h
		mov	[esp+348h+var_324], ecx
		jmp	loc_8A21F8
; 

loc_930541:				; CODE XREF: SeAuditProcessCreation+ABj
		mov	ecx, 735h
		mov	[esp+348h+var_324], ecx
		jmp	loc_8A2204
; 

loc_93054F:				; CODE XREF: SeAuditProcessCreation+E6j
		mov	ebx, 0C000007Ch
		jmp	loc_8A24DC
; 

loc_930559:				; CODE XREF: SeAuditProcessCreation+F7j
		mov	[esp+348h+var_318], 792h
		jmp	loc_8A2236
; 

loc_930566:				; CODE XREF: SeAuditProcessCreation+125j
		mov	eax, ds:_SeNullSid
		mov	[esp+348h+var_30C], eax
		jmp	loc_8A226D
; 

loc_930574:				; CODE XREF: SeAuditProcessCreation+15Bj
		mov	eax, [esp+348h+var_300]
		test	eax, eax
		jnz	short loc_9305E4
		mov	esi, [esp+348h+var_320]
		lea	eax, [esp+348h+var_334]
		push	eax
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	ebx
		push	esi
		call	PsQueryProcessCommandLine
		cmp	eax, 0C0000004h
		jnz	loc_8A2289
		push	4C436553h
		push	[esp+34Ch+var_334]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8A2289
		lea	eax, [esp+348h+var_334]
		push	eax
		push	ebx
		push	[esp+350h+var_334]
		push	edi
		push	esi
		call	PsQueryProcessCommandLine
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_9305DA
		xor	ebx, ebx
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A2289
; 

loc_9305DA:				; CODE XREF: SeAuditProcessCreation+8E4A2j
		mov	[esp+348h+var_335], 1
		jmp	loc_8A229C
; 

loc_9305E4:				; CODE XREF: SeAuditProcessCreation+8E452j
		mov	edi, eax
		jmp	loc_8A229C
; 

loc_9305EB:				; CODE XREF: SeAuditProcessCreation+1D2j
					; SeAuditProcessCreation+1DAj
		mov	[esp+348h+var_336], 1
		jmp	loc_8A2308
; 

loc_9305F5:				; CODE XREF: SeAuditProcessCreation+2EDj
		mov	eax, [esp+348h+var_310]
		mov	[esp+348h+var_230], 23h
		mov	[esp+348h+var_22C], ecx
		mov	[esp+348h+var_228], eax
		mov	[esp+348h+var_224], esi
		jmp	loc_8A2426
; 

loc_93061E:				; CODE XREF: SeAuditProcessCreation+304j
		mov	[esp+348h+var_21C], 15h
		mov	[esp+348h+var_218], edx
		mov	[esp+348h+var_214], eax
		jmp	loc_8A2455
; 

loc_93063C:				; CODE XREF: SeAuditProcessCreation+399j
		test	edi, edi
		jz	loc_8A24C7
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A24C7
; END OF FUNCTION CHUNK	FOR SeAuditProcessCreation
; 
; START	OF FUNCTION CHUNK FOR PiNormalizeDeviceText

loc_930651:				; CODE XREF: PiNormalizeDeviceText+95j
		mov	esi, 0C000009Ah
		jmp	loc_8A2803
; 

loc_93065B:				; CODE XREF: PiNormalizeDeviceText+189j
					; PiNormalizeDeviceText+2ABj
		mov	esi, 0C000009Ah
		jmp	loc_8A27E5
; 

loc_930665:				; CODE XREF: PiNormalizeDeviceText+345j
		test	edi, edi
		jz	loc_8A282F
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A282F
; END OF FUNCTION CHUNK	FOR PiNormalizeDeviceText
; 
; START	OF FUNCTION CHUNK FOR PiGetDefaultMessageString

loc_93067B:				; CODE XREF: PiGetDefaultMessageString+5Aj
		mov	esi, 0C0000001h
		jmp	loc_8A294D
; 

loc_930685:				; CODE XREF: PiGetDefaultMessageString+8Aj
		test	cl, 2
		jz	short loc_9306AA
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], ebx
		push	eax
		mov	[ebp+var_8], ebx
		call	_RtlInitUTF8String@8 ; RtlInitUTF8String(x,x)
		push	1
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlUTF8StringToUnicodeString@12 ; RtlUTF8StringToUnicodeString(x,x,x)
		jmp	short loc_9306C2
; 

loc_9306AA:				; CODE XREF: PiGetDefaultMessageString+8DE48j
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	RtlAnsiStringToUnicodeString

loc_9306C2:				; CODE XREF: PiGetDefaultMessageString+8DE68j
		mov	esi, eax
		test	esi, esi
		js	loc_8A294D
		jmp	loc_8A28E1
; END OF FUNCTION CHUNK	FOR PiGetDefaultMessageString
; 
; START	OF FUNCTION CHUNK FOR SepParseElamCertResources

loc_9306D1:				; CODE XREF: SepParseElamCertResources+FBj
		test	cl, cl
		jnz	loc_8A2AF5

loc_9306D9:				; CODE XREF: SepParseElamCertResources+36j
					; SepParseElamCertResources+7Aj ...
		mov	eax, 0C000000Dh
		jmp	loc_8A2D84
; 

loc_9306E3:				; CODE XREF: SepParseElamCertResources+1D2j
		mov	ecx, [ebp+var_1E4]
		test	ecx, ecx
		jz	loc_8A2D1D
		jmp	loc_8A2BB0
; END OF FUNCTION CHUNK	FOR SepParseElamCertResources
; 
; START	OF FUNCTION CHUNK FOR SmEtwEnableCallback

loc_9306F6:				; CODE XREF: SmEtwEnableCallback+3Dj
		push	ecx
		mov	edx, edi
		mov	ecx, offset unk_718648
		call	_SmKmEtwLogStoreStats@12 ; SmKmEtwLogStoreStats(x,x,x)
		push	offset _SmEventStoreRundown
		mov	edx, edi
		mov	ecx, offset unk_718648
		call	_SmKmEtwLogStoreChange@12 ; SmKmEtwLogStoreChange(x,x,x)
		mov	edx, esi
		mov	ecx, ebx
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_8A2DFB
; END OF FUNCTION CHUNK	FOR SmEtwEnableCallback
; 
; START	OF FUNCTION CHUNK FOR EmpCheckOperator

loc_930730:				; CODE XREF: EmpCheckOperator+F8j
		cmp	edi, [ebp+arg_0]
		jmp	short loc_930738
; 

loc_930735:				; CODE XREF: EmpCheckOperator+16Dj
		cmp	[ebp+arg_0], edi

loc_930738:				; CODE XREF: EmpCheckOperator+8D831j
		sbb	ecx, ecx
		neg	ecx
		jmp	loc_8A2F38
; 

loc_930741:				; CODE XREF: EmpCheckOperator+11Fj
					; EmpCheckOperator+146j
		cmp	[ebp+arg_0], edi
		jmp	loc_8A309B
; 

loc_930749:				; CODE XREF: EmpCheckOperator+83j
					; EmpCheckOperator+AAj	...
		xor	ecx, ecx
		cmp	edi, [ebp+arg_0]
		setnz	cl
		jmp	loc_8A2F38
; END OF FUNCTION CHUNK	FOR EmpCheckOperator
; 
; START	OF FUNCTION CHUNK FOR PipDmgGetDriverDmarCompatLevel

loc_930756:				; CODE XREF: PipDmgGetDriverDmarCompatLevel+E1j
		test	byte ptr _MmVerifierData, 80h
		jz	loc_8A343A
		mov	ecx, [ebx+0Ch]
		call	_VfTargetDriversIsEnabled@4 ; VfTargetDriversIsEnabled(x)
		test	eax, eax
		jz	loc_8A343A
		jmp	loc_8A3480
; END OF FUNCTION CHUNK	FOR PipDmgGetDriverDmarCompatLevel
; 
; START	OF FUNCTION CHUNK FOR KeAllocateCalloutStackEx

loc_930778:				; CODE XREF: KeAllocateCalloutStackEx+14j
		sub	eax, 1
		jz	short loc_930787
		mov	eax, 0C00000EFh
		jmp	loc_8A359B
; 

loc_930787:				; CODE XREF: KeAllocateCalloutStackEx+8D2B7j
		mov	bl, 1
		jmp	loc_8A34E0
; 

loc_93078E:				; CODE XREF: KeAllocateCalloutStackEx+25j
		mov	eax, 0C00000F0h
		jmp	loc_8A359B
; 

loc_930798:				; CODE XREF: KeAllocateCalloutStackEx+2Fj
		mov	eax, 0C00000F1h
		jmp	loc_8A359B
; 

loc_9307A2:				; CODE XREF: KeAllocateCalloutStackEx+5Bj
		mov	eax, 0C0000017h
		jmp	loc_8A359B
; 

loc_9307AC:				; CODE XREF: KeAllocateCalloutStackEx+94j
		test	edi, edi
		jz	short loc_9307CF
		lea	ebx, [esi+24h]
		mov	esi, [esp+20h+var_8]
		lea	ebx, [ebx+edi*4]

loc_9307BA:				; CODE XREF: KeAllocateCalloutStackEx+8D305j
		mov	ecx, [ebx]
		mov	edx, esi
		call	_MmDeleteKernelStack@8 ; MmDeleteKernelStack(x,x)
		lea	ebx, [ebx-4]
		sub	edi, 1
		jnz	short loc_9307BA
		mov	esi, [esp+20h+var_4]

loc_9307CF:				; CODE XREF: KeAllocateCalloutStackEx+8D2EAj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C000009Ah
		jmp	loc_8A359B
; END OF FUNCTION CHUNK	FOR KeAllocateCalloutStackEx
; 
; START	OF FUNCTION CHUNK FOR IopCreateCmResourceList

loc_9307E1:				; CODE XREF: IopCreateCmResourceList+68j
		mov	edx, [esi+4]
		and	[ebp+var_C], 0
		add	edx, 10h
		adc	[ebp+var_C], 0
		jmp	loc_8A3612
; 

loc_9307F4:				; CODE XREF: IopCreateCmResourceList+D8j
					; IopCreateCmResourceList+E0j
		test	ebx, ebx
		jnz	loc_93094E
		cmp	edi, 0FFFFFFFFh
		ja	loc_93094E
		push	20207050h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_930822
		mov	eax, [ebp+arg_4]
		and	[eax], esi
		jmp	loc_8A3656
; 

loc_930822:				; CODE XREF: IopCreateCmResourceList+8D272j
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	ecx, [ebp+var_8]
		sub	eax, edi
		sbb	ecx, ebx
		add	eax, 4
		push	0
		pop	edi
		adc	ecx, edi
		mov	[ebp+var_4], eax
		mov	[ebp+var_2C], ecx
		jnz	loc_930907
		cmp	eax, 0FFFFFFFFh
		ja	loc_930907
		push	20207050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], ebx
		mov	[eax], ebx
		test	ebx, ebx
		jz	loc_93090C
		mov	ecx, [ebp+var_4]
		push	ecx		; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		lea	eax, [ebx+4]
		mov	[esi], edi
		mov	[ebp+var_14], eax
		lea	edx, [esi+4]
		mov	eax, [ebp+var_18]
		add	esp, 0Ch
		mov	[ebx], edi
		mov	[ebp+arg_4], edx
		mov	[ebp+var_1C], edi
		cmp	[eax], edi
		jbe	loc_930947
		mov	ecx, [ebp+var_10]

loc_9308A3:				; CODE XREF: IopCreateCmResourceList+8D39Dj
		and	[ebp+var_20], 0
		lea	eax, [ecx+10h]
		mov	[ebp+var_2C], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_28], eax
		push	10h
		pop	edi
		test	eax, eax
		jz	short loc_9308E6
		mov	ecx, [ebp+var_2C]
		mov	ebx, eax

loc_9308BF:				; CODE XREF: IopCreateCmResourceList+8D337j
		push	10h
		xor	edx, edx
		cmp	byte ptr [ecx],	5
		pop	eax
		jnz	short loc_9308D1
		mov	eax, [ecx+4]
		add	eax, 10h
		adc	edx, edx

loc_9308D1:				; CODE XREF: IopCreateCmResourceList+8D323j
		add	edi, eax
		adc	[ebp+var_20], edx
		add	ecx, eax
		sub	ebx, 1
		jnz	short loc_9308BF
		mov	ebx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+arg_4]

loc_9308E6:				; CODE XREF: IopCreateCmResourceList+8D314j
		mov	eax, [ebp+var_24]
		cmp	[ecx], eax
		jnz	short loc_930918
		mov	eax, [ebp+arg_0]
		cmp	[ecx+4], eax
		jnz	short loc_930918
		inc	dword ptr [esi]
		push	edi		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		add	[ebp+arg_4], edi
		jmp	short loc_93092A
; 

loc_930907:				; CODE XREF: IopCreateCmResourceList+8D2A2j
					; IopCreateCmResourceList+8D2ABj
		mov	eax, [ebp+arg_4]
		mov	[eax], edi

loc_93090C:				; CODE XREF: IopCreateCmResourceList+8D2CAj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A3656
; 

loc_930918:				; CODE XREF: IopCreateCmResourceList+8D347j
					; IopCreateCmResourceList+8D34Fj
		inc	dword ptr [ebx]
		push	edi		; size_t
		push	ecx		; void *
		push	[ebp+var_14]	; void *
		call	_memcpy
		add	esp, 0Ch
		add	[ebp+var_14], edi

loc_93092A:				; CODE XREF: IopCreateCmResourceList+8D361j
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+var_1C]
		add	ecx, edi
		mov	eax, [ebp+var_18]
		inc	edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_10], ecx
		cmp	edx, [eax]
		mov	edx, [ebp+arg_4]
		jb	loc_9308A3

loc_930947:				; CODE XREF: IopCreateCmResourceList+8D2F6j
		mov	eax, esi
		jmp	loc_8A3658
; 

loc_93094E:				; CODE XREF: IopCreateCmResourceList+8D252j
					; IopCreateCmResourceList+8D25Bj
		xor	edx, edx
		jmp	loc_8A368A
; END OF FUNCTION CHUNK	FOR IopCreateCmResourceList
; 
; START	OF FUNCTION CHUNK FOR IopCombineCmResourceList

loc_930955:				; CODE XREF: IopCombineCmResourceList+Fj
		test	edi, edi
		jnz	short loc_930960
		mov	eax, ebx
		jmp	loc_8A36AB
; 

loc_930960:				; CODE XREF: IopCombineCmResourceList+8D2C3j
		push	esi
		xor	esi, esi
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		mov	ecx, edi
		mov	[ebp+var_4], eax
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		mov	ecx, eax
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_9309BD
		test	ecx, ecx
		jz	short loc_9309BD
		add	ecx, 0FFFFFFFCh
		push	20207050h
		add	eax, ecx
		mov	[ebp+var_8], ecx
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9309BD
		push	[ebp+var_4]	; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		push	[ebp+var_8]	; size_t
		lea	eax, [edi+4]
		push	eax		; void *
		mov	eax, [ebp+var_4]
		add	eax, esi
		push	eax		; void *
		call	_memcpy
		mov	eax, [edi]
		add	esp, 18h
		add	[esi], eax

loc_9309BD:				; CODE XREF: IopCombineCmResourceList+8D2E5j
					; IopCombineCmResourceList+8D2E9j ...
		mov	eax, esi
		pop	esi
		jmp	loc_8A36AB
; END OF FUNCTION CHUNK	FOR IopCombineCmResourceList
; 
; START	OF FUNCTION CHUNK FOR AdtpObjsInitialize

loc_9309C5:				; CODE XREF: AdtpObjsInitialize+18Fj
					; AdtpObjsInitialize+1CAj ...
		mov	eax, 0C0000017h
		jmp	loc_8A3D71
; END OF FUNCTION CHUNK	FOR AdtpObjsInitialize
; 
; START	OF FUNCTION CHUNK FOR AdtpInitializeDriveLetters

loc_9309CF:				; CODE XREF: AdtpInitializeDriveLetters+E1j
		push	0
		push	[ebp+var_78]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_8A3E06
; 

loc_9309E6:				; CODE XREF: AdtpInitializeDriveLetters+BBj
		mov	ebx, 0C0000017h
		jmp	loc_8A3E6F
; 

loc_9309F0:				; CODE XREF: AdtpInitializeDriveLetters+12Ej
		push	0
		push	esi
		push	[ebp+var_48]
		call	NtQuerySymbolicLinkObject
		test	eax, eax
		js	short loc_930A03
		mov	bl, 1
		jmp	short loc_930A15
; 

loc_930A03:				; CODE XREF: AdtpInitializeDriveLetters+8CC7Dj
		push	0
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_930A15:				; CODE XREF: AdtpInitializeDriveLetters+8CC81j
		push	[ebp+var_48]
		call	NtClose
		test	bl, bl
		jnz	loc_8A3EB8
		jmp	loc_8A3EB4
; END OF FUNCTION CHUNK	FOR AdtpInitializeDriveLetters
; 
; START	OF FUNCTION CHUNK FOR KseRegisterShimEx

loc_930A2A:				; CODE XREF: KseRegisterShimEx+Ej
		mov	eax, 0C000000Dh
		jmp	loc_8A4045
; 

loc_930A34:				; CODE XREF: KseRegisterShimEx+1Dj
		mov	eax, 0C0000001h
		jmp	loc_8A4045
; 

loc_930A3E:				; CODE XREF: KseRegisterShimEx+47j
		xor	eax, eax
		mov	ebx, 0C0000001h
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		mov	ecx, 0CDh
		test	_KsepDebugFlag,	2
		mov	dword_6C7024[eax*8], ebx
		mov	word_6C7022[eax*8], di
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_930A8A
		mov	eax, [esi+4]
		push	dword ptr [eax]	; char
		push	offset ??_C@_0CB@FKCCKKCN@KSE?3?5Shim?5?$FL0x?$CF08X?$FN?5is?5not?5valid@NNGAKEGL@ ; char *
		push	edi		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_930A8A:				; CODE XREF: KseRegisterShimEx+8CB7Bj
		mov	eax, [esi+4]
		push	dword ptr [eax]	; char
		push	offset ??_C@_0CB@FKCCKKCN@KSE?3?5Shim?5?$FL0x?$CF08X?$FN?5is?5not?5valid@NNGAKEGL@ ; char *
		push	edi		; int
		call	_KsepLogError
		jmp	loc_8A4034
; 

loc_930A9F:				; CODE XREF: KseRegisterShimEx+59j
		mov	ebx, 0C000009Ah
		jmp	loc_8A4037
; 

loc_930AA9:				; CODE XREF: KseRegisterShimEx+8Dj
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_930ABD
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_930ABD:				; CODE XREF: KseRegisterShimEx+8CBBAj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax
		mov	ebx, 0C0000035h
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		mov	ecx, 0EEh
		push	2
		pop	edx
		mov	dword_6C7024[eax*8], ebx
		mov	word_6C7022[eax*8], dx
		mov	_KsepHistoryErrors[eax*8], cx
		test	_KsepDebugFlag,	dl
		jz	short loc_930B21
		mov	eax, [esi+4]
		push	dword ptr [eax]	; char
		push	offset ??_C@_0CL@CABHPPDE@KSE?3?5Attempt?5to?5re?9register?5shi@NNGAKEGL@ ; char *
		push	edx		; int
		call	_KsepDebugPrint
		add	esp, 0Ch
		push	2
		pop	edx

loc_930B21:				; CODE XREF: KseRegisterShimEx+8CC0Fj
		mov	eax, [esi+4]
		push	dword ptr [eax]	; char
		push	offset ??_C@_0CL@CABHPPDE@KSE?3?5Attempt?5to?5re?9register?5shi@NNGAKEGL@ ; char *
		push	edx		; int
		call	_KsepLogError
		add	esp, 0Ch
		mov	ecx, edi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		jmp	loc_8A4037
; 

loc_930B40:				; CODE XREF: KseRegisterShimEx+CDj
		test	al, 4
		jnz	loc_8A3FCD
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8A3FCD
; 

loc_930B54:				; CODE XREF: KseRegisterShimEx+124j
		mov	eax, [esi+4]
		push	dword ptr [eax]	; char
		push	offset ??_C@_0CL@NFECGAAK@KSE?3?5Succeeded?5shim?5?$FL0x?$CF08X?$FN?5re@NNGAKEGL@ ; "KSE: Succeeded shim [0x%08X] registrati"...
		push	edi		; int
		call	_KsepDebugPrint
		add	esp, 0Ch
		jmp	loc_8A4024
; END OF FUNCTION CHUNK	FOR KseRegisterShimEx
; 
; START	OF FUNCTION CHUNK FOR KsepIsShimRegistered

loc_930B6C:				; CODE XREF: KsepIsShimRegistered+40j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_930B75
		mov	[eax], edi

loc_930B75:				; CODE XREF: KsepIsShimRegistered+8CB1Fj
		xor	ebx, ebx
		inc	ebx
		jmp	loc_8A40A2
; END OF FUNCTION CHUNK	FOR KsepIsShimRegistered
; 
; START	OF FUNCTION CHUNK FOR KsepValidateShimProviderAndData

loc_930B7D:				; CODE XREF: KsepValidateShimProviderAndData+5Bj
		cmp	eax, ebx
		jnb	loc_8A4129
		jmp	loc_8A4111
; END OF FUNCTION CHUNK	FOR KsepValidateShimProviderAndData
; 
; START	OF FUNCTION CHUNK FOR SepRmCommandServerThread

loc_930B8A:				; CODE XREF: SepRmCommandServerThread+6Cj
		push	ds:dword_A94E28
		call	_ZwClose@4	; ZwClose(x)
		push	esi
		mov	ds:dword_A94E28, edi
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_930BA1:				; CODE XREF: SepRmCommandServerThread+8CAFEj
		mov	ecx, [esp+250h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_930BB8:				; CODE XREF: SepRmCommandServerThread+B3j
		cmp	eax, 0C0000001h
		jz	loc_8A42AF
		cmp	eax, 0C000000Bh
		jz	loc_8A42AF
		cmp	eax, 0C000021Fh
		jz	loc_8A42AF
		jmp	loc_8A42D3
; 

loc_930BDE:				; CODE XREF: SepRmCommandServerThread+143j
		push	esi
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	loc_930CFB
		xor	eax, eax
		lea	edi, [esp+250h+var_238]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+250h+var_218]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+250h+var_228]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+250h+var_238]
		xor	edi, edi
		push	edi
		push	edi
		push	eax
		mov	_SepRmAuditingEnabled, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esp+258h+var_218]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		lea	eax, [esp+258h+var_228]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	ebx
		mov	esi, offset unk_6D7130
		push	esi
		call	ExAcquireResourceExclusiveLite
		cmp	_SepLsaAuditQueueInfo, offset _SepLsaAuditQueueInfo
		lea	eax, [esp+250h+var_238]
		mov	ecx, esi
		mov	dword_6D7188, eax
		setz	bl
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		lea	ecx, [esp+250h+var_228]
		call	_SepAdtInitLsaDeadEventForNonPagedList@4 ; SepAdtInitLsaDeadEventForNonPagedList(x)
		mov	bh, al
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	esi, offset unk_6D7088
		push	esi
		call	ExAcquireResourceExclusiveLite
		cmp	_SepLsaDeletedLogonQueueInfo, offset _SepLsaDeletedLogonQueueInfo
		lea	eax, [esp+250h+var_218]
		mov	ecx, esi
		mov	dword_6D70E0, eax
		setz	[esp+250h+var_241]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	bl, bl
		jnz	short loc_930CBC
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [esp+260h+var_238]
		push	eax
		call	KeWaitForSingleObject

loc_930CBC:				; CODE XREF: SepRmCommandServerThread+8CA92j
		test	bh, bh
		jz	short loc_930CCE
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [esp+260h+var_228]
		push	eax
		call	KeWaitForSingleObject

loc_930CCE:				; CODE XREF: SepRmCommandServerThread+8CAA4j
		cmp	[esp+250h+var_241], 0
		jnz	short loc_930CE3
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [esp+260h+var_218]
		push	eax
		call	KeWaitForSingleObject

loc_930CE3:				; CODE XREF: SepRmCommandServerThread+8CAB9j
		push	ds:dword_A94E28
		call	_ZwClose@4	; ZwClose(x)
		mov	esi, [esp+250h+var_240]
		xor	ebx, ebx
		mov	ds:dword_A94E28, edi
		inc	ebx

loc_930CFB:				; CODE XREF: SepRmCommandServerThread+8C9CCj
		mov	ecx, esi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		lea	ecx, [eax+1C0h]
		call	_SepRmCleanupRmLsaState@4 ; SepRmCleanupRmLsaState(x)
		push	[esp+250h+var_240]
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jnz	loc_930BA1
		mov	ecx, [esp+250h+var_240]
		mov	edx, 74536553h
		call	ObfDereferenceObjectWithTag
		mov	eax, ds:_MmBadPointer
		mov	[esp+250h+var_240], eax
		jmp	loc_8A4379
; END OF FUNCTION CHUNK	FOR SepRmCommandServerThread
; 
; START	OF FUNCTION CHUNK FOR SepRmGlobalSaclSetWrkr

loc_930D3A:				; CODE XREF: SepRmGlobalSaclSetWrkr+4Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	ebx, ebx
		inc	ebx
		push	ebx
		push	offset _SepRmGlobalSaclLock
		call	ExAcquireResourceExclusiveLite
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		lea	edx, [ebp+var_10]
		lea	ecx, [ebp+var_8]
		call	_SepRmGlobalSaclFind@16	; SepRmGlobalSaclFind(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_930DE4
		cmp	[ebp+var_C], 0
		mov	esi, [ebp+var_8]
		jz	short loc_930D9F
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_930D85
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_930D85:				; CODE XREF: SepRmGlobalSaclSetWrkr+8C9F9j
		mov	eax, [ebp+var_4]
		mov	[esi+0Ch], eax

loc_930D8B:				; CODE XREF: SepRmGlobalSaclSetWrkr+60j
		mov	ecx, offset _SepRmGlobalSaclLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_8A43E8
; 

loc_930D9F:				; CODE XREF: SepRmGlobalSaclSetWrkr+8C9F2j
		mov	ecx, [ebp+var_10]
		mov	eax, [esi]
		test	ecx, ecx
		jnz	short loc_930DAF
		mov	_SepRmGlobalSaclHead, eax
		jmp	short loc_930DB1
; 

loc_930DAF:				; CODE XREF: SepRmGlobalSaclSetWrkr+8CA24j
		mov	[ecx], eax

loc_930DB1:				; CODE XREF: SepRmGlobalSaclSetWrkr+8CA2Bj
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_930DC4
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+8], 0

loc_930DC4:				; CODE XREF: SepRmGlobalSaclSetWrkr+8CA34j
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_930DD7
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+0Ch], 0

loc_930DD7:				; CODE XREF: SepRmGlobalSaclSetWrkr+8CA47j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A43D6
; 

loc_930DE4:				; CODE XREF: SepRmGlobalSaclSetWrkr+8C9E9j
		cmp	[ebp+var_C], 0
		jz	loc_8A43D6
		push	6C635347h
		push	10h
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_930E23
		mov	eax, [ebp+arg_0]
		push	6C635347h
		movzx	eax, ax
		push	eax
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esi+8], ecx
		test	ecx, ecx
		jnz	short loc_930E2D
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_930E23:				; CODE XREF: SepRmGlobalSaclSetWrkr+8CA7Dj
		mov	edi, 0C0000017h
		jmp	loc_8A43D6
; 

loc_930E2D:				; CODE XREF: SepRmGlobalSaclSetWrkr+8CA98j
		mov	ax, word ptr [ebp+var_1C+2]
		mov	edx, [ebp+arg_0]
		mov	[esi+6], ax
		mov	[esi+4], ax
		movzx	eax, dx
		push	eax		; size_t
		push	[ebp+var_14]	; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		and	[ebp+var_4], 0
		mov	[esi+0Ch], eax
		mov	eax, _SepRmGlobalSaclHead
		mov	[esi], eax
		mov	_SepRmGlobalSaclHead, esi
		jmp	loc_8A43D6
; 

loc_930E68:				; CODE XREF: SepRmGlobalSaclSetWrkr+58j
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A43E0
; END OF FUNCTION CHUNK	FOR SepRmGlobalSaclSetWrkr
; 
; START	OF FUNCTION CHUNK FOR SepRmFetchGlobalSacl

loc_930E77:				; CODE XREF: SepRmFetchGlobalSacl+6Bj
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	0
		push	2
		push	offset _DefaultKey
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_930EA0
		cmp	esi, 0C0000023h
		jnz	loc_8A4467

loc_930EA0:				; CODE XREF: SepRmFetchGlobalSacl+8CA9Cj
		cmp	[ebp+var_4], 1000Bh
		ja	loc_8A4467
		xor	esi, esi
		cmp	[ebp+var_4], 0Ch
		ja	short loc_930EC4
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+arg_0]
		and	[ecx], esi
		and	[eax], esi
		jmp	loc_8A4467
; 

loc_930EC4:				; CODE XREF: SepRmFetchGlobalSacl+8CABDj
		push	6C635347h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8A4486
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		push	ebx
		push	2
		push	offset _DefaultKey
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_930F3A
		mov	eax, [ebp+var_4]
		sub	eax, 0Ch
		push	6C635347h
		push	eax
		push	1
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		mov	[ecx], edx
		test	edx, edx
		jnz	short loc_930F22
		mov	esi, 0C0000017h
		jmp	short loc_930F3A
; 

loc_930F22:				; CODE XREF: SepRmFetchGlobalSacl+8CB23j
		push	[ebp+var_4]	; size_t
		lea	eax, [ebx+0Ch]
		push	eax		; void *
		push	edx		; void *
		call	_memcpy
		mov	ecx, [ebp+var_C]
		add	esp, 0Ch
		mov	eax, [ebp+var_4]
		mov	[ecx], eax

loc_930F3A:				; CODE XREF: SepRmFetchGlobalSacl+8CB02j
					; SepRmFetchGlobalSacl+8CB2Aj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A4467
; 

loc_930F47:				; CODE XREF: SepRmFetchGlobalSacl+75j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_8], 0
		jmp	loc_8A4471
; END OF FUNCTION CHUNK	FOR SepRmFetchGlobalSacl
; 
; START	OF FUNCTION CHUNK FOR SepRmCapUpdateWrkr

loc_930F58:				; CODE XREF: SepRmCapUpdateWrkr+2Bj
		mov	dword ptr [ecx+24h], 1
		jmp	loc_8A44BF
; 

loc_930F64:				; CODE XREF: SepRmCapUpdateWrkr+73j
		cmp	_InitSafeBootMode, 1
		jnz	loc_8A4507
		mov	ecx, ds:_SepRmCapTable
		mov	eax, edi
		lock xadd [ecx+24h], eax
		dec	eax
		test	eax, eax
		jg	short loc_930F91
		jz	short loc_930F8C
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_930F91
; 

loc_930F8C:				; CODE XREF: SepRmCapUpdateWrkr+8CAF5j
		call	_SepRmDestroyCapTable@4	; SepRmDestroyCapTable(x)

loc_930F91:				; CODE XREF: SepRmCapUpdateWrkr+8CAF3j
					; SepRmCapUpdateWrkr+8CAFCj
		mov	eax, ds:_SepRmDefaultCap
		mov	ds:_SepRmCapTable, 0
		mov	ecx, [eax+24h]
		mov	eax, ds:_SeDefaultRecoveryCapeSd
		mov	[ecx+10h], eax
		jmp	loc_8A4507
; 

loc_930FB0:				; CODE XREF: SepRmCapUpdateWrkr+81j
		test	al, 4
		jnz	loc_8A4515
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8A4515
; 

loc_930FC4:				; CODE XREF: SepRmCapUpdateWrkr+9Cj
		lock xadd [ebx+24h], edi
		dec	edi
		test	edi, edi
		jg	loc_8A4530
		jz	short loc_930FDE
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_8A4530
; 

loc_930FDE:				; CODE XREF: SepRmCapUpdateWrkr+8CB44j
		mov	ecx, ebx
		call	_SepRmDestroyCapTable@4	; SepRmDestroyCapTable(x)
		jmp	loc_8A4530
; 

loc_930FEA:				; CODE XREF: SepRmCapUpdateWrkr+20j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _SepRmCapTableLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	_SepRmEnforceCap, 1
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_931021
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_931021:				; CODE XREF: SepRmCapUpdateWrkr+8CB8Aj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_8A4530
; END OF FUNCTION CHUNK	FOR SepRmCapUpdateWrkr
; 
; START	OF FUNCTION CHUNK FOR SepReadAndPopulateCapes

loc_931039:				; CODE XREF: SepReadAndPopulateCapes+82j
		cmp	esi, 80000005h
		jz	short loc_93104D
		cmp	esi, 0C0000023h
		jnz	loc_8A45E9

loc_93104D:				; CODE XREF: SepReadAndPopulateCapes+8CAFFj
		push	70536553h
		push	[ebp+var_4F4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_514], ebx
		test	ebx, ebx
		jz	short loc_9310D0
		mov	eax, [ebp+var_4F4]
		lea	ecx, [ebp+var_4F4]
		push	ecx
		push	eax
		push	ebx
		push	2
		push	[ebp+var_508]
		mov	[ebp+var_4E9], 1
		mov	[ebp+var_500], eax
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_8A45C8

loc_93109E:				; CODE XREF: SepReadAndPopulateCapes+ABj
					; SepReadAndPopulateCapes+8CB95j ...
		cmp	[ebp+var_4F0], 0
		jz	short loc_9310B2
		push	[ebp+var_4F0]
		call	_ZwClose@4	; ZwClose(x)

loc_9310B2:				; CODE XREF: SepReadAndPopulateCapes+8CB65j
		mov	eax, [ebp+var_510]
		test	eax, eax
		jz	loc_8A45F1
		push	70536553h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A45F1
; 

loc_9310D0:				; CODE XREF: SepReadAndPopulateCapes+8CB29j
					; SepReadAndPopulateCapes+8CBC6j ...
		mov	esi, 0C000009Ah
		jmp	short loc_93109E
; 

loc_9310D7:				; CODE XREF: SepReadAndPopulateCapes+93j
		imul	eax, 1Ch
		push	70536553h
		mov	[ebp+var_518], eax
		mov	[ebp+var_4F8], eax
		mov	eax, [ebp+var_504]
		add	eax, 12h
		push	eax
		push	1
		mov	[ebp+var_4FC], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_9310D0
		xor	eax, eax
		mov	[ebp+var_504], eax
		cmp	[ebp+var_50C], eax
		jbe	loc_931349

loc_93111C:				; CODE XREF: SepReadAndPopulateCapes+8CE03j
		push	eax
		push	offset ??_C@_1KO@LFEDCLJF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; char
		push	offset ??_C@_1M@PIGKLJLL@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAd@NNGAKEGL@ ; wchar_t *
		lea	eax, [ebp+var_2B8]
		push	157h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	esi, eax
		add	esp, 14h
		test	esi, esi
		js	loc_93109E
		lea	eax, [ebp+var_4F0]
		mov	edx, 201h
		push	eax
		lea	ecx, [ebp+var_2B8]
		call	_SepRegOpenKey@12 ; SepRegOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93109E
		lea	eax, [ebp+var_4F4]
		push	eax
		push	[ebp+var_500]
		push	ebx
		push	2
		push	[ebp+var_4F0]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_931204
		cmp	esi, 80000005h
		jz	short loc_93119B
		cmp	esi, 0C0000023h
		jnz	loc_8A45E9

loc_93119B:				; CODE XREF: SepReadAndPopulateCapes+8CC4Dj
		cmp	[ebp+var_4E9], 0
		jz	short loc_9311AF
		push	70536553h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9311AF:				; CODE XREF: SepReadAndPopulateCapes+8CC62j
		push	70536553h
		push	[ebp+var_4F4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_514], ebx
		test	ebx, ebx
		jz	loc_9310D0
		mov	eax, [ebp+var_4F4]
		lea	ecx, [ebp+var_4F4]
		push	ecx
		push	eax
		push	ebx
		push	2
		push	[ebp+var_4F0]
		mov	[ebp+var_4E9], 1
		mov	[ebp+var_500], eax
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93109E

loc_931204:				; CODE XREF: SepReadAndPopulateCapes+8CC45j
		mov	esi, [ebx+28h]
		mov	eax, [ebp+var_4FC]
		add	esi, 12h
		cmp	esi, eax
		jbe	short loc_93122F
		mov	edx, esi
		mov	ecx, edi
		call	_SepRmCapPoolExpand@8 ;	SepRmCapPoolExpand(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9310D0
		mov	eax, esi
		mov	[ebp+var_4FC], eax

loc_93122F:				; CODE XREF: SepReadAndPopulateCapes+8CCD2j
		lea	ecx, [ebp+var_4F4]
		push	ecx
		push	eax
		push	edi
		push	2
		push	offset _CapeName
		push	[ebp+var_4F0]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93109E
		mov	eax, [ebp+var_4F8]
		inc	eax
		and	eax, 0FFFFFFFEh
		add	eax, [edi+8]
		mov	[ebp+var_4F8], eax
		lea	eax, [ebp+var_4F4]
		push	eax
		push	[ebp+var_4FC]
		push	edi
		push	2
		push	offset _CapePredicate
		push	[ebp+var_4F0]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93109E
		mov	eax, [ebp+var_4F8]
		add	eax, [edi+8]
		mov	[ebp+var_4F8], eax
		lea	eax, [ebp+var_4F4]
		push	eax
		push	[ebp+var_4FC]
		push	edi
		push	2
		push	offset _CapeSD
		push	[ebp+var_4F0]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93109E
		mov	eax, [ebp+var_4F8]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	eax, [edi+8]
		mov	[ebp+var_508], eax
		lea	eax, [ebp+var_4F4]
		push	eax
		push	[ebp+var_4FC]
		push	edi
		push	2
		push	offset _CapeStagedSD
		push	[ebp+var_4F0]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93109E
		mov	eax, [ebp+var_508]
		push	[ebp+var_4F0]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	eax, [edi+8]
		mov	[ebp+var_4F8], eax
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_504]
		and	[ebp+var_4F0], 0
		inc	eax
		mov	[ebp+var_504], eax
		cmp	eax, [ebp+var_50C]
		jb	loc_93111C

loc_931349:				; CODE XREF: SepReadAndPopulateCapes+8CBD6j
		mov	ebx, [ebp+var_4F8]
		push	70536553h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_510], ecx
		test	ecx, ecx
		jz	loc_9310D0
		push	ebx		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		mov	ecx, [ebp+var_510]
		xor	edx, edx
		mov	eax, [ebp+var_518]
		add	esp, 0Ch
		add	eax, ecx
		mov	[ebp+var_508], edx
		mov	[ebp+var_4F8], eax
		lea	eax, [ecx+ebx]
		mov	[ebp+var_504], eax
		mov	eax, [ebp+var_50C]
		test	eax, eax
		jz	loc_931652
		lea	ebx, [ecx+2]
		mov	[ebp+var_500], ebx

loc_9313B4:				; CODE XREF: SepReadAndPopulateCapes+8D106j
		push	edx
		push	offset ??_C@_1KO@LFEDCLJF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; char
		push	offset ??_C@_1M@PIGKLJLL@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAd@NNGAKEGL@ ; wchar_t *
		lea	eax, [ebp+var_2B8]
		push	157h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	esi, eax
		add	esp, 14h
		test	esi, esi
		js	loc_93109E
		lea	eax, [ebp+var_4F0]
		mov	edx, 201h
		push	eax
		lea	ecx, [ebp+var_2B8]
		call	_SepRegOpenKey@12 ; SepRegOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93109E
		lea	eax, [ebp+var_4F4]
		push	eax
		push	[ebp+var_4FC]
		push	edi
		push	2
		push	offset _CapeFlags
		push	[ebp+var_4F0]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93109E
		cmp	dword ptr [edi+8], 4
		jnz	loc_93167B
		mov	eax, [edi+0Ch]
		mov	[ebx+16h], eax
		lea	eax, [ebp+var_4F4]
		push	eax
		push	[ebp+var_4FC]
		push	edi
		push	2
		push	offset _CapeName
		push	[ebp+var_4F0]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93109E
		mov	ebx, [ebp+var_4F8]
		mov	eax, [edi+8]
		inc	ebx
		and	ebx, 0FFFFFFFEh
		add	eax, ebx
		cmp	eax, [ebp+var_504]
		ja	loc_931671
		mov	ecx, [ebp+var_500]
		movzx	eax, word ptr [edi+8]
		mov	[ecx], ax
		mov	[ecx-2], ax
		lea	eax, [edi+0Ch]
		mov	[ecx+2], ebx
		push	dword ptr [edi+8] ; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	ebx, [edi+8]
		lea	eax, [ebp+var_4F4]
		add	esp, 0Ch
		push	eax
		push	[ebp+var_4FC]
		push	edi
		push	2
		push	offset _CapePredicate
		push	[ebp+var_4F0]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93109E
		mov	ecx, [edi+8]
		lea	eax, [ecx+ebx]
		cmp	eax, [ebp+var_504]
		ja	loc_931671
		mov	eax, [ebp+var_500]
		mov	[eax+6], ecx
		cmp	dword ptr [edi+8], 0
		jz	short loc_931504
		mov	[eax+0Ah], ebx
		lea	eax, [edi+0Ch]
		push	dword ptr [edi+8] ; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_931508
; 

loc_931504:				; CODE XREF: SepReadAndPopulateCapes+8CFADj
		and	dword ptr [eax+0Ah], 0

loc_931508:				; CODE XREF: SepReadAndPopulateCapes+8CFC2j
		add	ebx, [edi+8]
		lea	eax, [ebp+var_4F4]
		push	eax
		push	[ebp+var_4FC]
		push	edi
		push	2
		push	offset _CapeSD
		push	[ebp+var_4F0]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93109E
		mov	eax, [edi+8]
		lea	ecx, [ebx+3]
		and	ecx, 0FFFFFFFCh
		add	eax, ecx
		mov	[ebp+var_518], ecx
		cmp	eax, [ebp+var_504]
		ja	loc_931671
		mov	ebx, [ebp+var_500]
		lea	eax, [edi+0Ch]
		mov	[ebx+0Eh], ecx
		push	dword ptr [edi+8] ; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [edi+8]
		add	esp, 0Ch
		mov	[ebp+var_500], eax
		push	dword ptr [ebx+0Eh]
		push	eax
		call	_SeValidSecurityDescriptor@8 ; SeValidSecurityDescriptor(x,x)
		test	al, al
		jz	loc_931667
		lea	eax, [ebp+var_4F4]
		push	eax
		push	[ebp+var_4FC]
		push	edi
		push	2
		push	offset _CapeStagedSD
		push	[ebp+var_4F0]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93109E
		mov	eax, [ebp+var_518]
		mov	ecx, [ebp+var_500]
		add	eax, 3
		mov	edx, [edi+8]
		add	ecx, eax
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_4F8], ecx
		lea	eax, [edx+ecx]
		cmp	eax, [ebp+var_504]
		ja	loc_931671
		test	edx, edx
		jz	short loc_931609
		mov	[ebx+12h], ecx
		lea	eax, [edi+0Ch]
		push	dword ptr [edi+8] ; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	dword ptr [ebx+12h]
		push	dword ptr [edi+8]
		call	_SeValidSecurityDescriptor@8 ; SeValidSecurityDescriptor(x,x)
		test	al, al
		jz	short loc_931667
		mov	ecx, [ebp+var_4F8]
		jmp	short loc_93160D
; 

loc_931609:				; CODE XREF: SepReadAndPopulateCapes+8D09Dj
		and	dword ptr [ebx+12h], 0

loc_93160D:				; CODE XREF: SepReadAndPopulateCapes+8D0C7j
		add	ecx, [edi+8]
		push	[ebp+var_4F0]
		mov	[ebp+var_4F8], ecx
		call	_ZwClose@4	; ZwClose(x)
		mov	edx, [ebp+var_508]
		add	ebx, 1Ch
		and	[ebp+var_4F0], 0
		inc	edx
		mov	eax, [ebp+var_50C]
		mov	[ebp+var_508], edx
		mov	[ebp+var_500], ebx
		cmp	edx, eax
		jb	loc_9313B4
		mov	ecx, [ebp+var_510]

loc_931652:				; CODE XREF: SepReadAndPopulateCapes+8CE65j
		mov	edx, [ebp+var_51C]
		mov	[edx], ecx
		mov	ecx, [ebp+var_520]
		mov	[ecx], eax
		jmp	loc_8A45E9
; 

loc_931667:				; CODE XREF: SepReadAndPopulateCapes+8D03Fj
					; SepReadAndPopulateCapes+8D0BFj
		mov	esi, 0C0000079h
		jmp	loc_93109E
; 

loc_931671:				; CODE XREF: SepReadAndPopulateCapes+8CF37j
					; SepReadAndPopulateCapes+8CF9Aj ...
		mov	esi, 0C0000023h
		jmp	loc_93109E
; 

loc_93167B:				; CODE XREF: SepReadAndPopulateCapes+8CEECj
		mov	esi, 0C000000Dh
		jmp	loc_93109E
; 

loc_931685:				; CODE XREF: SepReadAndPopulateCapes+B8j
		mov	eax, [ebp+var_514]
		test	eax, eax
		jz	loc_8A45FE
		push	70536553h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A45FE
; 

loc_9316A3:				; CODE XREF: SepReadAndPopulateCapes+C0j
		push	70536553h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A4606
; END OF FUNCTION CHUNK	FOR SepReadAndPopulateCapes
; 
; START	OF FUNCTION CHUNK FOR SepRmSetAuditEventWrkr

loc_9316B3:				; CODE XREF: SepRmSetAuditEventWrkr+101j
		push	21h
		pop	ecx
		push	11h
		pop	edx
		push	41h
		jmp	loc_8A46D5
; END OF FUNCTION CHUNK	FOR SepRmSetAuditEventWrkr
; 
; START	OF FUNCTION CHUNK FOR SepRmLsaConnectRequest

loc_9316C0:				; CODE XREF: SepRmLsaConnectRequest+91j
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_9316C8:				; CODE XREF: SepRmLsaConnectRequest+6Bj
					; SepRmLsaConnectRequest+8CFC3j
		push	esi
		push	esi
		push	esi
		push	[ebp+var_24]
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], esi
		push	esi
		push	eax
		call	_ZwAcceptConnectPort@24	; ZwAcceptConnectPort(x,x,x,x,x,x)
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_9316E8
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_9316E8:				; CODE XREF: SepRmLsaConnectRequest+8CFA9j
		mov	eax, esi
		jmp	loc_8A491D
; 

loc_9316EF:				; CODE XREF: SepRmLsaConnectRequest+AFj
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)
		xor	esi, esi
		jmp	short loc_9316C8
; 

loc_9316FB:				; CODE XREF: SepRmLsaConnectRequest+D3j
		mov	edx, 74536553h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	eax, esi
		jmp	loc_8A4812
; 

loc_93170E:				; CODE XREF: SepRmLsaConnectRequest+F5j
		cmp	[ebp+var_11], 0
		jnz	loc_8A492C
		mov	edx, 74536553h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	loc_8A492C
; 

loc_931729:				; CODE XREF: SepRmLsaConnectRequest+1ADj
		mov	ebx, 0C0000001h
		jmp	loc_8A492C
; END OF FUNCTION CHUNK	FOR SepRmLsaConnectRequest
; 
; START	OF FUNCTION CHUNK FOR PopRequestShutdownWait

loc_931733:				; CODE XREF: PopRequestShutdownWait+3Dj
		mov	edx, 64536F50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, 0C0000001h
		jmp	loc_8A49BE
; END OF FUNCTION CHUNK	FOR PopRequestShutdownWait
; 
; START	OF FUNCTION CHUNK FOR SepRmVerifyLsaProtectionLevel

loc_931751:				; CODE XREF: SepRmVerifyLsaProtectionLevel+6Cj
		mov	eax, [esi]
		lea	ecx, [ebp+var_1C]
		push	ebx
		push	ecx
		push	ebx
		push	ebx
		push	2000000h
		push	eax
		mov	[ebp+var_1C], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_93178A
		mov	ecx, [ebp+var_1C]
		mov	bl, [ecx+3A6h]
		call	ObfDereferenceObject
		cmp	bl, 41h
		jz	loc_8A4A44
		mov	eax, 0C0000022h
		xor	ebx, ebx

loc_93178A:				; CODE XREF: SepRmVerifyLsaProtectionLevel+8CD98j
		push	ebx
		push	295h
		push	offset ??_C@_0BL@ELDGEOIE@minkernel?2ntos?2se?2rmmain?4c@NNGAKEGL@ ; "minkernel\\ntos\\se\\rmmain.c"
		push	eax
		push	29h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_93179E:				; CODE XREF: _CmGetDeviceRegKeySecurityDescriptor+56j
		cmp	[ecx+4], bl
		jz	loc_8A4AAE
		jmp	loc_8A4ADA
; END OF FUNCTION CHUNK	FOR SepRmVerifyLsaProtectionLevel
; 
; START	OF FUNCTION CHUNK FOR _CmGetDeviceRegKeySecurityDescriptor

loc_9317AC:				; CODE XREF: _CmGetDeviceRegKeySecurityDescriptor+15j
					; _CmGetDeviceRegKeySecurityDescriptor+21j
		mov	esi, 0C000000Dh

loc_9317B1:				; CODE XREF: _CmGetDeviceRegKeySecurityDescriptor+8Fj
		test	eax, eax
		jz	loc_8A4AC3
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A4AC3
; END OF FUNCTION CHUNK	FOR _CmGetDeviceRegKeySecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR _CmGetRegKeySecurityDescriptor

loc_9317C6:				; CODE XREF: _CmGetRegKeySecurityDescriptor+7Cj
					; _CmGetRegKeySecurityDescriptor+B2j ...
		mov	esi, 0C000003Eh
		jmp	loc_8A4D6E
; 

loc_9317D0:				; CODE XREF: _CmGetRegKeySecurityDescriptor+105j
		push	2
		lea	eax, [ebp+var_58]
		push	eax
		lea	edi, [ebp+var_3C]
		mov	eax, edi
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A4D6E
		push	0
		mov	eax, edi
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		xor	esi, esi
		inc	esi
		push	esi
		mov	dword ptr [eax], 2
		mov	eax, edi
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	[eax], esi
		mov	eax, edi
		push	eax
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	short loc_9317C6
		jmp	loc_8A4BF1
; 

loc_93181A:				; CODE XREF: _CmGetRegKeySecurityDescriptor+131j
		push	edi
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	esi, 8
		add	esi, eax
		jmp	loc_8A4C1D
; 

loc_93182A:				; CODE XREF: _CmGetRegKeySecurityDescriptor+148j
		mov	esi, 0C0000017h
		jmp	loc_8A4D6E
; 

loc_931834:				; CODE XREF: _CmGetRegKeySecurityDescriptor+1C8j
		push	0
		push	edi
		push	20019h
		push	2
		push	2
		pop	edx
		mov	ecx, ebx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_8A4D66
		jmp	loc_8A4CB4
; 

loc_931857:				; CODE XREF: _CmGetRegKeySecurityDescriptor+27Aj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A4D66
; END OF FUNCTION CHUNK	FOR _CmGetRegKeySecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR PopGenerateDeviceFriendlyName

loc_931864:				; CODE XREF: PopGenerateDeviceFriendlyName+44j
					; PopGenerateDeviceFriendlyName+5Dj
		mov	esi, 80000005h
		jmp	loc_8A4EAD
; 

loc_93186E:				; CODE XREF: PopGenerateDeviceFriendlyName+74j
					; PopGenerateDeviceFriendlyName+8CB07j
		mov	esi, 0C000009Ah
		jmp	loc_8A4EAD
; 

loc_931878:				; CODE XREF: PopGenerateDeviceFriendlyName+34j
		cmp	esi, 0C0000034h
		jnz	loc_8A4E9B
		add	ebx, 48h
		push	4D584650h
		movzx	eax, word ptr [ebx]
		push	eax
		push	1
		mov	esi, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_93186E
		mov	[edi+4], eax
		xor	eax, eax
		push	ebx
		push	edi
		mov	[edi], ax
		mov	[edi+2], si
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		jmp	loc_8A4E8F
; 

loc_9318B5:				; CODE XREF: PopGenerateDeviceFriendlyName+101j
		push	4D584650h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A4E9B
; END OF FUNCTION CHUNK	FOR PopGenerateDeviceFriendlyName
; 
; START	OF FUNCTION CHUNK FOR PipMakeGloballyUniqueId

loc_9318C5:				; CODE XREF: PipMakeGloballyUniqueId+5Cj
		mov	eax, edx
		mov	[ebp+var_34], edx
		jmp	loc_8A4F24
; 

loc_9318CF:				; CODE XREF: PipMakeGloballyUniqueId+C5j
		cmp	[ebp+var_14], 4
		jnz	short loc_931911
		cmp	[ebp+var_10], 4
		jnz	short loc_931911
		mov	eax, [ebp+var_C]
		push	6E657050h
		push	12h
		push	1
		mov	[ebp+var_28], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_931AB3
		push	[ebp+var_28]	; char
		push	offset ??_C@_15LHNHECKK@?$AA?$CF?$AAx@NNGAKEGL@	; wchar_t *
		push	12h		; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		jmp	loc_8A500B
; 

loc_931911:				; CODE XREF: PipMakeGloballyUniqueId+124j
					; PipMakeGloballyUniqueId+8CA1Dj ...
		mov	esi, 0C000000Dh
		jmp	loc_8A5080
; 

loc_93191B:				; CODE XREF: PipMakeGloballyUniqueId+11Aj
		mov	eax, [ebp+var_34]
		push	1
		add	eax, 14h
		mov	[ebp+var_1C], 1Fh
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	RtlUpcaseUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_8A5080
		movzx	ecx, word ptr [ebp+var_24]
		xor	eax, eax
		mov	edx, [ebp+var_20]
		shr	ecx, 1
		lea	eax, [edx+ecx*2]
		cmp	eax, edx
		sbb	esi, esi
		not	esi
		and	esi, ecx
		jbe	short loc_93196B
		mov	ebx, edi

loc_931958:				; CODE XREF: PipMakeGloballyUniqueId+8CAB0j
		movzx	eax, word ptr [edx]
		lea	edx, [edx+2]
		imul	edi, 25h
		add	edi, eax
		inc	ebx
		cmp	ebx, esi
		jb	short loc_931958
		mov	ebx, [ebp+var_38]

loc_93196B:				; CODE XREF: PipMakeGloballyUniqueId+8CA9Ej
		imul	eax, edi, 12B9B0A5h
		mov	ecx, 3B9ACA07h
		cdq
		xor	eax, edx
		sub	eax, edx
		cdq
		idiv	ecx
		lea	eax, [ebp+var_24]
		push	eax
		mov	[ebp+var_38], edx
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [ebp+var_1C]
		push	6E657050h
		lea	esi, [eax+eax]
		push	esi
		push	1
		mov	[ebp+var_40], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_931AB3
		mov	eax, [ebp+var_34]
		push	dword ptr [eax+54h]
		push	[ebp+var_38]
		push	(offset	loc_8B991D+1) ;	char
		push	(offset	loc_8B990B+1) ;	wchar_t	*
		push	esi		; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_3C]
		add	esp, 18h
		push	eax
		push	5
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A5080
		push	edi
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_1C]
		push	eax
		push	10h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_3C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_931A1A
		cmp	[ebp+var_14], 4
		jnz	short loc_931A1A
		cmp	[ebp+var_10], 4
		jnz	short loc_931A1A
		mov	eax, [ebp+var_C]
		jmp	short loc_931A1C
; 

loc_931A1A:				; CODE XREF: PipMakeGloballyUniqueId+8CB51j
					; PipMakeGloballyUniqueId+8CB57j ...
		xor	eax, eax

loc_931A1C:				; CODE XREF: PipMakeGloballyUniqueId+8CB62j
		inc	eax
		push	4
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	4
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_3C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A5080
		mov	eax, [ebp+var_30]
		xor	esi, esi
		push	1Eh
		pop	ecx
		push	1Ch
		dec	eax
		mov	word ptr [ebp+var_24+2], cx
		pop	ecx
		push	eax
		push	[ebp+var_38]
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_34]
		mov	word ptr [ebp+var_24], cx
		mov	[ebp+var_20], (offset loc_8B9894+6)
		mov	[ebp+var_28], edi
		push	dword ptr [eax+54h] ; char
		lea	eax, [ebp+var_28]
		push	(offset	loc_8B98F9+1) ;	wchar_t	*
		push	esi		; int
		push	esi		; int
		push	eax		; int
		mov	eax, [ebp+var_40]
		shr	eax, 1
		push	eax		; int
		push	edi		; void *
		call	RtlStringCchPrintfExW
		mov	eax, [ebp+var_28]
		add	esp, 24h
		sub	eax, edi
		sar	eax, 1
		inc	eax
		mov	[ebp+var_1C], eax
		add	eax, eax
		push	eax
		push	edi
		push	1
		push	esi
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_2C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A5080
		jmp	loc_8A500B
; 

loc_931AB3:				; CODE XREF: PipMakeGloballyUniqueId+FAj
					; PipMakeGloballyUniqueId+141j	...
		mov	esi, 0C000009Ah
		jmp	loc_8A5080
; END OF FUNCTION CHUNK	FOR PipMakeGloballyUniqueId
; 
; START	OF FUNCTION CHUNK FOR PiAuAllocateAndInitializeSid

loc_931ABD:				; CODE XREF: PiAuAllocateAndInitializeSid+2Fj
		mov	esi, 0C000009Ah

loc_931AC2:				; CODE XREF: PiAuAllocateAndInitializeSid+41j
		mov	eax, [edi]
		test	eax, eax
		jz	loc_8A5155
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0
		jmp	loc_8A5155
; END OF FUNCTION CHUNK	FOR PiAuAllocateAndInitializeSid
; 
; START	OF FUNCTION CHUNK FOR PiCreateDriverRedirectedStateKey

loc_931ADC:				; CODE XREF: PiCreateDriverRedirectedStateKey+72j
		mov	eax, [ebp+var_10]
		movzx	edx, word ptr [ebp+var_20]
		movzx	ecx, word ptr [eax]
		lea	eax, [ebp+var_18]
		add	ecx, 2
		push	eax
		mov	[ebp+var_18], ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A54A2
		mov	edx, [ebp+var_18]
		cmp	edx, 0FFFEh
		jbe	short loc_931B14
		mov	esi, 80000005h
		jmp	loc_8A54A2
; 

loc_931B14:				; CODE XREF: PiCreateDriverRedirectedStateKey+8C6DEj
		lea	ecx, [ebp+var_28]
		call	IopAllocateUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_8A54A2
		push	[ebp+var_10]
		lea	eax, [ebp+var_20]
		push	eax		; char
		push	offset ??_C@_1BA@IHOFGBGC@?$AA?$CF?$AAw?$AAZ?$AA?2?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ ; int
		push	800h		; void *
		lea	eax, [ebp+var_28]
		push	0		; int
		push	eax		; int
		call	_RtlUnicodeStringPrintfEx
		mov	esi, eax
		add	esp, 18h
		test	esi, esi
		js	loc_8A54A2
		lea	eax, [ebp+var_28]
		mov	[ebp+var_40], 18h
		mov	[ebp+var_38], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_40]
		mov	[ebp+var_3C], ecx
		push	eax
		push	4
		lea	eax, [ebp+var_8]
		mov	[ebp+var_34], 240h
		push	eax
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_931C04
		lea	ecx, [ebp+var_14]
		call	_PiAuGetServiceStateSecurityObject@4 ; PiAuGetServiceStateSecurityObject(x)
		mov	ebx, [ebp+var_14]
		mov	esi, eax
		test	esi, esi
		js	loc_8A54A2
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		lea	ecx, [ebp+var_20]
		call	_PiCreateRegistryPath@16 ; PiCreateRegistryPath(x,x,x,x)
		mov	edi, [ebp+var_C]
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_931BFA
		test	esi, esi
		js	loc_8A54A2
		mov	eax, [ebp+var_10]
		mov	[ebp+var_38], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	4
		lea	eax, [ebp+var_8]
		mov	[ebp+var_40], 18h
		push	eax
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], 240h
		mov	[ebp+var_30], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_931C04

loc_931BFA:				; CODE XREF: PiCreateDriverRedirectedStateKey+8C78Aj
		mov	esi, 0C00000E5h
		jmp	loc_8A54A2
; 

loc_931C04:				; CODE XREF: PiCreateDriverRedirectedStateKey+8C75Bj
					; PiCreateDriverRedirectedStateKey+8C7CEj
		test	esi, esi
		js	loc_8A54A2
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		mov	[ecx], eax
		jmp	loc_8A54A2
; 

loc_931C1D:				; CODE XREF: PiCreateDriverRedirectedStateKey+8Ej
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8A54BE
; 

loc_931C2A:				; CODE XREF: PiCreateDriverRedirectedStateKey+9Aj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A54CA
; END OF FUNCTION CHUNK	FOR PiCreateDriverRedirectedStateKey
; 
; START	OF FUNCTION CHUNK FOR PiGetStateRootPath

loc_931C37:				; CODE XREF: PiGetStateRootPath+16j
		mov	esi, 0C000000Dh
		jmp	loc_8A5526
; 

loc_931C41:				; CODE XREF: PiGetStateRootPath+36j
		mov	esi, 0C0000001h
		jmp	loc_8A5526
; 

loc_931C4B:				; CODE XREF: PiGetStateRootPath+9Bj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A5526
; END OF FUNCTION CHUNK	FOR PiGetStateRootPath
; 
; START	OF FUNCTION CHUNK FOR KseShimDatabaseBootRelease

loc_931C58:				; CODE XREF: KseShimDatabaseBootRelease+42j
		test	al, 4
		jnz	loc_8A56AE
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8A56AE
; END OF FUNCTION CHUNK	FOR KseShimDatabaseBootRelease
; 
; START	OF FUNCTION CHUNK FOR PpReleaseBootDDB

loc_931C6C:				; CODE XREF: PpReleaseBootDDB+51j
		call	SdbReleaseDatabase
		push	edi
		push	ds:_PpBootDDBPatch
		mov	ds:_PpDDBPatchHandle, edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ds:_PpBootDDBPatch, edi
		jmp	loc_8A5763
; END OF FUNCTION CHUNK	FOR PpReleaseBootDDB
; 
; START	OF FUNCTION CHUNK FOR EtwInitializeSiloState

loc_931C8E:				; CODE XREF: EtwInitializeSiloState+18Aj
		test	edi, edi
		jz	short loc_931CA5

loc_931C92:				; CODE XREF: EtwInitializeSiloState+8C4F9j
		mov	eax, [ebx+188h]
		push	dword ptr [eax+esi*4]
		call	_ExFreeCacheAwareRundownProtection@4 ; ExFreeCacheAwareRundownProtection(x)
		inc	esi
		cmp	esi, edi
		jb	short loc_931C92

loc_931CA5:				; CODE XREF: EtwInitializeSiloState+87j
					; EtwInitializeSiloState+138j ...
		mov	eax, [ebx+8D8h]
		mov	esi, 61777445h
		test	eax, eax
		jz	short loc_931CBB
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_931CBB:				; CODE XREF: EtwInitializeSiloState+8C508j
		mov	eax, [ebx+188h]
		test	eax, eax
		jz	short loc_931CCC
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_931CCC:				; CODE XREF: EtwInitializeSiloState+8C519j
		mov	eax, [ebx+908h]
		test	eax, eax
		jz	short loc_931CDD
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_931CDD:				; CODE XREF: EtwInitializeSiloState+8C52Aj
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_931CE4:				; CODE XREF: EtwInitializeSiloState+2Bj
		mov	esi, 0C0000017h
		jmp	loc_8A5AB0
; END OF FUNCTION CHUNK	FOR EtwInitializeSiloState
; 
; START	OF FUNCTION CHUNK FOR EtwpInitializeAutoLoggers

loc_931CEE:				; CODE XREF: EtwpInitializeAutoLoggers+11Ej
		lea	eax, [esp+180h+var_16C]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	EtwpEnumerateAutologgerPath

loc_931CFC:				; CODE XREF: EtwpInitializeAutoLoggers+CCj
		test	esi, esi
		jz	loc_8A5C1A
		push	74777445h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A5C1A
; 

loc_931D14:				; CODE XREF: EtwpInitializeAutoLoggers+126j
		push	74777445h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A5C22
; END OF FUNCTION CHUNK	FOR EtwpInitializeAutoLoggers
; 
; START	OF FUNCTION CHUNK FOR EtwpEnumerateAutologgerPath

loc_931D24:				; CODE XREF: EtwpEnumerateAutologgerPath+8Aj
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_931D29:				; CODE XREF: EtwpEnumerateAutologgerPath+8C0F6j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_13C]
		jnz	short loc_931D29
		sub	ecx, edx
		xor	edx, edx
		sar	ecx, 1
		cmp	esi, ecx
		jbe	short loc_931D54
		mov	esi, edi
		lea	ecx, [esi+2]

loc_931D47:				; CODE XREF: EtwpEnumerateAutologgerPath+8C110j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_931D47
		jmp	short loc_931D64
; 

loc_931D54:				; CODE XREF: EtwpEnumerateAutologgerPath+8C100j
		mov	esi, ebx
		lea	ecx, [esi+2]

loc_931D59:				; CODE XREF: EtwpEnumerateAutologgerPath+8C122j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_931D59

loc_931D64:				; CODE XREF: EtwpEnumerateAutologgerPath+8C112j
		sub	esi, ecx
		sar	esi, 1
		jmp	loc_8A5CD0
; 

loc_931D6D:				; CODE XREF: EtwpEnumerateAutologgerPath+117j
		push	74777445h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_134], esi
		test	esi, esi
		jz	loc_8A5E2F
		jmp	loc_8A5D5D
; 

loc_931D8F:				; CODE XREF: EtwpEnumerateAutologgerPath+1BBj
		lea	eax, [ebp+var_11C]
		push	eax
		push	ebx		; char
		push	offset ??_C@_1BA@NPEHGALP@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	[ebp+var_144]	; int
		push	[ebp+var_134]	; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		test	eax, eax
		jnz	loc_8A5E14
		jmp	loc_8A5E01
; END OF FUNCTION CHUNK	FOR EtwpEnumerateAutologgerPath
; 
; START	OF FUNCTION CHUNK FOR PnpSetDeviceInterfacePropertyData

loc_931DBD:				; CODE XREF: PnpSetDeviceInterfacePropertyData+6Cj
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_BC], offset unk_AA0000
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_BC]
		push	eax
		push	[ebp+arg_0]
		call	_RtlLCIDToCultureName@8	; RtlLCIDToCultureName(x,x)
		test	al, al
		jnz	loc_8A5F76
		mov	esi, 0C0000001h
		jmp	loc_8A5FFB
; 

loc_931DF4:				; CODE XREF: PnpSetDeviceInterfacePropertyData+51j
					; PnpSetDeviceInterfacePropertyData+5Aj ...
		mov	esi, 0C000000Dh
		jmp	loc_8A5FFB
; END OF FUNCTION CHUNK	FOR PnpSetDeviceInterfacePropertyData

;  S U B	R O U T	I N E 


sub_931DFE	proc near		; DATA XREF: .text:006A739Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		push	eax
		call	ds:__imp__RpcExceptionFilter@4 ; RpcExceptionFilter(x)
		retn
sub_931DFE	endp


;  S U B	R O U T	I N E 


sub_931E10	proc near		; DATA XREF: .text:006A73A0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-44h]
		xor	ebx, ebx
		mov	[ebp-20h], ebx
		jmp	loc_8A6081
sub_931E10	endp

; 
; START	OF FUNCTION CHUNK FOR PiDqIrpPropertySet

loc_931E20:				; CODE XREF: PiDqIrpPropertySet+F0j
		mov	[ebp+var_19], 1
		jmp	loc_8A610C
; 

loc_931E29:				; CODE XREF: PiDqIrpPropertySet+10Ej
					; PiDqIrpPropertySet+8BE29j
		mov	esi, 0C0000022h
		jmp	loc_8A61BB
; 

loc_931E33:				; CODE XREF: PiDqIrpPropertySet+118j
		mov	ecx, 100h
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jz	short loc_931E29
		cmp	[ebp+var_19], 0
		jz	loc_8A6134
		push	ecx
		push	ecx
		lea	eax, [ebp+var_28]
		push	eax
		push	ebx
		push	1
		push	7
		push	edi
		mov	edx, [ebp+var_20]
		mov	edx, [edx+4]
		xor	ecx, ecx
		inc	ecx
		call	_PiDqOpenObjectRegKey@36 ; PiDqOpenObjectRegKey(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A61BB
		jmp	loc_8A6134
; 

loc_931E74:				; CODE XREF: PiDqIrpPropertySet+159j
		push	ecx
		push	ecx
		push	edx
		push	esi
		push	edi
		push	[ebp+var_30]
		mov	edx, [ebp+var_28]
		mov	ecx, _PiPnpRtlCtx
		call	__PnpSetGenericStoreProperty@32	; _PnpSetGenericStoreProperty(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A6193
		mov	[ebp+var_54], ebx
		mov	eax, [edi+18h]
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], edi
		push	1
		lea	eax, [ebp+var_54]
		push	eax
		push	4
		mov	edx, [ebp+var_34]
		mov	ecx, [ebp+var_20]
		mov	ecx, [ecx+4]
		call	PiPnpRtlObjectEventWorker
		jmp	loc_8A6193
; 

loc_931EBB:				; CODE XREF: PiDqIrpPropertySet+2Ej
					; PiDqIrpPropertySet+7Fj ...
		mov	esi, 0C000000Dh
		jmp	loc_8A61BB
; 

loc_931EC5:				; CODE XREF: PiDqIrpPropertySet+1B7j
		push	[ebp+var_28]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8A61D3
; END OF FUNCTION CHUNK	FOR PiDqIrpPropertySet
; 
; START	OF FUNCTION CHUNK FOR PsLocateSystemDlls

loc_931ED2:				; CODE XREF: PsLocateSystemDlls+Ej
		test	ds:_PsEmbeddedNTMask, 1
		jnz	loc_8A625F
		jmp	loc_8A6242
; 

loc_931EE4:				; CODE XREF: PsLocateSystemDlls+4Ej
		mov	ecx, ds:_PspSystemDlls[esi*4]
		test	byte ptr [ecx+8], 1
		jz	loc_8A6259
		push	0
		push	esi
		push	2
		push	eax
		push	6Bh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_931F03:				; CODE XREF: PspLocateSystemDll+AAj
		push	esi
		push	3
		jmp	short loc_931F0C
; END OF FUNCTION CHUNK	FOR PsLocateSystemDlls
; 
; START	OF FUNCTION CHUNK FOR PspLocateSystemDll

loc_931F08:				; CODE XREF: PspLocateSystemDll+11Ej
		push	esi
		push	esi
		push	5

loc_931F0C:				; CODE XREF: PspLocateSystemDll+12Ej
					; PspLocateSystemDll+137j ...
		push	eax
		push	6Bh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_931F15:				; CODE XREF: ExpGetNtProductTypeFromLicenseValue+54j
		cmp	eax, 3
		ja	loc_8A6418
		mov	ds:0FFDF0264h, eax
		mov	al, 1
		leave
		retn
; END OF FUNCTION CHUNK	FOR PspLocateSystemDll
; 
; START	OF FUNCTION CHUNK FOR PnpCallAddDevice

loc_931F27:				; CODE XREF: PnpCallAddDevice+32j
		push	dword ptr [ebx+18h]
		mov	ax, [esi+1Ch]
		push	dword ptr [esi+20h]
		shr	ax, 1
		movzx	eax, ax
		push	eax
		push	[ebp+arg_4]
		push	ecx
		call	_McTemplateK0qhzr1z_EtwWriteTransfer@28	; McTemplateK0qhzr1z_EtwWriteTransfer(x,x,x,x,x,x,x)
		jmp	loc_8A6454
; 

loc_931F46:				; CODE XREF: PnpCallAddDevice+8Dj
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		jmp	loc_8A64AF
; END OF FUNCTION CHUNK	FOR PnpCallAddDevice
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceFxDeviceStartPowerManagement

loc_931F54:				; CODE XREF: PopDiagTraceFxDeviceStartPowerManagement+47j
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	1
		push	ebx
		push	offset _POP_ETW_EVENT_DEVICE_START_POWER_MANAGEMENT
		push	esi
		push	edi
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_8A6521
; END OF FUNCTION CHUNK	FOR PopDiagTraceFxDeviceStartPowerManagement
; 
; START	OF FUNCTION CHUNK FOR PfTInitialize

loc_931F7F:				; CODE XREF: PfTInitialize+1Cj
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		push	0Ah
		xor	eax, eax
		lea	edi, [esi+200h]
		pop	ecx
		rep stosd
		xor	edi, edi
		jmp	loc_8A6573
; 

loc_931FA1:				; CODE XREF: PfTInitialize+B4j
		call	ExAcquireFastMutex
		jmp	loc_8A65EF
; 

loc_931FAB:				; CODE XREF: PfTInitialize+D9j
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_8A661D
; 

loc_931FB7:				; CODE XREF: PfTInitialize+F8j
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		push	edi
		call	_KeResetEvent@4	; KeResetEvent(x)
		lea	eax, [esi+44h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		lea	eax, [esi+80h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		xor	edi, edi
		jmp	loc_8A665D
; END OF FUNCTION CHUNK	FOR PfTInitialize
; 
; START	OF FUNCTION CHUNK FOR PfFbBufferListInitialize

loc_931FDF:				; CODE XREF: PfFbBufferListInitialize+13j
		mov	[edx+40h], eax
		mov	[edx+44h], eax
		mov	[edx+48h], eax
		jmp	loc_8A673C
; END OF FUNCTION CHUNK	FOR PfFbBufferListInitialize
; 
; START	OF FUNCTION CHUNK FOR PfpSetBaseTime

loc_931FED:				; CODE XREF: PfpSetBaseTime+68j
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	eax
		lea	eax, [ebp+var_4]
		mov	edx, offset ??_C@_1BC@FBKCDMNG@?$AAB?$AAa?$AAs?$AAe?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@ ; "BaseTime"
		push	eax
		push	ebx
		mov	ecx, esi
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		mov	ecx, eax
		jmp	loc_8A67E4
; END OF FUNCTION CHUNK	FOR PfpSetBaseTime
; 
; START	OF FUNCTION CHUNK FOR PfpParametersRead

loc_93200C:				; CODE XREF: PfpParametersRead+48j
					; PfpParametersRead+55j
		mov	[ebp+var_20], 80000000h
		jmp	loc_8A6891
; END OF FUNCTION CHUNK	FOR PfpParametersRead
; 
; START	OF FUNCTION CHUNK FOR PfSnParametersRead

loc_932018:				; CODE XREF: PfSnParametersRead+5Ej
		xor	esi, esi
		jmp	loc_8A69A4
; END OF FUNCTION CHUNK	FOR PfSnParametersRead
; 
; START	OF FUNCTION CHUNK FOR PfSnParametersVerify

loc_93201F:				; CODE XREF: PfSnParametersVerify+1Fj
		mov	ecx, 0C000000Dh
		jmp	loc_8A6E19
; END OF FUNCTION CHUNK	FOR PfSnParametersVerify
; 
; START	OF FUNCTION CHUNK FOR PfTStart

loc_932029:				; CODE XREF: PfTStart+27j
		and	ebx, 0FFFFFFFEh
		jmp	loc_8A6E4D
; 

loc_932031:				; CODE XREF: PfTStart+39j
		cmp	dword_6D46C0, 1
		jz	loc_8A6E5F
		cmp	dword_6D46C4, 1
		jz	loc_8A6E5F
		and	ebx, 0FFFFFFFDh
		jmp	loc_8A6E5F
; 

loc_932053:				; CODE XREF: PfTStart+65j PfTStart+83j ...
		mov	ecx, esi
		call	_PfTCleanup@8	; PfTCleanup(x,x)
		push	1		; char
		mov	ecx, esi	; void *
		call	PfTInitialize
		jmp	loc_8A7019
; END OF FUNCTION CHUNK	FOR PfTStart
; 
; START	OF FUNCTION CHUNK FOR PfTAllocateBuffers

loc_932068:				; CODE XREF: PfTAllocateBuffers+36j
		mov	ebx, 0C000009Ah
		jmp	loc_8A70A7
; END OF FUNCTION CHUNK	FOR PfTAllocateBuffers
; 
; START	OF FUNCTION CHUNK FOR PfpCreateEvent

loc_932072:				; CODE XREF: PfpCreateEvent+71j
		mov	esi, 0C000009Ah
		jmp	loc_8A728B
; END OF FUNCTION CHUNK	FOR PfpCreateEvent
; 
; START	OF FUNCTION CHUNK FOR AslFileMappingCreateFromImageView

loc_93207C:				; CODE XREF: AslFileMappingCreateFromImageView+4Fj
		push	edi
		push	(offset	loc_8C3E05+1)
		push	13Fh
		push	offset ??_C@_0CC@LALKCCNO@AslFileMappingCreateFromImageVi@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_8A7387
; 

loc_93209B:				; CODE XREF: AslFileMappingCreateFromImageView+95j
		push	eax
		push	dword ptr [esi]
		push	offset ??_C@_0CK@IADOKJDF@AslpFileMappingGetFileKind?5fail@NNGAKEGL@
		push	160h
		push	offset ??_C@_0CC@LALKCCNO@AslFileMappingCreateFromImageVi@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		mov	dword ptr [edi], 3
		jmp	loc_8A737F
; 

loc_9320C2:				; CODE XREF: AslFileMappingCreateFromImageView+Fj
					; AslFileMappingCreateFromImageView+1Aj ...
		mov	eax, 0C000000Dh
		jmp	loc_8A738D
; END OF FUNCTION CHUNK	FOR AslFileMappingCreateFromImageView
; 
; START	OF FUNCTION CHUNK FOR AslpFileMappingGetFileKind

loc_9320CC:				; CODE XREF: AslpFileMappingGetFileKind+2Ej
					; AslpFileMappingGetFileKind+37j
		mov	eax, [ebp+var_24]
		mov	dword ptr [eax], 3
		jmp	short loc_932155
; 

loc_9320D7:				; CODE XREF: AslpFileMappingGetFileKind+83j
		mov	edx, 454Eh
		cmp	[eax+ecx], dx
		jnz	loc_8A743A
		mov	[ebp+var_1C], 5
		jmp	loc_8A743A
; END OF FUNCTION CHUNK	FOR AslpFileMappingGetFileKind

;  S U B	R O U T	I N E 


sub_9320F2	proc near		; DATA XREF: .text:006A73BCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		xor	eax, eax
		inc	eax
		retn
sub_9320F2	endp


;  S U B	R O U T	I N E 


sub_932100	proc near		; DATA XREF: .text:006A73C0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-28h]
		mov	[ebp-20h], esi
		push	esi
		push	(offset	loc_8C4D43+3)
		push	51Eh
		push	(offset	loc_8C4D06+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_8A743D
sub_932100	endp

; 
; START	OF FUNCTION CHUNK FOR AslpFileMappingGetFileKind

loc_932128:				; CODE XREF: AslpFileMappingGetFileKind+49j
					; AslpFileMappingGetFileKind+52j
		mov	esi, 0C000000Dh
		push	esi
		push	offset ??_C@_0BK@JBDFECNJ@File?5mapping?5invalid?5?$FL?$CFx?$FN@NNGAKEGL@
		push	4E8h
		push	(offset	loc_8C4D06+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_8A7444
; 

loc_93214C:				; CODE XREF: AslpFileMappingGetFileKind+19j
					; AslpFileMappingGetFileKind+24j
		mov	eax, [ebp+var_24]
		mov	dword ptr [eax], 1

loc_932155:				; CODE XREF: AslpFileMappingGetFileKind+8AD2Bj
		xor	eax, eax
		jmp	loc_8A744E
; END OF FUNCTION CHUNK	FOR AslpFileMappingGetFileKind
; 
; START	OF FUNCTION CHUNK FOR KsepCacheInitialize

loc_93215C:				; CODE XREF: KsepCacheInitialize+51j
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)

loc_932161:				; CODE XREF: KsepCacheInitialize+15j
		mov	ecx, esi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		xor	esi, esi
		jmp	loc_8A74CE
; END OF FUNCTION CHUNK	FOR KsepCacheInitialize
; 
; START	OF FUNCTION CHUNK FOR KsepRegistryQueryDWORD

loc_93216F:				; CODE XREF: KsepRegistryQueryDWORD+2Dj
		mov	eax, esi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		mov	edx, 286h
		test	_KsepDebugFlag,	4
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	word_6C7022[eax*8], cx
		mov	_KsepHistoryErrors[eax*8], dx
		jz	loc_8A751B
		push	0
		push	edx
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0BC@LLGAOKNE@KeyHandle?5?$CB?$DN?5NULL@NNGAKEGL@ ;	"KeyHandle != NULL"
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		push	4
		pop	ecx
		jmp	loc_8A751B
; 

loc_9321C4:				; CODE XREF: KsepRegistryQueryDWORD+35j
		lock xadd _KsepHistoryErrorsIndex, esi
		inc	esi
		and	esi, 3Fh
		mov	eax, 287h
		test	_KsepDebugFlag,	4
		mov	dword_6C7024[esi*8], 0C0000420h
		mov	word_6C7022[esi*8], cx
		mov	_KsepHistoryErrors[esi*8], ax
		jz	loc_8A7523
		push	0
		push	eax
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0O@PAGCFJBO@Value?5?$CB?$DN?5NULL@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		jmp	loc_8A7523
; 

loc_932214:				; CODE XREF: KsepRegistryQueryDWORD+6Cj
		cmp	[ebp+var_14], 4
		jnz	short loc_93222A
		cmp	[ebp+var_18], 4
		jnz	short loc_93222A
		mov	eax, [ebp+var_10]
		mov	[edi], eax
		jmp	loc_8A755A
; 

loc_93222A:				; CODE XREF: KsepRegistryQueryDWORD+8AD30j
					; KsepRegistryQueryDWORD+8AD36j
		mov	ecx, 0C0000024h
		jmp	loc_8A755A
; END OF FUNCTION CHUNK	FOR KsepRegistryQueryDWORD
; 
; START	OF FUNCTION CHUNK FOR KsepRegistryQuerySZ

loc_932234:				; CODE XREF: KsepRegistryQuerySZ+26j
		mov	eax, esi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		mov	ebx, 351h
		test	_KsepDebugFlag,	4
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	word_6C7022[eax*8], dx
		mov	_KsepHistoryErrors[eax*8], bx
		jz	loc_8A75B6
		push	ecx
		push	ebx
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0BC@LLGAOKNE@KeyHandle?5?$CB?$DN?5NULL@NNGAKEGL@ ;	"KeyHandle != NULL"
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		push	4
		xor	ecx, ecx
		pop	edx
		jmp	loc_8A75B6
; 

loc_93228A:				; CODE XREF: KsepRegistryQuerySZ+30j
		mov	eax, esi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		mov	word_6C7022[eax*8], dx
		mov	edx, 352h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], dx
		jz	loc_8A75C0
		push	ecx
		push	edx
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0BE@MEPHNDGO@ValueBuffer?5?$CB?$DN?5NULL@NNGAKEGL@	; "ValueBuffer != NULL"
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		jmp	loc_8A75C0
; 

loc_9322DB:				; CODE XREF: KsepRegistryQuerySZ+3Bj
		mov	eax, esi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		push	4
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 353h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	loc_8A75CB
		push	0
		push	ecx
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0BF@GHHEJLCO@ActualLength?5?$CB?$DN?5NULL@NNGAKEGL@ ; "ActualLength != NULL"
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		jmp	loc_8A75CB
; 

loc_932330:				; CODE XREF: KsepRegistryQuerySZ+69j
		test	edi, edi
		js	loc_8A764F
		lock xadd _KsepHistoryErrorsIndex, esi
		inc	esi
		and	esi, 3Fh
		test	_KsepDebugFlag,	4
		push	4
		pop	eax
		mov	word_6C7022[esi*8], ax
		mov	eax, 365h
		mov	dword_6C7024[esi*8], 0C0000420h
		mov	_KsepHistoryErrors[esi*8], ax
		jz	loc_8A764F
		push	0
		push	eax
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0BE@EEDFCNFH@?$CBNT_SUCCESS?$CIStatus?$CJ@NNGAKEGL@ ; "!NT_SUCCESS(Status)"
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		jmp	loc_8A764F
; END OF FUNCTION CHUNK	FOR KsepRegistryQuerySZ
; 
; START	OF FUNCTION CHUNK FOR PopDirectedDripsWorkerRoutine

loc_93238B:				; CODE XREF: PopDirectedDripsWorkerRoutine+67j
		and	[ebp+var_10], 0
		bsf	ecx, esi
		add	ecx, 20h
		jmp	loc_8A771C
; 

loc_93239A:				; CODE XREF: PopDirectedDripsWorkerRoutine+93j
					; PopDirectedDripsWorkerRoutine+9Bj
		cmp	eax, 400h
		jnz	short loc_9323B1
		test	edx, edx
		jnz	short loc_9323B1
		mov	ecx, edi
		call	_PopDirectedDripsHandleResiliencyNotification@4	; PopDirectedDripsHandleResiliencyNotification(x)
		jmp	loc_8A7750
; 

loc_9323B1:				; CODE XREF: PopDirectedDripsWorkerRoutine+8ACF7j
					; PopDirectedDripsWorkerRoutine+8ACFBj
		cmp	eax, 800h
		jnz	short loc_9323DD
		test	edx, edx
		jnz	short loc_9323DD
		cmp	[edi+80h], dl
		jz	loc_8A7750
		mov	dl, 1
		mov	ecx, edi
		call	_PopDirectedDripsResumeDevices@8 ; PopDirectedDripsResumeDevices(x,x)
		mov	ecx, edi
		call	_PopDirectedDripsSuspendDevices@4 ; PopDirectedDripsSuspendDevices(x)
		jmp	loc_8A7750
; 

loc_9323DD:				; CODE XREF: PopDirectedDripsWorkerRoutine+8AD0Ej
					; PopDirectedDripsWorkerRoutine+8AD12j
		test	eax, eax
		jnz	loc_8A7750
		cmp	edx, 8
		jnz	loc_8A7750
		push	edx
		pop	ecx
		call	PopDeepSleepClearDisengageReason
		jmp	loc_8A7750
; END OF FUNCTION CHUNK	FOR PopDirectedDripsWorkerRoutine
; 
; START	OF FUNCTION CHUNK FOR _PnpDeletePropertyWorker

loc_9323FA:				; CODE XREF: _PnpDeletePropertyWorker+3Dj
		lea	eax, [ebp+var_70]
		mov	ecx, ebx
		push	eax
		push	55h
		pop	edx
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A7918
		mov	esi, [ebp+var_78]
		jmp	loc_8A7859
; 

loc_93241A:				; CODE XREF: _PnpDeletePropertyWorker+98j
		mov	esi, 0C00000E5h
		jmp	loc_8A7918
; 

loc_932424:				; CODE XREF: _PnpDeletePropertyWorker+2Bj
					; _PnpDeletePropertyWorker+35j
		mov	esi, 0C000000Dh
		jmp	loc_8A7918
; END OF FUNCTION CHUNK	FOR _PnpDeletePropertyWorker
; 
; START	OF FUNCTION CHUNK FOR PopThermalWorker

loc_93242E:				; CODE XREF: PopThermalWorker+84j
		xor	eax, eax
		push	eax
		mov	[ebx+20h], al
		push	eax
		jmp	short loc_93243F
; 

loc_932437:				; CODE XREF: PopThermalWorker+2D4j
		push	0
		mov	byte ptr [ebx+20h], 5
		push	0

loc_93243F:				; CODE XREF: PopThermalWorker+8AAE7j
		lea	eax, [ebx+158h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_8A7B14
; 

loc_932450:				; CODE XREF: PopThermalWorker+AAj
					; DATA XREF: PAGE:off_8A7D3Ao
		mov	byte ptr [ebx+0C4h], 1 ; case 0x6
		mov	[ebx+20h], dl

loc_93245A:				; CODE XREF: PopThermalWorker+AAj
					; DATA XREF: PAGE:off_8A7D3Ao
		mov	ecx, [ebx+0B8h]	; case 0x7
		cmp	ecx, 64h
		mov	eax, [ebx+30h]
		setb	byte ptr [esp+50h+var_34]
		sub	eax, ecx
		imul	ecx, eax, 0Ah
		mov	al, [ebx+21h]
		mov	[esp+50h+var_2C], ecx
		test	al, 2
		jnz	loc_8A7BB1
		or	al, 2
		lea	edx, [ebx+398h]
		push	edi
		lea	ecx, [ebx+50h]
		mov	[ebx+21h], al
		call	PopDiagTraceThermalZoneEnumeration
		jmp	loc_8A7BB1
; 

loc_932498:				; CODE XREF: PopThermalWorker+3ABj
		cmp	edi, esi
		jb	loc_8A7BF5
		jmp	loc_8A7BED
; 

loc_9324A5:				; CODE XREF: PopThermalWorker+2A1j
		mov	edx, [esp+50h+var_30]
		lea	ecx, [ebx+50h]
		push	0
		push	0
		call	PopDiagTraceActiveCooling
		mov	edx, [esp+50h+var_30]
		lea	ecx, [ebx+50h]
		push	1
		push	0
		call	PopDiagTraceActiveCooling
		jmp	loc_8A7BF5
; 

loc_9324CA:				; CODE XREF: PopThermalWorker+D6j
		test	cl, cl
		jnz	loc_8A7A32

loc_9324D2:				; CODE XREF: PopThermalWorker+DEj
		mov	edi, [esp+50h+var_30]

loc_9324D6:				; CODE XREF: PopThermalWorker+8AC03j
		push	0
		push	[esp+54h+var_2C]
		lea	esi, [ebx+50h]
		mov	edx, edi
		push	[esp+58h+var_34]
		mov	ecx, esi
		call	_PopDiagTracePassiveCooling@20 ; PopDiagTracePassiveCooling(x,x,x,x,x)
		cmp	byte ptr [esp+50h+var_34], 0
		mov	al, [ebx+21h]
		jz	short loc_932553
		test	al, 1
		jnz	short loc_932553
		push	1
		push	[esp+54h+var_2C]
		mov	edx, edi
		mov	ecx, esi
		push	1
		call	_PopDiagTracePassiveCooling@20 ; PopDiagTracePassiveCooling(x,x,x,x,x)
		mov	eax, [esp+50h+var_28]
		mov	[ebx+0E0h], eax
		mov	eax, [esp+50h+var_3C]
		mov	[ebx+0E4h], eax
		jmp	short loc_93259B
; 

loc_932521:				; CODE XREF: PopThermalWorker+C8j
		mov	dl, [ebx+30h]
		lea	ecx, [ebx+180h]
		call	_PopThermalUpdatePassiveTimeTracking@8 ; PopThermalUpdatePassiveTimeTracking(x,x)
		mov	edi, [esp+50h+var_30]
		mov	eax, [ebx+0B8h]
		push	edi
		push	64h
		pop	ecx
		sub	ecx, eax
		mov	[esp+54h+var_35], 1
		mov	edx, ecx
		mov	[ebx+34h], eax
		mov	ecx, [ebx+60h]
		call	_PopDiagTraceThermalZoneThrottlePerfTrack@12 ; PopDiagTraceThermalZoneThrottlePerfTrack(x,x,x)
		jmp	short loc_9324D6
; 

loc_932553:				; CODE XREF: PopThermalWorker+8ABA6j
					; PopThermalWorker+8ABAAj
		mov	cl, byte ptr [esp+50h+var_34]
		test	cl, cl
		jnz	short loc_93259F
		test	al, 1
		jz	short loc_93259F
		push	1
		push	[esp+54h+var_2C]
		mov	edx, edi
		mov	ecx, esi
		push	0
		call	_PopDiagTracePassiveCooling@20 ; PopDiagTracePassiveCooling(x,x,x,x,x)
		mov	ecx, [esp+50h+var_28]
		sub	ecx, [ebx+0E0h]
		mov	eax, [esp+50h+var_3C]
		sbb	eax, [ebx+0E4h]
		push	0
		push	2710h
		push	eax
		push	ecx
		call	__aulldiv
		mov	edx, edi
		mov	ecx, eax
		call	_PopDiagTraceThermalZoneThrottleDurationPerfTrack@8 ; PopDiagTraceThermalZoneThrottleDurationPerfTrack(x,x)

loc_93259B:				; CODE XREF: PopThermalWorker+8ABD1j
		mov	cl, byte ptr [esp+50h+var_34]

loc_93259F:				; CODE XREF: PopThermalWorker+8AC0Bj
					; PopThermalWorker+8AC0Fj
		mov	al, [ebx+21h]
		test	cl, cl
		jnz	short loc_9325AA
		and	al, 0FEh
		jmp	short loc_9325AC
; 

loc_9325AA:				; CODE XREF: PopThermalWorker+8AC56j
		or	al, 1

loc_9325AC:				; CODE XREF: PopThermalWorker+8AC5Aj
		mov	[ebx+21h], al
		jmp	loc_8A7A32
; 

loc_9325B4:				; CODE XREF: PopThermalWorker+331j
		mov	cl, [ebx+23h]
		call	_PopFireThermalWmiEvent@4 ; PopFireThermalWmiEvent(x)
		jmp	loc_8A7C85
; 

loc_9325C1:				; CODE XREF: PopThermalWorker+AAj
					; DATA XREF: PAGE:off_8A7D3Ao
		mov	eax, [ebx+34h]	; case 0x3
		mov	[ebx+30h], eax
		jmp	loc_8A7A3C
; 

loc_9325CC:				; CODE XREF: PopThermalWorker+A4j
					; PopThermalWorker+AAj
					; DATA XREF: ...
		push	edi		; default
		push	70h
		pop	edx
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		push	edi
		push	[esp+54h+var_20]
		push	5
		push	500h
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9325EB:				; CODE XREF: PopThermalWorker+12Ej
		mov	byte ptr [ebx+20h], 4
		lea	ecx, [ebx+34h]
		mov	edx, 29808Ch
		jmp	loc_8A7B4D
; 

loc_9325FC:				; CODE XREF: PopThermalWorker+151j
		mov	[ebx+20h], dl
		mov	byte ptr [ebx+0B0h], 1
		jmp	loc_8A7CB3
; 

loc_93260B:				; CODE XREF: PopThermalWorker+163j
		mov	eax, [ebx+48h]
		test	eax, eax
		jz	loc_8A7AB7
		xor	esi, esi
		add	eax, [ebx+40h]
		adc	esi, [ebx+44h]
		cmp	esi, [esp+50h+var_3C]
		jl	short loc_932635
		jg	short loc_93262C
		cmp	eax, [esp+50h+var_28]
		jbe	short loc_932635

loc_93262C:				; CODE XREF: PopThermalWorker+8ACD6j
		mov	ecx, eax
		mov	edx, esi
		jmp	loc_8A7AB7
; 

loc_932635:				; CODE XREF: PopThermalWorker+8ACD4j
					; PopThermalWorker+8ACDCj
		and	[ebx+50h], ecx
		jmp	loc_8A7AB7
; 

loc_93263D:				; CODE XREF: PopThermalWorker+175j
		mov	esi, [ebx+0C8h]
		test	esi, esi
		jz	short loc_932681
		xor	edi, edi
		add	esi, [ebx+0D0h]
		adc	edi, [ebx+0D4h]
		cmp	edi, [esp+50h+var_3C]
		jl	short loc_932679
		jg	short loc_932663
		cmp	esi, [esp+50h+var_28]
		jbe	short loc_932679

loc_932663:				; CODE XREF: PopThermalWorker+8AD0Dj
		mov	eax, ecx
		or	eax, edx
		jz	short loc_932673
		cmp	edx, edi
		jl	short loc_932681
		jg	short loc_932673
		cmp	ecx, esi
		jb	short loc_932681

loc_932673:				; CODE XREF: PopThermalWorker+8AD19j
					; PopThermalWorker+8AD1Fj
		mov	ecx, esi
		mov	edx, edi
		jmp	short loc_932681
; 

loc_932679:				; CODE XREF: PopThermalWorker+8AD0Bj
					; PopThermalWorker+8AD13j
		and	dword ptr [ebx+50h], 0
		xor	ecx, ecx
		xor	edx, edx

loc_932681:				; CODE XREF: PopThermalWorker+8ACF7j
					; PopThermalWorker+8AD1Dj ...
		cmp	_PopThermalPollingWakesAllowed,	0
		jnz	short loc_93269D
		or	[esp+50h+var_10], 0FFFFFFFFh
		lea	esi, [esp+50h+var_18]
		or	[esp+50h+var_C], 0FFFFFFFFh
		jmp	loc_8A7AC9
; 

loc_93269D:				; CODE XREF: PopThermalWorker+8AD3Aj
		mov	esi, [esp+50h+var_24]
		jmp	loc_8A7AC9
; 

loc_9326A6:				; CODE XREF: PopThermalWorker+17Fj
		mov	eax, [esp+50h+var_28]
		push	esi
		sub	eax, ecx
		mov	ecx, [esp+54h+var_3C]
		push	0
		push	0
		sbb	ecx, edx
		push	ecx
		push	eax
		lea	eax, [ebx+0F8h]
		push	eax
		call	KeSetTimer2
		jmp	loc_8A7AD3
; END OF FUNCTION CHUNK	FOR PopThermalWorker
; 
; START	OF FUNCTION CHUNK FOR PopCheckThermalPolicy

loc_9326CA:				; CODE XREF: PopCheckThermalPolicy+26j
		mov	ecx, ebx
		jmp	loc_8A7DD9
; 

loc_9326D1:				; CODE XREF: PopCheckThermalPolicy+37j
		mov	ecx, offset ??_C@_11LOCGONAA@@NNGAKEGL@
		jmp	loc_8A7DE4
; 

loc_9326DB:				; CODE XREF: PopCheckThermalPolicy+5Cj
		push	eax
		push	edx
		push	esi
		push	ecx
		push	offset ??_C@_0FJ@PBIKHEAM@Thermal?5Zone?5?$CFS?5?$CI?$CFp?$CJ?3?5Above?5cri@NNGAKEGL@
		push	ebx
		call	_PopPrintEx
		add	esp, 18h
		mov	al, 1
		jmp	loc_8A7E08
; 

loc_9326F4:				; CODE XREF: PopCheckThermalPolicy+72j
		cmp	[esi+60h], eax
		mov	al, 1
		jnb	loc_8A7E1E
		jmp	loc_8A7E1C
; 

loc_932704:				; CODE XREF: PopCheckThermalPolicy+85j
		mov	cl, [esi+0B3h]
		cmp	[esi+60h], eax
		jb	short loc_932723
		test	cl, cl
		jnz	loc_8A7E2F
		mov	byte ptr [esi+0B3h], 1
		jmp	loc_8A7E2F
; 

loc_932723:				; CODE XREF: PopCheckThermalPolicy+8A969j
		test	cl, cl
		jz	loc_8A7E2F
		mov	[esi+0B3h], bl
		jmp	loc_8A7E2F
; 

loc_932736:				; CODE XREF: PopCheckThermalPolicy+C9j
					; PopCheckThermalPolicy+D1j
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		mov	bl, [esi+21h]
		and	ebx, 0FFFFFF01h
		jmp	loc_8A7EA5
; 

loc_932749:				; CODE XREF: PopCheckThermalPolicy+E1j
					; PopCheckThermalPolicy+F0j
		test	byte ptr [esi+21h], 1
		jnz	short loc_932761
		imul	eax, [esi+5Ch],	2710h
		mov	[esi+48h], eax
		mov	eax, [esi+64h]
		mov	[ebp+var_4], eax
		jmp	short loc_93276D
; 

loc_932761:				; CODE XREF: PopCheckThermalPolicy+8A9A9j
		mov	ecx, [esi+64h]
		mov	eax, [esi+4Ch]
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+var_8]

loc_93276D:				; CODE XREF: PopCheckThermalPolicy+8A9BBj
		mov	edx, [esi+2Ch]
		mov	edi, ecx
		sub	ecx, [ebp+var_4]
		sub	edi, eax
		mov	eax, [esi+54h]
		imul	ecx, [esi+58h]
		imul	eax, edi
		add	ecx, eax
		test	edi, edi
		jz	short loc_93278D
		mov	eax, ecx
		xor	eax, edi
		jl	short loc_93278F

loc_93278D:				; CODE XREF: PopCheckThermalPolicy+8A9E1j
		sub	edx, ecx

loc_93278F:				; CODE XREF: PopCheckThermalPolicy+8A9E7j
		mov	eax, 3E8h
		cmp	edx, eax
		jle	short loc_93279A
		mov	edx, eax

loc_93279A:				; CODE XREF: PopCheckThermalPolicy+8A9F2j
		test	edx, edx
		jns	short loc_9327A0
		mov	edx, ebx

loc_9327A0:				; CODE XREF: PopCheckThermalPolicy+8A9F8j
		imul	eax, [esi+0A0h], 0Ah
		cmp	edx, eax
		jge	short loc_9327AD
		mov	edx, eax

loc_9327AD:				; CODE XREF: PopCheckThermalPolicy+8AA05j
		mov	[esi+2Ch], edx
		lea	eax, [edx+5]
		cdq
		push	0Ah
		pop	ecx
		idiv	ecx
		mov	edi, [ebp+var_C]
		cmp	eax, [esi+0A4h]
		mov	[esi+0B8h], eax
		setb	al
		mov	[esi+0C0h], al
		mov	eax, [ebp+var_8]
		mov	[esi+4Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+40h], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+44h], eax
		mov	eax, [ebp+arg_8]
		mov	dword ptr [esi+0B4h], 1
		mov	[eax], ebx
		mov	bl, 1
		jmp	loc_8A7EA5
; END OF FUNCTION CHUNK	FOR PopCheckThermalPolicy
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceActiveCooling

loc_9327F9:				; CODE XREF: PopDiagTraceActiveCooling+48j
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jnz	short loc_93281E
		push	offset _POP_ETW_EVENT_ACTIVE_COOLING_DIAGNOSTIC
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_8A7F10

loc_93281E:				; CODE XREF: PopDiagTraceActiveCooling+8A93Cj
		cmp	esi, 1
		jnz	short loc_932841
		push	offset _POP_ETW_EVENT_ACTIVE_COOLING_OPERATIONAL
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_8A7F10

loc_932841:				; CODE XREF: PopDiagTraceActiveCooling+8A95Fj
		test	esi, esi
		jz	short loc_93284E
		cmp	esi, 1
		jnz	loc_8A7F10

loc_93284E:				; CODE XREF: PopDiagTraceActiveCooling+8A981j
		mov	edx, 67446F50h
		mov	ecx, edi
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	edi, eax
		mov	[ebp+var_140], edi
		test	edi, edi
		jz	short loc_932871
		mov	ecx, [edi+0B0h]
		mov	edx, [ecx+14h]
		jmp	short loc_932873
; 

loc_932871:				; CODE XREF: PopDiagTraceActiveCooling+8A9A2j
		xor	edx, edx

loc_932873:				; CODE XREF: PopDiagTraceActiveCooling+8A9ADj
		test	edx, edx
		jz	loc_9329F6
		mov	cx, [edx+48h]
		xor	edi, edi
		shr	cx, 1
		movzx	eax, cx
		mov	[ebp+var_128], eax
		lea	eax, [ebp+var_128]
		push	2
		mov	[ebp+var_F8], eax
		pop	esi
		mov	[ebp+var_F4], edi
		mov	[ebp+var_F0], esi
		mov	[ebp+var_EC], edi
		mov	eax, [edx+4Ch]
		mov	[ebp+var_E8], eax
		movzx	eax, cx
		add	eax, eax
		mov	[ebp+var_E4], edi
		mov	[ebp+var_E0], eax
		lea	eax, [ebp+var_138]
		push	eax
		mov	[ebp+var_DC], edi
		mov	[ebp+var_138], edi
		mov	[ebp+var_134], edi
		call	KeQuerySystemTime
		lea	eax, [ebp+var_148]
		push	eax
		lea	eax, [ebp+var_138]
		push	eax
		call	_ExSystemTimeToLocalTime@8 ; ExSystemTimeToLocalTime(x,x)
		lea	eax, [ebp+var_148]
		mov	[ebp+var_C0], esi
		mov	[ebp+var_D8], eax
		mov	esi, edi
		xor	eax, eax
		mov	[ebp+var_D4], edi
		cmp	[ebp+arg_0], al
		push	0Ah
		setnz	al
		mov	[ebp+var_CC], edi
		movzx	eax, ax
		mov	[ebp+var_12C], eax
		lea	eax, [ebp+var_12C]
		mov	[ebp+var_C8], eax
		pop	eax
		mov	[ebp+var_C4], edi
		mov	[ebp+var_BC], edi
		lea	edi, [ebx+24h]
		mov	[ebp+var_D0], 8
		lea	ebx, [ebp+var_AC]
		mov	[ebp+var_134], eax
		mov	[ebp+var_124], eax

loc_932964:				; CODE XREF: PopDiagTraceActiveCooling+8AAD4j
		mov	eax, [edi]
		lea	ecx, [ebp+var_120]
		xor	edx, edx
		lea	ecx, [ecx+esi*4]
		div	[ebp+var_134]
		push	4
		mov	[ecx], eax
		mov	[ebx-0Ch], ecx
		xor	ecx, ecx
		pop	eax
		inc	esi
		mov	[ebx-8], ecx
		add	edi, eax
		mov	[ebx-4], eax
		sub	[ebp+var_124], 1
		mov	[ebx], ecx
		lea	ebx, [ebx+10h]
		jnz	short loc_932964
		mov	eax, [ebp+var_13C]
		xor	edx, edx
		push	0Ah
		pop	ebx
		mov	edi, [ebp+var_140]
		mov	eax, [eax+10h]
		div	ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_124], eax
		lea	eax, [ebp+var_124]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_F8]
		push	eax
		push	0Fh
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], ecx
		push	ecx
		cmp	[ebp+arg_4], ecx
		jnz	short loc_9329E0
		push	offset _POP_ETW_EVENT_ACTIVE_COOLING_DIAGNOSTIC
		jmp	short loc_9329E5
; 

loc_9329E0:				; CODE XREF: PopDiagTraceActiveCooling+8AB15j
		push	offset _POP_ETW_EVENT_ACTIVE_COOLING_OPERATIONAL

loc_9329E5:				; CODE XREF: PopDiagTraceActiveCooling+8AB1Cj
		push	dword_6C1D74
		push	_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9329F6:				; CODE XREF: PopDiagTraceActiveCooling+8A9B3j
		test	edi, edi
		jz	loc_8A7F10
		mov	edx, 67446F50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		jmp	loc_8A7F10
; END OF FUNCTION CHUNK	FOR PopDiagTraceActiveCooling
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceThermalCoolingMode

loc_932A0F:				; CODE XREF: PopDiagTraceThermalCoolingMode+2Ej
		push	offset _POP_ETW_EVENT_COOLING_MODE
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_8A7F56
		mov	edx, 67446F50h
		mov	ecx, esi
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_932A4A
		mov	ecx, [esi+0B0h]
		mov	edx, [ecx+14h]
		jmp	short loc_932A4C
; 

loc_932A4A:				; CODE XREF: PopDiagTraceThermalCoolingMode+8AB1Bj
		mov	edx, ebx

loc_932A4C:				; CODE XREF: PopDiagTraceThermalCoolingMode+8AB26j
		test	edx, edx
		jz	loc_932AF2
		mov	cx, [edx+48h]
		shr	cx, 1
		movzx	eax, cx
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], 2
		mov	[ebp+var_3C], ebx
		mov	eax, [edx+4Ch]
		mov	[ebp+var_38], eax
		movzx	eax, cx
		add	eax, eax
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], eax
		mov	eax, offset ??_C@_1O@IBNPCBAA@?$AAa?$AAc?$AAt?$AAi?$AAv?$AAe@NNGAKEGL@
		mov	[ebp+var_2C], ebx
		test	di, di
		jz	short loc_932A97
		mov	eax, offset ??_C@_1BA@INHNFGAO@?$AAp?$AAa?$AAs?$AAs?$AAi?$AAv?$AAe@NNGAKEGL@

loc_932A97:				; CODE XREF: PopDiagTraceThermalCoolingMode+8AB6Ej
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	cx, word ptr [ebp+var_58]
		shr	cx, 1
		movzx	eax, cx
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_54]
		mov	[ebp+var_18], eax
		movzx	eax, cx
		add	eax, eax
		mov	[ebp+var_24], ebx
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	4
		push	ebx
		push	offset _POP_ETW_EVENT_COOLING_MODE
		push	dword_6C1D74
		mov	[ebp+var_20], 2
		push	_PopDiagHandle
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_932AF2:				; CODE XREF: PopDiagTraceThermalCoolingMode+8AB2Cj
		test	esi, esi
		jz	loc_8A7F56
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	loc_8A7F56
; END OF FUNCTION CHUNK	FOR PopDiagTraceThermalCoolingMode
; 
; START	OF FUNCTION CHUNK FOR PiUEventNotifyDeviceInstancePropertyChange

loc_932B0B:				; CODE XREF: PiUEventNotifyDeviceInstancePropertyChange+46j
					; PiUEventNotifyDeviceInstancePropertyChange+8ABE6j
		mov	eax, edi
		mov	edi, [edi]
		mov	[ebp+var_4], eax
		cmp	esi, 1
		jnb	short loc_932B2F
		mov	eax, [eax+0Ch]
		push	dword ptr [eax+0Ch] ; wchar_t *
		lea	eax, [ebx+50h]
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_932B49
		mov	eax, [ebp+var_4]

loc_932B2F:				; CODE XREF: PiUEventNotifyDeviceInstancePropertyChange+8ABAFj
		mov	edx, eax
		mov	ecx, ebx
		call	PiUEventApplyAdditionalFilters
		test	al, al
		jz	short loc_932B49
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		call	PiUEventNotifyClient
		mov	[ebp+var_8], eax

loc_932B49:				; CODE XREF: PiUEventNotifyDeviceInstancePropertyChange+8ABC4j
					; PiUEventNotifyDeviceInstancePropertyChange+8ABD4j
		cmp	edi, [ebp+var_C]
		jnz	short loc_932B0B
		jmp	loc_8A7FB2
; END OF FUNCTION CHUNK	FOR PiUEventNotifyDeviceInstancePropertyChange
; 
; START	OF FUNCTION CHUNK FOR PiDeferSetInterfaceState

loc_932B53:				; CODE XREF: PiDeferSetInterfaceState+31j
		push	0
		push	esi
		mov	edi, 0C000009Ah
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A8026
; END OF FUNCTION CHUNK	FOR PiDeferSetInterfaceState
; 
; START	OF FUNCTION CHUNK FOR PiDmGetReferencedObjectFromProperty

loc_932B65:				; CODE XREF: PiDmGetReferencedObjectFromProperty+4Cj
		call	PiDmObjectRelease
		and	dword ptr [ebx], 0
		mov	esi, 0C0000034h
		jmp	loc_8A808C
; 

loc_932B77:				; CODE XREF: PiDmGetReferencedObjectFromProperty+3Ej
		cmp	esi, 0C0000016h
		jnz	loc_8A808C
		push	0
		lea	eax, [ebp+var_68]
		mov	ecx, 5A706E50h
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		push	[ebp+var_60]
		push	0
		push	0
		push	edi
		push	[ebp+var_64]
		push	10h
		pop	edx
		call	PnpGetObjectProperty
		mov	edi, [ebp+var_5C]
		mov	esi, eax
		test	esi, esi
		js	short loc_932BE8
		cmp	[ebp+var_58], 0Dh
		jz	short loc_932BC9
		cmp	[ebp+var_58], 12h
		jz	short loc_932BC5
		mov	esi, 0C0000034h
		jmp	short loc_932BE8
; 

loc_932BC5:				; CODE XREF: PiDmGetReferencedObjectFromProperty+8AB82j
		mov	edx, edi
		jmp	short loc_932BDD
; 

loc_932BC9:				; CODE XREF: PiDmGetReferencedObjectFromProperty+8AB7Cj
		push	ecx		; int
		lea	edx, [ebp+var_54] ; void *
		mov	ecx, edi	; int
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_932BE8
		lea	edx, [ebp+var_54]

loc_932BDD:				; CODE XREF: PiDmGetReferencedObjectFromProperty+8AB8Dj
		mov	ecx, [ebp+arg_C]
		push	ebx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax

loc_932BE8:				; CODE XREF: PiDmGetReferencedObjectFromProperty+8AB76j
					; PiDmGetReferencedObjectFromProperty+8AB89j ...
		test	edi, edi
		jz	loc_8A808C
		push	5A706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A808C
; END OF FUNCTION CHUNK	FOR PiDmGetReferencedObjectFromProperty
; 
; START	OF FUNCTION CHUNK FOR FsRtlGetSectorSizeInformation

loc_932C00:				; CODE XREF: FsRtlGetSectorSizeInformation+1C0j
		xor	edi, edi

loc_932C02:				; CODE XREF: FsRtlGetSectorSizeInformation+139j
					; FsRtlGetSectorSizeInformation+146j ...
		mov	ebx, [esp+118h+var_1C]
		mov	ecx, ebx
		mov	[esp+118h+var_64], edi
		mov	[esp+118h+var_60], edi
		mov	[esp+118h+var_5C], edi
		mov	[esp+118h+var_58], edi
		or	edi, 0FFFFFFFFh
		mov	[esp+118h+var_54], ebx
		mov	[esp+118h+var_50], ecx
		mov	[esp+118h+var_4C], edi
		jmp	loc_8A82E3
; 

loc_932C44:				; CODE XREF: FsRtlGetSectorSizeInformation+1FCj
		mov	dword ptr [esi+10h], 2
		jmp	loc_8A8318
; 

loc_932C50:				; CODE XREF: FsRtlGetSectorSizeInformation+255j
		and	dword ptr [esi+10h], 0FFFFFFFDh
		jmp	loc_8A8371
; 

loc_932C59:				; CODE XREF: FsRtlGetSectorSizeInformation+1E9j
		mov	ebx, [esp+118h+var_104]
		jmp	loc_8A8371
; 

loc_932C62:				; CODE XREF: FsRtlGetSectorSizeInformation+2B9j
		cmp	eax, edi
		jb	loc_8A83D5
		cmp	[esp+118h+var_48], edi
		jb	loc_8A83D5
		cmp	[esp+118h+var_44], eax
		jb	loc_8A83D5
		or	dword ptr [esi+10h], 4
		jmp	loc_8A83D5
; 

loc_932C8D:				; CODE XREF: FsRtlGetSectorSizeInformation+31Dj
		cmp	eax, edi
		jb	loc_8A8439
		cmp	[esp+118h+var_3C], edi
		jb	loc_8A8439
		cmp	[esp+118h+var_38], eax
		jb	loc_8A8439
		or	dword ptr [esi+10h], 8
		jmp	loc_8A8439
; 

loc_932CB8:				; CODE XREF: FsRtlGetSectorSizeInformation+373j
		cmp	[esp+118h+var_108], 10h
		jnz	loc_8A848F
		mov	eax, [esp+118h+var_10]
		and	eax, 1
		or	eax, 0
		jz	loc_8A848F
		or	dword ptr [esi+10h], 10h
		jmp	loc_8A848F
; 

loc_932CDF:				; CODE XREF: FsRtlGetSectorSizeInformation+B0j
					; FsRtlGetSectorSizeInformation+BBj
		mov	eax, 0C00000CBh
		jmp	loc_8A8491
; END OF FUNCTION CHUNK	FOR FsRtlGetSectorSizeInformation
; 
; START	OF FUNCTION CHUNK FOR FsRtlIssueDeviceIoControl

loc_932CE9:				; CODE XREF: FsRtlIssueDeviceIoControl+70j
		push	esi
		push	esi
		push	esi
		push	esi
		lea	eax, [esp+30h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, [esp+20h+var_18]
		jmp	loc_8A8524
; END OF FUNCTION CHUNK	FOR FsRtlIssueDeviceIoControl
; 
; START	OF FUNCTION CHUNK FOR DrvDbGetDriverDatabaseMappedProperty

loc_932D00:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+3Bj
		mov	esi, 0C00000BBh
		jmp	loc_8A863A
; 

loc_932D0A:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+116j
		mov	edx, [esp+28h+var_8]
		mov	ecx, edx
		mov	dword ptr [ebx], 12h
		xor	ebx, ebx
		lea	edi, [ecx+2]

loc_932D1B:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8A7DCj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_932D1B
		mov	eax, [ebp+arg_14]
		sub	ecx, edi
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]
		mov	[eax], ecx
		cmp	[ebp+arg_C], ebx
		jz	short loc_932D52
		cmp	[ebp+arg_10], ecx
		jb	short loc_932D52
		push	ecx		; size_t
		push	edx		; void *
		push	[ebp+arg_C]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_8A863A
; 

loc_932D52:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8A7F1j
					; DrvDbGetDriverDatabaseMappedProperty+8A7F6j ...
		mov	esi, 0C0000023h
		jmp	loc_8A863A
; 

loc_932D5C:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+133j
		mov	edx, [esp+28h+var_8]
		lea	eax, [esp+28h+var_18]
		mov	ecx, [esp+28h+var_14]
		push	eax
		call	_DrvDbFindDatabaseNode@12 ; DrvDbFindDatabaseNode(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A863A
		mov	eax, [edi+10h]
		cmp	eax, 5
		jnz	short loc_932DBE
		push	10h		; size_t
		push	offset _DEVPKEY_DriverDatabase_Loaded ;	void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8A863A
		mov	ecx, [ebp+arg_14]
		inc	eax
		mov	dword ptr [ebx], 11h
		mov	[ecx], eax
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_932D52
		cmp	[ebp+arg_10], eax
		jb	short loc_932D52
		mov	eax, [esp+28h+var_18]
		xor	ebx, ebx
		cmp	[eax+30h], ebx
		setz	al
		jmp	short loc_932E09
; 

loc_932DBE:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8A836j
		cmp	eax, 6
		jnz	short loc_932E0D
		push	10h		; size_t
		push	offset _DEVPKEY_DriverDatabase_Selected	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8A863A
		mov	ecx, [ebp+arg_14]
		inc	eax
		mov	dword ptr [ebx], 11h
		mov	[ecx], eax
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	loc_932D52
		cmp	[ebp+arg_10], eax
		jb	loc_932D52
		mov	eax, [esp+28h+var_14]
		mov	eax, [eax+18h]
		cmp	eax, [esp+28h+var_18]
		setnz	al

loc_932E09:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8A874j
		dec	al
		jmp	short loc_932E62
; 

loc_932E0D:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8A879j
		cmp	eax, 7
		jnz	short loc_932E69
		push	10h		; size_t
		push	offset _DEVPKEY_DriverDatabase_Disabled	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8A863A
		mov	ecx, [ebp+arg_14]
		inc	eax
		mov	dword ptr [ebx], 11h
		mov	[ecx], eax
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	loc_932D52
		cmp	[ebp+arg_10], eax
		jb	loc_932D52
		mov	eax, [esp+28h+var_18]
		mov	eax, [eax+1Ch]
		and	al, 4
		jmp	short loc_932E5E
; 

loc_932E55:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8A9F7j
		mov	eax, [esp+28h+var_18]
		mov	eax, [eax+1Ch]
		and	al, 10h

loc_932E5E:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8A90Bj
		neg	al
		sbb	al, al

loc_932E62:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8A8C3j
		mov	[ecx], al
		jmp	loc_8A863A
; 

loc_932E69:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8A8C8j
		cmp	eax, 0Bh
		jnz	short loc_932EB1
		push	10h		; size_t
		push	offset _DEVPKEY_DriverDatabase_AccessMask ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8A863A
		mov	eax, [ebp+arg_14]
		mov	ecx, [ebp+arg_C]
		mov	dword ptr [ebx], 7
		push	4
		pop	edx
		mov	[eax], edx
		test	ecx, ecx
		jz	loc_932D52
		cmp	[ebp+arg_10], edx
		jb	loc_932D52
		mov	eax, [esp+28h+var_14]
		mov	eax, [eax+8]
		jmp	short loc_932EF7
; 

loc_932EB1:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8A924j
		cmp	eax, 0Fh
		jnz	short loc_932EFE
		push	10h		; size_t
		push	offset _DEVPKEY_DriverDatabase_LoadStatus ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8A863A
		mov	eax, [ebp+arg_14]
		mov	ecx, [ebp+arg_C]
		mov	dword ptr [ebx], 18h
		push	4
		pop	edx
		mov	[eax], edx
		test	ecx, ecx
		jz	loc_932D52
		cmp	[ebp+arg_10], edx
		jb	loc_932D52
		mov	eax, [esp+28h+var_18]
		mov	eax, [eax+50h]

loc_932EF7:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8A967j
		mov	[ecx], eax
		jmp	loc_8A863A
; 

loc_932EFE:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8A96Cj
		cmp	eax, 17h
		jnz	loc_8A863A
		push	10h		; size_t
		push	offset _DEVPKEY_DriverDatabase_Extended	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8A863A
		mov	ecx, [ebp+arg_14]
		inc	eax
		mov	dword ptr [ebx], 11h
		mov	[ecx], eax
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	loc_932D52
		cmp	[ebp+arg_10], eax
		jb	loc_932D52
		jmp	loc_932E55
; 

loc_932F44:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+A4j
		mov	eax, [esp+28h+var_4]
		mov	edx, [esp+28h+var_10]
		jmp	loc_8A85CC
; 

loc_932F51:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+B7j
		mov	edx, [esp+28h+var_10]
		xor	ecx, ecx
		mov	eax, ecx
		mov	ebx, ecx
		mov	[esp+28h+var_4], eax
		mov	esi, ecx

loc_932F61:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8AA47j
		mov	ecx, ds:off_405080[esi]
		cmp	[ecx+10h], edx
		jnz	short loc_932F84
		push	10h		; size_t
		push	edi		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_932F93
		mov	eax, [esp+28h+var_4]
		mov	edx, [esp+28h+var_10]

loc_932F84:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8AA22j
		inc	eax
		add	esi, 18h
		mov	[esp+28h+var_4], eax
		cmp	esi, 60h
		jb	short loc_932F61
		jmp	short loc_932F9E
; 

loc_932F93:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8AA32j
		imul	ebx, [esp+28h+var_4], arg_10
		add	ebx, offset off_405080

loc_932F9E:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8AA49j
		test	ebx, ebx
		jnz	short loc_932FAC
		mov	esi, 0C0000016h
		jmp	loc_8A863A
; 

loc_932FAC:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+8AA58j
		mov	edi, [esp+28h+var_8]
		lea	eax, [esp+28h+var_18]
		mov	ecx, [esp+28h+var_14]
		mov	edx, edi
		push	eax
		call	_DrvDbFindDatabaseNode@12 ; DrvDbFindDatabaseNode(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8A863A
		jmp	loc_8A8609
; 

loc_932FCF:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+CDj
		test	byte ptr [eax+1Ch], 10h
		jz	loc_8A861B
		jmp	loc_8A868A
; 

loc_932FDE:				; CODE XREF: DrvDbGetDriverDatabaseMappedProperty+144j
		test	byte ptr [eax+1Ch], 10h
		jz	loc_8A8692
		xor	ecx, ecx
		lea	eax, [esp+28h+var_C]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		xor	eax, eax
		inc	eax
		push	eax
		push	edi
		push	eax
		mov	eax, [esp+44h+var_14]
		mov	ecx, eax
		mov	edx, [eax+14h]
		call	DrvDbOpenObjectRegKey
		jmp	loc_8A86A8
; END OF FUNCTION CHUNK	FOR DrvDbGetDriverDatabaseMappedProperty
; 
; START	OF FUNCTION CHUNK FOR DrvDbOpenDriverDatabaseRegKey

loc_93300B:				; CODE XREF: DrvDbOpenDriverDatabaseRegKey+26j
		mov	eax, [edi+14h]
		mov	[ebp+var_8], eax
		jmp	loc_8A870B
; 

loc_933016:				; CODE XREF: DrvDbOpenDriverDatabaseRegKey+41j
		cmp	[ebp+arg_4], 0
		jz	loc_8A877E
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		xor	eax, eax
		mov	ecx, edi
		push	eax
		push	eax
		push	10h
		push	eax
		push	eax
		call	DrvDbCreateDatabaseNode
		mov	esi, eax
		test	esi, esi
		js	loc_8A877E
		mov	[ebp+var_1], 1
		jmp	loc_8A870B
; 

loc_933048:				; CODE XREF: DrvDbOpenDriverDatabaseRegKey+6Aj
		mov	edx, ebx
		mov	ecx, edi
		call	DrvDbLoadDatabaseNode
		mov	esi, eax
		test	esi, esi
		js	loc_8A8762
		jmp	loc_8A8730
; 

loc_933060:				; CODE XREF: DrvDbOpenDriverDatabaseRegKey+91j
		mov	edx, ebx
		mov	ecx, edi
		call	DrvDbUnloadDatabaseNode
		jmp	loc_8A8757
; 

loc_93306E:				; CODE XREF: DrvDbOpenDriverDatabaseRegKey+B8j
		cmp	[ebp+var_1], 0
		jz	loc_8A877E
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	_DrvDbDestroyDatabaseNode@8 ; DrvDbDestroyDatabaseNode(x,x)
		jmp	loc_8A877E
; END OF FUNCTION CHUNK	FOR DrvDbOpenDriverDatabaseRegKey
; 
; START	OF FUNCTION CHUNK FOR CmLockKeyForWrite

loc_933087:				; CODE XREF: CmLockKeyForWrite+30j
		mov	esi, 0C00000BBh
		jmp	loc_8A899A
; 

loc_933091:				; CODE XREF: CmLockKeyForWrite+6Fj
		mov	esi, 0C000000Dh
		jmp	short loc_9330AD
; 

loc_933098:				; CODE XREF: CmLockKeyForWrite+ABj
		xor	esi, esi

loc_93309A:				; CODE XREF: CmLockKeyForWrite+99j
					; CmLockKeyForWrite+11Bj
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9330AD:				; CODE XREF: CmLockKeyForWrite+60j
					; CmLockKeyForWrite+E8j ...
		mov	ecx, edi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	loc_8A8993
		mov	ecx, eax
		call	_CmpFreeSiloKeyLockEntry@4 ; CmpFreeSiloKeyLockEntry(x)
		jmp	loc_8A8993
; 

loc_9330CB:				; CODE XREF: CmLockKeyForWrite+D4j
		mov	esi, 0C000009Ah
		jmp	short loc_9330AD
; END OF FUNCTION CHUNK	FOR CmLockKeyForWrite
; 
; START	OF FUNCTION CHUNK FOR CmpGlobalLockKeyForWrite

loc_9330D2:				; CODE XREF: CmpGlobalLockKeyForWrite+33j
		test	esi, esi
		jz	loc_8A8A03
		xor	eax, eax
		inc	eax
		lock xadd [esi+8], eax
		inc	eax
		cmp	eax, 1
		jg	loc_8A8A66
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	loc_8A8A66
; END OF FUNCTION CHUNK	FOR CmpGlobalLockKeyForWrite
; 
; START	OF FUNCTION CHUNK FOR PiSwProcessParentStartIrp

loc_9330F6:				; CODE XREF: PiSwProcessParentStartIrp+54j
		push	5
		push	esi
		call	IoInvalidateDeviceRelations
		jmp	loc_8A8B68
; END OF FUNCTION CHUNK	FOR PiSwProcessParentStartIrp
; 
; START	OF FUNCTION CHUNK FOR PiDevCfgQueryObjectProperties

loc_933103:				; CODE XREF: PiDevCfgQueryObjectProperties+74j
		mov	edx, ecx
		mov	[ebp+var_4], ecx
		mov	ecx, [edx+4]
		movzx	edx, word ptr [edx+2]
		mov	[ebp+var_C], ecx
		jmp	loc_8A8CDC
; 

loc_933117:				; CODE XREF: PiDevCfgQueryObjectProperties+87j
		test	ebx, ebx
		jnz	short loc_933140
		push	63647050h
		mov	esi, 104h
		push	esi
		push	1
		mov	[ebp+var_14], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_933143
		mov	esi, 0C000009Ah
		jmp	loc_8A8D72
; 

loc_933140:				; CODE XREF: PiDevCfgQueryObjectProperties+8A4BFj
		mov	esi, [ebp+var_14]

loc_933143:				; CODE XREF: PiDevCfgQueryObjectProperties+8A4DAj
					; PiDevCfgQueryObjectProperties+8A526j
		mov	edx, esi
		mov	ecx, ebx
		mov	[ebp+arg_8], edx
		mov	[ebp+var_C], ecx
		jmp	loc_8A8CE7
; 

loc_933152:				; CODE XREF: PiDevCfgQueryObjectProperties+C3j
		test	byte ptr [edi+0Ch], 2
		mov	edx, [ebp+arg_8]
		jz	short loc_933191
		cmp	[ebp+var_8], edx
		jbe	short loc_93318C
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_8]
		push	63647050h
		push	esi
		push	1
		mov	[ebp+var_14], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_933143
		mov	esi, 0C000009Ah
		jmp	loc_8A8D23
; 

loc_93318C:				; CODE XREF: PiDevCfgQueryObjectProperties+8A504j
		mov	esi, 0C00000E5h

loc_933191:				; CODE XREF: PiDevCfgQueryObjectProperties+8A4FFj
					; PiDevCfgQueryObjectProperties+8A659j
		mov	ecx, [ebp+var_4]
		jmp	loc_8A8D39
; 

loc_933199:				; CODE XREF: PiDevCfgQueryObjectProperties+D3j
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+var_8]
		test	eax, eax
		jnz	short loc_9331A9
		xor	eax, eax
		mov	[edi], eax
		jmp	short loc_9331FC
; 

loc_9331A9:				; CODE XREF: PiDevCfgQueryObjectProperties+8A547j
		cmp	eax, [edi]
		jz	short loc_9331B7
		mov	esi, 0C0000001h
		jmp	loc_8A8D33
; 

loc_9331B7:				; CODE XREF: PiDevCfgQueryObjectProperties+8A551j
		sub	eax, 12h
		jz	short loc_9331DD
		push	2
		pop	ecx
		sub	eax, ecx
		jz	short loc_9331DD
		sub	eax, 5
		jz	short loc_9331DD
		sub	eax, 1FF9h
		jnz	short loc_9331FC
		mov	ecx, [ebp+var_C]
		call	_PnpValidateMultiSzData@8 ; PnpValidateMultiSzData(x,x)
		test	al, al
		jz	short loc_9331F7
		jmp	short loc_9331FC
; 

loc_9331DD:				; CODE XREF: PiDevCfgQueryObjectProperties+8A560j
					; PiDevCfgQueryObjectProperties+8A567j	...
		push	2
		pop	eax
		cmp	edx, eax
		jb	short loc_9331F7
		mov	ecx, [ebp+var_C]
		mov	eax, edx
		shr	eax, 1
		xor	edi, edi
		cmp	[ecx+eax*2-2], di
		mov	edi, [ebp+var_1C]
		jz	short loc_9331FC

loc_9331F7:				; CODE XREF: PiDevCfgQueryObjectProperties+8A57Fj
					; PiDevCfgQueryObjectProperties+8A588j
		mov	esi, 0C0000001h

loc_9331FC:				; CODE XREF: PiDevCfgQueryObjectProperties+8A54Dj
					; PiDevCfgQueryObjectProperties+8A573j	...
		mov	ecx, [ebp+var_4]
		test	esi, esi
		js	loc_8A8D36
		test	ecx, ecx
		jz	short loc_933218
		cmp	edx, 0FFFEh
		jbe	short loc_933218
		mov	esi, 80000005h

loc_933218:				; CODE XREF: PiDevCfgQueryObjectProperties+8A5AFj
					; PiDevCfgQueryObjectProperties+8A5B7j
		test	esi, esi
		js	loc_8A8D36
		test	byte ptr [edi+0Ch], 2
		jz	short loc_933273
		test	ecx, ecx
		jz	short loc_933248
		push	edx
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	edx, [ebp+var_4]
		mov	[edx+4], eax
		test	eax, eax
		jz	loc_93330F
		mov	cx, word ptr [ebp+var_8]
		mov	[edx+2], cx
		jmp	short loc_933260
; 

loc_933248:				; CODE XREF: PiDevCfgQueryObjectProperties+8A5CEj
		push	63647050h
		push	edx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_93330F

loc_933260:				; CODE XREF: PiDevCfgQueryObjectProperties+8A5ECj
		push	[ebp+var_8]	; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	edx, [ebp+var_8]

loc_933273:				; CODE XREF: PiDevCfgQueryObjectProperties+8A5CAj
		test	ecx, ecx
		jz	short loc_9332C7
		mov	[ecx], dx
		cmp	[ebp+var_18], 2012h
		jz	loc_8A8D36
		mov	edx, [ecx+4]
		test	edx, edx
		jz	loc_8A8D36
		mov	ecx, [ebp+var_8]
		push	2
		pop	eax
		cmp	cx, ax
		jb	loc_8A8D33
		movzx	eax, cx
		xor	edi, edi
		shr	eax, 1
		cmp	[edx+eax*2-2], di
		mov	edi, [ebp+var_1C]
		mov	edx, [ebp+arg_8]
		jnz	loc_933191
		lea	eax, [ecx-2]
		mov	ecx, [ebp+var_4]
		mov	[ecx], ax
		jmp	loc_8A8D39
; 

loc_9332C7:				; CODE XREF: PiDevCfgQueryObjectProperties+8A61Bj
		test	byte ptr [edi+0Ch], 2
		jz	short loc_9332D8
		mov	eax, [edi+4]
		mov	edx, [ebp+var_C]
		mov	[eax], edx
		mov	edx, [ebp+var_8]

loc_9332D8:				; CODE XREF: PiDevCfgQueryObjectProperties+8A671j
		mov	[edi+8], edx
		jmp	loc_8A8D36
; 

loc_9332E0:				; CODE XREF: PiDevCfgQueryObjectProperties+EAj
		test	ecx, ecx
		jz	short loc_9332F2
		xor	eax, eax
		push	eax
		push	ecx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_8A8D4A
; 

loc_9332F2:				; CODE XREF: PiDevCfgQueryObjectProperties+8A688j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	loc_8A8D4A
		push	edx		; size_t
		xor	ecx, ecx
		push	ecx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_8A8D4A
; 

loc_93330F:				; CODE XREF: PiDevCfgQueryObjectProperties+8A5DEj
					; PiDevCfgQueryObjectProperties+8A600j
		mov	esi, 0C000009Ah
		jmp	loc_8A8D6A
; 

loc_933319:				; CODE XREF: PiDevCfgQueryObjectProperties+112j
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A8D72
; END OF FUNCTION CHUNK	FOR PiDevCfgQueryObjectProperties
; 
; START	OF FUNCTION CHUNK FOR SdbpCheckKObject

loc_933327:				; CODE XREF: SdbpCheckKObject+36j
		push	[ebp+arg_C]
		lea	ecx, [ebp+var_8]
		push	[ebp+arg_8]
		push	0FFFFFFFFh
		call	AslFileMappingCreate
		test	eax, eax
		js	loc_8A8E9C
		mov	eax, [ebp+var_8]
		jmp	loc_8A8DC6
; 

loc_933347:				; CODE XREF: SdbpCheckKObject+A2j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	6025h
		push	eax
		mov	edx, [edx]
		call	_SdbpMatchDeviceString@16 ; SdbpMatchDeviceString(x,x,x,x)
		test	eax, eax
		jz	short loc_9333BF
		mov	eax, [ebp+arg_0]
		mov	ecx, edi
		push	6026h
		push	[ebp+arg_C]
		mov	edx, [eax+4]
		call	_SdbpMatchDeviceString@16 ; SdbpMatchDeviceString(x,x,x,x)
		test	eax, eax
		jz	short loc_9333BF
		mov	eax, [ebp+arg_0]
		mov	ecx, edi
		push	4036h
		push	4035h
		push	4034h
		push	[ebp+arg_C]
		mov	edx, [eax+1Ch]
		call	_SdbpMatchDeviceDWORD@24 ; SdbpMatchDeviceDWORD(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_9333BF
		mov	eax, [ebp+arg_0]
		mov	ecx, edi
		push	4042h
		push	4041h
		push	4040h
		push	[ebp+arg_C]
		mov	edx, [eax+20h]
		call	_SdbpMatchDeviceDWORD@24 ; SdbpMatchDeviceDWORD(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_9333BF
		xor	esi, esi
		inc	esi

loc_9333BF:				; CODE XREF: SdbpCheckKObject+8A5D1j
					; SdbpCheckKObject+8A5EAj ...
		test	esi, esi
		jz	loc_8A8E9C
		jmp	loc_8A8E32
; 

loc_9333CC:				; CODE XREF: SdbpCheckKObject+C4j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	6025h
		push	eax
		mov	edx, [edx]
		call	_SdbpMatchDeviceString@16 ; SdbpMatchDeviceString(x,x,x,x)
		test	eax, eax
		jz	short loc_933421
		mov	eax, [ebp+arg_0]
		mov	ecx, edi
		push	6026h
		push	[ebp+arg_C]
		mov	edx, [eax+4]
		call	_SdbpMatchDeviceString@16 ; SdbpMatchDeviceString(x,x,x,x)
		test	eax, eax
		jz	short loc_933421
		mov	eax, [ebp+arg_0]
		mov	ecx, edi
		push	4036h
		push	4035h
		push	4034h
		push	[ebp+arg_C]
		mov	edx, [eax+1Ch]
		call	_SdbpMatchDeviceDWORD@24 ; SdbpMatchDeviceDWORD(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_933421
		xor	esi, esi
		inc	esi

loc_933421:				; CODE XREF: SdbpCheckKObject+8A656j
					; SdbpCheckKObject+8A66Fj ...
		test	esi, esi
		jz	loc_8A8E9C
		jmp	loc_8A8E54
; 

loc_93342E:				; CODE XREF: SdbpCheckKObject+E5j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	6025h
		push	ebx
		mov	edx, [edx]
		call	_SdbpMatchDeviceString@16 ; SdbpMatchDeviceString(x,x,x,x)
		test	eax, eax
		jz	short loc_933468
		mov	eax, [ebp+arg_0]
		mov	ecx, edi
		push	4039h
		push	4038h
		push	4037h
		mov	edx, [eax+18h]
		push	ebx
		call	_SdbpMatchDeviceDWORD@24 ; SdbpMatchDeviceDWORD(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_933468
		xor	esi, esi
		inc	esi

loc_933468:				; CODE XREF: SdbpCheckKObject+8A6B8j
					; SdbpCheckKObject+8A6D9j
		test	esi, esi
		jz	loc_8A8E9C
		jmp	loc_8A8E75
; 

loc_933475:				; CODE XREF: SdbpCheckKObject+109j
		mov	edx, [ebp+arg_10]
		mov	ecx, edi
		push	6025h
		push	ebx
		mov	edx, [edx]
		call	_SdbpMatchDeviceString@16 ; SdbpMatchDeviceString(x,x,x,x)
		test	eax, eax
		jz	loc_8A8E9C
		mov	eax, [ebp+arg_10]
		mov	ecx, edi
		push	403Ch
		push	403Bh
		push	403Ah
		mov	edx, [eax+10h]
		push	ebx
		call	_SdbpMatchDeviceDWORD@24 ; SdbpMatchDeviceDWORD(x,x,x,x,x,x)
		test	eax, eax
		jz	loc_8A8E9C
		mov	eax, [ebp+arg_10]
		mov	ecx, edi
		push	403Fh
		push	403Eh
		push	403Dh
		mov	edx, [eax+14h]
		push	ebx
		call	_SdbpMatchDeviceDWORD@24 ; SdbpMatchDeviceDWORD(x,x,x,x,x,x)
		test	eax, eax
		jz	loc_8A8E9C
		jmp	loc_8A8E99
; END OF FUNCTION CHUNK	FOR SdbpCheckKObject
; 
; START	OF FUNCTION CHUNK FOR SdbpCheckForMatch

loc_9334DE:				; CODE XREF: SdbpCheckForMatch+2Cj
		mov	[ebp+var_8], 1
		jmp	loc_8A8EE8
; 

loc_9334EA:				; CODE XREF: SdbpCheckForMatch+87j
		push	2
		mov	edx, eax
		mov	ecx, edi
		call	SdbReadWORDTag
		movzx	eax, ax
		mov	[ebx], eax
		jmp	loc_8A8F49
; END OF FUNCTION CHUNK	FOR SdbpCheckForMatch
; 
; START	OF FUNCTION CHUNK FOR SdbpMatchOsVersion

loc_9334FF:				; CODE XREF: SdbpMatchOsVersion+94j
		mov	ecx, [ebp+var_12C]
		mov	edx, eax
		push	0
		push	0
		call	SdbReadQWORDTag
		push	ebx
		push	edi
		push	edx
		push	eax
		call	_SdbpCheckVersion@16 ; SdbpCheckVersion(x,x,x,x)
		mov	esi, eax
		neg	esi
		sbb	esi, esi
		neg	esi
		jmp	loc_8A900A
; 

loc_933526:				; CODE XREF: SdbpMatchOsVersion+B2j
		mov	ecx, [ebp+var_12C]
		mov	edx, eax
		push	0
		push	0
		call	SdbReadQWORDTag
		test	esi, esi
		jz	short loc_933550
		push	ebx
		push	edi
		push	edx
		push	eax
		call	_SdbpCheckFromVersion@16 ; SdbpCheckFromVersion(x,x,x,x)
		test	eax, eax
		jz	short loc_933550
		xor	esi, esi
		inc	esi
		jmp	loc_8A9028
; 

loc_933550:				; CODE XREF: SdbpMatchOsVersion+8A5C9j
					; SdbpMatchOsVersion+8A5D6j
		xor	esi, esi
		jmp	loc_8A9028
; 

loc_933557:				; CODE XREF: SdbpMatchOsVersion+D0j
		mov	ecx, [ebp+var_12C]
		mov	edx, eax
		push	0
		push	0
		call	SdbReadQWORDTag
		test	esi, esi
		jz	short loc_933581
		push	ebx
		push	edi
		push	edx
		push	eax
		call	_SdbpCheckUptoVersion@16 ; SdbpCheckUptoVersion(x,x,x,x)
		test	eax, eax
		jz	short loc_933581
		xor	esi, esi
		inc	esi
		jmp	loc_8A9046
; 

loc_933581:				; CODE XREF: SdbpMatchOsVersion+8A5FAj
					; SdbpMatchOsVersion+8A607j
		xor	esi, esi
		jmp	loc_8A9046
; END OF FUNCTION CHUNK	FOR SdbpMatchOsVersion
; 
; START	OF FUNCTION CHUNK FOR SdbpGetExeEntryFlags

loc_933588:				; CODE XREF: SdbpGetExeEntryFlags+3Bj
		push	esi
		push	offset ??_C@_0CJ@GFAHPFCA@Failed?5to?5read?5TAG_EXE_ID?5for?5t@NNGAKEGL@
		push	28Fh
		jmp	short loc_9335A0
; 

loc_933595:				; CODE XREF: SdbpGetExeEntryFlags+52j
		push	esi
		push	offset ??_C@_0CH@BBAMENNN@Failed?5to?5read?5the?5GUID?5for?5tiE@NNGAKEGL@
		push	294h

loc_9335A0:				; CODE XREF: SdbpGetExeEntryFlags+8A53Bj
		push	(offset	loc_8C28C2+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		xor	eax, eax
		jmp	loc_8A90F9
; 

loc_9335B6:				; CODE XREF: SdbpGetExeEntryFlags+7Dj
		push	4010h
		mov	edx, eax
		mov	ecx, ebx
		or	esi, 1000h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_8A90DB
		push	0
		mov	edx, eax
		mov	ecx, ebx
		call	SdbReadDWORDTag
		cmp	eax, 2
		jnz	loc_8A90DB
		or	esi, 2000h
		jmp	loc_8A90DB
; 

loc_9335F1:				; CODE XREF: SdbpGetExeEntryFlags+93j
		push	0
		mov	edx, eax
		mov	ecx, ebx
		call	SdbReadDWORDTag
		shl	eax, 10h
		or	esi, eax
		jmp	loc_8A90F1
; END OF FUNCTION CHUNK	FOR SdbpGetExeEntryFlags
; 
; START	OF FUNCTION CHUNK FOR SdbGetEntryFlags

loc_933606:				; CODE XREF: SdbGetEntryFlags+28j
		push	eax
		push	offset ??_C@_0CI@PFNDBMLC@Failed?5to?5convert?5EXE?5id?5to?5str@NNGAKEGL@
		push	7Dh
		push	(offset	loc_8C4335+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_8A916B
; END OF FUNCTION CHUNK	FOR SdbGetEntryFlags
; 
; START	OF FUNCTION CHUNK FOR SdbpQueryAppCompatFlagsByExeID

loc_933622:				; CODE XREF: SdbpQueryAppCompatFlagsByExeID+39j
		push	esi
		push	(offset	loc_8C42EC+4)
		push	40h
		push	(offset	loc_8C429C+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_8A91C7
; 

loc_93363E:				; CODE XREF: SdbpQueryAppCompatFlagsByExeID+2Dj
		mov	edx, [ebp+var_4]
		lea	ecx, [ebp+var_8]
		push	ebx
		call	_AslRegistryGetUInt32@12 ; AslRegistryGetUInt32(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_93367D
		cmp	esi, 0C0000034h
		jz	loc_8A91C7
		push	esi
		push	(offset	loc_8C3BF0+2)
		push	offset ??_C@_0DA@DPCBJIIG@AslRegistryGetUInt32?5failed?5for@NNGAKEGL@
		push	4Bh
		push	(offset	loc_8C429C+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	loc_8A91C7
; 

loc_93367D:				; CODE XREF: SdbpQueryAppCompatFlagsByExeID+8A4C6j
		xor	esi, esi
		jmp	loc_8A91C7
; 

loc_933684:				; CODE XREF: SdbpQueryAppCompatFlagsByExeID+4Bj
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8A91D9
; END OF FUNCTION CHUNK	FOR SdbpQueryAppCompatFlagsByExeID
; 
; START	OF FUNCTION CHUNK FOR AslRegistryGetKey

loc_933691:				; CODE XREF: AslRegistryGetKey+AEj
		push	esi
		push	ebx
		push	offset ??_C@_0DA@HFFCFNMM@AslRegistryBuildMachinePath?5fai@NNGAKEGL@
		push	614h
		jmp	short loc_9336AB
; 

loc_93369F:				; CODE XREF: AslRegistryGetKey+82j
		push	esi
		push	ebx
		push	offset ??_C@_0BO@KHIHGBEI@NtOpenKey?5failed?5for?5?$CFws?5?$FL?$CFx?$FN@NNGAKEGL@
		push	63Fh

loc_9336AB:				; CODE XREF: AslRegistryGetKey+8A4BBj
					; AslRegistryGetKey+8A4E9j
		push	(offset	loc_8C4ADE+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	loc_8A926A
; 

loc_9336BF:				; CODE XREF: AslRegistryGetKey+3Fj
		push	esi
		push	ebx
		push	offset ??_C@_0CN@KKHNGCDN@AslRegistryBuildUserPath?5failed@NNGAKEGL@
		push	61Bh
		jmp	short loc_9336AB
; 

loc_9336CD:				; CODE XREF: AslRegistryGetKey+76j
		mov	ecx, [ebp+var_C]
		mov	esi, edi
		mov	eax, [ebp+var_8]
		mov	[ebp+var_8], edi
		mov	[ecx], eax
		jmp	loc_8A926A
; END OF FUNCTION CHUNK	FOR AslRegistryGetKey
; 
; START	OF FUNCTION CHUNK FOR AslRegistryBuildMachinePath

loc_9336DF:				; CODE XREF: AslRegistryBuildMachinePath+58j
		movzx	eax, word ptr [esi+2]
		mov	edi, 0C0000017h
		push	eax
		push	offset ??_C@_0DA@BGOMJCLG@Failed?5to?5allocate?5?$CFd?5bytes?5for@NNGAKEGL@
		push	58Ch
		push	(offset	loc_8C4B68+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_8A9313
; 

loc_933707:				; CODE XREF: AslRegistryBuildMachinePath+70j
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		push	esi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		jmp	loc_8A930C
; END OF FUNCTION CHUNK	FOR AslRegistryBuildMachinePath
; 
; START	OF FUNCTION CHUNK FOR AslRegistryBuildUserPath

loc_933717:				; CODE XREF: AslRegistryBuildUserPath+24j
		push	esi
		push	(offset	loc_8C4B87+1)
		push	5C4h
		push	offset ??_C@_0BJ@MEOLBDOB@AslRegistryBuildUserPath@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_8A9391
; 

loc_933736:				; CODE XREF: AslRegistryBuildUserPath+60j
		push	offset ??_C@_0O@NALGGDJF@Out?5of?5memory@NNGAKEGL@
		push	5D0h
		push	offset ??_C@_0BJ@MEOLBDOB@AslRegistryBuildUserPath@NNGAKEGL@
		push	1
		mov	esi, 0C0000017h
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_8A9391
; END OF FUNCTION CHUNK	FOR AslRegistryBuildUserPath
; 
; START	OF FUNCTION CHUNK FOR AslGuidToString

loc_933759:				; CODE XREF: AslGuidToString+50j
		push	esi
		push	offset ??_C@_0CA@FFNDHPE@RtlStringCchPrintfW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	149h
		push	(offset	loc_8C4829+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_8A93FA
; END OF FUNCTION CHUNK	FOR AslGuidToString
; 
; START	OF FUNCTION CHUNK FOR MiMapViewOfPhysicalSection

loc_933778:				; CODE XREF: MiMapViewOfPhysicalSection+7Dj
		mov	eax, 0C000009Ah
		jmp	loc_8A9637
; 

loc_933782:				; CODE XREF: MiMapViewOfPhysicalSection+E1j
		mov	[esp+48h+var_34], 0C000010Ah

loc_93378A:				; CODE XREF: MiMapViewOfPhysicalSection+125j
					; MiMapViewOfPhysicalSection+8A43Bj
		mov	ebx, [esp+48h+var_30]

loc_93378E:				; CODE XREF: MiMapViewOfPhysicalSection+1E8j
					; MiMapViewOfPhysicalSection+26Dj
		mov	edx, [esp+48h+var_3C]
		mov	ecx, [esp+48h+var_28]
		call	UNLOCK_ADDRESS_SPACE
		mov	eax, [esp+48h+var_2C]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9337EF
		or	[esp+48h+var_8], 0FFFFFFFFh
		xor	esi, esi
		cmp	ebx, eax
		ja	short loc_9337EF
		mov	edi, [esp+48h+var_8]

loc_9337B3:				; CODE XREF: MiMapViewOfPhysicalSection+8A3E7j
		mov	ecx, ebx
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jnz	short loc_9337C5
		test	esi, esi
		jnz	short loc_9337C4
		mov	edi, ebx

loc_9337C4:				; CODE XREF: MiMapViewOfPhysicalSection+8A3BEj
		inc	esi

loc_9337C5:				; CODE XREF: MiMapViewOfPhysicalSection+8A3BAj
		cmp	eax, 1
		jz	short loc_9337D0
		cmp	ebx, [esp+48h+var_2C]
		jnz	short loc_9337E4

loc_9337D0:				; CODE XREF: MiMapViewOfPhysicalSection+8A3C6j
		test	esi, esi
		jz	short loc_9337E4
		xor	ecx, ecx
		mov	edx, edi
		push	esi
		inc	ecx
		call	MiDereferenceIoPages
		or	edi, 0FFFFFFFFh
		xor	esi, esi

loc_9337E4:				; CODE XREF: MiMapViewOfPhysicalSection+8A3CCj
					; MiMapViewOfPhysicalSection+8A3D0j
		inc	ebx
		cmp	ebx, [esp+48h+var_2C]
		jbe	short loc_9337B3
		mov	edi, [esp+48h+var_4]

loc_9337EF:				; CODE XREF: MiMapViewOfPhysicalSection+8A3A0j
					; MiMapViewOfPhysicalSection+8A3ABj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+48h+var_34]
		jmp	loc_8A9637
; 

loc_933800:				; CODE XREF: MiMapViewOfPhysicalSection+EEj
		movzx	ecx, word ptr [eax]
		mov	eax, [esp+48h+var_8]
		mov	edx, [ebx+0Ch]
		push	dword ptr [ebx+4]
		dec	edx
		mov	eax, [eax]
		add	ecx, eax
		push	dword ptr [ebx]
		add	edx, ecx
		mov	[esp+50h+var_C], ecx
		mov	[esp+50h+var_18], edx
		sub	edx, ecx
		inc	edx
		mov	[esp+50h+var_14], ecx
		push	edx
		mov	edx, ecx
		mov	ecx, [esp+54h+var_3C]
		call	MiIsVaRangeAvailable
		test	eax, eax
		jnz	short loc_933842
		mov	[esp+48h+var_34], 0C0000018h
		jmp	loc_93378A
; 

loc_933842:				; CODE XREF: MiMapViewOfPhysicalSection+8A431j
		mov	edx, [esp+48h+var_18]
		mov	eax, [esp+48h+var_14]
		jmp	loc_8A9546
; 

loc_93384F:				; CODE XREF: MiMapViewOfPhysicalSection+170j
		test	byte ptr [ebp+arg_4], 7
		jz	loc_8A9583
		mov	[esp+48h+var_24], 2
		jmp	loc_8A9583
; 

loc_933866:				; CODE XREF: MiMapViewOfPhysicalSection+218j
		call	_MiIsProcessCfgEnabled@0 ; MiIsProcessCfgEnabled()
		test	eax, eax
		jz	loc_8A9620
		mov	esi, [esp+48h+var_28]
		mov	edx, edi
		mov	ecx, esi
		call	_MiLockVad@8	; MiLockVad(x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	UNLOCK_ADDRESS_SPACE_UNORDERED
		push	[ebp+arg_8]
		xor	edx, edx
		mov	ecx, edi
		call	MiCommitVadCfgBits
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_9338B4
		mov	ecx, edi
		call	_MiReferenceVad@4 ; MiReferenceVad(x)
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)
		mov	eax, ebx
		jmp	loc_8A9637
; 

loc_9338B4:				; CODE XREF: MiMapViewOfPhysicalSection+8A497j
		mov	edx, edi
		mov	ecx, esi
		call	MiUnlockVad
		jmp	loc_8A962B
; 

loc_9338C2:				; CODE XREF: MiMapViewOfPhysicalSection+39j
					; MiMapViewOfPhysicalSection+47j ...
		mov	eax, 0C0000045h
		jmp	loc_8A9637
; 

loc_9338CC:				; CODE XREF: MiMapViewOfPhysicalSection+18j
					; MiMapViewOfPhysicalSection+23j
		mov	eax, 0C000000Dh
		jmp	loc_8A9637
; END OF FUNCTION CHUNK	FOR MiMapViewOfPhysicalSection
; 
; START	OF FUNCTION CHUNK FOR CmpTransMgrPrepare

loc_9338D6:				; CODE XREF: CmpTransMgrPrepare+4Fj
		mov	eax, [ebp+var_20]
		xor	esi, esi
		mov	[eax], bl
		jmp	loc_8A98EE
; 

loc_9338E2:				; CODE XREF: CmpTransMgrPrepare+A2j
		lea	edi, [esi+430h]
		mov	ecx, edi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_9338FA
		xor	esi, esi
		jmp	loc_8A98DF
; 

loc_9338FA:				; CODE XREF: CmpTransMgrPrepare+8A125j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, esi
		call	CmpTransMgrSyncHive
		mov	esi, eax
		mov	ecx, edi
		jmp	short loc_933912
; 

loc_93390C:				; CODE XREF: CmpTransMgrPrepare+EAj
		lea	ecx, [edi+430h]

loc_933912:				; CODE XREF: CmpTransMgrPrepare+8A13Ej
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_8A98E4
; 

loc_93391C:				; CODE XREF: CmpTransMgrPrepare+107j
		mov	ecx, esi
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		mov	ecx, esi
		call	_HvLockHiveWriter@4 ; HvLockHiveWriter(x)
		push	0
		push	20h
		xor	edx, edx
		mov	ecx, esi
		call	HvpMarkDirty
		mov	ecx, esi
		mov	bl, al
		call	HvUnlockHiveWriter
		mov	ecx, esi
		test	bl, bl
		jnz	short loc_933955
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		mov	esi, 0C000009Ah
		jmp	loc_8A98DF
; 

loc_933955:				; CODE XREF: CmpTransMgrPrepare+8A178j
		mov	eax, [esi+20h]
		or	dword ptr [eax+90h], 1
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		mov	ecx, esi
		xor	bl, bl
		call	CmpFlushHive
		test	eax, eax
		jns	loc_8A98D9
		mov	esi, 0C000009Ah
		jmp	loc_8A98E4
; END OF FUNCTION CHUNK	FOR CmpTransMgrPrepare
; 
; START	OF FUNCTION CHUNK FOR CmpTransMgrSyncHive

loc_933986:				; CODE XREF: CmpTransMgrSyncHive+51j
		test	cl, 4
		jnz	loc_8A9983
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8A9983
; 

loc_93399B:				; CODE XREF: CmpTransMgrSyncHive+62j
		mov	edi, 0C000009Ah
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9339B4
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9339B4:				; CODE XREF: CmpTransMgrSyncHive+8A07Fj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		jmp	loc_8A99C8
; 

loc_9339C5:				; CODE XREF: CmpTransMgrSyncHive+7Bj
		test	al, 4
		jnz	loc_8A99AD
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8A99AD
; END OF FUNCTION CHUNK	FOR CmpTransMgrSyncHive
; 
; START	OF FUNCTION CHUNK FOR WheaAddErrorSourceDeviceDriver

loc_9339D9:				; CODE XREF: WheaAddErrorSourceDeviceDriver+1A9j
		test	ebx, ebx
		jz	short loc_9339E8
		push	41454857h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9339E8:				; CODE XREF: WheaAddErrorSourceDeviceDriver+89FA5j
		test	esi, esi
		jz	loc_8A9BE5
		push	41454857h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A9BE5
; 

loc_933A00:				; CODE XREF: WheaAddErrorSourceDeviceDriver+29j
		mov	eax, 0C00000F0h
		jmp	loc_8A9BE9
; 

loc_933A0A:				; CODE XREF: WheaAddErrorSourceDeviceDriver+14j
					; WheaAddErrorSourceDeviceDriver+1Dj
		mov	eax, 0C000000Dh
		jmp	loc_8A9BE9
; END OF FUNCTION CHUNK	FOR WheaAddErrorSourceDeviceDriver
; 
; START	OF FUNCTION CHUNK FOR WheaAddErrorSource

loc_933A14:				; CODE XREF: WheaAddErrorSource+2Bj
		mov	ebx, 0C00000BBh
		jmp	loc_8A9CA6
; 

loc_933A1E:				; CODE XREF: WheaAddErrorSource+4Aj
		mov	ebx, 0C000009Ah
		jmp	loc_8A9CA6
; 

loc_933A28:				; CODE XREF: WheaAddErrorSource+7Bj
		push	61656857h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8A9CA0
; 

loc_933A38:				; CODE XREF: WheaAddErrorSource+9Cj
		xor	edx, edx
		mov	dword ptr [ebx+5Ch], 2
		inc	edx
		mov	ecx, ebx
		call	_WheapCallErrorSourceInitialize@8 ; WheapCallErrorSourceInitialize(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jns	short loc_933A56
		mov	dword ptr [ebx+5Ch], 1

loc_933A56:				; CODE XREF: WheaAddErrorSource+89E4Fj
		mov	ebx, eax
		jmp	loc_8A9CA6
; END OF FUNCTION CHUNK	FOR WheaAddErrorSource
; 
; START	OF FUNCTION CHUNK FOR PiUEventNotifyDeviceInstanceChange

loc_933A5D:				; CODE XREF: PiUEventNotifyDeviceInstanceChange+78j
		mov	eax, [eax+0Ch]
		push	dword ptr [eax+0Ch] ; wchar_t *
		lea	eax, [ebx+50h]
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_8A9F28
		mov	eax, [ebp+var_4]
		jmp	loc_8A9F0E
; END OF FUNCTION CHUNK	FOR PiUEventNotifyDeviceInstanceChange
; 
; START	OF FUNCTION CHUNK FOR IopQueryLegacyBusInformation

loc_933A7E:				; CODE XREF: IopQueryLegacyBusInformation+4Aj
		mov	ecx, [esi+0B0h]
		mov	eax, [ecx+14h]
		test	eax, eax
		jz	loc_8A9F6C
		mov	eax, [eax+8]
		test	eax, eax
		jz	loc_8A9F6C
		cmp	[eax+20h], ebx
		jz	loc_8A9F6C
		add	eax, 1Ch
		push	eax
		push	offset ??_C@_0EH@NFBHGJOA@?$CK?$CK?$CK?5IopQueryLegacyBusInformatio@NNGAKEGL@
		call	_DbgPrint
		push	offset ??_C@_0EC@EPJBAAAK@?5?5?5?5for?5IRP_MN_QUERY_LEGACY_BUS@NNGAKEGL@
		call	_DbgPrint
		add	esp, 0Ch
		jmp	loc_8A9F6C
; END OF FUNCTION CHUNK	FOR IopQueryLegacyBusInformation
; 
; START	OF FUNCTION CHUNK FOR ExpPartitionCreatePool

loc_933AC3:				; CODE XREF: ExpPartitionCreatePool+8Ej
		mov	edx, [ebp+var_8]
		movzx	ecx, bx
		push	0
		push	0
		mov	eax, [edx+4]
		mov	eax, [eax+ecx*4]
		mov	edi, [ebp+var_4]
		mov	[eax+edi*4], esi
		mov	eax, [edx+8]
		mov	eax, [eax+ecx*4]
		add	eax, 8
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, [ebp+var_C]
		jmp	loc_8AA11A
; 

loc_933AF0:				; CODE XREF: ExpPartitionCreatePool+20j
		mov	ecx, 0C0000017h
		jmp	loc_8AA136
; END OF FUNCTION CHUNK	FOR ExpPartitionCreatePool
; 
; START	OF FUNCTION CHUNK FOR ExpPartitionInitialize

loc_933AFA:				; CODE XREF: ExpPartitionInitialize+25j
		mov	edi, 0C0000017h

loc_933AFF:				; CODE XREF: ExpPartitionInitialize+186j
		mov	eax, edi
		jmp	loc_8AA2C0
; 

loc_933B06:				; CODE XREF: ExpPartitionInitialize+B4j
		and	[ebp+var_4], 0
		jmp	loc_8AA20A
; 

loc_933B0F:				; CODE XREF: ExpPartitionInitialize+55j
					; ExpPartitionInitialize+82j ...
		mov	edi, 0C0000017h
		jmp	loc_8AA2C5
; END OF FUNCTION CHUNK	FOR ExpPartitionInitialize
; 
; START	OF FUNCTION CHUNK FOR ExpPartitionCreatePoolInternal

loc_933B19:				; CODE XREF: ExpPartitionCreatePoolInternal+7Aj
		mov	ecx, edi
		call	_ExpWorkQueueDestroy@4 ; ExpWorkQueueDestroy(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8AA352
; END OF FUNCTION CHUNK	FOR ExpPartitionCreatePoolInternal
; 
; START	OF FUNCTION CHUNK FOR CmpWaitForHiveMount

loc_933B2D:				; CODE XREF: CmpWaitForHiveMount+2Fj
		add	edx, 2
		add	cx, ax
		jnz	loc_8AA52A
		jmp	loc_8AA533
; 

loc_933B3E:				; CODE XREF: CmpWaitForHiveMount+1Ej
					; CmpWaitForHiveMount+3Bj
		mov	eax, offset dword_6B19F4
		lock bts dword ptr [eax], 0
		jmp	loc_8AA584
; END OF FUNCTION CHUNK	FOR CmpWaitForHiveMount
; 
; START	OF FUNCTION CHUNK FOR PopBootStatGet

loc_933B4D:				; CODE XREF: PopBootStatGet+75j
		mov	edi, 0C000009Ah
		jmp	loc_8AA86A
; 

loc_933B57:				; CODE XREF: PopBootStatGet+9Bj
					; PopBootStatGet+A3j
		mov	[ecx], bl
		jmp	loc_8AA765
; END OF FUNCTION CHUNK	FOR PopBootStatGet

;  S U B	R O U T	I N E 


sub_933B5E	proc near		; DATA XREF: .text:006A73FCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_933B5E	endp


;  S U B	R O U T	I N E 


sub_933B6C	proc near		; DATA XREF: .text:006A7400o
		mov	edi, [ebp-40h]
		jmp	short loc_933B74
; 

loc_933B71:				; DATA XREF: .text:006A740Co
		mov	edi, [ebp-4Ch]

loc_933B74:				; CODE XREF: sub_933B6C+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp-2Ch]
		mov	al, [ebp-1Ah]
		mov	[ebp-19h], al
		jmp	loc_8AA86A
sub_933B6C	endp


;  S U B	R O U T	I N E 


sub_933B8E	proc near		; DATA XREF: .text:006A7408o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_933B8E	endp

; 
; START	OF FUNCTION CHUNK FOR PopBootStatGet

loc_933B9C:				; CODE XREF: PopBootStatGet+19Fj
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+var_30]
		mov	[edx+ecx*4], eax
		jmp	loc_8AA861
; END OF FUNCTION CHUNK	FOR PopBootStatGet
; 
; START	OF FUNCTION CHUNK FOR PpmWmiDispatch

loc_933BAA:				; CODE XREF: PpmWmiDispatch+30j
					; PpmWmiDispatch+6Aj
		mov	eax, [ebp+arg_14]
		mov	esi, [ebp+arg_4]
		push	10h
		pop	edi
		push	edi		; size_t
		push	esi		; void *
		push	offset _PPM_PERFSTATE_CHANGE_GUID ; void *
		mov	[eax], edx
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_933BD2
		mov	ecx, offset _WmiPerfStateEventEnabled
		jmp	loc_933C52
; 

loc_933BD2:				; CODE XREF: PpmWmiDispatch+892D4j
		push	edi		; size_t
		push	esi		; void *
		push	offset _PPM_PERFSTATE_DOMAIN_CHANGE_GUID ; void	*
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_933BEC
		mov	ecx, offset _WmiPerfStateDomainEventEnabled
		jmp	short loc_933C52
; 

loc_933BEC:				; CODE XREF: PpmWmiDispatch+892F1j
		push	edi		; size_t
		push	esi		; void *
		push	offset _PPM_IDLESTATE_CHANGE_GUID ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_933C06
		mov	ecx, offset _WmiIdleStateEventEnabled
		jmp	short loc_933C52
; 

loc_933C06:				; CODE XREF: PpmWmiDispatch+8930Bj
		push	edi		; size_t
		push	esi		; void *
		push	offset _PPM_IDLE_ACCOUNTING_EX_GUID ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_933C20
		mov	ecx, offset _WmiIdleAccntEventEnabled
		jmp	short loc_933C52
; 

loc_933C20:				; CODE XREF: PpmWmiDispatch+89325j
		push	edi		; size_t
		push	esi		; void *
		push	offset _PPM_THERMALCONSTRAINT_GUID ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_933C3A
		mov	ecx, offset _WmiThermalEventEnabled
		jmp	short loc_933C52
; 

loc_933C3A:				; CODE XREF: PpmWmiDispatch+8933Fj
		push	edi		; size_t
		push	esi		; void *
		push	(offset	loc_42E0E4+4) ;	void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_933CBB
		mov	ecx, offset _WmiThermalPolicyEventEnabled ; int

loc_933C52:				; CODE XREF: PpmWmiDispatch+892DBj
					; PpmWmiDispatch+892F8j ...
		test	bl, bl
		jnz	short loc_933C7F
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		dec	eax
		jnz	loc_8AA956
		cmp	ecx, offset _WmiIdleAccntEventEnabled
		jnz	loc_8AA956
		push	offset _PpmWmiIdleAccountingTimer
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		jmp	loc_8AA956
; 

loc_933C7F:				; CODE XREF: PpmWmiDispatch+89362j
		xor	eax, eax
		inc	eax
		lock xadd [ecx], eax
		inc	eax
		cmp	eax, 1
		jnz	loc_8AA956
		cmp	ecx, offset _WmiIdleAccntEventEnabled
		jnz	loc_8AA956
		push	0
		push	0
		push	offset _PpmWmiIdleAccountingDpc
		push	0
		mov	edx, 2710h
		mov	ecx, offset _PpmWmiIdleAccountingTimer
		call	KiSetTimerEx
		jmp	loc_8AA956
; 

loc_933CBB:				; CODE XREF: PpmWmiDispatch+89359j
		mov	eax, 0C0000295h
		jmp	loc_8AA937
; 

loc_933CC5:				; CODE XREF: PpmWmiDispatch+22j
					; PpmWmiDispatch+73j
		push	dword ptr [ebp+arg_10] ; char
		mov	edx, [ebp+arg_4] ; void	*
		push	[ebp+arg_14]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		call	_PpmWmiGetAllData@24 ; PpmWmiGetAllData(x,x,x,x,x,x)
		jmp	loc_8AA952
; END OF FUNCTION CHUNK	FOR PpmWmiDispatch
; 
; START	OF FUNCTION CHUNK FOR PpmWmiRegisterInfo

loc_933CDE:				; CODE XREF: PpmWmiRegisterInfo+14j
		cmp	eax, 4
		jb	short loc_933CEB
		mov	eax, [ebp+arg_4]
		push	4
		mov	[eax], ebx
		pop	ebx

loc_933CEB:				; CODE XREF: PpmWmiRegisterInfo+89377j
		mov	ecx, 0C0000023h
		jmp	loc_8AAA11
; END OF FUNCTION CHUNK	FOR PpmWmiRegisterInfo
; 
; START	OF FUNCTION CHUNK FOR PpmGetPolicyAction

loc_933CF5:				; CODE XREF: PpmGetPolicyAction+CBj
		or	dword ptr [edx], 40h
		jmp	loc_8AAAEF
; 

loc_933CFD:				; CODE XREF: PpmGetPolicyAction+107j
		or	dword ptr [edx], 400h
		jmp	loc_8AAA42
; 

loc_933D08:				; CODE XREF: PpmGetPolicyAction+2Dj
		cmp	ds:_PpmPerfEppViaPerfControl, 0
		jz	loc_8AAA51
		or	dword ptr [edx], 2
		jmp	loc_8AAA51
; 

loc_933D1D:				; CODE XREF: PpmGetPolicyAction+56j
		or	dword ptr [edx], 1000h
		jmp	loc_8AAA7A
; 

loc_933D28:				; CODE XREF: PpmGetPolicyAction+95j
		or	dword ptr [edx], 1
		jmp	loc_8AAAB9
; 

loc_933D30:				; CODE XREF: PpmGetPolicyAction+A6j
		or	dword ptr [edx], 10h
		retn
; END OF FUNCTION CHUNK	FOR PpmGetPolicyAction
; 
; START	OF FUNCTION CHUNK FOR PiUEventCoalesceBroadcastEvents

loc_933D34:				; CODE XREF: PiUEventCoalesceBroadcastEvents+3Cj
		push	10h		; size_t
		lea	eax, [edi+14h]
		push	eax		; void *
		lea	eax, [esi+14h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_8AAC39
		lea	eax, [edi+24h]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esi+24h]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_8AAC31
		jmp	loc_8AAC39
; 

loc_933D84:				; CODE XREF: PiUEventCoalesceBroadcastEvents+45j
		push	10h		; size_t
		lea	eax, [esi+14h]
		push	eax		; void *
		lea	eax, [edi+14h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_8AAC31
		jmp	loc_8AAC39
; END OF FUNCTION CHUNK	FOR PiUEventCoalesceBroadcastEvents
; 
; START	OF FUNCTION CHUNK FOR PsStartSiloMonitor

loc_933DA3:				; CODE XREF: PsStartSiloMonitor+6Aj
		mov	ecx, eax
		call	_PsIsSiloStartedAndNotTerminated@4 ; PsIsSiloStartedAndNotTerminated(x)
		test	al, al
		jnz	short loc_933DB7
		mov	ecx, [esp+30h+var_20]
		jmp	loc_8AAC9F
; 

loc_933DB7:				; CODE XREF: PsStartSiloMonitor+8916Aj
		mov	edi, 0C00000BBh
		jmp	loc_8AAD5D
; 

loc_933DC1:				; CODE XREF: PsStartSiloMonitor+A6j
		cmp	[esi+14h], ebx
		jz	loc_8AACEE
		mov	ecx, [esp+30h+var_20]
		mov	edx, esi
		call	_PspInvokeTerminateCallback@8 ;	PspInvokeTerminateCallback(x,x)
		jmp	loc_8AACEE
; 

loc_933DDA:				; CODE XREF: PsStartSiloMonitor+E2j
					; PsStartSiloMonitor+891C3j
		mov	ecx, edi
		call	_PsIsSiloStartedAndNotTerminated@4 ; PsIsSiloStartedAndNotTerminated(x)
		test	al, al
		jz	short loc_933DF8
		mov	edx, esi
		mov	ecx, edi
		inc	ebx
		call	_PspInvokeCreateCallback@8 ; PspInvokeCreateCallback(x,x)
		test	eax, eax
		jns	short loc_933DF8
		mov	[esp+30h+var_21], 1

loc_933DF8:				; CODE XREF: PsStartSiloMonitor+891A1j
					; PsStartSiloMonitor+891AFj
		mov	dl, 1
		mov	ecx, edi
		call	_PspGetNextSilo@8 ; PspGetNextSilo(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_933DDA
		mov	[esp+30h+var_20], ebx
		xor	ebx, ebx
		jmp	loc_8AAD2A
; 

loc_933E12:				; CODE XREF: PsStartSiloMonitor+F8j
		cmp	[esi+14h], ebx
		jz	short loc_933E78
		mov	ecx, ds:_PsInitialSystemProcess
		lea	eax, [esp+30h+var_1C]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		xor	ecx, ecx
		jmp	short loc_933E44
; 

loc_933E2D:				; CODE XREF: PsStartSiloMonitor+8920Dj
		mov	ecx, edi
		call	_PsIsSiloStartedAndNotTerminated@4 ; PsIsSiloStartedAndNotTerminated(x)
		test	al, al
		jz	short loc_933E42
		mov	edx, esi
		mov	ecx, edi
		call	_PspInvokeTerminateCallback@8 ;	PspInvokeTerminateCallback(x,x)
		inc	ebx

loc_933E42:				; CODE XREF: PsStartSiloMonitor+891F4j
		mov	ecx, edi

loc_933E44:				; CODE XREF: PsStartSiloMonitor+891E9j
		mov	dl, 1
		call	_PspGetNextSilo@8 ; PspGetNextSilo(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_933E2D
		cmp	[esp+30h+var_20], ebx
		jz	short loc_933E59
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_933E59:				; CODE XREF: PsStartSiloMonitor+89213j
		cmp	byte ptr [esi+8], 0
		jz	short loc_933E6D
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	edx, esi
		mov	ecx, eax
		call	_PspInvokeCreateCallback@8 ; PspInvokeCreateCallback(x,x)

loc_933E6D:				; CODE XREF: PsStartSiloMonitor+8921Bj
		xor	edx, edx
		lea	ecx, [esp+30h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_933E78:				; CODE XREF: PsStartSiloMonitor+891D3j
		mov	edi, 0C0000240h
		jmp	loc_8AAD5D
; 

loc_933E82:				; CODE XREF: PsStartSiloMonitor+129j
		test	al, 4
		jnz	loc_8AAD71
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8AAD71
; END OF FUNCTION CHUNK	FOR PsStartSiloMonitor
; 
; START	OF FUNCTION CHUNK FOR PiSwDeviceMakeCompatibleIds

loc_933E96:				; CODE XREF: PiSwDeviceMakeCompatibleIds+9Aj
		mov	ebx, 0C000009Ah
		jmp	loc_8AAEF5
; END OF FUNCTION CHUNK	FOR PiSwDeviceMakeCompatibleIds
; 
; START	OF FUNCTION CHUNK FOR IoReportDetectedDevice

loc_933EA0:				; CODE XREF: IoReportDetectedDevice+99j
		mov	eax, [eax+0B0h]
		mov	esi, [eax+14h]
		mov	[esp+210h+var_1F4], esi
		test	esi, esi
		jnz	loc_8AB00F
		mov	eax, 0C00000F6h
		jmp	loc_8AB2A4
; 

loc_933EBF:				; CODE XREF: IoReportDetectedDevice+123j
		test	esi, esi
		jz	loc_8AB059
		mov	[esp+210h+var_1D8], 1
		jmp	loc_8AB059
; 

loc_933ED4:				; CODE XREF: IoReportDetectedDevice+1C2j
		mov	eax, 190h
		sub	eax, [esp+210h+var_1F0]
		jmp	loc_8AB0FB
; 

loc_933EE2:				; CODE XREF: IoReportDetectedDevice+224j
		push	[esp+210h+var_1FC]
		call	_ZwClose@4	; ZwClose(x)
		mov	edx, [esp+210h+var_1C0]
		mov	ecx, [esp+210h+var_1A8]
		inc	edx
		mov	edi, [esp+210h+var_1A4]
		mov	eax, [esp+210h+var_1A0]
		jmp	loc_8AB0B0
; 

loc_933F01:				; CODE XREF: IoReportDetectedDevice+23Ej
		mov	edi, 0C0000001h
		xor	esi, esi
		jmp	loc_8AB17D
; 

loc_933F0D:				; CODE XREF: IoReportDetectedDevice+25Bj
		lea	ecx, [esp+210h+var_1DC]
		call	_IopCreateRootEnumeratedDeviceObject@4 ; IopCreateRootEnumeratedDeviceObject(x)
		mov	edi, eax
		test	edi, edi
		js	loc_93418E
		mov	edi, [esp+210h+var_1DC]
		lea	edx, [esp+210h+var_1F4]
		mov	ecx, edi
		mov	[esp+210h+var_1F5], 1
		or	dword ptr [edi+1Ch], 1000h
		call	PipAllocateDeviceNode
		mov	esi, [esp+210h+var_1F4]
		cmp	eax, 0C000036Eh
		jz	loc_934212
		test	esi, esi
		jz	loc_934212
		mov	eax, [esp+210h+var_1D0]
		test	byte ptr [eax+8], 4
		jnz	short loc_933F94
		movzx	eax, word ptr [ebx]
		push	48706E50h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+20h], eax
		test	eax, eax
		jz	loc_93417C
		mov	ax, [ebx]
		push	0
		mov	[esi+1Eh], ax
		lea	eax, [esi+1Ch]
		push	ebx
		push	eax
		call	RtlUpcaseUnicodeString
		mov	edi, eax
		test	edi, edi
		js	loc_9341ED

loc_933F94:				; CODE XREF: IoReportDetectedDevice+8902Aj
		movzx	edx, word ptr [esp+210h+var_1F0]
		mov	ecx, esi
		add	edx, 2
		call	_PnpAllocateDeviceInstancePath@8 ; PnpAllocateDeviceInstancePath(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9341ED
		push	0
		lea	ecx, [esp+214h+var_1F0]
		lea	eax, [esi+14h]
		push	ecx
		push	eax
		call	RtlUpcaseUnicodeString
		mov	edi, eax
		test	edi, edi
		js	loc_9341ED
		movzx	ecx, word ptr [esi+14h]
		xor	edx, edx
		mov	eax, [esi+18h]
		shr	ecx, 1
		push	edx
		push	4
		mov	[eax+ecx*2], dx
		lea	eax, [esp+218h+var_1BC]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	4
		push	0Bh
		push	[esp+224h+var_1FC]
		mov	[esp+228h+var_1BC], 20h
		mov	edx, [esi+18h]
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9341FD
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+19h]
		push	0
		push	1
		push	eax
		push	11h
		push	offset _DEVPKEY_Device_Reported
		push	0
		push	[esp+228h+var_1FC]
		mov	[esp+22Ch+var_1F7], 0FFh
		mov	edx, [esi+18h]
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9341FD
		push	ebx
		lea	edx, [esp+214h+var_1B8]
		lea	ecx, [esp+214h+var_1E0]
		call	PnpUnicodeStringToWstr
		mov	edi, eax
		test	edi, edi
		js	loc_9341FD
		mov	edx, [esp+210h+var_1B8]
		lea	eax, [esp+210h+var_1B4]
		mov	ecx, [esp+210h+var_1E0]
		push	eax
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9341F2
		mov	eax, [esp+210h+var_1B4]
		mov	edx, [esi+18h]
		add	eax, 2
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		push	[esp+218h+var_1E0]
		push	1
		push	5
		push	[esp+224h+var_1FC]
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	ecx, [esp+210h+var_1E0]
		mov	edx, ebx
		mov	edi, eax
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		test	edi, edi
		js	loc_9341FD
		mov	edx, [esi+18h]
		lea	eax, [esp+210h+var_1E4]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		push	1
		push	0F003Fh
		push	0
		push	13h
		call	_CmOpenDeviceRegKey
		mov	edi, eax
		test	edi, edi
		js	loc_9341FD
		push	ecx
		mov	ecx, [esp+214h+var_1E4]
		mov	edx, offset ??_C@_1BO@DEANAFMF@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAR?$AAe?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd@NNGAKEGL@	; "DeviceReported"
		call	_PnpSetRegistryDword@12	; PnpSetRegistryDword(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9341FD
		mov	edi, [esp+210h+var_1D0]
		mov	eax, [edi+8]
		test	al, 4
		jnz	short loc_93410C
		lea	eax, [esi+1Ch]
		mov	dl, 1
		push	eax
		lea	ecx, [esp+214h+var_1F0]
		call	PiDeviceRegistration
		mov	eax, [edi+8]
		test	al, 4
		jz	short loc_934110

loc_93410C:				; CODE XREF: IoReportDetectedDevice+891C4j
		lea	ebx, [esp+210h+var_1CC]

loc_934110:				; CODE XREF: IoReportDetectedDevice+891DAj
		push	[esp+210h+var_1D4] ; size_t
		mov	edx, ebx
		mov	ebx, [esp+214h+var_1DC]
		mov	ecx, ebx
		call	_IopCreateLegacyDeviceIds@12 ; IopCreateLegacyDeviceIds(x,x,x)
		mov	edi, eax
		mov	ecx, esi
		test	edi, edi
		js	loc_934204
		push	11h
		pop	edx
		call	PipSetDevNodeFlags
		mov	eax, _IopRootDeviceNode
		mov	edx, 302h
		push	ecx
		mov	ecx, esi
		mov	eax, [eax+1A4h]
		mov	[esi+1A4h], eax
		call	PipSetDevNodeState
		mov	ecx, _IopRootDeviceNode
		mov	edx, esi
		call	PpDevNodeInsertIntoTree
		lea	edx, [esi+14h]
		mov	ecx, ebx
		call	_PnpMapDeviceObjectToDeviceInstance@8 ;	PnpMapDeviceObjectToDeviceInstance(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9341ED
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		jmp	loc_8AB1CD
; 

loc_93417C:				; CODE XREF: IoReportDetectedDevice+89041j
					; IoReportDetectedDevice+893E5j
		mov	eax, 0C000009Ah
		mov	ecx, esi
		push	eax
		push	3
		pop	edx
		mov	edi, eax
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)

loc_93418E:				; CODE XREF: IoReportDetectedDevice+1F9j
					; IoReportDetectedDevice+253j ...
		cmp	[esp+210h+var_1FD], 0
		jz	loc_8AB258
		cmp	[esp+210h+var_1E8], 0
		jz	short loc_9341A9
		push	[esp+210h+var_1E8]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)

loc_9341A9:				; CODE XREF: IoReportDetectedDevice+8926Ej
		cmp	[esp+210h+var_1E4], 0
		jz	short loc_9341B9
		push	[esp+210h+var_1E4]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)

loc_9341B9:				; CODE XREF: IoReportDetectedDevice+8927Ej
		cmp	[esp+210h+var_1FC], 0
		jz	short loc_9341C9
		push	[esp+210h+var_1FC]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)

loc_9341C9:				; CODE XREF: IoReportDetectedDevice+8928Ej
		lea	ecx, [esi+14h]
		call	_PnpCleanupDeviceRegistryValues@4 ; PnpCleanupDeviceRegistryValues(x)
		mov	ecx, esi
		call	_PpDevNodeRemoveFromTree@4 ; PpDevNodeRemoveFromTree(x)
		push	dword ptr [esi+10h]
		call	IoDeleteDevice
		mov	ecx, [esi+10h]
		call	ObfDereferenceObject
		jmp	loc_8AB258
; 

loc_9341ED:				; CODE XREF: IoReportDetectedDevice+8905Ej
					; IoReportDetectedDevice+89077j ...
		push	edi
		push	3
		jmp	short loc_934200
; 

loc_9341F2:				; CODE XREF: IoReportDetectedDevice+89139j
		mov	ecx, [esp+210h+var_1E0]
		mov	edx, ebx
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)

loc_9341FD:				; CODE XREF: IoReportDetectedDevice+890D0j
					; IoReportDetectedDevice+89105j ...
		push	edi
		push	13h

loc_934200:				; CODE XREF: IoReportDetectedDevice+892C0j
		mov	ecx, esi
		jmp	short loc_934207
; 

loc_934204:				; CODE XREF: IoReportDetectedDevice+891F7j
		push	edi
		push	13h

loc_934207:				; CODE XREF: IoReportDetectedDevice+892D2j
		pop	edx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	loc_8AB219
; 

loc_934212:				; CODE XREF: IoReportDetectedDevice+89014j
					; IoReportDetectedDevice+8901Cj
		push	edi
		call	IoDeleteDevice
		mov	edi, 0C000009Ah
		jmp	loc_93418E
; 

loc_934222:				; CODE XREF: IoReportDetectedDevice+281j
		mov	eax, [esi+114h]
		cmp	eax, 1
		jz	loc_8AB1B7
		cmp	eax, 12h
		jz	loc_8AB1B7
		cmp	eax, 1Ch
		jz	loc_8AB1B7

loc_934243:				; CODE XREF: IoReportDetectedDevice+271j
		mov	ecx, [esi+10h]
		call	ObfDereferenceObject
		mov	edi, 0C000000Eh
		jmp	loc_93418E
; 

loc_934255:				; CODE XREF: IoReportDetectedDevice+28Cj
		mov	ecx, esi
		call	PipClearDevNodeProblem
		jmp	loc_8AB1C2
; 

loc_934261:				; CODE XREF: IoReportDetectedDevice+297j
		mov	ecx, [esi+10h]
		lea	edx, [esp+210h+var_1FC]
		push	0F003Fh
		call	_PnpDeviceObjectToDeviceInstance@12 ; PnpDeviceObjectToDeviceInstance(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_93418E
		jmp	loc_8AB1CD
; 

loc_934281:				; CODE XREF: IoReportDetectedDevice+2A3j
					; IoReportDetectedDevice+2ADj
		mov	edx, [esi+18h]
		lea	eax, [esp+210h+var_1E8]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		push	1
		push	0F003Fh
		push	0
		push	14h
		call	_CmOpenDeviceRegKey
		mov	edi, eax
		test	edi, edi
		js	loc_9341FD
		test	ebx, ebx
		jz	short loc_9342C3
		mov	ecx, [esp+210h+var_1E8]
		push	ebx
		call	_PnpSetRegistryResourceList@12 ; PnpSetRegistryResourceList(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9341FD

loc_9342C3:				; CODE XREF: IoReportDetectedDevice+8937Dj
		mov	eax, [esp+210h+var_1B0]
		test	eax, eax
		jz	loc_8AB1E3
		mov	ecx, [esp+210h+var_1E8]
		push	eax
		call	_PnpSetRegistryRequirementsList@12 ; PnpSetRegistryRequirementsList(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9341FD
		jmp	loc_8AB1E3
; 

loc_9342E8:				; CODE XREF: IoReportDetectedDevice+3D1j
		cmp	dword ptr [ebx], 0
		jz	loc_8AB307
		cmp	dword ptr [ebx+10h], 0
		jz	loc_8AB307
		mov	ecx, ebx
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		push	47706E50h
		mov	edi, eax
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_93417C
		push	edi		; size_t
		push	[esp+214h+var_1D4] ; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [esi+10h]
		lea	ecx, [esp+26h]
		add	esp, 0Ch
		mov	[esp+210h+var_1F6], 0
		push	ecx
		push	ecx
		push	ecx
		push	ebx
		push	eax
		push	ecx
		push	0
		push	dword ptr [eax+8]
		xor	ecx, ecx
		call	_IoReportResourceUsageInternal@40 ; IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)
		push	47706E50h
		push	ebx
		mov	edi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		js	short loc_934363
		cmp	[esp+210h+var_1F6], 0
		jz	loc_8AB219

loc_934363:				; CODE XREF: IoReportDetectedDevice+89426j
		mov	ecx, esi
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		test	eax, eax
		jnz	short loc_934377
		push	edi
		push	0Ch
		pop	edx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)

loc_934377:				; CODE XREF: IoReportDetectedDevice+8943Cj
		mov	edi, 0C0000018h
		jmp	loc_8AB219
; 

loc_934381:				; CODE XREF: IoReportDetectedDevice+319j
		mov	edx, 80000000h
		mov	ecx, esi
		call	PipSetDevNodeFlags
		jmp	loc_8AB24F
; 

loc_934392:				; CODE XREF: IoReportDetectedDevice+344j
		push	[esp+210h+var_1E8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8AB27A
; 

loc_9343A0:				; CODE XREF: IoReportDetectedDevice+34Fj
		push	[esp+210h+var_1E4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8AB285
; END OF FUNCTION CHUNK	FOR IoReportDetectedDevice
; 
; START	OF FUNCTION CHUNK FOR IopIsReportedAlready

loc_9343AE:				; CODE XREF: IopIsReportedAlready+123j
		mov	ecx, [ebp+var_21C]
		lea	eax, [ebp+var_220]
		push	eax
		push	0
		mov	edx, offset ??_C@_1BG@MNAOJKEG@?$AAB?$AAo?$AAo?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@ ; "B"
		call	IopGetRegistryValue
		push	[ebp+var_21C]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		mov	esi, [ebp+var_220]
		js	loc_8AB441
		cmp	dword ptr [esi+4], 8
		jnz	loc_8AB441
		mov	eax, [ebp+var_214]
		cmp	[esi+0Ch], ebx
		jz	loc_8AB447
		mov	edi, [esi+8]
		add	edi, esi
		test	eax, eax
		jz	loc_8AB44F
		test	edi, edi
		jz	loc_8AB447
		push	ecx
		push	ecx
		mov	edx, edi
		mov	ecx, eax
		call	_PnpIsDuplicateDevice@16 ; PnpIsDuplicateDevice(x,x,x,x)
		test	eax, eax
		jz	loc_8AB441
		mov	eax, [ebp+var_210]
		mov	dword ptr [eax], 1
		jmp	loc_8AB441
; 

loc_934434:				; CODE XREF: IopIsReportedAlready+A4j
					; IopIsReportedAlready+B1j ...
		mov	edi, [ebp+var_210]
		jmp	loc_8AB45F
; 

loc_93443F:				; CODE XREF: IopIsReportedAlready+170j
		mov	ecx, [ebp+var_218]
		lea	eax, [ebp+var_23C]
		push	eax
		push	0
		mov	edx, offset ??_C@_1BO@DEANAFMF@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAR?$AAe?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd@NNGAKEGL@	; "DeviceReported"
		call	IopGetRegistryValue
		test	eax, eax
		jns	loc_8AB55B
		jmp	loc_8AB48E
; 

loc_934465:				; CODE XREF: IopIsReportedAlready+222j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8AB540
; 

loc_934472:				; CODE XREF: IopIsReportedAlready+22Aj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8AB548
; END OF FUNCTION CHUNK	FOR IopIsReportedAlready
; 
; START	OF FUNCTION CHUNK FOR IopDuplicateDetection

loc_93447F:				; CODE XREF: IopDuplicateDetection+37j
		mov	esi, [ebp+var_4]
		test	esi, esi
		jz	loc_8AB5DB
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_0]
		push	edi
		push	ebx
		push	dword ptr [esi+4]
		call	dword ptr [esi+10h]
		test	eax, eax
		js	short loc_9344B6
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_9344B6
		mov	eax, [eax+0B0h]
		xor	edi, edi
		mov	ecx, [ebp+arg_4]
		mov	eax, [eax+14h]
		mov	[ecx], eax
		jmp	short loc_9344BB
; 

loc_9344B6:				; CODE XREF: IopDuplicateDetection+88EFDj
					; IopDuplicateDetection+88F04j
		mov	edi, 0C0000010h

loc_9344BB:				; CODE XREF: IopDuplicateDetection+88F16j
		push	dword ptr [esi+4]
		call	dword ptr [esi+0Ch]
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_8AB5E0
; END OF FUNCTION CHUNK	FOR IopDuplicateDetection
; 
; START	OF FUNCTION CHUNK FOR PpmRegisterProfiles

loc_9344D0:				; CODE XREF: PpmRegisterProfiles+1Cj
		mov	eax, 0C000000Dh
		jmp	loc_8AB7F7
; 

loc_9344DA:				; CODE XREF: PpmRegisterProfiles+B2j
		mov	eax, 0C000009Ah
		jmp	loc_8AB7F5
; END OF FUNCTION CHUNK	FOR PpmRegisterProfiles
; 
; START	OF FUNCTION CHUNK FOR PpmEventTraceProfiles

loc_9344E4:				; CODE XREF: PpmEventTraceProfiles+4Aj
		test	bh, bh
		jnz	short loc_9344EF
		push	offset _PPM_ETW_PROCESSOR_PROFILE_REGISTERED
		jmp	short loc_9344F4
; 

loc_9344EF:				; CODE XREF: PpmEventTraceProfiles+88CECj
		push	offset _PPM_ETW_PROCESSOR_PROFILE_RUNDOWN

loc_9344F4:				; CODE XREF: PpmEventTraceProfiles+88CF3j
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_8AB84A
		push	esi
		mov	esi, _PpmCurrentProfile
		xor	bl, bl
		push	edi
		mov	edi, offset _PpmDefaultProfile
		mov	[ebp+var_B4], esi
		call	KeQueryInterruptTime
		mov	ecx, edx
		mov	[ebp+var_B8], eax
		push	ecx
		mov	[ebp+var_BC], ecx
		mov	ecx, esi
		push	eax
		call	_PpmEndProfileAccumulation@12 ;	PpmEndProfileAccumulation(x,x,x)

loc_93453E:				; CODE XREF: PpmEventTraceProfiles+88EBDj
		mov	esi, [edi]
		lea	eax, [ebp+var_98]
		push	eax
		mov	edx, 7FFFFFFFh
		mov	ecx, esi
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	eax, [ebp+var_98]
		xor	ecx, ecx
		push	ecx
		xor	edx, edx
		mov	[ebp+var_90], ecx
		inc	edx
		mov	[ebp+var_88], ecx
		lea	eax, ds:2[eax*2]
		mov	[ebp+var_80], ecx
		mov	[ebp+var_8C], eax
		lea	eax, [edi+4]
		mov	[ebp+var_84], eax
		lea	eax, [edi+1Ch]
		mov	[ebp+var_74], eax
		lea	eax, [edi+18h]
		mov	[ebp+var_64], eax
		lea	eax, [edi+8]
		push	0Ah
		mov	[ebp+var_7C], edx
		mov	[ebp+var_78], ecx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_94], esi
		mov	[ebp+var_5C], 4
		mov	[ebp+var_4C], 10h
		push	dword ptr [edi+214h]
		push	dword ptr [edi+210h]
		call	__aulldiv
		push	0
		push	0Ah
		mov	[ebp+var_A0], eax
		mov	[ebp+var_9C], edx
		push	dword ptr [edi+21Ch]
		push	dword ptr [edi+218h]
		call	__aulldiv
		push	0
		push	0Ah
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A4], edx
		push	dword ptr [edi+224h]
		push	dword ptr [edi+220h]
		call	__aulldiv
		mov	[ebp+var_B0], eax
		xor	ecx, ecx
		mov	[ebp+var_AC], edx
		lea	eax, [edi+208h]
		lea	edx, [ebp+var_A0]
		mov	[ebp+var_44], eax
		push	8
		pop	eax
		mov	[ebp+var_34], edx
		lea	edx, [ebp+var_A8]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_24], edx
		lea	edx, [ebp+var_B0]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		push	eax
		push	9
		push	ecx
		test	bh, bh
		jz	short loc_934688
		push	offset _PPM_ETW_PROCESSOR_PROFILE_RUNDOWN
		jmp	short loc_93468D
; 

loc_934688:				; CODE XREF: PpmEventTraceProfiles+88E85j
		push	offset _PPM_ETW_PROCESSOR_PROFILE_REGISTERED

loc_93468D:				; CODE XREF: PpmEventTraceProfiles+88E8Cj
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	bl, _PpmProfileCount
		jz	short loc_9346BC
		movzx	eax, bl
		imul	edi, eax, 228h
		add	edi, _PpmProfiles
		inc	bl
		jmp	loc_93453E
; 

loc_9346BC:				; CODE XREF: PpmEventTraceProfiles+88EAAj
		mov	eax, [ebp+var_B4]
		mov	ecx, [ebp+var_B8]
		pop	edi
		pop	esi
		mov	[eax+200h], ecx
		mov	ecx, [ebp+var_BC]
		mov	[eax+204h], ecx
		jmp	loc_8AB84A
; END OF FUNCTION CHUNK	FOR PpmEventTraceProfiles
; 
; START	OF FUNCTION CHUNK FOR KeQueryCpuSetInformation

loc_9346E1:				; CODE XREF: KeQueryCpuSetInformation+75j
		inc	edi
		mov	[ebp+var_24], edi
		movzx	eax, ds:_KiActiveGroups
		cmp	edi, eax
		jnb	loc_8AB999
		mov	eax, ds:_KiGroupBlock[edi*8]
		mov	[ebp+var_20], eax
		jmp	loc_8AB991
; 

loc_934703:				; CODE XREF: KeQueryCpuSetInformation+FCj
		xor	eax, eax
		inc	eax
		mov	[ebp+var_1C], eax
		or	[edx+13h], al
		xor	ecx, ecx
		inc	ecx
		jmp	loc_8AB95A
; 

loc_934714:				; CODE XREF: KeQueryCpuSetInformation+109j
		mov	eax, ecx
		test	ebx, ebx
		jz	short loc_934739
		test	[ebx+edi*4], esi
		jz	short loc_934739
		or	eax, 4
		mov	[ebp+var_1C], eax
		jmp	short loc_934739
; 

loc_934727:				; CODE XREF: KeQueryCpuSetInformation+114j
		test	dword ptr [esi+0F8h], 8000000h
		jz	loc_8AB972
		mov	eax, ecx

loc_934739:				; CODE XREF: KeQueryCpuSetInformation+88EC0j
					; KeQueryCpuSetInformation+88EC5j ...
		or	eax, 0Ah
		mov	[ebp+var_1C], eax
		jmp	loc_8AB972
; END OF FUNCTION CHUNK	FOR KeQueryCpuSetInformation

;  S U B	R O U T	I N E 


sub_934744	proc near		; DATA XREF: .text:006A7424o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_934744	endp


;  S U B	R O U T	I N E 


sub_934754	proc near		; DATA XREF: .text:006A7428o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-44h]
		jmp	loc_8AB9BD
sub_934754	endp

; 
; START	OF FUNCTION CHUNK FOR PpmEventTraceProfileSetting

loc_934766:				; CODE XREF: PpmEventTraceProfileSetting+41j
		xor	eax, eax
		mov	ecx, esi
		cmp	[ebp+arg_10], eax
		setnz	al
		mov	[ebp+var_7C], eax
		lea	edx, [ecx+1]

loc_934776:				; CODE XREF: PpmEventTraceProfileSetting+88D9Dj
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_934776
		sub	ecx, edx
		mov	[ebp+var_64], esi
		lea	eax, [ebp+var_78]
		mov	[ebp+var_2C], 10h
		mov	[ebp+var_74], eax
		xor	edx, edx
		push	edi
		lea	eax, [ecx+1]
		xor	edi, edi
		mov	[ebp+var_5C], eax
		inc	edx
		mov	[ebp+var_70], edi
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], edi
		mov	[ebp+var_60], edi
		mov	[ebp+var_58], edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], edi
		push	4
		pop	ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_1C], ecx
		push	eax
		push	7
		push	edi
		test	bl, bl
		jz	short loc_93480A
		push	offset _PPM_ETW_PROCESSOR_PROFILE_SETTING_RUNDOWN
		jmp	short loc_93480F
; 

loc_93480A:				; CODE XREF: PpmEventTraceProfileSetting+88E23j
		push	offset _PPM_ETW_PROCESSOR_PROFILE_SETTING_CHANGE

loc_93480F:				; CODE XREF: PpmEventTraceProfileSetting+88E2Aj
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	edi
		jmp	loc_8ABA25
; END OF FUNCTION CHUNK	FOR PpmEventTraceProfileSetting
; 
; START	OF FUNCTION CHUNK FOR IoGetDmaAdapter

loc_934826:				; CODE XREF: IoGetDmaAdapter+75j
					; IoGetDmaAdapter+7Ej
		cmp	dword ptr [edi], 3
		jnb	short loc_93482F
		push	28h
		jmp	short loc_934833
; 

loc_93482F:				; CODE XREF: IoGetDmaAdapter+88D2Fj
		jnz	short loc_934836
		push	40h

loc_934833:				; CODE XREF: IoGetDmaAdapter+88D33j
		pop	eax
		jmp	short loc_934838
; 

loc_934836:				; CODE XREF: IoGetDmaAdapter:loc_93482Fj
		xor	eax, eax

loc_934838:				; CODE XREF: IoGetDmaAdapter+88D3Aj
		push	eax		; size_t
		lea	eax, [esp+6Ch+var_50]
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [esp+68h+var_54]
		push	eax
		lea	eax, [esp+6Ch+var_3C]
		push	eax
		push	4
		push	0Dh
		push	esi
		call	IoGetDeviceProperty
		test	eax, eax
		jns	short loc_934867
		mov	[esp+68h+var_3C], 1

loc_934867:				; CODE XREF: IoGetDmaAdapter+88D63j
		lea	edi, [esp+68h+var_50]
		jmp	loc_8ABB7E
; 

loc_934870:				; CODE XREF: IoGetDmaAdapter+4Bj
					; IoGetDmaAdapter+5Bj
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_9348B1
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		xor	ebx, ebx
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_9348B3
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		jmp	short loc_9348B3
; 

loc_9348B1:				; CODE XREF: IoGetDmaAdapter+88D86j
		xor	ebx, ebx

loc_9348B3:				; CODE XREF: IoGetDmaAdapter+88D9Cj
					; IoGetDmaAdapter+88DB5j
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_934951
		mov	edx, 1F4h
		lea	edi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[edi], bx
		jz	short loc_9348EB
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock

loc_9348EB:				; CODE XREF: IoGetDmaAdapter+88DDAj
		mov	edx, [esi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_93491F
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [esi+0B0h]

loc_93491F:				; CODE XREF: IoGetDmaAdapter+88E00j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_934951
		lea	ecx, [eax+1Ch]
		cmp	[ecx], bx
		jz	short loc_934951
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_934951:				; CODE XREF: IoGetDmaAdapter+88DC4j
					; IoGetDmaAdapter+88E2Dj ...
		push	ebx
		push	ebx
		push	esi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_934961:				; CODE XREF: PiGetDmaAdapterFromBusInterface+2Ej
					; PiGetDmaAdapterFromBusInterface+3Ej
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_93499E
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		add	ecx, 1Ch
		cmp	[ecx], di
		jz	short loc_93499E
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_93499E:				; CODE XREF: IoGetDmaAdapter+88E77j
					; IoGetDmaAdapter+88E8Bj
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_934A3C
		mov	edx, 1F4h
		lea	ebx, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[ebx], di
		jz	short loc_9349D6
		push	2
		pop	edx
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [ebx]
		mov	ecx, [ebx+4]
		call	IoAddTriageDumpDataBlock

loc_9349D6:				; CODE XREF: IoGetDmaAdapter+88EC5j
		mov	edx, [esi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], di
		jz	short loc_934A0A
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [esi+0B0h]

loc_934A0A:				; CODE XREF: IoGetDmaAdapter+88EEBj
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_934A3C
		lea	ecx, [eax+1Ch]
		cmp	[ecx], di
		jz	short loc_934A3C
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_934A3C:				; CODE XREF: PiGetDmaAdapterFromBusInterface+1Dj
					; IoGetDmaAdapter+88EAFj ...
		push	edi
		push	edi
		push	esi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_934A4C:				; CODE XREF: PiDqActionDataGetChangedProperties+D6j
		cmp	byte ptr [ebp+arg_4], dl
		jnz	loc_8ABE26

loc_934A55:				; CODE XREF: PiDqActionDataGetChangedProperties+C0j
					; PiDqActionDataGetChangedProperties+CBj
		mov	eax, [ebp+var_4C]
		jmp	loc_8ABDE5
; END OF FUNCTION CHUNK	FOR IoGetDmaAdapter
; 
; START	OF FUNCTION CHUNK FOR PiDqActionDataGetChangedProperties

loc_934A5D:				; CODE XREF: PiDqActionDataGetChangedProperties+7Bj
		mov	eax, [ecx+14h]
		jmp	loc_8ABE2B
; 

loc_934A65:				; CODE XREF: PiDqActionDataGetChangedProperties+E3j
		sub	eax, 1
		jnz	loc_934C1F
		cmp	[ebp+var_48], eax
		jnz	short loc_934AA0
		mov	edx, [ebp+var_50]
		lea	eax, [ebp+var_48]
		push	ecx
		push	ecx
		push	eax
		push	[ebp+var_64]
		xor	ebx, ebx
		xor	ecx, ecx
		push	ebx
		push	1
		push	[ebp+var_54]
		inc	ecx
		call	_PiDqOpenObjectRegKey@36 ; PiDqOpenObjectRegKey(x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_30], eax
		cmp	eax, 0C0000034h
		jnz	short loc_934AA0
		or	[ebp+var_48], 0FFFFFFFFh
		mov	[ebp+var_30], ebx

loc_934AA0:				; CODE XREF: PiDqActionDataGetChangedProperties+88D27j
					; PiDqActionDataGetChangedProperties+88D4Dj
		mov	esi, [ebp+var_48]
		cmp	esi, 0FFFFFFFFh
		jz	loc_934C17
		mov	ebx, [ebp+var_30]
		jmp	loc_8ABE36
; 

loc_934AB4:				; CODE XREF: PiDqActionDataGetChangedProperties+F8j
		mov	ecx, [ebp+var_50]
		lea	eax, [ebp+var_2C]
		push	eax
		mov	eax, [ebp+var_34]
		mov	edx, edi
		push	[ebp+var_58]
		push	dword ptr [eax+14h]
		push	eax
		push	esi
		call	_PiDqPnPGetObjectPropertyInBestLocale@28 ; PiDqPnPGetObjectPropertyInBestLocale(x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_30], ebx
		test	ebx, ebx
		js	loc_8ABEC3
		mov	eax, [ebp+var_58]
		mov	edi, [ebp+var_14]

loc_934AE0:				; CODE XREF: PiDqActionDataGetChangedProperties+88DF6j
		movzx	esi, word ptr [eax]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	eax, [ebp+var_34]
		mov	eax, [eax+18h]
		cmp	eax, esi
		jz	short loc_934B42
		test	eax, eax
		jz	short loc_934B08
		test	esi, esi
		jz	short loc_934B08
		push	esi		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_934B42

loc_934B08:				; CODE XREF: PiDqActionDataGetChangedProperties+88DABj
					; PiDqActionDataGetChangedProperties+88DAFj
		cmp	edi, esi
		jz	short loc_934B7F
		test	edi, edi
		jz	short loc_934B21
		test	esi, esi
		jz	short loc_934B7F
		push	esi		; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_934B7F

loc_934B21:				; CODE XREF: PiDqActionDataGetChangedProperties+88DC4j
		test	esi, esi
		jz	short loc_934B7F
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_934B2A:				; CODE XREF: PiDqActionDataGetChangedProperties+88DEAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_68]
		jnz	short loc_934B2A
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ecx+1]
		lea	eax, [esi+eax*2]
		jmp	short loc_934AE0
; 

loc_934B42:				; CODE XREF: PiDqActionDataGetChangedProperties+88DA7j
					; PiDqActionDataGetChangedProperties+88DBCj
		xor	eax, eax
		mov	edi, eax
		mov	eax, [ebp+var_44]
		mov	ebx, [eax]
		test	ebx, ebx
		jz	short loc_934B9C
		mov	eax, [ebp+var_40]
		mov	esi, [eax]
		mov	eax, [ebp+var_1C]
		add	esi, 14h

loc_934B5A:				; CODE XREF: PiDqActionDataGetChangedProperties+88E50j
		cmp	eax, [esi-4]
		jnz	short loc_934B94
		push	10h		; size_t
		lea	eax, [esi-14h]
		push	eax		; void *
		lea	eax, [ebp+var_2C]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_934B91
		mov	eax, [ebp+var_18]
		cmp	eax, [esi]
		jnz	short loc_934B91
		mov	ebx, [ebp+var_30]

loc_934B7F:				; CODE XREF: PiDqActionDataGetChangedProperties+88DC0j
					; PiDqActionDataGetChangedProperties+88DC8j ...
		mov	edx, 58706E50h
		lea	ecx, [ebp+var_2C]
		call	_PnpFreeDevProperty@8 ;	PnpFreeDevProperty(x,x)
		jmp	loc_8ABEA2
; 

loc_934B91:				; CODE XREF: PiDqActionDataGetChangedProperties+88E29j
					; PiDqActionDataGetChangedProperties+88E30j
		mov	eax, [ebp+var_1C]

loc_934B94:				; CODE XREF: PiDqActionDataGetChangedProperties+88E13j
		inc	edi
		add	esi, 28h
		cmp	edi, ebx
		jb	short loc_934B5A

loc_934B9C:				; CODE XREF: PiDqActionDataGetChangedProperties+88E03j
		mov	ecx, [ebp+var_3C]
		cmp	ecx, ebx
		ja	short loc_934BE7
		cmp	[ebp+arg_10], 0
		jbe	short loc_934BAE
		mov	ecx, [ebp+arg_10]
		jmp	short loc_934BBE
; 

loc_934BAE:				; CODE XREF: PiDqActionDataGetChangedProperties+88E5Dj
		mov	eax, [ebp+var_38]
		mov	eax, [eax+2Ch]
		cmp	eax, 5
		ja	short loc_934BBC
		push	5
		pop	eax

loc_934BBC:				; CODE XREF: PiDqActionDataGetChangedProperties+88E6Dj
		add	ecx, eax

loc_934BBE:				; CODE XREF: PiDqActionDataGetChangedProperties+88E62j
		mov	[ebp+var_3C], ecx
		mov	edx, ebx
		push	ecx
		mov	ecx, [ebp+var_40]
		call	PiDqGrowPropertyArray
		mov	ebx, eax
		mov	[ebp+var_30], eax
		test	ebx, ebx
		jns	short loc_934BEA
		mov	edx, 58706E50h
		lea	ecx, [ebp+var_2C]
		call	_PnpFreeDevProperty@8 ;	PnpFreeDevProperty(x,x)
		jmp	loc_8ABEC3
; 

loc_934BE7:				; CODE XREF: PiDqActionDataGetChangedProperties+88E57j
		mov	ebx, [ebp+var_30]

loc_934BEA:				; CODE XREF: PiDqActionDataGetChangedProperties+88E89j
		mov	eax, [ebp+var_44]
		lea	esi, [ebp+var_2C]
		mov	ecx, [ebp+var_40]
		push	0Ah
		imul	edi, [eax], 28h
		add	edi, [ecx]
		pop	ecx
		rep movsd
		jmp	loc_8ABEA0
; 

loc_934C02:				; CODE XREF: PiDqActionDataGetChangedProperties+10Ej
		mov	eax, [ebp+var_38]
		mov	eax, [eax+2Ch]
		cmp	eax, 5
		ja	short loc_934C10
		push	5
		pop	eax

loc_934C10:				; CODE XREF: PiDqActionDataGetChangedProperties+88EC1j
		add	ecx, eax
		jmp	loc_8ABE61
; 

loc_934C17:				; CODE XREF: PiDqActionDataGetChangedProperties+88D5Cj
		mov	ecx, [ebp+var_34]
		jmp	loc_8ABDEE
; 

loc_934C1F:				; CODE XREF: PiDqActionDataGetChangedProperties+88D1Ej
		mov	ebx, 0C000000Dh
		jmp	loc_8ABEC3
; 

loc_934C29:				; CODE XREF: PiDqActionDataGetChangedProperties+17Ej
		cmp	esi, 0FFFFFFFFh
		jz	loc_8ABECE
		push	esi
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8ABECE
; END OF FUNCTION CHUNK	FOR PiDqActionDataGetChangedProperties
; 
; START	OF FUNCTION CHUNK FOR PiDqGrowPropertyArray

loc_934C3D:				; CODE XREF: PiDqGrowPropertyArray+2Bj
		imul	eax, [ebp+var_4], 28h
		push	eax		; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	58706E50h
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8ABF23
; END OF FUNCTION CHUNK	FOR PiDqGrowPropertyArray
; 
; START	OF FUNCTION CHUNK FOR PpmEnableProfile

loc_934C5D:				; CODE XREF: PpmEnableProfile+37j
		mov	_PpmBackgroundProfile, esi
		jmp	short loc_934C73
; 

loc_934C65:				; CODE XREF: PpmEnableProfile+4Fj
		mov	_PpmEntryLevelPerfProfile, esi
		jmp	short loc_934C73
; 

loc_934C6D:				; CODE XREF: PpmEnableProfile+67j
		mov	_PpmMultimediaQosProfile, esi

loc_934C73:				; CODE XREF: PpmEnableProfile+88D2Dj
					; PpmEnableProfile+88D35j
		mov	cl, 1
		call	_PpmReinitializeHeteroEngine@4 ; PpmReinitializeHeteroEngine(x)
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		jmp	loc_8ABFA3
; END OF FUNCTION CHUNK	FOR PpmEnableProfile

;  S U B	R O U T	I N E 


sub_934C89	proc near		; CODE XREF: PpmEventTraceProfileEnable+26j
		push	ebx
		mov	ebx, _PpmEtwHandle
		push	edi
		mov	edi, dword_6BFD04
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_934CC5
		lea	eax, [ebp-18h]
		xor	ecx, ecx
		mov	[ebp-14h], eax
		inc	ecx
		lea	eax, [ebp-14h]
		mov	[ebp-0Ch], ecx
		push	eax
		push	ecx
		xor	edx, edx
		push	edx
		push	esi
		push	edi
		push	ebx
		mov	[ebp-10h], edx
		mov	[ebp-8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_934CC5:				; CODE XREF: sub_934C89+18j
		pop	edi
		pop	ebx
		jmp	loc_8ABFE4
sub_934C89	endp

; 
; START	OF FUNCTION CHUNK FOR RtlSelfRelativeToAbsoluteSD

loc_934CCC:				; CODE XREF: RtlSelfRelativeToAbsoluteSD+29j
		mov	eax, 0C00000E7h
		jmp	locret_8AC0FB
; 

loc_934CD6:				; CODE XREF: RtlSelfRelativeToAbsoluteSD+D6j
		movzx	eax, word ptr [ecx+2]
		mov	esi, [ebp+arg_14]
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memmove
		add	esp, 0Ch
		mov	[edi+0Ch], esi
		jmp	loc_8AC0DA
; END OF FUNCTION CHUNK	FOR RtlSelfRelativeToAbsoluteSD
; 
; START	OF FUNCTION CHUNK FOR WmipLegacyEtwWorker

loc_934CF0:				; CODE XREF: WmipLegacyEtwWorker+2Bj
		add	ebx, 0Ch
		jmp	loc_8AC196
; 

loc_934CF8:				; CODE XREF: WmipLegacyEtwWorker+5Dj
		sub	eax, 1
		jz	short loc_934D14
		sub	eax, 1
		jnz	loc_8AC1CE
		mov	edx, esi
		mov	ecx, edi
		call	_WmipProcessLegacyEtwCallback@8	; WmipProcessLegacyEtwCallback(x,x)
		jmp	loc_8AC1CE
; 

loc_934D14:				; CODE XREF: WmipLegacyEtwWorker+88B99j
		mov	ecx, esi
		call	_WmipProcessLegacyEtwUnregister@4 ; WmipProcessLegacyEtwUnregister(x)
		jmp	loc_8AC1CE
; END OF FUNCTION CHUNK	FOR WmipLegacyEtwWorker
; 
; START	OF FUNCTION CHUNK FOR EtwpGetAutoLoggerEventNameFilter

loc_934D20:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+174j
		mov	ecx, eax
		lea	edx, [ecx+2]

loc_934D25:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+88A54j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_934D25
		mov	esi, [ebp+var_32C]
		sub	ecx, edx
		mov	edx, esi
		sar	ecx, 1
		lea	edi, [edx+2]

loc_934D3F:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+88A72j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_31C]
		jnz	short loc_934D3F
		sub	edx, edi
		sar	edx, 1
		push	50777445h
		lea	eax, [edx+ecx]
		lea	eax, ds:4[eax*2]
		push	eax
		push	1
		mov	[ebp+var_324], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_8AC472
		mov	edx, dword ptr [ebp+var_310]
		push	esi
		push	edx		; char
		push	offset ??_C@_1BA@NPEHGALP@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	[ebp+var_324]	; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	ecx, eax
		add	esp, 14h
		test	ecx, ecx
		jnz	loc_8AC470
		push	edi
		lea	eax, [ebp+var_334]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_334]
		mov	[ebp+var_34C], 18h
		mov	[ebp+var_344], eax
		xor	esi, esi
		lea	eax, [ebp+var_34C]
		mov	[ebp+var_348], esi
		push	eax
		push	20019h
		lea	eax, [ebp+var_30C]
		mov	[ebp+var_340], 240h
		push	eax
		mov	[ebp+var_33C], esi
		mov	[ebp+var_338], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jns	loc_8AC454
		mov	[ebp+var_30C], esi
		jmp	loc_8AC454
; 

loc_934E0D:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+181j
					; EtwpGetAutoLoggerEventNameFilter+18Ej
		mov	eax, [ebp+var_320]
		mov	ecx, 1000h
		push	50777445h
		push	ecx
		push	1
		mov	[eax], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebx], esi
		test	esi, esi
		jz	loc_8AC472
		xor	eax, eax
		push	24Ch		; size_t
		push	eax		; int
		lea	eax, [ebp+var_304]
		push	eax		; void *
		call	_memset
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_B0], esi
		mov	[ebp+var_2F8], eax
		add	esp, 0Ch
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_2FC], offset ??_C@_1CA@DAIDIDOO@?$AAM?$AAa?$AAt?$AAc?$AAh?$AAA?$AAn?$AAy?$AAK?$AAe?$AAy?$AAw?$AAo?$AAr?$AAd@NNGAKEGL@
		mov	[ebp+var_2DC], eax
		mov	edx, offset EtwpQueryRegistryCallback
		lea	eax, [esi+8]
		mov	[ebp+var_304], edx
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_2C0], eax
		lea	eax, [esi+10h]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_2A4], eax
		lea	eax, [esi+11h]
		push	0Bh
		pop	ecx
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_94]
		push	4
		mov	[ebp+var_288], eax
		lea	eax, [esi+12h]
		mov	[ebp+var_2F4], ecx
		xor	esi, esi
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_2D8], ecx
		mov	[ebp+var_AC], ecx
		pop	ecx
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_2BC], ecx
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_2A0], ecx
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_284], ecx
		mov	[ebp+var_94], ecx
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_26C], eax
		push	ecx
		lea	eax, [ebp+var_350]
		mov	[ebp+var_2E8], edx
		mov	[ebp+var_264], eax
		lea	eax, [ebp+var_318]
		push	ecx
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_304]
		push	esi
		mov	[ebp+var_2CC], edx
		mov	[ebp+var_2B0], edx
		mov	[ebp+var_294], edx
		mov	[ebp+var_278], edx
		mov	edx, [ebp+var_308]
		mov	[ebp+var_268], ecx
		mov	[ebp+var_8C], ecx
		mov	ecx, 40000000h
		push	eax
		mov	[ebp+var_2E0], offset ??_C@_1CA@DABEMIJN@?$AAM?$AAa?$AAt?$AAc?$AAh?$AAA?$AAl?$AAl?$AAK?$AAe?$AAy?$AAw?$AAo?$AAr?$AAd@NNGAKEGL@
		mov	[ebp+var_2C4], (offset loc_8BFEC1+1)
		mov	[ebp+var_2A8], (offset loc_8C0CB7+1)
		mov	[ebp+var_28C], offset ??_C@_1BE@LJMECDMA@?$AAN?$AAa?$AAm?$AAe?$AAC?$AAo?$AAu?$AAn?$AAt@NNGAKEGL@
		mov	[ebp+var_270], (offset loc_8C0CE9+1)
		call	RtlpQueryRegistryValues
		test	eax, eax
		js	loc_8AC474
		mov	edx, [ebp+var_30C]
		test	edx, edx
		jz	short loc_935012
		mov	ecx, [ebx]
		push	1
		push	ecx
		push	esi
		lea	eax, [ecx+8]
		mov	[ebp+var_2F0], ecx
		mov	[ebp+var_2D4], eax
		lea	eax, [ecx+10h]
		mov	[ebp+var_2B8], eax
		lea	eax, [ecx+11h]
		mov	[ebp+var_29C], eax
		lea	eax, [ecx+12h]
		mov	[ebp+var_280], eax
		mov	ecx, 40000000h
		mov	eax, [ebp+var_314]
		mov	[ebp+var_264], eax
		movzx	eax, word ptr [ebp+var_318]
		mov	[ebp+var_260], eax
		lea	eax, [ebp+var_304]
		push	eax
		call	RtlpQueryRegistryValues

loc_935012:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+88CDCj
		mov	edx, [ebp+var_318]
		mov	ecx, esi
		movzx	eax, dx
		test	eax, 0FFFFFFFEh
		jbe	short loc_935047

loc_935024:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+88D6Bj
		mov	eax, [ebp+var_314]
		cmp	word ptr [eax+ecx*2], 3Bh
		jnz	short loc_93503D
		xor	edx, edx
		mov	[eax+ecx*2], dx
		mov	edx, [ebp+var_318]

loc_93503D:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+88D55j
		movzx	eax, dx
		inc	ecx
		shr	eax, 1
		cmp	ecx, eax
		jb	short loc_935024

loc_935047:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+88D48j
		mov	esi, [ebp+var_320]
		movzx	eax, dx
		add	eax, 2
		push	eax
		push	[ebp+var_314]
		mov	ecx, [esi]
		lea	eax, [ebp+var_310]
		push	eax
		mov	eax, [ebx]
		sub	ecx, 14h
		push	ecx
		add	eax, 14h
		mov	dword ptr [ebp+var_310], ecx
		push	eax
		call	RtlUnicodeToUTF8N
		mov	ecx, eax
		test	ecx, ecx
		jnz	loc_8AC470
		mov	eax, dword ptr [ebp+var_310]
		add	eax, 14h
		mov	[esi], eax
		jmp	loc_8AC46E
; 

loc_935092:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+1A6j
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebx], esi
		jmp	loc_8AC486
; 

loc_9350A0:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+1B3j
		push	[ebp+var_308]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8AC493
; 

loc_9350B0:				; CODE XREF: EtwpGetAutoLoggerEventNameFilter+1D1j
		push	[ebp+var_30C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8AC4B1
; END OF FUNCTION CHUNK	FOR EtwpGetAutoLoggerEventNameFilter
; 
; START	OF FUNCTION CHUNK FOR NtCreateKeyedEvent

loc_9350C0:				; CODE XREF: NtCreateKeyedEvent+28j
		mov	eax, [ebp+arg_0]
		test	al, 3
		jz	short loc_9350CC
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9350CC:				; CODE XREF: NtCreateKeyedEvent+88AD5j
		mov	edx, ds:_MmUserProbeAddress
		cmp	[ebp+arg_0], edx
		jb	short loc_9350D9
		mov	eax, edx

loc_9350D9:				; CODE XREF: NtCreateKeyedEvent+88AE5j
		nop
		mov	al, [eax]
		jmp	loc_8AC61E
; 

loc_9350E1:				; CODE XREF: NtCreateKeyedEvent+3Dj
		mov	eax, 0C00000F2h
		jmp	loc_8AC69B
; END OF FUNCTION CHUNK	FOR NtCreateKeyedEvent

;  S U B	R O U T	I N E 


sub_9350EB	proc near		; DATA XREF: .text:006A7450o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_9350EB	endp


;  S U B	R O U T	I N E 


sub_9350FB	proc near		; DATA XREF: .text:006A7454o
		mov	esp, [ebp-18h]
		mov	edx, [ebp-28h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_8AC699
sub_9350FB	endp

; 

loc_93510D:				; DATA XREF: .text:006A7444o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_93511D:				; DATA XREF: .text:006A7448o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2Ch]
		jmp	loc_8AC69B
; 
; START	OF FUNCTION CHUNK FOR PfpRpCHashEmpty

loc_93512F:				; CODE XREF: PfpRpCHashEmpty+2Fj
		inc	ebx
		jmp	loc_8AC727
; 

loc_935135:				; CODE XREF: PfpRpCHashEmpty+D6j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8AC7CE
; END OF FUNCTION CHUNK	FOR PfpRpCHashEmpty
; 
; START	OF FUNCTION CHUNK FOR IoOpenDeviceInterfaceRegistryKey

loc_935142:				; CODE XREF: IoOpenDeviceInterfaceRegistryKey+14j
					; IoOpenDeviceInterfaceRegistryKey+1Dj	...
		mov	edi, 0C000000Dh
		jmp	loc_8AC873
; END OF FUNCTION CHUNK	FOR IoOpenDeviceInterfaceRegistryKey
; 
; START	OF FUNCTION CHUNK FOR FsRtlGetTunnelParameterValue

loc_93514C:				; CODE XREF: FsRtlGetTunnelParameterValue+A6j
		lea	eax, [ebp+var_68]
		cmp	esi, eax
		jz	short loc_93515B
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_93515B:				; CODE XREF: FsRtlGetTunnelParameterValue+88885j
		push	4B6E7554h
		add	ebx, 100h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_935184
		lea	eax, [ebp+var_70]
		push	eax
		push	ebx
		push	esi
		push	1
		push	[ebp+var_74]
		jmp	loc_8AC962
; 

loc_935184:				; CODE XREF: FsRtlGetTunnelParameterValue+888A6j
		mov	eax, 0C0000017h
		jmp	loc_8AC995
; 

loc_93518E:				; CODE XREF: FsRtlGetTunnelParameterValue+B6j
		cmp	dword ptr [esi+0Ch], 0
		jz	short loc_9351A4
		mov	eax, [esi+8]
		mov	ecx, [ebp+var_78]
		mov	eax, [esi+eax]
		mov	[ecx], eax
		jmp	loc_8AC988
; 

loc_9351A4:				; CODE XREF: FsRtlGetTunnelParameterValue+888C6j
		mov	edi, 0C0000034h
		jmp	loc_8AC988
; 

loc_9351AE:				; CODE XREF: FsRtlGetTunnelParameterValue+C1j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8AC993
; END OF FUNCTION CHUNK	FOR FsRtlGetTunnelParameterValue

;  S U B	R O U T	I N E 


sub_9351BB	proc near		; DATA XREF: .text:006A746Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_9351BB	endp


;  S U B	R O U T	I N E 


sub_9351CB	proc near		; DATA XREF: .text:006A7470o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-24h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_8ACA23
sub_9351CB	endp

; 
; START	OF FUNCTION CHUNK FOR MmGetNodeChannelRanges

loc_9351DD:				; CODE XREF: MmGetNodeChannelRanges+42j
		mov	edi, 0C000009Ah
		jmp	loc_8ACB2A
; END OF FUNCTION CHUNK	FOR MmGetNodeChannelRanges
; 
; START	OF FUNCTION CHUNK FOR KeRegisterProcessorChangeCallback

loc_9351E7:				; CODE XREF: KeRegisterProcessorChangeCallback+8Aj
		xor	eax, eax
		jmp	loc_8ACC17
; 

loc_9351EE:				; CODE XREF: KeRegisterProcessorChangeCallback+145j
					; KeRegisterProcessorChangeCallback+154j
		push	ebx
		mov	[esp+70h+var_2C], 2
		call	ExUnregisterCallback
		mov	eax, [esp+6Ch+var_60]
		mov	ebx, esi
		mov	[esp+6Ch+var_50], esi
		jmp	loc_8ACCAC
; END OF FUNCTION CHUNK	FOR KeRegisterProcessorChangeCallback
; 
; START	OF FUNCTION CHUNK FOR EtwpRealtimeRestoreState

loc_93520B:				; CODE XREF: EtwpRealtimeRestoreState+B2j
		mov	eax, 0C0000011h
		jmp	loc_8ACD6D
; 

loc_935215:				; CODE XREF: EtwpRealtimeRestoreState+216j
		lea	ecx, [ebx+10h]
		cmp	dword ptr [ecx], 0
		jl	loc_8ACD6B
		mov	eax, 0C0000188h
		xchg	eax, [ecx]
		push	offset _ETW_EVENT_BACKING_FILE_FULL
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_8ACD6B
		push	dword ptr [ebx+0Ch]
		lea	eax, [ebx+5Ch]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		call	_EtwpEventWriteTemplateBackingFile@28 ;	EtwpEventWriteTemplateBackingFile(x,x,x,x,x,x,x)
		jmp	loc_8ACD6B
; 

loc_93525A:				; CODE XREF: EtwpRealtimeRestoreState+73j
					; EtwpRealtimeRestoreState+7Cj	...
		mov	eax, 0C0000102h
		jmp	loc_8ACD6D
; END OF FUNCTION CHUNK	FOR EtwpRealtimeRestoreState
; 
; START	OF FUNCTION CHUNK FOR FsRtlRegisterUncProviderEx2

loc_935264:				; CODE XREF: FsRtlRegisterUncProviderEx2+11j
		mov	eax, [ebp+arg_C]
		or	dword ptr [eax], 0FFFFFFFFh
		mov	eax, 0C000000Dh
		jmp	loc_8ACF54
; END OF FUNCTION CHUNK	FOR FsRtlRegisterUncProviderEx2
; 
; START	OF FUNCTION CHUNK FOR FsRtlpRegisterUncProvider

loc_935274:				; CODE XREF: FsRtlpRegisterUncProvider+67j
					; FsRtlpRegisterUncProvider+7Fj
		mov	eax, [ebp+var_4]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_935286
		test	eax, eax
		jz	short loc_935286
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_935286:				; CODE XREF: FsRtlpRegisterUncProvider+88322j
					; FsRtlpRegisterUncProvider+88326j
		mov	eax, [ebp+arg_4]
		or	dword ptr [eax], 0FFFFFFFFh
		jmp	loc_8ACFEB
; 

loc_935291:				; CODE XREF: FsRtlpRegisterUncProvider+12j
					; FsRtlpRegisterUncProvider+1Dj ...
		mov	eax, [ebp+arg_4]
		or	dword ptr [eax], 0FFFFFFFFh
		mov	eax, 0C000000Dh
		jmp	loc_8ACFFE
; END OF FUNCTION CHUNK	FOR FsRtlpRegisterUncProvider
; 
; START	OF FUNCTION CHUNK FOR FsRtlpRegisterProviderWithMUP

loc_9352A1:				; CODE XREF: FsRtlpRegisterProviderWithMUP+86j
		push	0
		push	0
		push	ebx
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		mov	edi, [ebp+var_C]
		jmp	loc_8AD090
; END OF FUNCTION CHUNK	FOR FsRtlpRegisterProviderWithMUP
; 
; START	OF FUNCTION CHUNK FOR NtSetUuidSeed

loc_9352B3:				; CODE XREF: NtSetUuidSeed+AFj
					; NtSetUuidSeed+10Ej
		push	0C000009Ah
		jmp	short loc_9352BF
; 

loc_9352BA:				; CODE XREF: NtSetUuidSeed+1A2j
		push	0C0000022h

loc_9352BF:				; CODE XREF: NtSetUuidSeed+88196j
					; NtSetUuidSeed+881A3j
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_9352C4:				; CODE XREF: NtSetUuidSeed+C6j
					; NtSetUuidSeed+124j ...
		push	eax
		jmp	short loc_9352BF
; 

loc_9352C7:				; CODE XREF: NtSetUuidSeed+1B4j
		mov	edx, eax
		jmp	loc_8AD2DC
; END OF FUNCTION CHUNK	FOR NtSetUuidSeed

;  S U B	R O U T	I N E 


sub_9352CE	proc near		; DATA XREF: .text:006A748Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-68h], eax
		xor	eax, eax
		inc	eax
		retn
sub_9352CE	endp


;  S U B	R O U T	I N E 


sub_9352DC	proc near		; DATA XREF: .text:006A7490o
		mov	esp, [ebp-18h]
		mov	eax, [ebp-68h]
		mov	[ebp-3Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		jmp	loc_8AD2F6
sub_9352DC	endp


;  S U B	R O U T	I N E 


sub_9352F3	proc near		; CODE XREF: NtSetUuidSeed+21Dj
		push	ebx
		mov	edx, esi
		mov	ecx, ebx
		call	ExfAcquirePushLockExclusiveEx
		jmp	loc_8AD345
sub_9352F3	endp

; 
; START	OF FUNCTION CHUNK FOR NtSetUuidSeed

loc_935302:				; CODE XREF: NtSetUuidSeed+255j
		test	al, 4
		jnz	loc_8AD37D
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8AD37D
; END OF FUNCTION CHUNK	FOR NtSetUuidSeed
; 
; START	OF FUNCTION CHUNK FOR WarbirdKmEncryptPointer

loc_935316:				; CODE XREF: WarbirdKmEncryptPointer+4Ej
		mov	ecx, edx
		shl	eax, cl
		or	[ebp+var_1C], eax
		jmp	loc_8AD4E0
; 

loc_935322:				; CODE XREF: WarbirdKmEncryptPointer+A6j
		rol	ebx, 8
		mov	ecx, ebx
		jmp	loc_8AD535
; END OF FUNCTION CHUNK	FOR WarbirdKmEncryptPointer
; 
; START	OF FUNCTION CHUNK FOR PipSetDevNodeUserFlags

loc_93532C:				; CODE XREF: PipSetDevNodeUserFlags+3Ej
		mov	edx, [esi+18h]
		push	1Dh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	ecx, [esi+110h]
		jmp	loc_8AD658
; 

loc_935341:				; CODE XREF: PipSetDevNodeUserFlags+4Bj
		mov	edx, [esi+18h]
		push	1Eh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		jmp	loc_8AD634
; END OF FUNCTION CHUNK	FOR PipSetDevNodeUserFlags
; 
; START	OF FUNCTION CHUNK FOR IoReportRootDevice

loc_935350:				; CODE XREF: IoReportRootDevice+A2j
		mov	eax, 0C0000033h
		jmp	loc_8AD832
; 

loc_93535A:				; CODE XREF: IoReportRootDevice+14Bj
		sub	ebx, [esp+368h+var_35A+2]
		movzx	eax, bx
		jmp	loc_8AD7C1
; 

loc_935366:				; CODE XREF: IoReportRootDevice+192j
		movzx	edx, word ptr [esp+368h+var_340]
		xor	esi, esi
		mov	ecx, [esp+368h+var_33C]
		add	edx, 4
		push	esi
		push	edx
		mov	eax, edx
		push	ecx
		shr	eax, 1
		push	7
		push	2
		push	edi
		mov	[ecx+eax*2-4], esi
		mov	edx, [esp+380h+var_354]
		mov	ecx, _PiPnpRtlCtx
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93544D
		mov	edx, [esp+368h+var_354]
		lea	eax, [esp+368h+var_348]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	4
		push	eax
		push	4
		push	0Bh
		push	edi
		mov	[esp+380h+var_348], 20h
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93544D
		mov	edx, [esp+368h+var_354]
		lea	eax, [esp+368h+var_35A+1]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	1
		push	eax
		push	11h
		push	offset _DEVPKEY_Device_Reported
		push	0
		push	edi
		push	1
		mov	byte ptr [esp+388h+var_35A+1], 0FFh
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_93544D
		mov	ecx, [esp+368h+var_338]
		mov	edx, [esp+368h+var_354]
		push	0
		movzx	eax, word ptr [ecx]
		add	eax, 2
		push	eax
		push	dword ptr [ecx+4]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	5
		push	edi
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_93544D
		mov	eax, [esp+368h+var_334]
		or	dword ptr [eax+8], 800h
		xor	eax, eax
		mov	ecx, _IopRootDeviceNode
		push	eax
		push	eax
		push	eax
		mov	ecx, [ecx+10h]
		push	eax
		push	eax
		push	8
		pop	edx
		call	PnpRequestDeviceAction
		jmp	loc_8AD802
; 

loc_93544D:				; CODE XREF: IoReportRootDevice+18Aj
					; IoReportRootDevice+87D2Dj ...
		test	bl, bl
		jz	loc_8AD802
		mov	edx, [esp+368h+var_354]
		mov	ecx, _PiPnpRtlCtx
		push	0
		call	__CmDeleteDevice@12 ; _CmDeleteDevice(x,x,x)
		lea	ecx, [esp+368h+var_35A+2]
		call	_PnpCleanupDeviceRegistryValues@4 ; PnpCleanupDeviceRegistryValues(x)
		jmp	loc_8AD802
; END OF FUNCTION CHUNK	FOR IoReportRootDevice
; 
; START	OF FUNCTION CHUNK FOR PnpUnloadAttachedDriver

loc_935474:				; CODE XREF: PnpUnloadAttachedDriver+1Ej
		movzx	ebx, word ptr ds:_CmRegistryMachineSystemCurrentControlSetServices
		movzx	ecx, word ptr [esi+0Ch]
		add	ebx, 6
		push	65647050h
		add	ebx, ecx
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9354A1
		mov	eax, 0C000009Ah
		jmp	loc_8AD870
; 

loc_9354A1:				; CODE XREF: PnpUnloadAttachedDriver+87C4Bj
		push	dword ptr [esi+10h]
		push	ds:dword_A94334	; char
		push	offset ??_C@_1M@DFKENGJN@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; "%s\\%s"
		push	ebx		; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		lea	eax, [ebp+var_8]
		push	edi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	dl, 1
		lea	ecx, [ebp+var_8]
		call	IopUnloadDriver
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8AD86E
; END OF FUNCTION CHUNK	FOR PnpUnloadAttachedDriver
; 
; START	OF FUNCTION CHUNK FOR EtwpAcquireTokenAccessInformation

loc_9354DC:				; CODE XREF: EtwpAcquireTokenAccessInformation+5Dj
		test	cl, 4
		jnz	loc_8AD8D9
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8AD8D9
; END OF FUNCTION CHUNK	FOR EtwpAcquireTokenAccessInformation

;  S U B	R O U T	I N E 


sub_9354F1	proc near		; DATA XREF: .text:006A74CCo
		mov	edx, [ebp+8]
		mov	ecx, [ebp-14h]
		call	_CmpMachineHiveCallbackFatalFilter@8 ; CmpMachineHiveCallbackFatalFilter(x,x)

loc_9354FC:				; DATA XREF: .text:006A74D0o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, [ebp+8]
		jmp	loc_8ADA39
sub_9354F1	endp

; 
; START	OF FUNCTION CHUNK FOR CmpMachineHiveLoadedWorkItem

loc_93550E:				; CODE XREF: CmpMachineHiveLoadedWorkItem+A9j
		push	0
		push	0
		push	offset _CmpMachineHiveCallbackEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_8AD9CA
; END OF FUNCTION CHUNK	FOR CmpMachineHiveLoadedWorkItem
; 
; START	OF FUNCTION CHUNK FOR CmFcpManagerSoftwareHiveReady

loc_935521:				; CODE XREF: CmFcpManagerSoftwareHiveReady+49j
		test	al, 4
		jnz	loc_8ADAAB
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8ADAAB
; END OF FUNCTION CHUNK	FOR CmFcpManagerSoftwareHiveReady
; 
; START	OF FUNCTION CHUNK FOR CmFcpManagerDrainUsageNotifications

loc_935535:				; CODE XREF: CmFcpManagerDrainUsageNotifications+8Dj
					; CmFcpManagerDrainUsageNotifications+87B2Cj
		mov	esi, [esp+40h+var_28]
		add	eax, esi
		mov	[esp+40h+var_20], eax
		cmp	esi, eax
		jnb	loc_9355DE
		mov	ecx, [esp+40h+var_30]
		imul	ebx, esi, 0Ch

loc_93554E:				; CODE XREF: CmFcpManagerDrainUsageNotifications+87B14j
		lea	edi, [ecx+10h]
		add	edi, ebx
		cmp	dword ptr [edi], 0
		jbe	short loc_93555F
		cmp	[esp+40h+var_31], 0
		jz	short loc_9355CE

loc_93555F:				; CODE XREF: CmFcpManagerDrainUsageNotifications+87A92j
		push	[esp+40h+var_1C]
		mov	edx, [esp+44h+var_18]
		lea	ecx, [edi+4]
		call	_RtlpFcSendFeatureUsageNotifications@12	; RtlpFcSendFeatureUsageNotifications(x,x,x)
		mov	ecx, [edi]
		inc	ecx
		mov	[edi], ecx
		test	eax, eax
		jns	short loc_9355A5
		cmp	eax, 0C0000017h
		jz	short loc_93558D
		cmp	eax, 0C000009Ah
		jz	short loc_93558D
		cmp	eax, 0C0000225h
		jz	short loc_9355A5

loc_93558D:				; CODE XREF: CmFcpManagerDrainUsageNotifications+87AB9j
					; CmFcpManagerDrainUsageNotifications+87AC0j
		cmp	ecx, 5
		jb	short loc_9355A5
		mov	edi, [esp+40h+var_2C]
		mov	eax, [esp+40h+var_20]
		inc	edi
		mov	ecx, [esp+40h+var_30]
		mov	[esp+40h+var_2C], edi
		jmp	short loc_9355D2
; 

loc_9355A5:				; CODE XREF: CmFcpManagerDrainUsageNotifications+87AB2j
					; CmFcpManagerDrainUsageNotifications+87AC7j ...
		xor	eax, eax
		mov	edx, esi
		stosd
		shr	edx, 3
		add	edx, [esp+40h+var_4]
		stosd
		stosd
		mov	eax, esi
		movsx	ecx, byte ptr [edx]
		and	eax, 7
		btr	ecx, eax
		mov	eax, [esp+40h+var_30]
		mov	[edx], cl
		mov	ecx, [esp+40h+var_30]
		dec	dword ptr [eax]
		mov	eax, [esp+40h+var_20]

loc_9355CE:				; CODE XREF: CmFcpManagerDrainUsageNotifications+87A99j
		mov	edi, [esp+40h+var_2C]

loc_9355D2:				; CODE XREF: CmFcpManagerDrainUsageNotifications+87ADFj
		inc	esi
		add	ebx, 0Ch
		cmp	esi, eax
		jb	loc_93554E

loc_9355DE:				; CODE XREF: CmFcpManagerDrainUsageNotifications+87A7Dj
		lea	ecx, [esp+40h+var_28]
		mov	edx, eax
		push	ecx
		lea	ecx, [esp+44h+var_8]
		call	RtlFindNextForwardRunSet
		test	eax, eax
		jnz	loc_935535
		mov	ebx, [esp+40h+var_C]
		jmp	loc_8ADB57
; END OF FUNCTION CHUNK	FOR CmFcpManagerDrainUsageNotifications
; 
; START	OF FUNCTION CHUNK FOR PfSnPrefetchCacheCtxStart

loc_9355FF:				; CODE XREF: PfSnPrefetchCacheCtxStart+27j
		mov	eax, 0C000009Ah
		jmp	loc_8ADCD7
; 

loc_935609:				; CODE XREF: PfSnPrefetchCacheCtxStart+70j
					; PfSnPrefetchCacheCtxStart+87A4Ej
		mov	edx, [edi+8]
		mov	edi, [ebp+var_8]
		mov	[ebp+var_10], edx

loc_935612:				; CODE XREF: PfSnPrefetchCacheCtxStart+87A40j
		mov	ecx, [edx+ebx*4]
		mov	[ebp+var_C], ecx
		test	ecx, 1
		jnz	short loc_935662
		mov	eax, [ecx]
		mov	[edx+ebx*4], eax
		mov	edx, [ecx+4]
		and	edx, edi
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_4], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		mov	edx, [ebp+var_C]
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	ecx, 25h
		add	ecx, eax
		and	ecx, 1Fh
		mov	eax, [esi+ecx*4]
		mov	[edx], eax
		mov	[esi+ecx*4], edx
		mov	edx, [ebp+var_10]
		jmp	short loc_935612
; 

loc_935662:				; CODE XREF: PfSnPrefetchCacheCtxStart+879FEj
		mov	edi, [ebp+var_14]
		inc	ebx
		mov	eax, [edi+4]
		shr	eax, 5
		cmp	ebx, eax
		jb	short loc_935609
		jmp	loc_8ADC96
; END OF FUNCTION CHUNK	FOR PfSnPrefetchCacheCtxStart
; 
; START	OF FUNCTION CHUNK FOR PiDqQueryCompletePendedIrp

loc_935675:				; CODE XREF: PiDqQueryCompletePendedIrp+2Ej
		push	0
		push	0
		mov	edx, 0C000009Ah
		jmp	loc_8ADD28
; END OF FUNCTION CHUNK	FOR PiDqQueryCompletePendedIrp
; 
; START	OF FUNCTION CHUNK FOR IopInsertLegacyBusDeviceNode

loc_935683:				; CODE XREF: IopInsertLegacyBusDeviceNode+18j
		xor	esi, esi
		inc	esi
		jmp	loc_8ADD5A
; END OF FUNCTION CHUNK	FOR IopInsertLegacyBusDeviceNode
; 
; START	OF FUNCTION CHUNK FOR CmReferenceKtmTransaction

loc_93568B:				; CODE XREF: CmReferenceKtmTransaction+16j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	edi, 0C0190003h
		jmp	loc_8ADDEC
; END OF FUNCTION CHUNK	FOR CmReferenceKtmTransaction
; 
; START	OF FUNCTION CHUNK FOR ExpWnfGetPermanentDataStoreHandleByScopeId

loc_93569C:				; CODE XREF: ExpWnfGetPermanentDataStoreHandleByScopeId+1Fj
		cmp	ecx, 4
		jz	loc_8ADE47
		cmp	ecx, 2
		jz	loc_8ADE47

loc_9356AE:				; CODE XREF: ExpWnfGetPermanentDataStoreHandleByScopeId+17j
					; ExpWnfGetPermanentDataStoreHandleByScopeId+878A2j
		mov	eax, [ebp+arg_C]
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFCEh
		add	eax, 0C0000034h
		jmp	loc_8ADE5F
; 

loc_9356C2:				; CODE XREF: ExpWnfGetPermanentDataStoreHandleByScopeId+28j
		test	edx, edx
		jnz	short loc_9356AE
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_0]
		call	_ExpWnfGetPermanentPerUserDataStoreHandle@8 ; ExpWnfGetPermanentPerUserDataStoreHandle(x,x)
		jmp	loc_8ADE5F
; END OF FUNCTION CHUNK	FOR ExpWnfGetPermanentDataStoreHandleByScopeId
; 
; START	OF FUNCTION CHUNK FOR PopDiagTraceDirectedDripsInitialization

loc_9356D6:				; CODE XREF: PopDiagTraceDirectedDripsInitialization+41j
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_5C], esi
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	3
		push	ebx
		push	ebx
		push	offset loc_41E121
		push	edi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], 4
		mov	[ebp+var_2C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_8ADEF7
; 

loc_935704:				; CODE XREF: PopDiagTraceDirectedDripsInitialization+69j
		push	4
		pop	ecx
		lea	eax, [ebp+var_60]
		mov	[ebp+var_60], ebx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		push	ebx
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_ENGAGED
		push	esi
		push	edi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_8ADF1F
; END OF FUNCTION CHUNK	FOR PopDiagTraceDirectedDripsInitialization
; 
; START	OF FUNCTION CHUNK FOR PopDirectedDripsQueryPs4Support

loc_935740:				; CODE XREF: PopDirectedDripsQueryPs4Support+3Dj
		lea	ecx, [ebp+var_1]
		call	_PopDirectedDripsQueryEmSettings@4 ; PopDirectedDripsQueryEmSettings(x)
		cmp	byte ptr [ebp+var_1], bl
		jz	short loc_935754
		push	4
		jmp	loc_8ADFEF
; 

loc_935754:				; CODE XREF: PopDirectedDripsQueryPs4Support+877A1j
		mov	eax, ds:_PopDripsCallbackInterval
		test	eax, eax
		jnz	short loc_935764
		push	5
		jmp	loc_8ADFEF
; 

loc_935764:				; CODE XREF: PopDirectedDripsQueryPs4Support+877B1j
		mov	ecx, ds:_PopDirectedDripsTimeout
		cmp	ecx, eax
		jb	short loc_93577A
		cmp	ecx, ds:_PopDripsWatchdogTimeout
		jbe	loc_8ADFF0

loc_93577A:				; CODE XREF: PopDirectedDripsQueryPs4Support+877C2j
		push	8
		jmp	loc_8ADFEF
; END OF FUNCTION CHUNK	FOR PopDirectedDripsQueryPs4Support
; 
; START	OF FUNCTION CHUNK FOR PopDirectedDripsQueryRegistryValues

loc_935781:				; CODE XREF: PopDirectedDripsQueryRegistryValues+EEj
		cmp	[ebp+var_10], 4
		jnz	loc_8AE126
		mov	eax, [ebp+var_C]
		mov	[ebx], eax
		jmp	loc_8AE126
; END OF FUNCTION CHUNK	FOR PopDirectedDripsQueryRegistryValues
; 
; START	OF FUNCTION CHUNK FOR _PnpCtxOpenMachine

loc_935795:				; CODE XREF: _PnpCtxOpenMachine+2Bj
		mov	ebx, 0C0000017h
		jmp	loc_8AE365
; 

loc_93579F:				; CODE XREF: _PnpCtxOpenMachine+D9j
		mov	ebx, 0C0000017h
		jmp	loc_8AE359
; 

loc_9357A9:				; CODE XREF: _PnpCtxOpenMachine+F5j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8AE2A7
; 

loc_9357B6:				; CODE XREF: _PnpCtxOpenMachine+1B3j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8AE365
; END OF FUNCTION CHUNK	FOR _PnpCtxOpenMachine
; 
; START	OF FUNCTION CHUNK FOR _PnpCtxCreateNode

loc_9357C3:				; CODE XREF: _PnpCtxCreateNode+2Bj
		mov	ebx, 0C0000017h
		jmp	loc_8AE440
; 

loc_9357CD:				; CODE XREF: _PnpCtxCreateNode+49j
		mov	ebx, 0C0000017h
		jmp	loc_8AE450
; 

loc_9357D7:				; CODE XREF: _PnpCtxCreateNode+A4j
		sub	eax, 1
		jz	loc_8AE42C
		sub	eax, 1
		jz	short loc_9357EF
		mov	ebx, 0C000000Dh
		jmp	loc_8AE438
; 

loc_9357EF:				; CODE XREF: _PnpCtxCreateNode+87461j
		or	eax, 0FFFFFFFFh
		mov	[esi+20h], eax
		mov	[esi+30h], eax
		mov	[esi+34h], eax
		mov	[esi+38h], eax
		mov	[esi+40h], eax
		mov	[esi+44h], eax
		mov	[esi+48h], eax
		jmp	loc_8AE42C
; END OF FUNCTION CHUNK	FOR _PnpCtxCreateNode
; 
; START	OF FUNCTION CHUNK FOR _SysCtxOpenMachine

loc_93580C:				; CODE XREF: _SysCtxOpenMachine+64j
		mov	esi, 0C0000017h
		jmp	loc_8AE608
; 

loc_935816:				; CODE XREF: _SysCtxOpenMachine+7Aj
		push	118h		; size_t
		lea	eax, [esp+15Ch+var_124]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+158h+var_128], 11Ch
		lea	eax, [esp+158h+var_128]
		push	eax
		call	RtlGetVersion
		mov	esi, eax
		test	esi, esi
		js	loc_8AE608
		movzx	ecx, byte ptr [esp+158h+var_124]
		movzx	eax, [esp+158h+var_14]
		shl	cx, 8
		movzx	edx, cx
		movzx	ecx, [esp+158h+var_120]
		or	edx, ecx
		shl	ax, 8
		shl	edx, 10h
		movzx	eax, ax
		or	edx, eax
		movzx	eax, [esp+158h+var_12]
		or	edx, eax
		jmp	loc_8AE4E6
; 

loc_93587B:				; CODE XREF: _SysCtxOpenMachine+88j
		push	2
		push	edi
		push	edi
		lea	ecx, [esp+164h+var_14C]
		push	ecx
		push	0FFFFFFFFh
		push	eax
		push	0FFFFFFFFh
		call	_ZwDuplicateObject@28 ;	ZwDuplicateObject(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_8AE4F4
		mov	[esp+158h+var_14C], edi
		jmp	loc_8AE5BF
; 

loc_9358A1:				; CODE XREF: _SysCtxOpenMachine+99j
		cmp	eax, 0FFFFFFFFh
		jz	loc_8AE529
		push	[esp+158h+var_14C]
		lea	ecx, [esp+15Ch+var_148]
		push	ecx
		push	edx
		xor	edx, edx
		mov	ecx, eax
		jmp	loc_8AE519
; 

loc_9358BD:				; CODE XREF: _SysCtxOpenMachine+E9j
		cmp	eax, 0FFFFFFFFh
		jz	loc_8AE57A
		push	[esp+158h+var_14C]
		lea	ecx, [esp+15Ch+var_144]
		push	ecx
		mov	ecx, eax
		jmp	loc_8AE563
; 

loc_9358D6:				; CODE XREF: _SysCtxOpenMachine+15Ej
		push	[esp+158h+var_148]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8AE5CA
; 

loc_9358E4:				; CODE XREF: _SysCtxOpenMachine+169j
		push	[esp+158h+var_13C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8AE5D5
; 

loc_9358F2:				; CODE XREF: _SysCtxOpenMachine+174j
		push	[esp+158h+var_140]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8AE5E0
; 

loc_935900:				; CODE XREF: _SysCtxOpenMachine+17Fj
		push	[esp+158h+var_144]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8AE5EB
; END OF FUNCTION CHUNK	FOR _SysCtxOpenMachine
; 
; START	OF FUNCTION CHUNK FOR _SysCtxOpenControlSet

loc_93590E:				; CODE XREF: _SysCtxOpenControlSet+48j
		cmp	esi, 0C0000034h
		jnz	loc_8AE66E
		push	ebx
		lea	eax, [ebp+var_28]
		mov	edx, offset ??_C@_1O@PMDCHDHI@?$AAS?$AAe?$AAl?$AAe?$AAc?$AAt@NNGAKEGL@
		push	eax
		push	1
		push	0
		mov	ecx, edi
		call	_RegRtlOpenKeyTransacted
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_935954
		push	ebx
		xor	ecx, ecx
		lea	eax, [ebp+var_28]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	3
		push	ecx
		mov	edx, offset ??_C@_1O@PMDCHDHI@?$AAS?$AAe?$AAl?$AAe?$AAc?$AAt@NNGAKEGL@
		mov	ecx, edi
		call	_RegRtlCreateKeyTransacted
		mov	esi, eax

loc_935954:				; CODE XREF: _SysCtxOpenControlSet+87317j
		test	esi, esi
		jnz	loc_8AE66E
		mov	ecx, [ebp+var_28]
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_38], 4
		push	eax
		lea	eax, [ebp+var_34]
		mov	edx, offset ??_C@_1BA@OFLJGHK@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@NNGAKEGL@
		push	eax
		call	_RegRtlQueryValue
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_9359B2
		mov	ecx, [ebp+var_28]
		lea	eax, [ebp+var_2C]
		push	4
		push	eax
		push	4
		mov	edx, offset ??_C@_1BA@OFLJGHK@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@NNGAKEGL@
		mov	[ebp+var_21], 1
		mov	dword ptr [ebp+var_2C],	1
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_8AE66E
		jmp	short loc_9359C6
; 

loc_9359B2:				; CODE XREF: _SysCtxOpenControlSet+87364j
		test	esi, esi
		jnz	loc_8AE66E
		cmp	[ebp+var_34], 4
		jnz	short loc_935A36
		cmp	[ebp+var_38], 4
		jnz	short loc_935A36

loc_9359C6:				; CODE XREF: _SysCtxOpenControlSet+87390j
		cmp	dword ptr [ebp+var_2C],	3E7h
		ja	short loc_935A36
		push	dword ptr [ebp+var_2C] ; char
		lea	eax, [ebp+var_20]
		push	offset ??_C@_1BO@KHANIFDG@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS?$AAe?$AAt?$AA?$CF?$AA0?$AA3?$AAd@NNGAKEGL@ ;	wchar_t	*
		push	0Eh		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		test	eax, eax
		js	short loc_935A36
		push	ebx
		push	[ebp+var_30]
		lea	edx, [ebp+var_20]
		mov	ecx, edi
		push	2000000h
		push	0
		call	_RegRtlOpenKeyTransacted
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	loc_8AE66E
		cmp	[ebp+var_21], 0
		jz	loc_8AE66E
		push	ebx
		xor	eax, eax
		lea	edx, [ebp+var_20]
		push	eax
		push	[ebp+var_30]
		mov	ecx, edi
		push	eax
		push	eax
		push	2000000h
		push	eax
		call	_RegRtlCreateKeyTransacted
		mov	esi, eax
		jmp	loc_8AE66E
; 

loc_935A36:				; CODE XREF: _SysCtxOpenControlSet+8739Ej
					; _SysCtxOpenControlSet+873A4j	...
		mov	esi, 0C000000Dh
		jmp	loc_8AE66E
; 

loc_935A40:				; CODE XREF: _SysCtxOpenControlSet+52j
		push	[ebp+var_28]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8AE678
; END OF FUNCTION CHUNK	FOR _SysCtxOpenControlSet
; 
; START	OF FUNCTION CHUNK FOR EtwpGetAutoLoggerLevelKwFilter

loc_935A4D:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+11Cj
		mov	ecx, eax
		lea	edx, [ecx+2]

loc_935A52:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+872C1j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_935A52
		sub	ecx, edx
		sar	ecx, 1
		push	50777445h
		lea	esi, ds:28h[ecx*2]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8AE8DA
		mov	edx, dword ptr [ebp+var_314]
		push	edx		; char
		push	offset ??_C@_1CO@KJDELHKH@?$AA?$CF?$AAw?$AAs?$AA?2?$AAS?$AAt?$AAa?$AAc?$AAk?$AAL?$AAe?$AAv?$AAe?$AAl?$AAK@NNGAKEGL@ ; wchar_t *
		push	esi		; int
		push	ebx		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	edi, eax
		add	esp, 10h
		test	edi, edi
		jnz	loc_8AE8D8
		push	ebx
		lea	eax, [ebp+var_31C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_31C]
		mov	[ebp+var_334], 18h
		mov	[ebp+var_32C], eax
		xor	esi, esi
		lea	eax, [ebp+var_334]
		mov	[ebp+var_330], esi
		push	eax
		push	20019h
		lea	eax, [ebp+var_30C]
		mov	[ebp+var_328], 240h
		push	eax
		mov	[ebp+var_324], esi
		mov	[ebp+var_320], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	loc_8AE8BC
		mov	[ebp+var_30C], esi
		jmp	loc_8AE8BC
; 

loc_935B0D:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+129j
					; EtwpGetAutoLoggerLevelKwFilter+136j
		push	50777445h
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_310]
		mov	[eax], esi
		test	esi, esi
		jz	loc_8AE8DA
		push	24Ch		; size_t
		lea	eax, [ebp+var_304]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_2FC], offset ??_C@_1CA@DAIDIDOO@?$AAM?$AAa?$AAt?$AAc?$AAh?$AAA?$AAn?$AAy?$AAK?$AAe?$AAy?$AAw?$AAo?$AAr?$AAd@NNGAKEGL@
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_B0], esi
		mov	[ebp+var_2F8], eax
		mov	edx, offset EtwpQueryRegistryCallback
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_304], edx
		mov	[ebp+var_2DC], eax
		lea	eax, [esi+8]
		push	0Bh
		pop	ecx
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_2C0], eax
		lea	eax, [esi+10h]
		push	4
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_2F4], ecx
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_2D8], ecx
		mov	[ebp+var_AC], ecx
		pop	ecx
		push	1
		mov	[ebp+var_2A4], eax
		lea	eax, [esi+11h]
		push	ecx
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_304]
		push	0
		mov	[ebp+var_2E8], edx
		mov	[ebp+var_2CC], edx
		mov	[ebp+var_2BC], ecx
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_2B0], edx
		mov	edx, [ebp+var_308]
		mov	[ebp+var_2A0], ecx
		mov	[ebp+var_9C], ecx
		mov	ecx, 40000000h
		push	eax
		mov	[ebp+var_2E0], offset ??_C@_1CA@DABEMIJN@?$AAM?$AAa?$AAt?$AAc?$AAh?$AAA?$AAl?$AAl?$AAK?$AAe?$AAy?$AAw?$AAo?$AAr?$AAd@NNGAKEGL@
		mov	[ebp+var_2C4], (offset loc_8BFEC1+1)
		mov	[ebp+var_2A8], (offset loc_8C0CB7+1)
		call	RtlpQueryRegistryValues
		mov	edi, eax
		test	edi, edi
		js	loc_8AE8DA
		mov	edx, [ebp+var_30C]
		test	edx, edx
		jz	loc_8AE8D6
		mov	eax, [ebp+var_310]
		push	1
		push	ecx
		push	0
		mov	esi, [eax]
		mov	ecx, 40000000h
		mov	[ebp+var_2F0], esi
		lea	eax, [esi+8]
		mov	[ebp+var_2D4], eax
		lea	eax, [esi+10h]
		mov	[ebp+var_2B8], eax
		lea	eax, [esi+11h]
		mov	[ebp+var_29C], eax
		lea	eax, [ebp+var_304]
		push	eax
		call	RtlpQueryRegistryValues
		jmp	loc_8AE8D6
; 

loc_935C87:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+14Aj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0
		jmp	loc_8AE8EA
; 

loc_935C97:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+157j
		push	[ebp+var_308]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8AE8F7
; 

loc_935CA7:				; CODE XREF: EtwpGetAutoLoggerLevelKwFilter+17Bj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8AE91B
; END OF FUNCTION CHUNK	FOR EtwpGetAutoLoggerLevelKwFilter
; 
; START	OF FUNCTION CHUNK FOR IoConnectInterrupt

loc_935CB4:				; CODE XREF: IoConnectInterrupt+10j
					; IoGetIommuInterface+Dj
		push	0
		push	0
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	1
		push	121h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_935CCF:				; CODE XREF: IopConnectInterruptFullySpecified+62j
		mov	byte ptr [ebp+arg_14], al
		jmp	loc_8AE9FC
; END OF FUNCTION CHUNK	FOR IoConnectInterrupt
; 
; START	OF FUNCTION CHUNK FOR IopConnectInterruptFullySpecified

loc_935CD7:				; CODE XREF: IopConnectInterruptFullySpecified+43j
					; IopConnectInterruptFullySpecified+54j ...
		mov	eax, 0C000000Dh
		jmp	loc_8AEAA7
; END OF FUNCTION CHUNK	FOR IopConnectInterruptFullySpecified
; 
; START	OF FUNCTION CHUNK FOR _CmSetDeviceContainerMappedProperty

loc_935CE1:				; CODE XREF: _CmSetDeviceContainerMappedProperty+27j
		push	10h		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_935CF9
		mov	ecx, [ebp+arg_4]
		jmp	loc_8AEAF5
; 

loc_935CF9:				; CODE XREF: _CmSetDeviceContainerMappedProperty+87227j
		mov	edi, 0C0000022h
		jmp	loc_8AEAFD
; END OF FUNCTION CHUNK	FOR _CmSetDeviceContainerMappedProperty
; 
; START	OF FUNCTION CHUNK FOR IopInitializeTriageDumpData

loc_935D03:				; CODE XREF: IopInitializeTriageDumpData+6Cj
					; IopInitializeTriageDumpData+C3j
		mov	eax, _IopTriageDumpDataArray
		test	eax, eax
		jz	loc_8AEBCF
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	_IopTriageDumpDataArray, ebx
		jmp	loc_8AEBCF
; END OF FUNCTION CHUNK	FOR IopInitializeTriageDumpData
; 
; START	OF FUNCTION CHUNK FOR PiHotSwapGetDefaultBusRemovalPolicy

loc_935D22:				; CODE XREF: PiHotSwapGetDefaultBusRemovalPolicy+A5j
		mov	eax, [esi+8]
		cmp	word ptr [eax+1Ch], 0Ch
		jnz	loc_8AEC7F
		push	(offset	loc_8BAEC3+1) ;	wchar_t	*
		push	dword ptr [eax+20h] ; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_8AEC9B
		jmp	loc_8AEC7F
; END OF FUNCTION CHUNK	FOR PiHotSwapGetDefaultBusRemovalPolicy
; 
; START	OF FUNCTION CHUNK FOR CmpHandlePageFileOpenNotification

loc_935D4C:				; CODE XREF: CmpHandlePageFileOpenNotification+29j
		mov	esi, 0C0000022h
		jmp	loc_8AED72
; 

loc_935D56:				; CODE XREF: CmpHandlePageFileOpenNotification+36j
		mov	esi, 0C0000189h
		jmp	loc_8AED72
; END OF FUNCTION CHUNK	FOR CmpHandlePageFileOpenNotification
; 
; START	OF FUNCTION CHUNK FOR CmpVolumeContextSendDeviceUsageNotification

loc_935D60:				; CODE XREF: CmpVolumeContextSendDeviceUsageNotification+Fj
		mov	ebx, 0C00000BBh
		jmp	loc_8AEDC8
; 

loc_935D6A:				; CODE XREF: CmpVolumeContextSendDeviceUsageNotification+9Aj
		test	al, 4
		jnz	loc_8AEE24
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8AEE24
; 

loc_935D7E:				; CODE XREF: CmpVolumeContextSendDeviceUsageNotification+AEj
		mov	ecx, [edi+20h]
		xor	dl, dl
		call	PiPagePathSetState
		jmp	loc_8AEDC8
; END OF FUNCTION CHUNK	FOR CmpVolumeContextSendDeviceUsageNotification
; 
; START	OF FUNCTION CHUNK FOR PiPagePathSetState

loc_935D8D:				; CODE XREF: PiPagePathSetState+57j
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, 0C0000017h
		jmp	loc_8AEF65
; 

loc_935D9E:				; CODE XREF: PiPagePathSetState+7Ej
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [esp+50h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+40h+var_18]
		jmp	loc_8AEF32
; END OF FUNCTION CHUNK	FOR PiPagePathSetState
; 
; START	OF FUNCTION CHUNK FOR PiSwDeviceInterfacesUpdateState

loc_935DB5:				; CODE XREF: PiSwDeviceInterfacesUpdateState+92j
		push	57706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8AF102
; END OF FUNCTION CHUNK	FOR PiSwDeviceInterfacesUpdateState
; 
; START	OF FUNCTION CHUNK FOR EtwpCoverageEnsureStringBuffer

loc_935DC5:				; CODE XREF: EtwpCoverageEnsureStringBuffer+Dj
		mov	eax, [edx+8]
		sub	eax, [edx+0Ch]
		cmp	eax, 200h
		jnb	short loc_935DD9
		mov	edx, [edx]
		jmp	loc_8AF533
; 

loc_935DD9:				; CODE XREF: EtwpCoverageEnsureStringBuffer+868A8j
		mov	[ebx+1Ch], edx
		xor	eax, eax
		jmp	loc_8AF576
; END OF FUNCTION CHUNK	FOR EtwpCoverageEnsureStringBuffer
; 
; START	OF FUNCTION CHUNK FOR SdbReadQWORDTag

loc_935DE3:				; CODE XREF: SdbReadQWORDTag+38j
		call	SdbGetTagFromTagID
		movzx	ecx, ax
		push	ecx
		push	esi
		push	(offset	loc_8C3631+5)
		push	9Dh
		push	(offset	loc_8C36A8+2)
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	loc_8AF65E
; END OF FUNCTION CHUNK	FOR SdbReadQWORDTag
; 
; START	OF FUNCTION CHUNK FOR SepSetSystemPaths

loc_935E0B:				; CODE XREF: SepSetSystemPaths+8Aj
		push	63734943h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8AF9DC
; END OF FUNCTION CHUNK	FOR SepSetSystemPaths
; 
; START	OF FUNCTION CHUNK FOR SepLoadNgenLocations

loc_935E1B:				; CODE XREF: SepLoadNgenLocations+83j
		cmp	esi, 0C0000034h
		jnz	loc_8AFD1E
		jmp	loc_8AFD45
; 

loc_935E2C:				; CODE XREF: SepLoadNgenLocations+117j
					; SepLoadNgenLocations+124j
		mov	eax, [esp+0A0h+var_90]
		jmp	loc_8AFB38
; 

loc_935E35:				; CODE XREF: SepLoadNgenLocations+19Dj
		mov	esi, 0C0000017h
		jmp	loc_8AFD1E
; 

loc_935E3F:				; CODE XREF: SepLoadNgenLocations+1B7j
		mov	esi, 0C0000017h
		jmp	loc_8AFD10
; 

loc_935E49:				; CODE XREF: SepLoadNgenLocations+24Dj
		add	edi, 0FFFFFFFEh
		mov	[ecx+8], edi
		mov	edx, edi
		cmp	edi, 2
		jnb	loc_8AFC2E
		jmp	loc_8AFC3D
; 

loc_935E5F:				; CODE XREF: SepLoadNgenLocations+25Fj
					; SepLoadNgenLocations+26Dj
		mov	esi, 80000005h
		jmp	loc_8AFD08
; 

loc_935E69:				; CODE XREF: SepLoadNgenLocations+320j
		push	63734943h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8AFD10
; END OF FUNCTION CHUNK	FOR SepLoadNgenLocations
; 
; START	OF FUNCTION CHUNK FOR IopQueryPassiveInterruptRegistryOptions

loc_935E79:				; CODE XREF: IopQueryPassiveInterruptRegistryOptions+D2j
		cmp	al, 15h
		jbe	short loc_935E7F
		mov	al, 15h

loc_935E7F:				; CODE XREF: IopQueryPassiveInterruptRegistryOptions+8606Fj
		mov	_PassiveInterruptRealtimeWorkerPriority, al
		jmp	loc_8AFEE4
; END OF FUNCTION CHUNK	FOR IopQueryPassiveInterruptRegistryOptions
; 
; START	OF FUNCTION CHUNK FOR ObInitServerSilo

loc_935E89:				; CODE XREF: ObInitServerSilo+49j
		lea	eax, [esp+30h+var_24]
		push	eax
		push	ds:_PsObjectDirectorySiloContextSlot
		push	esi
		call	PsGetPermanentSiloContext
		test	eax, eax
		js	loc_8AFF49
		lea	eax, [esp+30h+var_20]
		push	eax
		push	edi
		push	_ObpDirectoryObjectType
		push	2
		push	edi
		push	240h
		push	[esp+48h+var_24]
		call	ObOpenObjectByPointer
		test	eax, eax
		js	loc_8AFF49
		mov	esi, [esp+30h+var_20]
		lea	eax, [esp+30h+var_1C]
		push	eax
		push	edi
		push	edi
		push	_ObpDirectoryObjectType
		xor	edx, edx
		mov	[esp+40h+var_18], 18h
		push	2
		lea	ecx, [esp+44h+var_18]
		mov	[esp+44h+var_14], esi
		mov	[esp+44h+var_C], 240h
		mov	[esp+44h+var_10], offset _ObpGlobalDirectoryName
		mov	[esp+44h+var_8], edi
		mov	[esp+44h+var_4], edi
		call	ObReferenceObjectByNameEx
		push	esi
		mov	edi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	edi, edi
		jns	short loc_935F1C
		mov	eax, edi
		jmp	loc_8AFF49
; 

loc_935F1C:				; CODE XREF: ObInitServerSilo+8601Bj
		mov	ecx, [esp+30h+var_1C]
		mov	eax, [ecx+98h]
		mov	[ebx], eax
		call	ObfDereferenceObject
		jmp	loc_8AFF47
; END OF FUNCTION CHUNK	FOR ObInitServerSilo
; 
; START	OF FUNCTION CHUNK FOR EtwpCCSwapStart

loc_935F32:				; CODE XREF: EtwpCCSwapStart+59j
		xor	eax, eax
		mov	[ebp+var_4], eax
		test	ebx, ebx
		jz	short loc_935F69

loc_935F3B:				; CODE XREF: EtwpCCSwapStart+85FAFj
		mov	ecx, eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		push	0
		mov	esi, [eax+4054h]
		push	dword ptr [esi+edi*4+128h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		and	dword ptr [esi+edi*4+128h], 0
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, ebx
		jb	short loc_935F3B

loc_935F69:				; CODE XREF: EtwpCCSwapStart+85F81j
		mov	eax, 0C0000017h
		jmp	loc_8B0038
; END OF FUNCTION CHUNK	FOR EtwpCCSwapStart
; 
; START	OF FUNCTION CHUNK FOR IoRegisterFsRegistrationChangeMountAware

loc_935F73:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+22j
		lea	ecx, [edi+1Ch]
		call	_IopIsKnownGoodLegacyFsFilter@4	; IopIsKnownGoodLegacyFsFilter(x)
		test	al, al
		jnz	loc_8B0074
		mov	ebx, dword_6CCFDC
		mov	eax, _IoMgrTraceHandle
		push	offset _IoMgr_LegacyFsFilterBlockedByPolicy
		push	ebx
		push	eax
		mov	[ebp+var_2C], eax
		call	EtwEventEnabled
		test	al, al
		jz	short loc_935FEF
		movzx	ecx, word ptr [edi+1Ch]
		xor	esi, esi
		mov	ax, cx
		mov	[ebp+var_20], esi
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], eax
		mov	eax, [edi+20h]
		mov	[ebp+var_14], eax
		mov	eax, ecx
		push	2
		pop	edx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		call	_IoGetActivityIdThread@0 ; IoGetActivityIdThread()
		push	eax
		push	offset _IoMgr_LegacyFsFilterBlockedByPolicy
		push	ebx
		push	[ebp+var_2C]
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_935FEF:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+85F53j
		mov	eax, 0C00000BBh
		jmp	loc_8B00E5
; 

loc_935FF9:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+5Bj
		call	_IopGetFsRegistrationInProgress@0 ; IopGetFsRegistrationInProgress()
		test	al, al
		jz	short loc_93600C
		mov	esi, 0C000022Dh
		jmp	loc_8B00D7
; 

loc_93600C:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+48j
					; IoRegisterFsRegistrationChangeMountAware+85FB4j
		push	1
		push	offset _IopDatabaseResource
		call	ExAcquireResourceExclusiveLite
		jmp	loc_8B00AD
; 

loc_93601D:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+BAj
		mov	ecx, offset _IopDatabaseResource
		call	ExReleaseResourceLite
		mov	esi, 0C000009Ah
		jmp	loc_8B00D7
; 

loc_936031:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+EDj
		inc	_IopMountCompletionWaiters
		mov	ecx, offset _IopDatabaseResource
		call	ExReleaseResourceLite
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset _IopMountCompletionEvent
		call	KeWaitForSingleObject
		push	1
		push	offset _IopDatabaseResource
		call	ExAcquireResourceExclusiveLite
		sub	_IopMountCompletionWaiters, 1
		jz	short loc_936070
		cmp	_IopMountsInProgress, esi
		jz	loc_8B013F

loc_936070:				; CODE XREF: IoRegisterFsRegistrationChangeMountAware+86016j
		push	offset _IopMountCompletionEvent
		call	_KeResetEvent@4	; KeResetEvent(x)
		jmp	loc_8B0133
; END OF FUNCTION CHUNK	FOR IoRegisterFsRegistrationChangeMountAware
; 
; START	OF FUNCTION CHUNK FOR IopNotifyAlreadyRegisteredFileSystems

loc_93607F:				; CODE XREF: IopNotifyAlreadyRegisteredFileSystems+1Bj
					; IopNotifyAlreadyRegisteredFileSystems+23j
		lea	eax, [edi-34h]
		mov	edi, ecx
		push	1
		push	eax
		call	edx
		mov	edx, [ebp+var_4]
		cmp	edi, esi
		jnz	loc_8B01B7
		jmp	loc_8B01C9
; END OF FUNCTION CHUNK	FOR IopNotifyAlreadyRegisteredFileSystems
; 
; START	OF FUNCTION CHUNK FOR PiSwDeviceCompareObjects

loc_936099:				; CODE XREF: PiSwDeviceCompareObjects+22j
		push	dword ptr [edi+8] ; wchar_t *
		push	dword ptr [esi+8] ; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		mov	ecx, eax
		jmp	loc_8B01F8
; END OF FUNCTION CHUNK	FOR PiSwDeviceCompareObjects
; 
; START	OF FUNCTION CHUNK FOR _PnpGetEnumSecurityDescriptor

loc_9360AD:				; CODE XREF: _PnpGetEnumSecurityDescriptor+2AFj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B054D
; END OF FUNCTION CHUNK	FOR _PnpGetEnumSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR IoCreateSystemThread

loc_9360BA:				; CODE XREF: IoCreateSystemThread+16j
		cmp	ax, 4
		jz	loc_8B0596
		push	0
		push	edi
		push	[ebp+arg_18]
		push	0
		push	148h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9360D6:				; CODE XREF: IoCreateSystemThread+66j
		mov	ecx, edi
		call	ObfDereferenceObject
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+24h+var_18]
		jmp	loc_8B05E6
; END OF FUNCTION CHUNK	FOR IoCreateSystemThread
; 
; START	OF FUNCTION CHUNK FOR Ke386CyrixId

loc_9360EE:				; CODE XREF: Ke386CyrixId+15j
					; Ke386CyrixId+45j
		xor	eax, eax
		sahf
		lahf
		mov	[ebp+var_1], ah
		mov	eax, 5
		mov	ecx, 2
		div	cl
		lahf
		sub	[ebp+var_1], ah
		cmp	[ebp+var_1], bl
		jnz	short loc_936154
		mov	cl, 0C3h
		call	ReadCyrixRegister
		mov	dh, al
		mov	dl, dh
		xor	dl, 80h
		call	WriteCyrixRegister
		mov	cl, 0C0h
		call	ReadCyrixRegister
		add	cl, 3
		call	ReadCyrixRegister
		call	ReadCyrixRegister
		cmp	al, dh
		jz	short loc_936140
		mov	cl, 0FEh
		call	ReadCyrixRegister
		movzx	ebx, al
		inc	ebx

loc_936140:				; CODE XREF: Ke386CyrixId+7F7EDj
		mov	dl, dh
		mov	cl, 0C3h
		call	WriteCyrixRegister
		push	7Fh
		pop	eax
		cmp	eax, ebx
		sbb	ecx, ecx
		not	ecx
		and	ebx, ecx

loc_936154:				; CODE XREF: Ke386CyrixId+7F7C2j
		mov	eax, ebx
		jmp	loc_8B6993
; END OF FUNCTION CHUNK	FOR Ke386CyrixId
; 
; START	OF FUNCTION CHUNK FOR ExpRegisterFirmwareTableInformationHandler

loc_93615B:				; CODE XREF: ExpRegisterFirmwareTableInformationHandler+10j
		mov	esi, 0C0000061h
		jmp	loc_8B07BC
; 

loc_936165:				; CODE XREF: ExpRegisterFirmwareTableInformationHandler+5Aj
		cmp	byte ptr [edi+4], 0
		jnz	short loc_9361AD
		mov	eax, [ebx+0Ch]
		cmp	eax, [edi+0Ch]
		jnz	loc_8B07D1
		lea	eax, [ebx+10h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_8B07C5
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_8B07C5
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, [ebx+0Ch]
		call	ObfDereferenceObject
		push	54465241h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B07A6
; 

loc_9361AD:				; CODE XREF: ExpRegisterFirmwareTableInformationHandler+85A7Fj
		mov	esi, 40000000h
		jmp	loc_8B07A6
; 

loc_9361B7:				; CODE XREF: ExpRegisterFirmwareTableInformationHandler+18j
					; ExpRegisterFirmwareTableInformationHandler+21j
		mov	esi, 0C0000004h
		jmp	loc_8B07BC
; END OF FUNCTION CHUNK	FOR ExpRegisterFirmwareTableInformationHandler
; 
; START	OF FUNCTION CHUNK FOR SepBuildDefaultCap

loc_9361C1:				; CODE XREF: SepBuildDefaultCap+33j
		mov	esi, 0C000009Ah

loc_9361C6:				; CODE XREF: SepBuildDefaultCap+1Fj
		cmp	[ebp+var_4], edi
		jz	loc_8B0844
		push	ebx
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B0844
; END OF FUNCTION CHUNK	FOR SepBuildDefaultCap
; 
; START	OF FUNCTION CHUNK FOR KsepCacheDeviceInsertData

loc_9361DD:				; CODE XREF: KsepCacheDeviceInsertData+6Bj
		lea	ecx, [esi+8]
		call	KsepStringFree
		mov	ecx, [esi+18h]
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		mov	ecx, esi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		jmp	loc_8B08BD
; 

loc_9361F9:				; CODE XREF: KsepCacheDeviceInsertData+12Dj
		test	bl, bl
		jz	short loc_936204
		mov	ecx, esi
		call	ObfDereferenceObject

loc_936204:				; CODE XREF: KsepCacheDeviceInsertData+859AFj
		push	1
		push	0
		push	esi
		push	0
		call	PspClosePartitionHandle
		test	edi, edi
		jns	loc_8B097F
		mov	ecx, esi
		call	PsDereferencePartition
		jmp	loc_8B097F
; END OF FUNCTION CHUNK	FOR KsepCacheDeviceInsertData
; 
; START	OF FUNCTION CHUNK FOR PopLogSleepDisabled

loc_936224:				; CODE XREF: PopLogSleepDisabled+16j
		mov	edi, 0C0000035h
		jmp	loc_8B0A30
; 

loc_93622E:				; CODE XREF: PopLogSleepDisabled+34j
		mov	edi, 0C000009Ah
		jmp	loc_8B0A2F
; 

loc_936238:				; CODE XREF: PopLogSleepDisabled+7Cj
		push	eax		; size_t
		push	[ebp+arg_0]	; void *
		mov	[esi+14h], eax
		lea	eax, [esi+18h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_8B0A14
; END OF FUNCTION CHUNK	FOR PopLogSleepDisabled
; 
; START	OF FUNCTION CHUNK FOR AlpcpInitSystem

loc_936250:				; CODE XREF: AlpcpInitSystem+55j
		mov	esi, 0C000009Ah
		jmp	loc_8B0C60
; 

loc_93625A:				; CODE XREF: AlpcpInitSystem+1C2j
		mov	edx, 8000h
		mov	ecx, 1000h
		call	AlpcpInitializeMessageLog
		jmp	loc_8B0C4B
; END OF FUNCTION CHUNK	FOR AlpcpInitSystem
; 
; START	OF FUNCTION CHUNK FOR AlpcpInitializeMessageLog

loc_93626E:				; CODE XREF: AlpcpInitializeMessageLog+48j
		test	edi, edi
		jz	loc_8B0CCC
		push	6C4D6C41h
		push	2000h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_AlpcpMessageLogLookupTable, eax
		test	eax, eax
		jz	short loc_9362EA
		mov	ecx, 400h

loc_936295:				; CODE XREF: AlpcpInitializeMessageLog+85622j
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		sub	ecx, 1
		jnz	short loc_936295
		imul	eax, ebx, 24h
		push	6C4D6C41h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_9362DE
		imul	eax, edi, 48h
		push	734D6C41h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_9362F4
		push	esi
		push	_AlpcpMessageLogLookupTable
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	ebx
		jmp	short loc_9362E5
; 

loc_9362DE:				; CODE XREF: AlpcpInitializeMessageLog+85638j
		push	esi
		push	_AlpcpMessageLogLookupTable

loc_9362E5:				; CODE XREF: AlpcpInitializeMessageLog+8565Ej
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9362EA:				; CODE XREF: AlpcpInitializeMessageLog+85610j
		mov	eax, 0C000009Ah
		jmp	loc_8B0CCE
; 

loc_9362F4:				; CODE XREF: AlpcpInitializeMessageLog+8564Ej
		mov	[ebp+var_4], esi
		cmp	[ebp+var_8], esi
		jbe	short loc_936334
		lea	edx, [ebx+1Ch]

loc_9362FF:				; CODE XREF: AlpcpInitializeMessageLog+856B4j
		mov	[edx+4], edx
		mov	[edx], edx
		mov	ebx, dword_6C6F4C
		cmp	dword ptr [ebx], offset	_AlpcpFreeMessageLogListHead
		jnz	short loc_936364
		lea	eax, [edx-1Ch]
		mov	[edx-18h], ebx
		mov	dword ptr [eax], offset	_AlpcpFreeMessageLogListHead
		add	edx, 24h
		mov	[ebx], eax
		mov	dword_6C6F4C, eax
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, [ebp+var_8]
		jb	short loc_9362FF

loc_936334:				; CODE XREF: AlpcpInitializeMessageLog+8567Cj
		test	edi, edi
		jz	loc_8B0CCC
		mov	edx, offset _AlpcpFreeMessageSnapshotListHead

loc_936341:				; CODE XREF: AlpcpInitializeMessageLog+856DFj
		mov	eax, dword_6C6F44
		cmp	[eax], edx
		jnz	short loc_936364
		mov	[ecx], edx
		inc	esi
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	dword_6C6F44, ecx
		add	ecx, 48h
		cmp	esi, edi
		jb	short loc_936341
		jmp	loc_8B0CCC
; 

loc_936364:				; CODE XREF: AlpcpInitializeMessageLog+85692j
					; AlpcpInitializeMessageLog+856CAj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_936369:				; CODE XREF: PipClearDevNodeProblem+27j
					; PipClearDevNodeProblem+2Fj
		lea	ecx, [ebp+var_4]
		call	PiPnpRtlBeginOperation
		mov	edx, 2000h
		mov	ecx, esi
		call	PipClearDevNodeFlags
		and	dword ptr [esi+114h], 0
		and	dword ptr [esi+118h], 0
		mov	edx, [esi+18h]
		test	edx, edx
		jz	short loc_9363DC
		push	0Ch
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		cmp	[esi+118h], ebx
		jz	short loc_9363AB
		mov	edx, [esi+18h]
		push	0Dh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent

loc_9363AB:				; CODE XREF: AlpcpInitializeMessageLog+85721j
		push	ebx
		push	edi
		lea	edx, [esi+1Ch]
		lea	ecx, [esi+14h]
		call	_PnpTraceClearDevNodeProblem@16	; PnpTraceClearDevNodeProblem(x,x,x,x)
		cmp	edi, 16h
		jnz	short loc_9363DC
		xor	edx, edx
		lea	ecx, [edi+74h]
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jz	short loc_9363DC
		push	ecx
		push	dword ptr [esi+114h]
		lea	ecx, [esi+14h]
		push	edi
		pop	edx
		call	_PiAuditDeviceEnableDisableAction@16 ; PiAuditDeviceEnableDisableAction(x,x,x,x)

loc_9363DC:				; CODE XREF: AlpcpInitializeMessageLog+85712j
					; AlpcpInitializeMessageLog+8573Dj ...
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	loc_8B0D09
		call	PiPnpRtlEndOperation
		jmp	loc_8B0D09
; END OF FUNCTION CHUNK	FOR AlpcpInitializeMessageLog
; 
; START	OF FUNCTION CHUNK FOR PopNetEvaluateStateMask

loc_9363F1:				; CODE XREF: PopNetEvaluateStateMask+Bj
		mov	dword ptr [ecx], 2
		mov	dword ptr [edx], 3
		retn
; 

loc_9363FE:				; CODE XREF: PopNetEvaluateStateMask+13j
		cmp	_PopNetResiliencyEngaged, 0
		jz	short loc_936429
		test	al, 2
		jz	short loc_936418
		mov	dword ptr [ecx], 2
		mov	dword ptr [edx], 1
		retn
; 

loc_936418:				; CODE XREF: PopNetEvaluateStateMask+856FBj
		test	al, al
		jns	short loc_936429
		mov	dword ptr [ecx], 2
		mov	dword ptr [edx], 7
		retn
; 

loc_936429:				; CODE XREF: PopNetEvaluateStateMask+856F7j
					; PopNetEvaluateStateMask+8570Cj
		and	dword ptr [ecx], 0
		and	dword ptr [edx], 0
		retn
; END OF FUNCTION CHUNK	FOR PopNetEvaluateStateMask
; 
; START	OF FUNCTION CHUNK FOR PopTraceStandbyConnectivityUpdate

loc_936430:				; CODE XREF: PopTraceStandbyConnectivityUpdate+45j
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_7C], edi
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_80]
		push	4
		pop	ecx
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_41E343
		push	offset dword_6B23F8
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_80], esi
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_90], 1000000h
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], 8
		mov	[ebp+var_2C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_8B0D87
; END OF FUNCTION CHUNK	FOR PopTraceStandbyConnectivityUpdate
; 
; START	OF FUNCTION CHUNK FOR PopNetUpdateCsConsumptionFlags

loc_936499:				; CODE XREF: PopNetUpdateCsConsumptionFlags+Bj
		mov	cl, byte_6D4581
		test	cl, 1
		jnz	locret_8B0E47
		cmp	_PopNetCompliantNicCount, 0
		setnz	al
		and	cl, 0FEh
		or	cl, al
		mov	byte_6D4581, cl
		retn
; END OF FUNCTION CHUNK	FOR PopNetUpdateCsConsumptionFlags
; 
; START	OF FUNCTION CHUNK FOR AslFileNotFound

loc_9364BE:				; CODE XREF: AslFileNotFound+14j
		cmp	ecx, 0C00000CCh
		jz	loc_8B0E50
		xor	eax, eax
		retn
; END OF FUNCTION CHUNK	FOR AslFileNotFound
; 
; START	OF FUNCTION CHUNK FOR CmpAssignKeySecurity

loc_9364CD:				; CODE XREF: CmpAssignKeySecurity+4Dj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, 0C0000189h
		jmp	loc_8B111F
; 

loc_9364E3:				; CODE XREF: CmpAssignKeySecurity+DCj
		cmp	dword ptr [ebx+4C0h], 0
		jz	loc_8B10A4
		mov	eax, [ebx+4CCh]
		mov	ecx, [eax+4]
		add	ecx, 18h
		mov	[ebp+var_10], ecx
		jmp	loc_8B10A4
; END OF FUNCTION CHUNK	FOR CmpAssignKeySecurity
; 
; START	OF FUNCTION CHUNK FOR DbgkRegisterErrorPort

loc_936504:				; CODE XREF: DbgkRegisterErrorPort+75j
		mov	eax, 0C000009Ah
		jmp	loc_8B1351
; END OF FUNCTION CHUNK	FOR DbgkRegisterErrorPort

;  S U B	R O U T	I N E 


sub_93650E	proc near		; DATA XREF: .text:006A74ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-60h], eax
		xor	eax, eax
		inc	eax
		retn
sub_93650E	endp


;  S U B	R O U T	I N E 


sub_93651C	proc near		; DATA XREF: .text:006A74F0o
		mov	esp, [ebp-18h]
		mov	edi, [ebp-60h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		jmp	loc_8B11FA
sub_93651C	endp

; 
; START	OF FUNCTION CHUNK FOR DbgkRegisterErrorPort

loc_936530:				; CODE XREF: DbgkRegisterErrorPort+B6j
		mov	edi, 0C000009Ah
		jmp	loc_8B1346
; 

loc_93653A:				; CODE XREF: DbgkRegisterErrorPort+1B3j
		test	al, 4
		jnz	loc_8B1317
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8B1317
; 

loc_93654E:				; CODE XREF: DbgkRegisterErrorPort+1D1j
		lea	eax, [ecx+4]
		lock bts dword ptr [eax], 0
		jb	short loc_936564
		push	esi
		push	dword ptr [ecx+8]
		call	_ZwAlpcDisconnectPort@8	; ZwAlpcDisconnectPort(x,x)
		mov	ecx, [ebp+var_4C]

loc_936564:				; CODE XREF: DbgkRegisterErrorPort+853F8j
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		jnz	loc_8B1335
		call	@DbgkpDeleteErrorPort@4	; DbgkpDeleteErrorPort(x)
		jmp	loc_8B1335
; 

loc_93657B:				; CODE XREF: DbgkRegisterErrorPort+48j
					; DbgkRegisterErrorPort+51j ...
		mov	eax, 0C000000Dh
		jmp	loc_8B1351
; END OF FUNCTION CHUNK	FOR DbgkRegisterErrorPort
; 
; START	OF FUNCTION CHUNK FOR SleepstudyHelperCreateLibrary

loc_936585:				; CODE XREF: SleepstudyHelperCreateLibrary+Cj
		mov	edi, 0C000000Dh
		jmp	loc_8B13F8
; 

loc_93658F:				; CODE XREF: SleepstudyHelperCreateLibrary+19j
		mov	edi, 0C00000BBh
		jmp	loc_8B13F8
; 

loc_936599:				; CODE XREF: SleepstudyHelperCreateLibrary+117j
		test	al, 4
		jnz	loc_8B1487
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8B1487
; END OF FUNCTION CHUNK	FOR SleepstudyHelperCreateLibrary
; 
; START	OF FUNCTION CHUNK FOR IopCompareReqAlternativePriority

loc_9365AD:				; CODE XREF: IopCompareReqAlternativePriority+1Cj
		jb	loc_8B14CC
		cmp	ecx, eax
		jnb	loc_8B14C4
		jmp	loc_8B14CC
; END OF FUNCTION CHUNK	FOR IopCompareReqAlternativePriority
; 
; START	OF FUNCTION CHUNK FOR RtlpMuiRegGetOrAddLangInfo

loc_9365C0:				; CODE XREF: RtlpMuiRegGetOrAddLangInfo+20j
		cmp	[ebx+6], ax
		jl	loc_8B1543
		jmp	loc_8B14F8
; 

loc_9365CF:				; CODE XREF: RtlpMuiRegGetOrAddLangInfo+3Dj
		mov	ecx, esi
		call	_RtlpMuiRegGrowLanguages@8 ; RtlpMuiRegGrowLanguages(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9365E3
		mov	[edi], esi
		jmp	loc_8B1515
; 

loc_9365E3:				; CODE XREF: RtlpMuiRegGetOrAddLangInfo+85108j
		mov	eax, 0C0000017h
		jmp	loc_8B153C
; END OF FUNCTION CHUNK	FOR RtlpMuiRegGetOrAddLangInfo
; 
; START	OF FUNCTION CHUNK FOR RtlpMuiRegGetLangInfoIndex

loc_9365ED:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+3Aj
		movzx	ecx, word ptr [edi+6]
		cmp	eax, ecx
		jl	loc_8B15B2
		jmp	loc_8B158A
; 

loc_9365FE:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+57j
					; RtlpMuiRegGetLangInfoIndex+5Fj
		movzx	eax, word ptr [esi]
		mov	edx, [ebp+var_10]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_4]

loc_93660A:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+85177j
					; RtlpMuiRegGetLangInfoIndex+85186j
		mov	ecx, [ebp+var_18]
		imul	edi, ebx, 1Ch
		add	edi, edx
		cmp	[edi], cx
		mov	ecx, [ebp+var_C]
		jnz	loc_9366AC
		cmp	[edi+4], cx
		jnz	loc_9366AC
		mov	ax, [edi+6]
		cmp	ax, [esi+6]
		jnz	short loc_9366A9
		mov	ax, [edi+0Ah]
		cmp	ax, [esi+0Ah]
		jnz	short loc_9366A9
		movzx	eax, word ptr [edi+8]
		movzx	ecx, word ptr [esi+8]
		mov	[ebp+var_20], eax
		xor	eax, ecx
		mov	[ebp+var_24], ecx
		test	eax, 0C000h
		jnz	short loc_9366A9
		and	[ebp+var_1C], 0
		lea	ecx, [esi+0Ch]
		mov	ebx, [ebp+var_20]
		sub	edi, esi
		mov	esi, [ebp+var_1C]
		mov	al, 1
		mov	[ebp+var_8], ecx

loc_936667:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+85150j
		cmp	esi, 4
		jnb	short loc_93669C
		lea	eax, [esi+esi]
		mov	edx, ebx
		xor	edx, [ebp+var_24]
		mov	cx, ax
		shr	dx, cl
		mov	ecx, [ebp+var_8]
		test	dl, 3
		jnz	short loc_93668F
		mov	ax, [edi+ecx]
		cmp	ax, [ecx]
		jnz	short loc_93668F
		mov	al, 1
		jmp	short loc_936691
; 

loc_93668F:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+85136j
					; RtlpMuiRegGetLangInfoIndex+8513Fj
		xor	al, al

loc_936691:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+85143j
		add	ecx, 2
		inc	esi
		mov	[ebp+var_8], ecx
		test	al, al
		jnz	short loc_936667

loc_93669C:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+85120j
		mov	esi, [ebp+var_28]
		mov	ebx, [ebp+var_14]
		test	al, al
		jnz	short loc_9366D5
		mov	edx, [ebp+var_10]

loc_9366A9:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+850E6j
					; RtlpMuiRegGetLangInfoIndex+850F0j ...
		mov	eax, [ebp+var_4]

loc_9366AC:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+850CEj
					; RtlpMuiRegGetLangInfoIndex+850D8j
		add	ebx, 1
		mov	[ebp+var_14], ebx
		adc	eax, 0
		mov	[ebp+var_4], eax
		cmp	eax, [ebp+var_2C]
		jg	loc_8B15AF
		jl	loc_93660A
		cmp	ebx, [ebp+var_30]
		jnb	loc_8B15AF
		jmp	loc_93660A
; 

loc_9366D5:				; CODE XREF: RtlpMuiRegGetLangInfoIndex+8515Aj
		mov	ax, bx
		jmp	loc_8B15B2
; END OF FUNCTION CHUNK	FOR RtlpMuiRegGetLangInfoIndex
; 
; START	OF FUNCTION CHUNK FOR EtwpCrimsonProvEnableCallback

loc_9366DD:				; CODE XREF: EtwpCrimsonProvEnableCallback+70j
		or	esi, 2
		jmp	loc_8B165E
; 

loc_9366E5:				; CODE XREF: EtwpCrimsonProvEnableCallback+84j
		or	esi, 4
		jmp	loc_8B1672
; 

loc_9366ED:				; CODE XREF: EtwpCrimsonProvEnableCallback+98j
		or	esi, 80000h
		jmp	loc_8B1686
; 

loc_9366F8:				; CODE XREF: EtwpCrimsonProvEnableCallback+F7j
		push	[ebp+arg_10]
		mov	ecx, offset _PsProvGuid
		push	[ebp+arg_C]
		call	_EtwpPsProvCaptureState@12 ; EtwpPsProvCaptureState(x,x,x)
		jmp	loc_8B16E5
; 

loc_93670D:				; CODE XREF: EtwpCrimsonProvEnableCallback+2Bj
		cmp	esi, 2000000h
		jnz	short loc_936776
		mov	ebx, _EtwpFileProvRegHandle
		push	edi
		push	10h
		push	edi
		mov	edi, dword_6BC314
		push	edi
		push	ebx
		call	EtwProviderEnabled
		push	0
		push	60h
		movzx	esi, al
		push	0
		neg	esi
		push	edi
		sbb	esi, esi
		push	ebx
		and	esi, 200h
		call	EtwProviderEnabled
		test	al, al
		jz	short loc_936750
		or	esi, 2000000h

loc_936750:				; CODE XREF: EtwpCrimsonProvEnableCallback+85160j
		push	0
		push	1FA0h
		push	0
		push	edi
		push	ebx
		call	EtwProviderEnabled
		test	al, al
		jz	short loc_93676A
		or	esi, 4000000h

loc_93676A:				; CODE XREF: EtwpCrimsonProvEnableCallback+8517Aj
		mov	[ebp+var_44], 6000200h
		mov	[ebp+var_40], esi
		jmp	short loc_9367D7
; 

loc_936776:				; CODE XREF: EtwpCrimsonProvEnableCallback+8512Bj
		cmp	esi, 20000001h
		jnz	short loc_9367C8
		mov	esi, _EtwpMemoryProvRegHandle
		push	edi
		push	420h
		push	edi
		mov	edi, dword_6BC304
		push	edi
		push	esi
		call	EtwProviderEnabled
		push	0
		push	40h
		movzx	ebx, al
		push	0
		neg	ebx
		push	edi
		sbb	ebx, ebx
		push	esi
		and	ebx, 20080000h
		call	EtwProviderEnabled
		test	al, al
		jz	short loc_9367BC
		or	ebx, 20800000h

loc_9367BC:				; CODE XREF: EtwpCrimsonProvEnableCallback+851CCj
		mov	[ebp+var_44], 20880000h
		mov	[ebp+var_40], ebx
		jmp	short loc_9367D7
; 

loc_9367C8:				; CODE XREF: EtwpCrimsonProvEnableCallback+85194j
		mov	eax, [ebp+arg_4]
		neg	eax
		mov	[ebp+var_44], esi
		sbb	eax, eax
		and	eax, esi
		mov	[ebp+var_40], eax

loc_9367D7:				; CODE XREF: EtwpCrimsonProvEnableCallback+8518Cj
					; EtwpCrimsonProvEnableCallback+851DEj
		xor	edi, edi
		inc	edi
		jmp	loc_8B16E5
; END OF FUNCTION CHUNK	FOR EtwpCrimsonProvEnableCallback
; 
; START	OF FUNCTION CHUNK FOR CmpUpdateReorganizeRegistryValues

loc_9367DF:				; CODE XREF: CmpUpdateReorganizeRegistryValues+39j
		cmp	_CmpAccessBitForPhase, 2
		jnz	loc_8B17E5
		push	offset ??_C@_1MA@KCGLEHPJ@?$AA?2?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAm?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		push	esi
		push	esi
		lea	eax, [ebp+var_30]
		mov	[ebp+var_60], 18h
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_60]
		push	esi
		push	eax
		push	2
		lea	eax, [ebp+var_28]
		mov	[ebp+var_5C], esi
		push	eax
		mov	[ebp+var_54], 2C0h
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_8B17E5
		lea	eax, [ebp+var_38]
		push	eax
		push	offset _CmpReorganizeLastRun
		call	_ExSystemTimeToLocalTime@8 ; ExSystemTimeToLocalTime(x,x)
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		movsx	eax, word ptr [ebp+var_48]
		mov	ecx, 2710h
		cdq
		idiv	ecx
		movsx	eax, [ebp+var_44]
		push	edx
		push	eax
		movsx	eax, word ptr [ebp+var_48+2]
		push	eax
		push	offset ??_C@_1BO@JBMIMNMP@?$AA?$CF?$AA0?$AA2?$AAd?$AA?3?$AA?$CF?$AA0?$AA2?$AAd?$AA?3?$AA?$CF?$AA0?$AA4?$AAd@NNGAKEGL@
		lea	eax, [ebp+var_24]
		push	10h
		push	eax
		call	_swprintf_s
		add	esp, 18h
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9368DE
		push	offset ??_C@_1BA@LAKJGBNI@?$AAL?$AAa?$AAs?$AAt?$AAR?$AAu?$AAn@NNGAKEGL@
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	ecx, [ebp+var_24]
		lea	edx, [ecx+2]

loc_936890:				; CODE XREF: CmpUpdateReorganizeRegistryValues+850F3j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_936890
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ecx+ecx]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	1
		push	esi
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_28]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9368DE
		push	offset ??_C@_1CA@DFGBBCPM@?$AAT?$AAo?$AAt?$AAa?$AAl?$AAB?$AAy?$AAt?$AAe?$AAs?$AAS?$AAa?$AAv?$AAe?$AAd@NNGAKEGL@
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		push	offset _CmpReorganizeTotalBytesSaved
		push	0Bh
		push	esi
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_28]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_9368DE:				; CODE XREF: CmpUpdateReorganizeRegistryValues+850D4j
					; CmpUpdateReorganizeRegistryValues+85112j
		push	[ebp+var_28]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8B17E5
; END OF FUNCTION CHUNK	FOR CmpUpdateReorganizeRegistryValues
; 
; START	OF FUNCTION CHUNK FOR PspInitializeQuotaBlock

loc_9368EB:				; CODE XREF: PspInitializeQuotaBlock+3Dj
		test	byte ptr [edi+30h], 10h
		jz	loc_8B18FE
		cmp	[edi], esi
		jnz	short loc_936918
		cmp	[edi+10h], esi
		jnz	short loc_936918
		cmp	[edi+4], esi
		jnz	short loc_936918
		cmp	[edi+20h], esi
		jnz	short loc_936918
		mov	eax, offset _PspDefaultResourceLimits
		mov	edi, esi
		mov	[esp+18h+var_8], eax
		jmp	loc_8B1902
; 

loc_936918:				; CODE XREF: PspInitializeQuotaBlock+8505Fj
					; PspInitializeQuotaBlock+85064j ...
		mov	eax, 0C000000Dh
		jmp	loc_8B192C
; 

loc_936922:				; CODE XREF: PspInitializeQuotaBlock+7Fj
		mov	eax, dword ptr ds:_PspQuotaLimitOffsets[esi*4]
		mov	eax, [edi+eax]
		jmp	loc_8B1920
; 

loc_936931:				; CODE XREF: PspInitializeQuotaBlock+48j
		test	eax, eax
		jz	loc_8B18F8
		and	[esp+18h+var_4], 0
		lea	ecx, [esp+18h+var_4]
		push	ecx
		push	eax
		mov	ecx, esi
		call	_PspExpandLimit@16 ; PspExpandLimit(x,x,x,x)
		test	al, al
		jz	short loc_936961
		test	esi, esi
		jnz	loc_8B18F8
		call	_IoEnableIrpCredits@0 ;	IoEnableIrpCredits()
		jmp	loc_8B18F8
; 

loc_936961:				; CODE XREF: PspInitializeQuotaBlock+850B5j
		mov	eax, 0C000009Ah
		jmp	loc_8B192C
; END OF FUNCTION CHUNK	FOR PspInitializeQuotaBlock
; 
; START	OF FUNCTION CHUNK FOR MmInitializeHandBuiltProcess

loc_93696B:				; CODE XREF: MmInitializeHandBuiltProcess+2Aj
		mov	eax, 0C000009Ah
		jmp	loc_8B1A6A
; END OF FUNCTION CHUNK	FOR MmInitializeHandBuiltProcess
; 
; START	OF FUNCTION CHUNK FOR TlgAggregateInternalRegisteredProviderEtwCallback

loc_936975:				; CODE XREF: TlgAggregateInternalRegisteredProviderEtwCallback+17j
		cmp	[ebp+arg_4], 2
		jnz	loc_8B1BB4
		mov	ecx, esi
		call	LookUpTableFlushPartial
		jmp	loc_8B1BB4
; END OF FUNCTION CHUNK	FOR TlgAggregateInternalRegisteredProviderEtwCallback
; 
; START	OF FUNCTION CHUNK FOR LookUpTableFlushComplete

loc_93698B:				; CODE XREF: LookUpTableFlushComplete+24j
		call	UpdateInternalStatsOnFlush
		lea	ebx, [ecx+98h]
		mov	eax, [ebx]
		or	eax, [ebx+4]
		push	0
		mov	[esp+84h+var_4C], ebx
		pop	ebx
		jz	loc_936A9E
		cmp	dword_6B30A8, 5
		jbe	loc_936A82
		push	4000h
		push	ebx
		mov	ecx, offset dword_6B30A8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_936A82
		mov	ecx, [esp+80h+var_74]
		lea	edi, [esp+80h+var_14]
		mov	[esp+80h+var_44], ebx
		mov	edx, (offset loc_424A83+6)
		mov	eax, [ecx+0A8h]
		mov	[esp+80h+var_48], eax
		mov	eax, [ecx+0C8h]
		mov	esi, [eax+4]
		mov	eax, [ecx+0BCh]
		sub	esi, 10h
		movsd
		movsd
		movsd
		movsd
		mov	[esp+80h+var_70], eax
		mov	eax, [ecx+0B8h]
		mov	[esp+80h+var_6C], eax
		mov	eax, [ecx+0B4h]
		mov	[esp+80h+var_68], eax
		mov	eax, [ecx+0B0h]
		mov	[esp+80h+var_64], eax
		mov	eax, [ecx+0ACh]
		mov	[esp+80h+var_60], eax
		lea	eax, [ecx+98h]
		mov	[esp+80h+var_5C], eax
		lea	eax, [esp+80h+var_48]
		mov	[esp+80h+var_58], eax
		lea	eax, [ecx+0A0h]
		mov	[esp+80h+var_54], eax
		lea	eax, [esp+80h+var_14]
		mov	[esp+80h+var_50], eax
		lea	eax, [esp+80h+var_70]
		push	eax
		lea	eax, [esp+84h+var_6C]
		push	eax
		lea	eax, [esp+88h+var_68]
		push	eax
		lea	eax, [esp+8Ch+var_64]
		push	eax
		lea	eax, [esp+90h+var_60]
		push	eax
		lea	eax, [esp+94h+var_5C]
		push	eax
		lea	eax, [esp+98h+var_58]
		push	eax
		lea	eax, [esp+9Ch+var_54]
		push	eax
		lea	eax, [esp+0A0h+var_50]
		push	eax
		push	ecx
		push	ecx
		call	??$Write@U?$_tlgWrapperByRef@$0BA@@@U?$_tlgWrapperByRef@$07@@U2@U2@U?$_tlgWrapperByVal@$03@@U3@U3@U3@U3@@?$_tlgWriteTemplate@$$A6GJPBU_tlgProvider_t@@PBXPBU_GUID@@2IPAU_EVENT_DATA_DESCRIPTOR@@@Z$1?_tlgWriteTransfer_EtwWriteTransfer@@YGJ0122I3@ZPBU2@PBU2@@@SGJPBU_tlgProvider_t@@PBXPBU_GUID@@2ABU?$_tlgWrapperByRef@$0BA@@@ABU?$_tlgWrapperByRef@$07@@44ABU?$_tlgWrapperByVal@$03@@5555@Z	; _tlgWriteTemplate<long (_tlgProvider_t const *,void const *,_GUID const *,_GUID const	*,uint,_EVENT_DATA_DESCRIPTOR *),&_tlgWriteTransfer_EtwWriteTransfer(_tlgProvider_t const *,void const *,_GUID const *,_GUID const *,uint,_EVENT_DATA_DESCRIPTOR *),_GUID const	*,_GUID	const *>::Write<_tlgWrapperByRef<16>,_tlgWrapperByRef<8>,_tlgWrapperByRef<8>,_tlgWrapperByRef<8>,_tlgWrapperByVal<4>,_tlgWrapperByVal<4>,_tlgWrapperByVal<4>,_tlgWrapperByVal<4>,_tlgWrapperByVal<4>>(_tlgProvider_t const *,void const	*,_GUID	const *,_GUID const *,_tlgWrapperByRef<16> const &,_tlgWrapperByRef<8> const &,_tlgWrapperByRef<8> cons

loc_936A82:				; CODE XREF: LookUpTableFlushComplete+84DD3j
					; LookUpTableFlushComplete+84DEBj
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+80h+var_40]
		rep stosd
		mov	edi, [esp+80h+var_4C]
		lea	esi, [esp+80h+var_40]
		push	0Ah
		pop	ecx
		rep movsd
		mov	ecx, [esp+80h+var_74]

loc_936A9E:				; CODE XREF: LookUpTableFlushComplete+84DC6j
					; LookUpTableFlushComplete+84ED1j
		mov	edx, ebx
		call	FlushLookUpTableBucket
		mov	ecx, [esp+80h+var_74]
		inc	ebx
		cmp	ebx, 20h
		jb	short loc_936A9E
		jmp	loc_8B1C06
; END OF FUNCTION CHUNK	FOR LookUpTableFlushComplete
; 
; START	OF FUNCTION CHUNK FOR EtwpTraceLoggingProvEnableCallback

loc_936AB4:				; CODE XREF: EtwpTraceLoggingProvEnableCallback+Cj
		cmp	ecx, offset _PsProvTraceLoggingGuid
		jnz	loc_8B1C2A
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	_EtwpPsProvCaptureState@12 ; EtwpPsProvCaptureState(x,x,x)
		jmp	loc_8B1C2A
; END OF FUNCTION CHUNK	FOR EtwpTraceLoggingProvEnableCallback
; 
; START	OF FUNCTION CHUNK FOR HeadlessTerminalAddResources

loc_936AD0:				; CODE XREF: HeadlessTerminalAddResources+25j
		test	dword ptr [eax+18h], 1000h
		jnz	loc_8B1C5D
		lea	eax, [edi+20h]
		mov	[ebx], eax
		cmp	eax, edi
		jb	loc_936B8B
		push	736C6448h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		test	esi, esi
		jz	loc_936B89
		push	edi		; size_t
		push	[ebp+var_8]	; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, _HeadlessGlobals
		xor	ebx, ebx
		add	esp, 0Ch
		mov	eax, [eax+24h]
		cmp	[ebp+arg_0], bl
		jz	short loc_936B42
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_4], 1
		push	ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	ebx
		push	eax
		push	ebx
		push	ebx
		call	ds:__imp__HalTranslateBusAddress@24 ; HalTranslateBusAddress(x,x,x,x,x,x)
		mov	eax, [ebp+arg_4]
		mov	esi, [eax]
		jmp	short loc_936B48
; 

loc_936B42:				; CODE XREF: HeadlessTerminalAddResources+84EEEj
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], ebx

loc_936B48:				; CODE XREF: HeadlessTerminalAddResources+84F0Ej
		inc	dword ptr [esi]
		xor	ecx, ecx
		inc	ecx
		mov	[esi+edi+4], ebx
		xor	eax, eax
		mov	[esi+edi], ecx
		mov	[esi+edi+8], eax
		mov	[esi+edi+0Ch], ecx
		mov	[esi+edi+10h], cl
		mov	byte ptr [esi+edi+11h],	2
		mov	[esi+edi+12h], cx
		mov	eax, [ebp+var_10]
		mov	[esi+edi+14h], eax
		mov	eax, [ebp+var_C]
		mov	[esi+edi+18h], eax
		xor	eax, eax
		mov	dword ptr [esi+edi+1Ch], 8
		jmp	loc_8B1C66
; 

loc_936B89:				; CODE XREF: HeadlessTerminalAddResources+84ECEj
		xor	ecx, ecx

loc_936B8B:				; CODE XREF: HeadlessTerminalAddResources+84EB2j
		mov	eax, 0C000009Ah
		jmp	loc_8B1C64
; END OF FUNCTION CHUNK	FOR HeadlessTerminalAddResources
; 
; START	OF FUNCTION CHUNK FOR SdbTagIDToTagRef

loc_936B95:				; CODE XREF: SdbTagIDToTagRef+1Cj
		push	offset ??_C@_07PANBMHCG@Bad?5PDB@NNGAKEGL@
		push	105h
		push	(offset	loc_8C3A37+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		mov	eax, esi
		jmp	loc_8B1F70
; END OF FUNCTION CHUNK	FOR SdbTagIDToTagRef
; 
; START	OF FUNCTION CHUNK FOR _RegRtlOpenPredefinedKey

loc_936BB5:				; CODE XREF: _RegRtlOpenPredefinedKey+52j
		cmp	ecx, 80000005h
		jnz	short loc_936BC8
		mov	edx, ds:off_405028
		jmp	loc_8B224B
; 

loc_936BC8:				; CODE XREF: _RegRtlOpenPredefinedKey+84993j
		cmp	ecx, 80000001h
		jnz	short loc_936BEB
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlFormatCurrentUserKeyPath@4 ; RtlFormatCurrentUserKeyPath(x)
		mov	esi, eax
		test	esi, esi
		js	loc_8B225C
		mov	edx, [ebp+var_4]
		jmp	loc_8B224B
; 

loc_936BEB:				; CODE XREF: _RegRtlOpenPredefinedKey+849A6j
		mov	esi, 0C0000008h
		jmp	loc_8B225C
; END OF FUNCTION CHUNK	FOR _RegRtlOpenPredefinedKey
; 
; START	OF FUNCTION CHUNK FOR EtwTraceTimeZoneInformationRefresh

loc_936BF5:				; CODE XREF: EtwTraceTimeZoneInformationRefresh+33j
		mov	al, 55h
		jmp	loc_8B22CB
; 

loc_936BFC:				; CODE XREF: EtwTraceTimeZoneInformationRefresh+2Aj
		mov	al, 53h
		jmp	loc_8B22CB
; END OF FUNCTION CHUNK	FOR EtwTraceTimeZoneInformationRefresh
; 
; START	OF FUNCTION CHUNK FOR ExpNtDeleteWnfStateData

loc_936C03:				; CODE XREF: ExpNtDeleteWnfStateData+5Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_8B25C7
; 

loc_936C0F:				; CODE XREF: ExpNtDeleteWnfStateData+A5j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_8B25C1
; 

loc_936C1B:				; CODE XREF: ExpNtDeleteWnfStateData+B7j
		mov	[ebp+var_4C], 1
		jmp	loc_8B250B
; 

loc_936C27:				; CODE XREF: ExpNtDeleteWnfStateData+C5j
		push	ebx
		push	edi
		call	_ExpWnfCheckCrossScopeAccess@8 ; ExpWnfCheckCrossScopeAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8B25C1
		mov	al, [ebp+var_35]
		jmp	loc_8B250B
; 

loc_936C40:				; CODE XREF: ExpNtDeleteWnfStateData+CDj
		and	[ebp+var_64], 0
		mov	ecx, ds:_PsInitialSystemProcess
		mov	[ebp+var_3C], ecx
		mov	eax, [ebp+var_30]
		jmp	loc_8B2538
; 

loc_936C55:				; CODE XREF: ExpNtDeleteWnfStateData+FBj
		mov	ecx, edi
		xor	ecx, 0A3BC0074h
		mov	eax, ebx
		xor	eax, 41C64E6Dh
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], eax
		push	0
		push	0
		push	0
		lea	eax, [ebp+var_24]
		push	eax
		xor	edx, edx
		inc	edx
		call	_ExpCrossVmWnfPush@24 ;	ExpCrossVmWnfPush(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000002h
		jz	short loc_936C8E
		test	esi, esi
		js	loc_8B25C1

loc_936C8E:				; CODE XREF: ExpNtDeleteWnfStateData+84844j
		mov	eax, [ebp+var_30]
		jmp	loc_8B2541
; 

loc_936C96:				; CODE XREF: ExpNtDeleteWnfStateData+12Ej
		cmp	[ebp+var_50], 3
		jz	loc_8B2574
		push	ebx
		push	edi
		lea	ecx, [ebp+var_48]
		call	ExpWnfLookupPermanentName
		mov	esi, eax
		test	esi, esi
		js	loc_8B25C1
		cmp	[ebp+var_4C], 0
		jnz	short loc_936CD2
		push	2
		pop	edx
		mov	ecx, [ebp+var_48]
		mov	ecx, [ecx+8]
		call	_ExpWnfCheckCallerAccess@8 ; ExpWnfCheckCallerAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8B25C1

loc_936CD2:				; CODE XREF: ExpNtDeleteWnfStateData+84878j
		mov	ecx, edi
		mov	eax, ebx
		shrd	ecx, eax, 0Ah
		test	cl, 1
		jz	loc_8B25BF
		push	ebx
		push	edi
		mov	ecx, [ebp+var_44]
		call	_ExpWnfDeletePermanentStateData@12 ; ExpWnfDeletePermanentStateData(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	loc_8B25C1
		jmp	loc_8B25BF
; 

loc_936D00:				; CODE XREF: ExpNtDeleteWnfStateData+156j
		mov	eax, [ebp+var_40]
		mov	ecx, [ebp+var_3C]
		cmp	[eax+54h], ecx
		jz	loc_8B259C
		mov	esi, 0C0000022h
		jmp	loc_8B25C1
; 

loc_936D19:				; CODE XREF: ExpNtDeleteWnfStateData+167j
		push	ebx
		push	edi
		mov	ecx, [ebp+var_44]
		call	_ExpWnfDeletePermanentStateData@12 ; ExpWnfDeletePermanentStateData(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_8B25AD
		test	esi, esi
		js	loc_8B25C1
		jmp	loc_8B25AD
; 

loc_936D3E:				; CODE XREF: ExpNtDeleteWnfStateData+179j
		xor	edi, 0A3BC0074h
		xor	ebx, 41C64E6Dh
		mov	[ebp+var_2C], edi
		mov	[ebp+var_28], ebx
		push	0
		push	0
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		xor	edx, edx
		call	_ExpCrossVmWnfPush@24 ;	ExpCrossVmWnfPush(x,x,x,x,x,x)
		jmp	loc_8B25BF
; END OF FUNCTION CHUNK	FOR ExpNtDeleteWnfStateData

;  S U B	R O U T	I N E 


sub_936D66	proc near		; DATA XREF: .text:006A750Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-70h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_936D66	endp


;  S U B	R O U T	I N E 


sub_936D76	proc near		; DATA XREF: .text:006A7510o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-70h]
		mov	[ebp-68h], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-54h]
		jmp	loc_8B25C4
sub_936D76	endp

; 
; START	OF FUNCTION CHUNK FOR ExpNtDeleteWnfStateData

loc_936D8E:				; CODE XREF: ExpNtDeleteWnfStateData+1A9j
		push	20666E57h
		push	[ebp+var_48]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B25EF
; END OF FUNCTION CHUNK	FOR ExpNtDeleteWnfStateData
; 
; START	OF FUNCTION CHUNK FOR FsRtlBalanceReads

loc_936DA0:				; CODE XREF: FsRtlBalanceReads+5Cj
		push	esi
		push	esi
		push	esi
		push	esi
		lea	eax, [esp+30h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+20h+var_18]
		jmp	loc_8B267A
; END OF FUNCTION CHUNK	FOR FsRtlBalanceReads
; 
; START	OF FUNCTION CHUNK FOR CmpVolumeContextCreate

loc_936DB7:				; CODE XREF: CmpVolumeContextCreate+4Ej
		mov	ecx, esi
		call	_CmpVolumeContextCleanup@4 ; CmpVolumeContextCleanup(x)
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	loc_8B2776
; END OF FUNCTION CHUNK	FOR CmpVolumeContextCreate
; 
; START	OF FUNCTION CHUNK FOR CmpVolumeContextStart

loc_936DCA:				; CODE XREF: CmpVolumeContextStart+3Fj
		mov	ecx, eax
		call	CmpUuidCreate
		mov	esi, eax
		xor	edi, edi
		jmp	loc_8B2857
; END OF FUNCTION CHUNK	FOR CmpVolumeContextStart
; 
; START	OF FUNCTION CHUNK FOR DbgkLkmdRegisterCallback

loc_936DDA:				; CODE XREF: DbgkLkmdRegisterCallback+24j
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		cmp	ecx, [eax+4]
		mov	ecx, esi
		jz	short loc_936DF0
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)
		jmp	loc_8B28B6
; 

loc_936DF0:				; CODE XREF: DbgkLkmdRegisterCallback+84558j
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)
		mov	eax, 0C0000718h
		jmp	loc_8B28F3
; 

loc_936DFF:				; CODE XREF: DbgkLkmdRegisterCallback+55j
		inc	esi
		add	edi, 8
		cmp	esi, 8
		jb	loc_8B28D4
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C000042Bh
		jmp	loc_8B28F3
; END OF FUNCTION CHUNK	FOR DbgkLkmdRegisterCallback
; 
; START	OF FUNCTION CHUNK FOR SdbTagRefToTagID

loc_936E1E:				; CODE XREF: SdbTagRefToTagID+49j
		test	dl, 1
		jz	loc_8B2994
		and	[eax+28h], ecx
		lea	esi, [eax+14h]
		lea	edi, [ebp+var_14]
		movsd
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		movsd
		lea	edx, [ebp+var_14]
		push	ecx
		mov	ecx, [ebp+var_20]
		movsd
		movsd
		call	_SdbpOpenLocalDatabaseEx@20 ; SdbpOpenLocalDatabaseEx(x,x,x,x,x)
		mov	ecx, [ebp+var_18]
		mov	ebx, eax
		jmp	loc_8B2964
; END OF FUNCTION CHUNK	FOR SdbTagRefToTagID
; 
; START	OF FUNCTION CHUNK FOR PiRemoveDeferredSetInterfaceState

loc_936E52:				; CODE XREF: PiRemoveDeferredSetInterfaceState+37j
		cmp	[edi+4], esi
		jnz	short loc_936E7A
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_936E7A
		mov	[eax], edi
		xor	ebx, ebx
		push	ebx
		mov	[edi+4], eax
		push	dword ptr [esi+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B29E5
; 

loc_936E7A:				; CODE XREF: PiRemoveDeferredSetInterfaceState+844B7j
					; PiRemoveDeferredSetInterfaceState+844BEj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_936E7F:				; CODE XREF: SmProcessConfigRequest+17j
		mov	ebx, 0C0000206h
		jmp	loc_936F34
; END OF FUNCTION CHUNK	FOR PiRemoveDeferredSetInterfaceState
; 
; START	OF FUNCTION CHUNK FOR SmProcessConfigRequest

loc_936E89:				; CODE XREF: SmProcessConfigRequest+35j
		mov	[eax], bl
		jmp	loc_8B2AF3
; 

loc_936E90:				; CODE XREF: SmProcessConfigRequest+59j
		mov	ebx, 0C0000059h
		jmp	loc_936F34
; 

loc_936E9A:				; CODE XREF: SmProcessConfigRequest+78j
		sub	eax, 1
		jz	short loc_936EC3
		sub	eax, 1
		jnz	loc_936F34
		lea	eax, [ecx-4]
		cmp	eax, 1Ch
		ja	short loc_936F12
		test	ecx, ecx
		jz	short loc_936F12
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	short loc_936F12
		mov	dword_6D3488, ecx
		jmp	short loc_936F34
; 

loc_936EC3:				; CODE XREF: SmProcessConfigRequest+843E5j
		cmp	ecx, 1
		ja	short loc_936F12
		mov	_PspOutSwapSharedPages,	ecx
		jmp	short loc_936F34
; 

loc_936ED0:				; CODE XREF: SmProcessConfigRequest+ACj
					; SmProcessConfigRequest+B5j
		push	dword ptr [ebp+arg_0]
		push	ds:dword_A94A5C
		push	ds:_SeLockMemoryPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	loc_8B2B73
		mov	ebx, 0C0000022h
		jmp	short loc_936F34
; 

loc_936EF3:				; CODE XREF: SmProcessConfigRequest+116j
					; SmProcessConfigRequest+14Aj
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_936F04
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_936F04:				; CODE XREF: SmProcessConfigRequest+84443j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	short loc_936F34
; 

loc_936F12:				; CODE XREF: SmProcessConfigRequest+64j
					; SmProcessConfigRequest+70j ...
		mov	ebx, 0C000000Dh
		jmp	short loc_936F34
; END OF FUNCTION CHUNK	FOR SmProcessConfigRequest

;  S U B	R O U T	I N E 


sub_936F19	proc near		; DATA XREF: .text:006A752Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
sub_936F19	endp


;  S U B	R O U T	I N E 


sub_936F27	proc near		; DATA XREF: .text:006A7530o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-20h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
sub_936F27	endp

; START	OF FUNCTION CHUNK FOR SmProcessConfigRequest

loc_936F34:				; CODE XREF: SmProcessConfigRequest+E8j
					; PiRemoveDeferredSetInterfaceState+844E6j ...
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_936F48:				; CODE XREF: SmProcessConfigRequest+1ADj
		mov	edi, offset _PopAlpcMonitorClientPort

loc_936F4D:				; CODE XREF: SmProcessConfigRequest+8459Dj
		movzx	eax, [esp+0A8h+var_50]
		and	eax, 0FFFF00FFh
		cmp	eax, 3
		jz	loc_937028
		cmp	eax, 4
		jbe	loc_937035
		cmp	eax, 6
		jbe	loc_937015
		cmp	eax, 0Ah
		jnz	loc_937035
		mov	eax, _PopAlpcMonitorClientPort
		test	eax, eax
		jz	short loc_936F90
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	_PopAlpcMonitorClientPort, esi

loc_936F90:				; CODE XREF: SmProcessConfigRequest+844CAj
		push	2Ch		; size_t
		lea	eax, [esp+0ACh+var_80]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+0A8h+var_80], 100000h
		lea	eax, [esp+0A8h+var_54]
		mov	[esp+0A8h+var_70], 100h
		mov	[esp+0A8h+var_98], 18h
		mov	[esp+0A8h+var_94], esi
		push	1
		push	esi
		push	eax
		push	esi
		lea	eax, [esp+0B8h+var_80]
		mov	[esp+0B8h+var_8C], 200h
		push	eax
		lea	eax, [esp+0BCh+var_98]
		mov	[esp+0BCh+var_90], esi
		push	eax
		push	esi
		push	_PopAlpcMonitorServerPort
		mov	[esp+0C8h+var_88], esi
		push	edi
		mov	[esp+0CCh+var_84], esi
		call	_ZwAlpcAcceptConnectPort@36 ; ZwAlpcAcceptConnectPort(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_937035
		push	esi
		push	esi
		lea	eax, [esp+0B0h+var_54]
		push	eax
		push	esi
		lea	eax, [esp+0B8h+var_80]
		push	eax
		lea	eax, [esp+0BCh+var_98]
		push	eax
		push	esi
		push	_PopAlpcMonitorServerPort
		push	edi
		call	_ZwAlpcAcceptConnectPort@36 ; ZwAlpcAcceptConnectPort(x,x,x,x,x,x,x,x,x)
		jmp	short loc_937035
; 

loc_937015:				; CODE XREF: SmProcessConfigRequest+844B4j
		push	_PopAlpcMonitorClientPort
		call	_ZwClose@4	; ZwClose(x)
		mov	_PopAlpcMonitorClientPort, esi
		jmp	short loc_937035
; 

loc_937028:				; CODE XREF: SmProcessConfigRequest+844A2j
		mov	edx, [esp+0A8h+var_38]
		mov	ecx, [esp+0A8h+var_3C]
		call	_PopMonitorProcessBrightnessAction@8 ; PopMonitorProcessBrightnessAction(x,x)

loc_937035:				; CODE XREF: SmProcessConfigRequest+844ABj
					; SmProcessConfigRequest+844BDj ...
		push	esi
		push	esi
		lea	eax, [esp+0B0h+var_9C]
		mov	[esp+0B0h+var_9C], ebx
		push	eax
		lea	eax, [esp+0B4h+var_54]
		push	eax
		push	esi
		push	esi
		push	esi
		push	_PopAlpcMonitorServerPort
		call	_ZwAlpcSendWaitReceivePort@32 ;	ZwAlpcSendWaitReceivePort(x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	loc_936F4D
		jmp	loc_8B2C6B
; END OF FUNCTION CHUNK	FOR SmProcessConfigRequest
; 
; START	OF FUNCTION CHUNK FOR PopThermalHandlePreviousShutdown

loc_937060:				; CODE XREF: PopThermalHandlePreviousShutdown+A1j
		push	4
		pop	esi
		cmp	[ebp+var_58], esi
		jnz	loc_8B2D25
		cmp	[ebp+var_54], esi
		jnz	loc_8B2D25
		lea	eax, [ebp+var_64]
		push	eax
		push	14h
		lea	eax, [ebp+var_5C]
		push	eax
		push	2
		lea	eax, [ebp+var_80]
		push	eax
		push	edi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9370A5
		cmp	[ebp+var_58], esi
		jnz	short loc_9370A5
		cmp	[ebp+var_54], esi
		jnz	short loc_9370A5
		mov	eax, [ebp+var_50]
		mov	[ebp+var_5D], 1
		mov	[ebp+var_70], eax
		jmp	short loc_9370A8
; 

loc_9370A5:				; CODE XREF: PopThermalHandlePreviousShutdown+8440Fj
					; PopThermalHandlePreviousShutdown+84414j ...
		mov	[ebp+var_5D], bl

loc_9370A8:				; CODE XREF: PopThermalHandlePreviousShutdown+84425j
		lea	eax, [ebp+var_64]
		mov	[ebp+var_68], 10h
		push	eax
		push	0
		push	0
		push	2
		lea	eax, [ebp+var_78]
		mov	esi, ebx
		push	eax
		push	edi
		mov	ebx, (offset loc_8B7595+1)
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_937123
		mov	eax, [ebp+var_64]
		push	6D726854h
		add	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_937123
		mov	ecx, [ebp+var_64]
		add	ecx, 2
		push	ecx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_64]
		push	eax
		push	[ebp+var_64]
		lea	eax, [ebp+var_78]
		push	esi
		push	2
		push	eax
		push	edi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_937123
		cmp	dword ptr [esi+4], 1
		jnz	short loc_937123
		mov	eax, [esi+8]
		lea	ebx, [esi+0Ch]
		mov	[ebp+var_68], eax

loc_937123:				; CODE XREF: PopThermalHandlePreviousShutdown+84451j
					; PopThermalHandlePreviousShutdown+8446Aj ...
		lea	eax, [ebp+var_88]
		push	eax
		push	edi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		test	eax, eax
		js	loc_9371FC
		lea	edx, [ebp+var_6C]
		mov	cl, 1
		call	PopOpenThermalLoggingKey
		test	eax, eax
		js	short loc_93717E
		push	[ebp+var_68]
		lea	eax, [ebp+var_78]
		push	ebx
		push	1
		push	0
		push	eax
		push	[ebp+var_6C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		cmp	[ebp+var_5D], 0
		jz	short loc_937176
		push	4
		lea	eax, [ebp+var_70]
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_80]
		push	eax
		push	[ebp+var_6C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_937176:				; CODE XREF: PopThermalHandlePreviousShutdown+844E0j
		push	[ebp+var_6C]
		call	_ZwClose@4	; ZwClose(x)

loc_93717E:				; CODE XREF: PopThermalHandlePreviousShutdown+844C6j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WNF_PO_THERMAL_SHUTDOWN_OCCURRED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		cmp	dword_6B23F8, 5
		jbe	short loc_9371E8
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9371E8
		mov	edx, ebx
		lea	ecx, [ebp+var_28]
		call	_tlgCreate1Sz_wchar_t
		mov	eax, [ebp+var_70]
		xor	ecx, ecx
		push	4
		pop	edx
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	edx
		push	ecx
		push	ecx
		push	offset loc_41D812
		push	offset dword_6B23F8
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9371E8:				; CODE XREF: PopThermalHandlePreviousShutdown+84519j
					; PopThermalHandlePreviousShutdown+8452Ej
		lea	eax, [ebp+var_80]
		push	eax
		push	edi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		lea	eax, [ebp+var_78]
		push	eax
		push	edi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_9371FC:				; CODE XREF: PopThermalHandlePreviousShutdown+844B4j
		test	esi, esi
		jz	loc_8B2D25
		push	6D726854h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B2D25
; END OF FUNCTION CHUNK	FOR PopThermalHandlePreviousShutdown
; 
; START	OF FUNCTION CHUNK FOR SmProcessRegistrationRequest

loc_937214:				; CODE XREF: SmProcessRegistrationRequest+19j
		mov	ecx, 0C0000206h
		jmp	loc_8B2E3F
; END OF FUNCTION CHUNK	FOR SmProcessRegistrationRequest

;  S U B	R O U T	I N E 


sub_93721E	proc near		; DATA XREF: .text:006A7558o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_93721E	endp


;  S U B	R O U T	I N E 


sub_93722C	proc near		; DATA XREF: .text:006A755Co
		mov	ecx, [ebp-1Ch]
		jmp	short loc_937242
; 

loc_937231:				; DATA XREF: .text:006A754Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_93723F:				; DATA XREF: .text:006A7550o
		mov	ecx, [ebp-20h]

loc_937242:				; CODE XREF: sub_93722C+3j
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_8B2E3F
sub_93722C	endp

; 
; START	OF FUNCTION CHUNK FOR SmGetRegistrationInfo

loc_937251:				; CODE XREF: SmGetRegistrationInfo+28j
		mov	ecx, offset dword_7185B0
		call	_SmRegistrationCtxStart@4 ; SmRegistrationCtxStart(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_937268
		or	ds:dword_718450, 8

loc_937268:				; CODE XREF: SmGetRegistrationInfo+30j
					; SmGetRegistrationInfo+843FBj
		or	eax, 0FFFFFFFFh
		mov	ecx, offset unk_718464
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	loc_8B2E99
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset unk_718464
		jmp	loc_8B2E99
; END OF FUNCTION CHUNK	FOR SmGetRegistrationInfo

;  S U B	R O U T	I N E 


sub_93728D	proc near		; DATA XREF: .text:006A7574o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_93728D	endp


;  S U B	R O U T	I N E 


sub_93729B	proc near		; DATA XREF: .text:006A7578o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-2Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_8B30A5
sub_93729B	endp

; 
; START	OF FUNCTION CHUNK FOR NtFlushInstallUILanguage

loc_9372AD:				; CODE XREF: NtFlushInstallUILanguage+39j
		mov	eax, 0C0000022h
		jmp	loc_8B318D
; 

loc_9372B7:				; CODE XREF: NtFlushInstallUILanguage+46j
		movzx	eax, ds:_PsInstallUILanguageId
		cmp	[ebp+arg_0], eax
		jnz	short loc_9372E2
		xor	eax, eax
		jmp	loc_8B318D
; 

loc_9372CA:				; CODE XREF: NtFlushInstallUILanguage+A0j
		mov	ds:_PsInstallUILanguageId, ax
		mov	ds:_PsMachineUILanguageId, ax
		call	_MigrateOOBELanguageToInstallationLanguage@0 ; MigrateOOBELanguageToInstallationLanguage()
		mov	esi, eax
		jmp	loc_8B3174
; 

loc_9372E2:				; CODE XREF: NtFlushInstallUILanguage+1Cj
					; NtFlushInstallUILanguage+841F5j
		mov	eax, 0C0000001h
		jmp	loc_8B318D
; END OF FUNCTION CHUNK	FOR NtFlushInstallUILanguage
; 
; START	OF FUNCTION CHUNK FOR MUIInitializeResourceLock

loc_9372EC:				; CODE XREF: MUIInitializeResourceLock+4Ej
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B31E8
; END OF FUNCTION CHUNK	FOR MUIInitializeResourceLock
; 
; START	OF FUNCTION CHUNK FOR PopPdcRegister

loc_9372F9:				; CODE XREF: PopPdcRegister+Aj
		mov	eax, 0C000000Dh
		jmp	loc_8B3323
; END OF FUNCTION CHUNK	FOR PopPdcRegister
; 
; START	OF FUNCTION CHUNK FOR ExpQueryInterruptSteeringInformation

loc_937303:				; CODE XREF: ExpQueryInterruptSteeringInformation+28j
		mov	ebx, 0C0000022h
		jmp	loc_8B33CC
; 

loc_93730D:				; CODE XREF: ExpQueryInterruptSteeringInformation+71j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_937320
		mov	[ebp+ms_exc.disabled], 1
		mov	[eax], ecx
		mov	[ebp+ms_exc.disabled], edi

loc_937320:				; CODE XREF: ExpQueryInterruptSteeringInformation+30j
					; ExpQueryInterruptSteeringInformation+39j ...
		mov	ebx, 0C0000004h
		jmp	loc_8B33CC
; END OF FUNCTION CHUNK	FOR ExpQueryInterruptSteeringInformation

;  S U B	R O U T	I N E 


sub_93732A	proc near		; DATA XREF: .text:006A75A0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-30h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_93732A	endp


;  S U B	R O U T	I N E 


sub_93733A	proc near		; DATA XREF: .text:006A75A4o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_937320
sub_93733A	endp

; 
; START	OF FUNCTION CHUNK FOR ExpQueryInterruptSteeringInformation

loc_937346:				; CODE XREF: ExpQueryInterruptSteeringInformation+85j
					; ExpQueryInterruptSteeringInformation+8Ej
		xor	eax, eax
		cmp	[ebp+var_1B], al
		setnz	al
		lea	ecx, [ebp+var_3C]
		push	ecx
		push	eax
		push	[ebp+var_1F]
		call	_KeIntSteerGetSteeringMode@20 ;	KeIntSteerGetSteeringMode(x,x,x,x,x)
		test	eax, eax
		jmp	loc_8B33C1
; END OF FUNCTION CHUNK	FOR ExpQueryInterruptSteeringInformation

;  S U B	R O U T	I N E 


sub_937362	proc near		; DATA XREF: .text:006A75ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_937362	endp


;  S U B	R O U T	I N E 


sub_937372	proc near		; DATA XREF: .text:006A75B0o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-28h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_8B33CC
sub_937372	endp

; 

loc_937384:				; DATA XREF: .text:006A7594o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-2Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_937394:				; DATA XREF: .text:006A7598o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-2Ch]
		jmp	loc_8B33CE
; 
; START	OF FUNCTION CHUNK FOR NtCreateKeyTransacted

loc_9373A6:				; CODE XREF: NtCreateKeyTransacted+25j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, bl
		jnz	loc_8B340B
		mov	edi, 0C0000189h
		jmp	loc_8B34BC
; 

loc_9373C4:				; CODE XREF: NtCreateKeyTransacted+63j
		test	edi, edi
		js	loc_8B3497
		or	esi, 1
		jmp	loc_8B3478
; END OF FUNCTION CHUNK	FOR NtCreateKeyTransacted
; 
; START	OF FUNCTION CHUNK FOR PnpMergeFilteredResourceRequirementsList

loc_9373D4:				; CODE XREF: PnpMergeFilteredResourceRequirementsList+16j
					; PnpMergeFilteredResourceRequirementsList+1Fj
		test	edi, edi
		jz	loc_8B354A
		cmp	[edi+1Ch], ecx
		jz	loc_8B354A
		jmp	loc_8B34E9
; 

loc_9373EA:				; CODE XREF: PnpMergeFilteredResourceRequirementsList+91j
					; PnpMergeFilteredResourceRequirementsList+98j
		test	ebx, ebx
		jz	loc_8B34FB
		push	75737050h
		push	dword ptr [ebx]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_8B3561
		push	dword ptr [ebx]	; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[eax], esi
		jmp	loc_8B354A
; END OF FUNCTION CHUNK	FOR PnpMergeFilteredResourceRequirementsList
; 
; START	OF FUNCTION CHUNK FOR ExpGetSystemPlatformBinary

loc_937420:				; CODE XREF: ExpGetSystemPlatformBinary+3Ej
		mov	ebx, 0C000000Dh
		mov	esi, offset _ExpPlatformBinaryLock
		jmp	loc_8B36E8
; 

loc_93742F:				; CODE XREF: ExpGetSystemPlatformBinary+8Dj
		mov	ebx, 0C00000BBh
		jmp	loc_8B36EB
; 

loc_937439:				; CODE XREF: ExpGetSystemPlatformBinary+FDj
		push	54425057h
		mov	ebx, [ebp+var_40]
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_3C], edi
		test	edi, edi
		jnz	short loc_93745F
		mov	ebx, 0C000009Ah
		jmp	loc_8B36E8
; 

loc_93745F:				; CODE XREF: ExpGetSystemPlatformBinary+83E7Fj
		mov	dword ptr [edi], 41435049h
		mov	dword ptr [edi+4], 1
		mov	dword ptr [edi+8], 54425057h
		lea	eax, [ebx-10h]
		mov	[edi+0Ch], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	ebx
		xor	dl, dl
		mov	ecx, edi
		call	ExpGetSystemFirmwareTableInformation
		mov	ebx, eax
		test	ebx, ebx
		js	loc_8B36E8
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, ds:_ExpPlatformBinaryTableInformation
		test	ecx, ecx
		jnz	short loc_9374FF
		mov	ds:_ExpPlatformBinaryTableInformation, edi
		xor	edi, edi
		mov	[ebp+var_3C], edi

loc_9374BD:				; CODE XREF: ExpGetSystemPlatformBinary+83F30j
		push	11h
		pop	ecx
		xor	eax, eax
		inc	eax
		lock cmpxchg [esi], ecx

loc_9374C7:				; CODE XREF: ExpGetSystemPlatformBinary+95j
		test	byte ptr [ebp+var_38], 1
		jz	short loc_937534
		mov	ebx, 0C000000Dh

loc_9374D2:				; CODE XREF: ExpGetSystemPlatformBinary+119j
					; ExpGetSystemPlatformBinary+83FDCj ...
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_9374E7
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9374E7:				; CODE XREF: ExpGetSystemPlatformBinary+83F0Aj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_8B36F3
; 

loc_9374FF:				; CODE XREF: ExpGetSystemPlatformBinary+83EDCj
		or	eax, 0FFFFFFFFh
		cmp	ecx, eax
		jnz	short loc_9374BD
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_937517
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_937517:				; CODE XREF: ExpGetSystemPlatformBinary+83F3Aj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ebx, 0C00000BBh
		jmp	loc_8B36E8
; 

loc_937534:				; CODE XREF: ExpGetSystemPlatformBinary+83EF7j
		mov	ebx, ds:_ExpPlatformBinaryTableInformation
		mov	[ebp+var_64], ebx
		cmp	byte ptr [ebx+40h], 1
		jnz	loc_9376AF
		cmp	byte ptr [ebx+41h], 1
		jnz	loc_9376AF
		movzx	ecx, word ptr [ebx+42h]
		test	cl, 1
		jnz	loc_9376AF
		mov	eax, [ebx+38h]
		mov	[ebp+var_5C], eax
		mov	edx, [ebx+3Ch]
		mov	[ebp+var_40], edx
		or	eax, edx
		jz	loc_9376AF
		mov	eax, [ebx+28h]
		sub	eax, 1
		jnz	loc_9376AF
		mov	edx, [ebx+34h]
		cmp	edx, [ebp+var_44]
		ja	loc_93765D
		cmp	ecx, [ebp+var_38]
		ja	loc_93765D
		mov	[ebp+var_58], edx
		push	2
		push	edx
		push	[ebp+var_40]
		push	[ebp+var_5C]
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		mov	[ebp+var_50], eax
		test	eax, eax
		jnz	short loc_9375B5
		mov	ebx, 0C000009Ah
		jmp	loc_9374D2
; 

loc_9375B5:				; CODE XREF: ExpGetSystemPlatformBinary+83FD5j
		mov	[ebp+ms_exc.disabled], 2
		mov	eax, [ebx+38h]
		mov	ecx, [ebp+var_54]
		mov	[ecx], eax
		mov	eax, [ebx+3Ch]
		mov	[ecx+4], eax
		cmp	[ebp+arg_0], 0
		jz	short loc_9375DD
		push	4
		push	[ebp+var_44]
		push	[ebp+var_48]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_9375DD:				; CODE XREF: ExpGetSystemPlatformBinary+83FFAj
		push	dword ptr [ebx+34h] ; size_t
		push	[ebp+var_50]	; void *
		push	[ebp+var_48]	; void *
		call	_memcpy
		add	esp, 0Ch
		movzx	eax, word ptr [ebx+42h]
		test	ax, ax
		jz	short loc_937621
		cmp	[ebp+arg_0], 0
		jz	short loc_93760E
		push	2
		push	[ebp+var_38]
		push	[ebp+var_4C]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		movzx	eax, word ptr [ebx+42h]

loc_93760E:				; CODE XREF: ExpGetSystemPlatformBinary+84027j
		movzx	eax, ax
		push	eax		; size_t
		lea	eax, [ebx+44h]
		push	eax		; void *
		push	[ebp+var_4C]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_937621:				; CODE XREF: ExpGetSystemPlatformBinary+84021j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	al, 1
		jmp	loc_8B36EB
; END OF FUNCTION CHUNK	FOR ExpGetSystemPlatformBinary

;  S U B	R O U T	I N E 


sub_937631	proc near		; DATA XREF: .text:006A75E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-60h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_937631	endp


;  S U B	R O U T	I N E 


sub_937641	proc near		; DATA XREF: .text:006A75E8o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-60h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	al, 1
		mov	esi, offset _ExpPlatformBinaryLock
		mov	edi, [ebp-3Ch]
		jmp	loc_8B36EB
sub_937641	endp

; 
; START	OF FUNCTION CHUNK FOR ExpGetSystemPlatformBinary

loc_93765D:				; CODE XREF: ExpGetSystemPlatformBinary+83FB0j
					; ExpGetSystemPlatformBinary+83FB9j
		mov	ebx, 0C0000023h
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_54]
		mov	[ecx+10h], edx
		mov	eax, [ebp+var_64]
		movzx	eax, word ptr [eax+42h]
		mov	[ecx+14h], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_9374D2
; END OF FUNCTION CHUNK	FOR ExpGetSystemPlatformBinary

;  S U B	R O U T	I N E 


sub_937685	proc near		; DATA XREF: .text:006A75D8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-68h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_937685	endp


;  S U B	R O U T	I N E 


sub_937695	proc near		; DATA XREF: .text:006A75DCo
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-68h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, offset _ExpPlatformBinaryLock
		mov	edi, [ebp-3Ch]
		jmp	loc_9374D2
sub_937695	endp

; 
; START	OF FUNCTION CHUNK FOR ExpGetSystemPlatformBinary

loc_9376AF:				; CODE XREF: ExpGetSystemPlatformBinary+83F6Dj
					; ExpGetSystemPlatformBinary+83F77j ...
		mov	ebx, 0C000007Bh
		jmp	loc_9374D2
; END OF FUNCTION CHUNK	FOR ExpGetSystemPlatformBinary

;  S U B	R O U T	I N E 


sub_9376B9	proc near		; DATA XREF: .text:006A75CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-6Ch], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_9376B9	endp


;  S U B	R O U T	I N E 


sub_9376C9	proc near		; DATA XREF: .text:006A75D0o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-6Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	esi, offset _ExpPlatformBinaryLock
		mov	edi, [ebp-3Ch]
		mov	al, [ebp-32h]
		jmp	loc_8B36EB
sub_9376C9	endp

; 
; START	OF FUNCTION CHUNK FOR ExpGetSystemPlatformBinary

loc_9376E6:				; CODE XREF: ExpGetSystemPlatformBinary+124j
		push	[ebp+var_58]
		push	eax
		call	MmUnmapIoSpace
		jmp	loc_8B36FE
; 

loc_9376F4:				; CODE XREF: ExpGetSystemPlatformBinary+12Cj
		push	54425057h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B3706
; END OF FUNCTION CHUNK	FOR ExpGetSystemPlatformBinary
; 
; START	OF FUNCTION CHUNK FOR ExGetSystemFirmwareTable

loc_937704:				; CODE XREF: ExGetSystemFirmwareTable+18j
		mov	eax, 0C000000Dh
		jmp	loc_8B37C9
; 

loc_93770E:				; CODE XREF: ExGetSystemFirmwareTable+33j
		mov	edi, 0C000009Ah
		jmp	loc_8B37C6
; END OF FUNCTION CHUNK	FOR ExGetSystemFirmwareTable
; 
; START	OF FUNCTION CHUNK FOR KitpReadUlongFromKey

loc_937718:				; CODE XREF: KitpReadUlongFromKey+41j
		cmp	[ebp+var_14], 4
		jnz	short loc_937730
		cmp	[ebp+var_10], 4
		jnz	short loc_937730
		mov	eax, [ebp+var_C]
		mov	[esi], eax
		xor	eax, eax
		jmp	loc_8B38CB
; 

loc_937730:				; CODE XREF: KitpReadUlongFromKey+83E98j
					; KitpReadUlongFromKey+83E9Ej
		mov	eax, 0C0000024h
		jmp	loc_8B38CB
; END OF FUNCTION CHUNK	FOR KitpReadUlongFromKey
; 
; START	OF FUNCTION CHUNK FOR EtwpUpdateSchematizedFilterData

loc_93773A:				; CODE XREF: EtwpUpdateSchematizedFilterData+14j
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+8]
		cmp	eax, 18h
		jnb	short loc_93774F
		mov	esi, 0C000000Dh
		jmp	loc_8B39CB
; 

loc_93774F:				; CODE XREF: EtwpUpdateSchematizedFilterData+83D99j
		push	46777445h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_93776C
		mov	esi, 0C0000017h
		jmp	loc_8B39CB
; 

loc_93776C:				; CODE XREF: EtwpUpdateSchematizedFilterData+83DB6j
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+8] ; size_t
		push	dword ptr [eax]	; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		mov	eax, [eax+8]
		mov	[edi+10h], eax
		xor	eax, eax
		inc	eax
		mov	[edi+14h], esi
		call	__allshl
		mov	[edi+8], eax
		mov	[edi+0Ch], edx
		mov	eax, [ebx+2Ch]

loc_93779F:				; CODE XREF: EtwpUpdateSchematizedFilterData+2Cj
		mov	[ebx+2Ch], edi
		test	eax, eax
		jz	loc_8B39CB
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B39CB
; END OF FUNCTION CHUNK	FOR EtwpUpdateSchematizedFilterData
; 
; START	OF FUNCTION CHUNK FOR PopExecutionRequiredSettingCallback

loc_9377B6:				; CODE XREF: PopExecutionRequiredSettingCallback+7Cj
		cmp	ds:_PopPowerRequestActiveAudioEnablesExecutionRequired,	0
		jz	short loc_9377CB
		cmp	byte_6C3862, bl
		jnz	loc_8B3A5E

loc_9377CB:				; CODE XREF: PopExecutionRequiredSettingCallback+83DE1j
		cmp	byte_6C3861, bl
		jnz	loc_8B3A5E
		call	KeQueryInterruptTime
		mov	esi, eax
		mov	ecx, edx
		sub	esi, dword_6C3868
		mov	edx, 989680h
		mov	eax, ds:_PopExecutionRequiredTimeout
		sbb	ecx, dword_6C386C
		mul	edx
		cmp	ecx, edx
		ja	loc_8B3A60
		jb	loc_8B3A5E
		cmp	esi, eax
		jnb	loc_8B3A60
		jmp	loc_8B3A5E
; END OF FUNCTION CHUNK	FOR PopExecutionRequiredSettingCallback
; 
; START	OF FUNCTION CHUNK FOR PopEnableExecutionRequiredPowerRequests

loc_937813:				; CODE XREF: PopEnableExecutionRequiredPowerRequests+1Fj
		mov	ecx, esi
		call	_PopPowerRequestIsExecutionRequiredStatusHeld@4	; PopPowerRequestIsExecutionRequiredStatusHeld(x)
		test	al, al
		jz	loc_8B3AC7
		mov	dl, bl
		call	_PopUpdatePowerRequestProcessWakeCounter@8 ; PopUpdatePowerRequestProcessWakeCounter(x,x)
		jmp	loc_8B3AC7
; END OF FUNCTION CHUNK	FOR PopEnableExecutionRequiredPowerRequests
; 
; START	OF FUNCTION CHUNK FOR PopSetExecutionRequiredTimer

loc_93782E:				; CODE XREF: PopSetExecutionRequiredTimer+7j
		cmp	ds:_PopExecutionRequiredTimeout, 0
		jz	locret_8B3ADD
		push	esi
		push	edi
		call	KeQueryInterruptTime
		mov	esi, eax
		mov	edi, edx
		mov	eax, ds:_PopExecutionRequiredTimeout
		mov	ecx, 989680h
		mul	ecx
		sub	esi, dword_6C3868
		sbb	edi, dword_6C386C
		cmp	edi, edx
		jb	short loc_93786C
		ja	short loc_937868
		cmp	esi, eax
		jb	short loc_93786C

loc_937868:				; CODE XREF: PopSetExecutionRequiredTimer+83D92j
		xor	edx, edx
		jmp	short loc_937872
; 

loc_93786C:				; CODE XREF: PopSetExecutionRequiredTimer+83D90j
					; PopSetExecutionRequiredTimer+83D96j
		mov	ecx, eax
		sub	ecx, esi
		sbb	edx, edi

loc_937872:				; CODE XREF: PopSetExecutionRequiredTimer+83D9Aj
		neg	ecx
		adc	edx, 0
		neg	edx
		push	edx
		push	ecx
		push	offset _PopExecutionRequiredTimeoutDpc
		push	0
		xor	edx, edx
		mov	ecx, offset _PopExecutionRequiredTimer
		call	KiSetTimerEx
		pop	edi
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR PopSetExecutionRequiredTimer
; 
; START	OF FUNCTION CHUNK FOR MmInitializeHandBuiltProcess2

loc_937891:				; CODE XREF: MmInitializeHandBuiltProcess2+85j
		test	eax, 10000000h
		jnz	loc_8B3DCD
		mov	ecx, ebx
		call	_MiInitializeLockedPagesTracking@4 ; MiInitializeLockedPagesTracking(x)
		jmp	loc_8B3DCD
; END OF FUNCTION CHUNK	FOR MmInitializeHandBuiltProcess2
; 
; START	OF FUNCTION CHUNK FOR ExIsMultiSessionSku

loc_9378A8:				; CODE XREF: ExIsMultiSessionSku+41j
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		push	ebx
		call	PsQueryCurrentApiSetSchema
		lea	edx, [ebp+var_10]
		mov	ecx, eax
		call	ApiSetResolveToHost
		mov	edx, eax
		test	edx, edx
		js	loc_8B3F36
		mov	cl, byte ptr [ebp+var_1]
		test	cl, cl
		jz	short loc_9378DE
		xor	eax, eax
		sub	ax, word ptr [ebp+var_18]
		neg	ax
		sbb	al, al
		and	cl, al

loc_9378DE:				; CODE XREF: ExIsMultiSessionSku+839E3j
		mov	[esi], cl
		jmp	loc_8B3F36
; END OF FUNCTION CHUNK	FOR ExIsMultiSessionSku
; 
; START	OF FUNCTION CHUNK FOR _RegRtlQueryKeyPathName

loc_9378E5:				; CODE XREF: _RegRtlQueryKeyPathName+2Ej
		lea	edx, [ebp+var_8]
		call	_RegRtlOpenPredefinedKey
		mov	esi, eax
		test	esi, esi
		js	loc_8B40A6
		jmp	loc_8B402C
; 

loc_9378FC:				; CODE XREF: _RegRtlQueryKeyPathName+8394Dj
		mov	ecx, [ebp+arg_0]
		shr	eax, 1
		mov	[ecx], eax

loc_937903:				; CODE XREF: _RegRtlQueryKeyPathName+8Ej
		mov	esi, 0C0000023h
		jmp	loc_8B40A6
; 

loc_93790D:				; CODE XREF: _RegRtlQueryKeyPathName+77j
		cmp	esi, 0C0000004h
		jz	short loc_937927
		test	esi, esi
		js	loc_8B40A6
		mov	esi, 0C00000E5h
		jmp	loc_8B40A6
; 

loc_937927:				; CODE XREF: _RegRtlQueryKeyPathName+8391Bj
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_14]
		push	eax
		push	8
		pop	edx
		call	_RtlULongPtrSub@12 ; RtlULongPtrSub(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8B40A6
		mov	eax, [ebp+var_14]
		cmp	ebx, eax
		jb	short loc_9378FC
		push	4C474552h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_937966
		mov	esi, 0C0000017h
		jmp	loc_8B40A6
; 

loc_937966:				; CODE XREF: _RegRtlQueryKeyPathName+83962j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_937970
		mov	eax, [ebp+var_18]

loc_937970:				; CODE XREF: _RegRtlQueryKeyPathName+83973j
		lea	ecx, [ebp+var_4]
		push	ecx
		push	[ebp+var_4]
		push	edi
		push	1
		push	eax
		call	_ZwQueryObject@20 ; ZwQueryObject(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9379C7
		jz	short loc_93798F
		mov	esi, 0C00000E5h
		jmp	short loc_9379C7
; 

loc_93798F:				; CODE XREF: _RegRtlQueryKeyPathName+8398Ej
		movzx	edx, word ptr [edi]
		mov	ebx, [ebp+arg_0]
		lea	eax, [edx+2]
		mov	ecx, eax
		shr	ecx, 1
		mov	[ebp+var_18], ecx
		mov	[ebx], ecx
		cmp	[ebp+var_C], eax
		jb	short loc_9379C2
		mov	ebx, [ebp+var_1C]
		push	edx		; size_t
		push	dword ptr [edi+4] ; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [ebp+var_18]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[ebx+eax*2-2], cx
		jmp	short loc_9379C7
; 

loc_9379C2:				; CODE XREF: _RegRtlQueryKeyPathName+839ACj
		mov	esi, 0C0000023h

loc_9379C7:				; CODE XREF: _RegRtlQueryKeyPathName+8398Cj
					; _RegRtlQueryKeyPathName+83995j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B40A6	; char
; END OF FUNCTION CHUNK	FOR _RegRtlQueryKeyPathName
; 
; START	OF FUNCTION CHUNK FOR KsepSdbBootInitialize

loc_9379D4:				; CODE XREF: KsepSdbBootInitialize+17j
		xor	eax, eax
		mov	esi, 0C000009Ah
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		mov	edi, offset ??_C@_0DP@NPGLAOMH@KSE?3?5Failed?5to?5allocate?5memory?5@NNGAKEGL@
		test	_KsepDebugFlag,	2
		push	9
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 0A4h
		mov	dword_6C7024[eax*8], esi
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_937A1F
		push	edi		; char *
		push	0		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_937A1F:				; CODE XREF: KsepSdbBootInitialize+8394Dj
		push	edi		; char *
		push	0		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx
		jmp	loc_8B4114
; 

loc_937A2E:				; CODE XREF: KsepSdbBootInitialize+33j
		xor	eax, eax
		mov	esi, 0C0000001h
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		mov	ebx, offset ??_C@_0DC@IMHFKBEN@KSE?3?5SdbInitDatabaseInMemory?5fa@NNGAKEGL@
		test	_KsepDebugFlag,	2
		push	9
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 0B4h
		mov	dword_6C7024[eax*8], esi
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_937A79
		push	ebx		; char *
		push	1		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_937A79:				; CODE XREF: KsepSdbBootInitialize+839A7j
		push	ebx		; char *
		push	1		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx
		mov	ecx, edi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		jmp	loc_8B4114
; END OF FUNCTION CHUNK	FOR KsepSdbBootInitialize
; 

loc_937A8F:				; CODE XREF: PAGE:008B4178j
		lea	ecx, [esi+1Ch]
		call	_WheapGenerateETWEvents@4 ; WheapGenerateETWEvents(x)
		mov	ecx, esi
		call	_WheapFreeErrorRecord@4	; WheapFreeErrorRecord(x)
		jmp	loc_8B4142
; 

loc_937AA3:				; CODE XREF: PAGE:008B41B9j
		lea	eax, [esi+8]
		push	eax
		call	WheaLogInternalEvent
		jmp	loc_8B4183
; 
; START	OF FUNCTION CHUNK FOR _CmGetMatchingDeviceInterfaceList

loc_937AB1:				; CODE XREF: _CmGetMatchingDeviceInterfaceList+6Dj
		cmp	eax, edi
		jz	short loc_937ABE
		test	eax, eax
		jnz	short loc_937AF1
		jmp	loc_8B42B5
; 

loc_937ABE:				; CODE XREF: _CmGetMatchingDeviceInterfaceList+83873j
					; _CmGetMatchingDeviceInterfaceList+838A7j
		mov	esi, [ebp+var_30]
		jmp	loc_8B42D9
; 

loc_937AC6:				; CODE XREF: _CmGetMatchingDeviceInterfaceList+93j
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	4
		push	3
		push	0
		push	[ebp+var_34]
		call	ebx ; ??_C@_0DC@IMHFKBEN@KSE?3?5SdbInitDatabaseInMemory?5fa@NNGAKEGL@
		cmp	eax, 0C0000002h
		jz	loc_8B42D9
		cmp	eax, edi
		jz	short loc_937ABE
		test	eax, eax
		jz	loc_8B42D9

loc_937AF1:				; CODE XREF: _CmGetMatchingDeviceInterfaceList+83877j
		mov	esi, 0C00000E5h
		jmp	loc_8B42D9
; END OF FUNCTION CHUNK	FOR _CmGetMatchingDeviceInterfaceList
; 
; START	OF FUNCTION CHUNK FOR PnpDriverLoadingFailed

loc_937AFB:				; CODE XREF: PnpDriverLoadingFailed+3Bj
		push	esi
		lea	ecx, [ebp+var_38]
		mov	edx, 20019h
		push	ecx
		lea	ecx, [ebp+var_44]
		push	ecx
		mov	ecx, eax
		call	PipOpenServiceEnumKeys
		mov	edi, [ebp+var_44]
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_50], edi
		jmp	loc_8B4386
; 

loc_937B1E:				; CODE XREF: PnpDriverLoadingFailed+68j
		push	20h
		pop	eax
		push	1Eh
		mov	word ptr [ebp+var_34+2], ax
		pop	eax
		push	4
		mov	word ptr [ebp+var_34], ax
		lea	eax, [ebp+var_5C]
		push	eax
		push	4
		push	esi
		lea	eax, [ebp+var_34]
		mov	[ebp+var_30], offset ??_C@_1CA@KLKNBMIL@?$AAI?$AAN?$AAI?$AAT?$AAS?$AAT?$AAA?$AAR?$AAT?$AAF?$AAA?$AAI?$AAL?$AAE?$AAD@NNGAKEGL@
		push	eax
		push	[ebp+var_38]
		mov	[ebp+var_5C], ebx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	ecx, [ebp+var_38]
		lea	eax, [ebp+var_40]
		push	eax
		push	esi
		mov	edx, offset ??_C@_1M@NBCIMFHI@?$AAC?$AAo?$AAu?$AAn?$AAt@NNGAKEGL@ ; "C"
		call	IopGetRegistryValue
		mov	ebx, eax
		mov	[ebp+var_44], esi
		test	ebx, ebx
		js	loc_937E14
		mov	ecx, [ebp+var_40]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_937B82
		cmp	dword ptr [ecx+0Ch], 4
		jb	short loc_937B82
		mov	eax, [ecx+8]
		mov	esi, [ecx+eax]
		mov	[ebp+var_44], esi

loc_937B82:				; CODE XREF: PnpDriverLoadingFailed+83851j
					; PnpDriverLoadingFailed+83857j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	loc_937E14
		xor	eax, eax
		mov	[ebp+var_48], esi
		mov	[ebp+var_3C], eax
		test	esi, esi
		jz	loc_937DF9

loc_937BA2:				; CODE XREF: PnpDriverLoadingFailed+83957j
		mov	edx, [ebp+var_60]
		push	ecx
		push	ecx
		lea	ecx, [ebp+var_58]
		push	ecx
		push	eax
		mov	ecx, edi
		call	_PipServiceInstanceToDeviceInstance@24 ; PipServiceInstanceToDeviceInstance(x,x,x,x,x,x)
		test	eax, eax
		js	loc_937C6E
		mov	edx, 746C6644h
		lea	ecx, [ebp+var_58]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_937BEC
		mov	ecx, [ebx+0B0h]
		mov	ecx, [ecx+14h]
		test	ecx, ecx
		jz	short loc_937BEC
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		test	eax, eax
		jnz	short loc_937BEC
		xor	edx, edx
		inc	edx
		call	_IopReleaseDeviceResources@8 ; IopReleaseDeviceResources(x,x)

loc_937BEC:				; CODE XREF: PnpDriverLoadingFailed+838ACj
					; PnpDriverLoadingFailed+838B9j ...
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceSharedLite
		test	ebx, ebx
		jz	short loc_937C55
		mov	eax, [ebx+0B0h]
		mov	esi, [eax+14h]
		test	esi, esi
		jz	short loc_937C4B
		test	byte ptr [esi+10Ch], 1
		jz	short loc_937C4B
		mov	eax, [esi+0ACh]
		cmp	eax, 308h
		jz	short loc_937C2B
		cmp	eax, 307h
		jnz	short loc_937C4B

loc_937C2B:				; CODE XREF: PnpDriverLoadingFailed+83902j
		mov	ecx, esi
		call	_PoFxAbandonDevice@4 ; PoFxAbandonDevice(x)
		push	ecx
		mov	edx, 312h
		mov	ecx, esi
		call	PipSetDevNodeState
		push	0
		push	18h
		pop	edx
		mov	ecx, esi
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)

loc_937C4B:				; CODE XREF: PnpDriverLoadingFailed+838ECj
					; PnpDriverLoadingFailed+838F5j ...
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	esi, [ebp+var_44]

loc_937C55:				; CODE XREF: PnpDriverLoadingFailed+838DFj
		push	0
		push	[ebp+var_54]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_937C6E:				; CODE XREF: PnpDriverLoadingFailed+83895j
		mov	eax, [ebp+var_3C]
		inc	eax
		mov	[ebp+var_3C], eax
		cmp	eax, esi
		jb	loc_937BA2
		cmp	[ebp+var_48], esi
		jz	loc_937DF9
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceSharedLite
		cmp	[ebp+var_48], 0
		jz	loc_937D95
		xor	edi, edi
		xor	ebx, ebx

loc_937CA5:				; CODE XREF: PnpDriverLoadingFailed+83A6Cj
		push	ebx		; char
		push	offset ??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@	; wchar_t *
		push	0		; int
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_3C]
		push	0		; int
		push	eax		; int
		lea	eax, [ebp+var_2C]
		push	0Ah		; int
		push	eax		; void *
		call	RtlStringCchPrintfExW
		mov	eax, [ebp+var_3C]
		lea	ecx, [ebp+var_2C]
		add	esp, 1Ch
		sub	eax, ecx
		sar	eax, 1
		push	14h
		pop	ecx
		mov	word ptr [ebp+var_34+2], cx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_937CE3
		mov	word ptr [ebp+var_34], cx
		jmp	short loc_937CE9
; 

loc_937CE3:				; CODE XREF: PnpDriverLoadingFailed+839BBj
		add	eax, eax
		mov	word ptr [ebp+var_34], ax

loc_937CE9:				; CODE XREF: PnpDriverLoadingFailed+839C1j
		mov	ecx, [ebp+var_38]
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_30], eax
		lea	edx, [ebp+var_2C]
		lea	eax, [ebp+var_40]
		push	eax
		push	0
		call	IopGetRegistryValue
		test	eax, eax
		js	loc_937D89
		cmp	ebx, edi
		jz	short loc_937D7E
		lea	eax, [ebp+var_34]
		push	eax
		push	[ebp+var_38]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		push	edi		; char
		push	offset ??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@	; wchar_t *
		push	0		; int
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_3C]
		push	0		; int
		push	eax		; int
		lea	eax, [ebp+var_2C]
		push	0Ah		; int
		push	eax		; void *
		call	RtlStringCchPrintfExW
		mov	eax, [ebp+var_3C]
		lea	ecx, [ebp+var_2C]
		add	esp, 1Ch
		sub	eax, ecx
		sar	eax, 1
		push	14h
		pop	ecx
		mov	word ptr [ebp+var_34+2], cx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_937D56
		mov	word ptr [ebp+var_34], cx
		jmp	short loc_937D5C
; 

loc_937D56:				; CODE XREF: PnpDriverLoadingFailed+83A2Ej
		add	eax, eax
		mov	word ptr [ebp+var_34], ax

loc_937D5C:				; CODE XREF: PnpDriverLoadingFailed+83A34j
		mov	ecx, [ebp+var_40]
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_30], eax
		push	dword ptr [ecx+0Ch]
		mov	eax, [ecx+8]
		add	eax, ecx
		push	eax
		push	1
		push	0
		lea	eax, [ebp+var_34]
		push	eax
		push	[ebp+var_38]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_937D7E:				; CODE XREF: PnpDriverLoadingFailed+839EAj
		push	0
		push	[ebp+var_40]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		inc	edi

loc_937D89:				; CODE XREF: PnpDriverLoadingFailed+839E2j
		inc	ebx
		cmp	ebx, esi
		jb	loc_937CA5
		mov	edi, [ebp+var_50]

loc_937D95:				; CODE XREF: PnpDriverLoadingFailed+8397Bj
		push	0Ch
		pop	eax
		push	0Ah
		mov	word ptr [ebp+var_34+2], ax
		pop	eax
		push	4
		pop	ebx
		push	ebx
		mov	word ptr [ebp+var_34], ax
		lea	eax, [ebp+var_48]
		push	eax
		push	ebx
		push	0
		lea	eax, [ebp+var_34]
		mov	[ebp+var_30], offset ??_C@_1M@NBCIMFHI@?$AAC?$AAo?$AAu?$AAn?$AAt@NNGAKEGL@ ; "C"
		push	eax
		push	[ebp+var_38]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	1Ah
		pop	eax
		push	18h
		mov	word ptr [ebp+var_34+2], ax
		pop	eax
		push	ebx
		mov	word ptr [ebp+var_34], ax
		lea	eax, [ebp+var_48]
		push	eax
		push	ebx
		push	0
		lea	eax, [ebp+var_34]
		mov	[ebp+var_30], offset ??_C@_1BK@IOIONMMG@?$AAN?$AAe?$AAx?$AAt?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@NNGAKEGL@
		push	eax
		push	[ebp+var_38]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_937DF9:				; CODE XREF: PnpDriverLoadingFailed+8387Cj
					; PnpDriverLoadingFailed+83960j
		push	[ebp+var_38]
		call	_ZwClose@4	; ZwClose(x)
		cmp	[ebp+var_4C], 0
		jz	short loc_937E0D
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_937E0D:				; CODE XREF: PnpDriverLoadingFailed+83AE5j
		xor	eax, eax
		jmp	loc_8B438E
; 

loc_937E14:				; CODE XREF: PnpDriverLoadingFailed+83844j
					; PnpDriverLoadingFailed+8386Cj
		push	[ebp+var_38]
		call	_ZwClose@4	; ZwClose(x)
		cmp	[ebp+var_4C], 0
		jz	short loc_937E28
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_937E28:				; CODE XREF: PnpDriverLoadingFailed+83B00j
		mov	eax, ebx
		jmp	loc_8B438E
; END OF FUNCTION CHUNK	FOR PnpDriverLoadingFailed
; 
; START	OF FUNCTION CHUNK FOR CmFcpMapSection

loc_937E2F:				; CODE XREF: CmFcpMapSection+19j
		mov	[ebp+var_8], ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	eax
		call	_MmMapViewInSystemSpace@12 ; MmMapViewInSystemSpace(x,x,x)
		test	eax, eax
		js	loc_8B43D4
		xor	eax, eax
		mov	edi, esi
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_4]
		mov	[esi+8], eax
		mov	eax, [ebx+0Ch]
		mov	[esi+0Ch], eax
		mov	eax, [ebx]
		mov	[esi], eax
		mov	eax, [ebx+4]
		mov	[esi+4], eax
		xor	eax, eax
		jmp	loc_8B43D4
; END OF FUNCTION CHUNK	FOR CmFcpMapSection
; 
; START	OF FUNCTION CHUNK FOR ExpGetSystemFlushInformation

loc_937E6D:				; CODE XREF: ExpGetSystemFlushInformation+36j
		or	edx, 2
		jmp	loc_8B4438
; END OF FUNCTION CHUNK	FOR ExpGetSystemFlushInformation

;  S U B	R O U T	I N E 


sub_937E75	proc near		; DATA XREF: .text:006A7624o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_937E75	endp


;  S U B	R O U T	I N E 


sub_937E85	proc near		; DATA XREF: .text:006A7628o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-48h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		mov	edi, [ebp-38h]
		mov	[ebp-3Ch], edi
		jmp	loc_8B4465
sub_937E85	endp

; 
; START	OF FUNCTION CHUNK FOR ExpGetSystemFlushInformation

loc_937E9F:				; CODE XREF: ExpGetSystemFlushInformation+A8j
		push	54425057h
		push	[ebp+var_34]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_8B44AA
		mov	dword ptr [ebx], 41435049h
		mov	dword ptr [ebx+4], 1
		mov	dword ptr [ebx+8], 5449464Eh
		mov	ecx, [ebp+var_34]
		lea	eax, [ecx-10h]
		mov	[ebx+0Ch], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	ecx
		xor	dl, dl
		mov	ecx, ebx
		call	ExpGetSystemFirmwareTableInformation
		test	eax, eax
		js	short loc_937F4D
		mov	ecx, [ebx+14h]
		mov	[ebp+var_44], ecx
		mov	eax, [ebp+var_34]
		add	eax, 0FFFFFFF0h
		cmp	ecx, eax
		jb	short loc_937F4D
		lea	edx, [ecx+10h]
		lea	ecx, [ebx+38h]
		jmp	short loc_937F44
; 

loc_937EFF:				; CODE XREF: ExpGetSystemFlushInformation+83B4Fj
		movzx	edx, word ptr [ecx+2]
		lea	eax, [ecx+edx]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+var_44]
		add	eax, 10h
		add	eax, ebx
		cmp	[ebp+var_40], eax
		mov	edi, [ebp+var_3C]
		ja	short loc_937F4D
		test	dx, dx
		jz	short loc_937F4D
		cmp	word ptr [ecx],	7
		jnz	short loc_937F38
		cmp	edx, 10h
		jb	short loc_937F38
		test	byte ptr [ecx+8], 1
		jz	short loc_937F4D
		mov	[ebp+var_38], 1
		jmp	short loc_937F4D
; 

loc_937F38:				; CODE XREF: ExpGetSystemFlushInformation+83B26j
					; ExpGetSystemFlushInformation+83B2Bj
		mov	ecx, [ebp+var_40]
		mov	edx, [ebp+var_44]
		add	edx, 10h
		mov	edi, [ebp+var_3C]

loc_937F44:				; CODE XREF: ExpGetSystemFlushInformation+83B01j
		add	edx, ebx
		lea	eax, [ecx+4]
		cmp	eax, edx
		jbe	short loc_937EFF

loc_937F4D:				; CODE XREF: ExpGetSystemFlushInformation+83AE9j
					; ExpGetSystemFlushInformation+83AF9j ...
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B44AA
; END OF FUNCTION CHUNK	FOR ExpGetSystemFlushInformation
; 
; START	OF FUNCTION CHUNK FOR EtwTraceLeapSecondDataUpdate

loc_937F59:				; CODE XREF: EtwTraceLeapSecondDataUpdate+45j
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_AC], edi
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B4]
		push	4
		pop	edi
		mov	[ebp+var_68], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	6
		push	ebx
		push	ebx
		push	offset loc_422F6D
		push	offset dword_6B2A40
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], edi
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_B0], esi
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], edi
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_8B4534
; END OF FUNCTION CHUNK	FOR EtwTraceLeapSecondDataUpdate
; 
; START	OF FUNCTION CHUNK FOR EtwpLoadMicroarchitecturalPmcs

loc_937FE7:				; CODE XREF: EtwpLoadMicroarchitecturalPmcs+FEj
					; EtwpLoadMicroarchitecturalPmcs+83B3Aj
		lea	eax, [ebp+var_24C]
		inc	ebx
		push	eax
		push	216h
		lea	eax, [ebp+var_220]
		push	eax
		push	esi
		push	ebx
		push	[ebp+var_228]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9380CF
		mov	eax, [ebp+var_214]
		cmp	eax, 1FEh
		jnb	loc_9380CF
		shr	eax, 1
		xor	ecx, ecx
		mov	word ptr [ebp+eax*2+var_210], cx
		lea	eax, [ebp+var_210]
		push	eax
		push	offset ??_C@_1IK@FCPDDGMM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; char
		push	offset ??_C@_1BA@NPEHGALP@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	[ebp+var_250]	; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		test	eax, eax
		js	loc_9380E1
		push	edi
		lea	eax, [ebp+var_230]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		and	[ebp+var_244], 0
		lea	eax, [ebp+var_230]
		and	[ebp+var_238], 0
		and	[ebp+var_234], 0
		mov	[ebp+var_240], eax
		lea	eax, [ebp+var_248]
		push	eax
		push	20019h
		lea	eax, [ebp+var_224]
		mov	[ebp+var_248], 18h
		push	eax
		mov	[ebp+var_23C], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_9380E1
		mov	ecx, [ebp+var_224]
		mov	edx, edi
		call	_EtwpLoadMicroarchitecturalProfileGroup@8 ; EtwpLoadMicroarchitecturalProfileGroup(x,x)
		push	[ebp+var_224]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_9380E1
; 

loc_9380CF:				; CODE XREF: EtwpLoadMicroarchitecturalPmcs+83A60j
					; EtwpLoadMicroarchitecturalPmcs+83A71j
		cmp	esi, 0C0000023h
		jz	short loc_9380DF
		cmp	esi, 80000005h
		jnz	short loc_9380E1

loc_9380DF:				; CODE XREF: EtwpLoadMicroarchitecturalPmcs+83B29j
		xor	esi, esi

loc_9380E1:				; CODE XREF: EtwpLoadMicroarchitecturalPmcs+83AA5j
					; EtwpLoadMicroarchitecturalPmcs+83B07j ...
		push	0
		test	esi, esi
		pop	esi
		jns	loc_937FE7
		push	[ebp+var_228]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8B468D
; END OF FUNCTION CHUNK	FOR EtwpLoadMicroarchitecturalPmcs
; 
; START	OF FUNCTION CHUNK FOR EtwpCoverageProvEnableCallback

loc_9380FC:				; CODE XREF: EtwpCoverageProvEnableCallback+23j
		cmp	_EtwpCoverageCoreTracingEnabled, 0
		jnz	loc_8B46DB
		mov	eax, dword_6B3760
		cmp	eax, ds:0FFDF037Ch
		jnb	loc_8B46DB
		cmp	dword_6B375C, 0
		jnz	short loc_938136
		mov	ecx, off_6B3758
		lea	edx, [ebp+var_4]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B375C, eax

loc_938136:				; CODE XREF: EtwpCoverageProvEnableCallback+83A71j
		push	offset off_6B3758
		call	_EtwTelemetryCoverageReport@4 ;	EtwTelemetryCoverageReport(x)
		jmp	loc_8B46DB
; 

loc_938145:				; CODE XREF: EtwpCoverageProvEnableCallback+5Aj
		movzx	eax, bl
		cmp	_EtwpCoverageCoreTracingEnabled, eax
		jz	loc_8B4710
		test	bl, bl
		jz	short loc_938171
		mov	dword ptr ds:0FFDF037Ch, 0FFFFFF00h
		mov	eax, [ecx+8]
		xor	ecx, ecx
		inc	ecx
		or	[eax+2], cx
		jmp	loc_8B4710
; 

loc_938171:				; CODE XREF: EtwpCoverageProvEnableCallback+83AA6j
		mov	eax, [ecx+8]
		mov	eax, [eax+18h]
		mov	ds:0FFDF037Ch, eax
		mov	eax, [ecx+8]
		mov	ecx, 0FFFEh
		and	[eax+2], cx
		jmp	loc_8B4710
; 

loc_93818D:				; CODE XREF: EtwpCoverageProvEnableCallback+78j
		test	al, 4
		jnz	loc_8B472E
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8B472E
; END OF FUNCTION CHUNK	FOR EtwpCoverageProvEnableCallback
; 
; START	OF FUNCTION CHUNK FOR PipUpdateSetupInProgress

loc_9381A1:				; CODE XREF: PipUpdateSetupInProgress+89j
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		mov	edx, offset ??_C@_1CG@NMIHHCCE@?$AAP?$AAn?$AAp?$AAS?$AAe?$AAt?$AAu?$AAp?$AAI?$AAn?$AAP?$AAr?$AAo?$AAg?$AAr@NNGAKEGL@
		call	IopGetRegistryValue
		test	eax, eax
		js	loc_8B47D7
		mov	ecx, [ebp+var_4]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_9381D0
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_9381D0
		mov	eax, [ecx+8]
		mov	edi, [ecx+eax]

loc_9381D0:				; CODE XREF: PipUpdateSetupInProgress+83A7Aj
					; PipUpdateSetupInProgress+83A80j
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jz	loc_8B47D7
		jmp	loc_8B47EB
; END OF FUNCTION CHUNK	FOR PipUpdateSetupInProgress
; 
; START	OF FUNCTION CHUNK FOR PopExtendConnectionState

loc_9381E4:				; CODE XREF: PopExtendConnectionState+Cj
		lea	eax, [esi+esi]
		cmp	eax, ecx
		jbe	short loc_9381F3
		shr	esi, 2
		jmp	loc_8B4805
; 

loc_9381F3:				; CODE XREF: PopExtendConnectionState+839F9j
		lea	esi, [ecx+8]
		shr	esi, 3
		jmp	loc_8B4805
; 

loc_9381FE:				; CODE XREF: PopExtendConnectionState+3Dj
		mov	eax, _PopMaximumConnectionSessions
		shr	eax, 3
		push	eax		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	73655350h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B4833
; END OF FUNCTION CHUNK	FOR PopExtendConnectionState
; 
; START	OF FUNCTION CHUNK FOR NtSetDefaultHardErrorPort

loc_938221:				; CODE XREF: NtSetDefaultHardErrorPort+35j
		mov	eax, 0C0000061h
		jmp	loc_8B49D9
; END OF FUNCTION CHUNK	FOR NtSetDefaultHardErrorPort
; 
; START	OF FUNCTION CHUNK FOR ExpGetSystemWriteConstraintInformation

loc_93822B:				; CODE XREF: ExpGetSystemWriteConstraintInformation+75j
		test	esi, esi
		js	loc_8B4A63
		mov	[ebp+var_50], 18h
		mov	[ebp+var_4C], edi
		mov	[ebp+var_44], 240h
		mov	[ebp+var_48], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], edi
		push	edi
		push	1
		lea	eax, [ebp+var_50]
		push	eax
		push	1F0003h
		lea	eax, [ebp+var_24]
		push	eax
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8B4A63
		push	8
		lea	eax, [ebp+var_38]
		push	eax
		push	edi
		push	edi
		push	220A0Ch
		lea	eax, [ebp+var_30]
		push	eax
		push	edi
		push	edi
		push	[ebp+var_24]
		push	[ebp+var_20]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8B4A63
		mov	esi, [ebp+var_30]
		jmp	loc_8B4A63
; 

loc_93829C:				; CODE XREF: ExpGetSystemWriteConstraintInformation+80j
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8B4A6C
; 

loc_9382A9:				; CODE XREF: ExpGetSystemWriteConstraintInformation+89j
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_8B4A75
; END OF FUNCTION CHUNK	FOR ExpGetSystemWriteConstraintInformation

;  S U B	R O U T	I N E 


sub_9382B6	proc near		; DATA XREF: .text:006A7644o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_9382B6	endp


;  S U B	R O U T	I N E 


sub_9382C6	proc near		; DATA XREF: .text:006A7648o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-28h]
		jmp	loc_8B4A83
sub_9382C6	endp


;  S U B	R O U T	I N E 


sub_9382D1	proc near		; DATA XREF: .text:006A7664o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-24h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_9382D1	endp


;  S U B	R O U T	I N E 


sub_9382E1	proc near		; DATA XREF: .text:006A7668o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-24h]
		jmp	loc_8B4B21
sub_9382E1	endp


;  S U B	R O U T	I N E 


sub_9382F3	proc near		; DATA XREF: .text:006A7670o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-28h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_9382F3	endp


;  S U B	R O U T	I N E 


sub_938303	proc near		; DATA XREF: .text:006A7674o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-28h]
		jmp	loc_8B4B10
sub_938303	endp

; 
; START	OF FUNCTION CHUNK FOR NtOpenPartition

loc_93830E:				; CODE XREF: NtOpenPartition+7Dj
		push	[ebp+var_20]
		push	[ebp+var_1C]
		call	ObCloseHandle
		jmp	loc_8B4B1F
; END OF FUNCTION CHUNK	FOR NtOpenPartition
; 
; START	OF FUNCTION CHUNK FOR SeOpenObjectAuditAlarmForNonObObject

loc_93831E:				; CODE XREF: SeOpenObjectAuditAlarmForNonObObject+33j
		mov	ecx, [esi]
		mov	[esp+18h+var_A+2], ecx
		test	ecx, ecx
		jnz	short loc_93832F
		mov	eax, [esi+8]
		mov	[esp+18h+var_A+2], eax

loc_93832F:				; CODE XREF: SeOpenObjectAuditAlarmForNonObObject+837CCj
		mov	edi, [ebp+arg_10]
		movzx	eax, word ptr [edi+2]
		mov	ecx, eax
		mov	[esp+18h+var_4], ecx
		test	al, 10h
		jnz	short loc_938346
		xor	edx, edx
		xor	ecx, ecx
		jmp	short loc_93836A
; 

loc_938346:				; CODE XREF: SeOpenObjectAuditAlarmForNonObObject+837E4j
		test	cx, cx
		mov	ecx, [edi+0Ch]
		mov	edx, ecx
		jns	short loc_938359
		neg	edx
		lea	eax, [ecx+edi]
		sbb	edx, edx
		and	edx, eax

loc_938359:				; CODE XREF: SeOpenObjectAuditAlarmForNonObObject+837F4j
		cmp	word ptr [esp+18h+var_4], 0
		jge	short loc_93836A
		lea	eax, [ecx+edi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_93836A:				; CODE XREF: SeOpenObjectAuditAlarmForNonObObject+837EAj
					; SeOpenObjectAuditAlarmForNonObObject+83805j
		mov	eax, [ebp+arg_18]
		lea	ebx, [esp+0Fh]
		or	eax, [ebp+arg_1C]
		push	ebx
		lea	ebx, [esp+1Ch+var_A]
		mov	[esp+1Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_24]
		push	ebx
		push	eax
		push	[esp+28h+var_A+2]
		push	edx
		push	ecx
		call	_SeExamineSacl@28 ; SeExamineSacl(x,x,x,x,x,x,x)
		mov	edx, [esi]
		mov	[esp+18h+var_A+2], edx
		test	edx, edx
		jnz	short loc_93839F
		mov	eax, [esi+8]
		mov	[esp+18h+var_A+2], eax

loc_93839F:				; CODE XREF: SeOpenObjectAuditAlarmForNonObObject+8383Cj
		movzx	eax, word ptr [edi+2]
		mov	ecx, eax
		test	al, 10h
		jnz	short loc_9383AD
		xor	edx, edx
		jmp	short loc_9383BE
; 

loc_9383AD:				; CODE XREF: SeOpenObjectAuditAlarmForNonObObject+8384Dj
		mov	edx, [edi+0Ch]
		test	cx, cx
		jns	short loc_9383BE
		lea	eax, [edx+edi]
		neg	edx
		sbb	edx, edx
		and	edx, eax

loc_9383BE:				; CODE XREF: SeOpenObjectAuditAlarmForNonObObject+83851j
					; SeOpenObjectAuditAlarmForNonObObject+83859j
		mov	ecx, [ebp+arg_0]
		lea	eax, [esp+18h+var_A+1]
		push	eax
		lea	eax, [esp+1Ch+var_A]
		push	eax
		push	ebx
		push	[esp+24h+var_4]
		push	[esp+28h+var_A+2]
		call	_SeExamineGlobalSacl@28	; SeExamineGlobalSacl(x,x,x,x,x,x,x)
		cmp	byte ptr [esp+18h+var_A], 0
		jz	loc_8B4B93
		xor	eax, eax
		mov	edx, [ebp+arg_0]
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		mov	eax, large fs:124h
		push	2
		mov	eax, [eax+80h]
		push	dword ptr [eax+0E4h]
		lea	eax, [ebp+arg_4]
		push	ebx
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	dword ptr [esi+8]
		push	dword ptr [esi]
		push	edi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	eax
		push	77h
		pop	ecx
		call	_SepAdtOpenObjectAuditAlarm@76 ; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	eax, [ebp+arg_28]
		mov	byte ptr [eax],	1
		jmp	loc_8B4B9D
; 

loc_93842F:				; CODE XREF: SeOpenObjectAuditAlarmForNonObObject+3Dj
		test	bl, bl
		jz	loc_8B4B9D
		mov	eax, large fs:124h
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	[ebp+arg_20]
		mov	eax, [eax+80h]
		push	[ebp+arg_18]
		push	dword ptr [eax+0E4h]
		push	dword ptr [esi+8]
		push	dword ptr [esi]
		push	[ebp+arg_4]
		push	[ebp+arg_C]
		call	SepAdtPrivilegeObjectAuditAlarm
		jmp	loc_8B4B9D
; END OF FUNCTION CHUNK	FOR SeOpenObjectAuditAlarmForNonObObject
; 
; START	OF FUNCTION CHUNK FOR NtSerializeBoot

loc_93846B:				; CODE XREF: NtSerializeBoot+Dj
		mov	eax, 0C0000022h
		jmp	nullsub_10
; 

loc_938475:				; CODE XREF: NtSerializeBoot+28j
		mov	eax, 0C0000061h
		jmp	nullsub_10
; END OF FUNCTION CHUNK	FOR NtSerializeBoot
; 
; START	OF FUNCTION CHUNK FOR PopEsPowerSettingPolicyCallback

loc_93847F:				; CODE XREF: PopEsPowerSettingPolicyCallback+50j
		cmp	byte_6C2D54, bl
		jnz	loc_8B4C70
		mov	byte_6C2D54, 1
		jmp	short loc_93849A
; 

loc_938494:				; CODE XREF: PopEsPowerSettingPolicyCallback+60j
		mov	byte_6C2D54, bl

loc_93849A:				; CODE XREF: PopEsPowerSettingPolicyCallback+83888j
		mov	byte ptr [ebp+arg_4+3],	1
		jmp	loc_8B4C70
; 

loc_9384A3:				; CODE XREF: PopEsPowerSettingPolicyCallback+82j
		push	4
		pop	ecx
		call	_PopEsWorkItemSchedule@4 ; PopEsWorkItemSchedule(x)
		jmp	loc_8B4C92
; 

loc_9384B0:				; CODE XREF: PopEsPowerSettingPolicyCallback+Cj
					; PopEsPowerSettingPolicyCallback+16j
		mov	ebx, 0C000000Dh
		jmp	loc_8B4C92
; END OF FUNCTION CHUNK	FOR PopEsPowerSettingPolicyCallback
; 
; START	OF FUNCTION CHUNK FOR HvlQueryEnlightenmentInfo

loc_9384BA:				; CODE XREF: HvlQueryEnlightenmentInfo+10j
		mov	edx, 0C0000022h
		jmp	loc_8B4EEC
; 

loc_9384C4:				; CODE XREF: HvlQueryEnlightenmentInfo+19j
		mov	edx, 0C00000F0h
		jmp	loc_8B4EEC
; END OF FUNCTION CHUNK	FOR HvlQueryEnlightenmentInfo

;  S U B	R O U T	I N E 


sub_9384CE	proc near		; DATA XREF: .text:006A768Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_9384CE	endp


;  S U B	R O U T	I N E 


sub_9384DC	proc near		; DATA XREF: .text:006A7690o
		mov	esp, [ebp-18h]
		mov	edx, [ebp-1Ch]
		jmp	loc_8B4EC4
sub_9384DC	endp

; 
; START	OF FUNCTION CHUNK FOR TtmInit

loc_9384E7:				; CODE XREF: TtmInit+1Dj
		push	esi		; size_t
		lea	eax, [ebp+var_60]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	al, byte ptr [ebp+var_60+2]
		lea	edi, [ebp+var_54]
		mov	word ptr [ebp+var_60], si
		lea	ecx, [ebp+var_8]
		and	al, 0F3h
		mov	[ebp+var_58], 190h
		mov	esi, offset _TtmpQueueMapping
		or	al, 2
		mov	byte ptr [ebp+var_60+2], al
		add	esp, 4
		mov	edx, offset ??_C@_1CG@BCIHPCJG@?$AAT?$AAe?$AAr?$AAm?$AAi?$AAn?$AAa?$AAl?$AAE?$AAv?$AAe?$AAn?$AAt?$AAQ?$AAu@NNGAKEGL@
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+var_44], 1F0003h
		mov	[ebp+var_3C], 200h
		mov	[ebp+var_34], 60h
		mov	[ebp+var_2C], offset _TtmpOpenQueueHandle@24 ; TtmpOpenQueueHandle(x,x,x,x,x,x)
		mov	[ebp+var_28], offset _TtmpCloseQueueHandle@16 ;	TtmpCloseQueueHandle(x,x,x,x)
		mov	[ebp+var_24], offset _TtmpDeleteQueue@4	; TtmpDeleteQueue(x)
		call	RtlUnicodeStringInitWorker
		push	offset _TtmpQueueObjectType
		push	44h
		push	ebx
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	ObCreateObjectTypeEx
		test	eax, eax
		jns	short loc_93857C
		push	ebx
		push	ebx
		push	eax
		push	2
		jmp	short loc_938572
; END OF FUNCTION CHUNK	FOR TtmInit

;  S U B	R O U T	I N E 


sub_93856D	proc near		; CODE XREF: TtmInit+83724j
		push	ebx
		push	ebx
		push	eax
		push	1
sub_93856D	endp

; START	OF FUNCTION CHUNK FOR TtmInit

loc_938572:				; CODE XREF: TtmInit+83677j
		push	19Bh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_93857C:				; CODE XREF: TtmInit+83670j
		push	58h
		pop	esi
		jmp	loc_8B4F1D
; 

loc_938584:				; CODE XREF: TtmInit+46j
		cmp	ds:_TtmpProximityEscapeMsec, ebx
		jnz	short loc_938596
		mov	ds:_TtmpProximityEscapeMsec, 0BB8h

loc_938596:				; CODE XREF: TtmInit+83696j
		push	esi		; size_t
		lea	eax, [ebp+var_60]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	al, byte ptr [ebp+var_60+2]
		lea	edi, [ebp+var_54]
		mov	word ptr [ebp+var_60], si
		lea	ecx, [ebp+var_8]
		and	al, 0F7h
		mov	[ebp+var_58], 190h
		mov	esi, offset _TtmpTerminalMapping
		or	al, 6
		mov	byte ptr [ebp+var_60+2], al
		add	esp, 4
		mov	edx, (offset loc_8BDCCF+1)
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+var_44], 1F0003h
		mov	[ebp+var_3C], 200h
		mov	[ebp+var_34], 0C8h
		mov	[ebp+var_2C], offset _TtmpOpenTerminalHandle@24	; TtmpOpenTerminalHandle(x,x,x,x,x,x)
		mov	[ebp+var_28], offset _TtmpCloseTerminalHandle@16 ; TtmpCloseTerminalHandle(x,x,x,x)
		mov	[ebp+var_24], offset _TtmpDeleteTerminal@4 ; TtmpDeleteTerminal(x)
		call	RtlUnicodeStringInitWorker
		push	offset _TtmpTerminalObjectType
		push	ebx
		push	ebx
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	ObCreateObjectTypeEx
		test	eax, eax
		jns	loc_8B4F46
		jmp	sub_93856D
; END OF FUNCTION CHUNK	FOR TtmInit
; 
; START	OF FUNCTION CHUNK FOR PopUserPresencePredictionModeCallback

loc_93861D:				; CODE XREF: PopUserPresencePredictionModeCallback+37j
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jnz	loc_8B50D2
		push	44h		; size_t
		lea	eax, [ebp+var_44]
		mov	dword_6C2D60, ecx
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	[ebp+var_40], 3
		jmp	loc_8B50BC
; END OF FUNCTION CHUNK	FOR PopUserPresencePredictionModeCallback
; 
; START	OF FUNCTION CHUNK FOR WmipSaveGuidSecurityDescriptor

loc_938646:				; CODE XREF: WmipSaveGuidSecurityDescriptor+28j
		push	70696D57h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_8B5114
		mov	eax, 0C000009Ah
		jmp	loc_8B516F
; 

loc_938667:				; CODE XREF: WmipSaveGuidSecurityDescriptor+4Dj
		test	esi, esi
		jz	short loc_938675
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi

loc_938675:				; CODE XREF: WmipSaveGuidSecurityDescriptor+83583j
		mov	edi, [esp+18h+var_C]
		jmp	loc_8B510C
; 

loc_93867E:				; CODE XREF: WmipSaveGuidSecurityDescriptor+55j
		push	[esp+18h+var_8]
		mov	eax, [esp+1Ch+var_4]
		push	ebx
		push	3
		push	dword ptr [eax+4]
		push	esi
		push	0
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		mov	edi, eax
		jmp	loc_8B5141
; 

loc_93869B:				; CODE XREF: WmipSaveGuidSecurityDescriptor+81j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B516D
; END OF FUNCTION CHUNK	FOR WmipSaveGuidSecurityDescriptor
; 
; START	OF FUNCTION CHUNK FOR MiLoadUserSymbols

loc_9386A8:				; CODE XREF: MiLoadUserSymbols+25j
		mov	edx, ebx
		mov	ecx, edi
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		jmp	loc_8B534B
; END OF FUNCTION CHUNK	FOR MiLoadUserSymbols
; 
; START	OF FUNCTION CHUNK FOR PopPpmHeteroPolicyCallback

loc_9386B6:				; CODE XREF: PopPpmHeteroPolicyCallback+4Aj
		mov	eax, ds:_PopHeteroSystem
		mov	ds:_PpmHeteroDesiredPolicy, esi
		cmp	eax, 1
		jz	short loc_9386D6
		cmp	eax, 2
		jz	short loc_9386D6
		sub	eax, 5
		neg	eax
		sbb	eax, eax
		not	eax
		and	esi, eax

loc_9386D6:				; CODE XREF: PopPpmHeteroPolicyCallback+83372j
					; PopPpmHeteroPolicyCallback+83377j
		cmp	esi, ds:_PpmHeteroPolicy
		jz	loc_8B53A2
		mov	cl, 1
		mov	ds:_PpmHeteroPolicy, esi
		call	_PpmReinitializeHeteroEngine@4 ; PpmReinitializeHeteroEngine(x)
		jmp	loc_8B53A9
; END OF FUNCTION CHUNK	FOR PopPpmHeteroPolicyCallback

;  S U B	R O U T	I N E 


sub_9386F4	proc near		; DATA XREF: .text:006A76ACo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_9386F4	endp


;  S U B	R O U T	I N E 


sub_938702	proc near		; DATA XREF: .text:006A76B0o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-1Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_8B55B6
sub_938702	endp

; 
; START	OF FUNCTION CHUNK FOR CmSiRWLockReleaseExclusive

loc_938714:				; CODE XREF: CmSiRWLockReleaseExclusive+Ej
		test	al, 4
		jnz	loc_8B55E6
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8B55E6
; END OF FUNCTION CHUNK	FOR CmSiRWLockReleaseExclusive
; 
; START	OF FUNCTION CHUNK FOR PopCoalescingPowerSettingCallback

loc_938726:				; CODE XREF: PopCoalescingPowerSettingCallback+47j
		mov	_PopDiskCoalescingTimeout, eax
		call	PopUpdateDiskIdleTimeoutSetting
		jmp	loc_8B563B
; END OF FUNCTION CHUNK	FOR PopCoalescingPowerSettingCallback
; 
; START	OF FUNCTION CHUNK FOR CmRegisterSystemHiveLimitCallback

loc_938735:				; CODE XREF: CmRegisterSystemHiveLimitCallback+5Ej
		mov	ecx, esi
		mov	_CmpSystemHiveHysteresisHighSeen, 1
		call	_CmpDoQueueSystemHiveHysteresis@4 ; CmpDoQueueSystemHiveHysteresis(x)
		test	al, al
		jz	loc_8B56B2
		mov	_CmpSystemHiveHysteresisLowSeen, 0
		jmp	loc_8B56B9
; END OF FUNCTION CHUNK	FOR CmRegisterSystemHiveLimitCallback
; 
; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938757:				; CODE XREF: NtSystemDebugControl+4Aj
					; NtSystemDebugControl+53j ...
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_1D], al
		mov	byte ptr [ebp+var_2C], al
		cmp	esi, 26h
		jz	short loc_938793
		push	[ebp+var_2C]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_938790
		mov	eax, 0C0000022h
		jmp	loc_8B57C4
; 

loc_938790:				; CODE XREF: NtSystemDebugControl+8301Ej
		mov	al, [ebp+var_1D]

loc_938793:				; CODE XREF: NtSystemDebugControl+83006j
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		and	[ebp+ms_exc.disabled], ebx
		test	al, al
		jz	short loc_9387F3
		cmp	[ebp+arg_8], ebx
		jz	short loc_9387C7
		test	byte ptr [ebp+arg_4], 3
		jz	short loc_9387AF
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9387AF:				; CODE XREF: NtSystemDebugControl+83042j
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		add	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_9387C4
		cmp	edx, ecx
		jnb	short loc_9387C7

loc_9387C4:				; CODE XREF: NtSystemDebugControl+83058j
		mov	byte ptr [eax],	0

loc_9387C7:				; CODE XREF: NtSystemDebugControl+8303Cj
					; NtSystemDebugControl+8305Cj
		mov	edi, [ebp+arg_10]
		push	4
		pop	ecx
		test	edi, edi
		jz	short loc_9387DB
		push	ecx
		push	edi
		push	[ebp+arg_C]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_9387DB:				; CODE XREF: NtSystemDebugControl+83069j
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jz	short loc_9387F6
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9387ED
		mov	ecx, eax

loc_9387ED:				; CODE XREF: NtSystemDebugControl+83083j
		mov	eax, [ecx]
		mov	[ecx], eax
		jmp	short loc_9387F6
; 

loc_9387F3:				; CODE XREF: NtSystemDebugControl+83037j
		mov	edi, [ebp+arg_10]

loc_9387F6:				; CODE XREF: NtSystemDebugControl+8307Aj
					; NtSystemDebugControl+8308Bj
		push	4
		pop	eax
		push	0FFFFFFFEh
		pop	edx
		mov	[ebp+ms_exc.disabled], edx
		jmp	short loc_938827
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_938801	proc near		; DATA XREF: .text:006A76CCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_938801	endp


;  S U B	R O U T	I N E 


sub_93880F	proc near		; DATA XREF: .text:006A76D0o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-3Ch]
		mov	[ebp-1Ch], ebx
		push	0FFFFFFFEh
		pop	edx
		mov	[ebp-4], edx
		push	4
		pop	eax
		mov	esi, [ebp+8]
		mov	edi, [ebp+18h]
sub_93880F	endp

; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938827:				; CODE XREF: NtSystemDebugControl+83099j
		test	ebx, ebx
		jnz	loc_938DE7
		cmp	esi, 1Ch
		jg	loc_938A8F
		jz	loc_938A56
		cmp	esi, 17h
		jg	loc_938946
		jz	loc_9388EE
		test	esi, esi
		js	loc_938DB2	; default
		cmp	esi, 5
		jle	loc_9388E4
		cmp	esi, 6
		jz	short loc_938899
		jle	loc_938DB2	; default
		cmp	esi, 14h
		jle	short loc_9388E4
		cmp	esi, 15h
		jz	short loc_938892
		cmp	esi, 16h
		jnz	loc_938DB2	; default
		call	_KdDisableDebugger@0 ; KdDisableDebugger()
		jmp	short loc_93888B
; 

loc_938883:				; CODE XREF: NtSystemDebugControl+8363Cj
		mov	ecx, [ebp+arg_4]
		call	_ExpKdPullRemoteFileForUser@4 ;	ExpKdPullRemoteFileForUser(x)

loc_93888B:				; CODE XREF: NtSystemDebugControl+8311Bj
					; NtSystemDebugControl+83131j ...
		mov	ebx, eax
		jmp	loc_938DB7
; 

loc_938892:				; CODE XREF: NtSystemDebugControl+8310Bj
		call	_KdEnableDebugger@0 ; KdEnableDebugger()
		jmp	short loc_93888B
; 

loc_938899:				; CODE XREF: NtSystemDebugControl+830FBj
		cmp	_KdDebuggerEnabled, 1
		jnz	short loc_9388DA
		mov	[ebp+ms_exc.disabled], 1
		push	6
		call	_DbgBreakPointWithStatus@4 ; DbgBreakPointWithStatus(x)
		jmp	short loc_9388CE
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_9388B2	proc near		; DATA XREF: .text:006A76D8o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_9388B2	endp


;  S U B	R O U T	I N E 


sub_9388C0	proc near		; DATA XREF: .text:006A76DCo
		mov	ebx, [ebp-40h]
		jmp	short loc_9388C8
; 

loc_9388C5:				; DATA XREF: .text:006A773Co
		mov	ebx, [ebp-60h]

loc_9388C8:				; CODE XREF: sub_9388C0+3j
					; sub_938941+3j ...
		mov	esp, [ebp-18h]
		mov	[ebp-1Ch], ebx
sub_9388C0	endp

; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_9388CE:				; CODE XREF: NtSystemDebugControl+8314Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_938DBA
; 

loc_9388DA:				; CODE XREF: NtSystemDebugControl+8313Aj
		mov	ebx, 0C0000001h
		jmp	loc_938DB7
; 

loc_9388E4:				; CODE XREF: NtSystemDebugControl+830F2j
					; NtSystemDebugControl+83106j
		mov	eax, 0C0000002h
		jmp	loc_8B57C4
; 

loc_9388EE:				; CODE XREF: NtSystemDebugControl+830E1j
		cmp	edi, 1
		jnz	loc_938DA8
		mov	[ebp+ms_exc.disabled], 2
		mov	cl, _KdAutoEnableOnEvent
		jmp	short loc_938913
; 

loc_938906:				; CODE XREF: NtSystemDebugControl+83345j
		mov	[ebp+ms_exc.disabled], 8
		mov	cl, _KdBlockEnable

loc_938913:				; CODE XREF: NtSystemDebugControl+8319Ej
					; NtSystemDebugControl+8321Aj
		mov	eax, [ebp+arg_C]
		mov	[eax], cl
		jmp	short loc_93892B
; 

loc_93891A:				; CODE XREF: NtSystemDebugControl+8336Aj
		mov	[ebp+ms_exc.disabled], 9
		mov	eax, [ebp+arg_4]
		mov	al, [eax]
		mov	_KdBlockEnable,	al

loc_93892B:				; CODE XREF: NtSystemDebugControl+831B2j
					; NtSystemDebugControl+8329Cj ...
		mov	[ebp+ms_exc.disabled], edx
		jmp	loc_938DBA
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_938933	proc near		; DATA XREF: .text:006A76E4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		xor	eax, eax
		inc	eax
		retn
sub_938933	endp


;  S U B	R O U T	I N E 


sub_938941	proc near		; DATA XREF: .text:006A76E8o
		mov	ebx, [ebp-44h]
		jmp	short loc_9388C8
sub_938941	endp

; 
; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938946:				; CODE XREF: NtSystemDebugControl+830DBj
		sub	esi, 18h
		jz	loc_938A1D
		sub	esi, 1
		jz	loc_9389EC
		sub	esi, 1
		jz	short loc_938998
		sub	esi, 1
		jnz	loc_938DB2	; default
		cmp	edi, 1
		jnz	loc_938DA8
		mov	[ebp+ms_exc.disabled], 6
		cmp	_KdIgnoreUmExceptions, 0
		setz	cl
		jmp	short loc_938913
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_938982	proc near		; DATA XREF: .text:006A7714o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		xor	eax, eax
		inc	eax
		retn
sub_938982	endp


;  S U B	R O U T	I N E 


sub_938990	proc near		; DATA XREF: .text:006A7718o
		mov	ebx, [ebp-48h]
		jmp	loc_9388C8
sub_938990	endp

; 
; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938998:				; CODE XREF: NtSystemDebugControl+831F5j
		cmp	[ebp+arg_8], eax
		jnz	loc_938DA8
		and	[ebp+var_28], 0
		mov	[ebp+ms_exc.disabled], 5
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		mov	[ebp+ms_exc.disabled], edx
		jmp	short loc_9389D7
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_9389B9	proc near		; DATA XREF: .text:006A7708o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-4Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_9389B9	endp


;  S U B	R O U T	I N E 


sub_9389C7	proc near		; DATA XREF: .text:006A770Co
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-4Ch]
		mov	[ebp-1Ch], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
sub_9389C7	endp

; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_9389D7:				; CODE XREF: NtSystemDebugControl+83251j
		test	ebx, ebx
		jnz	loc_938DBA
		mov	ecx, [ebp+var_28]
		call	_KdSetDbgPrintBufferSize@4 ; KdSetDbgPrintBufferSize(x)
		jmp	loc_93888B
; 

loc_9389EC:				; CODE XREF: NtSystemDebugControl+831ECj
		cmp	edi, eax
		jnz	loc_938DA8
		mov	[ebp+ms_exc.disabled], eax
		mov	ecx, ds:_KdPrintBufferSize
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		jmp	loc_93892B
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_938A07	proc near		; DATA XREF: .text:006A76FCo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-50h], eax
		xor	eax, eax
		inc	eax
		retn
sub_938A07	endp


;  S U B	R O U T	I N E 


sub_938A15	proc near		; DATA XREF: .text:006A7700o
		mov	ebx, [ebp-50h]
		jmp	loc_9388C8
sub_938A15	endp

; 
; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938A1D:				; CODE XREF: NtSystemDebugControl+831E3j
		cmp	[ebp+arg_8], 1
		jnz	loc_938DA8
		mov	[ebp+ms_exc.disabled], 3
		mov	eax, [ebp+arg_4]
		cmp	byte ptr [eax],	0
		setnz	_KdAutoEnableOnEvent
		jmp	loc_93892B
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_938A40	proc near		; DATA XREF: .text:006A76F0o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		xor	eax, eax
		inc	eax
		retn
sub_938A40	endp


;  S U B	R O U T	I N E 


sub_938A4E	proc near		; DATA XREF: .text:006A76F4o
		mov	ebx, [ebp-54h]
		jmp	loc_9388C8
sub_938A4E	endp

; 
; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938A56:				; CODE XREF: NtSystemDebugControl+830D2j
		cmp	[ebp+arg_8], 1
		jnz	loc_938DA8
		mov	[ebp+ms_exc.disabled], 7
		mov	eax, [ebp+arg_4]
		cmp	byte ptr [eax],	0
		setz	_KdIgnoreUmExceptions
		jmp	loc_93892B
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_938A79	proc near		; DATA XREF: .text:006A7720o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-58h], eax
		xor	eax, eax
		inc	eax
		retn
sub_938A79	endp


;  S U B	R O U T	I N E 


sub_938A87	proc near		; DATA XREF: .text:006A7724o
		mov	ebx, [ebp-58h]
		jmp	loc_9388C8
sub_938A87	endp

; 
; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938A8F:				; CODE XREF: NtSystemDebugControl+830CCj
		add	esi, 0FFFFFFE3h	; switch 10 cases
		cmp	esi, 9
		ja	loc_938DB2	; default
		jmp	ds:off_938DEF[esi*4] ; switch jump

loc_938AA2:				; DATA XREF: PAGE:off_938DEFo
		cmp	edi, 1		; case 0x1E
		jnz	loc_938DA8
		jmp	loc_938906
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_938AB0	proc near		; DATA XREF: .text:006A772Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-5Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_938AB0	endp


;  S U B	R O U T	I N E 


sub_938ABE	proc near		; DATA XREF: .text:006A7730o
		mov	ebx, [ebp-5Ch]
		jmp	loc_9388C8
sub_938ABE	endp

; 
; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938AC6:				; CODE XREF: NtSystemDebugControl+83335j
					; DATA XREF: PAGE:off_938DEFo
		cmp	[ebp+arg_8], 1	; case 0x1F
		jnz	loc_938DA8
		jmp	loc_93891A
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_938AD5	proc near		; DATA XREF: .text:006A7738o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-60h], eax
		xor	eax, eax
		inc	eax
		retn
sub_938AD5	endp

; 
; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938AE3:				; CODE XREF: NtSystemDebugControl+83335j
					; DATA XREF: PAGE:off_938DEFo
		mov	_KdUmBreakMarker, 0DB1DBBBBh ; case 0x20
		jmp	short loc_938AF9
; 

loc_938AEF:				; CODE XREF: NtSystemDebugControl+83335j
					; NtSystemDebugControl+83446j
					; DATA XREF: ...
		mov	_KdUmAttachPid,	0 ; case 0x24

loc_938AF9:				; CODE XREF: NtSystemDebugControl+83387j
					; NtSystemDebugControl+833E6j ...
		xor	ebx, ebx
		jmp	loc_938DB7
; 

loc_938B00:				; CODE XREF: NtSystemDebugControl+83335j
					; DATA XREF: PAGE:off_938DEFo
		cmp	edi, eax	; case 0x21
		jnz	loc_938DA8
		mov	[ebp+ms_exc.disabled], 0Ah
		mov	ecx, _KdUmBreakPid
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	[ebp+ms_exc.disabled], edx
		jmp	short loc_938B3D
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_938B1F	proc near		; DATA XREF: .text:006A7744o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-64h], eax
		xor	eax, eax
		inc	eax
		retn
sub_938B1F	endp


;  S U B	R O U T	I N E 


sub_938B2D	proc near		; DATA XREF: .text:006A7748o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-64h]
		mov	[ebp-1Ch], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
sub_938B2D	endp

; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938B3D:				; CODE XREF: NtSystemDebugControl+833B7j
		test	ebx, ebx
		js	loc_938DBA
		cmp	_KdResetUmBreakPid, 0
		jz	short loc_938AF9

loc_938B4E:				; CODE XREF: NtSystemDebugControl+83335j
					; DATA XREF: PAGE:off_938DEFo
		mov	_KdUmBreakPid, 0 ; case	0x22
		jmp	short loc_938AF9
; 

loc_938B5A:				; CODE XREF: NtSystemDebugControl+83335j
					; DATA XREF: PAGE:off_938DEFo
		cmp	edi, eax	; case 0x23
		jnz	loc_938DA8
		mov	[ebp+ms_exc.disabled], 0Bh
		mov	ecx, _KdUmAttachPid
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		mov	[ebp+ms_exc.disabled], edx
		jmp	short loc_938B97
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_938B79	proc near		; DATA XREF: .text:006A7750o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-68h], eax
		xor	eax, eax
		inc	eax
		retn
sub_938B79	endp


;  S U B	R O U T	I N E 


sub_938B87	proc near		; DATA XREF: .text:006A7754o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-68h]
		mov	[ebp-1Ch], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
sub_938B87	endp

; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938B97:				; CODE XREF: NtSystemDebugControl+83411j
		test	ebx, ebx
		js	loc_938DBA
		cmp	_KdResetUmAttachPid, 0
		jz	loc_938AF9
		jmp	loc_938AEF	; case 0x24
; 

loc_938BB1:				; CODE XREF: NtSystemDebugControl+83335j
					; DATA XREF: PAGE:off_938DEFo
		cmp	[ebp+arg_8], 24h ; case	0x1D
		jnz	loc_938DA8
		cmp	edi, 20000h
		jb	loc_938DA8
		mov	[ebp+ms_exc.disabled], 0Ch
		push	9
		pop	ecx
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_98]
		rep movsd
		jmp	short loc_938BF8
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_938BDE	proc near		; DATA XREF: .text:006A775Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-6Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_938BDE	endp


;  S U B	R O U T	I N E 


sub_938BEC	proc near		; DATA XREF: .text:006A7760o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-6Ch]
		mov	[ebp-1Ch], ebx
		push	0FFFFFFFEh
		pop	edx
sub_938BEC	endp

; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938BF8:				; CODE XREF: NtSystemDebugControl+83476j
		mov	[ebp+ms_exc.disabled], edx
		push	4
		pop	ecx
		test	ebx, ebx
		jnz	loc_938DBA
		cmp	[ebp+var_80], ebx
		jnz	loc_938D3A
		mov	eax, [ebp+var_7C]
		test	eax, eax
		jz	loc_938D3A
		test	[ebp+var_98], edx
		jnz	loc_938D3A
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_30]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	ecx, 0C0000000h
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_938D3A
		mov	eax, 100000h
		mov	[ebp+arg_8], eax
		mov	esi, [ebp+arg_10]
		cmp	esi, eax
		ja	short loc_938C55
		mov	eax, esi
		mov	[ebp+arg_8], esi

loc_938C55:				; CODE XREF: NtSystemDebugControl+834E8j
		push	704E534Bh
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+arg_4], edi
		test	edi, edi
		jnz	short loc_938C78
		mov	ebx, 0C0000017h
		jmp	loc_938DB7
; 

loc_938C78:				; CODE XREF: NtSystemDebugControl+83506j
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		push	0
		push	[ebp+var_2C]
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_78]
		call	ExLockUserBuffer
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		jns	short loc_938CA6
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_938DBA
; 

loc_938CA6:				; CODE XREF: NtSystemDebugControl+83531j
		mov	ebx, [ebp+arg_8]
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp+var_34]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	ebx
		mov	edx, edi
		lea	ecx, [ebp+var_98]
		call	_DbgkCaptureLiveDump@16	; DbgkCaptureLiveDump(x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		js	short loc_938D25
		cmp	[ebp+var_24], esi
		jbe	short loc_938CE5
		mov	ebx, 0C0000001h
		mov	[ebp+var_1C], ebx
		jmp	short loc_938D25
; 

loc_938CE5:				; CODE XREF: NtSystemDebugControl+83573j
		mov	[ebp+ms_exc.disabled], 0Dh
		push	[ebp+var_24]	; size_t
		push	edi		; void *
		push	[ebp+arg_C]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_938D25
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_938D04	proc near		; DATA XREF: .text:006A7768o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-70h], eax
		xor	eax, eax
		inc	eax
		retn
sub_938D04	endp


;  S U B	R O U T	I N E 


sub_938D12	proc near		; DATA XREF: .text:006A776Co
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-70h]
		mov	[ebp-1Ch], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp+0Ch]
sub_938D12	endp

; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938D25:				; CODE XREF: NtSystemDebugControl+8356Ej
					; NtSystemDebugControl+8357Dj ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_38]
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)
		jmp	loc_938DBA
; 

loc_938D3A:				; CODE XREF: NtSystemDebugControl+834A3j
					; NtSystemDebugControl+834AEj ...
		mov	eax, 0C000000Dh
		jmp	loc_8B57C4
; 

loc_938D44:				; CODE XREF: NtSystemDebugControl+83335j
					; DATA XREF: PAGE:off_938DEFo
		cmp	[ebp+arg_8], 28h ; case	0x25
		jnz	short loc_938DA8
		test	edi, edi
		jnz	short loc_938DA8
		mov	[ebp+ms_exc.disabled], 0Eh
		push	0Ah
		pop	ecx
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_C0]
		rep movsd
		mov	[ebp+ms_exc.disabled], edx
		jmp	short loc_938D86
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_938D68	proc near		; DATA XREF: .text:006A7774o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-74h], eax
		xor	eax, eax
		inc	eax
		retn
sub_938D68	endp


;  S U B	R O U T	I N E 


sub_938D76	proc near		; DATA XREF: .text:006A7778o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-74h]
		mov	[ebp-1Ch], ebx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
sub_938D76	endp

; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938D86:				; CODE XREF: NtSystemDebugControl+83600j
		test	ebx, ebx
		jnz	short loc_938DBA
		lea	ecx, [ebp+var_C0]
		call	_DbgkCaptureLiveKernelDump@4 ; DbgkCaptureLiveKernelDump(x)
		jmp	loc_93888B
; 

loc_938D9A:				; CODE XREF: NtSystemDebugControl+83335j
					; DATA XREF: PAGE:off_938DEFo
		cmp	[ebp+arg_8], 8	; case 0x26
		jnz	short loc_938DA8
		test	edi, edi
		jz	loc_938883

loc_938DA8:				; CODE XREF: NtSystemDebugControl+8318Bj
					; NtSystemDebugControl+83203j ...
		mov	eax, 0C0000004h
		jmp	loc_8B57C4
; 

loc_938DB2:				; CODE XREF: NtSystemDebugControl+830E9j
					; NtSystemDebugControl+830FDj ...
		mov	ebx, 0C0000003h	; default

loc_938DB7:				; CODE XREF: NtSystemDebugControl+83127j
					; NtSystemDebugControl+83179j ...
		mov	[ebp+var_1C], ebx

loc_938DBA:				; CODE XREF: NtSystemDebugControl+8316Fj
					; NtSystemDebugControl+831C8j ...
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jz	short loc_938DE7
		mov	[ebp+ms_exc.disabled], 0Fh
		mov	eax, [ebp+var_24]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_938DE7
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl

;  S U B	R O U T	I N E 


sub_938DD6	proc near		; DATA XREF: .text:006A7780o
		xor	eax, eax
		inc	eax
		retn
sub_938DD6	endp


;  S U B	R O U T	I N E 


sub_938DDA	proc near		; DATA XREF: .text:006A7784o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp-1Ch]
sub_938DDA	endp

; START	OF FUNCTION CHUNK FOR NtSystemDebugControl

loc_938DE7:				; CODE XREF: NtSystemDebugControl+830C3j
					; NtSystemDebugControl+83659j ...
		mov	eax, ebx
		jmp	loc_8B57C4
; END OF FUNCTION CHUNK	FOR NtSystemDebugControl
; 
		db 90h
off_938DEF	dd offset loc_938BB1	; DATA XREF: NtSystemDebugControl+83335r
		dd offset loc_938AA2	; jump table for switch	statement
		dd offset loc_938AC6
		dd offset loc_938AE3
		dd offset loc_938B00
		dd offset loc_938B4E
		dd offset loc_938B5A
		dd offset loc_938AEF
		dd offset loc_938D44
		dd offset loc_938D9A
; 

loc_938E17:				; DATA XREF: .text:006A779Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_938E25:				; DATA XREF: .text:006A77A0o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-1Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_8B581C
; 
; START	OF FUNCTION CHUNK FOR PopAllowAwayModeSettingCallback

loc_938E37:				; CODE XREF: PopAllowAwayModeSettingCallback+39j
		mov	byte_6C2D12, bl
		cmp	byte_6C2D11, bl
		jz	loc_8B58D4
		push	7
		pop	edx
		call	PopSetSystemState
		jmp	loc_8B58D4
; END OF FUNCTION CHUNK	FOR PopAllowAwayModeSettingCallback
; 
; START	OF FUNCTION CHUNK FOR PspSetThreadPpmPolicy

loc_938E56:				; CODE XREF: PspSetThreadPpmPolicy+12j
		sub	eax, 1
		jz	short loc_938E6E
		sub	eax, 1
		jnz	loc_8B5D20
		mov	esi, 300h
		jmp	loc_8B5CFF
; 

loc_938E6E:				; CODE XREF: PspSetThreadPpmPolicy+83177j
		mov	esi, 200h
		jmp	loc_8B5CFF
; END OF FUNCTION CHUNK	FOR PspSetThreadPpmPolicy
; 
; START	OF FUNCTION CHUNK FOR DrvDbCheckSchemaVersionSupported

loc_938E78:				; CODE XREF: DrvDbCheckSchemaVersionSupported+Fj
		shr	ecx, 10h
		dec	cx
		neg	cx
		sbb	cl, cl
		inc	cl
		jmp	loc_8B5E5D
; END OF FUNCTION CHUNK	FOR DrvDbCheckSchemaVersionSupported
; 
; START	OF FUNCTION CHUNK FOR PopSetupHighPerfPowerRequest

loc_938E89:				; CODE XREF: PopSetupHighPerfPowerRequest+13j
					; PopSetupHighPerfPowerRequest+26j
		and	ds:_PpmPerfBootHeteroPolicyOverrideEnabled, 0
		cmp	ds:_PopHeteroSystem, 0
		jz	loc_8B5E84
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		xor	cl, cl
		call	_PpmReinitializeHeteroEngine@4 ; PpmReinitializeHeteroEngine(x)
		jmp	loc_8B5E84
; END OF FUNCTION CHUNK	FOR PopSetupHighPerfPowerRequest
; 
; START	OF FUNCTION CHUNK FOR PsEstablishWin32Callouts

loc_938EB3:				; CODE XREF: PsEstablishWin32Callouts+26j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B5F03
; END OF FUNCTION CHUNK	FOR PsEstablishWin32Callouts
; 
; START	OF FUNCTION CHUNK FOR CmpVolumeManagerUnlockContextListExclusive

loc_938EC0:				; CODE XREF: CmpVolumeManagerUnlockContextListExclusive+Ej
		test	al, 4
		jnz	loc_8B5F9C
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_8B5F9C
; END OF FUNCTION CHUNK	FOR CmpVolumeManagerUnlockContextListExclusive
; 
; START	OF FUNCTION CHUNK FOR EtwpInitializeLastBranchTracing

loc_938ED2:				; CODE XREF: EtwpInitializeLastBranchTracing+33j
		mov	eax, [ebp+var_4]
		mov	ds:_EtwpLastBranchStackSize, eax
		mov	eax, [ebp+var_8]
		mov	ds:_EtwpLastBranchSupportedOptions, eax
		leave
		retn
; END OF FUNCTION CHUNK	FOR EtwpInitializeLastBranchTracing
; 
; START	OF FUNCTION CHUNK FOR EtwTiLogDriverObjectUnLoad

loc_938EE4:				; CODE XREF: EtwTiLogDriverObjectUnLoad+31j
		push	0
		push	40000000h
		push	0
		push	esi
		push	edi
		call	EtwProviderEnabled
		test	al, al
		jz	loc_8B60A7
		test	ebx, ebx
		jz	short loc_938F31
		movzx	edx, word ptr [ebx]
		test	dx, dx
		jz	short loc_938F31
		and	[ebp+var_20], 0
		mov	ax, dx
		and	[ebp+var_18], 0
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], eax
		mov	eax, [ebx+4]
		xor	ebx, ebx
		mov	[ebp+var_14], eax
		mov	eax, edx
		mov	[ebp+var_C], eax
		jmp	short loc_938F54
; 

loc_938F31:				; CODE XREF: EtwTiLogDriverObjectUnLoad+82E8Ej
					; EtwTiLogDriverObjectUnLoad+82E96j
		xor	ebx, ebx
		mov	[ebp+var_28], 6
		lea	eax, [ebp+var_28]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ;	"(null)"
		mov	[ebp+var_C], 0Ch

loc_938F54:				; CODE XREF: EtwTiLogDriverObjectUnLoad+82EBFj
		push	2
		pop	ecx
		lea	eax, [ebp+var_24]
		mov	[ebp+var_8], ebx
		push	eax
		push	ecx
		push	ebx
		push	offset _THREATINT_DRIVER_OBJECT_UNLOAD
		push	esi
		push	edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_1C], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_8B60A7
; END OF FUNCTION CHUNK	FOR EtwTiLogDriverObjectUnLoad
; 
; START	OF FUNCTION CHUNK FOR PopInitializePreSleepNotifications

loc_938F77:				; CODE XREF: PopInitializePreSleepNotifications+8j
		push	78h
		pop	eax
		mov	_PopPreSleepNotificationSeconds, eax
		jmp	loc_8B611E
; END OF FUNCTION CHUNK	FOR PopInitializePreSleepNotifications
; 
; START	OF FUNCTION CHUNK FOR PpmEventTraceControlCallback

loc_938F84:				; CODE XREF: PpmEventTraceControlCallback+21j
					; PpmEventTraceControlCallback+29j
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		xor	eax, eax
		mov	[esp+20h+var_4], ax
		mov	eax, ds:dword_70E328
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_C], offset	_KeActiveProcessors

loc_938FA6:				; CODE XREF: PpmEventTraceControlCallback+82E51j
		lea	eax, [esp+20h+var_C]
		push	eax
		lea	eax, [esp+24h+var_10]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_938FCB
		mov	ecx, [esp+20h+var_10]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, eax
		call	_PpmEventTraceProcessorPerformance@4 ; PpmEventTraceProcessorPerformance(x)
		jmp	short loc_938FA6
; 

loc_938FCB:				; CODE XREF: PpmEventTraceControlCallback+82E3Fj
		mov	esi, ds:_PpmPerfDomainHead
		jmp	short loc_938FE1
; 

loc_938FD3:				; CODE XREF: PpmEventTraceControlCallback+82E6Fj
		cmp	edi, 2
		jnz	short loc_938FDF
		mov	ecx, esi
		call	_PpmEventTraceProcessorPerformanceDomainRundown@4 ; PpmEventTraceProcessorPerformanceDomainRundown(x)

loc_938FDF:				; CODE XREF: PpmEventTraceControlCallback+82E5Ej
		mov	esi, [esi]

loc_938FE1:				; CODE XREF: PpmEventTraceControlCallback+82E59j
		cmp	esi, offset _PpmPerfDomainHead
		jnz	short loc_938FD3
		cmp	edi, 2
		jnz	short loc_939006
		call	_PpmEventTraceLPIState@0 ; PpmEventTraceLPIState()
		call	_PpmEventStaticPolicyRundown@0 ; PpmEventStaticPolicyRundown()
		mov	cl, 1
		call	PpmEventQosSupport
		mov	cl, 1
		call	PpmEventHeteroPolicy

loc_939006:				; CODE XREF: PpmEventTraceControlCallback+82E74j
		mov	esi, ebx
		cmp	_PpmParkNumNodes, ebx
		jbe	short loc_93902F

loc_939010:				; CODE XREF: PpmEventTraceControlCallback+82EB3j
		mov	ecx, _PpmParkNodes
		lea	ecx, [ebx+ecx]
		call	_PpmEventTraceParkNodeRundown@4	; PpmEventTraceParkNodeRundown(x)
		inc	esi
		lea	ebx, [ebx+0D0h]
		cmp	esi, _PpmParkNumNodes
		jb	short loc_939010
		xor	ebx, ebx

loc_93902F:				; CODE XREF: PpmEventTraceControlCallback+82E96j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PpmIdlePolicyLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C2ADC, eax
		call	_PpmEventTracePpmProfileStatusRundown@0	; PpmEventTracePpmProfileStatusRundown()
		mov	cl, 1
		call	PpmEventTraceProfiles
		cmp	_PpmEtwRegistered, 0
		jz	short loc_93908A
		push	offset _PPM_ETW_PROCESSOR_PROFILE_SETTING_RUNDOWN
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93908A
		call	_PpmInfoTraceProfileSettings@0 ; PpmInfoTraceProfileSettings()

loc_93908A:				; CODE XREF: PpmEventTraceControlCallback+82EF1j
					; PpmEventTraceControlCallback+82F0Bj
		cmp	dword_6C2ADC, 0
		jz	short loc_939099
		mov	dword_6C2ADC, ebx

loc_939099:				; CODE XREF: PpmEventTraceControlCallback+82F19j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		cmp	edi, 2
		jnz	loc_8B61A7
		call	_PpmEventTraceAccountingBucketIntervalsRundown@0 ; PpmEventTraceAccountingBucketIntervalsRundown()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		call	_PpmEventTraceCoordinatedIdleStates@0 ;	PpmEventTraceCoordinatedIdleStates()
		call	_PpmEventTracePlatformIdleAccounting@0 ; PpmEventTracePlatformIdleAccounting()
		call	_PpmEventVetoReasonRundown@0 ; PpmEventVetoReasonRundown()
		call	_PpmEventPlatformVetoRundown@0 ; PpmEventPlatformVetoRundown()
		xor	eax, eax
		mov	edi, offset _KeActiveProcessors
		mov	[esp+20h+var_4], ax
		mov	eax, ds:dword_70E328
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_C], edi

loc_939103:				; CODE XREF: PpmEventTraceControlCallback+82FB7j
		lea	eax, [esp+20h+var_C]
		push	eax
		lea	eax, [esp+24h+var_10]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_939131
		mov	ecx, [esp+20h+var_10]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	esi, eax
		mov	ecx, esi
		call	_PpmEventProcessorVetoRundown@4	; PpmEventProcessorVetoRundown(x)
		mov	ecx, esi
		call	_PpmEventTraceProcessorIdle@4 ;	PpmEventTraceProcessorIdle(x)
		jmp	short loc_939103
; 

loc_939131:				; CODE XREF: PpmEventTraceControlCallback+82F9Cj
		push	ebx
		push	ebx
		mov	edx, offset _PpmEventTraceProcessorIdleAccounting@12 ; PpmEventTraceProcessorIdleAccounting(x,x,x)
		mov	ecx, edi
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		cmp	dword_6C2ADC, 0
		jz	short loc_93914E
		mov	dword_6C2ADC, ebx

loc_93914E:				; CODE XREF: PpmEventTraceControlCallback+82FCEj
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_8B61A7
; END OF FUNCTION CHUNK	FOR PpmEventTraceControlCallback
; 
; START	OF FUNCTION CHUNK FOR SshSetPdcPhaseActive

loc_939164:				; CODE XREF: SshSetPdcPhaseActive+30j
		mov	ecx, offset unk_6BF020
		jmp	loc_8B6229
; 

loc_93916E:				; CODE XREF: SshSetPdcPhaseActive+27j
		mov	ecx, offset unk_6BF010
		jmp	loc_8B6229
; 

loc_939178:				; CODE XREF: SshSetPdcPhaseActive+1Ej
		mov	ecx, offset unk_6BF000
		jmp	loc_8B6229
; 

loc_939182:				; CODE XREF: SshSetPdcPhaseActive+15j
		mov	ecx, offset unk_6BEFF0
		jmp	loc_8B6229
; 

loc_93918C:				; CODE XREF: SshSetPdcPhaseActive+Cj
		mov	ecx, offset unk_6BEFE0
		jmp	loc_8B6229
; 

loc_939196:				; CODE XREF: SshSetPdcPhaseActive+3j
		mov	ecx, offset unk_6BEFD0
		jmp	loc_8B6229
; END OF FUNCTION CHUNK	FOR SshSetPdcPhaseActive
; 
; START	OF FUNCTION CHUNK FOR CmpEtwDumpTxR

loc_9391A0:				; CODE XREF: CmpEtwDumpTxR+Ej
		test	cl, cl
		jz	loc_8B6402
		mov	eax, [ebp+arg_C]
		cmp	dword ptr [eax+4], 0
		jz	loc_8B6402
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	[ebp+arg_8]
		push	ecx
		call	esi
		jmp	loc_8B6402
; END OF FUNCTION CHUNK	FOR CmpEtwDumpTxR
; 
; START	OF FUNCTION CHUNK FOR SeQuerySecureBootPolicyValue

loc_9391C8:				; CODE XREF: SeQuerySecureBootPolicyValue+17j
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		call	_SepSecureBootFindMatchingRegistryRule@12 ; SepSecureBootFindMatchingRegistryRule(x,x,x)
		test	eax, eax
		jnz	short loc_9391E1
		mov	esi, 0C0000034h
		jmp	loc_8B6454
; 

loc_9391E1:				; CODE XREF: SeQuerySecureBootPolicyValue+82DA3j
		mov	edx, [ebp+arg_8]
		lea	ecx, [ebp+var_4]
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, [eax+0Ch]
		add	ecx, dword_6FE12C
		call	_SepSecureBootGetPolicyValueByRef@16 ; SepSecureBootGetPolicyValueByRef(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_8B6454
		cmp	[ebp+arg_C], 0
		mov	ecx, [ebp+arg_14]
		mov	edx, [ebp+var_4]
		mov	[ecx], edx
		jz	loc_8B6454
		cmp	[ebp+arg_10], edx
		jnb	short loc_939225
		mov	esi, 0C0000023h
		jmp	loc_8B6454
; 

loc_939225:				; CODE XREF: SeQuerySecureBootPolicyValue+82DE7j
		push	edx		; size_t
		push	[ebp+var_8]	; void *
		push	[ebp+arg_C]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_8B6454
; END OF FUNCTION CHUNK	FOR SeQuerySecureBootPolicyValue
; 
; START	OF FUNCTION CHUNK FOR IopDecDisableableDepends

loc_939239:				; CODE XREF: IopDecDisableableDepends+19j
		mov	edx, [esi+18h]
		test	edx, edx
		jz	short loc_939247
		push	0Bh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent

loc_939247:				; CODE XREF: IopDecDisableableDepends+82D5Ej
		mov	esi, [esi+8]
		jmp	loc_8B64E9
; END OF FUNCTION CHUNK	FOR IopDecDisableableDepends
; 
; START	OF FUNCTION CHUNK FOR CmpEtwGetHivePath

loc_93924F:				; CODE XREF: CmpEtwGetHivePath+Cj
		mov	ecx, [ecx+400h]
		jmp	CmpQueryNameString
; END OF FUNCTION CHUNK	FOR CmpEtwGetHivePath
; 
; START	OF FUNCTION CHUNK FOR PopCheckSkipTick

loc_93925A:				; CODE XREF: PopCheckSkipTick+8j
		test	ds:_HvlEnlightenments, 4000h
		jz	short loc_939273
		test	byte ptr ds:_HvlpFlags,	2
		jz	loc_8B657E

loc_939273:				; CODE XREF: PopCheckSkipTick+82CF4j
		cmp	eax, 3
		jnz	short loc_93928B
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		cmp	eax, 20h
		jbe	loc_8B657E

loc_93928B:				; CODE XREF: PopCheckSkipTick+82D06j
		xor	al, al
		retn
; END OF FUNCTION CHUNK	FOR PopCheckSkipTick
; 
; START	OF FUNCTION CHUNK FOR PiSwDeviceDereference

loc_93928E:				; CODE XREF: PiSwDeviceDereference+11j
		call	_PiSwDeviceFree@4 ; PiSwDeviceFree(x)
		push	57706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_8B65CD
; END OF FUNCTION CHUNK	FOR PiSwDeviceDereference
; 
; START	OF FUNCTION CHUNK FOR EtwpTracingProvEnableCallback

loc_9392A3:				; CODE XREF: EtwpTracingProvEnableCallback+15j
		mov	ecx, ds:_EtwpHostSiloState
		xor	esi, esi
		cmp	[ecx+8], esi
		jbe	short loc_9392E2

loc_9392B0:				; CODE XREF: EtwpTracingProvEnableCallback+82CCEj
		push	0
		mov	edx, esi
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jz	short loc_9392D6
		push	ecx
		push	ecx
		mov	edx, edi
		mov	ecx, offset _ETW_EVENT_SESSION_INFO
		call	_EtwpEventWriteTemplateSession@16 ; EtwpEventWriteTemplateSession(x,x,x,x)
		xor	dl, dl
		mov	ecx, edi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_9392D6:				; CODE XREF: EtwpTracingProvEnableCallback+82CABj
		mov	ecx, ds:_EtwpHostSiloState
		inc	esi
		cmp	esi, [ecx+8]
		jb	short loc_9392B0

loc_9392E2:				; CODE XREF: EtwpTracingProvEnableCallback+82C9Cj
		xor	edx, edx
		jmp	loc_939398
; 

loc_9392E9:				; CODE XREF: EtwpTracingProvEnableCallback+82D91j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		push	offset _ETW_EVENT_GROUP_ENTRY_INFO
		mov	[esi+170h], eax
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_939338
		push	ecx
		push	ecx
		mov	edx, esi
		mov	ecx, offset _ETW_EVENT_GROUP_ENTRY_INFO
		call	_EtwpEventWriteGuidEntry@16 ; EtwpEventWriteGuidEntry(x,x,x,x)

loc_939338:				; CODE XREF: EtwpTracingProvEnableCallback+82D16j
		xor	ebx, ebx
		lea	edi, [esi+60h]

loc_93933D:				; CODE XREF: EtwpTracingProvEnableCallback+82D5Cj
		cmp	dword ptr [edi], 0
		jz	short loc_939367
		push	offset _ETW_EVENT_ENABLE_INFO
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_939367
		push	ecx
		push	ecx
		mov	dl, bl
		mov	ecx, esi
		call	_EtwpEventWriteEnableInfo@16 ; EtwpEventWriteEnableInfo(x,x,x,x)

loc_939367:				; CODE XREF: EtwpTracingProvEnableCallback+82D2Ej
					; EtwpTracingProvEnableCallback+82D48j
		inc	ebx
		add	edi, 20h
		cmp	ebx, 8
		jb	short loc_93933D
		and	dword ptr [esi+170h], 0
		lea	ecx, [esi+16Ch]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, ds:_EtwpHostSiloState
		mov	edx, esi

loc_939398:				; CODE XREF: EtwpTracingProvEnableCallback+82CD2j
		push	2
		call	_EtwpGetNextGuidEntry@12 ; EtwpGetNextGuidEntry(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_9392E9
		xor	edx, edx
		jmp	loc_9394B1
; 

loc_9393B0:				; CODE XREF: EtwpTracingProvEnableCallback+82EB0j
		push	10h		; size_t
		lea	eax, [esi+14h]
		push	offset _EventTracingProvGuid ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9393F3
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+170h], eax
		mov	[esp+10h+var_1], 1

loc_9393F3:				; CODE XREF: EtwpTracingProvEnableCallback+82DB3j
		push	offset _ETW_EVENT_GUID_ENTRY_INFO
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93941B
		push	ecx
		push	ecx
		mov	edx, esi
		mov	ecx, offset _ETW_EVENT_GUID_ENTRY_INFO
		call	_EtwpEventWriteGuidEntry@16 ; EtwpEventWriteGuidEntry(x,x,x,x)

loc_93941B:				; CODE XREF: EtwpTracingProvEnableCallback+82DF9j
		xor	ebx, ebx
		lea	edi, [esi+60h]

loc_939420:				; CODE XREF: EtwpTracingProvEnableCallback+82E3Fj
		cmp	dword ptr [edi], 0
		jz	short loc_93944A
		push	offset _ETW_EVENT_ENABLE_INFO
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93944A
		push	ecx
		push	ecx
		mov	dl, bl
		mov	ecx, esi
		call	_EtwpEventWriteEnableInfo@16 ; EtwpEventWriteEnableInfo(x,x,x,x)

loc_93944A:				; CODE XREF: EtwpTracingProvEnableCallback+82E11j
					; EtwpTracingProvEnableCallback+82E2Bj
		inc	ebx
		add	edi, 20h
		cmp	ebx, 8
		jb	short loc_939420
		lea	ebx, [esi+24h]
		mov	edi, [ebx]
		jmp	short loc_93947F
; 

loc_93945A:				; CODE XREF: EtwpTracingProvEnableCallback+82E6Fj
		push	offset _ETW_EVENT_REG_ENTRY_INFO
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93947D
		push	ecx
		push	ecx
		mov	ecx, edi
		call	_EtwpEventWriteRegEntry@12 ; EtwpEventWriteRegEntry(x,x,x)

loc_93947D:				; CODE XREF: EtwpTracingProvEnableCallback+82E60j
		mov	edi, [edi]

loc_93947F:				; CODE XREF: EtwpTracingProvEnableCallback+82E46j
		cmp	edi, ebx
		jnz	short loc_93945A
		cmp	[esp+10h+var_1], 0
		jz	short loc_9394AF
		and	dword ptr [esi+170h], 0
		lea	ecx, [esi+16Ch]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	[esp+10h+var_1], 0

loc_9394AF:				; CODE XREF: EtwpTracingProvEnableCallback+82E76j
		mov	edx, esi

loc_9394B1:				; CODE XREF: EtwpTracingProvEnableCallback+82D99j
		mov	ecx, ds:_EtwpHostSiloState
		push	0
		call	_EtwpGetNextGuidEntry@12 ; EtwpGetNextGuidEntry(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_9393B0
		jmp	loc_8B662D
; END OF FUNCTION CHUNK	FOR EtwpTracingProvEnableCallback
; 
; START	OF FUNCTION CHUNK FOR WmipReleaseCollectionEnabled

loc_9394CD:				; CODE XREF: WmipReleaseCollectionEnabled+9j
		push	0
		push	0
		push	dword ptr [esi+40h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		and	dword ptr [esi+8], 0FFFFFFF7h
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR WmipReleaseCollectionEnabled
; 
; START	OF FUNCTION CHUNK FOR TlgAggregateInternalProviderCallback

loc_9394DF:				; CODE XREF: TlgAggregateInternalProviderCallback+Ej
		cmp	[ebp+arg_C], 20h
		jnz	loc_8B668C
		cmp	[ebp+arg_10], 0
		jnz	loc_8B668C
		mov	edi, offset unk_6F9FF4
		xor	edx, edx
		push	1
		mov	ecx, edi
		call	KeAbPreAcquire
		lock bts dword ptr [edi], 0
		jb	short loc_93954B
		test	eax, eax
		jz	short loc_939512
		or	byte ptr [eax+0Eh], 1

loc_939512:				; CODE XREF: TlgAggregateInternalProviderCallback+82E94j
		mov	esi, dword_6FD8D4
		jmp	short loc_939527
; 

loc_93951A:				; CODE XREF: TlgAggregateInternalProviderCallback+82EB1j
		mov	ecx, esi
		call	LookUpTableFlushComplete
		mov	esi, [esi+0CCh]

loc_939527:				; CODE XREF: TlgAggregateInternalProviderCallback+82EA0j
		test	esi, esi
		jnz	short loc_93951A
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_93953F
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_93953F:				; CODE XREF: TlgAggregateInternalProviderCallback+82EBEj
		mov	ecx, edi
		call	KeAbPostRelease
		jmp	loc_8B668C
; 

loc_93954B:				; CODE XREF: TlgAggregateInternalProviderCallback+82E90j
		test	eax, eax
		jz	loc_8B668C
		mov	edx, eax
		mov	ecx, edi
		call	KeAbPostReleaseEx
		jmp	loc_8B668C
; END OF FUNCTION CHUNK	FOR TlgAggregateInternalProviderCallback
; 
; START	OF FUNCTION CHUNK FOR PfSnDetermineEnablePrefetcher

loc_939561:				; CODE XREF: PfSnDetermineEnablePrefetcher+7j
		and	dword_6D46C0, 0
		and	dword_6D46C4, 0
		retn
; END OF FUNCTION CHUNK	FOR PfSnDetermineEnablePrefetcher
; 
; START	OF FUNCTION CHUNK FOR PopExternalMonitorUpdatedWorker

loc_939570:				; CODE XREF: PopExternalMonitorUpdatedWorker+7j
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	ecx, offset _PopExternalMonitorUpdatedWorkItem
		call	_PopOkayToQueueNextWorkItem@4 ;	PopOkayToQueueNextWorkItem(x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		call	_PopEvaluateInputSuppressionAction@0 ; PopEvaluateInputSuppressionAction()
		jmp	locret_8B66AF
; END OF FUNCTION CHUNK	FOR PopExternalMonitorUpdatedWorker

;  S U B	R O U T	I N E 


; __stdcall ObGetExtendedUserInfo(x)
_ObGetExtendedUserInfo@4 proc near	; CODE XREF: PsInsertSiloContext(x,x,x)+26p
		mov	al, [ecx-0Ah]
		add	ecx, 0FFFFFFE8h
		test	al, 40h
		jz	short loc_9395AD
		movzx	eax, al
		and	eax, 7Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		mov	eax, [ecx]
		add	eax, 10h
		retn
; 

loc_9395AD:				; CODE XREF: ObGetExtendedUserInfo(x)+8j
		xor	eax, eax
		retn
_ObGetExtendedUserInfo@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpReleaseKeyNodeForKcb(x, x)
_CmpReleaseKeyNodeForKcb@8 proc	near	; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+44Cp
					; CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1257p ...
		mov	eax, [ecx+10h]
		push	edx
		push	eax
		call	dword ptr [eax+8]
		retn
_CmpReleaseKeyNodeForKcb@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 194. CcFastCopyRead

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcFastCopyRead(x, x, x, x, x, x)
		public _CcFastCopyRead@24
_CcFastCopyRead@24 proc	near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_4]
		and	[ebp+var_4], 0
		push	0
		push	[ebp+arg_14]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	[ebp+arg_10]
		push	1
		push	[ebp+arg_8]
		push	eax
		push	[ebp+arg_0]
		call	CcCopyReadEx
		leave
		retn	18h
_CcFastCopyRead@24 endp

; 

; __stdcall CcFreeVacbArray(x)
_CcFreeVacbArray@4:			; CODE XREF: CcDereferenceVacbArray+126982p
		xor	eax, eax
		cmp	[ecx+4], eax
		jnz	short loc_9395FF
		push	61566356h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
; 

loc_9395FF:				; CODE XREF: PAGE:009395F1j
		push	eax
		push	eax
		push	0C0000420h
		push	25Eh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh
		align 8
; Exported entry 230. CcSetBcbOwnerPointer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcSetBcbOwnerPointer(x, x)
		public _CcSetBcbOwnerPointer@8
_CcSetBcbOwnerPointer@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, 2FAh
		push	esi
		cmp	[eax], cx
		jnz	short loc_939647
		lea	esi, [eax+10h]
		jmp	short loc_93963F
; 

loc_939630:				; CODE XREF: CcSetBcbOwnerPointer(x,x)+2Bj
		push	[ebp+arg_4]
		add	eax, 38h
		push	eax
		call	ExSetResourceOwnerPointer
		lea	esi, [esi+4]

loc_93963F:				; CODE XREF: CcSetBcbOwnerPointer(x,x)+16j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_939630
		jmp	short loc_939653
; 

loc_939647:				; CODE XREF: CcSetBcbOwnerPointer(x,x)+11j
		push	[ebp+arg_4]
		add	eax, 38h
		push	eax
		call	ExSetResourceOwnerPointer

loc_939653:				; CODE XREF: CcSetBcbOwnerPointer(x,x)+2Dj
		pop	esi
		pop	ebp
		retn	8
_CcSetBcbOwnerPointer@8	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 245. CcUnpinDataForThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CcUnpinDataForThread(x, x)
		public _CcUnpinDataForThread@8
_CcUnpinDataForThread@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		test	bl, 1
		jz	short loc_939670
		and	ebx, 0FFFFFFFEh
		jmp	short loc_9396A5
; 

loc_939670:				; CODE XREF: CcUnpinDataForThread(x,x)+Cj
		mov	eax, 2FAh
		cmp	[ebx], ax
		jnz	short loc_939699
		push	esi
		lea	esi, [ebx+10h]
		jmp	short loc_939689
; 

loc_939680:				; CODE XREF: CcUnpinDataForThread(x,x)+30j
		push	eax
		call	_CcUnpinData@4	; CcUnpinData(x)
		lea	esi, [esi+4]

loc_939689:				; CODE XREF: CcUnpinDataForThread(x,x)+21j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_939680
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		jmp	short loc_9396B0
; 

loc_939699:				; CODE XREF: CcUnpinDataForThread(x,x)+1Bj
		push	[ebp+arg_4]
		lea	eax, [ebx+38h]
		push	eax
		call	ExReleaseResourceForThreadLite

loc_9396A5:				; CODE XREF: CcUnpinDataForThread(x,x)+11j
		push	0
		mov	dl, 1
		mov	ecx, ebx
		call	CcUnpinFileDataEx

loc_9396B0:				; CODE XREF: CcUnpinDataForThread(x,x)+3Aj
		pop	ebx
		pop	ebp
		retn	8
_CcUnpinDataForThread@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmBootLastKnownGood(x, x, x, x)
_CmBootLastKnownGood@16	proc near	; CODE XREF: IopLoadDriver+B07D9p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_CmFirstTime, 1
		jnz	short loc_9396F0
		lea	eax, [ecx-2]
		cmp	eax, 1
		ja	short loc_9396F0
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		test	ecx, ecx
		jz	short loc_9396D9
		mov	ecx, [ecx+4]
		jmp	short loc_9396DB
; 

loc_9396D9:				; CODE XREF: CmBootLastKnownGood(x,x,x,x)+1Dj
		mov	ecx, eax

loc_9396DB:				; CODE XREF: CmBootLastKnownGood(x,x,x,x)+22j
		test	edx, edx
		jz	short loc_9396E2
		mov	eax, [edx+4]

loc_9396E2:				; CODE XREF: CmBootLastKnownGood(x,x,x,x)+28j
		push	[ebp+arg_4]
		push	ecx
		push	eax
		push	1
		push	5Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9396F0:				; CODE XREF: CmBootLastKnownGood(x,x,x,x)+Cj
					; CmBootLastKnownGood(x,x,x,x)+14j
		pop	ebp
		retn	8
_CmBootLastKnownGood@16	endp ; sp = -14h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRestampVersion(x, x)
_CmpRestampVersion@8 proc near		; CODE XREF: CmpSetVersionData+9A68Ap

var_108		= dword	ptr -108h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		movzx	eax, word ptr [edi]
		push	eax
		push	offset ??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@
		lea	eax, [ebp+var_108]
		push	80h
		push	eax
		call	_swprintf_s
		add	esp, 10h
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_93973C
		mov	eax, 80000005h
		jmp	loc_9397F2
; 

loc_93973C:				; CODE XREF: CmpRestampVersion(x,x)+3Cj
		add	eax, eax
		movzx	esi, ax
		lea	eax, [ebp+var_108]
		add	esi, 2
		push	esi
		push	eax
		push	1
		push	0
		push	(offset	loc_A3F697+1)
		push	ebx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	esi
		lea	eax, [ebp+var_108]
		xor	esi, esi
		push	eax
		push	1
		push	esi
		push	(offset	loc_A3F68F+1)
		push	ebx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	4
		lea	eax, [edi+4]
		push	eax
		push	4
		push	esi
		push	offset _CmpUBRString
		push	ebx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	ecx, [edi+0Ch]
		test	ecx, ecx
		jz	short loc_9397AA
		movzx	eax, word ptr [edi+8]
		test	ax, ax
		jz	short loc_9397AA
		add	eax, 2
		push	eax
		push	ecx
		push	1
		push	esi
		push	(offset	loc_A3F67F+1)
		push	ebx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_9397AA:				; CODE XREF: CmpRestampVersion(x,x)+98j
					; CmpRestampVersion(x,x)+A1j
		mov	ecx, [edi+14h]
		test	ecx, ecx
		jz	short loc_9397CD
		movzx	eax, word ptr [edi+10h]
		test	ax, ax
		jz	short loc_9397CD
		add	eax, 2
		push	eax
		push	ecx
		push	1
		push	esi
		push	(offset	loc_A3F677+1)
		push	ebx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_9397CD:				; CODE XREF: CmpRestampVersion(x,x)+BBj
					; CmpRestampVersion(x,x)+C4j
		mov	ecx, [edi+1Ch]
		test	ecx, ecx
		jz	short loc_9397F0
		movzx	eax, word ptr [edi+18h]
		test	ax, ax
		jz	short loc_9397F0
		add	eax, 2
		push	eax
		push	ecx
		push	1
		push	esi
		push	(offset	loc_A3F66F+1)
		push	ebx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_9397F0:				; CODE XREF: CmpRestampVersion(x,x)+DEj
					; CmpRestampVersion(x,x)+E7j
		xor	eax, eax

loc_9397F2:				; CODE XREF: CmpRestampVersion(x,x)+43j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpRestampVersion@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSaveBootControlSet(x)
_CmpSaveBootControlSet@4 proc near	; CODE XREF: CmpAcceptBoot+9C2D2p

var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_16E		= word ptr -16Eh
var_169		= byte ptr -169h
var_168		= dword	ptr -168h
var_161		= byte ptr -161h
var_160		= dword	ptr -160h
var_148		= dword	ptr -148h
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_16E], cx
		lea	edi, [ebp+var_1CC]
		push	6
		pop	ecx
		xor	eax, eax
		xor	edx, edx
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_160]
		mov	[ebp+var_1A8], edx
		rep stosd
		lea	edi, [ebp+var_1B4]
		mov	[ebp+var_1A4], edx
		stosd
		lea	ecx, [ebp+var_198]
		mov	[ebp+var_19C], edx
		mov	bl, dl
		mov	[ebp+var_198], edx
		mov	[ebp+var_194], edx
		stosd
		mov	[ebp+var_161], dl
		mov	[ebp+var_174], edx
		mov	[ebp+var_180], edx
		mov	[ebp+var_1A0], edx
		mov	[ebp+var_184], edx
		mov	[ebp+var_168], edx
		mov	[ebp+var_18C], edx
		mov	[ebp+var_17C], edx
		stosd
		mov	[ebp+var_178], edx
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_169], al
		test	al, al
		jnz	short loc_9398BD
		mov	esi, 0C0000189h
		jmp	loc_939B95
; 

loc_9398BD:				; CODE XREF: CmpSaveBootControlSet(x)+B0j
		xor	eax, eax
		mov	[ebp+var_1CC], 18h
		mov	[ebp+var_1C8], eax
		mov	[ebp+var_1BC], eax
		mov	[ebp+var_1B8], eax
		lea	eax, [ebp+var_1CC]
		push	eax
		push	20019h
		lea	eax, [ebp+var_174]
		mov	[ebp+var_1C0], 240h
		push	eax
		mov	[ebp+var_1C4], offset _CmRegistryMachineSystemCurrentControlSet
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_939B95
		lea	eax, [ebp+var_17C]
		push	eax
		push	0
		push	0
		push	4
		push	[ebp+var_174]
		call	_ZwQuerySecurityObject@20 ; ZwQuerySecurityObject(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_939973
		mov	edx, [ebp+var_17C]
		xor	ecx, ecx
		push	20204D43h
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_939979
		lea	eax, [ebp+var_17C]
		push	eax
		push	[ebp+var_17C]
		push	edi
		push	4
		push	[ebp+var_174]
		call	_ZwQuerySecurityObject@20 ; ZwQuerySecurityObject(x,x,x,x,x)
		test	eax, eax
		jns	short loc_939979
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)
		xor	edi, edi
		jmp	short loc_939979
; 

loc_939973:				; CODE XREF: CmpSaveBootControlSet(x)+12Dj
		mov	edi, [ebp+var_18C]

loc_939979:				; CODE XREF: CmpSaveBootControlSet(x)+146j
					; CmpSaveBootControlSet(x)+165j ...
		mov	eax, 100h
		mov	word ptr [ebp+var_1A8+2], ax
		lea	eax, [ebp+var_108]
		mov	[ebp+var_1A4], eax
		movzx	eax, [ebp+var_16E]
		push	eax		; char
		lea	eax, [ebp+var_1A8]
		push	offset ??_C@_1FA@BCFKMFHE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; wchar_t *
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		add	esp, 0Ch
		mov	[ebp+var_1CC], 18h
		lea	eax, [ebp+var_1A8]
		mov	[ebp+var_1C0], 240h
		mov	[ebp+var_1C4], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_19C]
		mov	[ebp+var_1C8], ecx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_1CC]
		mov	[ebp+var_1BC], edi
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_184]
		mov	[ebp+var_1B8], ecx
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_939A10
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_939A10:				; CODE XREF: CmpSaveBootControlSet(x)+206j
		test	esi, esi
		js	loc_939B95
		push	0
		lea	eax, [ebp+var_180]
		mov	edx, 20019h
		push	eax
		push	0
		push	ecx
		mov	ecx, [ebp+var_174]
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_939B95
		push	0
		lea	eax, [ebp+var_168]
		mov	edx, 20006h
		push	eax
		push	0
		push	ecx
		mov	ecx, [ebp+var_184]
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_939B95
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	edi, [ebp+var_180]
		xor	edx, edx
		mov	ecx, edi
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_939B93
		xor	bl, bl

loc_939A84:				; CODE XREF: CmpSaveBootControlSet(x)+38Cj
		mov	ecx, [ebp+var_168]
		xor	edx, edx
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_939B93
		mov	eax, [ebp+var_168]
		lea	ecx, [ebp+var_1B4]
		push	ecx
		push	ecx
		mov	dl, 1
		mov	eax, [eax+8]
		mov	ecx, eax
		mov	[ebp-170h], eax
		call	CmpTryAcquireKcbIXLocks
		mov	esi, eax
		cmp	esi, 0C000022Dh
		jnz	short loc_939AC9
		mov	bh, 1
		jmp	short loc_939AD3
; 

loc_939AC9:				; CODE XREF: CmpSaveBootControlSet(x)+2C2j
		xor	bh, bh
		test	esi, esi
		js	loc_939B93

loc_939AD3:				; CODE XREF: CmpSaveBootControlSet(x)+2C6j
		mov	ecx, [ebp-170h]
		lea	eax, [ebp+var_1B4]
		push	eax
		xor	edx, edx
		call	_CmpPrepareToInvalidateAllHigherLayerKcbs@12 ; CmpPrepareToInvalidateAllHigherLayerKcbs(x,x,x)
		mov	esi, eax
		cmp	esi, 0C000022Dh
		jnz	short loc_939AF5
		mov	bh, 1
		jmp	short loc_939AFD
; 

loc_939AF5:				; CODE XREF: CmpSaveBootControlSet(x)+2EEj
		test	esi, esi
		js	loc_939B93

loc_939AFD:				; CODE XREF: CmpSaveBootControlSet(x)+2F2j
		mov	ecx, [ebp-170h]
		lea	eax, [ebp+var_1B4]
		push	eax
		xor	edx, edx
		call	_CmpPrepareForSubtreeInvalidation@12 ; CmpPrepareForSubtreeInvalidation(x,x,x)
		mov	esi, eax
		cmp	esi, 0C000022Dh
		jz	short loc_939B27
		test	esi, esi
		js	short loc_939B93
		test	bh, bh
		jz	loc_939C8F

loc_939B27:				; CODE XREF: CmpSaveBootControlSet(x)+318j
		mov	ecx, [ebp-170h]
		lea	eax, [ebp+var_1B4]
		push	eax
		push	0Ch
		pop	edx
		call	_CmpLogTransactionAbortedForRollbackPacket@12 ;	CmpLogTransactionAbortedForRollbackPacket(x,x,x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		lea	ecx, [ebp+var_1B4]
		call	_CmpAbortRollbackPacket@8 ; CmpAbortRollbackPacket(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_939B95
		lea	ecx, [ebp+var_178]
		call	_CmpRetryBackOff@4 ; CmpRetryBackOff(x)
		lea	ecx, [ebp+var_1B4]
		call	CmpCleanupRollbackPacket
		xor	eax, eax
		lea	edi, [ebp+var_1B4]
		stosd
		stosd
		stosd
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	edi, [ebp+var_180]
		xor	edx, edx
		mov	ecx, edi
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		jns	loc_939A84

loc_939B93:				; CODE XREF: CmpSaveBootControlSet(x)+27Bj
					; CmpSaveBootControlSet(x)+294j ...
		mov	bl, 1

loc_939B95:				; CODE XREF: CmpSaveBootControlSet(x)+B7j
					; CmpSaveBootControlSet(x)+10Aj ...
		mov	edi, [ebp+var_168]
		mov	bh, [ebp+var_161]

loc_939BA1:				; CODE XREF: CmpSaveBootControlSet(x)+535j
					; CmpSaveBootControlSet(x)+53Cj
		xor	dl, dl
		lea	ecx, [ebp+var_198]
		call	CmpDrainDelayDerefContext
		test	bl, bl
		jz	short loc_939BB7
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_939BB7:				; CODE XREF: CmpSaveBootControlSet(x)+3AFj
		test	bh, bh
		jz	short loc_939BC8
		xor	edx, edx
		lea	ecx, [ebp+var_160]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_939BC8:				; CODE XREF: CmpSaveBootControlSet(x)+3B8j
		lea	ecx, [ebp+var_1B4]
		call	CmpCleanupRollbackPacket
		mov	ecx, [ebp+var_180]
		test	ecx, ecx
		jz	short loc_939BE2
		call	ObfDereferenceObject

loc_939BE2:				; CODE XREF: CmpSaveBootControlSet(x)+3DAj
		test	edi, edi
		jz	short loc_939BED
		mov	ecx, edi
		call	ObfDereferenceObject

loc_939BED:				; CODE XREF: CmpSaveBootControlSet(x)+3E3j
		cmp	[ebp+var_174], 0
		jz	short loc_939C01
		push	[ebp+var_174]
		call	_ZwClose@4	; ZwClose(x)

loc_939C01:				; CODE XREF: CmpSaveBootControlSet(x)+3F3j
		cmp	[ebp+var_184], 0
		jz	short loc_939C15
		push	[ebp+var_184]
		call	_ZwClose@4	; ZwClose(x)

loc_939C15:				; CODE XREF: CmpSaveBootControlSet(x)+407j
		cmp	[ebp+var_169], 0
		jz	short loc_939C23
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_939C23:				; CODE XREF: CmpSaveBootControlSet(x)+41Bj
		test	esi, esi
		js	loc_939D42
		cmp	dword_6B2348, 5
		jbe	loc_939DD5
		push	4000h
		xor	ebx, ebx
		mov	edi, offset dword_6B2348
		push	ebx
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_939DD5
		mov	eax, [ebp+var_1A0]
		mov	[ebp+var_178], eax
		lea	eax, [ebp+var_178]
		push	4
		mov	[ebp+var_128], eax
		lea	eax, [ebp+var_190]
		pop	ecx
		mov	[ebp+var_118], eax
		lea	eax, [ebp+var_148]
		push	eax
		push	ecx
		push	ebx
		push	ebx
		push	offset loc_4198E6
		jmp	loc_939D97
; 

loc_939C8F:				; CODE XREF: CmpSaveBootControlSet(x)+320j
		mov	ebx, [ebp-170h]
		lea	eax, [ebp+var_198]
		push	eax
		push	0
		push	8
		pop	edx
		mov	ecx, ebx
		call	_CmpInvalidateAllHigherLayerKcbs@16 ; CmpInvalidateAllHigherLayerKcbs(x,x,x,x)
		lea	eax, [ebp+var_1A0]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_198]
		push	eax
		push	0
		push	8
		pop	edx
		call	_CmpInvalidateSubtree@20 ; CmpInvalidateSubtree(x,x,x,x,x)
		lea	ecx, [ebp+var_160]
		call	CmpAttachToRegistryProcess
		cmp	[ebp+var_19C], 1
		mov	bh, 1
		mov	eax, [ebp+var_168]
		jnz	short loc_939CF4
		mov	ecx, [eax+8]
		xor	esi, esi
		mov	eax, [edi+8]
		mov	edi, [eax+10h]
		mov	edx, [eax+14h]
		mov	eax, [ecx+10h]
		mov	ecx, [ecx+14h]
		jmp	short loc_939D09
; 

loc_939CF4:				; CODE XREF: CmpSaveBootControlSet(x)+4DBj
		mov	esi, [eax+8]
		mov	eax, [edi+8]
		mov	ecx, [esi+14h]
		mov	edi, [eax+10h]
		mov	edx, [eax+14h]
		mov	eax, [esi+10h]
		xor	esi, esi
		inc	esi

loc_939D09:				; CODE XREF: CmpSaveBootControlSet(x)+4F1j
		push	esi
		push	2
		push	ecx
		push	eax
		mov	ecx, edi
		call	_CmpCopySyncTree@24 ; CmpCopySyncTree(x,x,x,x,x,x)
		mov	edi, [ebp+var_168]
		lea	edx, [ebp+var_198]
		mov	bl, al
		mov	ecx, [edi+8]
		call	_CmpRebuildKcbCache@8 ;	CmpRebuildKcbCache(x,x)
		test	bl, bl
		mov	bl, 1
		jnz	short loc_939D3B
		mov	esi, 0C000014Ch
		jmp	loc_939BA1
; 

loc_939D3B:				; CODE XREF: CmpSaveBootControlSet(x)+52Ej
		xor	esi, esi
		jmp	loc_939BA1
; 

loc_939D42:				; CODE XREF: CmpSaveBootControlSet(x)+424j
		cmp	dword_6B2348, 5
		jbe	loc_939DD5
		push	4000h
		xor	ebx, ebx
		mov	edi, offset dword_6B2348
		push	ebx
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_939DD5
		lea	eax, [ebp+var_178]
		mov	[ebp+var_178], esi
		push	4
		mov	[ebp+var_128], eax
		lea	eax, [ebp+var_190]
		pop	ecx
		mov	[ebp+var_118], eax
		lea	eax, [ebp+var_148]
		push	eax
		push	ecx
		push	ebx
		push	ebx
		push	offset byte_4198A1

loc_939D97:				; CODE XREF: CmpSaveBootControlSet(x)+489j
		push	edi
		mov	[ebp+var_124], ebx
		mov	[ebp+var_120], ecx
		mov	[ebp+var_11C], ebx
		mov	[ebp+var_190], 1000000h
		mov	[ebp+var_18C], ebx
		mov	[ebp+var_114], ebx
		mov	[ebp+var_110], 8
		mov	[ebp+var_10C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_939DD5:				; CODE XREF: CmpSaveBootControlSet(x)+431j
					; CmpSaveBootControlSet(x)+44Dj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpSaveBootControlSet@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmInitializeProcessor(x)
_CmInitializeProcessor@4 proc near	; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+437p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_38], 18h
		xor	esi, esi
		mov	[ebp+var_2C], 240h
		lea	edi, [ebp+var_10]
		mov	[ebp+var_14], esi
		stosd
		mov	ebx, ecx
		push	esi
		push	esi
		push	esi
		stosd
		push	esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], offset _CmRegistryMachineHardwareDescriptionSystemName
		stosd
		lea	eax, [ebp+var_38]
		push	eax
		push	20019h
		lea	eax, [ebp+var_14]
		mov	[ebp+var_28], esi
		push	eax
		mov	[ebp+var_24], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_939EB9
		push	20204D43h
		push	ds:_CmpConfigurationAreaSize
		xor	edi, edi
		inc	edi
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:_CmpConfigurationData, eax
		test	eax, eax
		jnz	short loc_939E66
		mov	esi, 0C000009Ah
		jmp	short loc_939EAF
; 

loc_939E66:				; CODE XREF: CmInitializeProcessor(x)+77j
		mov	ecx, [ebx+3CCh]
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_20]
		shl	edi, cl
		push	eax
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_20], edi
		call	KeSetSystemGroupAffinityThread
		push	[ebp+var_14]
		mov	edx, [ebx+3CCh]
		mov	ecx, ebx
		call	CmpAddProcessorConfigurationEntry
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		push	esi
		push	ds:_CmpConfigurationData
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ds:_CmpConfigurationData, esi

loc_939EAF:				; CODE XREF: CmInitializeProcessor(x)+7Ej
		push	[ebp+var_14]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi

loc_939EB9:				; CODE XREF: CmInitializeProcessor(x)+5Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmInitializeProcessor@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmIsStateSeparationDevModeEnabled()
_CmIsStateSeparationDevModeEnabled@0 proc near ; CODE XREF: INIT:00AC2C77p
		cmp	_CmStateSeparationDevMode, 0
		setnz	al
		retn
_CmIsStateSeparationDevModeEnabled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtCompactKeys(int,void *)
_NtCompactKeys@8 proc near		; DATA XREF: .text:005811ACo

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	28h
		push	offset dword_6A7828
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	edi, ebx
		mov	eax, ebx
		mov	[ebp+var_28], eax
		mov	[ebp+var_19], al
		mov	[ebp+var_1A], al
		call	_CmCheckNoTxContext@0 ;	CmCheckNoTxContext()
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_93A0FD
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_1B], al
		mov	byte ptr [ebp+var_2C], al
		push	[ebp+var_2C]
		push	ds:dword_A949E4
		push	ds:_SeBackupPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_939F37
		mov	esi, 0C0000061h

loc_939F2F:				; CODE XREF: NtCompactKeys(x,x)+6Dj
					; NtCompactKeys(x,x)+7Cj ...
		mov	[ebp+var_24], esi
		jmp	loc_93A0FD
; 

loc_939F37:				; CODE XREF: NtCompactKeys(x,x)+55j
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_939F42
		mov	esi, ebx
		jmp	short loc_939F2F
; 

loc_939F42:				; CODE XREF: NtCompactKeys(x,x)+69j
		cmp	esi, 3FFFFFFFh
		jb	short loc_939F51

loc_939F4A:				; CODE XREF: NtCompactKeys(x,x)+1B0j
					; NtCompactKeys(x,x)+1BDj ...
		mov	esi, 0C000000Dh
		jmp	short loc_939F2F
; 

loc_939F51:				; CODE XREF: NtCompactKeys(x,x)+75j
		mov	edx, esi
		shl	edx, 2
		push	61624D43h
		call	_CmpAllocateTransientPoolWithQuotaTag@12 ; CmpAllocateTransientPoolWithQuotaTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_30], edi
		test	edi, edi
		jnz	short loc_939F70
		mov	esi, 0C000009Ah
		jmp	short loc_939F2F
; 

loc_939F70:				; CODE XREF: NtCompactKeys(x,x)+94j
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, esi
		shl	eax, 2
		cmp	[ebp+var_1B], 1
		jnz	short loc_939FA8
		test	eax, eax
		jz	short loc_939FA8
		test	byte ptr [ebp+arg_4], 3
		jz	short loc_939F8D
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_939F8D:				; CODE XREF: NtCompactKeys(x,x)+B3j
		mov	edx, [ebp+arg_4]
		lea	ecx, [eax+edx]
		mov	[ebp+var_24], ecx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	[ebp+var_24], ecx
		ja	short loc_939FA6
		cmp	[ebp+var_24], edx
		jnb	short loc_939FA8

loc_939FA6:				; CODE XREF: NtCompactKeys(x,x)+CCj
		mov	[ecx], bl

loc_939FA8:				; CODE XREF: NtCompactKeys(x,x)+A9j
					; NtCompactKeys(x,x)+ADj ...
		push	eax		; size_t
		push	[ebp+arg_4]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		jz	short loc_939FFB
		mov	eax, edi
		mov	[ebp+arg_4], edi

loc_939FC5:				; CODE XREF: NtCompactKeys(x,x)+126j
		push	ebx
		push	eax
		push	[ebp+var_2C]
		push	ecx
		mov	edx, 20006h
		mov	ecx, [eax]
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_93A0FD
		mov	ecx, [ebp+var_28]
		inc	ecx
		mov	[ebp+var_28], ecx
		mov	eax, [ebp+arg_4]
		add	eax, 4
		mov	[ebp+arg_4], eax
		mov	esi, [ebp+arg_0]
		cmp	ecx, esi
		jb	short loc_939FC5

loc_939FFB:				; CODE XREF: NtCompactKeys(x,x)+EBj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	[ebp+var_1A], al
		test	al, al
		jnz	short loc_93A037
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	al, [ebp+var_1A]
		test	al, al
		jnz	short loc_93A037
		mov	esi, 0C0000189h
		jmp	loc_939F2F
; 

loc_93A037:				; CODE XREF: NtCompactKeys(x,x)+145j
					; NtCompactKeys(x,x)+158j
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	[ebp+var_19], 1
		mov	[ebp+arg_4], ebx
		mov	ecx, ebx
		mov	[ebp+var_2C], ecx
		test	esi, esi
		jz	short loc_93A0AE

loc_93A04C:				; CODE XREF: NtCompactKeys(x,x)+1D9j
		mov	eax, [edi+ecx*4]
		mov	[ebp+var_30], eax
		xor	edx, edx
		mov	ecx, eax
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_93A0FD
		mov	eax, [ebp+var_30]
		mov	eax, [eax+8]
		mov	ecx, [ebp+var_2C]
		test	ecx, ecx
		jnz	short loc_93A07D
		mov	edx, [eax+10h]
		mov	[ebp+arg_4], edx
		jmp	short loc_93A080
; 

loc_93A07D:				; CODE XREF: NtCompactKeys(x,x)+1A0j
		mov	edx, [ebp+arg_4]

loc_93A080:				; CODE XREF: NtCompactKeys(x,x)+1A8j
		cmp	edx, [eax+10h]
		jnz	loc_939F4A
		movzx	edx, word ptr [eax+6Ah]
		test	dl, 4
		jnz	loc_939F4A
		test	dl, 10h
		jnz	loc_939F4A
		cmp	[eax+22h], bx
		jnz	short loc_93A0C5
		inc	ecx
		mov	[ebp+var_2C], ecx
		cmp	ecx, [ebp+arg_0]
		jb	short loc_93A04C

loc_93A0AE:				; CODE XREF: NtCompactKeys(x,x)+177j
		mov	esi, ebx
		mov	[ebp+var_24], esi
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	[ebp+var_19], bl
		push	7
		pop	ecx
		call	_CmpLogUnsupportedOperation@4 ;	CmpLogUnsupportedOperation(x)
		jmp	short loc_93A0FD
; 

loc_93A0C5:				; CODE XREF: NtCompactKeys(x,x)+1D0j
		mov	esi, 0C0000002h
		jmp	loc_939F2F
; 

loc_93A0CF:				; DATA XREF: .text:006A783Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_93A0DD:				; DATA XREF: .text:006A7840o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_34]
		mov	[ebp+var_24], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, [ebp+var_30]
		mov	eax, ebx
		mov	[ebp+var_28], eax
		mov	[ebp+var_19], al
		mov	[ebp+var_1A], al

loc_93A0FD:				; CODE XREF: NtCompactKeys(x,x)+27j
					; NtCompactKeys(x,x)+5Fj ...
		cmp	[ebp+var_19], 0
		jz	short loc_93A108
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_93A108:				; CODE XREF: NtCompactKeys(x,x)+22Ej
		cmp	[ebp+var_1A], 0
		jz	short loc_93A124
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_93A124:				; CODE XREF: NtCompactKeys(x,x)+239j
		test	edi, edi
		jz	short loc_93A148
		cmp	[ebp+var_28], 0
		jbe	short loc_93A141
		mov	esi, [ebp+var_28]

loc_93A131:				; CODE XREF: NtCompactKeys(x,x)+269j
		mov	ecx, [edi+ebx*4]
		call	ObfDereferenceObject
		inc	ebx
		cmp	ebx, esi
		jb	short loc_93A131
		mov	esi, [ebp+var_24]

loc_93A141:				; CODE XREF: NtCompactKeys(x,x)+259j
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_93A148:				; CODE XREF: NtCompactKeys(x,x)+253j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtCompactKeys@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCompressKey(x)
_NtCompressKey@4 proc near		; DATA XREF: .text:00581198o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		and	[esp+30h+var_24], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+38h+var_1C]
		rep stosd
		call	_CmCheckNoTxContext@0 ;	CmCheckNoTxContext()
		mov	esi, eax
		test	esi, esi
		js	loc_93A2A5
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+38h+var_28], al
		push	[esp+38h+var_28]
		push	ds:dword_A949E4
		push	ds:_SeBackupPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_93A1C9
		mov	esi, 0C0000061h
		jmp	loc_93A2A5
; 

loc_93A1C9:				; CODE XREF: NtCompressKey(x)+61j
		mov	eax, ebx
		mov	edx, 20006h
		and	eax, 3
		push	0
		mov	[esp+3Ch+var_20], eax
		lea	eax, [esp+3Ch+var_24]
		push	eax
		push	[esp+40h+var_28]
		push	ecx
		mov	ecx, ebx
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [esp+38h+var_24]
		mov	esi, eax
		test	esi, esi
		js	loc_93A29A
		call	CmpAcquireShutdownRundown
		test	al, al
		jnz	short loc_93A24E
		mov	esi, 0C0000189h
		jmp	loc_93A29A
; 

loc_93A20B:				; CODE XREF: NtCompressKey(x)+104j
		mov	eax, [edi+8]
		mov	esi, [eax+10h]
		mov	eax, [eax+14h]
		mov	ecx, [esi+20h]
		cmp	eax, [ecx+24h]
		jnz	short loc_93A28B
		lea	ebx, [esi+9C8h]
		mov	ecx, ebx
		call	_CmpIsWriteQueueActive@4 ; CmpIsWriteQueueActive(x)
		test	al, al
		jnz	short loc_93A23E
		lea	ebx, [esi+9C0h]
		mov	ecx, ebx
		call	_CmpIsWriteQueueActive@4 ; CmpIsWriteQueueActive(x)
		test	al, al
		jz	short loc_93A264

loc_93A23E:				; CODE XREF: NtCompressKey(x)+CFj
		mov	ecx, esi
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		mov	edx, ebx
		mov	ecx, esi
		call	_CmpWaitOnHiveWriteQueue@8 ; CmpWaitOnHiveWriteQueue(x,x)

loc_93A24E:				; CODE XREF: NtCompressKey(x)+A3j
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		xor	edx, edx
		mov	ecx, edi
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		jns	short loc_93A20B
		jmp	short loc_93A290
; 

loc_93A264:				; CODE XREF: NtCompressKey(x)+E0j
		lea	ecx, [esp+38h+var_1C]
		call	CmpAttachToRegistryProcess
		mov	ecx, [edi+8]
		mov	edx, [esp+38h+var_20]
		mov	ecx, [ecx+10h]
		call	_CmCompressKey@8 ; CmCompressKey(x,x)
		xor	edx, edx
		lea	ecx, [esp+38h+var_1C]
		mov	esi, eax
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	short loc_93A290
; 

loc_93A28B:				; CODE XREF: NtCompressKey(x)+BEj
		mov	esi, 0C000000Dh

loc_93A290:				; CODE XREF: NtCompressKey(x)+106j
					; NtCompressKey(x)+12Dj
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_93A29A:				; CODE XREF: NtCompressKey(x)+96j
					; NtCompressKey(x)+AAj
		test	edi, edi
		jz	short loc_93A2A5
		mov	ecx, edi
		call	ObfDereferenceObject

loc_93A2A5:				; CODE XREF: NtCompressKey(x)+34j
					; NtCompressKey(x)+68j	...
		mov	ecx, [esp+38h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_NtCompressKey@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtFreezeRegistry(x)
_NtFreezeRegistry@4 proc near		; DATA XREF: .text:00581028o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+20h+var_4], eax
		push	esi
		push	edi
		push	6
		xor	eax, eax
		lea	edi, [esp+2Ch+var_1C]
		cmp	[ebp+arg_0], 384h
		pop	ecx
		rep stosd
		jbe	short loc_93A2EE
		mov	esi, 0C000000Dh
		jmp	short loc_93A33C
; 

loc_93A2EE:				; CODE XREF: NtFreezeRegistry(x)+2Aj
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+28h+var_20], al
		push	[esp+28h+var_20]
		push	ds:dword_A949E4
		push	ds:_SeBackupPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_93A31E
		mov	esi, 0C0000061h
		jmp	short loc_93A33C
; 

loc_93A31E:				; CODE XREF: NtFreezeRegistry(x)+5Aj
		lea	ecx, [esp+28h+var_1C]
		call	CmpAttachToRegistryProcess
		mov	ecx, [ebp+arg_0]
		call	_CmFreezeRegistry@4 ; CmFreezeRegistry(x)
		xor	edx, edx
		lea	ecx, [esp+28h+var_1C]
		mov	esi, eax
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_93A33C:				; CODE XREF: NtFreezeRegistry(x)+31j
					; NtFreezeRegistry(x)+61j
		mov	ecx, [esp+28h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_NtFreezeRegistry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtOpenKeyTransacted(x, x, x, x)
_NtOpenKeyTransacted@16	proc near	; DATA XREF: .text:00580F3Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	NtOpenKeyTransactedEx
		pop	ebp
		retn	10h
_NtOpenKeyTransacted@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtOpenRegistryTransaction(x, x, x)
_NtOpenRegistryTransaction@12 proc near	; DATA XREF: .text:005812B4o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	1Ch
		push	offset dword_6A7800
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_20], esi
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	bl, al
		mov	[ebp+var_19], bl
		test	bl, bl
		jnz	short loc_93A3B9
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, bl
		jnz	short loc_93A3B9
		mov	esi, 0C0000189h
		jmp	loc_93A472
; 

loc_93A3B9:				; CODE XREF: NtOpenRegistryTransaction(x,x,x)+30j
					; NtOpenRegistryTransaction(x,x,x)+40j
		mov	eax, large fs:124h
		mov	bh, [eax+15Ah]
		mov	byte ptr [ebp+var_28], bh
		cmp	bh, 1
		jnz	short loc_93A40C
		mov	[ebp+ms_exc.disabled], esi
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edi, ecx
		jb	short loc_93A3E1
		mov	eax, ecx

loc_93A3E1:				; CODE XREF: NtOpenRegistryTransaction(x,x,x)+70j
		mov	[eax], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_93A411
; 

loc_93A3EC:				; DATA XREF: .text:006A7814o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_93A3FA:				; DATA XREF: .text:006A7818o
		mov	esi, [ebp+var_24]

loc_93A3FD:				; CODE XREF: NtOpenRegistryTransaction(x,x,x)+F8j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	bl, [ebp+var_19]
		jmp	short loc_93A472
; 

loc_93A40C:				; CODE XREF: NtOpenRegistryTransaction(x,x,x)+5Ej
		mov	edi, [ebp+arg_0]
		mov	[edi], esi

loc_93A411:				; CODE XREF: NtOpenRegistryTransaction(x,x,x)+7Dj
		mov	esi, _CmRegistryTransactionType
		lea	eax, [ebp+var_20]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	0
		push	[ebp+arg_4]
		push	0
		push	[ebp+var_28]
		push	esi
		push	[ebp+arg_8]
		call	ObOpenObjectByNameEx
		mov	esi, eax
		test	esi, esi
		js	short loc_93A472
		cmp	bh, 1
		jnz	short loc_93A467
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_20]
		mov	[edi], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_93A46C
; 

loc_93A454:				; DATA XREF: .text:006A7820o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_93A462:				; DATA XREF: .text:006A7824o
		mov	esi, [ebp+var_2C]
		jmp	short loc_93A3FD
; 

loc_93A467:				; CODE XREF: NtOpenRegistryTransaction(x,x,x)+D0j
		mov	eax, [ebp+var_20]
		mov	[edi], eax

loc_93A46C:				; CODE XREF: NtOpenRegistryTransaction(x,x,x)+E5j
		and	[ebp+var_20], 0
		xor	esi, esi

loc_93A472:				; CODE XREF: NtOpenRegistryTransaction(x,x,x)+47j
					; NtOpenRegistryTransaction(x,x,x)+9Dj	...
		cmp	[ebp+var_20], 0
		jz	short loc_93A480
		push	[ebp+var_20]
		call	NtClose

loc_93A480:				; CODE XREF: NtOpenRegistryTransaction(x,x,x)+109j
		test	bl, bl
		jz	short loc_93A49A
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_93A49A:				; CODE XREF: NtOpenRegistryTransaction(x,x,x)+115j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_NtOpenRegistryTransaction@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryOpenSubKeys(x, x)
_NtQueryOpenSubKeys@8 proc near		; DATA XREF: .text:00580E2Co

var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EA		= byte ptr -0EAh
var_E9		= byte ptr -0E9h
var_E8		= dword	ptr -0E8h
var_AC		= dword	ptr -0ACh
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_6C		= dword	ptr -6Ch
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	0F8h
		push	offset dword_6A78A0
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_F8], eax
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_FC], esi
		xor	ebx, ebx
		mov	[ebp+var_108], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		mov	[ebp+var_F0], ebx
		push	0B4h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_E8]
		push	eax		; void *
		call	_memset
		or	[ebp+var_AC], 0FFFFFFFFh
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], ebx
		lea	eax, [ebp+var_90]
		mov	[ebp+var_8C], eax
		mov	[ebp+var_90], eax
		push	38h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	[ebp+var_E9], bl
		call	CmpAcquireShutdownRundown
		mov	bh, al
		mov	[ebp+var_EA], bh
		test	bh, bh
		jnz	short loc_93A54E
		mov	esi, 0C0000189h
		jmp	loc_93A679
; 

loc_93A54E:				; CODE XREF: NtQueryOpenSubKeys(x,x)+94j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_F4], al
		and	[ebp+ms_exc.disabled], 0
		cmp	al, 1
		jnz	short loc_93A579
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_93A575
		mov	ecx, eax

loc_93A575:				; CODE XREF: NtQueryOpenSubKeys(x,x)+C3j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_93A579:				; CODE XREF: NtQueryOpenSubKeys(x,x)+B8j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [ebp+var_F0]
		push	eax
		lea	eax, [ebp+var_E8]
		push	eax
		push	[ebp+var_F4]
		push	ds:_CmKeyObjectType
		push	20019h
		xor	edx, edx
		mov	ecx, [ebp+var_F8]
		call	ObReferenceObjectByNameEx
		mov	esi, eax
		test	esi, esi
		js	loc_93A679
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	bl, 1
		xor	edx, edx
		mov	edi, [ebp+var_F0]
		mov	ecx, edi
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_93A679
		mov	eax, [edi+8]
		test	dword ptr [eax+68h], 40000h
		jnz	short loc_93A5EC
		mov	esi, 0C000000Dh
		jmp	loc_93A679
; 

loc_93A5EC:				; CODE XREF: NtQueryOpenSubKeys(x,x)+132j
		lea	ecx, [ebp+var_34]
		call	CmpAttachToRegistryProcess
		push	0
		xor	edx, edx
		mov	ecx, [edi+8]
		call	CmpSearchForOpenSubKeys
		mov	esi, eax
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	bl, bl
		mov	[ebp+var_E9], bl
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_FC]
		mov	[eax], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	esi, esi
		jmp	short loc_93A679
; 

loc_93A633:				; DATA XREF: .text:006A78C0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_100], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_93A644:				; DATA XREF: .text:006A78C4o
		mov	esi, [ebp+var_100]
		jmp	short loc_93A663
; 

loc_93A64C:				; DATA XREF: .text:006A78B4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_104], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_93A65D:				; DATA XREF: .text:006A78B8o
		mov	esi, [ebp+var_104]

loc_93A663:				; CODE XREF: NtQueryOpenSubKeys(x,x)+19Cj
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	bh, [ebp+var_EA]
		mov	bl, [ebp+var_E9]

loc_93A679:				; CODE XREF: NtQueryOpenSubKeys(x,x)+9Bj
					; NtQueryOpenSubKeys(x,x)+102j	...
		test	bl, bl
		jz	short loc_93A682
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_93A682:				; CODE XREF: NtQueryOpenSubKeys(x,x)+1CDj
		xor	dl, dl
		lea	ecx, [ebp+var_E8]
		call	CmpCleanupParseContext
		test	bh, bh
		jz	short loc_93A698
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_93A698:				; CODE XREF: NtQueryOpenSubKeys(x,x)+1E3j
		mov	edi, [ebp+var_F0]
		test	edi, edi
		jz	short loc_93A6A9
		mov	ecx, edi
		call	ObfDereferenceObject

loc_93A6A9:				; CODE XREF: NtQueryOpenSubKeys(x,x)+1F2j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtQueryOpenSubKeys@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryOpenSubKeysEx(x, x, x, x)
_NtQueryOpenSubKeysEx@16 proc near	; DATA XREF: .text:00580E28o

var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EB		= byte ptr -0EBh
var_EA		= byte ptr -0EAh
var_E9		= byte ptr -0E9h
var_E8		= dword	ptr -0E8h
var_AC		= dword	ptr -0ACh
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_6C		= dword	ptr -6Ch
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	11Ch
		push	offset dword_6A7868
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_118], eax
		mov	ebx, [ebp+arg_4]
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_11C], esi
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_F8], eax
		xor	edx, edx
		mov	[ebp+var_12C], edx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		mov	[ebp+var_F0], edx
		push	0B4h		; size_t
		push	edx		; int
		lea	eax, [ebp+var_E8]
		push	eax		; void *
		call	_memset
		or	[ebp+var_AC], 0FFFFFFFFh
		xor	ecx, ecx
		mov	[ebp+var_90], ecx
		mov	[ebp+var_8C], ecx
		lea	eax, [ebp+var_90]
		mov	[ebp+var_8C], eax
		mov	[ebp+var_90], eax
		push	38h		; size_t
		push	ecx		; int
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memset
		add	esp, 18h
		push	7
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_114]
		rep stosd
		mov	[ebp+var_E9], al
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_EB], al
		test	al, al
		jnz	short loc_93A776
		mov	esi, 0C0000189h
		jmp	loc_93A9D3
; 

loc_93A776:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+ADj
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_EA], al
		mov	byte ptr [ebp+var_F4], al
		push	[ebp+var_F4]
		push	ds:dword_A949DC
		push	ds:_SeRestorePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_93A7B3
		mov	esi, 0C0000061h
		jmp	loc_93A9D3
; 

loc_93A7B3:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+EAj
		cmp	ebx, 4
		jnb	short loc_93A7C2
		mov	esi, 0C0000023h
		jmp	loc_93A9D3
; 

loc_93A7C2:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+F9j
		test	bl, 1
		jz	short loc_93A7D1

loc_93A7C7:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+1E4j
		mov	esi, 0C000000Dh
		jmp	loc_93A9D3
; 

loc_93A7D1:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+108j
		and	[ebp+ms_exc.disabled], 0
		cmp	[ebp+var_EA], 1
		jnz	short loc_93A7FE
		mov	edx, [ebp+var_F8]
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_93A7F1
		mov	ecx, eax

loc_93A7F1:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+130j
		mov	eax, [ecx]
		mov	[ecx], eax
		push	4
		push	ebx
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_93A7FE:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+11Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [ebp+var_F0]
		push	eax
		lea	eax, [ebp+var_E8]
		push	eax
		push	[ebp+var_F4]
		push	ds:_CmKeyObjectType
		push	20019h
		xor	edx, edx
		mov	ecx, [ebp+var_118]
		call	ObReferenceObjectByNameEx
		mov	esi, eax
		test	esi, esi
		js	loc_93A9D3
		mov	[ebp+var_114], ebx
		push	31384D43h
		mov	edx, ebx
		call	_CmpAllocateTransientPoolWithQuotaTag@12 ; CmpAllocateTransientPoolWithQuotaTag(x,x,x)
		mov	[ebp+var_110], eax
		test	eax, eax
		jnz	short loc_93A861
		mov	esi, 0C000009Ah
		jmp	loc_93A9D3
; 

loc_93A861:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+198j
		push	[ebp+var_114]	; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	[ebp+var_E9], 1
		xor	edx, edx
		mov	edi, [ebp+var_F0]
		mov	ecx, edi
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_93A9D3
		mov	eax, [edi+8]
		test	dword ptr [eax+68h], 40000h
		jz	loc_93A7C7
		mov	eax, [ebp+var_110]
		and	dword ptr [eax], 0
		push	4
		pop	eax
		mov	[ebp+var_10C], eax
		mov	[ebp+var_104], eax
		mov	eax, [ebp+var_110]
		add	eax, ebx
		mov	[ebp+var_FC], eax
		mov	eax, edi
		mov	[ebp+var_100], eax
		and	[ebp+var_108], 0
		lea	ecx, [ebp+var_34]
		call	CmpAttachToRegistryProcess
		lea	eax, [ebp+var_114]
		push	eax
		xor	edx, edx
		mov	ecx, [edi+8]
		call	CmpSearchForOpenSubKeys
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	esi, [ebp+var_108]
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	[ebp+var_E9], 0
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_10C]
		mov	ecx, [ebp+var_F8]
		mov	[ecx], eax
		mov	ecx, [ebp+var_110]
		mov	eax, [ecx]
		mov	edi, [ebp+var_11C]
		mov	[edi], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		js	loc_93A9D3
		mov	edx, ecx
		sub	edx, edi
		xor	esi, esi
		cmp	[ecx], esi
		jbe	short loc_93A963
		xor	eax, eax

loc_93A951:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+2A4j
		sub	[eax+ecx+0Ch], edx
		inc	esi
		lea	eax, [eax+0Ch]
		mov	ecx, [ebp+var_110]
		cmp	esi, [ecx]
		jb	short loc_93A951

loc_93A963:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+290j
		mov	[ebp+ms_exc.disabled], 2
		push	ebx		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	esi, esi
		jmp	short loc_93A9D3
; 

loc_93A980:				; DATA XREF: .text:006A7894o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_120], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_93A991:				; DATA XREF: .text:006A7898o
		mov	esi, [ebp+var_120]
		jmp	short loc_93A9C9
; 

loc_93A999:				; DATA XREF: .text:006A7888o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_124], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_93A9AA:				; DATA XREF: .text:006A788Co
		mov	esi, [ebp+var_124]
		jmp	short loc_93A9C9
; 

loc_93A9B2:				; DATA XREF: .text:006A787Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_128], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_93A9C3:				; DATA XREF: .text:006A7880o
		mov	esi, [ebp+var_128]

loc_93A9C9:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+2DAj
					; NtQueryOpenSubKeysEx(x,x,x,x)+2F3j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_93A9D3:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+B4j
					; NtQueryOpenSubKeysEx(x,x,x,x)+F1j ...
		cmp	[ebp+var_E9], 0
		jz	short loc_93A9E1
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_93A9E1:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+31Dj
		xor	dl, dl
		lea	ecx, [ebp+var_E8]
		call	CmpCleanupParseContext
		cmp	[ebp+var_EB], 0
		jz	short loc_93A9FC
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_93A9FC:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+338j
		mov	edi, [ebp+var_F0]
		test	edi, edi
		jz	short loc_93AA0D
		mov	ecx, edi
		call	ObfDereferenceObject

loc_93AA0D:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+347j
		mov	ecx, [ebp+var_110]
		test	ecx, ecx
		jz	short loc_93AA1C
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_93AA1C:				; CODE XREF: NtQueryOpenSubKeysEx(x,x,x,x)+358j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_NtQueryOpenSubKeysEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtRenameKey(x, x)
_NtRenameKey@8	proc near		; DATA XREF: .text:00580D78o

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= byte ptr -48h
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= byte ptr -38h
var_37		= byte ptr -37h
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	88h
		push	offset dword_6A7848
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_6C], eax
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		mov	[ebp+var_45], bl
		mov	[ebp+var_38], al
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_4C], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_36], al
		mov	byte ptr [ebp+var_50], al
		mov	[ebp+var_37], bl
		xor	eax, eax
		lea	edi, [ebp+var_98]
		stosd
		stosd
		stosd
		stosd
		stosd
		or	[ebp+var_84], 0FFFFFFFFh
		lea	eax, [ebp+var_60]
		mov	[ebp+var_5C], eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_54], ebx
		xor	eax, eax
		lea	edi, [ebp+var_80]
		stosd
		stosd
		stosd
		stosd
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_48], al
		test	al, al
		jnz	short loc_93AABC
		mov	esi, 0C0000189h

loc_93AAB5:				; CODE XREF: NtRenameKey(x,x)+2DFj
		mov	al, bl
		jmp	loc_93AD3A
; 

loc_93AABC:				; CODE XREF: NtRenameKey(x,x)+7Ej
		mov	[ebp+ms_exc.disabled], ebx
		mov	cl, [ebp+var_36]
		cmp	cl, 1
		jnz	short loc_93AB17
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_93AAD8
		mov	esi, eax

loc_93AAD8:				; CODE XREF: NtRenameKey(x,x)+A4j
		nop
		mov	ecx, [esi]
		mov	[ebp+var_68], ecx
		mov	ebx, [esi+4]
		mov	[ebp+var_64], ebx
		mov	eax, [ebp+var_68]
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], ebx
		movzx	eax, cx
		test	ax, ax
		jz	short loc_93AB26
		test	bl, 1
		jnz	loc_93ADA8
		add	eax, ebx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_93AB0E
		cmp	eax, ebx
		jnb	short loc_93AB26

loc_93AB0E:				; CODE XREF: NtRenameKey(x,x)+D8j
		xor	eax, eax
		mov	[ecx], al
		mov	ebx, [ebp+var_40]
		jmp	short loc_93AB28
; 

loc_93AB17:				; CODE XREF: NtRenameKey(x,x)+95j
		mov	eax, [esi]
		mov	[ebp+var_44], eax
		mov	ebx, [esi+4]
		mov	[ebp+var_40], ebx
		xor	eax, eax
		jmp	short loc_93AB2B
; 

loc_93AB26:				; CODE XREF: NtRenameKey(x,x)+C3j
					; NtRenameKey(x,x)+DCj
		xor	eax, eax

loc_93AB28:				; CODE XREF: NtRenameKey(x,x)+E5j
		mov	cl, [ebp+var_36]

loc_93AB2B:				; CODE XREF: NtRenameKey(x,x)+F4j
		mov	edx, 200h
		mov	si, word ptr [ebp+var_44]
		cmp	si, dx
		ja	loc_93ACFE
		test	si, si
		jz	loc_93ACFE
		test	byte ptr [ebp+var_44], 1
		jnz	loc_93ACFE
		cmp	[ebx], ax
		jz	loc_93ACFE
		movsx	ecx, cl
		mov	edx, ebx
		call	_CmpDoesBufferRequireCapturing@8 ; CmpDoesBufferRequireCapturing(x,x)
		test	al, al
		jz	short loc_93ABA6
		push	426E4D43h
		movzx	edx, si
		call	_CmpAllocateTransientPoolWithQuotaTag@12 ; CmpAllocateTransientPoolWithQuotaTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_4C], ebx
		test	ebx, ebx
		jnz	short loc_93AB87
		mov	esi, 0C000009Ah
		jmp	loc_93AD03
; 

loc_93AB87:				; CODE XREF: NtRenameKey(x,x)+14Bj
		movzx	eax, word ptr [ebp+var_44]
		push	eax		; size_t
		push	[ebp+var_40]	; void *
		mov	ebx, [ebp+var_4C]
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_40], ebx
		mov	si, word ptr [ebp+var_44]
		mov	word ptr [ebp+var_44+2], si

loc_93ABA6:				; CODE XREF: NtRenameKey(x,x)+135j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		movzx	ecx, si
		shr	ecx, 1
		jz	short loc_93ABC2

loc_93ABB6:				; CODE XREF: NtRenameKey(x,x)+190j
		cmp	word ptr [ebx+eax*2], 5Ch
		jz	short loc_93AC0F
		inc	eax
		cmp	eax, ecx
		jb	short loc_93ABB6

loc_93ABC2:				; CODE XREF: NtRenameKey(x,x)+184j
		xor	ebx, ebx
		push	ebx
		lea	eax, [ebp+var_3C]
		push	eax
		push	[ebp+var_50]
		push	ecx
		mov	edx, 20006h
		mov	edi, [ebp+var_6C]
		mov	ecx, edi
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000022h
		jnz	short loc_93AC47
		lea	eax, [ebp+var_80]
		push	eax
		call	SeCaptureSubjectContext
		mov	[ebp+var_35], 1
		lea	edx, [ebp+var_54]
		lea	ecx, [ebp+var_80]
		call	CmDoVirtualTest
		test	al, al
		jnz	short loc_93AC19

loc_93AC02:				; CODE XREF: NtRenameKey(x,x)+20Ej
		mov	esi, 0C0000022h

loc_93AC07:				; CODE XREF: NtRenameKey(x,x)+202j
		mov	al, [ebp+var_35]
		jmp	loc_93AD3A
; 

loc_93AC0F:				; CODE XREF: NtRenameKey(x,x)+18Bj
		mov	esi, 0C000000Dh
		jmp	loc_93AD0D
; 

loc_93AC19:				; CODE XREF: NtRenameKey(x,x)+1D0j
		push	ebx
		lea	eax, [ebp+var_3C]
		push	eax
		push	[ebp+var_50]
		push	ecx
		mov	edx, 20019h
		mov	ecx, edi
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_93AC07
		mov	ecx, [ebp+var_3C]
		call	_CmKeyBodyNeedsVirtualImage@4 ;	CmKeyBodyNeedsVirtualImage(x)
		test	al, al
		jz	short loc_93AC02
		mov	al, 1
		mov	[ebp+var_37], al
		jmp	short loc_93AC49
; 

loc_93AC47:				; CODE XREF: NtRenameKey(x,x)+1B4j
		mov	al, bl

loc_93AC49:				; CODE XREF: NtRenameKey(x,x)+215j
		test	esi, esi
		js	loc_93AD3A
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	[ebp+var_38], 1
		cmp	_CmpCallBackCount, ebx
		jz	short loc_93ACB2
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_93ACB2
		mov	ecx, [ebp+var_3C]
		mov	[ebp+var_98], ecx
		lea	eax, [ebp+var_44]
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_60]
		push	eax
		push	ecx
		push	13h
		push	ecx
		lea	edx, [ebp+var_98]
		push	4
		pop	ecx
		call	_CmpCallCallBacks@24 ; CmpCallCallBacks(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_93ACB0
		lea	esi, [eax+3FFFFAFDh]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_93ACA8:				; CODE XREF: NtRenameKey(x,x)+2CCj
		mov	al, [ebp+var_37]
		jmp	loc_93AD3A
; 

loc_93ACB0:				; CODE XREF: NtRenameKey(x,x)+26Aj
		mov	bl, 1

loc_93ACB2:				; CODE XREF: NtRenameKey(x,x)+230j
					; NtRenameKey(x,x)+23Ej
		cmp	[ebp+var_37], 0
		jz	short loc_93ACD9
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		push	20006h
		mov	dl, [ebp+var_36]
		lea	ecx, [ebp+var_3C]
		call	_CmKeyBodyReplicateToVirtual@20	; CmKeyBodyReplicateToVirtual(x,x,x,x,x)
		mov	esi, eax
		mov	al, [ebp+var_37]
		test	esi, esi
		js	short loc_93AD3A

loc_93ACD9:				; CODE XREF: NtRenameKey(x,x)+286j
		lea	ecx, [ebp+var_34]
		call	CmpAttachToRegistryProcess
		push	[ebp+var_40]
		push	[ebp+var_44]
		mov	dl, [ebp+var_36]
		mov	ecx, [ebp+var_3C]
		call	_CmRenameKey@16	; CmRenameKey(x,x,x,x)
		mov	esi, eax
		lea	ecx, [ebp+var_34]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		jmp	short loc_93ACA8
; 

loc_93ACFE:				; CODE XREF: NtRenameKey(x,x)+107j
					; NtRenameKey(x,x)+110j ...
		mov	esi, 0C000000Dh

loc_93AD03:				; CODE XREF: NtRenameKey(x,x)+152j
		mov	[ebp+var_58], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_93AD0D:				; CODE XREF: NtRenameKey(x,x)+1E4j
		xor	ebx, ebx
		jmp	loc_93AAB5
; 

loc_93AD14:				; DATA XREF: .text:006A785Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_70], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_93AD22:				; DATA XREF: .text:006A7860o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_70]
		mov	[ebp+var_58], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	bl, [ebp+var_45]
		mov	al, bl
		mov	[ebp+var_38], al

loc_93AD3A:				; CODE XREF: NtRenameKey(x,x)+87j
					; NtRenameKey(x,x)+1DAj ...
		test	al, al
		jz	short loc_93AD47
		lea	eax, [ebp+var_80]
		push	eax
		call	SeReleaseSubjectContext

loc_93AD47:				; CODE XREF: NtRenameKey(x,x)+30Cj
		test	bl, bl
		jz	short loc_93AD64
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		push	esi
		mov	edx, [ebp+var_3C]
		push	13h
		pop	ecx
		call	_CmPostCallbackNotification@20 ; CmPostCallbackNotification(x,x,x,x,x)
		mov	esi, eax

loc_93AD64:				; CODE XREF: NtRenameKey(x,x)+319j
		cmp	[ebp+var_38], 0
		jz	short loc_93AD6F
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_93AD6F:				; CODE XREF: NtRenameKey(x,x)+338j
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_93AD7B
		call	ObfDereferenceObject

loc_93AD7B:				; CODE XREF: NtRenameKey(x,x)+344j
		mov	ebx, [ebp+var_4C]
		test	ebx, ebx
		jz	short loc_93AD89
		mov	ecx, ebx
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_93AD89:				; CODE XREF: NtRenameKey(x,x)+350j
		cmp	[ebp+var_48], 0
		jz	short loc_93AD94
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_93AD94:				; CODE XREF: NtRenameKey(x,x)+35Dj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_93ADA8:				; CODE XREF: NtRenameKey(x,x)+C8j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
_NtRenameKey@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtReplaceKey(x, x, x)
_NtReplaceKey@12 proc near		; DATA XREF: .text:00580D70o

var_D8		= dword	ptr -0D8h
var_D1		= byte ptr -0D1h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0DCh+var_4], eax
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	[esp+0DCh+var_B0], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+0DCh+var_A8], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	[esp+0E0h+var_AC], eax
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	byte ptr [esp+0E8h+var_D8], cl
		lea	edi, [esp+0E8h+var_90]
		mov	bl, [eax+15Ah]
		xor	eax, eax
		mov	[esp+0E8h+var_C8], ecx
		mov	[esp+0E8h+var_C4], ecx
		mov	[esp+0E8h+var_D0], ecx
		mov	[esp+0E8h+var_CC], ecx
		mov	[esp+0E8h+var_BC], ecx
		push	6
		pop	ecx
		rep stosd
		lea	eax, [esp+0E8h+var_B8]
		mov	byte ptr [esp+0E8h+var_C0], bl
		mov	[esp+0E8h+var_B4], eax
		mov	[esp+0E8h+var_B8], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	[esp+0E8h+var_D1], al
		test	al, al
		jnz	loc_93AF47
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, 0C0000189h

loc_93AE58:				; CODE XREF: NtReplaceKey(x,x,x)+1A2j
					; NtReplaceKey(x,x,x)+1C6j ...
		mov	ebx, [esp+0E8h+var_D8]

loc_93AE5C:				; CODE XREF: NtReplaceKey(x,x,x)+24Aj
					; NtReplaceKey(x,x,x)+257j ...
		cmp	[esp+0E8h+var_CC], 0
		jz	short loc_93AE6E
		push	0
		push	[esp+0ECh+var_CC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_93AE6E:				; CODE XREF: NtReplaceKey(x,x,x)+B3j
		cmp	[esp+0E8h+var_C4], 0
		jz	short loc_93AE80
		push	0
		push	[esp+0ECh+var_C4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_93AE80:				; CODE XREF: NtReplaceKey(x,x,x)+C5j
		test	bl, bl
		jz	short loc_93AE90
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_93AE90:				; CODE XREF: NtReplaceKey(x,x,x)+D4j
		cmp	[esp+0E8h+var_D1], 0
		jz	short loc_93AEAD
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_93AEAD:				; CODE XREF: NtReplaceKey(x,x,x)+E7j
		test	esi, esi
		jns	loc_93B0AC
		cmp	dword_6B2348, 5
		jbe	loc_93B114
		push	4000h
		xor	ebx, ebx
		mov	edi, offset dword_6B2348
		push	ebx
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_93B114
		lea	eax, [esp+0E8h+var_A4]
		mov	[esp+0E8h+var_A4], esi
		push	4
		mov	[esp+0ECh+var_58], eax
		lea	eax, [esp+0ECh+var_A0]
		pop	ecx
		mov	[esp+0E8h+var_48], eax
		lea	eax, [esp+0E8h+var_78]
		push	eax
		push	ecx
		push	ebx
		push	ebx
		mov	[esp+0F8h+var_54], ebx
		mov	[esp+0F8h+var_50], ecx
		mov	[esp+0F8h+var_4C], ebx
		mov	[esp+0F8h+var_A0], 1000000h
		mov	[esp+0F8h+var_9C], ebx
		mov	[esp+0F8h+var_44], ebx
		mov	[esp+0F8h+var_40], 8
		mov	[esp+0F8h+var_3C], ebx
		push	offset loc_41998F
		jmp	loc_93B10E
; 

loc_93AF47:				; CODE XREF: NtReplaceKey(x,x,x)+93j
		call	_CmCheckNoTxContext@0 ;	CmCheckNoTxContext()
		mov	esi, eax
		test	esi, esi
		js	loc_93AE58
		push	[esp+0E8h+var_C0]
		push	ds:dword_A949DC
		push	ds:_SeRestorePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_93AF79
		mov	esi, 0C0000061h
		jmp	loc_93AE58
; 

loc_93AF79:				; CODE XREF: NtReplaceKey(x,x,x)+1BFj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [esp+0E8h+var_B0]
		lea	eax, [esp+0E8h+var_C8]
		push	eax
		mov	dl, bl
		mov	[esp+0ECh+var_D8], 1
		call	CmpNameFromAttributes
		mov	esi, eax
		test	esi, esi
		js	loc_93B0A4
		mov	ecx, [esp+0E8h+var_AC]
		lea	eax, [esp+0E8h+var_D0]
		push	eax
		mov	dl, bl
		call	CmpNameFromAttributes
		mov	esi, eax
		test	esi, esi
		js	loc_93AE58
		push	0
		lea	eax, [esp+0ECh+var_BC]
		xor	edx, edx
		push	eax
		push	[esp+0F0h+var_C0]
		push	ecx
		mov	ecx, [esp+0F8h+var_A8]
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [esp+0E8h+var_BC]
		mov	esi, eax
		test	esi, esi
		js	short loc_93AFF2
		mov	eax, [edi+8]
		test	byte ptr [eax+4], 80h
		jz	short loc_93B00A
		mov	esi, 0C0000022h

loc_93AFF2:				; CODE XREF: NtReplaceKey(x,x,x)+234j
		mov	ebx, [esp+0E8h+var_D8]

loc_93AFF6:				; CODE XREF: NtReplaceKey(x,x,x)+2AFj
					; NtReplaceKey(x,x,x)+2B3j ...
		test	edi, edi
		jz	loc_93AE5C
		mov	ecx, edi
		call	ObfDereferenceObject
		jmp	loc_93AE5C
; 

loc_93B00A:				; CODE XREF: NtReplaceKey(x,x,x)+23Dj
		cmp	_CmpCallBackCount, 0
		jz	short loc_93B063
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		mov	ebx, [esp+0E8h+var_D8]
		test	eax, eax
		jnz	short loc_93B067
		lea	eax, [esp+0E8h+var_D0]
		mov	[esp+0E8h+var_90], edi
		mov	[esp+0E8h+var_8C], eax
		lea	edx, [esp+0E8h+var_90]
		lea	eax, [esp+0E8h+var_C8]
		mov	[esp+0E8h+var_88], eax
		lea	eax, [esp+0E8h+var_B8]
		push	eax
		push	0
		push	2Eh
		push	ebx
		push	0
		push	2Dh
		pop	ecx
		call	CmpCallCallBacksEx
		mov	esi, eax
		test	esi, esi
		jns	short loc_93B067
		cmp	esi, 0C0000503h
		jnz	short loc_93AFF6
		xor	esi, esi
		jmp	short loc_93AFF6
; 

loc_93B063:				; CODE XREF: NtReplaceKey(x,x,x)+263j
		mov	ebx, [esp+0E8h+var_D8]

loc_93B067:				; CODE XREF: NtReplaceKey(x,x,x)+275j
					; NtReplaceKey(x,x,x)+2A7j
		mov	ecx, [edi+8]
		lea	eax, [esp+0E8h+var_D0]
		push	eax
		lea	eax, [esp+0ECh+var_C8]
		push	eax
		mov	ecx, [ecx+10h]
		call	_CmReplaceKey@16 ; CmReplaceKey(x,x,x,x)
		lea	edx, [esp+0E8h+var_B8]
		push	edx
		push	0
		lea	edx, [esp+0F0h+var_90]
		push	edx
		push	eax
		push	2Eh
		mov	edx, edi
		pop	ecx
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		lea	esi, [eax+3FFFFAFDh]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jmp	loc_93AFF6
; 

loc_93B0A4:				; CODE XREF: NtReplaceKey(x,x,x)+1F5j
		xor	ebx, ebx
		inc	ebx
		jmp	loc_93AE5C
; 

loc_93B0AC:				; CODE XREF: NtReplaceKey(x,x,x)+101j
		cmp	dword_6B2348, 5
		jbe	short loc_93B114
		push	4000h
		xor	ebx, ebx
		mov	edi, offset dword_6B2348
		push	ebx
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_93B114
		lea	eax, [esp+0E8h+var_98]
		mov	[esp+0E8h+var_98], 1000000h
		mov	[esp+0E8h+var_18], eax
		lea	eax, [esp+0E8h+var_38]
		push	eax
		push	3
		push	ebx
		push	ebx
		mov	[esp+0F8h+var_94], ebx
		mov	[esp+0F8h+var_14], ebx
		mov	[esp+0F8h+var_10], 8
		mov	[esp+0F8h+var_C], ebx
		push	offset loc_4199CB

loc_93B10E:				; CODE XREF: NtReplaceKey(x,x,x)+194j
		push	edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_93B114:				; CODE XREF: NtReplaceKey(x,x,x)+10Ej
					; NtReplaceKey(x,x,x)+12Aj ...
		mov	ecx, [esp+0E8h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_NtReplaceKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtRestoreKey(x, x, x)
_NtRestoreKey@12 proc near		; DATA XREF: .text:00580D48o

var_4E		= byte ptr -4Eh
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	ebx, [ebp+arg_4]
		lea	edi, [esp+60h+var_34]
		mov	[esp+60h+var_38], eax
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		push	6
		mov	[esp+64h+var_4E], al
		lea	edi, [esp+64h+var_1C]
		mov	[esp+64h+var_48], eax
		mov	[esp+64h+var_4C], eax
		pop	ecx
		rep stosd
		lea	eax, [esp+60h+var_40]
		mov	[esp+60h+var_3C], eax
		mov	[esp+60h+var_40], eax
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[esp+60h+var_4D], al
		mov	byte ptr [esp+60h+var_44], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_93B1C2
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, 0C0000189h
		jmp	loc_93B34E
; 

loc_93B1C2:				; CODE XREF: NtRestoreKey(x,x,x)+7Dj
		call	_CmCheckNoTxContext@0 ;	CmCheckNoTxContext()
		mov	esi, eax
		test	esi, esi
		js	loc_93B338
		push	[esp+60h+var_44]
		push	ds:dword_A949DC
		push	ds:_SeRestorePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_93B1F4
		mov	esi, 0C0000061h
		jmp	loc_93B338
; 

loc_93B1F4:				; CODE XREF: NtRestoreKey(x,x,x)+BBj
		cmp	[esp+60h+var_4D], 1
		jnz	short loc_93B21B
		lea	eax, [esp+60h+var_4C]
		push	eax
		push	0
		push	1
		push	1
		push	ebx
		call	_IoConvertFileHandleToKernelHandle@20 ;	IoConvertFileHandleToKernelHandle(x,x,x,x,x)
		mov	edi, [esp+60h+var_4C]
		mov	esi, eax
		test	esi, esi
		jns	short loc_93B221
		jmp	loc_93B32A
; 

loc_93B21B:				; CODE XREF: NtRestoreKey(x,x,x)+CCj
		mov	edi, ebx
		mov	[esp+60h+var_4C], edi

loc_93B221:				; CODE XREF: NtRestoreKey(x,x,x)+E7j
		push	0
		lea	eax, [esp+64h+var_48]
		xor	edx, edx
		push	eax
		push	[esp+68h+var_44]
		push	ecx
		mov	ecx, [esp+70h+var_38]
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [esp+60h+var_48]
		mov	esi, eax
		test	esi, esi
		js	loc_93B321
		mov	eax, [ecx+8]
		test	byte ptr [eax+4], 80h
		jz	short loc_93B259
		mov	esi, 0C0000022h
		jmp	loc_93B321
; 

loc_93B259:				; CODE XREF: NtRestoreKey(x,x,x)+120j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		cmp	_CmpCallBackCount, 0
		mov	edi, [esp+60h+var_48]
		jz	short loc_93B2C5
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_93B2C5
		mov	eax, [esp+60h+var_4C]
		lea	edx, [esp+60h+var_34]
		mov	[esp+60h+var_30], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+60h+var_2C], eax
		lea	eax, [esp+60h+var_40]
		push	eax
		push	0
		push	2Ah
		push	1
		push	0
		push	29h
		pop	ecx
		mov	[esp+74h+var_34], edi
		call	CmpCallCallBacksEx
		mov	esi, eax
		test	esi, esi
		jns	short loc_93B2C0
		cmp	esi, 0C0000503h
		jnz	short loc_93B30D
		xor	esi, esi
		jmp	short loc_93B30D
; 

loc_93B2C0:				; CODE XREF: NtRestoreKey(x,x,x)+185j
		mov	[esp+60h+var_4E], 1

loc_93B2C5:				; CODE XREF: NtRestoreKey(x,x,x)+145j
					; NtRestoreKey(x,x,x)+153j
		lea	ecx, [esp+60h+var_1C]
		call	CmpAttachToRegistryProcess
		push	[esp+60h+var_44]
		mov	edx, [esp+64h+var_4C]
		mov	ecx, edi
		push	[ebp+arg_8]
		call	_CmRestoreKey@16 ; CmRestoreKey(x,x,x,x)
		xor	edx, edx
		lea	ecx, [esp+60h+var_1C]
		mov	esi, eax
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		cmp	[esp+60h+var_4E], 0
		jz	short loc_93B30D
		lea	eax, [esp+60h+var_40]
		mov	edx, edi
		push	eax
		push	0
		lea	eax, [esp+68h+var_34]
		push	eax
		push	esi
		push	2Ah
		pop	ecx
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		mov	esi, eax

loc_93B30D:				; CODE XREF: NtRestoreKey(x,x,x)+18Dj
					; NtRestoreKey(x,x,x)+191j ...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [esp+60h+var_48]
		mov	edi, [esp+60h+var_4C]

loc_93B321:				; CODE XREF: NtRestoreKey(x,x,x)+113j
					; NtRestoreKey(x,x,x)+127j
		test	ecx, ecx
		jz	short loc_93B32A
		call	ObfDereferenceObject

loc_93B32A:				; CODE XREF: NtRestoreKey(x,x,x)+E9j
					; NtRestoreKey(x,x,x)+1F6j
		test	edi, edi
		jz	short loc_93B338
		cmp	edi, ebx
		jz	short loc_93B338
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_93B338:				; CODE XREF: NtRestoreKey(x,x,x)+9Ej
					; NtRestoreKey(x,x,x)+C2j ...
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_93B34E:				; CODE XREF: NtRestoreKey(x,x,x)+90j
		mov	ecx, [esp+60h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_NtRestoreKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtRollbackRegistryTransaction(x, x)
_NtRollbackRegistryTransaction@8 proc near ; DATA XREF:	.text:005812BCo

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+30h+var_1C]
		rep stosd
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _CmpShutdownRundown
		mov	ecx, ebx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_93B3BF
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, 0C0000189h
		jmp	loc_93B445
; 

loc_93B3BF:				; CODE XREF: NtRollbackRegistryTransaction(x,x)+43j
		cmp	[ebp+arg_4], 0
		jz	short loc_93B3CC
		mov	esi, 0C000000Dh
		jmp	short loc_93B432
; 

loc_93B3CC:				; CODE XREF: NtRollbackRegistryTransaction(x,x)+5Fj
		mov	eax, large fs:124h
		lea	ecx, [esp+30h+var_24]
		and	[esp+30h+var_24], 0
		push	0
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+38h+var_20], al
		push	[esp+38h+var_20]
		mov	eax, _CmRegistryTransactionType
		push	eax
		push	10h
		push	esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [esp+30h+var_24]
		mov	esi, eax
		test	esi, esi
		js	short loc_93B427
		lea	ecx, [esp+30h+var_1C]
		call	CmpAttachToRegistryProcess
		mov	ecx, edi
		call	CmpRollbackLightWeightTransaction
		xor	edx, edx
		lea	ecx, [esp+30h+var_1C]
		mov	esi, eax
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		test	esi, esi
		js	short loc_93B427
		xor	esi, esi

loc_93B427:				; CODE XREF: NtRollbackRegistryTransaction(x,x)+9Ej
					; NtRollbackRegistryTransaction(x,x)+BFj
		test	edi, edi
		jz	short loc_93B432
		mov	ecx, edi
		call	ObfDereferenceObject

loc_93B432:				; CODE XREF: NtRollbackRegistryTransaction(x,x)+66j
					; NtRollbackRegistryTransaction(x,x)+C5j
		mov	ecx, ebx
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_93B445:				; CODE XREF: NtRollbackRegistryTransaction(x,x)+56j
		mov	ecx, [esp+30h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_NtRollbackRegistryTransaction@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSaveKey(x, x)
_NtSaveKey@8	proc near		; DATA XREF: .text:00580D28o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_NtSaveKeyEx@12	; NtSaveKeyEx(x,x,x)
		pop	ebp
		retn	8
_NtSaveKey@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSaveKeyEx(x, x, x)
_NtSaveKeyEx@12	proc near		; CODE XREF: NtSaveKey(x,x)+Dp
					; DATA XREF: .text:00580D24o

var_52		= byte ptr -52h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	[esp+60h+var_38], eax
		lea	edi, [esp+60h+var_34]
		push	6
		xor	eax, eax
		mov	[esp+64h+var_44], ebx
		pop	ecx
		rep stosd
		push	6
		pop	ecx
		lea	edi, [esp+60h+var_1C]
		rep stosd
		lea	eax, [esp+60h+var_40]
		xor	edi, edi
		mov	[esp+60h+var_3C], eax
		mov	[esp+60h+var_40], eax
		mov	eax, large fs:124h
		mov	[esp+60h+var_48], edi
		mov	[esp+60h+var_4C], edi
		mov	al, [eax+15Ah]
		mov	[esp+60h+var_51], al
		mov	byte ptr [esp+60h+var_50], al
		call	CmpAcquireShutdownRundown
		test	al, al
		jnz	short loc_93B4E9
		mov	esi, 0C0000189h
		jmp	loc_93B65E
; 

loc_93B4E9:				; CODE XREF: NtSaveKeyEx(x,x,x)+6Cj
		call	_CmCheckNoTxContext@0 ;	CmCheckNoTxContext()
		mov	esi, eax
		test	esi, esi
		js	loc_93B659
		push	[esp+60h+var_50]
		push	ds:dword_A949E4
		push	ds:_SeBackupPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_93B51B
		mov	esi, 0C0000061h
		jmp	loc_93B659
; 

loc_93B51B:				; CODE XREF: NtSaveKeyEx(x,x,x)+9Ej
		mov	eax, [ebp+arg_8]
		cmp	eax, 1
		jz	short loc_93B537
		cmp	eax, 2
		jz	short loc_93B537
		cmp	eax, 4
		jz	short loc_93B537
		mov	esi, 0C000000Dh
		jmp	loc_93B659
; 

loc_93B537:				; CODE XREF: NtSaveKeyEx(x,x,x)+B0j
					; NtSaveKeyEx(x,x,x)+B5j ...
		cmp	[esp+60h+var_51], 1
		jnz	short loc_93B55D
		lea	eax, [esp+60h+var_4C]
		push	eax
		push	edi
		push	2
		push	1
		push	ebx
		call	_IoConvertFileHandleToKernelHandle@20 ;	IoConvertFileHandleToKernelHandle(x,x,x,x,x)
		mov	edi, [esp+60h+var_4C]
		mov	esi, eax
		test	esi, esi
		jns	short loc_93B55F
		jmp	loc_93B64B
; 

loc_93B55D:				; CODE XREF: NtSaveKeyEx(x,x,x)+CBj
		mov	edi, ebx

loc_93B55F:				; CODE XREF: NtSaveKeyEx(x,x,x)+E5j
		push	0
		lea	eax, [esp+64h+var_48]
		xor	edx, edx
		push	eax
		push	[esp+68h+var_50]
		push	ecx
		mov	ecx, [esp+70h+var_38]
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, [esp+60h+var_48]
		mov	esi, eax
		test	esi, esi
		js	loc_93B63C
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		cmp	_CmpCallBackCount, 0
		jz	short loc_93B5DA
		push	offset _CmpRegistryLock
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		jnz	short loc_93B5DA
		mov	eax, [ebp+arg_8]
		lea	edx, [esp+60h+var_34]
		mov	[esp+60h+var_2C], eax
		lea	eax, [esp+60h+var_40]
		push	eax
		push	0
		push	2Ch
		push	1
		push	0
		push	2Bh
		pop	ecx
		mov	[esp+74h+var_34], ebx
		mov	[esp+74h+var_30], edi
		call	CmpCallCallBacksEx
		mov	esi, eax
		test	esi, esi
		jns	short loc_93B5DA
		cmp	esi, 0C0000503h
		jnz	short loc_93B637
		xor	esi, esi
		jmp	short loc_93B637
; 

loc_93B5DA:				; CODE XREF: NtSaveKeyEx(x,x,x)+11Fj
					; NtSaveKeyEx(x,x,x)+12Dj ...
		lea	ecx, [esp+60h+var_1C]
		call	CmpAttachToRegistryProcess
		mov	ecx, [ebp+arg_8]
		mov	edx, edi
		push	[esp+60h+var_50]
		cmp	ecx, 4
		jnz	short loc_93B5FA
		mov	ecx, ebx
		call	_CmDumpKey@12	; CmDumpKey(x,x,x)
		jmp	short loc_93B611
; 

loc_93B5FA:				; CODE XREF: NtSaveKeyEx(x,x,x)+17Ej
		xor	eax, eax
		cmp	ecx, 2
		mov	ecx, ebx
		setz	al
		lea	eax, ds:3[eax*2]
		push	eax
		call	_CmSaveKey@16	; CmSaveKey(x,x,x,x)

loc_93B611:				; CODE XREF: NtSaveKeyEx(x,x,x)+187j
		xor	edx, edx
		lea	ecx, [esp+60h+var_1C]
		mov	esi, eax
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		lea	eax, [esp+60h+var_40]
		mov	edx, ebx
		push	eax
		push	0
		lea	eax, [esp+68h+var_34]
		push	eax
		push	esi
		push	2Ch
		pop	ecx
		call	_CmPostCallbackNotificationEx@24 ; CmPostCallbackNotificationEx(x,x,x,x,x,x)
		mov	esi, eax

loc_93B637:				; CODE XREF: NtSaveKeyEx(x,x,x)+163j
					; NtSaveKeyEx(x,x,x)+167j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_93B63C:				; CODE XREF: NtSaveKeyEx(x,x,x)+10Dj
		test	ebx, ebx
		jz	short loc_93B647
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_93B647:				; CODE XREF: NtSaveKeyEx(x,x,x)+1CDj
		mov	ebx, [esp+60h+var_44]

loc_93B64B:				; CODE XREF: NtSaveKeyEx(x,x,x)+E7j
		test	edi, edi
		jz	short loc_93B659
		cmp	edi, ebx
		jz	short loc_93B659
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_93B659:				; CODE XREF: NtSaveKeyEx(x,x,x)+81j
					; NtSaveKeyEx(x,x,x)+A5j ...
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_93B65E:				; CODE XREF: NtSaveKeyEx(x,x,x)+73j
		mov	ecx, [esp+60h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_NtSaveKeyEx@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSaveMergedKeys(x,	x, x)
_NtSaveMergedKeys@12 proc near		; DATA XREF: .text:00580D20o

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[esp+50h+var_2C], eax
		lea	edi, [esp+50h+var_1C]
		mov	eax, [ebp+arg_4]
		mov	[esp+50h+var_28], eax
		mov	eax, [ebp+arg_8]
		push	6
		mov	[esp+54h+var_24], eax
		xor	eax, eax
		pop	ecx
		rep stosd
		mov	[esp+50h+var_30], eax
		mov	[esp+50h+var_34], eax
		mov	[esp+50h+var_40], eax
		mov	[esp+50h+var_3C], eax
		mov	[esp+50h+var_38], eax
		call	CmpAcquireShutdownRundown
		test	al, al
		jnz	short loc_93B6D4
		mov	esi, 0C0000189h
		jmp	loc_93B829
; 

loc_93B6D4:				; CODE XREF: NtSaveMergedKeys(x,x,x)+54j
		call	_CmCheckNoTxContext@0 ;	CmCheckNoTxContext()
		mov	esi, eax
		test	esi, esi
		js	loc_93B7DA
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [esp+50h+var_20], bl
		mov	edi, [esp+50h+var_20]
		push	edi
		push	ds:dword_A949E4
		push	ds:_SeBackupPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_93B717
		mov	esi, 0C0000061h
		jmp	loc_93B7DA
; 

loc_93B717:				; CODE XREF: NtSaveMergedKeys(x,x,x)+97j
		test	bl, bl
		jz	short loc_93B77E
		mov	ecx, [esp+50h+var_2C]
		lea	eax, [esp+50h+var_38]
		push	eax
		xor	ebx, ebx
		push	ebx
		push	edi
		call	_CmConvertHandleToKernelHandle@20 ; CmConvertHandleToKernelHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93B7DA
		mov	ecx, [esp+50h+var_28]
		lea	eax, [esp+50h+var_3C]
		push	eax
		push	ebx
		push	edi
		call	_CmConvertHandleToKernelHandle@20 ; CmConvertHandleToKernelHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93B7DA
		lea	eax, [esp+50h+var_40]
		push	eax
		push	ebx
		push	2
		push	edi
		push	[esp+60h+var_24]
		call	_IoConvertFileHandleToKernelHandle@20 ;	IoConvertFileHandleToKernelHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_93B7DA
		push	[esp+50h+var_40]
		push	[esp+54h+var_3C]
		push	[esp+58h+var_38]
		call	_ZwSaveMergedKeys@12 ; ZwSaveMergedKeys(x,x,x)
		mov	esi, eax
		jmp	short loc_93B7DA
; 

loc_93B77E:				; CODE XREF: NtSaveMergedKeys(x,x,x)+A5j
		xor	ebx, ebx
		lea	eax, [esp+50h+var_30]
		push	ebx
		push	eax
		push	ebx
		push	ecx
		mov	ecx, [esp+60h+var_2C]
		xor	edx, edx
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_93B7DA
		push	ebx
		lea	eax, [esp+54h+var_34]
		xor	edx, edx
		push	eax
		push	ebx
		push	ecx
		mov	ecx, [esp+60h+var_28]
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_93B7DA
		lea	ecx, [esp+50h+var_1C]
		call	CmpAttachToRegistryProcess
		mov	edx, [esp+50h+var_34]
		mov	ecx, [esp+50h+var_30]
		push	ebx
		push	[esp+54h+var_24]
		call	_CmSaveMergedKeys@16 ; CmSaveMergedKeys(x,x,x,x)
		xor	edx, edx
		lea	ecx, [esp+50h+var_1C]
		mov	esi, eax
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_93B7DA:				; CODE XREF: NtSaveMergedKeys(x,x,x)+69j
					; NtSaveMergedKeys(x,x,x)+9Ej ...
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		mov	ecx, [esp+50h+var_34]
		test	ecx, ecx
		jz	short loc_93B7EC
		call	ObfDereferenceObject

loc_93B7EC:				; CODE XREF: NtSaveMergedKeys(x,x,x)+171j
		mov	ecx, [esp+50h+var_30]
		test	ecx, ecx
		jz	short loc_93B7F9
		call	ObfDereferenceObject

loc_93B7F9:				; CODE XREF: NtSaveMergedKeys(x,x,x)+17Ej
		cmp	[esp+50h+var_40], 0
		jz	short loc_93B809
		push	[esp+50h+var_40]
		call	_ZwClose@4	; ZwClose(x)

loc_93B809:				; CODE XREF: NtSaveMergedKeys(x,x,x)+18Aj
		cmp	[esp+50h+var_3C], 0
		jz	short loc_93B819
		push	[esp+50h+var_3C]
		call	_ZwClose@4	; ZwClose(x)

loc_93B819:				; CODE XREF: NtSaveMergedKeys(x,x,x)+19Aj
		cmp	[esp+50h+var_38], 0
		jz	short loc_93B829
		push	[esp+50h+var_38]
		call	_ZwClose@4	; ZwClose(x)

loc_93B829:				; CODE XREF: NtSaveMergedKeys(x,x,x)+5Bj
					; NtSaveMergedKeys(x,x,x)+1AAj
		mov	ecx, [esp+50h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_NtSaveMergedKeys@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtThawRegistry()
_NtThawRegistry@0 proc near		; DATA XREF: .text:00580C08o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+20h+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+28h+var_1C]
		rep stosd
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+28h+var_20], al
		push	[esp+28h+var_20]
		push	ds:dword_A949E4
		push	ds:_SeBackupPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_93B892
		mov	esi, 0C0000061h
		jmp	short loc_93B8AD
; 

loc_93B892:				; CODE XREF: NtThawRegistry()+4Aj
		lea	ecx, [esp+28h+var_1C]
		call	CmpAttachToRegistryProcess
		call	_CmThawRegistry@0 ; CmThawRegistry()
		xor	edx, edx
		lea	ecx, [esp+28h+var_1C]
		mov	esi, eax
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_93B8AD:				; CODE XREF: NtThawRegistry()+51j
		mov	ecx, [esp+28h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_NtThawRegistry@0 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 251. CmCallbackGetKeyObjectID

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmCallbackGetKeyObjectID(x,	x, x, x)
		public _CmCallbackGetKeyObjectID@16
_CmCallbackGetKeyObjectID@16 proc near	; CODE XREF: EtwpRegTraceCallback(x,x,x)+175p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		and	[esp+38h+var_34], 0
		push	esi
		push	edi
		mov	esi, [ebp+arg_C]
		lea	edi, [esp+40h+var_1C]
		mov	edx, [ebp+arg_8]
		push	6
		pop	ecx
		rep stosd
		lea	edi, [esp+40h+var_2C]
		mov	[esp+40h+var_30], esi
		stosd
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [esp+40h+var_2C+2], ax
		test	ebx, ebx
		jz	loc_93B9A3
		cmp	dword ptr [ebx], 6B793032h
		jnz	loc_93B9A3
		cmp	[ebp+arg_0], 0
		jz	short loc_93B9A3
		mov	ebx, [ebx+8]
		test	edx, edx
		jz	short loc_93B92E
		mov	[edx], ebx

loc_93B92E:				; CODE XREF: CmCallbackGetKeyObjectID(x,x,x,x)+65j
		test	esi, esi
		jz	short loc_93B9A8
		test	bl, 1
		jnz	short loc_93B9A3
		lea	ecx, [esp+40h+var_1C]
		call	CmpAttachToRegistryProcess
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edx, ebx
		lea	ecx, [esp+40h+var_2C]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_93B991
		lea	ecx, [esp+40h+var_2C]
		call	_CmpLockKcbStackShared@4 ; CmpLockKcbStackShared(x)
		cmp	dword ptr [ebx+28h], 0
		jnz	short loc_93B96C

loc_93B965:				; CODE XREF: CmCallbackGetKeyObjectID(x,x,x,x)+B5j
		mov	esi, 0C000009Ah
		jmp	short loc_93B988
; 

loc_93B96C:				; CODE XREF: CmCallbackGetKeyObjectID(x,x,x,x)+9Ej
		push	ecx
		lea	edx, [esp+44h+var_34]
		mov	ecx, ebx
		call	CmpConstructAndCacheName
		test	eax, eax
		js	short loc_93B965
		mov	ecx, [esp+40h+var_30]
		xor	esi, esi
		mov	eax, [esp+40h+var_34]
		mov	[ecx], eax

loc_93B988:				; CODE XREF: CmCallbackGetKeyObjectID(x,x,x,x)+A5j
		lea	ecx, [esp+40h+var_2C]
		call	CmpUnlockKcbStack

loc_93B991:				; CODE XREF: CmCallbackGetKeyObjectID(x,x,x,x)+8Fj
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		lea	ecx, [esp+40h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	short loc_93B9A8
; 

loc_93B9A3:				; CODE XREF: CmCallbackGetKeyObjectID(x,x,x,x)+48j
					; CmCallbackGetKeyObjectID(x,x,x,x)+54j ...
		mov	esi, 0C000000Dh

loc_93B9A8:				; CODE XREF: CmCallbackGetKeyObjectID(x,x,x,x)+6Bj
					; CmCallbackGetKeyObjectID(x,x,x,x)+DCj
		mov	ecx, [esp+40h+var_20]
		test	ecx, ecx
		jz	short loc_93B9B5
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_93B9B5:				; CODE XREF: CmCallbackGetKeyObjectID(x,x,x,x)+E9j
		mov	ecx, [esp+40h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_CmCallbackGetKeyObjectID@16 endp

; 
		align 10h
; Exported entry 255. CmGetCallbackVersion

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmGetCallbackVersion(x, x)
		public _CmGetCallbackVersion@8
_CmGetCallbackVersion@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		inc	ecx
		test	eax, eax
		jz	short loc_93B9E1
		mov	[eax], ecx

loc_93B9E1:				; CODE XREF: CmGetCallbackVersion(x,x)+Dj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_93B9EA
		mov	[eax], ecx

loc_93B9EA:				; CODE XREF: CmGetCallbackVersion(x,x)+16j
		pop	ebp
		retn	8
_CmGetCallbackVersion@8	endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 258. CmRegisterCallbackEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmRegisterCallbackEx(x, x, x, x, x,	x)
		public _CmRegisterCallbackEx@24
_CmRegisterCallbackEx@24 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 0
		jnz	short loc_93BA05
		mov	eax, 0C00000F1h
		jmp	short loc_93BA27
; 

loc_93BA05:				; CODE XREF: CmRegisterCallbackEx(x,x,x,x,x,x)+9j
		cmp	[ebp+arg_14], 0
		jz	short loc_93BA12
		mov	eax, 0C00000F4h
		jmp	short loc_93BA27
; 

loc_93BA12:				; CODE XREF: CmRegisterCallbackEx(x,x,x,x,x,x)+16j
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		push	[ebp+arg_4]
		call	CmpRegisterCallbackInternal

loc_93BA27:				; CODE XREF: CmRegisterCallbackEx(x,x,x,x,x,x)+10j
					; CmRegisterCallbackEx(x,x,x,x,x,x)+1Dj
		pop	ebp
		retn	18h
_CmRegisterCallbackEx@24 endp

; 

; __stdcall CmpCallbackFatalFilter(x, x)
_CmpCallbackFatalFilter@8:		; CODE XREF: sub_8CA952+6p
					; sub_91DC6D+6p ...
		mov	eax, [ecx]
		push	edx
		push	dword ptr [edx+1Ch]
		push	dword ptr [ecx+4]
		push	dword ptr [eax]
		push	135h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 262. CmUnregisterMachineHiveLoadedNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmUnregisterMachineHiveLoadedNotification(x)
		public _CmUnregisterMachineHiveLoadedNotification@4
_CmUnregisterMachineHiveLoadedNotification@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_93BACC
		imul	eax, [esi+10h],	78h
		xor	edx, edx
		push	ebx
		push	edi
		lea	edi, dword_6B1684[eax]
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		xor	ebx, ebx
		jmp	short loc_93BA9A
; 

loc_93BA6C:				; CODE XREF: CmUnregisterMachineHiveLoadedNotification(x)+57j
		push	offset _CmpMachineHiveCallbackEvent
		mov	byte ptr [esi+16h], 1
		call	_KeResetEvent@4	; KeResetEvent(x)
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _CmpMachineHiveCallbackEvent
		call	KeWaitForSingleObject
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx

loc_93BA9A:				; CODE XREF: CmUnregisterMachineHiveLoadedNotification(x)+24j
		cmp	[esi+14h], bl
		jnz	short loc_93BA6C
		cmp	[esi+15h], bl
		jz	short loc_93BABA
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_93BAD1
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_93BAD1
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	[esi+15h], bl

loc_93BABA:				; CODE XREF: CmUnregisterMachineHiveLoadedNotification(x)+5Cj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	ebx

loc_93BACC:				; CODE XREF: CmUnregisterMachineHiveLoadedNotification(x)+Bj
		pop	esi
		pop	ebp
		retn	4
; 

loc_93BAD1:				; CODE XREF: CmUnregisterMachineHiveLoadedNotification(x)+63j
					; CmUnregisterMachineHiveLoadedNotification(x)+6Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmUnregisterMachineHiveLoadedNotification@4 endp ; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpMachineHiveCallbackFatalFilter(x, x)
_CmpMachineHiveCallbackFatalFilter@8 proc near ; CODE XREF: sub_9354F1+6p

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	eax, [ecx]
		push	edx
		push	dword ptr [edx+8]
		push	dword ptr [ecx+4]
		push	dword ptr [eax]
		push	13Fh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall CmpPostApcRunDown(x)
_CmpPostApcRunDown@4:			; DATA XREF: NtNotifyChangeMultipleKeys+398o
		push	0Ch
		push	offset dword_6A7910
		call	__SEH_prolog4
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_19], al
		mov	eax, [ebp+arg_0]
		mov	esi, [eax+28h]
		mov	[ebp+arg_0], esi
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [esi+20h]
		lea	eax, [ecx+38h]
		cmp	[eax], eax
		jnz	short loc_93BB3A
		push	ecx
		push	offset ??_C@_0DD@BGFPCJCC@IoStatusBlock?5pointing?5onto?5its@NNGAKEGL@ ; "IoStatusBlock	pointing onto itself Asyn"...
		call	_DbgPrint
		pop	ecx
		pop	ecx
		cmp	_KdDebuggerEnabled, 0
		jz	short loc_93BB3A
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_93BB3A
		int	3		; Trap to Debugger

loc_93BB3A:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+42j
					; CmpMachineHiveCallbackFatalFilter(x,x)+58j ...
		mov	eax, [esi+20h]
		mov	eax, [eax+38h]
		mov	dword ptr [eax], 10Bh
		mov	eax, [esi+20h]
		mov	eax, [eax+38h]
		and	dword ptr [eax+4], 0
		mov	ecx, [esi+20h]
		lea	eax, [ecx+38h]
		cmp	[eax], eax
		jnz	short loc_93BB7A
		push	ecx
		push	offset ??_C@_0DD@BGFPCJCC@IoStatusBlock?5pointing?5onto?5its@NNGAKEGL@ ; "IoStatusBlock	pointing onto itself Asyn"...
		call	_DbgPrint
		pop	ecx
		pop	ecx
		cmp	_KdDebuggerEnabled, 0
		jz	short loc_93BB7A
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_93BB7A
		int	3		; Trap to Debugger

loc_93BB7A:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+82j
					; CmpMachineHiveCallbackFatalFilter(x,x)+98j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_93BB94
; 

loc_93BB83:				; DATA XREF: .text:006A7924o
		xor	eax, eax
		inc	eax
		retn
; 

loc_93BB87:				; DATA XREF: .text:006A7928o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+arg_0]

loc_93BB94:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+ABj
		mov	eax, [esi+20h]
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_93BBB3
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [esi+20h]
		mov	ecx, [ecx+4]
		call	ObfDereferenceObject

loc_93BBB3:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+C6j
		lea	eax, [esi+8]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_93BBF2
		cmp	[ecx], eax
		jnz	short loc_93BBF2
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, esi
		call	_CmpFreeSubordinatePost@4 ; CmpFreeSubordinatePost(x)
		mov	ecx, esi
		call	_CmpFreePostBlock@4 ; CmpFreePostBlock(x)
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_93BBF2:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+E8j
					; CmpMachineHiveCallbackFatalFilter(x,x)+ECj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall CmEtwRunDown(x, x, x, x, x)
_CmEtwRunDown@20:			; CODE XREF: EtwpKernelTraceRundown+129F6Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+ms_exc.msEH_ptr], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_80], ecx
		lea	edi, [ebp+var_CC]
		push	6
		xor	eax, eax
		xor	esi, esi
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_4C]
		mov	[ebp+var_9C], esi
		stosd
		mov	ebx, edx
		push	6
		pop	ecx
		push	6
		stosd
		mov	[ebp+var_88], ebx
		mov	[ebp+var_B4], esi
		mov	[ebp+var_B0], esi
		stosd
		mov	[ebp+var_A4], esi
		mov	[ebp+var_8C], esi
		mov	[ebp+var_AC], esi
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_7C]
		mov	[ebp+var_A8], esi
		rep stosd
		lea	edi, [ebp+var_64]
		mov	[ebp+var_A0], esi
		pop	ecx
		rep stosd
		cmp	[ebp+arg_8], al
		jnz	loc_93BEBD
		lea	ecx, [ebp+var_64]
		call	CmpAttachToRegistryProcess
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_38], esi
		mov	[ebp+var_3C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_34], 14h
		mov	[ebp+var_30], esi
		mov	[ebp-1Ch], eax
		mov	[ebp+ms_exc.old_esp], esi
		mov	[ebp+ms_exc.exc_ptr], 2
		mov	[ebp+ms_exc.prev_er], esi
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	esi, eax
		mov	[ebp+var_98], esi
		test	esi, esi
		jz	loc_93BDCD
		mov	edi, [ebp+var_80]

loc_93BCC6:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+2F1j
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		cmp	[ebp+arg_4], 0
		jz	short loc_93BCDB
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	_CmpLogHiveRundownEvent@12 ; CmpLogHiveRundownEvent(x,x,x)

loc_93BCDB:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+1F9j
		cmp	byte ptr [ebp+arg_0], 0
		jz	loc_93BDB1
		mov	ebx, [esi+438h]
		mov	eax, [esi+434h]
		mov	[ebp+var_94], ebx
		test	ebx, ebx
		jz	loc_93BDAB
		mov	esi, [ebp+var_88]
		add	eax, 8
		mov	[ebp+var_90], eax

loc_93BD0E:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+2C6j
		mov	edi, [eax]
		test	edi, edi
		jz	short loc_93BD8A
		mov	ebx, [ebp+var_80]

loc_93BD17:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+2A6j
		and	[ebp+var_84], 0
		lea	ecx, [edi-8]
		lea	edx, [ebp+var_84]
		call	CmpConstructNameWithStatus
		mov	eax, [ebp+var_84]
		test	eax, eax
		jz	short loc_93BD77
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		and	[ebp+var_28], 0
		and	[ebp+var_20], 0
		push	offset byte_401802
		push	919h
		push	esi
		push	ebx
		mov	[ebp+var_2C], eax
		lea	eax, [edi-8]
		push	3
		mov	[ebp+var_24], ecx
		lea	ecx, [ebp+var_3C]
		pop	edx
		mov	[ebp+var_6C], eax
		call	_EtwTraceSiloDcEvent@24	; EtwTraceSiloDcEvent(x,x,x,x,x,x)
		mov	ecx, [ebp+var_84]
		mov	edx, 624E4D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_93BD77:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+25Ej
		mov	edi, [edi+4]
		test	edi, edi
		jnz	short loc_93BD17
		mov	ebx, [ebp+var_94]
		mov	eax, [ebp+var_90]

loc_93BD8A:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+23Cj
		add	eax, 0Ch
		sub	ebx, 1
		mov	[ebp+var_90], eax
		mov	[ebp+var_94], ebx
		jnz	loc_93BD0E
		mov	esi, [ebp+var_98]
		mov	edi, [ebp+var_80]

loc_93BDAB:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+223j
		mov	ebx, [ebp+var_88]

loc_93BDB1:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+209j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, esi
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	esi, eax
		mov	[ebp+var_98], eax
		test	esi, esi
		jnz	loc_93BCC6

loc_93BDCD:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+1E7j
		xor	edx, edx
		lea	ecx, [ebp+var_64]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		push	offset ??_C@_1EA@KMDJMPOH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\System\\Select"
		lea	eax, [ebp+var_AC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_CC], 18h
		mov	[ebp+var_C4], eax
		xor	esi, esi
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_C8], esi
		push	eax
		push	20019h
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_C0], 240h
		push	eax
		mov	[ebp+var_BC], esi
		mov	[ebp+var_B8], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_93BEBD
		push	offset ??_C@_1BA@OFLJGHK@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@NNGAKEGL@
		lea	eax, [ebp+var_B4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_A4]
		push	eax
		push	10h
		lea	eax, [ebp+var_4C]
		push	eax
		push	2
		lea	eax, [ebp+var_B4]
		push	eax
		push	[ebp+var_8C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		push	[ebp+var_8C]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_93BEBB
		mov	eax, [ebp+var_40]
		lea	ecx, [ebp+var_3C]
		push	offset byte_401802
		push	923h
		push	ebx
		push	[ebp+var_80]
		mov	[ebp+var_9C], eax
		xor	esi, esi
		xor	edx, edx
		mov	[ebp+var_38], esi
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_34], 4
		inc	edx
		mov	[ebp+var_3C], eax
		mov	[ebp+var_30], esi
		call	_EtwTraceSiloDcEvent@24	; EtwTraceSiloDcEvent(x,x,x,x,x,x)
		jmp	short loc_93BEBD
; 

loc_93BEBB:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+3A7j
		xor	esi, esi

loc_93BEBD:				; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+19Fj
					; CmpMachineHiveCallbackFatalFilter(x,x)+360j ...
		push	offset byte_401802
		push	922h
		push	ebx
		push	[ebp+var_80]
		xor	edx, edx
		mov	[ebp+var_3C], offset _CmPerfCounters
		inc	edx
		mov	[ebp+var_38], esi
		lea	ecx, [ebp+var_3C]
		mov	[ebp+var_34], 58h
		mov	[ebp+var_30], esi
		call	_EtwTraceSiloDcEvent@24	; EtwTraceSiloDcEvent(x,x,x,x,x,x)
		mov	ecx, [ebp+ms_exc.msEH_ptr]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_CmpMachineHiveCallbackFatalFilter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpEtwDumpKcb(x, x)
_CmpEtwDumpKcb@8 proc near		; CODE XREF: CmpLinkHiveToMaster+182DA6p
					; CmpCleanUpKcbCacheWithLock+1154FEp ...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_48], edx
		mov	edx, ds:_CmpTraceRoutine
		lea	edi, [ebp+var_40]
		push	8
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_4C], edx
		rep stosd
		lea	edi, [ebp+var_1C]
		push	6
		pop	ecx
		rep stosd
		test	edx, edx
		jz	short loc_93BF78
		lea	ecx, [ebp+var_1C]
		call	CmpAttachToRegistryProcess
		xor	edi, edi
		lea	edx, [ebp+var_44]
		mov	ecx, ebx
		mov	[ebp+var_44], edi
		call	CmpConstructNameWithStatus
		cmp	[ebp+var_44], edi
		jz	short loc_93BF6E
		push	[ebp+var_44]
		lea	eax, [ebp+var_40]
		push	ebx
		push	edi
		push	edi
		push	eax
		push	[ebp+var_48]
		call	[ebp+var_4C]
		mov	ecx, [ebp+var_44]
		mov	edx, 624E4D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_93BF6E:				; CODE XREF: CmpEtwDumpKcb(x,x)+52j
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_93BF78:				; CODE XREF: CmpEtwDumpKcb(x,x)+36j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpEtwDumpKcb@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpFlushTraceLoggingProvider()
_CmpFlushTraceLoggingProvider@0	proc near ; CODE XREF: CmShutdownSystem(x)+62p
		mov	edi, edi
		push	ecx
		call	_CmpFlushUnsupportedOperationTelemetry@0 ; CmpFlushUnsupportedOperationTelemetry()
		mov	ecx, offset dword_6B2348
		call	_TlgAggregateFlush@4 ; TlgAggregateFlush(x)
		pop	ecx
		retn
_CmpFlushTraceLoggingProvider@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogHiveDestroyEvent(x)
_CmpLogHiveDestroyEvent@4 proc near	; CODE XREF: CmpRemoveHiveFromNamespace(x,x,x)+72p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_5C], ecx
		push	esi
		xor	edx, edx
		mov	[ebp+var_58], ebx
		mov	esi, [ecx+4B4h]
		lea	eax, [ebp+var_5C]
		push	edi
		mov	edi, [ecx+4BCh]
		inc	edx
		mov	[ebp+var_54], eax
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], 4
		mov	[ebp+var_48], ebx
		push	2
		test	esi, esi
		jz	short loc_93BFF7
		movzx	eax, word ptr [ecx+4B0h]
		mov	[ebp+var_44], esi
		pop	esi
		mov	[ebp+var_40], ebx
		mov	edx, esi
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], ebx
		jmp	short loc_93BFF8
; 

loc_93BFF7:				; CODE XREF: CmpLogHiveDestroyEvent(x)+43j
		pop	esi

loc_93BFF8:				; CODE XREF: CmpLogHiveDestroyEvent(x)+5Bj
		mov	eax, edx
		lea	ebx, [ebp+var_58]
		add	eax, eax
		mov	[ebp+eax*8+var_54], ebx
		xor	ebx, ebx
		inc	edx
		mov	[ebp+eax*8+var_50], ebx
		mov	[ebp+eax*8+var_4C], esi
		mov	[ebp+eax*8+var_48], ebx
		test	edi, edi
		jz	short loc_93C032
		movzx	ecx, word ptr [ecx+4B8h]
		mov	eax, edx
		add	eax, eax
		inc	edx
		mov	[ebp+eax*8+var_54], edi
		mov	[ebp+eax*8+var_50], ebx
		mov	[ebp+eax*8+var_4C], ecx
		mov	[ebp+eax*8+var_48], ebx

loc_93C032:				; CODE XREF: CmpLogHiveDestroyEvent(x)+7Aj
		mov	eax, edx
		lea	ecx, [ebp+var_58]
		add	eax, eax
		inc	edx
		push	offset loc_501902
		push	925h
		push	41000000h
		mov	[ebp+eax*8+var_54], ecx
		lea	ecx, [ebp+var_54]
		mov	[ebp+eax*8+var_50], ebx
		mov	[ebp+eax*8+var_4C], esi
		mov	[ebp+eax*8+var_48], ebx
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpLogHiveDestroyEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogHiveInitializeEvent(x, x, x, x)
_CmpLogHiveInitializeEvent@16 proc near	; CODE XREF: CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+883p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], ecx
		mov	eax, [ecx+20h]
		mov	ecx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	eax, [eax+28h]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_74], esi
		mov	[ebp+var_60], esi
		mov	[ebp+var_58], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], esi
		push	4
		pop	edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_2C], edx
		test	ecx, ecx
		jz	short loc_93C0F6
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_93C0F6
		mov	[ebp+var_24], eax
		movzx	eax, word ptr [ecx]
		push	5
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], esi
		pop	edx

loc_93C0F6:				; CODE XREF: CmpLogHiveInitializeEvent(x,x,x,x)+6Bj
					; CmpLogHiveInitializeEvent(x,x,x,x)+72j
		mov	eax, edx
		lea	ecx, [ebp+var_74]
		add	eax, eax
		inc	edx
		push	offset loc_501902
		push	924h
		push	41000000h
		mov	[ebp+eax*8+var_64], ecx
		lea	ecx, [ebp+var_64]
		mov	[ebp+eax*8+var_60], esi
		mov	[ebp+eax*8+var_5C], 2
		mov	[ebp+eax*8+var_58], esi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_CmpLogHiveInitializeEvent@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogHiveLinkEvent(x, x)
_CmpLogHiveLinkEvent@8 proc near	; CODE XREF: CmpLinkHiveToMaster+182E26p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, edx
		mov	[ebp+var_38], ecx
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_2C], 4
		xor	edx, edx
		mov	[ebp+var_34], ecx
		push	esi
		mov	ecx, [eax+4]
		xor	esi, esi
		inc	edx
		mov	[ebp+var_3C], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], esi
		test	ecx, ecx
		jz	short loc_93C184
		movzx	eax, word ptr [eax]
		push	2
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], esi
		pop	edx

loc_93C184:				; CODE XREF: CmpLogHiveLinkEvent(x,x)+38j
		mov	eax, edx
		lea	ecx, [ebp+var_3C]
		add	eax, eax
		inc	edx
		push	offset loc_501902
		push	926h
		push	41000000h
		mov	[ebp+eax*8+var_34], ecx
		lea	ecx, [ebp+var_34]
		mov	[ebp+eax*8+var_30], esi
		mov	[ebp+eax*8+var_2C], 2
		mov	[ebp+eax*8+var_28], esi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpLogHiveLinkEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogHiveRundownEvent(x, x, x)
_CmpLogHiveRundownEvent@12 proc	near	; CODE XREF: CmpMachineHiveCallbackFatalFilter(x,x)+200p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_7C], ecx
		xor	edx, edx
		lea	eax, [ecx+490h]
		push	edi
		mov	[ebp+var_78], edx
		mov	esi, [ecx+4B4h]
		mov	edi, [ecx+4BCh]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_64], eax
		lea	eax, [ecx+0BECh]
		mov	[ebp+var_70], edx
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_6C], 8
		mov	[ebp+var_5C], 4
		mov	[ebp+var_54], eax
		mov	[ebp+var_4C], 4
		push	3
		pop	edx
		test	esi, esi
		jz	short loc_93C24D
		movzx	eax, word ptr [ecx+4B0h]
		mov	[ebp+var_44], esi
		xor	esi, esi
		push	4
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], esi
		pop	edx

loc_93C24D:				; CODE XREF: CmpLogHiveRundownEvent(x,x,x)+6Fj
		mov	eax, edx
		lea	esi, [ebp+var_78]
		add	eax, eax
		mov	[ebp+eax*8+var_74], esi
		xor	esi, esi
		inc	edx
		mov	[ebp+eax*8+var_70], esi
		mov	[ebp+eax*8+var_6C], 2
		mov	[ebp+eax*8+var_68], esi
		test	edi, edi
		jz	short loc_93C28B
		movzx	ecx, word ptr [ecx+4B8h]
		mov	eax, edx
		add	eax, eax
		inc	edx
		mov	[ebp+eax*8+var_74], edi
		mov	[ebp+eax*8+var_70], esi
		mov	[ebp+eax*8+var_6C], ecx
		mov	[ebp+eax*8+var_68], esi

loc_93C28B:				; CODE XREF: CmpLogHiveRundownEvent(x,x,x)+A9j
		mov	eax, edx
		lea	ecx, [ebp+var_78]
		add	eax, eax
		inc	edx
		push	offset byte_401802
		push	927h
		push	[ebp+arg_0]
		mov	[ebp+eax*8+var_74], ecx
		lea	ecx, [ebp+var_74]
		push	ebx
		mov	[ebp+eax*8+var_70], esi
		mov	[ebp+eax*8+var_6C], 2
		mov	[ebp+eax*8+var_68], esi
		call	_EtwTraceSiloDcEvent@24	; EtwTraceSiloDcEvent(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpLogHiveRundownEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTraceHiveFlushFinishWaitForActive()
_CmpTraceHiveFlushFinishWaitForActive@0	proc near
					; CODE XREF: CmpWaitOnHiveWriteQueue(x,x):loc_94305Ap

var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_FLUSH_FINISH_WAIT_FOR_ACTIVE
		lea	edi, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93C319
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_93C319:				; CODE XREF: CmpTraceHiveFlushFinishWaitForActive()+39j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpTraceHiveFlushFinishWaitForActive@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTraceHiveFlushStartWaitForActive()
_CmpTraceHiveFlushStartWaitForActive@0 proc near
					; CODE XREF: CmpWaitOnHiveWriteQueue(x,x)+56p

var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_FLUSH_START_WAIT_FOR_ACTIVE
		lea	edi, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93C372
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_93C372:				; CODE XREF: CmpTraceHiveFlushStartWaitForActive()+39j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpTraceHiveFlushStartWaitForActive@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTraceHiveMountLogEntryApplied(x,	x)
_CmpTraceHiveMountLogEntryApplied@8 proc near
					; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+130p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_MOUNT_LOG_ENTRY_APPLIED
		mov	[ebp+var_40], edx
		lea	edi, [ebp+var_38]
		mov	[ebp+var_3C], ecx
		lea	eax, [ebp+var_38]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93C3F6
		push	4
		pop	ecx
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_28], eax
		xor	edx, edx
		lea	eax, [ebp+var_40]
		mov	[ebp+var_24], edx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		push	edx
		lea	eax, [ebp+var_38]
		mov	[ebp+var_1C], edx
		push	eax
		push	esi
		push	edi
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_93C3F6:				; CODE XREF: CmpTraceHiveMountLogEntryApplied(x,x)+3Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpTraceHiveMountLogEntryApplied@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTraceHiveRestoreStart(x,	x)
_CmpTraceHiveRestoreStart@8 proc near	; CODE XREF: CmRestoreKey(x,x,x,x)+10Bp

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_50], 0
		lea	eax, [ebp+var_48]
		and	[ebp+var_4C], 0
		push	ebx
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_RESTORE_START
		mov	[ebp+var_58], edx
		lea	edi, [ebp+var_48]
		mov	ebx, ecx
		push	eax
		push	ds:dword_A93DD4
		movsd
		push	ds:_EtwpRegTraceHandle
		movsd
		movsd
		movsd
		call	EtwEventEnabled
		test	al, al
		jz	loc_93C4E0
		xor	esi, esi
		mov	ecx, esi
		test	ebx, ebx
		jz	short loc_93C47B
		lea	edx, [ebp+var_50]
		mov	ecx, ebx
		call	CmpQueryNameString
		test	eax, eax
		js	short loc_93C4E0
		mov	eax, [ebp+var_4C]
		xor	ecx, ecx
		mov	[ebp+var_38], eax
		inc	ecx
		movzx	eax, word ptr [ebp+var_50]
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], esi

loc_93C47B:				; CODE XREF: CmpTraceHiveRestoreStart(x,x)+51j
		mov	eax, ecx
		mov	[ebp+var_54], esi
		add	eax, eax
		lea	edx, [ebp+var_54]
		mov	[ebp+eax*8+var_38], edx
		lea	edx, [ebp+var_58]
		mov	[ebp+eax*8+var_34], esi
		mov	[ebp+eax*8+var_30], 2
		mov	[ebp+eax*8+var_2C], esi
		lea	eax, [ecx+1]
		add	eax, eax
		mov	[ebp+eax*8+var_38], edx
		mov	[ebp+eax*8+var_34], esi
		mov	[ebp+eax*8+var_30], 4
		mov	[ebp+eax*8+var_2C], esi
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ecx+2]
		push	eax
		push	esi
		lea	eax, [ebp+var_48]
		push	eax
		push	ds:dword_A93DD4
		push	ds:_EtwpRegTraceHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		test	ebx, ebx
		jz	short loc_93C4E0
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_93C4E0:				; CODE XREF: CmpTraceHiveRestoreStart(x,x)+45j
					; CmpTraceHiveRestoreStart(x,x)+5Fj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpTraceHiveRestoreStart@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTraceHiveRestoreStop(x)
_CmpTraceHiveRestoreStop@4 proc	near	; CODE XREF: CmRestoreKey(x,x,x,x)+1ABp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_RESTORE_STOP
		mov	[ebp+var_2C], ecx
		lea	edi, [ebp+var_28]
		lea	eax, [ebp+var_28]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93C554
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_10], 4
		mov	[ebp+var_18], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], ecx
		push	eax
		push	1
		push	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_C], ecx
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_93C554:				; CODE XREF: CmpTraceHiveRestoreStop(x)+3Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpTraceHiveRestoreStop@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTraceHiveSaveFileCopied()
_CmpTraceHiveSaveFileCopied@0 proc near	; CODE XREF: CmSaveKey(x,x,x,x)+25Cp

var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_SAVE_FILE_COPIED
		lea	edi, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93C5AD
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_93C5AD:				; CODE XREF: CmpTraceHiveSaveFileCopied()+39j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpTraceHiveSaveFileCopied@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTraceHiveSaveStart(x)
_CmpTraceHiveSaveStart@4 proc near	; CODE XREF: CmSaveKey(x,x,x,x)+F4p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_SAVE_START
		lea	edi, [ebp+var_38]
		lea	eax, [ebp+var_38]
		mov	ebx, ecx
		push	eax
		push	ds:dword_A93DD4
		movsd
		push	ds:_EtwpRegTraceHandle
		movsd
		movsd
		movsd
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93C65D
		xor	edi, edi
		lea	edx, [ebp+var_3C]
		mov	ecx, ebx
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], edi
		call	CmpConstructNameWithStatus
		mov	esi, [ebp+var_3C]
		test	esi, esi
		jz	short loc_93C65D
		movzx	ecx, word ptr [esi]
		mov	eax, [esi+4]
		mov	[ebp+var_28], eax
		mov	eax, ecx
		push	2
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_40]
		pop	ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	ecx
		push	edi
		lea	eax, [ebp+var_38]
		mov	[ebp+var_24], edi
		push	eax
		push	ds:dword_A93DD4
		mov	[ebp+var_1C], edi
		push	ds:_EtwpRegTraceHandle
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	edx, 624E4D43h
		mov	ecx, esi
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_93C65D:				; CODE XREF: CmpTraceHiveSaveStart(x)+3Aj
					; CmpTraceHiveSaveStart(x)+53j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpTraceHiveSaveStart@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTraceHiveSaveStop(x)
_CmpTraceHiveSaveStop@4	proc near	; CODE XREF: CmSaveKey(x,x,x,x)+1F7p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_SAVE_STOP
		mov	[ebp+var_2C], ecx
		lea	edi, [ebp+var_28]
		lea	eax, [ebp+var_28]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93C6D1
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_10], 4
		mov	[ebp+var_18], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], ecx
		push	eax
		push	1
		push	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_C], ecx
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_93C6D1:				; CODE XREF: CmpTraceHiveSaveStop(x)+3Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpTraceHiveSaveStop@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTraceHiveSaveTreeCopied()
_CmpTraceHiveSaveTreeCopied@0 proc near	; CODE XREF: CmSaveKey(x,x,x,x)+295p

var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_HIVE_SAVE_TREE_COPIED
		lea	edi, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93C72A
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_93C72A:				; CODE XREF: CmpTraceHiveSaveTreeCopied()+39j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpTraceHiveSaveTreeCopied@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTraceShutdownFlushStart()
_CmpTraceShutdownFlushStart@0 proc near	; CODE XREF: CmShutdownSystem(x)+1ADp

var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_SHUTDOWN_FLUSH_START
		lea	edi, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93C783
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_93C783:				; CODE XREF: CmpTraceShutdownFlushStart()+39j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpTraceShutdownFlushStart@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTraceShutdownFlushStop()
_CmpTraceShutdownFlushStop@0 proc near	; CODE XREF: CmShutdownSystem(x)+1E7p

var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_SHUTDOWN_FLUSH_STOP
		lea	edi, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93C7DC
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_93C7DC:				; CODE XREF: CmpTraceShutdownFlushStop()+39j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpTraceShutdownFlushStop@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTraceShutdownRundownComplete()
_CmpTraceShutdownRundownComplete@0 proc	near ; CODE XREF: CmShutdownSystem(x)+5Dp

var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_SHUTDOWN_RUNDOWN_COMPLETE
		lea	edi, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93C835
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_93C835:				; CODE XREF: CmpTraceShutdownRundownComplete()+39j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpTraceShutdownRundownComplete@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTraceShutdownStart()
_CmpTraceShutdownStart@0 proc near	; CODE XREF: CmShutdownSystem(x):loc_93CEE8p

var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_SHUTDOWN_START
		lea	edi, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93C88E
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_93C88E:				; CODE XREF: CmpTraceShutdownStart()+39j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpTraceShutdownStart@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTraceShutdownStop()
_CmpTraceShutdownStop@0	proc near	; CODE XREF: CmShutdownSystem(x):loc_93D1BFp

var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, offset _REGISTRY_PERF_EVENT_SHUTDOWN_STOP
		lea	edi, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ds:dword_A93DD4
		mov	edi, ds:_EtwpRegTraceHandle
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_93C8E7
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_93C8E7:				; CODE XREF: CmpTraceShutdownStop()+39j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpTraceShutdownStop@0	endp


;  S U B	R O U T	I N E 


__tlgDefineProvider_annotation__TlgCmpTraceLoggingHandleProv proc near
		mov	edi, edi
		retn
__tlgDefineProvider_annotation__TlgCmpTraceLoggingHandleProv endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcRegisterFeatureConfigurationChangeNotification(x, x, x,	x)
_CmFcRegisterFeatureConfigurationChangeNotification@16 proc near
					; CODE XREF: RtlRegisterFeatureConfigurationChangeNotification(x,x,x,x)+37p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		mov	edx, ecx
		call	_CmFcManagerRegisterFeatureConfigurationChangeNotification@20 ;	CmFcManagerRegisterFeatureConfigurationChangeNotification(x,x,x,x,x)
		pop	ebp
		retn	8
_CmFcRegisterFeatureConfigurationChangeNotification@16 endp


;  S U B	R O U T	I N E 


; __stdcall CmFcShutdownSystem(x)
_CmFcShutdownSystem@4 proc near		; CODE XREF: CmShutdownSystem(x)+3Fp
		mov	edi, edi
		push	ecx
		cmp	ecx, 1
		jnz	short loc_93C926
		call	_CmFcManagerDrainAllFeatureUsageNotifications@4	; CmFcManagerDrainAllFeatureUsageNotifications(x)
		mov	ecx, offset dword_6B1EB8
		call	_TlgAggregateFlush@4 ; TlgAggregateFlush(x)

loc_93C926:				; CODE XREF: CmFcShutdownSystem(x)+6j
		pop	ecx
		retn
_CmFcShutdownSystem@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmUpdateFeatureConfiguration(x, x, x)
_CmUpdateFeatureConfiguration@12 proc near ; CODE XREF:	PAGE:007B4B84p

var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	34h
		push	offset dword_6A7950
		call	__SEH_prolog4
		mov	[ebp+var_2C], edx
		mov	[ebp+var_30], ecx
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_28], ebx
		xor	eax, eax
		lea	edi, [ebp+var_44]
		stosd
		stosd
		stosd
		stosd
		mov	esi, ebx
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, large fs:124h
		lea	edx, [ebp+var_44]
		push	edx
		push	eax
		push	ecx
		call	SeCaptureSubjectContextEx
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+arg_0]
		push	offset _CmFcFeatureConfigMapping
		push	ebx
		push	ebx
		push	1
		push	ebx
		lea	eax, [ebp+var_44]
		push	eax
		push	_CmFcFeatureConfigSecurityDescriptor
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	bl, al
		lea	eax, [ebp+var_44]
		push	eax
		call	SeReleaseSubjectContext
		test	bl, bl
		jnz	short loc_93C9A9
		mov	edi, [ebp+var_24]
		jmp	loc_93CA69
; 

loc_93C9A9:				; CODE XREF: CmUpdateFeatureConfiguration(x,x,x)+77j
		mov	ebx, [ebp+var_2C]
		cmp	ebx, 10h
		jnb	short loc_93C9BB

loc_93C9B1:				; CODE XREF: CmUpdateFeatureConfiguration(x,x,x)+102j
		mov	edi, 0C0000004h
		jmp	loc_93CA69
; 

loc_93C9BB:				; CODE XREF: CmUpdateFeatureConfiguration(x,x,x)+87j
		push	63466D43h
		mov	edx, ebx
		xor	ecx, ecx
		inc	ecx
		call	_CmpAllocatePoolWithQuotaTag@12	; CmpAllocatePoolWithQuotaTag(x,x,x)
		mov	esi, eax
		mov	[ebp+arg_0], esi
		test	esi, esi
		jnz	short loc_93C9DD
		mov	edi, 0C000009Ah
		jmp	loc_93CA69
; 

loc_93C9DD:				; CODE XREF: CmUpdateFeatureConfiguration(x,x,x)+A9j
		and	[ebp+ms_exc.disabled], 0
		push	ebx		; size_t
		push	[ebp+var_30]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [esi+0Ch]
		mov	eax, edi
		push	20h
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_20]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		jns	short loc_93CA14

loc_93CA0D:				; CODE XREF: CmUpdateFeatureConfiguration(x,x,x)+FDj
					; CmUpdateFeatureConfiguration(x,x,x)+108j
		mov	edi, 0C000000Dh
		jmp	short loc_93CA69
; 

loc_93CA14:				; CODE XREF: CmUpdateFeatureConfiguration(x,x,x)+E3j
		lea	eax, [ebp+var_20]
		push	eax
		push	10h
		pop	edx
		mov	ecx, [ebp+var_20]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_93CA0D
		cmp	[ebp+var_20], ebx
		jnz	short loc_93C9B1
		cmp	dword ptr [esi+8], 1
		jnz	short loc_93CA0D
		push	ecx
		push	edi
		lea	eax, [esi+10h]
		push	eax
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		xor	edx, edx
		inc	edx
		call	_CmFcManagerUpdateFeatureConfigurations@28 ; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)
		mov	edi, eax
		jmp	short loc_93CA69
; 

loc_93CA49:				; DATA XREF: .text:006A7964o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_93CA59:				; DATA XREF: .text:006A7968o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_34]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+arg_0]

loc_93CA69:				; CODE XREF: CmUpdateFeatureConfiguration(x,x,x)+7Cj
					; CmUpdateFeatureConfiguration(x,x,x)+8Ej ...
		test	esi, esi
		jz	short loc_93CA74
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_93CA74:				; CODE XREF: CmUpdateFeatureConfiguration(x,x,x)+143j
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmUpdateFeatureConfiguration@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmUpdateFeatureUsageSubscription(x,	x, x)
_CmUpdateFeatureUsageSubscription@12 proc near ; CODE XREF: PAGE:007B4B96p

var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	2Ch
		push	offset dword_6A7930
		call	__SEH_prolog4
		mov	esi, edx
		mov	[ebp+var_28], ecx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ebx
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		stosd
		stosd
		stosd
		stosd
		mov	edi, ebx
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, large fs:124h
		lea	edx, [ebp+var_3C]
		push	edx
		push	eax
		push	ecx
		call	SeCaptureSubjectContextEx
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+arg_0]
		push	offset _CmFcFeatureConfigMapping
		push	ebx
		push	ebx
		push	2
		push	ebx
		lea	eax, [ebp+var_3C]
		push	eax
		push	_CmFcFeatureConfigSecurityDescriptor
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	bl, al
		lea	eax, [ebp+var_3C]
		push	eax
		call	SeReleaseSubjectContext
		test	bl, bl
		jnz	short loc_93CB08
		mov	esi, [ebp+var_20]
		jmp	loc_93CBB2
; 

loc_93CB08:				; CODE XREF: CmUpdateFeatureUsageSubscription(x,x,x)+76j
		cmp	esi, 4
		jnb	short loc_93CB17

loc_93CB0D:				; CODE XREF: CmUpdateFeatureUsageSubscription(x,x,x)+FAj
		mov	esi, 0C0000004h
		jmp	loc_93CBB2
; 

loc_93CB17:				; CODE XREF: CmUpdateFeatureUsageSubscription(x,x,x)+83j
		push	63466D43h
		mov	edx, esi
		xor	ecx, ecx
		inc	ecx
		call	_CmpAllocatePoolWithQuotaTag@12	; CmpAllocatePoolWithQuotaTag(x,x,x)
		mov	edi, eax
		mov	[ebp+arg_0], edi
		test	edi, edi
		jnz	short loc_93CB36
		mov	esi, 0C000009Ah
		jmp	short loc_93CBB2
; 

loc_93CB36:				; CODE XREF: CmUpdateFeatureUsageSubscription(x,x,x)+A5j
		and	[ebp+ms_exc.disabled], 0
		push	esi		; size_t
		push	[ebp+var_28]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [edi]
		mov	eax, ebx
		push	14h
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_1C]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		jns	short loc_93CB6C

loc_93CB65:				; CODE XREF: CmUpdateFeatureUsageSubscription(x,x,x)+F5j
		mov	esi, 0C000000Dh
		jmp	short loc_93CBB2
; 

loc_93CB6C:				; CODE XREF: CmUpdateFeatureUsageSubscription(x,x,x)+DBj
		lea	eax, [ebp+var_1C]
		push	eax
		push	4
		pop	edx
		mov	ecx, [ebp+var_1C]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_93CB65
		cmp	[ebp+var_1C], esi
		jnz	short loc_93CB0D
		push	ecx		; int
		push	ebx		; size_t
		lea	edx, [edi+4]
		call	_CmFcManagerUpdateFeatureUsageSubscriptions@16 ; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)
		mov	esi, eax
		jmp	short loc_93CBB2
; 

loc_93CB92:				; DATA XREF: .text:006A7944o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_93CBA2:				; DATA XREF: .text:006A7948o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_2C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+arg_0]

loc_93CBB2:				; CODE XREF: CmUpdateFeatureUsageSubscription(x,x,x)+7Bj
					; CmUpdateFeatureUsageSubscription(x,x,x)+8Aj ...
		test	edi, edi
		jz	short loc_93CBBD
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_93CBBD:				; CODE XREF: CmUpdateFeatureUsageSubscription(x,x,x)+12Cj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmUpdateFeatureUsageSubscription@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmQueryRegistryQuotaInformation(x)
_CmQueryRegistryQuotaInformation@4 proc	near ; CODE XREF: PAGE:0077FCB3p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6A79B8
		call	__SEH_prolog4
		mov	esi, ecx
		call	CmpUpdateGlobalQuotaAllowed
		and	[ebp+ms_exc.disabled], 0
		mov	eax, ds:_CmpGlobalQuota
		mov	[esi], eax
		mov	eax, ds:_CmpGlobalQuotaUsed
		mov	[esi+4], eax
		mov	eax, ds:_CmpSizeOfPagedPoolInBytes
		mov	[esi+8], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_93CC25
; 

loc_93CC0A:				; DATA XREF: .text:006A79CCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_93CC18:				; DATA XREF: .text:006A79D0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]

loc_93CC25:				; CODE XREF: CmQueryRegistryQuotaInformation(x)+37j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmQueryRegistryQuotaInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSetRegistryQuotaInformation(x)
_CmSetRegistryQuotaInformation@4 proc near ; CODE XREF:	PAGE:007B36BEp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	10h
		push	offset dword_6A7998
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ecx]
		mov	[ebp+var_20], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ds:_CmpQuotaExplicitlySet, 1
		mov	eax, 7FFFFFFFh
		cmp	ecx, eax
		jbe	short loc_93CC63
		mov	ecx, eax

loc_93CC63:				; CODE XREF: CmSetRegistryQuotaInformation(x)+2Aj
		mov	eax, 1000000h
		cmp	ecx, eax
		jnb	short loc_93CC6E
		mov	ecx, eax

loc_93CC6E:				; CODE XREF: CmSetRegistryQuotaInformation(x)+35j
		mov	ds:_CmpGlobalQuota, ecx
		mov	eax, ecx
		xor	edx, edx
		push	64h
		pop	esi
		div	esi
		imul	eax, 5Fh
		mov	ds:_CmpGlobalQuotaWarning, eax
		mov	ds:_CmpGlobalQuotaAllowed, ecx
		xor	eax, eax
		jmp	short loc_93CCAA
; 

loc_93CC8F:				; DATA XREF: .text:006A79ACo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_93CC9D:				; DATA XREF: .text:006A79B0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]

loc_93CCAA:				; CODE XREF: CmSetRegistryQuotaInformation(x)+58j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmSetRegistryQuotaInformation@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpDoQueueSystemHiveHysteresis(x)
_CmpDoQueueSystemHiveHysteresis@4 proc near
					; CODE XREF: CmpUpdateSystemHiveHysteresis+18B2EEp
					; CmpUpdateSystemHiveHysteresis+18B332p ...
		mov	edi, edi
		push	esi
		push	20204D43h
		push	10h
		push	200h
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_93CCF3
		and	dword ptr [eax], 0
		push	1
		push	eax
		mov	_CmpSystemHiveHysteresisHitRatio, esi
		mov	dword ptr [eax+8], offset _CmpSystemHiveHysteresisWorker@4 ; CmpSystemHiveHysteresisWorker(x)
		mov	[eax+0Ch], eax
		call	ExQueueWorkItem
		mov	al, 1
		pop	esi
		retn
; 

loc_93CCF3:				; CODE XREF: CmpDoQueueSystemHiveHysteresis(x)+18j
		xor	al, al
		pop	esi
		retn
_CmpDoQueueSystemHiveHysteresis@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogEvent(x, x, x)
_CmpLogEvent@12	proc near		; CODE XREF: HvpFinishPrimaryWrite+18AE19p
					; CmpInitHiveFromFile+17DE8Fp

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, _EtwKernelProvRegHandle
		mov	ebx, ecx
		push	edi
		mov	edi, dword_6BC12C
		xor	ecx, ecx
		mov	eax, esi
		mov	[ebp+var_8C], edx
		or	eax, edi
		mov	[ebp+var_88], ecx
		jz	short loc_93CDA6
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_84], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], 4
		mov	[ebp+var_78], ecx
		test	edx, edx
		jz	short loc_93CD94
		movzx	ecx, word ptr [edx]
		and	[ebp+var_70], 0
		mov	ax, cx
		and	[ebp+var_68], 0
		and	[ebp+var_60], 0
		shr	ax, 1
		and	[ebp+var_58], 0
		movzx	eax, ax
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_74], eax
		mov	eax, [edx+4]
		mov	[ebp+var_64], eax
		mov	eax, ecx
		push	3
		mov	[ebp+var_5C], eax
		mov	[ebp+var_6C], 2
		pop	eax

loc_93CD94:				; CODE XREF: CmpLogEvent(x,x,x)+5Bj
		lea	ecx, [ebp+var_84]
		push	ecx
		push	eax
		push	0
		push	ebx
		push	edi
		push	esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_93CDA6:				; CODE XREF: CmpLogEvent(x,x,x)+38j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpLogEvent@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogReorganizeEvent(x, x,	x)
_CmpLogReorganizeEvent@12 proc near	; CODE XREF: CmpReorganizeHive+184D86p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, _EtwKernelProvRegHandle
		mov	eax, esi
		push	edi
		mov	edi, dword_6BC12C
		or	eax, edi
		mov	[ebp+var_4C], edx
		jz	short loc_93CE4A
		movzx	edx, word ptr [ecx]
		mov	ax, dx
		mov	[ebp+var_3C], 2
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_44], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_34], eax
		mov	eax, edx
		push	ebx
		mov	[ebp+var_2C], eax
		xor	ebx, ebx
		push	4
		pop	ecx
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_40], ebx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	ebx
		push	offset _REG_EVENT_REORGANIZE
		push	edi
		push	esi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	ebx

loc_93CE4A:				; CODE XREF: CmpLogReorganizeEvent(x,x,x)+27j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpLogReorganizeEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpQuotaWarningWorker(x)
_CmpQuotaWarningWorker@4 proc near	; DATA XREF: CmpCanGrowHive+18AA4Eo
					; CmpClaimGlobalQuota+186EDDo

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		xor	esi, esi
		push	esi
		push	[ebp+arg_0]
		mov	[ebp+var_4], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	1		; int
		push	esi		; void *
		push	esi		; int
		push	esi		; int
		push	0C0000256h	; int
		call	_ExRaiseHardError@24 ; ExRaiseHardError(x,x,x,x,x,x)
		pop	esi
		leave
		retn	4
_CmpQuotaWarningWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSystemHiveHysteresisWorker(x)
_CmpSystemHiveHysteresisWorker@4 proc near
					; DATA XREF: CmpDoQueueSystemHiveHysteresis(x)+26o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, _CmpSystemHiveHysteresisCallback
		test	eax, eax
		jz	short loc_93CEAD
		push	_CmpSystemHiveHysteresisHitRatio
		push	_CmpSystemHiveHysteresisContext
		call	eax

loc_93CEAD:				; CODE XREF: CmpSystemHiveHysteresisWorker(x)+16j
		pop	ebp
		retn	4
_CmpSystemHiveHysteresisWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmShutdownSystem(x)
_CmShutdownSystem@4 proc near		; CODE XREF: PopGracefulShutdown(x)+FEp
					; PopGracefulShutdown(x)+163p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edx, ecx
		lea	edi, [ebp+var_1C]
		push	6
		xor	eax, eax
		pop	ecx
		rep stosd
		test	edx, edx
		jnz	short loc_93CEE8
		and	_CmpDoIdleProcessing, eax
		mov	_CmpNoMoreTx, 1
		jmp	loc_93D1C4
; 

loc_93CEE8:				; CODE XREF: CmShutdownSystem(x)+23j
		call	_CmpTraceShutdownStart@0 ; CmpTraceShutdownStart()
		xor	ecx, ecx
		inc	ecx
		call	_CmFcShutdownSystem@4 ;	CmFcShutdownSystem(x)
		mov	ecx, ds:_CmpRegistryRootObject
		test	ecx, ecx
		jz	short loc_93CF04
		call	ObfDereferenceObject

loc_93CF04:				; CODE XREF: CmShutdownSystem(x)+4Cj
		call	_CmpRecordShutdownStopTime@0 ; CmpRecordShutdownStopTime()
		call	_CmpWaitForShutdownRundownRelease@0 ; CmpWaitForShutdownRundownRelease()
		call	_CmpTraceShutdownRundownComplete@0 ; CmpTraceShutdownRundownComplete()
		call	_CmpFlushTraceLoggingProvider@0	; CmpFlushTraceLoggingProvider()
		call	_LockShutdownExclusive@0 ; LockShutdownExclusive()
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	eax, _CmpActiveHiveRundownCount
		xor	ebx, ebx
		mov	[ebp+var_20], eax
		cmp	eax, ebx
		jle	short loc_93CF6B
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()

loc_93CF3F:				; CODE XREF: CmShutdownSystem(x)+AEj
		push	ebx
		push	4
		lea	eax, [ebp+var_20]
		mov	edx, offset _CmpActiveHiveRundownCount
		push	eax
		mov	ecx, offset _CmpActiveHiveRundownEvent
		call	ExBlockOnAddressPushLock
		mov	eax, _CmpActiveHiveRundownCount
		mov	[ebp+var_20], eax
		cmp	eax, ebx
		jg	short loc_93CF3F
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()

loc_93CF6B:				; CODE XREF: CmShutdownSystem(x)+82j
		xor	ecx, ecx
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_93CFC7

loc_93CF78:				; CODE XREF: CmShutdownSystem(x)+112j
		mov	ecx, [esi+9A0h]
		mov	dl, 1
		call	_CmCloseRmHandle@8 ; CmCloseRmHandle(x,x)
		mov	ecx, [esi+9A0h]
		mov	edi, eax
		call	_CmCloseTmHandle@8 ; CmCloseTmHandle(x,x)
		mov	ebx, eax
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		test	edi, edi
		jz	short loc_93CFAE
		push	edi
		call	_ZwClose@4	; ZwClose(x)
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_93CFAE:				; CODE XREF: CmShutdownSystem(x)+EFj
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	ecx, esi
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_93CF78
		xor	ebx, ebx

loc_93CFC7:				; CODE XREF: CmShutdownSystem(x)+C5j
		cmp	ds:_CmFirstTime, 0
		jnz	short loc_93CFD5
		call	_CmpShutdownWorkers@0 ;	CmpShutdownWorkers()

loc_93CFD5:				; CODE XREF: CmShutdownSystem(x)+11Dj
		mov	ecx, esi
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	edi, 90h
		jmp	short loc_93D013
; 

loc_93CFE3:				; CODE XREF: CmShutdownSystem(x)+166j
		mov	eax, [esi+9A0h]
		test	eax, eax
		jz	short loc_93D00C
		mov	edx, [esi+20h]
		add	eax, 8
		add	edx, edi
		mov	ecx, [edx]
		cmp	[eax], eax
		jnz	short loc_93D000
		and	ecx, 0FFFFFFFEh
		jmp	short loc_93D003
; 

loc_93D000:				; CODE XREF: CmShutdownSystem(x)+148j
		or	ecx, 1

loc_93D003:				; CODE XREF: CmShutdownSystem(x)+14Dj
		mov	[edx], ecx
		mov	ecx, esi
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)

loc_93D00C:				; CODE XREF: CmShutdownSystem(x)+13Aj
		mov	ecx, esi
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)

loc_93D013:				; CODE XREF: CmShutdownSystem(x)+130j
		mov	esi, eax
		test	esi, esi
		jnz	short loc_93CFE3
		mov	eax, _CmRmSystem
		mov	esi, dword_6B179C
		test	eax, eax
		jz	short loc_93D047
		mov	edx, [esi+20h]
		add	eax, 8
		add	edx, edi
		mov	ecx, [edx]
		cmp	[eax], eax
		jnz	short loc_93D03B
		and	ecx, 0FFFFFFFEh
		jmp	short loc_93D03E
; 

loc_93D03B:				; CODE XREF: CmShutdownSystem(x)+183j
		or	ecx, 1

loc_93D03E:				; CODE XREF: CmShutdownSystem(x)+188j
		mov	[edx], ecx
		mov	ecx, esi
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)

loc_93D047:				; CODE XREF: CmShutdownSystem(x)+175j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		call	_UnlockShutdown@0 ; UnlockShutdown()
		lea	ecx, [ebp+var_1C]
		call	CmpAttachToRegistryProcess
		call	_CmpTraceShutdownFlushStart@0 ;	CmpTraceShutdownFlushStart()
		xor	ecx, ecx
		jmp	short loc_93D08D
; 

loc_93D067:				; CODE XREF: CmShutdownSystem(x)+1E5j
		cmp	ds:_CmpNoWrite,	0
		jnz	short loc_93D08B
		test	byte ptr [esi+64h], 2
		jnz	short loc_93D08B
		push	0Ch
		pop	edx
		mov	ecx, esi
		call	CmpFlushHive
		test	eax, eax
		setns	al
		mov	[esi+0BF8h], al

loc_93D08B:				; CODE XREF: CmShutdownSystem(x)+1BDj
					; CmShutdownSystem(x)+1C3j
		mov	ecx, esi

loc_93D08D:				; CODE XREF: CmShutdownSystem(x)+1B4j
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_93D067
		call	_CmpTraceShutdownFlushStop@0 ; CmpTraceShutdownFlushStop()
		lea	ecx, [ebp+var_1C]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		call	_LockShutdownExclusive@0 ; LockShutdownExclusive()
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		xor	ecx, ecx
		jmp	short loc_93D0C7
; 

loc_93D0B8:				; CODE XREF: CmShutdownSystem(x)+21Fj
		mov	ecx, [esi+9A0h]
		xor	dl, dl
		call	_CmShutdownCmRM@8 ; CmShutdownCmRM(x,x)
		mov	ecx, esi

loc_93D0C7:				; CODE XREF: CmShutdownSystem(x)+205j
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_93D0B8
		xor	ecx, ecx
		jmp	loc_93D15F
; 

loc_93D0D9:				; CODE XREF: CmShutdownSystem(x)+2B7j
		mov	ecx, esi
		call	_CmpUnJoinClassOfTrust@4 ; CmpUnJoinClassOfTrust(x)
		mov	ecx, esi
		call	_CmpVERemoveHiveFromSIDMappingTable@4 ;	CmpVERemoveHiveFromSIDMappingTable(x)
		mov	edi, [esi+0C8h]
		lea	ecx, [ebp+var_1C]
		add	edi, 1000h
		call	CmpAttachToRegistryProcess
		mov	ecx, esi
		call	HvHiveCleanup
		lea	ecx, [ebp+var_1C]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		cmp	byte ptr [esi+0BF8h], 0
		jz	short loc_93D147
		test	dword ptr [esi+64h], 8000h
		jnz	short loc_93D147
		mov	ecx, [esi+490h]
		mov	eax, [esi+494h]
		sub	ecx, edi
		sbb	eax, ebx
		mov	[ebp+var_24], eax
		js	short loc_93D147
		jg	short loc_93D13B
		cmp	ecx, 100000h
		jbe	short loc_93D147

loc_93D13B:				; CODE XREF: CmShutdownSystem(x)+280j
		push	ebx
		push	ebx
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	CmpDoFileSetSizeEx

loc_93D147:				; CODE XREF: CmShutdownSystem(x)+260j
					; CmShutdownSystem(x)+269j ...
		mov	ecx, esi
		call	_CmpCmdHiveClose@4 ; CmpCmdHiveClose(x)
		mov	ecx, [esi+0BFCh]
		test	ecx, ecx
		jz	short loc_93D15D
		call	CmpVolumeContextDecrementRefCount

loc_93D15D:				; CODE XREF: CmShutdownSystem(x)+2A5j
		mov	ecx, esi

loc_93D15F:				; CODE XREF: CmShutdownSystem(x)+223j
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_93D0D9
		test	byte ptr _PopShutdownCleanly, 8
		mov	ds:_HvShutdownComplete,	1
		jz	short loc_93D18B
		cmp	ds:_CmFirstTime, al
		jnz	short loc_93D18B
		call	_CmpFreeAllMemory@0 ; CmpFreeAllMemory()

loc_93D18B:				; CODE XREF: CmShutdownSystem(x)+2CBj
					; CmShutdownSystem(x)+2D3j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		call	_UnlockShutdown@0 ; UnlockShutdown()
		cmp	ds:_CmpWellKnownVolumeList, 0
		mov	eax, offset _CmpWellKnownVolumeList
		jz	short loc_93D1BF
		mov	esi, eax

loc_93D1AA:				; CODE XREF: CmShutdownSystem(x)+30Cj
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_93D1B6
		call	CmpVolumeContextDecrementRefCount

loc_93D1B6:				; CODE XREF: CmShutdownSystem(x)+2FEj
		add	esi, 8
		mov	eax, esi
		cmp	[esi], ebx
		jnz	short loc_93D1AA

loc_93D1BF:				; CODE XREF: CmShutdownSystem(x)+2F5j
		call	_CmpTraceShutdownStop@0	; CmpTraceShutdownStop()

loc_93D1C4:				; CODE XREF: CmShutdownSystem(x)+32j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmShutdownSystem@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFreeAllMemory()
_CmpFreeAllMemory@0 proc near		; CODE XREF: CmShutdownSystem(x)+2D5p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		rep stosd
		xor	ebx, ebx
		xor	ecx, ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_1D], bl
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_93D2D7

loc_93D20B:				; CODE XREF: CmpFreeAllMemory()+EDj
		mov	edx, [edi+438h]
		xor	ecx, ecx
		mov	eax, [edi+434h]
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		test	edx, edx
		jle	short loc_93D266
		mov	bl, [ebp+var_1D]
		add	eax, 8
		mov	[ebp+var_24], eax

loc_93D22C:				; CODE XREF: CmpFreeAllMemory()+8Bj
		mov	esi, [eax]
		test	esi, esi
		jz	short loc_93D252

loc_93D232:				; CODE XREF: CmpFreeAllMemory()+77j
		lea	ecx, [esi-8]
		test	bl, bl
		jnz	short loc_93D23B
		inc	bl

loc_93D23B:				; CODE XREF: CmpFreeAllMemory()+64j
		push	0
		lea	edx, [ebp+var_2C]
		call	_CmpDumpKeyBodyList@12 ; CmpDumpKeyBodyList(x,x,x)
		mov	esi, [esi+4]
		test	esi, esi
		jnz	short loc_93D232
		mov	eax, [ebp+var_24]
		mov	edx, [ebp+var_28]

loc_93D252:				; CODE XREF: CmpFreeAllMemory()+5Dj
		add	eax, 0Ch
		sub	edx, 1
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], edx
		jnz	short loc_93D22C
		mov	ecx, [ebp+var_2C]
		mov	ebx, [ebp+var_30]

loc_93D266:				; CODE XREF: CmpFreeAllMemory()+4Ej
		mov	eax, [edi+418h]
		add	ebx, ecx
		xor	dl, dl
		mov	[ebp+var_30], ebx
		mov	[ebp+var_1D], dl
		jmp	short loc_93D298
; 

loc_93D278:				; CODE XREF: CmpFreeAllMemory()+C7j
		lea	esi, [eax+8]
		mov	ecx, [esi]
		cmp	ecx, esi
		jz	short loc_93D296

loc_93D281:				; CODE XREF: CmpFreeAllMemory()+BEj
		cmp	dword ptr [ecx+18h], 0
		jz	short loc_93D28D
		test	dl, dl
		jnz	short loc_93D28D
		inc	dl

loc_93D28D:				; CODE XREF: CmpFreeAllMemory()+B2j
					; CmpFreeAllMemory()+B6j
		mov	ecx, [ecx]
		cmp	ecx, esi
		jnz	short loc_93D281
		mov	[ebp+var_1D], dl

loc_93D296:				; CODE XREF: CmpFreeAllMemory()+ACj
		mov	eax, [eax]

loc_93D298:				; CODE XREF: CmpFreeAllMemory()+A3j
		test	eax, eax
		jnz	short loc_93D278
		lea	ecx, [ebp+var_1C]
		call	CmpAttachToRegistryProcess
		mov	ecx, edi
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, edi
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_93D20B
		test	ebx, ebx
		jz	short loc_93D2D7
		push	eax
		push	ebx
		push	1
		push	0Fh
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_93D2D7:				; CODE XREF: CmpFreeAllMemory()+32j
					; CmpFreeAllMemory()+F5j
		push	0
		push	_CmpNameCacheTable
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpFreeAllMemory@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpReadBuildLab(x, x)
_CmpReadBuildLab@8 proc	near		; CODE XREF: CmpRecordShutdownStopTime()+12Bp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_10], ecx
		push	offset ??_C@_1HO@BGPGFBAF@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@ ; "\\REGISTRY\\MACHINE\\SOFTWARE\\MICROSOFT\\WI"...
		lea	eax, [ebp+var_18]
		mov	[ebp+var_4], esi
		push	eax
		mov	ebx, edx
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_18]
		mov	[ebp+var_30], 18h
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_2C], esi
		push	eax
		mov	[ebp+var_24], 240h
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_93D3F0
		push	offset ??_C@_1BC@HJOIIEGB@?$AAB?$AAu?$AAi?$AAl?$AAd?$AAL?$AAa?$AAb@NNGAKEGL@
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		push	esi
		push	2
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_4]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jnz	short loc_93D3F0
		mov	edx, [ebp+var_8]
		xor	ecx, ecx
		push	30384D43h
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_93D3A4

loc_93D39D:				; CODE XREF: CmpReadBuildLab(x,x)+E6j
		mov	edi, 0C000009Ah
		jmp	short loc_93D3F0
; 

loc_93D3A4:				; CODE XREF: CmpReadBuildLab(x,x)+A8j
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_8]
		lea	eax, [ebp+var_18]
		push	esi
		push	2
		push	eax
		push	[ebp+var_4]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_93D3F0
		mov	edx, [esi+8]
		xor	ecx, ecx
		push	30384D43h
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_10]
		mov	[eax], ecx
		test	ecx, ecx
		jz	short loc_93D39D
		push	dword ptr [esi+8] ; size_t
		lea	eax, [esi+0Ch]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [esi+8]
		add	esp, 0Ch
		mov	[ebx], eax

loc_93D3F0:				; CODE XREF: CmpReadBuildLab(x,x)+62j
					; CmpReadBuildLab(x,x)+92j ...
		cmp	[ebp+var_4], 0
		jz	short loc_93D3FE
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_93D3FE:				; CODE XREF: CmpReadBuildLab(x,x)+101j
		test	esi, esi
		jz	short loc_93D409
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_93D409:				; CODE XREF: CmpReadBuildLab(x,x)+10Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpReadBuildLab@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRecordShutdownStopTime()
_CmpRecordShutdownStopTime@0 proc near	; CODE XREF: CmShutdownSystem(x):loc_93CF04p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	edi, [ebp+var_40]
		push	6
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_4], esi
		rep stosd
		xor	ecx, ecx
		mov	[ebp+var_20], esi
		mov	edi, esi
		mov	[ebp+var_1C], esi
		push	30384D43h
		mov	edx, 410h
		mov	[ebp+var_28], esi
		inc	ecx
		mov	[ebp+var_24], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], edi
		mov	[ebp+var_C], esi
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_93D466
		mov	esi, 0C000009Ah
		jmp	loc_93D579
; 

loc_93D466:				; CODE XREF: CmpRecordShutdownStopTime()+4Aj
		push	esi		; int
		push	410h		; int
		push	ebx		; void *
		push	esi		; int
		push	offset ??_C@_1IK@DKMPJJDM@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@ ; void	*
		push	esi		; int
		push	offset ??_C@_1BK@DJDGPBNF@?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@ ; int
		call	RtlGetPersistedStateLocation
		mov	esi, eax
		test	esi, esi
		js	loc_93D572
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ecx, ecx
		mov	[ebp+var_40], 18h
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_40]
		push	ecx
		push	eax
		push	20006h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_34], 240h
		push	eax
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93D572
		lea	eax, [ebp+var_28]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_14]
		push	offset ??_C@_1DI@KMNHGFKK@?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAS?$AAt?$AAo?$AAp?$AAT?$AAi?$AAm@NNGAKEGL@
		push	eax
		mov	[ebp+var_1C], edx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		lea	eax, [ebp+var_20]
		push	eax
		push	0Bh
		push	0
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_93D572
		push	offset ??_C@_1DK@HHNMLAIB@?$AAL?$AAa?$AAs?$AAt?$AAB?$AAo?$AAo?$AAt?$AAP?$AAe?$AAr?$AAf?$AAC?$AAo?$AAu@NNGAKEGL@
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		lea	eax, [ebp+var_28]
		push	eax
		push	0Bh
		push	0
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_93D572
		lea	edx, [ebp+var_C]
		lea	ecx, [ebp+var_8]
		call	_CmpReadBuildLab@8 ; CmpReadBuildLab(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_93D56F
		push	offset ??_C@_1EI@GHNPDKLI@?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAS?$AAt?$AAo?$AAp?$AAT?$AAi?$AAm@NNGAKEGL@
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+var_C]
		mov	edi, [ebp+var_8]
		lea	eax, [ebp+var_14]
		push	edi
		push	1
		push	0
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_93D572
; 

loc_93D56F:				; CODE XREF: CmpRecordShutdownStopTime()+134j
		mov	edi, [ebp+var_8]

loc_93D572:				; CODE XREF: CmpRecordShutdownStopTime()+72j
					; CmpRecordShutdownStopTime()+BBj ...
		mov	ecx, ebx
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_93D579:				; CODE XREF: CmpRecordShutdownStopTime()+51j
		cmp	[ebp+var_4], 0
		jz	short loc_93D587
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_93D587:				; CODE XREF: CmpRecordShutdownStopTime()+16Dj
		test	edi, edi
		jz	short loc_93D592
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_93D592:				; CODE XREF: CmpRecordShutdownStopTime()+179j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmpRecordShutdownStopTime@0 endp


;  S U B	R O U T	I N E 


; __stdcall CmWorkerEngineDequeueWorkItem(x)
_CmWorkerEngineDequeueWorkItem@4 proc near ; CODE XREF:	CmpUnfreezeHive(x)+2Bp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _CmpWorkerEngineLock
		mov	ecx, edi
		xor	bl, bl
		call	ExAcquireFastMutex
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_93D5CC
		cmp	[eax+4], esi
		jnz	short loc_93D5D9
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_93D5D9
		mov	[ecx], eax
		inc	bl
		mov	[eax+4], ecx
		mov	[esi+4], esi
		mov	[esi], esi

loc_93D5CC:				; CODE XREF: CmWorkerEngineDequeueWorkItem(x)+19j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_93D5D9:				; CODE XREF: CmWorkerEngineDequeueWorkItem(x)+1Ej
					; CmWorkerEngineDequeueWorkItem(x)+25j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmWorkerEngineDequeueWorkItem@4 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall CmCompressKey(x, x)
_CmCompressKey@8 proc near		; CODE XREF: NtCompressKey(x)+11Bp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	esi, ds:_CmpMasterHive
		jz	short loc_93D629
		test	edx, 0FFFFFFFCh
		jnz	short loc_93D629
		cmp	dword ptr [esi+400h], 0
		jz	short loc_93D629
		test	dword ptr [esi+64h], 8003h
		jnz	short loc_93D629
		mov	eax, [esi+20h]
		lea	ecx, [edx-3]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, edx
		mov	[eax+0A8h], ecx
		mov	ecx, esi
		and	dword ptr [eax+0ACh], 0
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)
		xor	eax, eax
		pop	esi
		retn
; 

loc_93D629:				; CODE XREF: CmCompressKey(x,x)+Bj
					; CmCompressKey(x,x)+13j ...
		mov	eax, 0C000000Dh
		pop	esi
		retn
_CmCompressKey@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmEnumerateValueFromLayeredKey(int,int,size_t,int)
_CmEnumerateValueFromLayeredKey@24 proc	near ; CODE XREF: CmEnumerateValueKey+111EBCp

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3A		= word ptr -3Ah
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_84], eax
		mov	esi, ecx
		mov	eax, [ebp+arg_C]
		push	3Ch		; size_t
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_40]
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_4C], edx
		mov	[ebp+var_44], esi
		call	_memset
		xor	eax, eax
		mov	byte ptr [ebp+var_50], 0
		lea	edi, [ebp+var_6C]
		add	esp, 0Ch
		stosd
		lea	ecx, [ebp+var_40] ; void *
		or	ebx, 0FFFFFFFFh
		stosd
		stosd
		stosd
		mov	word ptr [ebp+var_6C+2], bx
		call	_CmpValueEnumStackInitialize@4 ; CmpValueEnumStackInitialize(x)
		mov	edx, [esi+8]
		xor	ecx, ecx
		xor	eax, eax
		mov	[ebp+var_78], ecx
		mov	[ebp+var_7C], ebx
		mov	edi, ecx
		mov	ebx, ecx
		mov	[ebp+var_5C], ecx
		or	[ebp+var_5C], 0FFFFFFFFh
		mov	[ebp+var_58], ecx
		mov	[ebp+var_74], ecx
		or	[ebp+var_74], 0FFFFFFFFh
		mov	[ebp+var_70], ecx
		lea	ecx, [ebp+var_6C]
		mov	word ptr [ebp+var_78], ax
		mov	[ebp+var_54], ebx
		mov	word ptr [ebp+var_58], ax
		mov	word ptr [ebp+var_70], ax
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93D871
		lea	ecx, [ebp+var_6C]
		call	_CmpLockKcbStackShared@4 ; CmpLockKcbStackShared(x)
		mov	esi, [ebp+var_44]
		xor	edx, edx
		mov	ecx, esi
		mov	[ebp+var_50], 1
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jz	short loc_93D70D
		mov	al, [esi+1Ch]
		and	al, 1
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 2A9h
		add	esi, 0C000017Ch
		jmp	loc_93D871
; 

loc_93D70D:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+BEj
		movzx	edx, word ptr [ebp+var_6C+2]
		mov	eax, edx
		test	ax, ax
		jle	loc_93D7CF
		movsx	ecx, ax
		lea	esi, [ebp+var_68]
		mov	eax, [ebp+var_60]
		lea	esi, [esi+ecx*4]
		lea	eax, [eax+ecx*4]
		mov	ecx, [ebp+var_50]
		add	eax, 0FFFFFFF8h

loc_93D731:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+121j
		push	2
		pop	edi
		cmp	dx, di
		mov	edi, eax
		jge	short loc_93D73D
		mov	edi, esi

loc_93D73D:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+109j
		mov	edi, [edi]
		cmp	dword ptr [edi+14h], 0FFFFFFFFh
		jz	short loc_93D747
		mov	bl, cl

loc_93D747:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+113j
		dec	edx
		sub	eax, 4
		sub	esi, 4
		test	dx, dx
		jg	short loc_93D731
		test	bl, bl
		mov	ebx, [ebp+var_54]
		jz	short loc_93D7CF
		push	[ebp+var_44]
		lea	edx, [ebp+var_6C]
		lea	ecx, [ebp+var_40]
		call	_CmpValueEnumStackStartFromKcbStack@12 ; CmpValueEnumStackStartFromKcbStack(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93D871
		lea	ecx, [ebp+var_40]
		call	_CmpValueEnumStackAdvance@4 ; CmpValueEnumStackAdvance(x)
		mov	esi, eax
		test	esi, esi
		js	loc_93D871
		and	[ebp+var_44], ebx
		cmp	[ebp+var_4C], ebx
		jbe	short loc_93D7AA

loc_93D78C:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+178j
		lea	ecx, [ebp+var_40]
		call	_CmpValueEnumStackAdvance@4 ; CmpValueEnumStackAdvance(x)
		mov	esi, eax
		test	esi, esi
		js	loc_93D871
		mov	eax, [ebp+var_44]
		inc	eax
		mov	[ebp+var_44], eax
		cmp	eax, [ebp+var_4C]
		jb	short loc_93D78C

loc_93D7AA:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+15Aj
		mov	ebx, [ebp+var_40]
		movsx	esi, [ebp+var_3A]
		push	2
		pop	ecx
		cmp	[ebp+var_3A], cx
		lfence	eax
		jl	short loc_93D7C6
		mov	eax, [ebp+var_60]
		mov	esi, [eax+esi*4-8]
		jmp	short loc_93D7CA
; 

loc_93D7C6:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+18Bj
		mov	esi, [ebp+esi*4+var_68]

loc_93D7CA:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+194j
		mov	[ebp+var_44], esi
		jmp	short loc_93D82C
; 

loc_93D7CF:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+E6j
					; CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+128j
		mov	edi, [ebp+var_68]
		lea	edx, [ebp+var_5C]
		mov	esi, edi
		mov	ecx, edi
		push	0
		mov	[ebp+var_44], esi
		call	CmpGetKeyNodeForKcb
		mov	ebx, eax
		test	byte ptr [ebx+2], 40h
		jz	short loc_93D7F2
		mov	esi, 0C0000008h
		jmp	short loc_93D871
; 

loc_93D7F2:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+1B9j
		mov	eax, [ebp+var_4C]
		cmp	[ebx+24h], eax
		ja	short loc_93D801
		mov	esi, 8000001Ah
		jmp	short loc_93D871
; 

loc_93D801:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+1C8j
		mov	eax, [ebx+28h]
		lea	edx, [ebp+var_74]
		mov	ecx, [edi+10h]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	ecx, [ebp+var_4C]
		mov	ebx, [eax+ecx*4]
		lea	ecx, [ebp+var_74]
		mov	eax, [edi+10h]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		mov	eax, [edi+10h]
		lea	ecx, [ebp+var_5C]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_93D82C:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+19Dj
		mov	eax, [esi+10h]
		lea	ecx, [ebp+var_7C]
		push	ecx
		push	ebx
		push	eax
		call	dword ptr [eax+4]
		push	[ebp+var_80]	; int
		mov	edx, ebx
		mov	[ebp+var_54], eax
		push	[ebp+arg_8]	; size_t
		mov	ecx, esi
		push	[ebp+var_84]	; int
		push	[ebp+arg_0]	; int
		push	eax		; size_t
		call	CmpQueryKeyValueData
		mov	esi, eax
		test	esi, esi
		js	short loc_93D85C
		xor	esi, esi

loc_93D85C:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+228j
		xor	ebx, ebx
		cmp	[ebp+var_54], ebx
		jz	short loc_93D871
		mov	eax, [ebp+var_44]
		lea	ecx, [ebp+var_7C]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]

loc_93D871:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+9Bj
					; CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+D8j ...
		lea	ecx, [ebp+var_40]
		call	_CmpValueEnumStackCleanup@4 ; CmpValueEnumStackCleanup(x)
		test	ebx, ebx
		jz	short loc_93D888
		mov	eax, [edi+10h]
		lea	ecx, [ebp+var_5C]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_93D888:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+24Bj
		cmp	byte ptr [ebp+var_50], 0
		jz	short loc_93D896
		lea	ecx, [ebp+var_6C]
		call	CmpUnlockKcbStack

loc_93D896:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+25Cj
		mov	ecx, [ebp+var_60]
		test	ecx, ecx
		jz	short loc_93D8A2
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_93D8A2:				; CODE XREF: CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+26Bj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_CmEnumerateValueFromLayeredKey@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmQueryMultipleValueForLayeredKey(x, x, x, x, x, x)
_CmQueryMultipleValueForLayeredKey@24 proc near	; CODE XREF: CmQueryMultipleValueKey+129980p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	6Ch
		push	offset dword_6A79D8
		call	__SEH_prolog4
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], ecx
		xor	eax, eax
		lea	edi, [ebp+var_7C]
		stosd
		stosd
		stosd
		stosd
		or	edx, 0FFFFFFFFh
		mov	word ptr [ebp+var_7C+2], dx
		xor	ebx, ebx
		mov	byte ptr [ebp+var_2C], bl
		mov	edi, ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_64], edx
		xor	eax, eax
		mov	word ptr [ebp+var_60], ax
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_6C], edx
		mov	word ptr [ebp+var_68], ax
		mov	[ebp+var_20], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_1A], bl
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_5C], edx
		mov	word ptr [ebp+var_58], ax
		mov	[ebp+var_24], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_19], bl
		mov	eax, [ecx+8]
		mov	[ebp+var_48], eax
		mov	edx, eax
		lea	ecx, [ebp+var_7C]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93DBC5
		lea	ecx, [ebp+var_7C]
		call	_CmpLockKcbStackShared@4 ; CmpLockKcbStackShared(x)
		xor	eax, eax
		inc	eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_1B], al
		xor	edx, edx
		mov	ecx, [ebp+var_38]
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_93DBC5
		mov	eax, ebx

loc_93D95A:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+2EBj
		mov	[ebp+var_44], eax
		cmp	eax, [ebp+arg_0]
		jnb	loc_93DBA5
		shl	eax, 4
		mov	[ebp+var_50], eax
		mov	ecx, [ebp+var_40]
		mov	esi, [eax+ecx]
		mov	[ebp+var_3C], esi
		movzx	eax, word ptr [esi]
		test	ax, ax
		jz	short loc_93D99C
		mov	edx, [esi+4]
		mov	ecx, eax

loc_93D982:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+E5j
		movzx	eax, cx
		dec	eax
		shr	eax, 1
		cmp	[edx+eax*2], bx
		jnz	short loc_93D99C
		lea	eax, [ecx-2]
		mov	[esi], ax
		movzx	ecx, ax
		test	ax, ax
		jnz	short loc_93D982

loc_93D99C:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+C6j
					; CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+D7j
		or	[ebp+var_30], 0FFFFFFFFh
		mov	eax, [ebp+var_48]
		movzx	ecx, word ptr [eax+22h]
		test	cx, cx
		js	loc_93DA3C

loc_93D9B0:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+181j
		movzx	eax, cx
		mov	[ebp+var_4C], eax
		movsx	edi, cx
		cmp	cx, 2
		jl	short loc_93D9C8
		mov	eax, [ebp+var_70]
		mov	edi, [eax+edi*4-8]
		jmp	short loc_93D9CC
; 

loc_93D9C8:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+108j
		mov	edi, [ebp+edi*4+var_78]

loc_93D9CC:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+111j
		mov	edx, [ebp+var_38]
		mov	ecx, edi
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		cmp	eax, [ebp+var_2C]
		jz	short loc_93DA3C
		cmp	dword ptr [edi+14h], 0FFFFFFFFh
		jz	short loc_93DA2A
		push	ebx
		lea	edx, [ebp+var_6C]
		call	CmpGetKeyNodeForKcb
		lea	ecx, [ebp+var_30]
		push	ecx
		push	ebx
		push	ebx
		push	esi
		lea	edx, [eax+24h]
		mov	ecx, [edi+10h]
		call	_CmpFindNameInListWithStatus@24	; CmpFindNameInListWithStatus(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [edi+10h]
		lea	ecx, [ebp+var_6C]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		test	esi, esi
		jns	short loc_93DA4F
		cmp	esi, 0C0000034h
		jnz	loc_93DBC3
		mov	edx, [ebp+var_38]
		mov	ecx, edi
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		test	eax, eax
		jnz	short loc_93DA3C
		mov	esi, [ebp+var_3C]

loc_93DA2A:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+12Aj
		mov	eax, [ebp+var_4C]
		dec	eax
		movzx	eax, ax
		mov	ecx, eax
		test	ax, ax
		jns	loc_93D9B0

loc_93DA3C:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+F5j
					; CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+124j ...
		mov	esi, [ebp+var_20]

loc_93DA3F:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+19Fj
		cmp	[ebp+var_30], 0FFFFFFFFh
		jnz	short loc_93DA56
		mov	esi, 0C0000034h
		jmp	loc_93DBC3
; 

loc_93DA4F:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+156j
		mov	esi, edi
		mov	[ebp+var_20], esi
		jmp	short loc_93DA3F
; 

loc_93DA56:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+18Ej
		mov	eax, [esi+10h]
		lea	ecx, [ebp+var_64]
		push	ecx
		push	[ebp+var_30]
		push	eax
		call	dword ptr [eax+4]
		mov	edi, eax
		mov	[ebp+var_4C], edi
		mov	ecx, [esi+10h]
		mov	edx, edi
		call	_CmpIsValueTombstone@8 ; CmpIsValueTombstone(x,x)
		test	al, al
		jz	short loc_93DA81
		mov	esi, 0C0000034h
		jmp	loc_93DBC5
; 

loc_93DA81:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+1C0j
		mov	esi, [edi+4]
		cmp	esi, 80000000h
		jb	short loc_93DA92
		add	esi, 80000000h

loc_93DA92:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+1D5j
		mov	[ebp+var_3C], esi
		mov	eax, [ebp+var_24]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_24], eax
		mov	edx, [ebp+var_34]
		add	edx, 3
		and	edx, 0FFFFFFFCh
		mov	[ebp+var_34], edx
		cmp	[ebp+var_19], 0
		jnz	loc_93DB86
		lea	edx, [esi+eax]
		mov	eax, [ebp+arg_8]
		cmp	edx, [eax]
		mov	eax, [ebp+var_24]
		ja	loc_93DB86
		cmp	edx, eax
		jb	loc_93DB86
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_1A]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	edi
		mov	edx, [ebp+var_30]
		call	CmpGetValueData
		test	al, al
		jnz	short loc_93DAF7
		mov	esi, 0C000009Ah
		jmp	loc_93DBC5
; 

loc_93DAF7:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+236j
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [ebp+var_3C]
		push	esi		; size_t
		push	[ebp+var_28]	; void *
		mov	eax, [ebp+var_24]
		add	eax, [ebp+arg_4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [edi+0Ch]
		mov	ecx, [ebp+var_50]
		mov	edx, [ebp+var_40]
		mov	[ecx+edx+0Ch], eax
		mov	[ecx+edx+4], esi
		mov	eax, [ebp+var_24]
		mov	[ecx+edx+8], eax
		add	eax, esi
		mov	[ebp+var_24], eax
		cmp	[ebp+var_1A], 0
		jz	short loc_93DB48
		push	ebx
		push	[ebp+var_28]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [ebp+var_20]
		jmp	short loc_93DB56
; 

loc_93DB48:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+283j
		mov	edi, [ebp+var_20]
		mov	eax, [edi+10h]
		lea	ecx, [ebp+var_5C]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_93DB56:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+291j
		mov	[ebp+var_28], ebx
		mov	ecx, [edi+10h]
		jmp	short loc_93DB8C
; 

loc_93DB5E:				; DATA XREF: .text:006A79ECo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_54], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_93DB6C:				; DATA XREF: .text:006A79F0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_54]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	al, [ebp+var_1B]
		mov	[ebp+var_2C], eax
		mov	edi, [ebp+var_4C]
		jmp	short loc_93DBC5
; 

loc_93DB86:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+1FCj
					; CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+20Dj ...
		mov	al, byte ptr [ebp+var_2C]
		mov	[ebp+var_19], al

loc_93DB8C:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+2A7j
		mov	edi, [ebp+var_34]
		add	edi, esi
		mov	[ebp+var_34], edi
		lea	eax, [ebp+var_64]
		push	eax
		push	ecx
		call	dword ptr [ecx+8]
		mov	eax, [ebp+var_44]
		inc	eax
		jmp	loc_93D95A
; 

loc_93DBA5:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+ABj
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_93DBB6
		mov	[eax], edi

loc_93DBB6:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+2FDj
		cmp	[ebp+var_19], 0
		mov	esi, 80000005h
		jnz	short loc_93DBC3
		mov	esi, ebx

loc_93DBC3:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+15Ej
					; CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+195j ...
		mov	edi, ebx

loc_93DBC5:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+78j
					; CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+9Dj ...
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_93DBD9
		cmp	[ebp+var_1A], 0
		jz	short loc_93DC19
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_93DBD9:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+315j
		mov	ebx, [ebp+var_20]

loc_93DBDC:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+372j
		test	edi, edi
		jz	short loc_93DBEB
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_64]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_93DBEB:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+329j
		cmp	byte ptr [ebp+var_2C], 0
		jz	short loc_93DBF9
		lea	ecx, [ebp+var_7C]
		call	CmpUnlockKcbStack

loc_93DBF9:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+33Aj
		mov	ecx, [ebp+var_70]
		test	ecx, ecx
		jz	short loc_93DC05
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_93DC05:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+349j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_93DC19:				; CODE XREF: CmQueryMultipleValueForLayeredKey(x,x,x,x,x,x)+31Bj
		mov	ebx, [ebp+var_20]
		mov	eax, [ebx+10h]
		lea	ecx, [ebp+var_5C]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		jmp	short loc_93DBDC
_CmQueryMultipleValueForLayeredKey@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmRenameKey(x, x, x, x)
_CmRenameKey@16	proc near		; CODE XREF: NtRenameKey(x,x)+2BDp

var_11E		= byte ptr -11Eh
var_119		= byte ptr -119h
var_118		= dword	ptr -118h
var_112		= byte ptr -112h
var_110		= dword	ptr -110h
var_10C		= byte ptr -10Ch
var_109		= byte ptr -109h
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[esp+110h+var_68], edx
		push	esi
		push	edi
		push	3Ch		; size_t
		push	eax		; int
		mov	[esp+120h+var_F4], eax
		mov	ebx, ecx
		mov	[esp+120h+var_E8], eax
		mov	[esp+120h+var_E4], eax
		mov	[esp+120h+var_A4], eax
		mov	[esp+120h+var_90], eax
		mov	[esp+120h+var_8C], eax
		lea	eax, [esp+120h+var_40]
		push	eax		; void *
		mov	[esp+124h+var_FC], ebx
		call	_memset
		xor	eax, eax
		lea	edi, [esp+124h+var_C0]
		stosd
		lea	ecx, [esp+124h+var_40]
		xor	edx, edx
		or	esi, 0FFFFFFFFh
		mov	[esp+124h+var_74], edx
		add	esp, 0Ch
		mov	[esp+118h+var_9C], edx
		stosd
		mov	[esp+118h+var_6C], edx
		mov	[esp+118h+var_94], edx
		mov	[esp+118h+var_7C], edx
		stosd
		xor	eax, eax
		lea	edi, [esp+118h+var_64]
		mov	[esp+118h+var_B4], edx
		stosd
		mov	[esp+118h+var_108], edx
		mov	[esp+118h+var_104], edx
		mov	[esp+118h+var_100], edx
		stosd
		mov	[esp+118h+var_EC], edx
		mov	[esp+118h+var_F0], edx
		mov	[esp+118h+var_78], esi
		stosd
		mov	[esp+118h+var_A0], esi
		mov	[esp+118h+var_C8], esi
		mov	[esp+118h+var_70], esi
		stosd
		xor	eax, eax
		lea	edi, [esp+118h+var_50]
		mov	word ptr [esp+118h+var_64+2], si
		stosd
		mov	[esp+118h+var_98], esi
		mov	[esp+118h+var_A8], esi
		mov	[esp+118h+var_D8], edx
		stosd
		mov	[esp+118h+var_80], esi
		mov	[esp+118h+var_B0], edx
		stosd
		stosd
		xor	eax, eax
		mov	word ptr [esp+118h+var_74], ax
		mov	word ptr [esp+118h+var_9C], ax
		mov	[esp+118h+var_CC], eax
		mov	[esp+118h+var_84], eax
		mov	word ptr [esp+118h+var_6C], ax
		mov	word ptr [esp+118h+var_94], ax
		mov	word ptr [esp+118h+var_7C], ax
		mov	eax, esi
		mov	word ptr [esp+118h+var_50+2], si
		mov	[esp+118h+var_D4], eax
		mov	[esp+118h+var_E0], eax
		mov	[esp+118h+var_D0], eax
		mov	[esp+118h+var_DC], eax
		call	_CmpSubtreeEnumeratorInitialize@4 ; CmpSubtreeEnumeratorInitialize(x)
		lea	ecx, [esp+118h+var_E8]
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		lea	eax, [esp+118h+var_90]
		push	eax
		call	KeQuerySystemTime
		call	_CmpIsShutdownRundownActive@0 ;	CmpIsShutdownRundownActive()
		test	al, al
		jnz	loc_93E9F8

loc_93DD9B:				; CODE XREF: CmRenameKey(x,x,x,x)+649j
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	edi, [ebx+8]
		lea	ecx, [esp+118h+var_64]
		mov	edx, edi
		mov	[esp+118h+var_109], 1
		mov	[esp+118h+var_108], edi
		mov	esi, [edi+24h]
		mov	[esp+118h+var_104], esi
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_93E9F2
		mov	edx, esi
		lea	ecx, [esp+118h+var_50]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_93E9F2
		test	dword ptr [edi+4], 180h
		jnz	loc_93E9ED
		mov	ecx, edi
		call	_CmpIsKcbImmutable@4 ; CmpIsKcbImmutable(x)
		test	al, al
		jnz	loc_93E9ED
		mov	eax, [edi+10h]
		cmp	eax, ds:_CmpMasterHive
		jz	loc_93E9ED
		test	dword ptr [edi+68h], 40000h
		jnz	loc_93E9ED
		mov	ecx, [esp+118h+var_FC]
		xor	edx, edx
		call	CmpPerformKeyBodyDeletionCheck
		mov	ebx, eax
		test	ebx, ebx
		js	loc_93E9F2
		mov	eax, [esp+118h+var_FC]
		xor	ecx, ecx
		cmp	[eax+20h], ecx
		jnz	short loc_93DE48
		cmp	[eax+24h], ecx
		jnz	short loc_93DE48
		mov	eax, ecx
		mov	[esp+118h+var_F4], eax
		jmp	short loc_93DE7A
; 

loc_93DE48:				; CODE XREF: CmRenameKey(x,x,x,x)+210j
					; CmRenameKey(x,x,x,x)+215j
		lea	edx, [esp+118h+var_F4]
		mov	ecx, eax
		call	CmpTransSearchAddTransFromKeyBody
		mov	ebx, eax
		test	ebx, ebx
		js	loc_93E9F2
		mov	edx, [esp+118h+var_F4]
		mov	ecx, [esp+118h+var_FC]
		call	CmpPerformKeyBodyDeletionCheck
		mov	ebx, eax
		test	ebx, ebx
		js	loc_93E9F2
		mov	eax, [esp+118h+var_F4]
		xor	ecx, ecx

loc_93DE7A:				; CODE XREF: CmRenameKey(x,x,x,x)+21Dj
		cmp	[edi+22h], cx
		jz	short loc_93DE88
		test	eax, eax
		jnz	loc_93E277

loc_93DE88:				; CODE XREF: CmRenameKey(x,x,x,x)+255j
		test	eax, eax
		jnz	loc_93E9E6
		push	ecx
		push	4
		push	[esp+120h+var_68]
		xor	edx, edx
		lea	ecx, [esp+124h+var_50]
		call	_CmpCheckKcbStackAccess@20 ; CmpCheckKcbStackAccess(x,x,x,x,x)
		mov	ebx, eax
		xor	eax, eax
		test	ebx, ebx
		js	loc_93E9F4
		push	ecx
		xor	ecx, ecx
		cmp	[edi+22h], cx
		lea	ecx, [esp+11Ch+var_64]
		setz	al
		xor	edx, edx
		dec	eax
		and	eax, 20019h
		add	eax, 10000h
		push	eax
		push	[esp+120h+var_68]
		call	_CmpDoAccessCheckOnKcbSubtree@20 ; CmpDoAccessCheckOnKcbSubtree(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_93E9F2
		push	1
		lea	eax, [esp+11Ch+var_E8]
		xor	edx, edx
		push	eax
		mov	ecx, edi
		call	CmpFlushNotifiesOnKeyBodyList
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	1
		mov	ecx, edi
		call	CmpReportNotify
		lea	eax, [esp+118h+var_C0]
		mov	dl, 1
		push	eax
		push	ecx
		mov	ecx, edi
		call	CmpTryAcquireKcbIXLocks
		mov	ebx, eax
		cmp	ebx, 0C000022Dh
		jnz	short loc_93DF27
		mov	byte ptr [esp+0Dh], 1
		jmp	short loc_93DF35
; 

loc_93DF27:				; CODE XREF: CmRenameKey(x,x,x,x)+2F5j
		xor	eax, eax
		mov	[esp+0Dh], al
		test	ebx, ebx
		js	loc_93E9F4

loc_93DF35:				; CODE XREF: CmRenameKey(x,x,x,x)+2FCj
		lea	eax, [esp+118h+var_C0]
		mov	dl, 1
		push	eax
		push	ecx
		mov	ecx, esi
		call	CmpTryAcquireKcbIXLocks
		mov	ebx, eax
		cmp	ebx, 0C000022Dh
		jz	loc_93E1F0
		test	ebx, ebx
		js	loc_93E9F2
		cmp	byte ptr [esp+0Dh], 0
		jnz	loc_93E1F0
		mov	ebx, [esp+118h+var_104]
		or	eax, 0FFFFFFFFh
		or	[esp+118h+var_C4], 0FFFFFFFFh
		mov	[esp+118h+var_F8], eax
		mov	[esp+118h+var_AC], eax
		xor	eax, eax
		movzx	esi, word ptr [ebx+22h]
		mov	[esp+118h+var_F0], eax
		test	si, si
		js	loc_93E088

loc_93DF8C:				; CODE XREF: CmRenameKey(x,x,x,x)+3E3j
		mov	edx, esi
		lea	ecx, [esp+118h+var_50]
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		mov	edx, [esp+118h+var_FC]
		mov	ebx, eax
		mov	ecx, ebx
		mov	[esp+118h+var_F8], ebx
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		cmp	eax, 1
		jz	short loc_93E012
		cmp	dword ptr [ebx+14h], 0FFFFFFFFh
		jz	short loc_93E008
		push	1
		lea	edx, [esp+11Ch+var_A0]
		call	CmpGetKeyNodeForKcb
		lea	ecx, [esp+118h+var_AC]
		mov	edx, eax
		push	ecx
		lea	ecx, [ebp+arg_0]
		push	ecx
		mov	ecx, [ebx+10h]
		call	CmpFindSubKeyByNameWithStatus
		mov	ecx, [esp+118h+var_F8]
		lea	edx, [esp+118h+var_A0]
		mov	ebx, eax
		call	_CmpReleaseKeyNodeForKcb@8 ; CmpReleaseKeyNodeForKcb(x,x)
		test	ebx, ebx
		jns	loc_93E070
		cmp	ebx, 0C0000034h
		jnz	loc_93E9F2
		mov	edx, [esp+118h+var_FC]
		mov	ecx, [esp+118h+var_F8]
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		test	eax, eax
		jnz	short loc_93E012

loc_93E008:				; CODE XREF: CmRenameKey(x,x,x,x)+38Bj
		dec	esi
		test	si, si
		jns	loc_93DF8C

loc_93E012:				; CODE XREF: CmRenameKey(x,x,x,x)+385j
					; CmRenameKey(x,x,x,x)+3DDj
		mov	ebx, [esp+118h+var_F0]

loc_93E016:				; CODE XREF: CmRenameKey(x,x,x,x)+459j
		mov	eax, [esp+118h+var_AC]
		mov	[esp+118h+var_F8], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_93E084
		lea	ecx, [esp+118h+var_78]
		push	ecx
		push	eax
		push	ebx
		call	dword ptr [ebx+4]
		mov	esi, eax
		mov	ecx, ebx
		mov	edx, esi
		call	_CmpGetEffectiveKeyNodeSemantics@8 ; CmpGetEffectiveKeyNodeSemantics(x,x)
		cmp	eax, 1
		jnz	loc_93E289
		lea	eax, [esp+124h+var_84]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		mov	ebx, [esp+12Ch+var_118]
		mov	eax, [esp+12Ch+var_D8]
		mov	[esp+12Ch+var_11E], 1
		cmp	ax, [ebx+22h]
		jz	short loc_93E08E
		or	dword ptr [esp+12Ch+var_10C], 0FFFFFFFFh
		xor	eax, eax
		mov	[esp+12Ch+var_104], eax
		jmp	short loc_93E08E
; 

loc_93E070:				; CODE XREF: CmRenameKey(x,x,x,x)+3BCj
		mov	eax, [esp+118h+var_F8]
		mov	ebx, [eax+10h]
		movzx	eax, si
		mov	[esp+118h+var_F0], ebx
		mov	[esp+118h+var_C4], eax
		jmp	short loc_93E016
; 

loc_93E084:				; CODE XREF: CmRenameKey(x,x,x,x)+3F8j
		mov	ebx, [esp+118h+var_104]

loc_93E088:				; CODE XREF: CmRenameKey(x,x,x,x)+35Dj
		xor	eax, eax
		mov	[esp+0Eh], al

loc_93E08E:				; CODE XREF: CmRenameKey(x,x,x,x)+438j
					; CmRenameKey(x,x,x,x)+445j
		lea	ecx, [ebp+arg_0]
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)
		imul	edi, [ebx+8], 25h
		mov	esi, eax
		mov	ecx, [ebx+10h]
		lea	eax, [ebp+arg_0]
		push	eax
		mov	edx, ebx
		mov	[esp+11Ch+var_AC], esi
		add	edi, esi
		push	edi
		mov	[esp+120h+var_54], edi
		call	CmpFindKcbInHashEntryByName
		mov	ebx, eax
		mov	[esp+118h+var_100], ebx
		test	ebx, ebx
		jz	loc_93E148
		mov	ecx, ebx
		call	CmpReferenceKeyControlBlock
		lea	eax, [esp+118h+var_C0]
		mov	dl, 1
		push	eax
		push	ecx
		mov	ecx, ebx
		call	CmpTryAcquireKcbIXLocks
		mov	ebx, eax
		cmp	ebx, 0C000022Dh
		jnz	short loc_93E0ED
		mov	byte ptr [esp+0Dh], 1
		jmp	short loc_93E0F5
; 

loc_93E0ED:				; CODE XREF: CmRenameKey(x,x,x,x)+4BBj
		test	ebx, ebx
		js	loc_93E293

loc_93E0F5:				; CODE XREF: CmRenameKey(x,x,x,x)+4C2j
		mov	ecx, [esp+118h+var_100]
		lea	eax, [esp+118h+var_C0]
		push	eax
		push	2
		pop	edx
		call	_CmpPrepareToInvalidateAllHigherLayerKcbs@12 ; CmpPrepareToInvalidateAllHigherLayerKcbs(x,x,x)
		mov	ebx, eax
		cmp	ebx, 0C000022Dh
		jnz	short loc_93E117
		mov	byte ptr [esp+0Dh], 1
		jmp	short loc_93E11F
; 

loc_93E117:				; CODE XREF: CmRenameKey(x,x,x,x)+4E5j
		test	ebx, ebx
		js	loc_93E293

loc_93E11F:				; CODE XREF: CmRenameKey(x,x,x,x)+4ECj
		mov	ecx, [esp+118h+var_100]
		lea	eax, [esp+118h+var_C0]
		push	eax
		xor	edx, edx
		call	_CmpPrepareForSubtreeInvalidation@12 ; CmpPrepareForSubtreeInvalidation(x,x,x)
		mov	ebx, eax
		cmp	ebx, 0C000022Dh
		jnz	short loc_93E140
		mov	byte ptr [esp+0Dh], 1
		jmp	short loc_93E148
; 

loc_93E140:				; CODE XREF: CmRenameKey(x,x,x,x)+50Ej
		test	ebx, ebx
		js	loc_93E293

loc_93E148:				; CODE XREF: CmRenameKey(x,x,x,x)+497j
					; CmRenameKey(x,x,x,x)+515j
		mov	ecx, [esp+118h+var_108]
		lea	eax, [esp+118h+var_C0]
		push	eax
		push	2
		pop	edx
		call	_CmpPrepareToInvalidateAllHigherLayerKcbs@12 ; CmpPrepareToInvalidateAllHigherLayerKcbs(x,x,x)
		mov	ebx, eax
		cmp	ebx, 0C000022Dh
		jnz	short loc_93E16A
		mov	byte ptr [esp+0Dh], 1
		jmp	short loc_93E172
; 

loc_93E16A:				; CODE XREF: CmRenameKey(x,x,x,x)+538j
		test	ebx, ebx
		js	loc_93E293

loc_93E172:				; CODE XREF: CmRenameKey(x,x,x,x)+53Fj
		mov	ebx, [esp+118h+var_108]
		xor	eax, eax
		cmp	[ebx+22h], ax
		jz	short loc_93E1A2
		lea	eax, [esp+118h+var_C0]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	_CmpPrepareForSubtreeInvalidation@12 ; CmpPrepareForSubtreeInvalidation(x,x,x)
		mov	ebx, eax
		cmp	ebx, 0C000022Dh
		jz	short loc_93E1AD
		test	ebx, ebx
		js	loc_93E293
		mov	ebx, [esp+118h+var_108]

loc_93E1A2:				; CODE XREF: CmRenameKey(x,x,x,x)+553j
		cmp	byte ptr [esp+0Dh], 0
		jz	loc_93E29A

loc_93E1AD:				; CODE XREF: CmRenameKey(x,x,x,x)+56Bj
		mov	edi, [esp+118h+var_108]
		lea	eax, [esp+118h+var_C0]
		push	eax
		push	4
		pop	edx
		mov	ecx, edi
		call	_CmpLogTransactionAbortedForRollbackPacket@12 ;	CmpLogTransactionAbortedForRollbackPacket(x,x,x)
		mov	esi, [esp+118h+var_100]
		xor	ebx, ebx
		test	esi, esi
		jz	short loc_93E1DA
		push	ebx
		lea	edx, [esp+11Ch+var_E8]
		mov	ecx, esi
		call	CmpDereferenceKeyControlBlockWithLock
		mov	[esp+118h+var_100], ebx

loc_93E1DA:				; CODE XREF: CmRenameKey(x,x,x,x)+59Fj
		xor	dl, dl
		lea	ecx, [esp+118h+var_E8]
		call	CmpDrainDelayDerefContext
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	[esp+118h+var_109], bl
		jmp	short loc_93E215
; 

loc_93E1F0:				; CODE XREF: CmRenameKey(x,x,x,x)+323j
					; CmRenameKey(x,x,x,x)+336j
		lea	eax, [esp+118h+var_C0]
		mov	ecx, edi
		push	eax
		push	4
		pop	edx
		call	_CmpLogTransactionAbortedForRollbackPacket@12 ;	CmpLogTransactionAbortedForRollbackPacket(x,x,x)
		xor	dl, dl
		lea	ecx, [esp+118h+var_E8]
		call	CmpDrainDelayDerefContext
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	eax, eax
		mov	[esp+118h+var_109], al

loc_93E215:				; CODE XREF: CmRenameKey(x,x,x,x)+5C5j
		xor	edx, edx
		lea	ecx, [esp+118h+var_C0]
		call	_CmpAbortRollbackPacket@8 ; CmpAbortRollbackPacket(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_93E9F2
		lea	ecx, [esp+118h+var_C0]
		call	CmpCleanupRollbackPacket
		xor	eax, eax
		lea	edi, [esp+118h+var_C0]
		stosd
		lea	ecx, [esp+118h+var_64]
		stosd
		stosd
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		lea	ecx, [esp+118h+var_50]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		lea	eax, [esp+118h+var_90]
		push	eax
		call	KeQuerySystemTime
		call	_CmpIsShutdownRundownActive@0 ;	CmpIsShutdownRundownActive()
		test	al, al
		jnz	loc_93E9F8
		mov	ebx, [esp+118h+var_FC]
		jmp	loc_93DD9B
; 

loc_93E277:				; CODE XREF: CmRenameKey(x,x,x,x)+259j
		push	1Ah

loc_93E279:				; CODE XREF: CmRenameKey(x,x,x,x)+DBFj
		pop	ecx
		call	_CmpLogUnsupportedOperation@4 ;	CmpLogUnsupportedOperation(x)
		mov	ebx, 0C0000002h
		jmp	loc_93E9F2
; 

loc_93E289:				; CODE XREF: CmRenameKey(x,x,x,x)+415j
		mov	ebx, 0C0000121h
		jmp	loc_93EA09
; 

loc_93E293:				; CODE XREF: CmRenameKey(x,x,x,x)+4C6j
					; CmRenameKey(x,x,x,x)+4F0j ...
		xor	eax, eax
		jmp	loc_93EA03
; 

loc_93E29A:				; CODE XREF: CmRenameKey(x,x,x,x)+57Ej
		mov	eax, [esp+118h+var_100]
		test	eax, eax
		jz	short loc_93E2E4
		lea	ecx, [esp+118h+var_E8]
		push	ecx
		push	2
		push	8
		pop	edx
		mov	ecx, eax
		call	_CmpInvalidateAllHigherLayerKcbs@16 ; CmpInvalidateAllHigherLayerKcbs(x,x,x,x)
		xor	ecx, ecx
		lea	eax, [esp+118h+var_E8]
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [esp+124h+var_100]
		push	8
		pop	edx
		call	_CmpInvalidateSubtree@20 ; CmpInvalidateSubtree(x,x,x,x,x)
		mov	ecx, [esp+118h+var_100]
		lea	eax, [esp+118h+var_E8]
		push	1
		push	eax
		push	8
		pop	edx
		call	CmpFlushNotifiesOnKeyBodyList
		mov	ecx, [esp+118h+var_100]
		call	_CmpDiscardKcb@4 ; CmpDiscardKcb(x)

loc_93E2E4:				; CODE XREF: CmRenameKey(x,x,x,x)+677j
		lea	eax, [esp+118h+var_E8]
		mov	ecx, ebx
		push	eax
		push	2
		push	8
		pop	edx
		call	_CmpInvalidateAllHigherLayerKcbs@16 ; CmpInvalidateAllHigherLayerKcbs(x,x,x,x)
		movzx	eax, word ptr [ebx+22h]
		mov	ecx, eax
		test	ax, ax
		jz	short loc_93E317
		xor	ecx, ecx
		lea	eax, [esp+118h+var_E8]
		push	ecx
		push	eax
		push	ecx
		push	8
		pop	edx
		mov	ecx, ebx
		call	_CmpInvalidateSubtree@20 ; CmpInvalidateSubtree(x,x,x,x,x)
		movzx	ecx, word ptr [ebx+22h]

loc_93E317:				; CODE XREF: CmRenameKey(x,x,x,x)+6D5j
		xor	eax, eax
		xor	edx, edx
		mov	[esp+118h+var_C4], eax
		cmp	dx, cx
		jge	loc_93E42E

loc_93E328:				; CODE XREF: CmRenameKey(x,x,x,x)+7E8j
		mov	edx, eax
		lea	ecx, [esp+118h+var_50]
		call	_CmpGetKcbAtLayerHeight@8 ; CmpGetKcbAtLayerHeight(x,x)
		mov	[esp+118h+var_F4], eax
		lea	eax, [ebp+arg_0]
		push	eax
		mov	eax, [esp+11Ch+var_104]
		mov	edx, eax
		push	edi
		mov	ecx, [eax+10h]
		call	CmpFindKcbInHashEntryByName
		mov	[esp+118h+var_FC], eax
		test	eax, eax
		jz	short loc_93E36A
		mov	ecx, eax
		call	CmpReferenceKeyControlBlock
		mov	ecx, [esp+118h+var_EC]
		call	CmpDereferenceKeyControlBlockUnsafe
		jmp	loc_93E3FC
; 

loc_93E36A:				; CODE XREF: CmRenameKey(x,x,x,x)+72Aj
		mov	ebx, [esp+118h+var_F4]
		cmp	dword ptr [ebx+14h], 0FFFFFFFFh
		jz	short loc_93E3B9
		push	1
		lea	edx, [esp+11Ch+var_A0]
		mov	ecx, ebx
		call	CmpGetKeyNodeForKcb
		lea	ecx, [esp+118h+var_A4]
		mov	edx, eax
		push	ecx
		lea	ecx, [ebp+arg_0]
		push	ecx
		mov	ecx, [ebx+10h]
		call	CmpFindSubKeyByNameWithStatus
		mov	ecx, [esp+118h+var_F4]
		lea	edx, [esp+118h+var_A0]
		mov	ebx, eax
		call	_CmpReleaseKeyNodeForKcb@8 ; CmpReleaseKeyNodeForKcb(x,x)
		cmp	ebx, 0C0000034h
		jz	short loc_93E3B9
		test	ebx, ebx
		js	loc_93E293
		mov	edx, [esp+118h+var_A4]
		jmp	short loc_93E3C0
; 

loc_93E3B9:				; CODE XREF: CmRenameKey(x,x,x,x)+749j
					; CmRenameKey(x,x,x,x)+780j
		or	edx, 0FFFFFFFFh
		mov	[esp+118h+var_A4], edx

loc_93E3C0:				; CODE XREF: CmRenameKey(x,x,x,x)+78Ej
		lea	eax, [esp+118h+var_FC]
		push	eax
		push	edi
		push	esi
		lea	eax, [ebp+arg_0]
		push	eax
		xor	eax, eax
		push	eax
		mov	eax, [esp+12Ch+var_F4]
		push	[esp+12Ch+var_EC]
		push	eax
		mov	ecx, [eax+10h]
		call	CmpCreateKeyControlBlock
		mov	ebx, eax
		test	ebx, ebx
		js	loc_93E293
		mov	eax, [esp+118h+var_EC]
		test	eax, eax
		jz	short loc_93E3F8
		mov	ecx, eax
		call	CmpDereferenceKeyControlBlockUnsafe

loc_93E3F8:				; CODE XREF: CmRenameKey(x,x,x,x)+7C6j
		mov	ebx, [esp+118h+var_108]

loc_93E3FC:				; CODE XREF: CmRenameKey(x,x,x,x)+73Cj
		mov	eax, [esp+118h+var_C4]
		mov	ecx, [esp+118h+var_FC]
		inc	eax
		mov	[esp+118h+var_EC], ecx
		mov	[esp+118h+var_C4], eax
		cmp	ax, [ebx+22h]
		jl	loc_93E328
		test	ecx, ecx
		jz	short loc_93E42E
		call	_CmpAllocateLayerInfoForKcb@4 ;	CmpAllocateLayerInfoForKcb(x)
		mov	ebx, eax
		xor	eax, eax
		mov	esi, eax
		test	ebx, ebx
		js	loc_93EA05

loc_93E42E:				; CODE XREF: CmRenameKey(x,x,x,x)+6F9j
					; CmRenameKey(x,x,x,x)+7F0j
		mov	edi, [esp+118h+var_108]
		xor	ebx, ebx
		cmp	[edi+22h], bx
		jz	short loc_93E46F
		push	ebx
		mov	dl, 1
		lea	ecx, [esp+11Ch+var_64]
		call	_CmpPromoteKey@12 ; CmpPromoteKey(x,x,x)
		mov	ebx, eax
		xor	eax, eax
		mov	esi, eax
		test	ebx, ebx
		js	loc_93EA09
		lea	ecx, [esp+118h+var_64]
		call	_CmpPromoteSubtreeForKcbStack@8	; CmpPromoteSubtreeForKcbStack(x,x)
		mov	ebx, eax
		xor	eax, eax
		test	ebx, ebx
		js	loc_93EA09

loc_93E46F:				; CODE XREF: CmRenameKey(x,x,x,x)+80Fj
		mov	ebx, [esp+118h+var_104]
		push	1
		mov	edx, [ebx+14h]
		mov	ecx, [ebx+10h]
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_93E48E

loc_93E484:				; CODE XREF: CmRenameKey(x,x,x,x)+88Dj
					; CmRenameKey(x,x,x,x)+8A1j ...
		mov	ebx, 0C000017Dh
		jmp	loc_93E9F2
; 

loc_93E48E:				; CODE XREF: CmRenameKey(x,x,x,x)+859j
		push	1
		lea	edx, [esp+11Ch+var_80]
		mov	ecx, ebx
		call	CmpGetKeyNodeForKcb
		mov	esi, eax
		mov	[esp+118h+var_D8], esi
		mov	edx, [esi+1Ch]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_93E4B8
		mov	ecx, [ebx+10h]
		call	_CmpMarkEntireIndexDirty@8 ; CmpMarkEntireIndexDirty(x,x)
		test	al, al
		jz	short loc_93E484

loc_93E4B8:				; CODE XREF: CmRenameKey(x,x,x,x)+881j
		mov	edx, [esi+20h]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_93E4CC
		mov	ecx, [ebx+10h]
		call	_CmpMarkEntireIndexDirty@8 ; CmpMarkEntireIndexDirty(x,x)
		test	al, al
		jz	short loc_93E484

loc_93E4CC:				; CODE XREF: CmRenameKey(x,x,x,x)+895j
		mov	edx, [edi+14h]
		mov	ecx, [edi+10h]
		push	1
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	short loc_93E484
		mov	eax, [esp+118h+var_F8]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_93E4F7
		push	ecx
		mov	ecx, [ebx+10h]
		mov	edx, eax
		push	1
		call	CmpMarkKeyDirty
		test	al, al
		jz	short loc_93E484

loc_93E4F7:				; CODE XREF: CmRenameKey(x,x,x,x)+8BBj
		cmp	byte ptr [esp+0Eh], 0
		jnz	short loc_93E560
		mov	edx, [edi+14h]
		mov	ecx, [edi+10h]
		call	_CmpMarkAllChildrenDirty@8 ; CmpMarkAllChildrenDirty(x,x)
		test	al, al
		jz	loc_93E484

loc_93E511:				; CODE XREF: CmRenameKey(x,x,x,x)+99Dj
		lea	ecx, [ebp+arg_0]
		call	_CmpHKeyNodeSize@4 ; CmpHKeyNodeSize(x)
		lea	ecx, [esp+118h+var_70]
		mov	edx, eax
		push	ecx
		lea	ecx, [esp+11Ch+var_84]
		push	ecx
		mov	ecx, [edi+14h]
		shr	ecx, 1Fh
		push	ecx
		mov	ecx, [edi+10h]
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	[esp+118h+var_C8], eax
		cmp	eax, 0FFFFFFFFh
		jnz	loc_93E5D7
		xor	eax, eax
		mov	ebx, 0C000017Dh
		mov	esi, eax
		mov	eax, [esp+118h+var_84]
		mov	[esp+118h+var_CC], eax
		jmp	loc_93EA09
; 

loc_93E560:				; CODE XREF: CmRenameKey(x,x,x,x)+8D3j
		lea	edx, [esp+118h+var_64]
		lea	ecx, [esp+118h+var_40]
		call	_CmpSubtreeEnumeratorStartForKcbStack@8	; CmpSubtreeEnumeratorStartForKcbStack(x,x)
		mov	ebx, eax
		xor	eax, eax
		mov	esi, eax
		test	ebx, ebx
		js	loc_93EA09
		jmp	short loc_93E5B3
; 

loc_93E583:				; CODE XREF: CmRenameKey(x,x,x,x)+99Bj
		lea	eax, [esp+118h+var_B4]
		xor	edx, edx
		push	eax
		lea	ecx, [esp+11Ch+var_40]
		call	_CmpSubtreeEnumeratorGetCurrentKeyStacks@12 ; CmpSubtreeEnumeratorGetCurrentKeyStacks(x,x,x)
		mov	dx, [edi+22h]
		mov	ecx, [esp+118h+var_B4]
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		push	1
		mov	edx, [eax+4]
		mov	ecx, [eax]
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	short loc_93E5CB

loc_93E5B3:				; CODE XREF: CmRenameKey(x,x,x,x)+958j
		lea	ecx, [esp+118h+var_40]
		call	_CmpSubtreeEnumeratorAdvance@4 ; CmpSubtreeEnumeratorAdvance(x)
		cmp	eax, 8000001Ah
		jnz	short loc_93E583
		jmp	loc_93E511
; 

loc_93E5CB:				; CODE XREF: CmRenameKey(x,x,x,x)+988j
		mov	ebx, 0C000017Dh
		xor	eax, eax
		jmp	loc_93EA09
; 

loc_93E5D7:				; CODE XREF: CmRenameKey(x,x,x,x)+918j
		push	1
		lea	edx, [esp+11Ch+var_98]
		mov	ecx, edi
		call	CmpGetKeyNodeForKcb
		mov	ebx, [esp+118h+var_84]
		lea	edx, [esp+118h+var_98]
		push	13h
		pop	ecx
		mov	esi, eax
		mov	[esp+118h+var_CC], ebx
		mov	edi, ebx
		rep movsd
		mov	edi, [esp+118h+var_108]
		mov	ecx, edi
		call	_CmpReleaseKeyNodeForKcb@8 ; CmpReleaseKeyNodeForKcb(x,x)
		lea	ecx, [ebx+4Ch]
		lea	edx, [ebp+arg_0]
		call	CmpCopyName
		push	20h
		mov	[ebx+48h], ax
		pop	ecx
		cmp	ax, word ptr [ebp+arg_0]
		jnb	short loc_93E62B
		or	[ebx+2], cx
		jmp	short loc_93E634
; 

loc_93E62B:				; CODE XREF: CmRenameKey(x,x,x,x)+9FAj
		mov	eax, 0FFDFh
		and	[ebx+2], ax

loc_93E634:				; CODE XREF: CmRenameKey(x,x,x,x)+A00j
		cmp	byte ptr [esp+0Eh], 0
		mov	eax, [esp+118h+var_90]
		mov	[ebx+4], eax
		mov	eax, [esp+118h+var_8C]
		mov	[ebx+8], eax
		jz	short loc_93E653
		or	byte ptr [ebx+0Dh], 3

loc_93E653:				; CODE XREF: CmRenameKey(x,x,x,x)+A24j
		xor	eax, eax
		cmp	[edi+22h], ax
		jz	short loc_93E67F
		mov	edx, [ebx+2Ch]
		mov	ecx, [edi+10h]
		call	_CmpReferenceSecurityNode@8 ; CmpReferenceSecurityNode(x,x)
		mov	ebx, eax
		xor	eax, eax
		mov	esi, eax
		test	ebx, ebx
		js	loc_93EA09
		mov	eax, [esp+118h+var_CC]
		mov	eax, [eax+2Ch]
		mov	[esp+118h+var_A8], eax

loc_93E67F:				; CODE XREF: CmRenameKey(x,x,x,x)+A30j
		mov	eax, [edi+10h]
		lea	ecx, [esp+118h+var_70]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		push	ecx
		xor	ebx, ebx
		lea	edx, [esp+124h+var_B4]
		lea	ecx, [ebp+arg_0]
		mov	[esp+124h+var_D4], ebx
		call	CmpGetNameControlBlock
		mov	[esp+120h+var_B8], eax
		test	eax, eax
		jnz	short loc_93E6B3

loc_93E6A9:				; CODE XREF: CmRenameKey(x,x,x,x)+AB0j
					; CmRenameKey(x,x,x,x)+AD3j
		mov	ebx, 0C000009Ah
		jmp	loc_93E9F2
; 

loc_93E6B3:				; CODE XREF: CmRenameKey(x,x,x,x)+A7Ej
		mov	esi, [esp+120h+var_E0]
		mov	edx, [esi+1Ch]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_93E6DB
		push	ebx
		mov	ebx, dword ptr [esp+124h+var_10C]
		mov	ecx, [ebx+10h]
		call	_CmpDuplicateIndex@12 ;	CmpDuplicateIndex(x,x,x)
		mov	[esp+120h+var_DC], eax
		mov	[esp+120h+var_E8], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_93E6DF
		jmp	short loc_93E6A9
; 

loc_93E6DB:				; CODE XREF: CmRenameKey(x,x,x,x)+A94j
		mov	ebx, dword ptr [esp+120h+var_10C]

loc_93E6DF:				; CODE XREF: CmRenameKey(x,x,x,x)+AAEj
		mov	edx, [esi+20h]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_93E6FE
		mov	ecx, [ebx+10h]
		push	1
		call	_CmpDuplicateIndex@12 ;	CmpDuplicateIndex(x,x,x)
		mov	[esp+120h+var_D8], eax
		mov	[esp+120h+var_E4], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_93E6A9

loc_93E6FE:				; CODE XREF: CmRenameKey(x,x,x,x)+ABCj
		mov	eax, [esp+120h+var_100]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_93E73C
		mov	ecx, [ebx+10h]
		lea	edx, [esp+120h+var_E8]
		push	eax
		shr	eax, 1Fh
		lea	edx, [edx+eax*4]
		call	_CmpRemoveSubKeyFromList@12 ; CmpRemoveSubKeyFromList(x,x,x)
		test	al, al
		jnz	short loc_93E73C

loc_93E71E:				; CODE XREF: CmRenameKey(x,x,x,x)+B57j
		mov	ebx, 0C000017Dh

loc_93E723:				; CODE XREF: CmRenameKey(x,x,x,x)+B35j
		xor	eax, eax
		mov	esi, eax
		mov	eax, [esp+120h+var_E4]
		mov	[esp+120h+var_D8], eax
		mov	eax, [esp+120h+var_E8]
		mov	[esp+120h+var_DC], eax
		jmp	loc_93EA09
; 

loc_93E73C:				; CODE XREF: CmRenameKey(x,x,x,x)+ADCj
					; CmRenameKey(x,x,x,x)+AF3j
		mov	eax, [esp+120h+var_D0]
		lea	edx, [esp+120h+var_E8]
		mov	ecx, [ebx+10h]
		mov	esi, eax
		shr	esi, 1Fh
		push	eax
		lea	edx, [edx+esi*4]
		call	CmpAddSubKeyToList
		test	al, al
		jnz	short loc_93E760
		mov	ebx, 0C000009Ah
		jmp	short loc_93E723
; 

loc_93E760:				; CODE XREF: CmRenameKey(x,x,x,x)+B2Ej
		xor	edx, edx
		cmp	[edi+22h], dx
		jnz	short loc_93E784
		mov	eax, [edi+14h]
		lea	edx, [esp+120h+var_E8]
		mov	ecx, [ebx+10h]
		push	eax
		shr	eax, 1Fh
		lea	edx, [edx+eax*4]
		call	_CmpRemoveSubKeyFromList@12 ; CmpRemoveSubKeyFromList(x,x,x)
		test	al, al
		jz	short loc_93E71E
		xor	edx, edx

loc_93E784:				; CODE XREF: CmRenameKey(x,x,x,x)+B3Dj
		mov	ecx, [esp+120h+var_E0]
		mov	eax, [ecx+1Ch]
		mov	[esp+120h+var_DC], eax
		mov	eax, [esp+120h+var_E8]
		mov	[ecx+1Ch], eax
		mov	eax, [ecx+20h]
		mov	[esp+120h+var_D8], eax
		mov	eax, [esp+120h+var_E4]
		mov	[ecx+20h], eax
		mov	eax, [esp+120h+var_100]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_93E7B4
		shr	eax, 1Fh
		dec	dword ptr [ecx+eax*4+14h]

loc_93E7B4:				; CODE XREF: CmRenameKey(x,x,x,x)+B82j
		inc	dword ptr [ecx+esi*4+14h]
		cmp	[edi+22h], dx
		jnz	short loc_93E7C8
		mov	eax, [edi+14h]
		shr	eax, 1Fh
		dec	dword ptr [ecx+eax*4+14h]

loc_93E7C8:				; CODE XREF: CmRenameKey(x,x,x,x)+B93j
		mov	dl, 1
		mov	ecx, ebx
		call	CmpCleanUpSubKeyInfo
		mov	esi, [esp+120h+var_E0]
		mov	dx, word ptr [ebp+arg_0]
		cmp	[esi+34h], dx
		jnb	short loc_93E7E7
		mov	[esi+34h], dx
		mov	[ebx+60h], dx

loc_93E7E7:				; CODE XREF: CmRenameKey(x,x,x,x)+BB4j
		xor	eax, eax
		cmp	[edi+22h], ax
		jnz	short loc_93E7FC
		mov	edx, [edi+14h]
		mov	ecx, [edi+10h]
		call	HvFreeCell
		jmp	short loc_93E864
; 

loc_93E7FC:				; CODE XREF: CmRenameKey(x,x,x,x)+BC4j
		push	1
		lea	edx, [esp+124h+var_A0]
		mov	ecx, edi
		call	CmpGetKeyNodeForKcb
		push	20h
		pop	ecx
		xor	edx, edx
		and	[eax+2], cx
		mov	cl, [eax+0Dh]
		and	cl, 7Ch
		mov	[eax+14h], edx
		or	cl, 1
		mov	[eax+18h], edx
		mov	[eax+0Dh], cl
		or	ecx, 0FFFFFFFFh
		mov	[eax+1Ch], ecx
		mov	[eax+20h], ecx
		mov	[eax+28h], ecx
		mov	[eax+30h], ecx
		xor	ecx, ecx
		mov	[eax+34h], cx
		and	dword ptr [eax+34h], 0FF00FFFFh
		mov	[eax+24h], edx
		mov	[eax+37h], dl
		mov	[eax+38h], edx
		mov	[eax+3Ch], edx
		mov	[eax+40h], edx
		lea	edx, [esp+120h+var_A0]
		mov	[eax+4Ah], cx
		mov	ecx, edi
		call	_CmpReleaseKeyNodeForKcb@8 ; CmpReleaseKeyNodeForKcb(x,x)

loc_93E864:				; CODE XREF: CmRenameKey(x,x,x,x)+BD1j
		mov	eax, [esp+120h+var_D0]
		or	[esp+120h+var_D0], 0FFFFFFFFh
		mov	[edi+14h], eax
		or	eax, 0FFFFFFFFh
		mov	[esp+120h+var_B0], eax
		xor	eax, eax
		cmp	[edi+22h], ax
		jz	short loc_93E8C5
		mov	eax, [edi+6Ch]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_93E935
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_93E935
		mov	[ecx], edx
		xor	eax, eax
		mov	[edx+4], ecx
		lea	edx, [esp+120h+var_F0]
		push	eax
		mov	eax, [edi+6Ch]
		mov	ecx, [eax+0Ch]
		mov	ecx, [ecx+8]
		call	CmpDereferenceKeyControlBlockWithLock
		mov	eax, [edi+6Ch]
		xor	ecx, ecx
		mov	edx, edi
		mov	[eax+0Ch], ecx
		mov	ecx, [esp+120h+var_F4]
		call	_CmpCreateLayerLink@8 ;	CmpCreateLayerLink(x,x)

loc_93E8C5:				; CODE XREF: CmRenameKey(x,x,x,x)+C54j
		mov	ecx, edi
		call	_CmpRemoveKeyControlBlock@4 ; CmpRemoveKeyControlBlock(x)
		mov	eax, [esp+120h+var_5C]
		lea	edx, [edi+8]
		push	ecx
		mov	ecx, [edi+10h]
		mov	[edx], eax
		call	_CmpInsertKeyHash@12 ; CmpInsertKeyHash(x,x,x)
		mov	eax, [edi+28h]
		mov	ecx, [esp+120h+var_B8]
		mov	[edi+28h], ecx
		mov	ecx, edi
		mov	[esp+120h+var_B8], eax
		call	CmpMarkCachedFullKCBNameStale
		cmp	[esp+120h+var_112], 0
		jz	short loc_93E901
		mov	byte ptr [edi+21h], 3

loc_93E901:				; CODE XREF: CmRenameKey(x,x,x,x)+CD2j
		mov	edx, [edi+14h]
		push	ecx
		mov	ecx, [edi+10h]
		call	_CmpUpdateParentForEachSon@12 ;	CmpUpdateParentForEachSon(x,x,x)
		cmp	[esp+120h+var_112], 0
		jz	short loc_93E974
		lea	ecx, [esp+120h+var_48]
		call	_CmpSubtreeEnumeratorReset@4 ; CmpSubtreeEnumeratorReset(x)
		lea	edx, [esp+120h+var_6C]
		lea	ecx, [esp+120h+var_48]
		call	_CmpSubtreeEnumeratorBeginForKcbStack@8	; CmpSubtreeEnumeratorBeginForKcbStack(x,x)
		jmp	short loc_93E961
; 

loc_93E935:				; CODE XREF: CmRenameKey(x,x,x,x)+C5Ej
					; CmRenameKey(x,x,x,x)+C69j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_93E93A:				; CODE XREF: CmRenameKey(x,x,x,x)+D49j
		lea	eax, [esp+120h+var_BC]
		xor	edx, edx
		push	eax
		lea	ecx, [esp+124h+var_48]
		call	_CmpSubtreeEnumeratorGetCurrentKeyStacks@12 ; CmpSubtreeEnumeratorGetCurrentKeyStacks(x,x,x)
		mov	dx, [edi+22h]
		mov	ecx, [esp+120h+var_BC]
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	eax, [eax+8]
		or	byte ptr [eax+0Dh], 3

loc_93E961:				; CODE XREF: CmRenameKey(x,x,x,x)+D0Aj
		lea	ecx, [esp+120h+var_48]
		call	_CmpSubtreeEnumeratorAdvance@4 ; CmpSubtreeEnumeratorAdvance(x)
		cmp	eax, 8000001Ah
		jnz	short loc_93E93A

loc_93E974:				; CODE XREF: CmRenameKey(x,x,x,x)+CE9j
		mov	eax, [esp+120h+var_98]
		lea	edx, [esp+120h+var_88]
		mov	ecx, [esp+120h+var_94]
		mov	[esi+8], ecx
		mov	[esi+4], eax
		mov	[ebx+5Ch], ecx
		mov	ecx, ebx
		mov	[ebx+58h], eax
		call	_CmpReleaseKeyNodeForKcb@8 ; CmpReleaseKeyNodeForKcb(x,x)
		xor	eax, eax
		xor	edx, edx
		push	eax
		inc	edx
		mov	[esp+124h+var_E0], eax
		mov	ecx, edi
		call	CmpSearchForOpenSubKeys
		add	dword ptr [ebx+0A8h], 1
		mov	eax, [esp+120h+var_100]
		push	0
		pop	ecx
		adc	[ebx+0ACh], ecx
		add	dword ptr [edi+0A8h], 1
		adc	[edi+0ACh], ecx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_93E9E0
		push	ecx
		mov	ecx, [ebx+10h]
		mov	edx, eax
		call	CmpFreeKeyByCell
		xor	ecx, ecx

loc_93E9E0:				; CODE XREF: CmRenameKey(x,x,x,x)+DA8j
		mov	ebx, ecx
		mov	esi, ecx
		jmp	short loc_93EA09
; 

loc_93E9E6:				; CODE XREF: CmRenameKey(x,x,x,x)+261j
		push	18h
		jmp	loc_93E279
; 

loc_93E9ED:				; CODE XREF: CmRenameKey(x,x,x,x)+1C1j
					; CmRenameKey(x,x,x,x)+1D0j ...
		mov	ebx, 0C0000022h

loc_93E9F2:				; CODE XREF: CmRenameKey(x,x,x,x)+19Cj
					; CmRenameKey(x,x,x,x)+1B4j ...
		xor	eax, eax

loc_93E9F4:				; CODE XREF: CmRenameKey(x,x,x,x)+285j
					; CmRenameKey(x,x,x,x)+306j
		mov	esi, eax
		jmp	short loc_93EA09
; 

loc_93E9F8:				; CODE XREF: CmRenameKey(x,x,x,x)+16Cj
					; CmRenameKey(x,x,x,x)+63Fj
		xor	eax, eax
		mov	ebx, 0C0000189h
		mov	[esp+118h+var_109], al

loc_93EA03:				; CODE XREF: CmRenameKey(x,x,x,x)+66Cj
		mov	esi, eax

loc_93EA05:				; CODE XREF: CmRenameKey(x,x,x,x)+7FFj
		mov	edi, [esp+118h+var_108]

loc_93EA09:				; CODE XREF: CmRenameKey(x,x,x,x)+665j
					; CmRenameKey(x,x,x,x)+828j ...
		lea	ecx, [esp+118h+var_40]
		call	_CmpSubtreeEnumeratorCleanup@4 ; CmpSubtreeEnumeratorCleanup(x)
		cmp	[esp+118h+var_D8], 0
		jz	short loc_93EA2C
		mov	ecx, [esp+118h+var_104]
		lea	edx, [esp+118h+var_80]
		call	_CmpReleaseKeyNodeForKcb@8 ; CmpReleaseKeyNodeForKcb(x,x)

loc_93EA2C:				; CODE XREF: CmRenameKey(x,x,x,x)+DF1j
		test	esi, esi
		jz	short loc_93EA40
		lea	eax, [esp+118h+var_78]
		push	eax
		mov	eax, [esp+11Ch+var_F0]
		push	eax
		call	dword ptr [eax+8]

loc_93EA40:				; CODE XREF: CmRenameKey(x,x,x,x)+E05j
		mov	eax, [esp+120h+var_B0]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_93EA53
		mov	ecx, [edi+10h]
		mov	edx, eax
		call	_CmpDereferenceSecurityNode@8 ;	CmpDereferenceSecurityNode(x,x)

loc_93EA53:				; CODE XREF: CmRenameKey(x,x,x,x)+E1Ej
		cmp	[esp+120h+var_D4], 0
		jz	short loc_93EA69
		mov	eax, [edi+10h]
		lea	ecx, [esp+120h+var_78]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_93EA69:				; CODE XREF: CmRenameKey(x,x,x,x)+E2Fj
		mov	eax, [esp+128h+var_E4]
		mov	esi, [esp+14h]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_93EA80
		mov	ecx, [esi+10h]
		mov	edx, eax
		call	_CmpFreeIndexByCell@8 ;	CmpFreeIndexByCell(x,x)

loc_93EA80:				; CODE XREF: CmRenameKey(x,x,x,x)+E4Bj
		mov	eax, [esp+128h+var_E0]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_93EA93
		mov	ecx, [esi+10h]
		mov	edx, eax
		call	_CmpFreeIndexByCell@8 ;	CmpFreeIndexByCell(x,x)

loc_93EA93:				; CODE XREF: CmRenameKey(x,x,x,x)+E5Ej
		mov	eax, [esp+128h+var_D8]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_93EAA6
		mov	ecx, [edi+10h]
		mov	edx, eax
		call	HvFreeCell

loc_93EAA6:				; CODE XREF: CmRenameKey(x,x,x,x)+E71j
		mov	eax, [esp+128h+var_C0]
		test	eax, eax
		jz	short loc_93EAB5
		mov	ecx, eax
		call	_CmpDereferenceNameControlBlockWithLock@4 ; CmpDereferenceNameControlBlockWithLock(x)

loc_93EAB5:				; CODE XREF: CmRenameKey(x,x,x,x)+E83j
		mov	eax, [esp+128h+var_FC]
		xor	esi, esi
		test	eax, eax
		jz	short loc_93EACB
		push	esi
		lea	edx, [esp+12Ch+var_F8]
		mov	ecx, eax
		call	CmpDereferenceKeyControlBlockWithLock

loc_93EACB:				; CODE XREF: CmRenameKey(x,x,x,x)+E94j
		mov	eax, [esp+128h+var_110]
		test	eax, eax
		jz	short loc_93EADF
		push	esi
		lea	edx, [esp+12Ch+var_F8]
		mov	ecx, eax
		call	CmpDereferenceKeyControlBlockWithLock

loc_93EADF:				; CODE XREF: CmRenameKey(x,x,x,x)+EA8j
		xor	dl, dl
		lea	ecx, [esp+128h+var_F8]
		call	CmpDrainDelayDerefContext
		cmp	[esp+128h+var_119], 0
		jz	short loc_93EAF6
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_93EAF6:				; CODE XREF: CmRenameKey(x,x,x,x)+EC6j
		lea	ecx, [esp+128h+var_74]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		lea	ecx, [esp+128h+var_60]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		lea	ecx, [esp+128h+var_D0]
		call	CmpCleanupRollbackPacket
		mov	ecx, [esp+128h+var_14]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_CmRenameKey@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmReplaceKey(x, x, x, x)
_CmReplaceKey@16 proc near		; CODE XREF: NtReplaceKey(x,x,x)+2C9p

var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_223		= byte ptr -223h
var_222		= byte ptr -222h
var_221		= byte ptr -221h
var_220		= dword	ptr -220h
var_208		= dword	ptr -208h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 23Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		push	6
		mov	[ebp+var_22C], eax
		lea	edi, [ebp+var_220]
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_238], edx
		rep stosd
		xor	ecx, ecx
		mov	[ebp+var_234], edx
		mov	[ebp+var_223], dl
		inc	ecx
		mov	[ebp+var_221], dl
		mov	[ebp+var_222], dl
		mov	[ebp+var_228], edx
		mov	edx, 154h
		push	33394D43h
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	[ebp+var_230], eax
		test	eax, eax
		jnz	short loc_93EBAF
		mov	esi, 0C000009Ah
		jmp	loc_93EDA1
; 

loc_93EBAF:				; CODE XREF: CmReplaceKey(x,x,x,x)+73j
		push	eax
		xor	eax, eax
		xor	dl, dl
		push	eax
		push	eax
		push	eax
		push	1190001h
		lea	eax, [ebp+var_228]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_223]
		push	eax
		call	_CmpCmdHiveOpen@36 ; CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93ED3D
		lea	ecx, [ebp+var_220]
		call	CmpAttachToRegistryProcess
		mov	[ebp+var_221], 1
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, ebx
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		test	byte ptr [ebx+64h], 4
		jz	short loc_93EC09

loc_93EBFF:				; CODE XREF: CmReplaceKey(x,x,x,x)+15Fj
		mov	esi, 0C00000D5h
		jmp	loc_93ED21
; 

loc_93EC09:				; CODE XREF: CmReplaceKey(x,x,x,x)+CDj
		test	byte ptr [ebx+980h], 20h
		jz	short loc_93EC1C

loc_93EC12:				; CODE XREF: CmReplaceKey(x,x,x,x)+16Cj
		mov	esi, 0C000000Dh
		jmp	loc_93ED21
; 

loc_93EC1C:				; CODE XREF: CmReplaceKey(x,x,x,x)+E0j
		mov	edi, [ebp+var_228]
		cmp	ebx, dword_6B179C
		jnz	short loc_93EC3D
		mov	edx, edi
		mov	ecx, ebx
		call	_CmpPreserveSystemHiveData@8 ; CmpPreserveSystemHiveData(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93ED21

loc_93EC3D:				; CODE XREF: CmReplaceKey(x,x,x,x)+F8j
		mov	ecx, ebx
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		push	0Ch
		pop	edx
		mov	ecx, edi
		call	CmpFlushHive
		mov	esi, eax
		test	esi, esi
		js	loc_93ED3D
		xor	edx, edx
		lea	ecx, [ebp+var_220]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, ebx
		mov	[ebp+var_221], 0
		call	CmpBecomeActiveFlusherAndReconciler
		mov	[ebp+var_222], 1
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, ebx
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		test	byte ptr [ebx+64h], 4
		jnz	loc_93EBFF
		test	byte ptr [ebx+980h], 20h
		jnz	loc_93EC12
		mov	ecx, [ebx+400h]
		lea	edx, [ebp+var_208]
		push	0
		push	200h
		push	[ebp+var_22C]
		call	_CmpCmdRenameHive@20 ; CmpCmdRenameHive(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_93ED21
		or	dword ptr [ebx+64h], 4
		lea	eax, [ebp+var_208]
		mov	ecx, [edi+400h]
		xor	edx, edx
		push	0
		push	0
		push	eax
		call	_CmpCmdRenameHive@20 ; CmpCmdRenameHive(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_93ED00
		lea	eax, [ebp+var_238]
		push	eax
		push	dword ptr [edi+400h]
		call	_ZwFlushBuffersFile@8 ;	ZwFlushBuffersFile(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_93ED21

loc_93ED00:				; CODE XREF: CmReplaceKey(x,x,x,x)+1B6j
		mov	ecx, [ebx+400h]
		lea	eax, [ebp+var_208]
		push	0
		push	0
		push	eax
		xor	edx, edx
		call	_CmpCmdRenameHive@20 ; CmpCmdRenameHive(x,x,x,x,x)
		test	eax, eax
		jns	short loc_93ED21
		mov	esi, 0C000014Ch

loc_93ED21:				; CODE XREF: CmReplaceKey(x,x,x,x)+D4j
					; CmReplaceKey(x,x,x,x)+E7j ...
		mov	ecx, ebx
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		cmp	[ebp+var_222], 0
		jz	short loc_93ED3D
		mov	ecx, ebx
		call	CmpFinishBeingActiveFlusherAndReconciler

loc_93ED3D:				; CODE XREF: CmReplaceKey(x,x,x,x)+A5j
					; CmReplaceKey(x,x,x,x)+127j ...
		mov	edx, [ebp+var_228]
		test	edx, edx
		jz	short loc_93ED80
		cmp	[ebp+var_221], 0
		jnz	short loc_93ED68
		lea	ecx, [ebp+var_220]
		call	CmpAttachToRegistryProcess
		mov	edx, [ebp+var_228]
		mov	[ebp+var_221], 1

loc_93ED68:				; CODE XREF: CmReplaceKey(x,x,x,x)+21Ej
		test	esi, esi
		js	short loc_93ED79
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [edx+400h]
		rep stosd

loc_93ED79:				; CODE XREF: CmReplaceKey(x,x,x,x)+23Aj
		mov	ecx, edx
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)

loc_93ED80:				; CODE XREF: CmReplaceKey(x,x,x,x)+215j
		cmp	[ebp+var_221], 0
		jz	short loc_93ED96
		xor	edx, edx
		lea	ecx, [ebp+var_220]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_93ED96:				; CODE XREF: CmReplaceKey(x,x,x,x)+257j
		mov	ecx, [ebp+var_230]
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_93EDA1:				; CODE XREF: CmReplaceKey(x,x,x,x)+7Aj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_CmReplaceKey@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSetKeyFlags(x, x,	x)
_CmSetKeyFlags@12 proc near		; CODE XREF: NtSetInformationKey+12890Bp

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+70h+var_5C], ecx
		push	6
		pop	ecx
		lea	edi, [esp+70h+var_1C]
		mov	esi, edx
		rep stosd
		lea	edi, [esp+70h+var_48]
		mov	[esp+70h+var_54], esi
		stosd
		lea	ecx, [esp+70h+var_1C]
		xor	edx, edx
		mov	[esp+70h+var_4C], edx
		mov	[esp+70h+var_38], edx
		stosd
		mov	[esp+70h+var_34], edx
		mov	[esp+70h+var_60], edx
		mov	[esp+70h+var_20], edx
		stosd
		mov	[esp+70h+var_58], edx
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [esp+70h+var_48+2], ax
		lea	edi, [esp+70h+var_2C]
		mov	[esp+70h+var_50], eax
		xor	eax, eax
		mov	word ptr [esp+70h+var_4C], ax
		stosd
		stosd
		stosd
		call	CmpAttachToRegistryProcess
		mov	ebx, [ebp+arg_0]
		cmp	esi, 1
		jnz	short loc_93EE41
		test	ebx, 0FFFFFFF0h
		jz	short loc_93EE41
		mov	edi, 0C000000Dh
		jmp	loc_93F21B
; 

loc_93EE41:				; CODE XREF: CmSetKeyFlags(x,x,x)+79j
					; CmSetKeyFlags(x,x,x)+81j ...
		mov	eax, _CmpShutdownRundown
		test	al, 1
		jnz	loc_93F216
		lea	eax, [esp+70h+var_38]
		push	eax
		call	KeQuerySystemTime
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edi, [esp+70h+var_5C]
		lea	ecx, [esp+70h+var_48]
		mov	esi, [edi+8]
		mov	edx, esi
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		lea	ecx, [esp+70h+var_48]
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		xor	edx, edx
		mov	ecx, edi
		call	CmpPerformKeyBodyDeletionCheck
		mov	edi, eax
		test	edi, edi
		js	loc_93F206
		mov	eax, [esp+70h+var_5C]
		cmp	dword ptr [eax+20h], 0
		jnz	short loc_93EE9B
		cmp	dword ptr [eax+24h], 0
		jz	short loc_93EED8

loc_93EE9B:				; CODE XREF: CmSetKeyFlags(x,x,x)+DFj
		lea	edx, [esp+70h+var_60]
		mov	ecx, eax
		call	CmpTransSearchAddTransFromKeyBody
		mov	edi, eax
		test	edi, edi
		js	loc_93F206
		mov	eax, [esi+10h]
		test	byte ptr [eax+64h], 2
		jnz	loc_93F201
		mov	edx, [esp+70h+var_60]
		mov	ecx, [esp+70h+var_5C]
		call	CmpPerformKeyBodyDeletionCheck
		mov	edi, eax
		test	edi, edi
		js	loc_93F206
		mov	eax, [esp+70h+var_5C]

loc_93EED8:				; CODE XREF: CmSetKeyFlags(x,x,x)+E5j
		mov	edx, eax
		mov	ecx, esi
		call	_CmpGetEffectiveKcbSemantics@8 ; CmpGetEffectiveKcbSemantics(x,x)
		cmp	eax, 1
		jz	loc_93F1FA
		mov	eax, [esp+70h+var_54]
		cmp	eax, 2
		jz	short loc_93EEFD
		cmp	eax, 3
		jz	short loc_93EEFD
		cmp	eax, 4
		jnz	short loc_93EF05

loc_93EEFD:				; CODE XREF: CmSetKeyFlags(x,x,x)+13Dj
					; CmSetKeyFlags(x,x,x)+142j
		xor	eax, eax
		mov	[esp+70h+var_60], eax
		jmp	short loc_93EF09
; 

loc_93EF05:				; CODE XREF: CmSetKeyFlags(x,x,x)+147j
		mov	eax, [esp+70h+var_60]

loc_93EF09:				; CODE XREF: CmSetKeyFlags(x,x,x)+14Fj
		test	eax, eax
		jnz	loc_93F155
		lea	eax, [esp+70h+var_2C]
		xor	dl, dl
		push	eax
		push	ecx
		call	CmpTryAcquireKcbIXLocks
		mov	edi, eax
		cmp	edi, 0C000022Dh
		jnz	short loc_93EF7B
		push	[esp+70h+var_2C]
		xor	edx, edx
		push	ecx
		push	3
		mov	ecx, esi
		call	CmpLogTransactionAbortedWithChildName
		lea	ecx, [esp+70h+var_48]
		call	CmpUnlockKcbStack
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		lea	ecx, [esp+70h+var_2C]
		call	_CmpAbortRollbackPacket@8 ; CmpAbortRollbackPacket(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_93F21B
		lea	ecx, [esp+70h+var_20]
		call	_CmpRetryBackOff@4 ; CmpRetryBackOff(x)
		lea	ecx, [esp+70h+var_2C]
		call	CmpCleanupRollbackPacket
		xor	eax, eax
		lea	edi, [esp+70h+var_2C]
		stosd
		stosd
		stosd
		jmp	loc_93EE41
; 

loc_93EF7B:				; CODE XREF: CmSetKeyFlags(x,x,x)+172j
		test	edi, edi
		js	loc_93F206
		cmp	dword ptr [esi+14h], 0FFFFFFFFh
		jnz	short loc_93EFD2
		lea	ecx, [esp+70h+var_48]
		call	CmpUnlockKcbStack
		push	0
		xor	dl, dl
		lea	ecx, [esp+74h+var_48]
		call	_CmpPromoteKey@12 ; CmpPromoteKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_93F20F
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, [esp+70h+var_3C]
		test	ecx, ecx
		jz	short loc_93EFBB
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_93EFBB:				; CODE XREF: CmSetKeyFlags(x,x,x)+200j
		xor	eax, eax
		lea	edi, [esp+70h+var_48]
		stosd
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [esp+70h+var_48+2], ax
		jmp	loc_93EE41
; 

loc_93EFD2:				; CODE XREF: CmSetKeyFlags(x,x,x)+1D3j
		mov	ecx, [esi+10h]
		xor	edx, edx
		add	ecx, 24h
		call	ExAcquirePushLockSharedEx
		mov	edx, [esi+14h]
		xor	edi, edi
		mov	ecx, [esi+10h]
		push	edi
		push	edi
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_93EFFC
		mov	edi, 0C000017Dh
		jmp	loc_93F110
; 

loc_93EFFC:				; CODE XREF: CmSetKeyFlags(x,x,x)+23Cj
		push	1
		lea	edx, [esp+74h+var_50]
		mov	ecx, esi
		call	CmpGetKeyNodeForKcb
		mov	edx, eax
		mov	eax, [esp+70h+var_54]
		sub	eax, 1
		jz	loc_93F0C5
		sub	eax, 1
		jz	short loc_93F08E
		sub	eax, 1
		jz	short loc_93F038
		sub	eax, 1
		jnz	loc_93F0E3
		mov	al, bl
		mov	[edx+37h], bl
		mov	[esi+69h], al
		jmp	loc_93F0E3
; 

loc_93F038:				; CODE XREF: CmSetKeyFlags(x,x,x)+26Cj
		movzx	eax, word ptr [edx+2]
		test	bl, 4
		jz	short loc_93F055
		mov	ecx, 80h
		or	eax, ecx
		mov	[edx+2], ax
		or	[esi+6Ah], cx
		jmp	loc_93F0E3
; 

loc_93F055:				; CODE XREF: CmSetKeyFlags(x,x,x)+28Bj
		test	bl, 1
		jz	short loc_93F06B
		mov	ecx, 300h
		or	eax, ecx
		mov	[edx+2], ax
		or	[esi+6Ah], cx
		jmp	short loc_93F07A
; 

loc_93F06B:				; CODE XREF: CmSetKeyFlags(x,x,x)+2A4j
		mov	ecx, 0FEFFh
		and	eax, ecx
		mov	[edx+2], ax
		and	[esi+6Ah], cx

loc_93F07A:				; CODE XREF: CmSetKeyFlags(x,x,x)+2B5j
		test	bl, 2
		jz	short loc_93F0E3
		mov	eax, 200h
		or	[edx+2], ax
		or	[esi+6Ah], ax
		jmp	short loc_93F0E3
; 

loc_93F08E:				; CODE XREF: CmSetKeyFlags(x,x,x)+267j
		mov	eax, ebx
		shl	eax, 14h
		xor	eax, [edx+34h]
		and	eax, 0F00000h
		xor	[edx+34h], eax
		movzx	eax, word ptr [edx+36h]
		xor	eax, [esi+68h]
		and	eax, 0F0h
		xor	[esi+68h], eax
		test	bl, 2
		jz	short loc_93F0E3
		mov	eax, 0FF7Fh
		and	[edx+2], ax
		mov	ax, [edx+2]
		mov	[esi+6Ah], ax
		jmp	short loc_93F0E3
; 

loc_93F0C5:				; CODE XREF: CmSetKeyFlags(x,x,x)+25Ej
		shl	ebx, 10h
		xor	ebx, [edx+34h]
		and	ebx, 0F0000h
		xor	ebx, [edx+34h]
		mov	[edx+34h], ebx
		shr	ebx, 10h
		xor	ebx, [esi+68h]
		and	ebx, 0Fh
		xor	[esi+68h], ebx

loc_93F0E3:				; CODE XREF: CmSetKeyFlags(x,x,x)+271j
					; CmSetKeyFlags(x,x,x)+27Fj ...
		mov	ecx, [esp+70h+var_38]
		mov	eax, [esp+70h+var_34]
		mov	[edx+4], ecx
		mov	[edx+8], eax
		add	dword ptr [esi+0A8h], 1
		mov	[esi+58h], ecx
		adc	[esi+0ACh], edi
		mov	[esi+5Ch], eax
		mov	eax, [esi+10h]
		lea	ecx, [esp+70h+var_50]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_93F110:				; CODE XREF: CmSetKeyFlags(x,x,x)+243j
		mov	esi, [esi+10h]
		xor	edx, edx
		push	11h
		add	esi, 24h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_93F12B
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_93F12B:				; CODE XREF: CmSetKeyFlags(x,x,x)+36Ej
		mov	ecx, esi
		call	KeAbPostRelease

loc_93F132:				; CODE XREF: CmSetKeyFlags(x,x,x)+3EFj
					; CmSetKeyFlags(x,x,x)+40Cj ...
		mov	ebx, [esp+78h+var_60]
		test	ebx, ebx
		jz	loc_93F206
		mov	ecx, ebx
		call	CmpRundownUnitOfWork
		push	77554D43h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_93F206
; 

loc_93F155:				; CODE XREF: CmSetKeyFlags(x,x,x)+157j
		call	_CmpAllocateUnitOfWork@0 ; CmpAllocateUnitOfWork()
		mov	edi, eax
		mov	[esp+70h+var_58], edi
		test	edi, edi
		jnz	short loc_93F16E
		mov	edi, 0C000009Ah
		jmp	loc_93F206
; 

loc_93F16E:				; CODE XREF: CmSetKeyFlags(x,x,x)+3AEj
		lea	eax, [esi+70h]
		mov	ecx, [eax+4]
		lea	edx, [edi+10h]
		cmp	[ecx], eax
		jz	short loc_93F180
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_93F180:				; CODE XREF: CmSetKeyFlags(x,x,x)+3C5j
		mov	[edx+4], ecx
		mov	[edx], eax
		mov	[ecx], edx
		mov	ecx, esi
		mov	[eax+4], edx
		call	CmpReferenceKeyControlBlock
		mov	edx, [esp+70h+var_60]
		mov	ecx, edi
		mov	[edi+18h], esi
		call	CmpTransEnlistUowInCmTrans
		mov	edi, eax
		test	edi, edi
		js	short loc_93F132
		mov	edi, [esp+70h+var_58]
		mov	edx, edi
		push	ecx
		lea	ecx, [esi+84h]
		call	CmpLockIXLockIntent
		test	al, al
		jnz	short loc_93F1C5

loc_93F1BB:				; CODE XREF: CmSetKeyFlags(x,x,x)+422j
		mov	edi, 0C0190001h
		jmp	loc_93F132
; 

loc_93F1C5:				; CODE XREF: CmSetKeyFlags(x,x,x)+405j
		push	1
		lea	ecx, [esi+8Ch]
		mov	edx, edi
		call	CmpLockIXLockExclusive
		test	al, al
		jz	short loc_93F1BB
		xor	edx, edx
		mov	dword ptr [edi+24h], 7
		inc	edx
		mov	[edi+30h], ebx
		mov	ecx, edi
		call	_CmAddLogForAction@8 ; CmAddLogForAction(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_93F132
		xor	edi, edi
		jmp	short loc_93F206
; 

loc_93F1FA:				; CODE XREF: CmSetKeyFlags(x,x,x)+130j
		mov	edi, 0C0000022h
		jmp	short loc_93F206
; 

loc_93F201:				; CODE XREF: CmSetKeyFlags(x,x,x)+103j
		mov	edi, 0C0190001h

loc_93F206:				; CODE XREF: CmSetKeyFlags(x,x,x)+D1j
					; CmSetKeyFlags(x,x,x)+F6j ...
		lea	ecx, [esp+70h+var_48]
		call	CmpUnlockKcbStack

loc_93F20F:				; CODE XREF: CmSetKeyFlags(x,x,x)+1EFj
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		jmp	short loc_93F21B
; 

loc_93F216:				; CODE XREF: CmSetKeyFlags(x,x,x)+94j
		mov	edi, 0C0000189h

loc_93F21B:				; CODE XREF: CmSetKeyFlags(x,x,x)+88j
					; CmSetKeyFlags(x,x,x)+1A1j ...
		xor	edx, edx
		lea	ecx, [esp+70h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [esp+70h+var_3C]
		test	ecx, ecx
		jz	short loc_93F233
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_93F233:				; CODE XREF: CmSetKeyFlags(x,x,x)+478j
		lea	ecx, [esp+70h+var_2C]
		call	CmpCleanupRollbackPacket
		mov	ecx, [esp+70h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_CmSetKeyFlags@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSetLastWriteTimeKey(x, x)
_CmSetLastWriteTimeKey@8 proc near	; CODE XREF: NtSetInformationKey+1288B3p

var_52		= byte ptr -52h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[esp+58h+var_38], edx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[esp+60h+var_30], eax
		push	6
		pop	ecx
		mov	[esp+60h+var_4C], eax
		lea	edi, [esp+60h+var_1C]
		rep stosd
		mov	[esp+60h+var_20], eax
		lea	edi, [esp+60h+var_48]
		mov	ebx, eax
		mov	word ptr [esp+60h+var_30], ax
		stosd
		or	ecx, 0FFFFFFFFh
		mov	[esp+60h+var_34], ecx
		mov	[esp+60h+var_50], esi
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+60h+var_2C]
		mov	word ptr [esp+60h+var_48+2], cx
		stosd
		lea	ecx, [esp+60h+var_1C]
		stosd
		stosd
		call	CmpAttachToRegistryProcess

loc_93F2B9:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+1A7j
		mov	eax, _CmpShutdownRundown
		test	al, 1
		jnz	loc_93F57C
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edi, [esi+8]
		mov	ecx, edi
		mov	[esp+60h+var_51], 1
		call	_CmpIsKcbImmutable@4 ; CmpIsKcbImmutable(x)
		test	al, al
		jnz	loc_93F575
		mov	edx, edi
		lea	ecx, [esp+60h+var_48]
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93F585
		lea	ecx, [esp+60h+var_48]
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		mov	ecx, [esp+60h+var_50]
		xor	edx, edx
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_93F56A
		cmp	byte ptr [edi+21h], 1
		jz	loc_93F565
		mov	eax, [esp+60h+var_50]
		cmp	[eax+20h], ebx
		jnz	short loc_93F32D
		cmp	[eax+24h], ebx
		jz	short loc_93F370

loc_93F32D:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+D4j
		lea	edx, [esp+60h+var_4C]
		mov	ecx, eax
		call	CmpTransSearchAddTransFromKeyBody
		mov	esi, eax
		test	esi, esi
		js	loc_93F56A
		mov	edx, [esp+60h+var_4C]
		mov	ecx, [esp+60h+var_50]
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_93F56A
		mov	eax, [edi+10h]
		test	byte ptr [eax+64h], 2
		jnz	loc_93F55E
		cmp	[esp+60h+var_4C], ebx
		jnz	loc_93F4C3

loc_93F370:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+D9j
		lea	eax, [esp+60h+var_2C]
		xor	dl, dl
		push	eax
		push	ecx
		mov	ecx, edi
		call	CmpTryAcquireKcbIXLocks
		mov	esi, eax
		cmp	esi, 0C000022Dh
		jnz	short loc_93F3FE
		lea	eax, [esp+60h+var_2C]
		mov	ecx, edi
		push	eax
		push	2
		pop	edx
		call	_CmpLogTransactionAbortedForRollbackPacket@12 ;	CmpLogTransactionAbortedForRollbackPacket(x,x,x)
		lea	ecx, [esp+60h+var_48]
		call	CmpUnlockKcbStack
		lea	ecx, [esp+60h+var_48]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		xor	eax, eax
		lea	edi, [esp+60h+var_48]
		stosd
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [esp+60h+var_48+2], ax
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		mov	[esp+60h+var_51], bl
		lea	ecx, [esp+60h+var_2C]
		call	_CmpAbortRollbackPacket@8 ; CmpAbortRollbackPacket(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93F585
		lea	ecx, [esp+60h+var_20]
		call	_CmpRetryBackOff@4 ; CmpRetryBackOff(x)
		lea	ecx, [esp+60h+var_2C]
		call	CmpCleanupRollbackPacket
		xor	eax, eax
		lea	edi, [esp+60h+var_2C]
		stosd
		stosd
		stosd

loc_93F3F5:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+1FCj
		mov	esi, [esp+60h+var_50]
		jmp	loc_93F2B9
; 

loc_93F3FE:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+135j
		test	esi, esi
		js	loc_93F56A
		or	eax, 0FFFFFFFFh
		cmp	[edi+14h], eax
		jnz	short loc_93F450
		lea	ecx, [esp+60h+var_48]
		call	CmpUnlockKcbStack
		push	0
		xor	dl, dl
		lea	ecx, [esp+64h+var_48]
		call	_CmpPromoteKey@12 ; CmpPromoteKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_93F585
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		lea	ecx, [esp+60h+var_48]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		xor	eax, eax
		lea	edi, [esp+60h+var_48]
		stosd
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [esp+60h+var_48+2], ax
		jmp	short loc_93F3F5
; 

loc_93F450:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+1BAj
		mov	ecx, [edi+10h]
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	edx, [edi+14h]
		mov	ecx, [edi+10h]
		push	0
		push	0
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_93F472
		mov	esi, 0C000017Dh
		jmp	short loc_93F4B6
; 

loc_93F472:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+217j
		push	1
		lea	edx, [esp+64h+var_34]
		mov	ecx, edi
		call	CmpGetKeyNodeForKcb
		mov	edx, [esp+60h+var_38]
		mov	ecx, eax
		mov	eax, [edx]
		mov	[ecx+4], eax
		mov	eax, [edx+4]
		mov	[ecx+8], eax
		lea	ecx, [esp+60h+var_34]
		mov	eax, [edx]
		mov	[edi+58h], eax
		mov	eax, [edx+4]
		add	dword ptr [edi+0A8h], 1
		mov	[edi+5Ch], eax
		mov	eax, [edi+10h]
		adc	[edi+0ACh], ebx
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		xor	esi, esi

loc_93F4B6:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+21Ej
		mov	ecx, [edi+10h]
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		jmp	loc_93F546
; 

loc_93F4C3:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+118j
		call	_CmpAllocateUnitOfWork@0 ; CmpAllocateUnitOfWork()
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_93F4D8
		mov	esi, 0C000009Ah
		jmp	loc_93F56A
; 

loc_93F4D8:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+27Aj
		mov	edx, edi
		mov	ecx, ebx
		call	_CmpTransEnlistUowInKcb@8 ; CmpTransEnlistUowInKcb(x,x)
		mov	edx, [esp+60h+var_4C]
		mov	ecx, ebx
		call	CmpTransEnlistUowInCmTrans
		mov	esi, eax
		test	esi, esi
		js	short loc_93F546
		push	ecx
		lea	ecx, [edi+84h]
		mov	edx, ebx
		call	CmpLockIXLockIntent
		test	al, al
		jz	short loc_93F541
		push	1
		lea	ecx, [edi+8Ch]
		mov	edx, ebx
		call	CmpLockIXLockExclusive
		test	al, al
		jz	short loc_93F541
		mov	ecx, [esp+60h+var_38]
		xor	edx, edx
		mov	dword ptr [ebx+24h], 8
		inc	edx
		mov	eax, [ecx]
		mov	[ebx+30h], eax
		mov	eax, [ecx+4]
		mov	ecx, ebx
		mov	[ebx+34h], eax
		call	_CmAddLogForAction@8 ; CmAddLogForAction(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_93F546
		xor	esi, esi
		jmp	short loc_93F56A
; 

loc_93F541:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+2B0j
					; CmSetLastWriteTimeKey(x,x)+2C3j
		mov	esi, 0C0190001h

loc_93F546:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+26Cj
					; CmSetLastWriteTimeKey(x,x)+29Ej ...
		test	ebx, ebx
		jz	short loc_93F56A
		mov	ecx, ebx
		call	CmpRundownUnitOfWork
		push	77554D43h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_93F56A
; 

loc_93F55E:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+10Ej
		mov	esi, 0C0190001h
		jmp	short loc_93F56A
; 

loc_93F565:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+C7j
		mov	esi, 0C0000022h

loc_93F56A:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+BDj
					; CmSetLastWriteTimeKey(x,x)+EAj ...
		lea	ecx, [esp+60h+var_48]
		call	CmpUnlockKcbStack
		jmp	short loc_93F585
; 

loc_93F575:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+8Aj
		mov	esi, 0C0000022h
		jmp	short loc_93F585
; 

loc_93F57C:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+6Ej
		mov	esi, 0C0000189h
		mov	[esp+60h+var_51], bl

loc_93F585:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+9Fj
					; CmSetLastWriteTimeKey(x,x)+182j ...
		lea	ecx, [esp+60h+var_48]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		lea	ecx, [esp+60h+var_2C]
		call	CmpCleanupRollbackPacket
		cmp	[esp+60h+var_51], 0
		jz	short loc_93F5A3
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_93F5A3:				; CODE XREF: CmSetLastWriteTimeKey(x,x)+34Aj
		xor	edx, edx
		lea	ecx, [esp+60h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [esp+60h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_CmSetLastWriteTimeKey@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAddValueKeyTombstone(x, x, x)
_CmpAddValueKeyTombstone@12 proc near	; CODE XREF: CmpSetValueKeyTombstone(x,x,x,x,x)+30p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, edx
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], ecx
		or	[ebp+var_10], 0FFFFFFFFh
		mov	[ebp+var_4], ecx
		mov	word ptr [ebp+var_C], cx
		mov	ecx, eax
		call	_CmpNameSize@4	; CmpNameSize(x)
		movzx	esi, ax
		lea	ecx, [ebp+var_4]
		lea	eax, [ebp+var_10]
		add	esi, 14h
		push	eax
		push	ecx
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, edi
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	ebx, eax
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_93F613
		or	eax, eax
		jmp	short loc_93F663
; 

loc_93F613:				; CODE XREF: CmpAddValueKeyTombstone(x,x,x)+4Bj
		push	esi		; size_t
		mov	esi, [ebp+var_4]
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edx, [ebp+var_8]
		lea	ecx, [esi+14h]
		add	esp, 0Ch
		mov	eax, 6B76h
		mov	[esi], ax
		push	2
		pop	eax
		mov	[esi+10h], ax
		and	dword ptr [esi+4], 0
		or	dword ptr [esi+8], 0FFFFFFFFh
		and	dword ptr [esi+0Ch], 0
		call	CmpCopyName
		mov	ecx, [ebp+var_8]
		mov	[esi+2], ax
		cmp	ax, [ecx]
		jnb	short loc_93F659
		or	word ptr [esi+10h], 1

loc_93F659:				; CODE XREF: CmpAddValueKeyTombstone(x,x,x)+90j
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	eax, ebx

loc_93F663:				; CODE XREF: CmpAddValueKeyTombstone(x,x,x)+4Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpAddValueKeyTombstone@12 endp


;  S U B	R O U T	I N E 


; __stdcall CmpGetPhaseAccessBit()
_CmpGetPhaseAccessBit@0	proc near	; CODE XREF: CmpCreateTombstone(x,x)+BFp
		mov	al, _CmpAccessBitForPhase
		retn
_CmpGetPhaseAccessBit@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpIsHiveAlreadyLoaded(x, x, x, x, x)
_CmpIsHiveAlreadyLoaded@20 proc	near	; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+146p

var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	bl, bl
		mov	[ebp+var_4], edx
		test	[ebp+arg_0], 20h
		mov	esi, ecx
		push	edi
		jnz	loc_93F765
		test	esi, esi
		jz	short loc_93F701
		xor	edx, edx
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_93F765
		mov	eax, [esi+8]
		mov	edi, [ebp+arg_4]
		test	dword ptr [eax+68h], 40000h
		mov	edx, [eax+10h]
		mov	[edi], edx
		jz	loc_93F765
		mov	edx, [edx+400h]
		mov	ecx, [ebp+var_4]
		call	_CmpIsThisSameFile@8 ; CmpIsThisSameFile(x,x)
		test	al, al
		jz	loc_93F765
		mov	ecx, [edi]
		test	byte ptr [ecx+980h], 40h
		jnz	loc_93F765
		mov	eax, [esi+8]
		test	dword ptr [eax+4], 40000h
		jnz	short loc_93F765
		inc	bl
		cmp	[ecx+6DCh], bl
		jnz	short loc_93F765
		call	_CmpUnfreezeHive@4 ; CmpUnfreezeHive(x)
		mov	eax, [edi]
		mov	byte ptr [eax+6DCh], 0
		jmp	short loc_93F765
; 

loc_93F701:				; CODE XREF: CmpIsHiveAlreadyLoaded(x,x,x,x,x)+1Dj
		test	[ebp+arg_0], 10h
		jz	short loc_93F765
		xor	ecx, ecx
		jmp	short loc_93F731
; 

loc_93F70B:				; CODE XREF: CmpIsHiveAlreadyLoaded(x,x,x,x,x)+CAj
		test	byte ptr [edi+980h], 20h
		jz	short loc_93F72F
		mov	edx, [edi+400h]
		mov	ecx, [ebp+var_4]
		call	_CmpIsThisSameFile@8 ; CmpIsThisSameFile(x,x)
		test	al, al
		jz	short loc_93F72F
		test	byte ptr [edi+980h], 40h
		jz	short loc_93F73E

loc_93F72F:				; CODE XREF: CmpIsHiveAlreadyLoaded(x,x,x,x,x)+A2j
					; CmpIsHiveAlreadyLoaded(x,x,x,x,x)+B4j
		mov	ecx, edi

loc_93F731:				; CODE XREF: CmpIsHiveAlreadyLoaded(x,x,x,x,x)+99j
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_93F70B
		jmp	short loc_93F765
; 

loc_93F73E:				; CODE XREF: CmpIsHiveAlreadyLoaded(x,x,x,x,x)+BDj
		mov	eax, [ebp+arg_4]
		mov	ecx, [edi+6D8h]
		mov	[eax], edi
		call	_CmpConstructName@4 ; CmpConstructName(x)
		mov	esi, eax
		lea	ecx, [edi+430h]
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		test	esi, esi
		setnz	bl

loc_93F765:				; CODE XREF: CmpIsHiveAlreadyLoaded(x,x,x,x,x)+15j
					; CmpIsHiveAlreadyLoaded(x,x,x,x,x)+28j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	0Ch
_CmpIsHiveAlreadyLoaded@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpResolveHiveLoadConflict(x, x, x,	x, x, x, x, x, x)
_CmpResolveHiveLoadConflict@36 proc near ; CODE	XREF: CmLoadKey+11B3F0p
					; CmLoadKey+11B476p

var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_84		= dword	ptr -84h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_44		= dword	ptr -44h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	[ebp+var_D4], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	[ebp+var_E4], eax
		mov	esi, ecx
		mov	eax, [ebp+arg_14]
		push	edi
		mov	[ebp+var_D8], eax
		xor	edi, edi
		mov	eax, [ebp+arg_18]
		push	0B4h		; size_t
		mov	[ebp+var_E0], eax
		lea	eax, [ebp+var_C0]
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_DC], edx
		mov	[ebp+var_D0], ebx
		mov	[ebp+var_C8], edi
		mov	[ebp+var_C4], edi
		mov	[ebp+var_CC], edi
		call	_memset
		or	[ebp+var_84], 0FFFFFFFFh
		lea	eax, [ebp+var_68]
		add	esp, 0Ch
		mov	[ebp+var_64], eax
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_44]
		push	38h		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_C4]
		xor	edx, edx
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_C0]
		push	eax
		push	edi
		push	ds:_CmKeyObjectType
		push	20019h
		call	ObReferenceObjectByNameEx
		mov	edi, [ebp+var_C4]
		test	eax, eax
		jns	short loc_93F83A
		mov	esi, 0C0000225h
		jmp	loc_93F9AC
; 

loc_93F83A:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+C0j
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()
		mov	cl, 1
		call	CmpLockRegistryFreezeAware
		mov	esi, [ebp+var_D4]
		test	esi, esi
		jz	short loc_93F89B
		xor	edx, edx
		mov	ecx, esi
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jz	short loc_93F86C
		mov	esi, 0C000017Ch
		mov	ecx, ebx
		push	10h
		push	esi
		jmp	loc_93F999
; 

loc_93F86C:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+EDj
		mov	eax, [esi+8]
		mov	dl, byte ptr [ebp+arg_10]
		mov	eax, [eax+10h]
		mov	ecx, eax
		mov	[ebp+var_CC], eax
		call	_CmpPerformTrustClassAccessCheck@8 ; CmpPerformTrustClassAccessCheck(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_93F89B
		push	20h
		mov	ecx, ebx

loc_93F88C:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+1D9j
		push	esi
		xor	edx, edx
		push	21h
		call	SetFailureLocation
		jmp	loc_93F97A
; 

loc_93F89B:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+E0j
					; CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+118j
		push	[ebp+var_D8]
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_C8]
		mov	edx, [ebp+var_DC]
		mov	ecx, edi
		push	eax
		push	esi
		call	_CmpIsHiveAlreadyLoaded@20 ; CmpIsHiveAlreadyLoaded(x,x,x,x,x)
		test	al, al
		jnz	short loc_93F8C6
		push	30h
		mov	ecx, ebx
		jmp	loc_93F991
; 

loc_93F8C6:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+14Dj
		mov	ebx, [ebp+var_C8]
		mov	edx, [ebx+64h]
		bt	edx, 0Fh
		setb	cl
		bt	esi, 0Dh
		setnb	al
		test	cl, al
		jnz	loc_93F989
		bt	edx, 0Fh
		setnb	cl
		bt	esi, 0Dh
		setb	al
		test	cl, al
		jnz	loc_93F989
		mov	ecx, [edi+8]
		call	_CmpLockKcbExclusive@4 ; CmpLockKcbExclusive(x)
		test	esi, 800h
		jz	short loc_93F91E
		mov	ecx, [edi+8]
		call	CmpReferenceKeyControlBlock
		mov	ecx, [ebp+var_E0]
		mov	eax, [edi+8]
		mov	[ecx], eax

loc_93F91E:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+19Bj
		mov	eax, [ebp+var_E4]
		test	eax, eax
		jz	short loc_93F94C
		mov	edx, eax
		mov	ecx, ebx
		call	CmpRecordUnloadEventForHive
		mov	esi, eax
		test	esi, esi
		jns	short loc_93F94C
		mov	ecx, [edi+8]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	ecx, [ebp+var_D0]
		push	50h
		jmp	loc_93F88C
; 

loc_93F94C:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+1B8j
					; CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+1C7j
		mov	ecx, [edi+8]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	esi, [ebp+var_CC]
		test	esi, esi
		jz	short loc_93F978
		mov	ecx, ebx
		call	_CmpUnJoinClassOfTrust@4 ; CmpUnJoinClassOfTrust(x)
		push	[ebp+arg_10]
		or	dword ptr [ebx+980h], 1
		mov	edx, esi
		mov	ecx, ebx
		call	_CmpJoinClassOfTrust@12	; CmpJoinClassOfTrust(x,x,x)

loc_93F978:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+1EEj
		xor	esi, esi

loc_93F97A:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+128j
		cmp	esi, 0C0000225h
		jnz	short loc_93F9A2
		mov	esi, 0C0000001h
		jmp	short loc_93F9A2
; 

loc_93F989:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+171j
					; CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+187j
		mov	ecx, [ebp+var_D0]
		push	40h

loc_93F991:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+153j
		mov	eax, 0C0000043h
		push	eax
		mov	esi, eax

loc_93F999:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+F9j
		push	21h
		xor	edx, edx
		call	SetFailureLocation

loc_93F9A2:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+212j
					; CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+219j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()

loc_93F9AC:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+C7j
		test	edi, edi
		jz	short loc_93F9B7
		mov	ecx, edi
		call	ObfDereferenceObject

loc_93F9B7:				; CODE XREF: CmpResolveHiveLoadConflict(x,x,x,x,x,x,x,x,x)+240j
		xor	dl, dl
		lea	ecx, [ebp+var_C0]
		call	CmpCleanupParseContext
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
_CmpResolveHiveLoadConflict@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSetValueKeyTombstone(x, x, x, x,	x)
_CmpSetValueKeyTombstone@20 proc near	; CODE XREF: CmDeleteValueKey+1817F4p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		lea	esi, [edx+24h]
		xor	eax, eax
		mov	ebx, ecx
		push	edi
		cmp	[esi], eax
		jz	short loc_93F9FF
		mov	edx, [edx+28h]
		push	eax
		push	eax
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_93F9FF
		mov	esi, 0C000017Dh
		jmp	short loc_93FA45
; 

loc_93F9FF:				; CODE XREF: CmpSetValueKeyTombstone(x,x,x,x,x)+11j
					; CmpSetValueKeyTombstone(x,x,x,x,x)+1Fj
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_CmpAddValueKeyTombstone@12 ; CmpAddValueKeyTombstone(x,x,x)
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_93FA1A
		mov	esi, 0C000009Ah
		jmp	short loc_93FA45
; 

loc_93FA1A:				; CODE XREF: CmpSetValueKeyTombstone(x,x,x,x,x)+3Aj
		push	1
		push	esi
		push	[ebp+arg_8]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+arg_4]
		call	CmpAddValueToListEx
		mov	esi, eax
		test	esi, esi
		js	short loc_93FA37
		or	edi, 0FFFFFFFFh
		xor	esi, esi

loc_93FA37:				; CODE XREF: CmpSetValueKeyTombstone(x,x,x,x,x)+59j
		cmp	edi, 0FFFFFFFFh
		jz	short loc_93FA45
		mov	edx, edi
		mov	ecx, ebx
		call	_CmpFreeValue@8	; CmpFreeValue(x,x)

loc_93FA45:				; CODE XREF: CmpSetValueKeyTombstone(x,x,x,x,x)+26j
					; CmpSetValueKeyTombstone(x,x,x,x,x)+41j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_CmpSetValueKeyTombstone@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpUnfreezeHive(x)
_CmpUnfreezeHive@4 proc	near		; CODE XREF: CmpPerformUnloadKey+18B6B5p
					; CmpIsHiveAlreadyLoaded(x,x,x,x,x)+81p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		mov	ecx, [esi+6E0h]
		mov	[esi+6DCh], bl
		test	ecx, ecx
		jz	short loc_93FA9C
		call	_CmWorkerEngineDequeueWorkItem@4 ; CmWorkerEngineDequeueWorkItem(x)
		test	al, al
		jz	short loc_93FA96
		or	eax, 0FFFFFFFFh
		lock xadd [esi+9D8h], eax
		jnz	short loc_93FA96
		mov	ecx, esi
		call	_CmpDeleteHive@4 ; CmpDeleteHive(x)

loc_93FA96:				; CODE XREF: CmpUnfreezeHive(x)+32j
					; CmpUnfreezeHive(x)+3Fj
		mov	[esi+6E0h], ebx

loc_93FA9C:				; CODE XREF: CmpUnfreezeHive(x)+29j
		mov	ecx, [esi+6D8h]
		test	ecx, ecx
		jz	short loc_93FAB5
		push	ebx
		lea	edx, [ebp+var_8]
		call	CmpDereferenceKeyControlBlockWithLock
		mov	[esi+6D8h], ebx

loc_93FAB5:				; CODE XREF: CmpUnfreezeHive(x)+56j
		xor	dl, dl
		lea	ecx, [ebp+var_8]
		call	CmpDrainDelayDerefContext
		pop	esi
		pop	ebx
		leave
		retn
_CmpUnfreezeHive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpIsKcbLockAllowed(x, x, x)
_CmpIsKcbLockAllowed@12	proc near	; CODE XREF: CmpFindSubkeyInHashByChildCell+92577p
					; CmpFindSubkeyInHashByChildCell+925ADp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, edx
		mov	byte ptr [esi],	0
		cmp	ecx, edi
		jnz	short loc_93FAE2
		mov	byte ptr [esi],	1
		mov	al, 1
		jmp	short loc_93FAF5
; 

loc_93FAE2:				; CODE XREF: CmpIsKcbLockAllowed(x,x,x)+16j
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		call	CmpGetCorrectKcbLockOrder
		cmp	[ebp+var_4], edi
		setz	al

loc_93FAF5:				; CODE XREF: CmpIsKcbLockAllowed(x,x,x)+1Dj
		pop	edi
		pop	esi
		leave
		retn	4
_CmpIsKcbLockAllowed@12	endp


;  S U B	R O U T	I N E 


; __stdcall CmpCloneToUnbackedKcb(x, x)
_CmpCloneToUnbackedKcb@8 proc near	; CODE XREF: CmpPrepareDiscardReplacePost(x,x,x)+1Ap
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	_CmpAllocateKeyControlBlock@0 ;	CmpAllocateKeyControlBlock()
		mov	esi, eax
		test	esi, esi
		jnz	short loc_93FB19
		mov	edi, 0C000009Ah
		jmp	loc_93FC01
; 

loc_93FB19:				; CODE XREF: CmpCloneToUnbackedKcb(x,x)+12j
		mov	ecx, esi
		call	_InitializeKCBKeyBodyList@4 ; InitializeKCBKeyBodyList(x)
		xor	edx, edx
		xor	ecx, ecx
		inc	edx
		mov	[esi], edx
		mov	eax, [edi+10h]
		or	dword ptr [esi+14h], 0FFFFFFFFh
		mov	[esi+10h], eax
		mov	eax, [edi+8]
		or	dword ptr [esi+98h], 0FFFFFFFFh
		mov	[esi+8], eax
		lea	eax, [esi+70h]
		mov	[esi+18h], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+78h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[esi+80h], ecx
		mov	[esi+84h], ecx
		mov	[esi+88h], ecx
		mov	[esi+8Ch], ecx
		mov	[esi+90h], ecx
		mov	[esi+94h], ecx
		mov	[esi+9Ch], ecx
		mov	ecx, [edi+28h]
		mov	eax, [ecx]
		and	eax, 0FFFFFFFEh
		cmp	eax, 0FFFFFFFEh
		jnz	short loc_93FB8F
		mov	edi, 0C000009Ah
		jmp	short loc_93FBDF
; 

loc_93FB8F:				; CODE XREF: CmpCloneToUnbackedKcb(x,x)+8Bj
		mov	[esi+28h], ecx
		add	dword ptr [ecx], 2
		mov	eax, [edi+24h]
		test	eax, eax
		jz	short loc_93FBBA
		mov	al, [eax+21h]
		cmp	al, 1
		jz	short loc_93FBA9
		cmp	al, 3
		jz	short loc_93FBA9
		xor	dl, dl

loc_93FBA9:				; CODE XREF: CmpCloneToUnbackedKcb(x,x)+A6j
					; CmpCloneToUnbackedKcb(x,x)+AAj
		mov	[esi+21h], dl
		mov	ecx, [edi+24h]
		call	CmpReferenceKeyControlBlockUnsafe
		mov	eax, [edi+24h]
		mov	[esi+24h], eax

loc_93FBBA:				; CODE XREF: CmpCloneToUnbackedKcb(x,x)+9Fj
		mov	eax, [edi+4]
		xor	eax, [esi+4]
		and	eax, 7FE00000h
		xor	[esi+4], eax
		mov	eax, [esi+10h]
		cmp	byte ptr [eax+6DCh], 1
		jnz	short loc_93FBD9
		or	word ptr [esi+4], 20h

loc_93FBD9:				; CODE XREF: CmpCloneToUnbackedKcb(x,x)+D7j
		mov	[ebx], esi
		xor	esi, esi
		xor	edi, edi

loc_93FBDF:				; CODE XREF: CmpCloneToUnbackedKcb(x,x)+92j
		test	esi, esi
		jz	short loc_93FC01
		mov	ecx, [esi+28h]
		test	ecx, ecx
		jz	short loc_93FBF3
		call	_CmpDereferenceNameControlBlockWithLock@4 ; CmpDereferenceNameControlBlockWithLock(x)
		and	dword ptr [esi+28h], 0

loc_93FBF3:				; CODE XREF: CmpCloneToUnbackedKcb(x,x)+EDj
		or	dword ptr [esi+4], 80000h
		mov	ecx, esi
		call	CmpFreeKeyControlBlock

loc_93FC01:				; CODE XREF: CmpCloneToUnbackedKcb(x,x)+19j
					; CmpCloneToUnbackedKcb(x,x)+E6j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_CmpCloneToUnbackedKcb@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpDereferenceNameControlBlockWithLock(x)
_CmpDereferenceNameControlBlockWithLock@4 proc near
					; CODE XREF: CmpCreateKeyControlBlock+112D2Bp
					; CmRenameKey(x,x,x,x)+E87p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	ebx, [edi+4]
		mov	eax, [ebx]
		push	eax
		call	_CmpGetHashIndex@4 ; CmpGetHashIndex(x)
		mov	ecx, _CmpNameCacheTable
		mov	esi, eax
		shl	esi, 3
		xor	edx, edx
		lea	ecx, [esi+ecx]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [edi]
		mov	eax, ecx
		shr	eax, 1
		and	ecx, 1
		lea	eax, ds:0FFFFFFFEh[eax*2]
		or	eax, ecx
		mov	[edi], eax
		cmp	eax, 2
		jnb	short loc_93FC78
		mov	ecx, _CmpNameCacheTable
		add	ecx, 4
		add	ecx, esi
		jz	short loc_93FC6C

loc_93FC54:				; CODE XREF: CmpDereferenceNameControlBlockWithLock(x)+5Cj
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_93FC6C
		cmp	eax, ebx
		jz	short loc_93FC67
		lea	ecx, [eax+4]
		test	ecx, ecx
		jnz	short loc_93FC54
		jmp	short loc_93FC6C
; 

loc_93FC67:				; CODE XREF: CmpDereferenceNameControlBlockWithLock(x)+55j
		mov	eax, [eax+4]
		mov	[ecx], eax

loc_93FC6C:				; CODE XREF: CmpDereferenceNameControlBlockWithLock(x)+4Bj
					; CmpDereferenceNameControlBlockWithLock(x)+51j ...
		mov	edx, 624E4D43h
		mov	ecx, edi
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_93FC78:				; CODE XREF: CmpDereferenceNameControlBlockWithLock(x)+3Ej
		mov	ecx, _CmpNameCacheTable
		xor	edx, edx
		pop	edi
		lea	ecx, [esi+ecx]
		pop	esi
		pop	ebx
		jmp	ExReleasePushLockEx
_CmpDereferenceNameControlBlockWithLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDumpKeyBodyList(x, x, x)
_CmpDumpKeyBodyList@12 proc near	; CODE XREF: CmpSearchForOpenSubKeys+18BE04p
					; CmpFreeAllMemory()+6Dp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		cmp	dword ptr [ecx], 0
		push	ebx
		push	esi
		mov	[ebp+var_8], edx
		mov	dl, 1
		push	edi
		jz	loc_93FD62
		lea	ebx, [ecx+48h]
		xor	esi, esi
		mov	[ebp+var_C], ebx
		mov	eax, ebx

loc_93FCAE:				; CODE XREF: CmpDumpKeyBodyList(x,x,x)+2Fj
		cmp	dword ptr [eax], 0
		jnz	short loc_93FCBE
		inc	esi
		add	eax, 4
		cmp	esi, 4
		jb	short loc_93FCAE
		jmp	short loc_93FCC0
; 

loc_93FCBE:				; CODE XREF: CmpDumpKeyBodyList(x,x,x)+26j
		xor	dl, dl

loc_93FCC0:				; CODE XREF: CmpDumpKeyBodyList(x,x,x)+31j
		lea	esi, [ecx+40h]
		cmp	[esi], esi
		jnz	short loc_93FCD0
		cmp	dl, 1
		jz	loc_93FD62

loc_93FCD0:				; CODE XREF: CmpDumpKeyBodyList(x,x,x)+3Aj
		call	_CmpConstructName@4 ; CmpConstructName(x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		jnz	short loc_93FCEE
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_93FD62
		mov	dword ptr [eax+0Ch], 0C000009Ah
		jmp	short loc_93FD62
; 

loc_93FCEE:				; CODE XREF: CmpDumpKeyBodyList(x,x,x)+51j
		mov	edi, [esi]
		cmp	edi, esi
		jz	short loc_93FD13
		mov	ebx, eax

loc_93FCF6:				; CODE XREF: CmpDumpKeyBodyList(x,x,x)+80j
		push	[ebp+arg_0]
		lea	edx, [edi-14h]
		push	ebx
		call	_CmpDumpOneKeyBody@16 ;	CmpDumpOneKeyBody(x,x,x,x)
		mov	ecx, [ebp+var_8]
		inc	dword ptr [ecx]
		mov	edi, [edi]
		cmp	edi, esi
		jnz	short loc_93FCF6
		mov	ebx, [ebp+var_C]
		mov	edx, [ebp+var_4]

loc_93FD13:				; CODE XREF: CmpDumpKeyBodyList(x,x,x)+67j
		push	4
		pop	edi

loc_93FD16:				; CODE XREF: CmpDumpKeyBodyList(x,x,x)+C8j
		mov	esi, [ebx]
		test	esi, esi
		jz	short loc_93FD4A
		cmp	esi, 1
		jz	short loc_93FD4A
		cmp	esi, 2
		jz	short loc_93FD4A
		xor	ecx, ecx
		mov	eax, esi
		inc	ecx
		lock cmpxchg [ebx], ecx
		cmp	eax, esi
		jnz	short loc_93FD4A
		push	[ebp+arg_0]
		push	edx
		mov	edx, esi
		call	_CmpDumpOneKeyBody@16 ;	CmpDumpOneKeyBody(x,x,x,x)
		mov	eax, [ebp+var_8]
		inc	dword ptr [eax]
		xor	eax, eax
		inc	eax
		lock cmpxchg [ebx], esi

loc_93FD4A:				; CODE XREF: CmpDumpKeyBodyList(x,x,x)+8Fj
					; CmpDumpKeyBodyList(x,x,x)+94j ...
		mov	edx, [ebp+var_4]
		add	ebx, 4
		sub	edi, 1
		jnz	short loc_93FD16
		mov	ecx, [ebp+var_4]
		mov	edx, 624E4D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_93FD62:				; CODE XREF: CmpDumpKeyBodyList(x,x,x)+13j
					; CmpDumpKeyBodyList(x,x,x)+3Fj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpDumpKeyBodyList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDumpOneKeyBody(x, x, x, x)
_CmpDumpOneKeyBody@16 proc near		; CODE XREF: CmpDumpKeyBodyList(x,x,x)+72p
					; CmpDumpKeyBodyList(x,x,x)+AEp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		test	esi, esi
		jnz	short loc_93FDA8
		lea	eax, [ebp+arg_0]
		mov	[ebp+arg_0], esi
		push	eax
		push	dword ptr [edx+10h]
		call	PsLookupProcessByProcessId
		test	eax, eax
		js	short loc_93FD8F
		mov	esi, [ebp+arg_0]

loc_93FD8F:				; CODE XREF: CmpDumpOneKeyBody(x,x,x,x)+21j
		test	esi, esi
		jz	loc_93FE2E
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	loc_93FE2E
; 

loc_93FDA8:				; CODE XREF: CmpDumpOneKeyBody(x,x,x,x)+Ej
		mov	edi, [esi+4]
		cmp	[esi+14h], edx
		jz	short loc_93FE2E
		mov	eax, [ebp+arg_0]
		movzx	ebx, word ptr [eax]
		add	ebx, 0Ch
		add	[esi+8], ebx
		cmp	dword ptr [esi+0Ch], 0
		jl	short loc_93FE2C
		mov	eax, [esi+10h]
		add	eax, ebx
		cmp	eax, [esi]
		jbe	short loc_93FDD4
		mov	dword ptr [esi+0Ch], 80000005h
		jmp	short loc_93FE2C
; 

loc_93FDD4:				; CODE XREF: CmpDumpOneKeyBody(x,x,x,x)+60j
		imul	ecx, [edi], 0Ch
		mov	eax, [edx+10h]
		mov	edx, [ebp+arg_0]
		mov	[ecx+edi+4], eax
		imul	ecx, [edi], 0Ch
		mov	ax, [edx]
		mov	[ecx+edi+8], ax
		imul	ecx, [edi], 0Ch
		mov	ax, [edx]
		mov	[ecx+edi+0Ah], ax
		movzx	eax, word ptr [edx]
		mov	ecx, [esi+18h]
		sub	ecx, eax
		mov	eax, [edi]
		inc	eax
		imul	eax, 0Ch
		mov	[eax+edi], ecx
		movzx	eax, word ptr [edx]
		push	eax		; size_t
		mov	eax, [edi]
		push	dword ptr [edx+4] ; void *
		inc	eax
		imul	eax, 0Ch
		push	dword ptr [eax+edi] ; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		movzx	eax, word ptr [eax]
		sub	[esi+18h], eax
		add	[esi+10h], ebx

loc_93FE2C:				; CODE XREF: CmpDumpOneKeyBody(x,x,x,x)+57j
					; CmpDumpOneKeyBody(x,x,x,x)+69j
		inc	dword ptr [edi]

loc_93FE2E:				; CODE XREF: CmpDumpOneKeyBody(x,x,x,x)+28j
					; CmpDumpOneKeyBody(x,x,x,x)+3Aj ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_CmpDumpOneKeyBody@16 endp


;  S U B	R O U T	I N E 


; __stdcall CmpFatalFilter(x, x)
_CmpFatalFilter@8 proc near		; CODE XREF: sub_8F0AD0+Ap
		mov	eax, [ecx]
		push	0
		push	dword ptr [ecx+4]
		push	dword ptr [eax]
		push	21h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_CmpFatalFilter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindKcbInHashEntryByCellIndex(x,	x, x)
_CmpFindKcbInHashEntryByCellIndex@12 proc near ; CODE XREF: CmDeleteLayeredKey(x,x,x)+325p
					; CmpGetVirtualStoreRoot(x,x,x,x)+50p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		push	esi
		mov	[ebp+var_4], edx
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		imul	edi, eax, 0Ch
		mov	eax, [ebx+434h]
		mov	eax, [edi+eax+8]
		test	eax, eax
		jz	short loc_93FE87
		mov	edx, [ebp+var_4]

loc_93FE74:				; CODE XREF: CmpFindKcbInHashEntryByCellIndex(x,x,x)+3Cj
		cmp	[eax], esi
		jnz	short loc_93FE80
		lea	ecx, [eax-8]
		cmp	[ecx+14h], edx
		jz	short loc_93FE89

loc_93FE80:				; CODE XREF: CmpFindKcbInHashEntryByCellIndex(x,x,x)+2Dj
		mov	eax, [eax+4]
		test	eax, eax
		jnz	short loc_93FE74

loc_93FE87:				; CODE XREF: CmpFindKcbInHashEntryByCellIndex(x,x,x)+26j
		xor	ecx, ecx

loc_93FE89:				; CODE XREF: CmpFindKcbInHashEntryByCellIndex(x,x,x)+35j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	4
_CmpFindKcbInHashEntryByCellIndex@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindKcbInHashEntryByCompressedName(x, x,	x, x, x)
_CmpFindKcbInHashEntryByCompressedName@20 proc near
					; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+10Bp
					; CmpPartialPromoteSubkeys(x)+12Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		push	esi
		mov	[ebp+var_4], edx
		mov	edi, ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		imul	ecx, eax, 0Ch
		mov	eax, [edi+434h]
		mov	edi, [ecx+eax+8]
		jmp	short loc_93FF19
; 

loc_93FEC2:				; CODE XREF: CmpFindKcbInHashEntryByCompressedName(x,x,x,x,x)+89j
		cmp	[edi], esi
		jnz	short loc_93FF16
		mov	ecx, [ebp+var_4]
		lea	eax, [edi-8]
		mov	[ebp+var_8], eax
		cmp	[eax+24h], ecx
		jnz	short loc_93FF16
		mov	eax, [eax+28h]
		movzx	edx, [ebp+arg_8]
		test	byte ptr [eax],	1
		lea	ecx, [eax+0Eh]
		mov	[ebp+arg_0], ecx
		movzx	ecx, word ptr [eax+0Ch]
		mov	eax, [ebp+arg_0]
		jz	short loc_93FEF9
		push	ecx
		mov	ecx, [ebp+arg_4]
		push	eax
		call	CmpCompareTwoCompressedNames
		jmp	short loc_93FF12
; 

loc_93FEF9:				; CODE XREF: CmpFindKcbInHashEntryByCompressedName(x,x,x,x,x)+59j
		push	1
		mov	word ptr [ebp+var_10], cx
		mov	word ptr [ebp+var_10+2], cx
		lea	ecx, [ebp+var_10]
		push	edx
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_C], eax
		call	_CmpCompareCompressedName@16 ; CmpCompareCompressedName(x,x,x,x)

loc_93FF12:				; CODE XREF: CmpFindKcbInHashEntryByCompressedName(x,x,x,x,x)+65j
		test	eax, eax
		jz	short loc_93FF1F

loc_93FF16:				; CODE XREF: CmpFindKcbInHashEntryByCompressedName(x,x,x,x,x)+32j
					; CmpFindKcbInHashEntryByCompressedName(x,x,x,x,x)+40j
		mov	edi, [edi+4]

loc_93FF19:				; CODE XREF: CmpFindKcbInHashEntryByCompressedName(x,x,x,x,x)+2Ej
		test	edi, edi
		jnz	short loc_93FEC2
		jmp	short loc_93FF22
; 

loc_93FF1F:				; CODE XREF: CmpFindKcbInHashEntryByCompressedName(x,x,x,x,x)+82j
		mov	ebx, [ebp+var_8]

loc_93FF22:				; CODE XREF: CmpFindKcbInHashEntryByCompressedName(x,x,x,x,x)+8Bj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
_CmpFindKcbInHashEntryByCompressedName@20 endp


;  S U B	R O U T	I N E 


; __stdcall CmpIncrementKcbSequenceNumber(x)
_CmpIncrementKcbSequenceNumber@4 proc near ; CODE XREF:	CmDeleteLayeredKey(x,x,x)+39Bp
					; CmpCreateTombstone(x,x)+1A0p	...
		add	dword ptr [ecx+0A8h], 1
		adc	dword ptr [ecx+0ACh], 0
		retn
_CmpIncrementKcbSequenceNumber@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpInsertKeyHash(x,	x, x)
_CmpInsertKeyHash@12 proc near		; CODE XREF: CmRenameKey(x,x,x,x)+CB3p
					; CmpRehashKcbSubtree(x,x)+69p
		mov	edi, edi
		push	esi
		mov	esi, [ecx+434h]
		push	edi
		mov	edi, edx
		push	dword ptr [edi]
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		imul	edx, eax, 0Ch
		mov	ecx, edi
		push	0
		add	edx, esi
		call	CmpAddKeyHashToEntry
		pop	edi
		pop	esi
		retn	4
_CmpInsertKeyHash@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpInvalidateSubtreeWorker(x, x)
_CmpInvalidateSubtreeWorker@8 proc near	; DATA XREF: CmpInvalidateSubtree(x,x,x,x,x)+27o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, [esi+0Ch]
		test	dword ptr [edi+4], 20000h
		jnz	short loc_93FFA0
		mov	edx, [esi]
		mov	ecx, edi
		push	1
		push	ebx
		call	CmpFlushNotifiesOnKeyBodyList
		mov	ecx, [edi+24h]
		xor	dl, dl
		call	CmpCleanUpSubKeyInfo
		mov	edx, ebx
		mov	ecx, edi
		call	_CmpMarkKeyUnbacked@8 ;	CmpMarkKeyUnbacked(x,x)
		mov	ecx, edi
		call	_CmpDiscardKcb@4 ; CmpDiscardKcb(x)

loc_93FFA0:				; CODE XREF: CmpInvalidateSubtreeWorker(x,x)+18j
		test	byte ptr [esi+8], 1
		jz	short loc_93FFAF
		mov	edx, ebx
		mov	ecx, edi
		call	_CmpRemoveLayerLinkForDiscardedKcb@8 ; CmpRemoveLayerLinkForDiscardedKcb(x,x)

loc_93FFAF:				; CODE XREF: CmpInvalidateSubtreeWorker(x,x)+44j
		inc	dword ptr [esi+4]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_CmpInvalidateSubtreeWorker@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPrepareForSubtreeInvalidationWorker(x, x)
_CmpPrepareForSubtreeInvalidationWorker@8 proc near
					; DATA XREF: CmpPrepareForSubtreeInvalidation(x,x,x)+22o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		test	byte ptr [esi+10h], 4
		jnz	short loc_93FFE1
		test	byte ptr [ecx+4], 80h
		jz	short loc_93FFE1
		inc	dword ptr [esi+4]

loc_93FFD7:				; CODE XREF: CmpPrepareForSubtreeInvalidationWorker(x,x)+42j
		xor	ebx, ebx

loc_93FFD9:				; CODE XREF: CmpPrepareForSubtreeInvalidationWorker(x,x)+46j
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	8
; 

loc_93FFE1:				; CODE XREF: CmpPrepareForSubtreeInvalidationWorker(x,x)+11j
					; CmpPrepareForSubtreeInvalidationWorker(x,x)+17j
		push	dword ptr [esi+0Ch]
		xor	ebx, ebx
		inc	ebx
		push	ecx
		mov	dl, bl
		call	CmpTryAcquireKcbIXLocks
		cmp	eax, 0C000022Dh
		jnz	short loc_93FFFB
		inc	dword ptr [esi+8]
		xor	eax, eax

loc_93FFFB:				; CODE XREF: CmpPrepareForSubtreeInvalidationWorker(x,x)+39j
		test	eax, eax
		jns	short loc_93FFD7
		mov	[esi], eax
		jmp	short loc_93FFD9
_CmpPrepareForSubtreeInvalidationWorker@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRehashKcbSubtree(x, x)
_CmpRehashKcbSubtree@8 proc near	; CODE XREF: CmpSearchAndRehashWorker(x,x)+Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, edx
		mov	edx, ecx
		push	esi
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		push	edi
		mov	edi, ecx
		test	edx, edx
		jmp	short loc_940025
; 

loc_94001B:				; CODE XREF: CmpRehashKcbSubtree(x,x)+24j
		mov	eax, [esi+24h]
		mov	[esi+24h], edi
		mov	edi, esi
		cmp	edi, edx

loc_940025:				; CODE XREF: CmpRehashKcbSubtree(x,x)+16j
		mov	esi, eax
		jnz	short loc_94001B
		test	edi, edi
		jz	short loc_94007F
		push	ebx

loc_94002E:				; CODE XREF: CmpRehashKcbSubtree(x,x)+79j
		mov	edx, [edi+24h]
		mov	[ebp+var_8], edx
		mov	[edi+24h], esi
		test	esi, esi
		jz	short loc_940047
		imul	esi, [esi+8], 25h
		mov	eax, [edi+28h]
		add	esi, [eax+4]
		jmp	short loc_94004D
; 

loc_940047:				; CODE XREF: CmpRehashKcbSubtree(x,x)+36j
		mov	esi, [edi+28h]
		mov	esi, [esi+4]

loc_94004D:				; CODE XREF: CmpRehashKcbSubtree(x,x)+42j
		lea	ebx, [edi+8]
		cmp	esi, [ebx]
		jz	short loc_940076
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		mov	ecx, [ecx+10h]
		call	_CmpRemoveKeyHash@8 ; CmpRemoveKeyHash(x,x)
		mov	eax, [ebp+var_4]
		mov	edx, ebx
		mov	[ebx], esi
		push	ecx
		mov	ecx, [eax+10h]
		call	_CmpInsertKeyHash@12 ; CmpInsertKeyHash(x,x,x)
		mov	edx, [ebp+var_8]
		mov	cl, 1

loc_940076:				; CODE XREF: CmpRehashKcbSubtree(x,x)+4Fj
		mov	esi, edi
		mov	edi, edx
		test	edx, edx
		jnz	short loc_94002E
		pop	ebx

loc_94007F:				; CODE XREF: CmpRehashKcbSubtree(x,x)+28j
		pop	edi
		mov	al, cl
		pop	esi
		leave
		retn
_CmpRehashKcbSubtree@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpRemoveKeyControlBlock(x)
_CmpRemoveKeyControlBlock@4 proc near	; CODE XREF: CmRenameKey(x,x,x,x)+C9Ep
		lea	edx, [ecx+8]
		mov	ecx, [ecx+10h]
		jmp	_CmpRemoveKeyHash@8 ; CmpRemoveKeyHash(x,x)
_CmpRemoveKeyControlBlock@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpSearchAndCountWorker(x, x)
_CmpSearchAndCountWorker@8 proc	near	; DATA XREF: CmpSearchForOpenSubKeys+18BDFDo
		mov	edi, edi
_CmpSearchAndCountWorker@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_940092	proc near		; DATA XREF: KiInitializeReservedCpuSets+1Bo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	dword ptr [edx+8]
		add	edx, 4
		call	_CmpDumpKeyBodyList@12 ; CmpDumpKeyBodyList(x,x,x)
		xor	eax, eax
		pop	ebp
		retn	8
sub_940092	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSearchAndRehashWorker(x,	x)
_CmpSearchAndRehashWorker@8 proc near	; DATA XREF: CmpSearchForOpenSubKeys:loc_73FC33o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ecx, [esi]
		call	_CmpRehashKcbSubtree@8 ; CmpRehashKcbSubtree(x,x)
		test	al, al
		jnz	short loc_9400C7
		xor	eax, eax
		jmp	short loc_9400CD
; 

loc_9400C7:				; CODE XREF: CmpSearchAndRehashWorker(x,x)+15j
		inc	dword ptr [esi+4]
		push	2
		pop	eax

loc_9400CD:				; CODE XREF: CmpSearchAndRehashWorker(x,x)+19j
		pop	esi
		pop	ebp
		retn	8
_CmpSearchAndRehashWorker@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSearchKeyControlBlockTree(x, x, x, x)
_CmpSearchKeyControlBlockTree@16 proc near
					; CODE XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+20DFp
					; CmpRefreshHive(x)+35Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1
		push	0
		push	[ebp+arg_0]
		call	_CmpSearchKeyControlBlockTreeEx@20 ; CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)
		pop	ebp
		retn	8
_CmpSearchKeyControlBlockTree@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSearchKeyControlBlockTreeEx(x, x, x, x, x)
_CmpSearchKeyControlBlockTreeEx@20 proc	near
					; CODE XREF: CmpSearchKeyControlBlockTree(x,x,x,x)+Cp
					; CmKeyBodyReplicateToVirtual(x,x,x,x,x)+241p ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	eax, edx
		mov	[ebp+var_3C], ecx
		mov	ecx, [ebp+arg_0]
		push	edi
		mov	[ebp+var_30], ecx
		lea	edi, [ebp+var_20]
		mov	ecx, [ebp+arg_4]
		mov	ebx, [eax+438h]
		mov	esi, [eax+434h]
		mov	[ebp+var_38], ecx
		push	6
		mov	[ebp+var_2C], eax
		xor	eax, eax
		pop	ecx
		rep stosd
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_44], ebx
		call	CmpAttachToRegistryProcess
		xor	eax, eax
		mov	[ebp+var_34], eax
		mov	edi, eax
		test	ebx, ebx
		jz	loc_940232
		mov	bl, [ebp+arg_8]
		add	esi, 8
		mov	[ebp+var_24], esi

loc_940149:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+145j
		test	bl, bl
		jz	short loc_940157
		mov	ecx, [ebp+var_2C]
		mov	edx, edi
		call	_CmpLockHashEntryByIndexExclusive@8 ; CmpLockHashEntryByIndexExclusive(x,x)

loc_940157:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+64j
		mov	eax, [esi]
		mov	[ebp+var_28], esi
		jmp	loc_94020C
; 

loc_940161:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+127j
		lea	esi, [eax-8]
		test	bl, bl
		jz	short loc_94017B
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+1Ch], eax

loc_94017B:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+7Fj
		cmp	dword ptr [esi], 0
		jnz	short loc_9401B8
		mov	ecx, esi
		call	_CmpRemoveFromDelayedClose@4 ; CmpRemoveFromDelayedClose(x)
		mov	edx, [ebp+var_30]
		mov	ecx, esi
		call	CmpCleanUpKcbCacheWithLock
		test	bl, bl
		jz	short loc_94019E
		mov	ecx, esi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		jmp	short loc_9401AE
; 

loc_94019E:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+ACj
		test	dword ptr [esi+4], 80000h
		jz	short loc_9401AE
		mov	ecx, esi
		call	CmpFreeKeyControlBlock

loc_9401AE:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+B5j
					; CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+BEj
		mov	esi, [ebp+var_24]
		mov	eax, esi
		mov	[ebp+var_28], eax
		jmp	short loc_94020A
; 

loc_9401B8:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+97j
		push	[ebp+var_38]
		mov	eax, [esi+0Ch]
		push	[ebp+var_30]
		mov	[ebp+var_40], eax
		push	[ebp+var_2C]
		push	esi
		call	[ebp+var_3C]
		cmp	eax, 1
		jz	loc_94025C
		cmp	eax, 3
		jz	short loc_94024F
		cmp	eax, 2
		jnz	short loc_9401F3
		test	bl, bl
		jz	short loc_9401E9
		mov	ecx, esi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)

loc_9401E9:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+F9j
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+var_40]
		mov	[eax], ecx
		jmp	short loc_940207
; 

loc_9401F3:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+F5j
		lea	eax, [esi+0Ch]
		mov	[ebp+var_28], eax
		test	bl, bl
		jz	short loc_940207
		mov	ecx, esi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	eax, [ebp+var_28]

loc_940207:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+10Aj
					; CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+114j
		mov	esi, [ebp+var_24]

loc_94020A:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+CFj
		mov	eax, [eax]

loc_94020C:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+75j
		test	eax, eax
		jnz	loc_940161
		test	bl, bl
		jz	short loc_940222
		mov	ecx, [ebp+var_2C]
		mov	edx, edi
		call	_CmpUnlockHashEntryByIndex@8 ; CmpUnlockHashEntryByIndex(x,x)

loc_940222:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+12Fj
		inc	edi
		add	esi, 0Ch
		mov	[ebp+var_24], esi
		cmp	edi, [ebp+var_44]
		jb	loc_940149

loc_940232:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+53j
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	al, 1

loc_94023E:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+191j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_94024F:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+F0j
		test	bl, bl
		jz	short loc_94026B
		mov	ecx, esi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		jmp	short loc_94026B
; 

loc_94025C:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+E7j
		test	bl, bl
		jz	short loc_940267
		mov	ecx, esi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)

loc_940267:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+177j
		mov	byte ptr [ebp+var_34], 1

loc_94026B:				; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+16Aj
					; CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+173j
		mov	ecx, [ebp+var_2C]
		mov	edx, edi
		call	_CmpUnlockHashEntryByIndex@8 ; CmpUnlockHashEntryByIndex(x,x)
		mov	al, byte ptr [ebp+var_34]
		jmp	short loc_94023E
_CmpSearchKeyControlBlockTreeEx@20 endp


;  S U B	R O U T	I N E 


; __stdcall InitializeKCBKeyBodyList(x)
_InitializeKCBKeyBodyList@4 proc near	; CODE XREF: CmpCloneToUnbackedKcb(x,x)+20p
		mov	edi, edi
		push	edi
		lea	eax, [ecx+40h]
		mov	[eax+4], eax
		lea	edi, [ecx+48h]
		mov	[eax], eax
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		pop	edi
		retn
_InitializeKCBKeyBodyList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAllocateKeyControlBlock()
_CmpAllocateKeyControlBlock@0 proc near	; CODE XREF: CmpCloneToUnbackedKcb(x,x)+9p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi

loc_94029A:				; CODE XREF: CmpAllocateKeyControlBlock()+36j
					; CmpAllocateKeyControlBlock()+3Aj
		mov	esi, ds:_CmPerfCounters
		mov	ebx, esi
		mov	edi, ds:dword_A94394
		add	ebx, 1
		mov	ecx, edi
		mov	[ebp+var_4], edi
		mov	edx, edi
		adc	ecx, 0
		mov	eax, esi
		mov	edi, offset _CmPerfCounters
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_4]
		cmp	eax, esi
		jnz	short loc_94029A
		cmp	edx, edi
		jnz	short loc_94029A
		inc	dword_6F9D8C
		mov	esi, offset _CmpKcbLookaside
		mov	ecx, esi
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edi, eax
		mov	[ebp+var_4], edi
		test	edi, edi
		jnz	short loc_94030F
		inc	dword_6F9D90
		push	esi
		push	dword_6F9DA0
		push	dword_6F9DA4
		push	dword_6F9D9C
		call	dword_6F9DA8
		mov	edi, eax
		mov	[ebp+var_4], edi
		test	edi, edi
		jz	short loc_940350

loc_94030F:				; CODE XREF: CmpAllocateKeyControlBlock()+55j
					; CmpAllocateKeyControlBlock()+A6j ...
		mov	esi, ds:dword_A943B0
		mov	edi, offset dword_A943B0
		mov	edx, ds:dword_A943B4
		mov	ebx, esi
		add	ebx, 1
		mov	[ebp+var_8], edx
		mov	ecx, edx
		mov	eax, esi
		adc	ecx, 0
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_94030F
		cmp	edx, [ebp+var_8]
		jnz	short loc_94030F
		mov	edi, [ebp+var_4]
		push	0B0h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_940350:				; CODE XREF: CmpAllocateKeyControlBlock()+7Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpAllocateKeyControlBlock@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmEnumerateValueKeyFromMergedView(char,int,int,int,size_t,int,int)
_CmEnumerateValueKeyFromMergedView@36 proc near	; CODE XREF: NtEnumerateValueKey+112226p
					; CmQueryKey+11180Dp

var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[esp+6Ch+var_44], edx
		or	ecx, 0FFFFFFFFh
		mov	[esp+6Ch+var_40], ebx
		push	edi
		xor	edi, edi
		mov	[esp+70h+var_10], ecx
		cmp	[ebp+arg_0], 0
		mov	esi, edi
		mov	[esp+70h+var_50], edi
		mov	[esp+70h+var_38], edi
		mov	[esp+70h+var_C], edi
		mov	[esp+70h+var_34], edi
		mov	[esp+70h+var_8], ecx
		mov	[esp+70h+var_4], edi
		mov	[esp+70h+var_4C], edi
		mov	[esp+70h+var_5C], edi
		mov	[esp+70h+var_48], edi
		mov	[esp+70h+var_58], edi
		mov	[esp+70h+var_54], edi
		mov	[esp+70h+var_20], ecx
		mov	[esp+70h+var_1C], edi
		mov	[esp+70h+var_18], ecx
		mov	[esp+70h+var_14], edi
		mov	[esp+70h+var_30], ecx
		mov	[esp+70h+var_2C], edi
		mov	[esp+70h+var_28], edi
		mov	[esp+70h+var_24], edi
		mov	[esp+70h+var_3C], edi
		jnz	short loc_9403D5
		call	_CmpLockRegistry@0 ; CmpLockRegistry()

loc_9403D5:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+77j
		cmp	[ebx+20h], edi
		jnz	short loc_9403DF
		cmp	[ebx+24h], edi
		jz	short loc_9403FF

loc_9403DF:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+81j
		lea	edx, [esp+70h+var_50]
		mov	ecx, ebx
		call	CmpTransSearchAddTransFromKeyBody
		mov	esi, eax
		test	esi, esi
		jns	short loc_9403FF
		cmp	[ebp+arg_0], 0
		jnz	loc_94052A
		jmp	loc_940525
; 

loc_9403FF:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+86j
					; CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+97j
		cmp	[ebp+arg_0], 0
		mov	eax, [esp+70h+var_44]
		mov	ebx, [ebx+8]
		mov	eax, [eax+8]
		mov	[esp+70h+var_60], eax
		jnz	short loc_94041C
		mov	edx, eax
		mov	ecx, ebx
		call	_CmpLockTwoKcbsShared@8	; CmpLockTwoKcbsShared(x,x)

loc_94041C:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+BAj
		mov	edx, [esp+70h+var_50]
		mov	ecx, [esp+70h+var_40]
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jz	short loc_94044E
		mov	eax, [esp+70h+var_40]

loc_940431:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+10Cj
		mov	al, [eax+1Ch]
		and	al, 1
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 2A9h
		add	esi, 0C000017Ch
		jmp	loc_940514
; 

loc_94044E:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+D4j
		mov	edx, [esp+70h+var_50]
		mov	ecx, [esp+70h+var_44]
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jz	short loc_940465
		mov	eax, [esp+70h+var_44]
		jmp	short loc_940431
; 

loc_940465:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+106j
		mov	eax, [esp+70h+var_50]
		test	eax, eax
		jz	short loc_94049D
		cmp	[ebx+9Ch], eax
		jnz	short loc_940481
		lea	edx, [ebx+94h]
		mov	[esp+70h+var_4C], edx
		jmp	short loc_940483
; 

loc_940481:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+11Cj
		mov	edx, edi

loc_940483:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+128j
		mov	ecx, [esp+70h+var_60]
		cmp	[ecx+9Ch], eax
		jnz	short loc_940499
		lea	eax, [ecx+94h]
		mov	[esp+70h+var_5C], eax

loc_940499:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+136j
		test	edx, edx
		jnz	short loc_9404C7

loc_94049D:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+114j
		mov	eax, [ebx+14h]
		lea	edx, [esp+70h+var_10]
		mov	ecx, [ebx+10h]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	[esp+7Ch+var_44], eax
		test	eax, eax
		jnz	short loc_9404BC
		mov	esi, 0C000009Ah
		jmp	short loc_940514
; 

loc_9404BC:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+15Cj
		mov	ecx, [esp+7Ch+var_6C]
		add	eax, 24h
		mov	[esp+7Ch+var_58], eax

loc_9404C7:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+144j
		cmp	[esp+7Ch+var_68], edi
		jnz	short loc_94053C
		mov	eax, [ecx+14h]
		lea	edx, [esp+7Ch+var_14]
		mov	ecx, [ecx+10h]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	[esp+88h+var_4C], eax
		test	eax, eax
		jnz	short loc_940535

loc_9404E5:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+21Ej
		mov	esi, 0C000009Ah

loc_9404EA:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+383j
		mov	edi, [esp+88h+var_78]

loc_9404EE:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+399j
		cmp	[esp+88h+var_50], 0
		jz	short loc_940501
		mov	eax, [ebx+10h]
		lea	ecx, [esp+88h+var_28]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_940501:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+19Cj
		cmp	[esp+90h+var_54], 0
		jz	short loc_940514
		mov	eax, [edi+10h]
		lea	ecx, [esp+90h+var_28]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_940514:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+F2j
					; CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+163j ...
		cmp	[ebp+arg_0], 0
		jnz	short loc_94052A
		mov	edx, [esp+98h+var_88]
		mov	ecx, ebx
		call	CmpUnlockTwoKcbs

loc_940525:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+A3j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_94052A:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+9Dj
					; CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+1C1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_940535:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+18Cj
		add	eax, 24h
		mov	[esp+88h+var_74], eax

loc_94053C:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+174j
		mov	ecx, [ebp+arg_4]

loc_94053F:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+2C8j
		mov	eax, [esp+88h+var_64]
		mov	edx, [esp+88h+var_60]
		cmp	edx, [eax]
		mov	edx, [esp+88h+var_70]
		jnb	loc_94063C
		mov	eax, [esp+88h+var_6C]
		test	eax, eax
		jnz	short loc_94057B
		mov	eax, [esp+88h+var_64]
		lea	edx, [esp+88h+var_38]
		mov	ecx, [ebx+10h]
		push	edx
		mov	eax, [eax+4]
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	[esp+94h+var_78], eax
		test	eax, eax
		jz	loc_9404E5

loc_94057B:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+202j
		mov	ecx, [esp+94h+var_6C]
		lea	edx, [esp+94h+var_54]
		push	edx
		mov	ecx, [eax+ecx*4]
		mov	eax, [ebx+10h]
		push	ecx
		push	eax
		mov	[esp+0A0h+var_64], ecx
		mov	[esp+0A0h+var_74], eax
		call	dword ptr [eax+4]
		mov	[esp+0A0h+var_74], eax
		test	eax, eax
		jz	loc_940632
		mov	edx, [esp+0A0h+var_8C]
		lea	ecx, [eax+14h]
		mov	[esp+0A0h+var_54], ecx
		mov	cx, [eax+2]
		movzx	eax, word ptr [eax+10h]
		mov	word ptr [esp+0A0h+var_58], cx
		and	eax, 1
		lea	ecx, [esp+0A0h+var_6C]
		shl	eax, 10h
		push	ecx
		push	edi
		push	eax
		lea	eax, [esp+0ACh+var_58]
		push	eax
		mov	eax, [esp+0B0h+var_90]
		mov	ecx, [eax+10h]
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		test	al, al
		jz	short loc_9405F2
		cmp	[esp+0A0h+var_6C], 0FFFFFFFFh
		jnz	short loc_9405F2
		mov	eax, [esp+0A0h+var_88]
		cmp	eax, [ebp+arg_4]
		jz	short loc_94062A
		inc	eax
		mov	[esp+0A0h+var_88], eax

loc_9405F2:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+284j
					; CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+28Bj
		mov	eax, [ebx+10h]
		lea	ecx, [esp+0A0h+var_60]
		inc	[esp+0A0h+var_78]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		cmp	[esp+0A8h+var_8C], edi
		jz	short loc_940618
		mov	eax, [ebx+10h]
		lea	ecx, [esp+0A8h+var_58]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		mov	[esp+0B0h+var_94], edi

loc_940618:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+2AFj
		mov	ecx, [ebp+arg_4]
		cmp	[esp+0B0h+var_98], ecx
		jbe	loc_94053F
		jmp	loc_9406C5
; 

loc_94062A:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+294j
		mov	eax, [esp+0A0h+var_74]
		mov	esi, ebx
		jmp	short loc_940697
; 

loc_940632:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+246j
					; CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+317j ...
		mov	esi, 0C000009Ah
		jmp	loc_9406C5
; 

loc_94063C:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+1F6j
		mov	esi, [esp+88h+var_74]
		add	edx, [esi]
		cmp	edx, ecx
		ja	short loc_940656
		mov	eax, [ebp+arg_18]
		mov	esi, 8000001Ah
		test	eax, eax
		jz	short loc_9406C5
		mov	[eax], edx
		jmp	short loc_9406C5
; 

loc_940656:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+2EDj
		mov	eax, [esi+4]
		lea	edx, [esp+88h+var_30]
		mov	esi, [esp+88h+var_78]
		push	edx
		push	eax
		mov	ecx, [esi+10h]
		push	ecx
		call	dword ptr [ecx+4]
		mov	edi, eax
		test	edi, edi
		jz	short loc_940632
		mov	ecx, [ebp+arg_4]
		lea	edx, [esp+94h+var_54]
		sub	ecx, [esp+94h+var_7C]
		mov	eax, [esi+10h]
		push	edx
		mov	[esp+98h+var_74], eax
		mov	ecx, [edi+ecx*4]
		push	ecx
		push	eax
		mov	[esp+0A0h+var_64], ecx
		call	dword ptr [eax+4]
		mov	[esp+0A0h+var_74], eax
		test	eax, eax
		jz	short loc_940632

loc_940697:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+2D9j
		push	[ebp+arg_14]	; int
		mov	edx, [esp+0A4h+var_70]
		mov	ecx, esi
		push	[ebp+arg_10]	; size_t
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	eax		; size_t
		call	CmpQueryKeyValueData
		mov	esi, eax
		cmp	[esp+0A0h+var_74], 0
		jz	short loc_9406C5
		lea	eax, [esp+0A0h+var_60]
		push	eax
		mov	eax, [esp+0A4h+var_80]
		push	eax
		call	dword ptr [eax+8]

loc_9406C5:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+2CEj
					; CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+2E0j ...
		cmp	[esp+0A8h+var_8C], 0
		jz	short loc_9406D8
		mov	eax, [ebx+10h]
		lea	ecx, [esp+0A8h+var_58]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_9406D8:				; CODE XREF: CmEnumerateValueKeyFromMergedView(x,x,x,x,x,x,x,x,x)+373j
		test	edi, edi
		jz	loc_9404EA
		mov	edi, [esp+0B0h+var_A0]
		lea	ecx, [esp+0B0h+var_58]
		push	ecx
		mov	eax, [edi+10h]
		push	eax
		call	dword ptr [eax+8]
		jmp	loc_9404EE
_CmEnumerateValueKeyFromMergedView@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmKeyBodyNeedsVirtualImage(x)
_CmKeyBodyNeedsVirtualImage@4 proc near	; CODE XREF: NtDeleteKey+18207Bp
					; NtDeleteValueKey+181745p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], 0
		push	esi
		push	edi
		mov	eax, [ebx+8]
		mov	edi, [eax+10h]
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	esi, [ebx+8]
		xor	edx, edx
		lea	ecx, [esi+18h]
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [esi+1Ch]
		xor	edx, edx
		mov	ecx, ebx
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	short loc_94073A
		test	byte ptr [edi+980h], 10h
		jz	short loc_94073A
		mov	[ebp+var_1], 1

loc_94073A:				; CODE XREF: CmKeyBodyNeedsVirtualImage(x)+36j
					; CmKeyBodyNeedsVirtualImage(x)+3Fj
		mov	ecx, [ebx+8]
		mov	ebx, [ebx+1Ch]
		and	bl, 10h
		movzx	eax, word ptr [ecx+22h]
		test	ax, ax
		setnz	dl
		dec	dl
		and	dl, [ebp+var_1]
		neg	bl
		sbb	bl, bl
		not	bl
		and	bl, dl
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_CmKeyBodyNeedsVirtualImage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmKeyBodyRemapToVirtual(x, x, x, x,	x)
_CmKeyBodyRemapToVirtual@20 proc near	; CODE XREF: NtDeleteKey+1820F3p
					; NtDeleteValueKey+1817E8p

var_24A		= byte ptr -24Ah
var_249		= byte ptr -249h
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_20C		= dword	ptr -20Ch
var_1E8		= dword	ptr -1E8h
var_1DC		= dword	ptr -1DCh
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_19C		= dword	ptr -19Ch
var_160		= dword	ptr -160h
var_148		= dword	ptr -148h
var_D0		= dword	ptr -0D0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24Ch+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		mov	[esp+258h+var_240], eax
		push	74h		; size_t
		lea	eax, [esp+25Ch+var_148]
		mov	[esp+25Ch+var_249], dl
		push	edi		; int
		push	eax		; void *
		mov	[esp+264h+var_234], ebx
		mov	[esp+264h+var_238], esi
		mov	[esp+264h+var_248], edi
		mov	[esp+264h+var_244], edi
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+258h+var_D0]
		push	0C4h		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+258h+var_248]
		push	edi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+258h+var_160]
		rep stosd
		push	0B4h		; size_t
		xor	edi, edi
		lea	eax, [esp+25Ch+var_218]
		push	edi		; int
		push	eax		; void *
		call	_memset
		or	[esp+264h+var_1DC], 0FFFFFFFFh
		lea	eax, [esp+264h+var_1C0]
		add	esp, 0Ch
		mov	[esp+258h+var_1BC], eax
		mov	[esp+258h+var_1C0], eax
		lea	eax, [esp+258h+var_19C]
		push	38h		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	ebx, [ebx]
		xor	eax, eax
		mov	[esp+264h+var_23C], edi
		add	esp, 0Ch
		mov	edi, [ebx+8]
		cmp	[edi+22h], ax
		jz	short loc_94084E

loc_940844:				; CODE XREF: CmKeyBodyRemapToVirtual(x,x,x,x,x)+E7j
					; CmKeyBodyRemapToVirtual(x,x,x,x,x)+F8j ...
		mov	esi, 0C0000022h
		jmp	loc_9408CE
; 

loc_94084E:				; CODE XREF: CmKeyBodyRemapToVirtual(x,x,x,x,x)+D7j
		test	byte ptr [ebx+1Ch], 10h
		jnz	short loc_940844
		push	[esp+258h+var_240]
		mov	edx, esi
		mov	ecx, edi
		call	sub_5009EC
		test	al, al
		jz	short loc_940844
		mov	eax, [edi+68h]
		test	eax, 800000h
		jz	short loc_940844
		test	al, 20h
		jnz	short loc_940844
		lea	ecx, [esp+258h+var_160]
		call	CmpAttachToRegistryProcess
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, edi
		call	_CmpLockKcbShared@4 ; CmpLockKcbShared(x)
		xor	edx, edx
		mov	ecx, ebx
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	short loc_9408B4
		mov	esi, [esp+258h+var_238]
		lea	eax, [esp+258h+var_248]
		push	eax
		push	esi
		mov	ecx, edi
		call	_CmpReparseToVirtualPath@16 ; CmpReparseToVirtualPath(x,x,x,x)
		test	al, al
		jnz	short loc_940903
		mov	esi, 0C0000022h

loc_9408B4:				; CODE XREF: CmKeyBodyRemapToVirtual(x,x,x,x,x)+12Dj
		mov	ecx, edi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_9408C0:				; CODE XREF: CmKeyBodyRemapToVirtual(x,x,x,x,x)+1EAj
					; CmKeyBodyRemapToVirtual(x,x,x,x,x)+26Bj
		xor	edx, edx
		lea	ecx, [esp+258h+var_160]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_9408CE:				; CODE XREF: CmKeyBodyRemapToVirtual(x,x,x,x,x)+DEj
		cmp	[esp+258h+var_244], 0
		jz	short loc_9408DF
		lea	eax, [esp+258h+var_248]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_9408DF:				; CODE XREF: CmKeyBodyRemapToVirtual(x,x,x,x,x)+168j
		xor	dl, dl
		lea	ecx, [esp+258h+var_218]
		call	CmpCleanupParseContext
		mov	ecx, [esp+258h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_940903:				; CODE XREF: CmKeyBodyRemapToVirtual(x,x,x,x,x)+142j
		mov	edi, [esp+258h+var_234]
		mov	ecx, [edi]
		mov	ecx, [ecx+8]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, [esp+258h+var_240]
		lea	edx, [esp+258h+var_148]
		mov	[esp+258h+var_218], 8
		mov	eax, [ecx]
		mov	ecx, esi
		mov	[esp+258h+var_20C], eax
		mov	eax, [ebx+20h]
		mov	[esp+258h+var_1E8], eax
		mov	eax, ds:_CmKeyObjectType
		add	eax, 34h
		push	eax		; int
		push	[ebp+arg_0]	; int
		lea	eax, [esp+260h+var_D0]
		push	eax		; void *
		call	_SeCreateAccessStateFromSubjectContext@20 ; SeCreateAccessStateFromSubjectContext(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9408C0
		xor	eax, eax
		mov	[esp+258h+var_230], 18h
		xor	esi, esi
		lea	edx, [esp+258h+var_148]
		cmp	[esp+258h+var_249], 1
		mov	[esp+258h+var_22C], esi
		setz	al
		mov	[esp+258h+var_220], esi
		dec	eax
		mov	[esp+258h+var_21C], esi
		and	eax, 0FFFFFC00h
		add	eax, 640h
		mov	[esp+258h+var_224], eax
		lea	eax, [esp+258h+var_248]
		mov	[esp+258h+var_228], eax
		lea	eax, [esp+258h+var_23C]
		push	eax
		lea	eax, [esp+25Ch+var_218]
		push	eax
		push	esi
		push	ecx
		push	[ebp+arg_0]
		lea	ecx, [esp+26Ch+var_230]
		call	_CmObReferenceObjectByName@28 ;	CmObReferenceObjectByName(x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_9409BC
		mov	esi, 0C0000022h
		jmp	short loc_9409C9
; 

loc_9409BC:				; CODE XREF: CmKeyBodyRemapToVirtual(x,x,x,x,x)+248j
		mov	eax, [esp+258h+var_23C]
		mov	ecx, ebx
		mov	[edi], eax
		call	ObfDereferenceObject

loc_9409C9:				; CODE XREF: CmKeyBodyRemapToVirtual(x,x,x,x,x)+24Fj
		lea	eax, [esp+258h+var_148]
		push	eax
		call	SeDeleteAccessState
		jmp	loc_9408C0
_CmKeyBodyRemapToVirtual@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmKeyBodyReplicateToVirtual(x, x, x, x, x)
_CmKeyBodyReplicateToVirtual@20	proc near ; CODE XREF: NtSetInformationKey+1288D5p
					; NtSetValueKey+11711Fp ...

var_25C		= byte ptr -25Ch
var_25B		= byte ptr -25Bh
var_25A		= dword	ptr -25Ah
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_1E8		= dword	ptr -1E8h
var_1DC		= dword	ptr -1DCh
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_19C		= dword	ptr -19Ch
var_160		= dword	ptr -160h
var_148		= dword	ptr -148h
var_D0		= dword	ptr -0D0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 25Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+25Ch+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		mov	[esp+26Ch+var_238], eax
		pop	ecx
		xor	eax, eax
		mov	byte ptr [esp+268h+var_25A+1], dl
		xor	edx, edx
		mov	[esp+268h+var_234], esi
		lea	edi, [esp+268h+var_160]
		mov	[esp+268h+var_254], edx
		push	74h		; size_t
		rep stosd
		push	edx		; int
		lea	eax, [esp+270h+var_148]
		mov	[esp+270h+var_250], edx
		push	eax		; void *
		mov	[esp+274h+var_25B], dl
		mov	[esp+274h+var_24C], edx
		mov	byte ptr [esp+274h+var_25A], dl
		mov	[esp+274h+var_240], edx
		mov	[esp+274h+var_23C], edx
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+268h+var_D0]
		push	0C4h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [esp+268h+var_230]
		xor	eax, eax
		mov	byte ptr [esp+268h+var_25A+2], al
		push	6
		pop	ecx
		push	eax
		rep stosd
		lea	eax, [esp+26Ch+var_254]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, [esi]
		lea	eax, [esp+268h+var_218]
		push	0B4h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[esp+274h+var_248], esi
		call	_memset
		or	[esp+274h+var_1DC], 0FFFFFFFFh
		lea	eax, [esp+274h+var_1C0]
		add	esp, 0Ch
		mov	[esp+268h+var_1BC], eax
		xor	ecx, ecx
		mov	[esp+268h+var_1C0], eax
		lea	eax, [esp+268h+var_19C]
		push	38h		; size_t
		push	ecx		; int
		push	eax		; void *
		call	_memset
		and	[esp+274h+var_244], 0
		lea	ecx, [esp+274h+var_240]
		add	esp, 0Ch
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		lea	ecx, [esp+268h+var_160]
		call	CmpAttachToRegistryProcess
		mov	al, byte ptr [esp+268h+var_25A+2]

loc_940AE8:				; CODE XREF: CmKeyBodyReplicateToVirtual(x,x,x,x,x)+1CAj
		test	al, al
		jz	short loc_940AF3
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		jmp	short loc_940AF8
; 

loc_940AF3:				; CODE XREF: CmKeyBodyReplicateToVirtual(x,x,x,x,x)+10Fj
		call	_CmpLockRegistry@0 ; CmpLockRegistry()

loc_940AF8:				; CODE XREF: CmKeyBodyReplicateToVirtual(x,x,x,x,x)+116j
		mov	edi, [esi+8]
		mov	ecx, edi
		call	_CmpLockKcbExclusive@4 ; CmpLockKcbExclusive(x)
		push	[esp+268h+var_238]
		mov	ecx, [esi+8]
		mov	edx, ebx
		call	sub_5009EC
		test	al, al
		jz	loc_940CFA
		xor	edx, edx
		mov	ecx, esi
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_940CFF
		lea	eax, [esp+268h+var_254]
		mov	ecx, edi
		push	eax
		push	ebx
		call	_CmpReparseToVirtualPath@16 ; CmpReparseToVirtualPath(x,x,x,x)
		test	al, al
		jnz	loc_940C23
		test	byte ptr [edi+68h], 20h
		jnz	loc_940CFA
		mov	edx, [edi+2Ch]
		lea	eax, [esp+0Dh]
		mov	ecx, [ebp+arg_0]
		add	edx, 18h
		push	eax
		push	ebx
		call	CmpCheckAdminAccess
		mov	esi, eax
		test	esi, esi
		js	loc_940CFF
		cmp	[esp+268h+var_25B], 0
		jz	loc_940CFA
		lea	eax, [esp+268h+var_24C]
		mov	edx, ebx
		push	eax
		push	[esp+26Ch+var_25A+2]
		mov	ecx, edi
		call	_CmpReplicateKeyToVirtual@16 ; CmpReplicateKeyToVirtual(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000055h
		jnz	short loc_940BAA
		mov	ecx, edi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	esi, [esp+268h+var_248]
		mov	al, 1
		mov	byte ptr [esp+268h+var_25A+2], al
		jmp	loc_940AE8
; 

loc_940BAA:				; CODE XREF: CmKeyBodyReplicateToVirtual(x,x,x,x,x)+1B2j
		test	esi, esi
		js	loc_940CFF
		mov	ecx, [edi+2Ch]
		lea	eax, [esp+268h+var_25A]
		push	eax
		add	ecx, 18h
		mov	edx, ebx
		call	_CmpExamineSaclForAuditEvent@12	; CmpExamineSaclForAuditEvent(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_940CFF
		cmp	byte ptr [esp+268h+var_25A], 0
		jz	short loc_940BE8
		mov	edx, ebx
		mov	ecx, edi
		call	_CmpReportAuditVirtualizationEvent@8 ; CmpReportAuditVirtualizationEvent(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_940CFF

loc_940BE8:				; CODE XREF: CmKeyBodyReplicateToVirtual(x,x,x,x,x)+1F8j
		lea	eax, [esp+268h+var_254]
		mov	ecx, edi
		push	eax
		push	ebx
		call	_CmpReparseToVirtualPath@16 ; CmpReparseToVirtualPath(x,x,x,x)
		test	al, al
		jnz	short loc_940C03
		mov	esi, 0C000009Ah
		jmp	loc_940CFF
; 

loc_940C03:				; CODE XREF: CmKeyBodyReplicateToVirtual(x,x,x,x,x)+21Cj
		mov	ecx, edi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	edx, [esp+268h+var_24C]
		lea	eax, [esp+268h+var_240]
		push	1
		push	0
		push	eax
		mov	ecx, offset _CmpSyncKcbCacheForHive@16 ; CmpSyncKcbCacheForHive(x,x,x,x)
		call	_CmpSearchKeyControlBlockTreeEx@20 ; CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)
		jmp	short loc_940C2A
; 

loc_940C23:				; CODE XREF: CmKeyBodyReplicateToVirtual(x,x,x,x,x)+15Fj
		mov	ecx, edi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)

loc_940C2A:				; CODE XREF: CmKeyBodyReplicateToVirtual(x,x,x,x,x)+246j
		xor	dl, dl
		lea	ecx, [esp+268h+var_240]
		call	CmpDrainDelayDerefContext
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	edi, [esp+268h+var_248]
		lea	edx, [esp+268h+var_148]
		mov	[esp+268h+var_218], 8
		mov	ecx, ebx
		mov	eax, [edi+20h]
		mov	[esp+268h+var_1E8], eax
		mov	eax, ds:_CmKeyObjectType
		add	eax, 34h
		push	eax		; int
		push	[ebp+arg_0]	; int
		lea	eax, [esp+270h+var_D0]
		push	eax		; void *
		call	_SeCreateAccessStateFromSubjectContext@20 ; SeCreateAccessStateFromSubjectContext(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_940D0B
		xor	eax, eax
		mov	[esp+268h+var_230], 18h
		xor	ebx, ebx
		lea	edx, [esp+268h+var_148]
		cmp	byte ptr [esp+268h+var_25A+1], 1
		mov	[esp+268h+var_22C], ebx
		setz	al
		mov	[esp+268h+var_220], ebx
		dec	eax
		mov	[esp+268h+var_21C], ebx
		and	eax, 0FFFFFC00h
		add	eax, 640h
		mov	[esp+268h+var_224], eax
		lea	eax, [esp+268h+var_254]
		mov	[esp+268h+var_228], eax
		lea	eax, [esp+268h+var_244]
		push	eax
		lea	eax, [esp+26Ch+var_218]
		push	eax
		push	ebx
		push	ecx
		push	[ebp+arg_0]
		lea	ecx, [esp+27Ch+var_230]
		call	_CmObReferenceObjectByName@28 ;	CmObReferenceObjectByName(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_940CEB
		mov	ecx, [esp+268h+var_234]
		mov	eax, [esp+268h+var_244]
		mov	[ecx], eax
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	esi, ebx

loc_940CEB:				; CODE XREF: CmKeyBodyReplicateToVirtual(x,x,x,x,x)+2FBj
		lea	eax, [esp+268h+var_148]
		push	eax
		call	SeDeleteAccessState
		jmp	short loc_940D0B
; 

loc_940CFA:				; CODE XREF: CmKeyBodyReplicateToVirtual(x,x,x,x,x)+137j
					; CmKeyBodyReplicateToVirtual(x,x,x,x,x)+169j ...
		mov	esi, 0C0000022h

loc_940CFF:				; CODE XREF: CmKeyBodyReplicateToVirtual(x,x,x,x,x)+14Aj
					; CmKeyBodyReplicateToVirtual(x,x,x,x,x)+187j ...
		mov	ecx, edi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_940D0B:				; CODE XREF: CmKeyBodyReplicateToVirtual(x,x,x,x,x)+29Bj
					; CmKeyBodyReplicateToVirtual(x,x,x,x,x)+31Dj
		xor	dl, dl
		lea	ecx, [esp+268h+var_218]
		call	CmpCleanupParseContext
		cmp	[esp+268h+var_250], 0
		jz	short loc_940D27
		lea	eax, [esp+268h+var_254]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_940D27:				; CODE XREF: CmKeyBodyReplicateToVirtual(x,x,x,x,x)+340j
		xor	edx, edx
		lea	ecx, [esp+268h+var_160]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [esp+268h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_CmKeyBodyReplicateToVirtual@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmVirtualKCBToRealPath(x, x)
_CmVirtualKCBToRealPath@8 proc near	; CODE XREF: CmpDoQueryKeyName+D98C8p
					; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+2E2p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		cmp	_CmpVEEnabled, 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	esi, 0C000009Ah
		jnz	short loc_940D74
		mov	eax, 0C000000Dh
		jmp	loc_940E5A
; 

loc_940D74:				; CODE XREF: CmVirtualKCBToRealPath(x,x)+1Aj
		xor	ebx, ebx
		lea	edx, [ebp+var_8]
		mov	[ebp+var_8], ebx
		call	CmpConstructNameWithStatus
		mov	edi, [ebp+var_8]
		test	edi, edi
		jz	loc_940E58
		mov	eax, [edi+4]
		mov	edx, ebx
		push	5
		pop	ecx
		mov	[ebp+var_8], eax

loc_940D97:				; CODE XREF: CmVirtualKCBToRealPath(x,x)+69j
		cmp	word ptr [edx+eax], 5Ch
		jnz	short loc_940DA3
		sub	ecx, 1
		jz	short loc_940DB9

loc_940DA3:				; CODE XREF: CmVirtualKCBToRealPath(x,x)+4Ej
		movzx	eax, word ptr [edi]
		inc	ebx
		lea	edx, [ebx+ebx]
		cmp	edx, eax
		jnb	loc_940E47
		mov	eax, [ebp+var_8]
		test	ecx, ecx
		jnz	short loc_940D97

loc_940DB9:				; CODE XREF: CmVirtualKCBToRealPath(x,x)+53j
		movzx	eax, word ptr [edi]
		lea	ecx, [ebx+ebx]
		push	12h
		sub	eax, ecx
		pop	ecx
		add	eax, ecx
		push	624E4D43h
		push	eax
		push	1
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	[ecx+4], eax
		test	eax, eax
		jz	short loc_940E4C
		mov	eax, [ebp+var_8]
		mov	[ecx+2], ax
		xor	eax, eax
		mov	[ecx], ax
		mov	eax, [edi]
		mov	[ebp+var_10], eax
		mov	eax, [edi+4]
		push	12h
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		pop	eax
		mov	word ptr [ebp+var_10], ax
		lea	eax, [ebp+var_10]
		push	eax
		push	ecx
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_940E3C
		mov	cx, [edi]
		lea	eax, [ebx+ebx]
		sub	cx, ax
		mov	eax, [ebp+var_8]
		mov	word ptr [ebp+var_10], cx
		lea	eax, [eax+ebx*2]
		mov	ebx, [ebp+var_4]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_940E4C
		jmp	short loc_940E3F
; 

loc_940E3C:				; CODE XREF: CmVirtualKCBToRealPath(x,x)+C1j
		mov	ebx, [ebp+var_4]

loc_940E3F:				; CODE XREF: CmVirtualKCBToRealPath(x,x)+ECj
		push	ebx
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	short loc_940E4C
; 

loc_940E47:				; CODE XREF: CmVirtualKCBToRealPath(x,x)+5Ej
		mov	esi, 0C000000Dh

loc_940E4C:				; CODE XREF: CmVirtualKCBToRealPath(x,x)+90j
					; CmVirtualKCBToRealPath(x,x)+EAj ...
		mov	edx, 624E4D43h
		mov	ecx, edi
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_940E58:				; CODE XREF: CmVirtualKCBToRealPath(x,x)+38j
		mov	eax, esi

loc_940E5A:				; CODE XREF: CmVirtualKCBToRealPath(x,x)+21j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmVirtualKCBToRealPath@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpBuildVirtualReplicationStack(x, x, x, x)
_CmpBuildVirtualReplicationStack@16 proc near
					; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+E4p

var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_4]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		and	dword ptr [eax], 0
		mov	ebx, ecx
		push	edi
		push	1Ch
		pop	ecx
		mov	eax, [ebx+4]
		mov	esi, edx
		shr	eax, 15h
		and	eax, 3FFh
		mov	[ebp+var_C], ebx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_940F9A
		push	20204D43h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	edi, edi
		jnz	short loc_940EBF
		mov	eax, 0C000009Ah
		jmp	loc_940F9A
; 

loc_940EBF:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+54j
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [esi]
		add	esp, 0Ch
		mov	esi, [esi+4]
		mov	[ebp+var_14], eax
		mov	dx, word ptr [ebp+var_14]
		push	4
		pop	ecx
		push	2
		mov	[ebp+var_4], 0FFFEh
		pop	eax

loc_940EE6:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+A5j
		push	5Ch
		pop	eax
		cmp	[esi], ax
		push	2
		pop	eax
		jnz	short loc_940EF6
		sub	ecx, 1
		jz	short loc_940F06

loc_940EF6:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+90j
		add	dx, word ptr [ebp+var_4]
		jz	loc_940F8D
		add	esi, eax
		test	ecx, ecx
		jnz	short loc_940EE6

loc_940F06:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+95j
		add	esi, eax
		add	dx, word ptr [ebp+var_4]
		jz	short loc_940F56
		push	5Ch
		mov	ebx, edi
		pop	edi

loc_940F13:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+EFj
		mov	[ebx+4], esi
		test	dx, dx
		jz	short loc_940F2B

loc_940F1B:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+CAj
		cmp	[esi], di
		jz	short loc_940F2B
		add	[ebx], ax
		add	esi, eax
		add	dx, word ptr [ebp+var_4]
		jnz	short loc_940F1B

loc_940F2B:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+BAj
					; CmpBuildVirtualReplicationStack(x,x,x,x)+BFj
		mov	ax, [ebx]
		inc	ecx
		mov	[ebx+2], ax
		add	ebx, 1Ch
		test	dx, dx
		jz	short loc_940F50
		push	2
		pop	eax

loc_940F3E:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+EAj
		cmp	[esi], di
		jnz	short loc_940F4B
		add	esi, eax
		add	dx, word ptr [ebp+var_4]
		jnz	short loc_940F3E

loc_940F4B:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+E2j
		test	dx, dx
		jnz	short loc_940F13

loc_940F50:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+DAj
		mov	edi, [ebp+var_8]
		mov	ebx, [ebp+var_C]

loc_940F56:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+ADj
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		cmp	ecx, 1
		jbe	short loc_940F80
		imul	eax, ecx, 1Ch
		lea	edx, [edi+18h]
		add	edx, eax

loc_940F68:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+11Fj
		test	ebx, ebx
		jz	short loc_940F8D
		mov	eax, [ebx+14h]
		sub	edx, 1Ch
		shr	eax, 1Fh
		dec	ecx
		mov	[edx], eax
		mov	ebx, [ebx+24h]
		cmp	ecx, 1
		ja	short loc_940F68

loc_940F80:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+FFj
		mov	eax, [ebp+arg_4]
		and	dword ptr [edi+18h], 0
		mov	[eax], edi
		xor	eax, eax
		jmp	short loc_940F9A
; 

loc_940F8D:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+9Bj
					; CmpBuildVirtualReplicationStack(x,x,x,x)+10Bj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C000000Dh

loc_940F9A:				; CODE XREF: CmpBuildVirtualReplicationStack(x,x,x,x)+38j
					; CmpBuildVirtualReplicationStack(x,x,x,x)+5Bj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_CmpBuildVirtualReplicationStack@16 endp


;  S U B	R O U T	I N E 


; __stdcall CmpDestroyVirtualStack(x, x, x)
_CmpDestroyVirtualStack@12 proc	near	; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+14Cp
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, edx
		xor	esi, esi
		push	edi
		test	ebx, ebx
		jz	short loc_940FDD
		lea	eax, [ebx-1]
		lea	edi, [ecx+0Ch]

loc_940FB4:				; CODE XREF: CmpDestroyVirtualStack(x,x,x)+3Aj
		mov	ecx, [edi-4]
		test	ecx, ecx
		jz	short loc_940FC3
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		lea	eax, [ebx-1]

loc_940FC3:				; CODE XREF: CmpDestroyVirtualStack(x,x,x)+18j
		cmp	esi, eax
		jnz	short loc_940FD5
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_940FD5
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		lea	eax, [ebx-1]

loc_940FD5:				; CODE XREF: CmpDestroyVirtualStack(x,x,x)+24j
					; CmpDestroyVirtualStack(x,x,x)+2Aj
		inc	esi
		add	edi, 1Ch
		cmp	esi, ebx
		jb	short loc_940FB4

loc_940FDD:				; CODE XREF: CmpDestroyVirtualStack(x,x,x)+Bj
		pop	edi
		pop	esi
		pop	ebx
		retn	4
_CmpDestroyVirtualStack@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoAccessCheckOnKCB(x, x,	x, x)
_CmpDoAccessCheckOnKCB@16 proc near	; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+C3p
					; CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+D9p

var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_80		= dword	ptr -80h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 15Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	74h		; size_t
		xor	ebx, ebx
		mov	[ebp+var_158], edx
		lea	eax, [ebp+var_80]
		mov	[ebp+var_150], ecx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_148]
		push	0C4h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	edx, ds:_CmKeyObjectType
		lea	eax, [ebp+var_14C]
		add	esp, 0Ch
		mov	[ebp+var_14C], ebx
		push	ebx
		push	eax
		push	ebx
		push	ebx
		push	38h
		push	ecx
		push	[ebp+arg_4]
		mov	cl, byte ptr [ebp+arg_4]
		push	ebx
		call	ObCreateObjectEx
		test	eax, eax
		jns	short loc_94105D
		xor	al, al
		jmp	loc_9410F7
; 

loc_94105D:				; CODE XREF: CmpDoAccessCheckOnKCB(x,x,x,x)+71j
		mov	edi, [ebp+var_14C]
		xor	eax, eax
		mov	esi, large fs:124h
		mov	[edi+20h], ebx
		mov	[edi+24h], ebx
		mov	dword ptr [edi], 6B793032h
		mov	[edi+8], ebx
		mov	[edi+1Ch], eax
		lea	eax, [edi+28h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, ds:_CmKeyObjectType
		add	eax, 34h
		push	eax		; int
		push	[ebp+arg_0]	; int
		lea	eax, [ebp+var_148]
		push	eax		; void *
		lea	eax, [ebp+var_80]
		push	eax		; void *
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		push	eax		; int
		push	esi		; int
		call	_SeCreateAccessStateEx@24 ; SeCreateAccessStateEx(x,x,x,x,x,x)
		mov	[ebp+var_154], eax
		test	eax, eax
		js	short loc_9410EA
		mov	eax, [ebp+var_150]
		mov	edx, [ebp+var_158]
		mov	ecx, [ebp+var_14C]
		mov	[edi+8], eax
		lea	eax, [ebp+var_154]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ebp+var_80]
		push	eax
		call	CmpCheckKeyBodyAccess
		mov	bl, al
		lea	eax, [ebp+var_80]
		push	eax
		call	SeDeleteAccessState
		and	dword ptr [edi+8], 0

loc_9410EA:				; CODE XREF: CmpDoAccessCheckOnKCB(x,x,x,x)+CEj
		mov	ecx, [ebp+var_14C]
		call	ObfDereferenceObject
		mov	al, bl

loc_9410F7:				; CODE XREF: CmpDoAccessCheckOnKCB(x,x,x,x)+75j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_CmpDoAccessCheckOnKCB@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindSubKeyByNumberFromMergedView(x, x, x, x, x, x, x, x,	x)
_CmpFindSubKeyByNumberFromMergedView@36	proc near ; CODE XREF: CmEnumerateKey+11249Ap
					; CmQueryKey+111785p ...

var_60		= byte ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		or	eax, 0FFFFFFFFh
		mov	[esp+44h+var_38], edx
		push	ebx
		xor	ebx, ebx
		mov	[esp+48h+var_34], ecx
		mov	ecx, ebx
		mov	[esp+48h+var_8], eax
		mov	dl, bl
		mov	[esp+48h+var_10], eax
		mov	[esp+48h+var_30], eax
		mov	[esp+48h+var_18], ebx
		mov	[esp+48h+var_14], ebx
		mov	[esp+48h+var_20], ebx
		mov	[esp+48h+var_4], ebx
		mov	[esp+48h+var_24], ebx
		mov	[esp+48h+var_C], ebx
		mov	ebx, eax
		xor	al, al
		mov	[esp+48h+var_1C], 0C000009Ah
		mov	byte ptr [esp+48h+var_44+1], al
		mov	eax, [ebp+arg_C]
		push	esi
		push	edi
		xor	esi, esi
		mov	byte ptr [esp+50h+var_44], dl
		and	[eax], ecx
		xor	edi, edi
		mov	eax, [ebp+arg_10]
		mov	[esp+50h+var_40], ecx
		mov	[esp+50h+var_3C], ebx
		mov	byte ptr [esp+50h+var_44+2], cl
		or	[eax], ebx
		mov	[esp+50h+var_2C], esi
		mov	[esp+50h+var_28], edi
		cmp	[esp+50h+var_38], ecx
		jnz	short loc_94118C
		mov	byte ptr [esp+50h+var_44+1], 1

loc_94118C:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+7Dj
					; CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+33Aj ...
		test	dl, dl
		jz	short loc_941199
		cmp	ecx, [ebp+arg_0]
		jnb	loc_94146A

loc_941199:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+86j
		test	esi, esi
		jz	short loc_9411AD
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_CmpDelayDerefKeyControlBlock@8	; CmpDelayDerefKeyControlBlock(x,x)
		xor	esi, esi
		mov	[esp+50h+var_2C], esi

loc_9411AD:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+93j
		test	edi, edi
		jz	short loc_9411C1
		mov	edx, [ebp+arg_8]
		mov	ecx, edi
		call	_CmpDelayDerefKeyControlBlock@8	; CmpDelayDerefKeyControlBlock(x,x)
		xor	edi, edi
		mov	[esp+50h+var_28], edi

loc_9411C1:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+A7j
		cmp	byte ptr [esp+50h+var_44+2], 0
		jnz	short loc_94122B
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_94122B
		mov	ecx, [ebp+arg_4]
		lea	edx, [esp+50h+var_2C]
		mov	eax, ecx
		neg	eax
		sbb	eax, eax
		and	eax, edx
		push	eax
		push	[ebp+arg_8]
		mov	eax, ecx
		neg	eax
		push	ecx
		sbb	eax, eax
		and	eax, [esp+5Ch+var_38]
		push	eax
		mov	eax, ecx
		mov	ecx, [esp+60h+var_34]
		neg	eax
		sbb	eax, eax
		mov	edx, [ecx+14h]
		and	eax, ecx
		mov	ecx, [ecx+10h]
		push	eax
		lea	eax, [esp+64h+var_3C]
		push	eax
		push	[esp+68h+var_18]
		call	CmpFindSubKeyByNumberEx
		mov	esi, [esp+50h+var_2C]
		mov	ebx, eax
		mov	[esp+50h+var_1C], ebx
		test	ebx, ebx
		js	loc_941499
		cmp	[esp+50h+var_3C], 0FFFFFFFFh
		jnz	short loc_94122B
		mov	byte ptr [esp+50h+var_44+2], 1

loc_94122B:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+BEj
					; CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+C3j ...
		mov	al, byte ptr [esp+50h+var_44+1]
		mov	ecx, [esp+50h+var_30]
		test	al, al
		jnz	short loc_9412A3
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_9412A3
		mov	ecx, [ebp+arg_4]
		lea	edx, [esp+50h+var_28]
		mov	eax, ecx
		neg	eax
		sbb	eax, eax
		and	eax, edx
		push	eax
		push	[ebp+arg_8]
		mov	eax, ecx
		neg	eax
		push	ecx
		sbb	eax, eax
		and	eax, [esp+5Ch+var_34]
		push	eax
		mov	eax, ecx
		mov	ecx, [esp+60h+var_38]
		neg	eax
		sbb	eax, eax
		mov	edx, [ecx+14h]
		and	eax, ecx
		mov	ecx, [ecx+10h]
		push	eax
		lea	eax, [esp+64h+var_30]
		push	eax
		push	[esp+68h+var_14]
		call	CmpFindSubKeyByNumberEx
		mov	edi, [esp+50h+var_28]
		mov	ebx, eax
		mov	[esp+50h+var_1C], ebx
		test	ebx, ebx
		js	loc_941499
		mov	ecx, [esp+50h+var_30]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_94129F
		mov	al, 1
		mov	byte ptr [esp+50h+var_44+1], al
		jmp	short loc_9412A3
; 

loc_94129F:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+18Dj
		mov	al, byte ptr [esp+50h+var_44+1]

loc_9412A3:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+12Dj
					; CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+132j ...
		cmp	byte ptr [esp+50h+var_44+2], 0
		jz	short loc_9412B7
		test	al, al
		jnz	loc_94146A
		push	2
		pop	ebx
		jmp	short loc_9412BE
; 

loc_9412B7:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+1A0j
		xor	ebx, ebx
		test	al, al
		setnz	bl

loc_9412BE:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+1ADj
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_9412E0
		mov	eax, [esp+50h+var_38]
		lea	edx, [esp+50h+var_10]
		push	edx
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+4]
		mov	[esp+5Ch+var_30], eax
		test	eax, eax
		jz	loc_941495

loc_9412E0:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+1B9j
		mov	edx, [esp+5Ch+var_48]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_94130E
		mov	eax, [esp+5Ch+var_40]
		mov	ecx, [eax+10h]
		lea	eax, [esp+5Ch+var_14]
		push	eax
		push	edx
		push	ecx
		call	dword ptr [ecx+4]
		mov	ecx, eax
		mov	[esp+68h+var_38], ecx
		test	ecx, ecx
		jz	loc_941495
		mov	edx, [esp+68h+var_54]
		jmp	short loc_941312
; 

loc_94130E:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+1DFj
		mov	ecx, [esp+5Ch+var_2C]

loc_941312:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+204j
		xor	al, al
		mov	byte ptr [esp+5Ch+var_50+3], al
		sub	ebx, 0
		jz	loc_9413A6
		sub	ebx, 1
		jz	short loc_941376
		sub	ebx, 1
		jnz	loc_941415
		mov	ecx, [esp+5Ch+var_4C]

loc_941333:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x):loc_9413D7j
		cmp	byte ptr [esp+5Ch+var_50], 0
		jz	short loc_94133F
		inc	ecx
		mov	[esp+5Ch+var_4C], ecx

loc_94133F:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+230j
		mov	byte ptr [esp+5Ch+var_50], 1
		cmp	ecx, [ebp+arg_0]
		jnz	loc_941407
		mov	eax, [esp+5Ch+var_44]
		mov	ecx, [ebp+arg_C]
		mov	eax, [eax+10h]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_10]
		mov	eax, [esp+5Ch+var_3C]
		mov	[ecx], eax
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	loc_941491
		mov	[eax], edi
		xor	edi, edi
		jmp	loc_941491
; 

loc_941376:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+21Cj
		cmp	byte ptr [esp+5Ch+var_50], 0
		mov	ecx, [esp+5Ch+var_4C]
		jz	short loc_941386
		inc	ecx
		mov	[esp+5Ch+var_4C], ecx

loc_941386:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+277j
		mov	byte ptr [esp+5Ch+var_50], 1
		cmp	ecx, [ebp+arg_0]
		jnz	short loc_9413F5
		mov	eax, [esp+5Ch+var_40]
		mov	ecx, [ebp+arg_C]
		mov	eax, [eax+10h]
		mov	[ecx], eax
		mov	eax, [ebp+arg_10]
		mov	[eax], edx
		jmp	loc_941486
; 

loc_9413A6:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+213j
		mov	edx, [esp+5Ch+var_30]
		call	_CmpCompareKeysByName@8	; CmpCompareKeysByName(x,x)
		mov	ecx, [esp+50h+var_40]
		test	eax, eax
		jns	short loc_9413D7
		cmp	byte ptr [esp+50h+var_44], 0
		jz	short loc_9413C3
		inc	ecx
		mov	[esp+50h+var_40], ecx

loc_9413C3:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+2B4j
		mov	byte ptr [esp+50h+var_44], 1
		cmp	ecx, [ebp+arg_0]
		jz	loc_941471
		mov	al, byte ptr [esp+50h+var_44+3]
		jmp	short loc_9413F5
; 

loc_9413D7:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+2ADj
		jg	loc_941333
		cmp	byte ptr [esp+50h+var_44], 0
		jz	short loc_9413E9
		inc	ecx
		mov	[esp+50h+var_40], ecx

loc_9413E9:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+2DAj
		mov	byte ptr [esp+50h+var_44], 1
		cmp	ecx, [ebp+arg_0]
		jz	short loc_941471
		mov	al, 1

loc_9413F5:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+286j
					; CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+2CDj
		or	[esp+50h+var_3C], 0FFFFFFFFh
		inc	[esp+50h+var_18]
		mov	byte ptr [esp+50h+var_44], 1
		test	al, al
		jz	short loc_941415

loc_941407:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+23Fj
		or	[esp+50h+var_30], 0FFFFFFFFh
		inc	[esp+50h+var_14]
		mov	byte ptr [esp+50h+var_44], 1

loc_941415:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+221j
					; CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+2FDj
		cmp	[esp+50h+var_20], 0
		jz	short loc_941431
		mov	eax, [esp+50h+var_34]
		lea	ecx, [esp+50h+var_8]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]
		and	[esp+58h+var_28], 0

loc_941431:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+312j
		cmp	[esp+58h+var_2C], 0
		mov	ecx, [esp+58h+var_48]
		mov	dl, byte ptr [esp+58h+var_4C]
		mov	ebx, [esp+58h+var_44]
		jz	loc_94118C
		mov	eax, [esp+58h+var_40]
		lea	ecx, [esp+58h+var_18]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]
		and	[esp+60h+var_34], 0
		mov	ecx, [esp+60h+var_50]
		mov	dl, byte ptr [esp+60h+var_54]
		jmp	loc_94118C
; 

loc_94146A:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+8Bj
					; CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+1A4j
		mov	ebx, 8000001Ah
		jmp	short loc_941499
; 

loc_941471:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+2C3j
					; CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+2E9j
		mov	eax, [esp+50h+var_34]
		mov	ecx, [ebp+arg_C]
		mov	eax, [eax+10h]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_10]
		mov	eax, [esp+50h+var_3C]
		mov	[ecx], eax

loc_941486:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+299j
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	short loc_941491
		mov	[eax], esi
		xor	esi, esi

loc_941491:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+25Fj
					; CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+269j ...
		xor	ebx, ebx
		jmp	short loc_941499
; 

loc_941495:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+1D2j
					; CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+1FAj
		mov	ebx, [esp+5Ch+var_28]

loc_941499:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+111j
					; CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+180j ...
		test	esi, esi
		jz	short loc_9414A7
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_CmpDelayDerefKeyControlBlock@8	; CmpDelayDerefKeyControlBlock(x,x)

loc_9414A7:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+393j
		test	edi, edi
		jz	short loc_9414B5
		mov	edx, [ebp+arg_8]
		mov	ecx, edi
		call	_CmpDelayDerefKeyControlBlock@8	; CmpDelayDerefKeyControlBlock(x,x)

loc_9414B5:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+3A1j
		cmp	[esp+5Ch+var_30], 0
		jz	short loc_9414CC
		mov	eax, [esp+5Ch+var_44]
		lea	ecx, [esp+5Ch+var_1C]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]

loc_9414CC:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+3B2j
		cmp	[esp+64h+var_34], 0
		jz	short loc_9414E3
		mov	eax, [esp+64h+var_48]
		lea	ecx, [esp+64h+var_1C]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]

loc_9414E3:				; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+3C9j
		mov	eax, [esp+6Ch+var_5C]
		movzx	ecx, [esp+6Ch+var_60]
		inc	eax
		neg	ecx
		pop	edi
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, [ebp+arg_18]
		pop	esi
		mov	[eax], ecx
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_CmpFindSubKeyByNumberFromMergedView@36	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpReparseToVirtualPath(x, x, x, x)
_CmpReparseToVirtualPath@16 proc near	; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+83p
					; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+1F5p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		mov	esi, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	dword ptr [esi+68h], (offset loc_7FFFFF+1)
		jz	short loc_941566
		lea	eax, [ebp+var_8]
		xor	edx, edx
		push	eax
		push	[ebp+arg_0]
		mov	ecx, esi
		call	_CmRealKCBToVirtualPath@16 ; CmRealKCBToVirtualPath(x,x,x,x)
		test	eax, eax
		js	short loc_941566
		lea	ecx, [ebp+var_8]
		call	_CmpVirtualPathPresent@4 ; CmpVirtualPathPresent(x)
		mov	bl, al
		test	bl, bl
		jz	short loc_941566
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_8]
		push	0
		mov	[ecx], eax
		mov	eax, [ebp+var_4]
		mov	[ecx+4], eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	bl, 1

loc_941566:				; CODE XREF: CmpReparseToVirtualPath(x,x,x,x)+24j
					; CmpReparseToVirtualPath(x,x,x,x)+38j	...
		cmp	[ebp+var_4], 0
		jz	short loc_941575
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_941575:				; CODE XREF: CmpReparseToVirtualPath(x,x,x,x)+67j
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
_CmpReparseToVirtualPath@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpReplicateKeyToVirtual(x,	x, x, x)
_CmpReplicateKeyToVirtual@16 proc near	; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+12Bp
					; CmKeyBodyReplicateToVirtual(x,x,x,x,x)+1A5p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_54], eax
		push	8
		xor	eax, eax
		lea	edi, [ebp+var_28]
		mov	esi, edx
		xor	edx, edx
		pop	ecx
		rep stosd
		mov	edi, edx
		mov	[ebp+var_48], esi
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], edi
		cmp	ds:_CmpTraceRoutine, eax
		jz	short loc_9415D0
		mov	edx, 20000h
		lea	ecx, [ebp+var_28]
		call	@EtwGetKernelTraceTimestamp@8 ;	EtwGetKernelTraceTimestamp(x,x)
		xor	edx, edx

loc_9415D0:				; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+42j
		push	edx
		lea	eax, [ebp+var_38]
		mov	[ebp+var_40], edx
		push	eax
		mov	[ebp+var_3C], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_29], dl
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		and	[ebp+var_44], edi
		cmp	ds:_CmpTraceRoutine, edi
		jz	short loc_9415FA
		test	ebx, ebx
		jz	short loc_9415FA
		mov	edi, ebx
		mov	[ebp+var_4C], ebx

loc_9415FA:				; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+72j
					; CmpReplicateKeyToVirtual(x,x,x,x)+76j
		cmp	[ebp+arg_0], 0
		jnz	short loc_941616
		call	_ExTryConvertSharedToExclusiveLite@4 ; ExTryConvertSharedToExclusiveLite(x)
		mov	[ebp+var_29], al
		test	al, al
		jnz	short loc_941616
		mov	esi, 0C0000055h
		jmp	loc_9416ED
; 

loc_941616:				; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+81j
					; CmpReplicateKeyToVirtual(x,x,x,x)+8Dj
		mov	ecx, ebx
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		lea	eax, [ebp+var_38]
		xor	edx, edx
		push	eax
		push	esi
		mov	ecx, ebx
		call	_CmRealKCBToVirtualPath@16 ; CmRealKCBToVirtualPath(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_941654
		mov	ecx, ds:_CmpTraceRoutine
		test	ecx, ecx
		jz	loc_941717
		lea	eax, [ebp+var_38]
		push	eax
		push	edi
		push	0
		push	esi
		lea	eax, [ebp+var_28]
		push	eax
		push	1Ah
		call	ecx
		jmp	loc_941717
; 

loc_941654:				; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+B2j
		lea	eax, [ebp+var_3C]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	edx, [ebp+var_38]
		call	_CmpBuildVirtualReplicationStack@16 ; CmpBuildVirtualReplicationStack(x,x,x,x)
		test	eax, eax
		jns	short loc_941671
		mov	esi, 0C000009Ah
		jmp	short loc_9416D6
; 

loc_941671:				; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+EBj
		cmp	[ebp+var_30], 0
		mov	edi, [ebp+var_3C]
		jnz	short loc_941681
		mov	esi, 0C000000Dh
		jmp	short loc_9416BF
; 

loc_941681:				; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+FBj
		mov	ecx, [ebp+var_48]
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		lea	edx, [ebp+var_40]
		call	_CmpGetVirtualStoreRoot@16 ; CmpGetVirtualStoreRoot(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9416BF
		mov	eax, [ebp+var_54]
		mov	ecx, [ebp+var_44]
		push	[ebp+var_48]
		mov	edx, [ebp+var_40]
		mov	[eax], edx
		mov	eax, [ecx+14h]
		push	ebx
		mov	[edi+10h], eax
		mov	[edi+8], ecx
		mov	ecx, edi
		push	edx
		mov	edx, [ebp+var_30]
		call	_CmpDoBuildVirtualStack@20 ; CmpDoBuildVirtualStack(x,x,x,x,x)
		mov	esi, eax

loc_9416BF:				; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+102j
					; CmpReplicateKeyToVirtual(x,x,x,x)+11Bj
		test	edi, edi
		jz	short loc_9416D6
		mov	edx, [ebp+var_30]
		push	ecx
		mov	ecx, edi
		call	_CmpDestroyVirtualStack@12 ; CmpDestroyVirtualStack(x,x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9416D6:				; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+F2j
					; CmpReplicateKeyToVirtual(x,x,x,x)+144j
		mov	ecx, ebx
		call	_CmpLockKcbExclusive@4 ; CmpLockKcbExclusive(x)
		cmp	[ebp+var_29], 0
		jz	short loc_9416ED
		push	offset _CmpRegistryLock
		call	ExConvertExclusiveToSharedLite

loc_9416ED:				; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+94j
					; CmpReplicateKeyToVirtual(x,x,x,x)+164j
		mov	eax, ds:_CmpTraceRoutine
		test	eax, eax
		jz	short loc_941708
		lea	ecx, [ebp+var_38]
		push	ecx
		push	[ebp+var_4C]
		lea	ecx, [ebp+var_28]
		push	0
		push	esi
		push	ecx
		push	1Ah
		call	eax

loc_941708:				; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+177j
		cmp	[ebp+var_34], 0
		jz	short loc_941717
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_941717:				; CODE XREF: CmpReplicateKeyToVirtual(x,x,x,x)+BCj
					; CmpReplicateKeyToVirtual(x,x,x,x)+D2j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_CmpReplicateKeyToVirtual@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSyncKcbCacheForHive(x, x, x, x)
_CmpSyncKcbCacheForHive@16 proc	near	; DATA XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+20DAo
					; CmKeyBodyReplicateToVirtual(x,x,x,x,x)+23Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		test	eax, eax
		jz	short loc_94173F
		cmp	[esi+10h], eax
		jnz	short loc_941765

loc_94173F:				; CODE XREF: CmpSyncKcbCacheForHive(x,x,x,x)+Ej
		xor	edx, edx
		mov	ecx, esi
		call	_CmpIsKeyDeleted@8 ; CmpIsKeyDeleted(x,x)
		test	al, al
		jnz	short loc_941765
		cmp	dword ptr [esi+10h], 0
		jz	short loc_941765
		test	dword ptr [esi+68h], 100000h
		jnz	short loc_941765
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_CmpRebuildKcbCache@8 ;	CmpRebuildKcbCache(x,x)

loc_941765:				; CODE XREF: CmpSyncKcbCacheForHive(x,x,x,x)+13j
					; CmpSyncKcbCacheForHive(x,x,x,x)+20j ...
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	10h
_CmpSyncKcbCacheForHive@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVEExecuteVirtualStoreParseLogic(x, x, x,	x)
_CmpVEExecuteVirtualStoreParseLogic@16 proc near ; CODE	XREF: CmpVEExecuteParseLogic+114FBBp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	edi, eax
		mov	byte ptr [ebp+var_1], al
		push	eax
		mov	[ebp+var_24], eax
		mov	esi, edx
		mov	[ebp+var_20], eax
		mov	ebx, ecx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		or	dword ptr [eax], 8
		lea	eax, [ebp+var_1]
		push	eax
		call	_CmpVirtualBranchIsReplicated@12 ; CmpVirtualBranchIsReplicated(x,x,x)
		test	al, al
		jz	short loc_9417CF

loc_9417C5:				; CODE XREF: CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+11Fj
					; CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+166j
		mov	esi, 0C0000271h
		jmp	loc_941914
; 

loc_9417CF:				; CODE XREF: CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+57j
		lea	edx, [ebp+var_24]
		mov	ecx, ebx
		call	_CmVirtualKCBToRealPath@8 ; CmVirtualKCBToRealPath(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_941914
		mov	esi, [ebp+var_C]
		movzx	eax, word ptr [ebp+var_24]
		add	eax, 2
		movzx	ecx, word ptr [esi]
		add	eax, ecx
		cmp	eax, 0FFFFh
		jbe	short loc_941803
		mov	esi, 0C000000Dh
		jmp	loc_941914
; 

loc_941803:				; CODE XREF: CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+8Bj
		movzx	eax, ax
		push	624E4D43h
		push	eax
		push	1
		mov	word ptr [ebp+var_1C+2], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jnz	short loc_941828
		mov	esi, 0C000009Ah
		jmp	loc_941924
; 

loc_941828:				; CODE XREF: CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+B0j
		lea	edx, [ebp+var_24]
		lea	ecx, [ebp+var_1C]
		call	_RtlUnicodeStringCopy@8	; RtlUnicodeStringCopy(x,x)
		lea	ecx, [ebp+var_1C]
		call	_CmpUnicodeStringAppendCharacter@8 ; CmpUnicodeStringAppendCharacter(x,x)
		mov	edx, esi
		call	_RtlUnicodeStringCat@8 ; RtlUnicodeStringCat(x,x)
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax],	1
		jz	short loc_9418C5
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_9418C5
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		push	eax
		push	10h
		pop	edx
		call	CmpBlockHiveWrites
		mov	esi, eax
		test	esi, esi
		js	short loc_9418C0
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	10h
		push	0
		lea	edx, [ebp+var_1C]
		call	_CmpFindPathByNameEx@24	; CmpFindPathByNameEx(x,x,x,x,x,x)
		push	[ebp+var_8]
		xor	ecx, ecx
		mov	bl, al
		push	10h
		pop	edx
		call	CmpUnblockHiveWrites
		test	bl, bl
		jz	loc_9417C5
		mov	esi, [ebp+arg_4]
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_9418A3
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9418A3:				; CODE XREF: CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+12Dj
		mov	eax, [ebp+var_1C]
		mov	[esi], eax
		mov	eax, [ebp+var_18]
		mov	[esi+4], eax
		lea	eax, [ebp+var_1C]
		push	0
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, 104h
		jmp	short loc_941914
; 

loc_9418C0:				; CODE XREF: CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+F6j
		mov	edi, [ebp+var_8]
		jmp	short loc_941905
; 

loc_9418C5:				; CODE XREF: CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+DCj
					; CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+E2j
		mov	eax, [ebx+4]
		and	eax, 7FE00000h
		cmp	eax, 800000h
		jbe	loc_9417C5
		mov	esi, [ebp+arg_4]
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_9418EA
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9418EA:				; CODE XREF: CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+174j
		mov	eax, [ebp+var_1C]
		mov	[esi], eax
		mov	eax, [ebp+var_18]
		mov	[esi+4], eax
		lea	eax, [ebp+var_1C]
		push	0
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, 104h

loc_941905:				; CODE XREF: CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+157j
		test	edi, edi
		jz	short loc_941914
		push	edi
		push	10h
		pop	edx
		xor	ecx, ecx
		call	CmpUnblockHiveWrites

loc_941914:				; CODE XREF: CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+5Ej
					; CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+71j ...
		cmp	[ebp+var_18], 0
		jz	short loc_941924
		push	0
		push	[ebp+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_941924:				; CODE XREF: CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+B7j
					; CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+1ACj
		cmp	[ebp+var_20], 0
		jz	short loc_941934
		push	0
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_941934:				; CODE XREF: CmpVEExecuteVirtualStoreParseLogic(x,x,x,x)+1BCj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_CmpVEExecuteVirtualStoreParseLogic@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpVirtualPathPresent(x)
_CmpVirtualPathPresent@4 proc near	; CODE XREF: CmpReparseToVirtualPath(x,x,x,x)+3Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		or	[ebp+var_18], 0FFFFFFFFh
		lea	edx, [ebp+var_4]
		push	ebx
		mov	ebx, ds:_CmpMasterHive
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], eax
		mov	esi, eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], ebx
		call	_CmpGetCmHiveFromVirtualPath@8 ; CmpGetCmHiveFromVirtualPath(x,x)
		test	eax, eax
		js	short loc_9419E9
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	1
		call	CmpBlockTwoHiveWrites
		test	eax, eax
		js	short loc_9419E9
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		push	eax
		push	esi
		push	esi
		call	_CmpFindPathByNameEx@24	; CmpFindPathByNameEx(x,x,x,x,x,x)
		mov	edi, [ebp+var_8]
		mov	bl, al
		test	edi, edi
		jz	short loc_9419AC
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_C]
		push	edi
		call	dword ptr [edi+4]
		mov	esi, eax

loc_9419AC:				; CODE XREF: CmpVirtualPathPresent(x)+60j
		test	bl, bl
		jz	short loc_9419CE
		test	esi, esi
		jz	short loc_9419CC
		cmp	_CmpVEEnabled, 0
		jz	short loc_9419CC
		mov	eax, 100h
		test	[esi+2], ax
		jz	short loc_9419CC
		mov	bl, 1
		jmp	short loc_9419CE
; 

loc_9419CC:				; CODE XREF: CmpVirtualPathPresent(x)+75j
					; CmpVirtualPathPresent(x)+7Ej	...
		xor	bl, bl

loc_9419CE:				; CODE XREF: CmpVirtualPathPresent(x)+71j
					; CmpVirtualPathPresent(x)+8Dj
		test	esi, esi
		jz	short loc_9419DA
		lea	eax, [ebp+var_18]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_9419DA:				; CODE XREF: CmpVirtualPathPresent(x)+93j
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_10]
		call	CmpUnblockTwoHiveWrites
		mov	al, bl
		jmp	short loc_9419EB
; 

loc_9419E9:				; CODE XREF: CmpVirtualPathPresent(x)+34j
					; CmpVirtualPathPresent(x)+44j
		xor	al, al

loc_9419EB:				; CODE XREF: CmpVirtualPathPresent(x)+AAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpVirtualPathPresent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFlushBackupHive(x)
_CmpFlushBackupHive@4 proc near		; CODE XREF: CmpSyncNextBackupHive()+B5p

var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_1FD		= dword	ptr -1FDh
var_1F8		= dword	ptr -1F8h
var_A0		= dword	ptr -0A0h
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 22Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edx, edx
		mov	byte ptr [ebp+var_1FD],	1
		push	6
		mov	esi, ecx
		mov	[ebp+var_21C], edx
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_218], edx
		lea	edi, [ebp+var_A0]
		mov	[ebp+var_214], edx
		push	154h		; size_t
		rep stosd
		push	edx		; int
		lea	eax, [ebp+var_1F8]
		mov	[ebp+var_20C], edx
		push	eax		; void *
		mov	[ebp+var_1FD+1], edx
		mov	[ebp+var_210], edx
		mov	[ebp+var_22C], edx
		mov	[ebp+var_228], edx
		call	_memset
		add	esp, 0Ch
		imul	esi, 78h
		lea	eax, [ebp+var_88]
		mov	[ebp+var_208], 800000h
		mov	[ebp+var_204], eax
		lea	eax, [ebp+var_21C]
		push	offset ??_C@_1EK@IKDAGJBP@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@ ; "\\"
		push	eax
		mov	[ebp+var_220], esi
		mov	ebx, dword_6B1644[esi]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_21C]
		push	eax
		lea	eax, [ebp+var_208]
		push	eax
		call	_RtlAppendStringToString@8 ; RtlAppendStringToString(x,x)
		push	_CmpMachineHiveList[esi]
		lea	eax, [ebp+var_21C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_21C]
		push	eax
		lea	eax, [ebp+var_208]
		push	eax
		call	_RtlAppendStringToString@8 ; RtlAppendStringToString(x,x)
		push	offset ??_C@_19NBLAHBNG@?$AA?4?$AAO?$AAL?$AAD@NNGAKEGL@	; void *
		lea	eax, [ebp+var_208]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, [ebx+40Ch]
		mov	[ebp+var_224], esi
		test	esi, esi
		jnz	short loc_941AFE
		mov	edi, 0C0000189h
		jmp	loc_941D35
; 

loc_941AFE:				; CODE XREF: CmpFlushBackupHive(x)+102j
		push	1
		push	0
		lea	eax, [ebp+var_208]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	_CmpCmdRenameHive@20 ; CmpCmdRenameHive(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_941D35
		mov	edx, [ebp+var_220]
		mov	eax, 0FFF8h
		add	word ptr [ebp+var_208],	ax
		mov	ecx, ebx
		and	dword ptr [ebx+40Ch], 0
		mov	edx, _CmpMachineHiveList[edx]
		call	_CmpInitBackupHive@8 ; CmpInitBackupHive(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_941CE1
		lea	ecx, [ebp+var_A0]
		call	CmpAttachToRegistryProcess
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		cmp	_CmpDoIdleProcessing, 0
		jz	short loc_941BAB
		lea	ecx, [ebx+24h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [ebp+var_210]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_1FD+1]
		push	eax
		lea	edx, [ebp+var_20C]
		call	_HvSnapshotHiveToOffsetArray@16	; HvSnapshotHiveToOffsetArray(x,x,x,x)
		mov	edi, eax
		lea	ecx, [ebx+24h]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_941BA4
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [ebx+24h]

loc_941BA4:				; CODE XREF: CmpFlushBackupHive(x)+1AAj
		call	KeAbPostRelease
		jmp	short loc_941BB0
; 

loc_941BAB:				; CODE XREF: CmpFlushBackupHive(x)+173j
		mov	edi, 0C0000189h

loc_941BB0:				; CODE XREF: CmpFlushBackupHive(x)+1B9j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		lea	ecx, [ebp+var_A0]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		test	edi, edi
		js	loc_941CE1
		push	dword ptr [ebx+40Ch]
		mov	edx, [ebp+var_20C]
		push	[ebp+var_210]
		push	[ebp+var_1FD+1]
		call	_CmpWriteOffsetArrayToFile@20 ;	CmpWriteOffsetArrayToFile(x,x,x,x,x)
		mov	edx, [ebp+var_1FD+1]
		mov	edi, eax
		mov	ecx, [ebp+var_20C]
		call	_CmpFreeOffsetArray@8 ;	CmpFreeOffsetArray(x,x)
		test	edi, edi
		js	loc_941CE1
		push	2
		lea	eax, [ebp+var_1FD+1]
		mov	word ptr [ebp+var_1FD+1], 0
		push	eax
		push	4
		push	dword ptr [ebx+40Ch]
		call	_ZwSetInformationObject@16 ; ZwSetInformationObject(x,x,x,x)
		push	dword ptr [ebx+40Ch]
		call	_ZwClose@4	; ZwClose(x)
		xor	ecx, ecx
		lea	eax, [ebp+var_1F8]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	1190001h
		lea	eax, [ebp+var_214]
		mov	[ebx+40Ch], ecx
		push	eax
		lea	eax, [ebp-1F9h]
		mov	[ebp-1F9h], cl
		push	eax
		xor	dl, dl
		lea	ecx, [ebp+var_208]
		call	_CmpCmdHiveOpen@36 ; CmpCmdHiveOpen(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_941CE1
		mov	esi, [ebp+var_214]
		lea	ecx, [ebp+var_A0]
		mov	eax, [esi+400h]
		mov	[ebx+40Ch], eax
		xor	ebx, ebx
		mov	[esi+400h], ebx
		call	CmpAttachToRegistryProcess
		mov	ecx, esi
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)
		xor	edx, edx
		lea	ecx, [ebp+var_A0]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	esi, [ebp+var_224]
		lea	eax, [ebp+var_1FD]
		push	0Dh
		push	1
		push	eax
		lea	eax, [ebp+var_22C]
		push	eax
		push	esi
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		push	2
		lea	eax, [ebp+var_1FD+1]
		mov	word ptr [ebp+var_1FD+1], bx
		push	eax
		push	4
		push	esi
		call	_ZwSetInformationObject@16 ; ZwSetInformationObject(x,x,x,x)
		push	esi
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_941D35
; 

loc_941CE1:				; CODE XREF: CmpFlushBackupHive(x)+156j
					; CmpFlushBackupHive(x)+1D4j ...
		mov	eax, [ebx+40Ch]
		test	eax, eax
		jz	short loc_941D17
		push	2
		lea	ecx, [ebp+var_1FD+1]
		mov	word ptr [ebp+var_1FD+1], 0
		push	ecx
		push	4
		push	eax
		call	_ZwSetInformationObject@16 ; ZwSetInformationObject(x,x,x,x)
		push	dword ptr [ebx+40Ch]
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [ebx+40Ch], 0

loc_941D17:				; CODE XREF: CmpFlushBackupHive(x)+2F9j
		push	1
		push	0
		lea	eax, [ebp+var_208]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	_CmpCmdRenameHive@20 ; CmpCmdRenameHive(x,x,x,x,x)
		test	eax, eax
		js	short loc_941D35
		mov	[ebx+40Ch], esi

loc_941D35:				; CODE XREF: CmpFlushBackupHive(x)+109j
					; CmpFlushBackupHive(x)+126j ...
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpFlushBackupHive@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpFreeOffsetArray(x, x)
_CmpFreeOffsetArray@8 proc near		; CODE XREF: CmpFlushBackupHive(x)+205p
					; CmDumpKey(x,x,x)+162p
		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		test	edi, edi
		jz	short loc_941D68
		push	esi
		lea	esi, [ebx+4]

loc_941D56:				; CODE XREF: CmpFreeOffsetArray(x,x)+1Fj
		push	0
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	esi, [esi+0Ch]
		sub	edi, 1
		jnz	short loc_941D56
		pop	esi

loc_941D68:				; CODE XREF: CmpFreeOffsetArray(x,x)+Aj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	ebx
		retn
_CmpFreeOffsetArray@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpInitBackupHive(x, x)
_CmpInitBackupHive@8 proc near		; CODE XREF: PAGE:0088889Fp
					; PAGE:00888C58p ...

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_98], 800000h
		push	ebx
		push	esi
		mov	[ebp+var_A0], eax
		mov	esi, edx
		mov	[ebp+var_9C], eax
		mov	ebx, 80h
		mov	[ebp+var_90], eax
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_88]
		push	edi
		mov	[ebp+var_94], eax
		mov	edi, ecx
		push	offset ??_C@_1EK@IKDAGJBP@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@ ; "\\"
		lea	eax, [ebp+var_90]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_90]
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		call	_RtlAppendStringToString@8 ; RtlAppendStringToString(x,x)
		push	esi
		lea	eax, [ebp+var_90]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_90]
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		call	_RtlAppendStringToString@8 ; RtlAppendStringToString(x,x)
		xor	ecx, ecx
		mov	[ebp+var_B8], 18h
		push	ecx
		push	ecx
		push	0C808h
		push	3
		push	ecx
		push	ebx
		lea	eax, [ebp+var_98]
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_B0], eax
		mov	eax, _CmpAdminSystemFileSecurityDescriptor
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_A0]
		push	ecx
		push	eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_AC], 240h
		push	eax
		push	10003h
		lea	eax, [edi+40Ch]
		mov	[ebp+var_A4], ecx
		push	eax
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpInitBackupHive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSyncNextBackupHive()
_CmpSyncNextBackupHive@0 proc near	; CODE XREF: NtInitializeRegistry:loc_90C31Cp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_24]
		xor	esi, esi
		rep stosd
		mov	[ebp+var_C], esi
		call	_TryLockShutdownShared@0 ; TryLockShutdownShared()
		test	al, al
		jnz	short loc_941EA8
		mov	esi, 8000001Ah
		jmp	loc_941FCA
; 

loc_941EA8:				; CODE XREF: CmpSyncNextBackupHive()+21j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _CmpShutdownRundown
		mov	ecx, edi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	bl, al
		test	bl, bl
		jnz	short loc_941EDE
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_941ED4:				; CODE XREF: CmpSyncNextBackupHive()+69j
		mov	esi, 0C0000189h
		jmp	loc_941F9B
; 

loc_941EDE:				; CODE XREF: CmpSyncNextBackupHive()+4Bj
		cmp	_CmpDoIdleProcessing, esi
		jz	short loc_941ED4

loc_941EE6:				; CODE XREF: CmpSyncNextBackupHive()+97j
		mov	eax, _CmpPeriodicBackupFlushHiveCount
		mov	[ebp+var_8], eax
		cmp	[ebp+var_8], 6
		jnb	short loc_941EFD
		mov	eax, [ebp+var_8]
		inc	eax
		mov	[ebp+var_4], eax
		jmp	short loc_941F00
; 

loc_941EFD:				; CODE XREF: CmpSyncNextBackupHive()+77j
		mov	[ebp+var_4], esi

loc_941F00:				; CODE XREF: CmpSyncNextBackupHive()+80j
		mov	eax, [ebp+var_8]
		mov	edx, offset _CmpPeriodicBackupFlushHiveCount
		mov	ecx, [ebp+var_4]
		lock cmpxchg [edx], ecx
		cmp	eax, [ebp+var_8]
		jnz	short loc_941EE6
		imul	eax, [ebp+var_4], 78h
		test	byte ptr dword_6B1638[eax], 1
		jnz	short loc_941F35
		imul	eax, [ebp+var_4], 78h
		cmp	dword_6B1644[eax], esi
		jz	short loc_941F35
		mov	ecx, [ebp+var_4]
		call	_CmpFlushBackupHive@4 ;	CmpFlushBackupHive(x)

loc_941F35:				; CODE XREF: CmpSyncNextBackupHive()+A4j
					; CmpSyncNextBackupHive()+B0j
		cmp	[ebp+var_4], 6
		jnz	short loc_941F9B
		push	esi
		push	esi
		push	esi
		push	esi
		lea	eax, [ebp+var_24]
		mov	[ebp+var_24], 18h
		push	eax
		push	2
		lea	eax, [ebp+var_C]
		mov	[ebp+var_20], esi
		push	eax
		mov	[ebp+var_18], 240h
		mov	[ebp+var_1C], offset _CmpConfigurationManagerKeyName
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_941F96
		lock inc _CmpBackupCount
		push	4
		push	offset _CmpBackupCount
		push	4
		push	esi
		push	offset _CmpBackupCountValueName
		push	[ebp+var_C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_941F96:				; CODE XREF: CmpSyncNextBackupHive()+F3j
		mov	esi, 8000001Ah

loc_941F9B:				; CODE XREF: CmpSyncNextBackupHive()+5Ej
					; CmpSyncNextBackupHive()+BEj
		xor	edx, edx
		mov	ecx, offset _CmpShutdownLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, bl
		jz	short loc_941FCA
		mov	ecx, edi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_941FCA:				; CODE XREF: CmpSyncNextBackupHive()+28j
					; CmpSyncNextBackupHive()+13Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmpSyncNextBackupHive@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpWriteOffsetArrayToFile(x, x, x, x, x)
_CmpWriteOffsetArrayToFile@20 proc near	; CODE XREF: CmpFlushBackupHive(x)+1F2p
					; CmDumpKey(x,x,x)+147p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		push	14h
		mov	[ebp+var_10], eax
		xor	edi, edi
		push	8
		lea	eax, [ebp+var_10]
		mov	[ebp+var_8], edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], edi
		push	eax
		push	[ebp+arg_8]
		mov	esi, edx
		mov	[ebp+var_C], edi
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		test	eax, eax
		js	short loc_942024
		push	ecx
		mov	ecx, [ebp+arg_8]
		push	edi
		push	esi
		push	[ebp+arg_0]
		call	CmpDoFileWrite
		test	eax, eax
		js	short loc_942024
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_8]
		call	_ZwFlushBuffersFile@8 ;	ZwFlushBuffersFile(x,x)

loc_942024:				; CODE XREF: CmpWriteOffsetArrayToFile(x,x,x,x,x)+33j
					; CmpWriteOffsetArrayToFile(x,x,x,x,x)+45j
		pop	edi
		pop	esi
		leave
		retn	0Ch
_CmpWriteOffsetArrayToFile@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmpAssignSecurityDescriptor(int,void *,int)
_CmpAssignSecurityDescriptor@20	proc near ; CODE XREF: CmpCreateTombstone(x,x)+153p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esi+2Ch]
		push	eax		; int
		push	0		; int
		push	[ebp+arg_4]	; void *
		push	esi		; int
		call	_CmpGetSecurityDescriptorNode@24 ; CmpGetSecurityDescriptorNode(x,x,x,x,x,x)
		pop	esi
		pop	ebp
		retn	0Ch
_CmpAssignSecurityDescriptor@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCheckKcbStackAccess(x, x, x, x, x)
_CmpCheckKcbStackAccess@20 proc	near	; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+1E2p
					; CmRenameKey(x,x,x,x)+27Ap

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	0
		call	_CmpGetSecurityCacheEntryForKcbStack@12	; CmpGetSecurityCacheEntryForKcbStack(x,x,x)
		push	[ebp+arg_8]
		mov	dl, [ebp+arg_0]
		push	[ebp+arg_4]
		lea	ecx, [eax+18h]
		call	CmpCheckKeySecurityDescriptorAccess
		pop	ecx
		pop	ebp
		retn	0Ch
_CmpCheckKcbStackAccess@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCheckKeyAccess(x, x, x, x, x)
_CmpCheckKeyAccess@20 proc near		; CODE XREF: CmpDoAccessCheckOnSubtree(x,x,x,x,x)+92p
					; CmRestoreKey(x,x,x,x)+4B4p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		or	[ebp+var_8], 0FFFFFFFFh
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	short loc_9420BE
		cmp	edx, 0FFFFFFFFh
		jz	short loc_9420BE
		test	edx, edx
		jz	short loc_9420BE
		lea	eax, [ebp+var_8]
		push	eax
		push	edx
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jnz	short loc_94209F
		mov	eax, 0C000009Ah
		jmp	short loc_9420C3
; 

loc_94209F:				; CODE XREF: CmpCheckKeyAccess(x,x,x,x,x)+2Cj
		mov	esi, [eax+2Ch]
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		push	[ebp+arg_8]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_CmpCheckSecurityCellAccess@20 ; CmpCheckSecurityCellAccess(x,x,x,x,x)
		jmp	short loc_9420C3
; 

loc_9420BE:				; CODE XREF: CmpCheckKeyAccess(x,x,x,x,x)+16j
					; CmpCheckKeyAccess(x,x,x,x,x)+1Bj ...
		mov	eax, 0C000017Ch

loc_9420C3:				; CODE XREF: CmpCheckKeyAccess(x,x,x,x,x)+33j
					; CmpCheckKeyAccess(x,x,x,x,x)+52j
		pop	edi
		pop	esi
		leave
		retn	0Ch
_CmpCheckKeyAccess@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCheckKeyNodeStackAccess(x, x, x,	x)
_CmpCheckKeyNodeStackAccess@16 proc near
					; CODE XREF: CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+7Ep
					; CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+F5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		mov	[ebp+var_C], eax
		mov	bl, dl
		mov	[ebp+var_10], eax
		lea	edx, [ebp+var_8]
		or	[ebp+var_10], 0FFFFFFFFh
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	word ptr [ebp+var_C], ax
		lea	eax, [ebp+var_4]
		push	edi
		push	eax
		call	_CmpGetSecurityCellForKeyNodeStack@12 ;	CmpGetSecurityCellForKeyNodeStack(x,x,x)
		mov	edi, [ebp+var_8]
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		push	edi
		call	dword ptr [edi+4]
		push	[ebp+arg_4]
		mov	esi, eax
		mov	dl, bl
		push	[ebp+arg_0]
		lea	ecx, [esi+14h]
		call	CmpCheckKeySecurityDescriptorAccess
		mov	ebx, eax
		test	esi, esi
		jz	short loc_942126
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_942126:				; CODE XREF: CmpCheckKeyNodeStackAccess(x,x,x,x)+53j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_CmpCheckKeyNodeStackAccess@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCopySaclToVirtualKey(x, x, x, x,	x)
_CmpCopySaclToVirtualKey@20 proc near	; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+3BEp

var_4C		= dword	ptr -4Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	ebx
		xor	eax, eax
		or	[ebp+var_38], 0FFFFFFFFh
		push	esi
		push	edi
		lea	edi, [ebp+var_4C]
		or	[ebp+var_30], 0FFFFFFFFh
		stosd
		xor	ebx, ebx
		mov	[ebp+var_28], ecx
		mov	byte ptr [ebp+var_C], bl
		mov	byte ptr [ebp+var_8], bl
		stosd
		mov	[ebp+var_34], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_2C], ebx
		stosd
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+2Ch]
		mov	[ebp+var_24], eax
		mov	eax, [edx+2Ch]
		lea	edx, [ebp+var_38]
		push	edx
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		test	eax, eax
		jnz	short loc_942192
		mov	eax, 0C000009Ah
		jmp	loc_94238C
; 

loc_942192:				; CODE XREF: CmpCopySaclToVirtualKey(x,x,x,x,x)+57j
		lea	ecx, [ebp+var_8]
		add	eax, 14h
		push	ecx
		lea	ecx, [ebp+var_18]
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	eax
		call	_RtlGetSaclSecurityDescriptor@16 ; RtlGetSaclSecurityDescriptor(x,x,x,x)
		mov	edi, [ebp+arg_0]
		mov	esi, eax
		test	esi, esi
		js	loc_942350
		cmp	byte ptr [ebp+var_C], bl
		jz	loc_942350
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_24]
		push	edi
		call	dword ptr [edi+4]
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_942350
		movzx	ecx, byte ptr [ebx+14h]
		lea	eax, [ebp+var_4C]
		push	ecx
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_942350
		push	[ebp+var_8]
		mov	ax, [ebx+16h]
		mov	ecx, 7FFFh
		push	[ebp+var_18]
		and	ax, cx
		push	[ebp+var_C]
		mov	word ptr [ebp+var_4C+2], ax
		lea	eax, [ebp+var_4C]
		push	eax
		call	_RtlSetSaclSecurityDescriptor@16 ; RtlSetSaclSecurityDescriptor(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_942350
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebx+14h]
		push	eax
		call	_RtlGetOwnerSecurityDescriptor@12 ; RtlGetOwnerSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_942350
		push	[ebp+var_8]
		lea	eax, [ebp+var_4C]
		push	[ebp+var_14]
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_942350
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebx+14h]
		push	eax
		call	_RtlGetGroupSecurityDescriptor@12 ; RtlGetGroupSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_942350
		push	[ebp+var_8]
		lea	eax, [ebp+var_4C]
		push	[ebp+var_14]
		push	eax
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_942350
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebx+14h]
		push	eax
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_942350
		push	[ebp+var_8]
		lea	eax, [ebp+var_4C]
		push	[ebp+var_18]
		push	[ebp+var_C]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_942350
		lea	eax, [ebp+var_10]
		push	eax		; int
		push	1		; int
		push	1		; int
		push	0		; char
		lea	eax, [ebp+var_4C]
		push	eax		; size_t
		call	SeCaptureSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_942350
		mov	edx, [ebp+var_24]
		xor	esi, esi
		push	esi
		push	esi
		mov	ecx, edi
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_942340
		mov	edx, [ebx+4]
		mov	ecx, edi
		push	esi
		push	esi
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_942340
		mov	edx, [ebx+8]
		mov	ecx, edi
		push	esi
		push	esi
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_942340
		mov	edx, [ebp+arg_8]
		lea	eax, [ebp+var_1C]
		push	eax		; int
		push	esi		; int
		push	[ebp+var_10]	; void *
		mov	ecx, edi
		push	[ebp+arg_4]	; int
		call	_CmpGetSecurityDescriptorNode@24 ; CmpGetSecurityDescriptorNode(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_942338
		mov	edx, [ebp+arg_8]
		mov	ecx, edi
		call	_CmpFreeSecurityDescriptor@8 ; CmpFreeSecurityDescriptor(x,x)
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_1C]
		or	[ebp+var_20], 0FFFFFFFFh
		mov	[ecx+2Ch], eax
		jmp	short loc_942350
; 

loc_942338:				; CODE XREF: CmpCopySaclToVirtualKey(x,x,x,x,x)+1EEj
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_20], eax
		jmp	short loc_942350
; 

loc_942340:				; CODE XREF: CmpCopySaclToVirtualKey(x,x,x,x,x)+1B3j
					; CmpCopySaclToVirtualKey(x,x,x,x,x)+1C3j ...
		push	1
		push	esi
		push	[ebp+var_10]
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)
		mov	esi, 0C000017Dh

loc_942350:				; CODE XREF: CmpCopySaclToVirtualKey(x,x,x,x,x)+7Fj
					; CmpCopySaclToVirtualKey(x,x,x,x,x)+88j ...
		cmp	[ebp+var_10], 0
		jz	short loc_942362
		push	1
		push	0
		push	[ebp+var_10]
		call	_SeReleaseSecurityDescriptor@12	; SeReleaseSecurityDescriptor(x,x,x)

loc_942362:				; CODE XREF: CmpCopySaclToVirtualKey(x,x,x,x,x)+225j
		test	ebx, ebx
		jz	short loc_94236E
		lea	eax, [ebp+var_30]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_94236E:				; CODE XREF: CmpCopySaclToVirtualKey(x,x,x,x,x)+235j
		lea	eax, [ebp+var_38]
		push	eax
		mov	eax, [ebp+var_28]
		push	eax
		call	dword ptr [eax+8]
		mov	eax, [ebp+var_20]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_94238A
		mov	edx, eax
		mov	ecx, edi
		call	_CmpDereferenceSecurityNode@8 ;	CmpDereferenceSecurityNode(x,x)

loc_94238A:				; CODE XREF: CmpCopySaclToVirtualKey(x,x,x,x,x)+250j
		mov	eax, esi

loc_94238C:				; CODE XREF: CmpCopySaclToVirtualKey(x,x,x,x,x)+5Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_CmpCopySaclToVirtualKey@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoAccessCheckOnKcbSubtree(x, x, x, x, x)
_CmpDoAccessCheckOnKcbSubtree@20 proc near ; CODE XREF:	CmRenameKey(x,x,x,x)+2B1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	1
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	0
		call	_CmpDoAccessCheckOnLayeredSubtree@24 ; CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)
		pop	ecx
		pop	ebp
		retn	0Ch
_CmpDoAccessCheckOnKcbSubtree@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoAccessCheckOnLayeredSubtree(x,	x, x, x, x, x)
_CmpDoAccessCheckOnLayeredSubtree@24 proc near
					; CODE XREF: CmpDoAccessCheckOnKcbSubtree(x,x,x,x,x)+10p
					; CmSaveKey(x,x,x,x)+14Ep

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	3Ch		; size_t
		push	eax		; int
		mov	[ebp+var_48], eax
		mov	edi, ecx
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_40]
		push	eax		; void *
		mov	[ebp+var_4C], edx
		mov	[ebp+var_44], esi
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_38] ; void *
		push	0FFFFFFFEh
		pop	eax
		mov	word ptr [ebp+var_40], ax
		call	_CmpInitializeKeyNodeStack@4 ; CmpInitializeKeyNodeStack(x)
		mov	ebx, [ebp+arg_C]
		shr	ebx, 1
		and	bl, 1
		test	byte ptr [ebp+arg_C], 1
		jz	short loc_942439
		test	edi, edi
		jz	short loc_942422
		mov	edx, [ebp+var_4C]
		mov	ecx, edi
		push	0
		call	_CmpGetSecurityCacheEntryForKcbStack@12	; CmpGetSecurityCacheEntryForKcbStack(x,x,x)
		mov	dl, [ebp+arg_4]
		push	ebx
		push	[ebp+arg_8]
		lea	ecx, [eax+18h]
		call	CmpCheckKeySecurityDescriptorAccess
		jmp	short loc_942430
; 

loc_942422:				; CODE XREF: CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+56j
		mov	dl, [ebp+arg_4]
		mov	ecx, esi
		push	ebx
		push	[ebp+arg_8]
		call	_CmpCheckKeyNodeStackAccess@16 ; CmpCheckKeyNodeStackAccess(x,x,x,x)

loc_942430:				; CODE XREF: CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+73j
		mov	esi, eax
		test	esi, esi
		js	short loc_9424AB
		mov	esi, [ebp+var_44]

loc_942439:				; CODE XREF: CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+52j
		lea	ecx, [ebp+var_40]
		test	edi, edi
		jz	short loc_942449
		mov	edx, edi
		call	_CmpSubtreeEnumeratorStartForKcbStack@8	; CmpSubtreeEnumeratorStartForKcbStack(x,x)
		jmp	short loc_942490
; 

loc_942449:				; CODE XREF: CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+91j
		mov	edx, esi
		call	_CmpSubtreeEnumeratorStartForKeyNodeStack@8 ; CmpSubtreeEnumeratorStartForKeyNodeStack(x,x)
		jmp	short loc_942490
; 

loc_942452:				; CODE XREF: CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+E7j
		lea	ecx, [ebp+var_40]
		call	_CmpSubtreeEnumeratorAdvance@4 ; CmpSubtreeEnumeratorAdvance(x)
		cmp	eax, 8000001Ah
		jz	short loc_9424A9
		lea	eax, [ebp+var_50]
		push	eax
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_CmpSubtreeEnumeratorGetCurrentKeyStacks@12 ; CmpSubtreeEnumeratorGetCurrentKeyStacks(x,x,x)
		mov	ecx, [ebp+var_48]
		test	ecx, ecx
		jz	short loc_942498
		mov	edx, [ebp+var_4C]
		push	0
		call	_CmpGetSecurityCacheEntryForKcbStack@12	; CmpGetSecurityCacheEntryForKcbStack(x,x,x)
		mov	dl, [ebp+arg_4]
		push	ebx
		push	[ebp+arg_8]
		lea	ecx, [eax+18h]
		call	CmpCheckKeySecurityDescriptorAccess

loc_942490:				; CODE XREF: CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+9Aj
					; CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+A3j ...
		mov	esi, eax
		test	esi, esi
		jns	short loc_942452
		jmp	short loc_9424AB
; 

loc_942498:				; CODE XREF: CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+C8j
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+var_50]
		push	ebx
		push	[ebp+arg_8]
		call	_CmpCheckKeyNodeStackAccess@16 ; CmpCheckKeyNodeStackAccess(x,x,x,x)
		jmp	short loc_942490
; 

loc_9424A9:				; CODE XREF: CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+B2j
		xor	esi, esi

loc_9424AB:				; CODE XREF: CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+87j
					; CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+E9j
		lea	ecx, [ebp+var_40]
		call	_CmpSubtreeEnumeratorCleanup@4 ; CmpSubtreeEnumeratorCleanup(x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_CmpDoAccessCheckOnLayeredSubtree@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoAccessCheckOnSubtree(x, x, x, x, x)
_CmpDoAccessCheckOnSubtree@20 proc near	; CODE XREF: CmDumpKey(x,x,x)+CCp
					; CmRestoreKey(x,x,x,x)+580p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_8]
		or	[ebp+var_18], 0FFFFFFFFh
		and	eax, 1
		and	[ebp+var_14], 0
		and	[ebp+var_8], 0
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		shr	eax, 1
		mov	ebx, ecx
		push	esi
		and	al, 1
		mov	esi, edx
		test	[ebp+arg_8], 0FFFFFFFCh
		push	edi
		mov	byte ptr [ebp+var_C], al
		jz	short loc_942507
		mov	esi, 0C000000Dh
		jmp	loc_942612
; 

loc_942507:				; CODE XREF: CmpDoAccessCheckOnSubtree(x,x,x,x,x)+35j
		xor	ecx, ecx
		mov	edx, 2800h
		push	74634D43h
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jnz	short loc_94252C
		mov	esi, 0C000009Ah
		jmp	loc_942612
; 

loc_94252C:				; CODE XREF: CmpDoAccessCheckOnSubtree(x,x,x,x,x)+5Aj
		mov	eax, [ebp+var_4]
		mov	edi, ecx
		and	dword ptr [ecx+0Ch], 0
		xor	al, 1
		mov	[ecx], esi
		xor	esi, esi
		mov	[ecx+10h], al
		mov	[ebp+arg_8], esi

loc_942541:				; CODE XREF: CmpDoAccessCheckOnSubtree(x,x,x,x,x)+118j
		cmp	byte ptr [edi+10h], 0
		jnz	short loc_94256A
		push	[ebp+var_C]
		mov	edx, [edi]
		mov	ecx, ebx
		push	[ebp+arg_4]
		mov	byte ptr [edi+10h], 1
		push	[ebp+arg_0]
		call	_CmpCheckKeyAccess@20 ;	CmpCheckKeyAccess(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_942605
		mov	esi, [ebp+arg_8]

loc_94256A:				; CODE XREF: CmpDoAccessCheckOnSubtree(x,x,x,x,x)+7Fj
		mov	eax, [edi]
		lea	ecx, [ebp+var_18]
		push	ecx
		push	eax
		push	ebx
		call	dword ptr [ebx+4]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_942600
		mov	ecx, [eax+18h]
		add	ecx, [eax+14h]
		mov	edx, [edi+0Ch]
		cmp	edx, ecx
		jnb	short loc_9425C9
		lea	ecx, [ebp+var_8]
		push	ecx
		push	edx
		mov	edx, eax
		mov	ecx, ebx
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9425EF
		mov	eax, [ebp+var_8]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9425EA
		inc	dword ptr [edi+0Ch]
		add	edi, 14h
		mov	esi, [ebp+arg_8]
		cmp	esi, 1FFh
		jz	short loc_9425EA
		and	dword ptr [edi+0Ch], 0
		mov	[edi], eax
		xor	eax, eax
		mov	byte ptr [edi+10h], 0
		inc	eax
		jmp	short loc_9425CF
; 

loc_9425C9:				; CODE XREF: CmpDoAccessCheckOnSubtree(x,x,x,x,x)+C5j
		sub	edi, 14h
		or	eax, 0FFFFFFFFh

loc_9425CF:				; CODE XREF: CmpDoAccessCheckOnSubtree(x,x,x,x,x)+101j
		add	esi, eax
		lea	eax, [ebp+var_18]
		push	eax
		push	ebx
		mov	[ebp+arg_8], esi
		call	dword ptr [ebx+8]
		test	esi, esi
		jns	loc_942541
		xor	esi, esi
		xor	eax, eax
		jmp	short loc_9425F2
; 

loc_9425EA:				; CODE XREF: CmpDoAccessCheckOnSubtree(x,x,x,x,x)+E1j
					; CmpDoAccessCheckOnSubtree(x,x,x,x,x)+F2j
		mov	esi, 0C000009Ah

loc_9425EF:				; CODE XREF: CmpDoAccessCheckOnSubtree(x,x,x,x,x)+D9j
		mov	eax, [ebp+var_4]

loc_9425F2:				; CODE XREF: CmpDoAccessCheckOnSubtree(x,x,x,x,x)+122j
		test	eax, eax
		jz	short loc_942605
		lea	eax, [ebp+var_18]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		jmp	short loc_942605
; 

loc_942600:				; CODE XREF: CmpDoAccessCheckOnSubtree(x,x,x,x,x)+B4j
		mov	esi, 0C000009Ah

loc_942605:				; CODE XREF: CmpDoAccessCheckOnSubtree(x,x,x,x,x)+9Bj
					; CmpDoAccessCheckOnSubtree(x,x,x,x,x)+12Ej ...
		mov	ecx, [ebp+var_10]
		mov	edx, 74634D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_942612:				; CODE XREF: CmpDoAccessCheckOnSubtree(x,x,x,x,x)+3Cj
					; CmpDoAccessCheckOnSubtree(x,x,x,x,x)+61j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_CmpDoAccessCheckOnSubtree@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpExamineSaclForAuditEvent(x, x, x)
_CmpExamineSaclForAuditEvent@12	proc near
					; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+14Bp
					; CmKeyBodyReplicateToVirtual(x,x,x,x,x)+1E4p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, edx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	byte ptr [ebp+var_1], al
		mov	[ebp+var_2], al
		mov	[ebp+var_3], al
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[edi], al
		mov	[ebp+var_8], eax
		lea	eax, [ebp+arg_0+3]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_3]
		push	eax
		push	ecx
		call	_RtlGetSaclSecurityDescriptor@16 ; RtlGetSaclSecurityDescriptor(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9426C4
		cmp	[ebp+var_3], 0
		jz	short loc_942683
		lea	eax, [ebp-2]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_1]
		mov	ecx, ebx
		push	eax
		push	1
		push	0F003Fh
		call	CmpEffectiveTokenForSubject
		push	eax
		push	[ebp+var_8]
		push	[ebp+var_8]
		call	_SeExamineSacl@28 ; SeExamineSacl(x,x,x,x,x,x,x)

loc_942683:				; CODE XREF: CmpExamineSaclForAuditEvent(x,x,x)+42j
		push	offset ??_C@_17KACEIPNC@?$AAK?$AAe?$AAy@NNGAKEGL@ ; "K"
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp-2]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_1]
		mov	ecx, ebx
		push	eax
		push	1
		push	0F003Fh
		call	CmpEffectiveTokenForSubject
		mov	edx, [ebp+var_8]
		lea	ecx, [ebp+var_10]
		push	eax
		call	_SeExamineGlobalSacl@28	; SeExamineGlobalSacl(x,x,x,x,x,x,x)
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_9426C1
		cmp	[ebp+var_2], 0
		jz	short loc_9426C4

loc_9426C1:				; CODE XREF: CmpExamineSaclForAuditEvent(x,x,x)+9Ej
		mov	byte ptr [edi],	1

loc_9426C4:				; CODE XREF: CmpExamineSaclForAuditEvent(x,x,x)+3Cj
					; CmpExamineSaclForAuditEvent(x,x,x)+A4j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpExamineSaclForAuditEvent@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetSecurityCellForKeyNodeStack(x, x, x)
_CmpGetSecurityCellForKeyNodeStack@12 proc near
					; CODE XREF: CmpCheckKeyNodeStackAccess(x,x,x,x)+2Ap
					; CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+86p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	esi, esi
		movzx	edx, word ptr [edi]
		test	dx, dx
		js	short loc_942727

loc_9426E4:				; CODE XREF: CmpGetSecurityCellForKeyNodeStack(x,x,x)+58j
		movzx	eax, dx
		mov	ecx, edi
		mov	[ebp+var_4], eax
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	edx, eax
		mov	eax, [edx+8]
		test	eax, eax
		jz	short loc_942719
		mov	ecx, [edx]
		test	dword ptr [ecx+64h], 80000h
		jz	short loc_942717
		movzx	eax, byte ptr [eax+0Dh]
		and	eax, 3
		cmp	eax, 1
		jz	short loc_942727
		mov	esi, edx
		test	eax, eax
		jnz	short loc_942727

loc_942717:				; CODE XREF: CmpGetSecurityCellForKeyNodeStack(x,x,x)+36j
		mov	esi, edx

loc_942719:				; CODE XREF: CmpGetSecurityCellForKeyNodeStack(x,x,x)+2Bj
		mov	eax, [ebp+var_4]
		dec	eax
		movzx	eax, ax
		mov	edx, eax
		test	ax, ax
		jns	short loc_9426E4

loc_942727:				; CODE XREF: CmpGetSecurityCellForKeyNodeStack(x,x,x)+15j
					; CmpGetSecurityCellForKeyNodeStack(x,x,x)+42j	...
		mov	eax, [esi]
		mov	[ebx], eax
		mov	eax, [esi+8]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [eax+2Ch]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		leave
		retn	4
_CmpGetSecurityCellForKeyNodeStack@12 endp


;  S U B	R O U T	I N E 


; __stdcall CmpGetSecurityDescriptorForKcbStack(x, x)
_CmpGetSecurityDescriptorForKcbStack@8 proc near ; CODE	XREF: CmpCreateTombstone(x,x)+13Bp
		push	0
		call	_CmpGetSecurityCacheEntryForKcbStack@12	; CmpGetSecurityCacheEntryForKcbStack(x,x,x)
		add	eax, 18h
		retn
_CmpGetSecurityDescriptorForKcbStack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpReportAuditVirtualizationEvent(x, x)
_CmpReportAuditVirtualizationEvent@8 proc near
					; CODE XREF: CmpVEExecuteCreateLogic(x,x,x,x,x,x,x,x,x)+161p
					; CmKeyBodyReplicateToVirtual(x,x,x,x,x)+1FEp

var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_28E		= word ptr -28Eh
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	298h		; size_t
		lea	eax, [ebp+var_2A0]
		mov	[ebp+var_2A4], ecx
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_2B4], esi
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		mov	[ebp+var_2C4], eax
		mov	ebx, eax
		mov	[ebp+var_2C0], eax
		mov	edi, eax
		mov	[ebp+var_2BC], eax
		mov	[ebp+var_2B8], eax
		mov	[ebp+var_2B0], eax
		mov	[ebp+var_2AC], eax
		mov	[ebp+var_2A8], eax
		lea	eax, [ebp+var_2C4]
		push	offset ??_C@_1BC@FCJNIDNL@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		and	[ebp+var_298], ebx
		xor	edx, edx
		push	8
		pop	eax
		mov	ecx, esi
		mov	[ebp+var_29C], 13AFh
		mov	[ebp+var_2A0], 3
		mov	[ebp+var_28E], ax
		call	CmpEffectiveTokenForSubject
		mov	ecx, [eax+18h]
		mov	[ebp+var_2CC], ecx
		mov	eax, [eax+1Ch]
		mov	[ebp+var_2C8], eax
		lea	eax, [ebp+var_2CC]
		push	eax
		push	edx
		push	5
		lea	eax, [ebp+var_2A0]
		push	eax
		call	SeSetAuditParameter
		inc	[ebp+var_298]
		mov	esi, eax
		test	esi, esi
		js	loc_9429B2
		mov	esi, [ebp+var_2A4]
		cmp	_CmpVEEnabled, bl
		jz	short loc_942887
		test	dword ptr [esi+68h], 1000000h
		jz	short loc_942887
		and	[ebp+var_2A4], ebx
		lea	edx, [ebp+var_2A4]
		mov	ecx, esi
		call	CmpConstructNameWithStatus
		mov	edi, [ebp+var_2A4]
		test	edi, edi
		jnz	short loc_942868

loc_94285E:				; CODE XREF: CmpReportAuditVirtualizationEvent(x,x)+15Aj
		mov	esi, 0C000009Ah
		jmp	loc_9429B2
; 

loc_942868:				; CODE XREF: CmpReportAuditVirtualizationEvent(x,x)+114j
		lea	edx, [ebp+var_2B0]
		mov	ecx, esi
		call	_CmVirtualKCBToRealPath@8 ; CmVirtualKCBToRealPath(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9429B2
		lea	ebx, [ebp+var_2B0]
		jmp	short loc_9428DC
; 

loc_942887:				; CODE XREF: CmpReportAuditVirtualizationEvent(x,x)+EEj
					; CmpReportAuditVirtualizationEvent(x,x)+F7j
		and	[ebp+var_2A4], ebx
		lea	edx, [ebp+var_2A4]
		mov	ecx, esi
		call	CmpConstructNameWithStatus
		mov	ebx, [ebp+var_2A4]
		test	ebx, ebx
		jz	short loc_94285E
		push	0
		lea	eax, [ebp+var_2BC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_2B0]
		mov	ecx, esi
		push	eax
		push	[ebp+var_2B4]
		lea	edx, [ebp+var_2BC]
		call	_CmRealKCBToVirtualPath@16 ; CmRealKCBToVirtualPath(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9429B2
		lea	edi, [ebp+var_2B0]

loc_9428DC:				; CODE XREF: CmpReportAuditVirtualizationEvent(x,x)+13Dj
		push	ebx
		push	[ebp+var_298]
		lea	eax, [ebp+var_2A0]
		push	1
		push	eax
		call	SeSetAuditParameter
		mov	esi, eax
		mov	eax, [ebp+var_298]
		inc	eax
		mov	[ebp+var_298], eax
		test	esi, esi
		js	loc_9429B2
		push	edi
		push	eax
		push	1
		lea	eax, [ebp+var_2A0]
		push	eax
		call	SeSetAuditParameter
		inc	[ebp+var_298]
		mov	esi, eax
		test	esi, esi
		js	loc_9429B2
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		lea	edx, [ebp+var_2A8]
		mov	ecx, eax
		call	PsGetAllocatedFullProcessImageNameEx
		mov	esi, eax
		test	esi, esi
		js	short loc_9429B2
		mov	eax, [ebp+var_2B4]
		push	dword ptr [eax+0Ch]
		lea	eax, [ebp+var_2A0]
		push	[ebp+var_298]
		push	0Bh
		push	eax
		call	SeSetAuditParameter
		mov	esi, eax
		mov	eax, [ebp+var_298]
		inc	eax
		mov	[ebp+var_298], eax
		test	esi, esi
		js	short loc_9429B2
		push	[ebp+var_2A8]
		push	eax
		push	2
		lea	eax, [ebp+var_2A0]
		push	eax
		call	SeSetAuditParameter
		inc	[ebp+var_298]
		mov	esi, eax
		test	esi, esi
		js	short loc_9429B2
		push	76h
		lea	eax, [ebp+var_2A0]
		push	eax
		push	0
		lea	eax, [ebp+var_2C4]
		push	eax
		push	0
		call	SeReportSecurityEventWithSubCategory
		mov	esi, eax
		test	esi, esi
		js	short loc_9429B2
		xor	esi, esi

loc_9429B2:				; CODE XREF: CmpReportAuditVirtualizationEvent(x,x)+DCj
					; CmpReportAuditVirtualizationEvent(x,x)+11Bj ...
		cmp	[ebp+var_2A8], 0
		jz	short loc_9429CB
		push	61506553h
		push	[ebp+var_2A8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9429CB:				; CODE XREF: CmpReportAuditVirtualizationEvent(x,x)+271j
		lea	eax, [ebp+var_2B0]
		cmp	ebx, eax
		jnz	short loc_9429DD
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	short loc_9429ED
; 

loc_9429DD:				; CODE XREF: CmpReportAuditVirtualizationEvent(x,x)+28Bj
		test	ebx, ebx
		jz	short loc_9429ED
		mov	edx, 624E4D43h
		mov	ecx, ebx
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_9429ED:				; CODE XREF: CmpReportAuditVirtualizationEvent(x,x)+293j
					; CmpReportAuditVirtualizationEvent(x,x)+297j
		lea	eax, [ebp+var_2B0]
		cmp	edi, eax
		jnz	short loc_9429FF
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	short loc_942A0F
; 

loc_9429FF:				; CODE XREF: CmpReportAuditVirtualizationEvent(x,x)+2ADj
		test	edi, edi
		jz	short loc_942A0F
		mov	edx, 624E4D43h
		mov	ecx, edi
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_942A0F:				; CODE XREF: CmpReportAuditVirtualizationEvent(x,x)+2B5j
					; CmpReportAuditVirtualizationEvent(x,x)+2B9j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpReportAuditVirtualizationEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSetAccessStateForBackupRestore(x, x, x, x)
_CmpSetAccessStateForBackupRestore@16 proc near
					; CODE XREF: CmpCheckOpenAccessOnKeyBody(x,x,x,x,x,x,x,x,x)+3Bp
					; CmpCheckCreateAccessOnKcbStack+126066p ...

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		push	edi
		and	dword ptr [esi+14h], 0
		lea	ecx, [esi+1Ch]
		push	ds:dword_A949E4
		push	ds:_SeBackupPrivilege
		call	_SeSinglePrivilegeCheckEx@16 ; SeSinglePrivilegeCheckEx(x,x,x,x)
		test	al, al
		jz	short loc_942A54
		or	dword ptr [esi+0Ch], 2
		or	dword ptr [esi+14h], 1020019h

loc_942A54:				; CODE XREF: CmpSetAccessStateForBackupRestore(x,x,x,x)+27j
		push	ds:dword_A949DC
		mov	dl, bl
		lea	ecx, [esi+1Ch]
		push	ds:_SeRestorePrivilege
		call	_SeSinglePrivilegeCheckEx@16 ; SeSinglePrivilegeCheckEx(x,x,x,x)
		mov	ecx, [esi+14h]
		test	al, al
		jz	short loc_942A7E
		or	dword ptr [esi+0Ch], 4
		or	ecx, 10F0006h
		mov	[esi+14h], ecx

loc_942A7E:				; CODE XREF: CmpSetAccessStateForBackupRestore(x,x,x,x)+4Fj
		cmp	[ebp+arg_4], 0
		jz	short loc_942A87
		mov	[esi+18h], ecx

loc_942A87:				; CODE XREF: CmpSetAccessStateForBackupRestore(x,x,x,x)+62j
		test	ecx, ecx
		jnz	short loc_942A92
		mov	eax, 0C0000022h
		jmp	short loc_942AB2
; 

loc_942A92:				; CODE XREF: CmpSetAccessStateForBackupRestore(x,x,x,x)+69j
		mov	edx, [ebp+arg_0]
		mov	ecx, ds:_CmKeyObjectType
		push	esi
		push	1
		call	_SepAdjustAccessStateForConstraints@16 ; SepAdjustAccessStateForConstraints(x,x,x,x)
		mov	ecx, [esi+14h]
		mov	eax, [esi+18h]
		not	ecx
		and	eax, ecx
		mov	[esi+10h], eax
		xor	eax, eax

loc_942AB2:				; CODE XREF: CmpSetAccessStateForBackupRestore(x,x,x,x)+70j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_CmpSetAccessStateForBackupRestore@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSnapshotKcbStackSecurity(x, x, x, x)
_CmpSnapshotKcbStackSecurity@16	proc near ; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+596p
					; CmDeleteValueKey+181708p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		push	esi
		call	_CmpGetSecurityCacheEntryForKcbStack@12	; CmpGetSecurityCacheEntryForKcbStack(x,x,x)
		push	[ebp+arg_0]
		mov	edi, eax
		xor	ecx, ecx
		inc	ecx
		mov	edx, [edi+10h]
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_942AE7
		mov	esi, 0C000009Ah
		jmp	short loc_942AFC
; 

loc_942AE7:				; CODE XREF: CmpSnapshotKcbStackSecurity(x,x,x,x)+24j
		push	dword ptr [edi+10h] ; size_t
		lea	ecx, [edi+18h]
		push	ecx		; void *
		push	ebx		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_4]
		add	esp, 0Ch
		mov	[ecx], ebx

loc_942AFC:				; CODE XREF: CmpSnapshotKcbStackSecurity(x,x,x,x)+2Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_CmpSnapshotKcbStackSecurity@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFreezeRegistry(x)
_CmFreezeRegistry@4 proc near		; CODE XREF: NtFreezeRegistry(x)+6Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_4], edi
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_942B47
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, 0C0000189h
		jmp	loc_942CEB
; 

loc_942B47:				; CODE XREF: CmFreezeRegistry(x)+2Aj
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		cmp	_CmpFreezeThawState, esi
		jz	short loc_942B63
		mov	esi, 0C0000189h
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		jmp	loc_942CD5
; 

loc_942B63:				; CODE XREF: CmFreezeRegistry(x)+4Dj
		xor	ecx, ecx
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_942C3F

loc_942B74:				; CODE XREF: CmFreezeRegistry(x)+131j
		test	byte ptr [ebx+64h], 3
		jnz	loc_942C2B
		mov	eax, [ebx+20h]
		lea	esi, [eax+70h]
		lea	edi, [eax+0FD8h]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebx+20h]
		lea	esi, [eax+94h]
		lea	edi, [eax+0FC8h]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebx+20h]
		lea	esi, [eax+80h]
		lea	edi, [eax+0FE8h]
		xor	eax, eax
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebx+20h]
		xor	esi, esi
		add	edi, 70h
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, [ebx+20h]
		add	edi, 94h
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, [ebx+20h]
		sub	edi, 0FFFFFF80h
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebx+20h]
		mov	[eax+0A4h], esi
		mov	eax, [ebx+980h]
		and	eax, 300h
		cmp	eax, 100h
		jz	short loc_942C2B
		cmp	[ebx+34h], esi
		jnz	short loc_942C2B
		lea	edi, [ebx+28h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, ebx
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_942C24
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_942C24:				; CODE XREF: CmFreezeRegistry(x)+116j
		mov	ecx, edi
		call	KeAbPostRelease

loc_942C2B:				; CODE XREF: CmFreezeRegistry(x)+73j
					; CmFreezeRegistry(x)+F1j ...
		mov	ecx, ebx
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_942B74
		mov	edi, [ebp+var_4]

loc_942C3F:				; CODE XREF: CmFreezeRegistry(x)+69j
		mov	_CmpFreezeThawState, 1
		test	edi, edi
		jnz	short loc_942C53
		mov	edi, _CmFreezeThawTimeoutInSeconds

loc_942C53:				; CODE XREF: CmFreezeRegistry(x)+146j
		mov	ecx, 0FF676980h
		mov	eax, edi
		imul	ecx
		mov	ecx, offset _CmpFreezeThawTimer
		push	edx
		push	eax
		push	offset _CmpFreezeThawDpc
		push	esi
		xor	edx, edx
		call	KiSetTimerEx
		push	2
		pop	ecx
		call	_CmpDisableLazyFlush@4 ; CmpDisableLazyFlush(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	ecx, ecx
		jmp	short loc_942CA7
; 

loc_942C8F:				; CODE XREF: CmFreezeRegistry(x)+1ABj
		test	byte ptr [edi+64h], 3
		jnz	short loc_942CA5
		push	0Dh
		pop	edx
		mov	ecx, edi
		call	CmpFlushHive
		mov	esi, eax
		test	esi, esi
		js	short loc_942CB4

loc_942CA5:				; CODE XREF: CmFreezeRegistry(x)+18Ej
		mov	ecx, edi

loc_942CA7:				; CODE XREF: CmFreezeRegistry(x)+188j
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_942C8F
		jmp	short loc_942CC9
; 

loc_942CB4:				; CODE XREF: CmFreezeRegistry(x)+19Ej
		lea	ecx, [edi+430h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		call	_CmThawRegistry@0 ; CmThawRegistry()
		mov	esi, 0C000014Dh

loc_942CC9:				; CODE XREF: CmFreezeRegistry(x)+1ADj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_942CD5:				; CODE XREF: CmFreezeRegistry(x)+59j
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_942CEB:				; CODE XREF: CmFreezeRegistry(x)+3Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmFreezeRegistry@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmThawRegistry()
_CmThawRegistry@0 proc near		; CODE XREF: NtThawRegistry()+5Cp
					; CmFreezeRegistry(x)+1BAp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	offset _CmpFreezeThawTimer
		xor	esi, esi
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_942D35
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, 0C0000189h
		jmp	loc_942E75
; 

loc_942D35:				; CODE XREF: CmThawRegistry()+2Bj
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		cmp	_CmpFreezeThawState, 1
		jz	short loc_942D4D
		mov	esi, 0C0000189h
		jmp	loc_942E5A
; 

loc_942D4D:				; CODE XREF: CmThawRegistry()+4Fj
		xor	ecx, ecx
		jmp	loc_942DEC
; 

loc_942D54:				; CODE XREF: CmThawRegistry()+103j
		mov	edi, [ebx+20h]
		cmp	[edi+0A4h], esi
		jnz	loc_942DEA
		lea	esi, [edi+0FD8h]
		add	edi, 70h
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebx+20h]
		lea	esi, [eax+0FC8h]
		lea	edi, [eax+94h]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebx+20h]
		lea	esi, [eax+0FE8h]
		lea	edi, [eax+80h]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebx+20h]
		xor	esi, esi
		mov	dword ptr [eax+0A4h], 6D746D72h
		mov	eax, [ebx+980h]
		and	eax, 300h
		cmp	eax, 100h
		jz	short loc_942DEA
		cmp	[ebx+34h], esi
		jnz	short loc_942DEA
		lea	edi, [ebx+28h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, ebx
		call	_HvMarkBaseBlockDirty@4	; HvMarkBaseBlockDirty(x)
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_942DE3
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_942DE3:				; CODE XREF: CmThawRegistry()+E8j
		mov	ecx, edi
		call	KeAbPostRelease

loc_942DEA:				; CODE XREF: CmThawRegistry()+6Bj
					; CmThawRegistry()+C3j	...
		mov	ecx, ebx

loc_942DEC:				; CODE XREF: CmThawRegistry()+5Dj
		call	_CmpGetNextActiveHive@4	; CmpGetNextActiveHive(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_942D54
		mov	ebx, offset _CmpFreezeThawWaitListHead

loc_942E00:				; CODE XREF: CmThawRegistry()+153j
		cmp	_CmpFreezeThawWaitListHead, ebx
		jz	short loc_942E4C
		xor	edx, edx
		mov	ecx, offset _CmpFreezeListLock
		call	ExAcquirePushLockExclusiveEx
		mov	edi, _CmpFreezeThawWaitListHead
		cmp	[edi+4], ebx
		jnz	short loc_942E47
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_942E47
		mov	_CmpFreezeThawWaitListHead, eax
		xor	edx, edx
		mov	ecx, offset _CmpFreezeListLock
		mov	[eax+4], ebx
		call	ExReleasePushLockEx
		push	esi
		push	esi
		lea	eax, [edi+8]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_942E00
; 

loc_942E47:				; CODE XREF: CmThawRegistry()+12Bj
					; CmThawRegistry()+132j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_942E4C:				; CODE XREF: CmThawRegistry()+114j
		push	2
		pop	ecx
		mov	_CmpFreezeThawState, esi
		call	_CmpEnableLazyFlush@4 ;	CmpEnableLazyFlush(x)

loc_942E5A:				; CODE XREF: CmThawRegistry()+56j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_942E75:				; CODE XREF: CmThawRegistry()+3Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_CmThawRegistry@0 endp


;  S U B	R O U T	I N E 


; __stdcall CmpFreezeThawWorker(x)
_CmpFreezeThawWorker@4 proc near	; DATA XREF: CmpCmdInit+9Ao
		and	_CmpFreezeThawPending, 0
		cmp	_CmpFreezeThawState, 1
		jnz	short locret_942E90
		call	_CmThawRegistry@0 ; CmThawRegistry()

locret_942E90:				; CODE XREF: CmpFreezeThawWorker(x)+Ej
		retn	4
_CmpFreezeThawWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpLogEntryCheckDataChecksum(x, x, x)
_HvpLogEntryCheckDataChecksum@12 proc near
					; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+D4p

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [edx-28h]
		lea	edx, [ecx+28h]
		mov	ecx, offset _HvSymcryptSeed
		push	eax
		call	@SymCryptMarvin32@16 ; SymCryptMarvin32(x,x,x,x)
		push	8		; size_t
		lea	eax, [ebp+var_C]
		push	eax		; void *
		mov	eax, [ebp+arg_0]
		add	eax, 18h
		push	eax		; void *
		call	_memcmp
		xor	ecx, ecx
		add	esp, 0Ch
		test	eax, eax
		setz	cl
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_HvpLogEntryCheckDataChecksum@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpLogEntryCheckHeaderChecksum(x)
_HvpLogEntryCheckHeaderChecksum@4 proc near
					; CODE XREF: HvpIsLogEntryHeaderCoherent(x,x,x):loc_951492p

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi], 454C7648h
		jz	short loc_942F07
		xor	eax, eax
		jmp	short loc_942F34
; 

loc_942F07:				; CODE XREF: HvpLogEntryCheckHeaderChecksum(x)+1Bj
		lea	eax, [ebp+var_C]
		mov	edx, esi
		push	eax
		push	20h
		mov	ecx, offset _HvSymcryptSeed
		call	@SymCryptMarvin32@16 ; SymCryptMarvin32(x,x,x,x)
		push	8		; size_t
		lea	eax, [ebp+var_C]
		push	eax		; void *
		lea	eax, [esi+20h]
		push	eax		; void *
		call	_memcmp
		xor	ecx, ecx
		add	esp, 0Ch
		test	eax, eax
		setz	cl
		mov	eax, ecx

loc_942F34:				; CODE XREF: HvpLogEntryCheckHeaderChecksum(x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_HvpLogEntryCheckHeaderChecksum@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmReconcileAndValidateAllHives()
_CmReconcileAndValidateAllHives@0 proc near ; CODE XREF: PAGE:loc_7B4759p

var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+20h+var_4], eax
		push	esi
		push	edi
		push	6
		xor	eax, eax
		lea	edi, [esp+2Ch+var_1C]
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _CmpShutdownRundown
		mov	ecx, esi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_942FA5
		lea	ecx, [esp+28h+var_1C]
		call	CmpAttachToRegistryProcess
		push	0Ch
		pop	ecx
		call	_CmpDoFlushAll@4 ; CmpDoFlushAll(x)
		xor	edx, edx
		lea	ecx, [esp+28h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, esi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_942FA5:				; CODE XREF: CmReconcileAndValidateAllHives()+3Fj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [esp+28h+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_CmReconcileAndValidateAllHives@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpWaitOnHiveWriteQueue(x, x)
_CmpWaitOnHiveWriteQueue@8 proc	near	; CODE XREF: CmpFlushHive+17D999p
					; CmpFlushHive+17D9C9p	...

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [ebp+var_18]
		pop	ecx
		xor	eax, eax
		mov	ebx, edx
		rep stosd
		xor	edi, edi
		lea	eax, [ebp+var_18]
		push	edi
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [ebx+4]
		add	esi, 24h
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_18]
		mov	[ebx+4], eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_94300E
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_94300E:				; CODE XREF: CmpWaitOnHiveWriteQueue(x,x)+41j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_CmpTraceHiveFlushStartWaitForActive@0 ; CmpTraceHiveFlushStartWaitForActive()
		push	edi
		xor	edx, edx
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	esi, eax
		test	esi, esi
		jz	short loc_943036
		mov	ecx, esi
		call	_KeAbPreWait@4	; KeAbPreWait(x)

loc_943036:				; CODE XREF: CmpWaitOnHiveWriteQueue(x,x)+69j
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_18]
		push	eax
		call	KeWaitForSingleObject
		test	esi, esi
		jz	short loc_94305A
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	edx, eax
		mov	ecx, ebx
		call	KeAbPostReleaseEx

loc_94305A:				; CODE XREF: CmpWaitOnHiveWriteQueue(x,x)+81j
		call	_CmpTraceHiveFlushFinishWaitForActive@0	; CmpTraceHiveFlushFinishWaitForActive()
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpWaitOnHiveWriteQueue@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpFreeSiloKeyLockEntry(x)
_CmpFreeSiloKeyLockEntry@4 proc	near	; CODE XREF: CmLockKeyForWrite+8A8B5p
					; CmpStopSiloKeyLockTracker(x)+87p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi+0Ch]
		test	edx, edx
		jz	short loc_94307B
		mov	ecx, [esi+8]
		call	_CmpGlobalUnlockKeyForWrite@8 ;	CmpGlobalUnlockKeyForWrite(x,x)

loc_94307B:				; CODE XREF: CmpFreeSiloKeyLockEntry(x)+Aj
		mov	ecx, [esi+8]
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		mov	edx, 34374D43h
		mov	ecx, esi
		pop	esi
		jmp	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
_CmpFreeSiloKeyLockEntry@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpGlobalUnlockKeyForWrite(x, x)
_CmpGlobalUnlockKeyForWrite@8 proc near	; CODE XREF: CmpFreeSiloKeyLockEntry(x)+Fp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		lea	ecx, [edi+8]
		mov	edx, [ecx]
		lea	esi, [edx-1]
		jmp	short loc_9430B6
; 

loc_9430A3:				; CODE XREF: CmpGlobalUnlockKeyForWrite(x,x)+28j
		mov	eax, edx
		lock cmpxchg [ecx], esi
		mov	esi, eax
		cmp	esi, edx
		jz	loc_943179
		mov	edx, esi
		dec	esi

loc_9430B6:				; CODE XREF: CmpGlobalUnlockKeyForWrite(x,x)+11j
		test	esi, esi
		jg	short loc_9430A3
		jz	short loc_9430C1
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9430C1:				; CODE XREF: CmpGlobalUnlockKeyForWrite(x,x)+2Aj
		lea	ecx, [ebx+18h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[ebx+1Ch], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _CmpKeyLockTracker
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		or	edx, 0FFFFFFFFh
		lea	eax, [edi+8]
		lock xadd [eax], edx
		dec	edx
		test	edx, edx
		jg	short loc_943106
		jz	short loc_943125
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_943106:				; CODE XREF: CmpGlobalUnlockKeyForWrite(x,x)+6Dj
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, ebx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
; 

loc_943125:				; CODE XREF: CmpGlobalUnlockKeyForWrite(x,x)+6Fj
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_943174
		mov	edx, [edi+4]
		cmp	[edx], edi
		jnz	short loc_943174
		mov	[edx], eax
		mov	ecx, esi
		mov	[eax+4], edx
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, 0FF7Fh
		mov	ecx, ebx
		and	[ebx+4], ax
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	ecx, [edi+0Ch]
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		mov	edx, 33374D43h
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
; 

loc_943174:				; CODE XREF: CmpGlobalUnlockKeyForWrite(x,x)+9Aj
					; CmpGlobalUnlockKeyForWrite(x,x)+A1j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_943179:				; CODE XREF: CmpGlobalUnlockKeyForWrite(x,x)+1Dj
		pop	edi
		pop	esi
		pop	ebx
		retn
_CmpGlobalUnlockKeyForWrite@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpStopSiloKeyLockTracker(x)
_CmpStopSiloKeyLockTracker@4 proc near	; CODE XREF: CmpFreeSiloContextCallback(x)+Bp
					; PspDeleteExternalServerSiloState(x)+59p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+4]
		lea	ecx, [esi+8]
		and	eax, 0FFFFFFFEh
		or	eax, 2
		mov	[esi+4], eax
		lea	eax, [esp+10h+var_8]
		mov	edx, [ecx]
		mov	[esp+10h+var_4], eax
		mov	[esp+10h+var_8], eax
		cmp	edx, ecx
		jz	short loc_9431DC
		mov	eax, [ecx+4]
		lea	edi, [esp+10h+var_8]
		mov	[esp+10h+var_8], edx
		mov	[esp+10h+var_4], eax
		mov	[edx+4], edi
		mov	edx, edi
		mov	[eax], edx
		mov	[ecx+4], ecx
		mov	[ecx], ecx

loc_9431DC:				; CODE XREF: CmpStopSiloKeyLockTracker(x)+42j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	eax, [esp+10h+var_8]
		cmp	[esp+10h+var_8], eax
		jz	short loc_943233
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		jmp	short loc_943209
; 

loc_943202:				; CODE XREF: CmpStopSiloKeyLockTracker(x)+AFj
		mov	ecx, eax
		call	_CmpFreeSiloKeyLockEntry@4 ; CmpFreeSiloKeyLockEntry(x)

loc_943209:				; CODE XREF: CmpStopSiloKeyLockTracker(x)+83j
		mov	eax, [esp+10h+var_8]
		lea	ecx, [esp+10h+var_8]
		cmp	[eax+4], ecx
		jnz	short loc_943239
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_943239
		lea	edx, [esp+10h+var_8]
		mov	[esp+10h+var_8], ecx
		mov	[ecx+4], edx
		mov	ecx, edx
		cmp	eax, ecx
		jnz	short loc_943202
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_943233:				; CODE XREF: CmpStopSiloKeyLockTracker(x)+7Cj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_943239:				; CODE XREF: CmpStopSiloKeyLockTracker(x)+97j
					; CmpStopSiloKeyLockTracker(x)+9Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall CmObliterateRMTxArray(x)
_CmObliterateRMTxArray@4:		; CODE XREF: CmpTryToRundownHive+17656Dp
					; CmpPerformUnloadKey+18B738p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, ecx
		nop
		mov	ecx, offset _CmpTransactionListLock
		call	ExAcquireFastMutexUnsafe
		mov	edx, _CmpLazyCommitListHead
		mov	ebx, offset _CmpLazyCommitListHead
		jmp	short loc_9432A7
; 

loc_943279:				; CODE XREF: CmpStopSiloKeyLockTracker(x)+12Cj
		cmp	[edx+10h], edi
		mov	esi, edx
		mov	edx, [edx]
		jnz	short loc_9432A7
		cmp	[edx+4], esi
		jnz	short loc_9432F2
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_9432F2
		mov	[eax], edx
		lea	ecx, [ebp+var_8]
		mov	[edx+4], eax
		mov	eax, [ebp+var_4]
		cmp	[eax], ecx
		jnz	short loc_9432F2
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ebp+var_4], esi

loc_9432A7:				; CODE XREF: CmpStopSiloKeyLockTracker(x)+FAj
					; CmpStopSiloKeyLockTracker(x)+103j
		cmp	edx, ebx
		jnz	short loc_943279
		mov	ecx, offset _CmpTransactionListLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9432C1:				; CODE XREF: CmpStopSiloKeyLockTracker(x)+173j
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_8]
		cmp	[edx+4], eax
		jnz	short loc_9432F2
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_9432F2
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], eax
		mov	[eax+4], ecx
		mov	eax, ecx
		cmp	edx, eax
		jz	short loc_9432F7
		push	0
		push	8
		add	edx, 0FFFFFFF0h
		mov	ecx, edi
		call	_CmpCleanupTransactionState@16 ; CmpCleanupTransactionState(x,x,x,x)
		jmp	short loc_9432C1
; 

loc_9432F2:				; CODE XREF: CmpStopSiloKeyLockTracker(x)+108j
					; CmpStopSiloKeyLockTracker(x)+10Fj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9432F7:				; CODE XREF: CmpStopSiloKeyLockTracker(x)+163j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpStopSiloKeyLockTracker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLazyCommitWorker(x)
_CmpLazyCommitWorker@4 proc near	; DATA XREF: CmpInitializeTransactions()+6Ao

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_C], 0
		lea	eax, [esp+0Ch+var_8]
		mov	[esp+0Ch+var_4], eax
		mov	[esp+0Ch+var_8], eax
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	bl, 1
		nop
		mov	ecx, offset _CmpShutdownRundown
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_94334D

loc_943338:				; CODE XREF: CmpLazyCommitWorker(x)+1E4j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_94334D:				; CODE XREF: CmpLazyCommitWorker(x)+3Aj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpShutdownLock
		call	ExAcquirePushLockSharedEx
		call	_LOCK_HIVE_LOAD@0 ; LOCK_HIVE_LOAD()

loc_94336C:				; CODE XREF: CmpLazyCommitWorker(x)+E9j
					; CmpLazyCommitWorker(x)+108j
		mov	eax, large fs:124h
		mov	edi, offset _CmpLazyCommitListHead
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _CmpTransactionListLock
		call	ExAcquireFastMutexUnsafe
		mov	esi, _CmpLazyCommitListHead
		cmp	[esi+4], edi
		jnz	loc_9434E5
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_9434E5
		mov	_CmpLazyCommitListHead,	eax
		mov	[eax+4], edi
		cmp	esi, edi
		jz	short loc_943409
		mov	ecx, offset _CmpTransactionListLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	eax, [esp+18h+var_C]
		push	eax
		lea	edx, [esi-10h]
		call	_CmpTransMgrCommit@12 ;	CmpTransMgrCommit(x,x,x)
		test	eax, eax
		js	short loc_9433E7
		mov	ecx, [esi+10h]
		lea	edx, [esi-10h]
		push	0
		push	4
		call	_CmpCleanupTransactionState@16 ; CmpCleanupTransactionState(x,x,x,x)
		jmp	short loc_94336C
; 

loc_9433E7:				; CODE XREF: CmpLazyCommitWorker(x)+D8j
		mov	eax, [esp+18h+var_4]
		lea	ecx, [esp+18h+var_8]
		cmp	[eax], ecx
		jnz	loc_9434E5
		mov	[esi], ecx
		xor	bl, bl
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[esp+18h+var_4], esi
		jmp	loc_94336C
; 

loc_943409:				; CODE XREF: CmpLazyCommitWorker(x)+B1j
		test	bl, bl
		mov	esi, offset _CmpTransactionListLock
		mov	ecx, esi
		setz	_CmpLazyCommitWorkItemActive
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, bl
		jnz	loc_9434B9
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, esi
		call	ExAcquireFastMutexUnsafe

loc_943447:				; CODE XREF: CmpLazyCommitWorker(x)+18Ej
		mov	eax, [esp+18h+var_8]
		lea	ecx, [esp+18h+var_8]
		cmp	[eax+4], ecx
		jnz	loc_9434E5
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_9434E5
		lea	edx, [esp+18h+var_8]
		mov	[esp+18h+var_8], ecx
		mov	[ecx+4], edx
		mov	ecx, edx
		cmp	eax, ecx
		jz	short loc_94348C
		mov	ecx, dword_6CDED4
		cmp	[ecx], edi
		jnz	short loc_9434E5
		mov	[eax], edi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6CDED4, eax
		jmp	short loc_943447
; 

loc_94348C:				; CODE XREF: CmpLazyCommitWorker(x)+176j
		mov	ecx, esi
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	0FFFFFFFFh
		push	0EE1E5D00h
		push	offset _CmpLazyCommitDpc
		push	0
		xor	edx, edx
		mov	ecx, offset _CmpLazyCommitTimer
		call	KiSetTimerEx

loc_9434B9:				; CODE XREF: CmpLazyCommitWorker(x)+130j
		call	_UNLOCK_HIVE_LOAD@0 ; UNLOCK_HIVE_LOAD()
		xor	edx, edx
		mov	ecx, offset _CmpShutdownLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, offset _CmpShutdownRundown
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	loc_943338
; 

loc_9434E5:				; CODE XREF: CmpLazyCommitWorker(x)+96j
					; CmpLazyCommitWorker(x)+A1j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall CmpTransGetTransPtr(x)
_CmpTransGetTransPtr@4:			; CODE XREF: CmpTransIsTransActive(x)+8p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	eax, 0FFFFFFFEh
		pop	ebp
		retn	4
_CmpLazyCommitWorker@4 endp ; sp = -1Ch


;  S U B	R O U T	I N E 


; int __fastcall CmpTransUowIsEqual(void *Source1,void *Source2)
_CmpTransUowIsEqual@8 proc near		; CODE XREF: CmpSearchForTrans+75AD3p
					; CmpLockHashEntryShared+119BDBj
		push	10h		; Length
		push	edx		; Source2
		push	ecx		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		setz	al
		retn
_CmpTransUowIsEqual@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpVolumeContextCleanup(x)
_CmpVolumeContextCleanup@4 proc	near	; CODE XREF: CmpVolumeContextDecrementRefCount+189FD1p
					; CmpVolumeContextCreate+84697p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+28h], 0
		jz	short loc_94351C
		mov	ecx, [esi+20h]
		call	_PpPagePathRelease@4 ; PpPagePathRelease(x)

loc_94351C:				; CODE XREF: CmpVolumeContextCleanup(x)+9j
		mov	ecx, [esi+20h]
		test	ecx, ecx
		jz	short loc_943529
		pop	esi
		jmp	ObfDereferenceObject
; 

loc_943529:				; CODE XREF: CmpVolumeContextCleanup(x)+18j
		pop	esi
		retn
_CmpVolumeContextCleanup@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpVolumeContextFree(x)
_CmpVolumeContextFree@4	proc near	; CODE XREF: CmpVolumeManagerGetContextForFile+1848EFp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_CmpVolumeContextCleanup@4 ; CmpVolumeContextCleanup(x)
		mov	ecx, esi
		pop	esi
		jmp	_CmpFreePool@4	; CmpFreePool(x)
_CmpVolumeContextFree@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetHashIndex(x)
_CmpGetHashIndex@4 proc	near		; CODE XREF: CmpGetNameControlBlock+112873p
					; CmpDereferenceNameControlBlockWithLock(x)+Dp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		shr	eax, 9
		xor	eax, [ebp+arg_0]
		imul	ecx, eax, 18AA3h
		mov	eax, ecx
		shr	eax, 9
		xor	eax, ecx
		and	eax, 7FFh
		pop	ebp
		retn	4
_CmpGetHashIndex@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAbortLightWeightTransaction(x)
_CmpAbortLightWeightTransaction@4 proc near
					; CODE XREF: CmpCommitLightWeightTransaction(x)+7Fp
					; CmpRollbackLightWeightTransaction+40p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		cmp	dword_6B2348, 5
		mov	ebx, offset dword_6B2348
		mov	[ebp+var_5C], edi
		jbe	short loc_9435AC
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9435AC
		lea	eax, [ebp+var_58]
		push	eax
		push	2
		push	edi
		push	edi
		push	offset loc_41A379
		push	ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9435AC:				; CODE XREF: CmpAbortLightWeightTransaction(x)+28j
					; CmpAbortLightWeightTransaction(x)+36j
		mov	esi, [esi+8]
		test	esi, esi
		jz	short loc_9435C7
		lea	edx, [ebp+var_5C]
		mov	ecx, esi
		call	_CmpTransMgrRollback@8 ; CmpTransMgrRollback(x,x)
		push	8
		pop	edx
		mov	ecx, esi
		call	_CmpCleanupLightWeightTransaction@8 ; CmpCleanupLightWeightTransaction(x,x)

loc_9435C7:				; CODE XREF: CmpAbortLightWeightTransaction(x)+50j
		cmp	dword_6B2348, 5
		jbe	short loc_94360A
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_94360A
		mov	eax, [ebp+var_5C]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	edi
		push	edi
		push	offset loc_41A343
		push	ebx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_94360A:				; CODE XREF: CmpAbortLightWeightTransaction(x)+6Dj
					; CmpAbortLightWeightTransaction(x)+7Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpAbortLightWeightTransaction@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCreateEmptyHiveClone(x, x)
_CmpCreateEmptyHiveClone@8 proc	near	; CODE XREF: CmpReorganizeHive+184819p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		push	30314D43h
		push	0
		push	0C00h
		mov	edi, edx
		mov	[ebp+var_10], ecx
		call	CmpAllocate
		mov	esi, eax
		test	esi, esi
		jnz	short loc_94364A
		mov	ebx, 0C000009Ah
		jmp	loc_9437A1
; 

loc_94364A:				; CODE XREF: CmpCreateEmptyHiveClone(x,x)+25j
		mov	ecx, esi	; void *
		call	_CmpHiveInitialize@4 ; CmpHiveInitialize(x)
		mov	eax, [edi+980h]
		xor	ecx, ecx
		and	eax, 0FFFEFFFFh
		mov	[ebp+var_4], ecx
		mov	edx, edi
		mov	[esi+980h], eax
		lea	eax, [esi+400h]
		sub	edx, esi
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx

loc_943677:				; CODE XREF: CmpCreateEmptyHiveClone(x,x)+9Ej
		mov	ebx, [edx+eax]
		test	ebx, ebx
		jz	short loc_9436AA
		xor	ecx, ecx
		push	ecx
		push	2
		push	200h
		push	ecx
		push	eax
		push	ecx
		push	ebx
		push	ds:_PsInitialSystemProcess
		call	ObDuplicateObject
		mov	ebx, eax
		test	ebx, ebx
		js	loc_943796
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_C]

loc_9436AA:				; CODE XREF: CmpCreateEmptyHiveClone(x,x)+63j
		inc	ecx
		add	eax, 4
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], eax
		cmp	ecx, 6
		jb	short loc_943677
		mov	eax, [edi+488h]
		mov	[esi+488h], eax
		mov	eax, [edi+490h]
		mov	[esi+490h], eax
		mov	eax, [edi+494h]
		mov	[esi+494h], eax
		mov	eax, [edi+498h]
		mov	[esi+498h], eax
		mov	eax, [edi+49Ch]
		mov	[esi+49Ch], eax
		mov	eax, [edi+4A0h]
		mov	[esi+4A0h], eax
		mov	eax, [edi+4A4h]
		mov	[esi+4A4h], eax
		mov	eax, [edi+990h]
		mov	[esi+990h], eax
		mov	eax, [edi+994h]
		mov	[esi+994h], eax
		mov	eax, [edi+998h]
		mov	[esi+998h], eax
		mov	eax, [edi+99Ch]
		mov	[esi+99Ch], eax
		mov	eax, [edi+9B8h]
		mov	[esi+9B8h], eax
		mov	eax, [edi+9BCh]
		mov	[esi+9BCh], eax
		mov	ecx, [edi+0BFCh]
		test	ecx, ecx
		jz	short loc_94377E
		xor	eax, eax
		inc	eax
		lock xadd [ecx+0Ch], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_943772
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_943772:				; CODE XREF: CmpCreateEmptyHiveClone(x,x)+152j
		mov	eax, [edi+0BFCh]
		mov	[esi+0BFCh], eax

loc_94377E:				; CODE XREF: CmpCreateEmptyHiveClone(x,x)+144j
		mov	edx, edi
		mov	ecx, esi
		call	_HvHiveStartEmptyClone@8 ; HvHiveStartEmptyClone(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_943796
		mov	eax, [ebp+var_10]
		mov	[eax], esi
		xor	esi, esi
		xor	ebx, ebx

loc_943796:				; CODE XREF: CmpCreateEmptyHiveClone(x,x)+82j
					; CmpCreateEmptyHiveClone(x,x)+172j
		test	esi, esi
		jz	short loc_9437A1
		mov	ecx, esi
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)

loc_9437A1:				; CODE XREF: CmpCreateEmptyHiveClone(x,x)+2Cj
					; CmpCreateEmptyHiveClone(x,x)+17Fj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_CmpCreateEmptyHiveClone@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpDestroyHive(x)
_CmpDestroyHive@4 proc near		; CODE XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+192p
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+44Bp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_CmpDestroySecurityCache@4 ; CmpDestroySecurityCache(x)
		mov	ecx, esi
		call	_CmpUnJoinClassOfTrust@4 ; CmpUnJoinClassOfTrust(x)
		mov	ecx, esi
		call	_CmpVERemoveHiveFromSIDMappingTable@4 ;	CmpVERemoveHiveFromSIDMappingTable(x)
		mov	ecx, esi
		call	HvHiveCleanup
		mov	ecx, esi
		call	_CmpCmdHiveClose@4 ; CmpCmdHiveClose(x)
		mov	ecx, [esi+0BFCh]
		test	ecx, ecx
		jz	short loc_9437DD
		call	CmpVolumeContextDecrementRefCount

loc_9437DD:				; CODE XREF: CmpDestroyHive(x)+2Ej
		or	eax, 0FFFFFFFFh
		lock xadd [esi+9D8h], eax
		jnz	short loc_9437F2
		mov	ecx, esi
		pop	esi
		jmp	_CmpDeleteHive@4 ; CmpDeleteHive(x)
; 

loc_9437F2:				; CODE XREF: CmpDestroyHive(x)+40j
		pop	esi
		retn
_CmpDestroyHive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpOpenFileWithExtremePrejudice(x, x, x, x,	x)
_CmpOpenFileWithExtremePrejudice@20 proc near ;	CODE XREF: CmpOpenHiveFile+17D8E2p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	ebx, edx
		mov	[ebp+var_3C], eax
		mov	edx, ecx
		lea	edi, [ebp+var_34]
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_40], edx
		rep stosd
		lea	eax, [ebp+var_34]
		xor	esi, esi
		push	eax
		push	ebx
		mov	[ebp+var_38], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_44], esi
		mov	[edx], esi
		call	_ZwQueryAttributesFile@8 ; ZwQueryAttributesFile(x,x)
		test	eax, eax
		js	short loc_94389F
		and	[ebp+var_14], 0FFFFFFFEh
		lea	eax, [ebp+var_48]
		push	4000h
		push	7
		push	eax
		push	ebx
		push	100h
		lea	eax, [ebp+var_38]
		push	eax
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_94389F
		push	4
		push	28h
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_38]
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		push	[ebp+var_38]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		jns	short loc_943883
		mov	eax, esi
		jmp	short loc_94389F
; 

loc_943883:				; CODE XREF: CmpOpenFileWithExtremePrejudice(x,x,x,x,x)+89j
		xor	eax, eax
		push	eax
		push	eax
		push	[ebp+arg_8]
		push	1
		push	eax
		push	[ebp+arg_4]
		push	eax
		push	[ebp+var_3C]
		push	ebx
		push	3
		push	[ebp+var_40]
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)

loc_94389F:				; CODE XREF: CmpOpenFileWithExtremePrejudice(x,x,x,x,x)+45j
					; CmpOpenFileWithExtremePrejudice(x,x,x,x,x)+67j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_CmpOpenFileWithExtremePrejudice@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSwapHiveStorage(x, x)
_CmpSwapHiveStorage@8 proc near		; CODE XREF: CmpReorganizeHive+184C5Cp
					; CmpRefreshHive(x)+373p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_10], esi
		call	_HvSwapHiveStorage@8 ; HvSwapHiveStorage(x,x)
		mov	ebx, edi
		lea	edx, [esi+400h]
		push	6
		sub	ebx, esi
		pop	edi

loc_9438D7:				; CODE XREF: CmpSwapHiveStorage(x,x)+37j
		mov	ecx, [edx]
		mov	eax, [ebx+edx]
		mov	[edx], eax
		mov	[ebx+edx], ecx
		lea	edx, [edx+4]
		sub	edi, 1
		jnz	short loc_9438D7
		mov	edi, [ebp+var_8]
		mov	ecx, [esi+488h]
		mov	[ebp+var_4], 40h
		mov	eax, [edi+488h]
		mov	[esi+488h], eax
		mov	eax, [edi+498h]
		mov	[edi+488h], ecx
		mov	ecx, [esi+498h]
		mov	edx, [esi+49Ch]
		mov	[esi+498h], eax
		mov	eax, [edi+49Ch]
		mov	[esi+49Ch], eax
		mov	eax, [edi+4A0h]
		mov	[edi+498h], ecx
		mov	[edi+49Ch], edx
		mov	ecx, [esi+4A0h]
		mov	edx, [esi+4A4h]
		mov	[esi+4A0h], eax
		mov	eax, [edi+4A4h]
		mov	[esi+4A4h], eax
		mov	eax, [edi+4C0h]
		mov	[edi+4A0h], ecx
		mov	[edi+4A4h], edx
		mov	ecx, [esi+4C0h]
		mov	[esi+4C0h], eax
		mov	eax, [edi+4C4h]
		mov	[edi+4C0h], ecx
		mov	ecx, [esi+4C4h]
		mov	[esi+4C4h], eax
		mov	eax, [edi+4C8h]
		mov	[edi+4C4h], ecx
		mov	ecx, [esi+4C8h]
		mov	[esi+4C8h], eax
		mov	eax, [edi+4CCh]
		mov	[edi+4C8h], ecx
		mov	ecx, [esi+4CCh]
		mov	[esi+4CCh], eax
		mov	eax, esi
		mov	[edi+4CCh], ecx
		sub	eax, edi
		lea	ecx, [edi+4D0h]
		mov	edi, eax

loc_9439D7:				; CODE XREF: CmpSwapHiveStorage(x,x)+194j
		lea	ebx, [ebp+var_18]
		lea	edx, [edi+ecx]
		mov	[ebp+var_14], ebx
		mov	esi, [edx]
		mov	eax, ebx
		mov	[ebp+var_18], eax
		cmp	esi, edx
		jz	short loc_943A08
		mov	eax, [ecx+edi+4]
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], eax
		mov	[esi+4], ebx
		mov	esi, ebx
		mov	[eax], esi
		mov	ebx, [ebp+var_14]
		mov	eax, [ebp+var_18]
		mov	[ecx+edi+4], edx
		mov	[edx], edx

loc_943A08:				; CODE XREF: CmpSwapHiveStorage(x,x)+139j
		mov	esi, [ecx]
		mov	[ebp+var_C], esi
		cmp	esi, ecx
		jz	short loc_943A2C
		mov	eax, [ecx+4]
		mov	ebx, esi
		mov	[edx], ebx
		mov	[edi+ecx+4], eax
		mov	[ebx+4], edx
		mov	[eax], edx
		mov	ebx, [ebp+var_14]
		mov	eax, [ebp+var_18]
		mov	[ecx+4], ecx
		mov	[ecx], ecx

loc_943A2C:				; CODE XREF: CmpSwapHiveStorage(x,x)+15Fj
		lea	edx, [ebp+var_18]
		cmp	eax, edx
		jz	short loc_943A3D
		mov	[ecx], eax
		mov	[ecx+4], ebx
		mov	[eax+4], ecx
		mov	[ebx], ecx

loc_943A3D:				; CODE XREF: CmpSwapHiveStorage(x,x)+181j
		add	ecx, 8
		sub	[ebp+var_4], 1
		jnz	short loc_9439D7
		mov	esi, [ebp+var_10]
		mov	edi, [ebp+var_8]
		mov	ecx, [esi+990h]
		mov	eax, [edi+990h]
		mov	edx, [esi+994h]
		mov	[esi+990h], eax
		mov	eax, [edi+994h]
		mov	[esi+994h], eax
		mov	eax, [edi+998h]
		mov	[edi+990h], ecx
		mov	[edi+994h], edx
		mov	ecx, [esi+998h]
		mov	edx, [esi+99Ch]
		mov	[esi+998h], eax
		mov	eax, [edi+99Ch]
		mov	[esi+99Ch], eax
		mov	eax, [edi+9B8h]
		mov	[edi+998h], ecx
		mov	[edi+99Ch], edx
		mov	ecx, [esi+9B8h]
		mov	edx, [esi+9BCh]
		mov	[esi+9B8h], eax
		mov	eax, [edi+9BCh]
		mov	[esi+9BCh], eax
		mov	eax, [edi+9D0h]
		mov	[edi+9B8h], ecx
		mov	[edi+9BCh], edx
		mov	ecx, [esi+9D0h]
		mov	[esi+9D0h], eax
		mov	eax, [edi+9D4h]
		mov	[edi+9D0h], ecx
		mov	ecx, [esi+9D4h]
		mov	[esi+9D4h], eax
		mov	eax, [edi+0BE0h]
		mov	[edi+9D4h], ecx
		mov	ecx, [esi+0BE0h]
		mov	[esi+0BE0h], eax
		mov	eax, [edi+0BE4h]
		mov	[edi+0BE0h], ecx
		mov	ecx, [esi+0BE4h]
		mov	[esi+0BE4h], eax
		mov	eax, [edi+0BE8h]
		mov	[edi+0BE4h], ecx
		mov	ecx, [esi+0BE8h]
		mov	[esi+0BE8h], eax
		mov	eax, [edi+0BECh]
		mov	[edi+0BE8h], ecx
		mov	ecx, [esi+0BECh]
		mov	[esi+0BECh], eax
		mov	eax, [edi+0BFCh]
		mov	[edi+0BECh], ecx
		mov	ecx, [esi+0BFCh]
		mov	[esi+0BFCh], eax
		mov	[edi+0BFCh], ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpSwapHiveStorage@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFreeSiloContextCallback(x)
_CmpFreeSiloContextCallback@4 proc near	; DATA XREF: CmpAllocateSiloContext(x,x)+11o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	_CmpStopSiloKeyLockTracker@4 ; CmpStopSiloKeyLockTracker(x)
		mov	ecx, [esi+10h]
		pop	esi
		test	ecx, ecx
		jz	short loc_943BA6
		call	ObfDereferenceObject

loc_943BA6:				; CODE XREF: CmpFreeSiloContextCallback(x)+16j
		pop	ebp
		retn	4
_CmpFreeSiloContextCallback@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpRemoveFromHiveFileList(x)
_CmpRemoveFromHiveFileList@4 proc near	; CODE XREF: CmpCompleteUnloadKey(x,x,x)+E8p
		lea	eax, [ecx+4B8h]
		push	eax
		push	_CmpHiveFileListHandle
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		retn
_CmpRemoveFromHiveFileList@4 endp


;  S U B	R O U T	I N E 


; __stdcall HvpAllExceptionsFatalFilter(x)
_HvpAllExceptionsFatalFilter@4 proc near ; CODE	XREF: sub_943EDE+3p
		push	dword ptr [ecx+4]
		mov	edx, [ecx]
		push	edx
		push	21h
		pop	ecx
		mov	edx, [edx]
		call	_CmSiBugCheck@16 ; CmSiBugCheck(x,x,x,x)
		int	3		; Trap to Debugger
_HvpAllExceptionsFatalFilter@4 endp


;  S U B	R O U T	I N E 


; __stdcall HvpInpageErrorFilter(x, x)
_HvpInpageErrorFilter@8	proc near	; CODE XREF: sub_8CDB63+6p
		mov	eax, [ecx]
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, 0C0000006h
		mov	edx, [eax]
		cmp	edx, esi
		jz	short loc_943BEB
		push	dword ptr [ecx+4]
		push	eax
		push	21h
		pop	ecx
		call	_CmSiBugCheck@16 ; CmSiBugCheck(x,x,x,x)

loc_943BEB:				; CODE XREF: HvpInpageErrorFilter(x,x)+Fj
		cmp	dword ptr [eax+10h], 2
		jb	short loc_943BF4
		mov	esi, [eax+1Ch]

loc_943BF4:				; CODE XREF: HvpInpageErrorFilter(x,x)+21j
		mov	[edi], esi
		xor	eax, eax
		pop	edi
		inc	eax
		pop	esi
		retn
_HvpInpageErrorFilter@8	endp ; sp = -8


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpMappedViewGetPropertiesForFileOffset(x, x, x)
_HvpMappedViewGetPropertiesForFileOffset@12 proc near
					; CODE XREF: HvpViewMapMakeViewRangeWriteable(x,x,x,x,x,x)+76p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	eax, [ecx+10h]
		shr	eax, 0Ch
		add	eax, 38h
		add	eax, ecx
		pop	ebp
		retn	8
_HvpMappedViewGetPropertiesForFileOffset@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapMakeViewRangeInvalid(x, x, x, x, x, x)
_HvpViewMapMakeViewRangeInvalid@24 proc	near ; CODE XREF: CmpAddSecurityCellToCache+188C93p
					; CmpAddSecurityCellToCache+188CD7p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_4]
		and	[ebp+var_10], 0
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_8], eax
		push	esi
		mov	esi, edx
		mov	edx, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	edi, [ebp+arg_8]
		cmp	eax, ebx
		jg	short loc_943CA4
		jl	short loc_943C45
		cmp	ecx, edi
		jnb	short loc_943CA4

loc_943C45:				; CODE XREF: HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+2Cj
					; HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+86j ...
		cmp	dword ptr [esi+34h], 0
		jz	short loc_943CA1
		mov	ecx, [esi+10h]
		mov	eax, edx
		sub	eax, ecx
		shr	eax, 0Ch
		mov	[ebp+arg_C], eax
		test	byte ptr [eax+esi+38h],	10h
		jz	short loc_943C85
		mov	eax, [esi+30h]
		sub	eax, ecx
		add	eax, edx
		push	1000h
		push	eax
		mov	eax, [ebp+var_C]
		mov	edx, [eax+18h]
		call	_CmSiUnlockViewOfSection@16 ; CmSiUnlockViewOfSection(x,x,x,x)
		mov	eax, [ebp+arg_C]
		mov	edx, [ebp+var_4]
		and	byte ptr [eax+esi+38h],	0EFh
		dec	dword ptr [esi+34h]

loc_943C85:				; CODE XREF: HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+4Aj
		mov	eax, [ebp+var_8]
		add	edx, 1000h
		mov	[ebp+var_4], edx
		adc	eax, 0
		mov	[ebp+var_8], eax
		cmp	eax, ebx
		jl	short loc_943C45
		jg	short loc_943CA1
		cmp	edx, edi
		jb	short loc_943C45

loc_943CA1:				; CODE XREF: HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+36j
					; HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+88j
		mov	ecx, [ebp+arg_0]

loc_943CA4:				; CODE XREF: HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+2Aj
					; HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+30j
		lea	eax, [ebp+var_10]
		push	eax
		push	80000001h
		mov	eax, edi
		sub	eax, ecx
		push	eax
		mov	eax, [esi+30h]
		sub	eax, [esi+10h]
		add	eax, ecx
		push	eax
		mov	eax, [ebp+var_C]
		mov	edx, [eax+18h]
		call	_CmSiProtectViewOfSection@24 ; CmSiProtectViewOfSection(x,x,x,x,x,x)
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		cmp	eax, ebx
		jg	short loc_943CFD
		jl	short loc_943CD8
		cmp	ecx, edi
		jnb	short loc_943CFD

loc_943CD8:				; CODE XREF: HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+BFj
		mov	ecx, eax

loc_943CDA:				; CODE XREF: HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+DFj
					; HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+E5j
		mov	eax, edx
		sub	eax, [esi+10h]
		shr	eax, 0Ch
		add	edx, 1000h
		adc	ecx, 0
		mov	byte ptr [eax+esi+38h],	0
		cmp	ecx, ebx
		jl	short loc_943CDA
		jg	short loc_943CFA
		cmp	edx, edi
		jb	short loc_943CDA

loc_943CFA:				; CODE XREF: HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+E1j
		mov	ecx, [ebp+arg_0]

loc_943CFD:				; CODE XREF: HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+BDj
					; HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+C3j
		mov	eax, [esi+28h]
		mov	edx, [esi+2Ch]
		mov	[ebp+arg_C], eax
		cmp	[esi+20h], ecx
		jnz	short loc_943D31
		mov	eax, [esi+24h]
		cmp	eax, [ebp+arg_4]
		jnz	short loc_943D31
		cmp	[ebp+arg_C], edi
		jnz	short loc_943D29
		cmp	edx, ebx
		jnz	short loc_943D29
		xor	eax, eax
		mov	[esi+20h], eax
		mov	[esi+24h], eax
		mov	[esi+28h], eax
		jmp	short loc_943D40
; 

loc_943D29:				; CODE XREF: HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+103j
					; HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+107j
		mov	[esi+20h], edi
		mov	[esi+24h], ebx
		jmp	short loc_943D43
; 

loc_943D31:				; CODE XREF: HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+F6j
					; HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+FEj
		cmp	[ebp+arg_C], edi
		jnz	short loc_943D43
		cmp	edx, ebx
		jnz	short loc_943D43
		mov	eax, [ebp+arg_4]
		mov	[esi+28h], ecx

loc_943D40:				; CODE XREF: HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+114j
		mov	[esi+2Ch], eax

loc_943D43:				; CODE XREF: HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+11Cj
					; HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)+121j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_HvpViewMapMakeViewRangeInvalid@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapMigrateCOWData(x,	x, x)
_HvpViewMapMigrateCOWData@12 proc near	; CODE XREF: CmpAddSecurityCellToCache+188B02p

var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	44h
		push	offset dword_6A79F8
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_20], eax
		mov	[ebp+var_28], ecx
		mov	esi, [eax+20h]
		mov	edi, [eax+24h]
		mov	ecx, [ebp+arg_0]
		mov	edx, [ecx+20h]
		mov	ebx, [ecx+24h]
		cmp	ebx, edi
		jg	short loc_943D77
		jl	short loc_943D7B
		cmp	edx, esi
		jb	short loc_943D7B

loc_943D77:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+25j
		mov	esi, edx
		mov	edi, ebx

loc_943D7B:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+27j
					; HvpViewMapMigrateCOWData(x,x,x)+2Bj
		push	dword ptr [eax+2Ch]
		push	dword ptr [eax+28h]
		push	dword ptr [ecx+2Ch]
		push	dword ptr [ecx+28h]
		call	_HvpMinLong64@16 ; HvpMinLong64(x,x,x,x)
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], edx

loc_943D92:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+97j
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], edi
		cmp	edi, [ebp+var_34]
		jg	loc_943ECA
		jl	short loc_943DAC
		cmp	esi, [ebp+var_38]
		jnb	loc_943ECA

loc_943DAC:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+57j
		mov	edx, [ecx+10h]
		mov	[ebp+var_2C], edx
		mov	eax, esi
		sub	eax, edx
		shr	eax, 0Ch
		add	ecx, 38h
		add	eax, ecx
		mov	[ebp+var_50], eax
		mov	al, [eax]
		mov	[ebp+var_19], al
		mov	ebx, esi
		add	ebx, 1000h
		mov	ecx, edi
		adc	ecx, 0
		mov	[ebp+var_24], ecx
		test	al, 6
		jnz	short loc_943DE3
		mov	edi, ecx

loc_943DDC:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+17Bj
		mov	esi, ebx
		mov	ecx, [ebp+arg_0]
		jmp	short loc_943D92
; 

loc_943DE3:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+8Ej
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ecx
		cmp	ecx, [ebp+var_34]
		jg	short loc_943E3E
		jl	short loc_943DF5
		cmp	ebx, [ebp+var_38]
		jnb	short loc_943E3E

loc_943DF5:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+A4j
		shr	al, 1
		and	al, 1
		mov	[ebp+var_1A], al
		mov	edx, [ebp+arg_0]

loc_943DFF:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+E8j
					; HvpViewMapMigrateCOWData(x,x,x)+EFj
		mov	eax, ebx
		sub	eax, [ebp+var_2C]
		shr	eax, 0Ch
		mov	ah, [edx+eax+38h]
		mov	al, ah
		shr	al, 1
		and	al, 1
		cmp	al, [ebp+var_1A]
		mov	al, [ebp+var_19]
		jnz	short loc_943E3B
		xor	ah, al
		test	ah, 4
		jnz	short loc_943E3B
		add	ebx, 1000h
		mov	[ebp+var_48], ebx
		adc	ecx, 0
		mov	[ebp+var_44], ecx
		cmp	ecx, [ebp+var_34]
		jl	short loc_943DFF
		jg	short loc_943E3B
		cmp	ebx, [ebp+var_38]
		jb	short loc_943DFF

loc_943E3B:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+CDj
					; HvpViewMapMigrateCOWData(x,x,x)+D4j ...
		mov	[ebp+var_24], ecx

loc_943E3E:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+A2j
					; HvpViewMapMigrateCOWData(x,x,x)+A9j
		push	ecx
		mov	edx, [ebp+var_20]
		push	ebx
		mov	ecx, [ebp+var_28]
		push	edi
		push	esi
		test	al, 2
		jz	short loc_943E57
		call	HvpViewMapMakeViewRangeCOWByCaller
		test	eax, eax
		js	short loc_943ECC
		jmp	short loc_943E5C
; 

loc_943E57:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+100j
		call	_HvpViewMapMakeViewRangeWriteable@24 ; HvpViewMapMakeViewRangeWriteable(x,x,x,x,x,x)

loc_943E5C:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+10Bj
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+30h]
		sub	ecx, [eax+10h]
		add	ecx, esi
		mov	eax, [ebp+var_20]
		mov	edx, [eax+30h]
		sub	edx, [eax+10h]
		add	edx, esi
		mov	eax, ebx
		sub	eax, esi
		and	[ebp+ms_exc.disabled], 0
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_24]
		jmp	short loc_943EAB
; 
		retn
; 

loc_943E92:				; DATA XREF: .text:006A7A10o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_3C]
		mov	esi, [ebp+var_40]
		mov	ecx, [ebp+var_44]
		mov	[ebp+var_24], ecx
		mov	ebx, [ebp+var_48]

loc_943EAB:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+145j
		mov	eax, [ebp+var_50]
		test	byte ptr [eax],	2
		jnz	short loc_943EC2
		push	ecx
		push	ebx
		push	edi
		push	esi
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_28]
		call	_HvpViewMapMakeViewRangeReadOnly@24 ; HvpViewMapMakeViewRangeReadOnly(x,x,x,x,x,x)

loc_943EC2:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+167j
		mov	edi, [ebp+var_24]
		jmp	loc_943DDC
; 

loc_943ECA:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+51j
					; HvpViewMapMigrateCOWData(x,x,x)+5Cj
		xor	eax, eax

loc_943ECC:				; CODE XREF: HvpViewMapMigrateCOWData(x,x,x)+109j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_HvpViewMapMigrateCOWData@12 endp


;  S U B	R O U T	I N E 


sub_943EDE	proc near		; DATA XREF: .text:006A7A0Co
		mov	ecx, [ebp-14h]
		call	_HvpAllExceptionsFatalFilter@4 ; HvpAllExceptionsFatalFilter(x)
		int	3		; Trap to Debugger
sub_943EDE	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpViewMapShrinkStorage(x, x)
_HvpViewMapShrinkStorage@8 proc	near	; CODE XREF: HvpAddBin+18ADA3p
					; HvFreeHivePartial+18A392p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	ebx, ecx
		lea	eax, [edx+1000h]
		xor	ecx, ecx
		mov	[ebp+var_18], eax
		push	esi
		mov	[ebp+var_8], ecx
		lea	esi, [ebp+var_20]
		push	edi
		mov	edi, [ebx+0Ch]
		mov	edx, eax
		mov	[ebp+var_4], ecx
		mov	ecx, [ebx+8]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_20], esi
		cmp	[ebp+var_8], edi
		jg	loc_943FF3
		jl	short loc_943F2F
		cmp	eax, ecx
		jnb	loc_943FF3

loc_943F2F:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+3Ej
		lea	edi, [ebx+20h]

loc_943F32:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+F5j
					; HvpViewMapShrinkStorage(x,x)+100j
		test	byte ptr [edi+4], 1
		mov	esi, [edi]
		jz	short loc_943F46
		test	esi, esi
		jz	short loc_943F42
		xor	esi, edi
		jmp	short loc_943F46
; 

loc_943F42:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+55j
		xor	eax, eax
		mov	esi, eax

loc_943F46:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+51j
					; HvpViewMapShrinkStorage(x,x)+59j
		movzx	ecx, byte ptr [edi+4]
		and	ecx, 1
		test	esi, esi
		jz	short loc_943F88
		mov	edi, [ebp+var_4]

loc_943F54:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+9Cj
		cmp	edi, [esi+24h]
		jl	short loc_943F71
		jg	short loc_943F60
		cmp	edx, [esi+20h]
		jb	short loc_943F71

loc_943F60:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+72j
		cmp	edi, [esi+2Ch]
		jl	short loc_943F85
		jg	short loc_943F6C
		cmp	edx, [esi+28h]
		jb	short loc_943F85

loc_943F6C:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+7Ej
		mov	eax, [esi+4]
		jmp	short loc_943F73
; 

loc_943F71:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+70j
					; HvpViewMapShrinkStorage(x,x)+77j
		mov	eax, [esi]

loc_943F73:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+88j
		test	ecx, ecx
		jz	short loc_943F7F
		test	eax, eax
		jz	short loc_943F7F
		xor	esi, eax
		jmp	short loc_943F81
; 

loc_943F7F:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+8Ej
					; HvpViewMapShrinkStorage(x,x)+92j
		mov	esi, eax

loc_943F81:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+96j
		test	esi, esi
		jnz	short loc_943F54

loc_943F85:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+7Cj
					; HvpViewMapShrinkStorage(x,x)+83j
		lea	edi, [ebx+20h]

loc_943F88:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+68j
		mov	ecx, [esi+2Ch]
		mov	eax, [esi+28h]
		push	ecx
		push	eax
		push	[ebp+var_4]
		mov	[ebp+var_C], ecx
		mov	ecx, ebx
		push	edx
		mov	edx, esi
		mov	[ebp+var_8], eax
		call	_HvpViewMapMakeViewRangeInvalid@24 ; HvpViewMapMakeViewRangeInvalid(x,x,x,x,x,x)
		mov	eax, [esi+20h]
		cmp	eax, [esi+28h]
		jnz	short loc_943FCE
		mov	eax, [esi+24h]
		cmp	eax, [esi+2Ch]
		jnz	short loc_943FCE
		push	esi
		push	edi
		call	RtlRbRemoveNode
		mov	eax, [ebp+var_1C]
		lea	ecx, [ebp+var_20]
		cmp	[eax], ecx
		jnz	short loc_94403A
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ebp+var_1C], esi

loc_943FCE:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+C2j
					; HvpViewMapShrinkStorage(x,x)+CAj
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_8]
		mov	edx, eax
		mov	[ebp+var_4], ecx
		cmp	ecx, [ebp+var_10]
		jl	loc_943F32
		jg	short loc_943FED
		cmp	eax, [ebp+var_14]
		jb	loc_943F32

loc_943FED:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+FBj
		mov	esi, [ebp+var_20]
		mov	eax, [ebp+var_18]

loc_943FF3:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+38j
					; HvpViewMapShrinkStorage(x,x)+42j
		mov	[ebx+8], eax
		xor	eax, eax
		mov	[ebx+0Ch], eax
		jmp	short loc_944017
; 

loc_943FFD:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+14Cj
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_94400D
		mov	edx, [ebx+18h]
		push	eax
		call	_CmSiUnmapViewOfSection@12 ; CmSiUnmapViewOfSection(x,x,x)

loc_94400D:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+11Bj
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)
		mov	esi, [ebp+var_20]

loc_944017:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+114j
		lea	eax, [ebp+var_20]
		cmp	[esi+4], eax
		jnz	short loc_94403A
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_94403A
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_20], eax
		mov	[eax+4], ecx
		mov	eax, ecx
		cmp	esi, eax
		jnz	short loc_943FFD
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_94403A:				; CODE XREF: HvpViewMapShrinkStorage(x,x)+DBj
					; HvpViewMapShrinkStorage(x,x)+136j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_HvpViewMapShrinkStorage@8 endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall HvHiveStartEmptyClone(x, x)
_HvHiveStartEmptyClone@8 proc near	; CODE XREF: CmpCreateEmptyHiveClone(x,x)+169p
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		push	32334D43h
		mov	eax, [ebx+4]
		push	1
		mov	[edi+4], eax
		mov	eax, [ebx+8]
		mov	[edi+8], eax
		mov	esi, [ebx+0Ch]
		mov	[edi+0Ch], esi
		mov	eax, [ebx+10h]
		mov	[edi+10h], eax
		mov	eax, [ebx+14h]
		mov	[edi+14h], eax
		mov	eax, [ebx+18h]
		mov	[edi+18h], eax
		mov	eax, [ebx+48h]
		push	eax
		mov	[edi+48h], eax
		call	esi
		mov	[edi+20h], eax
		test	eax, eax
		jnz	short loc_94408D
		mov	eax, 0C000009Ah
		jmp	loc_944196
; 

loc_94408D:				; CODE XREF: HvHiveStartEmptyClone(x,x)+42j
		push	dword ptr [edi+48h] ; size_t
		push	dword ptr [ebx+20h] ; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [edi+20h]
		add	esp, 0Ch
		and	dword ptr [eax+28h], 0
		mov	eax, [edi+20h]
		or	dword ptr [eax+24h], 0FFFFFFFFh
		mov	eax, [ebx+4Ch]
		mov	[edi+4Ch], eax
		mov	al, [edi+50h]
		xor	al, [ebx+50h]
		and	al, 1
		xor	[edi+50h], al
		mov	cl, [ebx+50h]
		mov	al, [edi+50h]
		xor	cl, al
		and	cl, 2
		xor	cl, al
		mov	[edi+50h], cl
		mov	eax, [ebx+64h]
		and	eax, 0FFFFFFEFh
		mov	[edi+64h], eax
		mov	eax, [ebx+68h]
		mov	[edi+68h], eax
		mov	eax, [ebx+6Ch]
		mov	[edi+6Ch], eax
		mov	eax, [ebx+70h]
		mov	[edi+70h], eax
		mov	eax, [ebx+74h]
		mov	[edi+74h], eax
		mov	eax, [ebx+78h]
		mov	[edi+78h], eax
		mov	eax, [ebx+7Ch]
		mov	[edi+7Ch], eax
		mov	ax, [ebx+80h]
		mov	[edi+80h], ax
		mov	al, [ebx+82h]
		mov	[edi+82h], al
		mov	al, [ebx+83h]
		mov	[edi+83h], al
		mov	eax, [ebx+88h]
		mov	[edi+88h], eax
		mov	eax, [ebx+8Ch]
		mov	[edi+8Ch], eax
		mov	ax, [ebx+90h]
		mov	[edi+90h], ax
		mov	eax, [ebx+94h]
		mov	[edi+94h], eax
		mov	eax, [ebx+98h]
		mov	[edi+98h], eax
		mov	eax, [ebx+9Ch]
		mov	[edi+9Ch], eax
		test	dword ptr [ebx+64h], 20000h
		jz	short loc_944194
		push	dword ptr [ebx+0BCh]
		mov	edx, [edi+400h]
		lea	ecx, [edi+0A0h]
		push	dword ptr [ebx+0B8h]
		push	0
		call	_HvpViewMapStart@20 ; HvpViewMapStart(x,x,x,x,x)
		test	eax, eax
		js	short loc_944196

loc_944194:				; CODE XREF: HvHiveStartEmptyClone(x,x)+130j
		xor	eax, eax

loc_944196:				; CODE XREF: HvHiveStartEmptyClone(x,x)+49j
					; HvHiveStartEmptyClone(x,x)+153j
		pop	edi
		pop	esi
		pop	ebx
		retn
_HvHiveStartEmptyClone@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvSwapHiveStorage(x, x)
_HvSwapHiveStorage@8 proc near		; CODE XREF: CmpSwapHiveStorage(x,x)+15p

var_38		= dword	ptr -38h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, [ecx+4]
		mov	[ebp+var_C], eax
		push	ebx
		mov	ebx, [edx+8]
		mov	[ebp+var_4], edx
		mov	edx, [ecx+14h]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], ebx
		mov	ebx, [ebp+var_4]
		push	esi
		mov	esi, [ecx+10h]
		push	edi
		mov	eax, [ebx+4]
		mov	edi, [ecx+0Ch]
		mov	ebx, [ebp+var_8]
		mov	ecx, [ecx+18h]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+8]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+0Ch]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+10h]
		mov	[ebx+10h], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+14h]
		mov	[ebx+14h], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+18h]
		mov	[ebx+18h], eax
		mov	ebx, [ebp+var_4]
		mov	eax, [ebp+var_C]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_4]
		mov	ebx, [ebp+var_10]
		mov	[eax+0Ch], edi
		mov	edi, eax
		mov	[eax+8], ebx
		mov	ebx, [ebp+var_8]
		mov	eax, [edi+20h]
		mov	[edi+10h], esi
		mov	[edi+14h], edx
		mov	[edi+18h], ecx
		mov	ecx, [ebx+20h]
		mov	[ebx+20h], eax
		mov	eax, [edi+38h]
		mov	[edi+20h], ecx
		mov	ecx, [ebx+38h]
		mov	[ebx+38h], eax
		mov	eax, [edi+30h]
		mov	[edi+38h], ecx
		mov	ecx, [ebx+30h]
		mov	[ebx+30h], eax
		mov	eax, [edi+2Ch]
		mov	[edi+30h], ecx
		mov	ecx, [ebx+2Ch]
		mov	[ebx+2Ch], eax
		mov	eax, [edi+34h]
		mov	[edi+2Ch], ecx
		mov	ecx, [ebx+34h]
		mov	[ebx+34h], eax
		mov	eax, [edi+40h]
		mov	[edi+34h], ecx
		mov	ecx, [ebx+40h]
		mov	[ebx+40h], eax
		mov	eax, [edi+3Ch]
		mov	[edi+40h], ecx
		mov	ecx, [ebx+3Ch]
		mov	[ebx+3Ch], eax
		mov	eax, [edi+44h]
		mov	[edi+3Ch], ecx
		mov	ecx, [ebx+44h]
		mov	[ebx+44h], eax
		mov	eax, [edi+48h]
		mov	[edi+44h], ecx
		mov	ecx, [ebx+48h]
		mov	[ebx+48h], eax
		mov	[edi+48h], ecx
		mov	ecx, [ebx+4Ch]
		mov	eax, [edi+4Ch]
		mov	[ebx+4Ch], eax
		mov	al, [edi+50h]
		mov	[edi+4Ch], ecx
		mov	cl, [ebx+50h]
		xor	al, cl
		and	al, 1
		xor	al, cl
		mov	[ebx+50h], al
		mov	al, [edi+50h]
		xor	al, cl
		and	al, 1
		xor	[edi+50h], al
		mov	al, [edi+50h]
		mov	cl, [ebx+50h]
		xor	al, cl
		and	al, 2
		xor	al, cl
		mov	[ebx+50h], al
		mov	al, [edi+50h]
		xor	al, cl
		and	al, 2
		xor	[edi+50h], al
		mov	al, [edi+51h]
		mov	cl, [ebx+51h]
		mov	[ebx+51h], al
		mov	eax, [edi+54h]
		mov	[edi+51h], cl
		mov	ecx, [ebx+54h]
		mov	[ebx+54h], eax
		mov	eax, [edi+58h]
		mov	[edi+54h], ecx
		mov	ecx, [ebx+58h]
		mov	[ebx+58h], eax
		mov	eax, [edi+5Ch]
		mov	[edi+58h], ecx
		mov	ecx, [ebx+5Ch]
		mov	[ebx+5Ch], eax
		mov	eax, [edi+60h]
		mov	[edi+5Ch], ecx
		mov	ecx, [ebx+60h]
		mov	[ebx+60h], eax
		mov	[edi+60h], ecx
		mov	ecx, [ebx+64h]
		mov	eax, ecx
		and	eax, 0FFE07FECh
		mov	[ebx+64h], eax
		mov	edx, [edi+64h]
		mov	eax, edx
		xor	eax, ecx
		mov	ecx, 1F8013h
		and	eax, ecx
		xor	eax, edx
		and	edx, ecx
		mov	[edi+64h], eax
		lea	eax, [ebx+0A0h]
		or	[ebx+64h], edx
		mov	esi, eax
		lea	edx, [edi+0A0h]
		push	0Ah
		pop	ecx
		push	0Ah
		lea	edi, [ebp+var_38]
		rep movsd
		pop	ecx
		mov	edi, eax
		mov	esi, edx
		mov	eax, [ebp+var_4]
		rep movsd
		push	0Ah
		pop	ecx
		lea	esi, [ebp+var_38]
		mov	edi, edx
		rep movsd
		sub	eax, ebx
		lea	esi, [ebx+0C8h]
		push	2
		mov	[ebp+var_4], eax
		pop	edi

loc_944364:				; CODE XREF: HvSwapHiveStorage(x,x)+1E0j
		lea	edx, [eax+esi]
		mov	ecx, esi
		call	_HvpSwapDual@8	; HvpSwapDual(x,x)
		mov	eax, [ebp+var_4]
		add	esi, 19Ch
		sub	edi, 1
		jnz	short loc_944364
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_HvSwapHiveStorage@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpAddDummyBinToHive(x, x, x, x)
_HvpAddDummyBinToHive@16 proc near	; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+164p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		xor	esi, esi
		push	eax
		push	30334D43h
		push	esi
		mov	edx, 1000h
		mov	[ebp+var_4], esi
		mov	ebx, ecx
		call	_HvpAllocateBin@20 ; HvpAllocateBin(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_944416
		mov	edi, [ebp+var_4]
		push	1000h		; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		cmp	ds:_CmpSelfHeal, 0
		mov	edx, 1000h
		mov	[edi+4], ecx
		mov	[edi+8], edx
		jnz	short loc_9443DD
		test	byte ptr _CmpBootType, 6
		jz	short loc_9443F6

loc_9443DD:				; CODE XREF: HvpAddDummyBinToHive(x,x,x,x)+51j
		mov	dword ptr [edi], 6E696268h
		mov	dword ptr [edi+20h], 0FE0h
		mov	eax, [ebx+20h]
		or	dword ptr [eax+0FF8h], 4
		jmp	short loc_9443FF
; 

loc_9443F6:				; CODE XREF: HvpAddDummyBinToHive(x,x,x,x)+5Aj
		mov	[edi], esi
		mov	dword ptr [edi+20h], 0FFFFF020h

loc_9443FF:				; CODE XREF: HvpAddDummyBinToHive(x,x,x,x)+73j
		push	esi
		push	1
		push	ecx
		push	edx
		mov	edx, edi
		mov	ecx, ebx
		call	HvpPointMapEntriesToBuffer
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		mov	edi, esi
		jmp	short loc_944419
; 

loc_944416:				; CODE XREF: HvpAddDummyBinToHive(x,x,x,x)+28j
		mov	esi, [ebp+var_4]

loc_944419:				; CODE XREF: HvpAddDummyBinToHive(x,x,x,x)+93j
		test	esi, esi
		jz	short loc_944433
		push	ecx
		mov	edx, 1000h
		mov	ecx, esi
		call	_CmpProtectPool@12 ; CmpProtectPool(x,x,x)
		push	1000h
		push	esi
		call	dword ptr [ebx+10h]

loc_944433:				; CODE XREF: HvpAddDummyBinToHive(x,x,x,x)+9Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_HvpAddDummyBinToHive@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpApplyLogEntryDataToFileBackedHive(x, x, x, x, x,	x)
_HvpApplyLogEntryDataToFileBackedHive@24 proc near
					; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+108p
					; HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+18Dp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	ecx, [ecx+20h]
		xor	esi, esi
		mov	eax, [edx+10h]
		push	edi
		mov	edi, esi
		mov	[ecx+28h], eax
		cmp	[edx+14h], esi
		jbe	short loc_944498

loc_94445D:				; CODE XREF: HvpApplyLogEntryDataToFileBackedHive(x,x,x,x,x,x)+5Aj
		mov	eax, [ebp+arg_8]
		push	4
		mov	ecx, [eax+edi*8]
		mov	edx, ecx
		mov	ebx, [eax+edi*8+4]
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+arg_0]
		push	ebx
		call	HvpSetRangeProtection
		test	al, al
		jz	short loc_9444A9
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	[ebp+arg_C]
		call	_HvpCopyModifiedData@16	; HvpCopyModifiedData(x,x,x,x)
		mov	eax, [ebp+arg_4]
		add	esi, ebx
		add	[ebp+arg_C], ebx
		inc	edi
		cmp	edi, [eax+14h]
		jb	short loc_94445D

loc_944498:				; CODE XREF: HvpApplyLogEntryDataToFileBackedHive(x,x,x,x,x,x)+1Fj
		mov	ecx, [ebp+arg_14]
		mov	eax, 40000009h
		mov	[ecx], esi

loc_9444A2:				; CODE XREF: HvpApplyLogEntryDataToFileBackedHive(x,x,x,x,x,x)+72j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_9444A9:				; CODE XREF: HvpApplyLogEntryDataToFileBackedHive(x,x,x,x,x,x)+3Dj
		mov	eax, 0C000009Ah
		jmp	short loc_9444A2
_HvpApplyLogEntryDataToFileBackedHive@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpCopyModifiedData(x, x, x, x)
_HvpCopyModifiedData@16	proc near	; CODE XREF: HvpApplyLogEntryDataToFileBackedHive(x,x,x,x,x,x)+49p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		cmp	[ebp+arg_4], 0
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		jbe	short loc_944508
		push	edi
		mov	edi, [ebp+arg_0]
		sub	edi, esi

loc_9444CC:				; CODE XREF: HvpCopyModifiedData(x,x,x,x)+55j
		mov	edx, esi
		mov	ecx, ebx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		test	eax, eax
		jz	short loc_94450E
		push	1000h		; size_t
		lea	ecx, [edi+esi]
		push	ecx		; void *
		mov	ecx, [eax+4]
		and	ecx, 0FFFFFFF0h
		add	ecx, [eax]
		push	ecx		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		mov	ecx, 1000h
		add	eax, ecx
		add	esp, 0Ch
		add	esi, ecx
		mov	[ebp+var_4], eax
		cmp	eax, [ebp+arg_4]
		jb	short loc_9444CC
		pop	edi

loc_944508:				; CODE XREF: HvpCopyModifiedData(x,x,x,x)+14j
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_94450E:				; CODE XREF: HvpCopyModifiedData(x,x,x,x)+27j
		push	0C2Dh
		push	esi
		push	ebx
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall HvpMapHiveImage(x, x, x, x,	x)
_HvpMapHiveImage@20:			; CODE XREF: HvpMapHiveImageFromFile(x,x,x,x,x)+71p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		and	[ebp+var_10], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	eax, [ebx+1Ch]
		mov	[ebp+var_14], eax

loc_944542:				; CODE XREF: HvpCopyModifiedData(x,x,x,x)+B1j
					; HvpCopyModifiedData(x,x,x,x)+124j
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+arg_8]
		call	_HvpReadHiveDataFromFile@12 ; HvpReadHiveDataFromFile(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_944607
		xor	edi, edi
		cmp	[ebp+var_8], edi
		jbe	short loc_944542

loc_944563:				; CODE XREF: HvpCopyModifiedData(x,x,x,x)+122j
		mov	eax, [ebp+var_C]
		mov	edx, 1000h
		add	eax, edi
		mov	ecx, ebx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	31334D43h
		push	0
		call	_HvpAllocateBin@20 ; HvpAllocateBin(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9445D9
		mov	esi, 1000h
		push	esi		; size_t
		push	[ebp+var_18]	; void *
		push	[ebp+var_4]	; void *
		call	_memcpy
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	edx, esi
		push	2
		call	_ExProtectPool@12 ; ExProtectPool(x,x,x)
		mov	esi, [ebp+var_10]
		mov	ecx, ebx
		mov	edx, [ebp+var_4]
		push	0
		push	1
		push	esi
		push	1000h
		call	HvpPointMapEntriesToBuffer
		and	[ebp+var_4], 0
		mov	eax, 1000h
		add	esi, eax
		add	edi, eax
		mov	[ebp+var_10], esi
		cmp	edi, [ebp+var_8]
		jb	short loc_944563
		jmp	loc_944542
; 

loc_9445D9:				; CODE XREF: HvpCopyModifiedData(x,x,x,x)+D6j
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		push	10h
		push	esi
		push	7
		call	SetFailureLocation
		mov	edi, [ebp+var_4]
		test	edi, edi
		jz	short loc_944622
		push	ecx
		mov	edx, 1000h
		mov	ecx, edi
		call	_CmpProtectPool@12 ; CmpProtectPool(x,x,x)
		push	1000h
		push	edi
		call	dword ptr [ebx+10h]
		jmp	short loc_944622
; 

loc_944607:				; CODE XREF: HvpCopyModifiedData(x,x,x,x)+A6j
		cmp	esi, 0C0000011h
		jnz	short loc_944613
		xor	esi, esi
		jmp	short loc_944622
; 

loc_944613:				; CODE XREF: HvpCopyModifiedData(x,x,x,x)+15Dj
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		push	0
		push	esi
		push	7
		call	SetFailureLocation

loc_944622:				; CODE XREF: HvpCopyModifiedData(x,x,x,x)+13Dj
					; HvpCopyModifiedData(x,x,x,x)+155j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_HvpCopyModifiedData@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpMapHiveImageFromFile(x, x, x, x,	x)
_HvpMapHiveImageFromFile@20 proc near	; CODE XREF: HvLoadHive+189AC4p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], 1000h
		push	edi
		xor	edi, edi
		mov	[ebp+var_1C], esi
		mov	ecx, 200000h
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], eax
		cmp	eax, ecx
		jb	short loc_94465D
		mov	eax, ecx

loc_94465D:				; CODE XREF: HvpMapHiveImageFromFile(x,x,x,x,x)+2Ej
		mov	[ebp+var_C], eax

loc_944660:				; CODE XREF: HvpMapHiveImageFromFile(x,x,x,x,x)+60j
		push	6F494D43h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_944694
		mov	eax, [ebp+var_C]
		shr	eax, 1
		add	eax, 0FFFh
		and	eax, 0FFFFF000h
		mov	[ebp+var_C], eax
		cmp	eax, 10000h
		jnb	short loc_944660
		mov	esi, 0C0000017h
		jmp	short loc_9446B1
; 

loc_944694:				; CODE XREF: HvpMapHiveImageFromFile(x,x,x,x,x)+47j
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		push	ecx
		mov	ecx, esi
		call	_HvpMapHiveImage@20 ; HvpMapHiveImage(x,x,x,x,x)
		mov	esi, eax
		cmp	[ebp+var_10], edi
		jz	short loc_9446B1
		push	edi
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9446B1:				; CODE XREF: HvpMapHiveImageFromFile(x,x,x,x,x)+67j
					; HvpMapHiveImageFromFile(x,x,x,x,x)+7Bj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	0Ch
_HvpMapHiveImageFromFile@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpPerformLogFileRecovery(x, x, x, x)
_HvpPerformLogFileRecovery@16 proc near	; CODE XREF: HvLoadHive+189AE4p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_40]
		stosd
		mov	ebx, ecx
		xor	ecx, ecx
		mov	esi, edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_20], ecx
		stosd
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_18], ecx
		stosd
		mov	[ebp+var_14], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_10], esi
		stosd
		mov	eax, [ebx+20h]
		mov	edi, [eax+28h]
		mov	ecx, edi
		mov	[ebp+var_8], edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_4], ecx
		test	esi, esi
		jz	loc_94483C
		mov	eax, [ebp+arg_0]
		add	eax, 10h

loc_94470A:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+5Fj
		mov	edx, [eax]
		cmp	edx, ecx
		jbe	short loc_944712
		mov	ecx, edx

loc_944712:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+55j
		add	eax, 18h
		sub	esi, 1
		jnz	short loc_94470A
		mov	eax, [ebp+var_8]
		mov	[ebp+var_4], ecx
		cmp	ecx, eax
		jbe	loc_94483C
		test	dword ptr [ebx+64h], 8001h
		jnz	short loc_94478C
		push	1
		lea	eax, [ecx+1000h]
		xor	edx, edx
		push	esi
		push	eax
		mov	ecx, ebx
		call	CmpDoFileSetSizeEx
		mov	esi, eax
		test	esi, esi
		jns	short loc_94475D
		push	0

loc_94474C:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+E6j
					; HvpPerformLogFileRecovery(x,x,x,x)+104j ...
		push	esi
		push	1Bh
		xor	edx, edx
		mov	ecx, edi
		call	SetFailureLocation
		jmp	loc_944ACA
; 

loc_94475D:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+8Fj
		test	dword ptr [ebx+64h], 20000h
		jz	short loc_944786
		mov	edx, [ebp+var_4]
		lea	ecx, [ebx+0A0h]
		call	_HvpViewMapExtendStorage@8 ; HvpViewMapExtendStorage(x,x)
		test	eax, eax
		jns	short loc_944786
		push	10h
		push	eax
		push	1Bh
		xor	edx, edx
		mov	ecx, edi
		call	SetFailureLocation

loc_944786:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+ABj
					; HvpPerformLogFileRecovery(x,x,x,x)+BDj
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]

loc_94478C:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+76j
		push	ecx
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	HvpExpandMap
		mov	esi, eax
		test	esi, esi
		jns	short loc_9447A1
		push	20h
		jmp	short loc_94474C
; 

loc_9447A1:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+E2j
		mov	eax, [ebp+var_4]
		mov	ecx, ebx
		push	0
		mov	edx, eax
		mov	[ebx+0C8h], eax
		call	_HvpAdjustHiveFreeDisplay@12 ; HvpAdjustHiveFreeDisplay(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9447BF
		push	30h
		jmp	short loc_94474C
; 

loc_9447BF:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+100j
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		call	HvpGrowDirtyVectors
		mov	esi, eax
		test	esi, esi
		jns	short loc_9447D6
		push	40h
		jmp	loc_94474C
; 

loc_9447D6:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+114j
		test	dword ptr [ebx+64h], 20000h
		jz	short loc_9447EC
		mov	eax, [ebx+0A8h]
		sub	eax, 1000h
		jmp	short loc_9447EE
; 

loc_9447EC:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+124j
		xor	eax, eax

loc_9447EE:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+131j
		mov	ecx, [ebp+var_8]
		mov	[ebp+arg_4], eax
		cmp	ecx, eax
		jnb	short loc_944834
		sub	eax, ecx
		mov	edx, ecx
		push	eax
		mov	ecx, ebx
		call	_HvpMapHiveImageFromViewMap@12 ; HvpMapHiveImageFromViewMap(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_944811
		push	50h
		jmp	loc_94474C
; 

loc_944811:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+14Fj
		mov	ecx, [ebp+arg_4]
		jmp	short loc_944831
; 

loc_944816:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+17Ej
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		mov	ecx, ebx
		call	_HvpAddDummyBinToHive@16 ; HvpAddDummyBinToHive(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_944871
		mov	ecx, [ebp+var_8]
		add	ecx, 1000h

loc_944831:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+15Bj
		mov	[ebp+var_8], ecx

loc_944834:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+13Dj
		cmp	ecx, [ebp+var_4]
		jb	short loc_944816
		mov	ecx, [ebp+var_4]

loc_94483C:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+45j
					; HvpPerformLogFileRecovery(x,x,x,x)+69j
		mov	eax, ecx
		xor	ecx, ecx
		shr	eax, 9
		inc	ecx
		mov	esi, eax
		mov	[ebp+arg_4], eax
		shr	esi, 3
		add	esi, 3
		and	esi, 0FFFFFFFCh
		push	38334D43h
		mov	edx, esi
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jnz	short loc_944878
		mov	esi, 0C000009Ah
		push	70h
		jmp	loc_94474C
; 

loc_944871:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+16Dj
		push	60h
		jmp	loc_94474C
; 

loc_944878:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+1AAj
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	ecx, [ebp+arg_0]
		and	[ebp+arg_4], 0
		cmp	[ebp+var_10], 0
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_18]
		mov	[ebp+var_2C], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_28], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], eax
		jbe	loc_944948
		and	[ebp+var_1C], 0
		lea	edx, [ecx+4]
		mov	[ebp+var_8], edx

loc_9448B7:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+283j
		mov	eax, [edx]
		add	edx, 0FFFFFFFCh
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_40], ebx
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		push	dword ptr [ebx+10h]
		lea	eax, [ebp+var_40]
		push	dword ptr [ebx+0Ch]
		push	ebx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebx+20h]
		call	_HvApplyLogFile@48 ; HvApplyLogFile(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_944986
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_1C]
		mov	eax, [edx]
		mov	[ebp+var_14], eax
		shl	ax, cl
		or	[ebx+90h], ax
		cmp	[ebp+var_C], 0FFh
		mov	eax, [ebp+arg_4]
		jnb	short loc_944921
		mov	edx, [ebp+var_C]
		mov	[eax+ebx+92h], dl
		mov	edx, [ebp+var_8]
		jmp	short loc_944929
; 

loc_944921:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+257j
		mov	byte ptr [eax+ebx+92h],	0FFh

loc_944929:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+266j
		inc	eax
		add	edx, 18h
		add	ecx, 3
		mov	[ebp+arg_4], eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_1C], ecx
		cmp	eax, [ebp+var_10]
		jb	loc_9448B7
		mov	eax, [ebp+var_20]
		mov	[ebp+var_1C], eax

loc_944948:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+1EEj
		mov	eax, [ebx+20h]
		xor	edx, edx
		push	2
		mov	ecx, ebx
		push	dword ptr [eax+28h]
		call	HvpSetRangeProtection
		lea	esi, [ebx+3Ch]
		lea	edx, [ebp+var_30]
		mov	ecx, esi
		call	_RtlMergeBitMaps@8 ; RtlMergeBitMaps(x,x)
		push	esi
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	ecx, ebx
		mov	[ebx+44h], eax
		call	HvCheckAndUpdateHiveBackupTimeStamp
		mov	esi, eax
		test	esi, esi
		jns	short loc_944990
		push	90h
		jmp	loc_94474C
; 

loc_944986:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+232j
		push	80h
		jmp	loc_94474C
; 

loc_944990:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+2C1j
		mov	eax, [ebp+var_28]
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_1C]
		mov	[ebx+78h], eax
		imul	eax, [ebp+var_10], 18h
		mov	[ebx+6Ch], ecx
		mov	byte ptr [ebx+82h], 0
		cmp	byte ptr [eax+edx-4], 0
		jnz	short loc_9449E0
		mov	ecx, [ebp+var_14]
		mov	[ebx+68h], ecx
		mov	eax, [eax+edx-10h]
		mov	[ebx+70h], eax
		mov	eax, [ebp+var_24]
		mov	[ebx+74h], eax
		mov	byte ptr [ebx+80h], 1
		cmp	ecx, 1
		jz	loc_944AB4
		mov	byte ptr [ebx+81h], 1
		jmp	loc_944AB4
; 

loc_9449E0:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+2F6j
		mov	edx, [ebp+var_14]
		cmp	edx, 1
		jz	short loc_944A24
		xor	eax, eax
		push	4
		pop	esi
		cmp	edx, esi
		setz	al
		add	eax, esi
		mov	[ebx+68h], eax
		xor	eax, eax
		and	dword ptr [ebx+74h], 0
		cmp	edx, esi
		mov	[ebx+70h], ecx
		lea	ecx, [esi+7Ch]
		setnz	al
		add	eax, ecx
		mov	byte ptr [eax+ebx], 1
		mov	eax, [ebx+68h]
		cmp	eax, 1
		jz	short loc_944A1B
		cmp	eax, esi
		jz	short loc_944A1B
		inc	ecx

loc_944A1B:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+35Bj
					; HvpPerformLogFileRecovery(x,x,x,x)+35Fj
		mov	byte ptr [ecx+ebx], 0
		jmp	loc_944AB4
; 

loc_944A24:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+32Dj
		test	dword ptr [ebx+64h], 8001h
		jnz	loc_944AB4
		lea	esi, [ebx+2Ch]
		mov	edx, esi
		lea	ecx, [ebx+3Ch]
		call	_RtlMergeBitMaps@8 ; RtlMergeBitMaps(x,x)
		lea	eax, [ebx+3Ch]
		push	eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		push	esi
		mov	[ebx+44h], eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		and	dword ptr [ebx+34h], 0
		xor	dl, dl
		or	dword ptr [ebx+64h], 100h
		mov	ecx, ebx
		push	0
		call	HvWriteHivePrimaryFile
		mov	esi, eax
		test	esi, esi
		jns	short loc_944A76
		push	100h
		jmp	loc_94474C
; 

loc_944A76:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+3B1j
		mov	eax, [ebx+6Ch]
		mov	dl, 1
		push	0
		push	0
		mov	ecx, ebx
		mov	[ebx+78h], eax
		call	HvValidateOrInvalidatePrimaryFileHeader
		mov	esi, eax
		test	esi, esi
		jns	short loc_944A99
		push	110h
		jmp	loc_94474C
; 

loc_944A99:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+3D4j
		lea	eax, [ebx+3Ch]
		push	eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		and	dword ptr [ebx+44h], 0
		mov	ecx, ebx
		call	_HvResetLogFileStatusAll@4 ; HvResetLogFileStatusAll(x)
		mov	dword ptr [ebx+68h], 1

loc_944AB4:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+315j
					; HvpPerformLogFileRecovery(x,x,x,x)+322j ...
		mov	eax, [ebx+20h]
		mov	edx, [eax+28h]
		cmp	edx, [ebp+var_4]
		jnb	short loc_944AC8
		push	0
		mov	ecx, ebx
		call	HvFreeHivePartial

loc_944AC8:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+404j
		xor	esi, esi

loc_944ACA:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+9Fj
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_944AD6
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_944AD6:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+416j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_944AE4
		mov	ecx, eax
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_944AE4:				; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+422j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_HvpPerformLogFileRecovery@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpReadHiveDataFromFile(x, x, x)
_HvpReadHiveDataFromFile@12 proc near	; CODE XREF: HvpCopyModifiedData(x,x,x,x)+9Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[eax], ebx
		mov	eax, [ebp+arg_8]
		push	edi
		mov	[eax], ebx
		mov	edi, [esi+18h]
		sub	edi, [esi+14h]
		mov	eax, [esi+10h]
		cmp	edi, eax
		jbe	short loc_944B13
		mov	edi, eax

loc_944B13:				; CODE XREF: HvpReadHiveDataFromFile(x,x,x)+22j
		test	edi, edi
		jnz	short loc_944B1E
		mov	ebx, 0C0000011h
		jmp	short loc_944B4C
; 

loc_944B1E:				; CODE XREF: HvpReadHiveDataFromFile(x,x,x)+28j
		mov	eax, [esi]
		push	edi
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	eax
		call	dword ptr [eax+18h]
		test	eax, eax
		jns	short loc_944B39
		mov	ebx, 0C000014Dh
		jmp	short loc_944B4C
; 

loc_944B39:				; CODE XREF: HvpReadHiveDataFromFile(x,x,x)+43j
		mov	eax, [ebp+arg_4]
		add	[esi+8], edi
		add	[esi+14h], edi
		mov	ecx, [esi+0Ch]
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	[eax], edi

loc_944B4C:				; CODE XREF: HvpReadHiveDataFromFile(x,x,x)+2Fj
					; HvpReadHiveDataFromFile(x,x,x)+4Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
_HvpReadHiveDataFromFile@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpRecoverDataReadRoutine(x, x, x, x)
_HvpRecoverDataReadRoutine@16 proc near	; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+A4p
					; HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+66p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_4]
		add	eax, ebx
		push	esi
		push	edi
		xor	edi, edi
		cmp	eax, ebx
		jnb	short loc_944B7B
		test	eax, eax
		jz	short loc_944B7B

loc_944B71:				; CODE XREF: HvpRecoverDataReadRoutine(x,x,x,x)+51j
		mov	esi, 0C000000Dh
		jmp	loc_944C40
; 

loc_944B7B:				; CODE XREF: HvpRecoverDataReadRoutine(x,x,x,x)+16j
					; HvpRecoverDataReadRoutine(x,x,x,x)+1Aj
		mov	edx, [ebp+arg_0]
		mov	eax, [edx]
		mov	[ebp+var_8], eax
		mov	eax, [eax+4Ch]
		shl	eax, 9
		lea	ecx, [eax-1]
		add	eax, ebx
		not	ecx
		mov	esi, ecx
		and	esi, ebx
		mov	ebx, [ebp+arg_8]
		mov	[ebp+var_4], esi
		lea	esi, [ebx-1]
		add	esi, eax
		and	esi, ecx
		sub	esi, [ebp+var_4]
		cmp	esi, ebx
		jb	short loc_944B71
		mov	ebx, 10000h
		cmp	esi, ebx
		jb	short loc_944BB3
		mov	ebx, esi

loc_944BB3:				; CODE XREF: HvpRecoverDataReadRoutine(x,x,x,x)+5Aj
		mov	ecx, [edx+4]
		test	ecx, ecx
		jz	short loc_944BDB
		mov	eax, [edx+8]
		cmp	eax, ebx
		jb	short loc_944BC7
		mov	edi, ecx
		mov	ebx, eax
		jmp	short loc_944BCF
; 

loc_944BC7:				; CODE XREF: HvpRecoverDataReadRoutine(x,x,x,x)+6Aj
		call	_CmpFreePool@4	; CmpFreePool(x)
		mov	edx, [ebp+arg_0]

loc_944BCF:				; CODE XREF: HvpRecoverDataReadRoutine(x,x,x,x)+70j
		and	dword ptr [edx+4], 0
		and	dword ptr [edx+8], 0
		test	edi, edi
		jnz	short loc_944BFC

loc_944BDB:				; CODE XREF: HvpRecoverDataReadRoutine(x,x,x,x)+63j
		xor	ecx, ecx
		mov	edx, esi
		push	6F494D43h
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_944BF7
		mov	esi, 0C0000017h
		jmp	short loc_944C40
; 

loc_944BF7:				; CODE XREF: HvpRecoverDataReadRoutine(x,x,x,x)+99j
		mov	edx, [ebp+arg_0]
		mov	ebx, esi

loc_944BFC:				; CODE XREF: HvpRecoverDataReadRoutine(x,x,x,x)+84j
		mov	eax, [ebp+var_8]
		push	esi
		push	edi
		push	[ebp+var_4]
		push	dword ptr [edx+0Ch]
		push	eax
		call	dword ptr [eax+18h]
		mov	esi, eax
		test	esi, esi
		js	short loc_944C35
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	eax, [ebp+arg_4]
		mov	[ecx+4], edi
		mov	[ecx+8], ebx
		mov	ecx, [ebp+var_8]
		mov	ecx, [ecx+4Ch]
		shl	ecx, 9
		div	ecx
		mov	eax, [ebp+arg_C]
		add	edx, edi
		xor	edi, edi
		xor	esi, esi
		mov	[eax], edx

loc_944C35:				; CODE XREF: HvpRecoverDataReadRoutine(x,x,x,x)+BAj
		test	edi, edi
		jz	short loc_944C40
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_944C40:				; CODE XREF: HvpRecoverDataReadRoutine(x,x,x,x)+21j
					; HvpRecoverDataReadRoutine(x,x,x,x)+A0j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_HvpRecoverDataReadRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpSwapDual(x, x)
_HvpSwapDual@8	proc near		; CODE XREF: HvSwapHiveStorage(x,x)+1CFp

var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1B0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	eax, ecx
		mov	[ebp+var_1B0], edx
		push	edi
		push	67h
		pop	ecx
		mov	esi, eax
		mov	[ebp+var_1A4], eax
		lea	edi, [ebp+var_1A0]
		rep movsd
		lea	ecx, [ebp+var_10]
		lea	ebx, [eax+190h]
		mov	[ebp+var_1AC], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_1A8], ecx
		mov	[ebp+var_10], ecx
		mov	ecx, [ebx]
		cmp	ecx, ebx
		jz	short loc_944CCD
		mov	eax, [ebx+4]
		lea	esi, [ebp+var_10]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], eax
		mov	[ecx+4], esi
		mov	ecx, esi
		mov	[eax], ecx
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_1AC], eax
		mov	eax, [ebp+var_1A4]
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		mov	[ebp+var_1A8], ecx

loc_944CCD:				; CODE XREF: HvpSwapDual(x,x)+52j
		mov	esi, edx
		mov	edi, eax
		push	67h
		add	edx, 190h
		pop	ecx
		rep movsd
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		mov	esi, [edx]
		cmp	esi, edx
		jz	short loc_944D0C
		mov	eax, [edx+4]
		mov	[ebx+4], eax
		mov	[ebx], esi
		mov	[esi+4], ebx
		mov	[eax], ebx
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_1AC], eax
		mov	eax, [ebp+var_1A4]
		mov	[ebp+var_1A8], ecx

loc_944D0C:				; CODE XREF: HvpSwapDual(x,x)+9Cj
		mov	ebx, [ebp+var_1B0]
		lea	esi, [ebp+var_1A0]
		push	67h
		pop	ecx
		mov	edi, ebx
		rep movsd
		mov	ecx, [ebp+var_1A8]
		lea	esi, [ebp+var_10]
		mov	[edx+4], edx
		mov	[edx], edx
		cmp	ecx, esi
		jz	short loc_944D41
		mov	esi, [ebp+var_1AC]
		mov	[edx], ecx
		mov	[edx+4], esi
		mov	[ecx+4], edx
		mov	[esi], edx

loc_944D41:				; CODE XREF: HvpSwapDual(x,x)+E6j
		lea	edx, [ebx+8]
		cmp	[eax+4], edx
		jnz	short loc_944D57
		mov	ecx, [ebp+var_1A4]
		add	eax, 8
		mov	[ecx+4], eax
		mov	eax, ecx

loc_944D57:				; CODE XREF: HvpSwapDual(x,x)+FEj
		add	eax, 8
		cmp	[ebx+4], eax
		jnz	short loc_944D62
		mov	[ebx+4], edx

loc_944D62:				; CODE XREF: HvpSwapDual(x,x)+114j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_HvpSwapDual@8	endp


;  S U B	R O U T	I N E 


; __stdcall CmpFileFlush(x, x)
_CmpFileFlush@8	proc near		; CODE XREF: CmpSaveKeyByFileCopy(x,x)+FDp
					; CmpSaveKeyByFileCopy(x,x)+145p
		mov	ecx, [ecx+edx*4+400h]
		test	ecx, ecx
		jnz	short loc_944D7F
		xor	eax, eax
		retn
; 

loc_944D7F:				; CODE XREF: CmpFileFlush(x,x)+9j
		jmp	CmpDoFileFlush
_CmpFileFlush@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAbortRollbackPacket(x, x)
_CmpAbortRollbackPacket@8 proc near	; CODE XREF: CmpTryToRundownHive+176558p
					; CmpPerformUnloadKey+18B69Ap ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_C], edx
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		test	edx, edx
		jz	short loc_944D9F
		mov	[edx], cl

loc_944D9F:				; CODE XREF: CmpAbortRollbackPacket(x,x)+17j
		xor	edi, edi
		cmp	[ebx], ecx
		jbe	short loc_944E1C

loc_944DA5:				; CODE XREF: CmpAbortRollbackPacket(x,x)+96j
		mov	eax, [ebx+8]
		mov	eax, [eax+edi*4]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_944E17
		test	al, 1
		jz	short loc_944DC5
		and	eax, 0FFFFFFFEh
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	CmpRollbackLightWeightTransaction
		jmp	short loc_944DCE
; 

loc_944DC5:				; CODE XREF: CmpAbortRollbackPacket(x,x)+30j
		push	0
		push	eax
		call	ds:__imp__TmRollbackEnlistment@8 ; TmRollbackEnlistment(x,x)

loc_944DCE:				; CODE XREF: CmpAbortRollbackPacket(x,x)+3Fj
		mov	esi, eax
		test	esi, esi
		js	short loc_944DE3
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject
		mov	eax, [ebx+8]
		and	dword ptr [eax+edi*4], 0

loc_944DE3:				; CODE XREF: CmpAbortRollbackPacket(x,x)+4Ej
		cmp	esi, 0C0190015h
		jz	short loc_944DFB
		cmp	esi, 0C0190013h
		jz	short loc_944DFB
		cmp	esi, 0C0190016h
		jnz	short loc_944E07

loc_944DFB:				; CODE XREF: CmpAbortRollbackPacket(x,x)+65j
					; CmpAbortRollbackPacket(x,x)+6Dj
		mov	edx, [ebp+var_C]
		xor	esi, esi
		test	edx, edx
		jz	short loc_944E07
		mov	byte ptr [edx],	1

loc_944E07:				; CODE XREF: CmpAbortRollbackPacket(x,x)+75j
					; CmpAbortRollbackPacket(x,x)+7Ej
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		js	short loc_944E17
		test	esi, esi
		jns	short loc_944E17
		mov	ecx, esi
		mov	[ebp+var_8], ecx

loc_944E17:				; CODE XREF: CmpAbortRollbackPacket(x,x)+2Cj
					; CmpAbortRollbackPacket(x,x)+88j ...
		inc	edi
		cmp	edi, [ebx]
		jb	short loc_944DA5

loc_944E1C:				; CODE XREF: CmpAbortRollbackPacket(x,x)+1Fj
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn
_CmpAbortRollbackPacket@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpAddEnlistmentToRollbackPacket(x,	x)
_CmpAddEnlistmentToRollbackPacket@8 proc near ;	CODE XREF: CmSnapshotRMTxArray+11B6F0p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, edi
		mov	ecx, esi
		call	_CmpAddPointerToRollbackPacket@8 ; CmpAddPointerToRollbackPacket(x,x)
		mov	esi, eax
		cmp	esi, 0C0000718h
		jnz	short loc_944E53
		xor	esi, esi

loc_944E47:				; CODE XREF: CmpAddEnlistmentToRollbackPacket(x,x)+32j
		mov	ecx, edi
		call	ObfDereferenceObject

loc_944E4E:				; CODE XREF: CmpAddEnlistmentToRollbackPacket(x,x)+36j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
; 

loc_944E53:				; CODE XREF: CmpAddEnlistmentToRollbackPacket(x,x)+20j
		test	esi, esi
		js	short loc_944E47
		xor	esi, esi
		jmp	short loc_944E4E
_CmpAddEnlistmentToRollbackPacket@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpAddPointerToRollbackPacket(x, x)
_CmpAddPointerToRollbackPacket@8 proc near
					; CODE XREF: CmpAddEnlistmentToRollbackPacket(x,x)+13p
					; CmpAddUoWToRollbackPacket(x,x)+2Ap
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	edi, [esi]
		cmp	[esi+4], edi
		jnz	short loc_944E72
		mov	eax, 0C000009Ah
		jmp	short loc_944E91
; 

loc_944E72:				; CODE XREF: CmpAddPointerToRollbackPacket(x,x)+Ej
		xor	eax, eax
		mov	edx, eax
		test	edi, edi
		jz	short loc_944E89
		mov	ecx, [esi+8]

loc_944E7D:				; CODE XREF: CmpAddPointerToRollbackPacket(x,x)+2Cj
		cmp	[ecx], ebx
		jz	short loc_944E95
		inc	edx
		add	ecx, 4
		cmp	edx, edi
		jb	short loc_944E7D

loc_944E89:				; CODE XREF: CmpAddPointerToRollbackPacket(x,x)+1Dj
		mov	ecx, [esi+8]
		mov	[ecx+edi*4], ebx
		inc	dword ptr [esi]

loc_944E91:				; CODE XREF: CmpAddPointerToRollbackPacket(x,x)+15j
					; CmpAddPointerToRollbackPacket(x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_944E95:				; CODE XREF: CmpAddPointerToRollbackPacket(x,x)+24j
		mov	eax, 0C0000718h
		jmp	short loc_944E91
_CmpAddPointerToRollbackPacket@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpAddUoWToRollbackPacket(x, x)
_CmpAddUoWToRollbackPacket@8 proc near	; CODE XREF: CmpSnapshotTxOwnerArrayToRollbackPacket(x,x)+45p
					; CmpSnapshotTxOwnerArrayToRollbackPacket(x,x)+5Ep
		mov	edi, edi
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [ebx+1Ch]
		test	byte ptr [esi+18h], 80h
		jz	short loc_944EB8
		mov	esi, [esi+1Ch]
		mov	ecx, esi
		and	ecx, 0FFFFFFFEh
		jmp	short loc_944EBD
; 

loc_944EB8:				; CODE XREF: CmpAddUoWToRollbackPacket(x,x)+10j
		mov	esi, [esi+24h]
		mov	ecx, esi

loc_944EBD:				; CODE XREF: CmpAddUoWToRollbackPacket(x,x)+1Aj
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, esi
		mov	ecx, edi
		call	_CmpAddPointerToRollbackPacket@8 ; CmpAddPointerToRollbackPacket(x,x)
		mov	edi, eax
		cmp	edi, 0C0000718h
		jnz	short loc_944ED9
		xor	edi, edi
		jmp	short loc_944EE1
; 

loc_944ED9:				; CODE XREF: CmpAddUoWToRollbackPacket(x,x)+37j
		test	edi, edi
		js	short loc_944EE1
		xor	esi, esi
		mov	edi, esi

loc_944EE1:				; CODE XREF: CmpAddUoWToRollbackPacket(x,x)+3Bj
					; CmpAddUoWToRollbackPacket(x,x)+3Fj
		test	esi, esi
		jz	short loc_944EFE
		mov	ecx, [ebx+1Ch]
		test	byte ptr [ecx+18h], 80h
		jz	short loc_944EF6
		mov	ecx, [ecx+1Ch]
		and	ecx, 0FFFFFFFEh
		jmp	short loc_944EF9
; 

loc_944EF6:				; CODE XREF: CmpAddUoWToRollbackPacket(x,x)+50j
		mov	ecx, [ecx+24h]

loc_944EF9:				; CODE XREF: CmpAddUoWToRollbackPacket(x,x)+58j
		call	ObfDereferenceObject

loc_944EFE:				; CODE XREF: CmpAddUoWToRollbackPacket(x,x)+47j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_CmpAddUoWToRollbackPacket@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogTransactionAborted(x,	x, x, x)
_CmpLogTransactionAborted@16 proc near	; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+2D1p

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	ecx
		push	edx
		xor	edx, edx
		call	CmpLogTransactionAbortedWithChildName
		pop	ebp
		retn	8
_CmpLogTransactionAborted@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogTransactionAbortedByName(x, x, x, x)
_CmpLogTransactionAbortedByName@16 proc	near
					; CODE XREF: CmpLogTransactionAbortedWithChildName+118A6Ep

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_944FAD

loc_944F39:				; CODE XREF: CmpLogTransactionAbortedByName(x,x,x,x)+92j
		cmp	dword_6B2348, 4
		jbe	short loc_944FA8
		push	0
		push	1
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_944FA8
		lea	eax, [ebp+var_20]
		mov	[ebp+var_30], 2
		mov	[ebp+var_38], eax
		xor	ecx, ecx
		mov	eax, [edi+4]
		mov	[ebp+var_28], eax
		movzx	eax, word ptr [edi]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	ecx
		push	ecx
		push	offset dword_41A950
		push	offset dword_6B2348
		mov	[ebp+var_34], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_944FA8:				; CODE XREF: CmpLogTransactionAbortedByName(x,x,x,x)+27j
					; CmpLogTransactionAbortedByName(x,x,x,x)+39j
		sub	esi, 1
		jnz	short loc_944F39

loc_944FAD:				; CODE XREF: CmpLogTransactionAbortedByName(x,x,x,x)+1Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_CmpLogTransactionAbortedByName@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogTxrInitEvent(x, x, x)
_CmpLogTxrInitEvent@12 proc near	; CODE XREF: CmpInitCmRM+11D529p
					; CmpInitCmRM+11D5DCp ...

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [edx+9A4h]
		push	ebx
		mov	ebx, dword_6BC12C
		push	esi
		push	edi
		mov	edi, _EtwKernelProvRegHandle
		mov	esi, offset ??_C@_1EG@OMAKEJKM@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@ ; "\\"
		mov	[ebp+var_70], eax
		mov	eax, edi
		or	eax, ebx
		push	44h
		pop	ecx
		jz	loc_9450A1
		cmp	dword_6B179C, edx
		jz	short loc_945014
		mov	eax, [edx+4B0h]
		mov	cx, ax
		mov	esi, [edx+4B4h]
		mov	[ebp+var_6C], eax

loc_945014:				; CODE XREF: CmpLogTxrInitEvent(x,x,x)+42j
		mov	ax, cx
		and	[ebp+var_60], 0
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_64], eax
		movzx	eax, cx
		mov	ecx, [edx+20h]
		and	[ebp+var_58], 0
		mov	[ebp+var_4C], eax
		push	10h
		lea	eax, [ecx+94h]
		mov	[ebp+var_54], esi
		mov	[ebp+var_44], eax
		xor	esi, esi
		pop	edx
		lea	eax, [ecx+70h]
		mov	[ebp+var_5C], 2
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		push	esi
		push	offset _REG_EVENT_TXR_INIT
		push	ebx
		push	edi
		mov	[ebp+var_50], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9450A1:				; CODE XREF: CmpLogTxrInitEvent(x,x,x)+36j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpLogTxrInitEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRecoverEnlistment(x, x, x)
_CmpRecoverEnlistment@12 proc near	; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+9Ep

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	edx, [ebp+var_18]
		push	esi
		push	edi
		mov	[ebp+var_C], ecx
		lea	edi, [ebp+var_38]
		push	6
		xor	esi, esi
		xor	eax, eax
		pop	ecx
		rep stosd
		push	1
		mov	ecx, ebx
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		test	eax, eax
		js	short loc_94516B
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		push	eax
		push	1
		lea	edx, [ebx+10h]
		push	esi
		call	CmpTransSearchAddTransFromRm
		mov	edi, eax
		test	edi, edi
		js	short loc_945157
		lea	eax, [ebp+var_38]
		mov	[ebp+var_38], 18h
		push	eax
		mov	eax, [ebp+var_C]
		push	ebx
		mov	[ebp+var_34], esi
		mov	[ebp+var_2C], 240h
		push	dword ptr [eax+18h]
		lea	eax, [ebp+var_8]
		mov	[ebp+var_30], esi
		push	0F001Fh
		push	eax
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		call	_ZwOpenEnlistment@20 ; ZwOpenEnlistment(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_945157
		push	[ebp+var_10]
		push	[ebp+var_8]
		call	_ZwRecoverEnlistment@8 ; ZwRecoverEnlistment(x,x)
		push	[ebp+var_8]
		mov	edi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_945157:				; CODE XREF: CmpRecoverEnlistment(x,x,x)+55j
					; CmpRecoverEnlistment(x,x,x)+8Ej
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, edi

loc_94516B:				; CODE XREF: CmpRecoverEnlistment(x,x,x)+3Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpRecoverEnlistment@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpReserveRollbackPacketSpace(x, x)
_CmpReserveRollbackPacketSpace@8 proc near ; CODE XREF:	CmSnapshotRMTxArray+11B6CFp
					; CmpSnapshotTxOwnerArrayToRollbackPacket(x,x)+2Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		xor	edi, edi
		mov	eax, [esi+4]
		mov	ecx, [esi]
		sub	eax, ecx
		cmp	eax, edx
		jnb	short loc_9451EE
		lea	eax, [ecx+edx]
		xor	ecx, ecx
		push	ebx
		mov	edx, eax
		mov	[ebp+var_8], eax
		push	36344D43h
		shl	edx, 2
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9451B3
		mov	edi, 0C000009Ah
		jmp	short loc_9451ED
; 

loc_9451B3:				; CODE XREF: CmpReserveRollbackPacketSpace(x,x)+38j
		mov	eax, [esi]
		shl	eax, 2
		push	eax		; size_t
		push	dword ptr [esi+8] ; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		shl	eax, 2
		push	eax		; size_t
		mov	eax, [esi]
		push	edi		; int
		lea	eax, [ebx+eax*4]
		push	eax		; void *
		call	_memset
		mov	ecx, [esi+8]
		add	esp, 18h
		test	ecx, ecx
		jz	short loc_9451E4
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_9451E4:				; CODE XREF: CmpReserveRollbackPacketSpace(x,x)+6Bj
		mov	eax, [ebp+var_8]
		mov	[esi+8], ebx
		mov	[esi+4], eax

loc_9451ED:				; CODE XREF: CmpReserveRollbackPacketSpace(x,x)+3Fj
		pop	ebx

loc_9451EE:				; CODE XREF: CmpReserveRollbackPacketSpace(x,x)+19j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
_CmpReserveRollbackPacketSpace@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRetryBackOff(x)
_CmpRetryBackOff@4 proc	near		; CODE XREF: CmUnloadKey+18B9BDp
					; CmpSaveBootControlSet(x)+359p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		inc	dword ptr [esi]
		cmp	dword ptr [esi], 0Ah
		jbe	short loc_945220
		or	[ebp+var_4], 0FFFFFFFFh
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		push	0
		mov	[ebp+var_8], 0FF676980h
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		and	dword ptr [esi], 0

loc_945220:				; CODE XREF: CmpRetryBackOff(x)+Fj
		pop	esi
		leave
		retn
_CmpRetryBackOff@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRollbackTransactionArray(x, x, x, x)
_CmpRollbackTransactionArray@16	proc near ; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+2B0p
					; CmSetValueKey(x,x,x,x,x,x,x)+319p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	eax, ecx
		mov	[ebp+var_8], edx
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_C], eax
		xor	edi, edi
		mov	[ebp+var_4], ebx
		test	eax, eax
		jz	short loc_9452AF

loc_945241:				; CODE XREF: CmpRollbackTransactionArray(x,x,x,x)+7Bj
		mov	ebx, [edx+edi*4]
		test	bl, 1
		jz	short loc_945255
		and	ebx, 0FFFFFFFEh
		mov	ecx, ebx
		call	CmpRollbackLightWeightTransaction
		jmp	short loc_945264
; 

loc_945255:				; CODE XREF: CmpRollbackTransactionArray(x,x,x,x)+24j
		push	0
		push	ebx
		call	ds:__imp__TmRollbackEnlistment@8 ; TmRollbackEnlistment(x,x)
		mov	ebx, [ebp+var_8]
		mov	ebx, [ebx+edi*4]

loc_945264:				; CODE XREF: CmpRollbackTransactionArray(x,x,x,x)+30j
		mov	ecx, ebx
		mov	esi, eax
		call	ObfDereferenceObject
		mov	ebx, [ebp+var_4]
		test	esi, esi
		jns	short loc_945295
		test	ebx, ebx
		js	short loc_945295
		cmp	esi, 0C0190015h
		jz	short loc_945295
		cmp	esi, 0C0190013h
		jz	short loc_945295
		cmp	esi, 0C0190016h
		jz	short loc_945295
		mov	ebx, esi
		mov	[ebp+var_4], ebx

loc_945295:				; CODE XREF: CmpRollbackTransactionArray(x,x,x,x)+4Fj
					; CmpRollbackTransactionArray(x,x,x,x)+53j ...
		mov	eax, [ebp+var_C]
		inc	edi
		mov	edx, [ebp+var_8]
		cmp	edi, eax
		jb	short loc_945241
		test	eax, eax
		jz	short loc_9452AF
		push	36344D43h
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9452AF:				; CODE XREF: CmpRollbackTransactionArray(x,x,x,x)+1Cj
					; CmpRollbackTransactionArray(x,x,x,x)+7Fj
		mov	ecx, [ebp+arg_4]
		call	_CmpRetryBackOff@4 ; CmpRetryBackOff(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_CmpRollbackTransactionArray@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSnapshotTxOwnerArrayToRollbackPacket(x, x)
_CmpSnapshotTxOwnerArrayToRollbackPacket@8 proc	near
					; CODE XREF: CmpTryAcquireIXLockWithRollbackPacket(x,x,x)+31p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		mov	esi, [ebx]
		mov	[ebp+var_8], ebx
		test	esi, esi
		jnz	short loc_9452E0
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9452E0:				; CODE XREF: CmpSnapshotTxOwnerArrayToRollbackPacket(x,x)+19j
		and	esi, 7FFFFFFFh
		mov	ecx, eax
		mov	edx, esi
		call	_CmpReserveRollbackPacketSpace@8 ; CmpReserveRollbackPacketSpace(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_94532B
		xor	edi, edi
		mov	[ebp+var_C], edi
		cmp	esi, 1
		jnz	short loc_94530C
		mov	edx, [ebx+4]
		mov	ecx, [ebp+var_4]
		call	_CmpAddUoWToRollbackPacket@8 ; CmpAddUoWToRollbackPacket(x,x)
		jmp	short loc_94532B
; 

loc_94530C:				; CODE XREF: CmpSnapshotTxOwnerArrayToRollbackPacket(x,x)+3Dj
		mov	ebx, edi
		test	esi, esi
		jz	short loc_94532B
		mov	edi, [ebp+var_8]

loc_945315:				; CODE XREF: CmpSnapshotTxOwnerArrayToRollbackPacket(x,x)+66j
		mov	edx, [edi+4]
		mov	ecx, [ebp+var_4]
		mov	edx, [edx+ebx*4]
		call	_CmpAddUoWToRollbackPacket@8 ; CmpAddUoWToRollbackPacket(x,x)
		inc	ebx
		cmp	ebx, esi
		jb	short loc_945315
		mov	edi, [ebp+var_C]

loc_94532B:				; CODE XREF: CmpSnapshotTxOwnerArrayToRollbackPacket(x,x)+33j
					; CmpSnapshotTxOwnerArrayToRollbackPacket(x,x)+4Aj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpSnapshotTxOwnerArrayToRollbackPacket@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpTransMgrRollback(x, x)
_CmpTransMgrRollback@8 proc near	; CODE XREF: CmKtmNotification(x,x,x,x,x,x,x)+1EBp
					; CmKtmNotification(x,x,x,x,x,x,x)+2B4p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		mov	[ebp+var_4], ebx
		mov	[edi], ebx
		nop
		mov	ecx, offset _CmpTransactionListLock
		call	ExAcquireFastMutexUnsafe
		or	dword ptr [esi+18h], 2

loc_945362:				; CODE XREF: CmpTransMgrRollback(x,x)+48j
					; CmpTransMgrRollback(x,x)+7Cj
		push	ebx
		lea	edx, [ebp+var_4]
		lea	ecx, [esi+8]
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_9453B0
		mov	edx, [ecx+20h]
		test	dl, 1
		jnz	short loc_945362
		inc	dword ptr [edi]
		mov	eax, [ecx+24h]
		test	eax, eax
		jnz	short loc_945395
		cmp	[ecx+30h], ebx
		jnz	short loc_9453A8
		mov	eax, [ecx+18h]
		mov	eax, [eax+14h]
		mov	[ecx+30h], eax
		jmp	short loc_9453A8
; 

loc_945395:				; CODE XREF: CmpTransMgrRollback(x,x)+51j
		cmp	eax, 0Ch
		jnz	short loc_9453A8
		cmp	[ecx+34h], ebx
		jnz	short loc_9453A8
		mov	eax, [ecx+18h]
		mov	eax, [eax+14h]
		mov	[ecx+34h], eax

loc_9453A8:				; CODE XREF: CmpTransMgrRollback(x,x)+56j
					; CmpTransMgrRollback(x,x)+61j	...
		or	edx, 1
		mov	[ecx+20h], edx
		jmp	short loc_945362
; 

loc_9453B0:				; CODE XREF: CmpTransMgrRollback(x,x)+40j
		mov	ecx, offset _CmpTransactionListLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
_CmpTransMgrRollback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAddRemoveRMLogContainer(x, x)
_CmpAddRemoveRMLogContainer@8 proc near	; CODE XREF: CmpTransWriteLog+75561p
					; CmpTransWriteLog+755E1p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		and	[ebp+var_34], eax
		and	[ebp+var_2C], eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_38], eax
		mov	[ebp+var_30], eax
		cmp	edi, _CmRmSystem
		jnz	short loc_945408
		mov	eax, dword_6B179C
		mov	[ebp+var_3C], offset _CmpLogPath
		jmp	short loc_94542C
; 

loc_945408:				; CODE XREF: CmpAddRemoveRMLogContainer(x,x)+2Bj
		mov	ecx, [edi+30h]
		lea	edx, [ebp+var_38]
		mov	ecx, [ecx+400h]
		call	CmpQueryNameString
		mov	esi, eax
		test	esi, esi
		js	loc_9454D0
		lea	eax, [ebp+var_38]
		mov	[ebp+var_3C], eax
		mov	eax, [edi+30h]

loc_94542C:				; CODE XREF: CmpAddRemoveRMLogContainer(x,x)+39j
		mov	ecx, [eax+20h]
		lea	edx, [ebp+var_30]
		push	1
		add	ecx, 70h
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9454C1
		mov	ebx, [edi+24h]

loc_945445:				; CODE XREF: CmpAddRemoveRMLogContainer(x,x)+B3j
		cmp	ebx, 100h
		jnb	short loc_94548B
		lea	eax, [edi+28h]
		mov	edx, [ebp+var_3C]
		mov	ecx, [edi+34h]
		push	1
		push	eax
		push	ebx
		push	offset _CmpContainerSuffix
		push	offset _CmpLogExt
		lea	eax, [ebp+var_30]
		push	eax
		call	_CmpAddRemoveContainerToCLFSLog@32 ; CmpAddRemoveContainerToCLFSLog(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000035h
		jz	short loc_94547F
		cmp	esi, 0C00000BDh
		jnz	short loc_945482

loc_94547F:				; CODE XREF: CmpAddRemoveRMLogContainer(x,x)+A8j
		inc	ebx
		jmp	short loc_945445
; 

loc_945482:				; CODE XREF: CmpAddRemoveRMLogContainer(x,x)+B0j
		test	esi, esi
		js	short loc_9454C1
		inc	dword ptr [edi+24h]
		jmp	short loc_9454C1
; 

loc_94548B:				; CODE XREF: CmpAddRemoveRMLogContainer(x,x)+7Ej
		cmp	dword_6B2348, 5
		jbe	short loc_9454BC
		xor	esi, esi
		mov	edi, offset dword_6B2348
		push	esi
		push	1
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9454BC
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		push	esi
		push	esi
		push	offset dword_41AA3C
		push	edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9454BC:				; CODE XREF: CmpAddRemoveRMLogContainer(x,x)+C5j
					; CmpAddRemoveRMLogContainer(x,x)+DAj
		mov	esi, 0C000009Ah

loc_9454C1:				; CODE XREF: CmpAddRemoveRMLogContainer(x,x)+73j
					; CmpAddRemoveRMLogContainer(x,x)+B7j ...
		cmp	[ebp+var_2C], 0
		jz	short loc_9454D0
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_9454D0:				; CODE XREF: CmpAddRemoveRMLogContainer(x,x)+50j
					; CmpAddRemoveRMLogContainer(x,x)+F8j
		cmp	[ebp+var_34], 0
		jz	short loc_9454DF
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_9454DF:				; CODE XREF: CmpAddRemoveRMLogContainer(x,x)+107j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpAddRemoveRMLogContainer@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpRealignLogBuffers(x)
_CmpRealignLogBuffers@4	proc near	; CODE XREF: CmpRmReDoPhase(x,x,x)+EEp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, [esi+0Ch]
		lea	eax, [edx-1]	; switch 10 cases
		cmp	eax, 9
		ja	loc_945597	; default
		jmp	ds:off_94559C[eax*4] ; switch jump

loc_94550B:				; DATA XREF: PAGE:off_94559Co
		movzx	eax, word ptr [esi+20h]	; case 0x1
		lea	edx, [esi+34h]
		mov	ecx, eax
		mov	[esi+22h], ax
		mov	[esi+24h], edx
		lea	eax, [ecx+edx]
		mov	[esi+30h], eax
		mov	eax, [esi+4]
		sub	eax, ecx
		sub	eax, 34h
		mov	[esi+2Ch], eax
		pop	esi
		retn
; 

loc_94552E:				; CODE XREF: CmpRealignLogBuffers(x)+14j
					; DATA XREF: PAGE:off_94559Co
		movzx	eax, word ptr [esi+20h]	; case 0x3
		lea	ecx, [esi+3Ch]
		mov	[esi+24h], ecx
		add	ecx, eax
		mov	[esi+22h], ax
		movzx	eax, word ptr [esi+28h]
		mov	[esi+2Ch], ecx
		mov	[esi+2Ah], ax
		cmp	edx, 5
		jz	short loc_945597 ; default
		add	eax, ecx
		mov	[esi+38h], eax
		pop	esi
		retn
; 

loc_945555:				; CODE XREF: CmpRealignLogBuffers(x)+14j
					; DATA XREF: PAGE:off_94559Co
		lea	eax, [esi+2Ch]	; case 0x6

loc_945558:				; CODE XREF: CmpRealignLogBuffers(x)+78j
		mov	[esi+24h], eax
		mov	ax, [esi+20h]
		mov	[esi+22h], ax
		pop	esi
		retn
; 

loc_945565:				; CODE XREF: CmpRealignLogBuffers(x)+14j
					; DATA XREF: PAGE:off_94559Co
		lea	eax, [esi+30h]	; case 0x7
		jmp	short loc_945558
; 

loc_94556A:				; CODE XREF: CmpRealignLogBuffers(x)+14j
					; DATA XREF: PAGE:off_94559Co
		movzx	eax, word ptr [esi+20h]	; case 0x8
		lea	ecx, [esi+30h]
		mov	[esi+22h], ax
		add	eax, ecx
		mov	[esi+2Ch], eax
		jmp	short loc_945594
; 

loc_94557C:				; CODE XREF: CmpRealignLogBuffers(x)+14j
					; DATA XREF: PAGE:off_94559Co
		movzx	eax, word ptr [esi+20h]	; case 0x9
		lea	ecx, [esi+30h]
		mov	[esi+22h], ax
		add	eax, ecx
		mov	[esi+2Ch], eax
		mov	ax, [esi+28h]
		mov	[esi+2Ah], ax

loc_945594:				; CODE XREF: CmpRealignLogBuffers(x)+8Aj
		mov	[esi+24h], ecx

loc_945597:				; CODE XREF: CmpRealignLogBuffers(x)+Ej
					; CmpRealignLogBuffers(x)+5Cj
		pop	esi		; default
		retn
_CmpRealignLogBuffers@4	endp

; 
		align 4
off_94559C	dd offset loc_94550B	; DATA XREF: CmpRealignLogBuffers(x)+14r
		dd offset loc_94550B	; jump table for switch	statement
		dd offset loc_94552E
		dd offset loc_94552E
		dd offset loc_94552E
		dd offset loc_945555
		dd offset loc_945565
		dd offset loc_94556A
		dd offset loc_94557C
		dd offset loc_94556A

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRmAnalysisPhase(x, x, x)
_CmpRmAnalysisPhase@12 proc near	; CODE XREF: CmpRmRecover(x,x,x)+Fp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], eax
		push	edi
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], eax
		lea	edi, [esi+8]
		mov	[ebp+var_18], eax
		mov	ecx, [edi]
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	byte ptr [ebp+var_1], al
		mov	[ebp+var_C], eax
		cmp	ecx, edi
		jz	short loc_94561C
		mov	eax, [esi+0Ch]
		mov	[ecx+4], eax
		mov	ecx, [esi+0Ch]
		mov	eax, [edi]
		mov	[ecx], eax
		mov	eax, [edi]
		mov	[ebp+var_1C], eax
		mov	eax, [eax+4]
		mov	[edi+4], edi
		mov	[edi], edi
		jmp	short loc_94561F
; 

loc_94561C:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+3Aj
		mov	[ebp+var_1C], eax

loc_94561F:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+56j
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	3
		lea	eax, [ebp+arg_0]
		push	eax
		push	dword ptr [esi+38h]
		call	ds:__imp__ClfsReadLogRecord@36 ; ClfsReadLogRecord(x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9456EF
		xor	esi, esi

loc_945655:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+122j
		test	byte ptr [ebp+var_1], 1
		jz	short loc_9456B4
		cmp	[ebp+var_18], 28h
		jb	short loc_9456B4
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		push	eax
		push	1
		lea	edx, [edx+10h]
		push	esi
		call	CmpTransSearchAddTransFromRm
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9456EC
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	loc_945721
		mov	ecx, [ebp+var_8]
		cmp	dword ptr [ecx+8], 10h
		jnz	short loc_94569A
		or	dword ptr [eax+18h], 4
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_C]

loc_94569A:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+CAj
		cmp	dword ptr [ecx+8], 8
		jnz	short loc_9456AA
		or	dword ptr [eax+18h], 2
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_C]

loc_9456AA:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+DAj
		cmp	dword ptr [ecx+8], 4
		jnz	short loc_9456B4
		or	dword ptr [eax+18h], 1

loc_9456B4:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+95j
					; CmpRmAnalysisPhase(x,x,x)+9Bj ...
		lea	eax, [ebp+var_40]
		mov	byte ptr [ebp+var_1], 1
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		lea	eax, [ebp+var_1]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_14]
		call	ds:__imp__ClfsReadNextLogRecord@32 ; ClfsReadNextLogRecord(x,x,x,x,x,x,x,x)
		mov	ebx, eax
		cmp	ebx, 0C0000011h
		jz	short loc_945728
		test	ebx, ebx
		jns	loc_945655

loc_9456EC:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+B6j
					; CmpRmAnalysisPhase(x,x,x)+162j ...
		mov	esi, [ebp+var_10]

loc_9456EF:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+89j
		cmp	[ebp+var_14], 0
		jz	short loc_9456FE
		push	[ebp+var_14]
		call	ds:__imp__ClfsTerminateReadLog@4 ; ClfsTerminateReadLog(x)

loc_9456FE:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+12Fj
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jz	short loc_945718
		mov	edx, [ebp+var_20]
		mov	[edx], edi
		mov	eax, [esi+0Ch]
		mov	[ecx+4], eax
		mov	eax, [esi+0Ch]
		mov	[eax], ecx
		mov	[esi+0Ch], edx

loc_945718:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+13Fj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_945721:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+BDj
		mov	ebx, 0C0190002h
		jmp	short loc_9456EC
; 

loc_945728:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+11Ej
		mov	ebx, esi

loc_94572A:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+1A8j
		mov	[ebp+var_24], esi

loc_94572D:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+186j
		push	esi
		lea	edx, [ebp+var_24]
		mov	ecx, edi
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_9456EC
		mov	ecx, [eax+18h]
		test	cl, 1
		jz	short loc_94574C
		test	cl, 6
		jz	short loc_94572D

loc_94574C:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+181j
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_94576E
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_94576E
		mov	[edx], ecx
		push	72544D43h
		mov	[ecx+4], edx
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_94572A
; 

loc_94576E:				; CODE XREF: CmpRmAnalysisPhase(x,x,x)+18Dj
					; CmpRmAnalysisPhase(x,x,x)+194j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmpRmAnalysisPhase@12 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRmReDoPhase(x, x, x)
_CmpRmReDoPhase@12 proc	near		; CODE XREF: CmpRmRecover(x,x,x)+20p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		xor	eax, eax
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	byte ptr [ebp+var_1], al
		mov	[ebp+var_10], eax
		lea	eax, [ebx+8]
		push	esi
		push	edi
		cmp	[eax], eax
		jz	loc_9458CE
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	3
		lea	eax, [ebp+arg_0]
		push	eax
		push	dword ptr [ebx+38h]
		call	ds:__imp__ClfsReadLogRecord@36 ; ClfsReadLogRecord(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_9458BF
		xor	esi, esi

loc_9457DF:				; CODE XREF: CmpRmReDoPhase(x,x,x)+146j
		test	byte ptr [ebp+var_1], 1
		jz	loc_94588A
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		push	esi
		lea	edx, [edx+10h]
		mov	ecx, ebx
		call	CmpTransSearchAddTransFromRm
		test	eax, eax
		js	loc_94588A
		mov	edx, [ebp+var_14]
		mov	edi, [ebp+var_8]
		mov	[ebp+var_18], edi
		mov	[ebp+var_1C], edx
		cmp	edx, 28h
		jb	loc_9458BF
		cmp	[edi+0Ch], esi
		jge	short loc_94583F
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	edx
		mov	edx, edi
		call	_CmpDoReadTxRBigLogRecord@20 ; CmpDoReadTxRBigLogRecord(x,x,x,x,x)
		test	eax, eax
		js	loc_9458BF
		mov	edi, [ebp+var_18]
		mov	edx, [ebp+var_1C]

loc_94583F:				; CODE XREF: CmpRmReDoPhase(x,x,x)+A9j
		mov	ecx, edi
		call	_CmpVerifyLogRecord@8 ;	CmpVerifyLogRecord(x,x)
		test	eax, eax
		jns	short loc_94585F
		cmp	_KdDebuggerEnabled, 0
		jz	short loc_945870
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_945870
		int	3		; Trap to Debugger
		jmp	short loc_945870
; 

loc_94585F:				; CODE XREF: CmpRmReDoPhase(x,x,x)+D5j
		mov	ecx, edi
		call	_CmpRealignLogBuffers@4	; CmpRealignLogBuffers(x)
		mov	ecx, [ebp+var_10]
		mov	edx, edi
		call	_CmpDoReDoRecord@8 ; CmpDoReDoRecord(x,x)

loc_945870:				; CODE XREF: CmpRmReDoPhase(x,x,x)+DEj
					; CmpRmReDoPhase(x,x,x)+E7j ...
		test	eax, eax
		jns	short loc_94587B
		mov	eax, [ebp+var_10]
		or	dword ptr [eax+18h], 2

loc_94587B:				; CODE XREF: CmpRmReDoPhase(x,x,x)+FFj
		mov	eax, [ebp+var_8]
		cmp	[eax+0Ch], esi
		jge	short loc_94588A
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_94588A:				; CODE XREF: CmpRmReDoPhase(x,x,x)+70j
					; CmpRmReDoPhase(x,x,x)+8Bj ...
		lea	eax, [ebp+var_38]
		mov	byte ptr [ebp+var_1], 1
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		lea	eax, [ebp+var_1]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_C]
		call	ds:__imp__ClfsReadNextLogRecord@32 ; ClfsReadNextLogRecord(x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000011h
		jz	short loc_9458BF
		test	eax, eax
		jns	loc_9457DF

loc_9458BF:				; CODE XREF: CmpRmReDoPhase(x,x,x)+64j
					; CmpRmReDoPhase(x,x,x)+A0j ...
		cmp	[ebp+var_C], 0
		jz	short loc_9458CE
		push	[ebp+var_C]
		call	ds:__imp__ClfsTerminateReadLog@4 ; ClfsTerminateReadLog(x)

loc_9458CE:				; CODE XREF: CmpRmReDoPhase(x,x,x)+35j
					; CmpRmReDoPhase(x,x,x)+150j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_CmpRmReDoPhase@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRmRecover(x, x, x)
_CmpRmRecover@12 proc near		; CODE XREF: CmpStartRMLog+75897p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	[ebp+arg_4]
		mov	esi, ecx
		push	[ebp+arg_0]
		call	_CmpRmAnalysisPhase@12 ; CmpRmAnalysisPhase(x,x,x)
		test	eax, eax
		js	short loc_945901
		push	[ebp+arg_4]
		mov	ecx, esi
		push	[ebp+arg_0]
		call	_CmpRmReDoPhase@12 ; CmpRmReDoPhase(x,x,x)
		mov	ecx, esi
		call	_CmpRmUnDoPhase@4 ; CmpRmUnDoPhase(x)

loc_945901:				; CODE XREF: CmpRmRecover(x,x,x)+16j
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
_CmpRmRecover@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRmUnDoPhase(x)
_CmpRmUnDoPhase@4 proc near		; CODE XREF: CmpRmRecover(x,x,x)+27p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= dword	ptr -1Dh
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_44]
		push	6
		xor	eax, eax
		and	[ebp+var_28], eax
		and	[ebp+var_24], eax
		pop	ecx
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_1D+1]
		mov	byte ptr [ebp+var_1D], al
		rep stosd

loc_945939:				; CODE XREF: CmpRmUnDoPhase(x)+BCj
					; CmpRmUnDoPhase(x)+111j
		and	[ebp+var_2C], 0

loc_94593D:				; CODE XREF: CmpRmUnDoPhase(x)+92j
		push	0
		lea	edx, [ebp+var_2C]
		lea	ecx, [ebx+8]
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_945A22
		test	byte ptr [esi+18h], 2
		jnz	short loc_9459D4
		xor	eax, eax
		mov	[ebp+var_44], 18h
		push	eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		lea	eax, [esi+2Ch]
		push	eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_38], 200h
		push	eax
		push	1F003Fh
		lea	eax, [ebp+var_28]
		push	eax
		call	_ZwOpenTransaction@20 ;	ZwOpenTransaction(x,x,x,x,x)
		test	eax, eax
		js	short loc_94599B
		push	[ebp+var_28]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_94593D
; 

loc_94599B:				; CODE XREF: CmpRmUnDoPhase(x)+88j
		lea	eax, [ebp+var_1D]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_24]
		mov	ecx, ebx
		push	eax
		call	CmpTransMgrPrepare
		test	eax, eax
		js	short loc_9459BF
		lea	eax, [ebp+var_24]
		mov	edx, esi
		push	eax
		call	_CmpTransMgrCommit@12 ;	CmpTransMgrCommit(x,x,x)
		test	eax, eax
		jns	short loc_9459C8

loc_9459BF:				; CODE XREF: CmpRmUnDoPhase(x)+A7j
		or	dword ptr [esi+18h], 2
		jmp	loc_945939
; 

loc_9459C8:				; CODE XREF: CmpRmUnDoPhase(x)+B6j
		lea	ecx, [ebp+var_1D+1]
		call	CmpAttachToRegistryProcess
		push	4
		jmp	short loc_9459E8
; 

loc_9459D4:				; CODE XREF: CmpRmUnDoPhase(x)+51j
		lea	edx, [ebp+var_24]
		mov	ecx, esi
		call	_CmpTransMgrRollback@8 ; CmpTransMgrRollback(x,x)
		lea	ecx, [ebp+var_1D+1]
		call	CmpAttachToRegistryProcess
		push	8

loc_9459E8:				; CODE XREF: CmpRmUnDoPhase(x)+CBj
		pop	edx
		mov	ecx, esi
		call	_CmpTransMgrFreeVolatileData@8 ; CmpTransMgrFreeVolatileData(x,x)
		xor	edx, edx
		lea	ecx, [ebp+var_1D+1]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_945A1D
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_945A1D
		push	72544D43h
		mov	[eax], ecx
		push	esi
		mov	[ecx+4], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_945939
; 

loc_945A1D:				; CODE XREF: CmpRmUnDoPhase(x)+F8j
					; CmpRmUnDoPhase(x)+FFj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_945A22:				; CODE XREF: CmpRmUnDoPhase(x)+47j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpRmUnDoPhase@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmLockHiveSecurityShared(x)
_CmLockHiveSecurityShared@4 proc near	; CODE XREF: CmSaveMergedKeys(x,x,x,x)+179p
					; CmSaveMergedKeys(x,x,x,x)+1A7p
		add	ecx, 484h
		xor	edx, edx
		jmp	ExAcquirePushLockSharedEx
_CmLockHiveSecurityShared@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpIsShutdownRundownActive()
_CmpIsShutdownRundownActive@0 proc near	; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+18Ap
					; CmSetValueKey(x,x,x,x,x,x,x)+328p ...
		mov	eax, _CmpShutdownRundown
		and	al, 1
		retn
_CmpIsShutdownRundownActive@0 endp


;  S U B	R O U T	I N E 


; __stdcall CmpLockHashEntryByIndexExclusive(x,	x)
_CmpLockHashEntryByIndexExclusive@8 proc near
					; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+6Bp
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, edx
		xor	edx, edx
		push	edi
		mov	edi, ecx
		imul	eax, ebx, 0Ch
		mov	esi, [edi+434h]
		add	esi, eax
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, edi
		mov	[esi+4], eax
		call	_CmpReferenceHive@4 ; CmpReferenceHive(x)
		test	al, al
		jnz	short loc_945A86
		push	ebx
		push	0Bh
		push	edi
		push	17h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_945A86:				; CODE XREF: CmpLockHashEntryByIndexExclusive(x,x)+2Fj
		pop	edi
		pop	esi
		pop	ebx
		retn
_CmpLockHashEntryByIndexExclusive@8 endp ; sp =	-14h


;  S U B	R O U T	I N E 


; __stdcall CmpUnlockHashEntryByIndex(x, x)
_CmpUnlockHashEntryByIndex@8 proc near	; CODE XREF: CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+136p
					; CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)+189p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		imul	edx, 0Ch
		mov	ecx, [esi+434h]
		add	ecx, edx
		xor	edx, edx
		and	dword ptr [ecx+4], 0
		call	ExReleasePushLockEx
		or	eax, 0FFFFFFFFh
		lock xadd [esi+9D8h], eax
		jnz	short loc_945ABA
		mov	ecx, esi
		pop	esi
		jmp	_CmpDeleteHive@4 ; CmpDeleteHive(x)
; 

loc_945ABA:				; CODE XREF: CmpUnlockHashEntryByIndex(x,x)+26j
		pop	esi
		retn
_CmpUnlockHashEntryByIndex@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpWaitForShutdownRundownRelease()
_CmpWaitForShutdownRundownRelease@0 proc near ;	CODE XREF: CmShutdownSystem(x)+58p
		mov	edi, edi
		push	esi
		mov	esi, offset _CmpShutdownRundown
		mov	ecx, esi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, esi
		pop	esi
		jmp	@ExRundownCompleted@4 ;	ExRundownCompleted(x)
_CmpWaitForShutdownRundownRelease@0 endp


;  S U B	R O U T	I N E 


; __stdcall LockShutdownExclusive()
_LockShutdownExclusive@0 proc near	; CODE XREF: CmShutdownSystem(x)+67p
					; CmShutdownSystem(x)+1F4p
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _CmpShutdownLock
		jmp	ExAcquirePushLockExclusiveEx
_LockShutdownExclusive@0 endp


;  S U B	R O U T	I N E 


; __stdcall TryLockShutdownShared()
_TryLockShutdownShared@0 proc near	; CODE XREF: CmpSyncNextBackupHive()+1Ap
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		xor	ebx, ebx
		mov	edi, offset _CmpShutdownLock
		inc	ebx
		xor	edx, edx
		push	ebx
		mov	ecx, edi
		call	KeAbPreAcquire
		push	11h
		mov	esi, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [edi], ecx
		test	eax, eax
		jz	short loc_945B47
		mov	ecx, edi
		call	@ExfTryAcquirePushLockShared@4 ; ExfTryAcquirePushLockShared(x)
		test	al, al
		jnz	short loc_945B47
		test	esi, esi
		jz	short loc_945B37
		mov	edx, esi
		mov	ecx, edi
		call	KeAbPostReleaseEx

loc_945B37:				; CODE XREF: TryLockShutdownShared()+3Fj
		mov	ecx, large fs:124h
		xor	bl, bl
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	short loc_945B4F
; 

loc_945B47:				; CODE XREF: TryLockShutdownShared()+30j
					; TryLockShutdownShared()+3Bj
		test	esi, esi
		jz	short loc_945B4F
		or	byte ptr [esi+0Eh], 1

loc_945B4F:				; CODE XREF: TryLockShutdownShared()+58j
					; TryLockShutdownShared()+5Cj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
_TryLockShutdownShared@0 endp


;  S U B	R O U T	I N E 


; __stdcall HvClearBinTrimStatus(x, x)
_HvClearBinTrimStatus@8	proc near	; CODE XREF: HvFreeCell+187D23p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, [edx+4]
		mov	ebx, ecx
		push	edi
		mov	edi, [edx+8]
		add	edi, esi
		jmp	short loc_945B79
; 

loc_945B66:				; CODE XREF: HvClearBinTrimStatus(x,x)+26j
		mov	edx, esi
		mov	ecx, ebx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		and	dword ptr [eax+4], 0FFFFFFFBh
		add	esi, 1000h

loc_945B79:				; CODE XREF: HvClearBinTrimStatus(x,x)+Fj
		cmp	esi, edi
		jb	short loc_945B66
		pop	edi
		pop	esi
		pop	ebx
		retn
_HvClearBinTrimStatus@8	endp


;  S U B	R O U T	I N E 


; __stdcall HvpGetCellContextInitialize(x)
_HvpGetCellContextInitialize@4 proc near ; CODE	XREF: CmpDereferenceSecurityNode(x,x)+1Ap
					; CmpValueEnumStackEntryInitialize(x)+10j ...
		and	dword ptr [ecx], 0
		and	dword ptr [ecx+4], 0
		or	dword ptr [ecx], 0FFFFFFFFh
		retn
_HvpGetCellContextInitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpGetCellFlat(x, x, x)
_HvpGetCellFlat@12 proc	near		; DATA XREF: HvHiveStartMemoryBacked+38Ao

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_945BB0
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+20h]
		mov	eax, [ebp+arg_8]
		mov	[eax], edx
		lea	eax, [edx+1004h]
		add	eax, ecx
		pop	ebp
		retn	0Ch
; 

loc_945BB0:				; CODE XREF: HvpGetCellFlat(x,x,x)+Bj
		push	0FFFFFFFFh
		push	[ebp+arg_0]
		push	1
		push	32h
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall CmpCompareKeysByName(x, x)
_CmpCompareKeysByName@8:		; CODE XREF: CmpFindSubKeyByNumberFromMergedView(x,x,x,x,x,x,x,x,x)+2A2p
					; CmpKeyEnumStackAdvanceInternal(x)+80p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	ebx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	ax, [edx+2]
		push	esi
		and	ax, 20h
		lea	esi, [edx+4Ch]
		test	byte ptr [ecx+2], 20h
		push	edi
		lea	edi, [ecx+4Ch]
		movzx	ebx, ax
		jz	short loc_945C27
		movzx	eax, word ptr [edx+48h]
		movzx	ecx, word ptr [ecx+48h]
		test	bx, bx
		jz	short loc_945C0B
		push	eax
		mov	edx, ecx
		mov	ecx, edi
		push	esi
		call	CmpCompareTwoCompressedNames
		jmp	short loc_945C74
; 

loc_945C0B:				; CODE XREF: HvpGetCellFlat(x,x,x)+70j
		push	0
		push	ecx
		mov	edx, edi
		mov	[ebp+var_4], esi
		lea	ecx, [ebp+var_8]
		mov	word ptr [ebp+var_8], ax
		mov	word ptr [ebp+var_8+2],	ax
		call	_CmpCompareCompressedName@16 ; CmpCompareCompressedName(x,x,x,x)
		neg	eax
		jmp	short loc_945C74
; 

loc_945C27:				; CODE XREF: HvpGetCellFlat(x,x,x)+63j
		mov	[ebp+var_C], edi
		push	0
		test	bx, bx
		jz	short loc_945C4E
		mov	ax, [ecx+48h]
		lea	ecx, [ebp+var_10]
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		movzx	eax, word ptr [edx+48h]
		mov	edx, esi
		push	eax
		call	_CmpCompareCompressedName@16 ; CmpCompareCompressedName(x,x,x,x)
		jmp	short loc_945C74
; 

loc_945C4E:				; CODE XREF: HvpGetCellFlat(x,x,x)+A3j
		mov	ax, [edx+48h]
		lea	edx, [ebp+var_8]
		mov	word ptr [ebp+var_8], ax
		mov	word ptr [ebp+var_8+2],	ax
		mov	ax, [ecx+48h]
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_4], esi
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		call	CmpCompareUnicodeString

loc_945C74:				; CODE XREF: HvpGetCellFlat(x,x,x)+7Dj
					; HvpGetCellFlat(x,x,x)+99j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_HvpGetCellFlat@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCleanUpHigherLayerKcbCachesPostCallback(x, x, x)
_CmpCleanUpHigherLayerKcbCachesPostCallback@12 proc near
					; DATA XREF: CmRestoreKey(x,x,x,x)+690o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+10h]
		call	_CmpCleanUpKCBCacheTable@4 ; CmpCleanUpKCBCacheTable(x)
		cmp	dword ptr [esi], 1
		jnz	short loc_945C94
		or	word ptr [esi+4], 20h

loc_945C94:				; CODE XREF: CmpCleanUpHigherLayerKcbCachesPostCallback(x,x,x)+14j
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	0Ch
_CmpCleanUpHigherLayerKcbCachesPostCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCleanupDiscardReplacePost(x, x, x)
_CmpCleanupDiscardReplacePost@12 proc near
					; CODE XREF: CmpCleanupDiscardReplaceContext+181F02p
					; DATA XREF: CmpCleanupDiscardReplaceContext+181EE7o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		add	edi, 8
		mov	esi, [edi]
		cmp	[esi+4], edi
		jnz	short loc_945CE2
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_945CE2
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	[edi], eax
		push	0
		mov	[eax+4], edi
		call	CmpDereferenceKeyControlBlockWithLock
		mov	edx, [ebp+arg_4]
		lea	ecx, [esi-40h]
		push	0
		call	CmpDereferenceKeyControlBlockWithLock
		xor	eax, eax
		cmp	[edi], edi
		pop	edi
		setz	al
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_945CE2:				; CODE XREF: CmpCleanupDiscardReplacePost(x,x,x)+12j
					; CmpCleanupDiscardReplacePost(x,x,x)+19j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmpCleanupDiscardReplacePost@12 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPrepareDiscardReplacePre(x, x)
_CmpPrepareDiscardReplacePre@8 proc near
					; DATA XREF: CmpCleanupDiscardReplaceContext+181EECo
					; CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x,x)+14o ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		cmp	dword ptr [ecx+14h], 0FFFFFFFFh
		setz	al
		pop	ebp
		retn	8
_CmpPrepareDiscardReplacePre@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers(x, x, x)
_CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers@12 proc near
					; CODE XREF: CmDeleteLayeredKey(x,x,x)+256p
					; CmDeleteLayeredKey(x,x,x)+3F5p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		push	0
		push	1
		mov	esi, edx
		mov	edi, ecx
		push	esi
		push	[ebp+arg_0]
		mov	edx, offset _CmpPrepareDiscardReplacePre@8 ; CmpPrepareDiscardReplacePre(x,x)
		push	offset _CmpCommitDiscardReplacePost@12 ; CmpCommitDiscardReplacePost(x,x,x)
		call	_CmpEnumerateAllHigherLayerKcbs@28 ; CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)
		push	esi
		push	[ebp+arg_0]
		push	edi
		call	_CmpCommitDiscardReplacePost@12	; CmpCommitDiscardReplacePost(x,x,x)
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
_CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCommitDiscardReplacePost(x, x, x)
_CmpCommitDiscardReplacePost@12	proc near
					; CODE XREF: CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x,x)+28p
					; DATA XREF: CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x,x)+19o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	ecx, [ebp+arg_8]
		sub	esp, 0Ch
		add	ecx, 8
		push	ebx
		mov	eax, [ecx]
		push	esi
		push	edi
		cmp	[eax+4], ecx
		jnz	loc_945E58
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_945E58
		mov	esi, [ebp+arg_0]
		lea	ebx, [eax-40h]
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		mov	ax, [esi+22h]
		mov	[ebx+22h], ax
		mov	eax, [esi+6Ch]
		mov	[ebx+6Ch], eax
		xor	eax, eax
		and	dword ptr [esi+6Ch], 0
		mov	[esi+22h], ax
		mov	eax, [ebx+6Ch]
		mov	[eax+8], ebx
		mov	eax, [esi+14h]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_945DA7
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		mov	[ebx+14h], eax
		call	_CmpMarkKeyUnbacked@8 ;	CmpMarkKeyUnbacked(x,x)
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		call	_CmpRebuildKcbCache@8 ;	CmpRebuildKcbCache(x,x)

loc_945DA7:				; CODE XREF: CmpCommitDiscardReplacePost(x,x,x)+5Ej
		mov	ecx, esi
		call	_CmpDiscardKcb@4 ; CmpDiscardKcb(x)
		mov	esi, [ebx+10h]
		lea	edi, [ebx+8]
		push	dword ptr [edi]
		mov	ecx, esi
		call	_CmpGetHashIndexInHive@8 ; CmpGetHashIndexInHive(x,x)
		imul	ecx, eax, 0Ch
		add	ecx, [esi+434h]
		mov	esi, [ebp+arg_0]
		mov	eax, [ecx+8]
		mov	[ebx+0Ch], eax
		mov	[ecx+8], edi
		mov	ecx, [ebx+6Ch]
		lea	eax, [ecx+10h]
		mov	edi, [eax]

loc_945DDA:				; CODE XREF: CmpCommitDiscardReplacePost(x,x,x)+C4j
		cmp	edi, eax
		jz	short loc_945DF6
		mov	ecx, ebx
		call	CmpReferenceKeyControlBlockUnsafe
		mov	ecx, esi
		call	CmpDereferenceKeyControlBlockUnsafe
		mov	ecx, [ebx+6Ch]
		mov	edi, [edi]
		lea	eax, [ecx+10h]
		jmp	short loc_945DDA
; 

loc_945DF6:				; CODE XREF: CmpCommitDiscardReplacePost(x,x,x)+ACj
		lea	eax, [ecx+18h]
		mov	edi, [eax]
		jmp	short loc_945E13
; 

loc_945DFD:				; CODE XREF: CmpCommitDiscardReplacePost(x,x,x)+E5j
		mov	ecx, ebx
		call	CmpReferenceKeyControlBlockUnsafe
		mov	ecx, esi
		call	CmpDereferenceKeyControlBlockUnsafe
		mov	eax, [ebx+6Ch]
		mov	edi, [edi]
		add	eax, 18h

loc_945E13:				; CODE XREF: CmpCommitDiscardReplacePost(x,x,x)+CBj
		cmp	edi, eax
		jnz	short loc_945DFD
		xor	edi, edi
		mov	[esp+18h+var_8], esi
		push	edi
		lea	eax, [esp+1Ch+var_8]
		mov	[esp+1Ch+var_4], ebx
		mov	edx, [ebx+10h]
		mov	ecx, offset _CmpRefreshParent@16 ; CmpRefreshParent(x,x,x,x)
		push	eax
		push	[ebp+arg_4]
		call	_CmpSearchKeyControlBlockTreeEx@20 ; CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		push	edi
		call	CmpDereferenceKeyControlBlockWithLock
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		push	edi
		call	CmpDereferenceKeyControlBlockWithLock
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_945E58:				; CODE XREF: CmpCommitDiscardReplacePost(x,x,x)+19j
					; CmpCommitDiscardReplacePost(x,x,x)+24j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmpCommitDiscardReplacePost@12	endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpEnumerateAllHigherLayerKcbs(x, x, x, x, x, x, x)
_CmpEnumerateAllHigherLayerKcbs@28 proc	near
					; CODE XREF: CmpCleanupDiscardReplaceContext+181EF1p
					; CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x,x)+1Ep ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_8], edx
		push	esi
		push	edi
		xor	dl, dl
		mov	[ebp+var_10], eax
		mov	edi, [eax+6Ch]
		mov	[ebp+var_1], dl
		test	edi, edi
		jz	loc_945F62
		mov	esi, [edi+10h]
		lea	eax, [edi+10h]
		xor	cl, cl
		jmp	loc_945F5A
; 

loc_945E8D:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+FFj
		lea	eax, [edi+10h]
		cmp	esi, eax
		jnz	short loc_945EA0

loc_945E94:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+ECj
		mov	esi, edi
		mov	cl, 1
		mov	edi, [edi+0Ch]
		jmp	loc_945F51
; 

loc_945EA0:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+35j
		mov	ebx, [esi+8]
		mov	[ebp+var_C], esi
		test	cl, cl
		jnz	short loc_945F13
		cmp	[ebp+arg_C], cl
		jnz	short loc_945ED8
		xor	edx, edx
		lea	ecx, [ebx+18h]
		cmp	[ebp+arg_10], dl
		jz	short loc_945ECB
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		lea	ecx, [ebx+1Ch]
		mov	[ecx], eax
		jmp	short loc_945EDF
; 

loc_945ECB:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+5Aj
		call	ExAcquirePushLockSharedEx
		lea	ecx, [ebx+1Ch]
		lock inc dword ptr [ecx]
		jmp	short loc_945EDF
; 

loc_945ED8:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+50j
		mov	ecx, ebx
		call	CmpReferenceKeyControlBlock

loc_945EDF:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+6Cj
					; CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+79j
		push	[ebp+arg_8]
		push	ebx
		call	[ebp+var_8]
		cmp	eax, 1
		jnz	short loc_945EF3
		mov	esi, [esi+10h]
		mov	edi, [ebp+var_C]
		jmp	short loc_945F0E
; 

loc_945EF3:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+8Cj
		cmp	[ebp+arg_C], 0
		mov	ecx, ebx
		mov	esi, [esi]
		jnz	short loc_945F04
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		jmp	short loc_945F0E
; 

loc_945F04:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+9Ej
		mov	edx, [ebp+arg_4]
		push	0
		call	CmpDereferenceKeyControlBlockWithLock

loc_945F0E:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+94j
					; CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+A5j
		mov	dl, [ebp+var_1]
		jmp	short loc_945F4F
; 

loc_945F13:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+4Bj
		mov	esi, [esi]
		test	dl, dl
		jnz	short loc_945F2B
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	ebx
		call	[ebp+arg_0]
		cmp	eax, 1
		jnz	short loc_945F2B
		mov	[ebp+var_1], al

loc_945F2B:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+BAj
					; CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+C9j
		cmp	[ebp+arg_C], 0
		mov	ecx, ebx
		jnz	short loc_945F3A
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		jmp	short loc_945F44
; 

loc_945F3A:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+D4j
		mov	edx, [ebp+arg_4]
		push	0
		call	CmpDereferenceKeyControlBlockWithLock

loc_945F44:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+DBj
		mov	dl, [ebp+var_1]
		test	dl, dl
		jnz	loc_945E94

loc_945F4F:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+B4j
		xor	cl, cl

loc_945F51:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+3Ej
		mov	eax, [ebp+var_10]
		mov	eax, [eax+6Ch]
		add	eax, 10h

loc_945F5A:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+2Bj
		cmp	esi, eax
		jnz	loc_945E8D

loc_945F62:				; CODE XREF: CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)+1Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_CmpEnumerateAllHigherLayerKcbs@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs(x, x, x, x)
_CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs@16 proc near
					; CODE XREF: CmDeleteLayeredKey(x,x,x)+18Ap
					; CmDeleteLayeredKey(x,x,x)+3C2p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		mov	edx, offset _CmpFlushNotifiesPreCallback@8 ; CmpFlushNotifiesPreCallback(x,x)
		mov	eax, [ebp+arg_4]
		push	1
		push	eax
		mov	byte ptr [ebp+var_4+1],	al
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_0]
		mov	[ebp+var_8], 8
		push	offset _CmpFlushNotifiesPostCallback@12	; CmpFlushNotifiesPostCallback(x,x,x)
		mov	byte ptr [ebp+var_4], 1
		call	_CmpEnumerateAllHigherLayerKcbs@28 ; CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)
		leave
		retn	8
_CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFlushNotifiesPostCallback(x, x, x)
_CmpFlushNotifiesPostCallback@12 proc near
					; DATA XREF: CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs(x,x,x,x)+27o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		movzx	eax, byte ptr [edx+5]
		mov	edx, [edx]
		push	eax
		push	[ebp+arg_4]
		call	CmpFlushNotifiesOnKeyBodyList
		xor	eax, eax
		pop	ebp
		retn	0Ch
_CmpFlushNotifiesPostCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFlushNotifiesPreCallback(x, x)
_CmpFlushNotifiesPreCallback@8 proc near
					; DATA XREF: CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs(x,x,x,x)+Bo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+14h], 0FFFFFFFFh
		jz	short loc_945FDD
		mov	eax, [ebp+arg_4]
		cmp	byte ptr [eax+4], 0
		jz	short loc_945FDD
		xor	eax, eax
		jmp	short loc_945FE0
; 

loc_945FDD:				; CODE XREF: CmpFlushNotifiesPreCallback(x,x)+Cj
					; CmpFlushNotifiesPreCallback(x,x)+15j
		xor	eax, eax
		inc	eax

loc_945FE0:				; CODE XREF: CmpFlushNotifiesPreCallback(x,x)+19j
		pop	ebp
		retn	8
_CmpFlushNotifiesPreCallback@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpGetEffectiveKeyNodeSemantics(x, x)
_CmpGetEffectiveKeyNodeSemantics@8 proc	near
					; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+9Ap
					; CmpValueEnumStackStartFromKeyNodeStack(x,x)+A6p ...
		test	dword ptr [ecx+64h], 80000h
		jnz	short loc_945FF0
		xor	eax, eax
		retn
; 

loc_945FF0:				; CODE XREF: CmpGetEffectiveKeyNodeSemantics(x,x)+7j
		movzx	eax, byte ptr [edx+0Dh]
		and	eax, 3
		retn
_CmpGetEffectiveKeyNodeSemantics@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpInitializeDiscardReplaceContext(x)
_CmpInitializeDiscardReplaceContext@4 proc near	; CODE XREF: CmDeleteLayeredKey(x,x,x)+74p
		mov	edi, edi
		push	edi
		xor	eax, eax
		mov	edi, ecx
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ecx+8]
		mov	dword ptr [ecx+4], 0C0000001h
		mov	[eax+4], eax
		mov	[eax], eax
		pop	edi
		retn
_CmpInitializeDiscardReplaceContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpInvalidateAllHigherLayerKcbs(x, x, x, x)
_CmpInvalidateAllHigherLayerKcbs@16 proc near ;	CODE XREF: PAGE:00854FA8p
					; CmpSaveBootControlSet(x)+4A2p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	1
		push	1
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_4]
		mov	[ebp+var_8], edx
		mov	edx, offset _CmpCleanUpHigherLayerKcbCachesPreCallback@8 ; CmpCleanUpHigherLayerKcbCachesPreCallback(x,x)
		push	offset _CmpInvalidateAllHigherLayerKcbsPostCallback@12 ; CmpInvalidateAllHigherLayerKcbsPostCallback(x,x,x)
		call	_CmpEnumerateAllHigherLayerKcbs@28 ; CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)
		leave
		retn	8
_CmpInvalidateAllHigherLayerKcbs@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpInvalidateAllHigherLayerKcbsPostCallback(x, x, x)
_CmpInvalidateAllHigherLayerKcbsPostCallback@12	proc near
					; DATA XREF: CmpInvalidateAllHigherLayerKcbs(x,x,x,x)+20o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_8]
		push	0
		push	[ebp+arg_4]
		push	dword ptr [esi+4]
		mov	edx, [esi]
		call	_CmpInvalidateSubtree@20 ; CmpInvalidateSubtree(x,x,x,x,x)
		test	byte ptr [esi+4], 2
		jz	short loc_946085
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_CmpMarkKeyUnbacked@8 ;	CmpMarkKeyUnbacked(x,x)
		mov	edx, [esi]
		mov	ecx, [ebp+arg_0]
		push	1
		push	[ebp+arg_4]
		call	CmpFlushNotifiesOnKeyBodyList
		mov	ecx, [ebp+arg_0]
		call	_CmpDiscardKcb@4 ; CmpDiscardKcb(x)

loc_946085:				; CODE XREF: CmpInvalidateAllHigherLayerKcbsPostCallback(x,x,x)+1Fj
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	0Ch
_CmpInvalidateAllHigherLayerKcbsPostCallback@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpKeyNodeStackEntryPopulate(x, x, x)
_CmpKeyNodeStackEntryPopulate@12 proc near ; CODE XREF:	CmSaveKey(x,x,x,x)+2B3p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		lea	eax, [edi+0Ch]
		mov	[edi], edx
		push	eax
		push	esi
		push	edx
		mov	[edi+4], esi
		call	dword ptr [edx+4]
		mov	[edi+8], eax
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_CmpKeyNodeStackEntryPopulate@12 endp


;  S U B	R O U T	I N E 


; __stdcall CmpKeyNodeStackEntryReset(x)
_CmpKeyNodeStackEntryReset@4 proc near	; CODE XREF: CmpResetKeyNodeStack(x)+1Ap
					; CmpKeyEnumStackAdvanceInternal(x)+43p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		cmp	[esi+8], edi
		jz	short loc_9460C6
		mov	edx, [esi]
		lea	eax, [esi+0Ch]
		push	eax
		push	edx
		call	dword ptr [edx+8]

loc_9460C6:				; CODE XREF: CmpKeyNodeStackEntryReset(x)+Bj
		mov	[esi], edi
		xor	eax, eax
		mov	[esi+8], edi
		or	dword ptr [esi+4], 0FFFFFFFFh
		mov	[esi+0Ch], edi
		mov	[esi+10h], edi
		or	dword ptr [esi+0Ch], 0FFFFFFFFh
		pop	edi
		mov	[esi+10h], ax
		pop	esi
		retn
_CmpKeyNodeStackEntryReset@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogUnsupportedOperation(x)
_CmpLogUnsupportedOperation@4 proc near	; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+300p
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+34Ap ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		push	esi
		mov	esi, ecx
		xor	eax, eax
		inc	eax
		lea	ecx, _CmpUnsupportedOperationHits[esi*4]
		lock xadd [ecx], eax
		inc	eax
		cmp	eax, 7FFFFFFFh
		jnz	short loc_946120
		xor	edx, edx
		xchg	edx, [ecx]
		test	edx, edx
		jz	short loc_946120
		mov	ecx, esi
		call	_CmpSendUnsupportedOperationTelemetryEvent@8 ; CmpSendUnsupportedOperationTelemetryEvent(x,x)

loc_946120:				; CODE XREF: CmpLogUnsupportedOperation(x)+2Dj
					; CmpLogUnsupportedOperation(x)+35j
		cmp	dword_6B2348, 5
		jbe	short loc_94615F
		lea	eax, [esp+40h+var_3C]
		mov	[esp+40h+var_3C], esi
		mov	[esp+40h+var_18], eax
		xor	ecx, ecx
		lea	eax, [esp+40h+var_38]
		mov	[esp+40h+var_14], ecx
		push	eax
		push	3
		push	ecx
		push	ecx
		push	offset byte_41AACB
		push	offset dword_6B2348
		mov	[esp+58h+var_10], 4
		mov	[esp+58h+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_94615F:				; CODE XREF: CmpLogUnsupportedOperation(x)+45j
		mov	ecx, [esp+40h+var_4]
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_CmpLogUnsupportedOperation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPopulateKeyNodeStackFromKeyNodeStack(x, x)
_CmpPopulateKeyNodeStackFromKeyNodeStack@8 proc	near
					; CODE XREF: CmpSubtreeEnumeratorBeginForKeyNodeStack(x,x)+Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	eax, ecx
		push	esi
		mov	[ebp+var_4], eax
		movzx	esi, word ptr [ebx]
		test	si, si
		js	short loc_9461BE
		push	edi

loc_946187:				; CODE XREF: CmpPopulateKeyNodeStackFromKeyNodeStack(x,x)+4Cj
		mov	edx, esi
		mov	ecx, eax
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	ecx, ebx
		mov	edi, eax
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	edx, [eax+4]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_9461B4
		mov	ecx, [eax]
		lea	eax, [edi+0Ch]
		push	eax
		push	edx
		push	ecx
		mov	[edi], ecx
		mov	[edi+4], edx
		call	dword ptr [ecx+4]
		mov	[edi+8], eax

loc_9461B4:				; CODE XREF: CmpPopulateKeyNodeStackFromKeyNodeStack(x,x)+30j
		mov	eax, [ebp+var_4]
		dec	esi
		test	si, si
		jns	short loc_946187
		pop	edi

loc_9461BE:				; CODE XREF: CmpPopulateKeyNodeStackFromKeyNodeStack(x,x)+15j
		pop	esi
		pop	ebx
		leave
		retn
_CmpPopulateKeyNodeStackFromKeyNodeStack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPrepareDiscardAndReplaceKcbAndUnbackedHigherLayers(x, x)
_CmpPrepareDiscardAndReplaceKcbAndUnbackedHigherLayers@8 proc near
					; CODE XREF: CmDeleteLayeredKey(x,x,x)+105p
					; CmDeleteKey+1821C7p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, ecx
		push	edi
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], eax
		mov	edi, edx
		mov	[ebp+var_4], eax
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		push	eax
		push	1
		mov	[edi+4], eax
		mov	edx, offset _CmpPrepareDiscardReplacePre@8 ; CmpPrepareDiscardReplacePre(x,x)
		push	edi
		mov	eax, ecx
		mov	[edi], ebx
		push	eax
		push	offset _CmpPrepareDiscardReplacePost@12	; CmpPrepareDiscardReplacePost(x,x,x)
		mov	ecx, ebx
		call	_CmpEnumerateAllHigherLayerKcbs@28 ; CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)
		mov	esi, [edi+4]
		test	esi, esi
		js	short loc_946219
		push	edi
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		call	_CmpPrepareDiscardReplacePost@12 ; CmpPrepareDiscardReplacePost(x,x,x)
		mov	esi, [edi+4]
		test	esi, esi
		js	short loc_946219
		xor	esi, esi

loc_946219:				; CODE XREF: CmpPrepareDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x)+41j
					; CmpPrepareDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x)+53j
		xor	dl, dl
		lea	ecx, [ebp+var_8]
		call	CmpDrainDelayDerefContext
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmpPrepareDiscardAndReplaceKcbAndUnbackedHigherLayers@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPrepareDiscardReplacePost(x, x, x)
_CmpPrepareDiscardReplacePost@12 proc near
					; CODE XREF: CmpPrepareDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x)+49p
					; DATA XREF: CmpPrepareDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x)+30o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_4], 0
		push	esi
		call	CmpReferenceKeyControlBlock
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_4]
		call	_CmpCloneToUnbackedKcb@8 ; CmpCloneToUnbackedKcb(x,x)
		mov	esi, [ebp+arg_8]
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_946273
		mov	eax, [ebp+var_4]
		lea	ecx, [esi+8]
		mov	edx, [ecx+4]
		add	eax, 40h
		cmp	[edx], ecx
		jz	short loc_946267
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_946267:				; CODE XREF: CmpPrepareDiscardReplacePost(x,x,x)+36j
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		xor	ecx, ecx

loc_946273:				; CODE XREF: CmpPrepareDiscardReplacePost(x,x,x)+26j
		xor	eax, eax
		mov	[esi+4], ecx
		test	ecx, ecx
		pop	esi
		sets	al
		leave
		retn	0Ch
_CmpPrepareDiscardReplacePost@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPrepareToInvalidateAllHigherLayerKcbs(x,	x, x)
_CmpPrepareToInvalidateAllHigherLayerKcbs@12 proc near ; CODE XREF: PAGE:00854F7Cp
					; CmpSaveBootControlSet(x)+2E1p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], eax
		xor	ecx, ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_8]
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		push	1
		push	1
		lea	eax, [ebp+var_14]
		mov	edx, offset _CmpCleanUpHigherLayerKcbCachesPreCallback@8 ; CmpCleanUpHigherLayerKcbCachesPreCallback(x,x)
		push	eax
		mov	eax, ecx
		mov	ecx, esi
		push	eax
		push	offset _CmpPrepareToInvalidateAllHigherLayerKcbsPostCallback@12	; CmpPrepareToInvalidateAllHigherLayerKcbsPostCallback(x,x,x)
		call	_CmpEnumerateAllHigherLayerKcbs@28 ; CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)
		xor	dl, dl
		lea	ecx, [ebp+var_8]
		call	CmpDrainDelayDerefContext
		mov	eax, [ebp+var_14]
		pop	esi
		leave
		retn	4
_CmpPrepareToInvalidateAllHigherLayerKcbs@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPrepareToInvalidateAllHigherLayerKcbsPostCallback(x, x, x)
_CmpPrepareToInvalidateAllHigherLayerKcbsPostCallback@12 proc near
					; DATA XREF: CmpPrepareToInvalidateAllHigherLayerKcbs(x,x,x)+39o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_8]
		push	dword ptr [esi+4]
		mov	edx, [esi+8]
		call	_CmpPrepareForSubtreeInvalidation@12 ; CmpPrepareForSubtreeInvalidation(x,x,x)
		mov	ecx, 0C000022Dh
		cmp	eax, ecx
		jnz	short loc_946300
		mov	[esi], ecx

loc_9462F9:				; CODE XREF: CmpPrepareToInvalidateAllHigherLayerKcbsPostCallback(x,x,x)+2Bj
		xor	eax, eax

loc_9462FB:				; CODE XREF: CmpPrepareToInvalidateAllHigherLayerKcbsPostCallback(x,x,x)+32j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_946300:				; CODE XREF: CmpPrepareToInvalidateAllHigherLayerKcbsPostCallback(x,x,x)+1Ej
		test	eax, eax
		jns	short loc_9462F9
		mov	[esi], eax
		xor	eax, eax
		inc	eax
		jmp	short loc_9462FB
_CmpPrepareToInvalidateAllHigherLayerKcbsPostCallback@12 endp


;  S U B	R O U T	I N E 


; __stdcall CmpResetKeyNodeStack(x)
_CmpResetKeyNodeStack@4	proc near	; CODE XREF: CmpSubtreeEnumeratorReset(x)+35j
					; CmpKeyEnumStackReset(x)+Ep
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		xor	esi, esi
		cmp	ax, [edi]
		jg	short loc_946330

loc_94631A:				; CODE XREF: CmpResetKeyNodeStack(x)+23j
		mov	edx, esi
		mov	ecx, edi
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	ecx, eax
		call	_CmpKeyNodeStackEntryReset@4 ; CmpKeyNodeStackEntryReset(x)
		inc	esi
		cmp	si, [edi]
		jle	short loc_94631A

loc_946330:				; CODE XREF: CmpResetKeyNodeStack(x)+Dj
		pop	edi
		pop	esi
		retn
_CmpResetKeyNodeStack@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSendUnsupportedOperationTelemetryEvent(x, x)
_CmpSendUnsupportedOperationTelemetryEvent@8 proc near
					; CODE XREF: CmpFlushUnsupportedOperationTelemetry()+26p
					; CmpLogUnsupportedOperation(x)+39p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	dword_6B2348, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9463C6
		push	4000h
		xor	ebx, ebx
		mov	ecx, offset dword_6B2348
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9463C6
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_5C], edi
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_60]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset byte_41AAFB
		push	offset dword_6B2348
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_60], esi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_68], 1000000h
		mov	[ebp+var_64], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9463C6:				; CODE XREF: CmpSendUnsupportedOperationTelemetryEvent(x,x)+20j
					; CmpSendUnsupportedOperationTelemetryEvent(x,x)+36j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpSendUnsupportedOperationTelemetryEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpStartKeyNodeStack(x, x)
_CmpStartKeyNodeStack@8	proc near	; CODE XREF: CmpStartKeyNodeStackFromKcbStack(x,x,x)+Fp
					; CmpSubtreeEnumeratorStart(x,x)+B4p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		mov	[ebp+var_8], edi
		mov	edx, ecx
		mov	[ebp+var_4], edx
		cmp	di, 2
		jl	short loc_946452
		lea	eax, [edi-1]
		xor	ecx, ecx
		movzx	ebx, ax
		inc	ecx
		movsx	eax, bx
		imul	edx, eax, 14h
		push	39364D43h
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	edx, [ebp+var_4]
		mov	[edx+2Ch], eax
		test	eax, eax
		jnz	short loc_94641B
		mov	esi, 0C000009Ah
		jmp	short loc_946455
; 

loc_94641B:				; CODE XREF: CmpStartKeyNodeStack(x,x)+3Dj
		xor	eax, eax
		cmp	ax, bx
		jge	short loc_946452
		mov	ecx, esi

loc_946424:				; CODE XREF: CmpStartKeyNodeStack(x,x)+78j
		mov	eax, [edx+2Ch]
		xor	edi, edi
		mov	[ecx+eax], esi
		lea	ecx, [ecx+14h]
		mov	[ecx+eax-0Ch], esi
		or	dword ptr [ecx+eax-10h], 0FFFFFFFFh
		mov	[ecx+eax-8], esi
		mov	[ecx+eax-4], esi
		or	dword ptr [ecx+eax-8], 0FFFFFFFFh
		mov	[ecx+eax-4], di
		sub	ebx, 1
		jnz	short loc_946424
		mov	edi, [ebp+var_8]

loc_946452:				; CODE XREF: CmpStartKeyNodeStack(x,x)+1Aj
					; CmpStartKeyNodeStack(x,x)+4Bj
		mov	[edx], di

loc_946455:				; CODE XREF: CmpStartKeyNodeStack(x,x)+44j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmpStartKeyNodeStack@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSubtreeEnumeratorAdvance(x)
_CmpSubtreeEnumeratorAdvance@4 proc near ; CODE	XREF: CmRenameKey(x,x,x,x)+991p
					; CmRenameKey(x,x,x,x)+D3Fp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_14], ebx
		movzx	eax, word ptr [esi]
		mov	[ebp+var_10], ebx
		test	ax, ax
		js	short loc_9464CA

loc_94647C:				; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+6Cj
		cwde
		imul	edi, eax, 118h
		add	edi, [esi+38h]
		cmp	[edi], bl
		jnz	short loc_946499
		mov	edx, [edi+8]
		lea	ecx, [edi+1Ch]
		push	ebx
		call	_CmpKeyEnumStackBeginEnumerationForKeyNodeStack@12 ; CmpKeyEnumStackBeginEnumerationForKeyNodeStack(x,x,x)
		mov	byte ptr [edi],	1

loc_946499:				; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+2Cj
		lea	ecx, [edi+1Ch]
		call	_CmpKeyEnumStackAdvance@4 ; CmpKeyEnumStackAdvance(x)
		cmp	eax, 8000001Ah
		jnz	short loc_9464D6
		lea	ecx, [edi+1Ch]
		call	_CmpKeyEnumStackReset@4	; CmpKeyEnumStackReset(x)
		mov	[edi+8], ebx
		mov	[edi+4], ebx
		mov	[edi], bl
		mov	ax, [esi]
		dec	ax
		movzx	ecx, ax
		mov	[esi], ax
		mov	eax, ecx
		test	cx, cx
		jns	short loc_94647C

loc_9464CA:				; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+1Ej
		mov	ebx, 8000001Ah

loc_9464CF:				; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+15Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_9464D6:				; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+4Aj
		mov	ecx, [edi+4]
		test	ecx, ecx
		jnz	short loc_9464E4
		mov	eax, ebx
		jmp	loc_946591
; 

loc_9464E4:				; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+7Fj
		movzx	eax, word ptr [esi+2]
		movsx	edx, ax
		lfence	eax
		cmp	ax, 2
		jl	short loc_946500
		mov	eax, [ecx+0Ch]
		mov	ecx, [eax+edx*4-8]
		mov	[ebp+var_4], ecx
		jmp	short loc_946507
; 

loc_946500:				; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+96j
		mov	eax, [ecx+edx*4+4]
		mov	[ebp+var_4], eax

loc_946507:				; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+A2j
		movzx	edx, word ptr [esi+2]
		mov	eax, ebx
		test	dx, dx
		js	short loc_946529

loc_946512:				; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+C9j
		lea	ecx, [edi+24h]
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	eax, [eax+8]
		test	eax, eax
		jnz	short loc_946529
		dec	edx
		test	dx, dx
		jns	short loc_946512
		mov	eax, ebx

loc_946529:				; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+B4j
					; CmpSubtreeEnumeratorAdvance(x)+C3j
		test	byte ptr [eax+2], 20h
		lea	ecx, [eax+4Ch]
		mov	[ebp+var_10], ecx
		movzx	ecx, word ptr [eax+48h]
		mov	[ebp+var_8], ecx
		mov	word ptr [ebp+var_14], cx
		mov	word ptr [ebp+var_14+2], cx
		jz	short loc_94656E
		movzx	edx, cx
		mov	ecx, [ebp+var_10]
		call	_CmpHashCompressedComponent@8 ;	CmpHashCompressedComponent(x,x)
		mov	ecx, [ebp+var_4]
		push	[ebp+var_8]
		push	[ebp+var_10]
		imul	ecx, [ecx+8], 25h
		add	eax, ecx
		push	eax
		mov	eax, [ebp+var_4]
		mov	edx, eax
		mov	ecx, [eax+10h]
		call	_CmpFindKcbInHashEntryByCompressedName@20 ; CmpFindKcbInHashEntryByCompressedName(x,x,x,x,x)
		jmp	short loc_946591
; 

loc_94656E:				; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+E6j
		lea	ecx, [ebp+var_14]
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)
		mov	ecx, [ebp+var_4]
		imul	ecx, [ecx+8], 25h
		add	eax, ecx
		lea	ecx, [ebp+var_14]
		push	ecx
		push	eax
		mov	eax, [ebp+var_4]
		mov	edx, eax
		mov	ecx, [eax+10h]
		call	CmpFindKcbInHashEntryByName

loc_946591:				; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+83j
					; CmpSubtreeEnumeratorAdvance(x)+110j
		lea	ecx, [edi+24h]
		mov	[edi+120h], ecx
		test	eax, eax
		jz	short loc_9465B3
		lea	esi, [edi+0Ch]
		mov	edx, eax
		mov	ecx, esi
		call	_CmpPopulateKcbStack@8 ; CmpPopulateKcbStack(x,x)
		mov	[edi+11Ch], esi
		mov	esi, [ebp+var_C]

loc_9465B3:				; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+140j
		inc	word ptr [esi]
		jmp	loc_9464CF
_CmpSubtreeEnumeratorAdvance@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpSubtreeEnumeratorBeginForKcbStack(x, x)
_CmpSubtreeEnumeratorBeginForKcbStack@8	proc near ; CODE XREF: CmRenameKey(x,x,x,x)+D05p
					; CmpSubtreeEnumeratorStartForKcbStack(x,x)+19p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		lea	esi, [ebx+8]
		mov	[ebx+4], edi
		push	0
		mov	ecx, esi
		call	_CmpPopulateKeyNodeStackFromKcbStack@12	; CmpPopulateKeyNodeStackFromKcbStack(x,x,x)
		mov	eax, [ebx+38h]
		mov	[eax+4], edi
		mov	[eax+8], esi
		xor	eax, eax
		pop	edi
		pop	esi
		mov	[ebx], ax
		pop	ebx
		retn
_CmpSubtreeEnumeratorBeginForKcbStack@8	endp


;  S U B	R O U T	I N E 


; __stdcall CmpSubtreeEnumeratorBeginForKeyNodeStack(x,	x)
_CmpSubtreeEnumeratorBeginForKeyNodeStack@8 proc near
					; CODE XREF: CmpSubtreeEnumeratorStartForKeyNodeStack(x,x)+18p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+8]
		mov	ecx, esi
		call	_CmpPopulateKeyNodeStackFromKeyNodeStack@8 ; CmpPopulateKeyNodeStackFromKeyNodeStack(x,x)
		mov	eax, [edi+38h]
		and	dword ptr [eax+4], 0
		mov	[eax+8], esi
		xor	eax, eax
		mov	[edi], ax
		pop	edi
		pop	esi
		retn
_CmpSubtreeEnumeratorBeginForKeyNodeStack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSubtreeEnumeratorCleanup(x)
_CmpSubtreeEnumeratorCleanup@4 proc near ; CODE	XREF: CmRenameKey(x,x,x,x)+DE7p
					; CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+101p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		cmp	[esi+38h], edi
		jz	short loc_94664F
		mov	[ebp+var_4], 200h
		push	ebx

loc_946620:				; CODE XREF: CmpSubtreeEnumeratorCleanup(x)+3Dj
		mov	ebx, [esi+38h]
		mov	ecx, [ebx+edi+18h]
		test	ecx, ecx
		jz	short loc_946630
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_946630:				; CODE XREF: CmpSubtreeEnumeratorCleanup(x)+22j
		lea	ecx, [ebx+1Ch]
		add	ecx, edi
		call	_CmpKeyEnumStackCleanup@4 ; CmpKeyEnumStackCleanup(x)
		add	edi, 118h
		sub	[ebp+var_4], 1
		jnz	short loc_946620
		mov	ecx, [esi+38h]
		call	_CmpFreePool@4	; CmpFreePool(x)
		pop	ebx

loc_94664F:				; CODE XREF: CmpSubtreeEnumeratorCleanup(x)+Fj
		lea	ecx, [esi+8]
		call	CmpCleanupKeyNodeStack
		pop	edi
		pop	esi
		leave
		retn
_CmpSubtreeEnumeratorCleanup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSubtreeEnumeratorGetCurrentKeyStacks(x, x, x)
_CmpSubtreeEnumeratorGetCurrentKeyStacks@12 proc near ;	CODE XREF: CmRenameKey(x,x,x,x)+968p
					; CmRenameKey(x,x,x,x)+D1Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movsx	eax, word ptr [ecx]
		push	esi
		imul	esi, eax, 118h
		add	esi, [ecx+38h]
		test	edx, edx
		jz	short loc_946676
		mov	eax, [esi+4]
		mov	[edx], eax

loc_946676:				; CODE XREF: CmpSubtreeEnumeratorGetCurrentKeyStacks(x,x,x)+14j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_946682
		mov	eax, [esi+8]
		mov	[ecx], eax

loc_946682:				; CODE XREF: CmpSubtreeEnumeratorGetCurrentKeyStacks(x,x,x)+20j
		pop	esi
		pop	ebp
		retn	4
_CmpSubtreeEnumeratorGetCurrentKeyStacks@12 endp


;  S U B	R O U T	I N E 


; int __fastcall CmpSubtreeEnumeratorInitialize(void *)
_CmpSubtreeEnumeratorInitialize@4 proc near ; CODE XREF: CmRenameKey(x,x,x,x)+14Ap
		mov	edi, edi
		push	esi
		push	3Ch		; size_t
		mov	esi, ecx
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esi+8]
		push	0FFFFFFFEh
		pop	eax
		mov	[esi], ax
		pop	esi
		jmp	_CmpInitializeKeyNodeStack@4 ; CmpInitializeKeyNodeStack(x)
_CmpSubtreeEnumeratorInitialize@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpSubtreeEnumeratorReset(x)
_CmpSubtreeEnumeratorReset@4 proc near	; CODE XREF: CmRenameKey(x,x,x,x)+CF2p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		mov	ebx, 200h

loc_9466B6:				; CODE XREF: CmpSubtreeEnumeratorReset(x)+24j
		mov	ecx, [esi+38h]
		add	ecx, 1Ch
		add	ecx, edi
		call	_CmpKeyEnumStackReset@4	; CmpKeyEnumStackReset(x)
		add	edi, 118h
		sub	ebx, 1
		jnz	short loc_9466B6
		and	[esi+4], ebx
		lea	ecx, [esi+8]
		push	0FFFFFFFEh
		pop	eax
		pop	edi
		mov	[esi], ax
		pop	esi
		pop	ebx
		jmp	_CmpResetKeyNodeStack@4	; CmpResetKeyNodeStack(x)
_CmpSubtreeEnumeratorReset@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSubtreeEnumeratorStart(x, x)
_CmpSubtreeEnumeratorStart@8 proc near	; CODE XREF: CmpSubtreeEnumeratorStartForKcbStack(x,x)+Cp
					; CmpSubtreeEnumeratorStartForKeyNodeStack(x,x)+Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		push	31394D43h
		inc	ecx
		mov	[edi+2], dx
		mov	edx, 23000h
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	[edi+38h], eax
		test	eax, eax
		jnz	short loc_946713
		mov	eax, 0C000009Ah
		jmp	loc_94679D
; 

loc_946713:				; CODE XREF: CmpSubtreeEnumeratorStart(x,x)+25j
		push	ebx
		xor	ebx, ebx
		mov	ecx, 200h
		mov	eax, ebx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], eax
		push	esi

loc_946724:				; CODE XREF: CmpSubtreeEnumeratorStart(x,x)+74j
		mov	esi, [edi+38h]
		push	118h		; size_t
		add	esi, eax
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esi+1Ch]	; void *
		or	eax, 0FFFFFFFFh
		mov	[esi+0Eh], ax
		call	_CmpKeyEnumStackInitialize@4 ; CmpKeyEnumStackInitialize(x)
		mov	eax, [ebp+var_4]
		add	eax, 118h
		sub	[ebp+var_8], 1
		mov	[ebp+var_4], eax
		jnz	short loc_946724

loc_946758:				; CODE XREF: CmpSubtreeEnumeratorStart(x,x)+ABj
		mov	dx, [edi+2]
		movsx	eax, bx
		imul	esi, eax, 118h
		add	esi, [edi+38h]
		lea	ecx, [esi+0Ch]
		call	CmpStartKcbStack
		test	eax, eax
		js	short loc_94679B
		mov	dx, [edi+2]
		lea	ecx, [esi+1Ch]
		call	_CmpKeyEnumStackStart@8	; CmpKeyEnumStackStart(x,x)
		test	eax, eax
		js	short loc_94679B
		inc	ebx
		mov	eax, 200h
		cmp	bx, ax
		jl	short loc_946758
		mov	dx, [edi+2]
		lea	ecx, [edi+8]
		call	_CmpStartKeyNodeStack@8	; CmpStartKeyNodeStack(x,x)

loc_94679B:				; CODE XREF: CmpSubtreeEnumeratorStart(x,x)+90j
					; CmpSubtreeEnumeratorStart(x,x)+A0j
		pop	esi
		pop	ebx

loc_94679D:				; CODE XREF: CmpSubtreeEnumeratorStart(x,x)+2Cj
		pop	edi
		leave
		retn
_CmpSubtreeEnumeratorStart@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpSubtreeEnumeratorStartForKcbStack(x, x)
_CmpSubtreeEnumeratorStartForKcbStack@8	proc near ; CODE XREF: CmRenameKey(x,x,x,x)+945p
					; CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+95p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	dx, [esi+2]
		call	_CmpSubtreeEnumeratorStart@8 ; CmpSubtreeEnumeratorStart(x,x)
		test	eax, eax
		js	short loc_9467C0
		mov	edx, esi
		mov	ecx, edi
		call	_CmpSubtreeEnumeratorBeginForKcbStack@8	; CmpSubtreeEnumeratorBeginForKcbStack(x,x)
		xor	eax, eax

loc_9467C0:				; CODE XREF: CmpSubtreeEnumeratorStartForKcbStack(x,x)+13j
		pop	edi
		pop	esi
		retn
_CmpSubtreeEnumeratorStartForKcbStack@8	endp


;  S U B	R O U T	I N E 


; __stdcall CmpSubtreeEnumeratorStartForKeyNodeStack(x,	x)
_CmpSubtreeEnumeratorStartForKeyNodeStack@8 proc near
					; CODE XREF: CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)+9Ep
					; CmpPromoteSubtree(x,x,x)+5Ep
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	dx, [esi]
		call	_CmpSubtreeEnumeratorStart@8 ; CmpSubtreeEnumeratorStart(x,x)
		test	eax, eax
		js	short loc_9467E2
		mov	edx, esi
		mov	ecx, edi
		call	_CmpSubtreeEnumeratorBeginForKeyNodeStack@8 ; CmpSubtreeEnumeratorBeginForKeyNodeStack(x,x)
		xor	eax, eax

loc_9467E2:				; CODE XREF: CmpSubtreeEnumeratorStartForKeyNodeStack(x,x)+12j
		pop	edi
		pop	esi
		retn
_CmpSubtreeEnumeratorStartForKeyNodeStack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLogFailureToGetFileSize(x, x, x)
_CmpLogFailureToGetFileSize@12 proc near ; CODE	XREF: PAGE:0088899Ap
					; PAGE:008889D8p ...

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5D		= dword	ptr -5Dh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	dword_6B2348, 5
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		jbe	short loc_94687C
		push	4000h
		xor	esi, esi
		mov	edi, offset dword_6B2348
		push	esi
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_94687C
		lea	eax, [ebp+var_5D]
		mov	byte ptr [ebp+var_5D], bl
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_5D+1]
		push	eax
		push	5
		push	esi
		push	esi
		push	offset byte_41AB4D
		push	edi
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], 1
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], 4
		mov	[ebp+var_20], esi
		mov	[ebp+var_6C], 1000000h
		mov	[ebp+var_68], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], 8
		mov	[ebp+var_10], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_94687C:				; CODE XREF: CmpLogFailureToGetFileSize(x,x,x)+1Ej
					; CmpLogFailureToGetFileSize(x,x,x)+36j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpLogFailureToGetFileSize@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvExtendHivePrimaryFileValidDataLength(x, x, x)
_HvExtendHivePrimaryFileValidDataLength@12 proc	near ; CODE XREF: CmpFlushHive+17DA87p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		push	edi
		push	[ebp+arg_0]
		lea	eax, [edx-4]
		mov	[ebp+var_4], 0FEFEFEFEh
		mov	[ebp+var_10], eax
		mov	edi, ecx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], 4
		push	1
		mov	[ebp+var_C], eax
		xor	esi, esi
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		push	edi
		call	dword ptr [edi+14h]
		test	eax, eax
		js	short loc_9468D4
		xor	edx, edx
		mov	ecx, edi
		call	CmpFileFlushAndPurge
		test	eax, eax
		jns	short loc_9468D9

loc_9468D4:				; CODE XREF: HvExtendHivePrimaryFileValidDataLength(x,x,x)+38j
		mov	esi, 0C000014Dh

loc_9468D9:				; CODE XREF: HvExtendHivePrimaryFileValidDataLength(x,x,x)+45j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
_HvExtendHivePrimaryFileValidDataLength@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvFoldBackDirtyData(x)
_HvFoldBackDirtyData@4 proc near	; CODE XREF: CmpFlushHive+17DB1Cp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	dword ptr [esi+450h], 0
		jz	short loc_946964
		mov	eax, [esi+44Ch]
		lea	edi, [esi+28h]
		xor	edx, edx
		mov	[ebp+var_4], eax
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		xor	ebx, ebx
		cmp	[ebp+var_4], ebx
		jbe	short loc_946949
		push	8
		pop	edi

loc_946914:				; CODE XREF: HvFoldBackDirtyData(x)+63j
		mov	eax, [esi+450h]
		mov	edx, ebx
		shr	edx, 5
		mov	ecx, ebx
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		sar	eax, cl
		test	al, 1
		jz	short loc_94693A
		push	0
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	HvpMarkDirty

loc_94693A:				; CODE XREF: HvFoldBackDirtyData(x)+4Aj
		inc	ebx
		add	edi, 200h
		cmp	ebx, [ebp+var_4]
		jb	short loc_946914
		lea	edi, [esi+28h]

loc_946949:				; CODE XREF: HvFoldBackDirtyData(x)+2Ej
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_94695D
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_94695D:				; CODE XREF: HvFoldBackDirtyData(x)+73j
		mov	ecx, edi
		call	KeAbPostRelease

loc_946964:				; CODE XREF: HvFoldBackDirtyData(x)+12j
		mov	ecx, esi
		call	_HvFreeDirtyData@4 ; HvFreeDirtyData(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_HvFoldBackDirtyData@4 endp


;  S U B	R O U T	I N E 


; __stdcall HvFoldBackUnreconciledData(x)
_HvFoldBackUnreconciledData@4 proc near	; CODE XREF: CmpFlushHive:loc_8D18EAp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+3Ch]
		lea	edx, [edi+46Ch]
		mov	ecx, esi
		call	_RtlMergeBitMaps@8 ; RtlMergeBitMaps(x,x)
		push	esi
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		cmp	byte ptr [edi+468h], 0
		mov	[edi+44h], eax
		jz	short loc_94699F
		mov	byte ptr [edi+83h], 1

loc_94699F:				; CODE XREF: HvFoldBackUnreconciledData(x)+26j
		mov	ecx, edi
		pop	edi
		pop	esi
		jmp	_HvFreeUnreconciledData@4 ; HvFreeUnreconciledData(x)
_HvFoldBackUnreconciledData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvWriteExternal(x)
_HvWriteExternal@4 proc	near		; CODE XREF: CmSaveKey(x,x,x,x)+317p
					; CmSaveMergedKeys(x,x,x,x)+2DEp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		push	ebx
		push	edi
		lea	edi, [ebp+var_18]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		xor	edi, edi
		cmp	[ebx+408h], edi
		jnz	short loc_9469D0
		mov	eax, 0C000000Dh
		jmp	loc_946B37
; 

loc_9469D0:				; CODE XREF: HvWriteExternal(x)+1Cj
		mov	eax, [ebx+0C8h]
		push	esi
		push	edi
		push	edi
		mov	[ebp+var_4], eax
		add	eax, 1000h
		push	eax
		push	2
		pop	edx
		call	CmpDoFileSetSizeEx
		mov	[ebp+var_8], eax
		test	eax, eax
		js	loc_946B36
		mov	esi, edi
		cmp	[ebp+var_4], esi
		jbe	short loc_946A2B

loc_9469FC:				; CODE XREF: HvWriteExternal(x)+7Ej
		mov	edx, esi
		mov	ecx, ebx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		test	eax, eax
		jz	short loc_946A69
		mov	eax, [eax+4]
		and	eax, 0FFFFFFF0h
		mov	eax, [eax+8]
		add	esi, eax
		cmp	esi, [ebx+0C8h]
		ja	short loc_946A5F
		test	eax, 0FFFh
		jnz	short loc_946A5F
		cmp	esi, [ebp+var_4]
		jb	short loc_9469FC
		mov	eax, [ebp+var_8]

loc_946A2B:				; CODE XREF: HvWriteExternal(x)+52j
		cmp	esi, [ebx+0C8h]
		jb	loc_946B36
		push	20204D43h
		mov	eax, 1000h
		push	eax
		push	5
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], esi
		test	esi, esi
		jnz	short loc_946A79
		mov	eax, 0C000009Ah
		jmp	loc_946B36
; 

loc_946A5F:				; CODE XREF: HvWriteExternal(x)+72j
					; HvWriteExternal(x)+79j
		mov	edi, 0C000014Ch
		jmp	loc_946B34
; 

loc_946A69:				; CODE XREF: HvWriteExternal(x)+5Fj
		push	0CE4h

loc_946A6E:				; CODE XREF: HvWriteExternal(x)+198j
		push	esi
		push	ebx
		push	1
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_946A79:				; CODE XREF: HvWriteExternal(x)+ABj
		mov	ecx, 1000h
		push	ecx		; size_t
		push	dword ptr [ebx+20h] ; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	ecx, esi
		mov	[esi+28h], eax
		mov	dword ptr [esi+2Ch], 1
		call	_HvpHeaderCheckSum@4 ; HvpHeaderCheckSum(x)
		push	edi
		mov	[esi+1FCh], eax
		lea	eax, [ebp+var_18]
		push	1
		push	eax
		push	2
		push	ebx
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 1000h
		call	dword ptr [ebx+14h]
		push	edi
		push	[ebp+var_C]
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jns	short loc_946AD2
		mov	eax, 0C000014Dh
		jmp	short loc_946B36
; 

loc_946AD2:				; CODE XREF: HvWriteExternal(x)+121j
		mov	esi, edi
		cmp	[ebp+var_4], esi
		jbe	short loc_946B1C

loc_946AD9:				; CODE XREF: HvWriteExternal(x)+172j
		mov	edx, esi
		mov	ecx, ebx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		test	eax, eax
		jz	short loc_946B3B
		mov	eax, [eax+4]
		mov	ecx, [ebp+var_8]
		and	eax, 0FFFFFFF0h
		push	edi
		push	1
		mov	edx, [eax+8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		push	ebx
		mov	[ebp+var_C], edx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], edx
		call	dword ptr [ebx+14h]
		test	eax, eax
		js	short loc_946B2F
		mov	eax, [ebp+var_C]
		add	esi, eax
		add	[ebp+var_8], eax
		cmp	esi, [ebp+var_4]
		jb	short loc_946AD9

loc_946B1C:				; CODE XREF: HvWriteExternal(x)+12Fj
		mov	ecx, [ebx+408h]
		test	ecx, ecx
		jz	short loc_946B34
		call	CmpDoFileFlush
		test	eax, eax
		jns	short loc_946B34

loc_946B2F:				; CODE XREF: HvWriteExternal(x)+165j
		mov	edi, 0C000014Dh

loc_946B34:				; CODE XREF: HvWriteExternal(x)+BCj
					; HvWriteExternal(x)+17Cj ...
		mov	eax, edi

loc_946B36:				; CODE XREF: HvWriteExternal(x)+47j
					; HvWriteExternal(x)+89j ...
		pop	esi

loc_946B37:				; CODE XREF: HvWriteExternal(x)+23j
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_946B3B:				; CODE XREF: HvWriteExternal(x)+13Cj
		push	0D39h
		jmp	loc_946A6E
_HvWriteExternal@4 endp


;  S U B	R O U T	I N E 


; __stdcall HvIsInPlaceBaseBlockValid(x)
_HvIsInPlaceBaseBlockValid@4 proc near	; CODE XREF: HvHiveStartMemoryBacked+98B7Fp
		cmp	dword ptr [ecx], 66676572h
		jnz	short loc_946B91
		cmp	dword ptr [ecx+1Ch], 0
		jnz	short loc_946B91
		cmp	dword ptr [ecx+14h], 1
		ja	short loc_946B91
		mov	eax, [ecx+18h]
		sub	eax, 3
		cmp	eax, 3
		ja	short loc_946B91
		cmp	dword ptr [ecx+20h], 1
		jnz	short loc_946B91
		mov	edx, [ecx+28h]
		test	edx, edx
		jz	short loc_946B91
		test	edx, 0FFFh
		jnz	short loc_946B91
		cmp	edx, 7FFFE000h
		ja	short loc_946B91
		call	_HvpHeaderCheckSum@4 ; HvpHeaderCheckSum(x)
		cmp	eax, [ecx+1FCh]
		jnz	short loc_946B91
		mov	al, 1
		retn
; 

loc_946B91:				; CODE XREF: HvIsInPlaceBaseBlockValid(x)+6j
					; HvIsInPlaceBaseBlockValid(x)+Cj ...
		xor	al, al
		retn
_HvIsInPlaceBaseBlockValid@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCmdRenameHive(x,	x, x, x, x)
_CmpCmdRenameHive@20 proc near		; CODE XREF: CmReplaceKey(x,x,x,x)+18Bp
					; CmReplaceKey(x,x,x,x)+1ADp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		test	edx, edx
		jz	short loc_946BBE
		lea	eax, [ebp+arg_4]
		push	eax
		push	[ebp+arg_4]
		push	edx
		push	1
		push	ebx
		call	_ZwQueryObject@20 ; ZwQueryObject(x,x,x,x,x)
		test	eax, eax
		js	short loc_946C27

loc_946BBE:				; CODE XREF: CmpCmdRenameHive(x,x,x,x,x)+14j
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	20204D43h
		movzx	eax, word ptr [esi]
		add	eax, 10h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_946BE3
		mov	eax, 0C000009Ah
		jmp	short loc_946C25
; 

loc_946BE3:				; CODE XREF: CmpCmdRenameHive(x,x,x,x,x)+46j
		mov	al, [ebp+arg_8]
		and	dword ptr [edi+4], 0
		mov	[edi], al
		movzx	eax, word ptr [esi]
		mov	[edi+8], eax
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		lea	eax, [edi+0Ch]
		push	eax		; void *
		call	_memcpy
		movzx	eax, word ptr [esi]
		add	esp, 0Ch
		add	eax, 10h
		push	0Ah
		push	eax
		push	edi
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		push	0
		push	edi
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_946C25:				; CODE XREF: CmpCmdRenameHive(x,x,x,x,x)+4Dj
		pop	edi
		pop	esi

loc_946C27:				; CODE XREF: CmpCmdRenameHive(x,x,x,x,x)+28j
		pop	ebx
		leave
		retn	0Ch
_CmpCmdRenameHive@20 endp


;  S U B	R O U T	I N E 


; __stdcall CmpDiskFullWarning()
_CmpDiskFullWarning@0 proc near		; CODE XREF: CmpLazyWriteWorker:loc_5F7BC5p
					; PAGE:00888C1Cp ...
		cmp	ds:_CmpDiskFullWorkerPopupDisplayed, 0
		jnz	short locret_946C81
		cmp	ds:_CmpCannotWriteConfiguration, 0
		jz	short locret_946C81
		cmp	_ExReadyForErrors, 0
		jz	short locret_946C81
		cmp	ds:_CmpProfileLoaded, 0
		jz	short locret_946C81
		push	20204D43h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short locret_946C81
		and	dword ptr [eax], 0
		push	1
		push	eax
		mov	ds:_CmpDiskFullWorkerPopupDisplayed, 1
		mov	dword ptr [eax+8], offset _CmpDiskFullWarningWorker@4 ;	CmpDiskFullWarningWorker(x)
		mov	[eax+0Ch], eax
		call	ExQueueWorkItem

locret_946C81:				; CODE XREF: CmpDiskFullWarning()+7j
					; CmpDiskFullWarning()+10j ...
		retn
_CmpDiskFullWarning@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDiskFullWarningWorker(x)
_CmpDiskFullWarningWorker@4 proc near	; DATA XREF: CmpDiskFullWarning()+46o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		xor	esi, esi
		push	esi
		push	[ebp+arg_0]
		mov	[ebp+var_4], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	1		; int
		push	esi		; void *
		push	esi		; int
		push	esi		; int
		push	0C000007Fh	; int
		call	_ExRaiseHardError@24 ; ExRaiseHardError(x,x,x,x,x,x)
		pop	esi
		leave
		retn	4
_CmpDiskFullWarningWorker@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpForceFlushForCoalescing()
_CmpForceFlushForCoalescing@0 proc near	; CODE XREF: CmpCoalescingCallback(x,x,x)+25p
					; HvpMarkDirty:loc_8CD9CEp
		cmp	ds:_CmpNoWrite,	0
		jnz	short locret_946CE8
		cmp	_CmpWorkerDataInitialized, 0
		jz	short locret_946CE8
		cmp	_CmpForceFlushPending, 0
		jnz	short locret_946CE8
		xor	ecx, ecx
		mov	edx, offset _CmpForceFlushPending
		inc	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short locret_946CE8
		push	1
		push	offset _CmpForceFlushWorkItem
		call	ExQueueWorkItem

locret_946CE8:				; CODE XREF: CmpForceFlushForCoalescing()+7j
					; CmpForceFlushForCoalescing()+10j ...
		retn
_CmpForceFlushForCoalescing@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpForceFlushWorker(x)
_CmpForceFlushWorker@4 proc near	; DATA XREF: CmpCmdInit+18o

var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+20h+var_4], eax
		push	esi
		push	edi
		push	6
		xor	eax, eax
		lea	edi, [esp+2Ch+var_1C]
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _CmpShutdownRundown
		mov	ecx, esi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_946D4C
		lea	ecx, [esp+28h+var_1C]
		call	CmpAttachToRegistryProcess
		xor	ecx, ecx
		call	_CmpDoFlushAll@4 ; CmpDoFlushAll(x)
		xor	edx, edx
		lea	ecx, [esp+28h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, esi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_946D4C:				; CODE XREF: CmpForceFlushWorker(x)+3Fj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax
		mov	ecx, offset _CmpForceFlushPending
		xchg	eax, [ecx]
		mov	ecx, [esp+28h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_CmpForceFlushWorker@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpShutdownWorkers()
_CmpShutdownWorkers@0 proc near		; CODE XREF: CmShutdownSystem(x)+11Fp
		mov	edi, edi
		push	esi
		push	edi
		push	3
		mov	esi, offset _CmpLazyWriterData
		pop	edi

loc_946D80:				; CODE XREF: CmpShutdownWorkers()+18j
		push	esi
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		add	esi, 78h
		sub	edi, 1
		jnz	short loc_946D80
		pop	edi
		pop	esi
		retn
_CmpShutdownWorkers@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmDeleteKeyRecursive(x, x, x, x, x)
_CmDeleteKeyRecursive@20 proc near	; CODE XREF: CmDeleteKeyRecursive(x,x,x,x,x)+F2p
					; CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+450p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_18]
		push	edx
		push	eax
		mov	esi, ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_8], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_18]
		mov	[ebp+var_30], 18h
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_8]
		mov	[ebp+var_2C], esi
		push	eax
		mov	[ebp+var_24], 240h
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_946EE2
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_C]
		push	eax
		push	0FEh
		push	esi
		push	ebx
		push	ebx
		push	[ebp+var_8]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_946EC0
		lea	ebx, [esi+10h]

loc_946E14:				; CODE XREF: CmDeleteKeyRecursive(x,x,x,x,x)+122j
		mov	eax, [esi+0Ch]
		xor	ecx, ecx
		shr	eax, 1
		xor	edi, edi
		mov	[esi+eax*2+10h], cx
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_946E27:				; CODE XREF: CmDeleteKeyRecursive(x,x,x,x,x)+9Fj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_946E27
		sub	ecx, edx
		sar	ecx, 1
		push	20204D43h
		lea	eax, ds:2[ecx*2]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+arg_0], edi
		test	edi, edi
		jz	short loc_946EBB
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_946E58:				; CODE XREF: CmDeleteKeyRecursive(x,x,x,x,x)+D1j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_10]
		jnz	short loc_946E58
		sub	ecx, edx
		sar	ecx, 1
		push	ebx
		lea	eax, [ecx+1]
		push	eax
		push	edi
		call	_wcscpy_s
		mov	ecx, [ebp+var_8]
		add	esp, 0Ch
		mov	edx, edi
		push	1
		push	100h
		push	esi
		call	_CmDeleteKeyRecursive@20 ; CmDeleteKeyRecursive(x,x,x,x,x)
		mov	edi, eax
		xor	eax, eax
		push	eax
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		js	short loc_946EC0
		lea	eax, [ebp+var_C]
		push	eax
		push	0FEh
		push	esi
		xor	eax, eax
		push	eax
		push	eax
		push	[ebp+var_8]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	loc_946E14
		jmp	short loc_946EC0
; 

loc_946EBB:				; CODE XREF: CmDeleteKeyRecursive(x,x,x,x,x)+C0j
		mov	edi, 0C000009Ah

loc_946EC0:				; CODE XREF: CmDeleteKeyRecursive(x,x,x,x,x)+7Aj
					; CmDeleteKeyRecursive(x,x,x,x,x)+106j	...
		lea	esi, [edi+7FFFFFE6h]
		neg	esi
		sbb	esi, esi
		and	esi, edi
		jl	short loc_946ED8
		push	[ebp+var_8]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)
		mov	esi, eax

loc_946ED8:				; CODE XREF: CmDeleteKeyRecursive(x,x,x,x,x)+13Bj
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi

loc_946EE2:				; CODE XREF: CmDeleteKeyRecursive(x,x,x,x,x)+59j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_CmDeleteKeyRecursive@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAddAcpiAliasEntry(x, x, x, x, x,	x, x, x)
_CmpAddAcpiAliasEntry@32 proc near	; CODE XREF: CmSetAcpiHwProfile+9B938p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1C], eax
		mov	edi, eax
		mov	[ebp+var_18], eax
		mov	ebx, edx
		mov	[ebp+var_8], eax
		mov	esi, ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_1C]
		push	offset ??_C@_1BE@EFIOFOBM@?$AAA?$AAc?$AAp?$AAi?$AAA?$AAl?$AAi?$AAa?$AAs@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		and	[ebp+var_24], edi
		lea	eax, [ebp+var_1C]
		and	[ebp+var_20], edi
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_8]
		mov	[ebp+var_34], 18h
		push	eax
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_946F75
		lea	eax, [ebp+var_10]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_8]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax

loc_946F75:				; CODE XREF: CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+6Dj
		test	esi, esi
		jns	short loc_946F81
		and	[ebp+var_8], edi
		jmp	loc_9470BA
; 

loc_946F81:				; CODE XREF: CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+8Ej
					; CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+107j
		inc	edi
		push	edi
		push	offset ??_C@_19BLGDCJIP@?$AA?$CF?$AA0?$AA4?$AAd@NNGAKEGL@
		push	80h
		push	[ebp+arg_4]
		call	_swprintf_s
		add	esp, 10h
		lea	eax, [ebp+var_1C]
		push	[ebp+arg_4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_8]
		and	[ebp+var_24], 0
		and	[ebp+var_20], 0
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_34], 18h
		push	eax
		mov	[ebp+var_28], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_946FF4
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_4], 0
		cmp	edi, 0C8h
		jb	short loc_946F81
		jmp	short loc_947000
; 

loc_946FF4:				; CODE XREF: CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+F3j
		lea	eax, [esi+3FFFFFCCh]
		neg	eax
		sbb	eax, eax
		and	esi, eax

loc_947000:				; CODE XREF: CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+109j
		test	esi, esi
		jns	short loc_94700D
		and	[ebp+var_4], 0
		jmp	loc_9470AC
; 

loc_94700D:				; CODE XREF: CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+119j
		lea	eax, [ebp+var_10]
		xor	edi, edi
		push	eax
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_34]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_4]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_947033
		mov	[ebp+var_4], edi
		jmp	short loc_9470AC
; 

loc_947033:				; CODE XREF: CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+143j
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_1C]
		push	offset ??_C@_1BK@DIMLADLC@?$AAD?$AAo?$AAc?$AAk?$AAi?$AAn?$AAg?$AAS?$AAt?$AAa?$AAt?$AAe@NNGAKEGL@ ; "DockingState"
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		pop	esi
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1CC@GFOCCCFH@?$AAA?$AAc?$AAp?$AAi?$AAS?$AAe?$AAr?$AAi?$AAa?$AAl?$AAN?$AAu?$AAm?$AAb?$AAe@NNGAKEGL@	; "AcpiSerialNumber"
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, word ptr [ebx+2]
		push	eax
		lea	eax, [ebx+4]
		push	eax
		push	3
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_1C]
		push	offset ??_C@_1BM@IAAGELMO@?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl?$AAe?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@NNGAKEGL@ ;	"P"
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax

loc_9470AC:				; CODE XREF: CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+11Fj
					; CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+148j
		cmp	[ebp+var_8], 0
		jz	short loc_9470BA
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_9470BA:				; CODE XREF: CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+93j
					; CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+1C7j
		cmp	[ebp+var_4], 0
		jz	short loc_9470C8
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_9470C8:				; CODE XREF: CmpAddAcpiAliasEntry(x,x,x,x,x,x,x,x)+1D5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
_CmpAddAcpiAliasEntry@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCloneHwProfile(x, x, x, x, x, x,	x)
_CmpCloneHwProfile@28 proc near		; CODE XREF: CmSetAcpiHwProfile+9B7AFp
					; CmpCreateHardwareProfiles+1D3A4p

var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_18C		= dword	ptr -18Ch
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= word ptr -0FCh
var_F8		= dword	ptr -0F8h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 210h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	[ebp+var_1DC], eax
		lea	edi, [ebp+var_1D4]
		xor	eax, eax
		mov	[ebp+var_1E0], ecx
		push	6
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_19C]
		mov	[ebp+var_1BC], edx
		xor	edx, edx
		stosd
		mov	[esi], edx
		lea	ecx, [ebp+var_20C]
		mov	[ebp+var_1A0], esi
		mov	[ebp+var_204], edx
		stosd
		mov	[ebp+var_200], edx
		mov	[ebp+var_1AC], edx
		mov	[ebp+var_1A8], edx
		stosd
		mov	[ebp+var_1FC], edx
		mov	[ebp+var_1F8], edx
		mov	[ebp+var_1EC], edx
		stosd
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_1E8], edx
		mov	[ebp+var_1D8], edx
		mov	[ebp+var_1B0], edx
		mov	[ebp+var_1F0], edx
		mov	[ebp+var_1A4], edx
		mov	[ebp+var_1F4], edx
		mov	[ebp+var_1B8], edx
		mov	[ebp+var_1B4], edx
		mov	[ebp+var_20C], edx
		mov	[ebp+var_208], edx
		mov	[ebx], eax
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		mov	eax, [ebx]
		cmp	eax, 0C8h
		jnb	loc_947267
		mov	edi, [ebp+var_1BC]
		jmp	short loc_9471B6
; 

loc_9471B0:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+172j
		mov	esi, [ebp+var_1A0]

loc_9471B6:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+DDj
		inc	eax
		push	eax
		push	offset ??_C@_19BLGDCJIP@?$AA?$CF?$AA0?$AA4?$AAd@NNGAKEGL@
		mov	[ebx], eax
		lea	eax, [ebp+var_18C]
		push	40h
		push	eax
		call	_swprintf_s
		add	esp, 10h
		lea	eax, [ebp+var_18C]
		push	eax
		lea	eax, [ebp+var_204]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		and	[ebp+var_1C4], 0
		lea	eax, [ebp+var_204]
		and	[ebp+var_1C0], 0
		mov	[ebp+var_1CC], eax
		lea	eax, [ebp+var_1D4]
		push	eax
		push	2001Fh
		push	esi
		mov	[ebp+var_1D4], 18h
		mov	[ebp+var_1D0], edi
		mov	[ebp+var_1C8], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_94724B
		mov	eax, [ebp+var_1A0]
		push	dword ptr [eax]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebx]
		cmp	eax, 0C8h
		jb	loc_9471B0
		jmp	short loc_947257
; 

loc_94724B:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+15Cj
		lea	eax, [esi+3FFFFFCCh]
		neg	eax
		sbb	eax, eax
		and	esi, eax

loc_947257:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+178j
		test	esi, esi
		js	loc_9478AB
		mov	esi, [ebp+var_1A0]
		xor	edx, edx

loc_947267:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+D1j
		lea	eax, [ebp+var_1D8]
		push	eax
		push	edx
		push	edx
		push	4
		push	[ebp+var_1DC]
		call	_ZwQuerySecurityObject@20 ; ZwQuerySecurityObject(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_9472C3
		push	20204D43h
		push	[ebp+var_1D8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_9472C5
		lea	eax, [ebp+var_1D8]
		push	eax
		push	[ebp+var_1D8]
		push	edi
		push	4
		push	[ebp+var_1DC]
		call	_ZwQuerySecurityObject@20 ; ZwQuerySecurityObject(x,x,x,x,x)
		test	eax, eax
		jns	short loc_9472C5
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9472C3:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+1B1j
		xor	edi, edi

loc_9472C5:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+1C9j
					; CmpCloneHwProfile(x,x,x,x,x,x,x)+1E8j
		mov	eax, [ebp+var_1BC]
		and	[ebp+var_1C0], 0
		mov	[ebp+var_1D0], eax
		lea	eax, [ebp+var_204]
		mov	[ebp+var_1CC], eax
		lea	eax, [ebp+var_1F0]
		push	eax
		xor	eax, eax
		mov	[ebp+var_1D4], 18h
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_1D4]
		mov	[ebp+var_1C8], 240h
		push	eax
		push	2001Fh
		push	esi
		mov	[ebp+var_1C4], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_94732A
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_94732A:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+24Fj
		test	esi, esi
		js	loc_9478AB
		cmp	[ebp+var_1F0], 1
		jz	short loc_947342
		xor	esi, esi
		jmp	loc_9478AB
; 

loc_947342:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+268j
		push	dword ptr [ebx]
		lea	eax, [ebp+var_18C]
		push	offset ??_C@_1CO@NILKMGBN@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AA?5?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@NNGAKEGL@
		push	40h
		push	eax
		call	_swprintf_s
		add	esp, 10h
		lea	eax, [ebp+var_18C]
		push	eax
		lea	eax, [ebp+var_1AC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edi, [ebp+var_1E0]
		lea	eax, [ebp+var_1AC]
		mov	[ebp+var_1CC], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_1F0]
		mov	[ebp+var_1D4], 18h
		push	eax
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_1D4]
		mov	[ebp+var_1D0], edi
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_1B0]
		mov	[ebp+var_1C8], 240h
		push	eax
		mov	[ebp+var_1C4], ecx
		mov	[ebp+var_1C0], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9473DB
		and	[ebp+var_1B0], 0
		jmp	loc_9478AB
; 

loc_9473DB:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+2FCj
		push	offset ??_C@_1CE@JCFICPFJ@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AA?5?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@NNGAKEGL@ ; "Hardware Profiles"
		lea	eax, [ebp+var_1AC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_1AC]
		mov	[ebp+var_1D0], edi
		mov	[ebp+var_1CC], eax
		xor	edi, edi
		lea	eax, [ebp+var_1D4]
		mov	[ebp+var_1D4], 18h
		push	eax
		push	20019h
		lea	eax, [ebp+var_1B8]
		mov	[ebp+var_1C8], 240h
		push	eax
		mov	[ebp+var_1C4], edi
		mov	[ebp+var_1C0], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_947449
		mov	[ebp+var_1B8], edi
		jmp	loc_9478AB
; 

loc_947449:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+36Bj
		lea	eax, [ebp+var_1F4]
		push	eax
		push	100h
		lea	eax, [ebp+var_10C]
		push	eax
		push	2
		push	[ebp+var_1B8]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9478AB
		mov	edi, [ebp+var_F8]
		or	eax, 0FFFFFFFFh
		xor	esi, esi
		mov	[ebp+var_1A4], eax
		test	edi, edi
		jz	loc_9475F4

loc_94748C:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+517j
		lea	eax, [ebp+var_1F4]
		push	eax
		push	0FEh
		lea	eax, [ebp+var_10C]
		push	eax
		push	0
		push	esi
		push	[ebp+var_1B8]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_9475EE
		mov	eax, [ebp+var_100]
		xor	ecx, ecx
		shr	eax, 1
		mov	[ebp+eax*2+var_FC], cx
		lea	eax, [ebp+var_FC]
		push	eax		; wchar_t *
		call	__wtoi
		pop	ecx
		test	eax, eax
		jz	loc_9475E5
		lea	eax, [ebp+var_FC]
		push	eax		; wchar_t *
		call	__wtoi
		pop	ecx
		cmp	eax, [ebx]
		jz	loc_9475E5
		mov	eax, [ebp+var_100]
		and	[ebp+var_1C4], 0
		and	[ebp+var_1C0], 0
		mov	word ptr [ebp+var_1AC],	ax
		add	eax, 2
		mov	word ptr [ebp+var_1AC+2], ax
		lea	eax, [ebp+var_FC]
		mov	[ebp+var_1A8], eax
		mov	eax, [ebp+var_1B8]
		mov	[ebp+var_1D0], eax
		lea	eax, [ebp+var_1AC]
		mov	[ebp+var_1CC], eax
		lea	eax, [ebp+var_1D4]
		push	eax
		push	20019h
		lea	eax, [ebp+var_1B4]
		mov	[ebp+var_1D4], 18h
		push	eax
		mov	[ebp+var_1C8], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_9475DE
		push	offset ??_C@_1CA@DNKLCGOJ@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAe?$AAn?$AAc?$AAe?$AAO?$AAr?$AAd?$AAe?$AAr@NNGAKEGL@	; "P"
		lea	eax, [ebp+var_1AC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_1F4]
		push	eax
		push	100h
		lea	eax, [ebp+var_10C]
		push	eax
		push	1
		lea	eax, [ebp+var_1AC]
		push	eax
		push	[ebp+var_1B4]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9475D3
		cmp	[ebp+var_108], 4
		jnz	short loc_9475D3
		mov	eax, [ebp+var_104]
		mov	eax, [ebp+eax+var_10C]
		cmp	eax, [ebp+var_1A4]
		ja	short loc_9475CD
		cmp	[ebp+var_1A4], 0FFFFFFFFh
		jnz	short loc_9475D3

loc_9475CD:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+4F1j
		mov	[ebp+var_1A4], eax

loc_9475D3:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+4D3j
					; CmpCloneHwProfile(x,x,x,x,x,x,x)+4DCj ...
		push	[ebp+var_1B4]
		call	_ZwClose@4	; ZwClose(x)

loc_9475DE:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+497j
		and	[ebp+var_1B4], 0

loc_9475E5:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+405j
					; CmpCloneHwProfile(x,x,x,x,x,x,x)+41Aj
		inc	esi
		cmp	esi, edi
		jb	loc_94748C

loc_9475EE:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+3DEj
		mov	eax, [ebp+var_1A4]

loc_9475F4:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+3B5j
		inc	eax
		mov	[ebp+var_1A4], eax
		lea	eax, [ebp+var_1AC]
		push	offset ??_C@_1CA@DNKLCGOJ@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAe?$AAn?$AAc?$AAe?$AAO?$AAr?$AAd?$AAe?$AAr@NNGAKEGL@	; "P"
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		pop	esi
		push	esi
		lea	eax, [ebp+var_1A4]
		push	eax
		push	esi
		push	0
		lea	eax, [ebp+var_1AC]
		push	eax
		push	[ebp+var_1B0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		movzx	edx, [ebp+arg_8]
		lea	eax, [ebp+var_1FC]
		mov	ecx, [ebp+var_1E0]
		push	eax
		push	dword ptr [ebx]
		call	_CmpCreateHwProfileFriendlyName@16 ; CmpCreateHwProfileFriendlyName(x,x,x,x)
		test	eax, eax
		js	short loc_94768F
		push	offset ??_C@_1BK@BFIEKNFP@?$AAF?$AAr?$AAi?$AAe?$AAn?$AAd?$AAl?$AAy?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@ ; "FriendlyName"
		lea	eax, [ebp+var_1AC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, word ptr [ebp+var_1FC]
		xor	ebx, ebx
		add	eax, 2
		push	eax
		push	[ebp+var_1F8]
		lea	eax, [ebp+var_1AC]
		push	1
		push	ebx
		push	eax
		push	[ebp+var_1B0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		lea	eax, [ebp+var_1FC]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	short loc_947691
; 

loc_94768F:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+575j
		xor	ebx, ebx

loc_947691:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+5BCj
		push	offset ??_C@_1BE@CCJOPAOC@?$AAA?$AAl?$AAi?$AAa?$AAs?$AAa?$AAb?$AAl?$AAe@NNGAKEGL@
		lea	eax, [ebp+var_1AC]
		mov	[ebp+var_1A4], ebx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_1A4]
		push	eax
		push	esi
		push	ebx
		lea	eax, [ebp+var_1AC]
		push	eax
		push	[ebp+var_1B0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1O@DHDEGGFC@?$AAC?$AAl?$AAo?$AAn?$AAe?$AAd@NNGAKEGL@
		lea	eax, [ebp+var_1AC]
		mov	[ebp+var_1A4], 1
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_1A4]
		push	eax
		push	esi
		push	ebx
		lea	eax, [ebp+var_1AC]
		push	eax
		push	[ebp+var_1B0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		lea	eax, [ebp+var_19C]
		push	eax
		call	ExUuidCreate
		test	eax, eax
		js	short loc_947762
		push	1
		lea	edx, [ebp+var_1EC]
		lea	ecx, [ebp+var_19C]
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		test	eax, eax
		js	short loc_947762
		push	offset ??_C@_1BM@PBKGKIHI@?$AAH?$AAw?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl?$AAe?$AAG?$AAu?$AAi?$AAd@NNGAKEGL@
		lea	eax, [ebp+var_1AC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, word ptr [ebp+var_1EC+2]
		push	eax
		push	[ebp+var_1E8]
		lea	eax, [ebp+var_1AC]
		push	1
		push	ebx
		push	eax
		push	[ebp+var_1B0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		lea	eax, [ebp+var_1EC]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_947762:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+638j
					; CmpCloneHwProfile(x,x,x,x,x,x,x)+64Fj
		mov	eax, ds:_CmKeyObjectType
		lea	ecx, [ebp+var_1BC]
		push	ebx
		push	ecx
		push	ebx
		push	eax
		push	20019h
		push	[ebp+var_1DC]
		mov	[ebp+var_1BC], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+var_1A0]
		mov	esi, eax
		test	esi, esi
		js	loc_9478B1
		mov	eax, ds:_CmKeyObjectType
		lea	edx, [ebp+var_1E0]
		mov	ecx, [edi]
		push	ebx
		push	edx
		push	ebx
		push	eax
		push	20006h
		push	ecx
		mov	[ebp+var_1E0], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9478B1
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	esi, [ebp+var_1E0]
		mov	edi, [ebp+var_1BC]
		push	ebx
		push	2
		mov	eax, [esi+8]
		mov	ecx, [edi+8]
		push	dword ptr [eax+14h]
		mov	edx, [ecx+14h]
		push	dword ptr [eax+10h]
		mov	ecx, [ecx+10h]
		call	_CmpCopySyncTree@24 ; CmpCopySyncTree(x,x,x,x,x,x)
		test	al, al
		jz	loc_947894
		mov	eax, [edi+8]
		lea	edx, [ebp+var_1E4]
		or	[ebp+var_1E4], 0FFFFFFFFh
		or	[ebp+var_1EC], 0FFFFFFFFh
		mov	[ebp+var_1E0], ebx
		mov	[ebp+var_1E8], ebx
		mov	ecx, [eax+14h]
		mov	eax, [eax+10h]
		push	edx
		push	ecx
		push	eax
		call	dword ptr [eax+4]
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_94788D
		mov	ecx, [esi+8]
		lea	eax, [ebp+var_1EC]
		push	eax
		mov	edx, [ecx+14h]
		mov	ecx, [ecx+10h]
		push	edx
		push	ecx
		call	dword ptr [ecx+4]
		test	eax, eax
		jz	short loc_947875
		mov	cx, [ebx+34h]
		lea	edx, [ebp+var_20C]
		mov	[eax+34h], cx
		mov	ecx, [ebx+38h]
		mov	[eax+38h], ecx
		mov	ecx, [esi+8]
		call	_CmpRebuildKcbCache@8 ;	CmpRebuildKcbCache(x,x)
		mov	eax, [esi+8]
		lea	ecx, [ebp+var_1EC]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]
		xor	esi, esi
		jmp	short loc_94787A
; 

loc_947875:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+771j
		mov	esi, 0C000009Ah

loc_94787A:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+7A2j
		mov	eax, [edi+8]
		lea	ecx, [ebp+var_1E4]
		push	ecx
		mov	eax, [eax+10h]
		push	eax
		call	dword ptr [eax+8]
		jmp	short loc_947899
; 

loc_94788D:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+758j
		mov	esi, 0C000009Ah
		jmp	short loc_947899
; 

loc_947894:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+71Fj
		mov	esi, 0C000014Ch

loc_947899:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+7BAj
					; CmpCloneHwProfile(x,x,x,x,x,x,x)+7C1j
		xor	dl, dl
		lea	ecx, [ebp+var_20C]
		call	CmpDrainDelayDerefContext
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_9478AB:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+188j
					; CmpCloneHwProfile(x,x,x,x,x,x,x)+25Bj ...
		mov	edi, [ebp+var_1A0]

loc_9478B1:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+6C0j
					; CmpCloneHwProfile(x,x,x,x,x,x,x)+6ECj
		push	[ebp+var_1DC]
		call	_ZwClose@4	; ZwClose(x)
		cmp	[ebp+var_1B0], 0
		jz	short loc_9478D0
		push	[ebp+var_1B0]
		call	_ZwClose@4	; ZwClose(x)

loc_9478D0:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+7F2j
		cmp	[ebp+var_1B8], 0
		jz	short loc_9478E4
		push	[ebp+var_1B8]
		call	_ZwClose@4	; ZwClose(x)

loc_9478E4:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+806j
		test	esi, esi
		jns	short loc_9478F4
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_9478F4
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_9478F4:				; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+815j
					; CmpCloneHwProfile(x,x,x,x,x,x,x)+81Bj
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_CmpCloneHwProfile@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCreateHwProfileFriendlyName(x, x, x, x)
_CmpCreateHwProfileFriendlyName@16 proc	near
					; CODE XREF: CmpCloneHwProfile(x,x,x,x,x,x,x)+56Ep

var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_A8		= dword	ptr -0A8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1ECh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		mov	[ebp+var_1CC], eax
		mov	[ebp+var_1C8], eax
		mov	[ebp+var_1B8], eax
		mov	[ebp+var_1B4], eax
		mov	[ebp+var_1C0], eax
		mov	[ebp+var_1BC], eax
		mov	[ebp+var_1D4], eax
		mov	[ebp+var_1D0], eax
		mov	[ebp+var_1C4], eax
		mov	[ebp+var_1B0], eax
		mov	[ebp+var_1AC], eax
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [ebp+var_1EC]
		push	6
		pop	ecx
		rep stosd
		test	ebx, ebx
		jnz	short loc_947981
		mov	eax, 0C000000Dh
		jmp	loc_947BD7
; 

loc_947981:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+6Ej
		test	esi, esi
		jz	loc_947B9B
		mov	eax, edx
		mov	ecx, 40010003h
		and	eax, 3
		cmp	al, 3
		jz	short loc_9479B7
		test	dl, 2
		jz	short loc_9479A6
		lea	edi, [ecx-1]
		mov	eax, (offset loc_8B7587+1)
		jmp	short loc_9479BE
; 

loc_9479A6:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+93j
		test	dl, 1
		jz	short loc_9479B7
		mov	edi, 40010001h
		mov	eax, (offset loc_8B75B1+1)
		jmp	short loc_9479BE
; 

loc_9479B7:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+8Ej
					; CmpCreateHwProfileFriendlyName(x,x,x,x)+A2j
		mov	eax, (offset loc_8B7595+1)
		mov	edi, ecx

loc_9479BE:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+9Dj
					; CmpCreateHwProfileFriendlyName(x,x,x,x)+AEj
		push	eax
		lea	eax, [ebp+var_1C0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edx, [ebp+var_1CC]
		mov	ecx, edi
		call	_KeGetBugMessageText@8 ; KeGetBugMessageText(x,x)
		test	al, al
		jz	loc_947B9B
		push	1
		lea	eax, [ebp+var_1CC]
		push	eax
		lea	eax, [ebp+var_1B8]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	loc_947B9B
		mov	ax, word ptr [ebp+var_1B8]
		push	4
		pop	ecx
		cmp	ax, cx
		jbe	short loc_947A33
		mov	ecx, 0FFFCh
		add	ax, cx
		movzx	ecx, ax
		mov	word ptr [ebp+var_1B8],	ax
		mov	eax, [ebp+var_1B4]
		shr	ecx, 1
		xor	edx, edx
		mov	[eax+ecx*2], dx
		mov	ax, word ptr [ebp+var_1B8]

loc_947A33:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+103j
		movzx	eax, ax
		add	eax, 0Ch
		cmp	eax, 0A0h
		jbe	short loc_947A4A
		mov	esi, 0C0000001h
		jmp	loc_947B77
; 

loc_947A4A:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+137j
		push	offset ??_C@_1CE@JCFICPFJ@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AA?5?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@NNGAKEGL@ ; "Hardware Profiles"
		lea	eax, [ebp+var_1D4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		and	[ebp+var_1DC], 0
		lea	eax, [ebp+var_1D4]
		and	[ebp+var_1D8], 0
		mov	[ebp+var_1E4], eax
		lea	eax, [ebp+var_1EC]
		push	eax
		push	20019h
		lea	eax, [ebp+var_1AC]
		mov	[ebp+var_1EC], 18h
		push	eax
		mov	[ebp+var_1E8], esi
		mov	[ebp+var_1E0], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_947AB9
		and	[ebp+var_1AC], 0
		jmp	loc_947B77
; 

loc_947AB9:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+1A4j
		lea	eax, [ebp+var_1C4]
		push	eax
		push	100h
		lea	eax, [ebp+var_1A8]
		push	eax
		push	1
		lea	eax, [ebp+var_1C0]
		push	eax
		push	[ebp+var_1AC]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		push	4
		pop	ecx
		test	eax, eax
		js	short loc_947AFF
		cmp	[ebp+var_1A4], ecx
		jnz	short loc_947AFF
		mov	eax, [ebp+var_1A0]
		mov	eax, [ebp+eax+var_1A8]
		inc	eax
		jmp	short loc_947B02
; 

loc_947AFF:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+1DEj
					; CmpCreateHwProfileFriendlyName(x,x,x,x)+1E6j
		xor	eax, eax
		inc	eax

loc_947B02:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+1F6j
		push	ecx
		mov	[ebp+var_1B0], eax
		lea	eax, [ebp+var_1B0]
		push	eax
		push	ecx
		push	0
		lea	eax, [ebp+var_1C0]
		push	eax
		push	[ebp+var_1AC]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_947B77
		cmp	edi, 40010003h
		jz	short loc_947B55
		cmp	[ebp+var_1B0], 1
		ja	short loc_947B55
		push	[ebp+var_1B4]
		lea	eax, [ebp+var_A8]
		push	50h
		push	eax
		call	_wcscpy_s
		add	esp, 0Ch
		jmp	short loc_947B77
; 

loc_947B55:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+22Aj
					; CmpCreateHwProfileFriendlyName(x,x,x,x)+233j
		push	[ebp+var_1B0]
		lea	eax, [ebp+var_A8]
		push	[ebp+var_1B4]
		push	offset ??_C@_1M@OLDAANJO@?$AA?$CF?$AAs?$AA?5?$AA?$CF?$AAu@NNGAKEGL@
		push	50h
		push	eax
		call	_swprintf_s
		add	esp, 14h

loc_947B77:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+13Ej
					; CmpCreateHwProfileFriendlyName(x,x,x,x)+1ADj	...
		lea	eax, [ebp+var_1B8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_1AC], 0
		jz	short loc_947B97
		push	[ebp+var_1AC]
		call	_ZwClose@4	; ZwClose(x)

loc_947B97:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+283j
		test	esi, esi
		jns	short loc_947BBF

loc_947B9B:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+7Cj
					; CmpCreateHwProfileFriendlyName(x,x,x,x)+D3j ...
		push	[ebp+arg_0]
		xor	eax, eax
		push	offset ??_C@_19BLGDCJIP@?$AA?$CF?$AA0?$AA4?$AAd@NNGAKEGL@
		mov	word ptr [ebp+var_A8], ax
		lea	eax, [ebp+var_A8]
		push	50h
		push	eax
		call	_swprintf_s
		add	esp, 10h
		xor	esi, esi

loc_947BBF:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+292j
		lea	eax, [ebp+var_A8]
		push	eax		; void *
		push	ebx		; int
		call	RtlCreateUnicodeString
		test	al, al
		jnz	short loc_947BD5
		mov	esi, 0C0000001h

loc_947BD5:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+2C7j
		mov	eax, esi

loc_947BD7:				; CODE XREF: CmpCreateHwProfileFriendlyName(x,x,x,x)+75j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_CmpCreateHwProfileFriendlyName@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpMoveBiosAliasTable(x, x,	x, x, x, x, x, x)
_CmpMoveBiosAliasTable@32 proc near	; CODE XREF: CmSetAcpiHwProfile+9B744p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		push	edi
		push	6
		mov	[ebp+var_6C], ecx
		lea	edi, [ebp+var_68]
		pop	ecx
		mov	[ebp+var_70], eax
		mov	esi, edx
		xor	edx, edx
		xor	eax, eax
		push	30h		; size_t
		rep stosd
		push	edx		; int
		lea	eax, [ebp+var_38]
		mov	[ebp+var_50], edx
		push	eax		; void *
		mov	[ebp+var_3C], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_4C], edx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_48]
		push	offset ??_C@_1BK@GBMCOKGG@?$AAS?$AAe?$AAr?$AAi?$AAa?$AAl?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4C]
		mov	edi, 100h
		push	eax
		push	edi
		push	ebx
		push	1
		lea	eax, [ebp+var_48]
		push	eax
		push	esi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_948073
		cmp	dword ptr [ebx+4], 4
		jnz	loc_948073
		mov	eax, [ebx+8]
		push	offset ??_C@_1O@KHOHJKPL@?$AAD?$AAo?$AAc?$AAk?$AAI?$AAD@NNGAKEGL@
		mov	eax, [ebx+eax]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4C]
		push	eax
		push	edi
		push	ebx
		push	1
		lea	eax, [ebp+var_48]
		push	eax
		push	esi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_948073
		cmp	dword ptr [ebx+4], 4
		jnz	loc_948073
		mov	eax, [ebx+8]
		push	(offset	loc_8B7531+1)
		mov	eax, [ebx+eax]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_6C]
		xor	edi, edi
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	20019h
		lea	eax, [ebp+var_50]
		mov	[ebp+var_68], 18h
		push	eax
		mov	[ebp+var_5C], 240h
		mov	[ebp+var_58], edi
		mov	[ebp+var_54], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	short loc_947D03
		mov	esi, edi
		mov	[ebp+var_50], edi
		jmp	loc_948086
; 

loc_947D03:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+10Fj
		lea	eax, [ebp+var_4C]
		push	eax
		push	30h
		lea	eax, [ebp+var_38]
		push	eax
		push	2
		push	[ebp+var_50]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_948078
		cmp	[ebp+var_24], edi
		jbe	loc_948078

loc_947D2A:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+47Ej
		lea	eax, [ebp+var_4C]
		push	eax
		push	0FEh
		push	ebx
		push	0
		push	edi
		push	[ebp+var_50]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_948078
		mov	eax, [ebx+0Ch]
		xor	ecx, ecx
		shr	eax, 1
		mov	[ebx+eax*2+10h], cx
		movzx	eax, word ptr [ebx+0Ch]
		and	[ebp+var_58], ecx
		and	[ebp+var_54], ecx
		mov	word ptr [ebp+var_48], ax
		add	eax, 2
		mov	word ptr [ebp+var_48+2], ax
		lea	eax, [ebx+10h]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_50]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_68], 18h
		push	eax
		mov	[ebp+var_5C], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_948078
		push	offset ??_C@_1BM@IAAGELMO@?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl?$AAe?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@NNGAKEGL@ ;	"P"
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4C]
		push	eax
		push	100h
		push	ebx
		push	1
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_3C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_948073
		cmp	dword ptr [ebx+4], 4
		jnz	loc_948073
		mov	eax, [ebx+8]
		mov	ecx, [ebp+arg_0]
		cmp	ecx, [ebx+eax]
		jz	short loc_947DF8

loc_947DEB:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+253j
					; CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+298j
		push	[ebp+var_3C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_94805E
; 

loc_947DF8:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+201j
		push	offset ??_C@_1O@KHOHJKPL@?$AAD?$AAo?$AAc?$AAk?$AAI?$AAD@NNGAKEGL@
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4C]
		push	eax
		push	100h
		push	ebx
		push	1
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_3C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_948073
		cmp	dword ptr [ebx+4], 4
		jnz	loc_948073
		mov	eax, [ebx+8]
		mov	ecx, [ebp+var_74]
		cmp	ecx, [ebx+eax]
		jnz	short loc_947DEB
		push	offset ??_C@_1BK@GBMCOKGG@?$AAS?$AAe?$AAr?$AAi?$AAa?$AAl?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@NNGAKEGL@
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4C]
		push	eax
		push	100h
		push	ebx
		push	1
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_3C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_948073
		cmp	dword ptr [ebx+4], 4
		jnz	loc_948073
		mov	eax, [ebx+8]
		mov	ecx, [ebp+var_78]
		cmp	ecx, [ebx+eax]
		jnz	loc_947DEB
		push	offset ??_C@_1BM@IAAGELMO@?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl?$AAe?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@NNGAKEGL@ ;	"P"
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+arg_4]
		xor	esi, esi
		push	eax
		push	4
		push	esi
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_3C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_3C]
		call	_ZwClose@4	; ZwClose(x)
		push	offset ??_C@_1CE@JCFICPFJ@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AA?5?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@NNGAKEGL@ ; "Hardware Profiles"
		lea	eax, [ebp+var_48]
		mov	[ebp+var_3C], esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_40]
		mov	[ebp+var_68], 18h
		push	eax
		mov	[ebp+var_5C], 240h
		mov	[ebp+var_58], esi
		mov	[ebp+var_54], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_948070
		push	[ebp+arg_0]
		mov	esi, [ebp+var_70]
		push	(offset	loc_8B74EF+1)
		push	80h
		push	esi
		call	_swprintf_s
		add	esp, 10h
		lea	eax, [ebp+var_48]
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_40]
		xor	esi, esi
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_68], 18h
		push	eax
		mov	[ebp+var_5C], 240h
		mov	[ebp+var_58], esi
		mov	[ebp+var_54], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_9480B5
		push	offset ??_C@_1O@DHDEGGFC@?$AAC?$AAl?$AAo?$AAn?$AAe?$AAd@NNGAKEGL@
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4C]
		push	eax
		push	100h
		push	ebx
		push	1
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_3C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_948073
		cmp	dword ptr [ebx+4], 4
		jnz	loc_948073
		mov	eax, [ebx+8]
		push	[ebp+var_3C]
		cmp	dword ptr [ebx+eax], 0
		jz	loc_94804D
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)
		push	[ebp+var_3C]
		call	_ZwClose@4	; ZwClose(x)
		push	[ebp+var_40]
		call	_ZwClose@4	; ZwClose(x)
		xor	esi, esi
		lea	edx, [ebp+var_3C]
		push	esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], esi
		call	CmpOpenDevicesControlSet
		test	eax, eax
		js	loc_948070
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_40]
		mov	[ebp+var_68], 18h
		push	eax
		mov	[ebp+var_5C], 240h
		mov	[ebp+var_60], (offset loc_A3F627+1)
		mov	[ebp+var_58], esi
		mov	[ebp+var_54], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		push	[ebp+var_3C]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_3C], 0
		test	esi, esi
		js	short loc_94806E
		push	[ebp+arg_0]
		mov	esi, [ebp+var_70]
		push	(offset	loc_8B74EF+1)
		push	80h
		push	esi
		call	_swprintf_s
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_40]
		mov	edx, esi
		push	ebx
		call	_CmDeleteKeyRecursive@20 ; CmDeleteKeyRecursive(x,x,x,x,x)
		push	[ebp+var_40]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_40], 0
		jmp	short loc_948062
; 

loc_94804D:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+3B9j
		call	_ZwClose@4	; ZwClose(x)
		push	[ebp+var_40]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_40], 0

loc_94805E:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+20Bj
		and	[ebp+var_3C], 0

loc_948062:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+463j
		inc	edi
		cmp	edi, [ebp+var_24]
		jb	loc_947D2A
		jmp	short loc_948078
; 

loc_94806E:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+430j
		xor	esi, esi

loc_948070:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+310j
					; CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+3E7j
		mov	[ebp+var_40], esi

loc_948073:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+77j
					; CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+81j ...
		mov	esi, 0C000014Ch

loc_948078:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+133j
					; CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+13Cj ...
		cmp	[ebp+var_50], 0
		jz	short loc_948086
		push	[ebp+var_50]
		call	_ZwClose@4	; ZwClose(x)

loc_948086:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+116j
					; CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+494j
		cmp	[ebp+var_3C], 0
		jz	short loc_948094
		push	[ebp+var_3C]
		call	_ZwClose@4	; ZwClose(x)

loc_948094:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+4A2j
		cmp	[ebp+var_40], 0
		jz	short loc_9480A2
		push	[ebp+var_40]
		call	_ZwClose@4	; ZwClose(x)

loc_9480A2:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+4B0j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_9480B5:				; CODE XREF: CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+36Fj
		mov	[ebp+var_3C], esi
		jmp	short loc_948073
_CmpMoveBiosAliasTable@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSnapshotTxOwnerArray(x, x, x)
_CmpSnapshotTxOwnerArray@12 proc near	; CODE XREF: CmpCreateChild(x,x,x,x,x,x,x,x,x)+71Cp
					; CmpCreateChild(x,x,x,x,x,x,x,x,x)+783p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		mov	[ebp+var_8], edx
		push	esi
		mov	[ebp+var_4], eax
		mov	esi, [eax]
		test	esi, esi
		jnz	short loc_9480DA
		mov	eax, 0C000000Dh
		jmp	loc_9481A0
; 

loc_9480DA:				; CODE XREF: CmpSnapshotTxOwnerArray(x,x,x)+14j
		push	ebx
		push	edi
		and	esi, 7FFFFFFFh
		xor	edi, edi
		mov	eax, esi
		mov	[edx], edi
		push	36344D43h
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, [ebp+arg_0]
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_94810B
		mov	eax, 0C000009Ah
		jmp	loc_94819E
; 

loc_94810B:				; CODE XREF: CmpSnapshotTxOwnerArray(x,x,x)+45j
		mov	ecx, esi
		shl	ecx, 2
		push	ecx		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	esi, 1
		jnz	short loc_948151
		mov	eax, [ebp+var_4]
		mov	edx, [ebx]
		mov	ecx, [eax+4]
		mov	eax, [ecx+1Ch]
		test	byte ptr [eax+18h], 80h
		jz	short loc_948141
		mov	eax, [eax+1Ch]
		mov	[edx], eax
		mov	eax, [ecx+1Ch]
		mov	ecx, [eax+1Ch]
		and	ecx, 0FFFFFFFEh
		jmp	short loc_94814A
; 

loc_948141:				; CODE XREF: CmpSnapshotTxOwnerArray(x,x,x)+75j
		mov	eax, [eax+24h]
		mov	[edx], eax
		mov	eax, [ebx]
		mov	ecx, [eax]

loc_94814A:				; CODE XREF: CmpSnapshotTxOwnerArray(x,x,x)+85j
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		jmp	short loc_948197
; 

loc_948151:				; CODE XREF: CmpSnapshotTxOwnerArray(x,x,x)+64j
		test	esi, esi
		jz	short loc_948197

loc_948155:				; CODE XREF: CmpSnapshotTxOwnerArray(x,x,x)+DBj
		mov	eax, [ebp+var_4]
		mov	edx, edi
		mov	ecx, [ebx]
		mov	eax, [eax+4]
		mov	eax, [eax+edx*4]
		mov	[ebp+arg_0], eax
		mov	eax, [eax+1Ch]
		test	byte ptr [eax+18h], 80h
		jz	short loc_948182
		mov	eax, [eax+1Ch]
		mov	[ecx+edx*4], eax
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+1Ch]
		mov	ecx, [eax+1Ch]
		and	ecx, 0FFFFFFFEh
		jmp	short loc_94818D
; 

loc_948182:				; CODE XREF: CmpSnapshotTxOwnerArray(x,x,x)+B2j
		mov	eax, [eax+24h]
		mov	[ecx+edx*4], eax
		mov	eax, [ebx]
		mov	ecx, [eax+edx*4]

loc_94818D:				; CODE XREF: CmpSnapshotTxOwnerArray(x,x,x)+C6j
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		inc	edi
		cmp	edi, esi
		jb	short loc_948155

loc_948197:				; CODE XREF: CmpSnapshotTxOwnerArray(x,x,x)+95j
					; CmpSnapshotTxOwnerArray(x,x,x)+99j
		mov	eax, [ebp+var_8]
		mov	[eax], esi
		xor	eax, eax

loc_94819E:				; CODE XREF: CmpSnapshotTxOwnerArray(x,x,x)+4Cj
		pop	edi
		pop	ebx

loc_9481A0:				; CODE XREF: CmpSnapshotTxOwnerArray(x,x,x)+1Bj
		pop	esi
		leave
		retn	4
_CmpSnapshotTxOwnerArray@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpConcatenateValueLists(x,	x, x, x, x)
_CmpConcatenateValueLists@20 proc near	; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+1CBp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		xor	esi, esi
		mov	eax, edx
		mov	edx, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_18], esi
		xor	ecx, ecx
		mov	[ebp+var_10], esi
		mov	edx, [edx]
		mov	word ptr [ebp+var_18], cx
		mov	word ptr [ebp+var_10], cx
		lea	ecx, [ebp+var_C]
		push	ecx
		mov	ecx, [eax]
		mov	[ebp+var_1C], esi
		or	[ebp+var_1C], 0FFFFFFFFh
		mov	[ebp+var_14], esi
		or	[ebp+var_14], 0FFFFFFFFh
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_9481FB
		mov	esi, 0C000009Ah
		jmp	loc_9482C8
; 

loc_9481FB:				; CODE XREF: CmpConcatenateValueLists(x,x,x,x,x)+4Aj
		mov	ebx, [ebp+var_C]
		test	ebx, ebx
		jnz	short loc_948210
		mov	eax, [ebp+arg_8]
		or	dword ptr [eax+4], 0FFFFFFFFh
		mov	[eax], esi
		jmp	loc_9482C8
; 

loc_948210:				; CODE XREF: CmpConcatenateValueLists(x,x,x,x,x)+5Bj
		lea	eax, [ebp+var_1C]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_4]
		shl	edx, 2
		push	eax
		push	[ebp+arg_4]
		mov	ecx, edi
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	[ebp+var_C], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_948239
		mov	esi, 0C000009Ah
		jmp	loc_9482BA
; 

loc_948239:				; CODE XREF: CmpConcatenateValueLists(x,x,x,x,x)+88j
		mov	eax, [ebp+var_8]
		mov	[ebp+arg_4], esi
		cmp	[eax], esi
		jz	short loc_948276
		mov	eax, [eax+4]
		lea	ecx, [ebp+var_14]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	ecx, eax
		mov	eax, [ebp+var_8]
		mov	eax, [eax]
		shl	eax, 2
		push	eax		; size_t
		push	ecx		; void *
		push	[ebp+var_4]	; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	eax, [ebp+var_8]
		mov	eax, [eax]
		mov	[ebp+arg_4], eax

loc_948276:				; CODE XREF: CmpConcatenateValueLists(x,x,x,x,x)+9Cj
		mov	eax, [ebp+arg_0]
		cmp	[eax], esi
		jz	short loc_9482AF
		mov	eax, [eax+4]
		lea	ecx, [ebp+var_14]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		mov	eax, [edx]
		shl	eax, 2
		push	eax		; size_t
		mov	eax, [ebp+var_4]
		push	ecx		; void *
		mov	ecx, [ebp+arg_4]
		lea	eax, [eax+ecx*4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_9482AF:				; CODE XREF: CmpConcatenateValueLists(x,x,x,x,x)+D6j
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_C]
		mov	[eax], ebx
		mov	[eax+4], ecx

loc_9482BA:				; CODE XREF: CmpConcatenateValueLists(x,x,x,x,x)+8Fj
		cmp	[ebp+var_4], 0
		jz	short loc_9482C8
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_9482C8:				; CODE XREF: CmpConcatenateValueLists(x,x,x,x,x)+51j
					; CmpConcatenateValueLists(x,x,x,x,x)+66j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_CmpConcatenateValueLists@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCopyKeyPartial(x, x, x, x, x, x,	x)
_CmpCopyKeyPartial@28 proc near		; CODE XREF: CmpReorganizeHive+18483Fp
					; CmpCopySyncTree2(x,x,x,x,x,x,x)+43Cp	...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_24], edx
		push	esi
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_10], esi
		mov	eax, ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		mov	esi, [ebp+arg_10]
		mov	[ebp+var_4], eax
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		push	edi
		mov	edi, ebx
		cmp	esi, 2
		jnz	short loc_948331
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_948329
		mov	esi, ebx
		jmp	short loc_94832E
; 

loc_948329:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+52j
		mov	esi, ecx
		shr	esi, 1Fh

loc_94832E:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+56j
		mov	[ebp+arg_10], esi

loc_948331:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+4Aj
		lea	ecx, [ebp+var_40]
		push	ecx
		push	edx
		push	eax
		call	dword ptr [eax+4]
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	loc_9485FE
		mov	ecx, [eax+2Ch]
		mov	[ebp+var_28], ecx
		mov	ecx, [eax+30h]
		mov	[ebp+var_14], ecx
		movzx	ecx, word ptr [eax+4Ah]
		mov	eax, [ebp+arg_8]
		and	eax, 2
		jnz	short loc_948361
		or	[ebp+var_14], 0FFFFFFFFh

loc_948361:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+8Aj
		mov	edx, [ebp+var_24]
		neg	eax
		push	esi
		mov	esi, [ebp+arg_0]
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, [ebp+var_4]
		push	esi
		mov	[ebp+var_18], eax
		call	_CmpCopyCell@16	; CmpCopyCell(x,x,x,x)
		mov	[ebp+arg_0], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_94859B
		cmp	[ebp+var_18], ebx
		jbe	short loc_9483A9
		push	[ebp+arg_10]
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_4]
		push	esi
		call	_CmpCopyCell@16	; CmpCopyCell(x,x,x,x)
		mov	[ebp+var_10], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_94859B
		mov	eax, [ebp+arg_0]

loc_9483A9:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+B8j
		lea	ecx, [ebp+var_48]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		jz	loc_94859B
		mov	eax, [ebp+var_10]
		or	dword ptr [edi+2Ch], 0FFFFFFFFh
		or	dword ptr [edi+1Ch], 0FFFFFFFFh
		or	dword ptr [edi+20h], 0FFFFFFFFh
		test	[ebp+arg_8], 100h
		mov	edx, [ebp+arg_4]
		mov	[edi+30h], eax
		mov	eax, [ebp+var_18]
		mov	[edi+4Ah], ax
		mov	[edi+14h], ebx
		mov	[edi+18h], ebx
		mov	[edi+10h], edx
		mov	[edi+0Ch], bl
		jz	short loc_9483F4
		and	byte ptr [edi+0Dh], 0FCh

loc_9483F4:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+11Dj
		test	byte ptr [ebp+arg_8], 80h
		jz	short loc_9483FE
		or	byte ptr [edi+0Dh], 80h

loc_9483FE:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+127j
		mov	ecx, [ebp+var_20]
		mov	ax, [ecx+2]
		and	ax, 30h
		test	byte ptr [ebp+arg_8], 20h
		mov	[edi+2], ax
		movzx	eax, ax
		jz	short loc_94842C
		mov	ax, [ecx+2]
		mov	[ebp+arg_4], 0FFBFh
		and	ax, word ptr [ebp+arg_4]
		mov	[edi+2], ax
		movzx	eax, ax

loc_94842C:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+143j
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_948438
		or	eax, 0Ch
		mov	[edi+2], ax

loc_948438:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+15Ej
		test	byte ptr [ebp+arg_8], 10h
		jnz	loc_9484ED
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		call	_CmpLockTwoSecurityCachesExclusiveShared@8 ; CmpLockTwoSecurityCachesExclusiveShared(x,x)
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_CmpFindSecurityCellCacheIndex@12 ; CmpFindSecurityCellCacheIndex(x,x,x)
		test	al, al
		jnz	short loc_94848F
		cmp	esi, [ebp+var_4]
		jz	short loc_94847B
		xor	edx, edx
		lea	ecx, [esi+484h]
		call	ExReleasePushLockEx
		mov	eax, [ebp+var_4]
		add	eax, 484h
		jmp	short loc_948481
; 

loc_94847B:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+191j
		lea	eax, [esi+484h]

loc_948481:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+1A8j
		xor	edx, edx
		mov	ecx, eax
		call	ExReleasePushLockEx
		jmp	loc_94859B
; 

loc_94848F:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+18Cj
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, [eax+4CCh]
		mov	eax, [ebp+var_1C]
		mov	eax, [ecx+eax*8+4]
		lea	ecx, [edi+2Ch]
		push	ecx		; int
		push	ebx		; int
		add	eax, 18h
		mov	ecx, esi
		push	eax		; void *
		push	edi		; int
		call	_CmpGetSecurityDescriptorNode@24 ; CmpGetSecurityDescriptorNode(x,x,x,x,x,x)
		mov	[ebp+arg_4], eax
		cmp	esi, [ebp+var_4]
		jz	short loc_9484D2
		xor	edx, edx
		lea	ecx, [esi+484h]
		call	ExReleasePushLockEx
		mov	eax, [ebp+var_4]
		add	eax, 484h
		jmp	short loc_9484D8
; 

loc_9484D2:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+1E8j
		lea	eax, [esi+484h]

loc_9484D8:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+1FFj
		xor	edx, edx
		mov	ecx, eax
		call	ExReleasePushLockEx
		cmp	[ebp+arg_4], ebx
		jl	loc_94859B
		mov	ecx, [ebp+var_20]

loc_9484ED:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+16Bj
		test	byte ptr [ecx+2], 40h
		jz	short loc_9484FA
		mov	eax, ebx
		mov	[ebp+arg_4], ebx
		jmp	short loc_948500
; 

loc_9484FA:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+220j
		mov	eax, [ecx+24h]
		mov	[ebp+arg_4], eax

loc_948500:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+227j
		or	dword ptr [edi+28h], 0FFFFFFFFh
		mov	[edi+24h], ebx
		test	eax, eax
		jz	loc_948599
		test	byte ptr [ebp+arg_8], 4
		jz	loc_948599
		mov	eax, [ecx+28h]
		lea	ecx, [ebp+var_50]
		push	ecx
		push	eax
		mov	eax, [ebp+var_4]
		push	eax
		call	dword ptr [eax+4]
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	short loc_94859B
		mov	eax, ebx
		mov	[ebp+arg_8], ebx
		cmp	[ebp+arg_4], eax
		jbe	short loc_948599

loc_94853B:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+2C6j
		push	[ebp+arg_10]
		mov	edx, [ecx+eax*4]
		mov	ecx, [ebp+var_4]
		push	esi
		call	_CmpCopyValue@16 ; CmpCopyValue(x,x,x,x)
		mov	[ebp+var_28], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_948653
		lea	ecx, [ebp+var_30]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_948653
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		push	[ebp+arg_4]
		mov	edx, [ebp+var_28]
		lea	eax, [edi+24h]
		push	eax
		push	[ebp+arg_10]
		mov	ecx, esi
		push	[ebp+arg_8]
		call	CmpAddValueToListEx
		test	eax, eax
		js	short loc_948608
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_C]
		inc	eax
		mov	[ebp+arg_8], eax
		cmp	eax, [ebp+arg_4]
		jb	short loc_94853B

loc_948599:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+238j
					; CmpCopyKeyPartial(x,x,x,x,x,x,x)+242j ...
		mov	bl, 1

loc_94859B:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+AFj
					; CmpCopyKeyPartial(x,x,x,x,x,x,x)+CFj	...
		lea	eax, [ebp+var_40]
		push	eax
		mov	eax, [ebp+var_4]
		push	eax
		call	dword ptr [eax+8]
		test	edi, edi
		jz	short loc_9485B2
		lea	eax, [ebp+var_48]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_9485B2:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+2D7j
		cmp	[ebp+var_C], 0
		jz	short loc_9485C3
		lea	eax, [ebp+var_50]
		push	eax
		mov	eax, [ebp+var_4]
		push	eax
		call	dword ptr [eax+8]

loc_9485C3:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+2E5j
		test	bl, bl
		jnz	loc_94865E
		mov	eax, [ebp+var_8]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9485DC
		mov	edx, eax
		mov	ecx, esi
		call	HvFreeCell

loc_9485DC:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+300j
		mov	eax, [ebp+var_10]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9485ED
		mov	edx, eax
		mov	ecx, esi
		call	HvFreeCell

loc_9485ED:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+311j
		mov	eax, [ebp+arg_0]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9485FE
		mov	edx, eax
		mov	ecx, esi
		call	HvFreeCell

loc_9485FE:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+6Ej
					; CmpCopyKeyPartial(x,x,x,x,x,x,x)+322j
		or	eax, 0FFFFFFFFh

loc_948601:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+390j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_948608:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+2B7j
		mov	eax, [edi+28h]
		mov	[ebp+var_8], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_94859B
		lea	ecx, [ebp+var_38]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_94859B
		cmp	[ebp+arg_8], ebx
		jbe	short loc_948646
		mov	ebx, [ebp+arg_8]
		lea	edi, [ebx-1]
		lea	edi, [eax+edi*4]

loc_948632:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+370j
		mov	edx, [edi]
		mov	ecx, esi
		call	HvFreeCell
		lea	edi, [edi-4]
		sub	ebx, 1
		jnz	short loc_948632
		mov	edi, [ebp+var_24]

loc_948646:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+356j
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_94859B
; 

loc_948653:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+27Fj
					; CmpCopyKeyPartial(x,x,x,x,x,x,x)+290j
		mov	ecx, [edi+28h]
		mov	[ebp+var_8], ecx
		jmp	loc_94859B
; 

loc_94865E:				; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+2F4j
		mov	eax, [ebp+arg_0]
		jmp	short loc_948601
_CmpCopyKeyPartial@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCopyMergeOfLayeredKeyNode(x, x, x, x, x,	x)
_CmpCopyMergeOfLayeredKeyNode@24 proc near ; CODE XREF:	CmSaveKey(x,x,x,x)+286p
					; CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+85p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	ebx, [ebp+arg_8]
		xor	eax, eax
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		mov	[ebp+var_34], ecx
		mov	edi, edx
		or	[ebp+var_34], 0FFFFFFFFh
		mov	[ebp+var_2C], ecx
		or	[ebp+var_2C], 0FFFFFFFFh
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], ecx
		mov	word ptr [ebp+var_30], ax
		mov	word ptr [ebp+var_28], ax
		cmp	ebx, 2
		jnz	short loc_9486BA
		mov	eax, [ebp+arg_0]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9486B5
		mov	ebx, eax
		shr	ebx, 1Fh
		jmp	short loc_9486B7
; 

loc_9486B5:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+49j
		mov	ebx, ecx

loc_9486B7:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+50j
		mov	[ebp+arg_8], ebx

loc_9486BA:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+41j
		movzx	eax, word ptr [esi]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_24], eax
		movzx	edx, ax
		jmp	short loc_9486D6
; 

loc_9486C8:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+76j
		mov	ecx, esi
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		cmp	dword ptr [eax+4], 0FFFFFFFFh
		jnz	short loc_9486DD
		dec	edx

loc_9486D6:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+63j
		test	dx, dx
		jns	short loc_9486C8
		jmp	short loc_9486E0
; 

loc_9486DD:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+70j
		mov	[ebp+var_C], eax

loc_9486E0:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+78j
		lea	eax, [ebp+var_10]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_14]
		call	_CmpGetSecurityCellForKeyNodeStack@12 ;	CmpGetSecurityCellForKeyNodeStack(x,x,x)
		and	[ebp+var_20], 0
		or	[ebp+var_1C], 0FFFFFFFFh
		and	[ebp+var_18], 0
		test	byte ptr [ebp+arg_4], 1
		jz	short loc_948767
		mov	eax, [ebp+var_24]
		movzx	edx, ax
		jmp	short loc_94874D
; 

loc_948708:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+EDj
		mov	ecx, esi
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		cmp	dword ptr [eax+4], 0FFFFFFFFh
		jz	short loc_94874C
		mov	ecx, [eax]
		mov	[ebp+var_24], ecx
		mov	ecx, [ecx+64h]
		and	ecx, 80000h
		mov	[ebp+arg_4], ecx
		mov	ecx, [eax+8]
		jz	short loc_948737
		movzx	eax, byte ptr [ecx+0Dh]
		and	eax, 3
		cmp	eax, 1
		jz	short loc_948767

loc_948737:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+C6j
		mov	al, [ecx+0Dh]
		test	al, al
		jns	short loc_948754
		cmp	[ebp+arg_4], 0
		jz	short loc_94874C
		movzx	eax, al
		and	eax, 3
		jnz	short loc_948767

loc_94874C:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+B0j
					; CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+DFj
		dec	edx

loc_94874D:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+A3j
		test	dx, dx
		jns	short loc_948708
		jmp	short loc_948767
; 

loc_948754:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+D9j
		mov	eax, [ebp+var_24]
		mov	[ebp+var_20], eax
		mov	eax, [ecx+30h]
		mov	[ebp+var_1C], eax
		movzx	eax, word ptr [ecx+4Ah]
		mov	[ebp+var_18], eax

loc_948767:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+9Bj
					; CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+D2j ...
		mov	eax, [ebp+var_C]
		mov	ecx, edi
		mov	eax, [eax+8]
		movzx	esi, word ptr [eax+48h]
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_4]
		add	esi, 4Ch
		push	eax
		push	ebx
		mov	edx, esi
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+arg_4], ebx
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_94879D
		mov	esi, [ebp+var_4]
		mov	edi, 0C000009Ah
		jmp	loc_948896
; 

loc_94879D:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+12Bj
		mov	ebx, [ebp+var_4]
		push	esi		; size_t
		mov	esi, [ebp+var_C]
		push	dword ptr [esi+8] ; void *
		push	ebx		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	[ebx+0Ch], dl
		add	esp, 0Ch
		mov	al, [ebx+0Dh]
		and	al, 0FCh
		or	al, 80h
		mov	[ebx+0Dh], al
		lea	eax, [ebx+2Ch]
		mov	[ebx+10h], ecx
		mov	[ebx+14h], edx
		or	dword ptr [ebx+1Ch], 0FFFFFFFFh
		mov	[ebx+18h], edx
		or	dword ptr [ebx+20h], 0FFFFFFFFh
		mov	[ebx+24h], edx
		or	dword ptr [ebx+28h], 0FFFFFFFFh
		or	dword ptr [eax], 0FFFFFFFFh
		or	dword ptr [ebx+30h], 0FFFFFFFFh
		mov	[ebp+arg_0], eax
		xor	eax, eax
		mov	[ebx+34h], ax
		mov	[ebx+38h], edx
		mov	[ebx+3Ch], edx
		mov	[ebx+40h], edx
		mov	[ebx+44h], edx
		mov	edx, 0FFBFh
		mov	[ebx+4Ah], ax
		mov	eax, [esi+8]
		mov	ax, [eax+2]
		and	ax, dx
		mov	[ebx+2], ax
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_94881D
		or	ax, 0Ch
		mov	[ebx+2], ax

loc_94881D:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+1B0j
		mov	ebx, [ebp+var_14]
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+var_10]
		push	ebx
		call	dword ptr [ebx+4]
		xor	edx, edx
		lea	ecx, [edi+484h]
		mov	esi, eax
		call	ExAcquirePushLockExclusiveEx
		push	[ebp+arg_0]	; int
		mov	edx, [ebp+arg_4]
		lea	eax, [esi+14h]
		mov	esi, [ebp+var_4]
		mov	ecx, edi
		push	0		; int
		push	eax		; void *
		push	esi		; int
		call	_CmpGetSecurityDescriptorNode@24 ; CmpGetSecurityDescriptorNode(x,x,x,x,x,x)
		xor	edx, edx
		mov	[ebp+arg_0], eax
		lea	ecx, [edi+484h]
		call	ExReleasePushLockEx
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		mov	edi, [ebp+arg_0]
		test	edi, edi
		js	short loc_948893
		mov	edi, [ebp+var_18]
		test	di, di
		jz	short loc_9488C5
		push	[ebp+arg_8]
		mov	edx, [ebp+var_1C]
		push	[ebp+var_8]
		mov	ecx, [ebp+var_20]
		call	_CmpCopyCell@16	; CmpCopyCell(x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9488BE
		mov	edi, 0C000009Ah

loc_948893:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+20Bj
		mov	ebx, [ebp+arg_4]

loc_948896:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+135j
					; CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+26Fj
		test	esi, esi
		mov	esi, [ebp+var_8]
		jz	short loc_9488A5
		lea	eax, [ebp+var_34]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_9488A5:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+238j
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_9488B5
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	CmpFreeKeyByCell

loc_9488B5:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+245j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_9488BE:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+229j
		mov	[esi+30h], eax
		mov	[esi+4Ah], di

loc_9488C5:				; CODE XREF: CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)+213j
		mov	eax, [ebp+arg_C]
		or	ebx, 0FFFFFFFFh
		mov	ecx, [ebp+arg_4]
		xor	edi, edi
		mov	[eax], ecx
		jmp	short loc_948896
_CmpCopyMergeOfLayeredKeyNode@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCopySyncTree2(x,	x, x, x, x, x, x)
_CmpCopySyncTree2@28 proc near		; CODE XREF: CmpCopySyncTree(x,x,x,x,x,x)+4Fp

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, [ebp+arg_C]
		push	ebx
		xor	ebx, ebx
		and	eax, 1
		push	esi
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_20], ebx
		cmp	[ebp+arg_10], 1
		push	edi
		mov	edi, ecx
		mov	[ebp+var_9], bl
		mov	ecx, ebx
		mov	[ebp+var_24], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_2], bl
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_48], esi
		mov	[ebp+var_44], ebx
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], esi
		mov	[ebp+var_54], ebx
		mov	[ebp+var_78], esi
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], esi
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_38], esi
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_34], eax
		jz	short loc_948940
		cmp	[ebp+arg_10], 2
		jz	short loc_948940
		mov	dh, bl
		mov	[ebp+var_1], bl
		jmp	short loc_948945
; 

loc_948940:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+5Dj
					; CmpCopySyncTree2(x,x,x,x,x,x,x)+63j
		mov	dh, 1
		mov	[ebp+var_1], dh

loc_948945:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+6Aj
		mov	[ebp+var_3C], ebx
		mov	eax, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_30], ebx
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_40], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_28], ebx
		test	dh, dh
		jz	short loc_948985
		push	6E5A6D43h
		push	200h
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_2C], esi
		test	esi, esi
		jnz	short loc_948980
		xor	al, al
		jmp	loc_948EBA
; 

loc_948980:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+A3j
		mov	ecx, [ebp+var_10]
		mov	eax, ecx

loc_948985:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+8Aj
		mov	ebx, [ebp+arg_8]

loc_948988:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+570j
		imul	esi, ecx, 14h
		add	esi, edi
		mov	edi, [ebp+arg_4]
		and	dword ptr [esi+8], 0

loc_948994:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+390j
					; CmpCopySyncTree2(x,x,x,x,x,x,x)+399j	...
		test	eax, eax
		jz	short loc_9489A0
		lea	eax, [ebp+var_58]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_9489A0:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+C2j
		mov	eax, [esi]
		lea	ecx, [ebp+var_58]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_948E99
		lea	ecx, [ebp+var_20]
		mov	edx, eax
		push	ecx
		push	dword ptr [esi+8]
		mov	ecx, edi
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		test	eax, eax
		js	loc_948E6F
		inc	dword ptr [esi+8]
		mov	eax, [ebp+var_20]
		cmp	eax, 0FFFFFFFFh
		jz	loc_948ACE
		cmp	byte ptr [ebp+var_34], 0
		jnz	short loc_9489EB
		test	eax, eax
		js	loc_948ACE

loc_9489EB:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+10Dj
		cmp	[ebp+var_1], 0
		jz	short loc_948A66
		lea	ecx, [ebp+var_48]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	edi, eax
		test	edi, edi
		jz	loc_948E4B
		push	[ebp+var_2C]
		lea	edx, [ebp+var_68]
		mov	ecx, edi
		call	_CmpInitializeKeyNameString@12 ; CmpInitializeKeyNameString(x,x,x)
		mov	eax, [esi+4]
		lea	ecx, [ebp+var_70]
		push	ecx
		push	eax
		push	ebx
		call	dword ptr [ebx+4]
		test	eax, eax
		jz	loc_948E4B
		and	[ebp+arg_8], 0
		lea	ecx, [ebp+arg_8]
		push	ecx
		lea	ecx, [ebp+var_68]
		mov	edx, eax
		push	ecx
		mov	ecx, ebx
		call	CmpFindSubKeyByNameWithStatus
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_70]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		mov	eax, [ebp+arg_8]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_948C83
		mov	edi, [ebp+arg_4]
		lea	eax, [ebp+var_48]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	eax, [ebp+var_20]
		mov	[ebp+var_2], 1

loc_948A66:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+11Bj
		test	byte ptr [ebp+arg_C], 40h
		jz	loc_948CFD
		lea	ecx, [ebp+var_40]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	loc_948E6F
		mov	al, [eax+0Ch]
		test	al, 2
		jz	short loc_948A8D
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_948A98
; 

loc_948A8D:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+1B2j
		not	al
		movzx	ecx, al
		and	ecx, 1
		or	ecx, 2

loc_948A98:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+1B7j
		cmp	ecx, [ebp+var_28]
		jle	short loc_948AAE
		or	byte ptr [esi+10h], 1
		lea	eax, [ebp+var_40]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		jmp	loc_948C7B
; 

loc_948AAE:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+1C7j
		mov	eax, [esi+0Ch]
		mov	edx, [edi+8]
		shl	eax, 1Dh
		sar	eax, 1Dh
		cmp	ecx, eax
		lea	eax, [ebp+var_40]
		push	eax
		push	edi
		jg	loc_948CFB
		call	edx
		jmp	loc_948C7B
; 

loc_948ACE:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+103j
					; CmpCopySyncTree2(x,x,x,x,x,x,x)+111j
		cmp	[ebp+var_1], 0
		jz	short loc_948B2F
		cmp	[ebp+arg_10], 2
		jz	short loc_948B2F
		mov	eax, [esi+4]
		lea	ecx, [ebp+var_78]
		push	ecx
		push	eax
		push	ebx
		call	dword ptr [ebx+4]
		mov	edx, eax
		test	edx, edx
		jz	loc_948E6F
		cmp	byte ptr [ebp+var_34], 0
		jz	short loc_948B01
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+18h]
		mov	[ebp+arg_8], eax
		jmp	short loc_948B05
; 

loc_948B01:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+220j
		and	[ebp+arg_8], 0

loc_948B05:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+22Bj
		mov	eax, [ebp+var_8]
		mov	ecx, [edx+18h]
		add	ecx, [edx+14h]
		mov	eax, [eax+14h]
		add	eax, [ebp+arg_8]
		cmp	ecx, eax
		jbe	short loc_948B27
		push	[ebp+var_2C]
		mov	ecx, edi
		push	edx
		mov	edx, [ebp+var_8]
		push	ebx
		call	_CmpSyncSubKeysAfterDelete@20 ;	CmpSyncSubKeysAfterDelete(x,x,x,x,x)

loc_948B27:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+242j
		lea	eax, [ebp+var_78]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]

loc_948B2F:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+1FEj
					; CmpCopySyncTree2(x,x,x,x,x,x,x)+204j
		mov	cl, [esi+10h]
		mov	edx, [ebp+var_14]
		test	cl, 1
		jz	loc_948BC3
		mov	edi, [ebp+var_30]
		inc	edx
		mov	[ebp+var_14], edx
		cmp	edx, edi
		jb	short loc_948BA2
		mov	eax, edi
		shr	eax, 1
		add	eax, edi
		inc	edi
		cmp	edi, eax
		ja	short loc_948B56
		mov	edi, eax

loc_948B56:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+27Ej
		imul	eax, edi, 14h
		push	20204D43h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+arg_8], ecx
		test	ecx, ecx
		jz	loc_948E6F
		imul	eax, [ebp+var_30], arg_C
		push	eax		; size_t
		push	[ebp+var_1C]	; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [ebp+var_1C]
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_948B93
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_948B93:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+2B5j
		mov	eax, [ebp+arg_8]
		mov	cl, [esi+10h]
		mov	edx, [ebp+var_14]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_30], edi

loc_948BA2:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+273j
		mov	eax, [esi+0Ch]
		and	cl, 0FEh
		xor	eax, [ebp+var_28]
		and	dword ptr [esi+8], 0
		and	eax, 7
		xor	[esi+0Ch], eax
		imul	edi, edx, 14h
		mov	[esi+10h], cl
		push	5
		pop	ecx
		add	edi, [ebp+var_1C]
		rep movsd

loc_948BC3:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+264j
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jnz	loc_948C50
		cmp	edx, 0FFFFFFFFh
		jz	loc_948E59
		mov	edi, [ebp+var_1C]
		imul	esi, edx, 14h
		push	5
		pop	ecx
		mov	eax, [edi+0Ch]
		add	esi, edi
		dec	edx
		mov	[ebp+var_14], edx
		xor	eax, [esi+0Ch]
		test	al, 7
		jnz	short loc_948BF9
		mov	eax, [ebp+var_24]
		mov	edi, eax
		rep movsd
		jmp	short loc_948C1D
; 

loc_948BF9:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+31Aj
		mov	esi, edi
		lea	eax, [edx+1]
		mov	edi, [ebp+var_24]
		imul	eax, 14h
		rep movsd
		mov	ecx, [ebp+var_1C]
		push	eax		; size_t
		lea	eax, [ecx+14h]
		push	eax		; void *
		push	ecx		; void *
		call	_memmove
		mov	edx, [ebp+var_14]
		add	esp, 0Ch
		mov	eax, [ebp+var_24]

loc_948C1D:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+323j
		mov	eax, [eax+0Ch]
		xor	ecx, ecx
		mov	esi, [ebp+var_28]
		inc	ecx
		shl	eax, 1Dh
		sar	eax, 1Dh
		cmp	esi, eax
		jnz	short loc_948C50
		mov	eax, [ebx+0C8h]
		inc	esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_14], edx
		cmp	esi, 2
		jnz	short loc_948C4A
		mov	[ebx+0BE0h], eax
		jmp	short loc_948C50
; 

loc_948C4A:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+36Cj
		mov	[ebx+0BE4h], eax

loc_948C50:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+2F4j
					; CmpCopySyncTree2(x,x,x,x,x,x,x)+35Aj	...
		mov	edi, [ebp+arg_4]
		dec	ecx
		mov	eax, [ebp+var_8]
		imul	esi, ecx, 14h
		mov	[ebp+var_10], ecx
		add	esi, [ebp+var_24]
		cmp	[ebp+var_2], 0
		jz	loc_948994
		cmp	ecx, [ebp+var_38]
		jnz	loc_948994
		mov	[ebp+var_1], 1
		mov	[ebp+var_2], 0

loc_948C7B:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+1D5j
					; CmpCopySyncTree2(x,x,x,x,x,x,x)+1F5j
		mov	eax, [ebp+var_8]
		jmp	loc_948994
; 

loc_948C83:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+17Aj
		lea	ecx, [ebp+var_60]
		push	ecx
		push	eax
		push	ebx
		call	dword ptr [ebx+4]
		mov	esi, eax
		test	esi, esi
		jz	loc_948E73
		cmp	[ebp+arg_10], 2
		jz	short loc_948CBF
		mov	eax, [esi+8]
		cmp	eax, [edi+8]
		jg	short loc_948CE1
		jl	short loc_948CAE
		mov	eax, [esi+4]
		cmp	eax, [edi+4]
		jnb	short loc_948CE1

loc_948CAE:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+3D0j
		push	ecx
		mov	ecx, [ebp+arg_4]
		push	esi
		push	[ebp+var_18]
		push	ebx
		push	edi
		call	_CmpSyncKeyValues@28 ; CmpSyncKeyValues(x,x,x,x,x,x,x)
		jmp	short loc_948CCD
; 

loc_948CBF:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+3C6j
		mov	ecx, [ebp+arg_4]
		push	esi
		push	[ebp+var_18]
		push	ebx
		push	edi
		call	_CmpMergeKeyValues@24 ;	CmpMergeKeyValues(x,x,x,x,x,x)

loc_948CCD:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+3E9j
		test	al, al
		jz	loc_948E73
		mov	eax, [edi+4]
		mov	[esi+4], eax
		mov	eax, [edi+8]
		mov	[esi+8], eax

loc_948CE1:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+3CEj
					; CmpCopySyncTree2(x,x,x,x,x,x,x)+3D8j
		lea	eax, [ebp+var_60]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		lea	eax, [ebp+var_48]
		push	eax
		mov	eax, [ebp+arg_4]
		push	eax
		call	dword ptr [eax+8]
		xor	dl, dl
		jmp	loc_948E0A
; 

loc_948CFB:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+1EDj
		call	edx

loc_948CFD:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+196j
		mov	eax, [ebp+arg_C]
		mov	edx, [ebp+var_20]
		or	eax, 4
		push	2
		push	ecx
		push	eax
		push	dword ptr [esi+4]
		mov	ecx, edi
		push	ebx
		call	_CmpCopyKeyPartial@28 ;	CmpCopyKeyPartial(x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_18], edi
		cmp	edi, 0FFFFFFFFh
		jz	loc_948E6F
		test	byte ptr [esi+10h], 2
		mov	byte ptr [ebp+arg_8+3],	1
		jnz	short loc_948D47
		mov	edx, [esi+4]
		mov	ecx, ebx
		push	0
		push	0
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_948E6F
		or	byte ptr [esi+10h], 2

loc_948D47:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+457j
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_8]
		mov	edx, [esi+4]
		shr	eax, 1Fh
		mov	eax, [ecx+eax*4+14h]
		mov	ecx, ebx
		push	eax
		push	edi
		call	_CmpAddSubKeyEx@16 ; CmpAddSubKeyEx(x,x,x,x)
		test	al, al
		jz	loc_948E6F
		mov	eax, [esi+4]
		lea	ecx, [ebp+var_50]
		or	[ebp+var_50], 0FFFFFFFFh
		and	[ebp+var_4C], 0
		or	[ebp+var_80], 0FFFFFFFFh
		and	[ebp+var_7C], 0
		push	ecx
		push	eax
		push	ebx
		call	dword ptr [ebx+4]
		mov	esi, eax
		test	esi, esi
		jz	loc_948E6F
		lea	eax, [ebp+var_80]
		push	eax
		push	edi
		push	ebx
		call	dword ptr [ebx+4]
		mov	edi, eax
		test	edi, edi
		jz	loc_948E4F
		test	byte ptr [edi+2], 20h
		movzx	edx, word ptr [edi+48h]
		jz	short loc_948DB1
		lea	eax, [edx+edx]
		movzx	edx, ax

loc_948DB1:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+4D5j
		cmp	[esi+34h], dx
		jnb	short loc_948DBB
		mov	[esi+34h], dx

loc_948DBB:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+4E1j
		movzx	eax, word ptr [edi+4Ah]
		cmp	[esi+38h], eax
		jnb	short loc_948DC7
		mov	[esi+38h], eax

loc_948DC7:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+4EEj
		lea	eax, [ebp+var_80]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		lea	eax, [ebp+var_50]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		cmp	[ebp+var_1], 0
		jz	short loc_948E07
		cmp	[ebp+var_2], 0
		mov	esi, [ebp+var_18]
		jz	short loc_948E02
		mov	edx, esi
		mov	ecx, ebx
		call	_CmpMarkKeyParentDirty@8 ; CmpMarkKeyParentDirty(x,x)
		test	al, al
		jz	short loc_948E6F
		mov	eax, [ebp+var_10]
		mov	dl, byte ptr [ebp+arg_8+3]
		mov	[ebp+var_38], eax
		mov	[ebp+var_1], 0
		jmp	short loc_948E10
; 

loc_948E02:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+510j
		mov	dl, byte ptr [ebp+arg_8+3]
		jmp	short loc_948E0D
; 

loc_948E07:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+507j
		mov	dl, byte ptr [ebp+arg_8+3]

loc_948E0A:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+422j
		mov	esi, [ebp+var_18]

loc_948E0D:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+531j
		mov	eax, [ebp+var_10]

loc_948E10:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+52Cj
		inc	eax
		mov	[ebp+var_10], eax
		cmp	eax, 200h
		jnb	short loc_948E49
		mov	edi, [ebp+var_24]
		add	dl, dl
		imul	ecx, eax, 14h
		mov	eax, [ebp+var_20]
		and	dword ptr [ecx+edi+0Ch], 0FFFFFFF8h
		mov	[ecx+edi], eax
		mov	al, [ecx+edi+10h]
		and	al, 0FCh
		mov	[ecx+edi+4], esi
		or	al, dl
		mov	[ecx+edi+10h], al
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_8]
		jmp	loc_948988
; 

loc_948E49:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+545j
		xor	edi, edi

loc_948E4B:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+12Aj
					; CmpCopySyncTree2(x,x,x,x,x,x,x)+14Bj
		xor	esi, esi
		jmp	short loc_948E73
; 

loc_948E4F:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+4C7j
		lea	eax, [ebp+var_50]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		jmp	short loc_948E6F
; 

loc_948E59:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+2FDj
		test	byte ptr [ebp+arg_C], 40h
		jz	short loc_948E6B
		mov	eax, [ebx+0C8h]
		mov	[ebx+0BE8h], eax

loc_948E6B:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+589j
		mov	[ebp+var_9], 1

loc_948E6F:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+F4j
					; CmpCopySyncTree2(x,x,x,x,x,x,x)+1A7j	...
		xor	esi, esi
		xor	edi, edi

loc_948E73:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+3BCj
					; CmpCopySyncTree2(x,x,x,x,x,x,x)+3FBj	...
		lea	eax, [ebp+var_58]
		push	eax
		mov	eax, [ebp+arg_4]
		push	eax
		call	dword ptr [eax+8]
		test	edi, edi
		jz	short loc_948E8D
		lea	eax, [ebp+var_48]
		push	eax
		mov	eax, [ebp+arg_4]
		push	eax
		call	dword ptr [eax+8]

loc_948E8D:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+5ACj
		test	esi, esi
		jz	short loc_948E99
		lea	eax, [ebp+var_60]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]

loc_948E99:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+DCj
					; CmpCopySyncTree2(x,x,x,x,x,x,x)+5BBj
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jz	short loc_948EA8
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_948EA8:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+5CAj
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_948EB7
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_948EB7:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+5D9j
		mov	al, [ebp+var_9]

loc_948EBA:				; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+A7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_CmpCopySyncTree2@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCopySyncTree(x, x, x, x,	x, x)
_CmpCopySyncTree@24 proc near		; CODE XREF: CmpReorganizeHive+18486Bp
					; CmpSaveBootControlSet(x)+50Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	20204D43h
		push	2800h
		push	1
		mov	edi, edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_948EE9
		xor	al, al
		jmp	short loc_948F20
; 

loc_948EE9:				; CODE XREF: CmpCopySyncTree(x,x,x,x,x,x)+22j
		push	[ebp+arg_C]
		mov	eax, [ebp+arg_4]
		mov	edx, 200h
		push	[ebp+arg_8]
		and	dword ptr [esi+0Ch], 0FFFFFFF8h
		mov	ecx, esi
		push	[ebp+arg_0]
		and	byte ptr [esi+10h], 0FCh
		mov	[esi], edi
		xor	edi, edi
		push	ebx
		push	edi
		mov	[esi+4], eax
		mov	[esi+8], edi
		call	_CmpCopySyncTree2@28 ; CmpCopySyncTree2(x,x,x,x,x,x,x)
		push	edi
		push	esi
		mov	bl, al
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, bl

loc_948F20:				; CODE XREF: CmpCopySyncTree(x,x,x,x,x,x)+26j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	10h
_CmpCopySyncTree@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCopyValue(x, x, x, x)
_CmpCopyValue@16 proc near		; CODE XREF: CmpCopyKeyPartial(x,x,x,x,x,x,x)+274p
					; CmpMergeKeyValues(x,x,x,x,x,x)+119p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_2C]
		or	[ebp+var_2C], 0FFFFFFFFh
		and	[ebp+var_28], 0
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		push	eax
		push	esi
		push	edi
		mov	[ebp+var_18], esi
		call	dword ptr [edi+4]
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		jnz	short loc_948F60
		or	esi, 0FFFFFFFFh
		jmp	loc_949027
; 

loc_948F60:				; CODE XREF: CmpCopyValue(x,x,x,x)+2Ej
		mov	eax, [edx+4]
		mov	[ebp+var_20], eax
		lea	ecx, [eax-80000000h]
		cmp	eax, 80000000h
		jnb	short loc_948F75
		mov	ecx, eax

loc_948F75:				; CODE XREF: CmpCopyValue(x,x,x,x)+49j
		push	[ebp+arg_4]
		mov	ebx, [ebp+arg_0]
		lea	eax, [edx+8]
		mov	[ebp+var_4], ecx
		mov	edx, esi
		mov	[ebp+var_14], ecx
		mov	ecx, edi
		mov	[ebp+var_C], eax
		mov	eax, [eax]
		push	ebx
		mov	[ebp+var_1C], eax
		call	_CmpCopyCell@16	; CmpCopyCell(x,x,x,x)
		mov	esi, eax
		mov	[ebp+arg_0], esi
		cmp	esi, 0FFFFFFFFh
		jz	short loc_949018
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_949018
		cmp	eax, 4
		jbe	loc_9490EC
		add	eax, 0FFFFC027h
		mov	ecx, 7FFFC026h
		cmp	dword ptr [edi+9Ch], 4
		jb	short loc_948FC7
		cmp	eax, ecx
		jbe	short loc_948FDC

loc_948FC7:				; CODE XREF: CmpCopyValue(x,x,x,x)+99j
		cmp	dword ptr [ebx+9Ch], 4
		jb	loc_949087
		cmp	eax, ecx
		ja	loc_949087

loc_948FDC:				; CODE XREF: CmpCopyValue(x,x,x,x)+9Dj
		mov	edx, [ebp+var_18]
		xor	eax, eax
		or	[ebp+var_24], 0FFFFFFFFh
		mov	ecx, edi
		mov	[ebp+var_C], eax
		mov	byte ptr [ebp+arg_0+3],	al
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+arg_0+3]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	CmpGetValueData
		mov	ecx, ebx
		test	al, al
		jnz	short loc_949030

loc_94900E:				; CODE XREF: CmpCopyValue(x,x,x,x)+13Ej
		mov	edx, esi
		call	HvFreeCell
		or	esi, 0FFFFFFFFh

loc_949018:				; CODE XREF: CmpCopyValue(x,x,x,x)+76j
					; CmpCopyValue(x,x,x,x)+7Dj
		mov	eax, [ebp+var_8]

loc_94901B:				; CODE XREF: CmpCopyValue(x,x,x,x)+225j
		test	eax, eax
		jz	short loc_949027
		lea	eax, [ebp+var_2C]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_949027:				; CODE XREF: CmpCopyValue(x,x,x,x)+33j
					; CmpCopyValue(x,x,x,x)+F5j ...
		mov	eax, esi

loc_949029:				; CODE XREF: CmpCopyValue(x,x,x,x)+1A6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_949030:				; CODE XREF: CmpCopyValue(x,x,x,x)+E4j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+arg_4]
		mov	eax, [ebp+var_14]
		push	eax
		mov	[ebp+var_4], eax
		call	CmpSetValueDataNew
		test	eax, eax
		jns	short loc_949068
		cmp	byte ptr [ebp+arg_0+3],	1
		jnz	short loc_94905C
		push	0
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_949064
; 

loc_94905C:				; CODE XREF: CmpCopyValue(x,x,x,x)+126j
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_949064:				; CODE XREF: CmpCopyValue(x,x,x,x)+132j
					; CmpCopyValue(x,x,x,x)+173j
		mov	ecx, ebx
		jmp	short loc_94900E
; 

loc_949068:				; CODE XREF: CmpCopyValue(x,x,x,x)+120j
		cmp	byte ptr [ebp+arg_0+3],	1
		jnz	short loc_94907D
		push	0
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_949078:				; CODE XREF: CmpCopyValue(x,x,x,x)+15Dj
		mov	eax, [ebp+var_10]
		jmp	short loc_949095
; 

loc_94907D:				; CODE XREF: CmpCopyValue(x,x,x,x)+144j
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		jmp	short loc_949078
; 

loc_949087:				; CODE XREF: CmpCopyValue(x,x,x,x)+A6j
					; CmpCopyValue(x,x,x,x)+AEj
		push	[ebp+arg_4]
		mov	edx, [ebp+var_1C]
		mov	ecx, edi
		push	ebx
		call	_CmpCopyCell@16	; CmpCopyCell(x,x,x,x)

loc_949095:				; CODE XREF: CmpCopyValue(x,x,x,x)+153j
		mov	[ebp+arg_4], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_949064
		lea	eax, [ebp+var_2C]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		lea	eax, [ebp+var_2C]
		push	eax
		push	esi
		push	ebx
		call	dword ptr [ebx+4]
		mov	edx, eax
		test	edx, edx
		jnz	short loc_9490D3
		mov	edx, esi
		mov	ecx, ebx
		call	HvFreeCell
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+arg_4]
		push	ecx
		mov	ecx, ebx
		call	CmpFreeValueData

loc_9490CB:				; CODE XREF: CmpCopyValue(x,x,x,x)+233j
		or	eax, 0FFFFFFFFh
		jmp	loc_949029
; 

loc_9490D3:				; CODE XREF: CmpCopyValue(x,x,x,x)+18Aj
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		mov	[edx+8], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		mov	[edx+4], ecx
		call	dword ptr [ebx+8]
		jmp	loc_949027
; 

loc_9490EC:				; CODE XREF: CmpCopyValue(x,x,x,x)+82j
		cmp	[ebp+var_20], 80000000h
		jb	short loc_9490FA
		mov	eax, [ebp+var_C]
		jmp	short loc_949117
; 

loc_9490FA:				; CODE XREF: CmpCopyValue(x,x,x,x)+1CBj
		mov	esi, [ebp+var_C]
		lea	eax, [ebp+var_2C]
		push	eax
		push	edi
		mov	esi, [esi]
		call	dword ptr [edi+8]
		lea	eax, [ebp+var_2C]
		push	eax
		push	esi
		push	edi
		call	dword ptr [edi+4]
		mov	esi, [ebp+arg_0]
		test	eax, eax
		jz	short loc_949152

loc_949117:				; CODE XREF: CmpCopyValue(x,x,x,x)+1D0j
		mov	eax, [eax]
		mov	[ebp+arg_4], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		lea	eax, [ebp+var_2C]
		push	eax
		push	esi
		push	ebx
		call	dword ptr [ebx+4]
		test	eax, eax
		jz	short loc_949152
		mov	ecx, [ebp+arg_4]
		mov	[eax+8], ecx
		mov	ecx, [ebp+var_4]
		add	ecx, 80000000h
		mov	[eax+4], ecx
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		xor	eax, eax
		jmp	loc_94901B
; 

loc_949152:				; CODE XREF: CmpCopyValue(x,x,x,x)+1EDj
					; CmpCopyValue(x,x,x,x)+207j
		mov	edx, esi
		mov	ecx, ebx
		call	HvFreeCell
		jmp	loc_9490CB
_CmpCopyValue@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFreeKeyValueList(x, x)
_CmpFreeKeyValueList@8 proc near	; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+318p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, edx
		mov	[ebp+var_C], esi
		xor	eax, eax
		or	[ebp+var_C], 0FFFFFFFFh
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], esi
		mov	word ptr [ebp+var_8], ax
		cmp	[ebx], esi
		jz	short loc_9491C2
		mov	eax, [ebx+4]
		lea	ecx, [ebp+var_C]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	[ebp+var_4], eax
		cmp	[ebx], esi
		jbe	short loc_9491AA

loc_949198:				; CODE XREF: CmpFreeKeyValueList(x,x)+48j
		mov	edx, [eax+esi*4]
		mov	ecx, edi
		call	_CmpFreeValue@8	; CmpFreeValue(x,x)
		mov	eax, [ebp+var_4]
		inc	esi
		cmp	esi, [ebx]
		jb	short loc_949198

loc_9491AA:				; CODE XREF: CmpFreeKeyValueList(x,x)+36j
		mov	edx, [ebx+4]
		mov	ecx, edi
		call	HvFreeCell
		cmp	[ebp+var_4], 0
		jz	short loc_9491C2
		lea	eax, [ebp+var_C]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_9491C2:				; CODE XREF: CmpFreeKeyValueList(x,x)+23j
					; CmpFreeKeyValueList(x,x)+58j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpFreeKeyValueList@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFreeKeyValues(x,	x, x)
_CmpFreeKeyValues@12 proc near		; CODE XREF: CmDeleteLayeredKey(x,x,x)+366p
					; CmpSyncKeyValues(x,x,x,x,x,x,x)+46p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		or	[ebp+var_8], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		push	esi
		mov	edi, ecx
		mov	[ebp+var_4], ebx
		call	_CmpMarkKeyValuesDirty@12 ; CmpMarkKeyValuesDirty(x,x,x)
		test	al, al
		jz	short loc_949264
		test	byte ptr [esi+2], 2
		jnz	short loc_949258
		cmp	[esi+24h], ebx
		jbe	short loc_949237
		mov	eax, [esi+28h]
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_949264
		cmp	[esi+24h], ebx
		jbe	short loc_949223

loc_94920C:				; CODE XREF: CmpFreeKeyValues(x,x,x)+5Aj
		mov	edx, [eax+ebx*4]
		mov	ecx, edi
		call	_CmpFreeValue@8	; CmpFreeValue(x,x)
		test	al, al
		jz	short loc_94925C
		mov	eax, [ebp+arg_0]
		inc	ebx
		cmp	ebx, [esi+24h]
		jb	short loc_94920C

loc_949223:				; CODE XREF: CmpFreeKeyValues(x,x,x)+43j
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	edx, [esi+28h]
		mov	ecx, edi
		call	HvFreeCell
		xor	ebx, ebx

loc_949237:				; CODE XREF: CmpFreeKeyValues(x,x,x)+2Bj
		or	dword ptr [esi+28h], 0FFFFFFFFh
		mov	[esi+24h], ebx
		cmp	[esi+4Ah], bx
		jbe	short loc_949258
		mov	edx, [esi+30h]
		mov	ecx, edi
		call	HvFreeCell
		or	dword ptr [esi+30h], 0FFFFFFFFh
		xor	eax, eax
		mov	[esi+4Ah], ax

loc_949258:				; CODE XREF: CmpFreeKeyValues(x,x,x)+26j
					; CmpFreeKeyValues(x,x,x)+7Bj
		mov	al, 1
		jmp	short loc_949266
; 

loc_94925C:				; CODE XREF: CmpFreeKeyValues(x,x,x)+51j
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_949264:				; CODE XREF: CmpFreeKeyValues(x,x,x)+20j
					; CmpFreeKeyValues(x,x,x)+3Ej
		xor	al, al

loc_949266:				; CODE XREF: CmpFreeKeyValues(x,x,x)+93j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpFreeKeyValues@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpInitializeKeyNameString(x, x, x)
_CmpInitializeKeyNameString@12 proc near ; CODE	XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+138p
					; CmpSyncSubKeysAfterDelete(x,x,x,x,x)+67p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr [ecx+2], 20h
		movzx	eax, word ptr [ecx+48h]
		push	edi
		mov	edi, edx
		jz	short loc_9492B0
		push	ebx
		add	eax, eax
		mov	ebx, 200h
		mov	[edi], ax
		push	esi
		cmp	ax, bx
		ja	short loc_9492C6
		movzx	eax, word ptr [ecx+48h]
		mov	edx, ebx
		mov	esi, [ebp+arg_0]
		push	eax
		lea	eax, [ecx+4Ch]
		mov	ecx, esi
		push	eax
		call	_CmpCopyCompressedName@16 ; CmpCopyCompressedName(x,x,x,x)
		mov	[edi+4], esi
		pop	esi
		mov	[edi+2], bx
		pop	ebx
		jmp	short loc_9492C1
; 

loc_9492B0:				; CODE XREF: CmpInitializeKeyNameString(x,x,x)+10j
		mov	[edi], ax
		lea	eax, [ecx+4Ch]
		mov	[edi+4], eax
		mov	ax, [ecx+34h]
		mov	[edi+2], ax

loc_9492C1:				; CODE XREF: CmpInitializeKeyNameString(x,x,x)+41j
		pop	edi
		pop	ebp
		retn	4
; 

loc_9492C6:				; CODE XREF: CmpInitializeKeyNameString(x,x,x)+21j
		movzx	eax, ax
		xor	edx, edx
		push	eax
		push	ecx
		push	31h
		pop	ecx
		call	_CmSiBugCheck@16 ; CmSiBugCheck(x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall CmpMarkKeyParentDirty(x, x)
_CmpMarkKeyParentDirty@8:		; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+516p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		or	[ebp+var_C], 0FFFFFFFFh
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_4], eax
		lea	ecx, [ebp+var_C]
		xor	ebx, ebx
		push	ecx
		push	eax
		push	esi
		mov	[ebp+var_8], ebx
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_949333
		test	byte ptr [eax+2], 4
		jz	short loc_949308
		mov	bl, 1
		jmp	short loc_94932B
; 

loc_949308:				; CODE XREF: CmpInitializeKeyNameString(x,x,x)+95j
		mov	edi, [eax+10h]
		mov	ecx, esi
		push	[ebp+var_4]
		mov	edx, edi
		call	CmpMarkIndexDirty
		test	al, al
		jz	short loc_94932B
		push	ebx
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	HvpMarkCellDirty
		test	al, al
		setnz	bl

loc_94932B:				; CODE XREF: CmpInitializeKeyNameString(x,x,x)+99j
					; CmpInitializeKeyNameString(x,x,x)+ACj
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_949333:				; CODE XREF: CmpInitializeKeyNameString(x,x,x)+8Fj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_CmpInitializeKeyNameString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpMarkKeyValuesDirty(x, x,	x)
_CmpMarkKeyValuesDirty@12 proc near	; CODE XREF: CmpFreeKeyValues(x,x,x)+19p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		or	[ebp+var_1C], 0FFFFFFFFh
		xor	eax, eax
		or	[ebp+var_C], 0FFFFFFFFh
		or	[ebp+var_14], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_18], eax
		mov	esi, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		test	byte ptr [edi+2], 2
		jz	short loc_949371

loc_94936A:				; CODE XREF: CmpMarkKeyValuesDirty(x,x,x)+C6j
					; CmpMarkKeyValuesDirty(x,x,x)+D1j ...
		mov	al, bl
		jmp	loc_9494A8
; 

loc_949371:				; CODE XREF: CmpMarkKeyValuesDirty(x,x,x)+2Ej
		push	eax
		push	eax
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_9494A6
		mov	edx, [edi+30h]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_94939B
		push	0
		push	0
		mov	ecx, esi
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_9494A6

loc_94939B:				; CODE XREF: CmpMarkKeyValuesDirty(x,x,x)+4Cj
		mov	edx, [edi+2Ch]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_949406
		push	0
		push	0
		mov	ecx, esi
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_9494A6
		mov	eax, [edi+2Ch]
		lea	ecx, [ebp+var_C]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_9494A6
		mov	edx, [eax+4]
		mov	ecx, esi
		push	0
		push	0
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_9493F4
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	0
		push	0
		mov	edx, [edx+8]
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_9493F6

loc_9493F4:				; CODE XREF: CmpMarkKeyValuesDirty(x,x,x)+A3j
		xor	bl, bl

loc_9493F6:				; CODE XREF: CmpMarkKeyValuesDirty(x,x,x)+B8j
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		test	bl, bl
		jz	loc_94936A

loc_949406:				; CODE XREF: CmpMarkKeyValuesDirty(x,x,x)+67j
		xor	eax, eax
		cmp	[edi+24h], eax
		jbe	loc_94936A
		mov	edx, [edi+28h]
		mov	ecx, esi
		push	eax
		push	eax
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_949428

loc_949421:				; CODE XREF: CmpMarkKeyValuesDirty(x,x,x)+101j
		xor	bl, bl
		jmp	loc_94936A
; 

loc_949428:				; CODE XREF: CmpMarkKeyValuesDirty(x,x,x)+E5j
		mov	eax, [edi+28h]
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	short loc_949421
		xor	eax, eax
		mov	[ebp+arg_0], eax
		cmp	[edi+24h], eax
		jbe	short loc_949499

loc_949447:				; CODE XREF: CmpMarkKeyValuesDirty(x,x,x)+159j
		mov	edx, [ecx+eax*4]
		mov	ecx, esi
		push	0
		push	0
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_949497
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+arg_0]
		mov	eax, [ecx+eax*4]
		lea	ecx, [ebp+var_14]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_949497
		mov	edx, eax
		mov	ecx, esi
		call	_CmpMarkValueDataDirty@8 ; CmpMarkValueDataDirty(x,x)
		mov	bl, al
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		test	bl, bl
		jz	short loc_949499
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, [edi+24h]
		jb	short loc_949447
		jmp	short loc_949499
; 

loc_949497:				; CODE XREF: CmpMarkKeyValuesDirty(x,x,x)+11Dj
					; CmpMarkKeyValuesDirty(x,x,x)+133j
		xor	bl, bl

loc_949499:				; CODE XREF: CmpMarkKeyValuesDirty(x,x,x)+10Bj
					; CmpMarkKeyValuesDirty(x,x,x)+14Aj ...
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_94936A
; 

loc_9494A6:				; CODE XREF: CmpMarkKeyValuesDirty(x,x,x)+40j
					; CmpMarkKeyValuesDirty(x,x,x)+5Bj ...
		xor	al, al

loc_9494A8:				; CODE XREF: CmpMarkKeyValuesDirty(x,x,x)+32j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpMarkKeyValuesDirty@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpMergeKeyValues(x, x, x, x, x, x)
_CmpMergeKeyValues@24 proc near		; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+3F4p
					; CmSaveMergedKeys(x,x,x,x)+274p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [ebp+arg_C]
		xor	edx, edx
		or	[ebp+var_28], 0FFFFFFFFh
		or	[ebp+var_18], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, ecx
		mov	bl, dl
		mov	[ebp+var_24], edx
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], edx
		mov	ecx, [edi+3Ch]
		mov	[ebp+var_14], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx
		cmp	[eax+3Ch], ecx
		jnb	short loc_9494EB
		mov	[eax+3Ch], ecx

loc_9494EB:				; CODE XREF: CmpMergeKeyValues(x,x,x,x,x,x)+37j
		mov	ecx, [edi+40h]
		cmp	[eax+40h], ecx
		jnb	short loc_9494F6
		mov	[eax+40h], ecx

loc_9494F6:				; CODE XREF: CmpMergeKeyValues(x,x,x,x,x,x)+42j
		lea	ecx, [eax+24h]
		mov	[ebp+arg_C], ecx
		cmp	[ecx], edx
		jnz	short loc_949515
		push	ecx
		push	eax
		push	[ebp+arg_8]
		mov	ecx, esi
		push	[ebp+arg_4]
		push	edi
		call	_CmpSyncKeyValues@28 ; CmpSyncKeyValues(x,x,x,x,x,x,x)
		jmp	loc_94960E
; 

loc_949515:				; CODE XREF: CmpMergeKeyValues(x,x,x,x,x,x)+4Fj
		mov	eax, [edi+24h]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	short loc_949526
		mov	bl, 1
		jmp	loc_94960C
; 

loc_949526:				; CODE XREF: CmpMergeKeyValues(x,x,x,x,x,x)+6Ej
		push	20204D43h
		push	7FFFh
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_949545
		xor	al, al
		jmp	loc_94960E
; 

loc_949545:				; CODE XREF: CmpMergeKeyValues(x,x,x,x,x,x)+8Dj
		mov	eax, [ebp+arg_8]
		lea	ecx, [ebp+var_28]
		shr	eax, 1Fh
		push	ecx
		mov	[ebp+arg_8], eax
		mov	eax, [edi+28h]
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_949602
		xor	edi, edi
		cmp	[ebp+arg_0], edi
		jbe	loc_9495F8

loc_949570:				; CODE XREF: CmpMergeKeyValues(x,x,x,x,x,x)+143j
		mov	eax, [eax+edi*4]
		lea	ecx, [ebp+var_18]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_9495FA
		push	[ebp+var_10]
		lea	edx, [ebp+var_20]
		mov	ecx, eax
		call	_CmpInitializeValueNameString@12 ; CmpInitializeValueNameString(x,x,x)
		mov	edx, [ebp+arg_C]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		lea	eax, [ebp+var_20]
		push	eax
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		mov	ecx, [esi+8]
		test	al, al
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		jz	short loc_949615
		call	ecx
		cmp	[ebp+var_4], 0FFFFFFFFh
		jnz	short loc_9495EB
		push	[ebp+arg_8]
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		push	[ebp+arg_4]
		mov	edx, [edx+edi*4]
		call	_CmpCopyValue@16 ; CmpCopyValue(x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9495FA
		mov	ecx, [ebp+arg_4]
		mov	edx, eax
		push	1
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+var_8]
		call	CmpAddValueToListEx
		test	eax, eax
		js	short loc_9495FA

loc_9495EB:				; CODE XREF: CmpMergeKeyValues(x,x,x,x,x,x)+109j
		mov	eax, [ebp+var_C]
		inc	edi
		cmp	edi, [ebp+arg_0]
		jb	loc_949570

loc_9495F8:				; CODE XREF: CmpMergeKeyValues(x,x,x,x,x,x)+BBj
		mov	bl, 1

loc_9495FA:				; CODE XREF: CmpMergeKeyValues(x,x,x,x,x,x)+CFj
					; CmpMergeKeyValues(x,x,x,x,x,x)+121j ...
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_949602:				; CODE XREF: CmpMergeKeyValues(x,x,x,x,x,x)+B0j
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_94960C:				; CODE XREF: CmpMergeKeyValues(x,x,x,x,x,x)+72j
		mov	al, bl

loc_94960E:				; CODE XREF: CmpMergeKeyValues(x,x,x,x,x,x)+61j
					; CmpMergeKeyValues(x,x,x,x,x,x)+91j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_949615:				; CODE XREF: CmpMergeKeyValues(x,x,x,x,x,x)+101j
		call	ecx
		jmp	short loc_9495FA
_CmpMergeKeyValues@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPreserveSystemHiveData(x, x)
_CmpPreserveSystemHiveData@8 proc near	; CODE XREF: CmReplaceKey(x,x,x,x)+FEp

var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= byte ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= byte ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F4h
		xor	eax, eax
		mov	[ebp+var_F0], (offset loc_8B75C3+1)
		push	ebx
		push	esi
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_2C], eax
		push	edi
		mov	edi, ecx
		mov	[ebp+var_70], eax
		mov	[ebp+var_60], eax
		mov	ebx, edx
		mov	[ebp+var_48], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_EC], eax
		mov	[ebp+var_E4], eax
		mov	[ebp+var_DC], eax
		mov	[ebp+var_D4], eax
		mov	[ebp+var_CC], eax
		mov	[ebp+var_C8], eax
		mov	[ebp+var_C0], eax
		mov	[ebp+var_BC], eax
		mov	[ebp+var_B8], al
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A0], eax
		mov	[ebp+var_98], eax
		mov	[ebp+var_90], eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], al
		mov	[ebp+var_20], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], eax
		mov	eax, [edi+20h]
		mov	[ebp+var_30], esi
		mov	[ebp+var_74], esi
		mov	[ebp+var_64], esi
		mov	[ebp+var_4C], esi
		mov	[ebp+var_5C], esi
		mov	[ebp+var_6C], esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_E8], esi
		mov	[ebp+var_E0], esi
		mov	[ebp+var_D8], esi
		mov	[ebp+var_D0], esi
		mov	[ebp+var_C4], esi
		mov	[ebp+var_B4], offset ??_C@_1CO@CJDHJLDB@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt@NNGAKEGL@
		mov	[ebp+var_B0], offset ??_C@_1BM@NLGAGAOC@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@NNGAKEGL@
		mov	[ebp+var_AC], esi
		mov	[ebp+var_A4], esi
		mov	[ebp+var_9C], esi
		mov	[ebp+var_94], esi
		mov	[ebp+var_88], esi
		mov	ecx, [eax+24h]
		mov	[ebp+var_54], ebx
		mov	[ebp+var_14], (offset loc_8B75E7+1)
		mov	[ebp+var_C], ecx
		mov	[ebp+var_34], 2
		cmp	ecx, esi
		jz	loc_949B9E
		mov	eax, [ebx+20h]
		mov	esi, [eax+24h]
		mov	[ebp+var_1C], esi
		cmp	esi, 0FFFFFFFFh
		jz	loc_949B9E
		lea	eax, [ebp+var_6C]
		push	eax
		push	ecx
		push	edi
		call	dword ptr [edi+4]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	esi
		push	ebx
		call	dword ptr [ebx+4]
		cmp	[ebp+var_24], 0
		mov	edx, eax
		mov	[ebp+var_18], edx
		jz	loc_949870
		test	edx, edx
		jz	loc_949870
		xor	eax, eax
		mov	[ebp+var_8], eax

loc_94978B:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+1C4j
		mov	esi, [ebp+eax*4+var_14]
		mov	ecx, edi
		mov	edx, [ebp+var_C]
		push	esi
		call	_CmpWalkPath@12	; CmpWalkPath(x,x,x)
		mov	edx, [ebp+var_1C]
		mov	ecx, ebx
		push	esi
		mov	[ebp+var_10], eax
		call	_CmpWalkPath@12	; CmpWalkPath(x,x,x)
		mov	edx, [ebp+var_10]
		or	esi, 0FFFFFFFFh
		cmp	edx, esi
		jz	loc_949B9E
		cmp	eax, esi
		jz	loc_949B9E
		push	1
		push	2
		push	eax
		push	ebx
		mov	ecx, edi
		call	_CmpCopySyncTree@24 ; CmpCopySyncTree(x,x,x,x,x,x)
		test	al, al
		jz	loc_949B9E
		mov	eax, [ebp+var_8]
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, 1
		jb	short loc_94978B
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		push	offset ??_C@_1CE@MEIKCFL@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS@NNGAKEGL@
		call	_CmpWalkPath@12	; CmpWalkPath(x,x,x)
		mov	[ebp+var_10], eax
		cmp	eax, esi
		jnz	short loc_9497FC

loc_9497F5:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+2F5j
					; CmpPreserveSystemHiveData(x,x)+3CFj ...
		xor	esi, esi
		jmp	loc_949BA3
; 

loc_9497FC:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+1DAj
		lea	ecx, [ebp+var_5C]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	short loc_949870
		xor	edx, edx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	edx
		push	edx
		mov	[ebp+var_8], edx
		mov	ecx, edi
		push	offset _CmSymbolicLinkValueName
		lea	edx, [eax+24h]
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		lea	eax, [ebp+var_5C]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		cmp	[ebp+var_8], esi
		jz	loc_94991B
		lea	eax, [ebp+var_3C]
		push	eax
		push	[ebp+var_8]
		push	edi
		call	dword ptr [edi+4]
		mov	esi, eax
		test	esi, esi
		jz	loc_94991B
		cmp	dword ptr [esi+0Ch], 6
		jnz	loc_949913
		mov	eax, [esi+8]
		lea	ecx, [ebp+var_4C]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jnz	short loc_94987A
		lea	eax, [ebp+var_3C]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_949870:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+15Fj
					; CmpPreserveSystemHiveData(x,x)+167j ...
		mov	esi, 0C000009Ah
		jmp	loc_949BA3
; 

loc_94987A:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+24Dj
		mov	eax, [esi+4]
		lea	esi, [ecx-2]
		add	esi, eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		push	5Ch
		pop	edx
		xor	ecx, ecx
		cmp	[esi], dx
		jz	short loc_9498A4
		mov	eax, [ebp+var_14]

loc_949897:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+289j
		cmp	esi, eax
		jb	short loc_9498A4
		sub	esi, 2
		inc	ecx
		cmp	[esi], dx
		jnz	short loc_949897

loc_9498A4:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+279j
					; CmpPreserveSystemHiveData(x,x)+280j
		lea	eax, [ecx+ecx]
		mov	[ebp+var_8], eax
		add	eax, 2
		push	68504D43h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jnz	short loc_9498D5
		lea	eax, [ebp+var_4C]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	esi, 0C0000017h
		jmp	loc_949BA3
; 

loc_9498D5:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+2A8j
		push	[ebp+var_8]	; size_t
		lea	eax, [esi+2]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	ecx, [ebp+var_28]
		add	esp, 0Ch
		mov	eax, [ebp+var_8]
		xor	edx, edx
		push	ecx
		mov	[eax+ecx], dx
		mov	ecx, edi
		mov	edx, [ebp+var_C]
		call	_CmpWalkPath@12	; CmpWalkPath(x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	edi
		mov	[ebp+var_10], esi
		call	dword ptr [edi+8]
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_94991B
		jmp	loc_9497F5
; 

loc_949913:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+234j
		lea	eax, [ebp+var_3C]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_94991B:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+215j
					; CmpPreserveSystemHiveData(x,x)+22Aj ...
		xor	al, al
		lea	esi, [ebp+var_E8]
		and	[ebp+var_C], 0
		mov	[ebp+var_1], al

loc_94992A:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+3C7j
		push	dword ptr [esi-8]
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		call	_CmpWalkPath@12	; CmpWalkPath(x,x,x)
		mov	[esi], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_9499D0
		cmp	dword ptr [esi-4], 0
		jz	loc_949A32
		lea	ecx, [esi+8]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	[esi+4], eax
		test	eax, eax
		jz	loc_949870
		push	dword ptr [esi-4]
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [esi+4]
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		add	edx, 24h
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_44]
		mov	[ebp+var_8], ecx
		push	eax
		mov	ecx, edi
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		mov	[esi+10h], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_9499D0
		lea	eax, [esi+18h]
		mov	[ebp+var_1], 1
		push	eax
		push	ecx
		push	edi
		call	dword ptr [edi+4]
		mov	edx, eax
		mov	[esi+14h], edx
		test	edx, edx
		jz	loc_949870
		lea	ecx, [esi+24h]
		push	ecx
		lea	ecx, [esi+30h]
		push	ecx
		lea	ecx, [esi+20h]
		push	ecx
		lea	eax, [esi+2Ch]
		mov	ecx, edi
		push	eax
		push	edx
		mov	edx, [esi+10h]
		call	CmpGetValueData
		test	al, al
		jz	loc_949B9E

loc_9499D0:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+323j
					; CmpPreserveSystemHiveData(x,x)+378j
		mov	al, [ebp+var_1]

loc_9499D3:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+41Ej
		mov	ecx, [ebp+var_C]
		add	esi, 3Ch
		inc	ecx
		mov	[ebp+var_C], ecx
		cmp	ecx, 2
		jb	loc_94992A
		test	al, al
		jz	loc_9497F5
		mov	edx, [ebp+var_18]
		xor	eax, eax
		mov	[ebp+var_14], eax
		cmp	[edx+14h], eax
		jbe	loc_9497F5

loc_9499FF:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+57Aj
		lea	ecx, [ebp+var_20]
		push	ecx
		push	eax
		mov	ecx, ebx
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_20]
		push	ebx
		call	dword ptr [ebx+4]
		test	eax, eax
		jz	loc_949870
		cmp	word ptr [eax+48h], 0Dh
		jz	short loc_949A39
		lea	eax, [ebp+var_30]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		jmp	loc_949B86
; 

loc_949A32:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+32Dj
		mov	al, 1
		mov	[ebp+var_1], al
		jmp	short loc_9499D3
; 

loc_949A39:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+40Aj
		test	byte ptr [eax+2], 20h
		lea	ecx, [eax+4Ch]
		push	0Ah		; size_t
		jz	short loc_949A5D
		push	offset ??_C@_0O@OPFGLDE@ControlSet000@NNGAKEGL@	; char *
		push	ecx		; char *
		call	__strnicmp
		add	esp, 0Ch
		neg	eax
		sbb	al, al
		inc	al
		mov	[ebp+var_10], eax
		jmp	short loc_949A74 ; size_t
; 

loc_949A5D:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+429j
		push	offset ??_C@_1BM@DEAICIBD@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS?$AAe?$AAt?$AA0?$AA0?$AA0@NNGAKEGL@ ;	wchar_t	*
		push	ecx		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		neg	eax
		sbb	al, al
		inc	al
		mov	byte ptr [ebp+var_10], al

loc_949A74:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+442j
		lea	eax, [ebp+var_30]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		cmp	byte ptr [ebp+var_10], 0
		jz	loc_949B86
		and	[ebp+var_C], 0
		lea	esi, [ebp+var_E8]
		mov	eax, [ebp+var_C]
		push	2
		mov	[ebp+var_1C], esi
		pop	edx

loc_949A99:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+567j
		cmp	dword ptr [esi], 0FFFFFFFFh
		jz	loc_949B74
		cmp	dword ptr [esi-4], 0
		jz	short loc_949AB2
		cmp	dword ptr [esi+10h], 0FFFFFFFFh
		jz	loc_949B74

loc_949AB2:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+48Dj
		push	dword ptr [esi-8]
		mov	edx, [ebp+var_20]
		mov	ecx, ebx
		call	_CmpWalkPath@12	; CmpWalkPath(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	loc_949B6E
		cmp	dword ptr [esi-4], 0
		jnz	short loc_949AE2
		mov	edx, [esi]
		mov	ecx, edi
		push	1
		push	2
		push	eax
		push	ebx
		call	_CmpCopySyncTree@24 ; CmpCopySyncTree(x,x,x,x,x,x)
		jmp	loc_949B6E
; 

loc_949AE2:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+4B3j
		lea	ecx, [ebp+var_30]
		push	ecx
		push	eax
		push	ebx
		call	dword ptr [ebx+4]
		mov	[ebp+var_50], eax
		test	eax, eax
		jz	loc_949870
		push	dword ptr [esi-4]
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp+var_50]
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		add	edx, 24h
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_44]
		mov	[ebp+var_8], ecx
		push	eax
		mov	ecx, ebx
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		lea	eax, [ebp+var_30]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		cmp	[ebp+var_8], 0FFFFFFFFh
		jz	short loc_949B6E
		lea	eax, [ebp+var_64]
		push	eax
		push	[ebp+var_8]
		push	ebx
		call	dword ptr [ebx+4]
		test	eax, eax
		jz	loc_949870
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_8]
		shr	ecx, 1Fh
		push	ecx		; int
		push	dword ptr [esi+2Ch] ; size_t
		mov	ecx, [esi+14h]
		push	dword ptr [esi+20h] ; void *
		push	dword ptr [ecx+0Ch] ; int
		mov	ecx, ebx
		push	eax		; int
		call	CmpSetValueKeyExisting
		mov	esi, eax
		lea	eax, [ebp+var_64]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		test	esi, esi
		js	short loc_949BA3
		mov	esi, [ebp+var_1C]

loc_949B6E:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+4A9j
					; CmpPreserveSystemHiveData(x,x)+4C4j ...
		mov	eax, [ebp+var_C]
		push	2
		pop	edx

loc_949B74:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+483j
					; CmpPreserveSystemHiveData(x,x)+493j
		inc	eax
		add	esi, 3Ch
		mov	[ebp+var_C], eax
		mov	[ebp+var_1C], esi
		cmp	eax, edx
		jb	loc_949A99

loc_949B86:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+414j
					; CmpPreserveSystemHiveData(x,x)+467j
		mov	eax, [ebp+var_14]
		mov	edx, [ebp+var_18]
		inc	eax
		mov	[ebp+var_14], eax
		cmp	eax, [edx+14h]
		jb	loc_9499FF
		jmp	loc_9497F5
; 

loc_949B9E:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+129j
					; CmpPreserveSystemHiveData(x,x)+13Bj ...
		mov	esi, 0C000014Ch

loc_949BA3:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+1DEj
					; CmpPreserveSystemHiveData(x,x)+25Cj ...
		lea	ebx, [ebp+var_E0]

loc_949BA9:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+5CFj
		cmp	dword ptr [ebx-4], 0
		jz	short loc_949BB4
		push	ebx
		push	edi
		call	dword ptr [edi+8]

loc_949BB4:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+594j
		cmp	dword ptr [ebx+0Ch], 0
		jz	short loc_949BC2
		lea	eax, [ebx+10h]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_949BC2:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+59Fj
		mov	eax, [ebx+18h]
		test	eax, eax
		jz	short loc_949BE1
		cmp	byte ptr [ebx+28h], 0
		jz	short loc_949BD9
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_949BE1
; 

loc_949BD9:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+5B4j
		lea	eax, [ebx+1Ch]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_949BE1:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+5AEj
					; CmpPreserveSystemHiveData(x,x)+5BEj
		add	ebx, 3Ch
		sub	[ebp+var_34], 1
		jnz	short loc_949BA9
		cmp	[ebp+var_24], 0
		jz	short loc_949BF8
		lea	eax, [ebp+var_6C]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_949BF8:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+5D5j
		cmp	[ebp+var_18], 0
		jz	short loc_949C09
		lea	eax, [ebp+var_74]
		push	eax
		mov	eax, [ebp+var_54]
		push	eax
		call	dword ptr [eax+8]

loc_949C09:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+5E3j
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_949C18
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_949C18:				; CODE XREF: CmpPreserveSystemHiveData(x,x)+5F5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmpPreserveSystemHiveData@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSyncKeyValues(x,	x, x, x, x, x, x)
_CmpSyncKeyValues@28 proc near		; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+3E4p
					; CmpMergeKeyValues(x,x,x,x,x,x)+5Cp

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4C], ebx
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_28], edi
		mov	eax, ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	edx, edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_58], ecx
		mov	ecx, esi
		mov	[ebp+var_44], ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_54], ebx
		call	_CmpLockTwoSecurityCachesExclusiveShared@8 ; CmpLockTwoSecurityCachesExclusiveShared(x,x)
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_CmpFreeKeyValues@12 ; CmpFreeKeyValues(x,x,x)
		test	al, al
		jnz	short loc_949C93
		lea	ecx, [esi+484h]
		cmp	esi, edi
		jz	short loc_949C85
		xor	edx, edx
		call	ExReleasePushLockEx
		lea	ecx, [edi+484h]

loc_949C85:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+57j
		xor	edx, edx
		call	ExReleasePushLockEx
		xor	al, al
		jmp	loc_949F7E
; 

loc_949C93:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+4Dj
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		shr	ecx, 1Fh
		mov	[ebp+var_18], ecx
		cmp	[eax+4Ah], bx
		jbe	short loc_949CF5
		mov	edx, [eax+30h]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_949CF5
		push	ecx
		push	esi
		mov	ecx, edi
		call	_CmpCopyCell@16	; CmpCopyCell(x,x,x,x)
		mov	[ebp+var_10], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_949CE5
		lea	ecx, [esi+484h]
		xor	edx, edx
		call	ExReleasePushLockEx
		cmp	esi, edi
		jz	loc_949F7C
		lea	ecx, [edi+484h]
		xor	edx, edx
		call	ExReleasePushLockEx
		jmp	loc_949F7C
; 

loc_949CE5:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+9Dj
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_C]
		mov	ax, [edx+4Ah]
		mov	[ecx+4Ah], ax
		jmp	short loc_949CF7
; 

loc_949CF5:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+84j
					; CmpSyncKeyValues(x,x,x,x,x,x,x)+8Cj
		mov	edx, eax

loc_949CF7:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+D4j
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_10]
		mov	[eax+30h], ecx
		lea	eax, [ebp+var_C]
		mov	edx, [edx+2Ch]
		mov	ecx, edi
		push	eax
		call	_CmpFindSecurityCellCacheIndex@12 ; CmpFindSecurityCellCacheIndex(x,x,x)
		test	al, al
		jnz	short loc_949D35

loc_949D12:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+154j
					; CmpSyncKeyValues(x,x,x,x,x,x,x)+195j	...
		lea	ecx, [esi+484h]
		cmp	esi, edi
		jz	short loc_949D29
		xor	edx, edx
		call	ExReleasePushLockEx
		lea	ecx, [edi+484h]

loc_949D29:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+FBj
		xor	edx, edx
		call	ExReleasePushLockEx
		jmp	loc_949F6B
; 

loc_949D35:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+F1j
		mov	ecx, [edi+4CCh]
		mov	eax, [ebp+var_C]
		mov	eax, [ecx+eax*8+4]
		mov	ecx, [ebp+arg_C]
		add	eax, 18h
		lea	edx, [ecx+2Ch]
		mov	esi, [edx]
		or	dword ptr [edx], 0FFFFFFFFh
		push	edx		; int
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_C], edx
		mov	edx, [ebp+arg_8]
		mov	[ebp+var_4], esi
		mov	esi, [ebp+arg_4]
		push	ecx		; int
		mov	ecx, esi
		call	_CmpGetSecurityDescriptorNode@24 ; CmpGetSecurityDescriptorNode(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		test	eax, eax
		mov	eax, [ebp+var_C]
		jns	short loc_949D75
		mov	[eax], ecx
		jmp	short loc_949D12
; 

loc_949D75:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+150j
		mov	edx, [eax]
		mov	[eax], ecx
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_14], edx
		test	byte ptr [eax+2], 4
		jz	loc_949E62
		cmp	edx, ecx
		jz	loc_949E62
		or	[ebp+var_30], 0FFFFFFFFh
		lea	eax, [ebp+var_30]
		or	[ebp+var_38], 0FFFFFFFFh
		or	[ebp+var_40], 0FFFFFFFFh
		push	eax
		push	edx
		push	esi
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_3C], ebx
		call	dword ptr [esi+4]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_949D12
		lea	eax, [ebp+var_38]
		push	eax
		push	[ebp+var_4]
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	short loc_949DD9
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_949D12
; 

loc_949DD9:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+1ABj
		mov	eax, [eax+8]
		lea	ecx, [ebp+var_40]
		push	ecx
		push	eax
		push	esi
		mov	[ebp+arg_4], eax
		call	dword ptr [esi+4]
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_949E04
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		lea	eax, [ebp+var_38]

loc_949DFA:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+2B6j
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_949D12
; 

loc_949E04:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+1CEj
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	ebx
		push	ebx
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_949EC2
		mov	edx, [ebp+arg_4]
		mov	ecx, esi
		push	ebx
		push	ebx
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_949EC2
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+var_4]
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+8], eax
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+var_14]
		mov	[ecx+8], eax
		mov	ecx, [ebp+var_24]
		mov	[ecx+4], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		lea	eax, [ebp+var_40]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_949E62:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+164j
					; CmpSyncKeyValues(x,x,x,x,x,x,x)+16Cj
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_CmpFreeSecurityDescriptor@8 ; CmpFreeSecurityDescriptor(x,x)
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_14]
		mov	[eax], ecx
		lea	ecx, [esi+484h]
		cmp	esi, edi
		jz	short loc_949E8B
		xor	edx, edx
		call	ExReleasePushLockEx
		lea	ecx, [edi+484h]

loc_949E8B:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+25Dj
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_C]
		mov	eax, [edx+24h]
		or	dword ptr [ecx+28h], 0FFFFFFFFh
		mov	[ebp+arg_8], eax
		lea	eax, [ecx+24h]
		mov	[ebp+arg_4], eax
		mov	[eax], ebx
		mov	eax, [edx+3Ch]
		mov	[ecx+3Ch], eax
		mov	eax, [edx+40h]
		mov	[ecx+40h], eax
		cmp	[ebp+arg_8], ebx
		jnz	short loc_949EDA
		mov	bl, 1
		jmp	loc_949F7C
; 

loc_949EC2:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+1F3j
					; CmpSyncKeyValues(x,x,x,x,x,x,x)+207j
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		lea	eax, [ebp+var_40]
		jmp	loc_949DFA
; 

loc_949EDA:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+29Aj
		mov	eax, [edx+28h]
		lea	ecx, [ebp+var_50]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	short loc_949F6B
		mov	eax, ebx
		mov	[ebp+arg_0], ebx
		cmp	[ebp+arg_8], eax
		jbe	short loc_949F4C

loc_949EF9:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+32Bj
		push	[ebp+var_18]
		mov	edx, [ecx+eax*4]
		mov	ecx, edi
		push	esi
		call	_CmpCopyValue@16 ; CmpCopyValue(x,x,x,x)
		mov	[ebp+var_24], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_949FCE
		lea	ecx, [ebp+var_58]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_949FCE
		mov	edx, [ebp+var_24]
		mov	ecx, esi
		push	1
		push	[ebp+arg_4]
		push	[ebp+var_18]
		push	[ebp+arg_0]
		call	CmpAddValueToListEx
		test	eax, eax
		js	short loc_949F85
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_20]
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, [ebp+arg_8]
		jb	short loc_949EF9

loc_949F4C:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+2D8j
		mov	bl, 1

loc_949F4E:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+372j
					; CmpSyncKeyValues(x,x,x,x,x,x,x)+37Fj	...
		lea	eax, [ebp+var_50]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		test	bl, bl
		jnz	short loc_949F7C
		mov	eax, [ebp+var_8]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_949F6B
		mov	edx, eax
		mov	ecx, esi
		call	HvFreeCell

loc_949F6B:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+111j
					; CmpSyncKeyValues(x,x,x,x,x,x,x)+2CEj	...
		mov	eax, [ebp+var_10]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_949F7C
		mov	edx, eax
		mov	ecx, esi
		call	HvFreeCell

loc_949F7C:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+AEj
					; CmpSyncKeyValues(x,x,x,x,x,x,x)+C1j ...
		mov	al, bl

loc_949F7E:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+6Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_949F85:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+31Cj
		mov	eax, [ebp+arg_C]
		mov	eax, [eax+28h]
		mov	[ebp+var_8], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_949F4E
		lea	ecx, [ebp+var_48]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_949F4E
		cmp	[ebp+arg_0], ebx
		jbe	short loc_949FC4
		mov	edi, [ebp+arg_0]
		lea	ebx, [edi-1]
		lea	ebx, [eax+ebx*4]

loc_949FAE:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+39Ej
		mov	edx, [ebx]
		mov	ecx, esi
		call	HvFreeCell
		lea	ebx, [ebx-4]
		sub	edi, 1
		jnz	short loc_949FAE
		mov	edi, [ebp+var_28]
		xor	ebx, ebx

loc_949FC4:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+384j
		lea	eax, [ebp+var_48]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	short loc_949F4E
; 

loc_949FCE:				; CODE XREF: CmpSyncKeyValues(x,x,x,x,x,x,x)+2EEj
					; CmpSyncKeyValues(x,x,x,x,x,x,x)+2FFj
		mov	eax, [ebp+arg_C]
		mov	eax, [eax+28h]
		mov	[ebp+var_8], eax
		jmp	loc_949F4E
_CmpSyncKeyValues@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSyncSubKeysAfterDelete(x, x, x, x, x)
_CmpSyncSubKeysAfterDelete@20 proc near	; CODE XREF: CmpCopySyncTree2(x,x,x,x,x,x,x)+24Ep

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		mov	[ebp+var_C], edx
		or	[ebp+var_18], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, eax
		push	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_14], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax

loc_94A007:				; CODE XREF: CmpSyncSubKeysAfterDelete(x,x,x,x,x)+C1j
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		mov	ecx, esi
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_94A0B3
		cmp	[ebp+var_4], 0FFFFFFFFh
		jz	loc_94A0B3
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_4]
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	short loc_94A0A2
		push	[ebp+arg_8]
		lea	edx, [ebp+var_20]
		mov	ecx, edi
		call	_CmpInitializeKeyNameString@12 ; CmpInitializeKeyNameString(x,x,x)
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_10]
		and	[ebp+arg_0], 0
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	CmpFindSubKeyByNameWithStatus
		cmp	[ebp+arg_0], 0FFFFFFFFh
		jnz	short loc_94A08E
		mov	eax, [edi+18h]
		add	eax, [edi+14h]
		jz	short loc_94A077
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		call	_CmpDeleteTree@8 ; CmpDeleteTree(x,x)

loc_94A077:				; CODE XREF: CmpSyncSubKeysAfterDelete(x,x,x,x,x)+8Fj
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	1
		call	CmpFreeKeyByCell
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_94A0A7
		mov	ebx, [ebp+var_8]
		jmp	short loc_94A095
; 

loc_94A08E:				; CODE XREF: CmpSyncSubKeysAfterDelete(x,x,x,x,x)+87j
		mov	ebx, [ebp+var_8]
		inc	ebx
		mov	[ebp+var_8], ebx

loc_94A095:				; CODE XREF: CmpSyncSubKeysAfterDelete(x,x,x,x,x)+B0j
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_94A007
; 

loc_94A0A2:				; CODE XREF: CmpSyncSubKeysAfterDelete(x,x,x,x,x)+5Dj
		mov	ebx, 0C000009Ah

loc_94A0A7:				; CODE XREF: CmpSyncSubKeysAfterDelete(x,x,x,x,x)+ABj
		test	edi, edi
		jz	short loc_94A0B3
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94A0B3:				; CODE XREF: CmpSyncSubKeysAfterDelete(x,x,x,x,x)+3Ej
					; CmpSyncSubKeysAfterDelete(x,x,x,x,x)+48j ...
		shr	ebx, 1Fh
		pop	edi
		xor	bl, 1
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	0Ch
_CmpSyncSubKeysAfterDelete@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAddSubKey(x, x, x)
_CmpAddSubKey@12 proc near		; CODE XREF: CmpCreateTombstone(x,x)+191p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	0
		push	[ebp+arg_0]
		call	_CmpAddSubKeyEx@16 ; CmpAddSubKeyEx(x,x,x,x)
		pop	ecx
		pop	ebp
		retn	4
_CmpAddSubKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDuplicateIndex(x, x, x)
_CmpDuplicateIndex@12 proc near		; CODE XREF: CmRenameKey(x,x,x,x)+A9Ep
					; CmRenameKey(x,x,x,x)+AC3p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		or	[ebp+var_20], 0FFFFFFFFh
		mov	eax, edx
		or	[ebp+var_28], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_14], eax
		lea	ecx, [ebp+var_20]
		xor	ebx, ebx
		push	ecx
		push	eax
		push	esi
		mov	[ebp+var_1C], ebx
		mov	edi, ebx
		mov	[ebp+var_24], ebx
		call	dword ptr [esi+4]
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_94A113

loc_94A10B:				; CODE XREF: CmpDuplicateIndex(x,x,x)+68j
		or	eax, 0FFFFFFFFh
		jmp	loc_94A1CB
; 

loc_94A113:				; CODE XREF: CmpDuplicateIndex(x,x,x)+32j
		mov	edx, [ebp+var_14]
		mov	ecx, 6972h
		cmp	[eax], cx
		mov	ecx, esi
		jnz	loc_94A20A
		push	ebx
		push	[ebp+arg_0]
		call	HvDuplicateCell
		mov	[ebp+var_C], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_94A141

loc_94A137:				; CODE XREF: CmpDuplicateIndex(x,x,x)+12Ej
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	short loc_94A10B
; 

loc_94A141:				; CODE XREF: CmpDuplicateIndex(x,x,x)+5Ej
		lea	ecx, [ebp+var_28]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	loc_94A1FB
		mov	eax, [ebp+var_4]
		xor	edx, edx
		mov	dword ptr [edi], 6972h
		mov	[ebp+var_10], ebx
		lea	ecx, [eax+2]
		mov	[ebp+var_18], ecx
		cmp	dx, [ecx]
		jnb	short loc_94A1B2
		lea	ecx, [edi+4]
		sub	eax, edi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_4], eax

loc_94A17B:				; CODE XREF: CmpDuplicateIndex(x,x,x)+D9j
		mov	edx, [eax+ecx]
		mov	ecx, esi
		push	1
		push	[ebp+arg_0]
		call	HvDuplicateCell
		cmp	eax, 0FFFFFFFFh
		jz	short loc_94A1D2
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_10]
		mov	[ecx], eax
		add	ecx, 4
		mov	eax, [ebp+var_18]
		inc	word ptr [edi+2]
		inc	edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_14], ecx
		movzx	eax, word ptr [eax]
		cmp	edx, eax
		mov	eax, [ebp+var_4]
		jb	short loc_94A17B

loc_94A1B2:				; CODE XREF: CmpDuplicateIndex(x,x,x)+94j
		mov	ebx, [ebp+var_C]

loc_94A1B5:				; CODE XREF: CmpDuplicateIndex(x,x,x)+13Fj
		test	edi, edi
		jz	short loc_94A1C1
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94A1C1:				; CODE XREF: CmpDuplicateIndex(x,x,x)+E0j
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, ebx

loc_94A1CB:				; CODE XREF: CmpDuplicateIndex(x,x,x)+37j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_94A1D2:				; CODE XREF: CmpDuplicateIndex(x,x,x)+B6j
		xor	eax, eax
		cmp	ax, [edi+2]
		jnb	short loc_94A1F3

loc_94A1DA:				; CODE XREF: CmpDuplicateIndex(x,x,x)+11Aj
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		mov	edx, [edx]
		call	HvFreeCell
		movzx	eax, word ptr [edi+2]
		inc	ebx
		add	[ebp+var_8], 4
		cmp	ebx, eax
		jb	short loc_94A1DA

loc_94A1F3:				; CODE XREF: CmpDuplicateIndex(x,x,x)+101j
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94A1FB:				; CODE XREF: CmpDuplicateIndex(x,x,x)+77j
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	HvFreeCell
		jmp	loc_94A137
; 

loc_94A20A:				; CODE XREF: CmpDuplicateIndex(x,x,x)+49j
		push	1
		push	[ebp+arg_0]
		call	HvDuplicateCell
		mov	ebx, eax
		jmp	short loc_94A1B5
_CmpDuplicateIndex@12 endp


;  S U B	R O U T	I N E 


; __stdcall CmpFindCellInIndex(x, x)
_CmpFindCellInIndex@8 proc near		; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+D2p
					; CmpRemoveSubKeyCellNoCellRef(x,x,x)+149p ...
		mov	edi, edi
		push	ebx
		movzx	ebx, word ptr [ecx+2]
		xor	eax, eax
		push	esi
		xor	esi, esi
		cmp	ax, bx
		jnb	short loc_94A25A
		push	edi
		movzx	edi, word ptr [ecx]

loc_94A22D:				; CODE XREF: CmpFindCellInIndex(x,x)+3Fj
		mov	eax, 666Ch
		cmp	di, ax
		jz	short loc_94A24A
		mov	eax, 686Ch
		cmp	di, ax
		jz	short loc_94A24A
		movzx	eax, si
		cmp	[ecx+eax*4+4], edx
		jmp	short loc_94A251
; 

loc_94A24A:				; CODE XREF: CmpFindCellInIndex(x,x)+1Dj
					; CmpFindCellInIndex(x,x)+27j
		movzx	eax, si
		cmp	[ecx+eax*8+4], edx

loc_94A251:				; CODE XREF: CmpFindCellInIndex(x,x)+30j
		jz	short loc_94A259
		inc	esi
		cmp	si, bx
		jb	short loc_94A22D

loc_94A259:				; CODE XREF: CmpFindCellInIndex(x,x):loc_94A251j
		pop	edi

loc_94A25A:				; CODE XREF: CmpFindCellInIndex(x,x)+Fj
		mov	ax, si
		pop	esi
		pop	ebx
		retn
_CmpFindCellInIndex@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFreeIndexByCell(x, x)
_CmpFreeIndexByCell@8 proc near		; CODE XREF: CmRenameKey(x,x,x,x)+E52p
					; CmRenameKey(x,x,x,x)+E65p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		or	[ebp+var_10], 0FFFFFFFFh
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_8], eax
		lea	ecx, [ebp+var_10]
		xor	ebx, ebx
		push	ecx
		push	eax
		push	esi
		mov	[ebp+var_C], ebx
		call	dword ptr [esi+4]
		mov	edi, eax
		mov	eax, 6972h
		cmp	[edi], ax
		jnz	short loc_94A2B9
		xor	eax, eax
		cmp	ax, [edi+2]
		jnb	short loc_94A2B9
		lea	ecx, [edi+4]
		mov	[ebp+var_4], ecx

loc_94A29E:				; CODE XREF: CmpFreeIndexByCell(x,x)+57j
		mov	edx, [ecx]
		mov	ecx, esi
		call	HvFreeCell
		mov	ecx, [ebp+var_4]
		inc	ebx
		movzx	eax, word ptr [edi+2]
		add	ecx, 4
		mov	[ebp+var_4], ecx
		cmp	ebx, eax
		jb	short loc_94A29E

loc_94A2B9:				; CODE XREF: CmpFreeIndexByCell(x,x)+2Ej
					; CmpFreeIndexByCell(x,x)+36j
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	HvFreeCell
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpFreeIndexByCell@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetSubKeyCountForKeyNodeStack(x,	x)
_CmpGetSubKeyCountForKeyNodeStack@8 proc near
					; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+25Bp
					; CmpGetSubKeyCountForKcbStack(x,x,x)+48p

var_108		= dword	ptr -108h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0FCh		; size_t
		lea	eax, [esp+11Ch+var_108]
		mov	ebx, edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esp+118h+var_108]	; void *
		call	_CmpKeyEnumStackInitialize@4 ; CmpKeyEnumStackInitialize(x)
		movzx	edx, word ptr [esi]
		jmp	short loc_94A323
; 

loc_94A315:				; CODE XREF: CmpGetSubKeyCountForKeyNodeStack(x,x)+56j
		mov	ecx, esi
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		cmp	dword ptr [eax+8], 0
		jnz	short loc_94A355
		dec	edx

loc_94A323:				; CODE XREF: CmpGetSubKeyCountForKeyNodeStack(x,x)+43j
		test	dx, dx
		jg	short loc_94A315
		mov	eax, [esi+0Ch]
		mov	esi, [eax+18h]
		add	esi, [eax+14h]

loc_94A331:				; CODE XREF: CmpGetSubKeyCountForKeyNodeStack(x,x)+ABj
		mov	[ebx], esi
		xor	edi, edi

loc_94A335:				; CODE XREF: CmpGetSubKeyCountForKeyNodeStack(x,x)+96j
					; CmpGetSubKeyCountForKeyNodeStack(x,x)+AFj
		lea	ecx, [esp+118h+var_108]
		call	_CmpKeyEnumStackCleanup@4 ; CmpKeyEnumStackCleanup(x)
		mov	ecx, [esp+118h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_94A355:				; CODE XREF: CmpGetSubKeyCountForKeyNodeStack(x,x)+50j
		push	0
		mov	edx, esi
		lea	ecx, [esp+11Ch+var_108]
		call	_CmpKeyEnumStackStartFromKeyNodeStack@12 ; CmpKeyEnumStackStartFromKeyNodeStack(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_94A335
		xor	esi, esi

loc_94A36A:				; CODE XREF: CmpGetSubKeyCountForKeyNodeStack(x,x)+B2j
		lea	ecx, [esp+118h+var_108]
		call	_CmpKeyEnumStackAdvance@4 ; CmpKeyEnumStackAdvance(x)
		mov	edi, eax
		cmp	edi, 8000001Ah
		jz	short loc_94A331
		test	edi, edi
		js	short loc_94A335
		inc	esi
		jmp	short loc_94A36A
_CmpGetSubKeyCountForKeyNodeStack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpKeyEnumStackAdvance(x)
_CmpKeyEnumStackAdvance@4 proc near	; CODE XREF: CmpEnumerateLayeredKey+18CCCBp
					; CmpEnumerateLayeredKey+18CD51p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jmp	short loc_94A3F0
; 

loc_94A391:				; CODE XREF: CmpKeyEnumStackAdvance(x)+73j
		movzx	edx, word ptr [esi]
		jmp	short loc_94A3D0
; 

loc_94A396:				; CODE XREF: CmpKeyEnumStackAdvance(x)+4Fj
		lea	ecx, [esi+8]
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	ecx, esi
		mov	edi, eax
		call	CmpKeyEnumStackGetEntryAtLayerHeight
		mov	ecx, [edi+8]
		test	ecx, ecx
		jnz	short loc_94A3D7
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_94A3C9
		mov	eax, [eax]
		test	dword ptr [eax+64h], 80000h
		jz	short loc_94A3C9
		movzx	eax, byte ptr [ecx+0Dh]
		and	eax, 3
		jnz	short loc_94A3EE

loc_94A3C9:				; CODE XREF: CmpKeyEnumStackAdvance(x)+2Fj
					; CmpKeyEnumStackAdvance(x)+3Aj
		cmp	dx, [esi+2]
		jz	short loc_94A3EE
		dec	edx

loc_94A3D0:				; CODE XREF: CmpKeyEnumStackAdvance(x)+10j
		test	dx, dx
		jns	short loc_94A396
		jmp	short loc_94A3EE
; 

loc_94A3D7:				; CODE XREF: CmpKeyEnumStackAdvance(x)+28j
		mov	eax, [edi]
		test	dword ptr [eax+64h], 80000h
		jz	short loc_94A3FB
		movzx	eax, byte ptr [ecx+0Dh]
		and	eax, 3
		cmp	eax, 1
		jnz	short loc_94A3FB

loc_94A3EE:				; CODE XREF: CmpKeyEnumStackAdvance(x)+43j
					; CmpKeyEnumStackAdvance(x)+49j ...
		mov	ecx, esi

loc_94A3F0:				; CODE XREF: CmpKeyEnumStackAdvance(x)+Bj
		call	_CmpKeyEnumStackAdvanceInternal@4 ; CmpKeyEnumStackAdvanceInternal(x)
		test	eax, eax
		jns	short loc_94A391
		jmp	short loc_94A3FD
; 

loc_94A3FB:				; CODE XREF: CmpKeyEnumStackAdvance(x)+5Cj
					; CmpKeyEnumStackAdvance(x)+68j
		xor	eax, eax

loc_94A3FD:				; CODE XREF: CmpKeyEnumStackAdvance(x)+75j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpKeyEnumStackAdvance@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpKeyEnumStackAdvanceInternal(x)
_CmpKeyEnumStackAdvanceInternal@4 proc near
					; CODE XREF: CmpKeyEnumStackAdvance(x):loc_94A3F0p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	edi, edi
		cmp	byte ptr [ebx+4], 0
		jz	short loc_94A453
		xor	eax, eax
		mov	esi, edi
		cmp	ax, [ebx]
		jg	short loc_94A453
		lea	eax, [ebx+8]

loc_94A423:				; CODE XREF: CmpKeyEnumStackAdvanceInternal(x)+4Fj
		mov	edx, esi
		mov	ecx, eax
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	[ebp+var_8], eax
		cmp	[eax+8], edi
		jz	short loc_94A44A
		mov	ecx, ebx
		call	CmpKeyEnumStackGetEntryAtLayerHeight
		mov	ecx, eax
		call	_CmpKeyEnumStackEntryAdvance@4 ; CmpKeyEnumStackEntryAdvance(x)
		mov	ecx, [ebp+var_8]
		call	_CmpKeyNodeStackEntryReset@4 ; CmpKeyNodeStackEntryReset(x)

loc_94A44A:				; CODE XREF: CmpKeyEnumStackAdvanceInternal(x)+30j
		inc	esi
		lea	eax, [ebx+8]
		cmp	si, [ebx]
		jle	short loc_94A423

loc_94A453:				; CODE XREF: CmpKeyEnumStackAdvanceInternal(x)+13j
					; CmpKeyEnumStackAdvanceInternal(x)+1Cj
		movzx	esi, word ptr [ebx]
		or	[ebp+var_4], 0FFFFFFFFh
		mov	byte ptr [ebx+4], 1
		test	si, si
		js	loc_94A50A

loc_94A467:				; CODE XREF: CmpKeyEnumStackAdvanceInternal(x)+9Dj
		mov	edx, esi
		mov	ecx, ebx
		call	CmpKeyEnumStackGetEntryAtLayerHeight
		mov	eax, [eax+5Ch]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_94A498
		test	edi, edi
		jz	short loc_94A48E
		mov	edx, edi
		mov	ecx, eax
		call	_CmpCompareKeysByName@8	; CmpCompareKeysByName(x,x)
		test	eax, eax
		jns	short loc_94A498
		mov	eax, [ebp+var_8]

loc_94A48E:				; CODE XREF: CmpKeyEnumStackAdvanceInternal(x)+7Aj
		mov	edi, eax
		movzx	eax, si
		mov	[ebp+var_4], eax
		jmp	short loc_94A49B
; 

loc_94A498:				; CODE XREF: CmpKeyEnumStackAdvanceInternal(x)+76j
					; CmpKeyEnumStackAdvanceInternal(x)+87j
		mov	eax, [ebp+var_4]

loc_94A49B:				; CODE XREF: CmpKeyEnumStackAdvanceInternal(x)+94j
		dec	esi
		test	si, si
		jns	short loc_94A467
		mov	[ebp+var_4], edi
		test	edi, edi
		jz	short loc_94A50A
		movzx	esi, ax
		test	ax, ax
		jmp	short loc_94A501
; 

loc_94A4B0:				; CODE XREF: CmpKeyEnumStackAdvanceInternal(x)+102j
		mov	edx, esi
		mov	ecx, ebx
		call	CmpKeyEnumStackGetEntryAtLayerHeight
		mov	[ebp+var_C], eax
		mov	ecx, [eax+5Ch]
		test	ecx, ecx
		jz	short loc_94A4FD
		cmp	ecx, edi
		jz	short loc_94A4D2
		mov	edx, edi
		call	_CmpCompareKeysByName@8	; CmpCompareKeysByName(x,x)
		test	eax, eax
		jnz	short loc_94A4FD

loc_94A4D2:				; CODE XREF: CmpKeyEnumStackAdvanceInternal(x)+C3j
		lea	ecx, [ebx+8]
		mov	edx, esi
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	esi, [ebp+var_C]
		mov	edi, eax
		mov	edx, [esi+58h]
		lea	ecx, [edi+0Ch]
		mov	esi, [esi]
		push	ecx
		push	edx
		push	esi
		mov	[edi], esi
		mov	[edi+4], edx
		call	dword ptr [esi+4]
		mov	esi, [ebp+var_8]
		mov	[edi+8], eax
		mov	edi, [ebp+var_4]

loc_94A4FD:				; CODE XREF: CmpKeyEnumStackAdvanceInternal(x)+BFj
					; CmpKeyEnumStackAdvanceInternal(x)+CEj
		dec	esi
		test	si, si

loc_94A501:				; CODE XREF: CmpKeyEnumStackAdvanceInternal(x)+ACj
		mov	[ebp+var_8], esi
		jns	short loc_94A4B0
		xor	eax, eax
		jmp	short loc_94A50F
; 

loc_94A50A:				; CODE XREF: CmpKeyEnumStackAdvanceInternal(x)+5Fj
					; CmpKeyEnumStackAdvanceInternal(x)+A4j
		mov	eax, 8000001Ah

loc_94A50F:				; CODE XREF: CmpKeyEnumStackAdvanceInternal(x)+106j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpKeyEnumStackAdvanceInternal@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpKeyEnumStackBeginEnumerationForKeyNodeStack(x, x, x)
_CmpKeyEnumStackBeginEnumerationForKeyNodeStack@12 proc	near
					; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+35p
					; CmpKeyEnumStackStartFromKeyNodeStack(x,x,x)+1Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		push	esi
		push	edi
		mov	[ebp+var_C], eax
		movzx	edx, word ptr [ebx]
		test	dx, dx
		js	short loc_94A5A4

loc_94A52E:				; CODE XREF: CmpKeyEnumStackBeginEnumerationForKeyNodeStack(x,x,x)+8Ej
		movzx	ecx, dx
		mov	[ebp+var_8], ecx
		mov	ecx, eax
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	ecx, ebx
		mov	edi, eax
		call	CmpKeyEnumStackGetEntryAtLayerHeight
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_94A55B
		movsx	ecx, dx
		lea	edx, [eax+8]
		imul	ecx, 18h
		add	edx, ecx
		jmp	short loc_94A55D
; 

loc_94A55B:				; CODE XREF: CmpKeyEnumStackBeginEnumerationForKeyNodeStack(x,x,x)+38j
		xor	edx, edx

loc_94A55D:				; CODE XREF: CmpKeyEnumStackBeginEnumerationForKeyNodeStack(x,x,x)+45j
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	short loc_94A593
		mov	eax, [edi]
		test	dword ptr [eax+64h], 80000h
		jnz	short loc_94A573
		xor	esi, esi
		jmp	short loc_94A57F
; 

loc_94A573:				; CODE XREF: CmpKeyEnumStackBeginEnumerationForKeyNodeStack(x,x,x)+59j
		movzx	esi, byte ptr [ecx+0Dh]
		and	esi, 3
		cmp	esi, 1
		jz	short loc_94A5A4

loc_94A57F:				; CODE XREF: CmpKeyEnumStackBeginEnumerationForKeyNodeStack(x,x,x)+5Dj
		mov	ecx, [ebp+var_4]
		push	edx
		mov	edx, edi
		call	_CmpKeyEnumStackEntryBegin@12 ;	CmpKeyEnumStackEntryBegin(x,x,x)
		test	esi, esi
		jz	short loc_94A593
		cmp	esi, 2
		jnz	short loc_94A5A4

loc_94A593:				; CODE XREF: CmpKeyEnumStackBeginEnumerationForKeyNodeStack(x,x,x)+4Ej
					; CmpKeyEnumStackBeginEnumerationForKeyNodeStack(x,x,x)+78j
		mov	eax, [ebp+var_8]
		dec	eax
		movzx	eax, ax
		mov	edx, eax
		test	ax, ax
		mov	eax, [ebp+var_C]
		jns	short loc_94A52E

loc_94A5A4:				; CODE XREF: CmpKeyEnumStackBeginEnumerationForKeyNodeStack(x,x,x)+18j
					; CmpKeyEnumStackBeginEnumerationForKeyNodeStack(x,x,x)+69j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpKeyEnumStackBeginEnumerationForKeyNodeStack@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpKeyEnumStackCreateResumeContext(x, x, x,	x, x)
_CmpKeyEnumStackCreateResumeContext@20 proc near ; CODE	XREF: CmpEnumerateLayeredKey+18CD1Cp
					; CmpEnumerateLayeredKey+18CD8Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ecx
		mov	[ebp+var_10], edx
		push	ebx
		push	esi
		mov	[ebp+var_4], eax
		xor	ecx, ecx
		movzx	ebx, word ptr [eax+2]
		inc	ecx
		push	edi
		movsx	eax, bx
		imul	edi, eax, 18h
		mov	[ebp+var_8], ebx
		add	edi, 20h
		cmp	[ebp+arg_4], 0
		mov	edx, edi
		jz	short loc_94A5EA
		push	36374D43h
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], esi
		jmp	short loc_94A5F9
; 

loc_94A5EA:				; CODE XREF: CmpKeyEnumStackCreateResumeContext(x,x,x,x,x)+2Cj
		push	37374D43h
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], eax

loc_94A5F9:				; CODE XREF: CmpKeyEnumStackCreateResumeContext(x,x,x,x,x)+3Dj
		test	esi, esi
		jnz	short loc_94A607
		mov	edi, 0C000009Ah
		jmp	loc_94A6B1
; 

loc_94A607:				; CODE XREF: CmpKeyEnumStackCreateResumeContext(x,x,x,x,x)+50j
		push	edi		; size_t
		xor	edi, edi
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[esi+4], eax
		mov	al, [ebp+arg_4]
		mov	[esi+2], al
		xor	eax, eax
		mov	[esi], bx
		mov	ebx, edi
		cmp	ax, word ptr [ebp+var_8]
		jg	short loc_94A6AC
		lea	eax, [esi+14h]
		push	0FFFFFFF8h
		mov	dword ptr [ebp+arg_4], eax
		pop	esi

loc_94A636:				; CODE XREF: CmpKeyEnumStackCreateResumeContext(x,x,x,x,x)+FAj
		mov	ecx, [ebp+var_10]
		mov	edx, ebx
		call	CmpKeyEnumStackGetEntryAtLayerHeight
		mov	edi, eax
		push	2
		pop	eax
		cmp	bx, ax
		mov	eax, [ebp+var_4]
		jl	short loc_94A655
		mov	ecx, [eax+0Ch]
		mov	eax, [esi+ecx]
		jmp	short loc_94A659
; 

loc_94A655:				; CODE XREF: CmpKeyEnumStackCreateResumeContext(x,x,x,x,x)+A0j
		mov	eax, [esi+eax+0Ch]

loc_94A659:				; CODE XREF: CmpKeyEnumStackCreateResumeContext(x,x,x,x,x)+A8j
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		call	CmpReferenceKeyControlBlockUnsafe
		mov	ecx, dword ptr [ebp+arg_4]
		add	edi, 10h
		mov	edx, [ebp+arg_0]
		push	2
		mov	[ecx-4], edx
		mov	eax, [edx+0A8h]
		mov	[ecx-0Ch], eax
		mov	eax, [edx+0ACh]
		mov	edx, ecx
		mov	[ecx-8], eax
		pop	eax
		mov	ecx, eax

loc_94A688:				; CODE XREF: CmpKeyEnumStackCreateResumeContext(x,x,x,x,x)+EAj
		mov	eax, [edi]
		lea	edi, [edi+4]
		mov	[edx], eax
		lea	edx, [edx+4]
		sub	ecx, 1
		jnz	short loc_94A688
		add	dword ptr [ebp+arg_4], 18h
		inc	ebx
		mov	edi, [ebp+var_8]
		add	esi, 4
		cmp	bx, di
		jle	short loc_94A636
		mov	esi, [ebp+var_C]
		xor	edi, edi

loc_94A6AC:				; CODE XREF: CmpKeyEnumStackCreateResumeContext(x,x,x,x,x)+80j
		mov	ecx, [ebp+arg_8]
		mov	[ecx], esi

loc_94A6B1:				; CODE XREF: CmpKeyEnumStackCreateResumeContext(x,x,x,x,x)+57j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_CmpKeyEnumStackCreateResumeContext@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpKeyEnumStackEntryAdvance(x)
_CmpKeyEnumStackEntryAdvance@4 proc near ; CODE	XREF: CmpKeyEnumStackAdvanceInternal(x)+3Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		push	2
		pop	ecx
		mov	[ebp+var_4], ecx
		mov	edx, [esi+5Ch]
		lea	eax, [esi+40h]

loc_94A6D3:				; CODE XREF: CmpKeyEnumStackEntryAdvance(x)+23j
		cmp	[eax], edx
		jz	short loc_94A6E1
		inc	edi
		add	eax, 4
		cmp	edi, ecx
		jl	short loc_94A6D3
		jmp	short loc_94A726
; 

loc_94A6E1:				; CODE XREF: CmpKeyEnumStackEntryAdvance(x)+1Bj
		mov	eax, [esi]
		lea	ebx, [esi+48h]
		lea	ebx, [ebx+edi*8]
		push	ebx
		push	eax
		call	dword ptr [eax+8]
		mov	eax, [esi+edi*4+10h]
		and	dword ptr [esi+edi*4+40h], 0
		or	dword ptr [esi+edi*4+38h], 0FFFFFFFFh
		inc	eax
		mov	[esi+edi*4+10h], eax
		cmp	eax, [esi+edi*4+18h]
		jnb	short loc_94A723
		mov	edx, [esi+edi*4+20h]
		mov	ecx, [esi]
		push	eax
		call	CmpDoFindSubKeyByNumber
		push	ebx
		mov	[esi+edi*4+38h], eax
		mov	ecx, [esi]
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	[esi+edi*4+40h], eax

loc_94A723:				; CODE XREF: CmpKeyEnumStackEntryAdvance(x)+4Bj
		push	2
		pop	ecx

loc_94A726:				; CODE XREF: CmpKeyEnumStackEntryAdvance(x)+25j
		and	dword ptr [esi+5Ch], 0
		lea	edi, [esi+38h]
		or	dword ptr [esi+58h], 0FFFFFFFFh

loc_94A731:				; CODE XREF: CmpKeyEnumStackEntryAdvance(x)+A4j
		mov	ebx, [edi+8]
		test	ebx, ebx
		jz	short loc_94A755
		mov	edx, [esi+5Ch]
		test	edx, edx
		jz	short loc_94A74A
		mov	ecx, ebx
		call	_CmpCompareKeysByName@8	; CmpCompareKeysByName(x,x)
		test	eax, eax
		jns	short loc_94A752

loc_94A74A:				; CODE XREF: CmpKeyEnumStackEntryAdvance(x)+83j
		mov	[esi+5Ch], ebx
		mov	eax, [edi]
		mov	[esi+58h], eax

loc_94A752:				; CODE XREF: CmpKeyEnumStackEntryAdvance(x)+8Ej
		mov	ecx, [ebp+var_4]

loc_94A755:				; CODE XREF: CmpKeyEnumStackEntryAdvance(x)+7Cj
		add	edi, 4
		sub	ecx, 1
		mov	[ebp+var_4], ecx
		jnz	short loc_94A731
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpKeyEnumStackEntryAdvance@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpKeyEnumStackEntryBegin(x, x, x)
_CmpKeyEnumStackEntryBegin@12 proc near	; CODE XREF: CmpKeyEnumStackBeginEnumerationForKeyNodeStack(x,x,x)+71p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [edx]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[edi], eax
		lea	eax, [edi+8]
		mov	esi, [edx+4]
		mov	edx, [edx]
		push	eax
		push	esi
		push	edx
		call	dword ptr [edx+4]
		push	4
		mov	[edi+4], eax
		lea	ebx, [edi+48h]
		pop	eax
		push	0Ch
		sub	eax, edi
		mov	[ebp+var_4], 2
		pop	ecx
		sub	ecx, edi
		mov	[ebp+var_10], eax
		lea	esi, [edi+10h]
		mov	[ebp+var_8], ecx

loc_94A7A4:				; CODE XREF: CmpKeyEnumStackEntryBegin(x,x,x)+C0j
		lea	ecx, [eax+esi]
		mov	eax, [edi+4]
		mov	edx, [ecx+eax]
		mov	eax, [ebp+arg_0]
		mov	[esi+8], edx
		test	eax, eax
		jz	short loc_94A7BD
		mov	eax, [ecx+eax-8]
		jmp	short loc_94A7BF
; 

loc_94A7BD:				; CODE XREF: CmpKeyEnumStackEntryBegin(x,x,x)+50j
		xor	eax, eax

loc_94A7BF:				; CODE XREF: CmpKeyEnumStackEntryBegin(x,x,x)+56j
		mov	[esi], eax
		cmp	edx, eax
		jbe	short loc_94A818
		mov	ecx, [ebp+var_8]
		mov	eax, [edi+4]
		add	ecx, esi
		mov	edx, [edi]
		mov	ecx, [ecx+eax]
		lea	eax, [ebx-20h]
		push	eax
		push	ecx
		push	edx
		call	dword ptr [edx+4]
		push	dword ptr [esi]
		mov	[esi+10h], eax
		mov	edx, eax
		mov	ecx, [edi]
		call	CmpDoFindSubKeyByNumber
		push	ebx
		mov	[esi+28h], eax
		mov	ecx, [edi]
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	[esi+30h], eax
		mov	edx, [edi+5Ch]
		mov	[ebp+var_C], eax
		test	edx, edx
		jz	short loc_94A80F
		mov	ecx, eax
		call	_CmpCompareKeysByName@8	; CmpCompareKeysByName(x,x)
		test	eax, eax
		jns	short loc_94A818
		mov	eax, [ebp+var_C]

loc_94A80F:				; CODE XREF: CmpKeyEnumStackEntryBegin(x,x,x)+9Aj
		mov	[edi+5Ch], eax
		mov	eax, [esi+28h]
		mov	[edi+58h], eax

loc_94A818:				; CODE XREF: CmpKeyEnumStackEntryBegin(x,x,x)+5Ej
					; CmpKeyEnumStackEntryBegin(x,x,x)+A5j
		mov	eax, [ebp+var_10]
		add	esi, 4
		add	ebx, 8
		sub	[ebp+var_4], 1
		jnz	loc_94A7A4
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpKeyEnumStackEntryBegin@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpKeyEnumStackEntryNotifyPromotion(x)
_CmpKeyEnumStackEntryNotifyPromotion@4 proc near
					; CODE XREF: CmpKeyEnumStackNotifyPromotion(x)+13p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	edx, edx
		push	2
		pop	ebx
		mov	ecx, [edi+4]
		lea	esi, [edi+18h]
		add	ecx, 14h

loc_94A84B:				; CODE XREF: CmpKeyEnumStackEntryNotifyPromotion(x)+28j
		mov	eax, [esi]
		cmp	eax, [ecx]
		jnz	short loc_94A85E
		inc	edx
		add	ecx, 4
		add	esi, 4
		cmp	edx, ebx
		jl	short loc_94A84B
		jmp	short loc_94A860
; 

loc_94A85E:				; CODE XREF: CmpKeyEnumStackEntryNotifyPromotion(x)+1Dj
		mov	ebx, edx

loc_94A860:				; CODE XREF: CmpKeyEnumStackEntryNotifyPromotion(x)+2Aj
		and	dword ptr [edi+5Ch], 0
		mov	esi, ebx
		or	dword ptr [edi+58h], 0FFFFFFFFh
		shl	esi, 3
		cmp	dword ptr [edi+ebx*4+40h], 0
		jz	short loc_94A88A
		mov	ecx, [edi]
		lea	eax, [edi+48h]
		add	eax, esi
		push	eax
		push	ecx
		call	dword ptr [ecx+8]
		and	dword ptr [edi+ebx*4+40h], 0
		or	dword ptr [edi+ebx*4+38h], 0FFFFFFFFh

loc_94A88A:				; CODE XREF: CmpKeyEnumStackEntryNotifyPromotion(x)+40j
		add	esi, edi
		cmp	dword ptr [edi+ebx*4+20h], 0
		mov	[ebp+var_4], esi
		jz	short loc_94A8A7
		mov	ecx, [edi]
		lea	eax, [esi+28h]
		push	eax
		push	ecx
		call	dword ptr [ecx+8]
		and	dword ptr [edi+ebx*4+20h], 0
		jmp	short loc_94A8AA
; 

loc_94A8A7:				; CODE XREF: CmpKeyEnumStackEntryNotifyPromotion(x)+62j
		mov	[ebp+var_4], esi

loc_94A8AA:				; CODE XREF: CmpKeyEnumStackEntryNotifyPromotion(x)+73j
		mov	ecx, [edi+4]
		mov	eax, [ecx+ebx*4+14h]
		mov	[edi+ebx*4+18h], eax
		lea	eax, [esi+28h]
		mov	ecx, [ecx+ebx*4+1Ch]
		mov	edx, [edi]
		push	eax
		push	ecx
		push	edx
		call	dword ptr [edx+4]
		push	dword ptr [edi+ebx*4+10h]
		mov	[edi+ebx*4+20h], eax
		mov	edx, eax
		mov	ecx, [edi]
		call	CmpDoFindSubKeyByNumber
		mov	ecx, [ebp+var_4]
		mov	esi, eax
		add	ecx, 48h
		mov	[edi+ebx*4+38h], esi
		mov	edx, [edi]
		push	ecx
		push	esi
		push	edx
		call	dword ptr [edx+4]
		mov	[edi+ebx*4+40h], eax
		mov	[edi+58h], esi
		mov	[edi+5Ch], eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpKeyEnumStackEntryNotifyPromotion@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpKeyEnumStackFreeResumeContext(x,	x, x)
_CmpKeyEnumStackFreeResumeContext@12 proc near ; CODE XREF: CmpEnumerateLayeredKey+18CDEEp
					; CmpEnumerateLayeredKey+18CE02p ...

var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_8], esi
		movzx	eax, word ptr [esi]
		cmp	cx, ax
		jg	short loc_94A941
		push	ebx
		push	edi
		inc	eax
		lea	edi, [esi+10h]
		movzx	ebx, ax
		mov	esi, edx

loc_94A91A:				; CODE XREF: CmpKeyEnumStackFreeResumeContext(x,x,x)+42j
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_94A934
		cmp	[ebp+arg_0], 0
		jnz	short loc_94A92D
		call	_CmpDereferenceKeyControlBlock@4 ; CmpDereferenceKeyControlBlock(x)
		jmp	short loc_94A934
; 

loc_94A92D:				; CODE XREF: CmpKeyEnumStackFreeResumeContext(x,x,x)+2Cj
		mov	edx, esi
		call	_CmpDelayDerefKeyControlBlock@8	; CmpDelayDerefKeyControlBlock(x,x)

loc_94A934:				; CODE XREF: CmpKeyEnumStackFreeResumeContext(x,x,x)+26j
					; CmpKeyEnumStackFreeResumeContext(x,x,x)+33j
		add	edi, 18h
		sub	ebx, 1
		jnz	short loc_94A91A
		mov	esi, [ebp+var_8]
		pop	edi
		pop	ebx

loc_94A941:				; CODE XREF: CmpKeyEnumStackFreeResumeContext(x,x,x)+15j
		cmp	byte ptr [esi+2], 0
		mov	ecx, esi
		jz	short loc_94A950
		call	_CmpFreePool@4	; CmpFreePool(x)
		jmp	short loc_94A955
; 

loc_94A950:				; CODE XREF: CmpKeyEnumStackFreeResumeContext(x,x,x)+4Fj
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_94A955:				; CODE XREF: CmpKeyEnumStackFreeResumeContext(x,x,x)+56j
		pop	esi
		leave
		retn	4
_CmpKeyEnumStackFreeResumeContext@12 endp


;  S U B	R O U T	I N E 


; __stdcall CmpKeyEnumStackNotifyPromotion(x)
_CmpKeyEnumStackNotifyPromotion@4 proc near ; CODE XREF: CmpPartialPromoteSubkeys(x)+192p
					; CmpPromoteSubtree(x,x,x)+12Dp
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	dx, [esi]
		call	CmpKeyEnumStackGetEntryAtLayerHeight
		mov	edi, eax
		mov	ecx, edi
		call	_CmpKeyEnumStackEntryNotifyPromotion@4 ; CmpKeyEnumStackEntryNotifyPromotion(x)
		mov	dx, [esi]
		lea	ecx, [esi+8]
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	esi, eax
		cmp	dword ptr [esi+4], 0FFFFFFFFh
		jnz	short loc_94A9A2
		mov	ecx, esi
		call	_CmpKeyNodeStackEntryReset@4 ; CmpKeyNodeStackEntryReset(x)
		mov	ecx, [edi+58h]
		lea	eax, [esi+0Ch]
		mov	edx, [edi]
		push	eax
		push	ecx
		push	edx
		mov	[esi], edx
		mov	[esi+4], ecx
		call	dword ptr [edx+4]
		mov	[esi+8], eax

loc_94A9A2:				; CODE XREF: CmpKeyEnumStackNotifyPromotion(x)+29j
		pop	edi
		pop	esi
		pop	ecx
		retn
_CmpKeyEnumStackNotifyPromotion@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpKeyEnumStackReset(x)
_CmpKeyEnumStackReset@4	proc near	; CODE XREF: CmpSubtreeEnumeratorAdvance(x)+4Fp
					; CmpSubtreeEnumeratorReset(x)+16p
		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		lea	ecx, [edi+8]
		mov	[edi+4], bl
		call	_CmpResetKeyNodeStack@4	; CmpResetKeyNodeStack(x)
		xor	eax, eax
		cmp	ax, [edi]
		jg	short loc_94A9E1
		push	esi

loc_94A9C1:				; CODE XREF: CmpKeyEnumStackReset(x)+38j
		mov	edx, ebx
		mov	ecx, edi
		call	CmpKeyEnumStackGetEntryAtLayerHeight
		mov	esi, eax
		mov	ecx, esi
		call	CmpKeyEnumStackEntryCleanup
		mov	ecx, esi	; void *
		call	_CmpKeyEnumStackEntryInitialize@4 ; CmpKeyEnumStackEntryInitialize(x)
		inc	ebx
		cmp	bx, [edi]
		jle	short loc_94A9C1
		pop	esi

loc_94A9E1:				; CODE XREF: CmpKeyEnumStackReset(x)+18j
		pop	edi
		pop	ebx
		retn
_CmpKeyEnumStackReset@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpKeyEnumStackStart(x, x)
_CmpKeyEnumStackStart@8	proc near	; CODE XREF: CmpSubtreeEnumeratorStart(x,x)+99p
					; CmpKeyEnumStackStartFromKeyNodeStack(x,x,x)+Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], esi
		push	edi
		mov	edi, ecx
		cmp	si, 2
		jl	short loc_94AA4F
		lea	eax, [esi-1]
		xor	ecx, ecx
		movzx	ebx, ax
		inc	ecx
		movsx	eax, bx
		imul	edx, eax, 60h
		push	38364D43h
		mov	[ebp+var_4], ebx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	[edi+0F8h], eax
		test	eax, eax
		jnz	short loc_94AA28
		mov	eax, 0C000009Ah
		jmp	short loc_94AA5C
; 

loc_94AA28:				; CODE XREF: CmpKeyEnumStackStart(x,x)+3Bj
		xor	eax, eax
		cmp	ax, bx
		jge	short loc_94AA4F
		mov	eax, [ebp+var_4]
		xor	ebx, ebx
		movzx	esi, ax

loc_94AA37:				; CODE XREF: CmpKeyEnumStackStart(x,x)+66j
		mov	ecx, [edi+0F8h]
		add	ecx, ebx	; void *
		call	_CmpKeyEnumStackEntryInitialize@4 ; CmpKeyEnumStackEntryInitialize(x)
		add	ebx, 60h
		sub	esi, 1
		jnz	short loc_94AA37
		mov	esi, [ebp+var_8]

loc_94AA4F:				; CODE XREF: CmpKeyEnumStackStart(x,x)+15j
					; CmpKeyEnumStackStart(x,x)+49j
		lea	ecx, [edi+8]
		mov	[edi], si
		mov	edx, esi
		call	_CmpStartKeyNodeStack@8	; CmpStartKeyNodeStack(x,x)

loc_94AA5C:				; CODE XREF: CmpKeyEnumStackStart(x,x)+42j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpKeyEnumStackStart@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpKeyEnumStackStartFromKeyNodeStack(x, x, x)
_CmpKeyEnumStackStartFromKeyNodeStack@12 proc near
					; CODE XREF: CmpKeyEnumStackStartFromKcbStack(x,x,x,x)+5Bp
					; CmpGetSubKeyCountForKeyNodeStack(x,x)+8Dp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	dx, [esi]
		call	_CmpKeyEnumStackStart@8	; CmpKeyEnumStackStart(x,x)
		test	eax, eax
		js	short loc_94AA87
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, edi
		call	_CmpKeyEnumStackBeginEnumerationForKeyNodeStack@12 ; CmpKeyEnumStackBeginEnumerationForKeyNodeStack(x,x,x)
		xor	eax, eax

loc_94AA87:				; CODE XREF: CmpKeyEnumStackStartFromKeyNodeStack(x,x,x)+16j
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
_CmpKeyEnumStackStartFromKeyNodeStack@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpKeyEnumStackVerifyResumeContext(x, x)
_CmpKeyEnumStackVerifyResumeContext@8 proc near	; CODE XREF: CmpEnumerateLayeredKey+18CC6Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], eax
		xor	edx, edx
		movzx	ecx, word ptr [ebx+2]
		mov	[ebp+var_8], ecx
		push	edi
		mov	edi, esi
		cmp	dx, cx
		jg	short loc_94AB04

loc_94AAB1:				; CODE XREF: CmpKeyEnumStackVerifyResumeContext(x,x)+6Dj
		movsx	edx, di
		cmp	di, 2
		jl	short loc_94AAC6
		mov	eax, [ebx+0Ch]
		mov	ecx, [eax+edx*4-8]
		mov	eax, [ebp+var_4]
		jmp	short loc_94AACA
; 

loc_94AAC6:				; CODE XREF: CmpKeyEnumStackVerifyResumeContext(x,x)+2Aj
		mov	ecx, [ebx+edx*4+4]

loc_94AACA:				; CODE XREF: CmpKeyEnumStackVerifyResumeContext(x,x)+36j
		imul	edx, 18h
		cmp	ecx, [edx+eax+10h]
		jnz	short loc_94AAFF
		mov	esi, [ebp+var_4]
		mov	eax, [ecx+0A8h]
		push	0
		cmp	eax, [edx+esi+8]
		pop	esi
		jnz	short loc_94AAFF
		mov	eax, [ecx+0ACh]
		mov	ecx, [ebp+var_4]
		cmp	eax, [edx+ecx+0Ch]
		jnz	short loc_94AAFF
		inc	edi
		mov	eax, ecx
		cmp	di, word ptr [ebp+var_8]
		jle	short loc_94AAB1
		jmp	short loc_94AB04
; 

loc_94AAFF:				; CODE XREF: CmpKeyEnumStackVerifyResumeContext(x,x)+43j
					; CmpKeyEnumStackVerifyResumeContext(x,x)+55j ...
		mov	esi, 0C0000059h

loc_94AB04:				; CODE XREF: CmpKeyEnumStackVerifyResumeContext(x,x)+21j
					; CmpKeyEnumStackVerifyResumeContext(x,x)+6Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmpKeyEnumStackVerifyResumeContext@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpMarkAllChildrenDirty(x, x)
_CmpMarkAllChildrenDirty@8 proc	near	; CODE XREF: CmRenameKey(x,x,x,x)+8DBp
					; CmpLightWeightPrepareRenameKeyUoW(x)+1C9p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		or	[ebp+var_14], 0FFFFFFFFh
		lea	eax, [ebp+var_14]
		push	ebx
		push	esi
		push	edi
		push	eax
		mov	esi, ecx
		xor	ebx, ebx
		push	edx
		push	esi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_4], ebx
		call	dword ptr [esi+4]
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	short loc_94AB7D
		mov	eax, [ecx+18h]
		mov	edi, ebx
		add	eax, [ecx+14h]
		mov	[ebp+var_8], eax
		jz	short loc_94AB73

loc_94AB43:				; CODE XREF: CmpMarkAllChildrenDirty(x,x)+66j
		lea	eax, [ebp+var_4]
		mov	edx, ecx
		push	eax
		push	edi
		mov	ecx, esi
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		test	eax, eax
		js	short loc_94AB75
		mov	edx, [ebp+var_4]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_94AB75
		push	ebx
		push	ebx
		mov	ecx, esi
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_94AB75
		mov	ecx, [ebp+var_C]
		inc	edi
		cmp	edi, [ebp+var_8]
		jb	short loc_94AB43

loc_94AB73:				; CODE XREF: CmpMarkAllChildrenDirty(x,x)+36j
		mov	bl, 1

loc_94AB75:				; CODE XREF: CmpMarkAllChildrenDirty(x,x)+48j
					; CmpMarkAllChildrenDirty(x,x)+50j ...
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94AB7D:				; CODE XREF: CmpMarkAllChildrenDirty(x,x)+29j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_CmpMarkAllChildrenDirty@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpMarkEntireIndexDirty(x, x)
_CmpMarkEntireIndexDirty@8 proc	near	; CODE XREF: CmRenameKey(x,x,x,x)+886p
					; CmRenameKey(x,x,x,x)+89Ap ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_14], 0
		xor	eax, eax
		and	[ebp+var_18], 0
		or	[ebp+var_18], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	word ptr [ebp+var_14], ax
		mov	esi, edx
		lea	eax, [ebp+var_18]
		mov	ebx, ecx
		push	eax
		push	esi
		push	ebx
		mov	[ebp+var_4], ebx
		call	dword ptr [ebx+4]
		mov	edi, eax
		xor	edx, edx
		lea	eax, [ebx+28h]
		mov	ecx, eax
		mov	[ebp+var_10], eax
		call	ExAcquirePushLockExclusiveEx
		push	0
		push	1
		mov	edx, esi
		mov	ecx, ebx
		call	HvpMarkCellDirty
		mov	bl, al
		test	bl, bl
		jz	short loc_94ABE1
		mov	eax, 6972h
		cmp	[edi], ax
		jz	short loc_94AC14
		mov	bl, 1

loc_94ABE1:				; CODE XREF: CmpMarkEntireIndexDirty(x,x)+4Fj
		mov	esi, [ebp+var_4]

loc_94ABE4:				; CODE XREF: CmpMarkEntireIndexDirty(x,x)+B6j
					; CmpMarkEntireIndexDirty(x,x)+D2j
		mov	ecx, [ebp+var_10]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_94ABFC
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi+28h]

loc_94ABFC:				; CODE XREF: CmpMarkEntireIndexDirty(x,x)+6Ej
		call	KeAbPostRelease
		test	edi, edi
		jz	short loc_94AC0D
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94AC0D:				; CODE XREF: CmpMarkEntireIndexDirty(x,x)+7Fj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_94AC14:				; CODE XREF: CmpMarkEntireIndexDirty(x,x)+59j
		and	[ebp+var_8], 0
		xor	eax, eax
		mov	esi, [ebp+var_4]
		cmp	ax, [edi+2]
		jnb	short loc_94AC54
		lea	edx, [edi+4]
		mov	[ebp+var_C], edx

loc_94AC29:				; CODE XREF: CmpMarkEntireIndexDirty(x,x)+CEj
		mov	edx, [edx]
		mov	ecx, esi
		push	0
		push	1
		call	HvpMarkCellDirty
		mov	bl, al
		test	bl, bl
		jz	short loc_94ABE4
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_C]
		inc	ecx
		movzx	eax, word ptr [edi+2]
		add	edx, 4
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], edx
		cmp	ecx, eax
		jb	short loc_94AC29

loc_94AC54:				; CODE XREF: CmpMarkEntireIndexDirty(x,x)+9Dj
		mov	bl, 1
		jmp	short loc_94ABE4
_CmpMarkEntireIndexDirty@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpRemoveCellFromIndex(x, x)
_CmpRemoveCellFromIndex@8 proc near	; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+160p
					; CmpRemoveSubKeyCellNoCellRef(x,x,x)+174p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, 666Ch
		push	edi
		movzx	eax, word ptr [esi]
		cmp	ax, cx
		jz	short loc_94ACA3
		mov	ecx, 686Ch
		cmp	ax, cx
		jz	short loc_94ACA3
		movzx	eax, word ptr [esi+2]
		cmp	dx, ax
		jnb	short loc_94ACE0
		dec	eax
		movzx	edi, ax
		mov	[esi+2], ax
		test	di, di
		jz	short loc_94ACE0
		movzx	ecx, dx
		mov	eax, edi
		sub	eax, ecx
		shl	eax, 2
		push	eax
		lea	eax, [ecx+2]
		inc	ecx
		lea	eax, [esi+eax*4]
		push	eax
		lea	eax, [esi+ecx*4]
		jmp	short loc_94ACD7
; 

loc_94ACA3:				; CODE XREF: CmpRemoveCellFromIndex(x,x)+11j
					; CmpRemoveCellFromIndex(x,x)+1Bj
		movzx	eax, word ptr [esi+2]
		cmp	dx, ax
		jnb	short loc_94ACE0
		dec	eax
		movzx	edi, ax
		mov	[esi+2], ax
		test	di, di
		jz	short loc_94ACE0
		movzx	ecx, dx
		mov	eax, edi
		sub	eax, ecx
		shl	eax, 3
		push	eax		; size_t
		lea	eax, ds:0Ch[ecx*8]
		add	eax, esi
		push	eax		; void *
		lea	eax, ds:4[ecx*8]
		add	eax, esi

loc_94ACD7:				; CODE XREF: CmpRemoveCellFromIndex(x,x)+49j
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch

loc_94ACE0:				; CODE XREF: CmpRemoveCellFromIndex(x,x)+24j
					; CmpRemoveCellFromIndex(x,x)+31j ...
		pop	edi
		pop	esi
		retn
_CmpRemoveCellFromIndex@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRemoveSubKeyCellNoCellRef(x, x, x)
_CmpRemoveSubKeyCellNoCellRef@12 proc near
					; CODE XREF: CmpCheckRegistry2(x,x,x,x,x,x,x,x)+278p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		or	[ebp+var_40], 0FFFFFFFFh
		mov	eax, edx
		or	[ebp+var_38], 0FFFFFFFFh
		or	[ebp+var_30], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_20], eax
		xor	ecx, ecx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_3C], ecx
		inc	ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_2C], ecx
		lea	ecx, [ebp+var_40]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		xor	eax, eax
		mov	[ebp+var_28], edi
		test	edi, edi
		jnz	short loc_94AD2D
		mov	bl, al
		jmp	loc_94AF15
; 

loc_94AD2D:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+41j
		mov	edx, [ebp+var_20]
		mov	ecx, esi
		push	eax
		push	eax
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_94AD46

loc_94AD3D:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+76j
		xor	eax, eax
		mov	bl, al
		jmp	loc_94AF0D
; 

loc_94AD46:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+58j
		mov	eax, [edi+1Ch]
		lea	ecx, [ebp+var_38]
		push	ecx
		push	eax
		push	esi
		mov	[ebp+var_C], eax
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	short loc_94AD3D
		mov	eax, 6972h
		cmp	[edi], ax
		jnz	loc_94AE8B
		movzx	ecx, word ptr [edi+2]
		xor	edx, edx
		mov	[ebp+var_1C], ecx
		mov	eax, edx
		movzx	ecx, cx
		mov	[ebp+var_18], eax
		test	ecx, ecx
		jz	loc_94AEDD
		lea	ecx, [edi+4]
		mov	[ebp+var_8], ecx

loc_94AD88:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+101j
		test	eax, eax
		jz	short loc_94AD97
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	ecx, [ebp+var_8]

loc_94AD97:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+A7j
		mov	eax, [ecx]
		lea	ecx, [ebp+var_30]
		push	ecx
		push	eax
		push	esi
		mov	[ebp+var_14], eax
		call	dword ptr [esi+4]
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	loc_94AE85
		mov	edx, [ebp+arg_0]
		call	_CmpFindCellInIndex@8 ;	CmpFindCellInIndex(x,x)
		movzx	edx, ax
		movzx	eax, word ptr [ecx+2]
		mov	[ebp+var_24], edx
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		cmp	dx, ax
		jb	short loc_94ADEB
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_1C]
		inc	eax
		add	[ebp+var_8], 4
		movzx	edx, cx
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_18], eax
		cmp	eax, edx
		jb	short loc_94AD88
		jmp	loc_94AEDB
; 

loc_94ADEB:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+E9j
		mov	eax, [ebp+var_1C]
		mov	ecx, esi
		mov	edx, [ebp+var_14]
		movzx	eax, ax
		mov	[ebp+arg_0], eax
		xor	eax, eax
		push	eax
		push	eax
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_94AE0F

loc_94AE06:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+142j
					; CmpRemoveSubKeyCellNoCellRef(x,x,x)+158j
		xor	eax, eax
		mov	bl, al
		jmp	loc_94AEF3
; 

loc_94AE0F:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+121j
		cmp	word ptr [ebp+var_20], bx
		jnz	short loc_94AE3D
		mov	edx, [ebp+var_C]
		xor	eax, eax
		push	eax
		push	eax
		mov	ecx, esi
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_94AE06
		mov	edx, [ebp+var_14]
		mov	ecx, edi
		call	_CmpFindCellInIndex@8 ;	CmpFindCellInIndex(x,x)
		movzx	eax, ax
		mov	[ebp+arg_0], eax
		cmp	ax, [edi+2]
		jnb	short loc_94AE06

loc_94AE3D:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+130j
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_10]
		call	_CmpRemoveCellFromIndex@8 ; CmpRemoveCellFromIndex(x,x)
		cmp	word ptr [ebp+var_20], bx
		jnz	loc_94AEDB
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_CmpRemoveCellFromIndex@8 ; CmpRemoveCellFromIndex(x,x)
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebp+var_14]
		xor	eax, eax
		mov	ecx, esi
		mov	[ebp+var_10], eax
		call	HvFreeCell
		xor	edx, edx
		cmp	[edi+2], dx
		jnz	short loc_94AEDD
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	short loc_94AECD
; 

loc_94AE85:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+C9j
					; CmpRemoveSubKeyCellNoCellRef(x,x,x)+1BCj ...
		xor	eax, eax
		mov	bl, al
		jmp	short loc_94AF01
; 

loc_94AE8B:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+80j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_CmpFindCellInIndex@8 ;	CmpFindCellInIndex(x,x)
		movzx	eax, ax
		mov	[ebp+arg_0], eax
		cmp	ax, [edi+2]
		jnb	short loc_94AE85
		mov	edx, [ebp+var_C]
		xor	eax, eax
		push	eax
		push	eax
		mov	ecx, esi
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_94AE85
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_CmpRemoveCellFromIndex@8 ; CmpRemoveCellFromIndex(x,x)
		xor	edx, edx
		cmp	[edi+2], dx
		jnz	short loc_94AEDD
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94AECD:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+1A0j
		mov	edx, [ebp+var_C]
		xor	eax, eax
		mov	ecx, esi
		mov	edi, eax
		call	HvFreeCell

loc_94AEDB:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+103j
					; CmpRemoveSubKeyCellNoCellRef(x,x,x)+169j
		xor	edx, edx

loc_94AEDD:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+99j
					; CmpRemoveSubKeyCellNoCellRef(x,x,x)+196j ...
		mov	eax, [ebp+var_28]
		sub	dword ptr [eax+14h], 1
		jnz	short loc_94AEF3
		or	dword ptr [eax+1Ch], 0FFFFFFFFh
		xor	ecx, ecx
		mov	[eax+34h], cx
		mov	[eax+38h], edx

loc_94AEF3:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+127j
					; CmpRemoveSubKeyCellNoCellRef(x,x,x)+201j
		cmp	[ebp+var_10], 0
		jz	short loc_94AF01
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94AF01:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+1A6j
					; CmpRemoveSubKeyCellNoCellRef(x,x,x)+214j
		test	edi, edi
		jz	short loc_94AF0D
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94AF0D:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+5Ej
					; CmpRemoveSubKeyCellNoCellRef(x,x,x)+220j
		lea	eax, [ebp+var_40]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94AF15:				; CODE XREF: CmpRemoveSubKeyCellNoCellRef(x,x,x)+45j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
_CmpRemoveSubKeyCellNoCellRef@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSelectLeaf(x, x,	x, x, x)
_CmpSelectLeaf@20 proc near		; CODE XREF: CmpAddSubKeyToList+188752p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		or	[ebp+var_24], 0FFFFFFFFh
		xor	eax, eax
		or	[ebp+var_1C], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_4], eax
		push	edi
		push	eax
		push	eax
		mov	edx, [ebx]
		mov	esi, ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_20], eax
		mov	[ebp+var_18], eax
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_94B0E1
		mov	eax, [ebx]
		lea	ecx, [ebp+var_24]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	loc_94B0E1
		jmp	loc_94B0B8
; 

loc_94AF6E:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+1B1j
		mov	ebx, [ebp+var_4]
		cmp	ebx, 0FFFFFFFFh
		jnz	loc_94B063
		lea	ebx, [edi+eax*4]
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_C], ebx
		lea	eax, [ebx+4]
		push	ecx
		push	dword ptr [eax]
		mov	[ebp+var_14], eax
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_94B0D5
		push	dword ptr [eax+4]
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	0
		call	_CmpDoCompareKeyName@16	; CmpDoCompareKeyName(x,x,x,x)
		cmp	eax, 2
		jz	loc_94B0F0
		mov	ecx, [esi+8]
		test	eax, eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		jns	short loc_94AFF3
		call	ecx
		cmp	[ebp+var_8], 0
		lea	eax, [ebp+var_1C]
		push	eax
		jbe	short loc_94AFCC
		mov	ebx, [ebx]
		jmp	short loc_94B040
; 

loc_94AFCC:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+A8j
		mov	ebx, [edi+4]
		push	ebx
		push	esi
		mov	[ebp+var_4], ebx
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_94B0D5
		mov	ecx, 3F5h
		cmp	[eax+2], cx
		jb	loc_94B100
		jmp	loc_94B07B
; 

loc_94AFF3:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+9Cj
		call	ecx
		mov	ebx, [ebp+var_14]
		lea	eax, [ebp+var_1C]
		push	eax
		mov	ebx, [ebx]
		push	ebx
		push	esi
		mov	[ebp+var_4], ebx
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_94B0D5
		mov	ecx, 3F5h
		cmp	[eax+2], cx
		jb	loc_94B0EB
		movzx	eax, word ptr [edi+2]
		mov	ebx, [ebp+var_8]
		dec	eax
		cmp	ebx, eax
		jnb	short loc_94B07B
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		add	ebx, 2
		lea	eax, [edi+ebx*4]
		mov	ebx, [eax]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_1C]
		push	eax

loc_94B040:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+ACj
		push	ebx
		push	esi
		mov	[ebp+var_4], ebx
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_94B0D5
		mov	ecx, 3F5h
		cmp	[eax+2], cx
		jnb	short loc_94B07B
		mov	edi, [ebp+var_C]
		jmp	loc_94B103
; 

loc_94B063:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+56j
		lea	eax, [ebp+var_1C]
		push	eax
		push	ebx
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_94B0D5
		mov	ecx, 3F5h
		cmp	[eax+2], cx
		jb	short loc_94B0FA

loc_94B07B:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+D0j
					; CmpSelectLeaf(x,x,x,x,x)+109j ...
		push	[ebp+arg_4]
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		push	[ebp+var_8]
		mov	edx, [edx]
		call	_CmpSplitLeaf@16 ; CmpSplitLeaf(x,x,x,x)
		mov	ebx, eax
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_94B0F0
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, [ebp+var_10]
		mov	[eax], ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	ebx
		push	esi
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	short loc_94B0F0
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94B0B8:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+4Bj
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		push	0
		push	[ebp+arg_0]
		mov	ecx, esi
		call	_CmpFindSubKeyInRoot@20	; CmpFindSubKeyInRoot(x,x,x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jns	loc_94AF6E

loc_94B0D5:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+74j
					; CmpSelectLeaf(x,x,x,x,x)+BBj	...
		test	edi, edi
		jz	short loc_94B0E1
		lea	ecx, [ebp+var_24]
		push	ecx
		push	esi
		call	dword ptr [esi+8]

loc_94B0E1:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+30j
					; CmpSelectLeaf(x,x,x,x,x)+45j	...
		or	eax, 0FFFFFFFFh

loc_94B0E4:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+1FCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_94B0EB:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+F9j
		mov	edi, [ebp+var_14]
		jmp	short loc_94B103
; 

loc_94B0F0:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+8Cj
					; CmpSelectLeaf(x,x,x,x,x)+174j ...
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	short loc_94B0D5
; 

loc_94B0FA:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+15Bj
		mov	eax, [ebp+var_8]
		lea	edi, [edi+eax*4]

loc_94B100:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+CAj
		add	edi, 4

loc_94B103:				; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+140j
					; CmpSelectLeaf(x,x,x,x,x)+1D0j
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, ebx
		jmp	short loc_94B0E4
_CmpSelectLeaf@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSplitLeaf(x, x, x, x)
_CmpSplitLeaf@16 proc near		; CODE XREF: CmpSelectLeaf(x,x,x,x,x)+16Ap

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		or	[ebp+var_28], 0FFFFFFFFh
		mov	eax, edx
		or	[ebp+var_38], 0FFFFFFFFh
		or	[ebp+var_30], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_8], eax
		lea	ecx, [ebp+var_28]
		xor	ebx, ebx
		push	ecx
		push	eax
		push	esi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_4], ebx
		call	dword ptr [esi+4]
		mov	edi, eax
		test	edi, edi
		jz	loc_94B371
		mov	eax, 0FFFFh
		cmp	[edi+2], ax
		jz	loc_94B365
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_38]
		push	ecx
		mov	eax, [edi+eax*4+4]
		push	eax
		push	esi
		mov	[ebp+var_1C], eax
		call	dword ptr [esi+4]
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_94B365
		movzx	edx, word ptr [eax+2]
		movzx	eax, word ptr [eax]
		mov	cx, dx
		shr	cx, 1
		movzx	ecx, cx
		sub	edx, ecx
		mov	[ebp+var_C], ecx
		movzx	ecx, dx
		mov	edx, 686Ch
		mov	[ebp+var_18], ecx
		mov	ecx, 666Ch
		cmp	ax, dx
		jz	short loc_94B1BE
		mov	[ebp+var_10], 4
		cmp	ax, cx
		jnz	short loc_94B1C5

loc_94B1BE:				; CODE XREF: CmpSplitLeaf(x,x,x,x)+94j
		mov	[ebp+var_10], 8

loc_94B1C5:				; CODE XREF: CmpSplitLeaf(x,x,x,x)+A0j
		mov	edx, [ebp+var_1C]
		mov	ecx, esi
		push	ebx
		push	ebx
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_94B351
		mov	eax, [ebp+var_18]
		lea	ecx, [ebp+var_30]
		movzx	eax, ax
		imul	eax, [ebp+var_10]
		push	ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, esi
		mov	[ebp+var_10], eax
		lea	edx, [eax+5]
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	[ebp+var_1C], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_94B34E
		mov	eax, [ebp+var_14]
		mov	edx, [ebp+var_4]
		push	0FFFFFFF8h
		mov	cx, [eax]
		mov	[edx], cx
		mov	eax, [edi-4]
		movzx	ecx, word ptr [edi+2]
		mov	[ebp+arg_4], eax
		shl	ecx, 2
		pop	eax
		sub	eax, ecx
		sub	eax, [ebp+arg_4]
		push	0FFFFFFFCh
		pop	ecx
		and	eax, ecx
		cmp	eax, 4
		jnb	short loc_94B297
		sub	ecx, [ebp+arg_4]
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		mov	[ebp+var_20], ecx
		call	dword ptr [esi+8]
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+arg_4], ebx
		push	eax
		mov	eax, [ebp+var_20]
		mov	ecx, esi
		push	ebx
		add	eax, 4
		push	eax
		call	_HvReallocateCell@24 ; HvReallocateCell(x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_94B27E
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebp+var_1C]
		mov	ecx, esi
		call	HvFreeCell
		mov	edi, [ebp+arg_4]
		jmp	loc_94B351
; 

loc_94B27E:				; CODE XREF: CmpSplitLeaf(x,x,x,x)+146j
		mov	eax, [ebp+var_8]
		cmp	eax, edi
		jz	short loc_94B291
		mov	edx, eax
		mov	ecx, esi
		call	HvFreeCell
		mov	[ebp+var_8], edi

loc_94B291:				; CODE XREF: CmpSplitLeaf(x,x,x,x)+167j
		mov	edx, [ebp+var_4]
		mov	edi, [ebp+arg_4]

loc_94B297:				; CODE XREF: CmpSplitLeaf(x,x,x,x)+114j
		mov	ebx, [ebp+var_14]
		mov	ecx, 686Ch
		movzx	eax, word ptr [ebx]
		cmp	ax, cx
		jz	short loc_94B2BD
		mov	ecx, 666Ch
		cmp	ax, cx
		jz	short loc_94B2BD
		mov	eax, [ebp+var_C]
		movzx	eax, ax
		inc	eax
		lea	eax, [ebx+eax*4]
		jmp	short loc_94B2CC
; 

loc_94B2BD:				; CODE XREF: CmpSplitLeaf(x,x,x,x)+189j
					; CmpSplitLeaf(x,x,x,x)+193j
		mov	eax, [ebp+var_C]
		movzx	eax, ax
		lea	eax, ds:4[eax*8]
		add	eax, ebx

loc_94B2CC:				; CODE XREF: CmpSplitLeaf(x,x,x,x)+19Fj
		push	[ebp+var_10]	; size_t
		push	eax		; void *
		lea	eax, [edx+4]
		push	eax		; void *
		call	_memmove
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		mov	ecx, [ebp+var_18]
		mov	[ebx+2], ax
		mov	eax, [ebp+var_4]
		mov	[eax+2], cx
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		movzx	eax, word ptr [edi+2]
		mov	ebx, [ebp+arg_0]
		mov	ecx, eax
		mov	edx, eax
		lea	eax, [ecx-1]
		cmp	ebx, eax
		jnb	short loc_94B333
		sub	ecx, ebx
		lea	eax, ds:0FFFFFFFCh[ecx*4]
		push	eax		; size_t
		lea	eax, [ebx+2]
		lea	eax, [edi+eax*4]
		push	eax		; void *
		lea	eax, [ebx+3]
		lea	eax, [edi+eax*4]
		push	eax		; void *
		call	_memmove
		movzx	edx, word ptr [edi+2]
		add	esp, 0Ch

loc_94B333:				; CODE XREF: CmpSplitLeaf(x,x,x,x)+1F1j
		lea	eax, [edx+1]
		mov	[edi+2], ax
		mov	eax, [ebp+var_1C]
		mov	[edi+ebx*4+8], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, [ebp+var_8]
		jmp	short loc_94B374
; 

loc_94B34E:				; CODE XREF: CmpSplitLeaf(x,x,x,x)+E5j
		mov	ebx, [ebp+var_4]

loc_94B351:				; CODE XREF: CmpSplitLeaf(x,x,x,x)+B7j
					; CmpSplitLeaf(x,x,x,x)+15Dj
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		test	ebx, ebx
		jz	short loc_94B365
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94B365:				; CODE XREF: CmpSplitLeaf(x,x,x,x)+48j
					; CmpSplitLeaf(x,x,x,x)+66j ...
		test	edi, edi
		jz	short loc_94B371
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94B371:				; CODE XREF: CmpSplitLeaf(x,x,x,x)+39j
					; CmpSplitLeaf(x,x,x,x)+24Bj
		or	eax, 0FFFFFFFFh

loc_94B374:				; CODE XREF: CmpSplitLeaf(x,x,x,x)+230j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_CmpSplitLeaf@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpUpdateParentForEachSon(x, x, x)
_CmpUpdateParentForEachSon@12 proc near	; CODE XREF: CmRenameKey(x,x,x,x)+CDFp
					; CmpLightWeightCommitRenameKeyUoW(x,x,x)+2Ep

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		or	[ebp+var_20], 0FFFFFFFFh
		mov	eax, edx
		or	[ebp+var_18], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_8], eax
		lea	ecx, [ebp+var_20]
		xor	ebx, ebx
		push	ecx
		push	eax
		push	esi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_4], ebx
		call	dword ptr [esi+4]
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_94B401
		mov	ecx, [eax+18h]
		mov	edi, ebx
		add	ecx, [eax+14h]
		mov	[ebp+var_C], ecx
		jz	short loc_94B3F7

loc_94B3BD:				; CODE XREF: CmpUpdateParentForEachSon(x,x,x)+7Aj
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx
		push	edi
		mov	ecx, esi
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		cmp	[ebp+var_4], 0FFFFFFFFh
		jz	short loc_94B3F9
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_4]
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_94B3F9
		mov	ecx, [ebp+var_8]
		mov	[eax+10h], ecx
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, [ebp+var_10]
		inc	edi
		cmp	edi, [ebp+var_C]
		jb	short loc_94B3BD

loc_94B3F7:				; CODE XREF: CmpUpdateParentForEachSon(x,x,x)+40j
		mov	bl, 1

loc_94B3F9:				; CODE XREF: CmpUpdateParentForEachSon(x,x,x)+54j
					; CmpUpdateParentForEachSon(x,x,x)+63j
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94B401:				; CODE XREF: CmpUpdateParentForEachSon(x,x,x)+33j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
_CmpUpdateParentForEachSon@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAddValueToList(x, x, x, x, x)
_CmpAddValueToList@20 proc near		; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+7A6p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	1
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	CmpAddValueToListEx
		pop	ecx
		pop	ebp
		retn	0Ch
_CmpAddValueToList@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetValueForAudit(x, x, x, x)
_CmpGetValueForAudit@16	proc near	; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+5F5p
					; CmDeleteValueKey+18172Fp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		mov	edi, ecx
		xor	edx, edx
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_20], edx
		mov	ebx, edx
		mov	word ptr [ebp+var_18], cx
		mov	word ptr [ebp+var_20], cx
		lea	ecx, [ebp+var_24]
		push	ecx
		push	eax
		mov	[ebp+var_1C], edx
		or	[ebp+var_1C], 0FFFFFFFFh
		mov	[ebp+var_24], edx
		or	[ebp+var_24], 0FFFFFFFFh
		push	edi
		mov	[ebp+var_8], edx
		mov	byte ptr [ebp+var_1], dl
		call	dword ptr [edi+4]
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_94B479
		mov	esi, 0C000009Ah
		jmp	loc_94B50B
; 

loc_94B479:				; CODE XREF: CmpGetValueForAudit(x,x,x,x)+48j
		xor	esi, esi
		mov	[ebp+var_C], esi
		cmp	[eax+4], ebx
		jz	short loc_94B4D3
		mov	edx, [ebp+var_14]
		lea	ecx, [ebp+var_1C]
		push	ecx
		lea	ecx, [ebp+var_1]
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	eax
		mov	ecx, edi
		call	CmpGetValueData
		test	al, al
		jnz	short loc_94B4A9

loc_94B4A2:				; CODE XREF: CmpGetValueForAudit(x,x,x,x)+9Cj
		mov	esi, 0C000009Ah
		jmp	short loc_94B4E3
; 

loc_94B4A9:				; CODE XREF: CmpGetValueForAudit(x,x,x,x)+7Bj
		mov	esi, [ebp+var_C]
		test	esi, esi
		jz	short loc_94B4D0
		push	[ebp+arg_4]
		xor	ecx, ecx
		mov	edx, esi
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_94B4A2
		push	esi		; size_t
		push	[ebp+var_8]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_94B4D0:				; CODE XREF: CmpGetValueForAudit(x,x,x,x)+89j
		mov	eax, [ebp+var_10]

loc_94B4D3:				; CODE XREF: CmpGetValueForAudit(x,x,x,x)+5Cj
		mov	ecx, [ebp+arg_0]
		mov	eax, [eax+0Ch]
		mov	[ecx+4], esi
		xor	esi, esi
		mov	[ecx], eax
		mov	[ecx+8], ebx

loc_94B4E3:				; CODE XREF: CmpGetValueForAudit(x,x,x,x)+82j
		cmp	[ebp+var_8], 0
		jz	short loc_94B503
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_94B4FB
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_94B503
; 

loc_94B4FB:				; CODE XREF: CmpGetValueForAudit(x,x,x,x)+C8j
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_94B503:				; CODE XREF: CmpGetValueForAudit(x,x,x,x)+C2j
					; CmpGetValueForAudit(x,x,x,x)+D4j
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_94B50B:				; CODE XREF: CmpGetValueForAudit(x,x,x,x)+4Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_CmpGetValueForAudit@16	endp


;  S U B	R O U T	I N E 


; __stdcall CmpSortedValueEnumStackAdvance(x)
_CmpSortedValueEnumStackAdvance@4 proc near
					; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+F6p
					; CmpGetValueCountForKeyNodeStack(x,x)+10Bp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		jmp	short loc_94B525
; 

loc_94B51B:				; CODE XREF: CmpSortedValueEnumStackAdvance(x)+18j
		mov	eax, [esi]
		test	byte ptr [eax+10h], 2
		jz	short loc_94B530
		mov	ecx, esi

loc_94B525:				; CODE XREF: CmpSortedValueEnumStackAdvance(x)+5j
		call	_CmpSortedValueEnumStackAdvanceInternal@4 ; CmpSortedValueEnumStackAdvanceInternal(x)
		test	eax, eax
		jns	short loc_94B51B
		pop	esi
		retn
; 

loc_94B530:				; CODE XREF: CmpSortedValueEnumStackAdvance(x)+Dj
		xor	eax, eax
		pop	esi
		retn
_CmpSortedValueEnumStackAdvance@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSortedValueEnumStackAdvanceInternal(x)
_CmpSortedValueEnumStackAdvanceInternal@4 proc near
					; CODE XREF: CmpSortedValueEnumStackAdvance(x):loc_94B525p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		cmp	byte ptr [edi+6], 0
		jz	short loc_94B5A8
		cmp	[edi], esi
		jnz	short loc_94B557
		mov	esi, 8000001Ah
		jmp	loc_94B609
; 

loc_94B557:				; CODE XREF: CmpSortedValueEnumStackAdvanceInternal(x)+17j
		xor	eax, eax
		mov	ebx, esi
		cmp	ax, [edi+4]
		jg	short loc_94B5A8

loc_94B561:				; CODE XREF: CmpSortedValueEnumStackAdvanceInternal(x)+72j
		mov	edx, ebx
		mov	ecx, edi
		call	_CmpSortedValueEnumStackGetEntryAtLayerHeight@8	; CmpSortedValueEnumStackGetEntryAtLayerHeight(x,x)
		mov	[ebp+var_C], eax
		mov	ecx, [eax+10h]
		mov	[ebp+var_8], ecx
		cmp	ecx, [eax+0Ch]
		jnb	short loc_94B5A1
		mov	eax, [eax+4]
		mov	eax, [eax+ecx*4]
		mov	[ebp+var_4], eax
		cmp	eax, [edi]
		jz	short loc_94B598
		lea	eax, [ebp+var_4]
		push	edi		; void *
		push	eax		; void *
		call	_CmpSortedValueEnumStackValueCompareFunction
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_94B5A1
		mov	ecx, [ebp+var_8]

loc_94B598:				; CODE XREF: CmpSortedValueEnumStackAdvanceInternal(x)+4Fj
		lea	eax, [ecx+1]
		mov	ecx, [ebp+var_C]
		mov	[ecx+10h], eax

loc_94B5A1:				; CODE XREF: CmpSortedValueEnumStackAdvanceInternal(x)+42j
					; CmpSortedValueEnumStackAdvanceInternal(x)+5Fj
		inc	ebx
		cmp	bx, [edi+4]
		jle	short loc_94B561

loc_94B5A8:				; CODE XREF: CmpSortedValueEnumStackAdvanceInternal(x)+13j
					; CmpSortedValueEnumStackAdvanceInternal(x)+2Bj
		movzx	ebx, word ptr [edi+4]
		mov	[ebp+var_8], esi
		jmp	short loc_94B5EE
; 

loc_94B5B1:				; CODE XREF: CmpSortedValueEnumStackAdvanceInternal(x)+BDj
		mov	edx, ebx
		mov	ecx, edi
		call	_CmpSortedValueEnumStackGetEntryAtLayerHeight@8	; CmpSortedValueEnumStackGetEntryAtLayerHeight(x,x)
		mov	ecx, [eax+10h]
		cmp	ecx, [eax+0Ch]
		jnb	short loc_94B5ED
		mov	eax, [eax+4]
		mov	eax, [eax+ecx*4]
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		test	esi, esi
		jz	short loc_94B5E8
		lea	eax, [ebp+var_4]
		push	eax		; void *
		lea	eax, [ebp+var_8]
		push	eax		; void *
		call	_CmpSortedValueEnumStackValueCompareFunction
		pop	ecx
		pop	ecx
		test	eax, eax
		jle	short loc_94B5ED
		mov	eax, [ebp+var_C]

loc_94B5E8:				; CODE XREF: CmpSortedValueEnumStackAdvanceInternal(x)+9Cj
		mov	esi, eax
		mov	[ebp+var_8], esi

loc_94B5ED:				; CODE XREF: CmpSortedValueEnumStackAdvanceInternal(x)+8Cj
					; CmpSortedValueEnumStackAdvanceInternal(x)+AFj
		dec	ebx

loc_94B5EE:				; CODE XREF: CmpSortedValueEnumStackAdvanceInternal(x)+7Bj
		test	bx, bx
		jns	short loc_94B5B1
		mov	[edi], esi
		neg	esi
		mov	byte ptr [edi+6], 1
		sbb	esi, esi
		and	esi, 7FFFFFE6h
		add	esi, 8000001Ah

loc_94B609:				; CODE XREF: CmpSortedValueEnumStackAdvanceInternal(x)+1Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmpSortedValueEnumStackAdvanceInternal@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpSortedValueEnumStackCleanup(x)
_CmpSortedValueEnumStackCleanup@4 proc near
					; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+12Ap
					; CmpGetValueCountForKeyNodeStack(x,x)+185p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	edi
		xor	edi, edi
		cmp	ax, [esi+4]
		jg	short loc_94B637

loc_94B620:				; CODE XREF: CmpSortedValueEnumStackCleanup(x)+25j
		mov	edx, edi
		mov	ecx, esi
		call	_CmpSortedValueEnumStackGetEntryAtLayerHeight@8	; CmpSortedValueEnumStackGetEntryAtLayerHeight(x,x)
		mov	ecx, eax
		call	_CmpSortedValueEnumStackEntryCleanup@4 ; CmpSortedValueEnumStackEntryCleanup(x)
		inc	edi
		cmp	di, [esi+4]
		jle	short loc_94B620

loc_94B637:				; CODE XREF: CmpSortedValueEnumStackCleanup(x)+Ej
		mov	ecx, [esi+30h]
		pop	edi
		pop	esi
		test	ecx, ecx
		jnz	_CmpFreePool@4	; CmpFreePool(x)
		retn
_CmpSortedValueEnumStackCleanup@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpSortedValueEnumStackEntryCleanup(x)
_CmpSortedValueEnumStackEntryCleanup@4 proc near
					; CODE XREF: CmpSortedValueEnumStackCleanup(x)+1Bp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_94B656
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_94B656:				; CODE XREF: CmpSortedValueEnumStackEntryCleanup(x)+Aj
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_94B682
		push	edi
		xor	edi, edi
		cmp	[esi+0Ch], edi
		jbe	short loc_94B67B

loc_94B665:				; CODE XREF: CmpSortedValueEnumStackEntryCleanup(x)+31j
		mov	eax, [esi+8]
		mov	ecx, [esi]
		lea	eax, [eax+edi*8]
		push	eax
		push	ecx
		call	dword ptr [ecx+8]
		inc	edi
		cmp	edi, [esi+0Ch]
		jb	short loc_94B665
		mov	ecx, [esi+8]

loc_94B67B:				; CODE XREF: CmpSortedValueEnumStackEntryCleanup(x)+1Ej
		pop	edi
		pop	esi
		jmp	_CmpFreePool@4	; CmpFreePool(x)
; 

loc_94B682:				; CODE XREF: CmpSortedValueEnumStackEntryCleanup(x)+16j
		pop	esi
		retn
_CmpSortedValueEnumStackEntryCleanup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSortedValueEnumStackEntryStart(x, x, x)
_CmpSortedValueEnumStackEntryStart@12 proc near
					; CODE XREF: CmpSortedValueEnumStackStartFromKeyNodeStack(x,x)+AEp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, edx
		push	esi
		xor	esi, esi
		mov	[ecx], eax
		mov	[ebp+var_28], esi
		xor	edx, edx
		mov	ebx, [ebx+24h]
		or	[ebp+var_28], 0FFFFFFFFh
		mov	[ebp+var_24], esi
		mov	[ebp+var_4], eax
		mov	[ebp+var_20], ecx
		mov	word ptr [ebp+var_24], dx
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		jz	loc_94B796
		push	edi
		xor	ecx, ecx
		mov	edx, ebx
		push	38374D43h
		shl	edx, 2
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_18], edi
		test	edi, edi
		jnz	short loc_94B6E1
		mov	esi, 0C000009Ah
		jmp	loc_94B795
; 

loc_94B6E1:				; CODE XREF: CmpSortedValueEnumStackEntryStart(x,x,x)+51j
		xor	ecx, ecx
		mov	edx, ebx
		push	38374D43h
		shl	edx, 3
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_94B704
		mov	esi, 0C000009Ah
		jmp	loc_94B78A
; 

loc_94B704:				; CODE XREF: CmpSortedValueEnumStackEntryStart(x,x,x)+74j
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_28]
		push	ecx
		mov	eax, [eax+28h]
		push	eax
		mov	eax, [ebp+var_4]
		push	eax
		call	dword ptr [eax+4]
		mov	ecx, eax
		test	ebx, ebx
		jz	short loc_94B75D
		sub	ecx, edi
		mov	[ebp+arg_0], edi
		mov	edx, edi
		mov	[ebp+var_8], ebx
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+var_C]
		mov	[ebp+var_14], ecx

loc_94B72F:				; CODE XREF: CmpSortedValueEnumStackEntryStart(x,x,x)+D1j
		mov	[ebx], esi
		mov	[ebx+4], esi
		or	dword ptr [ebx], 0FFFFFFFFh
		mov	eax, [ecx+edx]
		push	ebx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	edx, [ebp+arg_0]
		add	ebx, 8
		mov	ecx, [ebp+var_14]
		mov	[edx], eax
		add	edx, 4
		sub	[ebp+var_8], 1
		mov	[ebp+arg_0], edx
		jnz	short loc_94B72F
		mov	edi, [ebp+var_18]
		mov	ebx, [ebp+var_1C]

loc_94B75D:				; CODE XREF: CmpSortedValueEnumStackEntryStart(x,x,x)+96j
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, [ebp+var_4]
		push	eax
		call	dword ptr [eax+8]
		push	offset _CmpSortedValueEnumStackValueCompareFunction ; int __cdecl (*)(const void *,const void *)
		push	4		; size_t
		push	ebx		; size_t
		push	edi		; void *
		call	_qsort
		mov	eax, [ebp+var_20]
		add	esp, 10h
		mov	ecx, [ebp+var_C]
		mov	[eax+4], edi
		mov	edi, esi
		mov	[eax+8], ecx
		mov	[eax+0Ch], ebx

loc_94B78A:				; CODE XREF: CmpSortedValueEnumStackEntryStart(x,x,x)+7Bj
		test	edi, edi
		jz	short loc_94B795
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_94B795:				; CODE XREF: CmpSortedValueEnumStackEntryStart(x,x,x)+58j
					; CmpSortedValueEnumStackEntryStart(x,x,x)+108j
		pop	edi

loc_94B796:				; CODE XREF: CmpSortedValueEnumStackEntryStart(x,x,x)+31j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpSortedValueEnumStackEntryStart@12 endp


;  S U B	R O U T	I N E 


; __stdcall CmpSortedValueEnumStackGetEntryAtLayerHeight(x, x)
_CmpSortedValueEnumStackGetEntryAtLayerHeight@8	proc near
					; CODE XREF: CmpSortedValueEnumStackAdvanceInternal(x)+31p
					; CmpSortedValueEnumStackAdvanceInternal(x)+81p ...
		cmp	dx, 2
		jl	short loc_94B7AF
		lea	eax, [edx-2]
		cwde
		imul	eax, 14h
		add	eax, [ecx+30h]
		retn
; 

loc_94B7AF:				; CODE XREF: CmpSortedValueEnumStackGetEntryAtLayerHeight(x,x)+4j
		movsx	eax, dx
		imul	eax, 14h
		add	eax, 8
		add	eax, ecx
		retn
_CmpSortedValueEnumStackGetEntryAtLayerHeight@8	endp


;  S U B	R O U T	I N E 


; __stdcall CmpSortedValueEnumStackInitialize(x)
_CmpSortedValueEnumStackInitialize@4 proc near
					; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+51p
					; CmpGetValueCountForKeyNodeStack(x,x)+133p
		and	dword ptr [ecx], 0
		xor	eax, eax
		mov	[ecx+6], ax
		and	[ecx+30h], eax
		or	eax, 0FFFFFFFFh
		push	edi
		mov	[ecx+4], ax
		lea	edi, [ecx+8]
		push	0Ah
		pop	ecx
		xor	eax, eax
		rep stosd
		pop	edi
		retn
_CmpSortedValueEnumStackInitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSortedValueEnumStackStartFromKeyNodeStack(x, x)
_CmpSortedValueEnumStackStartFromKeyNodeStack@8	proc near
					; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+E5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, edx
		push	ebx
		push	esi
		mov	[ebp+var_4], eax
		mov	ebx, ecx
		movzx	esi, word ptr [eax]
		push	edi
		lea	eax, [esi+1]
		movzx	eax, ax
		cmp	ax, 2
		jle	short loc_94B844
		add	eax, 0FFFFFFFEh
		xor	ecx, ecx
		movzx	edi, ax
		inc	ecx
		movsx	eax, di
		imul	edx, eax, 14h
		push	39374D43h
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	[ebx+30h], eax
		test	eax, eax
		jnz	short loc_94B825
		mov	eax, 0C000009Ah
		jmp	loc_94B8B1
; 

loc_94B825:				; CODE XREF: CmpSortedValueEnumStackStartFromKeyNodeStack(x,x)+3Ej
		xor	eax, eax
		cmp	ax, di
		jge	short loc_94B844
		xor	ecx, ecx
		mov	edx, edi

loc_94B830:				; CODE XREF: CmpSortedValueEnumStackStartFromKeyNodeStack(x,x)+67j
		mov	edi, [ebx+30h]
		xor	eax, eax
		add	edi, ecx
		add	ecx, 14h
		stosd
		stosd
		stosd
		stosd
		stosd
		sub	edx, 1
		jnz	short loc_94B830

loc_94B844:				; CODE XREF: CmpSortedValueEnumStackStartFromKeyNodeStack(x,x)+1Ej
					; CmpSortedValueEnumStackStartFromKeyNodeStack(x,x)+4Fj
		mov	[ebx+4], si
		mov	edi, esi
		test	si, si
		js	short loc_94B8AF

loc_94B84F:				; CODE XREF: CmpSortedValueEnumStackStartFromKeyNodeStack(x,x)+D2j
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	ecx, ebx
		mov	esi, eax
		call	_CmpSortedValueEnumStackGetEntryAtLayerHeight@8	; CmpSortedValueEnumStackGetEntryAtLayerHeight(x,x)
		mov	ecx, [esi+8]
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jz	short loc_94B8A9
		mov	edx, [esi]
		test	dword ptr [edx+64h], 80000h
		jz	short loc_94B886
		movzx	eax, byte ptr [ecx+0Dh]
		and	eax, 3
		cmp	eax, 1
		jz	short loc_94B8AF
		mov	eax, [ebp+var_8]

loc_94B886:				; CODE XREF: CmpSortedValueEnumStackStartFromKeyNodeStack(x,x)+9Aj
		push	ecx
		mov	ecx, eax
		call	_CmpSortedValueEnumStackEntryStart@12 ;	CmpSortedValueEnumStackEntryStart(x,x,x)
		test	eax, eax
		js	short loc_94B8B1
		mov	eax, [esi]
		test	dword ptr [eax+64h], 80000h
		jz	short loc_94B8A9
		mov	eax, [esi+8]
		movzx	eax, byte ptr [eax+0Dh]
		and	eax, 3
		jnz	short loc_94B8AF

loc_94B8A9:				; CODE XREF: CmpSortedValueEnumStackStartFromKeyNodeStack(x,x)+8Fj
					; CmpSortedValueEnumStackStartFromKeyNodeStack(x,x)+C0j
		dec	edi
		test	di, di
		jns	short loc_94B84F

loc_94B8AF:				; CODE XREF: CmpSortedValueEnumStackStartFromKeyNodeStack(x,x)+72j
					; CmpSortedValueEnumStackStartFromKeyNodeStack(x,x)+A6j ...
		xor	eax, eax

loc_94B8B1:				; CODE XREF: CmpSortedValueEnumStackStartFromKeyNodeStack(x,x)+45j
					; CmpSortedValueEnumStackStartFromKeyNodeStack(x,x)+B5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpSortedValueEnumStackStartFromKeyNodeStack@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl CmpSortedValueEnumStackValueCompareFunction(const	void *,const void *)
_CmpSortedValueEnumStackValueCompareFunction proc near
					; CODE XREF: CmpSortedValueEnumStackAdvanceInternal(x)+56p
					; CmpSortedValueEnumStackAdvanceInternal(x)+A6p
					; DATA XREF: ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	ecx, [eax]
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_0], 1
		movzx	edi, word ptr [ecx+2]
		lea	edx, [ecx+14h]
		mov	eax, [eax]
		mov	si, [ecx+10h]
		mov	[ebp+var_4], edx
		mov	word ptr [ebp+var_8], di
		lea	ebx, [eax+14h]
		movzx	edx, word ptr [eax+2]
		mov	word ptr [ebp+var_8+2],	di
		mov	[ebp+var_C], ebx
		mov	word ptr [ebp+var_10], dx
		mov	word ptr [ebp+var_10+2], dx
		and	si, word ptr [ebp+arg_0]
		jz	short loc_94B914
		test	byte ptr [eax+10h], 1
		jz	short loc_94B929
		push	edx
		push	ebx
		mov	edx, edi
		lea	ecx, [ecx+14h]
		call	CmpCompareTwoCompressedNames
		jmp	short loc_94B950
; 

loc_94B914:				; CODE XREF: _CmpSortedValueEnumStackValueCompareFunction+48j
		test	byte ptr [eax+10h], 1
		jz	short loc_94B929
		push	0
		push	edx
		mov	edx, ebx
		lea	ecx, [ebp+var_8]
		call	_CmpCompareCompressedName@16 ; CmpCompareCompressedName(x,x,x,x)
		jmp	short loc_94B950
; 

loc_94B929:				; CODE XREF: _CmpSortedValueEnumStackValueCompareFunction+4Ej
					; _CmpSortedValueEnumStackValueCompareFunction+62j
		test	si, si
		jz	short loc_94B940
		mov	edx, [ebp+var_4]
		lea	ecx, [ebp+var_10]
		push	0
		push	edi
		call	_CmpCompareCompressedName@16 ; CmpCompareCompressedName(x,x,x,x)
		neg	eax
		jmp	short loc_94B950
; 

loc_94B940:				; CODE XREF: _CmpSortedValueEnumStackValueCompareFunction+76j
		push	[ebp+arg_0]
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)

loc_94B950:				; CODE XREF: _CmpSortedValueEnumStackValueCompareFunction+5Cj
					; _CmpSortedValueEnumStackValueCompareFunction+71j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpSortedValueEnumStackValueCompareFunction endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpValueEnumStackAdvance(x)
_CmpValueEnumStackAdvance@4 proc near	; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+151p
					; CmpGetValueCountForKeyNodeStack(x,x)+166p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		mov	word ptr [ebp+var_8], ax
		mov	al, [esi+4]
		mov	[ebp+var_C], ecx
		or	[ebp+var_C], 0FFFFFFFFh
		mov	byte ptr [ebp+var_1], cl
		push	edi
		test	al, al
		jz	short loc_94B98B
		cmp	dword ptr [esi], 0FFFFFFFFh
		jz	loc_94BA35
		test	al, al
		jnz	short loc_94B99E

loc_94B98B:				; CODE XREF: CmpValueEnumStackAdvance(x)+27j
		movzx	eax, word ptr [esi+0Ch]
		mov	edi, ecx
		mov	byte ptr [esi+4], 1
		mov	[esi+8], ecx
		mov	[esi+6], ax
		jmp	short loc_94B9A8
; 

loc_94B99E:				; CODE XREF: CmpValueEnumStackAdvance(x)+34j
		inc	dword ptr [esi+8]
		mov	edi, [esi+8]
		movzx	eax, word ptr [esi+6]

loc_94B9A8:				; CODE XREF: CmpValueEnumStackAdvance(x)+47j
		or	dword ptr [esi], 0FFFFFFFFh
		test	ax, ax
		js	loc_94BA35
		movzx	edx, ax

loc_94B9B7:				; CODE XREF: CmpValueEnumStackAdvance(x)+DEj
		mov	ecx, esi
		call	_CmpValueEnumStackGetEntryAtLayerHeight@8 ; CmpValueEnumStackGetEntryAtLayerHeight(x,x)
		mov	ebx, eax
		jmp	short loc_94BA16
; 

loc_94B9C2:				; CODE XREF: CmpValueEnumStackAdvance(x)+C4j
		mov	eax, [ebx+4]
		lea	edx, [ebp+var_C]
		mov	ecx, [ebx]
		push	edx
		mov	eax, [eax+edi*4]
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	ecx, [ebx]
		mov	edx, eax
		call	_CmpIsValueTombstone@8 ; CmpIsValueTombstone(x,x)
		test	al, al
		jz	short loc_94B9EA
		lea	eax, [ebp+var_C]
		push	eax
		push	ecx
		call	dword ptr [ecx+8]
		jmp	short loc_94BA10
; 

loc_94B9EA:				; CODE XREF: CmpValueEnumStackAdvance(x)+89j
		lea	eax, [ebp+var_1]
		mov	ecx, esi
		push	eax
		push	edx
		mov	dx, [esi+6]
		call	_CmpValueEnumStackMatchingValueInUpperLayer@16 ; CmpValueEnumStackMatchingValueInUpperLayer(x,x,x,x)
		mov	ecx, [ebx]
		mov	edi, eax
		lea	eax, [ebp+var_C]
		push	eax
		push	ecx
		call	dword ptr [ecx+8]
		test	edi, edi
		js	short loc_94BA3A
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_94BA41

loc_94BA10:				; CODE XREF: CmpValueEnumStackAdvance(x)+93j
		inc	dword ptr [esi+8]
		mov	edi, [esi+8]

loc_94BA16:				; CODE XREF: CmpValueEnumStackAdvance(x)+6Bj
		cmp	edi, [ebx+10h]
		jb	short loc_94B9C2
		mov	ax, [esi+6]
		xor	edi, edi
		and	dword ptr [esi+8], 0
		dec	ax
		movzx	ecx, ax
		mov	[esi+6], ax
		mov	edx, ecx
		test	cx, cx
		jns	short loc_94B9B7

loc_94BA35:				; CODE XREF: CmpValueEnumStackAdvance(x)+2Cj
					; CmpValueEnumStackAdvance(x)+59j
		mov	edi, 8000001Ah

loc_94BA3A:				; CODE XREF: CmpValueEnumStackAdvance(x)+B3j
					; CmpValueEnumStackAdvance(x)+F9j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_94BA41:				; CODE XREF: CmpValueEnumStackAdvance(x)+B9j
		mov	eax, [ebx+4]
		xor	edi, edi
		mov	ecx, [esi+8]
		mov	eax, [eax+ecx*4]
		mov	[esi], eax
		jmp	short loc_94BA3A
_CmpValueEnumStackAdvance@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpValueEnumStackCleanup(x)
_CmpValueEnumStackCleanup@4 proc near	; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+17Cp
					; CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+244p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	edi
		xor	edi, edi
		cmp	ax, [esi+0Ch]
		jg	short loc_94BA77

loc_94BA60:				; CODE XREF: CmpValueEnumStackCleanup(x)+25j
		mov	edx, edi
		mov	ecx, esi
		call	_CmpValueEnumStackGetEntryAtLayerHeight@8 ; CmpValueEnumStackGetEntryAtLayerHeight(x,x)
		mov	ecx, eax
		call	_CmpValueEnumStackEntryCleanup@4 ; CmpValueEnumStackEntryCleanup(x)
		inc	edi
		cmp	di, [esi+0Ch]
		jle	short loc_94BA60

loc_94BA77:				; CODE XREF: CmpValueEnumStackCleanup(x)+Ej
		mov	ecx, [esi+38h]
		pop	edi
		pop	esi
		test	ecx, ecx
		jnz	_CmpFreePool@4	; CmpFreePool(x)
		retn
_CmpValueEnumStackCleanup@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpValueEnumStackGetEntryAtLayerHeight(x, x)
_CmpValueEnumStackGetEntryAtLayerHeight@8 proc near
					; CODE XREF: CmpValueEnumStackGetCurrentValueHive(x)+4p
					; CmpValueEnumStackStartFromKeyNodeStack(x,x)+87p ...
		cmp	dx, 2
		jl	short loc_94BA96
		lea	eax, [edx-2]
		cwde
		imul	eax, 14h
		add	eax, [ecx+38h]
		retn
; 

loc_94BA96:				; CODE XREF: CmpValueEnumStackGetEntryAtLayerHeight(x,x)+4j
		movsx	eax, dx
		imul	eax, 14h
		add	eax, 10h
		add	eax, ecx
		retn
_CmpValueEnumStackGetEntryAtLayerHeight@8 endp


;  S U B	R O U T	I N E 


; int __fastcall CmpValueEnumStackInitialize(void *)
_CmpValueEnumStackInitialize@4 proc near
					; CODE XREF: CmpGetValueCountForKeyNodeStack(x,x)+5Ap
					; CmEnumerateValueFromLayeredKey(x,x,x,x,x,x)+56p ...
		mov	edi, edi
		push	esi
		push	edi
		push	3Ch		; size_t
		mov	esi, ecx
		push	0		; int
		push	esi		; void *
		call	_memset
		or	dword ptr [esi], 0FFFFFFFFh
		add	esp, 0Ch
		add	esi, 10h
		push	2
		pop	edi

loc_94BABE:				; CODE XREF: CmpValueEnumStackInitialize(x)+29j
		mov	ecx, esi
		call	_CmpValueEnumStackEntryInitialize@4 ; CmpValueEnumStackEntryInitialize(x)
		add	esi, 14h
		sub	edi, 1
		jnz	short loc_94BABE
		pop	edi
		pop	esi
		retn
_CmpValueEnumStackInitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpValueEnumStackMatchingValueInUpperLayer(x, x, x,	x)
_CmpValueEnumStackMatchingValueInUpperLayer@16 proc near
					; CODE XREF: CmpValueEnumStackAdvance(x)+A0p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		push	ebx
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], ebx
		push	eax
		mov	esi, edx
		mov	[ebp+var_8], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp+arg_0]
		movzx	edi, word ptr [edx+10h]
		lea	eax, [edx+14h]
		mov	[ebp+var_8], eax
		and	edi, 1
		movzx	eax, word ptr [edx+2]
		mov	word ptr [ebp+var_C], ax
		mov	word ptr [ebp+var_C+2],	ax
		lea	eax, [esi+1]
		shl	edi, 10h
		movzx	esi, ax
		jmp	short loc_94BB46
; 

loc_94BB19:				; CODE XREF: CmpValueEnumStackMatchingValueInUpperLayer(x,x,x,x)+7Dj
		mov	edx, esi
		mov	ecx, eax
		call	_CmpValueEnumStackGetEntryAtLayerHeight@8 ; CmpValueEnumStackGetEntryAtLayerHeight(x,x)
		lea	ecx, [ebp+arg_0]
		push	ecx
		push	0
		mov	edx, [eax+4]
		lea	ecx, [ebp+var_C]
		push	edi
		push	ecx
		push	dword ptr [eax+10h]
		mov	ecx, [eax]
		call	CmpFindNameInListCellWithStatus
		test	eax, eax
		jns	short loc_94BB51
		cmp	eax, 0C0000034h
		jnz	short loc_94BB5A
		inc	esi

loc_94BB46:				; CODE XREF: CmpValueEnumStackMatchingValueInUpperLayer(x,x,x,x)+47j
		mov	eax, [ebp+var_4]
		cmp	si, [eax+0Ch]
		jle	short loc_94BB19
		jmp	short loc_94BB53
; 

loc_94BB51:				; CODE XREF: CmpValueEnumStackMatchingValueInUpperLayer(x,x,x,x)+6Cj
		mov	bl, 1

loc_94BB53:				; CODE XREF: CmpValueEnumStackMatchingValueInUpperLayer(x,x,x,x)+7Fj
		mov	eax, [ebp+arg_4]
		mov	[eax], bl
		xor	eax, eax

loc_94BB5A:				; CODE XREF: CmpValueEnumStackMatchingValueInUpperLayer(x,x,x,x)+73j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_CmpValueEnumStackMatchingValueInUpperLayer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvIsRangeDirty(x, x, x)
_HvIsRangeDirty@12 proc	near		; CODE XREF: HvpRemapAndEnlistHiveBins+187A59p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		test	byte ptr [ebx+64h], 1
		jnz	short loc_94BBBA
		test	esi, esi
		js	short loc_94BBBA
		push	edi
		lea	edi, [ebx+28h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		push	[ebp+arg_0]
		shr	esi, 9
		lea	eax, [ebx+2Ch]
		push	esi
		push	eax
		call	_RtlAreBitsClear@12 ; RtlAreBitsClear(x,x,x)
		mov	bl, al
		or	edx, 0FFFFFFFFh
		lock xadd [edi], edx
		and	dl, 6
		cmp	dl, 2
		jnz	short loc_94BBAB
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_94BBAB:				; CODE XREF: HvIsRangeDirty(x,x,x)+41j
		mov	ecx, edi
		call	KeAbPostRelease
		test	bl, bl
		pop	edi
		setz	al
		jmp	short loc_94BBBC
; 

loc_94BBBA:				; CODE XREF: HvIsRangeDirty(x,x,x)+Fj
					; HvIsRangeDirty(x,x,x)+13j
		mov	al, 1

loc_94BBBC:				; CODE XREF: HvIsRangeDirty(x,x,x)+57j
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_HvIsRangeDirty@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvMarkCellDirty(x, x, x)
_HvMarkCellDirty@12 proc near		; CODE XREF: CmpKeySecurityMarkDirtyForReferenceCountDecrement(x,x,x,x)+12p
					; CmpKeySecurityMarkDirtyForReferenceCountDecrement(x,x,x,x)+24p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_0]
		call	HvpMarkCellDirty
		pop	ebp
		retn	4
_HvMarkCellDirty@12 endp


;  S U B	R O U T	I N E 


; __stdcall CmpLockTwoSecurityCachesExclusiveShared(x, x)
_CmpLockTwoSecurityCachesExclusiveShared@8 proc	near
					; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+3A8p
					; CmpCopyKeyPartial(x,x,x,x,x,x,x)+176p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [edx+484h]
		cmp	esi, edx
		jnb	short loc_94BBFD
		lea	ecx, [esi+484h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, edi
		xor	edx, edx
		pop	edi
		pop	esi
		jmp	ExAcquirePushLockSharedEx
; 

loc_94BBFD:				; CODE XREF: CmpLockTwoSecurityCachesExclusiveShared(x,x)+Ej
		mov	ecx, edi
		jbe	short loc_94BC0E
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lea	ecx, [esi+484h]

loc_94BC0E:				; CODE XREF: CmpLockTwoSecurityCachesExclusiveShared(x,x)+2Aj
		pop	edi
		xor	edx, edx
		pop	esi
		jmp	ExAcquirePushLockExclusiveEx
_CmpLockTwoSecurityCachesExclusiveShared@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpUnlockTwoSecurityCaches(x, x)
_CmpUnlockTwoSecurityCaches@8 proc near	; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+3CEp
		mov	edi, edi
		push	esi
		mov	esi, edx
		lea	eax, [ecx+484h]
		cmp	ecx, esi
		jz	short loc_94BC35
		xor	edx, edx
		mov	ecx, eax
		call	ExReleasePushLockEx
		lea	eax, [esi+484h]

loc_94BC35:				; CODE XREF: CmpUnlockTwoSecurityCaches(x,x)+Dj
		xor	edx, edx
		mov	ecx, eax
		pop	esi
		jmp	ExReleasePushLockEx
_CmpUnlockTwoSecurityCaches@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpQuitNextActiveHive(x)
_CmpQuitNextActiveHive@4 proc near	; CODE XREF: CmpLockKcbStackFlusherLocksExclusive(x)+4Aj
		add	ecx, 430h
		jmp	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
_CmpQuitNextActiveHive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmDumpKey(x, x, x)
_CmDumpKey@12	proc near		; CODE XREF: NtSaveKeyEx(x,x,x)+182p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_10], edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	esi, [edi+8]
		mov	bl, 1
		mov	[ebp+var_1], bl
		mov	eax, [esi+10h]
		cmp	eax, ds:_CmpMasterHive
		jnz	short loc_94BC8A
		mov	edi, 0C0000022h
		jmp	loc_94BDE8
; 

loc_94BC8A:				; CODE XREF: CmDumpKey(x,x,x)+34j
		lea	ecx, [esi+18h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lock inc dword ptr [esi+1Ch]
		xor	edx, edx
		mov	ecx, edi
		call	CmpPerformKeyBodyDeletionCheck
		mov	edi, eax
		test	edi, edi
		js	loc_94BDDD
		test	dword ptr [esi+68h], 40000h
		jnz	short loc_94BCBE
		mov	edi, 0C000000Dh
		jmp	loc_94BDDD
; 

loc_94BCBE:				; CODE XREF: CmDumpKey(x,x,x)+68j
		xor	eax, eax
		cmp	[esi+22h], ax
		jz	short loc_94BCE9
		mov	ecx, esi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		push	[ebp+arg_0]
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_18]
		push	5
		call	_CmSaveKey@16	; CmSaveKey(x,x,x,x)
		mov	edi, eax
		jmp	loc_94BDED
; 

loc_94BCE9:				; CODE XREF: CmDumpKey(x,x,x)+7Aj
		mov	ecx, [esi+10h]
		xor	edx, edx
		add	ecx, 24h
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi+10h]
		xor	edx, edx
		add	ecx, 484h
		call	ExAcquirePushLockSharedEx
		mov	edx, [esi+14h]
		mov	ecx, [esi+10h]
		push	3
		push	20019h
		push	[ebp+arg_0]
		call	_CmpDoAccessCheckOnSubtree@20 ;	CmpDoAccessCheckOnSubtree(x,x,x,x,x)
		mov	ecx, [esi+10h]
		xor	edx, edx
		add	ecx, 484h
		mov	edi, eax
		call	ExReleasePushLockEx
		or	eax, 0FFFFFFFFh
		test	edi, edi
		js	loc_94BDB8
		mov	ecx, [esi+10h]
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_C]
		call	_HvSnapshotHiveToOffsetArray@16	; HvSnapshotHiveToOffsetArray(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_94BDA0
		mov	edi, [esi+10h]
		or	eax, 0FFFFFFFFh
		add	edi, 24h
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_94BD6B
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_94BD6B:				; CODE XREF: CmDumpKey(x,x,x)+118j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, esi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		push	[ebp+var_10]
		mov	edx, [ebp+var_C]
		xor	eax, eax
		push	[ebp+var_14]
		mov	bl, al
		push	[ebp+var_8]
		mov	[ebp+var_1], bl
		call	_CmpWriteOffsetArrayToFile@20 ;	CmpWriteOffsetArrayToFile(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_94BDA0
		xor	eax, eax
		mov	edi, eax

loc_94BDA0:				; CODE XREF: CmDumpKey(x,x,x)+105j
					; CmDumpKey(x,x,x)+150j
		cmp	[ebp+var_8], 0
		jz	short loc_94BDB1
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		call	_CmpFreeOffsetArray@8 ;	CmpFreeOffsetArray(x,x)

loc_94BDB1:				; CODE XREF: CmDumpKey(x,x,x)+15Aj
		test	bl, bl
		jz	short loc_94BDED
		or	eax, 0FFFFFFFFh

loc_94BDB8:				; CODE XREF: CmDumpKey(x,x,x)+E8j
		mov	ebx, [esi+10h]
		add	ebx, 24h
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_94BDCF
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_94BDCF:				; CODE XREF: CmDumpKey(x,x,x)+17Cj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	bl, [ebp+var_1]
		test	bl, bl
		jz	short loc_94BDED

loc_94BDDD:				; CODE XREF: CmDumpKey(x,x,x)+5Bj
					; CmDumpKey(x,x,x)+6Fj
		mov	ecx, esi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		test	bl, bl
		jz	short loc_94BDED

loc_94BDE8:				; CODE XREF: CmDumpKey(x,x,x)+3Bj
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_94BDED:				; CODE XREF: CmDumpKey(x,x,x)+9Aj
					; CmDumpKey(x,x,x)+169j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmDumpKey@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmRestoreKey(x, x, x, x)
_CmRestoreKey@16 proc near		; CODE XREF: NtRestoreKey(x,x,x)+1AEp

var_200		= dword	ptr -200h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_171		= byte ptr -171h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_161		= byte ptr -161h
var_160		= dword	ptr -160h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 204h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_188], ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1F0], eax
		lea	edi, [ebp+var_200]
		mov	[ebp+var_1DC], eax
		xor	ecx, ecx
		mov	[ebp+var_1A8], eax
		mov	ebx, edx
		mov	[ebp+var_1BC], eax
		mov	[ebp+var_1CC], eax
		xor	eax, eax
		stosd
		push	154h		; size_t
		push	ecx		; int
		mov	[ebp+var_170], ebx
		stosd
		mov	[ebp+var_1D4], ecx
		mov	[ebp+var_1EC], ecx
		mov	[ebp+var_180], ecx
		stosd
		mov	[ebp+var_1D8], ecx
		mov	[ebp+var_16C], ecx
		mov	[ebp+var_1A4], ecx
		stosd
		lea	eax, [ebp+var_160]
		push	eax		; void *
		mov	[ebp+var_1B8], ecx
		mov	[ebp+var_184], ecx
		mov	[ebp+var_1C8], ecx
		mov	[ebp+var_1C4], ecx
		mov	[ebp+var_1C0], ecx
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_1B4]
		stosd
		lea	ecx, [ebp+var_1A0]
		add	esp, 0Ch
		xor	edx, edx
		mov	[ebp+var_190], edx
		mov	[ebp+var_1A0], edx
		stosd
		mov	[ebp+var_19C], edx
		stosd
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		mov	edi, [ebp+var_188]
		mov	[ebp+var_161], dl
		mov	eax, [edi+8]
		mov	[ebp+var_168], eax
		mov	esi, [eax+10h]
		mov	[ebp+var_194], esi
		test	dword ptr [esi+64h], 100000h
		jz	short loc_94BEFC
		mov	edi, 0C0000022h
		mov	ebx, edx
		jmp	short loc_94BF2B
; 

loc_94BEFC:				; CODE XREF: CmRestoreKey(x,x,x,x)+FBj
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_CmpTraceHiveRestoreStart@8 ; CmpTraceHiveRestoreStart(x,x)
		mov	edx, [ebp+arg_0]
		test	edx, 0FFFFFFFDh
		setnz	cl
		test	dl, 2
		setnz	al
		test	cl, al
		jz	loc_94BFB9
		mov	edi, 0C000000Dh

loc_94BF25:				; CODE XREF: CmRestoreKey(x,x,x,x)+1EDj
					; CmRestoreKey(x,x,x,x)+24Ej ...
		mov	ebx, [ebp+var_16C]

loc_94BF2B:				; CODE XREF: CmRestoreKey(x,x,x,x)+104j
					; CmRestoreKey(x,x,x,x)+B44j ...
		xor	dl, dl
		lea	ecx, [ebp+var_1A0]
		call	CmpDrainDelayDerefContext
		cmp	[ebp+var_161], 0
		jz	short loc_94BF46
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_94BF46:				; CODE XREF: CmRestoreKey(x,x,x,x)+149j
		mov	ecx, [ebp+var_184]
		test	ecx, ecx
		jz	short loc_94BF5D
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)
		xor	eax, eax
		mov	[ebp+var_184], eax

loc_94BF5D:				; CODE XREF: CmRestoreKey(x,x,x,x)+158j
		cmp	[ebp+var_1D4], 0
		jz	short loc_94BF71
		lea	eax, [ebp+var_1F0]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94BF71:				; CODE XREF: CmRestoreKey(x,x,x,x)+16Ej
		test	ebx, ebx
		jz	short loc_94BF80
		lea	eax, [ebp+var_1A8]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94BF80:				; CODE XREF: CmRestoreKey(x,x,x,x)+17Dj
		cmp	[ebp+var_180], 0
		jz	short loc_94BF94
		lea	eax, [ebp+var_1DC]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94BF94:				; CODE XREF: CmRestoreKey(x,x,x,x)+191j
		lea	ecx, [ebp+var_1B4]
		call	CmpCleanupRollbackPacket
		mov	ecx, edi
		call	_CmpTraceHiveRestoreStop@4 ; CmpTraceHiveRestoreStop(x)
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_94BFB9:				; CODE XREF: CmRestoreKey(x,x,x,x)+124j
		xor	ecx, ecx
		cmp	[edi+20h], ecx
		jnz	loc_94C9A2
		cmp	[edi+24h], ecx
		jnz	loc_94C9A2
		xor	ebx, ebx
		inc	ebx
		test	dl, bl
		jz	short loc_94BFE8
		mov	edx, [ebp+var_170]
		mov	ecx, edi
		call	_CmpLoadHiveVolatile@8 ; CmpLoadHiveVolatile(x,x)

loc_94BFE1:				; CODE XREF: CmRestoreKey(x,x,x,x)+1FEj
		mov	edi, eax
		jmp	loc_94BF25
; 

loc_94BFE8:				; CODE XREF: CmRestoreKey(x,x,x,x)+1DCj
		test	dl, 2
		jz	short loc_94BFF6
		mov	ecx, edi
		call	_CmpRefreshHive@4 ; CmpRefreshHive(x)
		jmp	short loc_94BFE1
; 

loc_94BFF6:				; CODE XREF: CmRestoreKey(x,x,x,x)+1F5j
		lea	eax, [ebp+var_1C4]
		mov	[ebp+var_1C0], eax
		mov	[ebp+var_1C4], eax
		mov	eax, [ebp+var_170]
		mov	[ebp+var_200], eax
		lea	eax, [ebp+var_160]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	1190001h
		push	ecx
		lea	eax, [ebp+var_200]
		push	eax
		push	ecx
		push	ecx
		push	8000h
		push	2
		pop	edx
		lea	ecx, [ebp+var_184]
		call	_CmpCreateHive@48 ; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_94BF25
		xor	cl, cl
		call	CmpLockRegistryFreezeAware
		mov	edi, [ebp+var_168]
		mov	ecx, edi
		mov	[ebp+var_161], bl
		call	_CmpLockKcbShared@4 ; CmpLockKcbShared(x)
		mov	eax, [edi+14h]
		xor	ecx, ecx
		mov	[ebp+var_178], eax
		cmp	[edi+22h], cx
		jz	short loc_94C087
		push	11h
		pop	ecx
		call	_CmpLogUnsupportedOperation@4 ;	CmpLogUnsupportedOperation(x)
		mov	edi, 0C0000002h
		jmp	loc_94C992
; 

loc_94C087:				; CODE XREF: CmRestoreKey(x,x,x,x)+27Dj
		mov	ecx, [ebp+var_188]
		xor	edx, edx
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jz	short loc_94C0A2
		mov	edi, 0C0000121h
		jmp	loc_94C992
; 

loc_94C0A2:				; CODE XREF: CmRestoreKey(x,x,x,x)+2A0j
		cmp	[edi+21h], bl
		jnz	short loc_94C0B1

loc_94C0A7:				; CODE XREF: CmRestoreKey(x,x,x,x)+2C1j
		mov	edi, 0C0000022h
		jmp	loc_94C992
; 

loc_94C0B1:				; CODE XREF: CmRestoreKey(x,x,x,x)+2AFj
		cmp	esi, ds:_CmpMasterHive
		jz	short loc_94C0A7
		cmp	[esi+6DCh], bl
		jnz	short loc_94C0CB
		mov	edi, 0C0000189h
		jmp	loc_94C992
; 

loc_94C0CB:				; CODE XREF: CmRestoreKey(x,x,x,x)+2C9j
		mov	ecx, esi
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		lea	eax, [ebp+var_1A8]
		mov	[ebp+var_171], bl
		push	eax
		push	[ebp+var_178]
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_16C], eax
		test	eax, eax
		jnz	short loc_94C0FD

loc_94C0F3:				; CODE XREF: CmRestoreKey(x,x,x,x)+34Cj
		mov	edi, 0C000009Ah
		jmp	loc_94C983
; 

loc_94C0FD:				; CODE XREF: CmRestoreKey(x,x,x,x)+2FBj
		test	byte ptr [eax+2], 4
		jz	short loc_94C108
		or	eax, 0FFFFFFFFh
		jmp	short loc_94C10B
; 

loc_94C108:				; CODE XREF: CmRestoreKey(x,x,x,x)+30Bj
		mov	eax, [eax+10h]

loc_94C10B:				; CODE XREF: CmRestoreKey(x,x,x,x)+310j
		mov	ecx, [ebp+var_178]
		shr	ecx, 1Fh
		push	ecx
		push	ecx
		mov	[ebp+var_198], ecx
		mov	ecx, [ebp+var_184]
		push	6
		push	eax
		push	esi
		mov	edx, [ecx+20h]
		mov	[ebp+var_170], eax
		mov	edx, [edx+24h]
		call	_CmpCopyKeyPartial@28 ;	CmpCopyKeyPartial(x,x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_1D0], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_94C0F3
		mov	edx, [ebp+var_16C]
		movzx	eax, word ptr [edx+48h]
		lea	edx, [ebp+var_1DC]
		push	edx
		lea	edx, [ebp+var_180]
		add	eax, 4Ch
		push	edx
		push	ebx
		mov	edx, ecx
		mov	ecx, esi
		push	eax
		call	_HvReallocateCell@24 ; HvReallocateCell(x,x,x,x,x,x)
		mov	[ebp+var_17C], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_94C17F

loc_94C175:				; CODE XREF: CmRestoreKey(x,x,x,x)+3FFj
		mov	edi, 0C000009Ah
		jmp	loc_94C958
; 

loc_94C17F:				; CODE XREF: CmRestoreKey(x,x,x,x)+37Dj
		mov	ecx, [ebp+var_16C]
		mov	[ebp+var_1D0], eax
		movzx	eax, word ptr [ecx+48h]
		push	eax		; size_t
		lea	eax, [ecx+4Ch]
		push	eax		; void *
		mov	eax, [ebp+var_180]
		add	eax, 4Ch
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_16C]
		add	esp, 0Ch
		mov	ecx, [ebp+var_180]
		mov	ax, [edx+48h]
		mov	[ecx+48h], ax
		test	byte ptr [edx+2], 20h
		jz	short loc_94C1C7
		or	word ptr [ecx+2], 20h
		jmp	short loc_94C1D6
; 

loc_94C1C7:				; CODE XREF: CmRestoreKey(x,x,x,x)+3C8j
		mov	eax, [ebp+var_180]
		mov	ecx, 0FFDFh
		and	[eax+2], cx

loc_94C1D6:				; CODE XREF: CmRestoreKey(x,x,x,x)+3CFj
		mov	ecx, [ebp+var_184]
		xor	eax, eax
		push	eax
		push	2
		push	[ebp+var_17C]
		mov	edx, [ecx+20h]
		push	esi
		mov	edx, [edx+24h]
		call	_CmpCopySyncTree@24 ; CmpCopySyncTree(x,x,x,x,x,x)
		test	al, al
		jz	loc_94C175
		mov	ecx, esi
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		xor	ecx, ecx
		mov	[ebp+var_171], cl
		mov	ecx, edi
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		lea	eax, [ebp+var_1A8]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		xor	eax, eax
		mov	[ebp+var_16C], eax
		lea	eax, [ebp+var_1DC]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		xor	eax, eax
		mov	cl, bl
		mov	[ebp+var_180], eax
		call	CmpLockRegistryFreezeAware

loc_94C243:				; CODE XREF: CmRestoreKey(x,x,x,x)+561j
		xor	eax, eax
		mov	[ebp+var_161], al
		mov	eax, _CmpShutdownRundown
		test	al, bl
		jnz	loc_94C94D
		mov	ecx, [ebp+var_188]
		xor	edx, edx
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_94C49F
		mov	eax, [ebp+var_178]
		cmp	eax, [edi+14h]
		jnz	loc_94C946
		test	dword ptr [edi+4], 40000h
		jnz	loc_94C93F
		cmp	[esi+6DCh], bl
		jz	loc_94C94D
		mov	eax, [ebp+var_170]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_94C2B9
		push	ebx
		push	4
		push	[ebp+arg_4]
		mov	edx, eax
		mov	ecx, esi
		call	_CmpCheckKeyAccess@20 ;	CmpCheckKeyAccess(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_94C952

loc_94C2B9:				; CODE XREF: CmRestoreKey(x,x,x,x)+4A8j
		mov	edx, [ebp+var_178]
		mov	ecx, esi
		push	ebx
		push	10000h
		push	[ebp+arg_4]
		call	_CmpCheckKeyAccess@20 ;	CmpCheckKeyAccess(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_94C952
		lea	eax, [ebp+var_1B4]
		mov	dl, bl
		push	eax
		push	ecx
		mov	ecx, [ebp+var_168]
		call	CmpTryAcquireKcbIXLocks
		mov	edi, eax
		cmp	edi, 0C000022Dh
		jnz	short loc_94C35C
		mov	ecx, [ebp+var_168]
		lea	eax, [ebp+var_1B4]
		push	eax
		push	7
		pop	edx
		call	_CmpLogTransactionAbortedForRollbackPacket@12 ;	CmpLogTransactionAbortedForRollbackPacket(x,x,x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	edx, edx
		lea	ecx, [ebp+var_1B4]
		call	_CmpAbortRollbackPacket@8 ; CmpAbortRollbackPacket(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_94C431

loc_94C329:				; CODE XREF: CmRestoreKey(x,x,x,x)+629j
		lea	ecx, [ebp+var_1B4]
		call	CmpCleanupRollbackPacket
		xor	eax, eax
		lea	edi, [ebp+var_1B4]
		stosd
		lea	ecx, [ebp+var_190]
		stosd
		stosd
		call	_CmpRetryBackOff@4 ; CmpRetryBackOff(x)
		mov	cl, bl
		call	CmpLockRegistryFreezeAware
		mov	edi, [ebp+var_168]
		jmp	loc_94C243
; 

loc_94C35C:				; CODE XREF: CmRestoreKey(x,x,x,x)+500j
		test	edi, edi
		js	loc_94C952
		mov	edx, [ebp+var_178]
		mov	ecx, esi
		push	2
		push	10000h
		push	[ebp+arg_4]
		call	_CmpDoAccessCheckOnSubtree@20 ;	CmpDoAccessCheckOnSubtree(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_94C952
		test	byte ptr [ebp+arg_0], 8
		mov	ecx, [ebp+var_168]
		jz	loc_94C47B
		lea	eax, [ebp+var_1B4]
		xor	edx, edx
		push	eax
		call	_CmpPrepareToInvalidateAllHigherLayerKcbs@12 ; CmpPrepareToInvalidateAllHigherLayerKcbs(x,x,x)
		mov	edi, eax
		cmp	edi, 0C000022Dh
		jnz	short loc_94C3B5
		mov	[ebp+var_161], bl
		jmp	short loc_94C3BD
; 

loc_94C3B5:				; CODE XREF: CmRestoreKey(x,x,x,x)+5B5j
		test	edi, edi
		js	loc_94C952

loc_94C3BD:				; CODE XREF: CmRestoreKey(x,x,x,x)+5BDj
		mov	ecx, [ebp+var_168]
		lea	eax, [ebp+var_1B4]
		push	eax
		xor	edx, edx
		call	_CmpPrepareForSubtreeInvalidation@12 ; CmpPrepareForSubtreeInvalidation(x,x,x)
		mov	edi, eax
		cmp	edi, 0C000022Dh
		jz	short loc_94C3EC
		test	edi, edi
		js	loc_94C952
		cmp	[ebp+var_161], 0
		jz	short loc_94C43D

loc_94C3EC:				; CODE XREF: CmRestoreKey(x,x,x,x)+5E3j
		mov	ecx, [ebp+var_168]
		lea	eax, [ebp+var_1B4]
		push	eax
		push	7
		pop	edx
		call	_CmpLogTransactionAbortedForRollbackPacket@12 ;	CmpLogTransactionAbortedForRollbackPacket(x,x,x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	eax, eax
		lea	ecx, [ebp+var_1B4]
		xor	edx, edx
		mov	[ebp+var_161], al
		call	_CmpAbortRollbackPacket@8 ; CmpAbortRollbackPacket(x,x)
		mov	edi, eax
		test	edi, edi
		jns	loc_94C329
		mov	cl, bl
		call	CmpLockRegistryFreezeAware
		jmp	loc_94C958
; 

loc_94C431:				; CODE XREF: CmRestoreKey(x,x,x,x)+52Dj
		mov	cl, bl
		call	CmpLockRegistryFreezeAware
		jmp	loc_94C952
; 

loc_94C43D:				; CODE XREF: CmRestoreKey(x,x,x,x)+5F4j
		mov	ecx, [ebp+var_168]
		lea	eax, [ebp+var_1A0]
		push	eax
		xor	eax, eax
		mov	edx, ebx
		push	eax
		call	_CmpInvalidateAllHigherLayerKcbs@16 ; CmpInvalidateAllHigherLayerKcbs(x,x,x,x)
		xor	ecx, ecx
		lea	eax, [ebp+var_1A0]
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_168]
		mov	edx, ebx
		call	_CmpInvalidateSubtree@20 ; CmpInvalidateSubtree(x,x,x,x,x)
		xor	dl, dl
		lea	ecx, [ebp+var_1A0]
		call	CmpDrainDelayDerefContext
		jmp	short loc_94C4B3
; 

loc_94C47B:				; CODE XREF: CmRestoreKey(x,x,x,x)+599j
		push	ebx
		push	ebx
		xor	eax, eax
		mov	edx, offset _CmpCleanUpHigherLayerKcbCachesPreCallback@8 ; CmpCleanUpHigherLayerKcbCachesPreCallback(x,x)
		push	eax
		push	eax
		push	offset _CmpCleanUpHigherLayerKcbCachesPostCallback@12 ;	CmpCleanUpHigherLayerKcbCachesPostCallback(x,x,x)
		call	_CmpEnumerateAllHigherLayerKcbs@28 ; CmpEnumerateAllHigherLayerKcbs(x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_168]
		call	_CmpDoesKeyHaveOpenSubkeys@4 ; CmpDoesKeyHaveOpenSubkeys(x)
		test	al, al
		jz	short loc_94C4A9

loc_94C49F:				; CODE XREF: CmRestoreKey(x,x,x,x)+471j
					; CmRestoreKey(x,x,x,x)+6BBj
		mov	edi, 0C0000121h
		jmp	loc_94C952
; 

loc_94C4A9:				; CODE XREF: CmRestoreKey(x,x,x,x)+6A7j
		mov	eax, [ebp+var_168]
		cmp	[eax], ebx
		jnz	short loc_94C49F

loc_94C4B3:				; CODE XREF: CmRestoreKey(x,x,x,x)+683j
		mov	edx, [ebp+var_17C]
		xor	eax, eax
		push	eax
		push	eax
		mov	ecx, esi
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_94C4D2

loc_94C4C8:				; CODE XREF: CmRestoreKey(x,x,x,x)+790j
					; CmRestoreKey(x,x,x,x)+9F5j
		mov	edi, 0C000017Dh
		jmp	loc_94C952
; 

loc_94C4D2:				; CODE XREF: CmRestoreKey(x,x,x,x)+6D0j
		lea	eax, [ebp+var_1DC]
		push	eax
		push	[ebp+var_178]
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_180], eax
		test	eax, eax
		jnz	short loc_94C4F7

loc_94C4ED:				; CODE XREF: CmRestoreKey(x,x,x,x)+729j
					; CmRestoreKey(x,x,x,x)+75Fj ...
		mov	edi, 0C000009Ah
		jmp	loc_94C952
; 

loc_94C4F7:				; CODE XREF: CmRestoreKey(x,x,x,x)+6F5j
		mov	eax, [ebp+var_180]
		test	byte ptr [eax+2], 4
		mov	ecx, [eax+10h]
		mov	[ebp+var_170], ecx
		jz	short loc_94C577
		mov	eax, ds:_CmpMasterHive
		lea	edx, [ebp+var_1BC]
		push	edx
		push	ecx
		push	eax
		call	dword ptr [eax+4]
		test	eax, eax
		jz	short loc_94C4ED
		mov	edx, [ebp+var_17C]
		lea	ecx, [ebp+var_1BC]
		mov	[eax+1Ch], edx
		mov	eax, ds:_CmpMasterHive
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		lea	eax, [ebp+var_1A8]
		push	eax
		push	[ebp+var_17C]
		push	esi
		call	dword ptr [esi+4]
		mov	ecx, eax
		mov	[ebp+var_16C], ecx
		test	ecx, ecx
		jz	short loc_94C4ED
		mov	eax, [ebp+var_170]
		mov	edx, [ebp+var_17C]
		mov	[ecx+10h], eax
		mov	eax, [esi+20h]
		mov	[eax+24h], edx
		lea	eax, [ebp+var_1A8]
		jmp	loc_94C76F
; 

loc_94C577:				; CODE XREF: CmRestoreKey(x,x,x,x)+714j
		xor	eax, eax
		mov	edx, ecx
		push	eax
		push	eax
		mov	ecx, esi
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_94C4C8
		lea	eax, [ebp+var_1BC]
		push	eax
		mov	eax, [ebp+var_170]
		push	eax
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_94C4ED
		mov	esi, [ebp+var_198]
		mov	esi, [eax+esi*4+1Ch]
		lea	eax, [ebp+var_1BC]
		push	eax
		mov	eax, [ebp+var_194]
		push	eax
		mov	[ebp+var_1E0], esi
		call	dword ptr [eax+8]
		lea	eax, [ebp+var_1F0]
		push	eax
		push	esi
		mov	esi, [ebp+var_194]
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_1D4], eax
		test	eax, eax
		jz	loc_94C4ED
		mov	ecx, 6972h
		cmp	[eax], cx
		jnz	short loc_94C600
		movzx	ecx, word ptr [eax+2]
		lea	edx, [eax+4]
		mov	[ebp+var_198], ecx
		jmp	short loc_94C60E
; 

loc_94C600:				; CODE XREF: CmRestoreKey(x,x,x,x)+7F9j
		mov	ecx, ebx
		mov	[ebp+var_198], ebx
		lea	edx, [ebp+var_1E0]

loc_94C60E:				; CODE XREF: CmRestoreKey(x,x,x,x)+808j
		xor	eax, eax
		mov	[ebp+var_190], edx
		mov	[ebp+var_188], eax
		test	ecx, ecx
		jz	loc_94C724

loc_94C624:				; CODE XREF: CmRestoreKey(x,x,x,x)+914j
		mov	eax, [edx+eax*4]
		lea	ecx, [ebp+var_1CC]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_18C], eax
		test	eax, eax
		jz	loc_94C4ED
		mov	eax, [ebp+var_190]
		mov	ecx, esi
		mov	edx, [ebp+var_188]
		mov	edx, [eax+edx*4]
		xor	eax, eax
		push	eax
		push	eax
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_94C7E0
		mov	eax, [ebp+var_18C]
		mov	edx, 666Ch
		movzx	ecx, word ptr [eax]
		cmp	cx, dx
		jz	short loc_94C6B1
		mov	edx, 686Ch
		cmp	cx, dx
		jz	short loc_94C6B1
		movzx	edx, word ptr [eax+2]
		xor	ecx, ecx
		mov	[ebp+var_18C], edx
		test	edx, edx
		jz	short loc_94C6E4
		lea	edx, [eax+4]

loc_94C693:				; CODE XREF: CmRestoreKey(x,x,x,x)+8B7j
		mov	esi, [ebp+var_178]
		cmp	[edx], esi
		mov	esi, [ebp+var_194]
		jz	short loc_94C70F
		inc	ecx
		add	edx, 4
		cmp	ecx, [ebp+var_18C]
		jb	short loc_94C693
		jmp	short loc_94C6E4
; 

loc_94C6B1:				; CODE XREF: CmRestoreKey(x,x,x,x)+87Ej
					; CmRestoreKey(x,x,x,x)+888j
		movzx	edx, word ptr [eax+2]
		xor	ecx, ecx
		mov	[ebp+var_18C], edx
		test	edx, edx
		jz	short loc_94C6E4
		lea	edx, [eax+4]

loc_94C6C4:				; CODE XREF: CmRestoreKey(x,x,x,x)+8ECj
		mov	esi, [ebp+var_178]
		cmp	[edx], esi
		mov	esi, [ebp+var_194]
		jz	loc_94C7D1
		inc	ecx
		add	edx, 8
		cmp	ecx, [ebp+var_18C]
		jb	short loc_94C6C4

loc_94C6E4:				; CODE XREF: CmRestoreKey(x,x,x,x)+898j
					; CmRestoreKey(x,x,x,x)+8B9j ...
		lea	eax, [ebp+var_1CC]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, [ebp+var_188]
		inc	eax
		mov	[ebp+var_188], eax
		cmp	eax, [ebp+var_198]
		jnb	short loc_94C724
		mov	edx, [ebp+var_190]
		jmp	loc_94C624
; 

loc_94C70F:				; CODE XREF: CmRestoreKey(x,x,x,x)+8ABj
		mov	edx, [ebp+var_17C]
		mov	[eax+ecx*4+4], edx

loc_94C719:				; CODE XREF: CmRestoreKey(x,x,x,x)+9E5j
		lea	eax, [ebp+var_1CC]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94C724:				; CODE XREF: CmRestoreKey(x,x,x,x)+828j
					; CmRestoreKey(x,x,x,x)+90Cj
		lea	eax, [ebp+var_1BC]
		push	eax
		push	[ebp+var_170]
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_18C], eax
		lea	eax, [ebp+var_1A8]
		push	eax
		push	[ebp+var_17C]
		push	esi
		call	dword ptr [esi+4]
		movzx	ecx, word ptr [eax+4Ah]
		mov	eax, [ebp+var_18C]
		cmp	[eax+38h], ecx
		jnb	short loc_94C75E
		mov	[eax+38h], ecx

loc_94C75E:				; CODE XREF: CmRestoreKey(x,x,x,x)+963j
		lea	eax, [ebp+var_1A8]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		lea	eax, [ebp+var_1BC]

loc_94C76F:				; CODE XREF: CmRestoreKey(x,x,x,x)+77Cj
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, [ebp+var_168]
		lea	edx, [ebp+var_1A0]
		mov	ecx, [ebp+var_17C]
		mov	[eax+14h], ecx
		mov	ecx, eax
		call	_CmpCleanUpKcbCachedSymlink@8 ;	CmpCleanUpKcbCachedSymlink(x,x)
		mov	ecx, [ebp+var_168]
		lea	edx, [ebp+var_1E8]
		or	[ebp+var_1E8], 0FFFFFFFFh
		xor	eax, eax
		mov	[ebp+var_1E4], eax
		push	edx
		mov	eax, [ecx+14h]
		mov	ecx, [ecx+10h]
		push	eax
		push	ecx
		call	dword ptr [ecx+4]
		mov	[ebp+var_170], eax
		test	eax, eax
		jnz	short loc_94C7F0
		mov	edi, 0C000009Ah
		mov	[ebp+var_16C], eax
		jmp	loc_94C952
; 

loc_94C7D1:				; CODE XREF: CmRestoreKey(x,x,x,x)+8DCj
		mov	edx, [ebp+var_17C]
		mov	[eax+ecx*8+4], edx
		jmp	loc_94C719
; 

loc_94C7E0:				; CODE XREF: CmRestoreKey(x,x,x,x)+867j
		lea	eax, [ebp+var_1CC]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	loc_94C4C8
; 

loc_94C7F0:				; CODE XREF: CmRestoreKey(x,x,x,x)+9C9j
		mov	ecx, [eax+28h]
		mov	edx, [ebp+var_168]
		mov	eax, [eax+24h]
		mov	[edx+34h], ecx
		mov	ecx, [ebp+var_170]
		mov	[edx+30h], eax
		mov	ax, [ecx+2]
		mov	[edx+6Ah], ax
		xor	eax, eax
		mov	edx, [ecx+2Ch]
		mov	ecx, [ebp+var_168]
		push	eax
		push	eax
		push	eax
		call	CmpAssignSecurityToKcb
		mov	ecx, [ebp+var_168]
		mov	dl, bl
		call	CmpCleanUpSubKeyInfo
		mov	edx, [ebp+var_168]
		mov	ecx, [ebp+var_170]
		push	0
		pop	eax
		add	[edx+0A8h], ebx
		adc	[edx+0ACh], eax
		mov	eax, [ecx+4]
		mov	[edx+58h], eax
		mov	eax, [ecx+8]
		mov	[edx+5Ch], eax
		mov	ax, [ecx+34h]
		mov	[edx+60h], ax
		mov	ax, [ecx+3Ch]
		mov	[edx+62h], ax
		mov	eax, [ecx+40h]
		mov	[edx+64h], eax
		movzx	eax, word ptr [ecx+36h]
		xor	eax, [edx+68h]
		and	eax, 0Fh
		xor	[edx+68h], eax
		movzx	ecx, word ptr [ecx+36h]
		mov	eax, [edx+68h]
		xor	ecx, eax
		and	ecx, 0F0h
		xor	ecx, eax
		mov	[edx+68h], ecx
		mov	ecx, [ebp+var_170]
		mov	al, [ecx+37h]
		lea	ecx, [ebp+var_1E8]
		mov	[edx+69h], al
		mov	eax, [edx+10h]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		mov	eax, [ebp+var_168]
		mov	edx, [ebp+var_178]
		push	40h
		pop	ecx
		mov	[eax+4], cx
		mov	ecx, esi
		call	_CmpDeleteTree@8 ; CmpDeleteTree(x,x)
		test	al, al
		jz	short loc_94C8D6
		mov	edx, [ebp+var_178]
		xor	eax, eax
		push	eax
		mov	ecx, esi
		call	CmpFreeKeyByCell

loc_94C8D6:				; CODE XREF: CmRestoreKey(x,x,x,x)+ACEj
		mov	ecx, [ebp+var_168]
		lea	eax, [ebp+var_1C4]
		push	eax
		push	ebx
		xor	edx, edx
		call	CmpReportNotify
		cmp	ds:_CmpProfileLoaded, 0
		jnz	short loc_94C904
		mov	eax, ds:_CmpGlobalQuota
		mov	ds:_CmpProfileLoaded, bl
		mov	ds:_CmpGlobalQuotaAllowed, eax

loc_94C904:				; CODE XREF: CmRestoreKey(x,x,x,x)+AFCj
		xor	dl, dl
		lea	ecx, [ebp+var_1A0]
		call	CmpDrainDelayDerefContext
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, [ebp+var_184]
		xor	ebx, ebx
		mov	[ebp+var_161], bl
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)
		lea	ecx, [ebp+var_1C4]
		mov	[ebp+var_184], ebx
		call	_CmpSignalDeferredPosts@4 ; CmpSignalDeferredPosts(x)
		jmp	loc_94BF2B
; 

loc_94C93F:				; CODE XREF: CmRestoreKey(x,x,x,x)+48Dj
		mov	edi, 0C0000425h
		jmp	short loc_94C952
; 

loc_94C946:				; CODE XREF: CmRestoreKey(x,x,x,x)+480j
		mov	edi, 0C000017Ch
		jmp	short loc_94C952
; 

loc_94C94D:				; CODE XREF: CmRestoreKey(x,x,x,x)+45Cj
					; CmRestoreKey(x,x,x,x)+499j
		mov	edi, 0C0000189h

loc_94C952:				; CODE XREF: CmRestoreKey(x,x,x,x)+4BDj
					; CmRestoreKey(x,x,x,x)+4DDj ...
		mov	[ebp+var_161], bl

loc_94C958:				; CODE XREF: CmRestoreKey(x,x,x,x)+384j
					; CmRestoreKey(x,x,x,x)+636j
		mov	ebx, [ebp+var_1D0]
		mov	ecx, esi
		mov	edx, ebx
		call	_CmpDeleteTree@8 ; CmpDeleteTree(x,x)
		test	al, al
		jz	short loc_94C977
		xor	eax, eax
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	CmpFreeKeyByCell

loc_94C977:				; CODE XREF: CmRestoreKey(x,x,x,x)+B73j
		mov	al, [ebp+var_171]
		mov	bl, al
		test	al, al
		jz	short loc_94C98A

loc_94C983:				; CODE XREF: CmRestoreKey(x,x,x,x)+302j
		mov	ecx, esi
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)

loc_94C98A:				; CODE XREF: CmRestoreKey(x,x,x,x)+B8Bj
		test	bl, bl
		jz	loc_94BF25

loc_94C992:				; CODE XREF: CmRestoreKey(x,x,x,x)+28Cj
					; CmRestoreKey(x,x,x,x)+2A7j ...
		mov	ecx, [ebp+var_168]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		jmp	loc_94BF25
; 

loc_94C9A2:				; CODE XREF: CmRestoreKey(x,x,x,x)+1C8j
					; CmRestoreKey(x,x,x,x)+1D1j
		mov	edi, 0C000000Dh
		mov	ebx, ecx
		jmp	loc_94BF2B
_CmRestoreKey@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSaveKey(x, x, x, x)
_CmSaveKey@16	proc near		; CODE XREF: NtSaveKeyEx(x,x,x)+19Bp
					; CmDumpKey(x,x,x)+93p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_57		= byte ptr -57h
var_56		= byte ptr -56h
var_55		= byte ptr -55h
var_54		= dword	ptr -54h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_7C], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_24]
		mov	[ebp+var_74], ecx
		stosd
		xor	ebx, ebx
		push	30h		; size_t
		push	ebx		; int
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_54]
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_70]
		stosd
		lea	ecx, [ebp+var_54]
		add	esp, 0Ch
		or	esi, 0FFFFFFFFh
		stosd
		stosd
		stosd
		mov	word ptr [ebp+var_70+2], si
		call	_CmpInitializeKeyNodeStack@4 ; CmpInitializeKeyNodeStack(x)
		lea	ecx, [ebp+var_24]
		mov	byte ptr [ebp+var_60], bl
		mov	[ebp+var_55], bl
		xor	edi, edi
		mov	[ebp+var_57], bl
		mov	[ebp+var_56], bl
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_78], esi
		call	CmpUuidCreate
		mov	esi, eax
		test	esi, esi
		js	loc_94CB50
		lea	ecx, [ebp+var_14]
		call	CmpUuidCreate
		mov	esi, eax
		test	esi, esi
		js	loc_94CB50
		lea	edx, [ebp+var_14]
		lea	ecx, [ebp+var_24]
		call	_CmpCreateTemporaryHive@8 ; CmpCreateTemporaryHive(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_94CA57
		mov	esi, 0C000009Ah
		jmp	loc_94CB50
; 

loc_94CA57:				; CODE XREF: CmSaveKey(x,x,x,x)+9Dj
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ebx, [ebp+var_74]
		lea	ecx, [ebp+var_70]
		mov	[ebp+var_60], 1
		mov	ebx, [ebx+8]
		mov	edx, ebx
		call	_CmpStartKcbStackForTopLayerKcb@8 ; CmpStartKcbStackForTopLayerKcb(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_94CB4D
		lea	ecx, [ebp+var_70]
		call	_CmpLockKcbStackShared@4 ; CmpLockKcbStackShared(x)
		mov	al, byte ptr [ebp+var_60]
		mov	[ebp+var_55], al
		mov	eax, [ebx+10h]
		cmp	eax, ds:_CmpMasterHive
		jnz	short loc_94CAA0
		mov	esi, 0C0000022h
		jmp	loc_94CB4D
; 

loc_94CAA0:				; CODE XREF: CmSaveKey(x,x,x,x)+E6j
		mov	ecx, ebx
		call	_CmpTraceHiveSaveStart@4 ; CmpTraceHiveSaveStart(x)
		mov	al, byte ptr [ebp+var_60]
		xor	edx, edx
		mov	ecx, [ebp+var_74]
		mov	[ebp+var_57], al
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	loc_94CB4D
		movzx	edx, word ptr [ebx+22h]
		lea	ecx, [ebp+var_54]
		inc	dx
		call	_CmpStartKeyNodeStack@8	; CmpStartKeyNodeStack(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_94CB4D
		lea	ecx, [ebp+var_70]
		call	_CmpLockKcbStackFlusherLocksExclusive@4	; CmpLockKcbStackFlusherLocksExclusive(x)
		push	0
		lea	edx, [ebp+var_70]
		lea	ecx, [ebp+var_54]
		call	_CmpPopulateKeyNodeStackFromKcbStack@12	; CmpPopulateKeyNodeStackFromKcbStack(x,x,x)
		push	3
		push	20019h
		push	[ebp+arg_4]
		lea	eax, [ebp+var_54]
		xor	edx, edx
		push	eax
		xor	ecx, ecx
		call	_CmpDoAccessCheckOnLayeredSubtree@24 ; CmpDoAccessCheckOnLayeredSubtree(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_94CB45
		mov	esi, [ebx+10h]
		mov	[ebp+var_5C], esi
		test	byte ptr [esi+64h], 2
		jz	loc_94CC14
		xor	eax, eax
		cmp	[esi+34h], eax
		jz	loc_94CC14
		cmp	[esi+400h], eax
		jz	loc_94CC14
		cmp	[ebx+22h], ax
		jz	loc_94CBBD
		push	19h
		pop	ecx
		call	_CmpLogUnsupportedOperation@4 ;	CmpLogUnsupportedOperation(x)
		mov	esi, 0C0000002h

loc_94CB45:				; CODE XREF: CmSaveKey(x,x,x,x)+157j
					; CmSaveKey(x,x,x,x)+226j ...
		lea	ecx, [ebp+var_70]
		call	_CmpUnlockKcbStackFlusherLocksExclusive@4 ; CmpUnlockKcbStackFlusherLocksExclusive(x)

loc_94CB4D:				; CODE XREF: CmSaveKey(x,x,x,x)+C9j
					; CmSaveKey(x,x,x,x)+EDj ...
		mov	ebx, [ebp+var_5C]

loc_94CB50:				; CODE XREF: CmSaveKey(x,x,x,x)+76j
					; CmSaveKey(x,x,x,x)+88j ...
		lea	ecx, [ebp+var_54]
		call	CmpCleanupKeyNodeStack
		cmp	[ebp+var_55], 0
		jz	short loc_94CB66
		lea	ecx, [ebp+var_70]
		call	CmpUnlockKcbStack

loc_94CB66:				; CODE XREF: CmSaveKey(x,x,x,x)+1AEj
		cmp	byte ptr [ebp+var_60], 0
		jz	short loc_94CB71
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_94CB71:				; CODE XREF: CmSaveKey(x,x,x,x)+1BCj
		cmp	[ebp+var_56], 0
		jz	short loc_94CB82
		lea	ecx, [ebx+430h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_94CB82:				; CODE XREF: CmSaveKey(x,x,x,x)+1C7j
		lea	ecx, [ebp+var_70]
		call	_CmpCleanupKcbStack@4 ;	CmpCleanupKcbStack(x)
		test	edi, edi
		jz	short loc_94CB9D
		xor	eax, eax
		mov	ecx, edi
		mov	[edi+408h], eax
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)

loc_94CB9D:				; CODE XREF: CmSaveKey(x,x,x,x)+1DEj
		cmp	[ebp+var_57], 0
		jz	short loc_94CBAA
		mov	ecx, esi
		call	_CmpTraceHiveSaveStop@4	; CmpTraceHiveSaveStop(x)

loc_94CBAA:				; CODE XREF: CmSaveKey(x,x,x,x)+1F3j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_94CBBD:				; CODE XREF: CmSaveKey(x,x,x,x)+184j
		lea	ecx, [esi+430h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	[ebp+var_56], al
		test	al, al
		jnz	short loc_94CBD9
		mov	esi, 0C000017Ch
		jmp	loc_94CB45
; 

loc_94CBD9:				; CODE XREF: CmSaveKey(x,x,x,x)+21Fj
		lea	ecx, [ebp+var_70]
		call	_CmpUnlockKcbStackFlusherLocksExclusive@4 ; CmpUnlockKcbStackFlusherLocksExclusive(x)
		lea	ecx, [ebp+var_70]
		call	CmpUnlockKcbStack
		xor	ebx, ebx
		mov	[ebp+var_55], bl
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	edx, [ebp+var_7C]
		mov	ecx, esi
		mov	byte ptr [ebp+var_60], bl
		call	_CmpSaveKeyByFileCopy@8	; CmpSaveKeyByFileCopy(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_94CB4D
		call	_CmpTraceHiveSaveFileCopied@0 ;	CmpTraceHiveSaveFileCopied()
		jmp	loc_94CB4D
; 

loc_94CC14:				; CODE XREF: CmSaveKey(x,x,x,x)+163j
					; CmSaveKey(x,x,x,x)+16Ej ...
		mov	eax, [edi+20h]
		xor	ebx, ebx
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		mov	[eax+18h], ecx
		lea	eax, [ebp+var_78]
		push	eax
		push	ebx
		push	[ebp+var_60]
		mov	[edi+9Ch], ecx
		lea	ecx, [ebp+var_54]
		push	0FFFFFFFFh
		call	_CmpCopyMergeOfLayeredKeyNode@24 ; CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_94CB45
		call	_CmpTraceHiveSaveTreeCopied@0 ;	CmpTraceHiveSaveTreeCopied()
		mov	eax, [edi+20h]
		mov	ecx, [ebp+var_78]
		push	ecx
		mov	[eax+24h], ecx
		lea	ecx, [ebp+var_54]
		mov	edx, [ebp+var_54]
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	edx, edi
		mov	ecx, eax
		call	_CmpKeyNodeStackEntryPopulate@12 ; CmpKeyNodeStackEntryPopulate(x,x,x)
		lea	edx, [ebp+var_54]
		xor	ecx, ecx
		call	_CmpFullPromoteSingleKeyFromKeyNodeStacks@8 ; CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_94CB45
		push	ecx
		lea	edx, [ebp+var_54]
		xor	ecx, ecx
		call	_CmpPromoteSubtree@12 ;	CmpPromoteSubtree(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_94CB45
		lea	ecx, [ebp+var_70]
		call	_CmpUnlockKcbStackFlusherLocksExclusive@4 ; CmpUnlockKcbStackFlusherLocksExclusive(x)
		lea	ecx, [ebp+var_54]
		call	CmpCleanupKeyNodeStack
		lea	ecx, [ebp+var_54] ; void *
		call	_CmpInitializeKeyNodeStack@4 ; CmpInitializeKeyNodeStack(x)
		lea	ecx, [ebp+var_70]
		call	CmpUnlockKcbStack
		mov	[ebp+var_55], bl
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	eax, [ebp+var_7C]
		mov	ecx, edi
		mov	byte ptr [ebp+var_60], bl
		mov	[edi+408h], eax
		call	_HvWriteExternal@4 ; HvWriteExternal(x)
		mov	esi, eax
		test	esi, esi
		js	loc_94CB4D
		mov	esi, ebx
		jmp	loc_94CB4D
_CmSaveKey@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmSaveMergedKeys(x,	x, x, x)
_CmSaveMergedKeys@16 proc near		; CODE XREF: NtSaveMergedKeys(x,x,x)+154p

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_59		= byte ptr -59h
var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		or	[ebp+var_94], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_58]
		or	[ebp+var_8C], 0FFFFFFFFh
		stosd
		mov	ebx, edx
		xor	edx, edx
		mov	[ebp+var_98], ecx
		mov	[ebp+var_90], edx
		mov	[ebp+var_88], edx
		stosd
		mov	[ebp+var_84], edx
		mov	[ebp+var_78], edx
		mov	[ebp+var_60], edx
		stosd
		mov	[ebp+var_7C], ebx
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_48]
		stosd
		stosd
		stosd
		stosd
		mov	edi, edx
		mov	edx, [ecx+8]
		mov	ecx, [ebx+8]
		mov	[ebp+var_68], ecx
		mov	[ebp+var_6C], edx
		mov	eax, [edx+10h]
		mov	ebx, [ecx+10h]
		mov	[ebp+var_64], eax
		mov	eax, [edx+14h]
		mov	[ebp+var_70], eax
		mov	eax, [ecx+14h]
		lea	ecx, [ebp+var_58]
		mov	[ebp+var_74], eax
		xor	eax, eax
		mov	[ebp+var_59], al
		call	CmpUuidCreate
		mov	esi, eax
		test	esi, esi
		js	loc_94D063
		lea	ecx, [ebp+var_48]
		call	CmpUuidCreate
		mov	esi, eax
		test	esi, esi
		js	loc_94D063
		mov	eax, ds:_CmpMasterHive
		cmp	ebx, eax
		jz	loc_94CFE6
		mov	esi, [ebp+var_64]
		cmp	esi, eax
		jz	loc_94CFE6
		cmp	ebx, esi
		jnz	short loc_94CDAA

loc_94CDA0:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+131j
					; CmSaveMergedKeys(x,x,x,x)+13Cj
		mov	esi, 0C000000Dh
		jmp	loc_94D063
; 

loc_94CDAA:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+C3j
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	edx, [ebp+var_68]
		mov	ecx, [ebp+var_6C]
		call	_CmpLockTwoKcbsShared@8	; CmpLockTwoKcbsShared(x,x)
		mov	eax, [ebp+var_6C]
		xor	ecx, ecx
		mov	[ebp+var_59], 1
		cmp	[eax+22h], cx
		jnz	loc_94CFD7
		mov	eax, [ebp+var_68]
		cmp	[eax+22h], cx
		jnz	loc_94CFD7
		mov	ecx, [ebp+var_98]
		xor	edx, edx
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_94CFCD
		mov	ecx, [ebp+var_7C]
		xor	edx, edx
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jnz	loc_94CFCD
		xor	eax, eax
		test	byte ptr [esi+64h], 2
		jz	short loc_94CE0E
		cmp	[esi+34h], eax
		jnz	short loc_94CDA0

loc_94CE0E:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+12Cj
		test	byte ptr [ebx+64h], 2
		jz	short loc_94CE19
		cmp	[ebx+34h], eax
		jnz	short loc_94CDA0

loc_94CE19:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+137j
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_58]
		call	_CmpCreateTemporaryHive@8 ; CmpCreateTemporaryHive(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_94CE34

loc_94CE2A:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+1FDj
					; CmSaveMergedKeys(x,x,x,x)+21Cj ...
		mov	esi, 0C000009Ah
		jmp	loc_94D063
; 

loc_94CE34:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+14Dj
		xor	eax, eax
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	CmpBlockTwoHiveWrites
		mov	esi, eax
		test	esi, esi
		js	loc_94D063
		mov	ecx, [ebp+var_64]
		mov	[ebp+var_60], 6
		call	_CmLockHiveSecurityShared@4 ; CmLockHiveSecurityShared(x)
		mov	edx, [ebp+var_70]
		mov	ecx, [ebp+var_64]
		push	3
		push	20019h
		push	[ebp+arg_4]
		call	_CmpDoAccessCheckOnSubtree@20 ;	CmpDoAccessCheckOnSubtree(x,x,x,x,x)
		mov	ecx, [ebp+var_64]
		mov	esi, eax
		call	_CmUnlockHiveSecurity@4	; CmUnlockHiveSecurity(x)
		test	esi, esi
		js	loc_94D063
		mov	ecx, ebx
		call	_CmLockHiveSecurityShared@4 ; CmLockHiveSecurityShared(x)
		mov	edx, [ebp+var_74]
		mov	ecx, ebx
		push	3
		push	20019h
		push	[ebp+arg_4]
		call	_CmpDoAccessCheckOnSubtree@20 ;	CmpDoAccessCheckOnSubtree(x,x,x,x,x)
		mov	ecx, ebx
		mov	esi, eax
		call	_CmUnlockHiveSecurity@4	; CmUnlockHiveSecurity(x)
		test	esi, esi
		js	loc_94D063
		mov	ecx, edi
		call	_HvLockHiveFlusherExclusive@4 ;	HvLockHiveFlusherExclusive(x)
		mov	esi, [ebp+var_64]
		xor	eax, eax
		mov	edx, [ebp+var_70]
		push	eax
		push	ecx
		push	6
		push	0FFFFFFFFh
		push	edi
		mov	ecx, esi
		mov	[ebp+var_60], 7
		call	_CmpCopyKeyPartial@28 ;	CmpCopyKeyPartial(x,x,x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_7C], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	loc_94CE2A
		mov	eax, [edi+20h]
		mov	edx, [ebp+var_70]
		mov	[eax+24h], ecx
		xor	eax, eax
		push	eax
		push	2
		push	ecx
		push	edi
		mov	ecx, esi
		call	_CmpCopySyncTree@24 ; CmpCopySyncTree(x,x,x,x,x,x)
		test	al, al
		jz	loc_94CE2A
		mov	ecx, esi
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_60], 5
		push	eax
		push	[ebp+var_74]
		push	ebx
		call	dword ptr [ebx+4]
		mov	[ebp+var_78], eax
		test	eax, eax
		jz	loc_94CE2A
		mov	esi, [ebp+var_7C]
		lea	eax, [ebp+var_94]
		push	eax
		push	esi
		push	edi
		call	dword ptr [edi+4]
		mov	[ebp+var_84], eax
		test	eax, eax
		jnz	short loc_94CF47

loc_94CF3D:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+27Bj
		mov	esi, 0C000009Ah
		jmp	loc_94D03E
; 

loc_94CF47:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+260j
		push	eax
		push	esi
		push	edi
		push	[ebp+var_78]
		mov	ecx, ebx
		call	_CmpMergeKeyValues@24 ;	CmpMergeKeyValues(x,x,x,x,x,x)
		test	al, al
		jz	short loc_94CF3D
		lea	eax, [ebp+var_8C]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		lea	eax, [ebp+var_94]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	edx, [ebp+var_74]
		mov	ecx, ebx
		push	2
		push	2
		push	esi
		push	edi
		call	_CmpCopySyncTree@24 ; CmpCopySyncTree(x,x,x,x,x,x)
		test	al, al
		jz	loc_94CE2A
		mov	ecx, ebx
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		mov	ecx, edi
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)
		mov	edx, [ebp+var_68]
		xor	eax, eax
		mov	ecx, [ebp+var_6C]
		mov	[ebp+var_60], eax
		call	CmpUnlockTwoKcbs
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		xor	eax, eax
		mov	ecx, edi
		mov	[ebp+var_59], al
		mov	eax, [ebp+arg_0]
		mov	[edi+408h], eax
		call	_HvWriteExternal@4 ; HvWriteExternal(x)
		mov	esi, eax
		xor	eax, eax
		mov	[edi+408h], eax
		jmp	loc_94D063
; 

loc_94CFCD:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+10Ej
					; CmSaveMergedKeys(x,x,x,x)+120j
		mov	esi, 0C000017Ch
		jmp	loc_94D063
; 

loc_94CFD7:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+ECj
					; CmSaveMergedKeys(x,x,x,x)+F9j
		push	13h
		pop	ecx
		call	_CmpLogUnsupportedOperation@4 ;	CmpLogUnsupportedOperation(x)
		mov	esi, 0C0000002h
		jmp	short loc_94D063
; 

loc_94CFE6:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+B0j
					; CmSaveMergedKeys(x,x,x,x)+BBj
		cmp	dword_6B2348, 5
		jbe	short loc_94D039
		push	4000h
		xor	eax, eax
		mov	esi, offset dword_6B2348
		push	eax
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_94D039
		lea	eax, [ebp+var_80]
		mov	[ebp+var_80], 1000000h
		mov	[ebp+var_18], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_38]
		mov	[ebp+var_7C], ecx
		push	eax
		push	3
		push	ecx
		push	ecx
		push	offset dword_41AC7C
		push	esi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_94D039:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+312j
					; CmSaveMergedKeys(x,x,x,x)+32Aj
		mov	esi, 0C0000022h

loc_94D03E:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+267j
		cmp	[ebp+var_78], 0
		jz	short loc_94D04F
		lea	eax, [ebp+var_8C]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]

loc_94D04F:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+367j
		cmp	[ebp+var_84], 0
		jz	short loc_94D063
		lea	eax, [ebp+var_94]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_94D063:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+91j
					; CmSaveMergedKeys(x,x,x,x)+A3j ...
		test	byte ptr [ebp+var_60], 4
		jz	short loc_94D070
		mov	ecx, ebx
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)

loc_94D070:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+38Cj
		mov	ebx, [ebp+var_60]
		test	bl, 2
		jz	short loc_94D080
		mov	ecx, [ebp+var_64]
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)

loc_94D080:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+39Bj
		test	bl, 1
		jz	short loc_94D08C
		mov	ecx, edi
		call	_HvUnlockHiveFlusherExclusive@4	; HvUnlockHiveFlusherExclusive(x)

loc_94D08C:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+3A8j
		cmp	[ebp+var_59], 0
		jz	short loc_94D0A2
		mov	edx, [ebp+var_68]
		mov	ecx, [ebp+var_6C]
		call	CmpUnlockTwoKcbs
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_94D0A2:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+3B5j
		test	edi, edi
		jz	short loc_94D0AD
		mov	ecx, edi
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)

loc_94D0AD:				; CODE XREF: CmSaveMergedKeys(x,x,x,x)+3C9j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_CmSaveMergedKeys@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCreateTemporaryHive(x, x)
_CmpCreateTemporaryHive@8 proc near	; CODE XREF: CmSaveKey(x,x,x,x)+94p
					; CmSaveMergedKeys(x,x,x,x)+144p

var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 164h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_160]
		push	154h		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	edi, edx
		mov	[ebp+var_164], ebx
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_160]
		xor	edx, edx
		lea	ecx, [ebp+var_164]
		push	eax
		push	ebx
		push	edi
		push	esi
		push	1120000h
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	1
		call	_CmpCreateHive@48 ; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_94D127
		mov	eax, [ebp+var_164]
		jmp	short loc_94D129
; 

loc_94D127:				; CODE XREF: CmpCreateTemporaryHive(x,x)+5Dj
		xor	eax, eax

loc_94D129:				; CODE XREF: CmpCreateTemporaryHive(x,x)+65j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpCreateTemporaryHive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLoadHiveVolatile(x, x)
_CmpLoadHiveVolatile@8 proc near	; CODE XREF: CmRestoreKey(x,x,x,x)+1E6p

var_1C0		= dword	ptr -1C0h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		or	[ebp+var_1A0], 0FFFFFFFFh
		push	esi
		push	edi
		lea	edi, [ebp+var_24]
		mov	[ebp+var_1A4], edx
		stosd
		xor	edx, edx
		push	154h		; size_t
		push	edx		; int
		mov	[ebp+var_1A8], ecx
		mov	ebx, edx
		stosd
		mov	[ebp+var_19C], edx
		mov	[ebp+var_184], edx
		mov	[ebp+var_190], edx
		stosd
		mov	[ebp+var_198], edx
		mov	[ebp+var_194], edx
		mov	[ebp+var_18C], edx
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_14]
		mov	[ebp+var_188], edx
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_180]
		mov	edi, [ecx+8]
		push	eax		; void *
		mov	[ebp+var_1B0], edi
		call	_memset
		add	esp, 0Ch
		call	CmpAcquireShutdownRundown
		test	al, al
		jnz	short loc_94D1D4
		mov	eax, 0C0000189h
		jmp	loc_94D3C0
; 

loc_94D1D4:				; CODE XREF: CmpLoadHiveVolatile(x,x)+90j
		lea	ecx, [ebp+var_24]
		call	CmpUuidCreate
		mov	esi, eax
		test	esi, esi
		js	loc_94D3B9
		lea	ecx, [ebp+var_14]
		call	CmpUuidCreate
		mov	esi, eax
		test	esi, esi
		js	loc_94D3B9
		mov	eax, [edi+10h]
		mov	[ebp+var_1AC], eax
		cmp	eax, ds:_CmpMasterHive
		jz	short loc_94D213
		mov	esi, 0C000000Dh
		jmp	loc_94D3B9
; 

loc_94D213:				; CODE XREF: CmpLoadHiveVolatile(x,x)+CFj
		xor	eax, eax
		lea	edi, [ebp+var_1C0]
		stosd
		lea	ecx, [ebp+var_190]
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_1A4]
		xor	edi, edi
		mov	[ebp+var_1C0], eax
		lea	eax, [ebp+var_180]
		push	eax
		push	edi
		push	edi
		push	edi
		push	1190001h
		push	edi
		lea	eax, [ebp+var_1C0]
		push	eax
		push	edi
		push	edi
		push	8000h
		push	2
		pop	eax
		mov	edx, eax
		call	_CmpCreateHive@48 ; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_94D266
		mov	esi, eax
		jmp	loc_94D3B9
; 

loc_94D266:				; CODE XREF: CmpLoadHiveVolatile(x,x)+125j
		lea	eax, [ebp+var_180]
		xor	edx, edx
		push	eax
		push	edi
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	1120000h
		push	edi
		push	edi
		push	edi
		push	edi
		push	1
		lea	ecx, [ebp+var_184]
		call	_CmpCreateHive@48 ; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_94D39E
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	ecx, [ebp+var_1A8]
		xor	edx, edx
		call	CmpIsKeyDeletedForKeyBody
		test	al, al
		jz	short loc_94D2B8
		mov	esi, 0C000017Ch
		jmp	loc_94D38E
; 

loc_94D2B8:				; CODE XREF: CmpLoadHiveVolatile(x,x)+174j
		mov	eax, [ebp+var_1AC]
		cmp	byte ptr [eax+6DCh], 1
		jnz	short loc_94D2D1
		mov	esi, 0C0000189h
		jmp	loc_94D38E
; 

loc_94D2D1:				; CODE XREF: CmpLoadHiveVolatile(x,x)+18Dj
		push	1
		push	ecx
		push	2
		pop	ecx
		push	ecx
		mov	ecx, [ebp+var_190]
		push	0FFFFFFFFh
		push	[ebp+var_184]
		mov	edx, [ecx+20h]
		mov	edx, [edx+24h]
		call	_CmpCopyKeyPartial@28 ;	CmpCopyKeyPartial(x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0FFFFFFFFh
		jz	loc_94D389
		mov	eax, [ebp+var_184]
		push	edi
		push	2
		mov	eax, [eax+20h]
		mov	[eax+24h], esi
		mov	ecx, [ebp+var_190]
		pop	eax
		push	eax
		push	esi
		mov	edx, [ecx+20h]
		push	[ebp+var_184]
		mov	edx, [edx+24h]
		call	_CmpCopySyncTree@24 ; CmpCopySyncTree(x,x,x,x,x,x)
		test	al, al
		jz	short loc_94D389
		lea	eax, [ebp+var_1A0]
		push	eax
		mov	eax, [ebp+var_184]
		push	esi
		push	eax
		call	dword ptr [eax+4]
		mov	edi, eax
		test	edi, edi
		jz	short loc_94D389
		mov	ecx, [ebp+var_1B0]
		call	_CmpConstructName@4 ; CmpConstructName(x)
		mov	ecx, edi
		mov	ebx, eax
		call	_CmpHKeyNameLen@4 ; CmpHKeyNameLen(x)
		add	ax, [ebx]
		push	2
		pop	ecx
		add	ax, cx
		push	20204D43h
		movzx	esi, ax
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_188], eax
		test	eax, eax
		jnz	short loc_94D3CF
		lea	eax, [ebp+var_1A0]
		push	eax
		mov	eax, [ebp+var_184]
		push	eax
		call	dword ptr [eax+8]

loc_94D389:				; CODE XREF: CmpLoadHiveVolatile(x,x)+1BEj
					; CmpLoadHiveVolatile(x,x)+1EFj ...
		mov	esi, 0C000009Ah

loc_94D38E:				; CODE XREF: CmpLoadHiveVolatile(x,x)+17Bj
					; CmpLoadHiveVolatile(x,x)+194j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	ecx, [ebp+var_184]
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)

loc_94D39E:				; CODE XREF: CmpLoadHiveVolatile(x,x)+15Aj
		mov	ecx, [ebp+var_190]
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)
		test	ebx, ebx
		jz	short loc_94D3B9
		mov	edx, 624E4D43h
		mov	ecx, ebx
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_94D3B9:				; CODE XREF: CmpLoadHiveVolatile(x,x)+A8j
					; CmpLoadHiveVolatile(x,x)+BAj	...
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)
		mov	eax, esi

loc_94D3C0:				; CODE XREF: CmpLoadHiveVolatile(x,x)+97j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_94D3CF:				; CODE XREF: CmpLoadHiveVolatile(x,x)+23Ej
		push	ebx
		lea	eax, [ebp+var_18C]
		mov	word ptr [ebp+var_18C+2], si
		push	eax
		mov	word ptr [ebp+var_18C],	si
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		lea	eax, [ebp+var_18C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		test	byte ptr [edi+2], 20h
		lea	edx, [edi+4Ch]
		jz	short loc_94D440
		movzx	esi, word ptr [ebp+var_18C]
		mov	ecx, edi
		call	_CmpHKeyNameLen@4 ; CmpHKeyNameLen(x)
		movzx	eax, ax
		push	eax
		mov	eax, [ebp+var_188]
		push	edx
		movzx	edx, word ptr [ebp+var_18C+2]
		sub	edx, esi
		shr	esi, 1
		lea	ecx, [eax+esi*2]
		call	_CmpCopyCompressedName@16 ; CmpCopyCompressedName(x,x,x,x)
		mov	ecx, edi
		call	_CmpHKeyNameLen@4 ; CmpHKeyNameLen(x)
		add	word ptr [ebp+var_18C],	ax
		jmp	short loc_94D46B
; 

loc_94D440:				; CODE XREF: CmpLoadHiveVolatile(x,x)+2CAj
		mov	ax, [edi+48h]
		mov	word ptr [ebp+var_198+2], ax
		mov	word ptr [ebp+var_198],	ax
		lea	eax, [ebp+var_198]
		push	eax
		lea	eax, [ebp+var_18C]
		mov	[ebp+var_194], edx
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)

loc_94D46B:				; CODE XREF: CmpLoadHiveVolatile(x,x)+306j
		lea	eax, [ebp+var_1A0]
		push	eax
		mov	eax, [ebp+var_184]
		push	eax
		call	dword ptr [eax+8]
		lea	eax, [ebp+var_180]
		xor	edi, edi
		push	eax
		push	1
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	200h
		push	edi
		push	[ebp+var_184]
		xor	edx, edx
		lea	ecx, [ebp+var_18C]
		call	CmpLinkHiveToMaster
		mov	esi, eax
		test	esi, esi
		js	short loc_94D513
		mov	ecx, [ebp+var_184]
		call	CmpAddToHiveFileList
		xor	edx, edx
		mov	ecx, offset _CmpHiveListHeadLock
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, ds:dword_A940F4
		mov	edx, offset _CmpHiveListHead
		mov	eax, [ebp+var_184]
		add	eax, 420h
		cmp	[ecx], edx
		jz	short loc_94D4E1
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_94D4E1:				; CODE XREF: CmpLoadHiveVolatile(x,x)+3A2j
		mov	[eax], edx
		xor	edx, edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ecx, offset _CmpHiveListHeadLock
		mov	ds:dword_A940F4, eax
		call	ExReleasePushLockEx
		cmp	ds:_CmpProfileLoaded, 0
		jnz	short loc_94D513
		mov	eax, ds:_CmpGlobalQuota
		mov	ds:_CmpProfileLoaded, 1
		mov	ds:_CmpGlobalQuotaAllowed, eax

loc_94D513:				; CODE XREF: CmpLoadHiveVolatile(x,x)+371j
					; CmpLoadHiveVolatile(x,x)+3C8j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		test	esi, esi
		jns	short loc_94D527
		mov	ecx, [ebp+var_184]
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)

loc_94D527:				; CODE XREF: CmpLoadHiveVolatile(x,x)+3E2j
		mov	ecx, [ebp+var_190]
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)
		push	edi
		push	[ebp+var_188]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	624E4D43h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_94D3B9
_CmpLoadHiveVolatile@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRefreshHive(x)
_CmpRefreshHive@4 proc near		; CODE XREF: CmRestoreKey(x,x,x,x)+1F9p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_44]
		stosd
		mov	edx, ecx
		xor	ecx, ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_24], ecx
		mov	bl, cl
		or	[ebp+var_24], 0FFFFFFFFh
		stosd
		mov	[ebp+var_20], ecx
		mov	[ebp+var_2C], ecx
		or	[ebp+var_2C], 0FFFFFFFFh
		stosd
		mov	[ebp+var_28], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ecx
		stosd
		xor	eax, eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_1], cl
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_34]
		mov	word ptr [ebp+var_20], ax
		mov	word ptr [ebp+var_28], ax
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		mov	edi, [edx+8]
		mov	[ebp+var_C], edi
		mov	esi, [edi+10h]
		lea	ecx, [esi+430h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	[ebp+var_3], al
		test	al, al
		jnz	short loc_94D5C8
		mov	edi, 0C0000425h
		jmp	short loc_94D609
; 

loc_94D5C8:				; CODE XREF: CmpRefreshHive(x)+71j
		mov	ecx, esi
		call	CmpBecomeActiveFlusherAndReconciler
		xor	ebx, ebx
		inc	ebx
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	ecx, edi
		call	_CmpLockKcbShared@4 ; CmpLockKcbShared(x)
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		mov	[ebp+var_2], bl
		call	CmpPerformKeyBodyDeletionCheck
		mov	edi, eax
		test	edi, edi
		js	short loc_94D5FE
		cmp	[esi+6DCh], bl
		jnz	short loc_94D65B
		mov	edi, 0C0000189h

loc_94D5FE:				; CODE XREF: CmpRefreshHive(x)+A1j
					; CmpRefreshHive(x)+118j ...
		mov	ecx, [ebp+var_C]

loc_94D601:				; CODE XREF: CmpRefreshHive(x)+166j
					; CmpRefreshHive(x)+179j
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	[ebp+var_1], bl

loc_94D609:				; CODE XREF: CmpRefreshHive(x)+78j
					; CmpRefreshHive(x)+1AFj ...
		xor	dl, dl
		lea	ecx, [ebp+var_34]
		call	CmpDrainDelayDerefContext
		cmp	[ebp+var_1], 0
		jz	short loc_94D61E
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_94D61E:				; CODE XREF: CmpRefreshHive(x)+C9j
		test	bl, bl
		jz	short loc_94D629
		mov	ecx, esi
		call	CmpFinishBeingActiveFlusherAndReconciler

loc_94D629:				; CODE XREF: CmpRefreshHive(x)+D2j
		cmp	[ebp+var_3], 0
		jz	short loc_94D63A
		lea	ecx, [esi+430h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_94D63A:				; CODE XREF: CmpRefreshHive(x)+DFj
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_94D646
		call	_CmpDestroyHive@4 ; CmpDestroyHive(x)

loc_94D646:				; CODE XREF: CmpRefreshHive(x)+F1j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_94D654
		mov	ecx, eax
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_94D654:				; CODE XREF: CmpRefreshHive(x)+FDj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_94D65B:				; CODE XREF: CmpRefreshHive(x)+A9j
		test	byte ptr [esi+64h], 2
		jnz	short loc_94D668
		mov	edi, 0C000000Dh
		jmp	short loc_94D5FE
; 

loc_94D668:				; CODE XREF: CmpRefreshHive(x)+111j
		mov	ecx, esi
		call	_HvLockHiveFlusherShared@4 ; HvLockHiveFlusherShared(x)
		mov	ecx, esi
		call	_HvLockHiveWriter@4 ; HvLockHiveWriter(x)
		cmp	dword ptr [esi+264h], 0
		mov	ecx, esi
		jz	short loc_94D697
		mov	edi, 0C0000001h
		call	HvUnlockHiveWriter
		mov	ecx, esi
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		jmp	loc_94D841
; 

loc_94D697:				; CODE XREF: CmpRefreshHive(x)+131j
		call	HvUnlockHiveWriter
		mov	ecx, esi
		call	_HvUnlockHiveFlusherShared@4 ; HvUnlockHiveFlusherShared(x)
		mov	ecx, [ebp+var_C]
		test	dword ptr [ecx+68h], 40000h
		jnz	short loc_94D6B9
		mov	edi, 0C000000Dh
		jmp	loc_94D601
; 

loc_94D6B9:				; CODE XREF: CmpRefreshHive(x)+15Fj
		cmp	dword ptr [esi+6D0h], 0
		jbe	short loc_94D6CC
		mov	edi, 0C0000001h
		jmp	loc_94D601
; 

loc_94D6CC:				; CODE XREF: CmpRefreshHive(x)+172j
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		mov	[ebp+var_2], 0
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		push	33394D43h
		mov	edx, 154h
		mov	[ebp+var_1], 0
		mov	ecx, ebx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_1C], edi
		test	edi, edi
		jnz	short loc_94D702
		mov	edi, 0C000009Ah
		jmp	loc_94D609
; 

loc_94D702:				; CODE XREF: CmpRefreshHive(x)+1A8j
		push	154h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [esi+400h]
		add	esp, 0Ch
		mov	[ebp+var_44], eax
		mov	eax, [esi+68h]
		test	eax, eax
		jnz	short loc_94D726
		xor	edx, edx
		jmp	short loc_94D74C
; 

loc_94D726:				; CODE XREF: CmpRefreshHive(x)+1D2j
		cmp	eax, ebx
		jnz	short loc_94D737
		mov	eax, [esi+404h]
		mov	edx, ebx
		mov	[ebp+var_40], eax
		jmp	short loc_94D74C
; 

loc_94D737:				; CODE XREF: CmpRefreshHive(x)+1DAj
		mov	eax, [esi+410h]
		push	2
		mov	[ebp+var_40], eax
		mov	eax, [esi+414h]
		pop	edx
		mov	[ebp+var_3C], eax

loc_94D74C:				; CODE XREF: CmpRefreshHive(x)+1D6j
					; CmpRefreshHive(x)+1E7j
		mov	eax, [esi+980h]
		mov	ecx, [esi+64h]
		and	eax, 10000h
		push	edi
		push	0
		and	ecx, 0FFFEFFFFh
		neg	eax
		push	0
		push	0
		sbb	eax, eax
		and	eax, 0FFFFFFE0h
		add	eax, 1190042h
		push	eax
		push	0
		lea	eax, [ebp+var_44]
		push	eax
		push	0
		push	edx
		push	ecx
		push	2
		pop	edx
		lea	ecx, [ebp+var_8]
		call	_CmpCreateHive@48 ; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_94D609
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		mov	[ebp+var_1], bl
		call	CmpPerformKeyBodyDeletionCheck
		mov	edi, eax
		test	edi, edi
		js	loc_94D609
		cmp	[esi+6DCh], bl
		jnz	short loc_94D7C1
		mov	edi, 0C0000189h
		jmp	loc_94D609
; 

loc_94D7C1:				; CODE XREF: CmpRefreshHive(x)+267j
		test	byte ptr [esi+64h], 2
		jnz	short loc_94D7D1

loc_94D7C7:				; CODE XREF: CmpRefreshHive(x)+2A0j
					; CmpRefreshHive(x)+2BAj
		mov	edi, 0C000000Dh
		jmp	loc_94D609
; 

loc_94D7D1:				; CODE XREF: CmpRefreshHive(x)+277j
		cmp	dword ptr [esi+264h], 0
		jz	short loc_94D7E4

loc_94D7DA:				; CODE XREF: CmpRefreshHive(x)+2A9j
		mov	edi, 0C0000001h
		jmp	loc_94D609
; 

loc_94D7E4:				; CODE XREF: CmpRefreshHive(x)+28Aj
		mov	edi, [ebp+var_C]
		test	dword ptr [edi+68h], 40000h
		jz	short loc_94D7C7
		cmp	dword ptr [esi+6D0h], 0
		ja	short loc_94D7DA
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+20h]
		mov	edx, [eax+24h]
		mov	eax, [esi+20h]
		cmp	edx, [eax+24h]
		jnz	short loc_94D7C7
		lea	eax, [ebp+var_2C]
		push	eax
		push	edx
		push	ecx
		call	dword ptr [ecx+4]
		mov	ecx, [esi+20h]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		mov	ecx, [ecx+24h]
		push	ecx
		push	esi
		call	dword ptr [esi+4]
		mov	ecx, [ebp+var_8]
		push	0
		mov	[ebp+var_10], eax
		mov	edx, [ecx+20h]
		mov	edx, [edx+24h]
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jnz	short loc_94D872
		mov	edi, 0C000017Dh

loc_94D841:				; CODE XREF: CmpRefreshHive(x)+144j
		cmp	[ebp+var_10], 0
		jz	short loc_94D84F
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94D84F:				; CODE XREF: CmpRefreshHive(x)+2F7j
		cmp	[ebp+var_14], 0
		jz	short loc_94D860
		lea	eax, [ebp+var_2C]
		push	eax
		mov	eax, [ebp+var_8]
		push	eax
		call	dword ptr [eax+8]

loc_94D860:				; CODE XREF: CmpRefreshHive(x)+305j
		cmp	[ebp+var_2], 0
		mov	[ebp+var_1], bl
		jz	loc_94D609
		jmp	loc_94D5FE
; 

loc_94D872:				; CODE XREF: CmpRefreshHive(x)+2ECj
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_10]
		mov	eax, [eax+10h]
		or	word ptr [ecx+2], 0Ch
		mov	[ecx+10h], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		lea	eax, [ebp+var_2C]
		push	eax
		mov	eax, [ebp+var_8]
		push	eax
		call	dword ptr [eax+8]
		mov	ecx, esi
		call	_CmpCleanUpKCBCacheTable@4 ; CmpCleanUpKCBCacheTable(x)
		push	ecx
		lea	eax, [ebp+var_34]
		mov	edx, esi
		push	eax
		mov	ecx, offset _CmpRefreshWorkerRoutine@16	; CmpRefreshWorkerRoutine(x,x,x,x)
		call	_CmpSearchKeyControlBlockTree@16 ; CmpSearchKeyControlBlockTree(x,x,x,x)
		push	ebx
		lea	eax, [ebp+var_34]
		xor	edx, edx
		push	eax
		mov	ecx, edi
		call	CmpFlushNotifiesOnKeyBodyList
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	_CmpSwapHiveStorage@8 ;	CmpSwapHiveStorage(x,x)
		lea	edx, [ebp+var_34]
		mov	ecx, edi
		call	_CmpRebuildKcbCache@8 ;	CmpRebuildKcbCache(x,x)
		inc	dword ptr [esi+94h]
		xor	edi, edi
		jmp	loc_94D609
_CmpRefreshHive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRefreshWorkerRoutine(x, x, x, x)
_CmpRefreshWorkerRoutine@16 proc near	; DATA XREF: CmpRefreshHive(x)+356o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+10h]
		cmp	eax, [ebp+arg_4]
		jnz	short loc_94D91C
		test	dword ptr [esi+68h], 40000h
		jnz	short loc_94D91C
		push	1
		push	[ebp+arg_8]
		mov	ecx, esi
		push	8
		pop	edx
		call	CmpFlushNotifiesOnKeyBodyList
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_CmpMarkKeyUnbacked@8 ;	CmpMarkKeyUnbacked(x,x)
		mov	ecx, esi
		call	_CmpDiscardKcb@4 ; CmpDiscardKcb(x)
		push	2
		pop	eax
		jmp	short loc_94D91E
; 

loc_94D91C:				; CODE XREF: CmpRefreshWorkerRoutine(x,x,x,x)+Fj
					; CmpRefreshWorkerRoutine(x,x,x,x)+18j
		xor	eax, eax

loc_94D91E:				; CODE XREF: CmpRefreshWorkerRoutine(x,x,x,x)+3Dj
		pop	esi
		pop	ebp
		retn	10h
_CmpRefreshWorkerRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSaveKeyByFileCopy(x, x)
_CmpSaveKeyByFileCopy@8	proc near	; CODE XREF: CmSaveKey(x,x,x,x)+24Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	20204D43h
		push	10000h
		push	0Dh
		mov	esi, edx
		mov	edi, ecx
		call	ExAllocatePoolWithQuotaTag
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_94D953
		mov	esi, 0C000009Ah
		jmp	loc_94DA8C
; 

loc_94D953:				; CODE XREF: CmpSaveKeyByFileCopy(x,x)+24j
		mov	ecx, edi
		call	CmpBecomeActiveFlusherAndReconciler
		test	byte ptr [edi+9D0h], 2
		jz	short loc_94D96D
		mov	esi, 0C000009Ah
		jmp	loc_94DA76
; 

loc_94D96D:				; CODE XREF: CmpSaveKeyByFileCopy(x,x)+3Ej
		push	1000h
		push	ebx
		push	0
		push	0
		push	edi
		mov	[edi+408h], esi
		call	_CmpFileRead@20	; CmpFileRead(x,x,x,x,x)
		test	eax, eax
		js	loc_94DA71
		mov	esi, [ebx+28h]
		lea	eax, [ebp+var_18]
		inc	dword ptr [ebx+4]
		and	[ebp+var_18], 0
		push	0
		push	1
		push	eax
		push	2
		push	edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], 1000h
		call	_CmpFileWrite@20 ; CmpFileWrite(x,x,x,x,x)
		test	eax, eax
		js	loc_94DA71
		xor	eax, eax
		mov	[ebp+var_4], eax
		test	esi, esi
		jz	short loc_94DA1B

loc_94D9C3:				; CODE XREF: CmpSaveKeyByFileCopy(x,x)+F6j
		lea	ecx, [eax+1000h]
		sub	esi, eax
		mov	eax, 10000h
		mov	[ebp+var_8], ecx
		cmp	esi, eax
		jbe	short loc_94D9D9
		mov	esi, eax

loc_94D9D9:				; CODE XREF: CmpSaveKeyByFileCopy(x,x)+B2j
		push	esi
		push	ebx
		push	ecx
		push	0
		push	edi
		call	_CmpFileRead@20	; CmpFileRead(x,x,x,x,x)
		test	eax, eax
		js	loc_94DA71
		mov	eax, [ebp+var_8]
		push	0
		push	1
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		push	edi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], esi
		call	_CmpFileWrite@20 ; CmpFileWrite(x,x,x,x,x)
		test	eax, eax
		js	short loc_94DA71
		mov	eax, [ebp+var_4]
		add	eax, esi
		mov	esi, [ebp+var_C]
		mov	[ebp+var_4], eax
		cmp	eax, esi
		jb	short loc_94D9C3

loc_94DA1B:				; CODE XREF: CmpSaveKeyByFileCopy(x,x)+9Ej
		push	2
		pop	edx
		mov	ecx, edi
		call	_CmpFileFlush@8	; CmpFileFlush(x,x)
		test	eax, eax
		js	short loc_94DA71
		push	1000h
		push	ebx
		xor	esi, esi
		push	esi
		push	esi
		push	edi
		call	_CmpFileRead@20	; CmpFileRead(x,x,x,x,x)
		test	eax, eax
		js	short loc_94DA71
		inc	dword ptr [ebx+4]
		lea	eax, [ebp+var_18]
		inc	dword ptr [ebx+8]
		push	esi
		push	1
		push	eax
		push	2
		push	edi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], 1000h
		call	_CmpFileWrite@20 ; CmpFileWrite(x,x,x,x,x)
		test	eax, eax
		js	short loc_94DA71
		push	2
		pop	edx
		mov	ecx, edi
		call	_CmpFileFlush@8	; CmpFileFlush(x,x)
		test	eax, eax
		jns	short loc_94DA76

loc_94DA71:				; CODE XREF: CmpSaveKeyByFileCopy(x,x)+62j
					; CmpSaveKeyByFileCopy(x,x)+91j ...
		mov	esi, 0C000014Dh

loc_94DA76:				; CODE XREF: CmpSaveKeyByFileCopy(x,x)+45j
					; CmpSaveKeyByFileCopy(x,x)+14Cj
		and	dword ptr [edi+408h], 0
		mov	ecx, edi
		call	CmpFinishBeingActiveFlusherAndReconciler
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_94DA8C:				; CODE XREF: CmpSaveKeyByFileCopy(x,x)+2Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmpSaveKeyByFileCopy@8	endp


;  S U B	R O U T	I N E 


; __stdcall CmFcManagerDrainAllFeatureUsageNotifications(x)
_CmFcManagerDrainAllFeatureUsageNotifications@4	proc near
					; CODE XREF: CmFcShutdownSystem(x)+8p
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset unk_6CE1F8
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	esi, offset _CmFcSystemManager
		mov	dl, 1
		mov	ecx, esi
		call	CmFcpManagerDrainUsageNotifications
		mov	dl, 1
		mov	ecx, esi
		call	CmFcpManagerDrainUsageNotifications
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_94DADC
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_94DADC:				; CODE XREF: CmFcManagerDrainAllFeatureUsageNotifications(x)+40j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_CmFcManagerDrainAllFeatureUsageNotifications@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcManagerRegisterFeatureConfigurationChangeNotification(x, x, x, x, x)
_CmFcManagerRegisterFeatureConfigurationChangeNotification@20 proc near
					; CODE XREF: CmFcRegisterFeatureConfigurationChangeNotification(x,x,x,x)+Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		push	[ebp+arg_0]
		call	_CmFcpManagerAllocateChangeSubscription@12 ; CmFcpManagerAllocateChangeSubscription(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_94DB11
		mov	eax, 0C000009Ah
		jmp	loc_94DB9D
; 

loc_94DB11:				; CODE XREF: CmFcManagerRegisterFeatureConfigurationChangeNotification(x,x,x,x,x)+14j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset unk_6CE278
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6CE280
		mov	ecx, offset dword_6CE27C
		cmp	[eax], ecx
		jz	short loc_94DB40
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_94DB40:				; CODE XREF: CmFcManagerRegisterFeatureConfigurationChangeNotification(x,x,x,x,x)+48j
		mov	[esi+4], eax
		mov	[esi], ecx
		mov	[eax], esi
		or	eax, 0FFFFFFFFh
		mov	dword_6CE280, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_94DB61
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_94DB61:				; CODE XREF: CmFcManagerRegisterFeatureConfigurationChangeNotification(x,x,x,x,x)+67j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_94DB96
		mov	ecx, offset dword_6CE12C
		call	_RtlpFcReadHighLowHigh@4 ; RtlpFcReadHighLowHigh(x)
		cmp	eax, [edi]
		jnz	short loc_94DB8E
		cmp	edx, [edi+4]
		jz	short loc_94DB96

loc_94DB8E:				; CODE XREF: CmFcManagerRegisterFeatureConfigurationChangeNotification(x,x,x,x,x)+96j
		lea	ecx, [esi+8]
		call	_CmFcpWorkItemQueueWork@4 ; CmFcpWorkItemQueueWork(x)

loc_94DB96:				; CODE XREF: CmFcManagerRegisterFeatureConfigurationChangeNotification(x,x,x,x,x)+88j
					; CmFcManagerRegisterFeatureConfigurationChangeNotification(x,x,x,x,x)+9Bj
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		xor	eax, eax

loc_94DB9D:				; CODE XREF: CmFcManagerRegisterFeatureConfigurationChangeNotification(x,x,x,x,x)+1Bj
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	0Ch
_CmFcManagerRegisterFeatureConfigurationChangeNotification@20 endp


;  S U B	R O U T	I N E 


; __stdcall CmFcManagerUnregisterFeatureConfigurationChangeNotification(x, x)
_CmFcManagerUnregisterFeatureConfigurationChangeNotification@8 proc near
					; CODE XREF: RtlUnregisterFeatureConfigurationChangeNotification(x)+8p
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, edx
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset unk_6CE278
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	short loc_94DC29
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_94DC29
		mov	[eax], ecx
		mov	[ecx+4], eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_94DBEB
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_94DBEB:				; CODE XREF: CmFcManagerUnregisterFeatureConfigurationChangeNotification(x,x)+3Ej
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	ecx, [edi+18h]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		lea	ecx, [edi+18h]
		call	@ExRundownCompleted@4 ;	ExRundownCompleted(x)
		cmp	edi, offset unk_6CE284
		jb	short loc_94DC1E
		cmp	edi, offset unk_6CE32C
		jb	short loc_94DC26

loc_94DC1E:				; CODE XREF: CmFcManagerUnregisterFeatureConfigurationChangeNotification(x,x)+70j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_94DC26:				; CODE XREF: CmFcManagerUnregisterFeatureConfigurationChangeNotification(x,x)+78j
		pop	edi
		pop	esi
		retn
; 

loc_94DC29:				; CODE XREF: CmFcManagerUnregisterFeatureConfigurationChangeNotification(x,x)+25j
					; CmFcManagerUnregisterFeatureConfigurationChangeNotification(x,x)+2Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_CmFcManagerUnregisterFeatureConfigurationChangeNotification@8 endp ; AL = character to	display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcManagerUpdateFeatureConfigurations(x, x, x, x, x, x, x)
_CmFcManagerUpdateFeatureConfigurations@28 proc	near
					; CODE XREF: CmUpdateFeatureConfiguration(x,x,x)+118p

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0A4h+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	[esp+0B0h+var_78], eax
		lea	edi, [esp+0B0h+var_90]
		xor	eax, eax
		xor	ebx, ebx
		stosd
		mov	esi, edx
		push	30h		; size_t
		push	ebx		; int
		mov	[esp+0B8h+var_A0], ebx
		stosd
		mov	[esp+0B8h+var_9C], ebx
		mov	[esp+0B8h+var_A4], ebx
		stosd
		stosd
		lea	eax, [esp+0B8h+var_68]
		push	eax		; void *
		call	_memset
		xor	ecx, ecx
		mov	[esp+0BCh+var_98], ebx
		inc	ecx
		mov	[esp+0BCh+var_70], ebx
		mov	[esp+0BCh+var_94], ecx
		lea	edi, [esp+0BCh+var_68]
		mov	eax, [esp+esi*4+0BCh+var_98]
		add	esp, 0Ch
		mov	[esp+0B0h+var_6C], ecx
		mov	esi, [esp+esi*4+0B0h+var_70]
		shl	esi, 4
		mov	[esp+0B0h+var_98], eax
		add	edi, esi
		mov	[esp+0B0h+var_70], esi
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	ecx, offset unk_6CE128
		call	_CmSiRWLockAcquireExclusive@4 ;	CmSiRWLockAcquireExclusive(x)
		lea	eax, [esp+0B0h+var_A4]
		mov	ecx, offset unk_6CE168
		push	eax
		lea	edx, [esp+0B4h+var_A0]
		call	_RtlpFcBufferManagerReferenceBuffers@12	; RtlpFcBufferManagerReferenceBuffers(x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	eax, ecx
		mov	edx, [ebp+arg_4]
		or	eax, edx
		mov	ebx, [esp+0B0h+var_A4]
		jz	short loc_94DCF5
		cmp	[esp+0B0h+var_A0], ecx
		jnz	short loc_94DCE8
		cmp	[esp+0B0h+var_9C], edx
		jz	short loc_94DCF5

loc_94DCE8:				; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+B2j
		mov	[esp+0B0h+var_A4], 0C0000001h
		jmp	loc_94DE3C
; 

loc_94DCF5:				; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+ACj
					; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+B8j
		push	[esp+0B0h+var_9C]
		push	[esp+0B4h+var_A0]
		call	_CmFcpIncrementChangeStamp@8 ; CmFcpIncrementChangeStamp(x,x)
		and	[esp+0B0h+var_7C], 0
		mov	ecx, edx
		mov	[esp+0B0h+var_A0], eax
		mov	[esp+0B0h+var_90], eax
		mov	[edi], eax
		lea	eax, [esp+0B0h+var_7C]
		push	eax		; size_t
		push	0		; void *
		push	[ebp+arg_C]	; size_t
		mov	[esp+0BCh+var_74], ecx
		push	[esp+0BCh+var_78] ; void *
		mov	[esp+0C0h+var_8C], ecx
		mov	[edi+4], ecx
		mov	ecx, [esi+ebx+8]
		call	_RtlpFcUpdateFeatureConfiguration@24 ; RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)
		mov	esi, eax
		mov	[esp+0B0h+var_A4], esi
		test	esi, esi
		jns	loc_94DE5F
		cmp	esi, 80000005h
		jnz	loc_94DE3C
		mov	edx, _CmFcSystemManager
		lea	eax, [esp+0B0h+var_90]
		mov	ecx, [esp+0B0h+var_7C]
		push	eax
		push	[esp+0B4h+var_74]
		push	[esp+0B8h+var_A0]
		call	_CmFcpManagerCreateSection@20 ;	CmFcpManagerCreateSection(x,x,x,x,x)
		mov	esi, eax
		mov	[esp+0B0h+var_A4], esi
		test	esi, esi
		js	loc_94DE3C
		mov	edx, edi
		lea	ecx, [esp+0B0h+var_90]
		call	CmFcpMapSection
		mov	esi, eax
		mov	[esp+0B0h+var_A4], esi
		test	esi, esi
		js	loc_94DE3C
		mov	ecx, [esp+0B0h+var_70]
		lea	eax, [edi+0Ch]
		push	eax		; size_t
		push	dword ptr [edi+8] ; void *
		push	[ebp+arg_C]	; size_t
		mov	ecx, [ecx+ebx+8]
		push	[esp+0BCh+var_78] ; void *
		call	_RtlpFcUpdateFeatureConfiguration@24 ; RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)
		mov	esi, eax
		mov	[esp+0B0h+var_A4], esi
		test	esi, esi
		js	loc_94DE3C
		mov	edx, [edi+0Ch]
		mov	ecx, [edi+8]
		call	_RtlpFcValidateFeatureConfigurationBuffer@8 ; RtlpFcValidateFeatureConfigurationBuffer(x,x)
		test	eax, eax
		jns	loc_94DE5F
		cmp	dword_6B1EB8, 5
		jbe	short loc_94DE34
		push	4000h
		mov	esi, offset dword_6B1EB8
		push	1
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_94DE34
		lea	eax, [esp+0B0h+var_98]
		mov	[esp+0B0h+var_98], 1000000h
		mov	[esp+0B0h+var_18], eax
		xor	ecx, ecx
		lea	eax, [esp+0B0h+var_38]
		mov	[esp+0B0h+var_94], ecx
		push	eax
		push	3
		push	ecx
		push	ecx
		push	offset byte_41AD0B
		push	esi
		mov	[esp+0C8h+var_14], ecx
		mov	[esp+0C8h+var_10], 8
		mov	[esp+0C8h+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_94DE34:				; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+1A7j
					; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+1BEj
		mov	[esp+0B0h+var_A4], 0C00000E5h

loc_94DE3C:				; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+C2j
					; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+11Bj ...
		mov	ecx, offset unk_6CE128
		call	CmSiRWLockReleaseExclusive
		test	ebx, ebx
		jz	loc_94DF08
		mov	edx, ebx
		mov	ecx, offset unk_6CE168
		call	_RtlpFcBufferManagerDereferenceBuffers@8 ; RtlpFcBufferManagerDereferenceBuffers(x,x)
		jmp	loc_94DF08
; 

loc_94DE5F:				; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+10Fj
					; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+19Aj
		mov	edx, ebx
		mov	ecx, offset unk_6CE168
		call	_RtlpFcBufferManagerDereferenceBuffers@8 ; RtlpFcBufferManagerDereferenceBuffers(x,x)
		mov	edi, offset unk_6CE124
		mov	ecx, edi
		call	_CmSiRWLockAcquireExclusive@4 ;	CmSiRWLockAcquireExclusive(x)
		mov	ebx, [esp+0B0h+var_98]
		mov	edx, [esp+0B0h+var_90]
		mov	esi, [esp+0B0h+var_74]
		shl	ebx, 4
		add	ebx, offset dword_6CE138
		push	esi
		mov	eax, [ebx]
		mov	ecx, [ebx+4]
		mov	[ebx], edx
		mov	edx, [esp+0B4h+var_8C]
		mov	[ebx+4], edx
		lea	edx, [esp+0B4h+var_68]
		mov	[esp+0B4h+var_8C], ecx
		mov	ecx, [ebx+8]
		mov	[esp+0B4h+var_90], eax
		mov	eax, [esp+0B4h+var_88]
		mov	[ebx+8], eax
		mov	eax, [esp+0B4h+var_84]
		mov	[esp+0B4h+var_88], ecx
		mov	ecx, [ebx+0Ch]
		mov	[ebx+0Ch], eax
		mov	ebx, [esp+0B4h+var_A0]
		mov	[esp+0B4h+var_84], ecx
		mov	ecx, offset unk_6CE168
		push	ebx
		call	_RtlpFcBufferManagerUpdateBuffers@16 ; RtlpFcBufferManagerUpdateBuffers(x,x,x,x)
		push	esi
		push	ebx
		mov	ecx, offset dword_6CE12C
		call	_RtlpFcWriteHighLowHigh@12 ; RtlpFcWriteHighLowHigh(x,x,x)
		push	esi
		push	ebx
		mov	ecx, 0FFDF0710h
		call	_RtlpFcWriteHighLowHigh@12 ; RtlpFcWriteHighLowHigh(x,x,x)
		mov	ecx, edi
		call	CmSiRWLockReleaseExclusive
		mov	ecx, offset unk_6CE128
		call	CmSiRWLockReleaseExclusive
		push	esi
		push	ebx
		call	_CmFcpManagerPublishChangeNotifications@12 ; CmFcpManagerPublishChangeNotifications(x,x,x)
		xor	esi, esi
		mov	[esp+0B0h+var_A4], esi

loc_94DF08:				; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+21Aj
					; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+22Cj
		push	3
		lea	edi, [esp+0B4h+var_68]
		pop	esi

loc_94DF0F:				; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+2EEj
		mov	ecx, edi
		call	_CmFcpUnmapSection@4 ; CmFcpUnmapSection(x)
		add	edi, 10h
		sub	esi, 1
		jnz	short loc_94DF0F
		lea	ecx, [esp+0B0h+var_90]
		call	_CmFcpCleanupSectionState@4 ; CmFcpCleanupSectionState(x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esp+0B0h+var_4]
		mov	eax, [esp+0B0h+var_A4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
_CmFcManagerUpdateFeatureConfigurations@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmFcManagerUpdateFeatureUsageSubscriptions(size_t,int)
_CmFcManagerUpdateFeatureUsageSubscriptions@16 proc near
					; CODE XREF: CmUpdateFeatureUsageSubscription(x,x,x)+101p

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+94h+var_4], eax
		push	ebx
		push	esi
		xor	esi, esi
		lea	eax, [esp+9Ch+var_68]
		push	edi
		push	30h		; size_t
		mov	ebx, edx
		mov	[esp+0A4h+var_90], esi
		push	esi		; int
		push	eax		; void *
		mov	[esp+0ACh+var_70], ebx
		mov	[esp+0ACh+var_8C], esi
		mov	[esp+0ACh+var_94], esi
		mov	[esp+0ACh+var_80], esi
		mov	[esp+0ACh+var_7C], esi
		call	_memset
		add	esp, 0Ch
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	ecx, offset unk_6CE128
		call	_CmSiRWLockAcquireExclusive@4 ;	CmSiRWLockAcquireExclusive(x)
		lea	eax, [esp+0A0h+var_94]
		mov	ecx, offset unk_6CE168
		push	eax
		lea	edx, [esp+0A4h+var_90]
		call	_RtlpFcBufferManagerReferenceBuffers@12	; RtlpFcBufferManagerReferenceBuffers(x,x,x)
		push	[esp+0A0h+var_8C]
		mov	edi, [esp+0A4h+var_94]
		push	[esp+0A4h+var_90]
		call	_CmFcpIncrementChangeStamp@8 ; CmFcpIncrementChangeStamp(x,x)
		mov	[esp+0A0h+var_90], eax
		mov	ecx, edx
		mov	[esp+0A0h+var_88], eax
		mov	[esp+0A0h+var_48], eax
		lea	eax, [esp+0A0h+var_94]
		push	eax		; int
		push	esi		; int
		push	[ebp+arg_0]	; size_t
		mov	[esp+0ACh+var_74], ecx
		mov	[esp+0ACh+var_84], ecx
		mov	[esp+0ACh+var_44], ecx
		mov	ecx, [edi+28h]
		push	ebx		; void *
		mov	[esp+0B0h+var_94], esi
		call	_RtlpFcUpdateUsageTriggers@24 ;	RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)
		mov	esi, eax
		push	3
		pop	ebx
		test	esi, esi
		jns	loc_94E111
		cmp	esi, 80000005h
		jnz	loc_94E0EE
		mov	edx, _CmFcSystemManager
		lea	eax, [esp+0A0h+var_88]
		mov	ecx, [esp+0A0h+var_94]
		push	eax
		push	[esp+0A4h+var_74]
		push	[esp+0A8h+var_90]
		call	_CmFcpManagerCreateSection@20 ;	CmFcpManagerCreateSection(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_94E0EE
		lea	edx, [esp+0A0h+var_48]
		lea	ecx, [esp+0A0h+var_88]
		call	CmFcpMapSection
		mov	esi, eax
		test	esi, esi
		js	loc_94E0EE
		mov	ecx, [edi+28h]
		lea	eax, [esp+0A0h+var_3C]
		push	eax		; int
		push	[esp+0A4h+var_40] ; int
		push	[ebp+arg_0]	; size_t
		push	[esp+0ACh+var_70] ; void *
		call	_RtlpFcUpdateUsageTriggers@24 ;	RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_94E0EE
		mov	edx, [esp+0A0h+var_3C]
		mov	ecx, [esp+0A0h+var_40]
		call	_RtlpFcValidateFeatureUsageSubscriptionBuffer@8	; RtlpFcValidateFeatureUsageSubscriptionBuffer(x,x)
		test	eax, eax
		jns	loc_94E111
		cmp	dword_6B1EB8, 5
		jbe	short loc_94E0E9
		push	4000h
		push	1
		mov	ecx, offset dword_6B1EB8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_94E0E9
		lea	eax, [esp+0A0h+var_70]
		mov	[esp+0A0h+var_70], 1000000h
		mov	[esp+0A0h+var_18], eax
		xor	esi, esi
		lea	eax, [esp+0A0h+var_38]
		mov	[esp+0A0h+var_6C], esi
		push	eax
		push	ebx
		push	esi
		push	esi
		push	offset dword_41ACC4
		push	offset dword_6B1EB8
		mov	[esp+0B8h+var_14], esi
		mov	[esp+0B8h+var_10], 8
		mov	[esp+0B8h+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_94E0E9:				; CODE XREF: CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+142j
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+157j
		mov	esi, 0C00000E5h

loc_94E0EE:				; CODE XREF: CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+C1j
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+E7j ...
		mov	ecx, offset unk_6CE128
		call	CmSiRWLockReleaseExclusive
		test	edi, edi
		jz	loc_94E1C1
		mov	edx, edi
		mov	ecx, offset unk_6CE168
		call	_RtlpFcBufferManagerDereferenceBuffers@8 ; RtlpFcBufferManagerDereferenceBuffers(x,x)
		jmp	loc_94E1C1
; 

loc_94E111:				; CODE XREF: CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+B5j
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+135j
		mov	edx, edi
		mov	ecx, offset unk_6CE168
		call	_RtlpFcBufferManagerDereferenceBuffers@8 ; RtlpFcBufferManagerDereferenceBuffers(x,x)
		mov	ecx, offset unk_6CE124
		call	_CmSiRWLockAcquireExclusive@4 ;	CmSiRWLockAcquireExclusive(x)
		mov	eax, dword_6CE158
		mov	edx, [esp+0A0h+var_88]
		mov	ecx, dword_6CE15C
		mov	edi, [esp+0A0h+var_74]
		mov	esi, [esp+0A0h+var_90]
		mov	dword_6CE158, edx
		mov	edx, [esp+0A0h+var_84]
		mov	[esp+0A0h+var_84], ecx
		mov	ecx, [esp+0A0h+var_80]
		mov	[esp+0A0h+var_88], eax
		mov	eax, dword_6CE160
		mov	dword_6CE160, ecx
		mov	ecx, [esp+0A0h+var_7C]
		mov	[esp+0A0h+var_80], eax
		mov	eax, dword_6CE164
		push	edi
		mov	dword_6CE15C, edx
		lea	edx, [esp+0A4h+var_68]
		mov	dword_6CE164, ecx
		mov	ecx, offset unk_6CE168
		push	esi
		mov	[esp+0A8h+var_7C], eax
		call	_RtlpFcBufferManagerUpdateBuffers@16 ; RtlpFcBufferManagerUpdateBuffers(x,x,x,x)
		push	edi
		push	esi
		mov	ecx, offset dword_6CE12C
		call	_RtlpFcWriteHighLowHigh@12 ; RtlpFcWriteHighLowHigh(x,x,x)
		push	edi
		push	esi
		mov	ecx, 0FFDF0710h
		call	_RtlpFcWriteHighLowHigh@12 ; RtlpFcWriteHighLowHigh(x,x,x)
		mov	ecx, offset unk_6CE124
		call	CmSiRWLockReleaseExclusive
		mov	ecx, offset unk_6CE128
		call	CmSiRWLockReleaseExclusive
		push	edi
		push	esi
		call	_CmFcpManagerPublishChangeNotifications@12 ; CmFcpManagerPublishChangeNotifications(x,x,x)
		xor	esi, esi

loc_94E1C1:				; CODE XREF: CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+1B3j
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+1C5j
		lea	edi, [esp+0A0h+var_68]

loc_94E1C5:				; CODE XREF: CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+28Bj
		mov	ecx, edi
		call	_CmFcpUnmapSection@4 ; CmFcpUnmapSection(x)
		add	edi, 10h
		sub	ebx, 1
		jnz	short loc_94E1C5
		lea	ecx, [esp+0A0h+var_88]
		call	_CmFcpCleanupSectionState@4 ; CmFcpCleanupSectionState(x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esp+0A0h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_CmFcManagerUpdateFeatureUsageSubscriptions@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcpChangeSubscriptionWrapper(x, x)
_CmFcpChangeSubscriptionWrapper@8 proc near
					; DATA XREF: CmFcpInitializeChangeSubscription(x,x,x)+1Eo

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	6
		mov	[esp+34h+var_20], eax
		lea	edi, [esp+34h+var_1C]
		xor	eax, eax
		xor	esi, esi
		test	byte ptr [ebx+28h], 1
		pop	ecx
		rep stosd
		jz	short loc_94E24E
		mov	ecx, [ebx+2Ch]
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_94E26B
		lea	edx, [esp+30h+var_1C]
		mov	ecx, esi
		call	MmAttachSession
		test	eax, eax
		js	short loc_94E264

loc_94E24E:				; CODE XREF: CmFcpChangeSubscriptionWrapper(x,x)+34j
		push	[esp+30h+var_20]
		call	dword ptr [ebx+24h]
		test	esi, esi
		jz	short loc_94E26B
		lea	edx, [esp+34h+var_20]
		mov	ecx, esi
		call	MmDetachSession

loc_94E264:				; CODE XREF: CmFcpChangeSubscriptionWrapper(x,x)+51j
		mov	ecx, esi
		call	_MmQuitNextSession@4 ; MmQuitNextSession(x)

loc_94E26B:				; CODE XREF: CmFcpChangeSubscriptionWrapper(x,x)+42j
					; CmFcpChangeSubscriptionWrapper(x,x)+5Cj
		mov	ecx, [esp+34h+var_8]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_CmFcpChangeSubscriptionWrapper@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall CmFcpInitializeChangeSubscription(void	*,int,int)
_CmFcpInitializeChangeSubscription@12 proc near
					; CODE XREF: CmFcpManagerAllocateChangeSubscription(x,x,x)+52p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	38h		; size_t
		mov	esi, ecx
		mov	edi, edx
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esi+8]
		push	[ebp+arg_0]
		push	offset _CmFcpChangeSubscriptionWrapper@8 ; CmFcpChangeSubscriptionWrapper(x,x)
		call	_CmFcpWorkItemInitialize@16 ; CmFcpWorkItemInitialize(x,x,x,x)
		mov	ecx, edi
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jz	short loc_94E2C5
		or	dword ptr [esi+30h], 1
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	ecx, eax
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	[esi+34h], eax

loc_94E2C5:				; CODE XREF: CmFcpInitializeChangeSubscription(x,x,x)+31j
		mov	[esi+2Ch], edi
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_CmFcpInitializeChangeSubscription@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcpManagerAllocateChangeSubscription(x, x, x)
_CmFcpManagerAllocateChangeSubscription@12 proc	near
					; CODE XREF: CmFcManagerRegisterFeatureConfigurationChangeNotification(x,x,x,x,x)+Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	al, byte_6CE1FE
		push	esi
		push	edi
		mov	edi, edx
		test	al, al
		jnz	short loc_94E303
		xor	eax, eax
		inc	eax
		lock xadd dword_6CE200,	eax
		inc	eax
		cmp	eax, 3
		jbe	short loc_94E2F8
		xor	esi, esi
		jmp	short loc_94E325
; 

loc_94E2F8:				; CODE XREF: CmFcpManagerAllocateChangeSubscription(x,x,x)+24j
		imul	esi, eax, 38h
		add	esi, offset unk_6CE24C
		jmp	short loc_94E319
; 

loc_94E303:				; CODE XREF: CmFcpManagerAllocateChangeSubscription(x,x,x)+13j
		push	63466D43h
		push	38h
		push	0
		push	40h
		call	_ExAllocatePool2@16 ; ExAllocatePool2(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_94E325

loc_94E319:				; CODE XREF: CmFcpManagerAllocateChangeSubscription(x,x,x)+33j
		push	[ebp+arg_0]	; int
		mov	edx, edi	; int
		mov	ecx, esi	; void *
		call	_CmFcpInitializeChangeSubscription@12 ;	CmFcpInitializeChangeSubscription(x,x,x)

loc_94E325:				; CODE XREF: CmFcpManagerAllocateChangeSubscription(x,x,x)+28j
					; CmFcpManagerAllocateChangeSubscription(x,x,x)+49j
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_CmFcpManagerAllocateChangeSubscription@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcpManagerCreateSection(x, x, x, x, x)
_CmFcpManagerCreateSection@20 proc near	; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+138p
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+DEp ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_2C], 18h
		push	ebx
		push	8000000h
		push	4
		lea	eax, [ebp+var_14]
		mov	[ebp+var_8], ebx
		push	eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_28], ebx
		push	eax
		push	6
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], 200h
		mov	edi, ecx
		mov	[ebp+var_24], ebx
		push	eax
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ebx
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_94E3BA
		mov	eax, ds:_MmSectionObjectType
		lea	ecx, [ebp+var_C]
		push	ebx
		push	ecx
		push	ebx
		push	eax
		push	6
		push	[ebp+var_8]
		mov	[ebp+var_C], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_94E3BA
		mov	ecx, [ebp+arg_8]
		mov	esi, ebx
		mov	eax, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_C]
		mov	[ecx+8], eax
		mov	[ecx+0Ch], edi

loc_94E3BA:				; CODE XREF: CmFcpManagerCreateSection(x,x,x,x,x)+51j
					; CmFcpManagerCreateSection(x,x,x,x,x)+70j
		cmp	[ebp+var_8], ebx
		jz	short loc_94E3C7
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_94E3C7:				; CODE XREF: CmFcpManagerCreateSection(x,x,x,x,x)+8Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_CmFcpManagerCreateSection@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcpManagerCreateSectionFromBuffer(x, x, x, x, x, x)
_CmFcpManagerCreateSectionFromBuffer@24	proc near
					; CODE XREF: CmFcManagerStartRuntimePhase(x)+CFp
					; CmFcManagerStartRuntimePhase(x)+107p

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_4], ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	ebx, edx
		stosd
		mov	ecx, ebx
		mov	edx, [ebp+arg_8]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_CmFcpManagerCreateSection@20 ;	CmFcpManagerCreateSection(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_94E444
		lea	edx, [ebp+var_28]
		lea	ecx, [ebp+var_18]
		call	CmFcpMapSection
		mov	esi, eax
		test	esi, esi
		js	short loc_94E444
		push	ebx		; size_t
		push	[ebp+var_4]	; void *
		mov	ebx, [ebp+var_20]
		push	ebx		; void *
		call	_memcpy
		mov	edi, [ebp+arg_C]
		lea	esi, [ebp+var_18]
		xor	eax, eax
		add	esp, 0Ch
		movsd
		movsd
		movsd
		movsd
		lea	edi, [ebp+var_18]
		xor	esi, esi
		stosd
		stosd
		stosd
		stosd
		jmp	short loc_94E447
; 

loc_94E444:				; CODE XREF: CmFcpManagerCreateSectionFromBuffer(x,x,x,x,x,x)+3Aj
					; CmFcpManagerCreateSectionFromBuffer(x,x,x,x,x,x)+4Bj
		mov	ebx, [ebp+var_20]

loc_94E447:				; CODE XREF: CmFcpManagerCreateSectionFromBuffer(x,x,x,x,x,x)+72j
		test	ebx, ebx
		jz	short loc_94E451
		push	ebx
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)

loc_94E451:				; CODE XREF: CmFcpManagerCreateSectionFromBuffer(x,x,x,x,x,x)+79j
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jz	short loc_94E45D
		call	ObfDereferenceObject

loc_94E45D:				; CODE XREF: CmFcpManagerCreateSectionFromBuffer(x,x,x,x,x,x)+86j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_CmFcpManagerCreateSectionFromBuffer@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcpManagerDrainUsageNotificationsWorker(x, x)
_CmFcpManagerDrainUsageNotificationsWorker@8 proc near
					; DATA XREF: CmFcManagerInitialize(x)+93o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_4]
		xor	edx, edx
		lea	edi, [esi+0D8h]
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		xor	dl, dl
		mov	ecx, esi
		call	CmFcpManagerDrainUsageNotifications
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_94E4AA
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_94E4AA:				; CODE XREF: CmFcpManagerDrainUsageNotificationsWorker(x,x)+3Bj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_CmFcpManagerDrainUsageNotificationsWorker@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcpManagerPublishChangeNotifications(x, x, x)
_CmFcpManagerPublishChangeNotifications@12 proc	near
					; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+2CFp
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+273p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, offset unk_6CE278
		xor	edx, edx
		mov	[ebp+var_8], edi
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	esi, dword_6CE27C
		jmp	short loc_94E4F3
; 

loc_94E4E9:				; CODE XREF: CmFcpManagerPublishChangeNotifications(x,x,x)+36j
		lea	ecx, [esi+8]
		call	_CmFcpWorkItemQueueWork@4 ; CmFcpWorkItemQueueWork(x)
		mov	esi, [esi]

loc_94E4F3:				; CODE XREF: CmFcpManagerPublishChangeNotifications(x,x,x)+24j
		cmp	esi, offset dword_6CE27C
		jnz	short loc_94E4E9
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_94E510
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_94E510:				; CODE XREF: CmFcpManagerPublishChangeNotifications(x,x,x)+44j
		mov	ecx, ebx
		call	KeAbPostRelease
		push	8
		pop	esi
		mov	ebx, offset _CmFcpWnfTypeId
		jmp	short loc_94E550
; 

loc_94E521:				; CODE XREF: CmFcpManagerPublishChangeNotifications(x,x,x)+B0j
		mov	eax, [ebp+var_C]
		cmp	eax, [ebp+arg_4]
		ja	short loc_94E575
		jb	short loc_94E533
		mov	eax, [ebp+var_10]
		cmp	eax, [ebp+arg_0]
		jnb	short loc_94E575

loc_94E533:				; CODE XREF: CmFcpManagerPublishChangeNotifications(x,x,x)+66j
		push	1
		push	[ebp+var_8]
		lea	eax, [ebp+arg_0]
		push	edi
		push	ebx
		push	esi
		push	eax
		push	offset _WNF_CMFC_FEATURE_CONFIGURATION_CHANGED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		cmp	eax, 0C0000001h
		jnz	short loc_94E575

loc_94E550:				; CODE XREF: CmFcpManagerPublishChangeNotifications(x,x,x)+5Cj
		lea	eax, [ebp+var_4]
		mov	[ebp+var_10], edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_C], edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], esi
		push	eax
		push	edi
		push	ebx
		push	offset _WNF_CMFC_FEATURE_CONFIGURATION_CHANGED
		call	_ZwQueryWnfStateData@24	; ZwQueryWnfStateData(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_94E521

loc_94E575:				; CODE XREF: CmFcpManagerPublishChangeNotifications(x,x,x)+64j
					; CmFcpManagerPublishChangeNotifications(x,x,x)+6Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_CmFcpManagerPublishChangeNotifications@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcpManagerRetryUsageNotificationsWorker(x, x)
_CmFcpManagerRetryUsageNotificationsWorker@8 proc near
					; DATA XREF: CmFcManagerInitialize(x)+A3o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_4]
		xor	edx, edx
		lea	edi, [esi+0D8h]
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	dl, 1
		mov	byte ptr [esi+0DDh], 0
		mov	ecx, esi
		call	CmFcpManagerDrainUsageNotifications
		mov	dl, 1
		mov	ecx, esi
		call	CmFcpManagerDrainUsageNotifications
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_94E5D0
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_94E5D0:				; CODE XREF: CmFcpManagerRetryUsageNotificationsWorker(x,x)+4Bj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_CmFcpManagerRetryUsageNotificationsWorker@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmFcpSwapSectionState(x, x)
_CmFcpSwapSectionState@8 proc near	; CODE XREF: CmFcManagerStartRuntimePhase(x)+175p
		mov	edi, edi
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		push	esi
		push	edi
		mov	eax, [ebx]
		mov	esi, [edx]
		mov	edi, [edx+4]
		mov	[edx], eax
		mov	eax, [ebx+4]
		mov	[edx+4], eax
		mov	eax, [ebx+8]
		mov	[ebx], esi
		mov	[ebx+4], edi
		mov	ecx, [edx+8]
		mov	[edx+8], eax
		mov	eax, [ebx+0Ch]
		mov	[ebx+8], ecx
		mov	ecx, [edx+0Ch]
		pop	edi
		mov	[edx+0Ch], eax
		pop	esi
		mov	[ebx+0Ch], ecx
		pop	ebx
		retn
_CmFcpSwapSectionState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDeleteTree(x, x)
_CmpDeleteTree@8 proc near		; CODE XREF: CmpSyncSubKeysAfterDelete(x,x,x,x,x)+96p
					; CmRestoreKey(x,x,x,x)+AC7p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		mov	eax, edx
		or	[ebp+var_14], 0FFFFFFFFh
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_C], eax
		mov	edi, ecx
		mov	ebx, eax

loc_94E642:				; CODE XREF: CmpDeleteTree(x,x)+7Dj
					; CmpDeleteTree(x,x)+A2j
		mov	[ebp+var_4], ebx

loc_94E645:				; CODE XREF: CmpDeleteTree(x,x)+91j
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		push	edi
		call	dword ptr [edi+4]
		mov	edx, eax
		test	edx, edx
		jz	short loc_94E6CD
		mov	eax, [edx+18h]
		mov	esi, [edx+10h]
		add	eax, [edx+14h]
		jz	short loc_94E6B5
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		push	0
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		test	esi, esi
		js	short loc_94E6CD
		mov	ebx, [ebp+var_8]
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_94E6CD
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	short loc_94E6CD
		mov	esi, [eax+18h]
		add	esi, [eax+14h]
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		test	esi, esi
		jnz	short loc_94E642
		push	1
		mov	edx, ebx
		mov	ecx, edi
		call	CmpFreeKeyByCell
		test	eax, eax
		js	short loc_94E6CD
		mov	ebx, [ebp+var_4]
		jmp	short loc_94E645
; 

loc_94E6B5:				; CODE XREF: CmpDeleteTree(x,x)+3Bj
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		cmp	ebx, [ebp+var_C]
		jz	short loc_94E6C9
		mov	ebx, esi
		jmp	loc_94E642
; 

loc_94E6C9:				; CODE XREF: CmpDeleteTree(x,x)+9Ej
		mov	al, 1
		jmp	short loc_94E6CF
; 

loc_94E6CD:				; CODE XREF: CmpDeleteTree(x,x)+30j
					; CmpDeleteTree(x,x)+56j ...
		xor	al, al

loc_94E6CF:				; CODE XREF: CmpDeleteTree(x,x)+A9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpDeleteTree@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmpFreeUnitOfWork(x)
_CmpFreeUnitOfWork@4 proc near		; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+4AAp
					; CmSetValueKey(x,x,x,x,x,x,x)+8CAp ...
		push	77554D43h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
_CmpFreeUnitOfWork@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpLightWeightCleanupModifyKeyDataUoW(x, x)
_CmpLightWeightCleanupModifyKeyDataUoW@8 proc near
					; CODE XREF: CmpCleanupLightWeightUoWData(x,x,x)+BBp
					; CmpLightWeightCommitAddKeyUoW(x,x)+114p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		sub	dword ptr [esi], 1
		jnz	short loc_94E717
		mov	edx, [esi+0Ch]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_94E6FA
		call	_CmpFreeIndexByCell@8 ;	CmpFreeIndexByCell(x,x)

loc_94E6FA:				; CODE XREF: CmpLightWeightCleanupModifyKeyDataUoW(x,x)+13j
		mov	edx, [esi+10h]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_94E709
		mov	ecx, edi
		call	_CmpFreeIndexByCell@8 ;	CmpFreeIndexByCell(x,x)

loc_94E709:				; CODE XREF: CmpLightWeightCleanupModifyKeyDataUoW(x,x)+20j
		pop	edi
		mov	ecx, esi
		mov	edx, 77554D43h
		pop	esi
		jmp	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
; 

loc_94E717:				; CODE XREF: CmpLightWeightCleanupModifyKeyDataUoW(x,x)+Bj
		pop	edi
		pop	esi
		retn
_CmpLightWeightCleanupModifyKeyDataUoW@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightCommitAddKeyUoW(x, x)
_CmpLightWeightCommitAddKeyUoW@8 proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x):loc_85548Ap

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		or	[ebp+var_1C], 0FFFFFFFFh
		and	[ebp+var_18], 0
		or	[ebp+var_14], 0FFFFFFFFh
		and	[ebp+var_10], 0
		push	ebx
		mov	ebx, ecx
		lea	ecx, [ebp+var_1C]
		push	esi
		push	edi
		push	ecx
		mov	eax, [ebx+40h]
		mov	esi, edx
		mov	[ebp+var_C], eax
		mov	eax, [ebx+18h]
		mov	edi, [eax+10h]
		mov	eax, [eax+14h]
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	ecx, [ebx+18h]
		mov	[ebp+var_4], eax
		mov	edx, [eax+2Ch]
		mov	ecx, [ecx+24h]
		mov	ecx, [ecx+14h]
		mov	[eax+10h], ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, [ebx+18h]
		call	CmpAssignSecurityToKcb
		mov	eax, [ebx+18h]
		lea	ecx, [ebp+var_14]
		push	ecx
		add	dword ptr [eax+0A8h], 1
		adc	dword ptr [eax+0ACh], 0
		mov	eax, [ebx+18h]
		mov	eax, [eax+24h]
		mov	eax, [eax+14h]
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	ecx, [esi]
		mov	[ebp+var_8], eax
		mov	[eax+4], ecx
		mov	ecx, [esi+4]
		mov	[eax+8], ecx
		mov	ecx, [ebx+18h]
		mov	edx, [ecx+24h]
		mov	ecx, [esi]
		mov	[edx+58h], ecx
		mov	ecx, [esi+4]
		mov	[edx+5Ch], ecx
		mov	eax, [ebx+18h]
		mov	ecx, [ebp+var_4]
		mov	eax, [eax+24h]
		add	dword ptr [eax+0A8h], 1
		adc	dword ptr [eax+0ACh], 0
		test	byte ptr [ecx+2], 20h
		movzx	eax, word ptr [ecx+48h]
		jz	short loc_94E7DA
		add	eax, eax
		movzx	edx, ax
		jmp	short loc_94E7DC
; 

loc_94E7DA:				; CODE XREF: CmpLightWeightCommitAddKeyUoW(x,x)+B7j
		mov	edx, eax

loc_94E7DC:				; CODE XREF: CmpLightWeightCommitAddKeyUoW(x,x)+BEj
		mov	esi, [ebp+var_8]
		cmp	[esi+34h], dx
		jnb	short loc_94E7F3
		mov	[esi+34h], dx
		mov	eax, [ebx+18h]
		mov	eax, [eax+24h]
		mov	[eax+60h], dx

loc_94E7F3:				; CODE XREF: CmpLightWeightCommitAddKeyUoW(x,x)+C9j
		mov	eax, ecx
		movzx	eax, word ptr [eax+4Ah]
		cmp	[esi+38h], eax
		jnb	short loc_94E801
		mov	[esi+38h], eax

loc_94E801:				; CODE XREF: CmpLightWeightCommitAddKeyUoW(x,x)+E2j
		mov	esi, [ebp+var_C]
		cmp	dword ptr [esi], 1
		jnz	short loc_94E81A
		mov	eax, [ebx+18h]
		mov	ecx, edi
		push	esi
		mov	edx, [eax+24h]
		mov	edx, [edx+14h]
		call	_CmpLightWeightSwapParentSubKeyList@12 ; CmpLightWeightSwapParentSubKeyList(x,x,x)

loc_94E81A:				; CODE XREF: CmpLightWeightCommitAddKeyUoW(x,x)+EDj
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	edx, esi
		mov	ecx, edi
		call	_CmpLightWeightCleanupModifyKeyDataUoW@8 ; CmpLightWeightCleanupModifyKeyDataUoW(x,x)
		mov	eax, [ebx+18h]
		and	dword ptr [ebx+40h], 0
		pop	edi
		pop	esi
		and	dword ptr [eax+80h], 0
		pop	ebx
		leave
		retn
_CmpLightWeightCommitAddKeyUoW@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightCommitDeleteKeyUoW(x,	x, x)
_CmpLightWeightCommitDeleteKeyUoW@12 proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+74p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		or	[ebp+var_60], 0FFFFFFFFh
		and	[ebp+var_5C], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_54], eax
		push	edi
		mov	[ebp+var_58], edx
		push	0
		mov	eax, [esi+18h]
		mov	ebx, [esi+40h]
		mov	edi, [eax+10h]
		mov	ecx, edi
		mov	edx, [eax+14h]
		call	CmpFreeKeyByCell
		mov	[ebp+var_50], eax
		test	eax, eax
		jns	short loc_94E8F5
		cmp	dword_6B2348, 5
		jbe	short loc_94E8F5
		push	2000h
		push	0
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_94E8F5
		mov	eax, [ebp+var_50]
		xor	edx, edx
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_50]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	ecx
		push	edx
		push	edx
		push	offset byte_41AD55
		push	offset dword_6B2348
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_6C], 1000000h
		mov	[ebp+var_68], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], 8
		mov	[ebp+var_10], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_94E8F5:				; CODE XREF: CmpLightWeightCommitDeleteKeyUoW(x,x,x)+42j
					; CmpLightWeightCommitDeleteKeyUoW(x,x,x)+4Bj ...
		cmp	dword ptr [ebx], 1
		mov	eax, [esi+18h]
		mov	eax, [eax+24h]
		mov	[ebp+var_50], eax
		jnz	short loc_94E911
		mov	edx, [eax+14h]
		mov	ecx, edi
		push	ebx
		call	_CmpLightWeightSwapParentSubKeyList@12 ; CmpLightWeightSwapParentSubKeyList(x,x,x)
		mov	eax, [ebp+var_50]

loc_94E911:				; CODE XREF: CmpLightWeightCommitDeleteKeyUoW(x,x,x)+BBj
		mov	dl, 1
		mov	ecx, eax
		call	CmpCleanUpSubKeyInfo
		mov	ecx, [ebp+var_50]
		mov	eax, [ecx+14h]
		lea	ecx, [ebp+var_60]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	edx, [ebp+var_50]
		mov	cx, [eax+34h]
		mov	[edx+60h], cx
		mov	ecx, [ebp+var_58]
		mov	ecx, [ecx]
		mov	[eax+4], ecx
		mov	ecx, [ebp+var_58]
		mov	ecx, [ecx+4]
		mov	[eax+8], ecx
		mov	ecx, [ebp+var_58]
		mov	eax, [ecx]
		mov	[edx+58h], eax
		mov	eax, [ecx+4]
		add	dword ptr [edx+0A8h], 1
		mov	[edx+5Ch], eax
		lea	eax, [ebp+var_60]
		adc	dword ptr [edx+0ACh], 0
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	ecx, [esi+18h]
		push	1
		push	[ebp+var_54]
		call	_CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs@16 ; CmpFlushNotifiesOnAllUnbackedHigherLayerKcbs(x,x,x,x)
		mov	ecx, [esi+18h]
		push	1
		push	[ebp+var_54]
		push	8
		pop	edx
		call	CmpFlushNotifiesOnKeyBodyList
		mov	edx, [ebp+var_54]
		mov	ecx, [esi+18h]
		call	_CmpMarkKeyUnbacked@8 ;	CmpMarkKeyUnbacked(x,x)
		mov	edx, [esi+44h]
		mov	ecx, [esi+18h]
		test	edx, edx
		jz	short loc_94E9BC
		push	[ebp+var_54]
		call	_CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers@12 ; CmpCommitDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x,x)
		mov	edx, [ebp+var_54]
		mov	ecx, [esi+44h]
		call	CmpCleanupDiscardReplaceContext
		mov	ecx, [esi+44h]
		call	_CmpFreePool@4	; CmpFreePool(x)
		and	dword ptr [esi+44h], 0
		jmp	short loc_94E9C1
; 

loc_94E9BC:				; CODE XREF: CmpLightWeightCommitDeleteKeyUoW(x,x,x)+153j
		call	_CmpDiscardKcb@4 ; CmpDiscardKcb(x)

loc_94E9C1:				; CODE XREF: CmpLightWeightCommitDeleteKeyUoW(x,x,x)+174j
		mov	edx, ebx
		mov	ecx, edi
		call	_CmpLightWeightCleanupModifyKeyDataUoW@8 ; CmpLightWeightCleanupModifyKeyDataUoW(x,x)
		and	dword ptr [esi+40h], 0
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpLightWeightCommitDeleteKeyUoW@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightCommitDeleteValueKeyUoW(x, x,	x)
_CmpLightWeightCommitDeleteValueKeyUoW@12 proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+E9p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		or	[ebp+var_10], 0FFFFFFFFh
		and	[ebp+var_C], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		push	edi
		mov	eax, [ebx+18h]
		mov	edx, [ebx+40h]
		mov	[ebp+var_8], edx
		lea	edx, [ebp+var_10]
		push	edx
		mov	ecx, [eax+10h]
		mov	eax, [eax+14h]
		push	eax
		push	ecx
		mov	[ebp+var_4], ecx
		call	dword ptr [ecx+4]
		mov	edx, [ebx+44h]
		mov	edi, eax
		mov	ecx, [ebp+var_4]
		mov	edx, [edx+4]
		call	_CmpFreeValue@8	; CmpFreeValue(x,x)
		mov	ecx, [ebx+44h]
		mov	edx, 77554D43h
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		and	dword ptr [ebx+44h], 0
		mov	eax, [esi]
		mov	[edi+4], eax
		mov	eax, [esi+4]
		mov	[edi+8], eax
		mov	ecx, [ebx+18h]
		mov	eax, [esi]
		mov	[ecx+58h], eax
		mov	eax, [esi+4]
		mov	esi, [ebp+var_8]
		mov	[ecx+5Ch], eax
		mov	eax, [ebx+18h]
		add	dword ptr [eax+0A8h], 1
		adc	dword ptr [eax+0ACh], 0
		cmp	dword ptr [esi], 1
		jnz	short loc_94EAB2
		mov	ecx, [edi+24h]
		mov	eax, [esi+4]
		mov	edx, [edi+28h]
		mov	[edi+24h], eax
		mov	eax, [esi+8]
		mov	[edi+28h], eax
		mov	[esi+8], edx
		mov	edx, [ebp+arg_0]
		mov	[esi+4], ecx
		mov	ecx, [ebx+18h]
		call	_CmpCleanUpKcbCachedSymlink@8 ;	CmpCleanUpKcbCachedSymlink(x,x)
		mov	ecx, [ebx+18h]
		mov	edx, [edi+28h]
		mov	eax, [edi+24h]
		mov	[ecx+34h], edx
		xor	edx, edx
		mov	[ecx+30h], eax
		cmp	[edi+24h], edx
		jnz	short loc_94EAB2
		mov	[edi+3Ch], edx
		xor	ecx, ecx
		mov	[edi+40h], edx
		mov	eax, [ebx+18h]
		mov	[eax+62h], cx
		mov	eax, [ebx+18h]
		mov	[eax+64h], edx

loc_94EAB2:				; CODE XREF: CmpLightWeightCommitDeleteValueKeyUoW(x,x,x)+83j
					; CmpLightWeightCommitDeleteValueKeyUoW(x,x,x)+BCj
		mov	edx, esi
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	_CmpLightWeightCleanupSetValueKeyUoW@8 ; CmpLightWeightCleanupSetValueKeyUoW(x,x)
		and	dword ptr [ebx+40h], 0
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpLightWeightCommitDeleteValueKeyUoW@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightCommitRenameKeyUoW(x,	x, x)
_CmpLightWeightCommitRenameKeyUoW@12 proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+B0p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		or	[ebp+var_10], 0FFFFFFFFh
		and	[ebp+var_C], 0
		or	[ebp+var_18], 0FFFFFFFFh
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		push	ecx
		mov	edx, [ebx+18h]
		mov	esi, [edx+10h]
		mov	ecx, esi
		mov	edx, [edx+14h]
		mov	[ebp+var_4], esi
		call	_CmpUpdateParentForEachSon@12 ;	CmpUpdateParentForEachSon(x,x,x)
		mov	eax, [ebx+18h]
		lea	ecx, [ebp+var_10]
		push	ecx
		add	dword ptr [eax+0A8h], 1
		adc	dword ptr [eax+0ACh], 0
		mov	eax, [ebx+18h]
		mov	eax, [eax+14h]
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	ecx, [ebx+18h]
		mov	esi, eax
		lea	eax, [ebp+var_18]
		push	eax
		mov	eax, [ebp+var_4]
		mov	ecx, [ecx+24h]
		mov	ecx, [ecx+14h]
		mov	[esi+10h], ecx
		mov	ecx, [ebx+18h]
		mov	ecx, [ecx+24h]
		mov	ecx, [ecx+14h]
		push	ecx
		push	eax
		call	dword ptr [eax+4]
		mov	ecx, [edi]
		mov	[ebp+var_8], eax
		mov	[eax+4], ecx
		mov	ecx, [edi+4]
		mov	[eax+8], ecx
		mov	ecx, [ebx+18h]
		mov	edx, [ecx+24h]
		mov	ecx, [edi]
		mov	[edx+58h], ecx
		mov	ecx, [edi+4]
		mov	[edx+5Ch], ecx
		mov	ecx, esi
		mov	eax, [ebx+18h]
		mov	eax, [eax+24h]
		add	dword ptr [eax+0A8h], 1
		adc	dword ptr [eax+0ACh], 0
		call	_CmpHKeyNameLen@4 ; CmpHKeyNameLen(x)
		mov	esi, [ebp+var_8]
		movzx	edx, ax
		cmp	[esi+34h], dx
		jnb	short loc_94EB9B
		mov	[esi+34h], dx
		mov	eax, [ebx+18h]
		mov	eax, [eax+24h]
		mov	[eax+60h], dx

loc_94EB9B:				; CODE XREF: CmpLightWeightCommitRenameKeyUoW(x,x,x)+BAj
		mov	esi, [ebp+var_4]
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, [ebx+18h]
		mov	edx, esi
		mov	edi, [ebp+arg_0]
		mov	ecx, offset _CmpRefreshParent@16 ; CmpRefreshParent(x,x,x,x)
		mov	[ebp+var_1C], eax
		mov	eax, [ebx+30h]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_20]
		push	0
		push	eax
		push	edi
		call	_CmpSearchKeyControlBlockTreeEx@20 ; CmpSearchKeyControlBlockTreeEx(x,x,x,x,x)
		mov	ecx, [ebx+18h]
		xor	edx, edx
		push	0
		inc	edx
		call	CmpSearchForOpenSubKeys
		mov	edx, [ebx+30h]
		mov	ecx, esi
		mov	edx, [edx+14h]
		call	HvFreeCell
		mov	ecx, [ebx+30h]
		push	1
		push	edi
		push	8
		pop	edx
		call	CmpFlushNotifiesOnKeyBodyList
		mov	ecx, [ebx+30h]
		mov	edx, edi
		call	_CmpMarkKeyUnbacked@8 ;	CmpMarkKeyUnbacked(x,x)
		mov	ecx, [ebx+30h]
		call	_CmpDiscardKcb@4 ; CmpDiscardKcb(x)
		mov	eax, [ebx+40h]
		mov	[ebp+arg_0], eax
		cmp	dword ptr [eax], 1
		jnz	short loc_94EC29
		push	eax
		mov	eax, [ebx+18h]
		mov	ecx, esi
		mov	edx, [eax+24h]
		mov	edx, [edx+14h]
		call	_CmpLightWeightSwapParentSubKeyList@12 ; CmpLightWeightSwapParentSubKeyList(x,x,x)
		mov	eax, [ebp+arg_0]

loc_94EC29:				; CODE XREF: CmpLightWeightCommitRenameKeyUoW(x,x,x)+142j
		mov	edx, eax
		mov	ecx, esi
		call	_CmpLightWeightCleanupModifyKeyDataUoW@8 ; CmpLightWeightCleanupModifyKeyDataUoW(x,x)
		mov	ecx, [ebx+18h]
		xor	esi, esi
		push	esi
		mov	edx, edi
		mov	[ebx+40h], esi
		call	CmpDereferenceKeyControlBlockWithLock
		mov	ecx, [ebx+30h]
		mov	edx, edi
		push	esi
		call	CmpDereferenceKeyControlBlockWithLock
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpLightWeightCommitRenameKeyUoW@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightCommitSetSecDescUoW(x, x)
_CmpLightWeightCommitSetSecDescUoW@8 proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x):loc_85557Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		or	[ebp+var_20], 0FFFFFFFFh
		and	[ebp+var_1C], 0
		or	[ebp+var_18], 0FFFFFFFFh
		and	[ebp+var_14], 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		lea	ecx, [ebp+var_20]
		mov	eax, [ebx+18h]
		mov	edi, [ebx+40h]
		push	ecx
		mov	esi, [eax+10h]
		mov	eax, [eax+14h]
		push	eax
		push	esi
		call	dword ptr [esi+4]
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_C], eax
		push	ecx
		mov	eax, [eax+2Ch]
		push	eax
		push	esi
		mov	[ebp+var_8], eax
		call	dword ptr [esi+4]
		mov	ecx, [edi]
		mov	edx, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_10], edx
		mov	[eax+2Ch], ecx
		mov	eax, [edx+0Ch]
		cmp	eax, 1
		jnz	short loc_94ECD2
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		and	[ebp+var_10], 0
		call	_CmpRemoveSecurityCellList@8 ; CmpRemoveSecurityCellList(x,x)
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		call	HvFreeCell
		jmp	short loc_94ECD6
; 

loc_94ECD2:				; CODE XREF: CmpLightWeightCommitSetSecDescUoW(x,x)+5Aj
		dec	eax
		mov	[edx+0Ch], eax

loc_94ECD6:				; CODE XREF: CmpLightWeightCommitSetSecDescUoW(x,x)+7Cj
		or	dword ptr [edi], 0FFFFFFFFh
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_C]
		push	0
		mov	eax, [ecx]
		mov	[edx+4], eax
		mov	eax, [ecx+4]
		mov	[edx+8], eax
		mov	ecx, [ebx+18h]
		mov	eax, [ebp+var_4]
		mov	eax, [eax]
		mov	[ecx+58h], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+4]
		mov	[ecx+5Ch], eax
		mov	eax, [ebx+18h]
		pop	ecx
		push	ecx
		push	ecx
		add	dword ptr [eax+0A8h], 1
		push	ecx
		adc	[eax+0ACh], ecx
		mov	edx, [edx+2Ch]
		mov	ecx, [ebx+18h]
		call	CmpAssignSecurityToKcb
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	[ebp+var_10], 0
		jz	short loc_94ED35
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94ED35:				; CODE XREF: CmpLightWeightCommitSetSecDescUoW(x,x)+D7j
		mov	edx, [edi]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_94ED44
		mov	ecx, [edi+4]
		call	_CmpDereferenceSecurityNode@8 ;	CmpDereferenceSecurityNode(x,x)

loc_94ED44:				; CODE XREF: CmpLightWeightCommitSetSecDescUoW(x,x)+E6j
		push	77554D43h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [ebx+40h], 0
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpLightWeightCommitSetSecDescUoW@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightCommitSetUserFlagsUoW(x, x)
_CmpLightWeightCommitSetUserFlagsUoW@8 proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+114p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		or	[ebp+var_C], 0FFFFFFFFh
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		lea	edx, [ebp+var_C]
		mov	eax, [ebx+18h]
		push	edx
		mov	ecx, [eax+10h]
		mov	eax, [eax+14h]
		push	eax
		push	ecx
		mov	[ebp+var_4], ecx
		call	dword ptr [ecx+4]
		mov	edx, [ebx+30h]
		mov	esi, eax
		shl	edx, 10h
		xor	edx, [esi+34h]
		and	edx, 0F0000h
		xor	edx, [esi+34h]
		mov	[esi+34h], edx
		mov	ecx, [ebx+18h]
		shr	edx, 10h
		xor	edx, [ecx+68h]
		and	edx, 0Fh
		xor	[ecx+68h], edx
		mov	eax, [edi]
		mov	[esi+4], eax
		mov	eax, [edi+4]
		mov	[esi+8], eax
		mov	eax, [ebx+18h]
		add	dword ptr [eax+0A8h], 1
		adc	dword ptr [eax+0ACh], 0
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, [ebp+var_4]
		push	eax
		call	dword ptr [eax+8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpLightWeightCommitSetUserFlagsUoW@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightCreateModificationData(x, x)
_CmpLightWeightCreateModificationData@8	proc near
					; CODE XREF: CmpLightWeightPrepareAddKeyUoW(x)+4Ap
					; CmpLightWeightPrepareDeleteKeyUoW(x,x)+35p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		push	77554D43h
		mov	eax, [ebx+18h]
		xor	ecx, ecx
		push	14h
		pop	edx
		inc	ecx
		mov	edi, [eax+10h]
		mov	[ebp+var_8], edi
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_94EE0C
		mov	edi, 0C000009Ah
		jmp	short loc_94EE64
; 

loc_94EE0C:				; CODE XREF: CmpLightWeightCreateModificationData(x,x)+2Dj
		xor	eax, eax
		mov	ecx, edi
		mov	[esi], eax
		mov	[esi+4], eax
		mov	[esi+8], eax
		or	dword ptr [esi+0Ch], 0FFFFFFFFh
		or	dword ptr [esi+10h], 0FFFFFFFFh
		inc	dword ptr [esi]
		mov	eax, [ebx+18h]
		push	esi
		mov	edx, [eax+24h]
		mov	edx, [edx+14h]
		call	_CmpLightWeightDuplicateParentLists@12 ; CmpLightWeightDuplicateParentLists(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_94EE56
		mov	edx, [ebx+18h]
		mov	ecx, esi
		push	dword ptr [ebx+1Ch]
		mov	edx, [edx+24h]
		call	_CmpLightWeightUpdateModificationActions@12 ; CmpLightWeightUpdateModificationActions(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_94EE56
		mov	eax, [ebp+var_4]
		xor	edi, edi
		mov	[eax], esi
		xor	esi, esi

loc_94EE56:				; CODE XREF: CmpLightWeightCreateModificationData(x,x)+5Fj
					; CmpLightWeightCreateModificationData(x,x)+75j
		test	esi, esi
		jz	short loc_94EE64
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_CmpLightWeightCleanupModifyKeyDataUoW@8 ; CmpLightWeightCleanupModifyKeyDataUoW(x,x)

loc_94EE64:				; CODE XREF: CmpLightWeightCreateModificationData(x,x)+34j
					; CmpLightWeightCreateModificationData(x,x)+82j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpLightWeightCreateModificationData@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightDuplicateParentLists(x, x, x)
_CmpLightWeightDuplicateParentLists@12 proc near
					; CODE XREF: CmpLightWeightCreateModificationData(x,x)+56p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	esi, esi
		xor	eax, eax
		push	edi
		mov	[ebp+var_C], esi
		mov	edi, ecx
		mov	word ptr [ebp+var_C], ax
		lea	eax, [ebp+var_10]
		push	eax
		push	edx
		mov	[ebp+var_10], esi
		or	[ebp+var_10], 0FFFFFFFFh
		push	edi
		call	dword ptr [edi+4]
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_94EEA0
		mov	esi, 0C000009Ah
		jmp	short loc_94EF10
; 

loc_94EEA0:				; CODE XREF: CmpLightWeightDuplicateParentLists(x,x,x)+2Cj
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		add	edx, 4
		mov	[ebp+var_4], ecx
		mov	[ebp+arg_0], edx
		add	ebx, 14h

loc_94EEB1:				; CODE XREF: CmpLightWeightDuplicateParentLists(x,x,x)+8Dj
		mov	eax, [ebx+8]
		mov	[ebp+var_8], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_94EEE8
		mov	edx, eax
		mov	ecx, edi
		call	_CmpMarkEntireIndexDirty@8 ; CmpMarkEntireIndexDirty(x,x)
		test	al, al
		jz	short loc_94EF03
		push	[ebp+var_4]
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	_CmpDuplicateIndex@12 ;	CmpDuplicateIndex(x,x,x)
		mov	edx, [ebp+arg_0]
		mov	[edx+8], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_94EEFC
		mov	eax, [ebx]
		mov	ecx, [ebp+var_4]
		mov	[edx], eax

loc_94EEE8:				; CODE XREF: CmpLightWeightDuplicateParentLists(x,x,x)+4Fj
		inc	ecx
		add	edx, 4
		add	ebx, 4
		mov	[ebp+var_4], ecx
		mov	[ebp+arg_0], edx
		cmp	ecx, 2
		jl	short loc_94EEB1
		jmp	short loc_94EF08
; 

loc_94EEFC:				; CODE XREF: CmpLightWeightDuplicateParentLists(x,x,x)+74j
		mov	esi, 0C000009Ah
		jmp	short loc_94EF08
; 

loc_94EF03:				; CODE XREF: CmpLightWeightDuplicateParentLists(x,x,x)+5Cj
		mov	esi, 0C000017Dh

loc_94EF08:				; CODE XREF: CmpLightWeightDuplicateParentLists(x,x,x)+8Fj
					; CmpLightWeightDuplicateParentLists(x,x,x)+96j
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_94EF10:				; CODE XREF: CmpLightWeightDuplicateParentLists(x,x,x)+33j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpLightWeightDuplicateParentLists@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightPrepareAddKeyUoW(x)
_CmpLightWeightPrepareAddKeyUoW@4 proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+32p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		or	[ebp+var_2C], 0FFFFFFFFh
		and	[ebp+var_28], 0
		or	[ebp+var_24], 0FFFFFFFFh
		and	[ebp+var_20], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	[ebp+var_18], ebx
		mov	eax, [ebx+18h]
		mov	esi, [eax+10h]
		mov	eax, [ebx+28h]
		mov	[ebp+var_4], eax
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_8], eax
		xor	eax, eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	eax, [ebx+2Ch]
		mov	edi, [eax+40h]
		mov	[ebp+var_C], edi
		test	edi, edi
		jnz	short loc_94EF7A
		lea	edx, [ebp+var_C]
		call	_CmpLightWeightCreateModificationData@8	; CmpLightWeightCreateModificationData(x,x)
		mov	edi, [ebp+var_C]
		mov	ebx, eax
		test	ebx, ebx
		js	loc_94F0F7
		mov	ebx, [ebp+var_18]
		jmp	short loc_94EF7C
; 

loc_94EF7A:				; CODE XREF: CmpLightWeightPrepareAddKeyUoW(x)+45j
		inc	dword ptr [edi]

loc_94EF7C:				; CODE XREF: CmpLightWeightPrepareAddKeyUoW(x)+5Fj
		mov	eax, [ebx+18h]
		lea	ecx, [ebp+var_2C]
		push	ecx
		mov	eax, [eax+24h]
		mov	[ebp+var_C], eax
		mov	eax, [eax+14h]
		push	eax
		push	esi
		call	dword ptr [esi+4]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_94EFA2
		mov	ebx, 0C000009Ah
		jmp	loc_94F0F7
; 

loc_94EFA2:				; CODE XREF: CmpLightWeightPrepareAddKeyUoW(x)+7Dj
		mov	eax, [ebx+18h]
		mov	ecx, esi
		push	0
		push	1
		mov	edx, [eax+14h]
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_94F0C9
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		push	0
		push	1
		mov	edx, [edx+14h]
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_94F0C9
		mov	eax, [ebp+var_4]
		mov	ecx, esi
		mov	edx, [ebp+var_1C]
		push	0
		push	1
		mov	edx, [edx+eax*4+1Ch]
		call	HvpMarkCellDirty
		test	al, al
		jz	loc_94F0C9
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+3]
		lea	ecx, [edi+ecx*4]
		cmp	dword ptr [ecx], 0FFFFFFFFh
		mov	[ebp+var_1C], ecx
		jnz	short loc_94F06B
		mov	ecx, [esi+9Ch]
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_24]
		push	ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		push	eax
		push	0Ch
		pop	edx
		mov	ecx, esi
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	edx, eax
		mov	eax, [ebp+var_10]
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_94F035
		mov	ebx, 0C000009Ah
		mov	[ebp+var_14], eax
		jmp	loc_94F0CE
; 

loc_94F035:				; CODE XREF: CmpLightWeightPrepareAddKeyUoW(x)+10Dj
		cmp	[ebp+var_14], 5
		sbb	ecx, ecx
		and	ecx, 0FFFFFE00h
		add	ecx, 686Ch
		mov	[eax], cx
		xor	ecx, ecx
		mov	[eax+2], cx
		mov	eax, [ebp+var_1C]
		mov	[eax], edx
		mov	eax, [ebp+var_4]
		and	[edi+eax*4+4], ecx
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		and	[ebp+var_14], 0
		mov	eax, [ebp+var_4]

loc_94F06B:				; CODE XREF: CmpLightWeightPrepareAddKeyUoW(x)+E7j
		mov	edx, [ebx+18h]
		push	eax
		mov	eax, [ebp+var_C]
		push	ecx
		mov	edx, [edx+14h]
		mov	ecx, esi
		push	26h
		push	dword ptr [eax+14h]
		push	esi
		call	_CmpCopyKeyPartial@28 ;	CmpCopyKeyPartial(x,x,x,x,x,x,x)
		mov	[ebp+var_8], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_94F092

loc_94F08B:				; CODE XREF: CmpLightWeightPrepareAddKeyUoW(x)+186j
		mov	ebx, 0C000009Ah
		jmp	short loc_94F0CE
; 

loc_94F092:				; CODE XREF: CmpLightWeightPrepareAddKeyUoW(x)+170j
		mov	edx, [ebp+var_1C]
		mov	ecx, esi
		push	eax
		call	CmpAddSubKeyToList
		test	al, al
		jz	short loc_94F08B
		mov	eax, [ebp+var_4]
		inc	dword ptr [edi+eax*4+4]
		mov	ecx, [ebx+18h]
		mov	eax, [ecx+14h]
		mov	[ebx+30h], eax
		xor	ebx, ebx
		mov	eax, [ebp+var_8]
		mov	[ecx+14h], eax
		mov	eax, [ebp+var_18]
		mov	[eax+40h], edi
		xor	edi, edi
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_8], eax
		jmp	short loc_94F0CE
; 

loc_94F0C9:				; CODE XREF: CmpLightWeightPrepareAddKeyUoW(x)+9Cj
					; CmpLightWeightPrepareAddKeyUoW(x)+B5j ...
		mov	ebx, 0C000017Dh

loc_94F0CE:				; CODE XREF: CmpLightWeightPrepareAddKeyUoW(x)+117j
					; CmpLightWeightPrepareAddKeyUoW(x)+177j ...
		lea	eax, [ebp+var_2C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	[ebp+var_14], 0
		jz	short loc_94F0E4
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_94F0E4:				; CODE XREF: CmpLightWeightPrepareAddKeyUoW(x)+1C1j
		mov	eax, [ebp+var_8]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_94F0F7
		push	0
		mov	edx, eax
		mov	ecx, esi
		call	CmpFreeKeyByCell

loc_94F0F7:				; CODE XREF: CmpLightWeightPrepareAddKeyUoW(x)+56j
					; CmpLightWeightPrepareAddKeyUoW(x)+84j ...
		test	edi, edi
		jz	short loc_94F10B
		mov	edx, edi
		mov	ecx, esi
		call	_CmpLightWeightCleanupModifyKeyDataUoW@8 ; CmpLightWeightCleanupModifyKeyDataUoW(x,x)
		mov	eax, [ebp+var_18]
		and	dword ptr [eax+40h], 0

loc_94F10B:				; CODE XREF: CmpLightWeightPrepareAddKeyUoW(x)+1E0j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_CmpLightWeightPrepareAddKeyUoW@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightPrepareDeleteKeyUoW(x, x)
_CmpLightWeightPrepareDeleteKeyUoW@8 proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+53p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		or	[ebp+var_18], 0FFFFFFFFh
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		push	esi
		push	edi
		mov	eax, [ebx+18h]
		mov	edi, [eax+10h]
		mov	eax, [ebx+2Ch]
		mov	[ebp+var_8], edi
		mov	esi, [eax+40h]
		mov	[ebp+var_4], esi
		test	esi, esi
		jnz	short loc_94F15E
		lea	edx, [ebp+var_4]
		call	_CmpLightWeightCreateModificationData@8	; CmpLightWeightCreateModificationData(x,x)
		mov	esi, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	loc_94F249
		mov	edi, [ebp+var_8]
		jmp	short loc_94F160
; 

loc_94F15E:				; CODE XREF: CmpLightWeightPrepareDeleteKeyUoW(x,x)+30j
		inc	dword ptr [esi]

loc_94F160:				; CODE XREF: CmpLightWeightPrepareDeleteKeyUoW(x,x)+4Aj
		mov	eax, [ebx+18h]
		lea	ecx, [ebp+var_18]
		push	ecx
		mov	eax, [eax+14h]
		push	eax
		push	edi
		mov	[ebp+var_4], eax
		call	dword ptr [edi+4]
		test	eax, eax
		jnz	short loc_94F180

loc_94F176:				; CODE XREF: CmpLightWeightPrepareDeleteKeyUoW(x,x)+D1j
		mov	edi, 0C000009Ah
		jmp	loc_94F249
; 

loc_94F180:				; CODE XREF: CmpLightWeightPrepareDeleteKeyUoW(x,x)+62j
		lea	eax, [ebp+var_18]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	edx, [ebp+var_4]
		push	ecx
		push	0
		mov	ecx, edi
		call	CmpMarkKeyDirty
		test	al, al
		jnz	short loc_94F1A3

loc_94F199:				; CODE XREF: CmpLightWeightPrepareDeleteKeyUoW(x,x)+A7j
		mov	edi, 0C000017Dh
		jmp	loc_94F249
; 

loc_94F1A3:				; CODE XREF: CmpLightWeightPrepareDeleteKeyUoW(x,x)+85j
		mov	eax, [ebx+18h]
		mov	ecx, edi
		push	0
		push	0
		mov	eax, [eax+24h]
		mov	edx, [eax+14h]
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_94F199
		mov	eax, [ebx+18h]
		mov	eax, [eax+6Ch]
		test	eax, eax
		jz	short loc_94F20F
		add	eax, 10h
		cmp	[eax], eax
		jz	short loc_94F20F
		push	31374D43h
		push	10h
		xor	ecx, ecx
		pop	edx
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	short loc_94F176
		mov	edi, ecx
		xor	eax, eax
		mov	edx, ecx
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ecx+8]
		mov	dword ptr [ecx+4], 0C0000001h
		mov	[eax+4], eax
		mov	[eax], eax
		mov	ecx, [ebx+18h]
		call	_CmpPrepareDiscardAndReplaceKcbAndUnbackedHigherLayers@8 ; CmpPrepareDiscardAndReplaceKcbAndUnbackedHigherLayers(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_94F231
		mov	edi, [ebp+var_8]

loc_94F20F:				; CODE XREF: CmpLightWeightPrepareDeleteKeyUoW(x,x)+B1j
					; CmpLightWeightPrepareDeleteKeyUoW(x,x)+B8j
		mov	ecx, [ebp+var_4]
		mov	eax, ecx
		shr	eax, 1Fh
		push	ecx
		mov	ecx, edi
		mov	[ebp+var_4], eax
		lea	edx, [eax+3]
		lea	edx, [esi+edx*4]
		call	_CmpRemoveSubKeyFromList@12 ; CmpRemoveSubKeyFromList(x,x,x)
		test	al, al
		jnz	short loc_94F259
		mov	edi, 0C000009Ah

loc_94F231:				; CODE XREF: CmpLightWeightPrepareDeleteKeyUoW(x,x)+F8j
		mov	ebx, [ebp+var_C]
		test	ebx, ebx
		jz	short loc_94F249
		mov	edx, [ebp+var_10]
		mov	ecx, ebx
		call	CmpCleanupDiscardReplaceContext
		mov	ecx, ebx
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_94F249:				; CODE XREF: CmpLightWeightPrepareDeleteKeyUoW(x,x)+41j
					; CmpLightWeightPrepareDeleteKeyUoW(x,x)+69j ...
		test	esi, esi
		jz	short loc_94F26B
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_CmpLightWeightCleanupModifyKeyDataUoW@8 ; CmpLightWeightCleanupModifyKeyDataUoW(x,x)
		jmp	short loc_94F26B
; 

loc_94F259:				; CODE XREF: CmpLightWeightPrepareDeleteKeyUoW(x,x)+118j
		mov	eax, [ebp+var_4]
		dec	dword ptr [esi+eax*4+4]
		xor	edi, edi
		mov	eax, [ebp+var_C]
		mov	[ebx+40h], esi
		mov	[ebx+44h], eax

loc_94F26B:				; CODE XREF: CmpLightWeightPrepareDeleteKeyUoW(x,x)+139j
					; CmpLightWeightPrepareDeleteKeyUoW(x,x)+145j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpLightWeightPrepareDeleteKeyUoW@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightPrepareDeleteValueKeyUoW(x)
_CmpLightWeightPrepareDeleteValueKeyUoW@4 proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+D9p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		or	[ebp+var_2C], 0FFFFFFFFh
		xor	eax, eax
		or	[ebp+var_24], 0FFFFFFFFh
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_28], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		mov	eax, [ebx+18h]
		push	esi
		mov	esi, [ebx+40h]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], esi
		push	edi
		mov	edi, [eax+10h]
		test	esi, esi
		jnz	short loc_94F2CF
		lea	edx, [ebp+var_8]
		call	CmpLightWeightCreateSetValueData
		mov	esi, eax
		test	esi, esi
		js	loc_94F3F9
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		mov	edx, [ebx+18h]
		call	_CmpLightWeightUpdateSharedSetValueData@8 ; CmpLightWeightUpdateSharedSetValueData(x,x)
		dec	dword ptr [esi]

loc_94F2CF:				; CODE XREF: CmpLightWeightPrepareDeleteValueKeyUoW(x)+3Aj
		push	77554D43h
		push	10h
		xor	ecx, ecx
		pop	edx
		inc	ecx
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_94F2EF
		mov	esi, 0C000009Ah
		jmp	loc_94F3F9
; 

loc_94F2EF:				; CODE XREF: CmpLightWeightPrepareDeleteValueKeyUoW(x)+71j
		and	dword ptr [ebx+8], 0
		lea	ecx, [ebp+var_2C]
		and	dword ptr [ebx+0Ch], 0
		mov	eax, [ebp+var_10]
		or	dword ptr [ebx], 0FFFFFFFFh
		or	dword ptr [ebx+4], 0FFFFFFFFh
		push	ecx
		mov	eax, [eax+30h]
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_94F31E
		mov	esi, 0C000009Ah
		jmp	loc_94F3E9
; 

loc_94F31E:				; CODE XREF: CmpLightWeightPrepareDeleteValueKeyUoW(x)+A0j
		push	62534D43h
		push	8000h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_94F340

loc_94F336:				; CODE XREF: CmpLightWeightPrepareDeleteValueKeyUoW(x)+F9j
		mov	esi, 0C000009Ah
		jmp	loc_94F3D2
; 

loc_94F340:				; CODE XREF: CmpLightWeightPrepareDeleteValueKeyUoW(x)+C2j
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_18]
		push	eax
		call	_CmpInitializeValueNameString@12 ; CmpInitializeValueNameString(x,x,x)
		lea	ecx, [ebp+var_4]
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		lea	eax, [esi+4]
		push	0
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_8], eax
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	_CmpFindNameInList@24 ;	CmpFindNameInList(x,x,x,x,x,x)
		test	al, al
		jz	short loc_94F336
		mov	esi, [ebp+var_4]
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		push	edi
		call	dword ptr [edi+4]
		mov	edx, eax
		mov	[ebp+var_14], eax
		mov	ecx, edi
		call	_CmpMarkValueDataDirty@8 ; CmpMarkValueDataDirty(x,x)
		test	al, al
		jnz	short loc_94F390

loc_94F389:				; CODE XREF: CmpLightWeightPrepareDeleteValueKeyUoW(x)+12Dj
		mov	esi, 0C000017Dh
		jmp	short loc_94F3C4
; 

loc_94F390:				; CODE XREF: CmpLightWeightPrepareDeleteValueKeyUoW(x)+115j
		push	0
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_94F389
		push	[ebp+var_8]
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	_CmpRemoveValueFromList@12 ; CmpRemoveValueFromList(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_94F3C4
		mov	eax, [ebp+var_4]
		xor	esi, esi
		mov	[ebx+4], eax
		mov	eax, [ebp+var_10]
		mov	[eax+44h], ebx
		xor	ebx, ebx

loc_94F3C4:				; CODE XREF: CmpLightWeightPrepareDeleteValueKeyUoW(x)+11Cj
					; CmpLightWeightPrepareDeleteValueKeyUoW(x)+140j
		cmp	[ebp+var_14], 0
		jz	short loc_94F3D2
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_94F3D2:				; CODE XREF: CmpLightWeightPrepareDeleteValueKeyUoW(x)+C9j
					; CmpLightWeightPrepareDeleteValueKeyUoW(x)+156j
		lea	eax, [ebp+var_2C]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_94F3E9
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_94F3E9:				; CODE XREF: CmpLightWeightPrepareDeleteValueKeyUoW(x)+A7j
					; CmpLightWeightPrepareDeleteValueKeyUoW(x)+16Dj
		test	ebx, ebx
		jz	short loc_94F3F9
		mov	edx, 77554D43h
		mov	ecx, ebx
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_94F3F9:				; CODE XREF: CmpLightWeightPrepareDeleteValueKeyUoW(x)+48j
					; CmpLightWeightPrepareDeleteValueKeyUoW(x)+78j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmpLightWeightPrepareDeleteValueKeyUoW@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightPrepareRenameKeyUoW(x)
_CmpLightWeightPrepareRenameKeyUoW@4 proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+9Ap

var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		or	[ebp+var_38], 0FFFFFFFFh
		xor	eax, eax
		or	[ebp+var_30], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_34], eax
		mov	[ebp+var_2C], eax
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_14], eax
		mov	eax, [esi+18h]
		push	edi
		lea	edi, [ebp+var_44]
		mov	[ebp+var_1C], esi
		mov	ebx, [eax+10h]
		mov	eax, [esi+28h]
		mov	[ebp+var_8], eax
		xor	eax, eax
		stosd
		stosd
		stosd
		call	_CmpInitializeDelayDerefContext@4 ; CmpInitializeDelayDerefContext(x)
		mov	eax, [esi+2Ch]
		mov	edi, [eax+40h]
		mov	[ebp+var_10], edi
		test	edi, edi
		jnz	short loc_94F46E
		lea	edx, [ebp+var_10]
		mov	ecx, esi
		call	_CmpLightWeightCreateModificationData@8	; CmpLightWeightCreateModificationData(x,x)
		mov	edi, [ebp+var_10]
		mov	esi, eax
		test	esi, esi
		js	loc_94F682
		mov	esi, [ebp+var_1C]
		jmp	short loc_94F470
; 

loc_94F46E:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+50j
		inc	dword ptr [edi]

loc_94F470:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+6Cj
		mov	ecx, [esi+18h]
		call	CmpReferenceKeyControlBlock
		mov	eax, [esi+18h]
		mov	ecx, [esi+30h]
		mov	[ebp+var_10], eax
		call	CmpReferenceKeyControlBlock
		mov	eax, [esi+30h]
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_C], eax
		mov	eax, [esi+18h]
		push	ecx
		mov	eax, [eax+24h]
		mov	eax, [eax+14h]
		push	eax
		push	ebx
		call	dword ptr [ebx+4]
		test	eax, eax
		jnz	short loc_94F4AC
		mov	esi, 0C000009Ah
		jmp	loc_94F65C
; 

loc_94F4AC:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+A0j
		mov	eax, [esi+18h]
		mov	ecx, ebx
		push	0
		push	1
		mov	eax, [eax+24h]
		mov	edx, [eax+14h]
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_94F4CE

loc_94F4C4:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+E1j
					; CmpLightWeightPrepareRenameKeyUoW(x)+F6j
		mov	esi, 0C000017Dh
		jmp	loc_94F654
; 

loc_94F4CE:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+C2j
		mov	eax, [esi+18h]
		mov	ecx, ebx
		push	0
		push	1
		mov	edx, [eax+14h]
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_94F4C4
		mov	eax, [esi+30h]
		mov	ecx, ebx
		push	0
		push	1
		mov	edx, [eax+14h]
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_94F4C4
		mov	edx, [esi+18h]
		mov	ecx, ebx
		mov	eax, [ebp+var_8]
		push	eax
		push	ebx
		mov	edx, [edx+14h]
		call	_CmpCopyCell@16	; CmpCopyCell(x,x,x,x)
		mov	[ebp+var_4], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_94F51C
		mov	esi, 0C000009Ah
		jmp	loc_94F654
; 

loc_94F51C:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+110j
		mov	ecx, [ebp+var_8]
		lea	edx, [ecx+3]
		lea	edx, [edi+edx*4]
		cmp	dword ptr [edx], 0FFFFFFFFh
		mov	[ebp+var_18], edx
		jnz	short loc_94F590
		mov	eax, [ebx+9Ch]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	ecx
		push	0Ch
		pop	edx
		mov	ecx, ebx
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	ecx, [ebp+var_18]
		mov	[ecx], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_94F55D

loc_94F553:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+19Aj
					; CmpLightWeightPrepareRenameKeyUoW(x)+1BEj ...
		mov	esi, 0C000009Ah
		jmp	loc_94F641
; 

loc_94F55D:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+151j
		cmp	[ebp+var_20], 5
		mov	eax, [ebp+var_14]
		sbb	ecx, ecx
		and	ecx, 0FFFFFE00h
		add	ecx, 686Ch
		mov	[eax], cx
		xor	ecx, ecx
		mov	[eax+2], cx
		mov	eax, [ebp+var_8]
		and	[edi+eax*4+4], ecx
		lea	eax, [ebp+var_30]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_18]

loc_94F590:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+12Bj
		push	eax
		mov	ecx, ebx
		call	CmpAddSubKeyToList
		test	al, al
		jz	short loc_94F553
		mov	eax, [ebp+var_8]
		mov	ecx, ebx
		inc	dword ptr [edi+eax*4+4]
		mov	eax, [esi+30h]
		mov	eax, [eax+14h]
		mov	esi, eax
		shr	esi, 1Fh
		push	eax
		lea	edx, [esi+3]
		lea	edx, [edi+edx*4]
		call	_CmpRemoveSubKeyFromList@12 ; CmpRemoveSubKeyFromList(x,x,x)
		test	al, al
		jz	short loc_94F553
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		dec	dword ptr [edi+esi*4+4]
		call	_CmpMarkAllChildrenDirty@8 ; CmpMarkAllChildrenDirty(x,x)
		test	al, al
		jz	short loc_94F553
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_44]
		xor	edx, edx
		push	eax
		inc	edx
		call	_CmpPrepareToInvalidateAllHigherLayerKcbs@12 ; CmpPrepareToInvalidateAllHigherLayerKcbs(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_94F641
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_44]
		xor	edx, edx
		push	eax
		inc	edx
		call	_CmpPrepareToInvalidateAllHigherLayerKcbs@12 ; CmpPrepareToInvalidateAllHigherLayerKcbs(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_94F641
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_28]
		push	eax
		xor	edx, edx
		push	8
		inc	edx
		call	_CmpInvalidateAllHigherLayerKcbs@16 ; CmpInvalidateAllHigherLayerKcbs(x,x,x,x)
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_28]
		push	eax
		xor	edx, edx
		push	8
		inc	edx
		call	_CmpInvalidateAllHigherLayerKcbs@16 ; CmpInvalidateAllHigherLayerKcbs(x,x,x,x)
		mov	edx, [ebp+var_1C]
		xor	esi, esi
		and	[ebp+var_C], esi
		mov	ecx, [edx+18h]
		mov	[edx+40h], edi
		xor	edi, edi
		mov	eax, [ecx+14h]
		mov	[edx+34h], eax
		mov	eax, [ebp+var_4]
		or	[ebp+var_4], 0FFFFFFFFh
		and	[ebp+var_10], esi
		mov	[ecx+14h], eax

loc_94F641:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+158j
					; CmpLightWeightPrepareRenameKeyUoW(x)+1E5j ...
		mov	eax, [ebp+var_4]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_94F654
		push	0
		mov	edx, eax
		mov	ecx, ebx
		call	CmpFreeKeyByCell

loc_94F654:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+C9j
					; CmpLightWeightPrepareRenameKeyUoW(x)+117j ...
		lea	eax, [ebp+var_38]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]

loc_94F65C:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+A7j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_94F66F
		push	0
		lea	edx, [ebp+var_28]
		mov	ecx, eax
		call	CmpDereferenceKeyControlBlockWithLock

loc_94F66F:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+261j
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_94F682
		push	0
		lea	edx, [ebp+var_28]
		mov	ecx, eax
		call	CmpDereferenceKeyControlBlockWithLock

loc_94F682:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+63j
					; CmpLightWeightPrepareRenameKeyUoW(x)+274j
		test	edi, edi
		jz	short loc_94F68F
		mov	edx, edi
		mov	ecx, ebx
		call	_CmpLightWeightCleanupModifyKeyDataUoW@8 ; CmpLightWeightCleanupModifyKeyDataUoW(x,x)

loc_94F68F:				; CODE XREF: CmpLightWeightPrepareRenameKeyUoW(x)+284j
		lea	ecx, [ebp+var_44]
		call	CmpCleanupRollbackPacket
		xor	dl, dl
		lea	ecx, [ebp+var_28]
		call	CmpDrainDelayDerefContext
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmpLightWeightPrepareRenameKeyUoW@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightPrepareSetKeyUserFlags(x)
_CmpLightWeightPrepareSetKeyUserFlags@4	proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+104p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+18h]
		or	[ebp+var_8], 0FFFFFFFFh
		and	[ebp+var_4], 0
		push	esi
		mov	esi, [eax+14h]
		push	edi
		mov	edi, [eax+10h]
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jnz	short loc_94F6D6
		mov	esi, 0C000009Ah
		jmp	short loc_94F6FE
; 

loc_94F6D6:				; CODE XREF: CmpLightWeightPrepareSetKeyUserFlags(x)+25j
		push	0
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	HvpMarkCellDirty
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFE83h
		add	esi, 0C000017Dh
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_94F6FE:				; CODE XREF: CmpLightWeightPrepareSetKeyUserFlags(x)+2Cj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_CmpLightWeightPrepareSetKeyUserFlags@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightPrepareSetSecDescUoW(x)
_CmpLightWeightPrepareSetSecDescUoW@4 proc near
					; CODE XREF: CmpProcessLightWeightUOW(x,x,x,x)+11Fp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		or	[ebp+var_30], 0FFFFFFFFh
		mov	eax, ecx
		or	[ebp+var_28], 0FFFFFFFFh
		xor	ecx, ecx
		or	[ebp+var_38], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_C], eax
		mov	eax, [eax+18h]
		push	77554D43h
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_34], ecx
		mov	esi, [eax+14h]
		mov	edi, [eax+10h]
		push	8
		push	1
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_20], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_94F75B
		mov	esi, 0C000009Ah
		jmp	loc_94F89E
; 

loc_94F75B:				; CODE XREF: CmpLightWeightPrepareSetSecDescUoW(x)+4Bj
		or	dword ptr [ebx], 0FFFFFFFFh
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		push	edi
		mov	[ebx+4], edi
		call	dword ptr [edi+4]
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_94F77B

loc_94F771:				; CODE XREF: CmpLightWeightPrepareSetSecDescUoW(x)+A0j
					; CmpLightWeightPrepareSetSecDescUoW(x)+B9j
		mov	esi, 0C000009Ah
		jmp	loc_94F85A
; 

loc_94F77B:				; CODE XREF: CmpLightWeightPrepareSetSecDescUoW(x)+6Bj
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	loc_94F855
		mov	eax, [ebp+var_C]
		lea	ecx, [ebp+var_28]
		push	ecx
		mov	eax, [eax+34h]
		push	eax
		push	edi
		call	dword ptr [edi+4]
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	short loc_94F771
		mov	eax, [ebp+var_4]
		lea	ecx, [ebp+var_38]
		push	ecx
		mov	eax, [eax+2Ch]
		push	eax
		push	edi
		mov	[ebp+var_14], eax
		call	dword ptr [edi+4]
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_94F771
		mov	ecx, [eax+8]
		mov	eax, [eax+4]
		mov	edx, [ebp+var_14]
		mov	[ebp+var_18], ecx
		mov	ecx, edi
		push	1
		mov	[ebp+var_1C], eax
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	short loc_94F855
		mov	edx, [ebp+var_18]
		mov	ecx, edi
		push	1
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	short loc_94F855
		mov	edx, [ebp+var_1C]
		mov	ecx, edi
		push	1
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		test	al, al
		jz	short loc_94F855
		mov	edx, [ebp+var_20]
		lea	eax, [esi+14h]
		push	ebx		; int
		push	1		; int
		push	eax		; void *
		mov	eax, edx
		mov	ecx, edi
		shr	eax, 1Fh
		push	eax		; int
		push	[ebp+var_4]	; int
		call	_CmpGetSecurityDescriptorNodeEx@28 ; CmpGetSecurityDescriptorNodeEx(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_94F85A
		lea	eax, [ebp+var_28]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	eax, [ebx]
		lea	ecx, [ebp+var_28]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		push	1
		mov	ecx, edi
		mov	[ebp+var_8], eax
		mov	edx, [eax+8]
		mov	esi, [eax+4]
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	_HvMarkCellDirty@12 ; HvMarkCellDirty(x,x,x)
		mov	eax, [ebp+var_C]
		xor	esi, esi
		mov	[eax+40h], ebx
		jmp	short loc_94F874
; 

loc_94F855:				; CODE XREF: CmpLightWeightPrepareSetSecDescUoW(x)+84j
					; CmpLightWeightPrepareSetSecDescUoW(x)+D5j ...
		mov	esi, 0C000017Dh

loc_94F85A:				; CODE XREF: CmpLightWeightPrepareSetSecDescUoW(x)+72j
					; CmpLightWeightPrepareSetSecDescUoW(x)+115j
		mov	edx, [ebx]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_94F869
		mov	ecx, [ebx+4]
		call	_CmpDereferenceSecurityNode@8 ;	CmpDereferenceSecurityNode(x,x)

loc_94F869:				; CODE XREF: CmpLightWeightPrepareSetSecDescUoW(x)+15Bj
		push	77554D43h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_94F874:				; CODE XREF: CmpLightWeightPrepareSetSecDescUoW(x)+14Fj
		cmp	[ebp+var_4], 0
		jz	short loc_94F882
		lea	eax, [ebp+var_30]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_94F882:				; CODE XREF: CmpLightWeightPrepareSetSecDescUoW(x)+174j
		cmp	[ebp+var_8], 0
		jz	short loc_94F890
		lea	eax, [ebp+var_28]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_94F890:				; CODE XREF: CmpLightWeightPrepareSetSecDescUoW(x)+182j
		cmp	[ebp+var_10], 0
		jz	short loc_94F89E
		lea	eax, [ebp+var_38]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_94F89E:				; CODE XREF: CmpLightWeightPrepareSetSecDescUoW(x)+52j
					; CmpLightWeightPrepareSetSecDescUoW(x)+190j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmpLightWeightPrepareSetSecDescUoW@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightSwapParentSubKeyList(x, x, x)
_CmpLightWeightSwapParentSubKeyList@12 proc near
					; CODE XREF: CmpLightWeightCommitAddKeyUoW(x,x)+FBp
					; CmpLightWeightCommitDeleteKeyUoW(x,x,x)+C3p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		or	[ebp+var_10], 0FFFFFFFFh
		lea	eax, [ebp+var_10]
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		push	eax
		mov	edi, ecx
		push	edx
		push	edi
		mov	[ebp+var_8], edi
		call	dword ptr [edi+4]
		mov	ebx, [ebp+arg_0]
		mov	esi, eax
		push	2
		mov	[ebp+var_4], esi
		add	ebx, 4
		lea	edi, [esi+14h]
		pop	esi

loc_94F8D7:				; CODE XREF: CmpLightWeightSwapParentSubKeyList(x,x,x)+4Fj
		mov	eax, [ebx+8]
		mov	ecx, [edi+8]
		mov	edx, [edi]
		mov	[edi+8], eax
		mov	eax, [ebx]
		mov	[edi], eax
		lea	edi, [edi+4]
		mov	[ebx+8], ecx
		mov	[ebx], edx
		lea	ebx, [ebx+4]
		sub	esi, 1
		jnz	short loc_94F8D7
		mov	esi, [ebp+var_4]
		mov	edi, [ebp+var_8]
		mov	eax, [esi+18h]
		add	eax, [esi+14h]
		jnz	short loc_94F90D
		xor	eax, eax
		and	[esi+38h], eax
		mov	[esi+34h], ax

loc_94F90D:				; CODE XREF: CmpLightWeightSwapParentSubKeyList(x,x,x)+5Dj
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_CmpLightWeightSwapParentSubKeyList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLightWeightUpdateModificationActions(x, x, x)
_CmpLightWeightUpdateModificationActions@12 proc near
					; CODE XREF: CmpLightWeightCreateModificationData(x,x)+6Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	ebx, [edx+70h]
		mov	esi, ecx

loc_94F931:				; CODE XREF: CmpLightWeightUpdateModificationActions(x,x,x)+36j
					; CmpLightWeightUpdateModificationActions(x,x,x)+3Bj ...
		push	10h
		lea	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_CmListGetNextElement@12 ; CmListGetNextElement(x,x,x)
		test	eax, eax
		jz	short loc_94F95E
		mov	ecx, [eax+24h]
		sub	ecx, 1
		jz	short loc_94F954
		dec	ecx
		sub	ecx, 1
		jz	short loc_94F954
		sub	ecx, 7
		jnz	short loc_94F931

loc_94F954:				; CODE XREF: CmpLightWeightUpdateModificationActions(x,x,x)+2Bj
					; CmpLightWeightUpdateModificationActions(x,x,x)+31j
		cmp	[eax+1Ch], edi
		jnz	short loc_94F931
		mov	[eax+40h], esi
		jmp	short loc_94F931
; 

loc_94F95E:				; CODE XREF: CmpLightWeightUpdateModificationActions(x,x,x)+23j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	4
_CmpLightWeightUpdateModificationActions@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpRefreshParent(x,	x, x, x)
_CmpRefreshParent@16 proc near		; DATA XREF: CmpCommitDiscardReplacePost(x,x,x)+F9o
					; CmpLightWeightCommitRenameKeyUoW(x,x,x)+E5o

arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	esi
		mov	esi, [eax]
		mov	ecx, [eax+4]
		mov	eax, [ebp+arg_0]
		cmp	[eax+24h], esi
		jnz	short loc_94F99F
		add	dword ptr [eax+0A8h], 1
		mov	[eax+24h], ecx
		adc	dword ptr [eax+0ACh], 0
		cmp	dword ptr [esi], 0
		jz	short loc_94F99F
		call	CmpReferenceKeyControlBlockUnsafe
		mov	ecx, esi
		call	CmpDereferenceKeyControlBlockUnsafe

loc_94F99F:				; CODE XREF: CmpRefreshParent(x,x,x,x)+14j
					; CmpRefreshParent(x,x,x,x)+2Aj
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	10h
_CmpRefreshParent@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFullPromoteHiveRootFromKcbStack(x)
_CmpFullPromoteHiveRootFromKcbStack@4 proc near	; CODE XREF: CmpPromoteKey(x,x,x)+11Ep

var_34		= dword	ptr -34h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [ebp+var_34]
		mov	edi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_34] ; void *
		call	_CmpInitializeKeyNodeStack@4 ; CmpInitializeKeyNodeStack(x)
		movzx	eax, word ptr [edi+2]
		movsx	ebx, ax
		lfence	eax
		cmp	ax, 2
		jl	short loc_94F9EE
		mov	eax, [edi+0Ch]
		mov	ebx, [eax+ebx*4-8]
		jmp	short loc_94F9F2
; 

loc_94F9EE:				; CODE XREF: CmpFullPromoteHiveRootFromKcbStack(x)+3Dj
		mov	ebx, [edi+ebx*4+4]

loc_94F9F2:				; CODE XREF: CmpFullPromoteHiveRootFromKcbStack(x)+46j
		push	0
		mov	edx, edi
		lea	ecx, [ebp+var_34]
		call	_CmpStartKeyNodeStackFromKcbStack@12 ; CmpStartKeyNodeStackFromKcbStack(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_94FA3C
		lea	edx, [ebp+var_34]
		xor	ecx, ecx
		call	_CmpFullPromoteSingleKeyFromKeyNodeStacks@8 ; CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_94FA3C
		mov	dx, [edi+2]
		lea	ecx, [ebp+var_34]
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		add	dword ptr [ebx+0A8h], 1
		mov	ecx, ebx
		push	0
		pop	esi
		adc	[ebx+0ACh], esi
		mov	edx, [eax+8]
		push	esi
		push	esi
		call	_CmpRebuildKcbCacheFromNode@16 ; CmpRebuildKcbCacheFromNode(x,x,x,x)

loc_94FA3C:				; CODE XREF: CmpFullPromoteHiveRootFromKcbStack(x)+5Cj
					; CmpFullPromoteHiveRootFromKcbStack(x)+6Cj
		lea	ecx, [ebp+var_34]
		call	CmpCleanupKeyNodeStack
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpFullPromoteHiveRootFromKcbStack@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFullPromoteSingleKeyFromKeyNodeStacks(x,	x)
_CmpFullPromoteSingleKeyFromKeyNodeStacks@8 proc near ;	CODE XREF: CmSaveKey(x,x,x,x)+2BDp
					; CmpFullPromoteHiveRootFromKcbStack(x)+63p ...

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3A		= word ptr -3Ah
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	3Ch		; size_t
		xor	edi, edi
		lea	eax, [ebp+var_40]
		mov	ebx, edx
		mov	esi, ecx
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_48], ebx
		call	_memset
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_68], edi
		mov	eax, ecx
		mov	[ebp+var_58], ecx
		add	esp, 0Ch
		mov	[ebp+var_44], eax
		mov	[ebp+var_70], eax
		xor	eax, eax
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_6C], ecx
		lea	ecx, [ebp+var_40] ; void *
		mov	[ebp+var_60], edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_74], edi
		mov	word ptr [ebp+var_68], ax
		call	_CmpValueEnumStackInitialize@4 ; CmpValueEnumStackInitialize(x)
		movzx	edx, word ptr [ebx]
		mov	ecx, ebx
		mov	[ebp+var_78], edx
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	edi, eax
		test	esi, esi
		jz	short loc_94FACC
		mov	ecx, esi
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		jmp	short loc_94FACE
; 

loc_94FACC:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+6Cj
		xor	eax, eax

loc_94FACE:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+75j
		mov	ebx, [edi]
		mov	[ebp+var_54], eax
		mov	eax, [edi+4]
		shr	eax, 1Fh
		mov	[ebp+var_5C], eax
		mov	eax, [edi+8]
		cmp	byte ptr [eax+0Dh], 0
		jge	short loc_94FB41
		lea	eax, [edx-1]
		movzx	edx, ax
		test	dx, dx
		js	short loc_94FB41
		mov	ecx, [ebp+var_48]

loc_94FAF3:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+B6j
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	esi, eax
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_94FB07
		cmp	byte ptr [eax+0Dh], 0
		jge	short loc_94FB0F

loc_94FB07:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+AAj
		dec	edx
		test	dx, dx
		jns	short loc_94FAF3
		jmp	short loc_94FB41
; 

loc_94FB0F:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+B0j
		xor	ecx, ecx
		cmp	[eax+4Ah], cx
		jz	short loc_94FB41
		push	[ebp+var_5C]
		mov	edx, [eax+30h]
		mov	ecx, [esi]
		push	ebx
		call	_CmpCopyCell@16	; CmpCopyCell(x,x,x,x)
		mov	[ebp+var_58], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_94FB37

loc_94FB2D:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+14Bj
		mov	esi, 0C000009Ah
		jmp	loc_94FD57
; 

loc_94FB37:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+D6j
		mov	eax, [esi+8]
		movzx	eax, word ptr [eax+4Ah]
		mov	[ebp+var_60], eax

loc_94FB41:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+8Ej
					; CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+99j ...
		mov	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_CmpValueEnumStackStartFromKeyNodeStack@8 ; CmpValueEnumStackStartFromKeyNodeStack(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_94FD57
		xor	eax, eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_48], eax

loc_94FB5E:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+12Ej
					; CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+1A7j
		lea	ecx, [ebp+var_40]
		call	_CmpValueEnumStackAdvance@4 ; CmpValueEnumStackAdvance(x)
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	loc_94FC07
		test	esi, esi
		js	loc_94FD57
		mov	eax, [ebp+var_78]
		cmp	[ebp+var_3A], ax
		jz	short loc_94FB5E
		lea	ecx, [ebp+var_40]
		call	_CmpValueEnumStackGetCurrentValueHive@4	; CmpValueEnumStackGetCurrentValueHive(x)
		push	[ebp+var_5C]
		mov	edx, [ebp+var_40]
		mov	ecx, eax
		push	ebx
		call	_CmpCopyValue@16 ; CmpCopyValue(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0FFFFFFFFh
		jz	short loc_94FB2D
		lea	eax, [ebp+var_6C]
		push	eax
		push	esi
		push	ebx
		call	dword ptr [ebx+4]
		test	byte ptr [eax+10h], 1
		movzx	ecx, word ptr [eax+2]
		jz	short loc_94FBBA
		add	ecx, ecx
		movzx	ecx, cx

loc_94FBBA:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+15Ej
		mov	eax, [eax+4]
		movzx	ecx, cx
		cmp	eax, 80000000h
		jb	short loc_94FBCC
		add	eax, 80000000h

loc_94FBCC:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+170j
		cmp	eax, [ebp+var_64]
		jbe	short loc_94FBD4
		mov	[ebp+var_64], eax

loc_94FBD4:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+17Aj
		cmp	ecx, [ebp+var_48]
		jbe	short loc_94FBDC
		mov	[ebp+var_48], ecx

loc_94FBDC:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+182j
		lea	eax, [ebp+var_6C]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		push	1
		lea	eax, [ebp+var_50]
		mov	edx, esi
		push	eax
		push	1
		push	[ebp+var_50]
		mov	ecx, ebx
		call	CmpAddValueToListEx
		mov	esi, eax
		test	esi, esi
		jns	loc_94FB5E
		jmp	loc_94FD57
; 

loc_94FC07:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+119j
		cmp	[ebp+var_50], 0
		jz	short loc_94FC3B
		mov	edx, [edi+8]
		lea	eax, [ebp+var_74]
		push	eax
		push	[ebp+var_5C]
		lea	eax, [ebp+var_50]
		add	edx, 24h
		push	eax
		mov	ecx, ebx
		call	_CmpConcatenateValueLists@20 ; CmpConcatenateValueLists(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_94FC33
		mov	esi, [ebp+var_70]
		mov	[ebp+var_44], esi
		jmp	short loc_94FC3E
; 

loc_94FC33:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+1D4j
		mov	edi, [ebp+var_70]
		jmp	loc_94FD5A
; 

loc_94FC3B:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+1B6j
		mov	esi, [ebp+var_44]

loc_94FC3E:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+1DCj
		mov	eax, [edi+8]
		cmp	byte ptr [eax+0Dh], 0
		jge	short loc_94FC8D
		mov	edx, [edi+4]
		xor	eax, eax
		mov	ecx, [edi]
		push	eax
		push	eax
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_94FC63

loc_94FC59:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+236j
					; CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+24Dj ...
		mov	esi, 0C000017Dh
		jmp	loc_94FD57
; 

loc_94FC63:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+202j
		mov	edx, [ebp+var_54]
		test	edx, edx
		jz	short loc_94FC8D
		mov	ecx, [edx+8]
		mov	eax, [ebp+var_60]
		movzx	eax, ax
		cmp	[ecx+38h], eax
		jnb	short loc_94FC8D
		mov	ecx, [ebp+var_54]
		xor	eax, eax
		mov	edx, [edx+4]
		push	eax
		push	eax
		mov	ecx, [ecx]
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_94FC59

loc_94FC8D:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+1F0j
					; CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+213j ...
		cmp	esi, 0FFFFFFFFh
		jz	short loc_94FCBE
		mov	edx, [edi+4]
		xor	eax, eax
		mov	ecx, [edi]
		push	eax
		push	eax
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_94FC59
		mov	eax, [edi+8]
		mov	edx, [eax+28h]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_94FCBE
		mov	ecx, [edi]
		xor	eax, eax
		push	eax
		push	eax
		call	HvpMarkCellDirty
		test	al, al
		jz	short loc_94FC59

loc_94FCBE:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+23Bj
					; CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+258j
		mov	ecx, [edi+8]
		mov	al, [ecx+0Dh]
		test	al, al
		jns	short loc_94FCF9
		and	al, 7Fh
		mov	[ecx+0Dh], al
		mov	eax, [edi+8]
		mov	ecx, [ebp+var_58]
		or	[ebp+var_58], 0FFFFFFFFh
		mov	[eax+30h], ecx
		mov	eax, [edi+8]
		mov	ecx, [ebp+var_60]
		mov	[eax+4Ah], cx
		mov	eax, [ebp+var_54]
		test	eax, eax
		jz	short loc_94FCF9
		mov	eax, [eax+8]
		movzx	ecx, cx
		cmp	[eax+38h], ecx
		jnb	short loc_94FCF9
		mov	[eax+38h], ecx

loc_94FCF9:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+271j
					; CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+294j ...
		cmp	esi, 0FFFFFFFFh
		jz	short loc_94FD53
		mov	eax, [edi+8]
		mov	edx, [eax+28h]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_94FD13
		mov	ecx, [edi]
		call	HvFreeCell
		mov	eax, [edi+8]

loc_94FD13:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+2B2j
		mov	ecx, [ebp+var_74]
		mov	[eax+24h], ecx
		mov	ecx, [ebp+var_64]
		mov	[eax+28h], esi
		or	esi, 0FFFFFFFFh
		mov	eax, [edi+8]
		mov	[ebp+var_44], esi
		cmp	[eax+40h], ecx
		jnb	short loc_94FD33
		mov	[eax+40h], ecx
		mov	eax, [edi+8]

loc_94FD33:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+2D6j
		mov	ecx, [ebp+var_48]
		cmp	[eax+3Ch], ecx
		jnb	short loc_94FD3E
		mov	[eax+3Ch], ecx

loc_94FD3E:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+2E4j
		mov	edx, [ebp+var_4C]
		mov	ecx, ebx
		call	HvFreeCell
		or	[ebp+var_4C], 0FFFFFFFFh
		xor	eax, eax
		mov	[ebp+var_50], eax
		jmp	short loc_94FD55
; 

loc_94FD53:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+2A7j
		xor	eax, eax

loc_94FD55:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+2FCj
		mov	esi, eax

loc_94FD57:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+DDj
					; CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+FBj ...
		mov	edi, [ebp+var_44]

loc_94FD5A:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+1E1j
		lea	ecx, [ebp+var_40]
		call	_CmpValueEnumStackCleanup@4 ; CmpValueEnumStackCleanup(x)
		cmp	[ebp+var_4C], 0FFFFFFFFh
		jz	short loc_94FD72
		lea	edx, [ebp+var_50]
		mov	ecx, ebx
		call	_CmpFreeKeyValueList@8 ; CmpFreeKeyValueList(x,x)

loc_94FD72:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+311j
		cmp	edi, 0FFFFFFFFh
		jz	short loc_94FD80
		mov	edx, edi
		mov	ecx, ebx
		call	HvFreeCell

loc_94FD80:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+320j
		mov	eax, [ebp+var_58]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_94FD91
		mov	edx, eax
		mov	ecx, ebx
		call	HvFreeCell

loc_94FD91:				; CODE XREF: CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)+331j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpFullPromoteSingleKeyFromKeyNodeStacks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPartialPromoteSingleKeyFromKeyNodeStacks(x, x)
_CmpPartialPromoteSingleKeyFromKeyNodeStacks@8 proc near
					; CODE XREF: CmpPromoteSingleKeyFromKcbStacks(x,x,x)+D5p
					; CmpPromoteSingleKeyFromParentKcbAndChildKeyNode(x,x,x)+87p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		or	[ebp+var_4], 0FFFFFFFFh
		mov	eax, edx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], eax
		push	edi
		mov	ecx, eax
		movzx	edi, word ptr [esi]
		mov	edx, edi
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	ebx, eax
		mov	ecx, esi
		mov	[ebp+var_14], ebx
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		cmp	dword ptr [ebx+4], 0FFFFFFFFh
		mov	esi, eax
		mov	[ebp+var_10], esi
		jz	short loc_94FDDF
		xor	edi, edi
		jmp	short loc_94FE5C
; 

loc_94FDDF:				; CODE XREF: CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+37j
		xor	eax, eax
		test	di, di
		mov	edi, [ebp+var_C]
		mov	[ebp+var_8], eax
		js	short loc_94FE07

loc_94FDEC:				; CODE XREF: CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+5Bj
		mov	ecx, edi
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		cmp	dword ptr [eax+4], 0FFFFFFFFh
		jnz	short loc_94FE04
		dec	edx
		test	dx, dx
		jns	short loc_94FDEC
		mov	eax, [ebp+var_8]
		jmp	short loc_94FE07
; 

loc_94FE04:				; CODE XREF: CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+55j
		mov	[ebp+var_8], eax

loc_94FE07:				; CODE XREF: CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+48j
					; CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+60j
		mov	ecx, [esi+4]
		test	ecx, ecx
		jns	short loc_94FE13
		xor	eax, eax
		inc	eax
		jmp	short loc_94FE19
; 

loc_94FE13:				; CODE XREF: CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+6Aj
		mov	eax, [eax+4]
		shr	eax, 1Fh

loc_94FE19:				; CODE XREF: CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+6Fj
		mov	ebx, [esi]
		lea	edx, [ebp+var_4]
		push	edx
		push	eax
		push	2
		push	ecx
		mov	edx, ebx
		mov	ecx, edi
		call	_CmpCopyMergeOfLayeredKeyNode@24 ; CmpCopyMergeOfLayeredKeyNode(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_94FE49
		mov	edx, [esi+4]
		xor	edi, edi
		push	edi
		push	edi
		mov	ecx, ebx
		call	HvpMarkCellDirty
		test	al, al
		jnz	short loc_94FE63
		mov	edi, 0C000017Dh

loc_94FE49:				; CODE XREF: CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+8Ej
		mov	esi, [ebp+var_4]

loc_94FE4C:				; CODE XREF: CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+D9j
					; CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+11Ej
		cmp	esi, 0FFFFFFFFh
		jz	short loc_94FE5C
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	CmpFreeKeyByCell

loc_94FE5C:				; CODE XREF: CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+3Bj
					; CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+ADj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_94FE63:				; CODE XREF: CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+A0j
		mov	edx, [esi+4]
		mov	ecx, ebx
		mov	esi, [ebp+var_4]
		push	edi
		push	esi
		call	_CmpAddSubKeyEx@16 ; CmpAddSubKeyEx(x,x,x,x)
		test	al, al
		jnz	short loc_94FE7D
		mov	edi, 0C000009Ah
		jmp	short loc_94FE4C
; 

loc_94FE7D:				; CODE XREF: CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+D2j
		mov	eax, [ebp+var_8]
		mov	eax, [eax+8]
		test	byte ptr [eax+2], 20h
		movzx	ecx, word ptr [eax+48h]
		jz	short loc_94FE95
		lea	eax, [ecx+ecx]
		movzx	edx, ax
		jmp	short loc_94FE97
; 

loc_94FE95:				; CODE XREF: CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+E9j
		mov	edx, ecx

loc_94FE97:				; CODE XREF: CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+F1j
		mov	eax, [ebp+var_10]
		mov	edi, [eax+8]
		cmp	[edi+34h], dx
		jnb	short loc_94FEA7
		mov	[edi+34h], dx

loc_94FEA7:				; CODE XREF: CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)+FFj
		mov	edi, [ebp+var_14]
		lea	eax, [edi+0Ch]
		mov	[edi], ebx
		push	eax
		push	esi
		push	ebx
		mov	[edi+4], esi
		call	dword ptr [ebx+4]
		mov	[edi+8], eax
		or	esi, 0FFFFFFFFh
		xor	edi, edi
		jmp	short loc_94FE4C
_CmpPartialPromoteSingleKeyFromKeyNodeStacks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPartialPromoteSubkeys(x)
_CmpPartialPromoteSubkeys@4 proc near	; CODE XREF: CmpSetKeySecurity(x,x,x,x,x,x)+21Ep

var_124		= dword	ptr -124h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_100		= dword	ptr -100h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 124h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0FCh		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_108]
		push	esi		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_110], esi
		lea	ecx, [ebp+var_108] ; void *
		mov	[ebp+var_10C], esi
		call	_CmpKeyEnumStackInitialize@4 ; CmpKeyEnumStackInitialize(x)
		xor	eax, eax
		lea	edi, [ebp+var_124]
		stosd
		stosd
		stosd
		stosd
		or	eax, 0FFFFFFFFh
		mov	word ptr [ebp+var_124+2], ax
		movzx	eax, word ptr [ebx+2]
		movsx	edi, ax
		lfence	eax
		cmp	ax, 2
		jl	short loc_94FF39
		mov	eax, [ebx+0Ch]
		mov	edi, [eax+edi*4-8]
		jmp	short loc_94FF3D
; 

loc_94FF39:				; CODE XREF: CmpPartialPromoteSubkeys(x)+6Cj
		mov	edi, [ebx+edi*4+4]

loc_94FF3D:				; CODE XREF: CmpPartialPromoteSubkeys(x)+75j
		mov	dx, [ebx+2]
		lea	ecx, [ebp+var_124]
		call	CmpStartKcbStack
		mov	esi, eax
		test	esi, esi
		js	loc_950078
		push	0
		push	0
		mov	edx, ebx
		lea	ecx, [ebp+var_108]
		call	_CmpKeyEnumStackStartFromKcbStack@16 ; CmpKeyEnumStackStartFromKcbStack(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_950078
		jmp	loc_950059
; 

loc_94FF76:				; CODE XREF: CmpPartialPromoteSubkeys(x)+1A4j
		movzx	esi, word ptr [edi+22h]
		xor	eax, eax
		mov	edx, esi
		mov	[ebp+var_114], eax
		test	dx, dx
		js	short loc_94FFA6

loc_94FF89:				; CODE XREF: CmpPartialPromoteSubkeys(x)+DCj
		lea	ecx, [ebp+var_100]
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		cmp	dword ptr [eax+8], 0
		jnz	short loc_94FFA6
		dec	edx
		test	dx, dx
		jns	short loc_94FF89
		mov	eax, [ebp+var_114]

loc_94FFA6:				; CODE XREF: CmpPartialPromoteSubkeys(x)+C5j
					; CmpPartialPromoteSubkeys(x)+D6j
		cmp	dx, si
		jz	loc_950059
		mov	eax, [eax+8]
		test	byte ptr [eax+2], 20h
		lea	ecx, [eax+4Ch]
		movzx	esi, word ptr [eax+48h]
		mov	[ebp+var_10C], ecx
		mov	word ptr [ebp+var_110],	si
		mov	word ptr [ebp+var_110+2], si
		jz	short loc_94FFF4
		mov	edx, esi
		call	_CmpHashCompressedComponent@8 ;	CmpHashCompressedComponent(x,x)
		imul	ecx, [edi+8], 25h
		mov	edx, edi
		push	esi
		push	[ebp+var_10C]
		add	eax, ecx
		mov	ecx, [edi+10h]
		push	eax
		call	_CmpFindKcbInHashEntryByCompressedName@20 ; CmpFindKcbInHashEntryByCompressedName(x,x,x,x,x)
		jmp	short loc_950017
; 

loc_94FFF4:				; CODE XREF: CmpPartialPromoteSubkeys(x)+10Fj
		lea	ecx, [ebp+var_110]
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)
		imul	ecx, [edi+8], 25h
		mov	edx, edi
		add	eax, ecx
		lea	ecx, [ebp+var_110]
		push	ecx
		mov	ecx, [edi+10h]
		push	eax
		call	CmpFindKcbInHashEntryByName

loc_950017:				; CODE XREF: CmpPartialPromoteSubkeys(x)+130j
		test	eax, eax
		jz	short loc_950039
		mov	edx, eax
		lea	ecx, [ebp+var_124]
		call	_CmpPopulateKcbStack@8 ; CmpPopulateKcbStack(x,x)
		push	0
		lea	edx, [ebp+var_124]
		mov	ecx, ebx
		call	_CmpPromoteSingleKeyFromKcbStacks@12 ; CmpPromoteSingleKeyFromKcbStacks(x,x,x)
		jmp	short loc_950048
; 

loc_950039:				; CODE XREF: CmpPartialPromoteSubkeys(x)+157j
		push	0
		lea	edx, [ebp+var_100]
		mov	ecx, ebx
		call	_CmpPromoteSingleKeyFromParentKcbAndChildKeyNode@12 ; CmpPromoteSingleKeyFromParentKcbAndChildKeyNode(x,x,x)

loc_950048:				; CODE XREF: CmpPartialPromoteSubkeys(x)+175j
		mov	esi, eax
		test	esi, esi
		js	short loc_950078
		lea	ecx, [ebp+var_108]
		call	_CmpKeyEnumStackNotifyPromotion@4 ; CmpKeyEnumStackNotifyPromotion(x)

loc_950059:				; CODE XREF: CmpPartialPromoteSubkeys(x)+AFj
					; CmpPartialPromoteSubkeys(x)+E7j
		lea	ecx, [ebp+var_108]
		call	_CmpKeyEnumStackAdvance@4 ; CmpKeyEnumStackAdvance(x)
		test	eax, eax
		jns	loc_94FF76
		lea	esi, [eax+7FFFFFE6h]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_950078:				; CODE XREF: CmpPartialPromoteSubkeys(x)+8Ej
					; CmpPartialPromoteSubkeys(x)+A9j ...
		mov	ecx, [ebp+var_118]
		test	ecx, ecx
		jz	short loc_950087
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_950087:				; CODE XREF: CmpPartialPromoteSubkeys(x)+1BEj
		lea	ecx, [ebp+var_108]
		call	_CmpKeyEnumStackCleanup@4 ; CmpKeyEnumStackCleanup(x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpPartialPromoteSubkeys@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPromoteKey(x, x,	x)
_CmpPromoteKey@12 proc near		; CODE XREF: CmDeleteLayeredKey(x,x,x)+13Fp
					; CmpSetKeySecurity(x,x,x,x,x,x)+20Cp ...

var_3C		= dword	ptr -3Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_14], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_3C]
		or	edx, 0FFFFFFFFh
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	word ptr [ebp+var_3C+2], dx
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		movzx	edi, word ptr [ecx+2]
		mov	word ptr [ebp+var_2C+2], dx
		movsx	ebx, di
		lfence	eax
		cmp	di, 2
		jl	short loc_9500E7
		mov	eax, [ecx+0Ch]
		mov	ebx, [eax+ebx*4-8]
		jmp	short loc_9500EB
; 

loc_9500E7:				; CODE XREF: CmpPromoteKey(x,x,x)+39j
		mov	ebx, [ecx+ebx*4+4]

loc_9500EB:				; CODE XREF: CmpPromoteKey(x,x,x)+42j
		mov	edx, edi
		mov	[ebp+var_C], ebx
		lea	ecx, [ebp+var_3C]
		call	CmpStartKcbStack
		mov	esi, eax
		test	esi, esi
		js	loc_95020E
		mov	edx, edi
		lea	ecx, [ebp+var_2C]
		call	CmpStartKcbStack
		mov	esi, eax
		test	esi, esi
		js	loc_95020E
		mov	ebx, [ebx+4]
		xor	ecx, ecx
		shr	ebx, 15h
		inc	ecx
		and	ebx, 3FFh
		inc	ebx
		mov	esi, ebx
		shl	esi, 2
		push	37364D43h
		mov	edx, esi
		call	_CmpAllocateTransientPoolWithTag@12 ; CmpAllocateTransientPoolWithTag(x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_950148
		mov	esi, 0C000009Ah
		jmp	loc_95020E
; 

loc_950148:				; CODE XREF: CmpPromoteKey(x,x,x)+99j
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_C]
		mov	ecx, 40000h
		add	esp, 0Ch
		mov	[ebp+var_18], eax
		mov	edi, ebx
		mov	esi, eax
		test	[eax+68h], ecx
		jnz	short loc_950185
		mov	eax, [ebp+var_1C]

loc_95016B:				; CODE XREF: CmpPromoteKey(x,x,x)+DDj
		mov	edi, [esi+4]
		shr	edi, 15h
		and	edi, 3FFh
		mov	[eax+edi*4], esi
		mov	esi, [esi+24h]
		test	[esi+68h], ecx
		jz	short loc_95016B
		mov	[ebp+var_18], esi

loc_950185:				; CODE XREF: CmpPromoteKey(x,x,x)+C3j
		lea	ecx, [ebp+var_3C]
		mov	edx, esi
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_10], ecx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	_CmpPopulateKcbStack@8 ; CmpPopulateKcbStack(x,x)
		lea	ecx, [ebp+var_2C]
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		cmp	esi, [ebp+var_C]
		jnz	loc_95022F
		cmp	byte ptr [ebp+var_14], 0
		jz	short loc_9501F1
		mov	ecx, [esi+10h]
		xor	edx, edx
		add	ecx, 24h
		call	ExAcquirePushLockSharedEx
		lea	ecx, [ebp+var_2C]
		call	_CmpFullPromoteHiveRootFromKcbStack@4 ;	CmpFullPromoteHiveRootFromKcbStack(x)
		mov	esi, eax
		xor	edx, edx
		mov	eax, [ebp+var_18]
		push	11h
		mov	edi, [eax+10h]
		add	edi, 24h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_9501E6
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9501E6:				; CODE XREF: CmpPromoteKey(x,x,x)+13Aj
		mov	ecx, edi
		call	KeAbPostRelease
		test	esi, esi
		js	short loc_9501FE

loc_9501F1:				; CODE XREF: CmpPromoteKey(x,x,x)+10Cj
					; CmpPromoteKey(x,x,x)+18Ej ...
		xor	esi, esi
		cmp	[ebp+arg_0], 0
		setz	al

loc_9501FA:				; CODE XREF: CmpPromoteKey(x,x,x)+264j
		test	al, al
		jz	short loc_950206

loc_9501FE:				; CODE XREF: CmpPromoteKey(x,x,x)+14Cj
		mov	ecx, [ebp+var_8]
		call	CmpUnlockKcbStack

loc_950206:				; CODE XREF: CmpPromoteKey(x,x,x)+159j
		mov	ecx, [ebp+var_1C]
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_95020E:				; CODE XREF: CmpPromoteKey(x,x,x)+59j
					; CmpPromoteKey(x,x,x)+6Dj ...
		mov	ecx, [ebp+var_30]
		test	ecx, ecx
		jz	short loc_95021A
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_95021A:				; CODE XREF: CmpPromoteKey(x,x,x)+170j
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	short loc_950226
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_950226:				; CODE XREF: CmpPromoteKey(x,x,x)+17Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_95022F:				; CODE XREF: CmpPromoteKey(x,x,x)+102j
		cmp	edi, ebx
		jnb	short loc_9501F1
		lea	esi, [ebp+var_3C]

loc_950236:				; CODE XREF: CmpPromoteKey(x,x,x)+249j
		mov	eax, [ebp+var_1C]
		mov	ecx, esi
		mov	eax, [eax+edi*4]
		mov	edx, eax
		mov	[ebp+var_18], eax
		call	_CmpPopulateKcbStack@8 ; CmpPopulateKcbStack(x,x)
		mov	ecx, esi
		call	_CmpLockKcbStackTopExclusiveRestShared@4 ; CmpLockKcbStackTopExclusiveRestShared(x)
		xor	edx, edx
		mov	ecx, esi
		call	CmpIsKeyStackDeleted
		test	al, al
		jnz	loc_9502F7
		mov	eax, [ebp+var_18]
		mov	ecx, [eax+14h]
		cmp	eax, [ebp+var_C]
		jz	short loc_950281
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_9502D6
		mov	ecx, [eax+10h]
		xor	edx, edx
		add	ecx, 24h
		call	ExAcquirePushLockSharedEx
		push	0
		jmp	short loc_95029C
; 

loc_950281:				; CODE XREF: CmpPromoteKey(x,x,x)+1C6j
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_95028C
		cmp	byte ptr [ebp+var_14], 0
		jz	short loc_9502D6

loc_95028C:				; CODE XREF: CmpPromoteKey(x,x,x)+1E1j
		mov	ecx, [eax+10h]
		xor	edx, edx
		add	ecx, 24h
		call	ExAcquirePushLockSharedEx
		push	[ebp+var_14]

loc_95029C:				; CODE XREF: CmpPromoteKey(x,x,x)+1DCj
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_CmpPromoteSingleKeyFromKcbStacks@12 ; CmpPromoteSingleKeyFromKcbStacks(x,x,x)
		mov	esi, eax
		xor	edx, edx
		mov	eax, [ebp+var_18]
		push	11h
		mov	ecx, [eax+10h]
		add	ecx, 24h
		pop	eax
		mov	[ebp+var_18], ecx
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_9502CA
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+var_18]

loc_9502CA:				; CODE XREF: CmpPromoteKey(x,x,x)+21Dj
		call	KeAbPostRelease
		test	esi, esi
		js	short loc_9502FC
		mov	esi, [ebp+var_10]

loc_9502D6:				; CODE XREF: CmpPromoteKey(x,x,x)+1CBj
					; CmpPromoteKey(x,x,x)+1E7j
		mov	ecx, [ebp+var_8]
		call	CmpUnlockKcbStack
		mov	eax, esi
		inc	edi
		mov	esi, [ebp+var_8]
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], eax
		cmp	edi, ebx
		jb	loc_950236
		jmp	loc_9501F1
; 

loc_9502F7:				; CODE XREF: CmpPromoteKey(x,x,x)+1B7j
		mov	esi, 0C000017Ch

loc_9502FC:				; CODE XREF: CmpPromoteKey(x,x,x)+22Ej
		mov	ecx, [ebp+var_10]
		call	CmpUnlockKcbStack
		xor	eax, eax
		inc	eax
		jmp	loc_9501FA
_CmpPromoteKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPromoteSingleKeyFromKcbStacks(x,	x, x)
_CmpPromoteSingleKeyFromKcbStacks@12 proc near ; CODE XREF: CmpPartialPromoteSubkeys(x)+170p
					; CmpPromoteKey(x,x,x)+1FEp ...

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_69		= byte ptr -69h
var_68		= dword	ptr -68h
var_38		= dword	ptr -38h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		xor	ebx, ebx
		mov	[ebp+var_70], edx
		lea	eax, [ebp+var_68]
		mov	esi, ecx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_38]
		push	30h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_68] ; void *
		call	_CmpInitializeKeyNodeStack@4 ; CmpInitializeKeyNodeStack(x)
		lea	ecx, [ebp+var_38] ; void *
		call	_CmpInitializeKeyNodeStack@4 ; CmpInitializeKeyNodeStack(x)
		movzx	ecx, word ptr [esi+2]
		push	2
		pop	edx
		mov	[ebp+var_69], bl
		mov	[ebp+var_74], ecx
		movsx	edi, cx
		lfence	eax
		cmp	cx, dx
		jl	short loc_950377
		mov	eax, [esi+0Ch]
		mov	ebx, [eax+edi*4-8]
		jmp	short loc_95037B
; 

loc_950377:				; CODE XREF: CmpPromoteSingleKeyFromKcbStacks(x,x,x)+60j
		mov	ebx, [esi+edi*4+4]

loc_95037B:				; CODE XREF: CmpPromoteSingleKeyFromKcbStacks(x,x,x)+69j
		mov	eax, [ebp+var_70]
		lfence	eax
		jl	short loc_95038C
		mov	eax, [eax+0Ch]
		mov	edi, [eax+edi*4-8]
		jmp	short loc_950390
; 

loc_95038C:				; CODE XREF: CmpPromoteSingleKeyFromKcbStacks(x,x,x)+75j
		mov	edi, [eax+edi*4+4]

loc_950390:				; CODE XREF: CmpPromoteSingleKeyFromKcbStacks(x,x,x)+7Ej
		push	0
		mov	edx, esi
		lea	ecx, [ebp+var_68]
		call	_CmpStartKeyNodeStackFromKcbStack@12 ; CmpStartKeyNodeStackFromKcbStack(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_950461
		mov	edx, [ebp+var_70]
		lea	ecx, [ebp+var_38]
		push	0
		call	_CmpStartKeyNodeStackFromKcbStack@12 ; CmpStartKeyNodeStackFromKcbStack(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_950461
		mov	edx, [ebp+var_74]
		lea	ecx, [ebp+var_68]
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_74], eax
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		cmp	dword ptr [edi+14h], 0FFFFFFFFh
		mov	[ebp+var_70], eax
		jnz	short loc_9503FC
		mov	edx, ecx
		lea	ecx, [ebp+var_68]
		call	_CmpPartialPromoteSingleKeyFromKeyNodeStacks@8 ; CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_950461
		mov	eax, [ebp+var_70]
		mov	eax, [eax+4]
		mov	[edi+14h], eax
		mov	al, 1
		mov	[ebp+var_69], al
		jmp	short loc_9503FF
; 

loc_9503FC:				; CODE XREF: CmpPromoteSingleKeyFromKcbStacks(x,x,x)+CEj
		mov	al, [ebp+var_69]

loc_9503FF:				; CODE XREF: CmpPromoteSingleKeyFromKcbStacks(x,x,x)+EEj
		cmp	[ebp+arg_0], 0
		jz	short loc_950418
		lea	edx, [ebp+var_38]
		lea	ecx, [ebp+var_68]
		call	_CmpFullPromoteSingleKeyFromKeyNodeStacks@8 ; CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_95041C
		mov	al, 1

loc_950418:				; CODE XREF: CmpPromoteSingleKeyFromKcbStacks(x,x,x)+F7j
		xor	esi, esi
		jmp	short loc_95041F
; 

loc_95041C:				; CODE XREF: CmpPromoteSingleKeyFromKcbStacks(x,x,x)+108j
		mov	al, [ebp+var_69]

loc_95041F:				; CODE XREF: CmpPromoteSingleKeyFromKcbStacks(x,x,x)+10Ej
		test	al, al
		jz	short loc_950461
		add	dword ptr [edi+0A8h], 1
		mov	ecx, edi
		mov	eax, [ebp+var_70]
		adc	dword ptr [edi+0ACh], 0
		push	0
		push	0
		mov	edx, [eax+8]
		call	_CmpRebuildKcbCacheFromNode@16 ; CmpRebuildKcbCacheFromNode(x,x,x,x)
		add	dword ptr [ebx+0A8h], 1
		mov	ecx, ebx
		mov	edx, [ebp+var_74]
		push	0
		pop	eax
		adc	[ebx+0ACh], eax
		mov	edx, [edx+8]
		push	eax
		push	eax
		call	_CmpRebuildKcbCacheFromNode@16 ; CmpRebuildKcbCacheFromNode(x,x,x,x)

loc_950461:				; CODE XREF: CmpPromoteSingleKeyFromKcbStacks(x,x,x)+94j
					; CmpPromoteSingleKeyFromKcbStacks(x,x,x)+ABj ...
		lea	ecx, [ebp+var_38]
		call	CmpCleanupKeyNodeStack
		lea	ecx, [ebp+var_68]
		call	CmpCleanupKeyNodeStack
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpPromoteSingleKeyFromKcbStacks@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPromoteSingleKeyFromParentKcbAndChildKeyNode(x, x, x)
_CmpPromoteSingleKeyFromParentKcbAndChildKeyNode@12 proc near
					; CODE XREF: CmpPartialPromoteSubkeys(x)+181p
					; CmpPromoteSubtree(x,x,x)+E6p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [ebp+var_38]
		mov	[ebp+var_40], edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_38] ; void *
		xor	bl, bl
		call	_CmpInitializeKeyNodeStack@4 ; CmpInitializeKeyNodeStack(x)
		movzx	eax, word ptr [esi+2]
		mov	[ebp+var_3C], eax
		movsx	edi, ax
		lfence	eax
		cmp	ax, 2
		jl	short loc_9504D4
		mov	eax, [esi+0Ch]
		mov	edi, [eax+edi*4-8]
		jmp	short loc_9504D8
; 

loc_9504D4:				; CODE XREF: CmpPromoteSingleKeyFromParentKcbAndChildKeyNode(x,x,x)+45j
		mov	edi, [esi+edi*4+4]

loc_9504D8:				; CODE XREF: CmpPromoteSingleKeyFromParentKcbAndChildKeyNode(x,x,x)+4Ej
		push	0
		mov	edx, esi
		lea	ecx, [ebp+var_38]
		call	_CmpStartKeyNodeStackFromKcbStack@12 ; CmpStartKeyNodeStackFromKcbStack(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_950558
		mov	edx, [ebp+var_3C]
		lea	ecx, [ebp+var_38]
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	ecx, [ebp+var_40]
		mov	[ebp+var_3C], eax
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		cmp	dword ptr [eax+4], 0FFFFFFFFh
		jnz	short loc_95051B
		mov	edx, ecx
		lea	ecx, [ebp+var_38]
		call	_CmpPartialPromoteSingleKeyFromKeyNodeStacks@8 ; CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_950558
		mov	ecx, [ebp+var_40]
		mov	bl, 1

loc_95051B:				; CODE XREF: CmpPromoteSingleKeyFromParentKcbAndChildKeyNode(x,x,x)+80j
		cmp	[ebp+arg_0], 0
		jz	short loc_950533
		mov	edx, ecx
		lea	ecx, [ebp+var_38]
		call	_CmpFullPromoteSingleKeyFromKeyNodeStacks@8 ; CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_950535
		mov	bl, 1

loc_950533:				; CODE XREF: CmpPromoteSingleKeyFromParentKcbAndChildKeyNode(x,x,x)+9Bj
		xor	esi, esi

loc_950535:				; CODE XREF: CmpPromoteSingleKeyFromParentKcbAndChildKeyNode(x,x,x)+ABj
		test	bl, bl
		jz	short loc_950558
		add	dword ptr [edi+0A8h], 1
		mov	ecx, edi
		mov	edx, [ebp+var_3C]
		adc	dword ptr [edi+0ACh], 0
		push	0
		push	0
		mov	edx, [edx+8]
		call	_CmpRebuildKcbCacheFromNode@16 ; CmpRebuildKcbCacheFromNode(x,x,x,x)

loc_950558:				; CODE XREF: CmpPromoteSingleKeyFromParentKcbAndChildKeyNode(x,x,x)+64j
					; CmpPromoteSingleKeyFromParentKcbAndChildKeyNode(x,x,x)+90j ...
		lea	ecx, [ebp+var_38]
		call	CmpCleanupKeyNodeStack
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpPromoteSingleKeyFromParentKcbAndChildKeyNode@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPromoteSubtree(x, x, x)
_CmpPromoteSubtree@12 proc near		; CODE XREF: CmSaveKey(x,x,x,x)+2D2p
					; CmpPromoteSubtreeForKcbStack(x,x)+6p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_40]
		push	3Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	edi, edx
		mov	[ebp+var_4C], ebx
		mov	esi, ecx
		mov	[ebp+var_48], ebx
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_38] ; void *
		push	0FFFFFFFEh
		pop	eax
		mov	word ptr [ebp+var_40], ax
		call	_CmpInitializeKeyNodeStack@4 ; CmpInitializeKeyNodeStack(x)
		lea	ecx, [ebp+var_40]
		test	esi, esi
		jz	short loc_9505C9
		movzx	ebx, word ptr [esi+2]
		mov	edx, esi
		mov	[ebp+var_44], ebx
		call	_CmpSubtreeEnumeratorStartForKcbStack@8	; CmpSubtreeEnumeratorStartForKcbStack(x,x)
		jmp	short loc_9505D6
; 

loc_9505C9:				; CODE XREF: CmpPromoteSubtree(x,x,x)+44j
		movzx	eax, word ptr [edi]
		mov	edx, edi
		mov	[ebp+var_44], eax
		call	_CmpSubtreeEnumeratorStartForKeyNodeStack@8 ; CmpSubtreeEnumeratorStartForKeyNodeStack(x,x)

loc_9505D6:				; CODE XREF: CmpPromoteSubtree(x,x,x)+54j
		mov	esi, eax
		test	esi, esi
		js	loc_9506AC

loc_9505E0:				; CODE XREF: CmpPromoteSubtree(x,x,x)+113j
					; CmpPromoteSubtree(x,x,x)+132j
		lea	ecx, [ebp+var_40]
		call	_CmpSubtreeEnumeratorAdvance@4 ; CmpSubtreeEnumeratorAdvance(x)
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	loc_9506AA
		test	esi, esi
		js	loc_9506AC
		lea	eax, [ebp+var_48]
		push	eax
		lea	edx, [ebp+var_4C]
		lea	ecx, [ebp+var_40]
		call	_CmpSubtreeEnumeratorGetCurrentKeyStacks@12 ; CmpSubtreeEnumeratorGetCurrentKeyStacks(x,x,x)
		movsx	eax, word ptr [ebp+var_40]
		mov	edi, [ebp+var_48]
		mov	edx, [ebp+var_44]
		imul	ecx, eax, 118h
		mov	eax, [ebp+var_8]
		mov	esi, [ecx+eax-114h]
		mov	ebx, [ecx+eax-110h]
		mov	ecx, edi
		call	CmpKeyNodeStackGetEntryAtLayerHeight
		mov	edx, [ebp+var_4C]
		mov	eax, [eax+8]
		mov	[ebp+var_50], eax
		test	edx, edx
		jz	short loc_95064F
		push	1
		mov	ecx, esi
		call	_CmpPromoteSingleKeyFromKcbStacks@12 ; CmpPromoteSingleKeyFromKcbStacks(x,x,x)

loc_95064B:				; CODE XREF: CmpPromoteSubtree(x,x,x)+EBj
		mov	esi, eax
		jmp	short loc_95067E
; 

loc_95064F:				; CODE XREF: CmpPromoteSubtree(x,x,x)+CDj
		mov	edx, edi
		test	esi, esi
		jz	short loc_950660
		push	1
		mov	ecx, esi
		call	_CmpPromoteSingleKeyFromParentKcbAndChildKeyNode@12 ; CmpPromoteSingleKeyFromParentKcbAndChildKeyNode(x,x,x)
		jmp	short loc_95064B
; 

loc_950660:				; CODE XREF: CmpPromoteSubtree(x,x,x)+E0j
		mov	ecx, ebx
		call	_CmpPartialPromoteSingleKeyFromKeyNodeStacks@8 ; CmpPartialPromoteSingleKeyFromKeyNodeStacks(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9506AC
		mov	edx, edi
		mov	ecx, ebx
		call	_CmpFullPromoteSingleKeyFromKeyNodeStacks@8 ; CmpFullPromoteSingleKeyFromKeyNodeStacks(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9506AC
		xor	esi, esi

loc_95067E:				; CODE XREF: CmpPromoteSubtree(x,x,x)+DAj
		test	esi, esi
		js	short loc_9506AC
		cmp	[ebp+var_50], 0
		jnz	loc_9505E0
		movsx	eax, word ptr [ebp+var_40]
		imul	ecx, eax, 118h
		mov	eax, [ebp+var_8]
		add	eax, 0FFFFFF04h
		add	ecx, eax
		call	_CmpKeyEnumStackNotifyPromotion@4 ; CmpKeyEnumStackNotifyPromotion(x)
		jmp	loc_9505E0
; 

loc_9506AA:				; CODE XREF: CmpPromoteSubtree(x,x,x)+7Dj
		xor	esi, esi

loc_9506AC:				; CODE XREF: CmpPromoteSubtree(x,x,x)+67j
					; CmpPromoteSubtree(x,x,x)+85j	...
		lea	ecx, [ebp+var_40]
		call	_CmpSubtreeEnumeratorCleanup@4 ; CmpSubtreeEnumeratorCleanup(x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpPromoteSubtree@12 endp


;  S U B	R O U T	I N E 


; __stdcall CmpPromoteSubtreeForKcbStack(x, x)
_CmpPromoteSubtreeForKcbStack@8	proc near ; CODE XREF: CmRenameKey(x,x,x,x)+835p
		mov	edi, edi
		push	ecx
		push	ecx
		xor	edx, edx
		call	_CmpPromoteSubtree@12 ;	CmpPromoteSubtree(x,x,x)
		pop	ecx
		retn
_CmpPromoteSubtreeForKcbStack@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvSnapshotHiveToOffsetArray(x, x, x, x)
_HvSnapshotHiveToOffsetArray@16	proc near ; CODE XREF: CmpFlushBackupHive(x)+195p
					; CmDumpKey(x,x,x)+FCp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ecx+0C8h]
		push	esi
		and	dword ptr [eax], 0
		xor	esi, esi
		mov	eax, [ecx+20h]
		push	edi
		mov	edi, edx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], eax
		and	dword ptr [edi], 0
		test	ebx, ebx
		jz	short loc_950733

loc_950702:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+5Dj
		mov	edx, esi
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	eax, [eax+4]
		and	eax, 0FFFFFFF0h
		cmp	dword ptr [eax], 6E696268h
		jnz	short loc_95076D
		cmp	[eax+4], esi
		jnz	short loc_95076D
		mov	eax, [eax+8]
		add	esi, eax
		cmp	esi, ebx
		ja	short loc_95076D
		test	eax, 0FFFh
		jnz	short loc_95076D
		mov	ecx, [ebp+var_18]
		cmp	esi, ebx
		jb	short loc_950702

loc_950733:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+2Cj
		lea	esi, [ebx+1000h]
		mov	eax, esi
		shr	eax, 14h
		test	esi, 0FFFFFh
		jz	short loc_950747
		inc	eax

loc_950747:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+70j
		imul	eax, 0Ch
		push	20204D43h
		push	eax
		push	1
		mov	[ebp+var_1C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, [ebp+arg_0]
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_950777
		mov	esi, 0C0000017h
		jmp	loc_950949
; 

loc_95076D:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+41j
					; HvSnapshotHiveToOffsetArray(x,x,x,x)+46j ...
		mov	esi, 0C000014Ch
		jmp	loc_950946
; 

loc_950777:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+8Dj
		push	[ebp+var_1C]	; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	[eax], esi
		mov	eax, 100000h
		cmp	esi, eax
		jb	short loc_950795
		mov	esi, eax

loc_950795:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+BDj
		push	20204D43h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, [ebx]
		mov	[ebp+var_C], ebx
		mov	[ebx+4], eax
		test	eax, eax
		jnz	short loc_9507B8

loc_9507AE:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+18Aj
		mov	esi, 0C0000017h
		jmp	loc_950946
; 

loc_9507B8:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+D8j
		and	dword ptr [ebx], 0
		mov	eax, 1000h
		push	eax		; size_t
		push	[ebp+var_14]	; void *
		mov	[ebx+8], esi
		push	dword ptr [ebx+4] ; void *
		mov	[ebp+var_4], eax
		call	_memcpy
		mov	ecx, [ebx+4]
		add	esp, 0Ch
		mov	eax, [ebp+var_10]
		mov	[ecx+28h], eax
		mov	eax, [ecx+4]
		mov	[ecx+8], eax
		call	_HvpHeaderCheckSum@4 ; HvpHeaderCheckSum(x)
		mov	[ecx+1FCh], eax
		mov	edx, 1000h
		mov	ecx, [ebp+var_18]
		xor	eax, eax
		and	[ebp+var_10], eax
		xor	ebx, ebx
		mov	[ebp+arg_4], eax
		mov	[ebp+var_8], edx
		mov	ecx, [ecx+0C8h]
		mov	dword ptr [edi], 1
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jz	loc_950982
		xor	ecx, ecx
		inc	ecx

loc_95081E:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+268j
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_C], ecx
		cmp	edx, esi
		jnz	short loc_950880
		mov	esi, [ebp+var_14]
		sub	esi, eax
		mov	eax, 100000h
		cmp	esi, eax
		jb	short loc_95083B
		mov	esi, eax

loc_95083B:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+163j
		push	20204D43h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, [edi]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_1C], edx
		imul	edx, 0Ch
		mov	ecx, [ecx]
		mov	[ebp+var_C], ecx
		mov	[edx+ecx+4], eax
		test	eax, eax
		jz	loc_9507AE
		mov	eax, [ebp+var_8]
		mov	[edx+ecx], eax
		mov	eax, [ebp+arg_4]
		mov	[edx+ecx+8], esi
		mov	edx, [ebp+var_1C]
		inc	edx
		and	[ebp+var_4], 0
		mov	[ebp+var_1C], edx
		mov	[edi], edx
		jmp	short loc_950883
; 

loc_950880:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+155j
		mov	edx, [ebp+var_1C]

loc_950883:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+1AAj
		test	ebx, ebx
		jz	short loc_9508C2
		cmp	ebx, esi
		ja	short loc_950892
		mov	eax, ebx
		mov	[ebp+var_14], eax
		jmp	short loc_950897
; 

loc_950892:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+1B5j
		mov	eax, esi
		mov	[ebp+var_14], esi

loc_950897:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+1BCj
		push	eax		; size_t
		push	[ebp+var_10]	; void *
		imul	eax, edx, 0Ch
		push	dword ptr [eax+ecx-8] ;	void *
		call	_memcpy
		mov	eax, [ebp+var_14]
		add	esp, 0Ch
		mov	edx, [ebp+var_4]
		sub	ebx, eax
		add	[ebp+arg_4], eax
		add	edx, eax
		add	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4], edx
		jmp	short loc_950929
; 

loc_9508C2:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+1B1j
		mov	ecx, [ebp+var_18]
		mov	edx, eax
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		test	eax, eax
		jz	short loc_950941
		mov	ecx, [eax+4]
		mov	ebx, esi
		mov	edx, [ebp+var_4]
		and	ecx, 0FFFFFFF0h
		sub	ebx, edx
		mov	[ebp+var_10], ecx
		mov	eax, [ecx+8]
		cmp	eax, ebx
		ja	short loc_9508ED
		mov	ebx, eax
		xor	eax, eax
		jmp	short loc_9508EF
; 

loc_9508ED:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+211j
		sub	eax, ebx

loc_9508EF:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+217j
		mov	[ebp+var_14], eax
		imul	eax, [ebp+var_1C], arg_4
		push	ebx		; size_t
		push	ecx		; void *
		mov	ecx, [ebp+var_C]
		mov	eax, [eax+ecx-8]
		add	eax, edx
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_4]
		add	esp, 0Ch
		mov	eax, [ebp+arg_4]
		add	edx, ebx
		add	[ebp+var_8], ebx
		add	eax, ebx
		cmp	[ebp+var_14], 0
		mov	[ebp+var_4], edx
		mov	[ebp+arg_4], eax
		jz	short loc_950926
		add	[ebp+var_10], ebx

loc_950926:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+24Dj
		mov	ebx, [ebp+var_14]

loc_950929:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+1ECj
		mov	ecx, [ebp+var_18]
		mov	ecx, [ecx+0C8h]
		mov	[ebp+var_14], ecx
		cmp	eax, ecx
		jnb	short loc_950982
		mov	ecx, [ebp+var_1C]
		jmp	loc_95081E
; 

loc_950941:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+1FAj
		mov	esi, 0C0000225h

loc_950946:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+9Ej
					; HvSnapshotHiveToOffsetArray(x,x,x,x)+DFj
		mov	ebx, [ebp+arg_0]

loc_950949:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+94j
		mov	eax, [ebx]
		mov	[ebp+arg_4], esi
		test	eax, eax
		jz	short loc_950984
		xor	ebx, ebx
		cmp	[edi], ebx
		jbe	short loc_950977
		mov	esi, [ebp+arg_0]

loc_95095B:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+29Aj
		dec	dword ptr [edi]
		imul	ecx, [edi], 0Ch
		mov	eax, [esi]
		push	ebx
		push	dword ptr [ecx+eax+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[edi], ebx
		ja	short loc_95095B
		mov	eax, esi
		mov	esi, [ebp+arg_4]
		mov	eax, [eax]

loc_950977:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+282j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[edi], ebx
		jmp	short loc_950984
; 

loc_950982:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+141j
					; HvSnapshotHiveToOffsetArray(x,x,x,x)+263j
		xor	esi, esi

loc_950984:				; CODE XREF: HvSnapshotHiveToOffsetArray(x,x,x,x)+27Cj
					; HvSnapshotHiveToOffsetArray(x,x,x,x)+2ACj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_HvSnapshotHiveToOffsetArray@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpShrinkMap(x, x, x, x)
_HvpShrinkMap@16 proc near		; CODE XREF: HvpAddBin+18AD44p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_10], edx
		mov	[ebp+var_4], ecx
		push	edi
		test	esi, esi
		jnz	short loc_9509C5
		imul	eax, edx, 19Ch
		mov	edi, [eax+ecx+0D0h]
		cmp	edi, [eax+ecx+0CCh]
		jnz	short loc_9509C5
		push	1800h
		push	edi
		call	dword ptr [ecx+10h]
		jmp	short loc_950A36
; 

loc_9509C5:				; CODE XREF: HvpShrinkMap(x,x,x,x)+15j
					; HvpShrinkMap(x,x,x,x)+2Bj
		mov	eax, edx
		shl	eax, 1Fh
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	edi, [eax+ebx]
		add	eax, esi
		mov	[ebp+var_C], edi
		cmp	eax, edi
		jnb	short loc_950A05
		mov	ebx, ecx
		mov	esi, eax

loc_9509DE:				; CODE XREF: HvpShrinkMap(x,x,x,x)+6Aj
		mov	edx, esi
		mov	ecx, ebx
		call	_HvpGetCellMap@8 ; HvpGetCellMap(x,x)
		mov	edi, eax
		add	esi, 1000h
		xor	eax, eax
		stosd
		stosd
		stosd
		cmp	esi, [ebp+var_C]
		jb	short loc_9509DE
		mov	esi, [ebp+arg_4]
		mov	ebx, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_10]

loc_950A05:				; CODE XREF: HvpShrinkMap(x,x,x,x)+4Bj
		shr	esi, 0Ch
		mov	eax, 1FFh
		shr	ebx, 0Ch
		add	esi, eax
		add	ebx, eax
		shr	esi, 9
		shr	ebx, 9
		cmp	esi, ebx
		jnb	short loc_950A35
		imul	edx, 19Ch
		lea	eax, [ebx-1]
		push	eax
		push	esi
		mov	edx, [edx+ecx+0CCh]
		call	_HvpFreeMap@16	; HvpFreeMap(x,x,x,x)

loc_950A35:				; CODE XREF: HvpShrinkMap(x,x,x,x)+8Fj
		pop	ebx

loc_950A36:				; CODE XREF: HvpShrinkMap(x,x,x,x)+36j
		pop	edi
		pop	esi
		leave
		retn	8
_HvpShrinkMap@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvAnalyzeLogFiles(x, x, x, x, x, x,	x, x)
_HvAnalyzeLogFiles@32 proc near		; CODE XREF: HvLoadHive+189974p

var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E3		= dword	ptr -0E3h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= byte ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 114h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	ebx, ebx
		mov	[ebp+var_F4], eax
		mov	eax, [ebp+arg_10]
		push	edi
		mov	[ebp+var_F8], eax
		mov	eax, [ebp+arg_14]
		push	30h		; size_t
		mov	[ebp+var_E3+3],	eax
		lea	eax, [ebp+var_34]
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_EC], edx
		mov	[ebp+var_FC], ecx
		mov	[ebp+var_104], esi
		mov	[ebp+var_10C], ebx
		mov	[ebp+var_108], ebx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_DC], ebx
		cmp	[ebp+arg_4], ebx
		jbe	short loc_950AFE
		lea	edi, [ebp+var_10C]
		add	esi, 8

loc_950AB5:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+C0j
		push	edi
		push	200h
		push	ebx
		push	dword ptr [esi]
		call	dword ptr [esi-4]
		mov	[ebp+var_110], eax
		test	eax, eax
		jns	short loc_950AE6
		mov	ecx, eax
		call	_HvpIsReadErrorTransient@4 ; HvpIsReadErrorTransient(x)
		test	al, al
		jnz	short loc_950B4E
		mov	edx, [ebp+var_110]
		mov	ecx, [esi-8]
		call	_HvpLogUnreadableLog@8 ; HvpLogUnreadableLog(x,x)
		mov	[edi], ebx

loc_950AE6:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+8Dj
		mov	eax, [ebp+var_DC]
		add	esi, 0Ch
		inc	eax
		add	edi, 4
		mov	[ebp+var_DC], eax
		cmp	eax, [ebp+arg_4]
		jb	short loc_950AB5

loc_950AFE:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+6Ej
		mov	edi, ebx
		mov	esi, ebx
		cmp	[ebp+arg_4], ebx
		jbe	loc_950F0E
		mov	eax, [ebp+var_104]
		mov	[ebp+var_DC], eax

loc_950B17:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+147j
		mov	ecx, [ebp+esi*4+var_10C]
		test	ecx, ecx
		jz	short loc_950B78
		mov	edx, [ebp+var_FC]
		call	_HvpIsLogFileBaseBlockValid@8 ;	HvpIsLogFileBaseBlockValid(x,x)
		test	al, al
		jnz	short loc_950B58
		push	ecx
		mov	ecx, [ebp+var_DC]
		mov	edx, [ecx]
		mov	ecx, [ebp+var_FC]
		call	_HvpLogInvalidLogHeader@12 ; HvpLogInvalidLogHeader(x,x,x)

loc_950B45:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+139j
		mov	[ebp+esi*4+var_10C], ebx
		jmp	short loc_950B78
; 

loc_950B4E:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+98j
					; HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+22Aj
		mov	ebx, 0C000014Dh
		jmp	loc_950F6A
; 

loc_950B58:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+F3j
		mov	eax, [ecx+4]
		mov	ecx, [ebp+var_EC]
		cmp	eax, ecx
		jnb	short loc_950B77
		mov	edx, ecx
		mov	ecx, [ebp+var_DC]
		push	eax
		mov	ecx, [ecx]
		call	_HvpLogIneligibleLogHeader@12 ;	HvpLogIneligibleLogHeader(x,x,x)
		jmp	short loc_950B45
; 

loc_950B77:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+127j
		inc	edi

loc_950B78:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+E4j
					; HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+110j
		add	[ebp+var_DC], 0Ch
		inc	esi
		cmp	esi, [ebp+arg_4]
		jb	short loc_950B17
		test	edi, edi
		jz	loc_950F0E
		cmp	[ebp+var_E3+3],	ebx
		jz	short loc_950C03
		cmp	edi, 1
		jnz	short loc_950BA7
		xor	eax, eax
		cmp	[ebp+var_10C], eax
		setz	al
		jmp	short loc_950BD0
; 

loc_950BA7:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+15Cj
		mov	eax, [ebp+var_10C]
		lea	ecx, [ebp+var_100]
		mov	eax, [eax+4]
		mov	[ebp+var_100], eax
		mov	eax, [ebp+var_108]
		mov	eax, [eax+8]
		mov	[ebp+var_FC], eax
		call	_HvpDetermineLatestLogFile@4 ; HvpDetermineLatestLogFile(x)

loc_950BD0:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+169j
		mov	esi, [ebp+eax*4+var_10C]
		mov	ecx, 80h
		mov	eax, [ebp+var_E3+3]
		mov	edi, eax
		push	0E00h		; size_t
		add	eax, 200h
		push	ebx		; int
		rep movsd
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_E3+3]
		add	esp, 0Ch
		mov	[eax+1Ch], ebx

loc_950C03:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+157j
		mov	ecx, [ebp+var_104]
		lea	esi, [ebp+var_20]
		add	ecx, 4
		mov	[ebp+var_E3+3],	ebx
		mov	edi, ebx
		mov	[ebp+var_DC], ecx

loc_950C1D:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+25Fj
		mov	edx, [ebp+edi*4+var_10C]
		test	edx, edx
		jz	short loc_950C8E
		cmp	dword ptr [edx+1Ch], 6
		mov	eax, [ecx-4]
		mov	ecx, [ebp+var_DC]
		mov	[esi-10h], eax
		mov	eax, [edx+4]
		mov	[ebp+var_EC], eax
		mov	[esi-0Ch], eax
		lea	eax, [esi-8]
		mov	[esi-14h], edi
		jnz	short loc_950C6E
		lea	edx, [esi-4]
		mov	[esi], bl
		push	edx
		mov	edx, [ecx+4]
		mov	ecx, [ecx]
		push	eax
		mov	[ebp+edi*4+var_10C], ebx
		call	_HvpDetermineIncrementalLogFileMaximums@16 ; HvpDetermineIncrementalLogFileMaximums(x,x,x,x)
		test	eax, eax
		js	loc_950B4E
		jmp	short loc_950C7F
; 

loc_950C6E:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+20Ej
		mov	ecx, [ebp+var_EC]
		mov	[eax], ecx
		mov	eax, [edx+28h]
		mov	byte ptr [esi],	1
		mov	[esi-4], eax

loc_950C7F:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+230j
		inc	[ebp+var_E3+3]
		add	esi, 18h
		mov	ecx, [ebp+var_DC]

loc_950C8E:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+1EAj
		inc	edi
		add	ecx, 0Ch
		mov	[ebp+var_DC], ecx
		cmp	edi, [ebp+arg_4]
		jb	short loc_950C1D
		cmp	dword_6B2348, 5
		mov	esi, offset dword_6B2348
		mov	ecx, [ebp+var_14]
		push	8
		pop	edi
		jbe	loc_950D99
		push	ebx
		push	edi
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_950D96
		mov	eax, [ebp+var_E3+3]
		xor	ecx, ecx
		mov	byte ptr [ebp+var_E3+2], al
		inc	ecx
		lea	eax, [ebp+var_E3+2]
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_B8], eax
		mov	al, [ebp+var_30]
		mov	byte ptr [ebp+var_E3+1], al
		lea	eax, [ebp+var_E3+1]
		mov	[ebp+var_A8], eax
		mov	al, [ebp+var_18]
		mov	byte ptr [ebp+var_E3], al
		lea	eax, [ebp+var_E3]
		mov	[ebp+var_98], eax
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_EC], eax
		lea	eax, [ebp+var_EC]
		mov	[ebp+var_88], eax
		mov	eax, [ebp+var_14]
		push	4
		mov	[ebp+var_110], eax
		lea	eax, [ebp+var_110]
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_90], ecx
		pop	ecx
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_D8]
		push	eax
		push	7
		push	ebx
		push	ebx
		push	offset dword_41ADD4
		push	esi
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_A4], ebx
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_94], ebx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_950D96:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+284j
		mov	ecx, [ebp+var_14]

loc_950D99:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+273j
		xor	edx, edx
		inc	edx
		cmp	[ebp+var_E3+3],	edx
		jnz	short loc_950DBF
		mov	eax, [ebp+var_F4]
		lea	esi, [ebp+var_34]
		push	6
		pop	ecx
		mov	[eax], edx

loc_950DB2:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+4CDj
		mov	edi, [ebp+var_F8]

loc_950DB8:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+4C2j
		rep movsd
		jmp	loc_950F6A
; 

loc_950DBF:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+366j
		mov	eax, [ebp+var_2C]
		cmp	[ebp+arg_0], bl
		jnz	loc_950E98
		lea	edx, [ebp+var_34]
		cmp	eax, ecx
		jnb	short loc_950DE0
		mov	eax, [ebp+var_28]
		mov	[ebp+var_FC], edx
		lea	edx, [ebp+var_1C]
		jmp	short loc_950DEE
; 

loc_950DE0:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+394j
		mov	ecx, eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_FC], eax
		mov	eax, [ebp+var_10]

loc_950DEE:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+3A2j
		inc	eax
		mov	[ebp+var_104], edx
		cmp	eax, ecx
		jz	short loc_950E6A
		cmp	dword_6B2348, 5
		jbe	short loc_950E48
		push	4000h
		push	ebx
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_950E48
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_F0], 1000000h
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	3
		push	ebx
		push	ebx
		push	offset byte_41AD97
		push	esi
		mov	[ebp+var_EC], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_950E48:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+3C4j
					; HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+3D5j
		mov	eax, [ebp+var_F4]
		mov	esi, [ebp+var_104]
		mov	edi, [ebp+var_F8]
		push	6
		pop	ecx
		rep movsd
		mov	dword ptr [eax], 1
		jmp	loc_950F6A
; 

loc_950E6A:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+3BBj
		mov	eax, [ebp+var_F8]
		mov	edi, eax
		mov	esi, [ebp+var_FC]
		push	6
		pop	ecx
		rep movsd
		lea	edi, [eax+18h]
		mov	esi, edx
		mov	eax, [ebp+var_F4]
		push	6
		pop	ecx
		rep movsd
		mov	dword ptr [eax], 2
		jmp	loc_950F6A
; 

loc_950E98:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+389j
		mov	[ebp+var_FC], ecx
		lea	ecx, [ebp+var_100]
		mov	[ebp+var_100], eax
		call	_HvpDetermineLatestLogFile@4 ; HvpDetermineLatestLogFile(x)
		mov	edx, eax
		lea	esi, [ebp+var_34]
		neg	edx
		push	6
		sbb	edx, edx
		imul	ecx, eax, 18h
		and	edx, 0FFFFFFE8h
		add	edx, 18h
		add	esi, ecx
		mov	eax, [ebp+edx+var_28]
		inc	eax
		mov	[ebp+var_EC], esi
		cmp	eax, [ebp+ecx+var_2C]
		mov	eax, [ebp+var_F4]
		pop	ecx
		jnz	short loc_950F03
		mov	dword ptr [eax], 2
		lea	esi, [ebp+var_34]
		mov	eax, [ebp+var_F8]
		add	esi, edx
		mov	edi, eax
		rep movsd
		mov	esi, [ebp+var_EC]
		lea	edi, [eax+18h]
		push	6
		pop	ecx
		jmp	loc_950DB8
; 

loc_950F03:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+49Fj
		mov	dword ptr [eax], 1
		jmp	loc_950DB2
; 

loc_950F0E:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+C9j
					; HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+14Bj
		cmp	dword_6B2348, 5
		jbe	short loc_950F65
		push	4000h
		push	8
		pop	edi
		mov	esi, offset dword_6B2348
		push	edi
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_950F65
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_F0], 1000000h
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	3
		push	ebx
		push	ebx
		push	offset byte_41AE31
		push	esi
		mov	[ebp+var_EC], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_950F65:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+4D9j
					; HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+4F2j
		mov	ebx, 0C000014Ch

loc_950F6A:				; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+117j
					; HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+37Ej ...
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_HvAnalyzeLogFiles@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvApplyLogFile(x, x, x, x, x, x, x,	x, x, x, x, x)
_HvApplyLogFile@48 proc	near		; CODE XREF: HvpPerformLogFileRecovery(x,x,x,x)+229p

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		cmp	byte ptr [esi+14h], 0
		jz	short loc_950FCD
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ecx
		push	[ebp+arg_4]
		call	_HvpApplyLegacyLogFile@32 ; HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_950FF0
		mov	eax, [ebp+arg_1C]
		test	eax, eax
		jz	short loc_950FB4
		mov	ecx, [esi+0Ch]
		inc	ecx
		mov	[eax], ecx

loc_950FB4:				; CODE XREF: HvApplyLogFile(x,x,x,x,x,x,x,x,x,x,x,x)+2Fj
		mov	eax, [ebp+arg_20]
		test	eax, eax
		jz	short loc_950FC1
		mov	dword ptr [eax], 1

loc_950FC1:				; CODE XREF: HvApplyLogFile(x,x,x,x,x,x,x,x,x,x,x,x)+3Cj
		mov	eax, [ebp+arg_24]
		test	eax, eax
		jz	short loc_950FF0
		and	dword ptr [eax], 0
		jmp	short loc_950FF0
; 

loc_950FCD:				; CODE XREF: HvApplyLogFile(x,x,x,x,x,x,x,x,x,x,x,x)+Dj
		push	[ebp+arg_24]
		mov	edx, [esi+8]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	ecx
		push	ecx
		push	[ebp+arg_C]
		push	ecx
		push	[ebp+arg_4]
		push	ecx
		push	dword ptr [esi+10h]
		call	_HvpApplyIncrementalLogFile@52 ; HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edx, eax

loc_950FF0:				; CODE XREF: HvApplyLogFile(x,x,x,x,x,x,x,x,x,x,x,x)+28j
					; HvApplyLogFile(x,x,x,x,x,x,x,x,x,x,x,x)+49j ...
		mov	eax, edx
		pop	esi
		pop	ecx
		pop	ebp
		retn	28h
_HvApplyLogFile@48 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpApplyIncrementalLogFile(x, x, x,	x, x, x, x, x, x, x, x,	x, x)
_HvpApplyIncrementalLogFile@52 proc near
					; CODE XREF: HvApplyLogFile(x,x,x,x,x,x,x,x,x,x,x,x)+6Cp

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= byte ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		and	[ebp+var_48], 0
		and	[ebp+var_38], 0
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_28]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_1C]
		push	esi
		push	edi
		mov	[ebp+var_54], eax
		lea	edi, [ebp+var_30]
		mov	eax, [ebp+arg_20]
		mov	esi, 200h
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_50], ecx
		push	0Ah
		mov	[ebp+var_5C], eax
		xor	eax, eax
		pop	ecx
		mov	[ebp+var_40], edx
		xor	edx, edx
		rep stosd
		mov	edi, [ebp+var_40]
		xor	cl, cl
		mov	[ebp+var_3C], edx
		mov	[ebp+var_31], cl

loc_951058:				; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+14Cj
		lea	eax, [ebp+var_30]
		mov	edx, offset _HvpRecoverDataReadRoutine@16 ; HvpRecoverDataReadRoutine(x,x,x,x)
		push	eax
		push	[ebp+var_44]
		mov	ecx, esi
		call	_HvpReadLogEntryHeader@16 ; HvpReadLogEntryHeader(x,x,x,x)
		test	eax, eax
		js	loc_95114F
		push	[ebp+arg_0]
		mov	edx, esi
		lea	ecx, [ebp+var_30]
		call	_HvpIsLogEntryHeaderCoherent@12	; HvpIsLogEntryHeaderCoherent(x,x,x)
		test	al, al
		jz	loc_951164
		cmp	[ebp+var_24], edi
		jnz	loc_951164
		lea	eax, [ebp+var_38]
		push	eax
		push	[ebp+var_2C]
		push	esi
		push	[ebp+var_44]
		call	_HvpRecoverDataReadRoutine@16 ;	HvpRecoverDataReadRoutine(x,x,x,x)
		test	eax, eax
		js	loc_95114F
		mov	edx, [ebp+var_38]
		lea	ecx, [ebp+var_30]
		push	[ebp+var_1C]
		add	edx, 28h
		call	_HvpIsMetadataArrayCoherent@12 ; HvpIsMetadataArrayCoherent(x,x,x)
		test	al, al
		jz	loc_951164
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_30]
		mov	ecx, [ebp+var_38]
		push	eax
		call	_HvpLogEntryCheckDataChecksum@12 ; HvpLogEntryCheckDataChecksum(x,x,x)
		test	eax, eax
		jz	loc_951164
		mov	edx, [ebp+var_38]
		mov	eax, [ebp+var_1C]
		lea	ecx, [edx+28h]
		mov	[ebp+var_40], ecx
		lea	ecx, [ecx+eax*8]
		lea	eax, [ebp+var_48]
		push	eax
		mov	eax, [ebp+var_2C]
		sub	eax, ecx
		add	eax, edx
		push	eax
		push	ecx
		lea	eax, [edx+28h]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_4C]
		call	_HvpApplyLogEntryDataToFileBackedHive@24 ; HvpApplyLogEntryDataToFileBackedHive(x,x,x,x,x,x)
		test	[ebp+var_28], 1
		mov	ecx, [ebp+var_50]
		mov	eax, [ebp+var_20]
		mov	[ecx+28h], eax
		jz	short loc_95111B
		or	dword ptr [ecx+90h], 1

loc_95111B:				; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+11Aj
		mov	edx, [ebp+var_48]
		mov	ecx, [ebp+var_2C]
		inc	[ebp+var_3C]
		mov	[ebp+var_31], 1
		call	_CmpTraceHiveMountLogEntryApplied@8 ; CmpTraceHiveMountLogEntryApplied(x,x)
		mov	eax, [ebp+var_54]
		test	eax, eax
		jz	short loc_951140
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_40]
		push	eax
		call	_HvpUpdateRecoveryVector@12 ; HvpUpdateRecoveryVector(x,x,x)

loc_951140:				; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+13Aj
		inc	edi
		add	esi, [ebp+var_2C]
		jnz	loc_951058
		mov	eax, 8000001Ah

loc_95114F:				; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+75j
					; HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+ABj
		cmp	eax, 0C0000017h
		jz	short loc_951197
		cmp	eax, 0C000009Ah
		jz	short loc_951197
		cmp	eax, 0C000014Ch
		jz	short loc_951197

loc_951164:				; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+8Aj
					; HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+93j ...
		mov	cl, [ebp+var_31]
		mov	edx, [ebp+var_58]
		movzx	eax, cl
		neg	eax
		sbb	eax, eax
		and	eax, 40000009h
		test	edx, edx
		jz	short loc_95117C
		mov	[edx], edi

loc_95117C:				; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+180j
		mov	edi, [ebp+var_5C]
		test	edi, edi
		jz	short loc_951188
		mov	edx, [ebp+var_3C]
		mov	[edi], edx

loc_951188:				; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+189j
		test	ebx, ebx
		jz	short loc_951197
		test	cl, cl
		jnz	short loc_951195
		and	dword ptr [ebx], 0
		jmp	short loc_951197
; 

loc_951195:				; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+196j
		mov	[ebx], esi

loc_951197:				; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+15Cj
					; HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+163j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	2Ch
_HvpApplyIncrementalLogFile@52 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpApplyLegacyLogFile(x, x,	x, x, x, x, x, x)
_HvpApplyLegacyLogFile@32 proc near	; CODE XREF: HvApplyLogFile(x,x,x,x,x,x,x,x,x,x,x,x)+1Fp

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		lea	edx, [ebp+var_34]
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_10]
		push	esi
		push	edi
		mov	[ebp+var_58], eax
		mov	edi, ecx
		mov	eax, [ebp+arg_14]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_54], eax
		xor	eax, eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_30], eax
		mov	eax, [edi+28h]
		shr	eax, 0Ch
		push	edx
		mov	[ebp+var_40], eax
		add	eax, 4
		push	eax
		push	200h
		push	ecx
		mov	[ebp+var_44], ecx
		call	_HvpRecoverDataReadRoutine@16 ;	HvpRecoverDataReadRoutine(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9512EF
		mov	ecx, [ebp+var_34]
		cmp	dword ptr [ecx], 54524944h
		jz	short loc_951255
		cmp	ds:_CmpSelfHeal, 0
		jnz	short loc_951244
		test	byte ptr _CmpBootType, 6
		jnz	short loc_951244
		mov	esi, 0C000014Ch
		jmp	loc_9512EF
; 

loc_951244:				; CODE XREF: HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+87j
					; HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+90j
		or	dword ptr [edi+0FF8h], 4
		mov	esi, 40000009h
		jmp	loc_9512EF
; 

loc_951255:				; CODE XREF: HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+7Ej
		mov	eax, [edi+28h]
		shr	eax, 9
		mov	[ebp+var_3C], eax
		lea	eax, [ecx+4]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9512EF
		lea	eax, [ebp+var_30]
		shl	esi, 9
		push	eax
		xor	edx, edx
		mov	[ebp+var_4C], esi
		lea	ecx, [ebp+var_3C]
		call	_HvpGenerateLogMetadata@12 ; HvpGenerateLogMetadata(x,x,x)
		mov	eax, [ebp+var_30]
		push	33334D43h
		push	0
		shl	eax, 3
		push	eax
		call	ebx
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9512A4
		mov	esi, 0C0000017h
		jmp	short loc_9512EF
; 

loc_9512A4:				; CODE XREF: HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+F3j
		lea	eax, [ebp+var_30]
		mov	edx, ebx
		push	eax
		lea	ecx, [ebp+var_3C]
		call	_HvpGenerateLogMetadata@12 ; HvpGenerateLogMetadata(x,x,x)
		mov	ecx, [ebp+var_30]
		mov	edx, ebx
		mov	eax, [edi+28h]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], ecx
		lea	eax, [ecx+5]
		mov	[ebp+var_2C], 454C7648h
		lea	eax, [esi+eax*8]
		push	ecx
		lea	ecx, [ebp+var_2C]
		mov	[ebp+var_28], eax
		call	_HvpIsMetadataArrayCoherent@12 ; HvpIsMetadataArrayCoherent(x,x,x)
		test	al, al
		jnz	short loc_951302
		mov	esi, 0C000014Ch

loc_9512E2:				; CODE XREF: HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+179j
					; HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+196j
		mov	edi, [ebp+var_30]

loc_9512E5:				; CODE XREF: HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+1BEj
		mov	eax, edi
		shl	eax, 3
		push	eax
		push	ebx
		call	[ebp+var_58]

loc_9512EF:				; CODE XREF: HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+6Fj
					; HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+97j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_951302:				; CODE XREF: HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+133j
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [ebp+var_40]
		add	eax, 403h
		push	esi
		and	eax, 0FFFFFE00h
		push	eax
		push	[ebp+var_44]
		call	_HvpRecoverDataReadRoutine@16 ;	HvpRecoverDataReadRoutine(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9512E2
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_4C]
		lea	eax, [ebp+var_2C]
		push	[ebp+var_34]
		push	ebx
		push	eax
		push	[ebp+var_50]
		call	_HvpApplyLogEntryDataToFileBackedHive@24 ; HvpApplyLogEntryDataToFileBackedHive(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9512E2
		test	byte ptr [ebp+var_24], 1
		jz	short loc_95134D
		or	dword ptr [edi+90h], 1

loc_95134D:				; CODE XREF: HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+19Cj
		mov	eax, [ebp+var_54]
		mov	edi, [ebp+var_30]
		test	eax, eax
		jz	short loc_951361
		push	eax
		mov	edx, edi
		mov	ecx, ebx
		call	_HvpUpdateRecoveryVector@12 ; HvpUpdateRecoveryVector(x,x,x)

loc_951361:				; CODE XREF: HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+1ADj
		mov	esi, 40000009h
		jmp	loc_9512E5
_HvpApplyLegacyLogFile@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpDetermineIncrementalLogFileMaximums(x, x, x, x)
_HvpDetermineIncrementalLogFileMaximums@16 proc	near
					; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+223p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_34], edx
		lea	edi, [ebp+var_2C]
		mov	edx, [ebp+arg_4]
		mov	esi, 200h
		and	[ebx], eax
		mov	[ebp+var_38], ecx
		push	0Ah
		and	[edx], eax
		pop	ecx
		rep stosd
		mov	edi, edx

loc_9513A1:				; CODE XREF: HvpDetermineIncrementalLogFileMaximums(x,x,x,x)+7Cj
		mov	edx, [ebp+var_38]
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+var_34]
		mov	ecx, esi
		call	_HvpReadLogEntryHeader@16 ; HvpReadLogEntryHeader(x,x,x,x)
		cmp	eax, 0C0000011h
		jz	short loc_9513E9
		test	eax, eax
		js	short loc_9513EB
		push	0
		mov	edx, esi
		lea	ecx, [ebp+var_2C]
		call	_HvpIsLogEntryHeaderCoherent@12	; HvpIsLogEntryHeaderCoherent(x,x,x)
		test	al, al
		jz	short loc_9513E9
		mov	eax, [ebp+var_1C]
		cmp	eax, [edi]
		jbe	short loc_9513D6
		mov	[edi], eax

loc_9513D6:				; CODE XREF: HvpDetermineIncrementalLogFileMaximums(x,x,x,x)+67j
		mov	eax, [ebp+var_20]
		cmp	eax, [ebx]
		jbe	short loc_9513DF
		mov	[ebx], eax

loc_9513DF:				; CODE XREF: HvpDetermineIncrementalLogFileMaximums(x,x,x,x)+70j
		add	esi, [ebp+var_28]
		lea	eax, [esi+28h]
		cmp	eax, esi
		jnb	short loc_9513A1

loc_9513E9:				; CODE XREF: HvpDetermineIncrementalLogFileMaximums(x,x,x,x)+4Cj
					; HvpDetermineIncrementalLogFileMaximums(x,x,x,x)+60j
		xor	eax, eax

loc_9513EB:				; CODE XREF: HvpDetermineIncrementalLogFileMaximums(x,x,x,x)+50j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_HvpDetermineIncrementalLogFileMaximums@16 endp


;  S U B	R O U T	I N E 


; __stdcall HvpDetermineLatestLogFile(x)
_HvpDetermineLatestLogFile@4 proc near	; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+18Fp
					; HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+46Ep
		mov	edx, [ecx]
		mov	ecx, [ecx+4]
		cmp	edx, ecx
		jnb	short loc_95140B
		mov	eax, ecx
		sub	eax, edx
		jmp	short loc_95140F
; 

loc_95140B:				; CODE XREF: HvpDetermineLatestLogFile(x)+7j
		mov	eax, edx
		sub	eax, ecx

loc_95140F:				; CODE XREF: HvpDetermineLatestLogFile(x)+Dj
		cmp	eax, 7FFFFFFFh
		jbe	short loc_95141C
		cmp	edx, ecx
		sbb	eax, eax
		inc	eax
		retn
; 

loc_95141C:				; CODE XREF: HvpDetermineLatestLogFile(x)+18j
		cmp	edx, ecx
		sbb	eax, eax
		neg	eax
		retn
_HvpDetermineLatestLogFile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpIsLogEntryHeaderCoherent(x, x, x)
_HvpIsLogEntryHeaderCoherent@12	proc near
					; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+83p
					; HvpDetermineIncrementalLogFileMaximums(x,x,x,x)+59p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword ptr [ecx], 454C7648h
		push	esi
		push	edi
		jnz	short loc_95149F
		mov	esi, [ecx+4]
		cmp	esi, 28h
		jbe	short loc_95149F
		xor	edi, edi
		xor	eax, eax
		add	edx, esi
		adc	eax, edi
		cmp	eax, edi
		ja	short loc_95149F
		jb	short loc_95144D
		cmp	edx, 0FFFFFFFFh
		ja	short loc_95149F

loc_95144D:				; CODE XREF: HvpIsLogEntryHeaderCoherent(x,x,x)+23j
		mov	eax, [ecx+10h]
		test	eax, eax
		jz	short loc_95149F
		cmp	eax, 7FFFE000h
		ja	short loc_95149F
		test	eax, 0FFFh
		jnz	short loc_95149F
		cmp	[ebp+arg_0], edi
		jz	short loc_95146C
		cmp	eax, [ebp+arg_0]
		ja	short loc_95149F

loc_95146C:				; CODE XREF: HvpIsLogEntryHeaderCoherent(x,x,x)+42j
		mov	eax, [ecx+14h]
		test	eax, eax
		jz	short loc_95149F
		push	8
		pop	edx
		mul	edx
		add	eax, 28h
		adc	edx, edi
		cmp	edx, edi
		ja	short loc_95149F
		jb	short loc_951488
		cmp	eax, 0FFFFFFFFh
		ja	short loc_95149F

loc_951488:				; CODE XREF: HvpIsLogEntryHeaderCoherent(x,x,x)+5Ej
		cmp	edi, edx
		jb	short loc_95149F
		ja	short loc_951492
		cmp	esi, eax
		jb	short loc_95149F

loc_951492:				; CODE XREF: HvpIsLogEntryHeaderCoherent(x,x,x)+69j
		call	_HvpLogEntryCheckHeaderChecksum@4 ; HvpLogEntryCheckHeaderChecksum(x)
		test	eax, eax
		jz	short loc_95149F
		mov	al, 1
		jmp	short loc_9514A1
; 

loc_95149F:				; CODE XREF: HvpIsLogEntryHeaderCoherent(x,x,x)+Dj
					; HvpIsLogEntryHeaderCoherent(x,x,x)+15j ...
		xor	al, al

loc_9514A1:				; CODE XREF: HvpIsLogEntryHeaderCoherent(x,x,x)+7Aj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_HvpIsLogEntryHeaderCoherent@12	endp


;  S U B	R O U T	I N E 


; __stdcall HvpIsLogFileBaseBlockValid(x, x)
_HvpIsLogFileBaseBlockValid@8 proc near	; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+ECp
		cmp	dword ptr [ecx], 66676572h
		jnz	short loc_9514FA
		mov	eax, [ecx+4]
		cmp	eax, [ecx+8]
		jnz	short loc_9514FA
		mov	eax, [ecx+0Ch]
		cmp	eax, [edx]
		jnz	short loc_9514FA
		mov	eax, [ecx+10h]
		cmp	eax, [edx+4]
		jnz	short loc_9514FA
		mov	eax, [ecx+1Ch]
		cmp	eax, 6
		jz	short loc_9514D3
		cmp	eax, 1
		jnz	short loc_9514FA

loc_9514D3:				; CODE XREF: HvpIsLogFileBaseBlockValid(x,x)+25j
		mov	edx, [ecx+28h]
		test	edx, edx
		jz	short loc_9514FA
		cmp	edx, 7FFFE000h
		ja	short loc_9514FA
		test	edx, 0FFFh
		jnz	short loc_9514FA
		call	_HvpHeaderCheckSum@4 ; HvpHeaderCheckSum(x)
		cmp	[ecx+1FCh], eax
		jnz	short loc_9514FA
		mov	al, 1
		retn
; 

loc_9514FA:				; CODE XREF: HvpIsLogFileBaseBlockValid(x,x)+6j
					; HvpIsLogFileBaseBlockValid(x,x)+Ej ...
		xor	al, al
		retn
_HvpIsLogFileBaseBlockValid@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpIsMetadataArrayCoherent(x, x, x)
_HvpIsMetadataArrayCoherent@12 proc near
					; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+BDp
					; HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+12Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	eax, ecx
		mov	esi, edx
		push	edi
		mov	[ebp+var_C], eax
		push	8
		mov	eax, [eax+14h]
		pop	ecx
		mul	ecx
		add	eax, 28h
		mov	ebx, edx
		mov	[ebp+var_8], eax
		adc	ebx, 0
		xor	eax, eax
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_0], eax
		jbe	short loc_9515A3
		lea	ecx, [esi-8]

loc_95152F:				; CODE XREF: HvpIsMetadataArrayCoherent(x,x,x)+A4j
		mov	edx, [ecx+0Ch]
		test	edx, edx
		jz	short loc_9515AC
		test	edx, 0FFFh
		jnz	short loc_9515AC
		mov	esi, [ecx+8]
		test	esi, 0FFFh
		jnz	short loc_9515AC
		lea	eax, [esi+edx]
		cmp	eax, esi
		mov	eax, [ebp+var_4]
		jb	short loc_9515AC
		mov	edi, [ebp+var_C]
		lea	eax, [esi+edx]
		cmp	eax, [edi+10h]
		mov	edi, [ebp+var_8]
		mov	eax, [ebp+var_4]
		ja	short loc_9515AC
		test	eax, eax
		jz	short loc_951574
		mov	eax, [ecx+4]
		add	eax, [ecx]
		cmp	esi, eax
		jbe	short loc_9515AC
		mov	eax, [ebp+var_4]

loc_951574:				; CODE XREF: HvpIsMetadataArrayCoherent(x,x,x)+69j
		add	edi, edx
		mov	[ebp+var_8], edi
		adc	ebx, 0
		test	ebx, ebx
		ja	short loc_9515AC
		jb	short loc_951587
		cmp	edi, 0FFFFFFFFh
		ja	short loc_9515AC

loc_951587:				; CODE XREF: HvpIsMetadataArrayCoherent(x,x,x)+83j
		mov	edx, [ebp+var_C]
		mov	edx, [edx+4]
		test	ebx, ebx
		ja	short loc_9515AC
		jb	short loc_951597
		cmp	edi, edx
		ja	short loc_9515AC

loc_951597:				; CODE XREF: HvpIsMetadataArrayCoherent(x,x,x)+94j
		inc	eax
		add	ecx, 8
		mov	[ebp+var_4], eax
		cmp	eax, [ebp+arg_0]
		jb	short loc_95152F

loc_9515A3:				; CODE XREF: HvpIsMetadataArrayCoherent(x,x,x)+2Dj
		mov	al, 1

loc_9515A5:				; CODE XREF: HvpIsMetadataArrayCoherent(x,x,x)+B1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_9515AC:				; CODE XREF: HvpIsMetadataArrayCoherent(x,x,x)+37j
					; HvpIsMetadataArrayCoherent(x,x,x)+3Fj ...
		xor	al, al
		jmp	short loc_9515A5
_HvpIsMetadataArrayCoherent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpIsReadErrorTransient(x)
_HvpIsReadErrorTransient@4 proc	near	; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+91p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	esi, 0C0000011h
		jz	loc_951676
		cmp	esi, 0C0000017h
		jz	loc_951687
		cmp	esi, 0C000009Ah
		jz	loc_951687
		cmp	esi, 0C00000A1h
		jz	loc_951687
		cmp	dword_6B2348, 5
		jbe	short loc_951676
		push	4000h
		xor	edi, edi
		mov	ebx, offset dword_6B2348
		push	edi
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_951676
		lea	eax, [ebp+var_68]
		mov	[ebp+var_68], 1
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_5C]
		push	8
		pop	edx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		mov	[ebp+var_30], edx
		mov	[ebp+var_10], edx
		mov	edx, offset loc_41AF7C
		push	ecx
		mov	ecx, ebx
		mov	[ebp+var_64], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_5C], esi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], 4
		mov	[ebp+var_1C], edi
		mov	[ebp+var_70], 1000000h
		mov	[ebp+var_6C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_C], edi
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)

loc_951676:				; CODE XREF: HvpIsReadErrorTransient(x)+1Dj
					; HvpIsReadErrorTransient(x)+4Ej ...
		xor	al, al

loc_951678:				; CODE XREF: HvpIsReadErrorTransient(x)+D9j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_951687:				; CODE XREF: HvpIsReadErrorTransient(x)+29j
					; HvpIsReadErrorTransient(x)+35j ...
		mov	al, 1
		jmp	short loc_951678
_HvpIsReadErrorTransient@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpLogIneligibleLogHeader(x, x, x)
_HvpLogIneligibleLogHeader@12 proc near	; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+134p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5D		= dword	ptr -5Dh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	dword_6B2348, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	ebx, ecx
		jbe	short loc_951717
		xor	edi, edi
		mov	ecx, offset dword_6B2348
		push	edi
		push	8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_951717
		lea	eax, [ebp+var_5D]
		mov	byte ptr [ebp+var_5D], bl
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_5D+1]
		push	eax
		push	5
		push	edi
		push	edi
		push	offset byte_41AE65
		push	offset dword_6B2348
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], 1
		mov	[ebp+var_30], edi
		mov	[ebp+var_64], esi
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_951717:				; CODE XREF: HvpLogIneligibleLogHeader(x,x,x)+20j
					; HvpLogIneligibleLogHeader(x,x,x)+33j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_HvpLogIneligibleLogHeader@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpLogInvalidLogHeader(x, x, x)
_HvpLogInvalidLogHeader@12 proc	near	; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+104p

var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_CD		= dword	ptr -0CDh
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 100h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	dword_6B2348, 5
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		jbe	loc_9518D1
		push	0
		push	8
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9518D1
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_CD]
		mov	[ebp+var_AC], eax
		push	4
		pop	edi
		mov	eax, [ecx]
		mov	[ebp+var_D4], eax
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_9C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_D8], eax
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_8C], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_DC], eax
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_7C], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_F4], eax
		mov	eax, [ecx+10h]
		mov	[ebp+var_F0], eax
		lea	eax, [ebp+var_F4]
		mov	[ebp+var_6C], eax
		mov	eax, [esi]
		mov	[ebp+var_FC], eax
		mov	eax, [esi+4]
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_FC]
		mov	[ebp+var_5C], eax
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_E0], eax
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_4C], eax
		mov	eax, [ecx+28h]
		mov	[ebp+var_E4], eax
		lea	eax, [ebp+var_E4]
		mov	[ebp+var_3C], eax
		mov	eax, [ecx+1FCh]
		push	8
		pop	edx
		mov	[ebp+var_E8], eax
		lea	eax, [ebp+var_E8]
		mov	byte ptr [ebp+var_CD], bl
		xor	ebx, ebx
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_A4], 1
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_94], edi
		mov	[ebp+var_90], ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_84], edi
		mov	[ebp+var_80], ebx
		mov	[ebp+var_78], ebx
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ebx
		call	_HvpHeaderCheckSum@4 ; HvpHeaderCheckSum(x)
		mov	[ebp+var_EC], eax
		lea	eax, [ebp+var_EC]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_CD+1]
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ebx
		push	eax
		push	0Ch
		push	ebx
		push	ebx
		push	offset byte_41AEAF
		push	offset dword_6B2348
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9518D1:				; CODE XREF: HvpLogInvalidLogHeader(x,x,x)+23j
					; HvpLogInvalidLogHeader(x,x,x)+39j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_HvpLogInvalidLogHeader@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpLogUnreadableLog(x, x)
_HvpLogUnreadableLog@8 proc near	; CODE XREF: HvAnalyzeLogFiles(x,x,x,x,x,x,x,x)+A3p

var_50		= dword	ptr -50h
var_49		= dword	ptr -49h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	dword_6B2348, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	ebx, ecx
		jbe	short loc_951958
		xor	edi, edi
		mov	ecx, offset dword_6B2348
		push	edi
		push	8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_951958
		push	4
		lea	eax, [ebp+var_49]
		mov	byte ptr [ebp+var_49], bl
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_49+1]
		push	eax
		push	ecx
		push	edi
		push	edi
		push	offset dword_41AF44
		push	offset dword_6B2348
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], 1
		mov	[ebp+var_1C], edi
		mov	[ebp+var_50], esi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_951958:				; CODE XREF: HvpLogUnreadableLog(x,x)+20j
					; HvpLogUnreadableLog(x,x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_HvpLogUnreadableLog@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpReadLogEntryHeader(x, x,	x, x)
_HvpReadLogEntryHeader@16 proc near	; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+6Ep
					; HvpDetermineIncrementalLogFileMaximums(x,x,x,x)+42p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		push	28h
		push	ecx
		push	[ebp+arg_0]
		call	edx ; loc_41AF7C
		test	eax, eax
		js	short locret_951990
		push	esi
		mov	esi, [ebp+var_4]
		push	edi
		mov	edi, [ebp+arg_4]
		push	0Ah
		pop	ecx
		rep movsd
		pop	edi
		pop	esi

locret_951990:				; CODE XREF: HvpReadLogEntryHeader(x,x,x,x)+18j
		leave
		retn	8
_HvpReadLogEntryHeader@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvpUpdateRecoveryVector(x, x, x)
_HvpUpdateRecoveryVector@12 proc near	; CODE XREF: HvpApplyIncrementalLogFile(x,x,x,x,x,x,x,x,x,x,x,x,x)+143p
					; HvpApplyLegacyLogFile(x,x,x,x,x,x,x,x)+1B4p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	eax, ecx
		xor	esi, esi
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_9519DE
		push	ebx

loc_9519AA:				; CODE XREF: HvpUpdateRecoveryVector(x,x,x)+47j
		mov	ebx, [ebp+arg_0]
		mov	edx, [eax+esi*8]
		mov	ecx, [eax+esi*8+4]
		shr	edx, 9
		mov	ebx, [ebx]
		shr	ecx, 9
		cmp	edx, ebx
		jnb	short loc_9519DD
		lea	eax, [ecx+edx]
		cmp	eax, ebx
		jbe	short loc_9519CB
		mov	ecx, ebx
		sub	ecx, edx

loc_9519CB:				; CODE XREF: HvpUpdateRecoveryVector(x,x,x)+31j
		push	ecx
		push	edx
		push	[ebp+arg_0]
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	eax, [ebp+var_4]
		inc	esi
		cmp	esi, edi
		jb	short loc_9519AA

loc_9519DD:				; CODE XREF: HvpUpdateRecoveryVector(x,x,x)+2Aj
		pop	ebx

loc_9519DE:				; CODE XREF: HvpUpdateRecoveryVector(x,x,x)+13j
		pop	edi
		pop	esi
		leave
		retn	4
_HvpUpdateRecoveryVector@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAddRemoveContainerToCLFSLog(x, x, x, x, x, x, x,	x)
_CmpAddRemoveContainerToCLFSLog@32 proc	near ; CODE XREF: CmpStartCLFSLog+754D9p
					; CmpAddRemoveRMLogContainer(x,x)+9Bp

var_C8		= dword	ptr -0C8h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_91		= dword	ptr -91h
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_A0], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[ebp+var_AC], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_8]
		push	esi
		push	edi
		mov	[ebp+var_B0], eax
		lea	edi, [ebp+var_C8]
		mov	eax, [ebp+arg_10]
		mov	esi, edx
		mov	[ebp+var_B4], eax
		xor	edx, edx
		xor	eax, eax
		mov	[ebp+var_BC], edx
		stosd
		push	6
		pop	ecx
		push	edx
		stosd
		mov	[ebp+var_B8], edx
		mov	[ebp+var_9C], edx
		mov	[ebp+var_98], edx
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_91+1]
		mov	[ebp+var_A8], edx
		rep stosd
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_A4], edx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+var_B0]
		mov	ax, [esi]
		mov	edi, [ebp+var_A0]
		push	20204D43h
		add	ax, [ecx]
		mov	ecx, [ebp+var_AC]
		add	ax, 22h
		add	ax, [ecx]
		add	ax, [edi]
		mov	word ptr [ebp+var_9C+2], ax
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_98], eax
		test	eax, eax
		jnz	short loc_951ABC
		mov	eax, 0C000009Ah
		jmp	loc_951C92
; 

loc_951ABC:				; CODE XREF: CmpAddRemoveContainerToCLFSLog(x,x,x,x,x,x,x,x)+CCj
		push	esi
		lea	eax, [ebp+var_9C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	edi
		lea	eax, [ebp+var_9C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	[ebp+var_AC]
		lea	eax, [ebp+var_9C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	[ebp+arg_C]
		lea	eax, [ebp+var_14]
		push	offset ??_C@_03PCJIPBFG@?4?$CFu@NNGAKEGL@
		push	10h
		push	eax
		call	_sprintf_s
		add	esp, 10h
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_BC]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		xor	edi, edi
		lea	eax, [ebp+var_BC]
		inc	edi
		push	edi
		push	eax
		lea	eax, [ebp+var_A8]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_951BDF
		cmp	word ptr [ebp+var_A8], 20h
		ja	loc_951BDF
		lea	eax, [ebp+var_A8]
		push	eax
		lea	eax, [ebp+var_9C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	[ebp+var_B0]
		lea	eax, [ebp+var_9C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_C8]
		push	ecx
		push	eax
		call	_PsDisableImpersonation@8 ; PsDisableImpersonation(x,x)
		mov	ecx, ds:_PsInitialSystemProcess
		xor	edx, edx
		mov	byte ptr [ebp+var_91], al
		lea	eax, [ebp+var_91+1]
		push	eax
		call	KiStackAttachProcess
		cmp	[ebp+arg_14], 1
		lea	eax, [ebp+var_9C]
		jnz	short loc_951BAB
		push	eax
		push	[ebp+var_B4]
		push	ebx
		call	ds:__imp__ClfsAddLogContainer@12 ; ClfsAddLogContainer(x,x,x)
		jmp	short loc_951BB4
; 

loc_951BAB:				; CODE XREF: CmpAddRemoveContainerToCLFSLog(x,x,x,x,x,x,x,x)+1B5j
		push	edi
		push	eax
		push	ebx
		call	ds:__imp__ClfsRemoveLogContainer@12 ; ClfsRemoveLogContainer(x,x,x)

loc_951BB4:				; CODE XREF: CmpAddRemoveContainerToCLFSLog(x,x,x,x,x,x,x,x)+1C5j
		xor	edx, edx
		lea	ecx, [ebp+var_91+1]
		mov	esi, eax
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		cmp	byte ptr [ebp+var_91], 0
		jz	short loc_951BDF
		lea	eax, [ebp+var_C8]
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	PsRestoreImpersonation

loc_951BDF:				; CODE XREF: CmpAddRemoveContainerToCLFSLog(x,x,x,x,x,x,x,x)+145j
					; CmpAddRemoveContainerToCLFSLog(x,x,x,x,x,x,x,x)+153j	...
		xor	ebx, ebx
		cmp	dword_6B2348, 5
		jbe	loc_951C78
		push	ebx
		push	edi
		mov	ecx, offset dword_6B2348
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_951C78
		mov	al, [ebp+arg_14]
		mov	byte ptr [ebp+var_91], al
		lea	eax, [ebp+var_91]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_98]
		mov	[ebp+var_28], eax
		movzx	eax, word ptr [ebp+var_9C]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	6
		push	ebx
		push	ebx
		push	offset byte_41AFC7
		push	offset dword_6B2348
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_A0], esi
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], 4
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], 2
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_951C78:				; CODE XREF: CmpAddRemoveContainerToCLFSLog(x,x,x,x,x,x,x,x)+204j
					; CmpAddRemoveContainerToCLFSLog(x,x,x,x,x,x,x,x)+218j
		lea	eax, [ebp+var_A8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	ebx
		push	[ebp+var_98]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_951C92:				; CODE XREF: CmpAddRemoveContainerToCLFSLog(x,x,x,x,x,x,x,x)+D3j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_CmpAddRemoveContainerToCLFSLog@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoReDoCreateKey(x, x)
_CmpDoReDoCreateKey@8 proc near		; CODE XREF: CmpDoReDoRecord(x,x):loc_951DE4p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		lea	eax, [ebp+var_1C]
		xor	ebx, ebx
		lea	edx, [ebp+var_14]
		mov	esi, ecx
		mov	[ebp+var_4], ebx
		push	eax
		lea	ecx, [edi+20h]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_C], ebx
		call	_CmpSplitParentKeyName@12 ; CmpSplitParentKeyName(x,x,x)
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax
		push	20006h
		lea	edx, [ebp+var_14]
		call	_CmpDoReOpenTransKey@16	; CmpDoReOpenTransKey(x,x,x,x)
		test	eax, eax
		js	short loc_951D4C
		mov	esi, [ebp+var_4]
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_2C], eax
		mov	eax, [edi+30h]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, [edi+28h]
		dec	eax
		mov	[ebp+var_34], 18h
		neg	eax
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], 1340h
		sbb	eax, eax
		mov	[ebp+var_20], ebx
		add	eax, 9
		push	eax
		push	ebx
		push	ebx
		lea	eax, [ebp+var_34]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_8]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	esi
		mov	edi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	edi, edi
		js	short loc_951D4A
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_951D4A:				; CODE XREF: CmpDoReDoCreateKey(x,x)+9Dj
		mov	eax, edi

loc_951D4C:				; CODE XREF: CmpDoReDoCreateKey(x,x)+4Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpDoReDoCreateKey@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoReDoDeleteKey(x, x)
_CmpDoReDoDeleteKey@8 proc near		; CODE XREF: CmpDoReDoRecord(x,x):loc_951DEBp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		push	10000h
		add	edx, 20h
		call	_CmpDoReOpenTransKey@16	; CmpDoReOpenTransKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_951D85
		push	[ebp+var_4]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_951D85:				; CODE XREF: CmpDoReDoDeleteKey(x,x)+20j
		mov	eax, esi
		pop	esi
		leave
		retn
_CmpDoReDoDeleteKey@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoReDoDeleteValue(x, x)
_CmpDoReDoDeleteValue@8	proc near	; CODE XREF: CmpDoReDoRecord(x,x):loc_951E00p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, edx
		push	eax
		push	2
		lea	edx, [edi+20h]
		call	_CmpDoReOpenTransKey@16	; CmpDoReOpenTransKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_951DC3
		lea	eax, [edi+28h]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_951DC3:				; CODE XREF: CmpDoReDoDeleteValue(x,x)+21j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_CmpDoReDoDeleteValue@8	endp


;  S U B	R O U T	I N E 


; __stdcall CmpDoReDoRecord(x, x)
_CmpDoReDoRecord@8 proc	near		; CODE XREF: CmpRmReDoPhase(x,x,x)+F8p
		mov	edi, edi
		push	esi
		xor	esi, esi
		test	byte ptr [edx+8], 1Ch
		jnz	short loc_951E2E
		mov	eax, [edx+0Ch]
		dec	eax
		cmp	eax, 9		; switch 10 cases
		ja	short loc_951E2A ; default
		jmp	ds:off_951E35[eax*4] ; switch jump

loc_951DE4:				; DATA XREF: PAGE:off_951E35o
		call	_CmpDoReDoCreateKey@8 ;	case 0x0
		jmp	short loc_951E28
; 

loc_951DEB:				; CODE XREF: CmpDoReDoRecord(x,x)+14j
					; DATA XREF: PAGE:off_951E35o
		call	_CmpDoReDoDeleteKey@8 ;	case 0x1
		jmp	short loc_951E28
; 

loc_951DF2:				; CODE XREF: CmpDoReDoRecord(x,x)+14j
					; DATA XREF: PAGE:off_951E35o
		call	_CmpDoReDoSetValueExisting@8 ; case 0x2
		jmp	short loc_951E28
; 

loc_951DF9:				; CODE XREF: CmpDoReDoRecord(x,x)+14j
					; DATA XREF: PAGE:off_951E35o
		call	_CmpDoReDoSetValueExisting@8 ; case 0x3
		jmp	short loc_951E28
; 

loc_951E00:				; CODE XREF: CmpDoReDoRecord(x,x)+14j
					; DATA XREF: PAGE:off_951E35o
		call	_CmpDoReDoDeleteValue@8	; case 0x4
		jmp	short loc_951E28
; 

loc_951E07:				; CODE XREF: CmpDoReDoRecord(x,x)+14j
					; DATA XREF: PAGE:off_951E35o
		call	_CmpDoReDoSetKeyUserFlags@8 ; case 0x5
		jmp	short loc_951E28
; 

loc_951E0E:				; CODE XREF: CmpDoReDoRecord(x,x)+14j
					; DATA XREF: PAGE:off_951E35o
		call	_CmpDoReDoSetLastWriteTime@8 ; case 0x6
		jmp	short loc_951E28
; 

loc_951E15:				; CODE XREF: CmpDoReDoRecord(x,x)+14j
					; DATA XREF: PAGE:off_951E35o
		call	_CmpDoReDoSetSecurityDescriptor@8 ; case 0x7
		jmp	short loc_951E28
; 

loc_951E1C:				; CODE XREF: CmpDoReDoRecord(x,x)+14j
					; DATA XREF: PAGE:off_951E35o
		call	_CmpDoReDoSetEntireSecurityDescriptor@8	; case 0x9
		jmp	short loc_951E28
; 

loc_951E23:				; CODE XREF: CmpDoReDoRecord(x,x)+14j
					; DATA XREF: PAGE:off_951E35o
		call	_CmpDoReDoRenameKey@8 ;	case 0x8

loc_951E28:				; CODE XREF: CmpDoReDoRecord(x,x)+20j
					; CmpDoReDoRecord(x,x)+27j ...
		mov	esi, eax

loc_951E2A:				; CODE XREF: CmpDoReDoRecord(x,x)+12j
		mov	eax, esi	; default
		pop	esi
		retn
; 

loc_951E2E:				; CODE XREF: CmpDoReDoRecord(x,x)+9j
		xor	eax, eax
		pop	esi
		retn
_CmpDoReDoRecord@8 endp

; 
		dw 498Dh
		db 0
off_951E35	dd offset loc_951DE4	; DATA XREF: CmpDoReDoRecord(x,x)+14r
		dd offset loc_951DEB	; jump table for switch	statement
		dd offset loc_951DF2
		dd offset loc_951DF9
		dd offset loc_951E00
		dd offset loc_951E07
		dd offset loc_951E0E
		dd offset loc_951E15
		dd offset loc_951E23
		dd offset loc_951E1C

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoReDoRenameKey(x, x)
_CmpDoReDoRenameKey@8 proc near		; CODE XREF: CmpDoReDoRecord(x,x):loc_951E23p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, edx
		push	eax
		push	20006h
		lea	edx, [edi+20h]
		call	_CmpDoReOpenTransKey@16	; CmpDoReOpenTransKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_951E99
		lea	eax, [edi+28h]
		push	eax
		push	[ebp+var_4]
		call	_ZwRenameKey@8	; ZwRenameKey(x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_951E99:				; CODE XREF: CmpDoReDoRenameKey(x,x)+24j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_CmpDoReDoRenameKey@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoReDoSetKeyUserFlags(x,	x)
_CmpDoReDoSetKeyUserFlags@8 proc near	; CODE XREF: CmpDoReDoRecord(x,x):loc_951E07p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, edx
		push	eax
		push	2
		lea	edx, [edi+20h]
		call	_CmpDoReOpenTransKey@16	; CmpDoReOpenTransKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_951EE2
		mov	eax, [edi+28h]
		push	4
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		push	[ebp+var_4]
		call	_ZwSetInformationKey@16	; ZwSetInformationKey(x,x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_951EE2:				; CODE XREF: CmpDoReDoSetKeyUserFlags(x,x)+21j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_CmpDoReDoSetKeyUserFlags@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoReDoSetLastWriteTime(x, x)
_CmpDoReDoSetLastWriteTime@8 proc near	; CODE XREF: CmpDoReDoRecord(x,x):loc_951E0Ep

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, edx
		push	eax
		push	2
		lea	edx, [edi+20h]
		call	_CmpDoReOpenTransKey@16	; CmpDoReOpenTransKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_951F32
		mov	eax, [edi+28h]
		mov	[ebp+var_10], eax
		mov	eax, [edi+2Ch]
		push	8
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		push	[ebp+var_4]
		call	_ZwSetInformationKey@16	; ZwSetInformationKey(x,x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_951F32:				; CODE XREF: CmpDoReDoSetLastWriteTime(x,x)+22j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_CmpDoReDoSetLastWriteTime@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoReDoSetSecurityDescriptor(x, x)
_CmpDoReDoSetSecurityDescriptor@8 proc near ; CODE XREF: CmpDoReDoRecord(x,x):loc_951E15p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, edx
		push	eax
		push	40000h
		lea	edx, [edi+20h]
		call	_CmpDoReOpenTransKey@16	; CmpDoReOpenTransKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_951F75
		push	dword ptr [edi+2Ch]
		push	4
		push	[ebp+var_4]
		call	_ZwSetSecurityObject@12	; ZwSetSecurityObject(x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_951F75:				; CODE XREF: CmpDoReDoSetSecurityDescriptor(x,x)+24j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_CmpDoReDoSetSecurityDescriptor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoReDoSetValueExisting(x, x)
_CmpDoReDoSetValueExisting@8 proc near	; CODE XREF: CmpDoReDoRecord(x,x):loc_951DF2p
					; CmpDoReDoRecord(x,x):loc_951DF9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	esi, edx
		push	eax
		push	2
		lea	edx, [esi+20h]
		call	_CmpDoReOpenTransKey@16	; CmpDoReOpenTransKey(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_951FBF
		push	dword ptr [esi+34h]
		lea	eax, [esi+28h]
		push	dword ptr [esi+38h]
		push	dword ptr [esi+30h]
		push	0
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	edi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_951FBF:				; CODE XREF: CmpDoReDoSetValueExisting(x,x)+21j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
_CmpDoReDoSetValueExisting@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoReOpenTransKey(x, x, x, x)
_CmpDoReOpenTransKey@16	proc near	; CODE XREF: CmpDoReDoSetEntireSecurityDescriptor(x,x)+1Bp
					; CmpDoReDoCreateKey(x,x)+43p ...

var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C1		= byte ptr -0C1h
var_C0		= dword	ptr -0C0h
var_AC		= dword	ptr -0ACh
var_84		= dword	ptr -84h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_44		= dword	ptr -44h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 104h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_104], eax
		push	edi
		mov	[ebp+var_D0], ecx
		xor	ecx, ecx
		push	offset _CmpRegistryLock
		mov	eax, [esi]
		mov	[ebp+var_DC], eax
		mov	eax, [esi+4]
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_E0], ecx
		mov	[ebp+var_D8], eax
		mov	[ebp+var_D4], ecx
		mov	[ebp+var_C8], ecx
		call	ExIsResourceAcquiredSharedLite
		test	eax, eax
		mov	ebx, 0C000003Eh
		setnz	[ebp+var_C1]
		cmp	word ptr [ebp+var_DC], 0
		jz	loc_95230D

loc_95203F:				; CODE XREF: CmpDoReOpenTransKey(x,x,x,x)+144j
		push	0B4h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_C0]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		or	[ebp+var_84], 0FFFFFFFFh
		lea	eax, [ebp+var_68]
		add	esp, 0Ch
		mov	[ebp+var_64], eax
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_44]
		push	38h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_AC], 8
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_FC], 18h
		mov	[ebp+var_F4], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_F8], ebx
		push	eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_F0], 1340h
		push	eax
		push	[ebp+arg_0]
		lea	eax, [ebp+var_FC]
		mov	[ebp+var_EC], ebx
		push	ebx
		push	ebx
		push	ds:_CmKeyObjectType
		mov	[ebp+var_E8], ebx
		push	eax
		call	_ObOpenObjectByName@28 ; ObOpenObjectByName(x,x,x,x,x,x,x)
		mov	dl, [ebp+var_C1]
		lea	ecx, [ebp+var_C0]
		mov	ebx, eax
		call	CmpCleanupParseContext
		test	ebx, ebx
		jns	short loc_95211A
		lea	eax, [ebp+var_E4]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_DC]
		call	_CmpSplitParentKeyName@12 ; CmpSplitParentKeyName(x,x,x)
		cmp	word ptr [ebp+var_DC], 0
		jnz	loc_95203F
		mov	esi, [ebp+var_C8]
		jmp	loc_952303
; 

loc_95211A:				; CODE XREF: CmpDoReOpenTransKey(x,x,x,x)+126j
		mov	eax, ds:_CmKeyObjectType
		lea	ecx, [ebp+var_CC]
		mov	esi, [ebp+var_C8]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		push	eax
		push	edx
		push	esi
		mov	[ebp+var_CC], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+var_CC]
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9522F8
		mov	bl, [ebp+var_C1]
		test	bl, bl
		jnz	short loc_95215D
		call	_CmpLockRegistry@0 ; CmpLockRegistry()

loc_95215D:				; CODE XREF: CmpDoReOpenTransKey(x,x,x,x)+191j
		mov	eax, [edi+8]
		mov	dl, bl
		mov	ebx, [ebp+var_D0]
		xor	dl, 1
		mov	ecx, [eax+10h]
		mov	eax, [ebx+20h]
		cmp	eax, [ecx+9A0h]
		jz	short loc_952183

loc_952179:				; CODE XREF: CmpDoReOpenTransKey(x,x,x,x)+2F1j
		mov	ebx, 0C000003Eh
		jmp	loc_9522EF
; 

loc_952183:				; CODE XREF: CmpDoReOpenTransKey(x,x,x,x)+1B2j
		test	dl, dl
		jz	short loc_95218C
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_95218C:				; CODE XREF: CmpDoReOpenTransKey(x,x,x,x)+1C0j
		lea	eax, [ebx+2Ch]
		mov	ecx, edi
		mov	[ebp+var_100], eax
		mov	[edi+24h], eax
		call	ObfDereferenceObject
		xor	ebx, ebx
		mov	edi, ebx
		mov	dl, bl
		cmp	word ptr [ebp+var_E4], bx
		jz	loc_9522E3
		push	0B4h		; size_t
		lea	eax, [ebp+var_C0]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		or	[ebp+var_84], 0FFFFFFFFh
		lea	eax, [ebp+var_68]
		add	esp, 0Ch
		mov	[ebp+var_64], eax
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_44]
		push	38h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_AC], 8
		lea	eax, [ebp+var_E4]
		mov	[ebp+var_FC], 18h
		mov	[ebp+var_F4], eax
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_F8], esi
		push	eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_F0], 1340h
		push	eax
		push	[ebp+arg_0]
		lea	eax, [ebp+var_FC]
		mov	[ebp+var_EC], ebx
		push	ebx
		push	ebx
		push	ds:_CmKeyObjectType
		mov	[ebp+var_E8], ebx
		push	eax
		call	_ObOpenObjectByName@28 ; ObOpenObjectByName(x,x,x,x,x,x,x)
		mov	dl, [ebp+var_C1]
		lea	ecx, [ebp+var_C0]
		mov	ebx, eax
		call	CmpCleanupParseContext
		xor	dl, dl
		test	ebx, ebx
		js	loc_9522EF
		mov	eax, ds:_CmKeyObjectType
		lea	ecx, [ebp+var_C8]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		push	eax
		push	edx
		push	esi
		mov	[ebp+var_C8], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+var_C8]
		mov	ebx, eax
		xor	dl, dl
		test	ebx, ebx
		js	short loc_9522EF
		xor	ebx, ebx
		cmp	[ebp+var_C1], dl
		jnz	short loc_9522A1
		call	_CmpLockRegistry@0 ; CmpLockRegistry()
		mov	dl, 1

loc_9522A1:				; CODE XREF: CmpDoReOpenTransKey(x,x,x,x)+2D3j
		mov	eax, [edi+8]
		mov	ecx, [eax+10h]
		mov	eax, [ebp+var_D0]
		mov	eax, [eax+20h]
		cmp	eax, [ecx+9A0h]
		jnz	loc_952179
		test	dl, dl
		jz	short loc_9522C5
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_9522C5:				; CODE XREF: CmpDoReOpenTransKey(x,x,x,x)+2F9j
		mov	eax, [ebp+var_100]
		mov	ecx, edi
		mov	[edi+24h], eax
		call	ObfDereferenceObject
		push	esi
		call	_ZwClose@4	; ZwClose(x)
		mov	esi, [ebp+var_D4]
		mov	dl, bl

loc_9522E3:				; CODE XREF: CmpDoReOpenTransKey(x,x,x,x)+1E7j
		mov	eax, [ebp+var_104]
		mov	[eax], esi
		xor	esi, esi
		xor	edi, edi

loc_9522EF:				; CODE XREF: CmpDoReOpenTransKey(x,x,x,x)+1B9j
					; CmpDoReOpenTransKey(x,x,x,x)+299j ...
		test	dl, dl
		jz	short loc_9522F8
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()

loc_9522F8:				; CODE XREF: CmpDoReOpenTransKey(x,x,x,x)+183j
					; CmpDoReOpenTransKey(x,x,x,x)+32Cj
		test	edi, edi
		jz	short loc_952303
		mov	ecx, edi
		call	ObfDereferenceObject

loc_952303:				; CODE XREF: CmpDoReOpenTransKey(x,x,x,x)+150j
					; CmpDoReOpenTransKey(x,x,x,x)+335j
		test	esi, esi
		jz	short loc_95230D
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_95230D:				; CODE XREF: CmpDoReOpenTransKey(x,x,x,x)+74j
					; CmpDoReOpenTransKey(x,x,x,x)+340j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_CmpDoReOpenTransKey@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPopulateKeyBasicInformation(x, x, x, x, x)
_CmpPopulateKeyBasicInformation@20 proc	near
					; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+1CAp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	byte ptr [edx+2], 20h
		movzx	eax, word ptr [edx+48h]
		push	ebx
		push	edi
		mov	edi, ecx
		jz	short loc_952339
		add	eax, eax
		movzx	eax, ax

loc_952339:				; CODE XREF: CmpPopulateKeyBasicInformation(x,x,x,x,x)+12j
		movzx	ecx, ax
		mov	eax, [ebp+arg_8]
		lea	ebx, [ecx+10h]
		mov	[ebp+var_4], ebx
		mov	[eax], ebx
		mov	ebx, [ebp+arg_4]
		cmp	ebx, 10h
		jnb	short loc_952356
		mov	eax, 0C0000023h
		jmp	short loc_9523AD
; 

loc_952356:				; CODE XREF: CmpPopulateKeyBasicInformation(x,x,x,x,x)+2Dj
		mov	eax, [edi]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[esi], eax
		mov	eax, [edi+4]
		mov	[esi+4], eax
		mov	eax, [edi+8]
		lea	edi, [ebx-10h]
		mov	[esi+8], eax
		mov	[esi+0Ch], ecx
		test	byte ptr [edx+2], 20h
		jz	short loc_95238B
		movzx	eax, word ptr [edx+48h]
		lea	ecx, [esi+10h]
		push	eax
		lea	eax, [edx+4Ch]
		mov	edx, edi
		push	eax
		call	_CmpCopyCompressedName@16 ; CmpCopyCompressedName(x,x,x,x)
		jmp	short loc_9523A2
; 

loc_95238B:				; CODE XREF: CmpPopulateKeyBasicInformation(x,x,x,x,x)+54j
		cmp	edi, ecx
		ja	short loc_952391
		mov	ecx, edi

loc_952391:				; CODE XREF: CmpPopulateKeyBasicInformation(x,x,x,x,x)+6Dj
		push	ecx		; size_t
		lea	eax, [edx+4Ch]
		push	eax		; void *
		lea	eax, [esi+10h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_9523A2:				; CODE XREF: CmpPopulateKeyBasicInformation(x,x,x,x,x)+69j
		cmp	ebx, [ebp+var_4]
		pop	esi
		sbb	eax, eax
		and	eax, 80000005h

loc_9523AD:				; CODE XREF: CmpPopulateKeyBasicInformation(x,x,x,x,x)+34j
		pop	edi
		pop	ebx
		leave
		retn	0Ch
_CmpPopulateKeyBasicInformation@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpPopulateKeyCachedInformation(x, x, x, x)
_CmpPopulateKeyCachedInformation@16 proc near
					; CODE XREF: CmpQueryKeyDataFromKeyNodeStack(x,x,x,x,x)+301p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		push	28h
		mov	esi, ecx
		pop	ecx
		mov	[eax], ecx
		cmp	[ebp+arg_0], ecx
		jnb	short loc_9523CF
		mov	eax, 0C0000023h
		jmp	short loc_9523DA
; 

loc_9523CF:				; CODE XREF: CmpPopulateKeyCachedInformation(x,x,x,x)+13j
		push	edi
		push	0Ah
		pop	ecx
		mov	edi, edx
		xor	eax, eax
		rep movsd
		pop	edi

loc_9523DA:				; CODE XREF: CmpPopulateKeyCachedInformation(x,x,x,x)+1Aj
		pop	esi
		pop	ebp
		retn	8
_CmpPopulateKeyCachedInformation@16 endp


;  S U B	R O U T	I N E 


; __stdcall TraceLoggingRegister_EtwRegister_EtwSetInformation(x)
_TraceLoggingRegister_EtwRegister_EtwSetInformation@4 proc near	; CODE XREF: sub_8820B8+4Fp
		push	0
		xor	edx, edx
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		retn
_TraceLoggingRegister_EtwRegister_EtwSetInformation@4 endp


;  S U B	R O U T	I N E 


; __stdcall TraceLoggingUnregister_EtwUnregister(x)
_TraceLoggingUnregister_EtwUnregister@4	proc near
					; CODE XREF: IopInitializePlugPlayServices(x,x)+B0Ap
		mov	edi, edi
		push	ecx
		mov	eax, [ecx+1Ch]
		mov	edx, [ecx+18h]
		and	dword ptr [ecx], 0
		and	dword ptr [ecx+18h], 0
		and	dword ptr [ecx+1Ch], 0
		push	eax
		push	edx
		call	EtwUnregister
		pop	ecx
		retn
_TraceLoggingUnregister_EtwUnregister@4	endp


;  S U B	R O U T	I N E 


; __stdcall VrpDecrementSiloCount()
_VrpDecrementSiloCount@0 proc near	; CODE XREF: VrpJobContextDelete(x)+1Dp
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _VrpActiveSilosLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		sub	_VrpNumActiveSilos, 1
		jnz	short loc_95243D
		push	dword_6CDCAC
		push	_VrpCallbackCookie
		call	CmUnRegisterCallback

loc_95243D:				; CODE XREF: VrpDecrementSiloCount()+24j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_952451
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_952451:				; CODE XREF: VrpDecrementSiloCount()+42j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_VrpDecrementSiloCount@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpJobContextDelete(x)
_VrpJobContextDelete@4 proc near	; DATA XREF: VRegSetup+133o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	dword ptr [esi+34h], 0
		jnz	short loc_95247B
		mov	ecx, esi
		call	VrpCleanupNamespace

loc_95247B:				; CODE XREF: VrpJobContextDelete(x)+Dj
		cmp	dword ptr [esi+38h], 0
		pop	esi
		jz	short loc_952487
		call	_VrpDecrementSiloCount@0 ; VrpDecrementSiloCount()

loc_952487:				; CODE XREF: VrpJobContextDelete(x)+1Bj
		pop	ebp
		retn	4
_VrpJobContextDelete@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpRegistryUnload(x)
_VrpRegistryUnload@4 proc near		; DATA XREF: VRegSetup+C1o

var_2C		= dword	ptr -2Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		push	esi
		push	_VrpDeviceObject
		call	IoDeleteDevice
		push	_VrpSiloContextSlot
		xor	esi, esi
		mov	_VrpDeviceObject, esi
		call	_PsFreeSiloContextSlot@4 ; PsFreeSiloContextSlot(x)
		cmp	dword_6B2370, 5
		jbe	short loc_9524E1
		lea	eax, [esp+34h+var_2C]
		push	eax
		push	2
		push	esi
		push	esi
		push	offset loc_41B0D7
		push	offset dword_6B2370
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9524E1:				; CODE XREF: VrpRegistryUnload(x)+3Cj
		mov	eax, dword_6B238C
		mov	ecx, dword_6B2388
		push	eax
		push	ecx
		mov	dword_6B2370, esi
		mov	dword_6B2388, esi
		mov	dword_6B238C, esi
		call	EtwUnregister
		mov	ecx, [esp+34h+var_8]
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_VrpRegistryUnload@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpHandleIoctlCreateMultipleNamespaceNodes(x, x, x,	x, x, x)
_VrpHandleIoctlCreateMultipleNamespaceNodes@24 proc near
					; CODE XREF: VrpIoctlDeviceDispatch+18F7ACp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_14], edx
		mov	[ebp+var_24], ecx
		mov	eax, ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		push	esi
		mov	esi, ebx
		push	edi
		cmp	edx, 8
		jnb	short loc_952549
		mov	edi, 0C000000Dh
		jmp	loc_95279A
; 

loc_952549:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+26j
		push	ebx
		lea	eax, [ebp+var_10]
		push	eax
		push	52566D43h
		push	[ebp+arg_0]
		push	ds:_PsJobType
		push	6
		push	dword ptr [ecx]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_10]
		call	_PsGetJobSilo@8	; PsGetJobSilo(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_95278F
		mov	ecx, large fs:124h
		mov	edx, [ebp+var_8]
		call	PsIsThreadInSilo
		test	al, al
		jz	short loc_952598
		mov	edi, 0C000000Dh
		jmp	loc_952797
; 

loc_952598:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+75j
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_18], ebx
		call	VRegEnabledInJob
		lea	eax, [ebp+var_4]
		push	eax
		push	_VrpSiloContextSlot
		push	[ebp+var_8]
		call	PsGetPermanentSiloContext
		mov	edi, eax
		test	edi, edi
		js	loc_95278F
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		mov	[ebp+var_8], 8
		call	_VrpLockJobContextExclusive@4 ;	VrpLockJobContextExclusive(x)
		mov	ecx, [ebp+var_24]
		mov	[ebp+var_C], 1
		mov	[ebp+var_20], ebx
		cmp	[ecx+4], ebx
		jbe	loc_952715

loc_9525E6:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+1F5j
		mov	eax, [ebp+var_8]
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		lea	edx, [eax+ecx]
		mov	[ebp+var_30], ebx
		lea	ecx, [eax+0Ch]
		mov	[ebp+var_1C], ebx
		mov	[ebp+arg_0], edx
		cmp	eax, ecx
		ja	loc_95276B
		cmp	[ebp+var_14], ecx
		jb	loc_95276B
		movzx	edx, word ptr [edx+4]
		test	dl, 1
		jnz	loc_95276B
		test	dx, dx
		jz	loc_95276B
		mov	eax, edx
		mov	[ebp+var_28], eax
		add	eax, ecx
		mov	[ebp+var_8], eax
		cmp	ecx, eax
		ja	loc_95276B
		mov	eax, [ebp+arg_0]
		movzx	ecx, word ptr [eax+6]
		test	cl, 1
		jnz	loc_95276B
		test	cx, cx
		jz	loc_95276B
		mov	edi, [ebp+var_8]
		lea	eax, [edi+ecx]
		cmp	edi, eax
		mov	[ebp+var_8], eax
		mov	edi, [ebp+var_4]
		ja	loc_95276B
		cmp	[ebp+var_14], eax
		jb	loc_95276B
		mov	eax, [ebp+arg_0]
		add	eax, 0Ch
		mov	word ptr [ebp+var_3C+2], dx
		mov	[ebp+var_38], eax
		mov	eax, edx
		shr	eax, 1
		add	eax, 6
		mov	word ptr [ebp+var_3C], dx
		mov	edx, [ebp+arg_0]
		mov	word ptr [ebp+var_34+2], cx
		mov	word ptr [ebp+var_34], cx
		mov	ecx, [edx+8]
		lea	eax, [edx+eax*2]
		mov	[ebp+var_30], eax
		mov	eax, [edx]
		mov	[ebp+arg_0], eax
		mov	eax, ecx
		and	eax, 7
		mov	[ebp+var_28], ecx
		cmp	eax, ecx
		jnz	loc_95276B
		push	67655256h
		push	8
		push	[ebp+var_C]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_952764
		mov	[eax], esi
		lea	edx, [ebp+var_3C]
		mov	[eax+4], ebx
		mov	esi, eax
		lea	eax, [ebp+var_1C]
		mov	ecx, edi
		push	eax
		push	[ebp+arg_0]
		lea	eax, [ebp+var_34]
		push	[ebp+var_28]
		push	eax
		push	[ebp+var_18]
		call	VrpCreateNamespaceNode
		mov	edi, eax
		test	edi, edi
		js	loc_95278F
		mov	eax, [ebp+var_1C]
		mov	ecx, esi
		mov	[ecx+4], eax
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_24]
		inc	eax
		mov	[ebp+var_20], eax
		cmp	eax, [ecx+4]
		jb	loc_9525E6
		mov	edi, [ebp+var_4]

loc_952715:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+C9j
		mov	[ebp+arg_0], esi
		mov	eax, esi
		test	esi, esi
		jz	short loc_95273D

loc_95271E:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+224j
		mov	edx, [eax+4]
		mov	ecx, edi
		call	VrpAddNamespaceNodeToList
		mov	edi, eax
		test	edi, edi
		js	short loc_95278F
		mov	eax, [ebp+arg_0]
		mov	edi, [ebp+var_4]
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	short loc_95271E

loc_95273D:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+205j
		mov	[ebp+arg_0], esi
		mov	eax, esi
		test	esi, esi
		jz	short loc_952760

loc_952746:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+247j
		mov	ecx, [eax+4]
		call	_VrpCreateNamespaceNodePlaceholderKey@4	; VrpCreateNamespaceNodePlaceholderKey(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_95278F
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	short loc_952746

loc_952760:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+22Dj
		mov	edi, ebx
		jmp	short loc_95278F
; 

loc_952764:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+1AEj
		mov	edi, 0C000009Ah
		jmp	short loc_95278F
; 

loc_95276B:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+ECj
					; VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+F5j ...
		mov	edi, 0C000000Dh
		jmp	short loc_95278F
; 

loc_952772:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+285j
		test	edi, edi
		jns	short loc_952784
		mov	edx, [ebx+4]
		test	edx, edx
		jz	short loc_952784
		mov	ecx, eax
		call	VrpDestroyNamespaceNode

loc_952784:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+25Dj
					; VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+264j
		push	67655256h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95278F:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+5Ej
					; VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+A2j ...
		mov	ebx, esi
		test	esi, esi
		jz	short loc_952797
		mov	esi, [esi]

loc_952797:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+7Cj
					; VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+27Cj
		mov	eax, [ebp+var_4]

loc_95279A:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+2Dj
		test	ebx, ebx
		jnz	short loc_952772
		cmp	[ebp+var_C], ebx
		jz	short loc_9527AB
		mov	ecx, [ebp+var_4]
		call	VrpUnlockJobContextExclusive

loc_9527AB:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+28Aj
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jz	short loc_9527BC
		mov	edx, 52566D43h
		call	ObfDereferenceObjectWithTag

loc_9527BC:				; CODE XREF: VrpHandleIoctlCreateMultipleNamespaceNodes(x,x,x,x,x,x)+299j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_VrpHandleIoctlCreateMultipleNamespaceNodes@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpHandleIoctlGetVirtualRootKey(x, x, x, x,	x, x)
_VrpHandleIoctlGetVirtualRootKey@24 proc near ;	CODE XREF: VrpIoctlDeviceDispatch+18F850p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_24]
		mov	[ebp+var_C], eax
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		push	6
		pop	ecx
		rep stosd
		cmp	edx, 8
		jb	loc_9528D6
		cmp	dword ptr [ebx+4], 2
		ja	loc_9528D6
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	52566D43h
		push	[ebp+arg_0]
		push	ds:_PsJobType
		push	4
		push	dword ptr [ebx]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9528C3
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_8]
		call	_PsGetJobSilo@8	; PsGetJobSilo(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9528C3
		mov	ecx, large fs:124h
		mov	edx, [ebp+var_C]
		call	PsIsThreadInSilo
		test	al, al
		jz	short loc_95284E
		mov	esi, 0C000000Dh
		jmp	short loc_9528C3
; 

loc_95284E:				; CODE XREF: VrpHandleIoctlGetVirtualRootKey(x,x,x,x,x,x)+80j
		push	edx
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		and	[ebp+var_20], 0
		mov	edi, eax
		mov	eax, [ebx+4]
		xor	ecx, ecx
		cmp	byte ptr [ebp+arg_0], 1
		mov	[ebp+var_24], 18h
		setz	cl
		xor	ebx, ebx
		lea	eax, _VrpRootKeyPaths[eax*8]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_1C], eax
		dec	ecx
		lea	eax, [ebp+var_24]
		mov	[ebp+var_10], ebx
		push	eax
		and	ecx, 0FFFFFE00h
		lea	eax, [ebp+var_4]
		push	80000000h
		add	ecx, 440h
		push	eax
		mov	[ebp+var_18], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9528BD
		mov	eax, [ebp+arg_C]
		mov	esi, ebx
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_4], ebx
		mov	dword ptr [eax], 4
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx

loc_9528BD:				; CODE XREF: VrpHandleIoctlGetVirtualRootKey(x,x,x,x,x,x)+E0j
		push	edi
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)

loc_9528C3:				; CODE XREF: VrpHandleIoctlGetVirtualRootKey(x,x,x,x,x,x)+53j
					; VrpHandleIoctlGetVirtualRootKey(x,x,x,x,x,x)+69j ...
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_9528DB
		mov	edx, 52566D43h
		call	ObfDereferenceObjectWithTag
		jmp	short loc_9528DB
; 

loc_9528D6:				; CODE XREF: VrpHandleIoctlGetVirtualRootKey(x,x,x,x,x,x)+23j
					; VrpHandleIoctlGetVirtualRootKey(x,x,x,x,x,x)+2Dj
		mov	esi, 0C000000Dh

loc_9528DB:				; CODE XREF: VrpHandleIoctlGetVirtualRootKey(x,x,x,x,x,x)+103j
					; VrpHandleIoctlGetVirtualRootKey(x,x,x,x,x,x)+10Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_VrpHandleIoctlGetVirtualRootKey@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpHandleIoctlLoadDifferencingHiveForHost(x, x, x, x, x, x)
_VrpHandleIoctlLoadDifferencingHiveForHost@24 proc near
					; CODE XREF: VrpIoctlDeviceDispatch+18F835p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	ebx, ecx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		push	edi
		mov	edi, eax
		cmp	esi, 18h
		jnb	short loc_952918

loc_95290E:				; CODE XREF: VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+60j
					; VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+65j ...
		mov	esi, 0C000000Dh
		jmp	loc_952A93
; 

loc_952918:				; CODE XREF: VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+28j
		movzx	eax, word ptr [ebx+8]
		test	al, 1
		jnz	loc_952A82
		movzx	ecx, word ptr [ebx+0Ah]
		test	cl, 1
		jnz	loc_952A82
		movzx	edx, word ptr [ebx+0Ch]
		mov	[ebp+var_4], edx
		test	dl, 1
		jnz	loc_952A82
		test	ax, ax
		jz	short loc_95290E
		test	cx, cx
		jz	short loc_95290E
		lea	edx, [eax+14h]
		cmp	edx, 14h
		jb	short loc_95290E
		add	ecx, edx
		cmp	edx, ecx
		ja	short loc_95290E
		mov	eax, [ebp+var_4]
		movzx	eax, ax
		add	eax, ecx
		cmp	ecx, eax
		ja	short loc_95290E
		cmp	esi, eax
		jb	short loc_95290E
		push	[ebp+arg_0]
		push	ds:dword_A949E4
		push	ds:_SeBackupPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_95298B

loc_952981:				; CODE XREF: VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+BDj
		mov	esi, 0C0000061h
		jmp	loc_952A93
; 

loc_95298B:				; CODE XREF: VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+9Bj
		push	[ebp+arg_0]
		push	ds:dword_A949DC
		push	ds:_SeRestorePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	short loc_952981
		movzx	ecx, word ptr [ebx+8]
		lea	edx, [ebx+14h]
		mov	esi, ecx
		mov	word ptr [ebp+var_C+2],	cx
		mov	eax, esi
		mov	word ptr [ebp+var_C], cx
		shr	eax, 1
		push	67655256h
		mov	[ebp+var_8], edx
		lea	ecx, [edx+eax*2]
		movzx	eax, word ptr [ebx+0Ah]
		mov	word ptr [ebp+var_1C+2], ax
		mov	word ptr [ebp+var_1C], ax
		shr	eax, 1
		mov	[ebp+var_18], ecx
		lea	eax, [ecx+eax*2]
		mov	[ebp+var_10], eax
		mov	ax, [ebx+0Ch]
		mov	word ptr [ebp+var_14+2], ax
		mov	word ptr [ebp+var_14], ax
		lea	eax, [esi+6]
		push	eax
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	edi, eax
		test	edi, edi
		jnz	short loc_952A01
		mov	esi, 0C000009Ah
		jmp	loc_952A93
; 

loc_952A01:				; CODE XREF: VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+111j
		mov	ax, word ptr [ebp+var_C]
		mov	[edi+4], ax
		movzx	eax, word ptr [ebp+var_C]
		push	eax		; size_t
		push	[ebp+var_8]	; void *
		lea	eax, [edi+6]
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebx+4]
		lea	edx, [ebp+var_1C]
		add	esp, 0Ch
		mov	eax, ecx
		shr	eax, 1
		and	ecx, 1
		and	eax, 1
		push	dword ptr [ebx+10h]
		push	0
		push	eax
		push	ecx
		push	dword ptr [ebx]
		lea	eax, [ebp+var_14]
		push	eax
		lea	ecx, [ebp+var_C]
		call	_VrpLoadDifferencingHive@32 ; VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_952A87
		mov	esi, offset _VrpHostLoadedHivesLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, _VrpHostLoadedHives
		mov	[edi], eax
		or	eax, 0FFFFFFFFh
		mov	_VrpHostLoadedHives, edi
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_952A77
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_952A77:				; CODE XREF: VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+18Aj
		mov	ecx, esi
		call	KeAbPostRelease
		xor	esi, esi
		jmp	short loc_952A93
; 

loc_952A82:				; CODE XREF: VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+3Aj
					; VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+47j ...
		mov	esi, 0C000000Dh

loc_952A87:				; CODE XREF: VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+162j
		test	edi, edi
		jz	short loc_952A93
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_952A93:				; CODE XREF: VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+2Fj
					; VrpHandleIoctlLoadDifferencingHiveForHost(x,x,x,x,x,x)+A2j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_VrpHandleIoctlLoadDifferencingHiveForHost@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpHandleIoctlModifyFlags(x, x, x, x, x, x)
_VrpHandleIoctlModifyFlags@24 proc near	; CODE XREF: VrpIoctlDeviceDispatch+18F794p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ecx
		push	esi
		push	edi
		cmp	edx, 0Ch
		jnb	short loc_952AC3

loc_952AB9:				; CODE XREF: VrpHandleIoctlModifyFlags(x,x,x,x,x,x)+2Dj
		mov	edi, 0C000000Dh
		jmp	loc_952B4F
; 

loc_952AC3:				; CODE XREF: VrpHandleIoctlModifyFlags(x,x,x,x,x,x)+1Bj
		mov	eax, [ebx+4]
		test	[ebx+8], eax
		jnz	short loc_952AB9
		push	ecx
		lea	eax, [ebp+var_4]
		push	eax
		push	52566D43h
		push	[ebp+arg_0]
		push	ds:_PsJobType
		push	6
		push	dword ptr [ebx]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_952B3F
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	_PsGetJobSilo@8	; PsGetJobSilo(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_952B3F
		lea	eax, [ebp+var_8]
		push	eax
		push	_VrpSiloContextSlot
		push	[ebp+var_C]
		call	PsGetPermanentSiloContext
		mov	edi, eax
		test	edi, edi
		js	short loc_952B3F
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		call	_VrpLockJobContextExclusive@4 ;	VrpLockJobContextExclusive(x)
		mov	eax, [esi+30h]
		mov	ecx, [ebx+4]
		or	ecx, eax
		mov	eax, [ebx+8]
		not	eax
		and	ecx, eax
		mov	[esi+30h], ecx
		mov	ecx, [ebp+var_8]
		call	VrpUnlockJobContextExclusive
		mov	esi, [ebp+var_4]

loc_952B3F:				; CODE XREF: VrpHandleIoctlModifyFlags(x,x,x,x,x,x)+52j
					; VrpHandleIoctlModifyFlags(x,x,x,x,x,x)+62j ...
		test	esi, esi
		jz	short loc_952B4F
		mov	edx, 52566D43h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_952B4F:				; CODE XREF: VrpHandleIoctlModifyFlags(x,x,x,x,x,x)+22j
					; VrpHandleIoctlModifyFlags(x,x,x,x,x,x)+A5j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_VrpHandleIoctlModifyFlags@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpHandleIoctlUnloadDifferencingHiveForHost(x, x, x, x, x, x)
_VrpHandleIoctlUnloadDifferencingHiveForHost@24	proc near
					; CODE XREF: VrpIoctlDeviceDispatch+18F7D4p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		cmp	edx, 8
		jnb	short loc_952B7E

loc_952B74:				; CODE XREF: VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+2Cj
					; VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+31j	...
		mov	esi, 0C000000Dh
		jmp	loc_952CC4
; 

loc_952B7E:				; CODE XREF: VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+1Aj
		movzx	eax, word ptr [esi+4]
		test	al, 1
		jnz	short loc_952B74
		test	ax, ax
		jz	short loc_952B74
		cmp	[esi], edi
		jnz	short loc_952B74
		add	eax, 6
		cmp	eax, 6
		jb	short loc_952B74
		cmp	edx, eax
		jb	short loc_952B74
		push	[ebp+arg_0]
		push	ds:dword_A949E4
		push	ds:_SeBackupPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_952BBD

loc_952BB3:				; CODE XREF: VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+7Bj
		mov	esi, 0C0000061h
		jmp	loc_952CC4
; 

loc_952BBD:				; CODE XREF: VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+59j
		push	[ebp+arg_0]
		push	ds:dword_A949DC
		push	ds:_SeRestorePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	short loc_952BB3
		lea	eax, [esi+6]
		mov	ebx, offset _VrpHostLoadedHivesLock
		mov	[ebp+var_4], eax
		xor	edx, edx
		mov	ax, [esi+4]
		mov	ecx, ebx
		mov	word ptr [ebp+var_8+2],	ax
		mov	word ptr [ebp+var_8], ax
		call	ExAcquirePushLockExclusiveEx
		mov	esi, _VrpHostLoadedHives
		mov	eax, offset _VrpHostLoadedHives
		mov	[ebp+arg_0], eax
		test	esi, esi
		jz	short loc_952C47

loc_952C07:				; CODE XREF: VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+DDj
		mov	ebx, [esi]
		lea	eax, [esi+6]
		mov	[ebp+var_C], eax
		movzx	eax, word ptr [esi+4]
		mov	word ptr [ebp+var_10], ax
		mov	word ptr [ebp+var_10+2], ax
		lea	eax, [ebp+var_10]
		push	1
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_952C39
		mov	[ebp+arg_0], esi
		mov	esi, ebx
		test	esi, esi
		jnz	short loc_952C07
		jmp	short loc_952C42
; 

loc_952C39:				; CODE XREF: VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+D4j
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx
		and	[esi], edi
		mov	edi, esi

loc_952C42:				; CODE XREF: VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+DFj
		mov	ebx, offset _VrpHostLoadedHivesLock

loc_952C47:				; CODE XREF: VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+ADj
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_952C5B
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_952C5B:				; CODE XREF: VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+FAj
		mov	ecx, ebx
		call	KeAbPostRelease
		test	edi, edi
		jnz	short loc_952C6D
		mov	esi, 0C0000034h
		jmp	short loc_952CC4
; 

loc_952C6D:				; CODE XREF: VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+10Cj
		lea	ecx, [ebp+var_8]
		call	VrpUnloadDifferencingHive
		lea	esi, [eax+3FFFFFCCh]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jl	short loc_952C8F
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		xor	esi, esi

loc_952C8F:				; CODE XREF: VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+129j
		test	edi, edi
		jz	short loc_952CC4
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, _VrpHostLoadedHives
		mov	[edi], eax
		or	eax, 0FFFFFFFFh
		mov	_VrpHostLoadedHives, edi
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_952CBD
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_952CBD:				; CODE XREF: VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+15Cj
		mov	ecx, ebx
		call	KeAbPostRelease

loc_952CC4:				; CODE XREF: VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+21j
					; VrpHandleIoctlUnloadDifferencingHiveForHost(x,x,x,x,x,x)+60j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_VrpHandleIoctlUnloadDifferencingHiveForHost@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpPostUnloadKey(x,	x)
_VrpPostUnloadKey@8 proc near		; CODE XREF: VrpRegistryCallback+18ED4Ap

var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	esi, edx
		mov	ebx, ecx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		push	3
		call	EtwActivityIdControl
		mov	edx, [ebx+10h]
		test	edx, edx
		jz	short loc_952D38
		cmp	dword ptr [ebx+4], 0
		jl	short loc_952D0E
		mov	ecx, esi
		call	VrpDestroyNamespaceNode

loc_952D0E:				; CODE XREF: VrpPostUnloadKey(x,x)+38j
		add	esi, 10h
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_952D25
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_952D25:				; CODE XREF: VrpPostUnloadKey(x,x)+4Fj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_952D38:				; CODE XREF: VrpPostUnloadKey(x,x)+32j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_VrpPostUnloadKey@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpPreFlushKey(x, x)
_VrpPreFlushKey@8 proc near		; CODE XREF: VrpRegistryCallback+18ED56p

var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_58]
		stosd
		mov	esi, edx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_58]
		push	eax
		push	3
		call	EtwActivityIdControl
		mov	eax, [esi+30h]
		test	al, 1
		jz	short loc_952DA5
		cmp	dword_6B2370, 5
		jbe	short loc_952D9E
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		push	0
		lea	eax, [ebp+var_58]
		push	eax
		push	offset loc_41B315
		push	offset dword_6B2370
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_952D9E:				; CODE XREF: VrpPreFlushKey(x,x)+38j
		mov	eax, 0C0000503h
		jmp	short loc_952DCB
; 

loc_952DA5:				; CODE XREF: VrpPreFlushKey(x,x)+2Fj
		cmp	dword_6B2370, 5
		jbe	short loc_952DC9
		lea	eax, [ebp+var_48]
		push	eax
		push	2
		push	0
		lea	eax, [ebp+var_58]
		push	eax
		push	offset loc_41B372
		push	offset dword_6B2370
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_952DC9:				; CODE XREF: VrpPreFlushKey(x,x)+63j
		xor	eax, eax

loc_952DCB:				; CODE XREF: VrpPreFlushKey(x,x)+5Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_VrpPreFlushKey@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpPreLoadKey(x, x)
_VrpPreLoadKey@8 proc near		; CODE XREF: VrpRegistryCallback+18ED2Ep

var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_161		= byte ptr -161h
var_160		= dword	ptr -160h
var_150		= dword	ptr -150h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
ms_exc		= CPPEH_RECORD ptr -18h

		push	1F0h
		push	offset dword_6A7A78
		call	__SEH_prolog4_GS
		mov	eax, edx
		mov	[ebp+var_168], eax
		mov	esi, ecx
		mov	[ebp+var_1A0], esi
		mov	[ebp+var_1C8], eax
		xor	ebx, ebx
		mov	[ebp+var_174], ebx
		mov	[ebp+var_170], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_1E8]
		rep stosd
		mov	[ebp+var_17C], ebx
		mov	[ebp+var_178], ebx
		push	6
		pop	ecx
		lea	edi, [ebp+var_200]
		rep stosd
		mov	[ebp+var_1B0], ebx
		mov	[ebp+var_1AC], ebx
		mov	[ebp+var_1A8], ebx
		mov	[ebp+var_1A4], ebx
		lea	edi, [ebp+var_160]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_160]
		push	eax
		push	3
		call	EtwActivityIdControl
		mov	edi, [esi]
		lea	eax, [ebp+var_70]
		mov	[ebp+var_184], eax
		xor	eax, eax
		mov	word ptr [ebp+var_188],	ax
		push	4Eh
		pop	eax
		mov	word ptr [ebp+var_188+2], ax
		mov	[ebp+var_161], bl
		mov	[ebp+var_1C0], ebx
		mov	ecx, [edi+24h]
		mov	[ebp+var_18C], ebx
		mov	[ebp+var_1B4], ebx
		mov	[ebp+var_190], ebx
		mov	[ebp+var_194], ebx
		mov	[ebp+var_180], ebx
		mov	[ebp+var_1C4], ebx
		mov	[ebp+var_1BC], ebx
		mov	[ebp+var_1B8], ebx
		mov	[ebp+var_198], ebx
		mov	[ebp+var_19C], ebx
		mov	eax, [edi+4]
		test	ecx, ecx
		jz	short loc_952EFA
		lea	edx, [ebp+var_174]
		push	edx
		add	ecx, 10h
		mov	edx, eax
		call	_VrpBuildKeyPath@12 ; VrpBuildKeyPath(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_95372C
		mov	[ebp+var_161], 1
		mov	esi, [ebp+var_174]
		jmp	short loc_952F0B
; 

loc_952EFA:				; CODE XREF: VrpPreLoadKey(x,x)+F5j
		mov	esi, [eax]
		mov	[ebp+var_174], esi
		mov	eax, [eax+4]
		mov	[ebp+var_170], eax

loc_952F0B:				; CODE XREF: VrpPreLoadKey(x,x)+11Fj
		cmp	dword_6B2370, 5
		jbe	short loc_952F87
		cmp	[ebp+var_170], ebx
		lea	edx, [ebp+var_174]
		jnz	short loc_952F27
		mov	edx, (offset loc_403A20+4)

loc_952F27:				; CODE XREF: VrpPreLoadKey(x,x)+147j
		movzx	ecx, word ptr [edx]
		mov	eax, [edx+4]
		lea	edx, [ebp+var_E8]
		mov	[ebp+var_100], edx
		mov	[ebp+var_FC], ebx
		mov	[ebp+var_F8], 2
		mov	[ebp+var_F4], ebx
		mov	[ebp+var_F0], eax
		mov	[ebp+var_EC], ebx
		mov	[ebp+var_E8], ecx
		mov	[ebp+var_E4], ebx
		lea	eax, [ebp+var_120]
		push	eax
		push	4
		push	ebx
		lea	eax, [ebp+var_160]
		push	eax
		push	(offset	loc_41B140+4)
		push	offset dword_6B2370
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_952F87:				; CODE XREF: VrpPreLoadKey(x,x)+139j
		lea	eax, [ebp+var_1A8]
		push	eax
		lea	edx, [ebp+var_1B4]
		lea	ecx, [ebp+var_174]
		call	_VrpGetNextToken@12 ; VrpGetNextToken(x,x,x)
		push	1
		push	offset _VrpRegistryString
		lea	eax, [ebp+var_1A8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_952FC0

loc_952FB6:				; CODE XREF: VrpPreLoadKey(x,x)+3F4j
					; VrpPreLoadKey(x,x)+435j
		mov	esi, 0C0000022h
		jmp	loc_953738
; 

loc_952FC0:				; CODE XREF: VrpPreLoadKey(x,x)+1DBj
		lea	eax, [ebp+var_1A8]
		push	eax
		lea	edx, [ebp+var_1B4]
		lea	ecx, [ebp+var_174]
		call	_VrpGetNextToken@12 ; VrpGetNextToken(x,x,x)
		push	1
		push	(offset	loc_403A1B+1)
		lea	eax, [ebp+var_1A8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_953722
		push	1
		push	offset _VrpWcString
		lea	eax, [ebp+var_1A8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_953722
		test	byte ptr [edi+0Ch], 10h
		jz	loc_953193
		mov	esi, ebx

loc_95301A:				; CODE XREF: VrpPreLoadKey(x,x)+94Dj
					; VrpPreLoadKey(x,x)+959j
		mov	edi, [ebp+var_168]

loc_953020:				; CODE XREF: VrpPreLoadKey(x,x)+96Dj
					; VrpPreLoadKey(x,x)+97Cj
		or	eax, 0FFFFFFFFh
		cmp	[ebp+var_1C0], 0
		jz	short loc_95306F
		add	edi, 10h
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_953040
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_953040:				; CODE XREF: VrpPreLoadKey(x,x)+25Ej
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		nop
		add	word ptr [ecx+13Ch], 1
		jnz	short loc_95306F
		nop
		lea	eax, [ecx+70h]
		cmp	[eax], eax
		jz	short loc_95306F
		cmp	[ecx+13Eh], bx
		jnz	short loc_95306F
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_95306F:				; CODE XREF: VrpPreLoadKey(x,x)+251j
					; VrpPreLoadKey(x,x)+27Ej ...
		test	esi, esi
		jns	short loc_9530CC
		cmp	esi, 0C0000503h
		jz	short loc_9530CC
		cmp	dword_6B2370, 2
		jbe	short loc_9530CC
		mov	[ebp+var_1D0], esi
		lea	eax, [ebp+var_1D0]
		mov	[ebp+var_130], eax
		mov	[ebp+var_12C], ebx
		mov	[ebp+var_128], 4
		mov	[ebp+var_124], ebx
		lea	eax, [ebp+var_150]
		push	eax
		push	3
		push	ebx
		lea	eax, [ebp+var_160]
		push	eax
		push	offset loc_41B1AB
		push	offset dword_6B2370
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9530CC:				; CODE XREF: VrpPreLoadKey(x,x)+298j
					; VrpPreLoadKey(x,x)+2A0j ...
		mov	ecx, [ebp+var_1B8]
		test	ecx, ecx
		jz	short loc_9530DB
		call	_VrpFreeKeyContext@4 ; VrpFreeKeyContext(x)

loc_9530DB:				; CODE XREF: VrpPreLoadKey(x,x)+2FBj
		cmp	[ebp+var_190], 0
		jz	short loc_9530F0
		push	ebx
		push	[ebp+var_190]
		call	ObCloseHandle

loc_9530F0:				; CODE XREF: VrpPreLoadKey(x,x)+309j
		cmp	[ebp+var_194], 0
		jz	short loc_953105
		push	ebx
		push	[ebp+var_194]
		call	ObCloseHandle

loc_953105:				; CODE XREF: VrpPreLoadKey(x,x)+31Ej
		cmp	[ebp+var_198], 0
		jz	short loc_95311A
		push	ebx
		push	[ebp+var_198]
		call	ObCloseHandle

loc_95311A:				; CODE XREF: VrpPreLoadKey(x,x)+333j
		cmp	[ebp+var_19C], 0
		jz	short loc_95312F
		push	ebx
		push	[ebp+var_19C]
		call	ObCloseHandle

loc_95312F:				; CODE XREF: VrpPreLoadKey(x,x)+348j
		cmp	[ebp+var_180], 0
		jz	short loc_953144
		push	ebx
		push	[ebp+var_180]
		call	ObCloseHandle

loc_953144:				; CODE XREF: VrpPreLoadKey(x,x)+35Dj
		mov	ecx, [ebp+var_1C4]
		test	ecx, ecx
		jz	short loc_953153
		call	ObfDereferenceObject

loc_953153:				; CODE XREF: VrpPreLoadKey(x,x)+373j
		cmp	[ebp+var_161], 1
		jnz	short loc_95316C
		push	67655256h
		push	[ebp+var_170]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95316C:				; CODE XREF: VrpPreLoadKey(x,x)+381j
		mov	eax, [ebp+var_178]
		test	eax, eax
		jz	short loc_953181
		push	67655256h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_953181:				; CODE XREF: VrpPreLoadKey(x,x)+39Bj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_953193:				; CODE XREF: VrpPreLoadKey(x,x)+239j
		push	1
		mov	eax, (offset loc_403A13+1)
		mov	[ebp+var_16C], eax
		push	eax
		lea	eax, [ebp+var_1A8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_9531D3
		push	1
		mov	eax, offset _VrpUserString
		mov	[ebp+var_16C], eax
		push	eax
		lea	eax, [ebp+var_1A8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	loc_952FB6

loc_9531D3:				; CODE XREF: VrpPreLoadKey(x,x)+3D6j
		mov	ecx, [ebp+var_1B4]
		mov	eax, [ebp+var_170]
		lea	eax, [eax+ecx*2]
		mov	[ebp+var_1AC], eax
		lea	eax, [ecx+ecx]
		sub	esi, eax
		mov	word ptr [ebp+var_1B0],	si
		mov	word ptr [ebp+var_1B0+2], si
		lea	ecx, [ebp+var_1B0]
		call	_VrpStripTrailingCharacters@8 ;	VrpStripTrailingCharacters(x,x)
		push	ecx
		call	_VrpIsCharInString@12 ;	VrpIsCharInString(x,x,x)
		test	al, al
		jnz	loc_952FB6
		push	ebx
		lea	edx, [ebp+var_188]
		mov	ecx, [ebp+var_168]
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_95372C
		add	[ebp+var_184], 2
		mov	eax, 0FFFCh
		mov	cx, word ptr [ebp+var_188]
		add	cx, ax
		mov	word ptr [ebp+var_188],	cx
		add	word ptr [ebp+var_188+2], ax
		mov	eax, [ebp+var_16C]
		mov	ax, [eax]
		add	cx, 28h
		add	ax, cx
		add	ax, word ptr [ebp+var_1B0]
		mov	word ptr [ebp+var_17C+2], ax
		push	67655256h
		movzx	eax, ax
		push	eax
		xor	esi, esi
		inc	esi
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_178], eax
		test	eax, eax
		jnz	short loc_953298
		mov	esi, 0C000009Ah
		jmp	loc_953738
; 

loc_953298:				; CODE XREF: VrpPreLoadKey(x,x)+4B3j
		push	(offset	loc_403A2B+1)
		lea	eax, [ebp+var_17C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	offset ??_C@_1O@KICFGMEB@?$AA?2?$AAS?$AAi?$AAl?$AAo?$AA_@NNGAKEGL@ ; "\\"
		lea	eax, [ebp+var_17C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_188]
		push	eax
		lea	eax, [ebp+var_17C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	offset ??_C@_13ENNFDPBH@?$AA_@NNGAKEGL@	; void *
		lea	eax, [ebp+var_17C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	[ebp+var_16C]
		lea	eax, [ebp+var_17C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	offset ??_C@_13ENNFDPBH@?$AA_@NNGAKEGL@	; void *
		lea	eax, [ebp+var_17C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_1B0]
		push	eax
		lea	eax, [ebp+var_17C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebp+var_168]
		lea	ecx, [ecx+10h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	[ebp+var_1C0], esi
		lea	eax, [ebp+var_18C]
		push	eax
		or	eax, 0FFFFFFFFh
		push	eax
		push	80000000h
		lea	eax, [ebp+var_17C]
		push	eax
		push	ebx
		lea	edx, [ebp+var_174]
		mov	ecx, [ebp+var_168]
		call	VrpCreateNamespaceNode
		mov	esi, eax
		test	esi, esi
		js	loc_95372C
		mov	edx, [ebp+var_18C]
		mov	ecx, [ebp+var_168]
		call	VrpAddNamespaceNodeToList
		mov	esi, eax
		test	esi, esi
		js	loc_95372C
		mov	ecx, [ebp+var_18C]
		call	_VrpCreateNamespaceNodePlaceholderKey@4	; VrpCreateNamespaceNodePlaceholderKey(x)
		mov	esi, eax
		test	esi, esi
		js	loc_95372C
		push	18h
		pop	ecx
		mov	[ebp+var_1E8], ecx
		mov	[ebp+var_1E4], ebx
		mov	edx, 240h
		mov	[ebp+var_1DC], edx
		mov	eax, [edi+8]
		mov	[ebp+var_1E0], eax
		mov	[ebp+var_1D8], ebx
		mov	[ebp+var_1D4], ebx
		mov	[ebp+var_200], ecx
		mov	[ebp+var_1FC], ebx
		mov	[ebp+var_1F4], edx
		lea	eax, [ebp+var_17C]
		mov	[ebp+var_1F8], eax
		mov	[ebp+var_1F0], ebx
		mov	[ebp+var_1EC], ebx
		mov	eax, [edi+10h]
		test	eax, eax
		jz	short loc_953420
		lea	ecx, [ebp+var_190]
		push	ecx
		push	ebx
		push	ds:_CmKeyObjectType
		push	ebx
		push	ebx
		push	200h
		push	eax
		call	ObOpenObjectByPointer
		mov	esi, eax
		test	esi, esi
		js	loc_95372C

loc_953420:				; CODE XREF: VrpPreLoadKey(x,x)+620j
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_95344D
		lea	ecx, [ebp+var_194]
		push	ecx
		push	ebx
		push	ds:_ExEventObjectType
		push	2
		push	ebx
		push	200h
		push	eax
		call	ObOpenObjectByPointer
		mov	esi, eax
		test	esi, esi
		js	loc_95372C

loc_95344D:				; CODE XREF: VrpPreLoadKey(x,x)+64Cj
		mov	eax, [ebp+var_1A0]
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_95347F
		lea	ecx, [ebp+var_198]
		push	ecx
		push	ebx
		push	ds:_CmKeyObjectType
		push	ebx
		push	ebx
		push	200h
		push	eax
		call	ObOpenObjectByPointer
		mov	esi, eax
		test	esi, esi
		js	loc_95372C

loc_95347F:				; CODE XREF: VrpPreLoadKey(x,x)+67Fj
		cmp	dword ptr [edi+28h], 2
		jnz	short loc_9534B1
		mov	eax, [edi+2Ch]
		test	eax, eax
		jz	short loc_9534B1
		lea	ecx, [ebp+var_19C]
		push	ecx
		push	ebx
		push	ds:_SeTokenObjectType
		push	ebx
		push	ebx
		push	200h
		push	eax
		call	ObOpenObjectByPointer
		mov	esi, eax
		test	esi, esi
		js	loc_95372C

loc_9534B1:				; CODE XREF: VrpPreLoadKey(x,x)+6AAj
					; VrpPreLoadKey(x,x)+6B1j
		push	ebx
		push	[ebp+var_19C]
		mov	eax, [ebp+var_1A0]
		movzx	eax, byte ptr [eax+8]
		push	eax
		push	[ebp+var_198]
		push	ebx
		mov	eax, [edi+1Ch]
		neg	eax
		sbb	eax, eax
		lea	ecx, [ebp+var_180]
		and	eax, ecx
		push	eax
		push	dword ptr [edi+18h]
		push	[ebp+var_194]
		push	[ebp+var_190]
		push	dword ptr [edi+0Ch]
		lea	edx, [ebp+var_1E8]
		lea	ecx, [ebp+var_200]
		call	CmLoadDifferencingKey
		mov	esi, eax
		test	esi, esi
		js	loc_95372C
		cmp	[edi+1Ch], ebx
		jz	loc_95362D
		cmp	[ebp+var_180], ebx
		jz	loc_9535FA
		mov	eax, ds:_CmKeyObjectType
		mov	ecx, [edi+18h]
		mov	[ebp+var_16C], ebx
		push	ebx
		lea	edx, [ebp+var_16C]
		push	edx
		push	ebx
		push	eax
		push	ecx
		push	[ebp+var_180]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [ebp+var_16C]
		mov	[ebp+var_1C4], ecx
		test	eax, eax
		js	loc_9535FA
		mov	ecx, [ebp+var_168]
		call	_VrpAllocateKeyContext@4 ; VrpAllocateKeyContext(x)
		mov	esi, eax
		mov	[ebp+var_1B8], esi
		test	esi, esi
		jz	loc_9535FA
		lea	ecx, [esi+10h]
		push	ecx
		lea	edx, [ebp+var_174]
		xor	ecx, ecx
		call	_VrpBuildKeyPath@12 ; VrpBuildKeyPath(x,x,x)
		test	eax, eax
		js	short loc_9535FA
		mov	dword ptr [esi+1Ch], 20000000h
		push	ebx
		push	esi
		push	offset _VrpCallbackCookie
		push	[ebp+var_16C]
		call	CmSetCallbackObjectContext
		test	eax, eax
		js	short loc_9535FA
		mov	[ebp+var_1B8], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_1A0],	al
		lea	eax, [ebp+var_1BC]
		push	eax
		push	[ebp+var_1A0]
		push	ds:_CmKeyObjectType
		push	dword ptr [edi+18h]
		push	ebx
		mov	eax, large fs:124h
		xor	ecx, ecx
		cmp	[eax+15Ah], cl
		setz	cl
		dec	ecx
		and	ecx, 0FFFFFE00h
		add	ecx, 240h
		push	ecx
		push	[ebp+var_16C]
		call	ObOpenObjectByPointer

loc_9535FA:				; CODE XREF: VrpPreLoadKey(x,x)+73Dj
					; VrpPreLoadKey(x,x)+775j ...
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [edi+1Ch]
		mov	eax, [ebp+var_1BC]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_95362D
; 

loc_953611:				; DATA XREF: .text:006A7A8Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_953615:				; DATA XREF: .text:006A7A90o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	eax, [ebp+var_1C8]
		mov	[ebp+var_168], eax

loc_95362D:				; CODE XREF: VrpPreLoadKey(x,x)+731j
					; VrpPreLoadKey(x,x)+836j
		mov	ecx, (offset loc_403A20+4)
		mov	esi, 0C0000503h
		cmp	dword_6B2370, 5
		jbe	loc_953724
		cmp	[ebp+var_170], 0
		lea	edx, [ebp+var_174]
		jnz	short loc_953655
		mov	edx, ecx

loc_953655:				; CODE XREF: VrpPreLoadKey(x,x)+878j
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_C0], eax
		mov	[ebp+var_BC], ebx
		mov	[ebp+var_B8], 2
		mov	[ebp+var_B4], ebx
		mov	eax, [edx+4]
		mov	[ebp+var_B0], eax
		mov	[ebp+var_AC], ebx
		movzx	eax, word ptr [edx]
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A4], ebx
		cmp	[ebp+var_178], 0
		jz	short loc_9536A4
		lea	ecx, [ebp+var_17C]

loc_9536A4:				; CODE XREF: VrpPreLoadKey(x,x)+8C3j
		lea	eax, [ebp+var_88]
		mov	[ebp+var_A0], eax
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_98], 2
		mov	[ebp+var_94], ebx
		mov	eax, [ecx+4]
		mov	[ebp+var_90], eax
		mov	[ebp+var_8C], ebx
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_88], eax
		mov	[ebp+var_84], ebx
		mov	[ebp+var_1CC], esi
		lea	eax, [ebp+var_1CC]
		mov	[ebp+var_80], eax
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_78], 4
		mov	[ebp+var_74], ebx
		lea	eax, [ebp+var_E0]
		push	eax
		push	7
		push	ebx
		lea	eax, [ebp+var_160]
		push	eax
		push	offset loc_41B4CE
		push	offset dword_6B2370
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	short loc_953724
; 

loc_953722:				; CODE XREF: VrpPreLoadKey(x,x)+214j
					; VrpPreLoadKey(x,x)+22Fj
		mov	esi, ebx

loc_953724:				; CODE XREF: VrpPreLoadKey(x,x)+865j
					; VrpPreLoadKey(x,x)+947j
		test	esi, esi
		jns	loc_95301A

loc_95372C:				; CODE XREF: VrpPreLoadKey(x,x)+10Cj
					; VrpPreLoadKey(x,x)+451j ...
		cmp	esi, 0C0000503h
		jz	loc_95301A

loc_953738:				; CODE XREF: VrpPreLoadKey(x,x)+1E2j
					; VrpPreLoadKey(x,x)+4BAj
		mov	eax, [ebp+var_18C]
		mov	edi, [ebp+var_168]
		test	eax, eax
		jz	loc_953020
		mov	edx, eax
		mov	ecx, edi
		call	VrpDestroyNamespaceNode
		jmp	loc_953020
_VrpPreLoadKey@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpPreQueryKeyName(x, x)
_VrpPreQueryKeyName@8 proc near		; CODE XREF: VrpRegistryCallback+18ED20p

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_60		= dword	ptr -60h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h

		push	88h
		push	offset dword_6A7A58
		call	__SEH_prolog4_GS
		mov	[ebp+var_88], ecx
		xor	eax, eax
		lea	edi, [ebp+var_80]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_80]
		push	eax
		push	3
		call	EtwActivityIdControl
		mov	edi, [ebp+var_88]
		mov	edx, [edi+14h]
		mov	[ebp+var_8C], edx
		mov	[ebp+var_98], edx
		push	2
		pop	ebx
		cmp	dword_6B2370, ebx
		jbe	short loc_9537F5
		xor	esi, esi
		cmp	[edx+14h], esi
		lea	eax, [edx+10h]
		jnz	short loc_9537B2
		mov	eax, (offset loc_403A20+4)

loc_9537B2:				; CODE XREF: VrpPreQueryKeyName(x,x)+51j
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		lea	edx, [ebp+var_28]
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], esi
		lea	eax, [ebp+var_60]
		push	eax
		push	4
		push	esi
		lea	eax, [ebp+var_80]
		push	eax
		push	offset loc_41B3F2
		push	offset dword_6B2370
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	edx, [ebp+var_8C]
		jmp	short loc_9537F7
; 

loc_9537F5:				; CODE XREF: VrpPreQueryKeyName(x,x)+47j
		xor	esi, esi

loc_9537F7:				; CODE XREF: VrpPreQueryKeyName(x,x)+99j
		lea	ebx, [edx+10h]
		mov	[ebp+var_84], ebx
		mov	[ebp+var_88], ebx
		movzx	ecx, word ptr [ebx]
		add	ecx, 0Ah
		mov	eax, [edi+0Ch]
		mov	[eax], ecx
		cmp	[edi+8], ecx
		jnb	loc_9538A1
		mov	edi, 0C0000004h
		mov	ecx, ebx

loc_953821:				; CODE XREF: VrpPreQueryKeyName(x,x)+1E1j
					; VrpPreQueryKeyName(x,x)+1EDj
		cmp	dword_6B2370, 5
		jbe	short loc_95388F
		cmp	[edx+14h], esi
		jnz	short loc_953834
		mov	ecx, (offset loc_403A20+4)

loc_953834:				; CODE XREF: VrpPreQueryKeyName(x,x)+D3j
		lea	eax, [ebp+var_38]
		mov	[ebp+var_50], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_40], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_70]
		push	eax
		push	5
		push	esi
		lea	eax, [ebp+var_80]
		push	eax
		push	offset loc_41B293

loc_95385F:				; CODE XREF: VrpPreQueryKeyName(x,x)+235j
		push	offset dword_6B2370
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], 2
		mov	[ebp+var_44], esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_84], edi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], 4
		mov	[ebp+var_24], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_95388F:				; CODE XREF: VrpPreQueryKeyName(x,x)+CEj
					; VrpPreQueryKeyName(x,x)+1FAj
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9538A1:				; CODE XREF: VrpPreQueryKeyName(x,x)+BAj
		mov	ecx, [edi+4]
		add	ecx, 8
		mov	[ebp+var_90], ecx
		mov	[ebp+ms_exc.disabled], esi
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [edx+14h] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		movzx	eax, word ptr [ebx]
		shr	eax, 1
		xor	ecx, ecx
		mov	edx, [ebp+var_90]
		mov	[edx+eax*2], cx
		mov	ecx, [edi+4]
		mov	ax, [ebx]
		mov	[ecx], ax
		mov	ecx, [edi+4]
		mov	ax, [ebx]
		mov	[ecx+2], ax
		mov	eax, [edi+4]
		mov	[eax+4], edx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, 0C0000503h
		mov	edx, [ebp+var_8C]
		mov	ecx, ebx
		jmp	short loc_953935
; 

loc_953900:				; DATA XREF: .text:006A7A6Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_94], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_953911:				; DATA XREF: .text:006A7A70o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_94]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	esi, esi
		mov	edx, [ebp+var_98]
		mov	ebx, [ebp+var_84]
		mov	ecx, [ebp+var_88]

loc_953935:				; CODE XREF: VrpPreQueryKeyName(x,x)+1A4j
		cmp	edi, 0C0000503h
		jz	loc_953821
		cmp	edi, 0C0000004h
		jz	loc_953821
		cmp	dword_6B2370, 2
		jbe	loc_95388F
		cmp	[edx+14h], esi
		jnz	short loc_953964
		mov	ebx, (offset loc_403A20+4)

loc_953964:				; CODE XREF: VrpPreQueryKeyName(x,x)+203j
		lea	eax, [ebp+var_38]
		mov	[ebp+var_50], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_40], eax
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_70]
		push	eax
		push	5
		push	esi
		lea	eax, [ebp+var_80]
		push	eax
		push	offset byte_41B16D
		jmp	loc_95385F
_VrpPreQueryKeyName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpPreUnloadKey(x, x)
_VrpPreUnloadKey@8 proc	near		; CODE XREF: VrpRegistryCallback+18ED3Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		push	ebx
		push	esi
		mov	[ebp+var_4], eax
		mov	esi, [eax+0Ch]
		mov	eax, large fs:124h
		push	edi
		mov	edi, edx
		dec	word ptr [eax+13Ch]
		nop
		lea	ebx, [edi+10h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		lea	edx, [esi+10h]
		call	_VrpFindExactNamespaceNode@12 ;	VrpFindExactNamespaceNode(x,x,x)
		test	eax, eax
		jnz	short loc_953A00
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9539E9
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9539E9:				; CODE XREF: VrpPreUnloadKey(x,x)+4Cj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax
		jmp	short loc_953A3D
; 

loc_953A00:				; CODE XREF: VrpPreUnloadKey(x,x)+3Fj
		xor	esi, esi
		cmp	[eax+1Ch], esi
		jl	short loc_953A35
		mov	esi, 0C0000022h
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_953A20
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_953A20:				; CODE XREF: VrpPreUnloadKey(x,x)+83j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	short loc_953A3B
; 

loc_953A35:				; CODE XREF: VrpPreUnloadKey(x,x)+71j
		mov	ecx, [ebp+var_4]
		mov	[ecx+8], eax

loc_953A3B:				; CODE XREF: VrpPreUnloadKey(x,x)+9Fj
		mov	eax, esi

loc_953A3D:				; CODE XREF: VrpPreUnloadKey(x,x)+6Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VrpPreUnloadKey@8 endp


;  S U B	R O U T	I N E 


; __stdcall VrpDecrementDiffHiveEntryHardRefCount(x)
_VrpDecrementDiffHiveEntryHardRefCount@4 proc near
					; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+2B2p
		mov	edi, edi
		push	esi
		mov	esi, [ecx+10h]
		sub	esi, 1
		mov	[ecx+10h], esi
		jnz	short loc_953A55
		call	VrpDereferenceDiffHiveEntryUnsafe

loc_953A55:				; CODE XREF: VrpDecrementDiffHiveEntryHardRefCount(x)+Cj
		xor	eax, eax
		cmp	eax, esi
		pop	esi
		sbb	al, al
		inc	al
		retn
_VrpDecrementDiffHiveEntryHardRefCount@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VrpWaitForDiffHiveEntryTransitionOwnerToLeave(x)
_VrpWaitForDiffHiveEntryTransitionOwnerToLeave@4 proc near
					; CODE XREF: VrpLoadDifferencingHive(x,x,x,x,x,x,x,x)+19Bp

var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	7
		mov	ebx, ecx
		lea	edi, [ebp+var_1C]
		pop	ecx
		xor	eax, eax
		xor	esi, esi
		rep stosd
		mov	eax, large fs:124h
		push	esi
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_10]
		push	1
		push	eax
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	ecx, [ebx+18h]
		lea	edx, [ebp+var_1C]
		call	RtlInsertHeadCircularList
		lea	edi, [ebx+0Ch]
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_953ABB
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_953ABB:				; CODE XREF: VrpWaitForDiffHiveEntryTransitionOwnerToLeave(x)+53j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		add	ebx, 14h
		xor	edx, edx
		push	esi
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	esi, eax
		test	esi, esi
		jz	short loc_953AE8
		mov	ecx, esi
		call	_KeAbPreWait@4	; KeAbPreWait(x)

loc_953AE8:				; CODE XREF: VrpWaitForDiffHiveEntryTransitionOwnerToLeave(x)+80j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	KeWaitForSingleObject
		test	esi, esi
		jz	short loc_953B0F
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	edx, esi
		mov	ecx, ebx
		call	KeAbPostReleaseEx

loc_953B0F:				; CODE XREF: VrpWaitForDiffHiveEntryTransitionOwnerToLeave(x)+9Aj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VrpWaitForDiffHiveEntryTransitionOwnerToLeave@4 endp


;  S U B	R O U T	I N E 


; __stdcall VrpIsCharInString(x, x, x)
_VrpIsCharInString@12 proc near		; CODE XREF: VrpPreLoadKey(x,x)+42Ep
		movzx	edx, word ptr [ecx]
		xor	eax, eax
		push	esi
		test	edx, edx
		jz	short loc_953B49
		mov	esi, [ecx+4]
		mov	ecx, eax

loc_953B3A:				; CODE XREF: VrpIsCharInString(x,x,x)+1Cj
		cmp	word ptr [ecx+esi], 5Ch
		jz	short loc_953B4F
		inc	eax
		lea	ecx, [eax+eax]
		cmp	ecx, edx
		jb	short loc_953B3A

loc_953B49:				; CODE XREF: VrpIsCharInString(x,x,x)+8j
		xor	al, al

loc_953B4B:				; CODE XREF: VrpIsCharInString(x,x,x)+26j
		pop	esi
		retn	4
; 

loc_953B4F:				; CODE XREF: VrpIsCharInString(x,x,x)+14j
		mov	al, 1
		jmp	short loc_953B4B
_VrpIsCharInString@12 endp


;  S U B	R O U T	I N E 


; __stdcall DbgkCleanupServerSiloState(x)
_DbgkCleanupServerSiloState@4 proc near	; CODE XREF: PspDeleteServerSiloGlobals(x)+Dp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_953B6D
		mov	edx, 6B676244h
		call	ObfDereferenceObjectWithTag
		and	dword ptr [esi+0Ch], 0

loc_953B6D:				; CODE XREF: DbgkCleanupServerSiloState(x)+Aj
		pop	esi
		retn
_DbgkCleanupServerSiloState@4 endp


;  S U B	R O U T	I N E 


; __stdcall DbgkInitializeServerSilo(x)
_DbgkInitializeServerSilo@4 proc near	; CODE XREF: PspInitializeServerSiloDeferred(x)+A9p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		push	esi
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	ecx, esi
		mov	edi, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		and	dword ptr [eax+238h], 0
		lea	ecx, [eax+238h]
		call	_DbgkpInitializePhase1SiloState@4 ; DbgkpInitializePhase1SiloState(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_953B9E
		xor	esi, esi

loc_953B9E:				; CODE XREF: DbgkInitializeServerSilo(x)+2Bj
		push	edi
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_DbgkInitializeServerSilo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkOpenProcessDebugPort(x,	x, x)
_DbgkOpenProcessDebugPort@12 proc near	; CODE XREF: PAGE:0083C182p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	[ebp+var_4], esi
		mov	edi, 0C0000353h
		cmp	dword ptr [esi+190h], 0
		jz	short loc_953C3E
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		call	ExAcquireFastMutex
		mov	esi, [esi+190h]
		test	esi, esi
		jz	short loc_953BE2
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_953BE2:				; CODE XREF: DbgkOpenProcessDebugPort(x,x,x)+30j
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	esi, esi
		jz	short loc_953C3E
		mov	eax, large fs:124h
		mov	cl, bl
		push	[ebp+var_4]
		mov	edx, [eax+80h]
		call	_DbgkpValidateDebugTarget@12 ; DbgkpValidateDebugTarget(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_953C37
		test	bl, bl
		jz	short loc_953C14
		xor	eax, eax
		jmp	short loc_953C19
; 

loc_953C14:				; CODE XREF: DbgkOpenProcessDebugPort(x,x,x)+65j
		mov	eax, 200h

loc_953C19:				; CODE XREF: DbgkOpenProcessDebugPort(x,x,x)+69j
		push	[ebp+arg_0]
		push	ebx
		push	ds:_DbgkDebugObjectType
		push	2000000h
		push	0
		push	eax
		push	esi
		call	ObOpenObjectByPointer
		mov	edi, eax
		test	edi, edi
		jns	short loc_953C3E

loc_953C37:				; CODE XREF: DbgkOpenProcessDebugPort(x,x,x)+61j
		mov	ecx, esi
		call	ObfDereferenceObject

loc_953C3E:				; CODE XREF: DbgkOpenProcessDebugPort(x,x,x)+1Cj
					; DbgkOpenProcessDebugPort(x,x,x)+45j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_DbgkOpenProcessDebugPort@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkSendSystemDllMessages(x, x, x)
_DbgkSendSystemDllMessages@12 proc near	; CODE XREF: DbgkCreateThread+169ACBp
					; DbgkpPostFakeThreadMessages(x,x,x,x,x)+34Bp

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	6Ch
		push	offset dword_6A7B40
		call	__SEH_prolog4_GS
		mov	esi, ecx
		mov	[ebp+var_44], esi
		mov	[ebp+var_5C], edx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_54], eax
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_38]
		rep stosd
		xor	ebx, ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		push	6
		pop	ecx
		lea	edi, [ebp+var_7C]
		rep stosd
		mov	[ebp+var_40], ebx
		test	esi, esi
		jnz	short loc_953C90
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		jmp	short loc_953C98
; 

loc_953C90:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+39j
		mov	eax, esi
		mov	eax, [eax+150h]

loc_953C98:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+47j
		mov	[ebp+var_48], eax
		mov	esi, [ebp+var_54]
		add	esi, 20h
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], ebx

loc_953CA7:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+224j
		mov	edx, [ebp+var_4C]
		cmp	edx, 6
		jge	loc_953E70
		mov	ecx, edx
		call	_PsQuerySystemDllInfo@4	; PsQuerySystemDllInfo(x)
		mov	ecx, eax
		mov	[ebp+var_58], ecx
		test	ecx, ecx
		jz	loc_953E68
		test	edx, edx
		jle	short loc_953CD5
		cmp	[ecx+2], bx
		jz	loc_953E68

loc_953CD5:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+82j
		xor	eax, eax
		mov	edi, esi
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_40], ebx
		mov	edi, [ecx+0Ch]
		mov	[esi+4], edi
		cmp	[ebp+var_44], 0
		jz	short loc_953D07
		cmp	[ebp+var_4C], 0
		jz	short loc_953D07
		mov	[ebp+var_39], 1
		lea	eax, [ebp+var_38]
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+var_48]
		call	KiStackAttachProcess
		jmp	short loc_953D0A
; 

loc_953D07:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+A4j
					; DbgkSendSystemDllMessages(x,x,x)+AAj
		mov	[ebp+var_39], bl

loc_953D0A:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+BEj
		mov	[ebp+ms_exc.disabled], ebx
		push	edi
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	short loc_953D23
		mov	ecx, [eax+0Ch]
		mov	[esi+8], ecx
		mov	eax, [eax+10h]
		mov	[esi+0Ch], eax

loc_953D23:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+CEj
		cmp	[ebp+var_44], 0
		jnz	short loc_953D90
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jnz	short loc_953D4C
		cmp	byte ptr [eax+16Ah], 1
		jz	short loc_953D4C
		mov	eax, [eax+0A8h]
		mov	[ebp+var_40], eax
		jmp	short loc_953D4F
; 

loc_953D4C:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+EFj
					; DbgkSendSystemDllMessages(x,x,x)+F8j
		mov	[ebp+var_40], ebx

loc_953D4F:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+103j
		mov	edi, [ebp+var_40]
		test	edi, edi
		jz	short loc_953D90
		lea	esi, [edi+0C00h]
		mov	eax, [ebp+var_58]
		push	dword ptr [eax+14h]
		mov	edx, 20Ah
		mov	ecx, esi
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		lea	eax, [edi+14h]
		mov	[eax], esi
		mov	esi, [ebp+var_50]
		mov	[esi+10h], eax
		jmp	short loc_953D90
; 

loc_953D7B:				; DATA XREF: .text:006A7B54o
		xor	eax, eax
		inc	eax
		retn
; 

loc_953D7F:				; DATA XREF: .text:006A7B58o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	ebx, ebx
		mov	esi, [ebp+var_50]
		mov	[esi+8], ebx
		mov	[esi+0Ch], ebx
		mov	[esi+10h], ebx

loc_953D90:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+E0j
					; DbgkSendSystemDllMessages(x,x,x)+10Dj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_39], 0
		jz	short loc_953DA7
		xor	edx, edx
		lea	ecx, [ebp+var_38]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_953DA7:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+154j
		mov	eax, [ebp+var_58]
		add	eax, 4
		mov	[ebp+var_7C], 18h
		mov	[ebp+var_78], ebx
		mov	[ebp+var_70], 640h
		mov	[ebp+var_74], eax
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_68], ebx
		push	20h
		push	7
		lea	eax, [ebp+var_64]
		push	eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	80100000h
		push	esi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_953DE4
		mov	[esi], ebx

loc_953DE4:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+199j
		mov	eax, [ebp+var_54]
		mov	dword ptr [eax], 34001Ch
		mov	dword ptr [eax+4], 8
		mov	dword ptr [eax+18h], 5
		mov	ecx, [ebp+var_48]
		cmp	[ebp+var_44], 0
		jnz	short loc_953E49
		push	eax
		push	3
		pop	edx
		call	_DbgkpSendApiMessage@12	; DbgkpSendApiMessage(x,x,x)
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_953E1A
		push	ebx
		push	eax
		call	ObCloseHandle

loc_953E1A:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+1CAj
		mov	[ebp+ms_exc.disabled], 1
		mov	edi, [ebp+var_40]
		test	edi, edi
		jz	short loc_953E2B
		mov	[edi+14h], ebx

loc_953E2B:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+1DFj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_953E68
; 

loc_953E34:				; DATA XREF: .text:006A7B60o
		xor	eax, eax
		inc	eax
		retn
; 

loc_953E38:				; DATA XREF: .text:006A7B64o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_50]
		jmp	short loc_953E68
; 

loc_953E49:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+1BBj
		push	[ebp+var_5C]
		push	2
		push	eax
		mov	edx, [ebp+var_44]
		call	_DbgkpQueueMessage@20 ;	DbgkpQueueMessage(x,x,x,x,x)
		test	eax, eax
		jns	short loc_953E68
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_953E68
		push	ebx
		push	eax
		call	ObCloseHandle

loc_953E68:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+7Aj
					; DbgkSendSystemDllMessages(x,x,x)+88j	...
		inc	[ebp+var_4C]
		jmp	loc_953CA7
; 

loc_953E70:				; CODE XREF: DbgkSendSystemDllMessages(x,x,x)+66j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_DbgkSendSystemDllMessages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpCloseObject(x,	x, x, x)
_DbgkpCloseObject@16 proc near		; DATA XREF: DbgkpInitializePhase0()+9Ao

var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		cmp	[ebp+arg_C], 1
		push	ebx
		push	esi
		push	edi
		ja	loc_953F79
		mov	ebx, [ebp+arg_4]
		lea	ecx, [ebx+10h]
		call	ExAcquireFastMutex
		or	dword ptr [ebx+38h], 1
		lea	eax, [ebx+30h]
		mov	edi, [eax]
		lea	ecx, [ebx+10h]
		mov	[esp+18h+var_4], eax
		mov	[eax+4], eax
		mov	[eax], eax
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		push	0
		push	0
		push	ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, [ebx+38h]
		xor	ecx, ecx
		and	eax, 2
		mov	[esp+18h+var_8], eax
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_953F5F
		cmp	[esp+18h+var_8], 0
		setz	al
		dec	al
		and	al, 2
		mov	[esp+18h+var_9], al

loc_953EF0:				; CODE XREF: DbgkpCloseObject(x,x,x,x)+DBj
		cmp	[esi+190h], ebx
		jnz	short loc_953F4E
		and	al, 0FEh
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		mov	[esp+18h+var_9], al
		call	ExAcquireFastMutex
		cmp	[esi+190h], ebx
		jnz	short loc_953F1C
		and	dword ptr [esi+190h], 0
		or	[esp+18h+var_9], 1

loc_953F1C:				; CODE XREF: DbgkpCloseObject(x,x,x,x)+8Cj
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	[esp+18h+var_9], 1
		jz	short loc_953F4E
		mov	ecx, esi
		call	_DbgkpMarkProcessPeb@4 ; DbgkpMarkProcessPeb(x)
		test	[esp+18h+var_9], 2
		jz	short loc_953F47
		mov	edx, 0C0000354h
		mov	ecx, esi
		call	_PsTerminateProcess@8 ;	PsTerminateProcess(x,x)

loc_953F47:				; CODE XREF: DbgkpCloseObject(x,x,x,x)+B7j
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_953F4E:				; CODE XREF: DbgkpCloseObject(x,x,x,x)+74j
					; DbgkpCloseObject(x,x,x,x)+A9j
		mov	ecx, esi
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		mov	al, [esp+18h+var_9]
		test	esi, esi
		jnz	short loc_953EF0

loc_953F5F:				; CODE XREF: DbgkpCloseObject(x,x,x,x)+5Cj
		mov	esi, [esp+18h+var_4]
		jmp	short loc_953F75
; 

loc_953F65:				; CODE XREF: DbgkpCloseObject(x,x,x,x)+F5j
		mov	ecx, edi
		mov	edi, [edi]
		mov	dword ptr [ecx+28h], 0C0000354h
		call	_DbgkpWakeTarget@4 ; DbgkpWakeTarget(x)

loc_953F75:				; CODE XREF: DbgkpCloseObject(x,x,x,x)+E1j
		cmp	edi, esi
		jnz	short loc_953F65

loc_953F79:				; CODE XREF: DbgkpCloseObject(x,x,x,x)+12j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_DbgkpCloseObject@16 endp


;  S U B	R O U T	I N E 


; __stdcall DbgkpConvertKernelToUserStateChange(x, x)
_DbgkpConvertKernelToUserStateChange@8 proc near
					; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+1BBp
		mov	eax, [edx+18h]
		mov	[ecx+4], eax
		mov	eax, [edx+1Ch]
		mov	[ecx+8], eax
		mov	eax, [edx+50h]
		push	esi
		push	edi
		sub	eax, 0
		jz	loc_95401E
		sub	eax, 1
		jz	short loc_95400A
		sub	eax, 1
		jz	short loc_953FF3
		sub	eax, 1
		jz	short loc_953FE5
		sub	eax, 1
		jz	short loc_953FDD
		sub	eax, 1
		jz	short loc_953FC6
		sub	eax, 1
		jnz	loc_95404F
		mov	dword ptr [ecx], 0Ah
		jmp	short loc_953FEB
; 

loc_953FC6:				; CODE XREF: DbgkpConvertKernelToUserStateChange(x,x)+31j
		mov	dword ptr [ecx], 9
		lea	edi, [ecx+0Ch]
		push	5
		pop	ecx
		lea	esi, [edx+58h]
		rep movsd
		and	dword ptr [edx+58h], 0
		jmp	short loc_95404F
; 

loc_953FDD:				; CODE XREF: DbgkpConvertKernelToUserStateChange(x,x)+2Cj
		mov	dword ptr [ecx], 5
		jmp	short loc_953FEB
; 

loc_953FE5:				; CODE XREF: DbgkpConvertKernelToUserStateChange(x,x)+27j
		mov	dword ptr [ecx], 4

loc_953FEB:				; CODE XREF: DbgkpConvertKernelToUserStateChange(x,x)+42j
					; DbgkpConvertKernelToUserStateChange(x,x)+61j
		mov	eax, [edx+58h]
		mov	[ecx+0Ch], eax
		jmp	short loc_95404F
; 

loc_953FF3:				; CODE XREF: DbgkpConvertKernelToUserStateChange(x,x)+22j
		mov	dword ptr [ecx], 3
		lea	edi, [ecx+14h]
		push	7
		lea	esi, [edx+58h]
		pop	ecx
		rep movsd
		and	dword ptr [edx+5Ch], 0
		jmp	short loc_95404F
; 

loc_95400A:				; CODE XREF: DbgkpConvertKernelToUserStateChange(x,x)+1Dj
		mov	dword ptr [ecx], 2
		mov	eax, [edx+58h]
		mov	[ecx+10h], eax
		mov	eax, [edx+5Ch]
		mov	[ecx+14h], eax
		jmp	short loc_95404F
; 

loc_95401E:				; CODE XREF: DbgkpConvertKernelToUserStateChange(x,x)+14j
		lea	esi, [edx+58h]
		mov	edx, [esi]
		cmp	edx, 80000003h
		jz	short loc_954041
		xor	eax, eax
		cmp	edx, 80000004h
		setz	al
		lea	eax, ds:6[eax*2]
		mov	[ecx], eax
		jmp	short loc_954047
; 

loc_954041:				; CODE XREF: DbgkpConvertKernelToUserStateChange(x,x)+A7j
		mov	dword ptr [ecx], 7

loc_954047:				; CODE XREF: DbgkpConvertKernelToUserStateChange(x,x)+BDj
		lea	edi, [ecx+0Ch]
		push	15h
		pop	ecx
		rep movsd

loc_95404F:				; CODE XREF: DbgkpConvertKernelToUserStateChange(x,x)+36j
					; DbgkpConvertKernelToUserStateChange(x,x)+59j	...
		pop	edi
		pop	esi
		retn
_DbgkpConvertKernelToUserStateChange@8 endp


;  S U B	R O U T	I N E 


; __stdcall DbgkpFreeDebugEvent(x)
_DbgkpFreeDebugEvent@4 proc near	; CODE XREF: DbgkpWakeTarget(x)+45j
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+50h]
		dec	eax
		sub	eax, 1
		jz	short loc_95406A
		sub	eax, 3
		jnz	short loc_954079
		mov	eax, [esi+58h]
		jmp	short loc_95406D
; 

loc_95406A:				; CODE XREF: DbgkpFreeDebugEvent(x)+Cj
		mov	eax, [esi+5Ch]

loc_95406D:				; CODE XREF: DbgkpFreeDebugEvent(x)+16j
		test	eax, eax
		jz	short loc_954079
		push	0
		push	eax
		call	ObCloseHandle

loc_954079:				; CODE XREF: DbgkpFreeDebugEvent(x)+11j
					; DbgkpFreeDebugEvent(x)+1Dj
		mov	ecx, [esi+20h]
		mov	edx, 4F676244h
		call	ObfDereferenceObjectWithTag
		mov	ecx, [esi+24h]
		mov	edx, 4F676244h
		call	ObfDereferenceObjectWithTag
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
_DbgkpFreeDebugEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpMarkProcessPeb(x)
_DbgkpMarkProcessPeb@4 proc near	; CODE XREF: DbgkClearProcessDebugObject+56p
					; DbgkCopyProcessDebugPort+14AA38p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h

		push	28h
		push	offset dword_6A7B90
		call	__SEH_prolog4_GS
		mov	esi, ecx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		lea	ecx, [esi+0F0h]
		mov	[ebp+var_38], ecx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_954129
		xor	edi, edi
		cmp	[esi+17Ch], edi
		jz	short loc_954121
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		call	ExAcquireFastMutex
		mov	[ebp+ms_exc.disabled], edi
		cmp	[esi+190h], edi
		setnz	cl
		mov	eax, [esi+17Ch]
		mov	[eax+2], cl
		jmp	short loc_954106
; 

loc_9540FF:				; DATA XREF: .text:006A7BA4o
		xor	eax, eax
		inc	eax
		retn
; 

loc_954103:				; DATA XREF: .text:006A7BA8o
		mov	esp, [ebp+ms_exc.old_esp]

loc_954106:				; CODE XREF: DbgkpMarkProcessPeb(x)+60j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_954121:				; CODE XREF: DbgkpMarkProcessPeb(x)+32j
		mov	ecx, [ebp+var_38]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_954129:				; CODE XREF: DbgkpMarkProcessPeb(x)+28j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_DbgkpMarkProcessPeb@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpOpenHandles(x,	x, x)
_DbgkpOpenHandles@12 proc near		; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+267p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+10h+var_4], edx
		mov	eax, [edi]
		dec	eax
		sub	eax, 1
		jz	loc_9541EB
		sub	eax, 1
		jz	short loc_954176
		sub	eax, 6
		jnz	loc_95420D
		lea	ebx, [edi+0Ch]
		mov	edi, [ebx]
		test	edi, edi
		jz	loc_95420D
		xor	esi, esi
		jmp	short loc_9541C2
; 

loc_954176:				; CODE XREF: DbgkpOpenHandles(x,x,x)+21j
		lea	ebx, [edi+10h]
		xor	esi, esi
		push	ebx
		push	esi
		push	ds:_PsThreadType
		push	12007Bh
		push	esi
		push	esi
		push	[ebp+arg_0]
		call	ObOpenObjectByPointer
		test	eax, eax
		jns	short loc_954198
		mov	[ebx], esi

loc_954198:				; CODE XREF: DbgkpOpenHandles(x,x,x)+5Bj
		lea	ebx, [edi+0Ch]
		push	ebx
		push	esi
		push	ds:_PsProcessType
		push	12067Bh
		push	esi
		push	esi
		push	[esp+28h+var_4]
		call	ObOpenObjectByPointer
		test	eax, eax
		jns	short loc_9541B9
		mov	[ebx], esi

loc_9541B9:				; CODE XREF: DbgkpOpenHandles(x,x,x)+7Cj
		lea	ebx, [edi+18h]
		mov	edi, [ebx]
		test	edi, edi
		jz	short loc_95420D

loc_9541C2:				; CODE XREF: DbgkpOpenHandles(x,x,x)+3Bj
		mov	eax, large fs:124h
		push	esi
		push	2
		push	esi
		mov	eax, [eax+80h]
		push	esi
		push	ebx
		push	eax
		push	edi
		push	eax
		call	ObDuplicateObject
		test	eax, eax
		jns	short loc_9541E2
		mov	[ebx], esi

loc_9541E2:				; CODE XREF: DbgkpOpenHandles(x,x,x)+A5j
		push	esi
		push	edi
		call	ObCloseHandle
		jmp	short loc_95420D
; 

loc_9541EB:				; CODE XREF: DbgkpOpenHandles(x,x,x)+18j
		add	edi, 0Ch
		xor	esi, esi
		push	edi
		push	esi
		push	ds:_PsThreadType
		push	12007Bh
		push	esi
		push	esi
		push	[ebp+arg_0]
		call	ObOpenObjectByPointer
		test	eax, eax
		jns	short loc_95420D
		mov	[edi], esi

loc_95420D:				; CODE XREF: DbgkpOpenHandles(x,x,x)+26j
					; DbgkpOpenHandles(x,x,x)+33j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_DbgkpOpenHandles@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpPostFakeProcessCreateMessages(x, x, x)
_DbgkpPostFakeProcessCreateMessages@12 proc near ; CODE	XREF: NtDebugActiveProcess(x,x)+C6p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		push	6
		mov	[ebp+var_2C], ecx
		lea	edi, [ebp+var_20]
		pop	ecx
		rep stosd
		mov	edi, [ebp+var_2C]
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_30], edx
		xor	esi, esi
		mov	ecx, edi
		push	eax
		push	esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_28], esi
		call	_DbgkpPostFakeThreadMessages@20	; DbgkpPostFakeThreadMessages(x,x,x,x,x)
		test	eax, eax
		js	short loc_954293
		lea	eax, [ebp+var_20]
		xor	edx, edx
		push	eax
		mov	ecx, edi
		call	KiStackAttachProcess
		push	[ebp+var_30]
		mov	edx, [ebp+var_24]
		mov	ecx, edi
		call	_DbgkpPostModuleMessages@12 ; DbgkpPostModuleMessages(x,x,x)
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [ebp+var_24]
		mov	edx, 4F676244h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		mov	esi, [ebp+var_28]

loc_954293:				; CODE XREF: DbgkpPostFakeProcessCreateMessages(x,x,x)+45j
		mov	ecx, [ebp+var_8]
		pop	edi
		mov	[ebx], esi
		xor	ecx, ebp
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_DbgkpPostFakeProcessCreateMessages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpPostFakeThreadMessages(x, x, x, x, x)
_DbgkpPostFakeThreadMessages@20	proc near
					; CODE XREF: DbgkpPostFakeProcessCreateMessages(x,x,x)+3Ep
					; DbgkpSetProcessDebugObject(x,x,x,x)+B8p

var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E6		= byte ptr -0E6h
var_E5		= byte ptr -0E5h
var_E4		= dword	ptr -0E4h
var_CC		= dword	ptr -0CCh
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_38		= dword	ptr -38h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	104h
		push	offset dword_6A7B20
		call	__SEH_prolog4_GS
		mov	eax, ecx
		mov	[ebp+var_F0], eax
		mov	[ebp+var_10C], eax
		mov	[ebp+var_F8], edx
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_EC], esi
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_110], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_114], eax
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_38]
		rep stosd
		push	0A8h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		lea	eax, [ebp+var_E4]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_F4], ebx
		mov	edi, ebx
		mov	eax, large fs:124h
		mov	[ebp+var_104], eax
		mov	[ebp+var_100], 0C0000001h
		test	esi, esi
		jz	short loc_95433B
		mov	[ebp+var_F4], esi
		mov	edx, 4F676244h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		jmp	short loc_95434A
; 

loc_95433B:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+7Fj
		push	ebx
		mov	eax, [ebp+var_F0]
		push	eax
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	esi, eax

loc_95434A:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+93j
		cmp	[ebp+var_EC], ebx
		setz	[ebp+var_E6]

loc_954357:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+35Ej
		mov	[ebp+var_FC], esi
		test	esi, esi
		jz	loc_95458D
		test	edi, edi
		jz	short loc_954375
		mov	edx, 4F676244h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_954375:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+C1j
		mov	edi, esi
		mov	[ebp+var_108], edi
		mov	edx, 4F676244h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		test	dword ptr [esi+58h], 400h
		jnz	loc_9545F6
		test	byte ptr [esi+2FCh], 2
		jnz	short loc_9543B9
		mov	edx, [ebp+var_104]
		mov	ecx, esi
		call	@PsSynchronizeWithThreadInsertion@8 ; PsSynchronizeWithThreadInsertion(x,x)
		test	byte ptr [esi+2FCh], 2
		jz	loc_9545F6

loc_9543B9:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+F7j
		lea	ecx, [esi+2ECh]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_9543E9
		mov	[ebp+var_EC], 0Ah
		push	ebx
		push	esi
		call	PsSuspendThread
		test	eax, eax
		js	short loc_9543F3
		mov	[ebp+var_EC], 2Ah
		jmp	short loc_9543F3
; 

loc_9543E9:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+120j
		mov	[ebp+var_EC], 12h

loc_9543F3:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+135j
					; DbgkpPostFakeThreadMessages(x,x,x,x,x)+141j
		push	0A8h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_E4]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+var_E6], 0
		jz	loc_9544F2
		test	byte ptr [ebp+var_EC], 10h
		jnz	loc_9544F2
		mov	[ebp+var_E5], 1
		mov	[ebp+var_CC], 2
		mov	ecx, [ebp+var_F0]
		mov	eax, [ecx+15Ch]
		test	eax, eax
		jz	short loc_954458
		mov	ecx, eax
		call	_DbgkpSectionToFileHandle@4 ; DbgkpSectionToFileHandle(x)
		mov	[ebp+var_C0], eax
		mov	ecx, [ebp+var_F0]
		jmp	short loc_95445E
; 

loc_954458:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+19Bj
		mov	[ebp+var_C0], ebx

loc_95445E:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+1B0j
		mov	eax, [ecx+160h]
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	ecx
		call	KeStackAttachProcess
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+var_F0]
		push	dword ptr [eax+160h]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	short loc_9544A4
		mov	[ebp+var_AC], ebx
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_B8], ecx
		mov	eax, [eax+10h]
		mov	[ebp+var_B4], eax

loc_9544A4:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+1E4j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9544E7
; 

loc_9544AD:				; DATA XREF: .text:006A7B34o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9544B1:				; DATA XREF: .text:006A7B38o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	ebx, ebx
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_B8], ebx
		mov	[ebp+var_B4], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_108]
		mov	esi, [ebp+var_FC]
		mov	eax, [ebp+var_10C]
		mov	[ebp+var_F0], eax

loc_9544E7:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+205j
		lea	eax, [ebp+var_38]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		jmp	short loc_954511
; 

loc_9544F2:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+169j
					; DbgkpPostFakeThreadMessages(x,x,x,x,x)+176j
		mov	[ebp+var_E5], bl
		mov	[ebp+var_CC], 1
		xor	edx, edx
		mov	ecx, esi
		call	_PsQueryThreadStartAddress@8 ; PsQueryThreadStartAddress(x,x)
		mov	[ebp+var_C0], eax

loc_954511:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+24Aj
		push	[ebp+var_F8]
		push	[ebp+var_EC]
		lea	eax, [ebp+var_E4]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp+var_F0]
		call	_DbgkpQueueMessage@20 ;	DbgkpQueueMessage(x,x,x,x,x)
		mov	[ebp+var_100], eax
		test	eax, eax
		jns	loc_9545C1
		test	byte ptr [ebp+var_EC], 20h
		jz	short loc_95454F
		push	ebx
		push	esi
		call	PsResumeThread

loc_95454F:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+2A0j
		test	byte ptr [ebp+var_EC], 8
		jz	short loc_954563
		lea	ecx, [esi+2ECh]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_954563:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+2B0j
		cmp	[ebp+var_CC], 2
		jnz	short loc_954581
		cmp	[ebp+var_C0], 0
		jz	short loc_954581
		push	ebx
		push	[ebp+var_C0]
		call	ObCloseHandle

loc_954581:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+2C4j
					; DbgkpPostFakeThreadMessages(x,x,x,x,x)+2CDj
		mov	edx, 6E457350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_95458D:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+B9j
		mov	esi, [ebp+var_100]
		mov	ecx, [ebp+var_F4]
		test	esi, esi
		jns	short loc_954609
		test	ecx, ecx
		jz	short loc_9545AB
		mov	edx, 4F676244h
		call	ObfDereferenceObjectWithTag

loc_9545AB:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+2F9j
		test	edi, edi
		jz	loc_954634
		mov	edx, 4F676244h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		jmp	short loc_954634
; 

loc_9545C1:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+293j
		cmp	[ebp+var_E5], 0
		jz	short loc_9545F6
		mov	[ebp+var_E6], bl
		mov	edx, 4F676244h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	[ebp+var_F4], esi
		lea	eax, [ebp+var_E4]
		push	eax
		mov	edx, [ebp+var_F8]
		mov	ecx, esi
		call	_DbgkSendSystemDllMessages@12 ;	DbgkSendSystemDllMessages(x,x,x)

loc_9545F6:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+EAj
					; DbgkpPostFakeThreadMessages(x,x,x,x,x)+10Dj ...
		push	esi
		push	[ebp+var_F0]
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	esi, eax
		jmp	loc_954357
; 

loc_954609:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+2F5j
		test	ecx, ecx
		jz	short loc_95461F
		mov	eax, [ebp+var_110]
		mov	[eax], ecx
		mov	eax, [ebp+var_114]
		mov	[eax], edi
		jmp	short loc_954634
; 

loc_95461F:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+365j
		test	edi, edi
		jz	short loc_95462F
		mov	edx, 4F676244h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_95462F:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+37Bj
		mov	esi, 0C0000001h

loc_954634:				; CODE XREF: DbgkpPostFakeThreadMessages(x,x,x,x,x)+307j
					; DbgkpPostFakeThreadMessages(x,x,x,x,x)+319j ...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_DbgkpPostFakeThreadMessages@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpPostModuleMessages(x, x, x)
_DbgkpPostModuleMessages@12 proc near	; CODE XREF: DbgkCreateThread+169B5Fp
					; DbgkpPostFakeProcessCreateMessages(x,x,x)+5Cp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	18h
		push	offset dword_6A7B00
		call	__SEH_prolog4
		mov	edi, edx
		mov	esi, ecx
		mov	eax, [esi+17Ch]
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [eax+0Ch]
		add	eax, 0Ch
		mov	[ebp+var_28], eax
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_954677
		mov	eax, ecx

loc_954677:				; CODE XREF: DbgkpPostModuleMessages(x,x,x)+2Bj
		nop
		mov	al, [eax]
		mov	edx, [ebp+var_28]
		mov	eax, [edx]
		xor	ecx, ecx
		mov	[ebp+var_24], ecx

loc_954684:				; CODE XREF: DbgkpPostModuleMessages(x,x,x)+C9j
		mov	[ebp+var_1C], eax
		cmp	eax, edx
		jz	loc_95471D
		cmp	ecx, ds:_DbgkpMaxModuleMsgs
		jnb	loc_95471D
		cmp	ecx, 1
		jbe	short loc_9546F3
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_9546AC
		mov	eax, ecx

loc_9546AC:				; CODE XREF: DbgkpPostModuleMessages(x,x,x)+60j
		nop
		mov	al, [eax]
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+18h]
		mov	[ebp+var_20], eax
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_9546C4
		mov	eax, ecx

loc_9546C4:				; CODE XREF: DbgkpPostModuleMessages(x,x,x)+78j
		nop
		mov	al, [eax]
		push	[ebp+var_20]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		test	eax, eax
		jz	short loc_9546DB
		mov	ecx, [eax+0Ch]
		mov	eax, [eax+10h]
		jmp	short loc_9546DF
; 

loc_9546DB:				; CODE XREF: DbgkpPostModuleMessages(x,x,x)+89j
		xor	ecx, ecx
		xor	eax, eax

loc_9546DF:				; CODE XREF: DbgkpPostModuleMessages(x,x,x)+91j
		push	[ebp+arg_0]
		push	eax
		push	ecx
		push	[ebp+var_20]
		mov	edx, edi
		mov	ecx, esi
		call	_DbgkPostModuleMessage@24 ; DbgkPostModuleMessage(x,x,x,x,x,x)
		mov	eax, [ebp+var_1C]

loc_9546F3:				; CODE XREF: DbgkpPostModuleMessages(x,x,x)+56j
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_9546FF
		mov	eax, ecx

loc_9546FF:				; CODE XREF: DbgkpPostModuleMessages(x,x,x)+B3j
		nop
		mov	al, [eax]
		mov	eax, [ebp+var_1C]
		mov	eax, [eax]
		mov	ecx, [ebp+var_24]
		inc	ecx
		mov	[ebp+var_24], ecx
		mov	edx, [ebp+var_28]
		jmp	loc_954684
; 

loc_954716:				; DATA XREF: .text:006A7B14o
		xor	eax, eax
		inc	eax
		retn
; 

loc_95471A:				; DATA XREF: .text:006A7B18o
		mov	esp, [ebp+ms_exc.old_esp]

loc_95471D:				; CODE XREF: DbgkpPostModuleMessages(x,x,x)+41j
					; DbgkpPostModuleMessages(x,x,x)+4Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_DbgkpPostModuleMessages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpQueueMessage(x, x, x, x, x)
_DbgkpQueueMessage@20 proc near		; CODE XREF: DbgkPostModuleMessage(x,x,x,x,x,x)+EFp
					; DbgkSendSystemDllMessages(x,x,x)+20Bp ...

var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E0		= dword	ptr -0E0h
var_BC		= dword	ptr -0BCh
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0FCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0FCh+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[esp+108h+var_EC], eax
		mov	ebx, 0E0h
		mov	eax, [ebp+arg_8]
		mov	esi, edx
		push	ebx		; size_t
		mov	[esp+10Ch+var_FC], eax
		lea	eax, [esp+10Ch+var_E8]
		push	0		; int
		push	eax		; void *
		mov	[esp+114h+var_F4], esi
		mov	[esp+114h+var_F8], ecx
		call	_memset
		mov	edi, [ebp+arg_4]
		add	esp, 0Ch
		mov	eax, edi
		and	eax, 2
		mov	[esp+108h+var_F0], eax
		jz	short loc_9547DD
		push	45676244h
		push	ebx
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9547B0
		mov	eax, 0C000009Ah
		jmp	loc_95495E
; 

loc_9547B0:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+6Ej
		mov	ecx, [esp+108h+var_F8]
		or	edi, 4
		mov	[ebx+2Ch], edi
		mov	edi, 4F676244h
		mov	edx, edi
		call	ObfReferenceObjectWithTag
		mov	edx, edi
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	eax, large fs:124h
		mov	[ebx+30h], eax
		jmp	loc_954875
; 

loc_9547DD:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+58j
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		mov	[esp+108h+var_BC], edi
		lea	ebx, [esp+108h+var_E8]
		call	ExAcquireFastMutex
		mov	eax, [esp+108h+var_F8]
		mov	esi, [eax+190h]
		mov	eax, [esp+108h+var_EC]
		mov	[esp+108h+var_FC], esi
		mov	ecx, [eax+18h]
		cmp	ecx, 1
		jz	short loc_95480E
		cmp	ecx, 2
		jnz	short loc_95482B

loc_95480E:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+D1j
		mov	edx, [esp+108h+var_F4]
		mov	al, [edx+2FCh]
		and	al, 40h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	esi, eax
		mov	[esp+108h+var_FC], esi
		jmp	short loc_95482F
; 

loc_95482B:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+D6j
		mov	edx, [esp+108h+var_F4]

loc_95482F:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+F3j
		cmp	ecx, 5
		jnz	short loc_954846
		mov	eax, [edx+2FCh]
		and	eax, edi
		test	al, 40h
		jz	short loc_954867
		xor	esi, esi
		mov	[esp+108h+var_FC], esi

loc_954846:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+FCj
		cmp	ecx, 3
		jz	short loc_954850
		cmp	ecx, 4
		jnz	short loc_954867

loc_954850:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+113j
		mov	al, [edx+2FCh]
		and	al, 80h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, esi
		mov	[esp+108h+var_FC], eax

loc_954867:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+108j
					; DbgkpQueueMessage(x,x,x,x,x)+118j
		push	0
		push	1
		lea	eax, [esp+110h+var_E0]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_954875:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+A2j
		mov	edx, [esp+108h+var_F4]
		lea	edi, [ebx+38h]
		mov	eax, [esp+108h+var_F8]
		mov	esi, [esp+108h+var_EC]
		push	2Ah
		mov	[ebx+20h], eax
		mov	[ebx+24h], edx
		pop	ecx
		rep movsd
		mov	eax, [edx+2ACh]
		mov	esi, [esp+108h+var_FC]
		mov	[ebx+18h], eax
		mov	eax, [edx+2B0h]
		mov	[ebx+1Ch], eax
		test	esi, esi
		jnz	short loc_9548B0
		mov	esi, 0C0000353h
		jmp	short loc_9548FA
; 

loc_9548B0:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+171j
		lea	edi, [esi+10h]
		mov	ecx, edi
		call	ExAcquireFastMutex
		test	byte ptr [esi+38h], 1
		jnz	short loc_9548EE
		lea	eax, [esi+30h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jz	short loc_9548CF
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9548CF:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+192j
		cmp	[esp+108h+var_F0], 0
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		mov	[eax+4], ebx
		jnz	short loc_9548EA
		push	0
		push	0
		push	esi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_9548EA:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+1A8j
		xor	esi, esi
		jmp	short loc_9548F3
; 

loc_9548EE:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+188j
		mov	esi, 0C0000354h

loc_9548F3:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+1B6j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_9548FA:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+178j
		cmp	[esp+108h+var_F0], 0
		jnz	short loc_954935
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	esi, esi
		js	short loc_95495C
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebx+8]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebx+28h]
		lea	esi, [ebx+38h]
		mov	edi, [esp+108h+var_EC]
		push	2Ah
		pop	ecx
		rep movsd
		mov	[esp+108h+var_F0], eax
		mov	esi, eax
		jmp	short loc_95495C
; 

loc_954935:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+1C9j
		test	esi, esi
		jns	short loc_95495C
		mov	ecx, [esp+108h+var_F8]
		mov	edi, 4F676244h
		mov	edx, edi
		call	ObfDereferenceObjectWithTag
		mov	ecx, [esp+108h+var_F4]
		mov	edx, edi
		call	ObfDereferenceObjectWithTag
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95495C:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+1D7j
					; DbgkpQueueMessage(x,x,x,x,x)+1FDj ...
		mov	eax, esi

loc_95495E:				; CODE XREF: DbgkpQueueMessage(x,x,x,x,x)+75j
		mov	ecx, [esp+108h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_DbgkpQueueMessage@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpSetProcessDebugObject(x, x, x,	x)
_DbgkpSetProcessDebugObject@16 proc near ; CODE	XREF: NtDebugActiveProcess(x,x)+D6p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, large fs:124h
		and	[ebp+var_C], 0
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	ebx
		push	esi
		mov	[ebp+var_20], eax
		mov	esi, ecx
		mov	[ebp+var_24], eax
		xor	eax, eax
		push	edi
		mov	edi, [ebp+arg_0]
		inc	eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], eax
		mov	[ebp+var_1], 0
		test	edi, edi
		jns	short loc_9549B6
		xor	ebx, ebx
		mov	[ebp+arg_4], ebx
		jmp	short loc_9549BB
; 

loc_9549B6:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+38j
		mov	ebx, [ebp+arg_4]
		xor	edi, edi

loc_9549BB:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+3Fj
		test	edi, edi
		js	loc_954A59

loc_9549C3:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+D6j
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		mov	[ebp+var_1], al
		call	ExAcquireFastMutex
		cmp	dword ptr [esi+190h], 0
		jnz	short loc_954A54
		mov	eax, [ebp+var_8]
		mov	edx, 4F676244h
		mov	ecx, ebx
		mov	[esi+190h], eax
		call	ObfReferenceObjectWithTag
		push	ebx
		push	esi
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_954A59
		and	dword ptr [esi+190h], 0
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	edx, 4F676244h
		mov	[ebp+var_1], 0
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+arg_4]
		push	eax
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		push	[ebp+arg_0]
		call	_DbgkpPostFakeThreadMessages@20	; DbgkpPostFakeThreadMessages(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_954A50
		mov	ecx, [ebp+var_C]
		mov	edx, 4F676244h
		call	ObfDereferenceObjectWithTag
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		inc	eax
		jmp	loc_9549C3
; 

loc_954A50:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+C1j
		xor	ebx, ebx
		jmp	short loc_954A59
; 

loc_954A54:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+62j
		mov	edi, 0C0000048h

loc_954A59:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+48j
					; DbgkpSetProcessDebugObject(x,x,x,x)+85j ...
		mov	eax, [ebp+var_8]
		add	eax, 10h
		mov	ecx, eax
		mov	[ebp+var_1C], eax
		call	ExAcquireFastMutex
		mov	edx, [ebp+var_8]
		push	3
		pop	ecx
		test	edi, edi
		js	short loc_954A9A
		test	byte ptr [edx+38h], 1
		jnz	short loc_954A8E
		lea	eax, [esi+0FCh]
		lock or	[eax], ecx
		mov	ecx, edx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, [ebp+var_8]
		jmp	short loc_954A9A
; 

loc_954A8E:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+102j
		and	dword ptr [esi+190h], 0
		mov	edi, 0C0000354h

loc_954A9A:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+FCj
					; DbgkpSetProcessDebugObject(x,x,x,x)+117j
		lea	eax, [edx+30h]
		mov	ecx, [eax]
		mov	[ebp+var_C], eax
		cmp	ecx, eax
		jz	loc_954B92

loc_954AAA:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+214j
		mov	esi, ecx
		mov	ecx, [ecx]
		mov	[ebp+arg_0], ecx
		mov	eax, [esi+2Ch]
		test	al, 4
		jz	loc_954B86
		mov	edx, [ebp+var_14]
		cmp	[esi+30h], edx
		jnz	loc_954B86
		mov	edx, [esi+24h]
		mov	[ebp+arg_4], edx
		mov	edx, [ebp+var_8]
		test	edi, edi
		js	short loc_954B37
		test	al, 10h
		jz	short loc_954B06
		mov	eax, [ebp+arg_4]
		mov	edx, 80h
		add	eax, 2FCh
		lock or	[eax], edx
		mov	edx, [esi]
		cmp	[edx+4], esi
		jnz	loc_954BE0
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_954BE0
		mov	[eax], edx
		mov	[edx+4], eax
		jmp	short loc_954B50
; 

loc_954B06:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+162j
		cmp	byte ptr [ebp+var_10], 0
		jz	short loc_954B23
		push	0
		push	0
		and	eax, 0FFFFFFFBh
		push	edx
		mov	[esi+2Ch], eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	byte ptr [ebp+var_10], 0

loc_954B23:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+195j
		mov	eax, [ebp+arg_4]
		and	dword ptr [esi+30h], 0
		add	eax, 2FCh
		push	40h
		pop	edx
		lock or	[eax], edx
		jmp	short loc_954B68
; 

loc_954B37:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+15Ej
		cmp	[ecx+4], esi
		jnz	loc_954BE0
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_954BE0
		mov	[eax], ecx
		mov	[ecx+4], eax

loc_954B50:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+18Fj
		mov	eax, [ebp+var_20]
		lea	edx, [ebp+var_24]
		cmp	[eax], edx
		jnz	loc_954BE0
		mov	[esi], edx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ebp+var_20], esi

loc_954B68:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+1C0j
		mov	eax, [esi+2Ch]
		mov	edx, [ebp+arg_4]
		test	al, 8
		jz	short loc_954B86
		and	eax, 0FFFFFFF7h
		lea	ecx, [edx+2ECh]
		mov	[esi+2Ch], eax
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, [ebp+arg_0]

loc_954B86:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+141j
					; DbgkpSetProcessDebugObject(x,x,x,x)+14Dj ...
		cmp	ecx, [ebp+var_C]
		jnz	loc_954AAA
		mov	esi, [ebp+var_18]

loc_954B92:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+12Fj
		mov	ecx, [ebp+var_1C]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	[ebp+var_1], 0
		jz	short loc_954BAA
		mov	ecx, offset _DbgkpProcessDebugPortMutex
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_954BAA:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+229j
		test	ebx, ebx
		jz	short loc_954BBA
		mov	edx, 4F676244h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_954BBA:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+237j
					; DbgkpSetProcessDebugObject(x,x,x,x)+269j
		mov	ecx, [ebp+var_24]
		lea	eax, [ebp+var_24]
		cmp	ecx, eax
		jz	short loc_954BE5
		cmp	[ecx+4], eax
		jnz	short loc_954BE0
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_954BE0
		lea	edx, [ebp+var_24]
		mov	[ebp+var_24], eax
		mov	[eax+4], edx
		call	_DbgkpWakeTarget@4 ; DbgkpWakeTarget(x)
		jmp	short loc_954BBA
; 

loc_954BE0:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+179j
					; DbgkpSetProcessDebugObject(x,x,x,x)+184j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_954BE5:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+24Dj
		test	edi, edi
		js	short loc_954BF0
		mov	ecx, esi
		call	_DbgkpMarkProcessPeb@4 ; DbgkpMarkProcessPeb(x)

loc_954BF0:				; CODE XREF: DbgkpSetProcessDebugObject(x,x,x,x)+272j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_DbgkpSetProcessDebugObject@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpValidateDebugTarget(x,	x, x)
_DbgkpValidateDebugTarget@12 proc near	; CODE XREF: DbgkCopyProcessDebugPort+14A9E0p
					; DbgkOpenProcessDebugPort(x,x,x)+58p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	_PsTestProtectedProcessIncompatibility@12 ; PsTestProtectedProcessIncompatibility(x,x,x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000712h
		pop	ebp
		retn	4
_DbgkpValidateDebugTarget@12 endp


;  S U B	R O U T	I N E 


; __stdcall DbgkpWakeTarget(x)
_DbgkpWakeTarget@4 proc	near		; CODE XREF: DbgkClearProcessDebugObject+A6AC6p
					; DbgkpCloseObject(x,x,x,x)+EEp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+2Ch]
		mov	edi, [esi+24h]
		test	al, 20h
		jz	short loc_954C31
		push	0
		push	edi
		call	PsResumeThread
		mov	eax, [esi+2Ch]

loc_954C31:				; CODE XREF: DbgkpWakeTarget(x)+Ej
		test	al, 8
		jz	short loc_954C43
		lea	ecx, [edi+2ECh]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	eax, [esi+2Ch]

loc_954C43:				; CODE XREF: DbgkpWakeTarget(x)+1Dj
		test	al, 2
		jnz	short loc_954C57
		push	0
		push	0
		lea	eax, [esi+8]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		pop	esi
		retn
; 

loc_954C57:				; CODE XREF: DbgkpWakeTarget(x)+2Fj
		pop	edi
		mov	ecx, esi
		pop	esi
		jmp	_DbgkpFreeDebugEvent@4 ; DbgkpFreeDebugEvent(x)
_DbgkpWakeTarget@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateDebugObject(x, x, x, x)
_NtCreateDebugObject@16	proc near	; DATA XREF: .text:00581180o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	1Ch
		push	offset dword_6A7B68
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_24], bl
		mov	[ebp+ms_exc.disabled], edi
		test	bl, bl
		jz	short loc_954C9C
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_954C98
		mov	ecx, eax

loc_954C98:				; CODE XREF: NtCreateDebugObject(x,x,x,x)+34j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_954C9C:				; CODE XREF: NtCreateDebugObject(x,x,x,x)+28j
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		push	0FFFFFFFEh
		pop	eax
		mov	[ebp+ms_exc.disabled], eax
		test	[ebp+arg_C], eax
		jz	short loc_954CB6
		mov	eax, 0C000000Dh
		jmp	loc_954D78
; 

loc_954CB6:				; CODE XREF: NtCreateDebugObject(x,x,x,x)+4Aj
		mov	edx, ds:_DbgkDebugObjectType
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		push	edi
		push	3Ch
		push	ecx
		push	[ebp+var_24]
		push	[ebp+arg_8]
		mov	cl, bl
		call	ObCreateObjectEx
		test	eax, eax
		js	loc_954D78
		mov	esi, [ebp+var_1C]
		xor	ebx, ebx
		inc	ebx
		mov	[esi+10h], ebx
		mov	[esi+14h], edi
		mov	[esi+18h], edi
		push	edi
		push	ebx
		lea	eax, [esi+1Ch]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esi+30h]
		mov	[eax+4], eax
		mov	[eax], eax
		push	edi
		push	edi
		push	esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, [ebp+arg_C]
		movzx	eax, cl
		and	eax, ebx
		add	eax, eax
		mov	[esi+38h], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		push	edi
		push	edi
		push	[ebp+arg_4]
		xor	edx, edx
		mov	ecx, esi
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jns	short loc_954D2F

loc_954D2B:				; CODE XREF: NtCreateDebugObject(x,x,x,x)+F9j
		mov	eax, edx
		jmp	short loc_954D78
; 

loc_954D2F:				; CODE XREF: NtCreateDebugObject(x,x,x,x)+C9j
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	short loc_954D52
; 

loc_954D3C:				; DATA XREF: .text:006A7B88o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_954D4C:				; DATA XREF: .text:006A7B8Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edx, [ebp+var_28]

loc_954D52:				; CODE XREF: NtCreateDebugObject(x,x,x,x)+DAj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_954D2B
; 

loc_954D5B:				; DATA XREF: .text:006A7B7Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_954D6B:				; DATA XREF: .text:006A7B80o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_2C]

loc_954D78:				; CODE XREF: NtCreateDebugObject(x,x,x,x)+51j
					; NtCreateDebugObject(x,x,x,x)+75j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_NtCreateDebugObject@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtDebugActiveProcess(x, x)
_NtDebugActiveProcess@8	proc near	; DATA XREF: .text:005810CCo

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, large fs:124h
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		mov	bl, [eax+15Ah]
		lea	eax, [esp+20h+var_C]
		push	ecx
		push	eax
		push	4F676244h
		mov	byte ptr [esp+2Ch+var_8], bl
		push	[esp+2Ch+var_8]
		mov	[esp+30h+var_C], ecx
		push	ds:_PsProcessType
		mov	[esp+34h+var_4], ecx
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_954E93
		mov	eax, large fs:124h
		mov	edi, [esp+20h+var_C]
		mov	edx, [eax+80h]
		cmp	edi, edx
		jz	loc_954E80
		cmp	edi, ds:_PsInitialSystemProcess
		jz	loc_954E80
		push	edi
		mov	cl, bl
		call	_DbgkpValidateDebugTarget@12 ; DbgkpValidateDebugTarget(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_954E85
		mov	eax, ds:_DbgkDebugObjectType
		lea	ecx, [esp+20h+var_10]
		and	[esp+20h+var_10], 0
		push	0
		push	ecx
		push	[esp+28h+var_8]
		push	eax
		push	2
		push	[ebp+arg_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_954E85
		lea	ebx, [edi+0F0h]
		mov	ecx, ebx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_954E70
		mov	edx, [esp+20h+var_10]
		lea	eax, [esp+20h+var_4]
		push	eax
		mov	ecx, edi
		call	_DbgkpPostFakeProcessCreateMessages@12 ; DbgkpPostFakeProcessCreateMessages(x,x,x)
		push	[esp+20h+var_4]
		mov	edx, [esp+24h+var_10]
		mov	ecx, edi
		push	eax
		call	_DbgkpSetProcessDebugObject@16 ; DbgkpSetProcessDebugObject(x,x,x,x)
		mov	ecx, ebx
		mov	esi, eax
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_954E75
; 

loc_954E70:				; CODE XREF: NtDebugActiveProcess(x,x)+B9j
		mov	esi, 0C000010Ah

loc_954E75:				; CODE XREF: NtDebugActiveProcess(x,x)+E4j
		mov	ecx, [esp+20h+var_10]
		call	ObfDereferenceObject
		jmp	short loc_954E85
; 

loc_954E80:				; CODE XREF: NtDebugActiveProcess(x,x)+64j
					; NtDebugActiveProcess(x,x)+70j
		mov	esi, 0C0000022h

loc_954E85:				; CODE XREF: NtDebugActiveProcess(x,x)+82j
					; NtDebugActiveProcess(x,x)+A8j ...
		mov	edx, 4F676244h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi

loc_954E93:				; CODE XREF: NtDebugActiveProcess(x,x)+4Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_NtDebugActiveProcess@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtDebugContinue(x, x, x)
_NtDebugContinue@12 proc near		; DATA XREF: .text:005810C8o

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	24h
		push	offset dword_6A7AB8
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		xor	edx, edx
		mov	[ebp+ms_exc.disabled], edx
		test	al, al
		jz	short loc_954ED2
		mov	eax, [ebp+arg_4]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_954ECF
		mov	eax, ecx

loc_954ECF:				; CODE XREF: NtDebugContinue(x,x,x)+2Fj
		nop
		mov	al, [eax]

loc_954ED2:				; CODE XREF: NtDebugContinue(x,x,x)+22j
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_34], ecx
		mov	eax, [eax+4]
		mov	[ebp+var_28], eax
		mov	[ebp+var_30], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+arg_8]
		cmp	esi, 80010001h
		jz	short loc_954F2A
		cmp	esi, 10000h
		jle	short loc_954F20
		cmp	esi, 10002h
		jle	short loc_954F2A
		cmp	esi, 40010001h
		jz	short loc_954F2A
		cmp	esi, 40010002h
		jle	short loc_954F20
		cmp	esi, 40010004h
		jle	short loc_954F2A

loc_954F20:				; CODE XREF: NtDebugContinue(x,x,x)+62j
					; NtDebugContinue(x,x,x)+7Aj
		mov	eax, 0C000000Dh
		jmp	loc_955030
; 

loc_954F2A:				; CODE XREF: NtDebugContinue(x,x,x)+5Aj
					; NtDebugContinue(x,x,x)+6Aj ...
		mov	eax, ds:_DbgkDebugObjectType
		mov	[ebp+var_1C], edx
		push	edx
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_955030
		mov	byte ptr [ebp+arg_4+3],	0
		xor	edi, edi
		mov	eax, [ebp+var_1C]
		add	eax, 10h
		mov	[ebp+var_24], eax
		mov	ecx, eax
		call	ExAcquireFastMutex
		mov	ecx, [ebp+var_1C]
		lea	edx, [ecx+30h]
		mov	[ebp+arg_0], edx
		mov	eax, [edx]
		cmp	eax, edx
		jz	short loc_954FCB
		mov	edx, [ebp+var_20]

loc_954F77:				; CODE XREF: NtDebugContinue(x,x,x)+118j
		cmp	[eax+18h], edx
		jnz	short loc_954FAF
		cmp	byte ptr [ebp+arg_4+3],	0
		jnz	short loc_954FBD
		mov	esi, [ebp+var_28]
		cmp	[eax+1Ch], esi
		mov	esi, [ebp+arg_8]
		jnz	short loc_954FAF
		test	byte ptr [eax+2Ch], 1
		jz	short loc_954FAF
		mov	edi, [eax]
		mov	edx, [eax+4]
		cmp	[edi+4], eax
		jnz	short loc_954FB8
		cmp	[edx], eax
		jnz	short loc_954FB8
		mov	[edx], edi
		mov	[edi+4], edx
		mov	edi, eax
		mov	byte ptr [ebp+arg_4+3],	1
		mov	edx, [ebp+var_20]

loc_954FAF:				; CODE XREF: NtDebugContinue(x,x,x)+DEj
					; NtDebugContinue(x,x,x)+EFj ...
		mov	eax, [eax]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_954F77
		jmp	short loc_954FCB
; 

loc_954FB8:				; CODE XREF: NtDebugContinue(x,x,x)+FFj
					; NtDebugContinue(x,x,x)+103j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_954FBD:				; CODE XREF: NtDebugContinue(x,x,x)+E4j
		and	dword ptr [eax+2Ch], 0FFFFFFFBh
		push	0
		push	0
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_954FCB:				; CODE XREF: NtDebugContinue(x,x,x)+D6j
					; NtDebugContinue(x,x,x)+11Aj
		mov	ecx, [ebp+var_24]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject
		cmp	byte ptr [ebp+arg_4+3],	0
		jz	short loc_95500A
		test	ds:_PerfGlobalGroupMask, 400000h
		jz	short loc_954FFA
		push	2
		mov	edx, [edi+24h]
		mov	ecx, [edi+20h]
		call	@EtwTraceDebuggerEvent@12 ; EtwTraceDebuggerEvent(x,x,x)

loc_954FFA:				; CODE XREF: NtDebugContinue(x,x,x)+14Fj
		mov	[edi+54h], esi
		and	dword ptr [edi+28h], 0
		mov	ecx, edi
		call	_DbgkpWakeTarget@4 ; DbgkpWakeTarget(x)
		jmp	short loc_95500F
; 

loc_95500A:				; CODE XREF: NtDebugContinue(x,x,x)+143j
		mov	ebx, 0C000000Dh

loc_95500F:				; CODE XREF: NtDebugContinue(x,x,x)+16Cj
		mov	eax, ebx
		jmp	short loc_955030
; 

loc_955013:				; DATA XREF: .text:006A7ACCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_955023:				; DATA XREF: .text:006A7AD0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_2C]

loc_955030:				; CODE XREF: NtDebugContinue(x,x,x)+89j
					; NtDebugContinue(x,x,x)+ADj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_NtDebugContinue@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtRemoveProcessDebug(x, x)
_NtRemoveProcessDebug@8	proc near	; DATA XREF: .text:00580D7Co

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	edi
		xor	edi, edi
		mov	bl, [eax+15Ah]
		lea	eax, [ebp+var_4]
		push	edi
		push	eax
		push	4F676244h
		mov	byte ptr [ebp+var_C], bl
		push	[ebp+var_C]
		mov	[ebp+var_4], edi
		push	ds:_PsProcessType
		push	800h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9550E7
		mov	eax, large fs:124h
		mov	cl, bl
		push	esi
		push	[ebp+var_4]
		mov	edx, [eax+80h]
		call	_DbgkpValidateDebugTarget@12 ; DbgkpValidateDebugTarget(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9550D7
		mov	eax, ds:_DbgkDebugObjectType
		lea	ecx, [ebp+var_8]
		push	edi
		push	ecx
		push	[ebp+var_C]
		mov	[ebp+var_8], edi
		push	eax
		push	2
		push	[ebp+arg_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9550D7
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		call	DbgkClearProcessDebugObject
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		call	ObfDereferenceObject

loc_9550D7:				; CODE XREF: NtRemoveProcessDebug(x,x)+5Dj
					; NtRemoveProcessDebug(x,x)+7Ej
		mov	ecx, [ebp+var_4]
		mov	edx, 4F676244h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		pop	esi

loc_9550E7:				; CODE XREF: NtRemoveProcessDebug(x,x)+40j
		pop	edi
		pop	ebx
		leave
		retn	8
_NtRemoveProcessDebug@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetInformationDebugObject(x, x, x, x, x)
_NtSetInformationDebugObject@20	proc near ; DATA XREF: .text:00580CD8o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	18h
		push	offset dword_6A7A98
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_20], al
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], ebx
		test	al, al
		jz	short loc_955152
		cmp	[ebp+arg_C], ebx
		jz	short loc_955138
		test	byte ptr [ebp+arg_8], 3
		jz	short loc_955121
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_955121:				; CODE XREF: NtSetInformationDebugObject(x,x,x,x,x)+2Dj
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		add	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_955136
		cmp	edx, ecx
		jnb	short loc_955138

loc_955136:				; CODE XREF: NtSetInformationDebugObject(x,x,x,x,x)+43j
		mov	[eax], bl

loc_955138:				; CODE XREF: NtSetInformationDebugObject(x,x,x,x,x)+27j
					; NtSetInformationDebugObject(x,x,x,x,x)+47j
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_95515B
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_95514C
		mov	edx, eax

loc_95514C:				; CODE XREF: NtSetInformationDebugObject(x,x,x,x,x)+5Bj
		mov	eax, [edx]
		mov	[edx], eax
		jmp	short loc_955155
; 

loc_955152:				; CODE XREF: NtSetInformationDebugObject(x,x,x,x,x)+22j
		mov	ecx, [ebp+arg_10]

loc_955155:				; CODE XREF: NtSetInformationDebugObject(x,x,x,x,x)+63j
		test	ecx, ecx
		jz	short loc_95515B
		mov	[ecx], ebx

loc_95515B:				; CODE XREF: NtSetInformationDebugObject(x,x,x,x,x)+50j
					; NtSetInformationDebugObject(x,x,x,x,x)+6Aj
		sub	[ebp+arg_4], 1
		jz	short loc_955172
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_955168:				; CODE XREF: NtSetInformationDebugObject(x,x,x,x,x)+B4j
		mov	eax, 0C000000Dh
		jmp	loc_955211
; 

loc_955172:				; CODE XREF: NtSetInformationDebugObject(x,x,x,x,x)+72j
		push	4
		pop	edx
		cmp	[ebp+arg_C], edx
		jz	short loc_955191
		test	ecx, ecx
		jz	short loc_955180
		mov	[ecx], edx

loc_955180:				; CODE XREF: NtSetInformationDebugObject(x,x,x,x,x)+8Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_955211
; 

loc_955191:				; CODE XREF: NtSetInformationDebugObject(x,x,x,x,x)+8Bj
		mov	eax, [ebp+arg_8]
		mov	ebx, [eax]
		mov	[ebp+var_28], ebx
		push	0FFFFFFFEh
		pop	eax
		mov	[ebp+ms_exc.disabled], eax
		test	ebx, eax
		jnz	short loc_955168
		mov	eax, ds:_DbgkDebugObjectType
		and	[ebp+var_1C], 0
		push	0
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_20]
		push	eax
		push	edx
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_955211
		mov	esi, [ebp+var_1C]
		lea	ecx, [esi+10h]
		call	ExAcquireFastMutex
		mov	eax, [esi+38h]
		test	bl, 1
		jz	short loc_9551DB
		or	eax, 2
		jmp	short loc_9551DE
; 

loc_9551DB:				; CODE XREF: NtSetInformationDebugObject(x,x,x,x,x)+E7j
		and	eax, 0FFFFFFFDh

loc_9551DE:				; CODE XREF: NtSetInformationDebugObject(x,x,x,x,x)+ECj
		mov	[esi+38h], eax
		lea	ecx, [esi+10h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, esi
		call	ObfDereferenceObject
		xor	eax, eax
		jmp	short loc_955211
; 

loc_9551F4:				; DATA XREF: .text:006A7AACo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_955204:				; DATA XREF: .text:006A7AB0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]

loc_955211:				; CODE XREF: NtSetInformationDebugObject(x,x,x,x,x)+80j
					; NtSetInformationDebugObject(x,x,x,x,x)+9Fj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_NtSetInformationDebugObject@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtWaitForDebugEvent(x, x, x, x)
_NtWaitForDebugEvent@16	proc near	; DATA XREF: .text:00580BC0o

var_B8		= dword	ptr -0B8h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	0A8h
		push	offset dword_6A7AD8
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_28], bl
		push	60h		; size_t
		push	ecx		; int
		lea	eax, [ebp+var_B8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		and	[ebp+ms_exc.disabled], 0
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_95529B
		test	bl, bl
		jz	short loc_955281
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_95527B
		mov	esi, eax

loc_95527B:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+54j
		nop
		mov	al, [esi]
		mov	esi, [ebp+arg_8]

loc_955281:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+4Bj
		mov	eax, [esi]
		mov	[ebp+var_20], eax
		mov	eax, [esi+4]
		mov	[ebp+var_1C], eax
		lea	esi, [ebp+var_20]
		mov	[ebp+arg_8], esi
		lea	eax, [ebp+var_38]
		push	eax
		call	KeQuerySystemTime

loc_95529B:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+47j
		test	bl, bl
		jz	short loc_9552BC
		mov	eax, ds:_MmUserProbeAddress
		cmp	[ebp+arg_C], eax
		jb	short loc_9552AC
		mov	byte ptr [eax],	0

loc_9552AC:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+84j
		mov	ecx, [ebp+arg_C]
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+5Fh]
		mov	[ecx+5Fh], al
		mov	esi, [ebp+arg_8]

loc_9552BC:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+7Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ds:_DbgkDebugObjectType
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		push	ebx
		lea	ecx, [ebp+var_24]
		push	ecx
		push	[ebp+var_28]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_955505
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_30], ebx
		push	esi
		push	[ebp+arg_4]
		push	[ebp+var_28]
		push	ebx
		mov	edi, [ebp+var_24]
		push	edi
		call	KeWaitForSingleObject
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9554A9
		mov	eax, [ebp+var_34]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_38]
		mov	[ebp+var_48], eax

loc_955315:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+24Cj
		cmp	ebx, 102h
		jz	loc_9554A9
		cmp	ebx, 101h
		jz	loc_9554A9
		cmp	ebx, 0C0h
		jz	loc_9554A9
		xor	bl, bl
		mov	byte ptr [ebp+arg_0+3],	bl
		xor	ecx, ecx
		mov	[ebp+var_44], ecx
		lea	ecx, [edi+10h]
		call	ExAcquireFastMutex
		test	byte ptr [edi+38h], 1
		jnz	loc_9553F3
		lea	edx, [edi+30h]
		mov	eax, [edx]
		jmp	short loc_9553A6
; 

loc_95535C:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+185j
		mov	[ebp+var_44], eax
		mov	ecx, [eax+2Ch]
		mov	[ebp+var_34], ecx
		test	cl, 5
		jnz	short loc_9553A4
		mov	bl, 1
		mov	byte ptr [ebp+arg_0+3],	bl
		mov	ecx, [edx]
		cmp	ecx, eax
		jz	short loc_9553A0
		mov	edi, [eax+18h]
		mov	[ebp+var_50], edi

loc_95537B:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+167j
		mov	edi, [ebp+var_50]
		cmp	edi, [ecx+18h]
		mov	edi, [ebp+var_24]
		jz	short loc_95538E
		mov	ecx, [ecx]
		cmp	ecx, eax
		jnz	short loc_95537B
		jmp	short loc_9553A0
; 

loc_95538E:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+161j
		mov	ecx, [ebp+var_34]
		or	ecx, 4
		mov	[eax+2Ch], ecx
		and	dword ptr [eax+30h], 0
		xor	bl, bl
		mov	byte ptr [ebp+arg_0+3],	bl

loc_9553A0:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+150j
					; NtWaitForDebugEvent(x,x,x,x)+169j
		test	bl, bl
		jnz	short loc_9553AE

loc_9553A4:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+145j
		mov	eax, [eax]

loc_9553A6:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+137j
		cmp	eax, edx
		jnz	short loc_95535C
		test	bl, bl
		jz	short loc_9553E9

loc_9553AE:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+17Fj
		mov	ebx, [ebp+var_44]
		mov	eax, [ebx+20h]
		mov	[ebp+var_2C], eax
		mov	eax, [ebx+24h]
		mov	[ebp+var_30], eax
		mov	edx, 4F676244h
		mov	ecx, eax
		call	ObfReferenceObjectWithTag
		mov	edx, 4F676244h
		mov	ecx, [ebp+var_2C]
		call	ObfReferenceObjectWithTag
		mov	edx, ebx
		lea	ecx, [ebp+var_B8]
		call	_DbgkpConvertKernelToUserStateChange@8 ; DbgkpConvertKernelToUserStateChange(x,x)
		or	dword ptr [ebx+2Ch], 1
		jmp	short loc_9553EF
; 

loc_9553E9:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+189j
		push	edi
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_9553EF:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+1C4j
		xor	ebx, ebx
		jmp	short loc_9553F8
; 

loc_9553F3:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+12Cj
		mov	ebx, 0C0000354h

loc_9553F8:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+1CEj
		lea	ecx, [edi+10h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	ebx, ebx
		js	loc_9554A9
		cmp	byte ptr [ebp+arg_0+3],	0
		jnz	short loc_95547E
		xor	ebx, ebx
		cmp	[ebp+var_1C], ebx
		jg	short loc_95545D
		jl	short loc_95541C
		cmp	[ebp+var_20], ebx
		jnb	short loc_95545D

loc_95541C:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+1F2j
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		lea	eax, [ebp+var_40]
		push	eax
		call	KeQuerySystemTime
		mov	eax, [ebp+var_40]
		sub	eax, [ebp+var_48]
		mov	ecx, [ebp+var_3C]
		sbb	ecx, [ebp+var_4C]
		mov	edx, [ebp+var_20]
		add	edx, eax
		mov	[ebp+var_20], edx
		mov	eax, [ebp+var_1C]
		adc	eax, ecx
		mov	[ebp+var_1C], eax
		mov	ecx, [ebp+var_40]
		mov	[ebp+var_48], ecx
		mov	ecx, [ebp+var_3C]
		mov	[ebp+var_4C], ecx
		cmp	eax, ebx
		jg	short loc_955477
		jl	short loc_95545D
		cmp	edx, ebx
		jnb	short loc_955477

loc_95545D:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+1F0j
					; NtWaitForDebugEvent(x,x,x,x)+1F7j ...
		push	esi
		push	[ebp+arg_4]
		push	[ebp+var_28]
		push	ebx
		push	edi
		call	KeWaitForSingleObject
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_955315
		jmp	short loc_9554A9
; 

loc_955477:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+232j
					; NtWaitForDebugEvent(x,x,x,x)+238j
		mov	ebx, 102h
		jmp	short loc_9554A9
; 

loc_95547E:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+1E9j
		push	[ebp+var_30]
		mov	edx, [ebp+var_2C]
		lea	ecx, [ebp+var_B8]
		call	_DbgkpOpenHandles@12 ; DbgkpOpenHandles(x,x,x)
		mov	edx, 4F676244h
		mov	ecx, [ebp+var_30]
		call	ObfDereferenceObjectWithTag
		mov	edx, 4F676244h
		mov	ecx, [ebp+var_2C]
		call	ObfDereferenceObjectWithTag

loc_9554A9:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+E0j
					; NtWaitForDebugEvent(x,x,x,x)+F8j ...
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	[ebp+ms_exc.disabled], 1
		push	18h
		pop	ecx
		lea	esi, [ebp+var_B8]
		mov	edi, [ebp+arg_C]
		rep movsd
		jmp	short loc_9554DD
; 

loc_9554C7:				; DATA XREF: .text:006A7AF8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_54], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_9554D7:				; DATA XREF: .text:006A7AFCo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_54]

loc_9554DD:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+2A2j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ebx
		jmp	short loc_955505
; 

loc_9554E8:				; DATA XREF: .text:006A7AECo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_58], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_9554F8:				; DATA XREF: .text:006A7AF0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_58]

loc_955505:				; CODE XREF: NtWaitForDebugEvent(x,x,x,x)+BFj
					; NtWaitForDebugEvent(x,x,x,x)+2C3j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_NtWaitForDebugEvent@16	endp


;  S U B	R O U T	I N E 


; __fastcall DbgkpDeleteErrorPort(x)
@DbgkpDeleteErrorPort@4	proc near	; CODE XREF: DbgkpDereferenceErrorPort(x)+7j
					; DbgkpSendErrorMessage+351p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	0
		push	dword ptr [esi+8]
		call	ObCloseHandle
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
@DbgkpDeleteErrorPort@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkQueueUserExceptionReport(x, x, x)
_DbgkQueueUserExceptionReport@12 proc near ; CODE XREF:	SepLogLpacAccessFailure(x)+D4p
					; MiForceCrashForInvalidAccess(x,x)+B1p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_28], edx
		push	6
		xor	eax, eax
		mov	[ebp+var_21], 0
		lea	edi, [ebp+var_20]
		mov	[ebp+var_22], 0
		pop	ecx
		rep stosd
		cmp	ds:_DbgkEnableWerUserReporting,	eax
		jnz	short loc_95556E
		mov	eax, 0C0000356h
		jmp	loc_9556B3
; 

loc_95556E:				; CODE XREF: DbgkQueueUserExceptionReport(x,x,x)+32j
		test	dword ptr [ebx+58h], 400h
		jnz	loc_9556AE
		push	ebx
		call	_IoThreadToProcess@4 ; IoThreadToProcess(x)
		test	byte ptr [eax+3A8h], 1
		jnz	loc_9556AE
		lea	eax, [ebx+2FCh]
		lock bts dword ptr [eax], 15h
		jnb	short loc_9555A5
		mov	eax, 0C0000704h
		jmp	loc_9556B3
; 

loc_9555A5:				; CODE XREF: DbgkQueueUserExceptionReport(x,x,x)+69j
		push	4B474244h
		push	6Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_2C], esi
		test	esi, esi
		jnz	short loc_9555C9
		mov	eax, 0C000009Ah
		jmp	loc_9556B3
; 

loc_9555C9:				; CODE XREF: DbgkQueueUserExceptionReport(x,x,x)+8Dj
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		cmp	[ebp+arg_0], 0
		mov	eax, [ebp+var_28]
		mov	[esi+4], eax
		lea	eax, [esi+0Ch]
		mov	[esi], ebx
		jz	short loc_9555F2
		mov	esi, [ebp+arg_0]
		mov	edi, eax
		push	14h
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_2C]
		mov	al, 1
		jmp	short loc_955601
; 

loc_9555F2:				; CODE XREF: DbgkQueueUserExceptionReport(x,x,x)+AFj
		push	50h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	al, al

loc_955601:				; CODE XREF: DbgkQueueUserExceptionReport(x,x,x)+C0j
		mov	[esi+8], al
		and	dword ptr [esi+5Ch], 0
		push	ebx
		mov	dword ptr [esi+64h], offset _DbgkUserReportWorkRoutine@4 ; DbgkUserReportWorkRoutine(x)
		mov	[esi+68h], esi
		call	_IoThreadToProcess@4 ; IoThreadToProcess(x)
		mov	ecx, large fs:124h
		cmp	eax, [ecx+80h]
		jz	short loc_955638
		lea	ecx, [ebp+var_20]
		xor	edx, edx
		push	ecx
		mov	ecx, eax
		call	KiStackAttachProcess
		mov	[ebp+var_22], 1

loc_955638:				; CODE XREF: DbgkQueueUserExceptionReport(x,x,x)+F5j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		push	ebx
		call	PsSuspendThread
		mov	edi, eax
		test	edi, edi
		js	short loc_955663
		push	1
		lea	eax, [esi+5Ch]
		mov	[ebp+var_21], 1
		push	eax
		call	ExQueueWorkItem

loc_955663:				; CODE XREF: DbgkQueueUserExceptionReport(x,x,x)+122j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		jns	short loc_95569A
		push	4B474244h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, 0FFDFFFFFh
		lea	eax, [ebx+2FCh]
		lock and [eax],	ecx
		cmp	[ebp+var_21], 0
		jz	short loc_955693
		push	0
		push	ebx
		call	PsResumeThread

loc_955693:				; CODE XREF: DbgkQueueUserExceptionReport(x,x,x)+159j
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_95569A:				; CODE XREF: DbgkQueueUserExceptionReport(x,x,x)+13Aj
		cmp	[ebp+var_22], 0
		jz	short loc_9556AA
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_9556AA:				; CODE XREF: DbgkQueueUserExceptionReport(x,x,x)+16Ej
		mov	eax, edi
		jmp	short loc_9556B3
; 

loc_9556AE:				; CODE XREF: DbgkQueueUserExceptionReport(x,x,x)+45j
					; DbgkQueueUserExceptionReport(x,x,x)+58j
		mov	eax, 0C00000BBh

loc_9556B3:				; CODE XREF: DbgkQueueUserExceptionReport(x,x,x)+39j
					; DbgkQueueUserExceptionReport(x,x,x)+70j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_DbgkQueueUserExceptionReport@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkUserReportWorkRoutine(x)
_DbgkUserReportWorkRoutine@4 proc near	; DATA XREF: DbgkQueueUserExceptionReport(x,x,x)+D9o

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	60h
		push	offset dword_6A7BB0
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_44], eax
		mov	[ebp+var_58], eax
		xor	ebx, ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_48], 58h
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_70]
		rep stosd
		mov	edi, [ebp+var_44]
		mov	esi, [edi]
		mov	[ebp+var_4C], esi
		mov	[ebp+var_54], esi
		push	esi
		call	_IoThreadToProcess@4 ; IoThreadToProcess(x)
		lea	ecx, [ebp+var_34]
		push	ecx
		xor	edx, edx
		mov	ecx, eax
		call	KiStackAttachProcess
		lea	eax, [ebp+var_40]
		push	eax
		push	1
		push	ds:_PsThreadType
		push	72h
		push	ebx
		push	ebx
		push	esi
		call	ObOpenObjectByPointer
		mov	edx, eax
		test	edx, edx
		js	loc_955828
		push	4
		push	3000h
		lea	eax, [ebp+var_48]
		push	eax
		push	ebx
		lea	eax, [ebp+var_38]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jns	short loc_955760
		mov	[ebp+var_38], ebx
		jmp	loc_9557FD
; 

loc_955760:				; CODE XREF: DbgkUserReportWorkRoutine(x)+92j
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [edi+4]
		mov	eax, [ebp+var_38]
		mov	[eax+4], ecx
		mov	ecx, [ebp+var_38]
		mov	eax, [ebp+var_40]
		mov	[ecx], eax
		cmp	byte ptr [edi+8], 0
		jz	short loc_95578E
		lea	esi, [edi+0Ch]
		mov	edi, [ebp+var_38]
		add	edi, 8
		push	14h
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_4C]
		mov	edi, [ebp+var_44]

loc_95578E:				; CODE XREF: DbgkUserReportWorkRoutine(x)+B4j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9557BA
; 

loc_955797:				; DATA XREF: .text:006A7BC4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_50], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9557A5:				; DATA XREF: .text:006A7BC8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edx, [ebp+var_50]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_54]
		mov	edi, [ebp+var_58]

loc_9557BA:				; CODE XREF: DbgkUserReportWorkRoutine(x)+D1j
		test	edx, edx
		js	short loc_955828
		mov	[ebp+var_70], 18h
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_64], 200h
		mov	[ebp+var_68], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	27h
		push	[ebp+var_38]
		push	_DbgkWerReportExceptionWorker
		push	0FFFFFFFFh
		lea	eax, [ebp+var_70]
		push	eax
		push	1FFFFFh
		lea	eax, [ebp+var_3C]
		push	eax
		call	_ZwCreateThreadEx@44 ; ZwCreateThreadEx(x,x,x,x,x,x,x,x,x,x,x)
		mov	edx, eax

loc_9557FD:				; CODE XREF: DbgkUserReportWorkRoutine(x)+97j
		test	edx, edx
		js	short loc_955828
		push	4
		push	offset dword_4270C4
		push	2Eh
		push	[ebp+var_3C]
		call	_ZwSetInformationThread@16 ; ZwSetInformationThread(x,x,x,x)
		push	ebx
		push	[ebp+var_3C]
		call	_ZwResumeThread@8 ; ZwResumeThread(x,x)
		push	[ebp+var_3C]
		call	_ZwClose@4	; ZwClose(x)
		mov	[ebp+var_3C], ebx
		jmp	short loc_955864
; 

loc_955828:				; CODE XREF: DbgkUserReportWorkRoutine(x)+71j
					; DbgkUserReportWorkRoutine(x)+F8j ...
		mov	ecx, 0FFDFFFFFh
		lea	eax, [esi+2FCh]
		lock and [eax],	ecx
		cmp	[ebp+var_40], 0
		jz	short loc_955846
		push	1
		push	[ebp+var_40]
		call	ObCloseHandle

loc_955846:				; CODE XREF: DbgkUserReportWorkRoutine(x)+176j
		push	ebx
		push	esi
		call	PsResumeThread
		cmp	[ebp+var_38], 0
		jz	short loc_955864
		push	8000h
		push	ebx
		lea	eax, [ebp+var_38]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)

loc_955864:				; CODE XREF: DbgkUserReportWorkRoutine(x)+162j
					; DbgkUserReportWorkRoutine(x)+18Dj
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		push	4B474244h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_DbgkUserReportWorkRoutine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpRemoveErrorPort(x, x, x)
_DbgkpRemoveErrorPort@12 proc near	; CODE XREF: DbgkFlushErrorPort+16BA69p
					; DbgkpSendErrorMessage+B3D11p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		mov	[ebp+var_4], ecx
		lea	eax, [edi+4]
		lock bts dword ptr [eax], 0
		jb	short loc_955922
		push	ebx		; struct _exception *
		xor	ebx, ebx
		dec	word ptr [ecx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		cmp	[esi+4], edi
		jnz	short loc_9558EB
		mov	[esi+8], ebx
		mov	[esi+4], ebx
		inc	ebx
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	ecx, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		add	eax, 238h
		cmp	esi, eax
		jnz	short loc_9558EB
		mov	eax, 0FFDF02F0h
		lock btr dword ptr [eax], 0

loc_9558EB:				; CODE XREF: DbgkpRemoveErrorPort(x,x,x)+31j
					; DbgkpRemoveErrorPort(x,x,x)+4Dj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9558FF
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9558FF:				; CODE XREF: DbgkpRemoveErrorPort(x,x,x)+64j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		test	ebx, ebx
		pop	ebx
		jz	short loc_955922
		mov	ecx, edi
		call	_DbgkpDereferenceErrorPort@4 ; DbgkpDereferenceErrorPort(x)
		push	dword ptr [esi+0Ch]
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_955922:				; CODE XREF: DbgkpRemoveErrorPort(x,x,x)+18j
					; DbgkpRemoveErrorPort(x,x,x)+7Fj
		pop	edi
		pop	esi
		leave
		retn	4
_DbgkpRemoveErrorPort@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpSendApiMessage(x, x, x)
_DbgkpSendApiMessage@12	proc near	; CODE XREF: DbgkPostModuleMessage(x,x,x,x,x,x)+FAp
					; DbgkMapViewOfSection+172F7Fp	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		test	ds:_PerfGlobalGroupMask, 400000h
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		mov	[esp+18h+var_4], ebx
		mov	edi, ecx
		jz	short loc_955965
		mov	edx, large fs:124h
		mov	ecx, large fs:124h
		push	1
		mov	ecx, [ecx+80h]
		call	@EtwTraceDebuggerEvent@12 ; EtwTraceDebuggerEvent(x,x,x)

loc_955965:				; CODE XREF: DbgkpSendApiMessage(x,x,x)+20j
		mov	esi, ebx
		and	esi, 2
		shl	esi, 5
		jmp	short loc_955973
; 

loc_95596F:				; CODE XREF: DbgkpSendApiMessage(x,x,x)+B2j
		mov	ebx, [esp+18h+var_4]

loc_955973:				; CODE XREF: DbgkpSendApiMessage(x,x,x)+45j
		mov	eax, large fs:124h
		and	[esp+18h+var_8], 0
		cmp	edi, [eax+80h]
		jnz	short loc_955999
		test	bl, 1
		jz	short loc_955999
		mov	ecx, edi
		call	DbgkpSuspendProcess
		movzx	eax, al
		mov	[esp+18h+var_8], eax

loc_955999:				; CODE XREF: DbgkpSendApiMessage(x,x,x)+5Cj
					; DbgkpSendApiMessage(x,x,x)+61j
		mov	eax, [ebp+arg_0]
		mov	ecx, edi
		mov	edx, large fs:124h
		push	0
		push	esi
		push	eax
		mov	dword ptr [eax+1Ch], 103h
		call	_DbgkpQueueMessage@20 ;	DbgkpQueueMessage(x,x,x,x,x)
		cmp	[esp+18h+var_8], 0
		mov	ebx, eax
		jz	short loc_9559CC
		xor	dl, dl
		mov	ecx, edi
		call	PsThawProcess
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9559CC:				; CODE XREF: DbgkpSendApiMessage(x,x,x)+94j
		test	ebx, ebx
		js	short loc_9559DC
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+1Ch], 40010001h
		jz	short loc_95596F

loc_9559DC:				; CODE XREF: DbgkpSendApiMessage(x,x,x)+A6j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_DbgkpSendApiMessage@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkCreateMinimalThread(x)
_DbgkCreateMinimalThread@4 proc	near	; CODE XREF: PspUserThreadStartup+169AC1p

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	80h		; size_t
		xor	ebx, ebx
		lea	eax, [esp+0C4h+var_88]
		push	ebx		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		mov	edi, [esi+80h]
		add	esp, 0Ch
		cmp	[edi+190h], ebx
		jz	short loc_955A73
		xor	edx, edx
		mov	[esp+0C0h+var_A8], ebx
		mov	ecx, esi
		mov	[esp+0C0h+var_A4], ebx
		mov	[esp+0C0h+var_A0], ebx
		mov	[esp+0C0h+var_9C], ebx
		mov	[esp+0C0h+var_94], ebx
		mov	[esp+0C0h+var_90], ebx
		call	_PsQueryThreadStartAddress@8 ; PsQueryThreadStartAddress(x,x)
		mov	[esp+0C0h+var_8C], eax
		xor	edx, edx
		lea	eax, [esp+0C0h+var_B0]
		mov	[esp+0C0h+var_B0], 280010h
		inc	edx
		mov	[esp+0C0h+var_AC], 8
		push	eax
		mov	ecx, edi
		mov	[esp+0C4h+var_98], edx
		call	_DbgkpSendApiMessage@12	; DbgkpSendApiMessage(x,x,x)

loc_955A73:				; CODE XREF: DbgkCreateMinimalThread(x)+42j
		mov	ecx, [esp+0C0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_DbgkCreateMinimalThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkExitProcess(x)
_DbgkExitProcess@4 proc	near		; CODE XREF: PspExitThread+1685D1p

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B0h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0B0h+var_4], eax
		push	esi
		push	edi
		push	0A8h		; size_t
		lea	eax, [esp+0BCh+var_B0]
		mov	edi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		mov	esi, [eax+80h]
		mov	eax, large fs:124h
		mov	ecx, [eax+2FCh]
		test	cl, 4
		jnz	short loc_955B1D
		cmp	dword ptr [esi+190h], 0
		jz	short loc_955B1D
		test	cl, 2
		jz	short loc_955B1D
		lea	eax, [esi+388h]
		push	eax
		call	KeQuerySystemTime
		lea	eax, [esp+0B8h+var_B0]
		mov	[esp+0B8h+var_90], edi
		push	eax
		xor	edx, edx
		mov	[esp+0BCh+var_B0], 24000Ch
		mov	ecx, esi
		mov	[esp+0BCh+var_AC], 8
		mov	[esp+0BCh+var_98], 4
		call	_DbgkpSendApiMessage@12	; DbgkpSendApiMessage(x,x,x)

loc_955B1D:				; CODE XREF: DbgkExitProcess(x)+4Fj
					; DbgkExitProcess(x)+58j ...
		mov	ecx, [esp+0B8h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_DbgkExitProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkExitThread(x)
_DbgkExitThread@4 proc near		; CODE XREF: PspExitThread+1685DEp

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		push	esi
		push	0A8h		; size_t
		lea	eax, [esp+0BCh+var_B0]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		mov	ecx, [eax+80h]
		mov	eax, large fs:124h
		mov	edx, [eax+2FCh]
		test	dl, 4
		jnz	short loc_955BB8
		cmp	dword ptr [ecx+190h], 0
		jz	short loc_955BB8
		test	dl, 2
		jz	short loc_955BB8
		lea	eax, [esp+0B8h+var_B0]
		mov	[esp+0B8h+var_90], esi
		xor	edx, edx
		mov	[esp+0B8h+var_B0], 24000Ch
		push	eax
		inc	edx
		mov	[esp+0BCh+var_AC], 8
		mov	[esp+0BCh+var_98], 3
		call	_DbgkpSendApiMessage@12	; DbgkpSendApiMessage(x,x,x)

loc_955BB8:				; CODE XREF: DbgkExitThread(x)+4Ej
					; DbgkExitThread(x)+57j ...
		mov	ecx, [esp+0B8h+var_4]
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_DbgkExitThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpSectionToFileHandle(x)
_DbgkpSectionToFileHandle@4 proc near	; CODE XREF: DbgkMapViewOfSection+172EDFp
					; DbgkCreateThread+1699F5p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		xor	ebx, ebx
		lea	edx, [ebp+var_4]
		push	esi
		push	edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_MmGetFileNameForSection@8 ; MmGetFileNameForSection(x,x)
		test	eax, eax
		js	short loc_955C39
		mov	edi, [ebp+var_4]
		lea	eax, [ebp+var_10]
		push	20h
		push	7
		push	eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_28], 18h
		push	eax
		push	80100000h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_24], ebx
		push	eax
		mov	[ebp+var_1C], 640h
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		push	ebx
		push	edi
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	short loc_955C39
		mov	eax, [ebp+var_8]
		jmp	short loc_955C3B
; 

loc_955C39:				; CODE XREF: DbgkpSectionToFileHandle(x)+23j
					; DbgkpSectionToFileHandle(x)+67j
		xor	eax, eax

loc_955C3B:				; CODE XREF: DbgkpSectionToFileHandle(x)+6Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_DbgkpSectionToFileHandle@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpSuppressDbgMsg(x)
_DbgkpSuppressDbgMsg@4 proc near	; CODE XREF: DbgkMapViewOfSection+172EBDp
					; DbgkUnMapViewOfSection+165D1Ap

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6A7BD0
		call	__SEH_prolog4
		and	[ebp+var_1C], 0
		and	[ebp+ms_exc.disabled], 0
		test	byte ptr [ecx+0FCAh], 80h
		jz	short loc_955C6D
		mov	[ebp+var_1C], 1
		jmp	short loc_955C6D
; 

loc_955C66:				; DATA XREF: .text:006A7BE4o
		xor	eax, eax
		inc	eax
		retn
; 

loc_955C6A:				; DATA XREF: .text:006A7BE8o
		mov	esp, [ebp+ms_exc.old_esp]

loc_955C6D:				; CODE XREF: DbgkpSuppressDbgMsg(x)+1Bj
					; DbgkpSuppressDbgMsg(x)+24j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_DbgkpSuppressDbgMsg@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkCaptureLiveDump(x, x, x, x)
_DbgkCaptureLiveDump@16	proc near	; CODE XREF: NtSystemDebugControl+83562p

var_126		= byte ptr -126h
var_125		= byte ptr -125h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= byte ptr -0E0h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_68		= dword	ptr -68h
var_50		= dword	ptr -50h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 114h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+114h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[esp+118h+var_D4], eax
		xor	ebx, ebx
		mov	eax, large fs:124h
		push	esi
		push	edi
		push	0B8h		; size_t
		mov	al, [eax+15Ah]
		mov	esi, ecx
		mov	[esp+124h+var_E0], al
		lea	eax, [esp+124h+var_D0]
		push	ebx		; int
		push	eax		; void *
		mov	[esp+12Ch+var_F4], edx
		mov	[esp+12Ch+var_10C], ebx
		mov	[esp+12Ch+var_F8], ebx
		call	_memset
		xor	eax, eax
		lea	edi, [esp+12Ch+var_14]
		stosd
		add	esp, 0Ch
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[esp+120h+var_E8], edi
		mov	[esp+120h+var_E4], edi
		mov	[esp+120h+var_EC], edi
		mov	[esp+120h+var_108], edi
		mov	[esp+120h+var_104], edi
		cmp	[esi+1Ch], edi
		jz	loc_95607A
		cmp	[ebp+arg_0], 20000h
		jb	loc_95607A
		test	dword ptr [esi], 0FFFFFFFEh
		jnz	loc_95607A
		call	_DbgkpLkmdSqmIsOptedIn@0 ; DbgkpLkmdSqmIsOptedIn()
		test	al, al
		jz	short loc_955D59
		lea	eax, [esp+120h+var_108]
		push	eax
		push	edi
		push	edi
		push	offset dword_4270D8
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		mov	ecx, [esp+120h+var_108]
		mov	eax, ecx
		mov	edx, [esp+120h+var_104]
		or	eax, edx
		jz	short loc_955D59
		push	edx
		push	ecx
		mov	ecx, 0CDCh
		call	_DbgkpLkmdSqmIncrementDword@16 ; DbgkpLkmdSqmIncrementDword(x,x,x,x)

loc_955D59:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+A5j
					; DbgkCaptureLiveDump(x,x,x,x)+C4j
		mov	edx, [esp+120h+var_F4]
		lea	edi, [esp+120h+var_50]
		push	8
		pop	ecx
		xor	eax, eax
		rep stosd
		lea	eax, [esp+120h+var_30]
		push	eax
		push	[ebp+arg_0]
		lea	ecx, [esp+128h+var_50]
		call	_DbgkpTriageDumpInitialize@16 ;	DbgkpTriageDumpInitialize(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_956037
		push	dword ptr [esi+14h]
		lea	eax, [esp+124h+var_50]
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	eax
		call	[esp+138h+var_30]
		mov	edi, eax
		test	edi, edi
		js	loc_956037
		lea	ecx, [esp+138h+var_E8]
		call	_DbgkpLkmdSnapGlobals@4	; DbgkpLkmdSnapGlobals(x)
		mov	eax, [esi+1Ch]
		push	704E534Bh
		lea	eax, ds:4[eax*4]
		push	eax
		push	1
		mov	[esp+144h+var_F0], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_955DF9
		xor	eax, eax
		cmp	[esi+1Ch], eax
		jbe	short loc_955DF2

loc_955DE5:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+169j
		mov	dword ptr [ebx+eax*4], 0C0000001h
		inc	eax
		cmp	eax, [esi+1Ch]
		jb	short loc_955DE5

loc_955DF2:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+15Cj
		mov	dword ptr [ebx+eax*4], 42534354h

loc_955DF9:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+155j
		xor	eax, eax
		mov	[esp+138h+var_125], 1
		mov	edi, 0C0000022h
		mov	[esp+138h+var_114], eax
		mov	[esp+138h+var_10C], edi
		cmp	[esi+1Ch], eax
		jbe	loc_956014

loc_955E16:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+2F6j
		mov	ecx, [esi+18h]
		lea	edx, [esp+138h+var_108]
		and	[esp+138h+var_24], 0
		add	ecx, eax
		mov	eax, [esi+20h]
		and	[esp+138h+var_20], 0
		and	[esp+138h+var_28], 0
		and	[esp+138h+var_108], 0
		push	0
		push	edx
		push	[esp+140h+var_F8]
		mov	[esp+144h+var_2C], 0C0000001h
		mov	ecx, [eax+ecx*4]
		mov	eax, ds:_PsThreadType
		push	eax
		push	1FFFFFh
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edx, [esp+138h+var_108]
		mov	ecx, eax
		cmp	ecx, edi
		mov	[esp+138h+var_F4], ecx
		mov	[esp+138h+var_124], edx
		setnz	al
		dec	al
		and	[esp+138h+var_125], al
		test	ecx, ecx
		jns	short loc_955EBD
		test	ebx, ebx
		jz	short loc_955E8D
		mov	eax, [esp+138h+var_114]
		mov	[ebx+eax*4], ecx

loc_955E8D:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+1FDj
		mov	edi, [esp+138h+var_120]
		mov	eax, edi
		mov	ecx, [esp+138h+var_11C]
		or	eax, ecx
		jz	loc_955F6D
		mov	eax, [esp+138h+var_F4]
		push	ecx
		push	edi
		lea	ecx, [esp+140h+var_2C]
		mov	[esp+140h+var_2C], eax
		call	_DbgkpLkmdSqmStatus@12 ; DbgkpLkmdSqmStatus(x,x,x)
		jmp	loc_955F6D
; 

loc_955EBD:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+1F9j
		cmp	[esp+138h+var_110], 0
		jnz	short loc_955EFA
		push	edx
		call	_IoThreadToProcess@4 ; IoThreadToProcess(x)
		mov	edi, eax
		mov	[esp+138h+var_110], edi
		test	edi, edi
		jz	short loc_955EF6
		mov	edx, 4C676244h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		push	0
		push	0
		push	4
		push	500h
		mov	edx, edi
		lea	ecx, [esp+148h+var_E8]
		call	_DbgkpLkmdSnapDataEx@24	; DbgkpLkmdSnapDataEx(x,x,x,x,x,x)

loc_955EF6:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+24Bj
		mov	edx, [esp+138h+var_124]

loc_955EFA:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+23Bj
		lea	eax, [esp+138h+var_2C]
		push	eax
		push	edx
		mov	edx, esi
		lea	ecx, [esp+140h+var_E8]
		call	_DbgkpLkmdSnapThread@16	; DbgkpLkmdSnapThread(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_955F1B
		mov	ecx, [esp+138h+var_2C]

loc_955F1B:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+28Bj
		test	ebx, ebx
		jz	short loc_955F26
		mov	eax, [esp+138h+var_114]
		mov	[ebx+eax*4], ecx

loc_955F26:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+296j
		push	[esp+138h+var_124]
		lea	ecx, [esp+13Ch+var_E8]
		push	2
		pop	edx
		call	_DbgkpLkmdFireCallbacks@12 ; DbgkpLkmdFireCallbacks(x,x,x)
		mov	edi, [esp+138h+var_120]
		mov	eax, edi
		mov	ecx, [esp+138h+var_11C]
		or	eax, ecx
		jz	short loc_955F52
		push	ecx
		push	edi
		lea	ecx, [esp+140h+var_2C]
		call	_DbgkpLkmdSqmStatus@12 ; DbgkpLkmdSqmStatus(x,x,x)

loc_955F52:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+2BBj
		mov	ecx, [esp+138h+var_124]
		call	ObfDereferenceObject
		and	[esp+138h+var_124], 0
		cmp	[esp+138h+var_2C], 0C000009Ah
		jz	short loc_955F83

loc_955F6D:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+212j
					; DbgkCaptureLiveDump(x,x,x,x)+231j
		mov	eax, [esp+138h+var_114]
		mov	edi, [esp+138h+var_10C]
		inc	eax
		mov	[esp+138h+var_114], eax
		cmp	eax, [esi+1Ch]
		jb	loc_955E16

loc_955F83:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+2E4j
		cmp	[esp+138h+var_125], 0
		jnz	loc_956010
		mov	eax, [esp+138h+var_110]
		test	eax, eax
		jz	short loc_955FA3
		xor	edx, edx
		lea	ecx, [esp+138h+var_E8]
		push	eax
		inc	edx
		call	_DbgkpLkmdFireCallbacks@12 ; DbgkpLkmdFireCallbacks(x,x,x)

loc_955FA3:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+30Dj
		mov	eax, [esi+1Ch]
		mov	[esp+138h+var_100], eax
		lea	eax, [esp+138h+var_100]
		push	8
		push	eax
		lea	eax, [esp+140h+var_E8]
		mov	[esp+140h+var_FC], ebx
		push	eax
		call	_DbgkpLkmdSnapData@12 ;	DbgkpLkmdSnapData(x,x,x)
		test	ebx, ebx
		jz	short loc_955FD2
		push	[esp+138h+var_F0]
		lea	eax, [esp+13Ch+var_E8]
		push	ebx
		push	eax
		call	_DbgkpLkmdSnapData@12 ;	DbgkpLkmdSnapData(x,x,x)

loc_955FD2:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+33Aj
		lea	eax, [esp+138h+var_104]
		mov	edx, offset _DbgkpLkmdLiveDumpDiagnosticInformation
		push	eax
		push	0
		push	0
		push	4
		lea	ecx, [esp+148h+var_E8]
		call	_DbgkpLkmdSnapDataEx@24	; DbgkpLkmdSnapDataEx(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_955FF9
		mov	eax, [esp+138h+var_104]
		lea	ecx, [esp+138h+var_100]
		mov	[eax], ecx

loc_955FF9:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+366j
		push	[esp+138h+var_EC]
		lea	eax, [esp+13Ch+var_68]
		push	eax
		call	[esp+140h+var_34]
		mov	edi, eax
		jmp	short loc_956014
; 

loc_956010:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+301j
		mov	edi, [esp+138h+var_10C]

loc_956014:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+189j
					; DbgkCaptureLiveDump(x,x,x,x)+387j
		mov	eax, [esp+138h+var_110]
		test	eax, eax
		jz	short loc_956028
		mov	edx, 4C676244h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_956028:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+393j
		mov	eax, [esp+138h+var_124]
		test	eax, eax
		jz	short loc_956037
		mov	ecx, eax
		call	ObfDereferenceObject

loc_956037:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+FFj
					; DbgkCaptureLiveDump(x,x,x,x)+127j ...
		cmp	[esp+138h+var_50], 0
		jz	short loc_956052
		push	4D574454h
		push	[esp+13Ch+var_50]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_956052:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+3B8j
		test	ebx, ebx
		jz	short loc_956061
		push	704E534Bh
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_956061:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+3CDj
		mov	ecx, [esp+138h+var_120]
		mov	eax, ecx
		mov	edx, [esp+138h+var_11C]
		or	eax, edx
		jz	short loc_956076
		push	edx
		push	ecx
		call	EtwUnregister

loc_956076:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+3E6j
		mov	eax, edi
		jmp	short loc_95607F
; 

loc_95607A:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+7Fj
					; DbgkCaptureLiveDump(x,x,x,x)+8Cj ...
		mov	eax, 0C000000Dh

loc_95607F:				; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+3F1j
		mov	ecx, [esp+120h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_DbgkCaptureLiveDump@16	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 275. DbgkLkmdUnregisterCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkLkmdUnregisterCallback(x)
		public _DbgkLkmdUnregisterCallback@4
_DbgkLkmdUnregisterCallback@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, offset unk_6D6C80

loc_9560AA:				; CODE XREF: DbgkLkmdUnregisterCallback(x)+42j
		mov	ecx, edi
		call	ExReferenceCallBackBlock
		mov	esi, eax
		test	esi, esi
		jz	short loc_9560D6
		mov	eax, [ebp+arg_0]
		cmp	eax, [esi+4]
		jnz	short loc_9560CD
		push	esi
		xor	edx, edx
		mov	ecx, edi
		call	ExCompareExchangeCallBack
		test	al, al
		jnz	short loc_9560EB

loc_9560CD:				; CODE XREF: DbgkLkmdUnregisterCallback(x)+22j
		mov	edx, esi
		mov	ecx, edi
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)

loc_9560D6:				; CODE XREF: DbgkLkmdUnregisterCallback(x)+1Aj
		inc	ebx
		add	edi, 8
		cmp	ebx, 8
		jb	short loc_9560AA
		mov	eax, 0C0000225h

loc_9560E4:				; CODE XREF: DbgkLkmdUnregisterCallback(x)+6Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_9560EB:				; CODE XREF: DbgkLkmdUnregisterCallback(x)+30j
		lea	ecx, unk_6D6C80[ebx*8]
		mov	edx, esi
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)
		mov	ecx, esi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		jmp	short loc_9560E4
_DbgkLkmdUnregisterCallback@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdFireCallbacks(x, x, x)
_DbgkpLkmdFireCallbacks@12 proc	near	; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+2AAp
					; DbgkCaptureLiveDump(x,x,x,x)+317p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		mov	eax, edx
		inc	ebx
		mov	[ebp+var_10], eax
		push	esi
		push	edi
		test	al, bl
		jz	short loc_95614C
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		push	[ebp+arg_0]
		mov	esi, eax
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		cmp	esi, eax
		jnz	short loc_95614A
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_95614C

loc_95614A:				; CODE XREF: DbgkpLkmdFireCallbacks(x,x,x)+37j
		xor	bl, bl

loc_95614C:				; CODE XREF: DbgkpLkmdFireCallbacks(x,x,x)+18j
					; DbgkpLkmdFireCallbacks(x,x,x)+3Cj
		push	8
		pop	esi
		mov	edi, offset unk_6D6C80
		mov	[ebp+var_C], esi

loc_956157:				; CODE XREF: DbgkpLkmdFireCallbacks(x,x,x)+C1j
		mov	ecx, edi
		call	ExReferenceCallBackBlock
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_9561C4
		mov	ecx, [edi+4]
		test	[ebp+var_10], ecx
		jz	short loc_9561BB
		test	cl, 4
		jz	short loc_956176
		test	bl, bl
		jz	short loc_9561BB

loc_956176:				; CODE XREF: DbgkpLkmdFireCallbacks(x,x,x)+64j
		mov	esi, [eax+4]
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+80h]
		push	ecx
		mov	[ebp+var_14], ecx
		call	dword ptr [eax+0ACh]
		mov	ecx, [ebp+var_8]
		push	[ebp+arg_0]
		mov	eax, [ecx+8]
		push	eax
		push	[ebp+var_4]
		push	offset _DbgkpLkmdIsMemoryBlockPresentFromCallback@12 ; DbgkpLkmdIsMemoryBlockPresentFromCallback(x,x,x)
		push	offset _DbgkpLkmdSnapData@12 ; DbgkpLkmdSnapData(x,x,x)
		call	esi
		test	eax, eax
		jns	short loc_9561B5
		mov	eax, [ebp+var_4]
		push	[ebp+var_14]
		call	dword ptr [eax+0B0h]

loc_9561B5:				; CODE XREF: DbgkpLkmdFireCallbacks(x,x,x)+9Bj
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+var_8]

loc_9561BB:				; CODE XREF: DbgkpLkmdFireCallbacks(x,x,x)+5Fj
					; DbgkpLkmdFireCallbacks(x,x,x)+68j
		mov	edx, eax
		mov	ecx, edi
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)

loc_9561C4:				; CODE XREF: DbgkpLkmdFireCallbacks(x,x,x)+57j
		add	edi, 8
		sub	esi, 1
		mov	[ebp+var_C], esi
		jnz	short loc_956157
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_DbgkpLkmdFireCallbacks@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdIsMemoryBlockPresentFromCallback(x, x, x)
_DbgkpLkmdIsMemoryBlockPresentFromCallback@12 proc near
					; DATA XREF: DbgkpLkmdFireCallbacks(x,x,x)+8Do

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_4]
		lea	eax, [ecx+80h]
		push	eax
		call	dword ptr [ecx+0A4h]
		pop	ebp
		retn	0Ch
_DbgkpLkmdIsMemoryBlockPresentFromCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdLaunchSnapApc(x, x, x, x)
_DbgkpLkmdLaunchSnapApc@16 proc	near	; CODE XREF: DbgkpLkmdSnapThread(x,x,x,x)+1Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	704E534Bh
		push	50h
		push	200h
		mov	edi, edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_956224
		mov	eax, 0C0000017h
		jmp	loc_9562DA
; 

loc_956224:				; CODE XREF: DbgkpLkmdLaunchSnapApc(x,x,x,x)+23j
		xor	ecx, ecx
		mov	[esi+38h], edi
		push	ecx
		push	ecx
		mov	[esi+34h], ebx
		lea	edi, [esi+40h]
		mov	ebx, [ebp+arg_4]
		push	edi
		mov	[esi+30h], ecx
		mov	[esi+3Ch], ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DbgkpLkmdSnapThreadApc@20 ; DbgkpLkmdSnapThreadApc(x,x,x,x,x)
		push	eax
		push	[ebp+arg_0]
		push	esi
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		push	2
		lea	eax, [esi+30h]
		push	eax
		push	esi
		push	esi
		call	KeInsertQueueApc
		test	al, al
		jnz	short loc_95627F
		push	704E534Bh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		or	dword ptr [ebx+4], 4000h
		mov	eax, 0C0000001h
		jmp	short loc_9562DA
; 

loc_95627F:				; CODE XREF: DbgkpLkmdLaunchSnapApc(x,x,x,x)+6Fj
		or	[ebp+var_4], 0FFFFFFFFh
		lea	eax, [ebp+var_8]
		push	eax
		xor	eax, eax
		mov	[ebp+var_8], 0FD050F80h
		push	eax
		push	eax
		push	eax
		push	edi
		jmp	short loc_9562C2
; 

loc_956296:				; CODE XREF: DbgkpLkmdLaunchSnapApc(x,x,x,x)+D6j
		cmp	edi, 102h
		jnz	short loc_9562A5
		or	dword ptr [ebx+4], 8000h

loc_9562A5:				; CODE XREF: DbgkpLkmdLaunchSnapApc(x,x,x,x)+A7j
		xor	ecx, ecx
		lea	edx, [esi+30h]
		inc	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_9562D8
		lea	eax, [ebp+var_8]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esi+40h]
		push	eax

loc_9562C2:				; CODE XREF: DbgkpLkmdLaunchSnapApc(x,x,x,x)+9Fj
		call	KeWaitForSingleObject
		mov	edi, eax
		test	edi, edi
		jnz	short loc_956296
		push	704E534Bh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9562D8:				; CODE XREF: DbgkpLkmdLaunchSnapApc(x,x,x,x)+BEj
		mov	eax, edi

loc_9562DA:				; CODE XREF: DbgkpLkmdLaunchSnapApc(x,x,x,x)+2Aj
					; DbgkpLkmdLaunchSnapApc(x,x,x,x)+88j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_DbgkpLkmdLaunchSnapApc@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdSnapPendingIrps(x,	x, x)
_DbgkpLkmdSnapPendingIrps@12 proc near	; CODE XREF: PAGE:00956412p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		lea	eax, [edx+2CCh]
		mov	ebx, ecx
		push	esi
		mov	esi, [eax]
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], eax
		cmp	esi, eax
		jnz	short loc_95630C
		mov	eax, [ebp+arg_0]
		or	dword ptr [eax+4], 8
		xor	eax, eax
		jmp	loc_9563CE
; 

loc_95630C:				; CODE XREF: DbgkpLkmdSnapPendingIrps(x,x,x)+1Bj
		push	edi
		mov	edi, [ebp+arg_0]

loc_956310:				; CODE XREF: DbgkpLkmdSnapPendingIrps(x,x,x)+D7j
		inc	dword ptr [edi+8]
		push	8
		push	esi
		push	ebx
		call	_DbgkpLkmdSnapData@12 ;	DbgkpLkmdSnapData(x,x,x)
		test	eax, eax
		js	loc_9563CB
		lea	ebx, [esi-10h]
		cmp	word ptr [ebx],	6
		jnz	loc_9563C6
		movzx	eax, word ptr [ebx+2]
		push	eax
		push	ebx
		push	[ebp+var_4]
		call	_DbgkpLkmdSnapData@12 ;	DbgkpLkmdSnapData(x,x,x)
		test	eax, eax
		js	loc_9563CB
		inc	dword ptr [edi+0Ch]
		mov	al, [ebx+23h]
		cmp	al, [ebx+22h]
		jle	short loc_956357
		mov	ebx, [ebp+var_4]
		jmp	short loc_9563B3
; 

loc_956357:				; CODE XREF: DbgkpLkmdSnapPendingIrps(x,x,x)+6Fj
		mov	eax, [ebx+60h]
		mov	ebx, [ebp+var_4]
		push	24h
		push	eax
		push	ebx
		mov	[ebp+arg_0], eax
		call	_DbgkpLkmdSnapData@12 ;	DbgkpLkmdSnapData(x,x,x)
		cmp	eax, 0C0000005h
		jz	short loc_9563B3
		cmp	eax, 0C000009Ah
		jz	short loc_9563CB
		mov	eax, [ebp+arg_0]
		mov	edx, [eax+18h]
		test	edx, edx
		jz	short loc_95638D
		push	5
		mov	ecx, ebx
		call	_DbgkpLkmdSnapObject@12	; DbgkpLkmdSnapObject(x,x,x)
		mov	eax, [ebp+arg_0]

loc_95638D:				; CODE XREF: DbgkpLkmdSnapPendingIrps(x,x,x)+9Ej
		mov	edx, [eax+14h]
		test	edx, edx
		jz	short loc_9563B3
		push	3
		mov	ecx, ebx
		call	_DbgkpLkmdSnapObject@12	; DbgkpLkmdSnapObject(x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+14h]
		mov	edx, [eax+8]
		test	edx, edx
		jz	short loc_9563B3
		push	4
		mov	ecx, ebx
		call	_DbgkpLkmdSnapObject@12	; DbgkpLkmdSnapObject(x,x,x)

loc_9563B3:				; CODE XREF: DbgkpLkmdSnapPendingIrps(x,x,x)+74j
					; DbgkpLkmdSnapPendingIrps(x,x,x)+8Dj ...
		mov	esi, [esi]
		cmp	esi, [ebp+var_8]
		jnz	loc_956310
		or	dword ptr [edi+4], 8
		xor	eax, eax
		jmp	short loc_9563CB
; 

loc_9563C6:				; CODE XREF: DbgkpLkmdSnapPendingIrps(x,x,x)+4Aj
		mov	eax, 0C0000141h

loc_9563CB:				; CODE XREF: DbgkpLkmdSnapPendingIrps(x,x,x)+3Dj
					; DbgkpLkmdSnapPendingIrps(x,x,x)+60j ...
		mov	[edi], eax
		pop	edi

loc_9563CE:				; CODE XREF: DbgkpLkmdSnapPendingIrps(x,x,x)+26j
		pop	esi
		pop	ebx
		leave
		retn	4
_DbgkpLkmdSnapPendingIrps@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdSnapThreadApc(x, x, x, x, x)
_DbgkpLkmdSnapThreadApc@20 proc	near	; DATA XREF: DbgkpLkmdLaunchSnapApc(x,x,x,x)+51o

arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	edx, [eax]
		mov	eax, [ebp+arg_10]
		push	2
		pop	ecx
		mov	esi, [eax]
		xor	eax, eax
		lock cmpxchg [esi], ecx
_DbgkpLkmdSnapThreadApc@20 endp

		test	eax, eax
		jnz	short loc_956426
		push	dword ptr [esi+0Ch]
		mov	ecx, [esi+4]
		mov	edx, edi
		call	_DbgkpLkmdSnapThreadInContext@12 ; DbgkpLkmdSnapThreadInContext(x,x,x)
		test	eax, eax
		js	short loc_956417
		push	dword ptr [esi+0Ch]
		mov	ecx, [esi+4]
		mov	edx, edi
		call	_DbgkpLkmdSnapPendingIrps@12 ; DbgkpLkmdSnapPendingIrps(x,x,x)

loc_956417:				; CODE XREF: PAGE:00956408j
		push	0
		push	0
		lea	eax, [esi+10h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_956431
; 

loc_956426:				; CODE XREF: PAGE:009563F7j
		push	704E534Bh
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_956431:				; CODE XREF: PAGE:00956424j
		pop	edi
		pop	esi
		pop	ebp
		retn	14h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdSnapThreadInContext(x, x, x)
_DbgkpLkmdSnapThreadInContext@12 proc near ; CODE XREF:	PAGE:00956401p

var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2D8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_2D8], 0
		lea	eax, [ebp+var_2D8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		push	eax
		push	0
		push	3
		push	4E0h
		mov	edi, ecx
		call	_DbgkpLkmdSnapDataEx@24	; DbgkpLkmdSnapDataEx(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_95647A
		mov	[esi], eax
		jmp	short loc_9564F3
; 

loc_95647A:				; CODE XREF: DbgkpLkmdSnapThreadInContext(x,x,x)+3Dj
		or	dword ptr [esi+4], 1
		xor	ecx, ecx
		mov	[esi], ecx
		mov	eax, [edi]
		mov	byte ptr [ebp+var_2D4],	1
		test	eax, eax
		jz	short loc_9564B0
		mov	byte ptr [ebp+var_2D4],	1
		cmp	[eax+4], ecx
		jnz	short loc_9564B0
		mov	[eax+4], ebx
		mov	eax, [ebp+var_2D8]
		mov	byte ptr [ebp+var_2D4],	cl
		mov	[eax+148h], ecx

loc_9564B0:				; CODE XREF: DbgkpLkmdSnapThreadInContext(x,x,x)+56j
					; DbgkpLkmdSnapThreadInContext(x,x,x)+62j
		lea	eax, [ebp+var_2D0]
		push	eax
		call	_RtlCaptureContext@4 ; RtlCaptureContext(x)
		push	0
		push	0
		push	1
		push	2CCh
		lea	edx, [ebp+var_2D0]
		mov	ecx, edi
		call	_DbgkpLkmdSnapDataEx@24	; DbgkpLkmdSnapDataEx(x,x,x,x,x,x)
		push	esi
		lea	eax, [ebp+var_2D0]
		mov	edx, ebx
		push	eax
		push	[ebp+var_2D4]
		mov	ecx, edi
		push	[ebp+var_2D8]
		call	_DbgkpLkmdSnapKernelStack@24 ; DbgkpLkmdSnapKernelStack(x,x,x,x,x,x)
		xor	eax, eax

loc_9564F3:				; CODE XREF: DbgkpLkmdSnapThreadInContext(x,x,x)+41j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_DbgkpLkmdSnapThreadInContext@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdSqmIsOptedIn()
_DbgkpLkmdSqmIsOptedIn@0 proc near	; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+9Ep

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	edi
		xor	eax, eax
		mov	[ebp+var_44], offset ??_C@_1IA@DFJIGEFL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@	; "\\Registry\\Machine\\Software\\Policies\\Mic"...
		lea	edi, [ebp+var_18]
		mov	[ebp+var_4C], offset ??_C@_1GO@NDGGKOHN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@	; "\\Registry\\Machine\\Software\\Microsoft\\SQ"...
		stosd
		push	7Eh
		mov	[ebp+var_24], offset ??_C@_1BG@OLBJDGGK@?$AAC?$AAE?$AAI?$AAP?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@NNGAKEGL@ ; "C"
		mov	[ebp+var_40], 18h
		stosd
		mov	[ebp+var_34], 240h
		stosd
		stosd
		stosd
		pop	eax
		push	6Ch
		mov	word ptr [ebp+var_48], ax
		xor	edi, edi
		add	eax, 2
		mov	[ebp+var_1C], edi
		mov	word ptr [ebp+var_48+2], ax
		pop	eax
		push	6Eh
		mov	word ptr [ebp+var_50], ax
		pop	eax
		push	14h
		pop	ebx
		push	16h
		mov	word ptr [ebp+var_50+2], ax
		pop	eax
		mov	word ptr [ebp+var_28+2], ax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		mov	word ptr [ebp+var_28], bx
		push	eax
		mov	[ebp+var_20], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_9565DC
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9565D4
		cmp	[ebp+var_14], 4
		jnz	short loc_9565D4
		cmp	[ebp+var_10], 4
		jnz	short loc_9565D4

loc_9565C3:				; CODE XREF: DbgkpLkmdSqmIsOptedIn()+130j
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)
		cmp	[ebp+var_C], 1
		setz	al
		jmp	short loc_956640
; 

loc_9565D4:				; CODE XREF: DbgkpLkmdSqmIsOptedIn()+B1j
					; DbgkpLkmdSqmIsOptedIn()+B7j ...
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_9565DC:				; CODE XREF: DbgkpLkmdSqmIsOptedIn()+96j
		lea	eax, [ebp+var_50]
		mov	[ebp+var_40], 18h
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_3C], edi
		push	eax
		mov	[ebp+var_34], 240h
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_95663E
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_956636
		cmp	[ebp+var_14], 4
		jnz	short loc_956636
		cmp	[ebp+var_10], 4
		jz	short loc_9565C3

loc_956636:				; CODE XREF: DbgkpLkmdSqmIsOptedIn()+124j
					; DbgkpLkmdSqmIsOptedIn()+12Aj
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_95663E:				; CODE XREF: DbgkpLkmdSqmIsOptedIn()+109j
		xor	al, al

loc_956640:				; CODE XREF: DbgkpLkmdSqmIsOptedIn()+CEj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_DbgkpLkmdSqmIsOptedIn@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpLkmdSqmStatus(x, x, x)
_DbgkpLkmdSqmStatus@12 proc near	; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+22Cp
					; DbgkCaptureLiveDump(x,x,x,x)+2C6p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	eax, [ebx+4]
		mov	edi, [ebp+arg_0]
		test	al, 2
		jz	short loc_956674
		push	esi
		push	edi
		mov	ecx, 0CE1h
		call	_DbgkpLkmdSqmIncrementDword@16 ; DbgkpLkmdSqmIncrementDword(x,x,x,x)
		mov	eax, [ebx+4]

loc_956674:				; CODE XREF: DbgkpLkmdSqmStatus(x,x,x)+15j
		test	al, 8
		jz	short loc_956687
		push	esi
		push	edi
		mov	ecx, 0CE2h
		call	_DbgkpLkmdSqmIncrementDword@16 ; DbgkpLkmdSqmIncrementDword(x,x,x,x)
		mov	eax, [ebx+4]

loc_956687:				; CODE XREF: DbgkpLkmdSqmStatus(x,x,x)+28j
		test	eax, 4000h
		jz	short loc_95669D
		push	esi
		push	edi
		mov	ecx, 0CDEh
		call	_DbgkpLkmdSqmIncrementDword@16 ; DbgkpLkmdSqmIncrementDword(x,x,x,x)
		mov	eax, [ebx+4]

loc_95669D:				; CODE XREF: DbgkpLkmdSqmStatus(x,x,x)+3Ej
		test	eax, 8000h
		jz	short loc_9566B0
		push	esi
		push	edi
		mov	ecx, 0CDFh
		call	_DbgkpLkmdSqmIncrementDword@16 ; DbgkpLkmdSqmIncrementDword(x,x,x,x)

loc_9566B0:				; CODE XREF: DbgkpLkmdSqmStatus(x,x,x)+54j
		cmp	dword ptr [ebx], 0
		jl	short loc_9566C1
		push	esi
		push	edi
		mov	ecx, 0CE0h
		call	_DbgkpLkmdSqmIncrementDword@16 ; DbgkpLkmdSqmIncrementDword(x,x,x,x)

loc_9566C1:				; CODE XREF: DbgkpLkmdSqmStatus(x,x,x)+65j
		push	esi
		push	edi
		mov	ecx, 0CDDh
		call	_DbgkpLkmdSqmIncrementDword@16 ; DbgkpLkmdSqmIncrementDword(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_DbgkpLkmdSqmStatus@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall DbgkWerAddSecondaryData(int,int,int,int,void *,char)
_DbgkWerAddSecondaryData@16 proc near	; DATA XREF: DbgkpWerInvokeCallbacks(x)+44o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi		; char
		test	ebx, ebx
		jz	loc_9567F8
		cmp	[ebp+arg_8], 0
		jz	loc_9567F8
		cmp	[ebp+arg_4], 0
		jz	loc_9567F8
		mov	ecx, dword ptr [ebp+arg_C]
		test	ecx, ecx
		jz	loc_9567F8
		mov	eax, [ebx+48h]
		cmp	eax, 1
		jnz	short loc_956717
		lea	edx, [ebx+68h]
		mov	[ebp+arg_0], edx
		jmp	short loc_956731
; 

loc_956717:				; CODE XREF: DbgkWerAddSecondaryData(x,x,x,x)+39j
		cmp	eax, 2
		jnz	loc_9567F1
		mov	eax, [ebx+58h]
		test	eax, eax
		jz	loc_956809
		add	eax, 18h
		mov	[ebp+arg_0], eax

loc_956731:				; CODE XREF: DbgkWerAddSecondaryData(x,x,x,x)+41j
		mov	edx, [ebx+40h]
		mov	eax, edx
		mov	esi, [ebx+44h]
		sub	eax, esi
		cmp	ecx, eax
		jbe	short loc_95675D
		push	esi
		push	edx
		push	ecx		; char
		push	offset ??_C@_0GG@IEDCCMKH@DBGK?3?5DbgkWerAddSecondaryData?3?5@NNGAKEGL@	; "DBGK: DbgkWerAddSecondaryData: Secondar"...
		push	0		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 18h
		mov	eax, 0C000009Ah
		jmp	loc_95680E
; 

loc_95675D:				; CODE XREF: DbgkWerAddSecondaryData(x,x,x,x)+69j
		push	57676244h
		push	20h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_4], esi
		test	esi, esi
		jnz	short loc_95677E

loc_956774:				; CODE XREF: DbgkWerAddSecondaryData(x,x,x,x)+E0j
		mov	eax, 0C0000017h
		jmp	loc_95680E
; 

loc_95677E:				; CODE XREF: DbgkWerAddSecondaryData(x,x,x,x)+9Ej
		push	8
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		mov	edi, dword ptr [ebp+arg_C]
		push	57676244h
		lea	eax, [edi+0FFFh]
		and	eax, 0FFFFF000h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+10h], eax
		test	eax, eax
		jnz	short loc_9567B6
		push	57676244h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_956774
; 

loc_9567B6:				; CODE XREF: DbgkWerAddSecondaryData(x,x,x,x)+D3j
		push	edi		; size_t
		push	[ebp+arg_8]	; void *
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	esi, [ebp+arg_4]
		mov	edi, ecx
		mov	eax, dword ptr [ebp+arg_C]
		movsd
		movsd
		movsd
		movsd
		mov	[ecx+14h], eax
		add	[ebx+44h], eax
		cmp	dword ptr [ebx+48h], 1
		jnz	short loc_9567E1
		inc	dword ptr [ebx+74h]

loc_9567E1:				; CODE XREF: DbgkWerAddSecondaryData(x,x,x,x)+108j
		mov	edx, [ebp+arg_0]
		mov	eax, [edx+8]
		mov	[ecx+1Ch], eax
		xor	eax, eax
		mov	[edx+8], ecx
		jmp	short loc_95680E
; 

loc_9567F1:				; CODE XREF: DbgkWerAddSecondaryData(x,x,x,x)+46j
		mov	eax, 0C00000BBh
		jmp	short loc_95680E
; 

loc_9567F8:				; CODE XREF: DbgkWerAddSecondaryData(x,x,x,x)+Ej
					; DbgkWerAddSecondaryData(x,x,x,x)+18j	...
		push	offset ??_C@_0DE@OKPJIPEF@DBGK?3?5DbgkWerAddSecondaryData?3?5@NNGAKEGL@	; "DBGK: DbgkWerAddSecondaryData: Invalid "...
		push	0		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 0Ch

loc_956809:				; CODE XREF: DbgkWerAddSecondaryData(x,x,x,x)+51j
		mov	eax, 0C000000Dh

loc_95680E:				; CODE XREF: DbgkWerAddSecondaryData(x,x,x,x)+84j
					; DbgkWerAddSecondaryData(x,x,x,x)+A5j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_DbgkWerAddSecondaryData@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 276. DbgkWerCaptureLiveKernelDump

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall DbgkWerCaptureLiveKernelDump(int,int,int,int,int,int,int,int,int,int,int)
		public _DbgkWerCaptureLiveKernelDump@36
_DbgkWerCaptureLiveKernelDump@36 proc near
					; CODE XREF: PopFxEnforceDirectedPowerTransition(x,x,x)+72p
					; PopUserPresentSet+81BE6p ...

var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_A		= byte ptr -0Ah
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		xor	esi, esi
		inc	ebx
		mov	[esp+14h+var_8], esi
		push	edi		; char
		mov	[esp+0Fh], bl
		mov	[esp+18h+var_4], esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jz	short loc_95685D
		push	offset ??_C@_0EE@GNJPNGPG@DBGK?3?5DbgkWerCaptureLiveKernelD@NNGAKEGL@ ;	char *
		push	ebx		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		mov	eax, 0C0000148h
		jmp	loc_9569CC
; 

loc_95685D:				; CODE XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+27j
		cmp	_DbgkpWerInitialized, 0
		jnz	short loc_956880
		push	offset ??_C@_0ED@CCPHDIIL@DBGK?3?5DbgkWerCaptureLiveKernelD@NNGAKEGL@ ;	char *
		push	ebx		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		mov	eax, 0C00000A3h
		jmp	loc_9569CC
; 

loc_956880:				; CODE XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+4Aj
		call	_DbgkpWerIsFullLiveDumpDisabled@0 ; DbgkpWerIsFullLiveDumpDisabled()
		test	al, al
		jz	short loc_9568A3
		push	offset ??_C@_0DN@OGIPNPDE@DBGK?3?5Full?5Live?5Kernel?5Dumps?5ar@NNGAKEGL@ ; "DBGK: Full	Live Kernel Dumps are disabl"...
		push	ebx		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		mov	eax, 0C0000804h
		jmp	loc_9569CC
; 

loc_9568A3:				; CODE XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+6Dj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, ebx
		mov	ecx, offset _DbgkpBusy
		xchg	eax, [ecx]
		cmp	eax, ebx
		jnz	short loc_9568C8
		mov	esi, 0C000022Dh
		jmp	loc_9569C5
; 

loc_9568C8:				; CODE XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+A2j
		push	57676244h
		push	78h
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9568E5
		mov	esi, 0C000009Ah
		jmp	loc_9569BC
; 

loc_9568E5:				; CODE XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+BFj
		push	78h		; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		push	esi
		push	10h
		pop	edx
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9569AA
		push	[ebp+arg_0]
		mov	ecx, edi
		push	10h
		pop	edx
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		js	loc_9569AA
		mov	eax, [ebp+arg_20]
		test	al, 2
		jz	short loc_95692B
		mov	[esp+18h+var_8], ebx
		jmp	short loc_956935
; 

loc_95692B:				; CODE XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+109j
		mov	ecx, _DbgkpWerDefaultPolicy
		mov	[esp+18h+var_8], ecx

loc_956935:				; CODE XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+10Fj
		mov	ecx, [ebp+arg_4]
		mov	[edi+20h], ecx
		mov	ecx, [ebp+arg_8]
		mov	[edi+24h], ecx
		mov	ecx, [ebp+arg_C]
		mov	[edi+28h], ecx
		mov	ecx, [ebp+arg_10]
		mov	[edi+3Ch], eax
		lea	eax, [esp+18h+var_4]
		mov	[edi+2Ch], ecx
		mov	ecx, [ebp+arg_14]
		push	eax
		mov	[edi+30h], ecx
		lea	eax, [esp+1Ch+var_8]
		mov	ecx, [ebp+arg_18]
		push	eax
		mov	[edi+34h], ecx
		mov	ecx, [ebp+arg_1C]
		push	edi
		mov	[edi+38h], ecx
		call	ds:__imp__WerLiveKernelCreateReport@12 ; WerLiveKernelCreateReport(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_95698D
		push	esi		; char
		push	offset ??_C@_0FF@CDLFGOPC@DBGK?3?5DbgkWerCaptureLiveKernelD@NNGAKEGL@ ;	char *
		push	0		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	short loc_9569AA
; 

loc_95698D:				; CODE XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+15Dj
		mov	edx, [esp+24h+var_14]
		lea	eax, [esp+0Fh]
		push	eax
		push	[esp+28h+var_10]
		mov	ecx, edi
		call	_DbgkpWerProcessPolicyResult@16	; DbgkpWerProcessPolicyResult(x,x,x,x)
		mov	esi, eax
		cmp	[esp+24h+var_15], 0
		jz	short loc_9569C5

loc_9569AA:				; CODE XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+E7j
					; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+FEj ...
		mov	ecx, edi	; char
		call	_DbgkpWerCleanupContext@4 ; DbgkpWerCleanupContext(x)
		push	57676244h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9569BC:				; CODE XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+C6j
		xor	eax, eax
		mov	ecx, offset _DbgkpBusy
		xchg	eax, [ecx]

loc_9569C5:				; CODE XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+A9j
					; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+18Ej
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, esi

loc_9569CC:				; CODE XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+3Ej
					; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+61j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
_DbgkWerCaptureLiveKernelDump@36 endp


;  S U B	R O U T	I N E 


; __stdcall DbgkpWerAllocatePool(x)
_DbgkpWerAllocatePool@4	proc near	; CODE XREF: DbgkCaptureLiveKernelDump(x)+B3p
		push	57676244h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
_DbgkpWerAllocatePool@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall DbgkpWerCaptureLiveFullDump(char)
_DbgkpWerCaptureLiveFullDump@8 proc near
					; CODE XREF: DbgkpWerProcessPolicyResult(x,x,x,x)+31p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi		; char
		push	1
		mov	ebx, ecx
		mov	[ebp+var_C], eax
		push	ebx		; char
		push	offset ??_C@_0DK@HACPALBM@DBGK?3?5Creating?5full?5dump?4?5?5Comp@NNGAKEGL@ ; char *
		push	3		; int
		push	5		; int
		mov	dword ptr [ebx+40h], 10000000h
		mov	byte ptr [eax],	1
		call	_DbgPrintEx
		add	esp, 14h
		xor	esi, esi
		inc	esi
		push	57676244h
		push	24h
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_956A47
		push	offset ??_C@_0CJ@OGLEMCBF@DBGK?3?5Could?5not?5allocate?5an?5Io?5@NNGAKEGL@ ; char *
		push	eax		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		mov	esi, 0C0000017h
		jmp	loc_956B23
; 

loc_956A47:				; CODE XREF: DbgkpWerCaptureLiveFullDump(x,x)+48j
		xor	edx, edx
		mov	[edi+8], edx
		mov	[edi+0Ch], edx
		mov	[edi+10h], edx
		mov	[edi+14h], edx
		mov	[edi+18h], edx
		mov	[edi+1Ch], edx
		mov	[edi+20h], edx
		mov	[ebx+58h], edi
		mov	[edi], esi
		mov	dword ptr [edi+4], 24h
		mov	ecx, [ebx+3Ch]
		test	cl, 1
		jz	short loc_956A79
		or	dword ptr [edi+10h], 4
		mov	ecx, [ebx+3Ch]

loc_956A79:				; CODE XREF: DbgkpWerCaptureLiveFullDump(x,x)+8Dj
		mov	eax, [edi+10h]
		test	cl, 4
		jz	short loc_956A84
		or	[edi+14h], esi

loc_956A84:				; CODE XREF: DbgkpWerCaptureLiveFullDump(x,x)+9Cj
		or	eax, 10h
		mov	[edi+10h], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	dword ptr [ebx+4Ch]
		mov	[ebp+var_4], edx
		call	ds:__imp__WerLiveKernelOpenDumpFile@8 ;	WerLiveKernelOpenDumpFile(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_956AB4
		push	esi		; char
		push	offset ??_C@_0DH@FNCDKNFE@DBGK?3?5WerLiveKernelOpenDumpFile@NNGAKEGL@ ;	char *

loc_956AA6:				; CODE XREF: DbgkpWerCaptureLiveFullDump(x,x)+126j
		push	0		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	short loc_956B23
; 

loc_956AB4:				; CODE XREF: DbgkpWerCaptureLiveFullDump(x,x)+BBj
		mov	eax, [ebp+var_4]
		mov	ecx, ebx
		mov	[edi+8], eax
		or	dword ptr [ebx+50h], 2
		or	dword ptr [edi+10h], 8
		call	_DbgkpWerInitializeDeferredLiveDump@4 ;	DbgkpWerInitializeDeferredLiveDump(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_956B23
		mov	ecx, ebx	; char
		call	_DbgkpWerInvokeCallbacks@4 ; DbgkpWerInvokeCallbacks(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_956B23
		mov	edx, [ebx+24h]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebx+20h]
		push	eax
		push	edi
		push	dword ptr [ebx+30h]
		push	dword ptr [ebx+2Ch]
		push	dword ptr [ebx+28h]
		call	_IoCaptureLiveDump@28 ;	IoCaptureLiveDump(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_956B0B
		cmp	esi, 0C0000016h
		jz	short loc_956B0B
		push	esi
		push	offset ??_C@_0EO@DIEJBPEN@DBGK?3?5DbgkpWerCaptureLiveFullDu@NNGAKEGL@
		jmp	short loc_956AA6
; 

loc_956B0B:				; CODE XREF: DbgkpWerCaptureLiveFullDump(x,x)+116j
					; DbgkpWerCaptureLiveFullDump(x,x)+11Ej
		mov	eax, [ebp+var_8]
		push	1
		push	dword ptr [ebx+54h]
		mov	[ebx+5Ch], eax
		call	ExQueueWorkItem
		mov	eax, [ebp+var_C]
		xor	esi, esi
		mov	byte ptr [eax],	0

loc_956B23:				; CODE XREF: DbgkpWerCaptureLiveFullDump(x,x)+5Fj
					; DbgkpWerCaptureLiveFullDump(x,x)+CFj	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_DbgkpWerCaptureLiveFullDump@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall DbgkpWerCaptureLiveTriageDump(char)
_DbgkpWerCaptureLiveTriageDump@4 proc near
					; CODE XREF: DbgkpWerProcessPolicyResult(x,x,x,x)+23p

var_2D8		= dword	ptr -2D8h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2DCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi		; char
		mov	edi, ecx
		push	edi		; char
		push	offset ??_C@_0DC@EABLBAKN@DBGK?3?5Creating?5mini?5live?5dump?4?5@NNGAKEGL@ ; char *
		push	3		; int
		push	5		; int
		call	_DbgPrintEx
		push	2CCh		; size_t
		xor	ebx, ebx
		mov	dword ptr [edi+40h], 0FFFFCh
		lea	eax, [ebp+var_2D8]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 1Ch
		push	57676244h
		push	20000h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+60h], eax
		test	eax, eax
		jnz	short loc_956B93
		mov	esi, 0C0000017h
		jmp	loc_956C2D
; 

loc_956B93:				; CODE XREF: DbgkpWerCaptureLiveTriageDump(x)+5Dj
		lea	eax, [ebp+var_2D8]
		push	eax
		call	_RtlCaptureContext@4 ; RtlCaptureContext(x)
		push	dword ptr [edi+60h] ; size_t
		lea	eax, [ebp+var_2D8]
		push	dword ptr [edi+30h] ; int
		push	dword ptr [edi+2Ch] ; int
		push	dword ptr [edi+28h] ; int
		push	dword ptr [edi+24h] ; int
		push	dword ptr [edi+20h] ; int
		push	ebx		; size_t
		push	eax		; int
		call	_KeCapturePersistentThreadState@32 ; KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_956BD9
		push	offset ??_C@_0CN@CIIFFEL@DBGK?3?5KeCapturePersistentThread@NNGAKEGL@ ; char *
		push	ebx		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		mov	esi, 0C0000001h
		jmp	short loc_956C2D
; 

loc_956BD9:				; CODE XREF: DbgkpWerCaptureLiveTriageDump(x)+96j
		mov	ecx, edi	; char
		mov	[edi+64h], eax
		call	_DbgkpWerInvokeCallbacks@4 ; DbgkpWerInvokeCallbacks(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_956BFC
		push	esi		; char
		push	offset ??_C@_0DD@PGHNHIBM@DBGK?3?5DbgkpWerInvokeCallbacks?5f@NNGAKEGL@ ; char *

loc_956BEF:				; CODE XREF: DbgkpWerCaptureLiveTriageDump(x)+E5j
					; DbgkpWerCaptureLiveTriageDump(x)+FDj
		push	ebx		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	short loc_956C2D
; 

loc_956BFC:				; CODE XREF: DbgkpWerCaptureLiveTriageDump(x)+BDj
		mov	ecx, edi
		call	_DbgkpWerWriteTriageDump@4 ; DbgkpWerWriteTriageDump(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_956C11
		push	esi
		push	offset ??_C@_0DD@EHPANEIH@DBGK?3?5DbgkpWerWriteTriageDump?5f@NNGAKEGL@
		jmp	short loc_956BEF
; 

loc_956C11:				; CODE XREF: DbgkpWerCaptureLiveTriageDump(x)+DDj
		push	ebx
		push	dword ptr [edi+4Ch]
		call	ds:__imp__WerLiveKernelSubmitReport@8 ;	WerLiveKernelSubmitReport(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_956C29
		push	esi
		push	offset ??_C@_0FI@JFBJONDB@DBGK?3?5DbgkpWerCaptureLiveTriage@NNGAKEGL@
		jmp	short loc_956BEF
; 

loc_956C29:				; CODE XREF: DbgkpWerCaptureLiveTriageDump(x)+F5j
		or	dword ptr [edi+50h], 1

loc_956C2D:				; CODE XREF: DbgkpWerCaptureLiveTriageDump(x)+64j
					; DbgkpWerCaptureLiveTriageDump(x)+ADj	...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_DbgkpWerCaptureLiveTriageDump@4 endp


;  S U B	R O U T	I N E 


; int __fastcall DbgkpWerCleanupContext(char)
_DbgkpWerCleanupContext@4 proc near	; CODE XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+192p
					; DbgkpWerDeferredWriteRoutine(x)+98p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		push	esi		; char
		push	offset ??_C@_0CM@JGOHABJG@DBGK?3?5DbgkpWerCleanupContext?3?5C@NNGAKEGL@	; "DBGK: DbgkpWerCleanupContext: Context 0"...
		push	3		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h
		test	esi, esi
		jz	loc_956D72
		mov	ecx, [esi+5Ch]
		xor	ebx, ebx
		test	ecx, ecx
		jz	short loc_956C85
		call	_IoDiscardDeferredLiveDumpData@4 ; IoDiscardDeferredLiveDumpData(x)
		test	eax, eax
		jns	short loc_956C82
		push	eax		; char
		push	offset ??_C@_0DJ@GHCNCPCO@DBGK?3?5IoDiscardDeferredLiveDump@NNGAKEGL@ ;	char *
		push	ebx		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_956C82:				; CODE XREF: DbgkpWerCleanupContext(x)+31j
		mov	[esi+5Ch], ebx

loc_956C85:				; CODE XREF: DbgkpWerCleanupContext(x)+28j
		mov	eax, [esi+54h]
		test	eax, eax
		jz	short loc_956C9A
		push	57676244h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+54h], ebx

loc_956C9A:				; CODE XREF: DbgkpWerCleanupContext(x)+4Cj
		mov	eax, [esi+58h]
		test	eax, eax
		jz	short loc_956D11
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jz	short loc_956CB6
		call	ObfDereferenceObject
		mov	eax, [esi+58h]
		mov	[eax+0Ch], ebx
		mov	eax, [esi+58h]

loc_956CB6:				; CODE XREF: DbgkpWerCleanupContext(x)+68j
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	short loc_956CCC
		push	ecx
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [esi+58h]
		mov	[eax+8], ebx
		mov	eax, [esi+58h]

loc_956CCC:				; CODE XREF: DbgkpWerCleanupContext(x)+7Dj
		mov	edi, [eax+20h]
		mov	[eax+20h], ebx
		test	edi, edi
		jz	short loc_956CFC

loc_956CD6:				; CODE XREF: DbgkpWerCleanupContext(x)+BCj
		mov	eax, [edi+10h]
		mov	ebx, [edi+1Ch]
		test	eax, eax
		jz	short loc_956CEB
		push	57676244h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_956CEB:				; CODE XREF: DbgkpWerCleanupContext(x)+A0j
		push	57676244h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, ebx
		test	ebx, ebx
		jnz	short loc_956CD6

loc_956CFC:				; CODE XREF: DbgkpWerCleanupContext(x)+96j
		mov	eax, [esi+58h]
		test	eax, eax
		jz	short loc_956D0E
		push	57676244h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_956D0E:				; CODE XREF: DbgkpWerCleanupContext(x)+C3j
		mov	[esi+58h], ebx

loc_956D11:				; CODE XREF: DbgkpWerCleanupContext(x)+61j
		mov	eax, [esi+60h]
		test	eax, eax
		jz	short loc_956D26
		push	57676244h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+60h], ebx

loc_956D26:				; CODE XREF: DbgkpWerCleanupContext(x)+D8j
		mov	eax, [esi+4Ch]
		test	eax, eax
		jz	short loc_956D72
		test	byte ptr [esi+50h], 1
		jnz	short loc_956D50
		push	eax
		call	ds:__imp__WerLiveKernelCancelReport@4 ;	WerLiveKernelCancelReport(x)
		test	eax, eax
		jns	short loc_956D50
		push	eax		; char
		push	(offset	loc_8B7983+7) ;	char *
		push	1		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_956D50:				; CODE XREF: DbgkpWerCleanupContext(x)+F3j
					; DbgkpWerCleanupContext(x)+FEj
		push	dword ptr [esi+4Ch]
		call	ds:__imp__WerLiveKernelCloseHandle@4 ; WerLiveKernelCloseHandle(x)
		test	eax, eax
		jns	short loc_956D6F
		push	eax		; char
		push	(offset	loc_8B79CC+4) ;	char *
		push	1		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_956D6F:				; CODE XREF: DbgkpWerCleanupContext(x)+11Dj
		mov	[esi+4Ch], ebx

loc_956D72:				; CODE XREF: DbgkpWerCleanupContext(x)+1Bj
					; DbgkpWerCleanupContext(x)+EDj
		pop	edi
		pop	esi
		pop	ebx
		retn
_DbgkpWerCleanupContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpWerDeferredWriteRoutine(x)
_DbgkpWerDeferredWriteRoutine@4	proc near
					; DATA XREF: DbgkpWerInitializeDeferredLiveDump(x)+ECo

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, dword ptr [ebp+arg_0]
		push	edi
		push	esi		; char
		push	offset ??_C@_0DK@OHIACILJ@DBGK?3?5DbgkpWerDeferredWriteRout@NNGAKEGL@ ;	"DBGK: DbgkpWerDeferredWriteRoutine ente"...
		push	3		; int
		push	5		; int
		call	_DbgPrintEx
		mov	eax, large fs:124h
		add	esp, 10h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, [esi+58h]
		mov	edi, [eax+0Ch]
		test	edi, edi
		jz	short loc_956DC6
		mov	eax, _DbgkpWerDeferredWriteTimeoutSeconds
		mov	ecx, 0FF676980h
		imul	ecx
		mov	ecx, edi
		push	edx
		push	eax
		push	0
		push	0
		xor	edx, edx
		call	KiSetTimerEx

loc_956DC6:				; CODE XREF: DbgkpWerDeferredWriteRoutine(x)+33j
		mov	ecx, [esi+5Ch]
		call	_IoWriteDeferredLiveDumpData@4 ; IoWriteDeferredLiveDumpData(x)
		push	edi
		mov	ebx, eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		xor	edi, edi
		mov	[esi+5Ch], edi
		test	ebx, ebx
		jns	short loc_956DF2
		push	ebx		; char
		push	offset ??_C@_0EI@HLLEJAAI@DBGK?3?5DbgkpWerDeferredWriteRout@NNGAKEGL@ ;	"DBGK: DbgkpWerDeferredWriteRoutine: dum"...

loc_956DE5:				; CODE XREF: DbgkpWerDeferredWriteRoutine(x)+90j
		push	edi		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	short loc_956E0C
; 

loc_956DF2:				; CODE XREF: DbgkpWerDeferredWriteRoutine(x)+67j
		push	edi
		push	dword ptr [esi+4Ch]
		call	ds:__imp__WerLiveKernelSubmitReport@8 ;	WerLiveKernelSubmitReport(x,x)
		test	eax, eax
		jns	short loc_956E08
		push	eax
		push	offset ??_C@_0FH@OHNJFOED@DBGK?3?5DbgkpWerDeferredWriteRout@NNGAKEGL@ ;	"DBGK: DbgkpWerDeferredWriteRoutine: Wer"...
		jmp	short loc_956DE5
; 

loc_956E08:				; CODE XREF: DbgkpWerDeferredWriteRoutine(x)+88j
		or	dword ptr [esi+50h], 1

loc_956E0C:				; CODE XREF: DbgkpWerDeferredWriteRoutine(x)+7Aj
		mov	ecx, esi	; char
		call	_DbgkpWerCleanupContext@4 ; DbgkpWerCleanupContext(x)
		xor	eax, eax
		mov	ecx, offset _DbgkpBusy
		xchg	eax, [ecx]
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_DbgkpWerDeferredWriteRoutine@4	endp


;  S U B	R O U T	I N E 


; __stdcall DbgkpWerFreePool(x)
_DbgkpWerFreePool@4 proc near		; CODE XREF: DbgkCaptureLiveKernelDump(x)+2B3p
		test	ecx, ecx
		jz	short locret_956E3E
		push	57676244h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_956E3E:				; CODE XREF: DbgkpWerFreePool(x)+2j
		retn
_DbgkpWerFreePool@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpWerInitializeDeferredLiveDump(x)
_DbgkpWerInitializeDeferredLiveDump@4 proc near
					; CODE XREF: DbgkpWerCaptureLiveFullDump(x,x)+E1p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi		; char
		mov	ebx, ecx
		mov	[esp+30h+var_18], 18h
		xor	edi, edi
		mov	[esp+30h+var_C], 200h
		push	edi
		mov	[esp+34h+var_24], edi
		mov	eax, [ebx+58h]
		mov	[esp+34h+var_1C], eax
		lea	eax, [esp+34h+var_18]
		push	eax
		push	1F0003h
		lea	eax, [esp+3Ch+var_24]
		mov	[esp+3Ch+var_14], edi
		push	eax
		mov	[esp+40h+var_10], edi
		mov	[esp+40h+var_8], edi
		mov	[esp+40h+var_4], edi
		call	_ZwCreateTimer@16 ; ZwCreateTimer(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_956EAD
		push	esi		; char
		push	offset ??_C@_0CL@GAIMIBPK@DBGK?3?5Failed?5to?5create?5timer?0?5s@NNGAKEGL@ ; "DBGK: Failed to create timer, status 0x"...
		push	edi		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	loc_956F5C
; 

loc_956EAD:				; CODE XREF: DbgkpWerInitializeDeferredLiveDump(x)+56j
		mov	eax, ds:_ExTimerObjectType
		lea	ecx, [esp+30h+var_20]
		push	edi
		push	edi
		push	ecx
		mov	ecx, [esp+3Ch+var_24]
		mov	edx, 1F0003h
		push	57676244h
		push	edi
		push	eax
		mov	[esp+48h+var_20], edi
		call	ObpReferenceObjectByHandleWithTag
		mov	edi, [esp+30h+var_20]
		mov	esi, eax
		test	esi, esi
		jns	short loc_956EF0
		push	esi		; char
		push	offset ??_C@_0CO@DAEDMEKC@DBGK?3?5Failed?5to?5reference?5timer@NNGAKEGL@ ; "DBGK: Failed to reference timer, status"...
		push	0		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	short loc_956F35
; 

loc_956EF0:				; CODE XREF: DbgkpWerInitializeDeferredLiveDump(x)+9Bj
		push	[esp+30h+var_24]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [esp+30h+var_1C]
		and	[esp+30h+var_24], 0
		mov	[eax+0Ch], edi
		call	_DbgkpWerAllocateNonpagedPool@4	; DbgkpWerAllocateNonpagedPool(x)
		test	eax, eax
		jnz	short loc_956F25
		push	offset ??_C@_0CB@HEDBEK@DBGK?3?5Could?5not?5allocate?5timer?4@NNGAKEGL@	; "DBGK: Could not allocate timer.\n"
		push	eax		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		mov	eax, 0C0000017h
		jmp	short loc_956F5E
; 

loc_956F25:				; CODE XREF: DbgkpWerInitializeDeferredLiveDump(x)+CDj
		mov	[ebx+54h], eax
		and	dword ptr [eax], 0
		mov	dword ptr [eax+8], offset _DbgkpWerDeferredWriteRoutine@4 ; DbgkpWerDeferredWriteRoutine(x)
		mov	[eax+0Ch], ebx

loc_956F35:				; CODE XREF: DbgkpWerInitializeDeferredLiveDump(x)+AFj
		test	esi, esi
		jns	short loc_956F5C
		test	edi, edi
		jz	short loc_956F4C
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, [esp+30h+var_1C]
		and	dword ptr [eax+0Ch], 0

loc_956F4C:				; CODE XREF: DbgkpWerInitializeDeferredLiveDump(x)+FCj
		cmp	[esp+30h+var_24], 0
		jz	short loc_956F5C
		push	[esp+30h+var_24]
		call	_ZwClose@4	; ZwClose(x)

loc_956F5C:				; CODE XREF: DbgkpWerInitializeDeferredLiveDump(x)+69j
					; DbgkpWerInitializeDeferredLiveDump(x)+F8j ...
		mov	eax, esi

loc_956F5E:				; CODE XREF: DbgkpWerInitializeDeferredLiveDump(x)+E4j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_DbgkpWerInitializeDeferredLiveDump@4 endp


;  S U B	R O U T	I N E 


; int __fastcall DbgkpWerInvokeCallbacks(char)
_DbgkpWerInvokeCallbacks@4 proc	near	; CODE XREF: DbgkpWerCaptureLiveFullDump(x,x)+EEp
					; DbgkpWerCaptureLiveTriageDump(x)+B4p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		push	esi		; char
		push	offset ??_C@_0DF@HIJLMJII@DBGK?3?5DbgkpWerInvokeCallbacks?5e@NNGAKEGL@ ; char *
		push	3		; int
		push	5		; int
		call	_DbgPrintEx
		mov	eax, [esi+38h]
		add	esp, 10h
		test	eax, eax
		jz	short loc_956FCF
		push	eax		; char
		push	offset ??_C@_0CJ@NJPIGKGC@DBGK?3?5Invoking?5callback?5at?5addr@NNGAKEGL@ ; char	*
		push	3		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h
		push	dword ptr [esi+34h]
		push	dword ptr [esi+30h]
		push	dword ptr [esi+2Ch]
		push	dword ptr [esi+28h]
		push	dword ptr [esi+24h]
		push	dword ptr [esi+20h]
		push	offset _DbgkWerAddSecondaryData@16 ; DbgkWerAddSecondaryData(x,x,x,x)
		push	esi
		call	dword ptr [esi+38h]
		mov	edi, eax
		test	edi, edi
		jns	short loc_956FCD
		push	edi
		push	dword ptr [esi+38h] ; char
		push	offset ??_C@_0DF@LIFIPAMA@DBGK?3?5callback?5at?5address?50x?$CFp?5@NNGAKEGL@ ; char *
		push	0		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 14h

loc_956FCD:				; CODE XREF: DbgkpWerInvokeCallbacks(x)+51j
		mov	eax, edi

loc_956FCF:				; CODE XREF: DbgkpWerInvokeCallbacks(x)+1Ej
		pop	edi
		pop	esi
		pop	ecx
		retn
_DbgkpWerInvokeCallbacks@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpWerIsFullLiveDumpDisabled()
_DbgkpWerIsFullLiveDumpDisabled@0 proc near
					; CODE XREF: DbgkCaptureLiveKernelDump(x):loc_60077Fp
					; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x):loc_956880p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		xor	eax, eax
		mov	[ebp+var_28], offset loc_AC00AA
		lea	edi, [ebp+var_18]
		mov	[ebp+var_24], offset ??_C@_1KM@IEMJAIOM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@	; "\\Registry\\Machine\\System\\CurrentControl"...
		stosd
		xor	ecx, ecx
		push	24h
		mov	[ebp+var_2C], offset ??_C@_1CG@PNAEGJGD@?$AAF?$AAu?$AAl?$AAl?$AAL?$AAi?$AAv?$AAe?$AAR?$AAe?$AAp?$AAo?$AAr?$AAt?$AAs@NNGAKEGL@
		mov	[ebp+var_1C], ecx
		stosd
		mov	[ebp+var_20], ecx
		mov	[ebp+var_48], 18h
		mov	[ebp+var_44], ecx
		stosd
		mov	[ebp+var_3C], 240h
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		stosd
		stosd
		pop	eax
		push	26h
		mov	word ptr [ebp+var_30], ax
		pop	eax
		mov	word ptr [ebp+var_30+2], ax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_95708F
		lea	eax, [ebp+var_20]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_957087
		cmp	[ebp+var_14], 4
		jnz	short loc_957087
		cmp	[ebp+var_10], 4
		jnz	short loc_957087
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)
		cmp	[ebp+var_C], 0
		setz	al
		jmp	short loc_957091
; 

loc_957087:				; CODE XREF: DbgkpWerIsFullLiveDumpDisabled()+95j
					; DbgkpWerIsFullLiveDumpDisabled()+9Bj	...
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_95708F:				; CODE XREF: DbgkpWerIsFullLiveDumpDisabled()+79j
		xor	al, al

loc_957091:				; CODE XREF: DbgkpWerIsFullLiveDumpDisabled()+B2j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_DbgkpWerIsFullLiveDumpDisabled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpWerProcessPolicyResult(x, x, x, x)
_DbgkpWerProcessPolicyResult@16	proc near
					; CODE XREF: DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)+182p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	byte ptr [esi],	1
		test	edx, edx
		jnz	short loc_9570B3
		xor	eax, eax
		jmp	short loc_9570ED
; 

loc_9570B3:				; CODE XREF: DbgkpWerProcessPolicyResult(x,x,x,x)+Fj
		mov	eax, [ebp+arg_0]
		mov	[ecx+4Ch], eax
		mov	[ecx+48h], edx
		cmp	edx, 1
		jnz	short loc_9570C8
		call	_DbgkpWerCaptureLiveTriageDump@4 ; DbgkpWerCaptureLiveTriageDump(x)
		jmp	short loc_9570ED
; 

loc_9570C8:				; CODE XREF: DbgkpWerProcessPolicyResult(x,x,x,x)+21j
		cmp	edx, 2
		jnz	short loc_9570D6
		mov	edx, esi
		call	_DbgkpWerCaptureLiveFullDump@8 ; DbgkpWerCaptureLiveFullDump(x,x)
		jmp	short loc_9570ED
; 

loc_9570D6:				; CODE XREF: DbgkpWerProcessPolicyResult(x,x,x,x)+2Dj
		push	edx		; char
		push	offset ??_C@_0DO@FGHFHDJA@DBGK?3?5DbgkpWerProcessPolicyResu@NNGAKEGL@ ;	char *
		push	0		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h
		mov	eax, 0C00000BBh

loc_9570ED:				; CODE XREF: DbgkpWerProcessPolicyResult(x,x,x,x)+13j
					; DbgkpWerProcessPolicyResult(x,x,x,x)+28j ...
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
_DbgkpWerProcessPolicyResult@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpWerUpdateTriageDumpHeader(x)
_DbgkpWerUpdateTriageDumpHeader@4 proc near ; CODE XREF: DbgkpWerWriteTriageDump(x)+35p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+44h]
		mov	edx, [esi+64h]
		test	edi, edi
		jz	short loc_95716E
		mov	ebx, [esi+74h]
		lea	eax, [edx+10h]
		push	20h
		pop	ecx
		mov	dword ptr [ebp+var_4], eax
		mov	eax, ebx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jns	short loc_957146
		push	ebx		; char
		push	offset ??_C@_0DJ@KKILGGNJ@DBGK?3?5Overflow?5calculating?5tota@NNGAKEGL@	; char *
		push	0		; int
		push	5		; int
		call	_DbgPrintEx
		mov	eax, [ebp+var_C]
		add	esp, 10h
		jmp	short loc_957192
; 

loc_957146:				; CODE XREF: DbgkpWerUpdateTriageDumpHeader(x)+3Aj
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		mov	ecx, dword ptr [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_957192
		mov	ecx, dword ptr [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_957192
		mov	edx, dword ptr [ebp+var_4]

loc_95716E:				; CODE XREF: DbgkpWerUpdateTriageDumpHeader(x)+19j
		mov	eax, [esi+60h]
		push	edx		; char
		push	offset ??_C@_0CB@IFOMHPGE@DBGK?3?5Required?5total?5aize?3?50x?$CFX@NNGAKEGL@ ; char *
		push	3		; int
		and	dword ptr [eax+0FA4h], 0
		push	5		; int
		mov	[eax+0FA0h], edx
		call	_DbgPrintEx
		add	esp, 10h
		xor	eax, eax

loc_957192:				; CODE XREF: DbgkpWerUpdateTriageDumpHeader(x)+51j
					; DbgkpWerUpdateTriageDumpHeader(x)+64j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_DbgkpWerUpdateTriageDumpHeader@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpWerWriteSecondaryData(x, x)
_DbgkpWerWriteSecondaryData@8 proc near	; CODE XREF: DbgkpWerWriteTriageDump(x)+6Ap

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ecx+70h]
		push	esi
		xor	esi, esi
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], esi
		push	edi
		test	ebx, ebx
		jz	loc_957253
		mov	eax, _NtBuildNumber
		push	10h
		pop	ecx
		push	esi
		push	esi
		push	ecx
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_14], 706D7544h
		push	eax
		push	esi
		push	esi
		push	esi
		push	edx
		mov	[ebp+var_10], 626F6C42h
		mov	[ebp+var_C], ecx
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_957255
		mov	[ebp+var_34], 20h
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi

loc_957203:				; CODE XREF: DbgkpWerWriteSecondaryData(x,x)+B8j
		mov	esi, ebx
		lea	edi, [ebp+var_30]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebx+14h]
		xor	edi, edi
		mov	esi, [ebp+var_40]
		push	edi
		push	edi
		push	[ebp+var_34]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	edi
		push	edi
		push	edi
		push	esi
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_957255
		push	edi
		push	edi
		push	dword ptr [ebx+14h]
		lea	eax, [ebp+var_3C]
		push	dword ptr [ebx+10h]
		push	eax
		push	edi
		push	edi
		push	edi
		push	esi
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_957255
		mov	ebx, [ebx+1Ch]
		test	ebx, ebx
		jnz	short loc_957203
		jmp	short loc_957255
; 

loc_957253:				; CODE XREF: DbgkpWerWriteSecondaryData(x,x)+25j
		mov	eax, esi

loc_957255:				; CODE XREF: DbgkpWerWriteSecondaryData(x,x)+5Dj
					; DbgkpWerWriteSecondaryData(x,x)+98j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_DbgkpWerWriteSecondaryData@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpWerWriteTriageDump(x)
_DbgkpWerWriteTriageDump@4 proc	near	; CODE XREF: DbgkpWerCaptureLiveTriageDump(x)+D4p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	eax, [ebp+var_4]
		push	eax
		xor	ebx, ebx
		mov	[ebp+var_C], ebx
		push	dword ptr [edi+4Ch]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	ds:__imp__WerLiveKernelOpenDumpFile@8 ;	WerLiveKernelOpenDumpFile(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_957297
		push	esi
		push	offset ??_C@_0EN@DDOOMDH@DBGK?3?5DbgkWerWriteTriageDump?3?5W@NNGAKEGL@
		jmp	short loc_9572DF
; 

loc_957297:				; CODE XREF: DbgkpWerWriteTriageDump(x)+29j
		mov	ecx, edi
		call	_DbgkpWerUpdateTriageDumpHeader@4 ; DbgkpWerUpdateTriageDumpHeader(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9572EA
		push	ebx
		push	ebx
		push	dword ptr [edi+64h]
		lea	eax, [ebp+var_C]
		push	dword ptr [edi+60h]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_4]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9572C9
		push	esi
		push	offset ??_C@_0DB@KOIJBBFF@DBGK?3?5Triage?5dump?5write?5failed?5@NNGAKEGL@
		jmp	short loc_9572DF
; 

loc_9572C9:				; CODE XREF: DbgkpWerWriteTriageDump(x)+5Bj
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		call	_DbgkpWerWriteSecondaryData@8 ;	DbgkpWerWriteSecondaryData(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9572EA
		push	esi		; char
		push	offset ??_C@_0DG@GBCANKPK@DBGK?3?5Writing?5secondary?5data?5fa@NNGAKEGL@ ; char	*

loc_9572DF:				; CODE XREF: DbgkpWerWriteTriageDump(x)+31j
					; DbgkpWerWriteTriageDump(x)+63j
		push	ebx		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_9572EA:				; CODE XREF: DbgkpWerWriteTriageDump(x)+3Ej
					; DbgkpWerWriteTriageDump(x)+73j
		cmp	[ebp+var_4], ebx
		jz	short loc_9572F7
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_9572F7:				; CODE XREF: DbgkpWerWriteTriageDump(x)+89j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_DbgkpWerWriteTriageDump@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpTriageDumpFillHeaders(x, x, x,	x, x, x)
_DbgkpTriageDumpFillHeaders@24 proc near ; DATA	XREF: DbgkpTriageDumpInitialize(x,x,x,x)+50o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	0
		push	[ebp+arg_14]
		mov	edi, [esi]
		mov	ecx, edi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		lea	ebx, [edi+1000h]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	4
		pop	edx
		call	_IoFillDumpHeader@32 ; IoFillDumpHeader(x,x,x,x,x,x,x,x)
		mov	ecx, [esi+4]
		xor	edx, edx
		mov	[ebp+arg_14], edx
		mov	[ebp+arg_0], edx
		cmp	ecx, 1000h
		jnb	short loc_957346
		mov	eax, 0C000009Ah
		jmp	short loc_957397
; 

loc_957346:				; CODE XREF: DbgkpTriageDumpFillHeaders(x,x,x,x,x,x)+3Fj
		lea	eax, [ebp+arg_14]
		add	ecx, 0FFFFF000h	; int
		push	eax		; int
		push	edx		; int
		push	edx		; int
		push	edx		; int
		push	edx		; int
		push	_CmNtCSDVersion	; int
		lea	eax, [ebp+arg_0]
		push	edx		; int
		push	edx		; int
		push	eax		; int
		push	440h		; int
		push	edx		; char
		mov	edx, ebx	; void *
		call	_IoFillTriageDumpBuffer@52 ; IoFillTriageDumpBuffer(x,x,x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_957397
		mov	eax, [ebp+arg_0]
		mov	[edi+0F8Ch], eax
		mov	eax, [ebp+arg_14]
		add	eax, 1007h
		and	eax, 0FFFFFFF8h
		mov	[esi+14h], eax
		mov	eax, [esi+4]
		and	dword ptr [ebx+64h], 0
		sub	eax, 4
		mov	[ebx+60h], eax
		xor	eax, eax

loc_957397:				; CODE XREF: DbgkpTriageDumpFillHeaders(x,x,x,x,x,x)+46j
					; DbgkpTriageDumpFillHeaders(x,x,x,x,x,x)+71j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
_DbgkpTriageDumpFillHeaders@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpTriageDumpInitialize(x, x, x, x)
_DbgkpTriageDumpInitialize@16 proc near	; CODE XREF: DbgkCaptureLiveDump(x,x,x,x)+F6p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		push	4D574454h
		mov	ebx, 37CCh
		push	ebx
		push	200h
		mov	[esi], edx
		mov	[esi+4], eax
		mov	[esi+8], edi
		mov	[esi+0Ch], edi
		mov	[esi+10h], edi
		mov	[esi+14h], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+18h], eax
		test	eax, eax
		jz	short loc_9573E8
		push	ebx		; size_t
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+1Ch], edi

loc_9573E8:				; CODE XREF: DbgkpTriageDumpInitialize(x,x,x,x)+3Aj
		mov	eax, [ebp+arg_4]
		pop	edi
		pop	esi
		pop	ebx
		mov	dword ptr [eax], offset	_DbgkpTriageDumpFillHeaders@24 ; DbgkpTriageDumpFillHeaders(x,x,x,x,x,x)
		mov	dword ptr [eax+8], offset _DbgkpTriageDumpSnapData@24 ;	DbgkpTriageDumpSnapData(x,x,x,x,x,x)
		mov	dword ptr [eax+4], offset _DbgkpTriageDumpIsMemoryBlockPresent@12 ; DbgkpTriageDumpIsMemoryBlockPresent(x,x,x)
		mov	dword ptr [eax+0Ch], offset _DbgkpTriageDumpSaveState@4	; DbgkpTriageDumpSaveState(x)
		mov	dword ptr [eax+10h], offset _DbgkpTriageDumpRestoreState@4 ; DbgkpTriageDumpRestoreState(x)
		mov	dword ptr [eax+14h], offset _DbgkpTriageDumpWrite@8 ; DbgkpTriageDumpWrite(x,x)
		xor	eax, eax
		pop	ebp
		retn	8
_DbgkpTriageDumpInitialize@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpTriageDumpIsMemoryBlockPresent(x, x, x)
_DbgkpTriageDumpIsMemoryBlockPresent@12	proc near
					; DATA XREF: DbgkpTriageDumpInitialize(x,x,x,x)+5Do

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	eax, [ecx]
		xor	edi, edi
		cmp	[ecx+18h], edi
		jz	short loc_957451
		cmp	dword ptr [ecx+1Ch], 6F9h
		jnb	short loc_957451
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+arg_0]
		push	eax
		push	[ebp+arg_8]
		call	_DbgkpTriageDumpCheckPresentHashTable@16 ; DbgkpTriageDumpCheckPresentHashTable(x,x,x,x)
		test	al, al
		jz	short loc_957490

loc_95744D:				; CODE XREF: DbgkpTriageDumpIsMemoryBlockPresent(x,x,x)+61j
					; DbgkpTriageDumpIsMemoryBlockPresent(x,x,x)+66j
		mov	al, 1
		jmp	short loc_957492
; 

loc_957451:				; CODE XREF: DbgkpTriageDumpIsMemoryBlockPresent(x,x,x)+12j
					; DbgkpTriageDumpIsMemoryBlockPresent(x,x,x)+1Bj
		mov	esi, [eax+1060h]
		mov	ebx, [eax+1064h]
		add	esi, eax
		test	ebx, ebx
		jz	short loc_957490
		mov	eax, [ebp+arg_4]
		cdq
		mov	[ebp+arg_0], edx
		mov	edx, [ebp+arg_8]
		mov	[ebp+arg_4], eax

loc_957470:				; CODE XREF: DbgkpTriageDumpIsMemoryBlockPresent(x,x,x)+71j
		cmp	[esi], eax
		jnz	short loc_957488
		mov	eax, [esi+4]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_957485
		test	edx, edx
		jz	short loc_95744D
		cmp	[esi+0Ch], edx
		jz	short loc_95744D

loc_957485:				; CODE XREF: DbgkpTriageDumpIsMemoryBlockPresent(x,x,x)+5Dj
		mov	eax, [ebp+arg_4]

loc_957488:				; CODE XREF: DbgkpTriageDumpIsMemoryBlockPresent(x,x,x)+55j
		add	esi, 10h
		inc	edi
		cmp	edi, ebx
		jb	short loc_957470

loc_957490:				; CODE XREF: DbgkpTriageDumpIsMemoryBlockPresent(x,x,x)+2Ej
					; DbgkpTriageDumpIsMemoryBlockPresent(x,x,x)+44j
		xor	al, al

loc_957492:				; CODE XREF: DbgkpTriageDumpIsMemoryBlockPresent(x,x,x)+32j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_DbgkpTriageDumpIsMemoryBlockPresent@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpTriageDumpWrite(x, x)
_DbgkpTriageDumpWrite@8	proc near	; DATA XREF: DbgkpTriageDumpInitialize(x,x,x,x)+72o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		lea	ecx, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_0]
		and	[ebp+arg_0], 0
		push	esi
		push	edi
		mov	esi, [ebx]
		and	dword ptr [eax], 0
		push	ecx
		or	dword ptr [esi+0F8Ch], 0FFh
		mov	edi, [esi+1064h]
		mov	eax, [ebx+14h]
		mov	ecx, eax
		shl	edi, 4
		add	edi, 4
		mov	[ebp+var_4], eax
		mov	edx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_957536
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebx+4]
		ja	short loc_957536
		mov	eax, [esi+1060h]
		add	eax, esi
		push	edi		; size_t
		push	eax		; void *
		mov	eax, [ebp+var_4]
		add	eax, esi
		push	eax		; void *
		call	_memmove
		mov	eax, [ebx+14h]
		add	esp, 0Ch
		mov	[esi+1060h], eax
		lea	ecx, [eax+edi]
		mov	[esi+1004h], ecx
		lea	eax, [ecx-4]
		and	dword ptr [esi+0FA4h], 0
		mov	[esi+0FA0h], ecx
		mov	[esi+1008h], eax
		mov	dword ptr [eax+esi], 44475254h
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		xor	eax, eax
		jmp	short loc_95753B
; 

loc_957536:				; CODE XREF: DbgkpTriageDumpWrite(x,x)+43j
					; DbgkpTriageDumpWrite(x,x)+4Bj
		mov	eax, 0C000009Ah

loc_95753B:				; CODE XREF: DbgkpTriageDumpWrite(x,x)+9Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_DbgkpTriageDumpWrite@8	endp

; 
		align 4
		db 3 dup(0CCh)
; 
; Exported entry 278. EmClientRuleDeregisterNotification

; __stdcall EmClientRuleDeregisterNotification(x)
		public _EmClientRuleDeregisterNotification@4
_EmClientRuleDeregisterNotification@4:
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+8]
		test	esi, esi
		jz	loc_9575E0
		push	ebx
		mov	ebx, offset _EmpDatabaseLock
		xor	edx, edx
		push	edi
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		xor	ecx, ecx
		cmp	[esi+8], ecx
		jbe	short loc_9575A3
		mov	edx, ecx

loc_957571:				; CODE XREF: PAGE:0095759Cj
		mov	eax, [esi+4]
		mov	eax, [eax+edx]
		lock dec dword ptr [eax]
		mov	edi, [esi+4]
		add	edi, 0Ch
		add	edi, edx
		mov	ebx, [edi]
		cmp	[ebx+4], edi
		jnz	short loc_9575E5
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_9575E5
		mov	[eax], ebx
		inc	ecx
		mov	[ebx+4], eax
		add	edx, 14h
		cmp	ecx, [esi+8]
		jb	short loc_957571
		mov	ebx, offset _EmpDatabaseLock

loc_9575A3:				; CODE XREF: PAGE:0095756Dj
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_9575AE
		call	ObfDereferenceObject

loc_9575AE:				; CODE XREF: PAGE:009575A7j
		mov	edi, 6C634D45h
		push	edi
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9575D7
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9575D7:				; CODE XREF: PAGE:009575CEj
		mov	ecx, ebx
		call	KeAbPostRelease
		pop	edi
		pop	ebx

loc_9575E0:				; CODE XREF: PAGE:00957552j
		pop	esi
		pop	ebp
		retn	4
; 

loc_9575E5:				; CODE XREF: PAGE:00957587j
					; PAGE:0095758Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dw 0CCCCh
		db 3 dup(0CCh)
; Exported entry 280. EmClientRuleRegisterNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EmClientRuleRegisterNotification(x,	x, x, x)
		public _EmClientRuleRegisterNotification@16
_EmClientRuleRegisterNotification@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_957602
		mov	eax, 0C000000Dh
		jmp	short loc_957610
; 

loc_957602:				; CODE XREF: EmClientRuleRegisterNotification(x,x,x,x)+Aj
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_8]
		call	_EmpClientRuleRegisterNotification@16 ;	EmpClientRuleRegisterNotification(x,x,x,x)

loc_957610:				; CODE XREF: EmClientRuleRegisterNotification(x,x,x,x)+11j
		pop	ebp
		retn	10h
_EmClientRuleRegisterNotification@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EmpClientRuleRegisterNotification(x, x, x, x)
_EmpClientRuleRegisterNotification@16 proc near
					; CODE XREF: EmClientRuleRegisterNotification(x,x,x,x)+1Cp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	[ebp+var_C], edx
		xor	ebx, ebx
		mov	[ebp+var_1C], ecx
		xor	edx, edx
		push	edi
		mov	ecx, offset _EmpDatabaseLock
		mov	esi, ebx
		mov	edi, ebx
		call	ExAcquirePushLockExclusiveEx
		cmp	[ebp+arg_4], ebx
		jz	loc_9577AC
		cmp	[ebp+arg_0], ebx
		jz	loc_9577AC
		cmp	[ebp+var_C], ebx
		jz	loc_9577AC
		push	6C634D45h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_957670
		mov	edi, 0C000009Ah
		jmp	loc_9577FA
; 

loc_957670:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+50j
		imul	eax, [ebp+arg_0], 14h
		push	6C634D45h
		push	eax
		push	1
		mov	[ebp+var_10], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+4], eax
		test	eax, eax
		jnz	short loc_957695
		mov	edi, 0C000009Ah
		jmp	loc_9577B1
; 

loc_957695:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+75j
		push	[ebp+var_10]	; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	[esi+8], ecx
		mov	[ebp+var_10], ebx
		test	ecx, ecx
		jz	loc_957782
		mov	eax, [ebp+var_C]
		add	eax, 4
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], eax

loc_9576BF:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+168j
		mov	edx, [eax-4]
		test	edx, edx
		jz	loc_9577A5
		cmp	[eax], ebx
		jz	loc_9577A5
		mov	ecx, edx	; void *
		call	_EmpSearchRuleDatabase@4 ; EmpSearchRuleDatabase(x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_95779E
		mov	ecx, eax
		call	_EmpSearchTargetRuleList@4 ; EmpSearchTargetRuleList(x)
		mov	edx, eax
		mov	[ebp+var_18], edx
		test	edx, edx
		jz	loc_95779E
		mov	ecx, [esi+4]
		mov	eax, [ebp+var_8]
		mov	[eax+ecx], edx
		mov	eax, [ebp+var_C]
		mov	edx, [esi+4]
		mov	ecx, [eax]
		mov	eax, [ebp+var_8]
		mov	[eax+edx+4], ecx
		mov	ecx, [esi+4]
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_8]
		mov	eax, [eax+4]
		mov	[edx+ecx+8], eax
		add	edx, 0Ch
		mov	ecx, [ebp+var_14]
		mov	eax, [esi+4]
		add	eax, edx
		mov	edi, [ecx+3Ch]
		lea	edx, [ecx+38h]
		mov	[ebp+var_14], edi
		cmp	[edi], edx
		jnz	short loc_957799
		lea	edx, [ecx+38h]
		mov	[eax+4], edi
		mov	[eax], edx
		mov	[edi], eax
		mov	[edx+4], eax
		xor	eax, eax
		mov	edx, [ebp+var_18]
		inc	eax
		lock xadd [edx], eax
		inc	eax
		mov	edx, [ebp+var_8]
		mov	edi, ebx
		cmp	eax, 1
		jnz	short loc_957764
		xor	edx, edx
		call	EmpQueueRuleUpdateState
		mov	edx, [ebp+var_8]

loc_957764:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+144j
		mov	eax, [ebp+var_C]
		add	edx, 14h
		inc	[ebp+var_10]
		add	eax, 0Ch
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], edx
		cmp	[ebp+var_10], ecx
		jb	loc_9576BF

loc_957782:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+99j
		mov	ebx, [ebp+var_1C]
		test	ebx, ebx
		jz	short loc_957790
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_957790:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+173j
		mov	eax, [ebp+arg_4]
		mov	[esi], ebx
		mov	[eax], esi
		jmp	short loc_9577FA
; 

loc_957799:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+122j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_95779E:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+CAj
					; EmpClientRuleRegisterNotification(x,x,x,x)+DEj
		mov	edi, 0C0000225h
		jmp	short loc_9577B1
; 

loc_9577A5:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+B0j
					; EmpClientRuleRegisterNotification(x,x,x,x)+B8j
		mov	edi, 0C000000Dh
		jmp	short loc_9577B4
; 

loc_9577AC:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+26j
					; EmpClientRuleRegisterNotification(x,x,x,x)+2Fj ...
		mov	edi, 0C000000Dh

loc_9577B1:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+7Cj
					; EmpClientRuleRegisterNotification(x,x,x,x)+18Fj
		mov	ecx, [ebp+arg_0]

loc_9577B4:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+196j
		mov	[ebp+var_4], edi
		test	esi, esi
		jz	short loc_9577FA
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_9577EF
		test	ecx, ecx
		jz	short loc_9577E4
		mov	edi, eax

loc_9577C8:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+1C9j
		mov	edx, [ebx+eax]
		test	edx, edx
		jz	short loc_9577D7
		lock dec dword ptr [edx]
		mov	eax, [esi+4]
		mov	edi, eax

loc_9577D7:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+1B9j
		add	ebx, 14h
		sub	ecx, 1
		jnz	short loc_9577C8
		mov	eax, edi
		mov	edi, [ebp+var_4]

loc_9577E4:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+1B0j
		push	6C634D45h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9577EF:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+1ACj
		push	6C634D45h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9577FA:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+57j
					; EmpClientRuleRegisterNotification(x,x,x,x)+183j ...
		or	edx, 0FFFFFFFFh
		mov	esi, offset _EmpDatabaseLock
		lock xadd [esi], edx
		and	dl, 6
		cmp	dl, 2
		jnz	short loc_957815
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_957815:				; CODE XREF: EmpClientRuleRegisterNotification(x,x,x,x)+1F8j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_EmpClientRuleRegisterNotification@16 endp

; 
		align 4
		db 2 dup(0CCh)
; 
; Exported entry 281. EmProviderDeregister

; __stdcall EmProviderDeregister(x)
		public _EmProviderDeregister@4
_EmProviderDeregister@4:
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, [ebp+8]
		test	edi, edi
		jz	loc_95798E
		push	ebx
		push	esi
		xor	edx, edx
		mov	ecx, offset _EmpDatabaseLock
		call	ExAcquirePushLockExclusiveEx
		cmp	dword ptr [edi+0Ch], 0
		jz	short loc_957892
		xor	edx, edx
		cmp	[edi+10h], edx
		jbe	short loc_957885
		xor	esi, esi

loc_957859:				; CODE XREF: PAGE:00957883j
		mov	eax, [edi+0Ch]
		add	eax, 8
		add	eax, esi
		mov	ebx, [eax]
		cmp	[ebx+4], eax
		jnz	loc_957993
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_957993
		mov	[ecx], ebx
		inc	edx
		mov	[ebx+4], ecx
		add	esi, 10h
		cmp	edx, [edi+10h]
		jb	short loc_957859

loc_957885:				; CODE XREF: PAGE:00957855j
		push	72704D45h
		push	dword ptr [edi+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_957892:				; CODE XREF: PAGE:0095784Ej
		xor	ebx, ebx
		or	esi, 0FFFFFFFFh
		cmp	[edi+8], ebx
		jbe	short loc_9578D8

loc_95789C:				; CODE XREF: PAGE:009578D6j
		mov	eax, [edi+4]
		mov	ecx, [eax+ebx*4]
		mov	eax, esi
		add	ecx, 10h
		lock xadd [ecx], eax
		jnz	short loc_9578D2
		mov	eax, [edi+4]
		mov	eax, [eax+ebx*4]
		mov	eax, [eax+2Ch]
		mov	[ebp-4], eax
		test	eax, eax
		jz	short loc_9578D2
		mov	edi, eax

loc_9578BF:				; CODE XREF: PAGE:009578CDj
		mov	ecx, [edi-4]
		xor	edx, edx
		call	EmpQueueRuleUpdateState
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_9578BF
		mov	edi, [ebp+8]

loc_9578D2:				; CODE XREF: PAGE:009578ABj
					; PAGE:009578BBj
		inc	ebx
		cmp	ebx, [edi+8]
		jb	short loc_95789C

loc_9578D8:				; CODE XREF: PAGE:0095789Aj
		lea	eax, [edi+1Ch]
		mov	ebx, [eax]
		mov	[ebp-4], eax
		cmp	ebx, eax
		jz	short loc_9578F7
		mov	edi, eax

loc_9578E6:				; CODE XREF: PAGE:009578F2j
		lea	ecx, [ebx-14h]
		mov	ebx, [ebx]
		call	_EmpProviderDeregisterEntry@4 ;	EmpProviderDeregisterEntry(x)
		cmp	ebx, edi
		jnz	short loc_9578E6
		mov	edi, [ebp+8]

loc_9578F7:				; CODE XREF: PAGE:009578E2j
		xor	ebx, ebx
		cmp	[edi+18h], ebx
		jbe	short loc_957944

loc_9578FE:				; CODE XREF: PAGE:00957942j
		mov	eax, [edi+14h]
		mov	ecx, [eax+ebx*4]
		mov	eax, esi
		add	ecx, 14h
		lock xadd [ecx], eax
		jnz	short loc_95793E
		mov	eax, [edi+14h]
		mov	eax, [eax+ebx*4]
		and	dword ptr [eax+10h], 0
		mov	eax, [edi+14h]
		mov	eax, [eax+ebx*4]
		mov	eax, [eax+20h]
		mov	[ebp-4], eax
		test	eax, eax
		jz	short loc_95793E
		mov	edi, eax

loc_95792B:				; CODE XREF: PAGE:00957939j
		mov	ecx, [edi-4]
		xor	edx, edx
		call	EmpQueueRuleUpdateState
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_95792B
		mov	edi, [ebp+8]

loc_95793E:				; CODE XREF: PAGE:0095790Dj
					; PAGE:00957927j
		inc	ebx
		cmp	ebx, [edi+18h]
		jb	short loc_9578FE

loc_957944:				; CODE XREF: PAGE:009578FCj
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_95794F
		call	ObfDereferenceObject

loc_95794F:				; CODE XREF: PAGE:00957948j
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_957961
		push	72704D45h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_957961:				; CODE XREF: PAGE:00957954j
		push	72704D45h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		or	eax, 0FFFFFFFFh
		mov	esi, offset _EmpDatabaseLock
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_957985
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_957985:				; CODE XREF: PAGE:0095797Cj
		mov	ecx, esi
		call	KeAbPostRelease
		pop	esi
		pop	ebx

loc_95798E:				; CODE XREF: PAGE:00957836j
		pop	edi
		leave
		retn	4
; 

loc_957993:				; CODE XREF: PAGE:00957866j
					; PAGE:00957871j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 282. EmProviderDeregisterEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EmProviderDeregisterEntry(x)
		public _EmProviderDeregisterEntry@4
_EmProviderDeregisterEntry@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, offset _EmpDatabaseLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+arg_0]
		call	_EmpProviderDeregisterEntry@4 ;	EmpProviderDeregisterEntry(x)
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9579CD
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9579CD:				; CODE XREF: EmProviderDeregisterEntry(x)+27j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	esi
		pop	ebp
		retn	4
_EmProviderDeregisterEntry@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 284. EmProviderRegisterEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EmProviderRegisterEntry(int,void *,int,int)
		public _EmProviderRegisterEntry@16
_EmProviderRegisterEntry@16 proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		xor	edx, edx
		mov	edi, esi
		mov	ecx, offset _EmpDatabaseLock
		mov	[ebp+var_10], edi
		call	ExAcquirePushLockExclusiveEx
		cmp	[ebp+arg_4], esi
		jz	short loc_957A6F
		cmp	[ebp+arg_0], esi
		jz	short loc_957A6F
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jz	short loc_957A6F
		cmp	[ebp+arg_C], esi
		jz	short loc_957A6F
		cmp	[ebx], esi
		jz	short loc_957A6F
		cmp	[ebx+4], esi
		jz	short loc_957A6F
		mov	ecx, [ebp+arg_4] ; void	*
		call	_EmpSearchEntryDatabase@4 ; EmpSearchEntryDatabase(x)
		mov	[ebp+arg_8], eax
		test	eax, eax
		jnz	short loc_957A31
		mov	edi, 0C0000225h
		jmp	short loc_957A74
; 

loc_957A31:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+4Aj
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], esi
		mov	ecx, [eax+8]
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	short loc_957A6F
		mov	eax, [eax+4]
		mov	[ebp+var_8], eax

loc_957A47:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+8Fj
		push	10h		; size_t
		push	[ebp+arg_4]	; void *
		push	dword ptr [eax]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_957AC2
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		inc	ecx
		add	eax, 4
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], eax
		cmp	ecx, [ebp+var_C]
		jb	short loc_957A47

loc_957A6F:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+21j
					; EmProviderRegisterEntry(x,x,x,x)+26j	...
		mov	edi, 0C000000Dh

loc_957A74:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+51j
					; EmProviderRegisterEntry(x,x,x,x)+FDj	...
		or	eax, 0FFFFFFFFh
		mov	ebx, offset _EmpDatabaseLock
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_957A8D
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_957A8D:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+A6j
		mov	ecx, ebx
		call	KeAbPostRelease
		test	edi, edi
		jns	short loc_957AB9
		test	esi, esi
		jz	short loc_957AB9
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_957AAE
		push	72704D45h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_957AAE:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+C3j
		push	72704D45h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_957AB9:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+B8j
					; EmProviderRegisterEntry(x,x,x,x)+BCj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_957AC2:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+7Aj
		push	72704D45h
		push	1Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_957ADD

loc_957AD6:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+11Cj
		mov	edi, 0C000009Ah
		jmp	short loc_957A74
; 

loc_957ADD:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+F6j
		mov	eax, [ebp+arg_8]
		push	72704D45h
		mov	[esi], eax
		mov	eax, [ebx+4]
		push	eax
		push	1
		mov	[esi+8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+4], eax
		test	eax, eax
		jz	short loc_957AD6
		push	dword ptr [esi+8] ; size_t
		push	dword ptr [ebx]	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		lea	ecx, [esi+14h]
		add	eax, 1Ch
		add	esp, 0Ch
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_957B67
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		lea	eax, [esi+0Ch]
		mov	ecx, [ebp+arg_8]
		lea	edx, [ecx+1Ch]
		mov	ebx, [edx+4]
		cmp	[ebx], edx
		jnz	short loc_957B67
		mov	[eax], edx
		mov	[eax+4], ebx
		mov	[ebx], eax
		mov	[edx+4], eax
		mov	ebx, [ecx+2Ch]
		mov	[ecx+18h], eax
		test	ebx, ebx
		jz	short loc_957B5D
		mov	edi, ecx

loc_957B4A:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+17Aj
		mov	ecx, [ebx-4]
		mov	edx, edi
		call	EmpQueueRuleUpdateState
		mov	ebx, [ebx]
		test	ebx, ebx
		jnz	short loc_957B4A
		mov	edi, [ebp+var_10]

loc_957B5D:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+168j
		mov	eax, [ebp+arg_C]
		mov	[eax], esi
		jmp	loc_957A74
; 

loc_957B67:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+13Aj
					; EmProviderRegisterEntry(x,x,x,x)+154j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall EmMatchDate(x, x, x, x, x, x, x)
_EmMatchDate@28:			; DATA XREF: .text:00401B6Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	edi
		xor	edi, edi
		inc	edi
		test	ebx, ebx
		jz	short loc_957BD4
		cmp	[ebp+arg_C], edi
		jnz	short loc_957BD4
		mov	ebx, [ebx]
		test	ebx, ebx
		jz	short loc_957BD4
		cmp	[ebp+arg_14], 3
		jnz	short loc_957BD4
		mov	ecx, [ebp+arg_10]
		mov	edx, _EmpCachedBiosDate
		push	esi
		mov	eax, [ecx+8]
		mov	esi, eax
		shl	esi, 8
		add	esi, [ecx]
		shl	esi, 8
		cmp	eax, 80h
		sbb	eax, eax
		and	eax, 7000000h
		add	eax, 19000000h
		add	esi, eax
		add	esi, [ecx+4]
		test	edx, edx
		jnz	short loc_957BC4
		cmp	byte ptr [ebx],	2Ah
		jnz	short loc_957BD3

loc_957BC4:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+1DFj
		push	esi
		mov	ecx, ebx
		call	EmpCheckOperator
		test	eax, eax
		jz	short loc_957BD3
		push	2
		pop	edi

loc_957BD3:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+1E4j
					; EmProviderRegisterEntry(x,x,x,x)+1F0j
		pop	esi

loc_957BD4:				; CODE XREF: EmProviderRegisterEntry(x,x,x,x)+19Dj
					; EmProviderRegisterEntry(x,x,x,x)+1A2j ...
		mov	eax, edi
		pop	edi
		pop	ebx
		pop	ebp
		retn	1Ch
_EmProviderRegisterEntry@16 endp ; sp =	-20h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EmRemoveBadS3PagesCallback(x, x, x,	x, x, x, x)
_EmRemoveBadS3PagesCallback@28 proc near ; DATA	XREF: .text:00401BA8o

arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_957C1E
		cmp	[ebp+arg_14], 1
		jnz	short loc_957C1E
		mov	eax, [eax]
		and	dword_6CDBFC, 0
		and	_PersistBadS3PageWorkItem, 0
		push	1
		push	offset _PersistBadS3PageWorkItem
		mov	_EmpBadS3Page, eax
		mov	dword_6CDBF8, offset _EmpRemoveBadS3PageWorker@4 ; EmpRemoveBadS3PageWorker(x)
		call	ExQueueWorkItem
		push	2
		pop	eax
		jmp	short loc_957C21
; 

loc_957C1E:				; CODE XREF: EmRemoveBadS3PagesCallback(x,x,x,x,x,x,x)+Aj
					; EmRemoveBadS3PagesCallback(x,x,x,x,x,x,x)+10j
		xor	eax, eax
		inc	eax

loc_957C21:				; CODE XREF: EmRemoveBadS3PagesCallback(x,x,x,x,x,x,x)+40j
		pop	ebp
		retn	1Ch
_EmRemoveBadS3PagesCallback@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EmSystemArchitectureCallback(x, x, x, x, x,	x, x)
_EmSystemArchitectureCallback@28 proc near ; DATA XREF:	.text:00401B9Co

arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_10]
		xor	eax, eax
		inc	eax
		cmp	[ebp+arg_14], eax
		jz	short loc_957C39
		test	ecx, ecx
		jz	short loc_957C4B

loc_957C39:				; CODE XREF: EmSystemArchitectureCallback(x,x,x,x,x,x,x)+Ej
		movzx	eax, ds:_KeProcessorArchitecture
		cmp	[ecx], eax
		jnz	short loc_957C49
		push	2
		pop	eax
		jmp	short loc_957C4B
; 

loc_957C49:				; CODE XREF: EmSystemArchitectureCallback(x,x,x,x,x,x,x)+1Dj
		xor	eax, eax

loc_957C4B:				; CODE XREF: EmSystemArchitectureCallback(x,x,x,x,x,x,x)+12j
					; EmSystemArchitectureCallback(x,x,x,x,x,x,x)+22j
		pop	ebp
		retn	1Ch
_EmSystemArchitectureCallback@28 endp


;  S U B	R O U T	I N E 


; __stdcall EmpRemoveBadS3PageWorker(x)
_EmpRemoveBadS3PageWorker@4 proc near	; DATA XREF: EmRemoveBadS3PagesCallback(x,x,x,x,x,x,x)+2Eo
		mov	ecx, _EmpBadS3Page
		call	_WheaPersistBadPageToBcd@4 ; WheaPersistBadPageToBcd(x)
		retn	4
_EmpRemoveBadS3PageWorker@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 480. FsRtlAllocateResource

;  S U B	R O U T	I N E 


; __stdcall FsRtlAllocateResource()
		public _FsRtlAllocateResource@0
_FsRtlAllocateResource@0 proc near
		mov	ecx, ds:_FsRtlPagingIoResourceSelector
		mov	eax, ecx
		and	eax, 0Fh
		imul	eax, 38h
		add	eax, _FsRtlPagingIoResources
		inc	ecx
		mov	ds:_FsRtlPagingIoResourceSelector, ecx
		retn
_FsRtlAllocateResource@0 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 470. FsRtlAddToTunnelCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAddToTunnelCache(x, x,	x, x, x, x, x, x)
		public _FsRtlAddToTunnelCache@32
_FsRtlAddToTunnelCache@32 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_1C]
		movzx	eax, [ebp+arg_14]
		push	[ebp+arg_18]
		neg	eax
		sbb	eax, eax
		and	eax, 2
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	FsRtlAddToTunnelCacheEx
		pop	ebp
		retn	20h
_FsRtlAddToTunnelCache@32 endp ; sp = -20h

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 505. FsRtlDeleteTunnelCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlDeleteTunnelCache(x)
		public _FsRtlDeleteTunnelCache@4
_FsRtlDeleteTunnelCache@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_TunnelMaxEntries, 0
		jz	short loc_957CF6
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		push	edi
		and	dword ptr [eax+20h], 0
		lea	edi, [eax+24h]
		mov	[eax+2Ch], cx
		mov	ecx, [edi]
		cmp	ecx, edi
		jz	short loc_957CF0
		push	esi

loc_957CDD:				; CODE XREF: FsRtlDeleteTunnelCache(x)+36j
		mov	esi, [ecx]
		xor	edx, edx
		add	ecx, 0FFFFFFF4h
		call	FsRtlFreeTunnelNode
		mov	ecx, esi
		cmp	esi, edi
		jnz	short loc_957CDD
		pop	esi

loc_957CF0:				; CODE XREF: FsRtlDeleteTunnelCache(x)+23j
		mov	[edi+4], edi
		mov	[edi], edi
		pop	edi

loc_957CF6:				; CODE XREF: FsRtlDeleteTunnelCache(x)+Cj
		pop	ebp
		retn	4
_FsRtlDeleteTunnelCache@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 518. FsRtlFindInTunnelCache

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	FsRtlFindInTunnelCache(int,int,int,int,int,int,int,void	*)
		public _FsRtlFindInTunnelCache@32
_FsRtlFindInTunnelCache@32 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_1C]	; void *
		push	[ebp+arg_18]	; int
		push	0		; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		call	FsRtlFindInTunnelCacheEx
		pop	ebp
		retn	20h
_FsRtlFindInTunnelCache@32 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 633. FsRtlPrepareToReuseEcp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlPrepareToReuseEcp(x)
		public _FsRtlPrepareToReuseEcp@4
_FsRtlPrepareToReuseEcp@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax-10h], 0FFFFFFF7h
		pop	ebp
		retn	4
_FsRtlPrepareToReuseEcp@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 497. FsRtlCopyRead

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlCopyRead(x, x,	x, x, x, x, x, x)
		public _FsRtlCopyRead@32
_FsRtlCopyRead@32 proc near

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		push	18h
		push	offset dword_6A7C50
		call	__SEH_prolog4
		call	_IoGetTopLevelIrp@0 ; IoGetTopLevelIrp()
		test	eax, eax
		jz	short loc_957D5D

loc_957D56:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+57j
					; FsRtlCopyRead(x,x,x,x,x,x,x,x)+C6j ...
		xor	al, al
		jmp	loc_957F56
; 

loc_957D5D:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+13j
		mov	esi, [ebp+arg_8]
		xor	ebx, ebx
		test	esi, esi
		jz	loc_957F4C
		mov	edi, [ebp+arg_4]
		mov	edx, [edi]
		mov	eax, [edi+4]
		mov	[ebp+arg_8], eax
		or	ecx, 0FFFFFFFFh
		sub	ecx, edx
		mov	eax, 7FFFFFFFh
		sbb	eax, [ebp+arg_8]
		cmp	eax, ebx
		jg	short loc_957D9A
		jl	short loc_957D8C
		cmp	ecx, esi
		jnb	short loc_957D9A

loc_957D8C:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+45j
		mov	eax, [ebp+arg_18]
		mov	dword ptr [eax], 0C000000Dh
		mov	[eax+4], ebx
		jmp	short loc_957D56
; 

loc_957D9A:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+43j
					; FsRtlCopyRead(x,x,x,x,x,x,x,x)+49j
		mov	eax, esi
		add	eax, edx
		mov	[ebp+var_28], eax
		mov	eax, ebx
		adc	eax, [ebp+arg_8]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_20], ecx
		mov	[ebp+arg_8], ecx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		cmp	byte ptr [ebp+arg_C], bl
		jz	short loc_957DE0
		inc	large dword ptr	fs:604h
		xor	eax, eax
		inc	eax
		mov	[ebp+arg_4], eax
		push	eax
		push	dword ptr [ecx+8]
		call	ExAcquireResourceSharedLite
		jmp	short loc_957E13
; 

loc_957DE0:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+85j
		inc	large dword ptr	fs:600h
		push	ebx
		push	dword ptr [ecx+8]
		call	ExAcquireResourceSharedLite
		test	al, al
		jnz	short loc_957E0C
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		inc	large dword ptr	fs:680h
		jmp	loc_957D56
; 

loc_957E0C:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+B1j
		mov	[ebp+arg_4], 1

loc_957E13:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+9Dj
		mov	edx, [ebp+arg_0]
		cmp	[edx+18h], ebx
		jz	loc_957F29
		mov	eax, [ebp+arg_8]
		mov	al, [eax+5]
		test	al, al
		jz	loc_957F29
		cmp	al, 2
		jnz	short loc_957E54
		mov	ecx, [ebp+arg_1C]
		mov	eax, [ecx+8]
		mov	eax, [eax+28h]
		push	ecx
		push	[ebp+arg_18]
		push	1
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	esi
		push	edi
		push	edx
		call	dword ptr [eax+4]
		test	al, al
		jz	loc_957F29

loc_957E54:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+EEj
		mov	ecx, [ebp+arg_8]
		mov	edx, [ecx+18h]
		mov	eax, [ecx+1Ch]
		mov	[ebp+arg_1C], eax
		cmp	[ebp+var_24], eax
		jl	short loc_957E99
		jg	short loc_957E6C
		cmp	[ebp+var_28], edx
		jbe	short loc_957E99

loc_957E6C:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+124j
		mov	eax, [edi+4]
		cmp	eax, [ebp+arg_1C]
		jl	short loc_957E95
		jg	short loc_957E7C
		mov	eax, [edi]
		cmp	eax, edx
		jb	short loc_957E95

loc_957E7C:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+133j
		mov	eax, [ebp+arg_18]
		mov	dword ptr [eax], 0C0000011h
		mov	[eax+4], ebx
		mov	ecx, [ecx+8]
		call	ExReleaseResourceLite
		jmp	loc_957F18
; 

loc_957E95:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+131j
					; FsRtlCopyRead(x,x,x,x,x,x,x,x)+139j
		mov	esi, edx
		sub	esi, [edi]

loc_957E99:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+122j
					; FsRtlCopyRead(x,x,x,x,x,x,x,x)+129j
		push	4
		call	_IoSetTopLevelIrp@4 ; IoSetTopLevelIrp(x)
		mov	[ebp+ms_exc.disabled], ebx
		push	ebx
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_C]
		push	esi
		push	edi
		mov	esi, [ebp+arg_0]
		push	esi
		call	CcCopyReadEx
		mov	[ebp+var_19], al
		or	dword ptr [esi+2Ch], 80000h
		test	al, al
		jz	short loc_957EFA
		mov	eax, [ebp+arg_18]
		mov	eax, [eax+4]
		xor	ecx, ecx
		add	eax, [edi]
		adc	ecx, [edi+4]
		mov	[esi+38h], eax
		mov	[esi+3Ch], ecx
		jmp	short loc_957EFA
; 

loc_957EDB:				; DATA XREF: .text:006A7C64o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		push	eax
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	eax, ecx
		retn
; 

loc_957EF2:				; DATA XREF: .text:006A7C68o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	ebx, ebx
		mov	[ebp+var_19], bl

loc_957EFA:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+183j
					; FsRtlCopyRead(x,x,x,x,x,x,x,x)+198j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	ebx
		call	_IoSetTopLevelIrp@4 ; IoSetTopLevelIrp(x)
		mov	ecx, [ebp+arg_8]
		mov	ecx, [ecx+8]
		call	ExReleaseResourceLite
		mov	al, [ebp+var_19]
		mov	[ebp+arg_4], eax

loc_957F18:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+14Fj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	al, byte ptr [ebp+arg_4]
		jmp	short loc_957F56
; 

loc_957F29:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+D8j
					; FsRtlCopyRead(x,x,x,x,x,x,x,x)+E6j ...
		mov	ecx, [ebp+var_20]
		mov	ecx, [ecx+8]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		inc	large dword ptr	fs:608h
		jmp	loc_957D56
; 

loc_957F4C:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+23j
		mov	eax, [ebp+arg_18]
		mov	[eax], ebx
		mov	[eax+4], ebx
		mov	al, 1

loc_957F56:				; CODE XREF: FsRtlCopyRead(x,x,x,x,x,x,x,x)+17j
					; FsRtlCopyRead(x,x,x,x,x,x,x,x)+1E6j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
_FsRtlCopyRead@32 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 498. FsRtlCopyWrite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlCopyWrite(x, x, x, x, x, x, x,	x)
		public _FsRtlCopyWrite@32
_FsRtlCopyWrite@32 proc	near

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		push	54h
		push	offset dword_6A7C30
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_1C], bl
		mov	[ebp+var_19], 1
		mov	[ebp+var_1B], bl
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_957F97
		cmp	dword ptr [eax+4], 0FFFFFFFFh
		mov	[ebp+var_1A], 1
		jz	short loc_957F9A

loc_957F97:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+1Ej
		mov	[ebp+var_1A], bl

loc_957F9A:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+28j
		call	_IoGetTopLevelIrp@0 ; IoGetTopLevelIrp()
		test	eax, eax
		jnz	loc_95803C
		mov	edi, [ebp+arg_0]
		mov	esi, [edi+0Ch]
		mov	[ebp+var_3C], esi
		push	ebx
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	edi
		call	CcCanIWrite
		test	al, al
		jz	short loc_95803C
		test	byte ptr [edi+2Ch], 10h
		jnz	short loc_95803C
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	edi
		call	CcCopyWriteWontFlush
		test	al, al
		jz	short loc_95803C
		mov	eax, [ebp+arg_18]
		mov	[eax], ebx
		mov	ecx, [ebp+arg_8]
		mov	[eax+4], ecx
		test	ecx, ecx
		jz	loc_9583CF
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		cmp	[ebp+var_1A], bl
		jnz	short loc_958056
		mov	eax, [ebp+arg_4]
		mov	edx, [eax]
		add	edx, ecx
		mov	eax, [eax+4]
		adc	eax, ebx
		cmp	eax, [esi+24h]
		jg	short loc_958056
		jl	short loc_958021
		cmp	edx, [esi+20h]
		ja	short loc_958056

loc_958021:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+ADj
		push	[ebp+arg_C]
		push	dword ptr [esi+8]
		call	ExAcquireResourceSharedLite
		test	al, al
		jnz	short loc_958050

loc_958030:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+F6j
					; FsRtlCopyWrite(x,x,x,x,x,x,x,x)+1DEj	...
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_95803C:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+34j
					; FsRtlCopyWrite(x,x,x,x,x,x,x,x)+52j ...
		xor	al, al

loc_95803E:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+45Dj
					; FsRtlCopyWrite(x,x,x,x,x,x,x,x)+464j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_958050:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+C1j
		mov	[ebp+var_1C], 1
		jmp	short loc_958065
; 

loc_958056:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+9Aj
					; FsRtlCopyWrite(x,x,x,x,x,x,x,x)+ABj ...
		push	[ebp+arg_C]
		push	dword ptr [esi+8]
		call	ExAcquireResourceExclusiveLite
		test	al, al
		jz	short loc_958030

loc_958065:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+E7j
		cmp	[ebp+var_1A], bl
		jz	short loc_958075
		mov	eax, [esi+18h]
		mov	[ebp+var_28], eax
		mov	ecx, [esi+1Ch]
		jmp	short loc_958083
; 

loc_958075:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+FBj
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	[ebp+var_28], ecx
		mov	ecx, [eax+4]
		mov	eax, [ebp+var_28]

loc_958083:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+106j
		mov	edx, eax
		mov	[ebp+var_2C], ecx
		add	edx, [ebp+arg_8]
		adc	ecx, ebx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_40], eax
		cmp	[edi+18h], ebx
		jz	loc_958196
		mov	al, [esi+5]
		mov	byte ptr [ebp+arg_18+3], al
		test	al, al
		jz	loc_958196
		mov	edi, [esi+20h]
		mov	[ebp+var_34], edi
		mov	eax, [esi+24h]
		mov	[ebp+var_30], eax
		mov	eax, edi
		add	eax, 2000h
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_30]
		adc	eax, ebx
		cmp	[ebp+var_2C], eax
		mov	edi, [ebp+arg_0]
		jg	loc_958196
		mov	eax, [ebp+var_28]
		jl	short loc_9580EE
		cmp	eax, [ebp+var_38]
		jnb	loc_958196

loc_9580EE:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+176j
		or	[ebp+var_28], 0FFFFFFFFh
		sub	[ebp+var_28], eax
		mov	eax, 7FFFFFFFh
		sbb	eax, [ebp+var_2C]
		cmp	eax, ebx
		jl	loc_958196
		jg	short loc_958113
		mov	eax, [ebp+var_28]
		cmp	eax, [ebp+arg_8]
		jb	loc_958196

loc_958113:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+198j
		cmp	ecx, [esi+14h]
		jg	short loc_958196
		jl	short loc_95811F
		cmp	edx, [esi+10h]
		ja	short loc_958196

loc_95811F:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+1ABj
		cmp	[ebp+var_1C], bl
		jz	short loc_9581A3
		mov	al, byte ptr [ebp+arg_18+3]
		mov	byte ptr [ebp+arg_18+3], al
		cmp	ecx, [ebp+var_30]
		jl	short loc_9581A3
		jg	short loc_958136
		cmp	edx, [ebp+var_34]
		jbe	short loc_9581A3

loc_958136:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+1C2j
		mov	ecx, [esi+8]
		call	ExReleaseResourceLite
		push	[ebp+arg_C]
		push	dword ptr [esi+8]
		call	ExAcquireResourceExclusiveLite
		test	al, al
		jz	loc_958030
		cmp	[ebp+var_1A], bl
		jz	short loc_958175
		mov	eax, [esi+18h]
		mov	ecx, [esi+1Ch]
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], ecx
		add	eax, [ebp+arg_8]
		mov	[ebp+var_20], eax
		adc	ecx, ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], ecx
		jmp	short loc_95817B
; 

loc_958175:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+1E7j
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_20]

loc_95817B:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+206j
		cmp	[edi+18h], ebx
		jz	short loc_958196
		mov	dl, [esi+5]
		mov	byte ptr [ebp+arg_18+3], dl
		test	dl, dl
		jz	short loc_958196
		cmp	ecx, [esi+14h]
		jl	short loc_9581A3
		jg	short loc_958196
		cmp	eax, [esi+10h]
		jbe	short loc_9581A3

loc_958196:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+138j
					; FsRtlCopyWrite(x,x,x,x,x,x,x,x)+146j	...
		mov	ecx, [esi+8]
		call	ExReleaseResourceLite
		jmp	loc_958030
; 

loc_9581A3:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+1B5j
					; FsRtlCopyWrite(x,x,x,x,x,x,x,x)+1C0j	...
		cmp	byte ptr [ebp+arg_18+3], 2
		jnz	short loc_9581F3
		mov	edx, [ebp+arg_1C]
		mov	eax, [edx+8]
		mov	eax, [eax+28h]
		mov	[ebp+arg_18], eax
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx]
		and	eax, [ecx+4]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9581CB
		lea	ecx, [esi+18h]

loc_9581CB:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+259j
		push	edx
		lea	eax, [ebp+var_64]
		push	eax
		push	ebx
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ecx
		push	edi
		mov	eax, [ebp+arg_18]
		call	dword ptr [eax+4]
		test	al, al
		jnz	short loc_9581F3
		mov	ecx, [esi+8]
		call	ExReleaseResourceLite
		jmp	loc_9583BC
; 

loc_9581F3:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+23Aj
					; FsRtlCopyWrite(x,x,x,x,x,x,x,x)+277j
		mov	eax, [esi+18h]
		mov	edx, [esi+1Ch]
		mov	[ebp+arg_4], edx
		mov	ecx, [ebp+var_24]
		cmp	ecx, edx
		jl	short loc_958255
		mov	edx, [ebp+var_20]
		jg	short loc_95820C
		cmp	edx, eax
		jbe	short loc_958255

loc_95820C:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+299j
		mov	[ebp+var_1B], 1
		mov	[ebp+var_54], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_50], eax
		mov	eax, [esi+20h]
		mov	[ebp+var_5C], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_58], eax
		cmp	[esi+1Ch], ecx
		jz	short loc_95824F
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_95824F
		push	1
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	eax, [ebp+var_20]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_24]
		mov	[esi+1Ch], eax
		mov	ecx, [esi+0Ch]
		call	ExReleaseResourceLite
		jmp	short loc_958255
; 

loc_95824F:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+2BBj
					; FsRtlCopyWrite(x,x,x,x,x,x,x,x)+2C2j
		mov	[esi+18h], edx
		mov	[esi+1Ch], ecx

loc_958255:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+294j
					; FsRtlCopyWrite(x,x,x,x,x,x,x,x)+29Dj	...
		push	4
		call	_IoSetTopLevelIrp@4 ; IoSetTopLevelIrp(x)
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+var_40]
		lea	ecx, [esi+20h]
		cmp	eax, [ecx+4]
		jl	short loc_958284
		jg	short loc_958273
		mov	eax, [ebp+var_44]
		cmp	eax, [ecx]
		jbe	short loc_958284

loc_958273:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+2FDj
		push	[ebp+arg_C]
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	edi
		call	CcZeroData
		mov	[ebp+var_19], al

loc_958284:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+2FBj
					; FsRtlCopyWrite(x,x,x,x,x,x,x,x)+304j
		cmp	[ebp+var_19], 0
		jz	short loc_9582A0
		push	[ebp+arg_14]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		lea	eax, [ebp+var_44]
		push	eax
		push	edi
		call	_CcCopyWrite@20	; CcCopyWrite(x,x,x,x,x)
		mov	[ebp+var_19], al

loc_9582A0:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+31Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9582E1
; 

loc_9582A9:				; DATA XREF: .text:006A7C44o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		push	eax
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	eax, ecx
		retn
; 

loc_9582C0:				; DATA XREF: .text:006A7C48o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	ebx, ebx
		mov	[ebp+var_19], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+arg_0]
		mov	esi, [ebp+var_3C]
		mov	eax, [ebp+var_48]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_20], eax

loc_9582E1:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+33Aj
		push	ebx
		call	_IoSetTopLevelIrp@4 ; IoSetTopLevelIrp(x)
		cmp	[ebp+var_19], 0
		jz	short loc_958362
		mov	ebx, [ebp+var_24]
		mov	ecx, [ebp+var_20]
		cmp	ebx, [esi+24h]
		jl	short loc_95832F
		jg	short loc_9582FF
		cmp	ecx, [esi+20h]
		jbe	short loc_95832F

loc_9582FF:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+38Bj
		cmp	[esi+24h], ebx
		jz	short loc_958329
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_958329
		push	1
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	eax, [ebp+var_20]
		mov	[esi+20h], eax
		mov	[esi+24h], ebx
		mov	ecx, [esi+0Ch]
		call	ExReleaseResourceLite
		mov	ecx, [ebp+var_20]
		jmp	short loc_95832F
; 

loc_958329:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+395j
					; FsRtlCopyWrite(x,x,x,x,x,x,x,x)+39Cj
		mov	[esi+20h], ecx
		mov	[esi+24h], ebx

loc_95832F:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+389j
					; FsRtlCopyWrite(x,x,x,x,x,x,x,x)+390j	...
		or	dword ptr [edi+2Ch], 1000h
		cmp	[ebp+var_1B], 0
		jz	short loc_95834F
		mov	eax, [edi+14h]
		mov	eax, [eax+4]
		mov	[eax+8], ecx
		mov	[eax+0Ch], ebx
		or	dword ptr [edi+2Ch], 2000h

loc_95834F:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+3CDj
		xor	eax, eax
		mov	ecx, [ebp+arg_8]
		add	ecx, [ebp+var_44]
		adc	eax, [ebp+var_40]
		mov	[edi+38h], ecx
		mov	[edi+3Ch], eax
		jmp	short loc_9583B1
; 

loc_958362:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+37Ej
		cmp	[ebp+var_1B], 0
		jz	short loc_9583B1
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_958399
		push	1
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	eax, [ebp+var_54]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_50]
		mov	[esi+1Ch], eax
		mov	eax, [ebp+var_5C]
		mov	[esi+20h], eax
		mov	eax, [ebp+var_58]
		mov	[esi+24h], eax
		mov	ecx, [esi+0Ch]
		call	ExReleaseResourceLite
		jmp	short loc_9583B1
; 

loc_958399:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+400j
		mov	eax, [ebp+var_54]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_50]
		mov	[esi+1Ch], eax
		mov	eax, [ebp+var_5C]
		mov	[esi+20h], eax
		mov	eax, [ebp+var_58]
		mov	[esi+24h], eax

loc_9583B1:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+3F3j
					; FsRtlCopyWrite(x,x,x,x,x,x,x,x)+3F9j	...
		mov	ecx, [esi+8]
		call	ExReleaseResourceLite
		mov	bl, [ebp+var_19]

loc_9583BC:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+281j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	al, bl
		jmp	loc_95803E
; 

loc_9583CF:				; CODE XREF: FsRtlCopyWrite(x,x,x,x,x,x,x,x)+77j
		mov	al, 1
		jmp	loc_95803E
_FsRtlCopyWrite@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlGetDirectImageOriginalBase(x, x)
_FsRtlGetDirectImageOriginalBase@8 proc	near ; CODE XREF: MiCreateNewSection(x,x)+44Ap

var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], edx
		lea	edi, [ebp+var_1C]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		push	eax
		push	eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		call	IoGetRelatedDeviceObject
		mov	esi, eax
		push	0
		movzx	ecx, byte ptr [esi+30h]
		push	ecx
		push	esi
		call	IoAllocateIrpEx
		mov	edx, eax
		test	edx, edx
		jnz	short loc_958424
		mov	eax, 0C000009Ah
		jmp	short loc_958483
; 

loc_958424:				; CODE XREF: FsRtlGetDirectImageOriginalBase(x,x)+45j
		lea	eax, [ebp+var_C]
		mov	byte ptr [edx+20h], 0
		mov	[edx+28h], eax
		mov	ecx, esi
		lea	eax, [ebp+var_1C]
		mov	[edx+2Ch], eax
		mov	eax, [ebp+var_4]
		mov	[edx+0Ch], eax
		mov	eax, large fs:124h
		mov	[edx+50h], eax
		mov	eax, [edx+60h]
		mov	[eax-0Ch], ebx
		xor	ebx, ebx
		mov	word ptr [eax-24h], 0Dh
		mov	dword ptr [eax-18h], 903A4h
		mov	[eax-1Ch], ebx
		mov	dword ptr [eax-20h], 4
		mov	[eax-14h], ebx
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_958483
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_C]

loc_958483:				; CODE XREF: FsRtlGetDirectImageOriginalBase(x,x)+4Cj
					; FsRtlGetDirectImageOriginalBase(x,x)+9Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_FsRtlGetDirectImageOriginalBase@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 579. FsRtlLogCcFlushError

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	FsRtlLogCcFlushError(size_t,int,int,int,char)
		public _FsRtlLogCcFlushError@20
_FsRtlLogCcFlushError@20 proc near	; CODE XREF: CcMmLogLostDelayedWriteError(x,x)+62p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		inc	eax
		mov	edx, [edx+20h]
		mov	ecx, eax
		push	edi
		shr	edx, 4
		xor	ebx, ebx
		push	esi
		and	edx, eax
		call	MmIsWriteErrorFatal
		test	eax, eax
		jz	loc_9586A9
		mov	eax, 0C00000C9h
		cmp	esi, eax
		jg	short loc_958536
		jz	loc_95859F
		add	eax, 0FFFFFFD4h
		cmp	esi, eax
		jg	short loc_958516
		jz	short loc_9584F4
		cmp	esi, 0C0000008h
		jz	short loc_958505
		cmp	esi, 0C0000022h
		jz	short loc_958505
		cmp	esi, 0C000007Fh
		jz	short loc_958505
		cmp	esi, 0C0000098h
		jnz	loc_958591

loc_9584F4:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+41j
					; FsRtlLogCcFlushError(x,x,x,x,x)+8Fj
		mov	eax, 0C000A082h
		mov	[ebp+arg_C], 8004008Dh
		jmp	loc_9585AB
; 

loc_958505:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+49j
					; FsRtlLogCcFlushError(x,x,x,x,x)+51j ...
		mov	eax, 0C000A081h
		mov	[ebp+arg_C], 8004008Ch
		jmp	loc_9585AB
; 

loc_958516:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+3Fj
		cmp	esi, 0C00000A2h
		jz	short loc_9584F4
		cmp	esi, 0C00000BCh
		jz	short loc_95859F
		cmp	esi, 0C00000BEh
		jz	short loc_95859F
		cmp	esi, 0C00000C4h
		jmp	short loc_95858F
; 

loc_958536:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+32j
		mov	eax, 0C000023Ch
		cmp	esi, eax
		jg	short loc_958569
		jz	short loc_95859F
		cmp	esi, 0C00000CCh
		jz	short loc_95859F
		cmp	esi, 0C0000203h
		jz	short loc_95859F
		cmp	esi, 0C000020Bh
		jle	short loc_958591
		cmp	esi, 0C000020Dh
		jle	short loc_95859F
		cmp	esi, 0C0000236h
		jmp	short loc_95858F
; 

loc_958569:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+B0j
		cmp	esi, 0C0000241h
		jz	short loc_95859F
		cmp	esi, 0C000035Ch
		jz	short loc_95859F
		cmp	esi, 0C0000465h
		jle	short loc_958591
		cmp	esi, 0C0000467h
		jle	short loc_95859F
		cmp	esi, 0C0000480h

loc_95858F:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+A7j
					; FsRtlLogCcFlushError(x,x,x,x,x)+DAj
		jz	short loc_95859F

loc_958591:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+61j
					; FsRtlLogCcFlushError(x,x,x,x,x)+CAj ...
		mov	eax, 0C0000222h
		mov	[ebp+arg_C], 80040032h
		jmp	short loc_9585AB
; 

loc_95859F:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+34j
					; FsRtlLogCcFlushError(x,x,x,x,x)+97j ...
		mov	eax, 0C000A080h
		mov	[ebp+arg_C], 8004008Bh

loc_9585AB:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+73j
					; FsRtlLogCcFlushError(x,x,x,x,x)+84j ...
		inc	large dword ptr	fs:67Ch
		test	[ebp+arg_10], 1
		mov	edi, [ebp+arg_0]
		jnz	short loc_9585C3
		push	ebx
		push	edi
		push	eax
		call	_IoRaiseInformationalHardError@12 ; IoRaiseInformationalHardError(x,x,x)

loc_9585C3:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+12Cj
		test	[ebp+arg_10], 2
		jnz	loc_9586A7
		movzx	eax, word ptr [edi]
		mov	ebx, 98h
		add	eax, 32h
		cmp	eax, ebx
		ja	short loc_9585E1
		mov	bl, [edi]
		add	bl, 32h

loc_9585E1:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+14Dj
		mov	[ebp+arg_10], bl
		push	dword ptr [ebp+arg_10]
		push	[ebp+arg_4]
		call	_IoAllocateErrorLogEntry@8 ; IoAllocateErrorLogEntry(x,x)
		mov	dword ptr [ebp+arg_10],	eax
		test	eax, eax
		jz	loc_9586A2
		mov	ecx, [ebp+arg_C]
		lea	edi, [eax+30h]
		push	4
		pop	edx
		mov	[eax], dl
		mov	[eax+2], dx
		xor	edx, edx
		mov	[eax+0Ch], ecx
		inc	edx
		movzx	ecx, bl
		mov	ebx, [ebp+arg_0]
		sub	ecx, 32h
		mov	[eax+4], dx
		push	30h
		pop	edx
		mov	[eax+14h], esi
		mov	[eax+28h], esi
		mov	[eax+6], dx
		movzx	eax, word ptr [ebx]
		mov	edx, [ebx+4]
		cmp	ecx, eax
		jnb	short loc_95867E
		mov	eax, ecx
		shr	eax, 2
		lea	esi, ds:0FFFFFFFCh[eax*2]
		push	esi		; size_t
		sub	ecx, esi
		push	edx		; void *
		sub	ecx, 8
		push	edi		; void *
		mov	[ebp+arg_0], ecx
		call	_memcpy
		add	edi, esi
		add	esp, 0Ch
		mov	esi, [ebp+arg_0]
		mov	dword ptr [edi], 2E0020h
		mov	dword ptr [edi+4], 20002Eh
		add	edi, 8
		movzx	eax, word ptr [ebx]
		sub	eax, esi
		add	eax, [ebx+4]
		push	esi		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, esi
		jmp	short loc_958691
; 

loc_95867E:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+1A4j
		push	eax		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		movzx	eax, word ptr [ebx]
		add	esp, 0Ch
		shr	eax, 1
		lea	edi, [edi+eax*2]

loc_958691:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+1EFj
		push	dword ptr [ebp+arg_10]
		xor	eax, eax
		mov	[edi], ax
		call	IoWriteErrorLogEntry
		xor	ebx, ebx
		jmp	short loc_9586A7
; 

loc_9586A2:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+167j
		mov	ebx, 0C000009Ah

loc_9586A7:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+13Aj
					; FsRtlLogCcFlushError(x,x,x,x,x)+213j
		mov	eax, ebx

loc_9586A9:				; CODE XREF: FsRtlLogCcFlushError(x,x,x,x,x)+25j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
_FsRtlLogCcFlushError@20 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 594. FsRtlMdlReadDev

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlMdlReadDev(x, x, x, x,	x, x, x)
		public _FsRtlMdlReadDev@28
_FsRtlMdlReadDev@28 proc near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		push	10h
		push	offset dword_6A7C10
		call	__SEH_prolog4
		xor	ebx, ebx
		inc	ebx
		call	_IoGetTopLevelIrp@0 ; IoGetTopLevelIrp()
		test	eax, eax
		jnz	loc_958828
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jnz	short loc_9586E7
		mov	ecx, [ebp+arg_14]
		and	[ecx], esi
		and	[ecx+4], esi

loc_9586E0:				; CODE XREF: FsRtlMdlReadDev(x,x,x,x,x,x,x)+F7j
		mov	al, bl
		jmp	loc_95882A
; 

loc_9586E7:				; CODE XREF: FsRtlMdlReadDev(x,x,x,x,x,x,x)+21j
		mov	eax, esi
		xor	ecx, ecx
		mov	edi, [ebp+arg_4]
		add	eax, [edi]
		mov	[ebp+var_20], eax
		adc	ecx, [edi+4]
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+0Ch]
		mov	[ebp+arg_8], ecx
		mov	[ebp+arg_4], ecx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		inc	large dword ptr	fs:644h
		push	ebx
		push	dword ptr [ecx+8]
		call	ExAcquireResourceSharedLite
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		cmp	dword ptr [edx+18h], 0
		jz	loc_95880D
		mov	al, [ecx+5]
		test	al, al
		jz	loc_95880D
		cmp	al, 2
		jnz	short loc_958765
		mov	ecx, [ebp+arg_18]
		mov	eax, [ecx+8]
		mov	eax, [eax+28h]
		push	ecx
		push	[ebp+arg_14]
		push	ebx
		push	[ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		push	edx
		call	dword ptr [eax+4]
		mov	ecx, [ebp+arg_8]
		test	al, al
		jz	loc_95880D

loc_958765:				; CODE XREF: FsRtlMdlReadDev(x,x,x,x,x,x,x)+8Bj
		mov	eax, [ebp+arg_4]
		mov	edx, [eax+18h]
		mov	eax, [eax+1Ch]
		mov	[ebp+arg_8], eax
		cmp	[ebp+var_1C], eax
		jl	short loc_9587B9
		jg	short loc_95877D
		cmp	[ebp+var_20], edx
		jbe	short loc_9587B9

loc_95877D:				; CODE XREF: FsRtlMdlReadDev(x,x,x,x,x,x,x)+C1j
		mov	eax, [edi+4]
		cmp	eax, [ebp+arg_8]
		jl	short loc_9587B1
		jg	short loc_95878B
		cmp	[edi], edx
		jb	short loc_9587B1

loc_95878B:				; CODE XREF: FsRtlMdlReadDev(x,x,x,x,x,x,x)+D0j
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 0C0000011h
		and	dword ptr [eax+4], 0

loc_958798:				; CODE XREF: FsRtlMdlReadDev(x,x,x,x,x,x,x)+156j
		mov	ecx, [ecx+8]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_9586E0
; 

loc_9587B1:				; CODE XREF: FsRtlMdlReadDev(x,x,x,x,x,x,x)+CEj
					; FsRtlMdlReadDev(x,x,x,x,x,x,x)+D4j
		mov	esi, [ebp+arg_4]
		mov	esi, [esi+18h]
		sub	esi, [edi]

loc_9587B9:				; CODE XREF: FsRtlMdlReadDev(x,x,x,x,x,x,x)+BFj
					; FsRtlMdlReadDev(x,x,x,x,x,x,x)+C6j
		push	4
		call	_IoSetTopLevelIrp@4 ; IoSetTopLevelIrp(x)
		and	[ebp+ms_exc.disabled], 0
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	esi
		push	edi
		mov	esi, [ebp+arg_0]
		push	esi
		call	CcMdlRead
		or	dword ptr [esi+2Ch], 80000h
		jmp	short loc_9587FA
; 

loc_9587DE:				; DATA XREF: .text:006A7C24o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		push	eax
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	eax, ecx
		retn
; 

loc_9587F5:				; DATA XREF: .text:006A7C28o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	bl, bl

loc_9587FA:				; CODE XREF: FsRtlMdlReadDev(x,x,x,x,x,x,x)+127j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	0
		call	_IoSetTopLevelIrp@4 ; IoSetTopLevelIrp(x)
		mov	ecx, [ebp+arg_4]
		jmp	short loc_958798
; 

loc_95880D:				; CODE XREF: FsRtlMdlReadDev(x,x,x,x,x,x,x)+78j
					; FsRtlMdlReadDev(x,x,x,x,x,x,x)+83j ...
		mov	ecx, [ecx+8]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		inc	large dword ptr	fs:648h

loc_958828:				; CODE XREF: FsRtlMdlReadDev(x,x,x,x,x,x,x)+16j
		xor	al, al

loc_95882A:				; CODE XREF: FsRtlMdlReadDev(x,x,x,x,x,x,x)+2Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_FsRtlMdlReadDev@28 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 596. FsRtlMdlWriteComplete

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlMdlWriteComplete(x, x,	x)
		public _FsRtlMdlWriteComplete@12
_FsRtlMdlWriteComplete@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	IoGetRelatedDeviceObject
		mov	ecx, [eax+8]
		mov	ecx, [ecx+28h]
		test	ecx, ecx
		jz	short loc_958872
		cmp	dword ptr [ecx], 4Ch
		jbe	short loc_958872
		mov	ecx, [ecx+4Ch]
		test	ecx, ecx
		jz	short loc_958872
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ecx
		jmp	short loc_958874
; 

loc_958872:				; CODE XREF: FsRtlMdlWriteComplete(x,x,x)+15j
					; FsRtlMdlWriteComplete(x,x,x)+1Aj ...
		xor	al, al

loc_958874:				; CODE XREF: FsRtlMdlWriteComplete(x,x,x)+2Fj
		pop	ebp
		retn	0Ch
_FsRtlMdlWriteComplete@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 631. FsRtlPrepareMdlWriteDev

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlPrepareMdlWriteDev(x, x, x, x,	x, x, x)
		public _FsRtlPrepareMdlWriteDev@28
_FsRtlPrepareMdlWriteDev@28 proc near

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= byte ptr -1Ch
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		push	40h
		push	offset dword_6A7BF0
		call	__SEH_prolog4
		mov	edi, [ebp+arg_8]
		xor	ebx, ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_1A], 1
		mov	[ebp+var_1D], bl
		mov	[ebp+var_1C], bl
		or	ecx, 0FFFFFFFFh
		mov	eax, [ebp+arg_4]
		cmp	[eax], ecx
		jnz	short loc_9588B7
		cmp	[eax+4], ecx
		mov	[ebp+var_1B], 1
		jz	short loc_9588BA

loc_9588B7:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+2Fj
		mov	[ebp+var_1B], bl

loc_9588BA:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+38j
		call	_IoGetTopLevelIrp@0 ; IoGetTopLevelIrp()
		test	eax, eax
		jnz	loc_958A55
		push	ebx
		push	1
		push	edi
		mov	esi, [ebp+arg_0]
		push	esi
		call	CcCanIWrite
		test	al, al
		jz	loc_958A55
		test	byte ptr [esi+2Ch], 10h
		jnz	loc_958A55
		mov	eax, [ebp+arg_14]
		mov	[eax], ebx
		test	edi, edi
		jnz	short loc_9588F6
		mov	al, 1
		jmp	loc_958A57
; 

loc_9588F6:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+70j
		mov	esi, [esi+0Ch]
		mov	[ebp+var_30], esi
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		cmp	[ebp+var_1B], bl
		jnz	short loc_958937
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		add	ecx, edi
		mov	eax, [eax+4]
		adc	eax, ebx
		cmp	eax, [esi+24h]
		jg	short loc_958937
		jl	short loc_958927
		cmp	ecx, [esi+20h]
		ja	short loc_958937

loc_958927:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+A3j
		push	1
		push	dword ptr [esi+8]
		call	ExAcquireResourceSharedLite
		mov	[ebp+var_1D], 1
		jmp	short loc_958941
; 

loc_958937:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+90j
					; FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+A1j ...
		push	1
		push	dword ptr [esi+8]
		call	ExAcquireResourceExclusiveLite

loc_958941:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+B8j
		cmp	[ebp+var_1B], bl
		jz	short loc_958962
		mov	eax, [esi+18h]
		mov	[ebp+var_28], eax
		mov	ecx, [esi+1Ch]
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], ecx
		mov	ecx, [esi+18h]
		add	ecx, edi
		mov	edi, [esi+1Ch]
		jmp	short loc_95897A
; 

loc_958962:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+C7j
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	[ebp+var_28], ecx
		mov	eax, [eax+4]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], eax
		add	ecx, edi
		mov	edi, eax

loc_95897A:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+E3j
		adc	edi, ebx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_40], ecx
		mov	[ebp+var_24], ecx
		mov	edx, [ebp+arg_0]
		cmp	[edx+18h], ebx
		jz	loc_958A41
		mov	al, [esi+5]
		mov	[ebp+var_19], al
		test	al, al
		jz	loc_958A41
		or	eax, 0FFFFFFFFh
		sub	eax, [ebp+var_28]
		mov	[ebp+var_28], eax
		mov	eax, 7FFFFFFFh
		sbb	eax, [ebp+var_2C]
		cmp	eax, ebx
		jl	loc_958A41
		jg	short loc_9589C2
		mov	eax, [ebp+var_28]
		cmp	eax, [ebp+arg_8]
		jb	short loc_958A41

loc_9589C2:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+13Bj
		cmp	edi, [esi+14h]
		jg	short loc_958A41
		jl	short loc_9589CE
		cmp	ecx, [esi+10h]
		ja	short loc_958A41

loc_9589CE:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+14Aj
		cmp	[ebp+var_1D], bl
		jz	loc_958A6D
		mov	al, [ebp+var_19]
		cmp	edi, [esi+24h]
		jl	loc_958A69
		jg	short loc_9589EA
		cmp	ecx, [esi+20h]
		jbe	short loc_958A69

loc_9589EA:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+166j
		mov	ecx, [esi+8]
		call	ExReleaseResourceLite
		push	1
		push	dword ptr [esi+8]
		call	ExAcquireResourceExclusiveLite
		cmp	[ebp+var_1B], bl
		jz	short loc_958A23
		mov	eax, [esi+18h]
		mov	[ebp+var_38], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_34], eax
		mov	eax, [esi+18h]
		add	eax, [ebp+arg_8]
		mov	[ebp+var_24], eax
		mov	edi, [esi+1Ch]
		adc	edi, ebx
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], edi
		jmp	short loc_958A26
; 

loc_958A23:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+182j
		mov	eax, [ebp+var_24]

loc_958A26:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+1A4j
		mov	edx, [ebp+arg_0]
		cmp	[edx+18h], ebx
		jz	short loc_958A41
		mov	cl, [esi+5]
		test	cl, cl
		jz	short loc_958A41
		cmp	edi, [esi+14h]
		jl	short loc_958A70
		jg	short loc_958A41
		cmp	eax, [esi+10h]
		jbe	short loc_958A70

loc_958A41:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+10Ej
					; FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+11Cj ...
		mov	ecx, [esi+8]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_958A55:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+44j
					; FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+59j ...
		xor	al, al

loc_958A57:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+74j
					; FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+3C4j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_958A69:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+160j
					; FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+16Bj
		mov	cl, al
		jmp	short loc_958A70
; 

loc_958A6D:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+154j
		mov	cl, [ebp+var_19]

loc_958A70:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+1BBj
					; FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+1C2j ...
		cmp	cl, 2
		jnz	short loc_958A96
		mov	ecx, [ebp+arg_18]
		mov	eax, [ecx+8]
		mov	eax, [eax+28h]
		push	ecx
		push	[ebp+arg_14]
		push	ebx
		push	[ebp+arg_C]
		push	1
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	edx
		call	dword ptr [eax+4]
		test	al, al
		jz	short loc_958A41

loc_958A96:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+1F6j
		mov	eax, [esi+18h]
		mov	edx, [esi+1Ch]
		cmp	edi, edx
		jl	short loc_958AEB
		mov	ecx, [ebp+var_24]
		jg	short loc_958AA9
		cmp	ecx, eax
		jbe	short loc_958AEB

loc_958AA9:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+226j
		mov	[ebp+var_1C], 1
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], edx
		mov	eax, [esi+20h]
		mov	[ebp+var_50], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_4C], eax
		cmp	edx, edi
		jz	short loc_958AE5
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_958AE5
		push	1
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	eax, [ebp+var_24]
		mov	[esi+18h], eax
		mov	[esi+1Ch], edi
		mov	ecx, [esi+0Ch]
		call	ExReleaseResourceLite
		jmp	short loc_958AEB
; 

loc_958AE5:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+244j
					; FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+24Bj
		mov	[esi+18h], ecx
		mov	[esi+1Ch], edi

loc_958AEB:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+221j
					; FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+22Aj ...
		push	4
		call	_IoSetTopLevelIrp@4 ; IoSetTopLevelIrp(x)
		mov	[ebp+ms_exc.disabled], ebx
		lea	ecx, [esi+20h]
		mov	eax, [ebp+var_34]
		cmp	eax, [ecx+4]
		jl	short loc_958B1B
		jg	short loc_958B09
		mov	eax, [ebp+var_38]
		cmp	eax, [ecx]
		jbe	short loc_958B1B

loc_958B09:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+283j
		push	1
		lea	eax, [ebp+var_38]
		push	eax
		push	ecx
		push	[ebp+arg_0]
		call	CcZeroData
		mov	[ebp+var_1A], al

loc_958B1B:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+281j
					; FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+28Aj
		cmp	[ebp+var_1A], 0
		jz	short loc_958B36
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		lea	eax, [ebp+var_38]
		push	eax
		push	[ebp+arg_0]
		call	CcPrepareMdlWrite

loc_958B36:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+2A2j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_958B71
; 

loc_958B3F:				; DATA XREF: .text:006A7C04o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		push	eax
		call	_FsRtlIsNtstatusExpected@4 ; FsRtlIsNtstatusExpected(x)
		xor	ecx, ecx
		test	al, al
		setnz	cl
		mov	eax, ecx
		retn
; 

loc_958B56:				; DATA XREF: .text:006A7C08o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	ebx, ebx
		mov	[ebp+var_1A], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_30]
		mov	edi, [ebp+var_3C]
		mov	eax, [ebp+var_40]
		mov	[ebp+var_24], eax

loc_958B71:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+2C0j
		push	ebx
		call	_IoSetTopLevelIrp@4 ; IoSetTopLevelIrp(x)
		cmp	[ebp+var_1A], 0
		jz	short loc_958BDB
		mov	ebx, [ebp+var_24]
		cmp	edi, [esi+24h]
		jl	short loc_958BB6
		jg	short loc_958B8C
		cmp	ebx, [esi+20h]
		jbe	short loc_958BB6

loc_958B8C:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+308j
		cmp	[esi+24h], edi
		jz	short loc_958BB0
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_958BB0
		push	1
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	[esi+20h], ebx
		mov	[esi+24h], edi
		mov	ecx, [esi+0Ch]
		call	ExReleaseResourceLite
		jmp	short loc_958BB6
; 

loc_958BB0:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+312j
					; FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+319j
		mov	[esi+20h], ebx
		mov	[esi+24h], edi

loc_958BB6:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+306j
					; FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+30Dj ...
		mov	ecx, [ebp+arg_0]
		or	dword ptr [ecx+2Ch], 1000h
		cmp	[ebp+var_1C], 0
		jz	short loc_958C2A
		mov	eax, [ecx+14h]
		mov	eax, [eax+4]
		mov	[eax+8], ebx
		mov	[eax+0Ch], edi
		or	dword ptr [ecx+2Ch], 2000h
		jmp	short loc_958C2A
; 

loc_958BDB:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+2FEj
		cmp	[ebp+var_1C], 0
		jz	short loc_958C2A
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_958C12
		push	1
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	eax, [ebp+var_48]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_44]
		mov	[esi+1Ch], eax
		mov	eax, [ebp+var_50]
		mov	[esi+20h], eax
		mov	eax, [ebp+var_4C]
		mov	[esi+24h], eax
		mov	ecx, [esi+0Ch]
		call	ExReleaseResourceLite
		jmp	short loc_958C2A
; 

loc_958C12:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+369j
		mov	eax, [ebp+var_48]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_44]
		mov	[esi+1Ch], eax
		mov	eax, [ebp+var_50]
		mov	[esi+20h], eax
		mov	eax, [ebp+var_4C]
		mov	[esi+24h], eax

loc_958C2A:				; CODE XREF: FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+347j
					; FsRtlPrepareMdlWriteDev(x,x,x,x,x,x,x)+35Cj ...
		mov	ecx, [esi+8]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	al, [ebp+var_1A]
		jmp	loc_958A57
_FsRtlPrepareMdlWriteDev@28 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 553. FsRtlInitializeMcb

;  S U B	R O U T	I N E 


; __stdcall FsRtlInitializeMcb(x, x)
		public _FsRtlInitializeMcb@8
_FsRtlInitializeMcb@8 proc near
		jmp	FsRtlInitializeLargeMcb
_FsRtlInitializeMcb@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 676. FsRtlUninitializeMcb

;  S U B	R O U T	I N E 


; __stdcall FsRtlUninitializeMcb(x)
		public _FsRtlUninitializeMcb@4
_FsRtlUninitializeMcb@4	proc near
		jmp	_FsRtlUninitializeLargeMcb@4 ; FsRtlUninitializeLargeMcb(x)
_FsRtlUninitializeMcb@4	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 506. FsRtlDeregisterUncProvider

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlDeregisterUncProvider(x)
		public _FsRtlDeregisterUncProvider@4
_FsRtlDeregisterUncProvider@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_958C9F
		test	eax, eax
		jz	short loc_958C9F
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		test	eax, eax
		js	short loc_958C9F
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, offset _FsRtlpUncSemaphore
		push	edi
		push	edi
		push	edi
		push	edi
		push	esi
		call	KeWaitForSingleObject
		dec	ds:_FsRtlpRedirs
		push	edi
		push	1
		push	edi
		push	esi
		call	KeReleaseSemaphore
		pop	edi
		pop	esi

loc_958C9F:				; CODE XREF: FsRtlDeregisterUncProvider(x)+Bj
					; FsRtlDeregisterUncProvider(x)+Fj ...
		pop	ebp
		retn	4
_FsRtlDeregisterUncProvider@4 endp

; 
		align 8
; Exported entry 598. FsRtlMupGetProviderIdFromName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlMupGetProviderIdFromName(x, x)
		public _FsRtlMupGetProviderIdFromName@8
_FsRtlMupGetProviderIdFromName@8 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_pFsRtlpMupCalls
		test	eax, eax
		jz	short loc_958CBA
		pop	ebp
		jmp	dword ptr [eax+4]
; 

loc_958CBA:				; CODE XREF: FsRtlMupGetProviderIdFromName(x,x)+Cj
		mov	eax, 0C00000BBh
		pop	ebp
		retn	8
_FsRtlMupGetProviderIdFromName@8 endp

; 
		align 8
; Exported entry 599. FsRtlMupGetProviderInfoFromFileObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlMupGetProviderInfoFromFileObject(x, x,	x, x)
		public _FsRtlMupGetProviderInfoFromFileObject@16
_FsRtlMupGetProviderInfoFromFileObject@16 proc near
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_pFsRtlpMupCalls
		test	eax, eax
		jz	short loc_958CD9
		pop	ebp
		jmp	dword ptr [eax]
; 

loc_958CD9:				; CODE XREF: FsRtlMupGetProviderInfoFromFileObject(x,x,x,x)+Cj
		mov	eax, 0C00000BBh
		pop	ebp
		retn	10h
_FsRtlMupGetProviderInfoFromFileObject@16 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 643. FsRtlRegisterUncProvider

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlRegisterUncProvider(x,	x, x)
		public _FsRtlRegisterUncProvider@12
_FsRtlRegisterUncProvider@12 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		xor	eax, eax
		push	8
		pop	ecx
		mov	[ebp+var_8], eax
		mov	word ptr [ebp+var_8], cx
		mov	ecx, 100h
		mov	[ebp+var_4], eax
		mov	word ptr [ebp+var_8+2],	cx
		cmp	[ebp+arg_8], al
		jz	short loc_958D11
		or	eax, 1
		mov	[ebp+var_4], eax

loc_958D11:				; CODE XREF: FsRtlRegisterUncProvider(x,x,x)+22j
		push	[ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+var_8]
		push	eax
		xor	edx, edx
		call	FsRtlpRegisterUncProvider
		leave
		retn	0Ch
_FsRtlRegisterUncProvider@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 645. FsRtlRegisterUncProviderEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlRegisterUncProviderEx(x, x, x,	x)
		public _FsRtlRegisterUncProviderEx@16
_FsRtlRegisterUncProviderEx@16 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		push	8
		pop	eax
		push	[ebp+arg_0]
		mov	word ptr [ebp+var_8], ax
		mov	eax, 101h
		mov	word ptr [ebp+var_8+2],	ax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	eax
		call	FsRtlpRegisterUncProvider
		leave
		retn	10h
_FsRtlRegisterUncProviderEx@16 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 502. FsRtlCurrentOplockH

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlCurrentOplockH(x)
		public _FsRtlCurrentOplockH@4
_FsRtlCurrentOplockH@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	cl, cl
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_958D7E
		test	dword ptr [eax+48h], 2000h
		jz	short loc_958D7E
		inc	cl

loc_958D7E:				; CODE XREF: FsRtlCurrentOplockH(x)+Ej
					; FsRtlCurrentOplockH(x)+17j
		mov	al, cl
		pop	ebp
		retn	4
_FsRtlCurrentOplockH@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 523. FsRtlGetCurrentProcessLoaderList

;  S U B	R O U T	I N E 


; __stdcall FsRtlGetCurrentProcessLoaderList()
		public _FsRtlGetCurrentProcessLoaderList@0
_FsRtlGetCurrentProcessLoaderList@0 proc near
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+17Ch]
		mov	eax, [eax+0Ch]
		add	eax, 0Ch
		retn
_FsRtlGetCurrentProcessLoaderList@0 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 560. FsRtlIs32BitProcess

;  S U B	R O U T	I N E 


; __stdcall FsRtlIs32BitProcess(x)
		public _FsRtlIs32BitProcess@4
_FsRtlIs32BitProcess@4 proc near
		mov	al, 1
		retn	4
_FsRtlIs32BitProcess@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 679. FsRtlUpperOplockFsctrl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlUpperOplockFsctrl(x, x, x, x, x)
		public _FsRtlUpperOplockFsctrl@20
_FsRtlUpperOplockFsctrl@20 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	edx, eax
		inc	ecx
		and	eax, 6
		and	edx, ecx
		shl	eax, 0Ch
		shl	edx, 0Ch
		xor	esi, esi
		mov	ebx, [edi+60h]
		or	edx, eax
		mov	ecx, esi
		mov	al, [ebx]
		mov	byte ptr [ebp+arg_C+3],	al
		test	al, al
		jnz	short loc_958E31
		mov	esi, [ebx+8]
		bt	esi, 14h
		setb	cl
		bt	edx, 0Eh
		setnb	al
		test	cl, al
		jz	short loc_958E19

loc_958DF6:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+7Ej
		xor	ebx, ebx
		mov	esi, 0C00000E2h
		inc	ebx

loc_958DFE:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+FBj
		cmp	byte ptr [ebp+arg_C+3],	0Dh
		jnz	short loc_958E10
		mov	dl, bl
		mov	[edi+18h], esi
		mov	ecx, edi
		call	IofCompleteRequest

loc_958E10:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+51j
					; FsRtlUpperOplockFsctrl(x,x,x,x,x)+114j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
; 

loc_958E19:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+43j
		bt	esi, 10h
		setb	cl
		bt	edx, 0Dh
		setnb	al
		test	cl, al
		jz	loc_958EB2
		jmp	short loc_958DF6
; 

loc_958E31:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+2Ej
		mov	eax, [ebx+0Ch]
		sub	eax, 90000h
		jz	short loc_958E96
		sub	eax, 4
		jz	short loc_958E92
		sub	eax, 4
		jz	short loc_958E8E
		sub	eax, 54h
		jz	short loc_958E8A
		sub	eax, 1E4h
		jnz	short loc_958EB2
		cmp	dword ptr [ebx+8], 0Ch
		jnb	short loc_958E5E
		mov	esi, 0C0000023h
		jmp	short loc_958E99
; 

loc_958E5E:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+A4j
		mov	eax, [edi+0Ch]
		xor	ebx, ebx
		inc	ebx
		cmp	[eax], bx
		jbe	short loc_958E70
		mov	esi, 0C000000Dh
		jmp	short loc_958E9C
; 

loc_958E70:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+B6j
		test	byte ptr [eax+8], 2
		jnz	short loc_958EB2
		mov	eax, [eax+4]
		mov	ecx, eax
		and	ecx, ebx
		and	eax, 6
		shl	ecx, 0Ch
		shl	eax, 0Ch
		or	ecx, eax
		jmp	short loc_958E9C
; 

loc_958E8A:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+97j
		push	8
		jmp	short loc_958E98
; 

loc_958E8E:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+92j
		push	4
		jmp	short loc_958E98
; 

loc_958E92:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+8Dj
		push	10h
		jmp	short loc_958E98
; 

loc_958E96:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+88j
		push	2

loc_958E98:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+DBj
					; FsRtlUpperOplockFsctrl(x,x,x,x,x)+DFj ...
		pop	ecx

loc_958E99:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+ABj
		xor	ebx, ebx
		inc	ebx

loc_958E9C:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+BDj
					; FsRtlUpperOplockFsctrl(x,x,x,x,x)+D7j
		call	FsRtlpOplockUpperLowerCompatible
		test	al, al
		jnz	short loc_958EAA
		mov	esi, 0C00000E2h

loc_958EAA:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+F2j
		test	esi, esi
		jnz	loc_958DFE

loc_958EB2:				; CODE XREF: FsRtlUpperOplockFsctrl(x,x,x,x,x)+78j
					; FsRtlUpperOplockFsctrl(x,x,x,x,x)+9Ej ...
		mov	ecx, [ebp+arg_0]
		push	edx
		push	[ebp+arg_10]
		mov	edx, edi
		push	[ebp+arg_8]
		call	FsRtlpOplockFsctrlInternal
		mov	esi, eax
		jmp	loc_958E10
_FsRtlUpperOplockFsctrl@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpNotifyOplockBreakComplete(x, x)
_FsRtlpNotifyOplockBreakComplete@8 proc	near ; DATA XREF: FsRtlpOplockBreakNotify(x,x,x)+A2o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	dl, 1
		call	IofCompleteRequest
		pop	ebp
		retn	8
_FsRtlpNotifyOplockBreakComplete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpOpBatchBreakClosePending(x, x, x)
_FsRtlpOpBatchBreakClosePending@12 proc	near ; CODE XREF: sub_9241BB+5p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	10h
		push	offset dword_6A7DB0
		call	__SEH_prolog4
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_20], esi
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		test	esi, esi
		jnz	short loc_958F12
		mov	esi, 0C00000E3h
		mov	ecx, [ebp+arg_0]
		mov	[ecx+18h], esi
		mov	dl, 1
		call	IofCompleteRequest
		mov	eax, esi
		jmp	loc_958FAC
; 

loc_958F12:				; CODE XREF: FsRtlpOpBatchBreakClosePending(x,x,x)+1Aj
		mov	ecx, [esi+4Ch]
		call	ExAcquireFastMutexUnsafe
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [esi+4]
		cmp	eax, [edi+18h]
		jnz	short loc_958F89
		mov	eax, [esi+48h]
		test	eax, 700h
		jz	short loc_958F89
		test	al, 82h
		jz	short loc_958F77
		push	ebx
		xor	edx, edx
		mov	ecx, esi
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, esi
		call	_FsRtlpClearOwner@8 ; FsRtlpClearOwner(x,x)
		mov	[esi+10h], bl
		mov	eax, [esi+48h]
		test	al, 2
		jz	short loc_958F5B
		mov	ecx, [esi+4]
		call	ObfDereferenceObject
		mov	eax, [esi+48h]

loc_958F5B:				; CODE XREF: FsRtlpOpBatchBreakClosePending(x,x,x)+71j
		and	eax, 20h
		or	eax, 1
		mov	[esi+48h], eax
		mov	[esi+4], ebx

loc_958F67:				; CODE XREF: FsRtlpOpBatchBreakClosePending(x,x,x)+98j
		lea	eax, [esi+2Ch]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_958F91
		call	_FsRtlpRemoveAndCompleteWaitingIrp@4 ; FsRtlpRemoveAndCompleteWaitingIrp(x)
		jmp	short loc_958F67
; 

loc_958F77:				; CODE XREF: FsRtlpOpBatchBreakClosePending(x,x,x)+54j
		and	eax, 0FE0FF0FFh
		mov	[esi+48h], eax
		or	eax, 800h
		mov	[esi+48h], eax
		jmp	short loc_958F91
; 

loc_958F89:				; CODE XREF: FsRtlpOpBatchBreakClosePending(x,x,x)+46j
					; FsRtlpOpBatchBreakClosePending(x,x,x)+50j
		mov	ebx, 0C00000E3h
		mov	[ebp+var_1C], ebx

loc_958F91:				; CODE XREF: FsRtlpOpBatchBreakClosePending(x,x,x)+91j
					; FsRtlpOpBatchBreakClosePending(x,x,x)+AAj
		mov	ecx, [ebp+arg_0]
		mov	[ecx+18h], ebx
		mov	dl, 1
		call	IofCompleteRequest
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_958FC4
		mov	eax, ebx

loc_958FAC:				; CODE XREF: FsRtlpOpBatchBreakClosePending(x,x,x)+30j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_FsRtlpOpBatchBreakClosePending@12 endp


;  S U B	R O U T	I N E 


sub_958FBE	proc near		; DATA XREF: .text:006A7DC8o
		mov	esi, [ebp-20h]
		mov	ebx, [ebp-1Ch]
sub_958FBE	endp


;  S U B	R O U T	I N E 


sub_958FC4	proc near		; CODE XREF: FsRtlpOpBatchBreakClosePending(x,x,x)+C8p
		mov	ecx, [esi+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		retn
sub_958FC4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpOplockBreakNotify(x, x, x)
_FsRtlpOplockBreakNotify@12 proc near	; CODE XREF: sub_9241CC+3p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	14h
		push	offset dword_6A7D90
		call	__SEH_prolog4
		mov	esi, ecx
		mov	[ebp+var_24], esi
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		test	esi, esi
		jnz	short loc_958FFB
		mov	ecx, [ebp+arg_0]
		mov	[ecx+18h], ebx
		mov	dl, 1
		call	IofCompleteRequest
		xor	eax, eax
		jmp	loc_959091
; 

loc_958FFB:				; CODE XREF: FsRtlpOplockBreakNotify(x,x,x)+18j
		mov	ecx, [esi+4Ch]
		call	ExAcquireFastMutexUnsafe
		mov	[ebp+var_19], 1
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [esi+48h]
		test	ecx, 1F00F00h
		jnz	short loc_959033
		lea	eax, [esi+24h]
		cmp	[eax], eax
		jnz	short loc_959033
		test	ecx, 20000h
		jnz	short loc_959033
		mov	ecx, [ebp+arg_0]
		mov	[ecx+18h], ebx

loc_95902A:				; CODE XREF: FsRtlpOplockBreakNotify(x,x,x)+7Ej
		mov	dl, 1
		call	IofCompleteRequest
		jmp	short loc_959080
; 

loc_959033:				; CODE XREF: FsRtlpOplockBreakNotify(x,x,x)+46j
					; FsRtlpOplockBreakNotify(x,x,x)+4Dj ...
		mov	edi, [ebp+arg_0]
		test	cl, cl
		jns	short loc_95904D
		and	ecx, 20h
		or	ecx, 1
		mov	[esi+48h], ecx
		mov	[esi+4], ebx
		mov	[edi+18h], ebx
		mov	ecx, edi
		jmp	short loc_95902A
; 

loc_95904D:				; CODE XREF: FsRtlpOplockBreakNotify(x,x,x)+6Bj
		mov	[ebp+var_19], bl
		mov	[edi+18h], ebx
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	FsRtlpModifyThreadPriorities
		xor	edx, edx
		mov	ecx, esi
		call	FsRtlpOplockSendModernAppTermination
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _FsRtlpNotifyOplockBreakComplete@8 ; FsRtlpNotifyOplockBreakComplete(x,x)
		push	ebx
		mov	edx, edi
		mov	ecx, esi
		call	_FsRtlpWaitOnIrp@48 ; FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax

loc_959080:				; CODE XREF: FsRtlpOplockBreakNotify(x,x,x)+64j
		mov	[ebp+var_20], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_9590A9
		mov	eax, ebx

loc_959091:				; CODE XREF: FsRtlpOplockBreakNotify(x,x,x)+29j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_FsRtlpOplockBreakNotify@12 endp


;  S U B	R O U T	I N E 


sub_9590A3	proc near		; DATA XREF: .text:006A7DA8o
		mov	esi, [ebp-24h]
		mov	ebx, [ebp-20h]
sub_9590A3	endp


;  S U B	R O U T	I N E 


sub_9590A9	proc near		; CODE XREF: FsRtlpOplockBreakNotify(x,x,x)+BDp
		cmp	byte ptr [ebp-19h], 0
		jz	short locret_9590B7
		mov	ecx, [esi+4Ch]
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

locret_9590B7:				; CODE XREF: sub_9590A9+4j
		retn
sub_9590A9	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpOplockWaitCompleteRoutine(x, x)
_FsRtlpOplockWaitCompleteRoutine@8 proc	near
					; DATA XREF: FsRtlpWaitOnIrp(x,x,x,x,x,x,x,x,x,x,x,x):loc_602C0Bo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	[ebp+arg_0]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	ebp
		retn	8
_FsRtlpOplockWaitCompleteRoutine@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlAddDiskIOCounterInstance(x, x)
_FsRtlAddDiskIOCounterInstance@8 proc near
					; CODE XREF: FsRtlDiskIOCounterSetCallback(x,x,x)+2Ap

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	ebx, ecx
		push	0FFFFh
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	edi, eax
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		test	edi, edi
		jz	short loc_959138

loc_959108:				; CODE XREF: FsRtlAddDiskIOCounterInstance(x,x)+69j
		mov	ecx, esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, [eax+4158h]
		add	[ebp+var_18], ecx
		mov	ecx, [eax+415Ch]
		adc	[ebp+var_14], ecx
		mov	ecx, [eax+4160h]
		add	[ebp+var_10], ecx
		mov	eax, [eax+4164h]
		adc	[ebp+var_C], eax
		inc	esi
		cmp	esi, edi
		jb	short loc_959108

loc_959138:				; CODE XREF: FsRtlAddDiskIOCounterInstance(x,x)+39j
		push	offset ??_C@_1BA@HANLFFFG@?$AAd?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt@NNGAKEGL@	; "default"
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_18]
		mov	[ebp+var_24], 10h
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	1
		push	0
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		call	_PcwAddInstance@20 ; PcwAddInstance(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_FsRtlAddDiskIOCounterInstance@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlDiskIOCounterSetCallback(x, x,	x)
_FsRtlDiskIOCounterSetCallback@12 proc near ; DATA XREF: ExpPcwHostCallback+160o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, [ebp+arg_0]
		push	esi
		xor	esi, esi
		dec	eax
		mov	[esp+18h+var_10], esi
		mov	[esp+18h+var_C], esi
		sub	eax, 1
		jz	short loc_9591A5
		sub	eax, 1
		jnz	short loc_9591DD
		mov	ecx, [ebp+arg_4]
		mov	ecx, [ecx+14h]
		call	_FsRtlAddDiskIOCounterInstance@8 ; FsRtlAddDiskIOCounterInstance(x,x)
		jmp	short loc_9591DF
; 

loc_9591A5:				; CODE XREF: FsRtlDiskIOCounterSetCallback(x,x,x)+1Dj
		push	offset ??_C@_1BA@HANLFFFG@?$AAd?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt@NNGAKEGL@	; "default"
		lea	eax, [esp+1Ch+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+arg_4]
		lea	ecx, [esp+18h+var_8]
		push	ecx
		push	1
		push	esi
		mov	eax, [eax+14h]
		lea	ecx, [esp+24h+var_10]
		push	ecx
		push	eax
		mov	[esp+2Ch+var_8], esi
		mov	[esp+2Ch+var_4], 10h
		call	_PcwAddInstance@20 ; PcwAddInstance(x,x,x,x,x)
		test	eax, eax
		js	short loc_9591DF

loc_9591DD:				; CODE XREF: FsRtlDiskIOCounterSetCallback(x,x,x)+22j
		xor	eax, eax

loc_9591DF:				; CODE XREF: FsRtlDiskIOCounterSetCallback(x,x,x)+2Fj
					; FsRtlDiskIOCounterSetCallback(x,x,x)+67j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_FsRtlDiskIOCounterSetCallback@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 507. FsRtlDismountComplete

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlDismountComplete(x, x)
		public _FsRtlDismountComplete@8
_FsRtlDismountComplete@8 proc near

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		jl	short loc_9591FE
		mov	eax, 0FFDF02DCh
		lock inc dword ptr [eax]

loc_9591FE:				; CODE XREF: FsRtlDismountComplete(x,x)+9j
		pop	ebp
		retn	8
_FsRtlDismountComplete@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 565. FsRtlIsExtentDangling

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlIsExtentDangling(x, x,	x)
		public _FsRtlIsExtentDangling@12
_FsRtlIsExtentDangling@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		add	eax, [ebp+arg_4]
		pop	ebp
		retn	0Ch
_FsRtlIsExtentDangling@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 637. FsRtlQueryInformationFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlQueryInformationFile(x, x, x, x, x)
		public _FsRtlQueryInformationFile@20
_FsRtlQueryInformationFile@20 proc near

var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	20h
		push	offset dword_6A7E50
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	esi, ebx
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], ebx
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		stosd
		push	ebx
		push	ebx
		lea	eax, [ebp+var_30]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[ebp+ms_exc.disabled], ebx
		mov	edi, [ebp+arg_0]
		test	dword ptr [edi+2Ch], 800h
		jz	short loc_959261
		mov	edi, 0C0000010h

loc_959259:				; CODE XREF: FsRtlQueryInformationFile(x,x,x,x,x)+6Bj
		mov	[ebp+var_1C], edi
		jmp	loc_95932A
; 

loc_959261:				; CODE XREF: FsRtlQueryInformationFile(x,x,x,x,x)+37j
		push	edi
		call	IoGetRelatedDeviceObject
		mov	ecx, eax
		mov	[ebp+arg_0], ecx
		push	ebx
		movzx	eax, byte ptr [ecx+30h]
		push	eax
		push	ecx
		call	IoAllocateIrpEx
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jnz	short loc_959288
		mov	edi, 0C000009Ah
		jmp	short loc_959259
; 

loc_959288:				; CODE XREF: FsRtlQueryInformationFile(x,x,x,x,x)+64j
		lea	edx, [esi+60h]
		mov	ecx, [edx]
		mov	word ptr [ecx-24h], 405h
		mov	[ecx-0Ch], edi
		mov	eax, [ebp+arg_4]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx-20h], eax
		mov	eax, [ebp+arg_C]
		mov	[ecx-1Ch], eax
		mov	eax, large fs:124h
		mov	esi, [ebp+var_20]
		mov	[esi+50h], eax
		or	dword ptr [esi+8], 4
		mov	[esi+20h], bl
		mov	eax, [edx]
		mov	dword ptr [eax-8], offset _SmKmGenericCompletion@12 ; SmKmGenericCompletion(x,x,x)
		lea	ecx, [ebp+var_30]
		mov	[eax-4], ecx
		mov	[eax-21h], bl
		mov	byte ptr [eax-21h], 40h
		mov	byte ptr [eax-21h], 0C0h
		mov	byte ptr [eax-21h], 0E0h
		mov	edx, esi
		mov	ecx, [ebp+arg_0]
		call	IofCallDriver
		mov	[ebp+var_1C], eax
		cmp	eax, 103h
		jnz	short loc_95931C
		lea	eax, [ebp+var_30]
		mov	[ebp+arg_4], eax
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+arg_4]
		push	eax
		push	1
		call	FsRtlCancellableWaitForMultipleObjects
		cmp	eax, 0C000004Bh
		jnz	short loc_95931C
		push	esi
		call	IoCancelIrp
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_30]
		push	eax
		call	KeWaitForSingleObject

loc_95931C:				; CODE XREF: FsRtlQueryInformationFile(x,x,x,x,x)+D0j
					; FsRtlQueryInformationFile(x,x,x,x,x)+ECj
		mov	edi, [esi+18h]
		mov	[ebp+var_1C], edi
		mov	ecx, [esi+1Ch]
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx

loc_95932A:				; CODE XREF: FsRtlQueryInformationFile(x,x,x,x,x)+41j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_959352
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_FsRtlQueryInformationFile@20 endp


;  S U B	R O U T	I N E 


sub_95934A	proc near		; DATA XREF: .text:006A7E68o
		xor	ebx, ebx
		mov	esi, [ebp-20h]
		mov	edi, [ebp-1Ch]
sub_95934A	endp


;  S U B	R O U T	I N E 


sub_959352	proc near		; CODE XREF: FsRtlQueryInformationFile(x,x,x,x,x)+116p
		test	esi, esi
		jz	short locret_95936B
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_959365
		call	_FsRtlpFreeMdlChain@4 ;	FsRtlpFreeMdlChain(x)
		mov	[esi+4], ebx

loc_959365:				; CODE XREF: sub_959352+9j
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)

locret_95936B:				; CODE XREF: sub_959352+2j
		retn
sub_959352	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpFreeMdlChain(x)
_FsRtlpFreeMdlChain@4 proc near		; CODE XREF: sub_7C504F:loc_8F0905p
					; sub_7CD030:loc_8F3142p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	short loc_959396

loc_95937C:				; CODE XREF: FsRtlpFreeMdlChain(x)+28j
		test	byte ptr [esi+6], 2
		mov	edi, [esi]
		jz	short loc_95938A
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_95938A:				; CODE XREF: FsRtlpFreeMdlChain(x)+16j
		push	esi
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	esi, edi
		test	edi, edi
		jnz	short loc_95937C

loc_959396:				; CODE XREF: FsRtlpFreeMdlChain(x)+Ej
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_FsRtlpFreeMdlChain@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 508. FsRtlDissectDbcs

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlDissectDbcs(x,	x, x, x)
		public _FsRtlDissectDbcs@16
_FsRtlDissectDbcs@16 proc near		; CODE XREF: FsRtlIsFatDbcsLegal+12602Ep
					; FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+BCp

arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		movzx	edx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		xor	edi, edi
		mov	[eax], ecx
		mov	[eax+4], edi
		xor	eax, eax
		mov	[esi], eax
		mov	[esi+4], edi
		test	edx, edx
		jz	short loc_959439
		mov	eax, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		cmp	byte ptr [eax],	5Ch
		setz	bl
		mov	ecx, ebx
		cmp	ebx, edx
		jnb	short loc_959401
		mov	esi, eax

loc_9593DA:				; CODE XREF: FsRtlDissectDbcs(x,x,x,x)+5Ej
		mov	al, [esi+ecx]
		cmp	al, 5Ch
		jz	short loc_959401
		cmp	al, 80h
		jb	short loc_9593FC
		cmp	ds:_NlsMbOemCodePageTag, 0
		jz	short loc_9593FC
		movzx	eax, al
		cmp	ds:_NlsOemLeadByteInfoTable[eax*2], di
		jz	short loc_9593FC
		inc	ecx

loc_9593FC:				; CODE XREF: FsRtlDissectDbcs(x,x,x,x)+42j
					; FsRtlDissectDbcs(x,x,x,x)+4Bj ...
		inc	ecx
		cmp	ecx, edx
		jb	short loc_9593DA

loc_959401:				; CODE XREF: FsRtlDissectDbcs(x,x,x,x)+35j
					; FsRtlDissectDbcs(x,x,x,x)+3Ej
		mov	esi, [ebp+arg_8]
		movzx	edi, cx
		mov	eax, edi
		sub	eax, ebx
		mov	[esi], ax
		mov	[esi+2], ax
		mov	eax, [ebp+arg_4]
		add	eax, ebx
		mov	ebx, esi
		mov	esi, [ebp+arg_C]
		mov	[ebx+4], eax
		pop	ebx
		cmp	ecx, edx
		jnb	short loc_959439
		sub	edx, edi
		lea	eax, [edx-1]
		mov	[esi], ax
		mov	[esi+2], ax
		mov	eax, [ebp+arg_4]
		inc	eax
		add	eax, ecx
		mov	[esi+4], eax

loc_959439:				; CODE XREF: FsRtlDissectDbcs(x,x,x,x)+23j
					; FsRtlDissectDbcs(x,x,x,x)+81j
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_FsRtlDissectDbcs@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 510. FsRtlDoesDbcsContainWildCards

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlDoesDbcsContainWildCards(x)
		public _FsRtlDoesDbcsContainWildCards@4
_FsRtlDoesDbcsContainWildCards@4 proc near ; CODE XREF:	FsRtlIsFatDbcsLegal+12605Ep
					; FsRtlIsDbcsInExpression(x,x)+9Dp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	ebx, ebx
		movzx	esi, word ptr [eax]
		mov	ecx, ebx
		push	edi
		test	esi, esi
		jz	short loc_959495
		mov	edi, [eax+4]

loc_95945D:				; CODE XREF: FsRtlDoesDbcsContainWildCards(x)+4Fj
		mov	dl, [edi+ecx]
		cmp	dl, 80h
		jb	short loc_95947D
		cmp	ds:_NlsMbOemCodePageTag, bl
		jz	short loc_95947D
		movzx	eax, dl
		cmp	ds:_NlsOemLeadByteInfoTable[eax*2], bx
		jz	short loc_95947D
		inc	ecx
		jmp	short loc_959490
; 

loc_95947D:				; CODE XREF: FsRtlDoesDbcsContainWildCards(x)+1Fj
					; FsRtlDoesDbcsContainWildCards(x)+27j	...
		test	dl, dl
		js	short loc_959490
		movsx	eax, dl
		movzx	eax, ds:byte_40B788[eax]
		and	eax, 8
		jnz	short loc_95949E

loc_959490:				; CODE XREF: FsRtlDoesDbcsContainWildCards(x)+37j
					; FsRtlDoesDbcsContainWildCards(x)+3Bj
		inc	ecx
		cmp	ecx, esi
		jb	short loc_95945D

loc_959495:				; CODE XREF: FsRtlDoesDbcsContainWildCards(x)+14j
		xor	al, al

loc_959497:				; CODE XREF: FsRtlDoesDbcsContainWildCards(x)+5Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_95949E:				; CODE XREF: FsRtlDoesDbcsContainWildCards(x)+4Aj
		mov	al, 1
		jmp	short loc_959497
_FsRtlDoesDbcsContainWildCards@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 562. FsRtlIsDbcsInExpression

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlIsDbcsInExpression(x, x)
		public _FsRtlIsDbcsInExpression@8
_FsRtlIsDbcsInExpression@8 proc	near

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_46		= byte ptr -46h
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 90h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	[ebp+var_74], ecx
		movzx	esi, word ptr [ebx]
		mov	[ebp+var_5C], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_45], al
		test	si, si
		jz	loc_959994
		movzx	edi, word ptr [ecx]
		test	di, di
		jz	loc_959994
		xor	edx, edx
		inc	edx
		cmp	di, dx
		jnz	short loc_959502
		mov	eax, [ecx+4]
		cmp	byte ptr [eax],	2Ah
		jnz	short loc_959502
		mov	al, dl
		jmp	loc_95999F
; 

loc_959502:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+4Aj
					; FsRtlIsDbcsInExpression(x,x)+52j
		mov	eax, [ecx+4]
		cmp	byte ptr [eax],	2Ah
		jnz	loc_9595CC
		mov	eax, [ecx]
		mov	ebx, [ecx+4]
		mov	[ebp+var_88], eax
		inc	ebx
		dec	eax
		mov	[ebp+var_6C], ebx
		movzx	ecx, ax
		mov	word ptr [ebp+var_88], ax
		mov	eax, 0FFFFh
		add	word ptr [ebp+var_88+2], ax
		lea	eax, [ebp+var_88]
		push	eax
		mov	[ebp+var_84], ebx
		mov	[ebp+var_54], ecx
		call	_FsRtlDoesDbcsContainWildCards@4 ; FsRtlDoesDbcsContainWildCards(x)
		test	al, al
		jnz	short loc_9595C9
		lea	eax, [edi-1]
		cmp	si, ax
		jb	loc_959990
		mov	eax, [ebp+var_54]
		mov	ecx, esi
		movzx	edi, ax
		sub	ecx, edi
		mov	[ebp+var_54], edi
		cmp	ds:_NlsMbOemCodePageTag, 0
		jz	short loc_9595AC
		xor	eax, eax
		mov	esi, eax
		test	ecx, ecx
		jz	short loc_9595AC
		mov	ebx, [ebp+arg_4]
		xor	edi, edi
		mov	ebx, [ebx+4]

loc_95957F:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+F7j
		mov	al, [ebx+esi]
		xor	edx, edx
		cmp	al, 80h
		jnb	short loc_95958B
		inc	edx
		jmp	short loc_95959A
; 

loc_95958B:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+DFj
		movzx	eax, al
		cmp	ds:_NlsOemLeadByteInfoTable[eax*2], di
		setnz	dl
		inc	edx

loc_95959A:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+E2j
		add	esi, edx
		cmp	esi, ecx
		jb	short loc_95957F
		mov	ebx, [ebp+var_6C]
		mov	edi, [ebp+var_54]
		ja	loc_959990

loc_9595AC:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+C6j
					; FsRtlIsDbcsInExpression(x,x)+CEj
		mov	eax, [ebp+arg_4]
		push	edi		; size_t
		mov	eax, [eax+4]
		add	eax, ecx
		push	eax		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax

loc_9595C1:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+4D4j
		setz	al
		jmp	loc_95999F
; 

loc_9595C9:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+A4j
		mov	ebx, [ebp+arg_4]

loc_9595CC:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+61j
		xor	eax, eax
		mov	[ebp+var_8C], 2Eh
		mov	word ptr [ebp+var_44], ax
		lea	ecx, [ebp+var_44]
		mov	[ebp+var_70], eax
		lea	edx, [ebp+var_24]
		xor	esi, esi
		mov	[ebp+var_60], ecx
		lea	eax, [edi+edi]
		mov	[ebp+var_64], edx
		inc	esi
		movzx	eax, ax
		mov	[ebp+var_6C], esi
		mov	[ebp+var_54], eax
		jmp	short loc_9595FF
; 

loc_9595FC:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+4B5j
		mov	eax, [ebp+var_54]

loc_9595FF:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+153j
		mov	edi, [ebp+var_70]
		cmp	di, [ebx]
		jnb	short loc_95966A
		mov	esi, [ebx+4]
		movzx	ecx, di
		mov	dl, [ecx+esi]
		cmp	dl, 80h
		jb	short loc_959650
		cmp	ds:_NlsMbOemCodePageTag, 0
		jz	short loc_959650
		movzx	eax, dl
		xor	ebx, ebx
		cmp	ds:_NlsOemLeadByteInfoTable[eax*2], bx
		jz	short loc_959650
		movsx	cx, byte ptr [ecx+esi+1]
		mov	eax, 100h
		push	2
		movzx	ecx, cx
		imul	ecx, eax
		movsx	ax, dl
		add	cx, ax
		movzx	ecx, cx
		mov	[ebp+var_5C], ecx
		pop	eax
		jmp	short loc_95965D
; 

loc_959650:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+16Cj
					; FsRtlIsDbcsInExpression(x,x)+175j ...
		movsx	ax, dl
		movzx	eax, ax
		mov	[ebp+var_5C], eax
		xor	eax, eax
		inc	eax

loc_95965D:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+1A7j
		mov	edx, [ebp+var_64]
		add	edi, eax
		mov	esi, [ebp+var_6C]
		mov	[ebp+var_70], edi
		jmp	short loc_959679
; 

loc_95966A:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+15Ej
		mov	[ebp+var_45], 1
		cmp	[ecx+esi*2-2], ax
		jz	loc_959962

loc_959679:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+1C1j
		xor	edi, edi
		mov	[ebp+var_7C], edi
		mov	ecx, edi
		mov	ebx, edi
		test	esi, esi
		jz	loc_959982
		mov	edi, [ebp+var_60]

loc_95968D:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+492j
		movzx	eax, word ptr [edi+ecx*2]
		mov	esi, [ebp+var_74]
		inc	eax
		shr	eax, 1
		inc	ecx
		movzx	edi, ax
		xor	eax, eax
		mov	[ebp+var_84], ecx

loc_9596A3:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+32Dj
					; FsRtlIsDbcsInExpression(x,x)+407j
		movzx	ecx, word ptr [esi]
		cmp	di, cx
		jz	loc_959902
		add	edi, eax
		mov	[ebp+var_58], edi
		lea	eax, [edi+edi]
		movzx	eax, ax
		mov	[ebp+var_78], eax
		cmp	di, cx
		jz	loc_9598FA
		mov	eax, ecx
		movzx	edi, di
		mov	[ebp+var_80], eax
		dec	eax
		cmp	edi, eax
		jnz	short loc_9596F9
		mov	eax, [esi+4]
		mov	cl, [edi+eax]
		cmp	cl, 80h
		jb	short loc_9596F9
		cmp	ds:_NlsMbOemCodePageTag, 0
		jz	short loc_9596F9
		movzx	eax, cl
		xor	edx, edx
		cmp	ds:_NlsOemLeadByteInfoTable[eax*2], dx
		mov	edx, [ebp+var_64]
		jnz	short loc_95974D

loc_9596F9:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+22Aj
					; FsRtlIsDbcsInExpression(x,x)+235j ...
		mov	eax, [esi+4]
		mov	[ebp+var_50], eax
		mov	cl, [eax+edi]
		mov	[ebp+var_46], cl
		cmp	cl, 80h
		jb	short loc_95974D
		cmp	ds:_NlsMbOemCodePageTag, 0
		jz	short loc_95974D
		movzx	eax, cl
		xor	edx, edx
		cmp	ds:_NlsOemLeadByteInfoTable[eax*2], dx
		mov	edx, [ebp+var_64]
		jz	short loc_95974D
		mov	eax, [ebp+var_50]
		mov	[ebp+var_4C], 2
		movsx	cx, byte ptr [eax+edi+1]
		mov	eax, 100h
		movzx	ecx, cx
		imul	ecx, eax
		mov	al, [ebp+var_46]
		cbw
		add	cx, ax
		movzx	eax, cx
		jmp	short loc_95975B
; 

loc_95974D:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+250j
					; FsRtlIsDbcsInExpression(x,x)+261j ...
		movsx	ax, cl
		mov	[ebp+var_4C], 1
		movzx	eax, ax

loc_95975B:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+2A4j
		mov	[ebp+var_50], eax
		cmp	ebx, 0Eh
		jb	short loc_9597B5
		cmp	[ebp+var_68], 0
		jnz	short loc_9597B5
		mov	eax, [ebp+var_80]
		push	64725346h
		lea	eax, ds:8[eax*8]
		push	eax
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, [ebp+var_64]
		mov	edi, eax
		push	8
		pop	ecx
		rep movsd
		mov	ecx, [ebp+var_74]
		mov	edx, eax
		mov	esi, [ebp+var_60]
		push	8
		mov	[ebp+var_68], eax
		movzx	ecx, word ptr [ecx]
		inc	ecx
		mov	[ebp+var_64], edx
		lea	edi, [eax+ecx*4]
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_74]
		mov	ecx, edx
		add	ecx, 4
		movzx	eax, word ptr [esi]
		lea	eax, [ecx+eax*4]
		mov	[ebp+var_60], eax

loc_9597B5:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+2BAj
					; FsRtlIsDbcsInExpression(x,x)+2C0j
		mov	eax, [ebp+var_50]
		cmp	ax, 2Ah
		jnz	short loc_9597D9

loc_9597BE:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+340j
					; FsRtlIsDbcsInExpression(x,x)+349j ...
		mov	eax, [ebp+var_78]
		mov	[edx+ebx*2], ax
		inc	eax
		mov	[edx+ebx*2+2], ax
		add	ebx, 2

loc_9597CE:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+3EAj
					; FsRtlIsDbcsInExpression(x,x)+414j ...
		mov	eax, [ebp+var_4C]
		mov	edi, [ebp+var_58]
		jmp	loc_9596A3
; 

loc_9597D9:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+315j
		cmp	ax, 3Ch
		jnz	loc_959896
		cmp	[ebp+var_45], 0
		jnz	short loc_9597BE
		push	2Eh
		pop	eax
		cmp	word ptr [ebp+var_5C], ax
		jnz	short loc_9597BE
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_70]
		movzx	edi, ax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_90], eax
		cmp	word ptr [ebp+var_70], ax
		jnb	short loc_959888
		mov	ecx, [ecx+4]
		mov	[ebp+var_50], ecx

loc_959810:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+3DFj
		movzx	eax, di
		mov	[ebp+var_80], eax
		mov	cl, [ecx+eax]
		mov	[ebp+var_46], cl
		cmp	cl, 80h
		jb	short loc_959863
		cmp	ds:_NlsMbOemCodePageTag, 0
		jz	short loc_959863
		movzx	eax, cl
		xor	esi, esi
		cmp	ds:_NlsOemLeadByteInfoTable[eax*2], si
		mov	esi, [ebp+var_74]
		jz	short loc_959863
		mov	eax, [ebp+var_80]
		mov	ecx, [ebp+var_50]
		push	2
		movsx	cx, byte ptr [ecx+eax+1]
		mov	eax, 100h
		movzx	ecx, cx
		imul	ecx, eax
		mov	al, [ebp+var_46]
		cbw
		add	cx, ax
		movzx	eax, cx
		pop	ecx
		jmp	short loc_95986D
; 

loc_959863:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+378j
					; FsRtlIsDbcsInExpression(x,x)+381j ...
		movsx	ax, cl
		xor	ecx, ecx
		inc	ecx
		movzx	eax, ax

loc_95986D:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+3BAj
		cmp	ax, word ptr [ebp+var_8C]
		jz	loc_9597BE
		add	edi, ecx
		mov	ecx, [ebp+var_50]
		cmp	di, word ptr [ebp+var_90]
		jb	short loc_959810

loc_959888:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+361j
		mov	eax, [ebp+var_78]
		inc	eax
		mov	[edx+ebx*2], ax
		inc	ebx
		jmp	loc_9597CE
; 

loc_959896:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+336j
		mov	ecx, [ebp+var_78]
		mov	edi, [ebp+var_4C]
		lea	ecx, [ecx+edi*2]
		cmp	ax, 3Eh
		jnz	short loc_9598C7
		cmp	[ebp+var_45], 0
		mov	eax, edi
		mov	edi, [ebp+var_58]
		jnz	loc_9596A3
		push	2Eh
		pop	eax
		cmp	word ptr [ebp+var_5C], ax
		jz	loc_9597CE

loc_9598C1:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+43Bj
					; FsRtlIsDbcsInExpression(x,x)+447j ...
		mov	[edx+ebx*2], cx
		jmp	short loc_959901
; 

loc_9598C7:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+3FCj
		cmp	ax, 22h
		jnz	short loc_9598E4
		cmp	[ebp+var_45], 0
		jnz	loc_9597CE
		mov	esi, [ebp+var_5C]
		push	2Eh
		pop	edi
		cmp	si, di
		jnz	short loc_9598F3
		jmp	short loc_9598C1
; 

loc_9598E4:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+424j
		cmp	[ebp+var_45], 0
		jnz	short loc_959902
		cmp	ax, 3Fh
		jz	short loc_9598C1
		mov	esi, [ebp+var_5C]

loc_9598F3:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+439j
		cmp	ax, si
		jnz	short loc_959902
		jmp	short loc_9598C1
; 

loc_9598FA:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+219j
		mov	eax, [ebp+var_54]
		mov	[edx+ebx*2], ax

loc_959901:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+41Ej
		inc	ebx

loc_959902:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+202j
					; FsRtlIsDbcsInExpression(x,x)+441j ...
		mov	ecx, [ebp+var_84]
		mov	esi, [ebp+var_6C]
		cmp	ecx, esi
		jnb	short loc_95993F
		mov	edi, [ebp+var_60]
		mov	eax, [ebp+var_7C]

loc_959915:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+48Ej
		cmp	eax, ebx
		jnb	short loc_959937
		cmp	ecx, esi
		jnb	short loc_95992F
		movzx	eax, word ptr [edx+eax*2]

loc_959921:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+483j
		cmp	[edi+ecx*2], ax
		jnb	short loc_95992C
		inc	ecx
		cmp	ecx, esi
		jb	short loc_959921

loc_95992C:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+47Ej
		mov	eax, [ebp+var_7C]

loc_95992F:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+474j
		inc	eax
		mov	[ebp+var_7C], eax
		cmp	ecx, esi
		jb	short loc_959915

loc_959937:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+470j
		cmp	ecx, esi
		jb	loc_95968D

loc_95993F:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+466j
		test	ebx, ebx
		jz	short loc_959980
		cmp	[ebp+var_45], 0
		mov	ecx, edx
		mov	eax, [ebp+var_60]
		mov	esi, ebx
		mov	ebx, [ebp+arg_4]
		mov	edx, eax
		mov	[ebp+var_60], ecx
		mov	[ebp+var_64], edx
		mov	[ebp+var_6C], esi
		jz	loc_9595FC

loc_959962:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+1CCj
		mov	eax, [ebp+var_68]
		movzx	esi, word ptr [ecx+esi*2-2]
		test	eax, eax
		jz	short loc_959977
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_959977:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+4C5j
		cmp	si, word ptr [ebp+var_54]
		jmp	loc_9595C1
; 

loc_959980:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+49Aj
		xor	edi, edi

loc_959982:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+1DDj
		mov	eax, [ebp+var_68]
		test	eax, eax
		jz	short loc_959990
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_959990:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+ACj
					; FsRtlIsDbcsInExpression(x,x)+FFj ...
		xor	al, al
		jmp	short loc_95999F
; 

loc_959994:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+32j
					; FsRtlIsDbcsInExpression(x,x)+3Ej
		movzx	eax, word ptr [ecx]
		add	eax, esi
		neg	eax
		sbb	al, al
		inc	al

loc_95999F:				; CODE XREF: FsRtlIsDbcsInExpression(x,x)+56j
					; FsRtlIsDbcsInExpression(x,x)+11Dj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_FsRtlIsDbcsInExpression@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 567. FsRtlIsHpfsDbcsLegal

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlIsHpfsDbcsLegal(x, x, x, x, x)
		public _FsRtlIsHpfsDbcsLegal@20
_FsRtlIsHpfsDbcsLegal@20 proc near	; CODE XREF: FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+CCp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ax, word ptr [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		test	ax, ax
		jz	loc_959B1E
		mov	edx, [ebp+arg_4]
		xor	ebx, ebx
		inc	ebx
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_959A15
		cmp	ax, bx
		jnz	short loc_9599F1
		mov	cl, [edx]
		cmp	cl, 2Eh
		jz	loc_959B1A
		cmp	cl, 22h
		jz	loc_959B1A

loc_9599F1:				; CODE XREF: FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+26j
		cmp	ax, 2
		jnz	short loc_959A15
		mov	cl, [edx]
		cmp	cl, 2Eh
		jnz	short loc_959A07
		cmp	[edx+1], cl
		jz	loc_959B1A

loc_959A07:				; CODE XREF: FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+47j
		cmp	cl, 22h
		jnz	short loc_959A15
		cmp	[edx+1], cl
		jz	loc_959B1A

loc_959A15:				; CODE XREF: FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+21j
					; FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+40j ...
		cmp	byte ptr [edx],	5Ch
		jnz	short loc_959A3E
		cmp	[ebp+arg_10], 0
		jz	loc_959B1E
		cmp	ax, bx
		jbe	loc_959B1A
		mov	ecx, 0FFFFh
		inc	edx
		add	ax, cx
		add	word ptr [ebp+arg_0+2],	cx
		mov	word ptr [ebp+arg_0], ax

loc_959A3E:				; CODE XREF: FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+63j
		cmp	[ebp+arg_C], 0
		jz	short loc_959A9F
		mov	ecx, [ebp+arg_0]
		xor	edi, edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		mov	[ebp+arg_0], ecx
		mov	[ebp+arg_4], edx
		test	ax, ax
		jz	loc_959B1A

loc_959A5E:				; CODE XREF: FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+E8j
		cmp	byte ptr [edx],	5Ch
		jz	loc_959B1E
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	edx
		push	ecx
		call	_FsRtlDissectDbcs@16 ; FsRtlDissectDbcs(x,x,x,x)
		push	edi
		push	edi
		push	[ebp+arg_8]
		push	[ebp+var_4]
		push	[ebp+var_8]
		call	_FsRtlIsHpfsDbcsLegal@20 ; FsRtlIsHpfsDbcsLegal(x,x,x,x,x)
		test	al, al
		jz	loc_959B1E
		mov	ecx, [ebp+arg_0]
		test	cx, cx
		jz	loc_959B1A
		mov	edx, [ebp+arg_4]
		jmp	short loc_959A5E
; 

loc_959A9F:				; CODE XREF: FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+8Dj
		mov	ecx, 0FFh
		cmp	ax, cx
		ja	short loc_959B1E
		movzx	ecx, ax
		xor	edi, edi
		mov	dword ptr [ebp+arg_10],	ecx
		mov	esi, edi
		test	ecx, ecx
		jz	short loc_959B1A

loc_959AB7:				; CODE XREF: FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+151j
		mov	bl, [edx+esi]
		cmp	bl, 80h
		jb	short loc_959ADF
		cmp	ds:_NlsMbOemCodePageTag, 0
		jz	short loc_959ADF
		movzx	eax, bl
		cmp	ds:_NlsOemLeadByteInfoTable[eax*2], di
		jz	short loc_959ADF
		lea	eax, [ecx-1]
		cmp	esi, eax
		jz	short loc_959B1E
		inc	esi
		jmp	short loc_959B03
; 

loc_959ADF:				; CODE XREF: FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+108j
					; FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+111j	...
		test	bl, bl
		js	short loc_959B03
		movzx	eax, bl
		movzx	ecx, ds:byte_40B788[eax]
		xor	eax, eax
		cmp	byte ptr [ebp+arg_8], al
		setnz	al
		lea	eax, ds:2[eax*8]
		and	ecx, eax
		jz	short loc_959B1E
		mov	ecx, dword ptr [ebp+arg_10]

loc_959B03:				; CODE XREF: FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+128j
					; FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+12Cj
		inc	esi
		cmp	esi, ecx
		jb	short loc_959AB7
		cmp	bl, 20h
		jz	short loc_959B1E
		cmp	bl, 2Eh
		jz	short loc_959B1E
		cmp	bl, 22h
		jz	short loc_959B1E
		xor	ebx, ebx
		inc	ebx

loc_959B1A:				; CODE XREF: FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+2Dj
					; FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+36j ...
		mov	al, bl
		jmp	short loc_959B20
; 

loc_959B1E:				; CODE XREF: FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+11j
					; FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+69j ...
		xor	al, al

loc_959B20:				; CODE XREF: FsRtlIsHpfsDbcsLegal(x,x,x,x,x)+167j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_FsRtlIsHpfsDbcsLegal@20 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 536. FsRtlHeatInit

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlHeatInit(x, x,	x)
		public _FsRtlHeatInit@12
_FsRtlHeatInit@12 proc near

var_86		= byte ptr -86h
var_85		= byte ptr -85h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+8Ch+var_4], eax
		mov	eax, [ebp+arg_8]
		lea	edx, [esp+8Ch+var_80]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	ecx, [esp+98h+var_74]
		mov	ebx, [ebp+arg_4]
		mov	[esp+98h+var_6C], eax
		xor	eax, eax
		mov	[esp+98h+var_85], al
		mov	[edi], eax
		mov	[edi+4], eax
		lea	eax, [esp+98h+var_68]
		push	0Eh
		mov	[esp+9Ch+var_84], eax
		pop	eax
		push	10h
		mov	word ptr [esp+9Ch+var_80], ax
		pop	eax
		mov	word ptr [esp+98h+var_80+2], ax
		lea	eax, [esp+13h]
		push	eax
		lea	eax, [esp+9Ch+var_84]
		mov	[esp+9Ch+var_78], 5Ch
		push	eax
		lea	eax, [esp+0A0h+var_78]
		mov	[esp+0A0h+var_70], offset ??_C@_1IC@FDJAEMPF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax
		mov	[esp+0A4h+var_74], (offset loc_82007E+2)
		mov	[esp+0A4h+var_7C], offset ??_C@_1BA@NPJPKIM@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAd@NNGAKEGL@ ; "Enabled"
		call	_FsRtlpQueryValueKey@20	; FsRtlpQueryValueKey(x,x,x,x,x)
		test	eax, eax
		js	short loc_959BCF
		mov	esi, [esp+98h+var_84]
		mov	eax, [esi+8]
		cmp	dword ptr [esi+eax], 0
		jnz	short loc_959BCF
		mov	edi, 0C0000001h
		jmp	short loc_959C2B
; 

loc_959BCF:				; CODE XREF: FsRtlHeatInit(x,x,x)+8Dj
					; FsRtlHeatInit(x,x,x)+9Aj
		push	24h
		pop	eax
		push	26h
		mov	word ptr [esp+9Ch+var_80], ax
		lea	edx, [esp+9Ch+var_80]
		pop	eax
		mov	word ptr [esp+98h+var_80+2], ax
		lea	ecx, [esp+98h+var_74]
		lea	eax, [esp+13h]
		mov	[esp+98h+var_7C], offset ??_C@_1CG@LDMOIOKE@?$AAM?$AAe?$AAa?$AAs?$AAu?$AAr?$AAe?$AAd?$AAO?$AAp?$AAe?$AAr?$AAa?$AAt?$AAi@NNGAKEGL@ ; "MeasuredOperations"
		push	eax
		lea	eax, [esp+9Ch+var_84]
		push	eax
		lea	eax, [esp+0A0h+var_78]
		push	eax
		call	_FsRtlpQueryValueKey@20	; FsRtlpQueryValueKey(x,x,x,x,x)
		mov	esi, [esp+98h+var_84]
		test	eax, eax
		js	short loc_959C19
		mov	eax, [esi+8]
		mov	eax, [esi+eax]
		and	eax, 7
		or	[edi+4], eax
		jmp	short loc_959C1D
; 

loc_959C19:				; CODE XREF: FsRtlHeatInit(x,x,x)+DDj
		or	dword ptr [edi+4], 7

loc_959C1D:				; CODE XREF: FsRtlHeatInit(x,x,x)+EBj
		mov	edx, [esp+98h+var_6C]
		mov	ecx, ebx
		push	edi
		call	_FsRtlpHeatRegisterVolume@12 ; FsRtlpHeatRegisterVolume(x,x,x)
		mov	edi, eax

loc_959C2B:				; CODE XREF: FsRtlHeatInit(x,x,x)+A1j
		cmp	[esp+98h+var_85], 0
		jz	short loc_959C3A
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_959C3A:				; CODE XREF: FsRtlHeatInit(x,x,x)+104j
		mov	ecx, [esp+98h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_FsRtlHeatInit@12 endp

; 
		align 8
; Exported entry 537. FsRtlHeatLogIo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlHeatLogIo(x, x, x, x, x)
		public _FsRtlHeatLogIo@20
_FsRtlHeatLogIo@20 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		xor	esi, esi
		mov	ecx, [eax+60h]
		movzx	eax, byte ptr [ecx]
		sub	eax, 3
		jz	short loc_959CD4
		sub	eax, 1
		jz	short loc_959CA8
		sub	eax, 0Eh
		jz	short loc_959C82
		mov	esi, 0C00000F0h
		jmp	loc_959D06
; 

loc_959C82:				; CODE XREF: FsRtlHeatLogIo(x,x,x,x,x)+1Ej
		test	_Microsoft_Windows_Storage_Tiering_IoHeatEnableBits, 8
		jz	short loc_959D06
		mov	eax, [ebp+arg_0]
		mov	edx, offset _TieredStorage_HeatDelete
		push	dword ptr [eax]
		mov	eax, [ebp+arg_8]
		push	esi
		push	esi
		push	esi
		push	dword ptr [eax+0Ch]
		push	dword ptr [eax+8]
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		jmp	short loc_959CFE
; 

loc_959CA8:				; CODE XREF: FsRtlHeatLogIo(x,x,x,x,x)+19j
		test	_Microsoft_Windows_Storage_Tiering_IoHeatEnableBits, 4
		jz	short loc_959D06
		mov	eax, [ebp+arg_0]
		mov	edx, offset _TieredStorage_HeatWrite
		push	dword ptr [eax]
		mov	eax, [ebp+arg_8]
		push	dword ptr [ecx+4]
		push	dword ptr [ecx+10h]
		push	dword ptr [ecx+0Ch]
		push	dword ptr [eax+0Ch]
		push	dword ptr [eax+8]
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		jmp	short loc_959CFE
; 

loc_959CD4:				; CODE XREF: FsRtlHeatLogIo(x,x,x,x,x)+14j
		test	_Microsoft_Windows_Storage_Tiering_IoHeatEnableBits, 2
		jz	short loc_959D06
		mov	eax, [ebp+arg_0]
		mov	edx, offset _TieredStorage_HeatRead
		push	dword ptr [eax]
		push	dword ptr [ecx+4]
		push	dword ptr [ecx+10h]
		push	dword ptr [ecx+0Ch]
		mov	ecx, [ebp+arg_8]
		push	dword ptr [ecx+0Ch]
		push	dword ptr [ecx+8]
		push	dword ptr [ecx+4]
		push	dword ptr [ecx]

loc_959CFE:				; CODE XREF: FsRtlHeatLogIo(x,x,x,x,x)+4Ej
					; FsRtlHeatLogIo(x,x,x,x,x)+7Aj
		push	[ebp+arg_10]
		call	_McTemplateK0xxxqq_EtwWriteTransfer@44 ; McTemplateK0xxxqq_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)

loc_959D06:				; CODE XREF: FsRtlHeatLogIo(x,x,x,x,x)+25j
					; FsRtlHeatLogIo(x,x,x,x,x)+31j ...
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	14h
_FsRtlHeatLogIo@20 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 538. FsRtlHeatLogTierMove

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlHeatLogTierMove(x, x, x, x, x,	x, x, x)
		public _FsRtlHeatLogTierMove@32
_FsRtlHeatLogTierMove@32 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	_Microsoft_Windows_Storage_Tiering_IoHeatEnableBits, 10h
		jz	short loc_959D4A
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax]
		mov	eax, [ebp+arg_4]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	dword ptr [eax+0Ch]
		push	dword ptr [eax+8]
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		push	[ebp+arg_1C]
		call	_McTemplateK0xxxqqqq_EtwWriteTransfer@52 ; McTemplateK0xxxqqqq_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x)

loc_959D4A:				; CODE XREF: FsRtlHeatLogTierMove(x,x,x,x,x,x,x,x)+Cj
		xor	eax, eax
		pop	ebp
		retn	20h
_FsRtlHeatLogTierMove@32 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 539. FsRtlHeatUninit

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlHeatUninit(x, x)
		public _FsRtlHeatUninit@8
_FsRtlHeatUninit@8 proc	near

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		call	_FsRtlpHeatUnregisterVolume@8 ;	FsRtlpHeatUnregisterVolume(x,x)
		pop	ebp
		retn	8
_FsRtlHeatUninit@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpHeatRegisterVolume(x,	x, x)
_FsRtlpHeatRegisterVolume@12 proc near	; CODE XREF: FsRtlHeatInit(x,x,x)+F8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		push	1
		mov	ebx, ecx
		mov	[ebp+var_C], edx
		push	offset unk_6CDB08
		mov	[ebp+var_4], ebx
		call	ExAcquireResourceExclusiveLite
		mov	esi, _FsRtlTieringHeatData
		mov	edi, offset _FsRtlTieringHeatData
		jmp	short loc_959DA7
; 

loc_959D92:				; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x)+43j
		push	10h		; size_t
		lea	eax, [esi+0Ch]
		push	ebx		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_959DCF
		mov	esi, [esi]

loc_959DA7:				; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x)+2Aj
		cmp	esi, edi
		jnz	short loc_959D92
		push	68745346h
		push	20h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	edi, edi
		jnz	short loc_959DDF
		mov	edi, [ebp+arg_0]
		mov	esi, 0C000009Ah
		jmp	loc_959E6F
; 

loc_959DCF:				; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x)+3Dj
		mov	edi, [ebp+arg_0]
		inc	dword ptr [esi+8]
		mov	eax, [esi+1Ch]
		mov	[edi], eax
		jmp	loc_959E6D
; 

loc_959DDF:				; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x)+5Aj
		movzx	edx, byte ptr [ebx+0Ah]
		movzx	eax, byte ptr [ebx+0Fh]
		movzx	ecx, word ptr [ebx+4]
		shl	edx, 18h
		or	edx, eax
		shl	ecx, 10h
		movzx	eax, word ptr [ebx+6]
		or	ecx, eax
		xor	edx, ecx
		mov	ecx, offset _FsRtlTieringHeatData
		xor	edx, [ebx]
		mov	ebx, _FsRtlTieringHeatData
		jmp	short loc_959E1C
; 

loc_959E0A:				; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x)+B8j
		cmp	[ebx+1Ch], edx
		jnz	short loc_959E18
		add	edx, 1
		jnz	short loc_959E1A
		mov	ebx, ecx
		jmp	short loc_959E1A
; 

loc_959E18:				; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x)+A7j
		ja	short loc_959E20

loc_959E1A:				; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x)+ACj
					; FsRtlpHeatRegisterVolume(x,x,x)+B0j
		mov	ebx, [ebx]

loc_959E1C:				; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x)+A2j
		cmp	ebx, ecx
		jnz	short loc_959E0A

loc_959E20:				; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x):loc_959E18j
		mov	esi, [ebp+var_4]
		xor	eax, eax
		push	8
		pop	ecx
		rep stosd
		mov	eax, [ebp+var_8]
		lea	edi, [eax+0Ch]
		movsd
		movsd
		movsd
		movsd
		mov	[eax+1Ch], edx
		mov	dword ptr [eax+8], 1
		mov	ecx, [ebx+4]
		cmp	[ecx], ebx
		jz	short loc_959E4A
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_959E4A:				; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x)+DDj
		mov	edi, [ebp+arg_0]
		mov	[eax+4], ecx
		mov	[eax], ebx
		mov	[ecx], eax
		mov	ecx, offset _MS_StorageTiering_Provider
		mov	[ebx+4], eax
		mov	eax, offset _MS_StorageTiering_Provider_Context
		push	eax
		push	eax
		mov	[edi], edx
		call	_McGenEventRegister_EtwRegister@16 ; McGenEventRegister_EtwRegister(x,x,x,x)
		mov	ebx, [ebp+var_4]

loc_959E6D:				; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x)+74j
		xor	esi, esi

loc_959E6F:				; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x)+64j
		mov	ecx, offset unk_6CDB08
		call	ExReleaseResourceLite
		test	esi, esi
		js	short loc_959EA3
		test	_Microsoft_Windows_Storage_Tiering_IoHeatEnableBits, 1
		jz	short loc_959E91
		push	dword ptr [edi]
		push	ebx
		push	[ebp+var_C]
		call	_McTemplateK0jq_EtwWriteTransfer@20 ; McTemplateK0jq_EtwWriteTransfer(x,x,x,x,x)

loc_959E91:				; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x)+11Ej
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WNF_FSRL_TIERED_VOLUME_DETECTED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_959EA3:				; CODE XREF: FsRtlpHeatRegisterVolume(x,x,x)+115j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_FsRtlpHeatRegisterVolume@12 endp


;  S U B	R O U T	I N E 


; __stdcall FsRtlpHeatUnregisterVolume(x, x)
_FsRtlpHeatUnregisterVolume@8 proc near	; CODE XREF: FsRtlHeatUninit(x,x)+8p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	1
		push	offset unk_6CDB08
		mov	edi, ecx
		call	ExAcquireResourceExclusiveLite
		mov	esi, _FsRtlTieringHeatData
		mov	ebx, offset _FsRtlTieringHeatData
		jmp	short loc_959EE1
; 

loc_959ECC:				; CODE XREF: FsRtlpHeatUnregisterVolume(x,x)+37j
		push	10h		; size_t
		lea	eax, [esi+0Ch]
		push	edi		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_959EF2
		mov	esi, [esi]

loc_959EE1:				; CODE XREF: FsRtlpHeatUnregisterVolume(x,x)+1Ej
		cmp	esi, ebx
		jnz	short loc_959ECC

loc_959EE5:				; CODE XREF: FsRtlpHeatUnregisterVolume(x,x)+4Aj
					; FsRtlpHeatUnregisterVolume(x,x)+6Aj
		pop	edi
		pop	esi
		mov	ecx, offset unk_6CDB08
		pop	ebx
		jmp	ExReleaseResourceLite
; 

loc_959EF2:				; CODE XREF: FsRtlpHeatUnregisterVolume(x,x)+31j
		sub	dword ptr [esi+8], 1
		jnz	short loc_959EE5
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_959F18
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_959F18
		push	68745346h
		mov	[ecx], eax
		push	esi
		mov	[eax+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_959EE5
; 

loc_959F18:				; CODE XREF: FsRtlpHeatUnregisterVolume(x,x)+51j
					; FsRtlpHeatUnregisterVolume(x,x)+58j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_FsRtlpHeatUnregisterVolume@8 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlpQueryValueKey(x, x, x, x, x)
_FsRtlpQueryValueKey@20	proc near	; CODE XREF: FsRtlHeatInit(x,x,x)+86p
					; FsRtlHeatInit(x,x,x)+D2p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_28], 18h
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	ebx, edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_10], ebx
		push	eax
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_20], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_95A008
		test	ebx, ebx
		jnz	short loc_959F7C
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		xor	eax, eax
		jmp	loc_95A008
; 

loc_959F7C:				; CODE XREF: FsRtlpQueryValueKey(x,x,x,x,x)+4Ej
		mov	ebx, [ebp+arg_0]
		mov	edi, [ebp+arg_4]
		mov	ebx, [ebx]
		mov	esi, [edi]

loc_959F86:				; CODE XREF: FsRtlpQueryValueKey(x,x,x,x,x)+C9j
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		push	esi
		push	1
		push	[ebp+var_10]
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_959FAB
		cmp	esi, 80000005h
		jnz	short loc_959FED

loc_959FAB:				; CODE XREF: FsRtlpQueryValueKey(x,x,x,x,x)+84j
		mov	eax, [ebp+arg_0]
		cmp	ebx, [eax]
		jnz	short loc_959FED
		mov	ebx, [ebp+var_C]
		push	68745346h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_959FE8
		mov	eax, [ebp+arg_8]
		cmp	byte ptr [eax],	0
		jz	short loc_959FD9
		push	0
		push	dword ptr [edi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_959FD9:				; CODE XREF: FsRtlpQueryValueKey(x,x,x,x,x)+B1j
		mov	eax, [ebp+arg_0]
		mov	[edi], esi
		mov	[eax], ebx
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	1
		jmp	short loc_959F86
; 

loc_959FE8:				; CODE XREF: FsRtlpQueryValueKey(x,x,x,x,x)+A9j
		mov	esi, 0C000009Ah

loc_959FED:				; CODE XREF: FsRtlpQueryValueKey(x,x,x,x,x)+8Cj
					; FsRtlpQueryValueKey(x,x,x,x,x)+93j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_95A006
		mov	eax, [edi]
		cmp	dword ptr [eax+0Ch], 0
		jnz	short loc_95A006
		mov	esi, 0C0000034h

loc_95A006:				; CODE XREF: FsRtlpQueryValueKey(x,x,x,x,x)+DAj
					; FsRtlpQueryValueKey(x,x,x,x,x)+E2j
		mov	eax, esi

loc_95A008:				; CODE XREF: FsRtlpQueryValueKey(x,x,x,x,x)+46j
					; FsRtlpQueryValueKey(x,x,x,x,x)+5Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_FsRtlpQueryValueKey@20	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 651. FsRtlRemoveDotsFromPath

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlRemoveDotsFromPath(x, x, x)
		public _FsRtlRemoveDotsFromPath@12
_FsRtlRemoveDotsFromPath@12 proc near	; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+159p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ax, word ptr [ebp+arg_4]
		xor	edx, edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	2Eh
		shr	ax, 1
		movzx	ecx, ax
		mov	[ebp+arg_4], ecx
		pop	eax
		mov	[ebp+var_4], eax
		push	2
		pop	edi
		push	5Ch
		pop	ebx
		cmp	ecx, 3
		jnz	short loc_95A055
		cmp	[esi], bx
		jnz	short loc_95A06E
		cmp	[esi+2], ax
		jnz	short loc_95A06E
		cmp	[esi+4], ax
		jz	loc_95A1A8

loc_95A055:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+2Aj
		cmp	cx, di
		jnz	short loc_95A06C
		cmp	[esi], ax
		jnz	short loc_95A083
		cmp	[esi+2], ax
		jz	loc_95A1A8
		cmp	cx, di

loc_95A06C:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+44j
		jbe	short loc_95A083

loc_95A06E:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+2Fj
					; FsRtlRemoveDotsFromPath(x,x,x)+35j
		cmp	[esi], ax
		jnz	short loc_95A083
		cmp	[esi+2], ax
		jnz	short loc_95A083
		cmp	[esi+4], bx
		jz	loc_95A1A8

loc_95A083:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+49j
					; FsRtlRemoveDotsFromPath(x,x,x):loc_95A06Cj ...
		xor	eax, eax
		mov	ebx, edx
		cmp	ax, cx
		jnb	loc_95A197

loc_95A090:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+17Dj
		movzx	edi, bx
		test	bx, bx
		jz	loc_95A17E
		movzx	eax, cx
		mov	[ebp+arg_0], eax
		dec	eax
		cmp	edi, eax
		jge	short loc_95A0BE
		push	5Ch
		pop	ecx
		cmp	[esi+edi*2], cx
		jnz	short loc_95A0BE
		cmp	[esi+edi*2+2], cx
		mov	ecx, [ebp+arg_4]
		jz	loc_95A18D

loc_95A0BE:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+91j
					; FsRtlRemoveDotsFromPath(x,x,x)+9Aj
		push	2Eh
		pop	ecx
		cmp	[esi+edi*2], cx
		mov	ecx, [ebp+arg_4]
		jnz	loc_95A17E
		push	5Ch
		cmp	edi, eax
		jnz	short loc_95A0FD
		pop	eax
		cmp	[esi+edi*2-2], ax
		jz	short loc_95A0EB

loc_95A0DC:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+FFj
					; FsRtlRemoveDotsFromPath(x,x,x)+108j ...
		movsx	eax, dx
		push	2Eh
		pop	edi
		mov	[esi+eax*2], di
		jmp	loc_95A18C
; 

loc_95A0EB:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+C6j
		xor	eax, eax
		inc	eax
		cmp	dx, ax
		jle	loc_95A18D
		dec	edx
		jmp	loc_95A18D
; 

loc_95A0FD:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+BEj
		movzx	eax, word ptr [esi+edi*2+2]
		pop	ecx
		cmp	ax, cx
		mov	ecx, [ebp+arg_4]
		jnz	short loc_95A118
		push	5Ch
		pop	eax
		cmp	[esi+edi*2-2], ax
		jnz	short loc_95A0DC

loc_95A115:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+15Cj
					; FsRtlRemoveDotsFromPath(x,x,x)+161j ...
		inc	ebx
		jmp	short loc_95A18D
; 

loc_95A118:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+F5j
		cmp	ax, word ptr [ebp+var_4]
		jnz	short loc_95A0DC
		push	5Ch
		pop	eax
		cmp	[esi+edi*2-2], ax
		jnz	short loc_95A0DC
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFFEh
		mov	[ebp+arg_0], eax
		cmp	edi, eax
		jz	short loc_95A13F
		push	5Ch
		pop	eax
		cmp	[esi+edi*2+4], ax
		jnz	short loc_95A0DC

loc_95A13F:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+11Fj
		sub	edx, 2
		test	dx, dx
		jle	short loc_95A15C
		push	5Ch
		pop	ecx

loc_95A14A:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+143j
		movsx	eax, dx
		cmp	[esi+eax*2], cx
		jz	short loc_95A159
		dec	edx
		test	dx, dx
		jg	short loc_95A14A

loc_95A159:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+13Dj
		test	dx, dx

loc_95A15C:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+131j
		js	short loc_95A1A8
		movsx	eax, dx
		push	5Ch
		pop	ecx
		cmp	[esi+eax*2], cx
		mov	ecx, [ebp+arg_4]
		jnz	short loc_95A1A8
		test	dx, dx
		jnz	short loc_95A115
		cmp	edi, [ebp+arg_0]
		jnz	short loc_95A115
		xor	eax, eax
		lea	edx, [eax+1]
		jmp	short loc_95A115
; 

loc_95A17E:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+82j
					; FsRtlRemoveDotsFromPath(x,x,x)+B4j
		mov	ax, [esi+edi*2]
		movsx	ecx, dx
		mov	[esi+ecx*2], ax
		mov	ecx, [ebp+arg_4]

loc_95A18C:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+D2j
		inc	edx

loc_95A18D:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+A4j
					; FsRtlRemoveDotsFromPath(x,x,x)+DDj ...
		inc	ebx
		cmp	bx, cx
		jb	loc_95A090

loc_95A197:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+76j
		mov	eax, [ebp+arg_8]
		lea	ecx, [edx+edx]
		mov	[eax], cx
		mov	eax, [ebp+arg_4]
		movzx	ecx, ax
		jmp	short loc_95A1B6
; 

loc_95A1A8:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+3Bj
					; FsRtlRemoveDotsFromPath(x,x,x)+4Fj ...
		mov	eax, 0C0000278h
		jmp	short loc_95A1BF
; 

loc_95A1AF:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+1A7j
		xor	edi, edi
		inc	edx
		mov	[esi+eax*2], di

loc_95A1B6:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+192j
		movsx	eax, dx
		cmp	eax, ecx
		jl	short loc_95A1AF
		xor	eax, eax

loc_95A1BF:				; CODE XREF: FsRtlRemoveDotsFromPath(x,x,x)+199j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_FsRtlRemoveDotsFromPath@12 endp


;  S U B	R O U T	I N E 


; __stdcall FsRtlCheckNotifyForDelete(x, x)
_FsRtlCheckNotifyForDelete@8 proc near	; CODE XREF: FsRtlNotifyFilterChangeDirectory+12C56Bp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	esi, [edi]
		jmp	short loc_95A1F3
; 

loc_95A1D3:				; CODE XREF: FsRtlCheckNotifyForDelete(x,x)+2Fj
		lea	ecx, [esi-10h]
		cmp	[ecx+4Ch], ebx
		jnz	short loc_95A1F1
		or	word ptr [ecx+24h], 20h
		lea	eax, [ecx+18h]
		cmp	[eax], eax
		jz	short loc_95A1F1
		mov	edx, 0C0000056h
		call	_FsRtlNotifyCompleteIrpList@8 ;	FsRtlNotifyCompleteIrpList(x,x)

loc_95A1F1:				; CODE XREF: FsRtlCheckNotifyForDelete(x,x)+13j
					; FsRtlCheckNotifyForDelete(x,x)+1Fj
		mov	esi, [esi]

loc_95A1F3:				; CODE XREF: FsRtlCheckNotifyForDelete(x,x)+Bj
		cmp	esi, edi
		jnz	short loc_95A1D3
		pop	edi
		pop	esi
		pop	ebx
		retn
_FsRtlCheckNotifyForDelete@8 endp


;  S U B	R O U T	I N E 


; __stdcall FsRtlCheckNotifyForDeleteLite(x)
_FsRtlCheckNotifyForDeleteLite@4 proc near
					; CODE XREF: FsRtlNotifyFilterChangeDirectoryLite+12BE55p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi]
		jmp	short loc_95A220
; 

loc_95A205:				; CODE XREF: FsRtlCheckNotifyForDeleteLite(x)+27j
		lea	ecx, [esi-10h]
		or	word ptr [ecx+24h], 20h
		lea	eax, [ecx+18h]
		cmp	[eax], eax
		jz	short loc_95A21E
		mov	edx, 0C0000056h
		call	_FsRtlNotifyCompleteIrpList@8 ;	FsRtlNotifyCompleteIrpList(x,x)

loc_95A21E:				; CODE XREF: FsRtlCheckNotifyForDeleteLite(x)+17j
		mov	esi, [esi]

loc_95A220:				; CODE XREF: FsRtlCheckNotifyForDeleteLite(x)+8j
		cmp	esi, edi
		jnz	short loc_95A205
		pop	edi
		pop	esi
		retn
_FsRtlCheckNotifyForDeleteLite@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 601. FsRtlNotifyChangeDirectory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNotifyChangeDirectory(x, x, x,	x, x, x, x)
		public _FsRtlNotifyChangeDirectory@28
_FsRtlNotifyChangeDirectory@28 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	1
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_C]
		push	[ebp+arg_0]
		call	FsRtlNotifyFilterChangeDirectory
		pop	ebp
		retn	1Ch
_FsRtlNotifyChangeDirectory@28 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 603. FsRtlNotifyCleanupAll

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNotifyCleanupAll(x, x)
		public _FsRtlNotifyCleanupAll@8
_FsRtlNotifyCleanupAll@8 proc near

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	0Ch
		push	offset dword_6A7E70
		call	__SEH_prolog4
		and	[ebp+var_1C], 0
		mov	edi, large fs:124h
		mov	esi, [ebp+arg_0]
		cmp	edi, [esi+20h]
		jz	short loc_95A284
		mov	ecx, esi
		call	ExAcquireFastMutexUnsafe
		mov	[esi+20h], edi

loc_95A284:				; CODE XREF: FsRtlNotifyCleanupAll(x,x)+1Dj
		inc	dword ptr [esi+24h]
		and	[ebp+ms_exc.disabled], 0
		mov	ebx, [ebp+arg_4]
		mov	edi, [ebx]

loc_95A290:				; CODE XREF: FsRtlNotifyCleanupAll(x,x)+4Aj
					; FsRtlNotifyCleanupAll(x,x)+5Ej
		cmp	edi, ebx
		jz	short loc_95A2BB
		lea	ecx, [edi-10h]
		mov	edi, [edi]
		lea	edx, [ebp+var_1C]
		call	_FsRtlNotifyCleanupOneEntry@8 ;	FsRtlNotifyCleanupOneEntry(x,x)
		cmp	[ebp+var_1C], 0
		jz	short loc_95A290
		push	[ebp+var_1C]
		call	SeReleaseSubjectContext
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_95A290
; 

loc_95A2BB:				; CODE XREF: FsRtlNotifyCleanupAll(x,x)+37j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_95A2DC
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_FsRtlNotifyCleanupAll@8 endp


;  S U B	R O U T	I N E 


sub_95A2D9	proc near		; DATA XREF: .text:006A7E88o
		mov	esi, [ebp+8]
sub_95A2D9	endp


;  S U B	R O U T	I N E 


sub_95A2DC	proc near		; CODE XREF: FsRtlNotifyCleanupAll(x,x)+67p
		sub	dword ptr [esi+24h], 1
		jnz	short locret_95A2ED
		and	dword ptr [esi+20h], 0
		mov	ecx, esi
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)

locret_95A2ED:				; CODE XREF: sub_95A2DC+4j
		retn
sub_95A2DC	endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 607. FsRtlNotifyFilterReportChangeLite

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNotifyFilterReportChangeLite(x, x, x, x, x, x,	x, x, x)
		public _FsRtlNotifyFilterReportChangeLite@36
_FsRtlNotifyFilterReportChangeLite@36 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_FsRtlNotifyFilterReportChangeLiteEx@40	; FsRtlNotifyFilterReportChangeLiteEx(x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	24h
_FsRtlNotifyFilterReportChangeLite@36 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 609. FsRtlNotifyFullChangeDirectory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNotifyFullChangeDirectory(x, x, x, x, x, x, x,	x, x, x)
		public _FsRtlNotifyFullChangeDirectory@40
_FsRtlNotifyFullChangeDirectory@40 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	FsRtlNotifyFilterChangeDirectory
		pop	ebp
		retn	28h
_FsRtlNotifyFullChangeDirectory@40 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 610. FsRtlNotifyFullReportChange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNotifyFullReportChange(x, x, x, x, x, x, x, x,	x)
		public _FsRtlNotifyFullReportChange@36
_FsRtlNotifyFullReportChange@36	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_FsRtlNotifyFilterReportChange@40 ; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	24h
_FsRtlNotifyFullReportChange@36	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 612. FsRtlNotifyReportChange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNotifyReportChange(x, x, x, x,	x)
		public _FsRtlNotifyReportChange@20
_FsRtlNotifyReportChange@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_8]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_10]
		mov	cx, [edx]
		push	eax
		push	eax
		mov	eax, [ebp+arg_C]
		sub	cx, [eax]
		movzx	eax, cx
		push	eax
		push	edx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_FsRtlNotifyFilterReportChange@40 ; FsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	14h
_FsRtlNotifyReportChange@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 614. FsRtlNotifyVolumeEvent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlNotifyVolumeEvent(x, x)
		public _FsRtlNotifyVolumeEvent@8
_FsRtlNotifyVolumeEvent@8 proc near	; CODE XREF: RawCleanup+16F073p
					; RawUserFsCtrl(x,x,x)+3Fp ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+28h+var_4], eax
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		or	[esp+28h+var_C], 0FFFFFFFFh
		inc	ecx
		push	1Ch
		mov	word ptr [esp+2Ch+var_24], cx
		xor	edx, edx
		pop	ecx
		mov	word ptr [esp+28h+var_24+2], cx
		lea	ecx, [esp+28h+var_24]
		push	ecx
		push	[ebp+arg_4]
		mov	[esp+30h+var_20], edx
		push	eax
		mov	[esp+34h+var_1C], edx
		mov	[esp+34h+var_18], edx
		mov	[esp+34h+var_14], edx
		mov	[esp+34h+var_8], edx
		mov	[esp+34h+var_10], edx
		call	FsRtlNotifyVolumeEventEx
		mov	ecx, [esp+28h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_FsRtlNotifyVolumeEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: virtual void * __thiscall NT_DISK::`scalar deleting destructor'(unsigned int)
??_GNT_DISK@@UAEPAXI@Z proc near

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	dword ptr [esi], (offset loc_403A38+4)
		call	??1SC_DISK@@UAE@XZ ; SC_DISK::~SC_DISK(void)
		test	[ebp+arg_0], 1
		jz	short loc_95A441
		mov	ecx, esi
		call	??3SC_ENV_ALLOCATOR@@SGXPAX@Z ;	SC_ENV_ALLOCATOR::operator delete(void *)

loc_95A441:				; CODE XREF: NT_DISK::`scalar deleting destructor'(uint)+17j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
??_GNT_DISK@@UAEPAXI@Z endp


;  S U B	R O U T	I N E 


; public: static void *	__stdcall SC_ENV::Allocate(unsigned int)
?Allocate@SC_ENV@@SGPAXI@Z proc	near	; CODE XREF: ScAnsiToUnicodeString(char	*,_UNICODE_STRING *)+3Bp
					; SC_DISK::InitializePartitionCache(void)+12p ...
		push	54506F49h
		push	ecx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
?Allocate@SC_ENV@@SGPAXI@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: virtual long __thiscall NT_DISK::Control(unsigned long, void *, unsigned long, void *, unsigned long)
?Control@NT_DISK@@UAEJKPAXK0K@Z	proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	edi, [esp+28h+var_C]
		xor	eax, eax
		mov	[esp+28h+var_10], ebx
		stosd
		mov	esi, ecx
		push	ebx
		push	ebx
		mov	[esp+30h+var_18], ebx
		stosd
		mov	[esp+30h+var_14], ebx
		stosd
		lea	eax, [esp+30h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+28h+var_18]
		push	eax
		lea	eax, [esp+2Ch+var_10]
		push	eax
		push	ebx
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	dword ptr [esi+0F8h]
		push	[ebp+arg_0]
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_95A4BC
		mov	eax, 0C000009Ah
		jmp	short loc_95A4E2
; 

loc_95A4BC:				; CODE XREF: NT_DISK::Control(ulong,void *,ulong,void *,ulong)+5Aj
		mov	ecx, [esi+0F8h]
		mov	edx, eax
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_95A4E2
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+38h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+28h+var_18]

loc_95A4E2:				; CODE XREF: NT_DISK::Control(ulong,void *,ulong,void *,ulong)+61j
					; NT_DISK::Control(ulong,void *,ulong,void *,ulong)+75j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
?Control@NT_DISK@@UAEJKPAXK0K@Z	endp


;  S U B	R O U T	I N E 


; public: static long __stdcall	SC_ENV::CreateGuid(struct _GUID	*)
?CreateGuid@SC_ENV@@SGJPAU_GUID@@@Z proc near
					; CODE XREF: SC_MBR::WritePartitionTable(SC_DISK_LAYOUT	*)+4Ep
					; SC_GPT::WritePartitionTable(SC_DISK_LAYOUT *,uchar)+255p ...
		mov	edi, edi
		push	ecx
		push	ecx
		call	ExUuidCreate
		pop	ecx
		retn
?CreateGuid@SC_ENV@@SGJPAU_GUID@@@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: virtual long __thiscall NT_DISK::Read(unsigned __int64, unsigned long, unsigned char *)
?Read@NT_DISK@@UAEJ_KKPAE@Z proc near

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		push	edi
		push	0
		lea	eax, [ebp+arg_0]
		mov	edi, ecx
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_C]
		push	dword ptr [edi+0F8h]
		push	3
		call	_IoBuildAsynchronousFsdRequest@24 ; IoBuildAsynchronousFsdRequest(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_95A528
		mov	edi, 0C000009Ah
		jmp	short loc_95A553
; 

loc_95A528:				; CODE XREF: NT_DISK::Read(unsigned __int64,ulong,uchar	*)+29j
		mov	eax, [esi+60h]
		push	esi
		or	byte ptr [eax-22h], 2
		push	dword ptr [edi+0F8h]
		call	_IoSynchronousCallDriver@8 ; IoSynchronousCallDriver(x,x)
		mov	edi, eax
		push	dword ptr [esi+4]
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	dword ptr [esi+4]
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_95A553:				; CODE XREF: NT_DISK::Read(unsigned __int64,ulong,uchar	*)+30j
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
?Read@NT_DISK@@UAEJ_KKPAE@Z endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; public: virtual long __thiscall NT_DISK::Write(unsigned __int64, unsigned long, unsigned char	*)
?Write@NT_DISK@@UAEJ_KKPAE@Z proc near

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		push	edi
		push	0
		lea	eax, [ebp+arg_0]
		mov	edi, ecx
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_C]
		push	dword ptr [edi+0F8h]
		push	4
		call	_IoBuildAsynchronousFsdRequest@24 ; IoBuildAsynchronousFsdRequest(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_95A58F
		mov	edi, 0C000009Ah
		jmp	short loc_95A5BA
; 

loc_95A58F:				; CODE XREF: NT_DISK::Write(unsigned __int64,ulong,uchar *)+29j
		mov	eax, [esi+60h]
		push	esi
		or	byte ptr [eax-22h], 12h
		push	dword ptr [edi+0F8h]
		call	_IoSynchronousCallDriver@8 ; IoSynchronousCallDriver(x,x)
		mov	edi, eax
		push	dword ptr [esi+4]
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	dword ptr [esi+4]
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_95A5BA:				; CODE XREF: NT_DISK::Write(unsigned __int64,ulong,uchar *)+30j
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
?Write@NT_DISK@@UAEJ_KKPAE@Z endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 107. HalExamineMBR

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall HalExamineMBR(x, x, x, x)
		public @HalExamineMBR@16
@HalExamineMBR@16 proc near		; DATA XREF: .data:006B2BD4o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		pop	ebp
		retn	8
@HalExamineMBR@16 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 117. IoReadPartitionTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall IoReadPartitionTable(x, x,	x, x)
		public @IoReadPartitionTable@16
@IoReadPartitionTable@16 proc near	; DATA XREF: .data:006B2BD8o

var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 114h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+114h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		mov	[esp+11Ch+var_114], ebx
		push	edi
		lea	ecx, [esp+120h+var_108]
		call	??0SC_DISK@@QAE@XZ ; SC_DISK::SC_DISK(void)
		and	[esp+120h+var_110], 0
		lea	ecx, [esp+120h+var_108]
		and	dword ptr [ebx], 0
		mov	[esp+120h+var_108], (offset loc_403A38+4)
		mov	[esp+120h+var_10], esi
		call	?Initialize@SC_DISK@@UAEJXZ ; SC_DISK::Initialize(void)
		mov	esi, eax
		test	esi, esi
		js	loc_95A766
		lea	ecx, [esp+120h+var_108]
		call	?InitializePartitionCache@SC_DISK@@QAEJXZ ; SC_DISK::InitializePartitionCache(void)
		mov	esi, eax
		test	esi, esi
		js	loc_95A766
		lea	eax, [esp+120h+var_110]
		push	eax
		lea	ecx, [esp+124h+var_108]
		call	?ReadPartitionTable@SC_DISK@@QAEJPAPAVSC_DISK_LAYOUT@@@Z ; SC_DISK::ReadPartitionTable(SC_DISK_LAYOUT *	*)
		mov	edi, [esp+120h+var_110]
		mov	esi, eax
		mov	[esp+120h+var_10C], esi
		test	esi, esi
		js	loc_95A75A
		cmp	dword ptr [edi], 1
		jnz	short loc_95A67A
		mov	esi, 0C00000BBh
		jmp	loc_95A75A
; 

loc_95A67A:				; CODE XREF: IoReadPartitionTable(x,x,x,x)+91j
		imul	ebx, [edi+4], 90h
		push	54506F49h
		add	ebx, 30h
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [esp+120h+var_114]
		mov	[ecx], eax
		test	eax, eax
		jnz	short loc_95A6A8
		mov	esi, 0C000009Ah
		jmp	loc_95A75A
; 

loc_95A6A8:				; CODE XREF: IoReadPartitionTable(x,x,x,x)+BFj
		push	ebx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ebx, [esp+12Ch+var_114]
		add	esp, 0Ch
		mov	eax, [edi+4]
		and	[esp+120h+var_114], 0
		mov	ecx, [ebx]
		mov	[ecx], eax
		mov	ecx, [ebx]
		mov	eax, [edi+8]
		mov	[ecx+4], eax
		cmp	dword ptr [edi+4], 0
		jbe	loc_95A75A
		xor	edx, edx
		lea	ecx, [edi+40h]

loc_95A6DB:				; CODE XREF: IoReadPartitionTable(x,x,x,x)+177j
		cmp	[ebp+arg_0], 0
		mov	eax, [ebx]
		mov	[esp+120h+var_110], eax
		jz	short loc_95A6F6
		mov	al, [ecx+10h]
		test	al, al
		jz	short loc_95A73F
		cmp	al, 5
		jz	short loc_95A73F
		cmp	al, 0Fh
		jz	short loc_95A73F

loc_95A6F6:				; CODE XREF: IoReadPartitionTable(x,x,x,x)+108j
		mov	esi, [esp+120h+var_110]
		mov	eax, [ecx-8]
		mov	[esi+edx+8], eax
		mov	eax, [ecx-4]
		mov	[esi+edx+0Ch], eax
		mov	eax, [ecx]
		mov	[esi+edx+10h], eax
		mov	eax, [ecx+4]
		mov	[esi+edx+14h], eax
		mov	eax, [ecx+14h]
		mov	[esi+edx+18h], eax
		mov	eax, [ecx+8]
		mov	[esi+edx+1Ch], eax
		mov	al, [ecx+10h]
		mov	[esi+edx+20h], al
		mov	al, [ecx+11h]
		mov	[esi+edx+21h], al
		mov	al, [ecx+12h]
		mov	[esi+edx+22h], al
		mov	al, [ecx+0Ch]
		mov	[esi+edx+23h], al

loc_95A73F:				; CODE XREF: IoReadPartitionTable(x,x,x,x)+10Fj
					; IoReadPartitionTable(x,x,x,x)+113j ...
		mov	eax, [esp+120h+var_114]
		add	ecx, 90h
		inc	eax
		add	edx, 20h
		mov	[esp+120h+var_114], eax
		cmp	eax, [edi+4]
		jb	short loc_95A6DB
		mov	esi, [esp+120h+var_10C]

loc_95A75A:				; CODE XREF: IoReadPartitionTable(x,x,x,x)+88j
					; IoReadPartitionTable(x,x,x,x)+98j ...
		test	edi, edi
		jz	short loc_95A766
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95A766:				; CODE XREF: IoReadPartitionTable(x,x,x,x)+55j
					; IoReadPartitionTable(x,x,x,x)+68j ...
		lea	ecx, [esp+120h+var_108]
		mov	[esp+120h+var_108], (offset loc_403A38+4)
		call	??1SC_DISK@@UAE@XZ ; SC_DISK::~SC_DISK(void)
		mov	ecx, [esp+120h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
@IoReadPartitionTable@16 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 118. IoSetPartitionInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall IoSetPartitionInformation(x, x, x,	x)
		public @IoSetPartitionInformation@16
@IoSetPartitionInformation@16 proc near	; DATA XREF: .data:006B2BDCo

var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= byte ptr -178h
var_177		= dword	ptr -177h
var_108		= dword	ptr -108h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 180h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+180h+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		lea	ecx, [esp+188h+var_108]
		call	??0SC_DISK@@QAE@XZ ; SC_DISK::SC_DISK(void)
		and	[esp+188h+var_17C], 0
		lea	eax, [esp+188h+var_177]
		push	6Fh		; size_t
		push	0		; int
		mov	ebx, (offset loc_403A38+4)
		push	eax		; void *
		mov	[esp+194h+var_108], ebx
		call	_memset
		mov	al, [ebp+arg_4]
		lea	ecx, [esp+194h+var_108]
		and	[esp+194h+var_180], 0
		add	esp, 0Ch
		mov	[esp+188h+var_178], al
		mov	[esp+188h+var_10], esi
		call	?Initialize@SC_DISK@@UAEJXZ ; SC_DISK::Initialize(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_95A830
		lea	ecx, [esp+188h+var_108]
		call	?InitializePartitionCache@SC_DISK@@QAEJXZ ; SC_DISK::InitializePartitionCache(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_95A830
		lea	eax, [esp+188h+var_180]
		push	eax
		push	[ebp+arg_0]
		lea	ecx, [esp+190h+var_108]
		call	?SetPartition@SC_DISK@@QAEJKPAU_SET_PARTITION_INFORMATION_EX@@@Z ; SC_DISK::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)
		mov	esi, eax

loc_95A830:				; CODE XREF: IoSetPartitionInformation(x,x,x,x)+71j
					; IoSetPartitionInformation(x,x,x,x)+83j
		lea	ecx, [esp+188h+var_108]
		mov	[esp+188h+var_108], ebx
		call	??1SC_DISK@@UAE@XZ ; SC_DISK::~SC_DISK(void)
		mov	ecx, [esp+188h+var_4]
		mov	eax, esi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
@IoSetPartitionInformation@16 endp

; 
		align 10h
; Exported entry 119. IoWritePartitionTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall IoWritePartitionTable(x, x, x, x, x)
		public @IoWritePartitionTable@20
@IoWritePartitionTable@20 proc near	; DATA XREF: .data:006B2BE0o

var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[esp+114h+var_10C], ecx
		lea	ecx, [esp+114h+var_108]
		push	edi
		call	??0SC_DISK@@QAE@XZ ; SC_DISK::SC_DISK(void)
		imul	eax, [esi], 90h
		and	[esp+118h+var_10], 0
		push	54506F49h
		mov	[esp+11Ch+var_108], (offset loc_403A38+4)
		add	eax, 30h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_95A8C8
		mov	esi, 0C000009Ah
		jmp	loc_95A974
; 

loc_95A8C8:				; CODE XREF: IoWritePartitionTable(x,x,x,x,x)+5Cj
		and	dword ptr [edi], 0
		xor	ebx, ebx
		mov	eax, [esi]
		mov	[edi+4], eax
		mov	eax, [esi+4]
		mov	[edi+8], eax
		cmp	[esi], ebx
		jbe	short loc_95A937
		lea	edx, [esi+1Ch]
		lea	ecx, [edi+40h]

loc_95A8E2:				; CODE XREF: IoWritePartitionTable(x,x,x,x,x)+D5j
		and	dword ptr [ecx-10h], 0
		inc	ebx
		mov	eax, [edx-14h]
		mov	[ecx-8], eax
		mov	eax, [edx-10h]
		mov	[ecx-4], eax
		mov	eax, [edx-0Ch]
		mov	[ecx], eax
		lea	ecx, [ecx+90h]
		mov	eax, [edx-8]
		mov	[ecx-8Ch], eax
		mov	eax, [edx]
		lea	edx, [edx+20h]
		mov	[ecx-88h], eax
		mov	al, [edx-19h]
		mov	[ecx-84h], al
		mov	al, [edx-1Ch]
		mov	[ecx-80h], al
		mov	al, [edx-1Bh]
		mov	[ecx-7Fh], al
		mov	al, [edx-1Ah]
		mov	[ecx-7Eh], al
		mov	eax, [edx-24h]
		mov	[ecx-7Ch], eax
		cmp	ebx, [esi]
		jb	short loc_95A8E2

loc_95A937:				; CODE XREF: IoWritePartitionTable(x,x,x,x,x)+7Aj
		mov	eax, [esp+118h+var_10C]
		lea	ecx, [esp+118h+var_108]
		mov	[esp+118h+var_10], eax
		call	?Initialize@SC_DISK@@UAEJXZ ; SC_DISK::Initialize(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_95A96C
		lea	ecx, [esp+118h+var_108]
		call	?InitializePartitionCache@SC_DISK@@QAEJXZ ; SC_DISK::InitializePartitionCache(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_95A96C
		push	edi
		lea	ecx, [esp+11Ch+var_108]
		call	?WritePartitionTable@SC_DISK@@QAEJPAVSC_DISK_LAYOUT@@@Z	; SC_DISK::WritePartitionTable(SC_DISK_LAYOUT *)
		mov	esi, eax

loc_95A96C:				; CODE XREF: IoWritePartitionTable(x,x,x,x,x)+EFj
					; IoWritePartitionTable(x,x,x,x,x)+FEj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95A974:				; CODE XREF: IoWritePartitionTable(x,x,x,x,x)+63j
		lea	ecx, [esp+118h+var_108]
		mov	[esp+118h+var_108], (offset loc_403A38+4)
		call	??1SC_DISK@@UAE@XZ ; SC_DISK::~SC_DISK(void)
		mov	ecx, [esp+118h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
@IoWritePartitionTable@20 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 790. IoCreateDisk

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCreateDisk(x, x)
		public _IoCreateDisk@8
_IoCreateDisk@8	proc near

var_108		= dword	ptr -108h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		lea	ecx, [esp+118h+var_108]
		call	??0SC_DISK@@QAE@XZ ; SC_DISK::SC_DISK(void)
		mov	eax, [ebp+arg_0]
		lea	ecx, [esp+118h+var_108]
		mov	ebx, (offset loc_403A38+4)
		mov	[esp+118h+var_10], eax
		mov	[esp+118h+var_108], ebx
		call	?Initialize@SC_DISK@@UAEJXZ ; SC_DISK::Initialize(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_95AA0B
		lea	ecx, [esp+118h+var_108]
		call	?InitializePartitionCache@SC_DISK@@QAEJXZ ; SC_DISK::InitializePartitionCache(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_95AA0B
		push	edi
		lea	ecx, [esp+11Ch+var_108]
		call	?CreatePartitionTable@SC_DISK@@QAEJPAU_CREATE_DISK@@@Z ; SC_DISK::CreatePartitionTable(_CREATE_DISK *)
		mov	esi, eax

loc_95AA0B:				; CODE XREF: IoCreateDisk(x,x)+4Bj
					; IoCreateDisk(x,x)+5Aj
		lea	ecx, [esp+118h+var_108]
		mov	[esp+118h+var_108], ebx
		call	??1SC_DISK@@UAE@XZ ; SC_DISK::~SC_DISK(void)
		mov	ecx, [esp+118h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_IoCreateDisk@8	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 930. IoReadDiskSignature

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoReadDiskSignature(x, x, x)
		public _IoReadDiskSignature@12
_IoReadDiskSignature@12	proc near

var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		lea	ecx, [esp+118h+var_108]
		call	??0SC_DISK@@QAE@XZ ; SC_DISK::SC_DISK(void)
		mov	eax, [ebp+arg_0]
		lea	ecx, [esp+118h+var_108]
		and	[esp+118h+var_10C], 0
		mov	[esp+118h+var_108], (offset loc_403A38+4)
		mov	[esp+118h+var_10], eax
		call	?Initialize@SC_DISK@@UAEJXZ ; SC_DISK::Initialize(void)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_95AAE9
		lea	ecx, [esp+118h+var_108]
		call	?InitializePartitionCache@SC_DISK@@QAEJXZ ; SC_DISK::InitializePartitionCache(void)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_95AAE9
		lea	eax, [esp+118h+var_10C]
		push	eax
		lea	ecx, [esp+11Ch+var_108]
		call	?ReadPartitionTable@SC_DISK@@QAEJPAPAVSC_DISK_LAYOUT@@@Z ; SC_DISK::ReadPartitionTable(SC_DISK_LAYOUT *	*)
		mov	edx, [esp+118h+var_10C]
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_95AADD
		mov	ecx, [edx]
		mov	[edi], ecx
		mov	eax, [edx]
		sub	eax, 0
		jz	short loc_95AAD1
		sub	eax, 1
		jz	short loc_95AAC5
		mov	ebx, 0C00000BBh
		jmp	short loc_95AADD
; 

loc_95AAC5:				; CODE XREF: IoReadDiskSignature(x,x,x)+86j
		add	edi, 4
		lea	esi, [edx+8]
		movsd
		movsd
		movsd
		movsd
		jmp	short loc_95AADD
; 

loc_95AAD1:				; CODE XREF: IoReadDiskSignature(x,x,x)+81j
		mov	eax, [edx+8]
		mov	[edi+4], eax
		mov	eax, [edx+0Ch]
		mov	[edi+8], eax

loc_95AADD:				; CODE XREF: IoReadDiskSignature(x,x,x)+76j
					; IoReadDiskSignature(x,x,x)+8Dj ...
		test	edx, edx
		jz	short loc_95AAE9
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95AAE9:				; CODE XREF: IoReadDiskSignature(x,x,x)+4Fj
					; IoReadDiskSignature(x,x,x)+5Ej ...
		lea	ecx, [esp+118h+var_108]
		mov	[esp+118h+var_108], (offset loc_403A38+4)
		call	??1SC_DISK@@UAE@XZ ; SC_DISK::~SC_DISK(void)
		mov	ecx, [esp+118h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_IoReadDiskSignature@12	endp

; 
		align 8
; Exported entry 932. IoReadPartitionTableEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoReadPartitionTableEx(x, x)
		public _IoReadPartitionTableEx@8
_IoReadPartitionTableEx@8 proc near

var_108		= dword	ptr -108h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		lea	ecx, [esp+118h+var_108]
		call	??0SC_DISK@@QAE@XZ ; SC_DISK::SC_DISK(void)
		mov	eax, [ebp+arg_0]
		lea	ecx, [esp+118h+var_108]
		mov	ebx, (offset loc_403A38+4)
		mov	[esp+118h+var_10], eax
		mov	[esp+118h+var_108], ebx
		call	?Initialize@SC_DISK@@UAEJXZ ; SC_DISK::Initialize(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_95AB80
		lea	ecx, [esp+118h+var_108]
		call	?InitializePartitionCache@SC_DISK@@QAEJXZ ; SC_DISK::InitializePartitionCache(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_95AB80
		push	edi
		lea	ecx, [esp+11Ch+var_108]
		call	?ReadPartitionTable@SC_DISK@@QAEJPAPAVSC_DISK_LAYOUT@@@Z ; SC_DISK::ReadPartitionTable(SC_DISK_LAYOUT *	*)
		mov	esi, eax

loc_95AB80:				; CODE XREF: IoReadPartitionTableEx(x,x)+4Bj
					; IoReadPartitionTableEx(x,x)+5Aj
		lea	ecx, [esp+118h+var_108]
		mov	[esp+118h+var_108], ebx
		call	??1SC_DISK@@UAE@XZ ; SC_DISK::~SC_DISK(void)
		mov	ecx, [esp+118h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_IoReadPartitionTableEx@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1000. IoSetPartitionInformationEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetPartitionInformationEx(x, x, x)
		public _IoSetPartitionInformationEx@12
_IoSetPartitionInformationEx@12	proc near

var_108		= dword	ptr -108h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		lea	ecx, [esp+118h+var_108]
		call	??0SC_DISK@@QAE@XZ ; SC_DISK::SC_DISK(void)
		mov	eax, [ebp+arg_0]
		lea	ecx, [esp+118h+var_108]
		mov	ebx, (offset loc_403A38+4)
		mov	[esp+118h+var_10], eax
		mov	[esp+118h+var_108], ebx
		call	?Initialize@SC_DISK@@UAEJXZ ; SC_DISK::Initialize(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_95AC16
		lea	ecx, [esp+118h+var_108]
		call	?InitializePartitionCache@SC_DISK@@QAEJXZ ; SC_DISK::InitializePartitionCache(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_95AC16
		push	edi
		push	[ebp+arg_4]
		lea	ecx, [esp+120h+var_108]
		call	?SetPartition@SC_DISK@@QAEJKPAU_SET_PARTITION_INFORMATION_EX@@@Z ; SC_DISK::SetPartition(ulong,_SET_PARTITION_INFORMATION_EX *)
		mov	esi, eax

loc_95AC16:				; CODE XREF: IoSetPartitionInformationEx(x,x,x)+4Bj
					; IoSetPartitionInformationEx(x,x,x)+5Aj
		lea	ecx, [esp+118h+var_108]
		mov	[esp+118h+var_108], ebx
		call	??1SC_DISK@@UAE@XZ ; SC_DISK::~SC_DISK(void)
		mov	ecx, [esp+118h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_IoSetPartitionInformationEx@12	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1038. IoVerifyPartitionTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoVerifyPartitionTable(x, x)
		public _IoVerifyPartitionTable@8
_IoVerifyPartitionTable@8 proc near

var_108		= dword	ptr -108h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 108h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+108h+var_4], eax
		push	esi
		push	edi
		lea	ecx, [esp+110h+var_108]
		call	??0SC_DISK@@QAE@XZ ; SC_DISK::SC_DISK(void)
		mov	eax, [ebp+arg_0]
		lea	ecx, [esp+110h+var_108]
		mov	edi, (offset loc_403A38+4)
		mov	[esp+110h+var_10], eax
		mov	[esp+110h+var_108], edi
		call	?Initialize@SC_DISK@@UAEJXZ ; SC_DISK::Initialize(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_95ACA7
		lea	ecx, [esp+110h+var_108]
		call	?InitializePartitionCache@SC_DISK@@QAEJXZ ; SC_DISK::InitializePartitionCache(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_95ACA7
		push	[ebp+arg_4]
		lea	ecx, [esp+114h+var_108]
		call	?VerifyPartitionTable@SC_DISK@@QAEJE@Z ; SC_DISK::VerifyPartitionTable(uchar)
		mov	esi, eax

loc_95ACA7:				; CODE XREF: IoVerifyPartitionTable(x,x)+47j
					; IoVerifyPartitionTable(x,x)+56j
		lea	ecx, [esp+110h+var_108]
		mov	[esp+110h+var_108], edi
		call	??1SC_DISK@@UAE@XZ ; SC_DISK::~SC_DISK(void)
		mov	ecx, [esp+110h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_IoVerifyPartitionTable@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1064. IoWritePartitionTableEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoWritePartitionTableEx(x, x)
		public _IoWritePartitionTableEx@8
_IoWritePartitionTableEx@8 proc	near

var_108		= dword	ptr -108h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		lea	ecx, [esp+118h+var_108]
		call	??0SC_DISK@@QAE@XZ ; SC_DISK::SC_DISK(void)
		mov	eax, [ebp+arg_0]
		lea	ecx, [esp+118h+var_108]
		mov	ebx, (offset loc_403A38+4)
		mov	[esp+118h+var_10], eax
		mov	[esp+118h+var_108], ebx
		call	?Initialize@SC_DISK@@UAEJXZ ; SC_DISK::Initialize(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_95AD39
		lea	ecx, [esp+118h+var_108]
		call	?InitializePartitionCache@SC_DISK@@QAEJXZ ; SC_DISK::InitializePartitionCache(void)
		mov	esi, eax
		test	esi, esi
		js	short loc_95AD39
		push	edi
		lea	ecx, [esp+11Ch+var_108]
		call	?WritePartitionTable@SC_DISK@@QAEJPAVSC_DISK_LAYOUT@@@Z	; SC_DISK::WritePartitionTable(SC_DISK_LAYOUT *)
		mov	esi, eax

loc_95AD39:				; CODE XREF: IoWritePartitionTableEx(x,x)+4Bj
					; IoWritePartitionTableEx(x,x)+5Aj
		lea	ecx, [esp+118h+var_108]
		mov	[esp+118h+var_108], ebx
		call	??1SC_DISK@@UAE@XZ ; SC_DISK::~SC_DISK(void)
		mov	ecx, [esp+118h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_IoWritePartitionTableEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FstubTranslateRequirement(x, x, x, x, x)
_FstubTranslateRequirement@20 proc near	; DATA XREF: xHalGetInterruptTranslator(x,x,x,x,x,x,x)+3Eo

var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		push	esi
		push	62747346h
		xor	esi, esi
		mov	byte ptr [ebp+var_1], 0
		push	20h
		inc	esi
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, [ebp+arg_10]
		mov	[edx], eax
		test	eax, eax
		jnz	short loc_95AD8F
		mov	eax, 0C000009Ah
		jmp	short loc_95ADE4
; 

loc_95AD8F:				; CODE XREF: FstubTranslateRequirement(x,x,x,x,x)+27j
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	edi
		push	8
		pop	ecx
		mov	[eax], esi
		mov	esi, ebx
		mov	edi, [edx]
		rep movsd
		mov	eax, [ebx+8]
		lea	ecx, [ebp+var_8]
		mov	esi, ds:__imp__HalGetInterruptVector@24	; HalGetInterruptVector(x,x,x,x,x,x)
		push	ecx
		lea	ecx, [ebp+var_1]
		push	ecx
		push	eax
		push	eax
		push	0
		push	[ebp+arg_0]
		call	esi
		mov	edi, [ebp+arg_10]
		mov	ecx, [edi]
		mov	[ecx+8], eax
		lea	ecx, [ebp+var_8]
		mov	eax, [ebx+0Ch]
		push	ecx
		lea	ecx, [ebp+var_1]
		push	ecx
		push	eax
		push	eax
		push	0
		push	[ebp+arg_0]
		call	esi
		mov	ecx, [edi]
		pop	edi
		pop	ebx
		mov	[ecx+0Ch], eax
		mov	eax, 120h

loc_95ADE4:				; CODE XREF: FstubTranslateRequirement(x,x,x,x,x)+2Ej
		pop	esi
		leave
		retn	14h
_FstubTranslateRequirement@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FstubTranslateResource(x, x, x, x, x, x, x)
_FstubTranslateResource@28 proc	near	; DATA XREF: xHalGetInterruptTranslator(x,x,x,x,x,x,x)+37o

var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_8], edx
		mov	byte ptr [ebp+var_1], dl
		push	ebx
		mov	ebx, [ebp+arg_18]
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, ebx
		movsd
		movsd
		movsd
		movsd
		sub	eax, edx
		jz	short loc_95AE7A
		sub	eax, 1
		jnz	short loc_95AE5C
		mov	eax, [ebp+arg_C]
		mov	esi, [ebp+arg_10]
		shl	eax, 5
		add	eax, esi
		mov	[ebp+arg_18], eax
		jmp	short loc_95AE58
; 

loc_95AE25:				; CODE XREF: FstubTranslateResource(x,x,x,x,x,x,x)+71j
		mov	edi, [esi+8]
		cmp	edi, [esi+0Ch]
		ja	short loc_95AE55

loc_95AE2D:				; CODE XREF: FstubTranslateResource(x,x,x,x,x,x,x)+67j
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		push	edi
		push	edi
		push	edx
		push	[ebp+arg_0]
		call	ds:__imp__HalGetInterruptVector@24 ; HalGetInterruptVector(x,x,x,x,x,x)
		mov	ecx, [ebp+arg_4]
		cmp	eax, [ecx+8]
		jz	short loc_95AE68
		inc	edi
		push	0
		pop	edx
		cmp	edi, [esi+0Ch]
		jbe	short loc_95AE2D
		mov	eax, [ebp+arg_18]

loc_95AE55:				; CODE XREF: FstubTranslateResource(x,x,x,x,x,x,x)+42j
		add	esi, 20h

loc_95AE58:				; CODE XREF: FstubTranslateResource(x,x,x,x,x,x,x)+3Aj
		cmp	esi, eax
		jb	short loc_95AE25

loc_95AE5C:				; CODE XREF: FstubTranslateResource(x,x,x,x,x,x,x)+2Aj
		mov	eax, 0C0000001h

loc_95AE61:				; CODE XREF: FstubTranslateResource(x,x,x,x,x,x,x)+8Fj
					; FstubTranslateResource(x,x,x,x,x,x,x)+BEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_95AE68:				; CODE XREF: FstubTranslateResource(x,x,x,x,x,x,x)+5Ej
		or	dword ptr [ebx+0Ch], 0FFFFFFFFh
		mov	ax, di
		mov	[ebx+4], ax
		xor	eax, eax
		mov	[ebx+8], edi
		jmp	short loc_95AE61
; 

loc_95AE7A:				; CODE XREF: FstubTranslateResource(x,x,x,x,x,x,x)+25j
		mov	eax, [ecx+8]
		lea	ecx, [ebp+var_8]
		push	ecx
		lea	ecx, [ebp+var_1]
		push	ecx
		push	eax
		push	eax
		push	edx
		push	[ebp+arg_0]
		call	ds:__imp__HalGetInterruptVector@24 ; HalGetInterruptVector(x,x,x,x,x,x)
		mov	[ebx+8], eax
		movzx	eax, byte ptr [ebp+var_1]
		mov	[ebx+4], ax
		mov	eax, [ebp+var_8]
		mov	[ebx+0Ch], eax
		mov	eax, 120h
		jmp	short loc_95AE61
_FstubTranslateResource@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall xHalGetInterruptTranslator(x, x, x,	x, x, x, x)
_xHalGetInterruptTranslator@28 proc near ; DATA	XREF: .data:006B2BFCo

arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_95AEC6
		test	eax, eax
		jle	short loc_95AEBF
		cmp	eax, 3
		jle	short loc_95AEC6

loc_95AEBF:				; CODE XREF: xHalGetInterruptTranslator(x,x,x,x,x,x,x)+Fj
		mov	eax, 0C0000002h
		jmp	short loc_95AEFB
; 

loc_95AEC6:				; CODE XREF: xHalGetInterruptTranslator(x,x,x,x,x,x,x)+Bj
					; xHalGetInterruptTranslator(x,x,x,x,x,x,x)+14j
		mov	ecx, [ebp+arg_14]
		push	18h
		pop	edx
		mov	[ecx], dx
		xor	edx, edx
		mov	[ecx+2], dx
		mov	edx, offset _PopPdcCallback@4 ;	PopPdcCallback(x)
		mov	[ecx+8], edx
		mov	[ecx+0Ch], edx
		mov	dword ptr [ecx+10h], offset _FstubTranslateResource@28 ; FstubTranslateResource(x,x,x,x,x,x,x)
		mov	dword ptr [ecx+14h], offset _FstubTranslateRequirement@20 ; FstubTranslateRequirement(x,x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_95AEF6
		xor	eax, eax
		inc	eax

loc_95AEF6:				; CODE XREF: xHalGetInterruptTranslator(x,x,x,x,x,x,x)+48j
		mov	[ecx+4], eax
		xor	eax, eax

loc_95AEFB:				; CODE XREF: xHalGetInterruptTranslator(x,x,x,x,x,x,x)+1Bj
		pop	ebp
		retn	1Ch
_xHalGetInterruptTranslator@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlQueryDetailInfo(x, x, x,	x)
_HvlQueryDetailInfo@16 proc near	; CODE XREF: PAGE:00780B5Ep

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_60		= dword	ptr -60h
var_50		= dword	ptr -50h
var_40		= dword	ptr -40h
var_30		= dword	ptr -30h
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

		push	88h
		push	offset dword_6A7E90
		call	__SEH_prolog4_GS
		mov	edi, ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_94], eax
		cmp	edx, 70h
		jz	short loc_95AF40
		mov	edx, 0C00000F0h

loc_95AF23:				; CODE XREF: HvlQueryDetailInfo(x,x,x,x)+CBj
		mov	ecx, [ebp+var_94]
		and	dword ptr [ecx], 0

loc_95AF2C:				; CODE XREF: HvlQueryDetailInfo(x,x,x,x)+DDj
		mov	eax, edx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_95AF40:				; CODE XREF: HvlQueryDetailInfo(x,x,x,x)+1Dj
		push	70h		; size_t
		push	0		; int
		lea	eax, [ebp+var_90]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_90]
		push	eax
		call	_HviGetHypervisorVendorAndMaxFunction@4	; HviGetHypervisorVendorAndMaxFunction(x)
		lea	eax, [ebp+var_80]
		push	eax
		call	HviGetHypervisorInterface
		lea	eax, [ebp+var_70]
		push	eax
		call	_HviGetHypervisorVersion@4 ; HviGetHypervisorVersion(x)
		lea	eax, [ebp+var_60]
		push	eax
		call	HviGetHypervisorFeatures
		lea	eax, [ebp+var_50]
		push	eax
		call	_HviGetHardwareFeatures@4 ; HviGetHardwareFeatures(x)
		lea	eax, [ebp+var_40]
		push	eax
		call	HviGetEnlightenmentInformation
		lea	eax, [ebp+var_30]
		push	eax
		call	_HviGetImplementationLimits@4 ;	HviGetImplementationLimits(x)
		xor	edx, edx
		and	[ebp+ms_exc.disabled], edx
		push	1Ch
		pop	ecx
		lea	esi, [ebp+var_90]
		rep movsd
		jmp	short loc_95AFC1
; 

loc_95AFA7:				; DATA XREF: .text:006A7EA4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_98], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95AFB8:				; DATA XREF: .text:006A7EA8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edx, [ebp+var_98]

loc_95AFC1:				; CODE XREF: HvlQueryDetailInfo(x,x,x,x)+A6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	edx, edx
		js	loc_95AF23
		mov	eax, [ebp+var_94]
		mov	dword ptr [eax], 70h
		jmp	loc_95AF2C
_HvlQueryDetailInfo@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 713. HvlRegisterWheaErrorNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlRegisterWheaErrorNotification(x)
		public _HvlRegisterWheaErrorNotification@4
_HvlRegisterWheaErrorNotification@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, offset _HvlpWheaErrorNotificationCallback
		xor	eax, eax
		lock cmpxchg [edx], ecx
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000001h
		pop	ebp
		retn	4
_HvlRegisterWheaErrorNotification@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlSetEnlightenmentInfo(x, x, x, x)
_HvlSetEnlightenmentInfo@16 proc near	; CODE XREF: PAGE:007B414Fp

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		jz	short loc_95B018
		mov	eax, 0C0000022h
		jmp	short loc_95B037
; 

loc_95B018:				; CODE XREF: HvlSetEnlightenmentInfo(x,x,x,x)+9j
		cmp	[ebp+arg_0], 0
		jz	short loc_95B025
		mov	eax, 0C00000F0h
		jmp	short loc_95B037
; 

loc_95B025:				; CODE XREF: HvlSetEnlightenmentInfo(x,x,x,x)+16j
		cmp	ds:_HvlHypervisorConnected, 0
		jnz	short loc_95B035
		mov	eax, 0C0351000h
		jmp	short loc_95B037
; 

loc_95B035:				; CODE XREF: HvlSetEnlightenmentInfo(x,x,x,x)+26j
		xor	eax, eax

loc_95B037:				; CODE XREF: HvlSetEnlightenmentInfo(x,x,x,x)+10j
					; HvlSetEnlightenmentInfo(x,x,x,x)+1Dj	...
		pop	ebp
		retn	8
_HvlSetEnlightenmentInfo@16 endp

; 
		align 10h
; Exported entry 715. HvlUnregisterWheaErrorNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlUnregisterWheaErrorNotification(x)
		public _HvlUnregisterWheaErrorNotification@4
_HvlUnregisterWheaErrorNotification@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	edx, offset _HvlpWheaErrorNotificationCallback
		lock cmpxchg [edx], ecx
		sub	eax, [ebp+arg_0]
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000001h
		pop	ebp
		retn	4
_HvlUnregisterWheaErrorNotification@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlDeleteProcessor(x)
_HvlDeleteProcessor@4 proc near		; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+495p
					; KeStartAllProcessors+2580Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+3FCCh]
		test	ecx, ecx
		jz	short loc_95B0D0
		mov	eax, large fs:20h
		cmp	esi, eax
		jnz	short loc_95B0B1
		lea	edx, [ebp+var_8]
		mov	ecx, 90013h
		call	_HvlpGetRegister64@8 ; HvlpGetRegister64(x,x)
		mov	eax, [ebp+var_8]
		mov	ecx, 90013h
		push	[ebp+var_4]
		and	eax, 0FFFFFFFEh
		push	eax
		call	_HvlpSetRegister64@12 ;	HvlpSetRegister64(x,x,x)
		mov	ecx, [esi+3FCCh]

loc_95B0B1:				; CODE XREF: HvlDeleteProcessor(x)+25j
		test	byte ptr ds:_HvlpFlags,	2
		jnz	short loc_95B0C1
		call	_HvlpFreeOverlayPages@4	; HvlpFreeOverlayPages(x)
		jmp	short loc_95B0C9
; 

loc_95B0C1:				; CODE XREF: HvlDeleteProcessor(x)+55j
		push	1
		push	ecx
		call	MmUnmapIoSpace

loc_95B0C9:				; CODE XREF: HvlDeleteProcessor(x)+5Cj
		and	dword ptr [esi+3FCCh], 0

loc_95B0D0:				; CODE XREF: HvlDeleteProcessor(x)+1Bj
		mov	ecx, [esi+4DCh]
		test	ecx, ecx
		jz	short loc_95B0DF
		call	_HvlpFreeOverlayPages@4	; HvlpFreeOverlayPages(x)

loc_95B0DF:				; CODE XREF: HvlDeleteProcessor(x)+75j
		mov	ecx, [esi+3FC8h]
		test	ecx, ecx
		jz	short loc_95B0F3
		mov	edx, 5000h
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)

loc_95B0F3:				; CODE XREF: HvlDeleteProcessor(x)+84j
		pop	esi
		leave
		retn
_HvlDeleteProcessor@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlpCreateRootVirtualProcessor proc near ; CODE	XREF: HvlpEnableRootVirtualProcessor+21p

var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		and	[ebp+var_10], 0
		lea	edi, [ebp+var_30]
		and	[ebp+var_C], 0
		mov	ebx, ecx
		push	6
		xor	eax, eax
		mov	esi, edx
		pop	ecx
		rep stosd
		movzx	eax, word ptr [ebx+0Ch]
		lea	edx, [ebp+var_10]
		push	4Eh
		pop	ecx
		mov	[ebp+var_4], esi
		mov	eax, ds:_KeNodeBlock[eax*4]
		movzx	edi, word ptr [eax+8Ch]
		mov	eax, ds:_KeNodeBlock[edi*4]
		mov	eax, [eax+98h]
		mov	[ebp+var_8], eax
		call	_HvcallInitInputControl@8 ; HvcallInitInputControl(x,x)
		jmp	short loc_95B14C
; 

loc_95B149:				; CODE XREF: HvlpCreateRootVirtualProcessor+BEj
		mov	esi, [ebp+var_4]

loc_95B14C:				; CODE XREF: HvlpCreateRootVirtualProcessor+51j
		push	0
		mov	ecx, edi
		call	_HvlpDepositPages@12 ; HvlpDepositPages(x,x,x)
		test	eax, eax
		jnz	short loc_95B1C2
		push	20h
		xor	edx, edx
		lea	ecx, [ebp+var_30]
		push	eax
		inc	edx
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		mov	ecx, ds:_HvlPartitionId
		mov	[eax], ecx
		mov	ecx, ds:dword_70E274
		mov	[eax+4], ecx
		mov	ecx, [ebp+var_8]
		mov	[eax+10h], ecx
		mov	[eax+8], esi
		mov	dword ptr [eax+14h], 80000001h
		mov	ecx, [ebx+4]
		mov	[eax+18h], ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	[ebp+var_1C]
		mov	[eax+1Ch], ecx
		push	[ebp+var_20]
		push	[ebp+var_C]
		push	[ebp+var_10]
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		lea	ecx, [ebp+var_30]
		mov	esi, eax
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		cmp	si, 0Bh
		jz	short loc_95B149
		movzx	eax, si
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000001h

loc_95B1C2:				; CODE XREF: HvlpCreateRootVirtualProcessor+61j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
HvlpCreateRootVirtualProcessor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpDiscoverTopologyLocal(x, x, x, x)
_HvlpDiscoverTopologyLocal@16 proc near	; CODE XREF: HvlEnlightenProcessor+81A59p
					; HvlStartBootLogicalProcessors+8A6D5p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		or	ecx, 0FFFFFFFFh
		pop	ebp
		jmp	$+5
_HvlpDiscoverTopologyLocal@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HvlpDiscoverTopologyWorker proc	near	; CODE XREF: HvlpDiscoverTopologyComplete()+34p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, ds:_HvlpCpuVendor
		sub	eax, 1
		jz	short loc_95B1F1
		sub	eax, 1
		jnz	short loc_95B1F7
		pop	ebp
		jmp	_HvlpDiscoverTopologyAmd@16 ; HvlpDiscoverTopologyAmd(x,x,x,x)
; 

loc_95B1F1:				; CODE XREF: HvlpDiscoverTopologyWorker+Fj
		pop	ebp
		jmp	_HvlpDiscoverTopologyIntel@16 ;	HvlpDiscoverTopologyIntel(x,x,x,x)
; 

loc_95B1F7:				; CODE XREF: HvlpDiscoverTopologyWorker+14j
		pop	ebp
		retn	8
HvlpDiscoverTopologyWorker endp


;  S U B	R O U T	I N E 


HvlpEnableRootVirtualProcessor proc near ; CODE	XREF: HvlInitializeProcessor+A0387p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, edx
		call	HvlpGetLpcbByApicId
		test	byte ptr ds:_HvlpRootFlags, 40h
		mov	esi, eax
		jz	short loc_95B225
		mov	edx, [edi+3CCh]
		mov	ecx, esi
		call	HvlpCreateRootVirtualProcessor
		test	eax, eax
		js	short loc_95B247

loc_95B225:				; CODE XREF: HvlpEnableRootVirtualProcessor+17j
		mov	eax, [esi+1Ch]
		mov	[edi+3FD0h], eax
		mov	eax, [edi+3CCh]
		cmp	eax, [esi+4]
		mov	[esi+18h], eax
		setnz	al
		dec	al
		and	byte_6B64F0, al
		xor	eax, eax

loc_95B247:				; CODE XREF: HvlpEnableRootVirtualProcessor+28j
		pop	edi
		pop	esi
		pop	ecx
		retn
HvlpEnableRootVirtualProcessor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoEnableIrpCredits()
_IoEnableIrpCredits@0 proc near		; CODE XREF: PspInitializeQuotaBlock+850BFp

var_20		= dword	ptr -20h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		push	esi
		push	edi
		push	8
		pop	ecx
		lea	edi, [ebp+var_20]
		rep stosd
		mov	eax, _IopIrpCreditsEnabled
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jge	short loc_95B2BF
		mov	edx, offset _IopIrpCreditsEnabled
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_95B2BF
		lea	ecx, [ebp+var_20]
		call	_IopQueryProcessorInitValues@4 ; IopQueryProcessorInitValues(x)
		call	KeSynchronizeWithDynamicProcessors
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		xor	ecx, ecx
		test	eax, eax
		jz	short loc_95B2B8
		mov	esi, [ebp+var_4]

loc_95B29A:				; CODE XREF: IoEnableIrpCredits()+6Bj
		mov	edx, ds:_KiProcessorBlock[ecx*4]
		cmp	dword ptr [edx+3CE4h], 7FFFFFFFh
		jnz	short loc_95B2B8
		inc	ecx
		mov	[edx+3CE4h], esi
		cmp	ecx, eax
		jb	short loc_95B29A

loc_95B2B8:				; CODE XREF: IoEnableIrpCredits()+4Aj
					; IoEnableIrpCredits()+60j
		lock inc _IopIrpCreditsEnabled

loc_95B2BF:				; CODE XREF: IoEnableIrpCredits()+1Ej
					; IoEnableIrpCredits()+2Dj
		pop	edi
		pop	esi
		leave
		retn
_IoEnableIrpCredits@0 endp

; 
		align 8
; Exported entry 750. IoAttachDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAttachDevice(x, x, x)
		public _IoAttachDevice@12
_IoAttachDevice@12 proc	near

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, _IopCaseInsensitive
		push	esi
		xor	esi, esi
		mov	[esp+30h+var_18], 18h
		neg	eax
		mov	[esp+30h+var_28], esi
		push	80000040h
		sbb	eax, eax
		mov	[esp+34h+var_20], esi
		and	eax, 40h
		mov	[esp+34h+var_1C], esi
		add	eax, 200h
		mov	[esp+34h+var_14], esi
		mov	[esp+34h+var_C], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+34h+var_10], eax
		lea	eax, [esp+34h+var_20]
		push	esi
		push	eax
		lea	eax, [esp+3Ch+var_18]
		mov	[esp+3Ch+var_8], esi
		push	eax
		push	80h
		lea	eax, [esp+44h+var_28]
		mov	[esp+44h+var_4], esi
		push	eax
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_95B38E
		mov	eax, ds:_IoFileObjectType
		lea	ecx, [esp+30h+var_24]
		push	esi
		push	ecx
		push	esi
		push	eax
		push	esi
		push	[esp+44h+var_28]
		mov	[esp+48h+var_24], esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_95B383
		push	[esp+30h+var_24]
		call	IoGetRelatedDeviceObject
		push	[esp+30h+var_28]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		push	[ebp+arg_8]
		push	esi
		push	[ebp+arg_0]
		call	_IoAttachDeviceToDeviceStackSafe@12 ; IoAttachDeviceToDeviceStackSafe(x,x,x)
		mov	ecx, [esp+30h+var_24]
		mov	esi, eax
		call	ObfDereferenceObject
		jmp	short loc_95B38C
; 

loc_95B383:				; CODE XREF: IoAttachDevice(x,x,x)+8Cj
		push	[esp+30h+var_28]
		call	_ZwClose@4	; ZwClose(x)

loc_95B38C:				; CODE XREF: IoAttachDevice(x,x,x)+B9j
		mov	eax, esi

loc_95B38E:				; CODE XREF: IoAttachDevice(x,x,x)+6Bj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_IoAttachDevice@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 760. IoCancelFileOpen

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCancelFileOpen(x,	x)
		public _IoCancelFileOpen@8
_IoCancelFileOpen@8 proc near		; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+FF6p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+20h+var_10]
		xor	ebx, ebx
		stosd
		push	ebx
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_4]
		test	dword ptr [edi+2Ch], 40000h
		jz	short loc_95B3D0
		push	ebx
		push	[ebp+arg_0]
		push	edi
		push	0E8h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_95B3D0:				; CODE XREF: IoCancelFileOpen(x,x)+25j
		push	1
		lea	eax, [esp+38h+var_20]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		test	dword ptr [edi+2Ch], 4000000h
		lea	eax, [edi+5Ch]
		jnz	short loc_95B3EE
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_95B3EE:				; CODE XREF: IoCancelFileOpen(x,x)+4Cj
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		mov	dl, [esi+30h]
		call	IopAllocateIrpMustSucceed
		mov	ecx, large fs:124h
		mov	edx, eax
		lea	eax, [esp+30h+var_20]
		mov	[esp+30h+var_24], edx
		mov	[edx+50h], ecx
		lea	ecx, [edx+18h]
		mov	[edx+2Ch], eax
		mov	eax, [edx+60h]
		mov	[edx+28h], ecx
		mov	ecx, edx
		mov	[edx+64h], edi
		mov	[edx+20h], bl
		mov	[edx+30h], ebx
		mov	dword ptr [edx+8], 404h
		mov	byte ptr [eax-24h], 12h
		mov	[eax-0Ch], edi
		call	IopQueueThreadIrp
		push	[esp+30h+var_24]
		push	esi
		call	_PoCallDriver@8	; PoCallDriver(x,x)
		cmp	eax, 103h
		jnz	short loc_95B459
		push	ebx
		push	ebx
		push	ebx
		push	6
		lea	eax, [esp+40h+var_20]
		push	eax
		call	KeWaitForSingleObject

loc_95B459:				; CODE XREF: IoCancelFileOpen(x,x)+AEj
		mov	esi, [esp+30h+var_24]
		mov	ecx, esi
		call	IopDequeueIrpFromThread
		push	esi
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		lea	eax, [edi+5Ch]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		or	dword ptr [edi+2Ch], 200000h
		cmp	[edi+7Ch], ebx
		jz	short loc_95B486
		mov	ecx, edi
		call	_IopCloseFileObjectExtension@4 ; IopCloseFileObjectExtension(x)

loc_95B486:				; CODE XREF: IoCancelFileOpen(x,x)+E3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_IoCancelFileOpen@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 762. IoCheckDesiredAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCheckDesiredAccess(x, x)
		public _IoCheckDesiredAccess@8
_IoCheckDesiredAccess@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_IoFileObjectType
		push	esi
		mov	esi, [ebp+arg_0]
		add	eax, 34h
		push	eax
		push	esi
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	eax, [ebp+arg_4]
		not	eax
		and	eax, [esi]
		neg	eax
		pop	esi
		sbb	eax, eax
		and	eax, 0C0000022h
		pop	ebp
		retn	8
_IoCheckDesiredAccess@8	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 766. IoCheckFunctionAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCheckFunctionAccess(x, x,	x, x, x, x)
		public _IoCheckFunctionAccess@24
_IoCheckFunctionAccess@24 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	eax, [ebp+arg_4]
		xor	edx, edx
		mov	[ebp+var_4], edx
		cmp	eax, 15h	; switch 22 cases
		ja	loc_95B5DD	; default
		jmp	ds:off_95B5EA[eax*4] ; switch jump

loc_95B4E5:				; DATA XREF: PAGE:off_95B5EAo
		mov	eax, [ebp+arg_0] ; case	0x3
		not	eax
		and	al, 1

loc_95B4EC:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+95j
					; IoCheckFunctionAccess(x,x,x,x,x,x)+9Ej ...
		movzx	edx, al

loc_95B4EF:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+BFj
					; IoCheckFunctionAccess(x,x,x,x,x,x)+103j
		neg	edx
		sbb	edx, edx
		and	edx, 0C0000022h
		jmp	loc_95B5E2	; case 0x0
; 

loc_95B4FE:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+18j
					; DATA XREF: PAGE:off_95B5EAo
		mov	eax, [ebp+arg_0] ; case	0x4
		and	al, 6

loc_95B503:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+E9j
		movzx	edx, al
		neg	edx
		sbb	edx, edx
		and	edx, 3FFFFFDEh
		add	edx, 0C0000022h
		jmp	loc_95B5E2	; case 0x0
; 

loc_95B51B:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+18j
					; DATA XREF: PAGE:off_95B5EAo
		mov	eax, [ebp+arg_10] ; case 0x5
		mov	eax, [eax]
		mov	ecx, ds:_IopQueryOperationAccess[eax*4]

loc_95B527:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+8Cj
		test	ecx, ecx
		jz	loc_95B5E2	; case 0x0
		mov	eax, [ebp+arg_0]
		not	eax
		test	eax, ecx
		jz	loc_95B5E2	; case 0x0

loc_95B53C:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+E2j
		mov	edx, 0C0000022h
		jmp	loc_95B5E2	; case 0x0
; 

loc_95B546:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+18j
					; DATA XREF: PAGE:off_95B5EAo
		mov	eax, [ebp+arg_10] ; case 0x6
		mov	eax, [eax]
		mov	ecx, ds:_IopSetOperationAccess[eax*4]
		jmp	short loc_95B527
; 

loc_95B554:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+18j
					; DATA XREF: PAGE:off_95B5EAo
		mov	eax, [ebp+arg_0] ; case	0x7
		not	eax
		and	al, 8
		jmp	short loc_95B4EC
; 

loc_95B55D:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+18j
					; DATA XREF: PAGE:off_95B5EAo
		mov	eax, [ebp+arg_0] ; case	0x8
		not	eax
		and	al, 10h
		jmp	short loc_95B4EC
; 

loc_95B566:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+18j
					; DATA XREF: PAGE:off_95B5EAo
		mov	eax, [ebp+arg_0] ; case	0x9
		not	eax
		and	al, 2
		jmp	loc_95B4EC
; 

loc_95B572:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+18j
					; DATA XREF: PAGE:off_95B5EAo
		mov	eax, [ebp+arg_14] ; case 0xA
		mov	eax, [eax]
		mov	edx, ds:_IopQueryFsOperationAccess[eax*4]

loc_95B57E:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+D0j
		mov	ecx, [ebp+arg_0]
		not	ecx
		and	edx, ecx
		jmp	loc_95B4EF
; 

loc_95B58A:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+18j
					; DATA XREF: PAGE:off_95B5EAo
		mov	eax, [ebp+arg_14] ; case 0xB
		mov	eax, [eax]
		mov	edx, ds:_IopSetFsOperationAccess[eax*4]
		jmp	short loc_95B57E
; 

loc_95B598:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+18j
					; DATA XREF: PAGE:off_95B5EAo
		mov	eax, [ebp+arg_C] ; case	0xD
		shr	eax, 0Eh
		and	eax, 3
		jz	short loc_95B5E2 ; case	0x0
		test	[ebp+arg_0], eax
		jnz	short loc_95B5E2 ; case	0x0
		jmp	short loc_95B53C
; 

loc_95B5AA:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+18j
					; DATA XREF: PAGE:off_95B5EAo
		mov	eax, [ebp+arg_0] ; case	0x11
		and	al, 3
		jmp	loc_95B503
; 

loc_95B5B4:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+18j
					; DATA XREF: PAGE:off_95B5EAo
		mov	ecx, [ebp+arg_10] ; case 0x15
		lea	edx, [ebp+var_4]
		mov	ecx, [ecx]
		call	SeSetSecurityAccessMask

loc_95B5C1:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+115j
		mov	edx, [ebp+arg_0]
		not	edx
		and	edx, [ebp+var_4]
		jmp	loc_95B4EF
; 

loc_95B5CE:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+18j
					; DATA XREF: PAGE:off_95B5EAo
		mov	ecx, [ebp+arg_10] ; case 0x14
		lea	edx, [ebp+var_4]
		mov	ecx, [ecx]
		call	_SeQuerySecurityAccessMask@8 ; SeQuerySecurityAccessMask(x,x)
		jmp	short loc_95B5C1
; 

loc_95B5DD:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+12j
					; IoCheckFunctionAccess(x,x,x,x,x,x)+18j
					; DATA XREF: ...
		mov	edx, 0C0000010h	; default

loc_95B5E2:				; CODE XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+18j
					; IoCheckFunctionAccess(x,x,x,x,x,x)+33j ...
		mov	eax, edx	; case 0x0
		leave
		retn	18h
_IoCheckFunctionAccess@24 endp

; 
		db 8Bh,	0FFh
off_95B5EA	dd offset loc_95B5E2	; DATA XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+18r
		dd offset loc_95B5DD	; jump table for switch	statement
		dd offset loc_95B5E2
		dd offset loc_95B4E5
		dd offset loc_95B4FE
		dd offset loc_95B51B
		dd offset loc_95B546
		dd offset loc_95B554
		dd offset loc_95B55D
		dd offset loc_95B566
		dd offset loc_95B572
		dd offset loc_95B58A
		dd offset loc_95B4E5
		dd offset loc_95B598
		dd offset loc_95B598
		dd offset loc_95B598
		dd offset loc_95B5DD
		dd offset loc_95B5AA
		dd offset loc_95B5DD
		dd offset loc_95B5DD
		dd offset loc_95B5CE
		dd offset loc_95B5B4
		align 4
		db 3 dup(0CCh)
; Exported entry 768. IoCheckQuerySetFileInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCheckQuerySetFileInformation(x, x, x)
		public _IoCheckQuerySetFileInformation@12
_IoCheckQuerySetFileInformation@12 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	eax, 4Ch
		jnb	short loc_95B67A
		cmp	[ebp+arg_8], 0
		mov	ecx, (offset loc_A3F6DB+5)
		jnz	short loc_95B664
		mov	ecx, offset _IopQueryOperationLength

loc_95B664:				; CODE XREF: IoCheckQuerySetFileInformation(x,x,x)+16j
		mov	al, [ecx+eax]
		test	al, al
		jz	short loc_95B67A
		movsx	eax, al
		cmp	[ebp+arg_4], eax
		sbb	eax, eax
		and	eax, 0C0000004h
		jmp	short loc_95B67F
; 

loc_95B67A:				; CODE XREF: IoCheckQuerySetFileInformation(x,x,x)+Bj
					; IoCheckQuerySetFileInformation(x,x,x)+22j
		mov	eax, 0C0000003h

loc_95B67F:				; CODE XREF: IoCheckQuerySetFileInformation(x,x,x)+31j
		pop	ebp
		retn	0Ch
_IoCheckQuerySetFileInformation@12 endp

; 
		align 8
; Exported entry 769. IoCheckQuerySetVolumeInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCheckQuerySetVolumeInformation(x,	x, x)
		public _IoCheckQuerySetVolumeInformation@12
_IoCheckQuerySetVolumeInformation@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 0
		mov	eax, offset _IopSetFsOperationLength
		jnz	short loc_95B69D
		mov	eax, offset _IopQueryFsOperationLength

loc_95B69D:				; CODE XREF: IoCheckQuerySetVolumeInformation(x,x,x)+Ej
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 0Fh
		jnb	short loc_95B6BB
		mov	al, [eax+ecx]
		test	al, al
		jz	short loc_95B6BB
		movsx	eax, al
		cmp	[ebp+arg_4], eax
		sbb	eax, eax
		and	eax, 0C0000004h
		jmp	short loc_95B6C0
; 

loc_95B6BB:				; CODE XREF: IoCheckQuerySetVolumeInformation(x,x,x)+1Bj
					; IoCheckQuerySetVolumeInformation(x,x,x)+22j
		mov	eax, 0C0000003h

loc_95B6C0:				; CODE XREF: IoCheckQuerySetVolumeInformation(x,x,x)+31j
		pop	ebp
		retn	0Ch
_IoCheckQuerySetVolumeInformation@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 770. IoCheckQuotaBufferValidity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCheckQuotaBufferValidity(x, x, x)
		public _IoCheckQuotaBufferValidity@12
_IoCheckQuotaBufferValidity@12 proc near
					; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+251p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	edi, 7FFFFFFFh
		jbe	short loc_95B6E5
		mov	eax, 80000014h
		jmp	short loc_95B6F0
; 

loc_95B6E5:				; CODE XREF: IoCheckQuotaBufferValidity(x,x,x)+13j
		test	byte ptr [ebp+arg_0], 3
		jz	short loc_95B6F8
		mov	eax, 80000002h

loc_95B6F0:				; CODE XREF: IoCheckQuotaBufferValidity(x,x,x)+1Aj
		mov	ecx, [ebp+arg_8]
		and	dword ptr [ecx], 0
		jmp	short loc_95B747
; 

loc_95B6F8:				; CODE XREF: IoCheckQuotaBufferValidity(x,x,x)+20j
		push	ebx
		jmp	short loc_95B734
; 

loc_95B6FB:				; CODE XREF: IoCheckQuotaBufferValidity(x,x,x)+6Ej
		lea	ebx, [esi+28h]
		push	ebx
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	short loc_95B739
		push	ebx
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		lea	ecx, [eax+28h]
		cmp	edi, ecx
		jb	short loc_95B739
		cmp	[esi+4], eax
		jnz	short loc_95B739
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_95B74D
		cmp	ecx, eax
		ja	short loc_95B739
		test	al, 3
		jnz	short loc_95B739
		test	eax, eax
		js	short loc_95B739
		cmp	edi, eax
		jb	short loc_95B739
		sub	edi, eax
		add	esi, eax

loc_95B734:				; CODE XREF: IoCheckQuotaBufferValidity(x,x,x)+30j
		cmp	edi, 34h
		jnb	short loc_95B6FB

loc_95B739:				; CODE XREF: IoCheckQuotaBufferValidity(x,x,x)+3Dj
					; IoCheckQuotaBufferValidity(x,x,x)+4Aj ...
		mov	eax, [ebp+arg_8]
		sub	esi, [ebp+arg_0]
		mov	[eax], esi
		mov	eax, 0C0000266h

loc_95B746:				; CODE XREF: IoCheckQuotaBufferValidity(x,x,x)+86j
		pop	ebx

loc_95B747:				; CODE XREF: IoCheckQuotaBufferValidity(x,x,x)+2Dj
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_95B74D:				; CODE XREF: IoCheckQuotaBufferValidity(x,x,x)+55j
		xor	eax, eax
		jmp	short loc_95B746
_IoCheckQuotaBufferValidity@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 773. IoCheckShareAccessEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCheckShareAccessEx(x, x, x, x, x,	x)
		public _IoCheckShareAccessEx@24
_IoCheckShareAccessEx@24 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_14]
		xor	eax, eax
		cmp	[ebp+arg_10], al
		setnz	al
		test	ecx, ecx
		jz	short loc_95B776
		cmp	byte ptr [ecx],	0
		jnz	short loc_95B776
		mov	ecx, 80000000h
		jmp	short loc_95B778
; 

loc_95B776:				; CODE XREF: IoCheckShareAccessEx(x,x,x,x,x,x)+12j
					; IoCheckShareAccessEx(x,x,x,x,x,x)+17j
		xor	ecx, ecx

loc_95B778:				; CODE XREF: IoCheckShareAccessEx(x,x,x,x,x,x)+1Ej
		or	eax, ecx
		push	eax
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	IoCheckLinkShareAccess
		pop	ebp
		retn	18h
_IoCheckShareAccessEx@24 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 784. IoConvertFileHandleToKernelHandle

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoConvertFileHandleToKernelHandle(x, x, x, x, x)
		public _IoConvertFileHandleToKernelHandle@20
_IoConvertFileHandleToKernelHandle@20 proc near	; CODE XREF: CmpNameFromAttributes+180E76p
					; IopOpenLinkOrRenameTarget+11FA01p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[eax], edi
		test	esi, esi
		jnz	short loc_95B7C0
		xor	eax, eax
		jmp	loc_95B881
; 

loc_95B7C0:				; CODE XREF: IoConvertFileHandleToKernelHandle(x,x,x,x,x)+20j
		mov	eax, ds:_IoFileObjectType
		lea	ecx, [ebp+var_C]
		push	ecx
		lea	ecx, [ebp+arg_0]
		mov	[ebp+arg_0], edi
		push	ecx
		push	[ebp+arg_4]
		push	eax
		push	edi
		push	esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_95B881
		cmp	byte ptr [ebp+arg_C], 0
		jnz	short loc_95B7FE
		mov	eax, [ebp+var_8]
		and	eax, [ebp+arg_8]
		cmp	eax, [ebp+arg_8]
		jz	short loc_95B7FE
		mov	ebx, [ebp+arg_0]
		mov	esi, 0C0000022h
		jmp	short loc_95B878
; 

loc_95B7FE:				; CODE XREF: IoConvertFileHandleToKernelHandle(x,x,x,x,x)+50j
					; IoConvertFileHandleToKernelHandle(x,x,x,x,x)+5Bj
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		push	edi
		push	edi
		push	200h
		push	[ebp+arg_8]
		mov	eax, [eax+80h]
		push	ecx
		push	ds:_PsInitialSystemProcess
		push	esi
		push	eax
		call	ObDuplicateObject
		mov	ebx, [ebp+arg_0]
		mov	esi, eax
		test	esi, esi
		js	short loc_95B878
		mov	eax, ds:_IoFileObjectType
		lea	ecx, [ebp+arg_C]
		push	edi
		push	ecx
		push	edi
		push	eax
		push	edi
		mov	[ebp+arg_C], edi
		mov	edi, [ebp+var_4]
		push	edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_95B857
		push	0
		push	edi
		call	ObCloseHandle
		jmp	short loc_95B878
; 

loc_95B857:				; CODE XREF: IoConvertFileHandleToKernelHandle(x,x,x,x,x)+B4j
		cmp	[ebp+arg_C], ebx
		jz	short loc_95B86B
		push	0
		push	edi
		mov	esi, 0C0000024h
		call	ObCloseHandle
		jmp	short loc_95B870
; 

loc_95B86B:				; CODE XREF: IoConvertFileHandleToKernelHandle(x,x,x,x,x)+C3j
		mov	eax, [ebp+arg_10]
		mov	[eax], edi

loc_95B870:				; CODE XREF: IoConvertFileHandleToKernelHandle(x,x,x,x,x)+D2j
		mov	ecx, [ebp+arg_C]
		call	ObfDereferenceObject

loc_95B878:				; CODE XREF: IoConvertFileHandleToKernelHandle(x,x,x,x,x)+65j
					; IoConvertFileHandleToKernelHandle(x,x,x,x,x)+95j ...
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, esi

loc_95B881:				; CODE XREF: IoConvertFileHandleToKernelHandle(x,x,x,x,x)+24j
					; IoConvertFileHandleToKernelHandle(x,x,x,x,x)+46j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_IoConvertFileHandleToKernelHandle@20 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 785. IoCopyDeviceObjectHint

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCopyDeviceObjectHint(x, x)
		public _IoCopyDeviceObjectHint@8
_IoCopyDeviceObjectHint@8 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		push	esi
		xor	esi, esi
		inc	edx
		push	esi
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_95B8B0
		mov	eax, 0C0000001h
		jmp	short loc_95B8E7
; 

loc_95B8B0:				; CODE XREF: IoCopyDeviceObjectHint(x,x)+1Aj
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	edi
		push	esi
		inc	edx
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_95B8E4
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	esi		; int
		push	eax		; int
		push	1		; char
		xor	edx, edx
		push	10h		; size_t
		inc	edx
		call	IopGetSetSpecificExtension
		mov	esi, eax
		test	esi, esi
		jnz	short loc_95B8E4
		mov	ecx, [ebp+var_4]
		mov	edx, [edi]
		mov	[ecx], edx

loc_95B8E4:				; CODE XREF: IoCopyDeviceObjectHint(x,x)+34j
					; IoCopyDeviceObjectHint(x,x)+4Ej
		mov	eax, esi
		pop	edi

loc_95B8E7:				; CODE XREF: IoCopyDeviceObjectHint(x,x)+21j
		pop	esi
		leave
		retn	8
_IoCopyDeviceObjectHint@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 796. IoCreateStreamFileObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCreateStreamFileObject(x,	x)
		public _IoCreateStreamFileObject@8
_IoCreateStreamFileObject@8 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		xor	ecx, ecx
		push	8
		inc	eax
		mov	[ebp+var_C], ecx
		mov	word ptr [ebp+var_C+2],	ax
		pop	eax
		push	ecx
		mov	word ptr [ebp+var_C], ax
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ebp+var_C]
		mov	[ebp+var_4], ecx
		push	[ebp+arg_0]
		mov	[ebp+var_8], ecx
		push	eax
		call	IoCreateStreamFileObjectEx2
		mov	eax, [ebp+var_4]
		leave
		retn	8
_IoCreateStreamFileObject@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 801. IoCreateSynchronizationEvent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCreateSynchronizationEvent(x, x)
		public _IoCreateSynchronizationEvent@8
_IoCreateSynchronizationEvent@8	proc near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, [ebp+arg_0]
		push	esi
		push	1
		mov	[esp+2Ch+var_10], eax
		xor	esi, esi
		push	1
		lea	eax, [esp+30h+var_18]
		mov	[esp+30h+var_20], esi
		push	eax
		push	1F0003h
		lea	eax, [esp+38h+var_20]
		mov	[esp+38h+var_18], 18h
		push	eax
		mov	[esp+3Ch+var_14], esi
		mov	[esp+3Ch+var_C], 280h
		mov	[esp+3Ch+var_8], esi
		mov	[esp+3Ch+var_4], esi
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		test	eax, eax
		jns	short loc_95B987
		xor	eax, eax
		jmp	short loc_95B9B8
; 

loc_95B987:				; CODE XREF: IoCreateSynchronizationEvent(x,x)+4Fj
		push	esi
		lea	eax, [esp+2Ch+var_1C]
		mov	[esp+2Ch+var_1C], esi
		push	eax
		push	esi
		push	ds:_ExEventObjectType
		push	esi
		push	[esp+3Ch+var_20]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [esp+28h+var_1C]
		call	ObfDereferenceObject
		mov	edx, [ebp+arg_4]
		mov	ecx, [esp+28h+var_20]
		mov	eax, [esp+28h+var_1C]
		mov	[edx], ecx

loc_95B9B8:				; CODE XREF: IoCreateSynchronizationEvent(x,x)+53j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
_IoCreateSynchronizationEvent@8	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 803. IoCreateUnprotectedSymbolicLink

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCreateUnprotectedSymbolicLink(x, x)
		public _IoCreateUnprotectedSymbolicLink@8
_IoCreateUnprotectedSymbolicLink@8 proc	near

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		push	esi
		push	[ebp+arg_4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	0F0001h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ecx
		push	eax
		mov	[ebp+var_1C], 18h
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], 250h
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		call	_ZwCreateSymbolicLinkObject@16 ; ZwCreateSymbolicLinkObject(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_95BA12
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_95BA12:				; CODE XREF: IoCreateUnprotectedSymbolicLink(x,x)+44j
		mov	eax, esi
		pop	esi
		leave
		retn	8
_IoCreateUnprotectedSymbolicLink@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 813. IoDeleteDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoDeleteDriver(x)
		public _IoDeleteDriver@4
_IoDeleteDriver@4 proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+72Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		lea	ecx, [esi+1Ch]
		call	EtwTiLogDriverObjectUnLoad
		mov	ecx, esi
		call	ObfDereferenceObject
		pop	esi
		pop	ebp
		retn	4
_IoDeleteDriver@4 endp

; 
		align 10h
; Exported entry 823. IoEnqueueIrp

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoEnqueueIrp(x)
		public _IoEnqueueIrp@4
_IoEnqueueIrp@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	IopQueueThreadIrp
		pop	ebp
		retn	4
_IoEnqueueIrp@4	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 826. IoFastQueryNetworkAttributes

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoFastQueryNetworkAttributes(x, x, x, x, x)
		public _IoFastQueryNetworkAttributes@20
_IoFastQueryNetworkAttributes@20 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		sub	esp, 0Ch
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_10]
		mov	al, [eax+15Ah]
		push	[ebp+arg_C]
		mov	byte ptr [ebp+var_4], al
		push	[ebp+arg_8]
		push	[ebp+var_4]
		call	_IopFastQueryNetworkAttributes@36 ; IopFastQueryNetworkAttributes(x,x,x,x,x,x,x,x,x)
		leave
		retn	14h
_IoFastQueryNetworkAttributes@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 845. IoGetBootDiskInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetBootDiskInformation(x,	x)
		public _IoGetBootDiskInformation@8
_IoGetBootDiskInformation@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_InitializationPhase, 2
		jb	short loc_95BAA3
		mov	eax, 0C0000189h
		jmp	short loc_95BAAE
; 

loc_95BAA3:				; CODE XREF: IoGetBootDiskInformation(x,x)+Cj
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_IopGetBootDiskInformation@8 ; IopGetBootDiskInformation(x,x)

loc_95BAAE:				; CODE XREF: IoGetBootDiskInformation(x,x)+13j
		pop	ebp
		retn	8
_IoGetBootDiskInformation@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 869. IoGetInitialStack

;  S U B	R O U T	I N E 


; __stdcall IoGetInitialStack()
		public _IoGetInitialStack@0
_IoGetInitialStack@0 proc near
		mov	eax, large fs:124h
		mov	eax, [eax+20h]
		retn
_IoGetInitialStack@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 941. IoRegisterFsRegistrationChange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRegisterFsRegistrationChange(x, x)
		public _IoRegisterFsRegistrationChange@8
_IoRegisterFsRegistrationChange@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	IoRegisterFsRegistrationChangeMountAware
		pop	ebp
		retn	8
_IoRegisterFsRegistrationChange@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 952. IoRemoveLinkShareAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRemoveLinkShareAccess(x, x, x)
		public _IoRemoveLinkShareAccess@12
_IoRemoveLinkShareAccess@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_IoRemoveLinkShareAccessEx@16 ;	IoRemoveLinkShareAccessEx(x,x,x,x)
		pop	ebp
		retn	0Ch
_IoRemoveLinkShareAccess@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 955. IoReplaceFileObjectName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IoReplaceFileObjectName(int,void *,__int16)
		public _IoReplaceFileObjectName@12
_IoReplaceFileObjectName@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	di, [ebp+arg_8]
		movzx	eax, word ptr [ebx+32h]
		mov	ecx, eax
		cmp	di, ax
		jbe	short loc_95BB70
		push	38h
		pop	esi
		cmp	di, si
		jb	short loc_95BB36
		push	78h
		pop	esi
		cmp	di, si
		jb	short loc_95BB36
		mov	esi, 0F8h
		cmp	di, si
		jb	short loc_95BB36
		movzx	esi, di

loc_95BB36:				; CODE XREF: IoReplaceFileObjectName(x,x,x)+20j
					; IoReplaceFileObjectName(x,x,x)+28j ...
		push	6D4E6F49h
		movzx	eax, si
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	dword ptr [ebp+arg_8], eax
		test	eax, eax
		jnz	short loc_95BB54
		mov	eax, 0C000009Ah
		jmp	short loc_95BB96
; 

loc_95BB54:				; CODE XREF: IoReplaceFileObjectName(x,x,x)+4Cj
		mov	eax, [ebx+34h]
		test	eax, eax
		jz	short loc_95BB63
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95BB63:				; CODE XREF: IoReplaceFileObjectName(x,x,x)+5Aj
		mov	eax, dword ptr [ebp+arg_8]
		mov	[ebx+34h], eax
		mov	[ebx+32h], si
		movzx	ecx, si

loc_95BB70:				; CODE XREF: IoReplaceFileObjectName(x,x,x)+18j
		movzx	eax, cx
		push	eax		; size_t
		push	0		; int
		push	dword ptr [ebx+34h] ; void *
		mov	[ebx+30h], di
		call	_memset
		movzx	eax, di
		push	eax		; size_t
		push	[ebp+arg_4]	; void *
		push	dword ptr [ebx+34h] ; void *
		call	_memcpy
		add	esp, 18h
		xor	eax, eax

loc_95BB96:				; CODE XREF: IoReplaceFileObjectName(x,x,x)+53j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_IoReplaceFileObjectName@12 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 983. IoSetFileObjectIgnoreSharing

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetFileObjectIgnoreSharing(x)
		public _IoSetFileObjectIgnoreSharing@4
_IoSetFileObjectIgnoreSharing@4	proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], 0
		call	IopAllocateFileObjectExtension
		test	eax, eax
		js	short locret_95BBC3
		mov	eax, [ebp+var_4]
		or	dword ptr [eax], 1
		xor	eax, eax

locret_95BBC3:				; CODE XREF: IoSetFileObjectIgnoreSharing(x)+17j
		leave
		retn	4
_IoSetFileObjectIgnoreSharing@4	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 990. IoSetInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetInformation(x,	x, x, x)
		public _IoSetInformation@16
_IoSetInformation@16 proc near		; CODE XREF: MiAttemptPageFileReduction(x)+F1p
					; MiAttemptPageFileExtension(x,x,x)+126p

var_28		= byte ptr -28h
var_27		= byte ptr -27h
var_26		= dword	ptr -26h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+38h+var_10]
		stosd
		xor	ebx, ebx
		mov	[esp+38h+var_18], ebx
		mov	[esp+38h+var_14], ebx
		mov	[esp+38h+var_1C], ebx
		stosd
		mov	[esp+38h+var_28], bl
		mov	byte ptr [esp+38h+var_26+1], bl
		stosd
		stosd
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [edi+2Ch]
		test	al, 2
		jz	short loc_95BC83
		shr	eax, 2
		and	al, 1
		mov	bl, al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		lea	ecx, [edi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		xor	edx, edx
		mov	byte ptr [esp+38h+var_26], 0
		inc	edx
		lea	ecx, [edi+44h]
		xchg	edx, [ecx]
		test	edx, edx
		jnz	short loc_95BC5C
		test	eax, eax
		jz	short loc_95BC45
		or	byte ptr [eax+0Eh], 1

loc_95BC45:				; CODE XREF: IoSetInformation(x,x,x,x)+73j
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_95BC4C:				; CODE XREF: IoSetInformation(x,x,x,x)+A7j
		lea	eax, [edi+5Ch]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	[esp+38h+var_27], 1
		jmp	short loc_95BC94
; 

loc_95BC5C:				; CODE XREF: IoSetInformation(x,x,x,x)+6Fj
		lea	ecx, [esp+38h+var_26]
		xor	dl, dl
		push	ecx
		push	eax
		push	ebx
		mov	ecx, edi
		call	IopWaitAndAcquireFileObjectLock
		mov	esi, eax
		cmp	byte ptr [esp+38h+var_26], 0
		jz	short loc_95BC4C
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, esi
		jmp	loc_95BEF7
; 

loc_95BC83:				; CODE XREF: IoSetInformation(x,x,x,x)+3Dj
		push	ebx
		push	1
		lea	eax, [esp+40h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[esp+38h+var_27], bl

loc_95BC94:				; CODE XREF: IoSetInformation(x,x,x,x)+8Ej
		push	edi
		call	IoGetRelatedDeviceObject
		mov	ebx, [ebp+arg_4]
		mov	ecx, eax
		mov	[esp+38h+var_20], ecx
		cmp	ebx, 38h
		jnz	short loc_95BCB1
		push	0Ah

loc_95BCAA:				; CODE XREF: IoSetInformation(x,x,x,x)+ECj
					; IoSetInformation(x,x,x,x)+F5j ...
		mov	[esp+3Ch+var_28], 1
		jmp	short loc_95BCD8
; 

loc_95BCB1:				; CODE XREF: IoSetInformation(x,x,x,x)+DAj
		cmp	ebx, 42h
		jnz	short loc_95BCBA
		push	41h
		jmp	short loc_95BCAA
; 

loc_95BCBA:				; CODE XREF: IoSetInformation(x,x,x,x)+E8j
		cmp	ebx, 39h
		jnz	short loc_95BCC3
		push	0Bh
		jmp	short loc_95BCAA
; 

loc_95BCC3:				; CODE XREF: IoSetInformation(x,x,x,x)+F1j
		cmp	ebx, 49h
		jnz	short loc_95BCCC
		push	48h
		jmp	short loc_95BCAA
; 

loc_95BCCC:				; CODE XREF: IoSetInformation(x,x,x,x)+FAj
		cmp	ebx, 4Bh
		jnz	short loc_95BCD9
		push	47h
		mov	byte ptr [esp+3Ch+var_26+1], 1

loc_95BCD8:				; CODE XREF: IoSetInformation(x,x,x,x)+E3j
		pop	ebx

loc_95BCD9:				; CODE XREF: IoSetInformation(x,x,x,x)+103j
		mov	al, [esp+38h+var_27]
		push	dword ptr [ebp+4]
		mov	dl, [ecx+30h]
		xor	al, 1
		movzx	eax, al
		push	eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		test	esi, esi
		jnz	short loc_95BD07
		xor	edx, edx
		mov	ecx, edi
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		mov	eax, 0C000009Ah
		jmp	loc_95BEF7
; 

loc_95BD07:				; CODE XREF: IoSetInformation(x,x,x,x)+126j
		cmp	[esp+38h+var_27], 0
		mov	eax, large fs:124h
		mov	[esi+64h], edi
		mov	[esi+50h], eax
		mov	byte ptr [esi+20h], 0
		jz	short loc_95BD26
		or	byte ptr [esi+27h], 2
		xor	eax, eax
		jmp	short loc_95BD31
; 

loc_95BD26:				; CODE XREF: IoSetInformation(x,x,x,x)+150j
		mov	dword ptr [esi+8], 4
		lea	eax, [esp+38h+var_10]

loc_95BD31:				; CODE XREF: IoSetInformation(x,x,x,x)+158j
		mov	[esi+2Ch], eax
		lea	eax, [esp+38h+var_18]
		mov	ecx, [esi+60h]
		sub	ecx, 24h
		mov	[esi+28h], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+38h+var_26+2], ecx
		mov	byte ptr [ecx],	6
		mov	[ecx+18h], edi
		or	dword ptr [esi+8], 10h
		cmp	[esp+38h+var_28], 0
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+4], eax
		mov	[ecx+8], ebx
		jnz	short loc_95BD6C
		cmp	byte ptr [esp+38h+var_26+1], 0
		jz	short loc_95BD70

loc_95BD6C:				; CODE XREF: IoSetInformation(x,x,x,x)+197j
		or	byte ptr [ecx+2], 1

loc_95BD70:				; CODE XREF: IoSetInformation(x,x,x,x)+19Ej
		mov	ecx, esi
		call	IopQueueThreadIrp
		cmp	ebx, 10h
		jnz	short loc_95BDD2
		mov	eax, [edi+2Ch]
		mov	ecx, [ebp+arg_C]
		test	al, 8
		jnz	short loc_95BD95
		test	byte ptr [ecx],	2
		jz	short loc_95BD8F
		or	eax, ebx
		jmp	short loc_95BD92
; 

loc_95BD8F:				; CODE XREF: IoSetInformation(x,x,x,x)+1BDj
		and	eax, 0FFFFFFEFh

loc_95BD92:				; CODE XREF: IoSetInformation(x,x,x,x)+1C1j
		mov	[edi+2Ch], eax

loc_95BD95:				; CODE XREF: IoSetInformation(x,x,x,x)+1B8j
		test	byte ptr [ecx],	4
		jz	short loc_95BD9F
		or	eax, 20h
		jmp	short loc_95BDA2
; 

loc_95BD9F:				; CODE XREF: IoSetInformation(x,x,x,x)+1CCj
		and	eax, 0FFFFFFDFh

loc_95BDA2:				; CODE XREF: IoSetInformation(x,x,x,x)+1D1j
		mov	[edi+2Ch], eax
		mov	ecx, [ecx]
		test	cl, 2
		jz	short loc_95BDBC
		test	cl, 10h
		jz	short loc_95BDB6
		or	eax, 4
		jmp	short loc_95BDB9
; 

loc_95BDB6:				; CODE XREF: IoSetInformation(x,x,x,x)+1E3j
		and	eax, 0FFFFFFFBh

loc_95BDB9:				; CODE XREF: IoSetInformation(x,x,x,x)+1E8j
		mov	[edi+2Ch], eax

loc_95BDBC:				; CODE XREF: IoSetInformation(x,x,x,x)+1DEj
		add	dword ptr [esi+60h], 0FFFFFFDCh
		xor	ebx, ebx
		and	[esi+18h], ebx
		and	[esi+1Ch], ebx
		dec	byte ptr [esi+23h]
		xor	dl, dl
		jmp	loc_95BE6C
; 

loc_95BDD2:				; CODE XREF: IoSetInformation(x,x,x,x)+1AEj
		cmp	ebx, 0Ah
		jz	short loc_95BE0E
		cmp	ebx, 41h
		jz	short loc_95BE0E
		cmp	ebx, 0Bh
		jz	short loc_95BE0E
		cmp	ebx, 48h
		jz	short loc_95BE0E
		cmp	ebx, 1Fh
		jz	short loc_95BE13
		cmp	ebx, 45h
		jnz	loc_95BE75
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_C]
		mov	ecx, edi
		call	_IopSetFileMemoryPartitionInformation@12 ; IopSetFileMemoryPartitionInformation(x,x,x)
		and	dword ptr [esi+1Ch], 0
		mov	ebx, eax
		mov	[esi+18h], ebx
		xor	dl, dl
		jmp	short loc_95BE65
; 

loc_95BE0E:				; CODE XREF: IoSetInformation(x,x,x,x)+209j
					; IoSetInformation(x,x,x,x)+20Ej ...
		cmp	ebx, 1Fh
		jnz	short loc_95BE21

loc_95BE13:				; CODE XREF: IoSetInformation(x,x,x,x)+21Dj
		mov	eax, [ebp+arg_C]
		mov	ecx, [esp+38h+var_26+2]
		mov	eax, [eax]
		mov	[ecx+10h], eax
		jmp	short loc_95BE40
; 

loc_95BE21:				; CODE XREF: IoSetInformation(x,x,x,x)+245j
		cmp	ebx, 41h
		jz	short loc_95BE32
		cmp	ebx, 48h
		jz	short loc_95BE32
		mov	eax, [ebp+arg_C]
		mov	al, [eax]
		jmp	short loc_95BE39
; 

loc_95BE32:				; CODE XREF: IoSetInformation(x,x,x,x)+258j
					; IoSetInformation(x,x,x,x)+25Dj
		mov	eax, [ebp+arg_C]
		mov	al, [eax]
		and	al, 1

loc_95BE39:				; CODE XREF: IoSetInformation(x,x,x,x)+264j
		mov	ecx, [esp+38h+var_26+2]
		mov	[ecx+10h], al

loc_95BE40:				; CODE XREF: IoSetInformation(x,x,x,x)+253j
		mov	eax, [ebp+arg_C]
		cmp	word ptr [eax+0Ch], 5Ch
		jz	short loc_95BE50
		cmp	dword ptr [eax+4], 0
		jz	short loc_95BE75

loc_95BE50:				; CODE XREF: IoSetInformation(x,x,x,x)+27Cj
		push	edi
		push	eax
		mov	edx, esi
		lea	ecx, [esp+40h+var_1C]
		call	IopOpenLinkOrRenameTarget
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_95BE75
		mov	dl, 2

loc_95BE65:				; CODE XREF: IoSetInformation(x,x,x,x)+240j
		dec	byte ptr [esi+23h]
		add	dword ptr [esi+60h], 0FFFFFFDCh

loc_95BE6C:				; CODE XREF: IoSetInformation(x,x,x,x)+201j
		mov	ecx, esi
		call	IofCompleteRequest
		jmp	short loc_95BE82
; 

loc_95BE75:				; CODE XREF: IoSetInformation(x,x,x,x)+222j
					; IoSetInformation(x,x,x,x)+282j ...
		mov	ecx, [esp+38h+var_20]
		mov	edx, esi
		call	IofCallDriver
		mov	ebx, eax

loc_95BE82:				; CODE XREF: IoSetInformation(x,x,x,x)+2A7j
		cmp	[esp+38h+var_27], 0
		jz	short loc_95BEC7
		cmp	ebx, 103h
		jnz	short loc_95BEBE
		mov	eax, [edi+2Ch]
		lea	ebx, [edi+5Ch]
		shr	eax, 2
		xor	ecx, ecx
		push	ecx
		and	al, 1
		movzx	eax, al
		push	eax
		push	ecx
		push	ecx
		push	ebx
		call	KeWaitForSingleObject
		cmp	eax, 101h
		jnz	short loc_95BEBB
		mov	edx, esi
		mov	ecx, ebx
		call	_IopCancelAlertedRequest@8 ; IopCancelAlertedRequest(x,x)

loc_95BEBB:				; CODE XREF: IoSetInformation(x,x,x,x)+2E4j
		mov	ebx, [edi+1Ch]

loc_95BEBE:				; CODE XREF: IoSetInformation(x,x,x,x)+2C3j
		mov	ecx, edi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)
		jmp	short loc_95BEE3
; 

loc_95BEC7:				; CODE XREF: IoSetInformation(x,x,x,x)+2BBj
		cmp	ebx, 103h
		jnz	short loc_95BEE3
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+48h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	ebx, [esp+38h+var_18]

loc_95BEE3:				; CODE XREF: IoSetInformation(x,x,x,x)+2F9j
					; IoSetInformation(x,x,x,x)+301j
		cmp	[esp+38h+var_1C], 0
		jz	short loc_95BEF5
		push	0
		push	[esp+3Ch+var_1C]
		call	ObCloseHandle

loc_95BEF5:				; CODE XREF: IoSetInformation(x,x,x,x)+31Cj
		mov	eax, ebx

loc_95BEF7:				; CODE XREF: IoSetInformation(x,x,x,x)+B2j
					; IoSetInformation(x,x,x,x)+136j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_IoSetInformation@16 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1002. IoSetShareAccessEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetShareAccessEx(x, x, x,	x, x)
		public _IoSetShareAccessEx@20
_IoSetShareAccessEx@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_95BF1D
		cmp	byte ptr [eax],	0
		jnz	short loc_95BF1D
		mov	eax, 80000000h
		jmp	short loc_95BF1F
; 

loc_95BF1D:				; CODE XREF: IoSetShareAccessEx(x,x,x,x,x)+Aj
					; IoSetShareAccessEx(x,x,x,x,x)+Fj
		xor	eax, eax

loc_95BF1F:				; CODE XREF: IoSetShareAccessEx(x,x,x,x,x)+16j
		push	eax
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_IoSetLinkShareAccess@24 ; IoSetLinkShareAccess(x,x,x,x,x,x)
		pop	ebp
		retn	14h
_IoSetShareAccessEx@20 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1004. IoSetSystemPartition

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetSystemPartition(x)
		public _IoSetSystemPartition@4
_IoSetSystemPartition@4	proc near

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= word ptr -20h
var_1E		= word ptr -1Eh
var_1C		= word ptr -1Ch
var_1A		= word ptr -1Ah
var_18		= word ptr -18h
var_16		= word ptr -16h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= word ptr -10h
var_E		= word ptr -0Eh
var_C		= word ptr -0Ch
var_A		= word ptr -0Ah
var_8		= word ptr -8
var_6		= word ptr -6
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [esp+58h+var_44]
		push	esi
		push	edi
		xor	esi, esi
		push	offset ??_C@_1DC@GKOJGBFO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@
		push	eax
		mov	[esp+68h+var_50], esi
		mov	[esp+68h+var_4C], esi
		mov	[esp+68h+var_44], esi
		mov	[esp+68h+var_40], esi
		mov	[esp+68h+var_48], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+60h+var_44]
		mov	[esp+60h+var_54], esi
		mov	[esp+60h+var_34], eax
		lea	eax, [esp+60h+var_3C]
		push	eax
		push	0F003Fh
		lea	eax, [esp+68h+var_54]
		mov	[esp+68h+var_3C], 18h
		push	eax
		mov	[esp+6Ch+var_38], esi
		mov	[esp+6Ch+var_30], 240h
		mov	[esp+6Ch+var_2C], esi
		mov	[esp+6Ch+var_28], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_95C0D7
		push	53h
		pop	eax
		push	65h
		mov	word ptr [esp+64h+var_24], ax
		lea	ecx, [esp+64h+var_48]
		pop	eax
		push	74h
		mov	word ptr [esp+64h+var_24+2], ax
		pop	eax
		push	75h
		mov	edx, [esp+64h+var_54]
		mov	[esp+64h+var_20], ax
		pop	eax
		push	70h
		mov	[esp+64h+var_1E], ax
		pop	eax
		mov	[esp+60h+var_1C], ax
		xor	eax, eax
		push	0Ch
		mov	[esp+64h+var_1A], ax
		pop	eax
		push	0Ah
		mov	word ptr [esp+64h+var_50+2], ax
		pop	eax
		push	esi
		mov	word ptr [esp+64h+var_50], ax
		lea	eax, [esp+64h+var_24]
		push	esi
		mov	[esp+68h+var_4C], eax
		lea	eax, [esp+68h+var_50]
		push	0F003Fh
		push	eax
		call	IopCreateRegistryKeyEx
		mov	edi, eax
		test	edi, edi
		js	loc_95C0D3
		push	53h
		pop	eax
		push	79h
		mov	word ptr [esp+64h+var_24], ax
		pop	eax
		push	73h
		mov	word ptr [esp+64h+var_24+2], ax
		pop	eax
		push	74h
		pop	ecx
		push	65h
		mov	[esp+64h+var_20], ax
		pop	eax
		push	6Dh
		mov	[esp+64h+var_1C], ax
		pop	eax
		push	50h
		mov	[esp+64h+var_1A], ax
		pop	eax
		push	61h
		mov	[esp+64h+var_18], ax
		pop	eax
		push	72h
		mov	[esp+64h+var_16], ax
		pop	eax
		push	69h
		mov	[esp+64h+var_14], ax
		pop	eax
		push	6Fh
		mov	[esp+64h+var_10], ax
		mov	[esp+64h+var_C], ax
		pop	eax
		push	6Eh
		mov	[esp+64h+var_A], ax
		pop	eax
		push	20h
		mov	[esp+64h+var_8], ax
		xor	eax, eax
		mov	[esp+64h+var_6], ax
		pop	eax
		push	1Eh
		mov	word ptr [esp+64h+var_50+2], ax
		pop	eax
		mov	word ptr [esp+60h+var_50], ax
		movzx	eax, word ptr [ebx]
		add	eax, 2
		mov	[esp+60h+var_1E], cx
		push	eax
		push	dword ptr [ebx+4]
		lea	eax, [esp+68h+var_50]
		mov	[esp+68h+var_12], cx
		push	1
		push	esi
		mov	esi, [esp+70h+var_48]
		push	eax
		push	esi
		mov	[esp+78h+var_E], cx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	edi, eax
		jmp	short loc_95C0D7
; 

loc_95C0D3:				; CODE XREF: IoSetSystemPartition(x)+EBj
		mov	esi, [esp+60h+var_48]

loc_95C0D7:				; CODE XREF: IoSetSystemPartition(x)+81j
					; IoSetSystemPartition(x)+195j
		cmp	[esp+60h+var_54], 0
		jz	short loc_95C0E7
		push	[esp+60h+var_54]
		call	_ZwClose@4	; ZwClose(x)

loc_95C0E7:				; CODE XREF: IoSetSystemPartition(x)+1A0j
		test	esi, esi
		jz	short loc_95C0F1
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_95C0F1:				; CODE XREF: IoSetSystemPartition(x)+1ADj
		mov	ecx, [esp+60h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_IoSetSystemPartition@4	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1027. IoUnregisterFileSystem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoUnregisterFileSystem(x)
		public _IoUnregisterFileSystem@4
_IoUnregisterFileSystem@4 proc near	; CODE XREF: RawShutdown(x,x)+10p
					; RawShutdown(x,x)+1Bp	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _IopDatabaseResource
		call	ExAcquireResourceExclusiveLite
		mov	edi, [ebp+arg_0]
		lea	ecx, [edi+34h]
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_95C14B
		cmp	[eax+4], ecx
		jnz	short loc_95C158
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_95C158
		mov	[edx], eax
		mov	[eax+4], edx

loc_95C14B:				; CODE XREF: IoUnregisterFileSystem(x)+2Cj
		mov	esi, _IopFsNotifyChangeQueueHead
		mov	ebx, offset _IopFsNotifyChangeQueueHead
		jmp	short loc_95C167
; 

loc_95C158:				; CODE XREF: IoUnregisterFileSystem(x)+31j
					; IoUnregisterFileSystem(x)+38j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_95C15D:				; CODE XREF: IoUnregisterFileSystem(x)+5Dj
		push	0
		lea	eax, [esi]
		mov	esi, [esi]
		push	edi
		call	dword ptr [eax+0Ch]

loc_95C167:				; CODE XREF: IoUnregisterFileSystem(x)+4Aj
		cmp	esi, ebx
		jnz	short loc_95C15D
		inc	_IopFsRegistrationOps
		mov	ecx, offset _IopDatabaseResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	dl, 1
		mov	ecx, edi
		call	IopDecrementDeviceObjectRefCount
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_IoUnregisterFileSystem@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; 
; Exported entry 1028. IoUnregisterFsRegistrationChange

; __stdcall IoUnregisterFsRegistrationChange(x,	x)
		public _IoUnregisterFsRegistrationChange@8
_IoUnregisterFsRegistrationChange@8:
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _IopDatabaseResource
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	eax, _IopFsNotifyChangeQueueHead
		mov	edx, offset _IopFsNotifyChangeQueueHead
		mov	esi, [ebp+8]
		cmp	eax, edx
		jz	short loc_95C1E2
		mov	ecx, [ebp+0Ch]

loc_95C1D2:				; CODE XREF: PAGE:0095C1E0j
		cmp	[eax+8], esi
		jnz	short loc_95C1DC
		cmp	[eax+0Ch], ecx
		jz	short loc_95C202

loc_95C1DC:				; CODE XREF: PAGE:0095C1D5j
		mov	eax, [eax]
		cmp	eax, edx
		jnz	short loc_95C1D2

loc_95C1E2:				; CODE XREF: PAGE:0095C1CDj
					; PAGE:0095C21Dj
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, esi
		call	ObfDereferenceObject
		pop	edi
		pop	esi
		pop	ebp
		retn	8
; 

loc_95C202:				; CODE XREF: PAGE:0095C1DAj
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_95C21F
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_95C21F
		push	0
		mov	[edx], ecx
		push	eax
		mov	[ecx+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_95C1E2
; 

loc_95C21F:				; CODE XREF: PAGE:0095C207j
					; PAGE:0095C20Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1034. IoUpdateLinkShareAccess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoUpdateLinkShareAccess(x, x, x)
		public _IoUpdateLinkShareAccess@12
_IoUpdateLinkShareAccess@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_IoUpdateLinkShareAccessEx@16 ;	IoUpdateLinkShareAccessEx(x,x,x,x)
		pop	ebp
		retn	0Ch
_IoUpdateLinkShareAccess@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1039. IoVerifyVolume

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoVerifyVolume(x, x)
		public _IoVerifyVolume@8
_IoVerifyVolume@8 proc near

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		push	esi
		push	edi
		lea	edi, [esp+38h+var_10]
		mov	[esp+38h+var_18], ebx
		stosd
		mov	[esp+38h+var_14], ebx
		mov	[esp+38h+var_24], ebx
		mov	[esp+38h+var_28], ebx
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esi+9Ch]
		push	ebx
		push	eax
		mov	[esp+4Ch+var_1C], eax
		call	KeWaitForSingleObject
		lea	eax, [esp+38h+var_24]
		mov	ecx, esi
		push	eax
		lea	edx, [esp+3Ch+var_28]
		call	_IopReferenceVerifyVpb@12 ; IopReferenceVerifyVpb(x,x,x)
		test	al, al
		jnz	short loc_95C2B1
		mov	edi, ebx
		jmp	loc_95C375
; 

loc_95C2B1:				; CODE XREF: IoVerifyVolume(x,x)+61j
		push	ebx
		push	ebx
		lea	eax, [esp+40h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edi, [esp+38h+var_24]
		jmp	short loc_95C2C5
; 

loc_95C2C3:				; CODE XREF: IoVerifyVolume(x,x)+83j
		mov	edi, eax

loc_95C2C5:				; CODE XREF: IoVerifyVolume(x,x)+7Aj
		mov	eax, [edi+10h]
		test	eax, eax
		jnz	short loc_95C2C3
		push	dword ptr [ebp+4]
		mov	dl, [edi+30h]
		mov	ecx, edi
		push	ebx
		call	IopAllocateIrpExReturn
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_95C2F3
		mov	ecx, [esp+38h+var_28]
		call	IopDereferenceVpbAndFree
		mov	edi, 0C000009Ah
		jmp	loc_95C3B6
; 

loc_95C2F3:				; CODE XREF: IoVerifyVolume(x,x)+97j
		cmp	[ebp+arg_4], 0
		lea	eax, [esp+38h+var_10]
		mov	[ebx+2Ch], eax
		mov	ecx, ebx
		lea	eax, [esp+38h+var_18]
		mov	dword ptr [ebx+8], 42h
		mov	[ebx+28h], eax
		mov	eax, large fs:124h
		mov	edx, [ebx+60h]
		mov	[ebx+50h], eax
		setnz	al
		mov	byte ptr [ebx+20h], 0
		mov	[edx-22h], al
		mov	eax, [esp+38h+var_28]
		mov	[edx-20h], eax
		mov	eax, [esp+38h+var_24]
		mov	word ptr [edx-24h], 20Dh
		mov	[edx-1Ch], eax
		call	IopQueueThreadIrp
		mov	edx, ebx
		mov	ecx, edi
		call	IofCallDriver
		mov	edi, eax
		xor	ebx, ebx
		cmp	edi, 103h
		jnz	short loc_95C364
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+48h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	edi, [esp+38h+var_18]

loc_95C364:				; CODE XREF: IoVerifyVolume(x,x)+109j
		mov	ecx, [esp+38h+var_28]
		call	IopDereferenceVpbAndFree
		cmp	edi, 0C0000012h
		jnz	short loc_95C3B6

loc_95C375:				; CODE XREF: IoVerifyVolume(x,x)+65j
		mov	ecx, esi
		call	_IopCreateVpb@4	; IopCreateVpb(x)
		test	eax, eax
		js	short loc_95C3B2
		mov	ecx, esi
		call	_PoVolumeDevice@4 ; PoVolumeDevice(x)
		mov	dl, [ebp+arg_4]
		lea	eax, [esp+38h+var_20]
		push	eax
		push	ebx
		push	1
		mov	ecx, esi
		mov	[esp+44h+var_20], ebx
		call	IopMountVolume
		test	eax, eax
		js	short loc_95C3B2
		mov	ecx, [esp+38h+var_20]
		test	ecx, ecx
		jz	short loc_95C3B6
		mov	dl, 1
		call	IopDecrementVpbRefCount
		jmp	short loc_95C3B6
; 

loc_95C3B2:				; CODE XREF: IoVerifyVolume(x,x)+137j
					; IoVerifyVolume(x,x)+158j
		and	dword ptr [esi+1Ch], 0FFFFFFFDh

loc_95C3B6:				; CODE XREF: IoVerifyVolume(x,x)+A7j
					; IoVerifyVolume(x,x)+12Cj ...
		push	0
		push	0
		push	[esp+40h+var_1C]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_IoVerifyVolume@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCheckAndUpdateStopOnSymlinkEcp(x, x, x)
_IopCheckAndUpdateStopOnSymlinkEcp@12 proc near
					; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+F00p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		push	esi
		push	eax
		lea	eax, [ebp+var_8]
		mov	esi, edx
		push	eax
		push	offset _ECP_TYPE_IO_STOP_ON_SYMLINK_FILTER_GUID
		push	ecx
		call	_FsRtlFindExtraCreateParameter@16 ; FsRtlFindExtraCreateParameter(x,x,x,x)
		test	eax, eax
		js	short loc_95C43F
		cmp	[ebp+var_4], 8
		mov	edx, 0A000000Ch
		jb	short loc_95C437
		cmp	esi, 0A0000003h
		jz	short loc_95C422
		cmp	esi, edx
		jz	short loc_95C422
		cmp	esi, 0A0000019h
		jnz	short loc_95C431

loc_95C422:				; CODE XREF: IopCheckAndUpdateStopOnSymlinkEcp(x,x,x)+3Aj
					; IopCheckAndUpdateStopOnSymlinkEcp(x,x,x)+3Ej
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+arg_0]
		inc	dword ptr [ecx]
		movzx	eax, word ptr [eax+6]
		mov	[ecx+4], eax

loc_95C431:				; CODE XREF: IopCheckAndUpdateStopOnSymlinkEcp(x,x,x)+46j
		cmp	[ebp+var_4], 8
		ja	short loc_95C43F

loc_95C437:				; CODE XREF: IopCheckAndUpdateStopOnSymlinkEcp(x,x,x)+32j
		cmp	esi, edx
		jz	short loc_95C43F
		xor	al, al
		jmp	short loc_95C441
; 

loc_95C43F:				; CODE XREF: IopCheckAndUpdateStopOnSymlinkEcp(x,x,x)+27j
					; IopCheckAndUpdateStopOnSymlinkEcp(x,x,x)+5Bj	...
		mov	al, 1

loc_95C441:				; CODE XREF: IopCheckAndUpdateStopOnSymlinkEcp(x,x,x)+63j
		pop	esi
		leave
		retn	4
_IopCheckAndUpdateStopOnSymlinkEcp@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFastQueryNetworkAttributes(x, x,	x, x, x, x, x, x, x)
_IopFastQueryNetworkAttributes@36 proc near
					; CODE XREF: IoFastQueryNetworkAttributes(x,x,x,x,x)+2Ap

var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_120		= dword	ptr -120h
var_110		= dword	ptr -110h
var_10A		= word ptr -10Ah
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F4		= dword	ptr -0F4h
var_E3		= byte ptr -0E3h
var_E1		= byte ptr -0E1h
var_E0		= dword	ptr -0E0h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_C4		= dword	ptr -0C4h
var_A8		= dword	ptr -0A8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 144h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+144h+var_4], eax
		and	[esp+144h+var_144], 0
		lea	eax, [esp+144h+var_A8]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		push	0A0h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[esp+15Ch+var_13C], edx
		mov	[esp+15Ch+var_140], ecx
		call	_memset
		mov	edi, 90h
		lea	eax, [esp+15Ch+var_138]
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	word ptr [esp+150h+var_138+2], di
		mov	[esp+150h+var_F4], esi
		lea	edi, [esp+150h+var_D4]
		mov	esi, [esp+150h+var_140]
		xor	ecx, ecx
		inc	ecx
		mov	[esp+150h+var_120], esi
		push	8
		pop	eax
		mov	word ptr [esp+150h+var_138], ax
		push	7
		pop	eax
		mov	[esp+150h+var_10A], ax
		mov	eax, [ebp+arg_4]
		or	eax, 200000h
		mov	[esp+150h+var_FC], ecx
		mov	[esp+150h+var_110], eax
		lea	eax, [esp+150h+var_A8]
		mov	[esp+150h+var_E0], eax
		xor	eax, eax
		cmp	byte ptr [ebp+arg_0], 0
		mov	[esp+150h+var_100], ecx
		mov	[esp+150h+var_E3], cl
		mov	[esp+150h+var_E1], cl
		stosd
		push	14h
		stosd
		stosd
		stosd
		stosd
		pop	eax
		mov	word ptr [esp+150h+var_D4], ax
		mov	[esp+150h+var_C4], ecx
		jnz	short loc_95C512
		or	dword ptr [esi+0Ch], 200h

loc_95C512:				; CODE XREF: IopFastQueryNetworkAttributes(x,x,x,x,x,x,x,x,x)+C3j
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		lea	ecx, [esp+150h+var_144]
		mov	[esp+150h+var_C4], eax
		push	ecx
		push	eax
		lea	eax, [esp+158h+var_138]
		push	eax
		push	[esp+15Ch+var_13C]
		push	0
		push	[ebp+arg_0]
		push	ds:_IoFileObjectType
		push	esi
		call	ObOpenObjectByNameEx
		mov	ecx, [esp+150h+var_D0]
		mov	esi, eax
		test	ecx, ecx
		jz	short loc_95C550
		call	FsRtlpCleanupEcps

loc_95C550:				; CODE XREF: IopFastQueryNetworkAttributes(x,x,x,x,x,x,x,x,x)+103j
		cmp	[esp+150h+var_128], 0BEAA0251h
		jz	short loc_95C573
		test	esi, esi
		js	short loc_95C56F
		push	[ebp+arg_0]
		push	[esp+154h+var_144]
		call	ObCloseHandle
		mov	esi, 0C0000024h

loc_95C56F:				; CODE XREF: IopFastQueryNetworkAttributes(x,x,x,x,x,x,x,x,x)+116j
		mov	[ebx], esi
		jmp	short loc_95C580
; 

loc_95C573:				; CODE XREF: IopFastQueryNetworkAttributes(x,x,x,x,x,x,x,x,x)+112j
		mov	ecx, [esp+150h+var_130]
		mov	[ebx], ecx
		mov	ecx, [esp+150h+var_12C]
		mov	[ebx+4], ecx

loc_95C580:				; CODE XREF: IopFastQueryNetworkAttributes(x,x,x,x,x,x,x,x,x)+12Bj
		mov	ecx, [esp+150h+var_4]
		mov	al, 1
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_IopFastQueryNetworkAttributes@36 endp


;  S U B	R O U T	I N E 


; __stdcall IopGetThreadActiveConsoleId(x)
_IopGetThreadActiveConsoleId@4 proc near ; CODE	XREF: IoRaiseHardError(x,x,x)+38p
		mov	edi, edi
		push	ecx
		call	_PsGetThreadServerSilo@4 ; PsGetThreadServerSilo(x)
		mov	ecx, eax
		jmp	_PsGetServerSiloActiveConsoleId@4 ; PsGetServerSiloActiveConsoleId(x)
_IopGetThreadActiveConsoleId@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSetFileMemoryPartitionInformation(x, x, x)
_IopSetFileMemoryPartitionInformation@12 proc near ; CODE XREF:	.text:005226B3p
					; IoSetInformation(x,x,x,x)+230p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	[ebp+var_C], ecx
		mov	ebx, edx
		xor	ecx, ecx
		cmp	[ebp+arg_0], 8
		push	esi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		jnb	short loc_95C5CF

loc_95C5C5:				; CODE XREF: IopSetFileMemoryPartitionInformation(x,x,x)+2Fj
					; IopSetFileMemoryPartitionInformation(x,x,x)+37j
		mov	esi, 0C000000Dh
		jmp	loc_95C692
; 

loc_95C5CF:				; CODE XREF: IopSetFileMemoryPartitionInformation(x,x,x)+1Bj
		mov	eax, [ebx+4]
		mov	[ebp+var_10], eax
		cmp	al, 1
		ja	short loc_95C5C5
		mov	byte ptr [ebp+var_10], cl
		cmp	[ebp+var_10], ecx
		jnz	short loc_95C5C5
		push	edi
		mov	esi, 66506F49h
		push	esi
		push	8
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_95C604
		mov	esi, 0C000009Ah
		jmp	loc_95C691
; 

loc_95C604:				; CODE XREF: IopSetFileMemoryPartitionInformation(x,x,x)+50j
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	ecx
		push	eax
		push	esi
		push	ecx
		mov	[edi], ecx
		push	2
		mov	[edi+4], ecx
		mov	ecx, [ebx]
		pop	edx
		call	_PsReferencePartitionByHandle@24 ; PsReferencePartitionByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_95C673
		mov	esi, [ebp+var_4]
		mov	edx, 6F466F49h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	ecx, esi
		call	PsDereferencePartition
		mov	ecx, [ebp+var_C]
		lea	edx, [ebp+var_8]
		mov	[edi], esi
		movzx	eax, byte ptr [ebx+4]
		xor	eax, [edi+4]
		and	eax, 1
		xor	[edi+4], eax
		call	IopAllocateFileObjectExtension
		mov	esi, eax
		test	esi, esi
		js	short loc_95C673
		mov	ecx, [ebp+var_8]
		push	edi
		push	8
		pop	edx
		call	_IopSetTypeSpecificFoExtension@12 ; IopSetTypeSpecificFoExtension(x,x,x)
		test	eax, eax
		jns	short loc_95C66F
		mov	esi, 0C0000021h
		jmp	short loc_95C673
; 

loc_95C66F:				; CODE XREF: IopSetFileMemoryPartitionInformation(x,x,x)+BEj
		xor	edi, edi
		xor	esi, esi

loc_95C673:				; CODE XREF: IopSetFileMemoryPartitionInformation(x,x,x)+78j
					; IopSetFileMemoryPartitionInformation(x,x,x)+AEj ...
		test	edi, edi
		jz	short loc_95C691
		cmp	dword ptr [edi], 0
		jz	short loc_95C689
		mov	ecx, [ebp+var_4]
		mov	edx, 6F466F49h
		call	ObfDereferenceObjectWithTag

loc_95C689:				; CODE XREF: IopSetFileMemoryPartitionInformation(x,x,x)+D2j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95C691:				; CODE XREF: IopSetFileMemoryPartitionInformation(x,x,x)+57j
					; IopSetFileMemoryPartitionInformation(x,x,x)+CDj
		pop	edi

loc_95C692:				; CODE XREF: IopSetFileMemoryPartitionInformation(x,x,x)+22j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_IopSetFileMemoryPartitionInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAbortRequest(x)
_IopAbortRequest@4 proc	near		; DATA XREF: .text:00524AF9o
					; .text:00525095o ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		lea	eax, [ecx+28h]
		push	eax
		lea	eax, [ecx+24h]
		push	eax
		lea	eax, [ecx+20h]
		push	eax
		lea	eax, [ecx+1Ch]
		push	eax
		push	ecx
		call	_IopCompleteRequest@20 ; IopCompleteRequest(x,x,x,x,x)
		pop	ebp
		retn	4
_IopAbortRequest@4 endp	; sp = -14h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAllocateGenericTableEntry(x, x)
_IopAllocateGenericTableEntry@8	proc near ; DATA XREF: INIT:00AC2DCEo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	65546F49h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_IopAllocateGenericTableEntry@8	endp


;  S U B	R O U T	I N E 


; __stdcall IopAllocateIrpCleanup(x, x)
_IopAllocateIrpCleanup@8 proc near	; CODE XREF: .text:00522210p
					; PAGE:007BE2E1p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	short loc_95C6E4
		mov	ecx, edx
		call	ObfDereferenceObject

loc_95C6E4:				; CODE XREF: IopAllocateIrpCleanup(x,x)+7j
		test	byte ptr [esi+2Ch], 2
		jz	short loc_95C6F1
		mov	ecx, esi
		call	_IopReleaseFileObjectLock@4 ; IopReleaseFileObjectLock(x)

loc_95C6F1:				; CODE XREF: IopAllocateIrpCleanup(x,x)+14j
		mov	ecx, esi
		pop	esi
		jmp	ObfDereferenceObject
_IopAllocateIrpCleanup@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopApcHardError(x)
_IopApcHardError@4 proc	near		; DATA XREF: IopStartApcHardError(x)+18o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+14h]
		push	dword ptr [esi+10h]
		call	_IopRaiseHardError@12 ;	IopRaiseHardError(x,x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebp
		retn	4
_IopApcHardError@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopBootLogToFile(x)
_IopBootLogToFile@4 proc near		; CODE XREF: IopBootLog+AF3E4p
					; IopCopyBootLogRegistryToFile+A1BEFp ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], 0FEFFh
		mov	ebx, ecx
		mov	[ebp+var_10], esi
		push	edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], esi
		cmp	ds:dword_A933A4, esi
		jnz	short loc_95C74B
		xor	eax, eax
		jmp	loc_95C839
; 

loc_95C74B:				; CODE XREF: IopBootLogToFile(x)+25j
		mov	edi, large fs:124h
		dec	word ptr [edi+13Ch]
		nop
		mov	eax, ds:dword_A933A4
		push	1
		add	eax, 20h
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	eax, ds:dword_A933A4
		cmp	[eax+14h], esi
		jnz	short loc_95C787
		push	offset ??_C@_1DA@MICMNBLJ@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAn?$AAt?$AAb@NNGAKEGL@
		add	eax, 10h
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, ds:dword_A933A4

loc_95C787:				; CODE XREF: IopBootLogToFile(x)+55j
		push	esi
		push	esi
		push	64h
		push	3
		push	1
		add	eax, 10h
		mov	[ebp+var_30], 18h
		push	80h
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_10]
		push	esi
		push	eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_2C], esi
		push	eax
		push	40000000h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_24], 240h
		push	eax
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_95C822
		cmp	[ebp+var_C], 2
		jnz	short loc_95C7EF
		xor	ecx, ecx
		lea	eax, [ebp+var_8]
		push	ecx
		push	ecx
		push	2
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_4]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_95C7EF:				; CODE XREF: IopBootLogToFile(x)+B5j
		test	esi, esi
		js	short loc_95C81A
		or	[ebp+var_14], 0FFFFFFFFh
		lea	eax, [ebp+var_18]
		or	[ebp+var_18], 0FFFFFFFFh
		xor	ecx, ecx
		push	ecx
		push	eax
		movzx	eax, word ptr [ebx]
		push	eax
		push	dword ptr [ebx+4]
		lea	eax, [ebp+var_10]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_4]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_95C81A:				; CODE XREF: IopBootLogToFile(x)+D4j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_95C822:				; CODE XREF: IopBootLogToFile(x)+AFj
		mov	ecx, ds:dword_A933A4
		lea	ecx, [ecx+20h]
		call	ExReleaseResourceLite
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi

loc_95C839:				; CODE XREF: IopBootLogToFile(x)+29j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopBootLogToFile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCancelAlertedRequest(x, x)
_IopCancelAlertedRequest@8 proc	near	; CODE XREF: .text:005227B6p
					; IopWaitForSynchronousIoEvent(x,x,x,x)+90p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	cl, 1
		push	edi
		mov	edi, edx
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		cmp	dword ptr [esi+4], 0
		mov	bh, al
		jnz	short loc_95C89D
		push	edi
		call	IoCancelIrp
		mov	cl, bh
		mov	bl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jz	short loc_95C88F
		or	[ebp+var_4], 0FFFFFFFFh
		xor	edi, edi
		mov	[ebp+var_8], 0FFFE7960h

loc_95C87D:				; CODE XREF: IopCancelAlertedRequest(x,x)+4Fj
		cmp	[esi+4], edi
		jnz	short loc_95C8A5
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		push	edi
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	short loc_95C87D
; 

loc_95C88F:				; CODE XREF: IopCancelAlertedRequest(x,x)+30j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	esi
		call	KeWaitForSingleObject
		jmp	short loc_95C8A5
; 

loc_95C89D:				; CODE XREF: IopCancelAlertedRequest(x,x)+1Cj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_95C8A5:				; CODE XREF: IopCancelAlertedRequest(x,x)+42j
					; IopCancelAlertedRequest(x,x)+5Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopCancelAlertedRequest@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCancelSynchronousIrpsForThread(x, x)
_IopCancelSynchronousIrpsForThread@8 proc near
					; CODE XREF: NtCancelSynchronousIoFile(x,x,x)+68p

var_50		= dword	ptr -50h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= byte ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 50h
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		push	esi
		xor	edx, edx
		call	IopCancelApcRequired
		test	eax, eax
		jz	short loc_95C8FA
		push	50h		; size_t
		lea	eax, [esp+5Ch+var_50]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+58h+var_1C], esi
		lea	eax, [esp+58h+var_18]
		mov	[esp+58h+var_8], 1
		push	0
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	edx, [esp+58h+var_50]
		mov	ecx, edi
		call	_IopCancelIrpsInThreadList@8 ; IopCancelIrpsInThreadList(x,x)

loc_95C8FA:				; CODE XREF: IopCancelSynchronousIrpsForThread(x,x)+1Bj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_IopCancelSynchronousIrpsForThread@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCheckGetQuotaBufferValidity(x, x, x)
_IopCheckGetQuotaBufferValidity@12 proc	near ; CODE XREF: PAGE:0095FDE6p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	esi, ebx
		jmp	short loc_95C93E
; 

loc_95C910:				; CODE XREF: IopCheckGetQuotaBufferValidity(x,x,x)+41j
		lea	eax, [esi+8]
		push	eax
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	short loc_95C943
		lea	eax, [esi+8]
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	ecx, [esi]
		add	eax, 8
		test	ecx, ecx
		jz	short loc_95C956
		cmp	eax, ecx
		jg	short loc_95C943
		test	cl, 3
		jnz	short loc_95C943
		sub	edi, ecx
		js	short loc_95C943
		add	esi, ecx

loc_95C93E:				; CODE XREF: IopCheckGetQuotaBufferValidity(x,x,x)+Ej
		cmp	edi, 14h
		jge	short loc_95C910

loc_95C943:				; CODE XREF: IopCheckGetQuotaBufferValidity(x,x,x)+1Bj
					; IopCheckGetQuotaBufferValidity(x,x,x)+31j ...
		mov	eax, [ebp+arg_0]
		sub	esi, ebx
		mov	[eax], esi
		mov	eax, 0C0000266h

loc_95C94F:				; CODE XREF: IopCheckGetQuotaBufferValidity(x,x,x)+5Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_95C956:				; CODE XREF: IopCheckGetQuotaBufferValidity(x,x,x)+2Dj
		sub	edi, eax
		js	short loc_95C943
		xor	eax, eax
		jmp	short loc_95C94F
_IopCheckGetQuotaBufferValidity@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCleanupFileObjectIosbRange(x)
_IopCleanupFileObjectIosbRange@4 proc near ; CODE XREF:	IopCleanupProcessResources+11A60Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	edx, 70436F49h
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], ebx
		push	edi
		mov	ecx, [ebx+10h]
		mov	edi, esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], ecx
		call	ObfDereferenceObjectWithTag
		mov	ecx, offset _IoStatusBlockRangeTableLock
		mov	[ebx+10h], esi
		call	ExAcquireFastMutex
		lea	eax, [ebp+var_C]
		push	eax
		push	offset _IoStatusBlockRangeTable
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		mov	ebx, eax
		mov	esi, [ebx+4]
		test	esi, esi
		jz	short loc_95C9C1
		mov	eax, [ebp+var_4]
		mov	eax, [eax+8]

loc_95C9AF:				; CODE XREF: IopCleanupFileObjectIosbRange(x)+5Dj
		cmp	eax, [esi+0Ch]
		jz	short loc_95C9BF
		mov	edi, esi
		mov	esi, [esi+14h]
		test	esi, esi
		jnz	short loc_95C9AF
		jmp	short loc_95C9C1
; 

loc_95C9BF:				; CODE XREF: IopCleanupFileObjectIosbRange(x)+54j
		dec	dword ptr [esi]

loc_95C9C1:				; CODE XREF: IopCleanupFileObjectIosbRange(x)+49j
					; IopCleanupFileObjectIosbRange(x)+5Fj
		cmp	dword ptr [esi], 0
		jnz	short loc_95CA11
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_95C9D6
		push	dword ptr [esi+0Ch]
		push	eax
		call	MmUnmapLockedPages

loc_95C9D6:				; CODE XREF: IopCleanupFileObjectIosbRange(x)+6Dj
		push	dword ptr [esi+0Ch]
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	dword ptr [esi+0Ch]
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	eax, [esi+14h]
		test	edi, edi
		jnz	short loc_95C9F2
		mov	[ebx+4], eax
		jmp	short loc_95C9F5
; 

loc_95C9F2:				; CODE XREF: IopCleanupFileObjectIosbRange(x)+8Dj
		mov	[edi+14h], eax

loc_95C9F5:				; CODE XREF: IopCleanupFileObjectIosbRange(x)+92j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	dword ptr [ebx+4], 0
		jnz	short loc_95CA11
		lea	eax, [ebp+var_C]
		push	eax
		push	offset _IoStatusBlockRangeTable
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)

loc_95CA11:				; CODE XREF: IopCleanupFileObjectIosbRange(x)+66j
					; IopCleanupFileObjectIosbRange(x)+A3j
		mov	ecx, offset _IoStatusBlockRangeTableLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopCleanupFileObjectIosbRange@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCompareIosbRanges(x, x, x)
_IopCompareIosbRanges@12 proc near	; DATA XREF: INIT:00AC2DD3o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	eax, [ebp+arg_8]
		mov	eax, [eax]
		cmp	eax, ecx
		jbe	short loc_95CA37
		xor	eax, eax
		jmp	short loc_95CA3C
; 

loc_95CA37:				; CODE XREF: IopCompareIosbRanges(x,x,x)+11j
		sbb	eax, eax
		add	eax, 2

loc_95CA3C:				; CODE XREF: IopCompareIosbRanges(x,x,x)+15j
		pop	ebp
		retn	0Ch
_IopCompareIosbRanges@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopConnectLinkTrackingPort(x)
_IopConnectLinkTrackingPort@4 proc near	; DATA XREF: IopSendMessageToTrackService(x,x,x)+9Co

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edi
		mov	[ebp+var_18], edi
		cmp	ds:_IopLinkTrackingServiceObject, esi
		jnz	loc_95CB14
		mov	[ebp+var_20], edi
		xor	eax, eax
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], edi
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		mov	eax, ds:_IopLinkTrackingServiceEvent
		xor	edi, edi
		cmp	[eax+4], edi
		jz	loc_95CB0F
		push	offset ??_C@_1CM@JPFBADDC@?$AA?2?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?2?$AAT?$AAR?$AAK?$AAW?$AAK@NNGAKEGL@
		lea	eax, [ebp+var_20]
		mov	[ebp+var_C], 2
		push	eax
		mov	[ebp+var_8], 101h
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	edi
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	NtSecureConnectPort
		mov	esi, eax
		test	esi, esi
		js	short loc_95CB14
		mov	eax, [ebp+var_14]
		add	eax, 0FFFFFF80h
		cmp	eax, 80h
		ja	short loc_95CB00
		mov	eax, ds:_LpcPortObjectType
		lea	ecx, [ebp+var_14]
		push	edi
		push	ecx
		push	edi
		push	eax
		push	edi
		push	[ebp+var_18]
		mov	[ebp+var_14], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[ebp+var_18]
		mov	esi, eax
		mov	eax, [ebp+var_14]
		mov	ds:_IopLinkTrackingServiceObject, eax
		call	NtClose
		jmp	short loc_95CB14
; 

loc_95CB00:				; CODE XREF: IopConnectLinkTrackingPort(x)+92j
		push	[ebp+var_18]
		call	NtClose
		mov	esi, 0C000000Dh
		jmp	short loc_95CB14
; 

loc_95CB0F:				; CODE XREF: IopConnectLinkTrackingPort(x)+46j
		mov	esi, 0C0000034h

loc_95CB14:				; CODE XREF: IopConnectLinkTrackingPort(x)+25j
					; IopConnectLinkTrackingPort(x)+85j ...
		push	edi
		push	edi
		lea	eax, [ebx+10h]
		mov	[ebx+20h], esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_IopConnectLinkTrackingPort@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopEtwEnableCallback(x, x, x, x, x,	x, x, x, x)
_IopEtwEnableCallback@36 proc near	; DATA XREF: INIT:00AC2CAEo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		sub	eax, 0
		jz	short loc_95CB4C
		sub	eax, 1
		jnz	short loc_95CB56
		xor	ecx, ecx
		inc	ecx
		mov	edx, ecx
		jmp	short loc_95CB51
; 

loc_95CB4C:				; CODE XREF: IopEtwEnableCallback(x,x,x,x,x,x,x,x,x)+Bj
		xor	ecx, ecx
		xor	edx, edx
		inc	ecx

loc_95CB51:				; CODE XREF: IopEtwEnableCallback(x,x,x,x,x,x,x,x,x)+17j
		call	_IopIrpExtensionControl@8 ; IopIrpExtensionControl(x,x)

loc_95CB56:				; CODE XREF: IopEtwEnableCallback(x,x,x,x,x,x,x,x,x)+10j
		pop	ebp
		retn	24h
_IopEtwEnableCallback@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFreeGenericTableEntry(x,	x)
_IopFreeGenericTableEntry@8 proc near	; DATA XREF: INIT:00AC2DC9o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	65546F49h
		push	[ebp+arg_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_IopFreeGenericTableEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGetVolumeId(x, x, x)
_IopGetVolumeId@12 proc	near		; CODE XREF: IopTrackLink+130328p
					; IopTrackLink+13034Cp	...

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+70h+var_64], edx
		lea	edi, [esp+70h+var_58]
		xor	esi, esi
		stosd
		mov	ebx, ecx
		push	40h		; size_t
		push	esi		; int
		mov	[esp+78h+var_60], esi
		stosd
		mov	[esp+78h+var_5C], esi
		stosd
		stosd
		lea	eax, [esp+78h+var_48]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+70h+var_58]
		push	esi
		push	esi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		call	IoGetRelatedDeviceObject
		mov	edi, eax
		lea	eax, [esp+70h+var_60]
		push	eax
		lea	eax, [esp+74h+var_58]
		push	eax
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	edi
		push	esi
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_95CBEA
		mov	eax, 0C000009Ah
		jmp	short loc_95CC53
; 

loc_95CBEA:				; CODE XREF: IopGetVolumeId(x,x,x)+71j
		or	dword ptr [esi+8], 4
		lea	eax, [esp+70h+var_48]
		mov	[esi+3Ch], eax
		mov	ecx, ebx
		mov	[esi+0Ch], eax
		mov	eax, [esi+60h]
		mov	[esi+64h], ebx
		mov	[eax-0Ch], ebx
		mov	byte ptr [eax-24h], 0Ah
		mov	dword ptr [eax-20h], 40h
		mov	dword ptr [eax-1Ch], 8
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, esi
		mov	ecx, edi
		call	IofCallDriver
		xor	esi, esi
		cmp	eax, 103h
		jnz	short loc_95CC3E
		push	esi
		push	esi
		push	esi
		push	esi
		lea	eax, [esp+80h+var_58]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+70h+var_60]

loc_95CC3E:				; CODE XREF: IopGetVolumeId(x,x,x)+BAj
		test	eax, eax
		js	short loc_95CC53
		mov	edi, [esp+70h+var_64]
		mov	[edi], esi
		add	edi, 4
		lea	esi, [esp+70h+var_48]
		movsd
		movsd
		movsd
		movsd

loc_95CC53:				; CODE XREF: IopGetVolumeId(x,x,x)+78j
					; IopGetVolumeId(x,x,x)+D0j
		mov	ecx, [esp+70h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_IopGetVolumeId@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopHardErrorThread(x)
_IopHardErrorThread@4 proc near		; DATA XREF: INIT:00AC2ABBo

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+18h+var_8], edi

loc_95CC7B:				; CODE XREF: IopHardErrorThread(x)+7Dj
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset unk_6CCF5C
		call	KeWaitForSingleObject
		call	_IopRemoveHardErrorPacket@0 ; IopRemoveHardErrorPacket()
		mov	esi, eax
		xor	eax, eax
		lea	ecx, [esi+0Ch]
		mov	[esp+18h+var_4], ecx
		mov	ecx, [esi+10h]
		test	ecx, ecx
		setnz	al
		cmp	_ExReadyForErrors, 0
		jz	short loc_95CCC6
		neg	ecx
		lea	edx, [esp+18h+var_8]
		push	edx		; int
		push	7		; int
		sbb	ecx, ecx
		lea	edx, [esp+20h+var_4]
		and	ecx, edx
		push	ecx		; void *
		push	eax		; int
		push	eax		; int
		push	dword ptr [esi+8] ; int
		call	_ExRaiseHardError@24 ; ExRaiseHardError(x,x,x,x,x,x)

loc_95CCC6:				; CODE XREF: IopHardErrorThread(x)+41j
		call	_IopCheckHardErrorEmpty@0 ; IopCheckHardErrorEmpty()
		mov	ecx, [esi+10h]
		mov	bl, al
		test	ecx, ecx
		jz	short loc_95CCDB
		push	edi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95CCDB:				; CODE XREF: IopHardErrorThread(x)+6Bj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	bl, bl
		jnz	short loc_95CC7B
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_IopHardErrorThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopInitializeBootLogging(x,	x)
_IopInitializeBootLogging@8 proc near	; CODE XREF: Phase1InitializationDiscard(x)+DA0p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		cmp	ds:dword_A933A4, 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		jnz	loc_95CE8C
		push	60h
		pop	edx
		mov	ecx, 200h
		call	IopVerifierExAllocatePool
		mov	esi, eax
		mov	ds:dword_A933A4, esi
		test	esi, esi
		jz	loc_95CE8C
		push	60h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+20h]
		push	eax
		call	ExInitializeResourceLite
		mov	eax, ds:dword_A933A4
		push	1
		add	eax, 20h
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	esi, [edi+10h]
		lea	eax, [ebp+var_4]
		push	eax
		push	0B5h
		push	0
		push	0Bh
		push	dword ptr [esi+18h]
		call	_RtlFindMessage@20 ; RtlFindMessage(x,x,x,x,x)
		push	4
		pop	edi
		test	eax, eax
		js	short loc_95CDC4
		mov	ecx, [ebp+var_4]
		add	ecx, edi
		mov	[ebp+var_8], ecx
		lea	edx, [ecx+1]

loc_95CD7C:				; CODE XREF: IopInitializeBootLogging(x,x)+92j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_95CD7C
		sub	ecx, edx
		movzx	eax, cx
		mov	word ptr [ebp+var_C], ax
		inc	eax
		mov	word ptr [ebp+var_C+2],	ax
		lea	eax, [ebp+var_C]
		push	1
		push	eax
		push	ds:dword_A933A4
		call	RtlAnsiStringToUnicodeString
		mov	edx, ds:dword_A933A4
		movzx	eax, word ptr [edx]
		cmp	ax, di
		jbe	short loc_95CDC4
		add	eax, 0FFFFFFFCh
		mov	[edx], ax
		movzx	ecx, ax
		mov	eax, [edx+4]
		shr	ecx, 1
		xor	edx, edx
		mov	[eax+ecx*2], dx

loc_95CDC4:				; CODE XREF: IopInitializeBootLogging(x,x)+80j
					; IopInitializeBootLogging(x,x)+BFj
		lea	eax, [ebp+var_4]
		push	eax
		push	0B6h
		push	0
		push	0Bh
		push	dword ptr [esi+18h]
		call	_RtlFindMessage@20 ; RtlFindMessage(x,x,x,x,x)
		test	eax, eax
		js	short loc_95CE3A
		mov	ecx, [ebp+var_4]
		add	ecx, 4
		mov	[ebp+var_8], ecx
		lea	edx, [ecx+1]

loc_95CDE9:				; CODE XREF: IopInitializeBootLogging(x,x)+FFj
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_95CDE9
		sub	ecx, edx
		movzx	eax, cx
		mov	word ptr [ebp+var_C], ax
		inc	eax
		mov	word ptr [ebp+var_C+2],	ax
		lea	eax, [ebp+var_C]
		push	1
		push	eax
		mov	eax, ds:dword_A933A4
		add	eax, 8
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	edx, ds:dword_A933A4
		movzx	eax, word ptr [edx+8]
		cmp	ax, di
		jbe	short loc_95CE40
		add	eax, 0FFFFFFFCh
		movzx	eax, ax
		mov	ecx, eax
		mov	[edx+8], ax
		mov	eax, [edx+0Ch]
		shr	ecx, 1
		xor	esi, esi
		mov	[eax+ecx*2], si
		jmp	short loc_95CE40
; 

loc_95CE3A:				; CODE XREF: IopInitializeBootLogging(x,x)+ECj
		mov	edx, ds:dword_A933A4

loc_95CE40:				; CODE XREF: IopInitializeBootLogging(x,x)+130j
					; IopInitializeBootLogging(x,x)+149j
		lea	eax, [ebx+1]
		push	eax
		lea	eax, [edx+18h]
		push	eax
		call	_RtlCreateUnicodeStringFromAsciiz@8 ; RtlCreateUnicodeStringFromAsciiz(x,x)
		push	1
		mov	edi, offset _PsLoadedModuleResource
		push	edi
		call	ExAcquireResourceSharedLite
		mov	esi, _PsLoadedModuleList
		mov	ebx, offset _PsLoadedModuleList
		jmp	short loc_95CE73
; 

loc_95CE67:				; CODE XREF: IopInitializeBootLogging(x,x)+186j
		lea	ecx, [esi+24h]
		mov	dl, 1
		call	IopBootLog
		mov	esi, [esi]

loc_95CE73:				; CODE XREF: IopInitializeBootLogging(x,x)+176j
		cmp	esi, ebx
		jnz	short loc_95CE67
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, ds:dword_A933A4
		lea	ecx, [ecx+20h]
		call	ExReleaseResourceLite

loc_95CE8C:				; CODE XREF: IopInitializeBootLogging(x,x)+1Aj
					; IopInitializeBootLogging(x,x)+37j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopInitializeBootLogging@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopInvalidateVolumesForDevice(x)
_IopInvalidateVolumesForDevice@4 proc near ; CODE XREF:	IopRemoveDevice(x,x)+13Cp
					; PiIrpQueryRemoveDevice(x,x)+103p

var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h

		push	48h
		push	offset dword_6A7F70
		call	__SEH_prolog4
		mov	esi, ecx
		mov	[ebp+var_3C], esi
		xor	ebx, ebx
		mov	ecx, ebx
		xor	eax, eax
		lea	edi, [ebp+var_58]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_20], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx

loc_95CEB8:				; CODE XREF: IopInvalidateVolumesForDevice(x)+215j
		mov	[ebp+var_30], esi
		test	esi, esi
		jz	loc_95D0AB
		cmp	[esi+24h], ebx
		jz	loc_95D0A3
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esi+9Ch]
		push	eax
		call	KeWaitForSingleObject
		mov	[ebp+var_20], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+ms_exc.disabled], ebx
		push	esi
		push	ebx
		call	_IoCreateStreamFileObjectLite@8	; IoCreateStreamFileObjectLite(x,x)
		mov	ecx, eax
		mov	[ebp+var_34], ecx
		mov	eax, [esi+24h]
		mov	[ecx+8], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		push	ds:_IoFileObjectType
		push	ebx
		push	ebx
		push	200h
		push	ecx
		call	ObOpenObjectByPointer
		mov	[ebp+var_2C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_95CF4C
; 

loc_95CF29:				; DATA XREF: .text:006A7F84o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_38], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95CF37:				; DATA XREF: .text:006A7F88o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_38]
		mov	[ebp+var_2C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_30]

loc_95CF4C:				; CODE XREF: IopInvalidateVolumesForDevice(x)+96j
		test	eax, eax
		js	loc_95D086
		mov	eax, large fs:124h
		mov	[ebp+var_40], eax
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _IopDatabaseResource
		call	ExAcquireResourceSharedLite
		mov	eax, [ebp+var_3C]
		mov	eax, [eax+2Ch]
		cmp	eax, 7
		jz	short loc_95CF94
		cmp	eax, 24h
		jz	short loc_95CF94
		cmp	eax, 2
		jnz	short loc_95CF8D
		mov	edi, offset _IopCdRomFileSystemQueueHead
		jmp	short loc_95CF99
; 

loc_95CF8D:				; CODE XREF: IopInvalidateVolumesForDevice(x)+F3j
		mov	edi, offset _IopTapeFileSystemQueueHead
		jmp	short loc_95CF99
; 

loc_95CF94:				; CODE XREF: IopInvalidateVolumesForDevice(x)+E9j
					; IopInvalidateVolumesForDevice(x)+EEj
		mov	edi, offset _IopDiskFileSystemQueueHead

loc_95CF99:				; CODE XREF: IopInvalidateVolumesForDevice(x)+FAj
					; IopInvalidateVolumesForDevice(x)+101j
		push	ebx
		push	ebx
		lea	eax, [ebp+var_58]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[ebp+var_24], ebx
		mov	eax, [edi]

loc_95CFA9:				; CODE XREF: IopInvalidateVolumesForDevice(x)+1B7j
		mov	[ebp+var_30], eax
		cmp	eax, edi
		jz	loc_95D054
		cmp	[eax], edi
		jz	loc_95D054
		add	eax, 0FFFFFFCCh

loc_95CFBF:				; CODE XREF: IopInvalidateVolumesForDevice(x)+136j
		mov	[ebp+var_28], eax
		mov	eax, [eax+10h]
		test	eax, eax
		jnz	short loc_95CFBF
		lea	eax, [ebp+var_58]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	4
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_28]
		push	90054h
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_95D04D
		mov	eax, [edx+60h]
		mov	word ptr [eax-24h], 0Dh
		mov	ecx, [ebp+var_28]
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_95D020
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_58]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_48]
		jmp	short loc_95D026
; 

loc_95D020:				; CODE XREF: IopInvalidateVolumesForDevice(x)+17Bj
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], ebx

loc_95D026:				; CODE XREF: IopInvalidateVolumesForDevice(x)+18Dj
		cmp	eax, 0C0000010h
		jz	short loc_95D034
		cmp	eax, 0C0000002h
		jnz	short loc_95D036

loc_95D034:				; CODE XREF: IopInvalidateVolumesForDevice(x)+19Aj
		mov	eax, ebx

loc_95D036:				; CODE XREF: IopInvalidateVolumesForDevice(x)+1A1j
		cmp	[ebp+var_24], 0
		jl	short loc_95D043
		test	eax, eax
		jns	short loc_95D043
		mov	[ebp+var_24], eax

loc_95D043:				; CODE XREF: IopInvalidateVolumesForDevice(x)+1A9j
					; IopInvalidateVolumesForDevice(x)+1ADj
		mov	eax, [ebp+var_30]
		mov	eax, [eax]
		jmp	loc_95CFA9
; 

loc_95D04D:				; CODE XREF: IopInvalidateVolumesForDevice(x)+163j
		mov	edi, 0C000009Ah
		jmp	short loc_95D057
; 

loc_95D054:				; CODE XREF: IopInvalidateVolumesForDevice(x)+11Dj
					; IopInvalidateVolumesForDevice(x)+125j
		mov	edi, [ebp+var_24]

loc_95D057:				; CODE XREF: IopInvalidateVolumesForDevice(x)+1C1j
		mov	ecx, offset _IopDatabaseResource
		call	ExReleaseResourceLite
		mov	ecx, [ebp+var_40]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_34]
		test	ecx, ecx
		jz	short loc_95D083
		call	ObfDereferenceObject
		cmp	[ebp+var_20], 0
		jz	short loc_95D083
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)

loc_95D083:				; CODE XREF: IopInvalidateVolumesForDevice(x)+1DDj
					; IopInvalidateVolumesForDevice(x)+1E8j
		mov	[ebp+var_2C], edi

loc_95D086:				; CODE XREF: IopInvalidateVolumesForDevice(x)+BDj
		push	ebx
		push	ebx
		lea	eax, [esi+9Ch]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_2C]

loc_95D0A3:				; CODE XREF: IopInvalidateVolumesForDevice(x)+35j
		mov	esi, [esi+10h]
		jmp	loc_95CEB8
; 

loc_95D0AB:				; CODE XREF: IopInvalidateVolumesForDevice(x)+2Cj
		mov	eax, ecx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopInvalidateVolumesForDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLoadFileSystemDriver(x)
_IopLoadFileSystemDriver@4 proc	near	; CODE XREF: IopMountVolume+13CA46p

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		mov	ebx, ecx
		mov	esi, ebx
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		mov	eax, [ebx+10h]
		jmp	short loc_95D0E7
; 

loc_95D0E2:				; CODE XREF: IopLoadFileSystemDriver(x)+2Cj
		mov	esi, eax
		mov	eax, [esi+10h]

loc_95D0E7:				; CODE XREF: IopLoadFileSystemDriver(x)+23j
		test	eax, eax
		jnz	short loc_95D0E2
		push	edi
		push	edi
		lea	eax, [ebp+var_18]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	esi
		push	0Eh
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_95D135
		mov	edx, [eax+60h]
		mov	ecx, esi
		mov	word ptr [edx-24h], 30Dh
		mov	edx, eax
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_95D135
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_18]
		push	eax
		call	KeWaitForSingleObject

loc_95D135:				; CODE XREF: IopLoadFileSystemDriver(x)+50j
					; IopLoadFileSystemDriver(x)+69j
		push	1
		mov	dl, 1
		mov	ecx, ebx
		call	IopDecrementDeviceObjectRef
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopLoadFileSystemDriver@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopMarshalIds(x, x,	x, x)
_IopMarshalIds@16 proc near		; CODE XREF: IopTrackLink+130466p
					; IopTrackLink+1305C6p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	esi, [edx+4]
		and	dword ptr [ebx], 0
		lea	edi, [ebx+0Ch]
		and	dword ptr [ebx+8], 0
		mov	eax, [edx]
		mov	[ebx+8], eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_0]
		lea	edi, [ebx+1Ch]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_4]
		push	dword ptr [esi+4] ; size_t
		lea	eax, [esi+8]
		push	eax		; void *
		lea	eax, [ebx+2Ch]
		push	eax		; void *
		call	_memcpy
		mov	eax, [esi+4]
		add	esp, 0Ch
		add	eax, 24h
		mov	[ebx+4], eax
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_IopMarshalIds@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopRaiseHardError(x, x, x)
_IopRaiseHardError@12 proc near		; CODE XREF: IopApcHardError(x)+12p
					; DATA XREF: IoRaiseHardError(x,x,x)+96o

var_3E		= byte ptr -3Eh
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	6
		mov	[esp+54h+var_3C], eax
		lea	edi, [esp+54h+var_28]
		pop	ecx
		xor	eax, eax
		rep stosd
		mov	edi, [esp+50h+var_3C]
		lea	eax, [esp+50h+var_34]
		xor	ecx, ecx
		push	ecx
		push	eax
		mov	[esp+58h+var_3D], cl
		mov	[esp+58h+var_38], ecx
		mov	[esp+58h+var_34], ecx
		mov	[esp+58h+var_30], ecx
		mov	[esp+58h+var_2C], ecx
		push	ecx
		mov	ecx, edi
		call	ObQueryNameStringMode
		mov	edx, [esp+50h+var_34]
		xor	ecx, ecx
		inc	ecx
		call	IopVerifierExAllocatePool
		mov	[esp+50h+var_3C], eax
		test	eax, eax
		jnz	short loc_95D20E
		mov	edi, 0C000009Ah
		jmp	loc_95D3AF
; 

loc_95D20E:				; CODE XREF: IopRaiseHardError(x,x,x)+6Dj
		push	0
		lea	ecx, [esp+54h+var_38]
		mov	edx, eax
		push	ecx
		push	[esp+58h+var_34]
		mov	ecx, edi
		call	ObQueryNameStringMode
		mov	edi, eax
		test	edi, edi
		js	loc_95D3A3
		test	ebx, ebx
		jz	short loc_95D250
		test	byte ptr [ebx+4], 1
		jz	short loc_95D250
		lea	eax, [ebx+18h]
		mov	[esp+50h+var_2C], eax
		mov	ax, [ebx+6]
		push	40h
		mov	word ptr [esp+54h+var_30], ax
		pop	eax
		mov	word ptr [esp+50h+var_30+2], ax
		jmp	short loc_95D25C
; 

loc_95D250:				; CODE XREF: IopRaiseHardError(x,x,x)+99j
					; IopRaiseHardError(x,x,x)+9Fj
		push	0
		lea	eax, [esp+54h+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_95D25C:				; CODE XREF: IopRaiseHardError(x,x,x)+B9j
		mov	eax, [esi+50h]
		mov	ecx, [eax+150h]
		mov	eax, large fs:124h
		cmp	ecx, [eax+80h]
		jz	short loc_95D284
		lea	eax, [esp+50h+var_28]
		xor	edx, edx
		push	eax
		call	KiStackAttachProcess
		mov	[esp+50h+var_3D], 1

loc_95D284:				; CODE XREF: IopRaiseHardError(x,x,x)+DCj
		mov	ecx, [esi+18h]
		mov	eax, 0C0000012h
		cmp	ecx, eax
		jz	short loc_95D2E7
		jle	short loc_95D2DD
		cmp	ecx, 0C0000014h
		jle	short loc_95D2B2
		cmp	ecx, 0C00000A2h
		jz	short loc_95D2E7
		cmp	ecx, 0C00000A3h
		jz	short loc_95D2B2
		cmp	ecx, 0C00000B5h
		jnz	short loc_95D2DD

loc_95D2B2:				; CODE XREF: IopRaiseHardError(x,x,x)+103j
					; IopRaiseHardError(x,x,x)+113j
		mov	eax, large fs:124h
		xor	edi, edi
		mov	ebx, [esp+50h+var_3C]
		inc	edi
		and	[esp+50h+var_8], 0
		push	2
		mov	eax, [eax+80h]
		pop	edx
		mov	[esp+50h+var_10], ebx
		mov	eax, [eax+0E4h]
		mov	[esp+50h+var_C], eax
		jmp	short loc_95D312
; 

loc_95D2DD:				; CODE XREF: IopRaiseHardError(x,x,x)+FBj
					; IopRaiseHardError(x,x,x)+11Bj
		mov	ebx, [esp+50h+var_3C]
		xor	edx, edx
		xor	edi, edi
		jmp	short loc_95D312
; 

loc_95D2E7:				; CODE XREF: IopRaiseHardError(x,x,x)+F9j
					; IopRaiseHardError(x,x,x)+10Bj
		mov	ebx, [esp+50h+var_3C]
		lea	eax, [esp+50h+var_30]
		mov	[esp+50h+var_10], eax
		mov	eax, large fs:124h
		push	3
		pop	edx
		push	edx
		mov	eax, [eax+80h]
		pop	edi
		mov	[esp+50h+var_C], ebx
		mov	eax, [eax+0E4h]
		mov	[esp+50h+var_8], eax

loc_95D312:				; CODE XREF: IopRaiseHardError(x,x,x)+146j
					; IopRaiseHardError(x,x,x)+150j
		cmp	_ExReadyForErrors, 0
		jz	short loc_95D333
		lea	eax, [esp+50h+var_38]
		push	eax		; int
		push	8		; int
		lea	eax, [esp+58h+var_10]
		push	eax		; void *
		push	edi		; int
		push	edx		; int
		push	ecx		; int
		call	_ExRaiseHardError@24 ; ExRaiseHardError(x,x,x,x,x,x)
		mov	edi, eax
		jmp	short loc_95D33D
; 

loc_95D333:				; CODE XREF: IopRaiseHardError(x,x,x)+184j
		and	[esp+50h+var_38], 0
		mov	edi, 0C0000001h

loc_95D33D:				; CODE XREF: IopRaiseHardError(x,x,x)+19Cj
		cmp	[esp+50h+var_3D], 0
		jz	short loc_95D34F
		xor	edx, edx
		lea	ecx, [esp+50h+var_28]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_95D34F:				; CODE XREF: IopRaiseHardError(x,x,x)+1ADj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		js	short loc_95D376
		cmp	[esp+50h+var_38], 9
		jnz	short loc_95D376
		mov	eax, [esi+60h]
		push	esi
		mov	ecx, [eax+14h]
		movzx	edx, byte ptr [eax]
		push	ecx
		mov	eax, [ecx+8]
		call	dword ptr [eax+edx*4+38h]
		jmp	short loc_95D3BF
; 

loc_95D376:				; CODE XREF: IopRaiseHardError(x,x,x)+1C4j
					; IopRaiseHardError(x,x,x)+1CBj
		cmp	[esp+50h+var_38], 3
		jnz	short loc_95D39B
		mov	eax, [esi+60h]
		cmp	byte ptr [eax],	0Dh
		jnz	short loc_95D394
		cmp	byte ptr [eax+1], 1
		jnz	short loc_95D394
		mov	dword ptr [esi+1Ch], 1
		jmp	short loc_95D39B
; 

loc_95D394:				; CODE XREF: IopRaiseHardError(x,x,x)+1EEj
					; IopRaiseHardError(x,x,x)+1F4j
		mov	dword ptr [esi+18h], 0C0000240h

loc_95D39B:				; CODE XREF: IopRaiseHardError(x,x,x)+1E6j
					; IopRaiseHardError(x,x,x)+1FDj
		test	byte ptr [esi+8], 40h
		jz	short loc_95D3B6
		jmp	short loc_95D3B2
; 

loc_95D3A3:				; CODE XREF: IopRaiseHardError(x,x,x)+91j
		mov	ebx, [esp+50h+var_3C]
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95D3AF:				; CODE XREF: IopRaiseHardError(x,x,x)+74j
		mov	[esi+18h], edi

loc_95D3B2:				; CODE XREF: IopRaiseHardError(x,x,x)+20Cj
		and	dword ptr [esi+1Ch], 0

loc_95D3B6:				; CODE XREF: IopRaiseHardError(x,x,x)+20Aj
		mov	dl, 1
		mov	ecx, esi
		call	IofCompleteRequest

loc_95D3BF:				; CODE XREF: IopRaiseHardError(x,x,x)+1DFj
		mov	ecx, [esp+50h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_IopRaiseHardError@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopRaiseInformationalHardError(x, x, x)
_IopRaiseInformationalHardError@12 proc	near
					; DATA XREF: IoRaiseInformationalHardError(x,x,x)+105o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		xor	ecx, ecx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esi+0Ch]
		mov	[ebp+arg_0], eax
		mov	eax, [esi+10h]
		test	eax, eax
		setnz	cl
		cmp	_ExReadyForErrors, 0
		jz	short loc_95D417
		neg	eax
		lea	edx, [ebp+var_4]
		push	edx		; int
		push	7		; int
		sbb	eax, eax
		lea	edx, [ebp+arg_0]
		and	eax, edx
		push	eax		; void *
		push	ecx		; int
		push	ecx		; int
		push	dword ptr [esi+8] ; int
		call	_ExRaiseHardError@24 ; ExRaiseHardError(x,x,x,x,x,x)
		mov	eax, [esi+10h]

loc_95D417:				; CODE XREF: IopRaiseInformationalHardError(x,x,x)+25j
		test	eax, eax
		jz	short loc_95D423
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95D423:				; CODE XREF: IopRaiseInformationalHardError(x,x,x)+46j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lock dec dword_6CCF74
		pop	esi
		leave
		retn	0Ch
_IopRaiseInformationalHardError@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSafebootDriverLoad(x, x)
_IopSafebootDriverLoad@8 proc near	; CODE XREF: IopLoadDriver+B067Cp
					; IopLoadDriver+B068Ep	...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	esi, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_C], eax
		test	edi, edi
		jz	short loc_95D463
		mov	[edi], al

loc_95D463:				; CODE XREF: IopSafebootDriverLoad(x,x)+28j
		mov	eax, _InitSafeBootMode
		sub	eax, 1
		jz	short loc_95D485
		sub	eax, 1
		jz	short loc_95D47E
		sub	eax, 1
		jnz	short loc_95D4B7
		mov	al, 1
		jmp	loc_95D58F
; 

loc_95D47E:				; CODE XREF: IopSafebootDriverLoad(x,x)+39j
		mov	eax, offset ??_C@_1BA@EBPJHHKE@?$AAN?$AAE?$AAT?$AAW?$AAO?$AAR?$AAK@NNGAKEGL@ ; "NETWORK"
		jmp	short loc_95D48A
; 

loc_95D485:				; CODE XREF: IopSafebootDriverLoad(x,x)+34j
		mov	eax, offset ??_C@_1BA@MHDMKJEM@?$AAM?$AAI?$AAN?$AAI?$AAM?$AAA?$AAL@NNGAKEGL@

loc_95D48A:				; CODE XREF: IopSafebootDriverLoad(x,x)+4Cj
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ax, [esi]
		xor	ebx, ebx
		add	ax, 8
		inc	ebx
		add	ax, word ptr [ebp+var_1C]
		mov	ecx, ebx
		movzx	edx, ax
		mov	word ptr [ebp+var_14+2], ax
		call	IopVerifierExAllocatePool
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_95D4BE

loc_95D4B7:				; CODE XREF: IopSafebootDriverLoad(x,x)+3Ej
					; IopSafebootDriverLoad(x,x)+B0j
		xor	al, al
		jmp	loc_95D58F
; 

loc_95D4BE:				; CODE XREF: IopSafebootDriverLoad(x,x)+7Ej
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		lea	eax, [ebp+var_14]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		test	eax, eax
		jns	short loc_95D4E9
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_95D4B7
; 

loc_95D4E9:				; CODE XREF: IopSafebootDriverLoad(x,x)+A4j
		push	esi
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		test	eax, eax
		js	loc_95D581
		push	0
		mov	esi, 0F003Fh
		lea	ecx, [ebp+var_4]
		push	esi
		push	offset _CmRegistryMachineSystemCurrentControlSetControlSafeBoot
		xor	edx, edx
		call	IopOpenRegistryKey
		test	eax, eax
		js	short loc_95D581
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_14]
		push	0
		push	esi
		push	eax
		lea	ecx, [ebp+var_8]
		call	IopOpenRegistryKey
		push	0
		push	[ebp+var_4]
		mov	esi, eax
		call	ObCloseHandle
		test	esi, esi
		js	short loc_95D581
		test	edi, edi
		jz	short loc_95D575
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		push	eax
		push	0
		mov	edx, offset ??_C@_1CA@LCCLCIKI@?$AAS?$AAa?$AAf?$AAe?$AAB?$AAo?$AAo?$AAt?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs@NNGAKEGL@
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_95D575
		mov	ecx, [ebp+var_C]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_95D56D
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_95D56D
		mov	eax, [ecx+8]
		cmp	dword ptr [ecx+eax], 0
		jz	short loc_95D56D
		mov	[edi], bl

loc_95D56D:				; CODE XREF: IopSafebootDriverLoad(x,x)+123j
					; IopSafebootDriverLoad(x,x)+129j ...
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95D575:				; CODE XREF: IopSafebootDriverLoad(x,x)+103j
					; IopSafebootDriverLoad(x,x)+11Aj
		push	0
		push	[ebp+var_8]
		call	ObCloseHandle
		jmp	short loc_95D583
; 

loc_95D581:				; CODE XREF: IopSafebootDriverLoad(x,x)+BEj
					; IopSafebootDriverLoad(x,x)+DDj ...
		xor	bl, bl

loc_95D583:				; CODE XREF: IopSafebootDriverLoad(x,x)+148j
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, bl

loc_95D58F:				; CODE XREF: IopSafebootDriverLoad(x,x)+42j
					; IopSafebootDriverLoad(x,x)+82j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopSafebootDriverLoad@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSendMessageToTrackService(x, x, x)
_IopSendMessageToTrackService@12 proc near ; CODE XREF:	IopTrackLink+130497p
					; IopTrackLink+130716p

var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_EC		= dword	ptr -0ECh
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 11Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, ecx
		mov	al, [eax+15Ah]
		mov	ebx, offset _IopLinkTrackingPortObject
		mov	[ebp+var_118], edi
		xor	edi, edi
		mov	[ebp+var_114], edx
		mov	[ebp+var_110], esi
		mov	[ebp+var_10C], edi
		mov	byte ptr [ebp+var_108],	al

loc_95D5E2:				; CODE XREF: IopSendMessageToTrackService(x,x,x)+20Fj
		cmp	ds:_IopLinkTrackingServiceObject, 0
		jnz	loc_95D6A8
		mov	eax, ds:_IopLinkTrackingServiceEvent
		cmp	[eax+4], edi
		jz	loc_95D7A8
		push	edi
		push	edi
		push	[ebp+var_108]
		push	edi
		push	ebx
		call	KeWaitForSingleObject
		cmp	eax, 0C0h
		jz	loc_95D7D1
		cmp	eax, 101h
		jz	loc_95D7D1
		cmp	ds:_IopLinkTrackingServiceObject, 0
		jnz	short loc_95D6A0
		mov	esi, offset _IopLinkTrackingPacket
		mov	dword_6CCF08, offset _IopConnectLinkTrackingPort@4 ; IopConnectLinkTrackingPort(x)
		push	offset unk_6CCF10
		mov	dword_6CCF0C, esi
		mov	_IopLinkTrackingPacket,	edi
		call	_KeResetEvent@4	; KeResetEvent(x)
		push	1
		push	esi
		call	ExQueueWorkItem
		push	edi
		push	edi
		push	[ebp+var_108]
		push	edi
		push	offset unk_6CCF10
		call	KeWaitForSingleObject
		mov	esi, eax
		cmp	esi, 0C0h
		jz	short loc_95D688
		cmp	esi, 101h
		jz	short loc_95D688
		mov	eax, dword_6CCF20
		test	eax, eax
		jns	short loc_95D688
		mov	esi, eax

loc_95D688:				; CODE XREF: IopSendMessageToTrackService(x,x,x)+DFj
					; IopSendMessageToTrackService(x,x,x)+E7j ...
		push	edi
		push	edi
		push	ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		test	esi, esi
		jnz	loc_95D7B9
		mov	esi, [ebp+var_110]
		jmp	short loc_95D6A8
; 

loc_95D6A0:				; CODE XREF: IopSendMessageToTrackService(x,x,x)+95j
		push	edi
		push	edi
		push	ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_95D6A8:				; CODE XREF: IopSendMessageToTrackService(x,x,x)+55j
					; IopSendMessageToTrackService(x,x,x)+10Aj
		xor	ecx, ecx
		mov	edx, 0A8h
		inc	ecx
		call	IopVerifierExAllocatePool
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_95D7CC
		push	8Ch		; size_t
		lea	ecx, [ebx+1Ch]
		push	edi		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebx+18h], edi
		mov	[ebx+1Ch], edi
		lea	edi, [ebx+20h]
		push	5
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_114]
		lea	edi, [ebx+34h]
		push	10h
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_118]
		cmp	dword ptr [edi+4], 24h
		jb	loc_95D7BD
		lea	eax, [ebx+98h]
		mov	ecx, edi
		push	eax		; void *
		lea	eax, [ebx+88h]
		push	eax		; int
		lea	edx, [ebx+74h]
		call	_IopUnMarshalIds@16 ; IopUnMarshalIds(x,x,x,x)
		xor	edi, edi
		mov	dword ptr [ebx], 0A80090h
		push	edi
		lea	eax, [ebp+var_11C]
		mov	[ebx+4], edi
		push	eax
		lea	eax, [ebp+var_104]
		mov	[ebp+var_11C], 100h
		push	eax
		push	ebx
		push	20000h
		push	ds:_IopLinkTrackingServiceObject
		call	_LpcSendWaitReceivePort@24 ; LpcSendWaitReceivePort(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000037h
		jz	short loc_95D75C
		cmp	esi, 0C0000703h
		jnz	short loc_95D7AF

loc_95D75C:				; CODE XREF: IopSendMessageToTrackService(x,x,x)+1BEj
		push	edi
		push	edi
		push	[ebp+var_108]
		mov	ebx, offset _IopLinkTrackingPortObject
		push	edi
		push	ebx
		call	KeWaitForSingleObject
		mov	ecx, ds:_IopLinkTrackingServiceObject
		mov	esi, eax
		call	ObfDereferenceObject
		push	edi
		push	edi
		push	ebx
		mov	ds:_IopLinkTrackingServiceObject, edi
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		cmp	[ebp+var_10C], edi
		jnz	short loc_95D7AF
		mov	esi, [ebp+var_110]
		mov	[ebp+var_10C], 1
		jmp	loc_95D5E2
; 

loc_95D7A8:				; CODE XREF: IopSendMessageToTrackService(x,x,x)+63j
		mov	eax, 0C000029Fh
		jmp	short loc_95D7D1
; 

loc_95D7AF:				; CODE XREF: IopSendMessageToTrackService(x,x,x)+1C6j
					; IopSendMessageToTrackService(x,x,x)+1FDj
		test	esi, esi
		js	short loc_95D7B9
		mov	esi, [ebp+var_EC]

loc_95D7B9:				; CODE XREF: IopSendMessageToTrackService(x,x,x)+FEj
					; IopSendMessageToTrackService(x,x,x)+21Dj
		mov	eax, esi
		jmp	short loc_95D7D1
; 

loc_95D7BD:				; CODE XREF: IopSendMessageToTrackService(x,x,x)+163j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 80000005h
		jmp	short loc_95D7D1
; 

loc_95D7CC:				; CODE XREF: IopSendMessageToTrackService(x,x,x)+125j
		mov	eax, 0C000009Ah

loc_95D7D1:				; CODE XREF: IopSendMessageToTrackService(x,x,x)+7Dj
					; IopSendMessageToTrackService(x,x,x)+88j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_IopSendMessageToTrackService@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopSetEaOrQuotaInformationFile(void *,int,int)
_IopSetEaOrQuotaInformationFile@20 proc	near
					; CODE XREF: NtSetQuotaInformationFile(x,x,x,x)+12p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= dword	ptr -19h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	48h
		push	offset dword_6A7F38
		call	__SEH_prolog4
		mov	[ebp+var_30], edx
		mov	esi, ecx
		and	[ebp+var_20], 0
		xor	eax, eax
		mov	[ebp+var_24], eax
		and	[ebp+var_58], eax
		and	[ebp+var_54], eax
		mov	eax, large fs:124h
		mov	[ebp+var_44], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_19], al
		mov	byte ptr [ebp+var_3C], al
		test	al, al
		jz	short loc_95D879
		and	dword ptr [ebp-4], 0
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_95D82C
		mov	ecx, eax

loc_95D82C:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+46j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_95D857
		test	byte ptr [ebp+arg_0], 3
		jnz	loc_95DB65
		mov	ecx, [ebp+arg_0]
		lea	edx, [ecx+ebx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_95D854
		cmp	edx, ecx
		jnb	short loc_95D857

loc_95D854:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+6Cj
		mov	byte ptr [eax],	0

loc_95D857:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+53j
					; IopSetEaOrQuotaInformationFile(x,x,x,x,x)+70j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_95D87C
; 

loc_95D860:				; DATA XREF: .text:006A7F4Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_40], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95D86E:				; DATA XREF: .text:006A7F50o
		mov	esp, [ebp+var_19+1]
		mov	eax, [ebp+var_40]
		jmp	loc_95DB59
; 

loc_95D879:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+37j
		mov	ebx, [ebp+arg_4]

loc_95D87C:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+7Cj
		push	0
		lea	eax, [ebp+var_20]
		push	eax
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_50], eax
		push	eax
		push	2
		pop	edx
		mov	ecx, esi
		call	IopReferenceFileObject
		mov	[ebp+var_28], eax
		test	eax, eax
		js	loc_95DAD2
		mov	esi, [ebp+var_20]
		lea	eax, [esi+2Ch]
		mov	[ebp+var_3C], eax
		mov	eax, [eax]
		test	al, 2
		jz	short loc_95D918
		shr	eax, 2
		and	al, 1
		mov	byte ptr [ebp+arg_4], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		mov	esi, [ebp+var_20]
		lea	ecx, [esi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	edx, eax
		mov	[ebp+var_1A], 0
		xor	ecx, ecx
		inc	ecx
		lea	eax, [esi+44h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_95D8F7
		test	edx, edx
		jz	short loc_95D8EC
		or	byte ptr [edx+0Eh], 1

loc_95D8EC:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+104j
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	edi, edi
		jmp	short loc_95D90B
; 

loc_95D8F7:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+100j
		lea	eax, [ebp+var_1A]
		push	eax
		push	edx
		push	[ebp+arg_4]
		mov	dl, byte ptr [ebp+var_19]
		mov	ecx, esi
		call	IopWaitAndAcquireFileObjectLock
		mov	edi, eax

loc_95D90B:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+113j
		mov	[ebp+var_28], edi
		cmp	[ebp+var_1A], 0
		jnz	short loc_95D931
		mov	al, 1
		jmp	short loc_95D94B
; 

loc_95D918:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+C9j
		push	10h
		pop	edx
		mov	ecx, 200h
		call	IopVerifierExAllocatePool
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_95D93F
		mov	edi, 0C000009Ah

loc_95D931:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+130j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	loc_95DAD2
; 

loc_95D93F:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+148j
		push	0
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	al, al

loc_95D94B:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+134j
		mov	byte ptr [ebp+arg_4], al
		mov	ecx, esi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		push	esi
		call	IoGetRelatedDeviceObject
		mov	[ebp+var_2C], eax
		push	dword ptr [ebp+4]
		push	0
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	edi, eax
		mov	[ebp+var_38], edi
		test	edi, edi
		jnz	short loc_95D99B
		mov	eax, [ebp+var_3C]
		test	byte ptr [eax],	2
		jnz	short loc_95D987
		push	edi
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95D987:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+19Aj
		xor	edx, edx
		mov	ecx, [ebp+var_20]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		mov	eax, 0C000009Ah
		jmp	loc_95DAD2
; 

loc_95D99B:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+192j
		mov	eax, [ebp+var_20]
		mov	[ebp+var_3C], eax
		mov	[edi+64h], eax
		mov	eax, [ebp+var_44]
		mov	[edi+50h], eax
		mov	al, byte ptr [ebp+var_19]
		mov	[edi+20h], al
		cmp	byte ptr [ebp+arg_4], 0
		jz	short loc_95D9C1
		or	byte ptr [edi+27h], 2
		mov	eax, [ebp+var_30]
		xor	ecx, ecx
		jmp	short loc_95D9CE
; 

loc_95D9C1:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+1D2j
		mov	dword ptr [edi+8], 4
		lea	eax, [ebp+var_58]
		mov	ecx, [ebp+var_24]

loc_95D9CE:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+1DDj
		mov	[edi+2Ch], ecx
		mov	[edi+28h], eax
		and	dword ptr [edi+30h], 0
		mov	esi, [edi+60h]
		sub	esi, 24h
		mov	[ebp+var_44], esi
		mov	byte ptr [esi],	1Ah
		mov	eax, [ebp+var_3C]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_2C]
		mov	eax, [eax+1Ch]
		test	al, 4
		jz	loc_95DAE4
		and	[ebp+var_34], 0
		test	ebx, ebx
		jz	loc_95DA94
		mov	[ebp+var_1B], 0
		mov	dword ptr [ebp-4], 1
		mov	edx, ebx
		mov	ecx, 200h
		call	sub_4F0630
		mov	esi, eax
		mov	[edi+0Ch], esi
		push	ebx		; size_t
		push	[ebp+arg_0]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_34]
		push	eax
		push	ebx
		push	esi
		call	_IoCheckQuotaBufferValidity@12 ; IoCheckQuotaBufferValidity(x,x,x)
		mov	[ebp+var_28], eax
		test	eax, eax
		js	loc_95DB6A
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		or	dword ptr [edi+8], 30h
		mov	esi, [ebp+var_44]
		jmp	short loc_95DA9E
; 

loc_95DA53:				; DATA XREF: .text:006A7F58o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_48], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95DA61:				; DATA XREF: .text:006A7F5Co
		mov	esp, [ebp+var_19+1]
		mov	ecx, [ebp+var_20]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	[ebp+var_24]
		push	0
		mov	edx, [ebp+var_38]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		cmp	[ebp+var_1B], 0
		jz	short loc_95DA8C
		mov	eax, [ebp+var_28]
		jmp	loc_95DB59
; 

loc_95DA8C:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+2A0j
		mov	eax, [ebp+var_48]
		jmp	loc_95DB59
; 

loc_95DA94:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+21Cj
		and	dword ptr [edi+0Ch], 0

loc_95DA98:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+304j
		mov	eax, [ebp+arg_0]
		mov	[edi+3Ch], eax

loc_95DA9E:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+26Fj
					; IopSetEaOrQuotaInformationFile(x,x,x,x,x)+308j ...
		mov	[esi+4], ebx
		push	2
		push	[ebp+arg_4]
		mov	esi, [ebp+var_50]
		push	esi
		push	0
		push	[ebp+var_3C]
		mov	edx, edi
		mov	ecx, [ebp+var_2C]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)
		cmp	byte ptr [ebp+arg_4], 0
		jnz	short loc_95DAD2
		push	[ebp+var_30]
		lea	ecx, [ebp+var_58]
		push	ecx
		push	esi
		push	edi
		mov	edx, [ebp+var_24]
		mov	ecx, eax
		call	IopSynchronousApiServiceTail

loc_95DAD2:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+B6j
					; IopSetEaOrQuotaInformationFile(x,x,x,x,x)+158j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_95DAE4:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+210j
		test	al, 10h
		jz	short loc_95DA98
		test	ebx, ebx
		jz	short loc_95DA9E
		mov	dword ptr [ebp-4], 2
		push	edi
		push	1
		push	0
		push	ebx
		push	[ebp+arg_0]
		call	IoAllocateMdl
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_95DB0E
		push	0C000009Ah
		jmp	short loc_95DB7A
; 

loc_95DB0E:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+323j
		movzx	eax, byte ptr [esi]
		push	eax
		push	[ebp+var_2C]
		push	0
		mov	dl, byte ptr [ebp+var_19]
		call	sub_4F0820
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_95DA9E
; 

loc_95DB2B:				; DATA XREF: .text:006A7F64o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_4C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95DB39:				; DATA XREF: .text:006A7F68o
		mov	esp, [ebp+var_19+1]
		mov	ecx, [ebp+var_20]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	[ebp+var_24]
		push	0
		mov	edx, [ebp+var_38]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		mov	eax, [ebp+var_4C]

loc_95DB59:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+92j
					; IopSetEaOrQuotaInformationFile(x,x,x,x,x)+2A5j ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_95DAD2
; 

loc_95DB65:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+59j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_95DB6A:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+25Bj
		mov	[ebp+var_1B], 1
		mov	edx, [ebp+var_30]
		mov	[edx], eax
		mov	ecx, [ebp+var_34]
		mov	[edx+4], ecx
		push	eax

loc_95DB7A:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+32Aj
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

; __stdcall IopSetFileObjectIosbRange(x, x)
_IopSetFileObjectIosbRange@8:		; CODE XREF: .text:0052262Bp
		push	5Ch
		push	offset dword_6A7EF0
		call	__SEH_prolog4
		mov	[ebp+var_48], edx
		mov	[ebp+var_3C], ecx
		xor	ebx, ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_1A], bl
		mov	byte ptr [ebp+var_19], bl
		mov	esi, ebx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_68], ebx
		mov	edi, ebx
		mov	[ebp+var_28], ebx
		mov	eax, ebx
		mov	[ebp+var_34], eax
		mov	[ebp+var_20], ebx
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+var_24], eax
		mov	[ebp+var_64], eax
		mov	ecx, [edx+0Ch]
		mov	eax, [ecx+4]
		mov	[ebp+var_2C], eax
		test	eax, eax
		jnz	short loc_95DBDB
		mov	eax, 0C000000Dh
		jmp	loc_95DF04
; 

loc_95DBDB:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+3EDj
		mov	[ebp+var_5C], eax
		mov	eax, [ecx]
		mov	[ebp+var_30], eax
		mov	[ebp+var_58], eax
		mov	ecx, offset _IoStatusBlockRangeTableLock
		call	ExAcquireFastMutex
		mov	eax, [ebp+var_24]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_19]
		push	eax		; int
		push	8		; size_t
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		push	offset _IoStatusBlockRangeTable	; int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_40], edx
		test	edx, edx
		jnz	short loc_95DC1F

loc_95DC13:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+480j
					; IopSetEaOrQuotaInformationFile(x,x,x,x,x)+5ABj
		mov	[ebp+var_20], 0C000009Ah
		jmp	loc_95DE99
; 

loc_95DC1F:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+42Fj
		cmp	byte ptr [ebp+var_19], bl
		jnz	short loc_95DC45
		mov	esi, [eax+4]
		test	esi, esi
		jz	short loc_95DC4D
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_2C]

loc_95DC31:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+461j
		cmp	[esi+4], edx
		jnz	short loc_95DC3E
		lea	eax, [ecx+edx]
		cmp	[esi+8], eax
		jz	short loc_95DC45

loc_95DC3E:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+452j
		mov	esi, [esi+14h]
		test	esi, esi
		jnz	short loc_95DC31

loc_95DC45:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+440j
					; IopSetEaOrQuotaInformationFile(x,x,x,x,x)+45Aj
		test	esi, esi
		jnz	loc_95DD6E

loc_95DC4D:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+447j
		push	65546F49h
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_50], esi
		test	esi, esi
		jz	short loc_95DC13
		mov	[ebp+var_1A], 1
		mov	[ebp-4], ebx
		mov	eax, [ebp+var_30]
		test	al, 3
		jz	short loc_95DC77
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_95DC77:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+48Ej
		mov	edx, [ebp+var_2C]
		add	edx, eax
		mov	ecx, ds:_MmUserProbeAddress
		mov	[ebp+var_44], ecx
		cmp	edx, ecx
		mov	ecx, [ebp+var_2C]
		ja	short loc_95DC90
		cmp	edx, eax
		jnb	short loc_95DC95

loc_95DC90:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+4A8j
		mov	edx, [ebp+var_44]
		mov	[edx], bl

loc_95DC95:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+4ACj
		push	ebx
		push	1
		push	ebx
		push	ecx
		push	eax
		call	IoAllocateMdl
		mov	[ebp+var_28], eax
		test	eax, eax
		jnz	short loc_95DCB1
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_95DCB1:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+4C3j
		push	1
		mov	eax, [ebp+var_48]
		movzx	eax, byte ptr [eax+20h]
		push	eax
		push	[ebp+var_28]
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp+var_20]
		jmp	short loc_95DD0B
; 

loc_95DCCF:				; DATA XREF: .text:006A7F04o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_4C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95DCDD:				; DATA XREF: .text:006A7F08o
		mov	esp, [ebp+var_19+1]
		mov	ecx, [ebp+var_4C]
		mov	[ebp+var_20], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_50]
		mov	edi, ebx
		mov	edx, [ebp+var_58]
		mov	[ebp+var_30], edx
		mov	eax, [ebp+var_5C]
		mov	[ebp+var_2C], eax
		mov	eax, ebx
		mov	[ebp+var_34], eax
		mov	eax, [ebp+var_64]
		mov	[ebp+var_24], eax

loc_95DD0B:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+4EBj
		test	ecx, ecx
		js	loc_95DE99
		mov	eax, [ebp+var_28]
		test	byte ptr [eax+6], 5
		jz	short loc_95DD24
		mov	edx, [eax+0Ch]
		mov	[ebp+var_34], edx
		jmp	short loc_95DD3B
; 

loc_95DD24:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+538j
		push	40000010h
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	[ebp+var_28]
		call	MmMapLockedPagesSpecifyCache
		mov	edx, eax
		mov	[ebp+var_34], eax

loc_95DD3B:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+540j
		test	edx, edx
		jz	short loc_95DD64
		mov	ecx, [ebp+var_28]
		mov	[esi+0Ch], ecx
		mov	eax, [ebp+var_30]
		mov	[esi+4], eax
		mov	ecx, [ebp+var_2C]
		add	ecx, eax
		mov	[esi+8], ecx
		mov	dword ptr [esi], 1
		mov	[esi+14h], ebx
		mov	[esi+10h], edx
		mov	ecx, [ebp+var_20]
		jmp	short loc_95DD70
; 

loc_95DD64:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+55Bj
		mov	ecx, 0C000009Ah
		mov	[ebp+var_20], ecx
		jmp	short loc_95DD70
; 

loc_95DD6E:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+465j
		mov	ecx, ebx

loc_95DD70:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+580j
					; IopSetEaOrQuotaInformationFile(x,x,x,x,x)+58Aj
		test	ecx, ecx
		js	loc_95DE99
		push	65546F49h
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_95DC13
		mov	[edi+8], ebx
		mov	[edi+0Ch], ebx
		mov	[edi+10h], ebx
		mov	[edi+14h], ebx
		mov	ecx, [ebp+var_30]
		mov	[edi], ecx
		mov	eax, [ebp+var_2C]
		add	eax, ecx
		mov	[edi+4], eax
		mov	eax, [esi+10h]
		sub	eax, [esi+4]
		add	eax, ecx
		mov	[edi+0Ch], eax
		mov	eax, [esi+0Ch]
		mov	[edi+8], eax
		mov	[edi+14h], ebx
		mov	edx, 70436F49h
		mov	ecx, [ebp+var_24]
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_24]
		mov	[edi+10h], eax
		lea	edx, [ebp+var_38]
		mov	ecx, [ebp+var_3C]
		call	IopAllocateFileObjectExtension
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		js	loc_95DE99
		push	edi
		push	2
		pop	edx
		mov	ecx, [ebp+var_38]
		call	_IopSetTypeSpecificFoExtension@12 ; IopSetTypeSpecificFoExtension(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		cmp	ecx, 0C0000001h
		jnz	short loc_95DE50
		push	ebx
		mov	ecx, [ebp+var_3C]
		call	_IopGetFileObjectExtension@12 ;	IopGetFileObjectExtension(x,x,x)
		mov	edx, eax
		mov	eax, [ebp+var_24]
		cmp	[edi+10h], eax
		jnz	short loc_95DE83
		mov	ecx, edx
		test	edx, edx
		jz	short loc_95DE38
		mov	eax, [edi]
		mov	[ebp+var_64], eax

loc_95DE22:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+654j
		cmp	eax, [ecx]
		jnz	short loc_95DE31
		mov	eax, [edi+4]
		cmp	eax, [ecx+4]
		jz	short loc_95DE6A
		mov	eax, [ebp+var_64]

loc_95DE31:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+642j
		mov	ecx, [ecx+14h]
		test	ecx, ecx
		jnz	short loc_95DE22

loc_95DE38:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+639j
		add	edx, 14h

loc_95DE3B:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+667j
		mov	eax, [edx]
		mov	ecx, edi
		mov	[edi+14h], eax
		lock cmpxchg [edx], ecx
		cmp	eax, [edi+14h]
		jnz	short loc_95DE3B
		mov	ecx, ebx
		mov	[ebp+var_20], ecx

loc_95DE50:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+620j
		mov	eax, [ebp+var_24]

loc_95DE53:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+6A4j
		test	ecx, ecx
		js	short loc_95DE99
		cmp	[ebp+var_1A], 1
		jnz	short loc_95DE93
		mov	edx, [ebp+var_40]
		cmp	byte ptr [ebp+var_19], 1
		jnz	short loc_95DE88
		mov	[edx], eax
		jmp	short loc_95DE8E
; 

loc_95DE6A:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+64Aj
		mov	edx, 70436F49h
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObjectWithTag
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_20], ebx
		jmp	short loc_95DEF7
; 

loc_95DE83:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+633j
		mov	ecx, [ebp+var_20]
		jmp	short loc_95DE53
; 

loc_95DE88:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+682j
		mov	eax, [edx+4]
		mov	[esi+14h], eax

loc_95DE8E:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+686j
		mov	[edx+4], esi
		jmp	short loc_95DE95
; 

loc_95DE93:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+679j
		inc	dword ptr [esi]

loc_95DE95:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+6AFj
		test	ecx, ecx
		jns	short loc_95DEF7

loc_95DE99:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+438j
					; IopSetEaOrQuotaInformationFile(x,x,x,x,x)+52Bj ...
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_95DEBE
		mov	ecx, [ebp+var_34]
		test	ecx, ecx
		jz	short loc_95DEAE
		push	eax
		push	ecx
		call	MmUnmapLockedPages

loc_95DEAE:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+6C3j
		push	[ebp+var_28]
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	[ebp+var_28]
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_95DEBE:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+6BCj
		test	edi, edi
		jz	short loc_95DED6
		mov	edx, 70436F49h
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObjectWithTag
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95DED6:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+6DEj
		cmp	byte ptr [ebp+var_19], 1
		jnz	short loc_95DEEA
		lea	eax, [ebp+var_6C]
		push	eax
		push	offset _IoStatusBlockRangeTable
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)

loc_95DEEA:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+6F8j
		cmp	[ebp+var_1A], 1
		jnz	short loc_95DEF7
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95DEF7:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+69Fj
					; IopSetEaOrQuotaInformationFile(x,x,x,x,x)+6B5j ...
		mov	ecx, offset _IoStatusBlockRangeTableLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, [ebp+var_20]

loc_95DF04:				; CODE XREF: IopSetEaOrQuotaInformationFile(x,x,x,x,x)+3F4j
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopSetEaOrQuotaInformationFile@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSetRemoteLink(x,	x, x)
_IopSetRemoteLink@12 proc near		; CODE XREF: IopTrackLink+130724p

var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_118		= dword	ptr -118h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 13Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+13Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [esp+140h+var_118]
		push	esi
		push	edi
		push	10Ch		; size_t
		xor	esi, esi
		mov	[esp+14Ch+var_138], ecx
		push	esi		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		mov	[esp+154h+var_130], esi
		lea	edi, [esp+154h+var_128]
		mov	[esp+154h+var_12C], esi
		stosd
		add	esp, 0Ch
		stosd
		stosd
		stosd
		lea	eax, [esp+148h+var_128]
		xor	edi, edi
		push	edi
		push	edi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	[esp+148h+var_138]
		call	IoGetRelatedDeviceObject
		lea	ecx, [esp+148h+var_130]
		mov	[esp+148h+var_134], eax
		push	ecx
		lea	ecx, [esp+14Ch+var_128]
		push	ecx
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	eax
		push	1400ECh
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_95DFA3
		mov	eax, 0C000009Ah
		jmp	short loc_95E01F
; 

loc_95DFA3:				; CODE XREF: IopSetRemoteLink(x,x,x)+86j
		test	ebx, ebx
		jz	short loc_95DFD3
		mov	esi, [ebx+4]
		add	esi, 8
		cmp	esi, 10Ch
		ja	short loc_95DFCC
		push	esi		; size_t
		lea	eax, [esp+14Ch+var_118]
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	ebx, ebx
		mov	[esp+148h+var_118], ebx
		jmp	short loc_95DFD5
; 

loc_95DFCC:				; CODE XREF: IopSetRemoteLink(x,x,x)+9Fj
		mov	eax, 0C0000023h
		jmp	short loc_95E01F
; 

loc_95DFD3:				; CODE XREF: IopSetRemoteLink(x,x,x)+91j
		xor	ebx, ebx

loc_95DFD5:				; CODE XREF: IopSetRemoteLink(x,x,x)+B6j
		or	dword ptr [edi+8], 4
		lea	eax, [esp+148h+var_118]
		mov	ecx, [esp+148h+var_138]
		mov	[edi+0Ch], eax
		mov	eax, [edi+60h]
		mov	[edi+64h], ecx
		mov	[eax-0Ch], ecx
		mov	word ptr [eax-24h], 40Dh
		mov	[eax-1Ch], esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [esp+148h+var_134]
		mov	edx, edi
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_95E01F
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+158h+var_128]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+148h+var_130]

loc_95E01F:				; CODE XREF: IopSetRemoteLink(x,x,x)+8Dj
					; IopSetRemoteLink(x,x,x)+BDj ...
		mov	ecx, [esp+148h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_IopSetRemoteLink@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopStartApcHardError(x)
_IopStartApcHardError@4	proc near	; DATA XREF: IoRaiseHardError(x,x,x)+199o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esp+0Ch+var_4]
		push	edi
		xor	edi, edi
		push	edi
		push	edi
		push	esi
		push	offset _IopApcHardError@4 ; IopApcHardError(x)
		push	edi
		push	edi
		push	edi
		push	edi
		push	eax
		mov	[esp+34h+var_4], edi
		call	PsCreateSystemThreadEx
		test	eax, eax
		jns	short loc_95E078
		mov	ecx, [esi+10h]
		mov	dl, 1
		call	IofCompleteRequest
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_95E081
; 

loc_95E078:				; CODE XREF: IopStartApcHardError(x)+2Dj
		push	[esp+10h+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_95E081:				; CODE XREF: IopStartApcHardError(x)+40j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_IopStartApcHardError@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopUnMarshalIds(int,void *)
_IopUnMarshalIds@16 proc near		; CODE XREF: IopSendMessageToTrackService(x,x,x)+17Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [edx+4]
		mov	eax, [ebx+8]
		lea	esi, [ebx+0Ch]
		mov	[edx], eax
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+arg_0]
		lea	esi, [ebx+1Ch]
		movsd
		movsd
		movsd
		movsd
		mov	ecx, [ebx+4]
		cmp	ecx, 24h
		jbe	short loc_95E0D0
		push	10h
		add	ecx, 0FFFFFFDCh
		pop	eax
		cmp	ecx, eax
		ja	short loc_95E0C0
		mov	eax, ecx

loc_95E0C0:				; CODE XREF: IopUnMarshalIds(x,x,x,x)+33j
		push	eax		; size_t
		lea	eax, [ebx+2Ch]
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_95E0D0:				; CODE XREF: IopUnMarshalIds(x,x,x,x)+29j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_IopUnMarshalIds@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopUserRundown(x)
_IopUserRundown@4 proc near		; DATA XREF: .text:00522D95o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFC0h
		push	eax
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		pop	ebp
		retn	4
_IopUserRundown@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopValidateJunctionTarget(size_t,int,int,int)
_IopValidateJunctionTarget@24 proc near	; CODE XREF: PAGE:0081D358p

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	90h
		push	offset dword_6A7F10
		call	__SEH_prolog4
		mov	[ebp+var_64], edx
		mov	esi, ecx
		mov	[ebp+var_20], esi
		xor	ebx, ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ebx
		push	16h
		pop	edx
		mov	word ptr [ebp+var_80], dx
		push	18h
		pop	eax
		mov	word ptr [ebp+var_80+2], ax
		mov	[ebp+var_7C], offset ??_C@_1BI@FFNFOEKI@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AA?2@NNGAKEGL@ ; "\\??\\Global\\"
		push	22h
		pop	eax
		mov	word ptr [ebp+var_78], ax
		push	24h
		pop	eax
		mov	word ptr [ebp+var_78+2], ax
		mov	[ebp+var_74], offset ??_C@_1CE@HKBNEBBK@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AA?2?$AAV?$AAo?$AAl?$AAu@NNGAKEGL@ ; "\\??\\Global\\Volume"
		mov	[ebp+var_88], ebx
		mov	[ebp+var_84], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_A0]
		rep stosd
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		push	14h
		pop	eax
		mov	word ptr [ebp+var_38], ax
		mov	word ptr [ebp+var_38+2], dx
		mov	[ebp+var_34], offset ??_C@_1BG@KPDPFBJH@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAV?$AAo?$AAl?$AAu?$AAm?$AAe@NNGAKEGL@
		mov	[ebp+var_28], ebx
		mov	eax, ebx
		mov	[ebp+var_48], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_30], ebx
		mov	edi, ebx
		push	ebx
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+arg_0]
		mov	ecx, 200h
		cmp	esi, 9040Ch
		jnz	short loc_95E1BA
		add	eax, 0FFFFFFE0h
		mov	[ebp+var_60], eax
		mov	edx, eax
		call	sub_4F0630
		mov	esi, eax
		mov	[ebp+var_28], esi
		push	[ebp+var_60]
		mov	eax, [ebp+var_64]
		add	eax, 20h
		push	eax
		jmp	short loc_95E1D0
; 

loc_95E1BA:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+AEj
		mov	[ebp+var_60], eax
		mov	edx, eax
		call	sub_4F0630
		mov	esi, eax
		mov	[ebp+var_28], esi
		mov	eax, [ebp+arg_0]
		push	eax		; size_t
		push	[ebp+var_64]	; void *

loc_95E1D0:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+CCj
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	dword ptr [esi], 0A0000003h
		jz	short loc_95E1F4

loc_95E1E8:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+1B3j
					; IopValidateJunctionTarget(x,x,x,x,x,x)+28Ej ...
		mov	esi, 0C000000Dh

loc_95E1ED:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+115j
					; IopValidateJunctionTarget(x,x,x,x,x,x)+186j ...
		mov	ecx, ebx
		jmp	loc_95E5BA
; 

loc_95E1F4:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+FAj
		push	esi
		push	[ebp+var_60]
		call	_FsRtlValidateReparsePointBuffer@8 ; FsRtlValidateReparsePointBuffer(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_95E1ED
		mov	ecx, [ebp+var_28]
		lea	eax, [ecx+10h]
		mov	[ebp+var_50], eax
		movzx	eax, word ptr [ecx+0Ah]
		mov	ecx, 0FFFEh
		and	eax, ecx
		mov	word ptr [ebp+var_54], ax
		mov	word ptr [ebp+var_54+2], ax
		mov	[ebp+var_A0], 18h
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_94], 600h
		lea	eax, [ebp+var_54]
		mov	[ebp+var_98], eax
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], ebx
		push	1
		push	7
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_A0]
		push	eax
		push	120116h
		lea	eax, [ebp+var_4C]
		push	eax
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_95E1ED
		push	ebx
		lea	eax, [ebp+var_30]
		push	eax
		push	ebx
		xor	edx, edx
		mov	ecx, [ebp+var_4C]
		call	IopReferenceFileObject
		mov	esi, eax
		test	esi, esi
		js	loc_95E1ED
		mov	eax, [ebp+var_30]
		mov	eax, [eax+4]
		mov	[ebp+var_3C], eax
		test	byte ptr [eax+20h], 10h
		jnz	loc_95E1E8
		mov	[ebp+var_19], bl
		push	1
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_95E2E0
		push	1
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_78]
		push	eax
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_95E2E0
		lea	eax, [ebp+var_44]
		push	eax
		push	[ebp+var_3C]
		call	IoVolumeDeviceToDosName
		mov	esi, eax
		test	esi, esi
		jns	short loc_95E2E7

loc_95E2E0:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+1CDj
					; IopValidateJunctionTarget(x,x,x,x,x,x)+1E0j
		mov	al, 1
		mov	[ebp+var_19], al
		jmp	short loc_95E2EA
; 

loc_95E2E7:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+1F2j
		mov	al, [ebp+var_19]

loc_95E2EA:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+1F9j
		test	al, al
		jz	short loc_95E2FF
		lea	eax, [ebp+var_44]
		push	eax
		mov	eax, [ebp+var_30]
		push	dword ptr [eax+4]
		call	IoVolumeDeviceToGuidPath
		mov	esi, eax

loc_95E2FF:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+200j
		test	esi, esi
		jns	short loc_95E30B
		mov	[ebp+var_40], ebx
		jmp	loc_95E1ED
; 

loc_95E30B:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+215j
		movzx	eax, word ptr [ebp+var_54]
		add	eax, 8
		mov	[ebp+var_34], eax

loc_95E315:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+280j
		push	65546F49h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_2C], edi
		test	edi, edi
		jz	loc_95E58E
		push	1
		lea	eax, [ebp+var_3C]
		push	eax
		push	edi
		push	ebx
		mov	eax, [ebp+var_34]
		push	eax
		push	9
		pop	edx
		mov	ecx, [ebp+var_30]
		call	IopQueryXxxInformation
		mov	esi, eax
		cmp	esi, 80000005h
		jnz	short loc_95E369
		mov	eax, [edi]
		add	eax, 8
		mov	[ebp+var_34], eax
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, ebx
		mov	[ebp+var_2C], ebx
		cmp	esi, esi

loc_95E369:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+265j
		mov	eax, [ebp+var_34]
		jz	short loc_95E315
		test	esi, esi
		js	loc_95E567
		mov	eax, [edi]
		test	eax, eax
		jz	loc_95E1E8
		push	5Ch
		pop	esi
		cmp	[edi+4], si
		jnz	loc_95E1E8
		movzx	edx, word ptr [ebp+var_44]
		lea	ecx, [edx+16h]
		add	ecx, eax
		mov	[ebp+var_34], ecx
		cmp	[ebp+var_19], 0
		jz	short loc_95E3A5
		sub	ecx, 8
		mov	[ebp+var_34], ecx

loc_95E3A5:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+2B1j
		shr	edx, 1
		mov	eax, [ebp+var_40]
		cmp	[eax+edx*2-2], si
		jnz	short loc_95E3B7
		sub	ecx, 2
		mov	[ebp+var_34], ecx

loc_95E3B7:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+2C3j
		cmp	ecx, 0FFFDh
		jnb	loc_95E1E8
		movzx	eax, word ptr [ebp+var_54]
		mov	esi, ecx
		sub	esi, eax
		add	esi, [ebp+arg_0]
		mov	[ebp+var_3C], esi
		mov	[ebp+ms_exc.disabled], 1
		mov	edx, [ebp+arg_4]
		cmp	esi, edx
		jbe	short loc_95E3E1
		mov	edx, esi

loc_95E3E1:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+2F1j
		mov	ecx, 200h
		call	sub_4F0630
		mov	[ebp+var_48], eax
		mov	[ebp+var_68], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_20], 9040Ch
		jnz	short loc_95E41F
		push	8
		pop	ecx
		mov	esi, [ebp+var_64]
		mov	edi, eax
		rep movsd
		lea	ecx, [eax+20h]
		mov	[ebp+arg_0], ecx
		mov	eax, [ebp+var_3C]
		add	eax, 0FFFFFFE0h
		mov	[ebp+arg_4], eax
		mov	edi, [ebp+var_2C]
		jmp	short loc_95E427
; 

loc_95E41F:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+313j
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		mov	[ebp+arg_4], esi

loc_95E427:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+331j
		lea	eax, [ecx+10h]
		mov	[ebp+var_58], eax
		xor	eax, eax
		mov	word ptr [ebp+var_5C], ax
		mov	eax, [ebp+var_34]
		mov	word ptr [ebp+var_5C+2], ax
		lea	eax, [ebp+var_80]
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_95E567
		mov	edx, [ebp+var_44]
		mov	[ebp+var_24], edx
		mov	ecx, [ebp+var_40]
		mov	[ebp+var_20], ecx
		cmp	[ebp+var_19], 0
		jz	short loc_95E470
		lea	eax, [edx-8]
		mov	word ptr [ebp+var_24], ax
		add	ecx, 8
		mov	[ebp+var_20], ecx

loc_95E470:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+375j
		movzx	eax, word ptr [ebp+var_24]
		shr	eax, 1
		push	5Ch
		pop	esi
		cmp	[ecx+eax*2-2], si
		jnz	short loc_95E489
		mov	eax, 0FFFEh
		add	word ptr [ebp+var_24], ax

loc_95E489:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+392j
		mov	ax, word ptr [ebp+var_24]
		test	ax, ax
		jz	loc_95E562
		cmp	ax, dx
		ja	loc_95E562
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_95E567
		lea	eax, [edi+4]
		mov	[ebp+var_20], eax
		mov	ax, [edi]
		mov	word ptr [ebp+var_24], ax
		mov	word ptr [ebp+var_24+2], ax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_95E567
		mov	edx, [ebp+arg_0]
		mov	dword ptr [edx], 0A0000003h
		xor	eax, eax
		mov	[edx+6], eax
		mov	eax, [ebp+arg_4]
		add	eax, 0FFFFFFF8h
		mov	[edx+4], ax
		mov	ax, word ptr [ebp+var_5C]
		mov	[edx+0Ah], ax
		movzx	eax, ax
		shr	eax, 1
		xor	ecx, ecx
		mov	[edx+eax*2+10h], cx
		mov	eax, [ebp+var_5C]
		add	eax, 2
		movzx	ecx, ax
		mov	[edx+0Ch], cx
		mov	edx, [ebp+var_28]
		movzx	eax, word ptr [edx+0Eh]
		add	eax, 2
		push	eax		; size_t
		movzx	eax, word ptr [edx+0Ch]
		add	edx, 10h
		add	eax, edx
		push	eax		; void *
		mov	eax, ecx
		mov	ecx, [ebp+arg_0]
		add	ecx, 10h
		add	eax, ecx
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+var_28]
		mov	ax, [ecx+0Eh]
		mov	ecx, [ebp+arg_0]
		mov	[ecx+0Eh], ax
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_48]
		mov	[eax], ecx
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_3C]
		mov	[eax], ecx
		jmp	loc_95E1ED
; 

loc_95E562:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+3A4j
					; IopValidateJunctionTarget(x,x,x,x,x,x)+3ADj
		mov	esi, 0C000000Dh

loc_95E567:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+284j
					; IopValidateJunctionTarget(x,x,x,x,x,x)+35Fj ...
		mov	ecx, [ebp+var_48]
		jmp	short loc_95E5BA
; 

loc_95E56C:				; DATA XREF: .text:006A7F30o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_6C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95E57A:				; DATA XREF: .text:006A7F34o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_6C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, [ebp+var_2C]
		jmp	short loc_95E5B7
; 

loc_95E58E:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+240j
		mov	esi, 0C000009Ah
		jmp	loc_95E1ED
; 

loc_95E598:				; DATA XREF: .text:006A7F24o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_70], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95E5A6:				; DATA XREF: .text:006A7F28o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_70]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, ebx

loc_95E5B7:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+4A0j
		mov	ecx, [ebp+var_68]

loc_95E5BA:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+103j
					; IopValidateJunctionTarget(x,x,x,x,x,x)+47Ej
		test	ecx, ecx
		jz	short loc_95E5C5
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95E5C5:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+4D0j
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_95E5D3
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95E5D3:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+4DEj
		test	edi, edi
		jz	short loc_95E5DE
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95E5DE:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+4E9j
		cmp	[ebp+var_40], 0
		jz	short loc_95E5ED
		push	ebx
		push	[ebp+var_40]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95E5ED:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+4F6j
		mov	ecx, [ebp+var_30]
		test	ecx, ecx
		jz	short loc_95E5F9
		call	ObfDereferenceObject

loc_95E5F9:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+506j
		cmp	[ebp+var_4C], 0
		jz	short loc_95E607
		push	[ebp+var_4C]
		call	_ZwClose@4	; ZwClose(x)

loc_95E607:				; CODE XREF: IopValidateJunctionTarget(x,x,x,x,x,x)+511j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_IopValidateJunctionTarget@24 endp

; 
		align 10h
; Exported entry 892. IoInitializeMiniCompletionPacket

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoInitializeMiniCompletionPacket(x,	x, x)
		public _IoInitializeMiniCompletionPacket@12
_IoInitializeMiniCompletionPacket@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		mov	[ecx+1Ch], eax
		mov	eax, [ebp+arg_8]
		mov	dword ptr [ecx+8], 4
		mov	[ecx+20h], eax
		mov	byte ptr [ecx+24h], 0
		pop	ebp
		retn	0Ch
_IoInitializeMiniCompletionPacket@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtOpenIoCompletion(x, x, x)
_NtOpenIoCompletion@12 proc near	; DATA XREF: .text:00580F50o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	14h
		push	offset dword_6A8038
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_24], bl
		test	bl, bl
		jz	short loc_95E683
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_95E678
		mov	ecx, eax

loc_95E678:				; CODE XREF: NtOpenIoCompletion(x,x,x)+31j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_95E683:				; CODE XREF: NtOpenIoCompletion(x,x,x)+22j
		mov	esi, ds:_IoCompletionObjectType
		lea	eax, [ebp+var_1C]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	edi
		push	[ebp+arg_4]
		push	edi
		push	[ebp+var_24]
		push	esi
		push	[ebp+arg_8]
		call	ObOpenObjectByNameEx
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_95E6F9
		test	bl, bl
		jz	short loc_95E6F1
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_95E6BE:				; CODE XREF: NtOpenIoCompletion(x,x,x)+ACj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_95E6F9
; 

loc_95E6C7:				; DATA XREF: .text:006A804Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_95E6D7:				; DATA XREF: .text:006A8050o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]
		jmp	short loc_95E6FC
; 

loc_95E6E6:				; DATA XREF: .text:006A8058o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_95E6EC:				; DATA XREF: .text:006A805Co
		mov	esp, [ebp+ms_exc.old_esp]
		jmp	short loc_95E6BE
; 

loc_95E6F1:				; CODE XREF: NtOpenIoCompletion(x,x,x)+6Aj
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_95E6F9:				; CODE XREF: NtOpenIoCompletion(x,x,x)+66j
					; NtOpenIoCompletion(x,x,x)+82j
		mov	eax, [ebp+arg_4]

loc_95E6FC:				; CODE XREF: NtOpenIoCompletion(x,x,x)+A1j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_NtOpenIoCompletion@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryIoCompletion(x, x, x, x, x)
_NtQueryIoCompletion@20	proc near	; DATA XREF: .text:00580E44o

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	10h
		push	offset dword_6A8010
		call	__SEH_prolog4
		cmp	[ebp+arg_4], 0
		jz	short loc_95E72A
		mov	eax, 0C0000003h
		jmp	loc_95E822
; 

loc_95E72A:				; CODE XREF: NtQueryIoCompletion(x,x,x,x,x)+10j
		cmp	[ebp+arg_C], 4
		jz	short loc_95E73A
		mov	eax, 0C0000004h
		jmp	loc_95E822
; 

loc_95E73A:				; CODE XREF: NtQueryIoCompletion(x,x,x,x,x)+20j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4+3],	al
		mov	byte ptr [ebp+var_20], al
		test	al, al
		jz	short loc_95E7B1
		and	[ebp+ms_exc.disabled], 0
		mov	ebx, [ebp+arg_8]
		test	bl, 3
		jz	short loc_95E761
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_95E761:				; CODE XREF: NtQueryIoCompletion(x,x,x,x,x)+4Cj
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_95E76D
		mov	byte ptr [eax],	0

loc_95E76D:				; CODE XREF: NtQueryIoCompletion(x,x,x,x,x)+5Aj
		mov	al, [ebx]
		mov	[ebx], al
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jz	short loc_95E789
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_95E785
		mov	ecx, eax

loc_95E785:				; CODE XREF: NtQueryIoCompletion(x,x,x,x,x)+73j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_95E789:				; CODE XREF: NtQueryIoCompletion(x,x,x,x,x)+68j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_95E7B7
; 

loc_95E792:				; DATA XREF: .text:006A8024o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_95E7A2:				; DATA XREF: .text:006A8028o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		jmp	short loc_95E822
; 

loc_95E7B1:				; CODE XREF: NtQueryIoCompletion(x,x,x,x,x)+40j
		mov	esi, [ebp+arg_10]
		mov	ebx, [ebp+arg_8]

loc_95E7B7:				; CODE XREF: NtQueryIoCompletion(x,x,x,x,x)+82j
		mov	eax, ds:_IoCompletionObjectType
		and	[ebp+arg_C], 0
		push	0
		lea	ecx, [ebp+arg_C]
		push	ecx
		push	[ebp+var_20]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+arg_10], eax
		test	eax, eax
		js	short loc_95E81F
		mov	ecx, [ebp+arg_C]
		mov	edi, [ecx+4]
		call	ObfDereferenceObject
		cmp	byte ptr [ebp+arg_4+3],	0
		jz	short loc_95E813
		mov	[ebp+ms_exc.disabled], 1
		mov	[ebx], edi
		test	esi, esi
		jz	short loc_95E7FF
		mov	dword ptr [esi], 4

loc_95E7FF:				; CODE XREF: NtQueryIoCompletion(x,x,x,x,x)+E9j
					; NtQueryIoCompletion(x,x,x,x,x)+103j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_95E81F
; 

loc_95E808:				; DATA XREF: .text:006A8030o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_95E80E:				; DATA XREF: .text:006A8034o
		mov	esp, [ebp+ms_exc.old_esp]
		jmp	short loc_95E7FF
; 

loc_95E813:				; CODE XREF: NtQueryIoCompletion(x,x,x,x,x)+DCj
		mov	[ebx], edi
		test	esi, esi
		jz	short loc_95E81F
		mov	dword ptr [esi], 4

loc_95E81F:				; CODE XREF: NtQueryIoCompletion(x,x,x,x,x)+CBj
					; NtQueryIoCompletion(x,x,x,x,x)+F8j ...
		mov	eax, [ebp+arg_10]

loc_95E822:				; CODE XREF: NtQueryIoCompletion(x,x,x,x,x)+17j
					; NtQueryIoCompletion(x,x,x,x,x)+27j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_NtQueryIoCompletion@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCancelSynchronousIoFile(x, x, x)
_NtCancelSynchronousIoFile@12 proc near	; DATA XREF: .text:005811D0o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	14h
		push	offset dword_6A8060
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jz	short loc_95E870
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+arg_8]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_95E865
		mov	ecx, eax

loc_95E865:				; CODE XREF: NtCancelSynchronousIoFile(x,x,x)+2Dj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_95E870:				; CODE XREF: NtCancelSynchronousIoFile(x,x,x)+1Dj
		mov	eax, ds:_PsThreadType
		and	[ebp+var_1C], 0
		push	0
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_95E8FA
		call	_IopUpdateOtherOperationCount@0	; IopUpdateOtherOperationCount()
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_1C]
		call	_IopCancelSynchronousIrpsForThread@8 ; IopCancelSynchronousIrpsForThread(x,x)
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFDDBh
		add	eax, 0C0000225h
		mov	[ebp+arg_0], eax
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		and	dword ptr [ecx+4], 0
		jmp	short loc_95E8E8
; 

loc_95E8C4:				; DATA XREF: .text:006A8074o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95E8D2:				; DATA XREF: .text:006A8078o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]
		jmp	short loc_95E8FA
; 

loc_95E8E1:				; DATA XREF: .text:006A8080o
		xor	eax, eax
		inc	eax
		retn
; 

loc_95E8E5:				; DATA XREF: .text:006A8084o
		mov	esp, [ebp+ms_exc.old_esp]

loc_95E8E8:				; CODE XREF: NtCancelSynchronousIoFile(x,x,x)+8Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject
		mov	eax, [ebp+arg_0]

loc_95E8FA:				; CODE XREF: NtCancelSynchronousIoFile(x,x,x)+5Bj
					; NtCancelSynchronousIoFile(x,x,x)+ABj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_NtCancelSynchronousIoFile@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1559. NtQueryInformationByName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryInformationByName(x,	x, x, x, x)
		public _NtQueryInformationByName@20
_NtQueryInformationByName@20 proc near	; DATA XREF: .text:00580E7Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	IoQueryInformationByName
		pop	ebp
		retn	14h
_NtQueryInformationByName@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFindMatchingComponentsLengthR(x,	x)
_IopFindMatchingComponentsLengthR@8 proc near ;	CODE XREF: IopSymlinkProcessReparse+1258ACp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		movzx	eax, word ptr [ecx]
		push	ebx
		mov	ebx, [ecx+4]
		add	eax, ebx
		mov	ecx, [edx+4]
		push	esi
		push	edi
		mov	esi, eax
		mov	[ebp+var_8], eax
		xor	edi, edi
		mov	[ebp+var_4], ecx
		cmp	esi, ebx
		jb	short loc_95E987
		movzx	ecx, word ptr [edx]
		mov	eax, [ebp+var_4]
		add	ecx, eax

loc_95E95D:				; CODE XREF: IopFindMatchingComponentsLengthR(x,x)+46j
		cmp	ecx, eax
		jb	short loc_95E97A
		movzx	edx, word ptr [esi]
		cmp	dx, [ecx]
		jnz	short loc_95E97A
		cmp	edx, 5Ch
		jnz	short loc_95E970
		mov	edi, esi

loc_95E970:				; CODE XREF: IopFindMatchingComponentsLengthR(x,x)+3Aj
		sub	esi, 2
		sub	ecx, 2
		cmp	esi, ebx
		jnb	short loc_95E95D

loc_95E97A:				; CODE XREF: IopFindMatchingComponentsLengthR(x,x)+2Dj
					; IopFindMatchingComponentsLengthR(x,x)+35j
		mov	eax, [ebp+var_8]
		test	edi, edi
		jz	short loc_95E987
		sub	eax, edi
		sar	eax, 1
		jmp	short loc_95E989
; 

loc_95E987:				; CODE XREF: IopFindMatchingComponentsLengthR(x,x)+21j
					; IopFindMatchingComponentsLengthR(x,x)+4Dj
		xor	eax, eax

loc_95E989:				; CODE XREF: IopFindMatchingComponentsLengthR(x,x)+53j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopFindMatchingComponentsLengthR@8 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 848. IoGetContainerInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetContainerInformation(x, x, x, x)
		public _IoGetContainerInformation@16
_IoGetContainerInformation@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jz	short loc_95E9A5
		mov	eax, 0C00000EFh
		jmp	short loc_95E9DC
; 

loc_95E9A5:				; CODE XREF: IoGetContainerInformation(x,x,x,x)+9j
		cmp	[ebp+arg_C], 0Ch
		jnb	short loc_95E9B2
		mov	eax, 0C00000F2h
		jmp	short loc_95E9DC
; 

loc_95E9B2:				; CODE XREF: IoGetContainerInformation(x,x,x,x)+16j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_95E9D0
		call	_PsGetCurrentProcessSessionId@0	; PsGetCurrentProcessSessionId()
		mov	ecx, eax
		call	MmGetSessionObjectById
		test	eax, eax
		jnz	short loc_95E9D0
		mov	eax, 0C00000F0h
		jmp	short loc_95E9DC
; 

loc_95E9D0:				; CODE XREF: IoGetContainerInformation(x,x,x,x)+24j
					; IoGetContainerInformation(x,x,x,x)+34j
		mov	edx, [ebp+arg_8]
		mov	ecx, eax
		call	_SessionGetSessionStateInfo@8 ;	SessionGetSessionStateInfo(x,x)
		xor	eax, eax

loc_95E9DC:				; CODE XREF: IoGetContainerInformation(x,x,x,x)+10j
					; IoGetContainerInformation(x,x,x,x)+1Dj ...
		pop	ebp
		retn	10h
_IoGetContainerInformation@16 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 937. IoRegisterContainerNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRegisterContainerNotification(x, x, x, x,	x)
		public _IoRegisterContainerNotification@20
_IoRegisterContainerNotification@20 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		xor	esi, esi
		cmp	[ebp+arg_0], 1
		jl	short loc_95E9FF
		mov	eax, 0C00000EFh
		jmp	loc_95EBB2
; 

loc_95E9FF:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+Ej
		cmp	[ebp+arg_C], 14h
		jnz	loc_95EBAD
		mov	eax, [ebp+arg_8]
		cmp	dword ptr [eax], 14h
		jnz	loc_95EBAD
		push	ebx
		mov	ebx, [eax+8]
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		mov	ecx, offset _IopSessionNotificationLock
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, _IopSessionNotificationQueueHead
		mov	edx, offset _IopSessionNotificationQueueHead
		jmp	short loc_95EA3E
; 

loc_95EA37:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+5Bj
		cmp	[ecx+14h], ebx
		mov	ecx, [ecx]
		jz	short loc_95EA5E

loc_95EA3E:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+50j
		cmp	ecx, edx
		jnz	short loc_95EA37
		push	edi
		push	6E536F49h
		push	24h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_95EA65
		mov	esi, 0C000009Ah
		jmp	short loc_95EAB5
; 

loc_95EA5E:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+57j
		mov	esi, 0C0000021h
		jmp	short loc_95EAB6
; 

loc_95EA65:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+70j
		push	edi
		push	offset _IopDispatchSessionNotifications@12 ; IopDispatchSessionNotifications(x,x,x)
		push	_IopSessionCallbackObject
		call	ExRegisterCallback
		mov	[ebp+arg_C], eax
		test	eax, eax
		jnz	short loc_95EA86
		mov	esi, 0C000009Ah
		mov	ebx, eax
		jmp	short loc_95EAA3
; 

loc_95EA86:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+96j
		movsx	eax, word ptr [ebx]
		and	[ebp+var_8], esi
		sub	eax, 3
		jz	short loc_95EB00
		sub	eax, 1
		jz	short loc_95EAF9
		sub	eax, 1
		jz	short loc_95EACF
		mov	esi, 0C00000F1h

loc_95EAA0:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+104j
					; IoRegisterContainerNotification(x,x,x,x,x)+110j
		mov	ebx, [ebp+arg_C]

loc_95EAA3:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+9Fj
					; IoRegisterContainerNotification(x,x,x,x,x)+1C3j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jz	short loc_95EAB5
		push	ebx
		call	ExUnregisterCallback

loc_95EAB5:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+77j
					; IoRegisterContainerNotification(x,x,x,x,x)+C8j ...
		pop	edi

loc_95EAB6:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+7Ej
		xor	edx, edx
		mov	ecx, offset _IopSessionNotificationLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, esi
		pop	ebx
		jmp	loc_95EBB2
; 

loc_95EACF:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+B4j
		mov	eax, [ebx+4]
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], esi
		mov	ecx, ebx
		mov	eax, [eax+8]
		mov	[ebp+arg_0], eax
		call	IopAllocateFileObjectExtension
		mov	esi, eax
		test	esi, esi
		js	short loc_95EAA0
		mov	eax, [ebp+var_4]
		xor	esi, esi
		or	dword ptr [eax], 2
		test	esi, esi
		js	short loc_95EAA0
		jmp	short loc_95EB49
; 

loc_95EAF9:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+AFj
		mov	ecx, ebx
		mov	[ebp+arg_0], ecx
		jmp	short loc_95EB4C
; 

loc_95EB00:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+AAj
		mov	eax, [ebx+8]
		mov	[ebp+arg_0], eax
		mov	eax, [ebx+0B0h]
		test	dword ptr [eax+10h], 400h
		jz	short loc_95EB3C
		mov	ecx, ebx
		call	IopGetDevicePDO
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_95EB3C
		mov	ecx, eax
		call	_IopGetSessionIdFromPDO@4 ; IopGetSessionIdFromPDO(x)
		mov	ecx, eax
		call	MmGetSessionObjectById
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_8], eax
		call	ObfDereferenceObject

loc_95EB3C:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+12Ej
					; IoRegisterContainerNotification(x,x,x,x,x)+13Cj
		mov	eax, [ebx+0B0h]
		or	dword ptr [eax+10h], 1000h

loc_95EB49:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+112j
		mov	ecx, [ebp+arg_0]

loc_95EB4C:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+119j
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_0]
		mov	[edi+14h], ebx
		mov	ebx, [ebp+arg_C]
		mov	[edi+8], eax
		mov	[edi+10h], ebx
		mov	eax, [ecx+10h]
		mov	[edi+20h], eax
		mov	eax, [ecx+0Ch]
		mov	ecx, offset _IopSessionNotificationQueueHead
		mov	[edi+1Ch], eax
		mov	eax, [ebp+arg_4]
		mov	[edi+0Ch], eax
		mov	eax, [ebp+var_8]
		mov	[edi+18h], eax
		mov	eax, [ebp+arg_10]
		mov	[eax], ebx
		mov	eax, dword_6CCC24
		cmp	[eax], ecx
		jz	short loc_95EB93
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_95EB93:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+1A7j
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	dword_6CCC24, edi
		test	esi, esi
		jns	loc_95EAB5
		jmp	loc_95EAA3
; 

loc_95EBAD:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+1Ej
					; IoRegisterContainerNotification(x,x,x,x,x)+2Aj
		mov	eax, 0C00000F2h

loc_95EBB2:				; CODE XREF: IoRegisterContainerNotification(x,x,x,x,x)+15j
					; IoRegisterContainerNotification(x,x,x,x,x)+E5j
		pop	esi
		leave
		retn	14h
_IoRegisterContainerNotification@20 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1026. IoUnregisterContainerNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoUnregisterContainerNotification(x)
		public _IoUnregisterContainerNotification@4
_IoUnregisterContainerNotification@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _IopSessionNotificationLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, _IopSessionNotificationQueueHead
		mov	ecx, offset _IopSessionNotificationQueueHead
		cmp	eax, ecx
		jz	short loc_95EC00
		push	edi
		mov	edi, [ebp+arg_0]
		push	esi

loc_95EBF1:				; CODE XREF: IoUnregisterContainerNotification(x)+40j
		mov	esi, eax
		mov	eax, [eax]
		cmp	[esi+10h], edi
		jz	short loc_95EC1A
		cmp	eax, ecx
		jnz	short loc_95EBF1

loc_95EBFE:				; CODE XREF: IoUnregisterContainerNotification(x)+87j
		pop	esi
		pop	edi

loc_95EC00:				; CODE XREF: IoUnregisterContainerNotification(x)+2Ej
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	ebx
		pop	ebp
		retn	4
; 

loc_95EC1A:				; CODE XREF: IoUnregisterContainerNotification(x)+3Cj
		mov	ecx, [esi+8]
		call	ObfDereferenceObject
		push	edi
		call	ExUnregisterCallback
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_95EC45
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_95EC45
		push	0
		mov	[eax], ecx
		push	esi
		mov	[ecx+4], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_95EBFE
; 

loc_95EC45:				; CODE XREF: IoUnregisterContainerNotification(x)+71j
					; IoUnregisterContainerNotification(x)+78j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_IoUnregisterContainerNotification@4 endp ; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDispatchSessionNotifications(x, x, x)
_IopDispatchSessionNotifications@12 proc near
					; DATA XREF: IoRegisterContainerNotification(x,x,x,x,x)+81o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		mov	edx, [ecx+10h]
		mov	esi, [eax+18h]
		mov	edi, dword ptr ds:(loc_427A33+1)[edx*4]
		test	esi, esi
		jz	short loc_95EC6D
		cmp	esi, [ecx+20h]
		jnz	short loc_95EC85

loc_95EC6D:				; CODE XREF: IopDispatchSessionNotifications(x,x,x)+1Cj
		test	[eax+1Ch], edi
		jz	short loc_95EC85
		push	dword ptr [ecx+18h]
		push	dword ptr [ecx+1Ch]
		push	dword ptr [eax+20h]
		push	edx
		push	dword ptr [eax+14h]
		push	dword ptr [ecx+20h]
		call	dword ptr [eax+0Ch]

loc_95EC85:				; CODE XREF: IopDispatchSessionNotifications(x,x,x)+21j
					; IopDispatchSessionNotifications(x,x,x)+26j
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_IopDispatchSessionNotifications@12 endp

; 
		align 10h
; Exported entry 886. IoGetSymlinkSupportInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetSymlinkSupportInformation(x, x)
		public _IoGetSymlinkSupportInformation@8
_IoGetSymlinkSupportInformation@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 4
		mov	edx, _IopSymlinkEnabledTypes
		jnb	short loc_95ECA8
		mov	eax, 0C000000Dh
		jmp	short loc_95ECCF
; 

loc_95ECA8:				; CODE XREF: IoGetSymlinkSupportInformation(x,x)+Fj
		mov	ecx, [ebp+arg_0]
		mov	al, dl
		and	al, 1
		mov	[ecx], al
		mov	eax, edx
		shr	eax, 1
		and	al, 1
		mov	[ecx+1], al
		mov	eax, edx
		shr	eax, 2
		shr	edx, 3
		and	al, 1
		and	dl, 1
		mov	[ecx+2], al
		mov	[ecx+3], dl
		xor	eax, eax

loc_95ECCF:				; CODE XREF: IoGetSymlinkSupportInformation(x,x)+16j
		pop	ebp
		retn	8
_IoGetSymlinkSupportInformation@8 endp

; 
		align 8
; Exported entry 905. IoIsValidNameGraftingBuffer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoIsValidNameGraftingBuffer(x, x)
		public _IoIsValidNameGraftingBuffer@8
_IoIsValidNameGraftingBuffer@8 proc near

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_30], 0
		and	[ebp+var_2C], 0
		push	ebx
		mov	eax, [eax+60h]
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edx, [eax+4]
		test	edx, edx
		jz	short loc_95ED1A
		movzx	eax, word ptr [ebx+0Ah]
		movzx	ecx, word ptr [ebx+0Eh]
		add	eax, 14h
		add	eax, ecx
		cmp	edx, eax
		jb	loc_95EE45

loc_95ED1A:				; CODE XREF: IoIsValidNameGraftingBuffer(x,x)+2Bj
		movzx	eax, word ptr [ebx+0Ah]
		push	5Ch
		pop	esi
		push	3Fh
		pop	edi
		cmp	eax, 6
		jbe	short loc_95ED47
		cmp	[ebx+10h], si
		jnz	short loc_95ED47
		cmp	[ebx+12h], si
		jnz	short loc_95ED47
		movzx	ecx, word ptr [ebx+14h]
		cmp	ecx, 2Eh
		jz	short loc_95ED47
		cmp	cx, di
		jnz	loc_95EE45

loc_95ED47:				; CODE XREF: IoIsValidNameGraftingBuffer(x,x)+4Fj
					; IoIsValidNameGraftingBuffer(x,x)+55j	...
		cmp	eax, 10h
		jbe	short loc_95ED83
		cmp	[ebx+10h], si
		jnz	short loc_95ED83
		cmp	[ebx+12h], di
		jnz	short loc_95ED83
		cmp	[ebx+14h], di
		jnz	short loc_95ED83
		cmp	[ebx+16h], si
		jnz	short loc_95ED83
		cmp	word ptr [ebx+18h], 55h
		jnz	short loc_95ED83
		cmp	word ptr [ebx+1Ah], 4Eh
		jnz	short loc_95ED83
		cmp	word ptr [ebx+1Ch], 43h
		jnz	short loc_95ED83
		cmp	[ebx+1Eh], si
		jz	loc_95EE45

loc_95ED83:				; CODE XREF: IoIsValidNameGraftingBuffer(x,x)+72j
					; IoIsValidNameGraftingBuffer(x,x)+78j	...
		push	3Ah
		pop	edx
		push	0Ch
		pop	ecx
		cmp	ax, cx
		jbe	loc_95EF32
		cmp	[ebx+10h], si
		jnz	loc_95EF32
		cmp	[ebx+12h], di
		jnz	loc_95EF32
		cmp	[ebx+14h], di
		jnz	loc_95EF32
		cmp	[ebx+16h], si
		jnz	loc_95EF32
		cmp	[ebx+1Ah], dx
		jnz	loc_95EF32
		and	[ebp+var_28], 0
		lea	edi, [ebp+var_24]
		mov	esi, offset ??_C@_1BA@EGBLHBDC@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAC?$AA?3?$AA?$AA@NNGAKEGL@
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		movsd
		movsd
		movsd
		movsd
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_2C]
		xor	esi, esi
		mov	cx, [ebx+18h]
		mov	[eax+8], cx
		lea	eax, [ebp+var_30]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_50]
		push	eax
		push	1
		lea	eax, [ebp+var_28]
		mov	[ebp+var_50], 18h
		push	eax
		mov	[ebp+var_4C], esi
		mov	[ebp+var_44], 240h
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], esi
		call	_ZwOpenSymbolicLinkObject@12 ; ZwOpenSymbolicLinkObject(x,x,x)
		test	eax, eax
		js	loc_95EF2C
		push	20206F49h
		mov	eax, 208h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_95EE58
		push	[ebp+var_28]
		call	_ZwClose@4	; ZwClose(x)

loc_95EE45:				; CODE XREF: IoIsValidNameGraftingBuffer(x,x)+3Cj
					; IoIsValidNameGraftingBuffer(x,x)+69j	...
		xor	al, al

loc_95EE47:				; CODE XREF: IoIsValidNameGraftingBuffer(x,x)+362j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_95EE58:				; CODE XREF: IoIsValidNameGraftingBuffer(x,x)+163j
		push	esi
		lea	eax, [ebp+var_38]
		mov	[ebp+var_34], edi
		push	eax
		push	[ebp+var_28]
		mov	[ebp+var_38], 2080000h
		call	_ZwQuerySymbolicLinkObject@12 ;	ZwQuerySymbolicLinkObject(x,x,x)
		push	[ebp+var_28]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		push	5Ch
		test	esi, esi
		pop	esi
		js	loc_95EF22
		mov	edx, [ebp+var_34]
		cmp	[edx], si
		jnz	loc_95EF22
		cmp	word ptr [edx+2], 44h
		jnz	loc_95EF22
		push	65h
		pop	eax
		cmp	[edx+4], ax
		jnz	short loc_95EF22
		cmp	word ptr [edx+6], 76h
		jnz	short loc_95EF22
		push	69h
		pop	ecx
		cmp	[edx+8], cx
		jnz	short loc_95EF22
		cmp	word ptr [edx+0Ah], 63h
		jnz	short loc_95EF22
		cmp	[edx+0Ch], ax
		jnz	short loc_95EF22
		cmp	[edx+0Eh], si
		jnz	short loc_95EF22
		cmp	word ptr [edx+10h], 4Ch
		jnz	short loc_95EF22
		cmp	word ptr [edx+12h], 61h
		jnz	short loc_95EF22
		cmp	word ptr [edx+14h], 6Eh
		jnz	short loc_95EF22
		cmp	word ptr [edx+1Ch], 52h
		jnz	short loc_95EF22
		cmp	[edx+1Eh], ax
		jnz	short loc_95EF22
		cmp	word ptr [edx+20h], 64h
		jnz	short loc_95EF22
		cmp	[edx+22h], cx
		jnz	short loc_95EF22
		push	72h
		pop	eax
		cmp	[edx+24h], ax
		jnz	short loc_95EF22
		xor	ecx, ecx
		cmp	[edx+2Eh], ax
		setz	cl
		xor	eax, eax
		cmp	[edx+30h], si
		setz	al
		test	ecx, eax
		jz	short loc_95EF22
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_95EE45
; 

loc_95EF22:				; CODE XREF: IoIsValidNameGraftingBuffer(x,x)+1A6j
					; IoIsValidNameGraftingBuffer(x,x)+1B2j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_95EF2F
; 

loc_95EF2C:				; CODE XREF: IoIsValidNameGraftingBuffer(x,x)+144j
		push	5Ch
		pop	esi

loc_95EF2F:				; CODE XREF: IoIsValidNameGraftingBuffer(x,x)+252j
		push	3Fh
		pop	edi

loc_95EF32:				; CODE XREF: IoIsValidNameGraftingBuffer(x,x)+B4j
					; IoIsValidNameGraftingBuffer(x,x)+BEj	...
		movzx	ecx, word ptr [ebx+0Ah]
		push	0Ch
		pop	eax
		cmp	cx, ax
		jb	loc_95EE45
		movzx	eax, word ptr [ebx+10h]
		mov	edx, eax
		cmp	ax, si
		jnz	short loc_95EF6C
		cmp	[ebx+12h], di
		jnz	short loc_95EF6C
		cmp	[ebx+14h], di
		jnz	short loc_95EF6C
		cmp	[ebx+16h], si
		jnz	short loc_95EF6C
		push	3Ah
		pop	eax
		cmp	[ebx+1Ah], ax
		jz	loc_95F038

loc_95EF6C:				; CODE XREF: IoIsValidNameGraftingBuffer(x,x)+273j
					; IoIsValidNameGraftingBuffer(x,x)+279j ...
		cmp	ecx, 60h
		jz	short loc_95EF84
		cmp	ecx, 62h
		jnz	loc_95EE45
		cmp	[ebx+70h], si
		jnz	loc_95EE45

loc_95EF84:				; CODE XREF: IoIsValidNameGraftingBuffer(x,x)+297j
		cmp	dx, si
		jnz	loc_95EE45
		movzx	eax, word ptr [ebx+12h]
		cmp	ax, di
		jz	short loc_95EF9F
		cmp	ax, si
		jnz	loc_95EE45

loc_95EF9F:				; CODE XREF: IoIsValidNameGraftingBuffer(x,x)+2BCj
		cmp	[ebx+14h], di
		jnz	loc_95EE45
		cmp	[ebx+16h], si
		jnz	loc_95EE45
		cmp	word ptr [ebx+18h], 56h
		jnz	loc_95EE45
		cmp	word ptr [ebx+1Ah], 6Fh
		jnz	loc_95EE45
		cmp	word ptr [ebx+1Ch], 6Ch
		jnz	loc_95EE45
		cmp	word ptr [ebx+1Eh], 75h
		jnz	loc_95EE45
		cmp	word ptr [ebx+20h], 6Dh
		jnz	loc_95EE45
		push	65h
		pop	eax
		cmp	[ebx+22h], ax
		jnz	loc_95EE45
		cmp	word ptr [ebx+24h], 7Bh
		jnz	loc_95EE45
		push	2Dh
		pop	ecx
		cmp	[ebx+36h], cx
		jnz	loc_95EE45
		cmp	[ebx+40h], cx
		jnz	loc_95EE45
		cmp	[ebx+4Ah], cx
		jnz	loc_95EE45
		cmp	[ebx+54h], cx
		jnz	loc_95EE45
		cmp	word ptr [ebx+6Eh], 7Dh
		jnz	loc_95EE45

loc_95F038:				; CODE XREF: IoIsValidNameGraftingBuffer(x,x)+28Ej
		mov	al, 1
		jmp	loc_95EE47
_IoIsValidNameGraftingBuffer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopReplaceSymlinkPath(x, x,	x, x, x, x, x)
_IopReplaceSymlinkPath@28 proc near	; CODE XREF: IopSymlinkApplyToOpenedName(x,x,x,x,x,x)+E7p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= word ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		lea	eax, [ecx+eax*2]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_8], eax
		push	edi
		movzx	eax, word ptr [esi+6]
		lea	edi, [ecx+edx*2]
		mov	[ebp+var_10], eax
		xor	eax, eax
		mov	ebx, eax
		movzx	eax, word ptr [esi+0Ah]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_18], eax
		cmp	edx, [ebp+arg_8]
		jb	loc_95F349
		movzx	eax, word ptr [esi+8]
		add	eax, 14h
		add	eax, esi
		push	5Ch
		pop	edx
		mov	[ebp+var_2C], eax
		cmp	[eax], dx
		jz	loc_95F1D8
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+var_10]
		mov	ax, [ecx+30h]
		sub	ax, dx
		movzx	esi, ax
		push	esi		; size_t
		push	dword ptr [ecx+34h] ; void *
		movzx	ebx, ax
		push	edi		; void *
		mov	[ebp+var_4], ebx
		call	_memcpy
		mov	ecx, [ebp+var_8]
		add	esp, 0Ch
		shr	esi, 1
		lea	edi, [edi+esi*2]
		jmp	short loc_95F0DD
; 

loc_95F0C2:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+A0j
		push	5Ch
		pop	eax
		cmp	[edi], ax
		jz	short loc_95F0E1
		xor	eax, eax
		mov	[edi], ax
		push	2
		pop	eax
		sub	edi, eax
		add	ebx, 0FFFEh
		mov	[ebp+var_4], ebx

loc_95F0DD:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+81j
		cmp	edi, ecx
		jnz	short loc_95F0C2

loc_95F0E1:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+89j
		cmp	edi, ecx
		jb	loc_95F349
		push	2
		pop	eax
		add	edi, eax

loc_95F0EE:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+1ABj
		mov	eax, [ebp+arg_C]

loc_95F0F1:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+305j
		mov	[ebp+arg_8], eax
		mov	eax, [ebp+var_18]
		test	ax, ax
		jz	short loc_95F117
		movzx	esi, ax
		push	esi		; size_t
		push	[ebp+var_2C]	; void *
		push	edi		; void *
		call	_memcpy
		shr	esi, 1
		add	esp, 0Ch
		add	ebx, [ebp+var_18]
		mov	[ebp+var_4], ebx
		lea	edi, [edi+esi*2]

loc_95F117:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+BBj
		mov	eax, [ebp+var_10]
		mov	esi, [ebp+arg_0]
		test	ax, ax
		jz	short loc_95F171
		movzx	ecx, ax
		movzx	eax, word ptr [esi+30h]
		add	eax, [esi+34h]
		push	5Ch
		pop	esi
		sub	eax, ecx
		cmp	[edi-2], si
		mov	esi, [ebp+arg_0]
		jnz	short loc_95F156
		push	5Ch
		pop	esi
		cmp	[eax], si
		mov	esi, [ebp+arg_0]
		jnz	short loc_95F156
		xor	esi, esi
		mov	[edi], si
		add	edi, 0FFFFFFFEh
		mov	esi, [ebp+arg_0]
		add	ebx, 0FFFEh

loc_95F156:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+F9j
					; IopReplaceSymlinkPath(x,x,x,x,x,x,x)+104j
		push	ecx		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memmove
		mov	edx, [ebp+var_10]
		add	esp, 0Ch
		movzx	eax, dx
		shr	eax, 1
		add	ebx, edx
		mov	[ebp+var_4], ebx
		lea	edi, [edi+eax*2]

loc_95F171:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+E1j
		mov	edx, [ebp+var_8]
		xor	eax, eax
		mov	ecx, edx
		mov	[edi], ax
		xor	ebx, ebx
		lea	edi, [ecx+2]

loc_95F180:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+14Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_95F180
		sub	ecx, edi
		lea	eax, [ebp+var_4]
		sar	ecx, 1
		push	eax
		lea	eax, [ecx+ecx]
		push	eax
		push	edx
		call	_FsRtlRemoveDotsFromPath@12 ; FsRtlRemoveDotsFromPath(x,x,x)
		test	eax, eax
		js	loc_95F34E
		mov	eax, [ebp+var_4]
		add	eax, [ebp+arg_8]
		mov	ebx, [ebp+var_1C]
		mov	[esi+30h], ax
		mov	ax, [ebp+arg_10]
		mov	[esi+32h], ax
		mov	eax, [esi+34h]
		cmp	ebx, eax
		jz	short loc_95F1D1
		test	eax, eax
		jz	short loc_95F1CE
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95F1CE:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+184j
		mov	[esi+34h], ebx

loc_95F1D1:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+180j
		xor	eax, eax
		jmp	loc_95F34E
; 

loc_95F1D8:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+50j
		push	0Bh		; size_t
		push	offset ??_C@_1BI@GOOABFBJ@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAM?$AAu?$AAp@NNGAKEGL@ ;	"\\Device\\Mup"
		push	ecx		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_95F0EE
		mov	edx, [ebp+arg_0]
		push	3Bh
		pop	esi
		mov	eax, [edx+34h]
		movzx	eax, word ptr [eax]
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		xor	ecx, ecx
		cmp	ax, si
		setnz	cl
		and	[ebp+var_8], ebx
		add	ecx, 3
		movzx	eax, cx
		mov	[ebp+arg_4], eax
		xor	eax, eax
		mov	esi, eax
		movzx	eax, word ptr [edx+30h]
		mov	ecx, eax
		and	eax, 0FFFEh
		mov	[ebp+var_20], ecx
		movzx	ecx, cx
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+arg_4]
		movzx	ecx, cx
		cmp	word ptr [ebp+var_8], ax
		jnb	loc_95F2EB
		mov	eax, [ebp+var_20]
		movzx	eax, ax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		movzx	eax, ax
		mov	[ebp+arg_4], eax

loc_95F24F:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+2A4j
		mov	ebx, [edx+34h]
		movzx	ecx, si
		mov	[ebp+var_20], ecx
		mov	[ebp+var_14], ebx
		push	5Ch
		movzx	ecx, word ptr [ebx+ecx*2]
		pop	ebx
		cmp	cx, bx
		mov	[ebp+var_28], ecx
		mov	ebx, [ebp+var_C]
		jnz	short loc_95F2C0
		push	3Bh
		add	eax, 0FFFFh
		pop	ecx
		mov	[ebp+arg_4], eax
		cmp	word ptr [ebp+var_24], cx
		jz	short loc_95F2B2
		push	2
		pop	ecx
		cmp	ax, cx
		jnz	short loc_95F2B2
		mov	cx, word ptr [ebp+var_8]
		lea	eax, [esi+1]
		shr	cx, 1
		cmp	ax, cx
		jnb	short loc_95F2AF
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_14]
		push	3Bh
		pop	ebx
		cmp	[ecx+eax*2+2], bx
		mov	ebx, [ebp+var_C]
		jz	short loc_95F2AF
		xor	eax, eax
		mov	[ebp+arg_4], eax
		jmp	short loc_95F2B2
; 

loc_95F2AF:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+254j
					; IopReplaceSymlinkPath(x,x,x,x,x,x,x)+267j
		mov	eax, [ebp+arg_4]

loc_95F2B2:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+23Dj
					; IopReplaceSymlinkPath(x,x,x,x,x,x,x)+245j ...
		mov	ecx, [ebp+var_8]
		movzx	ecx, cx
		test	ax, ax
		jz	short loc_95F2F3
		mov	ecx, [ebp+var_28]

loc_95F2C0:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+22Cj
		mov	[edi], cx
		movzx	ecx, word ptr [edx+30h]
		push	2
		pop	eax
		add	edi, eax
		mov	eax, ecx
		mov	edx, ecx
		shr	cx, 1
		inc	esi
		mov	[ebp+var_8], edx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_4]
		cmp	si, cx
		jb	loc_95F24F
		mov	ecx, eax

loc_95F2EB:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+1F8j
		test	cx, cx
		jnz	short loc_95F349
		mov	ecx, [ebp+var_14]

loc_95F2F3:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+27Cj
		shr	cx, 1
		cmp	si, cx
		jnb	short loc_95F32F
		mov	eax, [edx+34h]
		movzx	ecx, si
		push	5Ch
		pop	ebx
		movzx	ecx, word ptr [eax+ecx*2]

loc_95F308:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+2EBj
		mov	[edi], cx
		push	2
		pop	eax
		add	edi, eax
		mov	eax, [edx+34h]
		inc	esi
		movzx	ecx, si
		movzx	ecx, word ptr [eax+ecx*2]
		cmp	cx, bx
		jz	short loc_95F32C
		mov	ax, [edx+30h]
		shr	ax, 1
		cmp	si, ax
		jb	short loc_95F308

loc_95F32C:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+2DFj
		mov	ebx, [ebp+var_C]

loc_95F32F:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+2BAj
		mov	ecx, [ebp+var_1C]
		movzx	eax, si
		add	eax, [ebp+arg_8]
		lea	eax, [ecx+eax*2]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_C]
		lea	eax, [eax+esi*2]
		jmp	loc_95F0F1
; 

loc_95F349:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+38j
					; IopReplaceSymlinkPath(x,x,x,x,x,x,x)+A4j ...
		mov	eax, 0C0000278h

loc_95F34E:				; CODE XREF: IopReplaceSymlinkPath(x,x,x,x,x,x,x)+160j
					; IopReplaceSymlinkPath(x,x,x,x,x,x,x)+194j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_IopReplaceSymlinkPath@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopSymlinkApplyToOpenedName(int,int,void *,int)
_IopSymlinkApplyToOpenedName@24	proc near ; CODE XREF: IopGraftName(x,x,x)+4EAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		push	63466F49h
		mov	eax, [edi+34h]
		mov	[ebp+var_C], eax
		movzx	eax, word ptr [esi+0Ch]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_95F38B
		mov	eax, 0C000009Ah
		jmp	loc_95F47D
; 

loc_95F38B:				; CODE XREF: IopSymlinkApplyToOpenedName(x,x,x,x,x,x)+2Aj
		movzx	eax, word ptr [edi+30h]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	2
		pop	ecx
		mov	[ebp+var_8], eax
		cmp	ax, cx
		jbe	short loc_95F3DE
		movzx	ecx, ax
		mov	eax, [edi+34h]
		shr	ecx, 1
		cmp	word ptr [eax+ecx*2-2],	5Ch
		jnz	short loc_95F3DE
		push	2
		pop	eax
		cmp	[ebx+6], ax
		jnb	short loc_95F3CB
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C000000Dh
		jmp	loc_95F47C
; 

loc_95F3CB:				; CODE XREF: IopSymlinkApplyToOpenedName(x,x,x,x,x,x)+60j
		mov	eax, [ebp+var_8]
		add	eax, 0FFFFFFFEh
		mov	[edi+30h], ax
		mov	eax, 0FFFEh
		add	[ebx+6], ax

loc_95F3DE:				; CODE XREF: IopSymlinkApplyToOpenedName(x,x,x,x,x,x)+47j
					; IopSymlinkApplyToOpenedName(x,x,x,x,x,x)+57j
		movzx	eax, word ptr [esi+4]
		push	eax		; size_t
		push	dword ptr [esi+10h] ; void *
		push	[ebp+arg_8]	; void *
		call	_memcpy
		movzx	ecx, word ptr [esi+4]
		movzx	eax, word ptr [esi+0Ch]
		sub	eax, ecx
		push	eax		; size_t
		mov	eax, [esi+10h]
		add	eax, ecx
		push	eax		; void *
		push	[ebp+var_4]	; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 18h
		mov	[edi+34h], eax
		mov	ax, [esi+0Ch]
		sub	ax, [esi+4]
		push	0
		push	[ebp+var_C]
		mov	[edi+32h], ax
		mov	[edi+30h], ax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	[ebp+arg_C]
		movzx	eax, word ptr [esi+4]
		mov	ecx, [ebp+arg_8]
		mov	edx, eax
		push	eax
		shr	edx, 1
		push	edx
		push	ebx
		push	edi
		call	_IopReplaceSymlinkPath@28 ; IopReplaceSymlinkPath(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_95F470
		mov	ax, [esi+2]
		mov	ecx, 0FFFEh
		and	ax, cx
		mov	edx, esi
		mov	ecx, [ebp+arg_4]
		movzx	eax, ax
		push	eax
		movzx	eax, word ptr [esi+4]
		push	eax
		lea	eax, [edi+30h]
		push	eax
		push	0
		call	IopSymlinkUpdateECP
		mov	ebx, eax
		jmp	short loc_95F47A
; 

loc_95F470:				; CODE XREF: IopSymlinkApplyToOpenedName(x,x,x,x,x,x)+F0j
		push	0
		push	[ebp+arg_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95F47A:				; CODE XREF: IopSymlinkApplyToOpenedName(x,x,x,x,x,x)+119j
		mov	eax, ebx

loc_95F47C:				; CODE XREF: IopSymlinkApplyToOpenedName(x,x,x,x,x,x)+71j
		pop	ebx

loc_95F47D:				; CODE XREF: IopSymlinkApplyToOpenedName(x,x,x,x,x,x)+31j
		pop	edi
		pop	esi
		leave
		retn	10h
_IopSymlinkApplyToOpenedName@24	endp

; 
		align 8
; Exported entry 943. IoRegisterIoTracking

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRegisterIoTracking(x, x)
		public _IoRegisterIoTracking@8
_IoRegisterIoTracking@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	72546F49h
		push	0Ch
		and	dword ptr [ebx], 0
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_95F4B6
		mov	eax, 0C000009Ah
		jmp	loc_95F542
; 

loc_95F4B6:				; CODE XREF: IoRegisterIoTracking(x,x)+22j
		push	edi
		xor	eax, eax
		mov	edi, esi
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+4]
		mov	[esi+8], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	edi, offset _IopPerfIoTrackingLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6CCDC4
		mov	ecx, offset _IopPerfIoTrackingListHead
		cmp	[eax], ecx
		jz	short loc_95F4F6
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_95F4F6:				; CODE XREF: IoRegisterIoTracking(x,x)+67j
		mov	[esi+4], eax
		mov	[esi], ecx
		mov	[eax], esi
		or	eax, 0FFFFFFFFh
		mov	dword_6CCDC4, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_95F517
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_95F517:				; CODE XREF: IoRegisterIoTracking(x,x)+86j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		xor	edx, edx
		push	2
		inc	edx
		pop	ecx
		call	_IopIrpExtensionControl@8 ; IopIrpExtensionControl(x,x)
		push	2
		pop	ecx
		call	_IoPerfInit@4	; IoPerfInit(x)
		mov	[ebx], esi
		xor	eax, eax
		pop	edi

loc_95F542:				; CODE XREF: IoRegisterIoTracking(x,x)+29j
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_IoRegisterIoTracking@8	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; 
; Exported entry 1029. IoUnregisterIoTracking

; __stdcall IoUnregisterIoTracking(x)
		public _IoUnregisterIoTracking@4
_IoUnregisterIoTracking@4:
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	2
		pop	ecx
		call	_IoPerfReset@4	; IoPerfReset(x)
		push	2
		xor	edx, edx
		pop	ecx
		call	_IopIrpExtensionControl@8 ; IopIrpExtensionControl(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	edi, offset _IopPerfIoTrackingLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebp+8]
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_95F5D0
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_95F5D0
		mov	[eax], ecx
		mov	[ecx+4], eax
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_95F5AC
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_95F5AC:				; CODE XREF: PAGE:0095F5A3j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		push	72546F49h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_95F5D0:				; CODE XREF: PAGE:0095F58Aj
					; PAGE:0095F591j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 1040. IoVolumeDeviceNameToGuid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoVolumeDeviceNameToGuid(x,	x)
		public _IoVolumeDeviceNameToGuid@8
_IoVolumeDeviceNameToGuid@8 proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		and	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_0]
		call	IoVolumeDeviceNameToGuidPath
		test	eax, eax
		js	short locret_95F633
		mov	eax, [ebp+var_8]
		add	eax, 0FFFFFFECh
		push	esi
		mov	word ptr [ebp+var_10], ax
		mov	eax, [ebp+var_8+2]
		push	edi
		mov	edi, [ebp+var_4]
		add	eax, 0FFFFFFECh
		push	[ebp+arg_4]
		mov	word ptr [ebp+var_10+2], ax
		lea	eax, [edi+14h]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		push	0
		push	edi
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		mov	eax, esi
		pop	esi

locret_95F633:				; CODE XREF: IoVolumeDeviceNameToGuid(x,x)+1Ej
		leave
		retn	8
_IoVolumeDeviceNameToGuid@8 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1586. NtSetEaFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtSetEaFile(int,int,void *,int)
		public _NtSetEaFile@16
_NtSetEaFile@16	proc near		; DATA XREF: .text:00580CECo

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	40h
		push	offset dword_6A80C0
		call	__SEH_prolog4
		and	[ebp+var_20], 0
		xor	eax, eax
		mov	[ebp+var_24], eax
		and	[ebp+var_50], eax
		and	[ebp+var_4C], eax
		mov	eax, large fs:124h
		mov	[ebp+var_3C], eax
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_34], al
		test	al, al
		jz	short loc_95F6CF
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_95F682
		mov	ecx, eax

loc_95F682:				; CODE XREF: NtSetEaFile(x,x,x,x)+42j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jz	short loc_95F6AD
		test	byte ptr [ebp+arg_8], 3
		jnz	loc_95F9AF
		mov	ecx, [ebp+arg_8]
		lea	edx, [ecx+ebx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_95F6AA
		cmp	edx, ecx
		jnb	short loc_95F6AD

loc_95F6AA:				; CODE XREF: NtSetEaFile(x,x,x,x)+68j
		mov	byte ptr [eax],	0

loc_95F6AD:				; CODE XREF: NtSetEaFile(x,x,x,x)+4Fj
					; NtSetEaFile(x,x,x,x)+6Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_95F6D2
; 

loc_95F6B6:				; DATA XREF: .text:006A80D4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_38], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95F6C4:				; DATA XREF: .text:006A80D8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_38]
		jmp	loc_95F95A
; 

loc_95F6CF:				; CODE XREF: NtSetEaFile(x,x,x,x)+32j
		mov	ebx, [ebp+arg_C]

loc_95F6D2:				; CODE XREF: NtSetEaFile(x,x,x,x)+78j
		push	0
		lea	eax, [ebp+var_20]
		push	eax
		mov	eax, [ebp+var_34]
		mov	[ebp+var_48], eax
		push	eax
		push	10h
		pop	edx
		mov	ecx, [ebp+arg_0]
		call	IopReferenceFileObject
		mov	[ebp+var_28], eax
		test	eax, eax
		js	loc_95F99D
		mov	esi, [ebp+var_20]
		lea	eax, [esi+2Ch]
		mov	[ebp+var_34], eax
		mov	eax, [eax]
		test	al, 2
		jz	short loc_95F76F
		shr	eax, 2
		and	al, 1
		mov	byte ptr [ebp+arg_C], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		mov	esi, [ebp+var_20]
		lea	ecx, [esi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	edx, eax
		mov	[ebp+var_1A], 0
		xor	ecx, ecx
		inc	ecx
		lea	eax, [esi+44h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_95F74E
		test	edx, edx
		jz	short loc_95F743
		or	byte ptr [edx+0Eh], 1

loc_95F743:				; CODE XREF: NtSetEaFile(x,x,x,x)+101j
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	edi, edi
		jmp	short loc_95F762
; 

loc_95F74E:				; CODE XREF: NtSetEaFile(x,x,x,x)+FDj
		lea	eax, [ebp+var_1A]
		push	eax
		push	edx
		push	[ebp+arg_C]
		mov	dl, [ebp+var_19]
		mov	ecx, esi
		call	IopWaitAndAcquireFileObjectLock
		mov	edi, eax

loc_95F762:				; CODE XREF: NtSetEaFile(x,x,x,x)+110j
		mov	[ebp+var_28], edi
		cmp	[ebp+var_1A], 0
		jnz	short loc_95F780
		mov	al, 1
		jmp	short loc_95F79A
; 

loc_95F76F:				; CODE XREF: NtSetEaFile(x,x,x,x)+C6j
		call	sub_60F0DF
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_95F78E
		mov	edi, 0C000009Ah

loc_95F780:				; CODE XREF: NtSetEaFile(x,x,x,x)+12Dj
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	loc_95F99D
; 

loc_95F78E:				; CODE XREF: NtSetEaFile(x,x,x,x)+13Dj
		push	0
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	al, al

loc_95F79A:				; CODE XREF: NtSetEaFile(x,x,x,x)+131j
		mov	byte ptr [ebp+arg_C], al
		mov	ecx, esi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		push	esi
		call	IoGetRelatedDeviceObject
		mov	[ebp+arg_0], eax
		push	dword ptr [ebp+4]
		push	0
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	edi, eax
		mov	[ebp+var_30], edi
		test	edi, edi
		jnz	short loc_95F7EA
		mov	eax, [ebp+var_34]
		test	byte ptr [eax],	2
		jnz	short loc_95F7D6
		push	edi
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95F7D6:				; CODE XREF: NtSetEaFile(x,x,x,x)+18Fj
		xor	edx, edx
		mov	ecx, [ebp+var_20]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		mov	eax, 0C000009Ah
		jmp	loc_95F99D
; 

loc_95F7EA:				; CODE XREF: NtSetEaFile(x,x,x,x)+187j
		mov	eax, [ebp+var_20]
		mov	[ebp+var_34], eax
		mov	[edi+64h], eax
		mov	eax, [ebp+var_3C]
		mov	[edi+50h], eax
		mov	al, [ebp+var_19]
		mov	[edi+20h], al
		cmp	byte ptr [ebp+arg_C], 0
		jz	short loc_95F80C
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		jmp	short loc_95F819
; 

loc_95F80C:				; CODE XREF: NtSetEaFile(x,x,x,x)+1C7j
		mov	dword ptr [edi+8], 4
		lea	eax, [ebp+var_50]
		mov	ecx, [ebp+var_24]

loc_95F819:				; CODE XREF: NtSetEaFile(x,x,x,x)+1CEj
		mov	[edi+2Ch], ecx
		mov	[edi+28h], eax
		and	dword ptr [edi+30h], 0
		mov	esi, [edi+60h]
		sub	esi, 24h
		mov	[ebp+var_3C], esi
		mov	byte ptr [esi],	8
		mov	eax, [ebp+var_34]
		mov	[esi+18h], eax
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+1Ch]
		test	al, 4
		jz	loc_95F8E5
		and	[ebp+var_2C], 0
		test	ebx, ebx
		jz	loc_95F8DC
		mov	[ebp+var_1B], 0
		mov	[ebp+ms_exc.disabled], 1
		mov	edx, ebx
		call	sub_4FA154
		mov	esi, eax
		mov	[edi+0Ch], esi
		push	ebx		; size_t
		push	[ebp+arg_8]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		push	esi
		call	IoCheckEaBufferValidity
		mov	edx, eax
		mov	[ebp+var_28], edx
		test	edx, edx
		js	loc_95F9B4
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		or	dword ptr [edi+8], 30h
		mov	esi, [ebp+var_3C]
		jmp	loc_95F969
; 

loc_95F89E:				; DATA XREF: .text:006A80E0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_40], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95F8AC:				; DATA XREF: .text:006A80E4o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ecx, [ebp+var_20]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	[ebp+var_24]
		push	0
		mov	edx, [ebp+var_30]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		cmp	[ebp+var_1B], 0
		jz	short loc_95F8D7
		mov	eax, [ebp+var_28]
		jmp	loc_95F95A
; 

loc_95F8D7:				; CODE XREF: NtSetEaFile(x,x,x,x)+291j
		mov	eax, [ebp+var_40]
		jmp	short loc_95F95A
; 

loc_95F8DC:				; CODE XREF: NtSetEaFile(x,x,x,x)+20Dj
		and	dword ptr [edi+0Ch], 0
		jmp	loc_95F969
; 

loc_95F8E5:				; CODE XREF: NtSetEaFile(x,x,x,x)+201j
		test	al, 10h
		jz	short loc_95F963
		test	ebx, ebx
		jz	short loc_95F969
		mov	[ebp+ms_exc.disabled], 2
		push	edi
		push	1
		push	0
		push	ebx
		push	[ebp+arg_8]
		call	IoAllocateMdl
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_95F912
		push	0C000009Ah
		jmp	loc_95F9C4
; 

loc_95F912:				; CODE XREF: NtSetEaFile(x,x,x,x)+2CAj
		movzx	eax, byte ptr [esi]
		push	eax
		push	[ebp+arg_0]
		push	0
		mov	dl, [ebp+var_19]
		call	sub_60F0AA
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_95F969
; 

loc_95F92C:				; DATA XREF: .text:006A80ECo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_44], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95F93A:				; DATA XREF: .text:006A80F0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ecx, [ebp+var_20]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	[ebp+var_24]
		push	0
		mov	edx, [ebp+var_30]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		mov	eax, [ebp+var_44]

loc_95F95A:				; CODE XREF: NtSetEaFile(x,x,x,x)+8Ej
					; NtSetEaFile(x,x,x,x)+296j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_95F99D
; 

loc_95F963:				; CODE XREF: NtSetEaFile(x,x,x,x)+2ABj
		mov	eax, [ebp+arg_8]
		mov	[edi+3Ch], eax

loc_95F969:				; CODE XREF: NtSetEaFile(x,x,x,x)+25Dj
					; NtSetEaFile(x,x,x,x)+2A4j ...
		mov	[esi+4], ebx
		push	2
		push	[ebp+arg_C]
		mov	esi, [ebp+var_48]
		push	esi
		push	0
		push	[ebp+var_34]
		mov	edx, edi
		mov	ecx, [ebp+arg_0]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)
		cmp	byte ptr [ebp+arg_C], 0
		jnz	short loc_95F99D
		push	[ebp+arg_4]
		lea	ecx, [ebp+var_50]
		push	ecx
		push	esi
		push	edi
		mov	edx, [ebp+var_24]
		mov	ecx, eax
		call	IopSynchronousApiServiceTail

loc_95F99D:				; CODE XREF: NtSetEaFile(x,x,x,x)+B3j
					; NtSetEaFile(x,x,x,x)+14Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_95F9AF:				; CODE XREF: NtSetEaFile(x,x,x,x)+55j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_95F9B4:				; CODE XREF: NtSetEaFile(x,x,x,x)+249j
		mov	[ebp+var_1B], 1
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		mov	ecx, [ebp+var_2C]
		mov	[eax+4], ecx
		push	edx

loc_95F9C4:				; CODE XREF: NtSetEaFile(x,x,x,x)+2D1j
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger
_NtSetEaFile@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGetNumaNodeInformation(x, x)
_IopGetNumaNodeInformation@8 proc near	; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+746p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ecx+4]
		and	[ebp+var_4], 0
		push	ebx
		push	edi
		mov	ebx, edx
		call	IopGetDevicePDO
		mov	edi, eax
		test	edi, edi
		jnz	short loc_95F9ED
		mov	eax, 0C000000Eh
		jmp	short loc_95FA0F
; 

loc_95F9ED:				; CODE XREF: IopGetNumaNodeInformation(x,x)+1Aj
		push	esi
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		call	_IoGetDeviceNumaNode@8 ; IoGetDeviceNumaNode(x,x)
		mov	ecx, edi
		mov	esi, eax
		call	ObfDereferenceObject
		test	esi, esi
		js	short loc_95FA0C
		mov	cx, word ptr [ebp+var_4]
		mov	[ebx], cx

loc_95FA0C:				; CODE XREF: IopGetNumaNodeInformation(x,x)+39j
		mov	eax, esi
		pop	esi

loc_95FA0F:				; CODE XREF: IopGetNumaNodeInformation(x,x)+21j
		pop	edi
		pop	ebx
		leave
		retn
_IopGetNumaNodeInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopIsFileOpenOrSection(x, x, x, x)
_IopIsFileOpenOrSection@16 proc	near	; DATA XREF: IopQueryProcessIdsUsingFile(x,x,x,x)+74o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edx, [edx]
		xor	bl, bl
		mov	edi, [ebp+arg_C]
		and	edx, 0FFFFFFF8h
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edx+0Ch]
		mov	esi, [edi]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ds:_IoFileObjectType
		jnz	short loc_95FA6A
		add	edx, 18h
		cmp	esi, edx
		jnz	short loc_95FA62
		cmp	[edi+4], bl
		setz	bl
		jmp	short loc_95FA8A
; 

loc_95FA62:				; CODE XREF: IopIsFileOpenOrSection(x,x,x,x)+45j
		mov	eax, [esi+0Ch]
		cmp	eax, [edx+0Ch]
		jmp	short loc_95FA86
; 

loc_95FA6A:				; CODE XREF: IopIsFileOpenOrSection(x,x,x,x)+3Ej
		cmp	eax, ds:_MmSectionObjectType
		jnz	short loc_95FA8A
		cmp	dword ptr [esi+14h], 0
		jz	short loc_95FA8A
		lea	ecx, [edx+18h]
		call	_MmSectionToSectionObjectPointers@4 ; MmSectionToSectionObjectPointers(x)
		xor	ecx, ecx
		inc	ecx
		cmp	eax, [esi+14h]

loc_95FA86:				; CODE XREF: IopIsFileOpenOrSection(x,x,x,x)+55j
		jnz	short loc_95FA8A
		mov	bl, cl

loc_95FA8A:				; CODE XREF: IopIsFileOpenOrSection(x,x,x,x)+4Dj
					; IopIsFileOpenOrSection(x,x,x,x)+5Dj ...
		mov	eax, [ebp+arg_4]
		lock xadd [eax], ecx
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+arg_4]
		and	[ebp+arg_4], 0
		add	ecx, 20h
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	short loc_95FAAC
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_95FAAC:				; CODE XREF: IopIsFileOpenOrSection(x,x,x,x)+92j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	10h
_IopIsFileOpenOrSection@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopQueryProcessIdsUsingFile(x, x, x, x)
_IopQueryProcessIdsUsingFile@16	proc near
					; CODE XREF: NtQueryInformationFile(x,x,x,x,x)+6D3p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	28h
		push	offset dword_6A80F8
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_28], ecx
		lea	eax, [ebx+4]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFFCh
		shr	eax, 2
		mov	[ebp+var_24], eax
		xor	eax, eax
		mov	edi, eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+ms_exc.disabled], eax
		mov	[ebx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_38], ecx
		xor	ecx, ecx
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		mov	[ebp+var_20], esi

loc_95FAFD:				; CODE XREF: IopQueryProcessIdsUsingFile(x,x,x,x)+D9j
		test	esi, esi
		jz	loc_95FBC3
		mov	ecx, esi
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jz	short loc_95FB47
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		cmp	esi, ecx
		setz	byte ptr [ebp+var_34]
		push	0
		lea	ecx, [ebp+var_38]
		push	ecx
		push	offset _IopIsFileOpenOrSection@16 ; IopIsFileOpenOrSection(x,x,x,x)
		push	eax
		call	ExEnumHandleTable
		mov	byte ptr [ebp+arg_0+3],	al
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	al, byte ptr [ebp+arg_0+3]
		jmp	short loc_95FB49
; 

loc_95FB47:				; CODE XREF: IopQueryProcessIdsUsingFile(x,x,x,x)+59j
		xor	al, al

loc_95FB49:				; CODE XREF: IopQueryProcessIdsUsingFile(x,x,x,x)+90j
		test	al, al
		jnz	short loc_95FB5B
		mov	edx, [ebp+var_28]
		mov	ecx, esi
		call	_MmIsFileMapped@8 ; MmIsFileMapped(x,x)
		test	eax, eax
		jz	short loc_95FB82

loc_95FB5B:				; CODE XREF: IopQueryProcessIdsUsingFile(x,x,x,x)+96j
		cmp	edi, [ebp+var_24]
		jnb	short loc_95FB81
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [esi+0E4h]
		mov	ecx, [ebp+var_1C]
		mov	[ecx], eax
		inc	dword ptr [ebx]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		add	ecx, 4
		mov	[ebp+var_1C], ecx

loc_95FB81:				; CODE XREF: IopQueryProcessIdsUsingFile(x,x,x,x)+A9j
		inc	edi

loc_95FB82:				; CODE XREF: IopQueryProcessIdsUsingFile(x,x,x,x)+A4j
		mov	ecx, esi
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		mov	[ebp+var_20], eax
		jmp	loc_95FAFD
; 

loc_95FB93:				; DATA XREF: .text:006A8118o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95FBA1:				; DATA XREF: .text:006A811Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		mov	edx, 6E457350h
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObjectWithTag
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_2C]
		jmp	short loc_95FBFC
; 

loc_95FBC3:				; CODE XREF: IopQueryProcessIdsUsingFile(x,x,x,x)+4Aj
		lea	ecx, ds:4[edi*4]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		cmp	[ebp+var_24], edi
		sbb	eax, eax
		and	eax, 0C0000004h
		jmp	short loc_95FBFC
; 

loc_95FBDB:				; DATA XREF: .text:006A810Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95FBE9:				; DATA XREF: .text:006A8110o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_30]

loc_95FBFC:				; CODE XREF: IopQueryProcessIdsUsingFile(x,x,x,x)+10Cj
					; IopQueryProcessIdsUsingFile(x,x,x,x)+124j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_IopQueryProcessIdsUsingFile@16	endp

; 
		align 10h
		db 3 dup(0CCh)
; 
; Exported entry 1568. NtQueryQuotaInformationFile

; __stdcall NtQueryQuotaInformationFile(x, x, x, x, x, x, x, x,	x)
		public _NtQueryQuotaInformationFile@36
_NtQueryQuotaInformationFile@36:	; DATA XREF: .text:00580E1Co
		push	50h
		push	offset dword_6A8120
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp-24h], ebx
		mov	[ebp-34h], ebx
		mov	[ebp-20h], ebx
		mov	[ebp-38h], ebx
		mov	[ebp-30h], ebx
		mov	[ebp-2Ch], ebx
		mov	[ebp-60h], ebx
		mov	[ebp-5Ch], ebx
		mov	eax, large fs:124h
		mov	[ebp-50h], eax
		mov	al, [eax+15Ah]
		mov	[ebp-19h], al
		mov	[ebp-4Ch], al
		test	al, al
		jz	loc_95FDB8
		mov	[ebp-4], ebx
		mov	ecx, [ebp+0Ch]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_95FC67
		mov	ecx, eax

loc_95FC67:				; CODE XREF: PAGE:0095FC63j
		mov	eax, [ecx]
		mov	[ecx], eax
		push	4
		mov	eax, [ebp+14h]
		push	eax
		push	dword ptr [ebp+10h]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	eax, [ebp+24h]
		mov	[ebp-28h], eax
		test	eax, eax
		jz	short loc_95FCCE
		inc	eax
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_95FC90
		mov	eax, ecx

loc_95FC90:				; CODE XREF: PAGE:0095FC8Cj
		nop
		mov	al, [eax]
		mov	[ebp-1Ah], al
		mov	[ebp+27h], al
		movzx	eax, al
		push	eax
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		mov	ecx, eax
		mov	[ebp-3Ch], ecx
		mov	[ebp-38h], ecx
		mov	eax, [ebp-28h]
		test	ecx, ecx
		jz	short loc_95FCDC
		test	al, 3
		jnz	loc_960197
		lea	edx, [ecx+eax]
		mov	esi, ds:_MmUserProbeAddress
		cmp	edx, esi
		ja	short loc_95FCCA
		cmp	edx, eax
		jnb	short loc_95FCDC

loc_95FCCA:				; CODE XREF: PAGE:0095FCC4j
		mov	[esi], bl
		jmp	short loc_95FCDC
; 

loc_95FCCE:				; CODE XREF: PAGE:0095FC81j
		mov	cl, bl
		mov	[ebp+27h], cl
		mov	[ebp-1Ah], cl
		mov	ecx, [ebp-38h]
		mov	[ebp-3Ch], ecx

loc_95FCDC:				; CODE XREF: PAGE:0095FCAFj
					; PAGE:0095FCC8j ...
		mov	edx, [ebp+1Ch]
		test	edx, edx
		jz	short loc_95FD4A
		mov	esi, [ebp+20h]
		test	esi, esi
		jz	short loc_95FD4A
		test	dl, 3
		jnz	loc_960197
		lea	eax, [edx+esi]
		mov	edi, ds:_MmUserProbeAddress
		cmp	eax, edi
		ja	short loc_95FD04
		cmp	eax, edx
		jnb	short loc_95FD06

loc_95FD04:				; CODE XREF: PAGE:0095FCFEj
		mov	[edi], bl

loc_95FD06:				; CODE XREF: PAGE:0095FD02j
		lea	edx, [esi+3]
		and	edx, 0FFFFFFFCh
		mov	eax, ecx
		not	eax
		cmp	edx, eax
		jbe	short loc_95FD25

loc_95FD14:				; CODE XREF: PAGE:0095FD27j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		jmp	loc_9600A8
; 

loc_95FD25:				; CODE XREF: PAGE:0095FD12j
		cmp	edx, esi
		jb	short loc_95FD14
		add	edx, ecx
		mov	ecx, 200h
		call	sub_60F12F
		mov	[ebp-20h], eax
		mov	[ebp-2Ch], eax
		push	esi
		push	dword ptr [ebp+1Ch]
		push	eax
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_95FD60
; 

loc_95FD4A:				; CODE XREF: PAGE:0095FCE1j
					; PAGE:0095FCE8j
		mov	esi, ebx
		mov	[ebp+20h], esi
		test	eax, eax
		jz	short loc_95FD86
		mov	edx, ecx
		xor	ecx, ecx
		inc	ecx
		call	sub_60F12F
		mov	[ebp-20h], eax

loc_95FD60:				; CODE XREF: PAGE:0095FD48j
		mov	eax, [ebp-28h]
		test	eax, eax
		jz	short loc_95FD86
		lea	edi, [esi+3]
		and	edi, 0FFFFFFFCh
		add	edi, [ebp-20h]
		mov	[ebp-30h], edi
		push	dword ptr [ebp-3Ch]
		push	eax
		push	edi
		call	_memcpy
		add	esp, 0Ch
		mov	al, [ebp+27h]
		mov	[edi+1], al

loc_95FD86:				; CODE XREF: PAGE:0095FD51j
					; PAGE:0095FD65j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_95FDD6
; 

loc_95FD8F:				; DATA XREF: .text:006A8134o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-44h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95FD9D:				; DATA XREF: .text:006A8138o
		mov	esp, [ebp-18h]
		cmp	dword ptr [ebp-20h], 0
		jz	short loc_95FDB0
		push	0
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95FDB0:				; CODE XREF: PAGE:0095FDA4j
		mov	eax, [ebp-44h]
		jmp	loc_96018B
; 

loc_95FDB8:				; CODE XREF: PAGE:0095FC50j
		mov	eax, [ebp+1Ch]
		mov	esi, [ebp+20h]
		test	eax, eax
		jz	short loc_95FDC9
		test	esi, esi
		jz	short loc_95FDC9
		mov	[ebp-2Ch], eax

loc_95FDC9:				; CODE XREF: PAGE:0095FDC0j
					; PAGE:0095FDC4j
		mov	eax, [ebp+24h]
		mov	[ebp-28h], eax
		test	eax, eax
		jz	short loc_95FDD6
		mov	[ebp-30h], eax

loc_95FDD6:				; CODE XREF: PAGE:0095FD8Dj
					; PAGE:0095FDD1j
		mov	ecx, [ebp-2Ch]
		test	ecx, ecx
		jz	short loc_95FE3C
		mov	[ebp-40h], ebx
		lea	eax, [ebp-40h]
		push	eax
		mov	edx, esi
		call	_IopCheckGetQuotaBufferValidity@12 ; IopCheckGetQuotaBufferValidity(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_95FE3C
		mov	dword ptr [ebp-4], 1
		mov	ecx, [ebp-40h]
		mov	eax, [ebp+0Ch]
		mov	[eax+4], ecx
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	short loc_95FE27
; 

loc_95FE0A:				; DATA XREF: .text:006A8140o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-48h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_95FE18:				; DATA XREF: .text:006A8144o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-48h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	ebx, ebx

loc_95FE27:				; CODE XREF: PAGE:0095FE08j
					; PAGE:0095FE7Fj
		mov	eax, [ebp-20h]
		test	eax, eax
		jz	short loc_95FE35
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95FE35:				; CODE XREF: PAGE:0095FE2Cj
		mov	eax, esi
		jmp	loc_9600A8
; 

loc_95FE3C:				; CODE XREF: PAGE:0095FDDBj
					; PAGE:0095FDEFj
		mov	edi, [ebp-30h]
		test	edi, edi
		jz	short loc_95FE65
		push	edi
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jnz	short loc_95FE65
		mov	eax, [ebp-20h]
		test	eax, eax
		jz	short loc_95FE5B
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95FE5B:				; CODE XREF: PAGE:0095FE52j
		mov	eax, 0C0000078h
		jmp	loc_9600A8
; 

loc_95FE65:				; CODE XREF: PAGE:0095FE41j
					; PAGE:0095FE4Bj
		push	ebx
		lea	eax, [ebp-24h]
		push	eax
		mov	eax, [ebp-4Ch]
		mov	[ebp-3Ch], eax
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+8]
		call	IopReferenceFileObject
		mov	esi, eax
		test	esi, esi
		js	short loc_95FE27
		mov	esi, [ebp-24h]
		lea	eax, [esi+2Ch]
		mov	[ebp-4Ch], eax
		mov	eax, [eax]
		test	al, 2
		jz	short loc_95FF09
		shr	eax, 2
		and	al, 1
		mov	[ebp+1Ch], al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ebx
		mov	esi, [ebp-24h]
		lea	ecx, [esi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	edx, eax
		mov	[ebp-1Bh], bl
		xor	ecx, ecx
		inc	ecx
		lea	eax, [esi+44h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_95FED8
		test	edx, edx
		jz	short loc_95FECD
		or	byte ptr [edx+0Eh], 1

loc_95FECD:				; CODE XREF: PAGE:0095FEC7j
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edi, ebx
		jmp	short loc_95FEEC
; 

loc_95FED8:				; CODE XREF: PAGE:0095FEC3j
		lea	eax, [ebp-1Bh]
		push	eax
		push	edx
		push	dword ptr [ebp+1Ch]
		mov	dl, [ebp-19h]
		mov	ecx, esi
		call	IopWaitAndAcquireFileObjectLock
		mov	edi, eax

loc_95FEEC:				; CODE XREF: PAGE:0095FED6j
		cmp	byte ptr [ebp-1Bh], 0
		jz	short loc_95FF03
		cmp	dword ptr [ebp-20h], 0
		jz	short loc_95FF2A
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_95FF2A
; 

loc_95FF03:				; CODE XREF: PAGE:0095FEF0j
		mov	al, 1
		mov	edi, ebx
		jmp	short loc_95FF43
; 

loc_95FF09:				; CODE XREF: PAGE:0095FE8Ej
		call	sub_60F0DF
		mov	edi, eax
		mov	[ebp-34h], edi
		test	edi, edi
		jnz	short loc_95FF38
		mov	eax, [ebp-20h]
		test	eax, eax
		jz	short loc_95FF25
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95FF25:				; CODE XREF: PAGE:0095FF1Cj
		mov	edi, 0C000009Ah

loc_95FF2A:				; CODE XREF: PAGE:0095FEF6j
					; PAGE:0095FF01j
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	loc_9600A8
; 

loc_95FF38:				; CODE XREF: PAGE:0095FF15j
		push	ebx
		push	1
		push	edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	al, bl

loc_95FF43:				; CODE XREF: PAGE:0095FF07j
		mov	[ebp+1Ch], al
		mov	ecx, esi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		push	esi
		call	IoGetRelatedDeviceObject
		mov	[ebp+24h], eax
		push	dword ptr [ebp+4]
		push	ebx
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp+8], esi
		test	esi, esi
		jnz	short loc_95FF9F
		mov	eax, [ebp-4Ch]
		test	byte ptr [eax],	2
		jnz	short loc_95FF7C
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95FF7C:				; CODE XREF: PAGE:0095FF73j
		xor	edx, edx
		mov	ecx, [ebp-24h]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)
		cmp	dword ptr [ebp-20h], 0
		jz	short loc_95FF95
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_95FF95:				; CODE XREF: PAGE:0095FF8Aj
		mov	eax, 0C000009Ah
		jmp	loc_9600A8
; 

loc_95FF9F:				; CODE XREF: PAGE:0095FF6Bj
		mov	ecx, [ebp-24h]
		mov	[ebp-4Ch], ecx
		mov	[esi+64h], ecx
		mov	eax, [ebp-50h]
		mov	[esi+50h], eax
		mov	al, [ebp-19h]
		mov	[esi+20h], al
		cmp	byte ptr [ebp+1Ch], 0
		jz	short loc_95FFC1
		mov	eax, [ebp+0Ch]
		mov	edi, ebx
		jmp	short loc_95FFCB
; 

loc_95FFC1:				; CODE XREF: PAGE:0095FFB8j
		mov	dword ptr [esi+8], 4
		lea	eax, [ebp-60h]

loc_95FFCB:				; CODE XREF: PAGE:0095FFBFj
		mov	[esi+2Ch], edi
		mov	[esi+28h], eax
		mov	[esi+30h], ebx
		mov	edi, [esi+60h]
		mov	byte ptr [edi-24h], 19h
		mov	[edi-0Ch], ecx
		mov	eax, [ebp-20h]
		mov	[esi+54h], eax
		mov	eax, [ebp-2Ch]
		mov	[edi-18h], eax
		mov	eax, [ebp+20h]
		mov	[edi-14h], eax
		mov	eax, [ebp+24h]
		mov	eax, [eax+1Ch]
		test	al, 4
		jz	loc_960104
		mov	eax, [ebp+14h]
		test	eax, eax
		jz	loc_9600FC
		mov	dword ptr [ebp-4], 2
		mov	edx, eax
		mov	ecx, 200h
		call	sub_60F12F
		mov	[esi+0Ch], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		cmp	_IopDisableBufferedIoInit, 0
		jnz	short loc_96003C
		push	dword ptr [ebp+14h]
		push	ebx
		push	eax
		call	_memset
		add	esp, 0Ch

loc_96003C:				; CODE XREF: PAGE:0096002Dj
		or	dword ptr [esi+8], 70h

loc_960040:				; CODE XREF: PAGE:009600FFj
					; PAGE:00960106j
		mov	eax, [ebp+10h]
		mov	[esi+3Ch], eax

loc_960046:				; CODE XREF: PAGE:00960149j
		mov	eax, [ebp+14h]

loc_960049:				; CODE XREF: PAGE:00960111j
		mov	[edi-20h], eax
		mov	eax, [ebp-30h]
		mov	[edi-1Ch], eax
		mov	[edi-22h], bl
		mov	al, bl
		cmp	[ebp+28h], al
		jz	short loc_960062
		mov	byte ptr [edi-22h], 1
		mov	al, 1

loc_960062:				; CODE XREF: PAGE:0096005Aj
		cmp	byte ptr [ebp+18h], 0
		jz	short loc_96006D
		or	al, 2
		mov	[edi-22h], al

loc_96006D:				; CODE XREF: PAGE:00960066j
		cmp	dword ptr [ebp-28h], 0
		jz	short loc_960078
		or	al, 4
		mov	[edi-22h], al

loc_960078:				; CODE XREF: PAGE:00960071j
		push	2
		push	dword ptr [ebp+1Ch]
		mov	edi, [ebp-3Ch]
		push	edi
		push	ebx
		push	dword ptr [ebp-4Ch]
		mov	edx, esi
		mov	ecx, [ebp+24h]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)
		cmp	byte ptr [ebp+1Ch], 0

loc_960093:				; DATA XREF: KIsUnlockSettingEnabled+10o
		jnz	short loc_9600A8
		push	dword ptr [ebp+0Ch]
		lea	ecx, [ebp-60h]
		push	ecx
		push	edi
		push	esi
		mov	edx, [ebp-34h]
		mov	ecx, eax
		call	IopSynchronousApiServiceTail

loc_9600A8:				; CODE XREF: PAGE:0095FD20j
					; PAGE:0095FE37j ...
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_9600BA:				; DATA XREF: .text:006A814Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-54h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9600C8:				; DATA XREF: .text:006A8150o
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-24h]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	dword ptr [ebp-34h]
		xor	ebx, ebx
		push	ebx
		mov	edx, [ebp+8]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		cmp	[ebp-20h], ebx
		jz	short loc_9600F4
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9600F4:				; CODE XREF: PAGE:009600E9j
		mov	eax, [ebp-54h]
		jmp	loc_96018B
; 

loc_9600FC:				; CODE XREF: PAGE:00960003j
		mov	[esi+0Ch], ebx
		jmp	loc_960040
; 

loc_960104:				; CODE XREF: PAGE:0095FFF8j
		test	al, 10h
		jz	loc_960040
		mov	eax, [ebp+14h]
		test	eax, eax
		jz	loc_960049
		mov	dword ptr [ebp-4], 3
		push	esi
		push	1
		push	ebx
		push	eax
		push	dword ptr [ebp+10h]
		call	IoAllocateMdl
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_96019C
		movzx	eax, byte ptr [edi-24h]
		push	eax
		push	dword ptr [ebp+24h]
		push	ecx
		mov	dl, [ebp-19h]
		call	sub_60F076
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_960046
; 

loc_96014E:				; DATA XREF: .text:006A8158o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-58h], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_96015C:				; DATA XREF: .text:006A815Co
		mov	esp, [ebp-18h]
		mov	ecx, [ebp-24h]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	dword ptr [ebp-34h]
		xor	ebx, ebx
		push	ebx
		mov	edx, [ebp+8]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		cmp	[ebp-20h], ebx
		jz	short loc_960188
		push	ebx
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_960188:				; CODE XREF: PAGE:0096017Dj
		mov	eax, [ebp-58h]

loc_96018B:				; CODE XREF: PAGE:0095FDB3j
					; PAGE:009600F7j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_9600A8
; 

loc_960197:				; CODE XREF: PAGE:0095FCB3j
					; PAGE:0095FCEDj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_96019C:				; CODE XREF: PAGE:0096012Fj
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; 
		dw 0CCCCh
		dd 0CCCCCCCCh
; Exported entry 1596. NtSetQuotaInformationFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall NtSetQuotaInformationFile(int,int,int,int,void	*,int)
		public _NtSetQuotaInformationFile@16
_NtSetQuotaInformationFile@16 proc near	; DATA XREF: .text:00580C80o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ecx		; int
		push	[ebp+arg_C]	; int
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_8]	; void *
		call	_IopSetEaOrQuotaInformationFile@20 ; IopSetEaOrQuotaInformationFile(x,x,x,x,x)
		pop	ebp
		retn	10h
_NtSetQuotaInformationFile@16 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1598. NtSetVolumeInformationFile

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetVolumeInformationFile(x, x, x,	x, x)
		public _NtSetVolumeInformationFile@20
_NtSetVolumeInformationFile@20 proc near ; DATA	XREF: .text:00580C4Co

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3E		= dword	ptr -3Eh
var_3A		= word ptr -3Ah
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	6Ch
		push	offset dword_6A8160
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4C], eax
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_60], esi
		mov	ebx, [ebp+arg_8]
		mov	[ebp+var_6C], ebx
		mov	edx, [ebp+arg_C]
		mov	[ebp+var_50], edx
		and	[ebp+var_48], 0
		xor	edi, edi
		mov	[ebp+var_64], edi
		and	[ebp+var_44], edi
		mov	eax, large fs:124h
		mov	[ebp+var_5C], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_3E+1], al
		mov	byte ptr [ebp+var_54], al
		test	al, al
		jz	short loc_96027C
		mov	eax, [ebp+arg_10]
		cmp	eax, 0Fh
		jnb	loc_960331
		mov	al, ds:_IopSetFsOperationLength[eax]
		test	al, al
		jz	loc_960331
		movzx	eax, al
		cmp	edx, eax
		jnb	short loc_960240
		mov	eax, 0C0000004h
		jmp	loc_960582
; 

loc_960240:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+68j
		and	[ebp+ms_exc.disabled], edi
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_960250
		mov	ecx, eax

loc_960250:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+80j
		mov	eax, [ecx]
		mov	[ecx], eax
		test	edx, edx
		jz	short loc_960275
		test	bl, 3
		jnz	loc_960594
		lea	eax, [edx+ebx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_960272
		cmp	eax, ebx
		jnb	short loc_960275

loc_960272:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+A0j
		mov	byte ptr [ecx],	0

loc_960275:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+8Aj
					; NtSetVolumeInformationFile(x,x,x,x,x)+A4j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_96027C:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+47j
		push	0
		lea	eax, [ebp+var_48]
		push	eax
		mov	eax, [ebp+var_54]
		mov	[ebp+var_54], eax
		push	eax
		mov	edx, [ebp+arg_10]
		mov	edx, ds:_IopSetFsOperationAccess[edx*4]
		mov	ecx, [ebp+var_4C]
		call	IopReferenceFileObject
		test	eax, eax
		js	loc_960582
		lea	edx, [ebp+var_44]
		mov	esi, [ebp+var_48]
		mov	ecx, esi
		call	_IoGetRelatedTargetDevice@8 ; IoGetRelatedTargetDevice(x,x)
		test	eax, eax
		jns	short loc_9602B8
		and	[ebp+var_44], 0

loc_9602B8:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+E6j
		lea	ebx, [esi+2Ch]
		mov	[ebp+var_58], ebx
		mov	eax, [ebx]
		test	al, 2
		jz	loc_960377
		shr	eax, 2
		and	al, 1
		mov	bl, al
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		mov	esi, [ebp+var_48]
		lea	ecx, [esi+4Ch]
		xor	edx, edx
		call	KeAbPreAcquire
		mov	edx, eax
		mov	byte ptr [ebp+var_3E], 0
		xor	ecx, ecx
		inc	ecx
		lea	eax, [esi+44h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_96033B
		test	edx, edx
		jz	short loc_960306
		or	byte ptr [edx+0Eh], 1

loc_960306:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+134j
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	ebx, ebx
		jmp	short loc_96034D
; 

loc_960311:				; DATA XREF: .text:006A8174o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_68], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_96031F:				; DATA XREF: .text:006A8178o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_68]
		jmp	loc_960582
; 

loc_960331:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+4Fj
					; NtSetVolumeInformationFile(x,x,x,x,x)+5Dj
		mov	eax, 0C0000003h
		jmp	loc_960582
; 

loc_96033B:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+130j
		lea	eax, [ebp+var_3E]
		push	eax
		push	edx
		push	ebx
		mov	dl, byte ptr [ebp+var_3E+1]
		mov	ecx, esi
		call	IopWaitAndAcquireFileObjectLock
		mov	ebx, eax

loc_96034D:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+143j
		cmp	byte ptr [ebp+var_3E], 0
		jz	short loc_96036D
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_44]
		test	ecx, ecx
		jz	short loc_960366

loc_960361:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+370j
		call	ObfDereferenceObject

loc_960366:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+193j
					; NtSetVolumeInformationFile(x,x,x,x,x)+331j
		mov	eax, ebx
		jmp	loc_960582
; 

loc_96036D:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+185j
		mov	bl, 1
		mov	byte ptr [ebp+var_4C], bl
		mov	ebx, [ebp+var_58]
		jmp	short loc_96039D
; 

loc_960377:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+F6j
		call	sub_51531E
		mov	edi, eax
		mov	[ebp+var_64], edi
		test	edi, edi
		jnz	short loc_96038E
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_9603DB
; 

loc_96038E:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+1B7j
		push	0
		push	1
		push	edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	al, al
		mov	byte ptr [ebp+var_4C], al

loc_96039D:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+1A9j
		mov	ecx, esi
		call	_IopResetEvent@4 ; IopResetEvent(x)
		push	esi
		call	IoGetRelatedDeviceObject
		mov	[ebp+var_58], eax
		push	dword ptr [ebp+4]
		push	0
		mov	dl, [eax+30h]
		mov	ecx, eax
		call	IopAllocateIrpExReturn
		mov	esi, eax
		mov	[ebp+var_70], esi
		test	esi, esi
		jnz	short loc_9603F1
		test	byte ptr [ebx],	2
		jnz	short loc_9603D1
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9603D1:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+1FCj
		xor	edx, edx
		mov	ecx, [ebp+var_48]
		call	_IopAllocateIrpCleanup@8 ; IopAllocateIrpCleanup(x,x)

loc_9603DB:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+1C0j
		mov	ecx, [ebp+var_44]
		test	ecx, ecx
		jz	short loc_9603E7
		call	ObfDereferenceObject

loc_9603E7:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+214j
		mov	eax, 0C000009Ah
		jmp	loc_960582
; 

loc_9603F1:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+1F7j
		mov	ebx, [ebp+var_48]
		mov	[esi+64h], ebx
		mov	eax, [ebp+var_5C]
		mov	[esi+50h], eax
		mov	al, byte ptr [ebp+var_3E+1]
		mov	[esi+20h], al
		xor	edx, edx
		mov	[ebp+var_7C], edx
		mov	[ebp+var_78], edx
		cmp	byte ptr [ebp+var_4C], dl
		jz	short loc_960417
		mov	eax, [ebp+var_60]
		mov	ecx, edx
		jmp	short loc_960423
; 

loc_960417:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+242j
		mov	dword ptr [esi+8], 4
		lea	eax, [ebp+var_7C]
		mov	ecx, edi

loc_960423:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+249j
		mov	[esi+2Ch], ecx
		mov	[esi+28h], eax
		mov	[esi+30h], edx
		mov	eax, [esi+60h]
		sub	eax, 24h
		mov	[ebp+var_5C], eax
		mov	byte ptr [eax],	0Bh
		mov	[eax+18h], ebx
		mov	[esi+0Ch], edx
		mov	[esi+4], edx
		mov	[ebp+ms_exc.disabled], 1
		mov	edx, [ebp+var_50]
		call	sub_4FA154
		mov	[esi+0Ch], eax
		push	[ebp+var_50]	; size_t
		push	[ebp+var_6C]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	byte ptr [ebp+var_3E+1], 0
		jz	short loc_9604B3
		cmp	[ebp+arg_10], 2
		jnz	short loc_9604B3
		mov	eax, [esi+0Ch]
		mov	eax, [eax]
		test	eax, eax
		js	short loc_960486
		add	eax, 4
		cmp	eax, [ebp+var_50]
		jbe	short loc_9604B3

loc_960486:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+2B0j
		mov	eax, [ebx+2Ch]
		shr	eax, 1
		and	al, 1
		movzx	eax, al
		push	eax
		push	edi
		push	0
		mov	edx, esi
		mov	ecx, ebx
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		mov	ecx, [ebp+var_44]
		test	ecx, ecx
		jz	short loc_9604A9
		call	ObfDereferenceObject

loc_9604A9:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+2D6j
		mov	eax, 0C000000Dh
		jmp	loc_960582
; 

loc_9604B3:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+2A1j
					; NtSetVolumeInformationFile(x,x,x,x,x)+2A7j ...
		or	dword ptr [esi+8], 30h
		mov	eax, [ebp+var_50]
		mov	ecx, [ebp+var_5C]
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_10]
		mov	[ecx+8], eax
		push	2
		push	[ebp+var_4C]
		push	[ebp+var_54]
		push	0
		push	ebx
		mov	edx, esi
		mov	ecx, [ebp+var_58]
		call	_IopSynchronousServiceTail@28 ;	IopSynchronousServiceTail(x,x,x,x,x,x,x)
		mov	ebx, eax
		cmp	byte ptr [ebp+var_4C], 0
		jnz	short loc_9604F9
		push	[ebp+var_60]
		lea	eax, [ebp+var_7C]
		push	eax
		push	[ebp+var_54]
		push	esi
		mov	edx, edi
		mov	ecx, ebx
		call	IopSynchronousApiServiceTail
		mov	ebx, eax

loc_9604F9:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+315j
		cmp	[ebp+var_44], 0
		jz	loc_960366
		test	ebx, ebx
		js	short loc_960539
		and	[ebp+var_20], 0
		xor	eax, eax
		inc	eax
		mov	word ptr [ebp+var_3E+2], ax
		and	[ebp+var_28], 0
		or	[ebp+var_24], 0FFFFFFFFh
		push	1Ch
		pop	eax
		mov	[ebp+var_3A], ax
		mov	esi, offset _GUID_IO_VOLUME_CHANGE
		lea	edi, [ebp+var_38]
		movsd
		movsd
		movsd
		movsd
		lea	eax, [ebp+var_3E+2]
		push	eax
		push	[ebp+var_44]
		call	_IoReportTargetDeviceChange@8 ;	IoReportTargetDeviceChange(x,x)

loc_960539:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+339j
		mov	ecx, [ebp+var_44]
		jmp	loc_960361
; 

loc_960541:				; DATA XREF: .text:006A8180o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_74], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_96054F:				; DATA XREF: .text:006A8184o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ecx, [ebp+var_48]
		movzx	eax, byte ptr [ecx+2Ch]
		shr	eax, 1
		and	eax, 1
		push	eax
		push	[ebp+var_64]
		push	0
		mov	edx, [ebp+var_70]
		call	_IopExceptionCleanupEx@20 ; IopExceptionCleanupEx(x,x,x,x,x)
		mov	ecx, [ebp+var_44]
		test	ecx, ecx
		jz	short loc_960578
		call	ObfDereferenceObject

loc_960578:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+3A5j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_74]

loc_960582:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+6Fj
					; NtSetVolumeInformationFile(x,x,x,x,x)+D1j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_960594:				; CODE XREF: NtSetVolumeInformationFile(x,x,x,x,x)+8Fj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
_NtSetVolumeInformationFile@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoCaptureLiveDump(x, x, x, x, x, x,	x)
_IoCaptureLiveDump@28 proc near		; CODE XREF: DbgkCaptureLiveKernelDump(x)+263p
					; DbgkpWerCaptureLiveFullDump(x,x)+10Dp

var_15A		= byte ptr -15Ah
var_159		= dword	ptr -159h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14A		= byte ptr -14Ah
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_E8		= dword	ptr -0E8h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+14Ch+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		xor	esi, esi
		mov	[esp+154h+var_110], edx
		push	edi
		mov	[esp+158h+var_114], ecx
		mov	[esp+158h+var_13C], eax
		mov	[esp+158h+var_11C], ebx
		mov	[esp+158h+var_138], esi
		mov	[esp+158h+var_148], esi
		mov	[esp+158h+var_144], esi
		mov	[esp+158h+var_124], esi
		mov	[esp+158h+var_120], esi
		mov	[esp+158h+var_12C], esi
		mov	[esp+158h+var_128], esi
		mov	[esp+158h+var_134], esi
		call	KeQueryInterruptTime
		mov	[esp+158h+var_108], eax
		lea	edi, [esp+158h+var_E8]
		xor	eax, eax
		mov	[esp+158h+var_104], edx
		cmp	_ForceDumpDisabled, 0
		stosd
		stosd
		stosd
		stosd
		jz	short loc_960621
		test	ebx, ebx
		jz	short loc_960617
		and	[ebx], esi

loc_960617:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+79j
		mov	eax, 0C00000BBh
		jmp	loc_960C6D
; 

loc_960621:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+75j
		mov	eax, ds:0FFDF0244h
		cmp	_BufferChunkSizeInBytes, eax
		jz	short loc_96063B
		mov	_BufferChunkSizeInBytes, eax
		shr	eax, 0Ch
		mov	_BufferChunkSizeInPages, eax

loc_96063B:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+92j
		xor	ecx, ecx
		call	_IopLiveDumpTraceInterfaceStart@4 ; IopLiveDumpTraceInterfaceStart(x)
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_96064A
		mov	[ebx], edi

loc_96064A:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+ACj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	edi
		push	offset _IopLiveDumpLock
		call	ExAcquireResourceExclusiveLite
		mov	[esp+0Fh], al
		cmp	al, 1
		jz	short loc_960689
		mov	edi, 0C000022Dh

loc_960670:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+1C2j
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+1E9j
		mov	eax, [esp+158h+var_148]
		mov	ebx, [esp+158h+var_138]
		mov	[esp+158h+var_148], eax
		mov	eax, [esp+158h+var_144]
		mov	[esp+158h+var_144], eax
		jmp	loc_960904
; 

loc_960689:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+CFj
		call	_KeGetSupervisorStateExtensionHost@0 ; KeGetSupervisorStateExtensionHost()
		mov	ebx, eax
		mov	[esp+158h+var_134], ebx
		test	ebx, ebx
		jz	short loc_9606D9
		mov	ecx, ebx
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		mov	_IptInterface, eax
		test	eax, eax
		jz	short loc_9606D5
		push	1
		call	dword ptr [eax]
		mov	eax, _IptInterface
		call	dword ptr [eax+4]
		test	al, al
		jnz	short loc_9606CD
		mov	eax, _IptInterface
		push	edi
		call	dword ptr [eax]
		mov	ecx, ebx
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)
		mov	_IptInterface, edi

loc_9606CD:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+11Cj
		cmp	_IptInterface, esi
		jnz	short loc_9606D9

loc_9606D5:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+10Cj
		mov	[esp+160h+var_13C], edi

loc_9606D9:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+FCj
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+139j
		mov	eax, [esp+160h+var_144]
		test	byte ptr [eax+10h], 10h
		jz	short loc_960761
		push	offset ??_C@_1FA@LHALGJAB@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@
		lea	eax, [esp+164h+var_134]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+160h+var_140]
		push	eax
		lea	eax, [esp+164h+var_134]
		push	eax
		call	_IoCreateNotificationEvent@8 ; IoCreateNotificationEvent(x,x)
		mov	edi, eax
		lea	eax, [esp+160h+var_134]
		push	offset ??_C@_1EE@GONCMNFF@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+160h+var_150]
		push	eax
		lea	eax, [esp+164h+var_134]
		push	eax
		call	_IoCreateNotificationEvent@8 ; IoCreateNotificationEvent(x,x)
		mov	ebx, eax
		lea	eax, [esp+160h+var_134]
		push	offset ??_C@_1EG@JCCHLBNP@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@
		push	eax
		mov	[esp+168h+var_12C], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+14h]
		push	eax
		lea	eax, [esp+164h+var_134]
		push	eax
		call	_IoCreateNotificationEvent@8 ; IoCreateNotificationEvent(x,x)
		push	eax
		mov	edx, ebx
		mov	[esp+164h+var_128], eax
		mov	ecx, edi
		call	_IopLiveDumpIsUnderMemoryPressure@12 ; IopLiveDumpIsUnderMemoryPressure(x,x,x)
		test	al, al
		jz	short loc_960763
		mov	edi, 0C0000240h
		jmp	loc_960670
; 

loc_960761:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+147j
		mov	edi, esi

loc_960763:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+1BBj
		push	706D644Ch
		mov	ebx, 2C8h
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_960788
		mov	edi, 0C000009Ah
		jmp	loc_960670
; 

loc_960788:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+1E2j
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [esp+16Ch+var_11C]
		add	esp, 0Ch
		mov	[esi], eax
		mov	ecx, esi
		mov	eax, [esp+160h+var_118]
		xor	ebx, ebx
		mov	[esi+4], eax
		mov	eax, [ebp+arg_0]
		and	dword ptr [esi+30h], 0FFFFFFF3h
		mov	[esi+8], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+10h], eax
		mov	eax, [esp+160h+var_140]
		mov	[esi+208h], eax
		mov	eax, [esp+160h+var_150]
		mov	[esi+20Ch], eax
		xor	eax, eax
		mov	[esp+160h+var_150], eax
		mov	eax, [esp+14h]
		mov	[esi+210h], eax
		xor	eax, eax
		mov	[esp+14h], eax
		mov	eax, [esp+160h+var_12C]
		mov	[esi+218h], eax
		mov	eax, [esp+160h+var_128]
		mov	_IopLiveDumpContext, esi
		mov	[esi+214h], edi
		mov	[esi+21Ch], eax
		call	_IopLiveDumpInitRegistrySettings@4 ; IopLiveDumpInitRegistrySettings(x)
		test	dword ptr [esi+30h], 200h
		jz	short loc_96082B
		mov	eax, [esi+2B0h]
		or	eax, [esi+2B4h]
		jnz	short loc_96082B

loc_960821:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+34Ej
		mov	edi, 0C000000Dh
		jmp	loc_960904
; 

loc_96082B:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+277j
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+285j
		lea	edi, [esi+220h]
		push	edi
		push	5
		call	EtwActivityIdControl
		lea	eax, [esi+230h]
		push	eax
		push	1
		call	EtwActivityIdControl
		cmp	dword_6B2CE0, 5
		jbe	short loc_9608B4
		push	2000h
		push	0
		mov	ecx, offset dword_6B2CE0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9608B4
		mov	eax, [esi+2ACh]
		and	[esp+160h+var_1C], ebx
		and	[esp+160h+var_14], ebx
		mov	[esp+160h+var_138], eax
		lea	eax, [esp+160h+var_138]
		mov	[esp+160h+var_20], eax
		lea	eax, [esp+160h+var_40]
		push	eax
		push	3
		push	edi
		lea	eax, [esi+230h]
		mov	[esp+16Ch+var_18], 4
		push	eax
		push	offset loc_41B8EC
		push	offset dword_6B2CE0
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9608B4:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+2B4j
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+2C9j
		mov	edx, [esp+160h+var_144]
		push	ecx
		mov	ecx, esi
		call	_IopLiveDumpValidateParameters@12 ; IopLiveDumpValidateParameters(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_960904
		test	byte ptr [esi+30h], 80h
		jz	short loc_9608DE
		push	offset _PerformanceFrequency
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	cl, 1
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)

loc_9608DE:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+330j
		test	byte ptr [esi+14h], 8
		jz	short loc_9608EE
		cmp	[esp+164h+var_128], ebx
		jz	loc_960821

loc_9608EE:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+348j
		mov	ecx, esi
		call	_IopLiveDumpAllocAndInitResources@4 ; IopLiveDumpAllocAndInitResources(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_960904
		mov	ecx, esi
		call	_IopLiveDumpCaptureMemoryPages@4 ; IopLiveDumpCaptureMemoryPages(x)
		mov	edi, eax

loc_960904:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+EAj
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+28Cj ...
		mov	eax, _IptInterface
		test	eax, eax
		jz	short loc_960921
		push	0
		call	dword ptr [eax]
		mov	ecx, [esp+168h+var_144]
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)
		and	_IptInterface, 0

loc_960921:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+371j
		test	ebx, ebx
		jz	short loc_96092B
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_96092B:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+389j
		mov	eax, [esp+168h+var_159+1]
		test	eax, eax
		jz	short loc_960939
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_960939:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+397j
		mov	eax, [esp+168h+var_154]
		test	eax, eax
		jz	short loc_960947
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_960947:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+3A5j
		mov	ebx, [esp+1Ch]
		test	byte ptr [ebx+10h], 10h
		jz	short loc_96097D
		cmp	edi, 0C0000240h
		jnz	short loc_96097D
		call	_IopLiveDumpIsTracingEnabled@0 ; IopLiveDumpIsTracingEnabled()
		cmp	al, 1
		jnz	short loc_96097D
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	offset _LIVEDUMP_EVENT_MEMORY_PRESSURE_ABORT
		push	dword_6FD4A4
		push	_IopLiveDumpEtwRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_96097D:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+3B5j
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+3BDj ...
		cmp	byte ptr [esp+168h+var_159], 0
		jz	short loc_960995
		and	_IopLiveDumpContext, 0
		mov	ecx, offset _IopLiveDumpLock
		call	ExReleaseResourceLite

loc_960995:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+3E8j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		js	loc_960B14
		lea	ecx, [esi+240h]
		call	SecureDump_GetSecureDumpSettings
		mov	edi, eax
		test	edi, edi
		js	loc_960B14
		cmp	byte ptr [ecx],	0
		jz	short loc_9609E7
		mov	eax, [esi+248h]
		test	eax, eax
		jz	short loc_9609E2
		cmp	byte ptr [esi+241h], 0
		jz	short loc_9609E2
		cmp	dword ptr [esi+244h], 1000h
		jnz	short loc_9609E2
		test	eax, 0FFFh
		jz	short loc_9609E7

loc_9609E2:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+42Aj
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+433j ...
		mov	edi, 0C0000001h

loc_9609E7:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+420j
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+446j
		test	edi, edi
		js	loc_960B14
		test	byte ptr [esi+14h], 8
		jnz	loc_960B09
		mov	ecx, offset _LIVEDUMP_EVENT_WRITE_DUMPDATA_TO_FILE_START
		call	_IopLiveDumpTrace@4 ; IopLiveDumpTrace(x)
		call	KeQueryInterruptTime
		mov	ecx, esi
		mov	[esp+168h+var_140], edx
		mov	ebx, eax
		call	_IopLiveDumpWriteDumpFile@4 ; IopLiveDumpWriteDumpFile(x)
		cmp	dword_6B2CE0, 5
		mov	edi, eax
		jbe	loc_960AEA
		push	2000h
		push	0
		mov	ecx, offset dword_6B2CE0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_960AEA
		mov	ecx, [esi+180h]
		and	[esp+168h+var_64], 0
		and	[esp+168h+var_5C], 0
		mov	[esp+168h+var_60], 8
		mov	eax, [ecx+0FA0h]
		mov	[esp+168h+var_110], eax
		mov	eax, [ecx+0FA4h]
		mov	[esp+168h+var_10C], eax
		lea	eax, [esp+168h+var_110]
		mov	[esp+168h+var_68], eax
		call	KeQueryInterruptTime
		sub	eax, ebx
		sbb	edx, [esp+168h+var_140]
		xor	ebx, ebx
		push	ebx
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	[esp+168h+var_108], eax
		lea	eax, [esp+168h+var_108]
		mov	[esp+168h+var_58], eax
		lea	eax, [esp+168h+var_88]
		push	eax
		push	4
		lea	eax, [esi+220h]
		mov	[esp+170h+var_104], edx
		push	eax
		lea	eax, [esi+230h]
		mov	[esp+174h+var_54], ebx
		push	eax
		push	offset loc_41B8A3
		push	offset dword_6B2CE0
		mov	[esp+180h+var_50], 8
		mov	[esp+180h+var_4C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_960AEA:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+484j
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+49Dj
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	_IopLiveDumpTraceDumpFileWriteEnd@12 ; IopLiveDumpTraceDumpFileWriteEnd(x,x,x)
		mov	ebx, [esp+1Ch]
		test	edi, edi
		js	short loc_960B14
		test	byte ptr [esi+30h], 2
		jz	short loc_960B14
		mov	edi, 105h
		jmp	short loc_960B14
; 

loc_960B09:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+459j
		mov	eax, [esp+168h+var_12C]
		mov	edi, 0C0000016h
		mov	[eax], esi

loc_960B14:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+402j
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+417j ...
		push	edi
		xor	edx, edx
		call	_IopLiveDumpTraceInterfaceEnd@12 ; IopLiveDumpTraceInterfaceEnd(x,x,x)
		cmp	dword_6B2CE0, 5
		jbe	loc_960C39
		push	2000h
		push	0
		mov	ecx, offset dword_6B2CE0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_960C39
		mov	ecx, [ebx+10h]
		lea	eax, [esp+168h+var_11C]
		and	[esp+168h+var_C4], 0
		xor	edx, edx
		and	[esp+168h+var_BC], 0
		inc	edx
		mov	[esp+168h+var_C8], eax
		xor	ebx, ebx
		mov	eax, ecx
		mov	[esp+168h+var_11C], edi
		shr	eax, 3
		and	al, dl
		shr	ecx, 4
		mov	byte ptr [esp+168h+var_159], al
		and	cl, dl
		lea	eax, [esp+168h+var_159]
		mov	[esp+168h+var_C0], 4
		mov	[esp+168h+var_B8], eax
		lea	eax, [esp+168h+var_150+3]
		mov	[esp+168h+var_B4], ebx
		mov	[esp+168h+var_B0], edx
		mov	[esp+168h+var_AC], ebx
		mov	byte ptr [esp+168h+var_150+3], cl
		mov	[esp+168h+var_A8], eax
		mov	[esp+168h+var_A4], ebx
		mov	[esp+168h+var_A0], edx
		mov	[esp+168h+var_9C], ebx
		call	KeQueryInterruptTime
		sub	eax, [esp+168h+var_118]
		push	ebx
		sbb	edx, [esp+16Ch+var_114]
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	[esp+168h+var_100], eax
		lea	eax, [esp+168h+var_100]
		mov	[esp+168h+var_FC], edx
		lea	ecx, [esi+220h]
		mov	[esp+168h+var_98], eax
		mov	[esp+168h+var_94], ebx
		mov	[esp+168h+var_90], 8
		mov	[esp+168h+var_8C], ebx
		test	esi, esi
		jnz	short loc_960C84
		lea	ecx, [esp+168h+var_F8]
		mov	eax, ecx

loc_960C1E:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+6F0j
		lea	edx, [esp+168h+var_E8]
		push	edx
		push	6
		push	ecx
		push	eax
		push	offset loc_41B927
		push	offset dword_6B2CE0
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_960C39:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+589j
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+5A2j
		test	esi, esi
		jz	short loc_960C6B
		test	byte ptr [esi+14h], 8
		jnz	short loc_960C51
		lea	eax, [esi+220h]
		push	eax
		push	2
		call	EtwActivityIdControl

loc_960C51:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+6A7j
		cmp	edi, 0C0000016h
		jz	short loc_960C6B
		mov	ecx, esi
		call	_IopLiveDumpReleaseResources@4 ; IopLiveDumpReleaseResources(x)
		push	706D644Ch
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_960C6B:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+6A1j
					; IoCaptureLiveDump(x,x,x,x,x,x,x)+6BDj
		mov	eax, edi

loc_960C6D:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+82j
		mov	ecx, [esp+168h+var_14]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_960C84:				; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+67Cj
		lea	eax, [esi+230h]
		jmp	short loc_960C1E
_IoCaptureLiveDump@28 endp


;  S U B	R O U T	I N E 


; __stdcall IoDiscardDeferredLiveDumpData(x)
_IoDiscardDeferredLiveDumpData@4 proc near ; CODE XREF:	DbgkpWerCleanupContext(x)+2Ap
		mov	edi, edi
		push	esi
		push	2
		mov	esi, ecx
		pop	ecx
		call	_IopLiveDumpTraceInterfaceStart@4 ; IopLiveDumpTraceInterfaceStart(x)
		push	0
		push	2
		pop	edx
		call	_IopLiveDumpTraceInterfaceEnd@12 ; IopLiveDumpTraceInterfaceEnd(x,x,x)
		mov	ecx, esi
		call	_IopLiveDumpReleaseResources@4 ; IopLiveDumpReleaseResources(x)
		push	706D644Ch
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		pop	esi
		retn
_IoDiscardDeferredLiveDumpData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoWriteDeferredLiveDumpData(x)
_IoWriteDeferredLiveDumpData@4 proc near ; CODE	XREF: DbgkpWerDeferredWriteRoutine(x)+53p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	KeQueryInterruptTime
		xor	ecx, ecx
		mov	[esp+68h+var_5C], edx
		inc	ecx
		mov	ebx, eax
		call	_IopLiveDumpTraceInterfaceStart@4 ; IopLiveDumpTraceInterfaceStart(x)
		mov	ecx, offset _LIVEDUMP_EVENT_WRITE_DEFERRED_DUMPDATA_TO_FILE_START
		call	_IopLiveDumpTrace@4 ; IopLiveDumpTrace(x)
		mov	ecx, esi
		call	_IopLiveDumpWriteDumpFile@4 ; IopLiveDumpWriteDumpFile(x)
		mov	edi, eax
		xor	edx, edx
		push	edi
		inc	edx
		mov	ecx, esi
		call	_IopLiveDumpTraceDumpFileWriteEnd@12 ; IopLiveDumpTraceDumpFileWriteEnd(x,x,x)
		test	edi, edi
		js	short loc_960D14
		test	byte ptr [esi+30h], 2
		jz	short loc_960D14
		mov	edi, 105h

loc_960D14:				; CODE XREF: IoWriteDeferredLiveDumpData(x)+4Ej
					; IoWriteDeferredLiveDumpData(x)+54j
		xor	edx, edx
		push	edi
		inc	edx
		call	_IopLiveDumpTraceInterfaceEnd@12 ; IopLiveDumpTraceInterfaceEnd(x,x,x)
		cmp	dword_6B2CE0, 5
		jbe	loc_960DD5
		push	2000h
		push	0
		mov	ecx, offset dword_6B2CE0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_960DD5
		mov	ecx, [esi+180h]
		and	[esp+68h+var_24], 0
		and	[esp+68h+var_1C], 0
		mov	[esp+68h+var_20], 8
		mov	eax, [ecx+0FA0h]
		mov	[esp+68h+var_58], eax
		mov	eax, [ecx+0FA4h]
		mov	[esp+68h+var_54], eax
		lea	eax, [esp+68h+var_58]
		mov	[esp+68h+var_28], eax
		call	KeQueryInterruptTime
		sub	eax, ebx
		sbb	edx, [esp+68h+var_5C]
		xor	ebx, ebx
		push	ebx
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	[esp+68h+var_50], eax
		lea	eax, [esp+68h+var_50]
		mov	[esp+68h+var_18], eax
		lea	eax, [esp+68h+var_48]
		push	eax
		push	4
		lea	eax, [esi+220h]
		mov	[esp+70h+var_4C], edx
		push	eax
		lea	eax, [esi+230h]
		mov	[esp+74h+var_14], ebx
		push	eax
		push	offset loc_41B6D7
		push	offset dword_6B2CE0
		mov	[esp+80h+var_10], 8
		mov	[esp+80h+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_960DD5:				; CODE XREF: IoWriteDeferredLiveDumpData(x)+6Bj
					; IoWriteDeferredLiveDumpData(x)+84j
		lea	eax, [esi+220h]
		push	eax
		push	2
		call	EtwActivityIdControl
		mov	ecx, esi
		call	_IopLiveDumpReleaseResources@4 ; IopLiveDumpReleaseResources(x)
		push	706D644Ch
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esp+68h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_IoWriteDeferredLiveDumpData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpAllocAndInitResources(x)
_IopLiveDumpAllocAndInitResources@4 proc near
					; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+356p

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7D		= dword	ptr -7Dh
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	ebx, ebx
		call	KeQueryInterruptTime
		push	dword ptr [esi+21Ch]
		mov	ecx, [esi+214h]
		mov	[ebp+var_90], edx
		mov	edx, [esi+218h]
		mov	[ebp+var_8C], eax
		call	_IopLiveDumpIsUnderMemoryPressure@12 ; IopLiveDumpIsUnderMemoryPressure(x,x,x)
		test	al, al
		jz	short loc_960E5B

loc_960E51:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+E9j
					; IopLiveDumpAllocAndInitResources(x)+15Fj ...
		mov	edi, 0C0000240h
		jmp	loc_961262
; 

loc_960E5B:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+46j
		lea	ecx, [esi+0B8h]
		mov	[ecx], esi
		call	_IopLiveDumpResetCorralContext@4 ; IopLiveDumpResetCorralContext(x)
		call	_IopGetPhysicalMemoryBlock@0 ; IopGetPhysicalMemoryBlock()
		mov	ebx, eax
		mov	[ebp+var_84], ebx
		test	ebx, ebx
		jnz	short loc_960E83

loc_960E79:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+CEj
					; IopLiveDumpAllocAndInitResources(x)+140j ...
		mov	edi, 0C000009Ah
		jmp	loc_961262
; 

loc_960E83:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+6Ej
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_960E93
		mov	edi, 0C00000E5h
		jmp	loc_961262
; 

loc_960E93:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+7Ej
		mov	ecx, [ebx+eax*8+4]
		mov	eax, [ebx+eax*8]
		add	eax, ecx
		mov	[esi+34h], eax
		push	706D644Ch
		lea	edi, [eax+7]
		shr	edi, 3
		add	edi, 7
		and	edi, 0FFFFFFF8h
		lea	eax, [edi+0FFFh]
		and	eax, 0FFFFF000h
		push	eax
		push	200h
		mov	[ebp+var_88], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_7D+1],	eax
		mov	[esi+190h], eax
		test	eax, eax
		jz	short loc_960E79
		push	dword ptr [esi+21Ch]
		mov	ecx, [esi+214h]
		mov	edx, [esi+218h]
		call	_IopLiveDumpIsUnderMemoryPressure@12 ; IopLiveDumpIsUnderMemoryPressure(x,x,x)
		test	al, al
		jnz	loc_960E51
		mov	eax, [esi+34h]
		lea	ecx, [esi+188h]
		mov	[ecx], eax
		mov	eax, [ebp+var_7D+1]
		push	ecx
		mov	[ecx+4], eax
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		push	[ebp+var_88]
		mov	edx, [esi+190h]
		mov	ecx, esi
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)
		add	edi, 2067h
		push	706D644Ch
		and	edi, 0FFFFF000h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_7D+1],	eax
		mov	[esi+180h], eax
		test	eax, eax
		jz	loc_960E79
		push	dword ptr [esi+21Ch]
		mov	ecx, [esi+214h]
		mov	edx, [esi+218h]
		call	_IopLiveDumpIsUnderMemoryPressure@12 ; IopLiveDumpIsUnderMemoryPressure(x,x,x)
		test	al, al
		jnz	loc_960E51
		push	edi		; size_t
		push	0		; int
		push	[ebp+var_7D+1]	; void *
		mov	[esi+184h], edi
		call	_memset
		mov	edx, [esi+180h]
		lea	ecx, [esi+178h]
		add	esp, 0Ch
		and	dword ptr [edx+1024h], 0
		mov	[edx+1020h], edi
		mov	eax, [esi+34h]
		and	dword ptr [edx+1034h], 0
		mov	[edx+1030h], eax
		mov	[ecx], eax
		lea	eax, [edx+1038h]
		push	ecx
		mov	[ecx+4], eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		push	dword ptr [esi+184h]
		mov	edx, [esi+180h]
		mov	ecx, esi
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)
		mov	edi, [ebp+var_88]
		push	706D644Ch
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_7D+1],	eax
		mov	[esi+1ACh], eax
		test	eax, eax
		jz	loc_960E79
		push	dword ptr [esi+21Ch]
		mov	ecx, [esi+214h]
		mov	edx, [esi+218h]
		call	_IopLiveDumpIsUnderMemoryPressure@12 ; IopLiveDumpIsUnderMemoryPressure(x,x,x)
		test	al, al
		jnz	loc_960E51
		mov	eax, [esi+34h]
		lea	ecx, [esi+194h]
		mov	[ecx], eax
		mov	eax, [ebp+var_7D+1]
		push	ecx
		mov	[ecx+4], eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		mov	edx, [esi+1ACh]
		mov	ecx, esi
		push	edi
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)
		mov	ecx, [esi+1ACh]
		mov	eax, [esi+34h]
		push	706D644Ch
		mov	[esi+19Ch], eax
		mov	[esi+1A0h], ecx
		mov	ecx, [esi+1ACh]
		mov	eax, [esi+34h]
		push	edi
		push	200h
		mov	[esi+1A4h], eax
		mov	[esi+1A8h], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_7D+1],	eax
		mov	[esi+1B8h], eax
		test	eax, eax
		jz	loc_960E79
		push	dword ptr [esi+21Ch]
		mov	ecx, [esi+214h]
		mov	edx, [esi+218h]
		call	_IopLiveDumpIsUnderMemoryPressure@12 ; IopLiveDumpIsUnderMemoryPressure(x,x,x)
		test	al, al
		jnz	loc_960E51
		mov	eax, [esi+34h]
		lea	ecx, [esi+1B0h]
		mov	[ecx], eax
		mov	eax, [ebp+var_7D+1]
		push	ecx
		mov	[ecx+4], eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		mov	edx, [esi+1B8h]
		mov	ecx, esi
		push	edi
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)
		mov	ecx, esi
		call	_IopLiveDumpDiscardSecondaryDataBuffersRange@4 ; IopLiveDumpDiscardSecondaryDataBuffersRange(x)
		mov	ecx, esi
		call	_IopLiveDumpAllocateMappingResources@4 ; IopLiveDumpAllocateMappingResources(x)
		mov	edi, eax
		test	edi, edi
		js	loc_961262
		push	dword ptr [esi+21Ch]
		mov	ecx, [esi+214h]
		mov	edx, [esi+218h]
		call	_IopLiveDumpIsUnderMemoryPressure@12 ; IopLiveDumpIsUnderMemoryPressure(x,x,x)
		test	al, al
		jnz	loc_960E51
		mov	ecx, esi
		call	_IopLiveDumpEstimateMemoryPages@4 ; IopLiveDumpEstimateMemoryPages(x)
		mov	edi, eax
		test	edi, edi
		js	loc_961262
		mov	ecx, esi
		call	_IopLiveDumpAllocateDumpBuffers@4 ; IopLiveDumpAllocateDumpBuffers(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_96113B
		cmp	_IptInterface, 0
		jz	short loc_961130
		mov	ecx, esi
		call	_IopLiveDumpAllocateIptBuffers@4 ; IopLiveDumpAllocateIptBuffers(x)
		mov	edi, eax

loc_961130:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+31Cj
		test	edi, edi
		js	short loc_96113B
		mov	ecx, esi
		call	_IopLiveDumpTraceBufferAllocation@4 ; IopLiveDumpTraceBufferAllocation(x)

loc_96113B:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+313j
					; IopLiveDumpAllocAndInitResources(x)+329j
		mov	ebx, ds:_KeNumberProcessors
		mov	eax, ebx
		push	706D644Ch
		shl	eax, 2
		push	eax
		push	200h
		mov	[ebp+var_88], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+2A0h], eax
		test	eax, eax
		jnz	short loc_961176
		and	[esi+29Ch], eax

loc_96116C:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+3B8j
					; IopLiveDumpAllocAndInitResources(x)+3DEj ...
		mov	edi, 0C000009Ah
		jmp	loc_96125C
; 

loc_961176:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+35Bj
		mov	eax, _BufferChunkSizeInPages
		and	[ebp+var_7D+1],	0
		mov	[esi+29Ch], ebx
		lea	ebx, ds:0FFFh[eax*4]
		and	ebx, 0FFFFF000h
		cmp	[ebp+var_88], 0
		jbe	short loc_9611CF

loc_96119B:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+3C4j
		push	706D644Ch
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, [ebp+var_7D+1]
		mov	ecx, [esi+2A0h]
		mov	[ecx+edx*4], eax
		mov	eax, [esi+2A0h]
		cmp	dword ptr [eax+edx*4], 0
		jz	short loc_96116C
		inc	edx
		mov	[ebp+var_7D+1],	edx
		cmp	edx, [ebp+var_88]
		jb	short loc_96119B

loc_9611CF:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+390j
		push	706D644Ch
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+2A4h], eax
		test	eax, eax
		jz	short loc_96116C
		push	706D644Ch
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+2A8h], eax
		test	eax, eax
		jz	loc_96116C
		push	dword ptr [esi+21Ch]
		mov	ecx, [esi+214h]
		mov	edx, [esi+218h]
		call	_IopLiveDumpIsUnderMemoryPressure@12 ; IopLiveDumpIsUnderMemoryPressure(x,x,x)
		test	al, al
		jz	short loc_961229
		mov	edi, 0C0000240h
		jmp	short loc_96125C
; 

loc_961229:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+417j
		mov	eax, [ebp+var_88]
		mov	ecx, esi
		mov	edx, [esi+2A0h]
		imul	eax, ebx
		push	eax
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)
		mov	edx, [esi+2A4h]
		mov	ecx, esi
		push	ebx
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)
		mov	edx, [esi+2A8h]
		mov	ecx, esi
		push	ebx
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)

loc_96125C:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+368j
					; IopLiveDumpAllocAndInitResources(x)+41Ej
		mov	ebx, [ebp+var_84]

loc_961262:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+4Dj
					; IopLiveDumpAllocAndInitResources(x)+75j ...
		cmp	dword_6B2CE0, 5
		jbe	loc_96137A
		push	2000h
		push	0
		mov	ecx, offset dword_6B2CE0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_96137A
		mov	eax, [esi+1C0h]
		xor	edx, edx
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_58], eax
		mov	al, [esi+18h]
		and	al, 1
		mov	[ebp+var_94], edx
		mov	byte ptr [ebp+var_7D], al
		lea	eax, [ebp+var_7D]
		mov	[ebp+var_48], eax
		mov	eax, [esi+1C8h]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_38], eax
		mov	eax, [esi+1CCh]
		push	8
		pop	ecx
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], 1
		mov	[ebp+var_3C], edx
		mov	[ebp+var_9C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_A4], edx
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		call	KeQueryInterruptTime
		sub	eax, [ebp+var_8C]
		push	0
		sbb	edx, [ebp+var_90]
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		lea	eax, [esi+220h]
		mov	[ebp+var_AC], edx
		push	eax
		lea	eax, [esi+230h]
		mov	[ebp+var_10], 8
		push	eax
		push	offset loc_41B9EC
		push	offset dword_6B2CE0
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_96137A:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+460j
					; IopLiveDumpAllocAndInitResources(x)+479j
		test	ebx, ebx
		jz	short loc_961386
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_961386:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+573j
		test	edi, edi
		jns	short loc_961391
		mov	ecx, esi
		call	_IopLiveDumpReleaseResources@4 ; IopLiveDumpReleaseResources(x)

loc_961391:				; CODE XREF: IopLiveDumpAllocAndInitResources(x)+57Fj
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopLiveDumpAllocAndInitResources@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpAllocateDumpBuffers(x)
_IopLiveDumpAllocateDumpBuffers@4 proc near
					; CODE XREF: IopLiveDumpAllocAndInitResources(x)+30Ap

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		mov	ebx, ecx
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_1C], eax
		test	byte ptr [ebx+30h], 80h
		mov	[ebp+var_20], eax
		jz	short loc_9613CC
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		mov	[ebp+var_1C], eax
		xor	eax, eax
		mov	[ebp+var_20], edx

loc_9613CC:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+19j
		mov	edx, _BufferChunkSizeInPages
		lea	ecx, [ebx+1C0h]
		mov	[ecx+10h], eax
		mov	[ecx+20h], eax
		mov	[ecx], eax
		mov	eax, [ebx+3Ch]
		lea	ecx, [edx-1]
		mov	edi, [ebx+38h]
		lea	esi, [edx-1]
		add	esi, [ebx+48h]
		dec	eax
		add	eax, edx
		mov	[ebp+var_C], edx
		not	ecx
		dec	edi
		and	eax, ecx
		mov	[ebp+var_18], ecx
		add	edi, edx
		mov	[ebx+3Ch], eax
		mov	eax, [ebx+4Ch]
		dec	edx
		add	eax, edx
		and	esi, ecx
		and	eax, ecx
		mov	[ebx+48h], esi
		xor	edx, edx
		mov	[ebx+4Ch], eax
		and	edi, ecx
		mov	ecx, [ebp+var_C]
		div	ecx
		xor	edx, edx
		mov	[ebx+38h], edi
		mov	[ebp+var_8], eax
		mov	eax, esi
		div	ecx
		mov	esi, [ebp+var_8]
		xor	edx, edx
		add	esi, eax
		mov	eax, edi
		div	ecx
		mov	edi, [ebx+30h]
		add	esi, eax
		mov	[ebp+var_24], edi
		mov	[ebp+var_8], esi
		test	edi, 200h
		jz	short loc_9614BE
		mov	esi, [ebx+2B0h]
		xor	edi, edi
		mov	edx, [ebx+2B4h]
		mov	ecx, esi
		and	ecx, 0FFFh
		mov	[ebp+var_14], edi
		mov	eax, ecx
		or	eax, edi
		jz	short loc_961469
		xor	eax, eax
		inc	eax
		jmp	short loc_96146B
; 

loc_961469:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+C0j
		mov	eax, edi

loc_96146B:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+C5j
		mov	edi, [ebp+var_C]
		imul	edi, [ebp+var_8]
		shrd	esi, edx, 0Ch
		shr	edx, 0Ch
		mov	[ebp+var_10], esi
		add	[ebp+var_10], eax
		mov	[ebp+var_28], edi
		adc	edx, [ebp+var_14]
		xor	eax, eax
		mov	edi, [ebp+var_24]
		cmp	eax, edx
		jb	short loc_9614BB
		ja	short loc_96149A
		mov	eax, [ebp+var_28]
		cmp	eax, [ebp+var_10]
		jbe	short loc_9614BB
		xor	eax, eax

loc_96149A:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+ECj
		or	edi, 400h
		or	ecx, eax
		mov	[ebx+30h], edi
		jz	short loc_9614AA
		xor	eax, eax
		inc	eax

loc_9614AA:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+103j
		add	eax, esi
		xor	edx, edx
		and	eax, [ebp+var_18]
		div	[ebp+var_C]
		mov	esi, eax
		mov	[ebp+var_8], esi
		jmp	short loc_9614BE
; 

loc_9614BB:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+EAj
					; IopLiveDumpAllocateDumpBuffers(x)+F4j
		mov	esi, [ebp+var_8]

loc_9614BE:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+A1j
					; IopLiveDumpAllocateDumpBuffers(x)+117j
		lea	edi, ds:0FFFh[esi*4]
		push	706D644Ch
		and	edi, 0FFFFF000h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		lea	esi, [ebx+1C0h]
		mov	[esi+24h], eax
		test	eax, eax
		jz	loc_9616F1
		push	dword ptr [ebx+21Ch]
		mov	ecx, [ebx+214h]
		mov	edx, [ebx+218h]
		call	_IopLiveDumpIsUnderMemoryPressure@12 ; IopLiveDumpIsUnderMemoryPressure(x,x,x)
		test	al, al
		jz	short loc_961511

loc_961507:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+1A3j
					; IopLiveDumpAllocateDumpBuffers(x)+2AEj ...
		mov	edi, 0C0000240h
		jmp	loc_9616F6
; 

loc_961511:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+163j
		push	706D644Ch
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+28h], eax
		test	eax, eax
		jz	loc_9616F1
		push	dword ptr [ebx+21Ch]
		mov	ecx, [ebx+214h]
		mov	edx, [ebx+218h]
		call	_IopLiveDumpIsUnderMemoryPressure@12 ; IopLiveDumpIsUnderMemoryPressure(x,x,x)
		test	al, al
		jnz	short loc_961507
		mov	edx, [esi+24h]
		mov	ecx, ebx
		push	edi
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)
		push	edi		; size_t
		push	0		; int
		push	dword ptr [esi+24h] ; void *
		call	_memset
		mov	edx, [esi+28h]
		add	esp, 0Ch
		mov	ecx, ebx
		push	edi
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)
		push	edi		; size_t
		push	0		; int
		push	dword ptr [esi+28h] ; void *
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		mov	dl, al
		mov	[ebp+var_10], eax
		mov	[ebp+var_1], dl
		cmp	[ebp+var_8], eax
		jbe	loc_9616C5

loc_96158C:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+308j
		mov	[ebp+var_C], eax
		mov	eax, [ebx+2ACh]
		cmp	eax, 2
		jz	short loc_96159F
		cmp	eax, 4
		jnz	short loc_9615B5

loc_96159F:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+1F6j
		test	dl, dl
		jnz	short loc_9615B5
		mov	ecx, _BufferChunkSizeInBytes
		or	edx, 0FFFFFFFFh
		push	ecx
		push	ecx
		call	MmAllocateIndependentPagesEx
		jmp	short loc_9615CA
; 

loc_9615B5:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+1FBj
					; IopLiveDumpAllocateDumpBuffers(x)+1FFj
		cmp	eax, 1
		jz	short loc_9615BF
		cmp	eax, 3
		jnz	short loc_9615D0

loc_9615BF:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+216j
		lea	eax, [ebp+var_C]
		mov	ecx, ebx
		push	eax
		call	_IopLiveDumpAllocateFromVMMemoryPartition@12 ; IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)

loc_9615CA:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+211j
		mov	edi, eax
		test	edi, edi
		jnz	short loc_96161D

loc_9615D0:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+21Bj
		mov	eax, [ebx+2ACh]
		cmp	eax, 2
		jz	loc_9616C5
		cmp	eax, 1
		jz	loc_9616C5
		cmp	eax, 4
		jnz	short loc_9615FA
		lea	eax, [ebp+var_C]
		mov	ecx, ebx
		push	eax
		call	_IopLiveDumpAllocateFromVMMemoryPartition@12 ; IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)
		jmp	short loc_961613
; 

loc_9615FA:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+249j
		cmp	eax, 3
		jnz	loc_9616C5
		mov	ecx, _BufferChunkSizeInBytes
		or	edx, 0FFFFFFFFh
		push	ecx
		push	ecx
		call	MmAllocateIndependentPagesEx

loc_961613:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+256j
		mov	edi, eax
		test	edi, edi
		jz	loc_9616C5

loc_96161D:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+22Cj
		push	dword ptr [ebx+21Ch]
		mov	ecx, [ebx+214h]
		mov	edx, [ebx+218h]
		call	_IopLiveDumpIsUnderMemoryPressure@12 ; IopLiveDumpIsUnderMemoryPressure(x,x,x)
		test	al, al
		jz	short loc_96166E
		mov	eax, [ebp+var_C]
		test	eax, eax
		jnz	short loc_9616AF
		mov	edx, _BufferChunkSizeInBytes
		mov	ecx, edi
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)
		cmp	[ebp+var_1], 0
		jnz	loc_961507
		cmp	dword ptr [ebx+2ACh], 4
		jnz	loc_961507
		mov	ecx, [ebp+var_10]
		mov	dl, 1
		dec	ecx
		mov	[ebp+var_1], dl
		jmp	short loc_96169F
; 

loc_96166E:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+294j
		mov	eax, [esi+24h]
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		push	_BufferChunkSizeInBytes
		mov	[eax+edx*4], edi
		mov	eax, _BufferChunkSizeInPages
		add	[esi], eax
		mov	eax, [esi+28h]
		inc	dword ptr [esi+20h]
		mov	[eax+edx*4], ecx
		mov	edx, edi
		mov	ecx, ebx
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)
		mov	ecx, [ebp+var_10]
		mov	dl, [ebp+var_1]

loc_96169F:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+2CAj
		inc	ecx
		mov	[ebp+var_10], ecx
		cmp	ecx, [ebp+var_8]
		jnb	short loc_9616C5
		xor	eax, eax
		jmp	loc_96158C
; 

loc_9616AF:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+29Bj
		push	eax
		call	_MmFreePagesFromMdl@4 ;	MmFreePagesFromMdl(x)
		mov	ecx, [ebp+var_C]
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_961507
; 

loc_9616C5:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+1E4j
					; IopLiveDumpAllocateDumpBuffers(x)+237j ...
		push	dword ptr [ebx+21Ch]
		mov	ecx, [ebx+214h]
		mov	edx, [ebx+218h]
		call	_IopLiveDumpIsUnderMemoryPressure@12 ; IopLiveDumpIsUnderMemoryPressure(x,x,x)
		test	al, al
		jnz	loc_961507
		mov	ecx, [esi]
		mov	edx, [ebx+3Ch]
		cmp	ecx, edx
		jb	short loc_9616F1
		xor	edi, edi
		jmp	short loc_961706
; 

loc_9616F1:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+144j
					; IopLiveDumpAllocateDumpBuffers(x)+184j ...
		mov	edi, 0C000009Ah

loc_9616F6:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+16Aj
		mov	ecx, esi
		call	_IopLiveDumpFreeDumpBuffers@4 ;	IopLiveDumpFreeDumpBuffers(x)
		xor	eax, eax
		mov	[esi], eax
		mov	ecx, eax
		mov	edx, [ebx+3Ch]

loc_961706:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+34Dj
		mov	eax, [ebx+4Ch]
		mov	esi, [ebx+48h]
		mov	[ebp+var_28], eax
		add	eax, esi
		add	eax, edx
		mov	[ebp+var_24], esi
		lea	esi, [ebx+1C0h]
		cmp	ecx, eax
		jb	short loc_961734
		sub	ecx, [ebp+var_28]
		sub	ecx, [ebp+var_24]
		mov	[esi+4], ecx
		mov	eax, [ebx+48h]
		mov	[esi+8], eax
		mov	eax, [ebx+4Ch]
		jmp	short loc_96174C
; 

loc_961734:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+37Cj
		test	ecx, ecx
		jz	short loc_961744
		sub	ecx, edx
		mov	[esi+4], edx
		mov	[esi+8], ecx
		xor	eax, eax
		jmp	short loc_96174C
; 

loc_961744:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+394j
		xor	eax, eax
		mov	[esi+4], eax
		mov	[esi+8], eax

loc_96174C:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+390j
					; IopLiveDumpAllocateDumpBuffers(x)+3A0j
		mov	[esi+0Ch], eax
		test	byte ptr [ebx+30h], 80h
		jz	short loc_96176E
		xor	cl, cl
		call	_IopLiveDumpGetMillisecondCounter@4 ; IopLiveDumpGetMillisecondCounter(x)
		sub	eax, [ebp+var_1C]
		mov	[ebx+1F0h], eax
		sbb	edx, [ebp+var_20]
		mov	[ebx+1F4h], edx

loc_96176E:				; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+3B1j
		mov	ecx, _BufferChunkSizeInPages
		imul	ecx, [ebp+var_8]
		push	0
		push	ecx
		mov	ecx, ebx
		call	_IopLiveDumpTraceEstimatedAndAllocatedPageCount@12 ; IopLiveDumpTraceEstimatedAndAllocatedPageCount(x,x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopLiveDumpAllocateDumpBuffers@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpAllocateFromVMMemoryPartition(x,	x, x)
_IopLiveDumpAllocateFromVMMemoryPartition@12 proc near
					; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+223p
					; IopLiveDumpAllocateDumpBuffers(x)+251p

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4D		= dword	ptr -4Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_60], eax
		mov	eax, _BufferChunkSizeInBytes
		lea	edi, [ebp+var_80]
		push	6
		mov	[ebp+var_54], eax
		mov	ebx, edx
		xor	eax, eax
		mov	[ebp+var_68], edx
		test	byte ptr [esi+30h], 0Ch
		pop	ecx
		rep stosd
		mov	[ebp+var_64], edx
		mov	edi, edx
		mov	[ebp+var_58], edx
		jnz	loc_961A02
		cmp	[esi+294h], edx
		jnz	loc_961861
		push	offset ??_C@_1EK@GMOJIIIJ@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@NNGAKEGL@
		lea	eax, [ebp+var_68]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_68]
		mov	[ebp+var_80], 18h
		mov	[ebp+var_78], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_80]
		mov	[ebp+var_7C], ecx
		push	eax
		push	2
		lea	eax, [esi+294h]
		mov	[ebp+var_74], 200h
		push	eax
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], ecx
		call	_ZwOpenPartition@12 ; ZwOpenPartition(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_58], ecx
		test	ecx, ecx
		js	loc_961968
		mov	eax, ds:_PsPartitionType
		lea	edx, [ebp+var_5C]
		mov	ecx, [esi+294h]
		and	[ebp+var_5C], ebx
		push	edi
		push	edx
		push	edi
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_5C]
		mov	[ebp+var_58], ecx
		mov	[esi+298h], eax
		test	ecx, ecx
		js	loc_961968
		xor	edx, edx

loc_961861:				; CODE XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+51j
		push	dword ptr [esi+298h]
		mov	eax, _BufferChunkSizeInBytes
		push	65h
		push	edx
		push	1
		push	[ebp+var_54]
		mov	[ebp+var_5C], eax
		push	edx
		push	eax
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	edx
		push	edx
		call	MmAllocatePartitionNodePagesForMdlEx
		mov	edi, eax
		test	edi, edi
		jnz	loc_96193E
		push	dword ptr [esi+298h]
		push	25h
		push	eax
		push	1
		push	[ebp+var_54]
		push	eax
		push	[ebp+var_5C]
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	eax
		push	eax
		call	MmAllocatePartitionNodePagesForMdlEx
		mov	edi, eax
		test	edi, edi
		jnz	loc_96193E
		or	dword ptr [esi+30h], 8
		mov	ecx, esi
		call	_IopLiveDumpTraceAllocationFromVMMemoryPartitionFailure@8 ; IopLiveDumpTraceAllocationFromVMMemoryPartitionFailure(x,x)
		cmp	dword_6B2CE0, 5
		jbe	loc_96195D
		push	2000h
		push	edi
		mov	ecx, offset dword_6B2CE0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_96195D
		mov	eax, [esi+30h]
		xor	ecx, ecx
		shr	eax, 3
		and	al, 1
		mov	[ebp+var_28], ecx
		mov	byte ptr [ebp+var_4D], al
		lea	eax, [ebp+var_4D]
		push	4
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_54]
		pop	edx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_4D+1]
		push	eax
		push	edx
		lea	eax, [esi+220h]
		mov	[ebp+var_24], 1
		push	eax
		lea	eax, [esi+230h]
		mov	[ebp+var_20], ecx
		push	eax
		push	offset loc_41B675
		push	offset dword_6B2CE0
		mov	[ebp+var_54], 0C0000017h
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	short loc_96195D
; 

loc_96193E:				; CODE XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+FFj
					; IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+126j
		test	byte ptr [edi+6], 5
		jz	short loc_961949
		mov	ebx, [edi+0Ch]
		jmp	short loc_96195D
; 

loc_961949:				; CODE XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+1B9j
		push	40000020h
		xor	eax, eax
		push	eax
		push	eax
		push	1
		push	eax
		push	edi
		call	MmMapLockedPagesSpecifyCache
		mov	ebx, eax

loc_96195D:				; CODE XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+13Ej
					; IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+156j	...
		mov	ecx, [ebp+var_58]
		test	ecx, ecx
		jns	loc_9619ED

loc_961968:				; CODE XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+9Dj
					; IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+D0j
		or	dword ptr [esi+30h], 4
		mov	edx, ecx
		mov	ecx, esi
		call	_IopLiveDumpTraceOpenVMMemoryPartitionFailure@8	; IopLiveDumpTraceOpenVMMemoryPartitionFailure(x,x)
		cmp	dword_6B2CE0, 5
		jbe	short loc_9619ED
		push	2000h
		push	0
		mov	ecx, offset dword_6B2CE0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9619ED
		mov	eax, [esi+30h]
		xor	ecx, ecx
		shr	eax, 2
		and	al, 1
		mov	[ebp+var_28], ecx
		mov	byte ptr [ebp+var_4D], al
		lea	eax, [ebp+var_4D]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_58]
		push	4
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_54]
		pop	edx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_4D+1]
		push	eax
		push	edx
		lea	eax, [esi+220h]
		mov	[ebp+var_24], 1
		push	eax
		lea	eax, [esi+230h]
		mov	[ebp+var_20], ecx
		push	eax
		push	offset loc_41B730
		push	offset dword_6B2CE0
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9619ED:				; CODE XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+1D9j
					; IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+1F3j	...
		test	edi, edi
		jz	short loc_961A1A
		test	ebx, ebx
		jnz	short loc_961A15
		push	edi
		call	_MmFreePagesFromMdl@4 ;	MmFreePagesFromMdl(x)
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_961A02:				; CODE XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+45j
		xor	eax, eax

loc_961A04:				; CODE XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+293j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_961A15:				; CODE XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+26Aj
		mov	eax, [ebp+var_60]
		mov	[eax], edi

loc_961A1A:				; CODE XREF: IopLiveDumpAllocateFromVMMemoryPartition(x,x,x)+266j
		mov	eax, ebx
		jmp	short loc_961A04
_IopLiveDumpAllocateFromVMMemoryPartition@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpAllocateIptBuffers(x)
_IopLiveDumpAllocateIptBuffers@4 proc near
					; CODE XREF: IopLiveDumpAllocAndInitResources(x)+320p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		push	24h
		xor	edi, edi
		lea	eax, [esi+270h]
		mov	[ebp+var_C], edi
		push	eax
		mov	eax, _IptInterface
		push	edi
		push	2
		mov	[ebp+var_8], edi
		mov	[esi+28Ch], edi
		mov	dword ptr [esi+278h], 10000000h
		call	dword ptr [eax+14h]
		mov	ebx, [esi+290h]
		test	ebx, ebx
		jz	loc_961BB3
		mov	edx, [esi+28Ch]
		test	edx, edx
		jz	short loc_961A7D
		push	ebx
		mov	ecx, esi
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)
		mov	ebx, [esi+290h]

loc_961A7D:				; CODE XREF: IopLiveDumpAllocateIptBuffers(x)+4Fj
		push	ecx
		push	ecx
		or	edx, 0FFFFFFFFh
		mov	[esi+28Ch], edi
		mov	ecx, ebx
		mov	[esi+290h], edi
		mov	[esi+274h], edi
		call	MmAllocateIndependentPagesEx
		mov	[ebp+var_4], eax
		mov	[esi+270h], eax
		test	eax, eax
		jz	loc_961BB3
		push	dword ptr [esi+21Ch]
		mov	ecx, [esi+214h]
		mov	edx, [esi+218h]
		mov	[esi+274h], ebx
		call	_IopLiveDumpIsUnderMemoryPressure@12 ; IopLiveDumpIsUnderMemoryPressure(x,x,x)
		test	al, al
		jz	short loc_961AD7

loc_961ACD:				; CODE XREF: IopLiveDumpAllocateIptBuffers(x)+164j
		mov	edi, 0C0000240h
		jmp	loc_961BB3
; 

loc_961AD7:				; CODE XREF: IopLiveDumpAllocateIptBuffers(x)+ADj
		mov	edx, [ebp+var_4]
		lea	eax, [ebx+0FFFh]
		and	eax, 0FFFFF000h
		mov	ecx, esi
		push	eax
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)
		push	dword ptr [esi+274h] ; size_t
		push	edi		; int
		push	dword ptr [esi+270h] ; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, _IptInterface
		call	dword ptr [eax+0Ch]
		test	eax, eax
		js	loc_961BB3
		mov	edx, [ebp+var_C]
		test	edx, edx
		jz	loc_961BB3
		cmp	[ebp+var_8], edi
		jbe	loc_961BB3
		push	[ebp+var_8]
		mov	ecx, esi
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_8]
		or	edx, 0FFFFFFFFh
		mov	[esi+268h], edi
		mov	[esi+26Ch], edi
		mov	[esi+250h], edi
		call	MmAllocateIndependentPagesEx
		mov	[ebp+var_4], eax
		mov	[esi+24Ch], eax
		test	eax, eax
		jz	short loc_961BB3
		push	dword ptr [esi+21Ch]
		mov	ebx, [ebp+var_8]
		mov	ecx, [esi+214h]
		mov	edx, [esi+218h]
		mov	[esi+250h], ebx
		call	_IopLiveDumpIsUnderMemoryPressure@12 ; IopLiveDumpIsUnderMemoryPressure(x,x,x)
		test	al, al
		jnz	loc_961ACD
		mov	edx, [ebp+var_4]
		lea	eax, [ebx+0FFFh]
		and	eax, 0FFFFF000h
		mov	ecx, esi
		push	eax
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)
		push	dword ptr [esi+250h] ; size_t
		push	edi		; int
		push	dword ptr [esi+24Ch] ; void *
		call	_memset
		add	esp, 0Ch

loc_961BB3:				; CODE XREF: IopLiveDumpAllocateIptBuffers(x)+41j
					; IopLiveDumpAllocateIptBuffers(x)+88j	...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopLiveDumpAllocateIptBuffers@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpAllocateMappingResources(x)
_IopLiveDumpAllocateMappingResources@4 proc near
					; CODE XREF: IopLiveDumpAllocAndInitResources(x)+2C9p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ds:_KeNumberProcessors
		push	esi
		push	edi
		mov	esi, ebx
		mov	[ebp+var_8], ebx
		push	706D644Ch
		shl	esi, 3
		mov	edi, ecx
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+204h], eax
		test	eax, eax
		jnz	short loc_961C07
		and	[edi+200h], eax

loc_961BF4:				; CODE XREF: IopLiveDumpAllocateMappingResources(x)+82j
					; IopLiveDumpAllocateMappingResources(x)+9Bj
		mov	ecx, edi
		call	_IopLiveDumpFreeMappingResources@4 ; IopLiveDumpFreeMappingResources(x)
		mov	esi, 0C000009Ah

loc_961C00:				; CODE XREF: IopLiveDumpAllocateMappingResources(x)+65j
					; IopLiveDumpAllocateMappingResources(x)+A3j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_961C07:				; CODE XREF: IopLiveDumpAllocateMappingResources(x)+32j
		push	esi		; size_t
		xor	esi, esi
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	[edi+200h], ebx
		add	esp, 0Ch
		mov	ebx, esi
		cmp	[ebp+var_8], ebx
		jbe	short loc_961C00

loc_961C21:				; CODE XREF: IopLiveDumpAllocateMappingResources(x)+A1j
		mov	eax, [edi+204h]
		mov	ecx, 10000h
		mov	[ebp+var_4], eax
		call	_MmAllocateDumpHibernateResources@4 ; MmAllocateDumpHibernateResources(x)
		mov	ecx, [ebp+var_4]
		mov	[ecx+ebx*8], eax
		test	eax, eax
		jz	short loc_961BF4
		push	esi
		push	esi
		push	esi
		push	10000h
		push	eax
		call	IoAllocateMdl
		mov	ecx, [ebp+var_4]
		mov	[ecx+ebx*8+4], eax
		test	eax, eax
		jz	short loc_961BF4
		inc	ebx
		cmp	ebx, [ebp+var_8]
		jb	short loc_961C21
		jmp	short loc_961C00
_IopLiveDumpAllocateMappingResources@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpDiscardSecondaryDataBuffersRange(x)
_IopLiveDumpDiscardSecondaryDataBuffersRange@4 proc near
					; CODE XREF: IopLiveDumpAllocAndInitResources(x)+2C2p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+24h]
		jmp	short loc_961C7A
; 

loc_961C6A:				; CODE XREF: IopLiveDumpDiscardSecondaryDataBuffersRange(x)+1Dj
		push	dword ptr [esi+14h]
		mov	edx, [esi+10h]
		mov	ecx, edi
		call	_IopLiveDumpDiscardVirtualAddressRange@12 ; IopLiveDumpDiscardVirtualAddressRange(x,x,x)
		mov	esi, [esi+1Ch]

loc_961C7A:				; CODE XREF: IopLiveDumpDiscardSecondaryDataBuffersRange(x)+9j
		test	esi, esi
		jnz	short loc_961C6A
		pop	edi
		pop	esi
		retn
_IopLiveDumpDiscardSecondaryDataBuffersRange@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpDiscardVirtualAddressRange(x, x,	x)
_IopLiveDumpDiscardVirtualAddressRange@12 proc near
					; CODE XREF: IopLiveDumpAllocAndInitResources(x)+114p
					; IopLiveDumpAllocAndInitResources(x)+1C1p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		test	eax, eax
		jz	short loc_961CE0
		test	edi, edi
		jz	short loc_961CE0
		push	esi
		mov	esi, eax
		and	esi, 0FFFh
		neg	esi
		sbb	esi, esi
		shr	eax, 0Ch
		neg	esi
		add	esi, eax
		jz	short loc_961CDF

loc_961CAD:				; CODE XREF: IopLiveDumpDiscardVirtualAddressRange(x,x,x)+5Cj
		push	edi
		call	_MmIsAddressValid@4 ; MmIsAddressValid(x)
		test	al, al
		jz	short loc_961CD4
		push	edi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		shrd	eax, edx, 0Ch
		lea	ecx, [ebx+188h]
		cmp	eax, [ecx]
		jnb	short loc_961CD4
		push	1
		push	eax
		push	ecx
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)

loc_961CD4:				; CODE XREF: IopLiveDumpDiscardVirtualAddressRange(x,x,x)+34j
					; IopLiveDumpDiscardVirtualAddressRange(x,x,x)+48j
		add	edi, 1000h
		sub	esi, 1
		jnz	short loc_961CAD

loc_961CDF:				; CODE XREF: IopLiveDumpDiscardVirtualAddressRange(x,x,x)+2Aj
		pop	esi

loc_961CE0:				; CODE XREF: IopLiveDumpDiscardVirtualAddressRange(x,x,x)+10j
					; IopLiveDumpDiscardVirtualAddressRange(x,x,x)+14j
		pop	edi
		pop	ebx
		pop	ebp
		retn	4
_IopLiveDumpDiscardVirtualAddressRange@12 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpFreeDumpBuffers(x)
_IopLiveDumpFreeDumpBuffers@4 proc near	; CODE XREF: IopLiveDumpAllocateDumpBuffers(x)+356p
					; IopLiveDumpReleaseResources(x)+CCp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	loc_961D78
		xor	ebx, ebx
		mov	edi, ebx
		cmp	[esi+20h], ebx
		jbe	short loc_961D40

loc_961CFE:				; CODE XREF: IopLiveDumpFreeDumpBuffers(x)+58j
		mov	eax, [esi+28h]
		mov	eax, [eax+edi*4]
		test	eax, eax
		jz	short loc_961D1F
		push	eax
		call	_MmFreePagesFromMdl@4 ;	MmFreePagesFromMdl(x)
		mov	eax, [esi+28h]
		push	ebx
		push	dword ptr [eax+edi*4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+28h]
		jmp	short loc_961D37
; 

loc_961D1F:				; CODE XREF: IopLiveDumpFreeDumpBuffers(x)+20j
		mov	eax, [esi+24h]
		mov	ecx, [eax+edi*4]
		test	ecx, ecx
		jz	short loc_961D3A
		mov	edx, _BufferChunkSizeInBytes
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)
		mov	eax, [esi+24h]

loc_961D37:				; CODE XREF: IopLiveDumpFreeDumpBuffers(x)+37j
		mov	[eax+edi*4], ebx

loc_961D3A:				; CODE XREF: IopLiveDumpFreeDumpBuffers(x)+41j
		inc	edi
		cmp	edi, [esi+20h]
		jb	short loc_961CFE

loc_961D40:				; CODE XREF: IopLiveDumpFreeDumpBuffers(x)+16j
		mov	eax, [esi+24h]
		mov	edi, 706D644Ch
		test	eax, eax
		jz	short loc_961D56
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+24h], ebx

loc_961D56:				; CODE XREF: IopLiveDumpFreeDumpBuffers(x)+64j
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_961D67
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+28h], ebx

loc_961D67:				; CODE XREF: IopLiveDumpFreeDumpBuffers(x)+75j
		mov	[esi+20h], ebx
		mov	[esi+14h], ebx
		mov	[esi], ebx
		mov	[esi+4], ebx
		mov	[esi+8], ebx
		mov	[esi+0Ch], ebx

loc_961D78:				; CODE XREF: IopLiveDumpFreeDumpBuffers(x)+9j
		pop	edi
		pop	esi
		pop	ebx
		retn
_IopLiveDumpFreeDumpBuffers@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpFreeMappingResources(x)
_IopLiveDumpFreeMappingResources@4 proc	near
					; CODE XREF: IopLiveDumpAllocateMappingResources(x)+3Cp
					; IopLiveDumpReleaseResources(x)+16p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+204h], 0
		jz	short loc_961DE4
		push	edi
		xor	edi, edi
		cmp	[esi+200h], edi
		jbe	short loc_961DC5
		push	ebx

loc_961D96:				; CODE XREF: IopLiveDumpFreeMappingResources(x)+46j
		mov	ebx, [esi+204h]
		mov	ecx, [ebx+edi*8]
		test	ecx, ecx
		jz	short loc_961DAD
		mov	edx, 10000h
		call	_MmReleaseDumpHibernateResources@8 ; MmReleaseDumpHibernateResources(x,x)

loc_961DAD:				; CODE XREF: IopLiveDumpFreeMappingResources(x)+25j
		mov	eax, [ebx+edi*8+4]
		test	eax, eax
		jz	short loc_961DBB
		push	eax
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_961DBB:				; CODE XREF: IopLiveDumpFreeMappingResources(x)+37j
		inc	edi
		cmp	edi, [esi+200h]
		jb	short loc_961D96
		pop	ebx

loc_961DC5:				; CODE XREF: IopLiveDumpFreeMappingResources(x)+17j
		push	706D644Ch
		push	dword ptr [esi+204h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+204h], 0
		and	dword ptr [esi+200h], 0
		pop	edi

loc_961DE4:				; CODE XREF: IopLiveDumpFreeMappingResources(x)+Cj
		pop	esi
		retn
_IopLiveDumpFreeMappingResources@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpInitRegistrySettings(x)
_IopLiveDumpInitRegistrySettings@4 proc	near
					; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+26Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	76h
		pop	eax
		push	78h
		mov	word ptr [ebp+var_10], ax
		xor	edi, edi
		pop	eax
		push	edi
		mov	word ptr [ebp+var_10+2], ax
		mov	esi, ecx
		push	20019h
		lea	eax, [ebp+var_10]
		mov	[ebp+var_C], offset ??_C@_1HI@GBCIFIH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_4], edi
		call	IopOpenRegistryKey
		test	eax, eax
		jns	short loc_961E3F
		and	dword ptr [esi+30h], 0FFFFFC5Fh
		mov	dword ptr [esi+2ACh], 2
		jmp	loc_961FB3
; 

loc_961E3F:				; CODE XREF: IopLiveDumpInitRegistrySettings(x)+41j
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		pop	ebx
		push	ebx
		mov	edx, offset ??_C@_1CO@DFPMJEGC@?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo@NNGAKEGL@
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_961E84
		mov	ecx, [ebp+var_4]
		cmp	[ecx+4], ebx
		jnz	short loc_961E84
		cmp	[ecx+0Ch], ebx
		jnz	short loc_961E84
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		cmp	eax, 1
		jz	short loc_961E80
		push	2
		pop	ecx
		cmp	eax, ecx
		jz	short loc_961E80
		cmp	eax, 3
		jz	short loc_961E80
		cmp	eax, ebx
		jnz	short loc_961E87

loc_961E80:				; CODE XREF: IopLiveDumpInitRegistrySettings(x)+88j
					; IopLiveDumpInitRegistrySettings(x)+8Fj ...
		mov	ecx, eax
		jmp	short loc_961E87
; 

loc_961E84:				; CODE XREF: IopLiveDumpInitRegistrySettings(x)+70j
					; IopLiveDumpInitRegistrySettings(x)+78j ...
		push	2
		pop	ecx

loc_961E87:				; CODE XREF: IopLiveDumpInitRegistrySettings(x)+98j
					; IopLiveDumpInitRegistrySettings(x)+9Cj
		lea	eax, [ebp+var_4]
		mov	[esi+2ACh], ecx
		mov	ecx, [ebp+var_8]
		mov	edx, offset ??_C@_1DE@IDANIFDM@?$AAM?$AAi?$AAr?$AAr?$AAo?$AAr?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAP?$AAa?$AAr@NNGAKEGL@ ; "MirrorSystemPartitionOnly"
		push	eax
		push	ebx
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_961ECA
		mov	ecx, [ebp+var_4]
		cmp	[ecx+4], ebx
		jnz	short loc_961ECA
		cmp	[ecx+0Ch], ebx
		jnz	short loc_961ECA
		mov	eax, [ecx+8]
		mov	ecx, [ecx+eax]
		mov	eax, [esi+30h]
		neg	ecx
		sbb	ecx, ecx
		and	eax, 0FFFFFFDFh
		and	ecx, 20h
		or	ecx, eax
		mov	[esi+30h], ecx
		jmp	short loc_961ECE
; 

loc_961ECA:				; CODE XREF: IopLiveDumpInitRegistrySettings(x)+BBj
					; IopLiveDumpInitRegistrySettings(x)+C3j ...
		and	dword ptr [esi+30h], 0FFFFFFDFh

loc_961ECE:				; CODE XREF: IopLiveDumpInitRegistrySettings(x)+E2j
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		mov	edx, offset ??_C@_1CM@PEONNGOP@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAI?$AAn?$AAs?$AAt?$AAr?$AAu?$AAm?$AAe?$AAn@NNGAKEGL@
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_961F10
		mov	ecx, [ebp+var_4]
		cmp	[ecx+4], ebx
		jnz	short loc_961F10
		cmp	[ecx+0Ch], ebx
		jnz	short loc_961F10
		mov	eax, [ecx+8]
		mov	ecx, [ecx+eax]
		mov	eax, [esi+30h]
		neg	ecx
		sbb	ecx, ecx
		and	eax, 0FFFFFF7Fh
		and	ecx, 80h
		or	ecx, eax
		mov	[esi+30h], ecx
		jmp	short loc_961F17
; 

loc_961F10:				; CODE XREF: IopLiveDumpInitRegistrySettings(x)+FCj
					; IopLiveDumpInitRegistrySettings(x)+104j ...
		and	dword ptr [esi+30h], 0FFFFFF7Fh

loc_961F17:				; CODE XREF: IopLiveDumpInitRegistrySettings(x)+128j
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		mov	edx, offset ??_C@_1DA@KAEFOLN@?$AAS?$AAk?$AAi?$AAp?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAi?$AAn?$AAg?$AAI?$AAn@NNGAKEGL@
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_961F59
		mov	ecx, [ebp+var_4]
		cmp	[ecx+4], ebx
		jnz	short loc_961F59
		cmp	[ecx+0Ch], ebx
		jnz	short loc_961F59
		mov	eax, [ecx+8]
		mov	ecx, [ecx+eax]
		mov	eax, [esi+30h]
		neg	ecx
		sbb	ecx, ecx
		and	eax, 0FFFFFEFFh
		and	ecx, 100h
		or	ecx, eax
		mov	[esi+30h], ecx
		jmp	short loc_961F60
; 

loc_961F59:				; CODE XREF: IopLiveDumpInitRegistrySettings(x)+145j
					; IopLiveDumpInitRegistrySettings(x)+14Dj ...
		and	dword ptr [esi+30h], 0FFFFFEFFh

loc_961F60:				; CODE XREF: IopLiveDumpInitRegistrySettings(x)+171j
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		mov	edx, offset ??_C@_1BK@PDBCOOKL@?$AAD?$AAu?$AAm?$AAp?$AAF?$AAi?$AAl?$AAe?$AAS?$AAi?$AAz?$AAe@NNGAKEGL@
		call	IopGetRegistryValue
		mov	edi, [ebp+var_4]
		test	eax, eax
		js	short loc_961FAC
		cmp	[edi+4], ebx
		jnz	short loc_961FAC
		cmp	[edi+0Ch], ebx
		jnz	short loc_961FAC
		mov	eax, [edi+8]
		mov	ecx, 400h
		mov	eax, [eax+edi]
		mul	ecx
		shld	edx, eax, 0Ah
		shl	eax, 0Ah
		or	dword ptr [esi+30h], 200h
		mov	[esi+2B0h], eax
		mov	[esi+2B4h], edx
		jmp	short loc_961FB3
; 

loc_961FAC:				; CODE XREF: IopLiveDumpInitRegistrySettings(x)+191j
					; IopLiveDumpInitRegistrySettings(x)+196j ...
		and	dword ptr [esi+30h], 0FFFFFDFFh

loc_961FB3:				; CODE XREF: IopLiveDumpInitRegistrySettings(x)+54j
					; IopLiveDumpInitRegistrySettings(x)+1C4j
		cmp	[ebp+var_8], 0
		jz	short loc_961FC1
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_961FC1:				; CODE XREF: IopLiveDumpInitRegistrySettings(x)+1D1j
		test	edi, edi
		jz	short loc_961FCD
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_961FCD:				; CODE XREF: IopLiveDumpInitRegistrySettings(x)+1DDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopLiveDumpInitRegistrySettings@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpLockPages()
_IopLiveDumpLockPages@0	proc near	; CODE XREF: IopLiveDumpCorralProcessors(x)+4Fp
		mov	ecx, ds:_ExPageLockHandle
		xor	edx, edx
		inc	edx
		jmp	MiLockPagableImageSection
_IopLiveDumpLockPages@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpReleaseResources(x)
_IopLiveDumpReleaseResources@4 proc near ; CODE	XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+6C1p
					; IoDiscardDeferredLiveDumpData(x)+19p	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	loc_9621A5
		call	_IopLiveDumpFreeMappingResources@4 ; IopLiveDumpFreeMappingResources(x)
		mov	eax, [esi+180h]
		xor	ebx, ebx
		mov	edi, 706D644Ch
		test	eax, eax
		jz	short loc_962019
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+180h], ebx

loc_962019:				; CODE XREF: IopLiveDumpReleaseResources(x)+2Aj
		mov	eax, [esi+190h]
		test	eax, eax
		jz	short loc_962030
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+190h], ebx

loc_962030:				; CODE XREF: IopLiveDumpReleaseResources(x)+41j
		mov	eax, [esi+1ACh]
		test	eax, eax
		jz	short loc_962047
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+1ACh], ebx

loc_962047:				; CODE XREF: IopLiveDumpReleaseResources(x)+58j
		mov	eax, [esi+1B8h]
		test	eax, eax
		jz	short loc_96205E
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+1B8h], ebx

loc_96205E:				; CODE XREF: IopLiveDumpReleaseResources(x)+6Fj
		mov	ecx, [esi+54h]
		test	ecx, ecx
		jz	short loc_962070
		mov	edx, [esi+58h]
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)
		mov	[esi+54h], ebx

loc_962070:				; CODE XREF: IopLiveDumpReleaseResources(x)+83j
		mov	ecx, [esi+270h]
		test	ecx, ecx
		jz	short loc_96208B
		mov	edx, [esi+274h]
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)
		mov	[esi+270h], ebx

loc_96208B:				; CODE XREF: IopLiveDumpReleaseResources(x)+98j
		mov	ecx, [esi+24Ch]
		test	ecx, ecx
		jz	short loc_9620A6
		mov	edx, [esi+250h]
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)
		mov	[esi+24Ch], ebx

loc_9620A6:				; CODE XREF: IopLiveDumpReleaseResources(x)+B3j
		lea	ecx, [esi+1C0h]
		call	_IopLiveDumpFreeDumpBuffers@4 ;	IopLiveDumpFreeDumpBuffers(x)
		mov	eax, [esi+208h]
		test	eax, eax
		jz	short loc_9620C7
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	[esi+208h], ebx

loc_9620C7:				; CODE XREF: IopLiveDumpReleaseResources(x)+D9j
		mov	eax, [esi+20Ch]
		test	eax, eax
		jz	short loc_9620DD
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	[esi+20Ch], ebx

loc_9620DD:				; CODE XREF: IopLiveDumpReleaseResources(x)+EFj
		mov	eax, [esi+210h]
		test	eax, eax
		jz	short loc_9620F3
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	[esi+210h], ebx

loc_9620F3:				; CODE XREF: IopLiveDumpReleaseResources(x)+105j
		mov	ecx, [esi+298h]
		test	ecx, ecx
		jz	short loc_962108
		call	ObfDereferenceObject
		mov	[esi+298h], ebx

loc_962108:				; CODE XREF: IopLiveDumpReleaseResources(x)+11Bj
		mov	eax, [esi+294h]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_962120
		push	ebx
		push	eax
		call	ObCloseHandle
		mov	[esi+294h], ebx

loc_962120:				; CODE XREF: IopLiveDumpReleaseResources(x)+131j
		mov	eax, [esi+2A0h]
		test	eax, eax
		jz	short loc_962177
		mov	edi, ebx
		cmp	[esi+29Ch], ebx
		jbe	short loc_96215F

loc_962134:				; CODE XREF: IopLiveDumpReleaseResources(x)+177j
		mov	eax, [esi+2A0h]
		push	706D644Ch
		push	dword ptr [eax+edi*4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+2A0h]
		mov	[eax+edi*4], ebx
		inc	edi
		cmp	edi, [esi+29Ch]
		jb	short loc_962134
		mov	eax, [esi+2A0h]

loc_96215F:				; CODE XREF: IopLiveDumpReleaseResources(x)+152j
		mov	edi, 706D644Ch
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+2A0h], ebx
		mov	[esi+29Ch], ebx

loc_962177:				; CODE XREF: IopLiveDumpReleaseResources(x)+148j
		mov	eax, [esi+2A4h]
		test	eax, eax
		jz	short loc_96218E
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+2A4h], ebx

loc_96218E:				; CODE XREF: IopLiveDumpReleaseResources(x)+19Fj
		mov	eax, [esi+2A8h]
		test	eax, eax
		jz	short loc_9621A5
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+2A8h], ebx

loc_9621A5:				; CODE XREF: IopLiveDumpReleaseResources(x)+10j
					; IopLiveDumpReleaseResources(x)+1B6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_IopLiveDumpReleaseResources@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpValidateCancelObject(x)
_IopLiveDumpValidateCancelObject@4 proc	near
					; CODE XREF: IopLiveDumpValidateParameters(x,x,x)+74p
		test	ecx, ecx
		jz	short loc_9621F5
		lea	eax, [ecx-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [ecx-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		cmp	eax, ds:_ExEventObjectType
		jz	short loc_9621F5
		cmp	eax, ds:_PsProcessType
		jz	short loc_9621F5
		cmp	eax, ds:_PsThreadType
		jz	short loc_9621F5
		cmp	eax, ds:_ExTimerObjectType
		jz	short loc_9621F5
		mov	eax, 0C000000Dh
		retn
; 

loc_9621F5:				; CODE XREF: IopLiveDumpValidateCancelObject(x)+2j
					; IopLiveDumpValidateCancelObject(x)+29j ...
		xor	eax, eax
		retn
_IopLiveDumpValidateCancelObject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpValidateDumpFileHandle(x)
_IopLiveDumpValidateDumpFileHandle@4 proc near
					; CODE XREF: IopLiveDumpValidateParameters(x,x,x)+5Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		test	ecx, ecx
		jz	short loc_962236
		push	10h
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	ecx
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		test	eax, eax
		js	short locret_96223B
		mov	eax, [ebp+var_C]
		test	eax, eax
		js	short locret_96223B
		test	byte ptr [ebp+var_4], 30h
		jz	short loc_962236
		xor	eax, eax
		leave
		retn
; 

loc_962236:				; CODE XREF: IopLiveDumpValidateDumpFileHandle(x)+15j
					; IopLiveDumpValidateDumpFileHandle(x)+38j
		mov	eax, 0C000000Dh

locret_96223B:				; CODE XREF: IopLiveDumpValidateDumpFileHandle(x)+2Bj
					; IopLiveDumpValidateDumpFileHandle(x)+32j
		leave
		retn
_IopLiveDumpValidateDumpFileHandle@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpValidateParameters(x, x,	x)
_IopLiveDumpValidateParameters@12 proc near
					; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+321p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		mov	[ebp+var_4], edx
		test	ebx, ebx
		jnz	short loc_962256

loc_96224F:				; CODE XREF: IopLiveDumpValidateParameters(x,x,x)+1Cj
					; IopLiveDumpValidateParameters(x,x,x)+22j ...
		mov	eax, 0C000000Dh
		jmp	short loc_9622D1
; 

loc_962256:				; CODE XREF: IopLiveDumpValidateParameters(x,x,x)+10j
		cmp	dword ptr [ebx], 1
		jnz	short loc_96224F
		cmp	dword ptr [ebx+4], 24h
		jb	short loc_96224F
		mov	eax, [ebx+14h]
		cmp	eax, 2
		jnb	short loc_96224F
		push	esi
		lea	esi, [ebx+18h]
		mov	[edx+18h], eax
		mov	ecx, esi
		call	_IopLiveDumpValidateSecondaryData@4 ; IopLiveDumpValidateSecondaryData(x)
		test	eax, eax
		js	short loc_9622D0
		push	edi
		lea	edi, [edx+1Ch]
		movsd
		movsd
		movsd
		mov	eax, [ebx+10h]
		pop	edi
		cmp	eax, 20h
		jb	short loc_962292
		mov	eax, 0C000000Dh
		jmp	short loc_9622D0
; 

loc_962292:				; CODE XREF: IopLiveDumpValidateParameters(x,x,x)+4Cj
		test	al, 3
		jnz	short loc_9622CB
		mov	[edx+14h], eax
		mov	ecx, [ebx+8]
		call	_IopLiveDumpValidateDumpFileHandle@4 ; IopLiveDumpValidateDumpFileHandle(x)
		mov	esi, [ebp+var_4]
		test	eax, eax
		js	short loc_9622C5
		mov	eax, [ebx+8]
		mov	[esi+28h], eax
		mov	ecx, [ebx+0Ch]
		call	_IopLiveDumpValidateCancelObject@4 ; IopLiveDumpValidateCancelObject(x)
		test	eax, eax
		js	short loc_9622BF
		mov	[esi+2Ch], ecx
		jmp	short loc_9622D0
; 

loc_9622BF:				; CODE XREF: IopLiveDumpValidateParameters(x,x,x)+7Bj
		and	dword ptr [esi+2Ch], 0
		jmp	short loc_9622D0
; 

loc_9622C5:				; CODE XREF: IopLiveDumpValidateParameters(x,x,x)+69j
		and	dword ptr [esi+28h], 0
		jmp	short loc_9622D0
; 

loc_9622CB:				; CODE XREF: IopLiveDumpValidateParameters(x,x,x)+57j
		mov	eax, 0C0000002h

loc_9622D0:				; CODE XREF: IopLiveDumpValidateParameters(x,x,x)+3Cj
					; IopLiveDumpValidateParameters(x,x,x)+53j ...
		pop	esi

loc_9622D1:				; CODE XREF: IopLiveDumpValidateParameters(x,x,x)+17j
		pop	ebx
		leave
		retn	4
_IopLiveDumpValidateParameters@12 endp


;  S U B	R O U T	I N E 


; __stdcall IopLiveDumpValidateSecondaryData(x)
_IopLiveDumpValidateSecondaryData@4 proc near
					; CODE XREF: IopLiveDumpValidateParameters(x,x,x)+35p
		xor	eax, eax
		cmp	[ecx+4], eax
		jnz	short loc_9622FD
		cmp	[ecx], eax
		jnz	short loc_9622FD
		mov	ecx, [ecx+8]
		jmp	short loc_9622F8
; 

loc_9622E6:				; CODE XREF: IopLiveDumpValidateSecondaryData(x)+24j
		cmp	[ecx+18h], eax
		jnz	short loc_9622FD
		cmp	[ecx+10h], eax
		jz	short loc_9622FD
		cmp	[ecx+14h], eax
		jz	short loc_9622FD
		mov	ecx, [ecx+1Ch]

loc_9622F8:				; CODE XREF: IopLiveDumpValidateSecondaryData(x)+Ej
		test	ecx, ecx
		jnz	short loc_9622E6
		retn
; 

loc_9622FD:				; CODE XREF: IopLiveDumpValidateSecondaryData(x)+5j
					; IopLiveDumpValidateSecondaryData(x)+9j ...
		mov	eax, 0C000000Dh
		retn
_IopLiveDumpValidateSecondaryData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpWriteBuffer(x, x, x, x, x, x)
_IopLiveDumpWriteBuffer@24 proc	near	; CODE XREF: IopLiveDumpWriteDumpFile(x)+D5p
					; IopLiveDumpWriteDumpFile(x)+27Ep ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	[ebp+var_4], ecx
		mov	ebx, edx
		xor	ecx, ecx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		cmp	[eax+240h], cl
		jz	short loc_962348
		cmp	[ebp+arg_C], cl
		jnz	short loc_962348
		lea	eax, [ebp+var_14]
		push	eax
		push	ecx
		push	edi
		push	ebx
		push	ecx
		push	edi
		push	ebx
		call	_SecureDump_Encrypt_DmpData@28 ; SecureDump_Encrypt_DmpData(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_962371
		xor	ecx, ecx

loc_962348:				; CODE XREF: IopLiveDumpWriteBuffer(x,x,x,x,x,x)+29j
					; IopLiveDumpWriteBuffer(x,x,x,x,x,x)+2Ej
		push	esi
		mov	esi, [ebp+arg_4]
		lea	eax, [ebp+var_C]
		push	ecx
		push	esi
		push	edi
		push	ebx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_4]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_962370
		mov	eax, [ebp+var_C]
		test	eax, eax
		js	short loc_962370
		add	[esi], edi
		adc	dword ptr [esi+4], 0

loc_962370:				; CODE XREF: IopLiveDumpWriteBuffer(x,x,x,x,x,x)+5Ej
					; IopLiveDumpWriteBuffer(x,x,x,x,x,x)+65j
		pop	esi

loc_962371:				; CODE XREF: IopLiveDumpWriteBuffer(x,x,x,x,x,x)+41j
		pop	edi
		pop	ebx
		leave
		retn	10h
_IopLiveDumpWriteBuffer@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpWriteDumpFile(x)
_IopLiveDumpWriteDumpFile@4 proc near	; CODE XREF: IoCaptureLiveDump(x,x,x,x,x,x,x)+476p
					; IoWriteDeferredLiveDumpData(x)+3Ap

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_24]
		xor	eax, eax
		push	8
		pop	ecx
		cmp	byte ptr [ebx+240h], 0
		lea	esi, [ebx+1C0h]
		rep stosd
		push	8
		pop	ecx
		lea	edi, [ebp+var_44]
		mov	[ebp+var_70], eax
		rep stosd
		mov	ecx, [ebx+28h]
		mov	[ebp+var_6C], eax
		mov	[ebp+var_58], eax
		mov	eax, [ebx+180h]
		mov	[ebp+var_64], esi
		mov	[ebp+var_60], eax
		mov	[ebp+var_54], ecx
		jz	short loc_9623E0
		mov	ecx, [ebx+248h]
		xor	edx, edx
		add	ecx, [eax+1020h]
		adc	edx, [eax+1024h]
		jmp	short loc_9623EC
; 

loc_9623E0:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+51j
		mov	ecx, [eax+1020h]
		mov	edx, [eax+1024h]

loc_9623EC:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+67j
		mov	[ebp+var_50], ecx
		xor	edi, edi
		mov	ecx, large fs:124h
		mov	[ebp+var_4C], edx
		mov	[ebp+var_5C], ecx
		cmp	[esi+1Ch], edi
		jbe	loc_9624C1

loc_962407:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+131j
		mov	eax, [ebx+2Ch]
		test	eax, eax
		jz	short loc_962418
		cmp	dword ptr [eax+4], 0
		jnz	loc_9624AD

loc_962418:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+95j
		mov	eax, [ecx+2FCh]
		test	al, 1
		jnz	loc_9624B7
		mov	eax, [esi+1Ch]
		dec	eax
		cmp	edi, eax
		jnb	short loc_962435
		mov	eax, _BufferChunkSizeInBytes
		jmp	short loc_96243B
; 

loc_962435:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+B5j
		mov	eax, [esi+14h]
		shl	eax, 0Ch

loc_96243B:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+BCj
		mov	edx, [esi+24h]
		lea	ecx, [ebp+var_50]
		push	0
		push	ebx
		push	ecx
		mov	edx, [edx+edi*4]
		mov	ecx, [ebp+var_54]
		push	eax
		call	_IopLiveDumpWriteBuffer@24 ; IopLiveDumpWriteBuffer(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_962635
		lea	esi, [ebx+1C0h]
		mov	eax, [esi+28h]
		mov	eax, [eax+edi*4]
		test	eax, eax
		jz	short loc_962487
		push	eax
		call	_MmFreePagesFromMdl@4 ;	MmFreePagesFromMdl(x)
		mov	eax, [esi+28h]
		push	0
		push	dword ptr [eax+edi*4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+28h]
		and	dword ptr [eax+edi*4], 0
		jmp	short loc_962498
; 

loc_962487:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+F2j
		mov	ecx, [esi+24h]
		mov	edx, _BufferChunkSizeInBytes
		mov	ecx, [ecx+edi*4]
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)

loc_962498:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+10Ej
		mov	eax, [esi+24h]
		and	dword ptr [eax+edi*4], 0
		inc	edi
		cmp	edi, [esi+1Ch]
		jnb	short loc_9624C1
		mov	ecx, [ebp+var_5C]
		jmp	loc_962407
; 

loc_9624AD:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+9Bj
		mov	esi, 0C0000120h
		jmp	loc_962635
; 

loc_9624B7:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+A9j
		mov	esi, 0C000004Bh
		jmp	loc_962635
; 

loc_9624C1:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+8Aj
					; IopLiveDumpWriteDumpFile(x)+12Cj
		lea	eax, [ebx+178h]
		push	eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	ecx, [ebx+290h]
		mov	[ebp+var_5C], eax
		test	ecx, ecx
		jz	short loc_9624FF
		mov	eax, [ebx+28Ch]
		lea	esi, [ebx+27Ch]
		lea	edi, [ebp+var_24]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+var_14], eax
		mov	eax, [ebx+24h]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_10], ecx
		mov	[ebx+24h], eax

loc_9624FF:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+161j
		mov	ecx, [ebx+26Ch]
		test	ecx, ecx
		jz	short loc_96252E
		mov	eax, [ebx+268h]
		lea	esi, [ebx+258h]
		lea	edi, [ebp+var_44]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+var_34], eax
		mov	eax, [ebx+24h]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_30], ecx
		mov	[ebx+24h], eax

loc_96252E:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+190j
		mov	ecx, [ebp+var_54]
		lea	eax, [ebp+var_70]
		push	ebx
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		lea	edx, [ebx+1Ch]
		call	_IopLiveDumpWriteSecondaryData@20 ; IopLiveDumpWriteSecondaryData(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_962635
		mov	ecx, [ebp+var_50]
		sub	ecx, [ebx+248h]
		mov	eax, [ebp+var_4C]
		mov	edi, [ebp+var_60]
		push	0
		pop	edx
		sbb	eax, edx
		or	dword ptr [edi+8A0h], 10h
		mov	[edi+0FA4h], eax
		mov	eax, [ebp+var_5C]
		mov	[edi+0FA0h], ecx
		mov	dword ptr [edi+1000h], 504D4453h
		mov	dword ptr [edi+1004h], 504D5544h
		mov	[edi+1028h], eax
		mov	[edi+102Ch], edx
		mov	[ebp+var_4C], edx
		cmp	[ebx+240h], dl
		jz	short loc_9625DF
		mov	eax, [ebx+248h]
		push	706D644Ch
		push	eax
		push	200h
		mov	[ebp+var_50], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_58], eax
		test	eax, eax
		jnz	short loc_9625C8
		mov	esi, 0C000009Ah
		jmp	short loc_962635
; 

loc_9625C8:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+248j
		push	dword ptr [ebx+248h] ; size_t
		push	eax		; void *
		push	edi		; int
		call	_SecureDump_Get_SecureDumpHeader@12 ; SecureDump_Get_SecureDumpHeader(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_962626
		xor	edx, edx
		jmp	short loc_9625E2
; 

loc_9625DF:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+228j
		mov	[ebp+var_50], edx

loc_9625E2:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+266j
		push	edx
		push	ebx
		lea	eax, [ebp+var_50]
		mov	edx, edi
		push	eax
		push	dword ptr [edi+1020h]
		mov	edi, [ebp+var_54]
		mov	ecx, edi
		call	_IopLiveDumpWriteBuffer@24 ; IopLiveDumpWriteBuffer(x,x,x,x,x,x)
		cmp	byte ptr [ebx+240h], 0
		mov	esi, eax
		jz	short loc_962626
		mov	edx, [ebp+var_58]
		lea	eax, [ebp+var_50]
		and	[ebp+var_50], 0
		mov	ecx, edi
		and	[ebp+var_4C], 0
		push	1
		push	ebx
		push	eax
		push	dword ptr [ebx+248h]
		call	_IopLiveDumpWriteBuffer@24 ; IopLiveDumpWriteBuffer(x,x,x,x,x,x)
		mov	esi, eax

loc_962626:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+262j
					; IopLiveDumpWriteDumpFile(x)+28Cj
		mov	eax, [ebp+var_58]
		test	eax, eax
		jz	short loc_962635
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_962635:				; CODE XREF: IopLiveDumpWriteDumpFile(x)+DEj
					; IopLiveDumpWriteDumpFile(x)+13Bj ...
		mov	ecx, [ebp+var_64]
		call	_IopLiveDumpFreeDumpBuffers@4 ;	IopLiveDumpFreeDumpBuffers(x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopLiveDumpWriteDumpFile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLiveDumpWriteSecondaryData(x, x,	x, x, x)
_IopLiveDumpWriteSecondaryData@20 proc near ; CODE XREF: IopLiveDumpWriteDumpFile(x)+1C6p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [edx+8]
		push	esi
		push	edi
		mov	[ebp+var_3C], eax
		xor	esi, esi
		mov	eax, [ebp+arg_4]
		xor	edi, edi
		mov	[ebp+var_48], ecx
		mov	[ebp+var_4C], eax
		test	ebx, ebx
		jz	loc_962738
		mov	eax, _NtBuildNumber
		push	10h
		pop	edx
		push	edi
		push	[ebp+arg_8]
		mov	[ebp+var_10], edx
		push	[ebp+var_3C]
		mov	[ebp+var_18], 706D7544h
		push	edx
		lea	edx, [ebp+var_18]
		mov	[ebp+var_14], 626F6C42h
		mov	[ebp+var_C], eax
		call	_IopLiveDumpWriteBuffer@24 ; IopLiveDumpWriteBuffer(x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_96273A
		mov	eax, [ebp+var_10]
		xor	edx, edx
		mov	[ebp+var_40], eax
		mov	[ebp+var_44], edx
		mov	[ebp+var_38], 20h
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx

loc_9626CF:				; CODE XREF: IopLiveDumpWriteSecondaryData(x,x,x,x,x)+E6j
		mov	ecx, [ebp+var_48]
		lea	edi, [ebp+var_34]
		mov	esi, ebx
		push	edx
		push	[ebp+arg_8]
		lea	edx, [ebp+var_38]
		push	[ebp+var_3C]
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebx+14h]
		push	[ebp+var_38]
		mov	[ebp+var_24], eax
		call	_IopLiveDumpWriteBuffer@24 ; IopLiveDumpWriteBuffer(x,x,x,x,x,x)
		mov	esi, [ebp+var_40]
		mov	ecx, eax
		mov	edi, [ebp+var_44]
		test	ecx, ecx
		js	short loc_96273A
		add	esi, [ebp+var_38]
		mov	edx, [ebx+10h]
		mov	ecx, [ebp+var_48]
		adc	edi, 0
		push	0
		push	[ebp+arg_8]
		push	[ebp+var_3C]
		push	dword ptr [ebx+14h]
		call	_IopLiveDumpWriteBuffer@24 ; IopLiveDumpWriteBuffer(x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_96273A
		add	esi, [ebx+14h]
		mov	ebx, [ebx+1Ch]
		push	0
		pop	edx
		adc	edi, edx
		mov	[ebp+var_40], esi
		mov	[ebp+var_44], edi
		test	ebx, ebx
		jnz	short loc_9626CF
		jmp	short loc_96273A
; 

loc_962738:				; CODE XREF: IopLiveDumpWriteSecondaryData(x,x,x,x,x)+2Dj
		xor	ecx, ecx

loc_96273A:				; CODE XREF: IopLiveDumpWriteSecondaryData(x,x,x,x,x)+63j
					; IopLiveDumpWriteSecondaryData(x,x,x,x,x)+AFj	...
		mov	edx, [ebp+var_4C]
		test	edx, edx
		jz	short loc_962746
		mov	[edx], esi
		mov	[edx+4], edi

loc_962746:				; CODE XREF: IopLiveDumpWriteSecondaryData(x,x,x,x,x)+F1j
		mov	eax, ecx
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_IopLiveDumpWriteSecondaryData@20 endp


;  S U B	R O U T	I N E 


; __stdcall IopErrorLogQueueRequest()
_IopErrorLogQueueRequest@0 proc	near	; CODE XREF: IopErrorLogConnectSession():loc_868870p
					; IopErrorLogThread+A076Ap
		mov	edi, edi
		push	edi
		push	48h
		pop	edx
		mov	ecx, 200h
		call	sub_610570
		mov	edi, eax
		test	edi, edi
		jnz	short loc_962776
		mov	_IopErrorLogSessionPending, al
		pop	edi
		retn
; 

loc_962776:				; CODE XREF: IopErrorLogQueueRequest()+14j
		push	esi
		push	0
		push	offset _IopErrorLogDpc@16 ; IopErrorLogDpc(x,x,x,x)
		push	edi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	0
		lea	esi, [edi+20h]
		push	esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	edi
		push	7D0h
		push	0
		push	0FFFFFFFFh
		push	0EE1E5D00h
		push	esi
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		pop	esi
		pop	edi
		retn
_IopErrorLogQueueRequest@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoEnumerateEnvironmentVariablesEx(x, x, x, x)
_IoEnumerateEnvironmentVariablesEx@16 proc near
					; CODE XREF: NtEnumerateBootEntries(x,x)+187p
					; NtEnumerateDriverEntries(x,x)+12Cp ...

var_9A		= byte ptr -9Ah
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+84h+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+84h+var_78], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[esp+88h+var_7C], eax
		mov	ebx, ecx
		xor	eax, eax
		lea	ecx, [esp+88h+var_70]
		push	esi
		mov	[esp+8Ch+var_74], eax
		mov	esi, edx
		mov	[esp+8Ch+var_70], eax
		lea	edx, [esp+8Ch+var_74]
		mov	[esp+8Ch+var_6C], eax
		lea	eax, [esp+8Ch+var_6C]
		push	edi
		push	eax
		mov	[esp+94h+var_80], esi
		call	_IopOpenSystemVariableDevice@12	; IopOpenSystemVariableDevice(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_96282D
		push	[esp+90h+var_7C]
		mov	eax, [esp+94h+var_6C]
		push	[esp+94h+var_78]
		push	esi
		mov	esi, [esp+9Ch+var_70]
		push	ebx
		push	[esp+0A0h+var_74]
		push	esi
		call	dword ptr [eax+8]
		mov	edi, eax
		test	esi, esi
		jz	short loc_962829
		mov	ecx, esi
		call	ObfDereferenceObject

loc_962829:				; CODE XREF: IoEnumerateEnvironmentVariablesEx(x,x,x,x)+79j
		mov	esi, [esp+0A8h+var_98]

loc_96282D:				; CODE XREF: IoEnumerateEnvironmentVariablesEx(x,x,x,x)+59j
		cmp	dword_6B2D08, 5
		jbe	loc_9628EF
		push	2000h
		push	0
		mov	ecx, offset dword_6B2D08
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9628EF
		lea	eax, [esp+0A8h+var_90]
		mov	[esp+0A8h+var_90], ebx
		mov	[esp+0A8h+var_60], eax
		xor	edx, edx
		mov	eax, [esp+0A8h+var_94]
		test	esi, esi
		push	4
		pop	ecx
		mov	[esp+0A8h+var_5C], edx
		setnz	byte ptr [esp+0Fh]
		mov	eax, [eax]
		mov	[esp+0A8h+var_94], eax
		lea	eax, [esp+0A8h+var_94]
		mov	[esp+0A8h+var_50], eax
		lea	eax, [esp+0A8h+var_98]
		mov	[esp+0A8h+var_40], eax
		lea	eax, [esp+0Fh]
		mov	[esp+0A8h+var_30], eax
		lea	eax, [esp+0A8h+var_80]
		push	eax
		push	6
		push	edx
		push	edx
		push	offset loc_41BFA0
		push	offset dword_6B2D08
		mov	[esp+0C0h+var_58], ecx
		mov	[esp+0C0h+var_54], edx
		mov	[esp+0C0h+var_4C], edx
		mov	[esp+0C0h+var_48], ecx
		mov	[esp+0C0h+var_44], edx
		mov	[esp+0C0h+var_98], edi
		mov	[esp+0C0h+var_3C], edx
		mov	[esp+0C0h+var_38], ecx
		mov	[esp+0C0h+var_34], edx
		mov	[esp+0C0h+var_2C], edx
		mov	[esp+0C0h+var_28], 1
		mov	[esp+0C0h+var_24], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9628EF:				; CODE XREF: IoEnumerateEnvironmentVariablesEx(x,x,x,x)+8Dj
					; IoEnumerateEnvironmentVariablesEx(x,x,x,x)+A6j
		mov	ecx, [esp+0A8h+var_1C]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_IoEnumerateEnvironmentVariablesEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetEnvironmentVariableEx(x, x, x,	x, x)
_IoGetEnvironmentVariableEx@20 proc near ; CODE	XREF: IopInitializeOfflineCrashDump+7E324p
					; ExpGetFirmwareEnvironmentVariable(x,x,x,x,x,x)+5Cp ...

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+94h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	[esp+98h+var_8C], eax
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[esp+9Ch+var_84], eax
		mov	[esp+9Ch+var_80], eax
		mov	[esp+9Ch+var_7C], eax
		lea	eax, [esp+9Ch+var_7C]
		push	edi
		mov	[esp+0A0h+var_90], edx
		lea	edx, [esp+0A0h+var_84]
		mov	[esp+0A0h+var_94], ecx
		lea	ecx, [esp+0A0h+var_80]
		push	eax
		mov	[esp+0A4h+var_88], 0DEADBEEFh
		call	_IopOpenSystemVariableDevice@12	; IopOpenSystemVariableDevice(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9629A2
		lea	eax, [esp+0A0h+var_88]
		push	eax
		push	[esp+0A4h+var_8C]
		mov	eax, [esp+0A8h+var_7C]
		push	esi
		push	[esp+0ACh+var_90]
		mov	esi, [esp+0B0h+var_80]
		push	[esp+0B0h+var_94]
		push	[esp+0B4h+var_84]
		push	esi
		call	dword ptr [eax]
		mov	edi, eax
		test	ebx, ebx
		jz	short loc_962997
		mov	eax, [esp+0BCh+var_A4]
		mov	[ebx], eax

loc_962997:				; CODE XREF: IoGetEnvironmentVariableEx(x,x,x,x,x)+87j
		test	esi, esi
		jz	short loc_9629A2
		mov	ecx, esi
		call	ObfDereferenceObject

loc_9629A2:				; CODE XREF: IoGetEnvironmentVariableEx(x,x,x,x,x)+60j
					; IoGetEnvironmentVariableEx(x,x,x,x,x)+91j
		cmp	dword_6B2D08, 5
		jbe	loc_962A77
		push	2000h
		xor	ebx, ebx
		mov	esi, offset dword_6B2D08
		push	ebx
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_962A77
		mov	edx, [esp+0BCh+var_B0]
		lea	ecx, [esp+0BCh+var_74]
		call	_tlgCreate1Sz_wchar_t
		mov	eax, [esp+0BCh+var_AC]
		mov	[esp+0BCh+var_64], eax
		mov	eax, [esp+0BCh+var_A8]
		push	4
		pop	ecx
		mov	[esp+0BCh+var_60], ebx
		mov	eax, [eax]
		mov	[esp+0BCh+var_A8], eax
		lea	eax, [esp+0BCh+var_A8]
		mov	[esp+0BCh+var_54], eax
		mov	eax, [esp+0BCh+var_A4]
		mov	[esp+0BCh+var_AC], eax
		lea	eax, [esp+0BCh+var_AC]
		mov	[esp+0BCh+var_44], eax
		lea	eax, [esp+0BCh+var_B0]
		mov	[esp+0BCh+var_34], eax
		lea	eax, [esp+0BCh+var_94]
		push	eax
		push	7
		push	ebx
		push	ebx
		push	offset loc_41BEC5
		push	esi
		mov	[esp+0D4h+var_5C], 10h
		mov	[esp+0D4h+var_58], ebx
		mov	[esp+0D4h+var_50], ebx
		mov	[esp+0D4h+var_4C], ecx
		mov	[esp+0D4h+var_48], ebx
		mov	[esp+0D4h+var_40], ebx
		mov	[esp+0D4h+var_3C], ecx
		mov	[esp+0D4h+var_38], ebx
		mov	[esp+0D4h+var_B0], edi
		mov	[esp+0D4h+var_30], ebx
		mov	[esp+0D4h+var_2C], ecx
		mov	[esp+0D4h+var_28], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_962A77:				; CODE XREF: IoGetEnvironmentVariableEx(x,x,x,x,x)+A1j
					; IoGetEnvironmentVariableEx(x,x,x,x,x)+BDj
		mov	ecx, [esp+0BCh+var_20]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_IoGetEnvironmentVariableEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoQueryEnvironmentVariableInfoEx(x,	x, x, x)
_IoQueryEnvironmentVariableInfoEx@16 proc near
					; CODE XREF: NtQueryEnvironmentVariableInfoEx(x,x,x,x)+53p

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_88		= dword	ptr -88h
var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+9Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[esp+0A0h+var_98], eax
		mov	ebx, edx
		xor	eax, eax
		mov	[esp+0A0h+var_9C], ecx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	edx, [esp+0A4h+var_94]
		mov	[esp+0A4h+var_94], eax
		lea	ecx, [esp+0A4h+var_90]
		mov	[esp+0A4h+var_90], eax
		mov	[esp+0A4h+var_88], eax
		lea	eax, [esp+0A4h+var_88]
		push	edi
		push	eax
		mov	[esp+0ACh+var_80], esi
		call	_IopOpenSystemVariableDevice@12	; IopOpenSystemVariableDevice(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_962B14
		push	[esp+0A8h+var_98]
		mov	eax, [esp+0ACh+var_88]
		push	esi
		mov	esi, [esp+0B0h+var_90]
		push	ebx
		push	[esp+0B4h+var_9C]
		push	[esp+0B8h+var_94]
		push	esi
		call	dword ptr [eax+0Ch]
		mov	edi, eax
		test	esi, esi
		jz	short loc_962B10
		mov	ecx, esi
		call	ObfDereferenceObject

loc_962B10:				; CODE XREF: IoQueryEnvironmentVariableInfoEx(x,x,x,x)+77j
		mov	esi, [esp+0C0h+var_98]

loc_962B14:				; CODE XREF: IoQueryEnvironmentVariableInfoEx(x,x,x,x)+57j
		cmp	dword_6B2D08, 5
		jbe	loc_962C23
		push	2000h
		push	0
		mov	ecx, offset dword_6B2D08
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_962C23
		mov	eax, [esp+0C0h+var_B4]
		mov	ecx, [esp+0C0h+var_B0]
		mov	[esp+0C0h+var_B4], eax
		lea	eax, [esp+0C0h+var_B4]
		mov	[esp+0C0h+var_70], eax
		mov	eax, [ebx]
		mov	[esp+0C0h+var_98], eax
		mov	eax, [ebx+4]
		xor	ebx, ebx
		mov	[esp+0C0h+var_94], eax
		lea	eax, [esp+0C0h+var_98]
		mov	[esp+0C0h+var_60], eax
		mov	eax, [esi]
		mov	[esp+0C0h+var_A0], eax
		mov	eax, [esi+4]
		mov	[esp+0C0h+var_9C], eax
		lea	eax, [esp+0C0h+var_A0]
		and	[esp+0C0h+var_6C], 0
		and	[esp+0C0h+var_64], 0
		mov	[esp+0C0h+var_50], eax
		mov	eax, [ecx]
		mov	[esp+0C0h+var_A8], eax
		mov	eax, [ecx+4]
		mov	[esp+0C0h+var_A4], eax
		lea	eax, [esp+0C0h+var_A8]
		push	8
		pop	edx
		mov	[esp+0C0h+var_40], eax
		lea	eax, [esp+0C0h+var_B0]
		mov	[esp+0C0h+var_30], eax
		lea	eax, [esp+0C0h+var_90]
		push	eax
		push	7
		push	ebx
		push	ebx
		push	offset loc_41BF1D
		push	offset dword_6B2D08
		mov	[esp+0D8h+var_68], 4
		mov	[esp+0D8h+var_5C], ebx
		mov	[esp+0D8h+var_58], edx
		mov	[esp+0D8h+var_54], ebx
		mov	[esp+0D8h+var_4C], ebx
		mov	[esp+0D8h+var_48], edx
		mov	[esp+0D8h+var_44], ebx
		mov	[esp+0D8h+var_3C], ebx
		mov	[esp+0D8h+var_38], edx
		mov	[esp+0D8h+var_34], ebx
		mov	[esp+0D8h+var_B0], edi
		mov	[esp+0D8h+var_2C], ebx
		mov	[esp+0D8h+var_28], 4
		mov	[esp+0D8h+var_24], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_962C23:				; CODE XREF: IoQueryEnvironmentVariableInfoEx(x,x,x,x)+8Bj
					; IoQueryEnvironmentVariableInfoEx(x,x,x,x)+A4j
		mov	ecx, [esp+0C0h+var_1C]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_IoQueryEnvironmentVariableInfoEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetEnvironmentVariableEx(x, x, x,	x, x)
_IoSetEnvironmentVariableEx@20 proc near ; CODE	XREF: IopInitializeOfflineCrashDump+7E342p
					; IopInitializeInMemoryDumpData()+153p	...

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_94		= dword	ptr -94h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+8Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[esp+90h+var_84], eax
		mov	ebx, ecx
		xor	eax, eax
		lea	ecx, [esp+90h+var_7C]
		push	esi
		mov	[esp+94h+var_80], eax
		mov	esi, edx
		mov	[esp+94h+var_7C], eax
		lea	edx, [esp+94h+var_80]
		mov	[esp+94h+var_8C], eax
		lea	eax, [esp+94h+var_8C]
		push	edi
		push	eax
		mov	[esp+9Ch+var_88], esi
		call	_IopOpenSystemVariableDevice@12	; IopOpenSystemVariableDevice(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_962CBD
		push	[ebp+arg_8]
		mov	eax, [esp+9Ch+var_8C]
		push	[ebp+arg_4]
		push	[esp+0A0h+var_84]
		push	esi
		mov	esi, [esp+0A8h+var_7C]
		push	ebx
		push	[esp+0ACh+var_80]
		push	esi
		call	dword ptr [eax+4]
		mov	edi, eax
		test	esi, esi
		jz	short loc_962CB9
		mov	ecx, esi
		call	ObfDereferenceObject

loc_962CB9:				; CODE XREF: IoSetEnvironmentVariableEx(x,x,x,x,x)+74j
		mov	esi, [esp+0B4h+var_A4]

loc_962CBD:				; CODE XREF: IoSetEnvironmentVariableEx(x,x,x,x,x)+52j
		cmp	dword_6B2D08, 5
		jbe	loc_962D88
		push	2000h
		push	0
		mov	ecx, offset dword_6B2D08
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_962D88
		mov	edx, ebx
		lea	ecx, [esp+0B4h+var_74]
		call	_tlgCreate1Sz_wchar_t
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		mov	[esp+0B4h+var_A0], eax
		lea	eax, [esp+0B4h+var_A0]
		mov	[esp+0B4h+var_54], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+0B4h+var_A4], eax
		lea	eax, [esp+0B4h+var_A4]
		push	4
		pop	ecx
		mov	[esp+0B4h+var_44], eax
		lea	eax, [esp+0B4h+var_A8]
		mov	[esp+0B4h+var_34], eax
		lea	eax, [esp+0B4h+var_94]
		push	eax
		push	7
		push	edx
		push	edx
		push	offset loc_41BE6D
		push	offset dword_6B2D08
		mov	[esp+0CCh+var_64], esi
		mov	[esp+0CCh+var_60], edx
		mov	[esp+0CCh+var_5C], 10h
		mov	[esp+0CCh+var_58], edx
		mov	[esp+0CCh+var_50], edx
		mov	[esp+0CCh+var_4C], ecx
		mov	[esp+0CCh+var_48], edx
		mov	[esp+0CCh+var_40], edx
		mov	[esp+0CCh+var_3C], ecx
		mov	[esp+0CCh+var_38], edx
		mov	[esp+0CCh+var_A8], edi
		mov	[esp+0CCh+var_30], edx
		mov	[esp+0CCh+var_2C], ecx
		mov	[esp+0CCh+var_28], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_962D88:				; CODE XREF: IoSetEnvironmentVariableEx(x,x,x,x,x)+88j
					; IoSetEnvironmentVariableEx(x,x,x,x,x)+A1j
		mov	ecx, [esp+0B4h+var_20]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_IoSetEnvironmentVariableEx@20 endp


;  S U B	R O U T	I N E 


; __stdcall IopEfiStatusToNTSTATUS(x)
_IopEfiStatusToNTSTATUS@4 proc near	; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x):loc_963177p
					; IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x):loc_96328Ap ...
		mov	eax, 8000000Bh
		cmp	ecx, eax
		ja	loc_962E52
		jz	loc_962E4C
		add	eax, 0FFFFFFFAh
		cmp	ecx, eax
		ja	short loc_962E06
		jz	short loc_962E00
		test	ecx, ecx
		jz	short loc_962DFD
		cmp	ecx, 80000001h
		jz	short loc_962DF7
		cmp	ecx, 80000002h
		jz	short loc_962DF1
		cmp	ecx, 80000003h
		jz	short loc_962DEB
		cmp	ecx, 80000004h
		jnz	loc_962E9A	; default
		mov	eax, 0C0000206h
		retn
; 

loc_962DEB:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+36j
		mov	eax, 0C00000BBh
		retn
; 

loc_962DF1:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+2Ej
		mov	eax, 0C000000Dh
		retn
; 

loc_962DF7:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+26j
		mov	eax, 0C000026Ch
		retn
; 

loc_962DFD:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+1Ej
		xor	eax, eax
		retn
; 

loc_962E00:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+1Aj
		mov	eax, 0C0000023h
		retn
; 

loc_962E06:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+18j
		cmp	ecx, 80000006h
		jz	short loc_962E46
		cmp	ecx, 80000007h
		jz	short loc_962E40
		cmp	ecx, 80000008h
		jz	short loc_962E3A
		cmp	ecx, 80000009h
		jz	short loc_962E34
		cmp	ecx, 8000000Ah
		jnz	short loc_962E9A ; default
		mov	eax, 0C0000032h
		retn
; 

loc_962E34:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+83j
		mov	eax, 0C0000454h
		retn
; 

loc_962E3A:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+7Bj
		mov	eax, 0C00000A2h
		retn
; 

loc_962E40:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+73j
		mov	eax, 0C0000185h
		retn
; 

loc_962E46:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+6Bj
		mov	eax, 0C0000225h
		retn
; 

loc_962E4C:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+Dj
		mov	eax, 0C000007Fh
		retn
; 

loc_962E52:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+7j
		add	ecx, 7FFFFFF4h	; switch 15 cases
		cmp	ecx, 0Eh
		ja	short loc_962E9A ; default
		jmp	ds:off_962EA1[ecx*4] ; switch jump

loc_962E64:				; DATA XREF: PAGE:off_962EA1o
		mov	eax, 0C0000178h	; case -0x7FFFFFF4
		retn
; 

loc_962E6A:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+BCj
					; DATA XREF: PAGE:off_962EA1o
		mov	eax, 8000001Ch	; case -0x7FFFFFF3
		retn
; 

loc_962E70:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+BCj
					; DATA XREF: PAGE:off_962EA1o
		mov	eax, 0C0000100h	; case -0x7FFFFFF2
		retn
; 

loc_962E76:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+BCj
					; DATA XREF: PAGE:off_962EA1o
		mov	eax, 0C0000022h	; case -0x7FFFFFF1
		retn
; 

loc_962E7C:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+BCj
					; DATA XREF: PAGE:off_962EA1o
		mov	eax, 0C0000272h	; case -0x7FFFFFEF
		retn
; 

loc_962E82:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+BCj
					; DATA XREF: PAGE:off_962EA1o
		mov	eax, 102h	; case -0x7FFFFFF0
		retn
; 

loc_962E88:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+BCj
					; DATA XREF: PAGE:off_962EA1o
		mov	eax, 0C00000A3h	; case -0x7FFFFFED
		retn
; 

loc_962E8E:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+BCj
					; DATA XREF: PAGE:off_962EA1o
		mov	eax, 0C0000038h	; case -0x7FFFFFEC
		retn
; 

loc_962E94:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+BCj
					; DATA XREF: PAGE:off_962EA1o
		mov	eax, 0C0000240h	; case -0x7FFFFFEB
		retn
; 

loc_962E9A:				; CODE XREF: IopEfiStatusToNTSTATUS(x)+3Ej
					; IopEfiStatusToNTSTATUS(x)+8Bj ...
		mov	eax, 0C0000001h	; default
		retn
_IopEfiStatusToNTSTATUS@4 endp

; 
		db 90h
off_962EA1	dd offset loc_962E64	; DATA XREF: IopEfiStatusToNTSTATUS(x)+BCr
		dd offset loc_962E6A	; jump table for switch	statement
		dd offset loc_962E70
		dd offset loc_962E76
		dd offset loc_962E82
		dd offset loc_962E7C
		dd offset loc_962E82
		dd offset loc_962E88
		dd offset loc_962E8E
		dd offset loc_962E94
		dd offset loc_962E9A
		dd offset loc_962E9A
		dd offset loc_962E9A
		dd offset loc_962E9A
		dd offset loc_962E76

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopEnumerateEnvironmentVariablesHal(x, x, x, x, x, x)
_IopEnumerateEnvironmentVariablesHal@24	proc near

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	off_6B1408	; ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
		pop	ebp
		retn	18h
_IopEnumerateEnvironmentVariablesHal@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopEnumerateEnvironmentVariablesSysEnv(x, x, x, x, x, x)
_IopEnumerateEnvironmentVariablesSysEnv@24 proc	near

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		cmp	[ebp+arg_8], 1
		jz	short loc_962F15
		cmp	[ebp+arg_8], 2
		jz	short loc_962F15
		mov	eax, 0C000000Dh
		jmp	short locret_962F4E
; 

loc_962F15:				; CODE XREF: IopEnumerateEnvironmentVariablesSysEnv(x,x,x,x,x,x)+Ej
					; IopEnumerateEnvironmentVariablesSysEnv(x,x,x,x,x,x)+14j
		cmp	[ebp+arg_8], 2
		lea	eax, [ebp+var_4]
		push	esi
		mov	esi, [ebp+arg_14]
		mov	dl, 1
		push	eax
		lea	eax, [ebp+arg_8+3]
		mov	ecx, 52000Ch
		setz	byte ptr [ebp+arg_8+3]
		push	dword ptr [esi]
		push	[ebp+arg_10]
		push	1
		push	eax
		push	[ebp+arg_4]
		push	0
		call	_IopIssueSystemEnvironmentRequest@36 ; IopIssueSystemEnvironmentRequest(x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_962F4D
		mov	ecx, [ebp+var_4]
		mov	[esi], ecx

loc_962F4D:				; CODE XREF: IopEnumerateEnvironmentVariablesSysEnv(x,x,x,x,x,x)+4Ej
		pop	esi

locret_962F4E:				; CODE XREF: IopEnumerateEnvironmentVariablesSysEnv(x,x,x,x,x,x)+1Bj
		leave
		retn	18h
_IopEnumerateEnvironmentVariablesSysEnv@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopEnumerateEnvironmentVariablesTrEE(x, x, x, x, x,	x)
_IopEnumerateEnvironmentVariablesTrEE@24 proc near

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		cmp	[ebp+arg_8], 1
		mov	[esp+48h+var_C], edi
		jz	short loc_962F7C
		cmp	[ebp+arg_8], 2
		jz	short loc_962F7C
		mov	eax, 0C000000Dh
		jmp	loc_9632ED
; 

loc_962F7C:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+18j
					; IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+1Ej
		mov	ebx, 214h
		mov	[esp+48h+var_20], edi
		mov	edx, ebx
		mov	[esp+48h+var_24], edi
		mov	[esp+48h+var_34], edi
		mov	[esp+48h+var_10], edi
		call	sub_610D09
		mov	[esp+48h+var_38], eax
		test	eax, eax
		jnz	short loc_962FAD
		mov	ebx, [ebp+arg_10]
		mov	esi, 0C000009Ah
		jmp	loc_9632DB
; 

loc_962FAD:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+4Cj
		mov	edx, 21Ch
		call	sub_610D09
		mov	edi, eax
		mov	[esp+48h+var_2C], edi
		test	edi, edi
		jnz	short loc_962FCE

loc_962FC1:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+91j
					; IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+A9j
		mov	ebx, [ebp+arg_10]
		mov	esi, 0C000009Ah
		jmp	loc_9632A4
; 

loc_962FCE:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+6Dj
		cmp	[ebp+arg_8], 2
		jnz	short loc_962FFD
		mov	edx, ebx
		call	sub_610D09
		mov	esi, eax
		mov	[esp+48h+var_24], esi
		test	esi, esi
		jz	short loc_962FC1
		mov	esi, 110h
		mov	edx, esi
		mov	[esp+48h+var_20], esi
		call	sub_610D09
		mov	[esp+48h+var_34], eax
		test	eax, eax
		jz	short loc_962FC1

loc_962FFD:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+80j
		mov	eax, [ebp+arg_14]
		mov	ebx, [ebp+arg_10]
		push	21Ch		; size_t
		push	0		; int
		mov	ecx, [eax]
		and	dword ptr [eax], 0
		add	ecx, ebx
		push	edi		; void *
		mov	[esp+54h+var_8], ecx
		call	_memset
		mov	eax, [esp+54h+var_38]
		lea	ecx, [edi+18h]
		lea	esi, [edi+4]
		mov	[esp+54h+var_18], ebx
		add	esp, 0Ch
		mov	[esp+48h+var_1C], ebx
		mov	[esp+48h+var_30], ecx
		lea	edx, [eax+10h]
		mov	[esp+48h+var_28], esi
		mov	[esp+48h+var_14], edx
		jmp	short loc_963049
; 

loc_963041:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+176j
					; IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+32Cj
		mov	ecx, [esp+48h+var_30]
		mov	eax, [esp+48h+var_38]

loc_963049:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+EDj
		mov	edi, eax
		movsd
		movsd
		movsd
		movsd
		mov	edi, [esp+48h+var_2C]
		push	dword ptr [edi+14h] ; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		mov	eax, [edi+14h]
		add	esp, 0Ch
		mov	ecx, [esp+48h+var_38]
		xor	edx, edx
		shr	eax, 1
		mov	[ecx+eax*2+10h], dx
		lea	eax, [esp+48h+var_C]
		mov	edx, [ebp+arg_0]
		push	eax
		push	18h
		push	21Ch
		push	edi
		push	214h
		push	ecx
		push	[ebp+arg_4]
		xor	ecx, ecx
		inc	ecx
		call	_IopIssueTrEERequest@36	; IopIssueTrEERequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_963295
		mov	ecx, [edi]
		cmp	ecx, 8000000Eh
		jz	loc_963293
		test	ecx, ecx
		js	loc_96328A
		cmp	[ebp+arg_C], 0
		lea	esi, [edi+4]
		jz	short loc_9630CE
		lea	eax, [edi+18h]
		push	eax
		push	esi
		call	[ebp+arg_C]
		mov	edx, [esp+50h+var_1C]
		test	al, al
		jz	loc_963041

loc_9630CE:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+166j
		cmp	[ebp+arg_8], 2
		jnz	loc_963218
		mov	eax, [esp+50h+var_2C]
		mov	edi, eax
		add	eax, 10h
		movsd
		movsd
		movsd
		movsd
		mov	edi, [esp+50h+var_34]
		push	dword ptr [edi+14h] ; size_t
		lea	ecx, [edi+18h]
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		mov	edx, [esp+5Ch+var_3C]
		add	esp, 0Ch

loc_9630FD:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+221j
		lea	eax, [esp+50h+var_14]
		xor	ecx, ecx
		push	eax
		push	0Ch
		push	[esp+58h+var_28]
		push	edx
		mov	edx, [ebp+arg_0]
		push	214h
		push	[esp+64h+var_2C]
		push	[ebp+arg_4]
		call	_IopIssueTrEERequest@36	; IopIssueTrEERequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_963295
		mov	edx, [esp+50h+var_3C]
		mov	ecx, [edx]
		cmp	ecx, 80000005h
		jnz	short loc_963169
		test	ebx, ebx
		jz	short loc_96316D
		mov	esi, [edx+8]
		push	0
		add	esi, 10h
		push	edx
		mov	[esp+58h+var_28], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, esi
		call	sub_610D09
		mov	edx, eax
		mov	[esp+50h+var_3C], edx
		test	edx, edx
		jz	loc_963283
		mov	esi, 0C0000023h
		jmp	short loc_96316D
; 

loc_963169:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+1E3j
		test	ecx, ecx
		js	short loc_963177

loc_96316D:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+1E7j
					; IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+215j
		cmp	esi, 0C0000023h
		jz	short loc_9630FD
		jmp	short loc_96317E
; 

loc_963177:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+219j
		call	_IopEfiStatusToNTSTATUS@4 ; IopEfiStatusToNTSTATUS(x)
		mov	esi, eax

loc_96317E:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+223j
		test	esi, esi
		js	loc_963295
		mov	eax, [edi+14h]
		mov	edi, [esp+50h+var_24]
		lea	ecx, [edi+23h]
		add	ecx, eax
		and	ecx, 0FFFFFFFCh
		mov	[esp+50h+var_18], ecx
		add	ecx, 3
		add	ecx, [edx+8]
		and	ecx, 0FFFFFFFCh
		cmp	[esp+50h+var_10], ecx
		mov	[esp+50h+var_C], ecx
		sbb	eax, eax
		not	eax
		and	ebx, eax
		jz	short loc_96320A
		mov	esi, [esp+50h+var_30]
		add	edi, 10h
		mov	eax, [esp+50h+var_34]
		movsd
		movsd
		movsd
		movsd
		push	dword ptr [eax+14h] ; size_t
		mov	edi, [esp+54h+var_24]
		push	[esp+54h+var_38] ; void	*
		lea	eax, [edi+20h]
		push	eax		; void *
		call	_memcpy
		mov	ecx, [esp+5Ch+var_18]
		mov	eax, ecx
		mov	esi, [esp+5Ch+var_3C]
		sub	eax, edi
		mov	[edi+4], eax
		push	dword ptr [esi+8] ; size_t
		lea	eax, [esi+0Ch]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [esi+8]
		add	esp, 18h
		mov	ecx, [esp+50h+var_C]
		mov	[edi+8], eax
		mov	eax, [esi+4]
		mov	[edi+0Ch], eax
		mov	eax, ecx
		sub	eax, edi
		mov	[edi], eax

loc_96320A:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+25Ej
		mov	eax, ecx
		mov	[esp+50h+var_18], edi
		sub	eax, edi
		mov	[esp+50h+var_24], ecx
		jmp	short loc_963271
; 

loc_963218:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+180j
		mov	esi, [esp+50h+var_20]
		lea	ecx, [esi+17h]
		add	ecx, [edi+14h]
		and	ecx, 0FFFFFFFCh
		cmp	[esp+50h+var_10], ecx
		mov	[esp+50h+var_C], ecx
		sbb	eax, eax
		not	eax
		and	ebx, eax
		jz	short loc_963265
		mov	eax, [esp+50h+var_34]
		lea	edi, [esi+4]
		mov	esi, [esp+50h+var_30]
		movsd
		movsd
		movsd
		movsd
		push	dword ptr [eax+14h] ; size_t
		mov	esi, [esp+54h+var_20]
		push	[esp+54h+var_38] ; void	*
		lea	eax, [esi+14h]
		push	eax		; void *
		call	_memcpy
		mov	ecx, [esp+5Ch+var_C]
		add	esp, 0Ch
		mov	eax, ecx
		sub	eax, esi
		mov	[esi], eax

loc_963265:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+2E1j
		mov	eax, ecx
		mov	[esp+50h+var_18], esi
		sub	eax, esi
		mov	[esp+50h+var_20], ecx

loc_963271:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+2C4j
		mov	edx, [ebp+arg_14]
		mov	esi, [esp+50h+var_30]
		add	[edx], eax
		mov	edx, [esp+50h+var_1C]
		jmp	loc_963041
; 

loc_963283:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+20Aj
		mov	esi, 0C000009Ah
		jmp	short loc_963295
; 

loc_96328A:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+159j
		call	_IopEfiStatusToNTSTATUS@4 ; IopEfiStatusToNTSTATUS(x)
		mov	esi, eax
		jmp	short loc_963295
; 

loc_963293:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+151j
		xor	esi, esi

loc_963295:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+143j
					; IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+1D1j ...
		mov	eax, [esp+48h+var_10]
		test	eax, eax
		jz	short loc_9632A4
		test	ebx, ebx
		jz	short loc_9632A4
		and	dword ptr [eax], 0

loc_9632A4:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+77j
					; IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+349j ...
		push	0
		push	[esp+4Ch+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jz	short loc_9632BB
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9632BB:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+35Fj
		mov	eax, [esp+48h+var_24]
		xor	edi, edi
		test	eax, eax
		jz	short loc_9632CC
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9632CC:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+371j
		mov	eax, [esp+48h+var_34]
		test	eax, eax
		jz	short loc_9632DB
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9632DB:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+56j
					; IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+380j
		test	ebx, ebx
		jnz	short loc_9632EB
		mov	eax, [ebp+arg_14]
		cmp	[eax], edi
		jz	short loc_9632EB
		mov	esi, 0C0000023h

loc_9632EB:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+38Bj
					; IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+392j
		mov	eax, esi

loc_9632ED:				; CODE XREF: IopEnumerateEnvironmentVariablesTrEE(x,x,x,x,x,x)+25j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_IopEnumerateEnvironmentVariablesTrEE@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGetEnvironmentVariableHal(x, x, x, x, x,	x, x)
_IopGetEnvironmentVariableHal@28 proc near

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	ds:__imp__HalGetEnvironmentVariableEx@20 ; HalGetEnvironmentVariableEx(x,x,x,x,x)
		pop	ebp
		retn	1Ch
_IopGetEnvironmentVariableHal@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopGetEnvironmentVariableSysEnv(int,int,void *,int,void	*,int,int)
_IopGetEnvironmentVariableSysEnv@28 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_8]
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_4], ebx
		lea	edx, [ecx+2]

loc_963328:				; CODE XREF: IopGetEnvironmentVariableSysEnv(x,x,x,x,x,x,x)+1Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_963328
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, ds:2[ecx*2]
		lea	edx, [esi+14h]
		mov	[ebp+var_8], esi
		call	sub_610D09
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_963359
		mov	esi, 0C000009Ah
		jmp	loc_96340E
; 

loc_963359:				; CODE XREF: IopGetEnvironmentVariableSysEnv(x,x,x,x,x,x,x)+39j
		push	edi
		push	esi		; size_t
		push	[ebp+arg_8]	; void *
		lea	eax, [ebx+14h]
		push	eax		; void *
		call	_memcpy
		mov	esi, [ebp+arg_C]
		mov	edi, ebx
		mov	eax, [ebp+arg_14]
		add	esp, 0Ch
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_8]
		mov	[ebx+10h], esi
		mov	eax, [eax]
		add	eax, 8
		mov	edx, eax
		mov	[ebp+arg_8], eax
		call	sub_610D09
		mov	edi, eax
		test	edi, edi
		jnz	short loc_963398
		mov	esi, 0C000009Ah
		jmp	short loc_963405
; 

loc_963398:				; CODE XREF: IopGetEnvironmentVariableSysEnv(x,x,x,x,x,x,x)+7Bj
		lea	eax, [ebp+var_4]
		mov	dl, 1
		push	eax
		push	[ebp+arg_8]
		lea	eax, [esi+14h]
		mov	ecx, offset loc_520004
		push	edi
		push	eax
		push	ebx
		push	[ebp+arg_4]
		push	0
		call	_IopIssueSystemEnvironmentRequest@36 ; IopIssueSystemEnvironmentRequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9633EA
		mov	eax, [ebp+arg_18]
		test	eax, eax
		jz	short loc_9633C7
		mov	ecx, [edi]
		mov	[eax], ecx

loc_9633C7:				; CODE XREF: IopGetEnvironmentVariableSysEnv(x,x,x,x,x,x,x)+ADj
		mov	eax, [ebp+arg_14]
		mov	ecx, [edi+4]
		mov	eax, [eax]
		cmp	eax, ecx
		jb	short loc_9633D5
		mov	eax, ecx

loc_9633D5:				; CODE XREF: IopGetEnvironmentVariableSysEnv(x,x,x,x,x,x,x)+BDj
		push	eax		; size_t
		lea	eax, [edi+8]
		push	eax		; void *
		push	[ebp+arg_10]	; void *
		call	_memcpy
		mov	eax, [edi+4]
		add	esp, 0Ch
		jmp	short loc_9633F8
; 

loc_9633EA:				; CODE XREF: IopGetEnvironmentVariableSysEnv(x,x,x,x,x,x,x)+A6j
		cmp	esi, 0C0000023h
		jnz	short loc_9633FD
		mov	eax, [ebp+var_4]
		add	eax, 0FFFFFFF8h

loc_9633F8:				; CODE XREF: IopGetEnvironmentVariableSysEnv(x,x,x,x,x,x,x)+D4j
		mov	ecx, [ebp+arg_14]
		mov	[ecx], eax

loc_9633FD:				; CODE XREF: IopGetEnvironmentVariableSysEnv(x,x,x,x,x,x,x)+DCj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_963405:				; CODE XREF: IopGetEnvironmentVariableSysEnv(x,x,x,x,x,x,x)+82j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi

loc_96340E:				; CODE XREF: IopGetEnvironmentVariableSysEnv(x,x,x,x,x,x,x)+40j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_IopGetEnvironmentVariableSysEnv@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopGetEnvironmentVariableTrEE(int,int,void *,int,void *,int,int)
_IopGetEnvironmentVariableTrEE@28 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	ecx, [ebp+arg_8]
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_8], ebx
		lea	edx, [ecx+2]

loc_96342C:				; CODE XREF: IopGetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+1Fj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_96342C
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, ds:2[ecx*2]
		lea	edx, [esi+10h]
		mov	[ebp+var_C], esi
		call	sub_610D09
		mov	ebx, eax
		mov	[ebp+var_4], ebx
		test	ebx, ebx
		jnz	short loc_963460
		mov	edi, 0C000009Ah
		jmp	loc_963528
; 

loc_963460:				; CODE XREF: IopGetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+3Ej
		push	esi		; size_t
		push	[ebp+arg_8]	; void *
		lea	eax, [ebx+10h]
		push	eax		; void *
		call	_memcpy
		mov	esi, [ebp+arg_C]
		mov	edi, ebx
		mov	ebx, [ebp+arg_14]
		add	esp, 0Ch
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebx]
		add	edi, 0Ch
		mov	edx, edi
		call	sub_610D09
		mov	esi, eax
		test	esi, esi
		jnz	short loc_963495
		mov	edi, 0C000009Ah
		jmp	short loc_963512
; 

loc_963495:				; CODE XREF: IopGetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+76j
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		mov	eax, [ebp+var_C]
		xor	ecx, ecx
		push	0Ch
		push	edi
		push	esi
		add	eax, 10h
		push	eax
		push	[ebp+var_4]
		push	[ebp+arg_4]
		call	_IopIssueTrEERequest@36	; IopIssueTrEERequest(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9634BF
		and	dword ptr [ebx], 0
		jmp	short loc_963512
; 

loc_9634BF:				; CODE XREF: IopGetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+A2j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_9634F3
		mov	ecx, [ebp+arg_18]
		test	ecx, ecx
		jz	short loc_9634D1
		mov	eax, [esi+4]
		mov	[ecx], eax

loc_9634D1:				; CODE XREF: IopGetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+B4j
		mov	eax, [ebx]
		mov	ecx, [esi+8]
		cmp	eax, ecx
		jb	short loc_9634DC
		mov	eax, ecx

loc_9634DC:				; CODE XREF: IopGetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+C2j
		push	eax		; size_t
		lea	eax, [esi+0Ch]
		push	eax		; void *
		push	[ebp+arg_10]	; void *
		call	_memcpy
		mov	eax, [esi+8]
		add	esp, 0Ch
		mov	[ebx], eax
		jmp	short loc_963512
; 

loc_9634F3:				; CODE XREF: IopGetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+ADj
		cmp	eax, 80000005h
		jnz	short loc_963506
		mov	eax, [esi+8]
		mov	edi, 0C0000023h
		mov	[ebx], eax
		jmp	short loc_963512
; 

loc_963506:				; CODE XREF: IopGetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+E2j
		and	dword ptr [ebx], 0
		mov	ecx, [esi]
		call	_IopEfiStatusToNTSTATUS@4 ; IopEfiStatusToNTSTATUS(x)
		mov	edi, eax

loc_963512:				; CODE XREF: IopGetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+7Dj
					; IopGetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+A7j ...
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	short loc_963528
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_963528:				; CODE XREF: IopGetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+45j
					; IopGetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+108j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_IopGetEnvironmentVariableTrEE@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopIssueSystemEnvironmentCallout(x)
_IopIssueSystemEnvironmentCallout@4 proc near
					; DATA XREF: IopIssueSystemEnvironmentRequest(x,x,x,x,x,x,x,x,x)+82o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, [esi+4]
		mov	ecx, [esi]
		call	IofCallDriver
		mov	[esi+8], eax
		pop	esi
		pop	ebp
		retn	4
_IopIssueSystemEnvironmentCallout@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopIssueSystemEnvironmentRequest(x,	x, x, x, x, x, x, x, x)
_IopIssueSystemEnvironmentRequest@36 proc near
					; CODE XREF: IopIssueTrEERequest(x,x,x,x,x,x,x,x,x)+9Fp
					; IopEnumerateEnvironmentVariablesSysEnv(x,x,x,x,x,x)+44p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+30h+var_10]
		stosd
		mov	esi, edx
		mov	ebx, ecx
		stosd
		stosd
		stosd
		lea	eax, [esp+30h+var_10]
		xor	edi, edi
		push	edi
		push	edi
		push	eax
		mov	[esp+3Ch+var_24], edi
		mov	[esp+3Ch+var_20], edi
		mov	[esp+3Ch+var_14], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+30h+var_24]
		push	eax
		lea	eax, [esp+34h+var_10]
		push	eax
		push	esi
		push	[ebp+arg_14]
		mov	esi, [ebp+arg_4]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	esi
		push	ebx
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_9635B0
		mov	eax, 0C000009Ah
		jmp	short loc_963625
; 

loc_9635B0:				; CODE XREF: IopIssueSystemEnvironmentRequest(x,x,x,x,x,x,x,x,x)+5Bj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_9635BD
		mov	eax, [edx+60h]
		mov	[eax-0Ch], ecx

loc_9635BD:				; CODE XREF: IopIssueSystemEnvironmentRequest(x,x,x,x,x,x,x,x,x)+69j
		push	edi
		push	1
		push	0E800h
		lea	eax, [esp+3Ch+var_1C]
		mov	[esp+3Ch+var_1C], esi
		push	eax
		push	offset _IopIssueSystemEnvironmentCallout@4 ; IopIssueSystemEnvironmentCallout(x)
		mov	[esp+44h+var_18], edx
		call	_KeExpandKernelStackAndCalloutEx@20 ; KeExpandKernelStackAndCalloutEx(x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_96360F
		mov	ecx, [esp+30h+var_14]
		cmp	ecx, 103h
		jnz	short loc_963600
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [esp+40h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, [esp+30h+var_24]

loc_963600:				; CODE XREF: IopIssueSystemEnvironmentRequest(x,x,x,x,x,x,x,x,x)+A0j
		mov	edx, [ebp+arg_18]
		test	edx, edx
		jz	short loc_963623
		mov	eax, [esp+30h+var_20]
		mov	[edx], eax
		jmp	short loc_963623
; 

loc_96360F:				; CODE XREF: IopIssueSystemEnvironmentRequest(x,x,x,x,x,x,x,x,x)+94j
		cmp	ecx, 0C0000023h
		jnz	short loc_963623
		mov	eax, [ebp+arg_18]
		add	ecx, 0FFFFFFF4h
		test	eax, eax
		jz	short loc_963623
		mov	[eax], edi

loc_963623:				; CODE XREF: IopIssueSystemEnvironmentRequest(x,x,x,x,x,x,x,x,x)+B9j
					; IopIssueSystemEnvironmentRequest(x,x,x,x,x,x,x,x,x)+C1j ...
		mov	eax, ecx

loc_963625:				; CODE XREF: IopIssueSystemEnvironmentRequest(x,x,x,x,x,x,x,x,x)+62j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_IopIssueSystemEnvironmentRequest@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopOpenSystemVariableDevice(x, x, x)
_IopOpenSystemVariableDevice@12	proc near
					; CODE XREF: IoEnumerateEnvironmentVariablesEx(x,x,x,x)+50p
					; IoGetEnvironmentVariableEx(x,x,x,x,x)+57p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		test	byte ptr _IopSysEnvOverrideFlags, 1
		mov	ebx, edx
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		jz	short loc_963683
		push	offset ??_C@_1IA@DLIAHLEC@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs@NNGAKEGL@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		push	esi
		push	10000000h
		lea	eax, [ebp+var_10]
		push	eax
		call	IoGetDeviceObjectPointer
		mov	esi, eax
		test	esi, esi
		js	short loc_9636DB
		mov	ecx, [ebp+arg_0]
		mov	dword ptr [ecx], (offset loc_A3FA9B+1)
		jmp	loc_96373B
; 

loc_963683:				; CODE XREF: IopOpenSystemVariableDevice(x,x,x)+21j
		push	edi		; int
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], edi
		push	eax		; int
		push	edi		; char
		push	edi		; int
		xor	edx, edx	; int
		mov	ecx, offset _GUID_EFI_VARIABLE_SERVICE ; int
		call	IopGetDeviceInterfaces
		test	eax, eax
		js	short loc_9636E2
		mov	edi, [ebp+var_4]
		xor	eax, eax
		cmp	[edi], ax
		jz	short loc_9636E0
		push	edi
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		push	esi
		push	10000000h
		lea	eax, [ebp+var_10]
		push	eax
		call	IoGetDeviceObjectPointer
		mov	esi, eax
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	short loc_96373B
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], (offset loc_A3FA9B+1)
		jmp	short loc_96373B
; 

loc_9636DB:				; CODE XREF: IopOpenSystemVariableDevice(x,x,x)+45j
		mov	esi, [ebp+var_8]
		jmp	short loc_9636E2
; 

loc_9636E0:				; CODE XREF: IopOpenSystemVariableDevice(x,x,x)+77j
		xor	edi, edi

loc_9636E2:				; CODE XREF: IopOpenSystemVariableDevice(x,x,x)+6Dj
					; IopOpenSystemVariableDevice(x,x,x)+B0j
		push	offset ??_C@_1BO@EGCMCODO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAS?$AAy?$AAs?$AAE?$AAn?$AAv@NNGAKEGL@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		push	esi
		push	10000000h
		lea	eax, [ebp+var_10]
		push	eax
		call	IoGetDeviceObjectPointer
		mov	esi, eax
		test	esi, esi
		js	short loc_963711
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], (offset loc_A3FAAB+1)
		jmp	short loc_96373B
; 

loc_963711:				; CODE XREF: IopOpenSystemVariableDevice(x,x,x)+D6j
		cmp	esi, 0C0000033h
		jz	short loc_963729
		cmp	esi, 0C0000034h
		jz	short loc_963729
		cmp	esi, 0C000003Ah
		jnz	short loc_96373B

loc_963729:				; CODE XREF: IopOpenSystemVariableDevice(x,x,x)+E9j
					; IopOpenSystemVariableDevice(x,x,x)+F1j
		mov	eax, [ebp+var_8]
		mov	esi, edi
		mov	[eax], edi
		mov	eax, [ebp+arg_0]
		mov	[ebx], edi
		mov	dword ptr [eax], offset	_IopSysEnvFunctionTableHal

loc_96373B:				; CODE XREF: IopOpenSystemVariableDevice(x,x,x)+50j
					; IopOpenSystemVariableDevice(x,x,x)+A0j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_IopOpenSystemVariableDevice@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopQueryEnvironmentVariableInfoHal(x, x, x,	x, x, x)
_IopQueryEnvironmentVariableInfoHal@24 proc near

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	ds:__imp__HalQueryEnvironmentVariableInfoEx@16 ; HalQueryEnvironmentVariableInfoEx(x,x,x,x)
		pop	ebp
		retn	18h
_IopQueryEnvironmentVariableInfoHal@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopQueryEnvironmentVariableInfoSysEnv(x, x,	x, x, x, x)
_IopQueryEnvironmentVariableInfoSysEnv@24 proc near

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		mov	eax, [ebp+arg_C]
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	ebx, [ebp+arg_10]
		mov	esi, [ebp+arg_14]
		push	edi
		push	6
		pop	ecx
		mov	[esp+30h+var_24], eax
		lea	edi, [esp+30h+var_20]
		xor	eax, eax
		push	eax
		push	18h
		rep stosd
		lea	eax, [esp+38h+var_20]
		mov	ecx, 520010h
		push	eax
		push	4
		lea	eax, [ebp+arg_8]
		push	eax
		push	edx
		push	[ebp+arg_0]
		mov	dl, 1
		call	_IopIssueSystemEnvironmentRequest@36 ; IopIssueSystemEnvironmentRequest(x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_9637EE
		mov	eax, [esp+30h+var_24]
		test	eax, eax
		jz	short loc_9637CC
		mov	ecx, [esp+30h+var_20]
		mov	[eax], ecx
		mov	ecx, [esp+30h+var_1C]
		mov	[eax+4], ecx

loc_9637CC:				; CODE XREF: IopQueryEnvironmentVariableInfoSysEnv(x,x,x,x,x,x)+5Ej
		test	ebx, ebx
		jz	short loc_9637DD
		mov	eax, [esp+30h+var_18]
		mov	[ebx], eax
		mov	eax, [esp+30h+var_14]
		mov	[ebx+4], eax

loc_9637DD:				; CODE XREF: IopQueryEnvironmentVariableInfoSysEnv(x,x,x,x,x,x)+6Fj
		test	esi, esi
		jz	short loc_9637EE
		mov	eax, [esp+30h+var_10]
		mov	[esi], eax
		mov	eax, [esp+30h+var_C]
		mov	[esi+4], eax

loc_9637EE:				; CODE XREF: IopQueryEnvironmentVariableInfoSysEnv(x,x,x,x,x,x)+56j
					; IopQueryEnvironmentVariableInfoSysEnv(x,x,x,x,x,x)+80j
		mov	ecx, [esp+30h+var_4]
		mov	eax, edx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
_IopQueryEnvironmentVariableInfoSysEnv@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopQueryEnvironmentVariableInfoTrEE(x, x, x, x, x, x)
_IopQueryEnvironmentVariableInfoTrEE@24	proc near

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		push	esi
		push	edi
		mov	edx, [ebp+arg_4]
		lea	edi, [esp+40h+var_28]
		push	8
		pop	ecx
		mov	esi, [ebp+arg_C]
		mov	ebx, [ebp+arg_10]
		and	[esp+40h+var_34], 0
		mov	[esp+40h+var_2C], eax
		xor	eax, eax
		rep stosd
		mov	eax, [ebp+arg_8]
		mov	[esp+40h+var_30], eax
		lea	eax, [esp+40h+var_34]
		push	eax
		push	20h
		push	20h
		lea	eax, [esp+4Ch+var_28]
		push	eax
		push	4
		lea	eax, [esp+54h+var_30]
		push	eax
		push	edx
		mov	edx, [ebp+arg_0]
		push	2
		pop	ecx
		call	_IopIssueTrEERequest@36	; IopIssueTrEERequest(x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_9638A7
		mov	ecx, [esp+40h+var_28]
		test	ecx, ecx
		jz	short loc_96387C
		call	_IopEfiStatusToNTSTATUS@4 ; IopEfiStatusToNTSTATUS(x)
		mov	edx, eax
		jmp	short loc_9638A7
; 

loc_96387C:				; CODE XREF: IopQueryEnvironmentVariableInfoTrEE(x,x,x,x,x,x)+6Dj
		mov	eax, [esp+40h+var_20]
		mov	ecx, [esp+40h+var_2C]
		mov	[esi], eax
		mov	eax, [esp+40h+var_1C]
		mov	[esi+4], eax
		mov	eax, [esp+40h+var_18]
		mov	[ebx], eax
		mov	eax, [esp+40h+var_14]
		mov	[ebx+4], eax
		mov	eax, [esp+40h+var_10]
		mov	[ecx], eax
		mov	eax, [esp+40h+var_C]
		mov	[ecx+4], eax

loc_9638A7:				; CODE XREF: IopQueryEnvironmentVariableInfoTrEE(x,x,x,x,x,x)+65j
					; IopQueryEnvironmentVariableInfoTrEE(x,x,x,x,x,x)+76j
		mov	ecx, [esp+40h+var_4]
		mov	eax, edx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
_IopQueryEnvironmentVariableInfoTrEE@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSetEnvironmentVariableHal(x, x, x, x, x,	x, x)
_IopSetEnvironmentVariableHal@28 proc near

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	ds:__imp__HalSetEnvironmentVariableEx@20 ; HalSetEnvironmentVariableEx(x,x,x,x,x)
		pop	ebp
		retn	1Ch
_IopSetEnvironmentVariableHal@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopSetEnvironmentVariableSysEnv(int,int,void *,int,void	*,size_t,int)
_IopSetEnvironmentVariableSysEnv@28 proc near

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_8]
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_9638EB:				; CODE XREF: IopSetEnvironmentVariableSysEnv(x,x,x,x,x,x,x)+19j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_9638EB
		sub	ecx, edx
		mov	edx, [ebp+arg_14]
		sar	ecx, 1
		add	edx, 20h
		lea	eax, ds:2[ecx*2]
		add	edx, eax
		mov	[ebp+var_4], eax
		call	sub_610D09
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_96391E
		mov	esi, 0C000009Ah
		jmp	short loc_963987
; 

loc_96391E:				; CODE XREF: IopSetEnvironmentVariableSysEnv(x,x,x,x,x,x,x)+3Aj
		mov	esi, [ebp+arg_C]
		mov	eax, [ebp+arg_18]
		push	edi
		lea	edi, [ebx+10h]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_4]
		and	dword ptr [ebx], 0
		push	esi		; size_t
		push	[ebp+arg_8]	; void *
		mov	[ebx+0Ch], eax
		lea	eax, [ebx+20h]
		push	eax		; void *
		call	_memcpy
		mov	edi, [ebp+arg_14]
		lea	eax, [esi+20h]
		push	edi		; size_t
		push	[ebp+arg_10]	; void *
		add	eax, ebx
		push	eax		; void *
		call	_memcpy
		add	esp, 18h
		mov	[ebx+8], edi
		xor	ecx, ecx
		lea	eax, [esi+20h]
		mov	[ebx+4], eax
		mov	dl, 1
		lea	eax, [edi+20h]
		push	ecx
		push	ecx
		push	ecx
		add	eax, esi
		push	eax
		push	ebx
		push	[ebp+arg_4]
		push	ecx
		mov	ecx, 520008h
		call	_IopIssueSystemEnvironmentRequest@36 ; IopIssueSystemEnvironmentRequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi

loc_963987:				; CODE XREF: IopSetEnvironmentVariableSysEnv(x,x,x,x,x,x,x)+41j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_IopSetEnvironmentVariableSysEnv@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopSetEnvironmentVariableTrEE(int,int,void *,int,void *,size_t,int)
_IopSetEnvironmentVariableTrEE@28 proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	ecx, [ebp+arg_8]
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_C], ebx
		lea	edx, [ecx+2]
		mov	[ebp+var_4], ebx

loc_9639A7:				; CODE XREF: IopSetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+21j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_9639A7
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		mov	ecx, [ebp+arg_14]
		add	ecx, 20h
		mov	[ebp+var_8], eax
		add	eax, ecx
		mov	edx, eax
		mov	[ebp+var_10], eax
		call	sub_610D09
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9639E2
		mov	esi, 0C000009Ah
		jmp	loc_963A66
; 

loc_9639E2:				; CODE XREF: IopSetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+47j
		mov	esi, [ebp+arg_C]
		mov	eax, [ebp+arg_18]
		push	edi
		lea	edi, [ebx+4]
		movsd
		movsd
		movsd
		movsd
		pop	edi
		test	al, 1
		jz	short loc_9639F8
		or	eax, 6

loc_9639F8:				; CODE XREF: IopSetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+64j
		mov	esi, [ebp+var_8]
		push	esi		; size_t
		push	[ebp+arg_8]	; void *
		mov	[ebx+14h], eax
		lea	eax, [ebx+20h]
		push	eax		; void *
		mov	dword ptr [ebx], 20h
		call	_memcpy
		mov	ecx, [ebp+arg_14]
		lea	eax, [esi+20h]
		push	ecx		; size_t
		push	[ebp+arg_10]	; void *
		mov	[ebx+1Ch], eax
		add	eax, ebx
		push	eax		; void *
		mov	[ebx+18h], ecx
		call	_memcpy
		add	esp, 18h
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_C]
		push	eax
		push	4
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_10]
		push	ebx
		push	[ebp+arg_4]
		push	2
		pop	ecx
		call	_IopIssueTrEERequest@36	; IopIssueTrEERequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_963A5E
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_963A5E
		call	_IopEfiStatusToNTSTATUS@4 ; IopEfiStatusToNTSTATUS(x)
		mov	esi, eax

loc_963A5E:				; CODE XREF: IopSetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+BFj
					; IopSetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+C6j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_963A66:				; CODE XREF: IopSetEnvironmentVariableTrEE(x,x,x,x,x,x,x)+4Ej
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_IopSetEnvironmentVariableTrEE@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFindSystemDevice(x, x)
_IopFindSystemDevice@8 proc near	; CODE XREF: IoQuerySystemDeviceName+12958Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	eax
		mov	ebx, edx
		mov	ecx, offset _SiGetSystemDisk@8 ; SiGetSystemDisk(x,x)
		push	0
		xor	edx, edx
		call	SiGetSystemDeviceName
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_963AA3
		test	esi, esi
		js	short loc_963AE6
		mov	esi, 0C00000E5h
		jmp	short loc_963AE6
; 

loc_963AA3:				; CODE XREF: IopFindSystemDevice(x,x)+28j
		push	edi
		push	44536F49h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_963AC0
		mov	esi, 0C000009Ah
		jmp	short loc_963AE5
; 

loc_963AC0:				; CODE XREF: IopFindSystemDevice(x,x)+49j
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		push	[ebp+var_4]
		mov	ecx, offset _SiGetSystemDisk@8 ; SiGetSystemDisk(x,x)
		call	SiGetSystemDeviceName
		mov	esi, eax
		test	esi, esi
		jns	short loc_963AE3
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_963AE5
; 

loc_963AE3:				; CODE XREF: IopFindSystemDevice(x,x)+69j
		mov	[ebx], edi

loc_963AE5:				; CODE XREF: IopFindSystemDevice(x,x)+50j
					; IopFindSystemDevice(x,x)+73j
		pop	edi

loc_963AE6:				; CODE XREF: IopFindSystemDevice(x,x)+2Cj
					; IopFindSystemDevice(x,x)+33j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_IopFindSystemDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFreeBandwidthContract(x,	x)
_IopFreeBandwidthContract@8 proc near	; CODE XREF: IopCloseFile(x,x,x,x)+2D6p

var_40		= dword	ptr -40h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_40]
		xor	esi, esi
		stosd
		mov	ebx, ecx
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		stosd
		stosd
		cmp	[edx], edx
		jnz	short loc_963B33
		xor	eax, eax

loc_963B24:				; CODE XREF: IopFreeBandwidthContract(x,x)+128j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_963B33:				; CODE XREF: IopFreeBandwidthContract(x,x)+34j
		mov	edi, [ebx+2Ch]
		and	edi, 2
		mov	[ebp+var_1C], edi

loc_963B3C:				; CODE XREF: IopFreeBandwidthContract(x,x)+144j
		push	esi
		push	1
		lea	eax, [ebp+var_40]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		test	dword ptr [ebx+2Ch], 4000000h
		lea	eax, [ebx+5Ch]
		jnz	short loc_963B5A
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_963B5A:				; CODE XREF: IopFreeBandwidthContract(x,x)+66j
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		push	ebx
		stosd
		stosd
		stosd
		stosd
		call	IoGetRelatedDeviceObject
		mov	ecx, eax
		mov	[ebp+var_20], eax
		mov	dl, [eax+30h]
		call	IopAllocateIrpMustSucceed
		mov	ecx, large fs:124h
		mov	esi, eax
		mov	edi, [ebp+var_1C]
		mov	[esi+50h], ecx
		xor	ecx, ecx
		mov	[esi+64h], ebx
		mov	[esi+20h], cl
		test	edi, edi
		jz	short loc_963B96
		mov	eax, ecx
		jmp	short loc_963BA0
; 

loc_963B96:				; CODE XREF: IopFreeBandwidthContract(x,x)+A4j
		mov	dword ptr [esi+8], 4
		lea	eax, [ebp+var_40]

loc_963BA0:				; CODE XREF: IopFreeBandwidthContract(x,x)+A8j
		mov	[esi+2Ch], eax
		lea	eax, [ebp+var_28]
		mov	[esi+28h], eax
		mov	eax, [esi+60h]
		mov	[esi+30h], ecx
		mov	byte ptr [eax-24h], 6
		mov	[eax-0Ch], ebx
		mov	dword ptr [eax-20h], 14h
		mov	dword ptr [eax-1Ch], 2Ch
		lea	eax, [ebp+var_18]
		mov	[esi+3Ch], ecx
		mov	[esi+4], ecx
		mov	ecx, ebx
		mov	[esi+0Ch], eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, esi
		call	IopQueueThreadIrp
		mov	ecx, [ebp+var_20]
		mov	edx, esi
		call	IofCallDriver
		xor	esi, esi
		cmp	eax, 103h
		jnz	short loc_963C05
		lea	eax, [ebx+5Ch]
		push	esi
		push	esi
		push	esi
		push	esi
		test	edi, edi
		jnz	short loc_963BFF
		lea	eax, [ebp+var_40]

loc_963BFF:				; CODE XREF: IopFreeBandwidthContract(x,x)+10Ej
		push	eax
		call	KeWaitForSingleObject

loc_963C05:				; CODE XREF: IopFreeBandwidthContract(x,x)+103j
		mov	eax, [ebp+var_28]
		cmp	eax, 0C000009Ah
		jz	short loc_963C1A
		cmp	eax, 0C0000017h
		jnz	loc_963B24

loc_963C1A:				; CODE XREF: IopFreeBandwidthContract(x,x)+121j
		or	[ebp+var_2C], 0FFFFFFFFh
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		push	esi
		mov	[ebp+var_30], 0FFF0BDC0h
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		jmp	loc_963B3C
_IopFreeBandwidthContract@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipCallbackHasDeviceOverrides(x, x)
_PipCallbackHasDeviceOverrides@8 proc near ; CODE XREF:	PipFindDeviceOverrideEntry+6C75Fp

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_34]
		push	edi
		mov	edi, [ebp+arg_4]
		xor	ebx, ebx
		push	30h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_3C], ebx
		lea	eax, [ebp+var_54]
		mov	[ebp+var_38], ebx
		mov	[ebp+var_54], 18h
		mov	[ebp+var_50], esi
		push	eax
		push	20019h
		lea	eax, [ebp+var_38]
		mov	[ebp+var_48], 240h
		push	eax
		mov	[ebp+var_4C], edi
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_963CDA
		lea	eax, [ebp+var_3C]
		push	eax
		push	30h
		lea	eax, [ebp+var_34]
		push	eax
		push	2
		push	[ebp+var_38]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		lea	ebx, [eax+7FFFFFFBh]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax
		jl	short loc_963CCD
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	short loc_963CCD
		mov	eax, [ebp+var_38]
		mov	[edi+8], eax
		mov	[edi+0Ch], ecx
		jmp	short loc_963CDA
; 

loc_963CCD:				; CODE XREF: PipCallbackHasDeviceOverrides(x,x)+84j
					; PipCallbackHasDeviceOverrides(x,x)+8Bj
		push	[ebp+var_38]
		mov	ebx, 0C0000001h
		call	_ZwClose@4	; ZwClose(x)

loc_963CDA:				; CODE XREF: PipCallbackHasDeviceOverrides(x,x)+62j
					; PipCallbackHasDeviceOverrides(x,x)+96j
		mov	ecx, [ebp+var_4]
		shr	ebx, 1Fh
		xor	ecx, ebp
		xor	bl, 1
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PipCallbackHasDeviceOverrides@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipCheckComputerSupported(x)
_PipCheckComputerSupported@4 proc near	; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+176p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_28], ecx
		lea	edi, [ebp+var_14]
		xor	ecx, ecx
		stosd
		mov	edx, 0F003Fh
		mov	[ebp+var_24], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_20], ecx
		stosd
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_2C], ecx
		stosd
		stosd
		lea	eax, [ebp+var_24]
		push	eax
		call	_PipHardwareConfigOpenKey@12 ; PipHardwareConfigOpenKey(x,x,x)
		mov	esi, [ebp+var_24]
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_963DB3
		push	18h
		pop	ecx
		push	16h
		pop	eax
		mov	word ptr [ebp+var_20], ax
		xor	edi, edi
		lea	eax, [ebp+var_20]
		mov	word ptr [ebp+var_20+2], cx
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	20019h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_1C], offset ??_C@_1BI@CEAGCKOK@?$AAC?$AAo?$AAm?$AAp?$AAu?$AAt?$AAe?$AAr?$AAI?$AAd?$AAs@NNGAKEGL@ ; "ComputerIds"
		push	eax
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], esi
		mov	[ebp+var_38], 240h
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_963DB3
		push	[ebp+var_28]
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_2C]
		push	eax
		push	10h
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_18]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		lea	ebx, [eax+7FFFFFFBh]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax

loc_963DB3:				; CODE XREF: PipCheckComputerSupported(x)+47j
					; PipCheckComputerSupported(x)+8Fj
		test	esi, esi
		jz	short loc_963DBD
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_963DBD:				; CODE XREF: PipCheckComputerSupported(x)+C2j
		cmp	[ebp+var_18], 0
		jz	short loc_963DCB
		push	[ebp+var_18]
		call	_ZwClose@4	; ZwClose(x)

loc_963DCB:				; CODE XREF: PipCheckComputerSupported(x)+CEj
		mov	ecx, [ebp+var_4]
		shr	ebx, 1Fh
		xor	ecx, ebp
		xor	bl, 1
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PipCheckComputerSupported@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipHardwareConfigActivateService(x)
_PipHardwareConfigActivateService@4 proc near
					; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1BF7p
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1C0Cp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		test	ecx, ecx
		jnz	short loc_963E02
		mov	esi, 0C000000Dh
		jmp	short loc_963E81
; 

loc_963E02:				; CODE XREF: PipHardwareConfigActivateService(x)+17j
		push	ecx
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		lea	ecx, [ebp+var_C]
		call	_PiOpenDriverRedirectedStateKey@12 ; PiOpenDriverRedirectedStateKey(x,x,x)
		cmp	eax, 0C0000225h
		jnz	short loc_963E26
		mov	esi, edi

loc_963E21:				; CODE XREF: PipHardwareConfigActivateService(x)+5Fj
		mov	edi, [ebp+var_4]
		jmp	short loc_963E77
; 

loc_963E26:				; CODE XREF: PipHardwareConfigActivateService(x)+3Bj
		test	eax, eax
		jns	short loc_963E43
		push	edi
		push	edi
		lea	eax, [ebp+var_4]
		mov	edx, 10000h
		push	eax
		lea	ecx, [ebp+var_C]
		call	PipOpenServiceEnumKeys
		mov	esi, eax
		test	esi, esi
		js	short loc_963E21

loc_963E43:				; CODE XREF: PipHardwareConfigActivateService(x)+46j
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_963E58
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_963E58
		mov	eax, [eax+4]
		jmp	short loc_963E5A
; 

loc_963E58:				; CODE XREF: PipHardwareConfigActivateService(x)+68j
					; PipHardwareConfigActivateService(x)+6Fj
		mov	eax, edi

loc_963E5A:				; CODE XREF: PipHardwareConfigActivateService(x)+74j
		push	edi
		mov	edi, [ebp+var_4]
		mov	edx, (offset loc_8B9055+1)
		push	eax
		mov	ecx, edi
		call	_RegRtlDeleteTreeInternal
		lea	esi, [eax+3FFFFFCCh]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_963E77:				; CODE XREF: PipHardwareConfigActivateService(x)+42j
		test	edi, edi
		jz	short loc_963E81
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_963E81:				; CODE XREF: PipHardwareConfigActivateService(x)+1Ej
					; PipHardwareConfigActivateService(x)+97j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_PipHardwareConfigActivateService@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipHardwareConfigClearStartOverrideCallback(x, x, x, x)
_PipHardwareConfigClearStartOverrideCallback@16	proc near
					; DATA XREF: PipHardwareConfigClearStartOverrides(x)+AFo

var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 218h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, dword ptr [ebp+arg_8]
		xor	ecx, ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_C]
		push	(offset	loc_8B9055+1)
		push	eax		; char
		push	offset ??_C@_1M@DFKENGJN@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; "%s\\%s"
		push	800h		; int
		push	ecx		; int
		push	ecx		; int
		lea	eax, [ebp+var_20C]
		mov	[ebp+var_210], ecx
		push	104h		; int
		push	eax		; void *
		call	RtlStringCchPrintfExW
		add	esp, 20h
		test	eax, eax
		js	short loc_963F36
		test	esi, esi
		jnz	short loc_963EE5
		xor	ecx, ecx
		jmp	short loc_963EE8
; 

loc_963EE5:				; CODE XREF: PipHardwareConfigClearStartOverrideCallback(x,x,x,x)+58j
		mov	ecx, [esi+74h]

loc_963EE8:				; CODE XREF: PipHardwareConfigClearStartOverrideCallback(x,x,x,x)+5Cj
		lea	eax, [ebp+var_210]
		mov	edx, ebx
		push	eax
		push	2
		push	0
		lea	eax, [ebp+var_20C]
		push	eax
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_963F36
		and	[ebp+var_218], 0
		lea	eax, [ebp+var_218]
		and	[ebp+var_214], 0
		push	edi
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_963F36
		lea	eax, [ebp+var_218]
		push	eax
		push	[ebp+var_210]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_963F36:				; CODE XREF: PipHardwareConfigClearStartOverrideCallback(x,x,x,x)+54j
					; PipHardwareConfigClearStartOverrideCallback(x,x,x,x)+7Cj ...
		cmp	[ebp+var_210], 0
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_963F4D
		push	[ebp+var_210]
		call	_ZwClose@4	; ZwClose(x)

loc_963F4D:				; CODE XREF: PipHardwareConfigClearStartOverrideCallback(x,x,x,x)+B9j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PipHardwareConfigClearStartOverrideCallback@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipHardwareConfigClearStartOverrides(x)
_PipHardwareConfigClearStartOverrides@4	proc near ; CODE XREF: PipHardwareConfigInit+12C5Ep

var_94		= byte ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	dword ptr [ebp+var_94],	ecx
		and	[ebp+var_8C], ebx
		lea	edx, [ebp+var_8C]
		push	edi
		mov	[ebp+var_90], ebx
		call	_PiOpenDriverRedirectedStateRootKey@8 ;	PiOpenDriverRedirectedStateRootKey(x,x)
		cmp	eax, 0C0000225h
		jnz	short loc_963FA5
		xor	edi, edi

loc_963F9D:				; CODE XREF: PipHardwareConfigClearStartOverrides(x)+6Bj
		mov	esi, [ebp+var_8C]
		jmp	short loc_96401A
; 

loc_963FA5:				; CODE XREF: PipHardwareConfigClearStartOverrides(x)+3Cj
		test	eax, eax
		jns	short loc_963FCE
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_90]
		push	eax
		push	6
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	ebx, [ebp+var_90]
		mov	edi, eax
		test	edi, edi
		js	short loc_963F9D
		mov	esi, ebx
		jmp	short loc_963FD4
; 

loc_963FCE:				; CODE XREF: PipHardwareConfigClearStartOverrides(x)+4Aj
		mov	esi, [ebp+var_8C]

loc_963FD4:				; CODE XREF: PipHardwareConfigClearStartOverrides(x)+6Fj
		push	dword ptr [ebp+var_94] ; char
		lea	eax, [ebp+var_88]
		push	offset ??_C@_15KNBIKKIN@?$AA?$CF?$AAd@NNGAKEGL@	; wchar_t *
		push	800h		; int
		push	0		; int
		push	0		; int
		push	40h		; int
		push	eax		; void *
		call	RtlStringCchPrintfExW
		mov	edi, eax
		add	esp, 1Ch
		test	edi, edi
		js	short loc_96401A
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_88]
		push	eax
		push	offset _PipHardwareConfigClearStartOverrideCallback@16 ; PipHardwareConfigClearStartOverrideCallback(x,x,x,x)
		mov	edx, esi
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		mov	edi, eax

loc_96401A:				; CODE XREF: PipHardwareConfigClearStartOverrides(x)+46j
					; PipHardwareConfigClearStartOverrides(x)+A0j
		test	esi, esi
		jz	short loc_964028
		cmp	esi, ebx
		jz	short loc_964028
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_964028:				; CODE XREF: PipHardwareConfigClearStartOverrides(x)+BFj
					; PipHardwareConfigClearStartOverrides(x)+C3j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PipHardwareConfigClearStartOverrides@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipHardwareConfigGetLastUseTime(x, x)
_PipHardwareConfigGetLastUseTime@8 proc	near ; CODE XREF: PnpGetStableSystemBootTime(x)+27p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_C], 0
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, edx
		push	esi
		test	ebx, ebx
		jnz	short loc_964058
		mov	esi, 0C000000Dh
		jmp	short loc_964099
; 

loc_964058:				; CODE XREF: PipHardwareConfigGetLastUseTime(x,x)+16j
		lea	eax, [ebp+var_4]
		mov	edx, 20019h
		push	eax
		call	_PipHardwareConfigOpenKey@12 ; PipHardwareConfigOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96408B
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], 8
		push	eax
		mov	edx, offset ??_C@_1BA@LLDEAMNN@?$AAL?$AAa?$AAs?$AAt?$AAU?$AAs?$AAe@NNGAKEGL@
		call	_RegRtlQueryValue
		mov	esi, eax

loc_96408B:				; CODE XREF: PipHardwareConfigGetLastUseTime(x,x)+31j
		cmp	[ebp+var_4], 0
		jz	short loc_964099
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_964099:				; CODE XREF: PipHardwareConfigGetLastUseTime(x,x)+1Dj
					; PipHardwareConfigGetLastUseTime(x,x)+56j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PipHardwareConfigGetLastUseTime@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipHardwareConfigTriggerRespecialize(x)
_PipHardwareConfigTriggerRespecialize@4	proc near ; CODE XREF: PipHardwareConfigInit+12D0Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		push	esi
		mov	esi, ebx
		mov	[ebp+var_4], esi
		push	edi
		test	ecx, ecx
		jnz	short loc_9640ED
		push	3Eh
		pop	eax
		push	3Ch
		mov	word ptr [ebp+var_10+2], ax
		lea	ecx, [ebp+var_4]
		pop	eax
		push	ebx
		push	ebx
		mov	word ptr [ebp+var_10], ax
		xor	edx, edx
		push	0F003Fh
		lea	eax, [ebp+var_10]
		mov	[ebp+var_C], offset ??_C@_1DO@PGOAJPNE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax
		call	IopCreateRegistryKeyEx
		mov	esi, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_96411E
		mov	ecx, esi

loc_9640ED:				; CODE XREF: PipHardwareConfigTriggerRespecialize(x)+17j
		push	1Ah
		pop	eax
		push	18h
		mov	word ptr [ebp+var_10+2], ax
		pop	eax
		push	4
		mov	word ptr [ebp+var_10], ax
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		push	ebx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_8], 1
		push	eax
		push	ecx
		mov	[ebp+var_C], offset ??_C@_1BK@CGJOHCEH@?$AAR?$AAe?$AAs?$AAp?$AAe?$AAc?$AAi?$AAa?$AAl?$AAi?$AAz?$AAe@NNGAKEGL@
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	edi, eax

loc_96411E:				; CODE XREF: PipHardwareConfigTriggerRespecialize(x)+4Aj
		test	esi, esi
		jz	short loc_964128
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_964128:				; CODE XREF: PipHardwareConfigTriggerRespecialize(x)+81j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PipHardwareConfigTriggerRespecialize@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipUpdateSetupInProgressCallback(x)
_PipUpdateSetupInProgressCallback@4 proc near
					; DATA XREF: IopInitializePlugPlayServices(x,x)+4EBo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		call	_PipUpdateSetupInProgressNotify@8 ; PipUpdateSetupInProgressNotify(x,x)
		pop	ebp
		retn	4
_PipUpdateSetupInProgressCallback@4 endp


;  S U B	R O U T	I N E 


; __stdcall PipUpdateSetupInProgressNotify(x, x)
_PipUpdateSetupInProgressNotify@8 proc near
					; CODE XREF: PipUpdateSetupInProgressCallback(x)+Ap
					; IopInitializePlugPlayServices(x,x)+501p
		mov	edi, edi
		push	ebx
		push	esi
		xor	esi, esi
		mov	bl, dl
		cmp	_PnpSetupInProgress, 0
		push	edi
		mov	edi, ecx
		jnz	short loc_96415F
		cmp	_PnpSetupOOBEInProgress, 0
		jz	short loc_964194

loc_96415F:				; CODE XREF: PipUpdateSetupInProgressNotify(x,x)+12j
		push	1
		push	esi
		push	esi
		push	esi
		push	4
		push	offset _PnpSetupIoStatusBlock
		push	1
		push	offset _PnpSetupWorkItem
		push	esi
		push	edi
		call	_ZwNotifyChangeKey@40 ;	ZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_96417F
		mov	esi, edi

loc_96417F:				; CODE XREF: PipUpdateSetupInProgressNotify(x,x)+39j
		test	bl, bl
		jz	short loc_96418A
		mov	ecx, edi
		call	PipUpdateSetupInProgress

loc_96418A:				; CODE XREF: PipUpdateSetupInProgressNotify(x,x)+3Fj
		test	esi, esi
		jz	short loc_964194
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_964194:				; CODE XREF: PipUpdateSetupInProgressNotify(x,x)+1Bj
					; PipUpdateSetupInProgressNotify(x,x)+4Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
_PipUpdateSetupInProgressNotify@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipUpdateSetupOobeCompleteWnfCallback(x, x,	x, x, x, x)
_PipUpdateSetupOobeCompleteWnfCallback@24 proc near
					; DATA XREF: CmpInitializeSystemHivesLoad+A1F04o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_4]
		push	eax		; int
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], 4
		push	eax		; void *
		lea	eax, [ebp+arg_C]
		push	eax		; int
		push	[ebp+arg_0]	; int
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		test	eax, eax
		js	short loc_9641D5
		cmp	[ebp+var_4], 4
		jnz	short loc_9641D5
		cmp	[ebp+var_8], 0
		jz	short loc_9641D5
		mov	_PnpSetupOOBEInProgress, 0

loc_9641D5:				; CODE XREF: PipUpdateSetupOobeCompleteWnfCallback(x,x,x,x,x,x)+28j
					; PipUpdateSetupOobeCompleteWnfCallback(x,x,x,x,x,x)+2Ej ...
		xor	eax, eax
		leave
		retn	18h
_PipUpdateSetupOobeCompleteWnfCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpShutdownDevices()
_PnpShutdownDevices@0 proc near		; CODE XREF: IoShutdownSystem(x)+42p

var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	offset _PnpShutdownEvent
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_B4], ebx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, ebx
		mov	[ebp+var_B0], eax
		cmp	_PnpTearDownPnpStacksOnShutdown, al
		jnz	short loc_96422A
		test	byte ptr _PopShutdownCleanly, 20h
		jz	loc_9643AB

loc_96422A:				; CODE XREF: PnpShutdownDevices()+40j
		mov	ecx, 155h
		call	_PnpCreateDeviceEventEntry@4 ; PnpCreateDeviceEventEntry(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_964244
		mov	eax, 0C000009Ah
		jmp	loc_9643AB
; 

loc_964244:				; CODE XREF: PnpShutdownDevices()+5Dj
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _PnpEventQueueEmpty
		call	KeWaitForSingleObject
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _PnpEnumerationLock
		call	KeWaitForSingleObject
		mov	esi, _IopRootDeviceNode
		lea	eax, [ebp+var_A8]
		push	10h
		pop	edx
		mov	ecx, esi
		mov	[ebp+var_BC], 0A00000h
		mov	[ebp+var_B8], eax
		call	PipSetDevNodeUserFlags
		or	ebx, 0FFFFFFFFh

loc_964289:				; CODE XREF: PnpShutdownDevices()+152j
					; PnpShutdownDevices()+15Fj ...
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceSharedLite
		mov	esi, [esi+4]
		jmp	loc_964385
; 

loc_9642AB:				; CODE XREF: PnpShutdownDevices()+1ACj
		mov	eax, [esi+110h]
		test	al, 20h
		jz	loc_964355
		cmp	esi, _IopRootDeviceNode
		jnz	loc_96436E
		xor	esi, esi

loc_9642C7:				; CODE XREF: PnpShutdownDevices()+17Cj
					; PnpShutdownDevices()+1B2j
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		jz	loc_964392
		lea	eax, [ebp+var_BC]
		mov	edx, 155h
		push	eax
		lea	eax, [ebp+var_B4]
		mov	ecx, edi
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	2Eh
		push	eax
		push	eax
		push	1
		push	eax
		push	dword ptr [esi+10h]
		call	_PnpInitializeTargetDeviceRemoveEvent@52 ; PnpInitializeTargetDeviceRemoveEvent(x,x,x,x,x,x,x,x,x,x,x,x,x)
		lea	ecx, [ebp+var_AC]
		mov	[ebp+var_AC], edi
		call	_PnpProcessQueryRemoveAndEject@4 ; PnpProcessQueryRemoveAndEject(x)
		mov	edx, [ebp+var_AC]
		mov	[ebp+var_B0], eax
		cmp	edx, edi
		jz	loc_964289
		mov	ecx, ebx
		lock xadd [edx+24h], ecx
		jnz	loc_964289
		push	4B706E50h
		push	[ebp+var_AC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_964289
; 

loc_964355:				; CODE XREF: PnpShutdownDevices()+D8j
		test	al, 10h
		jz	loc_9642C7
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_964383
		push	20h
		pop	edx
		mov	ecx, esi
		call	PipSetDevNodeUserFlags

loc_96436E:				; CODE XREF: PnpShutdownDevices()+E4j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_964383
		mov	esi, [esi+8]
		mov	ecx, esi
		push	20h
		pop	edx
		call	PipSetDevNodeUserFlags
		jmp	short loc_964385
; 

loc_964383:				; CODE XREF: PnpShutdownDevices()+187j
					; PnpShutdownDevices()+197j
		mov	esi, eax

loc_964385:				; CODE XREF: PnpShutdownDevices()+CBj
					; PnpShutdownDevices()+1A6j
		test	esi, esi
		jnz	loc_9642AB
		jmp	loc_9642C7
; 

loc_964392:				; CODE XREF: PnpShutdownDevices()+104j
		lock xadd [edi+24h], ebx
		dec	ebx
		jnz	short loc_9643A5
		push	4B706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9643A5:				; CODE XREF: PnpShutdownDevices()+1BDj
		mov	eax, [ebp+var_B0]

loc_9643AB:				; CODE XREF: PnpShutdownDevices()+49j
					; PnpShutdownDevices()+64j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PnpShutdownDevices@0 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 733. IoAcquireKsrPersistentMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAcquireKsrPersistentMemory(x, x, x, x)
		public _IoAcquireKsrPersistentMemory@16
_IoAcquireKsrPersistentMemory@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		push	esi
		mov	esi, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		call	esi
		test	al, al
		jz	short loc_9643E9
		xor	edi, edi
		push	edi
		push	edi
		call	esi
		movzx	eax, al
		push	eax
		push	1
		push	121h

loc_9643E4:				; CODE XREF: IoAcquireKsrPersistentMemory(x,x,x,x)+139j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9643E9:				; CODE XREF: IoAcquireKsrPersistentMemory(x,x,x,x)+12j
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	loc_9644FD
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_964411
		test	dword ptr [eax+10Ch], 20000h
		jz	loc_9644FD

loc_964411:				; CODE XREF: IoAcquireKsrPersistentMemory(x,x,x,x)+40j
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_964450
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		add	ecx, 1Ch
		cmp	[ecx], di
		jz	short loc_964450
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_964450:				; CODE XREF: IoAcquireKsrPersistentMemory(x,x,x,x)+64j
					; IoAcquireKsrPersistentMemory(x,x,x,x)+78j
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_9644EE
		mov	edx, 1F4h
		lea	ebx, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[ebx], di
		jz	short loc_964488
		push	2
		pop	edx
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [ebx]
		mov	ecx, [ebx+4]
		call	IoAddTriageDumpDataBlock

loc_964488:				; CODE XREF: IoAcquireKsrPersistentMemory(x,x,x,x)+B2j
		mov	edx, [esi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], di
		jz	short loc_9644BC
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [esi+0B0h]

loc_9644BC:				; CODE XREF: IoAcquireKsrPersistentMemory(x,x,x,x)+D8j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_9644EE
		lea	ecx, [eax+1Ch]
		cmp	[ecx], di
		jz	short loc_9644EE
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_9644EE:				; CODE XREF: IoAcquireKsrPersistentMemory(x,x,x,x)+9Cj
					; IoAcquireKsrPersistentMemory(x,x,x,x)+105j ...
		push	edi
		push	edi
		push	esi
		push	2
		push	0CAh
		jmp	loc_9643E4
; 

loc_9644FD:				; CODE XREF: IoAcquireKsrPersistentMemory(x,x,x,x)+2Fj
					; IoAcquireKsrPersistentMemory(x,x,x,x)+4Cj
		call	_ExIsSoftBoot@0	; ExIsSoftBoot()
		test	al, al
		jnz	short loc_96450D
		mov	eax, 0C00000BBh
		jmp	short loc_96451F
; 

loc_96450D:				; CODE XREF: IoAcquireKsrPersistentMemory(x,x,x,x)+145j
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		push	1
		push	[ebp+arg_8]
		push	[ebp+arg_C]
		call	_PipGetPersistentMemory@20 ; PipGetPersistentMemory(x,x,x,x,x)

loc_96451F:				; CODE XREF: IoAcquireKsrPersistentMemory(x,x,x,x)+14Cj
		pop	esi
		pop	edi
		pop	ebx
		pop	ebp
		retn	10h
_IoAcquireKsrPersistentMemory@16 endp ;	sp = -0Ch

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 833. IoFreeKsrPersistentMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoFreeKsrPersistentMemory(x)
		public _IoFreeKsrPersistentMemory@4
_IoFreeKsrPersistentMemory@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		push	edi
		call	esi
		test	al, al
		jz	short loc_964554
		push	0
		push	0
		call	esi
		movzx	eax, al
		push	eax
		push	1
		push	121h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_964554:				; CODE XREF: IoFreeKsrPersistentMemory(x)+11j
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+20h]
		test	eax, eax
		jz	short loc_964567
		push	dword ptr [esi+4]
		push	eax
		call	MmUnmapLockedPages

loc_964567:				; CODE XREF: IoFreeKsrPersistentMemory(x)+31j
		push	1
		push	dword ptr [esi+1Ch]
		lea	eax, [esi+8]
		push	dword ptr [esi+18h]
		push	eax
		call	ds:__imp__KsrFreePersistedMemoryBlock@16 ; KsrFreePersistedMemoryBlock(x,x,x,x)
		mov	eax, [esi+4]
		mov	edi, 61706E50h
		test	eax, eax
		jz	short loc_96458C
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96458C:				; CODE XREF: IoFreeKsrPersistentMemory(x)+58j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
_IoFreeKsrPersistentMemory@4 endp

; 
		align 10h
; Exported entry 922. IoQueryKsrPersistentMemorySize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoQueryKsrPersistentMemorySize(x, x, x)
		public _IoQueryKsrPersistentMemorySize@12
_IoQueryKsrPersistentMemorySize@12 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		call	edi
		test	al, al
		jz	short loc_9645CA
		xor	esi, esi
		push	esi
		push	esi
		call	edi
		movzx	eax, al
		push	eax
		push	1
		push	121h

loc_9645C5:				; CODE XREF: IoQueryKsrPersistentMemorySize(x,x,x)+139j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9645CA:				; CODE XREF: IoQueryKsrPersistentMemorySize(x,x,x)+12j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_9646DE
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_9645F2
		test	dword ptr [eax+10Ch], 20000h
		jz	loc_9646DE

loc_9645F2:				; CODE XREF: IoQueryKsrPersistentMemorySize(x,x,x)+40j
		movzx	edx, word ptr [edi+2]
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		xor	esi, esi
		test	ecx, ecx
		jz	short loc_964631
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_964631
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_964631:				; CODE XREF: IoQueryKsrPersistentMemorySize(x,x,x)+64j
					; IoQueryKsrPersistentMemorySize(x,x,x)+78j
		mov	eax, [edi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_9646CF
		mov	edx, 1F4h
		lea	ebx, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[ebx], si
		jz	short loc_964669
		push	2
		pop	edx
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [ebx]
		mov	ecx, [ebx+4]
		call	IoAddTriageDumpDataBlock

loc_964669:				; CODE XREF: IoQueryKsrPersistentMemorySize(x,x,x)+B2j
		mov	edx, [edi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_96469D
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [edi+0B0h]

loc_96469D:				; CODE XREF: IoQueryKsrPersistentMemorySize(x,x,x)+D8j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_9646CF
		lea	ecx, [eax+1Ch]
		cmp	[ecx], si
		jz	short loc_9646CF
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_9646CF:				; CODE XREF: IoQueryKsrPersistentMemorySize(x,x,x)+9Cj
					; IoQueryKsrPersistentMemorySize(x,x,x)+105j ...
		push	esi
		push	esi
		push	edi
		push	2
		push	0CAh
		jmp	loc_9645C5
; 

loc_9646DE:				; CODE XREF: IoQueryKsrPersistentMemorySize(x,x,x)+2Fj
					; IoQueryKsrPersistentMemorySize(x,x,x)+4Cj
		mov	ebx, [ebp+arg_8]
		xor	esi, esi
		mov	[ebx], esi
		call	_ExIsSoftBoot@0	; ExIsSoftBoot()
		test	al, al
		jnz	short loc_9646F5
		mov	eax, 0C00000BBh
		jmp	short loc_964713
; 

loc_9646F5:				; CODE XREF: IoQueryKsrPersistentMemorySize(x,x,x)+14Cj
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		push	esi
		push	esi
		push	ebx
		call	_PipGetPersistentMemory@20 ; PipGetPersistentMemory(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_964713
		mov	ecx, [ebx]
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	eax, ecx

loc_964713:				; CODE XREF: IoQueryKsrPersistentMemorySize(x,x,x)+153j
					; IoQueryKsrPersistentMemorySize(x,x,x)+167j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_IoQueryKsrPersistentMemorySize@12 endp	; sp = -0Ch

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 970. IoReserveKsrPersistentMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoReserveKsrPersistentMemory(x, x, x, x, x)
		public _IoReserveKsrPersistentMemory@20
_IoReserveKsrPersistentMemory@20 proc near

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+4Ch+var_3C], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	[esp+50h+var_18], eax
		xor	eax, eax
		push	esi
		mov	esi, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		push	edi
		mov	[esp+58h+var_30], eax
		lea	edi, [esp+58h+var_14]
		mov	[esp+58h+var_2C], eax
		mov	[esp+58h+var_24], eax
		stosd
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[esp+58h+var_40], edi
		call	esi
		test	al, al
		jz	short loc_964785
		push	edi
		push	edi
		call	esi
		movzx	eax, al
		push	eax
		push	1
		push	121h

loc_964780:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+171j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_964785:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+50j
		test	ebx, ebx
		jz	loc_964895
		mov	eax, [ebx+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_9647AA
		test	dword ptr [eax+10Ch], 20000h
		jz	loc_964895

loc_9647AA:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+79j
		movzx	edx, word ptr [ebx+2]
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		test	ecx, ecx
		jz	short loc_9647E7
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		add	ecx, 1Ch
		cmp	[ecx], di
		jz	short loc_9647E7
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_9647E7:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+9Bj
					; IoReserveKsrPersistentMemory(x,x,x,x,x)+AFj
		mov	eax, [ebx+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_964886
		mov	edx, 1F4h
		lea	esi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[esi], di
		jz	short loc_96481F
		push	2
		pop	edx
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [esi]
		mov	ecx, [esi+4]
		call	IoAddTriageDumpDataBlock

loc_96481F:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+E9j
		mov	ecx, [ebx+0B0h]
		mov	eax, [ecx+14h]
		cmp	[eax+1Ch], di
		jz	short loc_964854
		push	2
		pop	edx
		lea	ecx, [eax+1Ch]
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebx+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+0B0h]

loc_964854:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+10Dj
		mov	eax, [ecx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_964886
		lea	ecx, [eax+1Ch]
		cmp	[ecx], di
		jz	short loc_964886
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebx+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_964886:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+D3j
					; IoReserveKsrPersistentMemory(x,x,x,x,x)+13Dj	...
		push	edi
		push	edi
		push	ebx
		push	2
		push	0CAh
		jmp	loc_964780
; 

loc_964895:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+68j
					; IoReserveKsrPersistentMemory(x,x,x,x,x)+85j
		xor	eax, eax
		mov	[esp+6Ch+var_60], eax
		mov	[esp+6Ch+var_5C], eax
		mov	[esp+6Ch+var_4C], eax
		mov	[esp+6Ch+var_58], eax
		mov	[esp+6Ch+var_48], eax
		cmp	_PnpKsrEnabled,	al
		jnz	short loc_9648BD
		mov	esi, 0C00000BBh
		jmp	loc_96499C
; 

loc_9648BD:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+192j
		cmp	[ebp+arg_C], eax
		jz	short loc_9648CC
		mov	esi, 0C00000F2h
		jmp	loc_96499C
; 

loc_9648CC:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+1A1j
		mov	ecx, [esp+6Ch+var_50]
		lea	edx, [esp+6Ch+var_28]
		call	_PipGetDriverKsrGuid@8 ; PipGetDriverKsrGuid(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_96499C
		test	ebx, ebx
		jz	short loc_964911
		lea	eax, [esp+6Ch+var_5C]
		mov	ecx, ebx
		push	eax
		lea	edx, [esp+70h+var_58]
		call	_PipGetDeviceObjectLocation@12 ; PipGetDeviceObjectLocation(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9649B2
		mov	eax, [esp+6Ch+var_5C]
		mov	[esp+6Ch+var_60], eax
		mov	eax, [esp+6Ch+var_58]
		mov	[esp+6Ch+var_4C], eax

loc_964911:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+1C6j
		mov	ecx, [esp+6Ch+var_50]
		lea	eax, [esp+6Ch+var_38]
		push	1
		push	0
		push	eax
		mov	edx, ebx
		call	_PipGetPersistentMemory@20 ; PipGetPersistentMemory(x,x,x,x,x)
		lea	esi, [eax+3FFFFFCCh]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jl	short loc_964967
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		push	14h
		add	eax, 1003h
		inc	ecx
		push	ecx
		and	eax, 0FFFFF000h
		push	eax
		mov	[esp+78h+var_58], eax
		xor	eax, eax
		push	eax
		push	eax
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	eax
		push	eax
		call	_MmAllocatePagesForMdlEx@36 ; MmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)
		mov	[esp+6Ch+var_50], eax
		test	eax, eax
		jnz	short loc_9649B8

loc_964962:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+2B1j
					; IoReserveKsrPersistentMemory(x,x,x,x,x)+325j
		mov	esi, 0C000009Ah

loc_964967:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+212j
					; IoReserveKsrPersistentMemory(x,x,x,x,x)+2E7j
		mov	ebx, [esp+6Ch+var_60]

loc_96496B:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+297j
					; IoReserveKsrPersistentMemory(x,x,x,x,x)+3C6j	...
		test	ebx, ebx
		jz	short loc_96497A
		push	61706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96497A:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+24Ej
		test	edi, edi
		jz	short loc_964989
		push	61706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_964989:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+25Dj
		mov	eax, [esp+6Ch+var_48]
		test	eax, eax
		jz	short loc_96499C
		push	61706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96499C:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+199j
					; IoReserveKsrPersistentMemory(x,x,x,x,x)+1A8j	...
		mov	ecx, [esp+6Ch+var_18]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_9649B2:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+1DCj
		mov	ebx, [esp+6Ch+var_5C]
		jmp	short loc_96496B
; 

loc_9649B8:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+241j
		push	40000020h
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	1
		push	ecx
		push	eax
		call	MmMapLockedPagesSpecifyCache
		mov	[esp+6Ch+var_34], eax
		test	eax, eax
		jz	short loc_964962
		push	[esp+6Ch+var_58] ; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esp+78h+var_4C]
		add	esp, 0Ch
		lea	eax, ds:0Ch[eax*2]
		push	61706E50h
		push	eax
		push	200h
		mov	[esp+78h+var_58], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+6Ch+var_5C], eax
		test	eax, eax
		jz	loc_964967
		push	[esp+6Ch+var_58] ; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esp+78h+var_5C]
		add	esp, 0Ch
		xor	ecx, ecx
		inc	ecx
		push	61706E50h
		push	28h
		mov	[eax], cx
		mov	ecx, [ebp+arg_8]
		push	200h
		mov	[eax+8], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+6Ch+var_30], edi
		test	edi, edi
		jz	loc_964962
		mov	eax, [esp+6Ch+var_34]
		lea	esi, [esp+6Ch+var_28]
		xor	edx, edx
		mov	[edi], edx
		mov	[edi+8], edx
		mov	[edi+0Ch], edx
		mov	[edi+10h], edx
		mov	[edi+14h], edx
		mov	[edi+18h], edx
		mov	[edi+1Ch], edx
		mov	ecx, [esp+6Ch+var_5C]
		mov	[edi+20h], eax
		mov	eax, [esp+6Ch+var_50]
		mov	[edi+24h], ecx
		mov	[edi+4], eax
		add	edi, 8
		test	ebx, ebx
		mov	ebx, [esp+6Ch+var_60]
		movsd
		movsd
		movsd
		movsd
		jnz	short loc_964A8D
		xor	eax, eax
		inc	eax
		jmp	short loc_964AA9
; 

loc_964A8D:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+367j
		mov	eax, [esp+6Ch+var_4C]
		add	eax, eax
		push	eax		; size_t
		mov	[ecx+4], eax
		lea	eax, [ecx+0Ch]
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	edx, edx
		push	2
		pop	eax

loc_964AA9:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+36Cj
		mov	edi, [esp+6Ch+var_30]
		mov	esi, [esp+6Ch+var_50]
		mov	[edi], eax
		lea	eax, [esp+6Ch+var_54]
		push	eax
		push	edx
		push	edx
		push	esi
		call	ds:__imp__KsrMdlToMemoryRuns@16	; KsrMdlToMemoryRuns(x,x,x,x)
		mov	eax, [esp+7Ch+var_64]
		push	61706E50h
		shl	eax, 3
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+7Ch+var_58], eax
		test	eax, eax
		jnz	short loc_964AEA
		mov	esi, 0C000009Ah
		jmp	loc_96496B
; 

loc_964AEA:				; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+3BFj
		lea	ecx, [esp+7Ch+var_64]
		push	ecx
		push	[esp+80h+var_64]
		push	eax
		push	esi
		call	ds:__imp__KsrMdlToMemoryRuns@16	; KsrMdlToMemoryRuns(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_96496B
		lea	eax, [esp+8Ch+var_64]
		push	eax
		push	[esp+90h+var_78]
		mov	eax, [esp+94h+var_7C]
		push	eax
		push	[esp+98h+var_74]
		mov	eax, [esp+9Ch+var_68]
		push	eax
		lea	eax, [esp+0A0h+var_48]
		push	eax
		call	ds:__imp__KsrPersistMemoryWithMetadata@24 ; KsrPersistMemoryWithMetadata(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_96496B
		mov	eax, [esp+0A4h+var_7C]
		mov	[edi+18h], eax
		mov	eax, [esp+0A4h+var_78]
		mov	[edi+1Ch], eax
		mov	eax, [esp+0A4h+var_64]
		mov	[eax], edi
		xor	edi, edi
		jmp	loc_96496B
_IoReserveKsrPersistentMemory@20 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1062. IoWriteKsrPersistentMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IoWriteKsrPersistentMemory(int,void *,size_t)
		public _IoWriteKsrPersistentMemory@12
_IoWriteKsrPersistentMemory@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jz	short loc_964B7B
		push	esi
		push	esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		push	1
		push	121h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_964B7B:				; CODE XREF: IoWriteKsrPersistentMemory(x,x,x)+10j
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		cmp	ecx, 2
		jz	short loc_964B91
		cmp	ecx, 1
		jz	short loc_964B91
		mov	esi, 0C00000EFh
		jmp	short loc_964BB8
; 

loc_964B91:				; CODE XREF: IoWriteKsrPersistentMemory(x,x,x)+32j
					; IoWriteKsrPersistentMemory(x,x,x)+37j
		mov	edx, [eax+20h]
		mov	eax, [eax+24h]
		mov	ecx, [ebp+arg_8]
		cmp	ecx, [eax+8]
		jbe	short loc_964BA6
		mov	esi, 0C0000023h
		jmp	short loc_964BB8
; 

loc_964BA6:				; CODE XREF: IoWriteKsrPersistentMemory(x,x,x)+4Cj
		push	ecx		; size_t
		push	[ebp+arg_4]	; void *
		mov	[edx], ecx
		lea	ecx, [edx+4]
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_964BB8:				; CODE XREF: IoWriteKsrPersistentMemory(x,x,x)+3Ej
					; IoWriteKsrPersistentMemory(x,x,x)+53j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
_IoWriteKsrPersistentMemory@12 endp ; sp = -0Ch


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipEnumeratePersistedMemory(x, x, x, x)
_PipEnumeratePersistedMemory@16	proc near
					; DATA XREF: PipGetPersistentMemory(x,x,x,x,x)+1A0o
					; PipGetPersistentMemory(x,x,x,x,x)+1F2o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		push	esi
		mov	esi, [edx]
		test	esi, esi
		jnz	short loc_964BD3
		inc	dword ptr [edx+4]
		jmp	short loc_964BE6
; 

loc_964BD3:				; CODE XREF: PipEnumeratePersistedMemory(x,x,x,x)+Dj
		mov	ecx, [edx+8]
		mov	eax, [ebp+arg_4]
		mov	[esi+ecx*8], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+ecx*8+4], eax
		inc	dword ptr [edx+8]

loc_964BE6:				; CODE XREF: PipEnumeratePersistedMemory(x,x,x,x)+12j
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	10h
_PipEnumeratePersistedMemory@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipGetDeviceObjectLocation(x, x, x)
_PipGetDeviceObjectLocation@12 proc near
					; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+1D3p
					; PipGetPersistentMemory(x,x,x,x,x)+487p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		xor	edi, edi
		mov	[ebp+var_8], edi
		test	esi, esi
		jz	loc_964D9B
		mov	eax, [esi+0B0h]
		mov	ebx, [eax+14h]
		test	ebx, ebx
		jz	loc_964CBE
		test	dword ptr [ebx+10Ch], 20000h
		jnz	loc_964CBE
		mov	eax, edi
		mov	esi, edi
		mov	[ebp+var_4], eax

loc_964C32:				; CODE XREF: PipGetDeviceObjectLocation(x,x,x)+9Dj
		mov	edx, [ebx+18h]
		lea	ecx, [ebp+var_4]
		push	edi
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	esi
		lea	eax, [ebp+var_8]
		push	eax
		push	offset _DEVPKEY_Device_LocationPaths
		push	edi
		push	edi
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jnz	short loc_964C91
		test	esi, esi
		jz	short loc_964C6D
		push	61706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_964C6D:				; CODE XREF: PipGetDeviceObjectLocation(x,x,x)+73j
		push	61706E50h
		push	[ebp+var_4]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_964C8C
		mov	eax, [ebp+var_4]
		xor	edi, edi
		jmp	short loc_964C32
; 

loc_964C8C:				; CODE XREF: PipGetDeviceObjectLocation(x,x,x)+96j
		mov	edi, 0C000009Ah

loc_964C91:				; CODE XREF: PipGetDeviceObjectLocation(x,x,x)+6Fj
		test	edi, edi
		js	short loc_964CA6
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_C]
		mov	[eax], esi
		mov	eax, [ebp+var_4]
		shr	eax, 1
		mov	[ecx], eax
		jmp	short loc_964CB5
; 

loc_964CA6:				; CODE XREF: PipGetDeviceObjectLocation(x,x,x)+A6j
		test	esi, esi
		jz	short loc_964CB5
		push	61706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_964CB5:				; CODE XREF: PipGetDeviceObjectLocation(x,x,x)+B7j
					; PipGetDeviceObjectLocation(x,x,x)+BBj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_964CBE:				; CODE XREF: PipGetDeviceObjectLocation(x,x,x)+28j
					; PipGetDeviceObjectLocation(x,x,x)+38j
		movzx	edx, word ptr [esi+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_964CF9
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		add	ecx, 1Ch
		cmp	[ecx], di
		jz	short loc_964CF9
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_964CF9:				; CODE XREF: PipGetDeviceObjectLocation(x,x,x)+DFj
					; PipGetDeviceObjectLocation(x,x,x)+F3j
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_964D9B
		mov	edx, 1F4h
		lea	edi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		xor	eax, eax
		cmp	[edi], ax
		jz	short loc_964D33
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock

loc_964D33:				; CODE XREF: PipGetDeviceObjectLocation(x,x,x)+12Fj
		mov	edx, [esi+0B0h]
		xor	edi, edi
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], di
		jz	short loc_964D69
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [esi+0B0h]

loc_964D69:				; CODE XREF: PipGetDeviceObjectLocation(x,x,x)+157j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_964D9B
		lea	ecx, [eax+1Ch]
		cmp	[ecx], di
		jz	short loc_964D9B
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_964D9B:				; CODE XREF: PipGetDeviceObjectLocation(x,x,x)+17j
					; PipGetDeviceObjectLocation(x,x,x)+117j ...
		push	edi
		push	edi
		push	esi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_PipGetDeviceObjectLocation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipGetDriverKsrGuid(x, x)
_PipGetDriverKsrGuid@8 proc near	; CODE XREF: IoReserveKsrPersistentMemory(x,x,x,x,x)+1B5p
					; PipGetPersistentMemory(x,x,x,x,x)+17Dp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	ecx, [ecx+18h]
		xor	eax, eax
		or	[ebp+var_4], 0FFFFFFFFh
		add	ecx, 0Ch
		or	[ebp+var_8], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		push	eax
		push	eax
		mov	[ebp+var_10], eax
		mov	ebx, edx
		mov	[ebp+var_C], eax
		mov	edx, 20019h
		lea	eax, [ebp+var_8]
		push	eax
		call	PipOpenServiceEnumKeys
		mov	edi, [ebp+var_8]
		mov	esi, eax
		test	esi, esi
		js	short loc_964E42
		push	16h
		pop	eax
		push	14h
		mov	word ptr [ebp+var_10+2], ax
		xor	ecx, ecx
		pop	eax
		mov	word ptr [ebp+var_10], ax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], offset ??_C@_1BG@PGIGMDPA@?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@ ; "Parameters"
		push	eax
		mov	[ebp+var_4], ecx
		mov	[ebp+var_28], 18h
		mov	[ebp+var_24], edi
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_964E42
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	_PipGetDriverKsrGuidRegistryValue@8 ; PipGetDriverKsrGuidRegistryValue(x,x)
		mov	esi, eax

loc_964E42:				; CODE XREF: PipGetDriverKsrGuid(x,x)+3Aj
					; PipGetDriverKsrGuid(x,x)+89j
		cmp	[ebp+var_4], 0FFFFFFFFh
		jz	short loc_964E54
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		or	[ebp+var_4], 0FFFFFFFFh

loc_964E54:				; CODE XREF: PipGetDriverKsrGuid(x,x)+9Bj
		cmp	edi, 0FFFFFFFFh
		jz	short loc_964E5F
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_964E5F:				; CODE XREF: PipGetDriverKsrGuid(x,x)+ACj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PipGetDriverKsrGuid@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipGetDriverKsrGuidRegistryValue(x,	x)
_PipGetDriverKsrGuidRegistryValue@8 proc near ;	CODE XREF: PipGetDriverKsrGuid(x,x)+90p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		push	eax
		mov	ebx, edx
		mov	edx, offset ??_C@_1BA@DKPHFNPD@?$AAK?$AAs?$AAr?$AAG?$AAu?$AAi?$AAd@NNGAKEGL@ ; "K"
		push	0
		call	IopGetRegistryValue
		mov	esi, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_964ED4
		mov	ecx, esi
		call	_PipValidateRegistryString@4 ; PipValidateRegistryString(x)
		test	al, al
		jz	short loc_964ED4
		mov	edx, [esi+0Ch]
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		push	ecx
		mov	ecx, [esi+8]
		push	eax
		add	ecx, esi
		call	_PnpRegSzToString@16 ; PnpRegSzToString(x,x,x,x)
		mov	ax, word ptr [ebp+var_4]
		mov	word ptr [ebp+var_8], ax
		mov	ax, [esi+0Ch]
		mov	word ptr [ebp+var_8+2],	ax
		mov	eax, [esi+8]
		add	eax, esi
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	edi, eax

loc_964ED4:				; CODE XREF: PipGetDriverKsrGuidRegistryValue(x,x)+27j
					; PipGetDriverKsrGuidRegistryValue(x,x)+32j
		test	esi, esi
		jz	short loc_964EE0
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_964EE0:				; CODE XREF: PipGetDriverKsrGuidRegistryValue(x,x)+70j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PipGetDriverKsrGuidRegistryValue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipGetPersistentMemory(x, x, x, x, x)
_PipGetPersistentMemory@20 proc	near	; CODE XREF: IoAcquireKsrPersistentMemory(x,x,x,x)+15Bp
					; IoQueryKsrPersistentMemorySize(x,x,x)+15Dp ...

var_11A		= byte ptr -11Ah
var_119		= byte ptr -119h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_10A		= byte ptr -10Ah
var_109		= byte ptr -109h
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_DC		= dword	ptr -0DCh
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_C8		= dword	ptr -0C8h
var_BC		= dword	ptr -0BCh
var_B8		= byte ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A2		= byte ptr -0A2h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8A		= byte ptr -8Ah
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[esp+80h+var_64], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		mov	[esp+80h+var_54], eax
		xor	eax, eax
		mov	[esp+80h+var_3C], ebx
		mov	[esp+80h+var_28], edx
		mov	[esp+80h+var_6C], edx
		push	esi
		push	edi
		lea	edi, [esp+88h+var_14]
		stosd
		stosd
		stosd
		stosd
		test	ebx, ebx
		jz	loc_965040
		mov	eax, [ebx+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_964F4D
		test	dword ptr [eax+10Ch], 20000h
		jz	loc_965040

loc_964F4D:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+54j
		movzx	edx, word ptr [ebx+2]
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		push	2
		pop	edi
		test	ecx, ecx
		jz	short loc_964F90
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		xor	esi, esi
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_964F92
		mov	edx, edi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		jmp	short loc_964F92
; 

loc_964F90:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+79j
		xor	esi, esi

loc_964F92:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+8Fj
					; PipGetPersistentMemory(x,x,x,x,x)+A7j
		mov	eax, [ebx+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_965032
		mov	edx, 1F4h
		lea	esi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		xor	edx, edx
		cmp	[esi], dx
		jz	short loc_964FCB
		mov	edx, edi
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [esi]
		mov	ecx, [esi+4]
		call	IoAddTriageDumpDataBlock

loc_964FCB:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+CEj
		mov	ecx, [ebx+0B0h]
		xor	esi, esi
		mov	eax, [ecx+14h]
		cmp	[eax+1Ch], si
		jz	short loc_965001
		mov	edx, edi
		lea	ecx, [eax+1Ch]
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebx+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+0B0h]

loc_965001:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+F3j
		mov	eax, [ecx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_965032
		lea	ecx, [eax+1Ch]
		cmp	[ecx], si
		jz	short loc_965032
		mov	edx, edi
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebx+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_965032:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+B6j
					; PipGetPersistentMemory(x,x,x,x,x)+122j ...
		push	esi
		push	esi
		push	ebx
		push	edi
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_965040:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+43j
					; PipGetPersistentMemory(x,x,x,x,x)+60j
		mov	eax, edx
		mov	[esp+13h], dl
		mov	ebx, edx
		mov	[esp+9Ch+var_74], edx
		mov	[esp+9Ch+var_7C], edx
		mov	[esp+9Ch+var_6C], edx
		mov	[esp+9Ch+var_84], edx
		lea	edx, [esp+9Ch+var_28]
		mov	[esp+9Ch+var_88], eax
		mov	[esp+9Ch+var_64], eax
		call	_PipGetDriverKsrGuid@8 ; PipGetDriverKsrGuid(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_965521
		xor	eax, eax
		lea	edi, [esp+9Ch+var_48]
		stosd
		stosd
		stosd
		lea	eax, [esp+9Ch+var_48]
		mov	edi, ds:__imp__KsrEnumeratePersistedMemory@12 ;	KsrEnumeratePersistedMemory(x,x,x)
		push	eax
		push	offset _PipEnumeratePersistedMemory@16 ; PipEnumeratePersistedMemory(x,x,x,x)
		lea	eax, [esp+0A4h+var_28]
		push	eax
		call	edi
		mov	esi, eax
		test	esi, esi
		js	loc_965521
		mov	eax, [esp+0A8h+var_50]
		test	eax, eax
		jnz	short loc_9650AF
		mov	esi, 0C0000034h
		jmp	loc_965521
; 

loc_9650AF:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+1BCj
		push	61706E50h
		shl	eax, 3
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0A8h+var_54], eax
		test	eax, eax
		jnz	short loc_9650D4
		mov	esi, 0C000009Ah
		jmp	loc_965521
; 

loc_9650D4:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+1E1j
		lea	eax, [esp+0A8h+var_54]
		push	eax
		push	offset _PipEnumeratePersistedMemory@16 ; PipEnumeratePersistedMemory(x,x,x,x)
		lea	eax, [esp+0B0h+var_34]
		push	eax
		call	edi
		mov	esi, eax
		test	esi, esi
		js	loc_965521
		xor	edx, edx
		mov	ecx, edx
		mov	[esp+0B4h+var_78], ecx
		cmp	[esp+0B4h+var_5C], ecx
		jbe	loc_9654C6
		mov	eax, [ebp+arg_8]
		mov	edx, ds:__imp__KsrQueryMetadata@24 ; KsrQueryMetadata(x,x,x,x,x,x)
		mov	[esp+0B4h+var_50], eax
		mov	eax, ds:__imp__KsrClaimPersistedMemory@28 ; KsrClaimPersistedMemory(x,x,x,x,x,x,x)
		mov	[esp+0B4h+var_70], eax
		mov	eax, ds:__imp__KsrFreePersistedMemoryBlock@16 ;	KsrFreePersistedMemoryBlock(x,x,x,x)
		mov	[esp+0B4h+var_64], edx
		mov	[esp+0B4h+var_44], eax

loc_965124:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+586j
		xor	eax, eax
		mov	ebx, eax
		mov	edi, eax
		mov	[esp+0B4h+var_94], eax
		mov	[esp+0B4h+var_9C], eax
		cmp	[esp+13h], al
		jnz	loc_9654D5
		mov	eax, [esp+0B4h+var_60]
		xor	esi, esi
		mov	ebx, [eax+ecx*8]
		mov	edi, [eax+ecx*8+4]
		lea	eax, [esp+0B4h+var_84]
		push	eax
		push	esi
		push	esi
		push	edi
		push	ebx
		lea	eax, [esp+0C8h+var_40]
		mov	[esp+0C8h+var_48], ebx
		push	eax
		mov	[esp+0CCh+var_4C], edi
		call	edx
		push	61706E50h
		push	[esp+0D0h+var_9C]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+0CCh+var_AC], ecx
		test	ecx, ecx
		jz	loc_9654B5
		lea	eax, [esp+0CCh+var_9C]
		mov	[ecx], esi
		push	eax
		push	[esp+0D0h+var_9C]
		lea	eax, [esp+0D4h+var_58]
		push	ecx
		push	edi
		push	ebx
		push	eax
		call	[esp+0E4h+var_7C]
		mov	esi, eax
		test	esi, esi
		js	loc_9654BA
		lea	eax, [esp+0E4h+var_C8]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	edi
		push	ebx
		lea	eax, [esp+0FCh+var_70]
		push	eax
		call	[esp+100h+var_A0]
		lea	esi, [eax+3FFFFFDDh]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jl	loc_9654BA
		mov	eax, [esp+100h+var_E4]
		push	61706E50h
		shl	eax, 3
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+100h+var_E8], eax
		test	eax, eax
		jz	loc_9654A8
		lea	ecx, [esp+100h+var_E4]
		xor	edx, edx
		push	ecx
		push	edx
		push	[esp+108h+var_E4]
		push	eax
		push	edi
		push	ebx
		lea	eax, [esp+8Ch]
		push	eax
		call	[esp+11Ch+var_BC]
		mov	esi, eax
		xor	eax, eax
		mov	[esp+11Ch+var_D4], esi
		mov	edi, eax
		test	esi, esi
		js	loc_9654A4
		mov	ebx, [esp+11Ch+var_104]
		mov	[esp+11Ch+var_F0], eax
		cmp	[esp+11Ch+var_100], eax
		jbe	short loc_965255
		mov	esi, eax

loc_965236:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+364j
		mov	eax, [ebx+esi*8]
		mov	cl, 28h
		mov	edx, [ebx+esi*8+4]
		call	__aullshr
		add	edi, eax
		inc	esi
		cmp	esi, [esp+11Ch+var_100]
		jb	short loc_965236
		mov	esi, [esp+11Ch+var_D4]
		mov	[esp+11Ch+var_F0], edi

loc_965255:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+34Bj
		push	61706E50h
		lea	eax, ds:1Ch[edi*4]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+11Ch+var_F4], edi
		test	edi, edi
		jz	loc_9654A2
		mov	ecx, [esp+11Ch+var_F0]
		xor	edx, edx
		shl	ecx, 0Ch
		mov	eax, ecx
		mov	[edi], edx
		shr	eax, 0Ch
		push	2
		mov	[edi+10h], edx
		mov	[edi+18h], edx
		lea	eax, ds:1Ch[eax*4]
		mov	[edi+14h], ecx
		mov	[edi+4], ax
		pop	eax
		mov	[edi+6], ax
		lea	eax, [edi+1Ch]
		mov	[esp+11Ch+var_F0], eax
		cmp	[esp+11Ch+var_100], edx
		jbe	short loc_965304
		mov	esi, [esp+11Ch+var_100]
		mov	edi, edx

loc_9652B8:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+411j
		mov	eax, [ebx+edi*8]
		mov	cl, 28h
		mov	edx, [ebx+edi*8+4]
		mov	[esp+11Ch+var_DC], eax
		call	__aullshr
		mov	edx, eax
		xor	eax, eax
		mov	ecx, eax
		test	edx, edx
		jz	short loc_9652F5
		mov	esi, [esp+11Ch+var_F0]
		mov	ebx, [esp+11Ch+var_DC]

loc_9652DC:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+400j
		lea	eax, [ecx+ebx]
		mov	[esi], eax
		add	esi, 4
		inc	ecx
		cmp	ecx, edx
		jb	short loc_9652DC
		mov	ebx, [esp+11Ch+var_104]
		mov	[esp+11Ch+var_F0], esi
		mov	esi, [esp+11Ch+var_100]

loc_9652F5:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+3EBj
		inc	edi
		cmp	edi, esi
		jb	short loc_9652B8
		mov	esi, [esp+11Ch+var_D4]
		xor	edx, edx
		mov	edi, [esp+11Ch+var_F4]

loc_965304:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+3C9j
		push	40000010h
		push	edx
		push	edx
		push	1
		push	edx
		push	edi
		call	MmMapLockedPagesSpecifyCache
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_96549B
		mov	ecx, [esp+11Ch+var_FC]
		xor	eax, eax
		inc	eax
		cmp	[ecx], ax
		ja	loc_965494
		xor	eax, eax
		cmp	[ecx+4], eax
		jnz	short loc_965357
		cmp	[esp+11Ch+var_D0], eax
		jnz	loc_9653F5
		cmp	[esp+11Ch+var_E8], eax
		mov	eax, [ebx]
		jnz	short loc_9653AE
		mov	ecx, [esp+11Ch+var_F8]
		mov	[ecx], eax

loc_96534D:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+4D1j
		mov	esi, 0C0000023h
		jmp	loc_9654D5
; 

loc_965357:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+44Cj
		mov	eax, [esp+11Ch+var_D0]
		test	eax, eax
		jz	loc_9653F5
		lea	ecx, [esp+11Ch+var_E4]
		push	ecx
		lea	edx, [esp+120h+var_BC]
		mov	ecx, eax
		call	_PipGetDeviceObjectLocation@12 ; PipGetDeviceObjectLocation(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_965481
		mov	edx, [esp+11Ch+var_FC]
		xor	eax, eax
		push	eax
		mov	eax, [esp+120h+var_E4]
		add	edx, 0Ch
		mov	ecx, eax
		mov	[esp+120h+var_108], eax
		call	_PnpCompareMultiSz@12 ;	PnpCompareMultiSz(x,x,x)
		test	al, al
		jz	short loc_9653F5
		xor	eax, eax
		inc	eax
		cmp	[esp+11Ch+var_E8], 0
		mov	[esp+11Ch+var_109], al
		mov	eax, [ebx]
		jz	loc_965472

loc_9653AE:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+45Ej
		mov	edx, [esp+11Ch+var_F8]
		mov	ecx, [edx]
		mov	[edx], eax
		cmp	ecx, eax
		jb	short loc_96534D
		push	dword ptr [ebx]	; size_t
		lea	eax, [ebx+4]
		push	eax		; void *
		push	[esp+124h+var_E8] ; void *
		call	_memcpy
		xor	eax, eax
		add	esp, 0Ch
		inc	eax
		mov	[esp+11Ch+var_109], al
		test	[esp+11Ch+var_B8], al
		jz	short loc_9653F5
		push	eax
		push	[esp+120h+var_B4]
		lea	eax, [esp+124h+var_A8]
		push	[esp+124h+var_B0]
		push	eax
		call	[esp+12Ch+var_AC]
		xor	eax, eax
		inc	eax
		mov	[esp+12Ch+var_119], al

loc_9653F5:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+452j
					; PipGetPersistentMemory(x,x,x,x,x)+476j ...
		inc	[esp+12Ch+var_F0]
		mov	eax, [esp+12Ch+var_118]
		test	eax, eax
		jz	short loc_965418
		push	61706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edx, edx
		mov	eax, edx
		mov	[esp+12Ch+var_118], eax
		mov	[esp+12Ch+var_F4], eax

loc_965418:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+518j
		push	edi
		push	ebx
		call	MmUnmapLockedPages
		push	61706E50h
		xor	eax, eax
		push	edi
		mov	ebx, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		push	61706E50h
		push	dword ptr [esp+24h]
		mov	edi, eax
		mov	[esp+134h+var_104], edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[esp+20h], eax
		mov	eax, [esp+12Ch+var_114]
		push	61706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esp+12Ch+var_F0]
		xor	edx, edx
		mov	[esp+12Ch+var_114], edx
		cmp	ecx, [esp+12Ch+var_D4]
		jnb	short loc_965487
		mov	edx, [esp+12Ch+var_DC]
		jmp	loc_965124
; 

loc_965472:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+4C1j
		mov	ecx, [esp+11Ch+var_F8]
		mov	esi, 0C0000023h
		xor	edx, edx
		mov	[ecx], eax
		jmp	short loc_96548B
; 

loc_965481:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+490j
		mov	eax, [esp+11Ch+var_E4]
		jmp	short loc_9654D9
; 

loc_965487:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+580j
		mov	ecx, [esp+12Ch+var_108]

loc_96548B:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+598j
		cmp	[esp+12Ch+var_119], 0
		jnz	short loc_9654D5
		jmp	short loc_9654CA
; 

loc_965494:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+441j
		mov	esi, 0C00000BBh
		jmp	short loc_9654D5
; 

loc_96549B:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+431j
		mov	esi, 0C000009Ah
		jmp	short loc_9654D5
; 

loc_9654A2:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+38Dj
		xor	eax, eax

loc_9654A4:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+339j
		mov	ebx, eax
		jmp	short loc_9654D5
; 

loc_9654A8:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+30Cj
		xor	eax, eax
		mov	esi, 0C000009Ah
		mov	ebx, eax
		mov	edi, eax
		jmp	short loc_9654D5
; 

loc_9654B5:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+29Ej
		mov	esi, 0C000009Ah

loc_9654BA:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+2BFj
					; PipGetPersistentMemory(x,x,x,x,x)+2E9j
		xor	eax, eax
		mov	ebx, eax
		mov	[esp+0CCh+var_B4], eax
		mov	edi, eax
		jmp	short loc_9654D5
; 

loc_9654C6:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+214j
		mov	ecx, [esp+0B4h+var_90]

loc_9654CA:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+5ABj
		mov	edi, [esp+28h]
		mov	esi, 0C0000034h
		mov	[ecx], edx

loc_9654D5:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+24Fj
					; PipGetPersistentMemory(x,x,x,x,x)+46Bj ...
		mov	eax, [esp+0B4h+var_A0]

loc_9654D9:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+59Ej
		test	eax, eax
		jz	short loc_9654E8
		push	61706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9654E8:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+5F4j
		test	ebx, ebx
		jz	short loc_9654F3
		push	edi
		push	ebx
		call	MmUnmapLockedPages

loc_9654F3:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+603j
		mov	ebx, 61706E50h
		test	edi, edi
		jz	short loc_965503
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_965503:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+613j
		mov	eax, [esp+0B4h+var_94]
		test	eax, eax
		jz	short loc_965512
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_965512:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+622j
		mov	eax, [esp+0B4h+var_9C]
		test	eax, eax
		jz	short loc_965521
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_965521:				; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+186j
					; PipGetPersistentMemory(x,x,x,x,x)+1B0j ...
		mov	ecx, [esp+0B4h+var_30]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PipGetPersistentMemory@20 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 749. IoAssignResources

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoAssignResources(x, x, x, x, x, x)
		public _IoAssignResources@24
_IoAssignResources@24 proc near

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jz	loc_965697
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_965697
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_965697
		mov	ebx, [ebp+arg_8]
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_9655A4
		movsx	edx, word ptr [ebx+2]
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		cmp	[ebx+1Ch], si
		jz	short loc_9655A4
		push	2
		pop	edx
		lea	ecx, [ebx+1Ch]
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [ebx+1Ch]
		mov	ecx, [ebx+20h]
		call	IoAddTriageDumpDataBlock

loc_9655A4:				; CODE XREF: IoAssignResources(x,x,x,x,x,x)+3Bj
					; IoAssignResources(x,x,x,x,x,x)+4Cj
		movzx	edx, word ptr [edi+2]
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	short loc_9655E1
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_9655E1
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_9655E1:				; CODE XREF: IoAssignResources(x,x,x,x,x,x)+75j
					; IoAssignResources(x,x,x,x,x,x)+89j
		mov	eax, [edi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_965688
		lea	eax, [ecx+14h]
		mov	edx, 1F4h
		mov	[ebp+arg_8], eax
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebp+arg_8]
		cmp	[eax], si
		jz	short loc_965622
		push	2
		pop	edx
		mov	ecx, eax
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebp+arg_8]
		movzx	edx, word ptr [eax]
		mov	ecx, [eax+4]
		call	IoAddTriageDumpDataBlock

loc_965622:				; CODE XREF: IoAssignResources(x,x,x,x,x,x)+C9j
		mov	edx, [edi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_965656
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [edi+0B0h]

loc_965656:				; CODE XREF: IoAssignResources(x,x,x,x,x,x)+F2j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_965688
		lea	ecx, [eax+1Ch]
		cmp	[ecx], si
		jz	short loc_965688
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_965688:				; CODE XREF: IoAssignResources(x,x,x,x,x,x)+ADj
					; IoAssignResources(x,x,x,x,x,x)+11Fj ...
		push	esi
		push	ebx
		push	edi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_965697:				; CODE XREF: IoAssignResources(x,x,x,x,x,x)+Dj
					; IoAssignResources(x,x,x,x,x,x)+1Ej ...
		mov	eax, [ebp+arg_10]
		xor	esi, esi
		test	eax, eax
		jz	short loc_9656AC
		cmp	[eax+1Ch], esi
		jz	short loc_9656AA
		cmp	[eax+24h], esi
		jnz	short loc_9656AC

loc_9656AA:				; CODE XREF: IoAssignResources(x,x,x,x,x,x)+164j
		mov	eax, esi

loc_9656AC:				; CODE XREF: IoAssignResources(x,x,x,x,x,x)+15Fj
					; IoAssignResources(x,x,x,x,x,x)+169j
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jz	short loc_9656B5
		mov	[ecx], esi

loc_9656B5:				; CODE XREF: IoAssignResources(x,x,x,x,x,x)+172j
		mov	edx, [ebp+arg_8]
		push	ecx
		push	eax
		push	edi
		push	2
		pop	ecx
		call	_IopLegacyResourceAllocation@20	; IopLegacyResourceAllocation(x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
_IoAssignResources@24 endp ; sp	= -14h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpIsDuplicateDevice(x, x, x, x)
_PnpIsDuplicateDevice@16 proc near	; CODE XREF: IopIsReportedAlready+890FEp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], edx
		xor	ebx, ebx
		mov	[ebp+var_18], esi
		push	edi
		mov	[ebp+var_1C], ebx
		cmp	[esi], ebx
		jz	loc_9657D8
		cmp	[edx], ebx
		jz	loc_9657D8

loc_9656F2:				; CODE XREF: PnpIsDuplicateDevice(x,x,x,x)+104j
		mov	eax, [esi+10h]
		xor	ecx, ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	loc_9657BA
		lea	eax, [esi+14h]
		mov	[ebp+var_8], eax

loc_96570B:				; CODE XREF: PnpIsDuplicateDevice(x,x,x,x)+E7j
		mov	bl, [eax]
		cmp	bl, 1
		jz	short loc_965720
		cmp	bl, 3
		jz	short loc_965720
		cmp	bl, 7
		jnz	loc_9657A4

loc_965720:				; CODE XREF: PnpIsDuplicateDevice(x,x,x,x)+46j
					; PnpIsDuplicateDevice(x,x,x,x)+4Bj
		mov	ecx, [edx+10h]
		xor	edi, edi
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		mov	ecx, [ebp+var_10]
		jz	short loc_96579F
		mov	esi, [ebp+var_8]
		lea	eax, [edx+14h]
		mov	[ebp+var_C], eax
		mov	edx, eax
		mov	eax, [ebp+var_4]

loc_96573D:				; CODE XREF: PnpIsDuplicateDevice(x,x,x,x)+C7j
		mov	bh, [edx]
		cmp	bl, bh
		jnz	short loc_965788
		mov	eax, [esi+8]
		mov	ecx, [esi+4]
		mov	esi, [edx+8]
		mov	[ebp+var_24], eax
		mov	eax, [edx+4]
		xor	edx, edx
		cmp	bl, 1
		mov	[ebp+var_20], esi
		mov	esi, [ebp+var_8]
		setz	dl
		mov	[ebp+var_2C], edx
		xor	edx, edx
		cmp	bh, 1
		setz	dl
		mov	[ebp+var_28], edx
		mov	edx, [ebp+var_C]
		cmp	ecx, eax
		jnz	short loc_965785
		mov	eax, [ebp+var_20]
		cmp	[ebp+var_24], eax
		jnz	short loc_965785
		mov	eax, [ebp+var_28]
		cmp	[ebp+var_2C], eax
		jz	short loc_965793

loc_965785:				; CODE XREF: PnpIsDuplicateDevice(x,x,x,x)+A9j
					; PnpIsDuplicateDevice(x,x,x,x)+B1j
		mov	eax, [ebp+var_4]

loc_965788:				; CODE XREF: PnpIsDuplicateDevice(x,x,x,x)+77j
		inc	edi
		add	edx, 10h
		mov	[ebp+var_C], edx
		cmp	edi, eax
		jb	short loc_96573D

loc_965793:				; CODE XREF: PnpIsDuplicateDevice(x,x,x,x)+B9j
		mov	esi, [ebp+var_18]
		mov	edx, [ebp+var_14]
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_10]

loc_96579F:				; CODE XREF: PnpIsDuplicateDevice(x,x,x,x)+63j
		cmp	edi, [ebp+var_4]
		jz	short loc_9657D8

loc_9657A4:				; CODE XREF: PnpIsDuplicateDevice(x,x,x,x)+50j
		inc	ecx
		add	eax, 10h
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], eax
		cmp	ecx, [ebp+var_30]
		jb	loc_96570B
		mov	ebx, [ebp+var_1C]

loc_9657BA:				; CODE XREF: PnpIsDuplicateDevice(x,x,x,x)+35j
		test	ebx, ebx
		jnz	short loc_9657D3
		mov	eax, edx
		mov	[ebp+var_14], esi
		inc	ebx
		mov	[ebp+var_18], eax
		mov	edx, esi
		mov	[ebp+var_1C], ebx
		mov	esi, eax
		jmp	loc_9656F2
; 

loc_9657D3:				; CODE XREF: PnpIsDuplicateDevice(x,x,x,x)+F2j
		xor	eax, eax
		inc	eax
		jmp	short loc_9657DA
; 

loc_9657D8:				; CODE XREF: PnpIsDuplicateDevice(x,x,x,x)+1Aj
					; PnpIsDuplicateDevice(x,x,x,x)+22j ...
		xor	eax, eax

loc_9657DA:				; CODE XREF: PnpIsDuplicateDevice(x,x,x,x)+10Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PnpIsDuplicateDevice@16 endp

; 
		align 4
		db 2 dup(0CCh)
; 
; Exported entry 1015. IoSteerInterrupt

; __stdcall IoSteerInterrupt(x,	x)
		public _IoSteerInterrupt@8
_IoSteerInterrupt@8:
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ebx, 0C0000001h
		call	edi
		test	al, al
		jz	short loc_965815
		xor	esi, esi
		push	esi
		push	esi
		call	edi
		movzx	eax, al
		push	eax
		push	1
		push	121h

loc_965810:				; CODE XREF: PAGE:00965A9Bj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_965815:				; CODE XREF: PAGE:009657FDj
		mov	edi, [ebp+8]
		test	edi, edi
		jz	loc_965AA0
		mov	edx, [ebp+0Ch]
		test	edx, edx
		jz	loc_965AA0
		xor	esi, esi
		cmp	[edi], esi
		jz	short loc_96583B

loc_965831:				; CODE XREF: PAGE:00965843j
					; PAGE:0096584Dj
		mov	ebx, 0C000000Dh
		jmp	loc_9658DD
; 

loc_96583B:				; CODE XREF: PAGE:0096582Fj
		mov	eax, [edx]
		mov	[ebp+8], eax
		cmp	eax, 2
		jge	short loc_965831
		cmp	eax, 1
		jnz	short loc_96584F
		cmp	[edx+8], esi
		jz	short loc_965831

loc_96584F:				; CODE XREF: PAGE:00965848j
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	loc_965A91
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_9658E6
		test	dword ptr [eax+10Ch], 20000h
		jnz	short loc_9658E6
		mov	eax, [edi+4]
		sub	eax, 1
		jz	short loc_9658A7
		sub	eax, 1
		jz	short loc_965899
		sub	eax, 1
		jz	short loc_965891
		sub	eax, 1
		jz	short loc_9658A7
		mov	ebx, 0C00000BBh
		jmp	short loc_9658DD
; 

loc_965891:				; CODE XREF: PAGE:00965883j
		mov	eax, [edi+0Ch]
		mov	ecx, [eax+14h]
		jmp	short loc_9658AA
; 

loc_965899:				; CODE XREF: PAGE:0096587Ej
		mov	eax, [edi+0Ch]
		mov	ecx, [eax+0D8h]
		add	ecx, 60h
		jmp	short loc_9658AA
; 

loc_9658A7:				; CODE XREF: PAGE:00965879j
					; PAGE:00965888j
		mov	ecx, [edi+0Ch]

loc_9658AA:				; CODE XREF: PAGE:00965897j
					; PAGE:009658A5j
		mov	edi, [ecx+104h]
		mov	eax, [edi+2Ch]
		cmp	eax, [ecx+2Ch]
		jnz	loc_965AA0
		mov	eax, [ebp+8]
		cmp	eax, 1
		jnz	short loc_9658CD
		push	dword ptr [edx+8]
		mov	dx, [edx+4]
		jmp	short loc_9658D4
; 

loc_9658CD:				; CODE XREF: PAGE:009658C2j
		test	eax, eax
		jnz	short loc_9658DD
		push	esi
		xor	edx, edx

loc_9658D4:				; CODE XREF: PAGE:009658CBj
		mov	ecx, edi
		call	_KeIntSteerAssignCpuSet@12 ; KeIntSteerAssignCpuSet(x,x,x)
		mov	ebx, eax

loc_9658DD:				; CODE XREF: PAGE:00965836j
					; PAGE:0096588Fj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	8
; 

loc_9658E6:				; CODE XREF: PAGE:00965865j
					; PAGE:00965871j
		test	ecx, ecx
		jz	loc_965A91
		movzx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		mov	eax, [ecx+8]
		test	eax, eax
		jz	short loc_965938
		movsx	edx, word ptr [eax+2]
		mov	ecx, eax
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		mov	eax, [ecx+8]
		cmp	[eax+1Ch], si
		jz	short loc_965938
		push	2
		pop	edx
		lea	ecx, [eax+1Ch]
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+8]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]

loc_965938:				; CODE XREF: PAGE:009658FFj
					; PAGE:00965916j
		test	ecx, ecx
		jz	short loc_965947
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_965949
; 

loc_965947:				; CODE XREF: PAGE:0096593Aj
		mov	eax, esi

loc_965949:				; CODE XREF: PAGE:00965945j
		test	eax, eax
		jz	loc_965A91
		test	ecx, ecx
		jz	short loc_965960
		mov	eax, [ecx+0B0h]
		mov	ebx, [eax+14h]
		jmp	short loc_965962
; 

loc_965960:				; CODE XREF: PAGE:00965953j
		mov	ebx, esi

loc_965962:				; CODE XREF: PAGE:0096595Ej
		test	ecx, ecx
		jz	short loc_965971
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_965973
; 

loc_965971:				; CODE XREF: PAGE:00965964j
		mov	ecx, esi

loc_965973:				; CODE XREF: PAGE:0096596Fj
		mov	edx, 1F4h
		call	IoAddTriageDumpDataBlock
		cmp	[ebx+14h], si
		jz	short loc_96599A
		push	2
		pop	edx
		lea	ecx, [ebx+14h]
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [ebx+14h]
		mov	ecx, [ebx+18h]
		call	IoAddTriageDumpDataBlock

loc_96599A:				; CODE XREF: PAGE:00965981j
		mov	edx, [edi+8]
		test	edx, edx
		jz	short loc_9659AC
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_9659AE
; 

loc_9659AC:				; CODE XREF: PAGE:0096599Fj
		mov	eax, esi

loc_9659AE:				; CODE XREF: PAGE:009659AAj
		cmp	[eax+1Ch], si
		jz	short loc_965A04
		test	edx, edx
		jz	short loc_9659C3
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_9659C5
; 

loc_9659C3:				; CODE XREF: PAGE:009659B6j
		mov	ecx, esi

loc_9659C5:				; CODE XREF: PAGE:009659C1j
		push	2
		add	ecx, 1Ch
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	short loc_9659E2
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_9659E4
; 

loc_9659E2:				; CODE XREF: PAGE:009659D5j
		mov	edx, esi

loc_9659E4:				; CODE XREF: PAGE:009659E0j
		test	ecx, ecx
		jz	short loc_9659F3
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_9659F5
; 

loc_9659F3:				; CODE XREF: PAGE:009659E6j
		mov	ecx, esi

loc_9659F5:				; CODE XREF: PAGE:009659F1j
		movzx	edx, word ptr [edx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [edi+8]

loc_965A04:				; CODE XREF: PAGE:009659B2j
		test	edx, edx
		jz	short loc_965A13
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_965A15
; 

loc_965A13:				; CODE XREF: PAGE:00965A06j
		mov	eax, esi

loc_965A15:				; CODE XREF: PAGE:00965A11j
		mov	ecx, edx
		cmp	[eax+8], esi
		jz	short loc_965A91
		test	edx, edx
		jz	short loc_965A2B
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_965A2D
; 

loc_965A2B:				; CODE XREF: PAGE:00965A1Ej
		mov	eax, esi

loc_965A2D:				; CODE XREF: PAGE:00965A29j
		mov	eax, [eax+8]
		mov	ecx, edx
		cmp	[eax+1Ch], si
		jz	short loc_965A91
		test	edx, edx
		jz	short loc_965A47
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_965A49
; 

loc_965A47:				; CODE XREF: PAGE:00965A3Aj
		mov	ecx, esi

loc_965A49:				; CODE XREF: PAGE:00965A45j
		mov	ecx, [ecx+8]
		push	2
		add	ecx, 1Ch
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	short loc_965A69
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_965A6B
; 

loc_965A69:				; CODE XREF: PAGE:00965A5Cj
		mov	edx, esi

loc_965A6B:				; CODE XREF: PAGE:00965A67j
		test	ecx, ecx
		jz	short loc_965A7A
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_965A7C
; 

loc_965A7A:				; CODE XREF: PAGE:00965A6Dj
		mov	ecx, esi

loc_965A7C:				; CODE XREF: PAGE:00965A78j
		mov	eax, [edx+8]
		mov	ecx, [ecx+8]
		movzx	edx, word ptr [eax+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]

loc_965A91:				; CODE XREF: PAGE:00965854j
					; PAGE:009658E8j ...
		push	esi
		push	esi
		push	ecx
		push	2
		push	0CAh
		jmp	loc_965810
; 

loc_965AA0:				; CODE XREF: PAGE:0096581Aj
					; PAGE:00965825j ...
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 822. IoDuplicateDependency

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoDuplicateDependency(x, x)
		public _IoDuplicateDependency@8
_IoDuplicateDependency@8 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		test	ebx, ebx
		jz	loc_965B63
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	loc_965B63
		push	edi
		mov	cl, 1
		xor	edi, edi
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	eax, [ebx+0B0h]
		mov	eax, [eax+2Ch]
		test	eax, eax
		jnz	short loc_965AE7

loc_965AE0:				; CODE XREF: IoDuplicateDependency(x,x)+64j
		call	_PnpReleaseDependencyRelationsLock@0 ; PnpReleaseDependencyRelationsLock()
		jmp	short loc_965B5E
; 

loc_965AE7:				; CODE XREF: IoDuplicateDependency(x,x)+34j
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], esi
		call	PipQueryBindingResolution
		mov	esi, eax
		test	esi, esi
		jnz	short loc_965B10
		lea	ecx, [ebp+var_8]
		call	PipCreateDependencyNode
		mov	esi, eax
		test	esi, esi
		jnz	short loc_965B13
		mov	edi, 0C000009Ah
		jmp	short loc_965AE0
; 

loc_965B10:				; CODE XREF: IoDuplicateDependency(x,x)+4Fj
		inc	dword ptr [esi+2Ch]

loc_965B13:				; CODE XREF: IoDuplicateDependency(x,x)+5Dj
		mov	ecx, ebx
		call	_PiGetDependentList@4 ;	PiGetDependentList(x)
		mov	[ebp+arg_0], eax
		mov	ebx, [eax]
		cmp	ebx, eax
		jz	short loc_965B45

loc_965B23:				; CODE XREF: IoDuplicateDependency(x,x)+95j
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	_PiListEntryToDependencyEdge@8 ; PiListEntryToDependencyEdge(x,x)
		mov	ebx, [ebx]
		mov	edx, esi
		mov	ecx, eax
		call	_PipDependencyCopyEdge@8 ; PipDependencyCopyEdge(x,x)
		test	eax, eax
		js	short loc_965B43
		cmp	ebx, [ebp+arg_0]
		jnz	short loc_965B23
		jmp	short loc_965B45
; 

loc_965B43:				; CODE XREF: IoDuplicateDependency(x,x)+90j
		mov	edi, eax

loc_965B45:				; CODE XREF: IoDuplicateDependency(x,x)+77j
					; IoDuplicateDependency(x,x)+97j
		mov	ecx, esi
		call	_PipDereferenceDependencyNode@4	; PipDereferenceDependencyNode(x)
		mov	ecx, [ebp+arg_4]
		call	PipAddDependentsToRebuildPowerRelationsQueue
		call	_PnpReleaseDependencyRelationsLock@0 ; PnpReleaseDependencyRelationsLock()
		call	_PipProcessRebuildPowerRelationsQueue@0	; PipProcessRebuildPowerRelationsQueue()

loc_965B5E:				; CODE XREF: IoDuplicateDependency(x,x)+3Bj
		mov	eax, edi
		pop	edi
		jmp	short loc_965B68
; 

loc_965B63:				; CODE XREF: IoDuplicateDependency(x,x)+Ej
					; IoDuplicateDependency(x,x)+19j
		mov	eax, 0C000000Dh

loc_965B68:				; CODE XREF: IoDuplicateDependency(x,x)+B7j
		pop	esi
		pop	ebx
		leave
		retn	8
_IoDuplicateDependency@8 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 969. IoReserveDependency

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoReserveDependency(x, x, x)
		public _IoReserveDependency@12
_IoReserveDependency@12	proc near

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jz	short loc_965BE5
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_965BE5
		xor	edi, edi
		cmp	[edx], di
		jz	short loc_965BE5
		mov	ebx, [ebp+arg_8]
		test	bl, 3
		mov	eax, ebx
		setnz	cl
		and	eax, 0FFFFFFFCh
		neg	eax
		sbb	al, al
		inc	al
		test	cl, al
		jz	short loc_965BE5
		mov	cl, 1
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], esi
		mov	[ebp+var_14], 1
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ebx
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		lea	edx, [ebp+var_14]
		lea	ecx, [ebp+var_8]
		call	_PipSetDependency@8 ; PipSetDependency(x,x)
		mov	ecx, offset _PiDependencyRelationsLock
		mov	esi, eax
		call	ExReleaseResourceLite
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		jmp	short loc_965BEA
; 

loc_965BE5:				; CODE XREF: IoReserveDependency(x,x,x)+10j
					; IoReserveDependency(x,x,x)+17j ...
		mov	esi, 0C000000Dh

loc_965BEA:				; CODE XREF: IoReserveDependency(x,x,x)+70j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_IoReserveDependency@12	endp

; 
		align 8
; Exported entry 978. IoSetDependency

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoSetDependency(x, x, x)
		public _IoSetDependency@12
_IoSetDependency@12 proc near

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		sub	esp, 14h
		push	ebx
		push	esi
		test	edx, edx
		jz	short loc_965C74
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_965C74
		mov	ebx, [ebp+arg_8]
		test	bl, 3
		mov	eax, ebx
		setnz	cl
		and	eax, 0FFFFFFFCh
		neg	eax
		sbb	al, al
		inc	al
		test	cl, al
		jz	short loc_965C74
		cmp	edx, esi
		jnz	short loc_965C33
		mov	eax, 0C0000001h
		jmp	short loc_965C7B
; 

loc_965C33:				; CODE XREF: IoSetDependency(x,x,x)+32j
		and	[ebp+var_8], 0
		mov	cl, 1
		and	[ebp+var_14], 0
		mov	[ebp+var_4], edx
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], ebx
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		lea	edx, [ebp+var_14]
		lea	ecx, [ebp+var_8]
		call	_PipSetDependency@8 ; PipSetDependency(x,x)
		mov	ecx, offset _PiDependencyRelationsLock
		mov	esi, eax
		call	ExReleaseResourceLite
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		test	esi, esi
		js	short loc_965C79
		call	_PipProcessRebuildPowerRelationsQueue@0	; PipProcessRebuildPowerRelationsQueue()
		jmp	short loc_965C79
; 

loc_965C74:				; CODE XREF: IoSetDependency(x,x,x)+Fj
					; IoSetDependency(x,x,x)+16j ...
		mov	esi, 0C000000Dh

loc_965C79:				; CODE XREF: IoSetDependency(x,x,x)+73j
					; IoSetDependency(x,x,x)+7Aj
		mov	eax, esi

loc_965C7B:				; CODE XREF: IoSetDependency(x,x,x)+39j
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_IoSetDependency@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiEnumerateDependentListEntry(x, x,	x)
_PiEnumerateDependentListEntry@12 proc near ; CODE XREF: PipAttemptDependentsStart+6DB65p
					; PipIommuValidateDeviceId+6BFE7p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		xor	edx, edx
		inc	edx
		call	_PiListEntryToDependencyEdge@8 ; PiListEntryToDependencyEdge(x,x)
		mov	ecx, [eax+14h]
		mov	ecx, [ecx+18h]
		mov	[esi], ecx
		mov	ecx, [ebp+arg_0]
		pop	esi
		test	ecx, ecx
		jz	short loc_965CA6
		mov	eax, [eax+18h]
		mov	[ecx], eax

loc_965CA6:				; CODE XREF: PiEnumerateDependentListEntry(x,x,x)+1Ej
		pop	ebp
		retn	4
_PiEnumerateDependentListEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiEnumerateProviderListEntry(x, x, x)
_PiEnumerateProviderListEntry@12 proc near ; CODE XREF:	PiValidatePowerRelations+6BAF8p
					; PiQueryPowerDependencyRelations+6BA9Ep ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		xor	edx, edx
		call	_PiListEntryToDependencyEdge@8 ; PiListEntryToDependencyEdge(x,x)
		mov	ecx, [eax+10h]
		mov	ecx, [ecx+18h]
		mov	[esi], ecx
		mov	ecx, [ebp+arg_0]
		pop	esi
		test	ecx, ecx
		jz	short loc_965CCE
		mov	eax, [eax+18h]
		mov	[ecx], eax

loc_965CCE:				; CODE XREF: PiEnumerateProviderListEntry(x,x,x)+1Dj
		pop	ebp
		retn	4
_PiEnumerateProviderListEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipAddRequestToEdge(x, x)
_PipAddRequestToEdge@8 proc near	; CODE XREF: PipAddDependencyEdgeBetweenNodes(x,x,x)+39p
					; PipCreateNewDependencyEdge(x,x,x)+3Ep ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		lea	ecx, [eax+1Ch]
		mov	[ebp+var_10], eax
		mov	eax, [ecx]
		xor	esi, esi
		xor	edi, edi
		mov	[ebp+var_4], ecx
		mov	ebx, edx
		cmp	eax, ecx
		jz	short loc_965D47

loc_965CF4:				; CODE XREF: PipAddRequestToEdge(x,x)+67j
		test	edi, edi
		jnz	short loc_965D3F
		mov	edx, eax
		mov	eax, [eax]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], edx
		mov	eax, [edx+8]
		cmp	eax, [ebx]
		jnz	short loc_965D34
		sub	eax, edi
		jz	short loc_965D2A
		sub	eax, 1
		jnz	short loc_965D34
		push	eax
		push	dword ptr [ebx+4]
		push	dword ptr [edx+0Ch]
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		mov	ecx, [ebp+var_4]
		test	al, al
		jz	short loc_965D34
		mov	edi, [ebp+var_8]
		jmp	short loc_965D34
; 

loc_965D2A:				; CODE XREF: PipAddRequestToEdge(x,x)+39j
		mov	eax, [edx+0Ch]
		cmp	eax, [ebx+4]
		jnz	short loc_965D34
		mov	edi, edx

loc_965D34:				; CODE XREF: PipAddRequestToEdge(x,x)+35j
					; PipAddRequestToEdge(x,x)+3Ej	...
		mov	eax, [ebp+var_C]
		cmp	eax, ecx
		jnz	short loc_965CF4
		test	edi, edi
		jz	short loc_965D47

loc_965D3F:				; CODE XREF: PipAddRequestToEdge(x,x)+24j
		mov	eax, [ebx+8]
		or	[edi+10h], eax
		jmp	short loc_965DBA
; 

loc_965D47:				; CODE XREF: PipAddRequestToEdge(x,x)+20j
					; PipAddRequestToEdge(x,x)+6Bj
		push	53706E50h
		push	14h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_965DCF
		mov	ecx, [ebx+8]
		mov	[esi+10h], ecx
		mov	eax, [ebx]
		mov	[esi+8], eax
		sub	eax, 0
		jz	short loc_965D9B
		sub	eax, 1
		jnz	short loc_965DA1
		push	53706E50h
		push	8
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	eax
		mov	[esi+0Ch], eax
		push	dword ptr [ebx+4]
		push	0
		call	RtlDuplicateUnicodeString
		test	eax, eax
		jns	short loc_965DA1
		mov	ecx, esi
		call	_PipFreeBindingRequestEntry@4 ;	PipFreeBindingRequestEntry(x)
		xor	esi, esi
		jmp	short loc_965DCF
; 

loc_965D9B:				; CODE XREF: PipAddRequestToEdge(x,x)+97j
		mov	eax, [ebx+4]
		mov	[esi+0Ch], eax

loc_965DA1:				; CODE XREF: PipAddRequestToEdge(x,x)+9Cj
					; PipAddRequestToEdge(x,x)+BCj
		mov	eax, [ebp+var_4]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jz	short loc_965DB0
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_965DB0:				; CODE XREF: PipAddRequestToEdge(x,x)+D7j
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi

loc_965DBA:				; CODE XREF: PipAddRequestToEdge(x,x)+73j
		test	edi, edi
		jz	short loc_965DC0
		mov	esi, edi

loc_965DC0:				; CODE XREF: PipAddRequestToEdge(x,x)+EAj
		test	esi, esi
		jz	short loc_965DCF
		mov	edx, [ebx+8]
		mov	ecx, [ebp+var_10]
		call	_PipMergeDependencyTypes@8 ; PipMergeDependencyTypes(x,x)

loc_965DCF:				; CODE XREF: PipAddRequestToEdge(x,x)+87j
					; PipAddRequestToEdge(x,x)+C7j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PipAddRequestToEdge@8 endp


;  S U B	R O U T	I N E 


; __stdcall PipAttemptDependentStart(x)
_PipAttemptDependentStart@4 proc near	; CODE XREF: PipAttemptDependentsStart+6DB77p
					; PipDeleteAllDependencyRelations(x)+97p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		test	edi, edi
		jz	short loc_965DEE
		mov	eax, [edi+0B0h]
		mov	esi, [eax+14h]
		jmp	short loc_965DF0
; 

loc_965DEE:				; CODE XREF: PipAttemptDependentStart(x)+Bj
		mov	esi, ebx

loc_965DF0:				; CODE XREF: PipAttemptDependentStart(x)+16j
		test	esi, esi
		jz	short loc_965E30
		test	dword ptr [esi+10Ch], 2000h
		jz	short loc_965E30
		cmp	dword ptr [esi+114h], 33h
		jnz	short loc_965E30
		push	3
		pop	edx
		mov	ecx, esi
		call	PipCheckForUnsatisfiedDependencies
		test	al, al
		jnz	short loc_965E30
		mov	ecx, esi
		call	PipClearDevNodeProblem
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	1
		push	10h
		pop	edx
		mov	ecx, edi
		call	PnpRequestDeviceAction
		jmp	short loc_965E35
; 

loc_965E30:				; CODE XREF: PipAttemptDependentStart(x)+1Cj
					; PipAttemptDependentStart(x)+28j ...
		mov	eax, 0C0000001h

loc_965E35:				; CODE XREF: PipAttemptDependentStart(x)+58j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PipAttemptDependentStart@4 endp


;  S U B	R O U T	I N E 


; __stdcall PipCheckValidNewDependencyEdge(x, x)
_PipCheckValidNewDependencyEdge@8 proc near
					; CODE XREF: PipAddDependencyEdgeBetweenNodes(x,x,x)+26p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		cmp	ebx, edx
		jz	short loc_965EA0
		mov	eax, [ebx+18h]
		xor	esi, esi
		test	eax, eax
		jz	short loc_965E58
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_965E5A
; 

loc_965E58:				; CODE XREF: PipCheckValidNewDependencyEdge(x,x)+12j
		mov	ecx, esi

loc_965E5A:				; CODE XREF: PipCheckValidNewDependencyEdge(x,x)+1Dj
		mov	eax, [edx+18h]
		test	eax, eax
		jz	short loc_965E6A
		mov	eax, [eax+0B0h]
		mov	esi, [eax+14h]

loc_965E6A:				; CODE XREF: PipCheckValidNewDependencyEdge(x,x)+26j
		test	ecx, ecx
		jz	short loc_965E81
		test	esi, esi
		jz	short loc_965E81

loc_965E72:				; CODE XREF: PipCheckValidNewDependencyEdge(x,x)+46j
		mov	esi, [esi+8]
		cmp	esi, ecx
		jz	short loc_965EA0
		cmp	esi, _IopRootDeviceNode
		jnz	short loc_965E72

loc_965E81:				; CODE XREF: PipCheckValidNewDependencyEdge(x,x)+33j
					; PipCheckValidNewDependencyEdge(x,x)+37j
		lea	edi, [edx+8]
		mov	esi, [edi]
		jmp	short loc_965E98
; 

loc_965E88:				; CODE XREF: PipCheckValidNewDependencyEdge(x,x)+61j
		xor	edx, edx
		mov	ecx, esi
		call	_PiListEntryToDependencyEdge@8 ; PiListEntryToDependencyEdge(x,x)
		mov	esi, [esi]
		cmp	[eax+10h], ebx
		jz	short loc_965EA0

loc_965E98:				; CODE XREF: PipCheckValidNewDependencyEdge(x,x)+4Dj
		cmp	esi, edi
		jnz	short loc_965E88
		mov	al, 1
		jmp	short loc_965EA2
; 

loc_965EA0:				; CODE XREF: PipCheckValidNewDependencyEdge(x,x)+9j
					; PipCheckValidNewDependencyEdge(x,x)+3Ej ...
		xor	al, al

loc_965EA2:				; CODE XREF: PipCheckValidNewDependencyEdge(x,x)+65j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PipCheckValidNewDependencyEdge@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipConvertResolutionsToReservations(x)
_PipConvertResolutionsToReservations@4 proc near
					; CODE XREF: PipDeleteAllDependencyRelations(x)+31p
					; PnpSurpriseRemovedDeviceNodeDependencyCheck(x)+31p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_8], 0
		and	[esp+14h+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jnz	short loc_965ECB
		mov	edi, 0C000000Dh
		jmp	short loc_965F35
; 

loc_965ECB:				; CODE XREF: PipConvertResolutionsToReservations(x)+1Cj
		xor	edi, edi
		mov	[esp+20h+var_10], edi
		call	_PipDeleteBindingIds@4 ; PipDeleteBindingIds(x)
		lea	eax, [esi+10h]
		mov	esi, [eax]
		mov	[esp+20h+var_C], eax
		cmp	esi, eax
		jz	short loc_965F35

loc_965EE3:				; CODE XREF: PipConvertResolutionsToReservations(x)+89j
		lea	ebx, [esi]
		mov	esi, [esi]
		cmp	byte ptr [ebx+1Ch], 0
		jnz	short loc_965F2D
		lea	ecx, [ebx+14h]
		mov	edi, [ecx]
		cmp	edi, ecx
		jz	short loc_965F29

loc_965EF6:				; CODE XREF: PipConvertResolutionsToReservations(x)+7Dj
		mov	edx, edi
		mov	edi, [edi]
		add	edx, 8
		cmp	dword ptr [edx], 1
		jnz	short loc_965F21
		mov	eax, [ebx+0Ch]
		lea	ecx, [esp+20h+var_8]
		and	[esp+20h+var_8], 0
		mov	eax, [eax+18h]
		mov	[esp+20h+var_4], eax
		call	_PipSetDependency@8 ; PipSetDependency(x,x)
		mov	[esp+20h+var_10], eax
		lea	ecx, [ebx+14h]

loc_965F21:				; CODE XREF: PipConvertResolutionsToReservations(x)+5Aj
		cmp	edi, ecx
		jnz	short loc_965EF6
		mov	eax, [esp+20h+var_C]

loc_965F29:				; CODE XREF: PipConvertResolutionsToReservations(x)+4Ej
		mov	byte ptr [ebx+1Ch], 1

loc_965F2D:				; CODE XREF: PipConvertResolutionsToReservations(x)+45j
		cmp	esi, eax
		jnz	short loc_965EE3
		mov	edi, [esp+20h+var_10]

loc_965F35:				; CODE XREF: PipConvertResolutionsToReservations(x)+23j
					; PipConvertResolutionsToReservations(x)+3Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PipConvertResolutionsToReservations@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipDeleteAllDependencyRelations(x)
_PipDeleteAllDependencyRelations@4 proc	near
					; CODE XREF: PnpDeleteAllDependencyRelations+14A77Ep

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], ebx
		push	esi
		push	edi
		test	ebx, ebx
		jz	short loc_965F5D
		mov	eax, [ebx+0B0h]
		mov	esi, [eax+2Ch]
		jmp	short loc_965F5F
; 

loc_965F5D:				; CODE XREF: PipDeleteAllDependencyRelations(x)+12j
		xor	esi, esi

loc_965F5F:				; CODE XREF: PipDeleteAllDependencyRelations(x)+1Dj
		mov	[ebp+var_4], esi
		test	esi, esi
		jz	loc_966021
		inc	dword ptr [esi+2Ch]
		mov	ecx, esi
		call	_PipConvertResolutionsToReservations@4 ; PipConvertResolutionsToReservations(x)
		lea	eax, [esi+8]
		mov	edi, [eax]
		cmp	edi, eax
		jz	short loc_965F99
		lea	ebx, [esi+8]

loc_965F80:				; CODE XREF: PipDeleteAllDependencyRelations(x)+56j
		xor	edx, edx
		mov	ecx, edi
		call	_PiListEntryToDependencyEdge@8 ; PiListEntryToDependencyEdge(x,x)
		mov	edi, [edi]
		mov	ecx, eax
		call	_PipFreeDependencyEdge@8 ; PipFreeDependencyEdge(x,x)
		cmp	edi, ebx
		jnz	short loc_965F80
		mov	ebx, [ebp+var_8]

loc_965F99:				; CODE XREF: PipDeleteAllDependencyRelations(x)+3Dj
		lea	ecx, [esi+10h]
		mov	eax, [ecx]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], eax
		cmp	eax, ecx
		jz	short loc_965FF1
		mov	ebx, eax
		mov	esi, ecx

loc_965FAC:				; CODE XREF: PipDeleteAllDependencyRelations(x)+ABj
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	_PiListEntryToDependencyEdge@8 ; PiListEntryToDependencyEdge(x,x)
		mov	ebx, [ebx]
		xor	edx, edx
		mov	ecx, eax
		mov	edi, [eax+14h]
		inc	dword ptr [edi+2Ch]
		call	_PipFreeDependencyEdge@8 ; PipFreeDependencyEdge(x,x)
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jz	short loc_965FDA
		lea	eax, [edi+8]
		cmp	[eax], eax
		jz	short loc_965FDA
		call	_PipAttemptDependentStart@4 ; PipAttemptDependentStart(x)

loc_965FDA:				; CODE XREF: PipDeleteAllDependencyRelations(x)+8Ej
					; PipDeleteAllDependencyRelations(x)+95j
		sub	dword ptr [edi+2Ch], 1
		jnz	short loc_965FE7
		mov	ecx, edi
		call	_PipDeleteDependencyNode@4 ; PipDeleteDependencyNode(x)

loc_965FE7:				; CODE XREF: PipDeleteAllDependencyRelations(x)+A0j
		cmp	ebx, esi
		jnz	short loc_965FAC
		mov	esi, [ebp+var_4]
		mov	ebx, [ebp+var_8]

loc_965FF1:				; CODE XREF: PipDeleteAllDependencyRelations(x)+68j
		mov	eax, [ebx+0B0h]
		and	dword ptr [eax+2Ch], 0
		and	dword ptr [esi+18h], 0
		sub	dword ptr [esi+2Ch], 1
		mov	eax, [esi+2Ch]
		jnz	short loc_966012
		mov	ecx, esi
		call	_PipDeleteDependencyNode@4 ; PipDeleteDependencyNode(x)
		mov	eax, [esi+2Ch]

loc_966012:				; CODE XREF: PipDeleteAllDependencyRelations(x)+C8j
		sub	eax, 1
		mov	[esi+2Ch], eax
		jnz	short loc_966021
		mov	ecx, esi
		call	_PipDeleteDependencyNode@4 ; PipDeleteDependencyNode(x)

loc_966021:				; CODE XREF: PipDeleteAllDependencyRelations(x)+26j
					; PipDeleteAllDependencyRelations(x)+DAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PipDeleteAllDependencyRelations@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipDeleteBindingId(x, x)
_PipDeleteBindingId@8 proc near		; CODE XREF: IoResolveDependency+5EE65p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		lea	eax, [ecx+1Ch]
		mov	[ebp+var_8], edx
		push	esi
		mov	esi, [eax]
		mov	ebx, 0C0000225h
		mov	[ebp+var_4], eax
		cmp	esi, eax
		jz	short loc_966061
		push	edi

loc_966044:				; CODE XREF: PipDeleteBindingId(x,x)+38j
		mov	edi, [esi]
		lea	eax, [esi+8]
		push	0
		push	edx
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_966067
		mov	edx, [ebp+var_8]
		mov	esi, edi
		cmp	esi, [ebp+var_4]
		jnz	short loc_966044

loc_966060:				; CODE XREF: PipDeleteBindingId(x,x)+68j
		pop	edi

loc_966061:				; CODE XREF: PipDeleteBindingId(x,x)+1Bj
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_966067:				; CODE XREF: PipDeleteBindingId(x,x)+2Ej
		cmp	[edi+4], esi
		jnz	short loc_966090
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_966090
		mov	[eax], edi
		mov	[edi+4], eax
		lea	eax, [esi+8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	53706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx
		jmp	short loc_966060
; 

loc_966090:				; CODE XREF: PipDeleteBindingId(x,x)+44j
					; PipDeleteBindingId(x,x)+4Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PipDeleteBindingIds(x)
_PipDeleteBindingIds@4:			; CODE XREF: PipConvertResolutionsToReservations(x)+2Bp
					; PipDeleteDependencyNode(x)+5p
		mov	edi, edi
		push	esi
		push	edi
		lea	esi, [ecx+1Ch]

loc_96609C:				; CODE XREF: PipDeleteBindingId(x,x)+A1j
		cmp	[esi], esi
		jz	short loc_9660CE
		mov	edi, [esi+4]
		cmp	[edi], esi
		jnz	short loc_9660C9
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_9660C9
		mov	[esi+4], eax
		mov	[eax], esi
		lea	eax, [edi+8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	53706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_96609C
; 

loc_9660C9:				; CODE XREF: PipDeleteBindingId(x,x)+7Fj
					; PipDeleteBindingId(x,x)+86j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9660CE:				; CODE XREF: PipDeleteBindingId(x,x)+78j
		pop	edi
		pop	esi
		retn
_PipDeleteBindingId@8 endp ; sp	= -18h


;  S U B	R O U T	I N E 


; __stdcall PipDeleteDependencyNode(x)
_PipDeleteDependencyNode@4 proc	near	; CODE XREF: PipDereferenceDependencyNode(x)+4j
					; PipCreateDependencyNode+6BAE0p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_PipDeleteBindingIds@4 ; PipDeleteBindingIds(x)
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_966111
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_966111
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	ecx, [esi+24h]
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_966111
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_966111
		push	53706E50h
		mov	[eax], edx
		push	esi
		mov	[edx+4], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
; 

loc_966111:				; CODE XREF: PipDeleteDependencyNode(x)+Fj
					; PipDeleteDependencyNode(x)+16j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PipDeleteDependencyNode@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipDependencyCopyEdge(x, x)
_PipDependencyCopyEdge@8 proc near	; CODE XREF: IoDuplicateDependency(x,x)+89p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebx+1Ch]
		mov	esi, [edi]
		jmp	short loc_966144
; 

loc_96612D:				; CODE XREF: PipDependencyCopyEdge(x,x)+30j
		mov	ecx, [ebx+14h]
		mov	eax, esi
		mov	esi, [esi]
		add	eax, 8
		push	eax
		call	_PipAddDependencyEdgeBetweenNodes@12 ; PipAddDependencyEdgeBetweenNodes(x,x,x)
		test	eax, eax
		js	short loc_966148
		mov	edx, [ebp+var_4]

loc_966144:				; CODE XREF: PipDependencyCopyEdge(x,x)+15j
		cmp	esi, edi
		jnz	short loc_96612D

loc_966148:				; CODE XREF: PipDependencyCopyEdge(x,x)+29j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PipDependencyCopyEdge@8 endp


;  S U B	R O U T	I N E 


; __stdcall PipFreeBindingRequestEntry(x)
_PipFreeBindingRequestEntry@4 proc near	; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+111p
					; PipAddRequestToEdge(x,x)+C0p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 53706E50h
		cmp	dword ptr [esi+8], 1
		jnz	short loc_966178
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_966178
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	edi
		push	dword ptr [esi+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+0Ch], 0

loc_966178:				; CODE XREF: PipFreeBindingRequestEntry(x)+Fj
					; PipFreeBindingRequestEntry(x)+16j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_PipFreeBindingRequestEntry@4 endp


;  S U B	R O U T	I N E 


; __stdcall PipIsProviderStarted(x)
_PipIsProviderStarted@4	proc near	; CODE XREF: IoResolveDependency+5EEF3p
					; PipCheckForUnsatisfiedDependencies+A1842p
		mov	eax, [ecx+0ACh]
		add	eax, 0FFFFFCFFh
		cmp	eax, 13h
		ja	short loc_9661A3
		movzx	eax, ds:byte_9661AE[eax]
		jmp	ds:off_9661A6[eax*4]

loc_9661A0:				; DATA XREF: PAGE:009661AAo
		mov	al, 1
		retn
; 

loc_9661A3:				; CODE XREF: PipIsProviderStarted(x)+Ej
					; PipIsProviderStarted(x)+17j
					; DATA XREF: ...
		xor	al, al
		retn
_PipIsProviderStarted@4	endp

; 
off_9661A6	dd offset loc_9661A3	; DATA XREF: PipIsProviderStarted(x)+17r
		dd offset loc_9661A0
byte_9661AE	db 0			; DATA XREF: PipIsProviderStarted(x)+10r
		align 10h
		dd 0
		dd 100h, 10100h, 0
		db 2 dup(0)

;  S U B	R O U T	I N E 


; __stdcall PipLinkDeviceObjectAndDependencyNode(x, x)
_PipLinkDeviceObjectAndDependencyNode@8	proc near ; CODE XREF: IoResolveDependency+5EE98p
		inc	dword ptr [edx+2Ch]
		mov	[edx+18h], ecx
		mov	eax, [ecx+0B0h]
		mov	[eax+2Ch], edx
		retn
_PipLinkDeviceObjectAndDependencyNode@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipMergeDependencyEdgeList(x, x, x)
_PipMergeDependencyEdgeList@12 proc near ; CODE	XREF: PipMergeDependencyNodes(x,x)+25p
					; PipMergeDependencyNodes(x,x)+30p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_14], 0
		xor	eax, eax
		cmp	[ebp+arg_0], eax
		push	ebx
		push	esi
		setnz	al
		mov	[ebp+var_18], edx
		push	edi
		mov	edi, ecx
		lea	eax, ds:8[eax*8]
		lea	esi, [eax+edx]
		lea	ecx, [eax+edi]
		mov	[ebp+var_1C], esi
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_14]
		call	PiPnpRtlBeginOperation
		mov	ebx, [esi]
		jmp	loc_9662B8
; 

loc_966210:				; CODE XREF: PipMergeDependencyEdgeList(x,x,x)+E8j
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_PiListEntryToDependencyEdge@8 ; PiListEntryToDependencyEdge(x,x)
		mov	ecx, [ebp+var_C]
		mov	esi, eax
		mov	ebx, [ebx]
		mov	[ebp+var_8], ebx
		mov	eax, [ecx]
		mov	[ebp+var_4], eax
		cmp	eax, ecx
		jz	short loc_966271

loc_96622D:				; CODE XREF: PipMergeDependencyEdgeList(x,x,x)+9Aj
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		call	_PiListEntryToDependencyEdge@8 ; PiListEntryToDependencyEdge(x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_4]
		mov	[ebp+var_10], ecx
		mov	eax, [eax]
		mov	[ebp+var_4], eax
		test	edx, edx
		jnz	short loc_966258
		mov	edx, [ebp+var_10]
		mov	ecx, [esi+10h]
		cmp	ecx, [edx+10h]
		mov	ecx, edx
		setz	bl
		jmp	short loc_966265
; 

loc_966258:				; CODE XREF: PipMergeDependencyEdgeList(x,x,x)+74j
		mov	eax, [esi+14h]
		cmp	eax, [ecx+14h]
		jz	short loc_966281
		mov	eax, [ebp+var_4]
		xor	bl, bl

loc_966265:				; CODE XREF: PipMergeDependencyEdgeList(x,x,x)+84j
		test	bl, bl
		jnz	short loc_966283
		cmp	eax, [ebp+var_C]
		jnz	short loc_96622D
		mov	ebx, [ebp+var_8]

loc_966271:				; CODE XREF: PipMergeDependencyEdgeList(x,x,x)+59j
					; PipMergeDependencyEdgeList(x,x,x)+C1j
		cmp	[ebp+arg_0], 0
		jnz	short loc_966295
		mov	edx, [esi+10h]
		mov	ecx, edi
		mov	[esi+14h], edi
		jmp	short loc_96629D
; 

loc_966281:				; CODE XREF: PipMergeDependencyEdgeList(x,x,x)+8Cj
		mov	bl, 1

loc_966283:				; CODE XREF: PipMergeDependencyEdgeList(x,x,x)+95j
		mov	edx, esi
		call	_PipMergeDependencyEdges@8 ; PipMergeDependencyEdges(x,x)
		xor	esi, esi
		test	bl, bl
		mov	ebx, [ebp+var_8]
		jnz	short loc_9662B5
		jmp	short loc_966271
; 

loc_966295:				; CODE XREF: PipMergeDependencyEdgeList(x,x,x)+A3j
		mov	ecx, [esi+14h]
		mov	edx, edi
		mov	[esi+10h], edi

loc_96629D:				; CODE XREF: PipMergeDependencyEdgeList(x,x,x)+ADj
		call	_PipNotifyDependenciesChanged@8	; PipNotifyDependenciesChanged(x,x)
		mov	eax, [ebp+var_18]
		inc	dword ptr [edi+2Ch]
		sub	dword ptr [eax+2Ch], 1
		jnz	short loc_9662B5
		mov	ecx, eax
		call	_PipDeleteDependencyNode@4 ; PipDeleteDependencyNode(x)

loc_9662B5:				; CODE XREF: PipMergeDependencyEdgeList(x,x,x)+BFj
					; PipMergeDependencyEdgeList(x,x,x)+DAj
		mov	esi, [ebp+var_1C]

loc_9662B8:				; CODE XREF: PipMergeDependencyEdgeList(x,x,x)+39j
		cmp	ebx, esi
		jnz	loc_966210
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		call	_PipMoveListEntries@8 ;	PipMoveListEntries(x,x)
		mov	ecx, [ebp+var_14]
		pop	edi
		pop	esi
		pop	ebx
		test	ecx, ecx
		jz	short locret_9662D9
		call	PiPnpRtlEndOperation

locret_9662D9:				; CODE XREF: PipMergeDependencyEdgeList(x,x,x)+100j
		leave
		retn	4
_PipMergeDependencyEdgeList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipMergeDependencyEdges(x, x)
_PipMergeDependencyEdges@8 proc	near	; CODE XREF: PipMergeDependencyEdgeList(x,x,x)+B3p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	esi
		push	edi
		mov	[ebp+var_8], ebx
		lea	edi, [ebx+1Ch]
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_966312
		mov	ebx, ecx

loc_9662FA:				; CODE XREF: PipMergeDependencyEdges(x,x)+2Dj
		mov	edx, esi
		mov	ecx, ebx
		mov	esi, [esi]
		add	edx, 8
		call	_PipAddRequestToEdge@8 ; PipAddRequestToEdge(x,x)
		cmp	esi, edi
		jnz	short loc_9662FA
		mov	ebx, [ebp+var_8]
		mov	ecx, [ebp+var_4]

loc_966312:				; CODE XREF: PipMergeDependencyEdges(x,x)+19j
		mov	edx, ecx
		mov	ecx, ebx
		call	_PipFreeDependencyEdge@8 ; PipFreeDependencyEdge(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PipMergeDependencyEdges@8 endp


;  S U B	R O U T	I N E 


; __stdcall PipMergeDependencyNodes(x, x)
_PipMergeDependencyNodes@8 proc	near	; CODE XREF: IoResolveDependency+5EEB3p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		inc	dword ptr [edi+2Ch]
		lea	edx, [esi+1Ch]
		inc	dword ptr [esi+2Ch]
		lea	ecx, [edi+1Ch]
		mov	eax, [esi+30h]
		or	[edi+30h], eax
		call	_PipMoveListEntries@8 ;	PipMoveListEntries(x,x)
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	_PipMergeDependencyEdgeList@12 ; PipMergeDependencyEdgeList(x,x,x)
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	_PipMergeDependencyEdgeList@12 ; PipMergeDependencyEdgeList(x,x,x)
		sub	dword ptr [edi+2Ch], 1
		jnz	short loc_966362
		mov	ecx, edi
		call	_PipDeleteDependencyNode@4 ; PipDeleteDependencyNode(x)

loc_966362:				; CODE XREF: PipMergeDependencyNodes(x,x)+39j
		sub	dword ptr [esi+2Ch], 1
		pop	edi
		jnz	short loc_966371
		mov	ecx, esi
		pop	esi
		jmp	_PipDeleteDependencyNode@4 ; PipDeleteDependencyNode(x)
; 

loc_966371:				; CODE XREF: PipMergeDependencyNodes(x,x)+47j
		pop	esi
		retn
_PipMergeDependencyNodes@8 endp


;  S U B	R O U T	I N E 


; __stdcall PipNotifyDependenciesChanged(x, x)
_PipNotifyDependenciesChanged@8	proc near ; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+D3p
					; PipCreateNewDependencyEdge(x,x,x)+18Ap ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	short loc_96639E
		mov	eax, [edx+18h]
		test	eax, eax
		jz	short loc_96639E
		mov	eax, [eax+0B0h]
		mov	edx, [eax+14h]
		test	edx, edx
		jz	short loc_96639E
		mov	edx, [edx+18h]
		test	edx, edx
		jz	short loc_96639E
		push	19h
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent

loc_96639E:				; CODE XREF: PipNotifyDependenciesChanged(x,x)+7j
					; PipNotifyDependenciesChanged(x,x)+Ej	...
		test	esi, esi
		jz	short loc_9663C4
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_9663C4
		mov	eax, [eax+0B0h]
		mov	edx, [eax+14h]
		test	edx, edx
		jz	short loc_9663C4
		mov	edx, [edx+18h]
		test	edx, edx
		jz	short loc_9663C4
		push	18h
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent

loc_9663C4:				; CODE XREF: PipNotifyDependenciesChanged(x,x)+2Dj
					; PipNotifyDependenciesChanged(x,x)+34j ...
		pop	esi
		retn
_PipNotifyDependenciesChanged@8	endp


;  S U B	R O U T	I N E 


; __stdcall PipReferenceDependencyNode(x)
_PipReferenceDependencyNode@4 proc near	; CODE XREF: PipCreateNewDependencyEdge(x,x,x)+5Fp
					; PipCreateNewDependencyEdge(x,x,x)+66p
		inc	dword ptr [ecx+2Ch]
		retn
_PipReferenceDependencyNode@4 endp


;  S U B	R O U T	I N E 


; __stdcall PipSetDependency(x,	x)
_PipSetDependency@8 proc near		; CODE XREF: IoReserveDependency(x,x,x)+58p
					; IoSetDependency(x,x,x)+59p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		call	PipQueryBindingResolution
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9663F2
		mov	ecx, esi
		call	PipCreateDependencyNode
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9663F5
		mov	ebx, 0C000009Ah
		jmp	short loc_966443
; 

loc_9663F2:				; CODE XREF: PipSetDependency(x,x)+12j
		inc	dword ptr [edi+2Ch]

loc_9663F5:				; CODE XREF: PipSetDependency(x,x)+1Fj
		mov	ecx, ebx
		call	PipQueryBindingResolution
		mov	esi, eax
		test	esi, esi
		jnz	short loc_966416
		mov	ecx, ebx
		call	PipCreateDependencyNode
		mov	esi, eax
		test	esi, esi
		jnz	short loc_966419
		mov	ebx, 0C000009Ah
		jmp	short loc_966425
; 

loc_966416:				; CODE XREF: PipSetDependency(x,x)+36j
		inc	dword ptr [esi+2Ch]

loc_966419:				; CODE XREF: PipSetDependency(x,x)+43j
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_PipAddDependencyEdgeBetweenNodes@12 ; PipAddDependencyEdgeBetweenNodes(x,x,x)
		mov	ebx, eax

loc_966425:				; CODE XREF: PipSetDependency(x,x)+4Aj
		sub	dword ptr [edi+2Ch], 1
		jnz	short loc_966432
		mov	ecx, edi
		call	_PipDeleteDependencyNode@4 ; PipDeleteDependencyNode(x)

loc_966432:				; CODE XREF: PipSetDependency(x,x)+5Fj
		test	esi, esi
		jz	short loc_966443
		sub	dword ptr [esi+2Ch], 1
		jnz	short loc_966443
		mov	ecx, esi
		call	_PipDeleteDependencyNode@4 ; PipDeleteDependencyNode(x)

loc_966443:				; CODE XREF: PipSetDependency(x,x)+26j
					; PipSetDependency(x,x)+6Aj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
_PipSetDependency@8 endp


;  S U B	R O U T	I N E 


; __stdcall PipUnlinkDeviceObjectAndDependencyNode(x, x)
_PipUnlinkDeviceObjectAndDependencyNode@8 proc near ; CODE XREF: IoResolveDependency+5EED2p
		mov	eax, [ecx+0B0h]
		and	dword ptr [eax+2Ch], 0
		and	dword ptr [edx+18h], 0
		sub	dword ptr [edx+2Ch], 1
		jnz	short locret_966464
		mov	ecx, edx
		jmp	_PipDeleteDependencyNode@4 ; PipDeleteDependencyNode(x)
; 

locret_966464:				; CODE XREF: PipUnlinkDeviceObjectAndDependencyNode(x,x)+12j
		retn
_PipUnlinkDeviceObjectAndDependencyNode@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpGetDeviceDependencyList(x, x, x,	x, x)
_PnpGetDeviceDependencyList@20 proc near ; CODE	XREF: PiControlGetPropertyData+14A757p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, [ebp+arg_0]
		and	[ebp+var_C], 0
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		mov	[ebp+var_4], eax
		xor	ebx, ebx
		mov	eax, [ecx+10h]
		xor	esi, esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	cl, cl
		mov	[ebp+var_20], edx
		mov	[ebp+var_8], edi
		mov	[ebp+var_14], eax
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	edx, [ebp+var_20]
		test	edx, edx
		jnz	short loc_9664AE
		mov	ecx, [ebp+var_14]
		call	_PiGetProviderList@4 ; PiGetProviderList(x)
		mov	ecx, eax
		mov	[ebp+var_1C], ecx
		jmp	short loc_9664C4
; 

loc_9664AE:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+38j
		cmp	edx, 1
		jnz	loc_96665F
		mov	ecx, [ebp+var_14]
		call	_PiGetDependentList@4 ;	PiGetDependentList(x)
		mov	ecx, eax
		mov	[ebp+var_1C], eax

loc_9664C4:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+47j
		mov	eax, [ecx]
		mov	[ebp+var_14], eax
		cmp	eax, ecx
		jz	loc_966646

loc_9664D1:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+1D7j
		mov	ecx, eax
		call	_PiListEntryToDependencyEdge@8 ; PiListEntryToDependencyEdge(x,x)
		mov	ecx, [ebp+var_14]
		mov	ecx, [ecx]
		mov	[ebp+var_14], ecx
		test	edx, edx
		jnz	short loc_9664E9
		mov	edx, [eax+10h]
		jmp	short loc_9664EC
; 

loc_9664E9:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+7Dj
		mov	edx, [eax+14h]

loc_9664EC:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+82j
		mov	ecx, [edx+18h]
		test	ecx, ecx
		jz	short loc_9664FE
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_966500
; 

loc_9664FE:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+8Cj
		xor	eax, eax

loc_966500:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+97j
		test	ecx, ecx
		jz	short loc_966571
		test	eax, eax
		jz	short loc_966571
		mov	eax, [eax+18h]
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	short loc_966571
		lea	ecx, [ebp+var_C]
		mov	edx, 0C8h
		push	ecx
		mov	ecx, eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_966664
		mov	ecx, [ebp+var_C]
		inc	ecx
		add	ebx, ecx
		mov	[ebp+var_C], ecx
		cmp	ecx, edi
		ja	loc_966633
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	800h
		push	eax
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		push	[ebp+var_18]
		call	RtlStringCchCopyExW
		mov	esi, eax
		test	esi, esi
		js	loc_966664
		mov	edi, [ebp+var_8]
		add	[ebp+var_4], 2
		dec	edi
		mov	[ebp+var_8], edi
		jmp	loc_966633
; 

loc_966571:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+9Dj
					; PnpGetDeviceDependencyList(x,x,x,x,x)+A1j ...
		lea	ecx, [edx+1Ch]
		mov	eax, [ecx]
		mov	[ebp+var_2C], ecx
		cmp	eax, ecx
		jz	loc_96662F

loc_966581:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+1A1j
		mov	ecx, eax
		xor	edx, edx
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		mov	[ebp+var_18], ecx
		lea	eax, [ecx+8]
		push	eax
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_24], eax
		call	PnpUnicodeStringToWstr
		mov	esi, eax
		test	esi, esi
		js	loc_966664
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_C]
		push	eax
		mov	edx, 7FFFh
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_966621
		mov	eax, [ebp+var_C]
		inc	eax
		add	ebx, eax
		mov	[ebp+var_C], eax
		cmp	eax, edi
		ja	short loc_9665F5
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	800h
		push	eax
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		push	[ebp+var_10]
		call	RtlStringCchCopyExW
		mov	esi, eax
		test	esi, esi
		js	short loc_96660E
		mov	edi, [ebp+var_8]
		add	[ebp+var_4], 2
		dec	edi
		mov	[ebp+var_8], edi

loc_9665F5:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+163j
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_10]
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		mov	eax, [ebp+var_28]
		cmp	eax, [ebp+var_2C]
		jnz	loc_966581
		jmp	short loc_96662F
; 

loc_96660E:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+183j
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_10]
		add	edx, 8
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		mov	edi, [ebp+var_8]
		jmp	short loc_96662F
; 

loc_966621:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+156j
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_10]
		add	edx, 8
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)

loc_96662F:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+116j
					; PnpGetDeviceDependencyList(x,x,x,x,x)+1A7j ...
		test	esi, esi
		js	short loc_966664

loc_966633:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+D2j
					; PnpGetDeviceDependencyList(x,x,x,x,x)+107j
		mov	eax, [ebp+var_14]
		mov	edx, [ebp+var_20]
		cmp	eax, [ebp+var_1C]
		jnz	loc_9664D1
		test	esi, esi
		js	short loc_966664

loc_966646:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+66j
		inc	ebx
		cmp	ebx, [ebp+arg_4]
		jbe	short loc_966653
		mov	esi, 0C0000023h
		jmp	short loc_966664
; 

loc_966653:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+1E5j
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	[eax+ebx*2-2], cx
		jmp	short loc_966664
; 

loc_96665F:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+4Cj
		mov	esi, 0C000000Dh

loc_966664:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+C1j
					; PnpGetDeviceDependencyList(x,x,x,x,x)+F6j ...
		mov	ecx, offset _PiDependencyRelationsLock
		call	ExReleaseResourceLite
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		test	esi, esi
		jns	short loc_966681
		cmp	esi, 0C0000023h
		jnz	short loc_96668A

loc_966681:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+212j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_96668A
		mov	[eax], ebx

loc_96668A:				; CODE XREF: PnpGetDeviceDependencyList(x,x,x,x,x)+21Aj
					; PnpGetDeviceDependencyList(x,x,x,x,x)+221j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PnpGetDeviceDependencyList@20 endp


;  S U B	R O U T	I N E 


; __stdcall PnpSurpriseRemovedDeviceNodeDependencyCheck(x)
_PnpSurpriseRemovedDeviceNodeDependencyCheck@4 proc near
					; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+1D3p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		test	byte ptr [edi+10Ch], 10h
		jnz	short loc_9666E1
		mov	cl, 1
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	eax, [edi+10h]
		test	eax, eax
		jz	short loc_9666BE
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+2Ch]
		jmp	short loc_9666C0
; 

loc_9666BE:				; CODE XREF: PnpSurpriseRemovedDeviceNodeDependencyCheck(x)+1Ej
		mov	ecx, esi

loc_9666C0:				; CODE XREF: PnpSurpriseRemovedDeviceNodeDependencyCheck(x)+29j
		test	ecx, ecx
		jz	short loc_9666CB
		call	_PipConvertResolutionsToReservations@4 ; PipConvertResolutionsToReservations(x)
		mov	esi, eax

loc_9666CB:				; CODE XREF: PnpSurpriseRemovedDeviceNodeDependencyCheck(x)+2Fj
		mov	ecx, offset _PiDependencyRelationsLock
		call	ExReleaseResourceLite
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		call	_PipProcessRebuildPowerRelationsQueue@0	; PipProcessRebuildPowerRelationsQueue()

loc_9666E1:				; CODE XREF: PnpSurpriseRemovedDeviceNodeDependencyCheck(x)+10j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		retn
_PnpSurpriseRemovedDeviceNodeDependencyCheck@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 854. IoGetDeviceInterfacePropertyData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetDeviceInterfacePropertyData(x,	x, x, x, x, x, x, x)
		public _IoGetDeviceInterfacePropertyData@32
_IoGetDeviceInterfacePropertyData@32 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_1C]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	_PnpGetDeviceInterfacePropertyData@32 ;	PnpGetDeviceInterfacePropertyData(x,x,x,x,x,x,x,x)
		pop	ebp
		retn	20h
_IoGetDeviceInterfacePropertyData@32 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 906. IoIsWdmVersionAvailable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoIsWdmVersionAvailable(x, x)
		public _IoIsWdmVersionAvailable@8
_IoIsWdmVersionAvailable@8 proc	near

arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [ebp+arg_0]
		cmp	al, 6
		jb	short loc_96672D
		jnz	short loc_966729
		cmp	[ebp+arg_4], 0
		jbe	short loc_96672D

loc_966729:				; CODE XREF: IoIsWdmVersionAvailable(x,x)+Cj
		xor	al, al
		jmp	short loc_96672F
; 

loc_96672D:				; CODE XREF: IoIsWdmVersionAvailable(x,x)+Aj
					; IoIsWdmVersionAvailable(x,x)+12j
		mov	al, 1

loc_96672F:				; CODE XREF: IoIsWdmVersionAvailable(x,x)+16j
		pop	ebp
		retn	8
_IoIsWdmVersionAvailable@8 endp


;  S U B	R O U T	I N E 


; __stdcall IoLockUnlockPnpDeviceTree(x)
_IoLockUnlockPnpDeviceTree@4 proc near	; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+B2p
		mov	edi, edi
		push	ecx
		test	cl, cl
		jz	short loc_966743
		xor	ecx, ecx
		call	PpDevNodeLockTree
		pop	ecx
		retn
; 

loc_966743:				; CODE XREF: IoLockUnlockPnpDeviceTree(x)+5j
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		pop	ecx
		retn
_IoLockUnlockPnpDeviceTree@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 956. IoReplacePartitionUnit

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoReplacePartitionUnit(x, x, x)
		public _IoReplacePartitionUnit@12
_IoReplacePartitionUnit@12 proc	near	; CODE XREF: NtReplacePartitionUnit(x,x,x)+69p
					; NtReplacePartitionUnit(x,x,x)+1DBp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[esp+38h+var_30], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+38h+var_2C], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	[esp+3Ch+var_28], eax
		lea	eax, [esp+3Ch+var_20]
		push	esi
		push	eax
		mov	[esp+44h+var_20], esi
		mov	[esp+44h+var_1C], esi
		mov	[esp+44h+var_18], esi
		mov	[esp+44h+var_14], esi
		mov	[esp+44h+var_10], esi
		mov	[esp+44h+var_C], esi
		mov	[esp+44h+var_8], esi
		mov	[esp+44h+var_4], esi
		mov	[esp+44h+var_24], 0C0000001h
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	eax, ds:_PsInitialSystemProcess
		lea	eax, [esp+38h+var_30]
		jnz	short loc_9667C8
		push	eax
		call	_PnpReplacePartitionUnit@4 ; PnpReplacePartitionUnit(x)
		jmp	short loc_9667F2
; 

loc_9667C8:				; CODE XREF: IoReplacePartitionUnit(x,x,x)+6Dj
		mov	[esp+38h+var_4], eax
		lea	eax, [esp+38h+var_10]
		push	1
		push	eax
		mov	[esp+40h+var_8], offset	_PnpReplacePartitionUnit@4 ; PnpReplacePartitionUnit(x)
		mov	[esp+40h+var_10], esi
		call	ExQueueWorkItem
		push	esi
		push	esi
		push	esi
		push	esi
		lea	eax, [esp+48h+var_20]
		push	eax
		call	KeWaitForSingleObject

loc_9667F2:				; CODE XREF: IoReplacePartitionUnit(x,x,x)+75j
		mov	eax, [esp+38h+var_24]
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_IoReplacePartitionUnit@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiGetDeviceRegistryProperty(x, x, x, x, x, x)
_PiGetDeviceRegistryProperty@24	proc near ; CODE XREF: IoGetDeviceProperty+14A334p

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_59		= byte ptr -59h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_80], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_74], eax
		mov	eax, large fs:124h
		push	esi
		mov	[ebp+var_68], ebx
		mov	esi, ecx
		mov	[ebp+var_78], ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_84], ebx
		dec	word ptr [eax+13Ch]
		push	edi
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_59], bl
		nop
		push	1
		mov	edi, offset _PnpRegistryDeviceResource
		push	edi
		call	ExAcquireResourceExclusiveLite
		push	20019h
		lea	edx, [ebp+var_68]
		mov	ecx, esi
		call	_PnpDeviceObjectToDeviceInstance@12 ; PnpDeviceObjectToDeviceInstance(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_966906
		push	offset ??_C@_1BA@EMGOOHIB@?$AAL?$AAo?$AAg?$AAC?$AAo?$AAn?$AAf@NNGAKEGL@	; "LogConf"
		lea	eax, [ebp+var_88]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_68]
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_A0]
		push	eax
		push	20019h
		lea	eax, [ebp+var_78]
		mov	[ebp+var_A0], 18h
		push	eax
		mov	[ebp+var_94], 240h
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9668FE
		push	[ebp+var_68]
		call	_ZwClose@4	; ZwClose(x)
		mov	ecx, [ebp+var_78]
		lea	eax, [ebp+var_70]
		push	eax
		push	140h
		mov	edx, offset ??_C@_1BG@MNAOJKEG@?$AAB?$AAo?$AAo?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@ ; "B"
		mov	[ebp+var_68], ecx
		call	IopGetRegistryValue
		mov	esi, eax

loc_9668FE:				; CODE XREF: PiGetDeviceRegistryProperty(x,x,x,x,x,x)+DCj
		push	[ebp+var_68]
		call	_ZwClose@4	; ZwClose(x)

loc_966906:				; CODE XREF: PiGetDeviceRegistryProperty(x,x,x,x,x,x)+77j
		mov	ecx, edi
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	esi, esi
		js	loc_966A48
		mov	edi, [ebp+var_70]
		mov	eax, [edi+8]
		mov	ebx, [edi+0Ch]
		add	eax, edi
		cmp	dword ptr [edi+4], 1
		mov	[ebp+var_7C], eax
		jnz	loc_9669DB
		lea	ecx, [ebp+var_6C]
		mov	edx, ebx
		push	ecx
		lea	ecx, [ebp+var_60]
		push	ecx
		mov	ecx, eax
		call	PnpFindAlternateStringData
		test	eax, eax
		jz	loc_9669DB
		mov	eax, [ebp+var_60]
		mov	ebx, [ebp+var_6C]
		push	offset ??_C@_15EFAGCOOD@?$AA?$DL?$AA?$CI@NNGAKEGL@ ; wchar_t *
		push	eax		; wchar_t *
		mov	[ebp+var_7C], eax
		call	_wcsstr
		pop	ecx
		pop	ecx
		mov	edx, eax
		mov	ecx, ebx
		mov	eax, [ebp+var_60]
		shr	ecx, 1
		test	edx, edx
		jz	short loc_9669E1
		cmp	word ptr [eax+ecx*2-4],	29h
		jnz	short loc_9669E1
		xor	edi, edi
		mov	[edx], di
		add	edx, 4
		push	50h		; size_t
		mov	[eax+ecx*2-4], di
		lea	eax, [ebp+var_58]
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_64], edx
		call	_memset
		mov	eax, [ebp+var_64]
		add	esp, 0Ch
		mov	[ebp+var_58], eax
		mov	[ebp+var_6C], 1
		push	2Ch		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		mov	edi, [ebp+var_70]
		jmp	short loc_9669CF
; 

loc_9669AF:				; CODE XREF: PiGetDeviceRegistryProperty(x,x,x,x,x,x)+1D6j
		xor	ecx, ecx
		mov	[eax], cx
		add	eax, 2
		mov	ecx, [ebp+var_6C]
		cmp	ecx, 13h
		jnb	short loc_9669D7
		mov	[ebp+ecx*4+var_58], eax
		inc	ecx
		push	2Ch		; wchar_t
		push	eax		; wchar_t *
		mov	[ebp+var_6C], ecx
		call	_wcschr

loc_9669CF:				; CODE XREF: PiGetDeviceRegistryProperty(x,x,x,x,x,x)+1B0j
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_9669AF
		jmp	short loc_9669DB
; 

loc_9669D7:				; CODE XREF: PiGetDeviceRegistryProperty(x,x,x,x,x,x)+1C0j
		mov	[ebp+var_59], 1

loc_9669DB:				; CODE XREF: PiGetDeviceRegistryProperty(x,x,x,x,x,x)+12Fj
					; PiGetDeviceRegistryProperty(x,x,x,x,x,x)+148j ...
		mov	edx, [ebp+var_64]
		mov	eax, [ebp+var_60]

loc_9669E1:				; CODE XREF: PiGetDeviceRegistryProperty(x,x,x,x,x,x)+16Fj
					; PiGetDeviceRegistryProperty(x,x,x,x,x,x)+177j
		mov	ecx, [ebp+var_74]
		mov	ecx, [ecx]
		cmp	ecx, ebx
		jb	short loc_966A36
		cmp	dword ptr [edi+4], 8
		jnz	short loc_966A2F
		test	edx, edx
		jz	short loc_966A1E
		cmp	[ebp+var_59], 0
		jz	short loc_966A01
		mov	esi, 0C00000CDh
		jmp	short loc_966A3B
; 

loc_966A01:				; CODE XREF: PiGetDeviceRegistryProperty(x,x,x,x,x,x)+1FBj
		xor	edx, edx
		push	edx
		push	[ebp+var_74]
		push	ecx
		push	[ebp+var_80]
		lea	ecx, [ebp+var_58]
		push	ecx
		push	1
		push	edx
		push	edx
		mov	ecx, eax
		call	_RtlFormatMessageEx@40 ; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_966A3B
; 

loc_966A1E:				; CODE XREF: PiGetDeviceRegistryProperty(x,x,x,x,x,x)+1F5j
		push	ebx		; size_t
		push	[ebp+var_7C]	; void *
		push	[ebp+var_80]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_966A3B
; 

loc_966A2F:				; CODE XREF: PiGetDeviceRegistryProperty(x,x,x,x,x,x)+1F1j
		mov	esi, 0C00000F0h
		jmp	short loc_966A3B
; 

loc_966A36:				; CODE XREF: PiGetDeviceRegistryProperty(x,x,x,x,x,x)+1EBj
		mov	esi, 0C0000023h

loc_966A3B:				; CODE XREF: PiGetDeviceRegistryProperty(x,x,x,x,x,x)+202j
					; PiGetDeviceRegistryProperty(x,x,x,x,x,x)+21Fj ...
		mov	eax, [ebp+var_74]
		push	0
		push	edi
		mov	[eax], ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_966A48:				; CODE XREF: PiGetDeviceRegistryProperty(x,x,x,x,x,x)+117j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PiGetDeviceRegistryProperty@24	endp

; 
		align 10h
; Exported entry 852. IoGetDeviceDirectory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetDeviceDirectory(x, x, x, x, x)
		public _IoGetDeviceDirectory@20
_IoGetDeviceDirectory@20 proc near

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		mov	[esp+60h+var_20], eax
		lea	edi, [esp+60h+var_14]
		xor	eax, eax
		mov	[esp+60h+var_3C], ebx
		stosd
		push	ebx
		mov	[esp+64h+var_38], ebx
		mov	[esp+64h+var_34], ebx
		stosd
		mov	[esp+64h+var_30], ebx
		mov	[esp+64h+var_2C], ebx
		mov	[esp+64h+var_44], ebx
		stosd
		mov	[esp+64h+var_40], ebx
		mov	[esp+64h+var_1C], ebx
		mov	[esp+64h+var_18], ebx
		stosd
		lea	eax, [esp+64h+var_3C]
		push	eax
		mov	[esp+68h+var_50], ebx
		mov	[esp+68h+var_48], ebx
		mov	[esp+68h+var_4C], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [esp+64h+var_34]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [esp+64h+var_44]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [esp+64h+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	esi, esi
		jz	loc_966D70
		cmp	[ebp+arg_8], ebx
		jnz	loc_966D70
		cmp	[ebp+arg_C], ebx
		jnz	loc_966D70
		cmp	[esp+60h+var_20], ebx
		jz	loc_966D70
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	[esp+60h+var_24], eax
		test	eax, eax
		jz	loc_966D70
		lea	edi, [eax+14h]
		cmp	[edi], bx
		jz	loc_966D70
		cmp	[eax+18h], ebx
		jz	loc_966D70
		cmp	[ebp+arg_4], ebx
		jnz	loc_966D70
		lea	eax, [esp+60h+var_3C]
		mov	edx, offset ??_C@_1EC@HELHKOLE@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@ ; void *
		push	eax		; int
		push	1		; int
		mov	ecx, offset ??_C@_1BI@LKGKDEHA@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAa?$AAt?$AAe@NNGAKEGL@ ; "D"
		call	PiGetStateRootPath
		mov	esi, eax
		test	esi, esi
		js	loc_966D75
		push	ebx
		lea	eax, [esp+64h+var_48]
		mov	ecx, 6F697050h
		push	eax
		lea	eax, [esp+68h+var_4C]
		push	eax
		lea	eax, [esp+6Ch+var_2C]
		push	eax
		mov	eax, [esp+70h+var_24]
		push	offset _DEVPKEY_Device_StateDirectoryId
		push	ebx
		push	ebx
		push	1
		push	dword ptr [eax+18h]
		push	4Eh
		pop	edx
		call	PnpGetObjectProperty
		mov	esi, eax
		mov	[esp+60h+var_28], 7Fh
		test	esi, esi
		js	loc_966C2E
		cmp	[esp+60h+var_2C], 12h
		jnz	short loc_966BEF
		cmp	[esp+60h+var_48], 2
		jb	short loc_966BEF
		mov	ecx, [esp+60h+var_4C]
		lea	edx, [ecx+2]

loc_966BB6:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+15Fj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_966BB6
		sub	ecx, edx
		mov	edx, ebx
		sar	ecx, 1
		jz	short loc_966BF4

loc_966BC9:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+18Bj
		mov	eax, [esp+60h+var_4C]
		movzx	eax, word ptr [eax+edx*2]
		cmp	ax, word ptr [esp+60h+var_28]
		ja	short loc_966C3A
		test	al, al
		js	short loc_966BE8
		movzx	eax, ds:byte_40B788[eax]
		and	eax, 1
		jz	short loc_966C3A

loc_966BE8:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+17Aj
		inc	edx
		cmp	edx, ecx
		jb	short loc_966BC9
		jmp	short loc_966BF4
; 

loc_966BEF:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+146j
					; IoGetDeviceDirectory(x,x,x,x,x)+14Dj
		mov	esi, 0C0000225h

loc_966BF4:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+167j
					; IoGetDeviceDirectory(x,x,x,x,x)+18Dj
		test	esi, esi
		js	short loc_966C2E
		push	[esp+60h+var_4C]
		lea	eax, [esp+64h+var_1C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_966D75
		lea	eax, [esp+60h+var_50]
		push	eax
		push	1
		push	offset ??_C@_19IEEMEPMH@?$AAD?$AAa?$AAt?$AAa@NNGAKEGL@ ; "Data"
		lea	edx, [esp+6Ch+var_1C]
		lea	ecx, [esp+6Ch+var_3C]
		call	_PiBuildAndOpenDeviceDirectoryPath@20 ;	PiBuildAndOpenDeviceDirectoryPath(x,x,x,x,x)
		jmp	loc_966D58
; 

loc_966C2E:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+13Bj
					; IoGetDeviceDirectory(x,x,x,x,x)+196j
		cmp	esi, 0C0000225h
		jnz	loc_966D75

loc_966C3A:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+176j
					; IoGetDeviceDirectory(x,x,x,x,x)+186j
		push	ecx
		mov	edx, edi
		lea	ecx, [esp+64h+var_44]
		call	_PnpConcatenateUnicodeStrings@12 ; PnpConcatenateUnicodeStrings(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_966D75
		mov	edx, [esp+60h+var_44]
		mov	ecx, ebx
		movzx	eax, dx
		test	eax, 0FFFFFFFEh
		jbe	short loc_966C9B

loc_966C60:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+232j
		mov	edi, [esp+60h+var_40]
		movzx	eax, word ptr [edi+ecx*2]
		cmp	ax, word ptr [esp+60h+var_28]
		ja	short loc_966C96
		test	al, al
		js	short loc_966C8A
		movzx	eax, ds:byte_40B788[eax]
		and	eax, 1
		jnz	short loc_966C8A
		push	23h
		pop	eax
		mov	[edi+ecx*2], ax
		mov	edx, [esp+60h+var_44]

loc_966C8A:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+211j
					; IoGetDeviceDirectory(x,x,x,x,x)+21Dj
		movzx	eax, dx
		inc	ecx
		shr	eax, 1
		cmp	ecx, eax
		jb	short loc_966C60
		jmp	short loc_966C9B
; 

loc_966C96:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+20Dj
		mov	esi, 0C000000Dh

loc_966C9B:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+1FEj
					; IoGetDeviceDirectory(x,x,x,x,x)+234j
		test	esi, esi
		js	loc_966D75
		mov	edi, [esp+60h+var_40]
		lea	eax, [esp+60h+var_50]
		push	eax
		push	ebx
		push	offset ??_C@_19IEEMEPMH@?$AAD?$AAa?$AAt?$AAa@NNGAKEGL@ ; "Data"
		lea	edx, [esp+6Ch+var_44]
		lea	ecx, [esp+6Ch+var_3C]
		call	_PiBuildAndOpenDeviceDirectoryPath@20 ;	PiBuildAndOpenDeviceDirectoryPath(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C000003Ah
		jnz	short loc_966D19
		lea	eax, [esp+60h+var_14]
		push	eax
		call	ExUuidCreate
		mov	esi, eax
		cmp	esi, 40020056h
		jz	short loc_966CE5
		test	esi, esi
		js	loc_966D6A

loc_966CE5:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+27Bj
		push	1
		lea	edx, [esp+64h+var_34]
		lea	ecx, [esp+64h+var_14]
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_966D6A
		mov	edi, [esp+60h+var_30]
		lea	eax, [esp+60h+var_50]
		push	eax
		push	1
		push	offset ??_C@_19IEEMEPMH@?$AAD?$AAa?$AAt?$AAa@NNGAKEGL@ ; "Data"
		lea	edx, [esp+6Ch+var_34]
		lea	ecx, [esp+6Ch+var_3C]
		call	_PiBuildAndOpenDeviceDirectoryPath@20 ;	PiBuildAndOpenDeviceDirectoryPath(x,x,x,x,x)
		mov	esi, eax

loc_966D19:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+267j
		test	esi, esi
		js	short loc_966D6A
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_966D22:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+2CBj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_966D22
		sub	ecx, edx
		sar	ecx, 1
		push	ebx
		lea	eax, ds:2[ecx*2]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		mov	eax, [esp+68h+var_24]
		push	edi
		push	12h
		push	offset _DEVPKEY_Device_StateDirectoryId
		mov	edx, [eax+18h]
		push	ebx
		push	ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_966D58:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+1C9j
		mov	esi, eax
		test	esi, esi
		js	short loc_966D6A
		mov	ecx, [esp+60h+var_20]
		mov	eax, [esp+60h+var_50]
		mov	[ecx], eax
		jmp	short loc_966D75
; 

loc_966D6A:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+27Fj
					; IoGetDeviceDirectory(x,x,x,x,x)+298j	...
		mov	ebx, [esp+60h+var_50]
		jmp	short loc_966D75
; 

loc_966D70:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+8Dj
					; IoGetDeviceDirectory(x,x,x,x,x)+96j ...
		mov	esi, 0C000000Dh

loc_966D75:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+FCj
					; IoGetDeviceDirectory(x,x,x,x,x)+1AAj	...
		lea	eax, [esp+60h+var_3C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esp+60h+var_34]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esp+60h+var_44]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [esp+60h+var_4C]
		test	eax, eax
		jz	short loc_966DA6
		push	6F697050h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_966DA6:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+339j
		test	ebx, ebx
		jz	short loc_966DB0
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_966DB0:				; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+348j
		mov	ecx, [esp+60h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
_IoGetDeviceDirectory@20 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 863. IoGetDriverDirectory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoGetDriverDirectory(x, x, x, x)
		public _IoGetDriverDirectory@16
_IoGetDriverDirectory@16 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		mov	[esp+0Ch+var_4], eax
		push	edi
		test	esi, esi
		jz	short loc_966E3C
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_966E3C
		cmp	[ecx+10h], eax
		jz	short loc_966E3C
		cmp	[ecx+0Ch], ax
		jz	short loc_966E3C
		cmp	[ebp+arg_8], eax
		jnz	short loc_966E3C
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jz	short loc_966E3C
		mov	ecx, [ebp+arg_4]
		sub	ecx, eax
		jz	short loc_966E23
		sub	ecx, 1
		jz	short loc_966E15
		mov	esi, 0C000000Dh
		jmp	short loc_966E4B
; 

loc_966E15:				; CODE XREF: IoGetDriverDirectory(x,x,x,x)+41j
		lea	eax, [esp+10h+var_4]
		mov	ecx, esi
		push	eax
		call	_PiGetDriverMutableStateDirectory@12 ; PiGetDriverMutableStateDirectory(x,x,x)
		jmp	short loc_966E2E
; 

loc_966E23:				; CODE XREF: IoGetDriverDirectory(x,x,x,x)+3Cj
		lea	edx, [esp+10h+var_4]
		mov	ecx, esi
		call	_PiGetDriverImageDirectory@8 ; PiGetDriverImageDirectory(x,x)

loc_966E2E:				; CODE XREF: IoGetDriverDirectory(x,x,x,x)+56j
		mov	esi, eax
		mov	eax, [esp+10h+var_4]
		test	esi, esi
		js	short loc_966E41
		mov	[edi], eax
		jmp	short loc_966E4B
; 

loc_966E3C:				; CODE XREF: IoGetDriverDirectory(x,x,x,x)+17j
					; IoGetDriverDirectory(x,x,x,x)+1Ej ...
		mov	esi, 0C000000Dh

loc_966E41:				; CODE XREF: IoGetDriverDirectory(x,x,x,x)+6Bj
		test	eax, eax
		jz	short loc_966E4B
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_966E4B:				; CODE XREF: IoGetDriverDirectory(x,x,x,x)+48j
					; IoGetDriverDirectory(x,x,x,x)+6Fj ...
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
_IoGetDriverDirectory@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiBuildAndOpenDeviceDirectoryPath(x, x, x, x, x)
_PiBuildAndOpenDeviceDirectoryPath@20 proc near
					; CODE XREF: IoGetDeviceDirectory(x,x,x,x,x)+1C4p
					; IoGetDeviceDirectory(x,x,x,x,x)+25Ap	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	esi, esi
		lea	eax, [ebp+var_10]
		push	edi
		push	esi
		mov	edi, edx
		mov	[ebp+var_10], esi
		push	eax
		mov	[ebp+var_8], edi
		mov	ebx, ecx
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+arg_0]
		lea	edx, [ecx+2]

loc_966E82:				; CODE XREF: PiBuildAndOpenDeviceDirectoryPath(x,x,x,x,x)+36j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_966E82
		movzx	eax, word ptr [edi]
		sub	ecx, edx
		movzx	edx, word ptr [ebx]
		add	edx, 14h
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, eax
		cmp	edx, 0FFFEh
		jbe	short loc_966EAE
		mov	edi, 80000005h
		jmp	short loc_966F09
; 

loc_966EAE:				; CODE XREF: PiBuildAndOpenDeviceDirectoryPath(x,x,x,x,x)+50j
		lea	ecx, [ebp+var_10]
		call	IopAllocateUnicodeString
		mov	edi, eax
		test	edi, edi
		js	short loc_966F09
		push	[ebp+arg_0]
		lea	eax, [ebp+var_10]
		push	[ebp+var_8]
		push	offset ??_C@_1BA@HICHNCPO@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@NNGAKEGL@	; "Devices"
		push	ebx		; char
		push	offset ??_C@_1CA@DADMMGPH@?$AA?$CF?$AAw?$AAZ?$AA?2?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAZ?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; int
		push	800h		; void *
		push	esi		; int
		push	eax		; int
		call	_RtlUnicodeStringPrintfEx
		mov	edi, eax
		add	esp, 20h
		test	edi, edi
		js	short loc_966F09
		lea	eax, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		push	[ebp+arg_4]
		lea	edx, [ebp+var_10]
		call	_PiOpenDirectoryWithRoot@16 ; PiOpenDirectoryWithRoot(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_966F06
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx
		jmp	short loc_966F09
; 

loc_966F06:				; CODE XREF: PiBuildAndOpenDeviceDirectoryPath(x,x,x,x,x)+A5j
		mov	esi, [ebp+var_4]

loc_966F09:				; CODE XREF: PiBuildAndOpenDeviceDirectoryPath(x,x,x,x,x)+57j
					; PiBuildAndOpenDeviceDirectoryPath(x,x,x,x,x)+65j ...
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	esi, esi
		jz	short loc_966F1C
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_966F1C:				; CODE XREF: PiBuildAndOpenDeviceDirectoryPath(x,x,x,x,x)+BFj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PiBuildAndOpenDeviceDirectoryPath@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCreateDirectoryPath(x, x,	x)
_PiCreateDirectoryPath@12 proc near	; CODE XREF: PiOpenDirectoryWithRoot(x,x,x,x)+C1p
					; PiOpenDirectoryWithRoot(x,x,x,x)+D5p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, ecx
		lea	edi, [ebp+var_3C]
		pop	ecx
		mov	esi, edx
		xor	eax, eax
		xor	edx, edx
		mov	[ebp+var_14], esi
		rep stosd
		push	edx
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_24], edx
		push	eax
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_8], edx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	ebx, ebx
		jz	loc_96713C
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_96713C
		cmp	word ptr [ebx],	4
		jb	loc_96713C
		mov	eax, [ebx+4]
		push	5Ch
		pop	ecx
		mov	[ebp+var_C], ecx
		cmp	[eax], cx
		jnz	loc_96713C
		cmp	[eax+2], cx
		jz	loc_96713C
		xor	eax, eax
		mov	[ebp+var_3C], 18h
		push	eax
		push	eax
		push	21h
		push	3
		push	3
		push	80h
		push	eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_30], 240h
		push	eax
		push	100001h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_34], ebx
		push	eax
		mov	[ebp+var_2C], esi
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_966FE9
		mov	ecx, [ebp+var_8]
		and	[ebp+var_8], 0
		mov	[edi], ecx
		jmp	loc_967141
; 

loc_966FE9:				; CODE XREF: PiCreateDirectoryPath(x,x,x)+B4j
		cmp	esi, 0C000003Ah
		jnz	loc_967141
		push	ecx
		mov	edx, ebx
		lea	ecx, [ebp+var_1C]
		call	_PnpConcatenateUnicodeStrings@12 ; PnpConcatenateUnicodeStrings(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_967141
		movzx	eax, word ptr [ebp+var_1C]
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_10], eax
		shr	ax, 1
		movzx	eax, ax
		lea	ebx, [ecx+4]
		mov	[ebp+arg_0], eax
		mov	edx, eax
		jmp	loc_9670CC
; 

loc_967027:				; CODE XREF: PiCreateDirectoryPath(x,x,x)+1B0j
		movzx	eax, word ptr [ebx]
		test	ax, ax
		jz	loc_9670DB
		cmp	ax, word ptr [ebp+var_C]
		jnz	loc_9670C9
		xor	eax, eax
		xor	ecx, ecx
		mov	[ebx], ax
		mov	eax, ebx
		sub	eax, [ebp+var_18]
		push	ecx
		push	ecx
		push	21h
		push	3
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_3C], 18h
		push	3
		mov	word ptr [ebp+var_1C], ax
		lea	eax, [ebp+var_1C]
		push	80h
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_24]
		push	ecx
		push	eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_38], ecx
		push	eax
		push	100001h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_30], 240h
		push	eax
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ecx
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		push	5Ch
		pop	eax
		mov	[ebx], ax
		cmp	esi, 0C0000024h
		jz	short loc_9670B1
		cmp	esi, 0C000000Dh
		jz	short loc_9670B1
		test	esi, esi
		js	loc_967141

loc_9670B1:				; CODE XREF: PiCreateDirectoryPath(x,x,x)+17Aj
					; PiCreateDirectoryPath(x,x,x)+182j
		cmp	[ebp+var_8], 0
		jz	short loc_9670C3
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_8], 0

loc_9670C3:				; CODE XREF: PiCreateDirectoryPath(x,x,x)+190j
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_18]

loc_9670C9:				; CODE XREF: PiCreateDirectoryPath(x,x,x)+112j
		add	ebx, 2

loc_9670CC:				; CODE XREF: PiCreateDirectoryPath(x,x,x)+FDj
		mov	eax, ebx
		sub	eax, ecx
		sar	eax, 1
		cmp	ax, dx
		jb	loc_967027

loc_9670DB:				; CODE XREF: PiCreateDirectoryPath(x,x,x)+108j
		test	esi, esi
		js	short loc_967141
		mov	eax, [ebp+var_10]
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	21h
		push	3
		mov	word ptr [ebp+var_1C], ax
		lea	eax, [ebp+var_1C]
		push	3
		mov	[ebp+var_34], eax
		mov	eax, [ebp+var_14]
		push	80h
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_24]
		push	ebx
		push	eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_3C], 18h
		push	eax
		push	100001h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_38], ebx
		push	eax
		mov	[ebp+var_30], 240h
		mov	[ebp+var_28], ebx
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_967141
		mov	eax, [ebp+var_8]
		mov	[edi], eax
		mov	[ebp+var_8], ebx
		jmp	short loc_967141
; 

loc_96713C:				; CODE XREF: PiCreateDirectoryPath(x,x,x)+39j
					; PiCreateDirectoryPath(x,x,x)+44j ...
		mov	esi, 0C000000Dh

loc_967141:				; CODE XREF: PiCreateDirectoryPath(x,x,x)+BFj
					; PiCreateDirectoryPath(x,x,x)+CAj ...
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_8], 0
		jz	short loc_967158
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_967158:				; CODE XREF: PiCreateDirectoryPath(x,x,x)+229j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiCreateDirectoryPath@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCreateRegistryPath(x, x, x, x)
_PiCreateRegistryPath@16 proc near	; CODE XREF: PiCreateDriverRedirectedStateKey+8C77Ap

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, ecx
		lea	edi, [ebp+var_28]
		pop	ecx
		xor	eax, eax
		xor	esi, esi
		rep stosd
		push	esi
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], esi
		push	eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	ebx, ebx
		jz	loc_96732A
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_96732A
		push	4
		pop	eax
		cmp	[ebx], ax
		jb	loc_96732A
		push	1
		push	ebx
		push	offset _CmRegistryMachineName
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_96732A
		mov	eax, [ebp+arg_0]
		push	esi
		push	esi
		push	esi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_28]
		push	esi
		push	eax
		push	4
		lea	eax, [ebp+var_4]
		mov	[ebp+var_28], 18h
		push	eax
		mov	[ebp+var_24], esi
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_20], ebx
		mov	[ebp+var_14], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_967205
		mov	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		mov	[edi], ecx
		jmp	loc_96732F
; 

loc_967205:				; CODE XREF: PiCreateRegistryPath(x,x,x,x)+94j
		cmp	esi, 0C0000034h
		jnz	loc_96732F
		push	ecx
		mov	edx, ebx
		lea	ecx, [ebp+var_10]
		call	_PnpConcatenateUnicodeStrings@12 ; PnpConcatenateUnicodeStrings(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_96732F
		movzx	eax, ds:_CmRegistryMachineName
		mov	ecx, [ebp+var_C]
		shr	eax, 1
		inc	eax
		lea	edi, [ecx+eax*2]
		movzx	eax, word ptr [ebp+var_10]
		mov	[ebp+var_8], eax
		shr	ax, 1
		movzx	ebx, ax
		mov	eax, edi
		sub	eax, ecx
		sar	eax, 1
		cmp	ax, bx
		jnb	loc_9672DB
		push	5Ch
		pop	edx

loc_967255:				; CODE XREF: PiCreateRegistryPath(x,x,x,x)+174j
		movzx	eax, word ptr [edi]
		test	ax, ax
		jz	short loc_9672DB
		cmp	ax, dx
		jnz	short loc_9672C9
		xor	eax, eax
		xor	ecx, ecx
		mov	[edi], ax
		mov	eax, edi
		sub	eax, [ebp+var_C]
		push	ecx
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_28], 18h
		push	ecx
		mov	word ptr [ebp+var_10], ax
		lea	eax, [ebp+var_10]
		push	ecx
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	ecx
		push	eax
		push	4
		lea	eax, [ebp+var_4]
		mov	[ebp+var_24], ecx
		push	eax
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	5Ch
		mov	esi, eax
		pop	edx
		mov	[edi], dx
		test	esi, esi
		js	short loc_96732F
		cmp	[ebp+var_4], 0
		jz	short loc_9672C6
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_4], 0
		push	5Ch
		pop	edx

loc_9672C6:				; CODE XREF: PiCreateRegistryPath(x,x,x,x)+154j
		mov	ecx, [ebp+var_C]

loc_9672C9:				; CODE XREF: PiCreateRegistryPath(x,x,x,x)+FFj
		add	edi, 2
		mov	eax, edi
		sub	eax, ecx
		sar	eax, 1
		cmp	ax, bx
		jb	loc_967255

loc_9672DB:				; CODE XREF: PiCreateRegistryPath(x,x,x,x)+EBj
					; PiCreateRegistryPath(x,x,x,x)+FAj
		mov	eax, [ebp+var_8]
		xor	ebx, ebx
		push	ebx
		mov	word ptr [ebp+var_10], ax
		lea	eax, [ebp+var_10]
		push	ebx
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_28]
		push	ebx
		push	eax
		push	4
		lea	eax, [ebp+var_4]
		mov	[ebp+var_28], 18h
		push	eax
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_14], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96732F
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_4]
		mov	[ebp+var_4], ebx
		mov	[ecx], eax
		jmp	short loc_96732F
; 

loc_96732A:				; CODE XREF: PiCreateRegistryPath(x,x,x,x)+2Ej
					; PiCreateRegistryPath(x,x,x,x)+39j ...
		mov	esi, 0C000000Dh

loc_96732F:				; CODE XREF: PiCreateRegistryPath(x,x,x,x)+9Fj
					; PiCreateRegistryPath(x,x,x,x)+AAj ...
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_4], 0
		jz	short loc_967346
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_967346:				; CODE XREF: PiCreateRegistryPath(x,x,x,x)+1DBj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiCreateRegistryPath@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiGetDriverImageDirectory(x, x)
_PiGetDriverImageDirectory@8 proc near	; CODE XREF: IoGetDriverDirectory(x,x,x,x)+5Ep

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [ebp+var_2C]
		pop	ecx
		xor	eax, eax
		mov	ebx, edx
		xor	edx, edx
		rep stosd
		push	edx
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], edx
		push	eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_4], edx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	_IoQueryFullDriverPath@8 ; IoQueryFullDriverPath(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_96742A
		mov	ax, word ptr [ebp+var_C]
		push	2
		pop	edi
		cmp	ax, di
		jb	short loc_9673DC
		mov	edx, [ebp+var_8]

loc_9673A6:				; CODE XREF: PiGetDriverImageDirectory(x,x)+7Aj
		mov	eax, [ebp+var_C]
		add	eax, 0FFFFFFFEh
		movzx	ecx, ax
		shr	ecx, 1
		mov	word ptr [ebp+var_C], ax
		movzx	esi, ax
		cmp	word ptr [edx+ecx*2], 5Ch
		jz	short loc_9673CD
		cmp	word ptr [edx+ecx*2], 2Fh
		jz	short loc_9673CD
		cmp	si, di
		jnb	short loc_9673A6
		jmp	short loc_9673D7
; 

loc_9673CD:				; CODE XREF: PiGetDriverImageDirectory(x,x)+6Ej
					; PiGetDriverImageDirectory(x,x)+75j
		xor	eax, eax
		mov	[edx+ecx*2], ax
		mov	ax, word ptr [ebp+var_C]

loc_9673D7:				; CODE XREF: PiGetDriverImageDirectory(x,x)+7Cj
		cmp	ax, di
		ja	short loc_9673E3

loc_9673DC:				; CODE XREF: PiGetDriverImageDirectory(x,x)+52j
		mov	esi, 0C000000Dh
		jmp	short loc_96742A
; 

loc_9673E3:				; CODE XREF: PiGetDriverImageDirectory(x,x)+8Bj
		push	21h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_24], eax
		xor	edi, edi
		push	3
		lea	eax, [ebp+var_14]
		mov	[ebp+var_28], edi
		push	eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], 240h
		push	eax
		push	100001h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_1C], edi
		push	eax
		mov	[ebp+var_18], edi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96742A
		mov	eax, [ebp+var_4]
		mov	[ebx], eax
		mov	[ebp+var_4], edi

loc_96742A:				; CODE XREF: PiGetDriverImageDirectory(x,x)+42j
					; PiGetDriverImageDirectory(x,x)+92j ...
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_4], 0
		jz	short loc_967441
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_967441:				; CODE XREF: PiGetDriverImageDirectory(x,x)+E8j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiGetDriverImageDirectory@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiGetDriverMutableStateDirectory(x,	x, x)
_PiGetDriverMutableStateDirectory@12 proc near
					; CODE XREF: IoGetDriverDirectory(x,x,x,x)+51p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		xor	esi, esi
		lea	eax, [ebp+var_C]
		push	edi
		push	esi
		push	eax
		mov	ebx, ecx
		mov	dword ptr [ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_4], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		mov	edx, offset ??_C@_1DC@JDNMDENN@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAe?$AAr@NNGAKEGL@ ; "\\SystemRoot\\ServiceState"
		push	eax		; int
		push	1		; int
		mov	ecx, offset ??_C@_1CM@EJFOHJD@?$AAW?$AAi?$AAn?$AA3?$AA2?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe?$AAS?$AAt?$AAa@NNGAKEGL@ ; int
		call	PiGetStateRootPath
		mov	edi, eax
		test	edi, edi
		js	loc_967531
		mov	ecx, offset ??_C@_19IEEMEPMH@?$AAD?$AAa?$AAt?$AAa@NNGAKEGL@ ; "Data"
		lea	edx, [ecx+2]

loc_9674A1:				; CODE XREF: PiGetDriverMutableStateDirectory(x,x,x)+62j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_9674A1
		mov	eax, [ebx+18h]
		sub	ecx, edx
		sar	ecx, 1
		movzx	edx, word ptr [eax+0Ch]
		movzx	eax, word ptr [ebp+var_C]
		add	edx, 4
		lea	edx, [edx+ecx*2]
		add	edx, eax
		cmp	edx, 0FFFEh
		jbe	short loc_9674D2
		mov	edi, 80000005h
		jmp	short loc_967531
; 

loc_9674D2:				; CODE XREF: PiGetDriverMutableStateDirectory(x,x,x)+81j
		lea	ecx, [ebp+var_14]
		call	IopAllocateUnicodeString
		mov	edi, eax
		test	edi, edi
		js	short loc_967531
		mov	eax, [ebx+18h]
		push	offset ??_C@_19IEEMEPMH@?$AAD?$AAa?$AAt?$AAa@NNGAKEGL@ ; "Data"
		add	eax, 0Ch
		push	eax
		lea	eax, [ebp+var_C]
		push	eax		; char
		push	offset ??_C@_1BI@IHFDDONL@?$AA?$CF?$AAw?$AAZ?$AA?2?$AA?$CF?$AAw?$AAZ?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; int
		push	800h		; void *
		lea	eax, [ebp+var_14]
		push	esi		; int
		push	eax		; int
		call	_RtlUnicodeStringPrintfEx
		mov	edi, eax
		add	esp, 1Ch
		test	edi, edi
		js	short loc_967531
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		lea	edx, [ebp+var_14]
		lea	ecx, [ebp+var_C]
		call	_PiOpenDirectoryWithRoot@16 ; PiOpenDirectoryWithRoot(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_96752E
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx
		jmp	short loc_967531
; 

loc_96752E:				; CODE XREF: PiGetDriverMutableStateDirectory(x,x,x)+DAj
		mov	esi, [ebp+var_4]

loc_967531:				; CODE XREF: PiGetDriverMutableStateDirectory(x,x,x)+4Bj
					; PiGetDriverMutableStateDirectory(x,x,x)+88j ...
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	esi, esi
		jz	short loc_96754D
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_96754D:				; CODE XREF: PiGetDriverMutableStateDirectory(x,x,x)+FDj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiGetDriverMutableStateDirectory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiOpenDirectoryWithRoot(x, x, x, x)
_PiOpenDirectoryWithRoot@16 proc near	; CODE XREF: PiBuildAndOpenDeviceDirectoryPath(x,x,x,x,x)+9Cp
					; PiGetDriverMutableStateDirectory(x,x,x)+D1p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		lea	edi, [ebp+var_34]
		mov	edx, ecx
		mov	[ebp+var_14], esi
		xor	ebx, ebx
		mov	[ebp+var_10], edx
		push	6
		xor	eax, eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		pop	ecx
		rep stosd
		mov	edi, ebx
		mov	[ebp+var_C], edi
		test	edx, edx
		jz	loc_967652
		test	esi, esi
		jz	loc_967652
		cmp	[ebp+arg_4], eax
		jz	loc_967652
		push	1
		push	esi
		push	edx
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_9675B8
		mov	esi, 0C000000Dh
		jmp	loc_96767B
; 

loc_9675B8:				; CODE XREF: PiOpenDirectoryWithRoot(x,x,x,x)+56j
		xor	eax, eax
		mov	[ebp+var_34], 18h
		push	21h
		mov	[ebp+var_30], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_1C]
		push	3
		push	eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_28], 240h
		push	eax
		push	100001h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_2C], esi
		push	eax
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C000003Ah
		jnz	short loc_967640
		cmp	[ebp+arg_0], bl
		jz	short loc_967661
		lea	ecx, [ebp+var_C]
		call	_PiAuGetStateDirectorySecurityObject@4 ; PiAuGetStateDirectorySecurityObject(x)
		mov	edi, [ebp+var_C]
		mov	esi, eax
		test	esi, esi
		js	short loc_967661
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_8]
		push	eax
		mov	edx, edi
		call	_PiCreateDirectoryPath@12 ; PiCreateDirectoryPath(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96763B
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, edi
		call	_PiCreateDirectoryPath@12 ; PiCreateDirectoryPath(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96763B
		mov	ebx, [ebp+var_8]
		jmp	short loc_967644
; 

loc_96763B:				; CODE XREF: PiOpenDirectoryWithRoot(x,x,x,x)+CAj
					; PiOpenDirectoryWithRoot(x,x,x,x)+DEj
		mov	ebx, [ebp+var_8]
		jmp	short loc_967657
; 

loc_967640:				; CODE XREF: PiOpenDirectoryWithRoot(x,x,x,x)+A0j
		test	esi, esi
		js	short loc_967661

loc_967644:				; CODE XREF: PiOpenDirectoryWithRoot(x,x,x,x)+E3j
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		mov	[ecx], eax
		jmp	short loc_967657
; 

loc_967652:				; CODE XREF: PiOpenDirectoryWithRoot(x,x,x,x)+34j
					; PiOpenDirectoryWithRoot(x,x,x,x)+3Cj	...
		mov	esi, 0C000000Dh

loc_967657:				; CODE XREF: PiOpenDirectoryWithRoot(x,x,x,x)+E8j
					; PiOpenDirectoryWithRoot(x,x,x,x)+FAj
		test	ebx, ebx
		jz	short loc_967661
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_967661:				; CODE XREF: PiOpenDirectoryWithRoot(x,x,x,x)+A5j
					; PiOpenDirectoryWithRoot(x,x,x,x)+B6j	...
		cmp	[ebp+var_4], 0
		jz	short loc_96766F
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_96766F:				; CODE XREF: PiOpenDirectoryWithRoot(x,x,x,x)+10Fj
		test	edi, edi
		jz	short loc_96767B
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96767B:				; CODE XREF: PiOpenDirectoryWithRoot(x,x,x,x)+5Dj
					; PiOpenDirectoryWithRoot(x,x,x,x)+11Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiOpenDirectoryWithRoot@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiOpenDriverRedirectedStateKey(x, x, x)
_PiOpenDriverRedirectedStateKey@12 proc	near
					; CODE XREF: PipHardwareConfigActivateService(x)+31p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		push	6
		xor	esi, esi
		lea	edi, [ebp+var_30]
		mov	ebx, ecx
		mov	[ebp+var_18], esi
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_14], esi
		rep stosd
		push	esi
		lea	eax, [ebp+var_10]
		mov	dword ptr [ebp+var_10],	esi
		push	eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	ebx, ebx
		jz	loc_9677B6
		cmp	[ebx+4], esi
		jz	loc_9677B6
		push	2
		pop	eax
		cmp	[ebx], ax
		jb	loc_9677B6
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_9677B6
		lea	eax, [ebp+var_10]
		xor	edx, edx	; void *
		push	eax		; int
		push	esi		; int
		mov	ecx, offset ??_C@_1CA@MIBAJKAO@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAa?$AAt?$AAe?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@ ; "DriverStatePath"
		call	PiGetStateRootPath
		mov	esi, eax
		test	esi, esi
		js	loc_9677BB
		movzx	ecx, word ptr [ebx]
		lea	eax, [ebp+arg_0]
		movzx	edx, word ptr [ebp+var_10]
		add	ecx, 2
		push	eax
		mov	[ebp+arg_0], ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9677BB
		mov	edx, [ebp+arg_0]
		cmp	edx, 0FFFEh
		jbe	short loc_967738
		mov	esi, 80000005h
		jmp	loc_9677BB
; 

loc_967738:				; CODE XREF: PiOpenDriverRedirectedStateKey(x,x,x)+A8j
		lea	ecx, [ebp+var_18]
		call	IopAllocateUnicodeString
		mov	esi, eax
		test	esi, esi
		js	short loc_9677BB
		push	ebx
		lea	eax, [ebp+var_10]
		xor	ebx, ebx
		push	eax		; char
		push	offset ??_C@_1BA@IHOFGBGC@?$AA?$CF?$AAw?$AAZ?$AA?2?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ ; int
		push	800h		; void *
		lea	eax, [ebp+var_18]
		push	ebx		; int
		push	eax		; int
		call	_RtlUnicodeStringPrintfEx
		mov	esi, eax
		add	esp, 18h
		test	esi, esi
		js	short loc_9677BB
		lea	eax, [ebp+var_18]
		mov	[ebp+var_30], 18h
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	30006h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_2C], ebx
		push	eax
		mov	[ebp+var_24], 240h
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_9677A8
		mov	esi, 0C0000225h

loc_9677A8:				; CODE XREF: PiOpenDriverRedirectedStateKey(x,x,x)+11Dj
		test	esi, esi
		js	short loc_9677BB
		mov	eax, [ebp+var_8]
		mov	[edi], eax
		mov	[ebp+var_8], ebx
		jmp	short loc_9677BB
; 

loc_9677B6:				; CODE XREF: PiOpenDriverRedirectedStateKey(x,x,x)+3Ej
					; PiOpenDriverRedirectedStateKey(x,x,x)+47j ...
		mov	esi, 0C000000Dh

loc_9677BB:				; CODE XREF: PiOpenDriverRedirectedStateKey(x,x,x)+79j
					; PiOpenDriverRedirectedStateKey(x,x,x)+99j ...
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_8], 0
		jz	short loc_9677DB
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_9677DB:				; CODE XREF: PiOpenDriverRedirectedStateKey(x,x,x)+14Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiOpenDriverRedirectedStateKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiOpenDriverRedirectedStateRootKey(x, x)
_PiOpenDriverRedirectedStateRootKey@8 proc near
					; CODE XREF: PipHardwareConfigClearStartOverrides(x)+32p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_24]
		rep stosd
		xor	edi, edi
		lea	eax, [ebp+var_C]
		push	edi
		push	eax
		mov	ebx, edx
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	ebx, ebx
		jnz	short loc_96781B
		mov	esi, 0C000000Dh
		jmp	short loc_96787C
; 

loc_96781B:				; CODE XREF: PiOpenDriverRedirectedStateRootKey(x,x)+2Ej
		lea	eax, [ebp+var_C]
		xor	edx, edx	; void *
		push	eax		; int
		push	edi		; int
		mov	ecx, offset ??_C@_1CA@MIBAJKAO@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAa?$AAt?$AAe?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@ ; "DriverStatePath"
		call	PiGetStateRootPath
		mov	esi, eax
		test	esi, esi
		js	short loc_96787C
		lea	eax, [ebp+var_C]
		mov	[ebp+var_24], 18h
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_20], edi
		push	eax
		mov	[ebp+var_18], 240h
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_967870
		mov	esi, 0C0000225h

loc_967870:				; CODE XREF: PiOpenDriverRedirectedStateRootKey(x,x)+85j
		test	esi, esi
		js	short loc_96787C
		mov	eax, [ebp+var_4]
		mov	[ebx], eax
		mov	[ebp+var_4], edi

loc_96787C:				; CODE XREF: PiOpenDriverRedirectedStateRootKey(x,x)+35j
					; PiOpenDriverRedirectedStateRootKey(x,x)+4Cj ...
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_4], edi
		jz	short loc_967892
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_967892:				; CODE XREF: PiOpenDriverRedirectedStateRootKey(x,x)+A4j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiOpenDriverRedirectedStateRootKey@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDeleteDeviceInterfaces(x)
_PnpDeleteDeviceInterfaces@4 proc near	; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1935p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		mov	ebx, ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	eax, large fs:124h
		push	edi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_10], esi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		push	ebx
		xor	edx, edx
		lea	ecx, [ebp+var_C]
		call	PnpUnicodeStringToWstr
		mov	edi, eax
		test	edi, edi
		js	loc_96799B
		xor	eax, eax
		mov	[ebp+var_4], 1000h
		mov	edi, 0C0000023h
		mov	ebx, eax

loc_9678FB:				; CODE XREF: PnpDeleteDeviceInterfaces(x)+B4j
		cmp	ebx, 5
		jnb	short loc_967956
		xor	edi, edi
		test	esi, esi
		jz	short loc_96790D
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96790D:				; CODE XREF: PnpDeleteDeviceInterfaces(x)+6Bj
		mov	eax, [ebp+var_4]
		push	20207050h
		add	eax, eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		jz	short loc_967951
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_4]
		push	edi
		push	eax
		push	[ebp+var_4]
		xor	edx, edx
		push	esi
		push	edi
		push	edi
		push	edi
		push	[ebp+var_C]
		call	_CmGetMatchingFilteredDeviceInterfaceList
		mov	edi, eax
		inc	ebx
		cmp	edi, 0C0000023h
		jz	short loc_9678FB
		jmp	short loc_967956
; 

loc_967951:				; CODE XREF: PnpDeleteDeviceInterfaces(x)+8Dj
		mov	edi, 0C000009Ah

loc_967956:				; CODE XREF: PnpDeleteDeviceInterfaces(x)+65j
					; PnpDeleteDeviceInterfaces(x)+B6j
		test	edi, edi
		js	short loc_967998
		xor	eax, eax
		mov	ebx, esi
		cmp	[esi], ax
		jz	short loc_967998
		xor	esi, esi

loc_967965:				; CODE XREF: PnpDeleteDeviceInterfaces(x)+FAj
		push	ebx
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_967984
		mov	edx, [ebp+var_14]
		mov	ecx, _PiPnpRtlCtx
		push	esi
		call	__CmDeleteDeviceInterface@12 ; _CmDeleteDeviceInterface(x,x,x)

loc_967984:				; CODE XREF: PnpDeleteDeviceInterfaces(x)+DAj
		movzx	eax, word ptr [ebp+var_18]
		add	eax, 2
		shr	eax, 1
		lea	ebx, [ebx+eax*2]
		cmp	[ebx], si
		jnz	short loc_967965
		mov	esi, [ebp+var_10]

loc_967998:				; CODE XREF: PnpDeleteDeviceInterfaces(x)+BFj
					; PnpDeleteDeviceInterfaces(x)+C8j
		mov	ebx, [ebp+var_8]

loc_96799B:				; CODE XREF: PnpDeleteDeviceInterfaces(x)+4Cj
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		jz	short loc_9679BE
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9679BE:				; CODE XREF: PnpDeleteDeviceInterfaces(x)+11Aj
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnpDeleteDeviceInterfaces@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDisableDeviceInterfaces(x)
_PnpDisableDeviceInterfaces@4 proc near	; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+215p
					; PnpSurpriseRemoveLockedDeviceNode(x,x,x)+14Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		mov	ebx, ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	eax, large fs:124h
		push	edi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_10], esi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		push	ebx
		xor	edx, edx
		lea	ecx, [ebp+var_C]
		call	PnpUnicodeStringToWstr
		mov	edi, eax
		test	edi, edi
		js	loc_967ACD
		xor	eax, eax
		mov	[ebp+var_4], 1000h
		mov	edi, 0C0000023h
		mov	ebx, eax

loc_967A31:				; CODE XREF: PnpDisableDeviceInterfaces(x)+B5j
		cmp	ebx, 5
		jnb	short loc_967A8D
		xor	edi, edi
		test	esi, esi
		jz	short loc_967A43
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_967A43:				; CODE XREF: PnpDisableDeviceInterfaces(x)+6Bj
		mov	eax, [ebp+var_4]
		push	20207050h
		add	eax, eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		jz	short loc_967A88
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_4]
		push	edi
		push	eax
		push	[ebp+var_4]
		xor	edx, edx
		push	esi
		push	edi
		push	edi
		push	1
		push	[ebp+var_C]
		call	_CmGetMatchingFilteredDeviceInterfaceList
		mov	edi, eax
		inc	ebx
		cmp	edi, 0C0000023h
		jz	short loc_967A31
		jmp	short loc_967A8D
; 

loc_967A88:				; CODE XREF: PnpDisableDeviceInterfaces(x)+8Dj
		mov	edi, 0C000009Ah

loc_967A8D:				; CODE XREF: PnpDisableDeviceInterfaces(x)+65j
					; PnpDisableDeviceInterfaces(x)+B7j
		test	edi, edi
		js	short loc_967ACA
		xor	eax, eax
		mov	ebx, esi
		cmp	[esi], ax
		jz	short loc_967ACA
		xor	esi, esi

loc_967A9C:				; CODE XREF: PnpDisableDeviceInterfaces(x)+F6j
		push	ebx
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_967AB6
		push	esi
		lea	eax, [ebp+var_18]
		push	eax
		call	_IoSetDeviceInterfaceState@8 ; IoSetDeviceInterfaceState(x,x)

loc_967AB6:				; CODE XREF: PnpDisableDeviceInterfaces(x)+DBj
		movzx	eax, word ptr [ebp+var_18]
		add	eax, 2
		shr	eax, 1
		lea	ebx, [ebx+eax*2]
		cmp	[ebx], si
		jnz	short loc_967A9C
		mov	esi, [ebp+var_10]

loc_967ACA:				; CODE XREF: PnpDisableDeviceInterfaces(x)+C0j
					; PnpDisableDeviceInterfaces(x)+C9j
		mov	ebx, [ebp+var_8]

loc_967ACD:				; CODE XREF: PnpDisableDeviceInterfaces(x)+4Cj
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		jz	short loc_967AF0
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_967AF0:				; CODE XREF: PnpDisableDeviceInterfaces(x)+116j
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnpDisableDeviceInterfaces@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopResourceRequirementsChanged(x, x)
_IopResourceRequirementsChanged@8 proc near ; CODE XREF: PiProcessQueryDeviceState+A1DFAp
		mov	edi, edi
		push	esi
		xor	esi, esi
		movzx	eax, dl
		push	esi
		push	esi
		push	esi
		push	eax
		push	esi
		push	0Dh
		pop	edx
		call	PnpRequestDeviceAction
		pop	esi
		retn
_IopResourceRequirementsChanged@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoNotifyPowerOperationVetoed(x, x, x)
_IoNotifyPowerOperationVetoed@12 proc near ; CODE XREF:	PoBroadcastSystemState+B26Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	edx, edx
		jnz	short loc_967B29
		mov	eax, _IopRootDeviceNode
		mov	edx, [eax+10h]

loc_967B29:				; CODE XREF: IoNotifyPowerOperationVetoed(x,x,x)+7j
		mov	eax, [edx+0B0h]
		cmp	dword ptr [eax+14h], 0
		jnz	short loc_967B3C
		mov	eax, 0C00000F0h
		jmp	short loc_967B60
; 

loc_967B3C:				; CODE XREF: IoNotifyPowerOperationVetoed(x,x,x)+1Bj
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jnz	short loc_967B53
		mov	eax, 0C00000F1h
		jmp	short loc_967B60
; 

loc_967B53:				; CODE XREF: IoNotifyPowerOperationVetoed(x,x,x)+32j
		add	eax, 14h
		push	eax
		push	6
		push	edx
		push	ecx
		call	_PnpSetPowerVetoEvent@24 ; PnpSetPowerVetoEvent(x,x,x,x,x,x)

loc_967B60:				; CODE XREF: IoNotifyPowerOperationVetoed(x,x,x)+22j
					; IoNotifyPowerOperationVetoed(x,x,x)+39j
		pop	ebp
		retn	4
_IoNotifyPowerOperationVetoed@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 964. IoReportTargetDeviceChange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoReportTargetDeviceChange(x, x)
		public _IoReportTargetDeviceChange@8
_IoReportTargetDeviceChange@8 proc near	; CODE XREF: FsRtlNotifyVolumeEventEx+1222C9p
					; NtSetVolumeInformationFile(x,x,x,x,x)+368p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
Source1		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		lea	edi, [esp+28h+var_10]
		xor	ebx, ebx
		stosd
		mov	[esp+28h+var_18], ebx
		stosd
		stosd
		stosd
		test	esi, esi
		jz	loc_967D49
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_967C6E
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_967C6E
		mov	ebx, [ebp+arg_4]
		mov	eax, (offset loc_4055E5+3)
		lea	edi, [ebx+4]
		cmp	edi, eax
		jz	loc_967C67
		push	10h		; Length
		push	eax		; Source2
		push	edi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		sub	eax, 10h
		neg	eax
		sbb	eax, eax
		add	eax, 1
		jnz	loc_967C67
		mov	eax, offset _GUID_TARGET_DEVICE_REMOVE_CANCELLED
		cmp	edi, eax
		jz	short loc_967C67
		push	10h		; Length
		push	eax		; Source2
		push	edi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jz	short loc_967C67
		mov	eax, offset _GUID_TARGET_DEVICE_REMOVE_COMPLETE
		cmp	edi, eax
		jz	short loc_967C67
		push	10h		; Length
		push	eax		; Source2
		push	edi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jz	short loc_967C67
		movzx	eax, word ptr [ebx+2]
		push	1Ch
		pop	edx
		cmp	ax, dx
		jb	short loc_967C67
		mov	ecx, [ebx+18h]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_967C27
		sub	eax, edx
		cmp	ecx, eax
		jg	short loc_967C67

loc_967C27:				; CODE XREF: IoReportTargetDeviceChange(x,x)+B6j
		xor	edi, edi
		lea	eax, [esp+28h+var_10]
		push	edi
		push	edi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx		; void *
		push	edi		; int
		push	edi		; int
		lea	eax, [esp+34h+var_18]
		mov	ecx, esi
		push	eax		; int
		lea	edx, [esp+38h+var_10]
		call	PnpSetCustomTargetEvent
		test	eax, eax
		js	short loc_967C5E
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [esp+38h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+28h+var_18]

loc_967C5E:				; CODE XREF: IoReportTargetDeviceChange(x,x)+E1j
					; IoReportTargetDeviceChange(x,x)+103j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_967C67:				; CODE XREF: IoReportTargetDeviceChange(x,x)+57j
					; IoReportTargetDeviceChange(x,x)+70j ...
		mov	eax, 0C0000010h
		jmp	short loc_967C5E
; 

loc_967C6E:				; CODE XREF: IoReportTargetDeviceChange(x,x)+34j
					; IoReportTargetDeviceChange(x,x)+44j
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_967CAB
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_967CAB
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_967CAB:				; CODE XREF: IoReportTargetDeviceChange(x,x)+115j
					; IoReportTargetDeviceChange(x,x)+129j
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_967D49
		mov	edx, 1F4h
		lea	edi, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		cmp	[edi], bx
		jz	short loc_967CE3
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock

loc_967CE3:				; CODE XREF: IoReportTargetDeviceChange(x,x)+163j
		mov	edx, [esi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_967D17
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [esi+0B0h]

loc_967D17:				; CODE XREF: IoReportTargetDeviceChange(x,x)+189j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_967D49
		lea	ecx, [eax+1Ch]
		cmp	[ecx], bx
		jz	short loc_967D49
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_967D49:				; CODE XREF: IoReportTargetDeviceChange(x,x)+23j
					; IoReportTargetDeviceChange(x,x)+14Dj	...
		push	ebx
		push	ebx
		push	esi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall PnpNotifyHwProfileChange(x,	x, x)
_PnpNotifyHwProfileChange@12:		; CODE XREF: PAGE:008D5C86p
					; PnpRequestHwProfileChangeNotification(x,x,x,x)+D4p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_1C], 0
		push	ebx
		mov	[ebp+var_2C], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_28], edx
		stosd
		mov	esi, ecx
		mov	ecx, offset _PnpHwProfileNotifyLock
		mov	[ebp+Source1], esi
		stosd
		stosd
		stosd
		stosd
		call	ExAcquireFastMutex
		mov	ebx, ds:_PnpProfileNotifyList
		cmp	ebx, offset _PnpProfileNotifyList
		jz	loc_967F32
		xor	edi, edi
		inc	edi

loc_967DA9:				; CODE XREF: IoReportTargetDeviceChange(x,x)+2EEj
		inc	word ptr [ebx+20h]
		mov	ecx, offset _PnpHwProfileNotifyLock
		mov	[ebp+var_24], ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	edi
		push	dword ptr [ebx+28h]
		call	ExAcquireResourceExclusiveLite
		cmp	byte ptr [ebx+22h], 0
		jnz	loc_967E62
		mov	word ptr [ebp+var_18], di
		lea	edx, [ebp+var_18]
		push	14h
		pop	eax
		mov	word ptr [ebp+var_18+2], ax
		lea	edi, [ebp+var_14]
		movsd
		lea	eax, [ebp+var_1C]
		push	eax
		mov	ecx, ebx
		movsd
		movsd
		movsd
		call	PnpNotifyDriverCallback
		mov	ecx, [ebx+28h]
		mov	esi, eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		jns	short loc_967E19
		and	[ebp+var_1C], 0

loc_967E19:				; CODE XREF: IoReportTargetDeviceChange(x,x)+2AAj
		cmp	[ebp+var_1C], 0
		mov	esi, [ebp+Source1]
		jge	short loc_967E3A
		mov	eax, offset _GUID_HWPROFILE_QUERY_CHANGE
		cmp	esi, eax
		jz	short loc_967E78
		push	10h
		pop	edi
		push	edi		; Length
		push	eax		; Source2
		push	esi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, edi
		jz	short loc_967E78

loc_967E3A:				; CODE XREF: IoReportTargetDeviceChange(x,x)+2B7j
		xor	edi, edi
		inc	edi

loc_967E3D:				; CODE XREF: IoReportTargetDeviceChange(x,x)+30Dj
		mov	ecx, offset _PnpHwProfileNotifyLock
		call	ExAcquireFastMutex
		mov	ecx, [ebp+var_24]
		mov	ebx, [ebx]
		call	_PnpDereferenceNotify@4	; PnpDereferenceNotify(x)
		cmp	ebx, offset _PnpProfileNotifyList
		jnz	loc_967DA9
		jmp	loc_967F32
; 

loc_967E62:				; CODE XREF: IoReportTargetDeviceChange(x,x)+26Cj
		mov	ecx, [ebx+28h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	short loc_967E3D
; 

loc_967E78:				; CODE XREF: IoReportTargetDeviceChange(x,x)+2C0j
					; IoReportTargetDeviceChange(x,x)+2CFj
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_967E85
		mov	dword ptr [eax], 7

loc_967E85:				; CODE XREF: IoReportTargetDeviceChange(x,x)+314j
		mov	ecx, [ebp+var_2C]
		test	ecx, ecx
		jz	short loc_967E9E
		xor	eax, eax
		mov	[ecx], ax
		mov	eax, [ebx+1Ch]
		add	eax, 1Ch
		push	eax
		push	ecx
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)

loc_967E9E:				; CODE XREF: IoReportTargetDeviceChange(x,x)+321j
		mov	esi, offset _GUID_HWPROFILE_CHANGE_CANCELLED
		lea	edi, [ebp+var_14]
		push	10h
		pop	eax
		mov	ecx, offset _PnpHwProfileNotifyLock
		movsd
		movsd
		movsd
		movsd
		mov	word ptr [ebp+var_18+2], ax
		mov	edi, ebx
		call	ExAcquireFastMutex

loc_967EBD:				; CODE XREF: IoReportTargetDeviceChange(x,x)+3C7j
		inc	word ptr [ebx+20h]
		mov	ecx, offset _PnpHwProfileNotifyLock
		mov	esi, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [ebx+28h]
		call	ExAcquireResourceExclusiveLite
		cmp	byte ptr [ebx+22h], 0
		jnz	short loc_967EF7
		push	0
		lea	edx, [ebp+var_18]
		mov	ecx, ebx
		call	PnpNotifyDriverCallback

loc_967EF7:				; CODE XREF: IoReportTargetDeviceChange(x,x)+380j
		mov	ecx, [ebx+28h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, offset _PnpHwProfileNotifyLock
		call	ExAcquireFastMutex
		mov	ebx, [ebx+4]
		mov	ecx, esi
		call	_PnpDereferenceNotify@4	; PnpDereferenceNotify(x)
		cmp	esi, edi
		jnz	short loc_967F2A
		mov	ecx, esi
		call	_PnpDereferenceNotify@4	; PnpDereferenceNotify(x)

loc_967F2A:				; CODE XREF: IoReportTargetDeviceChange(x,x)+3B8j
		cmp	ebx, offset _PnpProfileNotifyList
		jnz	short loc_967EBD

loc_967F32:				; CODE XREF: IoReportTargetDeviceChange(x,x)+237j
					; IoReportTargetDeviceChange(x,x)+2F4j
		mov	ecx, offset _PnpHwProfileNotifyLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_1C]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_IoReportTargetDeviceChange@8 endp


;  S U B	R O U T	I N E 


; __stdcall PnpOrphanNotification(x)
_PnpOrphanNotification@4 proc near	; CODE XREF: PpDevNodeRemoveFromTree(x)+98p
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	ecx, offset _PnpTargetDeviceNotifyLock
		push	edi
		call	ExAcquireFastMutex
		lea	edi, [ebx+140h]

loc_967F67:				; CODE XREF: PnpOrphanNotification(x)+38j
					; PnpOrphanNotification(x)+4Aj	...
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_967FAC
		cmp	[esi+4], edi
		jnz	short loc_967FA7
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_967FA7
		mov	[edi], eax
		mov	[eax+4], edi
		mov	ecx, [esi+30h]
		mov	[esi+4], esi
		mov	[esi], esi
		test	ecx, ecx
		jz	short loc_967F67
		cmp	byte ptr [esi+22h], 0
		jz	short loc_967F9C
		test	dword ptr [ebx+1C8h], 4000h
		jnz	short loc_967F67

loc_967F9C:				; CODE XREF: PnpOrphanNotification(x)+3Ej
		call	ObfDereferenceObject
		and	dword ptr [esi+30h], 0
		jmp	short loc_967F67
; 

loc_967FA7:				; CODE XREF: PnpOrphanNotification(x)+20j
					; PnpOrphanNotification(x)+27j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_967FAC:				; CODE XREF: PnpOrphanNotification(x)+1Bj
		mov	ecx, offset _PnpTargetDeviceNotifyLock
		pop	edi
		pop	esi
		pop	ebx
		jmp	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
_PnpOrphanNotification@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpReportTargetDeviceChangeAsyncWorker(x)
_PnpReportTargetDeviceChangeAsyncWorker@4 proc near
					; DATA XREF: IoReportTargetDeviceChangeAsynchronous+16E736o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		push	dword ptr [esi+1Ch] ; void *
		mov	ecx, [esi+10h]
		push	dword ptr [esi+18h] ; int
		push	dword ptr [esi+14h] ; int
		push	0		; int
		call	PnpSetCustomTargetEvent
		mov	ecx, [esi+10h]
		mov	edx, 4E706E50h
		call	ObfDereferenceObjectWithTag
		push	38706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebp
		retn	4
_PnpReportTargetDeviceChangeAsyncWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PnpRequestHwProfileChangeNotification(void *Source1,int,int,int)
_PnpRequestHwProfileChangeNotification@16 proc near
					; CODE XREF: PpProfileCancelHardwareProfileTransition()+51p
					; PpProfileCancelTransitioningDock(x,x)+58p ...

var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	esi, ecx
		stosd
		mov	ebx, edx
		push	10h
		stosd
		stosd
		stosd
		pop	edi
		cmp	esi, offset _GUID_HWPROFILE_QUERY_CHANGE
		jz	short loc_968084
		push	edi		; Length
		push	offset _GUID_HWPROFILE_QUERY_CHANGE ; Source2
		push	esi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, edi
		jz	short loc_96805C
		mov	eax, offset _GUID_HWPROFILE_CHANGE_CANCELLED
		cmp	esi, eax
		jz	short loc_96805C
		push	edi		; Length
		push	eax		; Source2
		push	esi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, edi
		jz	short loc_96805C
		mov	eax, offset _GUID_HWPROFILE_CHANGE_COMPLETE
		cmp	esi, eax
		jz	short loc_96805C
		push	edi		; Length
		push	eax		; Source2
		push	esi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, edi
		jz	short loc_96805C
		mov	eax, 0C0000010h
		jmp	short loc_9680CD
; 

loc_96805C:				; CODE XREF: PnpRequestHwProfileChangeNotification(x,x,x,x)+35j
					; PnpRequestHwProfileChangeNotification(x,x,x,x)+3Ej ...
		cmp	esi, offset _GUID_HWPROFILE_QUERY_CHANGE
		jz	short loc_968084
		push	edi		; Length
		push	offset _GUID_HWPROFILE_QUERY_CHANGE ; Source2
		push	esi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, edi
		jz	short loc_968084
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	eax
		mov	ecx, esi
		call	_PnpSetHwProfileChangeEvent@20 ; PnpSetHwProfileChangeEvent(x,x,x,x,x)
		jmp	short loc_9680CD
; 

loc_968084:				; CODE XREF: PnpRequestHwProfileChangeNotification(x,x,x,x)+25j
					; PnpRequestHwProfileChangeNotification(x,x,x,x)+6Ej ...
		cmp	ebx, 1
		jnz	short loc_9680C0
		xor	ebx, ebx
		lea	eax, [ebp+var_14]
		push	ebx
		push	ebx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	[ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	[ebp+arg_0]
		lea	edx, [ebp+var_14]
		push	eax
		call	_PnpSetHwProfileChangeEvent@20 ; PnpSetHwProfileChangeEvent(x,x,x,x,x)
		test	eax, eax
		js	short loc_9680CD
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_4]
		jmp	short loc_9680CD
; 

loc_9680C0:				; CODE XREF: PnpRequestHwProfileChangeNotification(x,x,x,x)+93j
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_PnpNotifyHwProfileChange@12 ; PnpNotifyHwProfileChange(x,x,x)

loc_9680CD:				; CODE XREF: PnpRequestHwProfileChangeNotification(x,x,x,x)+66j
					; PnpRequestHwProfileChangeNotification(x,x,x,x)+8Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PnpRequestHwProfileChangeNotification@16 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 961. IoReportResourceForDetection

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoReportResourceForDetection(x, x, x, x, x,	x, x)
		public _IoReportResourceForDetection@28
_IoReportResourceForDetection@28 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		push	esi
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	loc_968230
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_968230
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_968230
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		test	edi, edi
		jz	short loc_968142
		movsx	edx, word ptr [edi+2]
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		lea	ebx, [edi+1Ch]
		xor	eax, eax
		cmp	[ebx], ax
		jz	short loc_968140
		push	2
		pop	edx
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [ebx]
		mov	ecx, [edi+20h]
		call	IoAddTriageDumpDataBlock

loc_968140:				; CODE XREF: IoReportResourceForDetection(x,x,x,x,x,x,x)+50j
		xor	ebx, ebx

loc_968142:				; CODE XREF: IoReportResourceForDetection(x,x,x,x,x,x,x)+3Bj
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_96817F
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_96817F
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_96817F:				; CODE XREF: IoReportResourceForDetection(x,x,x,x,x,x,x)+79j
					; IoReportResourceForDetection(x,x,x,x,x,x,x)+8Dj
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_968221
		mov	edx, 1F4h
		lea	ebx, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		xor	eax, eax
		cmp	[ebx], ax
		jz	short loc_9681B9
		push	2
		pop	edx
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [ebx]
		mov	ecx, [ebx+4]
		call	IoAddTriageDumpDataBlock

loc_9681B9:				; CODE XREF: IoReportResourceForDetection(x,x,x,x,x,x,x)+C9j
		mov	edx, [esi+0B0h]
		xor	ebx, ebx
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_9681EF
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [esi+0B0h]

loc_9681EF:				; CODE XREF: IoReportResourceForDetection(x,x,x,x,x,x,x)+F1j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_968221
		lea	ecx, [eax+1Ch]
		cmp	[ecx], bx
		jz	short loc_968221
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_968221:				; CODE XREF: IoReportResourceForDetection(x,x,x,x,x,x,x)+B1j
					; IoReportResourceForDetection(x,x,x,x,x,x,x)+11Ej ...
		push	ebx
		push	edi
		push	esi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_968230:				; CODE XREF: IoReportResourceForDetection(x,x,x,x,x,x,x)+Dj
					; IoReportResourceForDetection(x,x,x,x,x,x,x)+1Ej ...
		push	[ebp+arg_18]
		push	ecx
		push	ecx
		push	[ebp+arg_10]
		push	esi
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	3
		pop	ecx
		call	_IoReportResourceUsageInternal@40 ; IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)
		pop	esi
		pop	edi
		pop	ebx
		pop	ebp
		retn	1Ch
_IoReportResourceForDetection@28 endp ;	sp = -14h

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 962. IoReportResourceUsage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoReportResourceUsage(x, x,	x, x, x, x, x, x, x)
		public _IoReportResourceUsage@36
_IoReportResourceUsage@36 proc near

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		push	esi
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jz	loc_9683AB
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_9683AB
		test	dword ptr [eax+10Ch], 20000h
		jnz	loc_9683AB
		mov	edi, [ebp+arg_4]
		xor	ebx, ebx
		test	edi, edi
		jz	short loc_9682BD
		movsx	edx, word ptr [edi+2]
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		lea	ebx, [edi+1Ch]
		xor	eax, eax
		cmp	[ebx], ax
		jz	short loc_9682BB
		push	2
		pop	edx
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [ebx]
		mov	ecx, [edi+20h]
		call	IoAddTriageDumpDataBlock

loc_9682BB:				; CODE XREF: IoReportResourceUsage(x,x,x,x,x,x,x,x,x)+50j
		xor	ebx, ebx

loc_9682BD:				; CODE XREF: IoReportResourceUsage(x,x,x,x,x,x,x,x,x)+3Bj
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_9682FA
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_9682FA
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_9682FA:				; CODE XREF: IoReportResourceUsage(x,x,x,x,x,x,x,x,x)+79j
					; IoReportResourceUsage(x,x,x,x,x,x,x,x,x)+8Dj
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_96839C
		mov	edx, 1F4h
		lea	ebx, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		xor	eax, eax
		cmp	[ebx], ax
		jz	short loc_968334
		push	2
		pop	edx
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [ebx]
		mov	ecx, [ebx+4]
		call	IoAddTriageDumpDataBlock

loc_968334:				; CODE XREF: IoReportResourceUsage(x,x,x,x,x,x,x,x,x)+C9j
		mov	edx, [esi+0B0h]
		xor	ebx, ebx
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], bx
		jz	short loc_96836A
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [esi+0B0h]

loc_96836A:				; CODE XREF: IoReportResourceUsage(x,x,x,x,x,x,x,x,x)+F1j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_96839C
		lea	ecx, [eax+1Ch]
		cmp	[ecx], bx
		jz	short loc_96839C
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_96839C:				; CODE XREF: IoReportResourceUsage(x,x,x,x,x,x,x,x,x)+B1j
					; IoReportResourceUsage(x,x,x,x,x,x,x,x,x)+11Ej ...
		push	ebx
		push	edi
		push	esi
		push	2
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9683AB:				; CODE XREF: IoReportResourceUsage(x,x,x,x,x,x,x,x,x)+Dj
					; IoReportResourceUsage(x,x,x,x,x,x,x,x,x)+1Ej	...
		push	[ebp+arg_20]
		push	ecx
		push	ecx
		push	[ebp+arg_14]
		push	esi
		push	ecx
		push	[ebp+arg_8]
		xor	ecx, ecx
		push	[ebp+arg_4]
		call	_IoReportResourceUsageInternal@40 ; IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)
		pop	esi
		pop	edi
		pop	ebx
		pop	ebp
		retn	24h
_IoReportResourceUsage@36 endp ; sp = -14h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoReportResourceUsageInternal(x, x,	x, x, x, x, x, x, x, x)
_IoReportResourceUsageInternal@40 proc near ; CODE XREF: IoReportDetectedDevice+89412p
					; IoReportResourceForDetection(x,x,x,x,x,x,x)+16Ap ...

var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_10]
		mov	[esp+14h+var_4], ecx
		push	edi
		test	esi, esi
		jnz	short loc_9683E5
		mov	esi, [ebp+arg_4]

loc_9683E5:				; CODE XREF: IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+17j
		xor	edi, edi
		test	esi, esi
		jz	short loc_968418
		cmp	[esi], edi
		jz	short loc_968410
		cmp	[esi+10h], edi
		jz	short loc_968410
		push	3000h
		mov	edx, esi
		call	PnpCmResourcesToIoResources
		mov	edi, eax
		test	edi, edi
		jnz	short loc_968414
		mov	eax, 0C0000001h
		jmp	loc_96849C
; 

loc_968410:				; CODE XREF: IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+24j
					; IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+29j
		xor	esi, esi
		jmp	short loc_968418
; 

loc_968414:				; CODE XREF: IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+3Bj
		mov	ecx, [esp+18h+var_4]

loc_968418:				; CODE XREF: IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+20j
					; IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+49j
		mov	eax, [ebp+arg_1C]
		xor	ebx, ebx
		mov	[esp+18h+var_8], esi
		mov	byte ptr [eax],	1
		xor	al, al
		mov	[esp+18h+var_9], al

loc_96842A:				; CODE XREF: IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+96j
		mov	edx, [ebp+arg_0]
		lea	eax, [esp+18h+var_8]
		push	eax
		push	edi
		push	[ebp+arg_C]
		call	_IopLegacyResourceAllocation@20	; IopLegacyResourceAllocation(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_968461
		lea	edx, [esp+18h+var_8]
		mov	ecx, edi
		call	_IopChangeInterfaceType@8 ; IopChangeInterfaceType(x,x)
		test	al, al
		jz	short loc_968467
		inc	ebx
		mov	[esp+18h+var_9], 1
		cmp	ebx, 2
		jnb	short loc_968467
		mov	ecx, [esp+18h+var_4]
		jmp	short loc_96842A
; 

loc_968461:				; CODE XREF: IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+76j
		mov	eax, [ebp+arg_1C]
		mov	byte ptr [eax],	0

loc_968467:				; CODE XREF: IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+85j
					; IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+90j
		test	edi, edi
		jz	short loc_968473
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_968473:				; CODE XREF: IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+A0j
		cmp	[esp+18h+var_9], 0
		jz	short loc_968485
		push	0
		push	[esp+1Ch+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_968485:				; CODE XREF: IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+AFj
		test	esi, esi
		js	short loc_96848D
		xor	esi, esi
		jmp	short loc_96849A
; 

loc_96848D:				; CODE XREF: IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+BEj
		cmp	esi, 0C000009Ah
		jz	short loc_96849A
		mov	esi, 0C0000018h

loc_96849A:				; CODE XREF: IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+C2j
					; IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+CAj
		mov	eax, esi

loc_96849C:				; CODE XREF: IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+42j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
_IoReportResourceUsageInternal@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopChangeInterfaceType(x, x)
_IopChangeInterfaceType@8 proc near	; CODE XREF: IoReportResourceUsageInternal(x,x,x,x,x,x,x,x,x,x)+7Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	eax, edx
		xor	bl, bl
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jnz	short loc_9684BF
		xor	al, al
		jmp	loc_96858F
; 

loc_9684BF:				; CODE XREF: IopChangeInterfaceType(x,x)+11j
		cmp	dword ptr [ecx+4], 0
		jnz	short loc_9684CE
		mov	dword ptr [ecx+4], 1
		mov	bl, 1

loc_9684CE:				; CODE XREF: IopChangeInterfaceType(x,x)+1Ej
		lea	edx, [ecx+20h]
		mov	ecx, [ecx+1Ch]
		sub	ecx, 1
		js	short loc_96850A

loc_9684D9:				; CODE XREF: IopChangeInterfaceType(x,x)+60j
		lea	eax, [edx+8]
		mov	edx, [edx+4]
		shl	edx, 5
		add	edx, eax
		jmp	short loc_9684FE
; 

loc_9684E6:				; CODE XREF: IopChangeInterfaceType(x,x)+5Bj
		cmp	byte ptr [eax+1], 0F0h
		jnz	short loc_9684FB
		cmp	dword ptr [eax+8], 0
		jnz	short loc_9684FB
		mov	dword ptr [eax+8], 1
		mov	bl, 1

loc_9684FB:				; CODE XREF: IopChangeInterfaceType(x,x)+45j
					; IopChangeInterfaceType(x,x)+4Bj
		add	eax, 20h

loc_9684FE:				; CODE XREF: IopChangeInterfaceType(x,x)+3Fj
		cmp	eax, edx
		jb	short loc_9684E6
		sub	ecx, 1
		jns	short loc_9684D9
		mov	eax, [ebp+var_8]

loc_96850A:				; CODE XREF: IopChangeInterfaceType(x,x)+32j
		test	bl, bl
		jz	short loc_96858D
		push	esi
		mov	esi, [eax]
		test	esi, esi
		jz	short loc_96858C
		push	edi
		mov	ecx, esi
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		push	20207050h
		push	eax
		push	1
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_968537
		xor	bl, bl
		jmp	short loc_96858B
; 

loc_968537:				; CODE XREF: IopChangeInterfaceType(x,x)+8Cj
		push	[ebp+var_4]	; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		and	[ebp+var_4], 0
		lea	eax, [edi+4]
		add	esp, 0Ch
		cmp	dword ptr [esi], 0
		jbe	short loc_968586

loc_968550:				; CODE XREF: IopChangeInterfaceType(x,x)+DFj
		cmp	dword ptr [eax], 0
		jnz	short loc_96855B
		mov	dword ptr [eax], 1

loc_96855B:				; CODE XREF: IopChangeInterfaceType(x,x)+AEj
		mov	edx, [eax+0Ch]
		lea	ecx, [eax+10h]
		test	edx, edx
		jz	short loc_968579

loc_968565:				; CODE XREF: IopChangeInterfaceType(x,x)+D2j
		xor	eax, eax
		cmp	byte ptr [ecx],	5
		jnz	short loc_96856F
		mov	eax, [ecx+4]

loc_96856F:				; CODE XREF: IopChangeInterfaceType(x,x)+C5j
		add	ecx, 10h
		add	ecx, eax
		sub	edx, 1
		jnz	short loc_968565

loc_968579:				; CODE XREF: IopChangeInterfaceType(x,x)+BEj
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		inc	ecx
		mov	[ebp+var_4], ecx
		cmp	ecx, [esi]
		jb	short loc_968550

loc_968586:				; CODE XREF: IopChangeInterfaceType(x,x)+A9j
		mov	eax, [ebp+var_8]
		mov	[eax], edi

loc_96858B:				; CODE XREF: IopChangeInterfaceType(x,x)+90j
		pop	edi

loc_96858C:				; CODE XREF: IopChangeInterfaceType(x,x)+6Ej
		pop	esi

loc_96858D:				; CODE XREF: IopChangeInterfaceType(x,x)+67j
		mov	al, bl

loc_96858F:				; CODE XREF: IopChangeInterfaceType(x,x)+15j
		pop	ebx
		leave
		retn
_IopChangeInterfaceType@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpRequestDeviceEjectExWorker(x)
_PnpRequestDeviceEjectExWorker@4 proc near ; DATA XREF:	IoRequestDeviceEjectEx(x,x,x,x)+BEo

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esi+20h]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1		; int
		push	8		; int
		lea	eax, [ebp+arg_0]
		mov	[ebp+arg_0], 400h
		push	eax		; int
		lea	eax, [esi+1B4h]
		push	eax		; void *
		lea	edx, [esi+1B0h]
		lea	ecx, [ebp+var_8]
		call	_PnpQueueQueryAndRemoveEvent@24	; PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)
		mov	ecx, [esi]
		mov	[esi+0Ch], eax
		test	ecx, ecx
		jz	short loc_9685E5
		push	dword ptr [esi+4]
		push	eax
		call	ecx

loc_9685E5:				; CODE XREF: PnpRequestDeviceEjectExWorker(x)+4Bj
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_9685F6
		mov	edx, 45706E50h
		call	ObfDereferenceObjectWithTag

loc_9685F6:				; CODE XREF: PnpRequestDeviceEjectExWorker(x)+58j
		push	46706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		leave
		retn	4
_PnpRequestDeviceEjectExWorker@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 968. IoRequestDeviceRemovalForReset

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoRequestDeviceRemovalForReset(x, x)
		public _IoRequestDeviceRemovalForReset@8
_IoRequestDeviceRemovalForReset@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	45706E50h
		mov	ebx, 80h
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		xor	edi, edi
		test	esi, esi
		jnz	short loc_96863A

loc_968630:				; CODE XREF: IoRequestDeviceRemovalForReset(x,x)+94j
		mov	ebx, 0C000009Ah
		jmp	loc_9686C9
; 

loc_96863A:				; CODE XREF: IoRequestDeviceRemovalForReset(x,x)+23j
		push	ebx		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+28h]
		push	esi
		push	offset _PfSnTracingStateDpcRoutine@16 ;	PfSnTracingStateDpcRoutine(x,x,x,x)
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	edi
		push	esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		mov	ebx, [ebp+arg_0]
		mov	edx, 52706E50h
		mov	ecx, ebx
		mov	dword ptr [esi+50h], offset _IopRetryDeviceRemovalForReset@4 ; IopRetryDeviceRemovalForReset(x)
		mov	[esi+54h], esi
		mov	[esi+48h], edi
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+arg_4]
		mov	edx, 200h
		mov	[esi+68h], ebx
		lea	ebx, [esi+70h]
		mov	[esi+58h], edi
		mov	ecx, ebx
		mov	[esi+5Ch], edi
		mov	[esi+6Ch], edi
		mov	[esi+78h], eax
		mov	[ebx], edi
		mov	[ebx+4], edi
		call	IopAllocateUnicodeString
		test	eax, eax
		js	short loc_968630
		mov	ecx, [esi+68h]
		lea	eax, [esi+60h]
		push	eax
		push	ebx
		lea	eax, [esi+6Ch]
		xor	edx, edx
		push	eax
		lea	eax, [esi+5Ch]
		push	eax
		push	esi
		push	offset _IopDeviceRemovalForResetComplete@4 ; IopDeviceRemovalForResetComplete(x)
		push	edi
		push	edi
		push	36h
		push	1
		push	edi
		push	1
		call	_PnpSetTargetDeviceRemove@56 ; PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax

loc_9686C9:				; CODE XREF: IoRequestDeviceRemovalForReset(x,x)+2Aj
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	ebx
		call	_PnpTraceRequestDeviceRemovalForReset@12 ; PnpTraceRequestDeviceRemovalForReset(x,x,x)
		test	ebx, ebx
		jns	short loc_9686E6
		test	esi, esi
		jz	short loc_968713
		mov	ecx, esi
		call	_IopFreeResetRemovalContext@4 ;	IopFreeResetRemovalContext(x)
		jmp	short loc_968713
; 

loc_9686E6:				; CODE XREF: IoRequestDeviceRemovalForReset(x,x)+CCj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_9686F6
		mov	eax, [eax+0B0h]
		mov	edi, [eax+14h]

loc_9686F6:				; CODE XREF: IoRequestDeviceRemovalForReset(x,x)+E0j
		test	byte_6CD8BB, 8
		jz	short loc_968713
		mov	ax, [edi+14h]
		push	dword ptr [edi+18h]
		shr	ax, 1
		movzx	eax, ax
		push	eax
		push	ecx
		call	_McTemplateK0hzr0_EtwWriteTransfer@20 ;	McTemplateK0hzr0_EtwWriteTransfer(x,x,x,x,x)

loc_968713:				; CODE XREF: IoRequestDeviceRemovalForReset(x,x)+D0j
					; IoRequestDeviceRemovalForReset(x,x)+D9j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	8
_IoRequestDeviceRemovalForReset@8 endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopDeviceRemovalForResetComplete(x)
_IopDeviceRemovalForResetComplete@4 proc near
					; DATA XREF: IoRequestDeviceRemovalForReset(x,x)+A9o
					; IopQueueDeviceResetEvent(x)+18o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jnz	short loc_968730
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_968730:				; CODE XREF: IopDeviceRemovalForResetComplete(x)+Dj
		mov	edi, [esi+5Ch]
		xor	ebx, ebx
		test	edi, edi
		jns	short loc_96873E
		cmp	[esi+58h], ebx
		jnz	short loc_968788

loc_96873E:				; CODE XREF: IopDeviceRemovalForResetComplete(x)+1Bj
		mov	eax, [esi+68h]
		test	eax, eax
		jz	short loc_968750
		mov	eax, [eax+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_968752
; 

loc_968750:				; CODE XREF: IopDeviceRemovalForResetComplete(x)+27j
		mov	edx, ebx

loc_968752:				; CODE XREF: IopDeviceRemovalForResetComplete(x)+32j
		test	byte_6CD8BB, 8
		jz	short loc_968788
		mov	ecx, [esi+60h]
		mov	eax, [ecx+20h]
		push	dword ptr [eax+4]
		mov	ax, [eax]
		shr	ax, 1
		movzx	eax, ax
		push	eax
		mov	eax, [ecx+1Ch]
		push	dword ptr [eax]
		mov	ax, [edx+14h]
		push	edi
		push	dword ptr [edx+18h]
		shr	ax, 1
		movzx	eax, ax
		push	eax
		push	ecx
		call	_McTemplateK0hzr0qqhzr4_EtwWriteTransfer@36 ; McTemplateK0hzr0qqhzr4_EtwWriteTransfer(x,x,x,x,x,x,x,x,x)

loc_968788:				; CODE XREF: IopDeviceRemovalForResetComplete(x)+20j
					; IopDeviceRemovalForResetComplete(x)+3Dj
		test	edi, edi
		jns	short loc_9687EF
		cmp	dword ptr [esi+6Ch], 0Dh
		jz	short loc_9687EF
		mov	eax, [esi+64h]
		cmp	eax, _PnpResetMaximumRetryAttempts
		jnb	short loc_9687EF
		mov	ecx, [esi+60h]
		or	eax, 0FFFFFFFFh
		add	ecx, 24h
		lock xadd [ecx], eax
		jnz	short loc_9687B9
		push	4B706E50h
		push	dword ptr [esi+60h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9687B9:				; CODE XREF: IopDeviceRemovalForResetComplete(x)+8Ej
		lea	ecx, [esi+70h]
		mov	[esi+60h], ebx
		mov	edx, offset ??_C@_11LOCGONAA@@NNGAKEGL@
		mov	[esi+6Ch], ebx
		mov	[esi+58h], edi
		call	_RtlUnicodeStringCopyString@8 ;	RtlUnicodeStringCopyString(x,x)
		inc	dword ptr [esi+64h]
		mov	ecx, esi
		mov	eax, dword_6CC9FC
		mov	edx, _PnpResetRetryInterval
		push	eax
		push	edx
		lea	eax, [esi+28h]
		xor	edx, edx
		push	eax
		push	ebx
		call	KiSetTimerEx
		jmp	short loc_9687FD
; 

loc_9687EF:				; CODE XREF: IopDeviceRemovalForResetComplete(x)+6Ej
					; IopDeviceRemovalForResetComplete(x)+74j ...
		mov	ecx, esi
		call	_PnpTraceDeviceRemovalForResetComplete@8 ; PnpTraceDeviceRemovalForResetComplete(x,x)
		mov	ecx, esi
		call	_IopFreeResetRemovalContext@4 ;	IopFreeResetRemovalContext(x)

loc_9687FD:				; CODE XREF: IopDeviceRemovalForResetComplete(x)+D1j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_IopDeviceRemovalForResetComplete@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopFreeResetRemovalContext(x)
_IopFreeResetRemovalContext@4 proc near	; CODE XREF: IoRequestDeviceRemovalForReset(x,x)+D4p
					; IopDeviceRemovalForResetComplete(x)+DCp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+60h]
		test	ecx, ecx
		jz	short loc_96882B
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+24h], eax
		jnz	short loc_968827
		push	4B706E50h
		push	dword ptr [esi+60h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_968827:				; CODE XREF: IopFreeResetRemovalContext(x)+14j
		and	dword ptr [esi+60h], 0

loc_96882B:				; CODE XREF: IopFreeResetRemovalContext(x)+Aj
		mov	ecx, [esi+68h]
		test	ecx, ecx
		jz	short loc_968840
		mov	edx, 52706E50h
		call	ObfDereferenceObjectWithTag
		and	dword ptr [esi+68h], 0

loc_968840:				; CODE XREF: IopFreeResetRemovalContext(x)+2Cj
		lea	eax, [esi+70h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
_IopFreeResetRemovalContext@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopQueueDeviceResetEvent(x)
_IopQueueDeviceResetEvent@4 proc near	; CODE XREF: IopRetryDeviceRemovalForReset(x)+3Bp
		lea	eax, [ecx+60h]
		xor	edx, edx
		push	eax
		lea	eax, [ecx+70h]
		push	eax
		lea	eax, [ecx+6Ch]
		push	eax
		lea	eax, [ecx+5Ch]
		push	eax
		push	ecx
		mov	ecx, [ecx+68h]
		xor	eax, eax
		push	offset _IopDeviceRemovalForResetComplete@4 ; IopDeviceRemovalForResetComplete(x)
		push	eax
		push	eax
		push	36h
		push	1
		push	eax
		push	1
		call	_PnpSetTargetDeviceRemove@56 ; PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		retn
_IopQueueDeviceResetEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopRetryDeviceRemovalForReset(x)
_IopRetryDeviceRemovalForReset@4 proc near
					; DATA XREF: IoRequestDeviceRemovalForReset(x,x)+5Ao

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+68h]
		test	eax, eax
		jz	short loc_96889B
		mov	eax, [eax+0B0h]
		mov	esi, [eax+14h]
		jmp	short loc_96889D
; 

loc_96889B:				; CODE XREF: IopRetryDeviceRemovalForReset(x)+Fj
		xor	esi, esi

loc_96889D:				; CODE XREF: IopRetryDeviceRemovalForReset(x)+1Aj
		xor	ecx, ecx
		call	PpDevNodeLockTree
		mov	ecx, esi
		call	_PipIsDevNodeEffectivelyRemoved@4 ; PipIsDevNodeEffectivelyRemoved(x)
		xor	ecx, ecx
		mov	esi, eax
		call	PpDevNodeUnlockTree
		test	esi, esi
		jnz	short loc_9688C1
		mov	ecx, edi
		call	_IopQueueDeviceResetEvent@4 ; IopQueueDeviceResetEvent(x)
		jmp	short loc_9688C6
; 

loc_9688C1:				; CODE XREF: IopRetryDeviceRemovalForReset(x)+37j
		mov	eax, 0C0000001h

loc_9688C6:				; CODE XREF: IopRetryDeviceRemovalForReset(x)+40j
		test	eax, eax
		jns	short loc_9688D1
		mov	ecx, edi
		call	_IopFreeResetRemovalContext@4 ;	IopFreeResetRemovalContext(x)

loc_9688D1:				; CODE XREF: IopRetryDeviceRemovalForReset(x)+49j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_IopRetryDeviceRemovalForReset@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopCleanupSelectedConfiguration(x, x)
_IopCleanupSelectedConfiguration@8 proc	near
					; CODE XREF: PnpFindBestConfigurationWorker:loc_87B3FAp
		mov	edi, edi
		push	esi
		mov	esi, edx
		test	esi, esi
		jz	short loc_968903
		push	edi
		lea	edi, [ecx+18h]

loc_9688E4:				; CODE XREF: IopCleanupSelectedConfiguration(x,x)+29j
		mov	eax, [edi]
		push	0
		push	0
		mov	eax, [eax+0Ch]
		mov	edx, [eax]
		lea	ecx, [edx+14h]
		mov	edx, [edx+10h]
		call	IopAddRemoveReqDescs
		lea	edi, [edi+28h]
		sub	esi, 1
		jnz	short loc_9688E4
		pop	edi

loc_968903:				; CODE XREF: IopCleanupSelectedConfiguration(x,x)+7j
		pop	esi
		retn
_IopCleanupSelectedConfiguration@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopRetestConfiguration(x, x, x)
_IopRetestConfiguration@12 proc	near	; CODE XREF: PnpFindBestConfigurationWorker+69AFCp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_1C]
		mov	[ebp+var_C], edx
		stosd
		mov	[ebp+var_8], ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, [ebx]
		jmp	short loc_96896E
; 

loc_968928:				; CODE XREF: IopRetestConfiguration(x,x,x)+6Bj
		lea	ecx, [edi]
		mov	edi, [edi]
		cmp	byte ptr [ecx+9], 0
		jz	short loc_96896E
		mov	esi, [ecx-20h]
		lea	eax, [ecx-18h]
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		movzx	eax, byte ptr [ecx-24h]
		push	eax
		push	dword ptr [ecx-1Ch]
		mov	ecx, [ebp+var_8]
		call	PnpLookupArbitersNewResources
		lea	eax, [ebp+var_1C]
		push	eax
		push	1
		push	dword ptr [esi+4]
		call	dword ptr [esi+10h]
		test	eax, eax
		js	short loc_968972
		mov	edx, [ebp+var_C]

loc_96896E:				; CODE XREF: IopRetestConfiguration(x,x,x)+21j
					; IopRetestConfiguration(x,x,x)+2Bj
		cmp	edi, ebx
		jnz	short loc_968928

loc_968972:				; CODE XREF: IopRetestConfiguration(x,x,x)+64j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_IopRetestConfiguration@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSaveRestoreConfiguration(x, x, x, x)
_IopSaveRestoreConfiguration@16	proc near ; CODE XREF: PnpFindBestConfigurationWorker+69AD7p
					; PnpFindBestConfigurationWorker+69AF1p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	[ebp+var_10], edx
		test	edx, edx
		jz	loc_968A36
		push	ebx
		lea	eax, [ecx+18h]
		push	esi
		mov	[ebp+var_C], eax
		push	edi

loc_968995:				; CODE XREF: IopSaveRestoreConfiguration(x,x,x,x)+B4j
		cmp	[ebp+arg_4], 0
		mov	eax, [eax]
		jz	short loc_9689A5
		mov	ecx, [eax+0Ch]
		mov	[eax+10h], ecx
		jmp	short loc_9689AB
; 

loc_9689A5:				; CODE XREF: IopSaveRestoreConfiguration(x,x,x,x)+22j
		mov	ecx, [eax+10h]
		mov	[eax+0Ch], ecx

loc_9689AB:				; CODE XREF: IopSaveRestoreConfiguration(x,x,x,x)+2Aj
		mov	ecx, [ecx]
		and	[ebp+var_4], 0
		mov	eax, [ecx+10h]
		lea	ebx, [ecx+14h]
		add	eax, 5
		lea	edx, [ecx+eax*4]
		mov	eax, edx
		sub	eax, ebx
		add	eax, 3
		shr	eax, 2
		cmp	edx, ebx
		sbb	edx, edx
		not	edx
		and	edx, eax
		jbe	short loc_968A20
		mov	eax, [ebp+var_4]

loc_9689D4:				; CODE XREF: IopSaveRestoreConfiguration(x,x,x,x)+A5j
		mov	ecx, [ebx]
		cmp	byte ptr [ecx+8], 0
		jz	short loc_968A15
		cmp	[ebp+arg_4], 0
		mov	eax, [ecx+14h]
		push	0Eh
		lea	ecx, [eax+98h]
		mov	[ebp+var_8], ecx
		lea	edi, [eax+60h]
		lea	esi, [eax+18h]
		pop	ecx
		jz	short loc_968A01
		rep movsd
		mov	edi, [ebp+var_8]
		lea	esi, [eax+50h]
		jmp	short loc_968A0E
; 

loc_968A01:				; CODE XREF: IopSaveRestoreConfiguration(x,x,x,x)+7Cj
		mov	esi, edi
		lea	edi, [eax+18h]
		rep movsd
		mov	esi, [ebp+var_8]
		lea	edi, [eax+50h]

loc_968A0E:				; CODE XREF: IopSaveRestoreConfiguration(x,x,x,x)+86j
		mov	eax, [ebp+var_4]
		movsd
		movsd
		movsd
		movsd

loc_968A15:				; CODE XREF: IopSaveRestoreConfiguration(x,x,x,x)+61j
		add	ebx, 4
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, edx
		jb	short loc_9689D4

loc_968A20:				; CODE XREF: IopSaveRestoreConfiguration(x,x,x,x)+56j
		mov	eax, [ebp+var_C]
		add	eax, 28h
		sub	[ebp+var_10], 1
		mov	[ebp+var_C], eax
		jnz	loc_968995
		pop	edi
		pop	esi
		pop	ebx

loc_968A36:				; CODE XREF: IopSaveRestoreConfiguration(x,x,x,x)+Dj
		mov	edx, [ebp+arg_0]
		mov	ecx, [edx]
		jmp	short loc_968A75
; 

loc_968A3D:				; CODE XREF: IopSaveRestoreConfiguration(x,x,x,x)+FEj
		cmp	[ebp+arg_4], 0
		jz	short loc_968A5C
		mov	eax, [ecx-18h]
		mov	[ecx-10h], eax
		mov	eax, [ecx-14h]
		mov	[ecx-0Ch], eax
		mov	eax, [ecx]
		mov	[ecx-8], eax
		mov	eax, [ecx+4]
		mov	[ecx-4], eax
		jmp	short loc_968A73
; 

loc_968A5C:				; CODE XREF: IopSaveRestoreConfiguration(x,x,x,x)+C8j
		mov	eax, [ecx-10h]
		mov	[ecx-18h], eax
		mov	eax, [ecx-0Ch]
		mov	[ecx-14h], eax
		mov	eax, [ecx-8]
		mov	[ecx], eax
		mov	eax, [ecx-4]
		mov	[ecx+4], eax

loc_968A73:				; CODE XREF: IopSaveRestoreConfiguration(x,x,x,x)+E1j
		mov	ecx, [ecx]

loc_968A75:				; CODE XREF: IopSaveRestoreConfiguration(x,x,x,x)+C2j
		cmp	ecx, edx
		jnz	short loc_968A3D
		leave
		retn	8
_IopSaveRestoreConfiguration@16	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry  14.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpGetDeviceInstancePropertyData(x,	x, x, x, x, x, x, x)
		public _PnpGetDeviceInstancePropertyData@32
_PnpGetDeviceInstancePropertyData@32 proc near

var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_C4], eax
		mov	eax, [ebp+arg_18]
		push	edi
		mov	edi, [ebp+arg_1C]
		mov	[ebp+var_C0], eax
		mov	eax, 0AAh
		push	eax		; size_t
		lea	eax, [ebp+var_B0]
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		mov	[ebp+var_B8], eax
		mov	[ebp+var_B4], eax
		mov	[ebp+var_BC], eax
		cmp	[ebp+arg_8], eax
		jz	short loc_968B15
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_B8], offset unk_AA0000
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B8]
		push	eax
		push	[ebp+arg_8]
		call	_RtlLCIDToCultureName@8	; RtlLCIDToCultureName(x,x)
		test	al, al
		jnz	short loc_968B15
		mov	esi, 0C0000001h
		jmp	short loc_968B90
; 

loc_968B15:				; CODE XREF: PnpGetDeviceInstancePropertyData(x,x,x,x,x,x,x,x)+61j
					; PnpGetDeviceInstancePropertyData(x,x,x,x,x,x,x,x)+8Aj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpDevicePropertyLock
		call	ExAcquireResourceSharedLite
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_BC]
		push	0
		push	[ebp+var_C0]
		mov	edx, esi
		push	[ebp+arg_10]
		push	[ebp+var_C4]
		push	eax
		push	ebx
		push	[ebp+var_B4]
		push	0
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, offset _PnpDevicePropertyLock
		mov	esi, eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		js	short loc_968B83
		mov	ecx, [ebp+var_BC]
		mov	[edi], ecx

loc_968B83:				; CODE XREF: PnpGetDeviceInstancePropertyData(x,x,x,x,x,x,x,x)+F7j
		cmp	esi, 0C0000225h
		jnz	short loc_968B90
		mov	esi, 0C0000034h

loc_968B90:				; CODE XREF: PnpGetDeviceInstancePropertyData(x,x,x,x,x,x,x,x)+91j
					; PnpGetDeviceInstancePropertyData(x,x,x,x,x,x,x,x)+107j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
_PnpGetDeviceInstancePropertyData@32 endp

; 
		align 8
; Exported entry  15.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpGetDeviceInstanceRegistryValue(x, x, x, x, x)
		public _PnpGetDeviceInstanceRegistryValue@20
_PnpGetDeviceInstanceRegistryValue@20 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		test	[ebp+arg_4], 1
		push	esi
		mov	[ebp+var_4], ebx
		jz	short loc_968BBF
		push	11h
		jmp	short loc_968BCB
; 

loc_968BBF:				; CODE XREF: PnpGetDeviceInstanceRegistryValue(x,x,x,x,x)+11j
		test	[ebp+arg_4], 2
		jz	loc_968C4A
		push	12h

loc_968BCB:				; CODE XREF: PnpGetDeviceInstanceRegistryValue(x,x,x,x,x)+15j
		test	[ebp+arg_4], 4
		pop	esi
		jz	short loc_968BD8
		or	esi, 200h

loc_968BD8:				; CODE XREF: PnpGetDeviceInstanceRegistryValue(x,x,x,x,x)+28j
		mov	eax, large fs:124h
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _PnpRegistryDeviceResource
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	eax
		push	ebx
		push	20019h
		push	ebx
		push	esi
		call	_CmOpenDeviceRegKey
		mov	ecx, edi
		mov	esi, eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		test	esi, esi
		jns	short loc_968C2D

loc_968C29:				; CODE XREF: PnpGetDeviceInstanceRegistryValue(x,x,x,x,x)+A0j
		mov	eax, esi
		jmp	short loc_968C4F
; 

loc_968C2D:				; CODE XREF: PnpGetDeviceInstanceRegistryValue(x,x,x,x,x)+7Fj
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_8]
		push	[ebp+arg_C]
		mov	ecx, [ebp+var_4]
		call	IopGetRegistryValue
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_968C29
; 

loc_968C4A:				; CODE XREF: PnpGetDeviceInstanceRegistryValue(x,x,x,x,x)+1Bj
		mov	eax, 0C000000Dh

loc_968C4F:				; CODE XREF: PnpGetDeviceInstanceRegistryValue(x,x,x,x,x)+83j
		pop	esi
		pop	ebx
		leave
		retn	14h
_PnpGetDeviceInstanceRegistryValue@20 endp


;  S U B	R O U T	I N E 


; __stdcall PpPagePathAssign(x)
_PpPagePathAssign@4 proc near		; CODE XREF: INIT:00AC3004p
		mov	dl, 1
		jmp	PiPagePathSetState
_PpPagePathAssign@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpPagePathRelease(x)
_PpPagePathRelease@4 proc near		; CODE XREF: CmpVolumeContextCleanup(x)+Ep
		xor	dl, dl
		jmp	PiPagePathSetState
_PpPagePathRelease@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDiagRundownForEachDevice(x, x)
_PnpDiagRundownForEachDevice@8 proc near
					; DATA XREF: PnpDiagRundownRegisterCallback(x,x,x,x,x,x,x,x,x)+36o

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	edx, edx
		mov	[esp+70h+var_58], edx
		mov	[esp+70h+var_54], edx
		mov	[esp+70h+var_64], edx
		mov	edi, [edi+120h]
		mov	[esp+70h+var_4C], edi
		test	edi, edi
		jz	loc_968D8D
		mov	eax, edx
		mov	[esp+70h+var_5C], eax
		cmp	[edi], edx
		jbe	loc_968D8D
		lea	esi, [edi+10h]

loc_968CB0:				; CODE XREF: PnpDiagRundownForEachDevice(x,x)+124j
		mov	ecx, edx
		mov	[esp+70h+var_60], ecx
		cmp	[esi], edx
		jbe	loc_968D7D
		mov	edi, [ebp+arg_0]
		lea	ebx, [esi+0Ch]

loc_968CC4:				; CODE XREF: PnpDiagRundownForEachDevice(x,x)+10Cj
		cmp	byte ptr [ebx-8], 84h
		jnz	loc_968D65
		mov	eax, [ebx+4]
		movzx	ecx, word ptr [edi+14h]
		mov	[esp+70h+var_54], eax
		mov	eax, [ebx]
		mov	[esp+70h+var_58], eax
		lea	eax, [edi+10h]
		mov	[esp+70h+var_48], eax
		lea	eax, [esp+70h+var_58]
		mov	[esp+70h+var_38], eax
		mov	eax, ecx
		shr	eax, 1
		mov	[esp+70h+var_64], eax
		lea	eax, [esp+70h+var_64]
		mov	[esp+70h+var_28], eax
		mov	eax, [edi+18h]
		mov	[esp+70h+var_18], eax
		lea	eax, [esp+70h+var_48]
		push	eax
		push	4
		push	edx
		push	offset _PPM_ETW_INTERRUPT_STEERING_MASK_RUNDOWN
		push	dword_6FD4B4
		mov	[esp+84h+var_44], edx
		push	_PnpRundownEtwHandle
		mov	[esp+88h+var_40], 4
		mov	[esp+88h+var_3C], edx
		mov	[esp+88h+var_34], edx
		mov	[esp+88h+var_30], 8
		mov	[esp+88h+var_2C], edx
		mov	[esp+88h+var_24], edx
		mov	[esp+88h+var_20], 4
		mov	[esp+88h+var_1C], edx
		mov	[esp+88h+var_14], edx
		mov	[esp+88h+var_10], ecx
		mov	[esp+88h+var_C], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [esp+70h+var_60]
		xor	edx, edx

loc_968D65:				; CODE XREF: PnpDiagRundownForEachDevice(x,x)+65j
		inc	ecx
		add	ebx, 10h
		mov	[esp+70h+var_60], ecx
		cmp	ecx, [esi]
		jb	loc_968CC4
		mov	edi, [esp+70h+var_4C]
		mov	eax, [esp+70h+var_5C]

loc_968D7D:				; CODE XREF: PnpDiagRundownForEachDevice(x,x)+55j
		inc	eax
		add	esi, 20h
		mov	[esp+70h+var_5C], eax
		cmp	eax, [edi]
		jb	loc_968CB0

loc_968D8D:				; CODE XREF: PnpDiagRundownForEachDevice(x,x)+36j
					; PnpDiagRundownForEachDevice(x,x)+44j
		mov	ecx, [esp+70h+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_PnpDiagRundownForEachDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDiagRundownParentDevNodeForEachDevice(x,	x)
_PnpDiagRundownParentDevNodeForEachDevice@8 proc near
					; DATA XREF: PnpDiagRundownRegisterCallback(x,x,x,x,x,x,x,x,x)+AAo

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+arg_0]
		push	esi
		push	edi
		push	4
		pop	esi
		xor	edi, edi
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], edi
		mov	eax, [edx+8]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], edi
		movzx	eax, word ptr [edx+14h]
		shr	eax, 1
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], edi
		movzx	ecx, word ptr [edx+14h]
		mov	eax, [edx+18h]
		mov	[ebp+var_14], eax
		mov	eax, ecx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	esi
		push	edi
		push	offset _KMPnPRundownEvt_SleepStudy_ParentDevNode
		push	dword_6FD4B4
		mov	[ebp+var_10], edi
		push	_PnpRundownEtwHandle
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PnpDiagRundownParentDevNodeForEachDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDiagRundownParentPdoForEachDevice(x, x)
_PnpDiagRundownParentPdoForEachDevice@8	proc near
					; DATA XREF: PnpDiagRundownRegisterCallback(x,x,x,x,x,x,x,x,x)+70o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		cmp	[ecx+28h], edx
		jnz	short loc_968EAB
		push	esi
		lea	eax, [ecx+10h]
		mov	[ebp+var_20], edx
		push	4
		mov	[ebp+var_24], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_18], edx
		pop	esi
		mov	[ebp+var_1C], esi
		test	eax, eax
		jnz	short loc_968E78
		mov	eax, edx
		jmp	short loc_968E7B
; 

loc_968E78:				; CODE XREF: PnpDiagRundownParentPdoForEachDevice(x,x)+34j
		mov	eax, [eax+10h]

loc_968E7B:				; CODE XREF: PnpDiagRundownParentPdoForEachDevice(x,x)+38j
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	offset _KMPnPRundownEvt_SleepStudy_ParentPdo
		push	dword_6FD4B4
		mov	[ebp+var_10], edx
		push	_PnpRundownEtwHandle
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	esi

loc_968EAB:				; CODE XREF: PnpDiagRundownParentPdoForEachDevice(x,x)+1Aj
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PnpDiagRundownParentPdoForEachDevice@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDiagRundownRegisterCallback(x, x, x, x, x, x, x,	x, x)
_PnpDiagRundownRegisterCallback@36 proc	near ; DATA XREF: PnpDiagInitialize()+37o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 2
		jnz	loc_968F78
		push	offset _PPM_ETW_INTERRUPT_STEERING_MASK_RUNDOWN
		push	dword_6FD4B4
		push	_PnpRundownEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_968F04
		xor	ecx, ecx
		call	PpDevNodeLockTree
		mov	ecx, _IopRootDeviceNode
		mov	edx, offset _PnpDiagRundownForEachDevice@8 ; PnpDiagRundownForEachDevice(x,x)
		push	0
		call	_PipForDeviceNodeSubtree@12 ; PipForDeviceNodeSubtree(x,x,x)
		xor	ecx, ecx
		call	PpDevNodeUnlockTree

loc_968F04:				; CODE XREF: PnpDiagRundownRegisterCallback(x,x,x,x,x,x,x,x,x)+27j
		push	offset _KMPnPRundownEvt_SleepStudy_ParentPdo
		push	dword_6FD4B4
		push	_PnpRundownEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_968F3E
		xor	ecx, ecx
		call	PpDevNodeLockTree
		mov	ecx, _IopRootDeviceNode
		mov	edx, offset _PnpDiagRundownParentPdoForEachDevice@8 ; PnpDiagRundownParentPdoForEachDevice(x,x)
		push	0
		call	_PipForDeviceNodeSubtree@12 ; PipForDeviceNodeSubtree(x,x,x)
		xor	ecx, ecx
		call	PpDevNodeUnlockTree

loc_968F3E:				; CODE XREF: PnpDiagRundownRegisterCallback(x,x,x,x,x,x,x,x,x)+61j
		push	offset _KMPnPRundownEvt_SleepStudy_ParentDevNode
		push	dword_6FD4B4
		push	_PnpRundownEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_968F78
		xor	ecx, ecx
		call	PpDevNodeLockTree
		mov	ecx, _IopRootDeviceNode
		mov	edx, offset _PnpDiagRundownParentDevNodeForEachDevice@8	; PnpDiagRundownParentDevNodeForEachDevice(x,x)
		push	0
		call	_PipForDeviceNodeSubtree@12 ; PipForDeviceNodeSubtree(x,x,x)
		xor	ecx, ecx
		call	PpDevNodeUnlockTree

loc_968F78:				; CODE XREF: PnpDiagRundownRegisterCallback(x,x,x,x,x,x,x,x,x)+9j
					; PnpDiagRundownRegisterCallback(x,x,x,x,x,x,x,x,x)+9Bj
		pop	ebp
		retn	24h
_PnpDiagRundownRegisterCallback@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpHandleEnumerateHandlesAgainstDeviceObject(x, x, x)
_PnpHandleEnumerateHandlesAgainstDeviceObject@12 proc near
					; CODE XREF: PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)+1Cp
					; PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)+6Cp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], ecx
		lea	edi, [ebp+var_1C]
		mov	[ebp+var_C], edx
		stosd
		xor	ecx, ecx
		stosd
		stosd
		stosd
		xor	edi, edi
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_969003
		mov	ebx, [ebp+arg_0]

loc_968FA8:				; CODE XREF: PnpHandleEnumerateHandlesAgainstDeviceObject(x,x,x)+77j
		mov	ecx, esi
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jz	short loc_968FE8
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+var_C]
		push	0
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	offset _PnpHandleProcessWalkWorker@16 ;	PnpHandleProcessWalkWorker(x,x,x,x)
		push	eax
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], ebx
		call	ExEnumHandleTable
		lea	ecx, [esi+0F0h]
		movzx	edi, al
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		test	edi, edi
		jnz	short loc_968FF7

loc_968FE8:				; CODE XREF: PnpHandleEnumerateHandlesAgainstDeviceObject(x,x,x)+35j
		mov	ecx, esi
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_968FA8
		jmp	short loc_969003
; 

loc_968FF7:				; CODE XREF: PnpHandleEnumerateHandlesAgainstDeviceObject(x,x,x)+6Aj
		mov	edx, 6E457350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_969003:				; CODE XREF: PnpHandleEnumerateHandlesAgainstDeviceObject(x,x,x)+27j
					; PnpHandleEnumerateHandlesAgainstDeviceObject(x,x,x)+79j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PnpHandleEnumerateHandlesAgainstDeviceObject@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpHandleProcessWalkWorker(x, x, x,	x)
_PnpHandleProcessWalkWorker@16 proc near
					; DATA XREF: PnpHandleEnumerateHandlesAgainstDeviceObject(x,x,x)+49o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		mov	edx, [edx]
		and	edx, 0FFFFFFF8h
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edx+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		cmp	eax, ds:_IoFileObjectType
		jz	short loc_969044
		xor	bl, bl
		jmp	short loc_96906E
; 

loc_969044:				; CODE XREF: PnpHandleProcessWalkWorker(x,x,x,x)+32j
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		lea	edi, [edx+18h]
		push	edi
		mov	ebx, [esi]
		call	_IoGetBaseFileSystemDeviceObject@4 ; IoGetBaseFileSystemDeviceObject(x)
		cmp	eax, ebx
		jz	short loc_96905C
		xor	bl, bl
		jmp	short loc_96906C
; 

loc_96905C:				; CODE XREF: PnpHandleProcessWalkWorker(x,x,x,x)+4Aj
		push	dword ptr [esi+0Ch]
		push	[ebp+arg_8]
		push	edi
		push	dword ptr [esi+4]
		push	ebx
		call	dword ptr [esi+8]
		mov	bl, al

loc_96906C:				; CODE XREF: PnpHandleProcessWalkWorker(x,x,x,x)+4Ej
		pop	edi
		pop	esi

loc_96906E:				; CODE XREF: PnpHandleProcessWalkWorker(x,x,x,x)+36j
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		inc	ecx
		lock xadd [eax], ecx
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+arg_4]
		and	[ebp+arg_4], 0
		add	ecx, 20h
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	short loc_969093
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_969093:				; CODE XREF: PnpHandleProcessWalkWorker(x,x,x,x)+80j
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	10h
_PnpHandleProcessWalkWorker@16 endp ; sp = -14h


;  S U B	R O U T	I N E 


; __stdcall IopAcquireReleaseDispatcherLock(x, x)
_IopAcquireReleaseDispatcherLock@8 proc	near ; CODE XREF: IopPassiveInterruptWorker(x)+24p
					; IopPassiveInterruptWorker(x)+E9p
		add	ecx, 60h
		test	dl, dl
		jz	short loc_9690BC
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	ecx
		call	KeWaitForSingleObject
		retn
; 

loc_9690BC:				; CODE XREF: IopAcquireReleaseDispatcherLock(x,x)+5j
		xor	eax, eax
		push	eax
		push	eax
		push	ecx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, large fs:124h
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_IopAcquireReleaseDispatcherLock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAllocatePassiveInterruptBlock(x,	x)
_IopAllocatePassiveInterruptBlock@8 proc near ;	CODE XREF: IopConnectInterrupt+A168Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	edi
		mov	[ebp+var_C], esi
		mov	byte ptr [ebp+var_1], 0
		cmp	dword ptr [esi], 1
		jnz	loc_9691E4
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_969102
		cmp	eax, 3
		jnz	loc_9691E4

loc_969102:				; CODE XREF: IopAllocatePassiveInterruptBlock(x,x)+25j
		mov	edi, [esi+0Ch]
		mov	ecx, edi
		call	_IopFindPassiveInterruptBlock@4	; IopFindPassiveInterruptBlock(x)
		test	eax, eax
		jz	short loc_969117
		xor	eax, eax
		jmp	loc_9691E9
; 

loc_969117:				; CODE XREF: IopAllocatePassiveInterruptBlock(x,x)+3Cj
		push	6269704Bh
		push	74h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_969138
		mov	eax, 0C000009Ah
		jmp	loc_9691E9
; 

loc_969138:				; CODE XREF: IopAllocatePassiveInterruptBlock(x,x)+5Aj
		push	6Ch		; size_t
		lea	eax, [ebx+8]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	[ebx+4], ebx
		add	esp, 0Ch
		mov	[ebx], ebx
		mov	eax, [esi+8]
		mov	[ebx+0Ch], edi
		lea	edi, [ebx+1Ch]
		mov	[ebx+8], eax
		mov	eax, [esi+18h]
		mov	esi, [ebp+var_8]
		mov	[ebx+18h], eax
		mov	eax, [ebp+var_C]
		movsd
		movsd
		movsd
		mov	ecx, [eax+8]
		test	ecx, ecx
		jnz	short loc_969182
		mov	eax, [eax+38h]
		push	eax
		push	ecx
		mov	[ebx+10h], eax
		call	off_6B1308	; xHalpIsInterruptTypeSecondary(x,x)
		mov	[ebx+14h], al
		jmp	short loc_96918B
; 

loc_969182:				; CODE XREF: IopAllocatePassiveInterruptBlock(x,x)+9Bj
		cmp	ecx, 3
		jnz	short loc_96918B
		mov	byte ptr [ebx+14h], 0

loc_96918B:				; CODE XREF: IopAllocatePassiveInterruptBlock(x,x)+AEj
					; IopAllocatePassiveInterruptBlock(x,x)+B3j
		push	1
		push	1
		lea	eax, [ebx+60h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		push	offset _IopPassiveInterruptDpc@16 ; IopPassiveInterruptDpc(x,x,x,x)
		lea	eax, [ebx+40h]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		xor	eax, eax
		lea	edx, [ebp+var_1]
		mov	[ebx+28h], eax
		mov	ecx, ebx
		mov	dword ptr [ebx+38h], offset _IopPassiveInterruptWorker@4 ; IopPassiveInterruptWorker(x)
		mov	[ebx+3Ch], ebx
		mov	[ebx+30h], eax
		mov	byte ptr [ebx+41h], 2
		call	_IopInsertPassiveInterruptBlock@8 ; IopInsertPassiveInterruptBlock(x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		js	short loc_9691D4
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_9691E9

loc_9691D4:				; CODE XREF: IopAllocatePassiveInterruptBlock(x,x)+FAj
		push	6269704Bh
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_C]
		jmp	short loc_9691E9
; 

loc_9691E4:				; CODE XREF: IopAllocatePassiveInterruptBlock(x,x)+1Aj
					; IopAllocatePassiveInterruptBlock(x,x)+2Aj
		mov	eax, 0C00000EFh

loc_9691E9:				; CODE XREF: IopAllocatePassiveInterruptBlock(x,x)+40j
					; IopAllocatePassiveInterruptBlock(x,x)+61j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopAllocatePassiveInterruptBlock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpLastGoodDeleteFilesCallback(x, x,	x, x)
_PpLastGoodDeleteFilesCallback@16 proc near
					; DATA XREF: IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+136o

var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 28h
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		xor	edi, edi
		mov	[esp+30h+var_20], edi
		mov	[esp+30h+var_1C], edi
		mov	[esp+30h+var_24], edi
		call	_IopFileUtilClearAttributes@8 ;	IopFileUtilClearAttributes(x,x)
		mov	eax, [ebp+arg_8]
		and	al, 10h
		mov	[esp+30h+var_18], 18h
		movzx	eax, al
		neg	eax
		mov	[esp+30h+var_14], edi
		mov	[esp+30h+var_C], 40h
		sbb	eax, eax
		mov	[esp+30h+var_10], esi
		and	eax, 0FFFFFFC1h
		mov	[esp+30h+var_8], edi
		add	eax, 204040h
		mov	[esp+30h+var_4], edi
		push	eax
		push	7
		lea	eax, [esp+38h+var_20]
		push	eax
		lea	eax, [esp+3Ch+var_18]
		push	eax
		push	10080h
		lea	eax, [esp+44h+var_24]
		push	eax
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_96928E
		push	0Dh
		push	1
		lea	eax, [esp+13h]
		mov	[esp+38h+var_25], 1
		push	eax
		lea	eax, [esp+3Ch+var_20]
		push	eax
		push	[esp+40h+var_24]
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		push	[esp+30h+var_24]
		call	_ZwClose@4	; ZwClose(x)
		xor	eax, eax

loc_96928E:				; CODE XREF: PpLastGoodDeleteFilesCallback(x,x,x,x)+77j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
_PpLastGoodDeleteFilesCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipServiceInstanceToDeviceInstance(x, x, x,	x, x, x)
_PipServiceInstanceToDeviceInstance@24 proc near ; CODE	XREF: PnpDriverLoadingFailed+8388Ep

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= word ptr -2Ch
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	eax, edx
		xor	edx, edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], edx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_969308
		push	0Ah
		pop	eax
		push	8
		mov	word ptr [ebp+var_3C+2], ax
		pop	eax
		mov	word ptr [ebp+var_3C], ax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	20019h
		lea	eax, [ebp+var_34]
		mov	[ebp+var_38], offset ??_C@_19DDCEFKEI@?$AAE?$AAn?$AAu?$AAm@NNGAKEGL@ ; "Enum"
		push	eax
		mov	[ebp+var_54], 18h
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], 240h
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], edx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		jmp	short loc_96931A
; 

loc_969308:				; CODE XREF: PipServiceInstanceToDeviceInstance(x,x,x,x,x,x)+2Aj
		push	edx
		lea	ecx, [ebp+var_34]
		push	ecx
		push	edx
		mov	edx, 20019h
		mov	ecx, eax
		call	PipOpenServiceEnumKeys

loc_96931A:				; CODE XREF: PipServiceInstanceToDeviceInstance(x,x,x,x,x,x)+70j
		test	eax, eax
		js	loc_9693BD
		push	dword ptr [ebp+arg_0] ;	char
		lea	eax, [ebp+var_2C]
		push	offset ??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@	; wchar_t *
		push	28h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	ecx, [ebp+var_34]
		lea	eax, [ebp+var_30]
		add	esp, 10h
		lea	edx, [ebp+var_2C]
		push	eax
		push	64h
		call	IopGetRegistryValue
		push	[ebp+var_34]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_9693BB
		mov	edi, [ebp+var_30]
		cmp	dword ptr [edi+4], 1
		jnz	short loc_969399
		mov	edx, [edi+0Ch]
		lea	eax, [ebp+var_30]
		and	[ebp+var_30], 0
		push	ecx
		mov	ecx, [edi+8]
		push	eax
		add	ecx, edi
		call	_PnpRegSzToString@16 ; PnpRegSzToString(x,x,x,x)
		mov	ecx, [ebp+var_30]
		mov	word ptr [ebp+var_3C], cx
		mov	ax, [edi+0Ch]
		mov	word ptr [ebp+var_3C+2], ax
		mov	eax, [edi+8]
		add	eax, edi
		mov	[ebp+var_38], eax
		test	cx, cx
		jnz	short loc_96939E
		mov	esi, 0C000003Ah
		jmp	short loc_96939E
; 

loc_969399:				; CODE XREF: PipServiceInstanceToDeviceInstance(x,x,x,x,x,x)+C8j
		mov	esi, 0C0000261h

loc_96939E:				; CODE XREF: PipServiceInstanceToDeviceInstance(x,x,x,x,x,x)+FAj
					; PipServiceInstanceToDeviceInstance(x,x,x,x,x,x)+101j
		test	esi, esi
		js	short loc_9693B3
		test	ebx, ebx
		jz	short loc_9693B3
		push	ecx
		lea	edx, [ebp+var_3C]
		mov	ecx, ebx
		call	_PnpConcatenateUnicodeStrings@12 ; PnpConcatenateUnicodeStrings(x,x,x)
		mov	esi, eax

loc_9693B3:				; CODE XREF: PipServiceInstanceToDeviceInstance(x,x,x,x,x,x)+10Aj
					; PipServiceInstanceToDeviceInstance(x,x,x,x,x,x)+10Ej
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9693BB:				; CODE XREF: PipServiceInstanceToDeviceInstance(x,x,x,x,x,x)+BFj
		mov	eax, esi

loc_9693BD:				; CODE XREF: PipServiceInstanceToDeviceInstance(x,x,x,x,x,x)+86j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PipServiceInstanceToDeviceInstance@24 endp


;  S U B	R O U T	I N E 


; __stdcall PipValidateRegistryString(x)
_PipValidateRegistryString@4 proc near	; CODE XREF: PipGetDriverKsrGuidRegistryValue(x,x)+2Bp
		xor	edx, edx
		push	ebx
		inc	edx
		xor	ebx, ebx
		push	esi
		cmp	[ecx+4], edx
		jnz	short loc_9693F1
		mov	esi, [ecx+0Ch]
		cmp	esi, 2
		jb	short loc_9693F1
		mov	eax, [ecx+8]
		shr	esi, 1
		lea	eax, [eax+esi*2]
		cmp	[eax+ecx-2], bx
		jz	short loc_9693F3

loc_9693F1:				; CODE XREF: PipValidateRegistryString(x)+Aj
					; PipValidateRegistryString(x)+12j
		mov	dl, bl

loc_9693F3:				; CODE XREF: PipValidateRegistryString(x)+21j
		pop	esi
		mov	al, dl
		pop	ebx
		retn
_PipValidateRegistryString@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpSetRegistryRequirementsList(x, x, x)
_PnpSetRegistryRequirementsList@12 proc	near ; CODE XREF: IoReportDetectedDevice+893A4p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		push	offset ??_C@_1CE@CAEIBNIA@?$AAB?$AAa?$AAs?$AAi?$AAc?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAV?$AAe?$AAc?$AAt@NNGAKEGL@	; "B"
		push	eax
		mov	esi, ecx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_96942B
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	short loc_96943C
; 

loc_96942B:				; CODE XREF: PnpSetRegistryRequirementsList(x,x,x)+25j
		push	dword ptr [eax]
		push	eax
		push	0Ah
		push	0
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_96943C:				; CODE XREF: PnpSetRegistryRequirementsList(x,x,x)+31j
		pop	esi
		leave
		retn	4
_PnpSetRegistryRequirementsList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpSetRegistryResourceList(x, x, x)
_PnpSetRegistryResourceList@12 proc near ; CODE	XREF: IoReportDetectedDevice+89384p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	edi
		push	offset ??_C@_1BG@MNAOJKEG@?$AAB?$AAo?$AAo?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@ ; "B"
		push	eax
		mov	edi, ecx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		cmp	[ebp+arg_0], 0
		jnz	short loc_969473
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	short loc_96948D
; 

loc_969473:				; CODE XREF: PnpSetRegistryResourceList(x,x,x)+24j
		mov	ecx, [ebp+arg_0]
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		push	eax
		push	[ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	8
		push	0
		push	eax
		push	edi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_96948D:				; CODE XREF: PnpSetRegistryResourceList(x,x,x)+30j
		pop	edi
		leave
		retn	4
_PnpSetRegistryResourceList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpSystemHiveLimitCallback(x, x)
_PpSystemHiveLimitCallback@8 proc near	; DATA XREF: CmRegisterSystemHiveLimitCallback+4Bo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		cmp	ecx, [eax+4]
		jb	short loc_9694AB
		mov	_PnpSystemHiveTooLarge,	1
		jmp	short loc_9694D0
; 

loc_9694AB:				; CODE XREF: PpSystemHiveLimitCallback(x,x)+Ej
		push	ebx
		xor	ebx, ebx
		mov	_PnpSystemHiveTooLarge,	bl
		call	_PpResetProblemDevices@8 ; PpResetProblemDevices(x,x)
		mov	ecx, _IopRootDeviceNode
		push	ebx
		push	ebx
		push	ebx
		mov	ecx, [ecx+10h]
		push	ebx
		push	ebx
		push	0Eh
		pop	edx
		call	PnpRequestDeviceAction
		pop	ebx

loc_9694D0:				; CODE XREF: PpSystemHiveLimitCallback(x,x)+17j
		pop	ebp
		retn	8
_PpSystemHiveLimitCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpCheckDriverDependencies(x, x, x)
_PnpCheckDriverDependencies@12 proc near
					; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+1B6p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		lea	eax, [ebp+var_14]
		mov	edi, ecx
		xor	ecx, ecx
		push	eax
		push	4
		mov	[ebp+var_24], ecx
		mov	[ebp+var_1], cl
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebx], cl
		mov	ecx, _PiPnpRtlCtx
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_969698
		jmp	loc_9695B8
; 

loc_969520:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+E9j
		push	offset ??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@ ; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_96959D
		cmp	[ebp+var_1], 0
		jnz	short loc_96959D
		cmp	[ebp+var_C], 0
		jnz	short loc_969580
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jnz	short loc_96954A
		mov	ecx, eax
		jmp	short loc_96954D
; 

loc_96954A:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+70j
		mov	ecx, [eax+74h]

loc_96954D:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+74j
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_C]
		push	eax
		push	20019h
		xor	eax, eax
		push	eax
		push	offset ??_C@_1DE@IBBBPFGH@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr@NNGAKEGL@
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_969595
		cmp	esi, 0C000017Ch
		jz	short loc_969595
		test	esi, esi
		js	loc_969698

loc_969580:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+67j
		cmp	[ebp+var_8], 0
		jz	short loc_9695C8
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		xor	edx, edx
		mov	[ebp+var_8], edx
		jmp	short loc_9695CA
; 

loc_969595:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+9Aj
					; PnpCheckDriverDependencies(x,x,x)+A2j
		mov	[ebp+var_1], 1

loc_969599:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+11Cj
					; PnpCheckDriverDependencies(x,x,x)+124j ...
		xor	eax, eax
		mov	esi, eax

loc_96959D:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+5Bj
					; PnpCheckDriverDependencies(x,x,x)+61j ...
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_9695A2:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+D8j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_24]
		jnz	short loc_9695A2
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2

loc_9695B8:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+47j
		xor	eax, eax
		cmp	[edi], ax
		jnz	loc_969520
		jmp	loc_96968C
; 

loc_9695C8:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+B0j
		xor	edx, edx

loc_9695CA:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+BFj
		mov	eax, _PiPnpRtlCtx
		mov	ecx, edx
		test	eax, eax
		jz	short loc_9695D8
		mov	ecx, [eax+74h]

loc_9695D8:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+FFj
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		push	edx
		mov	edx, [ebp+var_C]
		push	edi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_969599
		cmp	esi, 0C000017Ch
		jz	short loc_969599
		test	esi, esi
		js	loc_969698
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], 4
		push	eax
		lea	eax, [ebp+var_1C]
		mov	edx, offset ??_C@_1M@OHGOPPGD@?$AAP?$AAh?$AAa?$AAs?$AAe@NNGAKEGL@
		push	eax
		call	_RegRtlQueryValue
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_9696C3
		cmp	esi, 0C000017Ch
		jz	loc_969599
		test	esi, esi
		js	short loc_969698
		cmp	[ebp+var_18], 2
		jnz	short loc_96968A
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_10], 4
		push	eax
		lea	eax, [ebp+var_1C]
		mov	edx, offset ??_C@_1CE@IHKFLCFN@?$AAL?$AAa?$AAs?$AAt?$AAA?$AAt?$AAt?$AAe?$AAm?$AAp?$AAt?$AAS?$AAt?$AAa?$AAt@NNGAKEGL@
		push	eax
		call	_RegRtlQueryValue
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_9696BD
		cmp	esi, 0C000017Ch
		jz	loc_969599
		test	esi, esi
		js	short loc_969698
		cmp	[ebp+var_20], 0
		jz	loc_96959D

loc_96968A:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+170j
		xor	eax, eax

loc_96968C:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+EFj
					; PnpCheckDriverDependencies(x,x,x)+1EDj
		test	esi, esi
		js	short loc_969698

loc_969690:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+1F3j
		cmp	[edi], ax
		jnz	short loc_969698
		mov	byte ptr [ebx],	1

loc_969698:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+41j
					; PnpCheckDriverDependencies(x,x,x)+A6j ...
		cmp	[ebp+var_C], 0
		jz	short loc_9696A6
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_9696A6:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+1C8j
		cmp	[ebp+var_8], 0
		jz	short loc_9696B4
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_9696B4:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+1D6j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_9696BD:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+19Aj
		xor	eax, eax
		mov	esi, eax
		jmp	short loc_96968C
; 

loc_9696C3:				; CODE XREF: PnpCheckDriverDependencies(x,x,x)+156j
		xor	eax, eax
		mov	esi, eax
		jmp	short loc_969690
_PnpCheckDriverDependencies@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpCleanupDeviceRegistryValues(x)
_PnpCleanupDeviceRegistryValues@4 proc near
					; CODE XREF: PiBuildDeviceNodeInstancePath+6E345p
					; IoReportDetectedDevice+8929Cp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _PnpDeviceReferenceTableLock
		mov	ecx, edi
		mov	[ebp+var_4], esi
		call	ExAcquireFastMutex
		lea	eax, [ebp+var_8]
		push	eax
		push	offset _PnpDeviceReferenceTable
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		push	0
		xor	dl, dl
		mov	ecx, esi
		call	PiDeviceRegistration
		pop	edi
		pop	esi
		leave
		retn
_PnpCleanupDeviceRegistryValues@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpConvertDevpropcompkeyArrayToString(x, x,	x, x, x)
_PnpConvertDevpropcompkeyArrayToString@20 proc near ; CODE XREF: PiDqIrpQueryCreate+1189EEp
					; PiDqIrpQueryCreate+118A2Ap

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, edi
		push	2
		pop	esi
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_14], ebx
		mov	[ebp+arg_4], esi
		cmp	edi, esi
		jb	short loc_96973D
		xor	ecx, ecx
		mov	[eax], cx
		mov	ecx, [ebp+var_8]

loc_96973D:				; CODE XREF: PnpConvertDevpropcompkeyArrayToString(x,x,x,x,x)+28j
		and	[ebp+var_C], 0
		test	edx, edx
		jz	short loc_9697AA

loc_969745:				; CODE XREF: PnpConvertDevpropcompkeyArrayToString(x,x,x,x,x)+9Aj
		lea	edx, [ebp+var_4]
		push	edx		; int
		push	edi		; size_t
		mov	edx, eax
		call	_ConvertDevpropcompkeyToString@16 ; ConvertDevpropcompkeyToString(x,x,x,x)
		test	eax, eax
		jns	short loc_96975C
		cmp	eax, 0C0000023h
		jnz	short loc_9697BE

loc_96975C:				; CODE XREF: PnpConvertDevpropcompkeyArrayToString(x,x,x,x,x)+48j
		mov	ebx, [ebp+var_4]
		lea	eax, [ebp+arg_4]
		add	ebx, 0FFFFFFFEh
		mov	ecx, esi
		push	eax
		mov	edx, ebx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_9697BE
		cmp	edi, ebx
		jb	short loc_96978C
		push	2
		pop	eax
		sub	eax, [ebp+var_4]
		add	edi, eax
		mov	eax, [ebp+arg_0]
		shr	ebx, 1
		lea	eax, [eax+ebx*2]
		mov	[ebp+arg_0], eax
		jmp	short loc_96978F
; 

loc_96978C:				; CODE XREF: PnpConvertDevpropcompkeyArrayToString(x,x,x,x,x)+6Aj
		mov	eax, [ebp+arg_0]

loc_96978F:				; CODE XREF: PnpConvertDevpropcompkeyArrayToString(x,x,x,x,x)+7Fj
		mov	ebx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		inc	ebx
		mov	esi, [ebp+arg_4]
		add	ecx, 1Ch
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ecx
		cmp	ebx, [ebp+var_10]
		jb	short loc_969745
		mov	ebx, [ebp+var_14]

loc_9697AA:				; CODE XREF: PnpConvertDevpropcompkeyArrayToString(x,x,x,x,x)+38j
		mov	ecx, [ebp+arg_8]
		xor	eax, eax
		test	ecx, ecx
		jz	short loc_9697B5
		mov	[ecx], esi

loc_9697B5:				; CODE XREF: PnpConvertDevpropcompkeyArrayToString(x,x,x,x,x)+A6j
		cmp	esi, ebx
		jbe	short loc_9697BE
		mov	eax, 0C0000023h

loc_9697BE:				; CODE XREF: PnpConvertDevpropcompkeyArrayToString(x,x,x,x,x)+4Fj
					; PnpConvertDevpropcompkeyArrayToString(x,x,x,x,x)+66j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PnpConvertDevpropcompkeyArrayToString@20 endp


;  S U B	R O U T	I N E 


; __stdcall PnpDisableDevice(x,	x)
_PnpDisableDevice@8 proc near		; CODE XREF: PiProcessNewDeviceNode+6EA48p
					; PnpIsDeviceInstanceEnabled+6CA5Cp
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	eax, [esi+0ACh]
		cmp	eax, 301h
		jl	short loc_969820
		cmp	eax, 302h
		jle	short loc_96980B
		cmp	eax, 308h
		jle	short loc_9697F0
		cmp	eax, 30Dh
		jg	short loc_969820

loc_9697F0:				; CODE XREF: PnpDisableDevice(x,x)+22j
		mov	ecx, [esi+10h]
		xor	edx, edx
		call	_PiIrpQueryRemoveDevice@8 ; PiIrpQueryRemoveDevice(x,x)
		test	eax, eax
		jns	short loc_96980B
		mov	ecx, [esi+10h]
		push	3
		pop	edx
		call	_IopRemoveDevice@8 ; IopRemoveDevice(x,x)
		jmp	short loc_969820
; 

loc_96980B:				; CODE XREF: PnpDisableDevice(x,x)+1Bj
					; PnpDisableDevice(x,x)+37j
		mov	ecx, [esi+10h]
		push	2
		pop	edx
		call	_IopRemoveDevice@8 ; IopRemoveDevice(x,x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_IopReleaseDeviceResources@8 ; IopReleaseDeviceResources(x,x)

loc_969820:				; CODE XREF: PnpDisableDevice(x,x)+14j
					; PnpDisableDevice(x,x)+29j ...
		test	dword ptr [esi+10Ch], 6000h
		jz	short loc_969833
		mov	ecx, esi
		call	PipClearDevNodeProblem

loc_969833:				; CODE XREF: PnpDisableDevice(x,x)+65j
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		pop	edi
		pop	esi
		pop	ecx
		retn
_PnpDisableDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpGetCallerSessionId(x)
_PnpGetCallerSessionId@4 proc near	; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+265p

var_10		= dword	ptr -10h
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		mov	esi, ecx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_10]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_96987D
		mov	eax, [ebp+var_8]

loc_96987D:				; CODE XREF: PnpGetCallerSessionId(x)+36j
		push	esi
		push	eax
		call	_SeQuerySessionIdToken@8 ; SeQuerySessionIdToken(x,x)
		mov	esi, eax
		lea	eax, [ebp+var_10]
		push	eax
		call	SeReleaseSubjectContext
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_PnpGetCallerSessionId@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpGetStableSystemBootTime(x)
_PnpGetStableSystemBootTime@4 proc near	; CODE XREF: PipCallDriverAddDevice+A18E0p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	30h		; size_t
		lea	eax, [ebp+var_38]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, esi
		call	_PipHardwareConfigGetLastUseTime@8 ; PipHardwareConfigGetLastUseTime(x,x)
		mov	edx, eax
		test	edx, edx
		jns	short loc_9698ED
		push	0
		push	30h
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_9698ED
		mov	ecx, [ebp+var_38]
		sub	ecx, [ebp+var_18]
		mov	eax, [ebp+var_34]
		sbb	eax, [ebp+var_14]
		mov	[esi], ecx
		mov	[esi+4], eax

loc_9698ED:				; CODE XREF: PnpGetStableSystemBootTime(x)+30j
					; PnpGetStableSystemBootTime(x)+45j
		mov	ecx, [ebp+var_4]
		mov	eax, edx
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PnpGetStableSystemBootTime@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpIsValidGuidString(x)
_PnpIsValidGuidString@4	proc near	; CODE XREF: PiPnpRtlCmActionCallback+1158E5p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_1C], 0
		xor	eax, eax
		and	[ebp+var_18], 0
		push	edi
		lea	edi, [ebp+var_14]
		stosd
		push	ecx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_969951
		mov	eax, [ebp+var_1C+2]
		and	eax, 0FFFEh
		cmp	ax, 4Eh
		jnz	short loc_969951
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	short loc_969951
		mov	al, 1
		jmp	short loc_969953
; 

loc_969951:				; CODE XREF: PnpIsValidGuidString(x)+30j
					; PnpIsValidGuidString(x)+3Ej ...
		xor	al, al

loc_969953:				; CODE XREF: PnpIsValidGuidString(x)+53j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PnpIsValidGuidString@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PnpLogEvent(int,void *,size_t)
_PnpLogEvent@20	proc near		; CODE XREF: PnpQueryID+6E216p
					; PnpFixupID+6E173p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	eax, eax
		mov	[ebp+var_4], ecx
		push	edi
		mov	edi, edx
		mov	edx, eax
		test	ecx, ecx
		jz	short loc_96997B
		movzx	edx, word ptr [ecx]
		add	edx, 2

loc_96997B:				; CODE XREF: PnpLogEvent(x,x,x,x,x)+13j
		test	edi, edi
		jz	short loc_969985
		movzx	eax, word ptr [edi]
		add	eax, 2

loc_969985:				; CODE XREF: PnpLogEvent(x,x,x,x,x)+1Dj
		mov	ebx, [ebp+arg_8]
		add	ebx, 29h
		and	ebx, 0FFFFFFFEh
		add	eax, ebx
		add	eax, edx
		cmp	eax, 98h
		ja	loc_969A2B
		push	esi
		mov	cl, al
		call	_IoAllocateGenericErrorLogEntry@4 ; IoAllocateGenericErrorLogEntry(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_969A2A
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		mov	[esi+6], bx
		add	ebx, esi
		mov	[esi+0Ch], ecx
		mov	[esi+14h], ecx
		mov	[esi+2], ax
		test	eax, eax
		jz	short loc_9699D5
		push	eax		; size_t
		push	[ebp+arg_4]	; void *
		lea	eax, [esi+28h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_9699D5:				; CODE XREF: PnpLogEvent(x,x,x,x,x)+63j
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_969A03
		xor	eax, eax
		inc	eax
		mov	[esi+4], ax
		movzx	eax, word ptr [ecx]
		push	eax		; size_t
		push	dword ptr [ecx+4] ; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		movzx	eax, word ptr [eax]
		add	ebx, eax
		xor	eax, eax
		mov	[ebx], ax
		add	ebx, 2

loc_969A03:				; CODE XREF: PnpLogEvent(x,x,x,x,x)+7Aj
		test	edi, edi
		jz	short loc_969A24
		inc	word ptr [esi+4]
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		push	ebx		; void *
		call	_memcpy
		movzx	eax, word ptr [edi]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[eax+ebx], cx

loc_969A24:				; CODE XREF: PnpLogEvent(x,x,x,x,x)+A5j
		push	esi
		call	IoWriteErrorLogEntry

loc_969A2A:				; CODE XREF: PnpLogEvent(x,x,x,x,x)+49j
		pop	esi

loc_969A2B:				; CODE XREF: PnpLogEvent(x,x,x,x,x)+37j
		pop	edi
		pop	ebx
		leave
		retn	0Ch
_PnpLogEvent@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpOpenFirstMatchingSubKey(x, x, x,	x, x, x)
_PnpOpenFirstMatchingSubKey@24 proc near ; CODE	XREF: PiQueryRemovableDeviceOverride+6C88Dp
					; PiDevCfgConfigureDeviceLocation(x,x,x,x)+121p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, ecx
		mov	[ebp+var_4], eax
		mov	ebx, edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		push	edi
		test	esi, esi
		jz	loc_969AD5
		test	ebx, ebx
		jz	short loc_969AD5
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	short loc_969AD5
		mov	[edi], eax
		mov	edx, 0C0000034h
		jmp	short loc_969ACC
; 

loc_969A67:				; CODE XREF: PnpOpenFirstMatchingSubKey(x,x,x,x,x,x)+9Ej
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		mov	[ebp+var_24], 18h
		mov	[ebp+var_1C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_24]
		mov	[edi], ecx
		push	eax
		push	20019h
		push	edi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], 240h
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edx, eax
		test	edx, edx
		jns	short loc_969AD1
		mov	ecx, esi
		xor	eax, eax
		mov	[edi], eax
		lea	eax, [ecx+2]
		mov	[ebp+arg_8], eax

loc_969AB3:				; CODE XREF: PnpOpenFirstMatchingSubKey(x,x,x,x,x,x)+8Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_4]
		jnz	short loc_969AB3
		sub	ecx, [ebp+arg_8]
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		xor	eax, eax

loc_969ACC:				; CODE XREF: PnpOpenFirstMatchingSubKey(x,x,x,x,x,x)+34j
		cmp	[esi], ax
		jnz	short loc_969A67

loc_969AD1:				; CODE XREF: PnpOpenFirstMatchingSubKey(x,x,x,x,x,x)+74j
		mov	eax, edx
		jmp	short loc_969ADA
; 

loc_969AD5:				; CODE XREF: PnpOpenFirstMatchingSubKey(x,x,x,x,x,x)+1Cj
					; PnpOpenFirstMatchingSubKey(x,x,x,x,x,x)+24j ...
		mov	eax, 0C000000Dh

loc_969ADA:				; CODE XREF: PnpOpenFirstMatchingSubKey(x,x,x,x,x,x)+A2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PnpOpenFirstMatchingSubKey@24 endp


;  S U B	R O U T	I N E 


; __stdcall PnpRestartDeviceNode(x)
_PnpRestartDeviceNode@4	proc near	; CODE XREF: PiProcessClearDeviceProblem(x)+DAp
					; PiRestartDevice(x)+5Fp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	4
		mov	esi, ecx
		pop	ecx
		call	PpDevNodeLockTree
		test	byte ptr [esi+10Ch], 10h
		jnz	short loc_969B03
		mov	edi, 0C0000001h
		jmp	loc_969BAA
; 

loc_969B03:				; CODE XREF: PnpRestartDeviceNode(x)+16j
		push	5
		pop	edx
		mov	ecx, esi
		call	PipClearDevNodeUserFlags
		mov	edx, 108000h
		mov	ecx, esi
		call	PipClearDevNodeFlags
		and	dword ptr [esi+1C8h], 0FFFFBC03h
		xor	edi, edi
		cmp	dword ptr [esi+0ACh], 301h
		mov	[esi+0A8h], edi
		mov	[esi+40h], edi
		mov	[esi+44h], edi
		jz	short loc_969B96
		mov	edx, 7C200D00h
		mov	ecx, esi
		call	PipClearDevNodeFlags
		cmp	[esi+1Ch], di
		jz	short loc_969B60
		push	edi
		push	dword ptr [esi+20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[esi+20h], edi
		mov	[esi+1Ch], eax

loc_969B60:				; CODE XREF: PnpRestartDeviceNode(x)+6Cj
		mov	ebx, offset _PiResourceListLock
		mov	ecx, ebx
		call	@KeAcquireGuardedMutex@4 ; KeAcquireGuardedMutex(x)
		mov	eax, [esi+128h]
		test	eax, eax
		jz	short loc_969B8F
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, 200h
		mov	[esi+128h], edi
		mov	ecx, esi
		call	PipClearDevNodeFlags

loc_969B8F:				; CODE XREF: PnpRestartDeviceNode(x)+93j
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_969B96:				; CODE XREF: PnpRestartDeviceNode(x)+5Aj
		or	dword ptr [esi+1A4h], 0FFFFFFFFh
		mov	edx, 301h
		push	ecx
		mov	ecx, esi
		call	PipSetDevNodeState

loc_969BAA:				; CODE XREF: PnpRestartDeviceNode(x)+1Dj
		push	4
		pop	ecx
		call	PpDevNodeUnlockTree
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_PnpRestartDeviceNode@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpUpdateRebootRequiredReason(x, x,	x, x, x)
_PnpUpdateRebootRequiredReason@20 proc near ; CODE XREF: PipProcessStartPhase2+6E37Ap
					; PiDevCfgProcessDevice(x,x,x)+533p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_C]
		push	ebx
		push	eax
		xor	edi, edi
		mov	byte ptr [ebp+var_1], bl
		inc	edi
		mov	[ebp+var_C], ebx
		push	edi
		lea	eax, [ebp+var_1]
		mov	[ebp+var_8], ebx
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_18], ebx
		push	eax
		push	offset _DEVPKEY_Device_IsRebootRequired
		push	ebx
		mov	esi, ecx
		mov	[ebp+var_14], ebx
		mov	ecx, _PiPnpRtlCtx
		mov	edx, esi
		push	ebx
		push	edi
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_969C4B
		cmp	[ebp+var_8], 11h
		jnz	short loc_969C4B
		cmp	[ebp+var_C], edi
		jnz	short loc_969C4B
		cmp	byte ptr [ebp+var_1], 0FFh
		jnz	short loc_969C4B
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_C]
		push	ebx
		push	eax
		push	8
		lea	eax, [ebp+var_18]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	offset _DEVPKEY_Device_RebootRequiredReason
		push	ebx
		push	ebx
		push	edi
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_969C45
		cmp	[ebp+var_8], 9
		jnz	short loc_969C45
		cmp	[ebp+var_C], 8
		jz	short loc_969C4B

loc_969C45:				; CODE XREF: PnpUpdateRebootRequiredReason(x,x,x,x,x)+7Fj
					; PnpUpdateRebootRequiredReason(x,x,x,x,x)+85j
		mov	eax, ebx
		mov	ecx, ebx
		jmp	short loc_969C51
; 

loc_969C4B:				; CODE XREF: PnpUpdateRebootRequiredReason(x,x,x,x,x)+46j
					; PnpUpdateRebootRequiredReason(x,x,x,x,x)+4Cj	...
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_18]

loc_969C51:				; CODE XREF: PnpUpdateRebootRequiredReason(x,x,x,x,x)+91j
		or	eax, [ebp+arg_0]
		mov	edx, esi
		or	ecx, [ebp+arg_4]
		mov	[ebp+var_18], eax
		or	eax, ecx
		mov	[ebp+var_14], ecx
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		jz	short loc_969C83
		push	8
		lea	eax, [ebp+var_18]
		push	eax
		push	9
		push	offset _DEVPKEY_Device_RebootRequiredReason
		push	ebx
		push	ebx
		push	edi
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		jmp	short loc_969C93
; 

loc_969C83:				; CODE XREF: PnpUpdateRebootRequiredReason(x,x,x,x,x)+B0j
		push	ebx
		push	ebx
		push	ebx
		push	offset _DEVPKEY_Device_RebootRequiredReason
		push	ebx
		push	ebx
		push	edi
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_969C93:				; CODE XREF: PnpUpdateRebootRequiredReason(x,x,x,x,x)+C9j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
_PnpUpdateRebootRequiredReason@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopReleaseDeviceResources(x, x)
_IopReleaseDeviceResources@8 proc near	; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+68p
					; PnpRemoveLockedDeviceNode(x,x,x)+228p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		mov	ebx, edx
		mov	[esp+28h+var_8], eax
		mov	[esp+28h+var_4], eax
		cmp	[edi+11Ch], eax
		jnz	short loc_969CCD
		test	byte ptr [edi+10Ch], 80h
		jz	loc_969E25

loc_969CCD:				; CODE XREF: IopReleaseDeviceResources(x,x)+22j
		mov	[esp+28h+var_10], eax
		mov	esi, eax
		mov	[esp+28h+var_18], esi
		mov	byte ptr [esp+28h+var_C], al
		test	ebx, ebx
		jz	short loc_969D12
		test	byte ptr [edi+10Ch], 1
		jnz	short loc_969D12
		mov	ecx, [edi+10h]
		lea	eax, [esp+28h+var_10]
		push	eax
		lea	eax, [esp+2Ch+var_18]
		xor	edx, edx
		push	eax
		call	IopQueryDeviceResources
		test	eax, eax
		jns	short loc_969D0C
		xor	eax, eax
		mov	[esp+28h+var_18], esi
		mov	[esp+28h+var_10], eax
		jmp	short loc_969D12
; 

loc_969D0C:				; CODE XREF: IopReleaseDeviceResources(x,x)+62j
		mov	esi, [esp+28h+var_18]
		xor	eax, eax

loc_969D12:				; CODE XREF: IopReleaseDeviceResources(x,x)+41j
					; IopReleaseDeviceResources(x,x)+4Aj ...
		mov	edx, _PnpDriverObject
		or	ecx, 0FFFFFFFFh
		push	eax
		push	eax
		push	dword ptr [edi+10h]
		call	_IopLegacyResourceAllocation@20	; IopLegacyResourceAllocation(x,x,x,x,x)
		test	eax, eax
		js	loc_969E27
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		xor	ecx, ecx
		call	PnpRequestDeviceAction
		test	ebx, ebx
		jz	loc_969E25
		test	byte ptr [edi+10Ch], 1
		jnz	loc_969E25
		xor	ebx, ebx
		mov	[esp+28h+var_14], ebx
		test	esi, esi
		jz	short loc_969D61
		mov	byte ptr [esp+28h+var_C], 1

loc_969D61:				; CODE XREF: IopReleaseDeviceResources(x,x)+BEj
		mov	edx, [edi+18h]
		lea	eax, [esp+28h+var_14]
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	eax
		push	[esp+30h+var_C]
		push	0F003Fh
		push	ebx
		push	14h
		pop	eax
		push	eax
		call	_CmOpenDeviceRegKey
		test	eax, eax
		js	short loc_969E05
		push	16h
		pop	eax
		mov	word ptr [esp+28h+var_8+2], ax
		push	14h
		pop	eax
		mov	word ptr [esp+28h+var_8], ax
		mov	eax, large fs:124h
		mov	[esp+28h+var_4], offset	??_C@_1BG@MNAOJKEG@?$AAB?$AAo?$AAo?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@NNGAKEGL@	; "B"
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	esi, offset _PnpRegistryDeviceResource
		push	esi
		call	ExAcquireResourceSharedLite
		lea	eax, [esp+28h+var_8]
		cmp	[esp+28h+var_18], ebx
		jz	short loc_969DDB
		push	[esp+28h+var_10]
		push	[esp+2Ch+var_18]
		push	8
		push	ebx
		push	eax
		push	[esp+3Ch+var_14]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		jmp	short loc_969DE5
; 

loc_969DDB:				; CODE XREF: IopReleaseDeviceResources(x,x)+126j
		push	eax
		push	[esp+2Ch+var_14]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_969DE5:				; CODE XREF: IopReleaseDeviceResources(x,x)+13Dj
		mov	ecx, esi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	[esp+28h+var_14]
		call	_ZwClose@4	; ZwClose(x)
		mov	esi, [esp+28h+var_18]

loc_969E05:				; CODE XREF: IopReleaseDeviceResources(x,x)+E9j
		test	esi, esi
		jz	short loc_969E25
		push	40h
		pop	edx
		mov	ecx, edi
		call	PipSetDevNodeFlags
		push	esi
		push	dword ptr [edi+10h]
		mov	[edi+168h], esi
		push	4
		call	_IopAllocateBootResourcesRoutine

loc_969E25:				; CODE XREF: IopReleaseDeviceResources(x,x)+2Bj
					; IopReleaseDeviceResources(x,x)+A3j ...
		xor	eax, eax

loc_969E27:				; CODE XREF: IopReleaseDeviceResources(x,x)+8Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_IopReleaseDeviceResources@8 endp


;  S U B	R O U T	I N E 


; __stdcall IopReleaseResources(x)
_IopReleaseResources@4 proc near	; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+A3p
					; IopLegacyResourceAllocation(x,x,x,x,x)+1B8p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_PnpReleaseResourcesInternal@4 ; PnpReleaseResourcesInternal(x)
		mov	ebx, offset _PiResourceListLock
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	eax, [esi+11Ch]
		xor	edi, edi
		test	eax, eax
		jz	short loc_969E5F
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+11Ch], edi

loc_969E5F:				; CODE XREF: IopReleaseResources(x)+22j
		mov	eax, [esi+120h]
		test	eax, eax
		jz	short loc_969E76
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+120h], edi

loc_969E76:				; CODE XREF: IopReleaseResources(x)+39j
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [esi+10Ch]
		mov	eax, ecx
		and	eax, 10001h
		cmp	eax, 1
		jnz	short loc_969EAC
		test	cl, 40h
		jz	short loc_969ECF
		mov	eax, [esi+168h]
		test	eax, eax
		jz	short loc_969ECF
		mov	edx, [esi+10h]
		push	eax
		push	4
		pop	ecx
		call	IopAllocateBootResourcesInternal
		jmp	short loc_969ECF
; 

loc_969EAC:				; CODE XREF: IopReleaseResources(x)+5Fj
		mov	edx, 0C0h
		mov	ecx, esi
		call	PipClearDevNodeFlags
		mov	eax, [esi+168h]
		test	eax, eax
		jz	short loc_969ECF
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+168h], edi

loc_969ECF:				; CODE XREF: IopReleaseResources(x)+64j
					; IopReleaseResources(x)+6Ej ...
		pop	edi
		pop	esi
		pop	ebx
		retn
_IopReleaseResources@4 endp


;  S U B	R O U T	I N E 


; __stdcall PipIsProblemReadonly(x, x)
_PipIsProblemReadonly@8	proc near	; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+31Dp
					; PnpRemoveLockedDeviceNode(x,x,x)+32Cp ...
		mov	edi, edi
		dec	edx
		cmp	edx, 38h
		ja	short loc_969EF8
		movzx	eax, ds:byte_969F0F[edx]
		jmp	ds:off_969EFF[eax*4]

loc_969EE9:				; DATA XREF: PAGE:00969F03o
		test	dword ptr [ecx+10Ch], 20000h
		jnz	short loc_969EF8

loc_969EF5:				; CODE XREF: PipIsProblemReadonly(x,x)+Fj
					; DATA XREF: PAGE:off_969EFFo
		xor	eax, eax
		retn
; 

loc_969EF8:				; CODE XREF: PipIsProblemReadonly(x,x)+6j
					; PipIsProblemReadonly(x,x)+Fj	...
		xor	eax, eax
		inc	eax
		retn
_PipIsProblemReadonly@8	endp

; 
		db 8Dh,	49h, 0
off_969EFF	dd offset loc_969EF5	; DATA XREF: PipIsProblemReadonly(x,x)+Fr
		dd offset loc_969EE9
		dd offset loc_969EF8
		dd offset loc_969EF8
byte_969F0F	db 0			; DATA XREF: PipIsProblemReadonly(x,x)+8r
		dd 3030103h, 2030303h, 2 dup(3020300h),	30000h,	3020300h
		dd 2000303h, 2000003h, 20202h, 0
		dd 3000002h, 2000202h, 2, 202h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipSetDevNodeProblem(x, x, x)
_PipSetDevNodeProblem@12 proc near	; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+34Ep
					; PiProcessNewDeviceNode+6E632p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		push	edi
		mov	edi, [ebp+arg_0]
		test	dword ptr [esi+10Ch], 2000h
		mov	eax, [esi+118h]
		mov	ebx, [esi+114h]
		mov	[ebp+var_4], eax
		jz	short loc_969F86
		cmp	ebx, edx
		jnz	short loc_969F86
		cmp	eax, edi
		jz	loc_96A028

loc_969F86:				; CODE XREF: PipSetDevNodeProblem(x,x,x)+30j
					; PipSetDevNodeProblem(x,x,x)+34j
		lea	ecx, [ebp+var_8]
		call	PiPnpRtlBeginOperation
		mov	edx, 2000h
		mov	ecx, esi
		call	PipSetDevNodeFlags
		mov	edx, [esi+18h]
		mov	eax, [ebp+var_C]
		mov	[esi+114h], eax
		mov	[esi+118h], edi
		test	edx, edx
		jz	short loc_96A01C
		cmp	eax, ebx
		jz	short loc_969FC1
		push	0Ch
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	edi, [esi+118h]

loc_969FC1:				; CODE XREF: PipSetDevNodeProblem(x,x,x)+6Aj
		cmp	edi, [ebp+var_4]
		jz	short loc_969FD6
		mov	edx, [esi+18h]
		push	0Dh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	edi, [esi+118h]

loc_969FD6:				; CODE XREF: PipSetDevNodeProblem(x,x,x)+7Cj
		push	[ebp+var_4]
		lea	ecx, [esi+14h]
		push	ebx
		push	edi
		push	dword ptr [esi+114h]
		lea	edx, [esi+1Ch]
		push	dword ptr [esi+0ACh]
		call	_PnpTraceSetDevNodeProblem@28 ;	PnpTraceSetDevNodeProblem(x,x,x,x,x,x,x)
		cmp	dword ptr [esi+114h], 16h
		jnz	short loc_96A01C
		xor	edx, edx
		mov	ecx, 8Ah
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jz	short loc_96A01C
		push	ecx
		push	dword ptr [esi+114h]
		mov	edx, ebx
		lea	ecx, [esi+14h]
		call	_PiAuditDeviceEnableDisableAction@16 ; PiAuditDeviceEnableDisableAction(x,x,x,x)

loc_96A01C:				; CODE XREF: PipSetDevNodeProblem(x,x,x)+66j
					; PipSetDevNodeProblem(x,x,x)+B1j ...
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_96A028
		call	PiPnpRtlEndOperation

loc_96A028:				; CODE XREF: PipSetDevNodeProblem(x,x,x)+38j
					; PipSetDevNodeProblem(x,x,x)+D9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PipSetDevNodeProblem@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpGetDeviceInterfacePropertyData(x, x, x, x, x, x,	x, x)
_PnpGetDeviceInterfacePropertyData@32 proc near
					; CODE XREF: IoGetDeviceInterfacePropertyData(x,x,x,x,x,x,x,x)+1Bp

var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	[ebp+var_C4], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_10]
		push	esi
		mov	[ebp+var_C0], eax
		xor	esi, esi
		mov	eax, [ebp+arg_14]
		push	edi
		mov	[ebp+var_C8], eax
		mov	edi, ecx
		mov	eax, 0AAh
		push	eax		; size_t
		lea	eax, [ebp+var_B0]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_BC], esi
		mov	[ebp+var_B8], esi
		mov	[ebp+var_B4], esi
		test	edi, edi
		jz	loc_96A177
		cmp	[edi+4], esi
		jz	loc_96A177
		cmp	[edi], si
		jz	loc_96A177
		cmp	[ebp+arg_0], esi
		jz	short loc_96A0E2
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_BC], offset unk_AA0000
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_BC]
		push	eax
		push	[ebp+arg_0]
		call	_RtlLCIDToCultureName@8	; RtlLCIDToCultureName(x,x)
		test	al, al
		jnz	short loc_96A0E2
		mov	esi, 0C0000001h
		jmp	loc_96A17C
; 

loc_96A0E2:				; CODE XREF: PnpGetDeviceInterfacePropertyData(x,x,x,x,x,x,x,x)+7Ej
					; PnpGetDeviceInterfacePropertyData(x,x,x,x,x,x,x,x)+A7j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpDevicePropertyLock
		call	ExAcquireResourceSharedLite
		push	edi
		xor	edx, edx
		lea	ecx, [ebp+var_B4]
		call	PnpUnicodeStringToWstr
		mov	esi, eax
		test	esi, esi
		js	short loc_96A145
		mov	edx, [ebp+var_B4]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	[ebp+var_C0]
		push	[ebp+arg_8]
		push	[ebp+var_C4]
		push	[ebp+var_C8]
		push	ebx
		push	[ebp+var_B8]
		push	0
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_96A145:				; CODE XREF: PnpGetDeviceInterfacePropertyData(x,x,x,x,x,x,x,x)+DFj
		mov	ecx, [ebp+var_B4]
		mov	edx, edi
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)
		mov	ecx, offset _PnpDevicePropertyLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	esi, 0C0000225h
		jnz	short loc_96A17C
		mov	esi, 0C0000034h
		jmp	short loc_96A17C
; 

loc_96A177:				; CODE XREF: PnpGetDeviceInterfacePropertyData(x,x,x,x,x,x,x,x)+63j
					; PnpGetDeviceInterfacePropertyData(x,x,x,x,x,x,x,x)+6Cj ...
		mov	esi, 0C000000Dh

loc_96A17C:				; CODE XREF: PnpGetDeviceInterfacePropertyData(x,x,x,x,x,x,x,x)+AEj
					; PnpGetDeviceInterfacePropertyData(x,x,x,x,x,x,x,x)+13Fj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_PnpGetDeviceInterfacePropertyData@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PnpGetInterruptInformation(int,void *,int,int)
_PnpGetInterruptInformation@16 proc near ; CODE	XREF: PnpGetDevicePropertyData+125C60p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+0B0h]
		push	esi
		mov	esi, edx
		mov	ecx, [eax+30h]
		test	ecx, ecx
		jnz	short loc_96A1AB
		mov	eax, 0C0000034h
		jmp	short loc_96A1D4
; 

loc_96A1AB:				; CODE XREF: PnpGetInterruptInformation(x,x,x,x)+13j
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_96A1B6
		mov	eax, [ecx]
		mov	[edx], eax

loc_96A1B6:				; CODE XREF: PnpGetInterruptInformation(x,x,x,x)+21j
		mov	eax, [ecx]
		cmp	[ebp+arg_0], eax
		jnb	short loc_96A1C4
		mov	eax, 0C0000023h
		jmp	short loc_96A1D4
; 

loc_96A1C4:				; CODE XREF: PnpGetInterruptInformation(x,x,x,x)+2Cj
		push	eax		; size_t
		lea	eax, [ecx+4]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax

loc_96A1D4:				; CODE XREF: PnpGetInterruptInformation(x,x,x,x)+1Aj
					; PnpGetInterruptInformation(x,x,x,x)+33j
		pop	esi
		pop	ebp
		retn	8
_PnpGetInterruptInformation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipDeviceRemovalCheckDeviceNodeState(x, x, x)
_PipDeviceRemovalCheckDeviceNodeState@12 proc near
					; CODE XREF: PnpRequestDeviceRemovalWorker(x,x,x,x,x)+31p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, 30Eh
		mov	al, 1
		mov	esi, [edi+0ACh]
		sub	esi, ebx
		jz	short loc_96A20E
		sub	esi, 1
		jnz	short loc_96A210
		cmp	[ebp+arg_0], 0
		jz	short loc_96A20E
		call	_PipRestoreDevNodeState@4 ; PipRestoreDevNodeState(x)
		push	ecx
		mov	edx, ebx
		mov	ecx, edi
		call	PipSetDevNodeState

loc_96A20E:				; CODE XREF: PipDeviceRemovalCheckDeviceNodeState(x,x,x)+19j
					; PipDeviceRemovalCheckDeviceNodeState(x,x,x)+24j
		xor	al, al

loc_96A210:				; CODE XREF: PipDeviceRemovalCheckDeviceNodeState(x,x,x)+1Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PipDeviceRemovalCheckDeviceNodeState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipRemoveDevicesInRelationList(x)
_PipRemoveDevicesInRelationList@4 proc near ; CODE XREF: PnpDelayedRemoveWorker(x)+A7p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_96A234
		mov	eax, [eax+0B0h]
		mov	edi, [eax+14h]
		jmp	short loc_96A236
; 

loc_96A234:				; CODE XREF: PipRemoveDevicesInRelationList(x)+10j
		xor	edi, edi

loc_96A236:				; CODE XREF: PipRemoveDevicesInRelationList(x)+1Bj
		test	edi, edi
		jnz	short loc_96A241
		mov	ebx, 0C0000001h
		jmp	short loc_96A29E
; 

loc_96A241:				; CODE XREF: PipRemoveDevicesInRelationList(x)+21j
		test	byte ptr [edi+10Ch], 10h
		mov	[ebp+var_1], 0
		jnz	short loc_96A258
		cmp	dword ptr [edi+8], 0
		jz	short loc_96A258
		mov	[ebp+var_1], 1

loc_96A258:				; CODE XREF: PipRemoveDevicesInRelationList(x)+35j
					; PipRemoveDevicesInRelationList(x)+3Bj
		mov	ecx, [esi+20h]
		call	_IopSortRelationListForRemove@4	; IopSortRelationListForRemove(x)
		mov	edx, [esi+20h]
		mov	ebx, eax
		mov	ecx, [esi+1Ch]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	dword ptr [esi+2Ch]
		push	eax
		push	2
		call	_PnpDeleteLockedDeviceNodes@32 ; PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)
		cmp	[ebp+var_1], 0
		jz	short loc_96A29E
		cmp	dword ptr [edi+0ACh], 30Eh
		jnz	short loc_96A295
		mov	edx, [esi+1Ch]
		mov	ecx, [esi+20h]
		call	_IopRemoveRelationFromList@8 ; IopRemoveRelationFromList(x,x)

loc_96A295:				; CODE XREF: PipRemoveDevicesInRelationList(x)+71j
		mov	edx, [esi+20h]
		push	ecx
		call	_PnpUnlinkDeviceRemovalRelations@12 ; PnpUnlinkDeviceRemovalRelations(x,x,x)

loc_96A29E:				; CODE XREF: PipRemoveDevicesInRelationList(x)+28j
					; PipRemoveDevicesInRelationList(x)+65j
		mov	ecx, [esi+20h]
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_PipRemoveDevicesInRelationList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpBuildRemovalRelationList(x, x, x, x)
_PnpBuildRemovalRelationList@16	proc near ; CODE XREF: PnpProcessQueryRemoveAndEject(x)+12Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+0B0h]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	eax, [eax+14h]
		push	edi
		and	dword ptr [ebx], 0
		mov	edi, edx
		mov	ecx, edi
		mov	[ebp+arg_4], eax
		call	_IopAllocateRelationList@4 ; IopAllocateRelationList(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_96A2E6
		mov	eax, 0C000009Ah
		jmp	short loc_96A30E
; 

loc_96A2E6:				; CODE XREF: PnpBuildRemovalRelationList(x,x,x,x)+28j
		mov	ecx, [ebp+arg_4]
		mov	edx, edi
		push	esi
		push	[ebp+arg_0]
		push	2
		call	_PnpProcessRelation@20 ; PnpProcessRelation(x,x,x,x,x)
		mov	edi, eax
		mov	ecx, esi
		test	edi, edi
		js	short loc_96A307
		mov	[ebx], esi
		call	_IopSortRelationListForRemove@4	; IopSortRelationListForRemove(x)
		jmp	short loc_96A30C
; 

loc_96A307:				; CODE XREF: PnpBuildRemovalRelationList(x,x,x,x)+47j
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)

loc_96A30C:				; CODE XREF: PnpBuildRemovalRelationList(x,x,x,x)+50j
		mov	eax, edi

loc_96A30E:				; CODE XREF: PnpBuildRemovalRelationList(x,x,x,x)+2Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_PnpBuildRemovalRelationList@16	endp


;  S U B	R O U T	I N E 


; __stdcall PnpCancelRemoveLockedDeviceNode(x)
_PnpCancelRemoveLockedDeviceNode@4 proc	near
					; CODE XREF: PnpDeleteLockedDeviceNode(x,x,x,x,x,x)+8Fp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+0ACh], 310h
		jnz	short loc_96A359
		mov	ecx, [esi+10h]
		push	3
		pop	edx
		call	_IopRemoveDevice@8 ; IopRemoveDevice(x,x)
		mov	ecx, esi
		call	_PipRestoreDevNodeState@4 ; PipRestoreDevNodeState(x)
		xor	cl, cl
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	ecx, esi
		call	PipAttemptDependentsStart
		mov	ecx, offset _PiDependencyRelationsLock
		call	ExReleaseResourceLite
		xor	ecx, ecx
		pop	esi
		jmp	PpDevNodeUnlockTree
; 

loc_96A359:				; CODE XREF: PnpCancelRemoveLockedDeviceNode(x)+Fj
		pop	esi
		retn
_PnpCancelRemoveLockedDeviceNode@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpCancelRemoveOnHungDevices(x, x, x, x, x)
_PnpCancelRemoveOnHungDevices@20 proc near
					; CODE XREF: PiProcessQueryAndCancelRemoval(x,x,x,x,x,x,x)+153p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_10], ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		cmp	edi, 4
		jz	short loc_96A384
		test	edi, edi
		jz	short loc_96A384
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_96A384:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+1Ej
					; PnpCancelRemoveOnHungDevices(x,x,x,x,x)+22j
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	1
		push	[ebp+arg_0]
		call	_PnpCompileDeviceInstancePaths@20 ; PnpCompileDeviceInstancePaths(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_96A505
		mov	ecx, edi
		call	_IopAllocateRelationList@4 ; IopAllocateRelationList(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_96A3B7
		mov	esi, 0C0000017h
		jmp	loc_96A505
; 

loc_96A3B7:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+50j
		xor	esi, esi
		mov	[ebp+var_18], 2
		mov	[ebp+var_14], esi
		jmp	short loc_96A3C7
; 

loc_96A3C5:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+B4j
		xor	esi, esi

loc_96A3C7:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+68j
					; PnpCancelRemoveOnHungDevices(x,x,x,x,x)+9Aj ...
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+var_8]
		push	esi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	edx, [ebp+var_18]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	short loc_96A416
		mov	edx, [ebp+var_4]
		test	edx, edx
		jz	short loc_96A3F1
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_96A3F3
; 

loc_96A3F1:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+89j
		mov	eax, esi

loc_96A3F3:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+94j
		test	eax, eax
		jz	short loc_96A3C7
		test	byte ptr [eax+1C8h], 2
		jz	short loc_96A3C7
		push	esi
		push	[ebp+var_8]
		mov	ecx, ebx
		call	_IopAddRelationToList@16 ; IopAddRelationToList(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_96A3C5
		jmp	loc_96A4FE
; 

loc_96A416:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+82j
		mov	byte ptr [ebx+4], 1
		mov	[ebp+var_18], 1
		mov	[ebp+var_14], esi

loc_96A424:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+FBj
					; PnpCancelRemoveOnHungDevices(x,x,x,x,x)+109j
		push	esi
		push	esi
		lea	eax, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_18]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	short loc_96A466
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_96A44A
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_96A44C
; 

loc_96A44A:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+E2j
		mov	ecx, esi

loc_96A44C:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+EDj
		cmp	dword ptr [ecx+0ACh], 310h
		jnz	short loc_96A424
		push	esi
		push	esi
		push	esi
		xor	edx, edx
		push	esi
		inc	edx
		call	_PnpDeleteLockedDeviceNode@24 ;	PnpDeleteLockedDeviceNode(x,x,x,x,x,x)
		jmp	short loc_96A424
; 

loc_96A466:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+DBj
		mov	[ebp+var_18], 1
		mov	[ebp+var_14], esi

loc_96A470:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+148j
					; PnpCancelRemoveOnHungDevices(x,x,x,x,x)+14Fj	...
		push	esi
		push	esi
		lea	eax, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_18]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	short loc_96A4C1
		mov	edx, [ebp+var_4]
		test	edx, edx
		jz	short loc_96A496
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_96A498
; 

loc_96A496:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+12Ej
		mov	eax, esi

loc_96A498:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+139j
		mov	eax, [eax+0ACh]
		cmp	eax, 312h
		jz	short loc_96A470
		cmp	eax, 302h
		jz	short loc_96A470
		cmp	eax, 301h
		jz	short loc_96A470
		push	esi
		push	esi
		mov	ecx, offset _GUID_TARGET_DEVICE_REMOVE_CANCELLED
		call	PnpNotifyTargetDeviceChange
		jmp	short loc_96A470
; 

loc_96A4C1:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+127j
		lea	eax, [ebp+var_C]
		mov	edx, ebx
		push	eax
		push	esi
		push	esi
		mov	ecx, edi
		call	_PnpCompileDeviceInstancePaths@20 ; PnpCompileDeviceInstancePaths(x,x,x,x,x)
		mov	edi, [ebp+var_C]
		mov	esi, eax
		test	esi, esi
		js	short loc_96A4EF
		mov	ecx, [ebp+var_10]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	offset _GUID_TARGET_DEVICE_REMOVE_CANCELLED
		mov	edx, edi
		call	_PnpNotifyUserModeDeviceRemoval@24 ; PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)
		mov	esi, eax

loc_96A4EF:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+17Cj
		test	edi, edi
		jz	short loc_96A4FE
		push	4B706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96A4FE:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+B6j
					; PnpCancelRemoveOnHungDevices(x,x,x,x,x)+196j
		mov	ecx, ebx
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)

loc_96A505:				; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+3Fj
					; PnpCancelRemoveOnHungDevices(x,x,x,x,x)+57j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PnpCancelRemoveOnHungDevices@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpChainDereferenceComplete(x, x)
_PnpChainDereferenceComplete@8 proc near ; CODE	XREF: IopCompleteUnloadOrDelete+D41AAp
					; PnpIsChainDereferenced(x,x,x,x,x)+6Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, edx
		mov	ebx, ecx
		nop
		push	1
		push	offset _IopSurpriseRemoveListLock
		call	ExAcquireResourceExclusiveLite
		mov	esi, _IopPendingSurpriseRemovals
		jmp	short loc_96A585
; 

loc_96A540:				; CODE XREF: PnpChainDereferenceComplete(x,x)+7Dj
		cmp	byte ptr [esi+3Ch], 0
		jnz	short loc_96A583
		push	ecx
		mov	ecx, [esi+20h]
		mov	edx, ebx
		call	_IopSetRelationsTag@12 ; IopSetRelationsTag(x,x,x)
		test	eax, eax
		js	short loc_96A583
		mov	eax, [esi+20h]
		mov	eax, [eax]
		mov	ecx, [eax+8]
		mov	edx, [eax]
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_96A571
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_96A573
; 

loc_96A571:				; CODE XREF: PnpChainDereferenceComplete(x,x)+56j
		xor	eax, eax

loc_96A573:				; CODE XREF: PnpChainDereferenceComplete(x,x)+61j
		cmp	dword ptr [eax+0ACh], 30Eh
		jz	short loc_96A583
		cmp	ecx, edx
		jz	short loc_96A5AA

loc_96A583:				; CODE XREF: PnpChainDereferenceComplete(x,x)+36j
					; PnpChainDereferenceComplete(x,x)+45j	...
		mov	esi, [esi]

loc_96A585:				; CODE XREF: PnpChainDereferenceComplete(x,x)+30j
		cmp	esi, offset _IopPendingSurpriseRemovals
		jnz	short loc_96A540

loc_96A58D:				; CODE XREF: PnpChainDereferenceComplete(x,x)+A7j
		mov	ecx, offset _IopSurpriseRemoveListLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_96A5A3:				; CODE XREF: PnpChainDereferenceComplete(x,x)+E5j
					; PnpChainDereferenceComplete(x,x)+10Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_96A5AA:				; CODE XREF: PnpChainDereferenceComplete(x,x)+73j
		cmp	_PnpDelayedRemovePending, 0
		mov	byte ptr [esi+3Ch], 1
		jnz	short loc_96A58D
		mov	ecx, offset _IopSurpriseRemoveListLock
		mov	_PnpDelayedRemovePending, 1
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	edi, edi
		jz	short loc_96A5F5
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	eax, ds:_PsInitialSystemProcess
		jnz	short loc_96A5F5
		push	0
		call	_PnpDelayedRemoveWorker@4 ; PnpDelayedRemoveWorker(x)
		jmp	short loc_96A5A3
; 

loc_96A5F5:				; CODE XREF: PnpChainDereferenceComplete(x,x)+C8j
					; PnpChainDereferenceComplete(x,x)+DCj
		and	dword_6CC89C, 0
		and	_PnpDelayedRemoveWorkItem, 0
		push	1
		push	offset _PnpDelayedRemoveWorkItem
		mov	dword_6CC898, offset _PnpDelayedRemoveWorker@4 ; PnpDelayedRemoveWorker(x)
		call	ExQueueWorkItem
		jmp	short loc_96A5A3
_PnpChainDereferenceComplete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDelayedRemoveWorker(x)
_PnpDelayedRemoveWorker@4 proc near	; CODE XREF: PnpChainDereferenceComplete(x,x)+E0p
					; DATA XREF: PnpChainDereferenceComplete(x,x)+FCo

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		push	esi
		lea	eax, [esp+0Ch+var_8]
		xor	ecx, ecx
		push	edi
		inc	ecx
		mov	[esp+10h+var_4], eax
		mov	[esp+10h+var_8], eax
		call	PpDevNodeLockTree
		mov	eax, large fs:124h
		mov	esi, offset _IopSurpriseRemoveListLock
		push	1
		push	esi
		mov	_PnpDelayedRemoveWorkerThread, eax
		call	ExAcquireResourceExclusiveLite
		lea	ecx, [esp+10h+var_8]
		call	_PnpDequeuePendingSurpriseRemoval@4 ; PnpDequeuePendingSurpriseRemoval(x)
		mov	ecx, esi
		mov	_PnpDelayedRemovePending, 0
		call	ExReleaseResourceLite
		mov	esi, [ebp+arg_0]

loc_96A66D:				; CODE XREF: PnpDelayedRemoveWorker(x)+AEj
					; PnpDelayedRemoveWorker(x)+B5j ...
		mov	edi, [esp+10h+var_8]
		lea	eax, [esp+10h+var_8]
		cmp	edi, eax
		jz	short loc_96A6EB
		cmp	[edi+4], eax
		jnz	short loc_96A6E6
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_96A6E6
		mov	[esp+10h+var_8], eax
		lea	ecx, [esp+10h+var_8]
		mov	[eax+4], ecx
		test	esi, esi
		jz	short loc_96A6C0
		mov	[esi+8], edi
		mov	eax, [edi+1Ch]
		mov	[esi+4], eax
		mov	eax, [edi+1Ch]
		test	eax, eax
		jz	short loc_96A6AF
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_96A6B1
; 

loc_96A6AF:				; CODE XREF: PnpDelayedRemoveWorker(x)+87j
		xor	eax, eax

loc_96A6B1:				; CODE XREF: PnpDelayedRemoveWorker(x)+92j
		push	3
		mov	edx, esi
		mov	[esi], eax
		pop	ecx
		call	_PnpEnableWatchdog@8 ; PnpEnableWatchdog(x,x)
		mov	[esi+0Ch], eax

loc_96A6C0:				; CODE XREF: PnpDelayedRemoveWorker(x)+77j
		mov	ecx, edi
		call	_PipRemoveDevicesInRelationList@4 ; PipRemoveDevicesInRelationList(x)
		test	esi, esi
		jz	short loc_96A66D
		mov	edi, [esi+0Ch]
		test	edi, edi
		jz	short loc_96A66D
		mov	ecx, edi
		call	PnpCancelWatchdog
		mov	ecx, edi
		call	_PnpFreeWatchdog@4 ; PnpFreeWatchdog(x)
		and	dword ptr [esi+0Ch], 0
		jmp	short loc_96A66D
; 

loc_96A6E6:				; CODE XREF: PnpDelayedRemoveWorker(x)+61j
					; PnpDelayedRemoveWorker(x)+68j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_96A6EB:				; CODE XREF: PnpDelayedRemoveWorker(x)+5Cj
		mov	_PnpDelayedRemoveWorkerThread, 0
		test	esi, esi
		jz	short loc_96A704
		push	54706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96A704:				; CODE XREF: PnpDelayedRemoveWorker(x)+DCj
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_PnpDelayedRemoveWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDeleteLockedDeviceNode(x, x, x, x, x, x)
_PnpDeleteLockedDeviceNode@24 proc near	; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+104p
					; PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+E8p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		sub	edx, edi
		jz	loc_96A7AA
		sub	edx, 1
		jz	short loc_96A779
		sub	edx, 1
		jz	short loc_96A75B
		sub	edx, 1
		jnz	loc_96A7CB
		mov	ecx, [esi+10h]
		call	_PoFxActivateDevice@4 ;	PoFxActivateDevice(x)
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		or	dword ptr [esi+1C8h], 8
		call	_PnpSurpriseRemoveLockedDeviceNode@12 ;	PnpSurpriseRemoveLockedDeviceNode(x,x,x)
		jmp	short loc_96A7CB
; 

loc_96A75B:				; CODE XREF: PnpDeleteLockedDeviceNode(x,x,x,x,x,x)+1Ej
		mov	ecx, [esi+10h]
		call	_PoFxActivateDevice@4 ;	PoFxActivateDevice(x)
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		or	dword ptr [esi+1C8h], 10h
		call	_PnpRemoveLockedDeviceNode@12 ;	PnpRemoveLockedDeviceNode(x,x,x)
		jmp	short loc_96A7CB
; 

loc_96A779:				; CODE XREF: PnpDeleteLockedDeviceNode(x,x,x,x,x,x)+19j
		test	byte ptr [esi+1C8h], 4
		jnz	short loc_96A792
		push	edi
		push	4
		push	esi
		push	0Dh
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_96A792:				; CODE XREF: PnpDeleteLockedDeviceNode(x,x,x,x,x,x)+6Cj
		mov	ecx, [esi+10h]
		call	PoFxIdleDevice
		and	dword ptr [esi+1C8h], 0FFFFFFFBh
		mov	ecx, esi
		call	_PnpCancelRemoveLockedDeviceNode@4 ; PnpCancelRemoveLockedDeviceNode(x)
		jmp	short loc_96A7CB
; 

loc_96A7AA:				; CODE XREF: PnpDeleteLockedDeviceNode(x,x,x,x,x,x)+10j
		mov	ecx, [esi+10h]
		call	_PoFxActivateDevice@4 ;	PoFxActivateDevice(x)
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	[ebp+arg_8]
		or	dword ptr [esi+1C8h], 4
		call	_PnpQueryRemoveLockedDeviceNode@16 ; PnpQueryRemoveLockedDeviceNode(x,x,x,x)
		mov	edi, eax

loc_96A7CB:				; CODE XREF: PnpDeleteLockedDeviceNode(x,x,x,x,x,x)+23j
					; PnpDeleteLockedDeviceNode(x,x,x,x,x,x)+45j ...
		mov	eax, edi
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
_PnpDeleteLockedDeviceNode@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpDeleteLockedDeviceNodes(x, x, x,	x, x, x, x, x)
_PnpDeleteLockedDeviceNodes@32 proc near ; CODE	XREF: PipRemoveDevicesInRelationList(x)+5Cp
					; PnpProcessQueryRemoveAndEject(x)+312p ...

var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		mov	ebx, edx
		mov	[esp+28h+var_C], ecx
		xor	eax, eax
		push	esi
		push	edi
		mov	esi, eax
		mov	[esp+30h+var_20], eax
		mov	[esp+30h+var_14], eax
		cmp	[ebx+4], al
		jnz	short loc_96A804
		mov	esi, 0C0000001h
		jmp	loc_96A9AC
; 

loc_96A804:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+23j
		mov	[esp+30h+var_8], 1
		mov	[esp+30h+var_4], eax
		push	eax
		jmp	loc_96A8FA
; 

loc_96A816:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+13Cj
		cmp	[esp+34h+var_18], 0
		jnz	short loc_96A827
		cmp	[ebp+arg_4], 0
		jz	loc_96A8F8

loc_96A827:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+46j
		mov	eax, [esp+34h+var_24]
		mov	[esp+34h+var_14], eax
		test	eax, eax
		jz	short loc_96A842
		mov	eax, [eax+0B0h]
		mov	edi, [eax+14h]
		mov	eax, [esp+34h+var_14]
		jmp	short loc_96A844
; 

loc_96A842:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+5Cj
		xor	edi, edi

loc_96A844:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+6Bj
		mov	ecx, [ebp+arg_8]
		cmp	ecx, 36h
		jnz	short loc_96A852
		mov	[esp+34h+var_1C], ecx
		jmp	short loc_96A85C
; 

loc_96A852:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+75j
		cmp	eax, [esp+34h+var_10]
		jnz	short loc_96A865
		mov	[esp+34h+var_1C], ecx

loc_96A85C:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+7Bj
		mov	eax, [ebp+arg_C]
		mov	[esp+34h+var_20], eax
		jmp	short loc_96A886
; 

loc_96A865:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+81j
		cmp	[esp+34h+var_18], 1
		jnz	short loc_96A87C
		cmp	[ebp+arg_0], 1
		jz	short loc_96A87C
		mov	[esp+34h+var_1C], 33h
		jmp	short loc_96A881
; 

loc_96A87C:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+95j
					; PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+9Bj
		and	[esp+34h+var_1C], 0

loc_96A881:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+A5j
		and	[esp+34h+var_20], 0

loc_96A886:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+8Ej
		cmp	[ebp+arg_0], 3
		jz	short loc_96A892
		cmp	[ebp+arg_0], 2
		jnz	short loc_96A8AA

loc_96A892:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+B5j
		xor	dl, dl
		mov	ecx, edi
		call	PiUpdateGuestAssignedState
		cmp	[ebp+arg_0], 2
		jnz	short loc_96A8AA
		test	byte ptr [edi+1C8h], 2
		jnz	short loc_96A8F8

loc_96A8AA:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+BBj
					; PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+CAj
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	[ebp+arg_10]
		push	[esp+3Ch+var_20]
		push	[esp+40h+var_1C]
		call	_PnpDeleteLockedDeviceNode@24 ;	PnpDeleteLockedDeviceNode(x,x,x,x,x,x)
		cmp	[ebp+arg_0], 0
		mov	esi, eax
		jnz	short loc_96A8F4
		cmp	[ebp+arg_8], 36h
		jnz	short loc_96A8F4
		cmp	esi, 0C0000507h
		jnz	short loc_96A8F4
		mov	esi, [edi+8]
		mov	ecx, ebx
		mov	edx, [esi+10h]
		call	_IopIsRelationInList@8 ; IopIsRelationInList(x,x)
		test	al, al
		jz	short loc_96A8F0
		or	dword ptr [esi+1C8h], 2

loc_96A8F0:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+112j
		xor	esi, esi
		jmp	short loc_96A8F8
; 

loc_96A8F4:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+F3j
					; PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+F9j ...
		test	esi, esi
		js	short loc_96A91C

loc_96A8F8:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+4Cj
					; PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+D3j ...
		push	0

loc_96A8FA:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+3Cj
		lea	eax, [esp+38h+var_18]
		mov	ecx, ebx
		push	eax
		lea	eax, [esp+3Ch+var_24]
		push	eax
		lea	edx, [esp+40h+var_C]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jnz	loc_96A816
		jmp	loc_96A9AC
; 

loc_96A91C:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+121j
		test	byte ptr [edi+1C8h], 4
		jnz	short loc_96A936
		push	0
		push	4
		push	edi
		push	0Dh
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_96A936:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+14Ej
		mov	ecx, [edi+10h]
		call	PoFxIdleDevice
		and	dword ptr [edi+1C8h], 0FFFFFFFBh
		lea	edx, [esp+48h+var_20]
		mov	ecx, ebx
		call	_IopReverseEnumerationOrder@8 ;	IopReverseEnumerationOrder(x,x)
		xor	edi, edi
		lea	eax, [esp+48h+var_38]
		push	edi
		push	edi
		push	eax
		mov	ecx, ebx
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	short loc_96A9A7
		mov	esi, [esp+48h+var_28]

loc_96A968:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+1D0j
		mov	eax, [esp+48h+var_38]
		cmp	esi, eax
		jz	short loc_96A991
		test	eax, eax
		jz	short loc_96A97F
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_96A981
; 

loc_96A97F:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+19Dj
		mov	ecx, edi

loc_96A981:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+1A8j
		push	[ebp+arg_14]
		xor	edx, edx
		push	[ebp+arg_10]
		inc	edx
		push	edi
		push	edi
		call	_PnpDeleteLockedDeviceNode@24 ;	PnpDeleteLockedDeviceNode(x,x,x,x,x,x)

loc_96A991:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+199j
		push	edi
		push	edi
		lea	eax, [esp+50h+var_38]
		mov	ecx, ebx
		push	eax
		lea	edx, [esp+54h+var_20]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jnz	short loc_96A968

loc_96A9A7:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+18Dj
		mov	esi, 80000028h

loc_96A9AC:				; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+2Aj
					; PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+142j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_PnpDeleteLockedDeviceNodes@32 endp


;  S U B	R O U T	I N E 


; __stdcall PnpDequeuePendingSurpriseRemoval(x)
_PnpDequeuePendingSurpriseRemoval@4 proc near ;	CODE XREF: PnpDelayedRemoveWorker(x)+3Cp
		mov	edx, _IopPendingSurpriseRemovals
		push	ebx
		mov	ebx, offset _IopPendingSurpriseRemovals
		push	edi
		mov	edi, ecx
		cmp	edx, ebx
		jz	short loc_96AA0E
		push	esi

loc_96A9CB:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+54j
		cmp	byte ptr [edx+3Ch], 0
		mov	esi, [edx]
		jz	short loc_96AA07
		mov	eax, [edx+20h]
		mov	ecx, [eax]
		mov	eax, [ecx+8]
		cmp	eax, [ecx]
		jz	short loc_96A9E5
		mov	byte ptr [edx+3Ch], 0
		jmp	short loc_96AA07
; 

loc_96A9E5:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+26j
		cmp	[esi+4], edx
		jnz	short loc_96AA11
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	short loc_96AA11
		mov	[eax], esi
		mov	[esi+4], eax
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_96AA11
		mov	[edx], edi
		mov	[edx+4], eax
		mov	[eax], edx
		mov	[edi+4], edx

loc_96AA07:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+1Aj
					; PnpDequeuePendingSurpriseRemoval(x)+2Cj
		mov	edx, esi
		cmp	esi, ebx
		jnz	short loc_96A9CB
		pop	esi

loc_96AA0E:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+11j
		pop	edi
		pop	ebx
		retn
; 

loc_96AA11:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+31j
					; PnpDequeuePendingSurpriseRemoval(x)+38j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PnpInvalidateRelationsInList(x, x, x, x)
_PnpInvalidateRelationsInList@16:	; CODE XREF: PnpProcessCompletedEject(x)+95p
					; PnpProcessQueryRemoveAndEject(x)+5A7p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	eax, edx
		xor	esi, esi
		push	edi
		mov	edi, ecx
		mov	[ebp-14h], eax
		mov	ecx, eax
		mov	[ebp-10h], edi
		mov	[ebp-4], esi
		mov	[ebp-0Ch], esi
		mov	[ebp-8], esi
		call	_IopAllocateRelationList@4 ; IopAllocateRelationList(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_96AA4D
		mov	eax, 0C000009Ah
		jmp	loc_96AB56
; 

loc_96AA4D:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+8Aj
		mov	ecx, edi
		call	_IopSetAllRelationsTags@8 ; IopSetAllRelationsTags(x,x)
		mov	[ebp-1Ch], esi
		mov	[ebp-18h], esi

loc_96AA5A:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+CBj
					; PnpDequeuePendingSurpriseRemoval(x)+D1j ...
		lea	eax, [ebp-0Ch]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp-8]
		push	eax
		lea	eax, [ebp-4]
		push	eax
		lea	edx, [ebp-1Ch]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	loc_96AB1F
		cmp	byte ptr [ebp+8], 0
		jz	short loc_96AA84
		cmp	dword ptr [ebp-8], 0
		jnz	short loc_96AA5A

loc_96AA84:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+C5j
		cmp	dword ptr [ebp-0Ch], 0
		jnz	short loc_96AA5A
		mov	esi, [ebp-4]

loc_96AA8D:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+14Aj
		push	ecx
		mov	edx, esi
		mov	ecx, edi
		call	_IopSetRelationsTag@12 ; IopSetRelationsTag(x,x,x)
		test	eax, eax
		jnz	short loc_96AB05
		cmp	byte ptr [ebp+0Ch], 0
		mov	eax, [esi+0B0h]
		mov	edi, [eax+14h]
		jz	short loc_96AAF4
		mov	edx, 80000h
		mov	ecx, edi
		call	PipClearDevNodeFlags
		mov	eax, [edi+10Ch]
		test	al, 10h
		jz	short loc_96AAF4
		test	eax, 2000h
		jz	short loc_96AADC
		cmp	dword ptr [edi+114h], 2Fh
		jnz	short loc_96AADC
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	1
		push	3
		jmp	short loc_96AAEC
; 

loc_96AADC:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+10Ej
					; PnpDequeuePendingSurpriseRemoval(x)+117j
		cmp	dword ptr [ebp-14h], 4
		jnz	short loc_96AAF4
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	1
		push	0Ch

loc_96AAEC:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+123j
		pop	edx
		mov	ecx, esi
		call	PnpRequestDeviceAction

loc_96AAF4:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+F1j
					; PnpDequeuePendingSurpriseRemoval(x)+107j ...
		mov	esi, [edi+8]
		mov	edi, [ebp-10h]
		test	esi, esi
		jz	short loc_96AB03
		mov	esi, [esi+10h]
		jmp	short loc_96AA8D
; 

loc_96AB03:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+145j
		xor	esi, esi

loc_96AB05:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+E2j
		test	esi, esi
		jz	loc_96AA5A
		push	0
		push	2
		mov	edx, esi
		mov	ecx, ebx
		call	_IopAddRelationToList@16 ; IopAddRelationToList(x,x,x,x)
		jmp	loc_96AA5A
; 

loc_96AB1F:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+BBj
		xor	esi, esi
		mov	[ebp-1Ch], esi
		mov	[ebp-18h], esi

loc_96AB27:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+194j
		push	esi
		push	esi
		lea	eax, [ebp-4]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp-1Ch]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	short loc_96AB4D
		mov	ecx, [ebp-4]
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	9
		pop	edx
		call	PnpRequestDeviceAction
		jmp	short loc_96AB27
; 

loc_96AB4D:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+182j
		mov	ecx, ebx
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)
		xor	eax, eax

loc_96AB56:				; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+91j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PnpDequeuePendingSurpriseRemoval@4 endp ; sp =	 4


;  S U B	R O U T	I N E 


; __stdcall PnpIsBeingRemovedSafely(x, x)
_PnpIsBeingRemovedSafely@8 proc	near	; CODE XREF: PnpBuildUnsafeRemovalDeviceList(x,x,x)+54p
					; PnpBuildUnsafeRemovalDeviceList(x,x,x)+D4p
		sub	edx, 1
		jz	short loc_96AB67
		sub	edx, 1
		jnz	short loc_96ABAC

loc_96AB67:				; CODE XREF: PnpIsBeingRemovedSafely(x,x)+3j
		test	dword ptr [ecx+170h], 200h
		jnz	short loc_96ABAC
		mov	eax, [ecx+0ACh]
		cmp	eax, 30Eh
		jz	short loc_96AB87
		cmp	eax, 30Fh
		jnz	short loc_96AB8D

loc_96AB87:				; CODE XREF: PnpIsBeingRemovedSafely(x,x)+21j
		mov	eax, [ecx+0B0h]

loc_96AB8D:				; CODE XREF: PnpIsBeingRemovedSafely(x,x)+28j
		cmp	eax, 308h
		jz	short loc_96ABA9
		cmp	eax, 30Ah
		jz	short loc_96ABA9
		cmp	eax, 307h
		jz	short loc_96ABA9
		cmp	eax, 30Bh
		jnz	short loc_96ABAC

loc_96ABA9:				; CODE XREF: PnpIsBeingRemovedSafely(x,x)+35j
					; PnpIsBeingRemovedSafely(x,x)+3Cj ...
		xor	al, al
		retn
; 

loc_96ABAC:				; CODE XREF: PnpIsBeingRemovedSafely(x,x)+8j
					; PnpIsBeingRemovedSafely(x,x)+14j ...
		mov	al, 1
		retn
_PnpIsBeingRemovedSafely@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpProcessBusRelations(x, x, x, x, x)
_PnpProcessBusRelations@20 proc	near	; CODE XREF: PnpProcessRelation(x,x,x,x,x)+D1p
					; PnpProcessRelation(x,x,x,x,x)+6FDp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ecx+4]
		push	edi
		mov	edi, edx
		jmp	short loc_96ABD5
; 

loc_96ABBD:				; CODE XREF: PnpProcessBusRelations(x,x,x,x,x)+28j
		push	[ebp+arg_8]
		mov	edx, edi
		mov	ecx, esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PnpProcessRelation@20 ; PnpProcessRelation(x,x,x,x,x)
		test	eax, eax
		js	short loc_96ABDB
		mov	esi, [esi]

loc_96ABD5:				; CODE XREF: PnpProcessBusRelations(x,x,x,x,x)+Cj
		test	esi, esi
		jnz	short loc_96ABBD
		xor	eax, eax

loc_96ABDB:				; CODE XREF: PnpProcessBusRelations(x,x,x,x,x)+22j
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_PnpProcessBusRelations@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpProcessCompletedEject(x)
_PnpProcessCompletedEject@4 proc near	; CODE XREF: PnpProcessQueryRemoveAndEject(x)+608p
					; DATA XREF: IopDeviceEjectComplete(x,x,x)+1Ao	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		mov	edx, [esi+34h]
		cmp	edx, 1
		jz	short loc_96AC0B
		test	edx, edx
		jz	short loc_96AC0B
		mov	ecx, [esi+1Ch]
		mov	[esi+31h], bl
		call	_IopWarmEjectDevice@8 ;	IopWarmEjectDevice(x,x)
		mov	ebx, eax

loc_96AC0B:				; CODE XREF: PnpProcessCompletedEject(x)+17j
					; PnpProcessCompletedEject(x)+1Bj
		mov	ecx, [esi+38h]
		test	ecx, ecx
		jz	short loc_96AC23
		push	1
		push	dword ptr [ecx+4]
		call	dword ptr [ecx+10h]
		mov	eax, [esi+38h]
		push	dword ptr [eax+4]
		call	dword ptr [eax+0Ch]

loc_96AC23:				; CODE XREF: PnpProcessCompletedEject(x)+2Fj
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeLockTree
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_96ACEA
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_96ACEA
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_96AC58
		mov	eax, [eax+0B0h]
		mov	edi, [eax+14h]
		jmp	short loc_96AC5A
; 

loc_96AC58:				; CODE XREF: PnpProcessCompletedEject(x)+6Aj
		xor	edi, edi

loc_96AC5A:				; CODE XREF: PnpProcessCompletedEject(x)+75j
		mov	ecx, [esi+20h]
		test	ecx, ecx
		jz	short loc_96AC96
		cmp	byte ptr [esi+30h], 0
		jz	short loc_96AC6F
		call	_PpProfileMarkAllTransitioningDocksEjected@0 ; PpProfileMarkAllTransitioningDocksEjected()
		mov	ecx, [esi+20h]

loc_96AC6F:				; CODE XREF: PnpProcessCompletedEject(x)+84j
		push	1
		push	0
		push	4
		pop	edx
		call	_PnpInvalidateRelationsInList@16 ; PnpInvalidateRelationsInList(x,x,x,x)
		mov	ecx, [esi+20h]
		xor	dl, dl
		call	_PnpTrackQueryRemoveDevices@8 ;	PnpTrackQueryRemoveDevices(x,x)
		mov	ecx, [esi+20h]
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)
		and	dword ptr [edi+1C4h], 0
		jmp	short loc_96AC9A
; 

loc_96AC96:				; CODE XREF: PnpProcessCompletedEject(x)+7Ej
		mov	byte ptr [esi+31h], 0

loc_96AC9A:				; CODE XREF: PnpProcessCompletedEject(x)+B3j
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree
		mov	edi, [esi+18h]
		test	edi, edi
		jz	short loc_96ACC2
		mov	ecx, [edi+44h]
		test	ecx, ecx
		jz	short loc_96ACB9
		call	_PnpDisableWatchdog@4 ;	PnpDisableWatchdog(x)
		and	dword ptr [edi+44h], 0

loc_96ACB9:				; CODE XREF: PnpProcessCompletedEject(x)+CDj
		mov	edx, ebx
		mov	ecx, edi
		call	PnpCompleteDeviceEvent

loc_96ACC2:				; CODE XREF: PnpProcessCompletedEject(x)+C6j
		cmp	byte ptr [esi+31h], 0
		jz	short loc_96ACD1
		push	ecx
		mov	ecx, [esi+1Ch]
		call	_PnpSetDeviceRemovalSafe@12 ; PnpSetDeviceRemovalSafe(x,x,x)

loc_96ACD1:				; CODE XREF: PnpProcessCompletedEject(x)+E5j
		mov	ecx, [esi+1Ch]
		call	ObfDereferenceObject
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_96ACEA:				; CODE XREF: PnpProcessCompletedEject(x)+4Fj
					; PnpProcessCompletedEject(x)+5Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PnpProcessCompletedEject@4 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpProcessDependencyRelations(x, x,	x, x, x)
_PnpProcessDependencyRelations@20 proc near ; CODE XREF: PnpProcessRelation(x,x,x,x,x)+265p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ecx+10h]
		xor	cl, cl
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edi
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	ecx, esi
		call	_PiGetDependentList@4 ;	PiGetDependentList(x)
		mov	ebx, eax
		mov	esi, [ebx]
		jmp	short loc_96AD81
; 

loc_96AD19:				; CODE XREF: PnpProcessDependencyRelations(x,x,x,x,x)+94j
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_4]
		call	_PiEnumerateDependentListEntry@12 ; PiEnumerateDependentListEntry(x,x,x)
		mov	eax, [ebp+var_4]
		mov	esi, [esi]
		test	eax, eax
		jz	short loc_96AD81
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]
		mov	eax, [ecx+0ACh]
		cmp	eax, 30Eh
		jl	short loc_96AD61
		cmp	eax, 30Fh
		jg	short loc_96AD61
		mov	eax, [ecx+0B0h]
		cmp	eax, 312h
		jz	short loc_96AD7D
		cmp	eax, 314h
		jmp	short loc_96AD68
; 

loc_96AD61:				; CODE XREF: PnpProcessDependencyRelations(x,x,x,x,x)+55j
					; PnpProcessDependencyRelations(x,x,x,x,x)+5Cj
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		test	al, al

loc_96AD68:				; CODE XREF: PnpProcessDependencyRelations(x,x,x,x,x)+70j
		jz	short loc_96AD7D
		push	[ebp+arg_8]
		mov	edx, [ebp+var_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PnpProcessRelation@20 ; PnpProcessRelation(x,x,x,x,x)
		mov	edi, eax

loc_96AD7D:				; CODE XREF: PnpProcessDependencyRelations(x,x,x,x,x)+69j
					; PnpProcessDependencyRelations(x,x,x,x,x):loc_96AD68j
		test	edi, edi
		js	short loc_96AD85

loc_96AD81:				; CODE XREF: PnpProcessDependencyRelations(x,x,x,x,x)+28j
					; PnpProcessDependencyRelations(x,x,x,x,x)+3Fj
		cmp	esi, ebx
		jnz	short loc_96AD19

loc_96AD85:				; CODE XREF: PnpProcessDependencyRelations(x,x,x,x,x)+90j
		mov	ecx, offset _PiDependencyRelationsLock
		call	ExReleaseResourceLite
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PnpProcessDependencyRelations@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpProcessRelation(x, x, x,	x, x)
_PnpProcessRelation@20 proc near	; CODE XREF: PnpBuildRemovalRelationList(x,x,x,x)+3Cp
					; PnpProcessBusRelations(x,x,x,x,x)+1Bp ...

var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	ebx, edx
		xor	esi, esi
		mov	[esp+1Ch+var_8], ebx
		mov	[esp+1Ch+var_10], esi
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	short loc_96ADD7
		cmp	ebx, 4
		jz	short loc_96ADD7
		cmp	dword ptr [edi+0ACh], 314h
		jnz	short loc_96AE36
		xor	eax, eax
		jmp	loc_96B6B0
; 

loc_96ADD7:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+1Ej
					; PnpProcessRelation(x,x,x,x,x)+23j
		mov	eax, [edi+0ACh]
		cmp	eax, 314h
		jz	loc_96B695
		cmp	eax, 30Fh
		jz	loc_96B695
		cmp	eax, 30Eh
		jz	loc_96B695
		cmp	[edi+1A0h], esi
		jg	loc_96B68A
		cmp	eax, 311h
		jz	loc_96B68A
		cmp	eax, 313h
		jz	loc_96B68A
		cmp	eax, 30Ah
		jz	loc_96B683
		cmp	eax, 30Bh
		jz	loc_96B683

loc_96AE36:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+2Fj
		mov	edx, [edi+10h]
		mov	ecx, [ebp+arg_8]
		push	esi
		push	[ebp+arg_0]
		call	_IopAddRelationToList@16 ; IopAddRelationToList(x,x,x,x)
		mov	ecx, eax
		mov	[esp+20h+var_4], ecx
		test	ecx, ecx
		jnz	loc_96B487
		test	dword ptr [edi+10Ch], 80000h
		jnz	loc_96B20D
		push	[ebp+arg_8]
		mov	edx, ebx
		mov	ecx, edi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PnpProcessBusRelations@20 ; PnpProcessBusRelations(x,x,x,x,x)
		test	eax, eax
		js	loc_96B6B0
		mov	eax, [edi+0ACh]
		cmp	eax, 30Fh
		jz	short loc_96AE91
		cmp	eax, 30Eh
		jnz	short loc_96AE97

loc_96AE91:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+E9j
		mov	eax, [edi+0B0h]

loc_96AE97:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+F0j
		cmp	eax, 308h
		jz	short loc_96AEB7
		cmp	eax, 30Ah
		jz	short loc_96AEB7
		cmp	eax, 307h
		jz	short loc_96AEB7
		cmp	eax, 30Bh
		jnz	loc_96AF49

loc_96AEB7:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+FDj
					; PnpProcessRelation(x,x,x,x,x)+104j ...
		mov	ecx, [edi+10h]
		lea	eax, [esp+20h+var_10]
		push	eax
		push	esi
		push	3
		pop	edx
		call	_PnpQueryDeviceRelations@16 ; PnpQueryDeviceRelations(x,x,x,x)
		test	eax, eax
		js	short loc_96AF49
		mov	eax, [esp+20h+var_10]
		test	eax, eax
		jz	short loc_96AF49
		mov	ecx, esi
		mov	[esp+20h+var_4], ecx
		cmp	[eax], esi
		jbe	short loc_96AF42

loc_96AEDE:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+19Dj
		mov	ebx, [eax+ecx*4+4]
		mov	ecx, [ebx+0B0h]
		test	byte ptr [ecx+10h], 2
		jnz	loc_96B029
		mov	ecx, [ecx+14h]
		test	ecx, ecx
		jz	loc_96B029
		cmp	[ecx+8], esi
		jz	loc_96B029
		push	[ebp+arg_8]
		mov	edx, [esp+24h+var_8]
		push	[ebp+arg_4]
		push	esi
		call	_PnpProcessRelation@20 ; PnpProcessRelation(x,x,x,x,x)
		mov	ecx, ebx
		mov	[esp+20h+var_C], eax
		call	ObfDereferenceObject
		mov	ebx, [esp+20h+var_C]
		test	ebx, ebx
		js	loc_96B018
		mov	ecx, [esp+20h+var_4]
		mov	eax, [esp+20h+var_10]
		inc	ecx
		mov	[esp+20h+var_4], ecx
		cmp	ecx, [eax]
		jb	short loc_96AEDE
		mov	ebx, [esp+20h+var_8]

loc_96AF42:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+13Dj
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96AF49:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+112j
					; PnpProcessRelation(x,x,x,x,x)+12Bj ...
		test	ebx, ebx
		jz	loc_96AFF1
		cmp	ebx, 5
		jz	loc_96AFF1
		cmp	ebx, 6
		jz	loc_96AFF1
		mov	ecx, [edi+10h]
		lea	eax, [esp+20h+var_10]
		push	eax
		xor	edx, edx
		push	esi
		inc	edx
		call	_PnpQueryDeviceRelations@16 ; PnpQueryDeviceRelations(x,x,x,x)
		test	eax, eax
		js	short loc_96AFF1
		mov	eax, [esp+20h+var_10]
		test	eax, eax
		jz	short loc_96AFF1
		mov	ecx, esi
		mov	[esp+20h+var_4], ecx
		cmp	[eax], esi
		jbe	short loc_96AFEA

loc_96AF8A:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+245j
		mov	ebx, [eax+ecx*4+4]
		mov	ecx, [ebx+0B0h]
		test	byte ptr [ecx+10h], 2
		jnz	loc_96B11F
		mov	ecx, [ecx+14h]
		test	ecx, ecx
		jz	loc_96B11F
		cmp	[ecx+8], esi
		jz	loc_96B11F
		push	[ebp+arg_8]
		mov	edx, [esp+24h+var_8]
		push	[ebp+arg_4]
		push	esi
		call	_PnpProcessRelation@20 ; PnpProcessRelation(x,x,x,x,x)
		mov	ecx, ebx
		mov	[esp+20h+var_C], eax
		call	ObfDereferenceObject
		mov	ebx, [esp+20h+var_C]
		test	ebx, ebx
		js	short loc_96B018
		mov	ecx, [esp+20h+var_4]
		mov	eax, [esp+20h+var_10]
		inc	ecx
		mov	[esp+20h+var_4], ecx
		cmp	ecx, [eax]
		jb	short loc_96AF8A
		mov	ebx, [esp+20h+var_8]

loc_96AFEA:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+1E9j
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96AFF1:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+1ACj
					; PnpProcessRelation(x,x,x,x,x)+1B5j ...
		push	[ebp+arg_8]
		xor	eax, eax
		mov	edx, ebx
		cmp	[ebp+arg_0], eax
		mov	ecx, edi
		push	[ebp+arg_4]
		setnz	al
		push	eax
		call	_PnpProcessDependencyRelations@20 ; PnpProcessDependencyRelations(x,x,x,x,x)
		test	eax, eax
		js	loc_96B6B0
		mov	ecx, esi
		jmp	loc_96B67F
; 

loc_96B018:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+188j
					; PnpProcessRelation(x,x,x,x,x)+234j
		push	esi
		push	[esp+24h+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, ebx
		jmp	loc_96B6B0
; 

loc_96B029:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+14Dj
					; PnpProcessRelation(x,x,x,x,x)+158j ...
		movzx	edx, word ptr [ebx+2]
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		push	2
		pop	edi
		test	ecx, ecx
		jz	short loc_96B068
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_96B068
		mov	edx, edi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_96B068:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+29Dj
					; PnpProcessRelation(x,x,x,x,x)+2B1j
		mov	eax, [ebx+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_96B10F
		lea	eax, [ecx+14h]
		mov	edx, 1F4h
		mov	[esp+20h+var_4], eax
		call	IoAddTriageDumpDataBlock
		mov	eax, [esp+20h+var_4]
		cmp	[eax], si
		jz	short loc_96B0AB
		mov	edx, edi
		mov	ecx, eax
		call	IoAddTriageDumpDataBlock
		mov	eax, [esp+20h+var_4]
		movzx	edx, word ptr [eax]
		mov	ecx, [eax+4]
		call	IoAddTriageDumpDataBlock

loc_96B0AB:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+2F2j
		mov	edx, [ebx+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_96B0DE
		mov	edx, edi
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebx+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [ebx+0B0h]

loc_96B0DE:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+31Bj
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_96B10F
		lea	ecx, [eax+1Ch]
		cmp	[ecx], si
		jz	short loc_96B10F
		mov	edx, edi
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebx+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_96B10F:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+2D4j
					; PnpProcessRelation(x,x,x,x,x)+347j ...
		push	esi
		push	3

loc_96B112:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+469j
		push	ebx
		push	0Bh

loc_96B115:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+6E3j
					; PnpProcessRelation(x,x,x,x,x)+8D7j
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_96B11F:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+1F9j
					; PnpProcessRelation(x,x,x,x,x)+204j ...
		movzx	edx, word ptr [ebx+2]
		mov	ecx, ebx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		push	2
		pop	edi
		test	ecx, ecx
		jz	short loc_96B15E
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_96B15E
		mov	edx, edi
		call	IoAddTriageDumpDataBlock
		mov	ecx, [ebx+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_96B15E:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+393j
					; PnpProcessRelation(x,x,x,x,x)+3A7j
		mov	eax, [ebx+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_96B205
		lea	eax, [ecx+14h]
		mov	edx, 1F4h
		mov	[esp+34h+var_18], eax
		call	IoAddTriageDumpDataBlock
		mov	eax, [esp+34h+var_18]
		cmp	[eax], si
		jz	short loc_96B1A1
		mov	edx, edi
		mov	ecx, eax
		call	IoAddTriageDumpDataBlock
		mov	eax, [esp+34h+var_18]
		movzx	edx, word ptr [eax]
		mov	ecx, [eax+4]
		call	IoAddTriageDumpDataBlock

loc_96B1A1:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+3E8j
		mov	edx, [ebx+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_96B1D4
		mov	edx, edi
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebx+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [ebx+0B0h]

loc_96B1D4:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+411j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_96B205
		lea	ecx, [eax+1Ch]
		cmp	[ecx], si
		jz	short loc_96B205
		mov	edx, edi
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebx+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_96B205:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+3CAj
					; PnpProcessRelation(x,x,x,x,x)+43Dj ...
		push	esi
		push	1
		jmp	loc_96B112
; 

loc_96B20D:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+BEj
		mov	eax, _IopPendingEjects
		mov	[esp+20h+var_C], eax
		push	2
		pop	ebx
		cmp	eax, offset _IopPendingEjects
		jz	loc_96B2C5

loc_96B224:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+4A7j
		mov	ecx, [eax+20h]
		test	ecx, ecx
		jz	short loc_96B23B
		mov	edx, [edi+10h]
		call	_IopIsRelationInList@8 ; IopIsRelationInList(x,x)
		test	al, al
		jnz	short loc_96B24A
		mov	eax, [esp+20h+var_C]

loc_96B23B:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+48Aj
		mov	eax, [eax]
		mov	[esp+20h+var_C], eax
		cmp	eax, offset _IopPendingEjects
		jnz	short loc_96B224
		jmp	short loc_96B2BA
; 

loc_96B24A:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+496j
		mov	eax, [esp+20h+var_8]
		cmp	eax, 4
		jnz	short loc_96B28F
		mov	edx, [edi+10h]
		mov	ecx, [ebp+arg_8]
		call	_IopRemoveRelationFromList@8 ; IopRemoveRelationFromList(x,x)
		mov	ecx, [esp+20h+var_C]
		mov	[esp+20h+var_4], eax
		call	_IopCancelPendingEject@4 ; IopCancelPendingEject(x)
		mov	eax, [esp+20h+var_C]
		mov	ecx, [ebp+arg_8]
		push	esi
		mov	edx, [eax+20h]
		call	_IopMergeRelationLists@12 ; IopMergeRelationLists(x,x,x)
		cmp	[ebp+arg_0], ebx
		jnz	short loc_96B2B6
		mov	edx, [edi+10h]
		mov	ecx, [ebp+arg_8]
		push	esi
		push	ebx
		call	_IopAddRelationToList@16 ; IopAddRelationToList(x,x,x,x)
		jmp	short loc_96B2B6
; 

loc_96B28F:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+4B2j
		test	eax, eax
		jz	loc_96B6AB
		mov	eax, [esp+20h+var_C]
		mov	edx, [edi+10h]
		mov	ecx, [eax+20h]
		call	_IopRemoveRelationFromList@8 ; IopRemoveRelationFromList(x,x)
		mov	edx, 80000h
		mov	[esp+20h+var_4], eax
		mov	ecx, edi
		call	PipClearDevNodeFlags

loc_96B2B6:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+4DFj
					; PnpProcessRelation(x,x,x,x,x)+4EEj
		mov	eax, [esp+20h+var_C]

loc_96B2BA:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+4A9j
		cmp	eax, offset _IopPendingEjects
		jnz	loc_96B67B

loc_96B2C5:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+47Fj
		mov	ecx, [edi+10h]
		test	ecx, ecx
		jz	loc_96B47D
		movzx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+10h]
		mov	eax, [ecx+8]
		test	eax, eax
		jz	short loc_96B319
		movsx	edx, word ptr [eax+2]
		mov	ecx, eax
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+10h]
		mov	eax, [ecx+8]
		cmp	[eax+1Ch], si
		jz	short loc_96B319
		mov	edx, ebx
		lea	ecx, [eax+1Ch]
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+10h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+10h]

loc_96B319:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+542j
					; PnpProcessRelation(x,x,x,x,x)+559j
		test	ecx, ecx
		jz	short loc_96B328
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_96B32A
; 

loc_96B328:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+57Cj
		mov	eax, esi

loc_96B32A:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+587j
		test	eax, eax
		jz	loc_96B47D
		test	ecx, ecx
		jz	short loc_96B345
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		mov	[esp+20h+var_4], eax
		jmp	short loc_96B349
; 

loc_96B345:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+595j
		mov	[esp+20h+var_4], esi

loc_96B349:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+5A4j
		test	ecx, ecx
		jz	short loc_96B358
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_96B35A
; 

loc_96B358:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+5ACj
		mov	ecx, esi

loc_96B35A:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+5B7j
		mov	edx, 1F4h
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esp+20h+var_4]
		cmp	[ecx+14h], si
		jz	short loc_96B388
		mov	edx, ebx
		lea	ecx, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esp+20h+var_4]
		movzx	edx, word ptr [ecx+14h]
		mov	ecx, [ecx+18h]
		call	IoAddTriageDumpDataBlock

loc_96B388:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+5CDj
		mov	edx, [edi+10h]
		test	edx, edx
		jz	short loc_96B39A
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_96B39C
; 

loc_96B39A:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+5EEj
		mov	eax, esi

loc_96B39C:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+5F9j
		cmp	[eax+1Ch], si
		jz	short loc_96B3F1
		test	edx, edx
		jz	short loc_96B3B1
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_96B3B3
; 

loc_96B3B1:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+605j
		mov	ecx, esi

loc_96B3B3:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+610j
		add	ecx, 1Ch
		mov	edx, ebx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+10h]
		test	ecx, ecx
		jz	short loc_96B3CF
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_96B3D1
; 

loc_96B3CF:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+623j
		mov	edx, esi

loc_96B3D1:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+62Ej
		test	ecx, ecx
		jz	short loc_96B3E0
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_96B3E2
; 

loc_96B3E0:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+634j
		mov	ecx, esi

loc_96B3E2:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+63Fj
		movzx	edx, word ptr [edx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [edi+10h]

loc_96B3F1:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+601j
		test	edx, edx
		jz	short loc_96B400
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_96B402
; 

loc_96B400:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+654j
		mov	eax, esi

loc_96B402:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+65Fj
		mov	ecx, edx
		cmp	[eax+8], esi
		jz	short loc_96B47D
		test	edx, edx
		jz	short loc_96B418
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_96B41A
; 

loc_96B418:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+66Cj
		mov	eax, esi

loc_96B41A:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+677j
		mov	eax, [eax+8]
		mov	ecx, edx
		cmp	[eax+1Ch], si
		jz	short loc_96B47D
		test	edx, edx
		jz	short loc_96B434
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_96B436
; 

loc_96B434:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+688j
		mov	ecx, esi

loc_96B436:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+693j
		mov	ecx, [ecx+8]
		mov	edx, ebx
		add	ecx, 1Ch
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+10h]
		test	ecx, ecx
		jz	short loc_96B455
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_96B457
; 

loc_96B455:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+6A9j
		mov	edx, esi

loc_96B457:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+6B4j
		test	ecx, ecx
		jz	short loc_96B466
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_96B468
; 

loc_96B466:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+6BAj
		mov	ecx, esi

loc_96B468:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+6C5j
		mov	eax, [edx+8]
		mov	ecx, [ecx+8]
		movzx	edx, word ptr [eax+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+10h]

loc_96B47D:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+52Bj
					; PnpProcessRelation(x,x,x,x,x)+58Dj ...
		push	esi
		push	esi
		push	ecx
		push	6
		jmp	loc_96B115
; 

loc_96B487:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+AEj
		cmp	ecx, 0C0000035h
		jnz	short loc_96B4A8
		push	[ebp+arg_8]
		mov	edx, ebx
		mov	ecx, edi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PnpProcessBusRelations@20 ; PnpProcessBusRelations(x,x,x,x,x)
		mov	ecx, eax
		jmp	loc_96B67F
; 

loc_96B4A8:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+6EEj
		cmp	ecx, 0C000009Ah
		jz	loc_96B67F
		mov	ecx, [edi+10h]
		test	ecx, ecx
		jz	loc_96B66B
		movzx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+10h]
		push	2
		pop	ebx
		mov	eax, [ecx+8]
		test	eax, eax
		jz	short loc_96B50B
		movsx	edx, word ptr [eax+2]
		mov	ecx, eax
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+10h]
		mov	eax, [ecx+8]
		cmp	[eax+1Ch], si
		jz	short loc_96B50B
		mov	edx, ebx
		lea	ecx, [eax+1Ch]
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+10h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+10h]

loc_96B50B:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+734j
					; PnpProcessRelation(x,x,x,x,x)+74Bj
		test	ecx, ecx
		jz	short loc_96B51A
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_96B51C
; 

loc_96B51A:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+76Ej
		mov	eax, esi

loc_96B51C:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+779j
		test	eax, eax
		jz	loc_96B66B
		test	ecx, ecx
		jz	short loc_96B537
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		mov	[esp+20h+var_8], eax
		jmp	short loc_96B53B
; 

loc_96B537:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+787j
		mov	[esp+20h+var_8], esi

loc_96B53B:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+796j
		test	ecx, ecx
		jz	short loc_96B54A
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_96B54C
; 

loc_96B54A:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+79Ej
		mov	ecx, esi

loc_96B54C:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+7A9j
		mov	edx, 1F4h
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esp+20h+var_8]
		cmp	[ecx+14h], si
		jz	short loc_96B57A
		mov	edx, ebx
		lea	ecx, [ecx+14h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esp+20h+var_8]
		movzx	edx, word ptr [ecx+14h]
		mov	ecx, [ecx+18h]
		call	IoAddTriageDumpDataBlock

loc_96B57A:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+7BFj
		mov	edx, [edi+10h]
		test	edx, edx
		jz	short loc_96B58C
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_96B58E
; 

loc_96B58C:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+7E0j
		mov	eax, esi

loc_96B58E:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+7EBj
		cmp	[eax+1Ch], si
		jz	short loc_96B5E3
		test	edx, edx
		jz	short loc_96B5A3
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_96B5A5
; 

loc_96B5A3:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+7F7j
		mov	ecx, esi

loc_96B5A5:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+802j
		add	ecx, 1Ch
		mov	edx, ebx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+10h]
		test	ecx, ecx
		jz	short loc_96B5C1
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_96B5C3
; 

loc_96B5C1:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+815j
		mov	edx, esi

loc_96B5C3:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+820j
		test	ecx, ecx
		jz	short loc_96B5D2
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_96B5D4
; 

loc_96B5D2:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+826j
		mov	ecx, esi

loc_96B5D4:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+831j
		movzx	edx, word ptr [edx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [edi+10h]

loc_96B5E3:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+7F3j
		test	edx, edx
		jz	short loc_96B5F2
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_96B5F4
; 

loc_96B5F2:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+846j
		mov	eax, esi

loc_96B5F4:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+851j
		mov	ecx, edx
		cmp	[eax+8], esi
		jz	short loc_96B66B
		test	edx, edx
		jz	short loc_96B60A
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_96B60C
; 

loc_96B60A:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+85Ej
		mov	eax, esi

loc_96B60C:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+869j
		mov	eax, [eax+8]
		mov	ecx, edx
		cmp	[eax+1Ch], si
		jz	short loc_96B66B
		test	edx, edx
		jz	short loc_96B626
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_96B628
; 

loc_96B626:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+87Aj
		mov	ecx, esi

loc_96B628:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+885j
		mov	ecx, [ecx+8]
		mov	edx, ebx
		add	ecx, 1Ch
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+10h]
		test	ecx, ecx
		jz	short loc_96B647
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_96B649
; 

loc_96B647:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+89Bj
		mov	edx, esi

loc_96B649:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+8A6j
		test	ecx, ecx
		jz	short loc_96B656
		mov	eax, [ecx+0B0h]
		mov	esi, [eax+14h]

loc_96B656:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+8ACj
		mov	eax, [edx+8]
		mov	ecx, [esi+8]
		movzx	edx, word ptr [eax+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+10h]

loc_96B66B:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+71Aj
					; PnpProcessRelation(x,x,x,x,x)+77Fj ...
		mov	eax, [esp+20h+var_4]
		push	eax
		push	[ebp+arg_8]
		push	ecx
		push	7
		jmp	loc_96B115
; 

loc_96B67B:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+520j
		mov	ecx, [esp+20h+var_4]

loc_96B67F:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+274j
					; PnpProcessRelation(x,x,x,x,x)+704j ...
		mov	eax, ecx
		jmp	short loc_96B6B0
; 

loc_96B683:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+86j
					; PnpProcessRelation(x,x,x,x,x)+91j
		mov	eax, 0C0000010h
		jmp	short loc_96B6B0
; 

loc_96B68A:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+65j
					; PnpProcessRelation(x,x,x,x,x)+70j ...
		mov	ecx, [ebp+arg_4]
		mov	dword ptr [ecx], 5
		jmp	short loc_96B69E
; 

loc_96B695:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+43j
					; PnpProcessRelation(x,x,x,x,x)+4Ej ...
		mov	ecx, [ebp+arg_4]
		mov	dword ptr [ecx], 0Dh

loc_96B69E:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+8F4j
		lea	eax, [edi+14h]
		push	eax
		lea	eax, [ecx+4]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)

loc_96B6AB:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+4F2j
		mov	eax, 0C0000001h

loc_96B6B0:				; CODE XREF: PnpProcessRelation(x,x,x,x,x)+33j
					; PnpProcessRelation(x,x,x,x,x)+D8j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PnpProcessRelation@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpQueryRemoveLockedDeviceNode(x, x, x, x)
_PnpQueryRemoveLockedDeviceNode@16 proc	near
					; CODE XREF: PnpDeleteLockedDeviceNode(x,x,x,x,x,x)+B0p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	eax, [esi+0ACh]
		add	eax, 0FFFFFCFFh
		cmp	eax, 11h
		ja	loc_96B7A8
		movzx	eax, ds:byte_96B7BD[eax]
		jmp	ds:off_96B7B1[eax*4]

loc_96B6EA:				; DATA XREF: PAGE:0096B7B5o
		mov	edx, 200h
		call	PipSetDevNodeUserFlags
		mov	eax, [esi+10h]
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], 0
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	_PiIrpQueryRemoveDevice@8 ; PiIrpQueryRemoveDevice(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_96B730
		push	ecx
		mov	edx, 310h
		mov	ecx, esi
		call	PipSetDevNodeState
		cmp	ebx, 36h
		jnz	short loc_96B798
		test	byte ptr [esi+1C8h], 2
		jz	short loc_96B798
		mov	edi, 0C0000507h
		jmp	short loc_96B798
; 

loc_96B730:				; CODE XREF: PnpQueryRemoveLockedDeviceNode(x,x,x,x)+53j
		cmp	ebx, 36h
		jnz	short loc_96B753
		cmp	edi, 0C0000507h
		jnz	short loc_96B753
		push	ecx
		mov	edx, 310h
		mov	ecx, esi
		call	PipSetDevNodeState
		or	dword ptr [esi+1C8h], 2
		jmp	short loc_96B798
; 

loc_96B753:				; CODE XREF: PnpQueryRemoveLockedDeviceNode(x,x,x,x)+7Aj
					; PnpQueryRemoveLockedDeviceNode(x,x,x,x)+82j
		mov	ecx, [ebp+var_8]
		push	3
		pop	edx
		call	_IopRemoveDevice@8 ; IopRemoveDevice(x,x)
		mov	eax, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		mov	dword ptr [eax], 6
		lea	eax, [esi+14h]
		push	eax
		push	ebx
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	edx, [ebp+var_4]
		test	edx, edx
		jz	short loc_96B798
		movzx	eax, word ptr [ebx]
		add	edx, 1Ch
		movzx	ecx, word ptr [ebx+2]
		sub	ecx, eax
		movzx	eax, word ptr [edx]
		add	eax, 4
		cmp	ecx, eax
		jl	short loc_96B798
		push	edx
		push	ebx
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)

loc_96B798:				; CODE XREF: PnpQueryRemoveLockedDeviceNode(x,x,x,x)+65j
					; PnpQueryRemoveLockedDeviceNode(x,x,x,x)+6Ej ...
		mov	edx, 200h
		mov	ecx, esi
		call	PipClearDevNodeUserFlags
		mov	eax, edi
		jmp	short loc_96B7AA
; 

loc_96B7A8:				; CODE XREF: PnpQueryRemoveLockedDeviceNode(x,x,x,x)+1Dj
					; PnpQueryRemoveLockedDeviceNode(x,x,x,x)+2Aj
					; DATA XREF: ...
		xor	eax, eax

loc_96B7AA:				; CODE XREF: PnpQueryRemoveLockedDeviceNode(x,x,x,x)+EDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PnpQueryRemoveLockedDeviceNode@16 endp

; 
off_96B7B1	dd offset loc_96B7A8	; DATA XREF: PnpQueryRemoveLockedDeviceNode(x,x,x,x)+2Ar
		dd offset loc_96B6EA
		dd offset loc_96B7A8
byte_96B7BD	db 0			; DATA XREF: PnpQueryRemoveLockedDeviceNode(x,x,x,x)+23r
		dw 100h
		dd 1010201h, 201h, 202h
		db 2, 2	dup(0)

;  S U B	R O U T	I N E 


; __stdcall PnpQueuePendingEject(x)
_PnpQueuePendingEject@4	proc near	; CODE XREF: IopEjectDevice(x,x)+30p
					; IopEjectDevice(x,x)+9Fp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeLockTree
		mov	eax, dword_6CC51C
		mov	ecx, offset _IopPendingEjects
		cmp	[eax], ecx
		jz	short loc_96B7EF
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_96B7EF:				; CODE XREF: PnpQueuePendingEject(x)+19j
		mov	[esi], ecx
		xor	ecx, ecx
		mov	[esi+4], eax
		inc	ecx
		mov	[eax], esi
		mov	dword_6CC51C, esi
		call	PpDevNodeUnlockTree
		mov	al, 1
		pop	esi
		retn
_PnpQueuePendingEject@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpQueuePendingSurpriseRemoval(x, x, x, x)
_PnpQueuePendingSurpriseRemoval@16 proc	near
					; CODE XREF: PiEventRemovalPostSurpriseRemove(x,x,x)+52p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [edx]
		push	ebx
		mov	[ebp+var_4], eax
		mov	ebx, eax
		mov	eax, large fs:124h
		push	esi
		mov	[ebp+var_C], ecx
		xor	ecx, ecx
		push	edi
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[edx], ecx
		nop
		push	1
		push	offset _IopSurpriseRemoveListLock
		call	ExAcquireResourceExclusiveLite
		mov	cl, 1
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	eax, _IopPendingSurpriseRemovals
		jmp	short loc_96B8D0
; 

loc_96B854:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+CDj
		mov	ecx, [ebp+var_C]
		mov	edi, eax
		mov	eax, [eax]
		mov	[ebp+var_10], eax
		mov	eax, [edi+20h]
		cmp	[edi+1Ch], ecx
		jz	short loc_96B8E2
		mov	edx, ebx
		mov	ecx, eax
		call	_IopCheckIfMergeRequired@8 ; IopCheckIfMergeRequired(x,x)
		test	al, al
		jz	short loc_96B8CD
		cmp	ebx, [ebp+var_4]
		jnz	short loc_96B894
		push	3
		pop	ecx
		mov	esi, edi
		call	_IopAllocateRelationList@4 ; IopAllocateRelationList(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_96B8DD
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	0
		call	_IopMergeRelationLists@12 ; IopMergeRelationLists(x,x,x)

loc_96B894:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+6Ej
		mov	edx, [edi+20h]
		mov	ecx, ebx
		push	1
		call	_IopMergeRelationLists@12 ; IopMergeRelationLists(x,x,x)
		mov	ecx, [edi+20h]
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)
		cmp	esi, edi
		jz	short loc_96B8C9
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_96B92A
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_96B92A
		push	0
		mov	[ecx], eax
		push	edi
		mov	[eax+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_96B8CD
; 

loc_96B8C9:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+A2j
		and	dword ptr [esi+20h], 0

loc_96B8CD:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+69j
					; PnpQueuePendingSurpriseRemoval(x,x,x,x)+BFj
		mov	eax, [ebp+var_10]

loc_96B8D0:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+4Aj
		cmp	eax, offset _IopPendingSurpriseRemovals
		jnz	loc_96B854
		jmp	short loc_96B8E6
; 

loc_96B8DD:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+7Ej
		mov	ebx, [ebp+var_4]
		jmp	short loc_96B8E6
; 

loc_96B8E2:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+5Cj
		mov	esi, edi
		mov	ebx, eax

loc_96B8E6:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+D3j
					; PnpQueuePendingSurpriseRemoval(x,x,x,x)+D8j
		mov	ecx, offset _PiDependencyRelationsLock
		call	ExReleaseResourceLite
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		mov	eax, [ebp+var_4]
		cmp	eax, ebx
		jz	short loc_96B907
		mov	ecx, eax
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)
		jmp	short loc_96B940
; 

loc_96B907:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+F4j
		push	54706E50h
		push	44h
		push	3
		mov	edx, 200h
		pop	ecx
		call	_PnpAllocateCriticalMemory@16 ;	PnpAllocateCriticalMemory(x,x,x,x)
		mov	esi, eax
		mov	eax, dword_6CC524
		cmp	dword ptr [eax], offset	_IopPendingSurpriseRemovals
		jz	short loc_96B92F

loc_96B92A:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+A9j
					; PnpQueuePendingSurpriseRemoval(x,x,x,x)+B0j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_96B92F:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+120j
		mov	dword ptr [esi], offset	_IopPendingSurpriseRemovals
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6CC524, esi

loc_96B940:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+FDj
					; PnpQueuePendingSurpriseRemoval(x,x,x,x)+169j	...
		push	0
		push	0
		lea	eax, [ebp+var_8]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_18]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	short loc_96B993
		mov	edx, [ebp+var_8]
		test	edx, edx
		jz	short loc_96B968
		mov	eax, [edx+0B0h]
		mov	edi, [eax+14h]
		jmp	short loc_96B96A
; 

loc_96B968:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+153j
		xor	edi, edi

loc_96B96A:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+15Ej
		test	byte ptr [edi+19Ch], 1
		jz	short loc_96B940
		mov	ecx, ebx
		call	_IopIsDescendantNode@8 ; IopIsDescendantNode(x,x)
		test	al, al
		jz	short loc_96B940
		and	dword ptr [edi+19Ch], 0FFFFFFFEh
		mov	eax, [edi+19Ch]
		dec	dword ptr [eax+1A0h]
		jmp	short loc_96B940
; 

loc_96B993:				; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+14Cj
		mov	eax, [ebp+var_C]
		mov	ecx, offset _IopSurpriseRemoveListLock
		mov	[esi+1Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+2Ch], eax
		mov	eax, [ebp+arg_4]
		mov	byte ptr [esi+30h], 0
		mov	[esi+20h], ebx
		mov	[esi+40h], eax
		mov	byte ptr [esi+3Ch], 0
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PnpQueuePendingSurpriseRemoval@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpRequestDeviceRemoval(x, x, x, x)
_PnpRequestDeviceRemoval@16 proc near	; CODE XREF: PipProcessStartPhase2+6E385p
					; PiProcessQueryDeviceState+A1DC3p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_96BA22
		mov	cl, 1
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		xor	ebx, ebx
		mov	edx, esi
		push	ebx
		push	2
		push	edi
		mov	ecx, esi
		call	_PnpRequestDeviceRemovalWorker@20 ; PnpRequestDeviceRemovalWorker(x,x,x,x,x)
		mov	ecx, offset _PiDependencyRelationsLock
		call	ExReleaseResourceLite
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		push	ebx
		push	ebx
		mov	ecx, [esi+10h]
		xor	edx, edx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+arg_4]
		inc	edx
		push	[ebp+arg_0]
		push	1
		push	ebx
		push	1
		call	_PnpSetTargetDeviceRemove@56 ; PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)

loc_96BA22:				; CODE XREF: PnpRequestDeviceRemoval(x,x,x,x)+Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_PnpRequestDeviceRemoval@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpRequestDeviceRemovalWorker(x, x,	x, x, x)
_PnpRequestDeviceRemovalWorker@20 proc near
					; CODE XREF: PnpRequestDeviceRemoval(x,x,x,x)+22p
					; PnpRequestDeviceRemovalWorker(x,x,x,x,x)+60p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_8], 0
		cmp	[ebp+arg_4], 2
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		jz	short loc_96BA56
		cmp	[ebp+arg_8], 0
		jnz	short loc_96BA56
		mov	ecx, edi
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		jmp	short loc_96BA60
; 

loc_96BA56:				; CODE XREF: PnpRequestDeviceRemovalWorker(x,x,x,x,x)+1Bj
					; PnpRequestDeviceRemovalWorker(x,x,x,x,x)+21j
		push	[ebp+arg_0]
		mov	ecx, edi
		call	_PipDeviceRemovalCheckDeviceNodeState@12 ; PipDeviceRemovalCheckDeviceNodeState(x,x,x)

loc_96BA60:				; CODE XREF: PnpRequestDeviceRemovalWorker(x,x,x,x,x)+2Aj
		test	al, al
		jz	short loc_96BAD7
		xor	edx, edx
		cmp	byte ptr [ebp+arg_0], dl
		push	ecx
		setz	dl
		mov	ecx, edi
		add	edx, 30Eh
		call	PipSetDevNodeState
		mov	esi, [edi+4]
		jmp	short loc_96BA91
; 

loc_96BA7F:				; CODE XREF: PnpRequestDeviceRemovalWorker(x,x,x,x,x)+69j
		push	1
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, ebx
		push	1
		call	_PnpRequestDeviceRemovalWorker@20 ; PnpRequestDeviceRemovalWorker(x,x,x,x,x)
		mov	esi, [esi]

loc_96BA91:				; CODE XREF: PnpRequestDeviceRemovalWorker(x,x,x,x,x)+53j
		test	esi, esi
		jnz	short loc_96BA7F
		mov	ecx, [edi+10h]
		call	_PiGetDependentList@4 ;	PiGetDependentList(x)
		mov	edi, eax
		mov	esi, [edi]
		jmp	short loc_96BAD3
; 

loc_96BAA3:				; CODE XREF: PnpRequestDeviceRemovalWorker(x,x,x,x,x)+ABj
		lea	eax, [esp+18h+var_4]
		mov	ecx, esi
		push	eax
		lea	edx, [esp+1Ch+var_8]
		call	_PiEnumerateDependentListEntry@12 ; PiEnumerateDependentListEntry(x,x,x)
		mov	eax, [esp+18h+var_8]
		mov	esi, [esi]
		test	eax, eax
		jz	short loc_96BAD3
		mov	eax, [eax+0B0h]
		mov	ecx, ebx
		push	0
		push	1
		push	0
		mov	edx, [eax+14h]
		call	_PnpRequestDeviceRemovalWorker@20 ; PnpRequestDeviceRemovalWorker(x,x,x,x,x)

loc_96BAD3:				; CODE XREF: PnpRequestDeviceRemovalWorker(x,x,x,x,x)+77j
					; PnpRequestDeviceRemovalWorker(x,x,x,x,x)+91j
		cmp	esi, edi
		jnz	short loc_96BAA3

loc_96BAD7:				; CODE XREF: PnpRequestDeviceRemovalWorker(x,x,x,x,x)+38j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PnpRequestDeviceRemovalWorker@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpSurpriseRemoveLockedDeviceNode(x, x, x)
_PnpSurpriseRemoveLockedDeviceNode@12 proc near
					; CODE XREF: PnpDeleteLockedDeviceNode(x,x,x,x,x,x)+40p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edx
		mov	esi, 300h
		mov	[ebp+var_8], esi
		mov	ebx, [edi+0ACh]
		mov	eax, [edi+10h]
		mov	[ebp+var_4], eax
		cmp	ebx, 30Eh
		jz	short loc_96BB1C
		cmp	ebx, 30Fh
		jnz	short loc_96BB2C

loc_96BB1C:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+32j
		mov	esi, ebx
		mov	[ebp+var_8], ebx
		call	_PipRestoreDevNodeState@4 ; PipRestoreDevNodeState(x)
		mov	ebx, [edi+0ACh]

loc_96BB2C:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+3Aj
		mov	word ptr [edi+13Eh], 0
		cmp	ebx, 311h
		jnz	short loc_96BB5F
		cmp	esi, 30Eh
		jnz	short loc_96BB5F
		push	10h
		pop	edx
		mov	ecx, edi
		call	PipClearDevNodeFlags
		push	ecx
		lea	edx, [ebx+2]
		mov	ecx, edi
		call	PipSetDevNodeState
		jmp	loc_96BCC3
; 

loc_96BB5F:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+5Bj
					; PnpSurpriseRemoveLockedDeviceNode(x,x,x)+63j
		mov	esi, [edi+4]
		test	esi, esi
		jz	short loc_96BBB3

loc_96BB66:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+D1j
		mov	eax, [esi]
		mov	[ebp+var_C], eax
		mov	eax, [esi+10Ch]
		test	al, 10h
		jz	short loc_96BB7E
		and	eax, 0FFFFFFEFh
		mov	[esi+10Ch], eax

loc_96BB7E:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+93j
		cmp	dword ptr [esi+11Ch], 0
		jnz	short loc_96BB94
		cmp	dword ptr [esi+168h], 0
		jnz	short loc_96BB94
		test	al, 40h
		jz	short loc_96BB9D

loc_96BB94:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+A5j
					; PnpSurpriseRemoveLockedDeviceNode(x,x,x)+AEj
		xor	edx, edx
		mov	ecx, esi
		call	_IopReleaseDeviceResources@8 ; IopReleaseDeviceResources(x,x)

loc_96BB9D:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+B2j
		push	ecx
		mov	edx, 313h
		mov	ecx, esi
		call	PipSetDevNodeState
		mov	eax, [ebp+var_C]
		mov	esi, eax
		test	eax, eax
		jnz	short loc_96BB66

loc_96BBB3:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+84j
		mov	esi, [ebp+var_4]
		cmp	ebx, 30Ah
		jnz	short loc_96BBEB
		test	dword ptr [edi+10Ch], 1000000h
		jz	short loc_96BBEB
		lea	eax, [ebp+var_18]
		xor	edx, edx
		push	eax
		inc	edx
		mov	ecx, esi
		call	_PnpMarkDeviceForRemove@12 ; PnpMarkDeviceForRemove(x,x,x)
		mov	ecx, esi
		call	_PnpUnlockMountableDevice@4 ; PnpUnlockMountableDevice(x)
		mov	edx, 1000000h
		mov	ecx, edi
		call	PipClearDevNodeFlags

loc_96BBEB:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+DCj
					; PnpSurpriseRemoveLockedDeviceNode(x,x,x)+E8j
		mov	eax, [edi+0ACh]
		cmp	eax, 301h
		jl	short loc_96BC1E
		cmp	eax, 302h
		jle	short loc_96BC6E
		cmp	eax, 305h
		jle	short loc_96BC1E
		cmp	eax, 308h
		jle	short loc_96BC1E
		cmp	eax, 30Ah
		jz	short loc_96BC1E
		add	eax, 0FFFFFCEFh
		cmp	eax, 3
		jbe	short loc_96BC6E

loc_96BC1E:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+116j
					; PnpSurpriseRemoveLockedDeviceNode(x,x,x)+124j ...
		push	17h
		pop	edx
		mov	ecx, esi
		call	_IopRemoveDevice@8 ; IopRemoveDevice(x,x)
		lea	ecx, [edi+14h]
		mov	esi, eax
		call	_PnpDisableDeviceInterfaces@4 ;	PnpDisableDeviceInterfaces(x)
		test	esi, esi
		js	short loc_96BC3F
		xor	edx, edx
		mov	ecx, edi
		call	_IopReleaseDeviceResources@8 ; IopReleaseDeviceResources(x,x)

loc_96BC3F:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+154j
		test	byte ptr [edi+10Ch], 10h
		push	ecx
		mov	ecx, edi
		jz	short loc_96BC64
		mov	edx, 311h
		call	PipSetDevNodeState
		mov	edx, 30Eh
		cmp	[ebp+var_8], edx
		jnz	short loc_96BC6E
		push	ecx
		mov	ecx, edi
		jmp	short loc_96BC69
; 

loc_96BC64:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+169j
		mov	edx, 313h

loc_96BC69:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+182j
		call	PipSetDevNodeState

loc_96BC6E:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+11Dj
					; PnpSurpriseRemoveLockedDeviceNode(x,x,x)+13Cj ...
		cmp	ebx, 30Ah
		jnz	short loc_96BC8B
		mov	esi, [ebp+var_14]
		test	esi, esi
		jz	short loc_96BC8B
		mov	ecx, esi
		call	_IopDecrementDeviceObjectHandleCount@4 ; IopDecrementDeviceObjectHandleCount(x)
		mov	ecx, esi
		call	ObfDereferenceObject

loc_96BC8B:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+194j
					; PnpSurpriseRemoveLockedDeviceNode(x,x,x)+19Bj
		mov	ebx, [ebp+var_10]
		test	ebx, ebx
		jz	short loc_96BCAA
		test	dword ptr [edi+10Ch], 6000h
		jnz	short loc_96BCAA
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	ecx, edi
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)

loc_96BCAA:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+1B0j
					; PnpSurpriseRemoveLockedDeviceNode(x,x,x)+1BCj
		and	dword ptr [edi+1C8h], 0FFFFFFFDh
		mov	ecx, edi
		call	_PnpSurpriseRemovedDeviceNodeDependencyCheck@4 ; PnpSurpriseRemovedDeviceNodeDependencyCheck(x)
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	_PiDmaGuardProcessPostRemove@12	; PiDmaGuardProcessPostRemove(x,x,x)

loc_96BCC3:				; CODE XREF: PnpSurpriseRemoveLockedDeviceNode(x,x,x)+7Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PnpSurpriseRemoveLockedDeviceNode@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpUnlinkDeviceRemovalRelations(x, x, x)
_PnpUnlinkDeviceRemovalRelations@12 proc near
					; CODE XREF: PipRemoveDevicesInRelationList(x)+82p
					; PnpProcessQueryRemoveAndEject(x)+43Bp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	esi, edx
		push	4
		pop	ecx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_8], ebx
		call	PpDevNodeLockTree
		test	esi, esi
		jz	loc_96BE1B
		cmp	[esi+4], bl
		jz	loc_96BE1B
		mov	[ebp+var_14], 1
		mov	[ebp+var_10], ebx
		jmp	loc_96BE00
; 

loc_96BD0D:				; CODE XREF: PnpUnlinkDeviceRemovalRelations(x,x,x)+14Bj
		mov	ecx, [ebp+var_4]
		mov	edx, ecx
		mov	eax, [ecx+0B0h]
		mov	ecx, esi
		mov	edi, [eax+14h]
		call	_IopIsDescendantNode@8 ; IopIsDescendantNode(x,x)
		mov	eax, [edi+0ACh]
		cmp	eax, 313h
		jz	short loc_96BD3A
		cmp	eax, 314h
		jnz	loc_96BE00

loc_96BD3A:				; CODE XREF: PnpUnlinkDeviceRemovalRelations(x,x,x)+63j
		mov	eax, [edi+8]
		mov	[ebp+var_C], eax
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		lea	ecx, [edi+14h]
		call	_PnpCleanupDeviceRegistryValues@4 ; PnpCleanupDeviceRegistryValues(x)
		mov	ecx, edi
		call	_PpDevNodeRemoveFromTree@4 ; PpDevNodeRemoveFromTree(x)
		mov	ecx, offset _PnpRegistryDeviceResource
		mov	bl, al
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	bl, bl
		jz	loc_96BDFE
		mov	eax, [ebp+var_C]
		xor	ebx, ebx
		mov	[edi+19Ch], eax
		cmp	[edi+18h], ebx
		jz	short loc_96BDDA
		lea	ecx, [ebp+var_8]
		call	PiPnpRtlBeginOperation
		lea	eax, [ebp+var_20]
		push	eax
		call	KeQuerySystemTime
		mov	edx, [edi+18h]
		lea	eax, [ebp+var_20]
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	8
		push	eax
		push	10h
		push	offset _DEVPKEY_Device_LastRemovalDate ; "&cڃ@S?W;)g"
		push	ebx
		push	ebx
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	edx, [edi+18h]
		push	1
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	ecx, edi
		call	_PnpSetDeviceInstanceRemovalEvent@4 ; PnpSetDeviceInstanceRemovalEvent(x)
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_96BDDA
		call	PiPnpRtlEndOperation
		mov	[ebp+var_8], ebx

loc_96BDDA:				; CODE XREF: PnpUnlinkDeviceRemovalRelations(x,x,x)+BDj
					; PnpUnlinkDeviceRemovalRelations(x,x,x)+106j
		cmp	dword ptr [edi+0ACh], 314h
		jnz	short loc_96BDF4
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_14]
		push	eax
		mov	ecx, esi
		call	_IopRemoveCurrentRelationFromList@12 ; IopRemoveCurrentRelationFromList(x,x,x)

loc_96BDF4:				; CODE XREF: PnpUnlinkDeviceRemovalRelations(x,x,x)+11Aj
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject
		jmp	short loc_96BE00
; 

loc_96BDFE:				; CODE XREF: PnpUnlinkDeviceRemovalRelations(x,x,x)+A9j
		xor	ebx, ebx

loc_96BE00:				; CODE XREF: PnpUnlinkDeviceRemovalRelations(x,x,x)+3Ej
					; PnpUnlinkDeviceRemovalRelations(x,x,x)+6Aj ...
		push	ebx
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	edx, [ebp+var_14]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jnz	loc_96BD0D

loc_96BE1B:				; CODE XREF: PnpUnlinkDeviceRemovalRelations(x,x,x)+25j
					; PnpUnlinkDeviceRemovalRelations(x,x,x)+2Ej
		push	4
		pop	ecx
		call	PpDevNodeUnlockTree
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PnpUnlinkDeviceRemovalRelations@12 endp


;  S U B	R O U T	I N E 


; __stdcall PiConfigureDevice(x)
_PiConfigureDevice@4 proc near		; CODE XREF: .text:005DD801p
		mov	edx, ecx
		push	esi
		mov	eax, [edx+8]
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]
		mov	eax, [ecx+0ACh]
		cmp	eax, 313h
		jz	short loc_96BEBA
		mov	esi, 314h
		cmp	eax, esi
		jz	short loc_96BEBA
		cmp	eax, 300h
		jz	short loc_96BEB3
		cmp	eax, 30Dh
		jle	short loc_96BE6F
		cmp	eax, 311h
		jle	short loc_96BEB3
		cmp	eax, 312h
		jle	short loc_96BE6F
		cmp	eax, esi
		jle	short loc_96BEB3

loc_96BE6F:				; CODE XREF: PiConfigureDevice(x)+31j
					; PiConfigureDevice(x)+3Fj
		mov	eax, [edx+0Ch]
		sub	eax, 15h
		jz	short loc_96BE98
		sub	eax, 1
		jz	short loc_96BE92
		sub	eax, 1
		jz	short loc_96BE8C
		sub	eax, 1
		jnz	short loc_96BEB3
		pop	esi
		jmp	_PpDevCfgProcessDeviceReset@4 ;	PpDevCfgProcessDeviceReset(x)
; 

loc_96BE8C:				; CODE XREF: PiConfigureDevice(x)+55j
		pop	esi
		jmp	_PpDevCfgProcessDeviceExtensions@4 ; PpDevCfgProcessDeviceExtensions(x)
; 

loc_96BE92:				; CODE XREF: PiConfigureDevice(x)+50j
		pop	esi
		jmp	_PpDevCfgProcessDeviceClass@4 ;	PpDevCfgProcessDeviceClass(x)
; 

loc_96BE98:				; CODE XREF: PiConfigureDevice(x)+4Bj
		cmp	ds:_PiDevCfgMode, 0
		jnz	short loc_96BEA8
		mov	eax, 0C00000BBh
		pop	esi
		retn
; 

loc_96BEA8:				; CODE XREF: PiConfigureDevice(x)+75j
		push	0
		xor	edx, edx
		call	_PiDevCfgProcessDevice@12 ; PiDevCfgProcessDevice(x,x,x)
		pop	esi
		retn
; 

loc_96BEB3:				; CODE XREF: PiConfigureDevice(x)+2Aj
					; PiConfigureDevice(x)+38j ...
		mov	eax, 0C0000001h
		pop	esi
		retn
; 

loc_96BEBA:				; CODE XREF: PiConfigureDevice(x)+1Aj
					; PiConfigureDevice(x)+23j
		mov	eax, 0C0000056h
		pop	esi
		retn
_PiConfigureDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiProcessClearDeviceProblem(x)
_PiProcessClearDeviceProblem@4 proc near ; CODE	XREF: .text:005DD745p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+8]
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+0B0h]
		xor	edi, edi
		mov	ebx, 301h
		mov	[ebp+var_4], edi
		mov	esi, [eax+14h]
		mov	eax, [esi+0ACh]
		cmp	eax, ebx
		jz	short loc_96BF14
		cmp	eax, 302h
		jz	short loc_96BF14
		cmp	eax, 312h
		jz	short loc_96BF14
		cmp	eax, 313h
		jz	short loc_96BF0A
		cmp	eax, 314h
		jnz	loc_96BFAC

loc_96BF0A:				; CODE XREF: PiProcessClearDeviceProblem(x)+3Cj
		mov	edi, 0C0000056h
		jmp	loc_96BFAC
; 

loc_96BF14:				; CODE XREF: PiProcessClearDeviceProblem(x)+27j
					; PiProcessClearDeviceProblem(x)+2Ej ...
		mov	eax, [esi+10Ch]
		test	eax, 6000h
		jz	loc_96BFAC
		mov	ecx, [ecx+0Ch]
		cmp	ecx, 1
		jnz	short loc_96BF45
		mov	edx, [esi+114h]
		mov	ecx, esi
		call	_PipIsProblemReadonly@8	; PipIsProblemReadonly(x,x)
		test	eax, eax
		jz	short loc_96BF76
		mov	edi, 0C00000F0h
		jmp	short loc_96BFAC
; 

loc_96BF45:				; CODE XREF: PiProcessClearDeviceProblem(x)+6Aj
		cmp	ecx, 3
		jnz	short loc_96BF61
		test	eax, 2000h
		jz	short loc_96BF5A
		cmp	dword ptr [esi+114h], 2Fh

loc_96BF58:				; CODE XREF: PiProcessClearDeviceProblem(x)+B3j
		jz	short loc_96BF76

loc_96BF5A:				; CODE XREF: PiProcessClearDeviceProblem(x)+8Ej
					; PiProcessClearDeviceProblem(x)+AAj
		mov	edi, 0C0000010h
		jmp	short loc_96BFAC
; 

loc_96BF61:				; CODE XREF: PiProcessClearDeviceProblem(x)+87j
		cmp	ecx, 19h
		jnz	short loc_96BF76
		test	eax, 2000h
		jz	short loc_96BF5A
		cmp	dword ptr [esi+114h], 37h
		jmp	short loc_96BF58
; 

loc_96BF76:				; CODE XREF: PiProcessClearDeviceProblem(x)+7Bj
					; PiProcessClearDeviceProblem(x):loc_96BF58j ...
		lea	ecx, [ebp+var_4]
		call	PiPnpRtlBeginOperation
		mov	edx, 4000h
		mov	ecx, esi
		call	PipClearDevNodeFlags
		mov	ecx, esi
		call	PipClearDevNodeProblem
		cmp	[esi+0ACh], ebx
		jz	short loc_96BFA0
		mov	ecx, esi
		call	_PnpRestartDeviceNode@4	; PnpRestartDeviceNode(x)

loc_96BFA0:				; CODE XREF: PiProcessClearDeviceProblem(x)+D6j
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_96BFAC
		call	PiPnpRtlEndOperation

loc_96BFAC:				; CODE XREF: PiProcessClearDeviceProblem(x)+43j
					; PiProcessClearDeviceProblem(x)+4Ej ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PiProcessClearDeviceProblem@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiProcessHaltDevice(x)
_PiProcessHaltDevice@4 proc near	; CODE XREF: .text:005DD751p
		mov	edx, ecx
		push	ecx
		mov	eax, [edx+8]
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]
		mov	eax, [ecx+0ACh]
		cmp	eax, 313h
		jz	short loc_96C026
		cmp	eax, 314h
		jz	short loc_96C026
		test	dword ptr [edx+14h], 0FFFFFFFEh
		jz	short loc_96BFE6
		mov	eax, 0C00000F0h
		pop	ecx
		retn
; 

loc_96BFE6:				; CODE XREF: PiProcessHaltDevice(x)+2Aj
		mov	edx, [ecx+10Ch]
		test	edx, 1001h
		jnz	short loc_96C01F
		test	dl, 1
		jnz	short loc_96C002
		cmp	dword ptr [ecx+184h], 0
		jnz	short loc_96C01F

loc_96C002:				; CODE XREF: PiProcessHaltDevice(x)+44j
		cmp	eax, 308h
		jz	short loc_96C010
		mov	eax, 0C0000184h
		pop	ecx
		retn
; 

loc_96C010:				; CODE XREF: PiProcessHaltDevice(x)+54j
		push	0
		push	2Ch
		xor	dl, dl
		call	_PnpRequestDeviceRemoval@16 ; PnpRequestDeviceRemoval(x,x,x,x)
		xor	eax, eax
		pop	ecx
		retn
; 

loc_96C01F:				; CODE XREF: PiProcessHaltDevice(x)+3Fj
					; PiProcessHaltDevice(x)+4Dj
		mov	eax, 0C0000010h
		pop	ecx
		retn
; 

loc_96C026:				; CODE XREF: PiProcessHaltDevice(x)+1Aj
					; PiProcessHaltDevice(x)+21j
		mov	eax, 0C0000056h
		pop	ecx
		retn
_PiProcessHaltDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiProcessResourceRequirementsChanged(x)
_PiProcessResourceRequirementsChanged@4	proc near ; CODE XREF: .text:005DD775p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		push	edi
		mov	ecx, [ebx+8]
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		test	ecx, ecx
		jz	short loc_96C054
		mov	eax, [ecx+0B0h]
		mov	edi, [eax+14h]
		jmp	short loc_96C056
; 

loc_96C054:				; CODE XREF: PiProcessResourceRequirementsChanged(x)+1Aj
		mov	edi, esi

loc_96C056:				; CODE XREF: PiProcessResourceRequirementsChanged(x)+25j
		mov	edx, 65706E50h
		call	ObfReferenceObjectWithTag
		mov	eax, [edi+0ACh]
		cmp	eax, 313h
		jz	loc_96C125
		cmp	eax, 314h
		jz	loc_96C125
		mov	ecx, [ebx+8]
		call	_PoFxActivateDevice@4 ;	PoFxActivateDevice(x)
		or	dword ptr [edi+1C8h], 40h
		mov	edx, 100h
		mov	ecx, edi
		call	PipClearDevNodeFlags
		mov	edx, 400h
		mov	ecx, edi
		call	PipSetDevNodeFlags
		mov	ecx, edi
		call	PipClearDevNodeProblem
		cmp	dword ptr [edi+0ACh], 308h
		jnz	short loc_96C11E
		mov	edx, 800h
		mov	ecx, edi
		cmp	[ebx+14h], esi
		jnz	short loc_96C0C9
		call	PipSetDevNodeFlags
		jmp	short loc_96C0CE
; 

loc_96C0C9:				; CODE XREF: PiProcessResourceRequirementsChanged(x)+93j
		call	PipClearDevNodeFlags

loc_96C0CE:				; CODE XREF: PiProcessResourceRequirementsChanged(x)+9Aj
		mov	ecx, edi
		call	_PnpReallocateResources@4 ; PnpReallocateResources(x)
		mov	ecx, _IopRootDeviceNode
		mov	al, _PnPBootDriversInitialized
		mov	esi, [ebx+18h]
		mov	[ebp+var_8], 3
		mov	byte ptr [ebp+var_4], al
		mov	ecx, [ecx+10h]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	ecx, ecx
		mov	edx, ebx
		push	ecx
		test	esi, esi
		setnz	al
		movzx	eax, al
		push	eax
		push	ecx
		push	ecx
		mov	ecx, _IopRootDeviceNode
		lea	eax, [ebp+var_8]
		push	eax
		call	PipProcessDevNodeTree
		mov	esi, eax
		test	esi, esi
		jns	short loc_96C12A
		xor	esi, esi
		jmp	short loc_96C12A
; 

loc_96C11E:				; CODE XREF: PiProcessResourceRequirementsChanged(x)+87j
		mov	esi, 0C0000001h
		jmp	short loc_96C12A
; 

loc_96C125:				; CODE XREF: PiProcessResourceRequirementsChanged(x)+3Ej
					; PiProcessResourceRequirementsChanged(x)+49j
		mov	esi, 0C0000056h

loc_96C12A:				; CODE XREF: PiProcessResourceRequirementsChanged(x)+EBj
					; PiProcessResourceRequirementsChanged(x)+EFj ...
		test	byte ptr [edi+1C8h], 40h
		jz	short loc_96C142
		mov	ecx, [edi+10h]
		call	PoFxIdleDevice
		and	dword ptr [edi+1C8h], 0FFFFFFBFh

loc_96C142:				; CODE XREF: PiProcessResourceRequirementsChanged(x)+104j
		mov	ecx, [ebx+8]
		mov	edx, 65706E50h
		call	ObfDereferenceObjectWithTag
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiProcessResourceRequirementsChanged@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiProcessSetDeviceProblem(x)
_PiProcessSetDeviceProblem@4 proc near	; CODE XREF: .text:005DD792p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx+8]
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	eax, [eax+0B0h]
		mov	esi, [ecx+14h]
		push	edi
		mov	[ebp+var_4], esi
		mov	ebx, [eax+14h]
		mov	eax, [ebx+0ACh]
		cmp	eax, 313h
		jz	loc_96C25B
		cmp	eax, 314h
		jz	loc_96C25B
		lea	ecx, [ebp+var_8]
		call	PiPnpRtlBeginOperation
		mov	eax, [esi+0Ch]
		mov	edi, eax
		shr	edi, 12h
		and	edi, 1
		test	eax, 100h
		jz	short loc_96C1B0
		or	edi, 4

loc_96C1B0:				; CODE XREF: PiProcessSetDeviceProblem(x)+55j
		mov	esi, eax
		shr	esi, 1
		and	esi, 4000h
		test	eax, 400h
		jz	short loc_96C1C7
		or	esi, 2000h

loc_96C1C7:				; CODE XREF: PiProcessSetDeviceProblem(x)+69j
		mov	eax, [ebp+var_4]
		mov	ecx, [eax+10h]
		mov	[ebp+var_C], ecx
		cmp	ecx, 0Eh
		jnz	short loc_96C1F4
		mov	edx, [ebx+0ACh]
		cmp	edx, 302h
		jz	short loc_96C1F1
		cmp	edx, 312h
		jz	short loc_96C1F1
		and	esi, 0FFFFDFFFh

loc_96C1F1:				; CODE XREF: PiProcessSetDeviceProblem(x)+8Bj
					; PiProcessSetDeviceProblem(x)+93j
		or	edi, 4

loc_96C1F4:				; CODE XREF: PiProcessSetDeviceProblem(x)+7Dj
		test	esi, esi
		jz	short loc_96C257
		mov	edx, [ebx+0ACh]
		cmp	edx, 302h
		jz	short loc_96C20E
		cmp	edx, 312h
		jnz	short loc_96C228

loc_96C20E:				; CODE XREF: PiProcessSetDeviceProblem(x)+AEj
		test	esi, 4000h
		jnz	short loc_96C235
		cmp	ecx, 3Ah
		jnb	short loc_96C228
		mov	edx, ecx
		mov	ecx, ebx
		call	_PipIsProblemReadonly@8	; PipIsProblemReadonly(x,x)
		test	eax, eax
		jz	short loc_96C22F

loc_96C228:				; CODE XREF: PiProcessSetDeviceProblem(x)+B6j
					; PiProcessSetDeviceProblem(x)+C3j
		mov	ebx, 0C00000F0h
		jmp	short loc_96C260
; 

loc_96C22F:				; CODE XREF: PiProcessSetDeviceProblem(x)+D0j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_C]

loc_96C235:				; CODE XREF: PiProcessSetDeviceProblem(x)+BEj
		push	dword ptr [eax+18h]
		mov	edx, ecx
		mov	ecx, ebx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		mov	edx, esi

loc_96C243:				; CODE XREF: PiProcessSetDeviceProblem(x)+103j
		mov	ecx, ebx
		call	PipSetDevNodeFlags
		mov	edx, edi
		mov	ecx, ebx
		call	PipSetDevNodeUserFlags
		xor	ebx, ebx
		jmp	short loc_96C260
; 

loc_96C257:				; CODE XREF: PiProcessSetDeviceProblem(x)+A0j
		xor	edx, edx
		jmp	short loc_96C243
; 

loc_96C25B:				; CODE XREF: PiProcessSetDeviceProblem(x)+2Cj
					; PiProcessSetDeviceProblem(x)+37j
		mov	ebx, 0C0000056h

loc_96C260:				; CODE XREF: PiProcessSetDeviceProblem(x)+D7j
					; PiProcessSetDeviceProblem(x)+FFj
		mov	eax, [ebp+var_4]
		test	byte ptr [eax+14h], 1
		jz	short loc_96C274
		push	55706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96C274:				; CODE XREF: PiProcessSetDeviceProblem(x)+111j
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_96C280
		call	PiPnpRtlEndOperation

loc_96C280:				; CODE XREF: PiProcessSetDeviceProblem(x)+123j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_PiProcessSetDeviceProblem@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiRestartDevice(x)
_PiRestartDevice@4 proc	near		; CODE XREF: .text:005DD769p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	eax, [edi+8]
		mov	eax, [eax+0B0h]
		mov	esi, [eax+14h]
		mov	eax, [esi+0ACh]
		cmp	eax, 313h
		jz	short loc_96C322
		cmp	eax, 314h
		jz	short loc_96C322
		test	dword ptr [esi+10Ch], 6000h
		jnz	short loc_96C31B
		add	eax, 0FFFFFCFFh
		cmp	eax, 12h
		ja	short loc_96C31B
		movzx	eax, ds:byte_96C33F[eax]
		jmp	ds:off_96C32F[eax*4]

loc_96C2E0:				; CODE XREF: PiRestartDevice(x)+68j
					; PiRestartDevice(x)+92j
					; DATA XREF: ...
		xor	eax, eax
		jmp	short loc_96C327
; 

loc_96C2E4:				; CODE XREF: PiRestartDevice(x)+52j
					; DATA XREF: PAGE:0096C333o
		mov	ecx, esi
		call	_PnpRestartDeviceNode@4	; PnpRestartDeviceNode(x)

loc_96C2EB:				; CODE XREF: PiRestartDevice(x)+52j
					; DATA XREF: PAGE:off_96C32Fo
		cmp	dword ptr [edi+0Ch], 10h
		jnz	short loc_96C2E0
		mov	al, _PnPBootDriversInitialized
		mov	[ebp+var_8], 3
		mov	byte ptr [ebp+var_4], al
		mov	ecx, [esi+10h]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	PipProcessDevNodeTree
		jmp	short loc_96C2E0
; 

loc_96C31B:				; CODE XREF: PiRestartDevice(x)+3Fj
					; PiRestartDevice(x)+49j ...
		mov	eax, 0C0000001h
		jmp	short loc_96C327
; 

loc_96C322:				; CODE XREF: PiRestartDevice(x)+2Cj
					; PiRestartDevice(x)+33j
		mov	eax, 0C0000056h

loc_96C327:				; CODE XREF: PiRestartDevice(x)+5Bj
					; PiRestartDevice(x)+99j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PiRestartDevice@4 endp

; 
		db 8Dh,	49h, 0
off_96C32F	dd offset loc_96C2EB	; DATA XREF: PiRestartDevice(x)+52r
		dd offset loc_96C2E4
		dd offset loc_96C2E0
		dd offset loc_96C31B
byte_96C33F	db 0			; DATA XREF: PiRestartDevice(x)+4Br
		dd 2000001h, 2020000h, 20202h, 3030303h
; 
		add	[ebx], eax

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpLogDuplicateDevice(x, x)
_PnpLogDuplicateDevice@8 proc near	; CODE XREF: PiProcessNewDeviceNode+6E72Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_8]
		push	ecx
		push	eax
		mov	esi, edx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	ecx, word ptr [ebp+var_10+2]
		mov	edx, 98h
		lea	eax, [ecx+2]
		cmp	eax, edx
		ja	short loc_96C3A8
		movzx	eax, word ptr [ebp+var_8+2]
		add	eax, ecx
		cmp	eax, edx
		jbe	short loc_96C3A2
		lea	eax, [edx-2]
		sub	eax, [ebp+var_10+2]
		jmp	short loc_96C3B3
; 

loc_96C3A2:				; CODE XREF: PnpLogDuplicateDevice(x,x)+46j
		mov	ax, word ptr [ebp+var_8]
		jmp	short loc_96C3B7
; 

loc_96C3A8:				; CODE XREF: PnpLogDuplicateDevice(x,x)+3Cj
		mov	eax, 96h
		mov	word ptr [ebp+var_10], ax
		xor	eax, eax

loc_96C3B3:				; CODE XREF: PnpLogDuplicateDevice(x,x)+4Ej
		mov	word ptr [ebp+var_8], ax

loc_96C3B7:				; CODE XREF: PnpLogDuplicateDevice(x,x)+54j
		movzx	ecx, ax
		lea	edx, [ebp+var_10]
		neg	ecx
		lea	eax, [ebp+var_8]
		push	edi		; size_t
		sbb	ecx, ecx
		push	edi		; void *
		and	ecx, eax
		push	0C0040038h	; int
		call	_PnpLogEvent@20	; PnpLogEvent(x,x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn
_PnpLogDuplicateDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpResetProblemDevices(x, x)
_PpResetProblemDevices@8 proc near	; CODE XREF: PpSystemHiveLimitCallback(x,x)+22p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_C], 0
		xor	ecx, ecx
		and	[ebp+var_8], 0
		inc	ecx
		push	esi
		mov	esi, _IopRootDeviceNode
		mov	[ebp+var_10], 31h
		call	PpDevNodeLockTree
		lea	eax, [ebp+var_10]
		mov	edx, offset PiResetProblemDevicesWorker
		push	eax
		mov	ecx, esi
		call	_PipForDeviceNodeSubtree@12 ; PipForDeviceNodeSubtree(x,x,x)
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpResetProblemDevices@8 endp


;  S U B	R O U T	I N E 


; __stdcall PiUEventAllocMem(x)
_PiUEventAllocMem@4 proc near		; CODE XREF: PiUEventProcessBroadcastNotifications+EEp
					; PiUEventProcessBroadcastNotifications+1E9p ...
		push	59706E50h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
_PiUEventAllocMem@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiUEventBroadcastHardwareProfilesChangedEvent(x, x)
_PiUEventBroadcastHardwareProfilesChangedEvent@8 proc near
					; CODE XREF: PiUEventBroadcastEventWorker+9DF6Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	[ebp+var_4], ecx
		push	esi
		mov	esi, edx
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_96C45F
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	10h
		push	esi
		push	offset _WNF_PNPA_HARDWAREPROFILES_CHANGED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		jmp	short loc_96C489
; 

loc_96C45F:				; CODE XREF: PiUEventBroadcastHardwareProfilesChangedEvent(x,x)+Fj
		push	edi
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_96C488
		xor	eax, eax
		lea	ecx, [ebp+var_4]
		push	eax
		push	eax
		push	ecx
		push	eax
		push	10h
		push	esi
		push	offset _WNF_PNPA_HARDWAREPROFILES_CHANGED_SESSION
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	ecx, edi
		call	ObfDereferenceObject

loc_96C488:				; CODE XREF: PiUEventBroadcastHardwareProfilesChangedEvent(x,x)+30j
		pop	edi

loc_96C489:				; CODE XREF: PiUEventBroadcastHardwareProfilesChangedEvent(x,x)+24j
		pop	esi
		leave
		retn
_PiUEventBroadcastHardwareProfilesChangedEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiUEventBroadcastPortsChangedEvent(x, x, x)
_PiUEventBroadcastPortsChangedEvent@12 proc near
					; CODE XREF: PiUEventBroadcastEventWorker+9DF5Dp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_38]
		push	edi
		push	30h		; size_t
		xor	ebx, ebx
		mov	[ebp+var_40], ecx
		push	ebx		; int
		push	eax		; void *
		mov	edi, edx
		call	_memset
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_3C]
		add	esp, 0Ch
		mov	[ebp+var_3C], ebx
		mov	edx, esi
		mov	[ebp+var_48], ebx
		push	ebx
		push	eax
		push	ebx
		push	20019h
		push	ebx
		push	11h
		call	_CmOpenDeviceRegKey
		test	eax, eax
		js	short loc_96C553
		mov	ecx, [ebp+var_3C]
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_44], 20h
		push	eax
		lea	eax, [ebp+var_48]
		mov	edx, offset ??_C@_1BC@LDIMLHJH@?$AAP?$AAo?$AAr?$AAt?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@
		push	eax
		call	_RegRtlQueryValue
		test	eax, eax
		js	short loc_96C553
		mov	ecx, [ebp+var_40]
		mov	esi, edi
		lea	edi, [ebp+var_38]
		movsd
		movsd
		movsd
		movsd
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_96C52A
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	30h
		lea	eax, [ebp+var_38]
		push	eax
		push	offset _WNF_PNPA_PORTS_CHANGED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		jmp	short loc_96C553
; 

loc_96C52A:				; CODE XREF: PiUEventBroadcastPortsChangedEvent(x,x,x)+86j
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_96C553
		push	ebx
		push	ebx
		lea	eax, [ebp+var_40]
		push	eax
		push	ebx
		push	30h
		lea	eax, [ebp+var_38]
		push	eax
		push	offset _WNF_PNPA_PORTS_CHANGED_SESSION
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	ecx, esi
		call	ObfDereferenceObject

loc_96C553:				; CODE XREF: PiUEventBroadcastPortsChangedEvent(x,x,x)+51j
					; PiUEventBroadcastPortsChangedEvent(x,x,x)+75j ...
		cmp	[ebp+var_3C], ebx
		jz	short loc_96C560
		push	[ebp+var_3C]
		call	_ZwClose@4	; ZwClose(x)

loc_96C560:				; CODE XREF: PiUEventBroadcastPortsChangedEvent(x,x,x)+CAj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PiUEventBroadcastPortsChangedEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiUEventBroadcastVolumesChangedEvent(x)
_PiUEventBroadcastVolumesChangedEvent@4	proc near
					; CODE XREF: PiUEventBroadcastEventWorker+9DF7Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	[ebp+var_4], ecx
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_96C593
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WNF_PNPA_VOLUMES_CHANGED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		leave
		retn
; 

loc_96C593:				; CODE XREF: PiUEventBroadcastVolumesChangedEvent(x)+Cj
		push	esi
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_96C5BB
		xor	eax, eax
		lea	ecx, [ebp+var_4]
		push	eax
		push	eax
		push	ecx
		push	eax
		push	eax
		push	eax
		push	offset _WNF_PNPA_VOLUMES_CHANGED_SESSION
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	ecx, esi
		call	ObfDereferenceObject

loc_96C5BB:				; CODE XREF: PiUEventBroadcastVolumesChangedEvent(x)+2Cj
		pop	esi
		leave
		retn
_PiUEventBroadcastVolumesChangedEvent@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiUEventHandleVetoEvent(x, x, x, x,	x)
_PiUEventHandleVetoEvent@20 proc near	; CODE XREF: PiUEventHandleIoctl+1191F8p

var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		mov	ebx, [ecx+10h]
		mov	[esp+28h+var_8], eax
		mov	[esp+28h+var_4], eax
		mov	[esp+28h+var_1C], eax
		mov	[esp+28h+var_21], al
		push	esi
		mov	esi, eax
		mov	[esp+2Ch+var_18], esi
		push	edi
		mov	edi, eax
		test	ebx, ebx
		jz	loc_96C79D
		test	edx, edx
		jz	loc_96C79D
		cmp	[ebp+arg_0], 8
		jnz	loc_96C79D
		mov	eax, [edx]
		mov	ecx, [ebx+8]
		mov	[esp+30h+var_14], eax
		mov	eax, [edx+4]
		mov	[esp+30h+var_10], eax
		call	ExAcquireFastMutex
		lea	eax, [ebx+38h]
		mov	ecx, [eax]
		mov	[esp+30h+var_20], ecx
		cmp	ecx, eax
		jnz	short loc_96C637
		mov	ecx, [ebx+8]
		mov	edi, 0C000000Dh
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	loc_96C7D6
; 

loc_96C637:				; CODE XREF: PiUEventHandleVetoEvent(x,x,x,x,x)+65j
		mov	eax, [ecx+10h]
		cmp	byte ptr [eax+29h], 0
		jz	loc_96C784
		mov	ecx, offset _PiUEventUsermodeEventQueueLock
		call	ExAcquireFastMutex
		mov	eax, [esp+30h+var_20]
		mov	ecx, [eax+10h]
		mov	eax, [ecx+10h]
		test	eax, eax
		jz	loc_96C776
		xor	edx, edx
		cmp	[ecx+14h], edx
		jz	loc_96C776
		cmp	[eax], edx
		jnz	loc_96C776
		cmp	byte ptr [esp+30h+var_14], dl
		jz	loc_96C771
		mov	ecx, [esp+30h+var_10]
		mov	[eax], ecx
		lea	eax, [esp+30h+var_1C]
		push	eax
		push	dword ptr [ebx+1Ch]
		call	PsLookupProcessByProcessId
		test	eax, eax
		js	short loc_96C6EF
		mov	ecx, [esp+30h+var_1C]
		lea	edx, [esp+30h+var_18]
		call	_PsGetAllocatedFullProcessImageName@8 ;	PsGetAllocatedFullProcessImageName(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_96C6EF
		mov	esi, [esp+30h+var_18]
		xor	eax, eax
		cmp	[esi], ax
		jnz	short loc_96C702
		push	eax
		push	esi
		mov	[esp+38h+var_10], eax
		mov	[esp+38h+var_C], eax
		mov	[esp+38h+var_21], 1
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	[esp+30h+var_1C]
		lea	esi, [esp+34h+var_8]
		call	_PsGetProcessImageFileName@4 ; PsGetProcessImageFileName(x)
		push	eax
		lea	eax, [esp+34h+var_10]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [esp+34h+var_10]
		push	eax
		mov	eax, esi
		push	eax
		call	RtlAnsiStringToUnicodeString
		jmp	short loc_96C702
; 

loc_96C6EF:				; CODE XREF: PiUEventHandleVetoEvent(x,x,x,x,x)+D4j
					; PiUEventHandleVetoEvent(x,x,x,x,x)+E7j
		lea	esi, [esp+30h+var_8]
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		mov	eax, esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	edi, edi

loc_96C702:				; CODE XREF: PiUEventHandleVetoEvent(x,x,x,x,x)+F2j
					; PiUEventHandleVetoEvent(x,x,x,x,x)+12Fj
		mov	eax, 400h
		cmp	[esi], ax
		mov	eax, [esp+30h+var_20]
		mov	eax, [eax+10h]
		ja	short loc_96C722
		push	esi
		push	dword ptr [eax+14h]
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	ecx, [esp+30h+var_20]
		jmp	short loc_96C760
; 

loc_96C722:				; CODE XREF: PiUEventHandleVetoEvent(x,x,x,x,x)+153j
		mov	ecx, [eax+14h]
		mov	edx, 200h
		push	1FFh
		push	dword ptr [esi+4]
		mov	ecx, [ecx+4]
		call	RtlStringCchCopyNW
		mov	ecx, [esp+30h+var_20]
		mov	edi, eax
		xor	edx, edx
		mov	eax, [ecx+10h]
		mov	eax, [eax+14h]
		mov	eax, [eax+4]
		mov	[eax+3FEh], dx
		mov	edx, 400h
		mov	eax, [ecx+10h]
		mov	eax, [eax+14h]
		mov	[eax], dx

loc_96C760:				; CODE XREF: PiUEventHandleVetoEvent(x,x,x,x,x)+162j
		xor	eax, eax
		push	eax
		push	eax
		mov	eax, [ecx+10h]
		push	dword ptr [eax+0Ch]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_96C776
; 

loc_96C771:				; CODE XREF: PiUEventHandleVetoEvent(x,x,x,x,x)+B9j
		call	_PiUEventInitializeVeto@4 ; PiUEventInitializeVeto(x)

loc_96C776:				; CODE XREF: PiUEventHandleVetoEvent(x,x,x,x,x)+9Cj
					; PiUEventHandleVetoEvent(x,x,x,x,x)+A7j ...
		mov	ecx, offset _PiUEventUsermodeEventQueueLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [esp+30h+var_20]

loc_96C784:				; CODE XREF: PiUEventHandleVetoEvent(x,x,x,x,x)+80j
		mov	edx, ecx
		mov	ecx, ebx
		push	1
		call	_PiUEventDequeuePendingEventWorker@12 ;	PiUEventDequeuePendingEventWorker(x,x,x)
		mov	ecx, [ebx+8]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	al, [esp+30h+var_21]
		jmp	short loc_96C7A2
; 

loc_96C79D:				; CODE XREF: PiUEventHandleVetoEvent(x,x,x,x,x)+2Dj
					; PiUEventHandleVetoEvent(x,x,x,x,x)+35j ...
		mov	edi, 0C000000Dh

loc_96C7A2:				; CODE XREF: PiUEventHandleVetoEvent(x,x,x,x,x)+1DDj
		test	al, al
		jz	short loc_96C7AE
		push	esi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	short loc_96C7C2
; 

loc_96C7AE:				; CODE XREF: PiUEventHandleVetoEvent(x,x,x,x,x)+1E6j
		test	esi, esi
		jz	short loc_96C7C2
		lea	eax, [esp+30h+var_8]
		cmp	esi, eax
		jz	short loc_96C7C2
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96C7C2:				; CODE XREF: PiUEventHandleVetoEvent(x,x,x,x,x)+1EEj
					; PiUEventHandleVetoEvent(x,x,x,x,x)+1F2j ...
		mov	eax, [esp+30h+var_1C]
		test	eax, eax
		jz	short loc_96C7D6
		mov	edx, 746C6644h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_96C7D6:				; CODE XREF: PiUEventHandleVetoEvent(x,x,x,x,x)+74j
					; PiUEventHandleVetoEvent(x,x,x,x,x)+20Aj
		mov	eax, [ebp+arg_8]
		and	dword ptr [eax+4], 0
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PiUEventHandleVetoEvent@20 endp


;  S U B	R O U T	I N E 


; __stdcall PiUEventInitializeVeto(x)
_PiUEventInitializeVeto@4 proc near	; CODE XREF: PAGE:008D5A27p
					; PiUEventHandleVetoEvent(x,x,x,x,x):loc_96C771p
		mov	eax, [ecx+14h]
		xor	edx, edx
		mov	eax, [eax+4]
		mov	[eax], dx
		mov	eax, [ecx+14h]
		mov	[eax], dx
		mov	eax, [ecx+10h]
		and	[eax], edx
		retn
_PiUEventInitializeVeto@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiUEventSendDeviceInstallNotification(x)
_PiUEventSendDeviceInstallNotification@4 proc near ; CODE XREF:	PAGE:008D5A0Fp
		mov	edi, edi
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WNF_PNPC_DEVICE_INSTALL_REQUESTED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_96C82F
		test	byte_6CD8BA, 8
		jz	short loc_96C82F
		push	esi
		push	ecx
		mov	edx, offset _KMPnPEvt_DeviceInstall_Requested
		call	_McTemplateK0z_EtwWriteTransfer@16 ; McTemplateK0z_EtwWriteTransfer(x,x,x,x)

loc_96C82F:				; CODE XREF: PiUEventSendDeviceInstallNotification(x)+19j
					; PiUEventSendDeviceInstallNotification(x)+22j
		pop	esi
		retn
_PiUEventSendDeviceInstallNotification@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiIsHVCIEnabled()
_PiIsHVCIEnabled@0 proc	near		; CODE XREF: PiIsDriverBlocked+AFE8Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	8
		pop	eax
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		push	ebx
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], ebx
		push	eax
		push	67h
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_96C860
		test	[ebp+var_4], 400h
		jz	short loc_96C860
		mov	bl, 1

loc_96C860:				; CODE XREF: PiIsHVCIEnabled()+22j
					; PiIsHVCIEnabled()+2Bj
		mov	al, bl
		pop	ebx
		leave
		retn
_PiIsHVCIEnabled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiNotifyCiDriverBlocked(x, x)
_PiNotifyCiDriverBlocked@8 proc	near	; CODE XREF: PiIsDriverBlocked+AFFC1p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	eax, edx
		push	esi
		push	20207050h
		mov	[ebp+var_4], eax
		mov	esi, ecx
		movzx	ebx, word ptr [eax]
		add	ebx, 12h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jnz	short loc_96C898
		mov	eax, 0C0000017h
		jmp	short loc_96C8E9
; 

loc_96C898:				; CODE XREF: PiNotifyCiDriverBlocked(x,x)+2Aj
		mov	edx, [ebp+var_4]
		push	edi
		mov	edi, ecx
		movsd
		movsd
		movsd
		movsd
		mov	ax, [edx]
		mov	[ecx+10h], ax
		movzx	eax, word ptr [edx]
		push	eax		; size_t
		push	dword ptr [edx+4] ; void *
		lea	eax, [ecx+12h]
		push	eax		; void *
		call	_memcpy
		mov	eax, 1000h
		add	esp, 0Ch
		cmp	ebx, eax
		jb	short loc_96C8C7
		mov	ebx, eax

loc_96C8C7:				; CODE XREF: PiNotifyCiDriverBlocked(x,x)+5Ej
		mov	edi, [ebp+var_8]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	ebx
		push	edi
		push	offset _WNF_CI_BLOCKED_DRIVER
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		push	0
		push	edi
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		pop	edi

loc_96C8E9:				; CODE XREF: PiNotifyCiDriverBlocked(x,x)+31j
		pop	esi
		pop	ebx
		leave
		retn
_PiNotifyCiDriverBlocked@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCombineLegacyResources(x)
_IopCombineLegacyResources@4 proc near	; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+1EAp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], ecx
		mov	ebx, esi
		test	esi, esi
		jz	loc_96C993

loc_96C90A:				; CODE XREF: IopCombineLegacyResources(x)+3Ej
		mov	eax, [ebx+11Ch]
		test	eax, eax
		jz	short loc_96C923
		mov	ecx, eax
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		mov	ecx, [ebp+var_4]
		add	ecx, eax
		mov	[ebp+var_4], ecx

loc_96C923:				; CODE XREF: IopCombineLegacyResources(x)+25j
		mov	ebx, [ebx+164h]
		test	ebx, ebx
		jnz	short loc_96C90A
		test	ecx, ecx
		jz	short loc_96C993
		push	20207050h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_96C993
		and	[edi], ebx
		lea	eax, [edi+4]
		mov	[ebp+var_4], eax

loc_96C94C:				; CODE XREF: IopCombineLegacyResources(x)+A4j
		mov	eax, [esi+11Ch]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_96C989
		mov	ecx, eax
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_96C989
		mov	ecx, [ebp+var_8]
		sub	ebx, 4
		push	ebx		; size_t
		add	ecx, 4
		push	ecx		; void *
		push	[ebp+var_4]	; void *
		call	_memcpy
		mov	eax, [esi+11Ch]
		add	esp, 0Ch
		add	[ebp+var_4], ebx
		mov	eax, [eax]
		add	[edi], eax

loc_96C989:				; CODE XREF: IopCombineLegacyResources(x)+6Aj
					; IopCombineLegacyResources(x)+77j
		mov	esi, [esi+164h]
		test	esi, esi
		jnz	short loc_96C94C

loc_96C993:				; CODE XREF: IopCombineLegacyResources(x)+17j
					; IopCombineLegacyResources(x)+42j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopCombineLegacyResources@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFindLegacyDeviceNode(x, x, x, x)
_IopFindLegacyDeviceNode@16 proc near	; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+4Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	eax, ecx
		mov	[ebp+var_C], eax
		mov	esi, 0C0000001h
		test	edi, edi
		jz	short loc_96CA1F
		mov	eax, [edi+0B0h]
		mov	ecx, [eax+14h]
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	short loc_96C9D1
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	short loc_96CA4E
; 

loc_96C9D1:				; CODE XREF: IopFindLegacyDeviceNode(x,x,x,x)+29j
		test	dword ptr [edi+1Ch], 1000h
		jnz	loc_96CADF
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	PipAllocateDeviceNode
		mov	ebx, [ebp+var_4]
		mov	esi, eax
		test	ebx, ebx
		jz	loc_96CADA
		mov	ecx, ebx
		cmp	esi, 0C000036Eh
		jnz	short loc_96CA09
		call	IopDestroyDeviceNode
		jmp	loc_96CADF
; 

loc_96CA09:				; CODE XREF: IopFindLegacyDeviceNode(x,x,x,x)+63j
		mov	edx, 20000h
		call	PipSetDevNodeFlags
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx
		jmp	short loc_96CA4E
; 

loc_96CA1F:				; CODE XREF: IopFindLegacyDeviceNode(x,x,x,x)+19j
		mov	edx, _IopLegacyDeviceNode
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	short loc_96CA55

loc_96CA2C:				; CODE XREF: IopFindLegacyDeviceNode(x,x,x,x)+9Ej
		cmp	[edx+124h], eax
		jz	short loc_96CA3A
		mov	edx, [edx]
		test	edx, edx
		jnz	short loc_96CA2C

loc_96CA3A:				; CODE XREF: IopFindLegacyDeviceNode(x,x,x,x)+98j
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	short loc_96CA55
		mov	eax, [ebp+arg_4]
		mov	ecx, [edx+10h]
		mov	[eax], ecx
		mov	eax, [ebp+arg_0]
		mov	[eax], edx

loc_96CA4E:				; CODE XREF: IopFindLegacyDeviceNode(x,x,x,x)+35j
					; IopFindLegacyDeviceNode(x,x,x,x)+83j
		xor	esi, esi
		jmp	loc_96CADF
; 

loc_96CA55:				; CODE XREF: IopFindLegacyDeviceNode(x,x,x,x)+90j
					; IopFindLegacyDeviceNode(x,x,x,x)+A5j
		and	[ebp+var_8], 0
		lea	ecx, [ebp+var_8]
		call	_IopCreateRootEnumeratedDeviceObject@4 ; IopCreateRootEnumeratedDeviceObject(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96CADF
		mov	ebx, [ebp+var_8]
		lea	edx, [ebp+var_4]
		mov	ecx, ebx
		or	dword ptr [ebx+1Ch], 1000h
		call	PipAllocateDeviceNode
		mov	esi, eax
		cmp	esi, 0C000036Eh
		jz	short loc_96CAD4
		mov	edi, [ebp+var_4]
		test	edi, edi
		jz	short loc_96CAD4
		mov	eax, [ebp+var_C]
		mov	edx, 20001h
		mov	ecx, edi
		mov	[ebx+8], eax
		call	PipSetDevNodeFlags
		push	ecx
		mov	edx, 302h
		mov	ecx, edi
		call	PipSetDevNodeState
		mov	eax, [ebp+var_C]
		mov	[edi+124h], eax
		mov	eax, _IopLegacyDeviceNode
		mov	[edi], eax
		test	eax, eax
		jz	short loc_96CAC2
		mov	[eax+4], edi

loc_96CAC2:				; CODE XREF: IopFindLegacyDeviceNode(x,x,x,x)+123j
		mov	eax, [ebp+arg_4]
		mov	_IopLegacyDeviceNode, edi
		mov	[eax], ebx
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		jmp	short loc_96CADF
; 

loc_96CAD4:				; CODE XREF: IopFindLegacyDeviceNode(x,x,x,x)+E9j
					; IopFindLegacyDeviceNode(x,x,x,x)+F0j
		push	ebx
		call	IoDeleteDevice

loc_96CADA:				; CODE XREF: IopFindLegacyDeviceNode(x,x,x,x)+55j
		mov	esi, 0C000009Ah

loc_96CADF:				; CODE XREF: IopFindLegacyDeviceNode(x,x,x,x)+3Ej
					; IopFindLegacyDeviceNode(x,x,x,x)+6Aj	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_IopFindLegacyDeviceNode@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopLegacyResourceAllocation(x, x, x, x, x)
_IopLegacyResourceAllocation@20	proc near ; CODE XREF: IopDestroyDeviceNode+14A6C0p
					; IoAssignResources(x,x,x,x,x,x)+17Fp ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, large fs:124h
		push	ebx
		mov	[esp+48h+var_34], ecx
		mov	ebx, edx
		xor	ecx, ecx
		mov	[esp+48h+var_2C], ebx
		dec	word ptr [eax+13Ch]
		push	esi
		push	edi
		mov	[esp+50h+var_38], ecx
		mov	[esp+50h+var_3C], ecx
		nop
		push	ecx
		push	ecx
		push	ecx
		push	4
		push	offset _PpRegistrySemaphore
		call	KeWaitForSingleObject
		mov	edx, [ebp+arg_0]
		lea	eax, [esp+50h+var_38]
		push	eax
		lea	eax, [esp+54h+var_3C]
		mov	ecx, ebx
		push	eax
		call	_IopFindLegacyDeviceNode@16 ; IopFindLegacyDeviceNode(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_96CD0C
		mov	esi, [esp+50h+var_3C]
		xor	edx, edx
		mov	edi, [ebp+arg_4]
		mov	[esp+50h+var_40], edx
		cmp	[esi+8], edx
		jnz	short loc_96CB70
		test	edi, edi
		jz	short loc_96CB74
		cmp	dword ptr [edi+4], 0FFFFFFFFh
		jnz	short loc_96CB68
		mov	dword ptr [edi+4], 1

loc_96CB68:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+77j
		mov	eax, _IopRootDeviceNode
		mov	[esi+8], eax

loc_96CB70:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+6Dj
		test	edi, edi
		jnz	short loc_96CB79

loc_96CB74:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+71j
		cmp	[esi+8], edx
		jnz	short loc_96CB89

loc_96CB79:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+8Aj
		cmp	[esi+11Ch], edx
		jnz	short loc_96CB89
		cmp	[esi+168h], edx
		jz	short loc_96CB92

loc_96CB89:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+8Fj
					; IopLegacyResourceAllocation(x,x,x,x,x)+97j
		mov	ecx, esi
		call	_IopReleaseResources@4 ; IopReleaseResources(x)
		xor	edx, edx

loc_96CB92:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+9Fj
		test	edi, edi
		jz	loc_96CCB0
		mov	eax, [esp+50h+var_38]
		xor	ecx, ecx
		push	edx
		mov	[esp+54h+var_1C], edx
		inc	ecx
		mov	[esp+54h+var_18], edx
		mov	[esp+54h+var_10], edx
		mov	[esp+54h+var_C], edx
		mov	[esp+54h+var_8], edx
		mov	[esp+54h+var_4], edx
		lea	edx, [esp+54h+var_28]
		mov	[esp+54h+var_28], eax
		mov	eax, [esp+54h+var_34]
		push	1
		mov	[esp+58h+var_14], edi
		mov	[esp+58h+var_20], eax
		mov	[esp+58h+var_24], 80h
		call	PnpAllocateResources
		mov	ebx, [esp+50h+var_4]
		mov	[esp+50h+var_30], ebx
		test	ebx, ebx
		js	loc_96CCBA
		mov	ebx, [ebp+arg_8]
		mov	ecx, [ebx]
		test	ecx, ecx
		jnz	short loc_96CBFA
		mov	ecx, [esp+50h+var_C]

loc_96CBFA:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+10Cj
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		push	20207050h
		push	eax
		push	1
		mov	[esp+5Ch+var_3C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+50h+var_38], eax
		test	eax, eax
		jz	short loc_96CC77
		cmp	dword ptr [ebx], 0
		jz	short loc_96CC2A
		push	0
		push	[esp+54h+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_96CC30
; 

loc_96CC2A:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+133j
		mov	eax, [esp+50h+var_C]
		mov	[ebx], eax

loc_96CC30:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+140j
		mov	ecx, offset _PiResourceListLock
		call	ExAcquireFastMutex
		mov	eax, [esp+50h+var_38]
		push	[esp+50h+var_3C] ; size_t
		mov	[esi+11Ch], eax
		push	dword ptr [ebx]	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [esp+5Ch+var_8]
		add	esp, 0Ch
		mov	ecx, offset _PiResourceListLock
		mov	[esi+120h], eax
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [esi+160h]
		mov	ebx, [esp+50h+var_30]
		mov	[esp+50h+var_40], ecx
		jmp	short loc_96CCAA
; 

loc_96CC77:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+12Ej
		mov	ebx, offset _PiResourceListLock
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	eax, [esp+50h+var_C]
		mov	ecx, ebx
		mov	[esi+11Ch], eax
		mov	eax, [esp+50h+var_8]
		mov	[esi+120h], eax
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, esi
		call	_IopReleaseResources@4 ; IopReleaseResources(x)
		mov	ebx, 0C000009Ah

loc_96CCAA:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+18Dj
		test	ebx, ebx
		jns	short loc_96CCC8
		jmp	short loc_96CCBA
; 

loc_96CCB0:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+ACj
		mov	ecx, [esi+160h]
		mov	[esp+50h+var_40], ecx

loc_96CCBA:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+FFj
					; IopLegacyResourceAllocation(x,x,x,x,x)+1C6j
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_IopRemoveLegacyDeviceNode@8 ; IopRemoveLegacyDeviceNode(x,x)
		test	ebx, ebx
		js	short loc_96CD0C

loc_96CCC8:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+1C4j
		mov	eax, [esp+50h+var_40]
		test	eax, eax
		jz	short loc_96CCF8
		mov	ecx, eax
		call	_IopCombineLegacyResources@4 ; IopCombineLegacyResources(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_96CCF8
		mov	ecx, esi
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		mov	ecx, [esp+50h+var_40]
		mov	edx, esi
		push	eax
		call	_IopWriteAllocatedResourcesToRegistry@12 ; IopWriteAllocatedResourcesToRegistry(x,x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96CCF8:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+1E6j
					; IopLegacyResourceAllocation(x,x,x,x,x)+1F3j
		cmp	[esp+50h+var_34], 3
		jz	short loc_96CD0C
		test	edi, edi
		jz	short loc_96CD0C
		mov	ecx, [esp+50h+var_2C]
		call	_IopSetLegacyResourcesFlag@4 ; IopSetLegacyResourcesFlag(x)

loc_96CD0C:				; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+57j
					; IopLegacyResourceAllocation(x,x,x,x,x)+1DEj ...
		push	0
		push	1
		push	0
		push	offset _PpRegistrySemaphore
		call	KeReleaseSemaphore
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_IopLegacyResourceAllocation@20	endp


;  S U B	R O U T	I N E 


; __stdcall IopRemoveLegacyDeviceNode(x, x)
_IopRemoveLegacyDeviceNode@8 proc near	; CODE XREF: IopLegacyResourceAllocation(x,x,x,x,x)+1D7p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		xor	edx, edx
		push	edi
		test	ebx, ebx
		jnz	short loc_96CD7C
		cmp	[esi+124h], edx
		jz	loc_96CDDA
		mov	ecx, [esi+4]
		mov	[esi+124h], edx
		test	ecx, ecx
		jz	short loc_96CD5F
		mov	eax, [esi]
		mov	[ecx], eax

loc_96CD5F:				; CODE XREF: IopRemoveLegacyDeviceNode(x,x)+26j
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_96CD6B
		mov	eax, [esi+4]
		mov	[ecx+4], eax

loc_96CD6B:				; CODE XREF: IopRemoveLegacyDeviceNode(x,x)+30j
		cmp	_IopLegacyDeviceNode, esi
		jnz	short loc_96CD85
		mov	eax, [esi]
		mov	_IopLegacyDeviceNode, eax
		jmp	short loc_96CD85
; 

loc_96CD7C:				; CODE XREF: IopRemoveLegacyDeviceNode(x,x)+Dj
		test	dword ptr [ebx+1Ch], 1000h
		jnz	short loc_96CDDA

loc_96CD85:				; CODE XREF: IopRemoveLegacyDeviceNode(x,x)+3Ej
					; IopRemoveLegacyDeviceNode(x,x)+47j
		mov	eax, [esi+160h]
		jmp	short loc_96CD99
; 

loc_96CD8D:				; CODE XREF: IopRemoveLegacyDeviceNode(x,x)+68j
		lea	ecx, [eax+164h]
		mov	eax, [ecx]
		cmp	eax, esi
		jz	short loc_96CD9F

loc_96CD99:				; CODE XREF: IopRemoveLegacyDeviceNode(x,x)+58j
		test	eax, eax
		jnz	short loc_96CD8D
		jmp	short loc_96CDA7
; 

loc_96CD9F:				; CODE XREF: IopRemoveLegacyDeviceNode(x,x)+64j
		mov	eax, [esi+164h]
		mov	[ecx], eax

loc_96CDA7:				; CODE XREF: IopRemoveLegacyDeviceNode(x,x)+6Aj
		mov	edi, [esi+10h]
		mov	ecx, esi
		mov	[esi+0Ch], edx
		mov	[esi+4], edx
		mov	[esi], edx
		mov	[esi+8], edx
		mov	edx, 20000h
		call	PipClearDevNodeFlags
		mov	ecx, esi
		call	IopDestroyDeviceNode
		test	ebx, ebx
		jnz	short loc_96CDDA
		mov	eax, _PnpDriverObject
		push	edi
		mov	[edi+8], eax
		call	IoDeleteDevice

loc_96CDDA:				; CODE XREF: IopRemoveLegacyDeviceNode(x,x)+15j
					; IopRemoveLegacyDeviceNode(x,x)+50j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
_IopRemoveLegacyDeviceNode@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGenericUnpackResource(x,	x, x)
_IopGenericUnpackResource@12 proc near	; DATA XREF: IopMemInitialize()+2Bo
					; IopPortInitialize()+47o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	RtlCmDecodeMemIoResource
		mov	ecx, [ebp+arg_8]
		mov	[ecx], eax
		xor	eax, eax
		mov	[ecx+4], edx
		pop	ebp
		retn	0Ch
_IopGenericUnpackResource@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopIsPciRootBus(x, x)
_IopIsPciRootBus@8 proc	near		; CODE XREF: IopMemQueryConflict(x,x)+26p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	eax, [esp+10h+var_4]
		xor	ecx, ecx
		mov	ebx, edx
		push	eax
		push	ecx
		push	ecx
		push	1
		push	esi
		mov	[esp+24h+var_4], ecx
		mov	[ebx], cl
		call	IoGetDeviceProperty
		cmp	eax, 0C0000023h
		jnz	loc_96CEB4
		push	20207050h
		push	[esp+14h+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_96CE4B
		mov	eax, 0C000009Ah
		jmp	short loc_96CEB4
; 

loc_96CE4B:				; CODE XREF: IopIsPciRootBus(x,x)+46j
		lea	eax, [esp+10h+var_4]
		push	eax
		push	edi
		push	[esp+18h+var_4]
		push	1
		push	esi
		call	IoGetDeviceProperty
		mov	esi, eax
		xor	eax, eax
		test	esi, esi
		js	short loc_96CEAB
		mov	esi, edi
		cmp	[edi], ax
		jz	short loc_96CEA9

loc_96CE6C:				; CODE XREF: IopIsPciRootBus(x,x)+A4j
		push	offset ??_C@_1BK@DOBMICEC@?$AAA?$AAC?$AAP?$AAI?$AA?2?$AAP?$AAN?$AAP?$AA0?$AAA?$AA0?$AA3@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_96CEA4
		push	offset ??_C@_1BK@OJBNAFED@?$AAA?$AAC?$AAP?$AAI?$AA?2?$AAP?$AAN?$AAP?$AA0?$AAA?$AA0?$AA8@NNGAKEGL@ ; "A"
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_96CEA4
		xor	eax, eax
		jmp	short loc_96CE95
; 

loc_96CE92:				; CODE XREF: IopIsPciRootBus(x,x)+9Cj
		add	esi, 2

loc_96CE95:				; CODE XREF: IopIsPciRootBus(x,x)+94j
		cmp	[esi], ax
		jnz	short loc_96CE92
		add	esi, 2
		cmp	[esi], ax
		jnz	short loc_96CE6C
		jmp	short loc_96CEA9
; 

loc_96CEA4:				; CODE XREF: IopIsPciRootBus(x,x)+7Fj
					; IopIsPciRootBus(x,x)+90j
		mov	byte ptr [ebx],	1
		xor	eax, eax

loc_96CEA9:				; CODE XREF: IopIsPciRootBus(x,x)+6Ej
					; IopIsPciRootBus(x,x)+A6j
		mov	esi, eax

loc_96CEAB:				; CODE XREF: IopIsPciRootBus(x,x)+67j
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_96CEB4:				; CODE XREF: IopIsPciRootBus(x,x)+2Cj
					; IopIsPciRootBus(x,x)+4Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_IopIsPciRootBus@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopMemQueryConflict(x, x)
_IopMemQueryConflict@8 proc near	; DATA XREF: IopMemInitialize()+49o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		push	ebx
		push	[ebp+arg_0]
		mov	[ebp+var_8], eax
		mov	byte ptr [ebp+var_1], al
		call	_ArbQueryConflict@8 ; ArbQueryConflict(x,x)
		test	eax, eax
		js	short loc_96CF5B
		mov	ecx, [ebx]
		lea	edx, [ebp+var_1]
		call	_IopIsPciRootBus@8 ; IopIsPciRootBus(x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		js	short loc_96CF59
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_96CF59
		mov	ecx, [ebx+8]
		mov	eax, [ebx+0Ch]
		push	esi
		mov	esi, [ecx]
		mov	ebx, [eax]
		test	esi, esi
		jz	short loc_96CF51
		push	edi
		imul	edi, esi, 18h
		add	edi, ebx
		add	ebx, 8

loc_96CF0B:				; CODE XREF: IopMemQueryConflict(x,x)+8Dj
		push	dword ptr [ebx+0Ch]
		push	dword ptr [ebx+8]
		push	dword ptr [ebx+4]
		push	dword ptr [ebx]
		call	_ArbIsConflictWithMmConfigRange@16 ; ArbIsConflictWithMmConfigRange(x,x,x,x)
		test	al, al
		mov	eax, [ebp+var_8]
		jz	short loc_96CF3F
		dec	esi
		sub	edi, 18h
		mov	[ebp+arg_0], edi
		lea	edi, [ebx-8]
		mov	[ebp+var_C], esi
		mov	esi, [ebp+arg_0]
		push	6
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+arg_0]
		jmp	short loc_96CF46
; 

loc_96CF3F:				; CODE XREF: IopMemQueryConflict(x,x)+65j
		inc	eax
		add	ebx, 18h
		mov	[ebp+var_8], eax

loc_96CF46:				; CODE XREF: IopMemQueryConflict(x,x)+82j
		cmp	eax, esi
		jb	short loc_96CF0B
		mov	eax, [ebp+arg_4]
		pop	edi
		mov	ecx, [eax+8]

loc_96CF51:				; CODE XREF: IopMemQueryConflict(x,x)+45j
		mov	eax, [ebp+var_10]
		mov	[ecx], esi
		pop	esi
		jmp	short loc_96CF5B
; 

loc_96CF59:				; CODE XREF: IopMemQueryConflict(x,x)+30j
					; IopMemQueryConflict(x,x)+36j
		xor	eax, eax

loc_96CF5B:				; CODE XREF: IopMemQueryConflict(x,x)+1Fj
					; IopMemQueryConflict(x,x)+9Cj
		pop	ebx
		leave
		retn	8
_IopMemQueryConflict@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopPortBacktrackAllocation(x, x)
_IopPortBacktrackAllocation@8 proc near	; DATA XREF: IopPortInitialize()+29o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [esi]
		mov	ebx, [esi+4]
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], ebx

loc_96CF79:				; CODE XREF: IopPortBacktrackAllocation(x,x)+64j
		mov	ecx, [esi+24h]
		lea	edx, [ebp+var_C]
		mov	eax, [esi+20h]
		push	ebx
		mov	[ebp+var_4], ecx
		mov	ecx, [ecx+24h]
		mov	eax, [eax+10h]
		push	edi
		mov	[ebp+arg_4], eax
		call	IopPortGetNextAlias
		push	[ebp+arg_4]
		test	al, al
		jz	short loc_96CFC6
		mov	eax, [ebp+var_4]
		mov	edi, [ebp+var_C]
		mov	ebx, [ebp+var_8]
		mov	ecx, [eax+10h]
		mov	eax, [eax+14h]
		add	ecx, edi
		adc	eax, ebx
		add	ecx, 0FFFFFFFFh
		adc	eax, 0FFFFFFFFh
		push	eax
		mov	eax, [ebp+arg_0]
		push	ecx
		push	ebx
		push	edi
		push	dword ptr [eax+18h]
		call	RtlDeleteRange
		jmp	short loc_96CF79
; 

loc_96CFC6:				; CODE XREF: IopPortBacktrackAllocation(x,x)+3Aj
		push	dword ptr [esi+0Ch]
		mov	eax, [ebp+arg_0]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		push	dword ptr [eax+18h]
		call	RtlDeleteRange
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_IopPortBacktrackAllocation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlEnsureObjectCached(x, x)
_PiPnpRtlEnsureObjectCached@8 proc near	; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+365p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		mov	[ebp+var_4], esi
		push	eax
		inc	ecx
		mov	[ebp+var_8], esi
		mov	ebx, edx
		mov	[ebp+var_C], esi
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_96D014
		mov	edi, esi
		jmp	loc_96D0D1
; 

loc_96D014:				; CODE XREF: PiPnpRtlEnsureObjectCached(x,x)+28j
		cmp	edi, 0C0000034h
		jnz	loc_96D0D1
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	eax
		mov	edx, ebx
		inc	ecx
		call	PiDmAddCacheReferenceForObject
		mov	edi, eax
		test	edi, edi
		js	loc_96D0D1
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+var_4]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		or	dword ptr [esi+18h], 1
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	ecx, [ebp+var_8]
		call	PiPnpRtlBeginOperation
		test	eax, eax
		js	short loc_96D0D1
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiPnpRtlRemoveOperationDispatchLock
		call	ExAcquireResourceSharedLite
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		push	[ebp+var_8]
		inc	edx
		mov	ecx, ebx
		call	PiPnpRtlObjectEventCreate
		mov	ecx, offset _PiPnpRtlRemoveOperationDispatchLock
		mov	esi, eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		js	short loc_96D0C9
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_96D0C9
		or	dword ptr [eax+4], 1

loc_96D0C9:				; CODE XREF: PiPnpRtlEnsureObjectCached(x,x)+D9j
					; PiPnpRtlEnsureObjectCached(x,x)+E0j
		mov	ecx, [ebp+var_8]
		call	PiPnpRtlEndOperation

loc_96D0D1:				; CODE XREF: PiPnpRtlEnsureObjectCached(x,x)+2Cj
					; PiPnpRtlEnsureObjectCached(x,x)+37j ...
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_96D0DD
		call	PiDmObjectRelease

loc_96D0DD:				; CODE XREF: PiPnpRtlEnsureObjectCached(x,x)+F3j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PiPnpRtlEnsureObjectCached@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlEnumDevicesCallback(x, x, x)
_PiPnpRtlEnumDevicesCallback@12	proc near ; DATA XREF: PiPnpRtlCmActionCallback+115C87o
					; PiPnpRtlCmActionCallback+115D0Bo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[esi], bl
		push	dword ptr [edi+8]
		push	dword ptr [eax+0Ch]
		push	dword ptr [edi]
		call	dword ptr [edi+4]
		sub	eax, ebx
		jz	short loc_96D12C
		sub	eax, 1
		jz	short loc_96D125
		sub	eax, 1
		jz	short loc_96D129
		sub	eax, 1
		jz	short loc_96D11E
		mov	ebx, 0C00000E5h
		jmp	short loc_96D12C
; 

loc_96D11E:				; CODE XREF: PiPnpRtlEnumDevicesCallback(x,x,x)+31j
		mov	ebx, 0C0000240h
		jmp	short loc_96D12C
; 

loc_96D125:				; CODE XREF: PiPnpRtlEnumDevicesCallback(x,x,x)+27j
		mov	byte ptr [edi+0Ch], 1

loc_96D129:				; CODE XREF: PiPnpRtlEnumDevicesCallback(x,x,x)+2Cj
		mov	byte ptr [esi],	1

loc_96D12C:				; CODE XREF: PiPnpRtlEnumDevicesCallback(x,x,x)+22j
					; PiPnpRtlEnumDevicesCallback(x,x,x)+38j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
_PiPnpRtlEnumDevicesCallback@12	endp


;  S U B	R O U T	I N E 


; __stdcall PiPnpRtlFreeContainerRemoveInfo(x)
_PiPnpRtlFreeContainerRemoveInfo@4 proc	near ; CODE XREF: PiPnpRtlCmActionCallback+115DC0p
					; PiPnpRtlCmActionCallback+115DFCp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_96D160
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_96D149
		call	PiDmObjectRelease

loc_96D149:				; CODE XREF: PiPnpRtlFreeContainerRemoveInfo(x)+Dj
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_96D155
		call	PiDmObjectRelease

loc_96D155:				; CODE XREF: PiPnpRtlFreeContainerRemoveInfo(x)+19j
		push	47706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96D160:				; CODE XREF: PiPnpRtlFreeContainerRemoveInfo(x)+7j
		pop	esi
		retn
_PiPnpRtlFreeContainerRemoveInfo@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiPnpRtlFreeDeviceDeleteInfo(x)
_PiPnpRtlFreeDeviceDeleteInfo@4	proc near ; CODE XREF: PiPnpRtlCmActionCallback+115AEBp
		test	ecx, ecx
		jz	short locret_96D171
		push	47706E50h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_96D171:				; CODE XREF: PiPnpRtlFreeDeviceDeleteInfo(x)+2j
		retn
_PiPnpRtlFreeDeviceDeleteInfo@4	endp


;  S U B	R O U T	I N E 


; __stdcall PiPnpRtlFreeInstallerClassChangeInfo(x)
_PiPnpRtlFreeInstallerClassChangeInfo@4	proc near
					; CODE XREF: PiPnpRtlCmActionCallback+115945p
					; PiPnpRtlGatherInstallerClassChangeInfo(x,x,x)+101p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_96D1B8
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_96D186
		call	PiDmObjectRelease

loc_96D186:				; CODE XREF: PiPnpRtlFreeInstallerClassChangeInfo(x)+Dj
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_96D192
		call	PiDmObjectRelease

loc_96D192:				; CODE XREF: PiPnpRtlFreeInstallerClassChangeInfo(x)+19j
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_96D1AD
		mov	edx, [ecx+0Ch]
		push	ecx
		mov	ecx, [ecx+14h]
		call	PiDmRemoveCacheReferenceForObject
		mov	ecx, [esi+8]
		call	PiDmObjectRelease

loc_96D1AD:				; CODE XREF: PiPnpRtlFreeInstallerClassChangeInfo(x)+25j
		push	47706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96D1B8:				; CODE XREF: PiPnpRtlFreeInstallerClassChangeInfo(x)+7j
		pop	esi
		retn
_PiPnpRtlFreeInstallerClassChangeInfo@4	endp


;  S U B	R O U T	I N E 


; __stdcall PiPnpRtlFreeInterfaceDeleteInfo(x)
_PiPnpRtlFreeInterfaceDeleteInfo@4 proc	near ; CODE XREF: PiPnpRtlCmActionCallback+115B42p
					; PiPnpRtlGatherInterfaceDeleteInfo(x,x)+1D2p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_96D1FD
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_96D1CE
		call	PiDmObjectRelease

loc_96D1CE:				; CODE XREF: PiPnpRtlFreeInterfaceDeleteInfo(x)+Dj
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_96D1DA
		call	PiDmObjectRelease

loc_96D1DA:				; CODE XREF: PiPnpRtlFreeInterfaceDeleteInfo(x)+19j
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_96D1E6
		call	PiDmObjectRelease

loc_96D1E6:				; CODE XREF: PiPnpRtlFreeInterfaceDeleteInfo(x)+25j
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_96D1F2
		call	PiDmObjectRelease

loc_96D1F2:				; CODE XREF: PiPnpRtlFreeInterfaceDeleteInfo(x)+31j
		push	47706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96D1FD:				; CODE XREF: PiPnpRtlFreeInterfaceDeleteInfo(x)+7j
		pop	esi
		retn
_PiPnpRtlFreeInterfaceDeleteInfo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlGatherContainerRemoveInfo(x, x, x)
_PiPnpRtlGatherContainerRemoveInfo@12 proc near
					; CODE XREF: PiPnpRtlCmActionCallback+115D5Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	47706E50h
		push	8
		push	1
		mov	ebx, edx
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, [ebp+arg_0]
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_96D229
		mov	esi, 0C000009Ah
		jmp	short loc_96D267
; 

loc_96D229:				; CODE XREF: PiPnpRtlGatherContainerRemoveInfo(x,x,x)+21j
		and	dword ptr [eax], 0
		xor	ecx, ecx
		and	dword ptr [eax+4], 0
		mov	edx, esi
		push	eax
		inc	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_96D249
		test	esi, esi
		js	short loc_96D267

loc_96D249:				; CODE XREF: PiPnpRtlGatherContainerRemoveInfo(x,x,x)+44j
		mov	eax, [edi]
		mov	edx, ebx
		add	eax, 4
		push	eax
		push	5
		pop	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		lea	esi, [eax+3FFFFFCCh]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jge	short loc_96D271

loc_96D267:				; CODE XREF: PiPnpRtlGatherContainerRemoveInfo(x,x,x)+28j
					; PiPnpRtlGatherContainerRemoveInfo(x,x,x)+48j
		mov	ecx, [edi]
		call	_PiPnpRtlFreeContainerRemoveInfo@4 ; PiPnpRtlFreeContainerRemoveInfo(x)
		and	dword ptr [edi], 0

loc_96D271:				; CODE XREF: PiPnpRtlGatherContainerRemoveInfo(x,x,x)+66j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PiPnpRtlGatherContainerRemoveInfo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlGatherDeviceDeleteInfo(x, x)
_PiPnpRtlGatherDeviceDeleteInfo@8 proc near ; CODE XREF: PiPnpRtlCmActionCallback+11598Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		push	47706E50h
		xor	ebx, ebx
		mov	edi, edx
		push	54h
		push	1
		mov	esi, ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_4], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_96D2B2
		mov	esi, 0C000009Ah
		jmp	loc_96D344
; 

loc_96D2B2:				; CODE XREF: PiPnpRtlGatherDeviceDeleteInfo(x,x)+2Cj
		push	54h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_18]
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [edi]
		lea	ecx, [ebp+var_C]
		push	ebx
		push	ecx
		push	eax
		lea	edx, [ebp+var_10]
		lea	ecx, [ebp+var_18]
		call	_PlugPlayGetDeviceStatus@20 ; PlugPlayGetDeviceStatus(x,x,x,x,x)
		mov	ecx, [edi]
		test	eax, eax
		jns	short loc_96D2E7
		mov	dword ptr [ecx], 2Dh

loc_96D2E7:				; CODE XREF: PiPnpRtlGatherDeviceDeleteInfo(x,x)+65j
		push	ebx
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], 4Eh
		push	eax
		lea	eax, [ecx+4]
		mov	edx, esi
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	9
		push	ebx
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96D327
		cmp	[ebp+var_4], 1
		jnz	short loc_96D327
		cmp	[ebp+var_8], 2
		jbe	short loc_96D327
		mov	eax, [edi]
		xor	ecx, ecx
		mov	[eax+50h], cx
		jmp	short loc_96D331
; 

loc_96D327:				; CODE XREF: PiPnpRtlGatherDeviceDeleteInfo(x,x)+95j
					; PiPnpRtlGatherDeviceDeleteInfo(x,x)+9Bj ...
		mov	eax, [edi]
		xor	ecx, ecx
		mov	esi, ebx
		mov	[eax+4], cx

loc_96D331:				; CODE XREF: PiPnpRtlGatherDeviceDeleteInfo(x,x)+ABj
		test	esi, esi
		jns	short loc_96D346
		test	eax, eax
		jz	short loc_96D344
		push	47706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96D344:				; CODE XREF: PiPnpRtlGatherDeviceDeleteInfo(x,x)+33j
					; PiPnpRtlGatherDeviceDeleteInfo(x,x)+BDj
		mov	[edi], ebx

loc_96D346:				; CODE XREF: PiPnpRtlGatherDeviceDeleteInfo(x,x)+B9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiPnpRtlGatherDeviceDeleteInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlGatherInstallerClassChangeInfo(x, x, x)
_PiPnpRtlGatherInstallerClassChangeInfo@12 proc	near
					; CODE XREF: PiPnpRtlCmActionCallback+1158FCp

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_5C		= dword	ptr -5Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_78], 0
		xor	eax, eax
		and	[ebp+var_74], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		lea	edi, [ebp+var_6C]
		mov	[ebp+var_70], ecx
		stosd
		mov	esi, edx
		push	47706E50h
		push	0Ch
		push	1
		stosd
		stosd
		stosd
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebx], edi
		test	edi, edi
		jnz	short loc_96D39B
		mov	esi, 0C000009Ah
		jmp	loc_96D44C
; 

loc_96D39B:				; CODE XREF: PiPnpRtlGatherInstallerClassChangeInfo(x,x,x)+42j
		xor	eax, eax
		stosd
		stosd
		stosd
		test	esi, esi
		jz	short loc_96D3BE
		mov	eax, [ebx]
		mov	edx, esi
		add	eax, 8
		push	eax
		push	2
		pop	ecx
		call	PiDmAddCacheReferenceForObject
		mov	esi, eax
		test	esi, esi
		js	loc_96D44C

loc_96D3BE:				; CODE XREF: PiPnpRtlGatherInstallerClassChangeInfo(x,x,x)+55j
		push	dword ptr [ebx]
		mov	edi, [ebp+var_70]
		xor	ecx, ecx
		mov	edx, edi
		inc	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_96D3DB
		test	esi, esi
		js	short loc_96D44C

loc_96D3DB:				; CODE XREF: PiPnpRtlGatherInstallerClassChangeInfo(x,x,x)+88j
		xor	ecx, ecx
		lea	eax, [ebp+var_74]
		push	ecx
		push	eax
		push	10h
		lea	eax, [ebp+var_6C]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_78]
		push	eax
		push	offset _DEVPKEY_Device_ClassGuid
		push	ecx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	edi, 0C0000034h
		cmp	esi, edi
		jz	short loc_96D446
		cmp	esi, 0C0000225h
		jz	short loc_96D446
		test	esi, esi
		js	short loc_96D44C
		push	ecx		; int
		lea	edx, [ebp+var_5C] ; void *
		lea	ecx, [ebp+var_6C] ; int
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96D44C
		mov	eax, [ebx]
		lea	edx, [ebp+var_5C]
		add	eax, 4
		push	eax
		push	2
		pop	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		cmp	esi, edi
		jnz	short loc_96D448
		xor	esi, esi
		jmp	short loc_96D456
; 

loc_96D446:				; CODE XREF: PiPnpRtlGatherInstallerClassChangeInfo(x,x,x)+BEj
					; PiPnpRtlGatherInstallerClassChangeInfo(x,x,x)+C6j
		xor	esi, esi

loc_96D448:				; CODE XREF: PiPnpRtlGatherInstallerClassChangeInfo(x,x,x)+F3j
		test	esi, esi
		jns	short loc_96D456

loc_96D44C:				; CODE XREF: PiPnpRtlGatherInstallerClassChangeInfo(x,x,x)+49j
					; PiPnpRtlGatherInstallerClassChangeInfo(x,x,x)+6Bj ...
		mov	ecx, [ebx]
		call	_PiPnpRtlFreeInstallerClassChangeInfo@4	; PiPnpRtlFreeInstallerClassChangeInfo(x)
		and	dword ptr [ebx], 0

loc_96D456:				; CODE XREF: PiPnpRtlGatherInstallerClassChangeInfo(x,x,x)+F7j
					; PiPnpRtlGatherInstallerClassChangeInfo(x,x,x)+FDj
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PiPnpRtlGatherInstallerClassChangeInfo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlGatherInterfaceDeleteInfo(x, x)
_PiPnpRtlGatherInterfaceDeleteInfo@8 proc near ; CODE XREF: PiPnpRtlCmActionCallback+1159A9p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		and	[ebp+var_74], 0
		xor	eax, eax
		and	[ebp+var_70], 0
		mov	ebx, edx
		push	esi
		push	edi
		lea	edi, [ebp+var_68]
		mov	esi, ecx
		stosd
		push	47706E50h
		push	10h
		push	1
		stosd
		mov	[ebp+var_78], esi
		stosd
		stosd
		xor	edi, edi
		mov	[ebp+var_6C], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebx], ecx
		test	ecx, ecx
		jnz	short loc_96D4BB
		mov	esi, 0C000009Ah
		jmp	loc_96D639
; 

loc_96D4BB:				; CODE XREF: PiPnpRtlGatherInterfaceDeleteInfo(x,x)+46j
		mov	edi, ecx
		xor	eax, eax
		mov	edx, esi
		stosd
		stosd
		stosd
		stosd
		push	dword ptr [ebx]
		push	3
		pop	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_96D4E1
		test	esi, esi
		js	loc_96D636

loc_96D4E1:				; CODE XREF: PiPnpRtlGatherInterfaceDeleteInfo(x,x)+6Ej
		mov	edi, [ebp+var_78]
		lea	eax, [ebp+var_70]
		xor	ecx, ecx
		mov	edx, edi
		push	ecx
		push	eax
		push	10h
		lea	eax, [ebp+var_68]
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		push	offset _DEVPKEY_DeviceInterface_ClassGuid
		push	ecx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_96D557
		cmp	esi, 0C0000225h
		jz	short loc_96D557
		test	esi, esi
		js	loc_96D636
		push	ecx		; int
		lea	edx, [ebp+var_58] ; void *
		lea	ecx, [ebp+var_68] ; int
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		test	eax, eax
		js	short loc_96D557
		mov	eax, [ebx]
		lea	edx, [ebp+var_58]
		push	4
		pop	ecx
		add	eax, ecx
		push	eax
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_96D557
		test	esi, esi
		js	loc_96D636

loc_96D557:				; CODE XREF: PiPnpRtlGatherInterfaceDeleteInfo(x,x)+AAj
					; PiPnpRtlGatherInterfaceDeleteInfo(x,x)+B2j ...
		xor	ecx, ecx
		lea	eax, [ebp+var_70]
		push	ecx
		push	eax
		lea	eax, [ebp+var_6C]
		mov	edx, 0C8h
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		push	offset _DEVPKEY_Device_InstanceId
		push	ecx
		push	ecx
		push	3
		push	edi
		mov	ecx, 47706E50h
		call	PnpGetObjectProperty
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_96D5BC
		cmp	esi, 0C0000225h
		jz	short loc_96D5BC
		mov	edi, [ebp+var_6C]
		test	esi, esi
		js	loc_96D639
		mov	eax, [ebx]
		xor	ecx, ecx
		add	eax, 8
		mov	edx, edi
		push	eax
		inc	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_96D5BF
		test	esi, esi
		js	short loc_96D639
		jmp	short loc_96D5BF
; 

loc_96D5BC:				; CODE XREF: PiPnpRtlGatherInterfaceDeleteInfo(x,x)+11Ej
					; PiPnpRtlGatherInterfaceDeleteInfo(x,x)+126j
		mov	edi, [ebp+var_6C]

loc_96D5BF:				; CODE XREF: PiPnpRtlGatherInterfaceDeleteInfo(x,x)+14Bj
					; PiPnpRtlGatherInterfaceDeleteInfo(x,x)+151j
		mov	edx, [ebp+var_78]
		lea	eax, [ebp+var_70]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	10h
		lea	eax, [ebp+var_68]
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		push	offset _DEVPKEY_Device_ContainerId
		push	ecx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_96D62E
		cmp	esi, 0C0000225h
		jz	short loc_96D62E
		test	esi, esi
		js	short loc_96D639
		push	ecx		; int
		lea	edx, [ebp+var_58] ; void *
		lea	ecx, [ebp+var_68] ; int
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96D639
		mov	eax, [ebx]
		lea	edx, [ebp+var_58]
		add	eax, 0Ch
		push	eax
		push	5
		pop	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_96D630
		xor	esi, esi
		jmp	short loc_96D643
; 

loc_96D62E:				; CODE XREF: PiPnpRtlGatherInterfaceDeleteInfo(x,x)+186j
					; PiPnpRtlGatherInterfaceDeleteInfo(x,x)+18Ej
		xor	esi, esi

loc_96D630:				; CODE XREF: PiPnpRtlGatherInterfaceDeleteInfo(x,x)+1BFj
		test	esi, esi
		jns	short loc_96D643
		jmp	short loc_96D639
; 

loc_96D636:				; CODE XREF: PiPnpRtlGatherInterfaceDeleteInfo(x,x)+72j
					; PiPnpRtlGatherInterfaceDeleteInfo(x,x)+B6j ...
		mov	edi, [ebp+var_6C]

loc_96D639:				; CODE XREF: PiPnpRtlGatherInterfaceDeleteInfo(x,x)+4Dj
					; PiPnpRtlGatherInterfaceDeleteInfo(x,x)+12Dj ...
		mov	ecx, [ebx]
		call	_PiPnpRtlFreeInterfaceDeleteInfo@4 ; PiPnpRtlFreeInterfaceDeleteInfo(x)
		and	dword ptr [ebx], 0

loc_96D643:				; CODE XREF: PiPnpRtlGatherInterfaceDeleteInfo(x,x)+1C3j
					; PiPnpRtlGatherInterfaceDeleteInfo(x,x)+1C9j
		test	edi, edi
		jz	short loc_96D652
		push	47706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96D652:				; CODE XREF: PiPnpRtlGatherInterfaceDeleteInfo(x,x)+1DCj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PiPnpRtlGatherInterfaceDeleteInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlGatherPanelRemoveInfo(x, x,	x)
_PiPnpRtlGatherPanelRemoveInfo@12 proc near ; CODE XREF: PiPnpRtlCmActionCallback+1159BDp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	47706E50h
		push	8
		push	1
		mov	ebx, edx
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, [ebp+arg_0]
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_96D68D
		mov	esi, 0C000009Ah
		jmp	short loc_96D6CB
; 

loc_96D68D:				; CODE XREF: PiPnpRtlGatherPanelRemoveInfo(x,x,x)+21j
		and	dword ptr [eax], 0
		xor	ecx, ecx
		and	dword ptr [eax+4], 0
		mov	edx, esi
		push	eax
		inc	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_96D6AD
		test	esi, esi
		js	short loc_96D6CB

loc_96D6AD:				; CODE XREF: PiPnpRtlGatherPanelRemoveInfo(x,x,x)+44j
		mov	eax, [edi]
		mov	edx, ebx
		add	eax, 4
		push	eax
		push	6
		pop	ecx
		call	_PiDmGetObject@12 ; PiDmGetObject(x,x,x)
		lea	esi, [eax+3FFFFFCCh]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jge	short loc_96D6D5

loc_96D6CB:				; CODE XREF: PiPnpRtlGatherPanelRemoveInfo(x,x,x)+28j
					; PiPnpRtlGatherPanelRemoveInfo(x,x,x)+48j
		mov	ecx, [edi]
		call	_PiPnpRtlFreeContainerRemoveInfo@4 ; PiPnpRtlFreeContainerRemoveInfo(x)
		and	dword ptr [edi], 0

loc_96D6D5:				; CODE XREF: PiPnpRtlGatherPanelRemoveInfo(x,x,x)+66j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PiPnpRtlGatherPanelRemoveInfo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlGetDeviceRelationsList(x, x, x, x, x, x, x)
_PiPnpRtlGetDeviceRelationsList@28 proc	near ; DATA XREF: PiPnpRtlInit+DAo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_18]
		mov	edx, [ebp+arg_8]
		push	[ebp+arg_14]
		mov	ecx, [ebp+arg_4]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	_PlugPlayGetDeviceRelations@24 ; PlugPlayGetDeviceRelations(x,x,x,x,x,x)
		pop	ebp
		retn	1Ch
_PiPnpRtlGetDeviceRelationsList@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiPnpRtlSetDeviceRegProperty(x, x, x, x, x,	x, x, x)
_PiPnpRtlSetDeviceRegProperty@32 proc near
					; CODE XREF: PiDevCfgSetDeviceRegProp(x,x,x,x,x,x,x)+27p
					; PiCMSetRegistryProperty(x,x,x,x,x,x)+B7p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_10], ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, edx
		mov	[ebp+var_18], esi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	byte ptr [ebp+var_14], bl
		cmp	edi, 11h
		jg	loc_96D7F4
		cmp	edi, 10h
		jge	loc_96D7E6
		cmp	edi, 2
		jl	loc_96D7FE
		cmp	edi, 3
		jle	loc_96D7DB
		cmp	edi, 9
		jz	short loc_96D7BA
		cmp	edi, 0Bh
		jnz	loc_96D7FE
		cmp	[ebp+arg_C], ebx
		jz	short loc_96D7B3
		cmp	[ebp+arg_10], 4
		jnz	short loc_96D7B3
		xor	edx, edx
		lea	ecx, [edi+7Fh]
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jz	loc_96D7FE
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_4]
		push	ebx
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], 4
		push	eax
		lea	eax, [ebp+var_C]
		mov	edx, esi
		push	eax
		push	edi
		push	[ebp+arg_0]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_96D7A9
		cmp	[ebp+var_4], 4
		jnz	short loc_96D7A9
		cmp	[ebp+var_C], 4
		jz	short loc_96D7AC

loc_96D7A9:				; CODE XREF: PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+9Dj
					; PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+A3j
		mov	[ebp+var_8], ebx

loc_96D7AC:				; CODE XREF: PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+A9j
		mov	eax, [ebp+arg_C]
		mov	ebx, [eax]
		jmp	short loc_96D801
; 

loc_96D7B3:				; CODE XREF: PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+5Fj
					; PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+65j
		mov	esi, 0C000000Dh
		jmp	short loc_96D7EB
; 

loc_96D7BA:				; CODE XREF: PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+51j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	eax, eax
		inc	eax
		push	eax
		push	offset _PnpRegistryDeviceResource
		mov	[ebp+var_14], eax
		call	ExAcquireResourceExclusiveLite
		jmp	short loc_96D7FE
; 

loc_96D7DB:				; CODE XREF: PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+48j
		mov	ecx, esi
		call	__CmIsRootEnumeratedDevice@4 ; _CmIsRootEnumeratedDevice(x)
		test	al, al
		jnz	short loc_96D7FE

loc_96D7E6:				; CODE XREF: PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+36j
					; PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+F9j ...
		mov	esi, 0C0000022h

loc_96D7EB:				; CODE XREF: PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+BAj
					; PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+155j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_96D7F4:				; CODE XREF: PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+2Dj
		cmp	edi, 1Dh
		jz	short loc_96D7E6
		cmp	edi, 25h
		jz	short loc_96D7E6

loc_96D7FE:				; CODE XREF: PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+3Fj
					; PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+56j ...
		mov	eax, [ebp+arg_C]

loc_96D801:				; CODE XREF: PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+B3j
		push	[ebp+arg_14]
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		push	[ebp+arg_10]
		push	eax
		push	[ebp+arg_8]
		push	edi
		push	[ebp+arg_0]
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	edi, 0Bh
		jnz	short loc_96D84F
		xor	edx, edx
		lea	ecx, [edi+7Fh]
		call	SeAuditingWithTokenForSubcategory
		test	al, al
		jz	short loc_96D84F
		push	[ebp+var_18]
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp+var_8]
		lea	ecx, [ebp+var_20]
		test	esi, esi
		setns	byte ptr [ebp+arg_C]
		push	[ebp+arg_C]
		push	ebx
		call	_PiAuditDeviceEnableDisableRequest@16 ;	PiAuditDeviceEnableDisableRequest(x,x,x,x)

loc_96D84F:				; CODE XREF: PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+120j
					; PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+12Ej
		cmp	byte ptr [ebp+var_14], 0
		jz	short loc_96D7EB
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_96D7EB
_PiPnpRtlSetDeviceRegProperty@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmFreeGenericTableEntry(x, x)
_PiDmFreeGenericTableEntry@8 proc near	; DATA XREF: PiDmObjectManagerInit(x,x)+11o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	5A706E50h
		push	[ebp+arg_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_PiDmFreeGenericTableEntry@8 endp


;  S U B	R O U T	I N E 


; __stdcall PiDmGetObjectCount(x)
_PiDmGetObjectCount@4 proc near		; CODE XREF: PiDqQueryAppendActionEntry+117E32p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		call	PiDmGetObjectManagerForObjectType
		mov	ecx, large fs:124h
		mov	edi, eax
		dec	word ptr [ecx+13Ch]
		nop
		push	1
		push	edi
		call	ExAcquireResourceSharedLite
		lea	ecx, [edi+38h]
		push	ecx
		call	_RtlNumberGenericTableElementsAvl@4 ; RtlNumberGenericTableElementsAvl(x)
		mov	ecx, edi
		mov	esi, eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		retn
_PiDmGetObjectCount@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmListAddList(x, x, x, x)
_PiDmListAddList@16 proc near		; CODE XREF: PiPnpRtlCmActionCallback+115BAEp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ecx, [edi+14h]
		call	PiDmGetObjectManagerForObjectType
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_8], eax
		lea	esi, [ebx+34h]
		mov	[ebp+var_C], esi
		cmp	edi, ebx
		jnb	short loc_96D923
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		jmp	short loc_96D953
; 

loc_96D923:				; CODE XREF: PiDmListAddList(x,x,x,x)+23j
		mov	eax, large fs:124h
		jbe	short loc_96D942
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	eax, large fs:124h

loc_96D942:				; CODE XREF: PiDmListAddList(x,x,x,x)+5Cj
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx

loc_96D953:				; CODE XREF: PiDmListAddList(x,x,x,x)+54j
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_96D9A3
		mov	ebx, eax

loc_96D95B:				; CODE XREF: PiDmListAddList(x,x,x,x)+D1j
		mov	eax, large fs:124h
		lea	esi, [ebx-28h]
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	edx, [ebp+var_8]
		push	0
		push	esi
		push	edi
		push	2
		pop	ecx
		call	_PiDmListAddObjectWorker@20 ; PiDmListAddObjectWorker(x,x,x,x,x)
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ebx, [ebx]
		cmp	ebx, [ebp+var_C]
		jnz	short loc_96D95B
		mov	ebx, [ebp+arg_4]

loc_96D9A3:				; CODE XREF: PiDmListAddList(x,x,x,x)+8Aj
		cmp	edi, ebx
		jnb	short loc_96D9D8
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_96D9BC:				; CODE XREF: PiDmListAddList(x,x,x,x):loc_96D9D8j
		mov	ecx, edi

loc_96D9BE:				; CODE XREF: PiDmListAddList(x,x,x,x)+124j
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_96D9D8:				; CODE XREF: PiDmListAddList(x,x,x,x)+D8j
		jbe	short loc_96D9BC
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, ebx
		jmp	short loc_96D9BE
_PiDmListAddList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmListRemoveList(x, x, x,	x)
_PiDmListRemoveList@16 proc near	; CODE XREF: PiPnpRtlCmActionCallback+115DB9p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ecx, [edi+14h]
		call	PiDmGetObjectManagerForObjectType
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_8], eax
		lea	esi, [ebx+34h]
		mov	[ebp+var_C], esi
		cmp	edi, ebx
		jnb	short loc_96DA49
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		jmp	short loc_96DA79
; 

loc_96DA49:				; CODE XREF: PiDmListRemoveList(x,x,x,x)+23j
		mov	eax, large fs:124h
		jbe	short loc_96DA68
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	eax, large fs:124h

loc_96DA68:				; CODE XREF: PiDmListRemoveList(x,x,x,x)+5Cj
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx

loc_96DA79:				; CODE XREF: PiDmListRemoveList(x,x,x,x)+54j
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_96DAC9
		mov	ebx, eax

loc_96DA81:				; CODE XREF: PiDmListRemoveList(x,x,x,x)+D1j
		mov	eax, large fs:124h
		lea	esi, [ebx-28h]
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	edx, [ebp+var_8]
		push	0
		push	esi
		push	edi
		push	2
		pop	ecx
		call	_PiDmListRemoveObjectWorker@20 ; PiDmListRemoveObjectWorker(x,x,x,x,x)
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ebx, [ebx]
		cmp	ebx, [ebp+var_C]
		jnz	short loc_96DA81
		mov	ebx, [ebp+arg_4]

loc_96DAC9:				; CODE XREF: PiDmListRemoveList(x,x,x,x)+8Aj
		cmp	edi, ebx
		jnb	short loc_96DAFE
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_96DAE2:				; CODE XREF: PiDmListRemoveList(x,x,x,x):loc_96DAFEj
		mov	ecx, edi

loc_96DAE4:				; CODE XREF: PiDmListRemoveList(x,x,x,x)+124j
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_96DAFE:				; CODE XREF: PiDmListRemoveList(x,x,x,x)+D8j
		jbe	short loc_96DAE2
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, ebx
		jmp	short loc_96DAE4
_PiDmListRemoveList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmListRemoveObject(x, x, x, x)
_PiDmListRemoveObject@16 proc near	; CODE XREF: PiPnpRtlCmActionCallback+11592Cp
					; PiPnpRtlCmActionCallback+115B17p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		mov	ecx, [eax+14h]
		call	PiDmGetObjectManagerForObjectType
		mov	esi, large fs:124h
		mov	edi, eax
		dec	word ptr [esi+13Ch]
		nop
		mov	esi, [ebp+var_4]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, ebx
		push	[ebp+arg_0]
		push	esi
		call	_PiDmListRemoveObjectWorker@20 ; PiDmListRemoveObjectWorker(x,x,x,x,x)
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiDmListRemoveObject@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmListRemoveObjectWorker(x, x, x,	x, x)
_PiDmListRemoveObjectWorker@20 proc near ; CODE	XREF: PiDmListRemoveList(x,x,x,x)+B2p
					; PiDmListRemoveObject(x,x,x,x)+59p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		imul	eax, ecx, 14h
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edx, ds:dword_4042C4[eax]
		mov	eax, ds:dword_4042CC[eax]
		add	eax, [ebp+arg_4]
		add	edx, [ebp+arg_0]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_96DC4B
		xor	ebx, ebx
		inc	ebx
		cmp	[ecx+4], eax
		jnz	short loc_96DC46
		mov	edi, [eax+4]
		cmp	[edi], eax
		jnz	short loc_96DC46
		mov	[edi], ecx
		mov	[ecx+4], edi
		xor	edi, edi
		dec	dword ptr [edx+8]
		mov	[eax], edi
		mov	[eax+4], edi
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ebx
		push	esi
		call	ExAcquireResourceExclusiveLite
		mov	eax, [ebp+arg_0]
		dec	dword ptr [eax+8]
		mov	eax, [ebp+arg_0]
		cmp	[eax+8], edi
		jnz	short loc_96DC24
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [esi+38h]
		push	eax
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		mov	ecx, [ebp+arg_0]
		call	PiDmObjectRelease

loc_96DC24:				; CODE XREF: PiDmListRemoveObjectWorker(x,x,x,x,x)+64j
		mov	ecx, esi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0FFFFFFFFh
		call	PiDmListUpdateAggregationCountWorker
		jmp	short loc_96DC4D
; 

loc_96DC46:				; CODE XREF: PiDmListRemoveObjectWorker(x,x,x,x,x)+2Bj
					; PiDmListRemoveObjectWorker(x,x,x,x,x)+32j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_96DC4B:				; CODE XREF: PiDmListRemoveObjectWorker(x,x,x,x,x)+23j
		xor	bl, bl

loc_96DC4D:				; CODE XREF: PiDmListRemoveObjectWorker(x,x,x,x,x)+9Bj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_96DC56
		mov	[eax], bl

loc_96DC56:				; CODE XREF: PiDmListRemoveObjectWorker(x,x,x,x,x)+A9j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_PiDmListRemoveObjectWorker@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmPnpObjectMatchCallback(x, x, x)
_PiDmPnpObjectMatchCallback@12 proc near ; DATA	XREF: PiPnpRtlObjectActionCallback+118919o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_96DC83
		push	dword ptr [eax+4]
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+14h]
		push	dword ptr [eax+0Ch]
		push	_PiPnpRtlCtx
		call	ecx
		mov	cl, al
		jmp	short loc_96DC85
; 

loc_96DC83:				; CODE XREF: PiDmPnpObjectMatchCallback(x,x,x)+Cj
		mov	cl, 1

loc_96DC85:				; CODE XREF: PiDmPnpObjectMatchCallback(x,x,x)+24j
		mov	eax, [ebp+arg_8]
		mov	[eax], cl
		xor	eax, eax
		pop	ebp
		retn	0Ch
_PiDmPnpObjectMatchCallback@12 endp


;  S U B	R O U T	I N E 


; __stdcall PipDmgInitParseGroupPolicy(x)
_PipDmgInitParseGroupPolicy@4 proc near	; CODE XREF: PipDmgInitReadGroupPolicy()+7Fp
		xor	eax, eax
		sub	ecx, eax
		jz	short loc_96DCA6
		sub	ecx, 1
		jz	short loc_96DCA2
		sub	ecx, 1
		jnz	short locret_96DCA9
		inc	eax
		retn
; 

loc_96DCA2:				; CODE XREF: PipDmgInitParseGroupPolicy(x)+9j
		push	2
		pop	eax
		retn
; 

loc_96DCA6:				; CODE XREF: PipDmgInitParseGroupPolicy(x)+4j
		push	3
		pop	eax

locret_96DCA9:				; CODE XREF: PipDmgInitParseGroupPolicy(x)+Ej
		retn
_PipDmgInitParseGroupPolicy@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipDmgInitReadGroupPolicy()
_PipDmgInitReadGroupPolicy@0 proc near	; CODE XREF: PipDmgInitPhaseTwo:loc_92975Ep

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], offset loc_980096
		mov	[ebp+var_20], eax
		xor	edi, edi
		lea	eax, [ebp+var_28]
		mov	[ebp+var_8], edi
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], offset ??_C@_1JI@IBPLMKFD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\Software\\Policies\\Mic"...
		push	eax
		mov	esi, edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_28], 18h
		mov	[ebp+var_24], edi
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_96DD3B
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		mov	edx, offset ??_C@_1DA@ECPFKNNG@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAE?$AAn?$AAu?$AAm?$AAe?$AAr?$AAa?$AAt?$AAi@NNGAKEGL@
		call	IopGetRegistryValue
		mov	edx, [ebp+var_8]
		test	eax, eax
		js	short loc_96DD30
		mov	ecx, edx
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_96DD30
		mov	ecx, [edx+8]
		mov	ecx, [ecx+edx]
		call	_PipDmgInitParseGroupPolicy@4 ;	PipDmgInitParseGroupPolicy(x)
		mov	esi, eax

loc_96DD30:				; CODE XREF: PipDmgInitReadGroupPolicy()+6Cj
					; PipDmgInitReadGroupPolicy()+77j
		test	edx, edx
		jz	short loc_96DD3B
		push	edi
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96DD3B:				; CODE XREF: PipDmgInitReadGroupPolicy()+53j
					; PipDmgInitReadGroupPolicy()+88j
		cmp	[ebp+var_4], 0FFFFFFFFh
		jz	short loc_96DD49
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_96DD49:				; CODE XREF: PipDmgInitReadGroupPolicy()+95j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_PipDmgInitReadGroupPolicy@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDcContainerRequiresConfiguration(x)
_PiDcContainerRequiresConfiguration@4 proc near
					; CODE XREF: PiDcUpdateDeviceContainerMembership+6E9C7p
					; PiDcHandleCustomDeviceEvent+11BD01p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], ebx
		mov	esi, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], ebx
		call	_PnpIsNullGuidString@4 ; PnpIsNullGuidString(x)
		test	al, al
		jnz	short loc_96DDDF
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_C]
		push	ebx
		push	eax
		push	4
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	offset _DEVPKEY_DeviceContainer_ConfigFlags
		push	ebx
		push	ebx
		push	5
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96DDA9
		cmp	[ebp+var_4], 7
		jnz	short loc_96DDA9
		cmp	[ebp+var_8], 0FFFFFFFFh
		jz	short loc_96DDDF

loc_96DDA9:				; CODE XREF: PiDcContainerRequiresConfiguration(x)+4Cj
					; PiDcContainerRequiresConfiguration(x)+52j
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	ebx
		push	4
		push	offset _unconfiguredConfigFlags
		push	7
		push	offset _DEVPKEY_DeviceContainer_ConfigFlags
		push	ebx
		push	ebx
		push	5
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96DDDF
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _WNF_PNPC_CONTAINER_CONFIG_REQUESTED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_96DDDF:				; CODE XREF: PiDcContainerRequiresConfiguration(x)+21j
					; PiDcContainerRequiresConfiguration(x)+58j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiDcContainerRequiresConfiguration@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDcFreeGenericTableEntry(x, x)
_PiDcFreeGenericTableEntry@8 proc near	; DATA XREF: PiDcInit(x)+2Ao

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	47706E50h
		push	[ebp+arg_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_PiDcFreeGenericTableEntry@8 endp


;  S U B	R O U T	I N E 


; __stdcall PiDcHandleSystemFirmwareUpdate()
_PiDcHandleSystemFirmwareUpdate@0 proc near
					; CODE XREF: IopInitializePlugPlayServices(x,x)+844p
		mov	edi, edi
		push	ecx
		mov	ecx, offset ??_C@_1EO@EKIIDBMB@?$AA?$HL?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9@NNGAKEGL@ ; "{00000000-0000-0000-FFFF-FFFFFFFFFFFF}"
		call	_PiDcContainerRequiresConfiguration@4 ;	PiDcContainerRequiresConfiguration(x)
		pop	ecx
		retn
_PiDcHandleSystemFirmwareUpdate@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDcResetChildDeviceContainerCallback(x, x,	x)
_PiDcResetChildDeviceContainerCallback@12 proc near
					; DATA XREF: PiDcResetChildDeviceContainers(x,x)+50o

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= word ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	ecx, ebx
		mov	[esp+80h+var_64], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	[esp+84h+var_74], eax
		mov	esi, ebx
		xor	eax, eax
		push	edi
		mov	[esp+88h+var_60], eax
		mov	edi, eax
		mov	[esp+88h+var_5C], eax
		mov	[esp+88h+var_70], eax
		mov	[esp+88h+var_78], eax
		mov	[esp+88h+var_6C], eax
		mov	[esp+88h+var_68], eax
		call	__CmIsRootDevice@4 ; _CmIsRootDevice(x)
		test	al, al
		jnz	loc_96DFE7

loc_96DE62:				; CODE XREF: PiDcResetChildDeviceContainerCallback(x,x,x)+165j
		push	esi
		lea	eax, [esp+8Ch+var_60]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_96DFD8
		mov	edx, 746C6644h
		lea	ecx, [esp+88h+var_60]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		test	eax, eax
		jnz	loc_96DFD1
		cmp	esi, ebx
		jz	short loc_96DEF1
		mov	ecx, _PiPnpRtlCtx
		mov	edx, esi
		push	eax
		lea	eax, [esp+8Ch+var_78]
		mov	[esp+8Ch+var_78], 4Eh
		push	eax
		lea	eax, [esp+90h+var_58]
		push	eax
		lea	eax, [esp+94h+var_70]
		push	eax
		push	25h
		push	0
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_96DFD8
		cmp	[esp+88h+var_70], 1
		jnz	loc_96DFD8
		cmp	[esp+88h+var_78], 4Eh
		jnz	loc_96DFD8
		mov	eax, [esp+88h+var_74]
		push	dword ptr [eax+4] ; wchar_t *
		lea	eax, [esp+8Ch+var_58]
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_96DFD8

loc_96DEF1:				; CODE XREF: PiDcResetChildDeviceContainerCallback(x,x,x)+82j
		test	edi, edi
		jnz	short loc_96DF10
		push	47706E50h
		push	190h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_96DFE7

loc_96DF10:				; CODE XREF: PiDcResetChildDeviceContainerCallback(x,x,x)+E8j
		xor	ecx, ecx
		lea	eax, [esp+88h+var_68]
		push	ecx
		push	eax
		push	190h
		push	edi
		lea	eax, [esp+98h+var_6C]
		mov	edx, esi
		push	eax
		push	offset _DEVPKEY_Device_LastKnownParent ; "&cڃ@S?W;)\n"
		push	ecx
		push	ecx
		mov	ecx, [esp+0A8h+var_64]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_96DFD8
		cmp	[esp+88h+var_6C], 12h
		jnz	loc_96DFD8
		xor	eax, eax
		mov	[edi+18Eh], ax
		mov	eax, [esp+88h+var_74]
		push	dword ptr [eax]	; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_96DF78
		mov	ecx, edi
		mov	esi, edi
		call	__CmIsRootDevice@4 ; _CmIsRootDevice(x)
		test	al, al
		jz	loc_96DE62
		jmp	short loc_96DFD8
; 

loc_96DF78:				; CODE XREF: PiDcResetChildDeviceContainerCallback(x,x,x)+158j
		push	47706E50h
		push	198h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_96DFD8
		push	ebx
		lea	ecx, [esi+8]
		mov	edx, 190h
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		test	eax, eax
		js	short loc_96DFC0
		mov	eax, [esp+88h+var_74]
		add	eax, 8
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jz	short loc_96DFB4
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_96DFB4:				; CODE XREF: PiDcResetChildDeviceContainerCallback(x,x,x)+1A2j
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi
		xor	esi, esi

loc_96DFC0:				; CODE XREF: PiDcResetChildDeviceContainerCallback(x,x,x)+194j
		test	esi, esi
		jz	short loc_96DFD8
		push	47706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_96DFD8
; 

loc_96DFD1:				; CODE XREF: PiDcResetChildDeviceContainerCallback(x,x,x)+7Aj
		mov	ecx, eax
		call	ObfDereferenceObject

loc_96DFD8:				; CODE XREF: PiDcResetChildDeviceContainerCallback(x,x,x)+64j
					; PiDcResetChildDeviceContainerCallback(x,x,x)+AFj ...
		test	edi, edi
		jz	short loc_96DFE7
		push	47706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96DFE7:				; CODE XREF: PiDcResetChildDeviceContainerCallback(x,x,x)+51j
					; PiDcResetChildDeviceContainerCallback(x,x,x)+FFj ...
		mov	ecx, [esp+88h+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PiDcResetChildDeviceContainerCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDcResetChildDeviceContainers(x, x)
_PiDcResetChildDeviceContainers@8 proc near
					; CODE XREF: PiDcUpdateDeviceContainerMembership+6E9B7p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_68], ecx
		xor	esi, esi
		mov	[ebp+var_64], ebx
		lea	eax, [ebp+var_60]
		mov	[ebp+var_70], esi
		push	offset ??_C@_1EO@EKIIDBMB@?$AA?$HL?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9@NNGAKEGL@ ; "{00000000-0000-0000-FFFF-FFFFFFFFFFFF}"
		push	ebx		; wchar_t *
		mov	edi, esi
		mov	[ebp+var_6C], esi
		mov	[ebp+var_5C], eax
		mov	[ebp+var_60], eax
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_96E0FF
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_68]
		push	eax
		push	offset _PiDcResetChildDeviceContainerCallback@12 ; PiDcResetChildDeviceContainerCallback(x,x,x)
		push	esi
		mov	edx, ebx
		call	__CmEnumDevicesInContainerWithCallback@24 ; _CmEnumDevicesInContainerWithCallback(x,x,x,x,x,x)
		mov	esi, [ebp+var_60]
		lea	eax, [ebp+var_60]
		cmp	esi, eax
		jz	loc_96E102

loc_96E06B:				; CODE XREF: PiDcResetChildDeviceContainers(x,x)+F9j
		push	0
		lea	ecx, [ebp+var_6C]
		mov	[ebp+var_6C], 4Eh
		push	ecx
		lea	ecx, [ebp+var_58]
		push	ecx
		lea	ecx, [ebp+var_70]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	edx, [esi+8]
		push	25h
		push	0
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000225h
		jz	short loc_96E0F0
		cmp	[ebp+var_70], 1
		jnz	short loc_96E0F0
		cmp	[ebp+var_6C], 4Eh
		jnz	short loc_96E0F0
		test	edi, edi
		js	short loc_96E0FF
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esi+8]
		push	eax
		lea	eax, [ebp+var_58]
		mov	edx, ebx
		push	eax
		call	__CmRemoveDeviceFromContainer@20 ; _CmRemoveDeviceFromContainer(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_96E0FF
		mov	ecx, _PiPnpRtlCtx
		lea	edx, [esi+8]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	1
		push	25h
		push	eax
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000225h
		jz	short loc_96E0F0
		test	edi, edi
		js	short loc_96E0FF
		jmp	short loc_96E0F2
; 

loc_96E0F0:				; CODE XREF: PiDcResetChildDeviceContainers(x,x)+9Aj
					; PiDcResetChildDeviceContainers(x,x)+A0j ...
		xor	edi, edi

loc_96E0F2:				; CODE XREF: PiDcResetChildDeviceContainers(x,x)+EEj
		mov	esi, [esi]
		lea	eax, [ebp+var_60]
		cmp	esi, eax
		jnz	loc_96E06B

loc_96E0FF:				; CODE XREF: PiDcResetChildDeviceContainers(x,x)+3Fj
					; PiDcResetChildDeviceContainers(x,x)+AAj ...
		mov	esi, [ebp+var_60]

loc_96E102:				; CODE XREF: PiDcResetChildDeviceContainers(x,x)+65j
		lea	eax, [ebp+var_60]
		cmp	esi, eax
		jz	short loc_96E130
		cmp	[esi+4], eax
		jnz	short loc_96E12B
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_96E12B
		push	47706E50h
		lea	ecx, [ebp+var_60]
		mov	[ebp+var_60], eax
		push	esi
		mov	[eax+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_96E0FF
; 

loc_96E12B:				; CODE XREF: PiDcResetChildDeviceContainers(x,x)+10Cj
					; PiDcResetChildDeviceContainers(x,x)+113j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_96E130:				; CODE XREF: PiDcResetChildDeviceContainers(x,x)+107j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PiDcResetChildDeviceContainers@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiAuCheckClientInteractive(x)
_PiAuCheckClientInteractive@4 proc near	; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+27Dp

var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	20207050h
		mov	ebx, ecx
		mov	[ebp+var_8], 500h
		xor	eax, eax
		push	0Ch
		push	1
		mov	[ebp+var_C], eax
		mov	byte ptr [ebp+var_1], al
		mov	[ebx], al
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_96E179
		mov	esi, 0C000009Ah
		jmp	short loc_96E1C9
; 

loc_96E179:				; CODE XREF: PiAuCheckClientInteractive(x)+2Fj
		push	1
		lea	eax, [ebp+var_C]
		push	eax
		push	edi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96E1C1
		push	0
		push	edi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	edi
		mov	dword ptr [eax], 4
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jnz	short loc_96E1A8
		mov	esi, 0C00000E5h

loc_96E1A8:				; CODE XREF: PiAuCheckClientInteractive(x)+60j
		test	esi, esi
		js	short loc_96E1C1
		lea	edx, [ebp+var_1]
		mov	ecx, edi
		call	_PiAuCheckTokenMembership@8 ; PiAuCheckTokenMembership(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96E1C1
		mov	al, byte ptr [ebp+var_1]
		mov	[ebx], al

loc_96E1C1:				; CODE XREF: PiAuCheckClientInteractive(x)+48j
					; PiAuCheckClientInteractive(x)+69j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96E1C9:				; CODE XREF: PiAuCheckClientInteractive(x)+36j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiAuCheckClientInteractive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiAuCheckTokenMembership(x,	x)
_PiAuCheckTokenMembership@8 proc near	; CODE XREF: PiAuCheckClientInteractive(x)+70p

var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_28], edx
		lea	edi, [ebp+var_38]
		mov	[ebp+var_14], 20001h
		stosd
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_18], esi
		push	esi
		mov	[ebp+var_24], ecx
		stosd
		mov	[ebp+var_20], ecx
		mov	[ebp+var_8], 1F0001h
		mov	[edx], cl
		stosd
		stosd
		mov	eax, 20000h
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		imul	ebx, eax, 3
		push	20207050h
		add	ebx, 28h
		push	ebx
		push	1
		mov	[ebp+var_1C], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_96E245
		mov	esi, 0C000009Ah
		jmp	loc_96E312
; 

loc_96E245:				; CODE XREF: PiAuCheckTokenMembership(x,x)+69j
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		lea	ebx, [edi+14h]
		push	1
		push	edi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	esi
		push	edi
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		push	0
		push	esi
		push	edi
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		mov	eax, [ebp+var_1C]
		push	2		; int
		add	eax, 0FFFFFFECh
		push	eax		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_96E30A
		push	0
		push	[ebp+var_18]
		mov	ecx, ebx
		push	1
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	short loc_96E30A
		push	0
		push	ebx
		push	1
		push	edi
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_96E30A
		lea	eax, [ebp+var_38]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	eax, large fs:124h
		xor	esi, esi
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_18], al
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_18]
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		push	esi
		push	1
		push	esi
		lea	eax, [ebp+var_38]
		push	eax
		push	edi
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_28]
		mov	[ecx], al
		lea	eax, [ebp+var_38]
		push	eax
		call	SeReleaseSubjectContext

loc_96E30A:				; CODE XREF: PiAuCheckTokenMembership(x,x)+B1j
					; PiAuCheckTokenMembership(x,x)+CEj ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96E312:				; CODE XREF: PiAuCheckTokenMembership(x,x)+70j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PiAuCheckTokenMembership@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiAuDoesClientHavePrivilege(x)
_PiAuDoesClientHavePrivilege@4 proc near ; CODE	XREF: PiCMDeviceAction(x,x,x,x,x,x)+E5p
					; PiCMDeviceAction(x,x,x,x,x,x)+14Cp ...

var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	ebx
		push	edi
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		mov	[ebp+var_10], ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_1C], al
		xor	eax, eax
		inc	eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_2C]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		push	[ebp+var_1C]
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_SePrivilegeCheck@12 ; SePrivilegeCheck(x,x,x)
		mov	bl, al
		lea	eax, [ebp+var_2C]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PiAuDoesClientHavePrivilege@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiAuGetServiceStateSecurityObject(x)
_PiAuGetServiceStateSecurityObject@4 proc near
					; CODE XREF: IoOpenDriverRegistryKey(x,x,x,x,x)+1A2p
					; PiCreateDriverRedirectedStateKey+8C760p

var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], ecx
		lea	edi, [ebp+var_1C]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	eax, ds:_SeExports
		xor	edi, edi
		push	dword ptr [eax+190h]
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	ds:_SeAliasAdminsSid
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeLocalSystemSid
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeTrustedInstallerSid
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 28h
		push	20207050h
		add	esi, eax
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_96E41D
		mov	esi, 0C000009Ah
		jmp	loc_96E596
; 

loc_96E41D:				; CODE XREF: PiAuGetServiceStateSecurityObject(x)+67j
		push	2		; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_96E582
		mov	eax, _SeTrustedInstallerSid
		mov	ecx, ebx
		push	0
		push	eax
		push	10000000h
		push	2
		push	2
		pop	edx
		mov	[ebp+var_4], eax
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_96E582
		push	0
		push	_SeLocalSystemSid
		mov	ecx, ebx
		push	80030006h
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_96E582
		push	0
		push	ds:_SeAliasAdminsSid
		mov	ecx, ebx
		push	80000000h
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_96E582
		mov	eax, ds:_SeExports
		mov	ecx, ebx
		push	0
		mov	eax, [eax+190h]
		push	eax
		push	80000000h
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_96E582
		push	1
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_96E582
		push	0
		push	ebx
		push	1
		lea	eax, [ebp+var_1C]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_96E582
		push	0
		push	[ebp+var_4]
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96E582
		push	0
		push	[ebp+var_4]
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96E582
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jnz	short loc_96E52E

loc_96E527:				; CODE XREF: PiAuGetServiceStateSecurityObject(x)+195j
		mov	esi, 0C00000E5h
		jmp	short loc_96E582
; 

loc_96E52E:				; CODE XREF: PiAuGetServiceStateSecurityObject(x)+17Bj
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	esi, eax
		mov	[ebp+var_4], esi
		cmp	esi, 14h
		jb	short loc_96E527
		push	20207050h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_96E55B
		mov	esi, 0C000009Ah
		jmp	short loc_96E582
; 

loc_96E55B:				; CODE XREF: PiAuGetServiceStateSecurityObject(x)+1A8j
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96E582
		mov	eax, [ebp+var_8]
		mov	[eax], edi
		xor	edi, edi

loc_96E582:				; CODE XREF: PiAuGetServiceStateSecurityObject(x)+80j
					; PiAuGetServiceStateSecurityObject(x)+A6j ...
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jz	short loc_96E596
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96E596:				; CODE XREF: PiAuGetServiceStateSecurityObject(x)+6Ej
					; PiAuGetServiceStateSecurityObject(x)+1E2j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiAuGetServiceStateSecurityObject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiAuGetStateDirectorySecurityObject(x)
_PiAuGetStateDirectorySecurityObject@4 proc near
					; CODE XREF: PiOpenDirectoryWithRoot(x,x,x,x)+AAp

var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_C], ecx
		lea	edi, [ebp+var_20]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	eax, ds:_SeExports
		xor	edi, edi
		push	dword ptr [eax+190h]
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	ds:_SeAliasAdminsSid
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeLocalSystemSid
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 30h
		push	20207050h
		lea	esi, [eax+esi*2]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_96E604
		mov	esi, 0C000009Ah
		jmp	loc_96E7A0
; 

loc_96E604:				; CODE XREF: PiAuGetStateDirectorySecurityObject(x)+5Bj
		push	2		; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_96E78C
		mov	eax, _SeLocalSystemSid
		mov	ecx, ebx
		push	0
		push	eax
		push	10000000h
		push	3
		push	2
		pop	edx
		mov	[ebp+var_4], eax
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_96E78C
		mov	eax, ds:_SeAliasAdminsSid
		mov	ecx, ebx
		push	0
		push	eax
		push	80000000h
		push	3
		push	2
		pop	edx
		mov	[ebp+var_8], eax
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_96E78C
		push	0
		push	[ebp+var_8]
		mov	ecx, ebx
		push	20h
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_96E78C
		mov	eax, ds:_SeExports
		mov	ecx, ebx
		push	0
		mov	eax, [eax+190h]
		push	eax
		push	80000000h
		push	3
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_96E78C
		mov	eax, ds:_SeExports
		mov	ecx, ebx
		push	0
		mov	eax, [eax+190h]
		push	eax
		push	20h
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_96E78C
		push	1
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_96E78C
		push	0
		push	ebx
		push	1
		lea	eax, [ebp+var_20]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_96E78C
		push	0
		push	[ebp+var_4]
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96E78C
		push	0
		push	[ebp+var_4]
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96E78C
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jnz	short loc_96E738

loc_96E731:				; CODE XREF: PiAuGetStateDirectorySecurityObject(x)+1ACj
		mov	esi, 0C00000E5h
		jmp	short loc_96E78C
; 

loc_96E738:				; CODE XREF: PiAuGetStateDirectorySecurityObject(x)+192j
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	esi, eax
		mov	[ebp+var_8], esi
		cmp	esi, 14h
		jb	short loc_96E731
		push	20207050h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_96E765
		mov	esi, 0C000009Ah
		jmp	short loc_96E78C
; 

loc_96E765:				; CODE XREF: PiAuGetStateDirectorySecurityObject(x)+1BFj
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96E78C
		mov	eax, [ebp+var_C]
		mov	[eax], edi
		xor	edi, edi

loc_96E78C:				; CODE XREF: PiAuGetStateDirectorySecurityObject(x)+74j
					; PiAuGetStateDirectorySecurityObject(x)+9Aj ...
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jz	short loc_96E7A0
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96E7A0:				; CODE XREF: PiAuGetStateDirectorySecurityObject(x)+62j
					; PiAuGetStateDirectorySecurityObject(x)+1F9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiAuGetStateDirectorySecurityObject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqActionDataGetAllPropertiesInAllLanguages(x, x, x, x, x,	x, x)
_PiDqActionDataGetAllPropertiesInAllLanguages@28 proc near
					; CODE XREF: PiDqActionDataCreate+117F72p
					; PiDqActionDataCreate+117F9Ap

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		push	ecx
		mov	eax, edx
		xor	esi, esi
		push	ecx
		lea	edx, [ebp+var_4]
		mov	[ebp+var_18], eax
		push	edx
		mov	edx, [ebp+arg_4]
		lea	ebx, [eax-1]
		push	ecx
		push	esi
		neg	ebx
		mov	[ebp+var_24], esi
		push	1
		push	[ebp+arg_0]
		sbb	ebx, ebx
		mov	[ebp+var_4], esi
		and	ebx, [ebp+arg_0]
		mov	edi, esi
		mov	ecx, eax
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], esi
		call	_PiDqOpenObjectRegKey@36 ; PiDqOpenObjectRegKey(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_96E99D
		lea	eax, [ebp+var_C]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	ecx
		push	[ebp+var_4]
		mov	ecx, [ebp+arg_4]
		call	_PiDqPnPGetObjectPropertyKeys@24 ; PiDqPnPGetObjectPropertyKeys(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_96E99D
		xor	eax, eax
		mov	[ebp+var_1C], eax
		cmp	[ebp+var_C], eax
		jbe	loc_96E99D
		mov	eax, [ebp+var_14]
		mov	[ebp+var_8], eax

loc_96E829:				; CODE XREF: PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+1EBj
		lea	ecx, [ebp+var_10]
		mov	edx, ebx
		push	ecx
		mov	ecx, [ebp+arg_4]
		push	eax
		push	[ebp+var_4]
		call	_PiDqPnPGetObjectPropertyLocales@20 ; PiDqPnPGetObjectPropertyLocales(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_96E99A
		mov	edx, [ebp+arg_10]
		xor	eax, eax
		cmp	[edx], eax
		jnz	short loc_96E870
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+arg_8]
		mov	[edx], eax
		mov	edx, [ebp+arg_C]
		push	eax
		mov	edx, [edx]
		call	PiDqGrowPropertyArray
		mov	esi, eax
		test	esi, esi
		js	loc_96E99A
		mov	edx, [ebp+arg_10]
		xor	eax, eax

loc_96E870:				; CODE XREF: PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+A5j
		mov	edi, [ebp+var_10]
		mov	[ebp+arg_0], edi
		cmp	[edi], ax
		jz	loc_96E91E
		mov	ecx, [ebp+arg_C]
		mov	eax, [ecx]
		mov	[ebp+var_10], eax

loc_96E887:				; CODE XREF: PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+171j
		mov	esi, [edx]
		cmp	eax, esi
		mov	[ebp+var_20], esi
		mov	esi, [ebp+arg_0]
		jnz	short loc_96E8B6
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+arg_8]
		add	eax, eax
		mov	[edx], eax
		mov	edx, [ebp+var_10]
		push	eax
		call	PiDqGrowPropertyArray
		mov	esi, eax
		test	esi, esi
		js	loc_96E99D
		mov	ecx, [ebp+arg_C]
		mov	esi, [ebp+arg_0]

loc_96E8B6:				; CODE XREF: PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+EAj
		imul	eax, [ecx], 28h
		mov	edx, ebx
		mov	ecx, [ebp+arg_8]
		add	eax, [ecx]
		mov	ecx, [ebp+arg_4]
		push	eax
		push	esi
		push	[ebp+var_18]
		push	[ebp+var_8]
		push	[ebp+var_4]
		call	PiDqPnPGetObjectProperty
		mov	esi, eax
		test	esi, esi
		js	loc_96E99D
		mov	ecx, [ebp+arg_C]
		mov	esi, [ebp+arg_0]
		mov	edx, esi
		mov	eax, [ecx]
		inc	eax
		mov	[ebp+var_10], eax
		mov	[ecx], eax
		lea	eax, [edx+2]
		mov	[ebp+arg_0], eax

loc_96E8F3:				; CODE XREF: PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+156j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_24]
		jnz	short loc_96E8F3
		sub	edx, [ebp+arg_0]
		xor	eax, eax
		sar	edx, 1
		lea	esi, [esi+edx*2]
		mov	edx, [ebp+arg_10]
		add	esi, 2
		mov	[ebp+arg_0], esi
		cmp	[esi], ax
		mov	eax, [ebp+var_10]
		jnz	loc_96E887

loc_96E91E:				; CODE XREF: PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+D2j
		push	58706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+arg_10]
		xor	eax, eax
		mov	edi, eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], edi
		mov	esi, [ecx]
		mov	edx, [eax]
		cmp	edx, esi
		jnz	short loc_96E955
		lea	eax, [esi+esi]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		push	eax
		call	PiDqGrowPropertyArray
		mov	esi, eax
		test	esi, esi
		js	short loc_96E99D
		mov	eax, [ebp+arg_C]

loc_96E955:				; CODE XREF: PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+195j
		imul	eax, [eax], 28h
		mov	edx, ebx
		mov	ecx, [ebp+arg_8]
		add	eax, [ecx]
		mov	ecx, [ebp+arg_4]
		push	eax
		xor	eax, eax
		push	eax
		push	[ebp+var_18]
		push	[ebp+var_8]
		push	[ebp+var_4]
		call	PiDqPnPGetObjectProperty
		mov	esi, eax
		test	esi, esi
		js	short loc_96E99D
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_1C]
		inc	dword ptr [eax]
		inc	ecx
		mov	eax, [ebp+var_8]
		add	eax, 14h
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_8], eax
		cmp	ecx, [ebp+var_C]
		jb	loc_96E829
		jmp	short loc_96E99D
; 

loc_96E99A:				; CODE XREF: PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+98j
					; PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+BEj
		mov	edi, [ebp+var_10]

loc_96E99D:				; CODE XREF: PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+48j
					; PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+68j ...
		cmp	[ebp+var_4], 0
		jz	short loc_96E9AB
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_96E9AB:				; CODE XREF: PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+1FAj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_96E9BD
		push	58706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96E9BD:				; CODE XREF: PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+209j
		test	edi, edi
		jz	short loc_96E9CC
		push	58706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96E9CC:				; CODE XREF: PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+218j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
_PiDqActionDataGetAllPropertiesInAllLanguages@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqActionDataGetAllPropertiesInBestLanguage(x, x, x, x, x,	x, x, x)
_PiDqActionDataGetAllPropertiesInBestLanguage@32 proc near
					; CODE XREF: PiDqActionDataCreate+117F34p
					; PiDqActionDataCreate+117F61p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		push	ecx
		mov	eax, edx
		xor	esi, esi
		push	ecx
		lea	edx, [ebp+var_4]
		mov	[ebp+var_10], eax
		push	edx
		mov	edx, [ebp+arg_4]
		lea	ebx, [eax-1]
		push	ecx
		push	esi
		neg	ebx
		mov	[ebp+var_4], esi
		push	1
		push	[ebp+arg_0]
		sbb	ebx, ebx
		mov	[ebp+var_C], esi
		and	ebx, [ebp+arg_0]
		mov	ecx, eax
		mov	[ebp+var_8], esi
		call	_PiDqOpenObjectRegKey@36 ; PiDqOpenObjectRegKey(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_96EAC4
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	ecx
		push	[ebp+var_4]
		mov	ecx, [ebp+arg_4]
		call	_PiDqPnPGetObjectPropertyKeys@24 ; PiDqPnPGetObjectPropertyKeys(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_96EAC1
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+var_8]
		mov	edx, [eax]
		mov	eax, [ebp+arg_14]
		mov	[ebp+arg_0], edx
		add	edx, ecx
		cmp	[eax], edx
		mov	eax, [ebp+arg_10]
		jnb	short loc_96EA6F
		mov	eax, [ebp+arg_14]
		mov	ecx, [ebp+arg_C]
		push	edx
		mov	[eax], edx
		mov	edx, [ebp+arg_0]
		call	PiDqGrowPropertyArray
		mov	edi, eax
		test	edi, edi
		js	short loc_96EAC1
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+arg_10]

loc_96EA6F:				; CODE XREF: PiDqActionDataGetAllPropertiesInBestLanguage(x,x,x,x,x,x,x,x)+7Bj
		mov	[ebp+arg_0], esi
		test	ecx, ecx
		jz	short loc_96EAC1
		mov	esi, [ebp+var_C]
		mov	ecx, esi
		mov	edx, [eax]
		mov	[ebp+arg_14], esi

loc_96EA80:				; CODE XREF: PiDqActionDataGetAllPropertiesInBestLanguage(x,x,x,x,x,x,x,x)+E8j
		imul	eax, edx, 28h
		mov	edx, [ebp+arg_C]
		add	eax, [edx]
		mov	edx, ebx
		push	eax
		push	[ebp+arg_8]
		push	[ebp+var_10]
		push	ecx
		push	[ebp+var_4]
		mov	ecx, [ebp+arg_4]
		call	_PiDqPnPGetObjectPropertyInBestLocale@28 ; PiDqPnPGetObjectPropertyInBestLocale(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_96EAC4
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+arg_14]
		add	ecx, 14h
		mov	[ebp+arg_14], ecx
		inc	dword ptr [eax]
		mov	edx, [eax]
		mov	eax, [ebp+arg_0]
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, [ebp+var_8]
		jb	short loc_96EA80
		jmp	short loc_96EAC4
; 

loc_96EAC1:				; CODE XREF: PiDqActionDataGetAllPropertiesInBestLanguage(x,x,x,x,x,x,x,x)+60j
					; PiDqActionDataGetAllPropertiesInBestLanguage(x,x,x,x,x,x,x,x)+92j ...
		mov	esi, [ebp+var_C]

loc_96EAC4:				; CODE XREF: PiDqActionDataGetAllPropertiesInBestLanguage(x,x,x,x,x,x,x,x)+40j
					; PiDqActionDataGetAllPropertiesInBestLanguage(x,x,x,x,x,x,x,x)+CCj ...
		cmp	[ebp+var_4], 0
		jz	short loc_96EAD2
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_96EAD2:				; CODE XREF: PiDqActionDataGetAllPropertiesInBestLanguage(x,x,x,x,x,x,x,x)+F3j
		test	esi, esi
		jz	short loc_96EAE1
		push	58706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96EAE1:				; CODE XREF: PiDqActionDataGetAllPropertiesInBestLanguage(x,x,x,x,x,x,x,x)+FFj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_PiDqActionDataGetAllPropertiesInBestLanguage@32 endp


;  S U B	R O U T	I N E 


; __stdcall PiDqConvertObjectTypeToString(x, x)
_PiDqConvertObjectTypeToString@8 proc near ; CODE XREF:	PiDqIrpQueryCreate+1188A3p
		xor	eax, eax
		mov	[edx], eax
		cmp	ecx, 0Bh	; switch 12 cases
		ja	short loc_96EB4E ; default
		jmp	ds:off_96EB56[ecx*4] ; switch jump

loc_96EAFA:				; DATA XREF: PAGE:off_96EB56o
		mov	dword ptr [edx], (offset loc_8B7595+1) ; case 0x0
		retn
; 

loc_96EB01:				; CODE XREF: PiDqConvertObjectTypeToString(x,x)+9j
					; DATA XREF: PAGE:off_96EB56o
		mov	dword ptr [edx], offset	??_C@_1CA@FJGOFOAA@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAn?$AAt?$AAe?$AAr?$AAf?$AAa?$AAc?$AAe@NNGAKEGL@ ; case	0x1
		retn
; 

loc_96EB08:				; CODE XREF: PiDqConvertObjectTypeToString(x,x)+9j
					; DATA XREF: PAGE:off_96EB56o
		mov	dword ptr [edx], offset	??_C@_1CA@EADKOLGB@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr@NNGAKEGL@ ; case	0x2
		retn
; 

loc_96EB0F:				; CODE XREF: PiDqConvertObjectTypeToString(x,x)+9j
					; DATA XREF: PAGE:off_96EB56o
		mov	dword ptr [edx], offset	??_C@_1O@HAMLNBEA@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@NNGAKEGL@ ; case 0x3
		retn
; 

loc_96EB16:				; CODE XREF: PiDqConvertObjectTypeToString(x,x)+9j
					; DATA XREF: PAGE:off_96EB56o
		mov	dword ptr [edx], offset	??_C@_1CK@KNOHNFMP@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAn?$AAt?$AAe?$AAr?$AAf?$AAa?$AAc?$AAe@NNGAKEGL@ ; case	0x4
		retn
; 

loc_96EB1D:				; CODE XREF: PiDqConvertObjectTypeToString(x,x)+9j
					; DATA XREF: PAGE:off_96EB56o
		mov	dword ptr [edx], offset	??_C@_17OLHCHGJI@?$AAA?$AAE?$AAP@NNGAKEGL@ ; case 0x5
		retn
; 

loc_96EB24:				; CODE XREF: PiDqConvertObjectTypeToString(x,x)+9j
					; DATA XREF: PAGE:off_96EB56o
		mov	dword ptr [edx], offset	??_C@_1BK@HNBMGFAO@?$AAA?$AAE?$AAP?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr@NNGAKEGL@ ; case 0x6
		retn
; 

loc_96EB2B:				; CODE XREF: PiDqConvertObjectTypeToString(x,x)+9j
					; DATA XREF: PAGE:off_96EB56o
		mov	dword ptr [edx], offset	??_C@_1CK@OPLFMDGP@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAe?$AAr@NNGAKEGL@ ; case	0x7
		retn
; 

loc_96EB32:				; CODE XREF: PiDqConvertObjectTypeToString(x,x)+9j
					; DATA XREF: PAGE:off_96EB56o
		mov	dword ptr [edx], offset	??_C@_1CO@BOHOPNOD@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAn?$AAt?$AAe?$AAr?$AAf?$AAa?$AAc?$AAe@NNGAKEGL@ ; case	0x8
		retn
; 

loc_96EB39:				; CODE XREF: PiDqConvertObjectTypeToString(x,x)+9j
					; DATA XREF: PAGE:off_96EB56o
		mov	dword ptr [edx], offset	??_C@_1CO@FPFGHDKK@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr@NNGAKEGL@ ; case	0x9
		retn
; 

loc_96EB40:				; CODE XREF: PiDqConvertObjectTypeToString(x,x)+9j
					; DATA XREF: PAGE:off_96EB56o
		mov	dword ptr [edx], offset	??_C@_1BG@JHBJODFK@?$AAA?$AAE?$AAP?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe@NNGAKEGL@	; case 0xA
		retn
; 

loc_96EB47:				; CODE XREF: PiDqConvertObjectTypeToString(x,x)+9j
					; DATA XREF: PAGE:off_96EB56o
		mov	dword ptr [edx], offset	??_C@_1BI@LIJEIIAJ@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAP?$AAa?$AAn?$AAe?$AAl@NNGAKEGL@ ; case 0xB
		retn
; 

loc_96EB4E:				; CODE XREF: PiDqConvertObjectTypeToString(x,x)+7j
		mov	eax, 0C000000Dh	; default
		retn
_PiDqConvertObjectTypeToString@8 endp

; 
		db 8Bh,	0FFh
off_96EB56	dd offset loc_96EAFA	; DATA XREF: PiDqConvertObjectTypeToString(x,x)+9r
		dd offset loc_96EB01	; jump table for switch	statement
		dd offset loc_96EB08
		dd offset loc_96EB0F
		dd offset loc_96EB16
		dd offset loc_96EB1D
		dd offset loc_96EB24
		dd offset loc_96EB2B
		dd offset loc_96EB32
		dd offset loc_96EB39
		dd offset loc_96EB40
		dd offset loc_96EB47

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqConvertQueryFlagsToString(x, x,	x, x)
_PiDqConvertQueryFlagsToString@16 proc near ; CODE XREF: PiDqIrpQueryCreate+11890Cp
					; PiDqIrpQueryCreate+118947p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		xor	eax, eax
		test	ebx, 0FFFFFFF8h
		jz	short loc_96EBA6
		mov	eax, 0C000000Dh
		jmp	loc_96EC90
; 

loc_96EBA6:				; CODE XREF: PiDqConvertQueryFlagsToString(x,x,x,x)+14j
		mov	ecx, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		push	2
		pop	esi
		cmp	edi, esi
		jb	short loc_96EBBA
		xor	edx, edx
		mov	[ecx], dx

loc_96EBBA:				; CODE XREF: PiDqConvertQueryFlagsToString(x,x,x,x)+2Dj
		mov	[ebp+var_4], ecx
		mov	edx, edi
		mov	[ebp+arg_0], edx
		test	bl, 1
		jz	short loc_96EBF6
		push	36h
		pop	esi
		and	ebx, 0FFFFFFFEh
		cmp	edi, esi
		jb	short loc_96EBF6
		push	400h
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	offset ??_C@_1DG@MBMMKDCI@?$AAD?$AAe?$AAv?$AAQ?$AAu?$AAe?$AAr?$AAy?$AAF?$AAl?$AAa?$AAg?$AAU?$AAp?$AAd@NNGAKEGL@
		call	RtlStringCbCopyExW
		test	eax, eax
		js	loc_96EC8E
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+arg_0]

loc_96EBF6:				; CODE XREF: PiDqConvertQueryFlagsToString(x,x,x,x)+3Fj
					; PiDqConvertQueryFlagsToString(x,x,x,x)+49j
		test	bl, 2
		jz	short loc_96EC26
		add	esi, 34h
		and	ebx, 0FFFFFFFDh
		cmp	esi, edi
		ja	short loc_96EC26
		push	400h
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	offset ??_C@_1DG@CINBGJHP@?$AAD?$AAe?$AAv?$AAQ?$AAu?$AAe?$AAr?$AAy?$AAF?$AAl?$AAa?$AAg?$AAA?$AAl?$AAl@NNGAKEGL@	; "DevQueryFlagAllProperties "
		call	RtlStringCbCopyExW
		test	eax, eax
		js	short loc_96EC8E
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+arg_0]

loc_96EC26:				; CODE XREF: PiDqConvertQueryFlagsToString(x,x,x,x)+73j
					; PiDqConvertQueryFlagsToString(x,x,x,x)+7Dj
		test	bl, 4
		jz	short loc_96EC56
		add	esi, 2Ah
		and	ebx, 0FFFFFFFBh
		cmp	esi, edi
		ja	short loc_96EC56
		push	400h
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	offset ??_C@_1CM@PCLLHIPJ@?$AAD?$AAe?$AAv?$AAQ?$AAu?$AAe?$AAr?$AAy?$AAF?$AAl?$AAa?$AAg?$AAL?$AAo?$AAc@NNGAKEGL@
		call	RtlStringCbCopyExW
		test	eax, eax
		js	short loc_96EC8E
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+arg_0]

loc_96EC56:				; CODE XREF: PiDqConvertQueryFlagsToString(x,x,x,x)+A3j
					; PiDqConvertQueryFlagsToString(x,x,x,x)+ADj
		test	ebx, ebx
		jz	short loc_96EC7C
		add	esi, 18h
		cmp	esi, edi
		ja	short loc_96EC7C
		push	400h
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	offset ??_C@_1BK@EHEKFHFC@?$AA?$DM?$AAm?$AAo?$AAr?$AAe?$AA?5?$AAf?$AAl?$AAa?$AAg?$AAs?$AA?$DO@NNGAKEGL@
		call	RtlStringCbCopyExW
		test	eax, eax
		js	short loc_96EC8E

loc_96EC7C:				; CODE XREF: PiDqConvertQueryFlagsToString(x,x,x,x)+D2j
					; PiDqConvertQueryFlagsToString(x,x,x,x)+D9j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_96EC85
		mov	[ecx], esi

loc_96EC85:				; CODE XREF: PiDqConvertQueryFlagsToString(x,x,x,x)+FBj
		cmp	esi, edi
		jnb	short loc_96EC8E
		mov	eax, 0C0000023h

loc_96EC8E:				; CODE XREF: PiDqConvertQueryFlagsToString(x,x,x,x)+64j
					; PiDqConvertQueryFlagsToString(x,x,x,x)+98j ...
		pop	edi
		pop	esi

loc_96EC90:				; CODE XREF: PiDqConvertQueryFlagsToString(x,x,x,x)+1Bj
		pop	ebx
		leave
		retn	8
_PiDqConvertQueryFlagsToString@16 endp


;  S U B	R O U T	I N E 


; __stdcall PiDqConvertQueryTypeToString(x, x)
_PiDqConvertQueryTypeToString@8	proc near ; CODE XREF: PiDqIrpQueryCreate+1188BBp
		xor	eax, eax
		mov	[edx], eax
		sub	ecx, eax
		jz	short loc_96ECBB
		sub	ecx, 1
		jz	short loc_96ECB4
		sub	ecx, 1
		jz	short loc_96ECAD
		mov	eax, 0C000000Dh
		retn
; 

loc_96ECAD:				; CODE XREF: PiDqConvertQueryTypeToString(x,x)+10j
		mov	dword ptr [edx], offset	??_C@_1BE@MFOLOKJL@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe?$AAs@NNGAKEGL@
		retn
; 

loc_96ECB4:				; CODE XREF: PiDqConvertQueryTypeToString(x,x)+Bj
		mov	dword ptr [edx], offset	??_C@_1BC@LDHKIAE@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@NNGAKEGL@
		retn
; 

loc_96ECBB:				; CODE XREF: PiDqConvertQueryTypeToString(x,x)+6j
		mov	dword ptr [edx], offset	??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@NNGAKEGL@
		retn
_PiDqConvertQueryTypeToString@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqDeleteUserObject(x, x, x)
_PiDqDeleteUserObject@12 proc near	; CODE XREF: PiDqDeleteUserObjectFromLoadedHives(x,x)+B8p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		mov	eax, edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, esi
		mov	[ebp+var_8], ecx
		lea	ecx, [ebp+var_4]
		push	edi
		push	ecx
		mov	ecx, eax
		call	PiDqGetRelativeObjectRegPath
		mov	edi, [ebp+var_4]
		mov	ebx, eax
		test	ebx, ebx
		js	loc_96ED79
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_96ED07
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_96ED07
		mov	eax, [eax+4]
		jmp	short loc_96ED09
; 

loc_96ED07:				; CODE XREF: PiDqDeleteUserObject(x,x,x)+37j
					; PiDqDeleteUserObject(x,x,x)+3Ej
		xor	eax, eax

loc_96ED09:				; CODE XREF: PiDqDeleteUserObject(x,x,x)+43j
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		push	0
		push	eax
		call	_RegRtlDeleteTreeInternal
		mov	ebx, eax
		mov	[ebp+arg_0], ebx
		sub	esi, 1
		jz	short loc_96ED2F
		dec	esi
		sub	esi, 1
		jz	short loc_96ED2A
		xor	esi, esi
		jmp	short loc_96ED32
; 

loc_96ED2A:				; CODE XREF: PiDqDeleteUserObject(x,x,x)+62j
		xor	esi, esi
		inc	esi
		jmp	short loc_96ED36
; 

loc_96ED2F:				; CODE XREF: PiDqDeleteUserObject(x,x,x)+5Cj
		push	2
		pop	esi

loc_96ED32:				; CODE XREF: PiDqDeleteUserObject(x,x,x)+66j
		test	esi, esi
		jz	short loc_96ED79

loc_96ED36:				; CODE XREF: PiDqDeleteUserObject(x,x,x)+6Bj
		xor	ebx, ebx

loc_96ED38:				; CODE XREF: PiDqDeleteUserObject(x,x,x)+B2j
		push	5Ch		; wchar_t
		push	edi		; wchar_t *
		call	_wcsrchr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_96ED71
		xor	ecx, ecx
		mov	[eax], cx
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_96ED60
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_96ED60
		mov	eax, [eax+4]
		jmp	short loc_96ED62
; 

loc_96ED60:				; CODE XREF: PiDqDeleteUserObject(x,x,x)+90j
					; PiDqDeleteUserObject(x,x,x)+97j
		xor	eax, eax

loc_96ED62:				; CODE XREF: PiDqDeleteUserObject(x,x,x)+9Cj
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		push	eax
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)
		test	eax, eax
		js	short loc_96ED76

loc_96ED71:				; CODE XREF: PiDqDeleteUserObject(x,x,x)+82j
		inc	ebx
		cmp	ebx, esi
		jb	short loc_96ED38

loc_96ED76:				; CODE XREF: PiDqDeleteUserObject(x,x,x)+ADj
		mov	ebx, [ebp+arg_0]

loc_96ED79:				; CODE XREF: PiDqDeleteUserObject(x,x,x)+2Aj
					; PiDqDeleteUserObject(x,x,x)+72j
		test	edi, edi
		jz	short loc_96ED88
		push	58706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96ED88:				; CODE XREF: PiDqDeleteUserObject(x,x,x)+B9j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_PiDqDeleteUserObject@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqDeleteUserObjectFromLoadedHives(x, x)
_PiDqDeleteUserObjectFromLoadedHives@8 proc near
					; CODE XREF: PiDqObjectManagerHandleObjectEvent+AD8C8p

var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 214h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		mov	ecx, _PiPnpRtlCtx
		mov	[ebp+var_20C], esi
		mov	[ebp+var_210], esi
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jnz	short loc_96EDC9
		mov	ecx, esi
		jmp	short loc_96EDCC
; 

loc_96EDC9:				; CODE XREF: PiDqDeleteUserObjectFromLoadedHives(x,x)+32j
		mov	ecx, [ecx+74h]

loc_96EDCC:				; CODE XREF: PiDqDeleteUserObjectFromLoadedHives(x,x)+36j
		lea	eax, [ebp+var_20C]
		xor	edx, edx
		push	eax
		push	8
		push	esi
		push	(offset	loc_8B9E51+1)
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_96EE5C

loc_96EDE6:				; CODE XREF: PiDqDeleteUserObjectFromLoadedHives(x,x)+C9j
		mov	ecx, [ebp+var_20C]
		lea	eax, [ebp+var_214]
		push	eax
		lea	eax, [ebp+var_208]
		mov	[ebp+var_214], 100h
		push	eax
		mov	edx, esi
		call	_RegRtlEnumKey
		test	eax, eax
		js	short loc_96EE5C
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jnz	short loc_96EE1C
		xor	ecx, ecx
		jmp	short loc_96EE1F
; 

loc_96EE1C:				; CODE XREF: PiDqDeleteUserObjectFromLoadedHives(x,x)+85j
		mov	ecx, [eax+74h]

loc_96EE1F:				; CODE XREF: PiDqDeleteUserObjectFromLoadedHives(x,x)+89j
		mov	edx, [ebp+var_20C]
		lea	eax, [ebp+var_210]
		push	eax
		push	1
		push	0
		lea	eax, [ebp+var_208]
		push	eax
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_96EE59
		mov	ecx, [ebp+var_210]
		mov	edx, ebx
		push	edi
		call	_PiDqDeleteUserObject@12 ; PiDqDeleteUserObject(x,x,x)
		push	[ebp+var_210]
		call	_ZwClose@4	; ZwClose(x)

loc_96EE59:				; CODE XREF: PiDqDeleteUserObjectFromLoadedHives(x,x)+ADj
		inc	esi
		jmp	short loc_96EDE6
; 

loc_96EE5C:				; CODE XREF: PiDqDeleteUserObjectFromLoadedHives(x,x)+53j
					; PiDqDeleteUserObjectFromLoadedHives(x,x)+7Cj
		cmp	[ebp+var_20C], 0
		jz	short loc_96EE70
		push	[ebp+var_20C]
		call	_ZwClose@4	; ZwClose(x)

loc_96EE70:				; CODE XREF: PiDqDeleteUserObjectFromLoadedHives(x,x)+D2j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PiDqDeleteUserObjectFromLoadedHives@8 endp


;  S U B	R O U T	I N E 


; __stdcall PiDqObjectManagerMakeInconsistent(x)
_PiDqObjectManagerMakeInconsistent@4 proc near ; CODE XREF: PiPnpRtlObjectEventWorker+CDA3Cp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	bl, bl
		push	edi
		lea	ecx, [esi+38h]
		call	ExAcquireFastMutex
		mov	edx, [esi+7Ch]
		test	dl, 2
		jnz	short loc_96EEB2
		lea	eax, [esi+68h]
		cmp	[eax], eax
		jz	short loc_96EEB2
		or	edx, 2
		mov	[esi+7Ch], edx
		test	dl, 1
		jnz	short loc_96EEB2
		xor	ebx, ebx
		inc	ebx
		or	edx, ebx
		mov	[esi+7Ch], edx

loc_96EEB2:				; CODE XREF: PiDqObjectManagerMakeInconsistent(x)+17j
					; PiDqObjectManagerMakeInconsistent(x)+1Ej ...
		lea	ecx, [esi+38h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	bl, bl
		jz	short loc_96EEC9
		push	3
		lea	eax, [esi+58h]
		push	eax
		call	ExQueueWorkItem

loc_96EEC9:				; CODE XREF: PiDqObjectManagerMakeInconsistent(x)+3Dj
		pop	edi
		pop	esi
		pop	ebx
		retn
_PiDqObjectManagerMakeInconsistent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqPnPGetObjectPropertyKeys(x, x, x, x, x,	x)
_PiDqPnPGetObjectPropertyKeys@24 proc near
					; CODE XREF: PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+5Fp
					; PiDqActionDataGetAllPropertiesInBestLanguage(x,x,x,x,x,x,x,x)+57p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	esi, 1770h
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], esi
		and	dword ptr [edi], 0

loc_96EEEF:				; CODE XREF: PiDqPnPGetObjectPropertyKeys(x,x,x,x,x,x)+AAj
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_96EF00
		push	58706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96EF00:				; CODE XREF: PiDqPnPGetObjectPropertyKeys(x,x,x,x,x,x)+26j
		push	58706E50h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[edi], ecx
		test	ecx, ecx
		jz	short loc_96EF7C
		push	14h
		mov	eax, esi
		and	dword ptr [ebx], 0
		pop	esi
		xor	edx, edx
		div	esi
		mov	edx, [ebp+var_8]
		push	ecx
		push	ebx
		push	eax
		push	ecx
		push	1
		test	edx, edx
		jz	short loc_96EF43
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, _PiPnpRtlCtx
		push	edx
		mov	edx, [ebp+var_C]
		call	__PnpGetObjectPropertyKeys@40 ;	_PnpGetObjectPropertyKeys(x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_96EF53
; 

loc_96EF43:				; CODE XREF: PiDqPnPGetObjectPropertyKeys(x,x,x,x,x,x)+5Fj
		mov	edx, [ebp+arg_0]
		mov	ecx, _PiPnpRtlCtx
		push	0
		call	__PnpGetGenericStorePropertyKeys@32 ; _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)

loc_96EF53:				; CODE XREF: PiDqPnPGetObjectPropertyKeys(x,x,x,x,x,x)+74j
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_96EF81
		mov	eax, [ebx]
		push	14h
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_96EF85
		mov	esi, [ebp+var_4]
		jmp	loc_96EEEF
; 

loc_96EF7C:				; CODE XREF: PiDqPnPGetObjectPropertyKeys(x,x,x,x,x,x)+46j
		mov	esi, 0C000009Ah

loc_96EF81:				; CODE XREF: PiDqPnPGetObjectPropertyKeys(x,x,x,x,x,x)+8Ej
		test	esi, esi
		jns	short loc_96EF88

loc_96EF85:				; CODE XREF: PiDqPnPGetObjectPropertyKeys(x,x,x,x,x,x)+A5j
		and	dword ptr [ebx], 0

loc_96EF88:				; CODE XREF: PiDqPnPGetObjectPropertyKeys(x,x,x,x,x,x)+B6j
		cmp	dword ptr [ebx], 0
		jnz	short loc_96EFA1
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_96EFA1
		push	58706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0

loc_96EFA1:				; CODE XREF: PiDqPnPGetObjectPropertyKeys(x,x,x,x,x,x)+BEj
					; PiDqPnPGetObjectPropertyKeys(x,x,x,x,x,x)+C4j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiDqPnPGetObjectPropertyKeys@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqPnPGetObjectPropertyLocales(x, x, x, x,	x)
_PiDqPnPGetObjectPropertyLocales@20 proc near
					; CODE XREF: PiDqActionDataGetAllPropertiesInAllLanguages(x,x,x,x,x,x,x)+8Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	esi, ecx
		mov	ebx, edx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], 28h
		and	dword ptr [edi], 0

loc_96EFC8:				; CODE XREF: PiDqPnPGetObjectPropertyLocales(x,x,x,x,x)+7Fj
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_96EFD9
		push	58706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96EFD9:				; CODE XREF: PiDqPnPGetObjectPropertyLocales(x,x,x,x,x)+22j
		mov	eax, [ebp+var_4]
		push	58706E50h
		add	eax, eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jz	short loc_96F02B
		push	ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	[ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		test	ebx, ebx
		jz	short loc_96F00E
		push	[ebp+arg_0]
		mov	edx, esi
		push	ebx
		call	__PnpGetObjectPropertyLocales@36 ; _PnpGetObjectPropertyLocales(x,x,x,x,x,x,x,x,x)
		jmp	short loc_96F01C
; 

loc_96F00E:				; CODE XREF: PiDqPnPGetObjectPropertyLocales(x,x,x,x,x)+55j
		mov	edx, [ebp+arg_0]
		mov	ecx, _PiPnpRtlCtx
		call	__PnpGetGenericStorePropertyLocales@28 ; _PnpGetGenericStorePropertyLocales(x,x,x,x,x,x,x)

loc_96F01C:				; CODE XREF: PiDqPnPGetObjectPropertyLocales(x,x,x,x,x)+62j
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_96F030
		mov	esi, [ebp+var_8]
		jmp	short loc_96EFC8
; 

loc_96F02B:				; CODE XREF: PiDqPnPGetObjectPropertyLocales(x,x,x,x,x)+45j
		mov	esi, 0C000009Ah

loc_96F030:				; CODE XREF: PiDqPnPGetObjectPropertyLocales(x,x,x,x,x)+7Aj
		test	esi, esi
		jns	short loc_96F048
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_96F048
		push	58706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0

loc_96F048:				; CODE XREF: PiDqPnPGetObjectPropertyLocales(x,x,x,x,x)+88j
					; PiDqPnPGetObjectPropertyLocales(x,x,x,x,x)+8Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PiDqPnPGetObjectPropertyLocales@20 endp


;  S U B	R O U T	I N E 


; __stdcall PiDqQueryLock(x)
_PiDqQueryLock@4 proc near		; CODE XREF: PiDqIrpCancel(x,x)+76p
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		add	ecx, 20h
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_PiDqQueryLock@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiDqQueryUnlock(x)
_PiDqQueryUnlock@4 proc	near		; CODE XREF: PiDqIrpCancel(x,x)+91p
		add	ecx, 20h
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_PiDqQueryUnlock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDqSameUserHive(x,	x, x)
_PiDqSameUserHive@12 proc near		; CODE XREF: PiDqQueryApplyObjectEvent+AE327p

var_98		= dword	ptr -98h
var_50		= dword	ptr -50h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [ebp+var_98]
		push	esi
		push	edi
		push	44h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, edx
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_50]
		push	44h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [edi]
		add	esp, 0Ch
		test	ecx, ecx
		jnz	short loc_96F0CA
		mov	ecx, [edi+8]

loc_96F0CA:				; CODE XREF: PiDqSameUserHive(x,x,x)+46j
		push	0
		push	44h
		lea	edx, [ebp+var_98]
		call	_SeQueryUserSidToken@16	; SeQueryUserSidToken(x,x,x,x)
		mov	ecx, [esi]
		test	ecx, ecx
		jnz	short loc_96F0E2
		mov	ecx, [esi+8]

loc_96F0E2:				; CODE XREF: PiDqSameUserHive(x,x,x)+5Ej
		push	0
		push	44h
		lea	edx, [ebp+var_50]
		call	_SeQueryUserSidToken@16	; SeQueryUserSidToken(x,x,x,x)
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		mov	[ebx], al
		xor	ecx, ebp
		pop	esi
		xor	eax, eax
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PiDqSameUserHive@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDevCfgAppendMultiSz(size_t,void *)
_PiDevCfgAppendMultiSz@16 proc near	; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+3ADp
					; PiDevCfgConfigureDevice(x,x,x,x,x)+3DBp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], eax
		mov	ebx, edx
		mov	[ebp+var_C], edi
		mov	[ebp+var_4], ebx
		cmp	[esi+4], edi
		jnz	loc_96F1EE
		test	ebx, ebx
		jz	loc_96F1D1
		movzx	eax, word ptr [ebx]
		add	eax, 4
		cmp	eax, 0FFFEh
		jbe	short loc_96F157

loc_96F14D:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+11Aj
		mov	edi, 80000005h
		jmp	loc_96F3A8
; 

loc_96F157:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+38j
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	edx, eax
		mov	[esi+4], edx
		test	edx, edx
		jnz	short loc_96F170

loc_96F166:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+D6j
					; PiDevCfgAppendMultiSz(x,x,x,x)+12Dj
		mov	edi, 0C000009Ah
		jmp	loc_96F3A8
; 

loc_96F170:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+51j
		movzx	eax, word ptr [ebx]
		mov	ecx, eax
		mov	[esi], ax
		movzx	eax, word ptr [ebx]
		mov	[ebp+arg_4], eax
		mov	eax, ecx
		mov	ecx, [ebp+arg_4]
		test	cx, cx
		jz	short loc_96F1B4
		movzx	eax, cx
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		push	edx		; void *
		call	_memcpy
		movzx	ecx, word ptr [esi]
		add	esp, 0Ch
		mov	eax, [esi+4]
		xor	edx, edx
		shr	ecx, 1
		push	2
		mov	[eax+ecx*2], dx
		mov	edx, [esi+4]
		pop	ecx
		add	[esi], cx
		movzx	eax, word ptr [esi]
		jmp	short loc_96F1B7
; 

loc_96F1B4:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+73j
		push	2
		pop	ecx

loc_96F1B7:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+9Fj
		movzx	eax, ax
		xor	ebx, ebx
		shr	eax, 1
		mov	[edx+eax*2], bx
		add	[esi], cx
		mov	ax, [esi]
		mov	[esi+2], ax
		jmp	loc_96F3A8
; 

loc_96F1D1:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+27j
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	loc_96F3A3
		call	_PnpDuplicateUnicodeString@8 ; PnpDuplicateUnicodeString(x,x)
		test	al, al
		jnz	loc_96F3A8
		jmp	loc_96F166
; 

loc_96F1EE:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+1Fj
		movzx	eax, word ptr [esi]
		push	2
		pop	edx
		mov	[ebp+var_8], eax
		movzx	ecx, ax
		cmp	ax, dx
		ja	short loc_96F201
		mov	ecx, edx

loc_96F201:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+EAj
		test	ebx, ebx
		jz	short loc_96F20F
		movzx	eax, word ptr [ebx]
		add	eax, 2
		add	ecx, eax
		jmp	short loc_96F227
; 

loc_96F20F:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+F0j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_96F3A3
		movzx	eax, word ptr [eax]
		add	ecx, eax
		cmp	word ptr [ebp+var_8], di
		jbe	short loc_96F227
		sub	ecx, edx

loc_96F227:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+FAj
					; PiDevCfgAppendMultiSz(x,x,x,x)+110j
		cmp	ecx, 0FFFEh
		ja	loc_96F14D
		push	ecx
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	loc_96F166
		movzx	eax, word ptr [esi]
		push	2
		pop	edx
		cmp	ax, dx
		jbe	short loc_96F269
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		push	ecx		; void *
		call	_memcpy
		mov	bx, [esi]
		add	esp, 0Ch
		push	2
		pop	edx
		sub	bx, dx
		jmp	short loc_96F26B
; 

loc_96F269:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+13Cj
		xor	ebx, ebx

loc_96F26B:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+154j
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_96F2C4
		cmp	byte ptr [ebp+arg_4], 0
		jnz	short loc_96F28F
		mov	edx, [ecx+4]
		push	ecx
		mov	ecx, [esi+4]
		call	_PnpMultiSzContainsString@12 ; PnpMultiSzContainsString(x,x,x)
		test	eax, eax
		jnz	loc_96F36E
		mov	ecx, [ebp+var_4]

loc_96F28F:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+163j
		movzx	eax, word ptr [ecx]
		push	eax		; size_t
		push	dword ptr [ecx+4] ; void *
		movzx	eax, bx
		add	eax, [ebp+var_C]
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	edx, [ebp+var_C]
		mov	cx, [ecx]
		add	cx, bx
		movzx	eax, cx
		shr	eax, 1
		xor	ebx, ebx
		mov	[edx+eax*2], bx
		lea	ebx, [ecx+2]
		jmp	loc_96F371
; 

loc_96F2C4:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+15Dj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	loc_96F36E
		cmp	byte ptr [ebp+arg_4], 0
		jz	short loc_96F2FF
		movzx	eax, word ptr [ecx]
		push	eax		; size_t
		push	dword ptr [ecx+4] ; void *
		movzx	eax, bx
		add	eax, [ebp+var_C]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	edx, [ebp+var_C]
		mov	ax, [eax]
		push	2
		pop	ecx
		sub	ax, cx
		add	bx, ax
		jmp	short loc_96F374
; 

loc_96F2FF:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+1C0j
		mov	ecx, [ecx+4]

loc_96F302:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+259j
		mov	[ebp+arg_4], ecx
		cmp	[ecx], di
		jz	short loc_96F36E
		lea	eax, [ecx+2]
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_8], eax

loc_96F313:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+208j
		mov	ax, [ecx]
		add	ecx, edx
		cmp	ax, di
		jnz	short loc_96F313
		mov	edx, [ebp+arg_4]
		mov	eax, ecx
		sub	eax, [ebp+var_8]
		sar	eax, 1
		mov	[ebp+arg_0], ecx
		push	ecx
		mov	ecx, [esi+4]
		lea	eax, ds:2[eax*2]
		mov	[ebp+arg_0], eax
		call	_PnpMultiSzContainsString@12 ; PnpMultiSzContainsString(x,x,x)
		test	eax, eax
		jnz	short loc_96F35E
		push	[ebp+arg_0]	; size_t
		movzx	eax, bx
		push	[ebp+arg_4]	; void *
		add	eax, [ebp+var_C]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		add	bx, ax
		jmp	short loc_96F361
; 

loc_96F35E:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+22Cj
		mov	eax, [ebp+arg_0]

loc_96F361:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+249j
		mov	ecx, [ebp+arg_4]
		shr	eax, 1
		push	2
		pop	edx
		lea	ecx, [ecx+eax*2]
		jmp	short loc_96F302
; 

loc_96F36E:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+173j
					; PiDevCfgAppendMultiSz(x,x,x,x)+1B6j ...
		mov	edx, [ebp+var_C]

loc_96F371:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+1ACj
		push	2
		pop	ecx

loc_96F374:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+1EAj
		movzx	eax, bx
		xor	edi, edi
		shr	eax, 1
		add	bx, cx
		push	esi
		mov	word ptr [ebp+var_10], bx
		mov	word ptr [ebp+var_10+2], bx
		mov	[edx+eax*2], di
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [ebp+var_10]
		mov	[esi], eax
		mov	eax, [ebp+var_C]
		mov	[esi+4], eax
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		jmp	short loc_96F3A8
; 

loc_96F3A3:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+C3j
					; PiDevCfgAppendMultiSz(x,x,x,x)+101j
		mov	edi, 0C000000Dh

loc_96F3A8:				; CODE XREF: PiDevCfgAppendMultiSz(x,x,x,x)+3Fj
					; PiDevCfgAppendMultiSz(x,x,x,x)+58j ...
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiDevCfgAppendMultiSz@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgBuildDriverConfigurationId(x, x)
_PiDevCfgBuildDriverConfigurationId@8 proc near
					; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+45p

var_24		= dword	ptr -24h
var_20		= word ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], eax
		lea	edi, [ebp+var_24]
		stosd
		mov	ebx, ecx
		xor	edx, edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_14], edx
		movzx	esi, word ptr [ebx+14h]
		stosd
		add	esi, 4
		mov	[ebp+var_10], edx
		stosd
		stosd
		lea	edi, [ebx+24h]
		movzx	ecx, word ptr [edi]
		add	esi, ecx
		cmp	[ebx+30h], edx
		jz	short loc_96F3FE
		movzx	eax, word ptr [ebx+2Ch]
		add	eax, 2
		add	esi, eax

loc_96F3FE:				; CODE XREF: PiDevCfgBuildDriverConfigurationId(x,x)+39j
		lea	ecx, [ebx+70h]	; Source2
		call	_PnpIsNullGuid@4 ; PnpIsNullGuid(x)
		test	al, al
		jnz	short loc_96F40D
		add	esi, 48h

loc_96F40D:				; CODE XREF: PiDevCfgBuildDriverConfigurationId(x,x)+4Ej
		lea	eax, [esi+2]
		cmp	eax, 0FFFEh
		jbe	short loc_96F421
		mov	edi, 0C0000106h
		jmp	loc_96F553
; 

loc_96F421:				; CODE XREF: PiDevCfgBuildDriverConfigurationId(x,x)+5Bj
		movzx	eax, si
		mov	word ptr [ebp+var_C], ax
		add	eax, 2
		mov	word ptr [ebp+var_C+2],	ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_96F449
		mov	edi, 0C000009Ah
		jmp	loc_96F553
; 

loc_96F449:				; CODE XREF: PiDevCfgBuildDriverConfigurationId(x,x)+83j
		push	edi
		lea	eax, [ebx+14h]
		push	eax		; char
		push	offset ??_C@_1BA@FLBMBFFF@?$AA?$CF?$AAw?$AAZ?$AA?3?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ ; int
		push	800h		; void *
		lea	eax, [ebp+var_14]
		push	eax		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		call	_RtlUnicodeStringPrintfEx
		mov	edi, eax
		add	esp, 18h
		test	edi, edi
		js	loc_96F553
		cmp	dword ptr [ebx+30h], 0
		jz	short loc_96F4B3
		lea	esi, [ebx+2Ch]
		push	esi		; char
		push	offset ??_C@_19EKBFMKFK@?$AA?0?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ ; int
		lea	eax, [ebp+var_14]
		push	800h		; void *
		push	eax		; int
		push	eax		; int
		call	_RtlUnicodeStringPrintfEx
		mov	edi, eax
		add	esp, 14h
		test	edi, edi
		js	loc_96F553
		mov	ax, [esi]
		mov	si, word ptr [ebp+var_C]
		push	2
		pop	ecx
		add	ax, cx
		add	si, ax
		mov	word ptr [ebp+var_C], si
		jmp	short loc_96F4B7
; 

loc_96F4B3:				; CODE XREF: PiDevCfgBuildDriverConfigurationId(x,x)+BCj
		mov	si, word ptr [ebp+var_C]

loc_96F4B7:				; CODE XREF: PiDevCfgBuildDriverConfigurationId(x,x)+F7j
		lea	ecx, [ebx+70h]	; Source2
		call	_PnpIsNullGuid@4 ; PnpIsNullGuid(x)
		test	al, al
		jnz	short loc_96F53D
		cmp	dword ptr [ebx+30h], 0
		jnz	short loc_96F4EE
		lea	eax, [ebp+var_14]
		mov	edx, offset ??_C@_13DEFPDAGF@?$AA?0@NNGAKEGL@
		push	800h
		push	eax
		mov	ecx, eax
		call	RtlUnicodeStringCopyStringEx
		mov	edi, eax
		test	edi, edi
		js	short loc_96F553
		push	2
		pop	eax
		add	si, ax
		mov	word ptr [ebp+var_C], si

loc_96F4EE:				; CODE XREF: PiDevCfgBuildDriverConfigurationId(x,x)+10Dj
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebx+40h]
		push	eax
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		movzx	eax, word ptr [ebx+48h]
		push	eax
		movzx	eax, word ptr [ebx+4Ah]
		push	eax
		movzx	eax, word ptr [ebx+4Ch]
		push	eax
		movzx	eax, word ptr [ebx+4Eh]
		push	eax
		movsx	eax, word ptr [ebp+var_24]
		push	eax
		movsx	eax, [ebp+var_20]
		push	eax
		movsx	eax, word ptr [ebp+var_24+2]
		push	eax		; char
		lea	eax, [ebp+var_14]
		push	offset ??_C@_1DI@BBGEGIPL@?$AA?0?$AA?$CF?$AA0?$AA2?$AAd?$AA?1?$AA?$CF?$AA0?$AA2?$AAd?$AA?1?$AA?$CF?$AA0?$AA4?$AAd@NNGAKEGL@ ; wchar_t *
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		mov	edi, eax
		add	esp, 24h
		test	edi, edi
		js	short loc_96F553
		add	si, word ptr [ebp+var_14]
		mov	word ptr [ebp+var_C], si

loc_96F53D:				; CODE XREF: PiDevCfgBuildDriverConfigurationId(x,x)+107j
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_C]
		and	[ebp+var_C], 0
		mov	[ecx], eax
		mov	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		mov	[ecx+4], eax

loc_96F553:				; CODE XREF: PiDevCfgBuildDriverConfigurationId(x,x)+62j
					; PiDevCfgBuildDriverConfigurationId(x,x)+8Aj ...
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PiDevCfgBuildDriverConfigurationId@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgBuildDriverNodeStrongName(x, x, x, x)
_PiDevCfgBuildDriverNodeStrongName@16 proc near
					; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+13A9p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		movzx	ecx, word ptr [esi+14h]
		lea	ebx, [esi+2Ch]
		movzx	eax, word ptr [ebx]
		add	ecx, eax
		movzx	eax, word ptr [esi+24h]
		add	eax, 5Ah
		add	ecx, eax
		push	edi
		mov	edi, edx
		lea	eax, [ecx+2]
		cmp	eax, 0FFFEh
		jbe	short loc_96F5A9
		mov	esi, 0C0000106h
		jmp	loc_96F65E
; 

loc_96F5A9:				; CODE XREF: PiDevCfgBuildDriverNodeStrongName(x,x,x,x)+3Aj
		movzx	eax, cx
		mov	word ptr [ebp+var_10], ax
		add	eax, 2
		mov	word ptr [ebp+var_10+2], ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_96F5D1
		mov	esi, 0C000009Ah
		jmp	loc_96F65E
; 

loc_96F5D1:				; CODE XREF: PiDevCfgBuildDriverNodeStrongName(x,x,x,x)+62j
		cmp	dword ptr [edi+4], 0
		jz	short loc_96F5EE
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	1
		push	edi
		call	RtlHashUnicodeString
		test	eax, eax
		js	short loc_96F5EE
		mov	edi, [ebp+var_4]
		jmp	short loc_96F5F0
; 

loc_96F5EE:				; CODE XREF: PiDevCfgBuildDriverNodeStrongName(x,x,x,x)+72j
					; PiDevCfgBuildDriverNodeStrongName(x,x,x,x)+84j
		xor	edi, edi

loc_96F5F0:				; CODE XREF: PiDevCfgBuildDriverNodeStrongName(x,x,x,x)+89j
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+4], 0
		jz	short loc_96F610
		lea	ecx, [ebp+var_8]
		push	ecx
		push	0
		push	1
		push	eax
		call	RtlHashUnicodeString
		test	eax, eax
		js	short loc_96F610
		mov	ecx, [ebp+var_8]
		jmp	short loc_96F612
; 

loc_96F610:				; CODE XREF: PiDevCfgBuildDriverNodeStrongName(x,x,x,x)+94j
					; PiDevCfgBuildDriverNodeStrongName(x,x,x,x)+A6j
		xor	ecx, ecx

loc_96F612:				; CODE XREF: PiDevCfgBuildDriverNodeStrongName(x,x,x,x)+ABj
		lea	eax, [esi+24h]
		push	eax
		movzx	eax, word ptr [esi+48h]
		push	eax
		movzx	eax, word ptr [esi+4Ah]
		push	eax
		movzx	eax, word ptr [esi+4Ch]
		push	eax
		movzx	eax, word ptr [esi+4Eh]
		push	eax
		push	ebx
		push	ecx
		push	edi
		lea	eax, [esi+14h]
		push	eax		; char
		lea	eax, [ebp+var_10]
		push	offset ??_C@_1EC@BBAOPJFC@?$AA?$CF?$AAw?$AAZ?$AA?3?$AA?$CF?$AA0?$AA8?$AAx?$AA?$CF?$AA0?$AA8?$AAx?$AA?3?$AA?$CF?$AAw@NNGAKEGL@ ;	wchar_t	*
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		mov	esi, eax
		add	esp, 2Ch
		test	esi, esi
		js	short loc_96F65E
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_10]
		and	[ebp+var_10], 0
		mov	[edx], ecx
		mov	ecx, [ebp+var_C]
		and	[ebp+var_C], 0
		mov	[edx+4], ecx

loc_96F65E:				; CODE XREF: PiDevCfgBuildDriverNodeStrongName(x,x,x,x)+41j
					; PiDevCfgBuildDriverNodeStrongName(x,x,x,x)+69j ...
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiDevCfgBuildDriverNodeStrongName@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgBuildIndirectString(x, x, x, x)
_PiDevCfgBuildIndirectString@16	proc near
					; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+F54p
					; PiDevCfgConfigureDevice(x,x,x,x,x)+117Cp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_C], ecx
		xor	ecx, ecx
		mov	[ebp+var_10], ebx
		xor	eax, eax
		mov	[ebp+var_4], ecx
		mov	esi, ecx
		mov	[ebp+var_2C], ecx
		push	4
		mov	edi, ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_1C], eax
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_18], ecx
		mov	dword ptr [ebp+var_24],	ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ecx
		pop	ecx
		mov	[ebp+var_8], esi
		cmp	ax, cx
		jbe	loc_96F8D1
		mov	ecx, [ebx+4]
		push	25h
		pop	edx
		cmp	[ecx], dx
		mov	edx, [ebp+var_C]
		jnz	loc_96F8D1
		shr	eax, 1
		push	25h
		pop	ebx
		cmp	[ecx+eax*2-2], bx
		mov	ebx, [ebp+var_10]
		jnz	loc_96F8D1
		and	[ebp+var_3C], esi
		and	[ebp+var_38], esi
		push	10h
		pop	eax
		mov	word ptr [ebp+var_2C+2], ax
		push	0Eh
		pop	eax
		mov	word ptr [ebp+var_2C], ax
		mov	eax, [edx+8]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_28], offset ??_C@_1BA@ENIPEGKK@?$AAS?$AAt?$AAr?$AAi?$AAn?$AAg?$AAs@NNGAKEGL@
		push	eax
		mov	[ebp+var_4C], 18h
		mov	[ebp+var_40], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_96F7EB
		mov	ax, [ebx]
		push	4
		pop	ecx
		sub	ax, cx
		movzx	ecx, ax
		mov	word ptr [ebp+var_34], ax
		mov	eax, [ebp+var_34]
		add	eax, 2
		mov	[ebp+var_14], ecx
		mov	word ptr [ebp+var_34+2], ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	edi, eax
		mov	[ebp+var_30], edi
		test	edi, edi
		jnz	short loc_96F765

loc_96F75B:				; CODE XREF: PiDevCfgBuildIndirectString(x,x,x,x)+1CBj
					; PiDevCfgBuildIndirectString(x,x,x,x)+26Fj
		mov	edi, 0C000009Ah
		jmp	loc_96F8F6
; 

loc_96F765:				; CODE XREF: PiDevCfgBuildIndirectString(x,x,x,x)+E9j
		mov	eax, [ebp+var_14]
		movzx	esi, ax
		mov	eax, [ebx+4]
		push	esi		; size_t
		add	eax, 2
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		shr	esi, 1
		add	esp, 0Ch
		xor	eax, eax
		mov	edx, edi
		mov	[edi+esi*2], ax
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	eax
		push	0
		call	IopGetRegistryValue
		mov	esi, eax
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	esi, esi
		js	short loc_96F7E9
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		call	_PnpValidateRegistryString@4 ; PnpValidateRegistryString(x)
		test	al, al
		jz	short loc_96F7E1
		mov	edx, [esi+0Ch]
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	ecx
		mov	ecx, [esi+8]
		push	eax
		add	ecx, esi
		call	_PnpRegSzToString@16 ; PnpRegSzToString(x,x,x,x)
		mov	ax, word ptr [ebp+var_8]
		mov	word ptr [ebp+var_24], ax
		mov	ax, [esi+0Ch]
		mov	[ebp-22h], ax
		mov	eax, [esi+8]
		add	eax, esi
		mov	[ebp+var_20], eax
		jmp	short loc_96F7EB
; 

loc_96F7E1:				; CODE XREF: PiDevCfgBuildIndirectString(x,x,x,x)+13Fj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96F7E9:				; CODE XREF: PiDevCfgBuildIndirectString(x,x,x,x)+131j
		xor	esi, esi

loc_96F7EB:				; CODE XREF: PiDevCfgBuildIndirectString(x,x,x,x)+B6j
					; PiDevCfgBuildIndirectString(x,x,x,x)+16Fj
		mov	edi, [ebp+var_C]
		movzx	ecx, word ptr [ebx]
		add	edi, 14h
		add	ecx, 4
		movzx	eax, word ptr [edi]
		add	ecx, eax
		cmp	[ebp+var_20], 0
		jz	short loc_96F80B
		movzx	eax, word ptr [ebp+var_24]
		add	eax, 2
		add	ecx, eax

loc_96F80B:				; CODE XREF: PiDevCfgBuildIndirectString(x,x,x,x)+190j
		lea	eax, [ecx+2]
		cmp	eax, 0FFFEh
		jbe	short loc_96F81F
		mov	edi, 0C0000106h
		jmp	loc_96F8F6
; 

loc_96F81F:				; CODE XREF: PiDevCfgBuildIndirectString(x,x,x,x)+1A3j
		movzx	eax, cx
		mov	word ptr [ebp+var_1C], ax
		add	eax, 2
		mov	word ptr [ebp+var_1C+2], ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_96F75B
		push	ebx
		push	edi		; char
		push	offset ??_C@_1BC@EAIBBAIC@?$AA?$EA?$AA?$CF?$AAw?$AAZ?$AA?0?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ ; int
		push	800h		; void *
		lea	eax, [ebp+var_2C]
		push	eax		; int
		lea	eax, [ebp+var_1C]
		push	eax		; int
		call	_RtlUnicodeStringPrintfEx
		mov	edi, eax
		add	esp, 18h
		test	edi, edi
		js	loc_96F8F6
		movzx	ebx, word ptr [ebp+var_1C]
		shr	ebx, 1
		cmp	[ebp+var_20], 0
		jz	short loc_96F89D
		lea	eax, [ebp+var_24]
		push	eax		; char
		lea	eax, [ebp+var_2C]
		push	offset ??_C@_19IPGHFAML@?$AA?$DL?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ ; wchar_t *
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		mov	edi, eax
		add	esp, 0Ch
		test	edi, edi
		js	short loc_96F8F6
		mov	ax, word ptr [ebp+var_1C]
		add	ax, word ptr [ebp+var_2C]
		inc	ebx
		mov	word ptr [ebp+var_1C], ax
		jmp	short loc_96F8A7
; 

loc_96F89D:				; CODE XREF: PiDevCfgBuildIndirectString(x,x,x,x)+201j
		mov	eax, [ebp+var_10]
		movzx	eax, word ptr [eax]
		shr	eax, 1
		sub	ebx, eax

loc_96F8A7:				; CODE XREF: PiDevCfgBuildIndirectString(x,x,x,x)+22Bj
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_1C]
		and	[ebp+var_1C], 0
		mov	[ecx], eax
		mov	eax, [ebp+var_18]
		and	[ebp+var_18], 0
		cmp	[ebp+arg_4], 0
		mov	[ecx+4], eax
		jz	short loc_96F8F6
		lea	eax, [eax+ebx*2]
		push	eax
		push	[ebp+arg_4]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	short loc_96F8F6
; 

loc_96F8D1:				; CODE XREF: PiDevCfgBuildIndirectString(x,x,x,x)+42j
					; PiDevCfgBuildIndirectString(x,x,x,x)+54j ...
		mov	edx, ebx
		mov	ebx, [ebp+arg_0]
		mov	ecx, ebx
		call	_PnpDuplicateUnicodeString@8 ; PnpDuplicateUnicodeString(x,x)
		test	al, al
		jz	loc_96F75B
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_96F8F6
		mov	eax, [ebx]
		mov	[ecx], eax
		mov	eax, [ebx+4]
		mov	[ecx+4], eax

loc_96F8F6:				; CODE XREF: PiDevCfgBuildIndirectString(x,x,x,x)+F0j
					; PiDevCfgBuildIndirectString(x,x,x,x)+1AAj ...
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	esi, esi
		jz	short loc_96F90B
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_96F90B:				; CODE XREF: PiDevCfgBuildIndirectString(x,x,x,x)+291j
		cmp	[ebp+var_4], 0
		jz	short loc_96F919
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_96F919:				; CODE XREF: PiDevCfgBuildIndirectString(x,x,x,x)+29Fj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiDevCfgBuildIndirectString@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgCheckDeviceNeedsUpdate(x, x)
_PiDevCfgCheckDeviceNeedsUpdate@8 proc near
					; CODE XREF: PiDevCfgProcessDeviceCallback+6C3D4p
					; PiDevCfgInitDeviceCallback(x,x,x)+B8p ...

var_D8		= dword	ptr -0D8h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, edx
		mov	[ebp+var_BC], 1
		xor	edx, edx
		mov	[ebp+var_D8], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[eax], edx
		xor	ecx, ecx
		mov	[ebp+var_7C], edx
		push	edi
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_90], ecx
		mov	ebx, edx
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_B8], ecx
		mov	[ebp+var_CC], ecx
		mov	ecx, esi
		push	eax
		mov	[ebp+var_A0], edx
		mov	[ebp+var_C4], ebx
		mov	[ebp+var_8C], edx
		mov	[ebp+var_98], edx
		mov	[ebp+var_94], edx
		mov	[ebp+var_A4], edx
		mov	[ebp+var_88], edx
		mov	[ebp+var_84], edx
		mov	[ebp+var_AC], edx
		mov	[ebp+var_74], edx
		mov	[ebp+var_70], edx
		mov	[ebp+var_B4], edx
		mov	[ebp+var_C0], edx
		mov	[ebp+var_6C], edx
		mov	[ebp+var_9C], edx
		mov	[ebp+var_C8], edx
		call	_PiDevCfgFindDeviceDriver@12 ; PiDevCfgFindDeviceDriver(x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000490h
		jz	short loc_96F9EB
		test	edi, edi
		js	loc_96FF7A

loc_96F9EB:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+BFj
		mov	edx, [esi+4]
		lea	eax, [ebp+var_9C]
		mov	ecx, _PiPnpRtlCtx
		xor	edi, edi
		push	edi
		push	eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_9C], 4
		push	eax
		lea	eax, [ebp+var_BC]
		push	eax
		push	0Bh
		push	dword ptr [esi+8]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_96FA36
		cmp	[ebp+var_BC], 4
		jnz	short loc_96FA36
		cmp	[ebp+var_9C], 4
		jz	short loc_96FA3C

loc_96FA36:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+100j
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+109j
		mov	[ebp+var_A0], edi

loc_96FA3C:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+112j
		push	60h		; size_t
		lea	eax, [ebp+var_68]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_68], offset _DEVPKEY_Device_DriverInfPath
		lea	eax, [ebp+var_90]
		mov	[ebp+var_50], offset _DEVPKEY_Device_DriverDate
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_A8]
		push	12h
		pop	ecx
		push	6
		pop	edx
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_B0]
		push	4
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	dword ptr [esi+8]
		mov	[ebp+var_58], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_10], edx
		mov	edx, [esi+4]
		push	1
		mov	[ebp+var_64], ecx
		mov	[ebp+var_4C], 10h
		mov	[ebp+var_44], 8
		mov	[ebp+var_38], offset _DEVPKEY_Device_DriverVersion
		mov	[ebp+var_34], ecx
		mov	[ebp+var_20], offset _DEVPKEY_Device_ExtendedConfigurationIds
		mov	[ebp+var_1C], 2012h
		call	PiDevCfgQueryObjectProperties
		mov	edi, eax
		mov	[ebp+var_78], edi
		test	edi, edi
		js	loc_96FF7A
		cmp	[ebp+var_54], ebx
		jge	short loc_96FAE9
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_90]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_96FAE9:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+1B6j
		xor	eax, eax
		cmp	[ebp+var_3C], ebx
		jge	short loc_96FAFC
		mov	[ebp+var_98], eax
		mov	[ebp+var_94], eax

loc_96FAFC:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+1CCj
		cmp	[ebp+var_24], ebx
		jge	short loc_96FB0E
		push	eax
		lea	eax, [ebp+var_A8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_96FB0E:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+1DDj
		cmp	[ebp+var_C], ebx
		jge	short loc_96FB22
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_B0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_96FB22:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+1EFj
		cmp	[ebp+var_A4], ebx
		jz	short loc_96FB5E
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_88+2]
		push	eax
		lea	eax, [ebp+var_84]
		push	eax
		lea	eax, [ebp+var_84+2]
		push	eax
		push	offset ??_C@_1CA@EEKMHEGJ@?$AA?$CF?$AAh?$AAu?$AA?4?$AA?$CF?$AAh?$AAu?$AA?4?$AA?$CF?$AAh?$AAu?$AA?4?$AA?$CF?$AAh?$AAu@NNGAKEGL@
		push	[ebp+var_A4]
		call	_swscanf_s
		add	esp, 18h
		cmp	eax, 4
		jz	short loc_96FB6C

loc_96FB5E:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+206j
		xor	eax, eax
		mov	[ebp+var_88], eax
		mov	[ebp+var_84], eax

loc_96FB6C:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+23Aj
		mov	ecx, [esi+4]
		call	__CmIsRootEnumeratedDevice@4 ; _CmIsRootEnumeratedDevice(x)
		test	al, al
		jz	loc_96FC89
		xor	eax, eax
		push	60h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_68]
		push	eax		; void *
		call	_memset
		mov	edx, [esi+4]
		lea	eax, [ebp+var_B8]
		add	esp, 0Ch
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_68], offset _DEVPKEY_Device_Owners
		mov	[ebp+var_64], 2012h
		mov	[ebp+var_58], 6
		push	1
		push	eax
		push	dword ptr [esi+8]
		push	1
		call	PiDevCfgQueryObjectProperties
		mov	edi, eax
		mov	[ebp+var_78], edi
		test	edi, edi
		js	loc_96FF7A
		cmp	[ebp+var_54], ebx
		jl	loc_96FC89
		mov	esi, [ebp+var_B4]
		test	esi, esi
		jz	loc_96FC89
		push	2
		pop	eax
		cmp	word ptr [ebp+var_B8], ax
		jbe	loc_96FC89
		movzx	eax, word ptr [esi]
		mov	ecx, eax
		test	ax, ax
		jz	short loc_96FC5E
		xor	ecx, ecx

loc_96FBFE:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+32Aj
		push	ecx
		push	ecx
		lea	eax, [ebp+var_C0]
		mov	edx, esi
		push	eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	20019h
		push	9
		call	_PnpOpenObjectRegKey
		mov	edi, eax
		mov	[ebp+var_78], eax
		test	edi, edi
		jns	short loc_96FC50
		mov	ecx, esi
		xor	eax, eax
		mov	edi, eax
		mov	[ebp+var_78], edi
		lea	edx, [ecx+2]

loc_96FC31:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+319j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_7C]
		jnz	short loc_96FC31
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		xor	ecx, ecx
		add	esi, 2
		cmp	[esi], cx
		jnz	short loc_96FBFE
		jmp	short loc_96FC63
; 

loc_96FC50:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+301j
		push	[ebp+var_C0]
		call	_ZwClose@4	; ZwClose(x)
		movzx	ecx, word ptr [esi]

loc_96FC5E:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+2D8j
		test	cx, cx
		jnz	short loc_96FC89

loc_96FC63:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+32Cj
		mov	esi, [ebp+var_6C]
		test	esi, esi
		jnz	short loc_96FC8C
		xor	ebx, ebx
		cmp	_PnpBootMode, bl
		push	2
		setz	bl
		dec	ebx
		and	ebx, 3FFFEh
		pop	eax
		add	ebx, eax
		mov	[ebp+var_C4], ebx
		jmp	short loc_96FC8C
; 

loc_96FC89:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+254j
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+2ACj ...
		mov	esi, [ebp+var_6C]

loc_96FC8C:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+346j
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+365j
		test	byte ptr [ebp+var_A0], 40h
		jz	short loc_96FCA2

loc_96FC95:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+387j
		test	esi, esi
		jz	loc_96FF0C
		jmp	loc_96FF09
; 

loc_96FCA2:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+371j
		cmp	[ebp+var_8C], 0
		jz	short loc_96FC95
		test	esi, esi
		jz	loc_96FED5
		push	1
		lea	eax, [ebp+var_90]
		push	eax
		lea	eax, [esi+14h]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	loc_96FED5
		mov	eax, [esi+40h]
		cmp	eax, [ebp+var_98]
		jnz	loc_96FF09
		mov	eax, [esi+44h]
		cmp	eax, [ebp+var_94]
		jnz	loc_96FF09
		mov	eax, [esi+48h]
		cmp	eax, [ebp+var_88]
		jnz	loc_96FF09
		mov	eax, [esi+4Ch]
		cmp	eax, [ebp+var_84]
		jnz	loc_96FF09
		mov	edx, [ebp+var_AC]
		lea	eax, [esi+80h]
		mov	[ebp+var_7C], edx
		test	edx, edx
		jz	loc_96FEBC
		cmp	[eax], eax
		jz	loc_96FF09
		lea	eax, [ebp+var_74]
		xor	edi, edi
		mov	ecx, eax
		mov	[ebp+var_70], eax
		mov	[ebp+var_74], ecx
		cmp	[edx], di
		jz	loc_96FE63

loc_96FD3E:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+531j
		lea	eax, [esi+80h]
		cmp	[eax], eax
		jz	loc_96FE60
		lea	eax, [ebp+var_90]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_88]
		push	eax		; int
		lea	eax, [ebp+var_98]
		push	eax		; int
		push	ecx		; int
		push	ecx		; int
		mov	ecx, [ebp+var_7C] ; wchar_t *
		lea	edx, [ebp+var_90] ; int
		call	_PiDevCfgSplitDriverConfigurationId@24 ; PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)
		mov	esi, [ebp+var_6C]
		test	eax, eax
		js	loc_96FE60
		lea	ecx, [esi+80h]
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	loc_96FE60
		mov	esi, eax
		mov	ebx, ecx

loc_96FD95:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+493j
		push	1
		lea	eax, [ebp+var_90]
		mov	edi, esi
		push	eax
		lea	eax, [esi+14h]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_96FDB7
		mov	esi, [esi]
		xor	eax, eax
		mov	edi, eax
		cmp	esi, ebx
		jnz	short loc_96FD95

loc_96FDB7:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+489j
		mov	ebx, [ebp+var_C4]
		mov	esi, [ebp+var_6C]
		test	edi, edi
		jz	loc_96FE5E
		mov	eax, [edi+40h]
		cmp	eax, [ebp+var_98]
		jnz	loc_96FE5E
		mov	eax, [edi+44h]
		cmp	eax, [ebp+var_94]
		jnz	short loc_96FE5E
		mov	eax, [edi+48h]
		cmp	eax, [ebp+var_88]
		jnz	short loc_96FE5E
		mov	eax, [edi+4Ch]
		cmp	eax, [ebp+var_84]
		jnz	short loc_96FE5E
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	loc_96FEB7
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	loc_96FEB7
		mov	[ecx], eax
		mov	[eax+4], ecx
		lea	ecx, [ebp+var_74]
		mov	eax, [ebp+var_70]
		cmp	[eax], ecx
		jnz	loc_96FEB7
		mov	edx, [ebp+var_7C]
		mov	[edi], ecx
		mov	ecx, edx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[ebp+var_70], edi
		xor	edi, edi
		lea	esi, [ecx+2]

loc_96FE35:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+51Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_96FE35
		sub	ecx, esi
		mov	esi, [ebp+var_6C]
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2
		mov	[ebp+var_7C], edx
		cmp	[edx], di
		jnz	loc_96FD3E
		mov	ecx, [ebp+var_74]
		jmp	short loc_96FE6B
; 

loc_96FE5E:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+4A0j
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+4AFj ...
		xor	edi, edi

loc_96FE60:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+424j
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+459j ...
		mov	ecx, [ebp+var_74]

loc_96FE63:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+416j
		mov	eax, [ebp+var_7C]
		cmp	[eax], di
		jnz	short loc_96FE75

loc_96FE6B:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+53Aj
		lea	eax, [esi+80h]
		cmp	[eax], eax
		jz	short loc_96FE78

loc_96FE75:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+547j
		or	ebx, 20h

loc_96FE78:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+551j
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+593j
		lea	eax, [ebp+var_74]
		cmp	ecx, eax
		jz	loc_96FF0C
		cmp	[ecx+4], eax
		jnz	short loc_96FEB7
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_96FEB7
		mov	[ebp+var_74], eax
		lea	edx, [ebp+var_74]
		mov	[eax+4], edx
		mov	eax, [ebp+var_6C]
		sub	eax, 0FFFFFF80h
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_96FEB7
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		mov	ecx, [ebp+var_74]
		mov	esi, [ebp+var_6C]
		jmp	short loc_96FE78
; 

loc_96FEB7:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+4DBj
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+4E6j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_96FEBC:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+3F8j
		cmp	[eax], eax
		jnz	short loc_96FF09
		cmp	_PnpBootMode, 0
		jz	loc_96FF72
		or	ebx, 40000h
		jmp	short loc_96FF0C
; 

loc_96FED5:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+38Bj
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+3A5j
		cmp	_PnpBootMode, 0
		jz	short loc_96FF09
		test	byte ptr ds:_PiDevCfgFlags, 2
		jz	short loc_96FF09
		or	ebx, 40000h
		test	esi, esi
		jz	short loc_96FF0C
		mov	ecx, [ebp+var_8C]
		lea	edx, [ebp+var_CC]
		call	_PiDevCfgGetDriverPackageId@8 ;	PiDevCfgGetDriverPackageId(x,x)
		mov	esi, [ebp+var_6C]
		test	eax, eax
		jns	short loc_96FF0C

loc_96FF09:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+37Bj
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+3B4j ...
		or	ebx, 20h

loc_96FF0C:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+375j
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+55Bj ...
		cmp	_PnpBootMode, 0
		jz	short loc_96FF6F
		test	esi, esi
		jz	short loc_96FF6F
		test	bl, 20h
		jz	short loc_96FF6F
		mov	ecx, esi
		call	_PiDevCfgQueryDriverConfiguration@4 ; PiDevCfgQueryDriverConfiguration(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_96FF52
		mov	ecx, [ebp+var_6C]
		lea	eax, [ecx+80h]
		mov	esi, [eax]
		jmp	short loc_96FF4E
; 

loc_96FF38:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+62Ej
		call	_PiDevCfgQueryDriverConfiguration@4 ; PiDevCfgQueryDriverConfiguration(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_96FF52
		mov	ecx, [ebp+var_6C]
		mov	esi, [esi]
		lea	eax, [ecx+80h]

loc_96FF4E:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+614j
		cmp	esi, eax
		jnz	short loc_96FF38

loc_96FF52:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+607j
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+61Fj
		cmp	edi, 0C0000493h
		jnz	short loc_96FF69
		xor	eax, eax
		and	ebx, 0FFFFFFDFh
		mov	edi, eax
		or	ebx, 40000h
		jmp	short loc_96FF72
; 

loc_96FF69:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+636j
		test	edi, edi
		js	short loc_96FF7A
		jmp	short loc_96FF72
; 

loc_96FF6F:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+5F1j
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+5F5j ...
		mov	edi, [ebp+var_78]

loc_96FF72:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+5A5j
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+645j ...
		mov	eax, [ebp+var_D8]
		mov	[eax], ebx

loc_96FF7A:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+C3j
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+1ADj ...
		lea	eax, [ebp+var_90]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_A8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_B0]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_CC]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_B8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [ebp+var_6C]
		test	ecx, ecx
		jz	short loc_96FFC2
		call	_PiDevCfgFreeDriverNode@4 ; PiDevCfgFreeDriverNode(x)

loc_96FFC2:				; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+699j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PiDevCfgCheckDeviceNeedsUpdate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgClearDeviceMigrationNode(x,	x)
_PiDevCfgClearDeviceMigrationNode@8 proc near
					; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+1E9p
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+3B8p ...

var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		mov	ecx, _PiPnpRtlCtx
		xor	eax, eax
		mov	[ebp+var_AC], esi
		mov	[ebp+var_7C], esi
		mov	[ebp+var_9C], esi
		mov	[ebp+var_A0], esi
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], esi
		mov	[ebp+var_94], eax
		mov	[ebp+var_90], esi
		mov	[ebp+var_A4], esi
		push	edi
		mov	edi, edx
		mov	edx, [ebx+4]
		mov	[ebp+var_A8], edi
		test	ecx, ecx
		jnz	short loc_97003A
		mov	ecx, esi
		jmp	short loc_97003D
; 

loc_97003A:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+61j
		mov	ecx, [ecx+74h]

loc_97003D:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+65j
		lea	eax, [ebp+var_7C]
		push	eax
		push	20019h
		push	esi
		push	edi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_970060

loc_970057:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+16Bj
		xor	eax, eax

loc_970059:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+2B6j
		mov	esi, eax
		jmp	loc_970367
; 

loc_970060:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+82j
		test	esi, esi
		js	loc_970367
		push	70h		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_78]
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_7C]
		lea	eax, [ebp+var_84]
		add	esp, 0Ch
		mov	[ebp+var_6C], eax
		mov	ecx, 120h
		mov	[ebp+var_70], offset ??_C@_1BE@MANDFMJD@?$AAC?$AAl?$AAa?$AAs?$AAs?$AAG?$AAu?$AAi?$AAd@NNGAKEGL@
		lea	eax, [ebp+var_94]
		mov	[ebp+var_74], ecx
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_A4]
		push	1
		push	ecx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_78]
		push	esi
		mov	[ebp+var_3C], ecx
		mov	ecx, 0C0000000h
		push	eax
		mov	[ebp+var_68], 1000000h
		mov	[ebp+var_54], offset ??_C@_1BM@NDODFCEE@?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAP?$AAa?$AAt?$AAh?$AAs@NNGAKEGL@ ; "LocationPaths"
		mov	[ebp+var_4C], 7000000h
		mov	[ebp+var_58], 130h
		mov	[ebp+var_38], offset ??_C@_1BA@KACDEPEO@?$AAP?$AAe?$AAr?$AAs?$AAi?$AAs?$AAt@NNGAKEGL@
		mov	[ebp+var_30], 4000000h
		call	RtlpQueryRegistryValues
		mov	esi, eax
		mov	[ebp+var_98], esi
		test	esi, esi
		js	loc_970367
		cmp	word ptr [ebp+var_84], 0
		jnz	short loc_970111
		cmp	[ebp+var_80], 0
		jz	short loc_970111
		lea	eax, [ebp+var_84]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_970111:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+12Aj
					; PiDevCfgClearDeviceMigrationNode(x,x)+130j
		mov	ecx, [ebp+var_90]
		test	ecx, ecx
		jz	short loc_970137
		movzx	edx, word ptr [ebp+var_94]
		call	_PnpValidateMultiSzData@8 ; PnpValidateMultiSzData(x,x)
		test	al, al
		jnz	short loc_970137
		lea	eax, [ebp+var_94]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_970137:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+146j
					; PiDevCfgClearDeviceMigrationNode(x,x)+156j
		cmp	[ebp+var_A4], 0
		jnz	loc_970057
		push	[ebp+var_7C]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, _PiPnpRtlCtx
		xor	edx, edx
		mov	ecx, [ebx+4]
		mov	[ebp+var_7C], edx
		test	eax, eax
		jz	short loc_970167
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_970167
		mov	edx, [eax+4]

loc_970167:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+188j
					; PiDevCfgClearDeviceMigrationNode(x,x)+18Fj
		push	ecx
		push	edx
		mov	edx, edi
		push	1
		call	__RegRtlDeletePathInternal@20 ;	_RegRtlDeletePathInternal(x,x,x,x,x)
		mov	esi, [ebx+0Ch]
		test	esi, esi
		jz	short loc_9701A5
		xor	eax, eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_8C]
		push	edi
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_9701A5
		lea	eax, [ebp+var_8C]
		push	eax
		push	esi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_9701A5:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+1A4j
					; PiDevCfgClearDeviceMigrationNode(x,x)+1C3j
		mov	edx, [ebx+8]
		test	edx, edx
		jz	loc_970242
		cmp	[ebp+var_80], 0
		jz	loc_970242
		mov	eax, _PiPnpRtlCtx
		xor	esi, esi
		mov	ecx, esi
		test	eax, eax
		jz	short loc_9701CA
		mov	ecx, [eax+74h]

loc_9701CA:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+1F2j
		lea	eax, [ebp+var_9C]
		push	eax
		push	0F003Fh
		push	esi
		push	[ebp+var_80]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_97021D
		push	edi
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_8C], esi
		push	eax
		mov	[ebp+var_88], esi
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_970212
		lea	eax, [ebp+var_8C]
		push	eax
		push	[ebp+var_9C]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_970212:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+22Bj
		push	[ebp+var_9C]
		call	_ZwClose@4	; ZwClose(x)

loc_97021D:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+20Ej
		mov	eax, _PiPnpRtlCtx
		mov	ecx, [ebx+8]
		test	eax, eax
		jz	short loc_970237
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_970237
		mov	edx, [eax+4]
		push	ecx
		push	edx
		jmp	short loc_970239
; 

loc_970237:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+254j
					; PiDevCfgClearDeviceMigrationNode(x,x)+25Bj
		push	ecx
		push	esi

loc_970239:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+262j
		mov	edx, [ebp+var_80]
		push	esi
		call	__RegRtlDeletePathInternal@20 ;	_RegRtlDeletePathInternal(x,x,x,x,x)

loc_970242:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+1D7j
					; PiDevCfgClearDeviceMigrationNode(x,x)+1E1j
		mov	esi, [ebp+var_90]
		test	esi, esi
		jz	loc_970361
		lea	edi, [ebx+10h]
		xor	ecx, ecx
		cmp	[edi], ecx
		jnz	short loc_97029F
		mov	eax, _PiPnpRtlCtx
		mov	edx, [ebx]
		test	eax, eax
		jz	short loc_970267
		mov	ecx, [eax+74h]

loc_970267:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+28Fj
		push	edi
		push	0F003Fh
		xor	eax, eax
		push	eax
		push	offset ??_C@_1BE@EOAKIEOD@?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C0000034h
		jnz	short loc_970287
		xor	ecx, ecx
		mov	[edi], ecx
		jmp	short loc_970291
; 

loc_970287:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+2ACj
		test	eax, eax
		js	loc_970059
		xor	ecx, ecx

loc_970291:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+2B2j
		mov	esi, [ebp+var_90]
		cmp	[edi], ecx
		jz	loc_970361

loc_97029F:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+284j
		cmp	[esi], cx
		jz	loc_970361
		mov	ebx, [ebp+var_A8]

loc_9702AE:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+388j
		mov	eax, _PiPnpRtlCtx
		mov	edx, [edi]
		test	eax, eax
		jz	short loc_9702BC
		mov	ecx, [eax+74h]

loc_9702BC:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+2E4j
		lea	eax, [ebp+var_A0]
		push	eax
		push	0F003Fh
		xor	eax, eax
		push	eax
		push	esi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_970311
		xor	eax, eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_8C]
		push	ebx
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_970306
		lea	eax, [ebp+var_8C]
		push	eax
		push	[ebp+var_A0]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_970306:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+31Fj
		push	[ebp+var_A0]
		call	_ZwClose@4	; ZwClose(x)

loc_970311:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+300j
		mov	eax, _PiPnpRtlCtx
		mov	ecx, [edi]
		test	eax, eax
		jz	short loc_97032C
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_97032C
		mov	edx, [eax+4]
		xor	eax, eax
		push	ecx
		push	edx
		jmp	short loc_970330
; 

loc_97032C:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+347j
					; PiDevCfgClearDeviceMigrationNode(x,x)+34Ej
		push	ecx
		xor	eax, eax
		push	eax

loc_970330:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+357j
		mov	edx, esi
		push	eax
		call	__RegRtlDeletePathInternal@20 ;	_RegRtlDeletePathInternal(x,x,x,x,x)
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_97033D:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+377j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_AC]
		jnz	short loc_97033D
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		xor	ecx, ecx
		add	esi, 2
		cmp	[esi], cx
		jnz	loc_9702AE

loc_970361:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+277j
					; PiDevCfgClearDeviceMigrationNode(x,x)+2C6j ...
		mov	esi, [ebp+var_98]

loc_970367:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+88j
					; PiDevCfgClearDeviceMigrationNode(x,x)+8Fj ...
		lea	eax, [ebp+var_84]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_94]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_7C], 0
		jz	short loc_97038D
		push	[ebp+var_7C]
		call	_ZwClose@4	; ZwClose(x)

loc_97038D:				; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+3B0j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PiDevCfgClearDeviceMigrationNode@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgConfigureDevice(x, x, x, x,	x)
_PiDevCfgConfigureDevice@20 proc near	; CODE XREF: PiDevCfgProcessDevice(x,x,x)+252p
					; PiDevCfgProcessDevice(x,x,x)+345p

var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_95		= dword	ptr -95h
var_90		= dword	ptr -90h
var_8C		= byte ptr -8Ch
var_8B		= byte ptr -8Bh
var_89		= byte ptr -89h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
Source2		= dword	ptr -7Ch
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 198h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		mov	[ebp+var_84], esi
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_178], eax
		xor	eax, eax
		mov	[ebp+var_17C], eax
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_AC], eax
		mov	[ebp+var_C8], eax
		mov	[ebp+var_B4], eax
		mov	[ebp+var_B0], eax
		mov	[ebp+var_12C], eax
		mov	[ebp+var_110], eax
		mov	[ebp+var_118], eax
		mov	[ebp+var_FC], eax
		mov	[ebp+var_114], eax
		mov	[ebp+var_120], eax
		mov	[ebp+var_100], eax
		mov	[ebp+var_11C], eax
		mov	[ebp+var_138], eax
		mov	[ebp+var_140], eax
		mov	[ebp+var_E0], eax
		mov	[ebp+var_150], eax
		mov	[ebp+var_16C], eax
		mov	[ebp+var_158], eax
		mov	[ebp+var_154], eax
		mov	[ebp+var_A4], eax
		mov	[ebp+var_D8], eax
		mov	eax, 400h
		xor	edi, edi
		mov	[ebp+var_95+1],	eax
		mov	[ebp+var_10C], edi
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_134], edi
		mov	[ebp+var_13C], edi
		mov	[ebp+var_14C], edi
		lea	edi, [ebp+Source2]
		mov	[ebp+var_90], eax
		xor	eax, eax
		mov	[ebp+var_A0], eax
		mov	[ebp+var_164], eax
		mov	[ebp+var_168], eax
		mov	[ebp+var_D4], eax
		stosd
		mov	[ebp+var_A8], edx
		mov	[ebp+var_D0], ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		xor	edi, edi
		mov	[ebp+var_128], eax
		mov	[ebp+var_124], edi
		mov	[ebp+var_BC], eax
		mov	[ebp+var_B8], edi
		mov	[ebp+var_E8], eax
		mov	[ebp+var_E4], edi
		mov	[ebp+var_F8], eax
		mov	[ebp+var_F4], edi
		mov	[ebp+var_108], eax
		mov	[ebp+var_104], edi
		mov	[ebp+var_148], eax
		mov	[ebp+var_144], eax
		mov	[ebp-8Ah], al
		mov	[ebp+var_130], eax
		mov	[ebp+var_174], eax
		mov	[ebp+var_89], al
		mov	[ebp+var_8B], al
		mov	[ebp+var_DC], eax
		mov	[ebp+var_170], eax
		mov	[ebp+var_CC], eax
		mov	[ebp+var_8C], al
		mov	[ebp+var_F0], eax
		mov	[ebp+var_EC], eax
		mov	byte ptr [ebp+var_95], al
		mov	[ebp+var_C0], eax
		mov	[ebp+var_C4], eax
		mov	dword ptr [edx], 400h
		add	esi, 14h
		mov	[ecx], eax
		mov	eax, [ebx+8]
		mov	[ebp+var_80], eax
		mov	eax, 410h
		push	63647050h
		push	eax
		push	1
		mov	[ebp+var_88], esi
		mov	[ebp+var_160], 4100000h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_15C], eax
		test	eax, eax
		jnz	short loc_970594

loc_97058A:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+23Ej
					; PiDevCfgConfigureDevice(x,x,x,x,x)+26Aj ...
		mov	esi, 0C000009Ah
		jmp	loc_97203D
; 

loc_970594:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1EAj
		mov	edi, [ebp+var_178]
		test	edi, edi
		jz	loc_970C73
		mov	ecx, edi
		call	_PiDevCfgQueryDriverConfiguration@4 ; PiDevCfgQueryDriverConfiguration(x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		mov	eax, [edi+0A4h]
		mov	[ebp+var_D4], eax
		xor	eax, eax
		cmp	[edi+0B4h], eax
		jz	short loc_9705ED
		lea	edx, [edi+0B0h]
		lea	ecx, [ebp+var_110]
		call	_PnpDuplicateUnicodeString@8 ; PnpDuplicateUnicodeString(x,x)
		test	al, al
		jz	short loc_97058A
		movzx	eax, word ptr [ebp+var_110]
		mov	[ebp+var_12C], eax
		xor	eax, eax

loc_9705ED:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+229j
		cmp	[edi+0BCh], eax
		jz	short loc_970618
		lea	edx, [edi+0B8h]
		lea	ecx, [ebp+var_118]
		call	_PnpDuplicateUnicodeString@8 ; PnpDuplicateUnicodeString(x,x)
		test	al, al
		jz	short loc_97058A
		mov	eax, [ebp+var_114]
		mov	[ebp+var_FC], eax
		xor	eax, eax

loc_970618:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+255j
		cmp	[edi+0C4h], eax
		jz	short loc_970647
		lea	edx, [edi+0C0h]
		lea	ecx, [ebp+var_120]
		call	_PnpDuplicateUnicodeString@8 ; PnpDuplicateUnicodeString(x,x)
		test	al, al
		jz	loc_97058A
		mov	eax, [ebp+var_11C]
		mov	[ebp+var_100], eax
		xor	eax, eax

loc_970647:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+280j
		cmp	[edi+0CCh], eax
		jz	short loc_97066A
		lea	edx, [edi+0C8h]
		lea	ecx, [ebp+var_138]
		call	_PnpDuplicateUnicodeString@8 ; PnpDuplicateUnicodeString(x,x)
		test	al, al
		jz	loc_97058A
		xor	eax, eax

loc_97066A:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+2AFj
		cmp	[edi+0D4h], eax
		jz	short loc_97068B
		lea	edx, [edi+0D0h]
		lea	ecx, [ebp+var_140]
		call	_PnpDuplicateUnicodeString@8 ; PnpDuplicateUnicodeString(x,x)
		test	al, al
		jz	loc_97058A

loc_97068B:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+2D2j
		mov	eax, [edi+0E4h]
		lea	ecx, [edi+80h]
		mov	edx, [edi+0E0h]
		mov	[ebp+var_A4], eax
		mov	eax, [edi+6Ch]
		mov	[ebp+var_D8], eax
		mov	eax, [ecx]
		mov	[ebp+var_95+1],	edx
		mov	[ebp+var_90], edx
		mov	[ebp+var_9C], eax
		cmp	eax, ecx
		jz	loc_9708B8

loc_9706C8:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+4DCj
		mov	ecx, eax
		call	_PiDevCfgQueryDriverConfiguration@4 ; PiDevCfgQueryDriverConfiguration(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_97071B
		cmp	esi, 0C0000493h
		jnz	loc_970880
		cmp	_PnpBootMode, 0
		jz	loc_97203D
		test	byte ptr ds:_PiDevCfgFlags, 2
		jz	loc_97203D
		mov	eax, [ebp+var_95+1]
		or	eax, 400h
		mov	[ebp+var_95+1],	eax
		mov	[ebp+var_90], eax
		xor	eax, eax
		mov	esi, eax
		jmp	loc_970864
; 

loc_97071B:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+335j
		mov	eax, [ebp+var_9C]
		xor	edx, edx
		cmp	[eax+0B4h], edx
		jz	short loc_970734
		and	dword ptr [eax+6Ch], 0FFFFFFFEh
		jmp	loc_97086A
; 

loc_970734:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+38Bj
		cmp	[eax+0BCh], edx
		jz	short loc_970762
		push	edx		; void *
		add	eax, 0B8h
		lea	ecx, [ebp+var_118]
		push	eax		; size_t
		xor	edx, edx
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		mov	eax, [ebp+var_9C]
		xor	edx, edx

loc_970762:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+39Cj
		cmp	[eax+0C4h], edx
		jz	short loc_970790
		push	edx		; void *
		add	eax, 0C0h
		lea	ecx, [ebp+var_120]
		push	eax		; size_t
		xor	edx, edx
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		mov	eax, [ebp+var_9C]
		xor	edx, edx

loc_970790:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+3CAj
		cmp	[eax+0CCh], edx
		jz	short loc_9707BE
		push	edx		; void *
		add	eax, 0C8h
		lea	ecx, [ebp+var_138]
		push	eax		; size_t
		xor	edx, edx
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		mov	eax, [ebp+var_9C]
		xor	edx, edx

loc_9707BE:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+3F8j
		cmp	[eax+0D4h], edx
		jz	short loc_9707EC
		push	edx		; void *
		add	eax, 0D0h
		lea	ecx, [ebp+var_140]
		push	eax		; size_t
		xor	edx, edx
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		mov	eax, [ebp+var_9C]
		xor	edx, edx

loc_9707EC:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+426j
		mov	ecx, [ebp+var_95+1]
		or	ecx, [eax+0E0h]
		mov	[ebp+var_95+1],	ecx
		mov	[ebp+var_90], ecx
		mov	ecx, [ebp+var_A4]
		or	ecx, [eax+0E4h]
		mov	[ebp+var_A4], ecx
		mov	ecx, [ebp+var_D8]
		or	ecx, [eax+6Ch]
		push	edx		; void *
		mov	[ebp+var_D8], ecx
		lea	ecx, [ebp+var_150]
		push	edx		; size_t
		lea	edx, [eax+14h]
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		mov	edx, [ebp+var_9C]
		lea	ecx, [ebp+var_158]
		xor	eax, eax
		add	edx, 0E8h
		push	eax		; void *
		push	eax		; size_t
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D

loc_970864:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+378j
		mov	eax, [ebp+var_9C]

loc_97086A:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+391j
		mov	eax, [eax]
		lea	ecx, [edi+80h]
		mov	[ebp+var_9C], eax
		cmp	eax, ecx
		jnz	loc_9706C8

loc_970880:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+33Dj
		mov	eax, [ebp+var_114]
		mov	edx, [ebp+var_95+1]
		mov	[ebp+var_FC], eax
		mov	eax, [ebp+var_11C]
		mov	[ebp+var_100], eax
		mov	ax, word ptr [ebp+var_150]
		mov	[ebp+var_E0], eax
		mov	ax, word ptr [ebp+var_158]
		mov	[ebp+var_16C], eax

loc_9708B8:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+324j
		test	esi, esi
		js	loc_97203D
		test	byte ptr ds:_PiDevCfgFlags, 2
		jz	short loc_970929
		test	edx, 400h
		jz	short loc_970905
		test	byte ptr [edi+0F0h], 2
		setz	cl
		test	byte ptr ds:_PiDevCfgOptions, 1
		setz	al
		test	cl, al
		jz	short loc_970905
		cmp	_InitIsWinPEMode, 0
		jnz	short loc_970905
		cmp	_PnpBootMode, 0
		jnz	short loc_970905

loc_9708FB:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+577j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+623j ...
		mov	esi, 0C0000495h
		jmp	loc_97203D
; 

loc_970905:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+531j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+549j ...
		test	byte ptr [ebp+var_D8], 40h
		jz	short loc_970929
		cmp	_PnpBootMode, 0
		jz	short loc_9708FB
		or	edx, 400h
		mov	[ebp+var_95+1],	edx
		mov	[ebp+var_90], edx

loc_970929:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+529j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+56Ej
		push	54h		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_64]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_5C], offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_40], offset ??_C@_1BK@PGBJEKCF@?$AAM?$AAa?$AAn?$AAu?$AAf?$AAa?$AAc?$AAt?$AAu?$AAr?$AAe?$AAr@NNGAKEGL@
		mov	ecx, 120h
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_60], ecx
		push	1
		push	ecx
		mov	edx, 1000000h
		mov	[ebp+var_3C], eax
		push	esi
		lea	eax, [ebp+var_64]
		mov	[ebp+var_54], edx
		mov	[ebp+var_38], edx
		mov	edx, [edi+0Ch]
		mov	[ebp+var_44], ecx
		mov	ecx, 0C0000000h
		push	eax
		call	RtlpQueryRegistryValues
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		mov	ecx, [ebp+var_B8]
		mov	eax, [ebp+var_E4]
		test	ecx, ecx
		jnz	short loc_9709DF
		test	eax, eax
		jnz	short loc_9709DF
		xor	edx, edx
		cmp	[edi+64h], edx
		jz	short loc_9709DF
		test	byte ptr ds:_PiDevCfgFlags, 2
		jz	short loc_9709DF
		cmp	_InitIsWinPEMode, dl
		jnz	short loc_9709DF
		cmp	_PnpBootMode, dl
		jz	loc_9708FB
		mov	edx, [ebp+var_95+1]
		or	edx, 400h
		mov	[ebp+var_95+1],	edx
		mov	[ebp+var_90], edx

loc_9709DF:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+5FFj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+603j ...
		cmp	word ptr [ebp+var_BC], 0
		jnz	short loc_9709FF
		test	ecx, ecx
		jz	short loc_9709FF
		lea	eax, [ebp+var_BC]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [ebp+var_E4]

loc_9709FF:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+649j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+64Dj
		cmp	word ptr [ebp+var_E8], 0
		jnz	short loc_970A19
		test	eax, eax
		jz	short loc_970A19
		lea	eax, [ebp+var_E8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_970A19:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+669j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+66Dj
		mov	esi, [ebp+var_D4]
		test	esi, esi
		jz	loc_970C06
		xor	ecx, ecx
		lea	eax, [ebp+var_AC]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		mov	edx, esi
		push	20019h
		push	2
		call	_PnpOpenObjectRegKey
		test	eax, eax
		js	loc_970C06
		xor	eax, eax
		push	60h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_6C], offset _DEVPKEY_DeviceClass_Configurable
		lea	eax, [ebp-8Ah]
		mov	[ebp+var_54], (offset loc_427EA7+1)
		mov	[ebp+var_64], eax
		xor	ecx, ecx
		lea	eax, [ebp-89h]
		mov	[ebp+var_3C], offset _DEVPKEY_DeviceClass_DefaultService
		push	11h
		pop	edx
		mov	[ebp+var_4C], eax
		inc	ecx
		push	2
		lea	eax, [ebp+var_128]
		mov	[ebp+var_60], ecx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_48], ecx
		pop	ecx
		push	4
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	[ebp+var_AC]
		mov	[ebp+var_68], edx
		mov	[ebp+var_50], edx
		mov	edx, esi
		push	ecx
		mov	[ebp+var_38], 12h
		mov	[ebp+var_2C], 6
		mov	[ebp+var_24], offset _DEVPKEY_DeviceClass_CompatibleFeatureScores
		mov	[ebp+var_20], 1003h
		mov	[ebp+var_14], ecx
		call	PiDevCfgQueryObjectProperties
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		cmp	[ebp+var_58], 0
		setl	cl
		dec	cl
		and	cl, [ebp-8Ah]
		cmp	[ebp+var_40], 0
		mov	[ebp-8Ah], cl
		setl	al
		dec	al
		and	al, [ebp+var_89]
		cmp	[ebp+var_28], 0
		mov	[ebp+var_89], al
		jge	short loc_970B30
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_128]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	cl, [ebp-8Ah]

loc_970B30:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+77Bj
		xor	edx, edx
		cmp	[ebp+var_10], edx
		jge	short loc_970B3F
		mov	[ebp+var_DC], edx
		jmp	short loc_970B48
; 

loc_970B3F:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+797j
		mov	eax, [ebp+var_18]
		mov	[ebp+var_170], eax

loc_970B48:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+79Fj
		test	cl, cl
		jnz	loc_970C4C
		push	edx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_C4]
		push	eax
		push	4
		pop	esi
		push	esi
		lea	eax, [ebp+var_130]
		push	eax
		lea	eax, [ebp+var_C0]
		push	eax
		push	(offset	loc_427E93+1)
		push	edx
		push	[ebp+var_AC]
		mov	edx, [ebp+var_D4]
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_970C06
		cmp	[ebp+var_C0], 7
		jnz	short loc_970C06
		cmp	[ebp+var_C4], esi
		jnz	short loc_970C06
		cmp	[ebp+var_130], 0
		jz	short loc_970C06
		mov	edx, [edi+20h]
		lea	eax, [ebp+var_C4]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	esi
		lea	eax, [ebp+var_174]
		push	eax
		lea	eax, [ebp+var_C0]
		push	eax
		push	offset _DEVPKEY_DriverPackage_ClassVersion
		push	ecx
		push	dword ptr [edi+8]
		mov	ecx, _PiPnpRtlCtx
		push	8
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_970C06
		cmp	[ebp+var_C0], 7
		jnz	short loc_970C06
		cmp	[ebp+var_C4], esi
		jnz	short loc_970C06
		mov	eax, [ebp+var_174]
		cmp	eax, [ebp+var_130]
		jb	short loc_970C06
		or	al, 0FFh
		mov	[ebp-8Ah], al
		jmp	short loc_970C0C
; 

loc_970C06:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+683j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+6ABj ...
		mov	al, [ebp-8Ah]

loc_970C0C:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+866j
		test	al, al
		jnz	short loc_970C4C
		test	byte ptr ds:_PiDevCfgOptions, 1
		setz	cl
		test	byte ptr ds:_PiDevCfgFlags, 2
		setnz	al
		test	cl, al
		jz	short loc_970C4C
		cmp	_PnpBootMode, 0
		jz	loc_9708FB
		mov	eax, [ebp+var_95+1]
		or	eax, 400h
		mov	[ebp+var_95+1],	eax
		mov	[ebp+var_90], eax

loc_970C4C:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+7ACj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+870j ...
		mov	edx, [ebp+var_DC]
		test	edx, edx
		jz	short loc_970C6D
		push	[ebp+var_170]
		mov	ecx, edi
		call	_PiDevCfgVerifyFeatureScore@12 ; PiDevCfgVerifyFeatureScore(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D

loc_970C6D:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+8B6j
		mov	esi, [ebp+var_88]

loc_970C73:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1FEj
		test	byte ptr [ebx],	1
		jnz	loc_970D3F
		xor	eax, eax
		push	60h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memset
		mov	edx, [esi+4]
		lea	eax, [ebp+Source2]
		mov	[ebp+var_64], eax
		add	esp, 0Ch
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_6C], offset _DEVPKEY_Device_ClassGuid
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_6C]
		push	3
		push	eax
		push	[ebp+var_80]
		mov	[ebp+var_68], 0Dh
		push	1
		mov	[ebp+var_60], 10h
		mov	[ebp+var_54], offset _DEVPKEY_Device_InstallFlags
		mov	[ebp+var_50], 7
		mov	[ebp+var_48], 4
		mov	[ebp+var_3C], offset _DEVPKEY_Device_DriverNodeStrongName
		mov	[ebp+var_38], 12h
		mov	[ebp+var_2C], 6
		call	PiDevCfgQueryObjectProperties
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		cmp	[ebp+var_58], 0
		jge	short loc_970D18
		xor	eax, eax
		lea	edi, [ebp+Source2]
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_178]
		jmp	short loc_970D1F
; 

loc_970D18:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+967j
		mov	[ebp+var_8C], 1

loc_970D1F:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+978j
		xor	eax, eax
		cmp	[ebp+var_40], eax
		jge	short loc_970D2C
		mov	[ebp+var_CC], eax

loc_970D2C:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+986j
		cmp	[ebp+var_28], 0
		jge	short loc_970D3F
		push	eax
		lea	eax, [ebp+var_F0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_970D3F:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+8D8j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+992j
		cmp	[ebp+var_89], 0
		jnz	loc_970E18
		test	byte ptr [ebp+var_CC], 4
		jz	loc_970DFB
		test	edi, edi
		jz	loc_970DEF
		xor	eax, eax
		push	60h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_84]
		lea	eax, [ebp+var_148]
		add	esp, 0Ch
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_6C], offset _DEVPKEY_Device_DriverInfPath
		mov	[ebp+var_68], 12h
		mov	edx, [edx+18h]
		push	1
		push	eax
		push	[ebp+var_80]
		mov	[ebp+var_5C], 6
		push	1
		call	PiDevCfgQueryObjectProperties
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		cmp	[ebp+var_58], 0
		jge	short loc_970DC8
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_148]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_970DC8:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+A19j
		cmp	[ebp+var_144], 0
		jz	short loc_970DE7
		push	1
		lea	eax, [edi+14h]
		push	eax
		lea	eax, [ebp+var_148]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_970DEF

loc_970DE7:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+A31j
		mov	al, [ebp+var_89]
		jmp	short loc_970DF7
; 

loc_970DEF:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+9BDj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+A47j
		or	al, 0FFh
		mov	[ebp+var_89], al

loc_970DF7:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+A4Fj
		test	al, al
		jnz	short loc_970E18

loc_970DFB:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+9B5j
		push	[ebp+var_D4]	; wchar_t *
		mov	ecx, [ebp+var_84]
		mov	edx, ebx
		call	_PiDevCfgEnforceDevicePolicy@12	; PiDevCfgEnforceDevicePolicy(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D

loc_970E18:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+9A8j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+A5Bj
		mov	eax, [ebp+var_AC]
		test	eax, eax
		jz	loc_970EBD
		push	1Ch
		mov	[ebp+var_190], eax
		lea	eax, [ebp+var_B4]
		pop	ecx
		mov	[ebp+var_18C], eax
		xor	eax, eax
		push	1Ah
		mov	[ebp+var_184], eax
		mov	[ebp+var_180], eax
		lea	eax, [ebp+var_194]
		mov	word ptr [ebp+var_B4+2], cx
		pop	ecx
		push	eax
		push	20019h
		lea	eax, [ebp+var_C8]
		mov	word ptr [ebp+var_B4], cx
		push	eax
		mov	[ebp+var_B0], offset ??_C@_1BM@ICBIINEM@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		mov	[ebp+var_194], 18h
		mov	[ebp+var_188], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_970EBD
		test	esi, esi
		js	loc_97203D
		mov	edx, [ebp+var_C8]
		mov	ecx, [ebp+var_84]
		call	_PiDevCfgVerifyDeviceAllowed@8 ; PiDevCfgVerifyDeviceAllowed(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D

loc_970EBD:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+A82j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+AFAj
		mov	eax, [ebp+var_84]
		mov	esi, [ebp+var_88]
		mov	eax, [eax+10h]
		mov	eax, [eax+8]
		test	byte ptr [eax+8], 4
		jz	short loc_970F2A
		mov	edx, [esi+4]
		lea	eax, [ebp+var_C4]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	1
		lea	eax, [ebp+var_8B]
		push	eax
		lea	eax, [ebp+var_C0]
		push	eax
		push	offset _DEVPKEY_Device_Reported
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_970F1E
		cmp	[ebp+var_C0], 11h
		jnz	short loc_970F1E
		cmp	[ebp+var_C4], 1
		jz	short loc_970F2A

loc_970F1E:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+B6Cj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+B75j
		xor	edx, edx
		mov	al, dl
		mov	[ebp+var_8B], al
		jmp	short loc_970F32
; 

loc_970F2A:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+B35j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+B7Ej
		mov	al, [ebp+var_8B]
		xor	edx, edx

loc_970F32:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+B8Aj
		test	edi, edi
		jz	short loc_970F68
		mov	ecx, [ebp+var_10C]
		test	ecx, ecx
		jnz	short loc_970F68
		cmp	[ebp+var_124], ecx
		jnz	short loc_970F68
		test	al, al
		mov	eax, [ebp+var_84]
		jnz	short loc_970F6E
		test	dword ptr [eax+170h], 100h
		jnz	short loc_970F6E
		mov	esi, 0C0000494h
		jmp	loc_97203D
; 

loc_970F68:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+B96j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+BA0j ...
		mov	eax, [ebp+var_84]

loc_970F6E:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+BB2j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+BBEj
		test	byte ptr [ebx],	1
		jnz	short loc_970FE8
		test	edi, edi
		jnz	short loc_970FA0
		cmp	[ebp+var_8C], 0
		jz	short loc_970F8C
		test	dword ptr [eax+170h], 100h
		jnz	short loc_970FD4

loc_970F8C:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+BE0j
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	edx
		mov	edx, [esi+4]
		push	11h
		call	__CmDeleteDeviceRegKey@20 ; _CmDeleteDeviceRegKey(x,x,x,x,x)
		jmp	short loc_970FD4
; 

loc_970FA0:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+BD7j
		lea	ecx, [ebp+Source2] ; Source2
		call	_PnpIsNullGuid@4 ; PnpIsNullGuid(x)
		test	al, al
		jnz	short loc_970FE8
		lea	ecx, [edi+90h]	; Source2
		call	_PnpIsNullGuid@4 ; PnpIsNullGuid(x)
		test	al, al
		jnz	short loc_970FE8
		push	10h		; size_t
		lea	eax, [edi+90h]
		push	eax		; void *
		lea	eax, [ebp+Source2]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_970FE8

loc_970FD4:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+BECj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+C00j
		mov	edx, [esi+4]
		xor	eax, eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	12h
		call	__CmDeleteDeviceRegKey@20 ; _CmDeleteDeviceRegKey(x,x,x,x,x)

loc_970FE8:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+BD3j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+C0Cj ...
		lea	eax, [ebp+var_168]
		mov	ecx, edi
		push	eax
		neg	ecx
		lea	eax, [ebp+var_164]
		push	eax
		sbb	ecx, ecx
		lea	eax, [edi+14h]
		and	ecx, eax
		mov	edx, ebx
		push	ecx
		mov	ecx, edi
		lea	eax, [edi+0A0h]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		push	ecx
		mov	ecx, [ebp+var_84]
		call	_PiDevCfgMigrateDevice@24 ; PiDevCfgMigrateDevice(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_971046
		mov	eax, [ebp+var_95+1]
		or	eax, [ebp+var_164]
		mov	[ebp+var_95+1],	eax
		mov	[ebp+var_90], eax
		mov	eax, [ebp+var_168]
		mov	[ebp+var_A0], eax

loc_971046:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+C82j
		test	byte ptr [ebx],	1
		jnz	loc_9710D3
		movzx	eax, [ebp+var_8C]
		lea	ecx, [ebp+Source2]
		neg	eax
		mov	edx, ebx
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, edi
		neg	ecx
		push	eax		; int
		push	[ebp+var_AC]	; int
		sbb	ecx, ecx
		lea	eax, [edi+90h]
		and	ecx, eax
		push	ecx		; void *
		mov	ecx, [ebp+var_84]
		call	_PiDevCfgResetDeviceDriverSettings@20 ;	PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_971097
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_971097
		mov	eax, [eax+4]
		jmp	short loc_971099
; 

loc_971097:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+CEBj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+CF2j
		xor	eax, eax

loc_971099:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+CF7j
		xor	ecx, ecx
		mov	edx, offset ??_C@_1BA@HICHNCPO@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@NNGAKEGL@ ; "Devices"
		push	ecx
		mov	ecx, [ebp+var_80]
		push	eax
		call	_RegRtlDeleteTreeInternal
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_9710C2
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_9710C2
		xor	ecx, ecx
		push	ecx
		push	dword ptr [eax+4]
		jmp	short loc_9710C6
; 

loc_9710C2:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+D13j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+D1Aj
		xor	eax, eax
		push	eax
		push	eax

loc_9710C6:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+D22j
		mov	ecx, [ebp+var_80]
		mov	edx, offset ??_C@_1BA@DJLBFCNB@?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@ ; "F"
		call	_RegRtlDeleteTreeInternal

loc_9710D3:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+CABj
		test	edi, edi
		jz	short loc_97111B
		lea	ecx, [edi+90h]	; Source2
		call	_PnpIsNullGuid@4 ; PnpIsNullGuid(x)
		test	al, al
		jnz	short loc_97111B
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	10h
		lea	eax, [edi+90h]
		push	eax
		push	0Dh
		push	offset _DEVPKEY_Device_ClassGuid
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		jmp	short loc_971141
; 

loc_97111B:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+D37j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+D46j
		test	byte ptr [ebx],	1
		jnz	short loc_971141
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_ClassGuid
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_971141:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+D7Bj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+D80j
		mov	edx, [ebp+var_10C]
		mov	ecx, [ebp+var_124]
		test	edx, edx
		jz	loc_9711EB
		mov	eax, [ebp+var_12C]
		test	ax, ax
		jz	loc_97120B
		xor	ecx, ecx
		movzx	eax, ax
		push	ecx
		add	eax, 2
		push	eax
		push	edx

loc_97116F:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+E68j
		mov	eax, [ebp+var_84]
		mov	edx, ebx
		push	12h
		push	offset _DEVPKEY_Device_Service
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D

loc_97119C:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+E70j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+E81j
		mov	esi, [ebp+var_88]

loc_9711A2:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+EAEj
		mov	ecx, [ebp+var_FC]
		test	ecx, ecx
		jz	loc_971251
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [ebp+var_118]
		push	eax
		push	ecx
		push	2012h
		push	offset _DEVPKEY_Device_LowerFilters
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		jmp	loc_971277
; 

loc_9711EB:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+DB1j
		test	ecx, ecx
		jz	short loc_97120B
		mov	ax, word ptr [ebp+var_128]
		test	ax, ax
		jz	short loc_97120B
		xor	edx, edx
		movzx	eax, ax
		push	edx
		add	eax, 2
		push	eax
		push	ecx
		jmp	loc_97116F
; 

loc_97120B:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+DC0j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+E4Fj ...
		test	byte ptr [ebx],	1
		jnz	short loc_97119C
		test	edx, edx
		jz	short loc_971218
		test	ecx, ecx
		jnz	short loc_971225

loc_971218:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+E74j
		cmp	[ebp+var_8B], 0
		jnz	loc_97119C

loc_971225:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+E78j
		mov	esi, [ebp+var_88]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_Service
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		mov	edx, ebx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_9711A2
; 

loc_971251:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+E0Cj
		test	byte ptr [ebx],	1
		jnz	short loc_971277
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_LowerFilters
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_971277:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+E48j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+EB6j
		mov	ecx, [ebp+var_100]
		test	ecx, ecx
		jz	loc_9713A7
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [ebp+var_120]
		push	eax
		mov	eax, [ebp+var_84]
		push	ecx
		push	2012h
		push	offset _DEVPKEY_Device_UpperFilters
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D

loc_9712C1:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+100Cj
		mov	esi, [ebp+var_88]

loc_9712C7:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1039j
		test	edi, edi
		jz	loc_971427
		cmp	[ebp+var_B8], 0
		jz	loc_971427
		lea	eax, [ebp+var_108]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_F8]
		push	eax
		lea	edx, [ebp+var_BC]
		call	_PiDevCfgBuildIndirectString@16	; PiDevCfgBuildIndirectString(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		bt	[ebp+var_95+1],	0Ah
		setb	cl
		test	byte ptr ds:_PiDevCfgOptions, 1
		setz	al
		test	cl, al
		jnz	short loc_97135B
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [ebp+var_F8]
		add	eax, 2
		push	eax
		push	[ebp+var_F4]
		mov	eax, [ebp+var_84]
		push	12h
		push	offset _DEVPKEY_Device_DeviceDesc
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D

loc_97135B:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+F7Aj
		cmp	[ebp+var_104], 0
		jz	short loc_9713DC
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [ebp+var_108]
		add	eax, 2
		push	eax
		push	[ebp+var_104]
		mov	eax, [ebp+var_84]
		push	12h
		push	offset _DEVPKEY_Device_DriverDesc
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		jmp	short loc_971408
; 

loc_9713A7:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+EE1j
		test	byte ptr [ebx],	1
		jnz	loc_9712C1
		mov	esi, [ebp+var_88]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_UpperFilters
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		mov	edx, ebx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_9712C7
; 

loc_9713DC:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+FC4j
		test	byte ptr [ebx],	1
		jnz	short loc_971408
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		mov	eax, [ebp+var_84]
		push	offset _DEVPKEY_Device_DriverDesc
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_971408:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1007j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1041j
		lea	eax, [ebp+var_F8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		xor	eax, eax
		mov	[ebp+var_108], eax
		mov	[ebp+var_104], eax
		jmp	loc_9714F3
; 

loc_971427:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+F2Bj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+F38j
		test	byte ptr [ebx],	1
		jnz	loc_9714F3
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_DriverDesc
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	edi, edi
		jnz	loc_9714FB
		xor	eax, eax
		push	60h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memset
		mov	edx, [esi+4]
		lea	eax, [ebp+var_BC]
		add	esp, 0Ch
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_6C], (offset loc_4058A5+3)
		mov	[ebp+var_68], 12h
		mov	[ebp+var_5C], 6
		push	1
		push	eax
		push	[ebp+var_80]
		push	1
		call	PiDevCfgQueryObjectProperties
		test	eax, eax
		js	loc_9715B6
		cmp	[ebp+var_58], edi
		jl	loc_9715B6
		cmp	[ebp+var_B8], edi
		jz	loc_9715B6
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [ebp+var_BC]
		add	eax, 2
		push	eax
		push	[ebp+var_B8]
		push	12h
		push	offset _DEVPKEY_Device_DeviceDesc
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D

loc_9714F3:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1084j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+108Cj
		test	edi, edi
		jz	loc_9715B6

loc_9714FB:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+10B5j
		cmp	[ebp+var_E4], 0
		jz	loc_9715B6
		xor	eax, eax
		lea	edx, [ebp+var_E8]
		push	eax
		lea	eax, [ebp+var_F8]
		mov	ecx, edi
		push	eax
		call	_PiDevCfgBuildIndirectString@16	; PiDevCfgBuildIndirectString(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [ebp+var_F8]
		add	eax, 2
		push	eax
		push	[ebp+var_F4]
		mov	eax, [ebp+var_84]
		push	12h
		push	offset _DEVPKEY_Device_Manufacturer
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D

loc_97156A:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+121Bj
		mov	esi, [ebp+var_88]

loc_971570:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1244j
		test	edi, edi
		jz	short loc_9715E4
		mov	ecx, [edi+0ACh]
		test	ecx, ecx
		jz	short loc_9715E4
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [edi+0A8h]
		add	eax, 2
		push	eax
		push	ecx
		push	12h
		push	(offset	loc_41118C+4)
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		jmp	short loc_97160A
; 

loc_9715B6:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+10FFj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1108j ...
		test	byte ptr [ebx],	1
		jnz	short loc_97156A
		mov	esi, [ebp+var_88]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_Manufacturer
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		mov	edx, ebx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_971570
; 

loc_9715E4:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+11D4j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+11DEj
		test	byte ptr [ebx],	1
		jnz	short loc_97160A
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_41118C+4)
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_97160A:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1216j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1249j
		test	edi, edi
		jz	loc_971847
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	8
		lea	eax, [edi+40h]
		push	eax
		mov	eax, [ebp+var_84]
		push	10h
		push	offset _DEVPKEY_Device_DriverDate
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		movzx	eax, word ptr [edi+48h]
		push	eax
		movzx	eax, word ptr [edi+4Ah]
		push	eax
		movzx	eax, word ptr [edi+4Ch]
		push	eax
		movzx	eax, word ptr [edi+4Eh]
		push	eax		; char
		lea	eax, [ebp+var_160]
		push	offset ??_C@_1BI@IEJCOLMP@?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu@NNGAKEGL@ ; wchar_t *
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		mov	esi, eax
		add	esp, 18h
		test	esi, esi
		js	loc_97203D
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [ebp+var_160]
		add	eax, 2
		push	eax
		push	[ebp+var_15C]
		mov	eax, [ebp+var_84]
		push	12h
		push	offset _DEVPKEY_Device_DriverVersion
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [edi+14h]
		add	eax, 2
		push	eax
		push	dword ptr [edi+18h]
		mov	eax, [ebp+var_84]
		push	12h
		push	offset _DEVPKEY_Device_DriverInfPath
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [edi+2Ch]
		add	eax, 2
		push	eax
		push	dword ptr [edi+30h]
		mov	eax, [ebp+var_84]
		push	12h
		push	offset _DEVPKEY_Device_DriverInfSection
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		lea	eax, [ebp+var_B4]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_BC]
		push	eax
		lea	edx, [ebp+var_E8]
		call	_PiDevCfgBuildDriverNodeStrongName@16 ;	PiDevCfgBuildDriverNodeStrongName(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		cmp	[ebp+var_EC], 0
		jz	short loc_971784
		push	1
		lea	eax, [ebp+var_B4]
		push	eax
		lea	eax, [ebp+var_F0]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jnz	short loc_971784
		lea	eax, [ebp+var_F0]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_971784:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+13BFj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+13D8j
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [ebp+var_B4]
		add	eax, 2
		push	eax
		push	[ebp+var_B0]
		mov	eax, [ebp+var_84]
		push	12h
		push	offset _DEVPKEY_Device_DriverNodeStrongName
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_B4]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	esi, esi
		js	loc_97203D

loc_9717D1:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+14ACj
		mov	esi, [ebp+var_88]

loc_9717D7:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1559j
		cmp	[ebp+var_EC], 0
		jz	loc_9718FC
		test	byte ptr [ebp+var_CC], 8
		jnz	loc_9718FC
		mov	eax, [ebp+var_84]
		test	dword ptr [eax+10Ch], 6000h
		jnz	loc_9718FC
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [ebp+var_F0]
		add	eax, 2
		push	eax
		push	[ebp+var_EC]
		push	12h
		push	offset _DEVPKEY_Device_RollbackDriverNode
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		jmp	loc_971922
; 

loc_971847:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+126Ej
		test	byte ptr [ebx],	1
		jnz	short loc_9717D1
		mov	esi, [ebp+var_88]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_DriverDate
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		mov	edx, ebx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_DriverVersion
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_DriverInfPath
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_DriverInfSection
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_DriverNodeStrongName
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_9717D7
; 

loc_9718FC:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1440j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+144Dj ...
		test	byte ptr [ebx],	1
		jnz	short loc_971922
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_RollbackDriverNode
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_971922:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+14A4j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1561j
		mov	ecx, [ebp+var_134]
		test	ecx, ecx
		jz	loc_9719B4
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [ebp+var_138]
		push	eax
		mov	eax, [ebp+var_84]
		push	ecx
		push	2012h
		push	offset _DEVPKEY_Device_DriverIncludedInfs
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D

loc_97196C:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1619j
		mov	esi, [ebp+var_88]

loc_971972:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1642j
		mov	ecx, [ebp+var_13C]
		test	ecx, ecx
		jz	short loc_9719E2
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [ebp+var_140]
		push	eax
		push	ecx
		push	2012h
		push	offset _DEVPKEY_Device_DriverIncludedConfigs
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		jmp	short loc_971A08
; 

loc_9719B4:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+158Cj
		test	byte ptr [ebx],	1
		jnz	short loc_97196C
		mov	esi, [ebp+var_88]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_DriverIncludedInfs
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		mov	edx, ebx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_971972
; 

loc_9719E2:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+15DCj
		test	byte ptr [ebx],	1
		jnz	short loc_971A08
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_DriverIncludedConfigs
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_971A08:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1614j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1647j
		mov	ecx, [ebp+var_14C]
		test	ecx, ecx
		jz	loc_971AD9
		xor	eax, eax
		mov	edx, ebx
		push	eax
		mov	eax, [ebp+var_E0]
		movzx	eax, ax
		push	eax
		mov	eax, [ebp+var_84]
		push	ecx
		push	2012h
		push	offset _DEVPKEY_Device_DriverExtendedInfs
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D

loc_971A54:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+173Ej
		mov	esi, [ebp+var_88]

loc_971A5A:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+176Bj
		test	edi, edi
		jz	loc_971B0E
		cmp	dword ptr [edi+38h], 0FFFFFFFFh
		jz	loc_971B0E
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [edi+24h]
		add	eax, 2
		push	eax
		push	dword ptr [edi+28h]
		push	12h
		push	offset _DEVPKEY_Device_MatchingDeviceId
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	4
		lea	eax, [edi+38h]
		push	eax
		mov	eax, [ebp+var_84]
		push	7
		push	offset _DEVPKEY_Device_DriverRank
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		jmp	short loc_971B55
; 

loc_971AD9:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1672j
		test	byte ptr [ebx],	1
		jnz	loc_971A54
		mov	esi, [ebp+var_88]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_DriverExtendedInfs
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		mov	edx, ebx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_971A5A
; 

loc_971B0E:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+16BEj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+16C8j
		test	byte ptr [ebx],	1
		jnz	short loc_971B55
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_MatchingDeviceId
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_DriverRank
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_971B55:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1739j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1773j
		cmp	[ebp+var_CC], 0
		mov	esi, [ebp+var_88]
		jz	short loc_971B85
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_InstallFlags
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [esi+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_971B85:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+17C4j
		test	edi, edi
		jz	loc_971CA7
		mov	esi, [ebp+var_A8]
		mov	edx, [ebp+var_95+1]
		mov	[esi], edx
		test	byte ptr [edi+6Ch], 8
		setnz	cl
		test	byte ptr ds:_PiDevCfgFlags, 2
		setnz	al
		test	cl, al
		jz	short loc_971BB8
		or	edx, 400h
		mov	[esi], edx

loc_971BB8:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1810j
		mov	ecx, [ebp+var_84]
		lea	eax, [ebp+var_A0]
		push	eax
		lea	eax, [ebp+var_90]
		mov	edx, ebx
		push	eax
		push	edi
		call	_PiDevCfgConfigureDeviceDriver@20 ; PiDevCfgConfigureDeviceDriver(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		mov	esi, [ebp+var_A8]
		lea	ecx, [edi+80h]
		mov	edx, [ebp+var_D0]
		mov	eax, [ebp+var_90]
		or	[esi], eax
		mov	eax, [ebp+var_A0]
		or	[edx], eax
		mov	eax, [ecx]
		jmp	short loc_971C5A
; 

loc_971C04:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+18C4j
		test	byte ptr [eax+6Ch], 1
		jz	short loc_971C58
		lea	ecx, [ebp+var_A0]
		mov	edx, ebx
		push	ecx
		lea	ecx, [ebp+var_90]
		push	ecx
		mov	ecx, [ebp+var_84]
		push	eax
		call	_PiDevCfgConfigureDeviceDriver@20 ; PiDevCfgConfigureDeviceDriver(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		mov	ecx, [ebp+var_A8]
		mov	eax, [ebp+var_90]
		or	[ecx], eax
		mov	ecx, [ebp+var_D0]
		mov	eax, [ebp+var_A0]
		or	[ecx], eax
		lea	ecx, [edi+80h]
		mov	eax, [ebp+var_E0]

loc_971C58:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+186Aj
		mov	eax, [eax]

loc_971C5A:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1864j
		mov	[ebp+var_E0], eax
		cmp	eax, ecx
		jnz	short loc_971C04
		mov	ecx, [ebp+var_84]
		lea	eax, [ebp+var_A0]
		push	eax
		lea	eax, [ebp+var_90]
		mov	edx, ebx
		push	eax
		call	_PiDevCfgConfigureDeviceLocation@16 ; PiDevCfgConfigureDeviceLocation(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		mov	esi, [ebp+var_A8]
		mov	edx, [ebp+var_D0]
		mov	eax, [ebp+var_90]
		or	[esi], eax
		mov	eax, [ebp+var_A0]
		or	[edx], eax
		jmp	short loc_971CDE
; 

loc_971CA7:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+17E9j
		mov	ecx, [ebp+var_84]
		mov	eax, [ebp+var_A8]
		test	dword ptr [ecx+170h], 100h
		jz	short loc_971CCB
		xor	edx, edx
		mov	[eax], edx
		mov	edx, [ebp+var_D0]
		jmp	short loc_971CE4
; 

loc_971CCB:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+191Fj
		mov	ecx, esi
		mov	dword ptr [eax], 40h
		call	_PnpDeleteDeviceInterfaces@4 ; PnpDeleteDeviceInterfaces(x)
		mov	edx, [ebp+var_D0]

loc_971CDE:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1907j
		mov	ecx, [ebp+var_84]

loc_971CE4:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+192Bj
		cmp	[ebp+var_A4], 0
		jz	short loc_971D02
		cmp	_InitIsWinPEMode, 0
		jnz	short loc_971D02
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		test	eax, eax
		jz	short loc_971D02
		or	dword ptr [edx], 10h

loc_971D02:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+194Dj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1956j ...
		test	byte ptr [ebp+var_CC], 2
		jz	short loc_971D0E
		or	dword ptr [edx], 20h

loc_971D0E:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+196Bj
		cmp	[ebp+var_8C], 0
		jz	short loc_971D1A
		or	dword ptr [edx], 1

loc_971D1A:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1977j
		cmp	[ebp+var_C8], 0
		jz	short loc_971D66
		lea	eax, [ebp+var_A0]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_90]
		push	eax
		push	0FFFFFFFFh
		push	[ebp+var_C8]
		call	_PiDevCfgConfigureDeviceKeys@24	; PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		mov	ecx, [ebp+var_A8]
		mov	edx, [ebp+var_D0]
		mov	eax, [ebp+var_90]
		or	[ecx], eax
		mov	eax, [ebp+var_A0]
		or	[edx], eax

loc_971D66:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1983j
		test	byte ptr [edx],	2
		jnz	short loc_971DA5
		mov	eax, [ebp+var_D4]
		test	eax, eax
		jz	short loc_971DA5
		mov	edx, [ebp+var_AC]
		test	edx, edx
		jz	short loc_971DA5
		lea	ecx, [ebp+var_90]
		push	ecx
		mov	ecx, eax
		call	_PiDevCfgGetDeviceClassConfigFlags@12 ;	PiDevCfgGetDeviceClassConfigFlags(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97203D
		mov	ecx, [ebp+var_A8]
		mov	eax, [ebp+var_90]
		or	[ecx], eax

loc_971DA5:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+19CBj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+19D5j ...
		test	edi, edi
		jz	short loc_971DB7
		mov	eax, [edi+0E8h]
		mov	ecx, [edi+0ECh]
		jmp	short loc_971DC2
; 

loc_971DB7:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1A09j
		mov	eax, ds:_PiDevCfgEmptyString
		mov	ecx, ds:off_A3FDD8

loc_971DC2:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1A17j
		mov	[ebp+var_B4], eax
		mov	edx, ebx
		xor	eax, eax
		mov	[ebp+var_B0], ecx
		push	eax
		movzx	eax, word ptr [ebp+var_B4]
		add	eax, 2
		push	eax
		mov	eax, [ebp+var_88]
		push	ecx
		push	12h
		push	offset _DEVPKEY_Device_ConfigurationId
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_A4], esi
		test	esi, esi
		js	loc_97203D
		mov	ecx, [ebp+var_154]
		test	ecx, ecx
		jz	short loc_971E60
		xor	eax, eax
		mov	edx, ebx
		push	eax
		mov	eax, [ebp+var_16C]
		movzx	eax, ax
		push	eax
		mov	eax, [ebp+var_88]
		push	ecx
		push	2012h
		push	offset _DEVPKEY_Device_ExtendedConfigurationIds
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_A4], eax
		test	esi, esi
		js	loc_97203D
		jmp	short loc_971E8C
; 

loc_971E60:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1A7Aj
		test	byte ptr [ebx],	1
		jnz	short loc_971E8C
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		mov	eax, [ebp+var_88]
		push	offset _DEVPKEY_Device_ExtendedConfigurationIds
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_971E8C:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1AC0j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1AC5j
		test	edi, edi
		jz	short loc_971ED8
		mov	ecx, [edi+54h]
		test	ecx, ecx
		jz	short loc_971ED8
		xor	eax, eax
		mov	edx, ebx
		push	eax
		movzx	eax, word ptr [edi+50h]
		add	eax, 2
		push	eax
		mov	eax, [ebp+var_88]
		push	ecx
		push	12h
		push	(offset	loc_427F80+4)
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_A4], esi
		test	esi, esi
		js	loc_97203D
		jmp	short loc_971F04
; 

loc_971ED8:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1AF0j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1AF7j
		test	byte ptr [ebx],	1
		jnz	short loc_971F04
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		mov	eax, [ebp+var_88]
		push	(offset	loc_427F80+4)
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_971F04:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1B38j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1B3Dj
		test	byte ptr [ebp+var_D8], 80h
		jz	short loc_971F55
		xor	eax, eax
		mov	byte ptr [ebp+var_95], 0FFh
		push	eax
		push	1
		lea	eax, [ebp+var_95]
		mov	edx, ebx
		push	eax
		mov	eax, [ebp+var_88]
		push	11h
		push	offset _DEVPKEY_Device_DriverInGroup
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_A4], esi
		test	esi, esi
		js	loc_97203D
		jmp	short loc_971F81
; 

loc_971F55:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1B6Dj
		test	byte ptr [ebx],	1
		jnz	short loc_971F81
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		push	eax
		mov	eax, [ebp+var_88]
		push	offset _DEVPKEY_Device_DriverInGroup
		push	ecx
		push	[ebp+var_80]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_971F81:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1BB5j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1BBAj
		mov	ecx, [ebp+var_10C]
		test	ecx, ecx
		jz	short loc_971F9A
		cmp	word ptr [ebp+var_12C],	0
		jz	short loc_971F9A
		call	_PipHardwareConfigActivateService@4 ; PipHardwareConfigActivateService(x)

loc_971F9A:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1BEBj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1BF5j
		mov	ebx, [ebp+var_FC]
		xor	eax, eax
		test	ebx, ebx
		jz	short loc_971FEA
		jmp	short loc_971FE5
; 

loc_971FA8:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1C4Aj
		mov	ecx, ebx
		call	_PipHardwareConfigActivateService@4 ; PipHardwareConfigActivateService(x)
		cmp	_PnpBootMode, 0
		jnz	short loc_971FC5
		test	byte ptr [edi+6Ch], 10h
		jz	short loc_971FC5
		mov	ecx, ebx
		call	_PiDevCfgMakeServiceBootStart@4	; PiDevCfgMakeServiceBootStart(x)

loc_971FC5:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1C18j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1C1Ej
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_971FCA:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1C39j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_17C]
		jnz	short loc_971FCA
		sub	ecx, edx
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]
		add	ebx, 2
		xor	eax, eax

loc_971FE5:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1C08j
		cmp	[ebx], ax
		jnz	short loc_971FA8

loc_971FEA:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1C06j
		mov	ebx, [ebp+var_100]
		test	ebx, ebx
		jz	short loc_97203D
		cmp	[ebx], ax
		jz	short loc_97203D
		xor	esi, esi

loc_971FFB:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1C97j
		mov	ecx, ebx
		call	_PipHardwareConfigActivateService@4 ; PipHardwareConfigActivateService(x)
		cmp	_PnpBootMode, 0
		jnz	short loc_972018
		test	byte ptr [edi+6Ch], 10h
		jz	short loc_972018
		mov	ecx, ebx
		call	_PiDevCfgMakeServiceBootStart@4	; PiDevCfgMakeServiceBootStart(x)

loc_972018:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1C6Bj
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1C71j
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_97201D:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1C88j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_97201D
		sub	ecx, edx
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]
		add	ebx, 2
		cmp	[ebx], si
		jnz	short loc_971FFB
		mov	esi, [ebp+var_A4]

loc_97203D:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1F1j
					; PiDevCfgConfigureDevice(x,x,x,x,x)+20Fj ...
		lea	eax, [ebp+var_BC]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_E8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_128]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_110]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_118]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_120]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_138]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_140]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_150]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_158]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_F8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_148]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_F0]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [ebp+var_15C]
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_9720EC
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9720EC:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1D45j
		cmp	[ebp+var_DC], 0
		jz	short loc_972101
		push	ebx
		push	[ebp+var_DC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_972101:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1D55j
		cmp	[ebp+var_AC], 0
		jz	short loc_972115
		push	[ebp+var_AC]
		call	_ZwClose@4	; ZwClose(x)

loc_972115:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1D6Aj
		cmp	[ebp+var_C8], 0
		jz	short loc_972129
		push	[ebp+var_C8]
		call	_ZwClose@4	; ZwClose(x)

loc_972129:				; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1D7Ej
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PiDevCfgConfigureDevice@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgConfigureDeviceDriver(x, x,	x, x, x)
_PiDevCfgConfigureDeviceDriver@20 proc near
					; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1831p
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1883p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	eax, edx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		push	edi
		mov	edi, [ebp+arg_8]
		push	edi
		push	ebx
		push	edx
		push	edx
		push	0FFFFFFFFh
		push	dword ptr [esi+10h]
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], edx
		mov	edx, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ecx
		call	_PiDevCfgConfigureDeviceDriverConfiguration@32 ; PiDevCfgConfigureDeviceDriverConfiguration(x,x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_9721C5
		lea	eax, [esi+0D8h]
		mov	esi, [eax]
		jmp	short loc_9721C1
; 

loc_972180:				; CODE XREF: PiDevCfgConfigureDeviceDriver(x,x,x,x,x)+87j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	offset _PiDevCfgConfigurePropertyMatchCallback@8 ; PiDevCfgConfigurePropertyMatchCallback(x,x)
		push	dword ptr [esi+34h]
		push	dword ptr [esi+10h]
		call	_PiDevCfgConfigureDeviceDriverConfiguration@32 ; PiDevCfgConfigureDeviceDriverConfiguration(x,x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_9721C5
		test	ebx, ebx
		jz	short loc_9721AE
		mov	eax, [ebp+var_4]
		or	[ebx], eax

loc_9721AE:				; CODE XREF: PiDevCfgConfigureDeviceDriver(x,x,x,x,x)+6Bj
		test	edi, edi
		jz	short loc_9721B7
		mov	eax, [ebp+var_8]
		or	[edi], eax

loc_9721B7:				; CODE XREF: PiDevCfgConfigureDeviceDriver(x,x,x,x,x)+74j
		mov	eax, [ebp+arg_0]
		mov	esi, [esi]
		add	eax, 0D8h

loc_9721C1:				; CODE XREF: PiDevCfgConfigureDeviceDriver(x,x,x,x,x)+42j
		cmp	esi, eax
		jnz	short loc_972180

loc_9721C5:				; CODE XREF: PiDevCfgConfigureDeviceDriver(x,x,x,x,x)+38j
					; PiDevCfgConfigureDeviceDriver(x,x,x,x,x)+67j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	0Ch
_PiDevCfgConfigureDeviceDriver@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgConfigureDeviceDriverConfiguration(x, x, x,	x, x, x, x, x)
_PiDevCfgConfigureDeviceDriverConfiguration@32 proc near
					; CODE XREF: PiDevCfgConfigureDeviceDriver(x,x,x,x,x)+2Fp
					; PiDevCfgConfigureDeviceDriver(x,x,x,x,x)+5Ep	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr [ebp+arg_4], 1
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jz	short loc_97220D
		mov	eax, [esi]
		xor	edx, edx
		and	eax, 1
		shl	eax, 11h
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	dword ptr [esi+8]
		push	1
		push	dword ptr [edi+18h]
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, _PiPnpRtlCtx
		push	0
		call	_PiDevCfgCopyObjectProperties@44 ; PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_972222

loc_97220D:				; CODE XREF: PiDevCfgConfigureDeviceDriverConfiguration(x,x,x,x,x,x,x,x)+Fj
		push	[ebp+arg_14]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+arg_10]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PiDevCfgConfigureDeviceKeys@24	; PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)

loc_972222:				; CODE XREF: PiDevCfgConfigureDeviceDriverConfiguration(x,x,x,x,x,x,x,x)+3Dj
		pop	edi
		pop	esi
		pop	ebp
		retn	18h
_PiDevCfgConfigureDeviceDriverConfiguration@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgConfigureDeviceFilters(x, x)
_PiDevCfgConfigureDeviceFilters@8 proc near
					; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+C2p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	10h
		pop	eax
		push	0Eh
		mov	word ptr [ebp+var_C+2],	ax
		xor	ebx, ebx
		pop	eax
		mov	word ptr [ebp+var_C], ax
		mov	edi, ecx
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], offset ??_C@_1BA@DJLBFCNB@?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@ ; "F"
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ebx
		push	eax
		mov	[ebp+var_24], 18h
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], 240h
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_97228C
		mov	esi, ebx
		jmp	short loc_9722BC
; 

loc_97228C:				; CODE XREF: PiDevCfgConfigureDeviceFilters(x,x)+5Ej
		test	esi, esi
		js	short loc_9722BC
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_9722A5
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_9722A5
		mov	eax, [eax+4]
		jmp	short loc_9722A7
; 

loc_9722A5:				; CODE XREF: PiDevCfgConfigureDeviceFilters(x,x)+6Fj
					; PiDevCfgConfigureDeviceFilters(x,x)+76j
		mov	eax, ebx

loc_9722A7:				; CODE XREF: PiDevCfgConfigureDeviceFilters(x,x)+7Bj
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		push	ebx
		push	eax
		push	ebx
		push	offset ??_C@_1BA@DJLBFCNB@?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@	; "F"
		push	edi
		call	__RegRtlCopyTreeInternal@28 ; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)
		mov	esi, eax

loc_9722BC:				; CODE XREF: PiDevCfgConfigureDeviceFilters(x,x)+62j
					; PiDevCfgConfigureDeviceFilters(x,x)+66j
		cmp	[ebp+var_4], ebx
		jz	short loc_9722C9
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_9722C9:				; CODE XREF: PiDevCfgConfigureDeviceFilters(x,x)+97j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiDevCfgConfigureDeviceFilters@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgConfigureDeviceInterface(x,	x, x)
_PiDevCfgConfigureDeviceInterface@12 proc near
					; CODE XREF: PiDevCfgConfigureDeviceInterfaceCallback(x,x,x,x)+17p
					; PiDevCfgConfigureDeviceInterfaces(x,x,x)+2F7p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [esp+38h+var_20]
		push	offset ??_C@_1O@HAMLNBEA@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@NNGAKEGL@ ; "Device"
		push	eax
		mov	ebx, edx
		mov	[esp+40h+var_24], esi
		mov	edi, ecx
		mov	[esp+40h+var_20], esi
		mov	[esp+40h+var_1C], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+38h+var_20]
		mov	[esp+38h+var_28], esi
		mov	[esp+38h+var_10], eax
		lea	eax, [esp+38h+var_18]
		push	eax
		push	20019h
		lea	eax, [esp+40h+var_28]
		mov	[esp+40h+var_18], 18h
		push	eax
		mov	[esp+44h+var_14], ebx
		mov	[esp+44h+var_C], 240h
		mov	[esp+44h+var_8], esi
		mov	[esp+44h+var_4], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_9723AE
		test	esi, esi
		js	loc_97246C
		push	0
		lea	eax, [esp+3Ch+var_24]
		mov	edx, edi
		push	eax
		push	1
		push	0F003Fh
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	32h
		call	_CmOpenDeviceInterfaceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_97246C
		push	[ebp+arg_0]
		mov	edx, [esp+3Ch+var_24]
		push	ecx
		mov	ecx, [esp+40h+var_28]
		call	_PiDevCfgCopyDeviceKeys@16 ; PiDevCfgCopyDeviceKeys(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97246C
		push	[esp+38h+var_28]
		call	_ZwClose@4	; ZwClose(x)
		push	[esp+38h+var_24]
		xor	esi, esi
		mov	[esp+3Ch+var_28], esi
		call	_ZwClose@4	; ZwClose(x)
		mov	[esp+38h+var_24], esi
		jmp	short loc_9723B0
; 

loc_9723AE:				; CODE XREF: PiDevCfgConfigureDeviceInterface(x,x,x)+73j
		xor	esi, esi

loc_9723B0:				; CODE XREF: PiDevCfgConfigureDeviceInterface(x,x,x)+DCj
		push	offset ??_C@_1BG@COALCEMK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAi?$AAe?$AAs@NNGAKEGL@
		lea	eax, [esp+3Ch+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+38h+var_20]
		mov	[esp+38h+var_28], esi
		mov	[esp+38h+var_10], eax
		lea	eax, [esp+38h+var_18]
		push	eax
		push	20019h
		lea	eax, [esp+40h+var_28]
		mov	[esp+40h+var_18], 18h
		push	eax
		mov	[esp+44h+var_14], ebx
		mov	[esp+44h+var_C], 240h
		mov	[esp+44h+var_8], esi
		mov	[esp+44h+var_4], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_972409
		xor	esi, esi
		jmp	short loc_97246C
; 

loc_972409:				; CODE XREF: PiDevCfgConfigureDeviceInterface(x,x,x)+133j
		test	esi, esi
		js	short loc_97246C
		push	0
		lea	eax, [esp+3Ch+var_24]
		mov	edx, edi
		push	eax
		push	0
		push	0F003Fh
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	30h
		call	_CmOpenDeviceInterfaceRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_97246C
		xor	eax, eax
		xor	edx, edx
		push	eax
		push	eax
		push	eax
		push	[esp+44h+var_24]
		push	3
		push	edi
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	eax
		call	_PiDevCfgCopyObjectProperties@44 ; PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97246C
		push	[ebp+arg_0]
		mov	edx, [esp+3Ch+var_24]
		mov	ecx, [esp+3Ch+var_28]
		push	0
		push	1
		push	3
		push	edi
		call	_PiDevCfgCopyDeviceKey@28 ; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)
		mov	esi, eax

loc_97246C:				; CODE XREF: PiDevCfgConfigureDeviceInterface(x,x,x)+77j
					; PiDevCfgConfigureDeviceInterface(x,x,x)+9Fj ...
		cmp	[esp+38h+var_28], 0
		jz	short loc_97247C
		push	[esp+38h+var_28]
		call	_ZwClose@4	; ZwClose(x)

loc_97247C:				; CODE XREF: PiDevCfgConfigureDeviceInterface(x,x,x)+1A1j
		cmp	[esp+38h+var_24], 0
		jz	short loc_97248C
		push	[esp+38h+var_24]
		call	_ZwClose@4	; ZwClose(x)

loc_97248C:				; CODE XREF: PiDevCfgConfigureDeviceInterface(x,x,x)+1B1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_PiDevCfgConfigureDeviceInterface@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgConfigureDeviceInterfaces(x, x, x)
_PiDevCfgConfigureDeviceInterfaces@12 proc near
					; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+88p

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	ebx, [ebp+arg_0]
		lea	edi, [ebp+var_84]
		mov	[ebp+var_38], ecx
		stosd
		xor	ecx, ecx
		push	16h
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_78], ecx
		stosd
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ecx
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_18]
		mov	[ebp+var_74], ecx
		stosd
		mov	[ebp+var_70], ecx
		mov	[ebp+var_30], offset ??_C@_1BG@JELGADA@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAf?$AAa?$AAc?$AAe?$AAs@NNGAKEGL@
		mov	[ebp+var_68], 18h
		stosd
		mov	[ebp+var_64], edx
		mov	[ebp+var_5C], 240h
		stosd
		stosd
		pop	eax
		push	14h
		mov	word ptr [ebp+var_34+2], ax
		xor	edi, edi
		pop	eax
		mov	word ptr [ebp+var_34], ax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	20019h
		lea	eax, [ebp+var_20]
		mov	[ebp+var_28], edi
		push	eax
		mov	[ebp+var_24], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_58], edi
		mov	[ebp+var_54], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_972543
		mov	esi, edi
		jmp	loc_97288C
; 

loc_972543:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+A3j
		test	esi, esi
		js	loc_97288C
		push	4
		pop	eax
		mov	word ptr [ebp+var_34+2], ax
		push	2
		pop	eax
		mov	word ptr [ebp+var_34], ax
		mov	eax, [ebp+var_20]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_30], offset ??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@
		push	eax
		mov	[ebp+var_68], 18h
		mov	[ebp+var_5C], 240h
		mov	[ebp+var_58], edi
		mov	[ebp+var_54], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_9725F7
		test	esi, esi
		js	loc_97288C
		mov	eax, [ebp+var_1C]
		xor	edx, edx
		mov	ecx, _PiPnpRtlCtx
		push	edi
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	edi
		push	edi
		lea	eax, [ebp+var_84]
		mov	[ebp+var_80], ebx
		push	eax
		push	offset _PiDevCfgConfigureDeviceInterfaceCallback@16 ; PiDevCfgConfigureDeviceInterfaceCallback(x,x,x,x)
		push	edi
		push	[ebp+var_38]
		mov	[ebp+var_7C], edi
		call	_CmGetMatchingFilteredDeviceInterfaceList
		push	[ebp+var_1C]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		mov	[ebp+var_1C], edi
		test	esi, esi
		js	loc_97289A
		mov	esi, [ebp+var_7C]
		test	esi, esi
		js	loc_97289A

loc_9725F7:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+103j
		push	63647050h
		mov	esi, 26Eh
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_972619
		mov	esi, 0C000009Ah
		jmp	loc_97288C
; 

loc_972619:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+176j
		lea	eax, [ebp+var_40]
		mov	[ebp+var_6C], edi
		push	eax
		push	esi
		push	ebx
		push	edi
		push	edi
		push	[ebp+var_20]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97286A
		lea	edi, [ebx+10h]

loc_972639:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+3CBj
		mov	eax, [ebx+0Ch]
		xor	ecx, ecx
		shr	eax, 1
		push	offset ??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@ ; wchar_t *
		push	edi		; wchar_t *
		mov	[ebx+eax*2+10h], cx
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_972841
		push	edi
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_972883
		mov	eax, [ebp+var_50]
		xor	ecx, ecx
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_20]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_1C], ecx
		push	eax
		mov	[ebp+var_68], 18h
		mov	[ebp+var_5C], 240h
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_972883
		mov	esi, [ebp+var_3C]
		xor	eax, eax
		mov	[ebp+var_2C], eax
		mov	edi, eax
		test	esi, esi
		jz	loc_9727E4
		cmp	[esi+8], eax
		jz	loc_9727E4
		mov	ecx, [ebp+var_4C]
		lea	eax, [ebp+var_2C]
		push	eax
		lea	edx, [ebp+var_74]
		call	_PiDevCfgParseVariableName@12 ;	PiDevCfgParseVariableName(x,x,x)
		test	al, al
		jz	loc_9727E4
		mov	edx, [ebp+var_70]
		xor	eax, eax
		mov	[ebp+var_2C], eax
		mov	ecx, esi
		lea	eax, [ebp+var_2C]
		push	eax
		call	_PiDevCfgResolveVariable@12 ; PiDevCfgResolveVariable(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9727D0
		mov	ecx, [ebp+var_2C]
		mov	eax, [ecx+10h]
		cmp	eax, 1
		jz	short loc_972728
		cmp	eax, 2
		jz	short loc_972728
		cmp	eax, 7
		jnz	loc_972831
		mov	edi, [ecx+18h]
		jmp	short loc_97273D
; 

loc_972728:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+27Cj
					; PiDevCfgConfigureDeviceInterfaces(x,x,x)+281j
		mov	eax, [ecx+18h]
		movzx	ecx, word ptr [ecx+14h]
		mov	[ebp+var_44], eax
		mov	word ptr [ebp+var_48+2], cx
		lea	eax, [ecx-2]
		mov	word ptr [ebp+var_48], ax

loc_97273D:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+28Fj
		test	edi, edi
		jz	loc_9727E4
		jmp	short loc_9727C3
; 

loc_972747:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+331j
		push	edi
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_28]
		push	eax
		lea	edx, [ebp+var_18]
		lea	ecx, [ebp+var_34]
		call	_PiDevCfgParseInterfaceKeyName@12 ; PiDevCfgParseInterfaceKeyName(x,x,x)
		test	al, al
		jz	short loc_9727A8
		mov	ecx, [ebp+var_38] ; int
		lea	edx, [ebp+var_18] ; int
		xor	eax, eax
		push	eax		; int
		lea	eax, [ebp+var_24]
		push	eax		; int
		push	1		; char
		push	[ebp+var_28]	; int
		call	IopRegisterDeviceInterface
		mov	esi, eax
		test	esi, esi
		js	loc_972883
		push	[ebp+var_3C]
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_24]
		call	_PiDevCfgConfigureDeviceInterface@12 ; PiDevCfgConfigureDeviceInterface(x,x,x)
		mov	esi, eax
		xor	eax, eax
		push	eax
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	loc_972883

loc_9727A8:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+2CBj
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_9727AD:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+320j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_78]
		jnz	short loc_9727AD
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2

loc_9727C3:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+2AEj
		xor	eax, eax
		cmp	[edi], ax
		jnz	loc_972747
		jmp	short loc_97282D
; 

loc_9727D0:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+26Dj
		cmp	esi, 0C0000034h
		jnz	short loc_972831
		mov	eax, [ebp+var_74]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_70]
		mov	[ebp+var_44], eax

loc_9727E4:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+230j
					; PiDevCfgConfigureDeviceInterfaces(x,x,x)+239j ...
		lea	eax, [ebp+var_28]
		push	eax
		lea	edx, [ebp+var_18]
		lea	ecx, [ebp+var_48]
		call	_PiDevCfgParseInterfaceKeyName@12 ; PiDevCfgParseInterfaceKeyName(x,x,x)
		test	al, al
		jz	short loc_972831
		mov	ecx, [ebp+var_38] ; int
		lea	eax, [ebp+var_24]
		xor	edi, edi
		lea	edx, [ebp+var_18] ; int
		push	edi		; int
		push	eax		; int
		push	1		; char
		push	[ebp+var_28]	; int
		call	IopRegisterDeviceInterface
		mov	esi, eax
		test	esi, esi
		js	short loc_972883
		push	[ebp+var_3C]
		mov	edx, [ebp+var_1C]
		mov	ecx, [ebp+var_24]
		call	_PiDevCfgConfigureDeviceInterface@12 ; PiDevCfgConfigureDeviceInterface(x,x,x)
		push	edi
		push	[ebp+var_24]
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97282D:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+337j
		test	esi, esi
		js	short loc_972883

loc_972831:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+286j
					; PiDevCfgConfigureDeviceInterfaces(x,x,x)+33Fj ...
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)
		xor	eax, eax
		lea	edi, [ebx+10h]
		mov	[ebp+var_1C], eax

loc_972841:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+1BDj
		mov	eax, [ebp+var_6C]
		lea	ecx, [ebp+var_40]
		push	ecx
		push	26Eh
		push	ebx
		xor	ecx, ecx
		inc	eax
		push	ecx
		push	eax
		push	[ebp+var_20]
		mov	[ebp+var_6C], eax
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_972639
		xor	edi, edi

loc_97286A:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+199j
		cmp	esi, 8000001Ah
		jnz	short loc_972876
		mov	esi, edi
		jmp	short loc_972883
; 

loc_972876:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+3D9j
		cmp	esi, 80000005h
		jnz	short loc_972883
		mov	esi, 0C0000033h

loc_972883:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+1D1j
					; PiDevCfgConfigureDeviceInterfaces(x,x,x)+21Ej ...
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97288C:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+A7j
					; PiDevCfgConfigureDeviceInterfaces(x,x,x)+AEj	...
		cmp	[ebp+var_1C], 0
		jz	short loc_97289A
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_97289A:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+14Fj
					; PiDevCfgConfigureDeviceInterfaces(x,x,x)+15Aj ...
		cmp	[ebp+var_20], 0
		jz	short loc_9728A8
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)

loc_9728A8:				; CODE XREF: PiDevCfgConfigureDeviceInterfaces(x,x,x)+407j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PiDevCfgConfigureDeviceInterfaces@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgConfigureDeviceKeyCallback(x, x, x,	x, x, x)
_PiDevCfgConfigureDeviceKeyCallback@24 proc near
					; DATA XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+5Co

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		cmp	dword ptr [eax+0Ch], 10h
		jnz	short loc_9728F8
		push	offset ??_C@_1BG@COALCEMK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAi?$AAe?$AAs@NNGAKEGL@ ; wchar_t *
		push	dword ptr [eax]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_9728F8
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+4]
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		push	0
		push	1
		push	1
		push	eax
		call	_PiDevCfgCopyDeviceKey@28 ; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)
		jmp	short loc_972907
; 

loc_9728F8:				; CODE XREF: PiDevCfgConfigureDeviceKeyCallback(x,x,x,x,x,x)+Cj
					; PiDevCfgConfigureDeviceKeyCallback(x,x,x,x,x,x)+1Ej
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_10]
		push	ecx
		mov	ecx, [ebp+arg_C]
		call	_PiDevCfgCopyDeviceKeys@16 ; PiDevCfgCopyDeviceKeys(x,x,x,x)

loc_972907:				; CODE XREF: PiDevCfgConfigureDeviceKeyCallback(x,x,x,x,x,x)+3Bj
		pop	ebp
		retn	18h
_PiDevCfgConfigureDeviceKeyCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgConfigureDeviceKeys(x, x, x, x, x, x)
_PiDevCfgConfigureDeviceKeys@24	proc near
					; CODE XREF: PpDevCfgProcessDeviceOperations+6C82Cp
					; PiDevCfgConfigureDevice(x,x,x,x,x)+199Dp ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_C], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_28]
		mov	[ebp+var_10], ecx
		stosd
		xor	edx, edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], edx
		stosd
		mov	[ebp+var_4], edx
		stosd
		stosd
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_97293C
		mov	[eax], edx

loc_97293C:				; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+2Dj
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	short loc_972945
		mov	[esi], edx

loc_972945:				; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+36j
		mov	ebx, [ebp+arg_0]
		lea	eax, [ebp+var_28]
		push	eax
		mov	edx, ebx
		call	_PiDevCfgInitResolveContext@12 ; PiDevCfgInitResolveContext(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_972AD5
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_28]
		mov	ecx, [ebp+var_10]
		push	eax
		push	offset _PiDevCfgConfigureDeviceKeyCallback@24 ;	PiDevCfgConfigureDeviceKeyCallback(x,x,x,x,x,x)
		push	1
		push	[ebp+arg_4]
		push	ebx
		call	_PiDevCfgEnumDeviceKeys@28 ; PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_972AD5
		test	byte ptr [ebp+arg_4], 8
		jz	short loc_9729A2
		lea	eax, [ebp+var_28]
		mov	edx, ebx
		push	eax
		mov	eax, [ebp+var_C]
		mov	ecx, [eax+4]
		call	_PiDevCfgConfigureDeviceInterfaces@12 ;	PiDevCfgConfigureDeviceInterfaces(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_972AD5

loc_9729A2:				; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+7Aj
		test	byte ptr [ebp+arg_4], 10h
		jz	short loc_9729BF
		mov	eax, [ebp+var_C]
		mov	edx, ebx
		mov	ecx, [eax+8]
		call	_PiDevCfgConfigureSoftwareDevices@8 ; PiDevCfgConfigureSoftwareDevices(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_972AD5

loc_9729BF:				; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+9Bj
		test	byte ptr [ebp+arg_4], 20h
		jz	short loc_9729DC
		mov	eax, [ebp+var_C]
		mov	edx, ebx
		mov	ecx, [eax+8]
		call	_PiDevCfgConfigureDeviceFilters@8 ; PiDevCfgConfigureDeviceFilters(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_972AD5

loc_9729DC:				; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+B8j
		push	0Eh
		pop	eax
		push	0Ch
		mov	word ptr [ebp+var_18+2], ax
		pop	eax
		mov	word ptr [ebp+var_18], ax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_40]
		push	eax
		mov	[ebp+var_3C], ebx
		lea	eax, [ebp+var_8]
		push	20019h
		xor	ebx, ebx
		mov	[ebp+var_14], (offset loc_8BA67D+1)
		push	eax
		mov	[ebp+var_40], 18h
		mov	[ebp+var_34], 240h
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_972AD5
		test	esi, esi
		jz	short loc_972A9A
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	(offset	loc_8BA5E5+1)
		lea	ecx, [ebp+var_28]
		call	_PiDevCfgQueryResolveValue@16 ;	PiDevCfgQueryResolveValue(x,x,x,x)
		test	eax, eax
		js	short loc_972A64
		mov	ecx, [ebp+var_4]
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_972A5D
		mov	eax, [ecx+8]
		cmp	[ecx+eax], ebx
		jz	short loc_972A5D
		or	dword ptr [esi], 40h

loc_972A5D:				; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+145j
					; PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+14Dj
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_972A64:				; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+139j
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	offset ??_C@_1CA@IENBEMHD@?$AAC?$AAl?$AAa?$AAs?$AAs?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAe?$AAd@NNGAKEGL@
		lea	ecx, [ebp+var_28]
		call	_PiDevCfgQueryResolveValue@16 ;	PiDevCfgQueryResolveValue(x,x,x,x)
		test	eax, eax
		js	short loc_972A9A
		mov	ecx, [ebp+var_4]
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_972A93
		mov	eax, [ecx+8]
		cmp	[ecx+eax], ebx
		jz	short loc_972A93
		or	dword ptr [esi], 2

loc_972A93:				; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+17Bj
					; PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+183j
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_972A9A:				; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+121j
					; PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+16Fj
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jz	short loc_972AD5
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	offset ??_C@_1BI@KGJMAEC@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@
		lea	ecx, [ebp+var_28]
		call	_PiDevCfgQueryResolveValue@16 ;	PiDevCfgQueryResolveValue(x,x,x,x)
		test	eax, eax
		js	short loc_972AD5
		mov	ecx, [ebp+var_4]
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_972ACD
		mov	eax, [ecx+8]
		mov	eax, [eax+ecx]
		or	[ebx], eax

loc_972ACD:				; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+1B8j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_972AD5:				; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+4Cj
					; PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+70j	...
		lea	ecx, [ebp+var_28]
		call	_PiDevCfgFreeResolveContext@4 ;	PiDevCfgFreeResolveContext(x)
		cmp	[ebp+var_8], 0
		jz	short loc_972AEB
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_972AEB:				; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+1D6j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiDevCfgConfigureDeviceKeys@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgConfigureDeviceLocation(x, x, x, x)
_PiDevCfgConfigureDeviceLocation@16 proc near
					; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+18DCp
					; PpDevCfgProcessDeviceClass(x)+1CBp

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_70], eax
		lea	edi, [ebp+var_30]
		xor	eax, eax
		mov	[ebp+var_38], ebx
		push	0Ah
		pop	ecx
		rep stosd
		mov	esi, edx
		mov	[ebp+var_54], eax
		mov	eax, [ebp+var_70]
		xor	edi, edi
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_74], esi
		mov	[ebp+var_7C], edx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_78], edi
		test	eax, eax
		jz	short loc_972B55
		mov	[eax], edi

loc_972B55:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+5Dj
		test	edx, edx
		jz	short loc_972B5B
		mov	[edx], edi

loc_972B5B:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+63j
		cmp	[esi+20h], edi
		jnz	short loc_972B67

loc_972B60:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+E0j
					; PiDevCfgConfigureDeviceLocation(x,x,x,x)+10Bj
		mov	esi, edi
		jmp	loc_972D92
; 

loc_972B67:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+6Aj
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_38]
		push	eax
		push	4
		pop	eax
		mov	edx, eax
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_972D92
		push	30h
		pop	eax
		mov	word ptr [ebp+var_40+2], ax
		push	2Eh
		pop	eax
		mov	word ptr [ebp+var_40], ax
		mov	eax, [ebp+var_38]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_48]
		mov	[ebp+var_3C], offset ??_C@_1DA@LIEHOELA@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAL@NNGAKEGL@ ; "Control\\DeviceLocations"
		push	eax
		mov	[ebp+var_6C], 18h
		mov	[ebp+var_60], 240h
		mov	[ebp+var_5C], edi
		mov	[ebp+var_58], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_972B60
		test	esi, esi
		js	loc_972D92
		lea	eax, [ebp+var_78]
		push	eax
		push	28h
		lea	eax, [ebp+var_30]
		push	eax
		push	4
		push	[ebp+var_48]
		call	NtQueryKey
		mov	esi, eax
		test	esi, esi
		js	loc_972D92
		cmp	[ebp+var_24], ebx
		jz	loc_972B60
		mov	edi, [ebp+var_74]
		lea	eax, [ebp+var_44]
		mov	edx, [ebp+var_48]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		mov	ecx, [edi+20h]
		call	_PnpOpenFirstMatchingSubKey@24 ; PnpOpenFirstMatchingSubKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_972C2B
		xor	esi, esi
		jmp	loc_972D92
; 

loc_972C2B:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+12Ej
		test	esi, esi
		js	loc_972D92
		xor	eax, eax
		add	edi, 0Ch
		push	2
		mov	[ebp+var_38], eax
		pop	ecx

loc_972C3E:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+1BCj
		cmp	dword ptr [edi+4], 0
		jz	short loc_972CA7
		test	ebx, ebx
		jz	short loc_972C51
		lea	eax, [ebp+var_54]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_972C51:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+152j
		mov	edx, edi
		lea	ecx, [ebp+var_54]
		call	_PnpDuplicateUnicodeString@8 ; PnpDuplicateUnicodeString(x,x)
		test	al, al
		jz	short loc_972CB4
		lea	edx, [ebp+var_54]
		mov	ecx, edx
		call	_IopReplaceSeperatorWithPound@8	; IopReplaceSeperatorWithPound(x,x)
		mov	ebx, [ebp+var_50]
		test	eax, eax
		jns	short loc_972C74
		xor	esi, esi
		jmp	short loc_972CA1
; 

loc_972C74:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+17Aj
		mov	edx, [ebp+var_44]
		lea	eax, [ebp+var_34]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		mov	ecx, ebx
		call	_PnpOpenFirstMatchingSubKey@24 ; PnpOpenFirstMatchingSubKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_972C93
		xor	esi, esi
		jmp	short loc_972C9B
; 

loc_972C93:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+199j
		test	esi, esi
		js	loc_972D92

loc_972C9B:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+19Dj
		cmp	[ebp+var_34], 0
		jnz	short loc_972CB9

loc_972CA1:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+17Ej
		mov	eax, [ebp+var_38]
		push	2
		pop	ecx

loc_972CA7:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+14Ej
		inc	eax
		add	edi, 8
		mov	[ebp+var_38], eax
		cmp	eax, ecx
		jb	short loc_972C3E
		jmp	short loc_972CBC
; 

loc_972CB4:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+169j
		mov	esi, 0C000009Ah

loc_972CB9:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+1ABj
		push	2
		pop	ecx

loc_972CBC:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+1BEj
		test	esi, esi
		js	loc_972D92
		xor	ebx, ebx
		cmp	[ebp+var_34], ebx
		jnz	short loc_972D24
		push	4
		pop	eax
		mov	word ptr [ebp+var_40+2], ax
		mov	eax, [ebp+var_44]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_34]
		mov	word ptr [ebp+var_40], cx
		push	eax
		mov	[ebp+var_3C], offset ??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@
		mov	[ebp+var_34], ebx
		mov	[ebp+var_6C], 18h
		mov	[ebp+var_60], 240h
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_972D20

loc_972D1C:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+27Fj
		mov	esi, ebx
		jmp	short loc_972D92
; 

loc_972D20:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+226j
		test	esi, esi
		js	short loc_972D92

loc_972D24:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+1D5j
		push	1Ch
		pop	eax
		mov	word ptr [ebp+var_40+2], ax
		push	1Ah
		pop	eax
		mov	word ptr [ebp+var_40], ax
		mov	eax, [ebp+var_34]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_3C], offset ??_C@_1BM@ICBIINEM@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		push	eax
		mov	[ebp+var_6C], 18h
		mov	[ebp+var_60], 240h
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_972D1C
		test	esi, esi
		js	short loc_972D92
		push	[ebp+var_7C]
		mov	eax, [ebp+var_70]
		mov	edx, [ebp+var_74]
		mov	ecx, [ebp+var_80]
		push	eax
		push	0FFFFFFFFh
		push	[ebp+var_4C]
		call	_PiDevCfgConfigureDeviceKeys@24	; PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)
		mov	esi, eax

loc_972D92:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+6Ej
					; PiDevCfgConfigureDeviceLocation(x,x,x,x)+8Bj	...
		lea	eax, [ebp+var_54]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_4C], 0
		jz	short loc_972DA9
		push	[ebp+var_4C]
		call	_ZwClose@4	; ZwClose(x)

loc_972DA9:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+2ABj
		cmp	[ebp+var_34], 0
		jz	short loc_972DB7
		push	[ebp+var_34]
		call	_ZwClose@4	; ZwClose(x)

loc_972DB7:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+2B9j
		cmp	[ebp+var_44], 0
		jz	short loc_972DC5
		push	[ebp+var_44]
		call	_ZwClose@4	; ZwClose(x)

loc_972DC5:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+2C7j
		cmp	[ebp+var_48], 0
		jz	short loc_972DD3
		push	[ebp+var_48]
		call	_ZwClose@4	; ZwClose(x)

loc_972DD3:				; CODE XREF: PiDevCfgConfigureDeviceLocation(x,x,x,x)+2D5j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PiDevCfgConfigureDeviceLocation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDevCfgConfigurePropertyMatchCallback(void *,int)
_PiDevCfgConfigurePropertyMatchCallback@8 proc near
					; DATA XREF: PiDevCfgConfigureDeviceDriver(x,x,x,x,x)+53o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		test	byte ptr [eax+34h], 2
		mov	bl, 1
		mov	edi, [ebp+arg_0]
		jnz	short loc_972E3F
		push	10h		; size_t
		push	ds:off_A933F4	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_972E3F
		mov	ecx, [edi+10h]
		xor	esi, esi
		mov	[ebp+arg_4], ecx

loc_972E19:				; CODE XREF: PiDevCfgConfigurePropertyMatchCallback(x,x)+57j
		mov	eax, ds:off_A933F4[esi]
		cmp	[eax+10h], ecx
		jnz	short loc_972E37
		push	10h		; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_972E6F
		mov	ecx, [ebp+arg_4]

loc_972E37:				; CODE XREF: PiDevCfgConfigurePropertyMatchCallback(x,x)+3Cj
		add	esi, 4
		cmp	esi, 28h
		jb	short loc_972E19

loc_972E3F:				; CODE XREF: PiDevCfgConfigurePropertyMatchCallback(x,x)+14j
					; PiDevCfgConfigurePropertyMatchCallback(x,x)+29j
		mov	ecx, [edi+10h]
		xor	esi, esi
		mov	[ebp+arg_4], ecx

loc_972E47:				; CODE XREF: PiDevCfgConfigurePropertyMatchCallback(x,x)+85j
		mov	eax, ds:off_A933AC[esi]
		cmp	[eax+10h], ecx
		jnz	short loc_972E65
		push	10h		; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_972E6F
		mov	ecx, [ebp+arg_4]

loc_972E65:				; CODE XREF: PiDevCfgConfigurePropertyMatchCallback(x,x)+6Aj
		add	esi, 4
		cmp	esi, 4
		jb	short loc_972E47
		jmp	short loc_972E71
; 

loc_972E6F:				; CODE XREF: PiDevCfgConfigurePropertyMatchCallback(x,x)+4Cj
					; PiDevCfgConfigurePropertyMatchCallback(x,x)+7Aj
		xor	bl, bl

loc_972E71:				; CODE XREF: PiDevCfgConfigurePropertyMatchCallback(x,x)+87j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
_PiDevCfgConfigurePropertyMatchCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgConfigureSoftwareDevices(x,	x)
_PiDevCfgConfigureSoftwareDevices@8 proc near
					; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+A5p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		push	10h
		pop	eax
		push	0Eh
		mov	word ptr [ebp+var_14+2], ax
		xor	ebx, ebx
		pop	eax
		mov	word ptr [ebp+var_14], ax
		mov	edi, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], ebx
		push	eax
		mov	[ebp+var_10], offset ??_C@_1BA@HICHNCPO@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@NNGAKEGL@ ;	"Devices"
		mov	[ebp+var_4], ebx
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_972EE7
		mov	esi, ebx
		jmp	loc_973008
; 

loc_972EE7:				; CODE XREF: PiDevCfgConfigureSoftwareDevices(x,x)+64j
		test	esi, esi
		js	loc_973008
		push	10h
		pop	eax
		push	0Eh
		mov	word ptr [ebp+var_14+2], ax
		lea	ecx, [ebp+var_8]
		pop	eax
		push	ebx
		push	ebx
		mov	word ptr [ebp+var_14], ax
		mov	edx, edi
		push	0F003Fh
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], offset ??_C@_1BA@HICHNCPO@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@NNGAKEGL@ ;	"Devices"
		push	eax
		call	IopCreateRegistryKeyEx
		mov	ebx, [ebp+var_8]
		mov	esi, eax
		test	esi, esi
		js	loc_972FFE
		push	63647050h
		mov	esi, 220h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_972F48
		mov	esi, 0C000009Ah
		jmp	loc_972FFE
; 

loc_972F48:				; CODE XREF: PiDevCfgConfigureSoftwareDevices(x,x)+C2j
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		push	eax
		push	esi
		push	edi
		push	ecx
		mov	[ebp+var_8], ecx
		push	ecx
		jmp	short loc_972FCB
; 

loc_972F57:				; CODE XREF: PiDevCfgConfigureSoftwareDevices(x,x)+15Dj
		mov	eax, [edi+0Ch]
		lea	esi, [edi+10h]
		shr	eax, 1
		xor	ecx, ecx
		mov	[edi+eax*2+10h], cx
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_972F7B
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_972F7B
		mov	eax, [eax+4]
		jmp	short loc_972F7D
; 

loc_972F7B:				; CODE XREF: PiDevCfgConfigureSoftwareDevices(x,x)+F3j
					; PiDevCfgConfigureSoftwareDevices(x,x)+FAj
		xor	eax, eax

loc_972F7D:				; CODE XREF: PiDevCfgConfigureSoftwareDevices(x,x)+FFj
		push	0
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	_RegRtlDeleteTreeInternal
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_972F9E
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_972F9E
		mov	eax, [eax+4]
		jmp	short loc_972FA0
; 

loc_972F9E:				; CODE XREF: PiDevCfgConfigureSoftwareDevices(x,x)+116j
					; PiDevCfgConfigureSoftwareDevices(x,x)+11Dj
		xor	eax, eax

loc_972FA0:				; CODE XREF: PiDevCfgConfigureSoftwareDevices(x,x)+122j
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	0
		push	eax
		push	0
		push	esi
		push	ebx
		call	__RegRtlCopyTreeInternal@28 ; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_972FF6
		mov	eax, [ebp+var_8]
		lea	ecx, [ebp+var_C]
		push	ecx
		push	220h
		push	edi
		inc	eax
		push	0
		mov	[ebp+var_8], eax
		push	eax

loc_972FCB:				; CODE XREF: PiDevCfgConfigureSoftwareDevices(x,x)+DBj
		push	[ebp+var_4]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_972F57
		cmp	esi, 8000001Ah
		jnz	short loc_972FE9
		xor	esi, esi
		jmp	short loc_972FF6
; 

loc_972FE9:				; CODE XREF: PiDevCfgConfigureSoftwareDevices(x,x)+169j
		cmp	esi, 80000005h
		jnz	short loc_972FF6
		mov	esi, 0C0000033h

loc_972FF6:				; CODE XREF: PiDevCfgConfigureSoftwareDevices(x,x)+13Bj
					; PiDevCfgConfigureSoftwareDevices(x,x)+16Dj ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_972FFE:				; CODE XREF: PiDevCfgConfigureSoftwareDevices(x,x)+A6j
					; PiDevCfgConfigureSoftwareDevices(x,x)+C9j
		test	ebx, ebx
		jz	short loc_973008
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_973008:				; CODE XREF: PiDevCfgConfigureSoftwareDevices(x,x)+68j
					; PiDevCfgConfigureSoftwareDevices(x,x)+6Fj ...
		cmp	[ebp+var_4], 0
		jz	short loc_973016
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_973016:				; CODE XREF: PiDevCfgConfigureSoftwareDevices(x,x)+192j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiDevCfgConfigureSoftwareDevices@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgConvertPropertyFromValue(x,	x, x, x, x, x)
_PiDevCfgConvertPropertyFromValue@24 proc near
					; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+616p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ebx
		push	edi
		mov	edi, ebx
		cmp	eax, 1003h
		ja	loc_97320A
		jz	loc_973216
		add	eax, 0FFFFFFFEh
		cmp	eax, 17h
		ja	loc_97321B
		movzx	eax, ds:byte_973259[eax]
		jmp	ds:off_973231[eax*4]

loc_97305B:				; DATA XREF: PAGE:0097324Do
		lea	eax, [ecx-1]
		cmp	eax, 1
		ja	loc_97321B
		jmp	loc_973216
; 

loc_97306C:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+37j
					; DATA XREF: PAGE:off_973231o
		cmp	ecx, 4
		jnz	loc_97321B
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		cmp	eax, 0FFh
		ja	loc_97321B
		xor	edi, edi
		push	63647050h
		inc	edi
		push	edi
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9730A7

loc_97309D:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+C4j
					; PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+116j ...
		mov	ebx, 0C000009Ah
		jmp	loc_973225
; 

loc_9730A7:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+7Ej
		mov	eax, [ebp+arg_0]

loc_9730AA:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+15Bj
		mov	[esi], al
		jmp	loc_97321B
; 

loc_9730B1:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+37j
					; DATA XREF: PAGE:00973235o
		cmp	ecx, 4
		jnz	loc_97321B
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		cmp	eax, 0FFFFh
		ja	loc_97321B
		push	2
		pop	edi
		push	63647050h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_97309D
		mov	eax, [ebp+arg_0]
		mov	[esi], ax
		jmp	loc_97321B
; 

loc_9730EE:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+37j
					; DATA XREF: PAGE:00973239o
		lea	edi, [ecx-4]
		lea	esi, [ecx-4]

loc_9730F4:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+17Cj
					; PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+1E8j
		neg	edi
		sbb	edi, edi
		not	edi
		and	edi, edx
		neg	esi
		sbb	esi, esi
		not	esi
		and	esi, [ebp+arg_0]
		jmp	loc_97321B
; 

loc_97310A:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+37j
					; DATA XREF: PAGE:0097323Do
		cmp	ecx, 4
		jz	short loc_973117
		cmp	ecx, 0Bh
		jmp	loc_973214
; 

loc_973117:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+F0j
		mov	eax, [ebp+arg_0]
		push	8
		pop	edi
		push	63647050h
		mov	eax, [eax]
		push	edi
		push	1
		mov	[ebp+arg_0], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_97309D
		mov	eax, [ebp+arg_0]
		mov	[esi], eax
		mov	[esi+4], ebx
		jmp	loc_97321B
; 

loc_973146:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+37j
					; DATA XREF: PAGE:00973249o
		cmp	ecx, 4
		jnz	loc_97321B
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		push	63647050h
		inc	edi
		push	edi
		mov	eax, [eax]
		push	edi
		mov	[ebp+arg_0], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_97309D
		cmp	[ebp+arg_0], ebx
		setz	al
		dec	al
		jmp	loc_9730AA
; 

loc_97317D:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+37j
					; DATA XREF: PAGE:00973241o
		test	ecx, ecx
		jz	loc_97321B
		cmp	ecx, 2
		jbe	short loc_97319E
		cmp	ecx, 3
		jnz	loc_97321B
		lea	edi, [edx-10h]
		lea	esi, [edx-10h]
		jmp	loc_9730F4
; 

loc_97319E:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+16Bj
		push	4Eh
		pop	eax
		cmp	edx, eax
		jnz	short loc_97321B
		push	10h
		pop	edi
		push	63647050h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_97309D
		mov	eax, [ebp+arg_0]
		push	4Ch
		mov	[ebp+var_4], eax
		pop	eax
		push	4Eh
		mov	word ptr [ebp+var_8], ax
		pop	eax
		mov	word ptr [ebp+var_8+2],	ax
		lea	eax, [ebp+var_8]
		push	esi
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		jns	short loc_97321B
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, ebx
		jmp	short loc_97321B
; 

loc_9731EC:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+37j
					; DATA XREF: PAGE:00973245o
		cmp	ecx, 3
		jz	short loc_9731F6
		cmp	ecx, 0Bh
		jnz	short loc_97321B

loc_9731F6:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+1D2j
		cmp	edx, 8
		jnz	short loc_97321B
		push	edx
		pop	edi
		jmp	short loc_973218
; 

loc_9731FF:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+37j
					; DATA XREF: PAGE:00973251o
		lea	edi, [ecx-3]
		lea	esi, [ecx-3]
		jmp	loc_9730F4
; 

loc_97320A:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+18j
		cmp	eax, 2012h
		jnz	short loc_97321B
		cmp	ecx, 7

loc_973214:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+F5j
		jnz	short loc_97321B

loc_973216:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+1Ej
					; PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+4Aj
		mov	edi, edx

loc_973218:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+1E0j
		mov	esi, [ebp+arg_0]

loc_97321B:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+2Aj
					; PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+37j ...
		mov	ecx, [ebp+arg_8]
		mov	[ecx], edi
		mov	ecx, [ebp+arg_C]
		mov	[ecx], esi

loc_973225:				; CODE XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+85j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
_PiDevCfgConvertPropertyFromValue@24 endp

; 
		dw 498Dh
		db 0
off_973231	dd offset loc_97306C	; DATA XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+37r
		dd offset loc_9730B1
		dd offset loc_9730EE
		dd offset loc_97310A
		dd offset loc_97317D
		dd offset loc_9731EC
		dd offset loc_973146
		dd offset loc_97305B
		dd offset loc_9731FF
		dd offset loc_97321B
byte_973259	db 0			; DATA XREF: PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)+30r
; 
		add	[ecx], al
		add	[edx], eax
		add	al, [ebx]
		add	ecx, [ecx]
		or	[ecx], ecx
		add	al, 9
		or	ds:7080706h, eax
		or	[edx], eax
		add	al, [edx]
		pop	es

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgCopyDeviceKey(x, x,	x, x, x, x, x)
_PiDevCfgCopyDeviceKey@28 proc near	; CODE XREF: PiDevCfgConfigureDeviceInterface(x,x,x)+195p
					; PiDevCfgConfigureDeviceKeyCallback(x,x,x,x,x,x)+36p ...

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+0C0h+var_98], edx
		mov	esi, ecx
		mov	[esp+0C0h+var_68], esi
		mov	eax, [ebp+arg_0]
		mov	[esp+0C0h+var_7C], eax
		mov	eax, [ebp+arg_C]
		lea	edi, [esp+0C0h+var_4C]
		mov	ecx, [ebp+arg_10]
		mov	[esp+0C0h+var_50], eax
		xor	eax, eax
		mov	[esp+0C0h+var_54], ecx
		push	6
		pop	ecx
		rep stosd
		xor	ecx, ecx
		lea	edi, [esp+0C0h+var_18]
		mov	[esp+0C0h+var_1C], ecx
		stosd
		lea	edx, [esp+0C0h+var_78]
		mov	ebx, ecx
		mov	[esp+0C0h+var_A4], ecx
		mov	[esp+0C0h+var_A8], ecx
		mov	[esp+0C0h+var_88], ebx
		inc	ebx
		stosd
		mov	[esp+0C0h+var_34], ecx
		mov	[esp+0C0h+var_30], ecx
		mov	[esp+0C0h+var_64], ecx
		stosd
		mov	[esp+0C0h+var_60], ecx
		mov	[esp+0C0h+var_24], ecx
		mov	[esp+0C0h+var_20], ecx
		stosd
		mov	[esp+0C0h+var_84], ecx
		mov	[esp+0C0h+var_80], ecx
		mov	[esp+0C0h+var_90], ecx
		mov	[esp+0C0h+var_78], ecx
		mov	[esp+0C0h+var_28], ecx
		mov	[esp+0C0h+var_74], ecx
		mov	[esp+0C0h+var_70], ecx
		mov	[esp+0C0h+var_58], ecx
		mov	[esp+0C0h+var_94], ecx
		mov	[esp+0C0h+var_5C], ecx
		mov	ecx, esi
		stosd
		mov	[esp+0C0h+var_2C], ebx
		call	IopGetRegistryKeyInformation
		mov	esi, eax
		test	esi, esi
		js	loc_973E83
		mov	ecx, [esp+0C0h+var_78]
		mov	eax, [ecx+18h]
		lea	esi, ds:1Ah[eax*2]
		mov	eax, [ecx+24h]
		mov	[esp+0C0h+var_9C], esi
		lea	eax, ds:12h[eax*2]
		mov	[esp+0C0h+var_90], eax
		cmp	eax, esi
		jbe	short loc_973373
		mov	esi, eax
		mov	[esp+0C0h+var_9C], eax

loc_973373:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+FAj
		xor	eax, eax
		push	eax
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	63647050h
		push	esi
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+0C0h+var_AC], edi
		test	edi, edi
		jnz	short loc_97339C
		mov	esi, 0C000009Ah
		jmp	loc_973E83
; 

loc_97339C:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+11Fj
		xor	ecx, ecx
		mov	ebx, ecx
		mov	[esp+0C0h+var_78], ecx

loc_9733A4:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+769j
		lea	eax, [esp+0C0h+var_90]
		push	eax
		push	esi
		push	edi
		push	ecx
		push	ebx
		push	[esp+0D4h+var_68]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_973406
		cmp	esi, 8000001Ah
		jz	loc_9739F0
		cmp	esi, 80000005h
		jnz	loc_9739E4
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [esp+0C0h+var_90]
		push	63647050h
		push	esi
		push	1
		mov	[esp+0CCh+var_9C], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+0C0h+var_AC], edi
		test	edi, edi
		jz	loc_9739DF
		dec	ebx
		jmp	loc_9739D3
; 

loc_973406:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+149j
		mov	eax, [edi+8]
		xor	ecx, ecx
		shr	eax, 1
		mov	[edi+eax*2+0Ch], cx
		lea	eax, [edi+0Ch]
		push	eax
		lea	eax, [esp+0C4h+var_24]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_973E63
		mov	eax, [esp+0C0h+var_24]
		xor	ecx, ecx
		mov	esi, [esp+0C0h+var_54]
		mov	edi, ecx
		mov	[esp+0C0h+var_84], eax
		mov	eax, [esp+0C0h+var_20]
		mov	[esp+0C0h+var_80], eax
		mov	[esp+0C0h+var_8C], edi
		test	esi, esi
		jz	loc_9734FF
		cmp	[esi+8], ecx
		jz	loc_9734FF
		lea	ecx, [esp+0C0h+var_8C]
		push	ecx
		lea	edx, [esp+0C4h+var_74]
		mov	ecx, eax
		call	_PiDevCfgParseVariableName@12 ;	PiDevCfgParseVariableName(x,x,x)
		mov	edi, [esp+0C0h+var_8C]
		test	al, al
		jz	loc_9734FF
		test	edi, 400000h
		jnz	loc_9739CB
		mov	edx, [esp+0C0h+var_70]
		xor	eax, eax
		mov	[esp+0C0h+var_B4], eax
		mov	ecx, esi
		lea	eax, [esp+0C0h+var_B4]
		push	eax
		call	_PiDevCfgResolveVariable@12 ; PiDevCfgResolveVariable(x,x,x)
		test	eax, eax
		js	short loc_9734E4
		mov	ecx, [esp+0C0h+var_B4]
		push	2
		pop	edx
		mov	eax, [ecx+10h]
		cmp	eax, 1
		jz	short loc_9734B9
		cmp	eax, edx
		jnz	loc_9739CB

loc_9734B9:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+23Ej
		cmp	dword ptr [ecx+14h], 0FFFEh
		ja	loc_9739CB
		mov	eax, [ecx+18h]
		mov	[esp+0C0h+var_80], eax
		mov	ax, [ecx+14h]
		sub	ax, dx
		mov	word ptr [esp+0C0h+var_84], ax
		mov	ax, [ecx+14h]
		mov	word ptr [esp+0C0h+var_84+2], ax
		jmp	short loc_9734FF
; 

loc_9734E4:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+22Fj
		cmp	eax, 0C0000034h
		jnz	loc_9739CB
		mov	eax, [esp+0C0h+var_74]
		mov	[esp+0C0h+var_84], eax
		mov	eax, [esp+0C0h+var_70]
		mov	[esp+0C0h+var_80], eax

loc_9734FF:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+1E0j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+1E9j ...
		mov	eax, [esp+0C0h+var_AC]
		xor	ecx, ecx
		mov	esi, [eax+4]
		and	esi, 0FFFF0000h
		mov	[eax+6], cx
		test	esi, 400000h
		jnz	loc_9739CB
		mov	ecx, [esp+0C0h+var_7C]
		test	ecx, ecx
		jz	short loc_97354A
		lea	eax, [esp+0C0h+var_2C]
		push	eax
		lea	edx, [esp+0C4h+var_18]
		lea	ecx, [esp+0C4h+var_84]
		call	_PiDevCfgParsePropertyKeyName@12 ; PiDevCfgParsePropertyKeyName(x,x,x)
		test	al, al
		jz	loc_9739CB
		mov	ecx, [esp+0C0h+var_7C]

loc_97354A:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+2B3j
		test	byte ptr [ebp+arg_8], 1
		setnz	bl
		or	esi, edi
		mov	eax, esi
		and	eax, 30000h
		neg	eax
		sbb	al, al
		inc	al
		test	al, bl
		jnz	short loc_9735AF
		test	ecx, ecx
		jz	loc_97370C
		xor	edx, edx
		lea	eax, [esp+0C0h+var_5C]
		push	edx
		push	eax
		push	edx
		push	edx
		lea	eax, [esp+0D0h+var_94]
		push	eax
		lea	eax, [esp+0D4h+var_18]
		push	eax
		push	edx
		push	[esp+0DCh+var_98]
		mov	edx, ecx
		mov	ecx, _PiPnpRtlCtx
		push	[ebp+arg_4]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	loc_973721

loc_9735A3:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+4AAj
		test	esi, 10000h
		jnz	loc_9739C7

loc_9735AF:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+2F1j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+4B9j
		mov	edx, [esp+0C0h+var_20]
		lea	eax, [esp+0C0h+var_A0]
		mov	ecx, [esp+0C0h+var_68]
		xor	edi, edi
		push	eax
		push	edi
		mov	[esp+0C8h+var_A0], edi
		mov	[esp+0C8h+var_6C], edi
		call	IopGetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	loc_973E65
		mov	edx, [esp+0C0h+var_A0]
		push	2
		mov	ecx, [edx+8]
		mov	eax, [edx+4]
		add	ecx, edx
		mov	edi, [edx+0Ch]
		mov	edx, eax
		and	edx, 0FFFF0000h
		movzx	ebx, ax
		mov	eax, [esp+0C4h+var_54]
		mov	[esp+0C4h+var_B4], ecx
		mov	[esp+0C4h+var_B0], edx
		test	eax, eax
		jz	loc_973782
		xor	edx, edx
		cmp	[eax+8], edx
		pop	eax
		jz	loc_973783
		cmp	ebx, 1
		jz	short loc_973622
		cmp	ebx, eax
		jnz	loc_973783

loc_973622:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+3A7j
		cmp	edi, eax
		jb	loc_973783
		mov	eax, edi
		shr	eax, 1
		cmp	[ecx+eax*2-2], dx
		jnz	loc_973780
		lea	eax, [esp+0C0h+var_8C]
		push	eax
		lea	edx, [esp+0C4h+var_74]
		call	_PiDevCfgParseVariableName@12 ;	PiDevCfgParseVariableName(x,x,x)
		test	al, al
		jz	loc_97377C
		mov	edx, [esp+0C0h+var_70]
		xor	eax, eax
		mov	ecx, [esp+0C0h+var_54]
		mov	[esp+0C0h+var_B4], eax
		lea	eax, [esp+0C0h+var_B4]
		push	eax
		call	_PiDevCfgResolveVariable@12 ; PiDevCfgResolveVariable(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_973756
		test	[esp+0C0h+var_8C], 0C0000h
		jz	loc_973735
		mov	ecx, [esp+0C0h+var_B4]
		lea	eax, [esp+0C0h+var_6C]
		push	eax		; int
		lea	eax, [esp+0C4h+var_90]
		push	eax		; int
		push	[esp+0C8h+var_80] ; int
		mov	edx, [ecx+14h]
		push	[esp+0CCh+var_98] ; void *
		push	[esp+0D0h+var_8C] ; size_t
		push	dword ptr [ecx+18h] ; int
		mov	ecx, [ecx+10h]
		call	_PiDevCfgResolveMultiSzValue@32	; PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_9737BF

loc_9736B1:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+4EBj
		xor	edx, edx
		mov	[esp+0C0h+var_B4], edx
		mov	esi, edx
		mov	ecx, edx

loc_9736BB:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+506j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+564j ...
		mov	eax, [esp+0C0h+var_B0]

loc_9736BF:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+573j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+582j ...
		test	ecx, ecx
		jz	loc_97395E
		cmp	ebx, 8000h
		jnz	loc_973810
		cmp	[esp+0C0h+var_7C], 0
		jnz	loc_97395E
		mov	edi, [esp+0C0h+var_50]
		test	edi, edi
		jz	loc_97395E
		shr	eax, 11h
		mov	edx, ecx
		not	eax
		mov	ecx, edi
		and	eax, 1
		or	eax, 80000000h
		push	eax
		push	[esp+0C4h+var_98]
		call	_PiDevCfgPushCopyKeyEntry@16 ; PiDevCfgPushCopyKeyEntry(x,x,x,x)
		mov	esi, eax
		jmp	loc_97395E
; 

loc_97370C:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+2F5j
		mov	ecx, [esp+0C0h+var_98]
		lea	edx, [esp+0C0h+var_84]
		call	_PnpRegistryValueExists@8 ; PnpRegistryValueExists(x,x)
		test	al, al
		jz	loc_9735A3

loc_973721:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+32Cj
		bt	esi, 11h
		setnb	al
		test	al, bl
		jnz	loc_9735AF
		jmp	loc_9739C7
; 

loc_973735:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+408j
		mov	eax, [esp+0C0h+var_B4]
		mov	ecx, [eax+10h]
		mov	edi, [eax+14h]
		mov	eax, [eax+18h]
		mov	[esp+0C0h+var_B4], eax
		mov	eax, ecx
		and	eax, 0FFFF0000h
		movzx	ebx, cx
		or	[esp+0C0h+var_B0], eax
		jmp	short loc_973773
; 

loc_973756:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+3FAj
		cmp	esi, 0C0000034h
		jnz	loc_9736B1
		mov	esi, [esp+0C0h+var_70]
		xor	eax, eax
		movzx	edi, word ptr [esp+0C0h+var_74+2]
		mov	[esp+0C0h+var_B4], esi
		mov	esi, eax

loc_973773:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+4E3j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+51Ej
		mov	ecx, [esp+0C0h+var_B4]
		jmp	loc_9736BB
; 

loc_97377C:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+3D8j
		mov	ecx, [esp+0C0h+var_B4]

loc_973780:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+3C2j
		push	2

loc_973782:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+392j
		pop	eax

loc_973783:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+39Ej
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+3ABj ...
		cmp	ebx, 1
		jz	short loc_973791
		cmp	ebx, eax
		jz	short loc_973791
		cmp	ebx, 7
		jnz	short loc_973773

loc_973791:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+515j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+519j
		mov	eax, [esp+0C0h+var_B0]
		test	eax, 0C0000h
		jz	short loc_973807
		lea	edx, [esp+0C0h+var_6C]
		push	edx		; int
		lea	edx, [esp+0C4h+var_90]
		push	edx		; int
		push	[esp+0C8h+var_80] ; int
		mov	edx, edi
		push	[esp+0CCh+var_98] ; void *
		push	eax		; size_t
		push	ecx		; int
		mov	ecx, ebx
		call	_PiDevCfgResolveMultiSzValue@32	; PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9737F8

loc_9737BF:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+43Aj
		mov	edx, [esp+0C0h+var_6C]
		mov	ecx, edx
		mov	edi, [esp+0C0h+var_90]
		push	7
		pop	ebx
		push	2
		pop	eax
		mov	[esp+0C0h+var_B4], ecx
		cmp	edi, eax
		jb	loc_9736BB
		xor	eax, eax
		cmp	[edx], ax
		mov	eax, [esp+0C0h+var_B0]
		jnz	loc_9736BF
		or	eax, 200000h
		mov	[esp+0C0h+var_B0], eax
		jmp	loc_9736BF
; 

loc_9737F8:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+54Cj
		xor	eax, eax
		mov	[esp+0C0h+var_B4], eax
		mov	esi, eax
		mov	ecx, eax
		jmp	loc_9736BB
; 

loc_973807:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+529j
		mov	ecx, [esp+0C0h+var_B4]
		jmp	loc_9736BF
; 

loc_973810:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+45Cj
		test	ebx, ebx
		jnz	short loc_97381F
		test	eax, 100000h
		jnz	loc_97395E

loc_97381F:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+5A1j
		mov	edx, [esp+0C0h+var_7C]
		and	eax, 200000h
		test	edx, edx
		jz	loc_973924
		test	eax, eax
		jnz	short loc_9738A0
		mov	eax, [esp+0C0h+var_2C]
		cmp	eax, 1
		jnz	short loc_973873
		test	ebx, ebx
		jz	short loc_97386E
		push	2
		pop	eax
		cmp	ebx, eax
		jbe	short loc_97386A
		cmp	ebx, 4
		jz	short loc_973866
		cmp	ebx, 7
		jz	short loc_97385F
		cmp	ebx, 0Bh
		jnz	short loc_97386E
		push	9

loc_97385C:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+5F7j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+5FBj
		pop	eax
		jmp	short loc_973873
; 

loc_97385F:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+5E2j
		mov	eax, 2012h
		jmp	short loc_973873
; 

loc_973866:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+5DDj
		push	7
		jmp	short loc_97385C
; 

loc_97386A:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+5D8j
		push	12h
		jmp	short loc_97385C
; 

loc_97386E:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+5D1j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+5E7j
		mov	eax, 1003h

loc_973873:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+5CDj
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+5ECj ...
		lea	edx, [esp+0C0h+var_58]
		mov	[esp+0C0h+var_94], eax
		push	edx
		lea	edx, [esp+0C4h+var_5C]
		push	edx
		push	eax
		push	ecx
		mov	edx, edi
		mov	ecx, ebx
		call	_PiDevCfgConvertPropertyFromValue@24 ; PiDevCfgConvertPropertyFromValue(x,x,x,x,x,x)
		mov	edi, [esp+0C0h+var_58]
		mov	esi, eax
		mov	eax, [esp+0C0h+var_94]
		mov	ecx, [esp+0C0h+var_5C]
		mov	edx, [esp+0C0h+var_7C]
		jmp	short loc_9738B2
; 

loc_9738A0:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+5C1j
		xor	edi, edi
		mov	eax, edi
		mov	[esp+0C0h+var_58], edi
		mov	ecx, edi
		mov	[esp+0C0h+var_94], eax
		mov	[esp+0C0h+var_5C], ecx

loc_9738B2:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+62Dj
		test	esi, esi
		js	loc_97395E
		test	edi, edi
		jnz	short loc_9738C6
		test	eax, eax
		jnz	loc_97395E

loc_9738C6:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+64Bj
		xor	esi, esi
		push	esi
		push	ecx
		push	edi
		push	eax
		lea	eax, [esp+0D0h+var_18]
		push	eax
		push	ecx
		push	[esp+0D8h+var_98]
		mov	ecx, _PiPnpRtlCtx
		push	[ebp+arg_4]
		push	edx
		xor	edx, edx
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000022h
		jz	short loc_973903
		cmp	[esp+0C0h+var_94], 0
		jnz	short loc_973909
		cmp	esi, 0C0000225h
		jnz	short loc_973909

loc_973903:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+681j
		xor	eax, eax
		mov	esi, eax
		jmp	short loc_97390B
; 

loc_973909:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+688j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+690j
		xor	eax, eax

loc_97390B:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+696j
		test	edi, edi
		jz	short loc_97395E
		cmp	edi, [esp+0C0h+var_B4]
		jz	short loc_97391C
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97391C:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+6A2j
		xor	ecx, ecx
		mov	[esp+0C0h+var_58], ecx
		jmp	short loc_973960
; 

loc_973924:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+5B9j
		test	eax, eax
		lea	eax, [esp+0C0h+var_84]
		jnz	short loc_973948
		push	edi
		push	[esp+0C4h+var_B4]
		mov	edi, [esp+0C8h+var_A0]
		push	ebx
		push	dword ptr [edi]
		push	eax
		push	[esp+0D4h+var_98]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		xor	ecx, ecx
		jmp	short loc_973964
; 

loc_973948:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+6B9j
		push	eax
		push	[esp+0C4h+var_98]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		lea	esi, [eax+3FFFFFCCh]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_97395E:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+450j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+467j ...
		xor	ecx, ecx

loc_973960:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+6B1j
		mov	edi, [esp+0C0h+var_A0]

loc_973964:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+6D5j
		mov	eax, [esp+0C0h+var_6C]
		test	eax, eax
		jz	short loc_973973
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_973973:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+6F9j
		cmp	[esp+0C0h+var_7C], 0
		jnz	short loc_9739B6
		cmp	ebx, 8000h
		jz	short loc_9739B6
		test	[esp+0C0h+var_B0], 100000h
		jz	short loc_9739B6
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_9739A5
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_9739A5
		mov	ecx, [eax+4]
		xor	eax, eax
		push	eax
		push	ecx
		jmp	short loc_9739A9
; 

loc_9739A5:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+722j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+729j
		xor	eax, eax
		push	eax
		push	eax

loc_9739A9:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+732j
		mov	edx, [esp+0C8h+var_80]
		mov	ecx, [esp+0C8h+var_98]
		call	_RegRtlDeleteTreeInternal

loc_9739B6:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+707j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+70Fj ...
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	loc_973E63

loc_9739C7:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+338j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+4BFj
		mov	ebx, [esp+0C0h+var_78]

loc_9739CB:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+211j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+242j ...
		mov	edi, [esp+0C0h+var_AC]
		mov	esi, [esp+0C0h+var_9C]

loc_9739D3:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+190j
		inc	ebx
		xor	ecx, ecx
		mov	[esp+0C0h+var_78], ebx
		jmp	loc_9733A4
; 

loc_9739DF:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+189j
		mov	esi, 0C000009Ah

loc_9739E4:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+15Dj
		test	esi, esi
		js	loc_973E63
		xor	ecx, ecx
		jmp	short loc_9739F4
; 

loc_9739F0:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+151j
		xor	ecx, ecx
		mov	esi, ecx

loc_9739F4:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+77Dj
		cmp	[esp+0C0h+var_7C], 0
		jnz	loc_973E63
		cmp	[esp+0C0h+var_50], 0
		jz	loc_973E63
		mov	ebx, ecx

loc_973A0C:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+B1Dj
		lea	eax, [esp+0C0h+var_90]
		push	eax
		push	[esp+0C4h+var_9C]
		push	edi
		push	ecx
		push	ebx
		push	[esp+0D4h+var_68]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_973A71
		cmp	esi, 8000001Ah
		jz	loc_973EBA
		cmp	esi, 80000005h
		jnz	loc_973E63
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+0C0h+var_90]
		push	63647050h
		push	eax
		push	1
		mov	[esp+0CCh+var_9C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+0C0h+var_AC], edi
		test	edi, edi
		jz	loc_973E5E
		dec	ebx
		jmp	loc_973D8B
; 

loc_973A71:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+7B4j
		mov	eax, [edi+0Ch]
		xor	ecx, ecx
		shr	eax, 1
		mov	[edi+eax*2+10h], cx
		lea	eax, [edi+10h]
		push	eax
		lea	eax, [esp+0C4h+var_34]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		xor	edi, edi
		test	esi, esi
		js	loc_973E65
		mov	eax, [esp+0C0h+var_34]
		mov	[esp+0C0h+var_64], eax
		mov	eax, [esp+0C0h+var_30]
		mov	[esp+0C0h+var_60], eax
		mov	eax, [esp+0C0h+var_68]
		mov	[esp+0C0h+var_48], eax
		lea	eax, [esp+0C0h+var_34]
		mov	[esp+0C0h+var_44], eax
		lea	eax, [esp+0C0h+var_4C]
		push	eax
		push	20019h
		lea	eax, [esp+0C8h+var_A4]
		mov	[esp+0C8h+var_4C], 18h
		push	eax
		mov	[esp+0CCh+var_40], 240h
		mov	[esp+0CCh+var_3C], edi
		mov	[esp+0CCh+var_38], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_973E65
		mov	esi, [esp+0C0h+var_54]
		xor	eax, eax
		mov	[esp+0C0h+var_8C], eax
		test	esi, esi
		jz	loc_973BBE
		cmp	[esi+8], eax
		jz	loc_973BBE
		mov	ecx, [esp+0C0h+var_30]
		lea	eax, [esp+0C0h+var_8C]
		push	eax
		lea	edx, [esp+0C4h+var_74]
		call	_PiDevCfgParseVariableName@12 ;	PiDevCfgParseVariableName(x,x,x)
		test	al, al
		jz	loc_973BBE
		mov	edx, [esp+0C0h+var_70]
		xor	eax, eax
		mov	[esp+0C0h+var_B4], eax
		mov	ecx, esi
		lea	eax, [esp+0C0h+var_B4]
		push	eax
		call	_PiDevCfgResolveVariable@12 ; PiDevCfgResolveVariable(x,x,x)
		test	eax, eax
		js	short loc_973BA7
		mov	ecx, [esp+0C0h+var_B4]
		push	2
		pop	edx
		mov	eax, [ecx+10h]
		cmp	eax, 1
		jz	short loc_973B89
		cmp	eax, edx
		jz	short loc_973B89
		cmp	eax, 7
		jnz	short loc_973B71
		mov	edi, [ecx+18h]
		jmp	short loc_973BBE
; 

loc_973B71:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+8F9j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+93Bj
		push	[esp+0C0h+var_A4]
		call	_ZwClose@4	; ZwClose(x)
		mov	edi, [esp+0C0h+var_AC]
		xor	ecx, ecx
		mov	[esp+0C0h+var_A4], ecx
		jmp	loc_973D8D
; 

loc_973B89:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+8F0j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+8F4j
		mov	eax, [ecx+18h]
		mov	[esp+0C0h+var_60], eax
		mov	ax, [ecx+14h]
		sub	ax, dx
		mov	word ptr [esp+0C0h+var_64], ax
		mov	ax, [ecx+14h]
		mov	word ptr [esp+0C0h+var_64+2], ax
		jmp	short loc_973BBE
; 

loc_973BA7:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+8E1j
		cmp	eax, 0C0000034h
		jnz	short loc_973B71
		mov	eax, [esp+0C0h+var_74]
		mov	[esp+0C0h+var_64], eax
		mov	eax, [esp+0C0h+var_70]
		mov	[esp+0C0h+var_60], eax

loc_973BBE:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+89Dj
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+8A6j ...
		mov	ecx, [esp+0C0h+var_A4]
		lea	edx, [esp+0C0h+var_88]
		call	_PiDevCfgGetKeySecurityDescriptor@8 ; PiDevCfgGetKeySecurityDescriptor(x,x)
		mov	esi, eax
		xor	ecx, ecx
		test	esi, esi
		jns	short loc_973BDD
		mov	eax, ecx
		mov	esi, ecx
		mov	[esp+0C0h+var_88], eax
		jmp	short loc_973BE1
; 

loc_973BDD:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+960j
		mov	eax, [esp+0C0h+var_88]

loc_973BE1:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+96Aj
		test	edi, edi
		jz	loc_973DA4
		cmp	[edi], cx
		jz	loc_973D58

loc_973BF2:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+AE1j
		push	edi
		lea	eax, [esp+0C4h+var_64]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [esp+0C0h+var_98]
		mov	[esp+0C0h+var_48], eax
		lea	eax, [esp+0C0h+var_64]
		mov	[esp+0C0h+var_44], eax
		mov	eax, [esp+0C0h+var_88]
		mov	[esp+0C0h+var_3C], eax
		xor	eax, eax
		mov	[esp+0C0h+var_38], eax
		lea	eax, [esp+0C0h+var_4C]
		push	eax
		push	0F003Fh
		lea	eax, [esp+0C8h+var_A8]
		mov	[esp+0C8h+var_4C], 18h
		push	eax
		mov	[esp+0CCh+var_40], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_973C64
		mov	eax, [esp+0C0h+var_88]
		test	eax, eax
		jz	short loc_973CA8
		push	eax
		push	4
		push	[esp+0C8h+var_A8]
		call	_ZwSetSecurityObject@12	; ZwSetSecurityObject(x,x,x)
		jmp	short loc_973CA8
; 

loc_973C64:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+9DBj
		cmp	esi, 0C0000034h
		jnz	loc_973D58
		xor	eax, eax
		test	[esp+0C0h+var_8C], 10000h
		jz	short loc_973C83
		mov	esi, eax
		jmp	loc_973D2E
; 

loc_973C83:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+A09j
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+0D0h+var_4C]
		push	eax
		push	0F003Fh
		lea	eax, [esp+0D8h+var_A8]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_973D58

loc_973CA8:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+9E3j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+9F1j
		mov	edx, [esp+0C0h+var_A4]
		test	edx, edx
		jnz	short loc_973D08
		mov	eax, [esp+0C0h+var_68]
		mov	[esp+0C0h+var_48], eax
		lea	eax, [esp+0C0h+var_34]
		mov	[esp+0C0h+var_44], eax
		xor	eax, eax
		mov	[esp+0C0h+var_3C], eax
		mov	[esp+0C0h+var_38], eax
		lea	eax, [esp+0C0h+var_4C]
		push	eax
		push	20019h
		lea	eax, [esp+0C8h+var_A4]
		mov	[esp+0C8h+var_4C], 18h
		push	eax
		mov	[esp+0CCh+var_40], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_973D93
		mov	edx, [esp+0C0h+var_A4]

loc_973D08:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+A3Dj
		mov	eax, [ebp+arg_8]
		mov	ecx, [esp+0C0h+var_50]
		or	eax, 40000000h
		push	eax
		push	[esp+0C4h+var_A8]
		call	_PiDevCfgPushCopyKeyEntry@16 ; PiDevCfgPushCopyKeyEntry(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_973D93
		xor	eax, eax
		mov	[esp+0C0h+var_A4], eax
		mov	[esp+0C0h+var_A8], eax

loc_973D2E:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+A0Dj
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_973D33:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+AD0j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+0C0h+var_1C]
		jnz	short loc_973D33
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], ax
		jnz	loc_973BF2

loc_973D58:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+97Bj
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+9F9j ...
		xor	edi, edi

loc_973D5A:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+B31j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+B95j
		mov	eax, [esp+0C0h+var_88]
		test	eax, eax
		jz	short loc_973D6D
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esp+0C0h+var_88], edi

loc_973D6D:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+AEFj
		mov	eax, [esp+0C0h+var_A4]
		test	eax, eax
		jz	short loc_973D7F
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	[esp+0C0h+var_A4], edi

loc_973D7F:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+B02j
		test	esi, esi
		js	loc_973E65
		mov	edi, [esp+0C0h+var_AC]

loc_973D8B:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+7FBj
		xor	ecx, ecx

loc_973D8D:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+913j
		inc	ebx
		jmp	loc_973A0C
; 

loc_973D93:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+A8Dj
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+AB1j
		push	[esp+0C0h+var_A8]
		call	_ZwClose@4	; ZwClose(x)
		xor	edi, edi

loc_973D9E:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+BE8j
		mov	[esp+0C0h+var_A8], edi
		jmp	short loc_973D5A
; 

loc_973DA4:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+972j
		mov	ecx, [esp+0C0h+var_98]
		xor	edi, edi
		mov	[esp+0C0h+var_3C], eax
		lea	eax, [esp+0C0h+var_28]
		push	eax
		push	edi
		push	edi
		push	edi
		lea	eax, [esp+0D0h+var_4C]
		mov	[esp+0D0h+var_48], ecx
		push	eax
		push	0F003Fh
		lea	eax, [esp+0D8h+var_A8]
		mov	[esp+0D8h+var_4C], 18h
		lea	ecx, [esp+0D8h+var_64]
		mov	[esp+0D8h+var_40], 240h
		push	eax
		mov	[esp+0DCh+var_44], ecx
		mov	[esp+0DCh+var_38], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_973D5A
		push	2
		pop	eax
		cmp	[esp+0C0h+var_28], eax
		jnz	short loc_973E2C
		mov	eax, [esp+0C0h+var_88]
		test	eax, eax
		jz	short loc_973E2C
		push	eax
		push	4
		push	[esp+0C8h+var_A8]
		call	_ZwSetSecurityObject@12	; ZwSetSecurityObject(x,x,x)

loc_973E2C:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+BA5j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+BADj
		mov	eax, [ebp+arg_8]
		mov	edx, [esp+0C0h+var_A4]
		or	eax, 40000000h
		mov	ecx, [esp+0C0h+var_50]
		push	eax
		push	[esp+0C4h+var_A8]
		call	_PiDevCfgPushCopyKeyEntry@16 ; PiDevCfgPushCopyKeyEntry(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_973E55
		push	[esp+0C0h+var_A8]
		call	_ZwClose@4	; ZwClose(x)

loc_973E55:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+BD9j
		mov	[esp+0C0h+var_A4], edi
		jmp	loc_973D9E
; 

loc_973E5E:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+7F4j
		mov	esi, 0C000009Ah

loc_973E63:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+1B6j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+750j ...
		xor	edi, edi

loc_973E65:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+362j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+823j ...
		mov	eax, [esp+0C0h+var_AC]
		test	eax, eax
		jz	short loc_973E74
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_973E74:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+BFAj
		mov	ebx, [esp+0C0h+var_88]
		test	ebx, ebx
		jz	short loc_973E83
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_973E83:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+D2j
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+126j ...
		mov	eax, [esp+0C0h+var_A4]
		test	eax, eax
		jz	short loc_973E91
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_973E91:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+C18j
		cmp	[esp+0C0h+var_A8], 0
		jz	short loc_973EA1
		push	[esp+0C0h+var_A8]
		call	_ZwClose@4	; ZwClose(x)

loc_973EA1:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+C25j
		mov	ecx, [esp+0C0h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_973EBA:				; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+7BCj
		xor	edi, edi
		mov	esi, edi
		jmp	short loc_973E65
_PiDevCfgCopyDeviceKey@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgCopyDeviceKeys(x, x, x, x)
_PiDevCfgCopyDeviceKeys@16 proc	near	; CODE XREF: PiDevCfgConfigureDeviceInterface(x,x,x)+B1p
					; PiDevCfgConfigureDeviceKeyCallback(x,x,x,x,x,x)+47p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[esp+24h+var_18], 1
		lea	eax, [esp+24h+var_8]
		mov	[esp+24h+var_C], ebx
		mov	esi, edx
		mov	[esp+24h+var_14], ebx
		push	edi
		lea	edx, [esp+28h+var_C]
		mov	[esp+28h+var_10], ebx
		mov	edi, ecx
		mov	[esp+28h+var_4], eax
		mov	[esp+28h+var_8], eax
		call	_PiDevCfgGetKeySecurityDescriptor@8 ; PiDevCfgGetKeySecurityDescriptor(x,x)
		test	eax, eax
		js	short loc_973F17
		push	[esp+28h+var_C]
		push	4
		push	esi
		call	_ZwSetSecurityObject@12	; ZwSetSecurityObject(x,x,x)
		push	ebx
		push	[esp+2Ch+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_973F17:				; CODE XREF: PiDevCfgCopyDeviceKeys(x,x,x,x)+3Fj
		push	1
		push	esi
		mov	edx, edi
		lea	ecx, [esp+30h+var_8]
		call	_PiDevCfgPushCopyKeyEntry@16 ; PiDevCfgPushCopyKeyEntry(x,x,x,x)
		mov	esi, eax
		mov	edi, 40000000h
		jmp	short loc_973F7E
; 

loc_973F2E:				; CODE XREF: PiDevCfgCopyDeviceKeys(x,x,x,x)+C0j
		lea	eax, [esp+28h+var_18]
		push	eax
		lea	eax, [esp+2Ch+var_10]
		push	eax
		lea	edx, [esp+30h+var_14]
		lea	ecx, [esp+30h+var_8]
		call	_PiDevCfgPopCopyKeyEntry@16 ; PiDevCfgPopCopyKeyEntry(x,x,x,x)
		test	al, al
		jz	short loc_973F82
		push	[ebp+arg_4]
		mov	edx, [esp+2Ch+var_10]
		lea	eax, [esp+2Ch+var_8]
		mov	ecx, [esp+2Ch+var_14]
		push	eax
		push	[esp+30h+var_18]
		push	ebx
		push	ebx
		call	_PiDevCfgCopyDeviceKey@28 ; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	[esp+28h+var_18], edi
		jz	short loc_973F7E
		push	[esp+28h+var_14]
		call	_ZwClose@4	; ZwClose(x)
		push	[esp+28h+var_10]
		call	_ZwClose@4	; ZwClose(x)

loc_973F7E:				; CODE XREF: PiDevCfgCopyDeviceKeys(x,x,x,x)+6Cj
					; PiDevCfgCopyDeviceKeys(x,x,x,x)+AAj
		test	esi, esi
		jns	short loc_973F2E

loc_973F82:				; CODE XREF: PiDevCfgCopyDeviceKeys(x,x,x,x)+87j
					; PiDevCfgCopyDeviceKeys(x,x,x,x)+E1j ...
		lea	eax, [esp+28h+var_18]
		push	eax
		lea	eax, [esp+2Ch+var_10]
		push	eax
		lea	edx, [esp+30h+var_14]
		lea	ecx, [esp+30h+var_8]
		call	_PiDevCfgPopCopyKeyEntry@16 ; PiDevCfgPopCopyKeyEntry(x,x,x,x)
		test	al, al
		jz	short loc_973FB7
		test	[esp+28h+var_18], edi
		jz	short loc_973F82
		push	[esp+28h+var_14]
		call	_ZwClose@4	; ZwClose(x)
		push	[esp+28h+var_10]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_973F82
; 

loc_973FB7:				; CODE XREF: PiDevCfgCopyDeviceKeys(x,x,x,x)+DBj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_PiDevCfgCopyDeviceKeys@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgCopyObjectProperties(x, x, x, x, x,	x, x, x, x, x, x)
_PiDevCfgCopyObjectProperties@44 proc near
					; CODE XREF: PiDevCfgConfigureDeviceDriverConfiguration(x,x,x,x,x,x,x,x)+36p
					; PiDevCfgConfigureDeviceInterface(x,x,x)+178p	...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ecx
		mov	ecx, _PiPnpRtlCtx
		push	esi
		xor	esi, esi
		mov	[esp+3Ch+var_10], edx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[esp+40h+var_28], eax
		mov	[esp+40h+var_8], ecx
		mov	[esp+40h+var_24], esi
		mov	[esp+40h+var_14], esi
		mov	[esp+40h+var_30], esi
		mov	[esp+40h+var_C], 1
		mov	[esp+40h+var_20], esi
		test	edi, edi
		jnz	short loc_97402D
		push	esi
		push	esi
		lea	ecx, [esp+48h+var_24]
		push	ecx
		push	esi
		push	2000001h
		push	ebx
		mov	ecx, eax
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_9742B9
		mov	ecx, [esp+40h+var_8]
		xor	esi, esi

loc_97402D:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+44j
		cmp	[ebp+arg_14], 0
		jnz	short loc_974055
		mov	edx, [ebp+arg_C]
		lea	eax, [esp+40h+var_14]
		push	esi
		push	esi
		push	eax
		push	esi
		push	2000001h
		push	[ebp+arg_10]
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_9742B9

loc_974055:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+6Fj
		test	ebx, ebx
		jz	short loc_974080
		mov	eax, edi
		test	edi, edi
		jnz	short loc_974063
		mov	eax, [esp+40h+var_24]

loc_974063:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+9Bj
		mov	edx, [esp+40h+var_10]
		push	ecx
		lea	ecx, [esp+44h+var_30]
		push	ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, [esp+58h+var_28]
		push	eax
		push	ebx
		call	__PnpGetObjectPropertyKeys@40 ;	_PnpGetObjectPropertyKeys(x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_974097
; 

loc_974080:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+95j
		push	ecx
		mov	ecx, [esp+44h+var_28]
		lea	eax, [esp+44h+var_30]
		push	eax
		xor	eax, eax
		mov	edx, edi
		push	eax
		push	eax
		push	eax
		push	eax
		call	__PnpGetGenericStorePropertyKeys@32 ; _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)

loc_974097:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+BCj
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_9740A9
		test	esi, esi
		js	loc_9742B9

loc_9740A9:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+DDj
		mov	eax, [esp+40h+var_30]
		test	eax, eax
		jnz	short loc_9740B8
		xor	esi, esi
		jmp	loc_9742B9
; 

loc_9740B8:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+EDj
		imul	eax, 14h
		push	63647050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+40h+var_4], ecx
		test	ecx, ecx
		jnz	short loc_9740DC
		mov	esi, 0C000009Ah
		jmp	loc_9742B9
; 

loc_9740DC:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+10Ej
		test	ebx, ebx
		jz	short loc_974109
		mov	eax, edi
		test	edi, edi
		jnz	short loc_9740EA
		mov	eax, [esp+40h+var_24]

loc_9740EA:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+122j
		push	ecx
		lea	edx, [esp+44h+var_30]
		push	edx
		push	[esp+48h+var_30]
		mov	edx, [esp+4Ch+var_10]
		push	ecx
		push	0
		push	ecx
		mov	ecx, [esp+58h+var_28]
		push	eax
		push	ebx
		call	__PnpGetObjectPropertyKeys@40 ;	_PnpGetObjectPropertyKeys(x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_974123
; 

loc_974109:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+11Cj
		push	ecx
		lea	eax, [esp+44h+var_30]
		mov	edx, edi
		push	eax
		push	[esp+48h+var_30]
		push	ecx
		mov	ecx, [esp+50h+var_28]
		push	0
		push	0
		call	__PnpGetGenericStorePropertyKeys@32 ; _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)

loc_974123:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+145j
		mov	esi, eax
		test	esi, esi
		js	loc_9742AE
		mov	eax, 100h
		push	63647050h
		push	eax
		push	1
		mov	[esp+4Ch+var_18], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_974153
		mov	esi, 0C000009Ah
		jmp	loc_9742AE
; 

loc_974153:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+185j
		and	[esp+40h+var_1C], 0
		cmp	[esp+40h+var_30], 0
		jbe	loc_9742A2
		mov	eax, [esp+40h+var_4]
		mov	[esp+40h+var_2C], eax

loc_97416B:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+2CCj
		cmp	[ebp+arg_18], 0
		jz	short loc_974184
		push	[ebp+arg_1C]
		push	eax
		call	[ebp+arg_18]
		test	al, al
		mov	eax, [esp+48h+var_34]
		jz	loc_97427A

loc_974184:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+1ADj
		cmp	[ebp+arg_0], 0
		jz	short loc_9741CB
		mov	ecx, edi
		test	edi, edi
		jnz	short loc_974194
		mov	ecx, [esp+48h+var_2C]

loc_974194:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+1CCj
		push	[ebp+arg_20]
		lea	edx, [esp+4Ch+var_28]
		push	edx
		push	[esp+50h+var_20]
		lea	edx, [esp+54h+var_14]
		push	ebx
		push	edx
		mov	edx, [esp+5Ch+var_18]
		push	eax
		push	0
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, [esp+6Ch+var_30]
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000002h
		jnz	short loc_9741EB
		xor	esi, esi
		jmp	loc_974276
; 

loc_9741CB:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+1C6j
		push	ecx
		lea	ecx, [esp+4Ch+var_28]
		mov	edx, edi
		push	ecx
		push	[esp+50h+var_20]
		lea	ecx, [esp+54h+var_14]
		push	ebx
		push	ecx
		mov	ecx, [esp+5Ch+var_30]
		push	eax
		push	0
		call	__PnpGetGenericStoreProperty@36	; _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_9741EB:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+200j
		cmp	esi, 0C0000023h
		jnz	short loc_974234
		mov	eax, [esp+48h+var_20]
		cmp	[esp+48h+var_28], eax
		jbe	loc_97429D
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+48h+var_28]
		push	63647050h
		push	eax
		push	1
		mov	[esp+54h+var_20], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_974296
		mov	ecx, [esp+48h+var_24]
		xor	esi, esi
		mov	eax, [esp+48h+var_34]
		dec	ecx
		sub	eax, 14h
		jmp	short loc_97427E
; 

loc_974234:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+22Fj
		test	esi, esi
		js	short loc_9742A2
		cmp	[ebp+arg_14], 0
		mov	eax, [ebp+arg_14]
		jnz	short loc_974245
		mov	eax, [esp+48h+var_1C]

loc_974245:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+27Dj
		push	[ebp+arg_20]
		xor	edx, edx
		push	[esp+4Ch+var_28]
		push	ebx
		push	[esp+54h+var_14]
		push	[esp+58h+var_34]
		push	ecx
		mov	ecx, [esp+60h+var_10]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		lea	esi, [eax+3FFFFFDEh]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jl	short loc_9742A2

loc_974276:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+204j
		mov	eax, [esp+48h+var_34]

loc_97427A:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+1BCj
		mov	ecx, [esp+48h+var_24]

loc_97427E:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+270j
		inc	ecx
		add	eax, 14h
		mov	[esp+48h+var_24], ecx
		mov	[esp+48h+var_34], eax
		cmp	ecx, [esp+48h+var_38]
		jb	loc_97416B
		jmp	short loc_9742A2
; 

loc_974296:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+260j
		mov	esi, 0C000009Ah
		jmp	short loc_9742A2
; 

loc_97429D:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+239j
		mov	esi, 0C00000E5h

loc_9742A2:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+19Bj
					; PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+274j ...
		test	ebx, ebx
		jz	short loc_9742AE
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9742AE:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+165j
					; PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+18Cj ...
		push	0
		push	[esp+4Ch+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9742B9:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+5Fj
					; PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+8Dj ...
		cmp	[esp+48h+var_2C], 0
		jz	short loc_9742C9
		push	[esp+48h+var_2C]
		call	_ZwClose@4	; ZwClose(x)

loc_9742C9:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+2FCj
		cmp	[esp+48h+var_1C], 0
		jz	short loc_9742D9
		push	[esp+48h+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_9742D9:				; CODE XREF: PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+30Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
_PiDevCfgCopyObjectProperties@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgCopyVariableData(x,	x)
_PiDevCfgCopyVariableData@8 proc near	; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+FBAp
					; PiDevCfgResolveVariableSwitchCase(x,x,x)+1B7p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		xor	esi, esi
		mov	ebx, esi
		mov	[ebp+var_4], esi
		mov	edx, [edi+18h]
		test	edx, edx
		jz	short loc_974366
		cmp	word ptr [edi+10h], 8000h
		jnz	short loc_974333
		mov	eax, _PiPnpRtlCtx
		mov	ecx, esi
		test	eax, eax
		jz	short loc_974318
		mov	ecx, [eax+74h]

loc_974318:				; CODE XREF: PiDevCfgCopyVariableData(x,x)+2Fj
		lea	eax, [ebp+var_4]
		push	eax
		push	20019h
		push	esi
		push	esi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_974375
		mov	ebx, [ebp+var_4]
		jmp	short loc_974363
; 

loc_974333:				; CODE XREF: PiDevCfgCopyVariableData(x,x)+24j
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_974366
		push	63647050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_974354
		mov	esi, 0C000009Ah
		jmp	short loc_974375
; 

loc_974354:				; CODE XREF: PiDevCfgCopyVariableData(x,x)+67j
		push	dword ptr [edi+14h] ; size_t
		push	dword ptr [edi+18h] ; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_974363:				; CODE XREF: PiDevCfgCopyVariableData(x,x)+4Dj
		mov	ecx, [ebp+var_8]

loc_974366:				; CODE XREF: PiDevCfgCopyVariableData(x,x)+1Cj
					; PiDevCfgCopyVariableData(x,x)+54j
		mov	eax, [edi+10h]
		mov	[ecx+10h], eax
		mov	eax, [edi+14h]
		mov	[ecx+14h], eax
		mov	[ecx+18h], ebx

loc_974375:				; CODE XREF: PiDevCfgCopyVariableData(x,x)+48j
					; PiDevCfgCopyVariableData(x,x)+6Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiDevCfgCopyVariableData@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDevCfgEnforceDevicePolicy(wchar_t *)
_PiDevCfgEnforceDevicePolicy@12	proc near
					; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+A6Bp

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_D		= byte ptr -0Dh
var_C		= byte ptr -0Ch
var_B		= byte ptr -0Bh
var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= byte ptr -8
var_7		= byte ptr -7
var_6		= dword	ptr -6
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_2C], edx
		push	18h
		pop	edi
		lea	eax, [ebp+var_48]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_58], eax
		mov	esi, ecx
		lea	eax, [ebp+var_60]
		mov	[ebp+var_14], ebx
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_34], ebx
		push	eax
		mov	[ebp+var_30], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_40], ebx
		mov	byte ptr [ebp+var_6], bl
		mov	[ebp+var_48], 880086h
		mov	[ebp+var_44], offset ??_C@_1II@OAHIPMAC@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], 240h
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		cmp	eax, 0C0000034h
		jnz	short loc_97443A
		cmp	_PnpBootMode, bl
		jz	short loc_97443E
		push	62h
		pop	eax
		push	60h
		mov	word ptr [ebp+var_48+2], ax
		pop	eax
		mov	word ptr [ebp+var_48], ax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_60]
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_44], offset ??_C@_1GC@IKLGFJMB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], 240h
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)

loc_97443A:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+71j
		test	eax, eax
		jns	short loc_974445

loc_97443E:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+79j
					; PiDevCfgEnforceDevicePolicy(x,x,x)+10Bj
		mov	esi, ebx
		jmp	loc_974906
; 

loc_974445:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+C0j
		push	1Ah
		pop	eax
		mov	word ptr [ebp+var_48+2], ax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_60]
		push	eax
		push	20019h
		lea	eax, [ebp+var_14]
		mov	word ptr [ebp+var_48], di
		push	eax
		mov	[ebp+var_44], (offset loc_8BA1CB+1)
		mov	[ebp+var_60], edi
		mov	[ebp+var_54], 240h
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_97443E
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_6]
		push	eax
		mov	edx, offset ??_C@_1CC@NPDHLKAB@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAD?$AAe?$AAn?$AAy?$AAL?$AAa?$AAy?$AAe?$AAr?$AAe@NNGAKEGL@
		mov	byte ptr [ebp+var_6+1],	bl
		mov	[ebp+var_7], bl
		mov	[ebp+var_C], bl
		mov	[ebp+var_9], bl
		mov	[ebp+var_A], bl
		mov	[ebp+var_B], bl
		mov	[ebp+var_D], bl
		mov	[ebp+var_8], bl
		call	_PiDevCfgQueryPolicyEnabled@12 ; PiDevCfgQueryPolicyEnabled(x,x,x)
		xor	ebx, ebx
		inc	ebx
		test	eax, eax
		js	short loc_9744C2
		cmp	byte ptr [ebp+var_6], 0
		jz	short loc_9744C2
		mov	[ebp+var_8], bl

loc_9744C2:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+13Bj
					; PiDevCfgEnforceDevicePolicy(x,x,x)+141j
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_6]
		push	eax
		mov	edx, offset ??_C@_1CK@ILAKMLGI@?$AAD?$AAe?$AAn?$AAy?$AAR?$AAe?$AAm?$AAo?$AAv?$AAa?$AAb?$AAl?$AAe?$AAD?$AAe@NNGAKEGL@
		call	_PiDevCfgQueryPolicyEnabled@12 ; PiDevCfgQueryPolicyEnabled(x,x,x)
		test	eax, eax
		js	short loc_9744E9
		cmp	byte ptr [ebp+var_6], 0
		jz	short loc_9744E9
		test	byte ptr [esi+170h], 10h
		jz	short loc_9744E9
		mov	byte ptr [ebp+var_6+1],	bl

loc_9744E9:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+159j
					; PiDevCfgEnforceDevicePolicy(x,x,x)+15Fj ...
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_34]
		push	eax
		mov	edx, offset ??_C@_1CG@DCECOKLJ@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAl?$AAa?$AAs@NNGAKEGL@
		call	_PiDevCfgQueryPolicyStringList@12 ; PiDevCfgQueryPolicyStringList(x,x,x)
		test	eax, eax
		jns	short loc_974504
		xor	eax, eax
		mov	esi, eax
		jmp	short loc_974507
; 

loc_974504:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+180j
		mov	esi, [ebp+var_34]

loc_974507:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+186j
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_30]
		push	eax
		mov	edx, offset ??_C@_1CE@EIBAFMB@?$AAD?$AAe?$AAn?$AAy?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAC?$AAl?$AAa?$AAs?$AAs@NNGAKEGL@
		mov	[ebp+var_28], esi
		call	_PiDevCfgQueryPolicyStringList@12 ; PiDevCfgQueryPolicyStringList(x,x,x)
		xor	ecx, ecx
		mov	edi, ecx
		test	eax, eax
		js	short loc_974526
		mov	edi, [ebp+var_30]

loc_974526:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+1A5j
		cmp	[ebp+arg_0], 0
		mov	[ebp+var_30], edi
		jz	loc_9745C8
		test	esi, esi
		jnz	short loc_974541
		test	edi, edi
		jz	loc_9745C8
		jmp	short loc_974583
; 

loc_974541:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+1B9j
		mov	eax, [ebp+var_28]
		cmp	[eax], cx
		jz	short loc_974583

loc_974549:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+200j
		push	[ebp+arg_0]	; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_974580
		mov	ecx, esi
		xor	edi, edi
		lea	edx, [ecx+2]

loc_97455F:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+1ECj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_97455F
		mov	edi, [ebp+var_30]
		sub	ecx, edx
		sar	ecx, 1
		xor	eax, eax
		lea	esi, [esi+ecx*2]
		add	esi, 2
		cmp	[esi], ax
		jnz	short loc_974549
		jmp	short loc_974585
; 

loc_974580:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+1DAj
		mov	[ebp+var_7], bl

loc_974583:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+1C3j
					; PiDevCfgEnforceDevicePolicy(x,x,x)+1CBj
		xor	eax, eax

loc_974585:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+202j
		test	edi, edi
		jz	short loc_9745C8
		mov	esi, edi
		cmp	[edi], ax
		jz	short loc_9745C8
		xor	edi, edi

loc_974592:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+242j
		push	[ebp+arg_0]	; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_9745C2
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_9745A6:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+233j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_9745A6
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		cmp	[esi], di
		jnz	short loc_974592
		jmp	short loc_9745C8
; 

loc_9745C2:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+223j
		mov	[ebp+var_C], bl
		mov	byte ptr [ebp+var_6+1],	bl

loc_9745C8:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+1B1j
					; PiDevCfgEnforceDevicePolicy(x,x,x)+1BDj ...
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_24]
		push	eax
		mov	edx, offset ??_C@_1BO@GPHLCNOK@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAD?$AAs@NNGAKEGL@	; "AllowDeviceIDs"
		call	_PiDevCfgQueryPolicyStringList@12 ; PiDevCfgQueryPolicyStringList(x,x,x)
		xor	esi, esi
		test	eax, eax
		mov	eax, esi
		js	short loc_9745E4
		mov	eax, [ebp+var_24]

loc_9745E4:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+263j
		mov	ecx, [ebp+var_14]
		mov	edx, offset ??_C@_1BM@IBNKIDD@?$AAD?$AAe?$AAn?$AAy?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAD?$AAs@NNGAKEGL@
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_PiDevCfgQueryPolicyStringList@12 ; PiDevCfgQueryPolicyStringList(x,x,x)
		test	eax, eax
		js	short loc_9745FF
		mov	esi, [ebp+var_18]

loc_9745FF:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+27Ej
		mov	edx, [ebp+var_24]
		mov	[ebp+var_18], esi
		test	edx, edx
		jnz	short loc_974611
		test	esi, esi
		jz	loc_974714

loc_974611:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+28Bj
		mov	eax, [ebp+var_2C]
		push	2
		add	eax, 10h
		pop	ecx
		mov	[ebp+var_34], eax
		mov	[ebp+var_38], ecx

loc_974620:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+392j
		mov	edi, [eax]
		test	edi, edi
		jz	loc_974702
		xor	esi, esi
		cmp	[edi], si
		mov	esi, [ebp+var_18]
		jz	loc_974702
		xor	ecx, ecx

loc_97463A:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+37Aj
		test	edx, edx
		jz	short loc_974687
		cmp	[ebp+var_A], 0
		jnz	short loc_974687
		mov	esi, edx
		cmp	[edx], cx
		jz	short loc_974684

loc_97464B:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+2FCj
		push	edi		; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_97467C
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_97465D:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+2EBj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_20]
		jnz	short loc_97465D
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		xor	ecx, ecx
		add	esi, 2
		cmp	[esi], cx
		jnz	short loc_97464B
		jmp	short loc_974684
; 

loc_97467C:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+2DAj
		mov	[ebp+var_A], bl
		xor	ecx, ecx
		mov	[ebp+var_7], bl

loc_974684:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+2CDj
					; PiDevCfgEnforceDevicePolicy(x,x,x)+2FEj
		mov	esi, [ebp+var_18]

loc_974687:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+2C0j
					; PiDevCfgEnforceDevicePolicy(x,x,x)+2C6j
		test	esi, esi
		jz	short loc_9746D3
		cmp	[ebp+var_9], 0
		jnz	short loc_9746D3
		mov	eax, [ebp+var_18]
		cmp	[eax], cx
		jz	short loc_9746D0

loc_974699:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+34Aj
		push	edi		; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_9746CA
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_9746AB:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+339j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_20]
		jnz	short loc_9746AB
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		cmp	[esi], ax
		jnz	short loc_974699
		jmp	short loc_9746D0
; 

loc_9746CA:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+328j
		mov	[ebp+var_9], bl
		mov	byte ptr [ebp+var_6+1],	bl

loc_9746D0:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+31Bj
					; PiDevCfgEnforceDevicePolicy(x,x,x)+34Cj
		mov	esi, [ebp+var_18]

loc_9746D3:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+30Dj
					; PiDevCfgEnforceDevicePolicy(x,x,x)+313j
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_9746D8:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+366j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_20]
		jnz	short loc_9746D8
		sub	ecx, edx
		mov	edx, [ebp+var_24]
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		xor	ecx, ecx
		add	edi, 2
		cmp	[edi], cx
		jnz	loc_97463A
		mov	eax, [ebp+var_34]
		mov	ecx, [ebp+var_38]

loc_974702:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+2A8j
					; PiDevCfgEnforceDevicePolicy(x,x,x)+2B6j
		add	eax, 8
		sub	ecx, 1
		mov	[ebp+var_34], eax
		mov	[ebp+var_38], ecx
		jnz	loc_974620

loc_974714:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+28Fj
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_3C]
		push	eax
		mov	edx, offset ??_C@_1CC@LHEJOKDF@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe?$AAI?$AAD@NNGAKEGL@
		call	_PiDevCfgQueryPolicyStringList@12 ; PiDevCfgQueryPolicyStringList(x,x,x)
		test	eax, eax
		jns	short loc_97472F
		xor	eax, eax
		mov	esi, eax
		jmp	short loc_974732
; 

loc_97472F:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+3ABj
		mov	esi, [ebp+var_3C]

loc_974732:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+3B1j
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_40]
		push	eax
		mov	edx, (offset loc_8BA381+1)
		mov	[ebp+var_34], esi
		call	_PiDevCfgQueryPolicyStringList@12 ; PiDevCfgQueryPolicyStringList(x,x,x)
		xor	ecx, ecx
		mov	edi, ecx
		test	eax, eax
		js	short loc_974751
		mov	edi, [ebp+var_40]

loc_974751:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+3D0j
		test	esi, esi
		jnz	short loc_9747BC
		test	edi, edi
		jnz	loc_974800

loc_97475D:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+488j
					; PiDevCfgEnforceDevicePolicy(x,x,x)+493j ...
		mov	al, byte ptr [ebp+var_6+1]

loc_974760:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+4D7j
		test	al, al
		jnz	loc_97485A
		cmp	[ebp+var_7], al
		jnz	short loc_9747B3
		cmp	[ebp+var_8], al
		jnz	short loc_9747B3
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_6]
		push	eax
		mov	edx, offset ??_C@_1CA@LONBEDBA@?$AAD?$AAe?$AAn?$AAy?$AAU?$AAn?$AAs?$AAp?$AAe?$AAc?$AAi?$AAf?$AAi?$AAe?$AAd@NNGAKEGL@
		call	_PiDevCfgQueryPolicyEnabled@12 ; PiDevCfgQueryPolicyEnabled(x,x,x)
		test	eax, eax
		js	short loc_9747B3
		cmp	byte ptr [ebp+var_6], 0
		jz	short loc_9747B3
		cmp	[ebp+arg_0], 0
		jnz	short loc_974799
		cmp	[ebp+var_28], 0
		jnz	short loc_9747B3

loc_974799:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+415j
		cmp	_PnpSetupInProgress, 0
		jz	loc_974858
		cmp	_PnpSetupUpgradeInProgress, 0
		jz	loc_974858

loc_9747B3:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+3EFj
					; PiDevCfgEnforceDevicePolicy(x,x,x)+3F4j ...
		xor	ebx, ebx
		mov	esi, ebx
		jmp	loc_9748B5
; 

loc_9747BC:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+3D7j
		mov	eax, [ebp+var_34]
		cmp	[eax], cx
		jz	short loc_974800

loc_9747C4:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+47Aj
		mov	eax, [ebp+var_2C]
		push	dword ptr [eax+4] ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_9747FA
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_9747DB:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+469j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_20]
		jnz	short loc_9747DB
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		cmp	[esi], ax
		jnz	short loc_9747C4
		jmp	short loc_974802
; 

loc_9747FA:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+458j
		mov	[ebp+var_D], bl
		mov	[ebp+var_7], bl

loc_974800:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+3DBj
					; PiDevCfgEnforceDevicePolicy(x,x,x)+446j
		xor	eax, eax

loc_974802:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+47Cj
		test	edi, edi
		jz	loc_97475D
		mov	esi, edi
		cmp	[edi], ax
		jz	loc_97475D

loc_974815:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+4CBj
		mov	eax, [ebp+var_2C]
		push	dword ptr [eax+4] ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_97484E
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_97482C:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+4BAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_20]
		jnz	short loc_97482C
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		cmp	[esi], ax
		jnz	short loc_974815
		jmp	loc_97475D
; 

loc_97484E:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+4A9j
		mov	[ebp+var_B], bl
		mov	al, bl
		jmp	loc_974760
; 

loc_974858:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+424j
					; PiDevCfgEnforceDevicePolicy(x,x,x)+431j
		mov	al, bl

loc_97485A:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+3E6j
		cmp	[ebp+var_8], 0
		jz	short loc_9748AE
		cmp	[ebp+var_7], 0
		jz	short loc_9748AE
		test	al, al
		jz	loc_9747B3
		cmp	[ebp+var_B], 0
		jz	short loc_97487A
		xor	eax, eax
		mov	ebx, eax
		jmp	short loc_97488D
; 

loc_97487A:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+4F6j
		cmp	[ebp+var_9], 0
		jnz	short loc_97488B
		xor	ebx, ebx
		cmp	[ebp+var_C], bl
		setz	bl
		add	ebx, 2

loc_97488B:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+502j
		xor	eax, eax

loc_97488D:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+4FCj
		cmp	[ebp+var_D], 0
		jnz	short loc_97489C
		xor	eax, eax
		cmp	[ebp+var_A], al
		setz	al
		inc	eax

loc_97489C:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+515j
		cmp	eax, ebx
		sbb	esi, esi
		and	esi, 3FFFFC9Fh
		add	esi, 0C0000361h
		jmp	short loc_9748B3
; 

loc_9748AE:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+4E2j
					; PiDevCfgEnforceDevicePolicy(x,x,x)+4E8j
		mov	esi, 0C0000361h

loc_9748B3:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+530j
		xor	ebx, ebx

loc_9748B5:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+43Bj
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_9748C3
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9748C3:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+53Ej
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_9748D1
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9748D1:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+54Cj
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_9748DF
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9748DF:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+55Aj
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_9748ED
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9748ED:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+568j
		mov	eax, [ebp+var_34]
		test	eax, eax
		jz	short loc_9748FB
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9748FB:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+576j
		test	edi, edi
		jz	short loc_974906
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_974906:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+C4j
					; PiDevCfgEnforceDevicePolicy(x,x,x)+581j
		cmp	[ebp+var_14], 0
		jz	short loc_974914
		push	[ebp+var_14]
		call	_ZwClose@4	; ZwClose(x)

loc_974914:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+58Ej
		cmp	[ebp+var_1C], 0
		jz	short loc_974922
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_974922:				; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+59Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiDevCfgEnforceDevicePolicy@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgEnumDeviceKeys(x, x, x, x, x, x, x)
_PiDevCfgEnumDeviceKeys@28 proc	near	; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+67p
					; PiDevCfgResetDeviceKeys(x,x,x)+7Fp

var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_10		= word ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_84], eax
		mov	ebx, offset dword_A3FCD0
		mov	eax, [ebp+arg_C]
		push	esi
		xor	esi, esi
		mov	[ebp+var_90], eax
		mov	eax, [ebp+arg_10]
		push	edi
		mov	edi, esi
		mov	[ebp+var_88], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_70], edx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_80], esi
		mov	[ebp+var_7C], esi
		mov	[ebp+var_64], esi
		mov	[ebp+var_60], esi
		mov	[ebp+var_6C], esi
		mov	[ebp+var_74], esi
		mov	[ebp+var_78], esi
		mov	[ebp+var_68], edi

loc_97498B:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+27Aj
		test	[ebx-4], eax
		jz	loc_974B96
		push	dword ptr [ebx-8]
		lea	eax, [ebp+var_80]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_84]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	20019h
		lea	eax, [ebp+var_64]
		mov	[ebp+var_64], esi
		push	eax
		mov	[ebp+var_A8], 18h
		mov	[ebp+var_9C], 240h
		mov	[ebp+var_98], esi
		mov	[ebp+var_94], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		cmp	eax, 0C0000034h
		jz	loc_974B93
		test	eax, eax
		js	loc_974BB1
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_974A2E
		push	esi
		lea	ecx, [ebp+var_60]
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, _PiPnpRtlCtx
		push	0F003Fh
		push	esi
		push	eax
		mov	eax, [ebp+var_70]
		mov	edx, [eax+4]
		call	_CmOpenDeviceRegKey
		mov	edi, eax
		jmp	loc_974B34
; 

loc_974A2E:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+DAj
		mov	edx, [ebx]
		call	_CmIsStateSeparationEnabled@0 ;	CmIsStateSeparationEnabled()
		test	al, al
		jz	short loc_974A68
		mov	eax, edx
		sub	eax, 4
		jz	short loc_974A59
		dec	eax
		sub	eax, 1
		jz	loc_974B3F
		lea	eax, [ebp+var_60]
		push	eax
		push	ecx
		push	ecx
		push	edx
		push	ecx
		call	__PnpCtxOpenContextNodeBaseKey@28 ; _PnpCtxOpenContextNodeBaseKey(x,x,x,x,x,x,x)
		jmp	short loc_974A77
; 

loc_974A59:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+113j
		lea	eax, [ebp+var_60]
		push	eax
		push	0F003Fh
		push	ecx
		push	4
		pop	edx
		jmp	short loc_974A72
; 

loc_974A68:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+10Cj
		lea	eax, [ebp+var_60]
		push	eax
		push	0F003Fh
		push	ecx

loc_974A72:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+13Bj
		call	__PnpCtxOpenContextBaseKey@20 ;	_PnpCtxOpenContextBaseKey(x,x,x,x,x)

loc_974A77:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+12Cj
		mov	edi, eax
		test	edi, edi
		js	loc_974B34
		cmp	dword ptr [ebx], 7
		jz	short loc_974A8B
		mov	eax, [ebx+8]
		jmp	short loc_974AC8
; 

loc_974A8B:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+159j
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_74]
		push	esi
		push	eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_74], 4Eh
		push	eax
		lea	eax, [ebp+var_78]
		push	eax
		mov	eax, [ebp+var_70]
		push	9
		push	esi
		mov	edx, [eax+4]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_974B34
		cmp	[ebp+var_78], 1
		jnz	short loc_974B3C
		xor	eax, eax
		mov	[ebp+var_10], ax
		lea	eax, [ebp+var_5C]

loc_974AC8:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+15Ej
		test	eax, eax
		jz	short loc_974B34
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_60]
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_C0]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_6C], esi
		push	eax
		mov	[ebp+var_C0], 18h
		mov	[ebp+var_B4], 240h
		mov	[ebp+var_B0], esi
		mov	[ebp+var_AC], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_974B34
		push	[ebp+var_60]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_60], eax

loc_974B34:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+FEj
					; PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+150j ...
		cmp	edi, 0C0000034h
		jnz	short loc_974B4C

loc_974B3C:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+192j
		mov	edi, [ebp+var_68]

loc_974B3F:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+119j
		push	[ebp+var_64]
		call	_ZwClose@4	; ZwClose(x)
		mov	[ebp+var_64], esi
		jmp	short loc_974B93
; 

loc_974B4C:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+20Fj
		test	edi, edi
		js	short loc_974BAD
		push	[ebp+var_88]
		lea	eax, [ebx-8]
		push	[ebp+var_60]
		push	[ebp+var_64]
		push	eax
		push	[ebp+var_70]
		push	[ebp+var_8C]
		call	[ebp+var_90]
		cmp	eax, 0C0000240h
		jz	short loc_974BB3
		test	eax, eax
		js	short loc_974BB1
		push	[ebp+var_64]
		call	_ZwClose@4	; ZwClose(x)
		push	[ebp+var_60]
		mov	[ebp+var_64], esi
		call	_ZwClose@4	; ZwClose(x)
		mov	edi, [ebp+var_68]
		mov	[ebp+var_60], esi

loc_974B93:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+C7j
					; PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+21Fj
		mov	eax, [ebp+arg_4]

loc_974B96:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+63j
		add	edi, 14h
		add	ebx, 14h
		mov	[ebp+var_68], edi
		cmp	edi, 8Ch
		jb	loc_97498B
		jmp	short loc_974BB3
; 

loc_974BAD:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+223j
		mov	esi, edi
		jmp	short loc_974BB3
; 

loc_974BB1:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+CFj
					; PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+24Dj
		mov	esi, eax

loc_974BB3:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+249j
					; PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+280j ...
		cmp	[ebp+var_64], 0
		jz	short loc_974BC1
		push	[ebp+var_64]
		call	_ZwClose@4	; ZwClose(x)

loc_974BC1:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+28Cj
		cmp	[ebp+var_60], 0
		jz	short loc_974BCF
		push	[ebp+var_60]
		call	_ZwClose@4	; ZwClose(x)

loc_974BCF:				; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+29Aj
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_PiDevCfgEnumDeviceKeys@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgFindDeviceDriver(x,	x, x)
_PiDevCfgFindDeviceDriver@12 proc near	; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+B2p
					; PiDevCfgProcessDevice(x,x,x)+190p ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		push	ebx
		lea	eax, [ebp+var_50]
		mov	[ebp+var_28], ecx
		xor	ecx, ecx
		mov	[ebp+var_4C], eax
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_30], ecx
		mov	ebx, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_44], ecx
		mov	dword ptr [ebp+var_18],	ecx
		mov	[ebp+var_38], 1
		mov	[ebp+var_20], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_54], eax
		mov	[ebp+var_58], eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edi
		test	edx, edx
		jz	short loc_974C54
		mov	ecx, edx
		mov	[ebp+var_34], edx
		lea	esi, [ecx+2]

loc_974C33:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+5Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_974C33
		sub	ecx, esi
		mov	edi, ebx
		sar	ecx, 1
		inc	ecx
		lea	eax, [edx+ecx*2]
		movzx	ecx, word ptr [eax]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	[ebp+var_44], ecx

loc_974C54:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+47j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_40], eax
		cmp	_PnpSetupInProgress, bl
		jz	short loc_974C69
		mov	[ebp+var_40], 3

loc_974C69:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+7Ej
		push	63647050h
		mov	esi, 208h
		push	esi
		push	eax
		mov	[ebp+var_3C], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jnz	short loc_974CC0
		mov	ebx, 0C000009Ah

loc_974C89:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+486j
					; PiDevCfgFindDeviceDriver(x,x,x)+49Ej	...
		xor	esi, esi

loc_974C8B:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+DCj
					; PiDevCfgFindDeviceDriver(x,x,x)+79Fj
		mov	ecx, [ebp+var_50]
		lea	eax, [ebp+var_50]
		cmp	ecx, eax
		jz	loc_975386
		cmp	[ecx+4], eax
		jnz	loc_9753AF
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	loc_9753AF
		lea	edx, [ebp+var_50]
		mov	[ebp+var_50], eax
		mov	[eax+4], edx
		mov	[ebp+var_4], ecx
		call	_PiDevCfgFreeDriverNode@4 ; PiDevCfgFreeDriverNode(x)
		jmp	short loc_974C8B
; 

loc_974CC0:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+A0j
		mov	edx, [ebp+var_28]
		xor	eax, eax
		mov	ecx, eax
		mov	[ebp+var_2C], ecx

loc_974CCA:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+496j
		mov	eax, [edx+ecx*8+10h]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_975071
		and	[ebp+var_24], 0
		xor	edi, edi
		cmp	[eax], di
		mov	edi, [ebp+var_8]
		jz	loc_975066

loc_974CEB:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+478j
		mov	ecx, [ebp+var_14]
		xor	ebx, ebx
		mov	[ebp+var_38], 1
		mov	[ebp+var_20], ebx

loc_974CFA:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+17Dj
		push	ebx
		lea	edx, [ebp+var_20]
		push	edx
		push	esi
		push	ecx
		lea	ecx, [ebp+var_38]
		mov	edx, eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	offset _DEVPKEY_DeviceId_DriverInfMatches
		push	ebx
		push	0FFFFFFFFh
		push	0Bh
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jns	short loc_974D6B
		cmp	ebx, 0C0000023h
		jnz	short loc_974D6B
		cmp	[ebp+var_20], esi
		jbe	short loc_974DAD
		mov	eax, [ebp+var_14]
		xor	ebx, ebx
		mov	esi, [ebp+var_20]
		mov	[ebp+var_3C], esi
		test	eax, eax
		jz	short loc_974D48
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_974D48:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+15Dj
		push	63647050h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jnz	short loc_974CFA
		mov	ebx, 0C000009Ah
		mov	[ebp+var_C], ebx
		jmp	short loc_974D6E
; 

loc_974D6B:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+141j
					; PiDevCfgFindDeviceDriver(x,x,x)+149j
		mov	ecx, [ebp+var_14]

loc_974D6E:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+187j
		cmp	ebx, 0C000009Ah
		jz	loc_975060
		test	ebx, ebx
		jns	short loc_974DB9
		cmp	ebx, 0C0000022h
		jz	short loc_974D9C
		cmp	ebx, 0C0000467h
		jz	short loc_974D9C
		mov	eax, 0C0000034h
		cmp	ebx, eax
		jnz	short loc_974DAD
		mov	[ebp+var_30], eax
		jmp	short loc_974DAD
; 

loc_974D9C:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+1A2j
					; PiDevCfgFindDeviceDriver(x,x,x)+1AAj
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_974DAA
		cmp	eax, 0C0000034h
		jz	short loc_974DAD

loc_974DAA:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+1BFj
		mov	[ebp+var_30], ebx

loc_974DAD:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+14Ej
					; PiDevCfgFindDeviceDriver(x,x,x)+1B3j	...
		xor	esi, esi
		mov	ebx, esi
		mov	[ebp+var_C], ebx
		jmp	loc_975030
; 

loc_974DB9:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+19Aj
		xor	esi, esi
		cmp	[ebp+var_38], 2012h
		jnz	loc_975030
		cmp	[ecx], si
		mov	eax, ecx
		jmp	loc_975023
; 

loc_974DD2:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+444j
		push	5Ch		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jz	loc_974FFD
		mov	ecx, [ebp+var_10] ; wchar_t *
		lea	eax, [ebp+var_18]
		push	eax		; wchar_t *
		xor	eax, eax
		xor	edx, edx	; int
		push	eax		; int
		call	_DrvDbSplitDeviceIdDriverInfMatch@16 ; DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		js	loc_97502E
		mov	ebx, [ebp+var_10]
		xor	eax, eax
		mov	ecx, [ebp+var_2C]
		mov	edx, [ebp+var_40]
		mov	edi, edx
		mov	[esi], ax
		lea	eax, [esi+2]
		mov	[ebp+var_10], eax
		mov	eax, dword ptr [ebp+var_18]
		cmp	ecx, 2
		jnz	short loc_974E2D
		cmp	al, 3
		jnz	loc_974FFA
		or	edi, 8

loc_974E2D:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+23Ej
		cmp	al, 1
		jnz	short loc_974E3A
		xor	edx, edx
		mov	esi, edx
		mov	edx, [ebp+var_24]
		jmp	short loc_974E5B
; 

loc_974E3A:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+24Dj
		cmp	al, 2
		jnz	short loc_974E4F
		movzx	edx, word ptr [ebp-16h]
		mov	esi, 1000h
		shl	edx, 8
		add	edx, [ebp+var_24]
		jmp	short loc_974E5B
; 

loc_974E4F:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+25Aj
		cmp	al, 3
		jnz	loc_974FFA
		xor	edx, edx
		mov	esi, edx

loc_974E5B:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+256j
					; PiDevCfgFindDeviceDriver(x,x,x)+26Bj
		cmp	edx, 1000h
		jb	short loc_974E68
		mov	edx, 0FFFh

loc_974E68:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+27Fj
		cmp	al, 3
		jz	short loc_974E73
		shl	ecx, 0Dh
		add	ecx, edx
		add	esi, ecx

loc_974E73:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+288j
		mov	edx, [ebp+var_1C]
		lea	ecx, [ebp+var_4]
		push	ecx
		movzx	eax, ah
		mov	ecx, ebx
		push	edi
		shl	eax, 10h
		push	eax
		push	esi
		call	_PiDevCfgQueryDriverNode@24 ; PiDevCfgQueryDriverNode(x,x,x,x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jns	short loc_974EA0
		mov	edi, [ebp+var_8]
		xor	esi, esi
		mov	ebx, esi
		mov	[ebp+var_C], ebx
		jmp	loc_975002
; 

loc_974EA0:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+2ADj
		mov	ecx, [ebp+var_4]
		mov	esi, [ecx+64h]
		test	esi, esi
		jz	short loc_974F1E
		xor	ebx, ebx
		cmp	[esi], bx
		jz	short loc_974F0B
		mov	eax, [ebp+var_28]
		add	eax, 10h
		mov	[ebp+var_48], eax

loc_974EBA:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+327j
		mov	edi, eax

loc_974EBC:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+2F3j
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_974ECE
		push	ecx
		mov	edx, esi
		call	_PnpMultiSzContainsString@12 ; PnpMultiSzContainsString(x,x,x)
		test	eax, eax
		jnz	short loc_974ED9

loc_974ECE:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+2DEj
		inc	ebx
		add	edi, 8
		cmp	ebx, 3
		jb	short loc_974EBC
		jmp	short loc_974EDF
; 

loc_974ED9:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+2EAj
		mov	eax, [ebp+var_4]
		mov	[eax+68h], esi

loc_974EDF:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+2F5j
		mov	ecx, [ebp+var_4]
		xor	ebx, ebx
		cmp	[ecx+68h], ebx
		jnz	short loc_974F0B
		mov	edx, esi
		lea	edi, [edx+2]

loc_974EEE:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+315j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, bx
		jnz	short loc_974EEE
		mov	eax, [ebp+var_48]
		sub	edx, edi
		sar	edx, 1
		lea	esi, [esi+edx*2]
		add	esi, 2
		cmp	[esi], bx
		jnz	short loc_974EBA

loc_974F0B:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+2CDj
					; PiDevCfgFindDeviceDriver(x,x,x)+305j
		xor	esi, esi
		cmp	[ecx+68h], esi
		jz	short loc_974F20
		or	dword ptr [ecx+38h], 0FFFFh
		mov	ecx, [ebp+var_4]
		jmp	short loc_974F20
; 

loc_974F1E:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+2C6j
		xor	esi, esi

loc_974F20:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+32Ej
					; PiDevCfgFindDeviceDriver(x,x,x)+33Aj
		cmp	byte ptr [ebp+var_18], 3
		jnz	short loc_974F46
		mov	eax, [ebp+var_54]
		lea	edx, [ebp+var_58]
		cmp	[eax], edx
		jnz	loc_9753AF
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[ebp+var_54], ecx

loc_974F3E:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+391j
					; PiDevCfgFindDeviceDriver(x,x,x)+3B3j
		mov	edi, [ebp+var_8]
		jmp	loc_974FFF
; 

loc_974F46:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+342j
		mov	eax, [ebp+var_34]
		test	eax, eax
		jz	short loc_974F78
		mov	edx, eax
		call	_PiDevCfgMatchDriverConfigurationId@8 ;	PiDevCfgMatchDriverConfigurationId(x,x)
		test	al, al
		jnz	short loc_974F75
		mov	ecx, [ebp+var_4C]
		lea	edx, [ebp+var_50]
		mov	eax, [ebp+var_4]
		cmp	[ecx], edx
		jnz	loc_9753AF
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ebp+var_4C], eax
		jmp	short loc_974F3E
; 

loc_974F75:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+374j
		mov	ecx, [ebp+var_4]

loc_974F78:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+369j
		cmp	[ecx+68h], esi
		jz	short loc_974F97
		mov	eax, [ebp+var_4C]
		lea	edx, [ebp+var_50]
		cmp	[eax], edx
		jnz	loc_9753AF
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[ebp+var_4C], ecx
		jmp	short loc_974F3E
; 

loc_974F97:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+399j
		mov	edi, [ebp+var_8]
		test	edi, edi
		jnz	short loc_974FA5
		mov	edi, ecx

loc_974FA0:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+3FFj
		mov	[ebp+var_8], edi
		jmp	short loc_974FFF
; 

loc_974FA5:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+3BAj
		mov	edx, edi
		call	_PiDevCfgCompareDrivers@8 ; PiDevCfgCompareDrivers(x,x)
		test	eax, eax
		mov	eax, [ebp+var_4C]
		jns	short loc_974FE3
		lea	ecx, [ebp+var_50]
		cmp	[eax], ecx
		jnz	loc_9753AF
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[ebp+var_4C], edi
		test	byte ptr [edi+6Ch], 0Ch
		jz	short loc_974FDE
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+6Ch]
		test	al, 4
		jnz	short loc_974FDE
		or	eax, 8
		mov	[ecx+6Ch], eax

loc_974FDE:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+3EAj
					; PiDevCfgFindDeviceDriver(x,x,x)+3F4j
		mov	edi, [ebp+var_4]
		jmp	short loc_974FA0
; 

loc_974FE3:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+3CFj
		lea	edx, [ebp+var_50]
		cmp	[eax], edx
		jnz	loc_9753AF
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[ebp+var_4C], ecx
		jmp	short loc_974FFF
; 

loc_974FFA:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+242j
					; PiDevCfgFindDeviceDriver(x,x,x)+26Fj
		mov	edi, [ebp+var_8]

loc_974FFD:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+1FEj
		xor	esi, esi

loc_974FFF:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+35Fj
					; PiDevCfgFindDeviceDriver(x,x,x)+3C1j	...
		mov	ebx, [ebp+var_C]

loc_975002:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+2B9j
		mov	ecx, [ebp+var_10]
		lea	edx, [ecx+2]

loc_975008:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+42Fj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_975008
		mov	eax, [ebp+var_10]
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [eax+ecx*2]
		add	eax, 2
		cmp	[eax], si

loc_975023:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+1EBj
		mov	[ebp+var_10], eax
		jnz	loc_974DD2
		jmp	short loc_975030
; 

loc_97502E:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+21Cj
		xor	esi, esi

loc_975030:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+1D2j
					; PiDevCfgFindDeviceDriver(x,x,x)+1E0j	...
		mov	ecx, [ebp+var_1C]
		lea	edx, [ecx+2]

loc_975036:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+45Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_975036
		mov	eax, [ebp+var_1C]
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [eax+ecx*2]
		add	eax, 2
		inc	[ebp+var_24]
		mov	[ebp+var_1C], eax
		cmp	[eax], si
		mov	esi, [ebp+var_3C]
		jnz	loc_974CEB

loc_975060:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+192j
		mov	edx, [ebp+var_28]
		mov	ecx, [ebp+var_2C]

loc_975066:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+103j
		test	ebx, ebx
		js	loc_974C89
		mov	esi, [ebp+var_3C]

loc_975071:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+F1j
		inc	ecx
		mov	[ebp+var_2C], ecx
		cmp	ecx, 3
		jb	loc_974CCA
		test	ebx, ebx
		js	loc_974C89
		mov	ebx, [ebp+var_34]
		test	ebx, ebx
		jz	short loc_9750E3
		test	edi, edi
		jnz	short loc_975106
		push	3Ah		; wchar_t
		push	ebx		; wchar_t *
		call	_wcschr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jnz	short loc_9750AB

loc_9750A1:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+4DDj
		mov	ebx, 0C0000033h
		jmp	loc_974C89
; 

loc_9750AB:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+4BDj
		xor	eax, eax
		mov	[esi], ax
		add	esi, 2
		push	2Ch		; wchar_t
		push	esi		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_9750A1
		xor	ecx, ecx
		mov	edx, esi
		mov	[eax], cx
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		xor	eax, eax
		mov	ecx, ebx
		push	eax
		push	eax
		call	_PiDevCfgQueryDriverNode@24 ; PiDevCfgQueryDriverNode(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9750E7
		mov	edi, [ebp+var_4]
		mov	[ebp+var_8], edi

loc_9750E3:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+4A9j
		test	edi, edi
		jnz	short loc_975106

loc_9750E7:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+4F9j
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_9750FC
		cmp	eax, 0C0000034h
		jz	short loc_9750FC
		mov	ebx, eax
		jmp	loc_974C89
; 

loc_9750FC:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+50Aj
					; PiDevCfgFindDeviceDriver(x,x,x)+511j
		mov	ebx, 0C0000490h
		jmp	loc_974C89
; 

loc_975106:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+4ADj
					; PiDevCfgFindDeviceDriver(x,x,x)+503j	...
		mov	eax, [ebp+var_50]
		lea	ecx, [ebp+var_50]
		cmp	eax, ecx
		jz	short loc_97514D
		cmp	[eax+4], ecx
		jnz	loc_9753AF
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_9753AF
		mov	[ebp+var_50], ecx
		lea	edx, [ebp+var_50]
		mov	[ecx+4], edx
		lea	ecx, [edi+88h]
		mov	[ebp+var_4], eax
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_9753AF
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		jmp	short loc_975106
; 

loc_97514D:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+52Cj
					; PiDevCfgFindDeviceDriver(x,x,x)+642j	...
		mov	ecx, [ebp+var_58]
		lea	eax, [ebp+var_58]
		cmp	ecx, eax
		jz	loc_975375
		cmp	[ecx+4], eax
		jnz	loc_9753AF
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	loc_9753AF
		lea	edx, [ebp+var_58]
		mov	[ebp+var_58], eax
		mov	[eax+4], edx
		mov	[ebp+var_4], ecx
		add	ecx, 70h	; Source2
		call	_PnpIsNullGuid@4 ; PnpIsNullGuid(x)
		mov	esi, [ebp+var_4]
		test	al, al
		jnz	loc_97521D
		xor	ecx, ecx
		cmp	[esi+68h], ecx
		jnz	loc_97521D
		cmp	[esi+58h], ecx
		jz	loc_975229
		mov	eax, [edi+5Ch]
		mov	ebx, ecx
		mov	[ebp+var_3C], eax
		test	eax, eax
		jz	short loc_97521D
		mov	edx, [esi+5Ch]
		mov	eax, ecx
		mov	ecx, [ebp+var_3C]
		mov	[ebp+var_2C], edx
		mov	[ebp+var_30], eax

loc_9751BC:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+636j
		xor	edi, edi
		test	edx, edx
		jz	short loc_97520F
		mov	ecx, [ebp+var_8]
		mov	edx, [esi+58h]
		mov	[ebp+var_28], edx
		mov	[ebp+var_40], edx
		mov	ecx, [ecx+58h]
		add	ecx, eax
		mov	eax, edx
		mov	[ebp+var_48], ecx

loc_9751D8:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+618j
		push	10h		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9751FE
		mov	eax, [ebp+var_40]
		inc	edi
		mov	edx, [ebp+var_2C]
		add	eax, 10h
		mov	ecx, [ebp+var_48]
		mov	[ebp+var_40], eax
		cmp	edi, edx
		jb	short loc_9751D8
		jmp	short loc_975209
; 

loc_9751FE:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+604j
		shl	edi, 4
		add	edi, [ebp+var_28]
		jnz	short loc_975229
		mov	edx, [ebp+var_2C]

loc_975209:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+61Aj
		mov	ecx, [ebp+var_3C]
		mov	eax, [ebp+var_30]

loc_97520F:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+5DEj
		inc	ebx
		add	eax, 10h
		mov	[ebp+var_30], eax
		cmp	ebx, ecx
		jb	short loc_9751BC
		mov	edi, [ebp+var_8]

loc_97521D:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+5A6j
					; PiDevCfgFindDeviceDriver(x,x,x)+5B1j	...
		mov	ecx, esi
		call	_PiDevCfgFreeDriverNode@4 ; PiDevCfgFreeDriverNode(x)
		jmp	loc_97514D
; 

loc_975229:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+5BAj
					; PiDevCfgFindDeviceDriver(x,x,x)+622j
		cmp	[ebp+var_34], 0
		jz	loc_9752C1
		mov	ebx, [ebp+var_44]
		test	ebx, ebx
		jz	short loc_9752B5
		mov	ecx, offset ??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@
		mov	eax, ebx

loc_975241:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+67Fj
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_975269
		test	dx, dx
		jz	short loc_975263
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_975269
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_975241

loc_975263:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+66Aj
		xor	ecx, ecx
		mov	eax, ecx
		jmp	short loc_975270
; 

loc_975269:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+665j
					; PiDevCfgFindDeviceDriver(x,x,x)+674j
		sbb	eax, eax
		or	eax, 1
		xor	ecx, ecx

loc_975270:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+685j
		test	eax, eax
		jz	short loc_9752B1
		mov	edi, ebx
		cmp	[ebx], cx
		jz	short loc_9752B5
		xor	ebx, ebx

loc_97527D:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+6C8j
		mov	edx, edi
		mov	ecx, esi
		call	_PiDevCfgMatchDriverConfigurationId@8 ;	PiDevCfgMatchDriverConfigurationId(x,x)
		test	al, al
		jnz	short loc_9752AE
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_97528F:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+6B6j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_97528F
		mov	esi, [ebp+var_4]
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], bx
		jnz	short loc_97527D
		jmp	short loc_9752B5
; 

loc_9752AE:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+6A6j
		mov	esi, [ebp+var_4]

loc_9752B1:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+690j
		test	esi, esi
		jnz	short loc_9752C1

loc_9752B5:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+656j
					; PiDevCfgFindDeviceDriver(x,x,x)+697j	...
		mov	ecx, esi
		call	_PiDevCfgFreeDriverNode@4 ; PiDevCfgFreeDriverNode(x)
		jmp	loc_97536D
; 

loc_9752C1:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+64Bj
					; PiDevCfgFindDeviceDriver(x,x,x)+6D1j
		mov	ebx, [ebp+var_8]
		sub	ebx, 0FFFFFF80h
		mov	edi, [ebx]

loc_9752C9:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+71Aj
		cmp	edi, ebx
		jz	loc_975351
		lea	eax, [esi+70h]
		push	10h		; size_t
		push	eax		; void *
		lea	eax, [edi+70h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9752FA
		push	1
		lea	eax, [esi+24h]
		push	eax
		lea	eax, [edi+24h]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_9752FE

loc_9752FA:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+703j
		mov	edi, [edi]
		jmp	short loc_9752C9
; 

loc_9752FE:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+716j
		xor	eax, eax
		cmp	[edi+58h], eax
		jz	short loc_97530C
		cmp	[esi+58h], eax
		jnz	short loc_975311
		jmp	short loc_97533C
; 

loc_97530C:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+721j
		cmp	[esi+58h], eax
		jnz	short loc_97531E

loc_975311:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+726j
		mov	edx, edi
		mov	ecx, esi
		call	_PiDevCfgCompareDrivers@8 ; PiDevCfgCompareDrivers(x,x)
		test	eax, eax
		jns	short loc_97533A

loc_97531E:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+72Dj
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	loc_9753AF
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_9753AF
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	esi, [ebp+var_4]
		jmp	short loc_975343
; 

loc_97533A:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+73Aj
		xor	eax, eax

loc_97533C:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+728j
		mov	edi, esi
		mov	esi, eax
		mov	[ebp+var_4], esi

loc_975343:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+756j
		test	edi, edi
		jz	short loc_975351
		mov	ecx, edi
		call	_PiDevCfgFreeDriverNode@4 ; PiDevCfgFreeDriverNode(x)
		mov	esi, [ebp+var_4]

loc_975351:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+6E9j
					; PiDevCfgFindDeviceDriver(x,x,x)+763j
		mov	edi, [ebp+var_8]
		test	esi, esi
		jz	loc_97514D
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	short loc_9753AF
		mov	[esi], ebx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ebx+4], esi

loc_97536D:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+6DAj
		mov	edi, [ebp+var_8]
		jmp	loc_97514D
; 

loc_975375:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+573j
		mov	eax, [ebp+arg_0]
		xor	esi, esi
		mov	ebx, [ebp+var_C]
		mov	[eax], edi
		mov	edi, esi
		jmp	loc_974C8B
; 

loc_975386:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+B1j
					; PiDevCfgFindDeviceDriver(x,x,x)+7CBj
		mov	ecx, [ebp+var_58]
		lea	eax, [ebp+var_58]
		cmp	ecx, eax
		jz	short loc_9753B4
		cmp	[ecx+4], eax
		jnz	short loc_9753AF
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_9753AF
		lea	edx, [ebp+var_58]
		mov	[ebp+var_58], eax
		mov	[eax+4], edx
		mov	[ebp+var_4], ecx
		call	_PiDevCfgFreeDriverNode@4 ; PiDevCfgFreeDriverNode(x)
		jmp	short loc_975386
; 

loc_9753AF:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+BAj
					; PiDevCfgFindDeviceDriver(x,x,x)+C5j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9753B4:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+7ACj
		test	edi, edi
		jz	short loc_9753BF
		mov	ecx, edi
		call	_PiDevCfgFreeDriverNode@4 ; PiDevCfgFreeDriverNode(x)

loc_9753BF:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+7D4j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_9753CD
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9753CD:				; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+7E2j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_PiDevCfgFindDeviceDriver@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgFindDeviceMigrationNode(x, x, x, x,	x)
_PiDevCfgFindDeviceMigrationNode@20 proc near
					; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+19Ep
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+21Ap

var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_F8], eax
		lea	edi, [ebp+var_44]
		push	0Ah
		xor	eax, eax
		mov	[ebp+var_60], ecx
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_18]
		mov	[ebp+var_68], edx
		stosd
		xor	esi, esi
		mov	edx, [ebp+arg_0]
		mov	ebx, esi
		mov	[ebp+var_AC], edx
		mov	[ebp+var_84], esi
		stosd
		mov	[ebp+var_6C], esi
		mov	[ebp+var_F4], ebx
		mov	[ebp+var_54], esi
		stosd
		mov	[ebp+var_78], esi
		mov	[ebp+var_74], esi
		mov	[ebp+var_88], esi
		stosd
		xor	eax, eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_94], eax
		mov	[ebp+var_C0], eax
		mov	[ebp+var_A4], eax
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_58], eax
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_70]
		push	eax
		push	28h
		lea	eax, [ebp+var_44]
		mov	[ebp+var_90], esi
		push	eax
		push	4
		push	edx
		mov	[ebp+var_BC], esi
		mov	[ebp+var_A0], esi
		mov	[ebp+var_98], esi
		mov	[ebp+var_B8], esi
		mov	[ebp+var_B4], esi
		mov	[ebp+var_B0], esi
		mov	[ebp+var_70], esi
		call	NtQueryKey
		mov	edi, eax
		test	edi, edi
		js	loc_975CE2
		cmp	[ebp+var_30], ebx
		jz	loc_975CDD
		mov	ecx, [ebp+var_2C]
		mov	eax, [ebp+var_28]
		push	63647050h
		lea	eax, [eax+ecx*2]
		add	eax, 1Ah
		push	eax
		push	1
		mov	[ebp+var_7C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_4C], esi
		test	esi, esi
		jnz	short loc_9754E3

loc_9754D9:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+17Ej
		mov	edi, 0C000009Ah
		jmp	loc_975CE2
; 

loc_9754E3:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+101j
		mov	eax, [ebp+var_60]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_975501
		lea	ecx, [ebp+var_18]
		push	ecx
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_975CE2

loc_975501:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+115j
		lea	eax, [ebp+var_70]
		xor	ecx, ecx
		push	eax
		push	[ebp+var_7C]
		mov	[ebp+var_64], ecx
		push	esi
		push	1
		push	ecx
		push	[ebp+var_AC]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_50], edi
		jmp	loc_9755E9
; 

loc_975526:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+219j
		cmp	edi, 80000005h
		jnz	short loc_97555C
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_70]
		add	eax, 2
		push	63647050h
		push	eax
		push	1
		mov	[ebp+var_7C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_4C], esi
		test	esi, esi
		jz	short loc_9754D9
		mov	eax, [ebp+var_64]
		dec	eax
		jmp	short loc_9755CA
; 

loc_97555C:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+156j
		test	edi, edi
		js	loc_975B6B
		mov	ecx, esi
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_97557A
		mov	eax, [esi+8]
		mov	edi, [esi+eax]
		mov	[ebp+var_48], edi
		jmp	short loc_975580
; 

loc_97557A:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+197j
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_48], eax

loc_975580:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+1A2j
		mov	eax, [esi+10h]
		xor	ecx, ecx
		shr	eax, 1
		mov	[esi+eax*2+14h], cx
		add	esi, 14h
		mov	ecx, esi
		call	__CmIsRootEnumeratedDevice@4 ; _CmIsRootEnumeratedDevice(x)
		test	al, al
		jnz	short loc_9755C4
		mov	ecx, [ebp+var_60]
		lea	eax, [ebp+var_6C]
		push	eax
		mov	edx, esi
		call	_PiDevCfgQueryDeviceMigrationNode@12 ; PiDevCfgQueryDeviceMigrationNode(x,x,x)
		mov	edi, eax
		mov	[ebp+var_50], edi
		cmp	edi, 0C0000034h
		jnz	short loc_9755FF
		mov	ecx, [ebp+var_60]
		xor	eax, eax
		mov	edx, esi
		mov	[ebp+var_6C], eax
		call	_PiDevCfgClearDeviceMigrationNode@8 ; PiDevCfgClearDeviceMigrationNode(x,x)

loc_9755C4:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+1C2j
		mov	eax, [ebp+var_64]

loc_9755C7:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+77Ej
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+78Dj
		mov	esi, [ebp+var_4C]

loc_9755CA:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+184j
		lea	ecx, [ebp+var_70]
		inc	eax
		push	ecx
		push	[ebp+var_7C]
		mov	[ebp+var_64], eax
		push	esi
		push	1
		push	eax
		push	[ebp+var_AC]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_50], eax

loc_9755E9:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+14Bj
		cmp	edi, 8000001Ah
		jnz	loc_975526
		xor	edi, edi
		mov	[ebp+var_50], edi
		jmp	loc_975B6B
; 

loc_9755FF:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+1DDj
		test	edi, edi
		js	loc_975B68
		mov	esi, [ebp+var_6C]
		lea	ecx, [ebp+var_5C]
		mov	eax, [ebp+var_48]
		mov	[esi+64h], eax
		mov	eax, [ebp+var_58]
		cmp	[eax], ecx
		jnz	loc_975D08
		mov	edi, [ebp+var_68]
		mov	[esi+4], eax
		mov	[esi], ecx
		mov	[eax], esi
		xor	eax, eax
		push	dword ptr [edi+4] ; wchar_t *
		mov	[ebp+var_58], esi
		push	dword ptr [esi+10h] ; wchar_t *
		mov	[ebp+var_48], eax
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_97564B
		mov	eax, 10000000h
		mov	[ebp+var_48], eax
		jmp	short loc_97564E
; 

loc_97564B:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+269j
		mov	eax, [ebp+var_48]

loc_97564E:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+273j
		test	dword ptr [esi+64h], 10000000h
		setnz	cl
		bt	eax, 1Ch
		setnb	al
		test	cl, al
		jz	short loc_975667
		or	dword ptr [esi+8], 1

loc_975667:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+28Bj
		mov	ebx, [ebp+var_48]
		lea	eax, [ebp+var_78]
		mov	[ebp+var_80], eax
		lea	ecx, [edi+10h]
		lea	eax, [esi+1Ch]
		mov	[ebp+var_50], ecx
		mov	esi, [ebp+var_80]
		xor	edx, edx
		mov	[ebp+var_A8], eax
		mov	edi, edx

loc_975686:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+2EDj
		mov	edx, [ecx]
		mov	ecx, [eax]	; wchar_t *
		call	_PiDevCfgGetMigrationDeviceIdScore@8 ; PiDevCfgGetMigrationDeviceIdScore(x,x)
		mov	ecx, 0FFFFh
		mov	[esi], ax
		cmp	ax, cx
		jz	short loc_9756A2
		or	ebx, ds:dword_A3FCAC[edi]

loc_9756A2:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+2C4j
		mov	ecx, [ebp+var_50]
		add	edi, 4
		mov	eax, [ebp+var_A8]
		add	ecx, 8
		add	eax, 8
		mov	[ebp+var_50], ecx
		add	esi, 2
		mov	[ebp+var_A8], eax
		cmp	edi, 8
		jb	short loc_975686
		mov	esi, [ebp+var_6C]
		mov	ecx, 10000h
		mov	[ebp+var_48], ebx
		mov	ebx, [ebp+var_F4]
		mov	edx, [esi+64h]
		test	edx, ecx
		jz	short loc_9756FB
		mov	eax, [ebp+var_48]
		test	eax, ecx
		jz	short loc_97570E
		mov	ecx, eax
		and	ecx, 11000h
		neg	ecx
		sbb	cl, cl
		inc	cl
		bt	edx, 0Ch
		setb	al
		jmp	short loc_97570A
; 

loc_9756FB:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+305j
		bt	edx, 0Ch
		setb	cl
		bt	[ebp+var_48], 0Ch
		setnb	al

loc_97570A:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+323j
		test	cl, al
		jz	short loc_975712

loc_97570E:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+30Cj
		or	dword ptr [esi+8], 1

loc_975712:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+336j
		mov	edi, [esi+50h]
		xor	edx, edx
		test	edi, edi
		jz	short loc_97576A
		mov	eax, [ebp+var_68]
		cmp	[eax+20h], edx
		jz	short loc_97576A
		jmp	short loc_975757
; 

loc_975725:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+384j
		push	ecx
		mov	ecx, [eax+20h]
		mov	edx, edi
		call	_PnpMultiSzContainsString@12 ; PnpMultiSzContainsString(x,x,x)
		test	eax, eax
		jnz	short loc_97575E
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_975739:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+370j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_84]
		jnz	short loc_975739
		mov	eax, [ebp+var_68]
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		xor	edx, edx

loc_975757:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+34Dj
		cmp	[edi], dx
		jnz	short loc_975725
		jmp	short loc_97576A
; 

loc_97575E:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+35Cj
		or	[ebp+var_48], 200h
		xor	edx, edx
		mov	[esi+54h], edi

loc_97576A:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+343j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+34Bj ...
		test	dword ptr [esi+64h], 200h
		mov	edi, [ebp+var_48]
		setnz	cl
		bt	edi, 9
		setnb	al
		test	cl, al
		jz	short loc_975786
		or	dword ptr [esi+8], 1

loc_975786:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+3AAj
		cmp	[esi+48h], edx
		jz	loc_975846
		test	[ebp+var_54], 100h
		jnz	loc_97581F
		push	30h		; size_t
		push	edx		; int
		lea	eax, [ebp+var_F0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_F0], offset _DEVPKEY_Device_LocationInfo
		lea	eax, [ebp+var_94]
		mov	[ebp+var_EC], 12h
		mov	[ebp+var_E8], eax
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_E0], 6
		push	1
		push	eax
		mov	eax, [ebp+var_68]
		push	dword ptr [eax+8]
		mov	edx, [eax+4]
		push	1
		call	PiDevCfgQueryObjectProperties
		mov	edi, eax
		mov	[ebp+var_50], edi
		test	edi, edi
		js	loc_975B68
		cmp	[ebp+var_DC], ebx
		jge	short loc_975815
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_975815:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+42Ej
		or	[ebp+var_54], 100h
		mov	edi, [ebp+var_48]

loc_97581F:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+3C0j
		cmp	[ebp+var_90], ebx
		jz	short loc_975846
		push	1
		lea	eax, [ebp+var_94]
		push	eax
		lea	eax, [esi+44h]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jnz	short loc_975846
		or	edi, 100h
		mov	[ebp+var_48], edi

loc_975846:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+3B3j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+44Fj ...
		mov	ecx, edi
		and	ecx, 300h
		neg	ecx
		sbb	cl, cl
		inc	cl
		test	dword ptr [esi+64h], 100h
		setnz	al
		test	cl, al
		jz	short loc_975866
		or	dword ptr [esi+8], 1

loc_975866:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+48Aj
		test	byte ptr [ebp+var_54], 30h
		jnz	loc_97591C
		xor	eax, eax
		mov	[ebp+var_F0], offset _DEVPKEY_Device_Capabilities
		mov	[ebp+var_E0], eax
		mov	[ebp+var_DC], eax
		mov	[ebp+var_CC], eax
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_E8], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_D0], eax
		lea	eax, [ebp+var_F0]
		push	2
		push	eax
		mov	eax, [ebp+var_68]
		mov	[ebp+var_EC], 7
		mov	[ebp+var_E4], 4
		mov	[ebp+var_D8], (offset loc_4058A5+3)
		push	dword ptr [eax+8]
		mov	edx, [eax+4]
		push	1
		mov	[ebp+var_D4], 12h
		mov	[ebp+var_C8], 6
		call	PiDevCfgQueryObjectProperties
		mov	edi, eax
		mov	[ebp+var_50], edi
		test	edi, edi
		js	loc_975B68
		cmp	[ebp+var_C4], ebx
		jge	short loc_975918
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_8C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_975918:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+531j
		or	[ebp+var_54], 30h

loc_97591C:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+494j
		mov	eax, [esi+38h]
		xor	eax, [ebp+var_74]
		test	al, 10h
		jnz	short loc_97592C
		or	[ebp+var_48], 10h
		jmp	short loc_97593C
; 

loc_97592C:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+54Ej
		test	byte ptr [esi+64h], 10h
		jnz	short loc_975938
		test	byte ptr [ebp+var_74], 10h
		jz	short loc_97593C

loc_975938:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+55Aj
		or	dword ptr [esi+8], 1

loc_97593C:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+554j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+560j
		mov	eax, [esi+40h]
		mov	edi, [ebp+var_88]
		mov	[ebp+var_80], eax
		test	eax, eax
		jz	short loc_97596D
		test	edi, edi
		jz	short loc_975969
		push	1
		lea	eax, [ebp+var_8C]
		push	eax
		lea	eax, [esi+3Ch]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jz	short loc_975971
		mov	eax, [ebp+var_80]

loc_975969:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+578j
		test	eax, eax
		jnz	short loc_975975

loc_97596D:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+574j
		test	edi, edi
		jnz	short loc_975975

loc_975971:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+58Ej
		or	[ebp+var_48], 20h

loc_975975:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+595j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+599j
		test	byte ptr [esi+64h], 20h
		setnz	cl
		test	byte ptr [ebp+var_48], 20h
		setz	al
		test	cl, al
		jz	short loc_97598B
		or	dword ptr [esi+8], 1

loc_97598B:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+5AFj
		xor	eax, eax
		cmp	[esi+5Ch], eax
		jz	loc_975A8C
		test	byte ptr [ebp+var_54], 2
		jnz	loc_975A6A
		mov	edi, [ebp+var_60]
		mov	eax, [edi+18h]
		test	eax, eax
		jz	loc_975A66
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	loc_975A66
		lea	edx, [ebp+var_C0]
		call	_PiDevCfgGetDriverPackageId@8 ;	PiDevCfgGetDriverPackageId(x,x)
		test	eax, eax
		js	short loc_975A44
		push	30h		; size_t
		xor	edi, edi
		lea	eax, [ebp+var_F0]
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_BC]
		lea	eax, [ebp+var_9C]
		add	esp, 0Ch
		mov	[ebp+var_E8], eax
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_F0], offset _DEVPKEY_DriverPackage_OriginalInfName
		mov	[ebp+var_EC], 12h
		mov	[ebp+var_E0], 6
		push	1
		push	eax
		push	edi
		push	8
		call	PiDevCfgQueryObjectProperties
		mov	edi, eax
		mov	[ebp+var_50], edi
		test	edi, edi
		js	loc_975B68
		cmp	[ebp+var_DC], ebx
		jge	short loc_975A41
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_9C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_975A41:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+65Aj
		mov	edi, [ebp+var_60]

loc_975A44:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+5F0j
		lea	ecx, [ebp+var_9C]
		cmp	[ebp+var_98], ebx
		jnz	short loc_975A55
		mov	ecx, [edi+18h]

loc_975A55:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+67Aj
		mov	eax, [ecx]
		mov	[ebp+var_A4], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_A0], eax

loc_975A66:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+5D2j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+5DDj
		or	[ebp+var_54], 2

loc_975A6A:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+5C4j
		cmp	[ebp+var_A0], ebx
		jz	short loc_975A8C
		push	1
		lea	eax, [ebp+var_A4]
		push	eax
		lea	eax, [esi+58h]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jnz	short loc_975A8C
		or	[ebp+var_48], 2

loc_975A8C:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+5BAj
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+69Aj ...
		test	byte ptr [esi+64h], 2
		setnz	cl
		test	byte ptr [ebp+var_48], 2
		setz	al
		test	cl, al
		jz	short loc_975AA2
		or	dword ptr [esi+8], 1

loc_975AA2:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+6C6j
		push	10h		; size_t
		lea	eax, [ebp+var_18]
		push	eax		; void *
		lea	eax, [esi+28h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_975ABE
		or	[ebp+var_48], 1
		jmp	short loc_975AC8
; 

loc_975ABE:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+6E0j
		test	byte ptr [esi+64h], 1
		jz	short loc_975AC8
		or	dword ptr [esi+8], 1

loc_975AC8:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+6E6j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+6ECj
		movzx	eax, word ptr [ebp+var_78]
		cdq
		mov	ecx, eax
		mov	edi, edx
		movzx	eax, word ptr [ebp+var_78+2]
		shld	edi, ecx, 10h
		cdq
		shl	ecx, 10h
		or	edi, edx
		or	ecx, eax
		mov	eax, [ebp+var_48]
		shld	edi, ecx, 10h
		shl	ecx, 10h
		mov	[esi+68h], ecx
		mov	[esi+6Ch], edi
		test	eax, 10000000h
		jnz	short loc_975B04
		or	edi, 0F0000000h
		mov	[esi+68h], ecx
		mov	[esi+6Ch], edi

loc_975B04:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+720j
		test	eax, 200h
		jnz	short loc_975B17
		or	ecx, 0F000h
		mov	[esi+68h], ecx
		mov	[esi+6Ch], edi

loc_975B17:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+733j
		mov	edx, 100h
		test	eax, edx
		jnz	short loc_975B28
		or	ecx, edx
		mov	[esi+68h], ecx
		mov	[esi+6Ch], edi

loc_975B28:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+748j
		test	al, 20h
		jnz	short loc_975B35
		or	ecx, 20h
		mov	[esi+68h], ecx
		mov	[esi+6Ch], edi

loc_975B35:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+754j
		test	al, 10h
		jnz	short loc_975B42
		or	ecx, 10h
		mov	[esi+68h], ecx
		mov	[esi+6Ch], edi

loc_975B42:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+761j
		test	al, 2
		jnz	short loc_975B4F
		or	ecx, 2
		mov	[esi+68h], ecx
		mov	[esi+6Ch], edi

loc_975B4F:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+76Ej
		test	al, 1
		mov	eax, [ebp+var_64]
		jnz	loc_9755C7
		or	ecx, 1
		mov	[esi+68h], ecx
		mov	[esi+6Ch], edi
		jmp	loc_9755C7
; 

loc_975B68:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+22Bj
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+422j ...
		mov	esi, [ebp+var_4C]

loc_975B6B:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+188j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+224j
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		js	loc_975CE2
		mov	ecx, [ebp+var_5C]
		lea	eax, [ebp+var_5C]
		cmp	ecx, eax
		jz	loc_975CDD

loc_975B8A:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+7EEj
		mov	edx, [ecx+68h]
		mov	eax, edx
		mov	esi, [ecx+6Ch]
		and	eax, esi
		cmp	eax, 0FFFFFFFFh
		jz	short loc_975BBD
		test	ebx, ebx
		jz	short loc_975BBB
		mov	edi, [ebx+6Ch]
		mov	eax, [ebx+68h]
		mov	[ebp+var_84], edi
		cmp	edi, esi
		jb	loc_975C4F
		ja	short loc_975BBB
		cmp	eax, edx
		jbe	loc_975C51

loc_975BBB:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+7C5j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+7DBj ...
		mov	ebx, ecx

loc_975BBD:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+7C1j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x):loc_975C51j ...
		mov	ecx, [ecx]
		lea	eax, [ebp+var_5C]
		cmp	ecx, eax
		jnz	short loc_975B8A
		mov	edi, [ebp+var_50]
		test	ebx, ebx
		jz	loc_975CDD
		test	byte ptr [ebx+8], 2
		jz	loc_975C89
		mov	esi, [ebp+var_5C]
		mov	[ebp+var_B0], 1
		cmp	esi, eax
		jz	loc_975CC0
		xor	edi, edi

loc_975BF2:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+872j
		test	byte ptr [esi+8], 2
		jz	short loc_975C41
		mov	eax, [esi+68h]
		cmp	eax, [ebx+68h]
		jnz	short loc_975C41
		mov	eax, [esi+6Ch]
		cmp	eax, [ebx+6Ch]
		jnz	short loc_975C41
		push	14h
		pop	eax
		push	12h
		mov	word ptr [ebp+var_B8+2], ax
		pop	eax
		push	4
		mov	word ptr [ebp+var_B8], ax
		lea	eax, [ebp+var_B0]
		push	eax
		push	4
		push	edi
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_B4], offset ??_C@_1BE@NAMCHGKG@?$AAD?$AAu?$AAp?$AAl?$AAi?$AAc?$AAa?$AAt?$AAe@NNGAKEGL@
		push	eax
		push	dword ptr [esi+14h]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_975C41:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+820j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+828j ...
		mov	esi, [esi]
		lea	eax, [ebp+var_5C]
		cmp	esi, eax
		jnz	short loc_975BF2
		mov	edi, [ebp+var_50]
		jmp	short loc_975CC0
; 

loc_975C4F:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+7D5j
		cmp	eax, edx

loc_975C51:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+7DFj
		jnz	loc_975BBD
		cmp	[ebp+var_84], esi
		jnz	loc_975BBD
		cmp	_PnpSetupInProgress, 0
		jz	short loc_975C7C
		xor	eax, eax
		cmp	[ecx+60h], eax
		jz	short loc_975C7C
		cmp	[ebx+60h], eax
		jz	loc_975BBB

loc_975C7C:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+894j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+89Bj
		or	dword ptr [ebx+8], 2
		or	dword ptr [ecx+8], 2
		jmp	loc_975BBD
; 

loc_975C89:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+7FFj
		mov	ecx, [ebx+14h]
		lea	eax, [ebp+var_4C]
		push	eax
		xor	esi, esi
		mov	edx, offset ??_C@_1BE@NAMCHGKG@?$AAD?$AAu?$AAp?$AAl?$AAi?$AAc?$AAa?$AAt?$AAe@NNGAKEGL@
		push	esi
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_975CC0
		mov	ecx, [ebp+var_4C]
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_975CB9
		mov	eax, [ecx+8]
		cmp	[ecx+eax], esi
		jz	short loc_975CB9
		or	dword ptr [ebx+8], 2

loc_975CB9:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+8D5j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+8DDj
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_975CC0:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+814j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+877j ...
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	short loc_975D08
		mov	ecx, [ebx+4]
		cmp	[ecx], ebx
		jnz	short loc_975D08
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	eax, [ebp+var_F8]
		mov	[eax], ebx
		jmp	short loc_975CE2
; 

loc_975CDD:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+D8j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+7AEj ...
		mov	edi, 0C0000225h

loc_975CE2:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+CFj
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+108j ...
		mov	ecx, [ebp+var_5C]
		lea	eax, [ebp+var_5C]
		cmp	ecx, eax
		jz	short loc_975D0D
		cmp	[ecx+4], eax
		jnz	short loc_975D08
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_975D08
		lea	edx, [ebp+var_5C]
		mov	[ebp+var_5C], eax
		mov	[eax+4], edx
		call	_PiDevCfgFreeDeviceMigrationNode@4 ; PiDevCfgFreeDeviceMigrationNode(x)
		jmp	short loc_975CE2
; 

loc_975D08:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+242j
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+8EFj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_975D0D:				; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+914j
		lea	eax, [ebp+var_8C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_94]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_C0]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_9C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PiDevCfgFindDeviceMigrationNode@20 endp


;  S U B	R O U T	I N E 


; __stdcall PiDevCfgFreeDeviceMigrationNode(x)
_PiDevCfgFreeDeviceMigrationNode@4 proc	near
					; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+92Bp
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+3E7p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_975D64
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_975D64:				; CODE XREF: PiDevCfgFreeDeviceMigrationNode(x)+Cj
		lea	eax, [esi+0Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	2
		lea	edi, [esi+18h]
		pop	ebx

loc_975D73:				; CODE XREF: PiDevCfgFreeDeviceMigrationNode(x)+2Fj
		push	edi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		add	edi, 8
		sub	ebx, 1
		jnz	short loc_975D73
		lea	eax, [esi+3Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+44h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+4Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+58h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
_PiDevCfgFreeDeviceMigrationNode@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiDevCfgFreeDriverNode(x)
_PiDevCfgFreeDriverNode@4 proc near	; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+69Bp
					; PiDevCfgFindDeviceDriver(x,x,x)+D7p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esi+88h]

loc_975DBC:				; CODE XREF: PiDevCfgFreeDriverNode(x)+28j
		mov	ecx, [edi]
		cmp	ecx, edi
		jz	short loc_975DDA
		cmp	[ecx+4], edi
		jnz	short loc_975E22
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_975E22
		mov	[edi], eax
		mov	[eax+4], edi
		call	_PiDevCfgFreeDriverNode@4 ; PiDevCfgFreeDriverNode(x)
		jmp	short loc_975DBC
; 

loc_975DDA:				; CODE XREF: PiDevCfgFreeDriverNode(x)+10j
		lea	edi, [esi+80h]

loc_975DE0:				; CODE XREF: PiDevCfgFreeDriverNode(x)+4Cj
		mov	ecx, [edi]
		cmp	ecx, edi
		jz	short loc_975DFE
		cmp	[ecx+4], edi
		jnz	short loc_975E22
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_975E22
		mov	[edi], eax
		mov	[eax+4], edi
		call	_PiDevCfgFreeDriverNode@4 ; PiDevCfgFreeDriverNode(x)
		jmp	short loc_975DE0
; 

loc_975DFE:				; CODE XREF: PiDevCfgFreeDriverNode(x)+34j
		lea	edi, [esi+0D8h]

loc_975E04:				; CODE XREF: PiDevCfgFreeDriverNode(x)+70j
		mov	ecx, [edi]
		cmp	ecx, edi
		jz	short loc_975E27
		cmp	[ecx+4], edi
		jnz	short loc_975E22
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_975E22
		mov	[edi], eax
		mov	[eax+4], edi
		call	_PiDevCfgFreeDriverNode@4 ; PiDevCfgFreeDriverNode(x)
		jmp	short loc_975E04
; 

loc_975E22:				; CODE XREF: PiDevCfgFreeDriverNode(x)+15j
					; PiDevCfgFreeDriverNode(x)+1Cj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_975E27:				; CODE XREF: PiDevCfgFreeDriverNode(x)+58j
		mov	eax, [esi+58h]
		test	eax, eax
		jz	short loc_975E36
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_975E36:				; CODE XREF: PiDevCfgFreeDriverNode(x)+7Cj
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_975E43
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_975E43:				; CODE XREF: PiDevCfgFreeDriverNode(x)+8Bj
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_975E50
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_975E50:				; CODE XREF: PiDevCfgFreeDriverNode(x)+98j
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_975E5D
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_975E5D:				; CODE XREF: PiDevCfgFreeDriverNode(x)+A5j
		lea	eax, [esi+1Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+14h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+24h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+2Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+50h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+60h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+0A0h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+0A8h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+0B0h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+0B8h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+0C0h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+0C8h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+0D0h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+0E8h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_PiDevCfgFreeDriverNode@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiDevCfgFreeMigrationContext(x)
_PiDevCfgFreeMigrationContext@4	proc near
					; CODE XREF: PiDevCfgInitMigrationContext(x,x,x)+1C0p
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+3EFp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi], 0
		jz	short loc_975F43
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_975F15
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_975F15:				; CODE XREF: PiDevCfgFreeMigrationContext(x)+Fj
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_975F22
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_975F22:				; CODE XREF: PiDevCfgFreeMigrationContext(x)+1Cj
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_975F2F
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_975F2F:				; CODE XREF: PiDevCfgFreeMigrationContext(x)+29j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_975F3C
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_975F3C:				; CODE XREF: PiDevCfgFreeMigrationContext(x)+36j
		push	dword ptr [esi]
		call	_ZwClose@4	; ZwClose(x)

loc_975F43:				; CODE XREF: PiDevCfgFreeMigrationContext(x)+8j
		pop	esi
		retn
_PiDevCfgFreeMigrationContext@4	endp


;  S U B	R O U T	I N E 


; __stdcall PiDevCfgFreeResolveContext(x)
_PiDevCfgFreeResolveContext@4 proc near	; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+1CDp
					; PiDevCfgInitResolveContext(x,x,x)+14Fp ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		cmp	dword ptr [edi+0Ch], 0
		jz	short loc_975F8B
		xor	esi, esi

loc_975F54:				; CODE XREF: PiDevCfgFreeResolveContext(x)+31j
					; PiDevCfgFreeResolveContext(x)+3Cj
		mov	edx, [edi+0Ch]
		lea	eax, [esi+edx]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_975F78
		cmp	[ecx+4], eax
		jnz	short loc_975F9C
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_975F9C
		mov	[eax], edx
		mov	[edx+4], eax
		call	_PiDevCfgFreeVariable@4	; PiDevCfgFreeVariable(x)
		jmp	short loc_975F54
; 

loc_975F78:				; CODE XREF: PiDevCfgFreeResolveContext(x)+19j
		add	esi, 8
		cmp	esi, 3F8h
		jb	short loc_975F54
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_975F8B:				; CODE XREF: PiDevCfgFreeResolveContext(x)+Bj
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_975F98
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_975F98:				; CODE XREF: PiDevCfgFreeResolveContext(x)+4Bj
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_975F9C:				; CODE XREF: PiDevCfgFreeResolveContext(x)+1Ej
					; PiDevCfgFreeResolveContext(x)+25j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PiDevCfgFreeResolveContext@4 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall PiDevCfgFreeVariable(x)
_PiDevCfgFreeVariable@4	proc near	; CODE XREF: PiDevCfgFreeResolveContext(x)+2Cp
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		lea	eax, [esi+8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [esi+18h]
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_975FFC
		mov	edx, [esi+10h]
		cmp	dx, 8000h
		jnz	short loc_975FF5
		test	edx, 100000h
		jz	short loc_975FEB
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_975FE2
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_975FE2
		push	edi
		push	dword ptr [eax+4]
		jmp	short loc_975FE4
; 

loc_975FE2:				; CODE XREF: PiDevCfgFreeVariable(x)+32j
					; PiDevCfgFreeVariable(x)+39j
		push	edi
		push	edi

loc_975FE4:				; CODE XREF: PiDevCfgFreeVariable(x)+3Fj
		xor	edx, edx
		call	_RegRtlDeleteTreeInternal

loc_975FEB:				; CODE XREF: PiDevCfgFreeVariable(x)+29j
		push	dword ptr [esi+18h]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_975FFC
; 

loc_975FF5:				; CODE XREF: PiDevCfgFreeVariable(x)+21j
		push	edi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_975FFC:				; CODE XREF: PiDevCfgFreeVariable(x)+17j
					; PiDevCfgFreeVariable(x)+52j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ecx
		retn
_PiDevCfgFreeVariable@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgGetDeviceClassConfigFlags(x, x, x)
_PiDevCfgGetDeviceClassConfigFlags@12 proc near
					; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+19EAp
					; PpDevCfgProcessDeviceClass(x)+1FBp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_8], 1
		xor	ecx, ecx
		mov	edi, edx
		push	ecx
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], ecx
		push	eax
		push	offset _DEVPKEY_DeviceClass_ConfigFilters
		push	ecx
		push	edi
		mov	[esi], ecx
		mov	edx, ebx
		mov	ecx, _PiPnpRtlCtx
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	short loc_976078
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		push	offset _DEVPKEY_DeviceClass_ConfigNotifyWnfTriggers
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	edi
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_97607E

loc_976078:				; CODE XREF: PiDevCfgGetDeviceClassConfigFlags(x,x,x)+45j
		or	dword ptr [esi], 80000h

loc_97607E:				; CODE XREF: PiDevCfgGetDeviceClassConfigFlags(x,x,x)+6Fj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	4
_PiDevCfgGetDeviceClassConfigFlags@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgGetDriverPackageId(x, x)
_PiDevCfgGetDriverPackageId@8 proc near	; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+5DBp
					; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+5E9p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		mov	ebx, edx
		push	ecx
		push	ecx
		push	eax
		push	ecx
		push	20019h
		mov	[ebp+var_4], ecx
		mov	edx, edi
		mov	ecx, _PiPnpRtlCtx
		push	9
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_9760FD
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_1C]
		and	[ebp+var_8], 0
		mov	edx, edi
		push	1
		push	eax
		push	[ebp+var_4]
		mov	[ebp+var_1C], offset _DEVPKEY_DriverInfFile_ActiveDriverPackage
		push	9
		mov	[ebp+var_18], 12h
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], 6
		call	PiDevCfgQueryObjectProperties
		mov	esi, eax
		test	esi, esi
		js	short loc_9760FD
		cmp	[ebp+var_8], 0
		jge	short loc_9760FD
		mov	esi, [ebp+var_8]

loc_9760FD:				; CODE XREF: PiDevCfgGetDriverPackageId(x,x)+33j
					; PiDevCfgGetDriverPackageId(x,x)+6Bj ...
		cmp	[ebp+var_4], 0
		jz	short loc_97610B
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_97610B:				; CODE XREF: PiDevCfgGetDriverPackageId(x,x)+7Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiDevCfgGetDriverPackageId@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgGetFailedInstallProblemStatus(x, x)
_PiDevCfgGetFailedInstallProblemStatus@8 proc near
					; CODE XREF: PiProcessNewDeviceNode+6EAFFp
					; IopInitializeDeviceInstanceKey+90605p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], 1
		push	esi
		lea	eax, [ebp+var_8]
		mov	[ebp+var_C], esi
		push	eax
		push	4
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], esi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	offset _DEVPKEY_Device_InstallError
		push	esi
		push	edx
		mov	edx, ecx
		mov	ecx, _PiPnpRtlCtx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9761A6
		cmp	[ebp+var_4], 17h
		jnz	short loc_9761A6
		cmp	[ebp+var_8], 4
		jnz	short loc_9761A6
		mov	eax, [ebp+var_C]
		cmp	eax, 0E0000219h
		jz	short loc_9761A1
		cmp	eax, 0E0000228h
		jz	short loc_97619A
		cmp	eax, 0E0000250h
		jz	short loc_976193
		cmp	eax, 0E0000251h
		jz	short loc_97618C
		cmp	eax, 0E0000252h
		jnz	short loc_9761A6
		mov	esi, 0C0000493h
		jmp	short loc_9761A6
; 

loc_97618C:				; CODE XREF: PiDevCfgGetFailedInstallProblemStatus(x,x)+6Aj
		mov	esi, 0C0000492h
		jmp	short loc_9761A6
; 

loc_976193:				; CODE XREF: PiDevCfgGetFailedInstallProblemStatus(x,x)+63j
		mov	esi, 0C0000491h
		jmp	short loc_9761A6
; 

loc_97619A:				; CODE XREF: PiDevCfgGetFailedInstallProblemStatus(x,x)+5Cj
		mov	esi, 0C0000490h
		jmp	short loc_9761A6
; 

loc_9761A1:				; CODE XREF: PiDevCfgGetFailedInstallProblemStatus(x,x)+55j
		mov	esi, 0C0000494h

loc_9761A6:				; CODE XREF: PiDevCfgGetFailedInstallProblemStatus(x,x)+3Fj
					; PiDevCfgGetFailedInstallProblemStatus(x,x)+45j ...
		mov	eax, esi
		pop	esi
		leave
		retn
_PiDevCfgGetFailedInstallProblemStatus@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgGetKeySecurityDescriptor(x,	x)
_PiDevCfgGetKeySecurityDescriptor@8 proc near
					; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+955p
					; PiDevCfgCopyDeviceKeys(x,x,x,x)+38p

var_60		= dword	ptr -60h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_25		= dword	ptr -25h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4C], edx
		lea	edi, [ebp+var_60]
		mov	[ebp+var_40], ecx
		stosd
		xor	ebx, ebx
		and	[edx], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_2C], ebx
		stosd
		mov	byte ptr [ebp+var_25], bl
		mov	[ebp+var_34], ebx
		mov	[ebp+var_38], ebx
		stosd
		mov	[ebp+var_44], ebx
		mov	[ebp+var_48], ebx
		stosd
		stosd
		lea	eax, [ebp+var_3C]
		push	eax
		push	20h
		lea	eax, [ebp+var_25+1]
		push	eax
		push	2
		push	ecx
		call	_ZwQuerySecurityObject@20 ; ZwQuerySecurityObject(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_97620F

loc_976205:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+A5j
		mov	esi, 0C0000068h
		jmp	loc_9762CF
; 

loc_97620F:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+58j
		test	esi, esi
		js	loc_9762CF
		lea	eax, [ebp-2Dh]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_25+1]
		push	eax
		call	_RtlGetGroupSecurityDescriptor@12 ; RtlGetGroupSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9762CF
		cmp	[ebp+var_2C], ebx
		jnz	short loc_976241
		mov	esi, 0C0000066h
		jmp	loc_9762CF
; 

loc_976241:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+8Aj
		push	offset _PiDevCfgNullSid
		push	[ebp+var_2C]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_976205
		mov	esi, 0DCh
		mov	[ebp+var_2C], esi
		jmp	short loc_976289
; 

loc_97625C:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+EFj
		lea	eax, [ebp+var_3C]
		push	eax
		push	esi
		push	edi
		push	4
		push	[ebp+var_40]
		call	_ZwQuerySecurityObject@20 ; ZwQuerySecurityObject(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_9762E5
		mov	esi, [ebp+var_3C]
		cmp	esi, [ebp+var_2C]
		jbe	short loc_9762E0
		push	0
		push	edi
		mov	[ebp+var_2C], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_976289:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+AFj
		push	63647050h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_97625C

loc_97629C:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+1EDj
					; PiDevCfgGetKeySecurityDescriptor(x,x)+2DAj
		mov	esi, 0C000009Ah

loc_9762A1:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+13Cj
					; PiDevCfgGetKeySecurityDescriptor(x,x)+154j ...
		test	edi, edi
		jz	short loc_9762B4
		lea	eax, [ebp+var_25+1]
		cmp	edi, eax
		jz	short loc_9762B4
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9762B4:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+F8j
					; PiDevCfgGetKeySecurityDescriptor(x,x)+FFj
		test	ebx, ebx
		jz	short loc_9762C0
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9762C0:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+10Bj
		mov	eax, [ebp+var_38]
		test	eax, eax
		jz	short loc_9762CF
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9762CF:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+5Fj
					; PiDevCfgGetKeySecurityDescriptor(x,x)+66j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_9762E0:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+D1j
		mov	esi, 0C00000E5h

loc_9762E5:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+C9j
		test	esi, esi
		js	short loc_9762A1
		lea	eax, [ebp-2Dh]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_25]
		push	eax
		push	edi
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9762A1
		cmp	byte ptr [ebp+var_25], bl
		jz	loc_9764BB
		mov	esi, [ebp+var_34]
		test	esi, esi
		jz	loc_9764BB
		xor	eax, eax
		xor	ecx, ecx
		cmp	ax, [esi+4]
		jmp	short loc_97636D
; 

loc_97631F:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+1C5j
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	esi
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9762A1
		mov	ecx, [ebp+var_44]
		cmp	[ecx], bl
		jnz	short loc_976360
		mov	eax, [ecx+4]
		mov	edx, 0F003Fh
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_976360
		push	_SeLocalSystemSid
		lea	eax, [ecx+8]
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	loc_976457

loc_976360:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+18Ej
					; PiDevCfgGetKeySecurityDescriptor(x,x)+19Cj
		mov	esi, [ebp+var_34]
		mov	ecx, [ebp+var_2C]
		inc	ecx
		movzx	eax, word ptr [esi+4]
		cmp	ecx, eax

loc_97636D:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+172j
		mov	[ebp+var_2C], ecx
		jb	short loc_97631F
		push	_SeLocalSystemSid
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		movzx	esi, word ptr [esi+2]
		add	eax, 8
		push	63647050h
		add	esi, eax
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		jz	loc_97629C
		push	2		; int
		push	esi		; size_t
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9762A1
		lea	eax, [ebp+var_48]
		push	eax
		push	0
		push	[ebp+var_34]
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9762A1
		mov	eax, [ebp+var_34]
		movzx	eax, word ptr [eax+2]
		sub	eax, 8
		push	eax
		push	[ebp+var_48]
		push	0
		push	2
		push	[ebp+var_38]
		call	RtlAddAce
		mov	esi, eax
		test	esi, esi
		js	loc_9762A1
		mov	ecx, [ebp+var_38]
		push	0
		push	_SeLocalSystemSid
		push	0F003Fh
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	loc_9762A1
		push	1
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9762A1
		push	0
		push	[ebp+var_38]
		lea	eax, [ebp+var_60]
		push	1
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_9762A1
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jnz	short loc_976461

loc_97644D:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+2C7j
		mov	esi, 0C00000E5h
		jmp	loc_9762A1
; 

loc_976457:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+1AFj
		mov	eax, [ebp+var_4C]
		mov	[eax], edi
		jmp	loc_9762CF
; 

loc_976461:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+2A0j
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	esi, eax
		mov	[ebp+var_40], esi
		cmp	esi, 14h
		jb	short loc_97644D
		push	63647050h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_97629C
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_40]
		push	eax
		push	ebx
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9762A1
		mov	eax, [ebp+var_4C]
		mov	[eax], ebx
		xor	ebx, ebx
		jmp	loc_9762A1
; 

loc_9764BB:				; CODE XREF: PiDevCfgGetKeySecurityDescriptor(x,x)+159j
					; PiDevCfgGetKeySecurityDescriptor(x,x)+164j
		mov	esi, 0C0000225h
		jmp	loc_9762A1
_PiDevCfgGetKeySecurityDescriptor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgInitDeviceCallback(x, x, x)
_PiDevCfgInitDeviceCallback@12 proc near ; DATA	XREF: PpDevCfgInit+146DDo

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		push	9
		pop	ecx
		mov	edx, [esi+0Ch]
		lea	edi, [esp+48h+var_24]
		push	ebx
		xor	eax, eax
		mov	[esp+4Ch+var_34], ebx
		push	ebx
		rep stosd
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+50h+var_34]
		push	eax
		push	ebx
		push	0F003Fh
		push	dword ptr [esi+14h]
		mov	[esp+60h+var_38], ebx
		mov	[esp+60h+var_28], ebx
		mov	[esp+60h+var_2C], 1
		mov	[esp+60h+var_30], ebx
		call	_PnpOpenObjectRegKey
		test	eax, eax
		js	loc_9765AA
		mov	edx, [esi+0Ch]
		lea	eax, [esp+48h+var_30]
		mov	ecx, _PiPnpRtlCtx
		push	4
		pop	edi
		push	ebx
		push	eax
		lea	eax, [esp+50h+var_38]
		mov	[esp+50h+var_30], edi
		push	eax
		lea	eax, [esp+54h+var_2C]
		push	eax
		push	0Bh
		push	[esp+5Ch+var_34]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_97655C
		cmp	[esp+48h+var_2C], edi
		jnz	short loc_97655C
		cmp	[esp+48h+var_30], edi
		jz	short loc_976560

loc_97655C:				; CODE XREF: PiDevCfgInitDeviceCallback(x,x,x)+89j
					; PiDevCfgInitDeviceCallback(x,x,x)+8Fj
		mov	[esp+48h+var_38], ebx

loc_976560:				; CODE XREF: PiDevCfgInitDeviceCallback(x,x,x)+95j
		mov	edx, [esp+48h+var_34]
		lea	eax, [esp+48h+var_24]
		mov	ecx, [esi+0Ch]
		push	eax
		call	_PiDevCfgInitDeviceContext@12 ;	PiDevCfgInitDeviceContext(x,x,x)
		test	eax, eax
		js	short loc_9765AA
		lea	edx, [esp+48h+var_28]
		lea	ecx, [esp+48h+var_24]
		call	_PiDevCfgCheckDeviceNeedsUpdate@8 ; PiDevCfgCheckDeviceNeedsUpdate(x,x)
		test	eax, eax
		js	short loc_9765A5
		mov	eax, [esp+48h+var_28]
		test	eax, eax
		jz	short loc_9765A5
		or	[esp+48h+var_38], eax
		lea	edx, [esp+48h+var_24]
		push	ecx
		push	edi
		lea	eax, [esp+50h+var_38]
		push	eax
		push	edi
		push	0Bh
		call	_PiDevCfgSetDeviceRegProp@28 ; PiDevCfgSetDeviceRegProp(x,x,x,x,x,x,x)

loc_9765A5:				; CODE XREF: PiDevCfgInitDeviceCallback(x,x,x)+BFj
					; PiDevCfgInitDeviceCallback(x,x,x)+C7j
		mov	eax, [ebp+arg_8]
		mov	[eax], bl

loc_9765AA:				; CODE XREF: PiDevCfgInitDeviceCallback(x,x,x)+56j
					; PiDevCfgInitDeviceCallback(x,x,x)+AEj
		lea	ecx, [esp+48h+var_24]
		call	PiDevCfgFreeDeviceContext
		cmp	[esp+48h+var_34], ebx
		jz	short loc_9765C2
		push	[esp+48h+var_34]
		call	_ZwClose@4	; ZwClose(x)

loc_9765C2:				; CODE XREF: PiDevCfgInitDeviceCallback(x,x,x)+F2j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PiDevCfgInitDeviceCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgInitDeviceContext(x, x, x)
_PiDevCfgInitDeviceContext@12 proc near	; CODE XREF: PpDevCfgProcessDeviceOperations+6C80Ep
					; PiDevCfgProcessDeviceCallback+6C3A1p	...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_40		= dword	ptr -40h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		push	9
		xor	eax, eax
		mov	edi, esi
		pop	ecx
		rep stosd
		mov	[esi+4], ebx
		lea	eax, [esi+8]
		test	edx, edx
		jz	short loc_9765FE
		mov	[eax], edx
		jmp	short loc_976629
; 

loc_9765FE:				; CODE XREF: PiDevCfgInitDeviceContext(x,x,x)+2Bj
		mov	ecx, _PiPnpRtlCtx
		mov	edx, ebx
		push	0
		push	eax
		push	0
		push	0F003Fh
		push	0
		push	10h
		call	_CmOpenDeviceRegKey
		mov	edi, eax
		test	edi, edi
		js	loc_9766AE
		or	dword ptr [esi], 80000000h

loc_976629:				; CODE XREF: PiDevCfgInitDeviceContext(x,x,x)+2Fj
		push	48h		; size_t
		lea	eax, [ebp+var_54]
		push	0		; int
		push	eax		; void *
		call	_memset
		lea	ebx, [esi+0Ch]
		add	esp, 0Ch
		lea	ecx, [ebp+var_50]
		mov	edi, ebx
		xor	edx, edx

loc_976643:				; CODE XREF: PiDevCfgInitDeviceContext(x,x,x)+9Bj
		mov	eax, ds:off_A9341C[edx]
		add	edx, 4
		mov	[ecx+4], edi
		add	edi, 8
		mov	[ecx-4], eax
		mov	dword ptr [ecx], 2012h
		lea	ecx, [ecx+18h]
		mov	dword ptr [ecx-0Ch], 6
		cmp	edx, 0Ch
		jb	short loc_976643
		mov	edx, [esi+4]
		push	3
		pop	eax
		push	eax
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	dword ptr [esi+8]
		push	1
		call	PiDevCfgQueryObjectProperties
		mov	edi, eax
		test	edi, edi
		js	short loc_9766AE
		push	3
		lea	esi, [ebp+var_40]
		pop	eax

loc_97668E:				; CODE XREF: PiDevCfgInitDeviceContext(x,x,x)+DDj
		cmp	dword ptr [esi], 0
		jge	short loc_97669E
		push	0
		push	ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_58]

loc_97669E:				; CODE XREF: PiDevCfgInitDeviceContext(x,x,x)+C4j
		add	esi, 18h
		add	ebx, 8
		sub	eax, 1
		mov	[ebp+var_58], eax
		jnz	short loc_97668E
		jmp	short loc_9766B5
; 

loc_9766AE:				; CODE XREF: PiDevCfgInitDeviceContext(x,x,x)+50j
					; PiDevCfgInitDeviceContext(x,x,x)+B9j
		mov	ecx, esi
		call	PiDevCfgFreeDeviceContext

loc_9766B5:				; CODE XREF: PiDevCfgInitDeviceContext(x,x,x)+DFj
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PiDevCfgInitDeviceContext@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgInitDriverDatabaseCallback(x, x, x)
_PiDevCfgInitDriverDatabaseCallback@12 proc near ; CODE	XREF: PiDrvDbDestroyNode(x)+9Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, _PiPnpRtlCtx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		mov	ecx, ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	byte ptr [ebp+var_1], bl
		push	esi
		mov	esi, ebx
		push	edi
		mov	edi, ebx
		test	eax, eax
		jz	short loc_9766F9
		mov	ecx, [eax+74h]

loc_9766F9:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+2Cj
		lea	eax, [ebp+var_8]
		mov	edx, 80000002h
		push	eax
		push	2000000h
		push	ebx
		push	[ebp+arg_0]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_976876
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_18]
		push	eax
		push	ecx
		push	ecx
		push	ebx
		push	ecx
		call	_PnpCtxOpenMachine
		mov	ebx, [ebp+var_18]
		test	eax, eax
		js	loc_97686B
		mov	eax, 800h
		mov	[ebp+var_C], eax

loc_97673B:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+C5j
		cmp	eax, edi
		jbe	loc_97685E
		mov	edi, eax
		test	esi, esi
		jz	short loc_976751
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_976751:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+7Fj
		push	63647050h
		lea	eax, [edi+edi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_18], esi
		test	esi, esi
		jz	short loc_97678F
		push	ecx
		lea	eax, [ebp+var_C]
		mov	edx, offset ??_C@_19LFKAPJKP@?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@ ; "Root"
		push	eax
		push	edi
		push	esi
		push	0
		push	0
		push	1
		mov	ecx, ebx
		call	_CmGetMatchingFilteredDeviceList
		cmp	eax, 0C0000023h
		jnz	short loc_976794
		mov	eax, [ebp+var_C]
		jmp	short loc_97673B
; 

loc_97678F:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+A0j
		mov	eax, 0C000009Ah

loc_976794:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+C0j
		test	eax, eax
		js	loc_97685E
		xor	eax, eax
		test	edi, edi
		jz	loc_976860
		mov	edi, esi
		cmp	[esi], ax
		jz	loc_976860
		xor	esi, esi

loc_9767B3:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+18Dj
		push	esi
		lea	eax, [ebp+var_14]
		mov	edx, edi
		push	eax
		push	esi
		push	2000000h
		push	esi
		push	10h
		mov	ecx, ebx
		call	_CmOpenDeviceRegKey
		test	eax, eax
		js	short loc_976838
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_1]
		push	esi
		push	eax
		lea	eax, [ebp+var_10]
		mov	edx, edi
		push	eax
		push	2001Fh
		call	_CmCreateDevice
		mov	[ebp+arg_0], eax
		test	eax, eax
		js	short loc_976830
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_976815
		push	20000h
		push	esi
		push	esi
		push	[ebp+var_10]
		mov	edx, edi
		push	1
		push	edi
		push	ecx
		push	[ebp+var_14]
		mov	ecx, ebx
		push	1
		call	_PiDevCfgCopyObjectProperties@44 ; PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+arg_0], eax

loc_976815:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+12Cj
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)
		cmp	[ebp+arg_0], esi
		jge	short loc_976830
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	esi
		call	__CmDeleteDevice@12 ; _CmDeleteDevice(x,x,x)

loc_976830:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+126j
					; PiDevCfgInitDriverDatabaseCallback(x,x,x)+158j
		push	[ebp+var_14]
		call	_ZwClose@4	; ZwClose(x)

loc_976838:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+104j
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_97683D:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+17Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_97683D
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], si
		jnz	loc_9767B3
		mov	esi, [ebp+var_18]

loc_97685E:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+75j
					; PiDevCfgInitDriverDatabaseCallback(x,x,x)+CEj
		xor	eax, eax

loc_976860:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+D8j
					; PiDevCfgInitDriverDatabaseCallback(x,x,x)+E3j
		test	esi, esi
		jz	short loc_97686B
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97686B:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+65j
					; PiDevCfgInitDriverDatabaseCallback(x,x,x)+19Aj
		test	ebx, ebx
		jz	short loc_976876
		mov	ecx, ebx
		call	__PnpCtxCloseMachine@4 ; _PnpCtxCloseMachine(x)

loc_976876:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+4Aj
					; PiDevCfgInitDriverDatabaseCallback(x,x,x)+1A5j
		cmp	[ebp+var_8], 0
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_976887
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_976887:				; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+1B5j
		mov	al, 1
		leave
		retn	0Ch
_PiDevCfgInitDriverDatabaseCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgInitMigrationContext(x, x, x)
_PiDevCfgInitMigrationContext@12 proc near
					; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+4Dp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+arg_0], ebx
		mov	eax, ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[edi], ebx
		mov	[edi+4], ebx
		mov	[edi+8], ebx
		mov	[edi+0Ch], ebx
		mov	[edi+10h], ebx
		mov	[edi+14h], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+arg_0]
		push	eax
		mov	[edi+18h], edx
		mov	ecx, _PiPnpRtlCtx
		push	4
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_976A4B
		push	30h
		pop	eax
		push	2Eh
		mov	word ptr [ebp+var_10+2], ax
		pop	eax
		mov	word ptr [ebp+var_10], ax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		push	edi
		mov	[ebp+var_C], offset ??_C@_1DA@PEBFPDJH@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAM@NNGAKEGL@ ;	"Control\\DeviceMigration"
		mov	[edi], ebx
		mov	[ebp+var_28], 18h
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_976932
		mov	esi, ebx
		jmp	loc_976A52
; 

loc_976932:				; CODE XREF: PiDevCfgInitMigrationContext(x,x,x)+9Cj
		test	esi, esi
		js	loc_976A4B
		and	[ebp+var_18], 0
		lea	ebx, [edi+4]
		and	[ebp+var_14], 0
		push	10h
		pop	eax
		push	0Eh
		mov	word ptr [ebp+var_10+2], ax
		pop	eax
		mov	word ptr [ebp+var_10], ax
		mov	eax, [edi]
		and	dword ptr [ebx], 0
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		push	ebx
		mov	[ebp+var_C], offset ??_C@_1BA@HICHNCPO@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@NNGAKEGL@ ; "Devices"
		mov	[ebp+var_28], 18h
		mov	[ebp+var_1C], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_976994
		and	dword ptr [ebx], 0
		jmp	short loc_97699C
; 

loc_976994:				; CODE XREF: PiDevCfgInitMigrationContext(x,x,x)+100j
		test	esi, esi
		js	loc_976A4B

loc_97699C:				; CODE XREF: PiDevCfgInitMigrationContext(x,x,x)+105j
		and	[ebp+var_18], 0
		lea	ebx, [edi+8]
		and	[ebp+var_14], 0
		push	10h
		pop	eax
		push	0Eh
		mov	word ptr [ebp+var_10+2], ax
		pop	eax
		mov	word ptr [ebp+var_10], ax
		mov	eax, [edi]
		and	dword ptr [ebx], 0
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		push	ebx
		mov	[ebp+var_C], offset ??_C@_1BA@BPDPPBLC@?$AAC?$AAl?$AAa?$AAs?$AAs?$AAe?$AAs@NNGAKEGL@ ; "Classes"
		mov	[ebp+var_28], 18h
		mov	[ebp+var_1C], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_9769F7
		xor	esi, esi
		and	[ebx], esi
		jmp	short loc_9769FB
; 

loc_9769F7:				; CODE XREF: PiDevCfgInitMigrationContext(x,x,x)+162j
		test	esi, esi
		js	short loc_976A4B

loc_9769FB:				; CODE XREF: PiDevCfgInitMigrationContext(x,x,x)+168j
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_976A47
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_976A47
		and	[ebp+var_18], 0
		lea	ebx, [edi+0Ch]
		and	dword ptr [ebx], 0
		and	[ebp+var_14], 0
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		push	ebx
		mov	[ebp+var_28], 18h
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_20], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_976A47
		xor	esi, esi
		and	[ebx], esi

loc_976A47:				; CODE XREF: PiDevCfgInitMigrationContext(x,x,x)+172j
					; PiDevCfgInitMigrationContext(x,x,x)+179j ...
		test	esi, esi
		jns	short loc_976A52

loc_976A4B:				; CODE XREF: PiDevCfgInitMigrationContext(x,x,x)+48j
					; PiDevCfgInitMigrationContext(x,x,x)+A7j ...
		mov	ecx, edi
		call	_PiDevCfgFreeMigrationContext@4	; PiDevCfgFreeMigrationContext(x)

loc_976A52:				; CODE XREF: PiDevCfgInitMigrationContext(x,x,x)+A0j
					; PiDevCfgInitMigrationContext(x,x,x)+1BCj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiDevCfgInitMigrationContext@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgInitResolveContext(x, x, x)
_PiDevCfgInitResolveContext@12 proc near
					; CODE XREF: PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)+43p
					; PiDevCfgVerifyDeviceAllowed(x,x)+76p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, ebx
		mov	[ebp+var_C], edx
		push	14h
		xor	esi, esi
		mov	[ebp+var_10], offset ??_C@_1BE@BDPBLKHD@?$AAV?$AAa?$AAr?$AAi?$AAa?$AAb?$AAl?$AAe?$AAs@NNGAKEGL@	; "Variables"
		mov	[ebp+var_8], esi
		stosd
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], esi
		stosd
		mov	[ebp+var_18], esi
		stosd
		stosd
		pop	eax
		push	12h
		mov	word ptr [ebp+var_14+2], ax
		pop	eax
		mov	[ebx], ecx
		lea	ecx, [ebp-14h]
		push	18h
		pop	edi
		mov	[ebp+var_24], ecx
		lea	ecx, [ebp+var_2C]
		push	ecx
		mov	word ptr [ebp+var_14], ax
		lea	eax, [ebx+8]
		push	20019h
		push	eax
		mov	[ebp+var_2C], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_976B06
		test	esi, esi
		js	loc_976B96
		push	63647050h
		mov	esi, 3F8h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+0Ch], eax
		test	eax, eax
		jnz	short loc_976AF3
		mov	esi, 0C000009Ah
		jmp	loc_976B96
; 

loc_976AF3:				; CODE XREF: PiDevCfgInitResolveContext(x,x,x)+8Cj
		xor	ecx, ecx

loc_976AF5:				; CODE XREF: PiDevCfgInitResolveContext(x,x,x)+A9j
		mov	eax, [ebx+0Ch]
		add	eax, ecx
		add	ecx, 8
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	ecx, esi
		jb	short loc_976AF5

loc_976B06:				; CODE XREF: PiDevCfgInitResolveContext(x,x,x)+6Bj
		and	[ebp+var_1C], 0
		and	[ebp+var_18], 0
		push	2Eh
		pop	eax
		push	2Ch
		mov	word ptr [ebp+var_14+2], ax
		pop	eax
		mov	word ptr [ebp+var_14], ax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_2C], edi
		mov	edi, [ebp+var_C]
		push	eax
		mov	[ebp+var_10], offset ??_C@_1CO@OPKJDAJE@?$AAS?$AAe?$AAt?$AAu?$AAp?$AA?2?$AAR?$AAe?$AAs?$AAo?$AAl?$AAv?$AAe?$AAF?$AAi@NNGAKEGL@
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_976B94
		cmp	esi, 0C000017Ch
		jz	short loc_976B94
		test	esi, esi
		js	short loc_976B96
		mov	ecx, edi
		call	_PiDrvDbResolveKeyFilePaths@4 ;	PiDrvDbResolveKeyFilePaths(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_976B94
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_976B83
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_976B83
		mov	eax, [eax+4]
		jmp	short loc_976B85
; 

loc_976B83:				; CODE XREF: PiDevCfgInitResolveContext(x,x,x)+11Aj
					; PiDevCfgInitResolveContext(x,x,x)+121j
		xor	eax, eax

loc_976B85:				; CODE XREF: PiDevCfgInitResolveContext(x,x,x)+126j
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		push	0
		push	eax
		call	_RegRtlDeleteTreeInternal
		jmp	short loc_976B96
; 

loc_976B94:				; CODE XREF: PiDevCfgInitResolveContext(x,x,x)+F8j
					; PiDevCfgInitResolveContext(x,x,x)+100j ...
		xor	esi, esi

loc_976B96:				; CODE XREF: PiDevCfgInitResolveContext(x,x,x)+6Fj
					; PiDevCfgInitResolveContext(x,x,x)+93j ...
		cmp	[ebp+var_8], 0
		jz	short loc_976BA4
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_976BA4:				; CODE XREF: PiDevCfgInitResolveContext(x,x,x)+13Fj
		test	esi, esi
		jns	short loc_976BAF
		mov	ecx, ebx
		call	_PiDevCfgFreeResolveContext@4 ;	PiDevCfgFreeResolveContext(x)

loc_976BAF:				; CODE XREF: PiDevCfgInitResolveContext(x,x,x)+14Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiDevCfgInitResolveContext@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgLogDeviceConfigured(x, x, x, x, x, x, x, x)
_PiDevCfgLogDeviceConfigured@32	proc near
					; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+984p
					; PiDevCfgProcessDevice(x,x,x)+714p

var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= word ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= word ptr -4Ch
var_1C		= word ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 154h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_154], eax
		xor	eax, eax
		mov	[ebp+var_100], eax
		mov	[ebp+var_EC], eax
		mov	[ebp+var_14C], eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_110]
		mov	ebx, [ebp+arg_0]
		stosd
		xor	esi, esi
		mov	[ebp+var_DC], edx
		xor	edx, edx
		inc	edx
		mov	[ebp+var_11C], ecx
		mov	[ebp+var_114], ebx
		stosd
		mov	[ebp+var_118], esi
		mov	[ebp+var_FC], esi
		mov	[ebp+var_E8], esi
		stosd
		mov	[ebp+var_148], esi
		mov	[ebp+var_D8], edx
		mov	[ebp+var_124], esi
		stosd
		xor	eax, eax
		mov	[ebp+var_12C], eax
		lea	edi, [ebp+var_C0]
		mov	[ebp+var_C4], eax
		mov	[ebp+var_128], eax
		stosd
		mov	[ebp+var_150], esi
		mov	[ebp+var_13C], esi
		mov	[ebp+var_138], esi
		stosd
		mov	[ebp+var_130], esi
		mov	[ebp+var_E4], esi
		mov	[ebp+var_E0], esi
		stosd
		mov	[ebp+var_144], esi
		mov	[ebp+var_140], esi
		mov	[ebp+var_120], esi
		stosd
		xor	eax, eax
		mov	[ebp+var_134], eax
		mov	[ebp+var_F8], eax
		mov	al, byte_6CD8BA
		and	al, 18h
		mov	[ebp+var_F4], esi
		cmp	al, 18h
		jnz	loc_9778B0
		push	6
		pop	edi
		test	ebx, ebx
		jz	loc_976FE8
		push	60h		; size_t
		lea	eax, [ebp+var_B0]
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebx+20h]
		lea	eax, [ebp+var_100]
		add	esp, 0Ch
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_EC]
		mov	[ebp+var_B0], offset _DEVPKEY_DriverPackage_OriginalInfName
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_14C]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_B0]
		push	12h
		pop	ecx
		push	3
		push	eax
		push	dword ptr [ebx+8]
		mov	[ebp+var_AC], ecx
		push	8
		mov	[ebp+var_A0], edi
		mov	[ebp+var_98], offset _DEVPKEY_DriverPackage_DriverFlightIds
		mov	[ebp+var_94], 2012h
		mov	[ebp+var_88], edi
		mov	[ebp+var_80], offset _DEVPKEY_DriverPackage_SubmissionId
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_70], edi
		call	PiDevCfgQueryObjectProperties
		test	eax, eax
		js	loc_9778B0
		cmp	[ebp+var_9C], esi
		jge	short loc_976D5D
		push	esi
		lea	eax, [ebp+var_100]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_976D5D:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+196j
		cmp	[ebp+var_84], esi
		jge	short loc_976D72
		push	esi
		lea	eax, [ebp+var_EC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_976D72:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+1ABj
		mov	esi, [ebp+var_E8]
		test	esi, esi
		jz	short loc_976DDA
		mov	cx, word ptr [ebp+var_EC]
		push	4
		pop	eax
		cmp	cx, ax
		jbe	short loc_976DDA
		movzx	eax, cx
		xor	edi, edi
		shr	eax, 1
		mov	edx, edi
		dec	eax
		sub	eax, 1
		jz	short loc_976DC7
		push	3Bh
		pop	ebx

loc_976D9D:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+207j
		cmp	[esi+edx*2], di
		jnz	short loc_976DB4
		mov	[esi+edx*2], bx
		mov	esi, [ebp+var_E8]
		mov	cx, word ptr [ebp+var_EC]

loc_976DB4:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+1E9j
		movzx	eax, cx
		inc	edx
		shr	eax, 1
		sub	eax, 2
		cmp	edx, eax
		jb	short loc_976D9D
		mov	ebx, [ebp+var_114]

loc_976DC7:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+1E0j
		mov	eax, 0FFFEh
		add	cx, ax
		xor	esi, esi
		mov	word ptr [ebp+var_EC], cx
		jmp	short loc_976DF5
; 

loc_976DDA:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+1C2j
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+1D1j
		lea	eax, [ebp+var_EC]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		xor	esi, esi
		lea	eax, [ebp+var_EC]
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_976DF5:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+220j
		cmp	[ebp+var_6C], 0
		jge	short loc_976E08
		push	esi
		lea	eax, [ebp+var_14C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_976E08:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+241j
		cmp	[ebp+var_FC], 0
		jz	short loc_976E30
		push	1
		lea	eax, [ebp+var_100]
		push	eax
		lea	eax, [ebx+14h]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	[ebp+var_D8], eax

loc_976E30:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+257j
		lea	eax, [ebp+var_110]
		push	eax
		lea	eax, [ebx+40h]
		push	eax
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		movsx	eax, word ptr [ebp+var_110]
		push	eax
		movsx	eax, [ebp+var_10C]
		push	eax
		movsx	eax, word ptr [ebp+var_110+2]
		push	eax		; char
		push	(offset	loc_8BA13D+1) ;	wchar_t	*
		lea	eax, [ebp+var_1C]
		push	0Bh		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 18h
		test	eax, eax
		jns	short loc_976E75
		xor	eax, eax
		mov	[ebp+var_1C], ax

loc_976E75:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+2B5j
		movzx	eax, word ptr [ebx+48h]
		push	eax
		movzx	eax, word ptr [ebx+4Ah]
		push	eax
		movzx	eax, word ptr [ebx+4Ch]
		push	eax
		movzx	eax, word ptr [ebx+4Eh]
		push	eax		; char
		push	offset ??_C@_1BI@IEJCOLMP@?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu?$AA?4?$AA?$CF?$AAu@NNGAKEGL@ ; wchar_t *
		lea	eax, [ebp+var_4C]
		push	18h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 1Ch
		test	eax, eax
		jns	short loc_976EA6
		xor	eax, eax
		mov	[ebp+var_4C], ax

loc_976EA6:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+2E6j
		mov	eax, [ebx+38h]
		lea	edi, [ebx+88h]
		mov	edx, [edi]
		lea	ecx, [eax+1]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	[ebp+var_F0], ecx
		cmp	edx, edi
		jz	loc_976FDB

loc_976EC8:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+35Cj
		movzx	ecx, word ptr [edx+24h]
		movzx	eax, word ptr [edx+14h]
		add	eax, esi
		lea	esi, [ecx+16h]
		mov	ecx, [edx+68h]
		add	esi, eax
		test	ecx, ecx
		jz	short loc_976F10
		lea	eax, [ecx+2]
		xor	ebx, ebx
		push	2
		mov	[ebp+var_C8], eax
		pop	edi

loc_976EEC:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+33Cj
		mov	ax, [ecx]
		add	ecx, edi
		cmp	ax, bx
		jnz	short loc_976EEC
		sub	ecx, [ebp+var_C8]
		mov	ebx, [ebp+var_114]
		sar	ecx, 1
		lea	edi, [ebx+88h]
		lea	esi, [esi+ecx*2]
		add	esi, 2

loc_976F10:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+324j
		mov	edx, [edx]
		cmp	edx, edi
		jnz	short loc_976EC8
		lea	eax, [esi+2]
		mov	ecx, 0FFFEh
		cmp	eax, ecx
		jbe	short loc_976F25
		mov	ax, cx

loc_976F25:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+368j
		mov	word ptr [ebp+var_12C+2], ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	edx, eax
		mov	[ebp+var_C4], edx
		mov	[ebp+var_128], edx
		test	edx, edx
		jz	loc_9778B0
		mov	ecx, [ebp+var_12C]
		xor	eax, eax
		mov	[edx], ax
		mov	esi, [edi]
		mov	[ebp+var_108], ecx
		mov	[ebp+var_104], edx
		jmp	short loc_976FD7
; 

loc_976F66:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+421j
		cmp	esi, [edi]
		jz	short loc_976F86
		lea	eax, [ebp+var_108]
		mov	edx, offset ??_C@_13HOIJIPNN@?$AA?5@NNGAKEGL@
		push	800h
		push	eax
		mov	ecx, eax
		call	RtlUnicodeStringCopyStringEx
		test	eax, eax
		js	short loc_976FDB

loc_976F86:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+3B0j
		push	dword ptr [esi+38h]
		lea	eax, [esi+24h]
		push	eax
		lea	eax, [esi+14h]
		push	eax		; char
		push	offset ??_C@_1BK@IHJLDEBK@?$AA?$CF?$AAw?$AAZ?$AA?3?$AA?$CF?$AAw?$AAZ?$AA?3?$AA?$CF?$AA0?$AA8?$AAX@NNGAKEGL@ ; int
		lea	eax, [ebp+var_108]
		push	800h		; void *
		push	eax		; int
		push	eax		; int
		call	_RtlUnicodeStringPrintfEx
		add	esp, 1Ch
		test	eax, eax
		js	short loc_976FDB
		mov	eax, [esi+68h]
		test	eax, eax
		jz	short loc_976FD5
		push	eax		; char
		push	offset ??_C@_19LNJPNLEB@?$AA?3?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; int
		lea	eax, [ebp+var_108]
		push	800h		; void *
		push	eax		; int
		push	eax		; int
		call	_RtlUnicodeStringPrintfEx
		add	esp, 14h
		test	eax, eax
		js	short loc_976FDB

loc_976FD5:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+3FCj
		mov	esi, [esi]

loc_976FD7:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+3ACj
		cmp	esi, edi
		jnz	short loc_976F66

loc_976FDB:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+30Aj
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+3CCj ...
		mov	ecx, [ebp+var_11C]
		xor	edx, edx
		xor	esi, esi
		inc	edx
		jmp	short loc_976FFE
; 

loc_976FE8:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+F9j
		xor	eax, eax
		mov	[ebp+var_D8], esi
		mov	[ebp+var_1C], ax
		mov	[ebp+var_4C], ax
		mov	[ebp+var_F0], esi

loc_976FFE:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+42Ej
		cmp	[ebp+arg_8], 0
		jl	loc_977227
		mov	eax, [ebp+arg_4]
		test	al, 70h
		jnz	loc_97711D
		test	byte_6CD8BA, 8
		jz	loc_97745A
		and	eax, edx
		mov	[ebp+var_D4], eax
		test	ebx, ebx
		jz	short loc_977035
		cmp	dword ptr [ebx+38h], 0FFFFFFFFh
		lea	edi, [ebx+24h]
		jnz	short loc_977037

loc_977035:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+472j
		mov	edi, esi

loc_977037:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+47Bj
		mov	edx, ebx
		lea	eax, [ebx+2Ch]
		neg	edx
		mov	esi, ebx
		sbb	edx, edx
		and	edx, eax
		neg	esi
		lea	eax, [ebx+0A8h]
		sbb	esi, esi
		and	esi, eax
		test	ebx, ebx
		jz	short loc_977062
		lea	eax, [ebx+90h]
		mov	[ebp+var_D0], eax
		jmp	short loc_97706C
; 

loc_977062:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+49Aj
		mov	[ebp+var_D0], offset _PiDevCfgNullGuid

loc_97706C:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+4A8j
		test	ebx, ebx
		jz	short loc_97707B
		mov	eax, [ebx+18h]
		mov	[ebp+var_C8], eax
		jmp	short loc_977085
; 

loc_97707B:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+4B6j
		mov	[ebp+var_C8], offset ??_C@_19DJCNLLCE@?$AAn?$AAu?$AAl?$AAl@LBKOJDO@

loc_977085:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+4C1j
		mov	ecx, [ecx+8]
		mov	eax, offset ??_C@_11LOCGONAA@@LBKOJDO@
		add	ecx, 14h
		jz	short loc_97709F
		mov	ecx, [ecx+4]
		mov	[ebp+var_CC], ecx
		test	ecx, ecx
		jnz	short loc_9770A5

loc_97709F:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+4D8j
		mov	[ebp+var_CC], eax

loc_9770A5:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+4E5j
		cmp	[ebp+var_C4], 0
		jnz	short loc_9770B4
		mov	[ebp+var_C4], eax

loc_9770B4:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+4F4j
		test	edi, edi
		jz	short loc_9770BF
		mov	edi, [edi+4]
		test	edi, edi
		jnz	short loc_9770C1

loc_9770BF:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+4FEj
		mov	edi, eax

loc_9770C1:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+505j
		test	edx, edx
		jz	short loc_9770CC
		mov	edx, [edx+4]
		test	edx, edx
		jnz	short loc_9770CE

loc_9770CC:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+50Bj
		mov	edx, eax

loc_9770CE:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+512j
		test	esi, esi
		jz	short loc_9770D9
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_9770DB

loc_9770D9:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+518j
		mov	ecx, eax

loc_9770DB:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+51Fj
		push	[ebp+var_CC]
		lea	eax, [ebp+var_4C]
		push	[ebp+arg_8]
		push	[ebp+var_D4]
		push	[ebp+var_C4]
		push	edi
		push	[ebp+var_F0]
		push	edx
		push	[ebp+var_D8]
		mov	edx, offset _KMPnPEvt_DeviceConfig_Success
		push	ecx
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_D0]
		push	[ebp+var_C8]
		jmp	loc_97744B
; 

loc_97711D:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+455j
		test	byte_6CD8BA, 20h
		jz	loc_97745A
		and	eax, edx
		mov	[ebp+var_D4], eax
		test	ebx, ebx
		jz	short loc_97713F
		cmp	dword ptr [ebx+38h], 0FFFFFFFFh
		lea	edi, [ebx+24h]
		jnz	short loc_977141

loc_97713F:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+57Cj
		mov	edi, esi

loc_977141:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+585j
		mov	edx, ebx
		lea	eax, [ebx+2Ch]
		neg	edx
		mov	esi, ebx
		sbb	edx, edx
		and	edx, eax
		neg	esi
		lea	eax, [ebx+0A8h]
		sbb	esi, esi
		and	esi, eax
		test	ebx, ebx
		jz	short loc_97716C
		lea	eax, [ebx+90h]
		mov	[ebp+var_D0], eax
		jmp	short loc_977176
; 

loc_97716C:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+5A4j
		mov	[ebp+var_D0], offset _PiDevCfgNullGuid

loc_977176:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+5B2j
		test	ebx, ebx
		jz	short loc_977185
		mov	eax, [ebx+18h]
		mov	[ebp+var_CC], eax
		jmp	short loc_97718F
; 

loc_977185:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+5C0j
		mov	[ebp+var_CC], offset ??_C@_19DJCNLLCE@?$AAn?$AAu?$AAl?$AAl@LBKOJDO@

loc_97718F:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+5CBj
		mov	ecx, [ecx+8]
		mov	eax, offset ??_C@_11LOCGONAA@@LBKOJDO@
		add	ecx, 14h
		jz	short loc_9771A9
		mov	ecx, [ecx+4]
		mov	[ebp+var_C8], ecx
		test	ecx, ecx
		jnz	short loc_9771AF

loc_9771A9:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+5E2j
		mov	[ebp+var_C8], eax

loc_9771AF:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+5EFj
		cmp	[ebp+var_C4], 0
		jnz	short loc_9771BE
		mov	[ebp+var_C4], eax

loc_9771BE:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+5FEj
		test	edi, edi
		jz	short loc_9771C9
		mov	edi, [edi+4]
		test	edi, edi
		jnz	short loc_9771CB

loc_9771C9:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+608j
		mov	edi, eax

loc_9771CB:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+60Fj
		test	edx, edx
		jz	short loc_9771D6
		mov	edx, [edx+4]
		test	edx, edx
		jnz	short loc_9771D8

loc_9771D6:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+615j
		mov	edx, eax

loc_9771D8:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+61Cj
		test	esi, esi
		jz	short loc_9771E3
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_9771E5

loc_9771E3:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+622j
		mov	ecx, eax

loc_9771E5:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+629j
		push	[ebp+var_C8]
		lea	eax, [ebp+var_4C]
		push	[ebp+arg_8]
		push	[ebp+var_D4]
		push	[ebp+var_C4]
		push	edi
		push	[ebp+var_F0]
		push	edx
		push	[ebp+var_D8]
		mov	edx, offset _KMPnPEvt_DeviceConfig_RebootRequired
		push	ecx
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_D0]
		push	[ebp+var_CC]
		jmp	loc_97744B
; 

loc_977227:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+44Aj
		cmp	[ebp+arg_8], 0C0000361h
		jnz	loc_977343
		test	byte_6CD8BA, 20h
		jz	loc_97745A
		mov	eax, [ebp+arg_4]
		and	eax, edx
		mov	[ebp+var_D4], eax
		test	ebx, ebx
		jz	short loc_977259
		cmp	dword ptr [ebx+38h], 0FFFFFFFFh
		lea	edi, [ebx+24h]
		jnz	short loc_97725B

loc_977259:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+696j
		mov	edi, esi

loc_97725B:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+69Fj
		mov	edx, ebx
		lea	eax, [ebx+2Ch]
		neg	edx
		mov	esi, ebx
		sbb	edx, edx
		and	edx, eax
		neg	esi
		lea	eax, [ebx+0A8h]
		sbb	esi, esi
		and	esi, eax
		test	ebx, ebx
		jz	short loc_977286
		lea	eax, [ebx+90h]
		mov	[ebp+var_D0], eax
		jmp	short loc_977290
; 

loc_977286:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+6BEj
		mov	[ebp+var_D0], offset _PiDevCfgNullGuid

loc_977290:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+6CCj
		test	ebx, ebx
		jz	short loc_97729F
		mov	eax, [ebx+18h]
		mov	[ebp+var_CC], eax
		jmp	short loc_9772A9
; 

loc_97729F:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+6DAj
		mov	[ebp+var_CC], offset ??_C@_19DJCNLLCE@?$AAn?$AAu?$AAl?$AAl@LBKOJDO@

loc_9772A9:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+6E5j
		mov	ecx, [ecx+8]
		mov	eax, offset ??_C@_11LOCGONAA@@LBKOJDO@
		add	ecx, 14h
		jz	short loc_9772C3
		mov	ecx, [ecx+4]
		mov	[ebp+var_C8], ecx
		test	ecx, ecx
		jnz	short loc_9772C9

loc_9772C3:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+6FCj
		mov	[ebp+var_C8], eax

loc_9772C9:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+709j
		cmp	[ebp+var_C4], 0
		jnz	short loc_9772D8
		mov	[ebp+var_C4], eax

loc_9772D8:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+718j
		test	edi, edi
		jz	short loc_9772E3
		mov	edi, [edi+4]
		test	edi, edi
		jnz	short loc_9772E5

loc_9772E3:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+722j
		mov	edi, eax

loc_9772E5:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+729j
		test	edx, edx
		jz	short loc_9772F0
		mov	edx, [edx+4]
		test	edx, edx
		jnz	short loc_9772F2

loc_9772F0:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+72Fj
		mov	edx, eax

loc_9772F2:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+736j
		test	esi, esi
		jz	short loc_9772FD
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_9772FF

loc_9772FD:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+73Cj
		mov	ecx, eax

loc_9772FF:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+743j
		push	[ebp+var_C8]
		lea	eax, [ebp+var_4C]
		push	0C0000361h
		push	[ebp+var_D4]
		push	[ebp+var_C4]
		push	edi
		push	[ebp+var_F0]
		push	edx
		push	[ebp+var_D8]
		mov	edx, offset _KMPnPEvt_DeviceConfig_Blocked
		push	ecx
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_D0]
		push	[ebp+var_CC]
		jmp	loc_97744B
; 

loc_977343:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+676j
		test	byte_6CD8BA, 10h
		jz	loc_97745A
		mov	eax, [ebp+arg_4]
		and	eax, edx
		mov	[ebp+var_D4], eax
		test	ebx, ebx
		jz	short loc_977368
		cmp	dword ptr [ebx+38h], 0FFFFFFFFh
		lea	edi, [ebx+24h]
		jnz	short loc_97736A

loc_977368:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+7A5j
		mov	edi, esi

loc_97736A:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+7AEj
		mov	edx, ebx
		lea	eax, [ebx+2Ch]
		neg	edx
		mov	esi, ebx
		sbb	edx, edx
		and	edx, eax
		neg	esi
		lea	eax, [ebx+0A8h]
		sbb	esi, esi
		and	esi, eax
		test	ebx, ebx
		jz	short loc_977395
		lea	eax, [ebx+90h]
		mov	[ebp+var_D0], eax
		jmp	short loc_97739F
; 

loc_977395:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+7CDj
		mov	[ebp+var_D0], offset _PiDevCfgNullGuid

loc_97739F:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+7DBj
		test	ebx, ebx
		jz	short loc_9773AE
		mov	eax, [ebx+18h]
		mov	[ebp+var_CC], eax
		jmp	short loc_9773B8
; 

loc_9773AE:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+7E9j
		mov	[ebp+var_CC], offset ??_C@_19DJCNLLCE@?$AAn?$AAu?$AAl?$AAl@LBKOJDO@

loc_9773B8:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+7F4j
		mov	ecx, [ecx+8]
		mov	eax, offset ??_C@_11LOCGONAA@@LBKOJDO@
		add	ecx, 14h
		jz	short loc_9773D2
		mov	ecx, [ecx+4]
		mov	[ebp+var_C8], ecx
		test	ecx, ecx
		jnz	short loc_9773D8

loc_9773D2:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+80Bj
		mov	[ebp+var_C8], eax

loc_9773D8:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+818j
		cmp	[ebp+var_C4], 0
		jnz	short loc_9773E7
		mov	[ebp+var_C4], eax

loc_9773E7:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+827j
		test	edi, edi
		jz	short loc_9773F2
		mov	edi, [edi+4]
		test	edi, edi
		jnz	short loc_9773F4

loc_9773F2:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+831j
		mov	edi, eax

loc_9773F4:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+838j
		test	edx, edx
		jz	short loc_9773FF
		mov	edx, [edx+4]
		test	edx, edx
		jnz	short loc_977401

loc_9773FF:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+83Ej
		mov	edx, eax

loc_977401:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+845j
		test	esi, esi
		jz	short loc_97740C
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_97740E

loc_97740C:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+84Bj
		mov	ecx, eax

loc_97740E:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+852j
		push	[ebp+var_C8]
		lea	eax, [ebp+var_4C]
		push	[ebp+arg_8]
		push	[ebp+var_D4]
		push	[ebp+var_C4]
		push	edi
		push	[ebp+var_F0]
		push	edx
		push	[ebp+var_D8]
		mov	edx, offset _KMPnPEvt_DeviceConfig_Failure
		push	ecx
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_D0]
		push	[ebp+var_CC]

loc_97744B:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+560j
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+66Aj ...
		mov	eax, [ebp+var_DC]
		push	dword ptr [eax+4]
		push	ecx
		call	_McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer@68	; McTemplateK0zzjzzztzdzztdz_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)

loc_97745A:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+462j
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+56Cj ...
		test	ebx, ebx
		jz	loc_9778B0
		lea	ecx, [ebx+80h]
		mov	eax, [ecx]
		mov	[ebp+var_D4], ecx
		cmp	eax, ecx
		jz	loc_9777B0
		mov	edx, [ebp+var_120]

loc_97747E:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+8CBj
		mov	eax, [eax]
		inc	edx
		cmp	eax, ecx
		jnz	short loc_97747E
		test	edx, edx
		jz	loc_9777B0
		imul	eax, edx, 66Eh
		mov	esi, 7FFFh
		push	2
		pop	ecx
		add	eax, ecx
		cmp	eax, esi
		ja	short loc_9774A4
		mov	si, ax

loc_9774A4:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+8E7j
		movzx	edi, si
		push	edi
		mov	word ptr [ebp+var_F8+2], si
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[ebp+var_F4], eax
		test	eax, eax
		jz	loc_9778B0
		push	edi		; size_t
		xor	ecx, ecx
		push	ecx		; int
		push	eax		; void *
		call	_memset
		mov	eax, 0FFFEh
		add	esp, 0Ch
		add	si, ax
		mov	word ptr [ebp+var_F8+2], si
		lea	esi, [ebx+80h]
		mov	eax, [ebp+var_F8]
		mov	edi, [esi]
		mov	[ebp+var_108], eax
		mov	eax, [ebp+var_F4]
		mov	[ebp+var_104], eax
		cmp	edi, esi
		jz	loc_9777B0
		mov	eax, [ebp+arg_4]
		and	eax, 1
		mov	[ebp+var_120], eax

loc_977512:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+BF2j
		xor	ecx, ecx
		cmp	[edi+0E4h], ecx
		jz	short loc_97751F
		or	eax, 10h

loc_97751F:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+962j
		push	[ebp+var_154]
		mov	edx, [ebp+var_DC]
		push	[ebp+arg_10]
		mov	ecx, [ebp+var_11C]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	eax
		push	edi
		call	_PiDevCfgLogDeviceConfigured@32	; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)
		xor	eax, eax
		push	60h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_B0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_B0], offset _DEVPKEY_DriverPackage_OriginalInfName
		lea	eax, [ebp+var_13C]
		mov	[ebp+var_98], offset _DEVPKEY_DriverPackage_ExtensionId
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_E4]
		push	12h
		pop	edx
		push	6
		pop	ecx
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_144]
		push	4
		mov	[ebp+var_60], eax
		pop	eax
		push	eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_AC], edx
		push	eax
		push	dword ptr [edi+8]
		mov	[ebp+var_64], edx
		mov	edx, [edi+20h]
		push	8
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_94], 0Dh
		mov	[ebp+var_8C], 10h
		mov	[ebp+var_80], offset _DEVPKEY_DriverPackage_DriverFlightIds
		mov	[ebp+var_7C], 2012h
		mov	[ebp+var_70], ecx
		mov	[ebp+var_68], offset _DEVPKEY_DriverPackage_SubmissionId
		mov	[ebp+var_58], ecx
		call	PiDevCfgQueryObjectProperties
		test	eax, eax
		js	loc_9777A0
		cmp	[ebp+var_9C], 0
		jge	short loc_977622
		push	dword ptr [edi+18h] ; void *
		lea	eax, [ebp+var_13C]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jnz	short loc_977622
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_13C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_977622:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+A46j
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+A59j
		cmp	[ebp+var_84], 0
		jl	short loc_977642
		push	1
		lea	edx, [ebp+var_134]
		lea	ecx, [ebp+var_C0]
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		test	eax, eax
		jns	short loc_977651

loc_977642:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+A71j
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_134]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_977651:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+A88j
		cmp	[ebp+var_6C], 0
		jge	short loc_977666
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_E4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_977666:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+A9Dj
		cmp	[ebp+var_E0], 0
		jz	short loc_9776D3
		mov	cx, word ptr [ebp+var_E4]
		push	4
		pop	eax
		cmp	cx, ax
		jbe	short loc_9776D3
		xor	eax, eax
		mov	edx, eax
		movzx	eax, cx
		shr	eax, 1
		dec	eax
		sub	eax, 1
		jz	short loc_9776C2
		push	3Bh
		xor	ebx, ebx
		pop	esi

loc_977692:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+AFCj
		mov	eax, [ebp+var_E0]
		cmp	[eax+edx*2], bx
		jnz	short loc_9776A9
		mov	[eax+edx*2], si
		mov	cx, word ptr [ebp+var_E4]

loc_9776A9:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+AE4j
		movzx	eax, cx
		inc	edx
		shr	eax, 1
		sub	eax, 2
		cmp	edx, eax
		jb	short loc_977692
		mov	ebx, [ebp+var_114]
		mov	esi, [ebp+var_D4]

loc_9776C2:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+AD3j
		mov	eax, 0FFFEh
		add	cx, ax
		mov	word ptr [ebp+var_E4], cx
		jmp	short loc_9776EE
; 

loc_9776D3:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+AB5j
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+AC4j
		lea	eax, [ebp+var_E4]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_E4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_9776EE:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+B19j
		cmp	[ebp+var_54], 0
		jge	short loc_977703
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_144]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_977703:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+B3Aj
		cmp	[ebp+var_140], 0
		lea	edx, [ebp+var_144]
		jnz	short loc_977717
		mov	edx, offset _PiDevCfgEmptyString

loc_977717:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+B58j
		cmp	[ebp+var_E0], 0
		lea	ecx, [ebp+var_E4]
		jnz	short loc_97772B
		mov	ecx, offset _PiDevCfgEmptyString

loc_97772B:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+B6Cj
		mov	eax, offset ??_C@_13DEFPDAGF@?$AA?0@NNGAKEGL@
		cmp	edi, [esi]
		jnz	short loc_977739
		mov	eax, offset ??_C@_11LOCGONAA@@NNGAKEGL@

loc_977739:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+B7Aj
		push	edx
		push	ecx
		lea	ecx, [ebp+var_134]
		push	ecx
		lea	ecx, [ebp+var_13C]
		push	ecx
		push	eax		; char
		push	(offset	loc_8BA15B+1) ;	int
		lea	eax, [ebp+var_108]
		push	800h		; void *
		push	eax		; int
		push	eax		; int
		call	_RtlUnicodeStringPrintfEx
		add	esp, 24h
		mov	esi, eax
		lea	eax, [ebp+var_134]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_E4]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_13C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_144]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	esi, esi
		js	short loc_9777B0
		lea	esi, [ebx+80h]

loc_9777A0:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+A39j
		mov	edi, [edi]
		mov	eax, [ebp+var_120]
		cmp	edi, esi
		jnz	loc_977512

loc_9777B0:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+8BAj
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+8CFj ...
		mov	ecx, [ebp+var_DC]
		mov	eax, [ecx+10h]
		mov	edi, eax
		test	eax, eax
		jnz	short loc_9777C5
		mov	edi, [ebp+var_124]

loc_9777C5:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+C05j
		mov	eax, [ecx+18h]
		test	eax, eax
		jz	short loc_97782E
		push	2
		pop	edx
		cmp	[ecx+14h], dx
		jbe	short loc_97782E
		mov	esi, eax
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_9777DC:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+C31j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_118]
		jnz	short loc_9777DC
		jmp	short loc_97781F
; 

loc_9777ED:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+C72j
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_9777F2:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+C47j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_118]
		jnz	short loc_9777F2
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_977810:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+C65j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_118]
		jnz	short loc_977810

loc_97781F:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+C33j
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		cmp	[esi+ecx*2+2], ax
		jnz	short loc_9777ED
		jmp	short loc_977834
; 

loc_97782E:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+C12j
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+C1Bj
		mov	esi, [ebp+var_150]

loc_977834:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+C74j
		mov	ecx, [ebp+var_FC]
		test	ecx, ecx
		jnz	short loc_977841
		mov	ecx, [ebx+18h]

loc_977841:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+C84j
		push	[ebp+var_154]
		cmp	_PnpSetupInProgress, 0
		mov	edx, edi
		push	[ebp+arg_8]
		mov	eax, [ebp+arg_4]
		setnz	byte ptr [ebp+var_124]
		push	[ebp+arg_10]
		and	eax, 70h
		push	[ebp+arg_C]
		setnz	al
		movzx	eax, al
		push	eax
		push	[ebp+var_124]
		lea	eax, [ebp+var_EC]
		push	eax
		push	[ebp+var_D8]
		lea	eax, [ebp+var_4C]
		push	[ebp+var_F4]
		push	[ebp+var_148]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	dword ptr [ebx+0ACh]
		push	ecx
		mov	ecx, [ebp+var_11C]
		push	dword ptr [ebx+0A4h]
		push	esi
		lea	ecx, [ecx+14h]
		call	_PnpTraceDeviceConfig@72 ; PnpTraceDeviceConfig(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)

loc_9778B0:				; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+EEj
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+18Aj ...
		lea	eax, [ebp+var_100]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_12C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_EC]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_F8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_14C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_PiDevCfgLogDeviceConfigured@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgLogDeviceMigrated(x, x, x)
_PiDevCfgLogDeviceMigrated@12 proc near	; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+3A4p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, byte_6CD8BA
		push	esi
		mov	esi, ecx
		test	al, 8
		jz	loc_97799B
		test	al, 20h
		jz	loc_97799B
		test	al, 10h
		jz	short loc_97799B
		mov	ecx, [ebp+arg_0]
		mov	eax, [edx+54h]
		test	ecx, ecx
		js	short loc_97794A
		test	eax, eax
		jnz	short loc_977931
		mov	eax, offset ??_C@_11LOCGONAA@@LBKOJDO@

loc_977931:				; CODE XREF: PiDevCfgLogDeviceMigrated(x,x,x)+2Dj
		push	ecx
		push	dword ptr [edx+60h]
		push	dword ptr [edx+6Ch]
		push	dword ptr [edx+68h]
		push	eax
		lea	eax, [edx+28h]
		push	eax
		push	dword ptr [edx+10h]
		mov	edx, offset _KMPnPEvt_DeviceMigrate_Success
		jmp	short loc_977992
; 

loc_97794A:				; CODE XREF: PiDevCfgLogDeviceMigrated(x,x,x)+29j
		test	byte ptr [edx+8], 3
		jz	short loc_977972
		test	eax, eax
		jnz	short loc_977959
		mov	eax, offset ??_C@_11LOCGONAA@@LBKOJDO@

loc_977959:				; CODE XREF: PiDevCfgLogDeviceMigrated(x,x,x)+55j
		push	ecx
		push	dword ptr [edx+60h]
		push	dword ptr [edx+6Ch]
		push	dword ptr [edx+68h]
		push	eax
		lea	eax, [edx+28h]
		push	eax
		push	dword ptr [edx+10h]
		mov	edx, (offset loc_4276AF+1)
		jmp	short loc_977992
; 

loc_977972:				; CODE XREF: PiDevCfgLogDeviceMigrated(x,x,x)+51j
		test	eax, eax
		jnz	short loc_97797B
		mov	eax, offset ??_C@_11LOCGONAA@@LBKOJDO@

loc_97797B:				; CODE XREF: PiDevCfgLogDeviceMigrated(x,x,x)+77j
		push	ecx
		push	dword ptr [edx+60h]
		push	dword ptr [edx+6Ch]
		push	dword ptr [edx+68h]
		push	eax
		lea	eax, [edx+28h]
		push	eax
		push	dword ptr [edx+10h]
		mov	edx, (offset loc_4276CF+1)

loc_977992:				; CODE XREF: PiDevCfgLogDeviceMigrated(x,x,x)+4Bj
					; PiDevCfgLogDeviceMigrated(x,x,x)+73j
		push	dword ptr [esi+4]
		push	ecx
		call	_McTemplateK0zzjzitd_EtwWriteTransfer@44 ; McTemplateK0zzjzitd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)

loc_97799B:				; CODE XREF: PiDevCfgLogDeviceMigrated(x,x,x)+Fj
					; PiDevCfgLogDeviceMigrated(x,x,x)+17j	...
		pop	esi
		pop	ebp
		retn	4
_PiDevCfgLogDeviceMigrated@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgLogDeviceStarted(x)
_PiDevCfgLogDeviceStarted@4 proc near	; CODE XREF: PpDevCfgTraceDeviceStart(x)+40p

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_90]
		mov	[ebp+var_94], ebx
		stosd
		xor	esi, esi
		mov	[ebp+var_A8], esi
		mov	[ebp+var_B0], esi
		mov	[ebp+var_98], esi
		stosd
		mov	[ebp+var_A0], esi
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_AC], eax
		mov	[ebp+var_B4], eax
		mov	[ebp+var_9C], eax
		mov	[ebp+var_A4], eax
		mov	al, byte_6CD8BA
		and	al, 18h
		cmp	al, 18h
		jnz	loc_977D42
		push	78h		; size_t
		lea	eax, [ebp+var_80]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_80], offset _DEVPKEY_Device_ClassGuid
		lea	eax, [ebp+var_90]
		mov	[ebp+var_7C], 0Dh
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_B4]
		push	12h
		pop	ecx
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_9C]
		push	6
		pop	edx
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_A4]
		push	5
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_80]
		push	eax
		mov	[ebp+var_64], ecx
		mov	[ebp+var_4C], ecx
		mov	ecx, 2012h
		push	esi
		mov	[ebp+var_58], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_10], edx
		mov	edx, [ebx+18h]
		push	1
		mov	[ebp+var_74], 10h
		mov	[ebp+var_68], offset _DEVPKEY_Device_DriverInfPath
		mov	[ebp+var_50], offset _DEVPKEY_Device_Service
		mov	[ebp+var_38], offset _DEVPKEY_Device_LowerFilters
		mov	[ebp+var_34], ecx
		mov	[ebp+var_20], offset _DEVPKEY_Device_UpperFilters
		mov	[ebp+var_1C], ecx
		call	PiDevCfgQueryObjectProperties
		test	eax, eax
		js	loc_977D42
		cmp	[ebp+var_6C], esi
		jge	short loc_977AC9
		xor	eax, eax
		lea	edi, [ebp+var_90]
		stosd
		stosd
		stosd
		stosd

loc_977AC9:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+11Bj
		cmp	[ebp+var_54], esi
		jge	short loc_977ADB
		push	esi
		lea	eax, [ebp+var_AC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_977ADB:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+12Cj
		cmp	[ebp+var_3C], esi
		jge	short loc_977AED
		push	esi
		lea	eax, [ebp+var_B4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_977AED:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+13Ej
		cmp	[ebp+var_24], esi
		jge	short loc_977AFF
		push	esi
		lea	eax, [ebp+var_9C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_977AFF:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+150j
		cmp	[ebp+var_C], esi
		jge	short loc_977B11
		push	esi
		lea	eax, [ebp+var_A4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_977B11:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+162j
		mov	edx, [ebp+var_98]
		push	4
		pop	eax
		test	edx, edx
		jz	short loc_977B76
		mov	cx, word ptr [ebp+var_9C]
		cmp	cx, ax
		jbe	short loc_977B76
		movzx	eax, cx
		mov	edi, esi
		shr	eax, 1
		dec	eax
		sub	eax, 1
		jz	short loc_977B64
		push	20h
		pop	ebx

loc_977B3A:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+1BCj
		cmp	[edx+edi*2], si
		jnz	short loc_977B51
		mov	[edx+edi*2], bx
		mov	edx, [ebp+var_98]
		mov	cx, word ptr [ebp+var_9C]

loc_977B51:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+19Ej
		movzx	eax, cx
		inc	edi
		shr	eax, 1
		sub	eax, 2
		cmp	edi, eax
		jb	short loc_977B3A
		mov	ebx, [ebp+var_94]

loc_977B64:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+195j
		mov	eax, 0FFFEh
		add	cx, ax
		push	4
		mov	word ptr [ebp+var_9C], cx
		pop	eax

loc_977B76:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+17Cj
					; PiDevCfgLogDeviceStarted(x)+188j
		mov	edi, [ebp+var_A0]
		test	edi, edi
		jz	short loc_977BDB
		mov	cx, word ptr [ebp+var_A4]
		cmp	cx, ax
		jbe	short loc_977BDB
		movzx	eax, cx
		shr	eax, 1
		dec	eax
		sub	eax, 1
		jz	short loc_977BCC
		push	20h
		mov	edx, esi
		pop	ebx

loc_977B9C:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+21Ej
		cmp	[edi+edx*2], si
		jnz	short loc_977BB3
		mov	[edi+edx*2], bx
		mov	edi, [ebp+var_A0]
		mov	cx, word ptr [ebp+var_A4]

loc_977BB3:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+200j
		movzx	eax, cx
		inc	edx
		shr	eax, 1
		sub	eax, 2
		cmp	edx, eax
		jb	short loc_977B9C
		mov	edx, [ebp+var_98]
		mov	ebx, [ebp+var_94]

loc_977BCC:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+1F5j
		mov	eax, 0FFFEh
		add	cx, ax
		mov	word ptr [ebp+var_A4], cx

loc_977BDB:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+1DEj
					; PiDevCfgLogDeviceStarted(x)+1EAj
		mov	eax, [ebx+10Ch]
		mov	[ebp+var_B8], eax
		and	eax, 6000h
		mov	[ebp+var_94], eax
		jz	short loc_977BFC
		mov	esi, [ebx+118h]
		jmp	short loc_977C12
; 

loc_977BFC:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+252j
		mov	ecx, ebx
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		test	eax, eax
		mov	eax, [ebp+var_94]
		jnz	short loc_977C12
		mov	esi, 0C00000E5h

loc_977C12:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+25Aj
					; PiDevCfgLogDeviceStarted(x)+26Bj
		test	eax, eax
		jnz	short loc_977C78
		mov	ecx, ebx
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		test	eax, eax
		jz	short loc_977C78
		test	byte_6CD8BA, 8
		jz	loc_977D42
		mov	ecx, [ebp+var_A8]
		mov	[ebp+var_94], ecx
		test	ecx, ecx
		jnz	short loc_977C48
		mov	[ebp+var_94], offset ??_C@_19DJCNLLCE@?$AAn?$AAu?$AAl?$AAl@LBKOJDO@

loc_977C48:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+29Cj
		mov	eax, offset ??_C@_11LOCGONAA@@LBKOJDO@
		test	edi, edi
		jnz	short loc_977C53
		mov	edi, eax

loc_977C53:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+2AFj
		test	edx, edx
		jnz	short loc_977C59
		mov	edx, eax

loc_977C59:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+2B5j
		mov	ecx, [ebp+var_B0]
		test	ecx, ecx
		jnz	short loc_977C65
		mov	ecx, eax

loc_977C65:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+2C1j
		push	esi
		push	dword ptr [ebx+114h]
		push	edi
		push	edx
		mov	edx, offset _KMPnPEvt_DeviceStart_Success
		jmp	loc_977D2B
; 

loc_977C78:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+274j
					; PiDevCfgLogDeviceStarted(x)+27Fj
		test	[ebp+var_B8], 2000h
		jz	short loc_977CDD
		cmp	dword ptr [ebx+114h], 0Eh
		jnz	short loc_977CDD
		test	byte_6CD8BA, 20h
		jz	loc_977D42
		mov	ecx, [ebp+var_A8]
		mov	[ebp+var_94], ecx
		test	ecx, ecx
		jnz	short loc_977CB4
		mov	[ebp+var_94], offset ??_C@_19DJCNLLCE@?$AAn?$AAu?$AAl?$AAl@LBKOJDO@

loc_977CB4:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+308j
		mov	eax, offset ??_C@_11LOCGONAA@@LBKOJDO@
		test	edi, edi
		jnz	short loc_977CBF
		mov	edi, eax

loc_977CBF:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+31Bj
		test	edx, edx
		jnz	short loc_977CC5
		mov	edx, eax

loc_977CC5:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+321j
		mov	ecx, [ebp+var_B0]
		test	ecx, ecx
		jnz	short loc_977CD1
		mov	ecx, eax

loc_977CD1:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+32Dj
		push	esi
		push	0Eh
		push	edi
		push	edx
		mov	edx, offset _KMPnPEvt_DeviceStart_RebootRequired
		jmp	short loc_977D2B
; 

loc_977CDD:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+2E2j
					; PiDevCfgLogDeviceStarted(x)+2EBj
		test	byte_6CD8BA, 10h
		jz	short loc_977D42
		mov	ecx, [ebp+var_A8]
		mov	[ebp+var_94], ecx
		test	ecx, ecx
		jnz	short loc_977D00
		mov	[ebp+var_94], offset ??_C@_19DJCNLLCE@?$AAn?$AAu?$AAl?$AAl@LBKOJDO@

loc_977D00:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+354j
		mov	eax, offset ??_C@_11LOCGONAA@@LBKOJDO@
		test	edi, edi
		jnz	short loc_977D0B
		mov	edi, eax

loc_977D0B:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+367j
		test	edx, edx
		jnz	short loc_977D11
		mov	edx, eax

loc_977D11:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+36Dj
		mov	ecx, [ebp+var_B0]
		test	ecx, ecx
		jnz	short loc_977D1D
		mov	ecx, eax

loc_977D1D:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+379j
		push	esi
		push	dword ptr [ebx+114h]
		push	edi
		push	edx
		mov	edx, offset _KMPnPEvt_DeviceStart_Failure

loc_977D2B:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+2D3j
					; PiDevCfgLogDeviceStarted(x)+33Bj
		push	ecx
		lea	eax, [ebp+var_90]
		push	eax
		push	[ebp+var_94]
		push	dword ptr [ebx+18h]
		push	ecx
		call	_McTemplateK0zzjzzzdd_EtwWriteTransfer@44 ; McTemplateK0zzjzzzdd_EtwWriteTransfer(x,x,x,x,x,x,x,x,x,x,x)

loc_977D42:				; CODE XREF: PiDevCfgLogDeviceStarted(x)+69j
					; PiDevCfgLogDeviceStarted(x)+112j ...
		lea	eax, [ebp+var_AC]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_B4]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_9C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_A4]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PiDevCfgLogDeviceStarted@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgMakeServiceBootStart(x)
_PiDevCfgMakeServiceBootStart@4	proc near
					; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1C22p
					; PiDevCfgConfigureDevice(x,x,x,x,x)+1C75p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_8], 4
		push	edi
		xor	esi, esi
		mov	[ebp+var_20], eax
		push	ecx
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], esi
		push	eax
		mov	[ebp+var_14], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_1C], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		push	esi
		lea	eax, [ebp+var_C]
		mov	edx, 2001Fh
		push	eax
		lea	ecx, [ebp+var_18]
		call	PipOpenServiceEnumKeys
		mov	ebx, [ebp+var_C]
		mov	edi, eax
		test	edi, edi
		js	loc_977F4F
		lea	eax, [ebp+var_4]
		mov	edx, offset ??_C@_1M@IOJLKPKK@?$AAS?$AAt?$AAa?$AAr?$AAt@NNGAKEGL@
		push	eax
		push	esi
		mov	ecx, ebx
		call	IopGetRegistryValue
		mov	edi, eax
		test	edi, edi
		js	loc_977F3F
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jnz	short loc_977E06

loc_977DFC:				; CODE XREF: PiDevCfgMakeServiceBootStart(x)+D8j
					; PiDevCfgMakeServiceBootStart(x)+E0j ...
		mov	edi, 0C0000001h
		jmp	loc_977F42
; 

loc_977E06:				; CODE XREF: PiDevCfgMakeServiceBootStart(x)+79j
		mov	eax, [esi+8]
		mov	eax, [esi+eax]
		mov	[ebp+var_8], eax
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx
		cmp	[ebp+var_8], 4
		mov	[ebp+var_4], ecx
		jz	loc_977F4F
		cmp	[ebp+var_8], ecx
		jz	loc_977F4F
		lea	eax, [ebp+var_4]
		mov	edx, offset ??_C@_1BE@CMLCLKJK@?$AAI?$AAm?$AAa?$AAg?$AAe?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@ ; "ImagePath"
		push	eax
		push	ecx
		mov	ecx, ebx
		call	IopGetRegistryValue
		mov	edi, eax
		test	edi, edi
		js	loc_977F3F
		mov	esi, [ebp+var_4]
		mov	eax, [esi+4]
		cmp	eax, 1
		jz	short loc_977E5B
		cmp	eax, 2
		jnz	short loc_977DFC

loc_977E5B:				; CODE XREF: PiDevCfgMakeServiceBootStart(x)+D3j
		mov	edx, [esi+0Ch]
		cmp	edx, 2
		jb	short loc_977DFC
		mov	ecx, [esi+8]
		mov	eax, edx
		shr	eax, 1
		xor	edi, edi
		lea	eax, [ecx+eax*2]
		cmp	[eax+esi-2], di
		jnz	short loc_977DFC
		push	ecx
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], edi
		push	eax
		add	ecx, esi
		call	_PnpRegSzToString@16 ; PnpRegSzToString(x,x,x,x)
		mov	ax, word ptr [ebp+var_C]
		mov	edi, [esi+8]
		mov	word ptr [ebp+var_10], ax
		add	edi, esi
		mov	ax, [esi+0Ch]
		mov	word ptr [ebp+var_10+2], ax
		lea	eax, [ebp+var_10]
		push	1
		push	eax
		push	(offset	loc_A3FDBB+1)
		mov	[ebp+var_C], edi
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_977EF6
		lea	eax, [edi+18h]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	14h
		pop	eax
		push	12h
		mov	word ptr [ebp+var_18+2], ax
		pop	eax
		mov	word ptr [ebp+var_18], ax
		movzx	eax, word ptr [ebp+var_20]
		add	eax, 2
		mov	[ebp+var_14], offset ??_C@_1BE@CMLCLKJK@?$AAI?$AAm?$AAa?$AAg?$AAe?$AAP?$AAa?$AAt?$AAh@NNGAKEGL@	; "ImagePath"
		push	eax
		push	[ebp+var_1C]
		xor	eax, eax
		push	dword ptr [esi+4]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	ebx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_977F42
		jmp	short loc_977F0E
; 

loc_977EF6:				; CODE XREF: PiDevCfgMakeServiceBootStart(x)+12Ej
		push	1
		lea	eax, [ebp+var_10]
		push	eax
		push	offset _PiDevCfgSystem32
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_977DFC

loc_977F0E:				; CODE XREF: PiDevCfgMakeServiceBootStart(x)+173j
		push	0Ch
		pop	eax
		push	0Ah
		mov	word ptr [ebp+var_18+2], ax
		xor	ecx, ecx
		pop	eax
		push	4
		mov	word ptr [ebp+var_18], ax
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		push	ecx
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], offset ??_C@_1M@IOJLKPKK@?$AAS?$AAt?$AAa?$AAr?$AAt@NNGAKEGL@
		push	eax
		push	ebx
		mov	[ebp+var_8], ecx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	edi, eax
		jmp	short loc_977F42
; 

loc_977F3F:				; CODE XREF: PiDevCfgMakeServiceBootStart(x)+67j
					; PiDevCfgMakeServiceBootStart(x)+C4j
		mov	esi, [ebp+var_4]

loc_977F42:				; CODE XREF: PiDevCfgMakeServiceBootStart(x)+80j
					; PiDevCfgMakeServiceBootStart(x)+171j	...
		test	esi, esi
		jz	short loc_977F4F
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_977F4F:				; CODE XREF: PiDevCfgMakeServiceBootStart(x)+4Cj
					; PiDevCfgMakeServiceBootStart(x)+A0j ...
		test	ebx, ebx
		jz	short loc_977F59
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_977F59:				; CODE XREF: PiDevCfgMakeServiceBootStart(x)+1D0j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PiDevCfgMakeServiceBootStart@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgMigrateDevice(x, x,	x, x, x, x)
_PiDevCfgMigrateDevice@24 proc near	; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+C7Bp
					; PiDevCfgMigrateRootDevice(x,x,x)+9Ep	...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_20], ecx
		lea	edi, [ebp+var_40]
		push	7
		xor	eax, eax
		mov	ebx, edx
		pop	ecx
		rep stosd
		mov	edi, [ebp+arg_8]
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		test	edi, edi
		jz	short loc_977F9A
		mov	[edi], ecx

loc_977F9A:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+36j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_977FA3
		mov	[eax], ecx

loc_977FA3:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+3Fj
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_40]
		mov	ecx, [ebp+arg_0]
		push	eax
		call	_PiDevCfgInitMigrationContext@12 ; PiDevCfgInitMigrationContext(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_978340
		cmp	[ebp+var_40], 0
		jnz	short loc_977FCB
		xor	eax, eax

loc_977FC4:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+145j
		mov	esi, eax
		jmp	loc_978340
; 

loc_977FCB:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+60j
		mov	edx, [ebx+4]
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_C]
		push	eax
		push	(offset	loc_427A80+4)
		push	ecx
		push	dword ptr [ebx+8]
		mov	ecx, _PiPnpRtlCtx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_978008
		cmp	[ebp+var_C], 9
		jnz	short loc_978008
		cmp	[ebp+var_8], 8
		jz	loc_978196

loc_978008:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+96j
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+9Cj
		cmp	[ebp+var_3C], 0
		jz	short loc_978041
		mov	edx, [ebx+4]
		lea	eax, [ebp+var_4]
		push	eax
		lea	ecx, [ebp+var_40]
		call	_PiDevCfgQueryDeviceMigrationNode@12 ; PiDevCfgQueryDeviceMigrationNode(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_978030
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		mov	[eax+68h], ecx
		mov	[eax+6Ch], ecx
		jmp	short loc_978041
; 

loc_978030:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+C1j
		lea	eax, [esi+3FFFFFCCh]
		neg	eax
		sbb	eax, eax
		and	esi, eax
		xor	eax, eax
		mov	[ebp+var_4], eax

loc_978041:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+ACj
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+CEj
		cmp	[ebp+var_4], 0
		jnz	loc_9781A0
		mov	ecx, [ebx+4]
		call	__CmIsRootEnumeratedDevice@4 ; _CmIsRootEnumeratedDevice(x)
		test	al, al
		jnz	loc_978196
		xor	ecx, ecx
		cmp	[ebx+20h], ecx
		jz	loc_978159
		mov	edx, [ebp+var_30]
		test	edx, edx
		jnz	short loc_9780B8
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_978079
		mov	ecx, [eax+74h]

loc_978079:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+114j
		mov	edx, [ebp+var_40]
		lea	eax, [ebp+var_30]
		push	eax
		push	20019h
		xor	eax, eax
		push	eax
		push	offset ??_C@_1BE@EOAKIEOD@?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C0000034h
		jnz	short loc_9780A3
		xor	eax, eax
		mov	[ebp+var_30], eax
		jmp	loc_978159
; 

loc_9780A3:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+137j
		test	eax, eax
		js	loc_977FC4
		mov	edx, [ebp+var_30]
		test	edx, edx
		jz	loc_978159
		xor	ecx, ecx

loc_9780B8:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+10Bj
		mov	edi, [ebx+20h]
		cmp	[edi], cx
		jz	loc_97814E

loc_9780C4:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+1E7j
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_9780D0
		mov	ecx, [eax+74h]

loc_9780D0:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+16Bj
		lea	eax, [ebp+var_10]
		push	eax
		push	20019h
		xor	eax, eax
		push	eax
		push	edi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C0000034h
		jz	short loc_978122
		test	eax, eax
		js	short loc_97814C
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		push	11201h
		push	[ebp+var_10]
		lea	ecx, [ebp+var_40]
		call	_PiDevCfgFindDeviceMigrationNode@20 ; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)
		push	[ebp+var_10]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		jns	short loc_978156
		lea	eax, [esi+3FFFFDDBh]
		neg	eax
		sbb	eax, eax
		and	esi, eax
		xor	eax, eax
		mov	[ebp+var_4], eax

loc_978122:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+187j
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_978127:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+1D1j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_1C]
		jnz	short loc_978127
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		xor	ecx, ecx
		add	edi, 2
		cmp	[edi], cx
		jz	short loc_97814E
		mov	edx, [ebp+var_30]
		jmp	loc_9780C4
; 

loc_97814C:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+18Bj
		mov	esi, eax

loc_97814E:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+15Ej
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+1E2j
		test	esi, esi
		js	loc_978340

loc_978156:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+1AFj
		mov	edi, [ebp+arg_8]

loc_978159:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+100j
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+13Ej ...
		cmp	[ebp+var_4], 0
		jnz	short loc_9781A0
		cmp	[ebp+var_34], 0
		jz	loc_978335
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		push	11021h
		push	[ebp+var_34]
		lea	ecx, [ebp+var_40]
		call	_PiDevCfgFindDeviceMigrationNode@20 ; PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_978196
		lea	eax, [esi+3FFFFDDBh]
		neg	eax
		sbb	eax, eax
		and	esi, eax
		xor	eax, eax
		mov	[ebp+var_4], eax

loc_978196:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+A2j
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+F5j ...
		cmp	[ebp+var_4], 0
		jz	loc_978335

loc_9781A0:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+E5j
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+1FDj
		mov	eax, [ebp+var_4]
		mov	eax, [eax+8]
		test	al, 1
		jz	short loc_9781B4
		mov	esi, 0C0000719h
		jmp	loc_9782FE
; 

loc_9781B4:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+248j
		test	al, 2
		jz	short loc_9781C2
		mov	esi, 0C0000451h
		jmp	loc_9782FE
; 

loc_9781C2:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+256j
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_14]
		push	eax
		xor	esi, esi
		mov	edx, offset ??_C@_1BI@KGJMAEC@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@
		push	esi
		mov	ecx, [ecx+14h]
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_9781F9
		mov	ecx, [ebp+var_14]
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_9781F2
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	[ebp+var_18], eax

loc_9781F2:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+287j
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9781F9:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+27Bj
		mov	edx, [ebx+4]
		lea	eax, [ebp+var_8]
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	eax
		push	esi
		push	esi
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], esi
		push	eax
		push	offset _DEVPKEY_Device_ClassGuid
		push	esi
		push	dword ptr [ebx+8]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_978233
		cmp	[ebp+var_C], 0Dh
		jnz	short loc_978233
		cmp	[ebp+var_8], 10h
		jz	short loc_978277

loc_978233:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+2C5j
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+2CBj
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		test	ecx, ecx
		jz	short loc_978252
		movzx	eax, word ptr [ecx]
		push	ecx
		add	eax, 2
		push	eax
		push	dword ptr [ecx+4]
		push	1
		push	9
		call	_PiDevCfgSetDeviceRegProp@28 ; PiDevCfgSetDeviceRegProp(x,x,x,x,x,x,x)
		jmp	short loc_978277
; 

loc_978252:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+2DAj
		mov	eax, [ebp+var_4]
		push	esi
		push	10h
		add	eax, 28h
		push	eax
		push	0Dh
		push	offset _DEVPKEY_Device_ClassGuid
		push	ecx
		push	dword ptr [ebx+8]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [ebx+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_978277:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+2D1j
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+2F0j
		push	[ebp+arg_C]
		mov	eax, [ebp+var_4]
		mov	edx, ebx
		mov	ecx, [ebp+var_20]
		push	edi
		push	esi
		push	esi
		push	0FFFFFFFFh
		push	dword ptr [eax+14h]
		call	_PiDevCfgConfigureDeviceDriverConfiguration@32 ; PiDevCfgConfigureDeviceDriverConfiguration(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9782FE
		test	edi, edi
		jz	short loc_97829E
		mov	eax, [ebp+var_18]
		or	[edi], eax

loc_97829E:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+337j
		mov	edi, [ebp+var_4]
		mov	eax, [edi+68h]
		or	eax, [edi+6Ch]
		jz	short loc_9782D8
		mov	eax, [ebx+8]
		mov	[ebp+arg_8], eax
		xor	eax, eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_24]
		push	(offset	loc_8B9894+6)
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_9782D8
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+arg_8]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		mov	edi, [ebp+var_4]

loc_9782D8:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+347j
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+367j
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	8
		lea	eax, [edi+68h]
		push	eax
		push	9
		push	(offset	loc_427A80+4)
		push	ecx
		push	dword ptr [ebx+8]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [ebx+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_9782FE:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+24Fj
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+25Dj ...
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	esi
		call	_PiDevCfgLogDeviceMigrated@12 ;	PiDevCfgLogDeviceMigrated(x,x,x)
		mov	eax, [ebp+var_4]
		test	byte ptr [eax+8], 1
		jnz	short loc_978320
		mov	edx, [eax+10h]
		lea	ecx, [ebp+var_40]
		call	_PiDevCfgClearDeviceMigrationNode@8 ; PiDevCfgClearDeviceMigrationNode(x,x)
		mov	eax, [ebp+var_4]

loc_978320:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+3B0j
		test	eax, eax
		jz	short loc_978335
		push	dword ptr [eax+10h] ; wchar_t *
		push	dword ptr [ebx+4] ; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_978340

loc_978335:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+203j
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+23Aj ...
		mov	edx, [ebx+4]
		lea	ecx, [ebp+var_40]
		call	_PiDevCfgClearDeviceMigrationNode@8 ; PiDevCfgClearDeviceMigrationNode(x,x)

loc_978340:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+56j
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+66j ...
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_97834C
		call	_PiDevCfgFreeDeviceMigrationNode@4 ; PiDevCfgFreeDeviceMigrationNode(x)

loc_97834C:				; CODE XREF: PiDevCfgMigrateDevice(x,x,x,x,x,x)+3E5j
		lea	ecx, [ebp+var_40]
		call	_PiDevCfgFreeMigrationContext@4	; PiDevCfgFreeMigrationContext(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiDevCfgMigrateDevice@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgMigrateRootDevice(x, x, x)
_PiDevCfgMigrateRootDevice@12 proc near	; CODE XREF: PiDevCfgProcessDevice(x,x,x)+304p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_C], ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	ebx, eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_4]
		mov	ecx, [edi+4]
		push	eax
		call	_PiDevCfgOpenDeviceMigrationKey@12 ; PiDevCfgOpenDeviceMigrationKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_978402
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		xor	esi, esi
		mov	edx, offset ??_C@_1BI@KGJMAEC@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@
		push	esi
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_9783C0
		mov	ecx, [ebp+var_8]
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_9783B9
		mov	eax, [ecx+8]
		mov	ebx, [ecx+eax]

loc_9783B9:				; CODE XREF: PiDevCfgMigrateRootDevice(x,x,x)+54j
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9783C0:				; CODE XREF: PiDevCfgMigrateRootDevice(x,x,x)+48j
		test	bl, 1
		jnz	short loc_9783CC

loc_9783C5:				; CODE XREF: PiDevCfgMigrateRootDevice(x,x,x)+91j
		mov	esi, 0C0000001h
		jmp	short loc_978402
; 

loc_9783CC:				; CODE XREF: PiDevCfgMigrateRootDevice(x,x,x)+66j
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_14]
		push	1Ch
		pop	eax
		push	1Ah
		mov	word ptr [ebp+var_14+2], ax
		pop	eax
		mov	word ptr [ebp+var_14], ax
		mov	[ebp+var_10], offset ??_C@_1BM@GNHLLIBL@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAI?$AAn?$AAf?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@
		call	_PnpRegistryValueExists@8 ; PnpRegistryValueExists(x,x)
		test	al, al
		jnz	short loc_9783C5
		mov	ecx, [ebp+var_C]
		mov	edx, edi
		push	esi
		push	[ebp+arg_0]
		push	esi
		push	esi
		call	_PiDevCfgMigrateDevice@24 ; PiDevCfgMigrateDevice(x,x,x,x,x,x)
		mov	esi, eax

loc_978402:				; CODE XREF: PiDevCfgMigrateRootDevice(x,x,x)+30j
					; PiDevCfgMigrateRootDevice(x,x,x)+6Dj
		cmp	[ebp+var_4], 0
		jz	short loc_978410
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_978410:				; CODE XREF: PiDevCfgMigrateRootDevice(x,x,x)+A9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiDevCfgMigrateRootDevice@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgOpenDeviceMigrationKey(x, x, x)
_PiDevCfgOpenDeviceMigrationKey@12 proc	near
					; CODE XREF: PiDevCfgMigrateRootDevice(x,x,x)+27p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_C]
		xor	ebx, ebx
		push	eax
		push	4
		mov	edi, ecx
		mov	[ebp+var_C], ebx
		mov	ecx, _PiPnpRtlCtx
		pop	edx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9784DD
		push	40h
		pop	eax
		mov	word ptr [ebp+var_14+2], ax
		push	3Eh
		pop	eax
		mov	word ptr [ebp+var_14], ax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_10], offset ??_C@_1EA@MFAHDJFD@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAM@NNGAKEGL@
		push	eax
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9784DD
		push	edi
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	20019h
		push	ecx
		mov	[ecx], ebx
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax

loc_9784DD:				; CODE XREF: PiDevCfgOpenDeviceMigrationKey(x,x,x)+31j
					; PiDevCfgOpenDeviceMigrationKey(x,x,x)+82j
		cmp	[ebp+var_8], ebx
		jz	short loc_9784EA
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_9784EA:				; CODE XREF: PiDevCfgOpenDeviceMigrationKey(x,x,x)+C7j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiDevCfgOpenDeviceMigrationKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgOpenDriverConfiguration(x, x, x)
_PiDevCfgOpenDriverConfiguration@12 proc near
					; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+576p
					; PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+44p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		push	1Eh
		pop	eax
		push	1Ch
		mov	word ptr [ebp+var_10+2], ax
		xor	ebx, ebx
		pop	eax
		mov	word ptr [ebp+var_10], ax
		mov	edi, edx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_C], offset ??_C@_1BO@LGEPHCPO@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	eax
		mov	[ebp+var_28], 18h
		mov	[ebp+var_24], ecx
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97858F
		push	edi
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		push	ecx
		mov	[ecx], ebx
		mov	[ebp+var_28], 18h
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax

loc_97858F:				; CODE XREF: PiDevCfgOpenDriverConfiguration(x,x,x)+5Aj
		cmp	[ebp+var_8], ebx
		jz	short loc_97859C
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_97859C:				; CODE XREF: PiDevCfgOpenDriverConfiguration(x,x,x)+9Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiDevCfgOpenDriverConfiguration@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgProcessDevice(x, x,	x)
_PiDevCfgProcessDevice@12 proc near	; CODE XREF: PiConfigureDevice(x)+82p
					; PpDevCfgProcessDevice(x,x,x)+19p

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_78		= dword	ptr -78h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B0h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_20], edx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_18], ebx
		xor	eax, eax
		mov	[ebp+var_44], ebx
		push	9
		pop	ecx
		lea	edi, [ebp+var_80]
		mov	[ebp+var_48], eax
		rep stosd
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_5], bl
		mov	byte ptr [ebp+var_1C], bl
		mov	[ebp+var_28], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], 1
		mov	[ebp+var_24], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_D], bl
		cmp	[esi+18h], ebx
		jnz	short loc_978613
		mov	edi, 0C0000010h
		jmp	loc_978CCA
; 

loc_978613:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+62j
		lea	edi, [esi+14h]
		mov	ecx, offset _KMPnPEvt_DeviceConfig_Start
		mov	edx, edi
		mov	[ebp+var_18], edi
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_80]
		mov	ecx, [edi+4]
		push	eax
		call	_PiDevCfgInitDeviceContext@12 ;	PiDevCfgInitDeviceContext(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_978CBE
		test	[ebp+arg_0], 1
		mov	eax, [ebp+var_80]
		jz	short loc_97864D
		or	eax, 1
		mov	[ebp+var_80], eax

loc_97864D:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+A0j
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jnz	short loc_97865A
		mov	ecx, [ebp+var_78]
		mov	[ebp+var_20], ecx

loc_97865A:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+ADj
		test	al, 1
		jnz	loc_97872B
		cmp	_PnpBootMode, bl
		jnz	loc_97872B
		push	6
		pop	edx
		lea	eax, [ebp+var_48]
		mov	[ebp+var_A0], edx
		mov	[ebp+var_A8], eax
		mov	edi, 2012h
		lea	eax, [ebp+var_50]
		mov	[ebp+var_88], edx
		mov	edx, [ebp+var_18]
		push	2
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_B0]
		push	eax
		mov	edx, [edx+4]
		push	ecx
		push	1
		mov	[ebp+var_A4], ebx
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_B0], offset _DEVPKEY_Device_PendingConfigurationIds ; "&cڃ@S?W;)\v"
		mov	[ebp+var_AC], edi
		mov	[ebp+var_98], offset _DEVPKEY_Device_RequestConfigurationIds
		mov	[ebp+var_94], edi
		call	PiDevCfgQueryObjectProperties
		mov	edi, eax
		test	edi, edi
		js	loc_978CBE
		cmp	[ebp+var_9C], ebx
		jge	short loc_9786FF
		push	ebx
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_9786FF:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+14Ej
		cmp	[ebp+var_84], ebx
		jge	short loc_978711
		push	ebx
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_978711:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+160j
		mov	eax, [ebp+var_44]
		test	eax, eax
		jz	short loc_97872B
		cmp	[eax], bx
		jnz	short loc_97872B
		mov	al, 1
		mov	[ebp+var_28], 0C0000490h
		mov	[ebp+var_1C], eax
		jmp	short loc_978759
; 

loc_97872B:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+B7j
					; PiDevCfgProcessDevice(x,x,x)+C3j ...
		mov	edx, [ebp+var_44]
		lea	eax, [ebp+var_2C]
		push	eax
		lea	ecx, [ebp+var_80]
		call	_PiDevCfgFindDeviceDriver@12 ; PiDevCfgFindDeviceDriver(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_978756
		cmp	[ebp+var_4C], ebx
		jz	loc_9787E7
		mov	edx, [ebp+var_2C]
		lea	ecx, [ebp+var_80]
		call	_PiDevCfgRequestDriverConfigurations@8 ; PiDevCfgRequestDriverConfigurations(x,x)
		mov	edi, eax

loc_978756:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+199j
					; PiDevCfgProcessDevice(x,x,x)+26Dj
		mov	eax, [ebp+var_1C]

loc_978759:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+184j
					; PiDevCfgProcessDevice(x,x,x)+27Cj ...
		cmp	[ebp+var_44], ebx
		jz	short loc_97878A
		cmp	[ebp+var_2C], ebx
		jnz	short loc_978767
		test	al, al
		jz	short loc_97878A

loc_978767:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+1BCj
		mov	eax, [ebp+var_18]
		lea	edx, [ebp+var_80]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _DEVPKEY_Device_PendingConfigurationIds ; "&cڃ@S?W;)\v"
		push	ecx
		push	[ebp+var_20]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_97878A:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+1B7j
					; PiDevCfgProcessDevice(x,x,x)+1C0j
		cmp	[ebp+var_4C], ebx
		jnz	loc_978C50
		cmp	[ebp+var_44], ebx
		jnz	loc_9788D1
		cmp	byte ptr [ebp+var_1C], bl
		jnz	loc_9788DC
		cmp	[ebp+var_2C], ebx
		jnz	loc_97892E
		cmp	edi, 0C0000490h
		jnz	loc_978978
		test	byte ptr ds:_PiDevCfgMode, 2
		jz	loc_978978
		cmp	_PnpBootMode, bl
		jz	short loc_978830
		test	dword ptr [esi+170h], 100h
		jnz	short loc_978830
		mov	[ebp+var_14], 20h
		jmp	loc_978891
; 

loc_9787E7:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+19Ej
		lea	eax, [ebp+var_40]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_2C]
		lea	edx, [ebp+var_80]
		call	_PiDevCfgConfigureDevice@20 ; PiDevCfgConfigureDevice(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_97880C
		mov	eax, [ebp+var_C]
		mov	[ebp+var_5], 1
		mov	[ebp+var_14], eax

loc_97880C:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+25Bj
		cmp	edi, 0C0000493h
		jz	loc_978756
		mov	eax, [ebp+var_1C]
		cmp	edi, 0C0000495h
		jz	loc_978759
		mov	[ebp+var_D], 1
		jmp	loc_978759
; 

loc_978830:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+228j
					; PiDevCfgProcessDevice(x,x,x)+234j
		mov	eax, [ebp+var_18]
		mov	ecx, [eax+4]
		call	__CmIsRootEnumeratedDevice@4 ; _CmIsRootEnumeratedDevice(x)
		test	al, al
		jz	short loc_97888D
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_24]
		push	ebx
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_24], 4
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [ebp+var_18]
		push	0Bh
		push	[ebp+var_20]
		mov	edx, [eax+4]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_97887E
		cmp	[ebp+var_34], 4
		jnz	short loc_97887E
		cmp	[ebp+var_24], 4
		jnz	short loc_97887E
		mov	eax, [ebp+var_C]
		jmp	short loc_978883
; 

loc_97887E:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+2C6j
					; PiDevCfgProcessDevice(x,x,x)+2CCj ...
		mov	eax, ebx
		mov	[ebp+var_C], eax

loc_978883:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+2D7j
		shr	eax, 5
		and	al, 1
		mov	[ebp+var_1C], eax
		jmp	short loc_978891
; 

loc_97888D:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+298j
		mov	byte ptr [ebp+var_1C], 1

loc_978891:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+23Dj
					; PiDevCfgProcessDevice(x,x,x)+2E6j
		mov	eax, [ebp+var_18]
		mov	ecx, [eax+4]
		call	__CmIsRootEnumeratedDevice@4 ; _CmIsRootEnumeratedDevice(x)
		test	al, al
		jz	short loc_9788CA
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_80]
		call	_PiDevCfgMigrateRootDevice@12 ;	PiDevCfgMigrateRootDevice(x,x,x)
		test	eax, eax
		js	short loc_9788CA
		mov	eax, [ebp+var_14]
		or	eax, [ebp+var_C]
		test	byte ptr [ebp+var_C], 1
		mov	[ebp+var_14], eax
		jz	short loc_9788CA
		and	eax, 0FFFFFFDFh
		mov	byte ptr [ebp+var_1C], bl
		mov	[ebp+var_14], eax

loc_9788CA:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+2F9j
					; PiDevCfgProcessDevice(x,x,x)+30Bj ...
		mov	[ebp+var_28], 0C0000490h

loc_9788D1:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+1F1j
		mov	eax, [ebp+var_1C]

loc_9788D4:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+39Bj
		test	al, al
		jz	loc_978978

loc_9788DC:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+1FAj
		lea	eax, [ebp+var_40]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		lea	edx, [ebp+var_80]
		call	_PiDevCfgConfigureDevice@20 ; PiDevCfgConfigureDevice(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_978964
		mov	eax, [ebp+var_C]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_28]
		mov	[ebp+var_5], 1
		cmp	eax, 0C0000490h
		jz	short loc_97895D
		cmp	eax, 0C0000491h
		jz	short loc_978954
		cmp	eax, 0C0000492h
		jz	short loc_97894B
		cmp	eax, 0C0000493h
		jz	short loc_978942
		cmp	eax, 0C0000494h
		jnz	short loc_978964
		mov	[ebp+var_30], 0E0000219h
		jmp	short loc_978964
; 

loc_97892E:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+203j
		mov	eax, [ebp+var_2C]
		mov	ecx, [eax+0F4h]
		test	ecx, ecx
		jns	short loc_978978
		mov	al, 1
		mov	[ebp+var_28], ecx
		jmp	short loc_9788D4
; 

loc_978942:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+377j
		mov	[ebp+var_30], 0E0000252h
		jmp	short loc_978964
; 

loc_97894B:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+370j
		mov	[ebp+var_30], 0E0000251h
		jmp	short loc_978964
; 

loc_978954:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+369j
		mov	[ebp+var_30], 0E0000250h
		jmp	short loc_978964
; 

loc_97895D:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+362j
		mov	[ebp+var_30], 0E0000228h

loc_978964:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+34Ej
					; PiDevCfgProcessDevice(x,x,x)+37Ej ...
		cmp	edi, 0C0000493h
		jz	short loc_978978
		cmp	edi, 0C0000495h
		jz	short loc_978978
		mov	[ebp+var_D], 1

loc_978978:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+20Fj
					; PiDevCfgProcessDevice(x,x,x)+21Cj ...
		cmp	[ebp+var_5], bl
		jz	short loc_9789AC
		cmp	_PnpBootMode, bl
		jnz	short loc_97898B
		test	[ebp+arg_0], 2
		jz	short loc_978992

loc_97898B:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+3DEj
		or	[ebp+var_14], 40000h

loc_978992:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+3E4j
		test	byte ptr [ebp+var_14], 40h
		mov	eax, [esi+1C8h]
		jnz	short loc_9789A3
		or	eax, 1
		jmp	short loc_9789A6
; 

loc_9789A3:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+3F7j
		and	eax, 0FFFFFFFEh

loc_9789A6:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+3FCj
		mov	[esi+1C8h], eax

loc_9789AC:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+3D6j
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_24]
		push	ebx
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_24], 4
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [ebp+var_18]
		push	0Bh
		push	[ebp+var_20]
		mov	edx, [eax+4]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9789E6
		cmp	[ebp+var_34], 4
		jnz	short loc_9789E6
		cmp	[ebp+var_24], 4
		jz	short loc_9789E9

loc_9789E6:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+433j
					; PiDevCfgProcessDevice(x,x,x)+439j
		mov	[ebp+var_C], ebx

loc_9789E9:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+43Fj
		mov	eax, [esi+10Ch]
		and	eax, 2000h
		test	edi, edi
		js	loc_978B74
		mov	ecx, [ebp+var_14]
		and	[ebp+var_C], 0FFF7FB9Fh
		and	ecx, 0FFFFFFDFh
		mov	[ebp+var_14], ecx
		test	eax, eax
		jz	short loc_978A3C
		cmp	dword ptr [esi+114h], 1
		jz	short loc_978A32
		test	eax, eax
		jz	short loc_978A3C
		mov	eax, [esi+114h]
		cmp	eax, 1Ch
		jz	short loc_978A32
		cmp	eax, 12h
		jz	short loc_978A32
		cmp	eax, 38h
		jnz	short loc_978A3C

loc_978A32:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+472j
					; PiDevCfgProcessDevice(x,x,x)+481j ...
		mov	ecx, esi
		call	PipClearDevNodeProblem
		mov	ecx, [ebp+var_14]

loc_978A3C:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+469j
					; PiDevCfgProcessDevice(x,x,x)+476j ...
		mov	eax, [esi+0ACh]
		cmp	eax, 302h
		jz	short loc_978A54
		cmp	eax, 312h
		jnz	loc_978B33

loc_978A54:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+4A2j
		mov	eax, [esi+10Ch]
		test	eax, 6000h
		jnz	loc_978B0C
		mov	edx, [ebp+var_40]
		test	dl, 70h
		jz	loc_978AF8
		cmp	_PnpBootMode, bl
		jnz	short loc_978AF8
		mov	dword ptr [ebp+arg_0], ebx
		mov	[ebp+var_28], ebx
		test	dl, 10h
		jz	short loc_978A99
		mov	eax, 80h
		mov	[ebp+var_28], ebx
		mov	ecx, ebx
		mov	dword ptr [ebp+arg_0], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], ecx
		jmp	short loc_978A9F
; 

loc_978A99:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+4DDj
		mov	ecx, [ebp+var_38]
		mov	eax, [ebp+var_3C]

loc_978A9F:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+4F2j
		test	dl, 20h
		jz	short loc_978AB9
		mov	eax, dword ptr [ebp+arg_0]
		mov	ecx, [ebp+var_28]
		or	eax, 10h
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], ecx
		mov	dword ptr [ebp+arg_0], eax
		mov	[ebp+var_28], ecx

loc_978AB9:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+4FDj
		test	dl, 40h
		jz	short loc_978ACF
		mov	eax, dword ptr [ebp+arg_0]
		mov	ecx, [ebp+var_28]
		or	eax, 200h
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], ecx

loc_978ACF:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+517j
		push	ecx
		push	ecx
		push	eax
		mov	eax, [ebp+var_18]
		mov	ecx, [eax+4]
		call	_PnpUpdateRebootRequiredReason@20 ; PnpUpdateRebootRequiredReason(x,x,x,x,x)
		push	0C00002D2h
		push	0Eh
		pop	edx
		mov	ecx, esi
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		push	4
		pop	edx
		mov	ecx, esi
		call	PipSetDevNodeUserFlags
		jmp	short loc_978B33
; 

loc_978AF8:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+4C6j
					; PiDevCfgProcessDevice(x,x,x)+4D2j
		test	cl, 40h
		jz	short loc_978B33
		push	[ebp+var_28]
		mov	ecx, esi
		push	1Ch
		pop	edx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	short loc_978B33
; 

loc_978B0C:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+4BAj
		test	eax, 2000h
		jz	short loc_978B33
		cmp	dword ptr [esi+114h], 0Eh
		jnz	short loc_978B33
		test	byte ptr [ebp+var_40], 70h
		jnz	short loc_978B33
		mov	ecx, esi
		call	PipClearDevNodeProblem
		push	4
		pop	edx
		mov	ecx, esi
		call	PipClearDevNodeUserFlags

loc_978B33:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+4A9j
					; PiDevCfgProcessDevice(x,x,x)+551j ...
		cmp	[ebp+var_30], ebx
		jz	short loc_978B49
		test	byte ptr [ebp+var_14], 40h
		jz	short loc_978B49
		push	ebx
		push	4
		lea	eax, [ebp+var_30]
		push	eax
		push	17h
		jmp	short loc_978B53
; 

loc_978B49:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+591j
					; PiDevCfgProcessDevice(x,x,x)+597j
		test	byte ptr [ebp+var_80], 1
		jnz	short loc_978B94
		push	ebx
		push	ebx
		push	ebx
		push	ebx

loc_978B53:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+5A2j
		mov	eax, [ebp+var_18]
		lea	edx, [ebp+var_80]
		push	offset _DEVPKEY_Device_InstallError
		push	ecx
		push	[ebp+var_20]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_978B94
; 

loc_978B74:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+451j
		test	eax, eax
		jz	short loc_978B94
		mov	edx, [esi+114h]
		cmp	edx, 1
		jz	short loc_978B8C
		test	eax, eax
		jz	short loc_978B94
		cmp	edx, 12h
		jnz	short loc_978B94

loc_978B8C:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+5DCj
		push	edi
		mov	ecx, esi
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)

loc_978B94:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+5A8j
					; PiDevCfgProcessDevice(x,x,x)+5CDj ...
		mov	eax, [ebp+var_14]
		cmp	[ebp+var_5], bl
		jnz	short loc_978BA4
		test	eax, eax
		jz	loc_978C50

loc_978BA4:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+5F5j
		or	[ebp+var_C], eax
		lea	edx, [ebp+var_80]
		push	ecx
		push	4
		lea	eax, [ebp+var_C]
		push	eax
		push	4
		push	0Bh
		call	_PiDevCfgSetDeviceRegProp@28 ; PiDevCfgSetDeviceRegProp(x,x,x,x,x,x,x)
		cmp	[ebp+var_5], bl
		jz	loc_978C50
		lea	eax, [ebp+var_5C]
		push	eax
		call	KeQuerySystemTime
		push	ebx
		push	8
		lea	eax, [ebp+var_5C]
		push	eax
		mov	eax, [ebp+var_18]
		lea	edx, [ebp+var_80]
		push	10h
		push	offset _DEVPKEY_Device_InstallDate ; "&cڃ@S?W;)d"
		push	ecx
		push	[ebp+var_20]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_24]
		push	ebx
		push	eax
		push	ebx
		push	ebx
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [ebp+var_18]
		push	offset _DEVPKEY_Device_FirstInstallDate	; "&cڃ@S?W;)e"
		push	ebx
		push	[ebp+var_20]
		mov	edx, [eax+4]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_978C28
		cmp	[ebp+var_24], 8
		jz	short loc_978C50

loc_978C28:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+67Bj
		push	ebx
		push	8
		lea	eax, [ebp+var_5C]
		push	eax
		mov	eax, [ebp+var_18]
		lea	edx, [ebp+var_80]
		push	10h
		push	offset _DEVPKEY_Device_FirstInstallDate	; "&cڃ@S?W;)e"
		push	ecx
		push	[ebp+var_20]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_978C50:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+1E8j
					; PiDevCfgProcessDevice(x,x,x)+5F9j ...
		cmp	[ebp+var_D], bl
		jz	short loc_978CBE
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_24]
		push	ebx
		push	eax
		push	8
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_24], 8
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [ebp+var_18]
		push	offset _DEVPKEY_Device_RebootRequiredReason
		push	ebx
		push	[ebp+var_20]
		mov	edx, [eax+4]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_978C9F
		cmp	[ebp+var_34], 9
		jnz	short loc_978C9F
		cmp	[ebp+var_24], 8
		jnz	short loc_978C9F
		mov	ebx, [ebp+var_38]
		mov	eax, [ebp+var_3C]
		jmp	short loc_978CA7
; 

loc_978C9F:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+6E4j
					; PiDevCfgProcessDevice(x,x,x)+6EAj ...
		mov	eax, ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_3C], eax

loc_978CA7:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+6F8j
		lea	ecx, [ebp+var_5C]
		push	ecx
		push	ebx
		push	eax
		push	edi
		push	[ebp+var_40]
		lea	edx, [ebp+var_80]
		mov	ecx, esi
		push	[ebp+var_2C]
		call	_PiDevCfgLogDeviceConfigured@32	; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)

loc_978CBE:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+93j
					; PiDevCfgProcessDevice(x,x,x)+142j ...
		mov	ecx, [ebp+var_2C]
		test	ecx, ecx
		jz	short loc_978CCA
		call	_PiDevCfgFreeDriverNode@4 ; PiDevCfgFreeDriverNode(x)

loc_978CCA:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+69j
					; PiDevCfgProcessDevice(x,x,x)+71Ej
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	ecx, [ebp+var_80]
		call	PiDevCfgFreeDeviceContext
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_978CF8
		push	edi
		mov	edx, eax
		mov	ecx, offset _KMPnPEvt_DeviceConfig_Stop
		call	_PnpDiagnosticTraceObjectWithStatus@12 ; PnpDiagnosticTraceObjectWithStatus(x,x,x)

loc_978CF8:				; CODE XREF: PiDevCfgProcessDevice(x,x,x)+744j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiDevCfgProcessDevice@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgQueryDeviceMigrationNode(x,	x, x)
_PiDevCfgQueryDeviceMigrationNode@12 proc near
					; CODE XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+1CDp
					; PiDevCfgMigrateDevice(x,x,x,x,x,x)+B8p

var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_114		= dword	ptr -114h
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 140h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_13C], eax
		mov	edx, [ecx+4]
		xor	esi, esi
		mov	ecx, _PiPnpRtlCtx
		xor	eax, eax
		mov	[ebp+var_128], esi
		mov	[ebp+var_130], eax
		mov	[ebp+var_12C], esi
		push	edi
		test	ecx, ecx
		jnz	short loc_978D4B
		mov	ecx, esi
		jmp	short loc_978D4E
; 

loc_978D4B:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+44j
		mov	ecx, [ecx+74h]

loc_978D4E:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+48j
		lea	eax, [ebp+var_128]
		push	eax
		push	20019h
		push	esi
		push	ebx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_978FD5
		push	63647050h
		push	70h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_138], esi
		test	esi, esi
		jnz	short loc_978D8F
		mov	edi, 0C000009Ah
		jmp	loc_978FD5
; 

loc_978D8F:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+82j
		push	68h		; size_t
		xor	edi, edi
		push	edi		; int
		push	esi		; void *
		call	_memset
		or	dword ptr [esi+68h], 0FFFFFFFFh
		lea	eax, [esi+0Ch]
		or	dword ptr [esi+6Ch], 0FFFFFFFFh
		add	esp, 0Ch
		push	ebx		; void *
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jnz	short loc_978DBD
		mov	edi, 0C000009Ah
		jmp	loc_978FCE
; 

loc_978DBD:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+B0j
		mov	eax, [ebp+var_128]
		mov	[esi+14h], eax
		lea	eax, [ebp+var_124]
		push	118h		; size_t
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_128], edi
		call	_memset
		lea	ebx, [esi+18h]
		add	esp, 0Ch
		lea	ecx, [ebp+var_114]
		mov	edi, ebx
		xor	edx, edx

loc_978DEE:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+112j
		mov	eax, ds:off_A3FCA4[edx]
		add	edx, 4
		mov	[ecx-4], edi
		add	edi, 8
		mov	[ecx-8], eax
		mov	dword ptr [ecx], 7000000h
		lea	ecx, [ecx+1Ch]
		mov	dword ptr [ecx-28h], 130h
		cmp	edx, 8
		jb	short loc_978DEE
		lea	eax, [ebp+var_130]
		mov	[ebp+var_E4], offset ??_C@_1BE@MANDFMJD@?$AAC?$AAl?$AAa?$AAs?$AAs?$AAG?$AAu?$AAi?$AAd@NNGAKEGL@
		mov	[ebp+var_E0], eax
		mov	ecx, 4000000h
		lea	eax, [esi+38h]
		mov	[ebp+var_C0], ecx
		mov	[ebp+var_C4], eax
		mov	edx, 1000000h
		lea	eax, [esi+3Ch]
		mov	[ebp+var_DC], edx
		mov	[ebp+var_A8], eax
		mov	edi, 120h
		lea	eax, [esi+44h]
		mov	[ebp+var_A4], edx
		mov	[ebp+var_8C], eax
		lea	eax, [esi+4Ch]
		mov	[ebp+var_70], eax
		lea	eax, [esi+58h]
		push	1
		mov	[ebp+var_54], eax
		lea	eax, [esi+60h]
		push	ecx
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_124]
		push	0
		mov	[ebp+var_88], edx
		mov	[ebp+var_50], edx
		mov	edx, [esi+14h]
		mov	[ebp+var_34], ecx
		mov	ecx, 0C0000000h
		push	eax
		mov	[ebp+var_E8], edi
		mov	[ebp+var_C8], offset ??_C@_1BK@JKLHPNBO@?$AAC?$AAa?$AAp?$AAa?$AAb?$AAi?$AAl?$AAi?$AAt?$AAi?$AAe?$AAs@NNGAKEGL@ ; "Capabilities"
		mov	[ebp+var_CC], edi
		mov	[ebp+var_AC], offset ??_C@_1BM@JIENPPCJ@?$AAB?$AAu?$AAs?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAD?$AAe?$AAs?$AAc@NNGAKEGL@
		mov	[ebp+var_B0], edi
		mov	[ebp+var_90], offset ??_C@_1BK@MGFHJELK@?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAI?$AAn?$AAf?$AAo@NNGAKEGL@
		mov	[ebp+var_94], edi
		mov	[ebp+var_74], offset ??_C@_1BM@NDODFCEE@?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAP?$AAa?$AAt?$AAh?$AAs@NNGAKEGL@ ; "LocationPaths"
		mov	[ebp+var_6C], 7000000h
		mov	[ebp+var_78], 130h
		mov	[ebp+var_58], offset ??_C@_1BM@GNHLLIBL@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAI?$AAn?$AAf?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@
		mov	[ebp+var_5C], edi
		mov	[ebp+var_3C], offset ??_C@_1BA@DDDLNJJL@?$AAP?$AAr?$AAe?$AAs?$AAe?$AAn?$AAt@NNGAKEGL@
		mov	[ebp+var_40], edi
		call	RtlpQueryRegistryValues
		mov	edi, eax
		test	edi, edi
		js	loc_978FCE
		cmp	[ebp+var_12C], 0
		jz	loc_978FC9
		lea	eax, [esi+28h]
		push	eax
		lea	eax, [ebp+var_130]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	loc_978FC9
		push	2
		pop	ecx
		mov	eax, ecx
		xor	esi, esi
		mov	[ebp+var_134], eax

loc_978F39:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+25Dj
		cmp	[ebx], cx
		ja	short loc_978F52
		cmp	[ebx+4], esi
		jz	short loc_978F52
		push	ebx
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [ebp+var_134]
		push	2
		pop	ecx

loc_978F52:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+23Bj
					; PiDevCfgQueryDeviceMigrationNode(x,x,x)+240j
		add	ebx, 8
		sub	eax, 1
		mov	[ebp+var_134], eax
		jnz	short loc_978F39
		mov	esi, [ebp+var_138]
		xor	ebx, ebx
		lea	eax, [esi+3Ch]
		cmp	[eax], bx
		jnz	short loc_978F7B
		cmp	[esi+40h], ebx
		jz	short loc_978F7B
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_978F7B:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+26Dj
					; PiDevCfgQueryDeviceMigrationNode(x,x,x)+272j
		lea	eax, [esi+44h]
		cmp	[eax], bx
		jnz	short loc_978F8E
		cmp	[esi+48h], ebx
		jz	short loc_978F8E
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_978F8E:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+280j
					; PiDevCfgQueryDeviceMigrationNode(x,x,x)+285j
		mov	ecx, [esi+50h]
		test	ecx, ecx
		jz	short loc_978FAC
		lea	ebx, [esi+4Ch]
		movzx	edx, word ptr [ebx]
		call	_PnpValidateMultiSzData@8 ; PnpValidateMultiSzData(x,x)
		test	al, al
		jnz	short loc_978FAA
		push	ebx
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_978FAA:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+2A1j
		xor	ebx, ebx

loc_978FAC:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+292j
		lea	eax, [esi+58h]
		cmp	[eax], bx
		jnz	short loc_978FBF
		cmp	[esi+5Ch], ebx
		jz	short loc_978FBF
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_978FBF:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+2B1j
					; PiDevCfgQueryDeviceMigrationNode(x,x,x)+2B6j
		mov	eax, [ebp+var_13C]
		mov	[eax], esi
		jmp	short loc_978FD5
; 

loc_978FC9:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+20Dj
					; PiDevCfgQueryDeviceMigrationNode(x,x,x)+225j
		mov	edi, 0C0000034h

loc_978FCE:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+B7j
					; PiDevCfgQueryDeviceMigrationNode(x,x,x)+200j
		mov	ecx, esi
		call	_PiDevCfgFreeDeviceMigrationNode@4 ; PiDevCfgFreeDeviceMigrationNode(x)

loc_978FD5:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+64j
					; PiDevCfgQueryDeviceMigrationNode(x,x,x)+89j ...
		cmp	[ebp+var_128], 0
		jz	short loc_978FE9
		push	[ebp+var_128]
		call	_ZwClose@4	; ZwClose(x)

loc_978FE9:				; CODE XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x)+2DBj
		lea	eax, [ebp+var_130]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PiDevCfgQueryDeviceMigrationNode@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgQueryDriverConfiguration(x)
_PiDevCfgQueryDriverConfiguration@4 proc near
					; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+5FEp
					; PiDevCfgCheckDeviceNeedsUpdate(x,x):loc_96FF38p ...

var_156		= byte ptr -156h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 15Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+15Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		xor	eax, eax
		mov	[esp+164h+var_14C], ebx
		push	edi
		mov	[esp+13h], bl
		test	byte ptr [esi+6Ch], 20h
		mov	[esp+168h+var_156], bl
		mov	[esp+168h+var_154], eax
		mov	[esp+168h+var_150], ebx
		jnz	short loc_979061
		lea	edx, [esi+0E8h]
		call	_PiDevCfgBuildDriverConfigurationId@8 ;	PiDevCfgBuildDriverConfigurationId(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9794D1
		cmp	[esi+0Ch], ebx
		jz	short loc_979068

loc_979061:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+3Dj
		mov	edi, [esi+10h]
		test	edi, edi
		jnz	short loc_979072

loc_979068:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+57j
					; PiDevCfgQueryDriverConfiguration(x)+1D3j ...
		mov	edi, 0C0000493h
		jmp	loc_9794D1
; 

loc_979072:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+5Ej
		push	0E0h		; size_t
		lea	eax, [esp+16Ch+var_E8]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		lea	eax, [esi+0B0h]
		mov	[esp+174h+var_E0], offset ??_C@_1BA@IELBACJJ@?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe@NNGAKEGL@
		mov	[esp+174h+var_DC], eax
		lea	ebx, [esi+0B8h]
		mov	eax, 7000000h
		mov	[esp+174h+var_D8], 1000000h
		mov	[esp+174h+var_BC], eax
		add	esp, 0Ch
		mov	[esp+168h+var_A0], eax
		mov	ecx, 4000000h
		lea	eax, [esi+0C0h]
		mov	[esp+168h+var_84], ecx
		mov	[esp+168h+var_A4], eax
		mov	edx, 130h
		lea	eax, [esi+0E0h]
		mov	[esp+168h+var_C8], edx
		mov	[esp+168h+var_88], eax
		lea	eax, [esi+0C8h]
		mov	[esp+168h+var_6C], eax
		lea	eax, [esi+0D0h]
		mov	[esp+168h+var_50], eax
		lea	eax, [esi+0E4h]
		push	1
		mov	[esp+16Ch+var_34], eax
		xor	eax, eax
		push	ecx
		push	eax
		lea	eax, [esp+174h+var_E8]
		mov	[esp+174h+var_AC], edx
		mov	[esp+174h+var_74], edx
		mov	[esp+174h+var_58], edx
		mov	edx, edi
		mov	[esp+174h+var_30], ecx
		mov	ecx, 0C0000000h
		push	eax
		mov	[esp+178h+var_E4], 120h
		mov	[esp+178h+var_C4], offset ??_C@_1BK@LMFDGODN@?$AAL?$AAo?$AAw?$AAe?$AAr?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@
		mov	[esp+178h+var_C0], ebx
		mov	[esp+178h+var_A8], offset ??_C@_1BK@FNJCPENK@?$AAU?$AAp?$AAp?$AAe?$AAr?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@
		mov	[esp+178h+var_8C], offset ??_C@_1BI@KGJMAEC@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@
		mov	[esp+178h+var_90], 124h
		mov	[esp+178h+var_70], offset ??_C@_1BK@PIHNOJBM@?$AAI?$AAn?$AAc?$AAl?$AAu?$AAd?$AAe?$AAd?$AAI?$AAn?$AAf?$AAs@NNGAKEGL@
		mov	[esp+178h+var_68], 7000000h
		mov	[esp+178h+var_54], offset ??_C@_1CA@HOLKNBGP@?$AAI?$AAn?$AAc?$AAl?$AAu?$AAd?$AAe?$AAd?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAs@NNGAKEGL@
		mov	[esp+178h+var_4C], 7000000h
		mov	[esp+178h+var_38], (offset loc_8BA5E5+1)
		mov	[esp+178h+var_3C], 120h
		call	RtlpQueryRegistryValues
		mov	edi, eax
		cmp	edi, 0C0000034h
		jz	loc_979068
		test	edi, edi
		js	loc_9794D1
		push	2
		pop	eax
		xor	ecx, ecx
		cmp	[ebx], ax
		ja	short loc_979203
		cmp	[esi+0BCh], ecx
		jz	short loc_979203
		push	ebx
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		xor	ecx, ecx

loc_979203:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+1E9j
					; PiDevCfgQueryDriverConfiguration(x)+1F1j
		push	2
		lea	eax, [esi+0C0h]
		pop	edx
		cmp	[eax], dx
		ja	short loc_97921F
		cmp	[esi+0C4h], ecx
		jz	short loc_97921F
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_97921F:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+207j
					; PiDevCfgQueryDriverConfiguration(x)+20Fj
		push	2
		lea	eax, [esi+0C8h]
		pop	ecx
		cmp	[eax], cx
		ja	short loc_97923D
		xor	ecx, ecx
		cmp	[esi+0CCh], ecx
		jz	short loc_97923F
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_97923D:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+223j
		xor	ecx, ecx

loc_97923F:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+22Dj
		push	2
		lea	eax, [esi+0D0h]
		pop	edx
		cmp	[eax], dx
		ja	short loc_97925B
		cmp	[esi+0D4h], ecx
		jz	short loc_97925B
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_97925B:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+243j
					; PiDevCfgQueryDriverConfiguration(x)+24Bj
		test	byte ptr [esi+6Ch], 20h
		jz	short loc_9792AB
		mov	eax, [esi+34h]
		xor	ecx, ecx
		test	al, 4
		jnz	short loc_979283
		cmp	[esi+0B4h], ecx
		jz	short loc_979283
		lea	eax, [esi+0B0h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [esi+34h]
		xor	ecx, ecx

loc_979283:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+260j
					; PiDevCfgQueryDriverConfiguration(x)+268j
		test	al, 2
		jnz	short loc_9792AB
		cmp	[esi+0BCh], ecx
		jz	short loc_979297
		push	ebx
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		xor	ecx, ecx

loc_979297:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+285j
		cmp	[esi+0C4h], ecx
		jz	short loc_9792AB
		lea	eax, [esi+0C0h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_9792AB:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+257j
					; PiDevCfgQueryDriverConfiguration(x)+27Dj ...
		mov	ecx, [esi+0B4h]
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_9792E7
		cmp	[esi+0B0h], dx
		jz	short loc_9792E7
		lea	eax, [esi+0F0h]
		push	eax
		lea	edx, [esp+17h]
		call	_PiDevCfgVerifyService@12 ; PiDevCfgVerifyService(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_979068
		cmp	byte ptr [esp+13h], 0
		jz	short loc_9792E5
		or	dword ptr [esi+6Ch], 10h

loc_9792E5:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+2D7j
		xor	edx, edx

loc_9792E7:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+2ADj
					; PiDevCfgQueryDriverConfiguration(x)+2B6j
		mov	ebx, [esi+0BCh]
		test	ebx, ebx
		jz	short loc_979337
		jmp	short loc_979321
; 

loc_9792F3:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+31Cj
		push	edx
		xor	edx, edx
		mov	ecx, ebx
		call	_PiDevCfgVerifyService@12 ; PiDevCfgVerifyService(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_979328
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_979308:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+30Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+168h+var_14C]
		jnz	short loc_979308
		sub	ecx, edx
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]
		add	ebx, 2
		xor	edx, edx

loc_979321:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+2E9j
		cmp	[ebx], dx
		jnz	short loc_9792F3
		jmp	short loc_97932F
; 

loc_979328:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+2F9j
		mov	edi, 0C0000493h
		xor	edx, edx

loc_97932F:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+31Ej
		test	edi, edi
		js	loc_9794D1

loc_979337:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+2E7j
		mov	ebx, [esi+0C4h]
		test	ebx, ebx
		jz	short loc_979387
		jmp	short loc_979371
; 

loc_979343:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+36Cj
		push	edx
		xor	edx, edx
		mov	ecx, ebx
		call	_PiDevCfgVerifyService@12 ; PiDevCfgVerifyService(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_979378
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_979358:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+35Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+168h+var_14C]
		jnz	short loc_979358
		sub	ecx, edx
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]
		add	ebx, 2
		xor	edx, edx

loc_979371:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+339j
		cmp	[ebx], dx
		jnz	short loc_979343
		jmp	short loc_97937F
; 

loc_979378:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+349j
		mov	edi, 0C0000493h
		xor	edx, edx

loc_97937F:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+36Ej
		test	edi, edi
		js	loc_9794D1

loc_979387:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+337j
		test	byte ptr [esi+6Ch], 20h
		jnz	loc_9794CD
		push	60h		; size_t
		push	edx		; int
		lea	eax, [esp+170h+var_148]
		push	eax		; void *
		call	_memset
		mov	edx, [esi+20h]
		lea	eax, [esi+0A8h]
		add	esp, 0Ch
		mov	[esp+168h+var_128], eax
		lea	eax, [esp+168h+var_156]
		mov	[esp+168h+var_148], offset _DEVPKEY_DriverPackage_ClassGuid
		mov	[esp+168h+var_110], eax
		lea	ebx, [esi+90h]
		lea	eax, [esp+168h+var_154]
		mov	[esp+168h+var_144], 0Dh
		push	6
		pop	ecx
		push	4
		mov	[esp+16Ch+var_F8], eax
		lea	eax, [esp+16Ch+var_148]
		push	eax
		push	dword ptr [esi+8]
		mov	[esp+174h+var_140], ebx
		push	8
		mov	[esp+178h+var_13C], 10h
		mov	[esp+178h+var_130], offset _DEVPKEY_DriverPackage_ProviderName
		mov	[esp+178h+var_12C], 12h
		mov	[esp+178h+var_120], ecx
		mov	[esp+178h+var_118], offset _DEVPKEY_DriverPackage_NeedsReconfig
		mov	[esp+178h+var_114], 11h
		mov	[esp+178h+var_10C], 1
		mov	[esp+178h+var_100], offset _DEVPKEY_DriverPackage_GroupIds
		mov	[esp+178h+var_FC], 2012h
		mov	[esp+178h+var_F0], ecx
		call	PiDevCfgQueryObjectProperties
		mov	edi, eax
		test	edi, edi
		js	loc_9794D1
		cmp	[esp+168h+var_134], 0
		jl	short loc_97945F
		push	1
		lea	edx, [esi+0A0h]
		mov	ecx, ebx
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9794D1
		jmp	short loc_979467
; 

loc_97945F:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+43Ej
		mov	edi, ebx
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd

loc_979467:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+455j
		xor	ebx, ebx
		cmp	[esp+168h+var_11C], ebx
		jge	short loc_97947C
		push	ebx
		lea	eax, [esi+0A8h]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_97947C:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+465j
		cmp	[esp+168h+var_104], 0
		setl	al
		dec	al
		and	al, [esp+168h+var_156]
		mov	[esp+168h+var_156], al
		cmp	al, 0FFh
		jnz	short loc_979496
		or	dword ptr [esi+6Ch], 40h

loc_979496:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+488j
		cmp	[esp+168h+var_EC], 0
		jge	short loc_9794A8
		push	ebx
		lea	eax, [esp+16Ch+var_154]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_9794A8:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+493j
		cmp	[esp+168h+var_150], 0
		jz	short loc_9794C0
		push	2
		pop	eax
		cmp	word ptr [esp+168h+var_154], ax
		jbe	short loc_9794C0
		or	dword ptr [esi+6Ch], 80h

loc_9794C0:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+4A5j
					; PiDevCfgQueryDriverConfiguration(x)+4AFj
		mov	ecx, esi
		call	_PiDevCfgQueryIncludedDriverConfigurations@4 ; PiDevCfgQueryIncludedDriverConfigurations(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9794D1

loc_9794CD:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+383j
		or	dword ptr [esi+6Ch], 1

loc_9794D1:				; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+4Ej
					; PiDevCfgQueryDriverConfiguration(x)+65j ...
		lea	eax, [esp+168h+var_154]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [esp+168h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PiDevCfgQueryDriverConfiguration@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgQueryDriverNode(x, x, x, x,	x, x)
_PiDevCfgQueryDriverNode@24 proc near	; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+2A3p
					; PiDevCfgFindDeviceDriver(x,x,x)+4F2p

var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_82		= byte ptr -82h
var_81		= byte ptr -81h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ecx
		mov	[ebp+var_D0], edx
		mov	ecx, [ebp+arg_C]
		lea	edx, [ebp+var_A4]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_D8], ecx
		xor	ecx, ecx
		mov	[ebp+var_CC], eax
		push	esi
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_B0], ecx
		mov	ecx, eax
		push	edi
		mov	[ebp+var_A0], ebx
		mov	edi, ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_82], bl
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_A8], 0FF000000h
		mov	[ebp+var_81], bl
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_94], ebx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], ebx
		call	_PiDevCfgGetDriverPackageId@8 ;	PiDevCfgGetDriverPackageId(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_979B96
		mov	edx, [ebp+var_A0]
		lea	eax, [ebp+var_88]
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	ebx
		push	eax
		push	ebx
		push	20019h
		push	8
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_979B96
		push	78h		; size_t
		lea	eax, [ebp+var_80]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_A0]
		lea	eax, [ebp+var_82]
		add	esp, 0Ch
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_80], offset _DEVPKEY_DriverPackage_Invalidated
		mov	[ebp+var_60], eax
		mov	[ebp+var_7C], 11h
		push	2
		pop	eax
		push	eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_74], 1
		push	eax
		push	[ebp+var_88]
		mov	[ebp+var_68], offset _DEVPKEY_DriverPackage_TargetComputerIds
		push	8
		mov	[ebp+var_64], 2012h
		mov	[ebp+var_58], 6
		call	PiDevCfgQueryObjectProperties
		mov	esi, eax
		test	esi, esi
		js	loc_979B96
		cmp	[ebp+var_6C], ebx
		jl	short loc_979644
		cmp	[ebp+var_82], 0FFh
		jnz	short loc_979644
		mov	esi, 0C0000056h
		jmp	loc_979B96
; 

loc_979644:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+13Dj
					; PiDevCfgQueryDriverNode(x,x,x,x,x,x)+146j
		cmp	[ebp+var_54], ebx
		jl	short loc_97969E
		mov	eax, [ebp+var_AC]
		test	eax, eax
		jz	short loc_97969E
		push	2
		pop	esi
		cmp	word ptr [ebp+var_B0], si
		jbe	short loc_97969E
		mov	edi, eax
		cmp	[eax], bx
		jz	short loc_97968F

loc_979666:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+19Bj
		mov	ecx, edi
		call	_PipCheckComputerSupported@4 ; PipCheckComputerSupported(x)
		test	al, al
		jnz	short loc_97968F
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_979676:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+18Cj
		mov	ax, [ecx]
		add	ecx, esi
		cmp	ax, bx
		jnz	short loc_979676
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], bx
		jnz	short loc_979666

loc_97968F:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+172j
					; PiDevCfgQueryDriverNode(x,x,x,x,x,x)+17Dj
		cmp	[edi], bx
		jnz	short loc_97969E

loc_979694:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+1BBj
		mov	esi, 0C0000424h
		jmp	loc_979B96
; 

loc_97969E:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+155j
					; PiDevCfgQueryDriverNode(x,x,x,x,x,x)+15Fj ...
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_D4], eax
		test	al, 8
		jz	short loc_9796AF
		test	edi, edi
		jz	short loc_979694

loc_9796AF:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+1B7j
		push	63647050h
		mov	esi, 0F8h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9796D1
		mov	esi, 0C000009Ah
		jmp	loc_979B96
; 

loc_9796D1:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+1D3j
		push	esi		; size_t
		xor	esi, esi
		push	esi		; int
		push	ebx		; void *
		call	_memset
		lea	eax, [ebx+88h]
		add	esp, 0Ch
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+80h]
		mov	[eax+4], eax
		push	[ebp+var_CC]	; void *
		mov	[eax], eax
		lea	eax, [ebx+0D8h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+14h]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jnz	short loc_97971C

loc_979712:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+23Aj
					; PiDevCfgQueryDriverNode(x,x,x,x,x,x)+24Dj ...
		mov	esi, 0C000009Ah
		jmp	loc_979B8B
; 

loc_97971C:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+21Ej
		lea	ecx, [ebx+1Ch]
		lea	edx, [ebp+var_A4]
		call	_PnpDuplicateUnicodeString@8 ; PnpDuplicateUnicodeString(x,x)
		test	al, al
		jz	short loc_979712
		push	[ebp+var_D0]	; void *
		lea	eax, [ebx+24h]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	short loc_979712
		test	edi, edi
		jz	short loc_979753
		push	edi		; void *
		lea	eax, [ebx+50h]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	short loc_979712

loc_979753:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+251j
		push	78h		; size_t
		lea	eax, [ebp+var_80]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_80], offset _DEVPKEY_DriverPackage_DriverDate
		lea	eax, [ebx+40h]
		mov	[ebp+var_68], offset _DEVPKEY_DriverPackage_DriverVersion
		mov	[ebp+var_78], eax
		lea	edi, [ebx+58h]
		lea	eax, [ebx+48h]
		mov	[ebp+var_64], 9
		push	10h
		pop	ecx
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_A8]
		push	8
		pop	edx
		mov	[ebp+var_48], eax
		lea	eax, [ebx+70h]
		push	5
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_80]
		push	eax
		push	[ebp+var_88]
		mov	[ebp+var_74], edx
		mov	[ebp+var_5C], edx
		push	edx
		mov	edx, [ebp+var_A0]
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_50], offset _DEVPKEY_DriverPackage_SignerScore
		mov	[ebp+var_4C], 7
		mov	[ebp+var_44], 4
		mov	[ebp+var_38], offset _DEVPKEY_DriverPackage_ExtensionId
		mov	[ebp+var_34], 0Dh
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_20], offset _DEVPKEY_DriverPackage_ExtensionContractIds
		mov	[ebp+var_1C], 100Dh
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], 2
		call	PiDevCfgQueryObjectProperties
		mov	esi, eax
		test	esi, esi
		js	loc_979B8B
		xor	esi, esi
		cmp	[ebp+var_6C], esi
		jge	short loc_979811
		mov	[ebx+40h], esi
		mov	[ebx+44h], esi

loc_979811:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+317j
		cmp	[ebp+var_54], 0
		jge	short loc_97981D
		mov	[ebx+48h], esi
		mov	[ebx+4Ch], esi

loc_97981D:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+323j
		cmp	[ebp+var_3C], 0
		jge	short loc_97982D
		mov	[ebp+var_A8], 0FF000000h

loc_97982D:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+32Fj
		cmp	[ebp+var_24], 0
		jge	short loc_97983F
		xor	eax, eax
		lea	edi, [ebx+70h]
		stosd
		stosd
		stosd
		stosd
		lea	edi, [ebx+58h]

loc_97983F:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+33Fj
		cmp	[ebp+var_C], 0
		jl	short loc_97985C
		mov	eax, [ebp+var_14]
		test	al, 0Fh
		jnz	short loc_979854
		shr	eax, 4
		mov	[ebx+5Ch], eax
		jmp	short loc_97985E
; 

loc_979854:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+358j
		push	esi
		push	dword ptr [edi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97985C:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+351j
		mov	[edi], esi

loc_97985E:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+360j
		mov	edx, [ebp+var_D4]
		test	dl, 4
		jz	short loc_97986E
		or	ecx, 0FFFFFFFFh
		jmp	short loc_97989B
; 

loc_97986E:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+375j
		mov	eax, edx
		and	al, 1
		movzx	ecx, al
		mov	eax, [ebp+arg_4]
		neg	ecx
		sbb	ecx, ecx
		and	eax, 0FF0000h
		and	ecx, 0F1000000h
		add	ecx, 0FF000000h
		and	ecx, [ebp+var_A8]
		or	ecx, eax
		movzx	eax, [ebp+arg_0]
		or	ecx, eax

loc_97989B:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+37Aj
		xor	edi, edi
		mov	[ebx+38h], ecx
		test	dl, 2
		jz	short loc_97990F
		push	68h		; size_t
		lea	eax, [ebp+var_70]
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_A0]
		lea	eax, [ebp-81h]
		add	esp, 0Ch
		mov	[ebp+var_78], eax
		xor	eax, eax
		mov	[ebp+var_80], offset _DEVPKEY_DriverPackage_F6
		inc	eax
		mov	[ebp+var_7C], 11h
		mov	[ebp+var_74], eax
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		push	[ebp+var_88]
		push	8
		call	PiDevCfgQueryObjectProperties
		mov	esi, eax
		test	esi, esi
		js	loc_979B8B
		cmp	[ebp+var_6C], edi
		setl	al
		dec	al
		and	al, [ebp+var_81]
		mov	[ebp+var_81], al
		cmp	al, 0FFh
		jnz	short loc_97990F
		or	dword ptr [ebx+6Ch], 2

loc_97990F:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+3B1j
					; PiDevCfgQueryDriverNode(x,x,x,x,x,x)+417j
		push	18h
		pop	eax
		mov	word ptr [ebp+var_9C+2], ax
		mov	[ebp+var_C8], eax
		mov	eax, [ebp+var_88]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_9C]
		push	16h
		pop	ecx
		mov	[ebp+var_C0], eax
		lea	eax, [ebp+var_C8]
		push	eax
		push	20019h
		lea	eax, [ebp+var_94]
		mov	word ptr [ebp+var_9C], cx
		push	eax
		mov	[ebp+var_98], offset ??_C@_1BI@OAJEEHJL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAo?$AAr?$AAs@NNGAKEGL@
		mov	[ebp+var_BC], 240h
		mov	[ebp+var_B8], edi
		mov	[ebp+var_B4], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_9799E2
		test	esi, esi
		js	loc_979B8B
		mov	eax, [ebp+var_94]
		mov	[ebp+var_C4], eax
		lea	eax, [ebx+24h]
		mov	[ebp+var_C0], eax
		lea	eax, [ebp+var_C8]
		push	eax
		push	20019h
		lea	eax, [ebp+var_90]
		mov	[ebp+var_C8], 18h
		push	eax
		mov	[ebp+var_BC], 240h
		mov	[ebp+var_B8], edi
		mov	[ebp+var_B4], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_9799E6

loc_9799E2:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+48Fj
		mov	esi, edi
		jmp	short loc_979A50
; 

loc_9799E6:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+4EEj
		test	esi, esi
		js	loc_979B8B
		push	70h		; size_t
		lea	eax, [ebp+var_78]
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_90]
		lea	edi, [ebx+2Ch]
		add	esp, 0Ch
		mov	[ebp+var_70], offset ??_C@_1BM@ICBIINEM@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		xor	eax, eax
		mov	[ebp+var_68], 1000000h
		mov	[ebp+var_6C], edi
		mov	[ebp+var_74], 120h
		push	1
		push	ecx
		push	eax
		lea	eax, [ebp+var_78]
		mov	ecx, 0C0000000h
		push	eax
		call	RtlpQueryRegistryValues
		mov	esi, eax
		test	esi, esi
		js	loc_979B8B
		xor	eax, eax
		cmp	[edi], ax
		jnz	short loc_979A4E
		cmp	[ebx+30h], eax
		jz	short loc_979A4E
		push	edi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_979A4E:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+54Fj
					; PiDevCfgQueryDriverNode(x,x,x,x,x,x)+554j
		xor	edi, edi

loc_979A50:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+4F2j
		mov	edx, [ebx+30h]
		test	edx, edx
		jz	loc_979B0E
		mov	ecx, [ebp+var_88]
		lea	eax, [ebp+var_8C]
		push	eax
		call	_PiDevCfgOpenDriverConfiguration@12 ; PiDevCfgOpenDriverConfiguration(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_979A7E
		mov	esi, edi
		jmp	loc_979B0E
; 

loc_979A7E:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+583j
		test	esi, esi
		js	loc_979B8B
		push	70h		; size_t
		lea	eax, [ebp+var_78]
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_8C]
		lea	eax, [ebx+40h]
		add	esp, 0Ch
		mov	[ebp+var_6C], eax
		mov	ecx, offset _PiDevCfgQueryDriverVersionValueCallback@24	; PiDevCfgQueryDriverVersionValueCallback(x,x,x,x,x,x)
		mov	[ebp+var_70], offset ??_C@_1BG@IAFOGIBK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAe@NNGAKEGL@ ; "DriverDate"
		lea	eax, [ebx+48h]
		mov	[ebp+var_78], ecx
		mov	[ebp+var_50], eax
		lea	edi, [ebx+60h]
		push	1
		push	ecx
		xor	eax, eax
		mov	[ebp+var_5C], ecx
		push	eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_54], offset ??_C@_1BM@JBLBDIOG@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@NNGAKEGL@ ; "DriverVersion"
		push	eax
		mov	ecx, 0C0000000h
		mov	[ebp+var_38], offset ??_C@_1BG@LJENICHM@?$AAE?$AAx?$AAc?$AAl?$AAu?$AAd?$AAe?$AAI?$AAd?$AAs@NNGAKEGL@
		mov	[ebp+var_30], 7000000h
		mov	[ebp+var_34], edi
		mov	[ebp+var_3C], 130h
		call	RtlpQueryRegistryValues
		mov	esi, eax
		test	esi, esi
		js	loc_979B8B
		push	2
		pop	eax
		cmp	[edi], ax
		ja	short loc_979B0E
		xor	eax, eax
		cmp	[ebx+64h], eax
		jz	short loc_979B0E
		push	edi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_979B0E:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+563j
					; PiDevCfgQueryDriverNode(x,x,x,x,x,x)+587j ...
		cmp	_PnpBootMode, 0
		jz	short loc_979B52
		mov	ecx, [ebp+var_8C]
		mov	[ebp+var_98], offset ??_C@_1BI@KGJMAEC@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@
		push	18h
		pop	eax
		mov	word ptr [ebp+var_9C+2], ax
		push	16h
		pop	eax
		mov	word ptr [ebp+var_9C], ax
		test	ecx, ecx
		jz	short loc_979B4E
		lea	edx, [ebp+var_9C]
		call	_PnpRegistryValueExists@8 ; PnpRegistryValueExists(x,x)
		test	al, al
		jnz	short loc_979B52

loc_979B4E:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+64Bj
		or	dword ptr [ebx+6Ch], 4

loc_979B52:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+623j
					; PiDevCfgQueryDriverNode(x,x,x,x,x,x)+65Aj
		mov	eax, [ebp+var_88]
		xor	ecx, ecx
		mov	[ebx+8], eax
		mov	eax, [ebp+var_90]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_8C]
		mov	[ebx+10h], eax
		mov	eax, [ebp+var_D8]
		mov	[ebp+var_88], ecx
		mov	[ebp+var_90], ecx
		mov	[ebp+var_8C], ecx
		mov	[eax], ebx
		mov	ebx, ecx

loc_979B8B:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+225j
					; PiDevCfgQueryDriverNode(x,x,x,x,x,x)+30Cj ...
		test	ebx, ebx
		jz	short loc_979B96
		mov	ecx, ebx
		call	_PiDevCfgFreeDriverNode@4 ; PiDevCfgFreeDriverNode(x)

loc_979B96:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+98j
					; PiDevCfgQueryDriverNode(x,x,x,x,x,x)+C4j ...
		cmp	[ebp+var_88], 0
		jz	short loc_979BAA
		push	[ebp+var_88]
		call	_ZwClose@4	; ZwClose(x)

loc_979BAA:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+6ABj
		cmp	[ebp+var_90], 0
		jz	short loc_979BBE
		push	[ebp+var_90]
		call	_ZwClose@4	; ZwClose(x)

loc_979BBE:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+6BFj
		cmp	[ebp+var_94], 0
		jz	short loc_979BD2
		push	[ebp+var_94]
		call	_ZwClose@4	; ZwClose(x)

loc_979BD2:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+6D3j
		cmp	[ebp+var_8C], 0
		jz	short loc_979BE6
		push	[ebp+var_8C]
		call	_ZwClose@4	; ZwClose(x)

loc_979BE6:				; CODE XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+6E7j
		lea	eax, [ebp+var_A4]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_B0]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PiDevCfgQueryDriverNode@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgQueryDriverVersionValueCallback(x, x, x, x,	x, x)
_PiDevCfgQueryDriverVersionValueCallback@24 proc near
					; DATA XREF: PiDevCfgQueryDriverNode(x,x,x,x,x,x)+5AFo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 3
		mov	edx, [ebp+arg_14]
		mov	ecx, [ebp+arg_8]
		jnz	short loc_979C36
		cmp	[ebp+arg_C], 8
		jnz	short loc_979C36
		test	ecx, ecx
		jz	short loc_979C36
		mov	eax, [ecx]
		mov	[edx], eax
		mov	eax, [ecx+4]
		mov	[edx+4], eax

loc_979C36:				; CODE XREF: PiDevCfgQueryDriverVersionValueCallback(x,x,x,x,x,x)+Fj
					; PiDevCfgQueryDriverVersionValueCallback(x,x,x,x,x,x)+15j ...
		xor	eax, eax
		pop	ebp
		retn	18h
_PiDevCfgQueryDriverVersionValueCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgQueryIncludedDriverConfigurations(x)
_PiDevCfgQueryIncludedDriverConfigurations@4 proc near
					; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+4BAp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ecx
		lea	ecx, [ebp+var_30]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], eax
		push	edi
		mov	[ebp+var_18], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_30], ecx
		cmp	[eax+0D4h], esi
		jnz	short loc_979C7F
		mov	edi, esi

loc_979C6A:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+3Aj
					; PiDevCfgQueryIncludedDriverConfigurations(x)+64j ...
		xor	edx, edx
		lea	ecx, [ebp+var_30]
		call	_PiDevCfgPopDriverNodeEntry@8 ;	PiDevCfgPopDriverNodeEntry(x,x)
		test	al, al
		jnz	short loc_979C6A
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_979C7F:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+2Aj
		mov	edx, eax
		lea	ecx, [ebp+var_30]
		call	_PiDevCfgPushDriverNodeEntry@8 ; PiDevCfgPushDriverNodeEntry(x,x)
		mov	edi, eax
		mov	[ebp+var_8], edi
		jmp	loc_979F65
; 

loc_979C93:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+71j
					; PiDevCfgQueryIncludedDriverConfigurations(x)+32Bj
		lea	edx, [ebp+var_18]
		lea	ecx, [ebp+var_30]
		call	_PiDevCfgPopDriverNodeEntry@8 ;	PiDevCfgPopDriverNodeEntry(x,x)
		test	al, al
		jz	short loc_979C6A
		mov	ebx, [ebp+var_18]
		mov	ebx, [ebx+0D4h]
		test	ebx, ebx
		jz	short loc_979C93
		jmp	loc_979F45
; 

loc_979CB4:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+30Cj
		push	3Ah		; wchar_t
		push	ebx		; wchar_t *
		mov	[ebp+var_24], ebx
		mov	esi, ebx
		call	_wcschr
		mov	edx, eax
		pop	ecx
		pop	ecx
		test	edx, edx
		jz	loc_979F29
		xor	eax, eax
		mov	ecx, offset ??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@
		mov	[edx], ax
		add	edx, 2
		mov	[ebp+var_1C], edx
		mov	ebx, edx

loc_979CDF:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+C3j
		mov	ax, [esi]
		cmp	ax, [ecx]
		jnz	short loc_979D07
		test	ax, ax
		jz	short loc_979D01
		mov	ax, [esi+2]
		cmp	ax, [ecx+2]
		jnz	short loc_979D07
		add	esi, 4
		add	ecx, 4
		test	ax, ax
		jnz	short loc_979CDF

loc_979D01:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+AEj
		xor	esi, esi
		mov	eax, esi
		jmp	short loc_979D0C
; 

loc_979D07:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+A9j
					; PiDevCfgQueryIncludedDriverConfigurations(x)+B8j
		sbb	eax, eax
		or	eax, 1

loc_979D0C:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+C9j
		neg	eax
		push	2Eh		; wchar_t
		sbb	eax, eax
		and	eax, [ebp+var_24]
		push	edx		; wchar_t *
		mov	[ebp+var_20], eax
		call	_wcsrchr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_979F29
		xor	ecx, ecx
		mov	edx, offset ??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@
		mov	[eax], cx
		add	eax, 2
		mov	ebx, eax
		mov	ecx, eax
		mov	[ebp+var_14], ebx

loc_979D3C:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+120j
		mov	si, [ecx]
		cmp	si, [edx]
		jnz	short loc_979D64
		test	si, si
		jz	short loc_979D5E
		mov	si, [ecx+2]
		cmp	si, [edx+2]
		jnz	short loc_979D64
		add	ecx, 4
		add	edx, 4
		test	si, si
		jnz	short loc_979D3C

loc_979D5E:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+10Bj
		xor	edx, edx
		mov	ecx, edx
		jmp	short loc_979D6B
; 

loc_979D64:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+106j
					; PiDevCfgQueryIncludedDriverConfigurations(x)+115j
		sbb	ecx, ecx
		or	ecx, 1
		xor	edx, edx

loc_979D6B:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+126j
		test	ecx, ecx
		jnz	short loc_979D75
		or	[ebp+var_C], 0FFFFFFFFh
		jmp	short loc_979DCF
; 

loc_979D75:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+131j
		mov	ebx, eax
		mov	[ebp+var_C], edx
		mov	[ebp+var_14], ebx
		cmp	[eax], dx
		jz	short loc_979DCF
		mov	edi, edx

loc_979D84:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+18Bj
		push	2Ch		; wchar_t
		push	ebx		; wchar_t *
		call	_wcschr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jz	short loc_979D9E
		xor	eax, eax
		mov	[esi], ax
		add	esi, 2
		jmp	short loc_979DB7
; 

loc_979D9E:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+156j
		mov	ecx, ebx
		xor	esi, esi
		lea	edx, [ecx+2]

loc_979DA5:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+172j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_979DA5
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [ebx+ecx*2]

loc_979DB7:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+160j
		mov	ecx, ebx	; wchar_t *
		call	_PiDevCfgGetDriverConfigurationKeyScope@4 ; PiDevCfgGetDriverConfigurationKeyScope(x)
		xor	edx, edx
		or	edi, eax
		mov	ebx, esi
		cmp	[esi], dx
		jnz	short loc_979D84
		mov	[ebp+var_C], edi
		mov	[ebp+var_14], esi

loc_979DCF:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+137j
					; PiDevCfgQueryIncludedDriverConfigurations(x)+144j
		push	[ebp+var_1C]
		lea	eax, [ebp+var_38]
		mov	[ebp+var_10], edx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_4]
		add	eax, 0D8h
		mov	[ebp+var_24], eax
		mov	esi, [eax]
		cmp	esi, eax
		jz	short loc_979E40
		mov	ebx, [ebp+var_20]
		mov	edi, eax

loc_979DF4:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+1EFj
		push	1
		lea	eax, [ebp+var_38]
		mov	[ebp+var_10], esi
		push	eax
		lea	eax, [esi+2Ch]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_979E22
		mov	eax, esi
		test	ebx, ebx
		jz	short loc_979E32
		push	ebx		; wchar_t *
		push	dword ptr [esi+18h] ; wchar_t *
		mov	[ebp+var_28], esi
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_979E2F

loc_979E22:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+1CCj
		mov	esi, [esi]
		xor	eax, eax
		mov	[ebp+var_10], eax
		cmp	esi, edi
		jnz	short loc_979DF4
		jmp	short loc_979E32
; 

loc_979E2F:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+1E4j
		mov	eax, [ebp+var_28]

loc_979E32:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+1D2j
					; PiDevCfgQueryIncludedDriverConfigurations(x)+1F1j
		mov	edi, [ebp+var_8]
		mov	ebx, [ebp+var_14]
		test	eax, eax
		jnz	loc_979F29

loc_979E40:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+1B1j
		mov	edx, [ebp+var_20] ; wchar_t *
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_18] ; int
		push	eax		; int
		push	[ebp+var_C]	; int
		push	[ebp+var_1C]	; void *
		call	_PiDevCfgQueryIncludedDriverNode@20 ; PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	edi, edi
		js	loc_979F5A
		mov	eax, [ebp+var_24]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_979F72
		mov	esi, [ebp+var_10]
		mov	[esi+4], ecx
		mov	[esi], eax
		mov	[ecx], esi
		mov	ecx, esi
		mov	[eax+4], esi
		call	_PiDevCfgQueryDriverConfiguration@4 ; PiDevCfgQueryDriverConfiguration(x)
		mov	edi, eax
		test	edi, edi
		js	loc_979C6A
		mov	ecx, [ebp+var_4]
		xor	edi, edi
		cmp	[esi+0B4h], edi
		jz	short loc_979EBF
		cmp	[ecx+0B4h], edi
		jnz	short loc_979EBF
		lea	edx, [esi+0B0h]
		add	ecx, 0B0h
		call	_PnpDuplicateUnicodeString@8 ; PnpDuplicateUnicodeString(x,x)
		test	al, al
		jz	loc_979F50
		mov	ecx, [ebp+var_4]

loc_979EBF:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+25Dj
					; PiDevCfgQueryIncludedDriverConfigurations(x)+265j
		cmp	[esi+0BCh], edi
		jz	short loc_979EE8
		push	edi		; void *
		lea	eax, [esi+0B8h]
		add	ecx, 0B8h
		push	eax		; size_t
		xor	edx, edx
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_979C6A
		xor	edi, edi

loc_979EE8:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+289j
		cmp	[esi+0C4h], edi
		jz	short loc_979F12
		mov	ecx, [ebp+var_4]
		lea	eax, [esi+0C0h]
		push	edi		; void *
		push	eax		; size_t
		xor	edx, edx
		lea	ecx, [ecx+0C0h]
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_979C6A

loc_979F12:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+2B2j
		mov	edx, esi
		lea	ecx, [ebp+var_30]
		call	_PiDevCfgPushDriverNodeEntry@8 ; PiDevCfgPushDriverNodeEntry(x,x)
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	edi, edi
		js	loc_979C6A

loc_979F29:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+8Bj
					; PiDevCfgQueryIncludedDriverConfigurations(x)+E6j ...
		mov	ecx, ebx
		xor	esi, esi
		lea	edx, [ecx+2]

loc_979F30:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+2FDj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_979F30
		sub	ecx, edx
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]
		add	ebx, 2

loc_979F45:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+73j
		cmp	[ebx], si
		jnz	loc_979CB4
		jmp	short loc_979F65
; 

loc_979F50:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+27Aj
		mov	edi, 0C000009Ah
		mov	[ebp+var_8], edi
		jmp	short loc_979F63
; 

loc_979F5A:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+220j
		mov	eax, [ebp+var_4]
		mov	[eax+0F4h], edi

loc_979F63:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+31Cj
		xor	esi, esi

loc_979F65:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+52j
					; PiDevCfgQueryIncludedDriverConfigurations(x)+312j
		test	edi, edi
		jns	loc_979C93
		jmp	loc_979C6A
; 

loc_979F72:				; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+22Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PiDevCfgQueryIncludedDriverConfigurations@4 endp ; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PiDevCfgQueryIncludedDriverNode(int,wchar_t *,void *,int,int)
_PiDevCfgQueryIncludedDriverNode@20 proc near
					; CODE XREF: PiDevCfgQueryIncludedDriverConfigurations(x)+214p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jz	loc_97A047
		push	dword ptr [edi+18h] ; wchar_t *
		push	ebx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_979FD7
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		mov	ecx, [edi+8]
		push	eax
		call	_PiDevCfgOpenDriverConfiguration@12 ; PiDevCfgOpenDriverConfiguration(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_97A03D
		test	esi, esi
		js	loc_97A368
		jmp	loc_97A079
; 

loc_979FD7:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+38j
		lea	edx, [ebp+var_1C]
		mov	ecx, ebx
		call	_PiDevCfgGetDriverPackageId@8 ;	PiDevCfgGetDriverPackageId(x,x)
		mov	esi, eax
		mov	edi, 0C0000034h
		cmp	esi, edi
		jz	loc_97A1BA
		test	esi, esi
		js	loc_97A368
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	20019h
		push	8
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		cmp	esi, edi
		jz	loc_97A1BA
		test	esi, esi
		js	loc_97A368
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_PiDevCfgOpenDriverConfiguration@12 ; PiDevCfgOpenDriverConfiguration(x,x,x)
		mov	esi, eax
		cmp	esi, edi
		jnz	short loc_97A0B3

loc_97A03D:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+51j
		mov	esi, 0C0000492h
		jmp	loc_97A368
; 

loc_97A047:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+25j
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		mov	ecx, [edi+8]
		push	eax
		call	_PiDevCfgOpenDriverConfiguration@12 ; PiDevCfgOpenDriverConfiguration(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_97A066
		xor	eax, eax
		mov	esi, eax
		jmp	short loc_97A070
; 

loc_97A066:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+E7j
		test	esi, esi
		js	loc_97A368
		xor	eax, eax

loc_97A070:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+EDj
		cmp	[ebp+var_8], 0
		jz	short loc_97A0C0
		mov	ebx, [edi+18h]

loc_97A079:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+5Bj
		lea	edx, [edi+1Ch]
		lea	ecx, [ebp+var_1C]
		call	_PnpDuplicateUnicodeString@8 ; PnpDuplicateUnicodeString(x,x)
		test	al, al
		jz	loc_97A1B0
		mov	eax, _PiPnpRtlCtx
		mov	edx, [edi+8]
		test	eax, eax
		jnz	short loc_97A09C
		mov	ecx, eax
		jmp	short loc_97A09F
; 

loc_97A09C:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+11Fj
		mov	ecx, [eax+74h]

loc_97A09F:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+123j
		lea	eax, [ebp+var_4]
		push	eax
		push	20019h
		xor	eax, eax
		push	eax
		push	eax
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax

loc_97A0B3:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+C4j
		test	esi, esi
		js	loc_97A368
		jmp	loc_97A195
; 

loc_97A0C0:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+FDj
		mov	ebx, [edi+0CCh]
		test	ebx, ebx
		jnz	short loc_97A0D4

loc_97A0CA:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+218j
		mov	esi, 0C0000492h
		jmp	loc_97A376
; 

loc_97A0D4:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+151j
		cmp	[ebx], ax
		jz	loc_97A183
		mov	edi, 0C0000034h

loc_97A0E2:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+1FFj
		lea	edx, [ebp+var_1C]
		mov	ecx, ebx
		call	_PiDevCfgGetDriverPackageId@8 ;	PiDevCfgGetDriverPackageId(x,x)
		mov	esi, eax
		cmp	esi, edi
		jz	loc_97A1BA
		test	esi, esi
		js	loc_97A368
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	20019h
		push	8
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		cmp	esi, edi
		jz	short loc_97A17E
		test	esi, esi
		js	loc_97A368
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_PiDevCfgOpenDriverConfiguration@12 ; PiDevCfgOpenDriverConfiguration(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_97A18B
		cmp	esi, edi
		jnz	short loc_97A183
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		lea	eax, [ebp+var_1C]
		xor	esi, esi
		push	eax
		mov	[ebp+var_4], esi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_97A15E:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+1F0j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_97A15E
		sub	ecx, edx
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]
		add	ebx, 2
		cmp	[ebx], si
		jnz	loc_97A0E2
		jmp	short loc_97A18B
; 

loc_97A17E:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+1A9j
		mov	esi, 0C0000491h

loc_97A183:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+160j
					; PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+1CAj
		test	esi, esi
		js	loc_97A368

loc_97A18B:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+1C6j
					; PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+205j
		cmp	[ebp+var_8], 0
		jz	loc_97A0CA

loc_97A195:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+144j
		push	63647050h
		mov	esi, 0F8h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_10], edi
		test	edi, edi
		jnz	short loc_97A1C4

loc_97A1B0:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+10Fj
		mov	esi, 0C000009Ah
		jmp	loc_97A368
; 

loc_97A1BA:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+73j
					; PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+A3j ...
		mov	esi, 0C0000491h
		jmp	loc_97A368
; 

loc_97A1C4:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+237j
		push	esi		; size_t
		xor	eax, eax
		push	eax		; int
		push	edi		; void *
		call	_memset
		lea	eax, [edi+88h]
		mov	dword ptr [edi+6Ch], 20h
		mov	[eax+4], eax
		add	esp, 0Ch
		mov	[eax], eax
		lea	eax, [edi+80h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+0D8h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [edi+14h]
		push	ebx		; void *
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jnz	short loc_97A211

loc_97A207:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+2A7j
					; PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+2B7j
		mov	esi, 0C000009Ah
		jmp	loc_97A34D
; 

loc_97A211:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+28Ej
		lea	ecx, [edi+1Ch]
		lea	edx, [ebp+var_1C]
		call	_PnpDuplicateUnicodeString@8 ; PnpDuplicateUnicodeString(x,x)
		test	al, al
		jz	short loc_97A207
		push	[ebp+arg_0]	; void *
		lea	eax, [edi+2Ch]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	short loc_97A207
		mov	eax, [ebp+arg_4]
		xor	ebx, ebx
		mov	[edi+34h], eax
		mov	edx, offset ??_C@_1BK@KMOEEMNF@?$AAI?$AAn?$AAc?$AAl?$AAu?$AAd?$AAe?$AAS?$AAc?$AAo?$AAp?$AAe@NNGAKEGL@
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		call	IopGetRegistryValue
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_97A25B
		mov	esi, ebx
		jmp	loc_97A330
; 

loc_97A25B:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+2DBj
		test	esi, esi
		js	loc_97A34D
		mov	ebx, [ebp+var_C]
		mov	ecx, ebx
		call	_PnpValidateRegistryMultiSz@4 ;	PnpValidateRegistryMultiSz(x)
		test	al, al
		jnz	short loc_97A27B
		mov	esi, 0C0000001h
		jmp	loc_97A350
; 

loc_97A27B:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+2F8j
		mov	ebx, [ebx+8]
		add	ebx, [ebp+var_C]
		jmp	loc_97A31E
; 

loc_97A286:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+3ADj
		mov	edx, offset ??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@
		mov	eax, ebx

loc_97A28D:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+348j
		mov	di, [eax]
		cmp	di, [edx]
		mov	word ptr [ebp+arg_0+2],	di
		mov	edi, [ebp+var_10]
		jnz	short loc_97A2C7
		cmp	word ptr [ebp+arg_0+2],	0
		jz	short loc_97A2C1
		mov	di, [eax+2]
		cmp	di, [edx+2]
		mov	word ptr [ebp+arg_0+2],	di
		mov	edi, [ebp+var_10]
		jnz	short loc_97A2C7
		add	eax, 4
		add	edx, 4
		cmp	word ptr [ebp+arg_0+2],	0
		jnz	short loc_97A28D

loc_97A2C1:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+32Aj
		xor	edx, edx
		mov	eax, edx
		jmp	short loc_97A2CE
; 

loc_97A2C7:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+323j
					; PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+33Bj
		sbb	eax, eax
		or	eax, 1
		xor	edx, edx

loc_97A2CE:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+34Ej
		test	eax, eax
		jz	short loc_97A32C
		mov	byte ptr [ebp+arg_0+3],	1
		cmp	cx, 2Bh
		jz	short loc_97A2E5
		cmp	cx, 2Dh
		jnz	short loc_97A2E8
		mov	byte ptr [ebp+arg_0+3],	dl

loc_97A2E5:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+363j
		add	ebx, 2

loc_97A2E8:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+369j
		mov	ecx, ebx	; wchar_t *
		call	_PiDevCfgGetDriverConfigurationKeyScope@4 ; PiDevCfgGetDriverConfigurationKeyScope(x)
		cmp	byte ptr [ebp+arg_0+3],	0
		mov	ecx, [edi+34h]
		jz	short loc_97A2FC
		or	ecx, eax
		jmp	short loc_97A300
; 

loc_97A2FC:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+37Fj
		not	eax
		and	ecx, eax

loc_97A300:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+383j
		mov	[edi+34h], ecx
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_97A308:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+39Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_14]
		jnz	short loc_97A308
		sub	ecx, edx
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]
		add	ebx, 2

loc_97A31E:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+30Aj
		movzx	ecx, word ptr [ebx]
		test	cx, cx
		jnz	loc_97A286
		jmp	short loc_97A330
; 

loc_97A32C:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+359j
		or	dword ptr [edi+34h], 0FFFFFFFFh

loc_97A330:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+2DFj
					; PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+3B3j
		mov	eax, [ebp+var_4]
		mov	[edi+8], eax
		mov	eax, [ebp+var_8]
		mov	[edi+10h], eax
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		xor	eax, eax
		mov	edi, eax

loc_97A34D:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+295j
					; PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+2E6j
		mov	ebx, [ebp+var_C]

loc_97A350:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+2FFj
		test	edi, edi
		jz	short loc_97A35B
		mov	ecx, edi
		call	_PiDevCfgFreeDriverNode@4 ; PiDevCfgFreeDriverNode(x)

loc_97A35B:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+3DBj
		test	ebx, ebx
		jz	short loc_97A368
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97A368:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+55j
					; PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+7Bj ...
		cmp	[ebp+var_8], 0
		jz	short loc_97A376
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_97A376:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+158j
					; PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+3F5j
		cmp	[ebp+var_4], 0
		jz	short loc_97A384
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_97A384:				; CODE XREF: PiDevCfgQueryIncludedDriverNode(x,x,x,x,x)+403j
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PiDevCfgQueryIncludedDriverNode@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgQueryPolicyEnabled(x, x, x)
_PiDevCfgQueryPolicyEnabled@12 proc near
					; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+131p
					; PiDevCfgEnforceDevicePolicy(x,x,x)+152p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	eax
		xor	esi, esi
		mov	byte ptr [ebx],	0
		push	esi
		call	IopGetRegistryValue
		mov	ecx, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_97A3D5
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_97A3CD
		mov	eax, [ecx+8]
		mov	esi, [ecx+eax]

loc_97A3CD:				; CODE XREF: PiDevCfgQueryPolicyEnabled(x,x,x)+2Fj
		cmp	esi, 1
		setz	al
		mov	[ebx], al

loc_97A3D5:				; CODE XREF: PiDevCfgQueryPolicyEnabled(x,x,x)+26j
		test	ecx, ecx
		jz	short loc_97A3E1
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97A3E1:				; CODE XREF: PiDevCfgQueryPolicyEnabled(x,x,x)+41j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiDevCfgQueryPolicyEnabled@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgQueryPolicyStringList(x, x,	x)
_PiDevCfgQueryPolicyStringList@12 proc near
					; CODE XREF: PiDevCfgEnforceDevicePolicy(x,x,x)+179p
					; PiDevCfgEnforceDevicePolicy(x,x,x)+19Ap ...

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_5C], eax
		push	0Ah
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_50], edx
		lea	edi, [ebp+var_34]
		mov	[ebp+var_48], esi
		rep stosd
		xor	ebx, ebx
		lea	eax, [ebp+var_38]
		push	eax
		xor	edi, edi
		mov	[ebp+var_58], ebx
		push	edi
		mov	ecx, esi
		mov	[ebp+var_54], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_4C], ebx
		call	IopGetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	loc_97A65F
		mov	ecx, [ebp+var_38]
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_97A458
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	[ebp+var_40], eax

loc_97A458:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+63j
		push	edi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+var_40], 1
		jz	short loc_97A46F

loc_97A465:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+EEj
		mov	esi, 0C0000225h
		jmp	loc_97A66E
; 

loc_97A46F:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+79j
		push	[ebp+var_50]
		lea	eax, [ebp+var_58]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_48]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	20019h
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_74], 18h
		push	eax
		mov	[ebp+var_68], 240h
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97A66E
		lea	eax, [ebp+var_4C]
		push	eax
		push	28h
		lea	eax, [ebp+var_34]
		push	eax
		push	4
		push	[ebp+var_3C]
		call	NtQueryKey
		mov	esi, eax
		test	esi, esi
		js	loc_97A66E
		cmp	[ebp+var_20], ebx
		jz	short loc_97A465
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+var_18]
		push	63647050h
		lea	eax, [eax+ecx*2]
		add	eax, 18h
		push	eax
		push	1
		mov	[ebp+var_48], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_97A506
		mov	esi, 0C000009Ah
		jmp	loc_97A66E
; 

loc_97A506:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+110j
		mov	esi, [ebp+var_18]
		imul	esi, [ebp+var_20]
		add	esi, 2

loc_97A510:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+23Dj
		test	ebx, ebx
		jz	short loc_97A51C
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97A51C:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+128j
		push	63647050h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_97A658
		lea	eax, [ebp+var_4C]
		shr	esi, 1
		push	eax
		push	[ebp+var_48]
		xor	ecx, ecx
		mov	[ebp+var_50], esi
		push	edi
		push	1
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_44], ecx
		push	ecx
		jmp	loc_97A5FF
; 

loc_97A553:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+225j
		cmp	esi, 80000005h
		jnz	short loc_97A586
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4C]
		push	63647050h
		push	eax
		push	1
		mov	[ebp+var_48], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_97A62C
		mov	eax, [ebp+var_44]
		dec	eax
		jmp	short loc_97A5F0
; 

loc_97A586:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+16Fj
		test	esi, esi
		js	loc_97A64A
		mov	ecx, edi
		call	_PnpValidateRegistryString@4 ; PnpValidateRegistryString(x)
		test	al, al
		jz	short loc_97A5ED
		mov	eax, [edi+8]
		add	eax, edi
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97A64A
		movzx	eax, word ptr [ebp+var_58+2]
		mov	ecx, [ebp+var_40]
		shr	eax, 1
		add	ecx, eax
		mov	eax, [ebp+var_50]
		mov	[ebp+var_40], ecx
		cmp	eax, ecx
		jbe	short loc_97A5ED
		mov	esi, [ebp+var_38]
		mov	edx, eax
		push	900h
		push	0
		push	0
		push	[ebp+var_54]
		sub	edx, esi
		lea	ecx, [ebx+esi*2]
		call	RtlStringCchCopyExW
		movzx	eax, word ptr [ebp+var_58+2]
		shr	eax, 1
		add	esi, eax
		mov	[ebp+var_38], esi

loc_97A5ED:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+1ADj
					; PiDevCfgQueryPolicyStringList(x,x,x)+1DBj
		mov	eax, [ebp+var_44]

loc_97A5F0:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+19Aj
		lea	ecx, [ebp+var_4C]
		inc	eax
		push	ecx
		push	[ebp+var_48]
		mov	[ebp+var_44], eax
		push	edi
		push	1
		push	eax

loc_97A5FF:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+164j
		push	[ebp+var_3C]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 8000001Ah
		jnz	loc_97A553
		mov	eax, [ebp+var_40]
		xor	esi, esi
		test	eax, eax
		jz	short loc_97A645
		inc	eax
		cmp	[ebp+var_50], eax
		jnb	short loc_97A633
		lea	esi, [eax+eax]
		jmp	loc_97A510
; 

loc_97A62C:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+190j
		mov	esi, 0C000009Ah
		jmp	short loc_97A64A
; 

loc_97A633:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+238j
		mov	eax, [ebp+var_38]
		xor	ecx, ecx
		mov	[ebx+eax*2], cx
		mov	eax, [ebp+var_5C]
		mov	[eax], ebx
		xor	ebx, ebx
		jmp	short loc_97A64A
; 

loc_97A645:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+232j
		mov	esi, 0C0000225h

loc_97A64A:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+19Ej
					; PiDevCfgQueryPolicyStringList(x,x,x)+1C2j ...
		test	ebx, ebx
		jz	short loc_97A662
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_97A662
; 

loc_97A658:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+143j
		mov	esi, 0C000009Ah
		jmp	short loc_97A662
; 

loc_97A65F:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+53j
		mov	edi, [ebp+var_38]

loc_97A662:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+262j
					; PiDevCfgQueryPolicyStringList(x,x,x)+26Cj ...
		test	edi, edi
		jz	short loc_97A66E
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97A66E:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+80j
					; PiDevCfgQueryPolicyStringList(x,x,x)+C7j ...
		cmp	[ebp+var_3C], 0
		jz	short loc_97A67C
		push	[ebp+var_3C]
		call	_ZwClose@4	; ZwClose(x)

loc_97A67C:				; CODE XREF: PiDevCfgQueryPolicyStringList(x,x,x)+288j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PiDevCfgQueryPolicyStringList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgRequestDriverConfigurations(x, x)
_PiDevCfgRequestDriverConfigurations@8 proc near
					; CODE XREF: PiDevCfgProcessDevice(x,x,x)+1AAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		xor	eax, eax
		mov	ecx, ebx
		and	[ebp+var_8], eax
		push	edi
		mov	[ebp+var_C], eax
		call	_PiDevCfgQueryDriverConfiguration@4 ; PiDevCfgQueryDriverConfiguration(x)
		mov	esi, eax
		cmp	esi, 0C0000493h
		jz	short loc_97A6C0
		test	esi, esi
		js	loc_97A74E

loc_97A6C0:				; CODE XREF: PiDevCfgRequestDriverConfigurations(x,x)+27j
		push	1		; void *
		push	0		; size_t
		lea	edx, [ebx+0E8h]
		lea	ecx, [ebp+var_C]
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97A74E
		sub	ebx, 0FFFFFF80h
		mov	edi, [ebx]
		jmp	short loc_97A70E
; 

loc_97A6DF:				; CODE XREF: PiDevCfgRequestDriverConfigurations(x,x)+81j
		mov	ecx, edi
		call	_PiDevCfgQueryDriverConfiguration@4 ; PiDevCfgQueryDriverConfiguration(x)
		mov	esi, eax
		cmp	esi, 0C0000493h
		jz	short loc_97A6F4
		test	esi, esi
		js	short loc_97A74E

loc_97A6F4:				; CODE XREF: PiDevCfgRequestDriverConfigurations(x,x)+5Fj
		push	1		; void *
		push	0		; size_t
		lea	edx, [edi+0E8h]
		lea	ecx, [ebp+var_C]
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97A74E
		mov	edi, [edi]

loc_97A70E:				; CODE XREF: PiDevCfgRequestDriverConfigurations(x,x)+4Ej
		cmp	edi, ebx
		jnz	short loc_97A6DF
		cmp	[ebp+var_8], 0
		jnz	short loc_97A71F
		mov	esi, 0C0000493h
		jmp	short loc_97A74E
; 

loc_97A71F:				; CODE XREF: PiDevCfgRequestDriverConfigurations(x,x)+87j
		movzx	eax, word ptr [ebp+var_C]
		push	0
		push	eax
		push	[ebp+var_8]
		mov	eax, [ebp+var_4]
		mov	edx, eax
		push	2012h
		push	offset _DEVPKEY_Device_RequestConfigurationIds
		push	ecx
		push	dword ptr [eax+8]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [eax+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_97A74E:				; CODE XREF: PiDevCfgRequestDriverConfigurations(x,x)+2Bj
					; PiDevCfgRequestDriverConfigurations(x,x)+47j	...
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiDevCfgRequestDriverConfigurations@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDevCfgResetDeviceDriverSettings(void *,int,int)
_PiDevCfgResetDeviceDriverSettings@20 proc near
					; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+CDFp
					; PpDevCfgProcessDeviceReset(x)+14Ap

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
Source2		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	[ebp+var_20], eax
		mov	ebx, edx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_28], ecx
		lea	edi, [ebp+Source2]
		xor	ecx, ecx
		stosd
		mov	esi, ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_30], ecx
		stosd
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_50], ecx
		stosd
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_44], ecx
		stosd
		xor	eax, eax
		mov	[ebp+var_40], eax

loc_97A7B1:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+7Cj
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	ds:off_A933B0[esi]
		mov	edx, ebx
		push	ecx
		push	dword ptr [ebx+8]
		mov	ecx, _PiPnpRtlCtx
		push	1
		push	dword ptr [ebx+4]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		add	esi, 4
		push	0
		pop	ecx
		cmp	esi, 44h
		jb	short loc_97A7B1
		mov	edx, [ebx+4]
		lea	eax, [ebp+var_44]
		push	ecx
		push	eax
		push	10h
		lea	eax, [ebp+Source2]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		push	offset _DEVPKEY_Device_BusTypeGuid
		push	ecx
		push	dword ptr [ebx+8]
		mov	ecx, _PiPnpRtlCtx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_97A80E
		cmp	[ebp+var_34], 0Dh
		jz	short loc_97A817

loc_97A80E:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+A8j
		xor	eax, eax
		lea	edi, [ebp+Source2]
		stosd
		stosd
		stosd
		stosd

loc_97A817:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+AEj
		push	2
		pop	ecx
		mov	edi, offset off_A3FD90
		mov	[ebp+var_24], ecx

loc_97A822:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+227j
		mov	esi, [edi-4]
		test	esi, esi
		jz	loc_97A91B
		cmp	[ebp+arg_0], 0
		jz	short loc_97A848
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_97A867
		mov	ecx, [ebp+var_24]

loc_97A848:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+D3j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	loc_97A97C
		push	10h		; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_97A976

loc_97A867:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+E5j
		xor	esi, esi

loc_97A869:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+1E3j
		mov	edx, [ebx+4]
		lea	eax, [ebp+var_1C]
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	eax
		push	1
		push	0F003Fh
		push	esi
		push	dword ptr [edi+4]
		call	_CmOpenDeviceRegKey
		test	eax, eax
		js	loc_97A976
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_97A8EF
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_70]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		mov	[ebp+var_70], 18h
		mov	[ebp+var_64], 240h
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		push	[ebp+var_1C]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_97A976
		mov	eax, [ebp+var_30]
		xor	esi, esi
		mov	[ebp+var_1C], eax

loc_97A8EF:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+136j
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	short loc_97A946
		mov	esi, [ebp+var_1C]
		and	[ebp+var_58], 0
		and	[ebp+var_54], 0
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_97A96E
		lea	eax, [ebp+var_58]
		push	eax
		push	esi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	short loc_97A96E
; 

loc_97A91B:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+C9j
		xor	esi, esi
		cmp	[edi], esi
		jz	short loc_97A979
		lea	ecx, [ebp+Source2] ; Source2
		call	_PnpIsNullGuid@4 ; PnpIsNullGuid(x)
		test	al, al
		jnz	short loc_97A976
		push	10h		; size_t
		lea	eax, [ebp+Source2]
		push	eax		; void *
		push	dword ptr [edi]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_97A976
		jmp	loc_97A869
; 

loc_97A946:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+196j
		cmp	[edi+8], esi
		jz	short loc_97A96E
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_97A962
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_97A962
		mov	ecx, [eax+4]
		push	esi
		push	ecx
		jmp	short loc_97A964
; 

loc_97A962:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+1F4j
					; PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+1FBj
		push	esi
		push	esi

loc_97A964:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+202j
		mov	ecx, [ebp+var_1C]
		xor	edx, edx
		call	_RegRtlDeleteTreeInternal

loc_97A96E:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+1AFj
					; PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+1BBj ...
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_97A976:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+103j
					; PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+12Bj ...
		mov	ecx, [ebp+var_24]

loc_97A979:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+1C1j
		mov	eax, [ebp+var_20]

loc_97A97C:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+EFj
		add	edi, 14h
		sub	ecx, 1
		mov	[ebp+var_24], ecx
		jnz	loc_97A822
		test	eax, eax
		jz	short loc_97A9F5
		cmp	[ebp+arg_0], 0
		jz	short loc_97A9AA
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_97A9F5
		mov	eax, [ebp+var_20]

loc_97A9AA:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+235j
		push	1
		lea	edx, [ebp+var_40]
		mov	ecx, eax
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97AA14
		mov	edx, [ebp+var_3C]
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	20019h
		push	2
		call	_PnpOpenObjectRegKey
		mov	edi, [ebp+var_28]
		test	eax, eax
		js	short loc_97A9FB
		push	[ebp+var_2C]
		mov	edx, ebx
		mov	ecx, edi
		call	_PiDevCfgResetDeviceKeys@12 ; PiDevCfgResetDeviceKeys(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97AA14
		jmp	short loc_97A9FB
; 

loc_97A9F5:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+22Fj
					; PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+247j
		mov	edi, [ebp+var_28]
		mov	esi, [ebp+var_38]

loc_97A9FB:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+281j
					; PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+295j
		cmp	[ebp+arg_0], 0
		jz	short loc_97AA14
		mov	eax, [ebp+var_48]
		test	eax, eax
		jz	short loc_97AA14
		push	eax
		mov	edx, ebx
		mov	ecx, edi
		call	_PiDevCfgResetDeviceKeys@12 ; PiDevCfgResetDeviceKeys(x,x,x)
		mov	esi, eax

loc_97AA14:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+25Cj
					; PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+293j ...
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_2C], 0
		jz	short loc_97AA2B
		push	[ebp+var_2C]
		call	_ZwClose@4	; ZwClose(x)

loc_97AA2B:				; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+2C3j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PiDevCfgResetDeviceDriverSettings@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgResetDeviceKeyCallback(x, x, x, x, x, x)
_PiDevCfgResetDeviceKeyCallback@24 proc	near ; DATA XREF: PiDevCfgResetDeviceKeys(x,x,x)+6Fo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		cmp	dword ptr [eax+0Ch], 10h
		jnz	short loc_97AA7A
		push	offset ??_C@_1BG@COALCEMK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAi?$AAe?$AAs@NNGAKEGL@ ; wchar_t *
		push	dword ptr [eax]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_97AA7A
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+4]
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		push	0
		push	0
		push	1
		push	1
		push	eax
		call	_PiDevCfgCopyDeviceKey@28 ; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)
		jmp	short loc_97AA88
; 

loc_97AA7A:				; CODE XREF: PiDevCfgResetDeviceKeyCallback(x,x,x,x,x,x)+Cj
					; PiDevCfgResetDeviceKeyCallback(x,x,x,x,x,x)+1Ej
		mov	edx, [ebp+arg_10]
		push	0
		push	ecx
		mov	ecx, [ebp+arg_C]
		call	_PiDevCfgCopyDeviceKeys@16 ; PiDevCfgCopyDeviceKeys(x,x,x,x)

loc_97AA88:				; CODE XREF: PiDevCfgResetDeviceKeyCallback(x,x,x,x,x,x)+3Aj
		pop	ebp
		retn	18h
_PiDevCfgResetDeviceKeyCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgResetDeviceKeys(x, x, x)
_PiDevCfgResetDeviceKeys@12 proc near	; CODE XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+28Ap
					; PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+2AFp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		push	28h
		pop	eax
		mov	word ptr [ebp+var_10+2], ax
		mov	ebx, ecx
		push	26h
		pop	eax
		mov	word ptr [ebp+var_10], ax
		xor	ecx, ecx
		mov	eax, [ebp+arg_0]
		mov	edi, edx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_C], offset ??_C@_1CI@IBANAFHK@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AA?2?$AAR@NNGAKEGL@
		push	eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_28], 18h
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_97AAF5
		xor	esi, esi
		jmp	short loc_97AB12
; 

loc_97AAF5:				; CODE XREF: PiDevCfgResetDeviceKeys(x,x,x)+63j
		test	esi, esi
		js	short loc_97AB12
		push	0
		push	offset _PiDevCfgResetDeviceKeyCallback@24 ; PiDevCfgResetDeviceKeyCallback(x,x,x,x,x,x)
		push	0
		push	0FFFFFFFFh
		push	[ebp+var_8]
		mov	edx, edi
		mov	ecx, ebx
		call	_PiDevCfgEnumDeviceKeys@28 ; PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)
		mov	esi, eax

loc_97AB12:				; CODE XREF: PiDevCfgResetDeviceKeys(x,x,x)+67j
					; PiDevCfgResetDeviceKeys(x,x,x)+6Bj
		cmp	[ebp+var_8], 0
		jz	short loc_97AB20
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_97AB20:				; CODE XREF: PiDevCfgResetDeviceKeys(x,x,x)+8Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiDevCfgResetDeviceKeys@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiDevCfgResolveMultiSzValue(int,size_t,void *,int,int,int)
_PiDevCfgResolveMultiSzValue@32	proc near
					; CODE XREF: PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+431p
					; PiDevCfgCopyDeviceKey(x,x,x,x,x,x,x)+543p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	eax, ecx
		mov	ebx, edx
		mov	ecx, [ebp+arg_10]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], ebx
		mov	[ecx], edi
		mov	ecx, [ebp+arg_14]
		mov	[ebp+var_4], eax
		mov	[ebp+var_14], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		mov	[ecx], edi
		test	eax, eax
		jz	short loc_97ABBF
		cmp	eax, 2
		jbe	short loc_97AB7F
		cmp	eax, 7
		jnz	short loc_97ABBF
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	_PnpValidateMultiSzData@8 ; PnpValidateMultiSzData(x,x)
		test	al, al
		jnz	short loc_97AB92

loc_97AB78:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+59j
					; PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+67j
		mov	ecx, 0C0000001h
		jmp	short loc_97ABD8
; 

loc_97AB7F:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+3Aj
		cmp	ebx, 2
		jb	short loc_97AB78
		mov	esi, [ebp+arg_0]
		mov	eax, ebx
		shr	eax, 1
		cmp	[esi+eax*2-2], di
		jnz	short loc_97AB78

loc_97AB92:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+4Dj
		mov	edx, [ebp+arg_C]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+arg_8]
		push	eax
		push	edi
		call	IopGetRegistryValue
		mov	ecx, eax
		mov	[ebp+arg_C], ecx
		test	ecx, ecx
		js	loc_97ADD9
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		call	_PnpValidateRegistryMultiSz@4 ;	PnpValidateRegistryMultiSz(x)
		test	al, al
		jnz	short loc_97ABE1
		xor	edi, edi

loc_97ABBF:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+35j
					; PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+3Fj
		mov	ecx, 0C0000001h

loc_97ABC4:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+FAj
		mov	[ebp+arg_C], ecx

loc_97ABC7:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+169j
					; PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+2B6j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_97ABD8
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+arg_C]

loc_97ABD8:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+54j
					; PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+A3j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	18h
; 

loc_97ABE1:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+92j
		test	[ebp+arg_4], 40000h
		jz	loc_97AD30
		mov	eax, [ebp+var_8]
		mov	ecx, [eax+8]
		mov	edi, [eax+0Ch]
		add	ecx, eax
		mov	[ebp+arg_8], ecx
		test	edi, edi
		jnz	short loc_97AC03
		push	2
		pop	edi

loc_97AC03:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+D5j
		lea	eax, [edi+ebx]
		push	63647050h
		push	eax
		push	1
		mov	[ebp+var_10], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_97AC25

loc_97AC1C:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+21Aj
					; PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+2E6j
		mov	ecx, 0C000009Ah
		xor	edi, edi
		jmp	short loc_97ABC4
; 

loc_97AC25:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+F1j
		cmp	edi, 2
		jbe	short loc_97AC41
		push	edi		; size_t
		push	[ebp+arg_8]	; void *
		push	ebx		; void *
		call	_memcpy
		lea	edx, [edi-2]
		add	esp, 0Ch
		mov	[ebp+arg_0], edx
		xor	ecx, ecx
		jmp	short loc_97AC48
; 

loc_97AC41:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+FFj
		xor	ecx, ecx
		mov	edx, ecx
		mov	[ebp+arg_0], ecx

loc_97AC48:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+116j
		mov	eax, [ebp+arg_4]
		and	eax, 20000h
		cmp	[ebp+var_4], 7
		jnz	loc_97ACFA
		test	eax, eax
		jz	short loc_97AC97
		push	[ebp+var_C]	; size_t
		lea	eax, [edx+ebx]
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		mov	edi, [ebp+var_10]
		add	esp, 0Ch
		add	edi, 0FFFFFFFEh

loc_97AC74:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+171j
					; PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+1CCj ...
		mov	ecx, [ebp+arg_C]

loc_97AC77:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+302j
		test	ebx, ebx
		jz	short loc_97AC86
		mov	eax, edi
		shr	eax, 1
		xor	edx, edx
		mov	[ebx+eax*2-2], dx

loc_97AC86:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+150j
		mov	eax, [ebp+arg_10]
		mov	[eax], edi
		xor	edi, edi
		mov	eax, [ebp+arg_14]
		mov	[eax], ebx
		jmp	loc_97ABC7
; 

loc_97AC97:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+133j
		cmp	[esi], cx
		jz	short loc_97AC74

loc_97AC9C:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+1CAj
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_97ACA1:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+182j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_14]
		jnz	short loc_97ACA1
		sub	ecx, edx
		mov	edx, esi
		sar	ecx, 1
		push	ecx
		lea	eax, ds:2[ecx*2]
		mov	ecx, [ebp+arg_8]
		mov	[ebp+arg_4], eax
		call	_PnpMultiSzContainsString@12 ; PnpMultiSzContainsString(x,x,x)
		test	eax, eax
		jnz	short loc_97ACE6
		push	[ebp+arg_4]	; size_t
		mov	eax, [ebp+arg_0]
		add	eax, ebx
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		add	[ebp+arg_0], eax
		add	edi, eax
		jmp	short loc_97ACE9
; 

loc_97ACE6:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+19Fj
		mov	eax, [ebp+arg_4]

loc_97ACE9:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+1BBj
		shr	eax, 1
		lea	esi, [esi+eax*2]
		xor	eax, eax
		cmp	[esi], ax
		jnz	short loc_97AC9C
		jmp	loc_97AC74
; 

loc_97ACFA:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+12Bj
		test	eax, eax
		jnz	short loc_97AD16
		cmp	edi, 2
		jz	short loc_97AD16
		push	ecx
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_PnpMultiSzContainsString@12 ; PnpMultiSzContainsString(x,x,x)
		test	eax, eax
		jnz	loc_97AC74

loc_97AD16:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+1D3j
					; PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+1D8j
		push	[ebp+var_C]	; size_t
		mov	eax, [ebp+arg_0]
		add	eax, ebx
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		mov	edi, [ebp+var_10]
		add	esp, 0Ch
		jmp	loc_97AC74
; 

loc_97AD30:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+BFj
		push	63647050h
		push	dword ptr [edi+0Ch]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_97AC1C
		cmp	[ebp+var_4], 7
		jz	short loc_97AD59
		push	esi
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_97AD59:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+224j
		mov	ecx, [edi+8]
		add	ecx, edi
		xor	eax, eax
		push	2
		pop	edi
		mov	[ebp+arg_4], eax
		jmp	short loc_97ADCC
; 

loc_97AD68:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+2A9j
		push	ecx
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		cmp	[ebp+var_4], 7
		jnz	short loc_97AD87
		mov	edx, [ebp+var_18]
		push	ecx
		mov	ecx, esi
		call	_PnpMultiSzContainsString@12 ; PnpMultiSzContainsString(x,x,x)
		test	eax, eax
		jmp	short loc_97AD98
; 

loc_97AD87:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+24Dj
		push	1
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al

loc_97AD98:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+25Cj
		jnz	short loc_97ADB8
		movzx	esi, word ptr [ebp+var_1C]
		mov	eax, [ebp+arg_4]
		add	esi, 2
		push	esi		; size_t
		push	[ebp+var_18]	; void *
		add	eax, ebx
		push	eax		; void *
		call	_memcpy
		add	[ebp+arg_4], esi
		add	esp, 0Ch
		add	edi, esi

loc_97ADB8:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x):loc_97AD98j
		movzx	eax, word ptr [ebp+var_1C]
		mov	ecx, [ebp+arg_8]
		mov	esi, [ebp+arg_0]
		shr	eax, 1
		lea	ecx, [ecx+eax*2]
		add	ecx, 2
		xor	eax, eax

loc_97ADCC:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+23Dj
		mov	[ebp+arg_8], ecx
		cmp	[ecx], ax
		jnz	short loc_97AD68
		jmp	loc_97AC74
; 

loc_97ADD9:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+80j
		cmp	ecx, 0C0000034h
		jnz	loc_97ABC7
		test	[ebp+arg_4], 40000h
		mov	ecx, edi
		mov	[ebp+arg_C], ecx
		jz	short loc_97AE27
		cmp	[ebp+var_4], 7
		mov	edi, ebx
		jz	short loc_97ADFE
		lea	edi, [ebx+2]

loc_97ADFE:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+2D0j
		push	63647050h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_97AC1C
		push	[ebp+var_C]	; size_t
		push	esi		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_97AC74
; 

loc_97AE27:				; CODE XREF: PiDevCfgResolveMultiSzValue(x,x,x,x,x,x,x,x)+2C8j
		xor	eax, eax
		mov	ebx, eax
		jmp	loc_97AC77
_PiDevCfgResolveMultiSzValue@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgResolveVariable(x, x, x)
_PiDevCfgResolveVariable@12 proc near	; CODE XREF: PiDevCfgQueryResolveValue(x,x,x,x)+9Cp
					; PiDevCfgConfigureDeviceInterfaces(x,x,x)+264p ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		xor	eax, eax
		mov	[ebp+var_C], edx
		push	ebx
		push	esi
		push	edi
		mov	edi, eax
		mov	[ebp+var_30], eax
		mov	esi, ecx
		mov	[ebp+var_2C], eax
		mov	[ebp+var_24], esi
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], edi
		mov	[ebp+var_20], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_1C], eax
		cmp	[edx], di
		jnz	short loc_97AE77
		mov	ebx, 0C0000034h
		jmp	loc_97AEFA
; 

loc_97AE77:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+3Bj
		mov	eax, [ebp+arg_0]
		push	edx
		mov	[eax], edi
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_18]
		push	eax
		push	edi
		push	1
		lea	eax, [ebp+var_38]
		push	eax
		call	RtlHashUnicodeString
		test	eax, eax
		mov	eax, edi
		js	short loc_97AE9F
		mov	eax, [ebp+var_18]

loc_97AE9F:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+6Aj
		push	7Fh
		xor	edx, edx
		pop	ecx
		div	ecx
		mov	eax, [esi+0Ch]
		lea	eax, [eax+edx*8]
		mov	edi, [eax]
		mov	[ebp+var_18], eax
		cmp	edi, eax
		jz	short loc_97AF06
		mov	ebx, eax

loc_97AEB7:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+A4j
		push	1
		lea	eax, [edi+8]
		mov	esi, edi
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_97AED6
		mov	edi, [edi]
		xor	eax, eax
		mov	esi, eax
		cmp	edi, ebx
		jnz	short loc_97AEB7

loc_97AED6:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+9Aj
		mov	ebx, [ebp+var_2C]
		test	esi, esi
		jz	short loc_97AF03
		cmp	dword ptr [esi+10h], 0FFFFFFFFh
		jnz	loc_97B14D
		mov	ebx, 0C0000001h

loc_97AEEC:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+188j
					; PiDevCfgResolveVariable(x,x,x)+1C3j ...
		cmp	[ebp+var_8], 0
		jz	short loc_97AEFA
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_97AEFA:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+42j
					; PiDevCfgResolveVariable(x,x,x)+C0j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_97AF03:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+ABj
		mov	esi, [ebp+var_24]

loc_97AF06:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+83j
		mov	eax, [esi+8]
		xor	esi, esi
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_50]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_50], 18h
		push	eax
		mov	[ebp+var_44], 240h
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_97AFB2
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		mov	edx, offset ??_C@_11LOCGONAA@@LBKOJDO@
		call	IopGetRegistryValue
		mov	ebx, eax
		test	ebx, ebx
		js	loc_97B091
		mov	edi, [ebp+var_14]
		mov	ecx, edi
		call	_PnpValidateRegistryString@4 ; PnpValidateRegistryString(x)
		test	al, al
		jnz	short loc_97AF74
		mov	ebx, 0C0000001h
		jmp	loc_97B091
; 

loc_97AF74:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+138j
		mov	eax, [edi+8]
		add	eax, edi
		mov	[ebp+var_2C], eax

loc_97AF7C:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+166j
		push	eax		; wchar_t *
		push	ds:off_A3FAF0[esi*8] ; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_97AF9A
		mov	eax, [ebp+var_2C]
		inc	esi
		cmp	esi, 8
		jb	short loc_97AF7C
		jmp	short loc_97AFA8
; 

loc_97AF9A:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+15Dj
		mov	eax, ds:off_A3FAF4[esi*8]
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	short loc_97B016

loc_97AFA8:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+168j
		mov	ebx, 0C0000034h
		jmp	loc_97B08F
; 

loc_97AFB2:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+10Ej
		cmp	ebx, 0C0000034h
		jnz	loc_97AEEC
		mov	ebx, esi
		mov	edi, esi

loc_97AFC2:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+1ADj
		push	[ebp+var_C]	; wchar_t *
		push	ds:off_A3FC74[esi] ; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_97AFF8
		add	esi, 0Ch
		inc	edi
		cmp	esi, 30h
		jb	short loc_97AFC2

loc_97AFDF:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+1D0j
		mov	ecx, [ebp+var_C]
		lea	edx, [ebp+var_1C]
		call	_PnpStringToDwordValue@8 ; PnpStringToDwordValue(x,x)
		test	al, al
		jnz	short loc_97B010
		mov	ebx, 0C0000034h
		jmp	loc_97AEEC
; 

loc_97AFF8:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+1A4j
		imul	eax, edi, 0Ch
		add	eax, offset off_A3FC74
		jz	short loc_97AFDF
		mov	ecx, [eax+4]
		mov	edi, [eax+8]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_10], edi
		jmp	short loc_97B016
; 

loc_97B010:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+1BCj
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_10], eax

loc_97B016:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+176j
					; PiDevCfgResolveVariable(x,x,x)+1DEj
		push	63647050h
		push	1Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_97B031
		mov	ebx, 0C000009Ah
		jmp	short loc_97B08F
; 

loc_97B031:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+1F8j
		push	7
		xor	eax, eax
		mov	edi, esi
		pop	ecx
		rep stosd
		mov	ecx, [ebp+var_18]
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_97B15B
		push	[ebp+var_C]	; void *
		mov	[esi+4], eax
		mov	[esi], ecx
		mov	[eax], esi
		lea	eax, [esi+8]
		push	eax		; int
		mov	[ecx+4], esi
		call	RtlCreateUnicodeString
		test	al, al
		jnz	short loc_97B0A8

loc_97B062:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+2E2j
					; PiDevCfgResolveVariable(x,x,x)+312j
		mov	ebx, 0C000009Ah

loc_97B067:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+29Cj
					; PiDevCfgResolveVariable(x,x,x)+2A1j
		xor	edx, edx

loc_97B069:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+326j
		test	esi, esi
		jz	short loc_97B08F
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_97B15B
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_97B15B
		push	edx
		mov	[ecx], eax
		push	esi
		mov	[eax+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97B08F:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+17Dj
					; PiDevCfgResolveVariable(x,x,x)+1FFj ...
		xor	esi, esi

loc_97B091:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+126j
					; PiDevCfgResolveVariable(x,x,x)+13Fj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	loc_97AEEC
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_97AEEC
; 

loc_97B0A8:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+230j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_97B0D3
		or	dword ptr [esi+10h], 0FFFFFFFFh
		push	esi
		push	[ebp+var_8]
		push	[ebp+var_24]
		call	eax
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_97B14D
		cmp	ebx, 0C0000034h
		jnz	short loc_97B067
		add	ebx, 0FFFFFFCDh
		jmp	short loc_97B067
; 

loc_97B0D3:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+27Dj
		mov	edi, [ebp+var_28]
		test	edi, edi
		jz	short loc_97B127
		mov	ecx, edi
		mov	dword ptr [esi+10h], 1
		lea	edx, [ecx+2]

loc_97B0E6:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+2C0j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_30]
		jnz	short loc_97B0E6
		sub	ecx, edx
		sar	ecx, 1
		push	63647050h
		lea	eax, ds:2[ecx*2]
		push	eax
		push	1
		mov	[esi+14h], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+18h], eax
		test	eax, eax
		jz	loc_97B062
		push	dword ptr [esi+14h] ; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_97B14D
; 

loc_97B127:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+2A8j
		push	4
		pop	eax
		push	63647050h
		push	eax
		push	1
		mov	[esi+10h], eax
		mov	[esi+14h], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+18h], eax
		test	eax, eax
		jz	loc_97B062
		mov	ecx, [ebp+var_10]
		mov	[eax], ecx

loc_97B14D:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+B1j
					; PiDevCfgResolveVariable(x,x,x)+290j ...
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	[eax], esi
		mov	esi, edx
		jmp	loc_97B069
; 

loc_97B15B:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+212j
					; PiDevCfgResolveVariable(x,x,x)+242j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PiDevCfgResolveVariableConstant(x, x, x)
_PiDevCfgResolveVariableConstant@12:	; DATA XREF: PAGE:off_A3FAF4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		mov	edx, offset ??_C@_1M@LJBKIHIF@?$AAV?$AAa?$AAl?$AAu?$AAe@NNGAKEGL@ ; "Value"
		push	esi
		push	edi
		push	eax
		push	0
		call	IopGetRegistryValue
		mov	esi, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_97B1EC
		mov	ecx, esi
		call	_PnpValidateRegistryValue@4 ; PnpValidateRegistryValue(x)
		test	al, al
		jnz	short loc_97B19A
		mov	edi, 0C0000001h
		jmp	short loc_97B1EC
; 

loc_97B19A:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+361j
		mov	eax, [esi+4]
		push	ebx
		mov	ebx, [esi+0Ch]
		mov	[ebp+var_4], eax
		test	ebx, ebx
		jz	short loc_97B1DA
		push	63647050h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+arg_4], ecx
		test	ecx, ecx
		jnz	short loc_97B1C5
		mov	edi, 0C000009Ah
		jmp	short loc_97B1EB
; 

loc_97B1C5:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+38Cj
		mov	eax, [esi+8]
		push	ebx		; size_t
		add	eax, esi
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_4]
		add	esp, 0Ch
		jmp	short loc_97B1DC
; 

loc_97B1DA:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+376j
		xor	ecx, ecx

loc_97B1DC:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+3A8j
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+var_4]
		mov	[eax+10h], edx
		mov	[eax+14h], ebx
		mov	[eax+18h], ecx

loc_97B1EB:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+393j
		pop	ebx

loc_97B1EC:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+356j
					; PiDevCfgResolveVariable(x,x,x)+368j
		test	esi, esi
		jz	short loc_97B1F8
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97B1F8:				; CODE XREF: PiDevCfgResolveVariable(x,x,x)+3BEj
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn	0Ch
_PiDevCfgResolveVariable@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgResolveVariableDeviceProperty(x, x,	x)
_PiDevCfgResolveVariableDeviceProperty@12 proc near

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	edx, offset ??_C@_1BK@DPGDNAK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAy?$AAG?$AAu?$AAi?$AAd@NNGAKEGL@
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	[ebp+var_40], eax
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_20], eax
		lea	edi, [ebp+var_18]
		stosd
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_3C], ecx
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		xor	edi, edi
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_38], edi
		push	eax
		push	edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_30], edi
		call	IopGetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	loc_97B4DC
		mov	ebx, [ebp+var_20]
		mov	ecx, ebx
		call	_PnpValidateRegistryString@4 ; PnpValidateRegistryString(x)
		test	al, al
		jnz	short loc_97B278

loc_97B26E:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+EEj
					; PiDevCfgResolveVariableDeviceProperty(x,x,x)+18Ej ...
		mov	esi, 0C0000001h
		jmp	loc_97B4DF
; 

loc_97B278:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+6Cj
		mov	edx, [ebx+0Ch]
		lea	eax, [ebp+var_20]
		push	ecx
		mov	ecx, [ebx+8]
		push	eax
		add	ecx, ebx
		mov	[ebp+var_20], edi
		call	_PnpRegSzToString@16 ; PnpRegSzToString(x,x,x,x)
		mov	ax, word ptr [ebp+var_20]
		mov	word ptr [ebp+var_24], ax
		mov	ax, [ebx+0Ch]
		mov	word ptr [ebp+var_24+2], ax
		mov	eax, [ebx+8]
		add	eax, ebx
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97B4DF
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_3C]
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		mov	edx, offset ??_C@_1BG@OPBALPIK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAy?$AAI?$AAd@NNGAKEGL@
		mov	[ebp+var_20], edi
		call	IopGetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	loc_97B4DC
		mov	ebx, [ebp+var_20]
		mov	ecx, ebx
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	loc_97B26E
		mov	eax, [ebx+8]
		xor	edx, edx
		push	edi
		mov	ecx, 47706E50h
		mov	eax, [ebx+eax]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		mov	eax, [ebp+var_2C]
		push	edi
		push	edi
		push	1
		mov	eax, [eax]
		push	dword ptr [eax+18h]
		call	PnpGetObjectProperty
		mov	esi, eax
		test	esi, esi
		js	loc_97B4C2
		mov	eax, [ebp+var_38]
		mov	ecx, 2012h
		cmp	eax, ecx
		ja	loc_97B4B3
		jz	loc_97B49A
		cmp	eax, 19h
		ja	loc_97B4B3
		movzx	eax, ds:byte_97B53C[eax]
		jmp	ds:off_97B518[eax*4]

loc_97B35D:				; DATA XREF: PAGE:0097B534o
		mov	ebx, [ebp+var_28]
		cmp	ebx, 2
		jb	short loc_97B380
		mov	edi, [ebp+var_1C]
		mov	eax, ebx
		shr	eax, 1
		xor	ecx, ecx
		cmp	[edi+eax*2-2], cx
		jnz	short loc_97B380
		xor	eax, eax
		mov	[ebp+var_1C], ecx
		inc	eax
		jmp	loc_97B4D0
; 

loc_97B380:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+163j
					; PiDevCfgResolveVariableDeviceProperty(x,x,x)+173j ...
		mov	esi, 0C0000001h
		jmp	loc_97B4DC
; 

loc_97B38A:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+156j
					; DATA XREF: PAGE:0097B51Co
		cmp	[ebp+var_28], 1
		jnz	loc_97B26E
		push	4
		pop	ebx
		push	63647050h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_97B3B4

loc_97B3AA:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+1E2j
					; PiDevCfgResolveVariableDeviceProperty(x,x,x)+231j ...
		mov	esi, 0C000009Ah
		jmp	loc_97B4DC
; 

loc_97B3B4:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+1A8j
		mov	eax, [ebp+var_1C]
		movzx	eax, byte ptr [eax]

loc_97B3BA:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+1EAj
		mov	[edi], eax

loc_97B3BC:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+244j
		push	4
		pop	eax
		jmp	loc_97B4D0
; 

loc_97B3C4:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+156j
					; DATA XREF: PAGE:0097B520o
		cmp	[ebp+var_28], 2
		jnz	loc_97B26E
		push	4
		pop	ebx
		push	63647050h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_97B3AA
		mov	eax, [ebp+var_1C]
		movzx	eax, word ptr [eax]
		jmp	short loc_97B3BA
; 

loc_97B3EC:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+156j
					; DATA XREF: PAGE:0097B524o
		cmp	[ebp+var_28], 4
		jnz	loc_97B26E
		push	4
		pop	eax
		push	eax
		pop	ebx
		jmp	loc_97B4B9
; 

loc_97B400:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+156j
					; DATA XREF: PAGE:0097B528o
		push	8
		pop	ebx
		cmp	[ebp+var_28], ebx
		jnz	loc_97B380
		push	0Bh
		jmp	loc_97B4B8
; 

loc_97B413:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+156j
					; DATA XREF: PAGE:0097B530o
		cmp	[ebp+var_28], 1
		jnz	loc_97B26E
		push	4
		pop	ebx
		push	63647050h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_97B3AA
		mov	eax, [ebp+var_1C]
		xor	ecx, ecx
		cmp	byte ptr [eax],	0FFh
		setz	cl
		mov	[edi], ecx
		jmp	loc_97B3BC
; 

loc_97B449:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+156j
					; DATA XREF: PAGE:0097B52Co
		cmp	[ebp+var_28], 10h
		jnz	loc_97B26E
		mov	ecx, [ebp+var_1C]
		lea	edx, [ebp+var_34]
		xor	edi, edi
		inc	edi
		push	edi
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97B4DF
		movzx	ebx, word ptr [ebp+var_34]
		push	63647050h
		add	ebx, 2
		mov	[ebp+var_2C], edi
		push	ebx
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_97B3AA
		push	ebx		; size_t
		push	[ebp+var_30]	; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+var_2C]
		add	esp, 0Ch
		jmp	short loc_97B4D0
; 

loc_97B49A:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+140j
		mov	ebx, [ebp+var_28]
		mov	edx, ebx
		mov	ecx, [ebp+var_1C]
		call	_PnpValidateMultiSzData@8 ; PnpValidateMultiSzData(x,x)
		test	al, al
		jz	loc_97B380
		push	7
		jmp	short loc_97B4B8
; 

loc_97B4B3:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+13Aj
					; PiDevCfgResolveVariableDeviceProperty(x,x,x)+149j ...
		mov	ebx, [ebp+var_28]
		push	3

loc_97B4B8:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+20Ej
					; PiDevCfgResolveVariableDeviceProperty(x,x,x)+2B1j
		pop	eax

loc_97B4B9:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+1FBj
		mov	edi, [ebp+var_1C]
		and	[ebp+var_1C], 0
		jmp	short loc_97B4D0
; 

loc_97B4C2:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+12Aj
		cmp	esi, 0C0000225h
		jnz	short loc_97B4DF
		xor	esi, esi

loc_97B4CC:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+156j
					; DATA XREF: PAGE:off_97B518o
		mov	ebx, edi
		mov	eax, edi

loc_97B4D0:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+17Bj
					; PiDevCfgResolveVariableDeviceProperty(x,x,x)+1BFj ...
		mov	ecx, [ebp+var_40]
		mov	[ecx+10h], eax
		mov	[ecx+14h], ebx
		mov	[ecx+18h], edi

loc_97B4DC:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+5Aj
					; PiDevCfgResolveVariableDeviceProperty(x,x,x)+DCj ...
		mov	ebx, [ebp+var_20]

loc_97B4DF:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+73j
					; PiDevCfgResolveVariableDeviceProperty(x,x,x)+B6j ...
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	edi, [ebp+var_1C]
		test	edi, edi
		jz	short loc_97B4F7
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97B4F7:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+2EDj
		test	ebx, ebx
		jz	short loc_97B503
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97B503:				; CODE XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+2F9j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PiDevCfgResolveVariableDeviceProperty@12 endp

; 
		align 4
off_97B518	dd offset loc_97B4CC	; DATA XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+156r
		dd offset loc_97B38A
		dd offset loc_97B3C4
		dd offset loc_97B3EC
		dd offset loc_97B400
		dd offset loc_97B449
		dd offset loc_97B413
		dd offset loc_97B35D
		dd offset loc_97B4B3
byte_97B53C	db 0			; DATA XREF: PiDevCfgResolveVariableDeviceProperty(x,x,x)+14Fr
		align 2
		add	[ecx], eax
		add	al, [edx]
		add	eax, [ebx]
		add	al, 4
		or	[eax], cl
		or	ds:6080808h, al
		pop	es
		or	[edi], al
		or	[ebx], al
		add	eax, [ebx]
		pop	es

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgResolveVariableExpression(x, x, x)
_PiDevCfgResolveVariableExpression@12 proc near	; DATA XREF: PAGE:00A3FAFCo

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		mov	ecx, [ebp+arg_4]
		push	ebx
		mov	[esp+70h+var_18], eax
		mov	eax, [ebp+arg_8]
		push	esi
		push	edi
		mov	[esp+78h+var_14], eax
		lea	edi, [esp+78h+var_10]
		xor	eax, eax
		mov	[esp+78h+var_24], edx
		stosd
		mov	[esp+78h+var_20], edx
		mov	[esp+78h+var_48], edx
		mov	[esp+78h+var_44], edx
		stosd
		mov	[esp+78h+var_4C], edx
		stosd
		lea	eax, [esp+78h+var_20]
		push	eax
		push	edx
		mov	edx, offset ??_C@_1O@LAFNABMH@?$AAT?$AAo?$AAk?$AAe?$AAn?$AAs@NNGAKEGL@ ; "Tokens"
		call	IopGetRegistryValue
		mov	ebx, eax
		mov	[esp+78h+var_68], ebx
		test	ebx, ebx
		js	loc_97C527
		mov	esi, [esp+78h+var_20]
		mov	ecx, esi
		call	_PnpValidateRegistryMultiSz@4 ;	PnpValidateRegistryMultiSz(x)
		test	al, al
		jnz	short loc_97B5D6

loc_97B5CC:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+90j
					; PiDevCfgResolveVariableExpression(x,x,x)+C2j
		mov	ebx, 0C0000001h
		jmp	loc_97C5B4
; 

loc_97B5D6:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+74j
		mov	edi, [esi+8]
		xor	eax, eax
		add	edi, esi
		mov	[esp+78h+var_3C], edi
		mov	edx, edi
		cmp	[edi], ax
		jz	short loc_97B5CC
		mov	ebx, eax

loc_97B5EA:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+B6j
		mov	ecx, edx
		inc	ebx
		lea	esi, [ecx+2]

loc_97B5F0:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+A5j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+78h+var_24]
		jnz	short loc_97B5F0
		sub	ecx, esi
		xor	eax, eax
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2
		cmp	[edx], ax
		jnz	short loc_97B5EA
		mov	[esp+78h+var_28], ebx
		test	ebx, ebx
		mov	ebx, [esp+78h+var_68]
		jz	short loc_97B5CC
		mov	eax, [esp+78h+var_28]
		push	63647050h
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+78h+var_48], esi
		test	esi, esi
		jnz	short loc_97B642
		mov	ebx, 0C000009Ah
		jmp	loc_97C5B4
; 

loc_97B642:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+E0j
		movzx	eax, word ptr [edi]
		mov	edi, [esp+78h+var_44]
		test	ax, ax
		jz	loc_97C4F0
		mov	esi, [esp+78h+var_3C]
		mov	edx, eax

loc_97B658:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+F55j
		xor	eax, eax
		mov	ecx, eax
		mov	[esp+78h+var_58], ecx
		test	dx, dx
		jz	short loc_97B6E0
		cmp	[esi+2], ax
		jz	short loc_97B671
		cmp	[esi+4], ax
		jnz	short loc_97B693

loc_97B671:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+113j
		mov	esi, [esi]
		xor	edx, edx
		push	0Ch
		inc	edx
		pop	ecx

loc_97B679:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+137j
		mov	eax, ds:dword_A3FB34[ecx]
		cmp	esi, [eax]
		jz	short loc_97B6D1
		add	ecx, 0Ch
		inc	edx
		cmp	ecx, 144h
		jb	short loc_97B679

loc_97B68F:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+18Cj
		mov	esi, [esp+78h+var_3C]

loc_97B693:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+119j
		cmp	edi, [esp+78h+var_28]
		jnb	loc_97C4E3
		mov	ecx, [esp+78h+var_18]
		xor	eax, eax
		mov	[esp+78h+var_5C], eax
		mov	edx, esi
		lea	eax, [esp+78h+var_5C]
		push	eax
		call	_PiDevCfgResolveVariable@12 ; PiDevCfgResolveVariable(x,x,x)
		mov	ebx, eax
		mov	[esp+78h+var_68], ebx
		test	ebx, ebx
		js	loc_97C4D6
		mov	ecx, [esp+78h+var_48]
		mov	eax, [esp+78h+var_5C]
		mov	[ecx+edi*4], eax
		jmp	loc_97C47E
; 

loc_97B6D1:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+12Bj
		imul	ecx, edx, 0Ch
		add	ecx, (offset loc_A3FB2B+5)
		xor	eax, eax
		mov	[esp+78h+var_58], ecx

loc_97B6E0:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+10Dj
		test	ecx, ecx
		jz	short loc_97B68F
		mov	edx, [ecx+8]
		mov	[esp+78h+var_4C], eax
		test	edx, edx
		jz	short loc_97B723
		xor	eax, eax
		mov	[esp+78h+var_4C], eax

loc_97B6F5:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+1C0j
		test	edi, edi
		jz	short loc_97B71A
		mov	esi, [esp+78h+var_4C]
		dec	edi
		mov	eax, [esp+78h+var_48]
		mov	[esp+78h+var_44], edi
		mov	eax, [eax+edi*4]
		mov	[esp+esi*4+78h+var_10],	eax
		mov	eax, esi
		inc	eax
		mov	[esp+78h+var_4C], eax
		cmp	eax, edx
		jb	short loc_97B6F5
		jmp	short loc_97B723
; 

loc_97B71A:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+1A1j
		mov	ebx, 0C0000001h
		mov	[esp+78h+var_68], ebx

loc_97B723:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+197j
					; PiDevCfgResolveVariableExpression(x,x,x)+1C2j
		test	ebx, ebx
		js	loc_97C527
		xor	edx, edx
		xor	edi, edi
		inc	edi
		mov	[esp+78h+var_64], edx
		mov	[esp+78h+var_50], edx
		mov	ebx, edx
		mov	[esp+78h+var_5C], ebx
		mov	[esp+78h+var_54], edx
		mov	[esp+78h+var_60], edx
		cmp	eax, edi
		jnz	loc_97B9CA
		mov	ecx, [ecx]
		mov	eax, ecx
		sub	eax, 16h
		jz	loc_97B9AC
		sub	eax, edi
		jz	loc_97B993
		mov	esi, [esp+78h+var_10]
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_97B790 ; default
		cmp	eax, 2
		jbe	loc_97B919
		cmp	eax, 4
		jz	short loc_97B7E9
		cmp	eax, 7
		jnz	short loc_97B790 ; default
		mov	edx, [esi+18h]
		sub	ecx, 0Bh
		jz	short loc_97B7B3
		sub	ecx, edi
		jz	short loc_97B79E
		sub	ecx, 0Dh

loc_97B790:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+216j
					; PiDevCfgResolveVariableExpression(x,x,x)+229j ...
		mov	edx, (offset loc_A3FAC3+5) ; default

loc_97B795:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+3A9j
					; PiDevCfgResolveVariableExpression(x,x,x)+3B5j ...
		mov	esi, [esp+78h+var_68]
		jmp	loc_97B882
; 

loc_97B79E:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+235j
		xor	ebx, ebx
		xor	eax, eax
		cmp	[edx], ax
		setz	bl

loc_97B7A8:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+551j
		mov	esi, [esp+78h+var_68]

loc_97B7AC:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+3A2j
					; PiDevCfgResolveVariableExpression(x,x,x)+405j
		mov	edx, eax
		jmp	loc_97B882
; 

loc_97B7B3:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+231j
		xor	edi, edi
		cmp	[edx], di
		jz	loc_97BD84

loc_97B7BE:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+286j
		mov	ecx, edx
		inc	ebx
		lea	esi, [ecx+2]

loc_97B7C4:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+277j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_97B7C4
		sub	ecx, esi
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2
		cmp	[edx], di
		jnz	short loc_97B7BE
		mov	esi, [esp+78h+var_68]
		mov	edx, edi
		jmp	loc_97B882
; 

loc_97B7E9:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+224j
		mov	eax, [esi+18h]
		mov	esi, [eax]
		sub	ecx, 0Bh
		jz	loc_97B910
		sub	ecx, 1
		jz	loc_97B904
		sub	ecx, 0Dh
		jz	loc_97B8FD
		sub	ecx, 1
		jnz	short loc_97B790 ; default
		push	16h
		pop	eax
		push	63647050h
		push	eax
		push	edi
		mov	[esp+84h+var_50], 14h
		mov	[esp+84h+var_64], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+78h+var_54], edi
		test	edi, edi
		jz	loc_97C4B7
		push	esi		; char
		push	offset ??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@	; wchar_t *
		push	0Bh		; int
		push	edi		; wchar_t *
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 10h
		mov	[esp+78h+var_68], esi
		test	esi, esi
		js	loc_97B8E9
		mov	ecx, edi
		xor	edi, edi
		lea	edx, [ecx+2]

loc_97B85D:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+310j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_97B85D
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ecx+ecx]
		movzx	edx, ax
		add	eax, 2
		mov	[esp+78h+var_50], edx
		movzx	edx, ax
		mov	[esp+78h+var_64], edx

loc_97B880:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+5E0j
					; PiDevCfgResolveVariableExpression(x,x,x)+832j ...
		mov	edx, ebx

loc_97B882:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+243j
					; PiDevCfgResolveVariableExpression(x,x,x)+258j ...
		mov	eax, [esp+78h+var_64]

loc_97B886:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+3E7j
					; PiDevCfgResolveVariableExpression(x,x,x)+44Ej ...
		movzx	edi, ax
		test	esi, esi
		js	loc_97C523
		test	edx, edx
		jnz	loc_97C434
		push	63647050h
		push	1Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[esp+78h+var_60], edx
		test	edx, edx
		jz	loc_97C4CB
		xor	eax, eax
		mov	[edx+8], eax
		mov	[edx+0Ch], eax
		cmp	[esp+78h+var_54], eax
		jz	loc_97C3FD
		mov	eax, [esp+78h+var_64]
		mov	ebx, [esp+78h+var_50]
		movzx	esi, ax
		xor	eax, eax
		movzx	ecx, bx
		cmp	cx, di
		setz	al
		dec	eax
		and	eax, 0FFFFFFFAh
		add	eax, 7
		jmp	loc_97C427
; 

loc_97B8E9:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+2FAj
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[esp+78h+var_54], eax
		jmp	loc_97B7AC
; 

loc_97B8FD:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+2ADj
		mov	ebx, esi
		jmp	loc_97B795
; 

loc_97B904:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+2A4j
		xor	ebx, ebx
		test	esi, esi

loc_97B908:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+41Ej
		setz	bl
		jmp	loc_97B795
; 

loc_97B910:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+29Bj
		mov	ebx, esi
		not	ebx
		jmp	loc_97B795
; 

loc_97B919:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+21Bj
		mov	eax, [esi+18h]
		sub	ecx, 0Bh
		jz	short loc_97B976
		sub	ecx, 1
		jz	short loc_97B96D
		sub	ecx, 0Dh
		jz	short loc_97B946
		mov	eax, [esp+78h+var_64]
		sub	ecx, 1
		jz	short loc_97B942
		mov	edx, (offset loc_A3FAC3+5)

loc_97B939:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+3EEj
					; PiDevCfgResolveVariableExpression(x,x,x)+C1Bj
		mov	esi, [esp+78h+var_68]
		jmp	loc_97B886
; 

loc_97B942:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+3DCj
		mov	edx, esi
		jmp	short loc_97B939
; 

loc_97B946:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+3D3j
		lea	edx, [esp+78h+var_5C]
		mov	ecx, eax
		call	_PnpStringToDwordValue@8 ; PnpStringToDwordValue(x,x)
		mov	esi, [esp+78h+var_68]
		test	al, al
		jnz	short loc_97B960
		xor	eax, eax
		jmp	loc_97B7AC
; 

loc_97B960:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+401j
		mov	ebx, [esp+78h+var_5C]

loc_97B964:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+532j
		mov	edx, [esp+78h+var_60]
		jmp	loc_97B882
; 

loc_97B96D:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+3CEj
		xor	ecx, ecx
		xor	ebx, ebx
		cmp	[eax], cx
		jmp	short loc_97B908
; 

loc_97B976:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+3C9j
		mov	ebx, eax
		xor	esi, esi
		push	2
		pop	edi
		lea	ecx, [ebx+2]

loc_97B980:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+432j
		mov	ax, [ebx]
		add	ebx, edi
		cmp	ax, si
		jnz	short loc_97B980
		sub	ebx, ecx
		sar	ebx, 1
		jmp	loc_97B795
; 

loc_97B993:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+207j
		mov	ecx, [esp+78h+var_10]
		xor	eax, eax
		mov	esi, [esp+78h+var_68]
		cmp	[ecx+10h], eax
		mov	eax, [esp+78h+var_64]
		jnz	loc_97B886
		jmp	short loc_97B9C3
; 

loc_97B9AC:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+1FFj
		mov	eax, [esp+78h+var_10]
		xor	ecx, ecx
		mov	esi, [esp+78h+var_68]
		cmp	[eax+10h], ecx
		mov	eax, [esp+78h+var_64]
		jz	loc_97B886

loc_97B9C3:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+454j
		mov	ebx, edi
		jmp	loc_97B886
; 

loc_97B9CA:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+1F2j
		push	2
		pop	esi
		cmp	eax, esi
		jnz	loc_97C37E
		mov	edx, [esp+78h+var_C]
		mov	eax, [edx+10h]
		test	eax, eax
		jz	loc_97B790	; default
		cmp	eax, esi
		jbe	loc_97C07A
		cmp	eax, 3
		jz	loc_97C004
		cmp	eax, 4
		jz	loc_97BF0D
		cmp	eax, 7
		jnz	loc_97B790	; default
		mov	esi, [esp+78h+var_10]
		mov	eax, [esi+10h]
		cmp	eax, 7
		jnz	loc_97BCBD
		mov	edi, [esp+78h+var_C]
		mov	eax, [esi+18h]
		mov	edx, [edx+18h]
		mov	esi, [esi+14h]
		mov	edi, [edi+14h]
		mov	[esp+78h+var_58], eax
		mov	eax, 0FFFEh
		mov	[esp+78h+var_5C], edx
		cmp	edi, eax
		ja	loc_97C4C1
		cmp	esi, eax
		ja	loc_97C4C1
		mov	eax, [ecx]
		cmp	eax, 0Fh
		jg	loc_97BC03
		jz	loc_97BBE7
		sub	eax, 1
		jz	loc_97BB6C
		sub	eax, 7
		jz	short loc_97BAA2
		sub	eax, 1
		jz	loc_97BB6C
		sub	eax, 4
		jz	short loc_97BA8D
		sub	eax, 1
		jnz	loc_97B790	; default
		push	2
		pop	ecx
		cmp	edi, ecx
		jbe	short loc_97BA98

loc_97BA81:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+54Aj
					; PiDevCfgResolveVariableExpression(x,x,x)+ADEj ...
		xor	ebx, ebx
		inc	ebx

loc_97BA84:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+6A8j
					; PiDevCfgResolveVariableExpression(x,x,x)+6E7j ...
		mov	esi, [esp+78h+var_68]
		jmp	loc_97B964
; 

loc_97BA8D:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+519j
		push	2
		pop	ecx
		cmp	edi, ecx
		jbe	loc_97BFC9

loc_97BA98:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+529j
		cmp	esi, ecx
		jbe	loc_97BFC9
		jmp	short loc_97BA81
; 

loc_97BAA2:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+50Bj
		xor	eax, eax
		cmp	[edx], ax
		jz	loc_97B7A8

loc_97BAAD:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+5D4j
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_97BAB2:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+567j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+78h+var_24]
		jnz	short loc_97BAB2
		sub	ecx, esi
		sar	ecx, 1
		push	ecx
		lea	esi, ds:2[ecx*2]
		mov	ecx, [esp+7Ch+var_58]
		call	_PnpMultiSzContainsString@12 ; PnpMultiSzContainsString(x,x,x)
		test	eax, eax
		jz	short loc_97BB18
		mov	ecx, [esp+78h+var_54]
		test	ecx, ecx
		jnz	short loc_97BAFD
		push	63647050h
		push	edi
		xor	eax, eax
		push	1
		mov	[esp+84h+var_50], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+78h+var_54], ecx
		test	ecx, ecx
		jz	short loc_97BB61

loc_97BAFD:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+588j
		mov	eax, [esp+78h+var_50]
		push	esi		; size_t
		push	[esp+7Ch+var_5C] ; void	*
		movzx	eax, ax
		add	eax, ecx
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		add	[esp+78h+var_50], esi

loc_97BB18:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+580j
		mov	edx, [esp+78h+var_5C]
		xor	eax, eax
		shr	esi, 1
		lea	edx, [edx+esi*2]
		mov	[esp+78h+var_5C], edx
		cmp	[edx], ax
		jnz	short loc_97BAAD
		mov	esi, [esp+78h+var_68]
		mov	ecx, [esp+78h+var_54]

loc_97BB34:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+614j
		test	ecx, ecx
		jz	loc_97B880
		mov	eax, [esp+78h+var_50]
		push	2
		pop	edx
		add	eax, edx
		movzx	edx, ax
		mov	[esp+78h+var_50], eax
		movzx	eax, ax
		shr	eax, 1
		mov	[esp+78h+var_64], edx
		xor	edx, edx
		mov	[ecx+eax*2-2], dx
		jmp	loc_97B882
; 

loc_97BB61:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+5A5j
		mov	esi, 0C000009Ah
		mov	[esp+78h+var_68], esi
		jmp	short loc_97BB34
; 

loc_97BB6C:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+502j
					; PiDevCfgResolveVariableExpression(x,x,x)+510j
		xor	eax, eax
		cmp	[edx], ax
		jz	loc_97C0F1
		mov	eax, [esp+78h+var_58]
		xor	ecx, ecx
		cmp	[eax], cx
		jz	loc_97C105
		lea	eax, [edi-2]
		add	eax, esi
		cmp	eax, 0FFFEh
		ja	loc_97C4C1
		lea	eax, [esi-2]
		add	eax, edi
		movzx	ecx, ax
		push	63647050h
		movzx	eax, ax
		push	eax
		push	1
		mov	[esp+84h+var_64], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+78h+var_54], ecx
		test	ecx, ecx
		jz	loc_97C4B7
		lea	eax, [edi-2]
		push	eax		; size_t
		push	[esp+7Ch+var_5C] ; void	*
		push	ecx		; void *
		call	_memcpy
		mov	eax, [esp+84h+var_54]
		add	esp, 0Ch
		shr	edi, 1
		push	esi
		push	[esp+7Ch+var_58]
		lea	eax, [eax+edi*2]
		add	eax, 0FFFFFFFEh
		jmp	loc_97C15B
; 

loc_97BBE7:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+4F9j
		push	1
		shr	esi, 1
		push	esi
		push	[esp+80h+var_58]
		shr	edi, 1
		push	edi
		push	edx
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)

loc_97BBF9:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+CBFj
		neg	eax
		sbb	ebx, ebx

loc_97BBFD:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+AA5j
		inc	ebx
		jmp	loc_97BA84
; 

loc_97BC03:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+4F3j
		sub	eax, 10h
		jz	loc_97BC94
		sub	eax, 1
		jz	short loc_97BC7E
		sub	eax, 1
		jz	short loc_97BC60
		sub	eax, 1
		jz	short loc_97BC42
		sub	eax, 1
		jnz	loc_97B790	; default
		push	1
		shr	esi, 1
		push	esi
		push	[esp+80h+var_58]
		shr	edi, 1
		push	edi
		push	edx
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)

loc_97BC36:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+DCAj
		mov	ebx, eax
		not	ebx

loc_97BC3A:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+73Cj
		shr	ebx, 1Fh
		jmp	loc_97BA84
; 

loc_97BC42:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+6C3j
		push	1
		shr	esi, 1
		push	esi
		push	[esp+80h+var_58]
		shr	edi, 1
		push	edi
		push	edx
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)

loc_97BC54:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+DE0j
		xor	ebx, ebx
		test	eax, eax
		setle	bl
		jmp	loc_97BA84
; 

loc_97BC60:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+6BEj
		push	1
		shr	esi, 1
		push	esi
		push	[esp+80h+var_58]
		shr	edi, 1
		push	edi
		push	edx
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)

loc_97BC72:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+DF6j
		xor	ebx, ebx
		test	eax, eax
		setnle	bl
		jmp	loc_97BA84
; 

loc_97BC7E:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+6B9j
		push	1
		shr	esi, 1
		push	esi
		push	[esp+80h+var_58]
		shr	edi, 1
		push	edi
		push	edx
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		mov	ebx, eax
		jmp	short loc_97BC3A
; 

loc_97BC94:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+6B0j
		push	1
		shr	esi, 1
		push	esi
		push	[esp+80h+var_58]
		shr	edi, 1
		push	edi
		push	edx
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		mov	esi, [esp+78h+var_68]
		test	eax, eax
		mov	eax, [esp+78h+var_64]
		jnz	loc_97C372

loc_97BCB6:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+8B1j
					; PiDevCfgResolveVariableExpression(x,x,x)+B19j ...
		mov	edx, ebx
		jmp	loc_97B886
; 

loc_97BCBD:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+4BBj
		cmp	eax, edi
		jz	loc_97BD8D
		push	2
		pop	edi
		cmp	eax, edi
		jz	loc_97BD8D
		cmp	eax, 4
		jnz	loc_97B790	; default
		cmp	dword ptr [ecx], 18h
		mov	eax, [esi+18h]
		mov	eax, [eax]
		mov	[esp+78h+var_5C], eax
		jnz	loc_97B790	; default
		mov	edi, [edx+18h]
		xor	ecx, ecx
		xor	edx, edx
		mov	esi, edx
		cmp	[edi], cx
		jz	short loc_97BD2F

loc_97BCF9:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+7D3j
		mov	ecx, edi
		lea	esi, [ecx+2]

loc_97BCFE:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+7B3j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+78h+var_24]
		jnz	short loc_97BCFE
		sub	ecx, esi
		sar	ecx, 1
		lea	esi, ds:2[ecx*2]
		cmp	edx, [esp+78h+var_5C]
		jz	short loc_97BD37
		mov	eax, esi
		shr	eax, 1
		inc	edx
		lea	edi, [edi+eax*2]
		xor	eax, eax
		cmp	[edi], ax
		jnz	short loc_97BCF9
		mov	eax, [esp+78h+var_5C]

loc_97BD2F:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+7A1j
		cmp	edx, eax
		jnz	loc_97B790	; default

loc_97BD37:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+7C4j
		xor	eax, eax
		cmp	[edi], ax
		jz	loc_97B790	; default
		push	2
		pop	eax
		cmp	esi, eax
		jbe	loc_97B790	; default
		movzx	ecx, si
		push	63647050h
		push	ecx
		push	1
		lea	eax, [ecx-8]
		movzx	eax, ax
		mov	[esp+84h+var_50], eax
		mov	eax, ecx
		mov	[esp+84h+var_64], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+78h+var_54], eax
		test	eax, eax
		jz	loc_97C4B7
		push	esi		; size_t
		push	edi		; void *

loc_97BD7B:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+D82j
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_97BD84:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+262j
					; PiDevCfgResolveVariableExpression(x,x,x)+AFEj
		mov	esi, [esp+78h+var_68]
		jmp	loc_97B880
; 

loc_97BD8D:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+769j
					; PiDevCfgResolveVariableExpression(x,x,x)+774j
		mov	eax, [edx+18h]
		mov	edi, [edx+14h]
		mov	edx, [esi+18h]
		mov	esi, [esi+14h]
		mov	[esp+78h+var_58], eax
		mov	eax, 0FFFEh
		mov	[esp+78h+var_5C], edx
		mov	[esp+78h+var_40], esi
		cmp	edi, eax
		ja	loc_97C4C1
		cmp	esi, eax
		ja	loc_97C4C1
		mov	eax, [ecx]
		sub	eax, 1
		jz	loc_97BE89
		sub	eax, 1
		jz	short loc_97BE16
		sub	eax, 6
		jz	short loc_97BDF3
		sub	eax, 1
		jnz	loc_97B790	; default
		push	ecx
		mov	ecx, [esp+7Ch+var_58]
		call	_PnpMultiSzContainsString@12 ; PnpMultiSzContainsString(x,x,x)
		test	eax, eax
		jz	loc_97BE89

loc_97BDEA:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+D11j
					; PiDevCfgResolveVariableExpression(x,x,x)+E77j ...
		mov	edx, [esp+78h+var_C]
		jmp	loc_97B795
; 

loc_97BDF3:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+877j
		push	ecx
		mov	ecx, [esp+7Ch+var_58]
		call	_PnpMultiSzContainsString@12 ; PnpMultiSzContainsString(x,x,x)
		mov	esi, [esp+78h+var_68]
		test	eax, eax
		mov	eax, [esp+78h+var_64]
		jz	loc_97BCB6
		mov	edx, [esp+78h+var_10]
		jmp	loc_97B886
; 

loc_97BE16:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+872j
		push	ecx
		mov	ecx, [esp+7Ch+var_58]
		call	_PnpMultiSzContainsString@12 ; PnpMultiSzContainsString(x,x,x)
		mov	[esp+78h+var_5C], eax
		test	eax, eax
		jz	loc_97C105
		mov	ecx, edi
		sub	ecx, esi
		movzx	eax, cx
		push	63647050h
		movzx	ecx, cx
		push	ecx
		push	1
		mov	[esp+84h+var_64], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+78h+var_54], ecx
		test	ecx, ecx
		jz	loc_97C4B7
		mov	esi, [esp+78h+var_5C]
		mov	eax, [esp+78h+var_58]
		sub	esi, eax
		sar	esi, 1
		test	esi, esi
		jle	short loc_97BE70
		push	esi		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_97BE70:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+90Dj
		mov	eax, [esp+78h+var_40]
		sub	edi, esi
		sub	edi, eax
		add	eax, [esp+78h+var_5C]
		push	edi
		push	eax
		mov	eax, [esp+80h+var_54]
		add	eax, esi
		jmp	loc_97C15B
; 

loc_97BE89:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+869j
					; PiDevCfgResolveVariableExpression(x,x,x)+88Ej
		lea	eax, [esi+edi]
		cmp	eax, 0FFFEh
		ja	loc_97C4C1
		lea	eax, [edi+esi]
		movzx	ecx, ax
		movzx	eax, ax
		push	63647050h
		mov	[esp+7Ch+var_50], ecx
		push	eax
		movzx	ecx, cx
		push	1
		mov	[esp+84h+var_64], ecx
		mov	[esp+84h+var_40], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+78h+var_54], ecx
		test	ecx, ecx
		jz	loc_97C4B7
		lea	eax, [edi-2]
		push	eax		; size_t
		push	[esp+7Ch+var_58] ; void	*
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		shr	edi, 1
		push	esi		; size_t
		mov	esi, [esp+7Ch+var_54]
		push	[esp+7Ch+var_5C] ; void	*
		lea	eax, [esi-2]
		lea	eax, [eax+edi*2]
		push	eax		; void *
		call	_memcpy
		mov	eax, [esp+84h+var_40]
		add	esp, 0Ch
		shr	eax, 1
		xor	ecx, ecx
		mov	edx, ecx
		mov	[esi+eax*2-2], cx
		mov	esi, [esp+78h+var_68]
		jmp	loc_97B882
; 

loc_97BF0D:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+4A2j
		mov	ecx, [esp+78h+var_10]
		cmp	dword ptr [ecx+10h], 4
		jnz	loc_97B790	; default
		mov	eax, [edx+18h]
		mov	edx, [eax]
		mov	eax, [ecx+18h]
		mov	ecx, [eax]
		mov	eax, [esp+78h+var_58]
		mov	eax, [eax]
		dec	eax
		cmp	eax, 13h	; switch 20 cases
		ja	loc_97B790	; default
		jmp	ds:off_97C5DE[eax*4] ; switch jump

loc_97BF3C:				; DATA XREF: PAGE:off_97C5DEo
		lea	ebx, [ecx+edx]	; case 0x0
		jmp	loc_97BA84
; 

loc_97BF44:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C5E2o
		mov	ebx, edx	; case 0x1
		sub	ebx, ecx
		jmp	loc_97BA84
; 

loc_97BF4D:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C5E6o
		mov	ebx, ecx	; case 0x2
		imul	ebx, edx
		jmp	loc_97BA84
; 

loc_97BF57:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C5EAo
		test	ecx, ecx	; case 0x3
		jz	short loc_97BF68
		mov	eax, edx
		xor	edx, edx
		div	ecx
		mov	ebx, eax
		jmp	loc_97BA84
; 

loc_97BF68:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+A03j
					; PiDevCfgResolveVariableExpression(x,x,x)+A22j
		mov	esi, 0C0000094h
		mov	[esp+78h+var_68], esi
		jmp	loc_97B880
; 

loc_97BF76:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C5EEo
		test	ecx, ecx	; case 0x4
		jz	short loc_97BF68
		mov	eax, edx
		xor	edx, edx
		div	ecx
		mov	ebx, edx
		jmp	loc_97BA84
; 

loc_97BF87:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C5F2o
		mov	ebx, edx	; case 0x5
		shl	ebx, cl
		jmp	loc_97BA84
; 

loc_97BF90:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C5F6o
		mov	ebx, edx	; case 0x6
		shr	ebx, cl
		jmp	loc_97BA84
; 

loc_97BF99:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C5FAo
		mov	ebx, ecx	; case 0x7
		and	ebx, edx
		jmp	loc_97BA84
; 

loc_97BFA2:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C5FEo
		mov	ebx, ecx	; case 0x8
		or	ebx, edx
		jmp	loc_97BA84
; 

loc_97BFAB:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C602o
		mov	ebx, ecx	; case 0x9
		xor	ebx, edx
		jmp	loc_97BA84
; 

loc_97BFB4:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C60Eo
		test	edx, edx	; case 0xC
		jz	short loc_97BFC9
		jmp	short loc_97BFC5
; 

loc_97BFBA:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+A6Dj
					; PiDevCfgResolveVariableExpression(x,x,x)+A71j
		mov	ebx, edi
		jmp	loc_97BA84
; 

loc_97BFC1:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C612o
		test	edx, edx	; case 0xD
		jnz	short loc_97BFBA

loc_97BFC5:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+A62j
		test	ecx, ecx
		jnz	short loc_97BFBA

loc_97BFC9:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+53Cj
					; PiDevCfgResolveVariableExpression(x,x,x)+544j ...
		xor	eax, eax
		jmp	loc_97BA84
; 

loc_97BFD0:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C616o
		xor	ebx, ebx	; case 0xE
		cmp	edx, ecx
		setz	bl
		jmp	loc_97BA84
; 

loc_97BFDC:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C61Ao
		xor	ebx, ebx	; case 0xF
		cmp	edx, ecx
		setnz	bl
		jmp	loc_97BA84
; 

loc_97BFE8:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C61Eo
		cmp	edx, ecx	; case 0x10

loc_97BFEA:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+A9Fj
		sbb	ebx, ebx

loc_97BFEC:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+D9Cj
		neg	ebx
		jmp	loc_97BA84
; 

loc_97BFF3:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C622o
		cmp	ecx, edx	; case 0x11
		jmp	short loc_97BFEA
; 

loc_97BFF7:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C626o
		cmp	ecx, edx	; case 0x12

loc_97BFF9:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+AACj
		sbb	ebx, ebx
		jmp	loc_97BBFD
; 

loc_97C000:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFj
					; DATA XREF: PAGE:0097C62Ao
		cmp	edx, ecx	; case 0x13
		jmp	short loc_97BFF9
; 

loc_97C004:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+499j
		mov	edx, [esp+78h+var_10]
		cmp	dword ptr [edx+10h], 3
		jnz	loc_97B790	; default
		mov	eax, [esp+78h+var_C]
		mov	ecx, [ecx]
		mov	edi, [edx+18h]
		mov	edx, [edx+14h]
		mov	esi, [eax+18h]
		mov	eax, [eax+14h]
		sub	ecx, 0Fh
		jz	short loc_97C052
		sub	ecx, 1
		jnz	loc_97B790	; default
		cmp	eax, edx
		jnz	loc_97BA81
		push	eax		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_97BA81
		jmp	loc_97BFC9
; 

loc_97C052:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+AD1j
		cmp	eax, edx
		jnz	loc_97BD84
		push	eax		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcmp
		mov	esi, [esp+84h+var_68]
		add	esp, 0Ch
		test	eax, eax
		mov	eax, [esp+78h+var_64]
		jnz	loc_97BCB6
		jmp	loc_97C372
; 

loc_97C07A:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+490j
		mov	edi, [esp+78h+var_10]
		mov	eax, [edi+10h]
		cmp	eax, 1
		jz	loc_97C176
		cmp	eax, esi
		jz	loc_97C176
		cmp	eax, 7
		jnz	loc_97B790	; default
		mov	eax, [esp+78h+var_C]
		mov	edx, [edx+18h]
		mov	[esp+78h+var_40], edx
		mov	esi, [eax+14h]
		mov	eax, [edi+18h]
		mov	edi, [edi+14h]
		mov	[esp+78h+var_5C], eax
		mov	eax, 0FFFEh
		cmp	esi, eax
		ja	loc_97C4C1
		cmp	edi, eax
		ja	loc_97C4C1
		mov	eax, [ecx]
		sub	eax, 1
		jz	short loc_97C10B
		sub	eax, 7
		jz	short loc_97C0F7
		sub	eax, 1
		jz	short loc_97C0E3
		mov	edx, (offset loc_A3FAC3+5)
		jmp	loc_97C166
; 

loc_97C0E3:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+B81j
		push	ecx
		mov	ecx, [esp+7Ch+var_5C]
		call	_PnpMultiSzContainsString@12 ; PnpMultiSzContainsString(x,x,x)
		test	eax, eax
		jz	short loc_97C10B

loc_97C0F1:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+61Bj
		mov	edx, [esp+78h+var_10]
		jmp	short loc_97C166
; 

loc_97C0F7:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+B7Cj
		push	ecx
		mov	ecx, [esp+7Ch+var_5C]
		call	_PnpMultiSzContainsString@12 ; PnpMultiSzContainsString(x,x,x)
		test	eax, eax
		jz	short loc_97C164

loc_97C105:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+62Aj
					; PiDevCfgResolveVariableExpression(x,x,x)+8D0j
		mov	edx, [esp+78h+var_C]
		jmp	short loc_97C166
; 

loc_97C10B:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+B77j
					; PiDevCfgResolveVariableExpression(x,x,x)+B99j
		lea	eax, [edi+esi]
		cmp	eax, 0FFFEh
		ja	loc_97C4C1
		lea	eax, [esi+edi]
		movzx	ecx, ax
		push	63647050h
		movzx	eax, ax
		push	eax
		push	1
		mov	[esp+84h+var_64], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+78h+var_54], eax
		test	eax, eax
		jz	loc_97C4B7
		push	esi		; size_t
		push	[esp+7Ch+var_40] ; void	*
		push	eax		; void *
		call	_memcpy
		mov	eax, [esp+84h+var_54]
		add	esp, 0Ch
		shr	esi, 1
		push	edi		; size_t
		push	[esp+7Ch+var_5C] ; void	*
		lea	eax, [eax+esi*2]

loc_97C15B:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+68Cj
					; PiDevCfgResolveVariableExpression(x,x,x)+92Ej
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_97C164:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+BADj
		mov	edx, ebx

loc_97C166:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+B88j
					; PiDevCfgResolveVariableExpression(x,x,x)+B9Fj ...
		mov	eax, [esp+78h+var_64]
		movzx	esi, ax
		mov	[esp+78h+var_50], esi
		jmp	loc_97B939
; 

loc_97C176:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+B2Ej
					; PiDevCfgResolveVariableExpression(x,x,x)+B36j
		xor	eax, eax
		mov	[esp+78h+var_30], eax
		mov	[esp+78h+var_2C], eax
		mov	[esp+78h+var_38], eax
		mov	[esp+78h+var_34], eax
		mov	eax, 0FFFEh
		cmp	[edx+14h], eax
		ja	loc_97C4C1
		cmp	[edi+14h], eax
		ja	loc_97C4C1
		movzx	eax, word ptr [edx+14h]
		mov	esi, [edx+18h]
		mov	[esp+78h+var_40], eax
		mov	word ptr [esp+78h+var_30+2], ax
		lea	edx, [eax-2]
		mov	[esp+78h+var_58], esi
		mov	eax, [edi+18h]
		mov	[esp+78h+var_5C], eax
		mov	[esp+78h+var_34], eax
		movzx	eax, word ptr [edi+14h]
		mov	word ptr [esp+78h+var_38+2], ax
		mov	[esp+78h+var_2C], esi
		mov	word ptr [esp+78h+var_30], dx
		lea	edi, [eax-2]
		mov	eax, [ecx]
		mov	word ptr [esp+78h+var_38], di
		cmp	eax, 10h
		jg	loc_97C2F7
		jz	loc_97C2DD
		sub	eax, 1
		jz	short loc_97C24E
		sub	eax, 0Ch
		jz	short loc_97C234
		sub	eax, 1
		jz	short loc_97C21A
		sub	eax, 1
		jnz	loc_97B790	; default
		push	1
		lea	eax, [esp+7Ch+var_38]
		push	eax
		lea	eax, [esp+80h+var_30]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		jmp	loc_97BBF9
; 

loc_97C21A:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+CA3j
		push	2
		pop	ecx
		cmp	dx, cx
		jnb	loc_97BA81
		cmp	di, cx
		jnb	loc_97BA81
		jmp	loc_97BFC9
; 

loc_97C234:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+C9Ej
		push	2
		pop	ecx
		cmp	dx, cx
		jb	loc_97BFC9
		cmp	di, cx
		jb	loc_97BFC9
		jmp	loc_97BA81
; 

loc_97C24E:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+C99j
		xor	eax, eax
		cmp	[esi], ax
		jnz	short loc_97C25E

loc_97C255:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+E6Cj
					; PiDevCfgResolveVariableExpression(x,x,x)+E82j ...
		mov	edx, [esp+78h+var_10]
		jmp	loc_97B795
; 

loc_97C25E:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+CFDj
		mov	eax, [esp+78h+var_5C]
		xor	ecx, ecx
		cmp	[eax], cx
		jz	loc_97BDEA
		movzx	eax, di
		movzx	esi, dx
		mov	[esp+78h+var_1C], eax
		add	eax, esi
		cmp	eax, 0FFFEh
		jnb	loc_97C4C1
		lea	eax, [edi+edx]
		movzx	eax, ax
		mov	[esp+78h+var_50], eax
		mov	eax, [esp+78h+var_40]
		add	eax, edi
		movzx	ecx, ax
		push	63647050h
		movzx	eax, ax
		push	eax
		push	1
		mov	[esp+84h+var_64], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+78h+var_54], edi
		test	edi, edi
		jz	loc_97C4B7
		push	esi		; size_t
		push	[esp+7Ch+var_58] ; void	*
		push	edi		; void *
		call	_memcpy
		mov	eax, [esp+84h+var_1C]
		add	esp, 0Ch
		add	eax, 2
		shr	esi, 1
		push	eax
		push	[esp+7Ch+var_5C]
		lea	eax, [edi+esi*2]
		jmp	loc_97BD7B
; 

loc_97C2DD:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+C90j
		push	1
		lea	eax, [esp+7Ch+var_38]
		push	eax
		lea	eax, [esp+80h+var_30]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		neg	eax
		sbb	ebx, ebx
		jmp	loc_97BFEC
; 

loc_97C2F7:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+C8Aj
		sub	eax, 11h
		jz	short loc_97C351
		sub	eax, 1
		jz	short loc_97C33B
		sub	eax, 1
		jz	short loc_97C325
		sub	eax, 1
		jnz	loc_97B790	; default
		push	1
		lea	eax, [esp+7Ch+var_38]
		push	eax
		lea	eax, [esp+80h+var_30]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		jmp	loc_97BC36
; 

loc_97C325:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+DAEj
		push	1
		lea	eax, [esp+7Ch+var_38]
		push	eax
		lea	eax, [esp+80h+var_30]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		jmp	loc_97BC54
; 

loc_97C33B:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+DA9j
		push	1
		lea	eax, [esp+7Ch+var_38]
		push	eax
		lea	eax, [esp+80h+var_30]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		jmp	loc_97BC72
; 

loc_97C351:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+DA4j
		push	1
		lea	eax, [esp+7Ch+var_38]
		push	eax
		lea	eax, [esp+80h+var_30]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		mov	esi, [esp+78h+var_68]
		test	eax, eax
		mov	eax, [esp+78h+var_64]
		jns	loc_97BCB6

loc_97C372:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+75Aj
					; PiDevCfgResolveVariableExpression(x,x,x)+B1Fj
		mov	edx, [esp+78h+var_60]
		xor	ebx, ebx
		inc	ebx
		jmp	loc_97B886
; 

loc_97C37E:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+479j
		cmp	eax, 3
		jnz	loc_97B795
		mov	ecx, [esp+78h+var_8]
		mov	eax, [ecx+10h]
		test	eax, eax
		jz	short loc_97C3EE
		cmp	eax, esi
		jbe	short loc_97C3DD
		cmp	eax, 3
		jz	short loc_97C3BA
		cmp	eax, 4
		jz	short loc_97C3AE
		cmp	eax, 7
		jnz	short loc_97C3E6
		cmp	dword ptr [ecx+14h], 4
		setnbe	al
		jmp	short loc_97C3F0
; 

loc_97C3AE:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+E48j
		mov	eax, [ecx+18h]
		xor	ecx, ecx
		cmp	[eax], ecx
		setnz	al
		jmp	short loc_97C3F0
; 

loc_97C3BA:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+E43j
		mov	edx, [ecx+18h]
		mov	ecx, [ecx+14h]
		test	ecx, ecx
		jz	loc_97C255

loc_97C3C8:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+E80j
		mov	al, [edx]
		inc	edx
		test	al, al
		jnz	loc_97BDEA
		sub	ecx, 1
		jnz	short loc_97C3C8
		jmp	loc_97C255
; 

loc_97C3DD:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+E3Ej
		cmp	[ecx+14h], esi
		sbb	al, al
		inc	al
		jmp	short loc_97C3F0
; 

loc_97C3E6:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+E4Dj
		test	eax, eax
		jnz	loc_97BDEA

loc_97C3EE:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+E3Aj
		xor	eax, eax

loc_97C3F0:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+E56j
					; PiDevCfgResolveVariableExpression(x,x,x)+E62j ...
		test	al, al
		jnz	loc_97BDEA
		jmp	loc_97C255
; 

loc_97C3FD:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+36Bj
		push	4
		pop	eax
		push	63647050h
		push	eax
		push	1
		mov	[esp+84h+var_1C], eax
		mov	esi, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+78h+var_54], eax
		test	eax, eax
		jz	loc_97C4CB
		mov	edx, [esp+78h+var_60]
		mov	[eax], ebx
		mov	eax, esi

loc_97C427:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+38Ej
		mov	[edx+10h], eax
		mov	eax, [esp+78h+var_54]
		mov	[edx+14h], esi
		mov	[edx+18h], eax

loc_97C434:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+33Dj
		mov	edi, [esp+78h+var_44]
		xor	ecx, ecx
		mov	eax, [esp+78h+var_48]
		mov	esi, ecx
		mov	ebx, [esp+78h+var_4C]
		mov	[eax+edi*4], edx
		test	ebx, ebx
		jz	short loc_97C476

loc_97C44B:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+F1Aj
		mov	edi, [esp+esi*4+78h+var_10]
		cmp	[edi+0Ch], ecx
		jnz	short loc_97C46D
		mov	eax, [edi+18h]
		test	eax, eax
		jz	short loc_97C464
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx

loc_97C464:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+F03j
		push	ecx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx

loc_97C46D:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+EFCj
		inc	esi
		cmp	esi, ebx
		jb	short loc_97C44B
		mov	edi, [esp+78h+var_44]

loc_97C476:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+EF3j
		mov	esi, [esp+78h+var_3C]
		mov	ebx, [esp+78h+var_68]

loc_97C47E:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+176j
		mov	ecx, esi
		inc	edi
		mov	[esp+78h+var_44], edi
		lea	edx, [ecx+2]

loc_97C488:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+F3Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+78h+var_24]
		jnz	short loc_97C488
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		mov	[esp+78h+var_3C], esi
		movzx	eax, word ptr [esi]
		mov	edx, eax
		test	ax, ax
		jnz	loc_97B658
		mov	[esp+78h+var_44], edi
		jmp	short loc_97C4EC
; 

loc_97C4B7:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+2DBj
					; PiDevCfgResolveVariableExpression(x,x,x)+664j ...
		mov	[esp+78h+var_68], 0C000009Ah
		jmp	short loc_97C52F
; 

loc_97C4C1:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+4E0j
					; PiDevCfgResolveVariableExpression(x,x,x)+4E8j ...
		mov	[esp+78h+var_68], 80000005h
		jmp	short loc_97C52F
; 

loc_97C4CB:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+359j
					; PiDevCfgResolveVariableExpression(x,x,x)+EC3j
		mov	ebx, 0C000009Ah
		mov	[esp+78h+var_68], ebx
		jmp	short loc_97C527
; 

loc_97C4D6:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+165j
		cmp	ebx, 0C0000034h
		jnz	short loc_97C4EC
		add	ebx, 0FFFFFFCDh
		jmp	short loc_97C4E8
; 

loc_97C4E3:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+141j
		mov	ebx, 0C00000FDh

loc_97C4E8:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+F8Bj
		mov	[esp+78h+var_68], ebx

loc_97C4EC:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+F5Fj
					; PiDevCfgResolveVariableExpression(x,x,x)+F86j
		mov	esi, [esp+78h+var_48]

loc_97C4F0:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+F6j
		xor	eax, eax
		mov	[esp+78h+var_4C], eax
		test	ebx, ebx
		js	short loc_97C52B
		cmp	edi, 1
		jz	short loc_97C50A
		mov	ebx, 0C0000001h
		mov	[esp+78h+var_68], ebx
		jmp	short loc_97C568
; 

loc_97C50A:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+FA7j
		mov	edx, [esi]
		mov	ecx, [esp+78h+var_14]
		call	_PiDevCfgCopyVariableData@8 ; PiDevCfgCopyVariableData(x,x)
		mov	ebx, eax
		xor	eax, eax
		mov	[esp+78h+var_68], ebx
		mov	[esp+78h+var_4C], eax
		jmp	short loc_97C52B
; 

loc_97C523:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+335j
		mov	ebx, [esp+78h+var_68]

loc_97C527:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+61j
					; PiDevCfgResolveVariableExpression(x,x,x)+1CFj ...
		mov	eax, [esp+78h+var_4C]

loc_97C52B:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+FA2j
					; PiDevCfgResolveVariableExpression(x,x,x)+FCBj
		test	eax, eax
		jz	short loc_97C564

loc_97C52F:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+F69j
					; PiDevCfgResolveVariableExpression(x,x,x)+F73j
		xor	ebx, ebx
		xor	ecx, ecx
		mov	esi, ebx
		mov	ebx, [esp+78h+var_4C]

loc_97C539:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+1008j
		mov	edi, [esp+esi*4+78h+var_10]
		cmp	[edi+0Ch], ecx
		jnz	short loc_97C55B
		mov	eax, [edi+18h]
		test	eax, eax
		jz	short loc_97C550
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97C550:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+FF1j
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx

loc_97C55B:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+FEAj
		inc	esi
		cmp	esi, ebx
		jb	short loc_97C539
		mov	ebx, [esp+78h+var_68]

loc_97C564:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+FD7j
		mov	edi, [esp+78h+var_44]

loc_97C568:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+FB2j
		mov	ecx, [esp+78h+var_48]
		test	ecx, ecx
		jz	short loc_97C5B4
		xor	eax, eax
		mov	esi, eax
		test	edi, edi
		jz	short loc_97C5AD
		xor	ebx, ebx

loc_97C57A:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+104Fj
		mov	eax, [ecx+esi*4]
		cmp	[eax+0Ch], ebx
		jnz	short loc_97C5A2
		mov	ecx, [eax+18h]
		test	ecx, ecx
		jz	short loc_97C597
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esp+78h+var_48]
		mov	eax, [ecx+esi*4]

loc_97C597:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+1031j
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esp+78h+var_48]

loc_97C5A2:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+102Aj
		inc	esi
		cmp	esi, edi
		jb	short loc_97C57A
		mov	ebx, [esp+78h+var_68]
		xor	eax, eax

loc_97C5AD:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+1020j
		push	eax
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97C5B4:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+7Bj
					; PiDevCfgResolveVariableExpression(x,x,x)+E7j	...
		mov	eax, [esp+78h+var_20]
		test	eax, eax
		jz	short loc_97C5C5
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97C5C5:				; CODE XREF: PiDevCfgResolveVariableExpression(x,x,x)+1064j
		mov	ecx, [esp+78h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PiDevCfgResolveVariableExpression@12 endp

; 
		db 8Dh
		db 49h,	0
off_97C5DE	dd offset loc_97BF3C	; DATA XREF: PiDevCfgResolveVariableExpression(x,x,x)+9DFr
					; jump table for switch	statement
		dd offset loc_97BF44	; case 0x1
		dd offset loc_97BF4D	; case 0x2
		dd offset loc_97BF57	; case 0x3
		dd offset loc_97BF76	; case 0x4
		dd offset loc_97BF87	; case 0x5
		dd offset loc_97BF90	; case 0x6
		dd offset loc_97BF99	; case 0x7
		dd offset loc_97BFA2	; case 0x8
		dd offset loc_97BFAB	; case 0x9
		dd offset loc_97B790	; default
		dd offset loc_97B790	; default
		dd offset loc_97BFB4	; case 0xC
		dd offset loc_97BFC1	; case 0xD
		dd offset loc_97BFD0	; case 0xE
		dd offset loc_97BFDC	; case 0xF
		dd offset loc_97BFE8	; case 0x10
		dd offset loc_97BFF3	; case 0x11
		dd offset loc_97BFF7	; case 0x12
		dd offset loc_97C000	; case 0x13

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgResolveVariableFormatString(x, x, x)
_PiDevCfgResolveVariableFormatString@12	proc near

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		push	ebx
		push	esi
		mov	[esp+5Ch+var_40], eax
		mov	edx, offset ??_C@_1O@FDFOMCPN@?$AAF?$AAo?$AAr?$AAm?$AAa?$AAt@NNGAKEGL@ ; "Format"
		mov	eax, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[esp+60h+var_20], eax
		lea	eax, [esp+60h+var_2C]
		push	eax
		mov	[esp+64h+var_34], ecx
		mov	[esp+64h+var_2C], ecx
		mov	[esp+64h+var_4C], ecx
		mov	[esp+64h+var_38], ecx
		mov	[esp+64h+var_30], ecx
		push	ecx
		mov	ecx, edi
		call	IopGetRegistryValue
		mov	ecx, [esp+60h+var_2C]
		mov	esi, eax
		mov	[esp+60h+var_28], ecx
		test	esi, esi
		js	short loc_97C700
		call	_PnpValidateRegistryString@4 ; PnpValidateRegistryString(x)
		test	al, al
		jnz	short loc_97C69E
		mov	esi, 0C0000001h
		jmp	short loc_97C700
; 

loc_97C69E:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+67j
		mov	eax, [ecx+8]
		mov	edx, offset ??_C@_1BE@BDPBLKHD@?$AAV?$AAa?$AAr?$AAi?$AAa?$AAb?$AAl?$AAe?$AAs@NNGAKEGL@ ; "Variables"
		add	eax, ecx
		mov	ecx, edi
		mov	[esp+60h+var_50], eax
		lea	eax, [esp+60h+var_4C]
		push	eax
		xor	eax, eax
		push	eax
		call	IopGetRegistryValue
		mov	ebx, [esp+60h+var_4C]
		mov	esi, eax
		mov	[esp+60h+var_3C], esi
		mov	[esp+60h+var_2C], ebx
		test	esi, esi
		jns	short loc_97C6DF
		cmp	esi, 0C0000034h
		jnz	short loc_97C6EF
		xor	eax, eax
		mov	esi, eax
		mov	[esp+60h+var_3C], esi
		jmp	short loc_97C725
; 

loc_97C6DF:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+9Dj
		mov	ecx, ebx
		call	_PnpValidateRegistryMultiSz@4 ;	PnpValidateRegistryMultiSz(x)
		test	al, al
		jnz	short loc_97C723
		mov	esi, 0C0000001h

loc_97C6EF:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+A5j
					; PiDevCfgResolveVariableFormatString(x,x,x)+16Cj
		xor	edi, edi

loc_97C6F1:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+527j
		test	ebx, ebx
		jz	short loc_97C6FC
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97C6FC:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+C5j
		mov	ecx, [esp+60h+var_28]

loc_97C700:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+5Ej
					; PiDevCfgResolveVariableFormatString(x,x,x)+6Ej
		test	ecx, ecx
		jz	short loc_97C70D
		xor	eax, eax
		push	eax
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97C70D:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+D4j
		mov	ecx, [esp+60h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_97C723:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+BAj
		xor	eax, eax

loc_97C725:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+AFj
		test	ebx, ebx
		jz	loc_97C821
		mov	edi, [ebx+8]
		add	edi, ebx
		mov	edx, edi
		cmp	[edi], ax
		jz	loc_97C821
		mov	esi, [esp+60h+var_38]

loc_97C741:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+135j
		mov	ecx, edx
		inc	esi
		lea	ebx, [ecx+2]

loc_97C747:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+124j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+60h+var_34]
		jnz	short loc_97C747
		sub	ecx, ebx
		xor	eax, eax
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2
		cmp	[edx], ax
		jnz	short loc_97C741
		mov	eax, esi
		mov	[esp+60h+var_38], esi
		mov	esi, [esp+60h+var_3C]
		test	eax, eax
		jz	loc_97C821
		mov	ebx, eax
		push	63647050h
		shl	ebx, 2
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+60h+var_30], eax
		test	eax, eax
		jnz	short loc_97C79F
		mov	ebx, [esp+60h+var_2C]
		mov	esi, 0C000009Ah
		jmp	loc_97C6EF
; 

loc_97C79F:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+161j
		push	ebx		; size_t
		xor	ecx, ecx
		push	ecx		; int
		push	eax		; void *
		call	_memset
		xor	edx, edx
		add	esp, 0Ch
		mov	eax, edx
		mov	[esp+60h+var_4C], eax
		cmp	[edi], dx
		jz	short loc_97C819
		mov	ebx, [esp+60h+var_30]

loc_97C7BD:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+1D8j
		cmp	eax, [esp+60h+var_38]
		jnb	short loc_97C819
		mov	ecx, [esp+60h+var_40]
		mov	edx, edi
		push	ebx
		call	_PiDevCfgResolveVariable@12 ; PiDevCfgResolveVariable(x,x,x)
		mov	esi, eax
		mov	[esp+60h+var_3C], esi
		test	esi, esi
		js	short loc_97C80A
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_97C7DE:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+1BBj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+60h+var_34]
		jnz	short loc_97C7DE
		mov	eax, [esp+60h+var_4C]
		sub	ecx, edx
		sar	ecx, 1
		add	ebx, 4
		lea	edi, [edi+ecx*2]
		xor	ecx, ecx
		add	edi, 2
		inc	eax
		mov	[esp+60h+var_4C], eax
		cmp	[edi], cx
		jnz	short loc_97C7BD
		jmp	short loc_97C819
; 

loc_97C80A:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+1A9j
		cmp	esi, 0C0000034h
		jnz	short loc_97C819
		add	esi, 0FFFFFFCDh
		mov	[esp+60h+var_3C], esi

loc_97C819:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+189j
					; PiDevCfgResolveVariableFormatString(x,x,x)+193j ...
		test	esi, esi
		js	loc_97CB40

loc_97C821:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+F9j
					; PiDevCfgResolveVariableFormatString(x,x,x)+109j ...
		xor	eax, eax
		mov	[esp+60h+var_4C], 9
		mov	ebx, eax
		mov	eax, [esp+60h+var_50]
		mov	edi, eax
		mov	[esp+60h+var_44], ebx
		push	25h
		pop	edx
		movzx	eax, word ptr [eax]
		test	ax, ax
		jz	loc_97C90F
		mov	esi, [esp+60h+var_30]
		mov	ecx, eax

loc_97C84C:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+2D7j
		add	edi, 2
		cmp	cx, dx
		jnz	short loc_97C85F
		movzx	ecx, word ptr [edi]
		cmp	cx, dx
		jnz	short loc_97C86B
		add	edi, 2

loc_97C85F:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+224j
		add	ebx, 2
		mov	[esp+60h+var_44], ebx
		jmp	loc_97C8FD
; 

loc_97C86B:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+22Cj
		lea	eax, [ecx-30h]
		cmp	ax, word ptr [esp+60h+var_4C]
		ja	loc_97C8FD
		xor	eax, eax
		mov	edx, eax
		test	cx, cx
		jz	short loc_97C8B1
		push	9
		mov	ebx, ecx
		pop	esi

loc_97C887:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+277j
		lea	eax, [ebx-30h]
		cmp	ax, si
		ja	short loc_97C8A7
		imul	ecx, edx, 0Ah
		add	edi, 2
		movzx	edx, bx
		add	edx, 0FFFFFFD0h
		movzx	eax, word ptr [edi]
		add	edx, ecx
		mov	ebx, eax
		test	ax, ax
		jnz	short loc_97C887

loc_97C8A7:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+25Fj
		mov	ebx, [esp+60h+var_44]
		xor	eax, eax
		mov	esi, [esp+60h+var_30]

loc_97C8B1:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+252j
		cmp	edx, [esp+60h+var_38]
		jnb	short loc_97C8FA
		cmp	[esi+edx*4], eax
		jz	short loc_97C8FA
		lfence	eax
		mov	ecx, [esi+edx*4]
		mov	eax, [ecx+10h]
		test	eax, eax
		jz	short loc_97C8FA
		cmp	eax, 2
		jbe	loc_97C96A
		cmp	eax, 4
		jz	short loc_97C937
		cmp	eax, 7
		jnz	short loc_97C8FA
		mov	ecx, [ecx+18h]
		lea	edx, [ecx+2]

loc_97C8E2:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+2BFj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+60h+var_34]
		jnz	short loc_97C8E2

loc_97C8EF:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+33Aj
		sub	ecx, edx
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]

loc_97C8F6:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+342j
		mov	[esp+60h+var_44], ebx

loc_97C8FA:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+287j
					; PiDevCfgResolveVariableFormatString(x,x,x)+28Cj ...
		push	25h
		pop	edx

loc_97C8FD:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+238j
					; PiDevCfgResolveVariableFormatString(x,x,x)+245j
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jnz	loc_97C84C
		mov	esi, [esp+60h+var_3C]

loc_97C90F:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+212j
		push	63647050h
		add	ebx, 2
		push	ebx
		push	1
		mov	[esp+6Ch+var_44], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+60h+var_40], ecx
		test	ecx, ecx
		jnz	short loc_97C972
		mov	esi, 0C000009Ah
		jmp	loc_97CB40
; 

loc_97C937:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+2A7j
		mov	eax, [ecx+18h]
		push	dword ptr [eax]	; char
		lea	eax, [esp+64h+var_1C]
		push	offset ??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@	; wchar_t *
		push	0Bh		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		test	eax, eax
		js	short loc_97C8FA
		lea	ecx, [esp+60h+var_1C]
		lea	edx, [ecx+2]

loc_97C95B:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+338j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+60h+var_34]
		jnz	short loc_97C95B
		jmp	short loc_97C8EF
; 

loc_97C96A:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+29Ej
		add	ebx, 0FFFFFFFEh
		add	ebx, [ecx+14h]
		jmp	short loc_97C8F6
; 

loc_97C972:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+2FDj
		mov	edi, [esp+60h+var_50]
		mov	edx, ecx
		mov	[esp+60h+var_48], edx
		mov	[esp+60h+var_4C], ebx
		movzx	eax, word ptr [edi]
		test	ax, ax
		jz	loc_97CB63
		mov	ecx, eax

loc_97C98E:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+4F4j
		push	25h
		pop	eax
		cmp	cx, ax
		jnz	loc_97CAFC
		mov	ecx, [esp+60h+var_50]
		push	2
		pop	eax
		add	ecx, eax
		push	25h
		mov	[esp+64h+var_50], ecx
		pop	edi
		movzx	ecx, word ptr [ecx]
		cmp	cx, di
		jnz	short loc_97C9D8
		cmp	ebx, eax
		jbe	loc_97CB2A
		mov	[edx], di
		add	edx, eax
		mov	edi, [esp+60h+var_50]
		add	edi, eax
		sub	ebx, eax

loc_97C9C7:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+4DFj
		mov	[esp+60h+var_50], edi
		mov	[esp+60h+var_48], edx
		mov	[esp+60h+var_4C], ebx
		jmp	loc_97CB1A
; 

loc_97C9D8:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+382j
		push	9
		lea	eax, [ecx-30h]
		pop	edi
		cmp	ax, di
		ja	loc_97CB16
		xor	eax, eax
		mov	edi, eax
		test	cx, cx
		jz	short loc_97CA29
		mov	esi, [esp+60h+var_50]
		mov	edx, ecx
		push	9
		pop	ebx

loc_97C9F9:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+3E9j
		lea	eax, [edx-30h]
		cmp	ax, bx
		ja	short loc_97CA19
		imul	ecx, edi, 0Ah
		add	esi, 2
		movzx	edi, dx
		add	edi, 0FFFFFFD0h
		movzx	eax, word ptr [esi]
		add	edi, ecx
		mov	edx, eax
		test	ax, ax
		jnz	short loc_97C9F9

loc_97CA19:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+3D1j
		mov	ebx, [esp+60h+var_4C]
		mov	edx, [esp+60h+var_48]
		mov	[esp+60h+var_50], esi
		mov	esi, [esp+60h+var_3C]

loc_97CA29:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+3C0j
		cmp	edi, [esp+60h+var_38]
		jnb	loc_97CB16
		mov	eax, [esp+60h+var_30]
		xor	ecx, ecx
		cmp	[eax+edi*4], ecx
		jz	loc_97CB16
		lfence	eax
		mov	edi, [eax+edi*4]
		mov	eax, [edi+10h]
		test	eax, eax
		jz	short loc_97CAC7
		cmp	eax, 2
		jbe	short loc_97CABC
		cmp	eax, 4
		jz	short loc_97CA81
		cmp	eax, 7
		jnz	short loc_97CAC7
		mov	ecx, [edi+18h]
		mov	edi, ecx
		lea	eax, [edi+2]
		mov	[esp+60h+var_24], eax

loc_97CA6A:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+447j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, word ptr [esp+60h+var_34]
		jnz	short loc_97CA6A
		sub	edi, [esp+60h+var_24]
		sar	edi, 1
		add	edi, edi
		jmp	short loc_97CACB
; 

loc_97CA81:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+429j
		mov	eax, [edi+18h]
		push	dword ptr [eax]	; char
		lea	eax, [esp+64h+var_1C]
		push	offset ??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@	; wchar_t *
		push	0Bh		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		test	eax, eax
		js	short loc_97CB12
		lea	ecx, [esp+60h+var_1C]
		mov	edi, ecx
		lea	edx, [edi+2]

loc_97CAA7:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+484j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, word ptr [esp+60h+var_34]
		jnz	short loc_97CAA7
		sub	edi, edx
		sar	edi, 1
		add	edi, edi
		jmp	short loc_97CACF
; 

loc_97CABC:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+424j
		mov	ecx, [edi+18h]
		mov	edi, [edi+14h]
		sub	edi, 2
		jmp	short loc_97CACB
; 

loc_97CAC7:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+41Fj
					; PiDevCfgResolveVariableFormatString(x,x,x)+42Ej
		xor	eax, eax
		mov	edi, eax

loc_97CACB:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+451j
					; PiDevCfgResolveVariableFormatString(x,x,x)+497j
		test	ecx, ecx
		jz	short loc_97CB16

loc_97CACF:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+48Cj
		test	edi, edi
		jz	short loc_97CB12
		cmp	ebx, edi
		jbe	short loc_97CB2A
		push	edi		; size_t
		push	ecx		; void *
		push	[esp+68h+var_48] ; void	*
		call	_memcpy
		mov	edx, [esp+6Ch+var_48]
		mov	eax, edi
		shr	eax, 1
		add	esp, 0Ch
		sub	ebx, edi
		mov	[esp+60h+var_4C], ebx
		lea	edx, [edx+eax*2]
		mov	[esp+60h+var_48], edx
		jmp	short loc_97CB16
; 

loc_97CAFC:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+366j
		cmp	ebx, 2
		jbe	short loc_97CB5A
		mov	[edx], cx
		add	edi, 2
		add	edx, 2
		sub	ebx, 2
		jmp	loc_97C9C7
; 

loc_97CB12:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+46Ej
					; PiDevCfgResolveVariableFormatString(x,x,x)+4A3j
		mov	edx, [esp+60h+var_48]

loc_97CB16:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+3B3j
					; PiDevCfgResolveVariableFormatString(x,x,x)+3FFj ...
		mov	edi, [esp+60h+var_50]

loc_97CB1A:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+3A5j
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jnz	loc_97C98E
		jmp	short loc_97CB5F
; 

loc_97CB2A:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+386j
					; PiDevCfgResolveVariableFormatString(x,x,x)+4A7j ...
		mov	esi, 0C0000001h

loc_97CB2F:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+537j
		mov	eax, [esp+60h+var_40]
		xor	ecx, ecx

loc_97CB35:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+55Cj
		test	eax, eax
		jz	short loc_97CB40
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97CB40:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+1EDj
					; PiDevCfgResolveVariableFormatString(x,x,x)+304j ...
		mov	eax, [esp+60h+var_30]
		xor	edi, edi
		test	eax, eax
		jz	short loc_97CB51
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97CB51:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+51Aj
		mov	ebx, [esp+60h+var_2C]
		jmp	loc_97C6F1
; 

loc_97CB5A:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+4D1j
		mov	esi, 0C0000001h

loc_97CB5F:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+4FAj
		mov	ecx, [esp+60h+var_40]

loc_97CB63:				; CODE XREF: PiDevCfgResolveVariableFormatString(x,x,x)+358j
		test	esi, esi
		js	short loc_97CB2F
		cmp	ebx, 2
		jnz	short loc_97CB2A
		xor	eax, eax
		mov	[edx], ax
		mov	edx, [esp+60h+var_20]
		mov	eax, [esp+60h+var_44]
		mov	[edx+18h], ecx
		xor	ecx, ecx
		mov	[edx+14h], eax
		mov	eax, ecx
		mov	dword ptr [edx+10h], 1
		jmp	short loc_97CB35
_PiDevCfgResolveVariableFormatString@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgResolveVariableGenerateGuid(x, x, x)
_PiDevCfgResolveVariableGenerateGuid@12	proc near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	[esp+28h+var_18], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [esp+30h+var_14]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		and	[esp+30h+var_1C], eax
		mov	[esp+30h+var_20], eax
		lea	eax, [esp+30h+var_14]
		push	eax
		call	ExUuidCreate
		mov	esi, eax
		cmp	esi, 40020056h
		jz	short loc_97CBD8
		test	esi, esi
		js	short loc_97CC41

loc_97CBD8:				; CODE XREF: PiDevCfgResolveVariableGenerateGuid(x,x,x)+46j
		push	1
		lea	edx, [esp+34h+var_20]
		lea	ecx, [esp+34h+var_14]
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97CC41
		push	0
		lea	eax, [esp+34h+var_20]
		push	eax
		push	eax
		call	RtlUpcaseUnicodeString
		mov	esi, eax
		test	esi, esi
		js	short loc_97CC41
		movzx	edi, word ptr [esp+30h+var_20]
		push	63647050h
		add	edi, 2
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_97CC22
		mov	esi, 0C000009Ah
		jmp	short loc_97CC41
; 

loc_97CC22:				; CODE XREF: PiDevCfgResolveVariableGenerateGuid(x,x,x)+8Dj
		push	edi		; size_t
		push	[esp+34h+var_1C] ; void	*
		push	ebx		; void *
		call	_memcpy
		mov	eax, [esp+3Ch+var_18]
		add	esp, 0Ch
		mov	dword ptr [eax+10h], 1
		mov	[eax+14h], edi
		mov	[eax+18h], ebx

loc_97CC41:				; CODE XREF: PiDevCfgResolveVariableGenerateGuid(x,x,x)+4Aj
					; PiDevCfgResolveVariableGenerateGuid(x,x,x)+5Fj ...
		lea	eax, [esp+30h+var_20]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [esp+30h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PiDevCfgResolveVariableGenerateGuid@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgResolveVariableKeyCopy(x, x, x)
_PiDevCfgResolveVariableKeyCopy@12 proc	near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	edx, [ebp+arg_4]
		lea	eax, [esp+0Ch+var_8]
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		push	eax
		mov	[esp+1Ch+var_8], edi
		mov	ebx, edi
		mov	[esp+1Ch+var_4], edi
		call	_PiDevCfgResolveVariableKeyHandle@12 ; PiDevCfgResolveVariableKeyHandle(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97CD01
		mov	ecx, [ebp+arg_4]
		lea	eax, [esp+18h+var_4]
		push	eax
		push	edi
		mov	edx, offset ??_C@_1O@JDLOHAN@?$AAD?$AAe?$AAl?$AAe?$AAt?$AAe@NNGAKEGL@
		call	IopGetRegistryValue
		mov	edi, [esp+18h+var_4]
		mov	esi, eax
		test	esi, esi
		jns	short loc_97CCBA
		cmp	esi, 0C0000034h
		jnz	short loc_97CCF5
		xor	esi, esi
		jmp	short loc_97CCD9
; 

loc_97CCBA:				; CODE XREF: PiDevCfgResolveVariableKeyCopy(x,x,x)+4Bj
		mov	ecx, edi
		call	_PnpValidateRegistryValue@4 ; PnpValidateRegistryValue(x)
		test	al, al
		jnz	short loc_97CCCC
		mov	esi, 0C0000001h
		jmp	short loc_97CCF5
; 

loc_97CCCC:				; CODE XREF: PiDevCfgResolveVariableKeyCopy(x,x,x)+62j
		mov	eax, [edi+8]
		cmp	[edi+eax], ebx
		jz	short loc_97CCD9
		mov	ebx, 100000h

loc_97CCD9:				; CODE XREF: PiDevCfgResolveVariableKeyCopy(x,x,x)+57j
					; PiDevCfgResolveVariableKeyCopy(x,x,x)+71j
		mov	ecx, [ebp+arg_8]
		or	ebx, 8000h
		mov	eax, [esp+18h+var_8]
		and	dword ptr [ecx+14h], 0
		and	[esp+18h+var_8], 0
		mov	[ecx+10h], ebx
		mov	[ecx+18h], eax

loc_97CCF5:				; CODE XREF: PiDevCfgResolveVariableKeyCopy(x,x,x)+53j
					; PiDevCfgResolveVariableKeyCopy(x,x,x)+69j
		test	edi, edi
		jz	short loc_97CD01
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97CD01:				; CODE XREF: PiDevCfgResolveVariableKeyCopy(x,x,x)+2Ej
					; PiDevCfgResolveVariableKeyCopy(x,x,x)+96j
		cmp	[esp+18h+var_8], 0
		jz	short loc_97CD11
		push	[esp+18h+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_97CD11:				; CODE XREF: PiDevCfgResolveVariableKeyCopy(x,x,x)+A5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PiDevCfgResolveVariableKeyCopy@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgResolveVariableKeyHandle(x,	x, x)
_PiDevCfgResolveVariableKeyHandle@12 proc near
					; CODE XREF: PiDevCfgResolveVariableKeyCopy(x,x,x)+25p
					; PiDevCfgResolveVariableKeyValue(x,x,x)+28p

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_10		= word ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	eax, edx
		mov	[ebp+var_C8], ecx
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_90], ecx
		mov	[ebp+var_78], ecx
		lea	ecx, [ebp+var_60]
		push	ecx
		mov	[ebp+var_CC], edx
		mov	ecx, eax
		mov	[edx], edi
		mov	edx, offset ??_C@_1BA@HPKJFNOK@?$AAK?$AAe?$AAy?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@
		push	edi
		mov	[ebp+var_84], eax
		mov	[ebp+var_88], edi
		mov	[ebp+var_60], edi
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], edi
		mov	[ebp+var_6C], edi
		mov	[ebp+var_C4], edi
		mov	[ebp+var_B8], edi
		mov	[ebp+var_BC], edi
		mov	[ebp+var_C0], edi
		mov	[ebp+var_AC], edi
		mov	[ebp+var_B0], edi
		mov	[ebp+var_8C], edi
		call	IopGetRegistryValue
		mov	ebx, [ebp+var_60]
		mov	esi, eax
		test	esi, esi
		js	loc_97CEB4
		mov	ecx, ebx
		call	_PnpValidateRegistryString@4 ; PnpValidateRegistryString(x)
		test	al, al
		jnz	short loc_97CDC9

loc_97CDBF:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+2ADj
		mov	esi, 0C0000001h
		jmp	loc_97CEB4
; 

loc_97CDC9:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+A1j
		mov	esi, [ebx+8]
		add	esi, ebx
		mov	ebx, edi

loc_97CDD0:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+D0j
		push	esi		; wchar_t *
		push	ds:off_A3FCC8[edi] ; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_97CE14
		add	edi, 14h
		inc	ebx
		cmp	edi, 8Ch
		jb	short loc_97CDD0

loc_97CDEE:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+101j
		push	offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_97D048
		push	32h
		pop	eax
		push	30h
		mov	[ebp+var_70], offset ??_C@_1DC@KILCGNCG@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		jmp	loc_97D065
; 

loc_97CE14:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+C4j
		imul	edi, ebx, 14h
		add	edi, offset off_A3FCC8
		jz	short loc_97CDEE
		mov	ecx, [ebp+var_C8]
		mov	eax, [edi+0Ch]
		mov	ecx, [ecx]
		test	eax, eax
		jz	short loc_97CE53
		xor	ebx, ebx
		lea	edx, [ebp+var_6C]
		push	ebx
		push	edx
		mov	edx, [ecx+18h]
		mov	edi, 20019h
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	edi
		xor	edi, edi
		push	edi
		push	eax
		call	_CmOpenDeviceRegKey
		jmp	loc_97D0B4
; 

loc_97CE53:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+110j
		mov	edx, [edi+8]
		test	edx, edx
		jz	loc_97D03E
		cmp	edx, 7
		jz	short loc_97CE6B
		mov	ebx, [edi+10h]
		jmp	loc_97CF09
; 

loc_97CE6B:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+145j
		xor	edx, edx
		mov	[ebp+var_BC], 4Eh
		push	edx
		lea	eax, [ebp+var_BC]
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_C0]
		push	eax
		push	9
		push	edx
		mov	edx, [ecx+18h]
		mov	ecx, _PiPnpRtlCtx
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97CEAF
		cmp	[ebp+var_C0], 1
		jz	short loc_97CEFD

loc_97CEAA:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+60Cj
		mov	esi, 0C0000001h

loc_97CEAF:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+183j
					; PiDevCfgResolveVariableKeyHandle(x,x,x)+201j	...
		mov	ebx, [ebp+var_60]

loc_97CEB2:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+31Dj
					; PiDevCfgResolveVariableKeyHandle(x,x,x)+555j	...
		xor	edi, edi

loc_97CEB4:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+92j
					; PiDevCfgResolveVariableKeyHandle(x,x,x)+A8j ...
		lea	eax, [ebp+var_90]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [ebp+var_B0]
		test	eax, eax
		jz	short loc_97CED1
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97CED1:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+1ACj
		test	ebx, ebx
		jz	short loc_97CEDC
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97CEDC:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+1B7j
		cmp	[ebp+var_6C], 0
		jz	short loc_97CEEA
		push	[ebp+var_6C]
		call	_ZwClose@4	; ZwClose(x)

loc_97CEEA:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+1C4j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_97CEFD:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+18Cj
		mov	edx, [edi+8]
		lea	ebx, [ebp+var_5C]
		xor	eax, eax
		mov	[ebp+var_10], ax

loc_97CF09:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+14Aj
		lea	eax, [ebp+var_6C]
		mov	edi, 20019h
		push	eax
		push	edi
		push	ecx
		call	__PnpCtxOpenContextBaseKey@20 ;	_PnpCtxOpenContextBaseKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97CEAF
		test	ebx, ebx
		jz	short loc_97CF90
		push	ebx
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_A0], eax
		xor	eax, eax
		mov	[ebp+var_98], eax
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	edi
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_A8], 18h
		push	eax
		mov	[ebp+var_9C], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97CEAF
		push	[ebp+var_6C]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_C4]
		mov	[ebp+var_6C], eax

loc_97CF90:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+205j
		xor	edi, edi

loc_97CF92:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+3A2j
		push	edi
		push	[ebp+var_60]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_84]
		lea	eax, [ebp+var_60]
		push	eax
		push	edi
		mov	edx, (offset loc_8BA8F5+1)
		mov	[ebp+var_60], edi
		call	IopGetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	loc_97D4F8
		mov	ebx, [ebp+var_60]
		mov	ecx, ebx
		call	_PnpValidateRegistryString@4 ; PnpValidateRegistryString(x)
		test	al, al
		jz	loc_97CDBF
		mov	eax, [ebx+8]
		push	24h
		pop	ecx
		add	eax, ebx
		push	ecx		; wchar_t
		push	eax		; wchar_t *
		mov	[ebp+var_7C], eax
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_97D466
		mov	edi, [ebp+var_AC]
		push	24h
		pop	ebx

loc_97CFF4:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+2E7j
		add	eax, 2
		inc	edi
		push	ebx		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_97CFF4
		mov	ebx, [ebp+var_60]
		mov	[ebp+var_AC], edi
		test	edi, edi
		jz	loc_97D464
		push	63647050h
		shl	edi, 2
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_B0], eax
		test	eax, eax
		jnz	loc_97D0EB

loc_97D034:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+58Bj
		mov	esi, 0C000009Ah
		jmp	loc_97CEB2
; 

loc_97D03E:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+13Cj
		mov	esi, 0C00000E5h
		jmp	loc_97CEAF
; 

loc_97D048:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+E1j
		push	offset ??_C@_1BC@JDKNNDON@?$AAS?$AAO?$AAF?$AAT?$AAW?$AAA?$AAR?$AAE@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_97D0C3
		push	36h
		pop	eax
		push	34h
		mov	[ebp+var_70], offset ??_C@_1DG@FHHAPGD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@

loc_97D065:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+F3j
		xor	edi, edi

loc_97D067:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+3CAj
		mov	word ptr [ebp+var_74+2], ax
		pop	eax
		mov	word ptr [ebp+var_74], ax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	20019h
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_A8], 18h
		push	eax
		mov	[ebp+var_A4], edi
		mov	[ebp+var_9C], 240h
		mov	[ebp+var_98], edi
		mov	[ebp+var_94], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)

loc_97D0B4:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+132j
		mov	esi, eax
		test	esi, esi
		js	loc_97D516
		jmp	loc_97CF92
; 

loc_97D0C3:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+33Bj
		push	offset ??_C@_1BC@BDFNFELL@?$AAH?$AAA?$AAR?$AAD?$AAW?$AAA?$AAR?$AAE@NNGAKEGL@ ; "HARDWARE"
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		xor	edi, edi
		pop	ecx
		test	eax, eax
		jnz	loc_97D51E
		push	36h
		pop	eax
		push	34h
		mov	[ebp+var_70], offset ??_C@_1DG@IFIHIIDF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		jmp	loc_97D067
; 

loc_97D0EB:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+312j
		push	edi		; size_t
		xor	ecx, ecx
		push	ecx		; int
		push	eax		; void *
		call	_memset
		mov	edi, [ebp+var_7C]
		xor	edx, edx
		add	esp, 0Ch
		mov	eax, edi
		mov	ecx, edx
		mov	[ebp+var_64], eax
		mov	[ebp+var_80], ecx
		cmp	[edi], dx
		jz	loc_97D26F
		mov	edx, [ebp+var_B0]
		mov	[ebp+var_68], edx

loc_97D119:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+543j
		cmp	ecx, [ebp+var_AC]
		jnb	loc_97D26C
		push	5Ch
		pop	ecx
		push	ecx		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		mov	edi, eax
		pop	ecx
		pop	ecx
		test	edi, edi
		jz	short loc_97D145
		mov	edx, [ebp+var_64]
		xor	eax, eax
		mov	ecx, edi
		mov	[edi], ax
		sub	ecx, edx
		jmp	short loc_97D160
; 

loc_97D145:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+419j
		mov	ecx, [ebp+var_64]
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_97D14D:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+43Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_97D14D
		mov	ebx, [ebp+var_60]
		sub	ecx, edx
		mov	edx, [ebp+var_64]

loc_97D160:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+427j
		sar	ecx, 1
		push	24h
		lea	eax, [ecx+ecx]
		mov	[ebp+var_84], eax
		mov	ecx, eax
		pop	eax
		cmp	[edx], ax
		jnz	loc_97D202
		push	[ebp+var_68]
		mov	ecx, [ebp+var_C8]
		add	edx, 2
		call	_PiDevCfgResolveVariable@12 ; PiDevCfgResolveVariable(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97D1E6
		mov	eax, [ebp+var_68]
		mov	edx, [ebp+var_84]
		mov	ecx, edx
		mov	eax, [eax]
		mov	[ebp+var_B4], eax
		mov	eax, [eax+10h]
		test	eax, eax
		jz	short loc_97D1F8
		cmp	eax, 2
		jbe	short loc_97D1D8
		cmp	eax, 7
		jnz	short loc_97D1F8
		mov	ecx, [ebp+var_B4]
		xor	ebx, ebx
		mov	ecx, [ecx+18h]
		lea	edx, [ecx+2]

loc_97D1C2:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+4AFj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_97D1C2
		mov	ebx, [ebp+var_60]
		sub	ecx, edx
		sar	ecx, 1
		add	ecx, ecx
		jmp	short loc_97D1F8
; 

loc_97D1D8:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+491j
		mov	ecx, [ebp+var_B4]
		mov	ecx, [ecx+14h]
		sub	ecx, 2
		jmp	short loc_97D1F8
; 

loc_97D1E6:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+472j
		cmp	esi, 0C0000034h
		jnz	short loc_97D26C
		mov	ecx, [ebp+var_84]
		xor	eax, eax
		mov	esi, eax

loc_97D1F8:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+48Cj
					; PiDevCfgResolveVariableKeyHandle(x,x,x)+496j	...
		inc	[ebp+var_80]
		add	[ebp+var_68], 4
		mov	edx, [ebp+var_64]

loc_97D202:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+457j
		mov	eax, [ebp+var_78]
		movzx	eax, ax
		add	eax, 2
		add	eax, ecx
		cmp	eax, 0FFFEh
		jnb	short loc_97D267
		lea	eax, [ecx+2]
		mov	ecx, [ebp+var_78]
		add	cx, ax
		mov	[ebp+var_78], ecx
		mov	word ptr [ebp+var_90+2], cx
		test	edi, edi
		jz	short loc_97D236
		push	5Ch
		pop	eax
		mov	[edi], ax
		add	edi, 2
		jmp	short loc_97D252
; 

loc_97D236:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+50Dj
		mov	ecx, edx
		xor	edi, edi
		lea	edx, [ecx+2]

loc_97D23D:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+52Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_97D23D
		mov	eax, [ebp+var_64]
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [eax+ecx*2]

loc_97D252:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+518j
		xor	ecx, ecx
		mov	[ebp+var_64], edi
		cmp	[edi], cx
		mov	eax, edi
		mov	ecx, [ebp+var_80]
		jnz	loc_97D119
		jmp	short loc_97D26C
; 

loc_97D267:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+4F6j
		mov	esi, 80000005h

loc_97D26C:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+403j
					; PiDevCfgResolveVariableKeyHandle(x,x,x)+4D0j	...
		mov	edi, [ebp+var_7C]

loc_97D26F:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+3EEj
		test	esi, esi
		js	loc_97CEB2
		mov	eax, [ebp+var_90+2]
		add	eax, 0FFFFFFFEh
		mov	word ptr [ebp+var_90], ax
		mov	eax, [ebp+var_78]
		movzx	eax, ax
		push	63647050h
		push	eax
		push	1
		mov	[ebp+var_68], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_8C], edx
		test	edx, edx
		jz	loc_97D034
		mov	ebx, [ebp+var_7C]
		xor	eax, eax
		mov	[ebp+var_78], edi
		mov	ecx, edx
		xor	edi, edi
		mov	[ebp+var_64], edx
		mov	[ebp+var_80], eax
		cmp	[ebx], di
		mov	ebx, [ebp+var_60]
		mov	edi, [ebp+var_78]
		jz	loc_97D435

loc_97D2CE:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+6F5j
		cmp	eax, [ebp+var_AC]
		jnb	loc_97D429
		push	5Ch
		pop	eax
		push	eax		; wchar_t
		push	edi		; wchar_t *
		call	_wcschr
		mov	ebx, eax
		pop	ecx
		pop	ecx
		test	ebx, ebx
		jz	short loc_97D2F7
		xor	eax, eax
		mov	ecx, ebx
		mov	[ebx], ax
		sub	ecx, edi
		jmp	short loc_97D30D
; 

loc_97D2F7:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+5CEj
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_97D2FC:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+5EDj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_88]
		jnz	short loc_97D2FC
		sub	ecx, edx

loc_97D30D:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+5D9j
		sar	ecx, 1
		mov	edx, edi
		add	ecx, ecx
		mov	[ebp+var_84], edx
		mov	[ebp+var_B4], ecx
		cmp	edi, [ebp+var_7C]
		jz	short loc_97D341
		cmp	[ebp+var_68], 2
		jbe	loc_97CEAA
		mov	edi, [ebp+var_64]
		push	5Ch
		pop	eax
		mov	[edi], ax
		add	edi, 2
		sub	[ebp+var_68], 2
		mov	[ebp+var_64], edi

loc_97D341:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+606j
		mov	eax, [ebp+var_78]
		mov	edi, ecx
		push	24h
		pop	ecx
		cmp	[eax], cx
		mov	ecx, [ebp+var_B4]
		jnz	short loc_97D3AB
		mov	edi, [ebp+var_80]
		mov	eax, [ebp+var_B0]
		mov	eax, [eax+edi*4]
		inc	edi
		mov	[ebp+var_80], edi
		mov	edi, ecx
		test	eax, eax
		jz	short loc_97D3AB
		mov	edx, [eax+10h]
		test	edx, edx
		jz	short loc_97D3A5
		cmp	edx, 2
		jbe	short loc_97D39A
		cmp	edx, 7
		jnz	short loc_97D3A5
		mov	edx, [eax+18h]
		mov	edi, edx
		lea	ecx, [edi+2]

loc_97D383:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+674j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, word ptr [ebp+var_88]
		jnz	short loc_97D383
		sub	edi, ecx
		sar	edi, 1
		add	edi, edi
		jmp	short loc_97D3AB
; 

loc_97D39A:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+658j
		mov	edi, [eax+14h]
		mov	edx, [eax+18h]
		sub	edi, 2
		jmp	short loc_97D3AB
; 

loc_97D3A5:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+653j
					; PiDevCfgResolveVariableKeyHandle(x,x,x)+65Dj
		mov	edx, [ebp+var_84]

loc_97D3AB:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+636j
					; PiDevCfgResolveVariableKeyHandle(x,x,x)+64Cj	...
		mov	eax, [ebp+var_68]
		cmp	eax, edi
		jbe	short loc_97D416
		push	edi		; size_t
		push	edx		; void *
		push	[ebp+var_64]	; void *
		call	_memcpy
		mov	ecx, [ebp+var_64]
		mov	eax, edi
		shr	eax, 1
		add	esp, 0Ch
		lea	ecx, [ecx+eax*2]
		mov	eax, [ebp+var_68]
		sub	eax, edi
		mov	[ebp+var_64], ecx
		mov	[ebp+var_68], eax
		test	ebx, ebx
		jz	short loc_97D3E3
		push	5Ch
		pop	ecx
		mov	[ebx], cx
		add	ebx, 2
		jmp	short loc_97D402
; 

loc_97D3E3:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+6BAj
		mov	edx, [ebp+var_78]
		xor	ebx, ebx
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_97D3ED:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+6DAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_97D3ED
		mov	eax, [ebp+var_68]
		sub	ecx, edi
		sar	ecx, 1
		lea	ebx, [edx+ecx*2]

loc_97D402:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+6C5j
		xor	ecx, ecx
		mov	[ebp+var_78], ebx
		mov	edi, ebx
		cmp	[ebx], cx
		jz	short loc_97D41B
		mov	eax, [ebp+var_80]
		jmp	loc_97D2CE
; 

loc_97D416:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+694j
		mov	esi, 0C0000001h

loc_97D41B:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+6F0j
		mov	ebx, [ebp+var_60]
		mov	ecx, [ebp+var_64]
		mov	edx, [ebp+var_8C]
		jmp	short loc_97D438
; 

loc_97D429:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+5B8j
		mov	ebx, [ebp+var_60]
		mov	ecx, [ebp+var_64]
		mov	edx, [ebp+var_8C]

loc_97D435:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+5ACj
		mov	eax, [ebp+var_68]

loc_97D438:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+70Bj
		test	esi, esi
		js	loc_97CEB2
		cmp	eax, 2
		jz	short loc_97D44F
		mov	esi, 0C0000001h
		jmp	loc_97CEB2
; 

loc_97D44F:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+727j
		xor	eax, eax
		xor	edi, edi
		mov	[ecx], ax
		mov	eax, [ebp+var_90]
		mov	[ebp+var_74], eax
		mov	[ebp+var_70], edx
		jmp	short loc_97D49C
; 

loc_97D464:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+2F4j
		xor	edi, edi

loc_97D466:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+2C9j
		mov	edx, [ebx+0Ch]
		lea	eax, [ebp+var_88]
		push	ecx
		mov	ecx, [ebx+8]
		push	eax
		add	ecx, ebx
		mov	[ebp+var_88], edi
		call	_PnpRegSzToString@16 ; PnpRegSzToString(x,x,x,x)
		mov	ax, word ptr [ebp+var_88]
		mov	word ptr [ebp+var_74], ax
		mov	ax, [ebx+0Ch]
		mov	word ptr [ebp+var_74+2], ax
		mov	eax, [ebx+8]
		add	eax, ebx
		mov	[ebp+var_70], eax

loc_97D49C:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+746j
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	20019h
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_A8], 18h
		push	eax
		mov	[ebp+var_9C], 240h
		mov	[ebp+var_98], edi
		mov	[ebp+var_94], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97CEB4
		mov	eax, [ebp+var_B8]
		jmp	short loc_97D50E
; 

loc_97D4F8:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+29Bj
		cmp	esi, 0C0000034h
		jnz	short loc_97D516
		mov	eax, [ebp+var_6C]
		mov	esi, edi
		mov	[ebp+var_B8], eax
		mov	[ebp+var_6C], edi

loc_97D50E:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+7DAj
		mov	ecx, [ebp+var_CC]
		mov	[ecx], eax

loc_97D516:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+39Cj
					; PiDevCfgResolveVariableKeyHandle(x,x,x)+7E2j	...
		mov	ebx, [ebp+var_60]
		jmp	loc_97CEB4
; 

loc_97D51E:				; CODE XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+3B8j
		mov	esi, 0C0000034h
		jmp	short loc_97D516
_PiDevCfgResolveVariableKeyHandle@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgResolveVariableKeyValue(x, x, x)
_PiDevCfgResolveVariableKeyValue@12 proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	edx, [ebp+arg_4]
		lea	eax, [esp+14h+var_C]
		mov	ecx, [ebp+arg_0]
		and	[esp+14h+var_8], 0
		and	[esp+14h+var_10], 0
		and	[esp+14h+var_C], 0
		push	ebx
		push	esi
		push	edi
		push	eax
		call	_PiDevCfgResolveVariableKeyHandle@12 ; PiDevCfgResolveVariableKeyHandle(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97D6C1
		mov	ecx, [ebp+arg_4]
		lea	eax, [esp+20h+var_8]
		push	eax
		push	0
		mov	edx, (offset loc_8BAA0B+1)
		call	IopGetRegistryValue
		mov	ebx, [esp+20h+var_8]
		mov	esi, eax
		test	esi, esi
		js	loc_97D6B5
		mov	ecx, ebx
		call	_PnpValidateRegistryString@4 ; PnpValidateRegistryString(x)
		test	al, al
		jnz	short loc_97D593
		mov	esi, 0C0000001h
		jmp	loc_97D6B5
; 

loc_97D593:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+62j
		mov	edi, [ebx+8]
		add	edi, ebx
		cmp	word ptr [edi],	24h
		jnz	short loc_97D5DF
		mov	ecx, [ebp+arg_0]
		lea	eax, [esp+20h+var_8]
		and	[esp+20h+var_8], 0
		lea	edx, [edi+2]
		push	eax
		call	_PiDevCfgResolveVariable@12 ; PiDevCfgResolveVariable(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97D5D3
		mov	eax, [esp+20h+var_8]
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_97D5DF
		cmp	ecx, 2
		jbe	short loc_97D5CE
		cmp	ecx, 7
		jnz	short loc_97D5DF

loc_97D5CE:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+A2j
		mov	edi, [eax+18h]
		jmp	short loc_97D5DF
; 

loc_97D5D3:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+92j
		cmp	esi, 0C0000034h
		jnz	loc_97D6B5

loc_97D5DF:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+77j
					; PiDevCfgResolveVariableKeyValue(x,x,x)+9Dj ...
		mov	ecx, [esp+20h+var_C]
		lea	eax, [esp+20h+var_10]
		push	eax
		push	0
		mov	edx, edi
		call	IopGetRegistryValue
		mov	esi, eax
		test	esi, esi
		jns	short loc_97D62A
		mov	edi, 0C0000034h
		cmp	esi, edi
		jnz	short loc_97D624
		mov	ecx, [ebp+arg_4]
		lea	eax, [esp+20h+var_10]
		push	eax
		push	0
		mov	edx, (offset loc_8BA9F1+1)
		call	IopGetRegistryValue
		mov	esi, eax
		test	esi, esi
		jns	short loc_97D62A
		cmp	esi, edi
		jnz	short loc_97D624
		xor	esi, esi
		xor	edi, edi
		jmp	short loc_97D62E
; 

loc_97D624:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+D9j
					; PiDevCfgResolveVariableKeyValue(x,x,x)+F7j
		mov	edi, [esp+20h+var_10]
		jmp	short loc_97D6A9
; 

loc_97D62A:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+D0j
					; PiDevCfgResolveVariableKeyValue(x,x,x)+F3j
		mov	edi, [esp+20h+var_10]

loc_97D62E:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+FDj
		test	edi, edi
		jz	short loc_97D689
		mov	ecx, edi
		call	_PnpValidateRegistryValue@4 ; PnpValidateRegistryValue(x)
		test	al, al
		jnz	short loc_97D644
		mov	esi, 0C0000001h
		jmp	short loc_97D6A9
; 

loc_97D644:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+116j
		mov	eax, [edi+4]
		push	63647050h
		mov	[esp+24h+var_8], eax
		mov	eax, [edi+0Ch]
		push	eax
		push	1
		mov	[esp+2Ch+var_10], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+20h+var_4], ecx
		test	ecx, ecx
		jnz	short loc_97D670
		mov	esi, 0C000009Ah
		jmp	short loc_97D6A9
; 

loc_97D670:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+142j
		mov	eax, [edi+8]
		push	[esp+20h+var_10] ; size_t
		add	eax, edi
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	edx, [esp+2Ch+var_4]
		add	esp, 0Ch
		jmp	short loc_97D695
; 

loc_97D689:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+10Bj
		and	[esp+20h+var_8], 0
		and	[esp+20h+var_10], 0
		xor	edx, edx

loc_97D695:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+162j
		mov	eax, [ebp+arg_8]
		mov	ecx, [esp+20h+var_8]
		mov	[eax+10h], ecx
		mov	ecx, [esp+20h+var_10]
		mov	[eax+14h], ecx
		mov	[eax+18h], edx

loc_97D6A9:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+103j
					; PiDevCfgResolveVariableKeyValue(x,x,x)+11Dj ...
		test	edi, edi
		jz	short loc_97D6B5
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97D6B5:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+53j
					; PiDevCfgResolveVariableKeyValue(x,x,x)+69j ...
		test	ebx, ebx
		jz	short loc_97D6C1
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97D6C1:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+31j
					; PiDevCfgResolveVariableKeyValue(x,x,x)+192j
		cmp	[esp+20h+var_C], 0
		jz	short loc_97D6D1
		push	[esp+20h+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_97D6D1:				; CODE XREF: PiDevCfgResolveVariableKeyValue(x,x,x)+1A1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PiDevCfgResolveVariableKeyValue@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgResolveVariableSwitchCase(x, x, x)
_PiDevCfgResolveVariableSwitchCase@12 proc near

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	edx, offset ??_C@_1O@FAOGBCMN@?$AAS?$AAw?$AAi?$AAt?$AAc?$AAh@NNGAKEGL@
		push	esi
		mov	[esp+3Ch+var_28], eax
		mov	eax, [ebp+arg_8]
		push	edi
		mov	[esp+40h+var_20], eax
		lea	eax, [esp+40h+var_30]
		push	eax
		mov	[esp+44h+var_30], ecx
		mov	[esp+44h+var_2C], ecx
		mov	[esp+44h+var_24], ecx
		push	ecx
		mov	ecx, ebx
		call	IopGetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	loc_97D807
		mov	edi, [esp+40h+var_30]
		mov	ecx, edi
		call	_PnpValidateRegistryString@4 ; PnpValidateRegistryString(x)
		test	al, al
		jnz	short loc_97D749

loc_97D73F:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+92j
					; PiDevCfgResolveVariableSwitchCase(x,x,x)+F6j	...
		mov	esi, 0C0000001h
		jmp	loc_97D80B
; 

loc_97D749:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+61j
		mov	edx, [edi+8]
		lea	eax, [esp+40h+var_2C]
		mov	ecx, [esp+40h+var_28]
		add	edx, edi
		push	eax
		call	_PiDevCfgResolveVariable@12 ; PiDevCfgResolveVariable(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_97D770

loc_97D762:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+1A9j
		cmp	esi, 0C0000034h
		jnz	loc_97D80B
		jmp	short loc_97D73F
; 

loc_97D770:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+84j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [esp+40h+var_2C]
		and	[esp+40h+var_30], 0
		mov	eax, [edx+10h]
		test	eax, eax
		jz	short loc_97D7A3
		cmp	eax, 2
		jbe	loc_97D853
		cmp	eax, 4
		jz	loc_97D82D
		cmp	eax, 7
		jz	loc_97D853

loc_97D7A3:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+AAj
		xor	edx, edx

loc_97D7A5:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+17Aj
		test	edx, edx
		jz	short loc_97D7E3

loc_97D7A9:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+172j
		lea	eax, [esp+40h+var_30]
		mov	ecx, ebx
		push	eax
		push	0
		call	IopGetRegistryValue
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_97D7E3
		test	esi, esi
		js	short loc_97D807
		mov	edi, [esp+40h+var_30]
		mov	ecx, edi
		call	_PnpValidateRegistryString@4 ; PnpValidateRegistryString(x)
		test	al, al
		jz	loc_97D73F
		mov	edx, [edi+8]
		add	edx, edi
		jnz	loc_97D873

loc_97D7E3:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+CBj
					; PiDevCfgResolveVariableSwitchCase(x,x,x)+E3j	...
		lea	eax, [esp+40h+var_30]
		mov	edx, offset ??_C@_1BA@GHOECOCL@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt@NNGAKEGL@ ; "D"
		push	eax
		push	0
		mov	ecx, ebx
		call	IopGetRegistryValue
		mov	esi, eax
		test	esi, esi
		jns	short loc_97D85B
		cmp	esi, 0C0000034h
		jnz	short loc_97D807
		add	esi, 0FFFFFFCDh

loc_97D807:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+4Ej
					; PiDevCfgResolveVariableSwitchCase(x,x,x)+E7j	...
		mov	edi, [esp+40h+var_30]

loc_97D80B:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+68j
					; PiDevCfgResolveVariableSwitchCase(x,x,x)+8Cj	...
		test	edi, edi
		jz	short loc_97D817
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97D817:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+131j
		mov	ecx, [esp+40h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_97D82D:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+B8j
		mov	eax, [edx+18h]
		push	dword ptr [eax]	; char
		lea	eax, [esp+44h+var_1C]
		push	offset ??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@	; wchar_t *
		push	0Bh		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		test	eax, eax
		js	short loc_97D7E3
		lea	edx, [esp+40h+var_1C]
		jmp	loc_97D7A9
; 

loc_97D853:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+AFj
					; PiDevCfgResolveVariableSwitchCase(x,x,x)+C1j
		mov	edx, [edx+18h]
		jmp	loc_97D7A5
; 

loc_97D85B:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+11Ej
		mov	edi, [esp+40h+var_30]
		mov	ecx, edi
		call	_PnpValidateRegistryString@4 ; PnpValidateRegistryString(x)
		test	al, al
		jz	loc_97D73F
		mov	edx, [edi+8]
		add	edx, edi

loc_97D873:				; CODE XREF: PiDevCfgResolveVariableSwitchCase(x,x,x)+101j
		mov	ecx, [esp+40h+var_28]
		lea	eax, [esp+40h+var_24]
		push	eax
		call	_PiDevCfgResolveVariable@12 ; PiDevCfgResolveVariable(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97D762
		mov	edx, [esp+40h+var_24]
		mov	ecx, [esp+40h+var_20]
		call	_PiDevCfgCopyVariableData@8 ; PiDevCfgCopyVariableData(x,x)
		mov	esi, eax
		jmp	loc_97D80B
_PiDevCfgResolveVariableSwitchCase@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgSetDeviceRegProp(x,	x, x, x, x, x, x)
_PiDevCfgSetDeviceRegProp@28 proc near	; CODE XREF: PpDevCfgProcessDeviceOperations+6C8B8p
					; PiDevCfgProcessDeviceCallback+6C3FFp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [edx]
		mov	ecx, _PiPnpRtlCtx
		and	eax, 1
		shl	eax, 11h
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	dword ptr [edx+8]
		mov	edx, [edx+4]
		call	_PiPnpRtlSetDeviceRegProperty@32 ; PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)
		leave
		retn	14h
_PiDevCfgSetDeviceRegProp@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgSetObjectProperty(x, x, x, x, x, x,	x, x, x, x, x)
_PiDevCfgSetObjectProperty@44 proc near	; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+D6Cp
					; PiDevCfgConfigureDevice(x,x,x,x,x)+D9Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ecx, _PiPnpRtlCtx
		jnz	short loc_97D8F5
		cmp	[ebp+arg_4], 1
		jnz	short loc_97D8F5
		test	edx, edx
		jz	short loc_97D8F5
		test	byte ptr [edx],	1
		jz	short loc_97D8F5
		mov	eax, [ebp+arg_20]
		or	eax, 20000h
		jmp	short loc_97D8F8
; 

loc_97D8F5:				; CODE XREF: PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)+Bj
					; PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)+11j	...
		mov	eax, [ebp+arg_20]

loc_97D8F8:				; CODE XREF: PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)+24j
		mov	edx, [ebp+arg_0]
		push	eax
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	PiPnpRtlSetObjectProperty
		pop	ebp
		retn	24h
_PiDevCfgSetObjectProperty@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PiDevCfgSplitDriverConfigurationId(wchar_t *,int,int,int,int,int)
_PiDevCfgSplitDriverConfigurationId@24 proc near
					; CODE XREF: PiDevCfgCheckDeviceNeedsUpdate(x,x)+44Fp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		mov	[ebp+var_38], eax
		lea	edi, [ebp+var_2C]
		xor	eax, eax
		mov	[ebp+var_30], edx
		stosd
		xor	esi, esi
		push	3Ah		; wchar_t
		push	ecx		; wchar_t *
		mov	[ebp+var_34], ecx
		stosd
		stosd
		stosd
		call	_wcschr
		mov	[ebp+var_3C], eax
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_97D963

loc_97D959:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+C6j
					; PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+155j	...
		mov	esi, 0C0000001h
		jmp	loc_97DB16
; 

loc_97D963:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+3Ej
		mov	ecx, [ebp+var_30]
		test	ecx, ecx
		jz	short loc_97D9D0
		mov	edi, eax
		sub	edi, [ebp+var_34]
		and	edi, 0FFFFFFFEh
		lea	eax, [edi+2]
		cmp	eax, 0FFFEh
		jbe	short loc_97D986
		mov	esi, 0C0000106h
		jmp	loc_97DB16
; 

loc_97D986:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+61j
		movzx	eax, di
		mov	[ecx], ax
		add	eax, 2
		mov	[ecx+2], ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	ecx, eax
		mov	eax, [ebp+var_30]
		mov	[eax+4], ecx
		test	ecx, ecx
		jnz	short loc_97D9B2
		mov	esi, 0C000009Ah
		jmp	loc_97DB16
; 

loc_97D9B2:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+8Dj
		push	edi		; size_t
		push	[ebp+var_34]	; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [ebp+var_30]
		add	esp, 0Ch
		shr	edi, 1
		xor	ecx, ecx
		mov	eax, [eax+4]
		mov	[eax+edi*2], cx
		mov	eax, [ebp+var_3C]

loc_97D9D0:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+4Fj
		add	eax, 2
		push	2Ch		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_97D959
		lea	edi, [eax+2]
		push	2Ch		; wchar_t
		push	edi		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_97DA0D
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_97D9FB:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+EBj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_97D9FB
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [edi+ecx*2]

loc_97DA0D:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+DBj
		cmp	[eax], si
		jz	loc_97DB01
		mov	edi, [ebp+var_38]
		test	edi, edi
		jnz	short loc_97DA25
		test	ebx, ebx
		jz	loc_97DB16

loc_97DA25:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+102j
		add	eax, 2
		push	2Ch		; wchar_t
		push	eax		; wchar_t *
		mov	[ebp+var_34], eax
		call	_wcschr
		mov	edx, [ebp+var_34]
		mov	[ebp+var_30], eax
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_97DA5D
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[ebp+var_3C], eax

loc_97DA47:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+137j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_97DA47
		sub	ecx, [ebp+var_3C]
		sar	ecx, 1
		lea	eax, [edx+ecx*2]
		mov	[ebp+var_30], eax

loc_97DA5D:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+124j
		test	edi, edi
		jz	short loc_97DAC8
		mov	edi, eax
		sub	edi, edx
		and	edi, 0FFFFFFFEh
		lea	eax, [edi+2]
		cmp	eax, 16h
		ja	loc_97D959
		push	edi		; size_t
		push	edx		; void *
		lea	eax, [ebp+var_1C]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	edi, 16h
		jnb	short loc_97DAFC
		xor	eax, eax
		mov	word ptr [ebp+edi+var_1C], ax
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_2C+2]
		push	eax
		lea	eax, [ebp+var_1C]
		push	offset ??_C@_1BI@CHKFBIMA@?$AA?$CF?$AAh?$AAu?$AA?1?$AA?$CF?$AAh?$AAu?$AA?1?$AA?$CF?$AAh?$AAu@NNGAKEGL@
		push	eax
		call	_swscanf_s
		add	esp, 14h
		cmp	eax, 3
		jnz	loc_97D959
		push	[ebp+var_38]
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlTimeFieldsToTime@8 ; RtlTimeFieldsToTime(x,x)
		test	al, al
		jz	loc_97D959

loc_97DAC8:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+146j
		test	ebx, ebx
		jz	short loc_97DB16
		mov	ecx, [ebp+var_30]
		cmp	[ecx], si
		jz	short loc_97DB11
		push	ebx
		lea	eax, [ebx+2]
		push	eax
		lea	eax, [ebx+4]
		push	eax
		lea	eax, [ebx+6]
		push	eax
		lea	eax, [ecx+2]
		push	offset ??_C@_1CA@EEKMHEGJ@?$AA?$CF?$AAh?$AAu?$AA?4?$AA?$CF?$AAh?$AAu?$AA?4?$AA?$CF?$AAh?$AAu?$AA?4?$AA?$CF?$AAh?$AAu@NNGAKEGL@
		push	eax
		call	_swscanf_s
		add	esp, 18h
		cmp	eax, 4
		jz	short loc_97DB16
		jmp	loc_97D959
; 

loc_97DAFC:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+16Cj
		call	___report_rangecheckfailure

loc_97DB01:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+F7j
		mov	eax, [ebp+var_38]
		test	eax, eax
		jz	short loc_97DB0D
		mov	[eax], esi
		mov	[eax+4], esi

loc_97DB0D:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+1EDj
		test	ebx, ebx
		jz	short loc_97DB16

loc_97DB11:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+1B9j
		mov	[ebx], esi
		mov	[ebx+4], esi

loc_97DB16:				; CODE XREF: PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+45j
					; PiDevCfgSplitDriverConfigurationId(x,x,x,x,x,x)+68j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PiDevCfgSplitDriverConfigurationId@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgVerifyDeviceAllowed(x, x)
_PiDevCfgVerifyDeviceAllowed@8 proc near
					; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+B10p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_C], ecx
		lea	edi, [ebp+var_24]
		mov	[ebp+var_10], (offset loc_8BA67D+1)
		stosd
		xor	ecx, ecx
		push	0Eh
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		mov	esi, ecx
		mov	[ebp+var_4], ecx
		stosd
		mov	[ebp+var_3C], 18h
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], 240h
		stosd
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ecx
		stosd
		pop	eax
		push	0Ch
		mov	word ptr [ebp+var_14+2], ax
		mov	edi, ecx
		pop	eax
		mov	word ptr [ebp+var_14], ax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_97DBE5
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_24]
		push	eax
		mov	edx, ebx
		call	_PiDevCfgInitResolveContext@12 ; PiDevCfgInitResolveContext(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97DBE5
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	offset ??_C@_1BA@BNFIHHGN@?$AAB?$AAl?$AAo?$AAc?$AAk?$AAe?$AAd@NNGAKEGL@
		lea	ecx, [ebp+var_24]
		call	_PiDevCfgQueryResolveValue@16 ;	PiDevCfgQueryResolveValue(x,x,x,x)
		test	eax, eax
		js	short loc_97DBE5
		mov	ecx, [ebp+var_8]
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_97DBD4
		mov	eax, [ecx+8]
		mov	edi, [ecx+eax]

loc_97DBD4:				; CODE XREF: PiDevCfgVerifyDeviceAllowed(x,x)+A3j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jz	short loc_97DBE5
		mov	esi, 0C000036Ch

loc_97DBE5:				; CODE XREF: PiDevCfgVerifyDeviceAllowed(x,x)+6Bj
					; PiDevCfgVerifyDeviceAllowed(x,x)+7Fj	...
		lea	ecx, [ebp+var_24]
		call	_PiDevCfgFreeResolveContext@4 ;	PiDevCfgFreeResolveContext(x)
		cmp	[ebp+var_4], 0
		jz	short loc_97DBFB
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_97DBFB:				; CODE XREF: PiDevCfgVerifyDeviceAllowed(x,x)+C8j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiDevCfgVerifyDeviceAllowed@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgVerifyFeatureScore(x, x, x)
_PiDevCfgVerifyFeatureScore@12 proc near
					; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+8C0p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bl, [ecx+3Ah]
		xor	eax, eax
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_97DC1E

loc_97DC14:				; CODE XREF: PiDevCfgVerifyFeatureScore(x,x,x)+1Aj
		cmp	[eax+edx], bl
		jz	short loc_97DC1E
		inc	eax
		cmp	eax, ecx
		jb	short loc_97DC14

loc_97DC1E:				; CODE XREF: PiDevCfgVerifyFeatureScore(x,x,x)+10j
					; PiDevCfgVerifyFeatureScore(x,x,x)+15j
		cmp	eax, ecx
		pop	ebx
		sbb	eax, eax
		and	eax, 3FFFFBDCh
		add	eax, 0C0000424h
		pop	ebp
		retn	4
_PiDevCfgVerifyFeatureScore@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDevCfgVerifyService(x, x,	x)
_PiDevCfgVerifyService@12 proc near	; CODE XREF: PiDevCfgQueryDriverConfiguration(x)+2C3p
					; PiDevCfgQueryDriverConfiguration(x)+2F0p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	eax, edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], ebx
		push	4
		pop	edx
		mov	[ebp+var_10], edx
		test	eax, eax
		jz	short loc_97DC5E
		mov	[eax], bl

loc_97DC5E:				; CODE XREF: PiDevCfgVerifyService(x,x,x)+29j
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	short loc_97DC68
		and	dword ptr [ebx], 0

loc_97DC68:				; CODE XREF: PiDevCfgVerifyService(x,x,x)+32j
		push	ecx
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	0
		push	0
		lea	eax, [ebp+var_8]
		mov	edx, 20019h
		push	eax
		lea	ecx, [ebp+var_1C]
		call	PipOpenServiceEnumKeys
		mov	edi, [ebp+var_8]
		mov	esi, eax
		test	esi, esi
		js	loc_97DD78
		lea	eax, [ebp+var_4]
		mov	edx, offset ??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@NNGAKEGL@
		push	eax
		push	0
		mov	ecx, edi
		call	IopGetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	loc_97DD78
		mov	ecx, [ebp+var_4]
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_97DCC7
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	[ebp+var_C], eax
		jmp	short loc_97DCCC
; 

loc_97DCC7:				; CODE XREF: PiDevCfgVerifyService(x,x,x)+89j
		mov	esi, 0C0000001h

loc_97DCCC:				; CODE XREF: PiDevCfgVerifyService(x,x,x)+94j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	loc_97DD78
		test	byte ptr [ebp+var_C], 0Bh
		jnz	short loc_97DCEC

loc_97DCE2:				; CODE XREF: PiDevCfgVerifyService(x,x,x)+101j
		mov	esi, 0C0000001h
		jmp	loc_97DD78
; 

loc_97DCEC:				; CODE XREF: PiDevCfgVerifyService(x,x,x)+AFj
		lea	eax, [ebp+var_4]
		mov	edx, offset ??_C@_1M@IOJLKPKK@?$AAS?$AAt?$AAa?$AAr?$AAt@NNGAKEGL@
		push	eax
		push	0
		mov	ecx, edi
		call	IopGetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	short loc_97DD78
		mov	ecx, [ebp+var_4]
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_97DD1B
		mov	eax, [ecx+8]
		mov	edx, [ecx+eax]
		mov	[ebp+var_10], edx
		jmp	short loc_97DD20
; 

loc_97DD1B:				; CODE XREF: PiDevCfgVerifyService(x,x,x)+DDj
		mov	esi, 0C0000001h

loc_97DD20:				; CODE XREF: PiDevCfgVerifyService(x,x,x)+E8j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	short loc_97DD78
		mov	eax, [ebp+var_10]
		cmp	eax, 4
		ja	short loc_97DCE2
		mov	ecx, [ebp+var_14]
		test	ecx, ecx
		jz	short loc_97DD42
		test	eax, eax
		setz	al
		mov	[ecx], al

loc_97DD42:				; CODE XREF: PiDevCfgVerifyService(x,x,x)+108j
		test	ebx, ebx
		jz	short loc_97DD78
		lea	eax, [ebp+var_4]
		mov	edx, offset ??_C@_1BC@JLNJLCPI@?$AAP?$AAn?$AAp?$AAF?$AAl?$AAa?$AAg?$AAs@NNGAKEGL@ ; "PnpFlags"
		push	eax
		push	0
		mov	ecx, edi
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_97DD78
		mov	ecx, [ebp+var_4]
		call	_PnpValidateRegistryDword@4 ; PnpValidateRegistryDword(x)
		test	al, al
		jz	short loc_97DD70
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	[ebx], eax

loc_97DD70:				; CODE XREF: PiDevCfgVerifyService(x,x,x)+135j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97DD78:				; CODE XREF: PiDevCfgVerifyService(x,x,x)+5Dj
					; PiDevCfgVerifyService(x,x,x)+79j ...
		test	edi, edi
		jz	short loc_97DD82
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_97DD82:				; CODE XREF: PiDevCfgVerifyService(x,x,x)+149j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiDevCfgVerifyService@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpDevCfgCheckDeviceNeedsUpdate(x, x, x)
_PpDevCfgCheckDeviceNeedsUpdate@12 proc	near ; CODE XREF: PiProcessNewDeviceNode+6EB75p

var_24		= dword	ptr -24h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		xor	eax, eax
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		push	9
		pop	ecx
		rep stosd
		lea	eax, [ebp+var_24]
		mov	ecx, esi
		push	eax
		call	_PiDevCfgInitDeviceContext@12 ;	PiDevCfgInitDeviceContext(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97DDBF
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_24]
		call	_PiDevCfgCheckDeviceNeedsUpdate@8 ; PiDevCfgCheckDeviceNeedsUpdate(x,x)
		mov	esi, eax

loc_97DDBF:				; CODE XREF: PpDevCfgCheckDeviceNeedsUpdate(x,x,x)+25j
		lea	ecx, [ebp+var_24]
		call	PiDevCfgFreeDeviceContext
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
_PpDevCfgCheckDeviceNeedsUpdate@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpDevCfgProcessDevice(x, x,	x)
_PpDevCfgProcessDevice@12 proc near	; CODE XREF: PipProcessStartPhase3+6DF41p
					; PiProcessNewDeviceNode+6EC26p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_PiDevCfgMode, 0
		jnz	short loc_97DDE5
		mov	eax, 0C00000BBh
		jmp	short loc_97DDED
; 

loc_97DDE5:				; CODE XREF: PpDevCfgProcessDevice(x,x,x)+Dj
		push	[ebp+arg_0]
		call	_PiDevCfgProcessDevice@12 ; PiDevCfgProcessDevice(x,x,x)

loc_97DDED:				; CODE XREF: PpDevCfgProcessDevice(x,x,x)+14j
		pop	ecx
		pop	ebp
		retn	4
_PpDevCfgProcessDevice@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpDevCfgProcessDeviceClass(x)
_PpDevCfgProcessDeviceClass@4 proc near	; CODE XREF: PiConfigureDevice(x)+69j

var_84		= dword	ptr -84h
var_7C		= dword	ptr -7Ch
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_3C], 1
		mov	edx, ecx
		lea	edi, [ebp+var_84]
		push	9
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_14]
		mov	[ebp+var_24], edx
		stosd
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_44], ebx
		stosd
		mov	[ebp+var_40], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_18], ebx
		stosd
		mov	[ebp+var_20], ebx
		mov	[ebp+var_2C], ebx
		stosd
		xor	eax, eax
		mov	edi, ebx
		mov	[ebp+var_34], eax
		mov	[ebp+var_38], eax
		cmp	ds:_PiDevCfgMode, eax
		jnz	short loc_97DE5D
		mov	esi, ebx
		jmp	loc_97E057
; 

loc_97DE5D:				; CODE XREF: PpDevCfgProcessDeviceClass(x)+62j
		mov	ecx, [edx+18h]
		test	ecx, ecx
		jnz	short loc_97DE6E
		mov	esi, 0C0000010h
		jmp	loc_97E057
; 

loc_97DE6E:				; CODE XREF: PpDevCfgProcessDeviceClass(x)+70j
		lea	eax, [ebp+var_84]
		xor	edx, edx
		push	eax
		call	_PiDevCfgInitDeviceContext@12 ;	PiDevCfgInitDeviceContext(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97E057
		mov	eax, [ebp+var_7C]
		lea	ecx, [ebp+var_14]
		mov	edx, [ebp+var_24]
		push	1
		mov	[ebp+var_54], ecx
		lea	ecx, [ebp+var_5C]
		push	ecx
		mov	edx, [edx+18h]
		push	eax
		push	1
		mov	[ebp+var_60], eax
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_5C], offset _DEVPKEY_Device_ClassGuid
		mov	[ebp+var_58], 0Dh
		mov	[ebp+var_50], 10h
		call	PiDevCfgQueryObjectProperties
		mov	esi, eax
		test	esi, esi
		js	loc_97E057
		cmp	[ebp+var_48], ebx
		jl	short loc_97DF1D
		push	1
		lea	edx, [ebp+var_34]
		lea	ecx, [ebp+var_14]
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97E057
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_1C]
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	ebx
		push	eax
		push	ebx
		push	20019h
		push	2
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_97DF15
		mov	[ebp+var_1C], ebx
		jmp	loc_97DFAC
; 

loc_97DF15:				; CODE XREF: PpDevCfgProcessDeviceClass(x)+119j
		test	esi, esi
		js	loc_97E057

loc_97DF1D:				; CODE XREF: PpDevCfgProcessDeviceClass(x)+DCj
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	loc_97DFAC
		push	1Ch
		pop	ecx
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_44]
		push	1Ah
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_5C]
		mov	word ptr [ebp+var_44+2], cx
		pop	ecx
		push	eax
		push	20019h
		lea	eax, [ebp+var_28]
		mov	word ptr [ebp+var_44], cx
		push	eax
		mov	[ebp+var_40], offset ??_C@_1BM@ICBIINEM@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		mov	[ebp+var_5C], 18h
		mov	[ebp+var_50], 240h
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_97DFAC
		test	esi, esi
		js	loc_97E057
		mov	ecx, [ebp+var_24]
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	0FFFFFFFFh
		push	[ebp+var_28]
		lea	edx, [ebp+var_84]
		call	_PiDevCfgConfigureDeviceKeys@24	; PiDevCfgConfigureDeviceKeys(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97E057
		mov	eax, [ebp+var_20]
		mov	edi, [ebp+var_18]
		mov	[ebp+var_38], eax

loc_97DFAC:				; CODE XREF: PpDevCfgProcessDeviceClass(x)+11Ej
					; PpDevCfgProcessDeviceClass(x)+130j ...
		mov	ecx, [ebp+var_24]
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	edx, [ebp+var_84]
		call	_PiDevCfgConfigureDeviceLocation@16 ; PiDevCfgConfigureDeviceLocation(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_97E057
		mov	eax, [ebp+var_38]
		or	eax, [ebp+var_20]
		or	edi, [ebp+var_18]
		test	al, 2
		jnz	short loc_97DFFB
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_97DFFB
		mov	edx, [ebp+var_1C]
		test	edx, edx
		jz	short loc_97DFFB
		lea	ecx, [ebp+var_18]
		push	ecx
		mov	ecx, eax
		call	_PiDevCfgGetDeviceClassConfigFlags@12 ;	PiDevCfgGetDeviceClassConfigFlags(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_97E057
		or	edi, [ebp+var_18]

loc_97DFFB:				; CODE XREF: PpDevCfgProcessDeviceClass(x)+1E5j
					; PpDevCfgProcessDeviceClass(x)+1ECj ...
		test	edi, edi
		jz	short loc_97E057
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_2C]
		push	ebx
		push	eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_2C], 4
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		mov	eax, [ebp+var_24]
		push	0Bh
		push	[ebp+var_60]
		mov	edx, [eax+18h]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_97E03C
		cmp	[ebp+var_3C], 4
		jnz	short loc_97E03C
		cmp	[ebp+var_2C], 4
		jnz	short loc_97E03C
		mov	ebx, [ebp+var_18]

loc_97E03C:				; CODE XREF: PpDevCfgProcessDeviceClass(x)+239j
					; PpDevCfgProcessDeviceClass(x)+23Fj ...
		push	ecx
		push	4
		lea	eax, [ebp+var_18]
		or	ebx, edi
		push	eax
		push	4
		push	0Bh
		lea	edx, [ebp+var_84]
		mov	[ebp+var_18], ebx
		call	_PiDevCfgSetDeviceRegProp@28 ; PiDevCfgSetDeviceRegProp(x,x,x,x,x,x,x)

loc_97E057:				; CODE XREF: PpDevCfgProcessDeviceClass(x)+66j
					; PpDevCfgProcessDeviceClass(x)+77j ...
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_28], 0
		jz	short loc_97E06E
		push	[ebp+var_28]
		call	_ZwClose@4	; ZwClose(x)

loc_97E06E:				; CODE XREF: PpDevCfgProcessDeviceClass(x)+272j
		cmp	[ebp+var_1C], 0
		jz	short loc_97E07C
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_97E07C:				; CODE XREF: PpDevCfgProcessDeviceClass(x)+280j
		lea	ecx, [ebp+var_84]
		call	PiDevCfgFreeDeviceContext
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpDevCfgProcessDeviceClass@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpDevCfgProcessDeviceExtensions(x)
_PpDevCfgProcessDeviceExtensions@4 proc	near ; CODE XREF: PiConfigureDevice(x)+63j

var_C0		= dword	ptr -0C0h
var_B8		= dword	ptr -0B8h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_1C], ebx
		xor	eax, eax
		mov	[ebp+var_60], 1
		mov	[ebp+var_44], eax
		push	9
		pop	ecx
		lea	edi, [ebp+var_C0]
		mov	[ebp+var_4C], eax
		rep stosd
		mov	[ebp+var_68], eax
		lea	edi, [ebp+var_14]
		mov	[ebp+var_70], eax
		xor	esi, esi
		mov	[ebp+var_78], eax
		mov	[ebp+var_80], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_38], eax
		stosd
		mov	[ebp+var_40], esi
		mov	[ebp+var_24], esi
		stosd
		mov	[ebp+var_48], esi
		mov	[ebp+var_64], esi
		mov	[ebp+var_6C], esi
		stosd
		mov	[ebp+var_74], esi
		mov	[ebp+var_7C], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_58], esi
		mov	[ebp+var_34], esi
		stosd
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_3C], esi
		cmp	ds:_PiDevCfgMode, esi
		jnz	short loc_97E129
		mov	edi, esi
		jmp	loc_97E615
; 

loc_97E129:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+88j
		mov	ecx, [ebx+18h]
		test	ecx, ecx
		jnz	short loc_97E13A
		mov	edi, 0C0000010h
		jmp	loc_97E615
; 

loc_97E13A:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+96j
		lea	eax, [ebp+var_C0]
		xor	edx, edx
		push	eax
		call	_PiDevCfgInitDeviceContext@12 ;	PiDevCfgInitDeviceContext(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_97E609
		mov	eax, [ebp+var_B8]
		lea	ecx, [ebp+var_44]
		mov	edx, [ebx+18h]
		push	1
		mov	[ebp+var_90], ecx
		lea	ecx, [ebp+var_98]
		push	ecx
		push	eax
		push	1
		mov	[ebp+var_2C], eax
		mov	[ebp+var_8C], esi
		mov	[ebp+var_84], esi
		mov	[ebp+var_98], offset _DEVPKEY_Device_PendingConfigurationIds ; "&cڃ@S?W;)\v"
		mov	[ebp+var_94], 2012h
		mov	[ebp+var_88], 6
		call	PiDevCfgQueryObjectProperties
		mov	edi, eax
		test	edi, edi
		js	loc_97E609
		cmp	[ebp+var_84], esi
		jge	short loc_97E1BE
		push	esi
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_97E1BE:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+11Aj
		mov	edx, [ebp+var_40]
		lea	eax, [ebp+var_24]
		push	eax
		lea	ecx, [ebp+var_C0]
		call	_PiDevCfgFindDeviceDriver@12 ; PiDevCfgFindDeviceDriver(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_97E609
		mov	eax, [ebp+var_24]
		sub	eax, 0FFFFFF80h
		mov	ebx, [eax]
		cmp	ebx, eax
		jz	loc_97E4C5

loc_97E1EA:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+266j
		mov	ecx, ebx
		call	_PiDevCfgQueryDriverConfiguration@4 ; PiDevCfgQueryDriverConfiguration(x)
		mov	edi, eax
		cmp	edi, 0C0000493h
		jnz	short loc_97E205
		push	1
		lea	ecx, [ebp+var_4C]
		jmp	loc_97E2D5
; 

loc_97E205:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+161j
		test	edi, edi
		js	loc_97E609
		cmp	[ebx+0B4h], esi
		jz	short loc_97E21E
		and	dword ptr [ebx+6Ch], 0FFFFFFFEh
		jmp	loc_97E2EB
; 

loc_97E21E:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+17Bj
		cmp	[ebx+0BCh], esi
		jz	short loc_97E242
		push	esi		; void *
		lea	eax, [ebx+0B8h]
		xor	edx, edx
		push	eax		; size_t
		lea	ecx, [ebp+var_68]
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_97E609

loc_97E242:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+18Cj
		cmp	[ebx+0C4h], esi
		jz	short loc_97E266
		push	esi		; void *
		lea	eax, [ebx+0C0h]
		xor	edx, edx
		push	eax		; size_t
		lea	ecx, [ebp+var_70]
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_97E609

loc_97E266:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+1B0j
		cmp	[ebx+0CCh], esi
		jz	short loc_97E28A
		push	esi		; void *
		lea	eax, [ebx+0C8h]
		xor	edx, edx
		push	eax		; size_t
		lea	ecx, [ebp+var_78]
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_97E609

loc_97E28A:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+1D4j
		cmp	[ebx+0D4h], esi
		jz	short loc_97E2AE
		push	esi		; void *
		lea	eax, [ebx+0D0h]
		xor	edx, edx
		push	eax		; size_t
		lea	ecx, [ebp+var_80]
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_97E609

loc_97E2AE:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+1F8j
		mov	eax, [ebp+var_18]
		lea	edx, [ebx+14h]
		or	eax, [ebx+0E0h]
		lea	ecx, [ebp+var_54]
		push	esi		; void *
		push	esi		; size_t
		mov	[ebp+var_18], eax
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_97E609
		push	esi		; void *
		lea	ecx, [ebp+var_5C]

loc_97E2D5:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+168j
		push	esi		; size_t
		lea	edx, [ebx+0E8h]
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_97E609

loc_97E2EB:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+181j
		mov	eax, [ebp+var_18]
		mov	ebx, [ebx]
		mov	[ebp+var_9C], eax
		mov	eax, [ebp+var_24]
		sub	eax, 0FFFFFF80h
		cmp	ebx, eax
		jnz	loc_97E1EA
		test	edi, edi
		js	loc_97E609
		mov	ebx, [ebp+var_2C]
		cmp	[ebp+var_48], esi
		jz	short loc_97E356
		movzx	eax, word ptr [ebp+var_4C]
		mov	edx, [ebp+var_1C]
		push	esi
		push	eax
		push	[ebp+var_48]
		push	2012h
		push	offset _DEVPKEY_Device_RequestConfigurationIds
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	1
		push	dword ptr [edx+18h]
		lea	edx, [ebp+var_C0]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_97E609
		mov	edi, 0C0000493h
		jmp	loc_97E609
; 

loc_97E356:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+27Aj
		lea	eax, [ebp+var_68]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_8], eax
		mov	eax, esi
		mov	[ebp+var_18], eax

loc_97E373:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+3BCj
		mov	ecx, [ebp+eax+var_14]
		mov	[ebp+var_30], ecx
		cmp	[ecx+4], esi
		jz	loc_97E44B
		mov	eax, ds:off_A93428[eax]
		mov	edx, [ebp+var_1C]
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_38]
		push	1
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_98]
		mov	edx, [edx+18h]
		push	eax
		push	ebx
		push	1
		mov	[ebp+var_8C], esi
		mov	[ebp+var_84], esi
		mov	[ebp+var_94], 2012h
		mov	[ebp+var_88], 6
		call	PiDevCfgQueryObjectProperties
		mov	edi, eax
		test	edi, edi
		js	loc_97E609
		cmp	[ebp+var_84], esi
		jge	short loc_97E3EB
		push	esi
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_97E3EB:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+347j
		push	esi		; void *
		push	[ebp+var_30]	; size_t
		xor	edx, edx
		lea	ecx, [ebp+var_38]
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_97E609
		movzx	eax, word ptr [ebp+var_38]
		lea	edx, [ebp+var_C0]
		push	esi
		push	eax
		push	[ebp+var_34]
		mov	eax, [ebp+var_18]
		push	2012h
		push	ds:off_A93428[eax]
		mov	eax, [ebp+var_1C]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_97E609
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [ebp+var_18]

loc_97E44B:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+2E5j
		add	eax, 4
		mov	[ebp+var_18], eax
		cmp	eax, 10h
		jb	loc_97E373
		mov	edx, [ebp+var_24]
		mov	ebx, [ebp+var_9C]
		mov	[ebp+var_18], ebx
		lea	eax, [edx+80h]
		mov	ecx, [eax]
		mov	[ebp+var_28], ecx
		cmp	ecx, eax
		jz	short loc_97E4B7
		mov	[ebp+var_18], ebx

loc_97E478:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+41Dj
		test	byte ptr [ecx+6Ch], 1
		jz	short loc_97E4A8
		push	esi
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_1C]
		lea	edx, [ebp+var_C0]
		call	_PiDevCfgConfigureDeviceDriver@20 ; PiDevCfgConfigureDeviceDriver(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_97E609
		or	ebx, [ebp+var_20]
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_28]
		mov	[ebp+var_18], ebx

loc_97E4A8:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+3E4j
		mov	ecx, [ecx]
		lea	eax, [edx+80h]
		mov	[ebp+var_28], ecx
		cmp	ecx, eax
		jnz	short loc_97E478

loc_97E4B7:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+3DBj
		mov	ax, word ptr [ebp+var_54]
		mov	[ebp+var_28], eax
		mov	ax, word ptr [ebp+var_5C]
		mov	[ebp+var_30], eax

loc_97E4C5:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+14Cj
		mov	ebx, [ebp+var_2C]
		cmp	[ebp+var_40], esi
		jz	short loc_97E4F1
		mov	eax, [ebp+var_1C]
		lea	edx, [ebp+var_C0]
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset _DEVPKEY_Device_PendingConfigurationIds ; "&cڃ@S?W;)\v"
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	1
		push	dword ptr [eax+18h]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_97E4F1:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+433j
		mov	eax, [ebp+var_1C]
		mov	edx, [ebp+var_50]
		push	esi
		mov	ecx, [eax+18h]
		test	edx, edx
		jz	short loc_97E533
		mov	eax, [ebp+var_28]
		movzx	eax, ax
		push	eax
		push	edx
		push	2012h
		push	offset _DEVPKEY_Device_DriverExtendedInfs
		push	ecx
		push	ebx
		push	1
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	edx, [ebp+var_C0]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_97E609
		jmp	short loc_97E551
; 

loc_97E533:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+465j
		push	esi
		push	esi
		push	esi
		push	offset _DEVPKEY_Device_DriverExtendedInfs
		push	ecx
		push	ebx
		push	1
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	edx, [ebp+var_C0]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_97E551:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+499j
		mov	eax, [ebp+var_1C]
		mov	edx, [ebp+var_58]
		push	esi
		mov	ecx, [eax+18h]
		test	edx, edx
		jz	short loc_97E58F
		mov	eax, [ebp+var_30]
		movzx	eax, ax
		push	eax
		push	edx
		push	2012h
		push	offset _DEVPKEY_Device_ExtendedConfigurationIds
		push	ecx
		push	ebx
		push	1
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	edx, [ebp+var_C0]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_97E609
		jmp	short loc_97E5AD
; 

loc_97E58F:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+4C5j
		push	esi
		push	esi
		push	esi
		push	offset _DEVPKEY_Device_ExtendedConfigurationIds
		push	ecx
		push	ebx
		push	1
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	edx, [ebp+var_C0]
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_97E5AD:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+4F5j
		cmp	[ebp+var_18], esi
		jz	short loc_97E609
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_3C]
		push	esi
		push	eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_3C], 4
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		mov	eax, [ebp+var_1C]
		push	0Bh
		push	ebx
		mov	edx, [eax+18h]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_97E5ED
		cmp	[ebp+var_60], 4
		jnz	short loc_97E5ED
		cmp	[ebp+var_3C], 4
		jnz	short loc_97E5ED
		mov	esi, [ebp+var_20]

loc_97E5ED:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+544j
					; PpDevCfgProcessDeviceExtensions(x)+54Aj ...
		or	esi, [ebp+var_18]
		lea	eax, [ebp+var_20]
		push	ecx
		push	4
		push	eax
		push	4
		push	0Bh
		lea	edx, [ebp+var_C0]
		mov	[ebp+var_20], esi
		call	_PiDevCfgSetDeviceRegProp@28 ; PiDevCfgSetDeviceRegProp(x,x,x,x,x,x,x)

loc_97E609:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+B4j
					; PpDevCfgProcessDeviceExtensions(x)+10Ej ...
		mov	ecx, [ebp+var_24]
		test	ecx, ecx
		jz	short loc_97E615
		call	_PiDevCfgFreeDriverNode@4 ; PiDevCfgFreeDriverNode(x)

loc_97E615:				; CODE XREF: PpDevCfgProcessDeviceExtensions(x)+8Cj
					; PpDevCfgProcessDeviceExtensions(x)+9Dj ...
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_68]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_70]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_78]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_80]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_54]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_5C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_4C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	ecx, [ebp+var_C0]
		call	PiDevCfgFreeDeviceContext
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpDevCfgProcessDeviceExtensions@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpDevCfgProcessDeviceReset(x)
_PpDevCfgProcessDeviceReset@4 proc near	; CODE XREF: PiConfigureDevice(x)+5Dj

var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_74]
		mov	edx, ecx
		xor	esi, esi
		push	9
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_14]
		mov	[ebp+var_18], edx
		stosd
		mov	[ebp+var_34], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		stosd
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		stosd
		stosd
		xor	eax, eax
		xor	edi, edi
		mov	[ebp+var_24], eax
		inc	edi
		mov	[ebp+var_38], edi
		cmp	ds:_PiDevCfgMode, eax
		jnz	short loc_97E6D8
		mov	ebx, esi
		jmp	loc_97E876
; 

loc_97E6D8:				; CODE XREF: PpDevCfgProcessDeviceReset(x)+4Dj
		mov	ecx, [edx+18h]
		test	ecx, ecx
		jnz	short loc_97E6E9
		mov	ebx, 0C0000010h
		jmp	loc_97E876
; 

loc_97E6E9:				; CODE XREF: PpDevCfgProcessDeviceReset(x)+5Bj
		lea	eax, [ebp+var_74]
		xor	edx, edx
		push	eax
		call	_PiDevCfgInitDeviceContext@12 ;	PiDevCfgInitDeviceContext(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_97E876
		mov	eax, [ebp+var_6C]
		lea	ecx, [ebp+var_14]
		mov	edx, [ebp+var_18]
		push	edi
		mov	[ebp+var_48], ecx
		lea	ecx, [ebp+var_50]
		push	ecx
		mov	edx, [edx+18h]
		push	eax
		push	edi
		mov	[ebp+var_28], eax
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_50], offset _DEVPKEY_Device_ClassGuid
		mov	[ebp+var_4C], 0Dh
		mov	[ebp+var_44], 10h
		call	PiDevCfgQueryObjectProperties
		mov	ebx, eax
		test	ebx, ebx
		js	loc_97E876
		cmp	[ebp+var_3C], esi
		jl	short loc_97E785
		push	edi
		lea	edx, [ebp+var_24]
		lea	ecx, [ebp+var_14]
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_97E876
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_34]
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	esi
		push	eax
		push	esi
		push	20019h
		push	2
		call	_PnpOpenObjectRegKey
		test	eax, eax
		jns	short loc_97E78E
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_97E785:				; CODE XREF: PpDevCfgProcessDeviceReset(x)+C2j
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd

loc_97E78E:				; CODE XREF: PpDevCfgProcessDeviceReset(x)+F8j
		mov	eax, [ebp+var_20]
		lea	ecx, [ebp+var_24]
		neg	eax
		lea	edx, [ebp+var_74]
		push	esi
		sbb	eax, eax
		and	eax, ecx
		lea	ecx, [ebp+var_30]
		push	ecx
		mov	ecx, [ebp+var_18]
		push	esi
		push	eax
		call	_PiDevCfgMigrateDevice@24 ; PiDevCfgMigrateDevice(x,x,x,x,x,x)
		mov	edi, esi
		test	eax, eax
		js	short loc_97E7B5
		mov	edi, [ebp+var_30]

loc_97E7B5:				; CODE XREF: PpDevCfgProcessDeviceReset(x)+12Ej
		mov	eax, [ebp+var_20]
		lea	ecx, [ebp+var_14]
		neg	eax
		lea	edx, [ebp+var_74]
		push	esi		; int
		push	[ebp+var_34]	; int
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, [ebp+var_18]
		push	eax		; void *
		call	_PiDevCfgResetDeviceDriverSettings@20 ;	PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_97E7E6
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_97E7E6
		mov	eax, [eax+4]
		jmp	short loc_97E7E8
; 

loc_97E7E6:				; CODE XREF: PpDevCfgProcessDeviceReset(x)+156j
					; PpDevCfgProcessDeviceReset(x)+15Dj
		mov	eax, esi

loc_97E7E8:				; CODE XREF: PpDevCfgProcessDeviceReset(x)+162j
		mov	ecx, [ebp+var_28]
		mov	edx, offset ??_C@_1BA@HICHNCPO@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@NNGAKEGL@ ; "Devices"
		push	esi
		push	eax
		call	_RegRtlDeleteTreeInternal
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_97E80C
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_97E80C
		mov	eax, [eax+4]
		jmp	short loc_97E80E
; 

loc_97E80C:				; CODE XREF: PpDevCfgProcessDeviceReset(x)+17Cj
					; PpDevCfgProcessDeviceReset(x)+183j
		mov	eax, esi

loc_97E80E:				; CODE XREF: PpDevCfgProcessDeviceReset(x)+188j
		mov	ecx, [ebp+var_28]
		mov	edx, offset ??_C@_1BA@DJLBFCNB@?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@NNGAKEGL@ ; "F"
		push	esi
		push	eax
		call	_RegRtlDeleteTreeInternal
		test	edi, edi
		jz	short loc_97E876
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_2C]
		push	esi
		push	eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_2C], 4
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		mov	eax, [ebp+var_18]
		push	0Bh
		push	[ebp+var_28]
		mov	edx, [eax+18h]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_97E85E
		cmp	[ebp+var_38], 4
		jnz	short loc_97E85E
		cmp	[ebp+var_2C], 4
		jnz	short loc_97E85E
		mov	esi, [ebp+var_1C]

loc_97E85E:				; CODE XREF: PpDevCfgProcessDeviceReset(x)+1CBj
					; PpDevCfgProcessDeviceReset(x)+1D1j ...
		push	ecx
		push	4
		lea	eax, [ebp+var_1C]
		or	esi, edi
		push	eax
		push	4
		push	0Bh
		lea	edx, [ebp+var_74]
		mov	[ebp+var_1C], esi
		call	_PiDevCfgSetDeviceRegProp@28 ; PiDevCfgSetDeviceRegProp(x,x,x,x,x,x,x)

loc_97E876:				; CODE XREF: PpDevCfgProcessDeviceReset(x)+51j
					; PpDevCfgProcessDeviceReset(x)+62j ...
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	ecx, [ebp+var_74]
		call	PiDevCfgFreeDeviceContext
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpDevCfgProcessDeviceReset@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpDevCfgTraceDeviceStart(x)
_PpDevCfgTraceDeviceStart@4 proc near	; CODE XREF: PipProcessDevNodeTree+A1BCFp
		mov	edi, edi
		push	ecx
		mov	eax, [ecx+0ACh]
		cmp	eax, 302h
		jl	short loc_97E8B6
		cmp	eax, 307h
		jle	short loc_97E8DF
		cmp	eax, 308h
		jz	short loc_97E8D1

loc_97E8B6:				; CODE XREF: PpDevCfgTraceDeviceStart(x)+Ej
		test	dword ptr [ecx+10Ch], 2000h
		jz	short loc_97E8CB
		cmp	dword ptr [ecx+114h], 38h
		jz	short loc_97E8DD

loc_97E8CB:				; CODE XREF: PpDevCfgTraceDeviceStart(x)+28j
		mov	al, 1

loc_97E8CD:				; CODE XREF: PpDevCfgTraceDeviceStart(x)+54j
		test	al, al
		jz	short loc_97E8DD

loc_97E8D1:				; CODE XREF: PpDevCfgTraceDeviceStart(x)+1Cj
		and	dword ptr [ecx+1C8h], 0FFFFFFFEh
		call	_PiDevCfgLogDeviceStarted@4 ; PiDevCfgLogDeviceStarted(x)

loc_97E8DD:				; CODE XREF: PpDevCfgTraceDeviceStart(x)+31j
					; PpDevCfgTraceDeviceStart(x)+37j
		pop	ecx
		retn
; 

loc_97E8DF:				; CODE XREF: PpDevCfgTraceDeviceStart(x)+15j
		test	dword ptr [ecx+10Ch], 6000h
		setnz	al
		jmp	short loc_97E8CD
_PpDevCfgTraceDeviceStart@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiProfileUpdateDeviceTree()
_PiProfileUpdateDeviceTree@0 proc near	; CODE XREF: PpProfileCancelTransitioningDock(x,x)+5Dp
					; PpProfileCommitTransitioningDock(x,x)+D3p
		push	20207050h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_97E91B
		and	dword ptr [eax], 0
		push	0
		push	eax
		mov	dword ptr [eax+8], offset _PiProfileUpdateDeviceTreeWorker@4 ; PiProfileUpdateDeviceTreeWorker(x)
		mov	[eax+0Ch], eax
		call	ExQueueWorkItem
		xor	eax, eax
		retn
; 

loc_97E91B:				; CODE XREF: PiProfileUpdateDeviceTree()+13j
		mov	eax, 0C000009Ah
		retn
_PiProfileUpdateDeviceTree@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiProfileUpdateDeviceTreeCallback(x, x)
_PiProfileUpdateDeviceTreeCallback@8 proc near
					; DATA XREF: PiProfileUpdateDeviceTreeWorker(x)+13o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+0ACh]
		cmp	eax, 308h
		jnz	short loc_97E955
		push	0
		lea	edx, [esi+14h]
		xor	ecx, ecx
		call	PnpIsDeviceInstanceEnabled
		test	eax, eax
		jnz	short loc_97E9AF
		push	eax
		push	16h
		xor	dl, dl
		mov	ecx, esi
		call	_PnpRequestDeviceRemoval@16 ; PnpRequestDeviceRemoval(x,x,x,x)
		jmp	short loc_97E9AF
; 

loc_97E955:				; CODE XREF: PiProfileUpdateDeviceTreeCallback(x,x)+14j
		cmp	eax, 302h
		jz	short loc_97E963
		cmp	eax, 312h
		jnz	short loc_97E9AF

loc_97E963:				; CODE XREF: PiProfileUpdateDeviceTreeCallback(x,x)+39j
		test	dword ptr [esi+10Ch], 2000h
		jz	short loc_97E9AF
		cmp	dword ptr [esi+114h], 16h
		jnz	short loc_97E9AF
		mov	ecx, esi
		call	PipClearDevNodeProblem
		push	0
		lea	edx, [esi+14h]
		xor	ecx, ecx
		call	PnpIsDeviceInstanceEnabled
		mov	ecx, esi
		test	eax, eax
		jz	short loc_97E9A5
		call	_PnpRestartDeviceNode@4	; PnpRestartDeviceNode(x)
		mov	eax, [esi+8]
		push	0
		push	dword ptr [eax+10h]
		call	IoInvalidateDeviceRelations
		jmp	short loc_97E9AF
; 

loc_97E9A5:				; CODE XREF: PiProfileUpdateDeviceTreeCallback(x,x)+6Ej
		push	0
		push	16h
		pop	edx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)

loc_97E9AF:				; CODE XREF: PiProfileUpdateDeviceTreeCallback(x,x)+24j
					; PiProfileUpdateDeviceTreeCallback(x,x)+32j ...
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	8
_PiProfileUpdateDeviceTreeCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiProfileUpdateDeviceTreeWorker(x)
_PiProfileUpdateDeviceTreeWorker@4 proc	near ; DATA XREF: PiProfileUpdateDeviceTree()+1Bo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeLockTree
		mov	ecx, _IopRootDeviceNode
		mov	edx, offset _PiProfileUpdateDeviceTreeCallback@8 ; PiProfileUpdateDeviceTreeCallback(x,x)
		push	0
		call	_PipForDeviceNodeSubtree@12 ; PipForDeviceNodeSubtree(x,x,x)
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	4
_PiProfileUpdateDeviceTreeWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpProfileUpdateHardwareProfile(x)
_PnpProfileUpdateHardwareProfile@4 proc	near
					; CODE XREF: PpProfileCancelTransitioningDock(x,x)+40p
					; PpProfileCommitTransitioningDock(x,x)+B6p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	esi, esi
		push	edi
		mov	ecx, offset _PiProfileDeviceListLock
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], esi
		call	ExAcquireFastMutex
		push	7Ch
		pop	eax
		push	7Ah
		mov	word ptr [ebp+var_14+2], ax
		pop	eax
		mov	word ptr [ebp+var_14], ax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_10], (offset loc_8BAA35+1)
		push	eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_97EADC
		push	20h
		pop	eax
		mov	word ptr [ebp+var_14+2], ax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_14]
		push	1Eh
		pop	edi
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_4]
		mov	word ptr [ebp+var_14], di
		push	eax
		mov	[ebp+var_10], offset ??_C@_1CA@CEMLPECN@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAD?$AAo?$AAc?$AAk?$AAI?$AAn?$AAf?$AAo@NNGAKEGL@
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_97EAD4
		push	1Ch
		pop	eax
		push	4
		push	offset _PiProfileDeviceCount
		push	4
		mov	word ptr [ebp+var_14], ax
		lea	eax, [ebp+var_14]
		push	esi
		push	eax
		push	[ebp+var_4]
		mov	word ptr [ebp+var_14+2], di
		mov	[ebp+var_10], offset ??_C@_1BO@KGPNNPCC@?$AAE?$AAj?$AAe?$AAc?$AAt?$AAa?$AAb?$AAl?$AAe?$AAD?$AAo?$AAc?$AAk?$AAs@NNGAKEGL@
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_97EAD4:				; CODE XREF: PnpProfileUpdateHardwareProfile(x)+B7j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_97EADC:				; CODE XREF: PnpProfileUpdateHardwareProfile(x)+68j
		mov	eax, _PiProfileDeviceCount
		test	eax, eax
		jnz	short loc_97EAE6
		inc	eax

loc_97EAE6:				; CODE XREF: PnpProfileUpdateHardwareProfile(x)+F8j
		push	20207050h
		lea	eax, ds:4[eax*4]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_97EB66
		mov	eax, _PiProfileDeviceListHead
		mov	esi, edi
		mov	edx, offset _PiProfileDeviceListHead
		jmp	short loc_97EB1F
; 

loc_97EB11:				; CODE XREF: PnpProfileUpdateHardwareProfile(x)+136j
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	short loc_97EB1D
		mov	[esi], ecx
		add	esi, 4

loc_97EB1D:				; CODE XREF: PnpProfileUpdateHardwareProfile(x)+12Bj
		mov	eax, [eax]

loc_97EB1F:				; CODE XREF: PnpProfileUpdateHardwareProfile(x)+124j
		cmp	eax, edx
		jnz	short loc_97EB11
		mov	ecx, offset _PiProfileDeviceListLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	esi, edi
		jnz	short loc_97EB37
		and	dword ptr [esi], 0
		add	esi, 4

loc_97EB37:				; CODE XREF: PnpProfileUpdateHardwareProfile(x)+144j
		and	dword ptr [esi], 0
		lea	eax, [ebp+var_C]
		push	ebx
		sub	esi, edi
		mov	edx, edi
		push	eax
		sar	esi, 2
		push	esi
		call	_IopExecuteHardwareProfileChange@20 ; IopExecuteHardwareProfileChange(x,x,x,x,x)
		cmp	[ebp+var_C], 0
		mov	esi, eax
		jz	short loc_97EB5C
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_97EB5C:				; CODE XREF: PnpProfileUpdateHardwareProfile(x)+167j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_97EB75
; 

loc_97EB66:				; CODE XREF: PnpProfileUpdateHardwareProfile(x)+116j
		mov	ecx, offset _PiProfileDeviceListLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	esi, 0C000009Ah

loc_97EB75:				; CODE XREF: PnpProfileUpdateHardwareProfile(x)+179j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PnpProfileUpdateHardwareProfile@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpProfileBeginHardwareProfileTransition(x)
_PpProfileBeginHardwareProfileTransition@4 proc	near
					; CODE XREF: PipProcessStartPhase1+92D10p
					; PnpProcessQueryRemoveAndEject(x)+1BDp
		test	cl, cl
		jnz	short locret_97EB90
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _PiProfileChangeSemaphore
		call	KeWaitForSingleObject

locret_97EB90:				; CODE XREF: PpProfileBeginHardwareProfileTransition(x)+2j
		retn
_PpProfileBeginHardwareProfileTransition@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpProfileCancelHardwareProfileTransition()
_PpProfileCancelHardwareProfileTransition@0 proc near
					; CODE XREF: PipProcessStartPhase2:loc_8E0877p
					; PnpProcessQueryRemoveAndEject(x)+219p ...
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, offset _PiProfileDeviceListLock
		push	edi
		mov	ecx, esi
		call	ExAcquireFastMutex
		mov	eax, _PiProfileDeviceListHead
		xor	edi, edi
		inc	edi
		mov	edx, offset _PiProfileDeviceListHead
		jmp	short loc_97EBC2
; 

loc_97EBB1:				; CODE XREF: PpProfileCancelHardwareProfileTransition()+33j
		cmp	[eax-4], edi
		jz	short loc_97EBC0
		lock dec _PiProfileDevicesInTransition
		mov	[eax-4], edi

loc_97EBC0:				; CODE XREF: PpProfileCancelHardwareProfileTransition()+23j
		mov	eax, [eax]

loc_97EBC2:				; CODE XREF: PpProfileCancelHardwareProfileTransition()+1Ej
		cmp	eax, edx
		jnz	short loc_97EBB1
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		xor	esi, esi
		cmp	_PiProfileChangeCancelRequired,	0
		jz	short loc_97EBE7
		push	esi		; int
		push	esi		; int
		push	2
		pop	edx
		mov	ecx, offset _GUID_HWPROFILE_CHANGE_CANCELLED ; Source1
		call	_PnpRequestHwProfileChangeNotification@16 ; PnpRequestHwProfileChangeNotification(x,x,x,x)

loc_97EBE7:				; CODE XREF: PpProfileCancelHardwareProfileTransition()+45j
		push	esi
		push	edi
		push	esi
		push	offset _PiProfileChangeSemaphore
		call	KeReleaseSemaphore
		pop	edi
		pop	esi
		pop	ecx
		retn
_PpProfileCancelHardwareProfileTransition@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpProfileCancelTransitioningDock(x,	x)
_PpProfileCancelTransitioningDock@8 proc near
					; CODE XREF: PipProcessEnumeratedChildDevice+87p
					; PiProcessNewDeviceNode+6E5C1p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _PiProfileDeviceListLock
		xor	ebx, ebx
		mov	ecx, edi
		mov	[ebp+var_1], bl
		call	ExAcquireFastMutex
		mov	dword ptr [esi+174h], 1
		or	esi, 0FFFFFFFFh
		lock xadd _PiProfileDevicesInTransition, esi
		dec	esi
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	esi, esi
		jnz	short loc_97EC79
		lea	ecx, [ebp-1]
		call	_PnpProfileUpdateHardwareProfile@4 ; PnpProfileUpdateHardwareProfile(x)
		test	eax, eax
		js	short loc_97EC5C
		cmp	[ebp+var_1], bl
		jz	short loc_97EC5C
		push	ebx		; int
		push	ebx		; int
		push	2
		pop	edx
		mov	ecx, offset _GUID_HWPROFILE_CHANGE_COMPLETE ; Source1
		call	_PnpRequestHwProfileChangeNotification@16 ; PnpRequestHwProfileChangeNotification(x,x,x,x)
		call	_PiProfileUpdateDeviceTree@0 ; PiProfileUpdateDeviceTree()
		jmp	short loc_97EC6B
; 

loc_97EC5C:				; CODE XREF: PpProfileCancelTransitioningDock(x,x)+47j
					; PpProfileCancelTransitioningDock(x,x)+4Cj
		push	ebx		; int
		push	ebx		; int
		push	2
		pop	edx
		mov	ecx, offset _GUID_HWPROFILE_CHANGE_CANCELLED ; Source1
		call	_PnpRequestHwProfileChangeNotification@16 ; PnpRequestHwProfileChangeNotification(x,x,x,x)

loc_97EC6B:				; CODE XREF: PpProfileCancelTransitioningDock(x,x)+62j
		push	ebx
		push	1
		push	ebx
		push	offset _PiProfileChangeSemaphore
		call	KeReleaseSemaphore

loc_97EC79:				; CODE XREF: PpProfileCancelTransitioningDock(x,x)+3Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PpProfileCancelTransitioningDock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpProfileCommitTransitioningDock(x,	x)
_PpProfileCommitTransitioningDock@8 proc near
					; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+24Ap
					; PipProcessStartPhase2+6E34Bp

var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ebx
		mov	eax, [esi+180h]
		cmp	edi, 3
		jnz	short loc_97ECED
		test	eax, eax
		jz	short loc_97ECAE
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+180h], ebx

loc_97ECAE:				; CODE XREF: PpProfileCommitTransitioningDock(x,x)+21j
		mov	ecx, offset _PiProfileDeviceListLock
		call	ExAcquireFastMutex
		lea	eax, [esi+178h]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_97ECE8
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_97ECE8
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	ecx, offset _PiProfileDeviceListLock
		mov	[eax+4], eax
		mov	[eax], eax
		dec	_PiProfileDeviceCount
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	short loc_97ED09
; 

loc_97ECE8:				; CODE XREF: PpProfileCommitTransitioningDock(x,x)+45j
					; PpProfileCommitTransitioningDock(x,x)+4Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_97ECED:				; CODE XREF: PpProfileCommitTransitioningDock(x,x)+1Dj
		test	eax, eax
		jnz	short loc_97ED09
		mov	ecx, [esi+10h]
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		pop	edx
		call	_PnpIrpQueryID@12 ; PnpIrpQueryID(x,x,x)
		mov	eax, [ebp+var_8]
		mov	[esi+180h], eax

loc_97ED09:				; CODE XREF: PpProfileCommitTransitioningDock(x,x)+68j
					; PpProfileCommitTransitioningDock(x,x)+71j
		mov	dword ptr [esi+174h], 1
		or	eax, 0FFFFFFFFh
		lock xadd _PiProfileDevicesInTransition, eax
		dec	eax
		jnz	short loc_97ED7D
		mov	byte ptr [ebp+var_1], bl
		cmp	edi, 2
		jnz	short loc_97ED31
		cmp	[esi+180h], ebx
		jz	short loc_97ED58

loc_97ED31:				; CODE XREF: PpProfileCommitTransitioningDock(x,x)+A9j
		lea	ecx, [ebp+var_1]
		call	_PnpProfileUpdateHardwareProfile@4 ; PnpProfileUpdateHardwareProfile(x)
		test	eax, eax
		js	short loc_97ED58
		cmp	byte ptr [ebp+var_1], bl
		jz	short loc_97ED58
		push	ebx		; int
		push	ebx		; int
		push	2
		pop	edx
		mov	ecx, offset _GUID_HWPROFILE_CHANGE_COMPLETE ; Source1
		call	_PnpRequestHwProfileChangeNotification@16 ; PnpRequestHwProfileChangeNotification(x,x,x,x)
		call	_PiProfileUpdateDeviceTree@0 ; PiProfileUpdateDeviceTree()
		jmp	short loc_97ED6F
; 

loc_97ED58:				; CODE XREF: PpProfileCommitTransitioningDock(x,x)+B1j
					; PpProfileCommitTransitioningDock(x,x)+BDj ...
		cmp	_PiProfileChangeCancelRequired,	bl
		jz	short loc_97ED6F
		push	ebx		; int
		push	ebx		; int
		push	2
		pop	edx
		mov	ecx, offset _GUID_HWPROFILE_CHANGE_CANCELLED ; Source1
		call	_PnpRequestHwProfileChangeNotification@16 ; PnpRequestHwProfileChangeNotification(x,x,x,x)

loc_97ED6F:				; CODE XREF: PpProfileCommitTransitioningDock(x,x)+D8j
					; PpProfileCommitTransitioningDock(x,x)+E0j
		push	ebx
		push	1
		push	ebx
		push	offset _PiProfileChangeSemaphore
		call	KeReleaseSemaphore

loc_97ED7D:				; CODE XREF: PpProfileCommitTransitioningDock(x,x)+A1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PpProfileCommitTransitioningDock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpProfileIncludeInHardwareProfileTransition(x, x)
_PpProfileIncludeInHardwareProfileTransition@8 proc near
					; CODE XREF: PipProcessStartPhase1+92D1Ap
					; PnpProcessQueryRemoveAndEject(x)+1EDp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		cmp	ebx, 2
		jnz	short loc_97EE01
		lea	esi, [edi+178h]
		cmp	[esi], esi
		jnz	short loc_97EDDE
		mov	ecx, offset _PiProfileDeviceListLock
		call	ExAcquireFastMutex
		mov	eax, _PiProfileDeviceListHead
		mov	ecx, offset _PiProfileDeviceListHead
		cmp	[eax+4], ecx
		jz	short loc_97EDC0
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_97EDC0:				; CODE XREF: PpProfileIncludeInHardwareProfileTransition(x,x)+37j
		mov	[esi+4], ecx
		mov	ecx, offset _PiProfileDeviceListLock
		mov	[esi], eax
		mov	[eax+4], esi
		inc	_PiProfileDeviceCount
		mov	_PiProfileDeviceListHead, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_97EDDE:				; CODE XREF: PpProfileIncludeInHardwareProfileTransition(x,x)+1Ej
		mov	ecx, [edi+10h]
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		pop	edx
		call	_PnpIrpQueryID@12 ; PnpIrpQueryID(x,x,x)
		test	eax, eax
		js	short loc_97EE01
		cmp	[ebp+var_4], 0
		jz	short loc_97EE01
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97EE01:				; CODE XREF: PpProfileIncludeInHardwareProfileTransition(x,x)+14j
					; PpProfileIncludeInHardwareProfileTransition(x,x)+6Dj	...
		lock inc _PiProfileDevicesInTransition
		mov	[edi+174h], ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PpProfileIncludeInHardwareProfileTransition@8 endp


;  S U B	R O U T	I N E 


; __stdcall PpProfileMarkAllTransitioningDocksEjected()
_PpProfileMarkAllTransitioningDocksEjected@0 proc near
					; CODE XREF: PnpProcessCompletedEject(x)+86p
		mov	edi, edi
		push	esi
		mov	esi, offset _PiProfileDeviceListLock
		mov	ecx, esi
		call	ExAcquireFastMutex
		mov	eax, _PiProfileDeviceListHead
		mov	ecx, offset _PiProfileDeviceListHead
		jmp	short loc_97EE3D
; 

loc_97EE2E:				; CODE XREF: PpProfileMarkAllTransitioningDocksEjected()+2Cj
		cmp	dword ptr [eax-4], 1
		jz	short loc_97EE3B
		mov	dword ptr [eax-4], 4

loc_97EE3B:				; CODE XREF: PpProfileMarkAllTransitioningDocksEjected()+1Fj
		mov	eax, [eax]

loc_97EE3D:				; CODE XREF: PpProfileMarkAllTransitioningDocksEjected()+19j
		cmp	eax, ecx
		jnz	short loc_97EE2E
		mov	ecx, esi
		pop	esi
		jmp	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
_PpProfileMarkAllTransitioningDocksEjected@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpProfileQueryHardwareProfileChange(x, x, x, x)
_PpProfileQueryHardwareProfileChange@16	proc near ; CODE XREF: PipProcessStartPhase1+92D29p
					; PnpProcessQueryRemoveAndEject(x)+26Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	bh, cl
		mov	edi, offset _PiProfileDeviceListLock
		mov	ecx, edi
		mov	esi, edx
		call	ExAcquireFastMutex
		mov	eax, _PiProfileDeviceListHead
		xor	bl, bl
		mov	edx, offset _PiProfileDeviceListHead
		jmp	short loc_97EE7A
; 

loc_97EE70:				; CODE XREF: PpProfileQueryHardwareProfileChange(x,x,x,x)+33j
		cmp	dword ptr [eax-4], 2
		jnz	short loc_97EE78
		mov	bl, 1

loc_97EE78:				; CODE XREF: PpProfileQueryHardwareProfileChange(x,x,x,x)+2Bj
		mov	eax, [eax]

loc_97EE7A:				; CODE XREF: PpProfileQueryHardwareProfileChange(x,x,x,x)+25j
		cmp	eax, edx
		jnz	short loc_97EE70
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		test	bh, bh
		jz	short loc_97EE8D

loc_97EE89:				; CODE XREF: PpProfileQueryHardwareProfileChange(x,x,x,x)+4Fj
		xor	eax, eax
		jmp	short loc_97EEB5
; 

loc_97EE8D:				; CODE XREF: PpProfileQueryHardwareProfileChange(x,x,x,x)+3Ej
		test	bl, bl
		jz	short loc_97EE9A
		mov	_PiProfileChangeCancelRequired,	0
		jmp	short loc_97EE89
; 

loc_97EE9A:				; CODE XREF: PpProfileQueryHardwareProfileChange(x,x,x,x)+46j
		push	[ebp+arg_4]	; int
		mov	edx, esi	; int
		mov	ecx, offset _GUID_HWPROFILE_QUERY_CHANGE ; Source1
		push	[ebp+arg_0]	; int
		call	_PnpRequestHwProfileChangeNotification@16 ; PnpRequestHwProfileChangeNotification(x,x,x,x)
		test	eax, eax
		setns	_PiProfileChangeCancelRequired

loc_97EEB5:				; CODE XREF: PpProfileQueryHardwareProfileChange(x,x,x,x)+42j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_PpProfileQueryHardwareProfileChange@16	endp


;  S U B	R O U T	I N E 


; __stdcall IopMarkRootEnumeratedDeviceObjectUninstalled(x)
_IopMarkRootEnumeratedDeviceObjectUninstalled@4	proc near
					; CODE XREF: PiPnpRtlCmActionCallback+115AE2p
		mov	edi, edi
		push	ecx
		test	ecx, ecx
		jz	short loc_97EEF2
		cmp	word ptr [ecx],	2
		jb	short loc_97EEF2
		mov	eax, [ecx+4]
		cmp	word ptr [eax],	0
		jz	short loc_97EEF2
		mov	edx, 746C6644h
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		test	eax, eax
		jz	short loc_97EEF2
		mov	ecx, [eax+28h]
		test	ecx, ecx
		jz	short loc_97EEEB
		or	dword ptr [ecx], 1

loc_97EEEB:				; CODE XREF: IopMarkRootEnumeratedDeviceObjectUninstalled(x)+29j
		mov	ecx, eax
		call	ObfDereferenceObject

loc_97EEF2:				; CODE XREF: IopMarkRootEnumeratedDeviceObjectUninstalled(x)+5j
					; IopMarkRootEnumeratedDeviceObjectUninstalled(x)+Bj ...
		pop	ecx
		retn
_IopMarkRootEnumeratedDeviceObjectUninstalled@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSystemControlDispatch(x,	x)
_IopSystemControlDispatch@8 proc near	; DATA XREF: PiSwPdoDriverEntry(x,x)+2Eo
					; PipPnPDriverEntry(x,x)+2Eo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	dl, dl
		push	esi
		mov	esi, [ecx+18h]
		call	IofCompleteRequest
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_IopSystemControlDispatch@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopTranslatorHandlerIo(x, x, x, x, x)
_IopTranslatorHandlerIo@20 proc	near	; DATA XREF: IopPnPDispatch+173o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	64647050h
		xor	esi, esi
		push	20h
		inc	esi
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_97EF31
		mov	eax, 0C000009Ah
		jmp	short loc_97EF49
; 

loc_97EF31:				; CODE XREF: IopTranslatorHandlerIo(x,x,x,x,x)+1Aj
		mov	eax, [ebp+arg_C]
		push	edi
		push	8
		pop	ecx
		mov	[eax], esi
		mov	edi, edx
		mov	eax, [ebp+arg_10]
		mov	esi, [ebp+arg_4]
		rep movsd
		mov	[eax], edx
		xor	eax, eax
		pop	edi

loc_97EF49:				; CODE XREF: IopTranslatorHandlerIo(x,x,x,x,x)+21j
		pop	esi
		pop	ebp
		retn	14h
_IopTranslatorHandlerIo@20 endp

; 
		align 10h
		db 0CCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpWatchdogEtwWrite(x, x)
_PnpWatchdogEtwWrite@8 proc near	; CODE XREF: PnpCancelWatchdog+171B03j
					; PnpWatchdogWorkItem(x)+18p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_1], dl
		mov	eax, ecx
		mov	[ebp+var_C], esi
		push	edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], esi
		mov	[ebp+var_14], esi
		call	_PnpWatchdogGetElapsedTime@4 ; PnpWatchdogGetElapsedTime(x)
		mov	ebx, eax
		lea	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_14]
		push	eax
		mov	edi, esi
		call	_PnpWatchdogExtractTriageInformation@20	; PnpWatchdogExtractTriageInformation(x,x,x,x,x)
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_97EF98
		mov	edi, [eax+18h]

loc_97EF98:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+42j
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_97EFAF
		mov	ecx, [ecx+18h]
		cmp	[ecx+0Ch], dx
		jbe	short loc_97EFAF
		mov	esi, [ecx+10h]
		jmp	short loc_97EFBC
; 

loc_97EFAF:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+4Ej
					; PnpWatchdogEtwWrite(x,x)+57j
		test	eax, eax
		jz	short loc_97EFBC
		cmp	[eax+1Ch], dx
		jbe	short loc_97EFBC
		mov	esi, [eax+20h]

loc_97EFBC:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+5Cj
					; PnpWatchdogEtwWrite(x,x)+60j	...
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_97EFCB
		mov	eax, [eax+2B0h]
		jmp	short loc_97EFD0
; 

loc_97EFCB:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+70j
		call	_PsGetCurrentThreadId@0	; PsGetCurrentThreadId()

loc_97EFD0:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+78j
		cmp	[ebp+var_1], 0
		mov	ecx, [ebp+var_8]
		cdq
		mov	ecx, [ecx+0Ch]
		jz	loc_97F080
		sub	ecx, 1
		jz	short loc_97F058
		sub	ecx, 1
		jz	short loc_97F041
		sub	ecx, 1
		jz	short loc_97F02A
		sub	ecx, 1
		jz	short loc_97F013
		sub	ecx, 1
		jnz	loc_97F099
		test	byte_6CD8BB, 20h
		jz	short loc_97F074
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	edx
		mov	edx, offset _KMPnPEvt_Watchdog_DriverEntry_Start
		jmp	short loc_97F06D
; 

loc_97F013:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+A2j
		test	byte_6CD8BB, 20h
		jz	short loc_97F074
		xor	ecx, ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	edx
		mov	edx, offset _KMPnPEvt_Watchdog_AddDevice_Start
		jmp	short loc_97F06D
; 

loc_97F02A:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+9Dj
		test	byte_6CD8BB, 20h
		jz	short loc_97F074
		xor	ecx, ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	edx
		mov	edx, offset _KMPnPEvt_Watchdog_DelayedRemoveWorker_Start
		jmp	short loc_97F06D
; 

loc_97F041:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+98j
		test	byte_6CD8BB, 20h
		jz	short loc_97F074
		xor	ecx, ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	edx
		mov	edx, (offset loc_42768F+1)
		jmp	short loc_97F06D
; 

loc_97F058:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+93j
		test	byte_6CD8BB, 20h
		jz	short loc_97F074
		xor	ecx, ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	edx
		mov	edx, offset _KMPnPEvt_Watchdog_EventWorker_Start

loc_97F06D:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+C0j
					; PnpWatchdogEtwWrite(x,x)+D7j	...
		push	eax
		push	ecx
		call	_McTemplateK0izzx_EtwWriteTransfer@36 ;	McTemplateK0izzx_EtwWriteTransfer(x,x,x,x,x,x,x,x,x)

loc_97F074:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+B4j
					; PnpWatchdogEtwWrite(x,x)+C9j	...
		mov	eax, [ebp+var_8]
		mov	byte ptr [eax+14h], 1
		jmp	loc_97F116
; 

loc_97F080:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+8Aj
		sub	ecx, 1
		jz	short loc_97F0FA
		sub	ecx, 1
		jz	short loc_97F0E3
		sub	ecx, 1
		jz	short loc_97F0CC
		sub	ecx, 1
		jz	short loc_97F0B5
		sub	ecx, 1
		jz	short loc_97F09E

loc_97F099:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+A7j
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_97F09E:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+146j
		test	byte_6CD8BB, 40h
		jz	short loc_97F116
		xor	ecx, ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	edx
		mov	edx, offset _KMPnPEvt_Watchdog_DriverEntry_Stop
		jmp	short loc_97F10F
; 

loc_97F0B5:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+141j
		test	byte_6CD8BB, 40h
		jz	short loc_97F116
		xor	ecx, ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	edx
		mov	edx, offset _KMPnPEvt_Watchdog_AddDevice_Stop
		jmp	short loc_97F10F
; 

loc_97F0CC:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+13Cj
		test	byte_6CD8BB, 40h
		jz	short loc_97F116
		xor	ecx, ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	edx
		mov	edx, offset _KMPnPEvt_Watchdog_DelayedRemoveWorker_Stop
		jmp	short loc_97F10F
; 

loc_97F0E3:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+137j
		test	byte_6CD8BB, 40h
		jz	short loc_97F116
		xor	ecx, ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	edx
		mov	edx, offset _KMPnPEvt_Watchdog_CompletionQueue_Stop
		jmp	short loc_97F10F
; 

loc_97F0FA:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+132j
		test	byte_6CD8BB, 40h
		jz	short loc_97F116
		xor	ecx, ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	edx
		mov	edx, offset _KMPnPEvt_Watchdog_EventWorker_Stop

loc_97F10F:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+162j
					; PnpWatchdogEtwWrite(x,x)+179j ...
		push	eax
		push	ecx
		call	_McTemplateK0izzx_EtwWriteTransfer@36 ;	McTemplateK0izzx_EtwWriteTransfer(x,x,x,x,x,x,x,x,x)

loc_97F116:				; CODE XREF: PnpWatchdogEtwWrite(x,x)+12Aj
					; PnpWatchdogEtwWrite(x,x)+154j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnpWatchdogEtwWrite@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpWatchdogWorkItem(x)
_PnpWatchdogWorkItem@4 proc near	; DATA XREF: PnpAllocateWatchdog+31o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, [esi+0Ch]
		mov	ecx, [esi+10h]
		call	_PnpRecordBlackbox@8 ; PnpRecordBlackbox(x,x)
		mov	dl, 1
		mov	ecx, esi
		call	_PnpWatchdogEtwWrite@8 ; PnpWatchdogEtwWrite(x,x)
		pop	esi
		pop	ebp
		retn	4
_PnpWatchdogWorkItem@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpAddVetoInformation(x, x,	x)
_PnpAddVetoInformation@12 proc near	; CODE XREF: PnpCollectOpenHandlesCallBack(x,x,x,x,x)+42p

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		xor	ebx, ebx
		mov	[ebp+var_1], 1
		mov	esi, ebx
		mov	eax, [edi]
		lea	edx, [eax-0Ch]
		cmp	edi, eax
		jz	short loc_97F1A3
		mov	ecx, [ebp+arg_0]

loc_97F160:				; CODE XREF: PnpAddVetoInformation(x,x,x)+53j
		cmp	[edx+8], ecx
		jnz	short loc_97F199
		mov	eax, [edx]
		mov	esi, edx
		mov	[ebp+var_1], bl
		jmp	short loc_97F17E
; 

loc_97F16E:				; CODE XREF: PnpAddVetoInformation(x,x,x)+46j
		mov	eax, [ecx]
		cmp	eax, [ebp+var_8]
		jz	loc_97F1FB
		ja	short loc_97F194
		mov	eax, [ecx+4]

loc_97F17E:				; CODE XREF: PnpAddVetoInformation(x,x,x)+2Fj
		lea	ecx, [eax-4]
		cmp	edx, eax
		jnz	short loc_97F16E

loc_97F185:				; CODE XREF: PnpAddVetoInformation(x,x,x)+5Aj
		mov	ecx, [ebp+arg_0]

loc_97F188:				; CODE XREF: PnpAddVetoInformation(x,x,x):loc_97F199j
		mov	eax, [edx+0Ch]
		lea	edx, [eax-0Ch]
		cmp	edi, eax
		jnz	short loc_97F160
		jmp	short loc_97F19E
; 

loc_97F194:				; CODE XREF: PnpAddVetoInformation(x,x,x)+3Cj
		lea	esi, [ecx+4]
		jmp	short loc_97F185
; 

loc_97F199:				; CODE XREF: PnpAddVetoInformation(x,x,x)+26j
		jbe	short loc_97F188
		lea	edi, [edx+0Ch]

loc_97F19E:				; CODE XREF: PnpAddVetoInformation(x,x,x)+55j
		cmp	[ebp+var_1], bl
		jz	short loc_97F1D8

loc_97F1A3:				; CODE XREF: PnpAddVetoInformation(x,x,x)+1Ej
		push	4F706E50h
		push	14h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_97F1FB
		mov	eax, [ebp+arg_0]
		mov	[ebx+8], eax
		lea	eax, [ebx+0Ch]
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_97F224
		mov	[eax], edi
		mov	esi, ebx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[edi+4], eax
		mov	[ebx+4], ebx
		mov	[ebx], ebx

loc_97F1D8:				; CODE XREF: PnpAddVetoInformation(x,x,x)+64j
		push	50706E50h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_97F202
		test	ebx, ebx
		jz	short loc_97F1FB
		push	4F706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97F1FB:				; CODE XREF: PnpAddVetoInformation(x,x,x)+36j
					; PnpAddVetoInformation(x,x,x)+78j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_97F202:				; CODE XREF: PnpAddVetoInformation(x,x,x)+ADj
		mov	ebx, [ebp+var_8]
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	[edi], ebx
		lea	eax, [edi+4]
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_97F224
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esi+4], eax
		jmp	short loc_97F1FB
; 

loc_97F224:				; CODE XREF: PnpAddVetoInformation(x,x,x)+88j
					; PnpAddVetoInformation(x,x,x)+D9j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PnpAddVetoInformation@12 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpAllocateCriticalMemory(x, x, x, x)
_PnpAllocateCriticalMemory@16 proc near	; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+10Ep
					; PnpCompileDeviceInstancePaths(x,x,x,x,x)+99p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jmp	short loc_97F259
; 

loc_97F238:				; CODE XREF: PnpAllocateCriticalMemory(x,x,x,x)+3Ej
		test	esi, esi
		jz	short loc_97F269
		cmp	esi, 4
		jz	short loc_97F269
		or	[ebp+var_4], 0FFFFFFFFh
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		push	0
		mov	[ebp+var_8], 0FFFFD8F0h
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)

loc_97F259:				; CODE XREF: PnpAllocateCriticalMemory(x,x,x,x)+Dj
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_97F238

loc_97F269:				; CODE XREF: PnpAllocateCriticalMemory(x,x,x,x)+11j
					; PnpAllocateCriticalMemory(x,x,x,x)+16j
		pop	edi
		pop	esi
		leave
		retn	8
_PnpAllocateCriticalMemory@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpBuildUnsafeRemovalDeviceList(x, x, x)
_PnpBuildUnsafeRemovalDeviceList@12 proc near
					; CODE XREF: PnpProcessQueryRemoveAndEject(x)+1A3p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, edx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		mov	[eax], edi
		test	ebx, ebx
		jz	loc_97F375
		mov	esi, edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi

loc_97F299:				; CODE XREF: PnpBuildUnsafeRemovalDeviceList(x,x,x)+46j
					; PnpBuildUnsafeRemovalDeviceList(x,x,x)+5Bj ...
		push	edi
		lea	eax, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_10]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	short loc_97F2DC
		mov	edx, [ebp+var_4]
		test	edx, edx
		jz	short loc_97F299
		mov	eax, [ebp+var_8]
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]
		call	_PnpIsBeingRemovedSafely@8 ; PnpIsBeingRemovedSafely(x,x)
		test	al, al
		jnz	short loc_97F299
		cmp	[ecx+18h], edi
		jz	short loc_97F299
		movzx	eax, word ptr [ecx+14h]
		add	eax, 2
		add	esi, eax
		jmp	short loc_97F299
; 

loc_97F2DC:				; CODE XREF: PnpBuildUnsafeRemovalDeviceList(x,x,x)+3Fj
		test	esi, esi
		jz	loc_97F375
		push	4B706E50h
		add	esi, 2
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		test	edi, edi
		jz	short loc_97F375
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_10], 2
		and	[ebp+var_C], 0

loc_97F316:				; CODE XREF: PnpBuildUnsafeRemovalDeviceList(x,x,x)+C4j
					; PnpBuildUnsafeRemovalDeviceList(x,x,x)+DBj ...
		push	0
		lea	eax, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_10]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	short loc_97F370
		mov	edx, [ebp+var_4]
		test	edx, edx
		jz	short loc_97F316
		mov	eax, [ebp+var_8]
		mov	eax, [eax+0B0h]
		mov	esi, [eax+14h]
		mov	ecx, esi
		call	_PnpIsBeingRemovedSafely@8 ; PnpIsBeingRemovedSafely(x,x)
		test	al, al
		jnz	short loc_97F316
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_97F316
		movzx	eax, word ptr [esi+14h]
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		movzx	eax, word ptr [esi+14h]
		add	esp, 0Ch
		shr	eax, 1
		lea	edi, [edi+eax*2]
		add	edi, 2
		jmp	short loc_97F316
; 

loc_97F370:				; CODE XREF: PnpBuildUnsafeRemovalDeviceList(x,x,x)+BDj
		xor	eax, eax
		mov	[edi], ax

loc_97F375:				; CODE XREF: PnpBuildUnsafeRemovalDeviceList(x,x,x)+1Cj
					; PnpBuildUnsafeRemovalDeviceList(x,x,x)+6Fj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PnpBuildUnsafeRemovalDeviceList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PnpCollectOpenHandles(int,int,int)
_PnpCollectOpenHandles@12 proc near	; CODE XREF: PipRecordOpenHandleVeto(x,x,x,x,x)+1Ap
					; PipSendQueryRemoveIrpAndCheckOpenHandles(x,x,x,x,x,x)+D7p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi		; char
		mov	[ebp+var_4], ecx
		cmp	byte ptr [esi+14h], 0
		jz	short loc_97F3A5
		push	offset ??_C@_0BI@PNOHNGJF@Beginning?5handle?5dump?3?6@NNGAKEGL@	; char *
		push	14h		; int
		call	_IopDebugPrint
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_4]

loc_97F3A5:				; CODE XREF: PnpCollectOpenHandles(x,x,x)+16j
		xor	edi, edi
		lea	eax, [esi+8]
		mov	[esi+10h], edi
		mov	[eax+4], eax
		mov	[eax], eax
		mov	al, [esi+14h]
		test	al, al
		jnz	short loc_97F3BE
		cmp	[esi+15h], al
		jz	short loc_97F3F1

loc_97F3BE:				; CODE XREF: PnpCollectOpenHandles(x,x,x)+3Bj
		test	ebx, ebx
		jz	short loc_97F3DB

loc_97F3C2:				; CODE XREF: PnpCollectOpenHandles(x,x,x)+5Aj
		mov	eax, [ecx+edi*4]
		mov	[esi], eax
		mov	ecx, [ecx+edi*4]
		push	esi
		call	_PnpHandleEnumerateHandlesAgainstPdoStack@12 ; PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)
		mov	ecx, [ebp+var_4]
		inc	edi
		cmp	edi, ebx
		jb	short loc_97F3C2
		mov	al, [esi+14h]

loc_97F3DB:				; CODE XREF: PnpCollectOpenHandles(x,x,x)+44j
		test	al, al
		jz	short loc_97F3F1
		push	dword ptr [esi+10h] ; char
		push	offset ??_C@_0CJ@KOBJPJNL@Dump?5complete?5?9?5?$CFd?5total?5handle@NNGAKEGL@ ; char *
		push	14h		; int
		call	_IopDebugPrint
		add	esp, 0Ch

loc_97F3F1:				; CODE XREF: PnpCollectOpenHandles(x,x,x)+40j
					; PnpCollectOpenHandles(x,x,x)+61j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PnpCollectOpenHandles@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpCollectOpenHandlesCallBack(x, x,	x, x, x)
_PnpCollectOpenHandlesCallBack@20 proc near
					; DATA XREF: PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)+15o
					; PnpHandleEnumerateHandlesAgainstPdoStack(x,x,x)+65o

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	byte ptr [esi+14h], 0
		jz	short loc_97F429
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	dword ptr [edi+0E4h]
		push	dword ptr [ebp+arg_0] ;	char
		push	offset ??_C@_0DK@KHKIOIMC@?5?5DeviceObject?3?$CFp?5ProcessID?3?$CFdT@NNGAKEGL@ ; char *
		push	14h		; int
		call	_IopDebugPrint
		add	esp, 18h

loc_97F429:				; CODE XREF: PnpCollectOpenHandlesCallBack(x,x,x,x,x)+11j
		cmp	byte ptr [esi+15h], 0
		jz	short loc_97F43F
		push	dword ptr [edi+0E4h]
		mov	ecx, [esi]
		lea	edx, [esi+8]
		call	_PnpAddVetoInformation@12 ; PnpAddVetoInformation(x,x,x)

loc_97F43F:				; CODE XREF: PnpCollectOpenHandlesCallBack(x,x,x,x,x)+35j
		inc	dword ptr [esi+10h]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebp
		retn	14h
_PnpCollectOpenHandlesCallBack@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpCompileDeviceInstancePaths(x, x,	x, x, x)
_PnpCompileDeviceInstancePaths@20 proc near
					; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+36p
					; PnpCancelRemoveOnHungDevices(x,x,x,x,x)+170p	...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		push	edi
		test	edx, edx
		jnz	short loc_97F46C
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_97F46C:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+1Bj
		mov	ebx, [ebp+arg_8]
		mov	edi, esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebx], esi
		mov	ebx, edx

loc_97F47B:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+5Ej
					; PnpCompileDeviceInstancePaths(x,x,x,x,x)+6Dj	...
		push	esi
		lea	eax, [ebp+var_8]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	edx, [ebp+var_18]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	short loc_97F4D4
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_97F4A4
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_97F4A6
; 

loc_97F4A4:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+4Dj
		mov	eax, esi

loc_97F4A6:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+58j
		test	eax, eax
		jz	short loc_97F47B
		cmp	[ebp+arg_4], 0
		jz	short loc_97F4B9
		test	byte ptr [eax+1C8h], 2
		jnz	short loc_97F47B

loc_97F4B9:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+64j
		cmp	[eax+18h], esi
		jz	short loc_97F47B
		cmp	[ebp+arg_0], 0
		jz	short loc_97F4C9
		cmp	[ebp+var_8], esi
		jz	short loc_97F47B

loc_97F4C9:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+78j
		movzx	eax, word ptr [eax+14h]
		add	edi, 2
		add	edi, eax
		jmp	short loc_97F47B
; 

loc_97F4D4:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+46j
		mov	ecx, [ebp+var_10]
		lea	eax, [edi+2]
		push	4B706E50h
		xor	edx, edx
		push	eax
		inc	edx
		call	_PnpAllocateCriticalMemory@16 ;	PnpAllocateCriticalMemory(x,x,x,x)
		mov	ebx, [ebp+arg_8]
		mov	edi, eax
		mov	[ebx], edi
		test	edi, edi
		jnz	short loc_97F4FD
		mov	esi, 0C000009Ah
		jmp	loc_97F594
; 

loc_97F4FD:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+A7j
		mov	[ebp+var_18], 2
		mov	[ebp+var_14], esi

loc_97F507:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+EBj
					; PnpCompileDeviceInstancePaths(x,x,x,x,x)+FAj	...
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	esi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	edx, [ebp+var_18]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	short loc_97F58F
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_97F531
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_97F533
; 

loc_97F531:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+DAj
		mov	eax, esi

loc_97F533:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+E5j
		test	eax, eax
		jz	short loc_97F507
		cmp	[ebp+arg_4], 0
		jz	short loc_97F546
		test	byte ptr [eax+1C8h], 2
		jnz	short loc_97F507

loc_97F546:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+F1j
		cmp	[eax+18h], esi
		jz	short loc_97F507
		cmp	[ebp+arg_0], 0
		jz	short loc_97F556
		cmp	[ebp+var_8], esi
		jz	short loc_97F507

loc_97F556:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+105j
		mov	eax, [ecx+0B0h]
		mov	ebx, [eax+14h]
		test	ebx, ebx
		jz	short loc_97F507
		mov	ecx, [ebx+18h]
		test	ecx, ecx
		jz	short loc_97F507
		movzx	eax, word ptr [ebx+14h]
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		movzx	eax, word ptr [ebx+14h]
		add	esp, 0Ch
		shr	eax, 1
		lea	edi, [edi+eax*2]
		xor	eax, eax
		mov	[edi], ax
		add	edi, 2
		jmp	loc_97F507
; 

loc_97F58F:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+D3j
		xor	eax, eax
		mov	[edi], ax

loc_97F594:				; CODE XREF: PnpCompileDeviceInstancePaths(x,x,x,x,x)+AEj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PnpCompileDeviceInstancePaths@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpFinalizeVetoedRemove(x, x, x)
_PnpFinalizeVetoedRemove@12 proc near	; CODE XREF: PnpProcessQueryRemoveAndEject(x)+CDp
					; PnpProcessQueryRemoveAndEject(x)+112p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	eax, [edi+1Ch]
		test	eax, eax
		jz	short loc_97F5B2
		mov	[eax], ebx

loc_97F5B2:				; CODE XREF: PnpFinalizeVetoedRemove(x,x,x)+11j
		mov	eax, [edi+20h]
		mov	esi, [ebp+arg_0]
		test	eax, eax
		jz	short loc_97F5C7
		test	esi, esi
		jz	short loc_97F5C7
		push	esi
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)

loc_97F5C7:				; CODE XREF: PnpFinalizeVetoedRemove(x,x,x)+1Dj
					; PnpFinalizeVetoedRemove(x,x,x)+21j
		test	byte ptr [edi+60h], 8
		jz	short loc_97F5FF
		cmp	ebx, 6
		jnz	short loc_97F5FF
		mov	eax, [esi+4]
		xor	ecx, ecx
		movzx	edx, word ptr [esi]
		add	edx, eax
		cmp	eax, edx
		jnb	short loc_97F5FF

loc_97F5E0:				; CODE XREF: PnpFinalizeVetoedRemove(x,x,x)+54j
		cmp	word ptr [eax],	5Ch
		jnz	short loc_97F5EC
		inc	ecx
		cmp	ecx, 3
		jz	short loc_97F5F8

loc_97F5EC:				; CODE XREF: PnpFinalizeVetoedRemove(x,x,x)+47j
		add	eax, 2
		cmp	eax, edx
		jb	short loc_97F5E0
		cmp	ecx, 3
		jnz	short loc_97F5FF

loc_97F5F8:				; CODE XREF: PnpFinalizeVetoedRemove(x,x,x)+4Dj
		sub	ax, [esi+4]
		mov	[esi], ax

loc_97F5FF:				; CODE XREF: PnpFinalizeVetoedRemove(x,x,x)+2Ej
					; PnpFinalizeVetoedRemove(x,x,x)+33j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PnpFinalizeVetoedRemove@12 endp


;  S U B	R O U T	I N E 


; __stdcall PnpFreeVetoInformation(x)
_PnpFreeVetoInformation@4 proc near	; CODE XREF: PipSendQueryRemoveIrpAndCheckOpenHandles(x,x,x,x,x,x)+F0p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx

loc_97F60D:				; CODE XREF: PnpFreeVetoInformation(x)+5Aj
		mov	eax, [ebx]
		cmp	eax, ebx
		jz	short loc_97F667
		cmp	[eax+4], ebx
		jnz	short loc_97F662
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_97F662
		mov	[ebx], ecx
		lea	edi, [eax-0Ch]
		mov	[ecx+4], ebx

loc_97F627:				; CODE XREF: PnpFreeVetoInformation(x)+4Dj
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_97F655
		cmp	[esi+4], edi
		jnz	short loc_97F662
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_97F662
		add	esi, 0FFFFFFFCh
		mov	[edi], eax
		mov	[eax+4], edi
		mov	ecx, [esi]
		call	ObfDereferenceObject
		push	50706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_97F627
; 

loc_97F655:				; CODE XREF: PnpFreeVetoInformation(x)+25j
		push	4F706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_97F60D
; 

loc_97F662:				; CODE XREF: PnpFreeVetoInformation(x)+10j
					; PnpFreeVetoInformation(x)+17j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_97F667:				; CODE XREF: PnpFreeVetoInformation(x)+Bj
		pop	edi
		pop	esi
		pop	ebx
		retn
_PnpFreeVetoInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpInitializeTargetDeviceRemoveEvent(x, x, x, x, x,	x, x, x, x, x, x, x, x)
_PnpInitializeTargetDeviceRemoveEvent@52 proc near ; CODE XREF:	PnpShutdownDevices()+12Ep
					; PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B8p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		mov	ecx, esi
		mov	edx, 56706E50h
		call	ObfReferenceObjectWithTag
		test	esi, esi
		jz	short loc_97F697
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_97F699
; 

loc_97F697:				; CODE XREF: PnpInitializeTargetDeviceRemoveEvent(x,x,x,x,x,x,x,x,x,x,x,x,x)+1Fj
		xor	eax, eax

loc_97F699:				; CODE XREF: PnpInitializeTargetDeviceRemoveEvent(x,x,x,x,x,x,x,x,x,x,x,x,x)+2Aj
		push	edi
		push	[ebp+var_4]	; size_t
		movzx	edi, word ptr [eax+14h]
		push	0		; int
		shr	edi, 1
		push	ebx		; void *
		mov	[ebp+arg_0], eax
		mov	[ebp+var_8], edi
		call	_memset
		mov	eax, [ebp+arg_1C]
		lea	ecx, [edi+edi]
		mov	[ebx+10h], eax
		lea	edi, [ebx+48h]
		mov	eax, [ebp+arg_14]
		xor	edx, edx
		mov	[ebx+8], eax
		inc	edx
		mov	eax, [ebp+arg_18]
		add	esp, 0Ch
		cmp	[ebp+arg_C], 0
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+arg_24]
		mov	[ebx+1Ch], eax
		mov	eax, [ebp+arg_28]
		mov	[ebx+20h], eax
		lea	eax, [ecx+46h]
		mov	[ebx+64h], eax
		mov	eax, [ebp+arg_20]
		mov	[ebx+68h], esi
		mov	esi, offset _GUID_DEVICE_EJECT
		mov	[ebx+24h], edx
		mov	[ebx+58h], edx
		mov	[ebx+5Ch], eax
		jnz	short loc_97F700
		mov	esi, offset _GUID_DEVICE_QUERY_AND_REMOVE

loc_97F700:				; CODE XREF: PnpInitializeTargetDeviceRemoveEvent(x,x,x,x,x,x,x,x,x,x,x,x,x)+8Ej
		cmp	[ebp+arg_8], 0
		movsd
		movsd
		movsd
		movsd
		pop	edi
		jz	short loc_97F70F
		or	dword ptr [ebx+60h], 2

loc_97F70F:				; CODE XREF: PnpInitializeTargetDeviceRemoveEvent(x,x,x,x,x,x,x,x,x,x,x,x,x)+9Ej
		cmp	[ebp+arg_4], 0
		jz	short loc_97F719
		or	dword ptr [ebx+60h], 4

loc_97F719:				; CODE XREF: PnpInitializeTargetDeviceRemoveEvent(x,x,x,x,x,x,x,x,x,x,x,x,x)+A8j
		cmp	[ebp+arg_10], 0
		jz	short loc_97F723
		or	dword ptr [ebx+60h], 8

loc_97F723:				; CODE XREF: PnpInitializeTargetDeviceRemoveEvent(x,x,x,x,x,x,x,x,x,x,x,x,x)+B2j
		mov	esi, [ebp+var_8]
		test	esi, esi
		jz	short loc_97F73D
		mov	eax, [ebp+arg_0]
		push	ecx		; size_t
		push	dword ptr [eax+18h] ; void *
		lea	eax, [ebx+6Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_97F73D:				; CODE XREF: PnpInitializeTargetDeviceRemoveEvent(x,x,x,x,x,x,x,x,x,x,x,x,x)+BDj
		xor	eax, eax
		mov	[ebx+esi*2+6Ch], ax
		pop	esi
		pop	ebx
		leave
		retn	2Ch
_PnpInitializeTargetDeviceRemoveEvent@52 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpLogVetoInformation(x, x)
_PnpLogVetoInformation@8 proc near	; CODE XREF: PipSendQueryRemoveIrpAndCheckOpenHandles(x,x,x,x,x,x)+E8p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [edx]
		push	ebx
		mov	[ebp+var_10], ecx
		xor	ecx, ecx
		push	esi
		push	edi
		mov	[ebp+var_18], edx
		cmp	edx, eax
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ecx
		jmp	loc_97F861
; 

loc_97F772:				; CODE XREF: PnpLogVetoInformation(x,x)+11Aj
		lea	eax, [ebp+var_C]
		mov	[ebp+var_1], cl
		push	eax
		push	dword ptr [edi+8]
		call	PsLookupProcessByProcessId
		test	eax, eax
		js	loc_97F858
		mov	ebx, [ebp+var_C]
		lea	edx, [ebp+var_8]
		mov	ecx, ebx
		call	_PsGetAllocatedFullProcessImageName@8 ;	PsGetAllocatedFullProcessImageName(x,x)
		test	eax, eax
		jns	short loc_97F7A1
		xor	esi, esi
		mov	[ebp+var_8], esi
		jmp	short loc_97F7E0
; 

loc_97F7A1:				; CODE XREF: PnpLogVetoInformation(x,x)+4Ej
		mov	esi, [ebp+var_8]
		xor	eax, eax
		cmp	[esi], ax
		jnz	short loc_97F7E0
		push	eax
		push	esi
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_1], 1
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	esi, [ebp+var_28]
		push	ebx
		mov	[ebp+var_8], esi
		call	_PsGetProcessImageFileName@4 ; PsGetProcessImageFileName(x)
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_20]
		push	eax
		mov	eax, esi
		push	eax
		call	RtlAnsiStringToUnicodeString

loc_97F7E0:				; CODE XREF: PnpLogVetoInformation(x,x)+55j
					; PnpLogVetoInformation(x,x)+5Fj
		push	[ebp+var_10]
		mov	edx, [ebx+0E4h]
		push	esi
		call	_PnpDiagnosticTraceAppVeto@16 ;	PnpDiagnosticTraceAppVeto(x,x,x,x)
		mov	eax, [edi]
		lea	ecx, [eax-4]
		mov	[ebp+var_14], ecx
		cmp	edi, eax
		jz	short loc_97F831
		mov	ebx, [ebp+var_10]

loc_97F7FE:				; CODE XREF: PnpLogVetoInformation(x,x)+E2j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_97F80F
		mov	eax, [eax+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_97F813
; 

loc_97F80F:				; CODE XREF: PnpLogVetoInformation(x,x)+B8j
		xor	eax, eax
		mov	edx, eax

loc_97F813:				; CODE XREF: PnpLogVetoInformation(x,x)+C3j
		push	esi
		add	edx, 14h
		mov	ecx, ebx
		call	_PnpTraceDeviceRemoveProcessVeto@12 ; PnpTraceDeviceRemoveProcessVeto(x,x,x)
		mov	ecx, [ebp+var_14]
		mov	eax, [ecx+4]
		lea	ecx, [eax-4]
		mov	[ebp+var_14], ecx
		cmp	edi, eax
		jnz	short loc_97F7FE
		mov	ebx, [ebp+var_C]

loc_97F831:				; CODE XREF: PnpLogVetoInformation(x,x)+AFj
		cmp	[ebp+var_1], 0
		jz	short loc_97F83F
		push	esi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	short loc_97F84C
; 

loc_97F83F:				; CODE XREF: PnpLogVetoInformation(x,x)+EBj
		test	esi, esi
		jz	short loc_97F84C
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97F84C:				; CODE XREF: PnpLogVetoInformation(x,x)+F3j
					; PnpLogVetoInformation(x,x)+F7j
		mov	edx, 746C6644h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_97F858:				; CODE XREF: PnpLogVetoInformation(x,x)+39j
		mov	eax, [edi+0Ch]
		cmp	[ebp+var_18], eax
		push	0
		pop	ecx

loc_97F861:				; CODE XREF: PnpLogVetoInformation(x,x)+23j
		lea	edi, [eax-0Ch]
		jnz	loc_97F772
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnpLogVetoInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpNotifyUserModeDeviceRemoval(x, x, x, x, x, x)
_PnpNotifyUserModeDeviceRemoval@24 proc	near
					; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+18Dp
					; PnpProcessQueryRemoveAndEject(x)+342p ...

var_1C8		= dword	ptr -1C8h
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	[ebp+var_1A8], edx
		xor	edx, edx
		mov	[ebp+var_19C], ecx
		mov	[ebp+var_1AC], eax
		mov	[ebp+var_1B0], edx
		push	esi
		push	edi
		test	eax, eax
		jz	short loc_97F8AA
		mov	[eax], edx

loc_97F8AA:				; CODE XREF: PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)+37j
		lea	eax, [ecx+48h]
		mov	edx, 0C8h
		mov	esi, eax
		mov	[ebp+var_1A0], eax
		mov	eax, [ecx+1Ch]
		lea	edi, [ebp+var_1C8]
		mov	[ebp+var_1B4], eax
		mov	eax, [ecx+20h]
		movsd
		mov	[ebp+var_1B8], eax
		lea	eax, [ecx+6Ch]
		push	eax
		lea	ecx, [ebp+var_198]
		mov	[ebp+var_1A4], eax
		movsd
		movsd
		movsd
		call	RtlStringCchCopyW
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_97FA00
		mov	esi, [ebp+arg_0]
		mov	edi, [ebp+var_1A0]
		mov	ecx, [ebp+var_19C]
		mov	eax, [ebp+arg_4]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_1A8]
		mov	[ecx+1Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+20h], eax
		xor	eax, eax
		cmp	[edi], ax
		jz	short loc_97F99F
		mov	esi, [ebp+var_1AC]

loc_97F927:				; CODE XREF: PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)+11Fj
		mov	ecx, edi
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_97F92E:				; CODE XREF: PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)+C8j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_97F92E
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		push	eax		; size_t
		push	edi		; void *
		push	[ebp+var_1A4]	; void *
		call	_memcpy
		mov	ecx, [ebp+var_19C]
		add	esp, 0Ch
		call	PiUEventNotifyUserMode
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_97F992
		test	esi, esi
		jz	short loc_97F96B
		inc	dword ptr [esi]

loc_97F96B:				; CODE XREF: PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)+F8j
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_97F970:				; CODE XREF: PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)+10Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_1B0]
		jnz	short loc_97F970
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], ax
		jnz	short loc_97F927
		jmp	short loc_97F99F
; 

loc_97F992:				; CODE XREF: PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)+F4j
		cmp	ebx, 0C0000120h
		jnz	short loc_97F99F
		mov	ebx, 80000028h

loc_97F99F:				; CODE XREF: PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)+B0j
					; PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)+121j ...
		mov	edi, [ebp+var_1A0]
		lea	esi, [ebp+var_1C8]
		mov	eax, [ebp+var_19C]
		mov	ecx, [ebp+var_1B4]
		movsd
		mov	[eax+1Ch], ecx
		mov	ecx, [ebp+var_1B8]
		mov	[eax+20h], ecx
		lea	ecx, [ebp+var_198]
		movsd
		lea	edx, [ecx+2]
		movsd
		movsd
		xor	esi, esi

loc_97F9D2:				; CODE XREF: PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)+16Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_97F9D2
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		push	eax		; size_t
		lea	eax, [ebp+var_198]
		push	eax		; void *
		push	[ebp+var_1A4]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, ebx

loc_97FA00:				; CODE XREF: PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)+80j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PnpNotifyUserModeDeviceRemoval@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpProcessQueryRemoveAndEject(x)
_PnpProcessQueryRemoveAndEject@4 proc near ; CODE XREF:	PnpProcessTargetDeviceEvent+6DBD6p
					; PnpShutdownDevices()+13Fp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		xor	edx, edx
		mov	[ebp+var_38], ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx]
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_2C], edx
		mov	eax, [edi+68h]
		mov	[ebp+var_2], dl
		mov	[ebp+var_18], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_28], edx
		mov	byte ptr [ebp+var_1C], dl
		mov	[ebp+var_34], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_1], dl
		mov	[ebp+var_10], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_20], eax
		push	7
		pop	ebx
		test	eax, eax
		jz	short loc_97FA68
		mov	eax, [eax+0B0h]
		mov	esi, [eax+14h]
		mov	[ebp+var_C], esi
		jmp	short loc_97FA6D
; 

loc_97FA68:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+47j
		mov	esi, edx
		mov	[ebp+var_C], edx

loc_97FA6D:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+55j
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeLockTree
		mov	eax, [esi+0ACh]
		cmp	eax, 313h
		jz	loc_980055
		cmp	eax, 314h
		jz	loc_980055
		mov	ecx, edi
		call	_PiDetermineDeleteType@4 ; PiDetermineDeleteType(x)
		mov	ebx, eax
		cmp	ebx, 4
		jz	short loc_97FAAC
		push	1
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	_PnpRecordBlackboxPnpEventInformation@16 ; PnpRecordBlackboxPnpEventInformation(x,x,x,x)

loc_97FAAC:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+8Cj
		mov	edx, edi
		mov	ecx, ebx
		call	_PiCheckRemovalPreconditions@8 ; PiCheckRemovalPreconditions(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98005A
		mov	ecx, [ebp+var_C]
		cmp	ebx, 4
		jnz	short loc_97FAF2
		lea	edx, [ebp+var_2]
		call	_PiValidateEjectionRequest@8 ; PiValidateEjectionRequest(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_97FAE8
		lea	eax, [ecx+14h]
		push	eax
		push	8
		pop	edx

loc_97FADC:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+63Fj
		mov	ecx, edi
		call	_PnpFinalizeVetoedRemove@12 ; PnpFinalizeVetoedRemove(x,x,x)
		jmp	loc_98005A
; 

loc_97FAE8:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+C2j
		cmp	[ebp+var_2], 0
		jz	loc_98005A

loc_97FAF2:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+B4j
		test	ebx, ebx
		jnz	short loc_97FB0D
		call	_PipAreDriversLoaded@4 ; PipAreDriversLoaded(x)
		test	eax, eax
		jnz	short loc_97FB0D
		mov	ecx, edi
		call	_PiProcessQueryRemoveNoFdo@4 ; PiProcessQueryRemoveNoFdo(x)
		mov	esi, eax
		jmp	loc_98005A
; 

loc_97FB0D:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+E3j
					; PnpProcessQueryRemoveAndEject(x)+ECj
		mov	ecx, ebx
		call	_PiEventAllocateVetoBuffer@4 ; PiEventAllocateVetoBuffer(x)
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		jnz	short loc_97FB32

loc_97FB1D:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+5BCj
		push	0
		xor	edx, edx

loc_97FB21:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+13Aj
		mov	ecx, edi
		call	_PnpFinalizeVetoedRemove@12 ; PnpFinalizeVetoedRemove(x,x,x)

loc_97FB28:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+25Cj
					; PnpProcessQueryRemoveAndEject(x)+60Dj
		mov	esi, 80000028h
		jmp	loc_98005A
; 

loc_97FB32:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+10Aj
		mov	ecx, [ebp+var_20]
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		mov	edx, ebx
		call	_PnpBuildRemovalRelationList@16	; PnpBuildRemovalRelationList(x,x,x,x)
		test	eax, eax
		jns	short loc_97FB4D

loc_97FB45:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+281j
		mov	edx, [esi]
		lea	eax, [esi+4]
		push	eax
		jmp	short loc_97FB21
; 

loc_97FB4D:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+132j
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp-1]
		push	eax
		lea	eax, [ebp+var_1C]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	edi
		call	_PiEventBuildPdoList@28	; PiEventBuildPdoList(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98003C
		mov	edi, [ebp+var_38]
		mov	edx, ebx
		mov	ecx, edi
		call	_PnpResizeTargetDeviceBlock@8 ;	PnpResizeTargetDeviceBlock(x,x)
		mov	edi, [edi]
		mov	esi, eax
		mov	[ebp+var_38], edi
		test	esi, esi
		js	loc_98003C
		lea	eax, [ebp+var_14]
		mov	ecx, ebx
		push	eax
		push	0
		call	_PiEventAreDeviceRelationsExcluded@4 ; PiEventAreDeviceRelationsExcluded(x)
		mov	edx, [ebp+var_8]
		movzx	eax, al
		push	eax
		call	_PnpCompileDeviceInstancePaths@20 ; PnpCompileDeviceInstancePaths(x,x,x,x,x)
		mov	esi, eax
		cmp	ebx, 3
		jnz	short loc_97FBB9
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_30]
		push	eax
		call	_PnpBuildUnsafeRemovalDeviceList@12 ; PnpBuildUnsafeRemovalDeviceList(x,x,x)

loc_97FBB9:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+19Aj
		test	esi, esi
		js	loc_98003C
		cmp	byte ptr [ebp+var_1C], 0
		jz	loc_97FC97
		mov	cl, [ebp+var_1]
		call	_PpProfileBeginHardwareProfileTransition@4 ; PpProfileBeginHardwareProfileTransition(x)
		mov	esi, [ebp+var_28]
		sub	esi, 1
		js	short loc_97FC0B
		mov	edi, [ebp+var_24]

loc_97FBDE:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+1F5j
		mov	eax, [edi+esi*4]
		test	eax, eax
		jz	short loc_97FBF0
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_97FBF2
; 

loc_97FBF0:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+1D2j
		xor	ecx, ecx

loc_97FBF2:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+1DDj
		cmp	dword ptr [ecx+174h], 1
		jnz	short loc_97FC03
		push	3
		pop	edx
		call	_PpProfileIncludeInHardwareProfileTransition@8 ; PpProfileIncludeInHardwareProfileTransition(x,x)

loc_97FC03:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+1E8j
		sub	esi, 1
		jns	short loc_97FBDE
		mov	edi, [ebp+var_38]

loc_97FC0B:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+1C8j
		mov	esi, [ebp+var_10]
		cmp	ebx, 4
		jnz	loc_97FC9A
		mov	edx, esi
		lea	ecx, [ebp+var_2C]
		call	IoGetLegacyVetoList
		test	eax, eax
		js	short loc_97FC72
		cmp	dword ptr [esi], 0
		jz	short loc_97FC72
		call	_PpProfileCancelHardwareProfileTransition@0 ; PpProfileCancelHardwareProfileTransition()
		mov	ecx, [ebp+var_8]
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)
		mov	ecx, [edi+1Ch]
		test	ecx, ecx
		jz	short loc_97FC42
		mov	eax, [esi]
		mov	[ecx], eax

loc_97FC42:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+22Bj
		xor	esi, esi
		cmp	[edi+20h], esi
		jz	short loc_97FC61
		push	[ebp+var_2C]
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_40]
		push	eax
		push	dword ptr [edi+20h]
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)

loc_97FC61:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+236j
		push	esi
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_2C], esi
		jmp	loc_97FB28
; 

loc_97FC72:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+212j
					; PnpProcessQueryRemoveAndEject(x)+217j
		mov	cl, [ebp+var_1]
		lea	eax, [esi+4]
		push	eax
		push	esi
		xor	edx, edx
		call	_PpProfileQueryHardwareProfileChange@16	; PpProfileQueryHardwareProfileChange(x,x,x,x)
		test	eax, eax
		jns	short loc_97FC9A
		call	_PpProfileCancelHardwareProfileTransition@0 ; PpProfileCancelHardwareProfileTransition()
		mov	ecx, [ebp+var_8]
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)
		jmp	loc_97FB45
; 

loc_97FC97:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+1B4j
		mov	esi, [ebp+var_10]

loc_97FC9A:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+200j
					; PnpProcessQueryRemoveAndEject(x)+272j
		mov	ecx, ebx
		call	_PiIsOrderlyRemoval@4 ;	PiIsOrderlyRemoval(x)
		mov	[ebp+var_38], eax
		test	al, al
		jz	short loc_97FD09
		mov	ecx, [ebp+var_8]
		mov	dl, 1
		call	_PnpTrackQueryRemoveDevices@8 ;	PnpTrackQueryRemoveDevices(x,x)
		lea	eax, [ebp+var_14]
		mov	edx, edi
		push	eax
		push	esi
		push	[ebp+var_24]
		mov	ecx, ebx
		push	[ebp+var_28]
		push	[ebp+var_8]
		call	_PiProcessQueryAndCancelRemoval@28 ; PiProcessQueryAndCancelRemoval(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_97FD2A
		cmp	byte ptr [ebp+var_1C], 0
		jz	short loc_97FCDA
		call	_PpProfileCancelHardwareProfileTransition@0 ; PpProfileCancelHardwareProfileTransition()

loc_97FCDA:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+2C2j
		cmp	dword ptr [edi+8], 36h
		jnz	short loc_97FCF2
		mov	eax, [ebp+var_10]
		mov	edx, edi
		push	eax
		push	[ebp+var_8]
		mov	ecx, ebx
		call	_PiProcessCanceledRemoveForReset@16 ; PiProcessCanceledRemoveForReset(x,x,x,x)
		mov	esi, eax

loc_97FCF2:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+2CDj
		mov	ecx, [ebp+var_8]
		xor	dl, dl
		call	_PnpTrackQueryRemoveDevices@8 ;	PnpTrackQueryRemoveDevices(x,x)
		mov	ecx, [ebp+var_8]
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)
		jmp	loc_98005A
; 

loc_97FD09:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+295j
		call	_PiIsSurpriseRemoval@4 ; PiIsSurpriseRemoval(x)
		mov	esi, [ebp+var_8]
		test	al, al
		jz	short loc_97FD2D
		mov	ecx, [ebp+var_20]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	3
		mov	edx, esi
		call	_PnpDeleteLockedDeviceNodes@32 ; PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)
		jmp	short loc_97FD2D
; 

loc_97FD2A:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+2BCj
		mov	esi, [ebp+var_8]

loc_97FD2D:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+302j
					; PnpProcessQueryRemoveAndEject(x)+317j
		cmp	ebx, 3
		jz	short loc_97FD3E
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	offset _GUID_DEVICE_REMOVE_PENDING
		jmp	short loc_97FD6F
; 

loc_97FD3E:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+31Fj
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_97FD65
		xor	ecx, ecx
		mov	edx, eax
		push	ecx
		push	ecx
		push	ecx
		push	offset _GUID_DEVICE_SURPRISE_REMOVAL
		mov	ecx, edi
		call	_PnpNotifyUserModeDeviceRemoval@24 ; PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)
		push	4B706E50h
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_97FD65:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+332j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	offset _GUID_TARGET_DEVICE_REMOVE_COMPLETE

loc_97FD6F:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+32Bj
		mov	edx, [ebp+var_14]
		mov	ecx, edi
		call	_PnpNotifyUserModeDeviceRemoval@24 ; PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)
		push	[ebp+var_28]
		mov	edx, [ebp+var_24]
		mov	ecx, ebx
		call	_PiSendTargetDeviceRemoveCompleteNotification@12 ; PiSendTargetDeviceRemoveCompleteNotification(x,x,x)
		mov	edx, esi
		mov	ecx, ebx
		call	_PiInvalidateSpeculativeRelations@8 ; PiInvalidateSpeculativeRelations(x,x)
		mov	ecx, ebx
		call	_PiIsSurpriseRemoval@4 ; PiIsSurpriseRemoval(x)
		test	al, al
		jz	short loc_97FDC7
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	_PiEventRemovalPostSurpriseRemove@12 ; PiEventRemovalPostSurpriseRemove(x,x,x)
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree
		mov	edx, [ebp+var_28]
		mov	ecx, [ebp+var_24]
		push	0
		push	1
		push	0
		call	_PnpIsChainDereferenced@20 ; PnpIsChainDereferenced(x,x,x,x,x)
		xor	esi, esi
		jmp	loc_98006A
; 

loc_97FDC7:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+387j
		mov	eax, [ebp+var_C]
		cmp	dword ptr [eax+174h], 0
		jz	short loc_97FDF0
		mov	ecx, [ebp+var_20]
		lea	edx, [ebp+var_18]
		call	_IopQueryDockRemovalInterface@8	; IopQueryDockRemovalInterface(x,x)
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_97FDED
		push	3
		push	dword ptr [eax+4]
		call	dword ptr [eax+10h]

loc_97FDED:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+3D2j
		mov	eax, [ebp+var_C]

loc_97FDF0:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+3C0j
		test	ebx, ebx
		jnz	short loc_97FE00
		mov	edx, 2000000h
		mov	ecx, eax
		call	PipSetDevNodeFlags

loc_97FE00:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+3E1j
		mov	ecx, [ebp+var_20]
		mov	edx, esi
		push	0
		push	0
		push	dword ptr [edi+0Ch]
		push	dword ptr [edi+8]
		push	[ebp+var_38]
		push	2
		call	_PnpDeleteLockedDeviceNodes@32 ; PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)
		mov	eax, [ebp+var_C]
		mov	eax, [eax+170h]
		mov	ecx, eax
		shr	ecx, 3
		shr	eax, 10h
		and	ecx, 0FFFFFF01h
		and	al, 1
		mov	[ebp+var_8], ecx
		mov	byte ptr [ebp+var_28], al
		cmp	ebx, 4
		jz	short loc_97FE57
		push	[ebp+var_20]
		mov	edx, esi
		mov	ecx, edi
		call	_PiRestartRemovalRelations@12 ;	PiRestartRemovalRelations(x,x,x)
		push	ecx
		mov	edx, esi
		call	_PnpUnlinkDeviceRemovalRelations@12 ; PnpUnlinkDeviceRemovalRelations(x,x,x)
		test	ebx, ebx
		jnz	short loc_97FE78
		jmp	short loc_97FE6F
; 

loc_97FE57:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+42Aj
		test	cl, cl
		jnz	loc_97FEF7
		test	al, al
		jnz	loc_97FEF7
		push	ecx
		mov	edx, esi
		call	_PnpUnlinkDeviceRemovalRelations@12 ; PnpUnlinkDeviceRemovalRelations(x,x,x)

loc_97FE6F:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+444j
		xor	dl, dl
		mov	ecx, esi
		call	_PnpTrackQueryRemoveDevices@8 ;	PnpTrackQueryRemoveDevices(x,x)

loc_97FE78:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+442j
		mov	ecx, esi
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)
		cmp	ebx, 2
		jnz	short loc_97FE98
		mov	edx, [ebp+var_14]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	offset _GUID_TARGET_DEVICE_REMOVE_COMPLETE
		mov	ecx, edi
		call	_PnpNotifyUserModeDeviceRemoval@24 ; PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)

loc_97FE98:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+471j
		test	ebx, ebx
		jnz	short loc_97FEDB
		test	byte ptr [edi+60h], 2
		jnz	short loc_97FEDB
		mov	esi, [ebp+var_C]
		test	dword ptr [esi+10Ch], 2000h
		jz	short loc_97FEDB
		cmp	dword ptr [esi+114h], 12h
		jnz	short loc_97FEDB
		mov	ecx, esi
		call	PipClearDevNodeProblem
		mov	ecx, esi
		call	_PnpRestartDeviceNode@4	; PnpRestartDeviceNode(x)
		mov	ecx, [esi+10h]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	1
		push	10h
		pop	edx
		call	PnpRequestDeviceAction

loc_97FEDB:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+489j
					; PnpProcessQueryRemoveAndEject(x)+48Fj ...
		mov	esi, [ebp+var_18]
		test	esi, esi
		jz	short loc_97FEF0
		push	1
		push	dword ptr [esi+4]
		call	dword ptr [esi+10h]
		push	dword ptr [esi+4]
		call	dword ptr [esi+0Ch]

loc_97FEF0:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+4CFj
		xor	esi, esi
		jmp	loc_98005A
; 

loc_97FEF7:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+448j
					; PnpProcessQueryRemoveAndEject(x)+450j
		xor	eax, eax
		mov	[ebp+var_48], 1
		push	eax
		mov	[ebp+var_44], eax
		push	eax
		jmp	short loc_97FF5B
; 

loc_97FF07:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+55Aj
		mov	eax, [ebp+var_34]
		test	eax, eax
		jz	short loc_97FF19
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_97FF1B
; 

loc_97FF19:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+4FBj
		xor	eax, eax

loc_97FF1B:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+506j
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	short loc_97FF57
		mov	edx, 80000h
		mov	ecx, eax
		call	PipSetDevNodeFlags
		mov	eax, [ebp+var_30]
		mov	eax, [eax+1C4h]
		mov	[ebp+var_38], eax
		test	eax, eax
		jz	short loc_97FF57
		mov	ecx, [eax+20h]
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)
		mov	eax, [ebp+var_38]
		and	dword ptr [eax+20h], 0
		mov	eax, [ebp+var_30]
		and	dword ptr [eax+1C4h], 0

loc_97FF57:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+50Fj
					; PnpProcessQueryRemoveAndEject(x)+52Bj
		push	0
		push	0

loc_97FF5B:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+4F4j
		lea	eax, [ebp+var_34]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_48]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jnz	short loc_97FF07
		push	ecx
		mov	edx, esi
		call	_PnpUnlinkDeviceRemovalRelations@12 ; PnpUnlinkDeviceRemovalRelations(x,x,x)
		mov	eax, [ebp+var_18]
		mov	edx, esi
		push	eax
		push	[ebp+var_1C]
		mov	ecx, edi
		call	_PiEventAllocatePendingEjectRelations@16 ; PiEventAllocatePendingEjectRelations(x,x,x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		jnz	short loc_97FFD2
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_97FFA4
		push	1
		push	dword ptr [eax+4]
		call	dword ptr [eax+10h]
		mov	eax, [ebp+var_18]
		push	dword ptr [eax+4]
		call	dword ptr [eax+0Ch]

loc_97FFA4:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+580j
		cmp	byte ptr [ebp+var_1C], 0
		jz	short loc_97FFAF
		call	_PpProfileCancelHardwareProfileTransition@0 ; PpProfileCancelHardwareProfileTransition()

loc_97FFAF:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+597j
		push	1
		push	0
		push	4
		pop	edx
		mov	ecx, esi
		call	_PnpInvalidateRelationsInList@16 ; PnpInvalidateRelationsInList(x,x,x,x)
		xor	dl, dl
		mov	ecx, esi
		call	_PnpTrackQueryRemoveDevices@8 ;	PnpTrackQueryRemoveDevices(x,x)
		mov	ecx, esi
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)
		jmp	loc_97FB1D
; 

loc_97FFD2:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+579j
		mov	eax, [ebp+var_C]
		mov	esi, [ebp+var_38]
		mov	dl, byte ptr [ebp+var_8]
		mov	cl, byte ptr [ebp+var_1C]
		mov	[eax+1C4h], esi
		lea	eax, [esi+34h]
		push	eax
		push	[ebp+var_28]
		call	_PoGetLightestSystemStateForEject@16 ; PoGetLightestSystemStateForEject(x,x,x,x)
		test	eax, eax
		jns	short loc_980023
		cmp	eax, 0C00002DEh
		jnz	short loc_980000
		push	9
		pop	edx
		jmp	short loc_980002
; 

loc_980000:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+5E8j
		xor	edx, edx

loc_980002:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+5EDj
		push	0
		mov	ecx, edi
		call	_PnpFinalizeVetoedRemove@12 ; PnpFinalizeVetoedRemove(x,x,x)
		and	dword ptr [esi+18h], 0
		push	esi
		mov	byte ptr [esi+31h], 0
		mov	[esi+4], esi
		mov	[esi], esi
		call	_PnpProcessCompletedEject@4 ; PnpProcessCompletedEject(x)
		jmp	loc_97FB28
; 

loc_980023:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+5E1j
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree
		mov	ecx, [ebp+var_20]
		mov	edx, esi
		call	_IopEjectDevice@8 ; IopEjectDevice(x,x)
		mov	esi, 103h
		jmp	short loc_980062
; 

loc_98003C:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+15Bj
					; PnpProcessQueryRemoveAndEject(x)+176j ...
		mov	ecx, [ebp+var_8]
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)
		cmp	esi, 80000028h
		jz	short loc_98005A
		push	0
		xor	edx, edx
		jmp	loc_97FADC
; 

loc_980055:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+6Fj
					; PnpProcessQueryRemoveAndEject(x)+7Aj
		mov	esi, 0C0000056h

loc_98005A:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+A8j
					; PnpProcessQueryRemoveAndEject(x)+D2j	...
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree

loc_980062:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+629j
		cmp	esi, 0C0000056h
		jz	short loc_980086

loc_98006A:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+3B1j
		cmp	ebx, 4
		jz	short loc_980086
		mov	eax, [ebp+var_10]
		mov	edx, ebx
		mov	ecx, edi
		push	0
		test	eax, eax
		jz	short loc_98007F
		push	eax
		jmp	short loc_980081
; 

loc_98007F:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+669j
		push	0

loc_980081:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+66Cj
		call	_PnpRecordBlackboxPnpEventInformation@16 ; PnpRecordBlackboxPnpEventInformation(x,x,x,x)

loc_980086:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+657j
					; PnpProcessQueryRemoveAndEject(x)+65Cj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_98009D
		cmp	dword_6CC5E4, 0
		jnz	short loc_98009D

loc_980096:				; DATA XREF: PsBootPhaseComplete+47o
					; PipDmgInitReadGroupPolicy()+Do
		mov	ecx, eax
		call	_PiEventFreeVetoBuffer@4 ; PiEventFreeVetoBuffer(x)

loc_98009D:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+67Aj
					; PnpProcessQueryRemoveAndEject(x)+683j
		cmp	[ebp+var_14], 0
		jz	short loc_9800AD
		push	0
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9800AD:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+690j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_9800BC
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9800BC:				; CODE XREF: PnpProcessQueryRemoveAndEject(x)+6A1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PnpProcessQueryRemoveAndEject@4 endp


;  S U B	R O U T	I N E 


; __stdcall PnpRemoveEventFromQueue(x)
_PnpRemoveEventFromQueue@4 proc	near	; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+1A8p
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		mov	ecx, ds:_PnpDeviceEventList
		push	edi
		xor	edi, edi
		lea	ecx, [ecx+24h]
		call	ExAcquireFastMutex
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_980107
		cmp	[eax+4], esi
		jnz	short loc_98011B
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_98011B
		mov	[ecx], eax
		inc	edi
		mov	[eax+4], ecx
		or	eax, 0FFFFFFFFh
		lock xadd [esi+24h], eax
		jnz	short loc_980107
		push	4B706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_980107:				; CODE XREF: PnpRemoveEventFromQueue(x)+1Bj
					; PnpRemoveEventFromQueue(x)+37j
		mov	ecx, ds:_PnpDeviceEventList
		add	ecx, 24h
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_98011B:				; CODE XREF: PnpRemoveEventFromQueue(x)+20j
					; PnpRemoveEventFromQueue(x)+27j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PnpRemoveEventFromQueue@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpResizeTargetDeviceBlock(x, x)
_PnpResizeTargetDeviceBlock@8 proc near	; CODE XREF: PnpProcessQueryRemoveAndEject(x)+168p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		push	ebx
		mov	[ebp+var_4], eax
		xor	ebx, ebx
		push	esi
		mov	eax, [eax]
		push	edi
		mov	edi, edx
		mov	edx, [eax+64h]
		lea	ecx, [eax+6Ch]
		add	edx, 48h
		lea	esi, [ecx+2]
		mov	[ebp+var_8], edx

loc_980145:				; CODE XREF: PnpResizeTargetDeviceBlock(x,x)+2Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_980145
		sub	ecx, esi
		mov	esi, edx
		sar	ecx, 1
		add	ecx, ecx
		lea	eax, [ecx+2]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		sub	esi, ecx
		add	esi, 190h
		mov	[ebp+var_C], esi
		cmp	esi, edx
		jbe	short loc_9801BF
		push	4B706E50h
		xor	edx, edx
		mov	ecx, edi
		push	esi
		inc	edx
		call	_PnpAllocateCriticalMemory@16 ;	PnpAllocateCriticalMemory(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_98018D
		mov	ebx, 0C000009Ah
		jmp	short loc_9801BF
; 

loc_98018D:				; CODE XREF: PnpResizeTargetDeviceBlock(x,x)+64j
		push	esi		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	esi, [ebp+var_4]
		push	[ebp+var_8]	; size_t
		mov	esi, [esi]
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 18h
		mov	ecx, [ebp+var_C]
		add	ecx, 0FFFFFFB8h
		mov	dword ptr [edi+24h], 1
		mov	[edi+64h], ecx
		mov	[edi+30h], esi
		mov	[eax], edi

loc_9801BF:				; CODE XREF: PnpResizeTargetDeviceBlock(x,x)+4Ej
					; PnpResizeTargetDeviceBlock(x,x)+6Bj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_PnpResizeTargetDeviceBlock@8 endp


;  S U B	R O U T	I N E 


; __stdcall PnpSetBlockedDriverEvent(x)
_PnpSetBlockedDriverEvent@4 proc near	; CODE XREF: PnpPrepareDriverLoading+BDp
		cmp	dword_6CC5E4, 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		jz	short loc_9801DD
		mov	eax, 0C0000189h

loc_9801D9:				; CODE XREF: PnpSetBlockedDriverEvent(x)+2Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_9801DD:				; CODE XREF: PnpSetBlockedDriverEvent(x)+Cj
		mov	ecx, 8Ch
		call	_PnpCreateDeviceEventEntry@4 ; PnpCreateDeviceEventEntry(x)
		test	eax, eax
		jnz	short loc_9801F2
		mov	eax, 0C000009Ah
		jmp	short loc_9801D9
; 

loc_9801F2:				; CODE XREF: PnpSetBlockedDriverEvent(x)+23j
		mov	esi, (offset loc_42731E+2)
		mov	dword ptr [eax+58h], 7
		lea	edi, [eax+48h]
		mov	dword ptr [eax+64h], 44h
		mov	ecx, eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, ebx
		lea	edi, [eax+6Ch]
		movsd
		movsd
		movsd
		movsd
		pop	edi
		pop	esi
		pop	ebx
		jmp	PnpInsertEventInQueue
_PnpSetBlockedDriverEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpSetDeviceRemovalSafe(x, x, x)
_PnpSetDeviceRemovalSafe@12 proc near	; CODE XREF: PnpProcessCompletedEject(x)+EBp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	dword_6CC5E4, 0
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], esi
		jz	short loc_980240
		mov	eax, 0C0000189h
		jmp	loc_9802EE
; 

loc_980240:				; CODE XREF: PnpSetDeviceRemovalSafe(x,x,x)+15j
		push	edi
		xor	edi, edi
		test	esi, esi
		jz	short loc_980255
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	[ebp+var_4], eax
		jmp	short loc_98025A
; 

loc_980255:				; CODE XREF: PnpSetDeviceRemovalSafe(x,x,x)+26j
		mov	eax, edi
		mov	[ebp+var_4], edi

loc_98025A:				; CODE XREF: PnpSetDeviceRemovalSafe(x,x,x)+34j
		movzx	eax, word ptr [eax+14h]
		add	eax, 46h
		push	ebx
		mov	[ebp+var_8], eax
		lea	ecx, [eax+48h]
		call	_PnpCreateDeviceEventEntry@4 ; PnpCreateDeviceEventEntry(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_98027A
		mov	eax, 0C000009Ah
		jmp	short loc_9802EC
; 

loc_98027A:				; CODE XREF: PnpSetDeviceRemovalSafe(x,x,x)+52j
		mov	edx, 56706E50h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_8]
		mov	esi, (offset loc_42735F+1)
		mov	[ebx+10h], edi
		mov	[ebx+8], edi
		mov	[ebx+0Ch], edi
		mov	[ebx+1Ch], edi
		mov	[ebx+20h], edi
		lea	edi, [ebx+48h]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_4]
		and	dword ptr [ebx+5Ch], 0
		and	dword ptr [ebx+60h], 0
		mov	[ebx+64h], eax
		mov	eax, [ebp+var_C]
		mov	dword ptr [ebx+58h], 1
		mov	[ebx+68h], eax
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_9802D8
		movzx	eax, word ptr [esi+14h]
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [ebx+6Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_9802D8:				; CODE XREF: PnpSetDeviceRemovalSafe(x,x,x)+A5j
		movzx	eax, word ptr [esi+14h]
		xor	ecx, ecx
		shr	eax, 1
		mov	[ebx+eax*2+6Ch], cx
		mov	ecx, ebx
		call	PnpInsertEventInQueue

loc_9802EC:				; CODE XREF: PnpSetDeviceRemovalSafe(x,x,x)+59j
		pop	ebx
		pop	edi

loc_9802EE:				; CODE XREF: PnpSetDeviceRemovalSafe(x,x,x)+1Cj
		pop	esi
		leave
		retn	4
_PnpSetDeviceRemovalSafe@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpSetHwProfileChangeEvent(x, x, x,	x, x)
_PnpSetHwProfileChangeEvent@20 proc near
					; CODE XREF: PnpRequestHwProfileChangeNotification(x,x,x,x)+89p
					; PnpRequestHwProfileChangeNotification(x,x,x,x)+B1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword_6CC5E4, 0
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		jz	short loc_98030E
		mov	eax, 0C0000189h
		jmp	short loc_980355
; 

loc_98030E:				; CODE XREF: PnpSetHwProfileChangeEvent(x,x,x,x,x)+12j
		mov	ecx, 8Ch
		call	_PnpCreateDeviceEventEntry@4 ; PnpCreateDeviceEventEntry(x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_980325
		mov	eax, 0C000009Ah
		jmp	short loc_980355
; 

loc_980325:				; CODE XREF: PnpSetHwProfileChangeEvent(x,x,x,x,x)+29j
		mov	eax, [ebp+arg_4]
		and	dword ptr [ecx+58h], 0
		mov	[ecx+10h], esi
		mov	esi, ebx
		mov	[ecx+1Ch], eax
		mov	eax, [ebp+arg_8]
		push	edi
		mov	[ecx+20h], eax
		lea	edi, [ecx+48h]
		mov	eax, [ebp+arg_0]
		movsd
		movsd
		movsd
		movsd
		mov	dword ptr [ecx+64h], 44h
		mov	[ecx+5Ch], eax
		call	PnpInsertEventInQueue
		pop	edi

loc_980355:				; CODE XREF: PnpSetHwProfileChangeEvent(x,x,x,x,x)+19j
					; PnpSetHwProfileChangeEvent(x,x,x,x,x)+30j
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_PnpSetHwProfileChangeEvent@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpSetInvalidIDEvent(x)
_PnpSetInvalidIDEvent@4	proc near	; CODE XREF: PiProcessNewDeviceNode+6E64Ap
					; PnpQueryID+6E1D1p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	dword_6CC5E4, 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], ecx
		jz	short loc_980378
		mov	eax, 0C0000189h
		jmp	short loc_9803E0
; 

loc_980378:				; CODE XREF: PnpSetInvalidIDEvent(x)+14j
		movzx	ebx, word ptr [ecx]
		add	ebx, 46h
		lea	ecx, [ebx+48h]
		call	_PnpCreateDeviceEventEntry@4 ; PnpCreateDeviceEventEntry(x)
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jnz	short loc_980396
		mov	eax, 0C000009Ah
		jmp	short loc_9803E0
; 

loc_980396:				; CODE XREF: PnpSetInvalidIDEvent(x)+32j
		mov	esi, offset _GUID_DEVICE_INVALID_ID
		mov	[ecx+64h], ebx
		mov	ebx, [ebp+var_4]
		lea	edi, [ecx+48h]
		mov	dword ptr [ecx+58h], 8
		movsd
		movsd
		movsd
		movsd
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		lea	eax, [ecx+6Ch]
		push	eax		; void *
		call	_memcpy
		movzx	eax, word ptr [ebx]
		xor	edx, edx
		mov	ecx, [ebp+var_8]
		add	esp, 0Ch
		shr	eax, 1
		mov	[ecx+eax*2+6Ch], dx
		movzx	eax, word ptr [ebx]
		shr	eax, 1
		mov	[ecx+eax*2+6Eh], dx
		call	PnpInsertEventInQueue

loc_9803E0:				; CODE XREF: PnpSetInvalidIDEvent(x)+1Bj
					; PnpSetInvalidIDEvent(x)+39j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnpSetInvalidIDEvent@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpSetPowerVetoEvent(x, x, x, x, x,	x)
_PnpSetPowerVetoEvent@24 proc near	; CODE XREF: IoNotifyPowerOperationVetoed(x,x,x)+43p
					; IopWarmEjectDevice(x,x)+4Cp

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	dword_6CC5E4, 0
		mov	[ebp+var_4], ecx
		jz	short loc_980401
		mov	eax, 0C0000189h
		jmp	locret_9804F3
; 

loc_980401:				; CODE XREF: PnpSetPowerVetoEvent(x,x,x,x,x,x)+10j
		mov	eax, [ebp+arg_4]
		push	esi
		mov	eax, [eax+0B0h]
		mov	esi, [eax+14h]
		test	esi, esi
		jnz	short loc_98041C
		mov	eax, 0C00000F0h
		jmp	loc_9804F2
; 

loc_98041C:				; CODE XREF: PnpSetPowerVetoEvent(x,x,x,x,x,x)+2Bj
		push	edi
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jz	short loc_980429
		movzx	ecx, word ptr [edi]
		jmp	short loc_98042B
; 

loc_980429:				; CODE XREF: PnpSetPowerVetoEvent(x,x,x,x,x,x)+3Dj
		xor	ecx, ecx

loc_98042B:				; CODE XREF: PnpSetPowerVetoEvent(x,x,x,x,x,x)+42j
		movzx	eax, word ptr [esi+14h]
		add	eax, 48h
		add	eax, ecx
		push	ebx
		mov	[ebp+arg_C], eax
		lea	ecx, [eax+48h]
		call	_PnpCreateDeviceEventEntry@4 ; PnpCreateDeviceEventEntry(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_980450
		mov	eax, 0C000009Ah
		jmp	loc_9804F0
; 

loc_980450:				; CODE XREF: PnpSetPowerVetoEvent(x,x,x,x,x,x)+5Fj
		mov	ecx, [ebp+arg_4]
		mov	edx, 56706E50h
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+arg_C]
		and	dword ptr [ebx+10h], 0
		and	dword ptr [ebx+5Ch], 0
		mov	[ebx+64h], eax
		mov	eax, [ebp+arg_4]
		mov	[ebx+68h], eax
		mov	eax, [ebp+arg_8]
		mov	[ebx+6Ch], eax
		movzx	eax, word ptr [esi+14h]
		push	eax		; size_t
		push	dword ptr [esi+18h] ; void *
		lea	eax, [ebx+70h]
		push	eax		; void *
		call	_memcpy
		movzx	eax, word ptr [esi+14h]
		xor	ecx, ecx
		shr	eax, 1
		add	esp, 0Ch
		mov	[ebx+eax*2+70h], cx
		test	edi, edi
		jz	short loc_9804BD
		add	eax, 39h
		lea	esi, [ebx+eax*2]
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		push	esi		; void *
		call	_memcpy
		movzx	eax, word ptr [edi]
		add	esp, 0Ch
		shr	eax, 1
		xor	ecx, ecx
		mov	[esi+eax*2], cx

loc_9804BD:				; CODE XREF: PnpSetPowerVetoEvent(x,x,x,x,x,x)+B5j
		mov	eax, [ebp+var_4]
		lea	edi, [ebx+48h]
		cmp	eax, 7
		jnz	short loc_9804CF
		mov	esi, (offset loc_42733F+1)
		jmp	short loc_9804DE
; 

loc_9804CF:				; CODE XREF: PnpSetPowerVetoEvent(x,x,x,x,x,x)+E1j
		mov	esi, offset _GUID_DEVICE_HIBERNATE_VETOED
		cmp	eax, 3
		jz	short loc_9804DE
		mov	esi, (offset loc_42732E+2)

loc_9804DE:				; CODE XREF: PnpSetPowerVetoEvent(x,x,x,x,x,x)+E8j
					; PnpSetPowerVetoEvent(x,x,x,x,x,x)+F2j
		movsd
		mov	ecx, ebx
		mov	dword ptr [ebx+58h], 6
		movsd
		movsd
		movsd
		call	PnpInsertEventInQueue

loc_9804F0:				; CODE XREF: PnpSetPowerVetoEvent(x,x,x,x,x,x)+66j
		pop	ebx
		pop	edi

loc_9804F2:				; CODE XREF: PnpSetPowerVetoEvent(x,x,x,x,x,x)+32j
		pop	esi

locret_9804F3:				; CODE XREF: PnpSetPowerVetoEvent(x,x,x,x,x,x)+17j
		leave
		retn	10h
_PnpSetPowerVetoEvent@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpSetTargetDeviceRemove(x,	x, x, x, x, x, x, x, x,	x, x, x, x, x)
_PnpSetTargetDeviceRemove@56 proc near	; CODE XREF: PiDevCfgProcessDeviceCallback+6C4C9p
					; IoRequestDeviceRemovalForReset(x,x)+B7p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_20]
		mov	ebx, ecx
		mov	[esp+18h+var_4], edx
		test	edi, edi
		jz	short loc_980518
		mov	dword ptr [edi], 103h

loc_980518:				; CODE XREF: PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+19j
		cmp	dword_6CC5E4, 0
		jz	short loc_98053C
		xor	ecx, ecx
		mov	esi, offset _PnpDeviceActionThread
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jnz	short loc_98053C
		mov	eax, 0C0000189h
		jmp	loc_9805D3
; 

loc_98053C:				; CODE XREF: PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+28j
					; PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+39j
		test	ebx, ebx
		jz	short loc_98054B
		mov	eax, [ebx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_98054D
; 

loc_98054B:				; CODE XREF: PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+47j
		xor	eax, eax

loc_98054D:				; CODE XREF: PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+52j
		movzx	eax, word ptr [eax+14h]
		add	eax, 8Eh
		neg	edx
		push	4B706E50h
		sbb	ecx, ecx
		mov	[esp+1Ch+var_8], eax
		xor	edx, edx
		and	ecx, 3
		push	eax
		inc	edx
		call	_PnpAllocateCriticalMemory@16 ;	PnpAllocateCriticalMemory(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_98057C
		mov	eax, 0C000009Ah
		jmp	short loc_9805D3
; 

loc_98057C:				; CODE XREF: PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7Cj
		push	[esp+18h+var_8]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, [esp+18h+var_8]
		mov	ecx, esi
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	edi
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	[esp+3Ch+var_4]
		push	ebx
		call	_PnpInitializeTargetDeviceRemoveEvent@52 ; PnpInitializeTargetDeviceRemoveEvent(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	eax, [ebp+arg_18]
		mov	[esi+14h], eax
		mov	eax, [ebp+arg_1C]
		mov	[esi+18h], eax
		mov	eax, [ebp+arg_2C]
		test	eax, eax
		jz	short loc_9805CC
		mov	[eax], esi
		inc	dword ptr [esi+24h]

loc_9805CC:				; CODE XREF: PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+CEj
		mov	ecx, esi
		call	PnpInsertEventInQueue

loc_9805D3:				; CODE XREF: PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+40j
					; PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+83j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	30h
_PnpSetTargetDeviceRemove@56 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpSynchronizeDeviceEventQueue()
_PnpSynchronizeDeviceEventQueue@0 proc near ; CODE XREF: PipProcessDevNodeTree+A1C5Dp

var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		xor	esi, esi
		push	esi
		push	esi
		mov	[ebp+var_4], esi
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	edx, [ebp+var_4]
		lea	ecx, [ebp+var_14]
		call	_PnpInsertNoopEvent@8 ;	PnpInsertNoopEvent(x,x)
		test	eax, eax
		js	short loc_98061B
		push	esi
		push	esi
		push	esi
		push	esi
		lea	eax, [ebp+var_14]
		push	eax
		call	KeWaitForSingleObject

loc_98061B:				; CODE XREF: PnpSynchronizeDeviceEventQueue()+30j
		pop	edi
		pop	esi
		leave
		retn
_PnpSynchronizeDeviceEventQueue@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpTrackQueryRemoveDevices(x, x)
_PnpTrackQueryRemoveDevices@8 proc near	; CODE XREF: PnpProcessCompletedEject(x)+9Fp
					; PnpProcessQueryRemoveAndEject(x)+29Cp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	bl, dl
		mov	esi, ecx
		mov	[ebp+var_4], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi

loc_980639:				; CODE XREF: PnpTrackQueryRemoveDevices(x,x)+50j
					; PnpTrackQueryRemoveDevices(x,x)+57j
		push	edi
		push	edi
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_C]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	short loc_980678
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_98065F
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_980661
; 

loc_98065F:				; CODE XREF: PnpTrackQueryRemoveDevices(x,x)+33j
		mov	ecx, edi

loc_980661:				; CODE XREF: PnpTrackQueryRemoveDevices(x,x)+3Ej
		mov	edx, 100h
		test	bl, bl
		jz	short loc_980671
		call	PipSetDevNodeUserFlags
		jmp	short loc_980639
; 

loc_980671:				; CODE XREF: PnpTrackQueryRemoveDevices(x,x)+49j
		call	PipClearDevNodeUserFlags
		jmp	short loc_980639
; 

loc_980678:				; CODE XREF: PnpTrackQueryRemoveDevices(x,x)+2Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnpTrackQueryRemoveDevices@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpReplacePartitionUnit(x)
_PnpReplacePartitionUnit@4 proc	near	; CODE XREF: IoReplacePartitionUnit(x,x,x)+70p
					; DATA XREF: IoReplacePartitionUnit(x,x,x)+82o

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_60], eax
		lea	edi, [ebp+var_1C]
		xor	eax, eax
		xor	ebx, ebx
		stosd
		push	3Ch		; size_t
		push	ebx		; int
		stosd
		stosd
		lea	eax, [ebp+var_58]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _PnpReplaceEvent
		mov	[ebp+var_68], eax
		call	KeWaitForSingleObject
		mov	edi, [ebp+var_60]
		xor	edx, edx
		cmp	[edi+8], edx
		jl	short loc_980725
		mov	esi, [edi+4]
		test	esi, esi
		jz	loc_98090A
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_98090A
		mov	ebx, 20000h
		test	[eax+10Ch], ebx
		jnz	loc_98090A
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_980751
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_980751
		test	[eax+10Ch], ebx
		jnz	short loc_980751
		mov	edx, esi
		call	_PnprLogStartEvent@8 ; PnprLogStartEvent(x,x)

loc_980725:				; CODE XREF: PnpReplacePartitionUnit(x)+57j
		push	51706E50h
		mov	esi, 2A0h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_980AD6
		mov	esi, 0C000009Ah

loc_980749:				; CODE XREF: PnpReplacePartitionUnit(x)+565j
		mov	[ebp+var_5C], esi
		jmp	loc_980EFB
; 

loc_980751:				; CODE XREF: PnpReplacePartitionUnit(x)+8Aj
					; PnpReplacePartitionUnit(x)+97j ...
		push	2
		pop	ebx
		test	ecx, ecx
		jz	loc_9808FC
		movzx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi]
		mov	eax, [ecx+8]
		test	eax, eax
		jz	short loc_9807A3
		movsx	edx, word ptr [eax+2]
		mov	ecx, eax
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi]
		xor	edx, edx
		mov	eax, [ecx+8]
		cmp	[eax+1Ch], dx
		jz	short loc_9807A5
		mov	edx, ebx
		lea	ecx, [eax+1Ch]
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi]

loc_9807A3:				; CODE XREF: PnpReplacePartitionUnit(x)+EFj
		xor	edx, edx

loc_9807A5:				; CODE XREF: PnpReplacePartitionUnit(x)+107j
		test	ecx, ecx
		jz	short loc_9807B4
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_9807B6
; 

loc_9807B4:				; CODE XREF: PnpReplacePartitionUnit(x)+12Aj
		mov	eax, edx

loc_9807B6:				; CODE XREF: PnpReplacePartitionUnit(x)+135j
		test	eax, eax
		jz	loc_9808FC
		test	ecx, ecx
		jz	short loc_9807CD
		mov	eax, [ecx+0B0h]
		mov	esi, [eax+14h]
		jmp	short loc_9807CF
; 

loc_9807CD:				; CODE XREF: PnpReplacePartitionUnit(x)+143j
		mov	esi, edx

loc_9807CF:				; CODE XREF: PnpReplacePartitionUnit(x)+14Ej
		test	ecx, ecx
		jz	short loc_9807DE
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_9807E0
; 

loc_9807DE:				; CODE XREF: PnpReplacePartitionUnit(x)+154j
		mov	ecx, edx

loc_9807E0:				; CODE XREF: PnpReplacePartitionUnit(x)+15Fj
		mov	edx, 1F4h
		call	IoAddTriageDumpDataBlock
		xor	eax, eax
		cmp	[esi+14h], ax
		jz	short loc_980808
		mov	edx, ebx
		lea	ecx, [esi+14h]
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [esi+14h]
		mov	ecx, [esi+18h]
		call	IoAddTriageDumpDataBlock

loc_980808:				; CODE XREF: PnpReplacePartitionUnit(x)+173j
		mov	edx, [edi]
		xor	esi, esi
		test	edx, edx
		jz	short loc_98081B
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_98081D
; 

loc_98081B:				; CODE XREF: PnpReplacePartitionUnit(x)+191j
		mov	eax, esi

loc_98081D:				; CODE XREF: PnpReplacePartitionUnit(x)+19Cj
		cmp	[eax+1Ch], si
		jz	short loc_980870
		test	edx, edx
		jz	short loc_980832
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_980834
; 

loc_980832:				; CODE XREF: PnpReplacePartitionUnit(x)+1A8j
		mov	ecx, esi

loc_980834:				; CODE XREF: PnpReplacePartitionUnit(x)+1B3j
		add	ecx, 1Ch
		mov	edx, ebx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_98084F
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_980851
; 

loc_98084F:				; CODE XREF: PnpReplacePartitionUnit(x)+1C5j
		mov	edx, esi

loc_980851:				; CODE XREF: PnpReplacePartitionUnit(x)+1D0j
		test	ecx, ecx
		jz	short loc_980860
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_980862
; 

loc_980860:				; CODE XREF: PnpReplacePartitionUnit(x)+1D6j
		mov	ecx, esi

loc_980862:				; CODE XREF: PnpReplacePartitionUnit(x)+1E1j
		movzx	edx, word ptr [edx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [edi]

loc_980870:				; CODE XREF: PnpReplacePartitionUnit(x)+1A4j
		test	edx, edx
		jz	short loc_98087F
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_980881
; 

loc_98087F:				; CODE XREF: PnpReplacePartitionUnit(x)+1F5j
		mov	eax, esi

loc_980881:				; CODE XREF: PnpReplacePartitionUnit(x)+200j
		mov	ecx, edx
		cmp	[eax+8], esi
		jz	short loc_9808FA
		test	edx, edx
		jz	short loc_980897
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_980899
; 

loc_980897:				; CODE XREF: PnpReplacePartitionUnit(x)+20Dj
		mov	eax, esi

loc_980899:				; CODE XREF: PnpReplacePartitionUnit(x)+218j
		mov	eax, [eax+8]
		mov	ecx, edx
		cmp	[eax+1Ch], si
		jz	short loc_9808FA
		test	edx, edx
		jz	short loc_9808B3
		mov	eax, [edx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_9808B5
; 

loc_9808B3:				; CODE XREF: PnpReplacePartitionUnit(x)+229j
		mov	ecx, esi

loc_9808B5:				; CODE XREF: PnpReplacePartitionUnit(x)+234j
		mov	ecx, [ecx+8]
		mov	edx, ebx
		add	ecx, 1Ch
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_9808D3
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		jmp	short loc_9808D5
; 

loc_9808D3:				; CODE XREF: PnpReplacePartitionUnit(x)+249j
		mov	edx, esi

loc_9808D5:				; CODE XREF: PnpReplacePartitionUnit(x)+254j
		test	ecx, ecx
		jz	short loc_9808E4
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_9808E6
; 

loc_9808E4:				; CODE XREF: PnpReplacePartitionUnit(x)+25Aj
		mov	ecx, esi

loc_9808E6:				; CODE XREF: PnpReplacePartitionUnit(x)+265j
		mov	eax, [edx+8]
		mov	ecx, [ecx+8]
		movzx	edx, word ptr [eax+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi]

loc_9808FA:				; CODE XREF: PnpReplacePartitionUnit(x)+209j
					; PnpReplacePartitionUnit(x)+225j
		xor	edx, edx

loc_9808FC:				; CODE XREF: PnpReplacePartitionUnit(x)+D9j
					; PnpReplacePartitionUnit(x)+13Bj
		push	edx
		push	edx
		push	ecx

loc_9808FF:				; CODE XREF: PnpReplacePartitionUnit(x)+454j
		push	ebx
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_98090A:				; CODE XREF: PnpReplacePartitionUnit(x)+5Ej
					; PnpReplacePartitionUnit(x)+6Fj ...
		push	2
		pop	ebx
		test	esi, esi
		jz	loc_980ACE
		movzx	edx, word ptr [esi+2]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		mov	esi, [edi+4]
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_98095F
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	esi, [edi+4]
		xor	edx, edx
		mov	ecx, [esi+8]
		add	ecx, 1Ch
		cmp	[ecx], dx
		jz	short loc_980961
		mov	edx, ebx
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+4]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	esi, [edi+4]

loc_98095F:				; CODE XREF: PnpReplacePartitionUnit(x)+2ABj
		xor	edx, edx

loc_980961:				; CODE XREF: PnpReplacePartitionUnit(x)+2C4j
		test	esi, esi
		jz	short loc_980970
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_980972
; 

loc_980970:				; CODE XREF: PnpReplacePartitionUnit(x)+2E6j
		mov	eax, edx

loc_980972:				; CODE XREF: PnpReplacePartitionUnit(x)+2F1j
		test	eax, eax
		jz	loc_980ACE
		test	esi, esi
		jz	short loc_98098C
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	[ebp+var_60], eax
		jmp	short loc_98098F
; 

loc_98098C:				; CODE XREF: PnpReplacePartitionUnit(x)+2FFj
		mov	[ebp+var_60], edx

loc_98098F:				; CODE XREF: PnpReplacePartitionUnit(x)+30Dj
		test	esi, esi
		jz	short loc_98099E
		mov	eax, [esi+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_9809A0
; 

loc_98099E:				; CODE XREF: PnpReplacePartitionUnit(x)+314j
		mov	ecx, edx

loc_9809A0:				; CODE XREF: PnpReplacePartitionUnit(x)+31Fj
		mov	edx, 1F4h
		call	IoAddTriageDumpDataBlock
		mov	esi, [ebp+var_60]
		xor	edx, edx
		cmp	[esi+14h], dx
		jz	short loc_9809CD
		mov	edx, ebx
		lea	ecx, [esi+14h]
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [esi+14h]
		mov	ecx, [esi+18h]
		call	IoAddTriageDumpDataBlock
		xor	edx, edx

loc_9809CD:				; CODE XREF: PnpReplacePartitionUnit(x)+336j
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	short loc_9809DF
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_9809E1
; 

loc_9809DF:				; CODE XREF: PnpReplacePartitionUnit(x)+355j
		mov	eax, edx

loc_9809E1:				; CODE XREF: PnpReplacePartitionUnit(x)+360j
		cmp	[eax+1Ch], dx
		jz	short loc_980A3C
		test	ecx, ecx
		jz	short loc_9809F6
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_9809F8
; 

loc_9809F6:				; CODE XREF: PnpReplacePartitionUnit(x)+36Cj
		mov	ecx, edx

loc_9809F8:				; CODE XREF: PnpReplacePartitionUnit(x)+377j
		add	ecx, 1Ch
		mov	edx, ebx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	short loc_980A16
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		xor	eax, eax
		jmp	short loc_980A1A
; 

loc_980A16:				; CODE XREF: PnpReplacePartitionUnit(x)+38Aj
		xor	eax, eax
		mov	edx, eax

loc_980A1A:				; CODE XREF: PnpReplacePartitionUnit(x)+397j
		test	ecx, ecx
		jz	short loc_980A29
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_980A2B
; 

loc_980A29:				; CODE XREF: PnpReplacePartitionUnit(x)+39Fj
		mov	ecx, eax

loc_980A2B:				; CODE XREF: PnpReplacePartitionUnit(x)+3AAj
		movzx	edx, word ptr [edx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+4]
		xor	edx, edx

loc_980A3C:				; CODE XREF: PnpReplacePartitionUnit(x)+368j
		test	ecx, ecx
		jz	short loc_980A4B
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_980A4D
; 

loc_980A4B:				; CODE XREF: PnpReplacePartitionUnit(x)+3C1j
		mov	eax, edx

loc_980A4D:				; CODE XREF: PnpReplacePartitionUnit(x)+3CCj
		mov	esi, ecx
		cmp	[eax+8], edx
		jz	short loc_980ACE
		test	ecx, ecx
		jz	short loc_980A63
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_980A65
; 

loc_980A63:				; CODE XREF: PnpReplacePartitionUnit(x)+3D9j
		mov	eax, edx

loc_980A65:				; CODE XREF: PnpReplacePartitionUnit(x)+3E4j
		mov	eax, [eax+8]
		mov	esi, ecx
		cmp	[eax+1Ch], dx
		jz	short loc_980ACE
		test	ecx, ecx
		jz	short loc_980A7F
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_980A81
; 

loc_980A7F:				; CODE XREF: PnpReplacePartitionUnit(x)+3F5j
		mov	ecx, edx

loc_980A81:				; CODE XREF: PnpReplacePartitionUnit(x)+400j
		mov	ecx, [ecx+8]
		mov	edx, ebx
		add	ecx, 1Ch
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	short loc_980AA2
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		xor	eax, eax
		jmp	short loc_980AA6
; 

loc_980AA2:				; CODE XREF: PnpReplacePartitionUnit(x)+416j
		xor	eax, eax
		mov	edx, eax

loc_980AA6:				; CODE XREF: PnpReplacePartitionUnit(x)+423j
		test	ecx, ecx
		jz	short loc_980AB5
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_980AB7
; 

loc_980AB5:				; CODE XREF: PnpReplacePartitionUnit(x)+42Bj
		mov	ecx, eax

loc_980AB7:				; CODE XREF: PnpReplacePartitionUnit(x)+436j
		mov	eax, [edx+8]
		mov	ecx, [ecx+8]
		movzx	edx, word ptr [eax+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	esi, [edi+4]
		xor	edx, edx

loc_980ACE:				; CODE XREF: PnpReplacePartitionUnit(x)+292j
					; PnpReplacePartitionUnit(x)+2F7j ...
		push	edx
		push	edx
		push	esi
		jmp	loc_9808FF
; 

loc_980AD6:				; CODE XREF: PnpReplacePartitionUnit(x)+C1j
		push	esi		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [edi]
		add	esp, 0Ch
		mov	[ebx], eax
		mov	eax, [edi+4]
		mov	[ebx+18h], eax
		mov	eax, [edi+8]
		mov	[ebx+30h], eax
		lea	eax, [ebx+70h]
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	ds:_KeDynamicPartitioningSupported, 0
		mov	_PnprContext, ebx
		jnz	short loc_980B46
		xor	eax, eax
		cmp	[edi+8], eax
		jl	short loc_980B46
		mov	eax, [ebx+260h]
		mov	esi, 0C00000BBh
		mov	[ebp+var_5C], esi
		test	eax, eax
		jnz	short loc_980B28
		mov	eax, 0ABh

loc_980B28:				; CODE XREF: PnpReplacePartitionUnit(x)+4A4j
		mov	[ebx+260h], eax
		mov	eax, [ebx+264h]
		test	eax, eax
		jnz	short loc_980B3B
		push	2
		pop	eax

loc_980B3B:				; CODE XREF: PnpReplacePartitionUnit(x)+4B9j
		mov	[ebx+264h], eax
		jmp	loc_980EFB
; 

loc_980B46:				; CODE XREF: PnpReplacePartitionUnit(x)+48Bj
					; PnpReplacePartitionUnit(x)+492j
		call	_PnprLegacyDeviceDriversPresent@0 ; PnprLegacyDeviceDriversPresent()
		test	al, al
		jz	short loc_980B89
		mov	eax, _PnprContext
		mov	esi, 0C00000CBh
		mov	[ebp+var_5C], esi
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_980B6B
		mov	ecx, 0B7h

loc_980B6B:				; CODE XREF: PnpReplacePartitionUnit(x)+4E7j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_980B7E
		push	7

loc_980B7D:				; CODE XREF: PnpReplacePartitionUnit(x)+5AFj
					; PnpReplacePartitionUnit(x)+739j ...
		pop	ecx

loc_980B7E:				; CODE XREF: PnpReplacePartitionUnit(x)+4FCj
					; PnpReplacePartitionUnit(x)+5A7j ...
		mov	[eax+264h], ecx
		jmp	loc_980EFB
; 

loc_980B89:				; CODE XREF: PnpReplacePartitionUnit(x)+4D0j
		mov	cl, 1
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		xor	eax, eax
		cmp	[edi+8], eax
		jge	short loc_980BE7
		mov	ecx, ds:_ExPageLockHandle
		xor	esi, esi
		inc	esi
		mov	edx, esi
		call	MiLockPagableImageSection
		xor	eax, eax
		push	eax
		push	3
		push	_ExCbPowerState
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)
		lea	ecx, [ebp+var_58]
		call	_PnprQuiesceDevices@4 ;	PnprQuiesceDevices(x)
		lea	ecx, [ebp+var_58]
		call	_PnprWakeDevices@4 ; PnprWakeDevices(x)
		push	ds:_ExPageLockHandle
		call	_MmUnlockPagableImageSection@4 ; MmUnlockPagableImageSection(x)
		push	esi
		push	3
		push	_ExCbPowerState
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)
		xor	esi, esi
		jmp	loc_980749
; 

loc_980BE7:				; CODE XREF: PnpReplacePartitionUnit(x)+518j
		mov	edx, [ebx+18h]
		lea	eax, [ebx+20h]
		mov	ecx, [ebx]
		push	eax
		lea	eax, [ebx+8]
		push	eax
		call	_PnprIdentifyUnits@16 ;	PnprIdentifyUnits(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_5C], esi
		test	esi, esi
		jns	short loc_980C31
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_980C16
		mov	ecx, 0DCh

loc_980C16:				; CODE XREF: PnpReplacePartitionUnit(x)+592j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	loc_980B7E
		push	3
		jmp	loc_980B7D
; 

loc_980C31:				; CODE XREF: PnpReplacePartitionUnit(x)+583j
		lea	edx, [ebx+18h]
		mov	ecx, ebx
		call	_PnprCollectResources@8	; PnprCollectResources(x,x)
		mov	esi, eax
		mov	[ebp+var_5C], esi
		test	esi, esi
		jns	short loc_980C75
		mov	ecx, _PnprContext
		mov	eax, [ecx+260h]
		test	eax, eax
		jnz	short loc_980C59
		mov	eax, 0E9h

loc_980C59:				; CODE XREF: PnpReplacePartitionUnit(x)+5D5j
					; PnpReplacePartitionUnit(x)+69Aj ...
		mov	[ecx+260h], eax
		mov	eax, [ecx+264h]
		test	eax, eax
		jnz	short loc_980C6A
		inc	eax

loc_980C6A:				; CODE XREF: PnpReplacePartitionUnit(x)+5EAj
		mov	[ecx+264h], eax
		jmp	loc_980EFB
; 

loc_980C75:				; CODE XREF: PnpReplacePartitionUnit(x)+5C5j
		lea	edx, [ebx+22Ch]
		lea	ecx, [ebx+220h]
		call	_PnprLoadPluginDriver@8	; PnprLoadPluginDriver(x,x)
		mov	esi, eax
		xor	eax, eax
		mov	[ebp+var_5C], esi
		mov	[ebp+var_64], eax
		test	esi, esi
		js	short loc_980D01
		lea	edx, [ebx+18h]
		lea	ecx, [ebx+22Ch]
		call	_PnprQueryReplaceFeatures@8 ; PnprQueryReplaceFeatures(x,x)
		or	[ebx+30h], eax
		mov	ecx, [ebx+14h]
		mov	[ebp+var_64], eax

loc_980CAB:				; CODE XREF: PnpReplacePartitionUnit(x)+68Aj
		xor	esi, esi
		cmp	[ecx+4], esi
		jz	loc_980DC0
		mov	eax, [ebx+234h]
		test	al, 1
		jz	loc_980E0A
		cmp	[ebx+244h], esi
		jz	loc_980E0A
		test	al, 2
		jz	short loc_980D27
		cmp	[ebx+248h], esi
		jnz	short loc_980D27
		mov	eax, _PnprContext
		mov	esi, 0C00000BBh
		mov	[ebp+var_5C], esi
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	loc_980E26
		mov	ecx, 11Ah
		jmp	loc_980E26
; 

loc_980D01:				; CODE XREF: PnpReplacePartitionUnit(x)+615j
		mov	ecx, [ebx+14h]
		cmp	[ecx+4], eax
		jz	short loc_980CAB
		mov	ecx, _PnprContext
		mov	eax, [ecx+260h]
		test	eax, eax
		jnz	loc_980C59
		mov	eax, 103h
		jmp	loc_980C59
; 

loc_980D27:				; CODE XREF: PnpReplacePartitionUnit(x)+655j
					; PnpReplacePartitionUnit(x)+65Dj
		lea	edx, [ebx+70h]
		call	_PnprMmConstruct@8 ; PnprMmConstruct(x,x)
		mov	esi, eax
		mov	[ebp+var_5C], esi
		test	esi, esi
		jns	short loc_980D56
		mov	ecx, _PnprContext
		mov	eax, [ecx+260h]
		test	eax, eax
		jnz	loc_980C59
		mov	eax, 126h
		jmp	loc_980C59
; 

loc_980D56:				; CODE XREF: PnpReplacePartitionUnit(x)+6B9j
		test	byte ptr [ebp+var_64], 8
		jz	short loc_980D65
		mov	eax, [ebx+2Ch]
		and	dword ptr [eax+4], 0
		jmp	short loc_980D75
; 

loc_980D65:				; CODE XREF: PnpReplacePartitionUnit(x)+6DDj
		xor	eax, eax
		cmp	[ebx+258h], eax
		jz	short loc_980DEC
		test	byte ptr [ebx+30h], 20h
		jnz	short loc_980DEC

loc_980D75:				; CODE XREF: PnpReplacePartitionUnit(x)+6E6j
		push	[ebp+var_68]
		lea	edx, [ebx+6Ch]
		lea	ecx, [ebx+68h]
		call	_PnprAllocateMappingReserves@12	; PnprAllocateMappingReserves(x,x,x)
		mov	esi, eax
		mov	[ebp+var_5C], esi
		test	esi, esi
		jns	short loc_980DBB
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_980DA0
		mov	ecx, 14Dh

loc_980DA0:				; CODE XREF: PnpReplacePartitionUnit(x)+71Cj
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	loc_980B7E
		push	0Ah
		jmp	loc_980B7D
; 

loc_980DBB:				; CODE XREF: PnpReplacePartitionUnit(x)+70Dj
		xor	esi, esi
		mov	[ebx+78h], esi

loc_980DC0:				; CODE XREF: PnpReplacePartitionUnit(x)+633j
		test	byte ptr [ebx+30h], 20h
		jz	short loc_980E41
		cmp	[ebx+25Ch], esi
		jnz	short loc_980E41
		mov	eax, _PnprContext
		mov	esi, 0C00000BBh
		mov	[ebp+var_5C], esi
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_980E26
		mov	ecx, 161h
		jmp	short loc_980E26
; 

loc_980DEC:				; CODE XREF: PnpReplacePartitionUnit(x)+6F0j
					; PnpReplacePartitionUnit(x)+6F6j
		mov	eax, _PnprContext
		mov	esi, 0C00000BBh
		mov	[ebp+var_5C], esi
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_980E26
		mov	ecx, 13Eh
		jmp	short loc_980E26
; 

loc_980E0A:				; CODE XREF: PnpReplacePartitionUnit(x)+641j
					; PnpReplacePartitionUnit(x)+64Dj
		mov	eax, _PnprContext
		mov	esi, 0C00000BBh
		mov	[ebp+var_5C], esi
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_980E26
		mov	ecx, 112h

loc_980E26:				; CODE XREF: PnpReplacePartitionUnit(x)+674j
					; PnpReplacePartitionUnit(x)+67Fj ...
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	loc_980B7E
		push	9
		jmp	loc_980B7D
; 

loc_980E41:				; CODE XREF: PnpReplacePartitionUnit(x)+747j
					; PnpReplacePartitionUnit(x)+74Fj
		mov	eax, [ebp+var_68]
		lea	edi, [ebp+var_10]
		mov	[ebx+7Ch], eax
		mov	esi, offset _KeActiveProcessors
		mov	eax, [ebx+10h]
		movsd
		mov	edx, [eax+4]
		movsd
		movsd
		xor	esi, esi
		mov	ecx, esi
		test	edx, edx
		jz	short loc_980E72
		mov	esi, [eax]

loc_980E62:				; CODE XREF: PnpReplacePartitionUnit(x)+7F1j
		mov	eax, [esi+ecx*4]
		not	eax
		and	[ebp+ecx*4+var_8], eax
		inc	ecx
		cmp	ecx, edx
		jb	short loc_980E62
		xor	esi, esi

loc_980E72:				; CODE XREF: PnpReplacePartitionUnit(x)+7E1j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_980EB0
		mov	eax, _PnprContext
		mov	esi, 0C00000CBh
		mov	[ebp+var_5C], esi
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_980E95
		mov	ecx, 17Ch

loc_980E95:				; CODE XREF: PnpReplacePartitionUnit(x)+811j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_980EA8
		push	6
		pop	ecx

loc_980EA8:				; CODE XREF: PnpReplacePartitionUnit(x)+826j
		mov	[eax+264h], ecx
		jmp	short loc_980EF8
; 

loc_980EB0:				; CODE XREF: PnpReplacePartitionUnit(x)+7FAj
		test	al, 1
		jz	short loc_980EB8
		mov	eax, esi
		jmp	short loc_980EBE
; 

loc_980EB8:				; CODE XREF: PnpReplacePartitionUnit(x)+835j
		mov	[ebp+var_64], esi
		bsr	eax, eax

loc_980EBE:				; CODE XREF: PnpReplacePartitionUnit(x)+839j
		mov	[ebx+80h], eax
		xor	eax, eax
		mov	ecx, [ebx+80h]
		inc	eax
		shl	eax, cl
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_C], esi
		push	eax
		mov	[ebp+var_8], esi
		call	KeSetSystemGroupAffinityThread
		call	_PnprInitiateReplaceOperation@0	; PnprInitiateReplaceOperation()
		mov	esi, eax
		lea	eax, [ebp+var_1C]
		push	eax
		mov	[ebp+var_5C], esi
		call	KeRevertToUserGroupAffinityThread

loc_980EF8:				; CODE XREF: PnpReplacePartitionUnit(x)+831j
		mov	edi, [ebp+var_60]

loc_980EFB:				; CODE XREF: PnpReplacePartitionUnit(x)+CFj
					; PnpReplacePartitionUnit(x)+4C4j ...
		cmp	dword ptr [edi+8], 0
		jl	short loc_980F24
		test	esi, esi
		js	short loc_980F19
		xor	cl, cl
		call	_PnprGetMillisecondCounter@4 ; PnprGetMillisecondCounter(x)
		mov	[ebx+298h], eax
		call	_PnprLogSuccessEvent@0 ; PnprLogSuccessEvent()
		jmp	short loc_980F24
; 

loc_980F19:				; CODE XREF: PnpReplacePartitionUnit(x)+886j
		mov	edx, [edi+4]
		mov	ecx, [edi]
		push	esi
		call	_PnprLogFailureEvent@12	; PnprLogFailureEvent(x,x,x)

loc_980F24:				; CODE XREF: PnpReplacePartitionUnit(x)+882j
					; PnpReplacePartitionUnit(x)+89Aj
		test	ebx, ebx
		jz	loc_981012
		mov	eax, [ebx+220h]
		mov	[ebp+var_64], eax
		test	eax, eax
		jz	short loc_980F4E
		mov	ecx, [ebx+238h]
		test	ecx, ecx
		jz	short loc_980F48
		call	ecx
		mov	eax, [ebp+var_64]

loc_980F48:				; CODE XREF: PnpReplacePartitionUnit(x)+8C4j
		push	eax
		call	MmUnloadSystemImage

loc_980F4E:				; CODE XREF: PnpReplacePartitionUnit(x)+8BAj
		mov	eax, [ebx+68h]
		test	eax, eax
		jz	short loc_980FA3
		xor	ecx, ecx
		cmp	[ebx+6Ch], ecx
		jz	short loc_980FA3
		cmp	[ebp+var_68], ecx
		jbe	short loc_980F8B
		mov	esi, [ebp+var_68]
		mov	edi, ecx

loc_980F66:				; CODE XREF: PnpReplacePartitionUnit(x)+903j
		mov	ecx, [ebx+68h]
		add	ecx, edi
		call	_PnprFreeMappingReserve@4 ; PnprFreeMappingReserve(x)
		mov	ecx, [ebx+6Ch]
		add	ecx, edi
		call	_PnprFreeMappingReserve@4 ; PnprFreeMappingReserve(x)
		add	edi, 0Ch
		sub	esi, 1
		jnz	short loc_980F66
		mov	eax, [ebx+68h]
		mov	edi, [ebp+var_60]
		mov	esi, [ebp+var_5C]

loc_980F8B:				; CODE XREF: PnpReplacePartitionUnit(x)+8E2j
		push	51706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	51706E50h
		push	dword ptr [ebx+6Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_980FA3:				; CODE XREF: PnpReplacePartitionUnit(x)+8D6j
					; PnpReplacePartitionUnit(x)+8DDj
		lea	ecx, [ebx+70h]
		call	_PnprMmFree@4	; PnprMmFree(x)
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	short loc_980FC2
		push	51706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebx+10h], eax

loc_980FC2:				; CODE XREF: PnpReplacePartitionUnit(x)+933j
		mov	eax, [ebx+14h]
		test	eax, eax
		jz	short loc_980FD9
		push	51706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebx+14h], eax

loc_980FD9:				; CODE XREF: PnpReplacePartitionUnit(x)+94Aj
		mov	eax, [ebx+28h]
		test	eax, eax
		jz	short loc_980FF0
		push	51706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebx+28h], eax

loc_980FF0:				; CODE XREF: PnpReplacePartitionUnit(x)+961j
		mov	eax, [ebx+2Ch]
		test	eax, eax
		jz	short loc_981007
		push	51706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebx+2Ch], eax

loc_981007:				; CODE XREF: PnpReplacePartitionUnit(x)+978j
		push	51706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_981012:				; CODE XREF: PnpReplacePartitionUnit(x)+8A9j
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	offset _PnpReplaceEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	ebx
		push	ebx
		lea	eax, [edi+10h]
		mov	[edi+0Ch], esi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PnpReplacePartitionUnit@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprAddDeviceResources(x, x)
_PnprAddDeviceResources@8 proc near	; DATA XREF: PnprCollectResources(x,x)+1CAo

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, [eax+10h]
		mov	ecx, esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	dl, [edi]
		mov	ebx, [edi+4]
		call	_PnprIsMemoryDevice@8 ;	PnprIsMemoryDevice(x,x)
		mov	ecx, esi
		test	al, al
		jz	short loc_981076
		lea	edx, [ebx+14h]
		call	_PnprAddMemoryResources@8 ; PnprAddMemoryResources(x,x)
		jmp	short loc_98109C
; 

loc_981076:				; CODE XREF: PnprAddDeviceResources(x,x)+2Bj
		mov	dl, [edi]
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_PnprIsProcessorDevice@16 ; PnprIsProcessorDevice(x,x,x,x)
		test	al, al
		jz	short loc_98109A
		mov	edx, [ebp+var_8]
		lea	eax, [ebx+10h]
		push	eax
		push	[ebp+var_4]
		call	_PnprAddProcessorResources@16 ;	PnprAddProcessorResources(x,x,x,x)
		jmp	short loc_98109C
; 

loc_98109A:				; CODE XREF: PnprAddDeviceResources(x,x)+48j
		xor	eax, eax

loc_98109C:				; CODE XREF: PnprAddDeviceResources(x,x)+35j
					; PnprAddDeviceResources(x,x)+59j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PnprAddDeviceResources@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprAddMemoryResources(x, x)
_PnprAddMemoryResources@8 proc near	; CODE XREF: PnprAddDeviceResources(x,x)+30p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		mov	eax, edx
		push	esi
		xor	esi, esi
		mov	[ebp+var_18], eax
		mov	[ebp+var_30], esi
		mov	ebx, [eax]
		mov	[ebp+var_2C], esi
		push	edi
		mov	edi, ebx
		mov	[ebp+var_24], edi
		test	ecx, ecx
		jz	short loc_9810D1
		mov	eax, [ecx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_9810D3
; 

loc_9810D1:				; CODE XREF: PnprAddMemoryResources(x,x)+21j
		mov	ecx, esi

loc_9810D3:				; CODE XREF: PnprAddMemoryResources(x,x)+2Cj
		mov	ecx, [ecx+11Ch]
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jnz	short loc_981128
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_9810F4
		mov	ecx, 278h

loc_9810F4:				; CODE XREF: PnprAddMemoryResources(x,x)+4Aj
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_981107
		push	6
		pop	ecx

loc_981107:				; CODE XREF: PnprAddMemoryResources(x,x)+5Fj
		mov	[eax+264h], ecx

loc_98110D:				; CODE XREF: PnprAddMemoryResources(x,x)+90j
					; PnprAddMemoryResources(x,x)+186j
		mov	eax, [ebp+var_18]
		mov	[eax], ebx
		cmp	ebx, edi
		jz	short loc_981121
		push	51706E50h
		push	edi

loc_98111C:				; CODE XREF: PnprAddMemoryResources(x,x)+1D0j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_981121:				; CODE XREF: PnprAddMemoryResources(x,x)+71j
					; PnprAddMemoryResources(x,x)+1C4j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_981128:				; CODE XREF: PnprAddMemoryResources(x,x)+3Bj
		lea	eax, [ecx+4]
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], eax
		cmp	[ecx], esi
		jbe	short loc_98110D

loc_981135:				; CODE XREF: PnprAddMemoryResources(x,x)+180j
		mov	edx, esi
		mov	[ebp+var_8], edx
		cmp	[eax+0Ch], esi
		jbe	loc_981212
		lea	ecx, [eax+10h]
		mov	[ebp+var_C], ecx

loc_981149:				; CODE XREF: PnprAddMemoryResources(x,x)+164j
		mov	dl, [ecx]
		mov	[ebp+var_1], dl
		cmp	dl, 3
		mov	edx, [ebp+var_8]
		jz	short loc_981160
		cmp	[ebp+var_1], 7
		jnz	loc_9811FA

loc_981160:				; CODE XREF: PnprAddMemoryResources(x,x)+B1j
		mov	eax, [ebx+4]
		mov	[ebp+var_1C], eax
		cmp	eax, [ebx]
		jnz	short loc_9811B9
		add	eax, 4
		mov	[ebp+var_20], eax
		inc	eax
		push	51706E50h
		shl	eax, 4
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_98122E
		mov	ecx, [ebp+var_1C]
		inc	ecx
		shl	ecx, 4
		push	ecx		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_20]
		add	esp, 0Ch
		mov	[esi], eax
		cmp	ebx, edi
		jz	short loc_9811B4
		push	51706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9811B4:				; CODE XREF: PnprAddMemoryResources(x,x)+104j
		mov	ecx, [ebp+var_C]
		mov	ebx, esi

loc_9811B9:				; CODE XREF: PnprAddMemoryResources(x,x)+C5j
		lea	eax, [ebp+var_30]
		push	eax
		push	ecx
		call	RtlCmDecodeMemIoResource
		mov	esi, [ebx+4]
		mov	edi, eax
		mov	ecx, [ebp+var_30]
		inc	esi
		add	esi, esi
		mov	[ebx+esi*8], ecx
		mov	ecx, [ebp+var_2C]
		mov	[ebx+esi*8+4], ecx
		mov	eax, [ebx+4]
		mov	ecx, [ebp+var_C]
		add	eax, eax
		mov	[ebx+eax*8+18h], edi
		mov	[ebx+eax*8+1Ch], edx
		add	[ebx+8], edi
		mov	eax, [ebp+var_10]
		adc	[ebx+0Ch], edx
		inc	dword ptr [ebx+4]
		mov	edi, [ebp+var_24]
		mov	edx, [ebp+var_8]

loc_9811FA:				; CODE XREF: PnprAddMemoryResources(x,x)+B7j
		inc	edx
		add	ecx, 10h
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], ecx
		cmp	edx, [eax+0Ch]
		jb	loc_981149
		mov	ecx, [ebp+var_28]
		xor	esi, esi

loc_981212:				; CODE XREF: PnprAddMemoryResources(x,x)+9Aj
		add	edx, 20h
		add	eax, edx
		mov	edx, [ebp+var_14]
		inc	edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], edx
		cmp	edx, [ecx]
		jb	loc_981135
		jmp	loc_98110D
; 

loc_98122E:				; CODE XREF: PnprAddMemoryResources(x,x)+E5j
		mov	eax, _PnprContext
		mov	esi, 0C000009Ah
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_981247
		mov	ecx, 2A0h

loc_981247:				; CODE XREF: PnprAddMemoryResources(x,x)+19Dj
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_98125A
		push	0Ah
		pop	ecx

loc_98125A:				; CODE XREF: PnprAddMemoryResources(x,x)+1B2j
		mov	[eax+264h], ecx
		mov	eax, [ebp+var_18]
		mov	[eax], edi
		cmp	ebx, edi
		jz	loc_981121
		push	51706E50h
		push	ebx
		jmp	loc_98111C
_PnprAddMemoryResources@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprAddProcessorResources(x, x, x, x)
_PnprAddProcessorResources@16 proc near	; CODE XREF: PnprAddDeviceResources(x,x)+54p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, edx
		mov	edi, [edi]
		mov	eax, [edi+0Ch]
		cmp	eax, [edi+8]
		jnz	short loc_98130F
		add	eax, 4
		mov	[ebp+var_C], eax
		shl	eax, 2
		mov	[ebp+var_8], eax
		add	eax, 10h
		push	51706E50h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9812EF
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_9812CF
		mov	ecx, 330h

loc_9812CF:				; CODE XREF: PnprAddProcessorResources(x,x,x,x)+50j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_9812E2
		push	0Ah
		pop	ecx

loc_9812E2:				; CODE XREF: PnprAddProcessorResources(x,x,x,x)+65j
		mov	[eax+264h], ecx
		mov	eax, 0C000009Ah
		jmp	short loc_981345
; 

loc_9812EF:				; CODE XREF: PnprAddProcessorResources(x,x,x,x)+41j
		push	[ebp+var_8]	; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	51706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_C]
		mov	edi, esi
		mov	[esi+8], eax

loc_98130F:				; CODE XREF: PnprAddProcessorResources(x,x,x,x)+1Cj
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_981331
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		call	_KeGetProcessorNumberFromIndex@8 ; KeGetProcessorNumberFromIndex(x,x)
		movzx	esi, word ptr [ebp+var_4]
		mov	edx, [edi]
		movzx	eax, byte ptr [ebp+var_4+2]
		mov	ecx, [edx+esi*4]
		bts	ecx, eax
		mov	[edx+esi*4], ecx

loc_981331:				; CODE XREF: PnprAddProcessorResources(x,x,x,x)+9Aj
		mov	ecx, [edi+0Ch]
		mov	eax, [ebp+arg_0]
		mov	[edi+ecx*4+10h], eax
		mov	eax, [ebp+arg_4]
		inc	dword ptr [edi+0Ch]
		mov	[eax], edi
		xor	eax, eax

loc_981345:				; CODE XREF: PnprAddProcessorResources(x,x,x,x)+75j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PnprAddProcessorResources@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprAllocateMappingReserves(x, x, x)
_PnprAllocateMappingReserves@12	proc near ; CODE XREF: PnpReplacePartitionUnit(x)+701p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		imul	esi, [ebp+arg_0], 0Ch
		mov	ebx, 51706E50h
		push	edi
		push	ebx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], ecx
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_C], edi
		test	edi, edi
		jnz	short loc_981385
		mov	esi, 0C000009Ah
		jmp	loc_981465
; 

loc_981385:				; CODE XREF: PnprAllocateMappingReserves(x,x,x)+2Dj
		push	ebx
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_98139E
		mov	esi, 0C000009Ah
		jmp	short loc_981410
; 

loc_98139E:				; CODE XREF: PnprAllocateMappingReserves(x,x,x)+49j
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		and	[ebp+var_8], 0
		add	esp, 0Ch
		cmp	[ebp+arg_0], 0
		jbe	short loc_98140A
		mov	ecx, ebx
		mov	eax, edi
		sub	ecx, edi
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], ecx

loc_9813CC:				; CODE XREF: PnprAllocateMappingReserves(x,x,x)+BCj
		push	2
		mov	edx, eax
		pop	ecx
		call	_PnprInitializeMappingReserve@8	; PnprInitializeMappingReserve(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_981410
		mov	eax, [ebp+var_4]
		mov	ecx, 802h
		mov	edx, [ebp+var_10]
		lea	edx, [edx+eax]
		call	_PnprInitializeMappingReserve@8	; PnprInitializeMappingReserve(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_98146E
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		inc	ecx
		add	eax, 0Ch
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], eax
		cmp	ecx, [ebp+arg_0]
		jb	short loc_9813CC

loc_98140A:				; CODE XREF: PnprAllocateMappingReserves(x,x,x)+72j
		xor	esi, esi

loc_98140C:				; CODE XREF: PnprAllocateMappingReserves(x,x,x)+12Aj
		test	esi, esi
		jns	short loc_98145B

loc_981410:				; CODE XREF: PnprAllocateMappingReserves(x,x,x)+50j
					; PnprAllocateMappingReserves(x,x,x)+8Ej
		test	ebx, ebx
		jz	short loc_981478
		cmp	dword ptr [edi], 0
		jz	short loc_981478
		cmp	dword ptr [ebx], 0
		jz	short loc_981478
		mov	ecx, _PnprContext
		imul	eax, [ecx+80h],	0Ch
		add	eax, edi
		cmp	dword ptr [eax], 0
		jnz	short loc_981459
		mov	esi, edi
		mov	edi, eax
		xor	eax, eax
		movsd
		movsd
		movsd
		imul	edi, [ecx+80h],	0Ch
		mov	esi, ebx
		add	edi, ebx
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, ebx
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_C]

loc_981459:				; CODE XREF: PnprAllocateMappingReserves(x,x,x)+E4j
		xor	esi, esi

loc_98145B:				; CODE XREF: PnprAllocateMappingReserves(x,x,x)+C2j
		mov	eax, [ebp+var_14]
		mov	[eax], edi
		mov	eax, [ebp+var_18]
		mov	[eax], ebx

loc_981465:				; CODE XREF: PnprAllocateMappingReserves(x,x,x)+34j
					; PnprAllocateMappingReserves(x,x,x)+139j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_98146E:				; CODE XREF: PnprAllocateMappingReserves(x,x,x)+A7j
		mov	ecx, [ebp+var_4]
		call	_PnprFreeMappingReserve@4 ; PnprFreeMappingReserve(x)
		jmp	short loc_98140C
; 

loc_981478:				; CODE XREF: PnprAllocateMappingReserves(x,x,x)+C6j
					; PnprAllocateMappingReserves(x,x,x)+CBj ...
		push	51706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jz	short loc_981465
		push	51706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_981465
_PnprAllocateMappingReserves@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprCollectResources(x, x)
_PnprCollectResources@8	proc near	; CODE XREF: PnpReplacePartitionUnit(x)+5B9p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		push	51706E50h
		xor	eax, eax
		mov	ebx, edx
		push	20h
		push	200h
		mov	[ebp+var_4], ebx
		mov	esi, ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esi+10h], edi
		test	edi, edi
		jnz	short loc_981505
		mov	eax, _PnprContext
		mov	edi, 0C000009Ah
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_9814E7
		mov	ecx, 400h

loc_9814E7:				; CODE XREF: PnprCollectResources(x,x)+4Cj
					; PnprCollectResources(x,x)+AEj ...
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_9814FA
		push	0Ah
		pop	ecx

loc_9814FA:				; CODE XREF: PnprCollectResources(x,x)+61j
		mov	[eax+264h], ecx
		jmp	loc_9817AD
; 

loc_981505:				; CODE XREF: PnprCollectResources(x,x)+38j
		push	8
		pop	ecx
		xor	eax, eax
		rep stosd
		mov	eax, [esi+10h]
		push	51706E50h
		push	20h
		push	200h
		mov	dword ptr [eax+8], 4
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebx+10h], edi
		test	edi, edi
		jnz	short loc_98154B
		mov	eax, _PnprContext
		mov	edi, 0C000009Ah
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_9814E7
		mov	ecx, 40Dh
		jmp	short loc_9814E7
; 

loc_98154B:				; CODE XREF: PnprCollectResources(x,x)+9Aj
		push	8
		pop	ecx
		xor	eax, eax
		rep stosd
		mov	eax, [ebx+10h]
		mov	edi, 200h
		push	4
		pop	ecx
		push	51706E50h
		push	ecx
		push	edi
		mov	[eax+8], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [esi+10h]
		mov	[ecx], eax
		mov	eax, [esi+10h]
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_98159C
		mov	eax, _PnprContext
		mov	edi, 0C000009Ah
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	loc_9814E7
		mov	ecx, 421h
		jmp	loc_9814E7
; 

loc_98159C:				; CODE XREF: PnprCollectResources(x,x)+E4j
		and	dword ptr [eax], 0
		xor	ebx, ebx
		mov	eax, [esi+10h]
		inc	ebx
		push	51706E50h
		push	50h
		push	edi
		mov	[eax+4], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+14h], eax
		test	eax, eax
		jnz	short loc_9815F6
		mov	eax, _PnprContext
		mov	edi, 0C000009Ah
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_9815D5
		mov	ecx, 434h

loc_9815D5:				; CODE XREF: PnprCollectResources(x,x)+13Aj
					; PnprCollectResources(x,x)+18Bj ...
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_9815E8
		push	0Ah

loc_9815E7:				; CODE XREF: PnprCollectResources(x,x)+2A8j
		pop	ecx

loc_9815E8:				; CODE XREF: PnprCollectResources(x,x)+14Fj
					; PnprCollectResources(x,x)+2A0j
		mov	ebx, [ebp+var_4]
		mov	[eax+264h], ecx
		jmp	loc_9817AD
; 

loc_9815F6:				; CODE XREF: PnprCollectResources(x,x)+126j
		push	51706E50h
		push	50h
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, [ebp+var_4]
		mov	[edi+14h], eax
		test	eax, eax
		jnz	short loc_981628
		mov	eax, _PnprContext
		mov	edi, 0C000009Ah
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_9815D5
		mov	ecx, 43Fh
		jmp	short loc_9815D5
; 

loc_981628:				; CODE XREF: PnprCollectResources(x,x)+177j
		push	50h		; size_t
		push	0		; int
		push	dword ptr [esi+14h] ; void *
		call	_memset
		push	50h		; size_t
		push	0		; int
		push	dword ptr [edi+14h] ; void *
		call	_memset
		mov	eax, [esi+14h]
		add	esp, 18h
		push	4
		pop	ecx
		mov	[eax], ecx
		mov	eax, [edi+14h]
		mov	[eax], ecx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_14], eax
		mov	eax, [esi]
		mov	[ebp+var_C], esi
		mov	byte ptr [ebp+var_10], bl
		mov	[ebp+var_18], offset _PnprAddDeviceResources@8 ; PnprAddDeviceResources(x,x)
		test	eax, eax
		jz	short loc_981674
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_981676
; 

loc_981674:				; CODE XREF: PnprCollectResources(x,x)+1D3j
		xor	ecx, ecx

loc_981676:				; CODE XREF: PnprCollectResources(x,x)+1DEj
		lea	eax, [ebp+var_18]
		push	eax
		call	_PipForAllChildDeviceNodes@12 ;	PipForAllChildDeviceNodes(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9816B9
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_981699
		mov	ecx, 456h

loc_981699:				; CODE XREF: PnprCollectResources(x,x)+1FEj
					; PnprCollectResources(x,x)+25Ej ...
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jz	short loc_9816AB
		mov	ebx, ecx

loc_9816AB:				; CODE XREF: PnprCollectResources(x,x)+213j
		mov	[eax+264h], ebx
		mov	ebx, [ebp+var_4]
		jmp	loc_9817A9
; 

loc_9816B9:				; CODE XREF: PnprCollectResources(x,x)+1EFj
		mov	eax, [ebp+var_4]
		mov	[ebp+var_C], eax
		mov	byte ptr [ebp+var_10], 0
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_9816D4
		mov	eax, [eax+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_9816D6
; 

loc_9816D4:				; CODE XREF: PnprCollectResources(x,x)+233j
		xor	ecx, ecx

loc_9816D6:				; CODE XREF: PnprCollectResources(x,x)+23Ej
		lea	eax, [ebp+var_18]
		push	eax
		call	_PipForAllChildDeviceNodes@12 ;	PipForAllChildDeviceNodes(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9816FB
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_981699
		mov	ecx, 461h
		jmp	short loc_981699
; 

loc_9816FB:				; CODE XREF: PnprCollectResources(x,x)+24Fj
		mov	eax, [esi+10h]
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jnz	short loc_981741
		mov	eax, [esi+14h]
		cmp	[eax+4], ecx
		jnz	short loc_981741
		mov	eax, _PnprContext
		mov	edi, 0C000000Dh
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_981726
		mov	ecx, 46Dh

loc_981726:				; CODE XREF: PnprCollectResources(x,x)+28Bj
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	loc_9815E8
		push	5
		jmp	loc_9815E7
; 

loc_981741:				; CODE XREF: PnprCollectResources(x,x)+26Fj
					; PnprCollectResources(x,x)+277j
		mov	ebx, [ebp+var_4]
		mov	eax, [ebx+14h]
		mov	edx, [eax+8]
		mov	[ebp+var_4], edx
		mov	edx, [eax+0Ch]
		mov	eax, [ebp+var_4]
		or	eax, edx
		mov	[ebp+var_8], edx
		jz	short loc_98176F
		mov	edx, [esi+14h]
		mov	eax, [edx+0Ch]
		cmp	eax, [ebp+var_8]
		ja	short loc_981777
		jb	short loc_98176F
		mov	eax, [edx+8]
		cmp	eax, [ebp+var_4]
		ja	short loc_981777

loc_98176F:				; CODE XREF: PnprCollectResources(x,x)+2C4j
					; PnprCollectResources(x,x)+2D1j
		mov	eax, [ebx+10h]
		cmp	ecx, [eax+0Ch]
		jbe	short loc_9817A9

loc_981777:				; CODE XREF: PnprCollectResources(x,x)+2CFj
					; PnprCollectResources(x,x)+2D9j
		mov	eax, _PnprContext
		mov	edi, 0C000000Dh
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_981790
		mov	ecx, 476h

loc_981790:				; CODE XREF: PnprCollectResources(x,x)+2F5j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_9817A3
		push	4
		pop	ecx

loc_9817A3:				; CODE XREF: PnprCollectResources(x,x)+30Aj
		mov	[eax+264h], ecx

loc_9817A9:				; CODE XREF: PnprCollectResources(x,x)+220j
					; PnprCollectResources(x,x)+2E1j
		test	edi, edi
		jns	short loc_981819

loc_9817AD:				; CODE XREF: PnprCollectResources(x,x)+6Cj
					; PnprCollectResources(x,x)+15Dj
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_9817D7
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_9817C8
		push	51706E50h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+10h]

loc_9817C8:				; CODE XREF: PnprCollectResources(x,x)+324j
		push	51706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+10h], 0

loc_9817D7:				; CODE XREF: PnprCollectResources(x,x)+31Ej
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_9817ED
		push	51706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+14h], 0

loc_9817ED:				; CODE XREF: PnprCollectResources(x,x)+348j
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	short loc_981803
		push	51706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [ebx+10h], 0

loc_981803:				; CODE XREF: PnprCollectResources(x,x)+35Ej
		mov	eax, [ebx+14h]
		test	eax, eax
		jz	short loc_981819
		push	51706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [ebx+14h], 0

loc_981819:				; CODE XREF: PnprCollectResources(x,x)+317j
					; PnprCollectResources(x,x)+374j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnprCollectResources@8	endp


;  S U B	R O U T	I N E 


; __stdcall PnprFreeMappingReserve(x)
_PnprFreeMappingReserve@4 proc near	; CODE XREF: PnpReplacePartitionUnit(x)+8EEp
					; PnpReplacePartitionUnit(x)+8F8p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_981834
		push	eax
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		and	dword ptr [esi], 0

loc_981834:				; CODE XREF: PnprFreeMappingReserve(x)+9j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_98184A
		push	51706E50h
		push	eax
		call	MmFreeMappingAddress
		and	dword ptr [esi+4], 0

loc_98184A:				; CODE XREF: PnprFreeMappingReserve(x)+19j
		xor	eax, eax
		mov	[esi+8], ax
		pop	esi
		retn
_PnprFreeMappingReserve@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprGetPluginDriverImagePath(x)
_PnprGetPluginDriverImagePath@4	proc near ; CODE XREF: PnprLoadPluginDriver(x,x)+33p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		push	6
		mov	[ebp+var_10], ecx
		lea	edi, [ebp+var_38]
		pop	ecx
		xor	eax, eax
		xor	esi, esi
		rep stosd
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_C]
		push	eax
		push	4
		pop	edx
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_4], esi
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9819EC
		push	offset ??_C@_1BI@EIJDOAKI@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAP?$AAn?$AAp@NNGAKEGL@ ; "Control\\Pnp"
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_38], 18h
		push	eax
		mov	[ebp+var_2C], 240h
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9819EC
		push	offset ??_C@_1BM@MGIANELL@?$AAR?$AAe?$AAp?$AAl?$AAa?$AAc?$AAe?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@NNGAKEGL@
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		push	esi
		push	2
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_4]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 80000005h
		jz	short loc_98192D
		cmp	edi, 0C0000023h
		jz	short loc_98192D
		test	edi, edi
		js	loc_9819EC
		mov	edi, 0C0000001h
		jmp	loc_9819EC
; 

loc_98192D:				; CODE XREF: PnprGetPluginDriverImagePath(x)+BFj
					; PnprGetPluginDriverImagePath(x)+C7j
		push	51706E50h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_98194C
		mov	edi, 0C000009Ah
		jmp	loc_9819EC
; 

loc_98194C:				; CODE XREF: PnprGetPluginDriverImagePath(x)+EEj
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_8]
		lea	eax, [ebp+var_18]
		push	esi
		push	2
		push	eax
		push	[ebp+var_4]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9819EC
		mov	eax, [esi+4]
		cmp	eax, 1
		jz	short loc_981979
		cmp	eax, 2
		jnz	short loc_981980

loc_981979:				; CODE XREF: PnprGetPluginDriverImagePath(x)+120j
		mov	eax, [esi+8]
		test	al, 1
		jz	short loc_981987

loc_981980:				; CODE XREF: PnprGetPluginDriverImagePath(x)+125j
		mov	edi, 0C000000Dh
		jmp	short loc_9819EC
; 

loc_981987:				; CODE XREF: PnprGetPluginDriverImagePath(x)+12Cj
		add	eax, 1Ah
		shr	eax, 1
		mov	[ebp+var_C], eax
		add	eax, eax
		push	51706E50h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		cmp	[ebp+var_10], 0
		mov	ebx, eax
		jnz	short loc_9819BC
		mov	edi, 0C000009Ah
		test	ebx, ebx
		jz	short loc_9819EC
		push	51706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9819EC
; 

loc_9819BC:				; CODE XREF: PnprGetPluginDriverImagePath(x)+152j
		push	offset ??_C@_1BK@NBLOFKLI@?$AA?2?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAr?$AAo?$AAo?$AAt?$AA?2@NNGAKEGL@ ; "\\systemroot\\"
		push	[ebp+var_C]
		push	ebx
		call	_wcscpy_s
		mov	eax, [esi+8]
		add	esp, 0Ch
		shr	eax, 1
		push	eax
		lea	eax, [esi+0Ch]
		push	eax
		push	[ebp+var_C]
		push	ebx
		call	_wcsncat_s
		add	esp, 10h
		push	ebx
		push	[ebp+var_10]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_9819EC:				; CODE XREF: PnprGetPluginDriverImagePath(x)+45j
					; PnprGetPluginDriverImagePath(x)+8Fj ...
		cmp	[ebp+var_4], 0
		jz	short loc_9819FA
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_9819FA:				; CODE XREF: PnprGetPluginDriverImagePath(x)+19Ej
		test	esi, esi
		jz	short loc_981A09
		push	51706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_981A09:				; CODE XREF: PnprGetPluginDriverImagePath(x)+1AAj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnprGetPluginDriverImagePath@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprIdentifyUnits(x, x, x, x)
_PnprIdentifyUnits@16 proc near		; CODE XREF: PnpReplacePartitionUnit(x)+577p

var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	7
		mov	ebx, ecx
		lea	edi, [esp+4Ch+var_38]
		pop	ecx
		rep stosd
		push	7
		pop	ecx
		lea	edi, [esp+48h+var_1C]
		mov	esi, edx
		rep stosd
		lea	eax, [esp+48h+var_38]
		mov	edi, offset _GUID_PARTITION_UNIT_INTERFACE_STANDARD
		push	eax		; void *
		push	0		; int
		push	1Ch		; __int16
		push	1		; __int16
		mov	edx, edi
		mov	ecx, esi
		call	PnpQueryInterface
		mov	esi, eax
		test	esi, esi
		jns	short loc_981A87
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_981A69
		mov	ecx, 514h

loc_981A69:				; CODE XREF: PnprIdentifyUnits(x,x,x,x)+52j
					; PnprIdentifyUnits(x,x,x,x)+9Ej ...
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_981A7C
		push	3

loc_981A7B:				; CODE XREF: PnprIdentifyUnits(x,x,x,x)+164j
		pop	ecx

loc_981A7C:				; CODE XREF: PnprIdentifyUnits(x,x,x,x)+67j
					; PnprIdentifyUnits(x,x,x,x)+15Cj
		mov	[eax+264h], ecx
		jmp	loc_981B82
; 

loc_981A87:				; CODE XREF: PnprIdentifyUnits(x,x,x,x)+43j
		lea	eax, [esp+48h+var_1C]
		mov	edx, edi
		push	eax		; void *
		push	0		; int
		push	1Ch		; __int16
		push	1		; __int16
		mov	ecx, ebx
		call	PnpQueryInterface
		mov	esi, eax
		test	esi, esi
		jns	short loc_981AB7
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_981A69
		mov	ecx, 520h
		jmp	short loc_981A69
; 

loc_981AB7:				; CODE XREF: PnprIdentifyUnits(x,x,x,x)+8Fj
		mov	eax, [esp+48h+var_C]
		test	eax, eax
		jz	loc_981B7D
		cmp	[esp+48h+var_28], 0
		jz	loc_981B7D
		cmp	[esp+48h+var_20], 0
		jz	loc_981B7D
		mov	edi, [ebp+arg_0]
		push	edi
		push	[esp+4Ch+var_18]
		call	eax
		mov	esi, eax
		test	esi, esi
		jns	short loc_981B06
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	loc_981A69
		mov	ecx, 534h
		jmp	loc_981A69
; 

loc_981B06:				; CODE XREF: PnprIdentifyUnits(x,x,x,x)+D7j
		push	[ebp+arg_4]
		push	[esp+54h+var_3C]
		call	[esp+58h+var_30]
		mov	esi, eax
		test	esi, esi
		jns	short loc_981B34
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	loc_981A69
		mov	ecx, 53Ch
		jmp	loc_981A69
; 

loc_981B34:				; CODE XREF: PnprIdentifyUnits(x,x,x,x)+105j
		push	dword ptr [edi+4]
		push	dword ptr [edi]
		push	[esp+60h+var_44]
		call	[esp+64h+var_30]
		test	al, al
		jnz	short loc_981B79
		mov	eax, _PnprContext
		mov	esi, 0C000000Dh
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_981B5E
		mov	ecx, 549h

loc_981B5E:				; CODE XREF: PnprIdentifyUnits(x,x,x,x)+147j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	loc_981A7C
		push	4
		jmp	loc_981A7B
; 

loc_981B79:				; CODE XREF: PnprIdentifyUnits(x,x,x,x)+133j
		xor	esi, esi
		jmp	short loc_981B82
; 

loc_981B7D:				; CODE XREF: PnprIdentifyUnits(x,x,x,x)+ADj
					; PnprIdentifyUnits(x,x,x,x)+B8j ...
		mov	esi, 0C000000Dh

loc_981B82:				; CODE XREF: PnprIdentifyUnits(x,x,x,x)+72j
					; PnprIdentifyUnits(x,x,x,x)+16Bj
		cmp	[esp+48h+var_34], 0
		jz	short loc_981B91
		push	[esp+48h+var_34]
		call	[esp+4Ch+var_2C]

loc_981B91:				; CODE XREF: PnprIdentifyUnits(x,x,x,x)+177j
		cmp	[esp+4Ch+var_1C], 0
		jz	short loc_981BA0
		push	[esp+4Ch+var_1C]
		call	[esp+50h+var_14]

loc_981BA0:				; CODE XREF: PnprIdentifyUnits(x,x,x,x)+186j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_PnprIdentifyUnits@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprInitializeMappingReserve(x, x)
_PnprInitializeMappingReserve@8	proc near
					; CODE XREF: PnprAllocateMappingReserves(x,x,x)+85p
					; PnprAllocateMappingReserves(x,x,x)+9Ep

var_2		= word ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_2], cx
		push	esi
		push	51706E50h
		push	10000h
		mov	ebx, edx
		call	MmAllocateMappingAddressEx
		mov	edi, eax
		test	edi, edi
		jnz	short loc_981C06
		mov	eax, _PnprContext
		mov	esi, 0C000009Ah
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_981BEB
		mov	ecx, 0F4Bh

loc_981BEB:				; CODE XREF: PnprInitializeMappingReserve(x,x)+39j
					; PnprInitializeMappingReserve(x,x)+8Aj ...
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_981BFE
		push	0Ah
		pop	ecx

loc_981BFE:				; CODE XREF: PnprInitializeMappingReserve(x,x)+4Ej
		mov	[eax+264h], ecx
		jmp	short loc_981C4B
; 

loc_981C06:				; CODE XREF: PnprInitializeMappingReserve(x,x)+25j
		push	esi
		push	esi
		push	esi
		push	10000h
		push	edi
		call	IoAllocateMdl
		test	eax, eax
		jnz	short loc_981C3E
		push	51706E50h
		push	edi
		call	MmFreeMappingAddress
		mov	eax, _PnprContext
		mov	esi, 0C000009Ah
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_981BEB
		mov	ecx, 0F5Ah
		jmp	short loc_981BEB
; 

loc_981C3E:				; CODE XREF: PnprInitializeMappingReserve(x,x)+6Bj
		mov	[ebx], eax
		mov	ax, [ebp+var_2]
		mov	[ebx+4], edi
		mov	[ebx+8], ax

loc_981C4B:				; CODE XREF: PnprInitializeMappingReserve(x,x)+59j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PnprInitializeMappingReserve@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprIsMemoryDevice(x, x)
_PnprIsMemoryDevice@8 proc near		; CODE XREF: PnprAddDeviceResources(x,x)+22p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		mov	esi, eax
		mov	[ebp+var_10], eax
		xor	edi, edi
		mov	byte ptr [ebp+var_1], al
		mov	[ebp+var_C], eax
		mov	bl, al
		mov	[ebp+var_8], esi
		test	dl, dl
		jz	short loc_981C93
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		push	ecx
		push	offset _GUID_DEVICE_MEMORY
		call	IoGetDeviceInterfaces
		mov	esi, [ebp+var_8]
		test	eax, eax
		js	short loc_981CBF
		cmp	[esi], di
		jz	short loc_981CBF
		jmp	short loc_981CBD
; 

loc_981C93:				; CODE XREF: PnprIsMemoryDevice(x,x)+21j
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		push	1
		push	edi
		push	edi
		push	offset _DEVPKEY_Spare_Memory
		push	ecx
		call	IoGetDevicePropertyData
		test	eax, eax
		js	short loc_981CCA
		cmp	[ebp+var_C], 11h
		jnz	short loc_981CCA
		cmp	byte ptr [ebp+var_1], bl
		jz	short loc_981CCA

loc_981CBD:				; CODE XREF: PnprIsMemoryDevice(x,x)+3Fj
		mov	bl, 1

loc_981CBF:				; CODE XREF: PnprIsMemoryDevice(x,x)+38j
					; PnprIsMemoryDevice(x,x)+3Dj
		test	esi, esi
		jz	short loc_981CCA
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_981CCA:				; CODE XREF: PnprIsMemoryDevice(x,x)+5Ej
					; PnprIsMemoryDevice(x,x)+64j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_PnprIsMemoryDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprIsProcessorDevice(x, x,	x, x)
_PnprIsProcessorDevice@16 proc near	; CODE XREF: PnprAddDeviceResources(x,x)+41p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_4], ebx
		push	esi
		mov	esi, ecx
		test	dl, dl
		jz	short loc_981D51
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		push	esi
		push	(offset	loc_A4472E+2)
		call	IoGetDeviceInterfaces
		test	eax, eax
		js	short loc_981D7D
		mov	eax, [ebp+var_C]
		cmp	[eax], bx
		jz	short loc_981D7D
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		push	ebx
		push	ebx
		push	(offset	loc_A4474F+1)
		push	esi
		call	IoGetDevicePropertyData
		test	eax, eax
		js	short loc_981D7D
		cmp	[ebp+var_4], 7
		jnz	short loc_981D7D
		push	[ebp+arg_4]
		push	[ebp+var_8]
		call	ds:__imp__HalGetProcessorIdByNtNumber@8	; HalGetProcessorIdByNtNumber(x,x)
		test	eax, eax
		js	short loc_981D7D
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_8]
		mov	[ecx], eax
		jmp	short loc_981D7B
; 

loc_981D51:				; CODE XREF: PnprIsProcessorDevice(x,x,x,x)+1Cj
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+arg_4]
		push	4
		push	ebx
		push	ebx
		push	offset _DEVPKEY_Spare_Processor_Apic_Id
		push	esi
		call	IoGetDevicePropertyData
		test	eax, eax
		js	short loc_981D7D
		cmp	[ebp+var_4], 7
		jnz	short loc_981D7D
		mov	eax, [ebp+arg_0]
		or	dword ptr [eax], 0FFFFFFFFh

loc_981D7B:				; CODE XREF: PnprIsProcessorDevice(x,x,x,x)+7Ej
		mov	bl, 1

loc_981D7D:				; CODE XREF: PnprIsProcessorDevice(x,x,x,x)+30j
					; PnprIsProcessorDevice(x,x,x,x)+38j ...
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
_PnprIsProcessorDevice@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprLegacyDeviceDriversPresent()
_PnprLegacyDeviceDriversPresent@0 proc near
					; CODE XREF: PnpReplacePartitionUnit(x):loc_980B46p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	edx, [ebp+var_8]
		and	[ebp+var_4], 0
		lea	ecx, [ebp+var_4]
		push	ebx
		xor	bl, bl
		call	IoGetLegacyVetoList
		test	eax, eax
		js	short loc_981DAE
		cmp	[ebp+var_8], 0
		jz	short loc_981DAE
		inc	bl

loc_981DAE:				; CODE XREF: PnprLegacyDeviceDriversPresent()+1Fj
					; PnprLegacyDeviceDriversPresent()+25j
		cmp	[ebp+var_4], 0
		jz	short loc_981DBE
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_981DBE:				; CODE XREF: PnprLegacyDeviceDriversPresent()+2Dj
		mov	al, bl
		pop	ebx
		leave
		retn
_PnprLegacyDeviceDriversPresent@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprLoadPluginDriver(x, x)
_PnprLoadPluginDriver@8	proc near	; CODE XREF: PnpReplacePartitionUnit(x)+604p

var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, edx
		push	edi
		push	eax
		mov	[esp+24h+var_C], eax
		mov	ebx, ecx
		mov	[esp+24h+var_8], eax
		mov	[esp+24h+var_4], eax
		mov	[esp+24h+var_10], eax
		lea	eax, [esp+24h+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	ecx, [esp+20h+var_8]
		call	_PnprGetPluginDriverImagePath@4	; PnprGetPluginDriverImagePath(x)
		mov	edi, eax
		test	edi, edi
		js	loc_981EFC
		lea	eax, [esp+20h+var_C]
		xor	edx, edx
		push	eax
		lea	eax, [esp+24h+var_10]
		push	eax
		push	2
		push	0
		lea	ecx, [esp+30h+var_8]
		call	_MmLoadSystemImageEx@24	; MmLoadSystemImageEx(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_981E54
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_981E38
		mov	ecx, 12F9h

loc_981E38:				; CODE XREF: PnprLoadPluginDriver(x,x)+6Ej
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	loc_981EF2
		push	0Ah

loc_981E4E:				; CODE XREF: PnprLoadPluginDriver(x,x)+E1j
		pop	ecx
		jmp	loc_981EF2
; 

loc_981E54:				; CODE XREF: PnprLoadPluginDriver(x,x)+5Fj
		push	34h
		pop	edi
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [esp+2Ch+var_10]
		add	esp, 0Ch
		mov	dword ptr [esi+4], 1
		mov	[esi], edi
		mov	eax, [eax+1Ch]
		push	0
		push	esi
		call	eax
		mov	edi, eax
		test	edi, edi
		jns	short loc_981EA6
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_981E92
		mov	ecx, 1307h

loc_981E92:				; CODE XREF: PnprLoadPluginDriver(x,x)+C8j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_981EF2
		push	8
		jmp	short loc_981E4E
; 

loc_981EA6:				; CODE XREF: PnprLoadPluginDriver(x,x)+B9j
		cmp	dword ptr [esi], 24h
		jb	short loc_981EC6
		xor	ecx, ecx
		cmp	[esi+20h], ecx
		jz	short loc_981EC6
		cmp	[esi+10h], ecx
		jz	short loc_981EC6
		cmp	[esi+14h], ecx
		jz	short loc_981EC6
		mov	eax, [esp+28h+var_18]
		mov	edi, ecx
		mov	[ebx], eax
		jmp	short loc_981F0C
; 

loc_981EC6:				; CODE XREF: PnprLoadPluginDriver(x,x)+E6j
					; PnprLoadPluginDriver(x,x)+EDj ...
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_981EDA
		mov	ecx, 1317h

loc_981EDA:				; CODE XREF: PnprLoadPluginDriver(x,x)+110j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_981EED
		push	9
		pop	ecx

loc_981EED:				; CODE XREF: PnprLoadPluginDriver(x,x)+125j
		mov	edi, 0C00000BBh

loc_981EF2:				; CODE XREF: PnprLoadPluginDriver(x,x)+83j
					; PnprLoadPluginDriver(x,x)+8Cj ...
		mov	[eax+264h], ecx
		test	edi, edi
		jns	short loc_981F0C

loc_981EFC:				; CODE XREF: PnprLoadPluginDriver(x,x)+3Cj
		cmp	[esp+28h+var_18], 0
		jz	short loc_981F0C
		push	[esp+28h+var_18]
		call	MmUnloadSystemImage

loc_981F0C:				; CODE XREF: PnprLoadPluginDriver(x,x)+101j
					; PnprLoadPluginDriver(x,x)+137j ...
		cmp	[esp+28h+var_C], 0
		jz	short loc_981F21
		push	51706E50h
		push	[esp+2Ch+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_981F21:				; CODE XREF: PnprLoadPluginDriver(x,x)+14Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PnprLoadPluginDriver@8	endp


;  S U B	R O U T	I N E 


; __stdcall PnprLockPagesForReplace()
_PnprLockPagesForReplace@0 proc	near	; CODE XREF: PnprQuiesce():loc_615D39p
					; PnprQuiesceWorker(x)+58p
		mov	edi, edi
		push	ecx
		mov	ecx, ds:_ExPageLockHandle
		xor	edx, edx
		inc	edx
		call	MiLockPagableImageSection
		push	0
		push	3
		push	_ExCbPowerState
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)
		pop	ecx
		retn
_PnprLockPagesForReplace@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprLogFailureEvent(x, x, x)
_PnprLogFailureEvent@12	proc near	; CODE XREF: PnpReplacePartitionUnit(x)+8A2p

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_78], esi
		test	ecx, ecx
		jz	short loc_981F76
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_981F78
; 

loc_981F76:				; CODE XREF: PnprLogFailureEvent(x,x,x)+1Dj
		mov	eax, esi

loc_981F78:				; CODE XREF: PnprLogFailureEvent(x,x,x)+28j
		movzx	ecx, word ptr [eax+14h]
		mov	eax, [eax+18h]
		mov	[ebp+var_74], eax
		mov	eax, ecx
		mov	[ebp+var_70], esi
		mov	[ebp+var_6C], eax
		mov	[ebp+var_68], esi
		mov	[ebp+var_60], esi
		mov	[ebp+var_58], esi
		push	ebx
		lea	ebx, [ebp+var_78]
		mov	[ebp+var_64], ebx
		push	edi
		push	2
		pop	edi
		mov	[ebp+var_5C], edi
		test	edx, edx
		jz	short loc_981FB0
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_981FB2
; 

loc_981FB0:				; CODE XREF: PnprLogFailureEvent(x,x,x)+57j
		mov	eax, esi

loc_981FB2:				; CODE XREF: PnprLogFailureEvent(x,x,x)+62j
		movzx	ecx, word ptr [eax+14h]
		mov	eax, [eax+18h]
		mov	[ebp+var_54], eax
		mov	eax, ecx
		mov	ecx, _PnprContext
		mov	[ebp+var_3C], edi
		mov	[ebp+var_44], ebx
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_38], esi
		pop	edi
		pop	ebx
		test	ecx, ecx
		jnz	short loc_981FE6
		xor	eax, eax
		mov	ecx, esi
		inc	eax
		jmp	short loc_981FF2
; 

loc_981FE6:				; CODE XREF: PnprLogFailureEvent(x,x,x)+91j
		mov	eax, [ecx+264h]
		mov	ecx, [ecx+260h]

loc_981FF2:				; CODE XREF: PnprLogFailureEvent(x,x,x)+98j
		mov	[ebp+var_80], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_7C]
		push	4
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_7C], ecx
		pop	ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	esi
		push	offset _PNP_EVT_DP_REPLACE_FAILURE
		push	dword_6D4DF4
		mov	[ebp+var_30], esi
		push	_PnpEtwHandle
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PnprLogFailureEvent@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprLogStartEvent(x, x)
_PnprLogStartEvent@8 proc near		; CODE XREF: PnpReplacePartitionUnit(x)+A3p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_48], esi
		push	edi
		test	ecx, ecx
		jz	short loc_98207D
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_98207F
; 

loc_98207D:				; CODE XREF: PnprLogStartEvent(x,x)+1Cj
		mov	eax, esi

loc_98207F:				; CODE XREF: PnprLogStartEvent(x,x)+27j
		movzx	ecx, word ptr [eax+14h]
		lea	ebx, [ebp+var_48]
		mov	eax, [eax+18h]
		mov	[ebp+var_44], eax
		mov	eax, ecx
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], esi
		push	2
		pop	edi
		mov	[ebp+var_2C], edi
		test	edx, edx
		jz	short loc_9820B5
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_9820B7
; 

loc_9820B5:				; CODE XREF: PnprLogStartEvent(x,x)+54j
		mov	eax, esi

loc_9820B7:				; CODE XREF: PnprLogStartEvent(x,x)+5Fj
		movzx	ecx, word ptr [eax+14h]
		mov	eax, [eax+18h]
		mov	[ebp+var_24], eax
		mov	eax, ecx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	4
		push	esi
		push	(offset	loc_4275DF+1)
		push	dword_6D4DF4
		mov	[ebp+var_20], esi
		push	_PnpEtwHandle
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PnprLogStartEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprLogSuccessEvent()
_PnprLogSuccessEvent@0 proc near	; CODE XREF: PnpReplacePartitionUnit(x)+895p

var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 15Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, _PnprContext
		push	edi
		xor	edi, edi
		mov	[ebp+var_138], edi
		mov	eax, [esi+298h]
		mov	edx, [esi+28Ch]
		mov	ecx, [esi+290h]
		mov	edi, [esi+10h]
		mov	[ebp+var_13C], eax
		mov	eax, edx
		sub	eax, [esi+288h]
		mov	[ebp+var_140], eax
		mov	eax, ecx
		sub	eax, edx
		xor	edx, edx
		mov	[ebp+var_144], eax
		mov	eax, [esi+294h]
		sub	eax, ecx
		mov	[ebp+var_148], eax
		mov	eax, [edi]
		mov	eax, [eax]
		mov	[ebp+var_15C], eax
		mov	eax, [esi]
		mov	[ebp+var_158], edx
		test	eax, eax
		jz	short loc_98218D
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_98218F
; 

loc_98218D:				; CODE XREF: PnprLogSuccessEvent()+7Cj
		mov	eax, edx

loc_98218F:				; CODE XREF: PnprLogSuccessEvent()+87j
		movzx	ecx, word ptr [eax+14h]
		mov	eax, [eax+18h]
		mov	[ebp+var_134], eax
		mov	eax, ecx
		mov	[ebp+var_12C], eax
		lea	eax, [ebp+var_138]
		mov	[ebp+var_124], eax
		lea	eax, [ebp+var_15C]
		push	ebx
		mov	ebx, [esi+14h]
		mov	[ebp+var_114], eax
		lea	eax, [edi+0Ch]
		mov	[ebp+var_104], eax
		push	4
		lea	eax, [ebx+4]
		mov	[ebp+var_130], edx
		mov	[ebp+var_F4], eax
		lea	eax, [ebx+8]
		pop	ecx
		mov	[ebp+var_E4], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_128], edx
		mov	[ebp+var_120], edx
		mov	[ebp+var_11C], 2
		mov	[ebp+var_118], edx
		mov	[ebp+var_110], edx
		mov	[ebp+var_10C], 8
		mov	[ebp+var_108], edx
		mov	[ebp+var_100], edx
		mov	[ebp+var_FC], ecx
		mov	[ebp+var_F8], edx
		mov	[ebp+var_F0], edx
		mov	[ebp+var_EC], ecx
		mov	[ebp+var_E8], edx
		mov	[ebp+var_E0], edx
		mov	[ebp+var_DC], 8
		mov	[ebp+var_D8], edx
		test	eax, eax
		jz	short loc_982262
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_982264
; 

loc_982262:				; CODE XREF: PnprLogSuccessEvent()+151j
		mov	eax, edx

loc_982264:				; CODE XREF: PnprLogSuccessEvent()+15Cj
		movzx	ecx, word ptr [eax+14h]
		mov	eax, [eax+18h]
		mov	[ebp+var_D4], eax
		mov	eax, ecx
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_138]
		mov	[ebp+var_C4], eax
		mov	eax, [esi+28h]
		mov	[ebp+var_14C], eax
		add	eax, 0Ch
		mov	[ebp+var_B4], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_154], eax
		push	4
		mov	[ebp+var_D0], edx
		lea	ecx, [eax+4]
		mov	[ebp+var_C8], edx
		add	eax, 8
		mov	[ebp+var_150], ecx
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_13C]
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_140]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_144]
		mov	[ebp+var_A4], ecx
		pop	ecx
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_148]
		mov	[ebp+var_C0], edx
		mov	[ebp+var_B8], edx
		mov	[ebp+var_B0], edx
		mov	[ebp+var_A8], edx
		mov	[ebp+var_A0], edx
		mov	[ebp+var_98], edx
		mov	[ebp+var_90], edx
		mov	[ebp+var_88], edx
		mov	[ebp+var_80], edx
		mov	[ebp+var_78], edx
		mov	[ebp+var_70], edx
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_BC], 2
		mov	[ebp+var_AC], 4
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_8C], 8
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_54], eax
		mov	[ebp+var_4C], ecx
		mov	ecx, [edi+0Ch]
		push	0Fh
		pop	edx
		test	ecx, ecx
		jz	short loc_98238B
		lea	eax, [edi+10h]
		xor	edi, edi
		mov	[ebp+var_44], eax
		mov	eax, ecx
		shl	eax, 2
		push	10h
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], edi
		pop	edx
		jmp	short loc_98238D
; 

loc_98238B:				; CODE XREF: PnprLogSuccessEvent()+26Aj
		xor	edi, edi

loc_98238D:				; CODE XREF: PnprLogSuccessEvent()+285j
		mov	esi, [ebx+4]
		test	esi, esi
		jz	short loc_9823BB
		mov	ecx, edx
		shl	esi, 4
		add	ecx, ecx
		lea	eax, [ebx+10h]
		inc	edx
		mov	[ebp+ecx*8+var_134], eax
		mov	[ebp+ecx*8+var_130], edi
		mov	[ebp+ecx*8+var_12C], esi
		mov	[ebp+ecx*8+var_128], edi

loc_9823BB:				; CODE XREF: PnprLogSuccessEvent()+28Ej
		mov	eax, [ebp+var_14C]
		pop	ebx
		mov	esi, [eax+0Ch]
		test	esi, esi
		jz	short loc_9823F2
		mov	ecx, edx
		add	eax, 10h
		add	ecx, ecx
		mov	[ebp+ecx*8+var_134], eax
		mov	eax, esi
		shl	eax, 2
		inc	edx
		mov	[ebp+ecx*8+var_130], edi
		mov	[ebp+ecx*8+var_12C], eax
		mov	[ebp+ecx*8+var_128], edi

loc_9823F2:				; CODE XREF: PnprLogSuccessEvent()+2C3j
		mov	esi, [ebp+var_150]
		mov	esi, [esi]
		test	esi, esi
		jz	short loc_98242B
		mov	eax, [ebp+var_154]
		mov	ecx, edx
		add	ecx, ecx
		shl	esi, 4
		add	eax, 10h
		inc	edx
		mov	[ebp+ecx*8+var_134], eax
		mov	[ebp+ecx*8+var_130], edi
		mov	[ebp+ecx*8+var_12C], esi
		mov	[ebp+ecx*8+var_128], edi

loc_98242B:				; CODE XREF: PnprLogSuccessEvent()+2F8j
		lea	eax, [ebp+var_134]
		push	eax
		push	edx
		push	edi
		push	offset _PNP_EVT_DP_REPLACE_SUCCESS
		push	dword_6D4DF4
		push	_PnpEtwHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PnprLogSuccessEvent@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprMmAddRange(x, x, x, x, x)
_PnprMmAddRange@20 proc	near		; CODE XREF: PnprMmConstruct(x,x)+35p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		shr	[ebp+arg_0], 0Ch
		push	esi
		mov	esi, [ebp+arg_8]
		shr	esi, 0Ch
		mov	[ebp+var_8], ecx
		test	esi, esi
		jz	loc_98253E
		push	ebx
		push	edi

loc_98247B:				; CODE XREF: PnprMmAddRange(x,x,x,x,x)+A3j
		mov	ebx, 80000000h
		cmp	esi, 80000000h
		ja	short loc_98248A
		mov	ebx, esi

loc_98248A:				; CODE XREF: PnprMmAddRange(x,x,x,x,x)+2Ej
		lea	eax, [ebx+20h]
		and	eax, 0FFFFFFE0h
		mov	[ebp+arg_C], eax
		shr	eax, 3
		push	52706E50h
		add	eax, 18h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_982508
		mov	eax, [ebp+arg_0]
		lea	ecx, [edi+10h]
		mov	[edi+8], eax
		mov	eax, [ebp+arg_C]
		mov	[edi+0Ch], ebx
		mov	[ecx], eax
		lea	eax, [edi+18h]
		push	ecx
		mov	[ecx+4], eax
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		mov	edx, [ebp+var_8]
		mov	eax, [edx+4]
		cmp	eax, edx
		jz	short loc_9824E5
		mov	ecx, [edi+8]

loc_9824D9:				; CODE XREF: PnprMmAddRange(x,x,x,x,x)+8Bj
		cmp	[eax+8], ecx
		jb	short loc_9824E5
		mov	eax, [eax+4]
		cmp	eax, edx
		jnz	short loc_9824D9

loc_9824E5:				; CODE XREF: PnprMmAddRange(x,x,x,x,x)+7Cj
					; PnprMmAddRange(x,x,x,x,x)+84j
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_982503
		add	[ebp+arg_0], ebx
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[ecx+4], edi
		mov	[eax], edi
		sub	esi, ebx
		jnz	loc_98247B
		jmp	short loc_98253C
; 

loc_982503:				; CODE XREF: PnprMmAddRange(x,x,x,x,x)+92j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_982508:				; CODE XREF: PnprMmAddRange(x,x,x,x,x)+55j
		mov	eax, _PnprContext
		mov	[ebp+var_4], 0C000009Ah
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_982523
		mov	ecx, 110Eh

loc_982523:				; CODE XREF: PnprMmAddRange(x,x,x,x,x)+C4j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_982536
		push	0Ah
		pop	ecx

loc_982536:				; CODE XREF: PnprMmAddRange(x,x,x,x,x)+D9j
		mov	[eax+264h], ecx

loc_98253C:				; CODE XREF: PnprMmAddRange(x,x,x,x,x)+A9j
		pop	edi
		pop	ebx

loc_98253E:				; CODE XREF: PnprMmAddRange(x,x,x,x,x)+1Bj
		mov	eax, [ebp+var_4]
		pop	esi
		leave
		retn	10h
_PnprMmAddRange@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprMmConstruct(x, x)
_PnprMmConstruct@8 proc	near		; CODE XREF: PnpReplacePartitionUnit(x)+6ADp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	eax, ecx
		mov	ebx, edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], eax
		mov	esi, edi
		mov	[ebp+var_4], edi
		cmp	[eax+4], edi
		jbe	short loc_98259E
		add	eax, 18h
		mov	[ebp+var_8], eax

loc_98256A:				; CODE XREF: PnprMmConstruct(x,x)+56j
		mov	ecx, [eax]
		mov	esi, [eax-8]
		mov	edx, [eax-4]
		mov	eax, [eax+4]
		push	eax
		push	ecx
		push	edx
		push	esi
		mov	ecx, ebx
		call	_PnprMmAddRange@20 ; PnprMmAddRange(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9825A2
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_C]
		inc	ecx
		mov	eax, [ebp+var_8]
		add	eax, 10h
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], eax
		cmp	ecx, [edx+4]
		jb	short loc_98256A

loc_98259E:				; CODE XREF: PnprMmConstruct(x,x)+1Cj
		mov	eax, [ebx]
		jmp	short loc_9825DC
; 

loc_9825A2:				; CODE XREF: PnprMmConstruct(x,x)+3Ej
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_9825B6
		mov	ecx, 1190h

loc_9825B6:				; CODE XREF: PnprMmConstruct(x,x)+69j
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_98260E
		inc	ecx
		jmp	short loc_98260E
; 

loc_9825C9:				; CODE XREF: PnprMmConstruct(x,x)+98j
		mov	ecx, [eax+0Ch]
		test	ecx, ecx
		jz	short loc_9825E2
		mov	edx, [eax+8]
		cmp	edx, edi
		jb	short loc_9825E2
		mov	eax, [eax]
		lea	edi, [edx+ecx]

loc_9825DC:				; CODE XREF: PnprMmConstruct(x,x)+5Aj
		cmp	eax, ebx
		jnz	short loc_9825C9
		jmp	short loc_982614
; 

loc_9825E2:				; CODE XREF: PnprMmConstruct(x,x)+88j
					; PnprMmConstruct(x,x)+8Fj
		mov	eax, _PnprContext
		mov	esi, 0C000000Dh
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_9825FB
		mov	ecx, 11A5h

loc_9825FB:				; CODE XREF: PnprMmConstruct(x,x)+AEj
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_98260E
		push	6
		pop	ecx

loc_98260E:				; CODE XREF: PnprMmConstruct(x,x)+7Ej
					; PnprMmConstruct(x,x)+81j ...
		mov	[eax+264h], ecx

loc_982614:				; CODE XREF: PnprMmConstruct(x,x)+9Aj
		test	esi, esi
		jns	short loc_98261F
		mov	ecx, ebx
		call	_PnprMmFree@4	; PnprMmFree(x)

loc_98261F:				; CODE XREF: PnprMmConstruct(x,x)+D0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PnprMmConstruct@8 endp


;  S U B	R O U T	I N E 


; __stdcall PnprMmFree(x)
_PnprMmFree@4	proc near		; CODE XREF: PnpReplacePartitionUnit(x)+929p
					; PnprMmConstruct(x,x)+D4p
		mov	edi, edi
		push	esi
		mov	esi, ecx

loc_98262B:				; CODE XREF: PnprMmFree(x)+27j
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_982654
		cmp	[eax+4], esi
		jnz	short loc_98264F
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_98264F
		push	52706E50h
		mov	[esi], ecx
		push	eax
		mov	[ecx+4], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_98262B
; 

loc_98264F:				; CODE XREF: PnprMmFree(x)+Ej
					; PnprMmFree(x)+15j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_982654:				; CODE XREF: PnprMmFree(x)+9j
		pop	esi
		retn
_PnprMmFree@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnprReplaceStart()
_PnprReplaceStart@0 proc near		; CODE XREF: PnprInitiateReplaceOperation():loc_72D61Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	edx, _PnprContext
		xor	ecx, ecx
		push	ebx
		push	edi
		mov	[ebp+var_C], ecx
		test	byte ptr [edx+234h], 2
		lea	edi, [edx+38h]
		mov	eax, [edx+10h]
		mov	[ebp+var_8], eax
		mov	eax, [edx+28h]
		mov	[ebp+var_4], eax
		jz	short loc_982689
		or	ecx, 1
		mov	[ebp+var_C], ecx

loc_982689:				; CODE XREF: PnprReplaceStart()+2Bj
		test	byte ptr [edx+30h], 20h
		jz	short loc_982695
		or	ecx, 2
		mov	[ebp+var_C], ecx

loc_982695:				; CODE XREF: PnprReplaceStart()+37j
		lea	eax, [edx+224h]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	off_6B1284	; MmConfigureGraphicsPtes(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_9826DF
		mov	ecx, _PnprContext
		mov	edx, [ecx+260h]
		test	edx, edx
		jnz	short loc_9826C1
		mov	edx, 0AA8h

loc_9826C1:				; CODE XREF: PnprReplaceStart()+64j
		mov	eax, [ecx+264h]
		mov	[ecx+260h], edx
		test	eax, eax
		jnz	short loc_9826D4
		push	6
		pop	eax

loc_9826D4:				; CODE XREF: PnprReplaceStart()+79j
		mov	[ecx+264h], eax
		jmp	loc_982784
; 

loc_9826DF:				; CODE XREF: PnprReplaceStart()+54j
		push	esi
		mov	esi, _PnprContext
		mov	eax, [esi+14h]
		cmp	dword ptr [eax+4], 0
		jz	loc_982783
		push	30h
		pop	ebx
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	[edi], ebx
		add	esp, 0Ch
		mov	dword ptr [edi+4], 2
		mov	eax, [esi+8]
		mov	[edi+8], eax
		mov	eax, [esi+0Ch]
		mov	[edi+0Ch], eax
		mov	eax, [esi+20h]
		mov	[edi+10h], eax
		mov	eax, [esi+24h]
		mov	[edi+14h], eax
		mov	eax, [esi+10h]
		mov	[edi+18h], eax
		mov	eax, [esi+28h]
		mov	[edi+1Ch], eax
		mov	eax, [esi+14h]
		mov	[edi+20h], eax
		mov	eax, [esi+2Ch]
		mov	[edi+24h], eax
		lea	eax, [esi+228h]
		push	eax
		push	edi
		mov	dword ptr [edi+28h], offset _PnprMapTargetSparePhysicalPages@28	; PnprMapTargetSparePhysicalPages(x,x,x,x,x,x,x)
		call	dword ptr [esi+23Ch]
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_982783
		mov	eax, _PnprContext
		mov	ecx, [eax+260h]
		test	ecx, ecx
		jnz	short loc_98276A
		mov	ecx, 0AC2h

loc_98276A:				; CODE XREF: PnprReplaceStart()+10Dj
		mov	[eax+260h], ecx
		mov	ecx, [eax+264h]
		test	ecx, ecx
		jnz	short loc_98277D
		push	8
		pop	ecx

loc_98277D:				; CODE XREF: PnprReplaceStart()+122j
		mov	[eax+264h], ecx

loc_982783:				; CODE XREF: PnprReplaceStart()+97j
					; PnprReplaceStart()+FEj
		pop	esi

loc_982784:				; CODE XREF: PnprReplaceStart()+84j
		pop	edi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_PnprReplaceStart@0 endp


;  S U B	R O U T	I N E 


; __stdcall PnprUnlockPagesForReplace()
_PnprUnlockPagesForReplace@0 proc near	; CODE XREF: PnprCompleteWake()+3p
		mov	edi, edi
		push	ecx
		push	ds:_ExPageLockHandle
		call	_MmUnlockPagableImageSection@4 ; MmUnlockPagableImageSection(x)
		push	1
		push	3
		push	_ExCbPowerState
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)
		pop	ecx
		retn
_PnprUnlockPagesForReplace@0 endp


;  S U B	R O U T	I N E 


; __stdcall PiSwAllocMem(x)
_PiSwAllocMem@4	proc near		; CODE XREF: PiSwIrpStartCreateWorker+F3p
					; PiSwIrpStartCreateWorker+99A79p
		push	57706E50h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
_PiSwAllocMem@4	endp


;  S U B	R O U T	I N E 


; __stdcall PiSwBusRelationRemove(x)
_PiSwBusRelationRemove@4 proc near	; CODE XREF: PiSwIrpStartCreateWorker+99899p
					; PiSwIrpStartCreateWorker+999E6p ...
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		lea	eax, [esi+34h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_98280A
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_98280A
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, [esi+3Ch]
		lea	eax, [ecx+8]
		cmp	[eax], eax
		jnz	short loc_9827FB
		mov	edi, [ecx+4]
		push	ecx
		push	offset _PiSwBusRelationsTable
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		test	edi, edi
		jz	short loc_9827FB
		push	57706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9827FB:				; CODE XREF: PiSwBusRelationRemove(x)+25j
					; PiSwBusRelationRemove(x)+37j
		and	dword ptr [esi+3Ch], 0
		mov	ecx, esi
		call	PiSwDeviceDereference
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_98280A:				; CODE XREF: PiSwBusRelationRemove(x)+Fj
					; PiSwBusRelationRemove(x)+16j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PiSwBusRelationRemove@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwCloseDevice(x)
_PiSwCloseDevice@4 proc	near		; CODE XREF: PiSwCloseDescendants(x,x)+44p
					; PiSwStopDestroy(x,x,x,x)+ADp	...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	[ebp+var_4], ecx
		xor	esi, esi
		mov	eax, [ecx+30h]
		test	eax, eax
		jz	short loc_982832
		mov	ecx, eax
		call	_PiSwQueuedCreateInfoFree@4 ; PiSwQueuedCreateInfoFree(x)
		mov	eax, [ebp+var_4]
		mov	[eax+30h], esi
		mov	ecx, [ebp+var_4]

loc_982832:				; CODE XREF: PiSwCloseDevice(x)+11j
		cmp	[ecx+40h], esi
		jz	short loc_982862
		or	dword ptr [ecx+4], 2
		mov	edx, 746C6644h
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx+3Ch]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_982882
		push	5
		push	esi
		call	IoInvalidateDeviceRelations
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_982882
; 

loc_982862:				; CODE XREF: PiSwCloseDevice(x)+26j
		cmp	[ecx+3Ch], esi
		jz	short loc_98286C
		call	_PiSwBusRelationRemove@4 ; PiSwBusRelationRemove(x)

loc_98286C:				; CODE XREF: PiSwCloseDevice(x)+56j
		lea	eax, [ebp+var_4]
		push	eax
		push	offset _PiSwDeviceInstanceTable
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		mov	ecx, [ebp+var_4]
		call	PiSwDeviceDereference

loc_982882:				; CODE XREF: PiSwCloseDevice(x)+40j
					; PiSwCloseDevice(x)+51j
		pop	esi
		leave
		retn
_PiSwCloseDevice@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiSwDeviceFree(x)
_PiSwDeviceFree@4 proc near		; CODE XREF: PiSwDeviceDereference:loc_93928Ep
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	ecx, [esi+8]
		call	_PiSwInstanceInfoFree@4	; PiSwInstanceInfoFree(x)
		lea	ecx, [esi+10h]
		call	_PiSwPnPInfoFree@4 ; PiSwPnPInfoFree(x)
		mov	eax, [esi+2Ch]
		xor	edi, edi
		mov	ebx, 57706E50h
		test	eax, eax
		jz	short loc_9828B7
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+28h], edi
		mov	[esi+2Ch], edi

loc_9828B7:				; CODE XREF: PiSwDeviceFree(x)+23j
		mov	ecx, [esi+30h]
		test	ecx, ecx
		jz	short loc_9828C6
		call	_PiSwQueuedCreateInfoFree@4 ; PiSwQueuedCreateInfoFree(x)
		mov	[esi+30h], edi

loc_9828C6:				; CODE XREF: PiSwDeviceFree(x)+37j
		mov	eax, [esi+50h]
		test	eax, eax
		jz	short loc_9828D7
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+50h], edi

loc_9828D7:				; CODE XREF: PiSwDeviceFree(x)+46j
		mov	edx, [esi+58h]
		test	edx, edx
		jz	short loc_9828ED
		mov	ecx, [esi+5Ch]
		push	ebx
		call	_PnpFreeDevPropertyArray@12 ; PnpFreeDevPropertyArray(x,x,x)
		mov	[esi+58h], edi
		mov	[esi+5Ch], edi

loc_9828ED:				; CODE XREF: PiSwDeviceFree(x)+57j
		lea	ecx, [esi+64h]
		call	PiSwFreeInterfaceList
		lea	ecx, [esi+44h]
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PiSwFreePdoAssociationsList@4 ; PiSwFreePdoAssociationsList(x)
; 

; __stdcall PiSwDoesCreateChangesRequireReEnum(x, x)
_PiSwDoesCreateChangesRequireReEnum@8:	; CODE XREF: PiSwIrpStartCreateWorker+998D9p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		xor	ebx, ebx
		inc	ebx
		mov	eax, [edi+24h]
		cmp	eax, [esi+20h]
		jnz	loc_9829FD
		mov	eax, [edi+18h]
		mov	ecx, [esi+1Ch]
		cmp	eax, ecx
		jz	short loc_982946
		test	eax, eax
		jz	loc_9829FD
		test	ecx, ecx
		jz	loc_9829FD
		push	10h		; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9829FD

loc_982946:				; CODE XREF: PiSwDeviceFree(x)+9Bj
		mov	eax, [edi+3Ch]
		push	dword ptr [esi+4] ; wchar_t *
		push	dword ptr [eax+4] ; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_9829FD
		mov	eax, [edi+1Ch]
		mov	ecx, [esi+24h]
		cmp	eax, ecx
		jz	short loc_982985
		test	eax, eax
		jz	loc_9829FD
		test	ecx, ecx
		jz	loc_9829FD
		push	ecx		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_9829FD

loc_982985:				; CODE XREF: PiSwDeviceFree(x)+E1j
		mov	eax, [edi+20h]
		mov	ecx, [esi+28h]
		cmp	eax, ecx
		jz	short loc_9829A4
		test	eax, eax
		jz	short loc_9829FD
		test	ecx, ecx
		jz	short loc_9829FD
		push	ecx		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_9829FD

loc_9829A4:				; CODE XREF: PiSwDeviceFree(x)+108j
		mov	eax, [edi+54h]
		cmp	eax, [esi+2Ch]
		jnz	short loc_9829FD
		test	eax, eax
		jz	short loc_9829C3
		push	eax		; size_t
		push	dword ptr [esi+30h] ; void *
		push	dword ptr [edi+50h] ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9829FD

loc_9829C3:				; CODE XREF: PiSwDeviceFree(x)+129j
		mov	ecx, [edi+10h]
		mov	edx, [esi+10h]
		cmp	ecx, edx
		jz	short loc_9829DF
		test	ecx, ecx
		jz	short loc_9829FD
		test	edx, edx
		jz	short loc_9829FD
		push	ebx
		call	_PnpCompareMultiSz@12 ;	PnpCompareMultiSz(x,x,x)
		test	al, al
		jz	short loc_9829FD

loc_9829DF:				; CODE XREF: PiSwDeviceFree(x)+146j
		mov	ecx, [edi+14h]
		mov	edx, [esi+18h]
		cmp	ecx, edx
		jz	short loc_9829FB
		test	ecx, ecx
		jz	short loc_9829FD
		test	edx, edx
		jz	short loc_9829FD
		push	ebx
		call	_PnpCompareMultiSz@12 ;	PnpCompareMultiSz(x,x,x)
		test	al, al
		jz	short loc_9829FD

loc_9829FB:				; CODE XREF: PiSwDeviceFree(x)+162j
		xor	bl, bl

loc_9829FD:				; CODE XREF: PiSwDeviceFree(x)+8Dj
					; PiSwDeviceFree(x)+9Fj ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

; __stdcall PiSwFindSwDevice(x)
_PiSwFindSwDevice@4:			; CODE XREF: PiSwIrpCleanup+99CDDp
					; PiSwProcessParentRemoveIrp(x)+A8p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 210h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		push	esi
		push	edi
		push	70h		; size_t
		xor	esi, esi
		lea	eax, [ebp-210h]
		push	esi		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		push	4		; size_t
		lea	eax, [ebp-210h]
		push	offset _PiSwBusName ; wchar_t *
		push	edi		; wchar_t *
		mov	[ebp-19Ch], eax
		call	__wcsnicmp
		add	esp, 18h
		test	eax, eax
		jnz	short loc_982AA7
		push	edi
		mov	edx, 190h
		lea	ecx, [ebp-198h]
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		test	eax, eax
		js	short loc_982AA7
		lea	eax, [ebp-198h]
		mov	[ebp-208h], eax
		lea	eax, [ebp-18Eh]
		push	5Ch		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_982AA7
		xor	ecx, ecx
		mov	[eax], cx
		add	eax, 2
		mov	[ebp-204h], eax
		lea	eax, [ebp-19Ch]
		push	eax
		push	offset _PiSwDeviceInstanceTable
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		test	eax, eax
		jz	short loc_982AA7
		mov	esi, [eax]

loc_982AA7:				; CODE XREF: PiSwDeviceFree(x)+1C6j
					; PiSwDeviceFree(x)+1DBj ...
		mov	ecx, [ebp-4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

; __stdcall PiSwFreeGenericTableEntry(x, x)
_PiSwFreeGenericTableEntry@8:		; DATA XREF: PiSwInit()+Bo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	57706E50h
		push	dword ptr [ebp+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
; 

; __stdcall PiSwFreePdoAssociationsList(x)
_PiSwFreePdoAssociationsList@4:		; CODE XREF: PiSwDeviceFree(x)+76j
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, offset _PiSwLockObj

loc_982AD9:				; CODE XREF: PiSwDeviceFree(x)+2B1j
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_982B3D
		cmp	[esi+4], edi
		jnz	short loc_982B38
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_982B38
		mov	[edi], eax
		mov	[eax+4], edi
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	ebx
		call	ExAcquireResourceExclusiveLite
		lea	ecx, [esi+8]
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_982B38
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_982B38
		mov	[eax], edx
		mov	ecx, ebx
		mov	[edx+4], eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, esi
		call	_PiSwPdoAssociationFree@4 ; PiSwPdoAssociationFree(x)
		jmp	short loc_982AD9
; 

loc_982B38:				; CODE XREF: PiSwDeviceFree(x)+25Dj
					; PiSwDeviceFree(x)+264j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_982B3D:				; CODE XREF: PiSwDeviceFree(x)+258j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PiSwDeviceFree@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiSwInstanceInfoFree(x)
_PiSwInstanceInfoFree@4	proc near	; CODE XREF: PiSwInstanceInfoInit(x,x)+4Fp
					; PiSwDeviceFree(x)+Ap
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 57706E50h
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_982B5C
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0

loc_982B5C:				; CODE XREF: PiSwInstanceInfoFree(x)+Fj
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_982B6E
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+4], 0

loc_982B6E:				; CODE XREF: PiSwInstanceInfoFree(x)+20j
		pop	edi
		pop	esi
		retn
_PiSwInstanceInfoFree@4	endp


;  S U B	R O U T	I N E 


; __stdcall PiSwInterfaceFree(x)
_PiSwInterfaceFree@4 proc near		; CODE XREF: PiSwIrpInterfaceRegister+99D17p
					; PiSwInterfaceCreate+99A4Fp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 57706E50h
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_982B8A
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_982B8A:				; CODE XREF: PiSwInterfaceFree(x)+10j
		mov	edx, [esi+0Ch]
		test	edx, edx
		jz	short loc_982B9A
		mov	ecx, [esi+10h]
		push	edi
		call	_PnpFreeDevPropertyArray@12 ; PnpFreeDevPropertyArray(x,x,x)

loc_982B9A:				; CODE XREF: PiSwInterfaceFree(x)+1Ej
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_PiSwInterfaceFree@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwIrpGetLifetime(x)
_PiSwIrpGetLifetime@4 proc near		; CODE XREF: PiSwDispatch:loc_905F62p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	edx, [edi+60h]
		cmp	dword ptr [edx+4], 4
		mov	eax, [edx+18h]
		mov	ebx, [eax+10h]
		mov	eax, [edi+0Ch]
		mov	[ebp+var_4], eax
		jnb	short loc_982BCD
		mov	esi, 0C000000Dh
		jmp	short loc_982C1E
; 

loc_982BCD:				; CODE XREF: PiSwIrpGetLifetime(x)+20j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiSwLockObj
		call	ExAcquireResourceExclusiveLite
		mov	ecx, ebx
		call	_PiSwDeviceOperationsAllowed@4 ; PiSwDeviceOperationsAllowed(x)
		test	al, al
		jnz	short loc_982BF9
		mov	esi, 0C00000BBh
		jmp	short loc_982C08
; 

loc_982BF9:				; CODE XREF: PiSwIrpGetLifetime(x)+4Cj
		mov	edx, [ebp+var_4]
		mov	eax, [ebx+60h]
		mov	[edx], eax
		mov	dword ptr [edi+1Ch], 4

loc_982C08:				; CODE XREF: PiSwIrpGetLifetime(x)+53j
		mov	ecx, offset _PiSwLockObj
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_982C1E:				; CODE XREF: PiSwIrpGetLifetime(x)+27j
		xor	dl, dl
		mov	[edi+18h], esi
		mov	ecx, edi
		call	IofCompleteRequest
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiSwIrpGetLifetime@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiSwPdoAssociationFree(x)
_PiSwPdoAssociationFree@4 proc near	; CODE XREF: PiSwDeviceFree(x)+2ACp
					; PiSwRemovePdoAssociation(x,x)+3Bp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+10h]
		call	ObfDereferenceObject
		mov	ecx, [esi+14h]
		call	ObfDereferenceObject
		push	57706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
_PiSwPdoAssociationFree@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiSwPnPInfoFree(x)
_PiSwPnPInfoFree@4 proc	near		; CODE XREF: PiSwIrpStartCreateWorker+999F2p
					; PiSwDeviceFree(x)+12p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, 57706E50h
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_982C70
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi], ebx

loc_982C70:				; CODE XREF: PiSwPnPInfoFree(x)+12j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_982C81
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+4], ebx

loc_982C81:				; CODE XREF: PiSwPnPInfoFree(x)+22j
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_982C92
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+8], ebx

loc_982C92:				; CODE XREF: PiSwPnPInfoFree(x)+33j
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_982CA3
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+0Ch], ebx

loc_982CA3:				; CODE XREF: PiSwPnPInfoFree(x)+44j
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_982CB4
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+10h], ebx

loc_982CB4:				; CODE XREF: PiSwPnPInfoFree(x)+55j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PiSwPnPInfoFree@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwProcessParentRemoveIrp(x)
_PiSwProcessParentRemoveIrp@4 proc near	; CODE XREF: IopRemoveDevice(x,x)+BCp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	short loc_982CD7
		mov	eax, [edi+0B0h]
		mov	esi, [eax+14h]
		jmp	short loc_982CD9
; 

loc_982CD7:				; CODE XREF: PiSwProcessParentRemoveIrp(x)+12j
		xor	esi, esi

loc_982CD9:				; CODE XREF: PiSwProcessParentRemoveIrp(x)+1Dj
		lea	eax, [esi+14h]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PiSwLockObj
		call	ExAcquireResourceExclusiveLite
		mov	ebx, _PiSwGlobalPdoAssociationList
		jmp	short loc_982D4D
; 

loc_982D04:				; CODE XREF: PiSwProcessParentRemoveIrp(x)+9Bj
		lea	eax, [ebx]
		mov	ebx, [ebx]
		cmp	[eax+8], edi
		jnz	short loc_982D4D
		mov	eax, [eax+0Ch]
		mov	[esp+18h+var_4], eax
		mov	ecx, [eax+28h]
		mov	[esp+18h+var_8], ecx
		test	byte ptr [ecx+4], 20h
		jnz	short loc_982D35
		xor	dl, dl
		mov	ecx, eax
		call	_PiSwProcessRemove@8 ; PiSwProcessRemove(x,x)
		mov	eax, [esp+18h+var_4]
		mov	ecx, [eax+28h]
		mov	[esp+18h+var_8], ecx

loc_982D35:				; CODE XREF: PiSwProcessParentRemoveIrp(x)+67j
		mov	ecx, eax
		call	_PiSwUnassociateDeviceObject@4 ; PiSwUnassociateDeviceObject(x)
		mov	eax, [esp+18h+var_8]
		push	[esp+18h+var_4]
		or	dword ptr [eax+4], 10h
		call	IoDeleteDevice

loc_982D4D:				; CODE XREF: PiSwProcessParentRemoveIrp(x)+4Aj
					; PiSwProcessParentRemoveIrp(x)+53j
		cmp	ebx, offset _PiSwGlobalPdoAssociationList
		jnz	short loc_982D04
		test	esi, esi
		jz	short loc_982D7E
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_982D7E
		call	_PiSwFindSwDevice@4 ; PiSwFindSwDevice(x)
		test	eax, eax
		jz	short loc_982D75
		test	byte ptr [eax+4], 1
		jnz	short loc_982D7E
		cmp	dword ptr [eax+60h], 0
		jnz	short loc_982D7E

loc_982D75:				; CODE XREF: PiSwProcessParentRemoveIrp(x)+AFj
		mov	dl, 1
		mov	ecx, esi
		call	_PiSwCloseDescendants@8	; PiSwCloseDescendants(x,x)

loc_982D7E:				; CODE XREF: PiSwProcessParentRemoveIrp(x)+9Fj
					; PiSwProcessParentRemoveIrp(x)+A6j ...
		mov	ecx, offset _PiSwLockObj
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PiSwProcessParentRemoveIrp@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwProcessRemove(x, x)
_PiSwProcessRemove@8 proc near		; CODE XREF: PiSwGetChildPdo+A121Ap
					; PiSwPdoPnPDispatch+9F28Ep ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		push	edi
		mov	edi, [esi+28h]
		mov	eax, [edi]
		mov	[ebp+var_4], eax
		mov	eax, [edi+4]
		test	al, 20h
		jnz	loc_982F74
		test	al, 1
		jz	short loc_982DCF
		and	eax, 0FFFFFFFEh
		xor	dl, dl
		mov	[edi+4], eax
		mov	ecx, [ebp+var_4]
		call	PiSwDeviceInterfacesUpdateState

loc_982DCF:				; CODE XREF: PiSwProcessRemove(x,x)+22j
		test	bl, bl
		jnz	loc_982F74
		mov	eax, [esi+28h]
		xor	ebx, ebx
		mov	ecx, [eax]
		cmp	esi, [ecx+40h]
		jnz	short loc_982DE6
		mov	[ecx+40h], ebx

loc_982DE6:				; CODE XREF: PiSwProcessRemove(x,x)+46j
		or	dword ptr [eax+4], 20h
		test	byte ptr [edi+4], 8
		jnz	short loc_982DF7
		mov	ecx, esi
		call	_PiSwUnassociateDeviceObject@4 ; PiSwUnassociateDeviceObject(x)

loc_982DF7:				; CODE XREF: PiSwProcessRemove(x,x)+53j
		mov	ecx, [ebp+var_4]
		test	byte ptr [ecx+4], 2
		jz	loc_982F74
		call	_PiSwBusRelationRemove@4 ; PiSwBusRelationRemove(x)
		mov	eax, [ebp+var_4]
		cmp	[eax+30h], ebx
		jz	loc_982F59
		and	dword ptr [eax+4], 0FFFFFFFBh
		mov	ecx, [ebp+var_4]
		lea	ecx, [ecx+10h]
		call	_PiSwPnPInfoFree@4 ; PiSwPnPInfoFree(x)
		mov	eax, [ebp+var_4]
		push	6
		pop	ecx
		push	6
		mov	esi, [eax+30h]
		lea	edi, [eax+10h]
		add	esi, 4
		xor	eax, eax
		rep movsd
		mov	edx, [ebp+var_4]
		mov	esi, 57706E50h
		pop	ecx
		mov	edi, [edx+30h]
		add	edi, 4
		rep stosd
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+50h]
		test	eax, eax
		jz	short loc_982E5E
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_4]

loc_982E5E:				; CODE XREF: PiSwProcessRemove(x,x)+B7j
		mov	eax, [ecx+30h]
		mov	eax, [eax+20h]
		mov	[ecx+54h], eax
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+30h]
		mov	eax, [eax+1Ch]
		mov	[ecx+50h], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+30h]
		mov	[eax+20h], ebx
		mov	eax, [ebp+var_4]
		mov	eax, [eax+30h]
		mov	[eax+1Ch], ebx
		mov	ecx, [ebp+var_4]
		mov	edx, [ecx+58h]
		test	edx, edx
		jz	short loc_982E9B
		mov	ecx, [ecx+5Ch]
		push	esi
		call	_PnpFreeDevPropertyArray@12 ; PnpFreeDevPropertyArray(x,x,x)
		mov	ecx, [ebp+var_4]

loc_982E9B:				; CODE XREF: PiSwProcessRemove(x,x)+F2j
		mov	eax, [ecx+30h]
		mov	eax, [eax+28h]
		mov	[ecx+5Ch], eax
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+30h]
		mov	eax, [eax+24h]
		mov	[ecx+58h], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+30h]
		mov	[eax+28h], ebx
		mov	eax, [ebp+var_4]
		mov	eax, [eax+30h]
		mov	[eax+24h], ebx
		mov	ecx, [ebp+var_4]
		lea	ecx, [ecx+64h]
		call	PiSwFreeInterfaceList
		mov	edx, [ebp+var_4]
		mov	ecx, [edx+30h]
		mov	ecx, [ecx]
		call	_PiSwBusRelationAdd@8 ;	PiSwBusRelationAdd(x,x)
		mov	edx, eax
		mov	eax, [ebp+var_4]
		test	edx, edx
		js	short loc_982F0E
		and	dword ptr [eax+4], 0FFFFFFFDh
		mov	edx, 746C6644h
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx+3Ch]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_982F45
		push	5
		push	esi
		call	IoInvalidateDeviceRelations
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_982F45
; 

loc_982F0E:				; CODE XREF: PiSwProcessRemove(x,x)+146j
		mov	eax, [eax+4Ch]
		test	eax, eax
		jz	short loc_982F45
		xor	ecx, ecx
		add	eax, 38h
		xchg	ecx, [eax]
		test	ecx, ecx
		jz	short loc_982F45
		mov	eax, [ebp+var_4]
		mov	eax, [eax+4Ch]
		mov	[eax+1Ch], ebx
		mov	eax, [ebp+var_4]
		mov	eax, [eax+4Ch]
		mov	[eax+18h], edx
		xor	dl, dl
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx+4Ch]
		call	IofCompleteRequest
		mov	eax, [ebp+var_4]
		mov	[eax+4Ch], ebx

loc_982F45:				; CODE XREF: PiSwProcessRemove(x,x)+160j
					; PiSwProcessRemove(x,x)+171j ...
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx+30h]
		call	_PiSwQueuedCreateInfoFree@4 ; PiSwQueuedCreateInfoFree(x)
		mov	eax, [ebp+var_4]
		mov	[eax+30h], ebx
		mov	eax, [ebp+var_4]

loc_982F59:				; CODE XREF: PiSwProcessRemove(x,x)+74j
		cmp	[eax+3Ch], ebx
		jnz	short loc_982F74
		lea	eax, [ebp+var_4]
		push	eax
		push	offset _PiSwDeviceInstanceTable
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		mov	ecx, [ebp+var_4]
		call	PiSwDeviceDereference

loc_982F74:				; CODE XREF: PiSwProcessRemove(x,x)+1Aj
					; PiSwProcessRemove(x,x)+36j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PiSwProcessRemove@8 endp


;  S U B	R O U T	I N E 


; __stdcall PiSwQueuedCreateInfoCreate(x, x)
_PiSwQueuedCreateInfoCreate@8 proc near	; CODE XREF: PiSwIrpStartCreateWorker+99966p
					; PiSwIrpStartCreateWorker+999C6p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, 57706E50h
		mov	edi, edx
		push	esi
		push	2Ch
		push	1
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jz	loc_98302C
		push	2Ch		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [edi+4]
		add	esp, 0Ch
		mov	edx, 0C8h
		push	dword ptr [ebx]
		push	esi
		call	PnpAllocatePWSTR
		mov	esi, eax
		test	esi, esi
		js	short loc_983035
		mov	ecx, [ebx]
		mov	edx, edi
		add	ecx, 4
		call	_PiSwPnPInfoInit@8 ; PiSwPnPInfoInit(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_983035
		cmp	dword ptr [edi+30h], 0
		jz	short loc_983012
		mov	ecx, [ebx]
		mov	eax, [edi+2Ch]
		push	57706E50h
		mov	[ecx+20h], eax
		mov	eax, [edi+2Ch]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebx]
		mov	[ecx+1Ch], eax
		mov	eax, [ebx]
		mov	eax, [eax+1Ch]
		test	eax, eax
		jnz	short loc_983003
		mov	esi, 0C000009Ah
		jmp	short loc_983035
; 

loc_983003:				; CODE XREF: PiSwQueuedCreateInfoCreate(x,x)+81j
		push	dword ptr [edi+2Ch] ; size_t
		push	dword ptr [edi+30h] ; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_983012:				; CODE XREF: PiSwQueuedCreateInfoCreate(x,x)+5Bj
		mov	ecx, [ebx]
		mov	edx, [edi+38h]
		lea	eax, [ecx+24h]
		push	eax
		lea	eax, [ecx+28h]
		push	eax
		push	ecx
		mov	ecx, [edi+34h]
		call	PnpCopyDevPropertyArray
		mov	esi, eax
		jmp	short loc_983031
; 

loc_98302C:				; CODE XREF: PiSwQueuedCreateInfoCreate(x,x)+1Cj
		mov	esi, 0C000009Ah

loc_983031:				; CODE XREF: PiSwQueuedCreateInfoCreate(x,x)+B1j
		test	esi, esi
		jns	short loc_983043

loc_983035:				; CODE XREF: PiSwQueuedCreateInfoCreate(x,x)+43j
					; PiSwQueuedCreateInfoCreate(x,x)+55j ...
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	short loc_983043
		call	_PiSwQueuedCreateInfoFree@4 ; PiSwQueuedCreateInfoFree(x)
		and	dword ptr [ebx], 0

loc_983043:				; CODE XREF: PiSwQueuedCreateInfoCreate(x,x)+BAj
					; PiSwQueuedCreateInfoCreate(x,x)+C0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_PiSwQueuedCreateInfoCreate@8 endp


;  S U B	R O U T	I N E 


; __stdcall PiSwQueuedCreateInfoFree(x)
_PiSwQueuedCreateInfoFree@4 proc near	; CODE XREF: PiSwIrpStartCreateWorker+99950p
					; PiSwCloseDevice(x)+15p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 57706E50h
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_983064
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0

loc_983064:				; CODE XREF: PiSwQueuedCreateInfoFree(x)+Fj
		lea	ecx, [esi+4]
		call	_PiSwPnPInfoFree@4 ; PiSwPnPInfoFree(x)
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_98307E
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+1Ch], 0

loc_98307E:				; CODE XREF: PiSwQueuedCreateInfoFree(x)+28j
		mov	edx, [esi+24h]
		test	edx, edx
		jz	short loc_98308E
		mov	ecx, [esi+28h]
		push	edi
		call	_PnpFreeDevPropertyArray@12 ; PnpFreeDevPropertyArray(x,x,x)

loc_98308E:				; CODE XREF: PiSwQueuedCreateInfoFree(x)+3Aj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_PiSwQueuedCreateInfoFree@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiSwRemovePdoAssociation(x,	x)
_PiSwRemovePdoAssociation@8 proc near	; CODE XREF: PiSwUnassociateDeviceObject(x)+12p
		mov	edi, edi
		push	esi
		xor	esi, esi
		push	esi
		call	_PiSwFindPdoAssociation@12 ; PiSwFindPdoAssociation(x,x,x)
		test	eax, eax
		jz	short loc_9830E0
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_9830DB
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_9830DB
		mov	[edx], ecx
		mov	[ecx+4], edx
		lea	edx, [eax+8]
		push	edi
		mov	edi, [edx]
		cmp	[edi+4], edx
		jnz	short loc_9830DB
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	short loc_9830DB
		mov	[ecx], edi
		mov	[edi+4], ecx
		mov	ecx, eax
		call	_PiSwPdoAssociationFree@4 ; PiSwPdoAssociationFree(x)
		pop	edi
		jmp	short loc_9830E5
; 

loc_9830DB:				; CODE XREF: PiSwRemovePdoAssociation(x,x)+14j
					; PiSwRemovePdoAssociation(x,x)+1Bj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9830E0:				; CODE XREF: PiSwRemovePdoAssociation(x,x)+Dj
		mov	esi, 0C0000225h

loc_9830E5:				; CODE XREF: PiSwRemovePdoAssociation(x,x)+41j
		mov	eax, esi
		pop	esi
		retn
_PiSwRemovePdoAssociation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwStartCreate(x, x, x, x,	x, x, x, x, x, x, x, x,	x)
_PiSwStartCreate@52 proc near		; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+99Cp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	esi
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_28]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_40], offset aDriverenum ; "DRIVERENUM"
		mov	[ebp+var_3C], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_8], eax
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_28], esi
		test	ecx, ecx
		jz	short loc_983165
		lea	eax, [ebp+var_4]
		mov	edx, 400h
		push	eax
		call	_PnpGetMultiSzLength@12	; PnpGetMultiSzLength(x,x,x)
		test	eax, eax
		js	short loc_98318D
		mov	eax, [ebp+var_4]
		mov	[ebp+var_34], eax

loc_983165:				; CODE XREF: PiSwStartCreate(x,x,x,x,x,x,x,x,x,x,x,x,x)+62j
		test	esi, esi
		jz	short loc_983183
		lea	eax, [ebp+var_4]
		mov	edx, 400h
		push	eax
		mov	ecx, esi
		call	_PnpGetMultiSzLength@12	; PnpGetMultiSzLength(x,x,x)
		test	eax, eax
		js	short loc_98318D
		mov	eax, [ebp+var_4]
		mov	[ebp+var_2C], eax

loc_983183:				; CODE XREF: PiSwStartCreate(x,x,x,x,x,x,x,x,x,x,x,x,x)+7Ej
		xor	edx, edx
		lea	ecx, [ebp+var_40]
		call	PiSwIrpStartCreateWorker

loc_98318D:				; CODE XREF: PiSwStartCreate(x,x,x,x,x,x,x,x,x,x,x,x,x)+74j
					; PiSwStartCreate(x,x,x,x,x,x,x,x,x,x,x,x,x)+92j
		pop	esi
		leave
		retn	2Ch
_PiSwStartCreate@52 endp


;  S U B	R O U T	I N E 


; __stdcall PiSwUnassociateDeviceObject(x)
_PiSwUnassociateDeviceObject@4 proc near ; CODE	XREF: PiSwPdoPnPDispatch+9F2A1p
					; PiSwProcessParentRemoveIrp(x)+7Fp ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, [ecx+28h]
		mov	esi, [edi]
		test	esi, esi
		jz	short loc_9831B3
		mov	edx, ecx
		mov	ecx, esi
		call	_PiSwRemovePdoAssociation@8 ; PiSwRemovePdoAssociation(x,x)
		mov	ecx, esi
		call	PiSwDeviceDereference
		and	dword ptr [edi], 0

loc_9831B3:				; CODE XREF: PiSwUnassociateDeviceObject(x)+Cj
		pop	edi
		pop	esi
		pop	ecx
		retn
_PiSwUnassociateDeviceObject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMCaptureCreateDeviceInputData(x,	x, x, x)
_PiCMCaptureCreateDeviceInputData@16 proc near
					; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+5Ep

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

		push	20h
		push	offset dword_6A82D0
		call	__SEH_prolog4
		mov	esi, edx
		mov	edx, ecx
		and	[ebp+var_28], 0
		and	[ebp+var_2C], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_20], al
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_24], eax
		test	edx, edx
		jz	loc_983337
		test	esi, esi
		jz	loc_983337
		and	[ebp+ms_exc.disabled], eax
		test	dl, 3
		jz	short loc_983203
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_983203:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+45j
		lea	edi, [edx+esi]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edi, ecx
		ja	short loc_983214
		cmp	edi, edx
		jnb	short loc_983217

loc_983214:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+57j
		mov	byte ptr [ecx],	0

loc_983217:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+5Bj
		mov	ebx, [ebp+arg_4]
		cmp	esi, 1Ch
		jb	short loc_98322D
		push	7
		pop	ecx
		mov	esi, edx
		mov	edi, ebx
		rep movsd
		cmp	dword ptr [ebx], 1Ch
		jz	short loc_983238

loc_98322D:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+66j
		mov	eax, 0C000000Dh
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], eax

loc_983238:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+74j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_983265
; 

loc_983241:				; DATA XREF: .text:006A82E4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_98324F:				; DATA XREF: .text:006A82E8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_30]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_24], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+arg_4]

loc_983265:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+88j
		test	eax, eax
		js	loc_983341
		lea	edi, [ebx+8]
		mov	eax, [edi]
		and	dword ptr [edi], 0
		test	eax, eax
		jz	short loc_9832BC
		mov	ecx, [ebx+0Ch]
		cmp	ecx, 2
		jb	short loc_9832B8
		push	1
		push	[ebp+var_20]
		push	2
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	PiControlMakeUserModeCallersCopy
		mov	esi, eax
		test	esi, esi
		js	short loc_9832AF
		mov	[ebp+var_28], 1
		mov	edx, [ebx+0Ch]
		shr	edx, 1
		mov	ecx, [edi]
		xor	eax, eax
		mov	[ecx+edx*2-2], ax
		jmp	short loc_9832D6
; 

loc_9832AF:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+DFj
		and	dword ptr [edi], 0
		and	dword ptr [ebx+0Ch], 0
		jmp	short loc_9832D6
; 

loc_9832B8:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+C8j
		test	eax, eax
		jnz	short loc_9832C6

loc_9832BC:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+C0j
		cmp	dword ptr [ebx+0Ch], 0
		ja	short loc_9832CC
		test	eax, eax
		jz	short loc_9832D3

loc_9832C6:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+103j
		cmp	dword ptr [ebx+0Ch], 2
		jnb	short loc_9832D3

loc_9832CC:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+109j
					; PiCMCaptureCreateDeviceInputData(x,x,x,x)+172j ...
		mov	esi, 0C000000Dh
		jmp	short loc_983348
; 

loc_9832D3:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+10Dj
					; PiCMCaptureCreateDeviceInputData(x,x,x,x)+113j
		mov	esi, [ebp+var_1C]

loc_9832D6:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+F6j
					; PiCMCaptureCreateDeviceInputData(x,x,x,x)+FFj
		lea	edi, [ebx+10h]
		mov	eax, [edi]
		and	dword ptr [edi], 0
		test	eax, eax
		jz	short loc_983325
		mov	ecx, [ebx+14h]
		cmp	ecx, 2
		jb	short loc_983321
		push	1
		push	[ebp+var_20]
		push	2
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	PiControlMakeUserModeCallersCopy
		mov	esi, eax
		test	esi, esi
		js	short loc_983318
		mov	[ebp+var_2C], 1
		mov	ecx, [ebx+14h]
		shr	ecx, 1
		mov	eax, [edi]
		xor	edx, edx
		mov	[eax+ecx*2-2], dx
		jmp	short loc_983344
; 

loc_983318:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+148j
		and	dword ptr [edi], 0
		and	dword ptr [ebx+14h], 0
		jmp	short loc_983344
; 

loc_983321:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+131j
		test	eax, eax
		jnz	short loc_98332F

loc_983325:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+129j
		cmp	dword ptr [ebx+14h], 0
		ja	short loc_9832CC
		test	eax, eax
		jz	short loc_983344

loc_98332F:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+16Cj
		cmp	dword ptr [ebx+14h], 2
		jnb	short loc_983344
		jmp	short loc_9832CC
; 

loc_983337:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+31j
					; PiCMCaptureCreateDeviceInputData(x,x,x,x)+39j
		mov	esi, 0C000000Dh
		mov	ebx, [ebp+arg_4]
		jmp	short loc_983344
; 

loc_983341:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+B0j
		mov	esi, [ebp+var_1C]

loc_983344:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+15Fj
					; PiCMCaptureCreateDeviceInputData(x,x,x,x)+168j ...
		test	esi, esi
		jns	short loc_983387

loc_983348:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+11Aj
		cmp	[ebp+var_28], 0
		jz	short loc_983363
		mov	eax, [ebx+8]
		cmp	byte ptr [ebp+var_20], 0
		jz	short loc_983363
		test	eax, eax
		jz	short loc_983363
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_983363:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+195j
					; PiCMCaptureCreateDeviceInputData(x,x,x,x)+19Ej ...
		cmp	[ebp+var_2C], 0
		jz	short loc_98337E
		mov	eax, [ebx+10h]
		cmp	byte ptr [ebp+var_20], 0
		jz	short loc_98337E
		test	eax, eax
		jz	short loc_98337E
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98337E:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+1B0j
					; PiCMCaptureCreateDeviceInputData(x,x,x,x)+1B9j ...
		push	7
		pop	ecx
		xor	eax, eax
		mov	edi, ebx
		rep stosd

loc_983387:				; CODE XREF: PiCMCaptureCreateDeviceInputData(x,x,x,x)+18Fj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiCMCaptureCreateDeviceInputData@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMCaptureEnumerateInputData(x, x,	x, x)
_PiCMCaptureEnumerateInputData@16 proc near
					; CODE XREF: PiCMEnumerateSubKeys(x,x,x,x,x,x)+2Cp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

		push	10h
		push	offset dword_6A8310
		call	__SEH_prolog4
		mov	esi, edx
		mov	eax, ecx
		xor	edx, edx
		mov	[ebp+var_1C], edx
		test	eax, eax
		jz	short loc_98340F
		cmp	esi, 14h
		jb	short loc_98340F
		mov	[ebp+ms_exc.disabled], edx
		test	al, 3
		jz	short loc_9833C5
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9833C5:				; CODE XREF: PiCMCaptureEnumerateInputData(x,x,x,x)+23j
		add	esi, eax
		mov	ecx, ds:_MmUserProbeAddress
		cmp	esi, ecx
		ja	short loc_9833D5
		cmp	esi, eax
		jnb	short loc_9833D7

loc_9833D5:				; CODE XREF: PiCMCaptureEnumerateInputData(x,x,x,x)+34j
		mov	[ecx], dl

loc_9833D7:				; CODE XREF: PiCMCaptureEnumerateInputData(x,x,x,x)+38j
		push	5
		pop	ecx
		mov	esi, eax
		mov	eax, [ebp+arg_4]
		mov	edi, eax
		rep movsd
		cmp	dword ptr [eax], 14h
		jz	short loc_9833F0
		mov	edx, 0C000000Dh

loc_9833ED:				; CODE XREF: PiCMCaptureEnumerateInputData(x,x,x,x)+72j
		mov	[ebp+var_1C], edx

loc_9833F0:				; CODE XREF: PiCMCaptureEnumerateInputData(x,x,x,x)+4Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_983414
; 

loc_9833F9:				; DATA XREF: .text:006A8324o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_983407:				; DATA XREF: .text:006A8328o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edx, [ebp+var_20]
		jmp	short loc_9833ED
; 

loc_98340F:				; CODE XREF: PiCMCaptureEnumerateInputData(x,x,x,x)+17j
					; PiCMCaptureEnumerateInputData(x,x,x,x)+1Cj
		mov	edx, 0C000000Dh

loc_983414:				; CODE XREF: PiCMCaptureEnumerateInputData(x,x,x,x)+5Cj
		test	edx, edx
		jns	short loc_983422
		xor	eax, eax
		mov	edi, [ebp+arg_4]
		stosd
		stosd
		stosd
		stosd
		stosd

loc_983422:				; CODE XREF: PiCMCaptureEnumerateInputData(x,x,x,x)+7Bj
		mov	eax, edx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiCMCaptureEnumerateInputData@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiCMCaptureProblemInputData(int,void *)
_PiCMCaptureProblemInputData@16	proc near ; CODE XREF: PiCMSetDeviceProblem(x,x,x,x,x,x)+53p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

		push	10h
		push	offset dword_6A82F0
		call	__SEH_prolog4
		mov	eax, ecx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		test	eax, eax
		jz	short loc_9834BA
		cmp	edx, 1A0h
		jb	short loc_9834BA
		and	[ebp+ms_exc.disabled], ebx
		test	al, 3
		jz	short loc_983461
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_983461:				; CODE XREF: PiCMCaptureProblemInputData(x,x,x,x)+24j
		add	edx, eax
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_983471
		cmp	edx, eax
		jnb	short loc_983474

loc_983471:				; CODE XREF: PiCMCaptureProblemInputData(x,x,x,x)+35j
		mov	byte ptr [ecx],	0

loc_983474:				; CODE XREF: PiCMCaptureProblemInputData(x,x,x,x)+39j
		push	68h
		pop	ecx
		mov	esi, eax
		mov	eax, [ebp+arg_4]
		mov	edi, eax
		rep movsd
		cmp	dword ptr [eax], 1A0h
		jz	short loc_983492
		mov	ebx, 0C000000Dh

loc_98348D:				; CODE XREF: PiCMCaptureProblemInputData(x,x,x,x)+82j
		mov	[ebp+var_1C], ebx
		jmp	short loc_98349B
; 

loc_983492:				; CODE XREF: PiCMCaptureProblemInputData(x,x,x,x)+50j
		xor	ecx, ecx
		mov	[eax+196h], cx

loc_98349B:				; CODE XREF: PiCMCaptureProblemInputData(x,x,x,x)+5Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9834BF
; 

loc_9834A4:				; DATA XREF: .text:006A8304o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9834B2:				; DATA XREF: .text:006A8308o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_20]
		jmp	short loc_98348D
; 

loc_9834BA:				; CODE XREF: PiCMCaptureProblemInputData(x,x,x,x)+15j
					; PiCMCaptureProblemInputData(x,x,x,x)+1Dj
		mov	ebx, 0C000000Dh

loc_9834BF:				; CODE XREF: PiCMCaptureProblemInputData(x,x,x,x)+6Cj
		test	ebx, ebx
		jns	short loc_9834D5
		push	1A0h		; size_t
		push	0		; int
		push	[ebp+arg_4]	; void *
		call	_memset
		add	esp, 0Ch

loc_9834D5:				; CODE XREF: PiCMCaptureProblemInputData(x,x,x,x)+8Bj
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiCMCaptureProblemInputData@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMCaptureRegisterInterfaceInputData(x, x,	x, x)
_PiCMCaptureRegisterInterfaceInputData@16 proc near
					; CODE XREF: PiCMRegisterDeviceInterface(x,x,x,x,x,x)+4Ep

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

		push	20h
		push	offset dword_6A82B0
		call	__SEH_prolog4
		mov	esi, edx
		mov	edx, ecx
		and	[ebp+var_28], 0
		and	[ebp+var_2C], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_20], al
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_24], eax
		test	edx, edx
		jz	loc_983669
		test	esi, esi
		jz	loc_983669
		and	[ebp+ms_exc.disabled], eax
		test	dl, 3
		jz	short loc_983535
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_983535:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+45j
		lea	edi, [edx+esi]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edi, ecx
		ja	short loc_983546
		cmp	edi, edx
		jnb	short loc_983549

loc_983546:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+57j
		mov	byte ptr [ecx],	0

loc_983549:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+5Bj
		mov	ebx, [ebp+arg_4]
		cmp	esi, 2Ch
		jb	short loc_98355F
		push	0Bh
		pop	ecx
		mov	esi, edx
		mov	edi, ebx
		rep movsd
		cmp	dword ptr [ebx], 2Ch
		jz	short loc_98356A

loc_98355F:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+66j
		mov	eax, 0C000000Dh
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], eax

loc_98356A:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+74j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_983597
; 

loc_983573:				; DATA XREF: .text:006A82C4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_983581:				; DATA XREF: .text:006A82C8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_30]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_24], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+arg_4]

loc_983597:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+88j
		test	eax, eax
		js	loc_983673
		lea	edi, [ebx+18h]
		mov	eax, [edi]
		and	dword ptr [edi], 0
		test	eax, eax
		jz	short loc_9835EE
		mov	ecx, [ebx+1Ch]
		cmp	ecx, 2
		jb	short loc_9835EA
		push	1
		push	[ebp+var_20]
		push	2
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	PiControlMakeUserModeCallersCopy
		mov	esi, eax
		test	esi, esi
		js	short loc_9835E1
		mov	[ebp+var_28], 1
		mov	edx, [ebx+1Ch]
		shr	edx, 1
		mov	ecx, [edi]
		xor	eax, eax
		mov	[ecx+edx*2-2], ax
		jmp	short loc_983608
; 

loc_9835E1:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+DFj
		and	dword ptr [edi], 0
		and	dword ptr [ebx+1Ch], 0
		jmp	short loc_983608
; 

loc_9835EA:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+C8j
		test	eax, eax
		jnz	short loc_9835F8

loc_9835EE:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+C0j
		cmp	dword ptr [ebx+1Ch], 0
		ja	short loc_9835FE
		test	eax, eax
		jz	short loc_983605

loc_9835F8:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+103j
		cmp	dword ptr [ebx+1Ch], 2
		jnb	short loc_983605

loc_9835FE:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+109j
					; PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+172j ...
		mov	esi, 0C000000Dh
		jmp	short loc_98367A
; 

loc_983605:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+10Dj
					; PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+113j
		mov	esi, [ebp+var_1C]

loc_983608:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+F6j
					; PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+FFj
		lea	edi, [ebx+20h]
		mov	eax, [edi]
		and	dword ptr [edi], 0
		test	eax, eax
		jz	short loc_983657
		mov	ecx, [ebx+24h]
		cmp	ecx, 2
		jb	short loc_983653
		push	1
		push	[ebp+var_20]
		push	2
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	PiControlMakeUserModeCallersCopy
		mov	esi, eax
		test	esi, esi
		js	short loc_98364A
		mov	[ebp+var_2C], 1
		mov	ecx, [ebx+24h]
		shr	ecx, 1
		mov	eax, [edi]
		xor	edx, edx
		mov	[eax+ecx*2-2], dx
		jmp	short loc_983676
; 

loc_98364A:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+148j
		and	dword ptr [edi], 0
		and	dword ptr [ebx+24h], 0
		jmp	short loc_983676
; 

loc_983653:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+131j
		test	eax, eax
		jnz	short loc_983661

loc_983657:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+129j
		cmp	dword ptr [ebx+24h], 0
		ja	short loc_9835FE
		test	eax, eax
		jz	short loc_983676

loc_983661:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+16Cj
		cmp	dword ptr [ebx+24h], 2
		jnb	short loc_983676
		jmp	short loc_9835FE
; 

loc_983669:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+31j
					; PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+39j
		mov	esi, 0C000000Dh
		mov	ebx, [ebp+arg_4]
		jmp	short loc_983676
; 

loc_983673:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+B0j
		mov	esi, [ebp+var_1C]

loc_983676:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+15Fj
					; PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+168j ...
		test	esi, esi
		jns	short loc_9836BD

loc_98367A:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+11Aj
		cmp	[ebp+var_28], 0
		jz	short loc_983695
		mov	eax, [ebx+18h]
		cmp	byte ptr [ebp+var_20], 0
		jz	short loc_983695
		test	eax, eax
		jz	short loc_983695
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_983695:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+195j
					; PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+19Ej ...
		cmp	[ebp+var_2C], 0
		jz	short loc_9836B0
		mov	eax, [ebx+20h]
		cmp	byte ptr [ebp+var_20], 0
		jz	short loc_9836B0
		test	eax, eax
		jz	short loc_9836B0
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9836B0:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+1B0j
					; PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+1B9j ...
		push	2Ch		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch

loc_9836BD:				; CODE XREF: PiCMCaptureRegisterInterfaceInputData(x,x,x,x)+18Fj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiCMCaptureRegisterInterfaceInputData@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMCreateDevice(x,	x, x, x, x, x)
_PiCMCreateDevice@24 proc near		; CODE XREF: PiCMHandleIoctl+119DD9p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	edi, [ebp+var_6C]
		mov	esi, ecx
		mov	[ebp+var_10], ebx
		push	7
		xor	eax, eax
		mov	[ebp+var_14], ebx
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_C]
		xor	ecx, ecx
		mov	[ebp+var_38], ecx
		mov	edi, ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	[eax], ebx
		mov	eax, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_18], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_3C], ebx
		call	_PiCMCaptureCreateDeviceInputData@16 ; PiCMCaptureCreateDeviceInputData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9837C5
		push	2
		pop	esi
		mov	ecx, esi
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jnz	loc_983810
		mov	esi, 0C0000022h

loc_983755:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+17Ej
					; PiCMCreateDevice(x,x,x,x,x,x)+1A0j ...
		mov	eax, [ebp+var_8]

loc_983758:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+575j
		push	[ebp+arg_C]	; int
		xor	ecx, ecx
		lea	edx, [eax+eax]
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		push	[ebp+var_54]	; int
		push	ecx		; size_t
		push	ecx		; void *
		push	ecx		; int

loc_98376C:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+58Cj
		mov	ecx, esi
		call	PiCMReturnBufferResultData
		cmp	[ebp+var_C], 0
		mov	esi, eax
		jz	short loc_983783
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_983783:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+A8j
		test	edi, edi
		jz	short loc_983792
		push	34706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_983792:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+B4j
		mov	eax, [ebp+var_38]
		test	eax, eax
		jz	short loc_9837A4
		push	34706E50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9837A4:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+C6j
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_9837B2
		mov	ecx, eax
		call	ObfDereferenceObject

loc_9837B2:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+D8j
		test	bl, bl
		jz	short loc_9837C5
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9837C5:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+67j
					; PiCMCreateDevice(x,x,x,x,x,x)+E3j
		mov	eax, large fs:124h
		cmp	[ebp+var_64], 0
		mov	bl, [eax+15Ah]
		jz	short loc_9837E6
		test	bl, bl
		jz	short loc_9837E6
		xor	eax, eax
		push	eax
		push	[ebp+var_64]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9837E6:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+104j
					; PiCMCreateDevice(x,x,x,x,x,x)+108j
		cmp	[ebp+var_5C], 0
		jz	short loc_9837FB
		test	bl, bl
		jz	short loc_9837FB
		xor	eax, eax
		push	eax
		push	[ebp+var_5C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9837FB:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+119j
					; PiCMCreateDevice(x,x,x,x,x,x)+11Dj
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_983807
		call	PiPnpRtlEndOperation

loc_983807:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+12Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_983810:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+79j
		cmp	[ebp+var_64], ebx
		jz	loc_983BFB
		cmp	[ebp+var_60], esi
		jb	loc_983BFB
		mov	ecx, [ebp+var_5C]
		test	ecx, ecx
		jz	loc_983BFB
		cmp	[ebp+var_58], esi
		jb	loc_983BFB
		cmp	[ebp+arg_0], ebx
		jz	short loc_98384A
		cmp	[ebp+arg_4], 14h
		jb	short loc_98384A
		test	[ebp+var_68], 0FFFFFFF0h
		jz	short loc_983854

loc_98384A:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+168j
					; PiCMCreateDevice(x,x,x,x,x,x)+16Ej ...
		mov	esi, 0C000000Dh
		jmp	loc_983755
; 

loc_983854:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+177j
		mov	eax, [ebp+var_68]
		and	eax, esi
		mov	[ebp+var_1C], eax
		call	__CmIsRootDevice@4 ; _CmIsRootDevice(x)
		test	al, al
		jz	short loc_98384A
		lea	ecx, [ebp+var_3C]
		call	PiPnpRtlBeginOperation
		mov	esi, eax
		test	esi, esi
		js	loc_983755
		push	34706E50h
		push	190h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_983898
		mov	esi, 0C000009Ah
		jmp	loc_983755
; 

loc_983898:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+1BBj
		mov	eax, [ebp+var_68]
		and	eax, 4
		mov	[ebp+var_40], eax
		jz	short loc_9838C0
		cmp	[ebp+var_1C], ebx
		push	ecx
		mov	ecx, [ebp+var_64]
		setnz	dl
		push	edi
		call	_PiCMGenerateDeviceInstance@16 ; PiCMGenerateDeviceInstance(x,x,x,x)
		mov	esi, eax
		cmp	[ebp+var_1C], ebx
		jnz	loc_983C00
		jmp	short loc_9838CA
; 

loc_9838C0:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+1D0j
		mov	edx, [ebp+var_64]
		call	__CmValidateDeviceName@8 ; _CmValidateDeviceName(x,x)
		mov	esi, eax

loc_9838CA:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+1EDj
		test	esi, esi
		js	loc_983755
		cmp	[ebp+var_40], ebx
		jnz	short loc_9838F9
		push	800h
		xor	eax, eax
		mov	edx, 0C8h
		push	eax
		push	eax
		push	[ebp+var_64]
		mov	ecx, edi
		call	RtlStringCchCopyExW
		mov	esi, eax
		test	esi, esi
		js	loc_983755

loc_9838F9:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+204j
		xor	ecx, ecx
		lea	eax, [ebp+var_C]
		push	ecx
		push	eax
		push	ecx
		push	2001Fh
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	10h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		jns	short loc_983928
		cmp	esi, 0C000000Eh
		jnz	loc_983C00

loc_983928:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+249j
		cmp	[ebp+var_1C], ebx
		jz	loc_9839D7
		cmp	[ebp+var_C], ebx
		jz	short loc_983940

loc_983936:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+35Ej
					; PiCMCreateDevice(x,x,x,x,x,x)+3BFj
		mov	esi, 0C0000035h
		jmp	loc_983755
; 

loc_983940:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+263j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		mov	ecx, _PiPnpRtlCtx
		xor	eax, eax
		push	eax
		mov	byte ptr [ebp+var_1], al
		mov	edx, edi
		lea	eax, [ebp+var_1]
		mov	bl, 1
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	20006h
		call	_CmCreateDevice
		mov	esi, eax
		test	esi, esi
		js	loc_983755
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_983995
		push	[ebp+var_18]
		mov	esi, 0C0000035h
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_983755
; 

loc_983995:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+2B0j
		mov	ecx, [ebp+var_18]
		lea	eax, [ebp+var_28]
		push	4
		push	eax
		push	4
		mov	edx, offset ??_C@_1BA@LEPEEO@?$AAP?$AAh?$AAa?$AAn?$AAt?$AAo?$AAm@NNGAKEGL@ ; "Phantom"
		mov	[ebp+var_28], 1
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		push	[ebp+var_18]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_983755
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_983C00
; 

loc_9839D7:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+25Aj
		cmp	[ebp+var_C], ebx
		jz	short loc_983A3D
		push	edi
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_983A96
		xor	ecx, ecx
		call	PpDevNodeLockTree
		mov	edx, 746C6644h
		lea	ecx, [ebp+var_50]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	short loc_983A14
		mov	ecx, [eax+0B0h]
		mov	esi, [ecx+14h]
		jmp	short loc_983A18
; 

loc_983A14:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+336j
		xor	eax, eax
		mov	esi, eax

loc_983A18:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+341j
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		test	esi, esi
		jz	short loc_983A34
		mov	ecx, [ebp+var_24]
		call	_IopIsRootEnumeratedDeviceObjectActive@4 ; IopIsRootEnumeratedDeviceObjectActive(x)
		test	al, al
		jz	short loc_983A96
		jmp	loc_983936
; 

loc_983A34:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+350j
		mov	edx, edi
		call	_PiPnpRtlEnsureObjectCached@8 ;	PiPnpRtlEnsureObjectCached(x,x)
		jmp	short loc_983A96
; 

loc_983A3D:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+309j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		mov	ecx, _PiPnpRtlCtx
		xor	eax, eax
		push	eax
		mov	byte ptr [ebp+var_1], al
		mov	edx, edi
		lea	eax, [ebp+var_1]
		mov	bl, 1
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	2001Fh
		call	_CmCreateDevice
		mov	esi, eax
		test	esi, esi
		js	loc_983755
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	eax, eax
		mov	bl, al
		cmp	byte ptr [ebp+var_1], al
		jz	loc_983936

loc_983A96:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+317j
					; PiCMCreateDevice(x,x,x,x,x,x)+35Cj ...
		push	edi
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		xor	eax, eax
		mov	bl, al
		test	esi, esi
		js	loc_983755
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_10]
		xor	ebx, ebx
		mov	[ebp+var_10], 4
		push	ebx
		push	eax
		lea	eax, [ebp+var_20]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	0Bh
		push	[ebp+var_C]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_983ADD
		mov	[ebp+var_20], ebx

loc_983ADD:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+407j
		lea	eax, [ebp+var_2C]
		push	eax
		lea	ecx, [ebp+var_48]
		call	PnpGetDeviceInstanceCsConfigFlags
		test	eax, eax
		mov	eax, ebx
		js	short loc_983AF2
		mov	eax, [ebp+var_2C]

loc_983AF2:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+41Cj
		mov	ecx, [ebp+var_20]
		and	cl, 12h
		neg	cl
		sbb	cl, cl
		inc	cl
		test	al, 2
		setz	al
		test	cl, al
		jz	loc_983BF1
		lea	ecx, [ebp+var_48]
		call	_PiInitializeDevice@4 ;	PiInitializeDevice(x)
		mov	esi, eax
		test	esi, esi
		js	loc_983755
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_10], 4
		push	eax
		lea	eax, [ebp+var_14]
		mov	ebx, offset ??_C@_1BA@LEPEEO@?$AAP?$AAh?$AAa?$AAn?$AAt?$AAo?$AAm@NNGAKEGL@ ; "Phantom"
		push	eax
		mov	edx, ebx
		call	_RegRtlQueryValue
		test	eax, eax
		js	short loc_983B54
		cmp	[ebp+var_14], 4
		jnz	short loc_983B54
		cmp	[ebp+var_10], 4
		jnz	short loc_983B54
		mov	eax, [ebp+var_30]
		jmp	short loc_983B56
; 

loc_983B54:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+470j
					; PiCMCreateDevice(x,x,x,x,x,x)+476j ...
		xor	eax, eax

loc_983B56:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+481j
		test	eax, eax
		jz	short loc_983B63
		mov	edx, [ebp+var_C]
		push	ebx
		call	__PnpCtxRegDeleteValue@12 ; _PnpCtxRegDeleteValue(x,x,x)

loc_983B63:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+487j
		test	byte ptr [ebp+var_68], 8
		jz	loc_983C00
		mov	eax, 200h
		push	34706E50h
		push	eax
		push	1
		mov	[ebp+var_10], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		xor	eax, eax
		mov	[ebp+var_38], ebx
		test	ebx, ebx
		jnz	short loc_983B99
		mov	esi, 0C000009Ah
		mov	bl, al
		jmp	loc_983755
; 

loc_983B99:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+4BAj
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		push	5
		push	[ebp+var_C]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_983C00
		cmp	[ebp+var_14], 1
		jnz	short loc_983C00
		cmp	[ebp+var_10], 200h
		ja	short loc_983C00
		xor	ecx, ecx
		cmp	[ebx], cx
		jz	short loc_983C00
		push	edi
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_983C00
		xor	eax, eax
		lea	ecx, [ebp+var_48]
		push	eax
		push	eax
		mov	dl, 1
		call	_PpDeviceRegistration@16 ; PpDeviceRegistration(x,x,x,x)
		mov	esi, eax
		jmp	short loc_983C00
; 

loc_983BF1:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+434j
		mov	esi, 0C0000010h
		jmp	loc_983755
; 

loc_983BFB:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+142j
					; PiCMCreateDevice(x,x,x,x,x,x)+14Bj ...
		mov	esi, 0C000000Dh

loc_983C00:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+1E7j
					; PiCMCreateDevice(x,x,x,x,x,x)+251j ...
		xor	ebx, ebx
		test	esi, esi
		js	loc_983755
		lea	eax, [ebp+var_34]
		mov	edx, 0C8h
		push	eax
		mov	ecx, edi
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_983C3E
		mov	edx, [ebp+var_34]
		mov	eax, [ebp+arg_4]
		inc	edx
		add	eax, 0FFFFFFECh
		mov	[ebp+var_8], edx
		lea	ecx, [edx+edx]
		cmp	eax, ecx
		jnb	short loc_983C39
		mov	esi, 0C0000023h

loc_983C39:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+561j
		mov	eax, [ebp+var_8]
		jmp	short loc_983C42
; 

loc_983C3E:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+54Dj
		xor	edx, edx
		mov	eax, edx

loc_983C42:				; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+56Bj
		xor	ebx, ebx
		test	esi, esi
		js	loc_983758
		push	[ebp+arg_C]
		add	edx, edx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	[ebp+var_54]
		push	edx
		push	edi
		push	ebx
		jmp	loc_98376C
_PiCMCreateDevice@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMCreateObject(x,	x, x, x, x, x)
_PiCMCreateObject@24 proc near		; CODE XREF: PiCMHandleIoctl+119D37p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, [ebp+arg_C]
		xor	eax, eax
		push	esi
		push	edi
		push	7
		and	[ebx], eax
		lea	edi, [ebp+var_1C]
		mov	esi, ecx
		pop	ecx
		rep stosd
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureObjectInputData
		mov	edi, [ebp+var_10]
		mov	esi, eax
		test	esi, esi
		js	loc_983D96
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jnz	short loc_983CAD
		mov	esi, 0C0000022h
		jmp	loc_983D83
; 

loc_983CAD:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+3Fj
		test	edi, edi
		jz	loc_983D7E
		cmp	[ebp+var_18], 0
		jnz	loc_983D7E
		cmp	[ebp+var_8], 0
		jnz	loc_983D7E
		cmp	[ebp+arg_0], 0
		jz	loc_983D7E
		push	8
		pop	edx
		cmp	[ebp+arg_4], edx
		jb	loc_983D7E
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		cmp	eax, 6
		jg	short loc_983D1F
		jz	short loc_983D1B
		sub	eax, 1
		jz	short loc_983D16
		sub	eax, 1
		jz	short loc_983D12
		sub	eax, 1
		jz	short loc_983D0D
		sub	eax, 1
		jz	short loc_983D09
		sub	eax, 1
		jnz	short loc_983D55
		push	5

loc_983D06:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+A9j
					; PiCMCreateObject(x,x,x,x,x,x)+BBj
		pop	ecx
		jmp	short loc_983D63
; 

loc_983D09:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+9Bj
		push	3
		jmp	short loc_983D06
; 

loc_983D0D:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+96j
		push	4

loc_983D0F:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+B2j
		pop	ecx
		jmp	short loc_983D68
; 

loc_983D12:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+91j
		push	2
		jmp	short loc_983D0F
; 

loc_983D16:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+8Cj
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_983D63
; 

loc_983D1B:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+87j
		push	6
		jmp	short loc_983D06
; 

loc_983D1F:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+85j
		sub	eax, 10001h
		jz	short loc_983D46
		sub	eax, 1
		jz	short loc_983D49
		sub	eax, 1
		jz	short loc_983D42
		sub	eax, 1
		jz	short loc_983D3E
		sub	eax, 1
		jnz	short loc_983D55
		push	0Bh
		jmp	short loc_983D48
; 

loc_983D3E:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+D1j
		push	0Ah
		jmp	short loc_983D48
; 

loc_983D42:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+CCj
		push	9
		jmp	short loc_983D48
; 

loc_983D46:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+C2j
		push	7

loc_983D48:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+DAj
					; PiCMCreateObject(x,x,x,x,x,x)+DEj ...
		pop	edx

loc_983D49:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+C7j
		mov	ecx, _PiDrvDbCtx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, edx

loc_983D55:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+A0j
					; PiCMCreateObject(x,x,x,x,x,x)+D6j
		test	ecx, ecx
		jz	short loc_983D7E
		cmp	ecx, 4
		jbe	short loc_983D68
		cmp	ecx, 6
		ja	short loc_983D68

loc_983D63:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+A5j
					; PiCMCreateObject(x,x,x,x,x,x)+B7j
		mov	esi, 0C00000BBh

loc_983D68:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+AEj
					; PiCMCreateObject(x,x,x,x,x,x)+FAj ...
		test	esi, esi
		js	short loc_983D83
		push	ecx
		push	ecx
		push	0
		push	0
		push	ecx
		mov	edx, edi
		call	__PnpCreateObject@28 ; _PnpCreateObject(x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_983D83
; 

loc_983D7E:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+4Dj
					; PiCMCreateObject(x,x,x,x,x,x)+57j ...
		mov	esi, 0C000000Dh

loc_983D83:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+46j
					; PiCMCreateObject(x,x,x,x,x,x)+108j ...
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMReturnBasicResultData
		mov	esi, eax

loc_983D96:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+2Fj
		test	edi, edi
		jz	short loc_983DB3
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_983DB3
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_983DB3:				; CODE XREF: PiCMCreateObject(x,x,x,x,x,x)+136j
					; PiCMCreateObject(x,x,x,x,x,x)+145j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiCMCreateObject@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMDeleteClassKey(x, x, x,	x, x, x)
_PiCMDeleteClassKey@24 proc near	; CODE XREF: PiCMHandleIoctl+119E33p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, [ebp+arg_C]
		xor	eax, eax
		push	esi
		push	edi
		and	[ebp+arg_C], eax
		lea	edi, [ebp+var_1C]
		and	[ebx], eax
		mov	esi, ecx
		push	7
		pop	ecx
		rep stosd
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureObjectInputData
		mov	esi, [ebp+var_10]
		mov	edi, eax
		test	edi, edi
		js	loc_983E74
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jnz	short loc_983E07
		mov	eax, 0C0000022h
		jmp	short loc_983E61
; 

loc_983E07:				; CODE XREF: PiCMDeleteClassKey(x,x,x,x,x,x)+42j
		test	esi, esi
		jz	short loc_983E5C
		cmp	[ebp+var_8], 0
		jnz	short loc_983E5C
		cmp	[ebp+arg_0], 0
		jz	short loc_983E5C
		cmp	[ebp+arg_4], 8
		jb	short loc_983E5C
		cmp	[ebp+var_14], 2
		jz	short loc_983E29
		cmp	[ebp+var_14], 3
		jnz	short loc_983E5C

loc_983E29:				; CODE XREF: PiCMDeleteClassKey(x,x,x,x,x,x)+65j
		mov	eax, [ebp+var_18]
		dec	eax
		cmp	eax, 1
		ja	short loc_983E5C
		lea	ecx, [ebp+arg_C]
		call	PiPnpRtlBeginOperation
		test	eax, eax
		js	short loc_983E61
		cmp	[ebp+var_14], 3
		mov	edx, esi
		mov	ecx, _PiPnpRtlCtx
		push	0
		jnz	short loc_983E55
		call	__CmDeleteInterfaceClass@12 ; _CmDeleteInterfaceClass(x,x,x)
		jmp	short loc_983E61
; 

loc_983E55:				; CODE XREF: PiCMDeleteClassKey(x,x,x,x,x,x)+90j
		call	__CmDeleteInstallerClass@12 ; _CmDeleteInstallerClass(x,x,x)
		jmp	short loc_983E61
; 

loc_983E5C:				; CODE XREF: PiCMDeleteClassKey(x,x,x,x,x,x)+4Dj
					; PiCMDeleteClassKey(x,x,x,x,x,x)+53j ...
		mov	eax, 0C000000Dh

loc_983E61:				; CODE XREF: PiCMDeleteClassKey(x,x,x,x,x,x)+49j
					; PiCMDeleteClassKey(x,x,x,x,x,x)+80j ...
		mov	edx, [ebp+var_4]
		mov	ecx, eax
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMReturnBasicResultData
		mov	edi, eax

loc_983E74:				; CODE XREF: PiCMDeleteClassKey(x,x,x,x,x,x)+32j
		test	esi, esi
		jz	short loc_983E91
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_983E91
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_983E91:				; CODE XREF: PiCMDeleteClassKey(x,x,x,x,x,x)+BAj
					; PiCMDeleteClassKey(x,x,x,x,x,x)+C9j
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_983E9D
		call	PiPnpRtlEndOperation

loc_983E9D:				; CODE XREF: PiCMDeleteClassKey(x,x,x,x,x,x)+DAj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiCMDeleteClassKey@24 endp

; 
		align 4
		db 0CCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMDeleteDevice(x,	x, x, x, x, x)
_PiCMDeleteDevice@24 proc near		; CODE XREF: PiCMHandleIoctl+119DEBp

var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		push	ebx
		push	esi
		push	edi
		push	7
		mov	esi, ecx
		lea	edi, [ebp+var_3C]
		pop	ecx
		xor	eax, eax
		xor	ebx, ebx
		rep stosd
		push	7
		pop	ecx
		lea	edi, [ebp+var_58]
		mov	[ebp+var_18], ebx
		rep stosd
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_10], ebx
		mov	[eax], ebx
		lea	eax, [ebp+var_3C]
		push	eax
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_C], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_8], ebx
		call	PiCMCaptureObjectInputData
		mov	esi, eax
		test	esi, esi
		js	loc_984140
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jnz	short loc_983F13
		mov	esi, 0C0000022h
		jmp	loc_98412B
; 

loc_983F13:				; CODE XREF: PiCMDeleteDevice(x,x,x,x,x,x)+5Ej
		mov	edi, [ebp+var_30]
		test	edi, edi
		jz	loc_984126
		cmp	[ebp+var_38], ebx
		jnz	loc_984126
		xor	ebx, ebx
		inc	ebx
		cmp	[ebp+var_34], ebx
		jnz	loc_984126
		cmp	[ebp+var_28], 0
		jnz	loc_984126
		cmp	[ebp+arg_0], 0
		jz	loc_984126
		cmp	[ebp+arg_4], 8
		jb	loc_984126
		mov	edx, edi
		call	__CmValidateDeviceName@8 ; _CmValidateDeviceName(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98412B
		mov	ecx, edi
		call	__CmIsRootDevice@4 ; _CmIsRootDevice(x)
		test	al, al
		jnz	loc_984126
		lea	ecx, [ebp+var_8]
		call	PiPnpRtlBeginOperation
		mov	esi, eax
		test	esi, esi
		js	loc_98412B
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_10]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		call	__CmGetDeviceStatus@28 ; _CmGetDeviceStatus(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_98406E
		mov	eax, [ebp+var_4]
		test	al, 2
		jz	loc_98406E
		and	eax, 2001h
		cmp	eax, ebx
		jnz	short loc_983FC5
		mov	esi, 0C0000010h
		jmp	loc_98412B
; 

loc_983FC5:				; CODE XREF: PiCMDeleteDevice(x,x,x,x,x,x)+110j
		push	edi
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98412B
		push	3
		pop	ecx
		call	PpDevNodeLockTree
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	ebx
		mov	ebx, offset _PnpRegistryDeviceResource
		push	ebx
		call	ExAcquireResourceExclusiveLite
		push	0
		xor	dl, dl
		lea	ecx, [ebp+var_18]
		call	PiDeviceRegistration
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	0
		call	__CmDeleteDevice@12 ; _CmDeleteDevice(x,x,x)
		mov	ecx, ebx
		mov	esi, eax
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, offset _IopDeviceTreeLock
		call	ExReleaseResourceLite
		mov	ecx, offset _PiEngineLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	esi, esi
		js	loc_98412B
		push	edi
		lea	eax, [ebp+var_58]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_98410E
		push	1Ch
		lea	eax, [ebp+var_58]
		mov	[ebp+var_50], 1
		push	eax
		push	0Eh
		mov	[ebp+var_4C], 40000h
		call	_ZwPlugPlayControl@12 ;	ZwPlugPlayControl(x,x,x)
		jmp	loc_98410E
; 

loc_98406E:				; CODE XREF: PiCMDeleteDevice(x,x,x,x,x,x)+F8j
					; PiCMDeleteDevice(x,x,x,x,x,x)+103j
		push	edi
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98412B
		push	3
		pop	ecx
		call	PpDevNodeLockTree
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	ebx
		mov	ebx, offset _PnpRegistryDeviceResource
		push	ebx
		call	ExAcquireResourceExclusiveLite
		push	0
		xor	dl, dl
		lea	ecx, [ebp+var_18]
		call	PiDeviceRegistration
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	0
		call	__CmDeleteDevice@12 ; _CmDeleteDevice(x,x,x)
		mov	ecx, ebx
		mov	esi, eax
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, offset _IopDeviceTreeLock
		call	ExReleaseResourceLite
		mov	ecx, offset _PiEngineLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	esi, esi
		js	short loc_98412B
		mov	ecx, edi
		call	__CmIsRootEnumeratedDevice@4 ; _CmIsRootEnumeratedDevice(x)
		test	al, al
		jz	short loc_98410E
		push	offset ??_C@_1BK@CCOOHMCM@?$AAH?$AAT?$AAR?$AAE?$AAE?$AA?2?$AAR?$AAO?$AAO?$AAT?$AA?2?$AA0@NNGAKEGL@
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_98410E
		push	0
		push	1
		push	ecx
		push	8
		pop	edx
		lea	ecx, [ebp+var_18]
		call	_PiQueueDeviceRequest@20 ; PiQueueDeviceRequest(x,x,x,x,x)

loc_98410E:				; CODE XREF: PiCMDeleteDevice(x,x,x,x,x,x)+19Fj
					; PiCMDeleteDevice(x,x,x,x,x,x)+1C0j ...
		push	edi
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_98412B
		lea	ecx, [ebp+var_20]
		call	PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance
		jmp	short loc_98412B
; 

loc_984126:				; CODE XREF: PiCMDeleteDevice(x,x,x,x,x,x)+6Fj
					; PiCMDeleteDevice(x,x,x,x,x,x)+78j ...
		mov	esi, 0C000000Dh

loc_98412B:				; CODE XREF: PiCMDeleteDevice(x,x,x,x,x,x)+65j
					; PiCMDeleteDevice(x,x,x,x,x,x)+B3j ...
		push	[ebp+arg_C]
		mov	edx, [ebp+var_24]
		mov	ecx, esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMReturnBasicResultData
		mov	esi, eax

loc_984140:				; CODE XREF: PiCMDeleteDevice(x,x,x,x,x,x)+4Ej
		lea	ecx, [ebp+var_3C]
		call	_PiCMReleaseObjectInputData@8 ;	PiCMReleaseObjectInputData(x,x)
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_984154
		call	PiPnpRtlEndOperation

loc_984154:				; CODE XREF: PiCMDeleteDevice(x,x,x,x,x,x)+2A4j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiCMDeleteDevice@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMDeleteDeviceInterfaceKey(x, x, x, x, x,	x)
_PiCMDeleteDeviceInterfaceKey@24 proc near ; CODE XREF:	PiCMHandleIoctl+119E0Fp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, [ebp+arg_C]
		xor	eax, eax
		push	esi
		push	edi
		push	7
		and	[ebx], eax
		lea	edi, [ebp+var_1C]
		mov	esi, ecx
		pop	ecx
		rep stosd
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureObjectInputData
		mov	esi, [ebp+var_10]
		mov	edi, eax
		test	edi, edi
		js	short loc_9841EF
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jnz	short loc_9841A1
		mov	eax, 0C0000022h
		jmp	short loc_9841DC
; 

loc_9841A1:				; CODE XREF: PiCMDeleteDeviceInterfaceKey(x,x,x,x,x,x)+3Bj
		test	esi, esi
		jz	short loc_9841D7
		cmp	[ebp+var_18], 0
		jnz	short loc_9841D7
		cmp	[ebp+var_14], 4
		jnz	short loc_9841D7
		cmp	[ebp+var_8], 0
		jnz	short loc_9841D7
		cmp	[ebp+arg_0], 0
		jz	short loc_9841D7
		cmp	[ebp+arg_4], 8
		jb	short loc_9841D7
		push	1
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		mov	edx, esi
		push	32h
		call	__CmDeleteDeviceInterfaceRegKey@20 ; _CmDeleteDeviceInterfaceRegKey(x,x,x,x,x)
		jmp	short loc_9841DC
; 

loc_9841D7:				; CODE XREF: PiCMDeleteDeviceInterfaceKey(x,x,x,x,x,x)+46j
					; PiCMDeleteDeviceInterfaceKey(x,x,x,x,x,x)+4Cj ...
		mov	eax, 0C000000Dh

loc_9841DC:				; CODE XREF: PiCMDeleteDeviceInterfaceKey(x,x,x,x,x,x)+42j
					; PiCMDeleteDeviceInterfaceKey(x,x,x,x,x,x)+78j
		mov	edx, [ebp+var_4]
		mov	ecx, eax
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMReturnBasicResultData
		mov	edi, eax

loc_9841EF:				; CODE XREF: PiCMDeleteDeviceInterfaceKey(x,x,x,x,x,x)+2Fj
		test	esi, esi
		jz	short loc_98420C
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_98420C
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98420C:				; CODE XREF: PiCMDeleteDeviceInterfaceKey(x,x,x,x,x,x)+94j
					; PiCMDeleteDeviceInterfaceKey(x,x,x,x,x,x)+A3j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiCMDeleteDeviceInterfaceKey@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMDeleteDeviceKey(x, x, x, x, x, x)
_PiCMDeleteDeviceKey@24	proc near	; CODE XREF: PiCMHandleIoctl+119E21p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		push	7
		mov	esi, ecx
		mov	[ebp+var_14], eax
		xor	eax, eax
		mov	ebx, [ebp+arg_0]
		pop	ecx
		lea	edi, [ebp+var_50]
		mov	[ebp+var_34], eax
		rep stosd
		mov	edi, [ebp+var_14]
		mov	[ebp+var_30], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], eax
		mov	[edi], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_50]
		push	eax
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_20], ebx
		call	PiCMCaptureObjectInputData
		mov	esi, eax
		test	esi, esi
		js	loc_9843B8
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jnz	short loc_984285
		mov	esi, 0C0000022h
		jmp	loc_984399
; 

loc_984285:				; CODE XREF: PiCMDeleteDeviceKey(x,x,x,x,x,x)+64j
		cmp	[ebp+var_44], 0
		jz	loc_984403
		cmp	[ebp+var_48], 1
		jnz	loc_984403
		test	ebx, ebx
		jz	loc_984403
		cmp	[ebp+arg_4], 8
		jb	loc_984403
		mov	edi, [ebp+var_4C]
		lea	edx, [ebp+var_1C]
		mov	ecx, edi
		call	PiCMConvertDeviceKeyType
		mov	esi, eax
		test	esi, esi
		js	loc_984396
		and	edi, 0FF00h
		cmp	edi, 200h
		jnz	loc_9843EA
		cmp	[ebp+var_3C], 0FFFFFFFFh
		jnz	loc_9843EA
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_24]
		push	eax
		push	4
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		test	eax, eax
		js	loc_984396
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jnz	short loc_984305
		xor	ecx, ecx
		jmp	short loc_984308
; 

loc_984305:				; CODE XREF: PiCMDeleteDeviceKey(x,x,x,x,x,x)+EAj
		mov	ecx, [eax+74h]

loc_984308:				; CODE XREF: PiCMDeleteDeviceKey(x,x,x,x,x,x)+EEj
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_18]
		push	eax
		push	8
		xor	ebx, ebx
		push	ebx
		push	offset ??_C@_1EK@JDAEMMIE@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAI?$AAD?$AAC?$AAo?$AAn?$AAf?$AAi@NNGAKEGL@
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_984393

loc_984322:				; CODE XREF: PiCMDeleteDeviceKey(x,x,x,x,x,x)+17Cj
		test	esi, esi
		js	short loc_984393
		mov	ecx, [ebp+var_18]
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_2C], 5
		push	eax
		mov	edx, ebx
		call	_RegRtlEnumKey
		mov	edi, eax
		test	edi, edi
		js	short loc_98438E
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_98438E
		lea	eax, [ebp+var_28]
		push	eax
		push	0
		lea	eax, [ebp+var_34]
		push	eax
		call	RtlUnicodeStringToInteger
		mov	edi, eax
		test	edi, edi
		js	short loc_98438E
		mov	edx, [ebp+var_44]
		push	ecx
		push	[ebp+var_28]
		mov	ecx, _PiPnpRtlCtx
		push	[ebp+var_1C]
		call	__CmDeleteDeviceRegKey@20 ; _CmDeleteDeviceRegKey(x,x,x,x,x)
		lea	esi, [eax+3FFFFFCCh]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_98438E:				; CODE XREF: PiCMDeleteDeviceKey(x,x,x,x,x,x)+12Ej
					; PiCMDeleteDeviceKey(x,x,x,x,x,x)+141j ...
		inc	ebx
		test	edi, edi
		jns	short loc_984322

loc_984393:				; CODE XREF: PiCMDeleteDeviceKey(x,x,x,x,x,x)+10Bj
					; PiCMDeleteDeviceKey(x,x,x,x,x,x)+10Fj
		mov	ebx, [ebp+var_20]

loc_984396:				; CODE XREF: PiCMDeleteDeviceKey(x,x,x,x,x,x)+A7j
					; PiCMDeleteDeviceKey(x,x,x,x,x,x)+DDj	...
		mov	edi, [ebp+var_14]

loc_984399:				; CODE XREF: PiCMDeleteDeviceKey(x,x,x,x,x,x)+6Bj
					; PiCMDeleteDeviceKey(x,x,x,x,x,x)+1F3j
		cmp	[ebp+var_18], 0
		jz	short loc_9843A7
		push	[ebp+var_18]
		call	_ZwClose@4	; ZwClose(x)

loc_9843A7:				; CODE XREF: PiCMDeleteDeviceKey(x,x,x,x,x,x)+188j
		mov	edx, [ebp+var_38]
		mov	ecx, esi
		push	edi
		push	[ebp+arg_4]
		push	ebx
		call	PiCMReturnBasicResultData
		mov	esi, eax

loc_9843B8:				; CODE XREF: PiCMDeleteDeviceKey(x,x,x,x,x,x)+54j
		cmp	[ebp+var_44], 0
		jz	short loc_9843D7
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_9843D7
		push	0
		push	[ebp+var_44]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9843D7:				; CODE XREF: PiCMDeleteDeviceKey(x,x,x,x,x,x)+1A7j
					; PiCMDeleteDeviceKey(x,x,x,x,x,x)+1B6j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_9843EA:				; CODE XREF: PiCMDeleteDeviceKey(x,x,x,x,x,x)+B9j
					; PiCMDeleteDeviceKey(x,x,x,x,x,x)+C3j
		mov	edx, [ebp+var_44]
		push	ecx
		push	[ebp+var_3C]
		mov	ecx, _PiPnpRtlCtx
		push	[ebp+var_1C]
		call	__CmDeleteDeviceRegKey@20 ; _CmDeleteDeviceRegKey(x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_984396
; 

loc_984403:				; CODE XREF: PiCMDeleteDeviceKey(x,x,x,x,x,x)+74j
					; PiCMDeleteDeviceKey(x,x,x,x,x,x)+7Ej	...
		mov	esi, 0C000000Dh
		jmp	short loc_984399
_PiCMDeleteDeviceKey@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMDeleteObject(x,	x, x, x, x, x)
_PiCMDeleteObject@24 proc near		; CODE XREF: PiCMHandleIoctl+119D49p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	7
		mov	esi, ecx
		and	[ebp+var_4], 0
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_20]
		rep stosd
		mov	eax, [ebp+arg_C]
		and	dword ptr [eax], 0
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureObjectInputData
		mov	ebx, [ebp+var_14]
		mov	edi, eax
		test	edi, edi
		js	loc_98454F
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jnz	short loc_98445A
		mov	edi, 0C0000022h
		jmp	loc_98453A
; 

loc_98445A:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+44j
		test	ebx, ebx
		jz	loc_984535
		cmp	[ebp+var_1C], 0
		jnz	loc_984535
		cmp	[ebp+var_C], 0
		jnz	loc_984535
		cmp	[ebp+arg_0], 0
		jz	loc_984535
		push	8
		pop	ecx
		cmp	[ebp+arg_4], ecx
		jb	loc_984535
		mov	eax, [ebp+var_18]
		xor	esi, esi
		push	6
		pop	edx
		cmp	eax, edx
		jg	short loc_9844CE
		jz	short loc_9844CA
		sub	eax, 1
		jz	short loc_9844C5
		sub	eax, 1
		jz	short loc_9844C1
		sub	eax, 1
		jz	short loc_9844BC
		sub	eax, 1
		jz	short loc_9844B8
		sub	eax, 1
		jnz	short loc_984504
		push	5

loc_9844B5:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+B0j
		pop	esi
		jmp	short loc_984511
; 

loc_9844B8:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+A2j
		push	3
		jmp	short loc_9844B5
; 

loc_9844BC:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+9Dj
		push	4

loc_9844BE:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+B9j
		pop	esi
		jmp	short loc_984516
; 

loc_9844C1:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+98j
		push	2
		jmp	short loc_9844BE
; 

loc_9844C5:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+93j
		xor	esi, esi
		inc	esi
		jmp	short loc_984511
; 

loc_9844CA:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+8Ej
		mov	esi, edx
		jmp	short loc_984511
; 

loc_9844CE:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+8Cj
		sub	eax, 10001h
		jz	short loc_9844F5
		sub	eax, 1
		jz	short loc_9844F8
		sub	eax, 1
		jz	short loc_9844F1
		sub	eax, 1
		jz	short loc_9844ED
		sub	eax, 1
		jnz	short loc_984504
		push	0Bh
		jmp	short loc_9844F7
; 

loc_9844ED:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+D8j
		push	0Ah
		jmp	short loc_9844F7
; 

loc_9844F1:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+D3j
		push	9
		jmp	short loc_9844F7
; 

loc_9844F5:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+C9j
		push	7

loc_9844F7:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+E1j
					; PiCMDeleteObject(x,x,x,x,x,x)+E5j ...
		pop	ecx

loc_9844F8:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+CEj
		mov	esi, _PiDrvDbCtx
		neg	esi
		sbb	esi, esi
		and	esi, ecx

loc_984504:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+A7j
					; PiCMDeleteObject(x,x,x,x,x,x)+DDj
		test	esi, esi
		jz	short loc_984535
		cmp	esi, 4
		jbe	short loc_984516
		cmp	esi, edx
		ja	short loc_984516

loc_984511:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+ACj
					; PiCMDeleteObject(x,x,x,x,x,x)+BEj ...
		mov	edi, 0C00000BBh

loc_984516:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+B5j
					; PiCMDeleteObject(x,x,x,x,x,x)+101j ...
		test	edi, edi
		js	short loc_98453A
		lea	ecx, [ebp+var_4]
		call	PiPnpRtlBeginOperation
		mov	edi, eax
		test	edi, edi
		js	short loc_98453A
		push	ecx
		push	esi
		mov	edx, ebx
		call	__PnpDeleteObject@16 ; _PnpDeleteObject(x,x,x,x)
		mov	edi, eax
		jmp	short loc_98453A
; 

loc_984535:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+52j
					; PiCMDeleteObject(x,x,x,x,x,x)+5Cj ...
		mov	edi, 0C000000Dh

loc_98453A:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+4Bj
					; PiCMDeleteObject(x,x,x,x,x,x)+10Ej ...
		push	[ebp+arg_C]
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMReturnBasicResultData
		mov	edi, eax

loc_98454F:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+34j
		test	ebx, ebx
		jz	short loc_98456C
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_98456C
		push	0
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98456C:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+147j
					; PiCMDeleteObject(x,x,x,x,x,x)+156j
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_984578
		call	PiPnpRtlEndOperation

loc_984578:				; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+167j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiCMDeleteObject@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMDeviceAction(x,	x, x, x, x, x)
_PiCMDeviceAction@24 proc near		; CODE XREF: PiCMHandleIoctl+119DFDp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		push	7
		mov	esi, ecx
		and	[ebp+var_1C], 0
		xor	eax, eax
		and	[ebp+var_18], 0
		and	[ebp+var_4], eax
		lea	edi, [ebp+var_38]
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_C]
		xor	edi, edi
		and	[ebp+var_8], 0
		and	[ebp+var_14], 0
		and	[ebp+var_10], 0
		and	dword ptr [eax], 0
		lea	eax, [ebp+var_38]
		and	[ebp+var_C], 0
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureObjectInputData
		mov	esi, eax
		test	esi, esi
		js	loc_98480C
		cmp	[ebp+var_2C], edi
		jz	loc_9847F2
		cmp	[ebp+var_30], 1
		jnz	loc_9847F2
		cmp	[ebp+arg_0], edi
		jz	loc_9847F2
		cmp	[ebp+arg_4], 8
		jb	loc_9847F2
		mov	ebx, [ebp+var_24]
		mov	ecx, 0C000000Dh
		mov	eax, ebx
		sub	eax, 1
		jz	short loc_984621
		sub	eax, 1
		jz	short loc_984612
		mov	esi, ecx
		jmp	loc_9847F7
; 

loc_984612:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+88j
		mov	eax, [ebp+var_34]
		mov	[ebp+var_C], eax
		test	eax, eax
		jle	short loc_98462D
		cmp	eax, 3
		jmp	short loc_98462B
; 

loc_984621:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+83j
		mov	edi, [ebp+var_34]
		test	edi, edi
		jle	short loc_98462D
		cmp	edi, 7

loc_98462B:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+9Ej
		jl	short loc_98462F

loc_98462D:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+99j
					; PiCMDeviceAction(x,x,x,x,x,x)+A5j
		mov	esi, ecx

loc_98462F:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x):loc_98462Bj
		test	esi, esi
		js	loc_9847F7
		mov	edx, [ebp+var_2C]
		call	__CmValidateDeviceName@8 ; _CmValidateDeviceName(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9847F7
		sub	ebx, 1
		jz	short loc_9846A5
		sub	ebx, 1
		jnz	loc_9847F2
		push	20h
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jz	short loc_98469B
		push	0Ah
		pop	ecx
		call	_PiAuDoesClientHavePrivilege@4 ; PiAuDoesClientHavePrivilege(x)
		test	al, al
		jz	short loc_98469B
		push	[ebp+var_2C]
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9847F7
		xor	eax, eax
		cmp	[ebp+var_C], 2
		push	ebx
		setnz	al
		push	eax
		push	ecx
		push	9
		lea	ecx, [ebp+var_1C]
		jmp	loc_9847E8
; 

loc_98469B:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+E0j
					; PiCMDeviceAction(x,x,x,x,x,x)+ECj ...
		mov	esi, 0C0000022h
		jmp	loc_9847F7
; 

loc_9846A5:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+CBj
		test	edi, edi
		jle	loc_9847F2
		push	2
		pop	ecx
		cmp	edi, ecx
		jle	loc_984752
		cmp	edi, 6
		jg	loc_9847F2
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jz	short loc_98469B
		push	0Ah
		pop	ecx
		call	_PiAuDoesClientHavePrivilege@4 ; PiAuDoesClientHavePrivilege(x)
		test	al, al
		jz	short loc_98469B
		push	[ebp+var_2C]
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9847F7
		sub	edi, 3
		jz	short loc_98472E
		sub	edi, 1
		jz	short loc_984723
		sub	edi, 1
		jz	short loc_984718
		sub	edi, 1
		jz	short loc_98470D
		mov	esi, 0C000000Dh
		mov	[ebp+var_4], esi
		jmp	loc_9847F7
; 

loc_98470D:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+17Dj
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	ecx
		push	18h
		jmp	short loc_984737
; 

loc_984718:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+178j
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	ecx
		push	17h
		jmp	short loc_984737
; 

loc_984723:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+173j
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	ecx
		push	16h
		jmp	short loc_984737
; 

loc_98472E:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+16Ej
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	ecx
		push	15h

loc_984737:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+195j
					; PiCMDeviceAction(x,x,x,x,x,x)+1A0j ...
		pop	edx
		lea	ecx, [ebp+var_1C]
		call	_PiQueueDeviceRequest@20 ; PiQueueDeviceRequest(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9847F7
		mov	esi, [ebp+var_4]
		jmp	loc_9847F7
; 

loc_984752:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+131j
		push	20h
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jz	loc_98469B
		push	0Ah
		pop	ecx
		call	_PiAuDoesClientHavePrivilege@4 ; PiAuDoesClientHavePrivilege(x)
		test	al, al
		jz	loc_98469B
		mov	ecx, [ebp+var_2C]
		call	__CmIsRootDevice@4 ; _CmIsRootDevice(x)
		test	al, al
		jnz	short loc_9847F2
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_10]
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		call	__CmGetDeviceStatus@28 ; _CmGetDeviceStatus(x,x,x,x,x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		js	short loc_9847C3
		test	byte ptr [ebp+var_8], 8
		jnz	short loc_9847F7
		test	[ebp+var_8], 400h
		jz	short loc_9847C3
		mov	ecx, [ebp+var_2C]
		xor	edx, edx
		push	1
		call	_PiCMSetProblem@12 ; PiCMSetProblem(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9847F7

loc_9847C3:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+21Fj
					; PiCMDeviceAction(x,x,x,x,x,x)+22Ej
		push	[ebp+var_2C]
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9847F7
		push	0
		push	1
		push	ecx
		lea	ecx, [ebp+var_1C]
		cmp	edi, 1
		jnz	short loc_9847E6
		push	10h
		jmp	short loc_9847E8
; 

loc_9847E6:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+25Fj
		push	0Ch

loc_9847E8:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+115j
					; PiCMDeviceAction(x,x,x,x,x,x)+263j
		pop	edx
		call	_PiQueueDeviceRequest@20 ; PiQueueDeviceRequest(x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_9847F7
; 

loc_9847F2:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+53j
					; PiCMDeviceAction(x,x,x,x,x,x)+5Dj ...
		mov	esi, 0C000000Dh

loc_9847F7:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+8Cj
					; PiCMDeviceAction(x,x,x,x,x,x)+B0j ...
		push	[ebp+arg_C]
		mov	edx, [ebp+var_20]
		mov	ecx, esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMReturnBasicResultData
		mov	esi, eax

loc_98480C:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+4Aj
		cmp	[ebp+var_2C], 0
		jz	short loc_98482B
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_98482B
		push	0
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98482B:				; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+28Fj
					; PiCMDeviceAction(x,x,x,x,x,x)+29Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiCMDeviceAction@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMEnumerateSubKeys(x, x, x, x, x,	x)
_PiCMEnumerateSubKeys@24 proc near	; CODE XREF: PiCMHandleIoctl+119D25p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_20]
		stosd
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], ebx
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_C]
		mov	edi, ebx
		mov	[eax], ebx
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		call	_PiCMCaptureEnumerateInputData@16 ; PiCMCaptureEnumerateInputData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9848A4
		cmp	[ebp+var_1C], ebx
		mov	ebx, [ebp+arg_4]
		jz	short loc_9848AD

loc_984873:				; CODE XREF: PiCMEnumerateSubKeys(x,x,x,x,x,x)+91j
					; PiCMEnumerateSubKeys(x,x,x,x,x,x)+C2j
		mov	ecx, 0C000000Dh

loc_984878:				; CODE XREF: PiCMEnumerateSubKeys(x,x,x,x,x,x)+ABj
					; PiCMEnumerateSubKeys(x,x,x,x,x,x)+EEj ...
		push	[ebp+arg_C]	; int
		mov	eax, [ebp+var_8]
		push	ebx		; int
		push	[ebp+arg_0]	; int
		push	[ebp+var_10]	; int
		lea	edx, [eax+eax]
		push	0		; size_t
		push	0		; void *

loc_98488C:				; CODE XREF: PiCMEnumerateSubKeys(x,x,x,x,x,x)+1A2j
		push	0		; int
		call	PiCMReturnBufferResultData
		mov	esi, eax
		test	edi, edi
		jz	short loc_9848A4
		push	34706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9848A4:				; CODE XREF: PiCMEnumerateSubKeys(x,x,x,x,x,x)+35j
					; PiCMEnumerateSubKeys(x,x,x,x,x,x)+63j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_9848AD:				; CODE XREF: PiCMEnumerateSubKeys(x,x,x,x,x,x)+3Dj
		cmp	[ebp+arg_0], edi
		jz	loc_9849B7
		cmp	ebx, 14h
		jb	loc_9849B7
		lea	esi, [ebx-14h]
		cmp	esi, 2
		jb	short loc_984873
		push	34706E50h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9848E1
		mov	ecx, 0C000009Ah
		jmp	short loc_984878
; 

loc_9848E1:				; CODE XREF: PiCMEnumerateSubKeys(x,x,x,x,x,x)+A4j
		mov	eax, [ebp+var_18]
		shr	esi, 1
		mov	[ebp+var_8], esi
		sub	eax, 1
		jz	short loc_98490C
		sub	eax, 1
		jz	short loc_984904
		sub	eax, 1
		jnz	loc_984873
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		jmp	short loc_984912
; 

loc_984904:				; CODE XREF: PiCMEnumerateSubKeys(x,x,x,x,x,x)+BDj
		lea	eax, [ebp+var_4]
		push	eax
		push	7
		jmp	short loc_984912
; 

loc_98490C:				; CODE XREF: PiCMEnumerateSubKeys(x,x,x,x,x,x)+B8j
		lea	eax, [ebp+var_4]
		push	eax
		push	5

loc_984912:				; CODE XREF: PiCMEnumerateSubKeys(x,x,x,x,x,x)+CEj
					; PiCMEnumerateSubKeys(x,x,x,x,x,x)+D6j
		mov	ecx, _PiPnpRtlCtx
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_984878
		mov	esi, [ebp+var_14]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	eax
		push	edi
		call	_RegRtlEnumKey
		mov	ecx, eax
		cmp	ecx, 8000001Ah
		jnz	short loc_9849BC
		cmp	[ebp+var_18], 3
		jnz	loc_984878
		call	_CmIsStateSeparationEnabled@0 ;	CmIsStateSeparationEnabled()
		test	al, al
		jz	loc_984878
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_984878
		cmp	esi, [ebp+var_C]
		jnb	short loc_984985
		mov	ecx, 0C00000E5h
		jmp	loc_984878
; 

loc_984985:				; CODE XREF: PiCMEnumerateSubKeys(x,x,x,x,x,x)+145j
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_4]
		push	eax
		push	9
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_984878
		sub	esi, [ebp+var_C]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	eax
		push	edi
		call	_RegRtlEnumKey
		mov	ecx, eax
		jmp	short loc_9849BC
; 

loc_9849B7:				; CODE XREF: PiCMEnumerateSubKeys(x,x,x,x,x,x)+7Cj
					; PiCMEnumerateSubKeys(x,x,x,x,x,x)+85j
		mov	ecx, 0C000000Dh

loc_9849BC:				; CODE XREF: PiCMEnumerateSubKeys(x,x,x,x,x,x)+10Ej
					; PiCMEnumerateSubKeys(x,x,x,x,x,x)+181j
		test	ecx, ecx
		js	loc_984878
		push	[ebp+arg_C]
		mov	eax, [ebp+var_8]
		push	ebx
		push	[ebp+arg_0]
		push	[ebp+var_10]
		lea	edx, [eax+eax]
		push	edx
		push	edi
		jmp	loc_98488C
_PiCMEnumerateSubKeys@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMGenerateDeviceInstance(x, x, x,	x)
_PiCMGenerateDeviceInstance@16 proc near ; CODE	XREF: PiCMCreateDevice(x,x,x,x,x,x)+1DDp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		mov	ebx, dword ptr [ebp+arg_0]
		mov	eax, ecx
		xor	ecx, ecx
		mov	[ebp+var_3], dl
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		mov	edx, 0C8h
		mov	[ebp+var_14], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_10], ecx
		mov	[ebx], cx
		lea	ecx, [ebp+var_20]
		push	ecx
		mov	ecx, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], edi
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_984C95
		mov	eax, [ebp+var_C]
		mov	edx, eax
		movzx	eax, word ptr [eax]
		test	ax, ax
		jz	short loc_984A5F
		mov	ecx, eax

loc_984A36:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+7Bj
		lea	eax, [ecx-21h]
		cmp	ax, 5Eh
		ja	short loc_984A5A
		cmp	cx, 2Ch
		jz	short loc_984A5A
		cmp	cx, 5Ch
		jz	short loc_984A5A
		add	edx, 2
		movzx	eax, word ptr [edx]
		mov	ecx, eax
		test	ax, ax
		jnz	short loc_984A36
		jmp	short loc_984A5F
; 

loc_984A5A:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+62j
					; PiCMGenerateDeviceInstance(x,x,x,x)+68j ...
		mov	esi, 0C0000033h

loc_984A5F:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+57j
					; PiCMGenerateDeviceInstance(x,x,x,x)+7Dj
		test	esi, esi
		js	loc_984C95
		push	800h
		push	0
		push	0
		push	offset ??_C@_19LFKAPJKP@?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@ ; "Root"
		mov	edx, 0C8h
		mov	ecx, ebx
		call	RtlStringCchCopyExW
		mov	esi, eax
		test	esi, esi
		js	loc_984C95
		push	ebx
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_984C95
		push	0
		lea	eax, [ebp+var_28]
		push	eax
		push	eax
		call	RtlUpcaseUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_984C95
		sub	esp, 0Ch
		mov	edx, 0C8h
		mov	ecx, ebx
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		call	RtlStringCchCatExW
		mov	esi, eax
		test	esi, esi
		js	loc_984C95
		sub	esp, 0Ch
		mov	edx, 0C8h
		mov	ecx, ebx
		push	[ebp+var_C]
		call	RtlStringCchCatExW
		mov	esi, eax
		test	esi, esi
		js	loc_984C95
		push	34706E50h
		push	190h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_984B10
		mov	esi, 0C000009Ah
		jmp	loc_984CA2
; 

loc_984B10:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+129j
		xor	esi, esi
		mov	[ebp+var_C], esi

loc_984B15:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+209j
		test	edi, edi
		jz	short loc_984B24
		push	edi
		call	_ZwClose@4	; ZwClose(x)
		xor	edi, edi
		mov	[ebp+var_8], edi

loc_984B24:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+13Cj
		push	esi
		push	dword ptr [ebp+arg_0] ;	char
		push	offset ??_C@_1BA@DOOOBNCO@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAu@NNGAKEGL@ ; wchar_t *
		push	800h		; int
		push	0		; int
		push	0		; int
		push	0C8h		; int
		push	ebx		; void *
		call	RtlStringCchPrintfExW
		mov	esi, eax
		add	esp, 20h
		test	esi, esi
		js	loc_984C80
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_18]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	0
		call	__CmGetDeviceStatus@28 ; _CmGetDeviceStatus(x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_984BD3
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _PnpRegistryDeviceResource
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp-1]
		push	0
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_2], 1
		push	eax
		push	20006h
		mov	edx, ebx
		mov	[ebp+var_1], 0
		call	_CmCreateDevice
		mov	esi, eax
		test	esi, esi
		js	loc_984C6A
		cmp	[ebp+var_1], 0
		jnz	short loc_984BEC
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, [ebp+var_8]

loc_984BD3:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+191j
		mov	esi, [ebp+var_C]
		inc	esi
		mov	[ebp+var_2], 0
		mov	[ebp+var_C], esi
		cmp	esi, 270Fh
		jbe	loc_984B15
		jmp	short loc_984BF2
; 

loc_984BEC:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+1E0j
		mov	edi, [ebp+var_8]
		mov	esi, [ebp+var_C]

loc_984BF2:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+20Fj
		cmp	esi, 270Fh
		jbe	short loc_984C01
		mov	esi, 8000001Ah
		jmp	short loc_984C5F
; 

loc_984C01:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+21Dj
		mov	edx, ebx
		call	__CmValidateDeviceName@8 ; _CmValidateDeviceName(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_984C50
		mov	ecx, dword ptr [ebp+arg_0]
		mov	edx, 0C8h
		push	800h
		push	0
		push	0
		push	ebx
		call	RtlStringCchCopyExW
		mov	esi, eax
		test	esi, esi
		js	short loc_984C50
		cmp	[ebp+var_3], 0
		jz	short loc_984C5F
		push	4
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], 1
		push	eax
		push	4
		mov	edx, offset ??_C@_1BA@LEPEEO@?$AAP?$AAh?$AAa?$AAn?$AAt?$AAo?$AAm@NNGAKEGL@ ; "Phantom"
		mov	ecx, edi
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_984C5F
; 

loc_984C50:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+231j
					; PiCMGenerateDeviceInstance(x,x,x,x)+24Ej
		mov	ecx, _PiPnpRtlCtx
		mov	edx, ebx
		push	0
		call	__CmDeleteDevice@12 ; _CmDeleteDevice(x,x,x)

loc_984C5F:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+224j
					; PiCMGenerateDeviceInstance(x,x,x,x)+254j ...
		cmp	[ebp+var_2], 0
		jz	short loc_984C80
		mov	edi, offset _PnpRegistryDeviceResource

loc_984C6A:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+1D6j
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, [ebp+var_8]

loc_984C80:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+16Dj
					; PiCMGenerateDeviceInstance(x,x,x,x)+288j
		test	edi, edi
		jz	short loc_984C8A
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_984C8A:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+2A7j
		push	34706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_984C95:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+46j
					; PiCMGenerateDeviceInstance(x,x,x,x)+86j ...
		cmp	esi, 80000005h
		jnz	short loc_984CA2
		mov	esi, 0C0000023h

loc_984CA2:				; CODE XREF: PiCMGenerateDeviceInstance(x,x,x,x)+130j
					; PiCMGenerateDeviceInstance(x,x,x,x)+2C0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiCMGenerateDeviceInstance@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMGetDeviceDepth(x, x, x,	x, x, x)
_PiCMGetDeviceDepth@24 proc near	; CODE XREF: PiCMHandleIoctl+119D7Fp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		push	7
		mov	esi, ecx
		lea	edi, [ebp+var_28]
		pop	ecx
		xor	eax, eax
		xor	ebx, ebx
		rep stosd
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	[eax], ebx
		lea	eax, [ebp+var_28]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureObjectInputData
		mov	esi, [ebp+var_1C]
		mov	edi, eax
		test	edi, edi
		js	short loc_984D4B
		test	esi, esi
		jz	short loc_984D2F
		cmp	[ebp+var_24], ebx
		jnz	short loc_984D2F
		cmp	[ebp+var_20], 1
		jnz	short loc_984D2F
		cmp	[ebp+var_14], ebx
		jnz	short loc_984D2F
		cmp	[ebp+arg_0], ebx
		jz	short loc_984D2F
		cmp	[ebp+arg_4], 0Ch
		jb	short loc_984D2F
		mov	edx, esi
		call	__CmValidateDeviceName@8 ; _CmValidateDeviceName(x,x)
		test	eax, eax
		js	short loc_984D34
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_984D34
		lea	edx, [ebp+var_4]
		lea	ecx, [ebp+var_C]
		call	_PiGetDeviceDepth@8 ; PiGetDeviceDepth(x,x)
		mov	ebx, [ebp+var_4]
		jmp	short loc_984D34
; 

loc_984D2F:				; CODE XREF: PiCMGetDeviceDepth(x,x,x,x,x,x)+3Ej
					; PiCMGetDeviceDepth(x,x,x,x,x,x)+43j ...
		mov	eax, 0C000000Dh

loc_984D34:				; CODE XREF: PiCMGetDeviceDepth(x,x,x,x,x,x)+64j
					; PiCMGetDeviceDepth(x,x,x,x,x,x)+72j ...
		push	[ebp+arg_C]
		mov	edx, ebx
		mov	ecx, eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	[ebp+var_10]
		call	_PiCMReturnDepthResultData@24 ;	PiCMReturnDepthResultData(x,x,x,x,x,x)
		mov	edi, eax

loc_984D4B:				; CODE XREF: PiCMGetDeviceDepth(x,x,x,x,x,x)+3Aj
		test	esi, esi
		jz	short loc_984D68
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_984D68
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_984D68:				; CODE XREF: PiCMGetDeviceDepth(x,x,x,x,x,x)+A2j
					; PiCMGetDeviceDepth(x,x,x,x,x,x)+B1j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiCMGetDeviceDepth@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMGetObjectPropertyKeys(x, x, x, x, x, x)
_PiCMGetObjectPropertyKeys@24 proc near	; CODE XREF: PiCMHandleIoctl+119D5Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	7
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		pop	ebx
		xor	eax, eax
		mov	ecx, ebx
		rep stosd
		mov	eax, [ebp+arg_C]
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		mov	[eax], ecx
		lea	eax, [ebp+var_24]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureObjectInputData
		mov	edi, eax
		test	edi, edi
		js	loc_984EBE
		cmp	[ebp+var_18], 0
		jz	loc_984F24
		cmp	[ebp+var_20], 0
		jnz	loc_984F24
		cmp	[ebp+var_10], 0
		jnz	loc_984F24
		cmp	[ebp+arg_0], 0
		jz	loc_984F1A
		mov	ecx, [ebp+arg_4]
		push	14h
		pop	edx
		cmp	ecx, edx
		jb	loc_984F1A
		mov	eax, [ebp+var_1C]
		xor	esi, esi
		cmp	eax, 6
		jg	short loc_984E22
		jz	short loc_984E1E
		sub	eax, 1
		jz	short loc_984E19
		sub	eax, 1
		jz	short loc_984E15
		sub	eax, 1
		jz	short loc_984E11
		sub	eax, 1
		jz	short loc_984E0D
		sub	eax, 1
		jnz	short loc_984E58
		push	5

loc_984E0A:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+9Ej
					; PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+A2j ...
		pop	esi
		jmp	short loc_984E61
; 

loc_984E0D:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+90j
		push	3
		jmp	short loc_984E0A
; 

loc_984E11:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+8Bj
		push	4
		jmp	short loc_984E0A
; 

loc_984E15:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+86j
		push	2
		jmp	short loc_984E0A
; 

loc_984E19:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+81j
		xor	esi, esi
		inc	esi
		jmp	short loc_984E61
; 

loc_984E1E:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+7Cj
		push	6
		jmp	short loc_984E0A
; 

loc_984E22:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+7Aj
		sub	eax, 10001h
		jz	short loc_984E4C
		sub	eax, 1
		jz	short loc_984E49
		sub	eax, 1
		jz	short loc_984E45
		sub	eax, 1
		jz	short loc_984E41
		sub	eax, 1
		jnz	short loc_984E58
		push	0Bh
		jmp	short loc_984E4B
; 

loc_984E41:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+C5j
		push	0Ah
		jmp	short loc_984E4B
; 

loc_984E45:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+C0j
		push	9
		jmp	short loc_984E4B
; 

loc_984E49:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+BBj
		push	8

loc_984E4B:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+CEj
					; PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+D2j ...
		pop	ebx

loc_984E4C:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+B6j
		mov	esi, _PiDrvDbCtx
		neg	esi
		sbb	esi, esi
		and	esi, ebx

loc_984E58:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+95j
					; PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+CAj
		test	esi, esi
		jnz	short loc_984E61
		mov	edi, 0C000000Dh

loc_984E61:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+9Aj
					; PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+ABj ...
		test	edi, edi
		js	short loc_984E8D
		lea	eax, [ecx-14h]
		cmp	eax, edx
		sbb	edi, edi
		not	edi
		and	edi, eax
		jbe	short loc_984EF1
		push	34706E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		jnz	short loc_984EE6
		mov	edi, 0C000009Ah

loc_984E8D:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+F2j
					; PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+1AEj ...
		push	[ebp+arg_C]	; int
		imul	edx, [ebp+var_4], arg_C
		mov	ecx, edi
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		push	[ebp+var_C]	; int
		push	0		; size_t
		push	0		; void *
		push	0		; int
		call	PiCMReturnBufferResultData
		mov	ebx, [ebp+var_8]

loc_984EAD:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+1DEj
		mov	edi, eax
		test	ebx, ebx
		jz	short loc_984EBE
		push	34706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_984EBE:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+36j
					; PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+140j
		cmp	[ebp+var_18], 0
		jz	short loc_984EDD
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_984EDD
		push	0
		push	[ebp+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_984EDD:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+151j
					; PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+160j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_984EE6:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+115j
		push	14h
		mov	eax, edi
		xor	edx, edx
		pop	ecx
		div	ecx
		jmp	short loc_984EF8
; 

loc_984EF1:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+FFj
		xor	ebx, ebx
		xor	eax, eax
		mov	[ebp+var_8], ebx

loc_984EF8:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+17Ej
		mov	edx, [ebp+var_18]
		push	ecx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], eax
		push	ecx
		push	eax
		push	ebx
		push	0
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	esi
		call	__PnpGetObjectPropertyKeys@40 ;	_PnpGetObjectPropertyKeys(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		jmp	short loc_984F2C
; 

loc_984F1A:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+5Ej
					; PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+6Cj
		mov	edi, 0C000000Dh
		jmp	loc_984E8D
; 

loc_984F24:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+40j
					; PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+4Aj ...
		mov	ebx, [ebp+var_8]
		mov	edi, 0C000000Dh

loc_984F2C:				; CODE XREF: PiCMGetObjectPropertyKeys(x,x,x,x,x,x)+1A7j
		test	edi, edi
		js	loc_984E8D
		push	[ebp+arg_C]	; int
		imul	edx, [ebp+var_4], arg_C
		mov	ecx, edi
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		push	[ebp+var_C]	; int
		push	edx		; size_t
		push	ebx		; void *
		push	0		; int
		call	PiCMReturnBufferResultData
		jmp	loc_984EAD
_PiCMGetObjectPropertyKeys@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMQueryRemove(x, x, x, x,	x, x)
_PiCMQueryRemove@24 proc near		; CODE XREF: PiCMHandleIoctl+119DA3p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		push	ebx
		push	esi
		push	edi
		push	7
		mov	esi, ecx
		lea	edi, [ebp+var_5C]
		pop	ecx
		xor	eax, eax
		xor	ebx, ebx
		rep stosd
		mov	eax, [ebp+arg_C]
		mov	edi, ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_1C], ebx
		mov	[eax], ebx
		lea	eax, [ebp+var_5C]
		push	eax
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_38], ebx
		mov	byte ptr [ebp+var_1], bl
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], ebx
		call	PiCMCaptureObjectInputData
		mov	esi, eax
		test	esi, esi
		js	loc_985055
		test	byte_6CD8BB, 4
		mov	ebx, [ebp+var_50]
		mov	edi, [ebp+var_48]
		mov	[ebp+var_2C], ebx
		jz	short loc_984FD6
		push	ebx
		push	edi
		push	ecx
		mov	edx, offset _KMPnPEvt_CfgMgr_QueryRemove_Start
		call	_McTemplateK0dz_EtwWriteTransfer@20 ; McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)

loc_984FD6:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+73j
		test	ebx, ebx
		jz	loc_98529B
		cmp	[ebp+var_54], 1
		jnz	loc_98529B
		cmp	[ebp+arg_0], 0
		jz	loc_985110
		mov	ebx, [ebp+arg_4]
		cmp	ebx, 14h
		jb	loc_985110
		mov	edx, [ebp+var_50]
		call	__CmValidateDeviceName@8 ; _CmValidateDeviceName(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9852A0
		mov	ecx, [ebp+var_50]
		call	__CmIsRootDevice@4 ; _CmIsRootDevice(x)
		test	al, al
		jz	short loc_985091
		mov	esi, 0C0000033h

loc_985021:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+164j
					; PiCMQueryRemove(x,x,x,x,x,x)+1C1j ...
		mov	edx, [ebp+var_8]

loc_985024:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+364j
		push	[ebp+arg_C]	; int
		xor	ebx, ebx
		mov	ecx, esi
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		push	[ebp+var_44]	; int
		push	ebx		; size_t
		push	ebx		; void *
		push	[ebp+var_18]	; int
		call	PiCMReturnBufferResultData
		mov	edi, [ebp+var_C]

loc_985041:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+387j
		mov	esi, eax
		test	edi, edi
		jz	short loc_985052
		push	34706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_985052:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+F1j
		mov	edi, [ebp+var_2C]

loc_985055:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+5Dj
		test	byte_6CD8BB, 4
		jz	short loc_98506A
		push	edi
		push	ecx
		mov	edx, offset _KMPnPEvt_CfgMgr_QueryRemove_Stop
		call	_McTemplateK0z_EtwWriteTransfer@16 ; McTemplateK0z_EtwWriteTransfer(x,x,x,x)

loc_98506A:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+108j
		cmp	[ebp+var_50], 0
		jz	short loc_985088
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_985088
		push	ebx
		push	[ebp+var_50]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_985088:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+11Aj
					; PiCMQueryRemove(x,x,x,x,x,x)+129j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_985091:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+C6j
		lea	eax, [ebx-14h]
		cmp	eax, 2
		sbb	ebx, ebx
		not	ebx
		and	ebx, eax
		jbe	short loc_9850C4
		push	34706E50h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_9850BD
		mov	esi, 0C000009Ah
		jmp	loc_985021
; 

loc_9850BD:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+15Dj
		xor	ecx, ecx
		mov	[eax], cx
		jmp	short loc_9850C9
; 

loc_9850C4:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+149j
		xor	eax, eax
		mov	[ebp+var_C], eax

loc_9850C9:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+16Ej
		sub	edi, 1
		jz	loc_98520A
		sub	edi, 1
		jz	loc_98515F
		sub	edi, 1
		jz	short loc_9850EA
		mov	esi, 0C000000Dh
		jmp	loc_98523B
; 

loc_9850EA:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+18Aj
		push	4
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jz	loc_9851AC
		push	0Ah
		pop	ecx
		call	_PiAuDoesClientHavePrivilege@4 ; PiAuDoesClientHavePrivilege(x)
		test	al, al
		jz	loc_9851AC
		cmp	[ebp+var_58], 0
		jz	short loc_98511A

loc_985110:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+98j
					; PiCMQueryRemove(x,x,x,x,x,x)+A4j ...
		mov	esi, 0C000000Dh
		jmp	loc_985021
; 

loc_98511A:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+1BAj
		mov	edx, [ebp+var_50]
		lea	eax, [ebp+var_30]
		push	2
		pop	edi
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	0
		call	__CmGetDeviceStatus@28 ; _CmGetDeviceStatus(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_985155
		test	[ebp+var_1C], 2000h
		jnz	loc_98523E
		mov	esi, 0C0000010h
		jmp	loc_985021
; 

loc_985155:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+1E8j
		mov	esi, 0C000000Eh
		jmp	loc_985021
; 

loc_98515F:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+181j
		mov	edx, [ebp+var_50]
		lea	eax, [ebp+var_20]
		mov	ecx, _PiPnpRtlCtx
		push	4
		pop	edi
		push	0
		push	eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_20], edi
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		push	10h
		push	0
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98523B
		test	byte ptr [ebp+var_24], 8
		jz	short loc_9851B6
		mov	ecx, edi
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jz	short loc_9851AC
		push	19h
		pop	ecx
		call	_PiAuDoesClientHavePrivilege@4 ; PiAuDoesClientHavePrivilege(x)
		test	al, al
		jnz	short loc_9851FB

loc_9851AC:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+1A0j
					; PiCMQueryRemove(x,x,x,x,x,x)+1B0j ...
		mov	esi, 0C0000022h
		jmp	loc_985021
; 

loc_9851B6:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+23Fj
		lea	ecx, [ebp+var_28]
		call	_PnpGetCallerSessionId@4 ; PnpGetCallerSessionId(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9851CE
		call	_RtlGetActiveConsoleId@0 ; RtlGetActiveConsoleId()
		cmp	[ebp+var_28], eax
		jz	short loc_9851FB

loc_9851CE:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+26Ej
		lea	ecx, [ebp+var_1]
		call	_PiAuCheckClientInteractive@4 ;	PiAuCheckClientInteractive(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9851E2
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_9851FB

loc_9851E2:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+286j
		mov	ecx, edi
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jz	short loc_9851AC
		push	0Ah
		pop	ecx
		call	_PiAuDoesClientHavePrivilege@4 ; PiAuDoesClientHavePrivilege(x)
		test	al, al
		jz	short loc_9851AC
		xor	esi, esi

loc_9851FB:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+256j
					; PiCMQueryRemove(x,x,x,x,x,x)+278j ...
		cmp	[ebp+var_58], 0
		jnz	loc_985110
		push	8
		pop	edi
		jmp	short loc_98523E
; 

loc_98520A:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+178j
		push	20h
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jz	short loc_985236
		push	0Ah
		pop	ecx
		call	_PiAuDoesClientHavePrivilege@4 ; PiAuDoesClientHavePrivilege(x)
		test	al, al
		jz	short loc_985236
		mov	edi, [ebp+var_58]
		test	edi, 0FFFFFFFEh
		jnz	loc_985110
		and	edi, 1
		jmp	short loc_98523E
; 

loc_985236:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+2C0j
					; PiCMQueryRemove(x,x,x,x,x,x)+2CCj
		mov	esi, 0C0000022h

loc_98523B:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+191j
					; PiCMQueryRemove(x,x,x,x,x,x)+235j
		mov	edi, [ebp+var_10]

loc_98523E:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+1F1j
					; PiCMQueryRemove(x,x,x,x,x,x)+2B4j ...
		mov	[ebp+var_14], ebx
		test	esi, esi
		js	short loc_9852A0
		push	[ebp+var_50]
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		mov	[ebp+var_14], ebx
		test	esi, esi
		js	short loc_9852A0
		push	0		; int
		push	edi		; int
		mov	edi, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	edi		; void *
		lea	edx, [ebp+var_18]
		mov	[ebp+var_8], ebx
		lea	ecx, [ebp+var_40]
		call	_PnpQueueQueryAndRemoveEvent@24	; PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)
		mov	esi, eax
		mov	ecx, 80000028h
		cmp	esi, ecx
		jnz	loc_985021
		mov	eax, ebx
		test	edi, edi
		jz	short loc_985293
		shr	eax, 1
		xor	edx, edx
		mov	[edi+eax*2-2], dx
		mov	eax, ebx

loc_985293:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+332j
		mov	edx, [ebp+var_8]
		mov	[ebp+var_8], edx
		jmp	short loc_9852B6
; 

loc_98529B:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+84j
					; PiCMQueryRemove(x,x,x,x,x,x)+8Ej
		mov	esi, 0C000000Dh

loc_9852A0:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+B6j
					; PiCMQueryRemove(x,x,x,x,x,x)+2EFj ...
		mov	ecx, 80000028h
		cmp	esi, ecx
		jnz	loc_985021
		mov	eax, [ebp+var_14]
		mov	edi, [ebp+var_C]
		mov	edx, [ebp+var_8]

loc_9852B6:				; CODE XREF: PiCMQueryRemove(x,x,x,x,x,x)+345j
		cmp	edx, eax
		ja	loc_985024
		push	[ebp+arg_C]	; int
		mov	eax, [ebp+var_8]
		mov	edx, eax
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		push	[ebp+var_44]	; int
		push	eax		; size_t
		push	edi		; void *
		push	[ebp+var_18]	; int
		call	PiCMReturnBufferResultData
		xor	ebx, ebx
		jmp	loc_985041
_PiCMQueryRemove@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMRegisterDeviceInterface(x, x, x, x, x, x)
_PiCMRegisterDeviceInterface@24	proc near ; CODE XREF: PiCMHandleIoctl+119DB5p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		mov	[ebp+var_38], eax
		mov	esi, edx
		xor	eax, eax
		mov	[ebp+var_40], ebx
		push	2Ch		; size_t
		push	eax		; int
		mov	[ebp+var_44], eax
		mov	edi, ecx
		lea	eax, [ebp+var_30]
		push	eax		; void *
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		mov	[ebx], eax
		mov	edx, esi
		mov	ebx, eax
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_34], ebx
		push	eax
		push	ecx
		mov	ecx, edi
		call	_PiCMCaptureRegisterInterfaceInputData@16 ; PiCMCaptureRegisterInterfaceInputData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_985372
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		mov	edi, [ebp+arg_4]
		test	al, al
		jnz	short loc_9853B8
		mov	ecx, 0C0000022h

loc_98534D:				; CODE XREF: PiCMRegisterDeviceInterface(x,x,x,x,x,x)+FCj
		xor	eax, eax
		mov	edx, eax

loc_985351:				; CODE XREF: PiCMRegisterDeviceInterface(x,x,x,x,x,x)+169j
					; PiCMRegisterDeviceInterface(x,x,x,x,x,x)+17Aj
		push	[ebp+var_40]	; int
		push	edi		; int
		push	[ebp+var_38]	; int
		xor	edi, edi
		push	[ebp+var_8]	; int
		push	edi		; size_t
		push	edi		; void *

loc_98535F:				; CODE XREF: PiCMRegisterDeviceInterface(x,x,x,x,x,x)+18Ej
		push	edi		; int
		call	PiCMReturnBufferResultData
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_985372
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_985372:				; CODE XREF: PiCMRegisterDeviceInterface(x,x,x,x,x,x)+57j
					; PiCMRegisterDeviceInterface(x,x,x,x,x,x)+89j
		mov	eax, large fs:124h
		xor	edi, edi
		mov	bl, [eax+15Ah]
		cmp	[ebp+var_18], edi
		jz	short loc_985392
		test	bl, bl
		jz	short loc_985392
		push	edi
		push	[ebp+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_985392:				; CODE XREF: PiCMRegisterDeviceInterface(x,x,x,x,x,x)+A3j
					; PiCMRegisterDeviceInterface(x,x,x,x,x,x)+A7j
		cmp	[ebp+var_10], 0
		jz	short loc_9853A5
		test	bl, bl
		jz	short loc_9853A5
		push	edi
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9853A5:				; CODE XREF: PiCMRegisterDeviceInterface(x,x,x,x,x,x)+B6j
					; PiCMRegisterDeviceInterface(x,x,x,x,x,x)+BAj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_9853B8:				; CODE XREF: PiCMRegisterDeviceInterface(x,x,x,x,x,x)+66j
		mov	esi, [ebp+var_18]
		test	esi, esi
		jz	loc_98544E
		cmp	[ebp+var_2C], ebx
		jnz	loc_98544E
		cmp	[ebp+var_10], ebx
		jz	short loc_9853E1
		cmp	[ebp+var_C], 2
		jnb	short loc_9853E1

loc_9853D7:				; CODE XREF: PiCMRegisterDeviceInterface(x,x,x,x,x,x)+104j
					; PiCMRegisterDeviceInterface(x,x,x,x,x,x)+109j ...
		mov	ecx, 0C000000Dh
		jmp	loc_98534D
; 

loc_9853E1:				; CODE XREF: PiCMRegisterDeviceInterface(x,x,x,x,x,x)+EFj
					; PiCMRegisterDeviceInterface(x,x,x,x,x,x)+F5j
		cmp	[ebp+var_38], ebx
		jz	short loc_9853D7
		cmp	edi, 14h
		jb	short loc_9853D7
		lea	eax, [edi-14h]
		cmp	eax, 2
		jb	short loc_9853D7
		mov	edx, esi
		call	__CmValidateDeviceName@8 ; _CmValidateDeviceName(x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_985453
		xor	eax, eax
		lea	edx, [ebp+var_28] ; int
		push	eax		; int
		lea	eax, [ebp+var_34]
		mov	ecx, esi	; int
		push	eax		; int
		push	1		; char
		push	[ebp+var_10]	; int
		call	IopRegisterDeviceInterface
		mov	ebx, [ebp+var_34]
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_985453
		mov	edx, ebx
		lea	esi, [edx+2]

loc_985424:				; CODE XREF: PiCMRegisterDeviceInterface(x,x,x,x,x,x)+14Ej
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_44]
		jnz	short loc_985424
		sub	edx, esi
		sar	edx, 1
		lea	eax, [edx+1]
		lea	edx, [eax+eax]
		mov	[ebp+var_3C], eax
		lea	eax, [edi-14h]
		cmp	edx, eax
		jbe	short loc_985453
		mov	ecx, 0C0000023h
		jmp	loc_985351
; 

loc_98544E:				; CODE XREF: PiCMRegisterDeviceInterface(x,x,x,x,x,x)+DDj
					; PiCMRegisterDeviceInterface(x,x,x,x,x,x)+E6j
		mov	ecx, 0C000000Dh

loc_985453:				; CODE XREF: PiCMRegisterDeviceInterface(x,x,x,x,x,x)+11Ej
					; PiCMRegisterDeviceInterface(x,x,x,x,x,x)+13Dj ...
		mov	edx, [ebp+var_3C]
		add	edx, edx
		test	ecx, ecx
		js	loc_985351
		push	[ebp+var_40]
		push	edi
		push	[ebp+var_38]
		xor	edi, edi
		push	[ebp+var_8]
		push	edx
		push	ebx
		jmp	loc_98535F
_PiCMRegisterDeviceInterface@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMReturnDepthResultData(x, x, x, x, x, x)
_PiCMReturnDepthResultData@24 proc near	; CODE XREF: PiCMGetDeviceDepth(x,x,x,x,x,x)+99p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	14h
		push	offset dword_6A8330
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		xor	edi, edi
		mov	eax, [ebp+arg_C]
		mov	[eax], edi
		push	0Ch
		pop	ebx
		cmp	[ebp+arg_8], ebx
		jnb	short loc_98549B

loc_985494:				; CODE XREF: PiCMReturnDepthResultData(x,x,x,x,x,x)+2Bj
		mov	edi, 0C000000Dh
		jmp	short loc_9854EF
; 

loc_98549B:				; CODE XREF: PiCMReturnDepthResultData(x,x,x,x,x,x)+1Fj
		cmp	[ebp+arg_0], ebx
		jnz	short loc_985494
		mov	[ebp+ms_exc.disabled], edi
		push	4
		push	[ebp+arg_8]
		mov	esi, [ebp+arg_4]
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[esi], ebx
		mov	eax, [ebp+var_1C]
		mov	[esi+4], eax
		mov	eax, [ebp+var_20]
		mov	[esi+8], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9854E6
; 

loc_9854C8:				; DATA XREF: .text:006A8344o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9854D6:				; DATA XREF: .text:006A8348o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_24]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	0Ch
		pop	ebx

loc_9854E6:				; CODE XREF: PiCMReturnDepthResultData(x,x,x,x,x,x)+53j
		test	edi, edi
		js	short loc_9854EF
		mov	ecx, [ebp+arg_C]
		mov	[ecx], ebx

loc_9854EF:				; CODE XREF: PiCMReturnDepthResultData(x,x,x,x,x,x)+26j
					; PiCMReturnDepthResultData(x,x,x,x,x,x)+75j
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiCMReturnDepthResultData@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMSetDeviceProblem(x, x, x, x, x,	x)
_PiCMSetDeviceProblem@24 proc near	; CODE XREF: PiCMHandleIoctl+119D91p

var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	1A0h		; size_t
		mov	[ebp+var_1AC], eax
		mov	esi, edx
		lea	eax, [ebp+var_1A8]
		mov	edi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_1AC]
		add	esp, 0Ch
		mov	edx, esi
		and	dword ptr [eax], 0
		lea	eax, [ebp+var_1A8]
		push	eax		; void *
		push	ecx		; int
		mov	ecx, edi
		call	_PiCMCaptureProblemInputData@16	; PiCMCaptureProblemInputData(x,x,x,x)
		test	eax, eax
		js	short loc_9855DB
		push	4
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jz	short loc_9855C2
		push	0Ah
		pop	ecx
		call	_PiAuDoesClientHavePrivilege@4 ; PiAuDoesClientHavePrivilege(x)
		test	al, al
		jz	short loc_9855C2
		cmp	word ptr [ebp+var_1A0],	0
		mov	edi, [ebp+var_10]
		mov	esi, [ebp+var_1A4]
		jnz	short loc_985591

loc_98558A:				; CODE XREF: PiCMSetDeviceProblem(x,x,x,x,x,x)+90j
					; PiCMSetDeviceProblem(x,x,x,x,x,x)+96j ...
		mov	eax, 0C000000Dh
		jmp	short loc_9855C7
; 

loc_985591:				; CODE XREF: PiCMSetDeviceProblem(x,x,x,x,x,x)+85j
		test	ebx, ebx
		jz	short loc_98558A
		cmp	[ebp+arg_4], 8
		jb	short loc_98558A
		lea	eax, [esi-1]
		cmp	eax, 1
		ja	short loc_98558A
		lea	edx, [ebp+var_1A0]
		call	__CmValidateDeviceName@8 ; _CmValidateDeviceName(x,x)
		test	eax, eax
		js	short loc_9855C7
		push	esi
		mov	edx, edi
		lea	ecx, [ebp+var_1A0]
		call	_PiCMSetProblem@12 ; PiCMSetProblem(x,x,x)
		jmp	short loc_9855C7
; 

loc_9855C2:				; CODE XREF: PiCMSetDeviceProblem(x,x,x,x,x,x)+66j
					; PiCMSetDeviceProblem(x,x,x,x,x,x)+72j
		mov	eax, 0C0000022h

loc_9855C7:				; CODE XREF: PiCMSetDeviceProblem(x,x,x,x,x,x)+8Cj
					; PiCMSetDeviceProblem(x,x,x,x,x,x)+ADj ...
		push	[ebp+var_1AC]
		mov	edx, [ebp+var_C]
		mov	ecx, eax
		push	[ebp+arg_4]
		push	ebx
		call	PiCMReturnBasicResultData

loc_9855DB:				; CODE XREF: PiCMSetDeviceProblem(x,x,x,x,x,x)+5Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PiCMSetDeviceProblem@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMSetProblem(x, x, x)
_PiCMSetProblem@12 proc	near		; CODE XREF: PiCMDeviceAction(x,x,x,x,x,x)+237p
					; PiCMSetDeviceProblem(x,x,x,x,x,x)+B8p

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		xor	ecx, ecx
		mov	esi, edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], ecx
		lea	eax, [edi-1]
		mov	[ebp+var_8], ecx
		cmp	eax, 1
		ja	short loc_98568E
		push	ecx
		lea	eax, [ebp+var_C]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		call	__CmGetDeviceStatus@28 ; _CmGetDeviceStatus(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_985693
		test	esi, esi
		jz	short loc_985647
		test	[ebp+var_8], 400h
		jz	short loc_985647
		cmp	[ebp+var_4], esi
		jz	short loc_985647
		cmp	edi, 2
		jnz	short loc_98568E

loc_985647:				; CODE XREF: PiCMSetProblem(x,x,x)+46j
					; PiCMSetProblem(x,x,x)+4Fj ...
		push	7
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_28]
		rep stosd
		push	ebx
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_1C], 400h
		test	esi, esi
		jz	short loc_985672
		mov	[ebp+var_20], 1
		mov	[ebp+var_18], esi
		jmp	short loc_98567F
; 

loc_985672:				; CODE XREF: PiCMSetProblem(x,x,x)+78j
		mov	eax, [ebp+var_4]
		mov	[ebp+var_20], 2
		mov	[ebp+var_18], eax

loc_98567F:				; CODE XREF: PiCMSetProblem(x,x,x)+84j
		push	1Ch
		lea	eax, [ebp+var_28]
		push	eax
		push	0Eh
		call	_ZwPlugPlayControl@12 ;	ZwPlugPlayControl(x,x,x)
		jmp	short loc_985693
; 

loc_98568E:				; CODE XREF: PiCMSetProblem(x,x,x)+23j
					; PiCMSetProblem(x,x,x)+59j
		mov	eax, 0C000000Dh

loc_985693:				; CODE XREF: PiCMSetProblem(x,x,x)+42j
					; PiCMSetProblem(x,x,x)+A0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiCMSetProblem@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMSetRegistryProperty(x, x, x, x,	x, x)
_PiCMSetRegistryProperty@24 proc near	; CODE XREF: PiCMHandleIoctl+119D6Dp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	ebx, [ebp+arg_C]
		xor	eax, eax
		push	esi
		push	edi
		and	[ebp+arg_C], eax
		lea	edi, [ebp+var_30]
		and	[ebx], eax
		mov	esi, ecx
		push	0Ah
		pop	ecx
		rep stosd
		lea	eax, [ebp+var_30]
		push	eax
		push	ecx
		mov	ecx, esi
		call	PiCMCaptureRegistryPropertyInputData
		mov	esi, eax
		test	esi, esi
		js	loc_9857CE
		xor	ecx, ecx
		cmp	[ebp+var_1C], 0Dh
		setz	cl
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 3Eh
		add	ecx, 2
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jnz	short loc_9856F5
		mov	esi, 0C0000022h
		jmp	loc_9857BB
; 

loc_9856F5:				; CODE XREF: PiCMSetRegistryProperty(x,x,x,x,x,x)+4Fj
		mov	edi, [ebp+var_24]
		test	edi, edi
		jz	loc_9857B6
		cmp	[ebp+var_2C], 0
		jnz	loc_9857B6
		cmp	[ebp+arg_0], 0
		jz	loc_9857B6
		cmp	[ebp+arg_4], 8
		jb	loc_9857B6
		mov	ecx, [ebp+var_1C]
		lea	edx, [ebp+arg_C]
		call	PiCMConvertRegistryProperty
		mov	esi, eax
		test	esi, esi
		js	loc_9857BB
		cmp	[ebp+var_28], 1
		jnz	short loc_98577C
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	0
		push	[ebp+var_10]
		push	[ebp+var_14]
		push	[ebp+var_18]
		push	[ebp+arg_C]
		push	0
		call	_PiPnpRtlSetDeviceRegProperty@32 ; PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9857A7
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	edi
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_9857A7
		lea	ecx, [ebp+var_8]
		call	PnpSetDeviceInstancePropertyChangeEventFromDeviceInstance
		jmp	short loc_9857A7
; 

loc_98577C:				; CODE XREF: PiCMSetRegistryProperty(x,x,x,x,x,x)+9Dj
		cmp	[ebp+var_28], 2
		jnz	short loc_9857A2
		push	ecx
		push	[ebp+var_10]
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	[ebp+var_14]
		push	[ebp+var_18]
		push	[ebp+arg_C]
		push	0
		call	__CmSetInstallerClassRegProp@32	; _CmSetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_9857A7
; 

loc_9857A2:				; CODE XREF: PiCMSetRegistryProperty(x,x,x,x,x,x)+E6j
		mov	esi, 0C000000Dh

loc_9857A7:				; CODE XREF: PiCMSetRegistryProperty(x,x,x,x,x,x)+C0j
					; PiCMSetRegistryProperty(x,x,x,x,x,x)+D6j ...
		cmp	esi, 0C0000022h
		jnz	short loc_9857BB
		mov	esi, 0C0000230h
		jmp	short loc_9857BB
; 

loc_9857B6:				; CODE XREF: PiCMSetRegistryProperty(x,x,x,x,x,x)+60j
					; PiCMSetRegistryProperty(x,x,x,x,x,x)+6Aj ...
		mov	esi, 0C000000Dh

loc_9857BB:				; CODE XREF: PiCMSetRegistryProperty(x,x,x,x,x,x)+56j
					; PiCMSetRegistryProperty(x,x,x,x,x,x)+93j ...
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMReturnBasicResultData
		mov	esi, eax

loc_9857CE:				; CODE XREF: PiCMSetRegistryProperty(x,x,x,x,x,x)+2Fj
		lea	ecx, [ebp+var_30]
		call	PiCMReleaseRegistryPropertyInputData
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiCMSetRegistryProperty@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCMUnregisterDeviceInterface(x, x,	x, x, x, x)
_PiCMUnregisterDeviceInterface@24 proc near ; CODE XREF: PiCMHandleIoctl+119DC7p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	7
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		pop	ecx
		xor	eax, eax
		xor	ebx, ebx
		rep stosd
		mov	edi, [ebp+arg_C]
		lea	eax, [ebp+var_24]
		push	eax
		push	ecx
		mov	ecx, esi
		mov	byte ptr [ebp+arg_C+3],	bl
		mov	[edi], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		call	PiCMCaptureObjectInputData
		mov	esi, eax
		test	esi, esi
		js	loc_985914
		push	2
		pop	ecx
		call	_PiAuDoesClientHaveAccess@4 ; PiAuDoesClientHaveAccess(x)
		test	al, al
		jnz	short loc_985832
		mov	esi, 0C0000022h
		jmp	loc_985901
; 

loc_985832:				; CODE XREF: PiCMUnregisterDeviceInterface(x,x,x,x,x,x)+47j
		mov	edx, [ebp+var_18]
		test	edx, edx
		jz	loc_9858FC
		cmp	[ebp+var_20], ebx
		jnz	loc_9858FC
		cmp	[ebp+var_1C], 4
		jnz	loc_9858FC
		cmp	[ebp+var_10], ebx
		jnz	loc_9858FC
		cmp	[ebp+arg_0], ebx
		jz	loc_9858FC
		cmp	[ebp+arg_4], 8
		jb	loc_9858FC
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		push	1
		lea	eax, [ebp+arg_C+3]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	offset _DEVPKEY_DeviceInterface_Enabled
		push	ebx
		push	ebx
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_985901
		cmp	[ebp+var_4], 11h
		jnz	short loc_9858A6
		cmp	[ebp+var_8], 1
		jnz	short loc_9858A6
		mov	al, byte ptr [ebp+arg_C+3]
		jmp	short loc_9858AB
; 

loc_9858A6:				; CODE XREF: PiCMUnregisterDeviceInterface(x,x,x,x,x,x)+BAj
					; PiCMUnregisterDeviceInterface(x,x,x,x,x,x)+C0j
		mov	al, bl
		mov	byte ptr [ebp+arg_C+3],	al

loc_9858AB:				; CODE XREF: PiCMUnregisterDeviceInterface(x,x,x,x,x,x)+C5j
		cmp	al, 0FFh
		jnz	short loc_9858B4
		mov	esi, 0C0000708h

loc_9858B4:				; CODE XREF: PiCMUnregisterDeviceInterface(x,x,x,x,x,x)+CEj
		test	esi, esi
		js	short loc_985901
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	ebx, offset _PnpRegistryDeviceResource
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	edx, [ebp+var_18]
		mov	ecx, _PiPnpRtlCtx
		push	0
		call	__CmDeleteDeviceInterface@12 ; _CmDeleteDeviceInterface(x,x,x)
		mov	ecx, ebx
		mov	esi, eax
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	ebx, ebx
		jmp	short loc_985901
; 

loc_9858FC:				; CODE XREF: PiCMUnregisterDeviceInterface(x,x,x,x,x,x)+58j
					; PiCMUnregisterDeviceInterface(x,x,x,x,x,x)+61j ...
		mov	esi, 0C000000Dh

loc_985901:				; CODE XREF: PiCMUnregisterDeviceInterface(x,x,x,x,x,x)+4Ej
					; PiCMUnregisterDeviceInterface(x,x,x,x,x,x)+B4j ...
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		push	edi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	PiCMReturnBasicResultData
		mov	esi, eax

loc_985914:				; CODE XREF: PiCMUnregisterDeviceInterface(x,x,x,x,x,x)+37j
		cmp	[ebp+var_18], 0
		jz	short loc_985932
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_985932
		push	ebx
		push	[ebp+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_985932:				; CODE XREF: PiCMUnregisterDeviceInterface(x,x,x,x,x,x)+139j
					; PiCMUnregisterDeviceInterface(x,x,x,x,x,x)+148j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiCMUnregisterDeviceInterface@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDmaGuardProcessPostRemove(x, x, x)
_PiDmaGuardProcessPostRemove@12	proc near ; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+369p
					; PnpSurpriseRemoveLockedDeviceNode(x,x,x)+1DEp

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	ecx, [esi+1D0h]
		test	ecx, ecx
		jz	loc_985A0C
		cmp	_PipHalIommuSecurityEnabled, 0
		jz	loc_9859F6
		call	_PiIommuBlockDevice@4 ;	PiIommuBlockDevice(x)
		mov	ebx, eax
		test	ebx, ebx
		jns	loc_9859F6
		mov	edx, 1F4h
		lea	edi, [esi+14h]
		mov	ecx, esi
		call	IoAddTriageDumpDataBlock
		xor	edx, edx
		cmp	[edi], dx
		jz	short loc_98599E
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock
		xor	edx, edx

loc_98599E:				; CODE XREF: PiDmaGuardProcessPostRemove(x,x,x)+4Aj
		lea	edi, [esi+1Ch]
		cmp	[edi], dx
		jz	short loc_9859BD
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [esi+20h]
		call	IoAddTriageDumpDataBlock
		xor	edx, edx

loc_9859BD:				; CODE XREF: PiDmaGuardProcessPostRemove(x,x,x)+69j
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_9859E3
		lea	ecx, [eax+1Ch]
		cmp	[ecx], dx
		jz	short loc_9859E3
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_9859E3:				; CODE XREF: PiDmaGuardProcessPostRemove(x,x,x)+87j
					; PiDmaGuardProcessPostRemove(x,x,x)+8Fj
		push	esi
		push	ebx
		push	1001h
		push	13h
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9859F6:				; CODE XREF: PiDmaGuardProcessPostRemove(x,x,x)+21j
					; PiDmaGuardProcessPostRemove(x,x,x)+30j
		mov	ecx, [esi+1D0h]
		test	ecx, ecx
		jz	short loc_985A0C
		call	_PiIommuFreeExtension@4	; PiIommuFreeExtension(x)
		and	dword ptr [esi+1D0h], 0

loc_985A0C:				; CODE XREF: PiDmaGuardProcessPostRemove(x,x,x)+14j
					; PiDmaGuardProcessPostRemove(x,x,x)+C3j
		cmp	[ebp+arg_0], 0
		jz	short loc_985A34
		cmp	_PipDmaGuardPolicy, 0
		jz	short loc_985A34
		mov	ecx, [esi+10h]
		cmp	edi, 37h
		jnz	short loc_985A2F
		call	_PiDmaGuardQueueInsertEntry@4 ;	PiDmaGuardQueueInsertEntry(x)
		call	_PipDmgReevaluateQueue@0 ; PipDmgReevaluateQueue()
		jmp	short loc_985A34
; 

loc_985A2F:				; CODE XREF: PiDmaGuardProcessPostRemove(x,x,x)+E6j
		call	_PiDmaGuardQueueRemoveEntry@4 ;	PiDmaGuardQueueRemoveEntry(x)

loc_985A34:				; CODE XREF: PiDmaGuardProcessPostRemove(x,x,x)+D5j
					; PiDmaGuardProcessPostRemove(x,x,x)+DEj ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PiDmaGuardProcessPostRemove@12	endp ; sp = -14h


;  S U B	R O U T	I N E 


; __stdcall PipDmaGuardBlockAddDevice(x)
_PipDmaGuardBlockAddDevice@4 proc near	; CODE XREF: PipDmgEnforceEnumerationPolicy(x)+51p
		cmp	_PipDmaGuardPolicy, 1
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jnz	loc_985AD6
		test	esi, esi
		jz	short loc_985ABD
		mov	edx, 1F4h
		lea	edi, [esi+14h]
		call	IoAddTriageDumpDataBlock
		xor	ebx, ebx
		cmp	[edi], bx
		jz	short loc_985A7A
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		call	IoAddTriageDumpDataBlock

loc_985A7A:				; CODE XREF: PipDmaGuardBlockAddDevice(x)+28j
		lea	edi, [esi+1Ch]
		cmp	[edi], bx
		jz	short loc_985A97
		push	2
		pop	edx
		mov	ecx, edi
		call	IoAddTriageDumpDataBlock
		movzx	edx, word ptr [edi]
		mov	ecx, [esi+20h]
		call	IoAddTriageDumpDataBlock

loc_985A97:				; CODE XREF: PipDmaGuardBlockAddDevice(x)+45j
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_985ABD
		lea	ecx, [eax+1Ch]
		cmp	[ecx], bx
		jz	short loc_985ABD
		push	2
		pop	edx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [esi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_985ABD:				; CODE XREF: PipDmaGuardBlockAddDevice(x)+14j
					; PipDmaGuardBlockAddDevice(x)+61j ...
		push	dword ptr [esi+1C8h]
		push	dword ptr [esi+1D0h]
		push	esi
		push	11h
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_985AD6:				; CODE XREF: PipDmaGuardBlockAddDevice(x)+Cj
		push	0C0000022h
		push	37h
		xor	dl, dl
		call	_PnpRequestDeviceRemoval@16 ; PnpRequestDeviceRemoval(x,x,x,x)
		pop	edi
		pop	esi
		mov	eax, 0C00002CEh
		pop	ebx
		retn
_PipDmaGuardBlockAddDevice@4 endp ; sp = -14h


;  S U B	R O U T	I N E 


; __stdcall PipDmgConsoleUnlockCallback()
_PipDmgConsoleUnlockCallback@0 proc near ; DATA	XREF: PiDmaGuardInitialize:loc_5F4D39o
		mov	eax, _PipDmaGuardPolicy
		sub	eax, 1
		jz	short locret_985B0B
		sub	eax, 1
		jz	short loc_985B06
		sub	eax, 1
		jz	short locret_985B0B
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_985B06:				; CODE XREF: PipDmgConsoleUnlockCallback()+Dj
		jmp	_PipDmgFlushQueueAndRestartDevices@0 ; PipDmgFlushQueueAndRestartDevices()
; 

locret_985B0B:				; CODE XREF: PipDmgConsoleUnlockCallback()+8j
					; PipDmgConsoleUnlockCallback()+12j
		retn
_PipDmgConsoleUnlockCallback@0 endp


;  S U B	R O U T	I N E 


; __stdcall PipDmgEnforceEnumerationPolicy(x)
_PipDmgEnforceEnumerationPolicy@4 proc near ; CODE XREF: PipCallDriverAddDevice+A1CD0p
		mov	edi, edi
		push	ecx
		mov	eax, _PipDmaGuardPolicy
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+1D0h]
		sub	eax, 1
		jz	short loc_985B64
		sub	eax, 1
		jz	short loc_985B41
		sub	eax, 1
		jz	short loc_985B32
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_985B32:				; CODE XREF: PipDmgEnforceEnumerationPolicy(x)+1Fj
		mov	ecx, edi
		call	_PiIommuIsDeviceSafeWhileConsoleLocked@4 ; PiIommuIsDeviceSafeWhileConsoleLocked(x)
		neg	al
		sbb	al, al
		inc	al
		jmp	short loc_985B57
; 

loc_985B41:				; CODE XREF: PipDmgEnforceEnumerationPolicy(x)+1Aj
		call	_PiCslIsConsoleLocked@0	; PiCslIsConsoleLocked()
		test	al, al
		jz	short loc_985B64
		mov	ecx, edi
		call	_PiIommuIsDeviceSafeWhileConsoleLocked@4 ; PiIommuIsDeviceSafeWhileConsoleLocked(x)
		test	al, al
		jnz	short loc_985B64
		inc	al

loc_985B57:				; CODE XREF: PipDmgEnforceEnumerationPolicy(x)+33j
		test	al, al
		jz	short loc_985B64
		mov	ecx, esi
		call	_PipDmaGuardBlockAddDevice@4 ; PipDmaGuardBlockAddDevice(x)
		jmp	short loc_985B66
; 

loc_985B64:				; CODE XREF: PipDmgEnforceEnumerationPolicy(x)+15j
					; PipDmgEnforceEnumerationPolicy(x)+3Cj ...
		xor	eax, eax

loc_985B66:				; CODE XREF: PipDmgEnforceEnumerationPolicy(x)+56j
		pop	edi
		pop	esi
		pop	ecx
		retn
_PipDmgEnforceEnumerationPolicy@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipDmgFlushQueueAndRestartDevices()
_PipDmgFlushQueueAndRestartDevices@0 proc near
					; CODE XREF: PipDmgConsoleUnlockCallback():loc_985B06j
					; PipDmgReevaluateQueue():loc_985BEFj

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, _PipDmaGuardPolicy
		sub	esp, 0Ch
		push	esi
		test	eax, eax
		jz	short loc_985BBB
		cmp	eax, 3
		jz	short loc_985BBB
		lea	eax, [esp+10h+var_8]
		mov	ecx, eax
		mov	[esp+10h+var_4], eax
		mov	[esp+10h+var_8], eax
		call	_PiDmaGuardQueueFlush@4	; PiDmaGuardQueueFlush(x)
		mov	esi, [esp+10h+var_8]
		jmp	short loc_985BA7
; 

loc_985B9D:				; CODE XREF: PipDmgFlushQueueAndRestartDevices()+43j
		mov	ecx, [esi+8]
		mov	esi, [esi]
		call	_PipDmgRequestRestartOnBlockedDevice@4 ; PipDmgRequestRestartOnBlockedDevice(x)

loc_985BA7:				; CODE XREF: PipDmgFlushQueueAndRestartDevices()+31j
		lea	eax, [esp+10h+var_8]
		cmp	esi, eax
		jnz	short loc_985B9D
		mov	ecx, eax
		call	_PiDmaGuardQueueFree@4 ; PiDmaGuardQueueFree(x)
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_985BBB:				; CODE XREF: PipDmgFlushQueueAndRestartDevices()+13j
					; PipDmgFlushQueueAndRestartDevices()+18j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	11h
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_PipDmgFlushQueueAndRestartDevices@0 endp


;  S U B	R O U T	I N E 


; __stdcall PipDmgReevaluateQueue()
_PipDmgReevaluateQueue@0 proc near	; CODE XREF: PipDmgInitPhaseTwo+9C86Dp
					; PiDmaGuardProcessPostRemove(x,x,x)+EDp
		mov	eax, _PipDmaGuardPolicy
		sub	eax, 1
		jz	short loc_985BEF
		sub	eax, 1
		jz	short loc_985BE6
		sub	eax, 1
		jz	short locret_985BF4
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_985BE6:				; CODE XREF: PipDmgReevaluateQueue()+Dj
		call	_PiCslIsConsoleLocked@0	; PiCslIsConsoleLocked()
		test	al, al
		jnz	short locret_985BF4

loc_985BEF:				; CODE XREF: PipDmgReevaluateQueue()+8j
		jmp	_PipDmgFlushQueueAndRestartDevices@0 ; PipDmgFlushQueueAndRestartDevices()
; 

locret_985BF4:				; CODE XREF: PipDmgReevaluateQueue()+12j
					; PipDmgReevaluateQueue()+20j
		retn
_PipDmgReevaluateQueue@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipDmgRequestRestartOnBlockedDevice(x)
_PipDmgRequestRestartOnBlockedDevice@4 proc near
					; CODE XREF: PipDmgFlushQueueAndRestartDevices()+38p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		cmp	_PipDmaGuardPolicy, 3
		push	edi
		mov	edi, ecx
		jnz	loc_985D07
		test	edi, edi
		jz	loc_985CF8
		movzx	edx, word ptr [edi+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		push	2
		pop	ebx
		test	ecx, ecx
		jz	short loc_985C54
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_985C54
		mov	edx, ebx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_985C54:				; CODE XREF: PipDmgRequestRestartOnBlockedDevice(x)+33j
					; PipDmgRequestRestartOnBlockedDevice(x)+47j
		mov	eax, [edi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_985CF8
		lea	eax, [ecx+14h]
		mov	edx, 1F4h
		mov	[ebp+var_4], eax
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebp+var_4]
		cmp	[eax], si
		jz	short loc_985C94
		mov	edx, ebx
		mov	ecx, eax
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebp+var_4]
		movzx	edx, word ptr [eax]
		mov	ecx, [eax+4]
		call	IoAddTriageDumpDataBlock

loc_985C94:				; CODE XREF: PipDmgRequestRestartOnBlockedDevice(x)+86j
		mov	edx, [edi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_985CC7
		mov	edx, ebx
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [edi+0B0h]

loc_985CC7:				; CODE XREF: PipDmgRequestRestartOnBlockedDevice(x)+AEj
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_985CF8
		lea	ecx, [eax+1Ch]
		cmp	[ecx], si
		jz	short loc_985CF8
		mov	edx, ebx
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_985CF8:				; CODE XREF: PipDmgRequestRestartOnBlockedDevice(x)+1Cj
					; PipDmgRequestRestartOnBlockedDevice(x)+6Aj ...
		push	esi
		push	esi
		push	edi
		push	11h

loc_985CFD:				; CODE XREF: PipDmgRequestRestartOnBlockedDevice(x)+240j
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_985D07:				; CODE XREF: PipDmgRequestRestartOnBlockedDevice(x)+14j
		push	2
		pop	ebx
		test	edi, edi
		jz	loc_985E31
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_985D53
		test	dword ptr [eax+10Ch], 20000h
		jnz	short loc_985D53
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	1
		push	19h
		pop	edx
		call	PnpRequestDeviceAction
		test	eax, eax
		js	short loc_985D4E
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	10h
		pop	edx
		mov	ecx, edi
		call	PnpRequestDeviceAction

loc_985D4E:				; CODE XREF: PipDmgRequestRestartOnBlockedDevice(x)+148j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_985D53:				; CODE XREF: PipDmgRequestRestartOnBlockedDevice(x)+128j
					; PipDmgRequestRestartOnBlockedDevice(x)+134j
		movzx	edx, word ptr [edi+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	short loc_985D8D
		movsx	edx, word ptr [ecx+2]
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_985D8D
		mov	edx, ebx
		call	IoAddTriageDumpDataBlock
		mov	ecx, [edi+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_985D8D:				; CODE XREF: PipDmgRequestRestartOnBlockedDevice(x)+16Cj
					; PipDmgRequestRestartOnBlockedDevice(x)+180j
		mov	eax, [edi+0B0h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	loc_985E31
		lea	eax, [ecx+14h]
		mov	edx, 1F4h
		mov	[ebp+var_4], eax
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebp+var_4]
		cmp	[eax], si
		jz	short loc_985DCD
		mov	edx, ebx
		mov	ecx, eax
		call	IoAddTriageDumpDataBlock
		mov	eax, [ebp+var_4]
		movzx	edx, word ptr [eax]
		mov	ecx, [eax+4]
		call	IoAddTriageDumpDataBlock

loc_985DCD:				; CODE XREF: PipDmgRequestRestartOnBlockedDevice(x)+1BFj
		mov	edx, [edi+0B0h]
		mov	ecx, [edx+14h]
		add	ecx, 1Ch
		cmp	[ecx], si
		jz	short loc_985E00
		mov	edx, ebx
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+0B0h]
		mov	ecx, [eax+14h]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock
		mov	edx, [edi+0B0h]

loc_985E00:				; CODE XREF: PipDmgRequestRestartOnBlockedDevice(x)+1E7j
		mov	eax, [edx+14h]
		mov	eax, [eax+8]
		test	eax, eax
		jz	short loc_985E31
		lea	ecx, [eax+1Ch]
		cmp	[ecx], si
		jz	short loc_985E31
		mov	edx, ebx
		call	IoAddTriageDumpDataBlock
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		mov	ecx, [eax+8]
		movzx	edx, word ptr [ecx+1Ch]
		mov	ecx, [ecx+20h]
		call	IoAddTriageDumpDataBlock

loc_985E31:				; CODE XREF: PipDmgRequestRestartOnBlockedDevice(x)+117j
					; PipDmgRequestRestartOnBlockedDevice(x)+1A3j ...
		push	esi
		push	esi
		push	edi
		push	ebx
		jmp	loc_985CFD
_PipDmgRequestRestartOnBlockedDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpTraceClearDevNodeProblem(x, x, x, x)
_PnpTraceClearDevNodeProblem@16	proc near ; CODE XREF: AlpcpInitializeMessageLog+85735p

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0ACh+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		cmp	esi, 1
		jz	loc_985F89
		cmp	dword_6B2DD8, 5
		jbe	loc_985F89
		push	8000h
		push	0
		mov	ecx, offset dword_6B2DD8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_985F89
		lea	eax, [esp+0B8h+var_A0]
		and	[esp+0B8h+var_1C], 0
		mov	[esp+0B8h+var_78], eax
		xor	edx, edx
		lea	eax, [esp+0B8h+var_50]
		and	[esp+0B8h+var_14], 0
		mov	[esp+0B8h+var_68], eax
		mov	eax, [ebx+4]
		mov	[esp+0B8h+var_58], eax
		movzx	eax, word ptr [ebx]
		mov	[esp+0B8h+var_50], eax
		lea	eax, [esp+0B8h+var_30]
		and	[esp+0B8h+var_C], 0
		mov	[esp+0B8h+var_48], eax
		mov	eax, [edi+4]
		mov	[esp+0B8h+var_38], eax
		movzx	eax, word ptr [edi]
		mov	[esp+0B8h+var_30], eax
		lea	eax, [esp+0B8h+var_A8]
		push	2
		pop	ecx
		mov	[esp+0B8h+var_28], eax
		mov	eax, [ebp+arg_4]
		push	4
		mov	[esp+0BCh+var_A4], eax
		lea	eax, [esp+0BCh+var_A4]
		mov	[esp+0BCh+var_9C], edx
		mov	[esp+0BCh+var_74], edx
		mov	[esp+0BCh+var_6C], edx
		mov	[esp+0BCh+var_64], edx
		mov	[esp+0BCh+var_5C], edx
		mov	[esp+0BCh+var_54], edx
		mov	[esp+0BCh+var_4C], edx
		mov	[esp+0BCh+var_44], edx
		mov	[esp+0BCh+var_3C], edx
		mov	[esp+0BCh+var_34], edx
		mov	[esp+0BCh+var_2C], edx
		mov	[esp+0BCh+var_24], edx
		pop	edx
		mov	[esp+0B8h+var_18], eax
		lea	eax, [esp+0B8h+var_98]
		push	eax
		push	9
		mov	[esp+0C0h+var_60], ecx
		mov	[esp+0C0h+var_40], ecx
		mov	[esp+0C0h+var_20], edx
		mov	[esp+0C0h+var_10], edx
		mov	edx, offset loc_41C41B
		push	ecx
		mov	ecx, offset dword_6B2DD8
		mov	[esp+0C4h+var_A0], 1
		mov	[esp+0C4h+var_70], 8
		mov	[esp+0C4h+var_A8], esi
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)

loc_985F89:				; CODE XREF: PnpTraceClearDevNodeProblem(x,x,x,x)+29j
					; PnpTraceClearDevNodeProblem(x,x,x,x)+36j ...
		mov	ecx, [esp+0B8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_PnpTraceClearDevNodeProblem@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpTraceDeviceConfig(x, x, x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x)
_PnpTraceDeviceConfig@72 proc near	; CODE XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+CF3p

var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17B		= dword	ptr -17Bh
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_E8		= dword	ptr -0E8h
var_D8		= dword	ptr -0D8h
var_C8		= dword	ptr -0C8h
var_B8		= dword	ptr -0B8h
var_A8		= dword	ptr -0A8h
var_98		= dword	ptr -98h
var_88		= dword	ptr -88h
var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= byte ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= byte ptr  30h
arg_2C		= byte ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1B4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_198], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_19C], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1A0], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_1A4], eax
		mov	eax, [ebp+arg_14]
		push	esi
		mov	[ebp+var_1A8], eax
		mov	esi, ecx
		mov	eax, [ebp+arg_18]
		mov	ecx, [ebp+arg_3C]
		push	edi
		mov	edi, edx
		mov	[ebp+var_184], eax
		mov	eax, [ebp+arg_1C]
		xor	edx, edx
		mov	[ebp+var_180], eax
		mov	[ebp+var_190], edx
		mov	[ebp+var_18C], edx
		test	ecx, ecx
		jz	short loc_986024
		mov	eax, [ecx+4]
		mov	[ebp+var_18C], eax
		mov	eax, [ecx]
		mov	[ebp+var_190], eax

loc_986024:				; CODE XREF: PnpTraceDeviceConfig(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+71j
		cmp	dword_6B2E00, 5
		jbe	loc_986279
		push	8000h
		push	edx
		mov	ecx, offset dword_6B2E00
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_986279
		lea	eax, [ebp+var_1B0]
		mov	[ebp+var_1B0], 800h
		mov	[ebp+var_158], eax
		xor	edx, edx
		lea	eax, [ebp+var_194]
		mov	[ebp+var_1AC], edx
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_120]
		mov	[ebp+var_138], eax
		mov	eax, [esi+4]
		push	2
		pop	ecx
		mov	[ebp+var_128], eax
		movzx	eax, word ptr [esi]
		xor	esi, esi
		mov	[ebp+var_130], ecx
		mov	[ebp+var_110], ecx
		mov	ecx, [ebp+arg_24]
		mov	[ebp+var_120], eax
		lea	eax, [ebp+var_100]
		mov	[ebp+var_118], eax
		mov	[ebp+var_154], edx
		mov	eax, [ecx+4]
		mov	[ebp+var_108], eax
		movzx	eax, word ptr [ecx]
		lea	ecx, [ebp+var_F8]
		mov	[ebp+var_14C], edx
		mov	[ebp+var_194], edx
		mov	[ebp+var_144], edx
		mov	[ebp+var_13C], edx
		mov	[ebp+var_134], edx
		mov	[ebp+var_12C], edx
		mov	[ebp+var_124], edx
		mov	edx, edi
		mov	[ebp+var_150], 8
		mov	[ebp+var_140], 4
		mov	[ebp+var_11C], esi
		mov	[ebp+var_114], esi
		mov	[ebp+var_10C], esi
		mov	[ebp+var_104], esi
		mov	[ebp+var_100], eax
		mov	[ebp+var_FC], esi
		call	_tlgCreate1Sz_wchar_t
		mov	edx, ebx
		lea	ecx, [ebp+var_E8]
		call	_tlgCreate1Sz_wchar_t
		mov	edx, [ebp+var_198]
		lea	ecx, [ebp+var_D8]
		call	_tlgCreate1Sz_wchar_t
		mov	edx, [ebp+var_19C]
		lea	ecx, [ebp+var_C8]
		call	_tlgCreate1Sz_wchar_t
		mov	edx, [ebp+var_1A0]
		lea	ecx, [ebp+var_B8]
		call	_tlgCreate1Sz_wchar_t
		mov	edx, [ebp+var_1A4]
		lea	ecx, [ebp+var_A8]
		call	_tlgCreate1Sz_wchar_t
		mov	edx, [ebp+var_1A8]
		lea	ecx, [ebp+var_98]
		call	_tlgCreate1Sz_wchar_t
		mov	edx, [ebp+var_184]
		lea	ecx, [ebp+var_88]
		call	_tlgCreate1Sz_wchar_t
		mov	edx, [ebp+var_180]
		lea	ecx, [ebp+var_78]
		call	_tlgCreate1Sz_wchar_t
		mov	al, [ebp+arg_20]
		xor	ecx, ecx
		mov	byte ptr [ebp+var_17B+2], al
		inc	ecx
		lea	eax, [ebp+var_17B+2]
		mov	[ebp+var_64], esi
		mov	[ebp+var_68], eax
		mov	al, [ebp+arg_28]
		mov	byte ptr [ebp+var_17B+1], al
		lea	eax, [ebp+var_17B+1]
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], esi
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], esi
		mov	al, [ebp+arg_2C]
		mov	byte ptr [ebp+var_17B],	al
		lea	eax, [ebp+var_17B]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_30]
		mov	[ebp+var_188], eax
		mov	eax, [ebp+arg_34]
		mov	[ebp+var_184], eax
		lea	eax, [ebp+var_188]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_38]
		mov	[ebp+var_180], eax
		lea	eax, [ebp+var_180]
		push	8
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_190]
		mov	[ebp+var_50], ecx
		mov	[ebp+var_40], ecx
		pop	ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_17B+3]
		push	eax
		push	17h
		push	esi
		push	esi
		push	offset loc_41C4F3
		push	offset dword_6B2E00
		mov	[ebp+var_4C], esi
		mov	[ebp+var_44], esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], 4
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_986279:				; CODE XREF: PnpTraceDeviceConfig(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+8Bj
					; PnpTraceDeviceConfig(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A3j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	40h
_PnpTraceDeviceConfig@72 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpTraceDeviceRemovalForResetComplete(x, x)
_PnpTraceDeviceRemovalForResetComplete@8 proc near
					; CODE XREF: IopDeviceRemovalForResetComplete(x)+D5p

var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0F4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0F4h+var_4], eax
		push	ebx
		push	esi
		mov	esi, dword_6B2B18
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	loc_9864AD
		push	4000h
		push	0
		mov	ecx, offset dword_6B2B18
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9864AD
		mov	eax, [edi+68h]
		test	eax, eax
		jz	short loc_9862E4
		mov	eax, [eax+0B0h]
		mov	ebx, [eax+14h]
		jmp	short loc_9862E6
; 

loc_9862E4:				; CODE XREF: PnpTraceDeviceRemovalForResetComplete(x,x)+4Dj
		xor	ebx, ebx

loc_9862E6:				; CODE XREF: PnpTraceDeviceRemovalForResetComplete(x,x)+58j
		cmp	esi, 5
		jbe	loc_9864AD
		push	4000h
		xor	esi, esi
		mov	ecx, offset dword_6B2B18
		push	esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9864AD
		lea	eax, [esp+100h+var_A0]
		mov	[esp+100h+var_B4], esi
		mov	[esp+100h+var_B8], eax
		mov	eax, [ebx+18h]
		mov	[esp+100h+var_A8], eax
		movzx	eax, word ptr [ebx+14h]
		mov	[esp+100h+var_A0], eax
		lea	eax, [esp+100h+var_80]
		mov	[esp+100h+var_98], eax
		mov	eax, [ebx+20h]
		mov	[esp+100h+var_88], eax
		movzx	eax, word ptr [ebx+1Ch]
		mov	[esp+100h+var_80], eax
		mov	eax, [ebx+0ACh]
		mov	[esp+100h+var_F0], eax
		lea	eax, [esp+100h+var_F0]
		mov	[esp+100h+var_78], eax
		mov	eax, [edi+5Ch]
		mov	[esp+100h+var_EC], eax
		lea	eax, [esp+100h+var_EC]
		mov	[esp+100h+var_68], eax
		mov	eax, [edi+64h]
		mov	[esp+100h+var_E8], eax
		lea	eax, [esp+100h+var_E8]
		mov	[esp+100h+var_58], eax
		mov	eax, _PnpResetRetryInterval
		mov	[esp+100h+var_E0], eax
		mov	eax, dword_6CC9FC
		mov	[esp+100h+var_DC], eax
		lea	eax, [esp+100h+var_E0]
		mov	[esp+100h+var_48], eax
		mov	eax, [edi+6Ch]
		mov	[esp+100h+var_E4], eax
		lea	eax, [esp+100h+var_E4]
		push	2
		pop	edx
		mov	[esp+100h+var_38], eax
		lea	eax, [esp+100h+var_10]
		push	4
		pop	ecx
		mov	[esp+100h+var_28], eax
		mov	eax, [edi+74h]
		mov	[esp+100h+var_18], eax
		movzx	eax, word ptr [edi+70h]
		mov	[esp+100h+var_10], eax
		lea	eax, [esp+100h+var_D8]
		push	eax
		push	0Dh
		push	esi
		push	esi
		push	(offset	loc_41C746+6)
		mov	[esp+114h+var_B0], edx
		mov	[esp+114h+var_AC], esi
		mov	[esp+114h+var_A4], esi
		mov	[esp+114h+var_9C], esi
		mov	[esp+114h+var_94], esi
		mov	[esp+114h+var_90], edx
		mov	[esp+114h+var_8C], esi
		mov	[esp+114h+var_84], esi
		mov	[esp+114h+var_7C], esi
		mov	[esp+114h+var_74], esi
		mov	[esp+114h+var_70], ecx
		mov	[esp+114h+var_6C], esi
		mov	[esp+114h+var_64], esi
		mov	[esp+114h+var_60], ecx
		mov	[esp+114h+var_5C], esi
		mov	[esp+114h+var_54], esi
		mov	[esp+114h+var_50], ecx
		mov	[esp+114h+var_4C], esi
		mov	[esp+114h+var_44], esi
		mov	[esp+114h+var_40], 8
		mov	[esp+114h+var_3C], esi
		mov	[esp+114h+var_34], esi
		mov	[esp+114h+var_30], ecx
		mov	[esp+114h+var_2C], esi
		mov	[esp+114h+var_24], esi
		mov	[esp+114h+var_20], edx
		mov	[esp+114h+var_1C], esi
		mov	[esp+114h+var_14], esi
		mov	[esp+114h+var_C], esi
		push	offset dword_6B2B18
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9864AD:				; CODE XREF: PnpTraceDeviceRemovalForResetComplete(x,x)+29j
					; PnpTraceDeviceRemovalForResetComplete(x,x)+42j ...
		mov	ecx, [esp+100h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PnpTraceDeviceRemovalForResetComplete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpTraceDeviceRemoveProcessVeto(x, x, x)
_PnpTraceDeviceRemoveProcessVeto@12 proc near ;	CODE XREF: PnpLogVetoInformation(x,x)+CFp

var_8C		= dword	ptr -8Ch
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 90h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	dword_6B2B18, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_986588
		push	4000h
		xor	ebx, ebx
		mov	ecx, offset dword_6B2B18
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_986588
		lea	eax, [ebp+var_54]
		mov	[ebp+var_68], ebx
		mov	[ebp+var_6C], eax
		mov	eax, [edi+4]
		mov	[ebp+var_5C], eax
		movzx	eax, word ptr [edi]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_34]
		push	2
		pop	ecx
		mov	[ebp+var_4C], eax
		mov	eax, [esi+4]
		mov	[ebp+var_3C], eax
		movzx	eax, word ptr [esi]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_64], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_60], ebx
		mov	[ebp+var_58], ebx
		mov	eax, [ecx+4]
		mov	[ebp+var_1C], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_8C]
		push	eax
		push	8
		push	ebx
		push	ebx
		push	offset loc_41C494
		push	offset dword_6B2B18
		mov	[ebp+var_50], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_986588:				; CODE XREF: PnpTraceDeviceRemoveProcessVeto(x,x,x)+23j
					; PnpTraceDeviceRemoveProcessVeto(x,x,x)+3Dj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PnpTraceDeviceRemoveProcessVeto@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpTraceDockDeviceEnumeration(x, x)
_PnpTraceDockDeviceEnumeration@8 proc near ; CODE XREF:	PiProcessNewDeviceNode+6ECDBp

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	dword_6B2B18, 5
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jbe	loc_98663F
		push	4000h
		xor	ebx, ebx
		mov	ecx, offset dword_6B2B18
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_98663F
		lea	eax, [ebp+var_30]
		mov	[ebp+var_44], ebx
		mov	[ebp+var_48], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_38], eax
		movzx	eax, word ptr [esi+14h]
		mov	[ebp+var_30], eax
		mov	eax, [esi+174h]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_6C]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	6
		push	ebx
		push	ebx
		push	offset loc_41C630
		push	offset dword_6B2B18
		mov	[ebp+var_40], 2
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_70], edi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_98663F:				; CODE XREF: PnpTraceDockDeviceEnumeration(x,x)+20j
					; PnpTraceDockDeviceEnumeration(x,x)+3Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PnpTraceDockDeviceEnumeration@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpTraceDriverBlocked(x, x,	x, x)
_PnpTraceDriverBlocked@16 proc near	; CODE XREF: PiIsDriverBlocked+AFF91p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	dword_6B2B18, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_986715
		push	4000h
		xor	ebx, ebx
		mov	ecx, offset dword_6B2B18
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_986715
		lea	eax, [ebp+var_88]
		mov	[ebp+var_88], 800h
		mov	edx, edi
		mov	[ebp+var_84], ebx
		lea	ecx, [ebp+var_48]
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], 8
		mov	[ebp+var_4C], ebx
		call	_tlgCreate1Sz_wchar_t
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_4]
		push	4
		pop	ecx
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		push	ebx
		push	ebx
		push	offset loc_41C2D7
		push	offset dword_6B2B18
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], 10h
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_986715:				; CODE XREF: PnpTraceDriverBlocked(x,x,x,x)+23j
					; PnpTraceDriverBlocked(x,x,x,x)+3Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PnpTraceDriverBlocked@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpTraceIommuDeviceProperties(x, x)
_PnpTraceIommuDeviceProperties@8 proc near ; CODE XREF:	PiIommuAllocateExtension+B7p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	dword_6B2B18, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_9867B0
		push	4000h
		xor	edi, edi
		mov	ebx, offset dword_6B2B18
		push	edi
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9867B0
		lea	eax, [ebp+var_24]
		mov	[ebp+var_38], edi
		mov	[ebp+var_3C], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_2C], eax
		movzx	eax, word ptr [esi+14h]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	5
		push	edi
		push	edi
		push	offset loc_41C227
		push	ebx
		mov	[ebp+var_34], 2
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], 4
		mov	[ebp+var_10], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9867B0:				; CODE XREF: PnpTraceIommuDeviceProperties(x,x)+1Ej
					; PnpTraceIommuDeviceProperties(x,x)+36j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PnpTraceIommuDeviceProperties@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpTraceRebalanceResult(x)
_PnpTraceRebalanceResult@4 proc	near	; CODE XREF: PnpRebalance(x,x,x,x)+183p

var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_130		= dword	ptr -130h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_FA		= dword	ptr -0FAh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 11Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	dword_6B2B18, 0
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	loc_986A15
		push	4000h
		push	0
		mov	ecx, offset dword_6B2B18
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_986A15
		test	esi, esi
		jz	loc_986A24
		mov	edi, [esi+20h]
		test	edi, edi
		jz	loc_986A24
		mov	ebx, [esi+18h]
		test	ebx, ebx
		jz	loc_986A24
		call	KeQueryInterruptTime
		cmp	dword_6B2B18, 5
		mov	[ebp+var_104], eax
		mov	[ebp+var_10C], edx
		jbe	loc_986A15
		push	4000h
		push	0
		mov	ecx, offset dword_6B2B18
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_986A15
		lea	eax, [ebp+var_C0]
		xor	edx, edx
		mov	[ebp+var_D8], eax
		mov	eax, [edi+18h]
		mov	[ebp+var_C8], eax
		movzx	eax, word ptr [edi+14h]
		mov	[ebp+var_C0], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_B8], eax
		mov	eax, [edi+20h]
		mov	[ebp+var_A8], eax
		movzx	eax, word ptr [edi+1Ch]
		xor	edi, edi
		mov	[ebp+var_A0], eax
		mov	eax, [esi]
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_114]
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_88], eax
		mov	eax, [ebx+18h]
		mov	[ebp+var_78], eax
		movzx	eax, word ptr [ebx+14h]
		mov	ebx, [ebp+var_10C]
		mov	[ebp+var_70], eax
		mov	al, [esi+1Ch]
		mov	byte ptr [ebp+var_FA+1], al
		lea	eax, [ebp+var_FA+1]
		mov	[ebp+var_68], eax
		mov	al, [esi+24h]
		mov	byte ptr [ebp+var_FA], al
		lea	eax, [ebp+var_FA]
		mov	[ebp+var_58], eax
		mov	eax, [esi+0Ch]
		push	2
		pop	ecx
		mov	[ebp+var_118], eax
		lea	eax, [ebp+var_118]
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_80], ecx
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_48], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_11C], eax
		lea	eax, [ebp+var_11C]
		mov	[ebp+var_9C], edi
		mov	[ebp+var_94], edi
		push	4
		mov	[ebp+var_8C], edi
		mov	[ebp+var_84], edi
		mov	[ebp+var_7C], edi
		mov	[ebp+var_74], edi
		mov	[ebp+var_6C], edi
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_2C], edi
		mov	edi, [ebp+var_104]
		mov	ecx, edi
		sub	ecx, [esi+28h]
		mov	[ebp+var_D4], edx
		mov	[ebp+var_CC], edx
		mov	[ebp+var_C4], edx
		mov	[ebp+var_BC], edx
		mov	[ebp+var_B4], edx
		mov	[ebp+var_AC], edx
		mov	[ebp+var_A4], edx
		pop	edx
		mov	[ebp+var_38], eax
		mov	eax, ebx
		mov	[ebp+var_90], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_30], edx
		sbb	eax, [esi+2Ch]
		xor	esi, esi
		push	esi
		push	2710h
		push	eax
		push	ecx
		call	__aulldiv
		mov	[ebp+var_110], eax
		lea	eax, [ebp+var_110]
		push	8
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_108]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_FA+2]
		push	eax
		push	0Fh
		push	esi
		push	esi
		push	offset loc_41C687
		push	offset dword_6B2B18
		mov	[ebp+var_10C], edx
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_108], edi
		mov	[ebp+var_104], ebx
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_986A15:				; CODE XREF: PnpTraceRebalanceResult(x)+21j
					; PnpTraceRebalanceResult(x)+3Aj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_986A24:				; CODE XREF: PnpTraceRebalanceResult(x)+42j
					; PnpTraceRebalanceResult(x)+4Dj ...
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PnpTraceRequestDeviceRemovalForReset(x, x, x)
_PnpTraceRequestDeviceRemovalForReset@12:
					; CODE XREF: IoRequestDeviceRemovalForReset(x,x)+C5p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1D0h+var_130], eax
		mov	[esp+1D0h+var_1D0], edx
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_986A5A
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_986A5C
; 

loc_986A5A:				; CODE XREF: PnpTraceRebalanceResult(x)+28Cj
		xor	eax, eax

loc_986A5C:				; CODE XREF: PnpTraceRebalanceResult(x)+297j
		test	eax, eax
		jz	short loc_986A6E
		mov	ebx, [eax+0ACh]
		lea	esi, [eax+14h]
		lea	edi, [eax+1Ch]
		jmp	short loc_986A7A
; 

loc_986A6E:				; CODE XREF: PnpTraceRebalanceResult(x)+29Dj
		mov	esi, offset _PnpEmptyUnicodeString
		mov	ebx, 300h
		mov	edi, esi

loc_986A7A:				; CODE XREF: PnpTraceRebalanceResult(x)+2ABj
		cmp	dword_6B2B18, 5
		jbe	loc_986B8A
		push	4000h
		push	0
		mov	ecx, offset dword_6B2B18
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_986B8A
		lea	eax, [esp+1DCh+var_18C]
		mov	[esp+1DCh+var_1CC], ebx
		mov	[esp+1DCh+var_1A4], eax
		xor	edx, edx
		mov	eax, [esi+4]
		mov	[esp+1DCh+var_194], eax
		movzx	eax, word ptr [esi]
		mov	[esp+1DCh+var_18C], eax
		lea	eax, [esp+1DCh+var_16C]
		mov	[esp+1DCh+var_184], eax
		mov	eax, [edi+4]
		mov	[esp+1DCh+var_174], eax
		movzx	eax, word ptr [edi]
		mov	[esp+1DCh+var_16C], eax
		lea	eax, [esp+1DCh+var_1CC]
		mov	[esp+1DCh+var_164], eax
		mov	eax, [esp+1DCh+var_1D0]
		push	2
		pop	ecx
		mov	[esp+1DCh+var_1D0], eax
		lea	eax, [esp+1DCh+var_1D0]
		push	4
		mov	[esp+1E0h+var_154], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+1E0h+var_1C8], eax
		lea	eax, [esp+1E0h+var_1C8]
		mov	[esp+1E0h+var_19C], ecx
		mov	[esp+1E0h+var_17C], ecx
		pop	ecx
		mov	[esp+1DCh+var_144], eax
		lea	eax, [esp+1DCh+var_1C4]
		push	eax
		push	9
		push	edx
		push	edx
		push	offset loc_41C7DF
		push	offset dword_6B2B18
		mov	[esp+1F4h+var_1A0], edx
		mov	[esp+1F4h+var_198], edx
		mov	[esp+1F4h+var_190], edx
		mov	[esp+1F4h+var_188], edx
		mov	[esp+1F4h+var_180], edx
		mov	[esp+1F4h+var_178], edx
		mov	[esp+1F4h+var_170], edx
		mov	[esp+1F4h+var_168], edx
		mov	[esp+1F4h+var_160], edx
		mov	[esp+1F4h+var_15C], ecx
		mov	[esp+1F4h+var_158], edx
		mov	[esp+1F4h+var_150], edx
		mov	[esp+1F4h+var_14C], ecx
		mov	[esp+1F4h+var_148], edx
		mov	[esp+1F4h+var_140], edx
		mov	[esp+1F4h+var_13C], ecx
		mov	[esp+1F4h+var_138], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_986B8A:				; CODE XREF: PnpTraceRebalanceResult(x)+2C0j
					; PnpTraceRebalanceResult(x)+2D9j
		mov	ecx, [esp+1DCh+var_130]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_PnpTraceRebalanceResult@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpTraceSetDevNodeProblem(x, x, x, x, x, x,	x)
_PnpTraceSetDevNodeProblem@28 proc near	; CODE XREF: PipSetDevNodeProblem(x,x,x)+A5p

var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0D4h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		cmp	esi, 1
		jz	loc_986D55
		cmp	esi, 18h
		jnz	short loc_986BE2
		cmp	[ebp+arg_0], 314h
		jz	loc_986D55

loc_986BE2:				; CODE XREF: PnpTraceSetDevNodeProblem(x,x,x,x,x,x,x)+32j
		cmp	dword_6B2DD8, 5
		jbe	loc_986D55
		push	8000h
		push	0
		mov	ecx, offset dword_6B2DD8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_986D55
		lea	eax, [esp+0E0h+var_C0]
		mov	[esp+0E0h+var_C0], 1
		mov	[esp+0E0h+var_98], eax
		xor	edx, edx
		lea	eax, [esp+0E0h+var_70]
		mov	[esp+0E0h+var_BC], edx
		mov	[esp+0E0h+var_88], eax
		mov	eax, [ebx+4]
		mov	[esp+0E0h+var_78], eax
		movzx	eax, word ptr [ebx]
		xor	ebx, ebx
		mov	[esp+0E0h+var_70], eax
		lea	eax, [esp+0E0h+var_50]
		mov	[esp+0E0h+var_68], eax
		mov	eax, [edi+4]
		mov	[esp+0E0h+var_58], eax
		movzx	eax, word ptr [edi]
		mov	[esp+0E0h+var_50], eax
		lea	eax, [esp+0E0h+var_D0]
		mov	[esp+0E0h+var_48], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+0E0h+var_CC], eax
		lea	eax, [esp+0E0h+var_CC]
		mov	[esp+0E0h+var_38], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+0E0h+var_C8], eax
		lea	eax, [esp+0E0h+var_C8]
		push	2
		pop	ecx
		mov	[esp+0E0h+var_28], eax
		mov	eax, [ebp+arg_10]
		push	4
		mov	[esp+0E4h+var_C4], eax
		lea	eax, [esp+0E4h+var_C4]
		mov	[esp+0E4h+var_94], edx
		mov	[esp+0E4h+var_8C], edx
		mov	[esp+0E4h+var_84], edx
		mov	[esp+0E4h+var_7C], edx
		mov	[esp+0E4h+var_74], edx
		pop	edx
		mov	[esp+0E0h+var_18], eax
		lea	eax, [esp+0E0h+var_B8]
		push	eax
		push	0Bh
		mov	[esp+0E8h+var_80], ecx
		mov	[esp+0E8h+var_60], ecx
		mov	[esp+0E8h+var_40], edx
		mov	[esp+0E8h+var_30], edx
		mov	[esp+0E8h+var_20], edx
		mov	[esp+0E8h+var_10], edx
		mov	edx, offset loc_41C38B
		push	ecx
		mov	ecx, offset dword_6B2DD8
		mov	[esp+0ECh+var_90], 8
		mov	[esp+0ECh+var_6C], ebx
		mov	[esp+0ECh+var_64], ebx
		mov	[esp+0ECh+var_5C], ebx
		mov	[esp+0ECh+var_54], ebx
		mov	[esp+0ECh+var_4C], ebx
		mov	[esp+0ECh+var_D0], esi
		mov	[esp+0ECh+var_44], ebx
		mov	[esp+0ECh+var_3C], ebx
		mov	[esp+0ECh+var_34], ebx
		mov	[esp+0ECh+var_2C], ebx
		mov	[esp+0ECh+var_24], ebx
		mov	[esp+0ECh+var_1C], ebx
		mov	[esp+0ECh+var_14], ebx
		mov	[esp+0ECh+var_C], ebx
		call	__tlgWriteAgg@20 ; _tlgWriteAgg(x,x,x,x,x)

loc_986D55:				; CODE XREF: PnpTraceSetDevNodeProblem(x,x,x,x,x,x,x)+29j
					; PnpTraceSetDevNodeProblem(x,x,x,x,x,x,x)+3Bj	...
		mov	ecx, [esp+0E0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
_PnpTraceSetDevNodeProblem@28 endp


;  S U B	R O U T	I N E 


; __stdcall PiCslIsConsoleLocked()
_PiCslIsConsoleLocked@0	proc near	; CODE XREF: PipDmgEnforceEnumerationPolicy(x):loc_985B41p
					; PipDmgReevaluateQueue():loc_985BE6p
		xor	eax, eax
		cmp	_PipCslInitialized, al
		jnz	short loc_986D85
		push	eax
		push	eax
		push	eax
		push	10h
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_986D85:				; CODE XREF: PiCslIsConsoleLocked()+8j
		mov	ecx, _PipCslConsoleLockState
		sub	ecx, eax
		jz	short loc_986D9E
		sub	ecx, 1
		jz	short locret_986DA0
		sub	ecx, 1
		jz	short loc_986D9E
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_986D9E:				; CODE XREF: PiCslIsConsoleLocked()+21j
					; PiCslIsConsoleLocked()+2Bj
		mov	al, 1

locret_986DA0:				; CODE XREF: PiCslIsConsoleLocked()+26j
		retn
_PiCslIsConsoleLocked@0	endp ; sp = -14h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpCompareMultiSz(x, x, x)
_PnpCompareMultiSz@12 proc near		; CODE XREF: PipGetPersistentMemory(x,x,x,x,x)+4AAp
					; PiSwDeviceFree(x)+151p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		mov	esi, edx
		xor	ebx, ebx
		mov	edx, 7FFFFFFFh
		push	eax
		mov	edi, ecx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		call	_PnpGetMultiSzLength@12	; PnpGetMultiSzLength(x,x,x)
		test	eax, eax
		js	short loc_986DFA
		lea	eax, [ebp+var_8]
		mov	edx, 7FFFFFFFh
		push	eax
		mov	ecx, esi
		call	_PnpGetMultiSzLength@12	; PnpGetMultiSzLength(x,x,x)
		test	eax, eax
		js	short loc_986DFA
		mov	eax, [ebp+var_8]
		cmp	[ebp+var_4], eax
		jnz	short loc_986DFA
		push	[ebp+arg_0]
		push	eax
		push	esi
		push	[ebp+var_4]
		push	edi
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		neg	eax
		sbb	al, al
		lea	ebx, [eax+1]

loc_986DFA:				; CODE XREF: PnpCompareMultiSz(x,x,x)+26j
					; PnpCompareMultiSz(x,x,x)+3Aj	...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
_PnpCompareMultiSz@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiRearrangeDeviceInstances(x, x, x)
_PiRearrangeDeviceInstances@12 proc near ; CODE	XREF: PiProcessDriverInstance+6D1C8p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_4C]
		push	ebx		; int
		push	eax		; void *
		mov	esi, edx
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_60], ebx
		lea	eax, [ebp+var_60]
		mov	[ebp+var_5C], ebx
		push	eax
		push	30h
		lea	eax, [ebp+var_4C]
		push	eax
		push	2
		push	edi
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		push	esi		; char
		push	offset ??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@	; wchar_t *
		push	ebx		; int
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_50]
		push	ebx		; int
		push	eax		; int
		lea	eax, [ebp+var_1C]
		push	0Ah		; int
		push	eax		; void *
		call	RtlStringCchPrintfExW
		mov	eax, [ebp+var_50]
		lea	ecx, [ebp+var_1C]
		add	esp, 1Ch
		sub	eax, ecx
		sar	eax, 1
		push	14h
		pop	esi
		mov	word ptr [ebp+var_58+2], si
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_986E81
		mov	word ptr [ebp+var_58], si
		jmp	short loc_986E87
; 

loc_986E81:				; CODE XREF: PiRearrangeDeviceInstances(x,x,x)+76j
		add	eax, eax
		mov	word ptr [ebp+var_58], ax

loc_986E87:				; CODE XREF: PiRearrangeDeviceInstances(x,x,x)+7Cj
		lea	eax, [ebp+var_1C]
		mov	ecx, edi
		mov	[ebp+var_54], eax
		lea	edx, [ebp+var_1C]
		lea	eax, [ebp+var_5C]
		push	eax
		push	ebx
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_986F15
		lea	eax, [ebp+var_58]
		push	eax
		push	edi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		push	dword ptr [ebp+arg_0] ;	char
		lea	eax, [ebp+var_1C]
		push	offset ??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@	; wchar_t *
		push	ebx		; int
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_50]
		push	ebx		; int
		push	eax		; int
		lea	eax, [ebp+var_1C]
		push	0Ah		; int
		push	eax		; void *
		call	RtlStringCchPrintfExW
		mov	eax, [ebp+var_50]
		lea	ecx, [ebp+var_1C]
		sub	eax, ecx
		mov	word ptr [ebp+var_58+2], si
		sar	eax, 1
		add	esp, 1Ch
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_986EE5
		mov	word ptr [ebp+var_58], si
		jmp	short loc_986EEB
; 

loc_986EE5:				; CODE XREF: PiRearrangeDeviceInstances(x,x,x)+DAj
		add	eax, eax
		mov	word ptr [ebp+var_58], ax

loc_986EEB:				; CODE XREF: PiRearrangeDeviceInstances(x,x,x)+E0j
		mov	esi, [ebp+var_5C]
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_54], eax
		push	dword ptr [esi+0Ch]
		mov	eax, [esi+8]
		add	eax, esi
		push	eax
		push	1
		push	ebx
		lea	eax, [ebp+var_58]
		push	eax
		push	edi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, ebx
		jmp	short loc_986F18
; 

loc_986F15:				; CODE XREF: PiRearrangeDeviceInstances(x,x,x)+9Bj
		mov	eax, [ebp+var_5C]

loc_986F18:				; CODE XREF: PiRearrangeDeviceInstances(x,x,x)+110j
		test	eax, eax
		jz	short loc_986F23
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_986F23:				; CODE XREF: PiRearrangeDeviceInstances(x,x,x)+117j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PiRearrangeDeviceInstances@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAppendLegacyVeto(x, x)
_IopAppendLegacyVeto@8 proc near	; CODE XREF: PopRemoveReasonRecordByReasonCode+14A705p
					; IopGetLegacyVetoListDeviceNode+149E31p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		mov	edi, ecx
		mov	[ebp+var_4], eax
		push	6F697050h
		movzx	esi, word ptr [eax]
		mov	eax, [edi+4]
		add	eax, 2
		add	eax, esi
		push	eax
		push	200h
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_986FBB
		mov	esi, [edi]
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_986F89
		push	dword ptr [edi+4] ; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [edi]

loc_986F89:				; CODE XREF: IopAppendLegacyVeto(x,x)+3Bj
		mov	ecx, [ebp+var_4]
		movzx	eax, word ptr [ecx]
		push	eax		; size_t
		mov	eax, [edi+4]
		push	dword ptr [ecx+4] ; void *
		shr	eax, 1
		lea	eax, [ebx+eax*2]
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_8]
		add	esp, 0Ch
		mov	eax, ecx
		mov	[edi+4], ecx
		shr	eax, 1
		xor	edx, edx
		mov	[ebx+eax*2-2], dx
		mov	al, 1
		mov	[esi], ebx
		jmp	short loc_986FC6
; 

loc_986FBB:				; CODE XREF: IopAppendLegacyVeto(x,x)+33j
		mov	eax, [edi+0Ch]
		mov	dword ptr [eax], 0C000009Ah
		xor	al, al

loc_986FC6:				; CODE XREF: IopAppendLegacyVeto(x,x)+85j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopAppendLegacyVeto@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IopCreateLegacyDeviceIds(size_t)
_IopCreateLegacyDeviceIds@12 proc near	; CODE XREF: IoReportDetectedDevice+891ECp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_C], edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		push	esi
		push	edi
		mov	edi, eax
		test	ecx, ecx
		jz	short loc_986FF7
		mov	eax, [ecx+0B0h]
		mov	ebx, [eax+14h]
		xor	eax, eax
		jmp	short loc_986FF9
; 

loc_986FF7:				; CODE XREF: IopCreateLegacyDeviceIds(x,x,x)+1Dj
		mov	ebx, eax

loc_986FF9:				; CODE XREF: IopCreateLegacyDeviceIds(x,x,x)+2Aj
		test	ebx, ebx
		jz	loc_9870F3
		cmp	[ebx+18h], eax
		jz	loc_9870F3
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_987023
		mov	esi, [esi+4]
		cmp	esi, 12h
		jg	short loc_98701E
		cmp	esi, 0FFFFFFFFh
		jge	short loc_987025

loc_98701E:				; CODE XREF: IopCreateLegacyDeviceIds(x,x,x)+4Cj
		push	12h
		pop	esi
		jmp	short loc_987025
; 

loc_987023:				; CODE XREF: IopCreateLegacyDeviceIds(x,x,x)+44j
		mov	esi, eax

loc_987025:				; CODE XREF: IopCreateLegacyDeviceIds(x,x,x)+51j
					; IopCreateLegacyDeviceIds(x,x,x)+56j
		mov	ecx, ds:off_404CBC[esi*4]
		lea	edi, [ecx+2]

loc_98702F:				; CODE XREF: IopCreateLegacyDeviceIds(x,x,x)+6Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_10]
		jnz	short loc_98702F
		movzx	eax, word ptr [edx]
		sub	ecx, edi
		sar	ecx, 1
		add	eax, ecx
		push	6F697050h
		lea	eax, ds:2Ah[eax*2]
		push	eax
		push	1
		mov	[ebp+arg_0], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_98706B
		mov	esi, 0C000009Ah
		jmp	loc_987105
; 

loc_98706B:				; CODE XREF: IopCreateLegacyDeviceIds(x,x,x)+94j
		push	[ebp+arg_0]	; size_t
		xor	eax, eax
		push	eax		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		push	[ebp+var_C]
		push	ds:off_404CBC[esi*4]
		push	offset ??_C@_1BC@EIDCNHE@?$AAD?$AAE?$AAT?$AAE?$AAC?$AAT?$AAE?$AAD@NNGAKEGL@ ; char
		push	offset ??_C@_1BG@IIJBKLDM@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ ; wchar_t *
		push	eax		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		lea	eax, [ebp+var_4]
		push	eax		; int
		mov	eax, [ebp+arg_0]
		shr	eax, 1
		push	eax		; int
		push	edi		; void *
		call	RtlStringCchPrintfExW
		mov	esi, eax
		add	esp, 24h
		test	esi, esi
		js	short loc_9870F8
		push	[ebp+var_C]
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		add	ecx, 2
		push	offset ??_C@_1BC@EIDCNHE@?$AAD?$AAE?$AAT?$AAE?$AAC?$AAT?$AAE?$AAD@NNGAKEGL@ ; char
		dec	eax
		push	offset ??_C@_1BA@CHNIAAL@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ ;	wchar_t	*
		push	eax		; int
		push	ecx		; wchar_t *
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 14h
		test	esi, esi
		js	short loc_9870F8
		mov	edx, [ebx+18h]
		xor	eax, eax
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	[ebp+arg_0]
		push	edi
		push	7
		push	3
		push	eax
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_9870F8
; 

loc_9870F3:				; CODE XREF: IopCreateLegacyDeviceIds(x,x,x)+30j
					; IopCreateLegacyDeviceIds(x,x,x)+39j
		mov	esi, 0C000000Dh

loc_9870F8:				; CODE XREF: IopCreateLegacyDeviceIds(x,x,x)+E1j
					; IopCreateLegacyDeviceIds(x,x,x)+108j	...
		test	edi, edi
		jz	short loc_987105
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_987105:				; CODE XREF: IopCreateLegacyDeviceIds(x,x,x)+9Bj
					; IopCreateLegacyDeviceIds(x,x,x)+12Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_IopCreateLegacyDeviceIds@12 endp


;  S U B	R O U T	I N E 


; __stdcall PnpCopyResourceList(x)
_PnpCopyResourceList@4 proc near	; CODE XREF: PiUpdateDeviceResourceLists(x)+53p
					; PiUpdateDeviceResourceLists(x)+68p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_987142
		push	75737050h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_987142
		push	edi		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, esi
		jmp	short loc_987144
; 

loc_987142:				; CODE XREF: PnpCopyResourceList(x)+10j
					; PnpCopyResourceList(x)+23j
		xor	eax, eax

loc_987144:				; CODE XREF: PnpCopyResourceList(x)+32j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PnpCopyResourceList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopAddRelationToList(x, x, x, x)
_IopAddRelationToList@16 proc near	; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+ABp
					; PnpDequeuePendingSurpriseRemoval(x)+15Ep ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_987167
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_987169
; 

loc_987167:				; CODE XREF: IopAddRelationToList(x,x,x,x)+12j
		xor	eax, eax

loc_987169:				; CODE XREF: IopAddRelationToList(x,x,x,x)+1Dj
		test	eax, eax
		jnz	short loc_987174
		mov	eax, 0C000000Eh
		jmp	short loc_9871C5
; 

loc_987174:				; CODE XREF: IopAddRelationToList(x,x,x,x)+23j
		mov	ecx, [edi]
		lea	eax, [ebp+var_4]
		push	eax
		push	dword ptr [ecx]
		call	_PipDeviceObjectListIndexOf@16 ; PipDeviceObjectListIndexOf(x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9871AE
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+arg_0]
		mov	edx, [ecx+4]
		cmp	eax, edx
		jg	short loc_987195
		mov	eax, edx

loc_987195:				; CODE XREF: IopAddRelationToList(x,x,x,x)+49j
		cmp	[ebp+arg_4], 1
		mov	[ecx+4], eax
		jnz	short loc_9871A7
		mov	eax, [edi]
		inc	dword ptr [eax+8]
		or	dword ptr [ecx+0Ch], 1

loc_9871A7:				; CODE XREF: IopAddRelationToList(x,x,x,x)+54j
		mov	eax, 0C0000035h
		jmp	short loc_9871C5
; 

loc_9871AE:				; CODE XREF: IopAddRelationToList(x,x,x,x)+3Cj
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+arg_0]
		call	_PipDeviceObjectListAdd@16 ; PipDeviceObjectListAdd(x,x,x,x)
		test	eax, eax
		js	short loc_9871C5
		mov	byte ptr [edi+4], 0

loc_9871C5:				; CODE XREF: IopAddRelationToList(x,x,x,x)+2Aj
					; IopAddRelationToList(x,x,x,x)+64j ...
		pop	edi
		pop	esi
		leave
		retn	8
_IopAddRelationToList@16 endp


;  S U B	R O U T	I N E 


; __stdcall IopAllocateRelationList(x)
_IopAllocateRelationList@4 proc	near	; CODE XREF: PnpBuildRemovalRelationList(x,x,x,x)+1Fp
					; PnpCancelRemoveOnHungDevices(x,x,x,x,x)+47p ...
		mov	edi, edi
		push	esi
		push	edi
		push	54706E50h
		xor	edx, edx
		mov	edi, ecx
		push	8
		inc	edx
		call	_PnpAllocateCriticalMemory@16 ;	PnpAllocateCriticalMemory(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_987205
		push	8
		pop	edx
		mov	ecx, edi
		call	_PiAllocateDeviceObjectList@8 ;	PiAllocateDeviceObjectList(x,x)
		mov	[esi], eax
		test	eax, eax
		jnz	short loc_987201
		mov	ecx, esi
		call	_IopFreeRelationList@4 ; IopFreeRelationList(x)
		xor	esi, esi
		jmp	short loc_987205
; 

loc_987201:				; CODE XREF: IopAllocateRelationList(x)+29j
		mov	byte ptr [esi+4], 0

loc_987205:				; CODE XREF: IopAllocateRelationList(x)+19j
					; IopAllocateRelationList(x)+34j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_IopAllocateRelationList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCheckIfMergeRequired(x, x)
_IopCheckIfMergeRequired@8 proc	near	; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+62p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	eax, ecx
		mov	ebx, edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		jmp	short loc_98722E
; 

loc_98722C:				; CODE XREF: IopCheckIfMergeRequired(x,x)+92j
					; IopCheckIfMergeRequired(x,x)+C2j
		xor	edi, edi

loc_98722E:				; CODE XREF: IopCheckIfMergeRequired(x,x)+20j
		push	edi
		push	edi
		lea	ecx, [ebp+var_4]
		push	ecx
		lea	edx, [ebp+var_18]
		mov	ecx, eax
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	loc_9872D5
		mov	edx, [ebp+var_4]
		test	edx, edx
		jz	short loc_987258
		mov	eax, [edx+0B0h]
		mov	esi, [eax+14h]
		jmp	short loc_98725A
; 

loc_987258:				; CODE XREF: IopCheckIfMergeRequired(x,x)+41j
		mov	esi, edi

loc_98725A:				; CODE XREF: IopCheckIfMergeRequired(x,x)+4Cj
		mov	ecx, [ebx]
		push	edi
		push	dword ptr [ecx]
		call	_PipDeviceObjectListIndexOf@16 ; PipDeviceObjectListIndexOf(x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9872D1
		mov	edx, [esi+8]
		test	edx, edx
		jnz	short loc_987279
		mov	edx, [esi+19Ch]
		and	edx, 0FFFFFFFEh

loc_987279:				; CODE XREF: IopCheckIfMergeRequired(x,x)+64j
		mov	ecx, [ebx]
		mov	edx, [edx+10h]
		push	edi
		push	dword ptr [ecx]
		call	_PipDeviceObjectListIndexOf@16 ; PipDeviceObjectListIndexOf(x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9872D1
		mov	ecx, [esi+10h]
		call	_PiGetProviderList@4 ; PiGetProviderList(x)
		mov	edi, eax
		mov	eax, [ebp+var_C]
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_98722C

loc_98729E:				; CODE XREF: IopCheckIfMergeRequired(x,x)+BDj
		lea	eax, [ebp+var_10]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_8]
		call	_PiEnumerateProviderListEntry@12 ; PiEnumerateProviderListEntry(x,x,x)
		mov	edx, [ebp+var_8]
		mov	esi, [esi]
		test	edx, edx
		jz	short loc_9872C5
		mov	ecx, [ebx]
		push	0
		push	dword ptr [ecx]
		call	_PipDeviceObjectListIndexOf@16 ; PipDeviceObjectListIndexOf(x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9872D1

loc_9872C5:				; CODE XREF: IopCheckIfMergeRequired(x,x)+A9j
		cmp	esi, edi
		jnz	short loc_98729E
		mov	eax, [ebp+var_C]
		jmp	loc_98722C
; 

loc_9872D1:				; CODE XREF: IopCheckIfMergeRequired(x,x)+5Dj
					; IopCheckIfMergeRequired(x,x)+7Fj ...
		mov	al, 1
		jmp	short loc_9872D7
; 

loc_9872D5:				; CODE XREF: IopCheckIfMergeRequired(x,x)+36j
		xor	al, al

loc_9872D7:				; CODE XREF: IopCheckIfMergeRequired(x,x)+C9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopCheckIfMergeRequired@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopEnumerateRelations(x, x,	x, x, x)
_IopEnumerateRelations@20 proc near	; CODE XREF: PnpCancelRemoveOnHungDevices(x,x,x,x,x)+7Bp
					; PnpCancelRemoveOnHungDevices(x,x,x,x,x)+D4p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		xor	eax, eax
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ecx], eax
		test	edi, edi
		jz	short loc_9872F9
		mov	[edi], eax

loc_9872F9:				; CODE XREF: IopEnumerateRelations(x,x,x,x,x)+19j
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_987302
		mov	[esi], eax

loc_987302:				; CODE XREF: IopEnumerateRelations(x,x,x,x,x)+22j
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	short loc_98730D
		cmp	[edx+4], al
		jz	short loc_987349

loc_98730D:				; CODE XREF: IopEnumerateRelations(x,x,x,x,x)+2Aj
		mov	edi, [edx]
		mov	edx, [ebx+4]
		mov	[ebp+var_4], edi
		mov	edi, [edi]
		cmp	edx, edi
		mov	[ebp+arg_8], edi
		mov	edi, [ebp+arg_4]
		jnb	short loc_987349
		test	ecx, ecx
		js	short loc_987349
		cmp	ecx, 1
		jle	short loc_987334
		cmp	ecx, 2
		jnz	short loc_987349
		not	edx
		add	edx, [ebp+arg_8]

loc_987334:				; CODE XREF: IopEnumerateRelations(x,x,x,x,x)+4Cj
		mov	ecx, [ebp+var_4]
		push	esi
		push	edi
		push	[ebp+arg_0]
		call	_PipDeviceObjectListElementAt@20 ; PipDeviceObjectListElementAt(x,x,x,x,x)
		test	eax, eax
		setns	al
		inc	dword ptr [ebx+4]

loc_987349:				; CODE XREF: IopEnumerateRelations(x,x,x,x,x)+2Fj
					; IopEnumerateRelations(x,x,x,x,x)+43j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_IopEnumerateRelations@20 endp


;  S U B	R O U T	I N E 


; __stdcall IopFreeRelationList(x)
_IopFreeRelationList@4 proc near	; CODE XREF: PipRemoveDevicesInRelationList(x)+8Ap
					; PnpBuildRemovalRelationList(x,x,x,x):loc_96A307p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_98737E
		push	edi
		mov	edi, [esi]
		test	edi, edi
		jz	short loc_987372
		mov	ecx, edi
		call	_PiClearDeviceObjectList@4 ; PiClearDeviceObjectList(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0

loc_987372:				; CODE XREF: IopFreeRelationList(x)+Ej
		push	54706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi

loc_98737E:				; CODE XREF: IopFreeRelationList(x)+7j
		pop	esi
		retn
_IopFreeRelationList@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopIsDescendantNode(x, x)
_IopIsDescendantNode@8 proc near	; CODE XREF: PnpQueuePendingSurpriseRemoval(x,x,x,x)+16Dp
					; PnpUnlinkDeviceRemovalRelations(x,x,x)+53p
		test	edx, edx
		jz	short loc_98738F
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_987391
; 

loc_98738F:				; CODE XREF: IopIsDescendantNode(x,x)+2j
		xor	eax, eax

loc_987391:				; CODE XREF: IopIsDescendantNode(x,x)+Dj
		mov	edx, [eax+8]
		test	edx, edx
		jnz	short loc_9873A1
		mov	edx, [eax+19Ch]
		and	edx, 0FFFFFFFEh

loc_9873A1:				; CODE XREF: IopIsDescendantNode(x,x)+16j
		mov	ecx, [ecx]
		mov	edx, [edx+10h]
		push	0
		push	dword ptr [ecx]
		call	_PipDeviceObjectListIndexOf@16 ; PipDeviceObjectListIndexOf(x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		setnz	al
		retn
_IopIsDescendantNode@8 endp


;  S U B	R O U T	I N E 


; __stdcall IopIsRelationInList(x, x)
_IopIsRelationInList@8 proc near	; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+10Bp
					; PnpProcessRelation(x,x,x,x,x)+48Fp
		mov	ecx, [ecx]
		push	0
		push	dword ptr [ecx]
		call	_PipDeviceObjectListIndexOf@16 ; PipDeviceObjectListIndexOf(x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		setnz	al
		retn
_IopIsRelationInList@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopMergeRelationLists(x, x,	x)
_IopMergeRelationLists@12 proc near	; CODE XREF: PnpProcessRelation(x,x,x,x,x)+4D7p
					; PnpQueuePendingSurpriseRemoval(x,x,x,x)+87p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ecx]
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax]
		mov	edi, edx
		xor	ebx, ebx
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_14], eax
		mov	esi, [edi]
		mov	[ebp+var_C], ebx
		cmp	[esi], ebx
		jbe	loc_98747E
		mov	edi, ebx
		jmp	short loc_9873F8
; 

loc_9873F5:				; CODE XREF: IopMergeRelationLists(x,x,x)+A4j
		mov	ecx, [ebp+var_8]

loc_9873F8:				; CODE XREF: IopMergeRelationLists(x,x,x)+2Bj
		mov	ecx, [ecx]
		lea	edx, [ebp+var_18]
		push	edx
		mov	edx, [edi+esi+10h]
		push	eax
		call	_PipDeviceObjectListIndexOf@16 ; PipDeviceObjectListIndexOf(x,x,x,x)
		test	eax, eax
		js	short loc_987425
		mov	[ebp+var_1], 1
		cmp	[ebp+arg_0], bl
		jz	short loc_987421
		test	byte ptr [edi+esi+1Ch],	1
		jz	short loc_987421
		xor	eax, eax
		inc	eax
		jmp	short loc_987430
; 

loc_987421:				; CODE XREF: IopMergeRelationLists(x,x,x)+4Bj
					; IopMergeRelationLists(x,x,x)+52j
		mov	eax, ebx
		jmp	short loc_987430
; 

loc_987425:				; CODE XREF: IopMergeRelationLists(x,x,x)+42j
		movzx	eax, byte ptr [edi+esi+1Ch]
		mov	[ebp+var_1], bl
		and	eax, 1

loc_987430:				; CODE XREF: IopMergeRelationLists(x,x,x)+57j
					; IopMergeRelationLists(x,x,x)+5Bj
		mov	edx, [edi+esi+10h]
		mov	ecx, [ebp+var_8]
		push	eax
		push	dword ptr [edi+esi+14h]
		call	_IopAddRelationToList@16 ; IopAddRelationToList(x,x,x,x)
		mov	ecx, eax
		cmp	[ebp+var_1], bl
		jz	short loc_987454
		lea	eax, [ecx+3FFFFFCBh]
		neg	eax
		sbb	eax, eax
		and	ecx, eax

loc_987454:				; CODE XREF: IopMergeRelationLists(x,x,x)+7Ej
		test	ecx, ecx
		js	short loc_98747A
		mov	eax, [ebp+var_10]
		add	edi, 10h
		mov	ecx, [ebp+var_C]
		inc	ecx
		mov	[ebp+var_C], ecx
		mov	esi, [eax]
		mov	eax, [ebp+var_14]
		cmp	ecx, [esi]
		jb	short loc_9873F5
		mov	edx, [ebp+var_8]
		mov	edi, [ebp+var_10]
		mov	eax, [edx]
		mov	eax, [eax]
		jmp	short loc_987480
; 

loc_98747A:				; CODE XREF: IopMergeRelationLists(x,x,x)+8Ej
		mov	ebx, ecx
		jmp	short loc_98748A
; 

loc_98747E:				; CODE XREF: IopMergeRelationLists(x,x,x)+23j
		mov	edx, ecx

loc_987480:				; CODE XREF: IopMergeRelationLists(x,x,x)+B0j
		test	eax, eax
		jnz	short loc_98748A
		mov	cl, [edi+4]
		mov	[edx+4], cl

loc_98748A:				; CODE XREF: IopMergeRelationLists(x,x,x)+B4j
					; IopMergeRelationLists(x,x,x)+BAj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_IopMergeRelationLists@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopRemoveCurrentRelationFromList(x,	x, x)
_IopRemoveCurrentRelationFromList@12 proc near
					; CODE XREF: PnpUnlinkDeviceRemovalRelations(x,x,x)+125p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ecx
		mov	eax, [esi]
		cmp	eax, 1
		jz	short loc_9874BB
		test	eax, eax
		jz	short loc_9874BB
		mov	eax, 0C00000BBh
		jmp	short loc_9874F7
; 

loc_9874BB:				; CODE XREF: IopRemoveCurrentRelationFromList(x,x,x)+1Bj
					; IopRemoveCurrentRelationFromList(x,x,x)+1Fj
		push	edi
		mov	edi, [esi+4]
		lea	eax, [ebp+var_4]
		push	ecx
		push	ecx
		mov	ecx, [ebx]
		dec	edi
		push	eax
		mov	edx, edi
		call	_PipDeviceObjectListElementAt@20 ; PipDeviceObjectListElementAt(x,x,x,x,x)
		mov	eax, [ebp+var_8]
		cmp	[ebp+var_4], eax
		jz	short loc_9874DE
		mov	eax, 0C000000Eh
		jmp	short loc_9874F6
; 

loc_9874DE:				; CODE XREF: IopRemoveCurrentRelationFromList(x,x,x)+42j
		mov	ecx, [ebx]
		mov	edx, edi
		call	_PipDeviceObjectListRemove@8 ; PipDeviceObjectListRemove(x,x)
		cmp	dword ptr [esi], 1
		ja	short loc_9874F1
		mov	[esi+4], edi
		jmp	short loc_9874F6
; 

loc_9874F1:				; CODE XREF: IopRemoveCurrentRelationFromList(x,x,x)+57j
		mov	eax, 0C00000BBh

loc_9874F6:				; CODE XREF: IopRemoveCurrentRelationFromList(x,x,x)+49j
					; IopRemoveCurrentRelationFromList(x,x,x)+5Cj
		pop	edi

loc_9874F7:				; CODE XREF: IopRemoveCurrentRelationFromList(x,x,x)+26j
		pop	esi
		pop	ebx
		leave
		retn	4
_IopRemoveCurrentRelationFromList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopRemoveDeviceRelationsFromList(x)
_IopRemoveDeviceRelationsFromList@4 proc near
					; CODE XREF: PiInvalidateSpeculativeRelations(x,x)+24j

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, [edi]
		mov	esi, [eax]
		jmp	short loc_987534
; 

loc_987512:				; CODE XREF: IopRemoveDeviceRelationsFromList(x)+3Aj
		mov	ecx, [edi]
		lea	eax, [ebp+var_4]
		push	0
		push	eax
		lea	eax, [ebp+var_8]
		mov	edx, esi
		push	eax
		call	_PipDeviceObjectListElementAt@20 ; PipDeviceObjectListElementAt(x,x,x,x,x)
		cmp	[ebp+var_4], 0
		jnz	short loc_987534
		mov	ecx, [edi]
		mov	edx, esi
		call	_PipDeviceObjectListRemove@8 ; PipDeviceObjectListRemove(x,x)

loc_987534:				; CODE XREF: IopRemoveDeviceRelationsFromList(x)+13j
					; IopRemoveDeviceRelationsFromList(x)+2Cj
		sub	esi, 1
		jns	short loc_987512
		pop	edi
		xor	eax, eax
		pop	esi
		leave
		retn
_IopRemoveDeviceRelationsFromList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopRemoveRelationFromList(x, x)
_IopRemoveRelationFromList@8 proc near	; CODE XREF: PipRemoveDevicesInRelationList(x)+79p
					; PnpProcessRelation(x,x,x,x,x)+4BAp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [ebp+var_4]
		push	edi
		mov	ecx, [esi]
		mov	eax, [ecx]
		push	eax
		call	_PipDeviceObjectListIndexOf@16 ; PipDeviceObjectListIndexOf(x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_987563
		mov	eax, 0C000000Eh
		jmp	short loc_98756C
; 

loc_987563:				; CODE XREF: IopRemoveRelationFromList(x,x)+1Bj
		mov	ecx, [esi]
		mov	edx, eax
		call	_PipDeviceObjectListRemove@8 ; PipDeviceObjectListRemove(x,x)

loc_98756C:				; CODE XREF: IopRemoveRelationFromList(x,x)+22j
		pop	edi
		pop	esi
		leave
		retn
_IopRemoveRelationFromList@8 endp


;  S U B	R O U T	I N E 


; __stdcall IopReverseEnumerationOrder(x, x)
_IopReverseEnumerationOrder@8 proc near	; CODE XREF: PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)+176p
		cmp	dword ptr [edx], 1
		mov	eax, ecx
		push	esi
		jnz	short loc_98758D
		mov	ecx, [edx+4]
		test	ecx, ecx
		jz	short loc_98758D
		dec	ecx
		mov	[edx+4], ecx
		not	ecx
		mov	eax, [eax]
		push	2
		add	ecx, [eax]
		jmp	short loc_987591
; 

loc_98758D:				; CODE XREF: IopReverseEnumerationOrder(x,x)+6j
					; IopReverseEnumerationOrder(x,x)+Dj
		push	3
		xor	ecx, ecx

loc_987591:				; CODE XREF: IopReverseEnumerationOrder(x,x)+1Bj
		pop	esi
		mov	[edx+4], ecx
		mov	[edx], esi
		pop	esi
		retn
_IopReverseEnumerationOrder@8 endp


;  S U B	R O U T	I N E 


; __stdcall IopSetAllRelationsTags(x, x)
_IopSetAllRelationsTags@8 proc near	; CODE XREF: PnpDequeuePendingSurpriseRemoval(x)+98p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	edx, edx
		mov	eax, [esi]
		cmp	[eax], edx
		jbe	short loc_9875B7
		xor	ecx, ecx

loc_9875A8:				; CODE XREF: IopSetAllRelationsTags(x,x)+1Cj
		and	dword ptr [ecx+eax+1Ch], 0FFFFFFFEh
		lea	ecx, [ecx+10h]
		mov	eax, [esi]
		inc	edx
		cmp	edx, [eax]
		jb	short loc_9875A8

loc_9875B7:				; CODE XREF: IopSetAllRelationsTags(x,x)+Bj
		and	dword ptr [eax+8], 0
		pop	esi
		retn
_IopSetAllRelationsTags@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSetRelationsTag(x, x, x)
_IopSetRelationsTag@12 proc near	; CODE XREF: PnpChainDereferenceComplete(x,x)+3Ep
					; PnpDequeuePendingSurpriseRemoval(x)+DBp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		lea	eax, [ebp+var_4]
		push	eax
		xor	esi, esi
		mov	[ebp+var_4], esi
		mov	ecx, [edi]
		push	dword ptr [ecx]
		call	_PipDeviceObjectListIndexOf@16 ; PipDeviceObjectListIndexOf(x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9875FD
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+0Ch]
		test	al, 1
		jz	short loc_9875F0
		mov	eax, [edi]
		dec	dword ptr [eax+8]
		mov	eax, [ecx+0Ch]

loc_9875F0:				; CODE XREF: IopSetRelationsTag(x,x,x)+29j
		or	eax, 1
		mov	[ecx+0Ch], eax
		mov	eax, [edi]
		inc	dword ptr [eax+8]
		jmp	short loc_987602
; 

loc_9875FD:				; CODE XREF: IopSetRelationsTag(x,x,x)+1Fj
		mov	esi, 0C000000Eh

loc_987602:				; CODE XREF: IopSetRelationsTag(x,x,x)+3Ej
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
_IopSetRelationsTag@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopSortRelationListForRemove(x)
_IopSortRelationListForRemove@4	proc near ; CODE XREF: PipRemoveDevicesInRelationList(x)+44p
					; PnpBuildRemovalRelationList(x,x,x,x)+4Bp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	[ebp+var_10], ebx
		cmp	[edi+4], bl
		jnz	loc_98773C
		xor	cl, cl
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	esi, [edi]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], ebx
		cmp	[esi], ebx
		jbe	loc_987726
		mov	eax, ebx
		mov	[ebp+var_C], ebx

loc_987641:				; CODE XREF: IopSortRelationListForRemove(x)+FFj
		mov	eax, [eax+esi+10h]
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_987657
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_987659
; 

loc_987657:				; CODE XREF: IopSortRelationListForRemove(x)+40j
		mov	eax, ebx

loc_987659:				; CODE XREF: IopSortRelationListForRemove(x)+4Bj
		mov	edx, [eax+8]
		test	edx, edx
		jnz	short loc_987670
		mov	edx, [eax+19Ch]
		and	edx, 0FFFFFFFEh
		jnz	short loc_987670
		mov	[ebp+var_1], bl
		jmp	short loc_987684
; 

loc_987670:				; CODE XREF: IopSortRelationListForRemove(x)+54j
					; IopSortRelationListForRemove(x)+5Fj
		mov	edx, [edx+10h]
		mov	ecx, esi
		push	ebx
		push	dword ptr [esi]
		call	_PipDeviceObjectListIndexOf@16 ; PipDeviceObjectListIndexOf(x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		setnz	[ebp+var_1]

loc_987684:				; CODE XREF: IopSortRelationListForRemove(x)+64j
		mov	ecx, [ebp+var_14]
		mov	dl, bl
		call	_PiGetProviderList@4 ; PiGetProviderList(x)
		mov	ecx, eax
		mov	[ebp+var_1C], ecx
		mov	eax, [ecx]
		mov	[ebp+var_14], eax
		cmp	eax, ecx
		jz	short loc_9876CF

loc_98769C:				; CODE XREF: IopSortRelationListForRemove(x)+C1j
		lea	ecx, [ebp+var_20]
		push	ecx
		lea	edx, [ebp+var_10]
		mov	ecx, eax
		call	_PiEnumerateProviderListEntry@12 ; PiEnumerateProviderListEntry(x,x,x)
		mov	edx, [ebp+var_10]
		test	edx, edx
		jz	short loc_9876C0
		mov	ecx, [edi]
		push	ebx
		push	dword ptr [ecx]
		call	_PipDeviceObjectListIndexOf@16 ; PipDeviceObjectListIndexOf(x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9876E9

loc_9876C0:				; CODE XREF: IopSortRelationListForRemove(x)+A5j
		mov	eax, [ebp+var_14]
		mov	eax, [eax]
		mov	[ebp+var_14], eax
		cmp	eax, [ebp+var_1C]
		jnz	short loc_98769C
		mov	dl, bl

loc_9876CF:				; CODE XREF: IopSortRelationListForRemove(x)+90j
					; IopSortRelationListForRemove(x)+E1j
		cmp	[ebp+var_1], bl
		jnz	short loc_9876ED
		test	dl, dl
		jnz	short loc_9876ED
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		or	dword ptr [eax+esi+1Ch], 4
		inc	ecx
		mov	[ebp+var_8], ecx
		jmp	short loc_9876F8
; 

loc_9876E9:				; CODE XREF: IopSortRelationListForRemove(x)+B4j
		mov	dl, 1
		jmp	short loc_9876CF
; 

loc_9876ED:				; CODE XREF: IopSortRelationListForRemove(x)+C8j
					; IopSortRelationListForRemove(x)+CCj
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		and	dword ptr [eax+esi+1Ch], 0FFFFFFFBh

loc_9876F8:				; CODE XREF: IopSortRelationListForRemove(x)+DDj
		mov	edx, [ebp+var_18]
		add	eax, 10h
		mov	esi, [edi]
		inc	edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_C], eax
		cmp	edx, [esi]
		jb	loc_987641
		test	ecx, ecx
		jz	short loc_987726
		mov	ecx, edi
		call	_PipSortDeviceObjectList@4 ; PipSortDeviceObjectList(x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_98772B
		mov	byte ptr [edi+4], 1
		jmp	short loc_98772B
; 

loc_987726:				; CODE XREF: IopSortRelationListForRemove(x)+2Cj
					; IopSortRelationListForRemove(x)+107j
		mov	ebx, 0C0000001h

loc_98772B:				; CODE XREF: IopSortRelationListForRemove(x)+114j
					; IopSortRelationListForRemove(x)+11Aj
		mov	ecx, offset _PiDependencyRelationsLock
		call	ExReleaseResourceLite
		xor	ecx, ecx
		call	PpDevNodeUnlockTree

loc_98773C:				; CODE XREF: IopSortRelationListForRemove(x)+15j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_IopSortRelationListForRemove@4	endp


;  S U B	R O U T	I N E 


; __stdcall PiAllocateDeviceObjectList(x, x)
_PiAllocateDeviceObjectList@8 proc near	; CODE XREF: IopAllocateRelationList(x)+20p
					; PipGrowDeviceObjectList(x)+24p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		push	54706E50h
		xor	edx, edx
		inc	edx
		lea	eax, [edi+1]
		shl	eax, 4
		push	eax
		call	_PnpAllocateCriticalMemory@16 ;	PnpAllocateCriticalMemory(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_98777A
		and	dword ptr [esi], 0
		mov	ecx, esi
		and	dword ptr [esi+8], 0
		mov	[esi+0Ch], ebx
		mov	[esi+4], edi
		call	_PiClearDeviceObjectList@4 ; PiClearDeviceObjectList(x)

loc_98777A:				; CODE XREF: PiAllocateDeviceObjectList(x,x)+21j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_PiAllocateDeviceObjectList@8 endp


;  S U B	R O U T	I N E 


; __stdcall PiClearDeviceObjectList(x)
_PiClearDeviceObjectList@4 proc	near	; CODE XREF: IopFreeRelationList(x)+12p
					; PiAllocateDeviceObjectList(x,x)+32p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		cmp	[esi], edi
		jbe	short loc_9877A5
		push	ebx
		lea	ebx, [esi+10h]

loc_987790:				; CODE XREF: PiClearDeviceObjectList(x)+22j
		mov	ecx, [ebx]
		mov	edx, 4C706E50h
		call	ObfDereferenceObjectWithTag
		inc	edi
		lea	ebx, [ebx+10h]
		cmp	edi, [esi]
		jb	short loc_987790
		pop	ebx

loc_9877A5:				; CODE XREF: PiClearDeviceObjectList(x)+Aj
		mov	eax, [esi+4]
		shl	eax, 4
		push	eax		; size_t
		lea	eax, [esi+10h]
		push	0		; int
		push	eax		; void *
		call	_memset
		and	dword ptr [esi], 0
		add	esp, 0Ch
		and	dword ptr [esi+8], 0
		pop	edi
		pop	esi
		retn
_PiClearDeviceObjectList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipDeviceObjectListAdd(x, x, x, x)
_PipDeviceObjectListAdd@16 proc	near	; CODE XREF: IopAddRelationToList(x,x,x,x)+70p
					; PipGrowDeviceObjectList(x)+5Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	esi
		mov	esi, [ebx]
		mov	[ebp+var_4], esi
		mov	eax, [esi]
		inc	eax
		cmp	eax, [esi+4]
		jnz	short loc_9877EE
		lea	ecx, [ebp+var_4]
		call	_PipGrowDeviceObjectList@4 ; PipGrowDeviceObjectList(x)
		mov	esi, [ebp+var_4]
		test	eax, eax
		js	short loc_987825

loc_9877EE:				; CODE XREF: PipDeviceObjectListAdd(x,x,x,x)+19j
		mov	ecx, [ebp+var_8]
		mov	edx, 4C706E50h
		push	edi
		mov	edi, [esi]
		inc	edi
		shl	edi, 4
		add	edi, esi
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		mov	[edi], eax
		inc	ecx
		mov	eax, [ebp+arg_0]
		mov	[edi+4], eax
		xor	eax, eax
		mov	[edi+0Ch], eax
		cmp	[ebp+arg_4], ecx
		jnz	short loc_987822
		mov	[edi+0Ch], ecx
		inc	dword ptr [esi+8]

loc_987822:				; CODE XREF: PipDeviceObjectListAdd(x,x,x,x)+56j
		inc	dword ptr [esi]
		pop	edi

loc_987825:				; CODE XREF: PipDeviceObjectListAdd(x,x,x,x)+28j
		mov	[ebx], esi
		pop	esi
		pop	ebx
		leave
		retn	8
_PipDeviceObjectListAdd@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipDeviceObjectListElementAt(x, x, x, x, x)
_PipDeviceObjectListElementAt@20 proc near ; CODE XREF:	IopEnumerateRelations(x,x,x,x,x)+60p
					; IopRemoveCurrentRelationFromList(x,x,x)+37p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ecx, ecx
		jnz	short loc_98783D
		mov	eax, 0C000000Dh
		jmp	short loc_987873
; 

loc_98783D:				; CODE XREF: PipDeviceObjectListElementAt(x,x,x,x,x)+7j
		cmp	edx, [ecx]
		jb	short loc_987848
		mov	eax, 0C000008Ch
		jmp	short loc_987873
; 

loc_987848:				; CODE XREF: PipDeviceObjectListElementAt(x,x,x,x,x)+12j
		mov	eax, [ebp+arg_0]
		inc	edx
		shl	edx, 4
		add	edx, ecx
		mov	ecx, [edx]
		mov	[eax], ecx
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_987861
		mov	eax, [edx+4]
		mov	[ecx], eax

loc_987861:				; CODE XREF: PipDeviceObjectListElementAt(x,x,x,x,x)+2Dj
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_987871
		movzx	eax, byte ptr [edx+0Ch]
		and	eax, 1
		mov	[ecx], eax

loc_987871:				; CODE XREF: PipDeviceObjectListElementAt(x,x,x,x,x)+39j
		xor	eax, eax

loc_987873:				; CODE XREF: PipDeviceObjectListElementAt(x,x,x,x,x)+Ej
					; PipDeviceObjectListElementAt(x,x,x,x,x)+19j
		pop	ebp
		retn	0Ch
_PipDeviceObjectListElementAt@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipDeviceObjectListIndexOf(x, x, x,	x)
_PipDeviceObjectListIndexOf@16 proc near ; CODE	XREF: IopAddRelationToList(x,x,x,x)+34p
					; IopCheckIfMergeRequired(x,x)+55p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		cmp	[ebp+arg_0], eax
		jle	short loc_987893
		add	ecx, 10h

loc_987886:				; CODE XREF: PipDeviceObjectListIndexOf(x,x,x,x)+1Aj
		cmp	edx, [ecx]
		jz	short loc_9878A4
		inc	eax
		add	ecx, 10h
		cmp	eax, [ebp+arg_0]
		jl	short loc_987886

loc_987893:				; CODE XREF: PipDeviceObjectListIndexOf(x,x,x,x)+Aj
		mov	ecx, [ebp+arg_4]
		or	eax, 0FFFFFFFFh
		test	ecx, ecx
		jz	short loc_9878A0
		and	dword ptr [ecx], 0

loc_9878A0:				; CODE XREF: PipDeviceObjectListIndexOf(x,x,x,x)+24j
					; PipDeviceObjectListIndexOf(x,x,x,x)+32j ...
		pop	ebp
		retn	8
; 

loc_9878A4:				; CODE XREF: PipDeviceObjectListIndexOf(x,x,x,x)+11j
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_9878A0
		mov	[edx], ecx
		jmp	short loc_9878A0
_PipDeviceObjectListIndexOf@16 endp


;  S U B	R O U T	I N E 


; __stdcall PipDeviceObjectListRemove(x, x)
_PipDeviceObjectListRemove@8 proc near	; CODE XREF: IopRemoveCurrentRelationFromList(x,x,x)+4Fp
					; IopRemoveDeviceRelationsFromList(x)+32p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	edi, [esi]
		jb	short loc_9878C2
		mov	eax, 0C000008Ch
		jmp	short loc_987911
; 

loc_9878C2:				; CODE XREF: PipDeviceObjectListRemove(x,x)+Aj
		push	ebx
		mov	ebx, edi
		mov	edx, 4C706E50h
		shl	ebx, 4
		lea	eax, [ebx+esi]
		mov	ecx, [eax+10h]
		call	ObfDereferenceObjectWithTag
		lea	edx, [esi+10h]
		add	edx, ebx
		test	byte ptr [edx+0Ch], 1
		jz	short loc_9878E6
		dec	dword ptr [esi+8]

loc_9878E6:				; CODE XREF: PipDeviceObjectListRemove(x,x)+32j
		mov	ecx, [esi]
		lea	eax, [ecx-1]
		cmp	edi, eax
		jnb	short loc_987909
		sub	ecx, edi
		lea	eax, [esi+20h]
		shl	ecx, 4
		add	eax, ebx
		sub	ecx, 10h
		push	ecx		; size_t
		push	eax		; void *
		push	edx		; void *
		call	_memmove
		mov	ecx, [esi]
		add	esp, 0Ch

loc_987909:				; CODE XREF: PipDeviceObjectListRemove(x,x)+3Ej
		lea	eax, [ecx-1]
		mov	[esi], eax
		xor	eax, eax
		pop	ebx

loc_987911:				; CODE XREF: PipDeviceObjectListRemove(x,x)+11j
		pop	edi
		pop	esi
		retn
_PipDeviceObjectListRemove@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipGrowDeviceObjectList(x)
_PipGrowDeviceObjectList@4 proc	near	; CODE XREF: PipDeviceObjectListAdd(x,x,x,x)+1Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ecx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_14], eax
		mov	edi, [eax]
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	edx, [edi+4]
		mov	ecx, [edi+0Ch]
		add	edx, edx
		call	_PiAllocateDeviceObjectList@8 ;	PiAllocateDeviceObjectList(x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_98794B
		mov	esi, 0C000009Ah
		jmp	short loc_98798F
; 

loc_98794B:				; CODE XREF: PipGrowDeviceObjectList(x)+2Ej
		push	ebx
		mov	ebx, esi
		cmp	[edi], esi
		jbe	short loc_98797D

loc_987952:				; CODE XREF: PipGrowDeviceObjectList(x)+67j
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_PipDeviceObjectListElementAt@20 ; PipDeviceObjectListElementAt(x,x,x,x,x)
		push	[ebp+var_4]
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_10]
		push	[ebp+var_8]
		call	_PipDeviceObjectListAdd@16 ; PipDeviceObjectListAdd(x,x,x,x)
		inc	ebx
		cmp	ebx, [edi]
		jb	short loc_987952

loc_98797D:				; CODE XREF: PipGrowDeviceObjectList(x)+3Cj
		mov	ecx, edi
		call	_PiClearDeviceObjectList@4 ; PiClearDeviceObjectList(x)
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_10]
		pop	ebx

loc_98798F:				; CODE XREF: PipGrowDeviceObjectList(x)+35j
		mov	ecx, [ebp+var_14]
		pop	edi
		mov	[ecx], eax
		mov	eax, esi
		pop	esi
		leave
		retn
_PipGrowDeviceObjectList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipSortDeviceObjectList(x)
_PipSortDeviceObjectList@4 proc	near	; CODE XREF: IopSortRelationListForRemove(x)+10Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ecx]
		push	ebx
		push	esi
		mov	[ebp+var_8], ecx
		mov	esi, [eax]
		lea	ebx, [eax+10h]
		mov	[ebp+var_10], ebx
		test	esi, esi
		jz	short loc_9879C5
		lea	eax, [ebx+0Ch]
		mov	ecx, esi

loc_9879BA:				; CODE XREF: PipSortDeviceObjectList(x)+29j
		and	dword ptr [eax], 0FFFFFFFDh
		lea	eax, [eax+10h]
		sub	ecx, 1
		jnz	short loc_9879BA

loc_9879C5:				; CODE XREF: PipSortDeviceObjectList(x)+19j
		mov	[ebp+var_C], 1
		test	esi, esi
		jz	short loc_987A00
		push	edi
		mov	eax, esi
		mov	edi, ebx
		mov	ebx, [ebp+var_8]
		mov	[ebp+var_4], eax

loc_9879DB:				; CODE XREF: PipSortDeviceObjectList(x)+60j
		test	byte ptr [edi+0Ch], 4
		jz	short loc_9879F1
		mov	edx, [ebx]
		lea	eax, [ebp+var_C]
		push	eax
		mov	ecx, edi
		call	_PipVisitDeviceObjectListEntry@12 ; PipVisitDeviceObjectListEntry(x,x,x)
		mov	eax, [ebp+var_4]

loc_9879F1:				; CODE XREF: PipSortDeviceObjectList(x)+45j
		add	edi, 10h
		sub	eax, 1
		mov	[ebp+var_4], eax
		jnz	short loc_9879DB
		mov	ebx, [ebp+var_10]
		pop	edi

loc_987A00:				; CODE XREF: PipSortDeviceObjectList(x)+34j
		push	offset _PipSortDevicesByOrdinal	; int __cdecl (*)(const	void *,const void *)
		push	10h		; size_t
		push	esi		; size_t
		push	ebx		; void *
		call	_qsort
		add	esp, 10h
		xor	eax, eax
		pop	esi
		pop	ebx
		leave
		retn
_PipSortDeviceObjectList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipVisitDeviceObjectListEntry(x, x,	x)
_PipVisitDeviceObjectListEntry@12 proc near ; CODE XREF: PipSortDeviceObjectList(x)+4Fp
					; PipVisitDeviceObjectListEntry(x,x,x)+7Ep ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], ebx
		mov	eax, [ebx+0Ch]
		mov	esi, edx
		mov	[ebp+var_10], edi
		mov	[ebp+var_4], edi
		test	al, 2
		jnz	loc_987B08
		mov	ecx, [ebx]
		or	eax, 2
		mov	[ebx+0Ch], eax
		test	ecx, ecx
		jz	short loc_987A56
		mov	eax, [ecx+0B0h]
		mov	edx, [eax+14h]
		mov	[ebp+var_8], edx
		jmp	short loc_987A5B
; 

loc_987A56:				; CODE XREF: PipVisitDeviceObjectListEntry(x,x,x)+2Fj
		mov	edx, edi
		mov	[ebp+var_8], edi

loc_987A5B:				; CODE XREF: PipVisitDeviceObjectListEntry(x,x,x)+3Dj
		mov	[ebp+var_C], edi
		cmp	[esi], edi
		jbe	short loc_987AB0
		mov	ebx, [ebp+arg_0]
		lea	edi, [esi+10h]

loc_987A68:				; CODE XREF: PipVisitDeviceObjectListEntry(x,x,x)+92j
		mov	eax, [edi]
		mov	[ebp+var_4], edi
		test	eax, eax
		jz	short loc_987A7C
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_987A7E
; 

loc_987A7C:				; CODE XREF: PipVisitDeviceObjectListEntry(x,x,x)+58j
		xor	eax, eax

loc_987A7E:				; CODE XREF: PipVisitDeviceObjectListEntry(x,x,x)+63j
		cmp	[eax+8], edx
		jz	short loc_987A90
		mov	eax, [eax+19Ch]
		and	eax, 0FFFFFFFEh
		cmp	eax, edx
		jnz	short loc_987A9D

loc_987A90:				; CODE XREF: PipVisitDeviceObjectListEntry(x,x,x)+6Aj
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_PipVisitDeviceObjectListEntry@12 ; PipVisitDeviceObjectListEntry(x,x,x)
		mov	edx, [ebp+var_8]

loc_987A9D:				; CODE XREF: PipVisitDeviceObjectListEntry(x,x,x)+77j
		mov	eax, [ebp+var_C]
		add	edi, 10h
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, [esi]
		jb	short loc_987A68
		mov	ebx, [ebp+var_14]
		mov	ecx, [ebx]

loc_987AB0:				; CODE XREF: PipVisitDeviceObjectListEntry(x,x,x)+49j
		call	_PiGetDependentList@4 ;	PiGetDependentList(x)
		mov	[ebp+var_C], eax
		mov	edi, [eax]
		cmp	edi, eax
		jz	short loc_987AFD
		mov	ebx, [ebp+arg_0]

loc_987AC1:				; CODE XREF: PipVisitDeviceObjectListEntry(x,x,x)+E1j
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_10]
		call	_PiEnumerateDependentListEntry@12 ; PiEnumerateDependentListEntry(x,x,x)
		mov	edx, [ebp+var_10]
		mov	edi, [edi]
		test	edx, edx
		jz	short loc_987AF5
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax
		push	dword ptr [esi]
		call	_PipDeviceObjectListIndexOf@16 ; PipDeviceObjectListIndexOf(x,x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_987AF5
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	ebx
		call	_PipVisitDeviceObjectListEntry@12 ; PipVisitDeviceObjectListEntry(x,x,x)

loc_987AF5:				; CODE XREF: PipVisitDeviceObjectListEntry(x,x,x)+BFj
					; PipVisitDeviceObjectListEntry(x,x,x)+D1j
		cmp	edi, [ebp+var_C]
		jnz	short loc_987AC1
		mov	ebx, [ebp+var_14]

loc_987AFD:				; CODE XREF: PipVisitDeviceObjectListEntry(x,x,x)+A5j
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx]
		mov	[ebx+8], eax
		inc	eax
		mov	[ecx], eax

loc_987B08:				; CODE XREF: PipVisitDeviceObjectListEntry(x,x,x)+1Fj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	4
_PipVisitDeviceObjectListEntry@12 endp


;  S U B	R O U T	I N E 


; __stdcall IopCancelPendingEject(x)
_IopCancelPendingEject@4 proc near	; CODE XREF: PnpProcessRelation(x,x,x,x,x)+4C7p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+24h], 0
		jz	short loc_987B44
		xor	eax, eax
		push	edi
		lea	edi, [esi+28h]
		inc	eax
		xchg	eax, [edi]
		test	eax, eax
		jnz	short loc_987B43
		push	dword ptr [esi+24h]
		call	IoCancelIrp
		push	2
		pop	eax
		xchg	eax, [edi]
		cmp	eax, 3
		jnz	short loc_987B43
		push	dword ptr [esi+24h]
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_987B43:				; CODE XREF: IopCancelPendingEject(x)+16j
					; IopCancelPendingEject(x)+28j
		pop	edi

loc_987B44:				; CODE XREF: IopCancelPendingEject(x)+9j
		pop	esi
		retn
_IopCancelPendingEject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopEjectDevice(x, x)
_IopEjectDevice@8 proc near		; CODE XREF: PnpProcessQueryRemoveAndEject(x)+61Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		cmp	dword ptr [esi+34h], 1
		mov	eax, [esi+38h]
		jz	short loc_987B99
		test	eax, eax
		jz	short loc_987B6A
		push	4
		push	dword ptr [eax+4]
		call	dword ptr [eax+10h]

loc_987B6A:				; CODE XREF: IopEjectDevice(x,x)+1Aj
		xor	ebx, ebx
		mov	ecx, esi
		mov	[esi+24h], ebx
		mov	[esi+4], esi
		mov	[esi], esi
		call	_PnpQueuePendingEject@4	; PnpQueuePendingEject(x)
		lea	eax, [esi+8]
		push	1
		push	eax
		mov	dword ptr [eax+8], offset _PnpProcessCompletedEject@4 ;	PnpProcessCompletedEject(x)
		mov	[eax+0Ch], esi
		mov	[eax], ebx
		call	ExQueueWorkItem
		xor	eax, eax
		jmp	loc_987C81
; 

loc_987B99:				; CODE XREF: IopEjectDevice(x,x)+16j
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_987BB8
		push	3
		push	dword ptr [eax+4]
		call	dword ptr [eax+10h]
		mov	eax, [esi+38h]
		push	dword ptr [eax+4]
		call	dword ptr [eax+14h]
		cmp	[esi+31h], bl
		jz	short loc_987BB8
		mov	[esi+31h], bl

loc_987BB8:				; CODE XREF: IopEjectDevice(x,x)+57j
					; IopEjectDevice(x,x)+6Dj
		mov	edx, 69706E50h
		mov	ecx, edi
		call	IoGetAttachedDeviceReferenceWithTag
		push	ebx
		mov	[ebp+var_4], eax
		movzx	ecx, byte ptr [eax+30h]
		push	ecx
		call	IoAllocateIrp
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	edi, edi
		jnz	short loc_987C0B
		mov	[esi+24h], ebx
		mov	ecx, esi
		mov	[esi+4], esi
		mov	[esi], esi
		call	_PnpQueuePendingEject@4	; PnpQueuePendingEject(x)
		lea	eax, [esi+8]
		push	1
		push	eax
		mov	dword ptr [eax+8], offset _PnpProcessCompletedEject@4 ;	PnpProcessCompletedEject(x)
		mov	[eax+0Ch], esi
		mov	[eax], ebx
		call	ExQueueWorkItem
		mov	esi, [ebp+var_4]
		mov	edi, 0C000009Ah
		jmp	short loc_987C73
; 

loc_987C0B:				; CODE XREF: IopEjectDevice(x,x)+93j
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_IovUtilWatermarkIrp@8 ; IovUtilWatermarkIrp(x,x)
		mov	edx, [edi+60h]
		xor	eax, eax
		mov	dword ptr [edi+18h], 0C00000BBh
		mov	[edi+1Ch], ebx
		push	9
		pop	ecx
		lea	edi, [edx-24h]
		rep stosd
		mov	edi, [ebp+var_8]
		mov	ecx, esi
		mov	eax, large fs:124h
		mov	word ptr [edx-24h], 111Bh
		mov	[edi+50h], eax
		mov	[edi+20h], bl
		mov	[edi+28h], ebx
		mov	[edi+2Ch], ebx
		mov	[esi+24h], edi
		mov	[esi+28h], ebx
		call	_PnpQueuePendingEject@4	; PnpQueuePendingEject(x)
		mov	eax, [edi+60h]
		mov	edx, edi
		mov	[eax-4], esi
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		mov	dword ptr [eax-8], offset _IopDeviceEjectComplete@12 ; IopDeviceEjectComplete(x,x,x)
		mov	byte ptr [eax-21h], 0E0h
		call	IofCallDriver
		mov	edi, eax

loc_987C73:				; CODE XREF: IopEjectDevice(x,x)+C3j
		mov	edx, 69706E50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, edi

loc_987C81:				; CODE XREF: IopEjectDevice(x,x)+4Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopEjectDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopQueryBusResourceUpdateInterface(x, x)
_IopQueryBusResourceUpdateInterface@8 proc near
					; CODE XREF: PiUpdateDeviceResourceLists(x)+23p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	20207050h
		push	14h
		push	1
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_987CAF
		mov	eax, 0C000009Ah
		jmp	short loc_987CE2
; 

loc_987CAF:				; CODE XREF: IopQueryBusResourceUpdateInterface(x,x)+20j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		mov	edi, esi
		mov	edx, offset _GUID_BUS_RESOURCE_UPDATE_INTERFACE
		push	esi		; void *
		push	0		; int
		push	14h		; __int16
		stosd
		push	0		; __int16
		stosd
		stosd
		stosd
		stosd
		call	PnpQueryInterface
		mov	edi, eax
		test	edi, edi
		jns	short loc_987CDE
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	short loc_987CE2
; 

loc_987CDE:				; CODE XREF: IopQueryBusResourceUpdateInterface(x,x)+4Aj
		mov	[ebx], esi
		xor	eax, eax

loc_987CE2:				; CODE XREF: IopQueryBusResourceUpdateInterface(x,x)+27j
					; IopQueryBusResourceUpdateInterface(x,x)+56j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopQueryBusResourceUpdateInterface@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopQueryDockRemovalInterface(x, x)
_IopQueryDockRemovalInterface@8	proc near ; CODE XREF: PnpProcessQueryRemoveAndEject(x)+3C8p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= word ptr -34h
var_32		= word ptr -32h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, offset _GUID_DOCK_INTERFACE
		mov	[ebp+var_18], ecx
		lea	edi, [ebp+var_14]
		mov	ebx, edx
		push	20207050h
		push	18h
		movsd
		pop	eax
		push	eax
		push	1
		movsd
		movsd
		movsd
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_987D2A
		mov	eax, 0C000009Ah
		jmp	short loc_987D8E
; 

loc_987D2A:				; CODE XREF: IopQueryDockRemovalInterface(x,x)+3Aj
		push	6
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_3C], 81Bh
		push	18h
		pop	edx
		mov	edi, esi
		mov	[ebp+var_34], dx
		rep stosd
		xor	ecx, ecx
		mov	[esi], dx
		push	ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_28], ecx
		push	ecx
		mov	[ebp+var_38], eax
		lea	edx, [ebp+var_3C]
		xor	eax, eax
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_2C], ecx
		mov	ecx, [ebp+var_18]
		push	0C00000BBh
		mov	[esi+2], ax
		mov	[ebp+var_32], ax
		mov	[ebp+var_30], esi
		call	IopSynchronousCall
		mov	edi, eax
		test	edi, edi
		js	short loc_987D84
		mov	[ebx], esi
		jmp	short loc_987D8C
; 

loc_987D84:				; CODE XREF: IopQueryDockRemovalInterface(x,x)+97j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_987D8C:				; CODE XREF: IopQueryDockRemovalInterface(x,x)+9Bj
		mov	eax, edi

loc_987D8E:				; CODE XREF: IopQueryDockRemovalInterface(x,x)+41j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopQueryDockRemovalInterface@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopQueryReconfiguration(x, x)
_IopQueryReconfiguration@8 proc	near	; CODE XREF: PnpCancelStopDeviceNode(x)+41p
					; PnpQueryStopDeviceNode(x,x)+59p ...

var_24		= dword	ptr -24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, edx
		mov	dl, cl
		push	esi
		push	edi
		mov	eax, [ebx+0B0h]
		mov	esi, [eax+14h]
		movzx	eax, dl
		sub	eax, 4
		jz	short loc_987DE7
		sub	eax, 1
		jz	short loc_987DDB
		sub	eax, 1
		jnz	short loc_987DF3
		mov	eax, [esi+0ACh]
		cmp	eax, 309h
		jz	short loc_987DFA
		cmp	eax, 308h
		jmp	short loc_987DF1
; 

loc_987DDB:				; CODE XREF: IopQueryReconfiguration(x,x)+23j
		cmp	dword ptr [esi+0ACh], 308h
		jmp	short loc_987DF1
; 

loc_987DE7:				; CODE XREF: IopQueryReconfiguration(x,x)+1Ej
		cmp	dword ptr [esi+0ACh], 309h

loc_987DF1:				; CODE XREF: IopQueryReconfiguration(x,x)+3Cj
					; IopQueryReconfiguration(x,x)+48j
		jz	short loc_987DFA

loc_987DF3:				; CODE XREF: IopQueryReconfiguration(x,x)+28j
		mov	eax, 0C0000001h
		jmp	short loc_987E1C
; 

loc_987DFA:				; CODE XREF: IopQueryReconfiguration(x,x)+35j
					; IopQueryReconfiguration(x,x):loc_987DF1j
		push	9
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_24]
		push	eax
		rep stosd
		push	eax
		mov	byte ptr [ebp+var_24+1], dl
		mov	ecx, ebx
		push	0C00000BBh
		lea	edx, [ebp+var_24]
		mov	byte ptr [ebp+var_24], 1Bh
		call	IopSynchronousCall

loc_987E1C:				; CODE XREF: IopQueryReconfiguration(x,x)+5Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopQueryReconfiguration@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopRemoveDevice(x, x)
_IopRemoveDevice@8 proc	near		; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+5Fp
					; PnpRemoveLockedDeviceNode(x,x,x)+201p ...

var_3C		= dword	ptr -3Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		push	edi
		test	esi, esi
		jz	short loc_987E4D
		mov	eax, [esi+0B0h]
		mov	eax, [eax+14h]
		mov	[ebp+var_4], eax
		jmp	short loc_987E50
; 

loc_987E4D:				; CODE XREF: IopRemoveDevice(x,x)+1Cj
		mov	[ebp+var_4], ecx

loc_987E50:				; CODE XREF: IopRemoveDevice(x,x)+2Aj
		mov	[ebp+var_10], ecx
		lea	ecx, [ebp+var_10]
		call	PiPnpRtlBeginOperation
		cmp	ebx, 2
		jnz	short loc_987E6A
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	IopUncacheInterfaceInformation

loc_987E6A:				; CODE XREF: IopRemoveDevice(x,x)+3Dj
		push	9
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		rep stosd
		mov	ecx, esi
		mov	byte ptr [ebp+var_3C], 1Bh
		mov	byte ptr [ebp+var_3C+1], bl
		call	_PnpFindMountableDevice@4 ; PnpFindMountableDevice(x)
		test	eax, eax
		jz	short loc_987EAC
		xor	edi, edi
		mov	ecx, esi
		inc	edi
		mov	[ebp+var_C], edi
		call	_PnpLockMountableDevice@4 ; PnpLockMountableDevice(x)
		lea	eax, [ebp+var_18]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	_PnpMarkDeviceForRemove@12 ; PnpMarkDeviceForRemove(x,x,x)
		mov	ecx, esi
		mov	[ebp+var_8], eax
		call	_PnpUnlockMountableDevice@4 ; PnpUnlockMountableDevice(x)
		jmp	short loc_987EAF
; 

loc_987EAC:				; CODE XREF: IopRemoveDevice(x,x)+63j
		mov	[ebp+var_8], esi

loc_987EAF:				; CODE XREF: IopRemoveDevice(x,x)+89j
		cmp	ebx, 17h
		jz	short loc_987EB9
		cmp	ebx, 2
		jnz	short loc_987EF0

loc_987EB9:				; CODE XREF: IopRemoveDevice(x,x)+91j
		mov	edi, [ebp+var_4]
		test	byte ptr [edi+110h], 8
		jz	short loc_987ED6
		push	8
		pop	edx
		mov	ecx, edi
		call	PipClearDevNodeUserFlags
		mov	ecx, edi
		call	IopDecDisableableDepends

loc_987ED6:				; CODE XREF: IopRemoveDevice(x,x)+A2j
		cmp	ebx, 2
		jnz	short loc_987EF3
		mov	ecx, esi
		call	_PiSwProcessParentRemoveIrp@4 ;	PiSwProcessParentRemoveIrp(x)
		mov	edx, [edi+18h]
		push	ecx
		push	dword ptr [edi+10h]
		call	_PiSwStopDestroy@16 ; PiSwStopDestroy(x,x,x,x)
		jmp	short loc_987EF3
; 

loc_987EF0:				; CODE XREF: IopRemoveDevice(x,x)+96j
		mov	edi, [ebp+var_4]

loc_987EF3:				; CODE XREF: IopRemoveDevice(x,x)+B8j
					; IopRemoveDevice(x,x)+CDj
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_3C]
		push	0
		push	0
		push	0C00000BBh
		call	IopSynchronousCall
		cmp	[ebp+var_C], 0
		mov	[ebp+var_4], eax
		jz	short loc_987F65
		mov	ecx, esi
		call	_PnpLockMountableDevice@4 ; PnpLockMountableDevice(x)
		cmp	ebx, 2
		jz	short loc_987F21
		cmp	ebx, 3
		jnz	short loc_987F2E

loc_987F21:				; CODE XREF: IopRemoveDevice(x,x)+F9j
		lea	eax, [ebp+var_18]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	_PnpMarkDeviceForRemove@12 ; PnpMarkDeviceForRemove(x,x,x)

loc_987F2E:				; CODE XREF: IopRemoveDevice(x,x)+FEj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_987F44
		mov	ecx, eax
		call	_IopDecrementDeviceObjectHandleCount@4 ; IopDecrementDeviceObjectHandleCount(x)
		mov	ecx, [ebp+var_14]
		call	ObfDereferenceObject

loc_987F44:				; CODE XREF: IopRemoveDevice(x,x)+112j
		mov	ecx, esi
		call	_PnpUnlockMountableDevice@4 ; PnpUnlockMountableDevice(x)
		cmp	ebx, 1
		jnz	short loc_987F56
		cmp	[ebp+var_4], 0
		jge	short loc_987F5B

loc_987F56:				; CODE XREF: IopRemoveDevice(x,x)+12Dj
		cmp	ebx, 17h
		jnz	short loc_987F6A

loc_987F5B:				; CODE XREF: IopRemoveDevice(x,x)+133j
		mov	ecx, esi
		call	_IopInvalidateVolumesForDevice@4 ; IopInvalidateVolumesForDevice(x)
		mov	[ebp+var_4], eax

loc_987F65:				; CODE XREF: IopRemoveDevice(x,x)+EDj
		cmp	ebx, 17h
		jz	short loc_987F6F

loc_987F6A:				; CODE XREF: IopRemoveDevice(x,x)+138j
		cmp	ebx, 2
		jnz	short loc_987FA8

loc_987F6F:				; CODE XREF: IopRemoveDevice(x,x)+147j
		mov	ecx, edi
		call	_PoFxAbandonDevice@4 ; PoFxAbandonDevice(x)
		and	dword ptr [edi+58h], 0
		cmp	ebx, 2
		jnz	short loc_987FA8
		mov	edx, 1008h
		mov	ecx, edi
		call	PipClearDevNodeFlags
		mov	eax, [edi+19Ch]
		test	eax, eax
		jz	short loc_987FA8
		test	al, 1
		jz	short loc_987FA8
		and	eax, 0FFFFFFFEh
		mov	[edi+19Ch], eax
		dec	dword ptr [eax+1A0h]

loc_987FA8:				; CODE XREF: IopRemoveDevice(x,x)+14Cj
					; IopRemoveDevice(x,x)+15Cj ...
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jz	short loc_987FB4
		call	PiPnpRtlEndOperation

loc_987FB4:				; CODE XREF: IopRemoveDevice(x,x)+18Cj
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IopRemoveDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiIrpQueryRemoveDevice(x, x)
_PiIrpQueryRemoveDevice@8 proc near	; CODE XREF: PnpDisableDevice(x,x)+30p
					; PnpQueryRemoveLockedDeviceNode(x,x,x,x)+4Ap

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+58h+var_48], edx
		mov	esi, ecx
		mov	[esp+58h+var_44], eax
		push	9
		pop	ecx
		lea	edi, [esp+58h+var_24]
		mov	[esp+58h+var_38], eax
		rep stosd
		mov	ebx, eax
		mov	[esp+58h+var_34], eax
		mov	ecx, esi
		mov	[esp+58h+var_40], ebx
		mov	[esp+58h+var_30], eax
		mov	[esp+58h+var_2C], eax
		mov	[esp+58h+var_4C], eax
		mov	word ptr [esp+58h+var_24], 11Bh
		call	_PnpFindMountableDevice@4 ; PnpFindMountableDevice(x)
		test	eax, eax
		jz	short loc_988034
		inc	ebx
		mov	ecx, esi
		mov	[esp+58h+var_4C], ebx
		call	_PnpLockMountableDevice@4 ; PnpLockMountableDevice(x)
		lea	eax, [esp+58h+var_44]
		mov	edx, ebx
		push	eax
		mov	ecx, esi
		call	_PnpMarkDeviceForRemove@12 ; PnpMarkDeviceForRemove(x,x,x)
		mov	ecx, esi
		mov	edi, eax
		call	_PnpUnlockMountableDevice@4 ; PnpUnlockMountableDevice(x)
		mov	ebx, [esp+58h+var_40]
		jmp	short loc_988036
; 

loc_988034:				; CODE XREF: PiIrpQueryRemoveDevice(x,x)+4Dj
		mov	edi, esi

loc_988036:				; CODE XREF: PiIrpQueryRemoveDevice(x,x)+76j
		and	[esp+58h+var_3C], 0
		lea	eax, [esp+58h+var_38]
		push	0
		push	1
		push	eax
		mov	[esp+64h+var_28], 0C0000001h
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+58h+var_3C]
		mov	ecx, edi
		push	eax
		push	offset _PnpDiagnosticCompletionRoutine@12 ; PnpDiagnosticCompletionRoutine(x,x,x)
		lea	edx, [esp+60h+var_24]
		call	PnpAsynchronousCall
		mov	edi, eax
		cmp	edi, 103h
		jnz	short loc_988084
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+68h+var_38]
		push	eax
		call	KeWaitForSingleObject
		mov	edi, [esp+58h+var_28]

loc_988084:				; CODE XREF: PiIrpQueryRemoveDevice(x,x)+B2j
		mov	ecx, [esp+58h+var_48]
		test	ecx, ecx
		jz	short loc_988092
		mov	eax, [esp+58h+var_3C]
		mov	[ecx], eax

loc_988092:				; CODE XREF: PiIrpQueryRemoveDevice(x,x)+CEj
		cmp	[esp+58h+var_4C], 0
		jz	short loc_9880C6
		mov	ecx, esi
		call	_PnpLockMountableDevice@4 ; PnpLockMountableDevice(x)
		test	ebx, ebx
		jz	short loc_9880B2
		mov	ecx, ebx
		call	_IopDecrementDeviceObjectHandleCount@4 ; IopDecrementDeviceObjectHandleCount(x)
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_9880B2:				; CODE XREF: PiIrpQueryRemoveDevice(x,x)+E6j
		mov	ecx, esi
		call	_PnpUnlockMountableDevice@4 ; PnpUnlockMountableDevice(x)
		test	edi, edi
		js	short loc_9880C6
		mov	ecx, esi
		call	_IopInvalidateVolumesForDevice@4 ; IopInvalidateVolumesForDevice(x)
		mov	edi, eax

loc_9880C6:				; CODE XREF: PiIrpQueryRemoveDevice(x,x)+DBj
					; PiIrpQueryRemoveDevice(x,x)+FFj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PiIrpQueryRemoveDevice@8 endp


;  S U B	R O U T	I N E 


; __stdcall PpHotSwapInitRemovalPolicy(x)
_PpHotSwapInitRemovalPolicy@4 proc near	; CODE XREF: PnpRemoveLockedDeviceNode(x,x,x)+1Fp
		mov	word ptr [ecx+13Eh], 0
		retn
_PpHotSwapInitRemovalPolicy@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiRegisterKernelSoftRestartNotification(x, x, x, x)
_PiRegisterKernelSoftRestartNotification@16 proc near
					; CODE XREF: IoRegisterPlugPlayNotification+B633Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	_PnpKsrEnabled,	0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		jnz	short loc_9880F9
		mov	edi, 0C00000BBh
		jmp	loc_9881A0
; 

loc_9880F9:				; CODE XREF: PiRegisterKernelSoftRestartNotification(x,x,x,x)+14j
		cmp	_PnpKsrPrepared, 0
		jz	short loc_98810C
		mov	edi, 0C00002FEh
		jmp	loc_9881A0
; 

loc_98810C:				; CODE XREF: PiRegisterKernelSoftRestartNotification(x,x,x,x)+27j
		push	61706E50h
		push	30h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_988127
		mov	edi, 0C000009Ah
		jmp	short loc_9881A0
; 

loc_988127:				; CODE XREF: PiRegisterKernelSoftRestartNotification(x,x,x,x)+45j
		push	30h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi
		push	offset _PnpKsrNotifyLock
		push	ebx
		push	[ebp+arg_0]
		push	edi
		push	4
		pop	edx
		call	PnpInitializeNotifyEntry
		mov	edi, eax
		test	edi, edi
		js	short loc_988195
		mov	ecx, esi
		call	_PnpDeferNotification@4	; PnpDeferNotification(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_988195
		mov	ebx, offset _PnpKsrNotifyLock
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	eax, dword_6CB584
		mov	ecx, offset _PnpKsrNotifyList
		cmp	[eax], ecx
		jz	short loc_98817A
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_98817A:				; CODE XREF: PiRegisterKernelSoftRestartNotification(x,x,x,x)+9Aj
		mov	[esi], ecx
		mov	ecx, ebx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6CB584, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		jmp	short loc_9881A0
; 

loc_988195:				; CODE XREF: PiRegisterKernelSoftRestartNotification(x,x,x,x)+73j
					; PiRegisterKernelSoftRestartNotification(x,x,x,x)+80j
		push	61706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9881A0:				; CODE XREF: PiRegisterKernelSoftRestartNotification(x,x,x,x)+1Bj
					; PiRegisterKernelSoftRestartNotification(x,x,x,x)+2Ej	...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_PiRegisterKernelSoftRestartNotification@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipKsrCallback(x, x, x)
_PipKsrCallback@12 proc	near		; DATA XREF: PiKsrNotifyInitialize()+85o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		sub	eax, ecx
		jz	short loc_9881EF
		sub	eax, 1
		jz	short loc_9881D5
		sub	eax, 0Eh
		jz	short loc_9881CE
		sub	eax, 5
		jnz	short loc_98820B
		mov	ecx, offset _GUID_RECOVERY_PCI_PREPARE_SHUTDOWN
		jmp	short loc_9881E8
; 

loc_9881CE:				; CODE XREF: PipKsrCallback(x,x,x)+16j
		mov	ecx, offset _GUID_RECOVERY_NVMED_PREPARE_SHUTDOWN
		jmp	short loc_9881E8
; 

loc_9881D5:				; CODE XREF: PipKsrCallback(x,x,x)+11j
		cmp	_PnpKsrPrepared, cl
		jz	short loc_98820B
		mov	_PnpKsrPrepared, cl
		mov	ecx, offset _GUID_KERNEL_SOFT_RESTART_CANCEL

loc_9881E8:				; CODE XREF: PipKsrCallback(x,x,x)+22j
					; PipKsrCallback(x,x,x)+29j
		call	_PipKsrNotifyDrivers@4 ; PipKsrNotifyDrivers(x)
		jmp	short loc_98820B
; 

loc_9881EF:				; CODE XREF: PipKsrCallback(x,x,x)+Cj
		push	esi
		mov	esi, [ebp+arg_8]
		cmp	[esi], ecx
		jl	short loc_98820A
		mov	ecx, offset _GUID_KERNEL_SOFT_RESTART_PREPARE
		call	_PipKsrNotifyDrivers@4 ; PipKsrNotifyDrivers(x)
		mov	[esi], eax
		mov	_PnpKsrPrepared, 1

loc_98820A:				; CODE XREF: PipKsrCallback(x,x,x)+4Bj
		pop	esi

loc_98820B:				; CODE XREF: PipKsrCallback(x,x,x)+1Bj
					; PipKsrCallback(x,x,x)+31j ...
		pop	ebp
		retn	0Ch
_PipKsrCallback@12 endp


;  S U B	R O U T	I N E 


; __stdcall PipKsrIsNotificationRequired(x, x)
_PipKsrIsNotificationRequired@8	proc near ; CODE XREF: PipKsrNotifyDrivers(x)+7Ep
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	byte ptr [esi+22h], 0
		jnz	short loc_988253
		push	10h		; size_t
		push	offset _GUID_KERNEL_SOFT_RESTART_CANCEL	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_988236
		cmp	[esi+2Ch], al
		jz	short loc_988253

loc_988236:				; CODE XREF: PipKsrIsNotificationRequired(x,x)+20j
		push	10h		; size_t
		push	offset _GUID_KERNEL_SOFT_RESTART_PREPARE ; void	*
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_98824F
		cmp	[esi+2Ch], al
		jnz	short loc_988253

loc_98824F:				; CODE XREF: PipKsrIsNotificationRequired(x,x)+39j
		mov	al, 1
		jmp	short loc_988255
; 

loc_988253:				; CODE XREF: PipKsrIsNotificationRequired(x,x)+Cj
					; PipKsrIsNotificationRequired(x,x)+25j ...
		xor	al, al

loc_988255:				; CODE XREF: PipKsrIsNotificationRequired(x,x)+42j
		pop	edi
		pop	esi
		retn
_PipKsrIsNotificationRequired@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipKsrNotifyDrivers(x)
_PipKsrNotifyDrivers@4 proc near	; CODE XREF: PipKsrCallback(x,x,x):loc_9881E8p
					; PipKsrCallback(x,x,x)+52p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+30h+var_20], ecx
		lea	edi, [esp+30h+var_18]
		xor	esi, esi
		stosd
		mov	ecx, offset _PnpKsrNotifyLock
		mov	[esp+30h+var_24], esi
		stosd
		stosd
		stosd
		stosd
		call	ExAcquireFastMutex
		mov	ebx, _PnpKsrNotifyList
		cmp	ebx, offset _PnpKsrNotifyList
		jz	loc_988375
		mov	edi, [esp+30h+var_20]

loc_9882A6:				; CODE XREF: PipKsrNotifyDrivers(x)+117j
		xor	esi, esi
		mov	[esp+30h+var_1C], ebx
		inc	esi
		mov	ecx, offset _PnpKsrNotifyLock
		inc	word ptr [ebx+20h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	esi
		push	dword ptr [ebx+28h]
		call	ExAcquireResourceExclusiveLite
		mov	edx, edi
		mov	ecx, ebx
		call	_PipKsrIsNotificationRequired@8	; PipKsrIsNotificationRequired(x,x)
		test	al, al
		jz	short loc_98831F
		mov	word ptr [esp+30h+var_18], si
		lea	edx, [esp+30h+var_18]
		mov	esi, edi
		mov	ecx, ebx
		push	14h
		pop	eax
		mov	word ptr [esp+30h+var_18+2], ax
		lea	edi, [esp+30h+var_14]
		movsd
		lea	eax, [esp+30h+var_24]
		push	eax
		movsd
		movsd
		movsd
		call	PnpNotifyDriverCallback
		mov	edi, [esp+30h+var_20]
		test	eax, eax
		js	short loc_988319
		mov	edx, edi
		mov	ecx, ebx
		call	_PipKsrUpdateNotifyEntry@8 ; PipKsrUpdateNotifyEntry(x,x)
		jmp	short loc_988324
; 

loc_988319:				; CODE XREF: PipKsrNotifyDrivers(x)+B4j
		mov	[esp+30h+var_24], eax
		jmp	short loc_988324
; 

loc_98831F:				; CODE XREF: PipKsrNotifyDrivers(x)+85j
		and	[esp+30h+var_24], 0

loc_988324:				; CODE XREF: PipKsrNotifyDrivers(x)+BFj
					; PipKsrNotifyDrivers(x)+C5j
		mov	ecx, [ebx+28h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, offset _PnpKsrNotifyLock
		call	ExAcquireFastMutex
		mov	ecx, [esp+30h+var_1C]
		mov	ebx, [ebx]
		call	_PnpDereferenceNotify@4	; PnpDereferenceNotify(x)
		mov	esi, [esp+30h+var_24]
		test	esi, esi
		jns	short loc_988369
		push	10h		; size_t
		push	offset _GUID_KERNEL_SOFT_RESTART_PREPARE ; void	*
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_988375

loc_988369:				; CODE XREF: PipKsrNotifyDrivers(x)+FBj
		cmp	ebx, offset _PnpKsrNotifyList
		jnz	loc_9882A6

loc_988375:				; CODE XREF: PipKsrNotifyDrivers(x)+44j
					; PipKsrNotifyDrivers(x)+10Fj
		mov	ecx, offset _PnpKsrNotifyLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [esp+30h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PipKsrNotifyDrivers@4 endp


;  S U B	R O U T	I N E 


; __stdcall PipKsrUpdateNotifyEntry(x, x)
_PipKsrUpdateNotifyEntry@8 proc	near	; CODE XREF: PipKsrNotifyDrivers(x)+BAp
		mov	edi, edi
		push	esi
		push	edi
		push	10h		; size_t
		mov	edi, edx
		mov	esi, ecx
		push	offset _GUID_KERNEL_SOFT_RESTART_PREPARE ; void	*
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9883B5
		mov	byte ptr [esi+2Ch], 1
		jmp	short loc_9883CC
; 

loc_9883B5:				; CODE XREF: PipKsrUpdateNotifyEntry(x,x)+1Aj
		push	10h		; size_t
		push	offset _GUID_KERNEL_SOFT_RESTART_CANCEL	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9883CC
		mov	[esi+2Ch], al

loc_9883CC:				; CODE XREF: PipKsrUpdateNotifyEntry(x,x)+20j
					; PipKsrUpdateNotifyEntry(x,x)+34j
		pop	edi
		pop	esi
		retn
_PipKsrUpdateNotifyEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpReallocateResources(x)
_PnpReallocateResources@4 proc near	; CODE XREF: PiProcessResourceRequirementsChanged(x)+A3p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_38]
		push	0Ah
		pop	ecx
		xor	eax, eax
		rep stosd
		xor	edi, edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	edi
		push	edi
		push	edi
		push	4
		push	offset _PpRegistrySemaphore
		call	KeWaitForSingleObject
		mov	ebx, [esi+10Ch]
		test	ebx, 400h
		jz	loc_98854F
		mov	eax, 100h
		mov	ecx, esi
		and	ebx, eax
		mov	edx, eax
		mov	[ebp+var_8], ebx
		call	PipClearDevNodeFlags
		test	dword ptr [esi+10Ch], 800h
		jz	loc_988527
		mov	eax, [esi+10h]
		lea	edx, [ebp+var_10]
		mov	ecx, edi
		mov	[ebp+var_38], eax
		or	ecx, 280h
		mov	[ebp+var_2C], edi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_34], ecx
		push	eax
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_30], 4
		call	PnpGetResourceRequirementsForAssignTable
		cmp	[ebp+var_4], 0
		mov	edi, eax
		jz	loc_988534
		cmp	dword ptr [esi+11Ch], 0
		jz	short loc_988492
		mov	ecx, esi
		call	_PnpReleaseResourcesInternal@4 ; PnpReleaseResourcesInternal(x)

loc_988492:				; CODE XREF: PnpReallocateResources(x)+BAj
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_10]
		push	eax
		lea	ecx, [ebp+var_38]
		call	_PnpFindBestConfiguration@12 ; PnpFindBestConfiguration(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9884EE
		lea	ecx, [ebp+var_10]
		call	_IopCommitConfiguration@4 ; IopCommitConfiguration(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9884EE
		mov	edx, 0C00h
		mov	ecx, esi
		call	PipClearDevNodeFlags
		push	1
		lea	edx, [ebp+var_10]
		lea	ecx, [ebp+var_38]
		call	PnpBuildCmResourceLists
		xor	edx, edx
		mov	ecx, esi
		push	1
		inc	edx
		call	PnpStartDeviceNode
		mov	edi, eax
		test	edi, edi
		jns	short loc_98851A
		push	edi
		push	0Ch
		xor	dl, dl
		mov	ecx, esi
		call	_PnpRequestDeviceRemoval@16 ; PnpRequestDeviceRemoval(x,x,x,x)
		jmp	short loc_98851A
; 

loc_9884EE:				; CODE XREF: PnpReallocateResources(x)+D6j
					; PnpReallocateResources(x)+E4j
		mov	ecx, esi
		call	_PnpRestoreResourcesInternal@4 ; PnpRestoreResourcesInternal(x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_988517
		push	ecx
		mov	ecx, [esi+18h]
		push	0
		push	4000h
		call	_PnpUpdateRebootRequiredReason@20 ; PnpUpdateRebootRequiredReason(x,x,x,x,x)
		push	ebx
		push	0Eh
		xor	dl, dl
		mov	ecx, esi
		call	_PnpRequestDeviceRemoval@16 ; PnpRequestDeviceRemoval(x,x,x,x)

loc_988517:				; CODE XREF: PnpReallocateResources(x)+12Aj
		mov	ebx, [ebp+var_8]

loc_98851A:				; CODE XREF: PnpReallocateResources(x)+10Fj
					; PnpReallocateResources(x)+11Dj
		lea	edx, [ebp+var_10]
		lea	ecx, [ebp+var_38]
		call	PnpFreeResourceRequirementsForAssignTable
		jmp	short loc_988534
; 

loc_988527:				; CODE XREF: PnpReallocateResources(x)+65j
		push	edi
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	_PnpRebalance@16 ; PnpRebalance(x,x,x,x)
		mov	edi, eax

loc_988534:				; CODE XREF: PnpReallocateResources(x)+ADj
					; PnpReallocateResources(x)+156j
		test	edi, edi
		jns	short loc_98854D
		mov	edx, 100h
		mov	ecx, esi
		call	PipClearDevNodeFlags
		mov	edx, ebx
		mov	ecx, esi
		call	PipSetDevNodeFlags

loc_98854D:				; CODE XREF: PnpReallocateResources(x)+167j
		xor	edi, edi

loc_98854F:				; CODE XREF: PnpReallocateResources(x)+42j
		push	edi
		push	1
		push	edi
		push	offset _PpRegistrySemaphore
		call	KeReleaseSemaphore
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnpReallocateResources@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpReleaseResourcesInternal(x)
_PnpReleaseResourcesInternal@4 proc near ; CODE	XREF: IopReleaseResources(x)+7p
					; PnpReallocateResources(x)+BEp

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_40], 4
		push	esi
		xor	esi, esi
		lea	eax, [ebp+var_54]
		push	edi
		mov	edi, [ebx+11Ch]
		mov	[ebp+var_50], eax
		mov	[ebp+var_54], eax
		mov	eax, [ebx+10h]
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_44], eax
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_28], esi
		test	edi, edi
		jnz	short loc_9885BE
		mov	edi, [ebx+168h]
		test	edi, edi
		jz	short loc_9885CF

loc_9885BE:				; CODE XREF: PnpReleaseResourcesInternal(x)+4Bj
		mov	edx, [edi]
		mov	[ebp+var_18], edx
		test	edx, edx
		jz	short loc_9885CF
		lea	eax, [edi+4]
		mov	[ebp+var_C], eax
		jmp	short loc_9885DC
; 

loc_9885CF:				; CODE XREF: PnpReleaseResourcesInternal(x)+55j
					; PnpReleaseResourcesInternal(x)+5Ej
		xor	edx, edx
		mov	[ebp+var_C], esi
		inc	edx
		mov	edi, esi
		mov	[ebp+var_18], edx
		mov	eax, esi

loc_9885DC:				; CODE XREF: PnpReleaseResourcesInternal(x)+66j
		mov	[ebp+var_1C], esi
		test	edx, edx
		jz	loc_98872E

loc_9885E7:				; CODE XREF: PnpReleaseResourcesInternal(x)+1C1j
		test	edi, edi
		jz	short loc_9885FD
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_14], eax
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_988606
		jmp	short loc_988600
; 

loc_9885FD:				; CODE XREF: PnpReleaseResourcesInternal(x)+82j
		mov	[ebp+var_14], esi

loc_988600:				; CODE XREF: PnpReleaseResourcesInternal(x)+94j
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_8], ecx

loc_988606:				; CODE XREF: PnpReleaseResourcesInternal(x)+92j
		cmp	ebx, _IopRootDeviceNode
		jz	short loc_988613
		mov	esi, [ebx+8]
		jmp	short loc_988615
; 

loc_988613:				; CODE XREF: PnpReleaseResourcesInternal(x)+A5j
		mov	esi, ebx

loc_988615:				; CODE XREF: PnpReleaseResourcesInternal(x)+AAj
		mov	[ebp+var_4], 1
		test	esi, esi
		jz	loc_9886EF
		mov	edx, [ebp+var_4]

loc_988627:				; CODE XREF: PnpReleaseResourcesInternal(x)+17Fj
		mov	eax, _IopRootDeviceNode
		mov	[ebp+var_10], eax
		cmp	esi, eax
		jnz	short loc_98865F
		test	edx, edx
		jz	short loc_98865F
		mov	edx, [ebp+var_14]
		call	_IopFindLegacyBusDeviceNode@8 ;	IopFindLegacyBusDeviceNode(x,x)
		mov	esi, eax
		cmp	esi, [ebp+var_10]
		jnz	short loc_988658
		cmp	[ebp+var_8], 0
		jnz	short loc_988658
		xor	ecx, ecx
		xor	edx, edx
		inc	ecx
		call	_IopFindLegacyBusDeviceNode@8 ;	IopFindLegacyBusDeviceNode(x,x)
		mov	esi, eax

loc_988658:				; CODE XREF: PnpReleaseResourcesInternal(x)+DDj
					; PnpReleaseResourcesInternal(x)+E3j
		and	[ebp+var_4], 0
		mov	edx, [ebp+var_4]

loc_98865F:				; CODE XREF: PnpReleaseResourcesInternal(x)+CAj
					; PnpReleaseResourcesInternal(x)+CEj
		lea	eax, [esi+148h]
		mov	ecx, [eax]
		mov	[ebp+var_10], ecx
		cmp	ecx, eax
		jz	short loc_9886DE

loc_98866E:				; CODE XREF: PnpReleaseResourcesInternal(x)+172j
		cmp	dword ptr [ecx+0Ch], 0
		jz	short loc_9886D2
		and	[ebp+var_4], 0
		lea	eax, [ecx+14h]
		lea	edx, [ebp+var_54]
		mov	[ebp+var_54], eax
		push	ecx
		mov	[ebp+var_50], eax
		mov	[eax], edx
		push	ecx
		mov	[eax+4], edx
		xor	edx, edx
		push	eax
		call	IopCallArbiter
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_10]
		push	0
		push	2
		pop	edx
		call	IopCallArbiter
		mov	ecx, [ebp+var_54]
		lea	edx, [ebp+var_54]
		mov	eax, [ebp+var_50]
		cmp	[ecx+4], edx
		jnz	loc_98873D
		cmp	[eax], edx
		jnz	loc_98873D
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, edx
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_50], eax
		mov	[ebp+var_54], eax
		lea	eax, [esi+148h]

loc_9886D2:				; CODE XREF: PnpReleaseResourcesInternal(x)+10Bj
		mov	ecx, [ecx]
		mov	[ebp+var_10], ecx
		cmp	ecx, eax
		jnz	short loc_98866E
		mov	edx, [ebp+var_4]

loc_9886DE:				; CODE XREF: PnpReleaseResourcesInternal(x)+105j
		mov	esi, [esi+8]
		mov	ecx, [ebp+var_8]
		test	esi, esi
		jnz	loc_988627
		mov	edx, [ebp+var_18]

loc_9886EF:				; CODE XREF: PnpReleaseResourcesInternal(x)+B7j
		cmp	edx, 1
		jbe	short loc_98871A
		mov	ecx, [ebp+var_C]
		lea	eax, [ecx+10h]
		mov	ecx, [ecx+0Ch]
		test	ecx, ecx
		jz	short loc_988715

loc_988701:				; CODE XREF: PnpReleaseResourcesInternal(x)+1ACj
		xor	esi, esi
		cmp	byte ptr [eax],	5
		jnz	short loc_98870B
		mov	esi, [eax+4]

loc_98870B:				; CODE XREF: PnpReleaseResourcesInternal(x)+19Fj
		add	eax, 10h
		add	eax, esi
		sub	ecx, 1
		jnz	short loc_988701

loc_988715:				; CODE XREF: PnpReleaseResourcesInternal(x)+198j
		mov	[ebp+var_C], eax
		jmp	short loc_98871D
; 

loc_98871A:				; CODE XREF: PnpReleaseResourcesInternal(x)+18Bj
		mov	eax, [ebp+var_C]

loc_98871D:				; CODE XREF: PnpReleaseResourcesInternal(x)+1B1j
		mov	ecx, [ebp+var_1C]
		xor	esi, esi
		inc	ecx
		mov	[ebp+var_1C], ecx
		cmp	ecx, edx
		jb	loc_9885E7

loc_98872E:				; CODE XREF: PnpReleaseResourcesInternal(x)+7Aj
		push	esi
		xor	edx, edx
		mov	ecx, ebx
		call	_IopWriteAllocatedResourcesToRegistry@12 ; IopWriteAllocatedResourcesToRegistry(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_98873D:				; CODE XREF: PnpReleaseResourcesInternal(x)+147j
					; PnpReleaseResourcesInternal(x)+14Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PnpRestoreResourcesInternal(x)
_PnpRestoreResourcesInternal@4:		; CODE XREF: PnpReallocateResources(x)+121p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	edx, [edi+11Ch]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		test	edx, edx
		jnz	short loc_98877D
		xor	eax, eax
		jmp	loc_98885F
; 

loc_98877D:				; CODE XREF: PnpReleaseResourcesInternal(x)+20Dj
		push	ebx
		call	PnpCmResourcesToIoResources
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_988793
		mov	eax, 0C000009Ah
		jmp	loc_98885F
; 

loc_988793:				; CODE XREF: PnpReleaseResourcesInternal(x)+220j
		mov	eax, [edi+10h]
		lea	edx, [ebp+var_18]
		mov	[ebp+var_1C], ecx
		lea	ecx, [ebp+var_30]
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_30], eax
		mov	[ebp+var_28], 4
		call	IopResourceRequirementsListToReqList
		mov	ebx, eax
		test	ebx, ebx
		js	loc_988853
		mov	esi, [ebp+var_18]
		test	esi, esi
		jz	short loc_988853
		mov	ecx, esi
		call	_IopRearrangeReqList@4 ; IopRearrangeReqList(x)
		cmp	dword ptr [esi+10h], 0
		lea	ecx, [ebp+var_30]
		jnz	short loc_9887F3
		lea	edx, [ebp+var_8]
		call	PnpFreeResourceRequirementsForAssignTable
		mov	eax, 0C0000182h
		jmp	short loc_98885F
; 

loc_9887F3:				; CODE XREF: PnpReleaseResourcesInternal(x)+27Bj
		lea	eax, [ebp+var_8]
		xor	edx, edx
		push	eax
		inc	edx
		call	_PnpFindBestConfiguration@12 ; PnpFindBestConfiguration(x,x,x)
		lea	edx, [ebp+var_8]
		mov	ebx, eax
		lea	ecx, [ebp+var_30]
		call	PnpFreeResourceRequirementsForAssignTable
		test	ebx, ebx
		js	short loc_98881A
		lea	ecx, [ebp+var_8]
		call	_IopCommitConfiguration@4 ; IopCommitConfiguration(x)
		mov	ebx, eax

loc_98881A:				; CODE XREF: PnpReleaseResourcesInternal(x)+2A7j
		cmp	[ebp+var_14], 0
		jz	short loc_98882A
		push	0
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98882A:				; CODE XREF: PnpReleaseResourcesInternal(x)+2B7j
		cmp	[ebp+var_10], 0
		jz	short loc_98883A
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98883A:				; CODE XREF: PnpReleaseResourcesInternal(x)+2C7j
		mov	esi, [edi+11Ch]
		mov	ecx, esi
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_IopWriteAllocatedResourcesToRegistry@12 ; IopWriteAllocatedResourcesToRegistry(x,x,x)
		jmp	short loc_98885D
; 

loc_988853:				; CODE XREF: PnpReleaseResourcesInternal(x)+260j
					; PnpReleaseResourcesInternal(x)+26Bj
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98885D:				; CODE XREF: PnpReleaseResourcesInternal(x)+2EAj
		mov	eax, ebx

loc_98885F:				; CODE XREF: PnpReleaseResourcesInternal(x)+211j
					; PnpReleaseResourcesInternal(x)+227j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnpReleaseResourcesInternal@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiControlGetDevicePowerData(size_t,int,int)
_PiControlGetDevicePowerData@20	proc near ; CODE XREF: PiControlGetPropertyData+14A68Bp

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 90h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		xor	ebx, ebx
		push	40h		; size_t
		mov	[ebp+var_50], eax
		mov	esi, ecx
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_54], edi
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_84], ebx
		cmp	[ebp+arg_0], 4
		mov	[edi], ebx
		push	38h
		pop	eax
		mov	[ebp+var_8C], eax
		jnb	short loc_9888BE
		mov	[edi], eax
		mov	eax, 80000005h
		jmp	loc_988A74
; 

loc_9888BE:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+4Cj
		mov	ecx, [esi+10h]
		lea	edx, [ebp+var_4C]
		call	_PpIrpQueryCapabilities@8 ; PpIrpQueryCapabilities(x,x)
		test	eax, eax
		jns	short loc_9888D7
		mov	eax, 0C000000Eh
		jmp	loc_988A74
; 

loc_9888D7:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+67j
		mov	ecx, esi
		call	_PipIsDevNodeDNStarted@4 ; PipIsDevNodeDNStarted(x)
		test	eax, eax
		jz	short loc_9888FD
		mov	eax, [esi+10h]
		mov	ecx, [eax+0B0h]
		call	_PopLockGetDoDevicePowerState@4	; PopLockGetDoDevicePowerState(x)
		test	eax, eax
		jnz	short loc_9888F5
		inc	eax

loc_9888F5:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+8Ej
		mov	[ebp+var_88], eax
		jmp	short loc_988907
; 

loc_9888FD:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+7Cj
		mov	[ebp+var_88], 4

loc_988907:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+97j
		mov	ecx, [ebp+var_48]
		push	9
		pop	eax
		mov	[ebp+var_84], eax
		test	cl, 1
		jz	short loc_988921
		push	0Bh
		pop	eax
		mov	[ebp+var_84], eax

loc_988921:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+B2j
		test	cl, 2
		jz	short loc_98892F
		or	eax, 4
		mov	[ebp+var_84], eax

loc_98892F:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+C0j
		test	ecx, 400h
		jz	short loc_988940
		or	eax, 10h
		mov	[ebp+var_84], eax

loc_988940:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+D1j
		test	ecx, 800h
		jz	short loc_988951
		or	eax, 20h
		mov	[ebp+var_84], eax

loc_988951:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+E2j
		test	ecx, 1000h
		jz	short loc_988962
		or	eax, 40h
		mov	[ebp+var_84], eax

loc_988962:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+F3j
		test	ecx, 2000h
		jz	short loc_988975
		or	eax, 80h
		mov	[ebp+var_84], eax

loc_988975:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+104j
		test	ecx, 10000h
		jz	short loc_988988
		or	eax, 100h
		mov	[ebp+var_84], eax

loc_988988:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+117j
		mov	eax, [ebp+var_18]
		lea	esi, [ebp+var_3C]
		push	7
		pop	ecx
		lea	edi, [ebp+var_74]
		rep movsd
		mov	ecx, [ebp+var_1C]
		mov	esi, [ebp+var_20]
		mov	[ebp+var_80], eax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+var_10]
		push	2
		pop	edx
		mov	[ebp+var_78], eax
		mov	edi, edx
		mov	eax, [ebp+var_84]

loc_9889B6:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+18Fj
		sub	ecx, 1
		jz	short loc_9889DB
		sub	ecx, 1
		jz	short loc_9889D6
		sub	ecx, 1
		jz	short loc_9889D1
		sub	ecx, 1
		jnz	short loc_9889E4
		or	eax, 80h
		jmp	short loc_9889DE
; 

loc_9889D1:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+15Fj
		or	eax, 44h
		jmp	short loc_9889DE
; 

loc_9889D6:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+15Aj
		or	eax, 22h
		jmp	short loc_9889DE
; 

loc_9889DB:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+155j
		or	eax, 10h

loc_9889DE:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+16Bj
					; PiControlGetDevicePowerData(x,x,x,x,x)+170j ...
		mov	[ebp+var_84], eax

loc_9889E4:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+164j
		test	esi, esi
		jz	short loc_9889EE
		mov	ecx, [ebp+esi*4+var_3C]
		jmp	short loc_9889F0
; 

loc_9889EE:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+182j
		mov	ecx, ebx

loc_9889F0:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+188j
		sub	edi, 1
		jnz	short loc_9889B6
		test	al, al
		jns	short loc_9889FD
		push	4
		jmp	short loc_988A03
; 

loc_9889FD:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+193j
		test	al, 40h
		jz	short loc_988A06
		push	3

loc_988A03:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+197j
		pop	edx
		jmp	short loc_988A13
; 

loc_988A06:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+19Bj
		test	al, 20h
		jnz	short loc_988A13
		movzx	edx, al
		shr	edx, 4
		and	edx, 1

loc_988A13:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+1A0j
					; PiControlGetDevicePowerData(x,x,x,x,x)+1A4j
		test	esi, esi
		jnz	short loc_988A2E
		test	edx, edx
		jz	short loc_988A2E
		push	4
		pop	esi

loc_988A1E:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+1C8j
		cmp	[ebp+var_34], ebx
		jz	short loc_988A28
		cmp	[ebp+var_34], edx
		jle	short loc_988A2E

loc_988A28:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+1BDj
		dec	esi
		cmp	esi, 1
		jge	short loc_988A1E

loc_988A2E:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+1B1j
					; PiControlGetDevicePowerData(x,x,x,x,x)+1B5j ...
		cmp	[ebp+arg_0], 38h
		mov	eax, [ebp+var_50]
		mov	[ebp+var_58], esi
		jnb	short loc_988A58
		test	eax, eax
		jz	short loc_988A51
		push	[ebp+arg_0]	; size_t
		lea	ecx, [ebp+var_8C]
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_988A51:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+1D8j
		mov	ebx, 80000005h
		jmp	short loc_988A69
; 

loc_988A58:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+1D4j
		test	eax, eax
		jz	short loc_988A69
		push	0Eh
		pop	ecx
		lea	esi, [ebp+var_8C]
		mov	edi, eax
		rep movsd

loc_988A69:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+1F2j
					; PiControlGetDevicePowerData(x,x,x,x,x)+1F6j
		mov	eax, [ebp+var_54]
		mov	dword ptr [eax], 38h
		mov	eax, ebx

loc_988A74:				; CODE XREF: PiControlGetDevicePowerData(x,x,x,x,x)+55j
					; PiControlGetDevicePowerData(x,x,x,x,x)+6Ej
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PiControlGetDevicePowerData@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiControlGetDeviceStack(x, x, x, x)
_PiControlGetDeviceStack@16 proc near	; CODE XREF: PiControlGetPropertyData+14A735p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	ecx, [ecx+10h]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	edi, eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	ebx, eax
		mov	[ebp+var_C], eax
		mov	esi, 43706E50h
		lea	eax, [ebp+var_34]
		mov	[ebp+var_1C], edx
		mov	edx, esi
		mov	[ebp+var_30], eax
		mov	[ebp+var_34], eax
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_988ACB
		mov	edi, 0C0000010h
		jmp	loc_988CF8
; 

loc_988ACB:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+3Aj
		mov	edx, esi
		mov	ecx, eax
		call	IoGetAttachedDeviceReferenceWithTag
		jmp	short loc_988B13
; 

loc_988AD6:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+92j
		push	47706E50h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_988B7A
		mov	[eax+8], esi
		lea	edx, [ebp+var_34]
		mov	ecx, [ebp+var_30]
		cmp	[ecx], edx
		jnz	loc_988D2A
		mov	[eax], edx
		mov	edx, 43706E50h
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ecx, esi
		mov	[ebp+var_30], eax
		call	IoGetLowerDeviceObjectWithTag

loc_988B13:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+4Fj
		mov	esi, eax
		test	esi, esi
		jnz	short loc_988AD6
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_34]
		mov	edx, [ebp+var_1C]
		mov	[ebp+var_8], eax
		xor	eax, eax
		mov	esi, eax
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_10], edx
		cmp	ecx, eax
		mov	[ebp+var_18], ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], 2
		jz	loc_988CC5

loc_988B47:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+229j
		mov	eax, [ecx+8]
		mov	ecx, [eax+8]
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_988C3E
		xor	eax, eax
		cmp	[ecx+20h], eax
		jz	short loc_988BB8
		mov	edx, [ebp+var_4]
		cmp	[ecx+1Ch], dx
		jb	short loc_988BB8
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_2C], eax
		mov	eax, [ecx+20h]
		mov	dx, word ptr [ebp+var_2C]
		mov	[ebp+var_28], eax
		jmp	short loc_988BB0
; 

loc_988B7A:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+61j
		mov	edx, 43706E50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	edi, 0C000009Ah
		jmp	loc_988CF8
; 

loc_988B90:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+12Fj
		mov	eax, [ebp+var_28]
		xor	esi, esi
		movzx	ecx, dx
		shr	ecx, 1
		cmp	[eax+ecx*2-2], si
		mov	esi, [ebp+var_14]
		jnz	short loc_988BC6
		mov	eax, 0FFFEh
		add	dx, ax
		mov	word ptr [ebp+var_2C], dx

loc_988BB0:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+F3j
		cmp	dx, word ptr [ebp+var_4]
		jnb	short loc_988B90
		jmp	short loc_988BC6
; 

loc_988BB8:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+D8j
					; PiControlGetDeviceStack(x,x,x,x)+E1j
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	dx, word ptr [ebp+var_2C]

loc_988BC6:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+11Dj
					; PiControlGetDeviceStack(x,x,x,x)+131j
		test	dx, dx
		jnz	loc_988C50
		mov	ecx, 108h
		mov	eax, ecx
		mov	[ebp+var_C], eax
		test	ebx, ebx
		jnz	short loc_988BF7
		push	47706E50h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_988CB6
		mov	eax, [ebp+var_C]

loc_988BF7:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+156j
		xor	ecx, ecx
		mov	edx, ebx
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		mov	ecx, [ebp+var_20]
		push	eax
		call	ObQueryNameStringMode
		mov	edi, eax
		test	edi, edi
		js	short loc_988C2A
		cmp	[ebp+var_C], 0
		jz	short loc_988C2A
		mov	eax, [ebp+var_4]
		cmp	[ebx], ax
		jb	short loc_988C2A
		mov	eax, [ebx]
		mov	[ebp+var_2C], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_28], eax
		jmp	short loc_988C4C
; 

loc_988C2A:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+188j
					; PiControlGetDeviceStack(x,x,x,x)+18Ej ...
		push	offset ??_C@_13HGPDMIBE@?$AA?$DP@NNGAKEGL@
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		mov	edi, eax
		jmp	short loc_988C4C
; 

loc_988C3E:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+CDj
		push	offset ??_C@_13HGPDMIBE@?$AA?$DP@NNGAKEGL@
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_988C4C:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+1A3j
					; PiControlGetDeviceStack(x,x,x,x)+1B7j
		mov	dx, word ptr [ebp+var_2C]

loc_988C50:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+144j
		cmp	[ebp+var_8], 0
		jz	short loc_988C96
		movzx	ecx, dx
		lea	eax, [ecx+2]
		cmp	[ebp+var_10], eax
		jb	short loc_988C96
		push	ecx		; size_t
		push	[ebp+var_28]	; void *
		push	[ebp+var_8]	; void *
		call	_memcpy
		movzx	eax, word ptr [ebp+var_2C]
		add	esp, 0Ch
		mov	ecx, [ebp+var_8]
		shr	eax, 1
		push	0FFFFFFFEh
		lea	ecx, [ecx+eax*2]
		xor	eax, eax
		mov	[ecx], ax
		add	ecx, [ebp+var_4]
		mov	dx, word ptr [ebp+var_2C]
		mov	[ebp+var_8], ecx
		movzx	eax, dx
		pop	ecx
		sub	ecx, eax
		add	[ebp+var_10], ecx

loc_988C96:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+1CFj
					; PiControlGetDeviceStack(x,x,x,x)+1DAj
		mov	ecx, [ebp+var_18]
		movzx	eax, dx
		add	eax, 2
		add	esi, eax
		lea	eax, [ebp+var_34]
		mov	ecx, [ecx]
		mov	[ebp+var_14], esi
		mov	[ebp+var_18], ecx
		cmp	ecx, eax
		jnz	loc_988B47
		jmp	short loc_988CBB
; 

loc_988CB6:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+169j
		mov	edi, 0C000009Ah

loc_988CBB:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+22Fj
		test	edi, edi
		js	short loc_988CEB
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_10]

loc_988CC5:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+BCj
		test	eax, eax
		jz	short loc_988CD3
		cmp	edx, [ebp+var_4]
		jb	short loc_988CD3
		xor	ecx, ecx
		mov	[eax], cx

loc_988CD3:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+242j
					; PiControlGetDeviceStack(x,x,x,x)+247j
		mov	eax, [ebp+arg_4]
		add	esi, [ebp+var_4]
		cmp	[ebp+arg_0], 0
		mov	[eax], esi
		jz	short loc_988CE6
		cmp	esi, [ebp+var_1C]
		jbe	short loc_988CEB

loc_988CE6:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+25Aj
		mov	edi, 0C0000023h

loc_988CEB:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+238j
					; PiControlGetDeviceStack(x,x,x,x)+25Fj
		test	ebx, ebx
		jz	short loc_988CF8
		xor	eax, eax
		push	eax
		push	ebx

loc_988CF3:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+2A3j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_988CF8:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+41j
					; PiControlGetDeviceStack(x,x,x,x)+106j ...
		mov	esi, [ebp+var_34]
		lea	eax, [ebp+var_34]
		cmp	esi, eax
		jz	short loc_988D2F
		cmp	[esi+4], eax
		jnz	short loc_988D2A
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_988D2A
		mov	[ebp+var_34], eax
		lea	ecx, [ebp+var_34]
		mov	[eax+4], ecx
		mov	edx, 43706E50h
		mov	ecx, [esi+8]
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		push	eax
		push	esi
		jmp	short loc_988CF3
; 

loc_988D2A:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+72j
					; PiControlGetDeviceStack(x,x,x,x)+280j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_988D2F:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+27Bj
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_988D42
		mov	edx, 43706E50h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_988D42:				; CODE XREF: PiControlGetDeviceStack(x,x,x,x)+2AFj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiControlGetDeviceStack@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiControlQueryAndRemoveDevice(x, x,	x, x)
_PiControlQueryAndRemoveDevice@16 proc near ; DATA XREF: .text:00403AD8o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, [ebp+arg_4]
		xor	edx, edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		movzx	eax, word ptr [esi]
		mov	word ptr [ebp+var_C+2],	ax
		mov	word ptr [ebp+var_C], ax
		test	ax, ax
		jz	loc_988E44
		mov	ecx, 190h
		cmp	ax, cx
		ja	loc_988E44
		test	al, 1
		jnz	loc_988E44
		mov	ecx, [esi+14h]
		mov	eax, [esi+10h]
		mov	[ebp+arg_4], edx
		mov	[ebp+var_8], edx
		test	ecx, ecx
		jz	short loc_988DA2
		test	eax, eax
		jz	short loc_988DA2
		lea	edx, [ecx+ecx]
		jmp	short loc_988DA5
; 

loc_988DA2:				; CODE XREF: PiControlQueryAndRemoveDevice(x,x,x,x)+4Cj
					; PiControlQueryAndRemoveDevice(x,x,x,x)+50j
		mov	[esi+14h], edx

loc_988DA5:				; CODE XREF: PiControlQueryAndRemoveDevice(x,x,x,x)+55j
		push	ebx
		push	edi
		push	eax
		push	[ebp+arg_C]
		lea	ecx, [ebp+arg_4]
		mov	[ebp+var_4], edx
		call	PiControlAllocateBufferForUserModeCaller
		mov	ebx, [ebp+arg_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_988E1C
		movzx	eax, word ptr [ebp+var_C]
		lea	ecx, [ebp+var_8]
		mov	edx, [esi+4]
		push	1
		push	[ebp+arg_C]
		push	2
		push	eax
		call	PiControlMakeUserModeCallersCopy
		mov	edi, eax
		test	edi, edi
		js	short loc_988E1C
		push	0		; int
		push	dword ptr [esi+8] ; int
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	ebx		; void *
		lea	edx, [esi+0Ch]
		lea	ecx, [ebp+var_C]
		call	_PnpQueueQueryAndRemoveEvent@24	; PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)
		mov	edi, eax
		test	ebx, ebx
		jz	short loc_988E14
		mov	eax, [esi+14h]
		lea	ecx, [esi+10h]
		push	0
		push	[ebp+arg_C]
		add	eax, eax
		mov	edx, ebx
		push	2
		push	eax
		call	PiControlMakeUserModeCallersCopy
		test	eax, eax
		jns	short loc_988E14
		mov	edi, eax

loc_988E14:				; CODE XREF: PiControlQueryAndRemoveDevice(x,x,x,x)+AAj
					; PiControlQueryAndRemoveDevice(x,x,x,x)+C5j
		mov	eax, [ebp+var_4]
		shr	eax, 1
		mov	[esi+14h], eax

loc_988E1C:				; CODE XREF: PiControlQueryAndRemoveDevice(x,x,x,x)+72j
					; PiControlQueryAndRemoveDevice(x,x,x,x)+8Fj
		cmp	byte ptr [ebp+arg_C], 0
		jz	short loc_988E3E
		cmp	[ebp+var_8], 0
		jz	short loc_988E32
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_988E32:				; CODE XREF: PiControlQueryAndRemoveDevice(x,x,x,x)+DBj
		test	ebx, ebx
		jz	short loc_988E3E
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_988E3E:				; CODE XREF: PiControlQueryAndRemoveDevice(x,x,x,x)+D5j
					; PiControlQueryAndRemoveDevice(x,x,x,x)+E9j
		mov	eax, edi
		pop	edi
		pop	ebx
		jmp	short loc_988E49
; 

loc_988E44:				; CODE XREF: PiControlQueryAndRemoveDevice(x,x,x,x)+22j
					; PiControlQueryAndRemoveDevice(x,x,x,x)+30j ...
		mov	eax, 0C000000Dh

loc_988E49:				; CODE XREF: PiControlQueryAndRemoveDevice(x,x,x,x)+F7j
		pop	esi
		leave
		retn	10h
_PiControlQueryAndRemoveDevice@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiControlQueryConflictList(x, x, x,	x)
_PiControlQueryConflictList@16 proc near ; DATA	XREF: .text:00403B98o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		cmp	[esi+10h], ebx
		jz	loc_989007
		cmp	dword ptr [esi+14h], 20h
		jb	loc_989007
		mov	edx, [esi+8]
		test	edx, edx
		jz	loc_989000
		mov	ecx, [esi+0Ch]
		cmp	ecx, 24h
		jb	loc_989000
		cmp	dword ptr [edx], 1
		jnz	loc_989000
		cmp	dword ptr [edx+10h], 1
		jnz	loc_989000
		movzx	eax, word ptr [esi]
		mov	word ptr [ebp+var_10+2], ax
		mov	word ptr [ebp+var_10], ax
		test	ax, ax
		jz	loc_989000
		mov	edi, 190h
		cmp	ax, di
		ja	loc_989000
		test	al, 1
		jnz	loc_989000
		and	[ebp+var_8], ebx
		and	[ebp+var_C], ebx
		push	1
		push	[ebp+arg_C]
		mov	[ebp+arg_4], ebx
		push	1
		push	ecx
		lea	ecx, [ebp+arg_4]
		mov	[ebp+var_4], ebx
		call	PiControlMakeUserModeCallersCopy
		mov	edi, eax
		test	edi, edi
		js	loc_988FB4
		push	dword ptr [esi+10h]
		mov	edx, [esi+14h]
		lea	ecx, [ebp+var_4]
		push	[ebp+arg_C]
		call	PiControlAllocateBufferForUserModeCaller
		mov	edi, eax
		test	edi, edi
		js	loc_988FB1
		movzx	eax, word ptr [esi]
		lea	ecx, [ebp+var_C]
		mov	edx, [esi+4]
		push	1
		push	[ebp+arg_C]
		push	2
		push	eax
		call	PiControlMakeUserModeCallersCopy
		mov	edi, eax
		test	edi, edi
		js	loc_988FB1
		xor	ecx, ecx
		mov	edi, 0C000000Eh
		inc	ecx
		call	PpDevNodeLockTree
		mov	edx, 43706E50h
		lea	ecx, [ebp+var_10]
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	ebx, [ebp+var_4]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_988FA7
		mov	ecx, [eax+0B0h]
		mov	ecx, [ecx+14h]
		test	ecx, ecx
		jz	short loc_988FA7
		cmp	ecx, _IopRootDeviceNode
		jz	short loc_988FA7
		mov	ecx, [ecx+0ACh]
		cmp	ecx, 313h
		jz	short loc_988FA7
		cmp	ecx, 314h
		jz	short loc_988FA7
		mov	edx, [ebp+arg_4]
		push	ecx
		push	dword ptr [esi+14h]
		push	ebx
		push	ecx
		mov	ecx, eax
		call	_IopQueryConflictList@24 ; IopQueryConflictList(x,x,x,x,x,x)
		push	0
		push	[ebp+arg_C]
		mov	edx, ebx
		lea	ecx, [esi+10h]
		push	1
		push	dword ptr [esi+14h]
		mov	edi, eax
		call	PiControlMakeUserModeCallersCopy
		test	eax, eax
		jns	short loc_988FA7
		mov	edi, eax

loc_988FA7:				; CODE XREF: PiControlQueryConflictList(x,x,x,x)+100j
					; PiControlQueryConflictList(x,x,x,x)+10Dj ...
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree
		jmp	short loc_988FB4
; 

loc_988FB1:				; CODE XREF: PiControlQueryConflictList(x,x,x,x)+B8j
					; PiControlQueryConflictList(x,x,x,x)+D8j
		mov	ebx, [ebp+var_4]

loc_988FB4:				; CODE XREF: PiControlQueryConflictList(x,x,x,x)+9Dj
					; PiControlQueryConflictList(x,x,x,x)+161j
		cmp	byte ptr [ebp+arg_C], 0
		jz	short loc_988FE6
		cmp	[ebp+arg_4], 0
		jz	short loc_988FCA
		push	0
		push	[ebp+arg_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_988FCA:				; CODE XREF: PiControlQueryConflictList(x,x,x,x)+170j
		test	ebx, ebx
		jz	short loc_988FD6
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_988FD6:				; CODE XREF: PiControlQueryConflictList(x,x,x,x)+17Ej
		cmp	[ebp+var_C], 0
		jz	short loc_988FE6
		push	0
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_988FE6:				; CODE XREF: PiControlQueryConflictList(x,x,x,x)+16Aj
					; PiControlQueryConflictList(x,x,x,x)+18Cj
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_988FF9
		mov	edx, 43706E50h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_988FF9:				; CODE XREF: PiControlQueryConflictList(x,x,x,x)+19Dj
		mov	[esi+1Ch], edi
		mov	eax, edi
		jmp	short loc_98900C
; 

loc_989000:				; CODE XREF: PiControlQueryConflictList(x,x,x,x)+2Ej
					; PiControlQueryConflictList(x,x,x,x)+3Aj ...
		mov	eax, 0C000000Dh
		jmp	short loc_98900C
; 

loc_989007:				; CODE XREF: PiControlQueryConflictList(x,x,x,x)+19j
					; PiControlQueryConflictList(x,x,x,x)+23j
		mov	eax, 0C0000023h

loc_98900C:				; CODE XREF: PiControlQueryConflictList(x,x,x,x)+1B0j
					; PiControlQueryConflictList(x,x,x,x)+1B7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiControlQueryConflictList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiControlQueryDeviceRelations(x, x,	x, x)
_PiControlQueryDeviceRelations@16 proc near ; DATA XREF: .text:00403B78o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, [ebp+arg_4]
		xor	edx, edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		movzx	eax, word ptr [esi]
		mov	word ptr [ebp+var_C+2],	ax
		mov	word ptr [ebp+var_C], ax
		test	ax, ax
		jz	loc_989102
		mov	ecx, 190h
		cmp	ax, cx
		ja	loc_989102
		test	al, 1
		jnz	loc_989102
		mov	ecx, [esi+0Ch]
		mov	eax, [esi+10h]
		mov	[ebp+arg_4], edx
		mov	[ebp+var_8], edx
		test	ecx, ecx
		jz	short loc_989068
		test	eax, eax
		jz	short loc_989068
		lea	edx, [ecx+ecx]

loc_989068:				; CODE XREF: PiControlQueryDeviceRelations(x,x,x,x)+4Cj
					; PiControlQueryDeviceRelations(x,x,x,x)+50j
		push	ebx
		push	edi
		push	eax
		push	[ebp+arg_C]
		lea	ecx, [ebp+arg_4]
		mov	[ebp+var_4], edx
		call	PiControlAllocateBufferForUserModeCaller
		mov	ebx, [ebp+arg_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_9890DA
		movzx	eax, word ptr [ebp+var_C]
		lea	ecx, [ebp+var_8]
		mov	edx, [esi+4]
		push	1
		push	[ebp+arg_C]
		push	2
		push	eax
		call	PiControlMakeUserModeCallersCopy
		mov	edi, eax
		test	edi, edi
		js	short loc_9890DA
		mov	edx, [esi+8]
		lea	eax, [ebp+var_4]
		push	ebx		; void *
		push	eax		; int
		lea	ecx, [ebp+var_C]
		call	_PiQueryDeviceRelations@16 ; PiQueryDeviceRelations(x,x,x,x)
		mov	edi, eax
		test	ebx, ebx
		jz	short loc_9890D2
		mov	eax, [esi+0Ch]
		lea	ecx, [esi+10h]
		push	0
		push	[ebp+arg_C]
		add	eax, eax
		mov	edx, ebx
		push	2
		push	eax
		call	PiControlMakeUserModeCallersCopy
		test	eax, eax
		jns	short loc_9890D2
		mov	edi, eax

loc_9890D2:				; CODE XREF: PiControlQueryDeviceRelations(x,x,x,x)+A0j
					; PiControlQueryDeviceRelations(x,x,x,x)+BBj
		mov	eax, [ebp+var_4]
		shr	eax, 1
		mov	[esi+0Ch], eax

loc_9890DA:				; CODE XREF: PiControlQueryDeviceRelations(x,x,x,x)+6Dj
					; PiControlQueryDeviceRelations(x,x,x,x)+8Aj
		cmp	byte ptr [ebp+arg_C], 0
		jz	short loc_9890FC
		test	ebx, ebx
		jz	short loc_9890EC
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9890EC:				; CODE XREF: PiControlQueryDeviceRelations(x,x,x,x)+CFj
		cmp	[ebp+var_8], 0
		jz	short loc_9890FC
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9890FC:				; CODE XREF: PiControlQueryDeviceRelations(x,x,x,x)+CBj
					; PiControlQueryDeviceRelations(x,x,x,x)+DDj
		mov	eax, edi
		pop	edi
		pop	ebx
		jmp	short loc_989107
; 

loc_989102:				; CODE XREF: PiControlQueryDeviceRelations(x,x,x,x)+22j
					; PiControlQueryDeviceRelations(x,x,x,x)+30j ...
		mov	eax, 0C000000Dh

loc_989107:				; CODE XREF: PiControlQueryDeviceRelations(x,x,x,x)+EDj
		pop	esi
		leave
		retn	10h
_PiControlQueryDeviceRelations@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiControlStartDevice(x, x, x, x)
_PiControlStartDevice@16 proc near	; DATA XREF: .text:00403AB8o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, [ebp+arg_4]
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edi
		movzx	eax, word ptr [edx]
		mov	[ebp+var_4], edi
		mov	word ptr [ebp+var_8+2],	ax
		mov	word ptr [ebp+var_8], ax
		test	ax, ax
		jz	short loc_989181
		mov	ecx, 190h
		cmp	ax, cx
		ja	short loc_989181
		test	al, 1
		jnz	short loc_989181
		mov	edx, [edx+4]
		lea	ecx, [ebp+var_4]
		push	esi
		push	1
		push	[ebp+arg_C]
		push	2
		push	eax
		call	PiControlMakeUserModeCallersCopy
		mov	esi, eax
		test	esi, esi
		js	short loc_98917C
		push	edi
		push	1
		push	ecx
		push	10h
		pop	edx
		lea	ecx, [ebp+var_8]
		call	_PiQueueDeviceRequest@20 ; PiQueueDeviceRequest(x,x,x,x,x)
		cmp	byte ptr [ebp+arg_C], 0
		mov	esi, eax
		jz	short loc_98917C
		cmp	[ebp+var_4], edi
		jz	short loc_98917C
		push	edi
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98917C:				; CODE XREF: PiControlStartDevice(x,x,x,x)+49j
					; PiControlStartDevice(x,x,x,x)+60j ...
		mov	eax, esi
		pop	esi
		jmp	short loc_989186
; 

loc_989181:				; CODE XREF: PiControlStartDevice(x,x,x,x)+21j
					; PiControlStartDevice(x,x,x,x)+2Bj ...
		mov	eax, 0C000000Dh

loc_989186:				; CODE XREF: PiControlStartDevice(x,x,x,x)+73j
		pop	edi
		leave
		retn	10h
_PiControlStartDevice@16 endp


;  S U B	R O U T	I N E 


; __stdcall PiDeviceRelationType(x)
_PiDeviceRelationType@4	proc near	; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+17p
		sub	ecx, 0
		jz	short loc_9891B7
		sub	ecx, 1
		jz	short loc_9891B3
		sub	ecx, 1
		jz	short loc_9891AF
		sub	ecx, 1
		jz	short loc_9891AC
		sub	ecx, 1
		jz	short loc_9891A8
		or	eax, 0FFFFFFFFh
		retn
; 

loc_9891A8:				; CODE XREF: PiDeviceRelationType(x)+17j
		push	6
		jmp	short loc_9891B5
; 

loc_9891AC:				; CODE XREF: PiDeviceRelationType(x)+12j
		xor	eax, eax
		retn
; 

loc_9891AF:				; CODE XREF: PiDeviceRelationType(x)+Dj
		push	2
		jmp	short loc_9891B5
; 

loc_9891B3:				; CODE XREF: PiDeviceRelationType(x)+8j
		push	3

loc_9891B5:				; CODE XREF: PiDeviceRelationType(x)+1Fj
					; PiDeviceRelationType(x)+26j
		pop	eax
		retn
; 

loc_9891B7:				; CODE XREF: PiDeviceRelationType(x)+3j
		xor	eax, eax
		inc	eax
		retn
_PiDeviceRelationType@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiInitializeDevice(x)
_PiInitializeDevice@4 proc near		; CODE XREF: PiCMCreateDevice(x,x,x,x,x,x)+43Dp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1C], eax
		xor	ecx, ecx
		mov	[ebp+var_20], esi
		mov	ebx, eax
		mov	[ebp+var_8], eax
		push	edi
		inc	ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_2C], eax
		mov	edi, eax
		mov	[ebp+var_18], ebx
		mov	[ebp+var_24], eax
		mov	[ebp+var_C], eax
		call	PpDevNodeLockTree
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		mov	edx, 43706E50h
		mov	[ebp+var_1], 1
		mov	ecx, esi
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_989229
		mov	edx, 43706E50h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		xor	esi, esi
		jmp	loc_98949D
; 

loc_989229:				; CODE XREF: PiInitializeDevice(x)+59j
		push	esi
		xor	edx, edx
		lea	ecx, [ebp+var_18]
		call	PnpUnicodeStringToWstr
		mov	esi, eax
		test	esi, esi
		js	loc_98949A
		lea	ecx, [ebp+var_2C]
		call	PiPnpRtlBeginOperation
		mov	ebx, [ebp+var_18]
		mov	esi, eax
		test	esi, esi
		js	loc_98949D
		xor	ecx, ecx
		lea	eax, [ebp+var_C]
		push	ecx
		push	eax
		push	ecx
		push	0F003Fh
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		mov	edx, ebx
		push	10h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_98949D
		xor	eax, eax
		xor	edi, edi
		mov	[ebp+var_34], eax
		xor	esi, esi
		mov	eax, 200h
		mov	[ebp+var_18], edi
		push	20207050h
		push	eax
		push	1
		mov	[ebp+var_30], esi
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_28], edi
		test	edi, edi
		jnz	short loc_9892B1
		mov	esi, 0C000009Ah
		jmp	loc_98949D
; 

loc_9892B1:				; CODE XREF: PiInitializeDevice(x)+EAj
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_8]
		push	esi
		push	eax
		push	edi
		lea	eax, [ebp+var_10]
		mov	edx, ebx
		push	eax
		push	5
		push	[ebp+var_C]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_989300
		cmp	[ebp+var_10], 1
		jnz	short loc_989300
		cmp	[ebp+var_8], esi
		jz	short loc_989300
		push	edi
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		jns	short loc_9892F9
		xor	eax, eax
		mov	[ebp+var_30], esi
		xor	edi, edi
		mov	[ebp+var_34], eax
		mov	[ebp+var_18], edi
		jmp	short loc_989300
; 

loc_9892F9:				; CODE XREF: PiInitializeDevice(x)+12Dj
		movzx	eax, word ptr [ebp+var_34]
		mov	[ebp+var_18], eax

loc_989300:				; CODE XREF: PiInitializeDevice(x)+114j
					; PiInitializeDevice(x)+11Aj ...
		lea	ecx, [ebp+var_14]
		call	_IopCreateRootEnumeratedDeviceObject@4 ; IopCreateRootEnumeratedDeviceObject(x)
		mov	esi, eax
		test	esi, esi
		js	loc_989482
		mov	eax, [ebp+var_14]
		lea	edx, [ebp+var_24]
		mov	ecx, eax
		or	dword ptr [eax+1Ch], 1000h
		call	PipAllocateDeviceNode
		mov	edi, [ebp+var_24]
		mov	esi, eax
		test	edi, edi
		jnz	short loc_989345
		cmp	esi, 0C000036Eh
		jnz	loc_98947E
		mov	esi, 0C000009Ah
		jmp	loc_98947E
; 

loc_989345:				; CODE XREF: PiInitializeDevice(x)+172j
		push	11h
		pop	edx
		mov	ecx, edi
		call	PipSetDevNodeFlags
		push	ecx
		mov	edx, 302h
		mov	ecx, edi
		call	PipSetDevNodeState
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_8]
		push	4
		pop	esi
		push	0
		push	eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_8], esi
		push	eax
		lea	eax, [ebp+var_10]
		mov	edx, ebx
		push	eax
		push	0Bh
		push	[ebp+var_C]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9893CA
		cmp	[ebp+var_10], esi
		jnz	short loc_989395
		cmp	[ebp+var_8], esi
		jnz	short loc_989395
		mov	eax, [ebp+var_1C]
		jmp	short loc_98939A
; 

loc_989395:				; CODE XREF: PiInitializeDevice(x)+1CEj
					; PiInitializeDevice(x)+1D3j
		xor	eax, eax
		mov	[ebp+var_1C], eax

loc_98939A:				; CODE XREF: PiInitializeDevice(x)+1D8j
		test	al, 20h
		jz	short loc_9893A4
		push	0
		push	12h
		jmp	short loc_9893C2
; 

loc_9893A4:				; CODE XREF: PiInitializeDevice(x)+1E1j
		test	eax, 2000h
		jz	short loc_9893B1
		push	0
		push	10h
		jmp	short loc_9893C2
; 

loc_9893B1:				; CODE XREF: PiInitializeDevice(x)+1EEj
		test	al, 40h
		jz	short loc_9893CA
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		call	_PiDevCfgGetFailedInstallProblemStatus@8 ; PiDevCfgGetFailedInstallProblemStatus(x,x)
		push	eax
		push	1Ch

loc_9893C2:				; CODE XREF: PiInitializeDevice(x)+1E7j
					; PiInitializeDevice(x)+1F4j
		pop	edx
		mov	ecx, edi
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)

loc_9893CA:				; CODE XREF: PiInitializeDevice(x)+1C9j
					; PiInitializeDevice(x)+1F8j
		mov	eax, [ebp+var_20]
		mov	ecx, edi
		movzx	edx, word ptr [eax]
		add	edx, 2
		call	_PnpAllocateDeviceInstancePath@8 ; PnpAllocateDeviceInstancePath(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_989482
		mov	edx, [ebp+var_20]
		mov	ecx, edi
		call	_PnpCopyDeviceInstancePath@8 ; PnpCopyDeviceInstancePath(x,x)
		cmp	word ptr [ebp+var_18], 0
		jz	short loc_989405
		push	ecx
		lea	edx, [ebp+var_34]
		lea	ecx, [edi+1Ch]
		call	_PnpConcatenateUnicodeStrings@12 ; PnpConcatenateUnicodeStrings(x,x,x)
		test	eax, eax
		jns	short loc_98940D

loc_989405:				; CODE XREF: PiInitializeDevice(x)+238j
		xor	eax, eax
		mov	[edi+1Ch], eax
		and	[edi+20h], eax

loc_98940D:				; CODE XREF: PiInitializeDevice(x)+248j
		mov	ecx, [edi+10h]
		lea	edx, [edi+14h]
		call	_PnpMapDeviceObjectToDeviceInstance@8 ;	PnpMapDeviceObjectToDeviceInstance(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_989482
		mov	ecx, _IopRootDeviceNode
		mov	edx, edi
		call	PpDevNodeInsertIntoTree
		mov	ecx, [ebp+var_14]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, edi
		mov	[ebp+var_1], 0
		call	_PnpQueryAndSaveDeviceNodeCapabilities@4 ; PnpQueryAndSaveDeviceNodeCapabilities(x)
		mov	edx, [edi+18h]
		push	1
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	edx, [edi+18h]
		push	0Eh
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	edx, _IopRootDeviceNode
		push	0Fh
		mov	edx, [edx+18h]
		call	_PnpRaiseNtPlugPlayDevicePropertyChangeEvent
		mov	edx, [edi+10h]
		mov	ecx, offset _GUID_DEVICE_ENUMERATED
		call	PnpSetPlugPlayEvent

loc_98947E:				; CODE XREF: PiInitializeDevice(x)+17Aj
					; PiInitializeDevice(x)+185j
		test	esi, esi
		jns	short loc_98948F

loc_989482:				; CODE XREF: PiInitializeDevice(x)+151j
					; PiInitializeDevice(x)+223j ...
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_98948F
		push	eax
		call	IoDeleteDevice

loc_98948F:				; CODE XREF: PiInitializeDevice(x)+2C5j
					; PiInitializeDevice(x)+2CCj
		cmp	[ebp+var_1], 0
		mov	edi, [ebp+var_28]
		jz	short loc_9894AC
		jmp	short loc_98949D
; 

loc_98949A:				; CODE XREF: PiInitializeDevice(x)+7Dj
		mov	ebx, [ebp+var_18]

loc_98949D:				; CODE XREF: PiInitializeDevice(x)+69j
					; PiInitializeDevice(x)+92j ...
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9894AC:				; CODE XREF: PiInitializeDevice(x)+2DBj
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree
		cmp	[ebp+var_C], 0
		jz	short loc_9894C2
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_9894C2:				; CODE XREF: PiInitializeDevice(x)+2FDj
		mov	ecx, [ebp+var_2C]
		test	ecx, ecx
		jz	short loc_9894CE
		call	PiPnpRtlEndOperation

loc_9894CE:				; CODE XREF: PiInitializeDevice(x)+30Cj
		test	ebx, ebx
		jz	short loc_9894DC
		mov	edx, [ebp+var_20]
		mov	ecx, ebx
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)

loc_9894DC:				; CODE XREF: PiInitializeDevice(x)+315j
		test	edi, edi
		jz	short loc_9894E8
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9894E8:				; CODE XREF: PiInitializeDevice(x)+323j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiInitializeDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PiQueryDeviceRelations(int,void	*)
_PiQueryDeviceRelations@16 proc	near	; CODE XREF: PiControlQueryDeviceRelations(x,x,x,x)+97p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	[ebp+var_10], ecx
		xor	esi, esi
		and	[ebp+var_4], esi
		mov	ecx, edx
		push	edi
		xor	edi, edi
		call	_PiDeviceRelationType@4	; PiDeviceRelationType(x)
		mov	ebx, eax
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_98951C
		mov	eax, 0C000000Dh
		jmp	loc_98972D
; 

loc_98951C:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+21j
		xor	ecx, ecx
		call	PpDevNodeLockTree
		mov	ecx, [ebp+var_10]
		mov	edx, 43706E50h
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_9896F1
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		mov	[ebp+var_8], eax
		mov	ecx, [eax+0ACh]
		cmp	ecx, 313h
		jz	loc_9896F1
		cmp	ecx, 314h
		jz	loc_9896F1
		test	ebx, ebx
		jnz	loc_98967B
		mov	eax, [eax+4]
		jmp	short loc_989575
; 

loc_989572:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+88j
		mov	eax, [eax]
		inc	ebx

loc_989575:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+81j
		test	eax, eax
		jnz	short loc_989572
		push	20207050h
		lea	eax, ds:8[ebx*4]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	loc_989671
		mov	eax, [ebp+var_8]
		xor	edx, edx
		mov	[ecx], ebx
		mov	eax, [eax+4]
		jmp	short loc_9895CD
; 

loc_9895A6:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+E6j
		cmp	edx, ebx
		jnb	short loc_9895D7
		mov	ecx, [eax+10h]
		mov	edx, 43706E50h
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_C]
		mov	ecx, [eax+10h]
		mov	eax, [ebp+var_4]
		mov	[eax+edx*4+4], ecx
		inc	edx
		mov	eax, [ebp+var_8]
		mov	eax, [eax]

loc_9895CD:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+B5j
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx
		test	eax, eax
		jnz	short loc_9895A6

loc_9895D7:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+B9j
					; PiQueryDeviceRelations(x,x,x,x)+1A0j
		mov	ecx, [ebp+var_4]

loc_9895DA:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+187j
					; PiQueryDeviceRelations(x,x,x,x)+1ABj
		test	ecx, ecx
		jz	loc_9896F6
		cmp	[ecx], edi
		jbe	loc_9896F6
		push	2
		pop	ebx
		xor	eax, eax
		mov	edi, ebx
		mov	[ebp+var_8], eax

loc_9895F4:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+1DFj
		mov	eax, [ecx+eax*4+4]
		mov	eax, [eax+0B0h]
		mov	edx, [eax+14h]
		mov	[ebp+var_C], edx
		test	edx, edx
		jz	loc_9896AA
		lea	eax, [edx+14h]
		test	eax, eax
		jz	loc_9896AA
		movzx	eax, word ptr [eax]
		cmp	ax, bx
		jb	loc_9896AA
		mov	ebx, eax
		mov	[ebp+var_14], ebx
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_98969F
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		lea	eax, [edi+2]
		add	eax, ecx
		cmp	[edx], eax
		mov	edx, [ebp+var_C]
		jb	loc_9896D3
		push	ecx		; size_t
		push	dword ptr [edx+18h] ; void *
		push	ebx		; void *
		call	_memcpy
		mov	ecx, [ebp+var_C]
		add	esp, 0Ch
		movzx	eax, word ptr [ecx+14h]
		shr	eax, 1
		lea	ebx, [ebx+eax*2]
		xor	eax, eax
		mov	[ebx], ax
		add	ebx, 2
		movzx	eax, word ptr [ecx+14h]
		mov	ecx, [ebp+var_4]
		mov	[ebp+arg_4], ebx
		jmp	short loc_9896A2
; 

loc_989671:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+A5j
		mov	esi, 0C000009Ah
		jmp	loc_9895DA
; 

loc_98967B:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+78j
		mov	ecx, [ebp+var_10]

loc_98967E:				; DATA XREF: CmpArmLazyWriter+41o
					; CmpArmLazyWriter+E0o	...
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		mov	edx, ebx
		call	_PnpQueryDeviceRelations@16 ; PnpQueryDeviceRelations(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_9895D7
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		jmp	loc_9895DA
; 

loc_98969F:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+13Ej
		mov	eax, [ebp+var_14]

loc_9896A2:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+180j
		movzx	eax, ax
		add	edi, 2
		add	edi, eax

loc_9896AA:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+117j
					; PiQueryDeviceRelations(x,x,x,x)+122j	...
		mov	eax, [ebp+var_8]
		mov	edx, 43706E50h
		mov	ebx, edi
		mov	ecx, [ecx+eax*4+4]
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, [ecx]
		jnb	short loc_9896DA
		push	2
		pop	ebx
		jmp	loc_9895F4
; 

loc_9896D3:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+14Fj
					; PiQueryDeviceRelations(x,x,x,x)+1F9j
		mov	esi, 0C0000023h
		jmp	short loc_9896F6
; 

loc_9896DA:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+1DAj
		mov	eax, [ebp+arg_4]
		mov	edi, ebx
		test	eax, eax
		jz	short loc_9896F6
		mov	ecx, [ebp+arg_0]
		cmp	[ecx], ebx
		jb	short loc_9896D3
		xor	ecx, ecx
		mov	[eax], cx
		jmp	short loc_9896F6
; 

loc_9896F1:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+46j
					; PiQueryDeviceRelations(x,x,x,x)+64j ...
		mov	esi, 0C000000Eh

loc_9896F6:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+EDj
					; PiQueryDeviceRelations(x,x,x,x)+F5j ...
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		test	esi, esi
		jns	short loc_989703
		xor	edi, edi

loc_989703:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+210j
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		cmp	[ebp+var_4], 0
		jz	short loc_989718
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_989718:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+21Dj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_98972B
		mov	edx, 43706E50h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_98972B:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+22Ej
		mov	eax, esi

loc_98972D:				; CODE XREF: PiQueryDeviceRelations(x,x,x,x)+28j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiQueryDeviceRelations@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiQueueDeviceRequest(x, x, x, x, x)
_PiQueueDeviceRequest@20 proc near	; CODE XREF: PiCMDeleteDevice(x,x,x,x,x,x)+260p
					; PiCMDeviceAction(x,x,x,x,x,x)+1BAp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+28h+var_18], edx
		lea	edi, [esp+28h+var_10]
		xor	ebx, ebx
		stosd
		mov	[esp+28h+var_1C], ebx
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	short loc_98975F
		mov	[edi], ebx

loc_98975F:				; CODE XREF: PiQueueDeviceRequest(x,x,x,x,x)+27j
		mov	edx, 43706E50h
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	esi, eax
		mov	[esp+28h+var_14], esi
		test	esi, esi
		jnz	short loc_98977D
		mov	esi, 0C000000Eh
		jmp	loc_989844
; 

loc_98977D:				; CODE XREF: PiQueueDeviceRequest(x,x,x,x,x)+3Dj
		mov	eax, [esi+0B0h]
		cmp	[eax+14h], ebx
		jnz	short loc_989792
		mov	esi, 0C000000Eh
		jmp	loc_989836
; 

loc_989792:				; CODE XREF: PiQueueDeviceRequest(x,x,x,x,x)+52j
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_9897A7
		push	0
		push	0
		lea	eax, [esp+30h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_9897A7:				; CODE XREF: PiQueueDeviceRequest(x,x,x,x,x)+63j
		mov	eax, ebx
		mov	edx, [esp+28h+var_18]
		neg	eax
		lea	ecx, [esp+28h+var_1C]
		sbb	eax, eax
		and	eax, ecx
		lea	ecx, [esp+28h+var_10]
		push	eax
		mov	eax, ebx
		neg	eax
		sbb	eax, eax
		and	eax, edi
		push	eax
		mov	eax, ebx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, esi
		push	eax
		push	0
		push	0
		call	PnpRequestDeviceAction
		mov	edi, [esp+28h+var_1C]
		mov	esi, eax
		test	esi, esi
		js	short loc_98982B
		test	ebx, ebx
		jz	short loc_98982B
		xor	ebx, ebx
		lea	eax, [esp+28h+var_10]
		push	ebx
		push	1
		push	ebx
		push	ebx
		push	eax
		call	KeWaitForSingleObject
		mov	esi, eax
		cmp	esi, 101h
		jnz	short loc_98982B
		mov	ecx, edi
		call	_PnpRemoveDeviceActionRequestFromQueue@4 ; PnpRemoveDeviceActionRequestFromQueue(x)
		test	eax, eax
		jz	short loc_989814
		mov	esi, 0C0000120h
		jmp	short loc_98982B
; 

loc_989814:				; CODE XREF: PiQueueDeviceRequest(x,x,x,x,x)+D7j
		mov	ecx, edi
		call	_PnpCancelDeviceActionRequest@4	; PnpCancelDeviceActionRequest(x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+38h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, eax

loc_98982B:				; CODE XREF: PiQueueDeviceRequest(x,x,x,x,x)+ADj
					; PiQueueDeviceRequest(x,x,x,x,x)+B1j ...
		test	edi, edi
		jz	short loc_989836
		mov	ecx, edi
		call	_PnpDeleteDeviceActionRequest@4	; PnpDeleteDeviceActionRequest(x)

loc_989836:				; CODE XREF: PiQueueDeviceRequest(x,x,x,x,x)+59j
					; PiQueueDeviceRequest(x,x,x,x,x)+F9j
		mov	ecx, [esp+28h+var_14]
		mov	edx, 43706E50h
		call	ObfDereferenceObjectWithTag

loc_989844:				; CODE XREF: PiQueueDeviceRequest(x,x,x,x,x)+44j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PiQueueDeviceRequest@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PnpQueueQueryAndRemoveEvent(void *,int,int,int)
_PnpQueueQueryAndRemoveEvent@24	proc near ; CODE XREF: PnpRequestDeviceEjectExWorker(x)+3Fp
					; PiCMQueryRemove(x,x,x,x,x,x)+31Ap ...

var_3E		= byte ptr -3Eh
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		xor	eax, eax
		mov	[esp+48h+var_28], edx
		push	esi
		push	edi
		lea	edi, [esp+50h+var_10]
		mov	esi, ecx
		stosd
		mov	[esp+50h+var_14], esi
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	ebx, eax
		mov	[esp+50h+var_24], eax
		mov	[esp+50h+var_38], eax
		mov	[esp+50h+var_3C], eax
		mov	[esp+50h+var_3D], al
		mov	[edx], eax
		mov	eax, [ebp+arg_8]
		and	eax, 8
		mov	[esp+50h+var_2C], ebx
		mov	[esp+50h+var_1C], eax
		jz	short loc_9898A3
		mov	edx, esi
		mov	ecx, offset _KMPnPEvt_DeviceEject_Start
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)

loc_9898A3:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+46j
		mov	edx, 43706E50h
		mov	ecx, esi
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	edi, [ebp+arg_C]
		mov	[esp+50h+var_20], eax
		test	eax, eax
		jnz	short loc_9898C4
		mov	esi, 0C000000Eh
		jmp	loc_989B33
; 

loc_9898C4:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+69j
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jnz	short loc_9898DB
		mov	esi, 0C000000Eh
		jmp	loc_989B0C
; 

loc_9898DB:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+80j
		cmp	eax, _IopRootDeviceNode
		jnz	short loc_9898ED
		mov	esi, 0C0000022h
		jmp	loc_989B0C
; 

loc_9898ED:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+92j
		mov	esi, [ebp+arg_4]
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_98993C
		push	20207050h
		add	eax, 0Ch
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+50h+var_38], ecx
		test	ecx, ecx
		jnz	short loc_98991A
		mov	esi, 0C000009Ah
		jmp	loc_989B0C
; 

loc_98991A:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+BFj
		lea	ebx, [ecx+4]
		mov	[esp+50h+var_3D], 1
		lea	eax, [ebx+8]
		mov	[ebx+4], eax
		mov	ax, [esi]
		mov	[ebx+2], ax
		xor	eax, eax
		xor	edx, edx
		mov	[ebx], ax
		mov	[esp+50h+var_34], edx
		jmp	short loc_98994A
; 

loc_98993C:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+A5j
		xor	edx, edx
		mov	[esp+50h+var_34], 1
		mov	[esp+50h+var_38], edx

loc_98994A:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+EBj
		mov	ecx, [esp+50h+var_1C]
		mov	[esp+50h+var_3C], ebx
		test	ecx, ecx
		jz	short loc_989962
		test	edi, edi
		jz	short loc_989962
		mov	[esp+50h+var_34], 1

loc_989962:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+105j
					; PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+109j
		test	byte ptr [ebp+arg_8], 0Bh
		push	0
		pop	eax
		setnz	al
		test	byte ptr [ebp+arg_8], 2
		mov	[esp+50h+var_18], eax
		jz	short loc_98997A
		push	16h
		jmp	short loc_98998C
; 

loc_98997A:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+125j
		test	ecx, ecx
		jz	short loc_98998A
		push	2Fh
		mov	[esp+54h+var_30], 1
		jmp	short loc_989990
; 

loc_98998A:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+12Dj
		push	15h

loc_98998C:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+129j
		mov	[esp+54h+var_30], edx

loc_989990:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+139j
		pop	esi
		push	edx
		push	edx
		lea	eax, [esp+58h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, [esp+50h+var_20]
		lea	eax, [esp+50h+var_2C]
		push	eax
		push	ebx
		push	[esp+58h+var_38]
		lea	eax, [esp+5Ch+var_24]
		xor	ebx, ebx
		push	eax
		push	ebx
		push	ebx
		lea	eax, [esp+68h+var_10]
		xor	edx, edx
		push	eax
		push	ebx
		push	esi
		push	[esp+74h+var_34]
		push	[esp+78h+var_30]
		push	[esp+7Ch+var_18]
		call	_PnpSetTargetDeviceRemove@56 ; PnpSetTargetDeviceRemove(x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_989B08
		push	ebx
		push	1
		push	ebx
		push	ebx
		lea	eax, [esp+60h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	ebx, [esp+50h+var_2C]
		mov	esi, eax
		cmp	esi, 101h
		jnz	short loc_989A3E
		mov	ecx, ebx
		call	_PnpRemoveEventFromQueue@4 ; PnpRemoveEventFromQueue(x)
		test	eax, eax
		jz	short loc_989A0A
		mov	esi, 0C0000120h
		jmp	loc_989B0C
; 

loc_989A0A:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+1AFj
		xor	eax, eax
		lea	ecx, [ebx+28h]
		inc	eax
		xchg	eax, [ecx]
		test	eax, eax
		jnz	short loc_989A2C
		mov	byte ptr [ebx+2Ch], 1
		mov	esi, 0C0000120h
		xchg	eax, [ecx]
		xor	eax, eax
		mov	[esp+50h+var_3D], al
		jmp	loc_989B0C
; 

loc_989A2C:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+1C5j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+60h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, eax

loc_989A3E:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+1A4j
		test	esi, esi
		js	short loc_989A46
		mov	esi, [esp+50h+var_24]

loc_989A46:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+1F1j
		mov	eax, [esp+50h+var_38]
		test	eax, eax
		jz	short loc_989A56
		mov	ecx, [esp+50h+var_28]
		mov	eax, [eax]
		mov	[ecx], eax

loc_989A56:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+1FDj
		mov	ecx, [esp+50h+var_3C]
		test	ecx, ecx
		jz	short loc_989AB2
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		test	ax, ax
		jz	short loc_989AAA
		mov	edi, [ebp+arg_4]
		cmp	eax, [edi]
		jb	short loc_989A80
		mov	eax, edi
		push	2
		pop	edx
		mov	ax, [eax]
		sub	ax, dx
		mov	[ecx], ax
		movzx	edx, ax

loc_989A80:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+21Ej
		movzx	eax, dx
		push	eax		; size_t
		push	dword ptr [ecx+4] ; void *
		push	[ebp+arg_0]	; void *
		call	_memcpy
		mov	ecx, [esp+5Ch+var_3C]
		add	esp, 0Ch
		mov	edx, [ebp+arg_0]
		movzx	eax, word ptr [ecx]
		shr	eax, 1
		xor	edi, edi
		mov	[edx+eax*2], di
		movzx	edx, word ptr [ecx]
		mov	edi, [ebp+arg_C]

loc_989AAA:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+217j
		mov	ecx, [ebp+arg_4]
		movzx	eax, dx
		mov	[ecx], eax

loc_989AB2:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+20Dj
		mov	eax, [esp+50h+var_28]
		cmp	dword ptr [eax], 6
		jnz	short loc_989B0C
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_989B0C
		xor	eax, eax
		xor	edi, edi
		cmp	[ecx], di
		mov	edx, eax
		mov	edi, [ebp+arg_C]
		mov	eax, ecx
		jz	short loc_989B0C

loc_989AD2:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+29Cj
		cmp	word ptr [eax],	5Ch
		jnz	short loc_989ADE
		inc	edx
		cmp	edx, 3
		jz	short loc_989AEF

loc_989ADE:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+287j
		push	2
		pop	ecx
		add	eax, ecx
		xor	ecx, ecx
		cmp	[eax], cx
		mov	ecx, [ebp+arg_0]
		jnz	short loc_989AD2
		jmp	short loc_989AF7
; 

loc_989AEF:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+28Dj
		xor	edi, edi
		mov	[eax], di
		mov	edi, [ebp+arg_C]

loc_989AF7:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+29Ej
		cmp	edx, 3
		jnz	short loc_989B0C
		sub	eax, ecx
		mov	ecx, [ebp+arg_4]
		movzx	eax, ax
		mov	[ecx], eax
		jmp	short loc_989B0C
; 

loc_989B08:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+183j
		mov	ebx, [esp+50h+var_2C]

loc_989B0C:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+87j
					; PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+99j	...
		mov	ecx, [esp+50h+var_20]
		mov	edx, 43706E50h
		call	ObfDereferenceObjectWithTag
		test	ebx, ebx
		jz	short loc_989B33
		or	eax, 0FFFFFFFFh
		lock xadd [ebx+24h], eax
		jnz	short loc_989B33
		push	4B706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_989B33:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+70j
					; PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+2CDj ...
		cmp	[esp+50h+var_1C], 0
		jz	short loc_989B5E
		mov	eax, [esp+50h+var_28]
		neg	edi
		mov	edx, [esp+50h+var_14]
		mov	ecx, offset _KMPnPEvt_DeviceEject_Stop
		sbb	edi, edi
		and	edi, 80000000h
		or	edi, [eax]
		push	edi
		push	[esp+54h+var_3C]
		push	esi
		call	PnpDiagnosticTraceDeviceOperation

loc_989B5E:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+2E9j
		cmp	[esp+50h+var_3D], 0
		jz	short loc_989B71
		xor	eax, eax
		push	eax
		push	[esp+54h+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_989B71:				; CODE XREF: PnpQueueQueryAndRemoveEvent(x,x,x,x,x,x)+314j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_PnpQueueQueryAndRemoveEvent@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFileUtilClearAttributes(x, x)
_IopFileUtilClearAttributes@8 proc near	; CODE XREF: PpLastGoodDeleteFilesCallback(x,x,x,x)+20p
					; IopFileUtilRename+B2p ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	0Ah
		mov	edx, ecx
		mov	[ebp+var_54], 18h
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_48], 240h
		push	204022h
		push	3
		lea	edi, [ebp+var_30]
		mov	[ebp+var_4C], edx
		rep stosd
		lea	eax, [ebp+var_3C]
		xor	esi, esi
		push	eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_34], esi
		push	eax
		push	100180h
		lea	eax, [ebp+var_34]
		mov	[ebp+var_3C], esi
		push	eax
		mov	[ebp+var_38], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], esi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_989C3B
		push	4
		push	28h
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	[ebp+var_34]
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_989C31
		mov	edx, [ebp+var_10]
		test	dl, 7
		jz	short loc_989C31
		and	edx, 0FFFFFFF8h
		jnz	short loc_989C0E
		mov	edx, 80h

loc_989C0E:				; CODE XREF: IopFileUtilClearAttributes(x,x)+8Bj
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_30]
		push	4
		rep stosd
		push	28h
		lea	eax, [ebp+var_30]
		mov	[ebp+var_10], edx
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	[ebp+var_34]
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		mov	esi, eax

loc_989C31:				; CODE XREF: IopFileUtilClearAttributes(x,x)+7Ej
					; IopFileUtilClearAttributes(x,x)+86j
		push	[ebp+var_34]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi

loc_989C3B:				; CODE XREF: IopFileUtilClearAttributes(x,x)+64j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopFileUtilClearAttributes@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFileUtilWalkDirectoryTreeBottomUp(x, x, x, x)
_IopFileUtilWalkDirectoryTreeBottomUp@16 proc near ; CODE XREF:	NtEnableLastKnownGood()+231p
					; NtEnableLastKnownGood()+274p

var_41C		= dword	ptr -41Ch
var_418		= dword	ptr -418h
var_414		= dword	ptr -414h
var_410		= dword	ptr -410h
var_40C		= dword	ptr -40Ch
var_408		= dword	ptr -408h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 41Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	eax, ecx
		lea	ecx, [ebp+var_410]
		push	esi
		push	edi
		push	75466F49h
		movzx	ebx, word ptr [eax]
		xor	edi, edi
		add	ebx, 12h
		mov	[ebp+var_40C], ecx
		mov	[ebp+var_410], ecx
		lea	ecx, [ebp+var_418]
		push	ebx
		push	1
		mov	[ebp+var_41C], eax
		mov	[ebp+var_414], ecx
		mov	[ebp+var_418], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_989CB2
		mov	edi, 0C000009Ah
		jmp	loc_989DD8
; 

loc_989CB2:				; CODE XREF: IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+5Dj
		push	ebx		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	esi		; void *
		call	_memset
		mov	edx, [ebp+var_41C]
		lea	ecx, [esi+8]
		xor	eax, eax
		add	esp, 0Ch
		mov	[ecx], ax
		mov	ax, [edx]
		mov	[esi+0Ah], ax
		lea	eax, [esi+10h]
		push	edx
		push	ecx
		mov	[esi+0Ch], eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	eax, [ebp+var_410]
		lea	ecx, [ebp+var_410]
		cmp	[eax+4], ecx
		jnz	loc_989DF3
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		mov	eax, ecx
		mov	[ebp+var_410], esi
		cmp	esi, eax
		jz	short loc_989D3E

loc_989D0A:				; CODE XREF: IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+F1j
		lea	eax, [ebp+var_410]
		push	eax
		push	ecx
		lea	eax, [ebp+var_408]
		push	eax
		push	ebx
		push	ebx
		push	8
		lea	ecx, [esi+8]
		pop	edx
		call	_IopFileUtilWalkDirectoryTreeHelper@28 ; IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_989DD8
		mov	esi, [esi]
		lea	eax, [ebp+var_410]
		cmp	esi, eax
		jnz	short loc_989D0A
		jmp	short loc_989D9C
; 

loc_989D3E:				; CODE XREF: IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+BFj
					; IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+159j
		lea	eax, [ebp+var_410]
		cmp	esi, eax
		jz	short loc_989DA4
		mov	esi, [ebp+var_40C]
		cmp	[esi], eax
		jnz	loc_989DF3
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_989DF3
		mov	[ebp+var_40C], eax
		lea	ecx, [ebp+var_410]
		mov	[eax], ecx
		lea	eax, [ebp+var_418]
		push	eax
		push	ecx
		lea	eax, [ebp+var_408]
		push	eax
		push	ebx
		push	offset _PpLastGoodDeleteFilesCallback@16 ; PpLastGoodDeleteFilesCallback(x,x,x,x)
		push	7
		lea	ecx, [esi+8]
		pop	edx
		call	_IopFileUtilWalkDirectoryTreeHelper@28 ; IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)
		push	75466F49h
		push	esi
		mov	edi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_989D9C:				; CODE XREF: IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+F3j
		mov	esi, [ebp+var_410]
		jmp	short loc_989D3E
; 

loc_989DA4:				; CODE XREF: IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+FDj
		test	edi, edi
		jns	short loc_989DE0

loc_989DA8:				; CODE XREF: IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+195j
		lea	eax, [ebp+var_410]
		cmp	esi, eax
		jz	short loc_989DE0
		cmp	[esi+4], eax
		jnz	short loc_989DF3
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_989DF3
		push	75466F49h
		lea	ecx, [ebp+var_410]
		mov	[ebp+var_410], eax
		push	esi
		mov	[eax+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_989DD8:				; CODE XREF: IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+64j
					; IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+E1j
		mov	esi, [ebp+var_410]
		jmp	short loc_989DA8
; 

loc_989DE0:				; CODE XREF: IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+15Dj
					; IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+167j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_989DF3:				; CODE XREF: IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+A7j
					; IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+107j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_IopFileUtilWalkDirectoryTreeBottomUp@16 endp ;	AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFileUtilWalkDirectoryTreeHelper(x, x, x,	x, x, x, x)
_IopFileUtilWalkDirectoryTreeHelper@28 proc near
					; CODE XREF: IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+D8p
					; IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)+141p ...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	ebx
		mov	eax, edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], eax
		xor	ebx, ebx
		shl	eax, 11h
		push	esi
		not	eax
		mov	[ebp+var_8], ebx
		push	edi
		and	eax, 200000h
		mov	[ebp+var_34], ebx
		or	eax, 4001h
		mov	[ebp+var_30], ebx
		push	eax
		push	1
		lea	eax, [ebp+var_34]
		mov	[ebp+var_2C], ebx
		push	eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_28], ebx
		push	eax
		push	100001h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4C], 18h
		push	eax
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], 240h
		mov	[ebp+var_44], ecx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	loc_98A05A
		push	1
		jmp	loc_98A020
; 

loc_989E6D:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+248j
		cmp	esi, 103h
		jnz	short loc_989E8B
		push	ebx
		push	1
		push	[ebp+var_8]
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		mov	esi, [ebp+var_34]
		test	esi, esi
		js	loc_98A046

loc_989E8B:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+7Bj
		lea	eax, [edi+3Ch]
		mov	[ebp+var_C], edi
		mov	[ebp+var_18], eax
		mov	ebx, edi
		mov	eax, [eax]
		shr	eax, 1
		movzx	ecx, word ptr [edi+eax*2+5Eh]
		mov	[ebp+var_1C], ecx
		xor	ecx, ecx
		mov	[edi+eax*2+5Eh], cx
		lea	eax, [edi+5Eh]
		jmp	loc_989FD4
; 

loc_989EB1:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+216j
		push	[ebp+var_14]
		xor	eax, eax
		lea	ecx, [edi+8]
		mov	[ecx], ax
		mov	eax, [ebp+var_24]
		mov	[edi+0Ah], ax
		lea	eax, [edi+10h]
		push	ecx
		mov	[edi+0Ch], eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		lea	eax, [edi+8]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [edi+8]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	eax, [ebx+38h]
		test	al, 10h
		jz	loc_989F77
		mov	ebx, [ebp+var_20]
		push	offset ??_C@_13JOFGPIOO@?$AA?4@NNGAKEGL@ ; wchar_t *
		push	ebx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_989F1E
		push	offset ??_C@_15DDHGOCBH@?$AA?4?$AA?4@NNGAKEGL@ ; wchar_t *
		push	ebx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_989F1E
		xor	bl, bl
		jmp	short loc_989F20
; 

loc_989F1E:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+10Fj
					; IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+120j
		mov	bl, 1

loc_989F20:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+124j
		mov	eax, [ebp+var_10]
		test	al, 2
		jz	short loc_989F48
		test	al, 4
		jz	short loc_989F2F
		test	bl, bl
		jnz	short loc_989F6A

loc_989F2F:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+131j
		push	[ebp+arg_4]
		mov	eax, [ebp+var_C]
		push	dword ptr [eax+38h]
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [edi+8]
		push	eax
		call	[ebp+arg_0]
		mov	esi, eax
		mov	eax, [ebp+var_10]

loc_989F48:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+12Dj
		test	bl, bl
		jnz	short loc_989F6A
		test	al, 8
		jz	short loc_989F6A
		mov	ecx, [ebp+arg_10]
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_98A061
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[ecx+4], edi
		jmp	short loc_989F72
; 

loc_989F6A:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+135j
					; IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+152j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_989F72:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+170j
		mov	ebx, [ebp+var_C]
		jmp	short loc_989F96
; 

loc_989F77:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+F7j
		test	byte ptr [ebp+var_10], 1
		jz	short loc_989F8E
		push	[ebp+arg_4]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [edi+8]
		push	eax
		call	[ebp+arg_0]
		mov	esi, eax

loc_989F8E:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+183j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_989F96:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+17Dj
		test	esi, esi
		js	loc_98A046
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_1C]
		mov	eax, [eax]
		shr	eax, 1
		mov	[ebx+eax*2+5Eh], cx
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_98A019
		add	ebx, eax
		mov	[ebp+var_C], ebx
		lea	eax, [ebx+3Ch]
		mov	[ebp+var_18], eax
		mov	eax, [eax]
		shr	eax, 1
		movzx	ecx, word ptr [ebx+eax*2+5Eh]
		mov	[ebp+var_1C], ecx
		xor	ecx, ecx
		mov	[ebx+eax*2+5Eh], cx
		lea	eax, [ebx+5Eh]

loc_989FD4:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+B4j
		push	eax
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+var_14]
		push	2
		mov	ax, [ecx]
		add	ax, word ptr [ebp+var_2C]
		pop	ecx
		add	ax, cx
		movzx	eax, ax
		mov	[ebp+var_24], eax
		movzx	eax, ax
		push	75466F49h
		add	eax, 12h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_989EB1
		mov	esi, 0C000009Ah

loc_98A019:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+1B9j
		test	esi, esi
		js	short loc_98A046
		xor	ebx, ebx
		push	ebx

loc_98A020:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+70j
		mov	edi, [ebp+arg_8]
		lea	eax, [ebp+var_34]
		push	ebx
		push	ebx
		push	3
		push	3FEh
		push	edi
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_8]
		call	_ZwQueryDirectoryFile@44 ; ZwQueryDirectoryFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_989E6D

loc_98A046:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+8Dj
					; IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+1A0j ...
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		lea	eax, [esi+7FFFFFFAh]
		neg	eax
		sbb	eax, eax
		and	eax, esi

loc_98A05A:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+68j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_98A061:				; CODE XREF: IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)+160j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_IopFileUtilWalkDirectoryTreeHelper@28 endp ; AL = character to	display


;  S U B	R O U T	I N E 


; __stdcall PiIommuBlockDevice(x)
_PiIommuBlockDevice@4 proc near		; CODE XREF: PiDmaGuardProcessPostRemove(x,x,x)+27p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+8], 2
		jz	short loc_98A088
		push	dword ptr [esi+4]
		call	off_6B1428	; xKdReleasePciDeviceForDebugging(x)
		test	eax, eax
		js	short loc_98A082
		and	byte ptr [esi+8], 0FDh

loc_98A082:				; CODE XREF: PiIommuBlockDevice(x)+16j
		and	dword ptr [esi+4], 0
		pop	esi
		retn
; 

loc_98A088:				; CODE XREF: PiIommuBlockDevice(x)+9j
		xor	eax, eax
		pop	esi
		retn
_PiIommuBlockDevice@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiIommuFreeExtension(x)
_PiIommuFreeExtension@4	proc near	; CODE XREF: PiDmaGuardProcessNewDeviceNode:loc_874FCAp
					; PiIommuAllocateExtension+6C108p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	al, [esi+8]
		test	al, 2
		jz	short loc_98A0AF
		push	1001h
		movzx	eax, al
		push	eax
		push	esi
		push	11h
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_98A0AF:				; CODE XREF: PiIommuFreeExtension(x)+Bj
		mov	eax, [esi]
		mov	edi, 64706E50h
		test	eax, eax
		jz	short loc_98A0C4
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0

loc_98A0C4:				; CODE XREF: PiIommuFreeExtension(x)+2Cj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_PiIommuFreeExtension@4	endp ; sp = -14h


;  S U B	R O U T	I N E 


; __stdcall PiIommuIsDeviceSafeWhileConsoleLocked(x)
_PiIommuIsDeviceSafeWhileConsoleLocked@4 proc near
					; CODE XREF: PipDmgEnforceEnumerationPolicy(x)+28p
					; PipDmgEnforceEnumerationPolicy(x)+40p
		mov	al, [ecx+8]
		test	al, 9
		jnz	short loc_98A0DC
		test	al, 24h
		jz	short loc_98A0DC
		xor	al, al
		retn
; 

loc_98A0DC:				; CODE XREF: PiIommuIsDeviceSafeWhileConsoleLocked(x)+5j
					; PiIommuIsDeviceSafeWhileConsoleLocked(x)+9j
		mov	al, 1
		retn
_PiIommuIsDeviceSafeWhileConsoleLocked@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiIommuPutInterface(x)
_PiIommuPutInterface@4 proc near	; CODE XREF: PiIommuGetInterface:loc_875031p
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jz	short locret_98A0EB
		push	dword ptr [ecx+4]
		call	eax

locret_98A0EB:				; CODE XREF: PiIommuPutInterface(x)+5j
		retn
_PiIommuPutInterface@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiIommuUnblockDevice(x)
_PiIommuUnblockDevice@4	proc near	; CODE XREF: PipProcessStartPhase1+92D4Ep
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+8], 1
		jz	short loc_98A103
		mov	eax, [esi]
		test	byte ptr [eax+4], 1
		jnz	short loc_98A103
		xor	eax, eax
		pop	esi
		retn
; 

loc_98A103:				; CODE XREF: PiIommuUnblockDevice(x)+9j
					; PiIommuUnblockDevice(x)+11j
		lea	eax, [esi+4]
		push	eax
		push	dword ptr [esi]
		call	off_6B142C	; xHalIommuUnblockDevice(x,x)
		test	eax, eax
		js	short loc_98A117
		or	byte ptr [esi+8], 2

loc_98A117:				; CODE XREF: PiIommuUnblockDevice(x)+25j
		pop	esi
		retn
_PiIommuUnblockDevice@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiAuditDeviceEnableDisableAction(x,	x, x, x)
_PiAuditDeviceEnableDisableAction@16 proc near ; CODE XREF: AlpcpInitializeMessageLog+85759p
					; PipSetDevNodeProblem(x,x,x)+CFp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	edx, 16h
		jz	short loc_98A12D
		cmp	[ebp+arg_0], 16h
		jnz	short loc_98A13D
		push	2
		jmp	short loc_98A135
; 

loc_98A12D:				; CODE XREF: PiAuditDeviceEnableDisableAction(x,x,x,x)+8j
		cmp	[ebp+arg_0], 16h
		jz	short loc_98A13D
		push	4

loc_98A135:				; CODE XREF: PiAuditDeviceEnableDisableAction(x,x,x,x)+12j
		pop	edx
		push	1
		call	_PiAuditDeviceOperation@12 ; PiAuditDeviceOperation(x,x,x)

loc_98A13D:				; CODE XREF: PiAuditDeviceEnableDisableAction(x,x,x,x)+Ej
					; PiAuditDeviceEnableDisableAction(x,x,x,x)+18j
		pop	ebp
		retn	8
_PiAuditDeviceEnableDisableAction@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiAuditDeviceEnableDisableRequest(x, x, x, x)
_PiAuditDeviceEnableDisableRequest@16 proc near
					; CODE XREF: PiPnpRtlSetObjectProperty+A17CEp
					; PiPnpRtlSetDeviceRegProperty(x,x,x,x,x,x,x,x)+14Cp

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	dl, 1
		push	ebx
		setz	bl
		test	[ebp+arg_0], 1
		setnz	al
		test	bl, al
		jz	short loc_98A15D
		xor	edx, edx
		inc	edx
		jmp	short loc_98A16B
; 

loc_98A15D:				; CODE XREF: PiAuditDeviceEnableDisableRequest(x,x,x,x)+15j
		test	dl, 1
		jz	short loc_98A173
		test	[ebp+arg_0], 1
		jnz	short loc_98A173
		push	3
		pop	edx

loc_98A16B:				; CODE XREF: PiAuditDeviceEnableDisableRequest(x,x,x,x)+1Aj
		push	[ebp+arg_4]
		call	_PiAuditDeviceOperation@12 ; PiAuditDeviceOperation(x,x,x)

loc_98A173:				; CODE XREF: PiAuditDeviceEnableDisableRequest(x,x,x,x)+1Fj
					; PiAuditDeviceEnableDisableRequest(x,x,x,x)+25j
		pop	ebx
		pop	ebp
		retn	8
_PiAuditDeviceEnableDisableRequest@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiAuditDeviceInstallPolicyBlock(x, x, x, x)
_PiAuditDeviceInstallPolicyBlock@16 proc near ;	CODE XREF: PiPnpRtlSetObjectProperty+A1811p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, 0E0000248h
		cmp	edx, eax
		jz	short loc_98A18F
		cmp	[ebp+arg_0], eax
		jnz	short loc_98A19F
		push	5
		jmp	short loc_98A196
; 

loc_98A18F:				; CODE XREF: PiAuditDeviceInstallPolicyBlock(x,x,x,x)+Cj
		cmp	[ebp+arg_0], eax
		jz	short loc_98A19F
		push	6

loc_98A196:				; CODE XREF: PiAuditDeviceInstallPolicyBlock(x,x,x,x)+15j
		pop	edx
		push	[ebp+arg_4]
		call	_PiAuditDeviceOperation@12 ; PiAuditDeviceOperation(x,x,x)

loc_98A19F:				; CODE XREF: PiAuditDeviceInstallPolicyBlock(x,x,x,x)+11j
					; PiAuditDeviceInstallPolicyBlock(x,x,x,x)+1Aj
		pop	ebp
		retn	8
_PiAuditDeviceInstallPolicyBlock@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiAuditDeviceOperation(x, x, x)
_PiAuditDeviceOperation@12 proc	near	; CODE XREF: PiAuditDeviceEnableDisableAction(x,x,x,x)+1Fp
					; PiAuditDeviceEnableDisableRequest(x,x,x,x)+2Dp ...

var_B0		= dword	ptr -0B0h
var_A4		= dword	ptr -0A4h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+80h+var_14]
		stosd
		mov	esi, ecx
		xor	ecx, ecx
		mov	[esp+80h+var_54], esi
		mov	[esp+80h+var_68], ecx
		mov	[esp+80h+var_44], ecx
		stosd
		mov	[esp+80h+var_20], ecx
		mov	[esp+80h+var_1C], ecx
		mov	[esp+80h+var_28], ecx
		stosd
		mov	[esp+80h+var_24], ecx
		mov	[esp+80h+var_60], ecx
		mov	[esp+80h+var_38], ecx
		stosd
		mov	[esp+80h+var_34], ecx
		mov	edi, ecx
		mov	[esp+80h+var_70], ecx
		mov	[esp+80h+var_30], ecx
		mov	[esp+80h+var_2C], ecx
		mov	[esp+80h+var_40], ecx
		mov	[esp+80h+var_3C], ecx
		mov	[esp+80h+var_6C], ecx
		mov	[esp+80h+var_4C], ecx
		mov	[esp+80h+var_74], ecx
		push	1
		pop	eax
		sub	edx, ecx
		jz	short loc_98A275
		sub	edx, eax
		jz	short loc_98A26F
		sub	edx, eax
		jz	short loc_98A265
		sub	edx, eax
		jz	short loc_98A25B
		sub	edx, eax
		jz	short loc_98A251
		sub	edx, eax
		jz	short loc_98A247
		sub	edx, eax
		jz	short loc_98A23D
		mov	esi, 0C0000001h
		jmp	loc_98A6EE
; 

loc_98A23D:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+8Ej
		mov	[esp+80h+var_5C], 6
		jmp	short loc_98A279
; 

loc_98A247:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+8Aj
		mov	[esp+80h+var_5C], 5
		jmp	short loc_98A279
; 

loc_98A251:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+86j
		mov	[esp+80h+var_5C], 4
		jmp	short loc_98A279
; 

loc_98A25B:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+82j
		mov	[esp+80h+var_5C], 3
		jmp	short loc_98A279
; 

loc_98A265:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+7Ej
		mov	[esp+80h+var_5C], 2
		jmp	short loc_98A279
; 

loc_98A26F:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+7Aj
		mov	[esp+80h+var_5C], eax
		jmp	short loc_98A279
; 

loc_98A275:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+76j
		mov	[esp+80h+var_5C], ecx

loc_98A279:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+A2j
					; PiAuditDeviceOperation(x,x,x)+ACj ...
		mov	ecx, 200h
		push	20207050h
		push	ecx
		push	eax
		mov	[esp+8Ch+var_64], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+80h+var_58], ebx
		jmp	short loc_98A2BE
; 

loc_98A296:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+11Dj
		mov	esi, 0C000009Ah
		jmp	loc_98A6EE
; 

loc_98A2A0:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+14Dj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	20207050h
		push	[esp+84h+var_64]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+80h+var_58], eax

loc_98A2BE:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+F1j
		test	ebx, ebx
		jz	short loc_98A296
		mov	edx, [esi+4]
		lea	eax, [esp+80h+var_64]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	[esp+88h+var_64]
		lea	eax, [esp+8Ch+var_74]
		push	ebx
		push	eax
		push	(offset	loc_4069E3+5)
		push	ecx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	short loc_98A2A0
		test	eax, eax
		js	short loc_98A306
		cmp	[esp+80h+var_74], 2012h
		jnz	short loc_98A306
		mov	eax, [esp+80h+var_64]
		jmp	short loc_98A31A
; 

loc_98A306:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+151j
					; PiAuditDeviceOperation(x,x,x)+15Bj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx
		xor	eax, eax
		mov	[esp+80h+var_58], ebx
		mov	[esp+80h+var_64], eax

loc_98A31A:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+161j
		mov	word ptr [esp+80h+var_30], ax
		mov	word ptr [esp+80h+var_30+2], ax
		mov	eax, 200h
		push	20207050h
		push	eax
		push	1
		mov	[esp+8Ch+var_2C], ebx
		mov	[esp+8Ch+var_70], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+80h+var_48], esi
		test	esi, esi
		jnz	short loc_98A352

loc_98A348:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+1EAj
		mov	esi, 0C000009Ah
		jmp	loc_98A6D6
; 

loc_98A352:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+1A3j
		mov	edx, [esp+80h+var_54]
		lea	eax, [esp+80h+var_70]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	[esp+88h+var_70]
		mov	edx, [edx+4]
		lea	eax, [esp+8Ch+var_74]
		push	esi
		push	eax
		jmp	short loc_98A3A8
; 

loc_98A36D:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+21Ej
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	20207050h
		push	[esp+98h+var_84]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+94h+var_5C], eax
		test	esi, esi
		jz	short loc_98A348
		xor	ecx, ecx
		lea	eax, [esp+94h+var_84]
		push	ecx
		push	eax
		push	[esp+9Ch+var_84]
		lea	eax, [esp+0A0h+var_88]
		push	esi
		push	eax
		mov	eax, [esp+0A8h+var_68]
		mov	edx, [eax+4]

loc_98A3A8:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+1C8j
		push	offset _DEVPKEY_Device_CompatibleIds
		push	ecx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	short loc_98A36D
		test	eax, eax
		js	short loc_98A3D7
		cmp	[esp+94h+var_88], 2012h
		jnz	short loc_98A3D7
		mov	eax, [esp+94h+var_84]
		jmp	short loc_98A3EB
; 

loc_98A3D7:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+222j
					; PiAuditDeviceOperation(x,x,x)+22Cj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		xor	eax, eax
		mov	[esp+94h+var_5C], esi
		mov	[esp+94h+var_84], eax

loc_98A3EB:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+232j
		push	40h
		mov	word ptr [esp+98h+var_4C], ax
		mov	word ptr [esp+98h+var_4C+2], ax
		pop	eax
		push	20207050h
		push	eax
		push	1
		mov	[esp+0A0h+var_48], esi
		mov	[esp+0A0h+var_80], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+94h+var_64], edi
		test	edi, edi
		jnz	short loc_98A421

loc_98A417:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+2A4j
		mov	esi, 0C000009Ah
		jmp	loc_98A6C6
; 

loc_98A421:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+272j
		mov	esi, [esp+94h+var_68]
		jmp	short loc_98A449
; 

loc_98A427:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+2D4j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	20207050h
		push	[esp+98h+var_80]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+94h+var_64], eax
		test	edi, edi
		jz	short loc_98A417

loc_98A449:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+282j
		mov	edx, [esi+4]
		lea	eax, [esp+94h+var_80]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	[esp+9Ch+var_80]
		lea	eax, [esp+0A0h+var_88]
		push	edi
		push	eax
		push	offset _DEVPKEY_Device_LocationInfo
		push	ecx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	short loc_98A427
		test	eax, eax
		js	short loc_98A48A
		cmp	[esp+94h+var_88], 12h
		jnz	short loc_98A48A
		mov	eax, [esp+94h+var_80]
		jmp	short loc_98A49E
; 

loc_98A48A:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+2D8j
					; PiAuditDeviceOperation(x,x,x)+2DFj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		xor	eax, eax
		mov	[esp+94h+var_64], edi
		mov	[esp+94h+var_80], eax

loc_98A49E:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+2E5j
		mov	edx, [esi+4]
		mov	ecx, _PiPnpRtlCtx
		push	10h
		pop	ebx
		push	0
		mov	word ptr [esp+98h+var_54], ax
		mov	word ptr [esp+98h+var_54+2], ax
		lea	eax, [esp+98h+var_60]
		push	eax
		push	ebx
		lea	eax, [esp+0A0h+var_28]
		mov	[esp+0A0h+var_50], edi
		push	eax
		lea	eax, [esp+0A4h+var_88]
		mov	[esp+0A4h+var_60], ebx
		push	eax
		push	offset _DEVPKEY_Device_ClassGuid
		push	0
		push	0
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_98A4EF
		cmp	[esp+94h+var_88], 0Dh
		jnz	short loc_98A4EF
		cmp	[esp+94h+var_60], ebx
		jz	short loc_98A4FD

loc_98A4EF:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+33Dj
					; PiAuditDeviceOperation(x,x,x)+344j
		xor	eax, eax
		lea	edi, [esp+94h+var_28]
		stosd
		stosd
		stosd
		stosd
		mov	edi, [esp+94h+var_64]

loc_98A4FD:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+34Aj
		push	20h
		pop	eax
		push	20207050h
		mov	[esp+98h+var_74], eax
		push	eax
		jmp	short loc_98A527
; 

loc_98A50C:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+38Fj
		mov	esi, 0C000009Ah
		jmp	loc_98A6C2
; 

loc_98A516:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+3BFj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	20207050h
		push	[esp+0A0h+var_7C]

loc_98A527:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+367j
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_98A50C
		mov	edx, [esi+4]
		lea	eax, [esp+9Ch+var_7C]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	[esp+0A4h+var_7C]
		lea	eax, [esp+0A8h+var_90]
		push	ebx
		push	eax
		push	offset _DEVPKEY_Device_Class
		push	ecx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	short loc_98A516
		test	eax, eax
		js	short loc_98A56F
		cmp	[esp+9Ch+var_90], 12h
		jz	short loc_98A57D

loc_98A56F:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+3C3j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx
		and	[esp+9Ch+var_7C], ebx

loc_98A57D:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+3CAj
		push	ebx
		lea	eax, [esp+0A0h+var_44]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	20h
		pop	eax
		push	20207050h
		push	eax
		push	1
		mov	[esp+0A8h+var_84], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_98A5AC

loc_98A5A2:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+444j
		mov	esi, 0C000009Ah
		jmp	loc_98A6B2
; 

loc_98A5AC:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+3FDj
		mov	edx, [esi+4]
		lea	eax, [esp+9Ch+var_84]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	[esp+0A4h+var_84]
		lea	eax, [esp+0A8h+var_90]
		push	edi
		push	eax
		push	offset _DEVPKEY_NAME
		push	ecx
		push	ecx
		jmp	short loc_98A607
; 

loc_98A5CA:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+479j
		xor	esi, esi
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	20207050h
		push	[esp+0C0h+var_A4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_98A5A2
		push	esi
		lea	eax, [esp+0C0h+var_A4]
		push	eax
		push	[esp+0C4h+var_A4]
		lea	eax, [esp+0C8h+var_B0]
		push	edi
		push	eax
		mov	eax, [esp+0D0h+var_90]
		push	offset _DEVPKEY_NAME
		push	esi
		push	esi
		mov	edx, [eax+4]

loc_98A607:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+425j
		mov	ecx, _PiPnpRtlCtx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_98A5CA
		test	esi, esi
		js	short loc_98A65D
		cmp	[esp+0BCh+var_B0], 19h
		jnz	short loc_98A652
		mov	edx, [esp+0BCh+var_A4]
		lea	eax, [esp+0BCh+var_54]
		push	eax
		lea	eax, [esp+0C0h+var_80]
		mov	ecx, edi
		push	eax
		call	PnpFindAlternateStringData
		test	eax, eax
		mov	eax, [esp+0BCh+var_80]
		jnz	short loc_98A648
		mov	eax, edi

loc_98A648:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+4A1j
		mov	[esp+0BCh+var_B0], 12h
		jmp	short loc_98A66E
; 

loc_98A652:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+484j
		cmp	[esp+0BCh+var_B0], 12h
		jnz	short loc_98A65D
		mov	eax, edi
		jmp	short loc_98A66E
; 

loc_98A65D:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+47Dj
					; PiAuditDeviceOperation(x,x,x)+4B4j
		xor	esi, esi
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[esp+0BCh+var_A4], esi
		xor	edi, edi
		xor	eax, eax

loc_98A66E:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+4ADj
					; PiAuditDeviceOperation(x,x,x)+4B8j
		push	eax
		lea	eax, [esp+0C0h+var_5C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+arg_0]
		mov	ecx, [esp+0C0h+var_90]
		lea	eax, [esp+0C0h+var_64]
		push	[esp+0C0h+var_98]
		lea	edx, [esp+0C4h+var_5C]
		push	eax
		lea	eax, [esp+0C8h+var_50]
		push	eax
		lea	eax, [esp+0CCh+var_7C]
		push	eax
		lea	eax, [esp+0D0h+var_74]
		push	eax
		lea	eax, [esp+0D4h+var_6C]
		push	eax
		call	_SeAuditPlugAndPlay@36 ; SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)
		test	edi, edi
		jz	short loc_98A6B2
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98A6B2:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+404j
					; PiAuditDeviceOperation(x,x,x)+505j
		test	ebx, ebx
		jz	short loc_98A6BE
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98A6BE:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+511j
		mov	edi, [esp+0BCh+var_8C]

loc_98A6C2:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+36Ej
		mov	ebx, [esp+0BCh+var_94]

loc_98A6C6:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+279j
		mov	eax, [esp+0BCh+var_84]
		test	eax, eax
		jz	short loc_98A6D6
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98A6D6:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+1AAj
					; PiAuditDeviceOperation(x,x,x)+529j
		test	ebx, ebx
		jz	short loc_98A6E2
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98A6E2:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+535j
		test	edi, edi
		jz	short loc_98A6EE
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98A6EE:				; CODE XREF: PiAuditDeviceOperation(x,x,x)+95j
					; PiAuditDeviceOperation(x,x,x)+F8j ...
		mov	ecx, [esp+0BCh+var_40]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_PiAuditDeviceOperation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiAuditDeviceStart(x)
_PiAuditDeviceStart@4 proc near		; CODE XREF: PipProcessStartPhase3+6DF65p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		mov	esi, ecx
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		xor	edi, edi
		push	ecx
		push	eax
		mov	edx, [esi+4]
		lea	eax, [ebp-1]
		inc	edi
		mov	[ebp+var_8], ecx
		push	edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_1], cl
		push	eax
		push	offset _DEVPKEY_Device_InLocalMachineContainer
		push	ecx
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	edi
		mov	[ebp+var_C], edi
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_98A761
		cmp	[ebp+var_8], 11h
		jnz	short loc_98A761
		cmp	[ebp+var_C], edi
		jnz	short loc_98A761
		cmp	[ebp+var_1], 0FFh
		jz	short loc_98A761
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	_PiAuditDeviceOperation@12 ; PiAuditDeviceOperation(x,x,x)

loc_98A761:				; CODE XREF: PiAuditDeviceStart(x)+40j
					; PiAuditDeviceStart(x)+46j ...
		pop	edi
		pop	esi
		leave
		retn
_PiAuditDeviceStart@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipSendGuestAssignedNotification(x,	x)
_PipSendGuestAssignedNotification@8 proc near ;	CODE XREF: PiUpdateGuestAssignedState+A13EFp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_28]
		push	0Ah
		pop	ecx
		xor	eax, eax
		mov	bl, dl
		push	dword ptr [esi+10h]
		rep stosd
		call	_IoGetAttachedDevice@4 ; IoGetAttachedDevice(x)
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], 6
		mov	[ebp+var_20], bl
		call	_PpIrpAllocateDeviceUsageNotification@4	; PpIrpAllocateDeviceUsageNotification(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_98A7A8
		mov	eax, 0C0000017h
		jmp	short loc_98A7D1
; 

loc_98A7A8:				; CODE XREF: PipSendGuestAssignedNotification(x,x)+3Aj
		push	esi
		call	_IoQueueThreadIrp@4 ; IoQueueThreadIrp(x)
		mov	ecx, [ebp+var_28]
		mov	edx, esi
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_98A7D1
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_18]

loc_98A7D1:				; CODE XREF: PipSendGuestAssignedNotification(x,x)+41j
					; PipSendGuestAssignedNotification(x,x)+58j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PipSendGuestAssignedNotification@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipSetGuestAssignedProperty(x, x)
_PipSetGuestAssignedProperty@8 proc near ; CODE	XREF: PiUpdateGuestAssignedState+A13E0p

var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+18h]
		push	esi
		xor	esi, esi
		test	dl, dl
		push	esi
		mov	edx, eax
		jz	short loc_98A80D
		push	1
		lea	ecx, [ebp-1]
		mov	[ebp+var_1], 0FFh
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	11h
		push	offset _DEVPKEY_Device_AssignedToGuest
		push	esi
		push	esi
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_98A824
; 

loc_98A80D:				; CODE XREF: PipSetGuestAssignedProperty(x,x)+11j
		mov	ecx, _PiPnpRtlCtx
		push	esi
		push	esi
		push	esi
		push	offset _DEVPKEY_Device_AssignedToGuest
		push	esi
		push	esi
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_98A824:				; CODE XREF: PipSetGuestAssignedProperty(x,x)+35j
		mov	eax, esi
		pop	esi
		leave
		retn
_PipSetGuestAssignedProperty@8 endp


;  S U B	R O U T	I N E 


; __stdcall IoDiagTraceDirectedDripsCandidateDevices()
_IoDiagTraceDirectedDripsCandidateDevices@0 proc near
					; CODE XREF: PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)+2Ep
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, _IopRootDeviceNode
		push	edi
		jmp	short loc_98A838
; 

loc_98A836:				; CODE XREF: IoDiagTraceDirectedDripsCandidateDevices()+14j
		mov	esi, eax

loc_98A838:				; CODE XREF: IoDiagTraceDirectedDripsCandidateDevices()+Bj
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_98A836
		jmp	short loc_98A877
; 

loc_98A841:				; CODE XREF: IoDiagTraceDirectedDripsCandidateDevices()+54j
		xor	edi, edi
		lea	edx, [esi+0A8h]
		mov	eax, [edx]

loc_98A84B:				; CODE XREF: IoDiagTraceDirectedDripsCandidateDevices()+2Aj
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_98A84B
		test	eax, 100h
		jz	short loc_98A863
		mov	ecx, esi
		call	_PoDiagTraceDirectedDripsCandidateDevice@4 ; PoDiagTraceDirectedDripsCandidateDevice(x)

loc_98A863:				; CODE XREF: IoDiagTraceDirectedDripsCandidateDevices()+31j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_98A874

loc_98A869:				; CODE XREF: IoDiagTraceDirectedDripsCandidateDevices()+47j
		mov	esi, eax
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_98A869
		jmp	short loc_98A877
; 

loc_98A874:				; CODE XREF: IoDiagTraceDirectedDripsCandidateDevices()+3Ej
		mov	esi, [esi+8]

loc_98A877:				; CODE XREF: IoDiagTraceDirectedDripsCandidateDevices()+16j
					; IoDiagTraceDirectedDripsCandidateDevices()+49j
		cmp	esi, _IopRootDeviceNode
		jnz	short loc_98A841
		pop	edi
		pop	esi
		pop	ecx
		retn
_IoDiagTraceDirectedDripsCandidateDevices@0 endp


;  S U B	R O U T	I N E 


; __stdcall IopWarmEjectDevice(x, x)
_IopWarmEjectDevice@8 proc near		; CODE XREF: PnpProcessCompletedEject(x)+23p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	esi, edx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _IopWarmEjectLock
		mov	edi, ecx
		call	KeWaitForSingleObject
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeLockTree
		xor	ecx, ecx
		mov	_IopWarmEjectPdo, edi
		inc	ecx
		call	PpDevNodeUnlockTree
		push	ebx
		push	3
		push	esi
		push	7
		call	NtInitiatePowerAction
		mov	esi, eax
		cmp	esi, 0C0000061h
		jnz	short loc_98A8D4
		push	ebx
		push	0Ch
		push	edi
		push	ecx
		push	7
		pop	ecx
		call	_PnpSetPowerVetoEvent@24 ; PnpSetPowerVetoEvent(x,x,x,x,x,x)

loc_98A8D4:				; CODE XREF: IopWarmEjectDevice(x,x)+42j
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeLockTree
		cmp	_IopWarmEjectPdo, ebx
		jz	short loc_98A8F3
		test	esi, esi
		js	short loc_98A8ED
		mov	esi, 0C0000001h

loc_98A8ED:				; CODE XREF: IopWarmEjectDevice(x,x)+63j
		mov	_IopWarmEjectPdo, ebx

loc_98A8F3:				; CODE XREF: IopWarmEjectDevice(x,x)+5Fj
		xor	ecx, ecx
		inc	ecx
		call	PpDevNodeUnlockTree
		push	ebx
		push	ebx
		push	offset _IopWarmEjectLock
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_IopWarmEjectDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiCreateDriverSwDeviceCallback(x, x, x, x)
_PiCreateDriverSwDeviceCallback@16 proc	near ; DATA XREF: PiCreateDriverSwDevices+6DF0Co

var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 184h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+184h+var_4], eax
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		push	ebx
		mov	[esp+188h+var_180], eax
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	[esp+190h+var_108], eax
		lea	edi, [esp+190h+var_E0]
		mov	[esp+190h+var_170], eax
		mov	[esp+190h+var_164], eax
		mov	[esp+190h+var_160], eax
		mov	[esp+190h+var_15C], eax
		mov	[esp+190h+var_158], eax
		mov	[esp+190h+var_148], eax
		mov	[esp+190h+var_144], eax
		stosd
		mov	[esp+190h+var_138], ecx
		mov	[esp+190h+var_168], esi
		mov	[esp+190h+var_F8], 1
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[esp+190h+var_134], edi
		mov	ebx, edi
		mov	[esp+190h+var_118], edi
		mov	[esp+190h+var_114], edi
		mov	[esp+190h+var_110], edi
		mov	[esp+190h+var_10C], edi
		mov	[esp+190h+var_140], edi
		mov	[esp+190h+var_13C], edi
		mov	[esp+190h+var_128], edi
		mov	[esp+190h+var_124], edi
		mov	[esp+190h+var_F4], ebx
		mov	[esp+190h+var_154], ebx
		mov	[esp+190h+var_178], edi
		mov	[esp+190h+var_184], edi
		mov	[esp+190h+var_104], edi
		mov	[esp+190h+var_12C], edi
		mov	[esp+190h+var_FC], edi
		mov	[esp+190h+var_100], edi
		mov	[esp+190h+var_120], edi
		mov	[esp+190h+var_11C], edi
		mov	[esp+190h+var_130], edi
		mov	[esp+190h+var_174], edi
		mov	[esp+190h+var_14C], edi
		mov	[esp+190h+var_150], edi
		mov	[esp+190h+var_17C], edi
		test	ecx, ecx
		jnz	short loc_98A9FD
		mov	ecx, edi
		jmp	short loc_98AA00
; 

loc_98A9FD:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+EAj
		mov	ecx, [ecx+74h]

loc_98AA00:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+EEj
		lea	eax, [esp+190h+var_170]
		push	eax
		push	20019h
		push	edi
		push	esi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98B0A8
		push	0C4h		; size_t
		lea	eax, [esp+194h+var_D0]
		push	edi		; int
		push	eax		; void *
		call	_memset
		lea	eax, [esp+19Ch+var_164]
		mov	[esp+19Ch+var_C8], offset ??_C@_1BI@ELGHKGG@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AAI?$AAd?$AAs@NNGAKEGL@
		mov	[esp+19Ch+var_C4], eax
		add	esp, 0Ch
		lea	eax, [esp+190h+var_15C]
		mov	[esp+190h+var_AC], offset ??_C@_1BM@BIEIEELI@?$AAC?$AAo?$AAm?$AAp?$AAa?$AAt?$AAi?$AAb?$AAl?$AAe?$AAI?$AAd?$AAs@NNGAKEGL@
		mov	[esp+190h+var_A8], eax
		mov	ecx, 7000000h
		lea	eax, [esp+190h+var_148]
		mov	[esp+190h+var_C0], ecx
		mov	[esp+190h+var_8C], eax
		mov	edx, 130h
		lea	eax, [esp+190h+var_134]
		mov	[esp+190h+var_A4], ecx
		mov	[esp+190h+var_70], eax
		mov	ecx, 1000000h
		lea	eax, [esp+190h+var_118]
		mov	[esp+190h+var_CC], edx
		push	1
		mov	[esp+194h+var_54], eax
		lea	eax, [esp+194h+var_110]
		push	ecx
		mov	[esp+198h+var_B0], edx
		add	edx, 0FFFFFFF0h
		mov	[esp+198h+var_38], eax
		lea	eax, [esp+198h+var_D0]
		push	edi
		mov	[esp+19Ch+var_94], edx
		mov	[esp+19Ch+var_88], ecx
		mov	[esp+19Ch+var_78], edx
		mov	[esp+19Ch+var_5C], edx
		mov	[esp+19Ch+var_50], ecx
		mov	[esp+19Ch+var_40], edx
		mov	edx, [esp+19Ch+var_170]
		mov	[esp+19Ch+var_34], ecx
		mov	ecx, 0C0000000h
		push	eax
		mov	[esp+1A0h+var_90], offset ??_C@_1BI@HJOCIGHC@?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAI?$AAd@NNGAKEGL@ ; "ContainerId"
		mov	[esp+1A0h+var_74], offset ??_C@_1BK@JKLHPNBO@?$AAC?$AAa?$AAp?$AAa?$AAb?$AAi?$AAl?$AAi?$AAt?$AAi?$AAe?$AAs@NNGAKEGL@ ; "Capabilities"
		mov	[esp+1A0h+var_6C], 4000000h
		mov	[esp+1A0h+var_58], offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		mov	[esp+1A0h+var_3C], offset ??_C@_1BK@MGFHJELK@?$AAL?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAI?$AAn?$AAf?$AAo@NNGAKEGL@
		call	RtlpQueryRegistryValues
		mov	esi, eax
		test	esi, esi
		js	loc_98B0A8
		push	2
		pop	edi
		cmp	[esp+190h+var_160], ebx
		jz	short loc_98AB60
		cmp	word ptr [esp+190h+var_164], di
		ja	short loc_98AB60
		lea	eax, [esp+190h+var_164]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_98AB60:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+240j
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+247j
		cmp	[esp+190h+var_158], ebx
		jz	short loc_98AB77
		cmp	word ptr [esp+190h+var_15C], di
		ja	short loc_98AB77
		lea	eax, [esp+190h+var_15C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_98AB77:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+257j
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+25Ej
		mov	eax, [esp+190h+var_144]
		test	eax, eax
		jz	short loc_98ABAE
		cmp	word ptr [esp+190h+var_148], di
		jnb	short loc_98AB94
		lea	eax, [esp+190h+var_148]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [esp+190h+var_144]

loc_98AB94:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+277j
		test	eax, eax
		jz	short loc_98ABAE
		lea	eax, [esp+190h+var_E0]
		push	eax
		lea	eax, [esp+194h+var_148]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		jns	short loc_98ABBE

loc_98ABAE:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+270j
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+289j
		xor	eax, eax
		lea	edi, [esp+190h+var_E0]
		stosd
		push	2
		stosd
		stosd
		stosd
		pop	edi

loc_98ABBE:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+29Fj
		cmp	[esp+190h+var_114], ebx
		jz	short loc_98ABD5
		cmp	word ptr [esp+190h+var_118], di
		jnb	short loc_98ABD5
		lea	eax, [esp+190h+var_118]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_98ABD5:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+2B5j
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+2BCj
		cmp	[esp+190h+var_10C], ebx
		jz	short loc_98ABF5
		cmp	word ptr [esp+190h+var_110], di
		jnb	short loc_98ABF5
		lea	eax, [esp+190h+var_110]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_98ABF5:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+2CFj
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+2D9j
		cmp	[esp+190h+var_160], ebx
		jnz	short loc_98AC0B
		cmp	[esp+190h+var_158], ebx
		jnz	short loc_98AC0B
		mov	esi, 0C00000BBh
		jmp	loc_98B0A8
; 

loc_98AC0B:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+2ECj
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+2F2j
		mov	edx, [esp+190h+var_180]
		mov	eax, [esp+190h+var_160]
		mov	[esp+190h+var_E8], eax
		mov	eax, [esp+190h+var_158]
		mov	[esp+190h+var_F0], edi
		mov	edi, [edx]
		mov	[esp+190h+var_E4], eax
		mov	[esp+190h+var_EC], 3
		jmp	loc_98AEB3
; 

loc_98AC3E:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+5B0j
		mov	eax, [edi+10h]
		mov	eax, [eax+8]
		cmp	eax, _PiSwDeviceDriverObject
		jnz	loc_98AEB0
		push	offset _PiSwBusName
		lea	eax, [esp+194h+var_128]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	eax, [edi+14h]
		push	eax
		lea	eax, [esp+198h+var_128]
		push	eax
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_98AEB0
		movzx	ecx, word ptr [esp+190h+var_128]
		mov	eax, [edi+18h]
		shr	ecx, 1
		lea	eax, [eax+ecx*2]
		push	eax
		lea	eax, [esp+194h+var_140]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset aDriverenum ; "DRIVERENUM"
		lea	eax, [esp+194h+var_128]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	eax, [esp+194h+var_140]
		push	eax
		lea	eax, [esp+198h+var_128]
		push	eax
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_98AEB0
		movzx	ecx, word ptr [esp+190h+var_128]
		mov	eax, [esp+190h+var_13C]
		shr	ecx, 1
		cmp	word ptr [eax+ecx*2], 5Ch
		jnz	loc_98AEB0
		test	ebx, ebx
		jnz	loc_98AD6F
		mov	edx, [esp+190h+var_158]
		lea	eax, [esp+190h+var_154]
		mov	ecx, [esp+190h+var_160]
		push	eax
		call	_PnpGenerateDeviceIdsHash@12 ; PnpGenerateDeviceIdsHash(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98B0A4
		test	byte ptr [esp+190h+var_134], 8
		jnz	short loc_98AD2F
		push	offset _PiSwGenericRawCompatibleId
		lea	eax, [esp+194h+var_140]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+190h+var_178]
		push	eax
		xor	eax, eax
		push	eax
		push	1
		lea	eax, [esp+19Ch+var_140]
		push	eax
		call	RtlHashUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_98B0A4
		mov	ebx, [esp+190h+var_154]
		add	ebx, [esp+190h+var_178]
		jmp	short loc_98AD33
; 

loc_98AD2F:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+3E9j
		mov	ebx, [esp+190h+var_154]

loc_98AD33:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+420j
		push	offset _PiSwGenericCompatibleId
		lea	eax, [esp+194h+var_140]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+190h+var_178]
		push	eax
		xor	eax, eax
		push	eax
		push	1
		lea	eax, [esp+19Ch+var_140]
		push	eax
		call	RtlHashUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_98B0A4
		add	ebx, [esp+190h+var_178]
		mov	[esp+190h+var_F4], ebx
		mov	[esp+190h+var_154], ebx

loc_98AD6F:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+3C2j
		cmp	[edi+1BCh], ebx
		jnz	loc_98AEB0
		mov	ecx, [esp+190h+var_184]
		test	ecx, ecx
		jnz	short loc_98ADAC
		mov	eax, 800h
		push	20207050h
		push	eax
		push	1
		mov	[esp+19Ch+var_104], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+190h+var_184], ebx
		test	ebx, ebx
		jz	loc_98AEC5
		mov	ecx, eax

loc_98ADAC:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+474j
		xor	edx, edx
		mov	ebx, edx

loc_98ADB0:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+591j
		mov	eax, [esp+190h+var_104]
		push	edx
		mov	[esp+194h+var_17C], eax
		lea	eax, [esp+194h+var_17C]
		push	eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+19Ch+var_F8]
		push	eax
		push	[esp+ebx*4+1A0h+var_F0]
		push	edx
		mov	edx, [edi+18h]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_98ADF7
		cmp	[esp+190h+var_F8], 7
		jnz	short loc_98ADF7
		cmp	[esp+190h+var_17C], 2
		jnb	short loc_98AE04

loc_98ADF7:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+4D7j
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+4E1j
		mov	eax, [esp+190h+var_184]
		xor	ecx, ecx
		mov	esi, ecx
		mov	[eax], cx
		jmp	short loc_98AE0A
; 

loc_98AE04:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+4E8j
		mov	eax, [esp+190h+var_184]
		xor	ecx, ecx

loc_98AE0A:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+4F5j
		cmp	ebx, 1
		jnz	short loc_98AE6D
		mov	edi, eax
		cmp	[eax], cx
		jz	short loc_98AE69

loc_98AE16:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+54Fj
		push	offset _PiSwGenericRawCompatibleId ; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_98AE64
		push	offset _PiSwGenericCompatibleId	; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_98AE64
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_98AE3D:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+53Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+190h+var_108]
		jnz	short loc_98AE3D
		sub	ecx, edx
		xor	edx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], dx
		jnz	short loc_98AE16
		mov	edi, [esp+190h+var_16C]
		jmp	short loc_98AE6F
; 

loc_98AE64:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+518j
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+529j
		xor	eax, eax
		mov	[edi], ax

loc_98AE69:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+507j
		mov	edi, [esp+190h+var_16C]

loc_98AE6D:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+500j
		xor	edx, edx

loc_98AE6F:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+555j
		mov	ecx, [esp+ebx*4+190h+var_E8]
		test	ecx, ecx
		jz	short loc_98AE91
		mov	edx, [esp+190h+var_184]
		push	1
		call	_PnpCompareMultiSz@12 ;	PnpCompareMultiSz(x,x,x)
		test	al, al
		jz	short loc_98AEA4
		mov	ecx, [esp+190h+var_184]
		xor	edx, edx
		jmp	short loc_98AE9A
; 

loc_98AE91:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+56Bj
		mov	ecx, [esp+190h+var_184]
		cmp	[ecx], dx
		jnz	short loc_98AEA4

loc_98AE9A:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+582j
		inc	ebx
		cmp	ebx, 2
		jb	loc_98ADB0

loc_98AEA4:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+57Aj
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+58Bj
		cmp	ebx, 2
		jnb	short loc_98AECF
		mov	ebx, [esp+190h+var_F4]

loc_98AEB0:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+33Dj
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+364j	...
		mov	edi, [edi+8]

loc_98AEB3:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+32Cj
		mov	[esp+190h+var_16C], edi
		cmp	edi, _IopRootDeviceNode
		jnz	loc_98AC3E
		jmp	short loc_98AED4
; 

loc_98AEC5:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+497j
		mov	esi, 0C000009Ah
		jmp	loc_98B0A8
; 

loc_98AECF:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+59Aj
		mov	esi, 0C0000704h

loc_98AED4:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+5B6j
		test	esi, esi
		js	loc_98B0A4
		mov	ecx, [esp+190h+var_170]
		lea	eax, [esp+190h+var_12C]
		push	eax
		xor	ebx, ebx
		mov	edx, offset ??_C@_1BC@FCJNIDNL@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy@NNGAKEGL@
		push	ebx
		call	IopGetRegistryValue
		mov	esi, eax
		test	esi, esi
		jns	short loc_98AF05
		cmp	esi, 0C0000034h
		jz	short loc_98AF32
		jmp	loc_98B0A4
; 

loc_98AF05:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+5E9j
		mov	eax, [esp+190h+var_12C]
		cmp	dword ptr [eax+4], 3
		jnz	loc_98B303
		mov	ecx, [eax+0Ch]
		mov	[esp+190h+var_100], ecx
		cmp	ecx, 14h
		jb	loc_98B303
		mov	ecx, [eax+8]
		add	ecx, eax
		mov	[esp+190h+var_FC], ecx

loc_98AF32:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+5F1j
		mov	edi, [esp+190h+var_180]
		mov	ecx, [edi]
		cmp	ecx, _IopRootDeviceNode
		jz	loc_98AFE7
		mov	ecx, [ecx+10h]
		lea	eax, [esp+190h+var_130]
		push	eax
		xor	edx, edx
		call	PipMakeGloballyUniqueId
		mov	esi, eax
		test	esi, esi
		js	loc_98AFDE
		mov	edi, [esp+190h+var_168]
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_98AF66:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+662j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_98AF66
		mov	ebx, [esp+190h+var_130]
		sub	ecx, edx
		mov	edx, ebx
		sar	ecx, 1
		lea	esi, [edx+2]

loc_98AF7E:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+67Fj
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [esp+190h+var_108]
		jnz	short loc_98AF7E
		sub	edx, esi
		sar	edx, 1
		lea	eax, [ecx+edx]
		lea	eax, ds:4[eax*2]
		mov	word ptr [esp+190h+var_120+2], ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[esp+190h+var_11C], eax
		test	eax, eax
		jnz	short loc_98AFBC

loc_98AFB2:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+6EBj
		mov	esi, 0C000009Ah
		jmp	loc_98B0A4
; 

loc_98AFBC:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+6A3j
		push	ebx
		push	edi		; char
		lea	eax, [esp+198h+var_120]
		push	offset ??_C@_1BA@DOCMHFOO@?$AA?$CF?$AAw?$AAs?$AA?$CG?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	loc_98B0A4
		xor	ebx, ebx
		jmp	short loc_98AFFA
; 

loc_98AFDE:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+64Aj
		mov	ebx, [esp+190h+var_184]
		jmp	loc_98B0AC
; 

loc_98AFE7:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+631j
		mov	edi, [esp+190h+var_168]
		lea	eax, [esp+190h+var_120]
		push	edi		; void *
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	short loc_98AFB2

loc_98AFFA:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+6CFj
		mov	edx, [esp+190h+var_170]
		lea	eax, [esp+190h+var_17C]
		push	ecx
		mov	ecx, [esp+194h+var_138]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		call	__PnpGetGenericStorePropertyKeys@32 ; _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_98B14D
		mov	ebx, [esp+190h+var_174]
		mov	edi, ebx

loc_98B025:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+770j
		mov	eax, [esp+190h+var_17C]
		cmp	eax, ebx
		jbe	short loc_98B08E
		xor	esi, esi
		test	edi, edi
		jz	short loc_98B03E
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+190h+var_17C]

loc_98B03E:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+724j
		mov	ebx, eax
		mov	[esp+190h+var_174], eax
		imul	eax, ebx, 14h
		push	20207050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+190h+var_14C], edi
		test	edi, edi
		jz	short loc_98B084
		mov	edx, [esp+190h+var_170]
		lea	eax, [esp+190h+var_17C]
		push	ecx
		mov	ecx, [esp+194h+var_138]
		push	eax
		push	ebx
		push	edi
		push	esi
		push	esi
		call	__PnpGetGenericStorePropertyKeys@32 ; _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_98B025
		jmp	loc_98B151
; 

loc_98B084:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+74Fj
		mov	esi, 0C000009Ah
		jmp	loc_98B159
; 

loc_98B08E:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+71Ej
		mov	esi, 0C00000E5h

loc_98B093:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+84Ej
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+87Bj	...
		xor	ebx, ebx

loc_98B095:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+9F1j
		mov	eax, [esp+190h+var_14C]
		test	eax, eax
		jz	short loc_98B0A4
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98B0A4:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+3DEj
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+412j	...
		mov	ebx, [esp+190h+var_184]

loc_98B0A8:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+108j
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+233j	...
		mov	edi, [esp+190h+var_180]

loc_98B0AC:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+6D5j
		lea	eax, [esp+190h+var_120]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [esp+190h+var_130]
		test	eax, eax
		jz	short loc_98B0C7
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98B0C7:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+7AFj
		lea	eax, [esp+190h+var_164]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esp+190h+var_15C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esp+190h+var_148]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esp+190h+var_118]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esp+190h+var_110]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [esp+190h+var_12C]
		test	eax, eax
		jz	short loc_98B10D
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98B10D:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+7F5j
		test	ebx, ebx
		jz	short loc_98B11A
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98B11A:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+802j
		cmp	[esp+190h+var_170], 0
		jz	short loc_98B12A
		push	[esp+190h+var_170]
		call	_ZwClose@4	; ZwClose(x)

loc_98B12A:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+812j
		xor	eax, eax
		cmp	[edi+4], eax
		jl	short loc_98B134
		mov	[edi+4], esi

loc_98B134:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+822j
		mov	ecx, [esp+190h+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_98B14D:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+70Cj
		mov	edi, [esp+190h+var_14C]

loc_98B151:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+772j
		mov	ebx, [esp+190h+var_17C]
		mov	[esp+190h+var_174], ebx

loc_98B159:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+77Cj
		test	esi, esi
		js	loc_98B093
		test	ebx, ebx
		jz	loc_98B25A
		imul	esi, ebx, 28h
		push	20207050h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+190h+var_150], ebx
		test	ebx, ebx
		jnz	short loc_98B18D
		mov	esi, 0C000009Ah
		jmp	loc_98B093
; 

loc_98B18D:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+874j
		push	esi		; size_t
		xor	esi, esi
		push	esi		; int
		push	ebx		; void *
		call	_memset
		mov	edx, edi
		mov	[esp+19Ch+var_168], esi
		add	esp, 0Ch
		mov	[esp+190h+var_16C], edx
		add	ebx, 20h

loc_98B1A7:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+943j
		mov	eax, [ebx+4]
		lea	edi, [ebx-20h]
		push	5
		pop	ecx
		mov	esi, edx
		rep movsd
		xor	edi, edi
		mov	[ebx-0Ch], edi

loc_98B1B9:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+911j
		push	ecx
		lea	ecx, [esp+194h+var_17C]
		push	ecx
		push	dword ptr [ebx]
		mov	ecx, [esp+19Ch+var_138]
		push	eax
		lea	eax, [ebx-4]
		push	eax
		push	edx
		mov	edx, [esp+1A8h+var_170]
		push	edi
		call	__PnpGetGenericStoreProperty@36	; _PnpGetGenericStoreProperty(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [esp+190h+var_17C]
		mov	[esp+190h+var_178], esi
		cmp	esi, 0C0000023h
		jnz	short loc_98B22B
		cmp	eax, [ebx]
		jbe	loc_98B2B6
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jz	short loc_98B201
		push	edi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+190h+var_17C]

loc_98B201:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+8E7j
		push	20207050h
		mov	[ebx], eax
		push	[esp+194h+var_17C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+4], eax
		test	eax, eax
		jz	short loc_98B220
		mov	edx, [esp+190h+var_16C]
		jmp	short loc_98B1B9
; 

loc_98B220:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+90Bj
		mov	esi, 0C000009Ah
		mov	[esp+190h+var_178], esi
		jmp	short loc_98B22D
; 

loc_98B22B:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+8D8j
		mov	[ebx], eax

loc_98B22D:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+91Cj
		test	esi, esi
		js	loc_98B2BF
		mov	eax, [esp+190h+var_168]
		add	ebx, 28h
		mov	edx, [esp+190h+var_16C]
		inc	eax
		add	edx, 14h
		mov	[esp+190h+var_168], eax
		mov	[esp+190h+var_16C], edx
		cmp	eax, [esp+190h+var_174]
		jb	loc_98B1A7
		mov	ebx, [esp+190h+var_174]

loc_98B25A:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+856j
		mov	eax, [esp+190h+var_144]
		lea	ecx, [esp+190h+var_E0]
		mov	edx, [esp+190h+var_180]
		neg	eax
		push	ebx
		push	[esp+194h+var_150]
		sbb	eax, eax
		push	[esp+198h+var_100]
		mov	edx, [edx]
		and	eax, ecx
		push	[esp+19Ch+var_FC]
		push	[esp+1A0h+var_10C]
		mov	edx, [edx+18h]
		push	[esp+1A4h+var_114]
		push	[esp+1A8h+var_134]
		push	eax
		push	[esp+1B0h+var_158]
		push	[esp+1B4h+var_160]
		push	[esp+1B8h+var_11C]
		call	_PiSwStartCreate@52 ; PiSwStartCreate(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_98B2B0:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+9FBj
		mov	[esp+190h+var_178], esi
		jmp	short loc_98B2C3
; 

loc_98B2B6:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+8DCj
		mov	esi, 0C00000E5h
		mov	[esp+190h+var_178], esi

loc_98B2BF:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+922j
		mov	ebx, [esp+190h+var_174]

loc_98B2C3:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+9A7j
		mov	eax, [esp+190h+var_150]
		test	eax, eax
		jz	loc_98B093
		test	ebx, ebx
		jz	short loc_98B2F5
		lea	edi, [eax+24h]
		xor	esi, esi

loc_98B2D8:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+9DEj
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_98B2E5
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98B2E5:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+9CFj
		add	edi, 28h
		sub	ebx, 1
		jnz	short loc_98B2D8
		mov	esi, [esp+190h+var_178]
		mov	eax, [esp+190h+var_150]

loc_98B2F5:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+9C4j
		xor	ebx, ebx
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_98B095
; 

loc_98B303:				; CODE XREF: PiCreateDriverSwDeviceCallback(x,x,x,x)+600j
					; PiCreateDriverSwDeviceCallback(x,x,x,x)+613j
		mov	esi, 0C0000001h
		jmp	short loc_98B2B0
_PiCreateDriverSwDeviceCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiUpdateDeviceResourceLists(x)
_PiUpdateDeviceResourceLists@4 proc near ; CODE	XREF: PiProcessQueryDeviceState+A1E06p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_10], ecx
		mov	ecx, [ecx+10h]
		lea	edx, [ebp+var_4]
		push	esi
		push	edi
		mov	[ebp+var_C], eax
		mov	ebx, eax
		mov	[ebp+var_8], eax
		mov	edi, eax
		mov	[ebp+var_4], eax
		call	_IopQueryBusResourceUpdateInterface@8 ;	IopQueryBusResourceUpdateInterface(x,x)
		test	eax, eax
		js	loc_98B3F8
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, [ebp+var_4]
		push	dword ptr [eax+4]
		call	dword ptr [eax+10h]
		mov	esi, eax
		test	esi, esi
		js	short loc_98B3C6
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	short loc_98B3C4
		cmp	[ebp+var_8], ebx
		jz	short loc_98B3C4
		call	_PnpCopyResourceList@4 ; PnpCopyResourceList(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_98B36F

loc_98B368:				; CODE XREF: PiUpdateDeviceResourceLists(x)+71j
		mov	esi, 0C000009Ah
		jmp	short loc_98B3C6
; 

loc_98B36F:				; CODE XREF: PiUpdateDeviceResourceLists(x)+5Cj
		mov	ecx, [ebp+var_8]
		call	_PnpCopyResourceList@4 ; PnpCopyResourceList(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_98B368
		mov	ecx, offset _PiResourceListLock
		call	ExAcquireFastMutex
		mov	esi, [ebp+var_10]
		mov	eax, [esi+11Ch]
		test	eax, eax
		jz	short loc_98B39C
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98B39C:				; CODE XREF: PiUpdateDeviceResourceLists(x)+88j
		mov	eax, [esi+120h]
		test	eax, eax
		jz	short loc_98B3AE
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98B3AE:				; CODE XREF: PiUpdateDeviceResourceLists(x)+9Aj
		mov	ecx, offset _PiResourceListLock
		mov	[esi+11Ch], ebx
		mov	[esi+120h], edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_98B3C4:				; CODE XREF: PiUpdateDeviceResourceLists(x)+4Cj
					; PiUpdateDeviceResourceLists(x)+51j
		xor	esi, esi

loc_98B3C6:				; CODE XREF: PiUpdateDeviceResourceLists(x)+45j
					; PiUpdateDeviceResourceLists(x)+63j
		mov	eax, [ebp+var_4]
		push	dword ptr [eax+4]
		call	dword ptr [eax+0Ch]
		mov	eax, [ebp+var_4]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jns	short loc_98B3F6
		test	ebx, ebx
		jz	short loc_98B3EA
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98B3EA:				; CODE XREF: PiUpdateDeviceResourceLists(x)+D6j
		test	edi, edi
		jz	short loc_98B3F6
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98B3F6:				; CODE XREF: PiUpdateDeviceResourceLists(x)+D2j
					; PiUpdateDeviceResourceLists(x)+E2j
		mov	eax, esi

loc_98B3F8:				; CODE XREF: PiUpdateDeviceResourceLists(x)+2Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PiUpdateDeviceResourceLists@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipProcessRestartPhase1(x, x, x)
_PipProcessRestartPhase1@12 proc near	; CODE XREF: PipProcessDevNodeTree+A1B9Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte_6CD8BB, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jz	short loc_98B422
		push	dword ptr [esi+18h]
		mov	edx, offset _KMPnPEvt_ProcessDeviceRestart_Start
		push	1
		push	ecx
		call	_McTemplateK0dz_EtwWriteTransfer@20 ; McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)

loc_98B422:				; CODE XREF: PipProcessRestartPhase1(x,x,x)+13j
		cmp	[ebp+arg_0], 0
		jz	short loc_98B43B
		test	dword ptr [esi+10Ch], 400000h
		jz	short loc_98B43B
		mov	edi, 0C000022Dh
		jmp	short loc_98B466
; 

loc_98B43B:				; CODE XREF: PipProcessRestartPhase1(x,x,x)+29j
					; PipProcessRestartPhase1(x,x,x)+35j
		xor	edx, edx
		mov	ecx, esi
		push	edi
		inc	edx
		call	PnpStartDeviceNode
		mov	ebx, 1000000h
		mov	edi, eax
		test	[esi+10Ch], ebx
		jz	short loc_98B466
		mov	ecx, [esi+10h]
		call	_PnpUnlockMountableDevice@4 ; PnpUnlockMountableDevice(x)
		mov	edx, ebx
		mov	ecx, esi
		call	PipClearDevNodeFlags

loc_98B466:				; CODE XREF: PipProcessRestartPhase1(x,x,x)+3Cj
					; PipProcessRestartPhase1(x,x,x)+56j
		test	byte_6CD8BB, 10h
		jz	short loc_98B47F
		push	dword ptr [esi+18h]
		mov	edx, (offset loc_42793F+1)
		push	1
		push	ecx
		call	_McTemplateK0dz_EtwWriteTransfer@20 ; McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)

loc_98B47F:				; CODE XREF: PipProcessRestartPhase1(x,x,x)+70j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PipProcessRestartPhase1@12 endp


;  S U B	R O U T	I N E 


; __stdcall PipProcessRestartPhase2(x)
_PipProcessRestartPhase2@4 proc	near	; CODE XREF: PipProcessDevNodeTree+A1BA7p
		test	byte_6CD8BB, 10h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jz	short loc_98B4A6
		push	dword ptr [esi+18h]
		mov	edx, offset _KMPnPEvt_ProcessDeviceRestart_Start
		push	2
		push	ecx
		call	_McTemplateK0dz_EtwWriteTransfer@20 ; McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)

loc_98B4A6:				; CODE XREF: PipProcessRestartPhase2(x)+Cj
		mov	edi, [esi+108h]
		test	edi, edi
		jns	short loc_98B4EE
		cmp	edi, 0C00002D2h
		jz	short loc_98B4BD
		push	0Ah
		pop	ebx
		jmp	short loc_98B4D0
; 

loc_98B4BD:				; CODE XREF: PipProcessRestartPhase2(x)+2Ej
		push	0Eh
		pop	ebx
		push	ecx
		mov	ecx, [esi+18h]
		push	0
		push	80000000h
		call	_PnpUpdateRebootRequiredReason@20 ; PnpUpdateRebootRequiredReason(x,x,x,x,x)

loc_98B4D0:				; CODE XREF: PipProcessRestartPhase2(x)+33j
		push	edi
		push	ebx
		xor	dl, dl
		mov	ecx, esi
		call	_PnpRequestDeviceRemoval@16 ; PnpRequestDeviceRemoval(x,x,x,x)
		cmp	dword ptr [esi+174h], 0
		jz	short loc_98B51A
		push	dword ptr [esi+10h]
		call	_IoRequestDeviceEject@4	; IoRequestDeviceEject(x)
		jmp	short loc_98B51A
; 

loc_98B4EE:				; CODE XREF: PipProcessRestartPhase2(x)+26j
		push	ecx
		mov	edx, 308h
		mov	ecx, esi
		call	PipSetDevNodeState
		test	byte ptr [esi+1C8h], 20h
		jz	short loc_98B513
		mov	ecx, [esi+10h]
		call	PoFxIdleDevice
		and	dword ptr [esi+1C8h], 0FFFFFFDFh

loc_98B513:				; CODE XREF: PipProcessRestartPhase2(x)+7Aj
		mov	ecx, esi
		call	_PnpStartedDeviceNodeDependencyCheck@4 ; PnpStartedDeviceNodeDependencyCheck(x)

loc_98B51A:				; CODE XREF: PipProcessRestartPhase2(x)+5Aj
					; PipProcessRestartPhase2(x)+64j
		test	byte_6CD8BB, 10h
		jz	short loc_98B533
		push	dword ptr [esi+18h]
		mov	edx, (offset loc_42793F+1)
		push	2
		push	ecx
		call	_McTemplateK0dz_EtwWriteTransfer@20 ; McTemplateK0dz_EtwWriteTransfer(x,x,x,x,x)

loc_98B533:				; CODE XREF: PipProcessRestartPhase2(x)+99j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_PipProcessRestartPhase2@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiDrvDbDestroyNode(x)
_PiDrvDbDestroyNode@4 proc near		; CODE XREF: PiDrvDbCreateNode+1FBp
					; PiDrvDbRegisterNode+9E30Dp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+20h], 10h
		jz	short loc_98B551
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_98B551
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_98B551:				; CODE XREF: PiDrvDbDestroyNode(x)+9j
					; PiDrvDbDestroyNode(x)+10j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_98B568
		cmp	[eax+4], esi
		jnz	short loc_98B5B8
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_98B5B8
		mov	[ecx], eax
		mov	[eax+4], ecx

loc_98B568:				; CODE XREF: PiDrvDbDestroyNode(x)+1Cj
		lea	eax, [esi+8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+10h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+18h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+11Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	byte ptr [esi+64h], 0
		jz	short loc_98B59E
		lea	eax, [esi+2Ch]
		push	eax
		call	ExDeleteResourceLite

loc_98B59E:				; CODE XREF: PiDrvDbDestroyNode(x)+5Aj
		mov	eax, [esi+100h]
		test	eax, eax
		jz	short loc_98B5AE
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_98B5AE:				; CODE XREF: PiDrvDbDestroyNode(x)+6Dj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
; 

loc_98B5B8:				; CODE XREF: PiDrvDbDestroyNode(x)+21j
					; PiDrvDbDestroyNode(x)+28j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PiDrvDbEnumNodes(x,	x)
_PiDrvDbEnumNodes@8:			; CODE XREF: PpDevCfgInit+146CCp
		mov	edi, edi
		push	esi
		mov	esi, _PiDrvDbNodeList
		push	edi
		mov	edi, offset _PiDrvDbNodeList
		jmp	short loc_98B5E1
; 

loc_98B5CE:				; CODE XREF: PiDrvDbDestroyNode(x)+AAj
		push	0
		push	dword ptr [esi+20h]
		push	dword ptr [esi+0Ch]
		call	_PiDevCfgInitDriverDatabaseCallback@12 ; PiDevCfgInitDriverDatabaseCallback(x,x,x)
		test	al, al
		jz	short loc_98B5E5
		mov	esi, [esi]

loc_98B5E1:				; CODE XREF: PiDrvDbDestroyNode(x)+93j
		cmp	esi, edi
		jnz	short loc_98B5CE

loc_98B5E5:				; CODE XREF: PiDrvDbDestroyNode(x)+A4j
		pop	edi
		xor	eax, eax
		pop	esi
		retn
_PiDrvDbDestroyNode@4 endp ; sp	= -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbFindSystemFilePathToken(x, x)
_PiDrvDbFindSystemFilePathToken@8 proc near
					; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+BBp
					; PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+ECp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ecx]
		push	ebx
		mov	ebx, [ecx+4]
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_10], ecx
		mov	edi, edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_8], edi
		mov	[ebp+var_18], ebx
		cmp	[ebx], si
		jz	loc_98B6F1
		mov	[ebp+var_14], 25h

loc_98B61A:				; CODE XREF: PiDrvDbFindSystemFilePathToken(x,x)+FDj
		push	1
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		call	RtlFindUnicodeSubstring
		mov	edi, eax
		test	edi, edi
		jz	loc_98B6F1
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_10]
		movzx	ecx, word ptr [eax]
		shr	ecx, 1
		mov	[ebp+var_4], ecx
		cmp	edi, [edx+4]
		jbe	short loc_98B694
		mov	eax, [eax+4]
		movzx	ecx, word ptr [edi-2]
		push	5Ch
		pop	edx
		movzx	eax, word ptr [eax]
		mov	dword ptr [ebp+var_C], ecx
		cmp	ax, dx
		jnz	short loc_98B671
		push	ecx		; wint_t
		call	_iswalnum
		pop	ecx
		mov	ecx, [ebp+var_4]
		test	eax, eax
		jnz	short loc_98B6D0
		push	5Ch
		pop	eax
		cmp	[ebp+var_C], ax
		jnz	short loc_98B691
		jmp	short loc_98B6D0
; 

loc_98B671:				; CODE XREF: PiDrvDbFindSystemFilePathToken(x,x)+6Cj
		push	eax		; wint_t
		call	_iswalpha
		pop	ecx
		test	eax, eax
		jz	short loc_98B68E
		push	dword ptr [ebp+var_C] ;	wint_t
		call	_iswalnum
		pop	ecx
		mov	ecx, [ebp+var_4]
		test	eax, eax
		jnz	short loc_98B6D0
		jmp	short loc_98B691
; 

loc_98B68E:				; CODE XREF: PiDrvDbFindSystemFilePathToken(x,x)+90j
		mov	ecx, [ebp+var_4]

loc_98B691:				; CODE XREF: PiDrvDbFindSystemFilePathToken(x,x)+83j
					; PiDrvDbFindSystemFilePathToken(x,x)+A2j
		mov	eax, [ebp+var_8]

loc_98B694:				; CODE XREF: PiDrvDbFindSystemFilePathToken(x,x)+57j
		mov	dx, word ptr [ebp+var_1C]
		cmp	dx, [eax]
		jnz	short loc_98B6A3
		cmp	[edi+ecx*2], si
		jz	short loc_98B6EF

loc_98B6A3:				; CODE XREF: PiDrvDbFindSystemFilePathToken(x,x)+B1j
		mov	edx, [eax+4]
		push	5Ch
		movzx	eax, word ptr [edx+ecx*2-2]
		pop	ecx
		cmp	ax, cx
		mov	ecx, [ebp+var_4]
		jz	short loc_98B6EF
		push	5Ch
		pop	esi
		cmp	[edi+ecx*2], si
		push	0
		pop	esi
		jz	short loc_98B6EF
		cmp	ax, word ptr [ebp+var_14]
		jnz	short loc_98B6D0
		push	25h
		pop	eax
		cmp	[edx], ax
		jz	short loc_98B6EF

loc_98B6D0:				; CODE XREF: PiDrvDbFindSystemFilePathToken(x,x)+7Aj
					; PiDrvDbFindSystemFilePathToken(x,x)+85j ...
		mov	edi, [ebp+var_8]
		lea	ebx, [ebx+ecx*2]
		mov	ax, word ptr [ebp+var_1C]
		mov	[ebp+var_18], ebx
		sub	ax, [edi]
		mov	word ptr [ebp+var_1C], ax
		cmp	[ebx], si
		jnz	loc_98B61A
		jmp	short loc_98B6F1
; 

loc_98B6EF:				; CODE XREF: PiDrvDbFindSystemFilePathToken(x,x)+B7j
					; PiDrvDbFindSystemFilePathToken(x,x)+CAj ...
		mov	esi, edi

loc_98B6F1:				; CODE XREF: PiDrvDbFindSystemFilePathToken(x,x)+23j
					; PiDrvDbFindSystemFilePathToken(x,x)+40j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiDrvDbFindSystemFilePathToken@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbGetNodeSystemRoot(x,	x)
_PiDrvDbGetNodeSystemRoot@8 proc near	; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+2E4p
					; PiDrvDbResolveKeyFilePaths(x)+E3p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		mov	ebx, edx
		mov	[ebp+var_8], eax
		mov	ecx, eax
		mov	[ebp+var_4], eax
		mov	[ebx], eax
		cmp	[esi+120h], eax
		jnz	loc_98B7E4
		mov	eax, 208h
		mov	dword ptr [esi+11Ch], 2080000h
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	ecx, eax
		mov	[esi+120h], ecx
		test	ecx, ecx
		jnz	short loc_98B748
		mov	ecx, 0C000009Ah
		jmp	loc_98B800
; 

loc_98B748:				; CODE XREF: PiDrvDbGetNodeSystemRoot(x,x)+44j
		push	edi
		xor	edx, edx
		lea	eax, [ebp+var_4]
		push	edx
		push	eax
		movzx	eax, word ptr [esi+11Eh]
		push	eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_8]
		push	eax
		push	offset _DEVPKEY_DriverDatabase_SystemRoot
		push	edx
		push	dword ptr [esi+24h]
		mov	edx, [esi+0Ch]
		push	7
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_98B7D6
		cmp	[ebp+var_8], 12h
		jnz	short loc_98B7D6
		mov	edx, [ebp+var_4]
		push	2
		pop	eax
		cmp	edx, eax
		jbe	short loc_98B7D6
		mov	edi, [esi+120h]
		mov	eax, edx
		shr	eax, 1
		xor	edx, edx
		cmp	[edi+eax*2-2], dx
		mov	edx, [ebp+var_4]
		jnz	short loc_98B7D6
		push	2
		add	edx, 0FFFFFFFEh
		pop	eax
		mov	[esi+11Ch], dx
		cmp	dx, ax
		jbe	short loc_98B7E3
		movzx	eax, dx
		shr	eax, 1
		cmp	word ptr [edi+eax*2-2],	5Ch
		jnz	short loc_98B7E3
		xor	edx, edx
		mov	[edi+eax*2-2], dx
		mov	eax, 0FFFEh
		add	[esi+11Ch], ax
		jmp	short loc_98B7E3
; 

loc_98B7D6:				; CODE XREF: PiDrvDbGetNodeSystemRoot(x,x)+82j
					; PiDrvDbGetNodeSystemRoot(x,x)+88j ...
		mov	eax, [esi+120h]
		xor	ecx, ecx
		mov	[eax], cx
		xor	eax, eax

loc_98B7E3:				; CODE XREF: PiDrvDbGetNodeSystemRoot(x,x)+BAj
					; PiDrvDbGetNodeSystemRoot(x,x)+C7j ...
		pop	edi

loc_98B7E4:				; CODE XREF: PiDrvDbGetNodeSystemRoot(x,x)+1Fj
		mov	eax, [esi+120h]
		xor	edx, edx
		cmp	[eax], dx
		jnz	short loc_98B7F8
		mov	ecx, 0C0000225h
		jmp	short loc_98B800
; 

loc_98B7F8:				; CODE XREF: PiDrvDbGetNodeSystemRoot(x,x)+F7j
		lea	eax, [esi+11Ch]
		mov	[ebx], eax

loc_98B800:				; CODE XREF: PiDrvDbGetNodeSystemRoot(x,x)+4Bj
					; PiDrvDbGetNodeSystemRoot(x,x)+FEj
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn
_PiDrvDbGetNodeSystemRoot@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbMountNode(x)
_PiDrvDbMountNode@4 proc near		; CODE XREF: PiPnpRtlObjectActionCallback+118887p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_14]
		push	edi
		push	eax
		mov	esi, ecx
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edx, [ebp+var_4]
		lea	ecx, [ebp+var_C]
		call	_PiDrvDbFindNode@8 ; PiDrvDbFindNode(x,x)
		test	eax, eax
		js	short loc_98B873
		mov	eax, [ebp+var_4]
		mov	eax, [eax+20h]
		and	al, 1
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 80000022h
		add	esi, 40000000h
		jmp	short loc_98B878
; 

loc_98B873:				; CODE XREF: PiDrvDbMountNode(x)+4Ej
		mov	esi, 0C00000BBh

loc_98B878:				; CODE XREF: PiDrvDbMountNode(x)+6Bj
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_PiDrvDbMountNode@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbOverlayCopyKeys(x, x, x, x, x, x, x,	x)
_PiDrvDbOverlayCopyKeys@32 proc	near	; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+2D9p
					; PiDrvDbOverlayNodeHive(x,x,x)+175p ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_10]
		push	esi
		push	edi
		mov	[ebp+var_40], eax
		lea	edi, [ebp+var_10]
		mov	eax, [ebp+arg_14]
		xor	esi, esi
		mov	[ebp+var_4C], eax
		mov	ebx, esi
		xor	eax, eax
		mov	[ebp+var_20], esi
		stosd
		mov	[ebp+var_2C], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_24], esi
		stosd
		mov	[ebp+var_50], esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_30], esi
		stosd
		lea	eax, [ebp+var_20]
		push	eax
		push	20019h
		push	8
		push	edx
		mov	edx, ecx
		mov	[ebp+var_18], esi
		xor	ecx, ecx
		mov	[ebp+var_1C], esi
		mov	edi, esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_58], esi
		mov	[ebp+var_44], esi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98BCC4
		lea	eax, [ebp+var_44]
		push	eax
		push	0Ch
		lea	eax, [ebp+var_10]
		push	eax
		push	5
		push	[ebp+var_20]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		test	eax, eax
		js	short loc_98B948
		test	[ebp+var_C], 2
		jz	short loc_98B93F
		mov	esi, 8000002Dh
		jmp	loc_98BCC4
; 

loc_98B93F:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+A3j
		test	[ebp+var_C], 1
		jz	short loc_98B948
		xor	ebx, ebx
		inc	ebx

loc_98B948:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+9Dj
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+B3j
		mov	edx, [ebp+var_48]
		lea	eax, [ebp+var_54]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	ecx
		push	0
		push	6001Fh
		push	ebx
		push	[ebp+var_3C]
		xor	ecx, ecx
		call	__SysCtxRegCreateKey@36	; _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98BCC4
		mov	ecx, [ebp+var_20]
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_18]
		xor	edx, edx
		push	eax
		push	0
		lea	eax, [ebp+var_30]
		push	eax
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_98B9C2
		mov	eax, [ebp+var_30]
		cmp	eax, [ebp+var_18]
		ja	short loc_98B997
		mov	eax, [ebp+var_18]

loc_98B997:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+102j
		lea	ebx, ds:2[eax*2]
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		jz	short loc_98B9C4
		push	62647050h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_98B9C4
		mov	esi, 0C000009Ah
		jmp	loc_98BCC4
; 

loc_98B9C2:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+FAj
		mov	ebx, edi

loc_98B9C4:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+113j
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+126j
		mov	eax, [ebp+var_14]
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	short loc_98B9EC
		push	62647050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_28], eax
		test	eax, eax
		jnz	short loc_98B9EC

loc_98B9E2:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+17Ej
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+3BAj
		mov	esi, 0C000009Ah
		jmp	loc_98BC9A
; 

loc_98B9EC:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+13Cj
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+150j
		cmp	[ebp+var_34], 0
		jz	short loc_98BA10
		mov	eax, [ebp+var_40]
		test	eax, eax
		jz	short loc_98BA10
		push	62647050h
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		jz	short loc_98B9E2

loc_98BA10:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+160j
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+167j
		and	[ebp+var_14], 0

loc_98BA14:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+2FEj
		mov	edx, [ebp+var_14]
		mov	eax, ebx
		mov	ecx, [ebp+var_20]
		shr	eax, 1
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	edi
		call	_RegRtlEnumKey
		cmp	eax, 8000001Ah
		jz	loc_98BB9F
		cmp	eax, 0C0000023h
		jnz	short loc_98BA72
		mov	eax, [ebp+var_18]
		lea	ebx, [eax+eax]
		mov	[ebp+var_1C], ebx
		test	edi, edi
		jz	short loc_98BA52
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98BA52:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+1B8j
		push	62647050h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_98BB93
		mov	eax, [ebp+var_14]
		dec	eax
		jmp	loc_98BB8A
; 

loc_98BA72:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+1ABj
		test	eax, eax
		js	loc_98BB9D
		mov	edx, [ebp+var_34]
		xor	ebx, ebx
		test	edx, edx
		jz	short loc_98BAF4
		mov	eax, [ebp+var_18]
		mov	[ebp+var_3C], eax
		test	eax, eax
		jz	short loc_98BAF4
		xor	ecx, ecx
		mov	[ebp+var_18], ecx
		cmp	[ebp+var_40], ecx
		jbe	short loc_98BAEC
		dec	eax
		mov	[ebp+var_48], eax

loc_98BA9B:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+253j
		push	eax		; size_t
		push	edi		; wchar_t *
		push	dword ptr [edx+ecx*4] ;	wchar_t	*
		call	__wcsnicmp
		mov	edx, [ebp+var_34]
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_98BAD4
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_3C]
		mov	eax, [edx+eax*4]
		lea	ecx, [eax+ecx*2]
		movzx	eax, word ptr [ecx-2]
		test	ax, ax
		jz	short loc_98BAE5
		cmp	eax, 5Ch
		jnz	short loc_98BAD4
		mov	eax, [ebp+var_38]
		test	eax, eax
		jz	short loc_98BAD4
		mov	[eax+ebx*4], ecx
		inc	ebx

loc_98BAD4:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+21Dj
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+237j	...
		mov	ecx, [ebp+var_18]
		inc	ecx
		mov	[ebp+var_18], ecx
		cmp	ecx, [ebp+var_40]
		jnb	short loc_98BAE9
		mov	eax, [ebp+var_48]
		jmp	short loc_98BA9B
; 

loc_98BAE5:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+232j
		xor	eax, eax
		jmp	short loc_98BAEC
; 

loc_98BAE9:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+24Ej
		mov	eax, [ebp+var_3C]

loc_98BAEC:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+205j
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+257j
		test	eax, eax
		jz	loc_98BB84

loc_98BAF4:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+1F1j
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+1FBj
		mov	eax, [ebp+var_4C]
		test	eax, eax
		jz	short loc_98BB51
		lea	ecx, [ebp+var_24]
		mov	edx, eax
		push	ecx
		push	20019h
		push	0
		push	edi
		xor	ecx, ecx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C0000034h
		jnz	short loc_98BB1D
		and	[ebp+var_24], 0
		jmp	short loc_98BB84
; 

loc_98BB1D:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+285j
		test	eax, eax
		js	short loc_98BB9D
		mov	ecx, [ebp+var_24]
		lea	edx, [ebp+var_50]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98BC9A
		cmp	[ebp+var_50], 0
		jnz	short loc_98BB51
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)
		xor	eax, eax
		mov	[ebp+var_24], eax
		jmp	short loc_98BB54
; 

loc_98BB51:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+269j
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+2B0j
		mov	eax, [ebp+var_24]

loc_98BB54:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+2BFj
		mov	ecx, [ebp+var_20]
		mov	edx, edi
		push	eax
		push	ebx
		neg	ebx
		sbb	ebx, ebx
		and	ebx, [ebp+var_38]
		push	ebx
		push	0
		push	edi
		push	[ebp+var_2C]
		call	_PiDrvDbOverlayCopyKeys@32 ; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 8000002Dh
		jnz	short loc_98BB7C
		xor	esi, esi
		jmp	short loc_98BB84
; 

loc_98BB7C:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+2E6j
		test	esi, esi
		js	loc_98BC9A

loc_98BB84:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+25Ej
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+28Bj	...
		mov	eax, [ebp+var_14]
		mov	ebx, [ebp+var_1C]

loc_98BB8A:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+1DDj
		inc	eax
		mov	[ebp+var_14], eax
		jmp	loc_98BA14
; 

loc_98BB93:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+1D3j
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+383j
		mov	esi, 0C000009Ah
		jmp	loc_98BCA6
; 

loc_98BB9D:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+1E4j
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+28Fj
		mov	esi, eax

loc_98BB9F:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+1A0j
		test	esi, esi
		js	loc_98BC9A
		xor	ebx, ebx

loc_98BBA9:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+403j
		mov	eax, [ebp+var_1C]
		mov	edx, ebx
		mov	ecx, [ebp+var_20]
		shr	eax, 1
		mov	[ebp+var_4C], eax
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_30]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_14]
		push	eax		; int
		push	[ebp+var_28]	; void *
		lea	eax, [ebp+var_58]
		push	eax		; int
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	edi		; void *
		call	_RegRtlEnumValue
		cmp	eax, 8000001Ah
		jz	loc_98BC9A
		cmp	eax, 0C0000023h
		jnz	short loc_98BC53
		mov	eax, [ebp+var_18]
		cmp	eax, [ebp+var_4C]
		jbe	short loc_98BC19
		add	eax, eax
		mov	[ebp+var_1C], eax
		test	edi, edi
		jz	short loc_98BC02
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_1C]

loc_98BC02:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+365j
		push	62647050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_98BB93

loc_98BC19:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+35Cj
		mov	eax, [ebp+var_30]
		cmp	[ebp+var_14], eax
		jbe	short loc_98BC50
		mov	eax, [ebp+var_14]
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_98BC36
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98BC36:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+39Cj
		push	62647050h
		push	[ebp+var_14]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	loc_98B9E2

loc_98BC50:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+38Fj
		dec	ebx
		jmp	short loc_98BC92
; 

loc_98BC53:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+354j
		test	eax, eax
		js	short loc_98BC98
		cmp	[ebp+var_54], 2
		jnz	short loc_98BC79
		xor	ecx, ecx
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		mov	[ebp+var_44], ecx
		mov	edx, edi
		push	ecx
		mov	ecx, [ebp+var_2C]
		call	_RegRtlQueryValue
		cmp	eax, 0C0000023h
		jz	short loc_98BC92

loc_98BC79:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+3CBj
		push	[ebp+var_14]
		mov	ecx, [ebp+var_2C]
		mov	edx, edi
		push	[ebp+var_28]
		push	[ebp+var_58]
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_98BC9A

loc_98BC92:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+3C1j
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+3E7j
		inc	ebx
		jmp	loc_98BBA9
; 

loc_98BC98:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+3C5j
		mov	esi, eax

loc_98BC9A:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+157j
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+2A6j	...
		test	edi, edi
		jz	short loc_98BCA6
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98BCA6:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+308j
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+40Cj
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_98BCB5
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98BCB5:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+41Bj
		mov	eax, [ebp+var_38]
		test	eax, eax
		jz	short loc_98BCC4
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98BCC4:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+81j
					; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+AAj ...
		cmp	[ebp+var_20], 0
		jz	short loc_98BCD2
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)

loc_98BCD2:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+438j
		cmp	[ebp+var_2C], 0
		jz	short loc_98BCE0
		push	[ebp+var_2C]
		call	_ZwClose@4	; ZwClose(x)

loc_98BCE0:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+446j
		cmp	[ebp+var_24], 0
		jz	short loc_98BCEE
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)

loc_98BCEE:				; CODE XREF: PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)+454j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_PiDrvDbOverlayCopyKeys@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PiDrvDbOverlayNodeHive(int,wchar_t *,int)
_PiDrvDbOverlayNodeHive@12 proc	near	; CODE XREF: PiDrvDbSetupNodeHive(x,x)+35Fp

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_30], eax
		push	8
		pop	ecx
		mov	ebx, edx
		mov	[ebp+var_58], esi
		xor	edx, edx
		lea	edi, [ebp+var_28]
		xor	eax, eax
		mov	[ebp+var_44], edx
		rep stosd
		push	offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@ ; wchar_t *
		push	ebx		; wchar_t *
		mov	edi, edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_48], edx
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_98BDBC
		mov	eax, [esi+114h]
		test	al, 10h
		jnz	short loc_98BD6E

loc_98BD67:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+D3j
		xor	esi, esi
		jmp	loc_98C007
; 

loc_98BD6E:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+64j
		lea	edi, [ebp+var_28]
		mov	esi, (offset loc_A3FDEB+1)
		movsd
		movsd
		movsd
		movsd
		test	al, 0C0h
		jz	short loc_98BDB0
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_2C]
		push	eax
		push	20019h
		push	0
		push	offset ??_C@_1CO@IHJNBOPF@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS?$AAe?$AAt?$AA0?$AA0?$AA1?$AA?2?$AAS@NNGAKEGL@
		xor	ecx, ecx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_98BDA8
		and	[ebp+var_2C], 0
		jmp	short loc_98BDB0
; 

loc_98BDA8:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+9Fj
		test	esi, esi
		js	loc_98C007

loc_98BDB0:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+7Bj
					; PiDrvDbOverlayNodeHive(x,x,x)+A5j
		push	5
		mov	[ebp+var_18], offset ??_C@_1CO@IHJNBOPF@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS?$AAe?$AAt?$AA0?$AA0?$AA1?$AA?2?$AAS@NNGAKEGL@
		pop	edi
		jmp	short loc_98BDD6
; 

loc_98BDBC:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+5Aj
		push	offset ??_C@_1BC@JDKNNDON@?$AAS?$AAO?$AAF?$AAT?$AAW?$AAA?$AAR?$AAE@NNGAKEGL@ ; wchar_t *
		push	ebx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_98BDD6
		test	byte ptr [esi+114h], 20h
		jz	short loc_98BD67

loc_98BDD6:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+B9j
					; PiDrvDbOverlayNodeHive(x,x,x)+CAj
		lea	eax, [ebp+var_3C]
		mov	[ebp+edi*4+var_28], offset ??_C@_1CO@OPKJDAJE@?$AAS?$AAe?$AAt?$AAu?$AAp?$AA?2?$AAR?$AAe?$AAs?$AAo?$AAl?$AAv?$AAe?$AAF?$AAi@NNGAKEGL@
		push	eax
		push	20019h
		push	0
		push	offset ??_C@_1JA@ONBDNKIN@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@
		mov	edx, 80000002h
		xor	ecx, ecx
		inc	edi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_98BE0B
		and	[ebp+var_3C], 0
		jmp	short loc_98BE41
; 

loc_98BE0B:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+102j
		test	esi, esi
		js	loc_98C007
		mov	edx, [ebp+var_3C]
		lea	eax, [ebp+var_38]
		push	eax
		push	20019h
		push	0
		push	ebx
		xor	ecx, ecx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_98BE39
		and	[ebp+var_38], 0
		jmp	short loc_98BE41
; 

loc_98BE39:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+130j
		test	esi, esi
		js	loc_98C007

loc_98BE41:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+108j
					; PiDrvDbOverlayNodeHive(x,x,x)+136j
		lea	eax, [ebp+var_44]
		mov	edx, 80000002h
		push	eax
		push	2001Fh
		push	0
		push	ebx
		xor	ecx, ecx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98C007
		push	[ebp+var_38]
		lea	eax, [ebp+var_28]
		xor	edx, edx
		push	edi
		push	eax
		push	ecx
		mov	ecx, [ebp+var_30]
		push	0
		push	[ebp+var_44]
		call	_PiDrvDbOverlayCopyKeys@32 ; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98C007
		cmp	[ebp+var_2C], 0
		jz	loc_98C007
		push	62647050h
		push	208h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_30], ebx
		test	ebx, ebx
		jnz	short loc_98BEB3
		mov	esi, 0C000009Ah
		jmp	loc_98C007
; 

loc_98BEB3:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+1A6j
		xor	eax, eax

loc_98BEB5:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+2F6j
		lea	ecx, [ebp+var_34]
		mov	[ebp+var_5C], eax
		push	ecx
		mov	ecx, [ebp+var_2C]
		mov	edx, eax
		push	ebx
		mov	[ebp+var_34], 104h
		call	_RegRtlEnumKey
		cmp	eax, 8000001Ah
		jz	loc_98BFFF
		test	eax, eax
		js	loc_98BFF3
		mov	edx, [ebp+var_2C]
		lea	eax, [ebp+var_54]
		push	eax
		push	20019h
		push	0
		push	ebx
		xor	ecx, ecx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_98BFF3
		mov	ecx, [ebp+var_54]
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_34], 4
		push	eax
		lea	eax, [ebp+var_48]
		mov	edx, offset ??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@NNGAKEGL@
		push	eax
		call	_RegRtlQueryValue
		test	eax, eax
		js	short loc_98BF6C
		cmp	[ebp+var_48], 4
		jnz	short loc_98BF6C
		cmp	[ebp+var_34], 4
		jnz	short loc_98BF6C
		mov	ecx, [ebp+var_54]
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_34], 4
		push	eax
		lea	eax, [ebp+var_48]
		mov	edx, offset ??_C@_1M@IOJLKPKK@?$AAS?$AAt?$AAa?$AAr?$AAt@NNGAKEGL@
		push	eax
		call	_RegRtlQueryValue
		test	eax, eax
		js	short loc_98BF67
		cmp	[ebp+var_48], 4
		jnz	short loc_98BF67
		cmp	[ebp+var_34], 4
		jnz	short loc_98BF67
		mov	ebx, [ebp+var_4C]
		mov	edi, [ebp+var_50]
		jmp	short loc_98BF76
; 

loc_98BF67:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+250j
					; PiDrvDbOverlayNodeHive(x,x,x)+256j ...
		mov	ebx, [ebp+var_4C]
		jmp	short loc_98BF71
; 

loc_98BF6C:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+220j
					; PiDrvDbOverlayNodeHive(x,x,x)+226j ...
		xor	ebx, ebx
		mov	[ebp+var_4C], ebx

loc_98BF71:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+269j
		xor	edi, edi
		mov	[ebp+var_50], edi

loc_98BF76:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+264j
		push	[ebp+var_54]
		call	_ZwClose@4	; ZwClose(x)
		test	ebx, ebx
		jz	short loc_98BFF0
		test	bl, 0Bh
		jz	short loc_98BF98
		cmp	edi, 2
		jz	short loc_98BF98
		mov	eax, [ebp+var_58]
		test	byte ptr [eax+114h], 40h
		jmp	short loc_98BFA2
; 

loc_98BF98:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+284j
					; PiDrvDbOverlayNodeHive(x,x,x)+289j
		mov	eax, [ebp+var_58]
		test	byte ptr [eax+114h], 80h

loc_98BFA2:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+295j
		jz	short loc_98BFF0
		mov	eax, [ebp+var_40]
		test	eax, eax
		jnz	short loc_98BFD2
		mov	edx, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		push	ecx
		push	0
		push	2001Fh
		push	0
		push	offset ??_C@_1CO@IHJNBOPF@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS?$AAe?$AAt?$AA0?$AA0?$AA1?$AA?2?$AAS@NNGAKEGL@
		xor	ecx, ecx
		call	__SysCtxRegCreateKey@36	; _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_98BFFC
		mov	eax, [ebp+var_40]

loc_98BFD2:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+2A8j
		mov	ebx, [ebp+var_30]
		mov	edx, ebx
		push	0
		push	0
		push	0
		push	ecx
		mov	ecx, [ebp+var_2C]
		push	ebx
		push	eax
		call	_PiDrvDbOverlayCopyKeys@32 ; PiDrvDbOverlayCopyKeys(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_98BFFF
		jmp	short loc_98BFF3
; 

loc_98BFF0:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+27Fj
					; PiDrvDbOverlayNodeHive(x,x,x):loc_98BFA2j
		mov	ebx, [ebp+var_30]

loc_98BFF3:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+1DAj
					; PiDrvDbOverlayNodeHive(x,x,x)+1F8j ...
		mov	eax, [ebp+var_5C]
		inc	eax
		jmp	loc_98BEB5
; 

loc_98BFFC:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+2CCj
		mov	ebx, [ebp+var_30]

loc_98BFFF:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+1D2j
					; PiDrvDbOverlayNodeHive(x,x,x)+2EBj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98C007:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+68j
					; PiDrvDbOverlayNodeHive(x,x,x)+A9j ...
		cmp	[ebp+var_38], 0
		jz	short loc_98C015
		push	[ebp+var_38]
		call	_ZwClose@4	; ZwClose(x)

loc_98C015:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+30Aj
		cmp	[ebp+var_3C], 0
		jz	short loc_98C023
		push	[ebp+var_3C]
		call	_ZwClose@4	; ZwClose(x)

loc_98C023:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+318j
		cmp	[ebp+var_2C], 0
		jz	short loc_98C031
		push	[ebp+var_2C]
		call	_ZwClose@4	; ZwClose(x)

loc_98C031:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+326j
		cmp	[ebp+var_40], 0
		jz	short loc_98C03F
		push	[ebp+var_40]
		call	_ZwClose@4	; ZwClose(x)

loc_98C03F:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+334j
		cmp	[ebp+var_44], 0
		jz	short loc_98C04D
		push	[ebp+var_44]
		call	_ZwClose@4	; ZwClose(x)

loc_98C04D:				; CODE XREF: PiDrvDbOverlayNodeHive(x,x,x)+342j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PiDrvDbOverlayNodeHive@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbQuerySyncNodesUpdated(x, x)
_PiDrvDbQuerySyncNodesUpdated@8	proc near ; CODE XREF: PpDevCfgInit+1469Fp
					; PpDevCfgInit+14724p

Source1		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
Source2		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_1C], edx
		push	esi
		push	edi
		mov	ebx, 208h
		mov	[ebp+var_2], cl
		push	62647050h
		mov	[ebp+var_1], al
		mov	[ebp+var_C], eax
		mov	[ebp+Source1], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+Source2], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_8], eax
		push	ebx
		jmp	short loc_98C0D9
; 

loc_98C09E:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+84j
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	ebx		; int
		push	edi		; void *
		push	0		; int
		push	offset ??_C@_1GA@GJKBFJNO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; void *
		push	0		; int
		push	(offset	loc_8BB185+1) ;	int
		call	RtlGetPersistedStateLocation
		mov	esi, eax
		cmp	esi, 80000005h
		jnz	short loc_98C111
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		cmp	[ebp+var_8], ebx
		jbe	short loc_98C10C
		mov	ebx, [ebp+var_8]
		push	62647050h
		push	ebx

loc_98C0D9:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+3Cj
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_98C09E
		mov	esi, 0C000009Ah

loc_98C0EB:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+B3j
					; PiDrvDbQuerySyncNodesUpdated(x,x)+D3j ...
		cmp	[ebp+var_C], 0
		jz	short loc_98C0F9
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_98C0F9:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+8Fj
		test	edi, edi
		jz	short loc_98C105
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98C105:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+9Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_98C10C:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+6Ej
		mov	esi, 0C00000E5h

loc_98C111:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+5Fj
		test	esi, esi
		js	short loc_98C0EB
		push	0
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		push	ecx
		push	0
		push	2001Fh
		push	0
		push	edi
		xor	ecx, ecx
		call	__SysCtxRegCreateTree@36 ; _SysCtxRegCreateTree(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_98C0EB
		mov	ebx, _PiDrvDbNodeList

loc_98C13B:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+1B2j
		cmp	ebx, offset _PiDrvDbNodeList
		jz	loc_98C217
		test	byte ptr [ebx+20h], 4
		jz	short loc_98C15A
		cmp	_PnpBootMode, 0
		jnz	loc_98C210

loc_98C15A:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+EBj
		mov	edx, [ebx+0Ch]
		lea	eax, [ebp+var_14]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	eax
		push	8
		lea	eax, [ebp+Source1]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	offset _DEVPKEY_DriverDatabase_LastUpdateDate
		push	0
		push	dword ptr [ebx+24h]
		push	7
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_98C20E
		cmp	[ebp+var_10], 10h
		jnz	short loc_98C20E
		cmp	[ebp+var_14], 8
		jnz	short loc_98C20E
		mov	edx, [ebx+0Ch]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		push	eax
		lea	eax, [ebp+Source2]
		mov	[ebp+var_8], 8
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RegRtlQueryValue
		mov	esi, eax
		test	esi, esi
		js	short loc_98C1C8
		cmp	[ebp+var_18], 3
		jnz	short loc_98C1C8
		cmp	[ebp+var_8], 8
		jz	short loc_98C1D0

loc_98C1C8:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+15Aj
					; PiDrvDbQuerySyncNodesUpdated(x,x)+160j
		xor	esi, esi
		and	[ebp+Source2], esi
		and	[ebp+var_24], esi

loc_98C1D0:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+166j
		push	8		; Length
		lea	eax, [ebp+Source2]
		push	eax		; Source2
		lea	eax, [ebp+Source1]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 8
		jz	short loc_98C210
		cmp	[ebp+var_2], 0
		mov	cl, 1
		mov	[ebp+var_1], cl
		jz	short loc_98C21A
		mov	edx, [ebx+0Ch]
		lea	eax, [ebp+Source1]
		mov	ecx, [ebp+var_C]
		push	8
		push	eax
		push	3
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98C0EB
		jmp	short loc_98C210
; 

loc_98C20E:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+126j
					; PiDrvDbQuerySyncNodesUpdated(x,x)+130j ...
		xor	esi, esi

loc_98C210:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+F4j
					; PiDrvDbQuerySyncNodesUpdated(x,x)+182j ...
		mov	ebx, [ebx]
		jmp	loc_98C13B
; 

loc_98C217:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+E1j
		mov	cl, [ebp+var_1]

loc_98C21A:				; CODE XREF: PiDrvDbQuerySyncNodesUpdated(x,x)+18Dj
		test	esi, esi
		js	loc_98C0EB
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	loc_98C0EB
		mov	[eax], cl
		jmp	loc_98C0EB
_PiDrvDbQuerySyncNodesUpdated@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbQuerySystemPathWin32(x, x)
_PiDrvDbQuerySystemPathWin32@8 proc near ; CODE	XREF: PiDrvDbRegisterNode+9E2B2p
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+A4p

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	eax, edx
		push	edi
		mov	ebx, edi
		mov	[ebp+var_34], eax
		push	eax
		mov	esi, ecx
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_30], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	eax
		push	21h
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_48]
		push	3
		push	eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_5C], edi
		push	eax
		push	100080h
		lea	eax, [ebp+var_24]
		mov	[ebp+var_54], 240h
		push	eax
		mov	[ebp+var_58], esi
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], edi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_98C322
		mov	eax, ds:_IoFileObjectType
		lea	ecx, [ebp+var_4]
		push	edi
		push	ecx
		push	edi
		push	eax
		push	80h
		push	[ebp+var_24]
		mov	[ebp+var_4], edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	loc_98C598
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		call	_IoQueryFileDosDeviceName@8 ; IoQueryFileDosDeviceName(x,x)
		mov	ebx, [ebp+var_20]
		mov	esi, eax
		test	esi, esi
		js	loc_98C598
		mov	ecx, [ebp+var_34]
		push	ecx
		push	ebx
		push	1
		call	RtlDuplicateUnicodeString
		mov	esi, eax
		jmp	loc_98C598
; 

loc_98C322:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+99j
		movzx	edi, word ptr [esi]
		mov	[ebp+var_40], edi
		cmp	edi, 16h
		jb	short loc_98C37D
		push	1
		push	esi
		push	offset _PiDrvDbSystemRootNt
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_98C37D
		push	offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	ecx, word ptr [esi]
		push	18h
		pop	eax
		cmp	cx, ax
		jbe	loc_98C418
		mov	eax, [esi+4]
		add	eax, 16h
		cmp	word ptr [eax],	5Ch
		jnz	loc_98C418
		mov	[ebp+var_10], eax
		lea	eax, [ecx-16h]
		mov	word ptr [ebp+var_14], ax
		add	eax, 2
		jmp	loc_98C404
; 

loc_98C37D:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+F7j
					; PiDrvDbQuerySystemPathWin32(x,x)+108j
		cmp	edi, 1Ch
		jbe	loc_98C40A
		push	1
		push	esi
		push	offset _PiDrvDbDriverStoresRoot
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_98C40A
		mov	esi, [esi+4]
		push	5Ch
		pop	eax
		cmp	[esi+1Ah], ax
		jnz	short loc_98C40A
		xor	ecx, ecx
		lea	edx, [esi+1Ch]
		mov	word ptr [ebp+var_1C], cx
		mov	[ebp+var_18], edx
		cmp	[edx], ax
		jz	short loc_98C3D6
		push	eax
		xor	ebx, ebx
		pop	edi

loc_98C3B8:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+19Aj
		movzx	eax, cx
		cmp	[edx+eax*2], bx
		jz	short loc_98C3D0
		inc	cx
		movzx	eax, cx
		mov	word ptr [ebp+var_1C], cx
		cmp	[edx+eax*2], di
		jnz	short loc_98C3B8

loc_98C3D0:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+18Bj
		mov	edi, [ebp+var_40]
		mov	ebx, [ebp+var_20]

loc_98C3D6:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+17Ej
		mov	eax, [ebp+var_1C]
		add	eax, eax
		mov	word ptr [ebp+var_1C], ax
		mov	word ptr [ebp+var_1C+2], ax
		movzx	eax, ax
		shr	eax, 1
		push	5Ch
		pop	ecx
		lea	eax, [edx+eax*2]
		cmp	[eax], cx
		jnz	short loc_98C418
		mov	[ebp+var_10], eax
		sub	eax, esi
		and	eax, 0FFFFFFFEh
		sub	edi, eax
		mov	word ptr [ebp+var_14], di
		lea	eax, [edi+2]

loc_98C404:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+144j
		mov	word ptr [ebp+var_14+2], ax
		jmp	short loc_98C418
; 

loc_98C40A:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+14Cj
					; PiDrvDbQuerySystemPathWin32(x,x)+161j ...
		push	offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_98C418:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+121j
					; PiDrvDbQuerySystemPathWin32(x,x)+131j ...
		lea	edx, [ebp+var_28]
		lea	ecx, [ebp+var_1C]
		call	_PiDrvDbFindNode@8 ; PiDrvDbFindNode(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98C595
		mov	ecx, [ebp+var_28]
		push	2
		pop	edi
		mov	eax, [ecx+20h]
		test	al, 1
		jz	loc_98C511
		push	offset ??_C@_1BG@OJDKBFIC@?$AAC?$AA?3?$AA?2?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs@NNGAKEGL@ ; "C:\\Windows"
		lea	eax, [ebp+var_3C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+var_3C]
		mov	eax, [ebp+var_14]
		add	ecx, edi
		add	eax, ecx
		mov	word ptr [ebp+var_C+2],	ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_98C474

loc_98C46A:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+30Ej
		mov	esi, 0C000009Ah
		jmp	loc_98C595
; 

loc_98C474:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+234j
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98C595
		xor	edi, edi
		cmp	_InitIsWinPEMode, 0
		jz	loc_98C55A
		push	38h		; size_t
		lea	eax, [ebp+var_98]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_90], offset ??_C@_1BM@OCDIALJA@?$AAI?$AAn?$AAs?$AAt?$AAR?$AAo?$AAo?$AAt?$AAD?$AAr?$AAi?$AAv?$AAe@NNGAKEGL@ ; "InstRootDrive"
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_88], 4000000h
		mov	[ebp+var_8C], eax
		mov	edx, offset ??_C@_1M@IEBOLHNI@?$AAW?$AAi?$AAn?$AAP?$AAE@NNGAKEGL@ ; "WinPE"
		lea	eax, [ebp+var_98]
		mov	[ebp+var_94], 124h
		push	1
		push	ecx
		push	edi
		push	eax
		push	2
		pop	ecx
		call	RtlpQueryRegistryValues
		mov	esi, eax
		test	esi, esi
		js	short loc_98C504
		mov	ecx, [ebp+var_2C]
		lea	eax, [ecx-41h]
		cmp	eax, 19h
		ja	short loc_98C504
		mov	eax, [ebp+var_8]
		mov	[eax], cx
		jmp	short loc_98C55A
; 

loc_98C504:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+2BBj
					; PiDrvDbQuerySystemPathWin32(x,x)+2C6j
		mov	eax, [ebp+var_8]
		mov	esi, edi
		push	58h
		pop	ecx
		mov	[eax], cx
		jmp	short loc_98C55A
; 

loc_98C511:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+204j
		test	al, 8
		jz	short loc_98C590
		lea	edx, [ebp+var_30]
		call	_PiDrvDbGetNodeSystemRoot@8 ; PiDrvDbGetNodeSystemRoot(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_98C595
		mov	esi, [ebp+var_30]
		mov	ax, [esi]
		add	ax, word ptr [ebp+var_14]
		add	ax, di
		mov	word ptr [ebp+var_C+2],	ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_98C46A
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_98C595
		xor	edi, edi

loc_98C55A:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+260j
					; PiDrvDbQuerySystemPathWin32(x,x)+2CEj ...
		push	2
		pop	eax
		cmp	word ptr [ebp+var_14], ax
		jbe	short loc_98C576
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_98C595

loc_98C576:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+32Dj
		mov	ecx, [ebp+var_34]
		mov	eax, [ebp+var_C]
		push	edi
		mov	[ecx], eax
		mov	eax, [ebp+var_8]
		mov	[ecx+4], eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	short loc_98C595
; 

loc_98C590:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+2DFj
		mov	esi, 0C0000225h

loc_98C595:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+1F3j
					; PiDrvDbQuerySystemPathWin32(x,x)+23Bj ...
		mov	edi, [ebp+var_4]

loc_98C598:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+BEj
					; PiDrvDbQuerySystemPathWin32(x,x)+D5j	...
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	ebx, ebx
		jz	short loc_98C5AE
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98C5AE:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+36Fj
		test	edi, edi
		jz	short loc_98C5B9
		mov	ecx, edi
		call	ObfDereferenceObject

loc_98C5B9:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+37Cj
		cmp	[ebp+var_24], 0
		jz	short loc_98C5C7
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)

loc_98C5C7:				; CODE XREF: PiDrvDbQuerySystemPathWin32(x,x)+389j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiDrvDbQuerySystemPathWin32@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbResolveFilePathKeyValues(x, x, x, x)
_PiDrvDbResolveFilePathKeyValues@16 proc near ;	CODE XREF: PiDrvDbResolveKeyFilePaths(x)+F9p
					; PiDrvDbResolveNodeFilePaths(x,x)+109p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_20], edx
		xor	ecx, ecx
		mov	[ebp+var_38], esi
		push	ecx
		lea	eax, [ebp+var_40]
		mov	[ebp+var_1C], ecx
		mov	edi, ecx
		mov	[ebp+var_40], ecx
		push	eax
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_18], ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_30], ecx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ebx, ebx
		lea	eax, [ebp+var_48]
		push	ebx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [ebp+var_58]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_1C]
		mov	edx, esi
		push	eax
		push	20019h
		push	ebx
		push	offset ??_C@_1CO@OPKJDAJE@?$AAS?$AAe?$AAt?$AAu?$AAp?$AA?2?$AAR?$AAe?$AAs?$AAo?$AAl?$AAv?$AAe?$AAF?$AAi@NNGAKEGL@
		xor	ecx, ecx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_98C664
		mov	esi, ebx
		jmp	loc_98C782
; 

loc_98C664:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+8Dj
		test	esi, esi
		js	loc_98C782
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_40]
		call	_PiDrvDbQuerySystemPathWin32@8 ; PiDrvDbQuerySystemPathWin32(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_98C689
		push	ebx
		lea	eax, [ebp+var_40]
		mov	esi, ebx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_98C689:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+ADj
		test	byte ptr [ebp+var_20], 2
		mov	ebx, [ebp+var_3C]
		jz	short loc_98C6C2
		cmp	[ebp+arg_0], edi
		jz	short loc_98C6AA
		push	1
		push	offset _PiDrvDbSystemRootNt
		push	[ebp+arg_0]
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_98C6F3

loc_98C6AA:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+C7j
		test	ebx, ebx
		jz	short loc_98C6C2
		push	1
		push	offset _PiDrvDbSystemRootWin32
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_98C6F3

loc_98C6C2:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+C2j
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+DEj
		test	byte ptr [ebp+var_20], 1
		jz	loc_98CB3E
		cmp	[ebp+arg_4], edi
		jz	loc_98CB3E
		test	ebx, ebx
		jz	loc_98CB3E
		push	1
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+arg_4]
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_98CB3E

loc_98C6F3:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+DAj
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+F2j
		mov	ecx, [ebp+var_1C]
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_28]
		xor	edx, edx
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_98C7B4
		mov	eax, [ebp+var_28]
		lea	ebx, ds:2[eax*2]
		mov	eax, [ebp+var_14]
		mov	[ebp+var_24], ebx
		mov	[ebp+var_C], eax
		test	ebx, ebx
		jz	short loc_98C746
		push	62647050h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_98C743
		mov	esi, 0C000009Ah
		jmp	short loc_98C782
; 

loc_98C743:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+16Cj
		mov	eax, [ebp+var_C]

loc_98C746:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+158j
		test	eax, eax
		jz	short loc_98C7BD
		push	62647050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_2C], edi
		test	edi, edi
		jnz	short loc_98C7BA

loc_98C760:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+28Ej
		mov	esi, 0C000009Ah

loc_98C765:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+21Bj
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+543j ...
		xor	ebx, ebx

loc_98C767:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+564j
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+574j
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_98C775
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98C775:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+19Ej
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+55Dj
		test	edi, edi
		jz	short loc_98C782
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98C782:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+91j
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+98j	...
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_58]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_1C], 0
		jz	short loc_98C7AB
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_98C7AB:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+1D3j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_98C7B4:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+13Dj
		mov	eax, edi
		mov	ebx, eax
		jmp	short loc_98C7BD
; 

loc_98C7BA:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+190j
		mov	eax, [ebp+var_C]

loc_98C7BD:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+17Aj
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+1EAj
		xor	ecx, ecx

loc_98C7BF:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+553j
		mov	[ebp+var_14], eax
		mov	edx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_1C]
		push	eax		; int
		push	edi		; void *
		lea	eax, [ebp+var_30]
		shr	ebx, 1
		push	eax		; int
		lea	eax, [ebp+var_28]
		mov	[ebp+var_28], ebx
		push	eax		; int
		push	[ebp+var_10]	; void *
		call	_RegRtlEnumValue
		cmp	eax, 8000001Ah
		jz	loc_98C765
		cmp	eax, 0C0000023h
		jnz	short loc_98C86B
		mov	eax, [ebp+var_28]
		cmp	eax, ebx
		jbe	short loc_98C82B
		lea	ebx, [eax+eax]
		mov	eax, [ebp+var_10]
		mov	[ebp+var_24], ebx
		test	eax, eax
		jz	short loc_98C813
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98C813:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+23Aj
		push	62647050h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_98CB26

loc_98C82B:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+22Dj
		mov	eax, [ebp+var_C]
		cmp	[ebp+var_14], eax
		jbe	short loc_98C862
		mov	eax, [ebp+var_14]
		mov	[ebp+var_C], eax
		test	edi, edi
		jz	short loc_98C846
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98C846:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+26Dj
		push	62647050h
		push	[ebp+var_14]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_2C], edi
		test	edi, edi
		jz	loc_98C760

loc_98C862:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+263j
		mov	ecx, [ebp+var_8]
		dec	ecx
		jmp	loc_98CB1A
; 

loc_98C86B:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+226j
		test	eax, eax
		js	loc_98CB37
		cmp	[ebp+var_30], 7
		jnz	loc_98CB17
		mov	eax, [ebp+var_14]
		cmp	eax, 4
		jb	loc_98CB17
		shr	eax, 1
		xor	ebx, ebx
		cmp	[edi+eax*2-2], bx
		jnz	loc_98CB17
		cmp	[edi+eax*2-4], bx
		jnz	loc_98CB17
		mov	edx, [ebp+var_38]
		lea	eax, [ebp+var_18]
		push	eax
		push	2001Fh
		push	ebx
		push	[ebp+var_10]
		xor	ecx, ecx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C0000034h
		jz	loc_98CB17
		test	eax, eax
		js	loc_98CB30
		xor	eax, eax
		mov	ebx, edi
		mov	[ebp+var_34], ebx
		cmp	[edi], ax
		jz	loc_98CB07
		xor	edi, edi

loc_98C8DF:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+530j
		push	offset ??_C@_13HOIJIPNN@?$AA?5@NNGAKEGL@ ; wchar_t *
		push	ebx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_98C8FA
		mov	eax, offset ??_C@_11LOCGONAA@@NNGAKEGL@
		mov	[ebp+var_28], eax
		jmp	short loc_98C8FF
; 

loc_98C8FA:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+320j
		mov	eax, ebx
		mov	[ebp+var_28], ebx

loc_98C8FF:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+32Aj
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx
		mov	ecx, [ebp+var_18]
		push	edi
		call	IopGetRegistryValue
		test	eax, eax
		js	loc_98CADE
		mov	edx, [ebp+var_4]
		mov	eax, [edx+4]
		test	eax, eax
		jz	loc_98CACD
		cmp	eax, 2
		jbe	loc_98CA45
		cmp	eax, 7
		jnz	loc_98CACD
		mov	ebx, [edx+8]
		mov	eax, [edx+0Ch]
		add	ebx, edx
		cmp	eax, 4
		jb	loc_98CACD
		cmp	eax, 0FFFEh
		ja	loc_98CACD
		shr	eax, 1
		cmp	[ebx+eax*2-2], di
		jnz	loc_98CACD
		cmp	[ebx+eax*2-4], di
		jnz	loc_98CACD
		xor	eax, eax
		mov	ecx, edi
		mov	word ptr [ebp+var_58], ax
		mov	[ebp+var_14], ecx
		cmp	[ebx], di
		jz	loc_98CA18

loc_98C97E:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+43Aj
		push	ebx
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp+var_20]
		lea	ecx, [ebp+var_40]
		xor	eax, eax
		mov	word ptr [ebp+var_48], ax
		mov	eax, [ebp+var_3C]
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		lea	ecx, [ebp+var_48]
		push	ecx
		push	[ebp+arg_4]
		lea	ecx, [ebp+var_50]
		push	eax
		push	[ebp+arg_0]
		call	_PiDrvDbResolveSystemFilePath@24 ; PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jz	short loc_98C9D3
		cmp	esi, 0C00000BBh
		jz	short loc_98C9D3
		test	esi, esi
		js	loc_98CACD
		inc	[ebp+var_14]
		mov	ax, word ptr [ebp+var_48]
		jmp	short loc_98C9D9
; 

loc_98C9D3:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+3EAj
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+3F2j
		xor	eax, eax
		mov	word ptr [ebp+var_48], ax

loc_98C9D9:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+403j
		lea	edx, [ebp+var_48]
		test	ax, ax
		jnz	short loc_98C9E4
		lea	edx, [ebp+var_50]

loc_98C9E4:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+411j
		push	1		; void *
		push	edi		; size_t
		lea	ecx, [ebp+var_58]
		call	_PiDevCfgAppendMultiSz@16 ; PiDevCfgAppendMultiSz(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98CACD
		movzx	eax, word ptr [ebp+var_50]
		shr	eax, 1
		lea	ebx, [ebx+eax*2]
		add	ebx, 2
		cmp	[ebx], di
		jnz	loc_98C97E
		mov	ax, word ptr [ebp+var_58]
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_14]

loc_98CA18:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+3AAj
		test	esi, esi
		js	loc_98CACD
		test	ecx, ecx
		jz	loc_98CACD
		mov	ecx, [edx+4]
		mov	edx, [ebp+var_28]
		movzx	eax, ax
		push	eax
		push	[ebp+var_54]
		push	ecx
		mov	ecx, [ebp+var_18]
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		mov	esi, eax
		jmp	loc_98CACD
; 

loc_98CA45:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+359j
		mov	ecx, [edx+8]
		mov	eax, [edx+0Ch]
		add	ecx, edx
		cmp	eax, 2
		jbe	short loc_98CACD
		cmp	eax, 0FFFEh
		ja	short loc_98CACD
		shr	eax, 1
		cmp	[ecx+eax*2-2], di
		jnz	short loc_98CACD
		push	ecx
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp+var_20]
		lea	ecx, [ebp+var_40]
		xor	eax, eax
		mov	word ptr [ebp+var_48], ax
		mov	eax, [ebp+var_3C]
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		lea	ecx, [ebp+var_48]
		push	ecx
		push	[ebp+arg_4]
		lea	ecx, [ebp+var_50]
		push	eax
		push	[ebp+arg_0]
		call	_PiDrvDbResolveSystemFilePath@24 ; PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jz	short loc_98CACB
		cmp	esi, 0C00000BBh
		jz	short loc_98CACB
		mov	ebx, [ebp+var_4]
		test	esi, esi
		js	short loc_98CAD0
		movzx	ecx, word ptr [ebp+var_48]
		mov	eax, [ebx+4]
		add	ecx, 2
		mov	edx, [ebp+var_28]
		push	ecx
		push	[ebp+var_44]
		mov	ecx, [ebp+var_18]
		push	eax
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_98CAD0
; 

loc_98CACB:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+4CEj
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+4D6j
		mov	esi, edi

loc_98CACD:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+350j
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+362j ...
		mov	ebx, [ebp+var_4]

loc_98CAD0:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+4DDj
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+4FBj
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	short loc_98CB04
		mov	ebx, [ebp+var_34]

loc_98CADE:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+342j
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_98CAE3:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+51Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_98CAE3
		sub	ecx, edx
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]
		add	ebx, 2
		mov	[ebp+var_34], ebx
		cmp	[ebx], di
		jnz	loc_98C8DF

loc_98CB04:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+50Bj
		mov	edi, [ebp+var_2C]

loc_98CB07:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+309j
		push	[ebp+var_18]
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_98C765

loc_98CB17:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+2A9j
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+2B5j ...
		mov	ecx, [ebp+var_8]

loc_98CB1A:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+298j
		mov	eax, [ebp+var_C]
		inc	ecx
		mov	ebx, [ebp+var_24]
		jmp	loc_98C7BF
; 

loc_98CB26:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+257j
		mov	esi, 0C000009Ah
		jmp	loc_98C775
; 

loc_98CB30:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+2F9j
		mov	esi, eax
		jmp	loc_98C767
; 

loc_98CB37:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+29Fj
		mov	esi, eax
		jmp	loc_98C765
; 

loc_98CB3E:				; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+F8j
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+101j ...
		xor	ebx, ebx
		mov	esi, ebx
		jmp	loc_98C767
_PiDrvDbResolveFilePathKeyValues@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbResolveKeyFilePaths(x)
_PiDrvDbResolveKeyFilePaths@4 proc near	; CODE XREF: PiDevCfgInitResolveContext(x,x,x)+108p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	esi, esi
		lea	eax, [ebp+var_14]
		push	edi
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_14], esi
		push	eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_4], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edx, [ebp+var_14]
		mov	ecx, ebx
		call	IopQueryRegistryKeySystemPath
		mov	edi, eax
		test	edi, edi
		js	loc_98CC47
		mov	ax, word ptr [ebp+var_14]
		mov	edi, [ebp+var_10]
		push	5Ch
		pop	ebx
		cmp	ax, 2
		jb	short loc_98CBBF
		movzx	ecx, ax
		shr	ecx, 1
		cmp	[edi+ecx*2-2], bx
		jnz	short loc_98CBBF
		xor	eax, eax
		mov	[edi+ecx*2-2], ax
		mov	ecx, 0FFFEh
		mov	ax, word ptr [ebp+var_14]
		mov	edi, [ebp+var_10]
		add	ax, cx
		mov	word ptr [ebp+var_14], ax

loc_98CBBF:				; CODE XREF: PiDrvDbResolveKeyFilePaths(x)+50j
					; PiDrvDbResolveKeyFilePaths(x)+5Cj
		cmp	ax, 1Ch
		jbe	short loc_98CBE4
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		push	offset _PiDrvDbDriverStoresRoot
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_98CBE4
		cmp	[edi+1Ah], bx
		jnz	short loc_98CBE4
		add	edi, 1Ch
		jmp	short loc_98CBE9
; 

loc_98CBE4:				; CODE XREF: PiDrvDbResolveKeyFilePaths(x)+7Cj
					; PiDrvDbResolveKeyFilePaths(x)+90j ...
		mov	edi, offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@

loc_98CBE9:				; CODE XREF: PiDrvDbResolveKeyFilePaths(x)+9Bj
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edx, [ebp+var_4]
		lea	ecx, [ebp+var_1C]
		call	_PiDrvDbFindNode@8 ; PiDrvDbFindNode(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_98CC47
		mov	ecx, [ebp+var_4]
		test	byte ptr [ecx+114h], 1
		jnz	short loc_98CC14
		mov	edi, esi
		jmp	short loc_98CC47
; 

loc_98CC14:				; CODE XREF: PiDrvDbResolveKeyFilePaths(x)+C7j
		call	_CmIsStateSeparationEnabled@0 ;	CmIsStateSeparationEnabled()
		xor	ebx, ebx
		lea	edx, [ebp+var_8]
		test	al, al
		setnz	bl
		lea	ebx, ds:1[ebx*2]
		call	_PiDrvDbGetNodeSystemRoot@8 ; PiDrvDbGetNodeSystemRoot(x,x)
		test	eax, eax
		js	short loc_98CC36
		mov	esi, [ebp+var_8]

loc_98CC36:				; CODE XREF: PiDrvDbResolveKeyFilePaths(x)+EAj
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_14]
		push	esi
		push	eax
		mov	edx, ebx
		call	_PiDrvDbResolveFilePathKeyValues@16 ; PiDrvDbResolveFilePathKeyValues(x,x,x,x)
		mov	edi, eax

loc_98CC47:				; CODE XREF: PiDrvDbResolveKeyFilePaths(x)+3Cj
					; PiDrvDbResolveKeyFilePaths(x)+BBj ...
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PiDrvDbResolveKeyFilePaths@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbResolveNodeFilePaths(x, x)
_PiDrvDbResolveNodeFilePaths@8 proc near ; CODE	XREF: PiDrvDbSetupNodeHive(x,x)+346p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_18]
		push	edi
		mov	esi, edx
		mov	[ebp+var_4], edi
		push	eax
		mov	[ebp+var_10], esi
		mov	ebx, ecx
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_8], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	byte ptr [ebx+114h], 1
		jnz	short loc_98CC91

loc_98CC8A:				; CODE XREF: PiDrvDbResolveNodeFilePaths(x,x)+5Aj
		mov	esi, edi
		jmp	loc_98CD67
; 

loc_98CC91:				; CODE XREF: PiDrvDbResolveNodeFilePaths(x,x)+31j
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		push	20019h
		push	edi
		push	offset ??_C@_1CO@OPKJDAJE@?$AAS?$AAe?$AAt?$AAu?$AAp?$AA?2?$AAR?$AAe?$AAs?$AAo?$AAl?$AAv?$AAe?$AAF?$AAi@NNGAKEGL@
		xor	ecx, ecx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_98CC8A
		test	esi, esi
		js	loc_98CD67
		mov	ecx, [ebx+20h]
		mov	[ebp+var_C], 1
		test	cl, 1
		jnz	short loc_98CCDA
		call	_CmIsStateSeparationEnabled@0 ;	CmIsStateSeparationEnabled()
		test	al, al
		jz	short loc_98CCDA
		mov	[ebp+var_C], 3

loc_98CCDA:				; CODE XREF: PiDrvDbResolveNodeFilePaths(x,x)+71j
					; PiDrvDbResolveNodeFilePaths(x,x)+7Aj
		test	cl, 8
		jnz	short loc_98CCF8
		push	offset ??_C@_1BI@OMNCDEIM@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@ ; void *
		lea	eax, [ebp+var_18]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jnz	short loc_98CD44

loc_98CCF1:				; CODE XREF: PiDrvDbResolveNodeFilePaths(x,x)+CBj
		mov	esi, 0C000009Ah
		jmp	short loc_98CD67
; 

loc_98CCF8:				; CODE XREF: PiDrvDbResolveNodeFilePaths(x,x)+86j
		movzx	eax, word ptr [ebx+0Ah]
		add	eax, 1Ch
		cmp	eax, 0FFFEh
		jbe	short loc_98CD0D
		mov	esi, 80000005h
		jmp	short loc_98CD67
; 

loc_98CD0D:				; CODE XREF: PiDrvDbResolveNodeFilePaths(x,x)+ADj
		xor	ecx, ecx
		mov	word ptr [ebp+var_18+2], ax
		push	eax
		mov	word ptr [ebp+var_18], cx
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_98CCF1
		lea	eax, [ebx+8]
		push	eax
		push	offset ??_C@_1BM@PNGDECLI@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAo?$AAr?$AAe?$AAs@NNGAKEGL@ ; "\\DriverStores"
		lea	eax, [ebp+var_18]
		push	offset ??_C@_1BA@CHNIAAL@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ ;	wchar_t	*
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	short loc_98CD67

loc_98CD44:				; CODE XREF: PiDrvDbResolveNodeFilePaths(x,x)+98j
		lea	edx, [ebp+var_8]
		mov	ecx, ebx
		call	_PiDrvDbGetNodeSystemRoot@8 ; PiDrvDbGetNodeSystemRoot(x,x)
		test	eax, eax
		js	short loc_98CD55
		mov	edi, [ebp+var_8]

loc_98CD55:				; CODE XREF: PiDrvDbResolveNodeFilePaths(x,x)+F9j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_18]
		mov	ecx, [ebp+var_10]
		push	edi
		push	eax
		call	_PiDrvDbResolveFilePathKeyValues@16 ; PiDrvDbResolveFilePathKeyValues(x,x,x,x)
		mov	esi, eax

loc_98CD67:				; CODE XREF: PiDrvDbResolveNodeFilePaths(x,x)+35j
					; PiDrvDbResolveNodeFilePaths(x,x)+5Ej	...
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_4], 0
		jz	short loc_98CD7E
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_98CD7E:				; CODE XREF: PiDrvDbResolveNodeFilePaths(x,x)+11Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiDrvDbResolveNodeFilePaths@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbResolveSystemFilePath(x, x, x, x, x,	x)
_PiDrvDbResolveSystemFilePath@24 proc near
					; CODE XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+3DDp
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+4C1p

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		mov	[ebp+var_1C], edi
		push	2
		mov	esi, ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_1], cl
		mov	eax, ebx
		mov	[ebp+var_3], cl
		mov	[ebp+var_2], cl
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ecx
		pop	ecx
		and	eax, ecx
		mov	[ebp+var_14], eax
		jz	short loc_98CDD5
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_98CDD5
		push	1
		push	offset _PiDrvDbSystemRootNt
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_98CDD5
		mov	[ebp+var_1], 1

loc_98CDD5:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+32j
					; PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+39j ...
		and	ebx, 1
		mov	[ebp+var_18], ebx
		jz	short loc_98CDFC
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_98CDFC
		cmp	[ebp+arg_4], esi
		jz	short loc_98CDFC
		push	1
		push	[ebp+arg_4]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_98CDFC
		mov	[ebp+var_2], 1

loc_98CDFC:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+56j
					; PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+5Dj ...
		mov	ebx, [ebp+arg_C]
		xor	eax, eax
		mov	[ebx], ax
		mov	ecx, [edi+4]
		mov	eax, [edi]
		mov	[ebp+var_28], eax
		xor	eax, eax
		mov	[ebp+arg_C], ecx
		mov	[ebp+var_24], ecx
		cmp	[ecx], ax
		jz	loc_98D042
		mov	[ebp+var_20], 5Ch

loc_98CE24:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+267j
		cmp	[ebp+var_14], 0
		mov	edi, eax
		jz	short loc_98CE96
		cmp	[ebp+arg_0], 0
		jz	short loc_98CE5D
		cmp	[ebp+var_1], 0
		jnz	short loc_98CE5D
		mov	edx, offset _PiDrvDbSystemRootNt
		lea	ecx, [ebp+var_28]
		call	_PiDrvDbFindSystemFilePathToken@8 ; PiDrvDbFindSystemFilePathToken(x,x)
		test	eax, eax
		jnz	short loc_98CE4F
		mov	[ebp+var_1], 1
		jmp	short loc_98CE5D
; 

loc_98CE4F:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+C2j
		mov	edi, eax
		push	16h
		pop	eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax

loc_98CE5D:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+ABj
					; PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+B1j ...
		cmp	[ebp+arg_4], 0
		jz	short loc_98CE96
		cmp	[ebp+var_3], 0
		jnz	short loc_98CE96
		mov	edx, offset _PiDrvDbSystemRootWin32
		lea	ecx, [ebp+var_28]
		call	_PiDrvDbFindSystemFilePathToken@8 ; PiDrvDbFindSystemFilePathToken(x,x)
		test	eax, eax
		jnz	short loc_98CE80
		mov	[ebp+var_3], 1
		jmp	short loc_98CE96
; 

loc_98CE80:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+F3j
		test	edi, edi
		jz	short loc_98CE88
		cmp	eax, edi
		jnb	short loc_98CE96

loc_98CE88:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+FDj
		mov	edi, eax
		push	18h
		pop	eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], eax

loc_98CE96:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+A5j
					; PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+DCj ...
		cmp	[ebp+var_18], 0
		jz	short loc_98CECD
		cmp	[ebp+arg_4], 0
		jz	short loc_98CECD
		cmp	[ebp+var_2], 0
		jnz	short loc_98CECD
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_98CECD
		push	2
		pop	ecx
		cmp	[eax], cx
		jbe	short loc_98CECD
		mov	edx, eax
		lea	ecx, [ebp+var_28]
		call	_PiDrvDbFindSystemFilePathToken@8 ; PiDrvDbFindSystemFilePathToken(x,x)
		test	eax, eax
		jnz	loc_98CFF4
		mov	[ebp+var_2], 1

loc_98CECD:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+115j
					; PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+11Bj ...
		mov	edx, [ebp+var_8]

loc_98CED0:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+28Cj
		test	edi, edi
		jz	loc_98D01B
		mov	eax, edi
		sub	eax, [ebp+arg_C]
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_10], eax
		mov	word ptr [ebp+var_28], ax
		mov	eax, edx
		mov	edx, [ebp+var_1C]
		shr	eax, 1
		lea	ecx, [edi+eax*2]
		mov	eax, ecx
		mov	[ebp+arg_C], ecx
		sub	eax, [edx+4]
		mov	dx, [edx]
		and	eax, 0FFFFFFFEh
		sub	dx, ax
		mov	di, dx
		mov	word ptr [ebp+var_30], di
		lea	eax, [edx+2]
		mov	word ptr [ebp+var_30+2], ax
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_98CF22
		cmp	ax, word ptr [ebp+var_20]
		jnz	loc_98CFDE

loc_98CF22:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+191j
		push	5Ch
		pop	esi
		cmp	ax, si
		jnz	short loc_98CF4B
		mov	eax, [ebp+var_C]
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		shr	ecx, 1
		cmp	[eax+ecx*2-2], si
		jnz	short loc_98CF4B
		add	[ebp+arg_C], 2
		lea	edi, [edx-2]
		mov	word ptr [ebp+var_30], di
		mov	word ptr [ebp+var_30+2], dx

loc_98CF4B:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+1A3j
					; PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+1B5j
		mov	eax, [ebp+var_10]
		movzx	ecx, ax
		movzx	eax, word ptr [ebx]
		add	ecx, eax
		movzx	eax, di
		mov	edi, [ebp+var_C]
		add	ecx, eax
		movzx	esi, word ptr [edi]
		add	esi, 2
		add	esi, ecx
		cmp	esi, 0FFFEh
		ja	loc_98D03B
		movzx	eax, word ptr [ebx+2]
		cmp	esi, eax
		jbe	short loc_98CFB7
		push	esi
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_98D016
		mov	ecx, [ebx+4]
		test	ecx, ecx
		jz	short loc_98CFAD
		movzx	eax, word ptr [ebx]
		test	ax, ax
		jz	short loc_98CFA7
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		mov	ecx, [ebx+4]
		add	esp, 0Ch

loc_98CFA7:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+212j
		push	ecx
		call	_ExFreePool@4	; ExFreePool(x)

loc_98CFAD:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+20Aj
		mov	[ebx+4], edi
		mov	edi, [ebp+var_C]
		mov	[ebx+2], si

loc_98CFB7:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+1F3j
		cmp	word ptr [ebp+var_10], 0
		jbe	short loc_98CFCE
		lea	eax, [ebp+var_28]
		push	eax
		push	ebx
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_98D047

loc_98CFCE:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+237j
		push	edi
		push	ebx
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_98D047
		mov	ecx, [ebp+arg_C]

loc_98CFDE:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+197j
		mov	eax, [ebp+var_30]
		mov	[ebp+var_28], eax
		xor	eax, eax
		mov	[ebp+var_24], ecx
		cmp	[ecx], ax
		jnz	loc_98CE24
		jmp	short loc_98D01D
; 

loc_98CFF4:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+13Ej
		test	edi, edi
		jz	short loc_98D000
		cmp	eax, edi
		jnb	loc_98CECD

loc_98D000:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+271j
		mov	edi, eax
		mov	eax, [ebp+arg_8]
		movzx	edx, word ptr [eax]
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], eax
		jmp	loc_98CED0
; 

loc_98D016:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+1FFj
		mov	esi, 0C000009Ah

loc_98D01B:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+14Dj
		xor	eax, eax

loc_98D01D:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+26Dj
		test	esi, esi
		js	short loc_98D047
		cmp	[ebx], ax
		jz	short loc_98D042
		cmp	word ptr [ebp+var_28], 0
		jbe	short loc_98D047
		lea	eax, [ebp+var_28]
		push	eax
		push	ebx
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		jmp	short loc_98D047
; 

loc_98D03B:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+1E7j
		mov	esi, 80000005h
		jmp	short loc_98D047
; 

loc_98D042:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+92j
					; PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+29Fj
		mov	esi, 0C0000225h

loc_98D047:				; CODE XREF: PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+247j
					; PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+254j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PiDrvDbResolveSystemFilePath@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbSetupNodeHive(x, x)
_PiDrvDbSetupNodeHive@8	proc near	; CODE XREF: PiDrvDbSetupNodes+9E2EFp
					; PiDrvDbLoadNodeWorkerCallback+E321Dp

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		push	6
		xor	ebx, ebx
		mov	[ebp+var_8], ecx
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_2C], ebx
		mov	esi, edx
		mov	[ebp+var_28], ebx
		lea	edi, [ebp+var_44]
		mov	[ebp+var_C], esi
		rep stosd
		push	esi
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_1C], ebx
		push	eax
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		mov	edi, [ebp+var_8]
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_98D0F2
		lea	eax, [edi+10h]
		mov	[ebp+var_44], 18h
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_40], ebx
		push	eax
		mov	[ebp+var_38], 240h
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		jmp	loc_98D192
; 

loc_98D0F2:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+6Aj
		test	byte ptr [edi+20h], 8
		jnz	loc_98D19F
		xor	eax, eax
		mov	word ptr [ebp+var_14], ax
		mov	eax, [ebp+var_2C]
		add	eax, 26h
		mov	word ptr [ebp+var_14+2], ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_98D126

loc_98D11C:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+17Cj
					; PiDrvDbSetupNodeHive(x,x)+202j
		mov	esi, 0C000009Ah
		jmp	loc_98D3BA
; 

loc_98D126:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+CAj
		push	offset ??_C@_1CG@GOLKLNMC@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@ ; "\\"
		lea	eax, [ebp+var_14]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98D3BA
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98D3BA
		lea	eax, [ebp+var_14]
		mov	[ebp+var_44], 18h
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_40], ebx
		push	eax
		mov	[ebp+var_38], 240h
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_98D3B8

loc_98D192:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+9Dj
		test	esi, esi
		js	loc_98D3BA
		jmp	loc_98D391
; 

loc_98D19F:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+A6j
		call	_CmIsStateSeparationEnabled@0 ;	CmIsStateSeparationEnabled()
		test	al, al
		jz	loc_98D3B8
		xor	eax, eax
		mov	word ptr [ebp+var_1C], ax
		mov	ax, [edi+1Ah]
		add	ax, word ptr [ebp+var_2C]
		mov	word ptr [ebp+var_1C+2], ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_98D11C
		lea	eax, [edi+18h]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98D3BA
		mov	cx, word ptr [ebp+var_1C]
		push	2
		pop	esi
		cmp	cx, si
		jbe	short loc_98D21B
		mov	edx, [ebp+var_18]
		push	5Ch
		pop	edi

loc_98D1FB:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+1C6j
		movzx	eax, cx
		shr	eax, 1
		cmp	[edx+eax*2-2], di
		jz	short loc_98D218
		mov	eax, 0FFFEh
		add	cx, ax
		mov	word ptr [ebp+var_1C], cx
		cmp	cx, si
		ja	short loc_98D1FB

loc_98D218:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+1B5j
		mov	edi, [ebp+var_8]

loc_98D21B:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+1A3j
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98D3BA
		xor	eax, eax
		mov	word ptr [ebp+var_14], ax
		mov	ax, [edi+12h]
		add	ax, word ptr [ebp+var_2C]
		mov	word ptr [ebp+var_14+2], ax
		movzx	eax, ax
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_98D11C
		lea	eax, [edi+10h]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98D3BA
		push	offset ??_C@_1BA@MPCNLPLA@?$AAD?$AAR?$AAI?$AAV?$AAE?$AAR?$AAS@NNGAKEGL@
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_24]
		mov	si, word ptr [ebp+var_14]
		movzx	eax, ax
		mov	[ebp+var_8], eax
		add	eax, 2
		movzx	ecx, si
		cmp	ecx, eax
		jbe	short loc_98D2BC
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlSuffixUnicodeString@12 ; RtlSuffixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_98D2BC
		mov	eax, [ebp+var_10]
		movzx	ecx, si
		sub	ecx, [ebp+var_8]
		shr	ecx, 1
		push	5Ch
		pop	edx
		cmp	[eax+ecx*2-2], dx
		jnz	short loc_98D309

loc_98D2BC:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+242j
					; PiDrvDbSetupNodeHive(x,x)+255j
		push	offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@NNGAKEGL@
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_24]
		mov	si, word ptr [ebp+var_14]
		movzx	eax, ax
		mov	[ebp+var_8], eax
		add	eax, 2
		movzx	ecx, si
		cmp	ecx, eax
		jbe	short loc_98D311
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlSuffixUnicodeString@12 ; RtlSuffixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_98D311
		mov	eax, [ebp+var_10]
		movzx	ecx, si
		sub	ecx, [ebp+var_8]
		shr	ecx, 1
		push	5Ch
		pop	edx
		cmp	[eax+ecx*2-2], dx
		jz	short loc_98D311

loc_98D309:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+26Aj
		sub	si, word ptr [ebp+var_24]
		mov	word ptr [ebp+var_14], si

loc_98D311:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+28Fj
					; PiDrvDbSetupNodeHive(x,x)+2A2j ...
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_98D3BA
		lea	eax, [ebp+var_4]
		push	eax
		push	2000h
		lea	edx, [ebp+var_1C]
		lea	ecx, [ebp+var_14]
		call	PiDrvDbLoadHive
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_98D3B8
		test	esi, esi
		js	short loc_98D3BA
		test	byte ptr [edi+114h], 2
		jz	short loc_98D38F
		push	offset ??_C@_1BC@JDKNNDON@?$AAS?$AAO?$AAF?$AAT?$AAW?$AAA?$AAR?$AAE@NNGAKEGL@ ; wchar_t *
		push	[ebp+var_C]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_98D38F
		movzx	eax, word ptr [ebp+var_14]
		mov	edx, [edi+0Ch]
		add	eax, 2
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	eax
		push	[ebp+var_10]
		push	12h
		push	offset _DEVPKEY_DriverDatabase_SoftwareRegistryPath
		push	ebx
		push	dword ptr [edi+24h]
		push	7
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		jmp	short loc_98D391
; 

loc_98D38F:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+301j
					; PiDrvDbSetupNodeHive(x,x)+314j
		mov	bl, 1

loc_98D391:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+14Aj
					; PiDrvDbSetupNodeHive(x,x)+33Dj
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		call	_PiDrvDbResolveNodeFilePaths@8 ; PiDrvDbResolveNodeFilePaths(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_98D3BA
		test	byte ptr [edi+20h], 8
		jz	short loc_98D3BA
		push	[ebp+var_4]	; int
		mov	edx, [ebp+var_C] ; wchar_t *
		mov	ecx, edi	; int
		call	_PiDrvDbOverlayNodeHive@12 ; PiDrvDbOverlayNodeHive(x,x,x)
		mov	esi, eax
		jmp	short loc_98D3BA
; 

loc_98D3B8:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+13Cj
					; PiDrvDbSetupNodeHive(x,x)+156j ...
		mov	esi, ebx

loc_98D3BA:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+D1j
					; PiDrvDbSetupNodeHive(x,x)+E8j ...
		cmp	[ebp+var_4], 0
		jz	short loc_98D3C8
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_98D3C8:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+36Ej
		test	bl, bl
		jz	short loc_98D3D6
		xor	edx, edx
		lea	ecx, [ebp+var_14]
		call	PiDrvDbUnloadHive

loc_98D3D6:				; CODE XREF: PiDrvDbSetupNodeHive(x,x)+37Aj
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiDrvDbSetupNodeHive@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDrvDbUnmountNode(x)
_PiDrvDbUnmountNode@4 proc near		; CODE XREF: PiPnpRtlObjectActionCallback+1188B0p
					; PiPnpRtlObjectActionCallback+1188DAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_C]
		push	ecx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edx, [ebp+var_4]
		lea	ecx, [ebp+var_C]
		call	_PiDrvDbFindNode@8 ; PiDrvDbFindNode(x,x)
		test	eax, eax
		js	short locret_98D43F
		mov	eax, [ebp+var_4]
		mov	eax, [eax+20h]
		test	al, 1
		jz	short loc_98D42C
		mov	eax, 0C0000022h
		leave
		retn
; 

loc_98D42C:				; CODE XREF: PiDrvDbUnmountNode(x)+34j
		and	al, 10h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 99h
		add	eax, 0C0000022h

locret_98D43F:				; CODE XREF: PiDrvDbUnmountNode(x)+2Aj
		leave
		retn
_PiDrvDbUnmountNode@4 endp


;  S U B	R O U T	I N E 


; __stdcall PnpCancelStopDeviceNode(x)
_PnpCancelStopDeviceNode@4 proc	near	; CODE XREF: PnpCancelStopDeviceSubtree(x)+5p
					; PnpQueryRebalanceWorker(x,x,x,x,x,x)+D0p ...
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	dword ptr [esi+0ACh], 309h
		jnz	short loc_98D4AC
		test	byte ptr [esi+1C8h], 20h
		jnz	short loc_98D46E
		push	0
		push	20h
		push	esi
		push	0Dh
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_98D46E:				; CODE XREF: PnpCancelStopDeviceNode(x)+1Aj
		mov	ecx, [esi+10h]
		call	PoFxIdleDevice
		mov	edx, [esi+10h]
		mov	cl, 6
		and	dword ptr [esi+1C8h], 0FFFFFFDFh
		call	_IopQueryReconfiguration@8 ; IopQueryReconfiguration(x,x)
		mov	ecx, esi
		call	_PipRestoreDevNodeState@4 ; PipRestoreDevNodeState(x)
		mov	edi, 1000000h
		test	[esi+10Ch], edi
		jz	short loc_98D4AC
		mov	ecx, [esi+10h]
		call	_PnpUnlockMountableDevice@4 ; PnpUnlockMountableDevice(x)
		mov	edx, edi
		mov	ecx, esi
		call	PipClearDevNodeFlags

loc_98D4AC:				; CODE XREF: PnpCancelStopDeviceNode(x)+11j
					; PnpCancelStopDeviceNode(x)+58j
		pop	edi
		pop	esi
		pop	ecx
		retn
_PnpCancelStopDeviceNode@4 endp	; sp = -14h


;  S U B	R O U T	I N E 


; __stdcall PnpCancelStopDeviceSubtree(x)
_PnpCancelStopDeviceSubtree@4 proc near	; CODE XREF: PnpCancelStopDeviceSubtree(x)+11p
					; PnpRebalance(x,x,x,x)+15Cp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_PnpCancelStopDeviceNode@4 ; PnpCancelStopDeviceNode(x)
		mov	esi, [esi+4]
		jmp	short loc_98D4C8
; 

loc_98D4BF:				; CODE XREF: PnpCancelStopDeviceSubtree(x)+1Aj
		mov	ecx, esi
		call	_PnpCancelStopDeviceSubtree@4 ;	PnpCancelStopDeviceSubtree(x)
		mov	esi, [esi]

loc_98D4C8:				; CODE XREF: PnpCancelStopDeviceSubtree(x)+Dj
		test	esi, esi
		jnz	short loc_98D4BF
		pop	esi
		retn
_PnpCancelStopDeviceSubtree@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpFindRebalanceCandidates(x, x, x,	x, x, x)
_PnpFindRebalanceCandidates@24 proc near ; CODE	XREF: PnpRebalance(x,x,x,x)+F1p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, edx
		push	edi
		test	ecx, ecx
		jnz	short loc_98D54B
		test	esi, esi
		jz	short loc_98D54B
		mov	edi, [ebp+arg_C]
		mov	edx, 308h
		mov	[edi+20h], esi
		mov	ecx, [esi+0ACh]
		cmp	ecx, edx
		jz	short loc_98D4FC
		mov	esi, [esi+8]

loc_98D4FC:				; CODE XREF: PnpFindRebalanceCandidates(x,x,x,x,x,x)+29j
		xor	eax, eax
		cmp	ecx, edx
		setnz	al
		inc	eax
		mov	[edi+8], eax
		test	esi, esi
		jz	short loc_98D57A
		lea	ecx, [edi+30h]
		lea	eax, [edi+38h]
		mov	[ebp+var_4], ecx
		mov	edi, eax

loc_98D516:				; CODE XREF: PnpFindRebalanceCandidates(x,x,x,x,x,x)+67j
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		push	edi
		push	ecx
		push	ebx
		mov	ecx, esi
		call	_PnpQueryRebalance@24 ;	PnpQueryRebalance(x,x,x,x,x,x)
		cmp	eax, 119h
		jnz	short loc_98D537
		mov	esi, [esi+8]
		mov	ecx, [ebp+var_4]
		test	esi, esi
		jnz	short loc_98D516

loc_98D537:				; CODE XREF: PnpFindRebalanceCandidates(x,x,x,x,x,x)+5Dj
		mov	edi, [ebp+arg_C]
		test	esi, esi
		jz	short loc_98D57A
		shr	eax, 1Fh
		xor	al, 1
		mov	[edi+1Ch], al
		mov	[edi+18h], esi
		jmp	short loc_98D57A
; 

loc_98D54B:				; CODE XREF: PnpFindRebalanceCandidates(x,x,x,x,x,x)+10j
					; PnpFindRebalanceCandidates(x,x,x,x,x,x)+14j
		mov	edi, [ebp+arg_C]
		lea	eax, [ecx+0Eh]
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		add	ecx, 0Ch
		lea	eax, [edi+eax*4]
		push	eax
		lea	eax, [edi+ecx*4]
		mov	ecx, _IopRootDeviceNode
		push	eax
		push	ebx
		call	_PnpQueryRebalance@24 ;	PnpQueryRebalance(x,x,x,x,x,x)
		mov	eax, _IopRootDeviceNode
		mov	[edi+18h], eax
		mov	byte ptr [edi+1Ch], 1

loc_98D57A:				; CODE XREF: PnpFindRebalanceCandidates(x,x,x,x,x,x)+3Bj
					; PnpFindRebalanceCandidates(x,x,x,x,x,x)+6Ej ...
		mov	eax, [ebx]
		mov	[edi], eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PnpFindRebalanceCandidates@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpQueryRebalance(x, x, x, x, x, x)
_PnpQueryRebalance@24 proc near		; CODE XREF: PnpFindRebalanceCandidates(x,x,x,x,x,x)+53p
					; PnpFindRebalanceCandidates(x,x,x,x,x,x)+9Bp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	eax, ecx
		mov	ebx, edx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_4], eax
		mov	edi, [eax+4]
		test	edi, edi
		jz	short loc_98D5C9

loc_98D59E:				; CODE XREF: PnpQueryRebalance(x,x,x,x,x,x)+3Bj
		push	[ebp+arg_C]
		mov	edx, ebx
		mov	ecx, edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PnpQueryRebalance@24 ;	PnpQueryRebalance(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_98D5BC
		mov	esi, 0C0000001h

loc_98D5BC:				; CODE XREF: PnpQueryRebalance(x,x,x,x,x,x)+30j
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_98D59E
		test	esi, esi
		js	short loc_98D5E0
		mov	eax, [ebp+var_4]

loc_98D5C9:				; CODE XREF: PnpQueryRebalance(x,x,x,x,x,x)+17j
		push	[ebp+arg_C]
		mov	edx, ebx
		mov	ecx, eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PnpQueryRebalanceWorker@24 ; PnpQueryRebalanceWorker(x,x,x,x,x,x)
		mov	esi, eax

loc_98D5E0:				; CODE XREF: PnpQueryRebalance(x,x,x,x,x,x)+3Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PnpQueryRebalance@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpQueryRebalanceWorker(x, x, x, x,	x, x)
_PnpQueryRebalanceWorker@24 proc near	; CODE XREF: PnpQueryRebalance(x,x,x,x,x,x)+54p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	eax, [edi+0ACh]
		cmp	eax, 308h
		jnz	loc_98D6DD
		test	dword ptr [edi+10Ch], 1000h
		jnz	loc_98D707
		mov	dl, [ebp+arg_C]
		call	_PnpQueryStopDeviceNode@8 ; PnpQueryStopDeviceNode(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_98D6CA
		cmp	ebx, 119h
		jnz	short loc_98D649
		mov	edx, 400h
		mov	ecx, edi
		call	PipSetDevNodeFlags

loc_98D649:				; CODE XREF: PnpQueryRebalanceWorker(x,x,x,x,x,x)+52j
		mov	eax, [ebp+arg_0]
		mov	edx, [edi+10h]
		mov	ecx, [ebp+var_4]
		imul	eax, [eax], 28h
		add	ecx, eax
		xor	eax, eax
		mov	[ecx+4], eax
		mov	[ecx+0Ch], eax
		mov	[ecx+10h], eax
		mov	[ecx+18h], eax
		mov	[ecx+1Ch], eax
		mov	[ecx+20h], eax
		mov	[ecx+24h], eax
		mov	[ecx+14h], eax
		lea	eax, [ebp+var_8]
		mov	[ecx], edx
		lea	edx, [ecx+28h]
		push	eax
		mov	dword ptr [ecx+8], 4
		call	PnpGetResourceRequirementsForAssignTable
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx]
		imul	edx, eax, 28h
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_4]
		mov	dword ptr [ebp+arg_C], edx
		mov	edx, [edx+eax+24h]
		test	edx, edx
		js	short loc_98D6B5
		mov	edx, dword ptr [ebp+arg_C]
		test	byte ptr [edx+eax+4], 20h
		jnz	loc_98D730
		mov	eax, [ebp+arg_0]
		inc	eax
		mov	[ecx], eax
		jmp	short loc_98D730
; 

loc_98D6B5:				; CODE XREF: PnpQueryRebalanceWorker(x,x,x,x,x,x)+B4j
		mov	ecx, edi
		mov	ebx, edx
		call	_PnpCancelStopDeviceNode@4 ; PnpCancelStopDeviceNode(x)
		test	esi, esi
		jz	short loc_98D730
		mov	dword ptr [esi], 2
		jmp	short loc_98D730
; 

loc_98D6CA:				; CODE XREF: PnpQueryRebalanceWorker(x,x,x,x,x,x)+46j
		mov	ecx, edi
		call	_PnpCancelStopDeviceNode@4 ; PnpCancelStopDeviceNode(x)
		test	esi, esi
		jz	short loc_98D730
		mov	dword ptr [esi], 1
		jmp	short loc_98D730
; 

loc_98D6DD:				; CODE XREF: PnpQueryRebalanceWorker(x,x,x,x,x,x)+24j
		cmp	eax, 301h
		jz	short loc_98D726
		cmp	eax, 302h
		jz	short loc_98D726
		cmp	eax, 303h
		jz	short loc_98D726
		cmp	eax, 309h
		jz	short loc_98D726
		cmp	eax, 311h
		jz	short loc_98D726
		cmp	eax, 312h
		jz	short loc_98D726

loc_98D707:				; CODE XREF: PnpQueryRebalanceWorker(x,x,x,x,x,x)+34j
		test	dword ptr [edi+10Ch], 40000h
		jnz	short loc_98D726
		mov	eax, esi
		mov	ebx, 0C0000001h
		test	eax, eax
		jz	short loc_98D734
		mov	dword ptr [eax], 3
		jmp	short loc_98D734
; 

loc_98D726:				; CODE XREF: PnpQueryRebalanceWorker(x,x,x,x,x,x)+F9j
					; PnpQueryRebalanceWorker(x,x,x,x,x,x)+100j ...
		test	esi, esi
		jz	short loc_98D73F
		mov	dword ptr [esi], 4

loc_98D730:				; CODE XREF: PnpQueryRebalanceWorker(x,x,x,x,x,x)+BEj
					; PnpQueryRebalanceWorker(x,x,x,x,x,x)+CAj ...
		test	ebx, ebx
		jns	short loc_98D73F

loc_98D734:				; CODE XREF: PnpQueryRebalanceWorker(x,x,x,x,x,x)+133j
					; PnpQueryRebalanceWorker(x,x,x,x,x,x)+13Bj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_98D750
		mov	[eax], edi
		jmp	short loc_98D750
; 

loc_98D73F:				; CODE XREF: PnpQueryRebalanceWorker(x,x,x,x,x,x)+13Fj
					; PnpQueryRebalanceWorker(x,x,x,x,x,x)+149j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_98D749
		and	dword ptr [eax], 0

loc_98D749:				; CODE XREF: PnpQueryRebalanceWorker(x,x,x,x,x,x)+15Bj
		test	esi, esi
		jz	short loc_98D750
		and	dword ptr [esi], 0

loc_98D750:				; CODE XREF: PnpQueryRebalanceWorker(x,x,x,x,x,x)+150j
					; PnpQueryRebalanceWorker(x,x,x,x,x,x)+154j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
_PnpQueryRebalanceWorker@24 endp


;  S U B	R O U T	I N E 


; __stdcall PnpQueryStopDeviceNode(x, x)
_PnpQueryStopDeviceNode@8 proc near	; CODE XREF: PnpQueryRebalanceWorker(x,x,x,x,x,x)+3Dp
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 0C0000001h
		cmp	dword ptr [esi+0ACh], 308h
		jnz	short loc_98D7C6
		test	dl, dl
		jz	short loc_98D77E
		call	_PiRebalanceOptOut@4 ; PiRebalanceOptOut(x)
		test	al, al
		jnz	short loc_98D7C6

loc_98D77E:				; CODE XREF: PnpQueryStopDeviceNode(x,x)+1Aj
		mov	ecx, [esi+10h]
		call	_PnpFindMountableDevice@4 ; PnpFindMountableDevice(x)
		test	eax, eax
		jz	short loc_98D79E
		mov	ecx, [esi+10h]
		call	_PnpLockMountableDevice@4 ; PnpLockMountableDevice(x)
		mov	edx, 1000000h
		mov	ecx, esi
		call	PipSetDevNodeFlags

loc_98D79E:				; CODE XREF: PnpQueryStopDeviceNode(x,x)+2Fj
		mov	ecx, [esi+10h]
		call	_PoFxActivateDevice@4 ;	PoFxActivateDevice(x)
		mov	edx, [esi+10h]
		mov	cl, 5
		or	dword ptr [esi+1C8h], 20h
		call	_IopQueryReconfiguration@8 ; IopQueryReconfiguration(x,x)
		push	ecx
		mov	edx, 309h
		mov	ecx, esi
		mov	edi, eax
		call	PipSetDevNodeState

loc_98D7C6:				; CODE XREF: PnpQueryStopDeviceNode(x,x)+16j
					; PnpQueryStopDeviceNode(x,x)+23j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ecx
		retn
_PnpQueryStopDeviceNode@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpRebalance(x, x, x, x)
_PnpRebalance@16 proc near		; CODE XREF: PnpProcessRebalance(x)+99p
					; PnpAllocateResources+69FCDp ...

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= byte ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_74], edx
		push	esi
		xor	esi, esi
		mov	[ebp+var_64], ebx
		push	edi
		mov	eax, [ebx+1CCh]
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_88], esi
		mov	[ebp+var_84], esi
		test	eax, eax
		jz	short loc_98D813
		push	40h		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_98D813:				; CODE XREF: PnpRebalance(x,x,x,x)+39j
		push	50h		; size_t
		lea	eax, [ebp+var_58]
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	eax, _IopRootDeviceNode
		add	esp, 0Ch
		mov	[ebp+var_38], eax
		mov	[ebp+var_40], eax
		call	KeQueryInterruptTime
		mov	[ebp+var_30], eax
		mov	ecx, offset _KMPnPEvt_Rebalance_Start
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_34], al
		lea	eax, [ebx+14h]
		mov	[ebp+var_2C], edx
		mov	edx, eax
		mov	[ebp+var_80], eax
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		imul	eax, _IopNumberDeviceNodes, 28h
		push	30706E50h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_98D87B
		mov	[ebp+var_48], 2
		mov	ebx, 0C000009Ah
		jmp	loc_98D94C
; 

loc_98D87B:				; CODE XREF: PnpRebalance(x,x,x,x)+9Cj
		test	edi, edi
		jz	short loc_98D88F
		imul	eax, edi, 28h
		push	eax		; size_t
		push	[ebp+var_74]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_98D88F:				; CODE XREF: PnpRebalance(x,x,x,x)+B1j
		imul	edx, edi, 28h
		xor	ecx, ecx
		xor	eax, eax
		mov	[ebp+var_5C], ecx
		xor	ebx, ebx
		mov	[ebp+var_60], eax
		mov	[ebp+var_70], edx
		add	edx, esi
		mov	[ebp+var_68], edx

loc_98D8A6:				; CODE XREF: PnpRebalance(x,x,x,x)+20Ej
		inc	[ebp+var_54]
		mov	[ebp+var_7C], ecx
		lea	ecx, [ebp+var_58]
		push	ecx
		push	[ebp+arg_4]
		lea	ecx, [ebp+var_5C]
		push	ecx
		push	edx
		mov	edx, [ebp+var_64]
		mov	ecx, eax
		call	_PnpFindRebalanceCandidates@24 ; PnpFindRebalanceCandidates(x,x,x,x,x,x)
		mov	ecx, [ebp+var_5C]
		test	edi, edi
		jnz	loc_98D97C
		cmp	byte ptr [ebp+arg_4], 0
		jnz	loc_98D97C
		and	[ebp+var_6C], edi
		mov	eax, [ebp+var_64]
		test	ecx, ecx
		jz	short loc_98D902
		mov	edx, [eax+10h]
		mov	[ebp+var_78], edx
		mov	edx, esi

loc_98D8E9:				; CODE XREF: PnpRebalance(x,x,x,x)+134j
		mov	eax, [ebp+var_78]
		cmp	[edx], eax
		mov	eax, [ebp+var_64]
		jz	loc_98D97C
		inc	[ebp+var_6C]
		add	edx, 28h
		cmp	[ebp+var_6C], ecx
		jb	short loc_98D8E9

loc_98D902:				; CODE XREF: PnpRebalance(x,x,x,x)+113j
		cmp	dword ptr [eax+0ACh], 309h
		mov	ebx, 0C0000001h
		mov	eax, [ebp+var_60]
		jz	loc_98D9DF
		mov	[ebp+eax*4+var_48], 3

loc_98D922:				; CODE XREF: PnpRebalance(x,x,x,x)+21Dj
		mov	ecx, _IopRootDeviceNode
		call	_PnpCancelStopDeviceSubtree@4 ;	PnpCancelStopDeviceSubtree(x)
		mov	ecx, [ebp+var_70]

loc_98D930:				; CODE XREF: PnpRebalance(x,x,x,x)+27Dj
		mov	eax, [ebp+var_5C]
		add	ecx, esi
		add	eax, edi
		imul	edx, eax, 28h
		add	edx, esi
		call	PnpFreeResourceRequirementsForAssignTable
		push	30706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98D94C:				; CODE XREF: PnpRebalance(x,x,x,x)+AAj
		lea	ecx, [ebp+var_58]
		call	_PnpTraceRebalanceResult@4 ; PnpTraceRebalanceResult(x)
		mov	esi, [ebp+var_64]
		mov	eax, [esi+1CCh]
		test	ebx, ebx
		jns	loc_98DA4E
		test	eax, eax
		jz	loc_98DA64
		push	10h
		pop	ecx
		lea	esi, [ebp+var_58]
		mov	edi, eax
		rep movsd
		jmp	loc_98DA64
; 

loc_98D97C:				; CODE XREF: PnpRebalance(x,x,x,x)+FBj
					; PnpRebalance(x,x,x,x)+105j ...
		cmp	[ebp+var_7C], ecx
		jz	short loc_98D9AF
		lea	eax, [ebp+var_88]
		lea	edx, [edi+ecx]
		mov	ecx, esi
		push	eax
		call	_PnpFindBestConfiguration@12 ; PnpFindBestConfiguration(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_98D9EF
		mov	eax, [ebp+var_60]
		mov	ecx, [ebp+var_5C]
		cmp	[ebp+eax*4+var_48], 0
		jnz	short loc_98D9CE
		mov	[ebp+eax*4+var_48], 6
		jmp	short loc_98D9CE
; 

loc_98D9AF:				; CODE XREF: PnpRebalance(x,x,x,x)+1B3j
		mov	eax, [ebp+var_60]
		cmp	[ebp+eax*4+var_48], 0
		jnz	short loc_98D9C1
		mov	[ebp+eax*4+var_48], 5

loc_98D9C1:				; CODE XREF: PnpRebalance(x,x,x,x)+1EBj
		cmp	ebx, 0C0000908h
		jz	short loc_98D9CE
		mov	ebx, 0C0000001h

loc_98D9CE:				; CODE XREF: PnpRebalance(x,x,x,x)+1D7j
					; PnpRebalance(x,x,x,x)+1E1j ...
		inc	eax
		mov	[ebp+var_60], eax
		cmp	eax, 2
		jnb	short loc_98D9E7
		mov	edx, [ebp+var_68]
		jmp	loc_98D8A6
; 

loc_98D9DF:				; CODE XREF: PnpRebalance(x,x,x,x)+148j
		mov	[ebp+eax*4+var_48], 4

loc_98D9E7:				; CODE XREF: PnpRebalance(x,x,x,x)+209j
		test	ebx, ebx
		js	loc_98D922

loc_98D9EF:				; CODE XREF: PnpRebalance(x,x,x,x)+1CAj
		mov	ecx, _IopRootDeviceNode
		call	_PnpStopDeviceSubtree@4	; PnpStopDeviceSubtree(x)
		lea	ecx, [ebp+var_88]
		call	_IopCommitConfiguration@4 ; IopCommitConfiguration(x)
		test	edi, edi
		jz	short loc_98DA1A
		mov	edx, [ebp+var_68]
		mov	ecx, esi
		push	0
		call	PnpBuildCmResourceLists
		mov	ecx, [ebp+var_70]
		jmp	short loc_98DA1D
; 

loc_98DA1A:				; CODE XREF: PnpRebalance(x,x,x,x)+23Bj
		imul	ecx, edi, 28h

loc_98DA1D:				; CODE XREF: PnpRebalance(x,x,x,x)+24Cj
		mov	eax, [ebp+var_5C]
		add	eax, edi
		mov	[ebp+var_68], ecx
		imul	edx, eax, 28h
		add	ecx, esi
		push	1
		add	edx, esi
		call	PnpBuildCmResourceLists
		test	edi, edi
		jz	short loc_98DA46
		push	[ebp+var_70]	; size_t
		push	esi		; void *
		push	[ebp+var_74]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_98DA46:				; CODE XREF: PnpRebalance(x,x,x,x)+269j
		mov	ecx, [ebp+var_68]
		jmp	loc_98D930
; 

loc_98DA4E:				; CODE XREF: PnpRebalance(x,x,x,x)+193j
		test	eax, eax
		jz	short loc_98DA64
		push	62655250h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+1CCh], 0

loc_98DA64:				; CODE XREF: PnpRebalance(x,x,x,x)+19Bj
					; PnpRebalance(x,x,x,x)+1ABj ...
		mov	edx, [ebp+var_80]
		mov	ecx, offset _KMPnPEvt_Rebalance_Stop
		push	ebx
		call	_PnpDiagnosticTraceObjectWithStatus@12 ; PnpDiagnosticTraceObjectWithStatus(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PnpRebalance@16 endp


;  S U B	R O U T	I N E 


; __stdcall PnpStopDeviceSubtree(x)
_PnpStopDeviceSubtree@4	proc near	; CODE XREF: PnpRebalance(x,x,x,x)+229p
					; PnpStopDeviceSubtree(x)+Ep
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+4]
		jmp	short loc_98DA9A
; 

loc_98DA91:				; CODE XREF: PnpStopDeviceSubtree(x)+17j
		mov	ecx, esi
		call	_PnpStopDeviceSubtree@4	; PnpStopDeviceSubtree(x)
		mov	esi, [esi]

loc_98DA9A:				; CODE XREF: PnpStopDeviceSubtree(x)+Aj
		test	esi, esi
		jnz	short loc_98DA91
		cmp	dword ptr [edi+0ACh], 309h
		jnz	short loc_98DAC1
		mov	edx, [edi+10h]
		mov	cl, 4
		call	_IopQueryReconfiguration@8 ; IopQueryReconfiguration(x,x)
		push	ecx
		mov	edx, 30Ah
		mov	ecx, edi
		call	PipSetDevNodeState

loc_98DAC1:				; CODE XREF: PnpStopDeviceSubtree(x)+23j
		pop	edi
		pop	esi
		pop	ecx
		retn
_PnpStopDeviceSubtree@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopExecuteHardwareProfileChange(x, x, x, x,	x)
_IopExecuteHardwareProfileChange@20 proc near
					; CODE XREF: PnpProfileUpdateHardwareProfile(x)+15Cp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		push	33706E50h
		shl	eax, 3
		push	eax
		push	200h
		mov	[ebp+var_14], edx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		test	ebx, ebx
		jnz	short loc_98DAFE
		mov	esi, 0C000009Ah
		jmp	loc_98DC49
; 

loc_98DAFE:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+2Dj
		xor	esi, esi
		mov	[ebp+var_C], esi
		test	edi, edi
		jz	short loc_98DB7F
		mov	ebx, eax

loc_98DB09:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+56j
		mov	eax, [ebp+var_14]
		push	dword ptr [eax+esi*4]
		push	ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		inc	esi
		add	ebx, 8
		cmp	esi, edi
		jb	short loc_98DB09
		mov	ebx, [ebp+var_8]
		lea	ecx, [edi-1]
		mov	eax, edi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], eax
		xor	esi, esi

loc_98DB2D:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+B5j
		test	ecx, ecx
		jz	short loc_98DB74
		mov	edi, ebx
		mov	ebx, ecx

loc_98DB35:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+A4j
		lea	eax, [edi+8]
		push	esi
		push	eax
		push	edi
		mov	[ebp+var_4], eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		mov	eax, [ebp+var_4]
		jle	short loc_98DB64
		mov	eax, [eax]
		mov	ecx, [edi]
		mov	edx, [edi+4]
		mov	[edi], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+4]
		mov	[edi+4], eax
		mov	eax, [ebp+var_4]
		mov	[eax], ecx
		mov	[eax+4], edx

loc_98DB64:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+83j
		mov	edi, eax
		sub	ebx, 1
		jnz	short loc_98DB35
		mov	ebx, [ebp+var_8]
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_14]

loc_98DB74:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+6Aj
		sub	eax, 1
		mov	[ebp+var_10], eax
		jnz	short loc_98DB2D
		mov	edi, [ebp+arg_0]

loc_98DB7F:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+40j
		mov	ecx, esi
		mov	edx, esi
		test	edi, edi
		jz	short loc_98DB92

loc_98DB87:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+CBj
		movzx	eax, word ptr [ebx+edx*8]
		add	ecx, eax
		inc	edx
		cmp	edx, edi
		jb	short loc_98DB87

loc_98DB92:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+C0j
		add	ecx, 2
		push	33706E50h
		mov	[ebp+var_4], ecx
		lea	eax, [ecx+6]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_14], ebx
		test	ebx, ebx
		jnz	short loc_98DBBB
		mov	esi, 0C000009Ah
		jmp	short loc_98DC30
; 

loc_98DBBB:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+EDj
		lea	edx, [ebx+4]
		mov	[ebp+var_10], edx
		mov	ecx, edx
		mov	[ebp+arg_0], ecx
		test	edi, edi
		jz	short loc_98DBFB
		mov	ebx, [ebp+var_8]

loc_98DBCD:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+12Ej
		mov	eax, [ebp+var_C]
		movzx	esi, word ptr [ebx+esi*8]
		push	esi		; size_t
		push	dword ptr [ebx+eax*8+4]	; void *
		push	ecx		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		add	ecx, esi
		mov	esi, [ebp+var_C]
		inc	esi
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_C], esi
		cmp	esi, edi
		jb	short loc_98DBCD
		mov	ebx, [ebp+var_14]
		mov	edx, [ebp+var_10]

loc_98DBFB:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+103j
		xor	eax, eax
		mov	[ecx], ax
		mov	eax, [ebp+var_4]
		mov	[ebx+2], ax
		xor	eax, eax
		inc	eax
		cmp	edi, eax
		ja	short loc_98DC15
		xor	ecx, ecx
		cmp	cx, [edx]
		jz	short loc_98DC18

loc_98DC15:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+147j
		push	2
		pop	eax

loc_98DC18:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+14Ej
		push	[ebp+arg_8]
		mov	edx, offset _IopExecuteHwpDefaultSelect@12 ; IopExecuteHwpDefaultSelect(x,x,x)
		mov	[ebx], ax
		push	[ebp+arg_4]
		push	ecx
		mov	ecx, ebx
		call	CmSetAcpiHwProfile
		mov	esi, eax

loc_98DC30:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+F4j
		mov	edi, 33706E50h
		push	edi
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jz	short loc_98DC49
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98DC49:				; CODE XREF: IopExecuteHardwareProfileChange(x,x,x,x,x)+34j
					; IopExecuteHardwareProfileChange(x,x,x,x,x)+17Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_IopExecuteHardwareProfileChange@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpRecordBlackboxDelayedRemoveWorkerInformation(x)
_PnpRecordBlackboxDelayedRemoveWorkerInformation@4 proc	near
					; CODE XREF: PnpRecordBlackbox(x,x):loc_764227p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	edi, edi
		xor	esi, esi
		call	KeQueryInterruptTime
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx
		test	ebx, ebx
		jz	loc_98DD0A
		push	40h
		pop	edi
		push	4B706E50h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_98DD0A
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		mov	edx, [ebp+var_8]
		mov	dword ptr [esi], 1
		mov	[esi+4], edi
		mov	eax, [ebx+0Ch]
		push	0
		push	2710h
		sub	ecx, [eax]
		sbb	edx, [eax+4]
		push	edx
		push	ecx
		call	__aulldiv
		mov	[esi+0Ch], eax
		xor	ecx, ecx
		mov	eax, [ebx+4]
		mov	[esi+18h], eax
		mov	[esi+1Ch], ecx
		mov	eax, [ebx+8]
		mov	[esi+20h], eax
		mov	[esi+24h], ecx
		mov	eax, [ebx]
		mov	[esi+10h], eax
		mov	eax, _PnpDeviceEventThread
		mov	[esi+28h], eax
		mov	[esi+14h], ecx
		mov	[esi+2Ch], ecx
		mov	eax, _PnpDeviceActionThread
		mov	[esi+30h], eax
		mov	eax, _PnpDelayedRemoveWorkerThread
		mov	[esi+34h], ecx
		mov	[esi+38h], eax
		mov	[esi+3Ch], ecx
		jmp	short loc_98DD0C
; 

loc_98DD0A:				; CODE XREF: PnpRecordBlackboxDelayedRemoveWorkerInformation(x)+26j
					; PnpRecordBlackboxDelayedRemoveWorkerInformation(x)+43j
		xor	ecx, ecx

loc_98DD0C:				; CODE XREF: PnpRecordBlackboxDelayedRemoveWorkerInformation(x)+B6j
		push	ecx
		push	ecx
		push	14h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_14], ecx
		push	eax
		push	5Eh
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], 0Bh
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], edi
		call	NtPowerInformation
		test	esi, esi
		jz	short loc_98DD3D
		push	4B706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98DD3D:				; CODE XREF: PnpRecordBlackboxDelayedRemoveWorkerInformation(x)+DEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PnpRecordBlackboxDelayedRemoveWorkerInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpRecordBlackboxPnpEventInformation(x, x, x, x)
_PnpRecordBlackboxPnpEventInformation@16 proc near
					; CODE XREF: PnpProcessQueryRemoveAndEject(x)+96p
					; PnpProcessQueryRemoveAndEject(x):loc_980081p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		xor	eax, eax
		mov	[ebp+var_14], edx
		push	ebx
		push	esi
		mov	ebx, eax
		mov	[ebp+var_34], eax
		push	edi
		mov	[ebp+var_2C], eax
		mov	edi, ecx
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_28]
		push	eax
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], ebx
		call	KeQuerySystemTime
		mov	eax, [edi+68h]
		test	eax, eax
		jz	short loc_98DD86
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_98DD88
; 

loc_98DD86:				; CODE XREF: PnpRecordBlackboxPnpEventInformation(x,x,x,x)+37j
		xor	eax, eax

loc_98DD88:				; CODE XREF: PnpRecordBlackboxPnpEventInformation(x,x,x,x)+42j
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_4], eax
		movzx	eax, word ptr [eax+14h]
		add	eax, 32h
		mov	[ebp+var_18], eax
		test	ecx, ecx
		jz	short loc_98DDBE
		lea	esi, [ecx+4]
		mov	[ebp+var_C], esi
		cmp	[ebp+arg_4], bl
		jnz	short loc_98DDBE
		test	esi, esi
		jz	short loc_98DDBE
		movzx	ecx, word ptr [esi]
		test	cx, cx
		jz	short loc_98DDBE
		cmp	[esi+4], ebx
		jz	short loc_98DDBE
		lea	ebx, [ecx+2]
		mov	[ebp+var_8], ebx

loc_98DDBE:				; CODE XREF: PnpRecordBlackboxPnpEventInformation(x,x,x,x)+58j
					; PnpRecordBlackboxPnpEventInformation(x,x,x,x)+63j ...
		lea	esi, [ebx+eax]
		push	4B706E50h
		push	esi
		push	200h
		mov	[ebp+var_1C], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_98DE9C
		xor	eax, eax
		push	esi		; size_t
		push	eax		; int
		push	ebx		; void *
		mov	[ebp+var_34], eax
		mov	[ebp+var_2C], eax
		call	_memset
		mov	eax, [ebp+var_28]
		lea	esi, [edi+34h]
		mov	edi, ebx
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_4]
		mov	[ebx+10h], eax
		mov	eax, [ebp+var_24]
		mov	[ebx+14h], eax
		mov	eax, [ebp+var_10]
		mov	eax, [eax+8]
		mov	[ebx+20h], eax
		mov	eax, [ebp+var_14]
		mov	[ebx+18h], eax
		mov	al, [ebp+arg_4]
		mov	[ebx+1Ch], al
		movzx	eax, word ptr [esi+14h]
		push	eax		; size_t
		push	dword ptr [esi+18h] ; void *
		lea	eax, [ebx+2Ch]
		push	eax		; void *
		call	_memcpy
		movzx	eax, word ptr [esi+14h]
		xor	ecx, ecx
		shr	eax, 1
		add	esp, 18h
		mov	[ebx+eax*2+2Ch], cx
		cmp	[ebp+var_8], ecx
		jbe	short loc_98DE70
		mov	eax, [ebp+arg_0]
		mov	edi, [ebp+var_C]
		mov	eax, [eax]
		mov	[ebx+24h], eax
		mov	eax, [ebp+var_18]
		mov	[ebx+28h], eax
		lea	esi, [eax+ebx]
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		push	esi		; void *
		call	_memcpy
		movzx	eax, word ptr [edi]
		add	esp, 0Ch
		shr	eax, 1
		xor	ecx, ecx
		mov	[esi+eax*2], cx

loc_98DE70:				; CODE XREF: PnpRecordBlackboxPnpEventInformation(x,x,x,x)+FDj
		mov	eax, [ebp+var_1C]
		push	0
		push	0
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_3C]
		push	14h
		push	eax
		push	5Eh
		mov	[ebp+var_30], 2
		mov	[ebp+var_3C], ebx
		call	NtPowerInformation
		push	4B706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98DE9C:				; CODE XREF: PnpRecordBlackboxPnpEventInformation(x,x,x,x)+96j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PnpRecordBlackboxPnpEventInformation@16 endp


;  S U B	R O U T	I N E 


; __stdcall PiCheckRemovalPreconditions(x, x)
_PiCheckRemovalPreconditions@8 proc near ; CODE	XREF: PnpProcessQueryRemoveAndEject(x)+9Fp
		mov	edi, edi
		push	ebx
		mov	ebx, edx
		push	esi
		xor	esi, esi
		push	edi
		mov	eax, [ebx+68h]
		test	eax, eax
		jz	short loc_98DEBE
		mov	eax, [eax+0B0h]
		mov	edi, [eax+14h]
		jmp	short loc_98DEC0
; 

loc_98DEBE:				; CODE XREF: PiCheckRemovalPreconditions(x,x)+Ej
		mov	edi, esi

loc_98DEC0:				; CODE XREF: PiCheckRemovalPreconditions(x,x)+19j
		call	_PiIsOrderlyRemoval@4 ;	PiIsOrderlyRemoval(x)
		test	al, al
		jz	short loc_98DEDE
		test	dword ptr [edi+10Ch], 1000h
		jz	short loc_98DEDE
		lea	eax, [edi+14h]
		xor	edx, edx
		push	eax
		inc	edx
		jmp	short loc_98DF12
; 

loc_98DEDE:				; CODE XREF: PiCheckRemovalPreconditions(x,x)+24j
					; PiCheckRemovalPreconditions(x,x)+30j
		test	ecx, ecx
		jnz	short loc_98DEF8
		cmp	dword ptr [ebx+8], 16h
		jnz	short loc_98DEF8
		cmp	[edi+184h], esi
		jbe	short loc_98DEF8
		lea	eax, [edi+14h]
		push	eax
		push	0Ah
		jmp	short loc_98DF11
; 

loc_98DEF8:				; CODE XREF: PiCheckRemovalPreconditions(x,x)+3Dj
					; PiCheckRemovalPreconditions(x,x)+43j	...
		cmp	dword ptr [edi+0ACh], 312h
		jnz	short loc_98DF1E
		test	ecx, ecx
		jnz	short loc_98DF1E
		cmp	dword ptr [ebx+8], 36h
		jnz	short loc_98DF1E
		push	esi
		push	0Dh

loc_98DF11:				; CODE XREF: PiCheckRemovalPreconditions(x,x)+53j
		pop	edx

loc_98DF12:				; CODE XREF: PiCheckRemovalPreconditions(x,x)+39j
		mov	ecx, ebx
		call	_PnpFinalizeVetoedRemove@12 ; PnpFinalizeVetoedRemove(x,x,x)
		mov	esi, 80000028h

loc_98DF1E:				; CODE XREF: PiCheckRemovalPreconditions(x,x)+5Fj
					; PiCheckRemovalPreconditions(x,x)+63j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_PiCheckRemovalPreconditions@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDetermineDeleteType(x)
_PiDetermineDeleteType@4 proc near	; CODE XREF: PnpProcessQueryRemoveAndEject(x)+82p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ecx+68h]
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], ecx
		push	edi
		test	ebx, ebx
		jz	short loc_98DF44
		mov	eax, [ebx+0B0h]
		mov	edi, [eax+14h]
		jmp	short loc_98DF46
; 

loc_98DF44:				; CODE XREF: PiDetermineDeleteType(x)+13j
		mov	edi, esi

loc_98DF46:				; CODE XREF: PiDetermineDeleteType(x)+1Ej
		push	10h		; size_t
		lea	eax, [ecx+48h]
		push	offset _GUID_DEVICE_EJECT ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_98DF61
		push	4
		jmp	short loc_98DFCB
; 

loc_98DF61:				; CODE XREF: PiDetermineDeleteType(x)+37j
		mov	eax, [ebp+var_4]
		test	byte ptr [eax+60h], 4
		jz	short loc_98DFCC
		test	byte ptr [edi+10Ch], 10h
		mov	eax, [edi+0B0h]
		jnz	short loc_98DFA9
		cmp	eax, 308h
		jz	short loc_98DFA5
		cmp	eax, 30Ah
		jz	short loc_98DFA5
		cmp	eax, 307h
		jz	short loc_98DFA5
		cmp	eax, 30Bh
		jz	short loc_98DFA5
		mov	eax, [ebx+0B0h]
		test	byte ptr [eax+10h], 4
		jnz	short loc_98DFA5
		push	2
		jmp	short loc_98DFCB
; 

loc_98DFA5:				; CODE XREF: PiDetermineDeleteType(x)+5Aj
					; PiDetermineDeleteType(x)+61j	...
		push	3
		jmp	short loc_98DFCB
; 

loc_98DFA9:				; CODE XREF: PiDetermineDeleteType(x)+53j
		cmp	eax, 308h
		jz	short loc_98DFC9
		cmp	eax, 30Ah
		jz	short loc_98DFC9
		cmp	eax, 307h
		jz	short loc_98DFC9
		cmp	eax, 30Bh
		jz	short loc_98DFC9
		push	6
		jmp	short loc_98DFCB
; 

loc_98DFC9:				; CODE XREF: PiDetermineDeleteType(x)+8Aj
					; PiDetermineDeleteType(x)+91j	...
		push	5

loc_98DFCB:				; CODE XREF: PiDetermineDeleteType(x)+3Bj
					; PiDetermineDeleteType(x)+7Fj	...
		pop	esi

loc_98DFCC:				; CODE XREF: PiDetermineDeleteType(x)+44j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PiDetermineDeleteType@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiEventAllocatePendingEjectRelations(x, x, x, x)
_PiEventAllocatePendingEjectRelations@16 proc near
					; CODE XREF: PnpProcessQueryRemoveAndEject(x)+56Fp

var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	20207050h
		mov	edi, ecx
		mov	[ebp+var_4], edx
		push	44h
		push	200h
		mov	ebx, [edi+68h]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_98E025
		mov	ecx, ebx
		mov	[esi+18h], edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebp+var_4]
		mov	cl, [ebp+arg_0]
		mov	[esi+20h], eax
		mov	[esi+1Ch], ebx
		mov	[esi+30h], cl
		mov	eax, [edi+60h]
		shr	eax, 3
		and	al, 1
		mov	[esi+31h], al
		mov	eax, [ebp+arg_4]
		mov	[esi+38h], eax

loc_98E025:				; CODE XREF: PiEventAllocatePendingEjectRelations(x,x,x,x)+26j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiEventAllocatePendingEjectRelations@16 endp


;  S U B	R O U T	I N E 


; __stdcall PiEventAllocateVetoBuffer(x)
_PiEventAllocateVetoBuffer@4 proc near	; CODE XREF: PnpProcessQueryRemoveAndEject(x)+FEp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, 4D706E50h
		xor	edx, edx
		push	ebx
		push	0Ch
		inc	edx
		mov	edi, ecx
		call	_PnpAllocateCriticalMemory@16 ;	PnpAllocateCriticalMemory(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_98E07E
		push	ebx
		mov	eax, 400h
		xor	edx, edx
		push	eax
		inc	edx
		mov	ecx, edi
		call	_PnpAllocateCriticalMemory@16 ;	PnpAllocateCriticalMemory(x,x,x,x)
		test	eax, eax
		jnz	short loc_98E06B
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		jmp	short loc_98E07E
; 

loc_98E06B:				; CODE XREF: PiEventAllocateVetoBuffer(x)+30j
		xor	ecx, ecx
		mov	[esi], ecx
		mov	[esi+4], ecx
		mov	ecx, 400h
		mov	[esi+6], cx
		mov	[esi+8], eax

loc_98E07E:				; CODE XREF: PiEventAllocateVetoBuffer(x)+1Bj
					; PiEventAllocateVetoBuffer(x)+3Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_PiEventAllocateVetoBuffer@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiEventAreDeviceRelationsExcluded(x)
_PiEventAreDeviceRelationsExcluded@4 proc near
					; CODE XREF: PnpProcessQueryRemoveAndEject(x)+184p
					; PiProcessQueryAndCancelRemoval(x,x,x,x,x,x,x)+1Ap
		cmp	ecx, 3
		jz	short loc_98E09B
		cmp	ecx, 5
		jz	short loc_98E09B
		cmp	ecx, 6
		jz	short loc_98E09B
		cmp	ecx, 2
		jz	short loc_98E09B
		xor	al, al
		retn
; 

loc_98E09B:				; CODE XREF: PiEventAreDeviceRelationsExcluded(x)+3j
					; PiEventAreDeviceRelationsExcluded(x)+8j ...
		mov	al, 1
		retn
_PiEventAreDeviceRelationsExcluded@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiEventBuildPdoList(x, x, x, x, x, x, x)
_PiEventBuildPdoList@28	proc near	; CODE XREF: PnpProcessQueryRemoveAndEject(x)+152p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_C]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_10], ecx
		push	esi
		mov	[eax], bl
		mov	esi, edx
		mov	eax, [ebp+arg_10]
		mov	edx, 200h
		push	edi
		push	4E706E50h
		mov	[ebp+var_8], ebx
		mov	[eax], bl
		mov	eax, [ecx]
		mov	ecx, esi
		mov	[ebp+var_4], ebx
		mov	eax, [eax]
		shl	eax, 2
		push	eax
		call	_PnpAllocateCriticalMemory@16 ;	PnpAllocateCriticalMemory(x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jnz	short loc_98E0EC
		mov	ebx, 0C000009Ah
		jmp	loc_98E1AA
; 

loc_98E0EC:				; CODE XREF: PiEventBuildPdoList(x,x,x,x,x,x,x)+42j
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_18], 1
		mov	[ebp+var_14], ebx
		mov	[edi], ebx

loc_98E0FB:				; CODE XREF: PiEventBuildPdoList(x,x,x,x,x,x,x)+85j
					; PiEventBuildPdoList(x,x,x,x,x,x,x)+EAj
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_4]
		push	ebx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebp+var_18]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	loc_98E1AA
		cmp	[ebp+var_4], ebx
		jnz	short loc_98E125
		cmp	esi, 4
		jz	short loc_98E125
		test	esi, esi
		jnz	short loc_98E0FB

loc_98E125:				; CODE XREF: PiEventBuildPdoList(x,x,x,x,x,x,x)+7Cj
					; PiEventBuildPdoList(x,x,x,x,x,x,x)+81j
		mov	edx, [ebp+var_8]
		test	edx, edx
		jz	short loc_98E137
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_98E139
; 

loc_98E137:				; CODE XREF: PiEventBuildPdoList(x,x,x,x,x,x,x)+8Cj
		mov	eax, ebx

loc_98E139:				; CODE XREF: PiEventBuildPdoList(x,x,x,x,x,x,x)+97j
		cmp	esi, 2
		jz	short loc_98E15C
		test	esi, esi
		jz	short loc_98E165
		mov	ecx, [eax+174h]
		cmp	ecx, 1
		jnz	short loc_98E152
		mov	ecx, [ebp+arg_C]
		jmp	short loc_98E159
; 

loc_98E152:				; CODE XREF: PiEventBuildPdoList(x,x,x,x,x,x,x)+ADj
		test	ecx, ecx
		jz	short loc_98E15C
		mov	ecx, [ebp+arg_10]

loc_98E159:				; CODE XREF: PiEventBuildPdoList(x,x,x,x,x,x,x)+B2j
		mov	byte ptr [ecx],	1

loc_98E15C:				; CODE XREF: PiEventBuildPdoList(x,x,x,x,x,x,x)+9Ej
					; PiEventBuildPdoList(x,x,x,x,x,x,x)+B6j
		test	esi, esi
		jz	short loc_98E165
		cmp	esi, 4
		jnz	short loc_98E17D

loc_98E165:				; CODE XREF: PiEventBuildPdoList(x,x,x,x,x,x,x)+A2j
					; PiEventBuildPdoList(x,x,x,x,x,x,x)+C0j
		test	dword ptr [eax+10Ch], 1000h
		jnz	short loc_98E196
		cmp	dword ptr [eax+0ACh], 311h
		jz	short loc_98E18D

loc_98E17D:				; CODE XREF: PiEventBuildPdoList(x,x,x,x,x,x,x)+C5j
		mov	eax, [edi]
		mov	ecx, [ebp+var_C]
		mov	[ecx+eax*4], edx
		inc	eax
		mov	[edi], eax
		jmp	loc_98E0FB
; 

loc_98E18D:				; CODE XREF: PiEventBuildPdoList(x,x,x,x,x,x,x)+DDj
		add	eax, 14h
		push	eax
		push	5
		pop	edx
		jmp	short loc_98E19D
; 

loc_98E196:				; CODE XREF: PiEventBuildPdoList(x,x,x,x,x,x,x)+D1j
		add	eax, 14h
		xor	edx, edx
		push	eax
		inc	edx

loc_98E19D:				; CODE XREF: PiEventBuildPdoList(x,x,x,x,x,x,x)+F6j
		mov	ecx, [ebp+arg_0]
		call	_PnpFinalizeVetoedRemove@12 ; PnpFinalizeVetoedRemove(x,x,x)
		mov	ebx, 80000028h

loc_98E1AA:				; CODE XREF: PiEventBuildPdoList(x,x,x,x,x,x,x)+49j
					; PiEventBuildPdoList(x,x,x,x,x,x,x)+73j
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+var_C]
		pop	edi
		pop	esi
		mov	[ecx], eax
		mov	eax, ebx
		pop	ebx
		leave
		retn	14h
_PiEventBuildPdoList@28	endp


;  S U B	R O U T	I N E 


; __stdcall PiEventFreeVetoBuffer(x)
_PiEventFreeVetoBuffer@4 proc near	; CODE XREF: PnpProcessQueryRemoveAndEject(x)+687p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, 4D706E50h
		push	edi
		push	dword ptr [esi+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+8], 0
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_PiEventFreeVetoBuffer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiEventRemovalPostSurpriseRemove(x,	x, x)
_PiEventRemovalPostSurpriseRemove@12 proc near
					; CODE XREF: PnpProcessQueryRemoveAndEject(x)+391p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	eax, [ebx+68h]
		test	eax, eax
		jz	short loc_98E1FE
		mov	eax, [eax+0B0h]
		mov	esi, [eax+14h]
		jmp	short loc_98E200
; 

loc_98E1FE:				; CODE XREF: PiEventRemovalPostSurpriseRemove(x,x,x)+14j
		xor	esi, esi

loc_98E200:				; CODE XREF: PiEventRemovalPostSurpriseRemove(x,x,x)+1Fj
		mov	edi, [ebp+arg_0]
		push	ecx
		mov	edx, [edi]
		call	_PnpUnlinkDeviceRemovalRelations@12 ; PnpUnlinkDeviceRemovalRelations(x,x,x)
		cmp	dword ptr [esi+8], 0
		jnz	short loc_98E224
		mov	eax, [esi+19Ch]
		inc	dword ptr [eax+1A0h]
		or	dword ptr [esi+19Ch], 1

loc_98E224:				; CODE XREF: PiEventRemovalPostSurpriseRemove(x,x,x)+32j
		push	[ebp+var_4]
		mov	ecx, [esi+10h]
		mov	edx, edi
		push	dword ptr [ebx+8]
		call	_PnpQueuePendingSurpriseRemoval@16 ; PnpQueuePendingSurpriseRemoval(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiEventRemovalPostSurpriseRemove@12 endp


;  S U B	R O U T	I N E 


; __stdcall PiGetTargetDeviceNode(x)
_PiGetTargetDeviceNode@4 proc near	; CODE XREF: PiProcessQueryRemoveNoFdo(x)+Ep
		mov	eax, [ecx+68h]
		test	eax, eax
		jz	short loc_98E24C
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		retn
; 

loc_98E24C:				; CODE XREF: PiGetTargetDeviceNode(x)+5j
		xor	eax, eax
		retn
_PiGetTargetDeviceNode@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiInvalidateSpeculativeRelations(x,	x)
_PiInvalidateSpeculativeRelations@8 proc near
					; CODE XREF: PnpProcessQueryRemoveAndEject(x)+379p
		mov	edi, edi
		push	esi
		mov	esi, edx
		cmp	ecx, 2
		jz	short loc_98E263
		cmp	ecx, 5
		jz	short loc_98E263
		cmp	ecx, 3
		jnz	short loc_98E278

loc_98E263:				; CODE XREF: PiInvalidateSpeculativeRelations(x,x)+8j
					; PiInvalidateSpeculativeRelations(x,x)+Dj
		push	0
		mov	edx, ecx
		mov	ecx, esi
		push	1
		call	_PnpInvalidateRelationsInList@16 ; PnpInvalidateRelationsInList(x,x,x,x)
		mov	ecx, esi
		pop	esi
		jmp	_IopRemoveDeviceRelationsFromList@4 ; IopRemoveDeviceRelationsFromList(x)
; 

loc_98E278:				; CODE XREF: PiInvalidateSpeculativeRelations(x,x)+12j
		pop	esi
		retn
_PiInvalidateSpeculativeRelations@8 endp


;  S U B	R O U T	I N E 


; __stdcall PiIsOrderlyRemoval(x)
_PiIsOrderlyRemoval@4 proc near		; CODE XREF: PnpProcessQueryRemoveAndEject(x)+28Bp
					; PiCheckRemovalPreconditions(x,x):loc_98DEC0p
		test	ecx, ecx
		jz	short loc_98E286
		cmp	ecx, 4
		jz	short loc_98E286
		xor	al, al
		retn
; 

loc_98E286:				; CODE XREF: PiIsOrderlyRemoval(x)+2j
					; PiIsOrderlyRemoval(x)+7j
		mov	al, 1
		retn
_PiIsOrderlyRemoval@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiIsSurpriseRemoval(x)
_PiIsSurpriseRemoval@4 proc near	; CODE XREF: PnpProcessQueryRemoveAndEject(x):loc_97FD09p
					; PnpProcessQueryRemoveAndEject(x)+380p
		cmp	ecx, 3
		jz	short loc_98E296
		cmp	ecx, 5
		jz	short loc_98E296
		xor	al, al
		retn
; 

loc_98E296:				; CODE XREF: PiIsSurpriseRemoval(x)+3j
					; PiIsSurpriseRemoval(x)+8j
		mov	al, 1
		retn
_PiIsSurpriseRemoval@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiProcessCanceledRemoveForReset(x, x, x, x)
_PiProcessCanceledRemoveForReset@16 proc near
					; CODE XREF: PnpProcessQueryRemoveAndEject(x)+2DAp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], ecx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_14], 1
		mov	[ebp+var_10], esi

loc_98E2BE:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+4Fj
					; PiProcessCanceledRemoveForReset(x,x,x,x)+58j
		push	esi
		push	esi
		lea	eax, [ebp+var_4]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_14]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	short loc_98E2F3
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_98E2E4
		mov	eax, [eax+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_98E2E6
; 

loc_98E2E4:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+3Ej
		mov	eax, esi

loc_98E2E6:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+49j
		test	eax, eax
		jz	short loc_98E2BE
		and	dword ptr [eax+1C8h], 0FFFFFFFDh
		jmp	short loc_98E2BE
; 

loc_98E2F3:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+37j
		mov	eax, [ebx+18h]
		mov	ecx, [eax+78h]
		mov	edx, ecx
		mov	eax, [edi]
		and	edx, 1
		and	ecx, 2
		cmp	dword ptr [eax], 1
		jnz	short loc_98E34D
		mov	ecx, [ebx+68h]
		test	ecx, ecx
		jz	short loc_98E31A
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_98E31C
; 

loc_98E31A:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+74j
		mov	eax, esi

loc_98E31C:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+7Fj
		cmp	dword ptr [eax+0ACh], 314h
		jnz	short loc_98E33D
		mov	eax, [ebp+arg_4]
		push	edi
		push	dword ptr [eax]
		push	[ebp+var_C]
		push	0Eh
		push	0CAh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_98E33D:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+8Dj
		or	dword ptr [ecx+1Ch], 4000000h
		xor	edx, edx
		call	_IopQueryDeviceState@8 ; IopQueryDeviceState(x,x)
		jmp	short loc_98E3B7
; 

loc_98E34D:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+6Dj
		test	dl, dl
		jz	short loc_98E359
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax], 5
		jz	short loc_98E35D

loc_98E359:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+B6j
		test	ecx, ecx
		jz	short loc_98E3B2

loc_98E35D:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+BEj
		xor	ebx, ebx
		mov	[ebp+var_10], esi
		inc	ebx
		mov	[ebp+var_14], ebx

loc_98E366:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+FBj
					; PiProcessCanceledRemoveForReset(x,x,x,x)+107j ...
		push	esi
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	edx, [ebp+var_14]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	short loc_98E3B7
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_98E38F
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_98E391
; 

loc_98E38F:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+E9j
		mov	eax, esi

loc_98E391:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+F4j
		cmp	[ebp+var_8], ebx
		jz	short loc_98E366
		cmp	dword ptr [eax+0ACh], 314h
		jz	short loc_98E366
		or	dword ptr [ecx+1Ch], 4000000h
		xor	edx, edx
		call	_IopQueryDeviceState@8 ; IopQueryDeviceState(x,x)
		jmp	short loc_98E366
; 

loc_98E3B2:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+C2j
		mov	esi, 80000028h

loc_98E3B7:				; CODE XREF: PiProcessCanceledRemoveForReset(x,x,x,x)+B2j
					; PiProcessCanceledRemoveForReset(x,x,x,x)+E2j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_PiProcessCanceledRemoveForReset@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiProcessQueryAndCancelRemoval(x, x, x, x, x, x, x)
_PiProcessQueryAndCancelRemoval@28 proc	near
					; CODE XREF: PnpProcessQueryRemoveAndEject(x)+2B3p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, edx
		mov	eax, ecx
		xor	edx, edx
		mov	[ebp+var_4], eax
		push	edi
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		call	_PiEventAreDeviceRelationsExcluded@4 ; PiEventAreDeviceRelationsExcluded(x)
		mov	byte ptr [ebp+var_14], al
		mov	edi, edx
		mov	eax, [ebp+arg_C]
		lea	edx, [ebp+var_8]
		push	edx
		mov	edx, [ebp+arg_10]
		lea	ecx, [eax+4]
		push	ecx
		mov	edx, [edx]
		push	eax
		mov	[ebp+var_C], ecx
		mov	ecx, esi
		push	(offset	loc_4055E5+3)
		call	_PnpNotifyUserModeDeviceRemoval@24 ; PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)
		mov	ebx, eax
		mov	eax, [ebp+arg_C]
		test	ebx, ebx
		jns	loc_98E4BE
		push	[ebp+var_C]
		mov	edx, [eax]
		mov	ecx, esi
		call	_PnpFinalizeVetoedRemove@12 ; PnpFinalizeVetoedRemove(x,x,x)
		mov	edi, [ebp+var_8]
		test	edi, edi
		jz	loc_98E529
		mov	eax, [ebp+arg_10]
		mov	eax, [eax]
		mov	edx, eax
		mov	[ebp+arg_0], eax

loc_98E432:				; CODE XREF: PiProcessQueryAndCancelRemoval(x,x,x,x,x,x,x)+94j
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[ebp+arg_C], eax

loc_98E43A:				; CODE XREF: PiProcessQueryAndCancelRemoval(x,x,x,x,x,x,x)+84j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_10]
		jnz	short loc_98E43A
		sub	ecx, [ebp+arg_C]
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2
		sub	edi, 1
		jnz	short loc_98E432
		mov	eax, [ebp+arg_0]
		sub	edx, eax
		mov	ecx, [ebp+var_4]
		sar	edx, 1
		mov	[ebp+arg_C], edx
		push	4B706E50h
		lea	eax, ds:2[edx*2]
		xor	edx, edx
		push	eax
		inc	edx
		mov	[ebp+arg_0], eax
		call	_PnpAllocateCriticalMemory@16 ;	PnpAllocateCriticalMemory(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_98E48B
		mov	ebx, 0C000009Ah
		jmp	loc_98E529
; 

loc_98E48B:				; CODE XREF: PiProcessQueryAndCancelRemoval(x,x,x,x,x,x,x)+BFj
		mov	eax, [ebp+arg_C]
		add	eax, eax
		push	eax		; size_t
		mov	eax, [ebp+arg_10]
		push	dword ptr [eax]	; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	edx, edi
		mov	[eax+edi-2], cx
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	offset _GUID_TARGET_DEVICE_REMOVE_CANCELLED
		mov	ecx, esi
		call	_PnpNotifyUserModeDeviceRemoval@24 ; PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)
		jmp	short loc_98E51A
; 

loc_98E4BE:				; CODE XREF: PiProcessQueryAndCancelRemoval(x,x,x,x,x,x,x)+4Bj
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PipProcessQueryRemovalInKernelMode@24 ; PipProcessQueryRemovalInKernelMode(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_98E4FF
		mov	eax, [ebp+arg_C]
		mov	ecx, esi
		push	[ebp+var_C]
		mov	edx, [eax]
		call	_PnpFinalizeVetoedRemove@12 ; PnpFinalizeVetoedRemove(x,x,x)
		xor	eax, eax
		mov	ecx, esi
		push	eax
		push	eax
		push	eax
		mov	eax, [ebp+arg_10]
		push	offset _GUID_TARGET_DEVICE_REMOVE_CANCELLED
		mov	edx, [eax]
		call	_PnpNotifyUserModeDeviceRemoval@24 ; PnpNotifyUserModeDeviceRemoval(x,x,x,x,x,x)
		jmp	short loc_98E529
; 

loc_98E4FF:				; CODE XREF: PiProcessQueryAndCancelRemoval(x,x,x,x,x,x,x)+116j
		cmp	dword ptr [esi+8], 36h
		jnz	short loc_98E529
		push	[ebp+arg_10]
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	[ebp+arg_0]
		push	[ebp+var_14]
		call	_PnpCancelRemoveOnHungDevices@20 ; PnpCancelRemoveOnHungDevices(x,x,x,x,x)
		mov	ebx, eax

loc_98E51A:				; CODE XREF: PiProcessQueryAndCancelRemoval(x,x,x,x,x,x,x)+FCj
		test	edi, edi
		jz	short loc_98E529
		push	4B706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98E529:				; CODE XREF: PiProcessQueryAndCancelRemoval(x,x,x,x,x,x,x)+62j
					; PiProcessQueryAndCancelRemoval(x,x,x,x,x,x,x)+C6j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	14h
_PiProcessQueryAndCancelRemoval@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiProcessQueryRemoveNoFdo(x)
_PiProcessQueryRemoveNoFdo@4 proc near	; CODE XREF: PnpProcessQueryRemoveAndEject(x)+F0p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	eax, ecx
		push	edi
		mov	[ebp+var_4], eax
		call	_PiGetTargetDeviceNode@4 ; PiGetTargetDeviceNode(x)
		mov	esi, eax
		xor	ebx, ebx
		mov	eax, [esi+0ACh]
		cmp	eax, 302h
		jz	short loc_98E55D
		cmp	eax, 312h
		jnz	short loc_98E5B9

loc_98E55D:				; CODE XREF: PiProcessQueryRemoveNoFdo(x)+22j
		mov	edi, [esi+10Ch]
		test	edi, 6000h
		jz	short loc_98E587
		mov	edx, [esi+114h]
		mov	ecx, esi
		call	_PipIsProblemReadonly@8	; PipIsProblemReadonly(x,x)
		test	eax, eax
		jnz	short loc_98E587
		call	PipClearDevNodeProblem
		mov	edi, [esi+10Ch]

loc_98E587:				; CODE XREF: PiProcessQueryRemoveNoFdo(x)+37j
					; PiProcessQueryRemoveNoFdo(x)+48j
		mov	edx, [ebp+var_4]
		mov	eax, [edx+60h]
		and	eax, 2
		test	edi, 6000h
		jnz	short loc_98E5B0
		mov	ecx, esi
		test	eax, eax
		jnz	short loc_98E5A5
		call	_PnpRestartDeviceNode@4	; PnpRestartDeviceNode(x)
		jmp	short loc_98E5B9
; 

loc_98E5A5:				; CODE XREF: PiProcessQueryRemoveNoFdo(x)+6Aj
		mov	edx, [edx+8]
		push	ebx
		call	_PipSetDevNodeProblem@12 ; PipSetDevNodeProblem(x,x,x)
		jmp	short loc_98E5B9
; 

loc_98E5B0:				; CODE XREF: PiProcessQueryRemoveNoFdo(x)+64j
		test	eax, eax
		jnz	short loc_98E5B9
		mov	ebx, 0C000000Dh

loc_98E5B9:				; CODE XREF: PiProcessQueryRemoveNoFdo(x)+29j
					; PiProcessQueryRemoveNoFdo(x)+71j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_PiProcessQueryRemoveNoFdo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiRestartRemovalRelations(x, x, x)
_PiRestartRemovalRelations@12 proc near	; CODE XREF: PnpProcessQueryRemoveAndEject(x)+433p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_14], 1
		mov	edi, ecx

loc_98E5E2:				; CODE XREF: PiRestartRemovalRelations(x,x,x)+68j
					; PiRestartRemovalRelations(x,x,x)+79j	...
		push	0
		lea	eax, [ebp+var_8]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	edx, [ebp+var_14]
		call	_IopEnumerateRelations@20 ; IopEnumerateRelations(x,x,x,x,x)
		test	al, al
		jz	loc_98E6A0
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_98E610
		mov	eax, [ecx+0B0h]
		mov	esi, [eax+14h]
		jmp	short loc_98E612
; 

loc_98E610:				; CODE XREF: PiRestartRemovalRelations(x,x,x)+43j
		xor	esi, esi

loc_98E612:				; CODE XREF: PiRestartRemovalRelations(x,x,x)+4Ej
		cmp	dword ptr [edi+8], 36h
		jnz	short loc_98E63B
		cmp	[ebp+var_8], 1
		jz	short loc_98E63B
		cmp	dword ptr [esi+0ACh], 314h
		jz	short loc_98E5E2
		or	dword ptr [ecx+1Ch], 4000000h
		lea	edx, [ebp+var_C]
		call	_IopQueryDeviceState@8 ; IopQueryDeviceState(x,x)
		jmp	short loc_98E5E2
; 

loc_98E63B:				; CODE XREF: PiRestartRemovalRelations(x,x,x)+56j
					; PiRestartRemovalRelations(x,x,x)+5Cj
		cmp	ecx, [ebp+arg_0]
		jnz	short loc_98E674
		test	byte ptr [edi+60h], 2
		jnz	short loc_98E5E2
		cmp	dword ptr [esi+0ACh], 312h
		jnz	short loc_98E5E2
		test	dword ptr [esi+10Ch], 2000h
		jz	short loc_98E5E2
		cmp	dword ptr [esi+114h], 15h
		jnz	loc_98E5E2
		mov	ecx, esi
		call	PipClearDevNodeProblem
		jmp	short loc_98E694
; 

loc_98E674:				; CODE XREF: PiRestartRemovalRelations(x,x,x)+7Ej
		test	dword ptr [esi+10Ch], 6000h
		jnz	loc_98E5E2
		cmp	dword ptr [esi+0ACh], 312h
		jnz	loc_98E5E2

loc_98E694:				; CODE XREF: PiRestartRemovalRelations(x,x,x)+B2j
		mov	ecx, esi
		call	_PnpRestartDeviceNode@4	; PnpRestartDeviceNode(x)
		jmp	loc_98E5E2
; 

loc_98E6A0:				; CODE XREF: PiRestartRemovalRelations(x,x,x)+38j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PiRestartRemovalRelations@12 endp


;  S U B	R O U T	I N E 


; __stdcall PiSendTargetDeviceRemoveCanceledNotification(x, x)
_PiSendTargetDeviceRemoveCanceledNotification@8	proc near
					; CODE XREF: PipProcessQueryRemovalInKernelMode(x,x,x,x,x,x)+47p
					; PipSendTargetDeviceQueryRemoveNotification(x,x,x,x)+C0p
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, edx
		push	edi
		test	esi, esi
		jz	short loc_98E700
		lea	edi, [ecx-4]
		lea	edi, [edi+esi*4]

loc_98E6B8:				; CODE XREF: PiSendTargetDeviceRemoveCanceledNotification(x,x)+57j
		mov	edx, [edi]
		test	edx, edx
		jz	short loc_98E6C9
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_98E6CB
; 

loc_98E6C9:				; CODE XREF: PiSendTargetDeviceRemoveCanceledNotification(x,x)+15j
		xor	eax, eax

loc_98E6CB:				; CODE XREF: PiSendTargetDeviceRemoveCanceledNotification(x,x)+20j
		test	eax, eax
		jz	short loc_98E6EA
		mov	eax, [eax+0ACh]
		cmp	eax, 312h
		jz	short loc_98E6F8
		cmp	eax, 302h
		jz	short loc_98E6F8
		cmp	eax, 301h
		jz	short loc_98E6F8

loc_98E6EA:				; CODE XREF: PiSendTargetDeviceRemoveCanceledNotification(x,x)+26j
		push	0
		push	0
		mov	ecx, offset _GUID_TARGET_DEVICE_REMOVE_CANCELLED
		call	PnpNotifyTargetDeviceChange

loc_98E6F8:				; CODE XREF: PiSendTargetDeviceRemoveCanceledNotification(x,x)+33j
					; PiSendTargetDeviceRemoveCanceledNotification(x,x)+3Aj ...
		sub	edi, 4
		sub	esi, 1
		jnz	short loc_98E6B8

loc_98E700:				; CODE XREF: PiSendTargetDeviceRemoveCanceledNotification(x,x)+9j
		pop	edi
		pop	esi
		pop	ecx
		retn
_PiSendTargetDeviceRemoveCanceledNotification@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSendTargetDeviceRemoveCompleteNotification(x, x, x)
_PiSendTargetDeviceRemoveCompleteNotification@12 proc near
					; CODE XREF: PnpProcessQueryRemoveAndEject(x)+370p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		cmp	[ebp+arg_0], esi
		jbe	short loc_98E75A

loc_98E717:				; CODE XREF: PiSendTargetDeviceRemoveCompleteNotification(x,x,x)+54j
		mov	edx, [edi+esi*4]
		test	edx, edx
		jz	short loc_98E729
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_98E72B
; 

loc_98E729:				; CODE XREF: PiSendTargetDeviceRemoveCompleteNotification(x,x,x)+18j
		xor	eax, eax

loc_98E72B:				; CODE XREF: PiSendTargetDeviceRemoveCompleteNotification(x,x,x)+23j
		test	ebx, ebx
		jnz	short loc_98E73C
		test	eax, eax
		jz	short loc_98E73C
		test	byte ptr [eax+1C8h], 2
		jnz	short loc_98E754

loc_98E73C:				; CODE XREF: PiSendTargetDeviceRemoveCompleteNotification(x,x,x)+29j
					; PiSendTargetDeviceRemoveCompleteNotification(x,x,x)+2Dj
		or	dword ptr [eax+1C8h], 4000h
		mov	ecx, offset _GUID_TARGET_DEVICE_REMOVE_COMPLETE
		push	0
		push	0
		call	PnpNotifyTargetDeviceChange

loc_98E754:				; CODE XREF: PiSendTargetDeviceRemoveCompleteNotification(x,x,x)+36j
		inc	esi
		cmp	esi, [ebp+arg_0]
		jb	short loc_98E717

loc_98E75A:				; CODE XREF: PiSendTargetDeviceRemoveCompleteNotification(x,x,x)+11j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PiSendTargetDeviceRemoveCompleteNotification@12 endp


;  S U B	R O U T	I N E 


; __stdcall PiValidateEjectionRequest(x, x)
_PiValidateEjectionRequest@8 proc near	; CODE XREF: PnpProcessQueryRemoveAndEject(x)+B9p
		test	dword ptr [ecx+10Ch], 80000h
		jnz	short loc_98E795
		mov	eax, [ecx+174h]
		cmp	eax, 3
		jz	short loc_98E795
		cmp	eax, 4
		jz	short loc_98E795
		test	byte ptr [ecx+170h], 10h
		jnz	short loc_98E78F
		mov	eax, 80000028h
		mov	byte ptr [edx],	0
		retn
; 

loc_98E78F:				; CODE XREF: PiValidateEjectionRequest(x,x)+23j
		xor	eax, eax
		mov	byte ptr [edx],	1
		retn
; 

loc_98E795:				; CODE XREF: PiValidateEjectionRequest(x,x)+Aj
					; PiValidateEjectionRequest(x,x)+15j ...
		xor	eax, eax
		mov	[edx], al
		retn
_PiValidateEjectionRequest@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipEventRemovalCheckOpenHandles(x, x, x)
_PipEventRemovalCheckOpenHandles@12 proc near
					; CODE XREF: PipSendQueryRemoveIrpAndCheckOpenHandles(x,x,x,x,x,x)+8Fp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		or	[ebp+var_C], 0FFFFFFFFh
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], 0FFF0BDC0h
		mov	edi, 80000011h
		xor	esi, esi

loc_98E7BE:				; CODE XREF: PipEventRemovalCheckOpenHandles(x,x,x)+53j
		test	esi, esi
		jz	short loc_98E7D2
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	eax, [ebp+var_4]

loc_98E7D2:				; CODE XREF: PipEventRemovalCheckOpenHandles(x,x,x)+26j
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	ecx, eax
		push	0
		push	1
		call	_PnpIsChainDereferenced@20 ; PnpIsChainDereferenced(x,x,x,x,x)
		test	eax, eax
		jz	short loc_98E7F1
		mov	eax, [ebp+var_4]
		inc	esi
		cmp	esi, 32h
		jb	short loc_98E7BE
		jmp	short loc_98E7F3
; 

loc_98E7F1:				; CODE XREF: PipEventRemovalCheckOpenHandles(x,x,x)+4Aj
		xor	edi, edi

loc_98E7F3:				; CODE XREF: PipEventRemovalCheckOpenHandles(x,x,x)+55j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PipEventRemovalCheckOpenHandles@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipProcessQueryRemovalInKernelMode(x, x, x,	x, x, x)
_PipProcessQueryRemovalInKernelMode@24 proc near
					; CODE XREF: PiProcessQueryAndCancelRemoval(x,x,x,x,x,x,x)+10Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	[ebp+arg_C]
		mov	esi, edx
		mov	edi, ecx
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_PipSendTargetDeviceQueryRemoveNotification@16 ; PipSendTargetDeviceQueryRemoveNotification(x,x,x,x)
		test	eax, eax
		jns	short loc_98E822
		mov	esi, 80000028h
		jmp	short loc_98E848
; 

loc_98E822:				; CODE XREF: PipProcessQueryRemovalInKernelMode(x,x,x,x,x,x)+1Dj
		push	[ebp+arg_C]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PipSendQueryRemoveIrpAndCheckOpenHandles@24 ; PipSendQueryRemoveIrpAndCheckOpenHandles(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_98E848
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		call	_PiSendTargetDeviceRemoveCanceledNotification@8	; PiSendTargetDeviceRemoveCanceledNotification(x,x)

loc_98E848:				; CODE XREF: PipProcessQueryRemovalInKernelMode(x,x,x,x,x,x)+24j
					; PipProcessQueryRemovalInKernelMode(x,x,x,x,x,x)+3Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
_PipProcessQueryRemovalInKernelMode@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PipRecordOpenHandleVeto(int,int,int,int,int)
_PipRecordOpenHandleVeto@20 proc near	; CODE XREF: PipSendQueryRemoveIrpAndCheckOpenHandles(x,x,x,x,x,x)+A8p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	eax, edx
		push	[ebp+arg_4]	; int
		mov	edx, ecx	; int
		mov	ecx, eax	; int
		mov	dword ptr [edi], 5
		call	_PnpCollectOpenHandles@12 ; PnpCollectOpenHandles(x,x,x)
		cmp	[ebp+arg_0], 0
		jz	short loc_98E8A6
		push	[ebp+arg_0]
		call	_IoGetDeviceAttachmentBaseRef@4	; IoGetDeviceAttachmentBaseRef(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_98E88E
		mov	ecx, [esi+0B0h]
		mov	eax, [ecx+14h]
		jmp	short loc_98E890
; 

loc_98E88E:				; CODE XREF: PipRecordOpenHandleVeto(x,x,x,x,x)+31j
		xor	eax, eax

loc_98E890:				; CODE XREF: PipRecordOpenHandleVeto(x,x,x,x,x)+3Cj
		add	eax, 14h
		push	eax
		lea	eax, [edi+4]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_98E8B1
; 

loc_98E8A6:				; CODE XREF: PipRecordOpenHandleVeto(x,x,x,x,x)+23j
		push	0
		lea	eax, [edi+4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_98E8B1:				; CODE XREF: PipRecordOpenHandleVeto(x,x,x,x,x)+54j
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	0Ch
_PipRecordOpenHandleVeto@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipSendQueryRemoveIrpAndCheckOpenHandles(x,	x, x, x, x, x)
_PipSendQueryRemoveIrpAndCheckOpenHandles@24 proc near
					; CODE XREF: PipProcessQueryRemovalInKernelMode(x,x,x,x,x,x)+36p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_B		= word ptr -0Bh
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		mov	edi, [edx+68h]
		lea	eax, [ebx+4]
		mov	[ebp+var_8], ecx
		push	eax
		push	ebx
		push	dword ptr [edx+0Ch]
		mov	ecx, edi
		push	dword ptr [edx+8]
		mov	edx, [ebp+arg_0]
		push	1
		push	0
		call	_PnpDeleteLockedDeviceNodes@32 ; PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)
		mov	esi, eax
		xor	ecx, ecx
		xor	eax, eax
		mov	[ebp+var_9], cl
		mov	[ebp+var_B], ax
		mov	eax, [ebp+var_8]
		cmp	eax, 4
		jz	short loc_98E902
		test	eax, eax
		jnz	short loc_98E906

loc_98E902:				; CODE XREF: PipSendQueryRemoveIrpAndCheckOpenHandles(x,x,x,x,x,x)+44j
		mov	byte ptr [ebp+var_B], 1

loc_98E906:				; CODE XREF: PipSendQueryRemoveIrpAndCheckOpenHandles(x,x,x,x,x,x)+48j
		test	edi, edi
		jz	short loc_98E915
		mov	eax, [edi+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_98E917
; 

loc_98E915:				; CODE XREF: PipSendQueryRemoveIrpAndCheckOpenHandles(x,x,x,x,x,x)+50j
		mov	eax, ecx

loc_98E917:				; CODE XREF: PipSendQueryRemoveIrpAndCheckOpenHandles(x,x,x,x,x,x)+5Bj
		add	eax, 14h
		mov	[ebp+var_10], ecx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], eax
		mov	eax, _NtGlobalFlag
		shr	eax, 0Eh
		and	al, 1
		mov	[ebp+var_20], ecx
		mov	[ebp+var_C], al
		test	esi, esi
		js	short loc_98E980
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_8]
		push	eax
		call	_PipEventRemovalCheckOpenHandles@12 ; PipEventRemovalCheckOpenHandles(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_98E994
		mov	edx, [ebp+arg_8] ; int
		lea	eax, [ebp+var_20]
		mov	ecx, [ebp+arg_4] ; int
		push	ebx		; int
		push	eax		; int
		push	[ebp+var_4]	; int
		call	_PipRecordOpenHandleVeto@20 ; PipRecordOpenHandleVeto(x,x,x,x,x)
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	1
		push	1
		mov	ecx, edi
		call	_PnpDeleteLockedDeviceNodes@32 ; PnpDeleteLockedDeviceNodes(x,x,x,x,x,x,x,x)
		mov	esi, 80000028h
		jmp	short loc_98E994
; 

loc_98E980:				; CODE XREF: PipSendQueryRemoveIrpAndCheckOpenHandles(x,x,x,x,x,x)+83j
		cmp	dword ptr [ebx], 6
		jnz	short loc_98E994
		mov	edx, [ebp+arg_4] ; int
		lea	eax, [ebp+var_20]
		mov	ecx, [ebp+arg_8] ; int
		push	eax		; int
		call	_PnpCollectOpenHandles@12 ; PnpCollectOpenHandles(x,x,x)

loc_98E994:				; CODE XREF: PipSendQueryRemoveIrpAndCheckOpenHandles(x,x,x,x,x,x)+98j
					; PipSendQueryRemoveIrpAndCheckOpenHandles(x,x,x,x,x,x)+C6j ...
		cmp	byte ptr [ebp+var_B], 0
		jz	short loc_98E9AD
		mov	ecx, [ebp+var_1C]
		lea	edx, [ebp+var_18]
		call	_PnpLogVetoInformation@8 ; PnpLogVetoInformation(x,x)
		lea	ecx, [ebp+var_18]
		call	_PnpFreeVetoInformation@4 ; PnpFreeVetoInformation(x)

loc_98E9AD:				; CODE XREF: PipSendQueryRemoveIrpAndCheckOpenHandles(x,x,x,x,x,x)+E0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PipSendQueryRemoveIrpAndCheckOpenHandles@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipSendTargetDeviceQueryRemoveNotification(x, x, x,	x)
_PipSendTargetDeviceQueryRemoveNotification@16 proc near
					; CODE XREF: PipProcessQueryRemovalInKernelMode(x,x,x,x,x,x)+16p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		mov	eax, edx
		and	[ebp+var_4], ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], eax
		push	edi
		mov	edi, ecx
		cmp	[ebp+arg_0], ebx
		jbe	loc_98EA7B

loc_98E9D8:				; CODE XREF: PipSendTargetDeviceQueryRemoveNotification(x,x,x,x)+7Aj
		mov	edx, [eax+esi*4]
		test	edx, edx
		jz	short loc_98E9EA
		mov	eax, [edx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_98E9EC
; 

loc_98E9EA:				; CODE XREF: PipSendTargetDeviceQueryRemoveNotification(x,x,x,x)+27j
		xor	eax, eax

loc_98E9EC:				; CODE XREF: PipSendTargetDeviceQueryRemoveNotification(x,x,x,x)+32j
		test	eax, eax
		jz	short loc_98EA0B
		mov	eax, [eax+0ACh]
		cmp	eax, 312h
		jz	short loc_98EA27
		cmp	eax, 302h
		jz	short loc_98EA27
		cmp	eax, 301h
		jz	short loc_98EA27

loc_98EA0B:				; CODE XREF: PipSendTargetDeviceQueryRemoveNotification(x,x,x,x)+38j
		cmp	byte ptr [edi+2Ch], 0
		jnz	short loc_98EA32
		lea	eax, [ebp+var_4]
		mov	ecx, (offset loc_4055E5+3)
		push	eax
		push	0
		call	PnpNotifyTargetDeviceChange
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_98EA37

loc_98EA27:				; CODE XREF: PipSendTargetDeviceQueryRemoveNotification(x,x,x,x)+45j
					; PipSendTargetDeviceQueryRemoveNotification(x,x,x,x)+4Cj ...
		inc	esi
		cmp	esi, [ebp+arg_0]
		jnb	short loc_98EA7B
		mov	eax, [ebp+var_8]
		jmp	short loc_98E9D8
; 

loc_98EA32:				; CODE XREF: PipSendTargetDeviceQueryRemoveNotification(x,x,x,x)+59j
		mov	ebx, 0C0000120h

loc_98EA37:				; CODE XREF: PipSendTargetDeviceQueryRemoveNotification(x,x,x,x)+6Fj
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_4]
		mov	dword ptr [ecx], 7
		lea	edi, [ecx+4]
		test	eax, eax
		jz	short loc_98EA56
		add	eax, 1Ch
		push	eax
		push	edi
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		jmp	short loc_98EA6C
; 

loc_98EA56:				; CODE XREF: PipSendTargetDeviceQueryRemoveNotification(x,x,x,x)+92j
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		push	0		; int
		push	dword ptr [ecx+8] ; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	[edi], ax

loc_98EA6C:				; CODE XREF: PipSendTargetDeviceQueryRemoveNotification(x,x,x,x)+9Ej
		test	esi, esi
		jz	short loc_98EA7B
		mov	ecx, [ebp+var_8]
		lea	edx, [esi-1]
		call	_PiSendTargetDeviceRemoveCanceledNotification@8	; PiSendTargetDeviceRemoveCanceledNotification(x,x)

loc_98EA7B:				; CODE XREF: PipSendTargetDeviceQueryRemoveNotification(x,x,x,x)+1Cj
					; PipSendTargetDeviceQueryRemoveNotification(x,x,x,x)+75j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_PipSendTargetDeviceQueryRemoveNotification@16 endp


;  S U B	R O U T	I N E 


; __stdcall PiDmaGuardQueueFlush(x)
_PiDmaGuardQueueFlush@4	proc near	; CODE XREF: PipDmgFlushQueueAndRestartDevices()+28p
		mov	edi, edi
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _PipDgqListLock
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	edx, offset _PipDgqListHead

loc_98EAAB:				; CODE XREF: PiDmaGuardQueueFlush(x)+56j
		mov	eax, _PipDgqListHead
		cmp	eax, edx
		jz	short loc_98EAE1
		cmp	[eax+4], edx
		jnz	short loc_98EADC
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_98EADC
		mov	_PipDgqListHead, ecx
		mov	[ecx+4], edx
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_98EADC
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esi+4], eax
		jmp	short loc_98EAAB
; 

loc_98EADC:				; CODE XREF: PiDmaGuardQueueFlush(x)+33j
					; PiDmaGuardQueueFlush(x)+3Aj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_98EAE1:				; CODE XREF: PiDmaGuardQueueFlush(x)+2Ej
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ecx
		retn
_PiDmaGuardQueueFlush@4	endp


;  S U B	R O U T	I N E 


; __stdcall PiDmaGuardQueueFree(x)
_PiDmaGuardQueueFree@4 proc near	; CODE XREF: PipDmgFlushQueueAndRestartDevices()+47p
		mov	edi, edi
		push	esi
		mov	esi, ecx

loc_98EAFD:				; CODE XREF: PiDmaGuardQueueFree(x)+21j
		mov	ecx, [esi]
		cmp	ecx, esi
		jz	short loc_98EB20
		cmp	[ecx+4], esi
		jnz	short loc_98EB1B
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_98EB1B
		mov	[esi], eax
		mov	[eax+4], esi
		call	_PipDgqFreeEntry@4 ; PipDgqFreeEntry(x)
		jmp	short loc_98EAFD
; 

loc_98EB1B:				; CODE XREF: PiDmaGuardQueueFree(x)+Ej
					; PiDmaGuardQueueFree(x)+15j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_98EB20:				; CODE XREF: PiDmaGuardQueueFree(x)+9j
		pop	esi
		retn
_PiDmaGuardQueueFree@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiDmaGuardQueueInsertEntry(x)
_PiDmaGuardQueueInsertEntry@4 proc near	; CODE XREF: PiDmaGuardProcessPostRemove(x,x,x)+E8p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, 64706E50h
		mov	edi, ecx
		push	ebx
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_98EB55
		mov	edx, ebx
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		mov	ecx, esi
		mov	[esi+8], edi
		call	_PipDgqInsertEntry@4 ; PipDgqInsertEntry(x)
		xor	eax, eax
		jmp	short loc_98EB5A
; 

loc_98EB55:				; CODE XREF: PiDmaGuardQueueInsertEntry(x)+1Aj
		mov	eax, 0C000009Ah

loc_98EB5A:				; CODE XREF: PiDmaGuardQueueInsertEntry(x)+31j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PiDmaGuardQueueInsertEntry@4 endp


;  S U B	R O U T	I N E 


; __stdcall PipDgqFreeEntry(x)
_PipDgqFreeEntry@4 proc	near		; CODE XREF: PiDmaGuardQueueRemoveEntry(x)+64p
					; PiDmaGuardQueueFree(x)+1Cp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 64706E50h
		mov	edx, edi
		mov	ecx, [esi+8]
		call	ObfDereferenceObjectWithTag
		and	dword ptr [esi+8], 0
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_PipDgqFreeEntry@4 endp


;  S U B	R O U T	I N E 


; __stdcall PipDgqInsertEntry(x)
_PipDgqInsertEntry@4 proc near		; CODE XREF: PiDmaGuardQueueInsertEntry(x)+2Ap
		mov	edi, edi
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _PipDgqListLock
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	eax, dword_6CB52C
		mov	ecx, offset _PipDgqListHead
		cmp	[eax], ecx
		jz	short loc_98EBB6
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_98EBB6:				; CODE XREF: PipDgqInsertEntry(x)+2Ej
		mov	[esi], ecx
		mov	ecx, edi
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6CB52C, esi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ecx
		retn
_PipDgqInsertEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopQueryConflictFillConflicts(x, x,	x, x, x, x)
_IopQueryConflictFillConflicts@24 proc near
					; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+1D0p
					; IopQueryConflictListInternal(x,x,x,x,x,x)+202p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_1C], ecx
		xor	edx, edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_C], edx
		push	esi
		push	edi
		test	ebx, ebx
		jz	short loc_98EC57
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		imul	eax, ebx, 18h
		inc	esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], edi
		add	eax, 0FFFFFFE8h
		add	eax, edi
		mov	[ebp+var_10], eax

loc_98EC0D:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+79j
		mov	edx, [edi]
		mov	ecx, [ebp+var_1C]
		call	_IopEliminateBogusConflict@8 ; IopEliminateBogusConflict(x,x)
		test	al, al
		jz	short loc_98EC40
		mov	eax, [ebp+var_10]
		cmp	esi, ebx
		jnb	short loc_98EC2F
		push	6
		pop	ecx
		mov	esi, eax
		rep movsd
		mov	edi, [ebp+var_14]
		mov	esi, [ebp+var_18]

loc_98EC2F:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+46j
		sub	eax, 18h
		dec	ebx
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_C]
		dec	eax
		dec	esi
		sub	edi, 18h
		jmp	short loc_98EC43
; 

loc_98EC40:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+3Fj
		mov	eax, [ebp+var_C]

loc_98EC43:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+64j
		inc	eax
		add	edi, 18h
		inc	esi
		mov	[ebp+var_C], eax
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], edi
		cmp	eax, ebx
		jb	short loc_98EC0D

loc_98EC55:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+167j
		xor	edx, edx

loc_98EC57:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+1Aj
		mov	esi, [ebp+arg_0]
		xor	ecx, ecx
		mov	edi, edx
		mov	[ebp+var_4], esi
		inc	ecx
		mov	eax, esi

loc_98EC64:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+133j
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_10], edi
		cmp	edi, ebx
		jnb	loc_98ED46
		cmp	[eax], edx
		jz	loc_98ED05
		mov	edi, ecx
		mov	[ebp+var_18], edi
		cmp	ecx, ebx
		jnb	short loc_98ED02
		inc	ecx
		add	esi, 0FFFFFFE8h
		mov	[ebp+var_8], ecx
		lea	ecx, [eax+18h]
		imul	eax, ebx, 18h
		mov	[ebp+var_C], ecx
		add	eax, esi
		mov	esi, [ebp+var_4]
		mov	[ebp+var_14], eax

loc_98EC9B:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+11Bj
		mov	edx, [ecx]
		mov	ecx, [esi]
		call	_IopEliminateBogusConflict@8 ; IopEliminateBogusConflict(x,x)
		test	al, al
		jz	short loc_98ECCF
		mov	edx, [ebp+var_8]
		cmp	edx, ebx
		jnb	short loc_98ECC0
		mov	esi, [ebp+var_14]
		mov	edi, [ebp+var_C]
		push	6
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_18]
		mov	esi, [ebp+var_4]

loc_98ECC0:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+D3j
		sub	[ebp+var_14], 18h
		dec	ebx
		mov	ecx, [ebp+var_C]
		dec	edi
		dec	edx
		sub	ecx, 18h
		jmp	short loc_98ECE5
; 

loc_98ECCF:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+CCj
		mov	eax, [ebp+var_C]
		mov	edx, [esi]
		mov	ecx, [eax]
		call	_IopEliminateBogusConflict@8 ; IopEliminateBogusConflict(x,x)
		test	al, al
		jnz	short loc_98ED12
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_8]

loc_98ECE5:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+F3j
		inc	edi
		add	ecx, 18h
		inc	edx
		mov	[ebp+var_18], edi
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], ecx
		cmp	edi, ebx
		jb	short loc_98EC9B
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_1C]

loc_98ED02:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+A7j
		mov	edi, [ebp+var_10]

loc_98ED05:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+9Aj
		inc	edi
		inc	ecx
		add	eax, 18h
		mov	[ebp+var_4], eax
		jmp	loc_98EC64
; 

loc_98ED12:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+103j
		mov	eax, [ebp+var_18]
		imul	edx, edi, 18h
		imul	edi, [ebp+var_10], 18h
		push	6
		pop	ecx
		add	edx, [ebp+arg_0]
		add	edi, [ebp+arg_0]
		mov	esi, edx
		inc	eax
		rep movsd
		cmp	eax, ebx
		jnb	short loc_98ED40
		mov	esi, [ebp+arg_0]
		mov	edi, edx
		imul	eax, ebx, 18h
		add	esi, 0FFFFFFE8h
		push	6
		pop	ecx
		add	esi, eax
		rep movsd

loc_98ED40:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+152j
		dec	ebx
		jmp	loc_98EC55
; 

loc_98ED46:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+92j
		mov	[ebp+var_8], ebx
		mov	edi, edx
		mov	[ebp+var_10], edi
		test	ebx, ebx
		jz	loc_98EDED
		mov	eax, esi

loc_98ED58:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+192j
		lea	ecx, [edi+1]
		mov	[ebp+var_18], ecx
		cmp	[eax], edx
		jz	short loc_98ED70
		mov	edi, ecx
		add	eax, 18h
		mov	[ebp+var_10], edi
		cmp	edi, ebx
		jb	short loc_98ED58
		jmp	short loc_98EDED
; 

loc_98ED70:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+186j
		cmp	ecx, ebx
		jnb	short loc_98EDCA
		lea	eax, [ecx+1]
		imul	edi, ecx, 18h
		mov	[ebp+var_C], eax
		imul	eax, ebx, 18h
		add	edi, esi
		mov	[ebp+var_14], edi
		add	eax, 0FFFFFFE8h
		add	esi, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_1C], esi

loc_98ED90:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+1E5j
		cmp	[edi], edx
		jnz	short loc_98EDB2
		cmp	eax, ebx
		jnb	short loc_98EDA6
		push	6
		pop	ecx
		rep movsd
		mov	ecx, [ebp+var_18]
		mov	edi, [ebp+var_14]
		mov	esi, [ebp+var_1C]

loc_98EDA6:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+1BCj
		sub	esi, 18h
		dec	ebx
		dec	ecx
		mov	[ebp+var_1C], esi
		dec	eax
		sub	edi, 18h

loc_98EDB2:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+1B8j
		inc	ecx
		add	edi, 18h
		inc	eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edi
		cmp	ecx, ebx
		jb	short loc_98ED90
		mov	esi, [ebp+arg_0]
		mov	edi, [ebp+var_10]
		mov	[ebp+var_8], ebx

loc_98EDCA:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+198j
		cmp	ebx, 1
		jz	short loc_98EDED
		lea	eax, [edi+1]
		cmp	eax, ebx
		jnb	short loc_98EDE9
		imul	eax, ebx, 18h
		add	esi, 0FFFFFFE8h
		imul	edi, 18h
		push	6
		pop	ecx
		add	esi, eax
		add	edi, [ebp+arg_0]
		rep movsd

loc_98EDE9:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+1FAj
		dec	ebx
		mov	[ebp+var_8], ebx

loc_98EDED:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+176j
					; IopQueryConflictFillConflicts(x,x,x,x,x,x)+194j ...
		mov	eax, [ebp+arg_C]
		mov	esi, edx
		test	eax, eax
		jz	short loc_98EDFD
		cmp	[ebp+arg_8], 4Ah
		sbb	esi, esi
		inc	esi

loc_98EDFD:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+21Aj
		neg	eax
		mov	[ebp+var_4], esi
		sbb	edi, edi
		mov	eax, esi
		and	edi, 2Ah
		mov	[ebp+var_14], eax
		add	edi, 20h
		test	ebx, ebx
		jz	short loc_98EE5B
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_18], ebx
		mov	ebx, esi
		mov	[ebp+var_1C], eax

loc_98EE1E:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+276j
		push	edx		; int
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_C], edx
		push	ecx		; int
		mov	ecx, [eax]	; int
		xor	edx, edx	; void *
		call	_IopQueryConflictFillString@16 ; IopQueryConflictFillString(x,x,x,x)
		mov	eax, [ebp+var_C]
		lea	edi, [edi+eax*2]
		add	edi, 28h
		cmp	edi, [ebp+arg_8]
		ja	short loc_98EE40
		inc	esi
		add	ebx, eax

loc_98EE40:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+261j
		mov	eax, [ebp+var_1C]
		add	eax, 18h
		sub	[ebp+var_18], 1
		push	0
		mov	[ebp+var_1C], eax
		pop	edx
		jnz	short loc_98EE1E
		mov	eax, [ebp+var_14]
		mov	[ebp+var_4], ebx
		mov	ebx, [ebp+var_8]

loc_98EE5B:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+237j
		mov	ecx, [ebp+arg_4]
		add	eax, ebx
		mov	[ecx+8], eax
		lea	ebx, [ecx+18h]
		imul	eax, esi, 28h
		mov	[ecx+0Ch], esi
		mov	[ecx+10h], edi
		add	ebx, eax
		mov	eax, [ebp+arg_8]
		add	eax, 0FFFFFFF8h
		mov	[ebp+arg_4], ebx
		add	eax, ecx
		cmp	ebx, eax
		jbe	short loc_98EE8A
		mov	eax, 0C0000023h
		jmp	loc_98EF35
; 

loc_98EE8A:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+2A4j
		or	dword ptr [ebx], 0FFFFFFFFh
		cmp	[ebp+var_14], 0
		jz	short loc_98EEBD
		mov	eax, [ebp+arg_C]
		mov	[ecx+1Ch], eax
		xor	eax, eax
		dec	[ebp+var_4]
		mov	[ecx+18h], edx
		mov	[ecx+20h], edx
		mov	[ecx+28h], edx
		mov	[ecx+2Ch], edx
		mov	[ecx+30h], edx
		mov	[ecx+34h], edx
		mov	[ecx+38h], edx
		mov	[ebx+4], ax
		inc	eax
		mov	[ebp+var_20], eax
		jmp	short loc_98EEBF
; 

loc_98EEBD:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+2B7j
		mov	eax, edx

loc_98EEBF:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+2E1j
		mov	ebx, eax
		cmp	eax, esi
		jnb	short loc_98EF29
		imul	eax, 28h
		lea	edi, [ecx+1Ch]
		mov	ecx, [ebp+arg_0]
		add	edi, eax
		sub	esi, [ebp+var_20]
		mov	eax, [ebp+var_4]

loc_98EED6:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+34Dj
		mov	[edi], edx
		mov	[edi+4], edx
		mov	[edi+10h], edx
		mov	[edi+14h], edx
		mov	[edi+18h], edx
		mov	[edi+1Ch], edx
		mov	edx, [ebp+arg_4]
		add	edx, 4
		mov	[ebp+var_C], eax
		push	edi		; int
		lea	eax, [ebp+var_C]
		mov	[edi-4], ebx
		mov	dword ptr [edi+0Ch], 1
		mov	ecx, [ecx]	; int
		lea	edx, [edx+ebx*2] ; void	*
		push	eax		; int
		call	_IopQueryConflictFillString@16 ; IopQueryConflictFillString(x,x,x,x)
		mov	eax, [ebp+var_4]
		add	edi, 28h
		mov	ecx, [ebp+arg_0]
		sub	eax, [ebp+var_C]
		add	ecx, 18h
		add	ebx, [ebp+var_C]
		mov	[ebp+var_4], eax
		mov	[ebp+arg_0], ecx
		push	0
		pop	edx
		sub	esi, 1
		jnz	short loc_98EED6

loc_98EF29:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+2E9j
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	[eax+ebx*2+4], cx
		xor	eax, eax

loc_98EF35:				; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+2ABj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_IopQueryConflictFillConflicts@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall IopQueryConflictFillString(int,void *,int,int)
_IopQueryConflictFillString@16 proc near
					; CODE XREF: IopQueryConflictFillConflicts(x,x,x,x,x,x)+250p
					; IopQueryConflictFillConflicts(x,x,x,x,x,x)+32Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], eax
		push	edi
		mov	edi, eax
		test	esi, esi
		jz	short loc_98EF5C
		mov	ebx, [esi]
		mov	[ebp+var_4], ebx

loc_98EF5C:				; CODE XREF: IopQueryConflictFillString(x,x,x,x)+19j
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_98EF65
		mov	edi, [ebx]

loc_98EF65:				; CODE XREF: IopQueryConflictFillString(x,x,x,x)+25j
		test	ecx, ecx
		jz	short loc_98EFCC
		test	dword ptr [ecx+1Ch], 1000h
		jnz	short loc_98EF81
		mov	esi, [ecx+8]

loc_98EF75:				; CODE XREF: IopQueryConflictFillString(x,x,x,x)+C0j
		test	esi, esi
		jz	short loc_98EFC9
		add	esi, 1Ch
		or	edi, 1
		jmp	short loc_98EFA0
; 

loc_98EF81:				; CODE XREF: IopQueryConflictFillString(x,x,x,x)+34j
		mov	esi, [ecx+0B0h]
		test	esi, esi
		jz	short loc_98EFC9
		mov	esi, [esi+14h]
		test	esi, esi
		jz	short loc_98EFC9
		cmp	esi, _IopRootDeviceNode
		jnz	short loc_98EFF1
		or	edi, 2

loc_98EF9D:				; CODE XREF: IopQueryConflictFillString(x,x,x,x)+B8j
		add	esi, 14h

loc_98EFA0:				; CODE XREF: IopQueryConflictFillString(x,x,x,x)+43j
		test	esi, esi
		jz	short loc_98EFC9
		test	edx, edx
		jz	short loc_98EFC4
		mov	eax, [ebp+var_4]
		movzx	ecx, word ptr [esi]
		add	eax, eax
		cmp	eax, ecx
		jbe	short loc_98EFC4
		push	ecx		; size_t
		push	dword ptr [esi+4] ; void *
		push	edx		; void *
		call	_memcpy
		mov	edx, [ebp+var_8]
		add	esp, 0Ch

loc_98EFC4:				; CODE XREF: IopQueryConflictFillString(x,x,x,x)+6Aj
					; IopQueryConflictFillString(x,x,x,x)+76j
		movzx	eax, word ptr [esi]
		shr	eax, 1

loc_98EFC9:				; CODE XREF: IopQueryConflictFillString(x,x,x,x)+3Bj
					; IopQueryConflictFillString(x,x,x,x)+4Dj ...
		mov	esi, [ebp+arg_0]

loc_98EFCC:				; CODE XREF: IopQueryConflictFillString(x,x,x,x)+2Bj
		test	edx, edx
		jz	short loc_98EFDB
		cmp	[ebp+var_4], eax
		jbe	short loc_98EFDB
		xor	ecx, ecx
		mov	[edx+eax*2], cx

loc_98EFDB:				; CODE XREF: IopQueryConflictFillString(x,x,x,x)+92j
					; IopQueryConflictFillString(x,x,x,x)+97j
		test	esi, esi
		jz	short loc_98EFE2
		inc	eax
		mov	[esi], eax

loc_98EFE2:				; CODE XREF: IopQueryConflictFillString(x,x,x,x)+A1j
		test	ebx, ebx
		jz	short loc_98EFE8
		mov	[ebx], edi

loc_98EFE8:				; CODE XREF: IopQueryConflictFillString(x,x,x,x)+A8j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	8
; 

loc_98EFF1:				; CODE XREF: IopQueryConflictFillString(x,x,x,x)+5Cj
		cmp	[esi+8], eax
		jnz	short loc_98EF9D
		mov	esi, [esi+124h]
		jmp	loc_98EF75
_IopQueryConflictFillString@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopQueryConflictList(x, x, x, x, x,	x)
_IopQueryConflictList@24 proc near	; CODE XREF: PiControlQueryConflictList(x,x,x,x)+138p

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	esi, edx
		mov	edi, ecx
		nop
		xor	eax, eax
		mov	ebx, offset _PpRegistrySemaphore
		push	eax
		push	eax
		push	eax
		push	4
		push	ebx
		call	KeWaitForSingleObject
		push	ecx
		push	[ebp+arg_8]
		mov	edx, esi
		push	[ebp+arg_4]
		push	ecx
		mov	ecx, edi
		call	_IopQueryConflictListInternal@24 ; IopQueryConflictListInternal(x,x,x,x,x,x)
		push	0
		push	1
		push	0
		push	ebx
		mov	esi, eax
		call	KeReleaseSemaphore
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_IopQueryConflictList@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopQueryConflictListInternal(x, x, x, x, x,	x)
_IopQueryConflictListInternal@24 proc near
					; CODE XREF: IopQueryConflictList(x,x,x,x,x,x)+38p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		and	[esp+50h+var_44], 0
		xor	eax, eax
		and	[esp+50h+var_4C], 0
		mov	ebx, ecx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		lea	edi, [esp+58h+var_14]
		mov	[esp+58h+var_40], esi
		stosd
		push	0Ah
		pop	ecx
		mov	dword ptr [esi+10h], 20h
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+58h+var_3C]
		rep stosd
		xor	edi, edi
		mov	[esp+58h+var_48], edi
		mov	[esi+8], edi
		mov	[esi+0Ch], edi
		test	ebx, ebx
		jz	short loc_98F0C4
		mov	eax, [ebx+0B0h]
		mov	ecx, [eax+14h]
		jmp	short loc_98F0C6
; 

loc_98F0C4:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+56j
		mov	ecx, edi

loc_98F0C6:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+61j
		test	ecx, ecx
		jnz	short loc_98F0D4
		mov	esi, 0C000000Eh
		jmp	loc_98F27F
; 

loc_98F0D4:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+67j
		movzx	eax, byte ptr [edx+14h]
		sub	eax, 1
		jz	short loc_98F0FB
		sub	eax, 1
		jz	short loc_98F107
		sub	eax, 1
		jz	short loc_98F0FB
		sub	eax, 1
		jz	short loc_98F107
		sub	eax, 3
		jz	short loc_98F0FB
		mov	esi, 0C000000Dh
		jmp	loc_98F27F
; 

loc_98F0FB:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+7Aj
					; IopQueryConflictListInternal(x,x,x,x,x,x)+84j ...
		cmp	[edx+20h], edi
		jnz	short loc_98F107
		mov	esi, edi
		jmp	loc_98F27F
; 

loc_98F107:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+7Fj
					; IopQueryConflictListInternal(x,x,x,x,x,x)+89j ...
		mov	eax, [ecx+134h]
		mov	esi, [ecx+128h]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_98F127
		test	esi, esi
		jz	short loc_98F124
		mov	eax, [esi+4]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_98F127

loc_98F124:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+B9j
		xor	eax, eax
		inc	eax

loc_98F127:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+B5j
					; IopQueryConflictListInternal(x,x,x,x,x,x)+C1j
		mov	[edx+4], eax
		cmp	eax, 8
		jnz	short loc_98F136
		mov	dword ptr [edx+4], 1

loc_98F136:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+CCj
		mov	eax, [ecx+138h]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_98F14F
		test	esi, esi
		jz	short loc_98F14D
		mov	eax, [esi+8]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_98F14F

loc_98F14D:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+E2j
		mov	eax, edi

loc_98F14F:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+DEj
					; IopQueryConflictListInternal(x,x,x,x,x,x)+EAj
		push	edi
		mov	[edx+8], eax
		call	PnpCmResourcesToIoResources
		mov	edi, eax
		test	edi, edi
		jnz	short loc_98F168
		mov	esi, 0C000000Dh
		jmp	loc_98F272
; 

loc_98F168:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+FBj
		or	[esp+58h+var_34], 0FFFFFFFFh
		lea	edx, [esp+58h+var_48]
		xor	eax, eax
		mov	[esp+58h+var_3C], ebx
		lea	ecx, [esp+58h+var_3C]
		mov	[esp+58h+var_38], eax
		mov	[esp+58h+var_30], eax
		mov	[esp+58h+var_2C], eax
		mov	[esp+58h+var_24], eax
		mov	[esp+58h+var_20], eax
		mov	[esp+58h+var_1C], eax
		mov	[esp+58h+var_18], eax
		mov	[esp+58h+var_28], edi
		call	IopResourceRequirementsListToReqList
		mov	esi, eax
		test	esi, esi
		js	loc_98F26A
		mov	ecx, [esp+58h+var_48]
		test	ecx, ecx
		jnz	short loc_98F1BC

loc_98F1B2:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+167j
					; IopQueryConflictListInternal(x,x,x,x,x,x)+170j
		mov	esi, 0C000000Dh
		jmp	loc_98F26A
; 

loc_98F1BC:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+14Fj
		lea	eax, [ecx+18h]
		mov	edx, [eax]
		mov	[ecx+0Ch], eax
		cmp	dword ptr [edx+10h], 1
		jnz	short loc_98F1B2
		mov	eax, [edx+14h]
		cmp	byte ptr [eax+8], 0
		jz	short loc_98F1B2
		mov	esi, [eax+0B0h]
		mov	eax, [eax+14h]
		mov	eax, [eax+24h]
		mov	cl, [eax+1]
		cmp	cl, 80h
		jz	short loc_98F1EC
		cmp	cl, 0F0h
		jnz	short loc_98F1EF

loc_98F1EC:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+184j
		add	eax, 20h

loc_98F1EF:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+189j
		mov	[esp+58h+var_10], eax
		lea	eax, [esp+58h+var_44]
		push	ecx
		mov	[esp+5Ch+var_C], eax
		lea	eax, [esp+5Ch+var_4C]
		push	ecx
		mov	[esp+60h+var_8], eax
		mov	ecx, esi
		lea	eax, [esp+60h+var_14]
		mov	[esp+60h+var_14], ebx
		push	eax
		push	6
		pop	edx
		call	IopCallArbiter
		mov	esi, eax
		test	esi, esi
		js	short loc_98F24C
		mov	edx, [esp+58h+var_44]
		mov	ecx, ebx
		push	0
		push	[ebp+arg_8]
		push	[esp+60h+var_40]
		push	[esp+64h+var_4C]
		call	_IopQueryConflictFillConflicts@24 ; IopQueryConflictFillConflicts(x,x,x,x,x,x)
		cmp	[esp+58h+var_4C], 0
		mov	esi, eax
		jz	short loc_98F26A
		push	0
		push	[esp+5Ch+var_4C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_98F26A
; 

loc_98F24C:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+1BBj
		cmp	esi, 0C000028Ch
		jnz	short loc_98F26A
		push	4
		push	[ebp+arg_8]
		xor	edx, edx
		xor	ecx, ecx
		push	[esp+60h+var_40]
		push	0
		call	_IopQueryConflictFillConflicts@24 ; IopQueryConflictFillConflicts(x,x,x,x,x,x)
		mov	esi, eax

loc_98F26A:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+143j
					; IopQueryConflictListInternal(x,x,x,x,x,x)+156j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_98F272:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+102j
		mov	ecx, [esp+58h+var_48]
		test	ecx, ecx
		jz	short loc_98F27F
		call	_IopFreeReqList@4 ; IopFreeReqList(x)

loc_98F27F:				; CODE XREF: IopQueryConflictListInternal(x,x,x,x,x,x)+6Ej
					; IopQueryConflictListInternal(x,x,x,x,x,x)+95j ...
		mov	ecx, [esp+58h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_IopQueryConflictListInternal@24 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1084. KdSystemDebugControl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdSystemDebugControl(x, x, x, x, x,	x, x)
		public _KdSystemDebugControl@28
_KdSystemDebugControl@28 proc near

var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		push	0F4h
		push	offset dword_6A8398
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_28], ebx
		cmp	ds:_KdpBootedNodebug, bl
		jnz	short loc_98F2CC
		cmp	_KdPitchDebugger, bl
		jnz	short loc_98F2CC
		cmp	_KdDebuggerEnabled, bl
		jnz	short loc_98F2DE

loc_98F2CC:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+20j
					; KdSystemDebugControl(x,x,x,x,x,x,x)+28j
		cmp	_KdLocalDebugEnabled, bl
		jnz	short loc_98F2DE
		mov	eax, 0C0000022h
		jmp	loc_98F7A2
; 

loc_98F2DE:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+30j
					; KdSystemDebugControl(x,x,x,x,x,x,x)+38j
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+arg_0]
		add	eax, 0FFFFFFF9h	; switch 14 cases
		cmp	eax, 0Dh
		ja	loc_98F75E	; default
		jmp	ds:off_98F7B6[eax*4] ; switch jump

loc_98F2F7:				; DATA XREF: PAGE:off_98F7B6o
		cmp	[ebp+arg_10], 28h ; case 0x7
		jz	short loc_98F30E

loc_98F2FD:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+87j
					; KdSystemDebugControl(x,x,x,x,x,x,x)+E6j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_98F7A2
; 

loc_98F30E:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+61j
		mov	ecx, [ebp+arg_C]
		call	_KdpSysGetVersion@4 ; KdpSysGetVersion(x)
		mov	esi, ebx
		jmp	loc_98F763
; 

loc_98F31D:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+56j
					; DATA XREF: PAGE:off_98F7B6o
		cmp	[ebp+arg_8], 0Ch ; case	0x8
		jnz	short loc_98F2FD
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_38]
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_30]
		test	edi, edi
		jnz	short loc_98F33D

loc_98F333:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+FAj
					; KdSystemDebugControl(x,x,x,x,x,x,x)+145j ...
		mov	esi, 0C0000005h
		jmp	loc_98F763
; 

loc_98F33D:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+97j
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	1
		push	[ebp+arg_18]
		mov	edx, edi
		mov	ecx, [ebp+var_34]
		call	ExLockUserBuffer
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_98F766
		lea	eax, [ebp+var_24]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_38]

loc_98F36B:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+12Aj
					; KdSystemDebugControl(x,x,x,x,x,x,x)+17Cj ...
		mov	edx, edi
		mov	ecx, [ebp+var_20]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)

loc_98F375:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+241j
					; KdSystemDebugControl(x,x,x,x,x,x,x)+2B1j ...
		mov	esi, eax
		jmp	loc_98F763
; 

loc_98F37C:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+56j
					; DATA XREF: PAGE:off_98F7B6o
		cmp	[ebp+arg_8], 0Ch ; case	0x9
		jnz	loc_98F2FD
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_44]
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_3C]
		test	edi, edi
		jz	short loc_98F333
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		push	[ebp+arg_18]
		mov	edx, edi
		mov	ecx, [ebp+var_40]
		call	ExLockUserBuffer
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_98F766
		lea	eax, [ebp+var_24]
		push	eax
		push	1
		push	ebx
		push	ebx
		push	[ebp+var_44]
		jmp	short loc_98F36B
; 

loc_98F3C6:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+56j
					; DATA XREF: PAGE:off_98F7B6o
		cmp	[ebp+arg_8], 10h ; case	0xA
		jnz	loc_98F2FD
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_54]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_48]
		test	edi, edi
		jz	loc_98F333
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	1
		push	[ebp+arg_18]
		mov	edx, edi
		mov	ecx, [ebp+var_4C]
		call	ExLockUserBuffer
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_98F766
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	ebx
		push	[ebp+var_50]
		push	[ebp+var_54]
		jmp	loc_98F36B
; 

loc_98F41B:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+56j
					; DATA XREF: PAGE:off_98F7B6o
		cmp	[ebp+arg_8], 10h ; case	0xB
		jnz	loc_98F2FD
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_64]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_58]
		test	edi, edi
		jz	loc_98F333
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		push	[ebp+arg_18]
		mov	edx, edi
		mov	ecx, [ebp+var_5C]
		call	ExLockUserBuffer
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_98F766
		lea	eax, [ebp+var_24]
		push	eax
		push	3
		push	ebx
		push	[ebp+var_60]
		push	[ebp+var_64]
		jmp	loc_98F36B
; 

loc_98F46F:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+56j
					; DATA XREF: PAGE:off_98F7B6o
		cmp	[ebp+arg_8], 18h ; case	0xC
		jnz	loc_98F2FD
		push	6
		pop	ecx
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_AC]
		rep movsd
		mov	edi, [ebp+var_A0]
		test	edi, edi
		jz	loc_98F333
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	1
		push	[ebp+arg_18]
		mov	edx, edi
		mov	ecx, [ebp+var_A4]
		call	ExLockUserBuffer
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_98F766
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		push	[ebp+var_A8]
		push	[ebp+var_AC]
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_9C]
		call	_KdpSysReadControlSpace@24 ; KdpSysReadControlSpace(x,x,x,x,x,x)
		jmp	loc_98F375
; 

loc_98F4E0:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+56j
					; DATA XREF: PAGE:off_98F7B6o
		cmp	[ebp+arg_8], 18h ; case	0xD
		jnz	loc_98F2FD
		push	6
		pop	ecx
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_C4]
		rep movsd
		mov	edi, [ebp+var_B8]
		test	edi, edi
		jz	loc_98F333
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		push	[ebp+arg_18]
		mov	edx, edi
		mov	ecx, [ebp+var_BC]
		call	ExLockUserBuffer
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_98F766
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		push	[ebp+var_C0]
		push	[ebp+var_C4]
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_B4]
		call	_KdpSysWriteControlSpace@24 ; KdpSysWriteControlSpace(x,x,x,x,x,x)
		jmp	loc_98F375
; 

loc_98F550:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+56j
					; DATA XREF: PAGE:off_98F7B6o
		cmp	[ebp+arg_8], 20h ; case	0xE
		jnz	loc_98F2FD
		push	8
		pop	ecx
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_E4]
		rep movsd
		mov	edi, [ebp+var_D8]
		test	edi, edi
		jz	loc_98F333
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	1
		push	[ebp+arg_18]
		mov	edx, edi
		mov	ecx, [ebp+var_DC]
		call	ExLockUserBuffer
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_98F766
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		push	[ebp+var_20]
		push	[ebp+var_E0]
		push	[ebp+var_E4]
		push	[ebp+var_CC]
		mov	edx, [ebp+var_D0]
		mov	ecx, [ebp+var_D4]
		call	_KdpSysReadIoSpace@32 ;	KdpSysReadIoSpace(x,x,x,x,x,x,x,x)
		jmp	loc_98F375
; 

loc_98F5CD:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+56j
					; DATA XREF: PAGE:off_98F7B6o
		cmp	[ebp+arg_8], 20h ; case	0xF
		jnz	loc_98F2FD
		push	8
		pop	ecx
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_104]
		rep movsd
		mov	edi, [ebp+var_F8]
		test	edi, edi
		jz	loc_98F333
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		push	[ebp+arg_18]
		mov	edx, edi
		mov	ecx, [ebp+var_FC]
		call	ExLockUserBuffer
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_98F766
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		push	[ebp+var_20]
		push	[ebp+var_100]
		push	[ebp+var_104]
		push	[ebp+var_EC]
		mov	edx, [ebp+var_F0]
		mov	ecx, [ebp+var_F4]
		call	_KdpSysWriteIoSpace@32 ; KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)
		jmp	loc_98F375
; 

loc_98F649:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+56j
					; DATA XREF: PAGE:off_98F7B6o
		cmp	[ebp+arg_8], 10h ; case	0x10
		jnz	loc_98F2FD
		mov	ecx, [ebp+arg_4]
		lea	edx, [ecx+8]
		mov	ecx, [ecx]
		call	_KdpSysReadMsr@8 ; KdpSysReadMsr(x,x)
		jmp	loc_98F375
; 

loc_98F665:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+56j
					; DATA XREF: PAGE:off_98F7B6o
		cmp	[ebp+arg_8], 10h ; case	0x11
		jnz	loc_98F2FD
		mov	ecx, [ebp+arg_4]
		lea	edx, [ecx+8]
		mov	ecx, [ecx]
		call	_KdpSysWriteMsr@8 ; KdpSysWriteMsr(x,x)
		jmp	loc_98F375
; 

loc_98F681:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+56j
					; DATA XREF: PAGE:off_98F7B6o
		cmp	[ebp+arg_8], 18h ; case	0x12
		jnz	loc_98F2FD
		push	6
		pop	ecx
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_7C]
		rep movsd
		mov	edi, [ebp+var_74]
		test	edi, edi
		jz	loc_98F333
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	1
		push	[ebp+arg_18]
		mov	edx, edi
		mov	ecx, [ebp+var_78]
		call	ExLockUserBuffer
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_98F766
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		push	[ebp+var_20]
		push	[ebp+var_7C]
		push	[ebp+var_68]
		mov	edx, [ebp+var_6C]
		mov	ecx, [ebp+var_70]
		call	_KdpSysReadBusData@28 ;	KdpSysReadBusData(x,x,x,x,x,x,x)
		jmp	loc_98F375
; 

loc_98F6E3:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+56j
					; DATA XREF: PAGE:off_98F7B6o
		cmp	[ebp+arg_8], 18h ; case	0x13
		jnz	loc_98F2FD
		push	6
		pop	ecx
		mov	esi, [ebp+arg_4]
		lea	edi, [ebp+var_94]
		rep movsd
		mov	edi, [ebp+var_8C]
		test	edi, edi
		jz	loc_98F333
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		push	[ebp+arg_18]
		mov	edx, edi
		mov	ecx, [ebp+var_90]
		call	ExLockUserBuffer
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	short loc_98F766
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		push	[ebp+var_20]
		push	[ebp+var_94]
		push	[ebp+var_80]
		mov	edx, [ebp+var_84]
		mov	ecx, [ebp+var_88]
		call	_KdpSysWriteBusData@28 ; KdpSysWriteBusData(x,x,x,x,x,x,x)
		jmp	loc_98F375
; 

loc_98F752:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+56j
					; DATA XREF: PAGE:off_98F7B6o
		xor	ecx, ecx	; case 0x14
		call	_KdpSysCheckLowMemory@4	; KdpSysCheckLowMemory(x)
		jmp	loc_98F375
; 

loc_98F75E:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+50j
		mov	esi, 0C0000003h	; default

loc_98F763:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+7Ej
					; KdSystemDebugControl(x,x,x,x,x,x,x)+9Ej ...
		mov	[ebp+var_1C], esi

loc_98F766:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+C1j
					; KdSystemDebugControl(x,x,x,x,x,x,x)+119j ...
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jz	short loc_98F78B
		mov	eax, [ebp+var_24]
		mov	[ecx], eax
		jmp	short loc_98F78B
; 

loc_98F774:				; DATA XREF: .text:006A83ACo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_98F782:				; DATA XREF: .text:006A83B0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_2C]
		mov	[ebp+var_1C], esi

loc_98F78B:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+4D1j
					; KdSystemDebugControl(x,x,x,x,x,x,x)+4D8j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_20], 0
		jz	short loc_98F7A0
		mov	ecx, [ebp+var_28]
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)

loc_98F7A0:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+4FCj
		mov	eax, esi

loc_98F7A2:				; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+3Fj
					; KdSystemDebugControl(x,x,x,x,x,x,x)+6Fj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_KdSystemDebugControl@28 endp

; 
		db 8Bh,	0FFh
off_98F7B6	dd offset loc_98F2F7	; DATA XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+56r
		dd offset loc_98F31D	; jump table for switch	statement
		dd offset loc_98F37C
		dd offset loc_98F3C6
		dd offset loc_98F41B
		dd offset loc_98F46F
		dd offset loc_98F4E0
		dd offset loc_98F550
		dd offset loc_98F5CD
		dd offset loc_98F649
		dd offset loc_98F665
		dd offset loc_98F681
		dd offset loc_98F6E3
		dd offset loc_98F752
		align 10h
		db 3 dup(0CCh)
; Exported entry 1201. KeIsWaitListEmpty

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeIsWaitListEmpty(x)
		public _KeIsWaitListEmpty@4
_KeIsWaitListEmpty@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+arg_0]
		and	[ebp+arg_0], 0
		add	eax, 8
		xor	edx, edx
		lock or	[ecx], edx
		cmp	eax, [eax]
		setz	al
		pop	ebp
		retn	4
_KeIsWaitListEmpty@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeConfigureHeteroProcessors(x, x, x)
_KeConfigureHeteroProcessors@12	proc near ; CODE XREF: PopInitializeHeteroProcessors(x)+225p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= byte ptr -50h
var_4F		= byte ptr -4Fh
var_4E		= byte ptr -4Eh
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		xor	ebx, ebx
		mov	eax, edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_54], eax
		mov	ecx, [ebp+arg_0]
		mov	dl, bl
		mov	[ebp+var_64], ecx
		mov	ecx, ds:_KiDefaultHeteroCpuPolicy
		mov	[ebp+var_48], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_68], ecx
		mov	ecx, ds:_KeHeteroSystem
		push	edi
		mov	edi, ds:_KeNumberProcessors
		mov	[ebp+var_6C], ecx
		mov	ch, bl
		mov	[ebp+var_60], esi
		mov	[ebp+var_44], ebx
		mov	[ebp+var_4C], esi
		mov	word ptr [ebp+var_3C], ax
		mov	word ptr [ebp+var_3C+2], ax
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	word ptr [ebp+var_30], ax
		mov	word ptr [ebp+var_30+2], ax
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	word ptr [ebp+var_24], ax
		mov	word ptr [ebp+var_24+2], ax
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	word ptr [ebp+var_18], ax
		mov	word ptr [ebp+var_18+2], ax
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_58], edi
		mov	[ebp+var_4D], dl
		test	edi, edi
		jz	loc_98F983
		lea	eax, [esi+7]
		mov	edx, edi

loc_98F8AD:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+BCj
		mov	cl, [eax+1]
		cmp	cl, bl
		jbe	short loc_98F8B6
		mov	bl, cl

loc_98F8B6:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+9Fj
		mov	cl, [eax]
		cmp	cl, ch
		jbe	short loc_98F8BE
		mov	ch, cl

loc_98F8BE:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+A7j
		mov	cl, [eax-1]
		cmp	cl, [ebp+var_4D]
		jbe	short loc_98F8C9
		mov	[ebp+var_4D], cl

loc_98F8C9:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+B1j
		add	eax, 3
		sub	edx, 1
		jnz	short loc_98F8AD
		push	edx
		mov	[ebp+var_4E], bl
		test	bl, bl
		mov	[ebp+var_4F], ch
		pop	ebx
		jnz	short loc_98F8E5
		test	ch, ch
		jz	loc_98F980

loc_98F8E5:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+C8j
		mov	cl, [esi+5]
		mov	eax, ebx
		mov	ebx, [ebp+var_28]
		add	esi, 8
		mov	edx, [ebp+var_1C]
		mov	[ebp+var_54], ebx
		mov	ebx, [ebp+var_34]
		mov	[ebp+var_50], cl
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_5C], ebx
		mov	bh, [ebp+var_50]
		mov	[ebp+var_40], 1

loc_98F90C:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+167j
		mov	bl, [esi]
		cmp	bl, bh
		jb	short loc_98F935
		mov	edi, [ebp+var_5C]
		bts	edi, eax
		mov	[ebp+var_5C], edi
		mov	[ebp+var_34], edi
		mov	edi, [ebp+var_58]
		cmp	bl, [ebp+var_4E]
		jnz	short loc_98F935
		mov	edi, [ebp+var_54]
		bts	edi, eax
		mov	[ebp+var_54], edi
		mov	[ebp+var_28], edi
		mov	edi, [ebp+var_58]

loc_98F935:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+FDj
					; KeConfigureHeteroProcessors(x,x,x)+111j
		cmp	[ebp+var_4D], 0
		jnz	short loc_98F94B
		test	bh, bh
		jz	short loc_98F943
		cmp	bl, bh
		jnb	short loc_98F974

loc_98F943:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+12Aj
		bts	edx, eax
		mov	[ebp+var_1C], edx
		jmp	short loc_98F96E
; 

loc_98F94B:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+126j
		mov	edi, [ebp+var_60]
		mov	bl, [esi-1]
		mov	ds:_KiEfficiencyClassSystem, 1
		cmp	bl, [edi+4]
		mov	edi, [ebp+var_58]
		jb	short loc_98F974
		bts	edx, eax
		mov	[ebp+var_1C], edx
		cmp	bl, [ebp+var_4F]
		jnz	short loc_98F974

loc_98F96E:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+136j
		bts	ecx, eax
		mov	[ebp+var_10], ecx

loc_98F974:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+12Ej
					; KeConfigureHeteroProcessors(x,x,x)+14Ej ...
		inc	eax
		add	esi, 3
		cmp	eax, edi
		jb	short loc_98F90C
		xor	ebx, ebx
		jmp	short loc_98F9C2
; 

loc_98F980:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+CCj
		mov	dl, [ebp+var_4D]

loc_98F983:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+8Fj
		mov	ecx, ebx
		test	edi, edi
		jz	short loc_98F997
		mov	eax, [ebp+var_34]

loc_98F98C:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+17Fj
		bts	eax, ecx
		inc	ecx
		cmp	ecx, edi
		jb	short loc_98F98C
		mov	[ebp+var_34], eax

loc_98F997:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+174j
		lea	esi, [ebp+var_3C]
		mov	eax, [ebp+var_54]
		lea	edi, [ebp+var_30]
		movsd
		movsd
		movsd
		lea	esi, [ebp+var_3C]
		lea	edi, [ebp+var_24]
		movsd
		movsd
		movsd
		lea	esi, [ebp+var_3C]
		lea	edi, [ebp+var_18]
		movsd
		movsd
		movsd
		mov	[ebp+var_44], eax
		xor	eax, eax
		test	dl, dl
		setnz	al
		mov	[ebp+var_40], eax

loc_98F9C2:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+16Bj
		lea	eax, [ebp+var_4C]
		push	eax
		push	offset _KiConfigureHeteroProcessorsTarget@16 ; KiConfigureHeteroProcessorsTarget(x,x,x,x)
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		mov	ecx, [ebp+var_64]
		mov	esi, ebx
		mov	eax, ds:_KeHeteroSystem
		mov	[ecx], eax
		neg	eax
		sbb	eax, eax
		and	eax, ds:_KiDesiredHeteroCpuPolicy
		mov	ds:_KiDefaultHeteroCpuPolicy, eax
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	short loc_98FA08

loc_98F9F3:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+1F3j
		mov	ecx, ds:_KiProcessorBlock[esi*4]
		call	KiConfigureCpuSetSchedulingInformation
		inc	esi
		cmp	esi, ds:_KeNumberProcessors
		jb	short loc_98F9F3

loc_98FA08:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+1DEj
		mov	eax, [ebp+var_68]
		cmp	eax, ds:_KiDefaultHeteroCpuPolicy
		jnz	short loc_98FA1E
		mov	eax, [ebp+var_6C]
		cmp	eax, ds:_KeHeteroSystem
		jz	short loc_98FA21

loc_98FA1E:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+1FEj
		xor	ebx, ebx
		inc	ebx

loc_98FA21:				; CODE XREF: KeConfigureHeteroProcessors(x,x,x)+209j
		mov	ecx, [ebp+var_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_KeConfigureHeteroProcessors@12	endp


;  S U B	R O U T	I N E 


; __stdcall KeSetCheckStackExtentsProcess(x, x)
_KeSetCheckStackExtentsProcess@8 proc near
					; CODE XREF: PspApplyMitigationOptions(x,x,x,x,x,x,x)+338p
					; PAGE:007AA26Ep
		add	ecx, 64h
		test	edx, edx
		jz	short loc_98FA42
		lock bts dword ptr [ecx], 5
		jmp	short loc_98FA47
; 

loc_98FA42:				; CODE XREF: KeSetCheckStackExtentsProcess(x,x)+5j
		lock btr dword ptr [ecx], 5

loc_98FA47:				; CODE XREF: KeSetCheckStackExtentsProcess(x,x)+Cj
		setb	al
		movzx	eax, al
		retn
_KeSetCheckStackExtentsProcess@8 endp


;  S U B	R O U T	I N E 


; __stdcall KeSetDisableBoostProcess(x,	x)
_KeSetDisableBoostProcess@8 proc near	; CODE XREF: PAGE:007A7EB7p
		add	ecx, 64h
		test	edx, edx
		jz	short loc_98FA5C
		lock bts dword ptr [ecx], 1
		jmp	short loc_98FA61
; 

loc_98FA5C:				; CODE XREF: KeSetDisableBoostProcess(x,x)+5j
		lock btr dword ptr [ecx], 1

loc_98FA61:				; CODE XREF: KeSetDisableBoostProcess(x,x)+Cj
		setb	al
		movzx	eax, al
		retn
_KeSetDisableBoostProcess@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1271. KeRemoveSystemServiceTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeRemoveSystemServiceTable(x)
		public _KeRemoveSystemServiceTable@4
_KeRemoveSystemServiceTable@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		test	eax, eax
		jnz	short loc_98FAE8
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 1
		jz	short loc_98FA95
		cmp	ecx, 2
		jnz	short loc_98FAB0

loc_98FA95:				; CODE XREF: KeRemoveSystemServiceTable(x)+21j
		cmp	ds:dword_70E690, 0
		jnz	short loc_98FAB4
		cmp	ds:dword_70E710, 0
		jnz	short loc_98FAB4
		cmp	ds:dword_70E6D0, 0
		jnz	short loc_98FAB4

loc_98FAB0:				; CODE XREF: KeRemoveSystemServiceTable(x)+26j
		xor	al, al
		jmp	short loc_98FAEA
; 

loc_98FAB4:				; CODE XREF: KeRemoveSystemServiceTable(x)+2Fj
					; KeRemoveSystemServiceTable(x)+38j ...
		mov	eax, ecx
		shl	eax, 4
		cmp	ecx, 1
		jnz	short loc_98FAD4
		xor	ecx, ecx
		mov	ds:_KeServiceDescriptorTableShadow[eax], ecx
		mov	ds:dword_70E708[eax], ecx
		mov	ds:dword_70E70C[eax], ecx
		jmp	short loc_98FAE8
; 

loc_98FAD4:				; CODE XREF: KeRemoveSystemServiceTable(x)+4Fj
		xor	ecx, ecx
		mov	ds:_KiSystemAllowedCpuSets[eax], ecx
		mov	ds:_KiNonParkedCpuSets[eax], ecx
		mov	ds:_KiReservedCpuSets[eax], ecx

loc_98FAE8:				; CODE XREF: KeRemoveSystemServiceTable(x)+19j
					; KeRemoveSystemServiceTable(x)+65j
		mov	al, 1

loc_98FAEA:				; CODE XREF: KeRemoveSystemServiceTable(x)+45j
		pop	ebp
		retn	4
_KeRemoveSystemServiceTable@4 endp


;  S U B	R O U T	I N E 


; __stdcall KiAddSynchCounters(x, x)
_KiAddSynchCounters@8 proc near		; CODE XREF: KiSynchNumaCounterSetCallback(x,x,x)+10Fp
					; KiSynchNumaCounterSetCallback(x,x,x)+11Bp
		mov	eax, [edx]
		add	[ecx], eax
		mov	eax, [edx+4]
		add	[ecx+4], eax
		mov	eax, [edx+8]
		add	[ecx+8], eax
		mov	eax, [edx+0Ch]
		add	[ecx+0Ch], eax
		mov	eax, [edx+10h]
		add	[ecx+10h], eax
		mov	eax, [edx+14h]
		add	[ecx+14h], eax
		mov	eax, [edx+18h]
		add	[ecx+18h], eax
		mov	eax, [edx+1Ch]
		add	[ecx+1Ch], eax
		mov	eax, [edx+20h]
		add	[ecx+20h], eax
		mov	eax, [edx+24h]
		add	[ecx+24h], eax
		mov	eax, [edx+28h]
		add	[ecx+28h], eax
		mov	eax, [edx+2Ch]
		add	[ecx+2Ch], eax
		mov	eax, [edx+30h]
		add	[ecx+30h], eax
		mov	eax, [edx+34h]
		add	[ecx+34h], eax
		mov	eax, [edx+38h]
		add	[ecx+38h], eax
		mov	eax, [edx+3Ch]
		add	[ecx+3Ch], eax
		mov	eax, [edx+40h]
		add	[ecx+40h], eax
		mov	eax, [edx+44h]
		add	[ecx+44h], eax
		mov	eax, [edx+48h]
		add	[ecx+48h], eax
		mov	eax, [edx+4Ch]
		add	[ecx+4Ch], eax
		mov	eax, [edx+50h]
		add	[ecx+50h], eax
		mov	eax, [edx+54h]
		add	[ecx+54h], eax
		mov	eax, [edx+58h]
		add	[ecx+58h], eax
		mov	eax, [edx+5Ch]
		add	[ecx+5Ch], eax
		mov	eax, [edx+60h]
		add	[ecx+60h], eax
		mov	eax, [edx+64h]
		add	[ecx+64h], eax
		mov	eax, [edx+68h]
		add	[ecx+68h], eax
		mov	eax, [edx+6Ch]
		add	[ecx+6Ch], eax
		mov	eax, [edx+70h]
		add	[ecx+70h], eax
		mov	eax, [edx+74h]
		add	[ecx+74h], eax
		mov	eax, [edx+78h]
		add	[ecx+78h], eax
		mov	eax, [edx+7Ch]
		add	[ecx+7Ch], eax
		mov	eax, [edx+80h]
		add	[ecx+80h], eax
		mov	eax, [edx+84h]
		add	[ecx+84h], eax
		mov	eax, [edx+88h]
		add	[ecx+88h], eax
		mov	eax, [edx+8Ch]
		add	[ecx+8Ch], eax
		mov	eax, [edx+90h]
		add	[ecx+90h], eax
		mov	eax, [edx+94h]
		add	[ecx+94h], eax
		mov	eax, [edx+98h]
		add	[ecx+98h], eax
		mov	eax, [edx+9Ch]
		add	[ecx+9Ch], eax
		mov	eax, [edx+0A8h]
		add	[ecx+0A8h], eax
		mov	eax, [edx+0ACh]
		add	[ecx+0ACh], eax
		retn
_KiAddSynchCounters@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSynchCounterSetCallback(x, x, x)
_KiSynchCounterSetCallback@12 proc near	; DATA XREF: ExpPcwHostCallback+71o

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+40h+var_2C], edi
		mov	[esp+40h+var_28], edi
		sub	eax, edi
		jz	loc_98FCE9
		sub	eax, 1
		jz	loc_98FCE2
		sub	eax, 1
		jz	short loc_98FC6D
		sub	eax, 1
		jnz	loc_98FCEE

loc_98FC6D:				; CODE XREF: KiSynchCounterSetCallback(x,x,x)+3Dj
		mov	eax, [ecx+14h]
		push	0FFFFh
		mov	[esp+44h+var_30], eax
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_98FCEE

loc_98FC84:				; CODE XREF: KiSynchCounterSetCallback(x,x,x)+B9j
		mov	esi, ds:_KiProcessorBlock[edi*4]
		lea	eax, [esp+40h+var_1C]
		push	edi		; char
		push	offset ??_C@_15EFLNJKHH@?$AA?$CF?$AAu@NNGAKEGL@	; wchar_t *
		push	16h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		lea	eax, [esp+40h+var_1C]
		push	eax
		lea	eax, [esp+44h+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esi+40A0h]
		mov	[esp+40h+var_20], 0B8h
		mov	[esp+40h+var_24], eax
		lea	eax, [esp+40h+var_24]
		push	eax
		push	1
		push	edi
		lea	eax, [esp+4Ch+var_2C]
		push	eax
		push	[esp+50h+var_30]
		call	_PcwAddInstance@20 ; PcwAddInstance(x,x,x,x,x)
		test	eax, eax
		js	short loc_98FCF0
		inc	edi
		cmp	edi, ebx
		jb	short loc_98FC84
		jmp	short loc_98FCEE
; 

loc_98FCE2:				; CODE XREF: KiSynchCounterSetCallback(x,x,x)+34j
		call	_EtwDereferenceSpinLockCounters@0 ; EtwDereferenceSpinLockCounters()
		jmp	short loc_98FCEE
; 

loc_98FCE9:				; CODE XREF: KiSynchCounterSetCallback(x,x,x)+2Bj
		call	_EtwReferenceSpinLockCounters@0	; EtwReferenceSpinLockCounters()

loc_98FCEE:				; CODE XREF: KiSynchCounterSetCallback(x,x,x)+42j
					; KiSynchCounterSetCallback(x,x,x)+5Dj	...
		xor	eax, eax

loc_98FCF0:				; CODE XREF: KiSynchCounterSetCallback(x,x,x)+B4j
		mov	ecx, [esp+40h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_KiSynchCounterSetCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall KiSynchNumaCounterSetCallback(int,int,int,int,int)
_KiSynchNumaCounterSetCallback@12 proc near ; DATA XREF: ExpPcwHostCallback+BCo

var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= word ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_D8		= dword	ptr -0D8h
var_1C		= word ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1C4h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		push	edi		; char
		lea	edi, [esp+1D0h+var_1A4]
		xor	ebx, ebx
		stosd
		push	0B8h		; size_t
		push	ebx		; int
		stosd
		stosd
		lea	eax, [esp+1D8h+var_190]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+1D0h+var_D8]
		push	0B8h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[esp+1D0h+var_1BC], ebx
		mov	[esp+1D0h+var_1B8], ebx
		mov	[esp+1D0h+var_1B4], ebx
		sub	eax, ebx
		jz	loc_98FF53
		sub	eax, 1
		jz	loc_98FF4C
		sub	eax, 1
		jz	short loc_98FD88
		sub	eax, 1
		jnz	loc_98FF58

loc_98FD88:				; CODE XREF: KiSynchNumaCounterSetCallback(x,x,x)+79j
		mov	esi, [esi+14h]
		xor	ecx, ecx
		mov	[esp+1D0h+var_1B0], esi
		cmp	cx, ds:_KeNumberNodes
		jnb	loc_98FEEE

loc_98FD9E:				; CODE XREF: KiSynchNumaCounterSetCallback(x,x,x)+1E4j
		mov	eax, ds:_KeNodeBlock[ebx*4]
		mov	edi, [eax+84h]
		test	edi, edi
		jz	loc_98FEDE
		movzx	esi, word ptr [eax+88h]
		lea	eax, [esp+1D0h+var_190]
		push	0B8h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		and	[esp+1DCh+var_1C0], 0
		add	esp, 0Ch
		and	[esp+1D0h+var_1A4], 0
		mov	[esp+1D0h+var_19C], si
		mov	esi, [esp+1D0h+var_1B0]
		mov	[esp+1D0h+var_1A0], edi

loc_98FDE5:				; CODE XREF: KiSynchNumaCounterSetCallback(x,x,x)+17Dj
		lea	eax, [esp+1D0h+var_1A4]
		push	eax
		lea	eax, [esp+1D4h+var_1B4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	loc_98FE86
		mov	edi, [esp+1D0h+var_1B4]
		lea	ecx, [esp+1D0h+var_190]
		mov	esi, ds:_KiProcessorBlock[edi*4]
		add	esi, 40A0h
		mov	edx, esi
		call	_KiAddSynchCounters@8 ;	KiAddSynchCounters(x,x)
		lea	ecx, [esp+1D0h+var_D8]
		call	_KiAddSynchCounters@8 ;	KiAddSynchCounters(x,x)
		push	[esp+1D0h+var_1C0]
		lea	eax, [esp+1D4h+var_1C]
		push	ebx		; char
		push	offset ??_C@_1M@LBIBGIJG@?$AA?$CF?$AAu?$AA?0?$AA?$CF?$AAu@NNGAKEGL@ ; wchar_t *
		push	16h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		lea	eax, [esp+1D0h+var_1C]
		push	eax
		lea	eax, [esp+1D4h+var_1BC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+1D0h+var_198]
		mov	[esp+1D0h+var_198], esi
		mov	esi, [esp+1D0h+var_1B0]
		push	eax
		push	1
		push	edi
		lea	eax, [esp+1DCh+var_1BC]
		mov	[esp+1DCh+var_194], 0B8h
		push	eax
		push	esi
		call	_PcwAddInstance@20 ; PcwAddInstance(x,x,x,x,x)
		test	eax, eax
		js	loc_98FF5A
		inc	[esp+1D0h+var_1C0]
		jmp	loc_98FDE5
; 

loc_98FE86:				; CODE XREF: KiSynchNumaCounterSetCallback(x,x,x)+F2j
		push	ebx		; char
		push	offset ??_C@_1BE@KIJPPDLH@?$AA?$CF?$AAu?$AA?0?$AA_?$AAT?$AAo?$AAt?$AAa?$AAl@NNGAKEGL@ ;	wchar_t	*
		lea	eax, [esp+1D8h+var_1C]
		push	16h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		lea	eax, [esp+1D0h+var_1C]
		push	eax
		lea	eax, [esp+1D4h+var_1BC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, ds:_KeMaximumProcessors
		lea	ecx, [esp+1D0h+var_190]
		mov	[esp+1D0h+var_1AC], ecx
		add	eax, ebx
		lea	ecx, [esp+1D0h+var_1AC]
		mov	[esp+1D0h+var_1A8], 0B8h
		push	ecx
		push	1
		push	eax
		lea	eax, [esp+1DCh+var_1BC]
		push	eax
		push	esi
		call	_PcwAddInstance@20 ; PcwAddInstance(x,x,x,x,x)
		test	eax, eax
		js	short loc_98FF5A

loc_98FEDE:				; CODE XREF: KiSynchNumaCounterSetCallback(x,x,x)+A9j
		movzx	eax, ds:_KeNumberNodes
		inc	ebx
		cmp	ebx, eax
		jb	loc_98FD9E

loc_98FEEE:				; CODE XREF: KiSynchNumaCounterSetCallback(x,x,x)+94j
		push	offset ??_C@_1O@NKAIMMPD@?$AA_?$AAT?$AAo?$AAt?$AAa?$AAl@NNGAKEGL@ ; "_Total"
		lea	eax, [esp+1D4h+var_1C]
		push	16h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 0Ch
		lea	eax, [esp+1D0h+var_1C]
		push	eax
		lea	eax, [esp+1D4h+var_1BC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, ds:_KeNumberNodes
		lea	ecx, [esp+1D0h+var_D8]
		add	eax, ds:_KeMaximumProcessors
		mov	[esp+1D0h+var_1AC], ecx
		lea	ecx, [esp+1D0h+var_1AC]
		push	ecx
		push	1
		push	eax
		lea	eax, [esp+1DCh+var_1BC]
		mov	[esp+1DCh+var_1A8], 0B8h
		push	eax
		push	esi
		call	_PcwAddInstance@20 ; PcwAddInstance(x,x,x,x,x)
		jmp	short loc_98FF5A
; 

loc_98FF4C:				; CODE XREF: KiSynchNumaCounterSetCallback(x,x,x)+70j
		call	_EtwDereferenceSpinLockCounters@0 ; EtwDereferenceSpinLockCounters()
		jmp	short loc_98FF58
; 

loc_98FF53:				; CODE XREF: KiSynchNumaCounterSetCallback(x,x,x)+67j
		call	_EtwReferenceSpinLockCounters@0	; EtwReferenceSpinLockCounters()

loc_98FF58:				; CODE XREF: KiSynchNumaCounterSetCallback(x,x,x)+7Ej
					; KiSynchNumaCounterSetCallback(x,x,x)+24Dj
		xor	eax, eax

loc_98FF5A:				; CODE XREF: KiSynchNumaCounterSetCallback(x,x,x)+173j
					; KiSynchNumaCounterSetCallback(x,x,x)+1D8j ...
		mov	ecx, [esp+1D0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_KiSynchNumaCounterSetCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiTraceLogNmiCallback(x)
_KiTraceLogNmiCallback@4 proc near	; CODE XREF: KeRegisterNmiCallback(x,x)+1Cp

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0CCh+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	offset ??_C@_1BO@LEMCLNMN@?$AAU?$AAn?$AAk?$AAn?$AAo?$AAw?$AAn?$AA_?$AAM?$AAo?$AAd?$AAu?$AAl?$AAe@NNGAKEGL@
		lea	eax, [esp+0DCh+var_BC]
		xor	ebx, ebx
		push	eax
		mov	esi, ecx
		mov	[esp+0E0h+var_BC], ebx
		mov	[esp+0E0h+var_B8], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		or	[esp+0D8h+var_CC], 0FFFFFFFFh
		mov	[esp+0D8h+var_C8], ebx
		mov	[esp+0D8h+var_C4], ebx
		mov	[esp+0D8h+var_C0], ebx
		cmp	esi, ds:_PsNtosImageBase
		jb	short loc_98FFD0
		cmp	esi, ds:_PsNtosImageEnd
		jb	loc_99018B

loc_98FFD0:				; CODE XREF: KiTraceLogNmiCallback(x)+51j
		cmp	esi, ds:_PsHalImageBase
		jb	short loc_98FFE4
		cmp	esi, ds:_PsHalImageEnd
		jb	loc_99018B

loc_98FFE4:				; CODE XREF: KiTraceLogNmiCallback(x)+65j
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceSharedLite
		mov	ecx, _PsLoadedModuleList
		mov	edi, offset _PsLoadedModuleList
		jmp	short loc_990013
; 

loc_98FFFD:				; CODE XREF: KiTraceLogNmiCallback(x)+A4j
		mov	edx, [ecx+18h]
		cmp	esi, edx
		jb	short loc_990011
		mov	eax, [ecx+20h]
		add	eax, edx
		cmp	esi, eax
		jb	loc_9901A0

loc_990011:				; CODE XREF: KiTraceLogNmiCallback(x)+91j
		mov	ecx, [ecx]

loc_990013:				; CODE XREF: KiTraceLogNmiCallback(x)+8Aj
		cmp	ecx, edi
		jnz	short loc_98FFFD
		mov	ebx, [esp+0D8h+var_B8]
		mov	edi, [esp+0D8h+var_BC]

loc_99001F:				; CODE XREF: KiTraceLogNmiCallback(x)+259j
		cmp	dword_6B1F28, 5
		jbe	loc_990181
		push	4000h
		push	0
		mov	ecx, offset dword_6B1F28
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_990181
		lea	eax, [esp+0D8h+var_70]
		mov	[esp+0D8h+var_80], 2
		mov	[esp+0D8h+var_88], eax
		xor	edx, edx
		movzx	eax, di
		mov	[esp+0D8h+var_70], eax
		mov	eax, [esp+0D8h+var_CC]
		mov	[esp+0D8h+var_CC], eax
		lea	eax, [esp+0D8h+var_CC]
		mov	[esp+0D8h+var_68], eax
		mov	eax, [esp+0D8h+var_C8]
		mov	[esp+0D8h+var_C8], eax
		lea	eax, [esp+0D8h+var_C8]
		mov	[esp+0D8h+var_58], eax
		mov	eax, [esp+0D8h+var_C4]
		mov	[esp+0D8h+var_C4], eax
		lea	eax, [esp+0D8h+var_C4]
		mov	[esp+0D8h+var_48], eax
		mov	eax, [esp+0D8h+var_C0]
		mov	[esp+0D8h+var_C0], eax
		lea	eax, [esp+0D8h+var_C0]
		mov	[esp+0D8h+var_38], eax
		lea	eax, [esp+0D8h+var_B4]
		push	4
		pop	ecx
		mov	[esp+0D8h+var_28], eax
		lea	eax, [esp+0D8h+var_B0]
		mov	[esp+0D8h+var_18], eax
		lea	eax, [esp+0D8h+var_A8]
		push	eax
		push	0Ah
		push	edx
		push	edx
		push	offset loc_41C849
		push	offset dword_6B1F28
		mov	[esp+0F0h+var_84], edx
		mov	[esp+0F0h+var_7C], edx
		mov	[esp+0F0h+var_78], ebx
		mov	[esp+0F0h+var_74], edx
		mov	[esp+0F0h+var_6C], edx
		mov	[esp+0F0h+var_64], edx
		mov	[esp+0F0h+var_60], ecx
		mov	[esp+0F0h+var_5C], edx
		mov	[esp+0F0h+var_54], edx
		mov	[esp+0F0h+var_50], ecx
		mov	[esp+0F0h+var_4C], edx
		mov	[esp+0F0h+var_44], edx
		mov	[esp+0F0h+var_40], ecx
		mov	[esp+0F0h+var_3C], edx
		mov	[esp+0F0h+var_34], edx
		mov	[esp+0F0h+var_30], ecx
		mov	[esp+0F0h+var_2C], edx
		mov	[esp+0F0h+var_B4], esi
		mov	[esp+0F0h+var_24], edx
		mov	[esp+0F0h+var_20], ecx
		mov	[esp+0F0h+var_1C], edx
		mov	[esp+0F0h+var_B0], 1000000h
		mov	[esp+0F0h+var_AC], edx
		mov	[esp+0F0h+var_14], edx
		mov	[esp+0F0h+var_10], 8
		mov	[esp+0F0h+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_990181:				; CODE XREF: KiTraceLogNmiCallback(x)+B5j
					; KiTraceLogNmiCallback(x)+CEj
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite

loc_99018B:				; CODE XREF: KiTraceLogNmiCallback(x)+59j
					; KiTraceLogNmiCallback(x)+6Dj
		mov	ecx, [esp+0D8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_9901A0:				; CODE XREF: KiTraceLogNmiCallback(x)+9Aj
		mov	edi, [ecx+24h]
		mov	[esp+0D8h+var_BC], edi
		mov	ebx, [ecx+28h]
		mov	[esp+0D8h+var_B8], ebx
		mov	eax, [ecx+18h]
		mov	[esp+0D8h+var_CC], eax
		mov	eax, [ecx+20h]
		mov	[esp+0D8h+var_C8], eax
		mov	eax, [ecx+40h]
		mov	[esp+0D8h+var_C4], eax
		mov	eax, [ecx+58h]
		mov	[esp+0D8h+var_C0], eax
		jmp	loc_99001F
_KiTraceLogNmiCallback@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeCreateEnclave(x, x, x, x,	x, x, x, x)
_KeCreateEnclave@32 proc near		; CODE XREF: MiCreateHardwareEnclave(x,x,x,x,x)+152p

var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_44		= dword	ptr -44h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFC0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A8518
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		push	ecx
		push	ecx
		push	ebx
		sub	esp, 0D8h
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		mov	[ebp+var_44], eax
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	[ebp+var_C4], edx
		mov	[ebp+var_C8], ecx
		mov	edi, [ebx+0Ch]
		mov	edx, [ebx+18h]
		mov	eax, [ebx+1Ch]
		mov	esi, ds:dword_70E754
		and	esi, 8
		and	dword ptr [eax], 0
		xor	eax, eax
		or	eax, esi
		jz	loc_990321
		xor	esi, esi
		test	dword ptr [ebx+14h], 100h
		jz	short loc_990263
		mov	ecx, ds:dword_70E754
		and	ecx, 20h
		mov	eax, esi
		or	eax, ecx
		jz	short loc_99027F

loc_990263:				; CODE XREF: KeCreateEnclave(x,x,x,x,x,x,x,x)+83j
		mov	eax, [edi]
		cmp	eax, [ebx+8]
		jnz	short loc_99027F
		cmp	[edi+4], esi
		jnz	short loc_99027F
		mov	eax, [edi+30h]
		and	eax, 4
		test	byte ptr [ebx+14h], 1
		jz	short loc_990289
		or	eax, esi
		jnz	short loc_99028D

loc_99027F:				; CODE XREF: KeCreateEnclave(x,x,x,x,x,x,x,x)+92j
					; KeCreateEnclave(x,x,x,x,x,x,x,x)+99j	...
		mov	eax, 0C000000Dh
		jmp	loc_990326
; 

loc_990289:				; CODE XREF: KeCreateEnclave(x,x,x,x,x,x,x,x)+AAj
		or	eax, esi
		jnz	short loc_99027F

loc_99028D:				; CODE XREF: KeCreateEnclave(x,x,x,x,x,x,x,x)+AEj
		mov	eax, [ebp+var_C4]
		mov	[edi+8], eax
		mov	[edi+0Ch], esi
		mov	[edx], esi
		mov	eax, [edi+30h]
		push	2
		pop	ecx
		and	eax, ecx
		or	eax, esi
		jz	short loc_9902A9
		mov	[edx], ecx

loc_9902A9:				; CODE XREF: KeCreateEnclave(x,x,x,x,x,x,x,x)+D6j
		push	40h		; size_t
		push	esi		; int
		lea	eax, [ebp+var_C0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_70], eax
		mov	[ebp+var_6C], esi
		mov	[ebp+var_80], esi
		mov	[ebp+var_7C], esi
		mov	[ebp+var_78], edi
		mov	[ebp+var_74], esi
		mov	[ebp+var_68], esi
		mov	[ebp+var_64], esi
		mov	[ebp+var_4], esi
		push	esi
		push	[ebp+var_C8]
		lea	eax, [ebp+var_80]
		push	eax
		push	esi
		call	_KiEncls@16	; KiEncls(x,x,x,x)
		mov	[ebp+var_4], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_990326
; 

loc_9902F8:				; DATA XREF: .text:006A852Co
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0CCh], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_99030C:				; DATA XREF: .text:006A8530o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0CCh]
		jmp	short loc_990326
; 

loc_990321:				; CODE XREF: KeCreateEnclave(x,x,x,x,x,x,x,x)+74j
		mov	eax, 0C00000BBh

loc_990326:				; CODE XREF: KeCreateEnclave(x,x,x,x,x,x,x,x)+B5j
					; KeCreateEnclave(x,x,x,x,x,x,x,x)+127j ...
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	ecx, [ebp+var_44]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	18h
_KeCreateEnclave@32 endp ; sp =	 4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeDebugReadEnclaveMemory(x,	x, x, x)
_KeDebugReadEnclaveMemory@16 proc near	; CODE XREF: MiDbgReadWriteEnclave(x,x,x,x,x):loc_99BDDEp
					; MiDbgReadWriteEnclaveUnaligned(x,x,x,x)+2Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	10h
		push	offset dword_6A8478
		call	__SEH_prolog4
		mov	edi, edx
		mov	ebx, ecx
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		mov	esi, ds:dword_70E754
		and	esi, 8
		xor	eax, eax
		or	eax, esi
		jz	short loc_9903BE
		push	4
		pop	esi

loc_99036E:				; CODE XREF: KeDebugReadEnclaveMemory(x,x,x,x)+55j
		cmp	[ebp+arg_0], 0
		jz	short loc_9903BA
		and	[ebp+ms_exc.disabled], 0
		push	0
		push	ebx
		push	0
		push	esi
		call	_KiEnclsDebugRead@16 ; KiEnclsDebugRead(x,x,x,x)
		mov	[ebp+var_20], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[edi], eax
		add	ebx, esi
		add	edi, esi
		sub	[ebp+arg_0], esi
		mov	eax, [ebp+arg_4]
		add	[eax], esi
		jmp	short loc_99036E
; 

loc_99039D:				; DATA XREF: .text:006A848Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9903AB:				; DATA XREF: .text:006A8490o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		jmp	short loc_9903C3
; 

loc_9903BA:				; CODE XREF: KeDebugReadEnclaveMemory(x,x,x,x)+2Cj
		xor	eax, eax
		jmp	short loc_9903C3
; 

loc_9903BE:				; CODE XREF: KeDebugReadEnclaveMemory(x,x,x,x)+23j
		mov	eax, 0C00000BBh

loc_9903C3:				; CODE XREF: KeDebugReadEnclaveMemory(x,x,x,x)+72j
					; KeDebugReadEnclaveMemory(x,x,x,x)+76j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KeDebugReadEnclaveMemory@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeDebugWriteEnclaveMemory(x, x, x, x)
_KeDebugWriteEnclaveMemory@16 proc near	; CODE XREF: MiDbgReadWriteEnclave(x,x,x,x,x)+68p
					; MiDbgReadWriteEnclaveUnaligned(x,x,x,x)+5Ap

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	0Ch
		push	offset dword_6A8458
		call	__SEH_prolog4
		mov	edi, edx
		mov	ebx, ecx
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		mov	esi, ds:dword_70E754
		and	esi, 8
		xor	eax, eax
		or	eax, esi
		jz	short loc_99044A
		push	4
		pop	esi

loc_9903FD:				; CODE XREF: KeDebugWriteEnclaveMemory(x,x,x,x)+52j
		cmp	[ebp+arg_0], 0
		jz	short loc_990446
		mov	eax, [edi]
		and	[ebp+ms_exc.disabled], 0
		push	0
		push	ebx
		push	eax
		push	5
		call	_KiEncls@16	; KiEncls(x,x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		add	ebx, esi
		add	edi, esi
		sub	[ebp+arg_0], esi
		mov	eax, [ebp+arg_4]
		add	[eax], esi
		jmp	short loc_9903FD
; 

loc_990429:				; DATA XREF: .text:006A846Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_990437:				; DATA XREF: .text:006A8470o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		jmp	short loc_99044F
; 

loc_990446:				; CODE XREF: KeDebugWriteEnclaveMemory(x,x,x,x)+2Cj
		xor	eax, eax
		jmp	short loc_99044F
; 

loc_99044A:				; CODE XREF: KeDebugWriteEnclaveMemory(x,x,x,x)+23j
		mov	eax, 0C00000BBh

loc_99044F:				; CODE XREF: KeDebugWriteEnclaveMemory(x,x,x,x)+6Fj
					; KeDebugWriteEnclaveMemory(x,x,x,x)+73j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KeDebugWriteEnclaveMemory@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeEnclave(x, x, x, x, x, x)
_KeInitializeEnclave@24	proc near	; CODE XREF: MiInitializeEnclave(x,x,x,x,x)+78p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		push	14h
		push	offset dword_6A84D8
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_20], ecx
		mov	esi, ds:dword_70E754
		and	esi, 8
		mov	edi, [ebp+arg_C]
		and	dword ptr [edi], 0
		xor	eax, eax
		or	eax, esi
		jz	short loc_9904FB
		and	[ebp+ms_exc.disabled], 0
		push	10h
		pop	esi
		mov	[ebp+var_1C], esi

loc_990491:				; CODE XREF: KeInitializeEnclave(x,x,x,x,x,x)+6Bj
		push	[ebp+arg_4]
		push	ecx
		push	ebx
		push	2
		call	_KiEncls@16	; KiEncls(x,x,x,x)
		test	eax, eax
		jnz	short loc_9904AA
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_990500
; 

loc_9904AA:				; CODE XREF: KeInitializeEnclave(x,x,x,x,x,x)+3Ej
		mov	edx, 80h
		cmp	eax, edx
		jz	short loc_9904C3
		mov	[edi], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000048Fh
		jmp	short loc_990500
; 

loc_9904C3:				; CODE XREF: KeInitializeEnclave(x,x,x,x,x,x)+50j
		sub	esi, 1
		mov	[ebp+var_1C], esi
		mov	ecx, [ebp+var_20]
		jnz	short loc_990491
		mov	[edi], edx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000022Dh
		jmp	short loc_990500
; 

loc_9904DE:				; DATA XREF: .text:006A84ECo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9904EC:				; DATA XREF: .text:006A84F0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]
		jmp	short loc_990500
; 

loc_9904FB:				; CODE XREF: KeInitializeEnclave(x,x,x,x,x,x)+24j
		mov	eax, 0C00000BBh

loc_990500:				; CODE XREF: KeInitializeEnclave(x,x,x,x,x,x)+47j
					; KeInitializeEnclave(x,x,x,x,x,x)+60j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_KeInitializeEnclave@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ki386AdlibEmulation(x, x, x)
_Ki386AdlibEmulation@12	proc near	; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+AEp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [eax+80h]
		mov	esi, [eax+0F4h]
		test	dl, dl
		jz	short loc_990540
		mov	al, [esi+0ACh]
		mov	[edi+40h], al
		jmp	loc_9905C2
; 

loc_990540:				; CODE XREF: Ki386AdlibEmulation(x,x,x)+1Ej
		mov	al, [edi+40h]
		and	cl, 0Fh
		cmp	cl, 8
		jnz	short loc_990557
		movzx	eax, al
		mov	[esi+0AEh], ax
		jmp	short loc_9905C2
; 

loc_990557:				; CODE XREF: Ki386AdlibEmulation(x,x,x)+37j
		movzx	ecx, word ptr [esi+0AEh]
		mov	edx, 0B0h
		push	4
		pop	edi
		cmp	cx, dx
		jb	short loc_990573
		add	edx, 0Dh
		cmp	cx, dx
		jbe	short loc_990578

loc_990573:				; CODE XREF: Ki386AdlibEmulation(x,x,x)+57j
		cmp	cx, di
		jnz	short loc_9905C2

loc_990578:				; CODE XREF: Ki386AdlibEmulation(x,x,x)+5Fj
		cmp	cx, di
		jnz	short loc_99058A
		test	al, al
		jns	short loc_99058A
		xor	ecx, ecx
		mov	[esi+0ACh], cx

loc_99058A:				; CODE XREF: Ki386AdlibEmulation(x,x,x)+69j
					; Ki386AdlibEmulation(x,x,x)+6Dj
		test	al, 1
		jz	short loc_9905A7
		movzx	ecx, word ptr [esi+0ACh]
		test	cl, 40h
		jnz	short loc_9905A7
		or	ecx, 0C0h
		mov	[esi+0ACh], cx

loc_9905A7:				; CODE XREF: Ki386AdlibEmulation(x,x,x)+7Aj
					; Ki386AdlibEmulation(x,x,x)+86j
		test	al, 2
		jz	short loc_9905C2
		movzx	eax, word ptr [esi+0ACh]
		test	al, 20h
		jnz	short loc_9905C2
		or	eax, 0A0h
		mov	[esi+0ACh], ax

loc_9905C2:				; CODE XREF: Ki386AdlibEmulation(x,x,x)+29j
					; Ki386AdlibEmulation(x,x,x)+43j ...
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_Ki386AdlibEmulation@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ki386VdmDispatchIo(x, x, x,	x, x)
_Ki386VdmDispatchIo@20 proc near	; CODE XREF: OpcodeINBimm+1Ep
					; OpcodeINWimm+1Ep ...

var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_5C		= dword	ptr -5Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

		push	0E0h
		push	offset dword_6A85B8
		call	__SEH_prolog4_GS
		mov	ebx, [ebp+arg_10]
		xor	esi, esi
		mov	[ebp+var_F0], esi
		push	50h		; size_t
		push	esi		; int
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memset
		push	78h		; size_t
		push	esi		; int
		lea	eax, [ebp+var_E4]
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	[ebp+var_EC], esi
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		inc	eax
		cmp	edi, eax
		jnz	short loc_99068A
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [eax+0F4h]
		test	ecx, ecx
		jz	short loc_99068A
		movzx	edx, word ptr [ecx+0B8h]
		xor	eax, eax
		inc	eax
		cmp	dx, ax
		jz	short loc_99063D
		push	2
		pop	eax
		cmp	dx, ax
		jnz	short loc_99068A

loc_99063D:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+6Bj
		movzx	eax, word ptr [ecx+0B0h]
		mov	edx, [ebp+arg_0]
		cmp	edx, eax
		jb	short loc_990656
		movzx	eax, word ptr [ecx+0B2h]
		cmp	edx, eax
		jbe	short loc_99066F

loc_990656:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+81j
		movzx	eax, word ptr [ecx+0B4h]
		mov	edx, [ebp+arg_0]
		cmp	edx, eax
		jb	short loc_99068A
		movzx	eax, word ptr [ecx+0B6h]
		cmp	edx, eax
		ja	short loc_99068A

loc_99066F:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+8Cj
		push	ebx
		mov	dl, byte ptr [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	_Ki386AdlibEmulation@12	; Ki386AdlibEmulation(x,x,x)
		movzx	ecx, [ebp+arg_C]
		add	[ebx+68h], ecx

loc_990682:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+171j
					; Ki386VdmDispatchIo(x,x,x,x,x)+1DFj
		xor	eax, eax
		inc	eax
		jmp	loc_9907D4
; 

loc_99068A:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+46j
					; Ki386VdmDispatchIo(x,x,x,x,x)+5Cj ...
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		lea	eax, [ebp+var_EC]
		push	eax
		lea	eax, [ebp+var_E4]
		push	eax
		mov	edx, [ebp+arg_0]
		and	edx, 0FFFFFFFCh
		call	_Ps386GetVdmIoHandler@16 ; Ps386GetVdmIoHandler(x,x,x,x)
		mov	cl, al
		test	cl, cl
		jz	short loc_990702
		mov	eax, [ebx+40h]
		mov	[ebp+var_E8], eax
		mov	ecx, [ebp+arg_0]
		mov	eax, ecx
		xor	edx, edx
		div	edi
		lea	eax, [ebp+var_E8]
		push	eax
		push	[ebp+arg_8]
		push	edi
		test	edx, edx
		mov	edx, [ebp+var_EC]
		jz	short loc_9906EA
		push	ecx
		lea	ecx, [ebp+var_E4]
		call	_VdmDispatchUnalignedIoToHandler@24 ; VdmDispatchUnalignedIoToHandler(x,x,x,x,x,x)
		jmp	short loc_9906F8
; 

loc_9906EA:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+112j
		push	[ebp+arg_0]
		lea	ecx, [ebp+var_E4]
		call	_VdmDispatchIoToHandler@24 ; VdmDispatchIoToHandler(x,x,x,x,x,x)

loc_9906F8:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+120j
		mov	cl, al
		mov	eax, [ebp+var_E8]
		jmp	short loc_99070A
; 

loc_990702:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+EBj
		mov	eax, esi
		mov	[ebp+var_E8], eax

loc_99070A:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+138j
		test	cl, cl
		jz	short loc_99073E
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_990732
		sub	edi, 1
		jz	short loc_99072F
		sub	edi, 1
		jz	short loc_990729
		dec	edi
		sub	edi, 1
		jnz	short loc_990732
		mov	[ebx+40h], eax
		jmp	short loc_990732
; 

loc_990729:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+154j
		mov	[ebx+40h], ax
		jmp	short loc_990732
; 

loc_99072F:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+14Fj
		mov	[ebx+40h], al

loc_990732:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+14Aj
					; Ki386VdmDispatchIo(x,x,x,x,x)+15Aj ...
		movzx	eax, [ebp+arg_C]
		add	[ebx+68h], eax
		jmp	loc_990682
; 

loc_99073E:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+144j
		lea	ecx, [ebp+var_F0]
		call	_VdmpGetVdmTib@4 ; VdmpGetVdmTib(x)
		test	eax, eax
		jns	short loc_990765
		mov	[ebp+var_6C], 0C0000005h
		mov	[ebp+var_68], esi
		mov	[ebp+var_5C], esi
		lea	eax, [ebp+var_6C]
		push	eax
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		jmp	short loc_9907D2
; 

loc_990765:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+183j
		mov	[ebp+ms_exc.disabled], esi
		movzx	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_F0]
		mov	[ecx+5ACh], eax
		mov	[ecx+5A8h], esi
		mov	ax, word ptr [ebp+arg_0]
		mov	[ecx+5B0h], ax
		mov	[ecx+5B2h], di
		mov	eax, [ebp+arg_8]
		mov	[ecx+5B4h], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	ecx
		push	ebx
		call	_VdmEndExecution@8 ; VdmEndExecution(x,x)
		jmp	loc_990682
; 

loc_9907AC:				; DATA XREF: .text:006A85CCo
		xor	eax, eax
		inc	eax
		retn
; 

loc_9907B0:				; DATA XREF: .text:006A85D0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+var_6C], 0C0000005h
		xor	esi, esi
		mov	[ebp+var_68], esi
		mov	[ebp+var_5C], esi
		lea	eax, [ebp+var_6C]
		push	eax
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9907D2:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+19Bj
		xor	al, al

loc_9907D4:				; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+BDj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_Ki386VdmDispatchIo@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ki386VdmDispatchStringIo(x,	x, x, x, x, x, x, x)
_Ki386VdmDispatchStringIo@32 proc near	; CODE XREF: OpcodeINSB+31p
					; OpcodeINSW+31p ...

var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_5C		= dword	ptr -5Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h
arg_1C		= dword	ptr  24h

		push	0DCh
		push	offset dword_6A8598
		call	__SEH_prolog4_GS
		mov	edi, [ebp+arg_1C]
		xor	esi, esi
		mov	[ebp+var_EC], esi
		push	50h		; size_t
		push	esi		; int
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memset
		push	78h		; size_t
		push	esi		; int
		lea	eax, [ebp+var_E4]
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	[ebp+var_E8], esi
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		lea	eax, [ebp+var_E8]
		push	eax
		lea	eax, [ebp+var_E4]
		push	eax
		mov	ebx, [ebp+arg_0]
		mov	edx, ebx
		and	edx, 0FFFFFFFCh
		call	_Ps386GetVdmIoHandler@16 ; Ps386GetVdmIoHandler(x,x,x,x)
		test	al, al
		jz	short loc_9908BB
		push	[ebp+arg_14]
		push	[ebp+arg_C]
		push	[ebp+arg_10]
		push	[ebp+arg_4]
		push	ebx
		mov	edx, [ebp+var_E8]
		lea	ecx, [ebp+var_E4]
		call	_VdmDispatchStringIoToHandler@28 ; VdmDispatchStringIoToHandler(x,x,x,x,x,x,x)
		test	al, al
		jz	short loc_9908BB
		xor	ecx, ecx
		cmp	byte ptr [ebp+arg_C], cl
		setz	cl
		lea	ecx, ds:54h[ecx*4]
		mov	eax, [ebp+arg_10]
		imul	eax, [ebp+arg_4]
		movzx	edx, word ptr [ecx+edi]
		test	dword ptr [edi+70h], 400h
		jz	short loc_99089B
		sub	edx, eax
		movzx	eax, dx
		jmp	short loc_9908A0
; 

loc_99089B:				; CODE XREF: Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)+ACj
		add	eax, edx
		movzx	eax, ax

loc_9908A0:				; CODE XREF: Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)+B3j
		mov	[ecx+edi], ax
		cmp	[ebp+arg_8], 0
		jz	short loc_9908AD
		mov	[edi+3Ch], esi

loc_9908AD:				; CODE XREF: Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)+C2j
		movzx	eax, [ebp+arg_18]
		add	[edi+68h], eax

loc_9908B4:				; CODE XREF: Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)+160j
		mov	al, 1
		jmp	loc_990973
; 

loc_9908BB:				; CODE XREF: Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)+67j
					; Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)+89j
		lea	ecx, [ebp+var_EC]
		call	_VdmpGetVdmTib@4 ; VdmpGetVdmTib(x)
		test	eax, eax
		jns	short loc_9908E5
		mov	[ebp+var_6C], 0C0000005h
		mov	[ebp+var_68], esi
		mov	[ebp+var_5C], esi
		lea	eax, [ebp+var_6C]
		push	eax
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		jmp	loc_990971
; 

loc_9908E5:				; CODE XREF: Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)+E2j
		mov	[ebp+ms_exc.disabled], esi
		movzx	eax, [ebp+arg_18]
		mov	ecx, [ebp+var_EC]
		mov	[ecx+5ACh], eax
		mov	dword ptr [ecx+5A8h], 1
		mov	[ecx+5B0h], bx
		mov	ax, word ptr [ebp+arg_4]
		mov	[ecx+5B2h], ax
		mov	al, [ebp+arg_8]
		mov	[ecx+5B4h], al
		mov	al, byte ptr [ebp+arg_C]
		mov	[ecx+5B5h], al
		mov	eax, [ebp+arg_10]
		mov	[ecx+5B8h], eax
		mov	eax, [ebp+arg_14]
		mov	[ecx+5BCh], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	ecx
		push	edi
		call	_VdmEndExecution@8 ; VdmEndExecution(x,x)
		jmp	loc_9908B4
; 

loc_99094B:				; DATA XREF: .text:006A85ACo
		xor	eax, eax
		inc	eax
		retn
; 

loc_99094F:				; DATA XREF: .text:006A85B0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+var_6C], 0C0000005h
		xor	esi, esi
		mov	[ebp+var_68], esi
		mov	[ebp+var_5C], esi
		lea	eax, [ebp+var_6C]
		push	eax
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_990971:				; CODE XREF: Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)+FAj
		xor	al, al

loc_990973:				; CODE XREF: Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)+D0j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
_Ki386VdmDispatchStringIo@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmCallStringIoHandler(x, x, x, x, x, x, x,	x)
_VdmCallStringIoHandler@32 proc	near	; CODE XREF: VdmDispatchStringIoToHandler(x,x,x,x,x,x,x)+ACp

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6E		= byte ptr -6Eh
var_6D		= byte ptr -6Dh
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_5C		= dword	ptr -5Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		push	8Ch
		push	offset dword_6A8558
		call	__SEH_prolog4_GS
		mov	edi, edx
		mov	[ebp+var_84], ecx
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_7C], esi
		xor	ebx, ebx
		mov	[ebp+var_74], ebx
		push	50h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edx, [ebp+var_74]
		mov	ecx, [ebp+arg_14]
		call	_VdmConvertToLinearAddress@8 ; VdmConvertToLinearAddress(x,x)
		mov	cl, al
		mov	[ebp+var_6D], cl
		mov	[ebp+var_6E], cl
		test	cl, cl
		jnz	short loc_9909EA
		mov	[ebp+var_6C], 0C0000005h
		mov	[ebp+var_68], ebx
		mov	[ebp+var_5C], ebx
		lea	eax, [ebp+var_6C]
		push	eax
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		mov	al, 1
		jmp	loc_990BD7
; 

loc_9909EA:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+46j
		mov	ecx, esi
		imul	ecx, [ebp+arg_C]
		mov	[ebp+var_90], ecx
		mov	eax, ebx
		mov	[ebp+var_8C], eax
		mov	[ebp+var_98], eax
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		div	esi
		mov	eax, edx
		mov	[ebp+var_94], eax
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, eax
		neg	esi
		sbb	esi, esi
		not	esi
		and	esi, edi
		cmp	byte ptr [ebp+arg_10], 0
		jz	short loc_990A3D
		push	1
		push	ecx
		push	[ebp+var_74]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	byte ptr [ebp+var_80], 1
		mov	ecx, [ebp+var_90]
		jmp	short loc_990A5A
; 

loc_990A3D:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+9Fj
		test	ecx, ecx
		jz	short loc_990A56
		mov	edx, [ebp+var_74]
		lea	edi, [edx+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		ja	short loc_990A54
		cmp	edi, edx
		jnb	short loc_990A56

loc_990A54:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+C9j
		mov	[eax], bl

loc_990A56:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+BAj
					; VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+CDj
		mov	byte ptr [ebp+var_80], 2

loc_990A5A:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+B6j
		mov	edx, ebx

loc_990A5C:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+171j
		cmp	edx, ecx
		jnb	loc_990B8F
		lea	eax, [edx+400h]
		cmp	eax, ecx
		jbe	short loc_990A74
		mov	edi, ecx
		sub	edi, edx
		jmp	short loc_990A79
; 

loc_990A74:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+E7j
		mov	edi, 400h

loc_990A79:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+EDj
		cmp	byte ptr [ebp+arg_10], 0
		jnz	short loc_990A90
		push	edi		; size_t
		push	[ebp+var_74]	; void *
		push	offset _VdmStringIoBuffer ; void *
		call	_memcpy
		add	esp, 0Ch

loc_990A90:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+F8j
		mov	eax, edi
		xor	edx, edx
		div	[ebp+var_7C]
		mov	[ebp+var_88], eax
		test	esi, esi
		jz	short loc_990AFB
		push	eax
		push	offset _VdmStringIoBuffer
		push	[ebp+var_80]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	esi
		test	eax, eax
		js	short loc_990AC2
		mov	cl, [ebp+var_6D]
		or	cl, 1
		mov	[ebp+var_6D], cl
		mov	[ebp+var_6E], cl

loc_990AC2:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+12Fj
					; VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+186j	...
		cmp	byte ptr [ebp+arg_10], 0
		jz	short loc_990AD9
		push	edi		; size_t
		push	offset _VdmStringIoBuffer ; void *
		push	[ebp+var_74]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_990AD9:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+141j
		mov	edx, [ebp+var_8C]
		add	edx, edi
		mov	[ebp+var_8C], edx
		mov	[ebp+var_98], edx
		add	[ebp+var_74], edi
		mov	ecx, [ebp+var_90]
		jmp	loc_990A5C
; 

loc_990AFB:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+11Aj
		mov	ecx, ebx
		mov	[ebp+var_78], ecx
		cmp	[ebp+var_94], 0
		jz	short loc_990B4A

loc_990B09:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+1C3j
		cmp	ecx, eax
		jnb	short loc_990AC2
		mov	edx, [ebp+var_7C]
		mov	eax, edx
		imul	eax, ecx
		add	eax, offset _VdmStringIoBuffer
		push	eax
		push	[ebp+arg_10]
		push	edx
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_84]
		call	_VdmDispatchUnalignedIoToHandler@24 ; VdmDispatchUnalignedIoToHandler(x,x,x,x,x,x)
		mov	cl, [ebp+var_6D]
		or	cl, al
		mov	[ebp+var_6D], cl
		mov	[ebp+var_6E], cl
		mov	ecx, [ebp+var_78]
		inc	ecx
		mov	[ebp+var_78], ecx
		mov	eax, [ebp+var_88]
		jmp	short loc_990B09
; 

loc_990B4A:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+182j
					; VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+208j
		cmp	ecx, eax
		jnb	loc_990AC2
		mov	edx, [ebp+var_7C]
		mov	eax, edx
		imul	eax, ecx
		add	eax, offset _VdmStringIoBuffer
		push	eax
		push	[ebp+arg_10]
		push	edx
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_84]
		call	_VdmDispatchIoToHandler@24 ; VdmDispatchIoToHandler(x,x,x,x,x,x)
		mov	cl, [ebp+var_6D]
		or	cl, al
		mov	[ebp+var_6D], cl
		mov	[ebp+var_6E], cl
		mov	ecx, [ebp+var_78]
		inc	ecx
		mov	[ebp+var_78], ecx
		mov	eax, [ebp+var_88]
		jmp	short loc_990B4A
; 

loc_990B8F:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+D9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	cl, [ebp+var_6D]
		jmp	short loc_990BD5
; 

loc_990B9B:				; DATA XREF: .text:006A856Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_9C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_990BAC:				; DATA XREF: .text:006A8570o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_9C]
		mov	[ebp+var_6C], eax
		xor	ebx, ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_5C], ebx
		lea	eax, [ebp+var_6C]
		push	eax
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		mov	cl, 1
		mov	[ebp+var_6E], cl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_990BD5:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+214j
		mov	al, cl

loc_990BD7:				; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+60j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_VdmCallStringIoHandler@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmConvertToLinearAddress(x, x)
_VdmConvertToLinearAddress@8 proc near	; CODE XREF: VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+37p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	ebx
		push	edi
		mov	eax, [eax+20h]
		mov	ebx, edx
		mov	edi, ecx
		test	dword ptr [eax-1Ch], 20000h
		jz	short loc_990C25
		push	esi
		mov	esi, edi
		movzx	eax, di
		shr	esi, 0Ch
		and	esi, 0FFFF0h
		add	esi, eax
		mov	al, 1
		mov	[ebx], esi
		pop	esi
		jmp	short loc_990C48
; 

loc_990C25:				; CODE XREF: VdmConvertToLinearAddress(x,x)+22j
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, edi
		shr	eax, 10h
		push	eax
		call	_Ki386GetSelectorParameters@16 ; Ki386GetSelectorParameters(x,x,x,x)
		test	al, al
		jz	short loc_990C48
		movzx	ecx, di
		add	ecx, [ebp+var_4]
		mov	[ebx], ecx

loc_990C48:				; CODE XREF: VdmConvertToLinearAddress(x,x)+3Aj
					; VdmConvertToLinearAddress(x,x)+55j
		pop	edi
		pop	ebx
		leave
		retn
_VdmConvertToLinearAddress@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmDispatchIoToHandler(x, x, x, x, x, x)
_VdmDispatchIoToHandler@24 proc	near	; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+12Bp
					; VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+1EBp	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	edx, [ebp+arg_8]
		test	dl, dl
		push	1
		setz	cl
		mov	[ebp+var_8], edi
		inc	cl
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], ecx
		pop	ebx
		sub	eax, 1
		jz	loc_990D39
		sub	eax, ebx
		jz	short loc_990CE6
		dec	eax
		sub	eax, ebx
		jnz	loc_990D67
		test	dl, dl
		setz	al
		imul	eax, 38h
		mov	eax, [eax+esi+8]
		test	eax, eax
		jz	short loc_990CA3
		push	[ebp+arg_C]
		push	ecx
		jmp	loc_990D59
; 

loc_990CA3:				; CODE XREF: VdmDispatchIoToHandler(x,x,x,x,x,x)+4Cj
		mov	esi, [ebp+arg_C]
		mov	edi, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		push	esi
		push	edx
		mov	edx, [ebp+var_8]
		push	2
		push	edi
		call	_VdmDispatchIoToHandler@24 ; VdmDispatchIoToHandler(x,x,x,x,x,x)
		mov	edx, [ebp+var_8]
		mov	bl, al
		mov	ecx, [ebp+var_4]
		lea	eax, [esi+2]
		push	eax
		push	[ebp+arg_8]
		lea	eax, [edi+2]
		push	2
		push	eax
		call	_VdmDispatchIoToHandler@24 ; VdmDispatchIoToHandler(x,x,x,x,x,x)
		test	bl, bl
		jnz	short loc_990CDF
		test	al, al
		jz	loc_990D67

loc_990CDF:				; CODE XREF: VdmDispatchIoToHandler(x,x,x,x,x,x)+89j
		mov	al, 1
		jmp	loc_990D69
; 

loc_990CE6:				; CODE XREF: VdmDispatchIoToHandler(x,x,x,x,x,x)+33j
		xor	eax, eax
		test	dl, dl
		setz	al
		imul	ecx, eax, 0Eh
		mov	eax, [ebp+arg_0]
		and	eax, ebx
		add	ecx, eax
		mov	eax, [esi+ecx*4+10h]
		test	eax, eax
		jnz	short loc_990D53
		mov	esi, [ebp+arg_C]
		mov	ecx, [ebp+var_4]
		push	esi
		push	edx
		push	ebx
		push	[ebp+arg_0]
		mov	edx, edi
		call	_VdmDispatchIoToHandler@24 ; VdmDispatchIoToHandler(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	bl, al
		lea	eax, [esi+1]
		mov	edx, edi
		push	eax
		push	[ebp+arg_8]
		mov	eax, [ebp+arg_0]
		push	1
		inc	eax
		push	eax
		call	_VdmDispatchIoToHandler@24 ; VdmDispatchIoToHandler(x,x,x,x,x,x)
		test	bl, bl
		jnz	short loc_990D34
		test	al, al
		jz	short loc_990D67

loc_990D34:				; CODE XREF: VdmDispatchIoToHandler(x,x,x,x,x,x)+E2j
		xor	eax, eax
		inc	eax
		jmp	short loc_990D69
; 

loc_990D39:				; CODE XREF: VdmDispatchIoToHandler(x,x,x,x,x,x)+2Bj
		xor	eax, eax
		test	dl, dl
		setz	al
		imul	ecx, eax, 0Eh
		mov	eax, [ebp+arg_0]
		and	eax, 3
		add	ecx, eax
		mov	eax, [esi+ecx*4+20h]
		test	eax, eax
		jz	short loc_990D67

loc_990D53:				; CODE XREF: VdmDispatchIoToHandler(x,x,x,x,x,x)+B1j
		push	[ebp+arg_C]
		push	[ebp+var_C]

loc_990D59:				; CODE XREF: VdmDispatchIoToHandler(x,x,x,x,x,x)+52j
		push	[ebp+arg_0]
		push	edi
		call	eax
		test	eax, eax
		js	short loc_990D67
		mov	al, bl
		jmp	short loc_990D69
; 

loc_990D67:				; CODE XREF: VdmDispatchIoToHandler(x,x,x,x,x,x)+38j
					; VdmDispatchIoToHandler(x,x,x,x,x,x)+8Dj ...
		xor	al, al

loc_990D69:				; CODE XREF: VdmDispatchIoToHandler(x,x,x,x,x,x)+95j
					; VdmDispatchIoToHandler(x,x,x,x,x,x)+EBj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_VdmDispatchIoToHandler@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmDispatchStringIoToHandler(x, x, x, x, x,	x, x)
_VdmDispatchStringIoToHandler@28 proc near
					; CODE XREF: Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)+82p

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	0Ch
		push	offset dword_6A8578
		call	__SEH_prolog4
		mov	edi, edx
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_19], bl
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _VdmStringIoMutex
		call	KeWaitForSingleObject
		test	eax, eax
		jns	short loc_990D9E
		xor	al, al
		jmp	loc_990E56
; 

loc_990D9E:				; CODE XREF: VdmDispatchStringIoToHandler(x,x,x,x,x,x,x)+25j
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+arg_4]
		sub	eax, 1
		jz	short loc_990DF6
		sub	eax, 1
		jz	short loc_990DD1
		dec	eax
		sub	eax, 1
		jnz	short loc_990E27
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	4
		push	[ebp+arg_0]
		cmp	byte ptr [ebp+arg_C], al
		setz	al
		imul	edx, eax, 38h
		mov	edx, [edx+esi+0Ch]
		jmp	short loc_990E19
; 

loc_990DD1:				; CODE XREF: VdmDispatchStringIoToHandler(x,x,x,x,x,x,x)+3Cj
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	2
		mov	ecx, [ebp+arg_0]
		push	ecx
		xor	eax, eax
		cmp	byte ptr [ebp+arg_C], al
		setz	al
		imul	edx, eax, 0Eh
		and	ecx, 1
		add	edx, ecx
		mov	edx, [esi+edx*4+18h]
		jmp	short loc_990E19
; 

loc_990DF6:				; CODE XREF: VdmDispatchStringIoToHandler(x,x,x,x,x,x,x)+37j
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	1
		mov	ecx, [ebp+arg_0]
		push	ecx
		xor	eax, eax
		cmp	byte ptr [ebp+arg_C], al
		setz	al
		imul	edx, eax, 0Eh
		and	ecx, 3
		add	edx, ecx
		mov	edx, [esi+edx*4+30h]

loc_990E19:				; CODE XREF: VdmDispatchStringIoToHandler(x,x,x,x,x,x,x)+5Fj
					; VdmDispatchStringIoToHandler(x,x,x,x,x,x,x)+84j
		push	edi
		mov	ecx, esi
		call	_VdmCallStringIoHandler@32 ; VdmCallStringIoHandler(x,x,x,x,x,x,x,x)
		mov	[ebp+var_1A], al
		mov	[ebp+var_19], al

loc_990E27:				; CODE XREF: VdmDispatchStringIoToHandler(x,x,x,x,x,x,x)+42j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_990E48
; 

loc_990E30:				; DATA XREF: .text:006A858Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_990E34:				; DATA XREF: .text:006A8590o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	al, 1
		mov	[ebp+var_19], al
		mov	[ebp+var_1A], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx

loc_990E48:				; CODE XREF: VdmDispatchStringIoToHandler(x,x,x,x,x,x,x)+BEj
		push	ebx
		push	offset _VdmStringIoMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	al, [ebp+var_19]

loc_990E56:				; CODE XREF: VdmDispatchStringIoToHandler(x,x,x,x,x,x,x)+29j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_VdmDispatchStringIoToHandler@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmDispatchUnalignedIoToHandler(x, x, x, x,	x, x)
_VdmDispatchUnalignedIoToHandler@24 proc near
					; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+11Bp
					; VdmCallStringIoHandler(x,x,x,x,x,x,x,x)+1A6p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		xor	edx, edx
		mov	[ebp+var_4], ebx
		mov	eax, edi
		mov	[ebp+var_8], ecx
		div	[ebp+arg_4]
		push	[ebp+arg_C]
		not	edx
		push	[ebp+arg_8]
		and	edx, 1
		lea	esi, [edx+1]
		mov	edx, ebx
		push	esi
		push	edi
		call	_VdmDispatchIoToHandler@24 ; VdmDispatchIoToHandler(x,x,x,x,x,x)
		cmp	[ebp+arg_4], 4
		mov	bl, al
		jnz	short loc_990EC2
		mov	eax, [ebp+arg_C]
		mov	edx, [ebp+var_4]
		add	eax, esi
		mov	ecx, [ebp+var_8]
		push	eax
		push	[ebp+arg_8]
		lea	eax, [esi+edi]
		push	2
		push	eax
		call	_VdmDispatchIoToHandler@24 ; VdmDispatchIoToHandler(x,x,x,x,x,x)
		or	bl, al
		add	esi, 2

loc_990EC2:				; CODE XREF: VdmDispatchUnalignedIoToHandler(x,x,x,x,x,x)+39j
		cmp	esi, 4
		jz	short loc_990EE3
		mov	eax, [ebp+arg_C]
		lea	ecx, [esi+edi]
		mov	edx, [ebp+var_4]
		add	eax, esi
		push	eax
		push	[ebp+arg_8]
		push	1
		push	ecx
		mov	ecx, [ebp+var_8]
		call	_VdmDispatchIoToHandler@24 ; VdmDispatchIoToHandler(x,x,x,x,x,x)
		or	bl, al

loc_990EE3:				; CODE XREF: VdmDispatchUnalignedIoToHandler(x,x,x,x,x,x)+5Dj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	10h
_VdmDispatchUnalignedIoToHandler@24 endp


;  S U B	R O U T	I N E 


; __stdcall KeRequestTerminationProcess(x, x)
_KeRequestTerminationProcess@8 proc near ; CODE	XREF: MiForceCrashForInvalidAccess(x,x)+42p
					; MiForceCrashForInvalidAccess(x,x)+143p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		shl	edx, 12h
		lea	ebx, [edi+5Ch]
		mov	esi, [ebx]
		test	esi, 0C0000h
		jnz	short loc_990F1A

loc_990F03:				; CODE XREF: KeRequestTerminationProcess(x,x)+2Cj
		mov	ecx, esi
		mov	eax, esi
		or	ecx, edx
		lock cmpxchg [ebx], ecx
		cmp	esi, eax
		jz	short loc_990F1E
		mov	esi, eax
		test	eax, 0C0000h
		jz	short loc_990F03

loc_990F1A:				; CODE XREF: KeRequestTerminationProcess(x,x)+15j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_990F1E:				; CODE XREF: KeRequestTerminationProcess(x,x)+23j
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	KeRequestTerminationThread
_KeRequestTerminationProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ki386CheckDivideByZeroTrap(x)
_Ki386CheckDivideByZeroTrap@4 proc near	; CODE XREF: KiScanForPrefix+3D0p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	28h
		push	offset dword_6A85D8
		call	__SEH_prolog4
		mov	[ebp+var_38], 0C0000094h
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebp+var_1B], al
		xor	ebx, ebx
		inc	ebx
		cmp	al, bl
		jnb	short loc_990F56
		mov	cl, bl
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1B], al

loc_990F56:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+21j
		mov	[ebp+var_1A], bl
		mov	[ebp+var_30], offset byte_6B65E8
		mov	[ebp+var_28], 4
		or	[ebp+var_2C], 0FFFFFFFFh
		xor	edx, edx
		mov	al, dl
		mov	[ebp+var_19], al
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+68h]
		mov	[ebp+var_24], ecx
		mov	[ebp+ms_exc.disabled], edx

loc_990F7E:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+82j
					; Ki386CheckDivideByZeroTrap(x)+87j ...
		cmp	[ebp+var_1A], 0
		jz	short loc_990FFA
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_990F8F
		mov	ecx, eax

loc_990F8F:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+63j
		nop
		mov	al, [ecx]
		mov	[ebp+var_19], al
		mov	ecx, [ebp+var_24]
		inc	ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_19], al
		movzx	eax, al
		cmp	eax, 65h
		ja	short loc_990FC2
		cmp	eax, 64h
		jnb	short loc_990F7E
		cmp	eax, 26h
		jz	short loc_990F7E
		cmp	eax, 2Eh
		jz	short loc_990F7E
		cmp	eax, 36h
		jz	short loc_990F7E
		cmp	eax, 3Eh
		jz	short loc_990F7E
		jmp	short loc_990FE5
; 

loc_990FC2:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+7Dj
		cmp	eax, 66h
		jz	short loc_990FEA
		cmp	eax, 67h
		jz	loc_99117F
		cmp	eax, 0F0h
		jz	short loc_990F7E
		cmp	eax, 0F1h
		jbe	short loc_990FE5
		cmp	eax, 0F3h
		jbe	short loc_990F7E

loc_990FE5:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+98j
					; Ki386CheckDivideByZeroTrap(x)+B4j
		mov	[ebp+var_1A], dl
		jmp	short loc_990F7E
; 

loc_990FEA:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+9Dj
		mov	[ebp+var_28], 2
		mov	[ebp+var_2C], 0FFFFh
		jmp	short loc_990F7E
; 

loc_990FFA:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+5Aj
		mov	al, [ebp+var_19]
		cmp	al, 0F7h
		jz	short loc_991009
		cmp	al, 0F6h
		jnz	loc_99117F

loc_991009:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+D7j
		cmp	al, 0F6h
		jnz	short loc_991017
		mov	[ebp+var_28], ebx
		mov	[ebp+var_2C], 0FFh

loc_991017:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+E3j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_991022
		mov	ecx, eax

loc_991022:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+F6j
		nop
		mov	al, [ecx]
		mov	[ebp+var_19], al
		mov	esi, [ebp+var_24]
		inc	esi
		mov	[ebp+var_24], esi
		mov	ch, al
		movzx	eax, ch
		shr	eax, 6
		lea	edi, unk_6B65D8[eax*4]
		mov	[ebp+var_34], edi
		mov	cl, ch
		and	cl, 7
		mov	[ebp+var_1C], cl
		cmp	[ebp+var_28], ebx
		jnz	short loc_99105D
		and	ch, 0C0h
		cmp	ch, 0C0h
		jnz	short loc_99105D
		mov	[ebp+var_30], offset unk_6B65F0

loc_99105D:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+124j
					; Ki386CheckDivideByZeroTrap(x)+12Cj
		mov	[ebp+var_20], edx
		cmp	cl, [edi]
		jz	short loc_9910DE
		cmp	cl, [edi+1]
		jnz	short loc_9910CB
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_991074
		mov	esi, eax

loc_991074:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+148j
		nop
		mov	al, [esi]
		mov	[ebp+var_19], al
		mov	esi, [ebp+var_24]
		inc	esi
		mov	[ebp+var_24], esi
		movzx	edi, al
		mov	eax, edi
		shr	eax, 3
		and	eax, 7
		cmp	eax, 4
		jz	short loc_9910AD
		movzx	eax, byte_6B65E8[eax]
		mov	edx, [ebp+arg_0]
		mov	edx, [eax+edx]
		mov	[ebp+var_20], edx
		mov	ecx, edi
		shr	ecx, 6
		shl	edx, cl
		mov	[ebp+var_20], edx
		jmp	short loc_9910B0
; 

loc_9910AD:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+167j
		mov	edx, [ebp+var_20]

loc_9910B0:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+183j
		and	edi, 7
		movzx	eax, byte_6B65E8[edi]
		mov	ecx, [ebp+arg_0]
		add	edx, [eax+ecx]
		mov	[ebp+var_20], edx
		mov	cl, [ebp+var_1C]
		mov	edi, [ebp+var_34]
		jmp	short loc_9910DE
; 

loc_9910CB:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+13Fj
		movzx	edx, cl
		mov	eax, [ebp+var_30]
		movzx	eax, byte ptr [edx+eax]
		mov	edx, [ebp+arg_0]
		mov	edx, [eax+edx]
		mov	[ebp+var_20], edx

loc_9910DE:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+13Aj
					; Ki386CheckDivideByZeroTrap(x)+1A1j
		shl	ebx, cl
		test	[edi+2], bl
		jz	short loc_991115
		mov	eax, ds:_MmUserProbeAddress
		cmp	byte ptr [edi+3], 4
		jnz	short loc_9910FB
		cmp	esi, eax
		jb	short loc_9910F6
		mov	esi, eax

loc_9910F6:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+1CAj
		nop
		mov	eax, [esi]
		jmp	short loc_99110A
; 

loc_9910FB:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+1C6j
		cmp	esi, eax
		jb	short loc_991101
		mov	esi, eax

loc_991101:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+1D5j
		nop
		mov	al, [esi]
		mov	[ebp+var_19], al
		movsx	eax, al

loc_99110A:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+1D1j
		mov	edx, [ebp+var_20]
		add	edx, eax
		mov	[ebp+var_20], edx
		mov	edi, [ebp+var_34]

loc_991115:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+1BBj
		cmp	byte ptr [edi+3], 0
		jz	short loc_99116A
		test	edx, edx
		jz	short loc_99116A
		mov	eax, [ebp+var_28]
		sub	eax, 1
		jz	short loc_991156
		sub	eax, 1
		jz	short loc_991142
		dec	eax
		sub	eax, 1
		jnz	short loc_99116A
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_99113D
		mov	edx, eax

loc_99113D:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+211j
		nop
		mov	edx, [edx]
		jmp	short loc_991167
; 

loc_991142:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+202j
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_99114D
		mov	edx, eax

loc_99114D:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+221j
		nop
		mov	ax, [edx]
		movzx	edx, ax
		jmp	short loc_991167
; 

loc_991156:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+1FDj
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_991161
		mov	edx, eax

loc_991161:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+235j
		nop
		mov	al, [edx]
		movzx	edx, al

loc_991167:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+218j
					; Ki386CheckDivideByZeroTrap(x)+22Cj
		mov	[ebp+var_20], edx

loc_99116A:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+1F1j
					; Ki386CheckDivideByZeroTrap(x)+1F5j ...
		test	[ebp+var_2C], edx
		jz	short loc_99117F
		mov	[ebp+var_38], 0C0000095h
		jmp	short loc_99117F
; 

loc_991178:				; DATA XREF: .text:006A85ECo
		xor	eax, eax
		inc	eax
		retn
; 

loc_99117C:				; DATA XREF: .text:006A85F0o
		mov	esp, [ebp+ms_exc.old_esp]

loc_99117F:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+A2j
					; Ki386CheckDivideByZeroTrap(x)+DBj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, [ebp+var_1B]
		cmp	al, 1
		jnb	short loc_991195
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_991195:				; CODE XREF: Ki386CheckDivideByZeroTrap(x)+263j
		mov	eax, [ebp+var_38]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_Ki386CheckDivideByZeroTrap@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1147. KeFreeCalloutStack

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeFreeCalloutStack(x)
		public _KeFreeCalloutStack@4
_KeFreeCalloutStack@4 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		cmp	[esi+4], bl
		setnz	bl
		and	[esp+10h+var_4], 0
		cmp	byte ptr [esi+5], 0
		jbe	short loc_9911FD
		lea	edi, [esi+28h]

loc_9911D4:				; CODE XREF: KeFreeCalloutStack(x)+4Cj
		mov	ecx, [edi]
		mov	edx, ebx
		call	_MmDeleteKernelStack@8 ; MmDeleteKernelStack(x,x)
		mov	eax, ds:_MmBadPointer
		mov	ecx, [esp+10h+var_4]
		add	eax, 1000h
		mov	[edi], eax
		inc	ecx
		movzx	eax, byte ptr [esi+5]
		lea	edi, [edi+4]
		mov	[esp+10h+var_4], ecx
		cmp	ecx, eax
		jb	short loc_9911D4

loc_9911FD:				; CODE XREF: KeFreeCalloutStack(x)+20j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_KeFreeCalloutStack@4 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 1126. KeDeregisterProcessorChangeCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeDeregisterProcessorChangeCallback(x)
		public _KeDeregisterProcessorChangeCallback@4
_KeDeregisterProcessorChangeCallback@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_0]
		call	ExUnregisterCallback
		pop	ecx
		pop	ebp
		retn	4
_KeDeregisterProcessorChangeCallback@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1312. KeStartDynamicProcessor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeStartDynamicProcessor(x, x, x, x)
		public _KeStartDynamicProcessor@16
_KeStartDynamicProcessor@16 proc near

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	eax, ds:_PsInitialSystemProcess
		jnz	short loc_9912A3
		cmp	ds:_KeDynamicPartitioningSupported, 0
		jz	short loc_9912A3
		push	esi
		push	edi
		mov	edi, offset _KiDynamicProcessorLock
		mov	ecx, edi
		call	ExAcquireFastMutexUnsafe
		mov	eax, ds:_KeNumberProcessors
		cmp	eax, ds:_KeMaximumProcessors
		jnb	short loc_991283
		mov	ecx, ds:_KeNumberProcessors
		mov	eax, [ebp+arg_C]
		mov	edx, [ebp+arg_4]
		push	ecx
		push	[ebp+arg_8]
		mov	[eax], ecx
		call	_KiStartDynamicProcessor@16 ; KiStartDynamicProcessor(x,x,x,x)
		mov	esi, eax
		jmp	short loc_991288
; 

loc_991283:				; CODE XREF: KeStartDynamicProcessor(x,x,x,x)+3Bj
		mov	esi, 0C0000259h

loc_991288:				; CODE XREF: KeStartDynamicProcessor(x,x,x,x)+56j
		mov	ecx, edi
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		test	esi, esi
		js	short loc_99129D
		call	_PnpInitializeProcessor@4 ; PnpInitializeProcessor(x)
		call	_PsUpdateActiveProcessAffinity@0 ; PsUpdateActiveProcessAffinity()

loc_99129D:				; CODE XREF: KeStartDynamicProcessor(x,x,x,x)+66j
		pop	edi
		mov	eax, esi
		pop	esi
		jmp	short loc_9912A8
; 

loc_9912A3:				; CODE XREF: KeStartDynamicProcessor(x,x,x,x)+17j
					; KeStartDynamicProcessor(x,x,x,x)+20j
		mov	eax, 0C0000001h

loc_9912A8:				; CODE XREF: KeStartDynamicProcessor(x,x,x,x)+76j
		pop	ebp
		retn	10h
_KeStartDynamicProcessor@16 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1176. KeInitializeSecondaryInterruptServices

;  S U B	R O U T	I N E 


; __stdcall KeInitializeSecondaryInterruptServices(x)
		public _KeInitializeSecondaryInterruptServices@4
_KeInitializeSecondaryInterruptServices@4 proc near
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	6953654Bh
		mov	edi, 1C00h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	_KiGlobalSecondaryIDT, esi
		test	esi, esi
		jnz	short loc_9912DE
		mov	ebx, 0C000009Ah
		jmp	short loc_991339
; 

loc_9912DE:				; CODE XREF: KeInitializeSecondaryInterruptServices(x)+24j
		push	edi		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	edi, 100h

loc_9912F0:				; CODE XREF: KeInitializeSecondaryInterruptServices(x)+54j
		push	1
		push	1
		lea	eax, [esi+4]
		mov	[esi], ebx
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	esi, [esi+1Ch]
		sub	edi, 1
		jnz	short loc_9912F0
		push	ebx
		mov	eax, offset _KiSecondarySignalList
		push	offset _KiProcessSecondarySignalList@16	; KiProcessSecondarySignalList(x,x,x,x)
		push	offset _KiSecondarySignalDpc
		mov	dword_6C75FC, eax
		mov	_KiSecondarySignalList,	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	_KiSecondarySignalListLock, ebx
		mov	_KiSecondarySignalDpcRunning, bl
		mov	_KiSecondaryInterruptServicesEnabled, 1

loc_991339:				; CODE XREF: KeInitializeSecondaryInterruptServices(x)+2Bj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn	4
_KeInitializeSecondaryInterruptServices@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeEnableProfiling(x, x, x, x, x)
_KeEnableProfiling@20 proc near		; CODE XREF: NtSetInformationThread+104458p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ebx
		push	esi
		mov	esi, ecx
		test	ebx, 0FFFFFFFEh
		jz	short loc_991362
		mov	eax, 0C000000Dh
		jmp	loc_9913EF
; 

loc_991362:				; CODE XREF: KeEnableProfiling(x,x,x,x,x)+15j
		cmp	dword ptr [esi+0F4h], 0
		jz	short loc_991372
		mov	eax, 0C0000303h
		jmp	short loc_9913EF
; 

loc_991372:				; CODE XREF: KeEnableProfiling(x,x,x,x,x)+28j
		push	edi
		push	666F7250h
		push	1A8h
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	edi, eax
		test	edi, edi
		jnz	short loc_991394
		mov	eax, 0C0000017h
		jmp	short loc_9913EE
; 

loc_991394:				; CODE XREF: KeEnableProfiling(x,x,x,x,x)+4Aj
		push	1A8h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+arg_8]
		add	esp, 0Ch
		mov	[edi+8], eax
		mov	eax, [ebp+arg_4]
		mov	[edi+0Ch], ebx
		mov	ebx, [ebp+arg_0]
		mov	[edi+20h], ebx
		mov	[edi+24h], eax
		mov	[esi+0F4h], edi
		lock bts dword ptr [esi], 10h
		xor	edx, edx
		mov	ecx, esi
		call	_KeUpdateTotalCyclesCurrentThread@8 ; KeUpdateTotalCyclesCurrentThread(x,x)
		test	byte ptr [ebp+var_4], 1
		mov	[edi+18h], eax
		mov	[edi+1Ch], edx
		jnz	short loc_9913DE
		or	ebx, [ebp+arg_4]
		jz	short loc_9913EC

loc_9913DE:				; CODE XREF: KeEnableProfiling(x,x,x,x,x)+96j
		xor	dl, dl
		mov	ecx, esi
		call	@KiBeginCounterAccumulation@8 ;	KiBeginCounterAccumulation(x,x)
		lock bts dword ptr [esi], 11h

loc_9913EC:				; CODE XREF: KeEnableProfiling(x,x,x,x,x)+9Bj
		xor	eax, eax

loc_9913EE:				; CODE XREF: KeEnableProfiling(x,x,x,x,x)+51j
		pop	edi

loc_9913EF:				; CODE XREF: KeEnableProfiling(x,x,x,x,x)+1Cj
					; KeEnableProfiling(x,x,x,x,x)+2Fj
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_KeEnableProfiling@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeInitializeProfile(x, x, x, x, x, x, x, x,	x)
_KeInitializeProfile@36	proc near	; CODE XREF: NtStartProfile(x)+17Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= word ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, offset _KeActiveProcessors
		push	17h
		pop	eax
		push	34h
		mov	[edi], ax
		xor	ecx, ecx
		pop	eax
		mov	[edi+2], ax
		mov	eax, [ebp+arg_0]
		mov	[edi+0Ch], edx
		mov	edx, [ebp+arg_4]
		mov	[edi+1Ch], eax
		mov	eax, [ebp+arg_8]
		add	eax, edx
		mov	[edi+10h], edx
		mov	[edi+14h], eax
		mov	eax, [ebp+arg_C]
		add	eax, 0FFFFFFFEh
		mov	[edi+32h], cl
		mov	[edi+18h], eax
		mov	eax, [ebp+arg_10]
		mov	[edi+20h], eax
		mov	ax, [ebp+arg_14]
		mov	[edi+30h], ax
		cmp	[ebp+arg_18], ecx
		jz	short loc_991457
		lea	eax, [edi+24h]
		push	eax
		push	esi
		push	[ebp+arg_18]
		call	_KeAndAffinityEx@12 ; KeAndAffinityEx(x,x,x)
		mov	ecx, eax

loc_991457:				; CODE XREF: KeInitializeProfile(x,x,x,x,x,x,x,x,x)+51j
		test	ecx, ecx
		jnz	short loc_991461
		add	edi, 24h
		movsd
		movsd
		movsd

loc_991461:				; CODE XREF: KeInitializeProfile(x,x,x,x,x,x,x,x,x)+64j
		pop	edi
		pop	esi
		pop	ebp
		retn	1Ch
_KeInitializeProfile@36	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall KeInitializeProfileCallback(void *,int,int,__int16)
_KeInitializeProfileCallback@16	proc near ; CODE XREF: EtwpSetPmcProfileSource(x,x)+ACp
					; EtwpTimeProfileInit()+1Ep ...

arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	34h
		pop	ebx
		push	ebx		; size_t
		mov	edi, ecx
		mov	esi, edx
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[edi+10h], esi
		mov	[edi+2], bx
		mov	esi, offset _KeActiveProcessors
		push	11h
		pop	eax
		mov	[edi], ax
		mov	eax, [ebp+arg_0]
		mov	[edi+14h], eax
		mov	ax, [ebp+arg_4]
		mov	[edi+30h], ax
		add	edi, 24h
		movsd
		movsd
		movsd
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_KeInitializeProfileCallback@16	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1223. KeQueryHardwareCounterConfiguration

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryHardwareCounterConfiguration(x, x, x)
		public _KeQueryHardwareCounterConfiguration@12
_KeQueryHardwareCounterConfiguration@12	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _KiHwCountersCount
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[esi], eax
		cmp	eax, [ebp+arg_4]
		jbe	short loc_9914D0
		mov	eax, 0C0000023h
		jmp	short loc_9914FB
; 

loc_9914D0:				; CODE XREF: KeQueryHardwareCounterConfiguration(x,x,x)+13j
		xor	edx, edx
		test	eax, eax
		jz	short loc_9914F9
		mov	ecx, [ebp+arg_0]
		add	ecx, 8

loc_9914DC:				; CODE XREF: KeQueryHardwareCounterConfiguration(x,x,x)+43j
		and	dword ptr [ecx-8], 0
		and	dword ptr [ecx-4], 0
		and	dword ptr [ecx+4], 0
		mov	eax, _KiHwCounters[edx*4]
		inc	edx
		mov	[ecx], eax
		lea	ecx, [ecx+10h]
		cmp	edx, [esi]
		jb	short loc_9914DC

loc_9914F9:				; CODE XREF: KeQueryHardwareCounterConfiguration(x,x,x)+20j
		xor	eax, eax

loc_9914FB:				; CODE XREF: KeQueryHardwareCounterConfiguration(x,x,x)+1Aj
		pop	esi
		pop	ebp
		retn	0Ch
_KeQueryHardwareCounterConfiguration@12	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1291. KeSetHardwareCounterConfiguration

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetHardwareCounterConfiguration(x, x)
		public _KeSetHardwareCounterConfiguration@8
_KeSetHardwareCounterConfiguration@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		cmp	ecx, 10h
		jbe	short loc_991519
		mov	eax, 0C000000Dh
		jmp	short loc_991554
; 

loc_991519:				; CODE XREF: KeSetHardwareCounterConfiguration(x,x)+Bj
		test	ecx, ecx
		jz	short loc_99152D
		cmp	_KiHwCountersCount, 0
		jz	short loc_99152D
		mov	eax, 0C0000303h
		jmp	short loc_991554
; 

loc_99152D:				; CODE XREF: KeSetHardwareCounterConfiguration(x,x)+16j
					; KeSetHardwareCounterConfiguration(x,x)+1Fj
		xor	edx, edx
		test	ecx, ecx
		jz	short loc_99154C
		push	esi
		mov	esi, [ebp+arg_0]
		add	esi, 8

loc_99153A:				; CODE XREF: KeSetHardwareCounterConfiguration(x,x)+44j
		mov	eax, [esi]
		lea	esi, [esi+10h]
		mov	_KiHwCounters[edx*4], eax
		inc	edx
		cmp	edx, ecx
		jb	short loc_99153A
		pop	esi

loc_99154C:				; CODE XREF: KeSetHardwareCounterConfiguration(x,x)+2Cj
		mov	_KiHwCountersCount, ecx
		xor	eax, eax

loc_991554:				; CODE XREF: KeSetHardwareCounterConfiguration(x,x)+12j
					; KeSetHardwareCounterConfiguration(x,x)+26j
		pop	ebp
		retn	8
_KeSetHardwareCounterConfiguration@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetIntervalProfile(x, x)
_KeSetIntervalProfile@8	proc near	; CODE XREF: EtwpTimeProfileInit()+9p
					; EtwpCoverageSamplerStart(x)+217p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, edx
		and	[ebp+var_2C], ebx
		and	[ebp+var_28], ebx
		test	dword ptr ds:byte_70EFC4, 402h
		push	edi
		mov	edi, ecx
		mov	[ebp+var_24], edi
		jz	short loc_991591
		mov	ecx, esi
		call	_KeQueryIntervalProfile@4 ; KeQueryIntervalProfile(x)
		mov	ebx, eax

loc_991591:				; CODE XREF: KeSetIntervalProfile(x,x)+2Ej
		test	esi, esi
		jnz	short loc_9915AC
		test	ds:_KiCacheErrataMonitor, 0FFFFFFFCh
		jz	short loc_9915B9
		lea	ecx, [ebp+var_24]
		call	_KiSanitizeProfileInterval@4 ; KiSanitizeProfileInterval(x)
		mov	edi, [ebp+var_24]

loc_9915AC:				; CODE XREF: KeSetIntervalProfile(x,x)+3Bj
		cmp	esi, 1
		jnz	short loc_9915B9
		mov	_KiProfileAlignmentFixupInterval, edi
		jmp	short loc_9915D4
; 

loc_9915B9:				; CODE XREF: KeSetIntervalProfile(x,x)+47j
					; KeSetIntervalProfile(x,x)+57j
		push	1
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_2C], esi
		push	eax
		mov	edx, offset _KiSetIntervalWorker@8 ; KiSetIntervalWorker(x,x)
		mov	[ebp+var_28], edi
		mov	ecx, offset _KeActiveProcessors
		call	_KeGenericProcessorCallback@16 ; KeGenericProcessorCallback(x,x,x,x)

loc_9915D4:				; CODE XREF: KeSetIntervalProfile(x,x)+5Fj
		test	dword ptr ds:byte_70EFC4, 402h
		jz	short loc_991623
		mov	ecx, esi
		call	_KeQueryIntervalProfile@4 ; KeQueryIntervalProfile(x)
		cmp	eax, ebx
		jz	short loc_991623
		and	[ebp+var_1C], 0
		lea	ecx, [ebp+var_20]
		and	[ebp+var_14], 0
		xor	edx, edx
		push	(offset	off_401900+2)
		mov	[ebp+var_C], eax
		inc	edx
		push	0F48h
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], esi
		push	20000402h
		mov	[ebp+var_8], ebx
		mov	[ebp+var_20], eax
		mov	[ebp+var_18], 0Ch
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_991623:				; CODE XREF: KeSetIntervalProfile(x,x)+86j
					; KeSetIntervalProfile(x,x)+91j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KeSetIntervalProfile@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiCopyCountersWorker(x, x)
_KiCopyCountersWorker@8	proc near	; CODE XREF: KiCopyCounters(x)+2Ep

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	38h
		push	offset dword_6A86A0
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_1C], ebx
		mov	esi, ecx
		mov	edi, [ebx+8]
		and	[ebp+ms_exc.disabled], 0
		lea	eax, [edi+4]
		push	eax
		call	_KeGetCurrentProcessorNumberEx@4 ; KeGetCurrentProcessorNumberEx(x)
		mov	ecx, [esi+30h]
		mov	eax, [esi+34h]
		sub	ecx, [ebx+18h]
		sbb	eax, [ebx+1Ch]
		mov	[edi+38h], ecx
		mov	[edi+3Ch], eax
		mov	ecx, large fs:20h
		mov	eax, [ecx+3B40h]
		mov	ecx, [ecx+3B44h]
		mov	[edi+30h], eax
		mov	[edi+34h], ecx
		test	byte ptr [ebx+0Ch], 1
		jz	short loc_9916C2
		mov	eax, [ebx+10h]
		mov	[edi+8], eax
		mov	eax, [ebx]
		or	eax, [ebx+4]
		jz	short loc_9916C2

loc_991693:				; CODE XREF: KiCopyCountersWorker(x,x)+81j
					; KiCopyCountersWorker(x,x)+88j
		mov	eax, [ebx]
		mov	[ebp+var_28], eax
		mov	ecx, [ebx+4]
		mov	[ebp+var_24], ecx
		mov	edx, ecx
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		mov	esi, [ebp+var_1C]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+var_28]
		cmp	eax, ecx
		mov	ebx, esi
		jnz	short loc_991693
		mov	eax, [ebp+var_24]
		cmp	edx, eax
		jnz	short loc_991693
		or	[edi+18h], ecx
		or	[edi+1Ch], eax

loc_9916C2:				; CODE XREF: KiCopyCountersWorker(x,x)+52j
					; KiCopyCountersWorker(x,x)+5Fj
		mov	ecx, [ebx+20h]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_48], ecx
		mov	edx, [ebx+24h]
		mov	[ebp+var_2C], edx
		mov	[ebp+var_44], edx
		mov	eax, ecx
		or	eax, edx
		jz	loc_99176E
		xor	eax, eax
		inc	eax
		mov	[ebp+var_40], eax
		xor	esi, esi
		mov	[ebp+var_3C], esi
		xor	edx, edx
		mov	[ebp+var_20], edx

loc_9916EE:				; CODE XREF: KiCopyCountersWorker(x,x)+134j
		mov	[ebp+var_24], esi
		mov	[ebp+var_28], eax
		mov	ebx, _KiHwCountersCount
		mov	[ebp+var_34], ebx
		cmp	edx, ebx
		mov	ebx, [ebp+var_1C]
		jnb	short loc_991768
		and	ecx, eax
		mov	eax, [ebp+var_2C]
		and	eax, esi
		or	ecx, eax
		jz	short loc_991750
		imul	esi, edx, 18h
		mov	eax, _KiHwCounters[edx*4]
		mov	[esi+edi+44h], eax
		lea	eax, [edx+2]
		imul	eax, 18h
		mov	ecx, [eax+ebx]
		mov	edx, [eax+ebx+4]
		mov	eax, [ebp+var_20]
		add	eax, 3
		imul	eax, 18h
		mov	[eax+edi], ecx
		mov	[eax+edi+4], edx
		mov	eax, [esi+ebx+38h]
		mov	ecx, [esi+ebx+3Ch]
		mov	[esi+edi+50h], eax
		mov	[esi+edi+54h], ecx
		mov	edx, [ebp+var_20]
		mov	esi, [ebp+var_24]

loc_991750:				; CODE XREF: KiCopyCountersWorker(x,x)+DBj
		mov	eax, [ebp+var_28]
		shld	esi, eax, 1
		add	eax, eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], esi
		inc	edx
		mov	[ebp+var_20], edx
		mov	ecx, [ebp+var_30]
		jmp	short loc_9916EE
; 

loc_991768:				; CODE XREF: KiCopyCountersWorker(x,x)+D0j
		mov	eax, [ebp+var_34]
		mov	[edi+0Ch], eax

loc_99176E:				; CODE XREF: KiCopyCountersWorker(x,x)+A6j
		mov	ecx, [edi+10h]
		mov	eax, [edi+14h]
		add	ecx, 1
		adc	eax, 0
		mov	[edi+10h], ecx
		mov	[edi+14h], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_9917A6
; 

loc_99178B:				; DATA XREF: .text:006A86B4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_38], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_991799:				; DATA XREF: .text:006A86B8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_38]

loc_9917A6:				; CODE XREF: KiCopyCountersWorker(x,x)+157j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiCopyCountersWorker@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSpecialUserApcKernelRoutine(x, x,	x, x, x)
_KeSpecialUserApcKernelRoutine@20 proc near ; DATA XREF: KeInsertQueueApc+3Fo
					; KiInsertQueueApc:loc_446C81o	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		cmp	byte ptr [esi+2Dh], 0
		mov	edi, [esi+18h]
		jnz	short loc_991815
		mov	eax, [ebp+arg_4]
		mov	bl, [esi+1]
		mov	ecx, [eax]
		and	dword ptr [eax], 0
		mov	eax, [ebp+arg_8]
		push	dword ptr [eax]
		mov	eax, large fs:124h
		push	1
		push	ecx
		push	edi
		push	offset _KeSpecialUserApcKernelRoutine@20 ; KeSpecialUserApcKernelRoutine(x,x,x,x,x)
		push	0
		push	eax
		push	esi
		call	_KeInitializeApc@32 ; KeInitializeApc(x,x,x,x,x,x,x,x)
		test	bl, 1
		jz	short loc_9917FF
		or	byte ptr [esi+1], 1

loc_9917FF:				; CODE XREF: KeSpecialUserApcKernelRoutine(x,x,x,x,x)+43j
		mov	eax, [ebp+arg_10]
		push	0
		push	dword ptr [eax]
		mov	eax, [ebp+arg_C]
		push	dword ptr [eax]
		push	esi
		call	KeInsertQueueApc
		test	al, al
		jnz	short loc_991818

loc_991815:				; CODE XREF: KeSpecialUserApcKernelRoutine(x,x,x,x,x)+16j
		push	esi
		call	edi

loc_991818:				; CODE XREF: KeSpecialUserApcKernelRoutine(x,x,x,x,x)+5Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_KeSpecialUserApcKernelRoutine@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQuerySpeculationControlInformation(x, x, x)
_KeQuerySpeculationControlInformation@12 proc near ; CODE XREF:	PAGE:007802F9p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	2Ch
		push	offset dword_6A86E0
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], ecx
		cmp	eax, 4
		jnb	short loc_99184D
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 8
		mov	eax, 0C0000004h
		jmp	loc_99201D
; 

loc_99184D:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+17j
		push	8
		pop	esi
		cmp	eax, esi
		jnb	short loc_99185B
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		jmp	short loc_991860
; 

loc_99185B:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+31j
		mov	ecx, esi
		mov	[ebp+var_20], esi

loc_991860:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+38j
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		xor	edx, edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], edx
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		push	10h
		pop	edi
		and	ecx, edi
		mov	eax, edx
		or	eax, ecx
		jz	short loc_99188D
		xor	ebx, ebx
		inc	ebx
		mov	eax, ebx
		jmp	short loc_991892
; 

loc_99188D:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+63j
		mov	eax, edx
		xor	ebx, ebx
		inc	ebx

loc_991892:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+6Aj
		mov	[ebp+var_34], eax
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 4
		mov	eax, edx
		or	eax, ecx
		jz	short loc_9918B1
		push	2
		pop	ecx
		jmp	short loc_9918B3
; 

loc_9918B1:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+89j
		mov	ecx, edx

loc_9918B3:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+8Ej
		mov	eax, [ebp+var_34]
		and	eax, 0FFFFFFFDh
		or	eax, ecx
		mov	[ebp+var_34], eax
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, esi
		mov	eax, edx
		or	eax, ecx
		jz	short loc_9918D9
		push	4
		pop	ecx
		jmp	short loc_9918DB
; 

loc_9918D9:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+B1j
		mov	ecx, edx

loc_9918DB:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+B6j
		mov	eax, [ebp+var_34]
		and	eax, 0FFFFFFFBh
		or	eax, ecx
		mov	[ebp+var_34], eax
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		and	ecx, edi
		or	ecx, edx
		jnz	short loc_99190F
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		and	ecx, 40h
		or	ecx, edx
		jz	short loc_991912

loc_99190F:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+D7j
		or	[ebp+var_34], esi

loc_991912:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+ECj
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		and	ecx, 4
		or	ecx, edx
		jz	short loc_99192A
		or	[ebp+var_34], edi

loc_99192A:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+104j
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, edi
		mov	eax, edx
		or	eax, ecx
		jz	short loc_99195E
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 20h
		mov	eax, edx
		or	eax, ecx
		jz	short loc_99195E
		or	[ebp+var_34], 2000h

loc_99195E:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+11Dj
					; KeQuerySpeculationControlInformation(x,x,x)+134j
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		and	ecx, edi
		or	ecx, edx
		jz	short loc_991977
		push	20h
		pop	ecx
		jmp	short loc_991979
; 

loc_991977:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+14Fj
		mov	ecx, edx

loc_991979:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+154j
		mov	eax, [ebp+var_34]
		and	eax, 0FFFFFFDFh
		or	eax, ecx
		mov	[ebp+var_34], eax
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		and	ecx, 40h
		or	ecx, edx
		jz	short loc_99199E
		push	40h
		pop	ecx
		jmp	short loc_9919A0
; 

loc_99199E:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+176j
		mov	ecx, edx

loc_9919A0:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+17Bj
		mov	eax, [ebp+var_34]
		and	eax, 0FFFFFFBFh
		or	eax, ecx
		mov	[ebp+var_34], eax
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		and	ecx, 20h
		or	ecx, edx
		mov	ecx, 180h
		jnz	short loc_9919C8
		add	ecx, 0FFFFFF80h

loc_9919C8:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+1A2j
		mov	eax, [ebp+var_34]
		and	eax, 0FFFFFF7Fh
		or	eax, ecx
		mov	[ebp+var_34], eax
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		mov	esi, 80h
		and	ecx, esi
		or	ecx, edx
		mov	ecx, 200h
		jnz	short loc_9919F5
		mov	ecx, edx

loc_9919F5:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+1D0j
		mov	eax, [ebp+var_34]
		and	eax, 0FFFFFDFFh
		or	eax, ecx
		mov	[ebp+var_34], eax
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 40h
		mov	eax, edx
		or	eax, ecx
		mov	ecx, 400h
		jnz	short loc_991A20
		mov	ecx, edx

loc_991A20:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+1FBj
		mov	eax, [ebp+var_34]
		and	eax, 0FFFFFBFFh
		or	eax, ecx
		mov	[ebp+var_34], eax
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, esi
		mov	eax, edx
		or	eax, ecx
		mov	ecx, 800h
		jnz	short loc_991A4A
		mov	ecx, edx

loc_991A4A:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+225j
		mov	eax, [ebp+var_34]
		and	eax, 0FFFFF7FFh
		or	eax, ecx
		mov	[ebp+var_34], eax
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		and	ecx, 100h
		or	ecx, edx
		mov	ecx, edx
		jnz	short loc_991A76
		mov	ecx, 1000h

loc_991A76:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+24Ej
		mov	eax, [ebp+var_34]
		and	eax, 0FFFFEFFFh
		or	eax, ecx
		mov	[ebp+var_34], eax
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		and	ecx, ebx
		or	ecx, edx
		mov	eax, offset loc_810000
		jnz	short loc_991AA1
		mov	eax, 800000h

loc_991AA1:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+279j
		mov	ecx, [ebp+var_34]
		and	ecx, 0FFFEFFFFh
		or	ecx, eax
		mov	edi, ds:_KeFeatureBits2
		mov	esi, edi
		and	esi, 20h
		mov	eax, esi
		or	eax, edx
		mov	eax, 1000000h
		jnz	short loc_991AC4
		mov	eax, edx

loc_991AC4:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+29Fj
		and	ecx, 0FEFFFFFFh
		or	ecx, eax
		cmp	ds:_KiKvaShadow, dl
		jz	short loc_991AE2
		mov	eax, edi
		and	eax, 8
		or	eax, edx
		mov	eax, 26000000h
		jnz	short loc_991AE7

loc_991AE2:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+2B1j
		mov	eax, 24000000h

loc_991AE7:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+2BFj
		and	ecx, 0FDFFFFFFh
		or	ecx, eax
		mov	edx, edi
		and	edx, 8000h
		mov	eax, edx
		or	eax, 0
		jz	short loc_991B07
		cmp	ds:_KiDisableTsx, 0
		jnz	short loc_991B5D

loc_991B07:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+2DBj
		cmp	ds:_KiTsxSupported, 0
		jz	short loc_991B5D
		mov	eax, edi
		and	eax, 10000h
		or	eax, 0
		jnz	short loc_991B34
		mov	eax, edi
		and	eax, 8
		or	eax, 0
		jz	short loc_991B42
		or	esi, 0
		jnz	short loc_991B42
		call	_KeKvaShadowingActive@0	; KeKvaShadowingActive()
		test	eax, eax
		jz	short loc_991B42

loc_991B34:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+2F9j
		and	ecx, 0F7FFFFFFh
		or	ecx, 10000000h
		jmp	short loc_991B63
; 

loc_991B42:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+303j
					; KeQuerySpeculationControlInformation(x,x,x)+308j ...
		or	edx, 0
		jz	short loc_991B55
		and	ecx, 0EFFFFFFFh
		or	ecx, 8000000h
		jmp	short loc_991B63
; 

loc_991B55:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+324j
		and	ecx, 0E7FFFFFFh
		jmp	short loc_991B63
; 

loc_991B5D:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+2E4j
					; KeQuerySpeculationControlInformation(x,x,x)+2EDj
		or	ecx, 18000000h

loc_991B63:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+31Fj
					; KeQuerySpeculationControlInformation(x,x,x)+332j ...
		mov	eax, edi
		and	eax, 10000h
		or	eax, 0
		jnz	short loc_991B77
		cmp	ds:_KiTsxSupportedAtBoot, eax
		jnz	short loc_991B7C

loc_991B77:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+34Cj
		mov	eax, 40000000h

loc_991B7C:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+354j
		and	ecx, 0BFFFFFFFh
		or	ecx, eax
		mov	[ebp+var_34], ecx
		lea	ecx, [ebp+var_34]
		call	_HvlQueryL1tfMitigationInformation@4 ; HvlQueryL1tfMitigationInformation(x)
		mov	eax, edi
		and	eax, 80000h
		or	eax, 0
		jnz	short loc_991B9D
		xor	ebx, ebx

loc_991B9D:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+378j
		mov	esi, [ebp+var_30]
		and	esi, 0FFFFFFFEh
		or	esi, ebx
		mov	eax, edi
		and	eax, 100000h
		xor	ebx, ebx
		or	eax, ebx
		jz	short loc_991BB7
		push	2
		pop	eax
		jmp	short loc_991BB9
; 

loc_991BB7:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+38Fj
		mov	eax, ebx

loc_991BB9:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+394j
		and	esi, 0FFFFFFFDh
		or	esi, eax
		and	edi, 200000h
		or	edi, ebx
		jz	short loc_991BCD
		push	4
		pop	eax
		jmp	short loc_991BCF
; 

loc_991BCD:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+3A5j
		mov	eax, ebx

loc_991BCF:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+3AAj
		and	esi, 0FFFFFFFBh
		or	esi, eax
		cmp	ds:_KiKvaShadow, bl
		jz	short loc_991BEA
		call	_KiIsFbClearSupported@0	; KiIsFbClearSupported()
		test	eax, eax
		mov	eax, 418h
		jnz	short loc_991BEF

loc_991BEA:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+3B9j
		mov	eax, 410h

loc_991BEF:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+3C7j
		and	esi, 0FFFFFFF7h
		or	esi, eax
		mov	[ebp+var_30], esi
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		mov	edx, 8000h
		and	ecx, edx
		or	ecx, ebx
		jnz	short loc_991C24
		mov	ecx, [ebp+var_30]
		and	ecx, 0FFFFFEFFh
		or	ecx, 200h
		jmp	loc_991CC2
; 

loc_991C24:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+3EDj
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 4
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991CB3
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 20h
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991CB3
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 1000h
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991CB3
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 8
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991CA8
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 2000h
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991CA8
		mov	ecx, [ebp+var_30]
		or	ecx, 300h
		jmp	short loc_991CC2
; 

loc_991CA8:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+460j
					; KeQuerySpeculationControlInformation(x,x,x)+47Aj
		mov	ecx, [ebp+var_30]
		and	ecx, 0FFFFFCFFh
		jmp	short loc_991CC2
; 

loc_991CB3:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+418j
					; KeQuerySpeculationControlInformation(x,x,x)+42Fj ...
		mov	ecx, [ebp+var_30]
		and	ecx, 0FFFFFDFFh
		or	ecx, 100h

loc_991CC2:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+3FEj
					; KeQuerySpeculationControlInformation(x,x,x)+485j ...
		or	ecx, 800h
		mov	eax, ds:_KeFeatureBits2
		and	eax, 10h
		or	eax, ebx
		mov	eax, 21000h
		jnz	short loc_991CDE
		mov	eax, 20000h

loc_991CDE:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+4B6j
		and	ecx, 0FFFFEFFFh
		or	ecx, eax
		mov	[ebp+var_30], ecx
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		mov	edi, 200000h
		and	ecx, edi
		or	ecx, ebx
		jnz	short loc_991D14
		mov	eax, [ebp+var_30]
		and	eax, 0FFFBFFFFh
		or	eax, 80000h
		jmp	loc_991DAA
; 

loc_991D14:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+4DFj
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 4
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991D9D
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 20h
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991D9D
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, edx
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991D9D
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 8
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991D93
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 10000h
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991D93
		mov	eax, [ebp+var_30]
		or	eax, 0C0000h
		jmp	short loc_991DAA
; 

loc_991D93:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+54Cj
					; KeQuerySpeculationControlInformation(x,x,x)+566j
		mov	eax, [ebp+var_30]
		and	eax, 0FFF3FFFFh
		jmp	short loc_991DAA
; 

loc_991D9D:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+508j
					; KeQuerySpeculationControlInformation(x,x,x)+51Fj ...
		mov	eax, [ebp+var_30]
		and	eax, 0FFF7FFFFh
		or	eax, 40000h

loc_991DAA:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+4EEj
					; KeQuerySpeculationControlInformation(x,x,x)+570j ...
		or	eax, 100000h
		mov	[ebp+var_30], eax
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		mov	esi, 400000h
		and	ecx, esi
		or	ecx, ebx
		mov	eax, [ebp+var_30]
		jnz	short loc_991DD5
		and	eax, 0FFDFFFFFh
		jmp	short loc_991DD7
; 

loc_991DD5:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+5ABj
		or	eax, edi

loc_991DD7:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+5B2j
		or	eax, esi
		mov	[ebp+var_30], eax
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		mov	edx, 800000h
		and	ecx, edx
		or	ecx, ebx
		jnz	short loc_991E04
		mov	eax, [ebp+var_30]
		and	eax, 0FF7FFFFFh
		or	eax, 1000000h
		jmp	short loc_991E28
; 

loc_991E04:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+5D2j
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 20000h
		mov	eax, ebx
		or	eax, ecx
		jz	short loc_991E2D
		mov	eax, [ebp+var_30]
		and	eax, 0FEFFFFFFh
		or	eax, edx

loc_991E28:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+5E1j
		mov	[ebp+var_30], eax
		jmp	short loc_991E57
; 

loc_991E2D:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+5FBj
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 40000h
		mov	eax, ebx
		or	eax, ecx
		jz	short loc_991E50
		and	[ebp+var_30], 0FE7FFFFFh
		jmp	short loc_991E57
; 

loc_991E50:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+624j
		or	[ebp+var_30], 1800000h

loc_991E57:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+60Aj
					; KeQuerySpeculationControlInformation(x,x,x)+62Dj
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		and	ecx, 10000h
		or	ecx, ebx
		jz	loc_991F10
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 100000h
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991F0C
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 4
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991F0C
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, edi
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991F03
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 8
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991F03
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, esi
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991EFD
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, edx
		mov	eax, ebx
		or	eax, ecx
		jz	short loc_991F10

loc_991EFD:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+6C4j
		or	[ebp+var_30], 20h
		jmp	short loc_991F10
; 

loc_991F03:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+697j
					; KeQuerySpeculationControlInformation(x,x,x)+6AEj
		or	[ebp+var_30], 80h
		jmp	short loc_991F10
; 

loc_991F0C:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+66Aj
					; KeQuerySpeculationControlInformation(x,x,x)+681j
		or	[ebp+var_30], 40h

loc_991F10:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+64Cj
					; KeQuerySpeculationControlInformation(x,x,x)+6DAj ...
		mov	edx, 2000000h
		or	[ebp+var_30], edx
		mov	ecx, ds:_KiSpeculationFeatures
		mov	eax, ds:dword_70E764
		mov	[ebp+var_38], eax
		and	ecx, edx
		or	ecx, ebx
		jnz	short loc_991F3E
		mov	eax, [ebp+var_30]
		and	eax, 0FBFFFFFFh
		or	eax, 8000000h
		jmp	loc_991FD2
; 

loc_991F3E:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+709j
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 4
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991FC5
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 20h
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991FC5
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, edx
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991FC5
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 8
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991FBC
		mov	eax, ds:_KiSpeculationFeatures
		mov	[ebp+var_3C], eax
		mov	ecx, ds:dword_70E764
		and	ecx, 4000000h
		mov	eax, ebx
		or	eax, ecx
		jnz	short loc_991FBC
		or	[ebp+var_30], 0C000000h
		jmp	short loc_991FD5
; 

loc_991FBC:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+776j
					; KeQuerySpeculationControlInformation(x,x,x)+790j
		and	[ebp+var_30], 0F3FFFFFFh
		jmp	short loc_991FD5
; 

loc_991FC5:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+732j
					; KeQuerySpeculationControlInformation(x,x,x)+749j ...
		mov	eax, [ebp+var_30]
		and	eax, 0F7FFFFFFh
		or	eax, 4000000h

loc_991FD2:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+718j
		mov	[ebp+var_30], eax

loc_991FD5:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+799j
					; KeQuerySpeculationControlInformation(x,x,x)+7A2j
		mov	[ebp+ms_exc.disabled], ebx
		push	[ebp+var_24]	; size_t
		push	ebx		; int
		mov	esi, [ebp+var_28]
		push	esi		; void *
		call	_memset
		push	[ebp+var_20]	; size_t
		lea	eax, [ebp+var_34]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 18h
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_99201D
; 

loc_992000:				; DATA XREF: .text:006A86F4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_992010:				; DATA XREF: .text:006A86F8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_2C]

loc_99201D:				; CODE XREF: KeQuerySpeculationControlInformation(x,x,x)+27j
					; KeQuerySpeculationControlInformation(x,x,x)+7DDj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KeQuerySpeculationControlInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeQueryKvaShadowInformation(x, x, x)
_KeQueryKvaShadowInformation@12	proc near ; CODE XREF: PAGE:007802E0p

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	8
		push	offset dword_6A8720
		call	__SEH_prolog4
		mov	ebx, ecx
		push	4
		pop	ecx
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		cmp	edx, ecx
		jnb	short loc_992053
		mov	eax, 0C0000004h
		jmp	loc_992106
; 

loc_992053:				; CODE XREF: KeQueryKvaShadowInformation(x,x,x)+18j
		call	_KeQueryImplementedPhysicalBits@0 ; KeQueryImplementedPhysicalBits()
		mov	esi, eax
		test	esi, esi
		jg	short loc_992064
		xor	edi, edi
		mov	esi, edi
		jmp	short loc_992067
; 

loc_992064:				; CODE XREF: KeQueryKvaShadowInformation(x,x,x)+2Dj
		dec	esi
		xor	edi, edi

loc_992067:				; CODE XREF: KeQueryKvaShadowInformation(x,x,x)+33j
		mov	[ebp+ms_exc.disabled], edi
		xor	eax, eax
		cmp	ds:_KiKvaShadow, al
		setnz	al
		mov	ecx, [ebx]
		and	ecx, 0FFFFFFFEh
		or	ecx, eax
		mov	[ebx], ecx
		call	_KeKvaShadowingActive@0	; KeKvaShadowingActive()
		sub	eax, 2
		neg	eax
		sbb	edx, edx
		inc	edx
		add	edx, edx
		and	ecx, 0FFFFFFFDh
		or	edx, ecx
		mov	[ebx], edx
		and	edx, 0FFFFFFFBh
		mov	[ebx], edx
		and	edx, 0FFFFFFF7h
		mov	[ebx], edx
		movzx	eax, _KiKvaLeakage
		neg	eax
		sbb	eax, eax
		and	eax, 10h
		and	edx, 0FFFFFFEFh
		or	edx, eax
		mov	[ebx], edx
		or	edx, 20h
		mov	[ebx], edx
		or	edx, 2000h
		mov	[ebx], edx
		shl	esi, 6
		xor	esi, edx
		and	esi, 0FC0h
		xor	esi, edx
		mov	[ebx], esi
		mov	eax, ds:_KeFeatureBits2
		and	eax, 1
		or	eax, edi
		jz	short loc_9920E0
		mov	edi, 1000h

loc_9920E0:				; CODE XREF: KeQueryKvaShadowInformation(x,x,x)+AAj
		and	esi, 0FFFFEFFFh
		or	esi, edi
		mov	[ebx], esi
		and	esi, 3FFFh
		mov	[ebx], esi
		jmp	short loc_9920FD
; 

loc_9920F4:				; DATA XREF: .text:006A8734o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_9920FA:				; DATA XREF: .text:006A8738o
		mov	esp, [ebp+ms_exc.old_esp]

loc_9920FD:				; CODE XREF: KeQueryKvaShadowInformation(x,x,x)+C3j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax

loc_992106:				; CODE XREF: KeQueryKvaShadowInformation(x,x,x)+1Fj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KeQueryKvaShadowInformation@12	endp


;  S U B	R O U T	I N E 


; __stdcall NtUmsThreadYield(x)
_NtUmsThreadYield@4 proc near		; DATA XREF: .text:00580BF4o
		mov	eax, 0C00000BBh
		retn	4
_NtUmsThreadYield@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1336. KseQueryDeviceDataList

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseQueryDeviceDataList(x, x, x, x)
		public _KseQueryDeviceDataList@16
_KseQueryDeviceDataList@16 proc	near	; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+10Bp

var_28		= dword	ptr -28h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_28]
		and	[ebp+var_4], eax
		cmp	dword_6D4A78, 2
		push	9
		pop	ecx
		rep stosd
		jnz	loc_992224
		test	byte ptr _KseEngine, 2
		jnz	loc_992224
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_99221D
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jz	loc_99221D
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	ebx
		push	[ebp+arg_8]
		call	_KsepDbQueryRegistryDeviceDataList@16 ;	KsepDbQueryRegistryDeviceDataList(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	loc_992229
		call	KsepShimDbChanged
		test	eax, eax
		jz	short loc_992199
		call	_KseResetDeviceCache@0 ; KseResetDeviceCache()
		jmp	short loc_9921E4
; 

loc_992199:				; CODE XREF: KseQueryDeviceDataList(x,x,x,x)+6Bj
		push	edi
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, dword_6D4A9C
		call	_KsepCacheLock@4 ; KsepCacheLock(x)
		mov	ecx, dword_6D4A9C
		lea	edx, [ebp+var_28]
		call	_KsepCacheLookup@8 ; KsepCacheLookup(x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_9921D3
		mov	edx, [ebp+arg_4]
		mov	ecx, eax
		push	ebx
		push	[ebp+arg_8]
		call	_KsepDbCacheQueryDeviceDataList@16 ; KsepDbCacheQueryDeviceDataList(x,x,x,x)
		mov	esi, eax

loc_9921D3:				; CODE XREF: KseQueryDeviceDataList(x,x,x,x)+9Cj
		mov	ecx, dword_6D4A9C
		call	_KsepCacheUnlock@4 ; KsepCacheUnlock(x)
		cmp	[ebp+var_4], 0
		jnz	short loc_992229

loc_9921E4:				; CODE XREF: KseQueryDeviceDataList(x,x,x,x)+72j
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	KsepDbCacheReadDevice
		mov	esi, eax
		test	esi, esi
		js	short loc_992229
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		push	ebx
		push	[ebp+arg_8]
		call	_KsepDbCacheQueryDeviceDataList@16 ; KsepDbCacheQueryDeviceDataList(x,x,x,x)
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		mov	esi, eax
		call	KsepDbCacheInsertDevice
		test	eax, eax
		jns	short loc_992229
		push	[ebp+var_4]
		call	_KsepCacheDeviceFree@4 ; KsepCacheDeviceFree(x)
		jmp	short loc_992229
; 

loc_99221D:				; CODE XREF: KseQueryDeviceDataList(x,x,x,x)+37j
					; KseQueryDeviceDataList(x,x,x,x)+42j
		mov	esi, 0C000000Dh
		jmp	short loc_992229
; 

loc_992224:				; CODE XREF: KseQueryDeviceDataList(x,x,x,x)+1Fj
					; KseQueryDeviceDataList(x,x,x,x)+2Cj
		mov	esi, 0C0000225h

loc_992229:				; CODE XREF: KseQueryDeviceDataList(x,x,x,x)+5Ej
					; KseQueryDeviceDataList(x,x,x,x)+BDj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_KseQueryDeviceDataList@16 endp


;  S U B	R O U T	I N E 


; __stdcall KseResetDeviceCache()
_KseResetDeviceCache@0 proc near	; CODE XREF: KseQueryDeviceData:loc_8E456Cp
					; KseQueryDeviceDataList(x,x,x,x)+6Dp
		cmp	dword_6D4A78, 2
		push	esi
		jnz	short loc_99228F
		mov	eax, large fs:124h
		mov	ecx, dword_6D4A9C
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, dword_6D4A9C
		call	_KsepCacheReset@4 ; KsepCacheReset(x)
		mov	esi, dword_6D4A9C
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_99227C
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_99227C:				; CODE XREF: KseResetDeviceCache()+41j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_99228F:				; CODE XREF: KseResetDeviceCache()+8j
		xor	eax, eax
		pop	esi
		retn
_KseResetDeviceCache@0 endp

; 
		align 8
; Exported entry 1340. KseSetDeviceFlags

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseSetDeviceFlags(x, x, x, x)
		public _KseSetDeviceFlags@16
_KseSetDeviceFlags@16 proc near

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		xor	eax, eax
		push	edi
		xor	edi, edi
		mov	[esp+20h+var_10], eax
		cmp	dword_6D4A78, 2
		mov	[esp+20h+var_C], edi
		mov	[esp+20h+var_14], edi
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_4], edi
		jnz	loc_992399
		test	byte ptr _KseEngine, 2
		jnz	loc_992399
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	loc_992392
		cmp	[ebp+arg_4], eax
		jz	loc_992392
		push	ecx
		push	ecx
		lea	ecx, [esp+28h+var_10]
		call	KsepStringTransform
		mov	esi, eax
		test	esi, esi
		js	loc_99239E
		mov	edx, [esp+20h+var_C]
		lea	eax, [esp+20h+var_14]
		mov	ebx, offset ??_C@_1JA@BMMOANL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax
		mov	ecx, ebx
		call	_KsepRegistryCreateKey@12 ; KsepRegistryCreateKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_992366
		lea	eax, [esp+20h+var_14]
		mov	edx, offset ??_C@_1O@HAMLNBEA@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@NNGAKEGL@ ; "Device"
		push	eax
		mov	ecx, offset ??_C@_1IC@OOOCOOLB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		call	_KsepRegistryCreateKey@12 ; KsepRegistryCreateKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_99239E
		cmp	[esp+20h+var_14], edi
		jz	short loc_992350
		push	[esp+20h+var_14]
		call	_ZwClose@4	; ZwClose(x)
		lock inc dword_6C6FBC

loc_992350:				; CODE XREF: KseSetDeviceFlags(x,x,x,x)+A6j
		mov	edx, [esp+20h+var_C]
		lea	eax, [esp+20h+var_14]
		push	eax
		mov	ecx, ebx
		mov	[esp+24h+var_14], edi
		call	_KsepRegistryCreateKey@12 ; KsepRegistryCreateKey(x,x,x)
		mov	esi, eax

loc_992366:				; CODE XREF: KseSetDeviceFlags(x,x,x,x)+86j
		test	esi, esi
		js	short loc_99239E
		push	[ebp+arg_4]
		lea	eax, [esp+24h+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		lea	eax, [ebp+arg_8]
		push	eax
		push	0Bh
		push	edi
		lea	eax, [esp+30h+var_8]
		push	eax
		push	[esp+34h+var_14]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_99239E
; 

loc_992392:				; CODE XREF: KseSetDeviceFlags(x,x,x,x)+45j
					; KseSetDeviceFlags(x,x,x,x)+4Ej
		mov	esi, 0C000000Dh
		jmp	short loc_99239E
; 

loc_992399:				; CODE XREF: KseSetDeviceFlags(x,x,x,x)+2Dj
					; KseSetDeviceFlags(x,x,x,x)+3Aj
		mov	esi, 0C0000001h

loc_99239E:				; CODE XREF: KseSetDeviceFlags(x,x,x,x)+63j
					; KseSetDeviceFlags(x,x,x,x)+A0j ...
		lea	ecx, [esp+20h+var_10]
		call	KsepStringFree
		cmp	[esp+20h+var_14], edi
		jz	short loc_9923BD
		push	[esp+20h+var_14]
		call	_ZwClose@4	; ZwClose(x)
		lock inc dword_6C6FBC

loc_9923BD:				; CODE XREF: KseSetDeviceFlags(x,x,x,x)+113j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_KseSetDeviceFlags@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDbCacheQueryDeviceDataList(x, x, x, x)
_KsepDbCacheQueryDeviceDataList@16 proc	near
					; CODE XREF: KseQueryDeviceDataList(x,x,x,x)+A7p
					; KseQueryDeviceDataList(x,x,x,x)+D9p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	edi, [ecx+1Ch]
		mov	[ebp+var_4], edx
		mov	esi, [edi]
		xor	ebx, ebx
		mov	edx, ebx
		mov	ecx, esi
		jmp	short loc_9923EA
; 

loc_9923E2:				; CODE XREF: KsepDbCacheQueryDeviceDataList(x,x,x,x)+24j
		movzx	eax, word ptr [ecx+0Ah]
		mov	ecx, [ecx]
		add	edx, eax

loc_9923EA:				; CODE XREF: KsepDbCacheQueryDeviceDataList(x,x,x,x)+18j
		cmp	ecx, edi
		jnz	short loc_9923E2
		lea	eax, [edx+2]
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+arg_0]
		jbe	short loc_992400
		mov	ebx, 0C0000023h
		jmp	short loc_992429
; 

loc_992400:				; CODE XREF: KsepDbCacheQueryDeviceDataList(x,x,x,x)+2Fj
		cmp	esi, edi
		jz	short loc_992429
		mov	ebx, [ebp+var_4]

loc_992407:				; CODE XREF: KsepDbCacheQueryDeviceDataList(x,x,x,x)+5Aj
		movzx	eax, word ptr [esi+0Ah]
		push	eax		; size_t
		push	dword ptr [esi+0Ch] ; void *
		push	ebx		; void *
		call	_memcpy
		movzx	eax, word ptr [esi+0Ah]
		add	esp, 0Ch
		mov	esi, [esi]
		add	ebx, eax
		cmp	esi, edi
		jnz	short loc_992407
		mov	eax, [ebp+var_8]
		xor	ebx, ebx

loc_992429:				; CODE XREF: KsepDbCacheQueryDeviceDataList(x,x,x,x)+36j
					; KsepDbCacheQueryDeviceDataList(x,x,x,x)+3Aj
		mov	ecx, [ebp+arg_4]
		pop	edi
		pop	esi
		mov	[ecx], eax
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_KsepDbCacheQueryDeviceDataList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDbGetShimInfo(x, x)
_KsepDbGetShimInfo@8 proc near		; CODE XREF: KsepEngineGetShimsFromRegistry+AF4DDp

var_60		= dword	ptr -60h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_30], ecx
		lea	edi, [ebp+var_24]
		mov	[ebp+var_2C], edx
		stosd
		xor	ecx, ecx
		mov	[ebp+var_38], ecx
		mov	esi, ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_44], ecx
		lea	ecx, [ebp+var_44]
		stosd
		stosd
		stosd
		call	KseShimDatabaseOpen
		mov	edi, [ebp+var_2C]
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9925C8
		imul	ecx, edi, 34h
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		and	[ebp+var_48], 0
		mov	esi, eax
		mov	eax, [ebp+var_44]
		mov	ebx, 0C0000225h
		mov	[ebp+var_28], esi
		mov	eax, [eax]
		mov	[ebp+var_40], eax
		test	edi, edi
		jz	loc_9925E8
		mov	ecx, [ebp+var_30]
		add	esi, 28h
		add	ecx, 14h
		mov	[ebp+var_3C], esi
		mov	[ebp+var_4C], ecx

loc_9924B2:				; CODE XREF: KsepDbGetShimInfo(x,x)+181j
		mov	edx, [ecx]
		mov	ecx, eax
		call	_SdbGetKShimTagRef@8 ; SdbGetKShimTagRef(x,x)
		test	eax, eax
		jz	loc_9925C5
		lea	ecx, [ebp+var_38]
		mov	edx, eax
		push	ecx
		lea	ecx, [ebp+var_34]
		push	ecx
		mov	ecx, [ebp+var_40]
		call	SdbTagRefToTagID
		test	eax, eax
		jz	loc_99259B
		mov	edx, [ebp+var_38]
		mov	ecx, [ebp+var_34]
		push	9010h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_9925C5
		sub	esp, 10h	; int
		lea	esi, [ebp+var_24]
		mov	edi, esp
		lea	ecx, [ebp+var_60]
		mov	edx, eax
		push	ecx		; void *
		mov	ecx, [ebp+var_34]
		movsd
		movsd
		movsd
		movsd
		call	_SdbReadGUIDTag@24 ; SdbReadGUIDTag(x,x,x,x,x,x)
		mov	esi, eax
		lea	edi, [ebp+var_14]
		push	10h		; size_t
		lea	eax, [ebp+var_24]
		push	eax		; void *
		movsd
		lea	eax, [ebp+var_14]
		push	eax		; void *
		movsd
		movsd
		movsd
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_9925C2
		mov	edi, [ebp+var_3C]
		lea	esi, [ebp+var_14]
		mov	edx, [ebp+var_38]
		add	edi, 0FFFFFFD8h
		push	6003h
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_34]
		mov	ecx, esi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_9925C2
		mov	edx, eax
		mov	ecx, esi
		call	SdbGetStringTagPtr
		mov	edx, eax
		test	edx, edx
		jz	short loc_9925BD
		mov	ecx, [ebp+var_3C]
		lea	ecx, [ecx-10h]
		call	KsepStringDuplicate
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9925C2
		mov	edx, [ebp+var_38]
		mov	ecx, esi
		push	4017h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_9925C2
		push	0
		mov	edx, eax
		mov	ecx, esi
		call	SdbReadDWORDTag
		mov	esi, [ebp+var_3C]
		mov	edi, [ebp+var_2C]
		mov	[esi], eax

loc_99259B:				; CODE XREF: KsepDbGetShimInfo(x,x)+A0j
		mov	eax, [ebp+var_48]
		add	esi, 34h
		mov	ecx, [ebp+var_4C]
		inc	eax
		add	ecx, 34h
		mov	[ebp+var_48], eax
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_3C], esi
		cmp	eax, edi
		jnb	short loc_9925E5
		mov	eax, [ebp+var_40]
		jmp	loc_9924B2
; 

loc_9925BD:				; CODE XREF: KsepDbGetShimInfo(x,x)+12Bj
		mov	ebx, 0C000000Dh

loc_9925C2:				; CODE XREF: KsepDbGetShimInfo(x,x)+F5j
					; KsepDbGetShimInfo(x,x)+11Cj ...
		mov	edi, [ebp+var_2C]

loc_9925C5:				; CODE XREF: KsepDbGetShimInfo(x,x)+86j
					; KsepDbGetShimInfo(x,x)+B8j
		mov	esi, [ebp+var_28]

loc_9925C8:				; CODE XREF: KsepDbGetShimInfo(x,x)+40j
					; KsepDbGetShimInfo(x,x)+1B8j
		mov	eax, [ebp+var_44]
		test	eax, eax
		jz	short loc_9925D6
		mov	ecx, eax
		call	KseShimDatabaseClose

loc_9925D6:				; CODE XREF: KsepDbGetShimInfo(x,x)+196j
		mov	ecx, esi
		test	ebx, ebx
		jns	short loc_99262B
		mov	edx, edi
		call	KsepDbFreeDriverShims
		jmp	short loc_992630
; 

loc_9925E5:				; CODE XREF: KsepDbGetShimInfo(x,x)+17Cj
		mov	esi, [ebp+var_28]

loc_9925E8:				; CODE XREF: KsepDbGetShimInfo(x,x)+66j
		xor	ebx, ebx
		mov	[ebp+var_40], ebx
		test	edi, edi
		jz	short loc_9925C8
		mov	eax, [ebp+var_30]
		mov	ebx, esi
		mov	ecx, esi
		mov	[ebp+var_30], edi
		sub	ebx, eax
		lea	edx, [eax+28h]

loc_992600:				; CODE XREF: KsepDbGetShimInfo(x,x)+1EDj
		mov	eax, [ebx+edx]
		lea	edi, [edx-28h]
		mov	[edx], eax
		mov	esi, ecx
		mov	eax, [ecx+18h]
		lea	edx, [edx+34h]
		mov	[edx-44h], eax
		mov	eax, [ecx+1Ch]
		add	ecx, 34h
		sub	[ebp+var_30], 1
		mov	[edx-40h], eax
		movsd
		movsd
		movsd
		movsd
		jnz	short loc_992600
		mov	ebx, [ebp+var_40]
		jmp	short loc_9925C2
; 

loc_99262B:				; CODE XREF: KsepDbGetShimInfo(x,x)+1A3j
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)

loc_992630:				; CODE XREF: KsepDbGetShimInfo(x,x)+1ACj
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KsepDbGetShimInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDbQueryRegistryDeviceDataList(x, x, x, x)
_KsepDbQueryRegistryDeviceDataList@16 proc near
					; CODE XREF: KseQueryDeviceDataList(x,x,x,x)+51p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_18], edx
		push	ecx
		xor	eax, eax
		mov	[ebp+var_1C], edi
		push	ecx
		mov	edx, ecx
		mov	[ebp+var_20], eax
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_4], edi
		call	KsepStringTransform
		mov	esi, eax
		test	esi, esi
		js	loc_992770
		mov	edx, [ebp+var_1C] ; void *
		lea	eax, [ebp+var_10]
		push	eax		; int
		mov	ecx, offset ??_C@_1JA@BMMOANL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ;	int
		call	KsepRegistryOpenKey
		mov	ebx, [ebp+var_10]
		test	eax, eax
		jns	short loc_99269D
		mov	esi, 0C0000225h
		jmp	loc_99275F
; 

loc_99269D:				; CODE XREF: KsepDbQueryRegistryDeviceDataList(x,x,x,x)+50j
		lea	eax, [ebp+var_C]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_8]
		call	_KsepRegistryQueryKeyInformation@12 ; KsepRegistryQueryKeyInformation(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_99275F
		mov	ecx, [ebp+var_8]
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		jnz	short loc_9926D0
		mov	esi, 0C0000017h
		jmp	loc_99275F
; 

loc_9926D0:				; CODE XREF: KsepDbQueryRegistryDeviceDataList(x,x,x,x)+83j
		mov	ecx, [ebp+var_C]
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		test	eax, eax
		jnz	short loc_9926E3
		mov	esi, 0C0000017h
		jmp	short loc_992757
; 

loc_9926E3:				; CODE XREF: KsepDbQueryRegistryDeviceDataList(x,x,x,x)+99j
		mov	eax, [ebp+var_18]
		mov	[ebp+var_C], eax
		xor	eax, eax

loc_9926EB:				; CODE XREF: KsepDbQueryRegistryDeviceDataList(x,x,x,x)+F3j
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_14], eax
		push	ecx		; int
		push	esi		; void *
		push	[ebp+var_8]	; int
		mov	edx, eax
		mov	ecx, ebx
		call	_KsepRegistryEnumValue@20 ; KsepRegistryEnumValue(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	short loc_992736
		test	esi, esi
		js	short loc_992757
		add	edi, [ebp+var_4]
		mov	esi, [ebp+var_10]
		cmp	edi, [ebp+arg_0]
		ja	short loc_992730
		push	[ebp+var_4]	; size_t
		push	esi		; void *
		push	[ebp+var_C]	; void *
		call	_memcpy
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		add	eax, [ebp+var_4]
		mov	[ebp+var_C], eax

loc_992730:				; CODE XREF: KsepDbQueryRegistryDeviceDataList(x,x,x,x)+D5j
		mov	eax, [ebp+var_14]
		inc	eax
		jmp	short loc_9926EB
; 

loc_992736:				; CODE XREF: KsepDbQueryRegistryDeviceDataList(x,x,x,x)+C6j
		mov	eax, [ebp+arg_4]
		lea	ecx, [edi+2]
		mov	[eax], ecx
		cmp	ecx, [ebp+arg_0]
		jbe	short loc_99274A
		mov	esi, 0C0000023h
		jmp	short loc_992757
; 

loc_99274A:				; CODE XREF: KsepDbQueryRegistryDeviceDataList(x,x,x,x)+100j
		mov	eax, [ebp+var_18]
		xor	ecx, ecx
		shr	edi, 1
		xor	esi, esi
		mov	[eax+edi*2], cx

loc_992757:				; CODE XREF: KsepDbQueryRegistryDeviceDataList(x,x,x,x)+A0j
					; KsepDbQueryRegistryDeviceDataList(x,x,x,x)+CAj ...
		mov	ecx, [ebp+var_10]
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)

loc_99275F:				; CODE XREF: KsepDbQueryRegistryDeviceDataList(x,x,x,x)+57j
					; KsepDbQueryRegistryDeviceDataList(x,x,x,x)+6Ej ...
		test	ebx, ebx
		jz	short loc_992770
		push	ebx
		call	_ZwClose@4	; ZwClose(x)
		lock inc dword_6C6FBC

loc_992770:				; CODE XREF: KsepDbQueryRegistryDeviceDataList(x,x,x,x)+34j
					; KsepDbQueryRegistryDeviceDataList(x,x,x,x)+120j
		lea	ecx, [ebp+var_20]
		call	KsepStringFree
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_KsepDbQueryRegistryDeviceDataList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDbReadKData(x, x, x)
_KsepDbReadKData@12 proc near		; CODE XREF: KsepDbCacheReadDeviceInternal+6A4FEp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		mov	edi, 0C0000001h
		test	esi, esi
		jz	loc_99290C
		push	6001h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_99290C
		mov	edx, eax
		mov	ecx, ebx
		call	SdbGetStringTagPtr
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_99290C
		push	4018h
		mov	edx, esi
		mov	ecx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_99290C
		xor	ecx, ecx
		mov	edx, eax
		push	ecx
		mov	ecx, ebx
		call	SdbReadDWORDTag
		cmp	eax, 1
		jnz	short loc_992844
		push	601Eh
		mov	edx, esi
		mov	ecx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	edx, eax
		mov	ecx, ebx
		call	SdbGetStringTagPtr
		mov	esi, eax
		test	esi, esi
		jz	loc_99290C
		mov	edx, [ebp+arg_0]
		xor	ebx, ebx
		mov	ecx, [ebp+var_4]
		mov	[edx], ecx
		mov	ecx, esi
		mov	dword ptr [edx+4], 1
		lea	edi, [ecx+2]

loc_992821:				; CODE XREF: KsepDbReadKData(x,x,x)+A9j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_992821
		sub	ecx, edi
		mov	[edx+0Ch], esi
		sar	ecx, 1
		mov	edi, ebx
		lea	eax, ds:2[ecx*2]
		mov	[edx+8], eax
		jmp	loc_99290C
; 

loc_992844:				; CODE XREF: KsepDbReadKData(x,x,x)+67j
		cmp	eax, 4
		jnz	short loc_992878
		push	4019h
		mov	edx, esi
		mov	ecx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	edi, [ebp+arg_0]
		mov	edx, eax
		mov	ecx, [ebp+var_4]
		push	4
		mov	[edi], ecx
		lea	esi, [edi+10h]
		pop	ecx
		mov	[edi+4], ecx
		mov	[edi+8], ecx
		mov	ecx, ebx
		push	0
		call	SdbReadDWORDTag
		jmp	short loc_9928B4
; 

loc_992878:				; CODE XREF: KsepDbReadKData(x,x,x)+C6j
		cmp	eax, 0Bh
		jnz	short loc_9928BB
		push	5007h
		mov	edx, esi
		mov	ecx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	edi, [ebp+arg_0]
		mov	edx, eax
		mov	ecx, [ebp+var_4]
		mov	[edi], ecx
		lea	esi, [edi+18h]
		xor	ecx, ecx
		mov	dword ptr [edi+4], 0Bh
		push	ecx
		push	ecx
		mov	ecx, ebx
		mov	dword ptr [edi+8], 8
		call	SdbReadQWORDTag
		mov	[esi+4], edx

loc_9928B4:				; CODE XREF: KsepDbReadKData(x,x,x)+F5j
		mov	[esi], eax
		mov	[edi+0Ch], esi
		jmp	short loc_992903
; 

loc_9928BB:				; CODE XREF: KsepDbReadKData(x,x,x)+FAj
		cmp	eax, 3
		jnz	short loc_992907
		push	9005h
		mov	edx, esi
		mov	ecx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_8], eax
		mov	ecx, ebx
		call	SdbpGetMappedTagData
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_99290C
		mov	esi, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]
		mov	[esi], ecx
		mov	ecx, ebx
		mov	dword ptr [esi+4], 3
		call	SdbGetTagDataSize
		mov	[esi+8], eax
		mov	eax, [ebp+var_C]
		mov	[esi+0Ch], eax

loc_992903:				; CODE XREF: KsepDbReadKData(x,x,x)+138j
		xor	edi, edi
		jmp	short loc_99290C
; 

loc_992907:				; CODE XREF: KsepDbReadKData(x,x,x)+13Dj
		mov	edi, 0C000000Dh

loc_99290C:				; CODE XREF: KsepDbReadKData(x,x,x)+16j
					; KsepDbReadKData(x,x,x)+28j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KsepDbReadKData@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1341. KseUnregisterShim

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseUnregisterShim(x, x, x)
		public _KseUnregisterShim@12
_KseUnregisterShim@12 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		test	edi, edi
		jnz	short loc_992938
		mov	eax, 0C000000Dh
		jmp	loc_992B18
; 

loc_992938:				; CODE XREF: KseUnregisterShim(x,x,x)+12j
		push	2
		pop	eax
		cmp	dword_6D4A78, eax
		jz	short loc_99294D
		mov	eax, 0C0000001h
		jmp	loc_992B18
; 

loc_99294D:				; CODE XREF: KseUnregisterShim(x,x,x)+27j
		mov	eax, large fs:124h
		push	esi
		mov	esi, ebx
		mov	[ebp+arg_0], esi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D4A90
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [edi+4]	; void *
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	ecx		; int
		mov	ecx, offset _KseEngine ; int
		call	KsepIsShimRegistered
		test	eax, eax
		jz	loc_992A79
		mov	esi, [ebp+var_4]
		cmp	[esi+0Ch], ebx
		jz	short loc_992A01
		xor	eax, eax
		mov	ebx, 0C0000022h
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	2
		push	2
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 17Dh
		mov	dword_6C7024[eax*8], ebx
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_9929E0
		mov	eax, [edi+4]
		push	esi
		push	dword ptr [eax]	; char
		push	offset ??_C@_0FE@PGGAJCKD@KSE?3?5Ending?5shim?5?$FL0x?$CF08X?$FN?5unreg@NNGAKEGL@ ; "KSE: Ending shim [0x%08X] unregistratio"...
		push	3		; int
		call	_KsepDebugPrint
		add	esp, 10h

loc_9929E0:				; CODE XREF: KseUnregisterShim(x,x,x)+AFj
		mov	eax, [edi+4]
		push	esi
		push	dword ptr [eax]	; char
		push	offset ??_C@_0FE@PGGAJCKD@KSE?3?5Ending?5shim?5?$FL0x?$CF08X?$FN?5unreg@NNGAKEGL@ ; "KSE: Ending shim [0x%08X] unregistratio"...
		push	3		; int
		call	_KsepLogError
		add	esp, 10h
		or	dword ptr [esi+10h], 4
		mov	esi, [ebp+arg_0]
		jmp	loc_992ADD
; 

loc_992A01:				; CODE XREF: KseUnregisterShim(x,x,x)+73j
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_992A74
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_992A74
		xor	esi, esi
		mov	[ecx], eax
		inc	esi
		mov	[eax+4], ecx
		mov	eax, esi
		lock xadd _KsepHistoryMessagesIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	1
		push	2
		pop	ecx
		mov	word_6C7242[eax*8], cx
		mov	ecx, 18Eh
		mov	dword_6C7244[eax*8], ebx
		mov	_KsepHistoryMessages[eax*8], cx
		jz	short loc_992A61
		mov	eax, [edi+4]
		push	dword ptr [eax]	; char
		push	offset ??_C@_0CO@KLNFPNOL@KSE?3?5Succeeded?5shim?5?$FL0x?$CF08X?$FN?5un@NNGAKEGL@ ; char *
		push	3		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_992A61:				; CODE XREF: KseUnregisterShim(x,x,x)+131j
		mov	eax, [edi+4]
		push	dword ptr [eax]
		push	offset ??_C@_0CO@KLNFPNOL@KSE?3?5Succeeded?5shim?5?$FL0x?$CF08X?$FN?5un@NNGAKEGL@
		push	3
		call	_KsepLogInfo
		jmp	short loc_992ADA
; 

loc_992A74:				; CODE XREF: KseUnregisterShim(x,x,x)+ECj
					; KseUnregisterShim(x,x,x)+F3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_992A79:				; CODE XREF: KseUnregisterShim(x,x,x)+67j
		xor	eax, eax
		mov	ebx, 0C0000034h
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	2
		push	2
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 19Ah
		mov	dword_6C7024[eax*8], ebx
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_992AC9
		mov	eax, [edi+4]
		push	dword ptr [eax]	; char
		push	offset ??_C@_0DL@CKPAJMKP@KSE?3?5Failed?5shim?5?$FL0x?$CF08X?$FN?5unreg@NNGAKEGL@ ; char *
		push	3		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_992AC9:				; CODE XREF: KseUnregisterShim(x,x,x)+199j
		mov	eax, [edi+4]
		push	dword ptr [eax]	; char
		push	offset ??_C@_0DL@CKPAJMKP@KSE?3?5Failed?5shim?5?$FL0x?$CF08X?$FN?5unreg@NNGAKEGL@ ; char *
		push	3		; int
		call	_KsepLogError

loc_992ADA:				; CODE XREF: KseUnregisterShim(x,x,x)+158j
		add	esp, 0Ch

loc_992ADD:				; CODE XREF: KseUnregisterShim(x,x,x)+E2j
		or	eax, 0FFFFFFFFh
		mov	edi, offset unk_6D4A90
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_992AF6
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_992AF6:				; CODE XREF: KseUnregisterShim(x,x,x)+1D3j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		pop	esi
		jz	short loc_992B16
		mov	ecx, [ebp+var_4]
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)

loc_992B16:				; CODE XREF: KseUnregisterShim(x,x,x)+1F2j
		mov	eax, ebx

loc_992B18:				; CODE XREF: KseUnregisterShim(x,x,x)+19j
					; KseUnregisterShim(x,x,x)+2Ej
		pop	edi
		pop	ebx
		leave
		retn	0Ch
_KseUnregisterShim@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepResolveShimHooks(x, x)
_KsepResolveShimHooks@8	proc near	; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+2E4p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		mov	[ebp+var_10], ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jz	loc_992BEC
		test	edi, edi
		jz	loc_992BEC
		mov	[ebp+var_8], edi

loc_992B45:				; CODE XREF: KsepResolveShimHooks(x,x)+BEj
		mov	eax, [edi]
		cmp	eax, 4
		jz	loc_992BE8
		sub	eax, 0
		jz	short loc_992B8F
		sub	eax, 1
		jz	short loc_992B87
		sub	eax, 1
		jz	short loc_992B6C
		sub	eax, 1
		jnz	loc_992BEC
		xor	esi, esi
		jmp	short loc_992B92
; 

loc_992B6C:				; CODE XREF: KsepResolveShimHooks(x,x)+3Fj
		push	ecx
		lea	eax, [ebp+var_4]
		mov	edx, ecx
		mov	ecx, [edi+4]
		push	eax
		call	_KsepGetModuleInfoByName@16 ; KsepGetModuleInfoByName(x,x,x,x)
		test	eax, eax
		js	short loc_992BF1
		mov	esi, [ebp+var_4]
		mov	edx, [ebp+var_8]
		jmp	short loc_992B95
; 

loc_992B87:				; CODE XREF: KsepResolveShimHooks(x,x)+3Aj
		mov	esi, [ecx+128h]
		jmp	short loc_992B92
; 

loc_992B8F:				; CODE XREF: KsepResolveShimHooks(x,x)+35j
		mov	esi, [ecx+0Ch]

loc_992B92:				; CODE XREF: KsepResolveShimHooks(x,x)+4Cj
					; KsepResolveShimHooks(x,x)+6Fj
		mov	[ebp+var_4], esi

loc_992B95:				; CODE XREF: KsepResolveShimHooks(x,x)+67j
		mov	ebx, [edi+8]
		test	ebx, ebx
		jz	short loc_992BCF
		xor	eax, eax
		mov	[ebp+var_C], eax

loc_992BA1:				; CODE XREF: KsepResolveShimHooks(x,x)+ACj
		mov	ecx, [ebx]
		cmp	ecx, 2
		jz	short loc_992BCC
		test	ecx, ecx
		jnz	short loc_992BBF
		push	dword ptr [ebx+4]
		push	esi
		call	_RtlFindExportedRoutineByName@8	; RtlFindExportedRoutineByName(x,x)
		test	eax, eax
		jz	short loc_992BE1
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_C]

loc_992BBF:				; CODE XREF: KsepResolveShimHooks(x,x)+8Cj
		mov	ebx, [edi+8]
		add	eax, 10h
		mov	[ebp+var_C], eax
		add	ebx, eax
		jnz	short loc_992BA1

loc_992BCC:				; CODE XREF: KsepResolveShimHooks(x,x)+88j
		mov	edx, [ebp+var_8]

loc_992BCF:				; CODE XREF: KsepResolveShimHooks(x,x)+7Cj
		add	edx, 0Ch
		mov	[ebp+var_8], edx
		mov	edi, edx
		jz	short loc_992BE8
		mov	ecx, [ebp+var_10]
		jmp	loc_992B45
; 

loc_992BE1:				; CODE XREF: KsepResolveShimHooks(x,x)+99j
		mov	eax, 0C0000001h
		jmp	short loc_992BF1
; 

loc_992BE8:				; CODE XREF: KsepResolveShimHooks(x,x)+2Cj
					; KsepResolveShimHooks(x,x)+B9j
		xor	eax, eax
		jmp	short loc_992BF1
; 

loc_992BEC:				; CODE XREF: KsepResolveShimHooks(x,x)+16j
					; KsepResolveShimHooks(x,x)+1Ej ...
		mov	eax, 0C000000Dh

loc_992BF1:				; CODE XREF: KsepResolveShimHooks(x,x)+5Fj
					; KsepResolveShimHooks(x,x)+C8j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KsepResolveShimHooks@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepApplyShimsToDriver(x, x, x, x)
_KsepApplyShimsToDriver@16 proc	near	; CODE XREF: KseDriverLoadImage(x)+A4p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	[ebp+var_4], ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jz	loc_992E36
		test	edi, edi
		jz	loc_992E36
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	loc_992E36
		xor	esi, esi
		xor	edx, edx
		inc	esi
		mov	[ebp+var_8], edx
		push	7
		pop	eax
		cmp	[ebp+arg_4], edx
		jbe	loc_992D20
		add	ebx, 30h
		mov	[ebp+arg_0], ebx

loc_992C3B:				; CODE XREF: KsepApplyShimsToDriver(x,x,x,x)+121j
		mov	eax, [ebx]
		test	byte ptr [eax+10h], 4
		jnz	loc_992D0A
		mov	eax, [eax+8]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_992C70
		push	dword ptr [ecx+40h]
		push	dword ptr [ecx+58h]
		push	dword ptr [ecx+20h]
		push	dword ptr [ecx+18h]
		push	edi
		call	eax
		mov	ebx, eax
		test	ebx, ebx
		js	loc_992D7C
		mov	ebx, [ebp+arg_0]
		mov	ecx, [ebp+var_4]

loc_992C70:				; CODE XREF: KsepApplyShimsToDriver(x,x,x,x)+59j
		mov	edx, [ebx]
		mov	edx, [edx+8]
		call	_KsepPatchDriverImportsTable@8 ; KsepPatchDriverImportsTable(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_992DDA
		mov	ebx, [ebp+arg_0]
		mov	eax, [ebx]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	short loc_992C95
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_992C95:				; CODE XREF: KsepApplyShimsToDriver(x,x,x,x)+98j
		mov	eax, esi
		lock xadd _KsepHistoryMessagesIndex, eax
		inc	eax
		and	eax, 3Fh
		push	7
		pop	ecx
		and	dword_6C7244[eax*8], 0
		test	_KsepDebugFlag,	1
		mov	word_6C7242[eax*8], cx
		mov	ecx, 2AAh
		mov	_KsepHistoryMessages[eax*8], cx
		jz	short loc_992CE8
		mov	eax, [ebx]
		push	dword ptr [edi+4]
		mov	eax, [eax+8]
		mov	eax, [eax+4]
		push	dword ptr [eax]	; char
		push	offset ??_C@_0CM@GMLHMFCH@KSE?3?5Applied?5shim?5?$FL0x?$CF08X?$FN?5to?5d@NNGAKEGL@ ; char *
		push	8		; int
		call	_KsepDebugPrint
		add	esp, 10h

loc_992CE8:				; CODE XREF: KsepApplyShimsToDriver(x,x,x,x)+D4j
		mov	eax, [ebx]
		push	dword ptr [edi+4]
		mov	eax, [eax+8]
		mov	eax, [eax+4]
		push	dword ptr [eax]
		push	offset ??_C@_0CM@GMLHMFCH@KSE?3?5Applied?5shim?5?$FL0x?$CF08X?$FN?5to?5d@NNGAKEGL@
		push	8
		call	_KsepLogInfo
		mov	ecx, [ebp+var_4]
		add	esp, 10h
		mov	edx, [ebp+var_8]

loc_992D0A:				; CODE XREF: KsepApplyShimsToDriver(x,x,x,x)+4Bj
		inc	edx
		add	ebx, 34h
		mov	[ebp+var_8], edx
		mov	[ebp+arg_0], ebx
		cmp	edx, [ebp+arg_4]
		jb	loc_992C3B
		push	7
		pop	eax

loc_992D20:				; CODE XREF: KsepApplyShimsToDriver(x,x,x,x)+39j
		lock xadd _KsepHistoryMessagesIndex, esi
		inc	esi
		and	esi, 3Fh
		and	dword_6C7244[esi*8], 0
		test	_KsepDebugFlag,	1
		mov	word_6C7242[esi*8], ax
		mov	eax, 2AEh
		mov	_KsepHistoryMessages[esi*8], ax
		mov	esi, offset ??_C@_0DB@MOKEJO@KSE?3?5Successfully?5applied?5shims@NNGAKEGL@
		jz	short loc_992D65
		push	dword ptr [edi+4] ; char
		push	esi		; char *
		push	8		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_992D65:				; CODE XREF: KsepApplyShimsToDriver(x,x,x,x)+15Fj
		push	dword ptr [edi+4]
		push	esi
		push	8
		call	_KsepLogInfo
		add	esp, 0Ch
		xor	ebx, ebx

loc_992D75:				; CODE XREF: KsepApplyShimsToDriver(x,x,x,x)+1E2j
					; KsepApplyShimsToDriver(x,x,x,x)+23Bj
		mov	eax, ebx
		jmp	loc_992E3B
; 

loc_992D7C:				; CODE XREF: KsepApplyShimsToDriver(x,x,x,x)+6Ej
		lock xadd _KsepHistoryErrorsIndex, esi
		inc	esi
		and	esi, 3Fh
		test	_KsepDebugFlag,	2
		push	7
		pop	eax
		mov	word_6C7022[esi*8], ax
		mov	eax, 284h
		mov	dword_6C7024[esi*8], ebx
		mov	_KsepHistoryErrors[esi*8], ax
		mov	esi, offset ??_C@_0CG@GICNOBIL@KSE?3?5Driver?5blocked?5with?5?$FL?$CFws?$FN?3@NNGAKEGL@
		jz	short loc_992DC4
		push	ebx
		push	dword ptr [edi+4] ; char
		push	esi		; char *
		push	8		; int
		call	_KsepDebugPrint
		add	esp, 10h

loc_992DC4:				; CODE XREF: KsepApplyShimsToDriver(x,x,x,x)+1BDj
		push	ebx
		push	dword ptr [edi+4] ; char
		push	esi		; char *
		push	8		; int
		call	_KsepLogError
		add	esp, 10h
		mov	ebx, 0C000036Ch
		jmp	short loc_992D75
; 

loc_992DDA:				; CODE XREF: KsepApplyShimsToDriver(x,x,x,x)+88j
		lock xadd _KsepHistoryErrorsIndex, esi
		inc	esi
		and	esi, 3Fh
		test	_KsepDebugFlag,	2
		push	7
		pop	eax
		mov	word_6C7022[esi*8], ax
		mov	eax, 297h
		mov	dword_6C7024[esi*8], ebx
		mov	_KsepHistoryErrors[esi*8], ax
		mov	esi, offset ??_C@_0CJ@EMNNCJLL@KSE?3?5Failed?5to?5patch?5driver?5?$FL?$CFw@NNGAKEGL@
		jz	short loc_992E22
		push	ebx
		push	dword ptr [edi+4] ; char
		push	esi		; char *
		push	8		; int
		call	_KsepDebugPrint
		add	esp, 10h

loc_992E22:				; CODE XREF: KsepApplyShimsToDriver(x,x,x,x)+21Bj
		push	ebx
		push	dword ptr [edi+4] ; char
		push	esi		; char *
		push	8		; int
		call	_KsepLogError
		add	esp, 10h
		jmp	loc_992D75
; 

loc_992E36:				; CODE XREF: KsepApplyShimsToDriver(x,x,x,x)+12j
					; KsepApplyShimsToDriver(x,x,x,x)+1Aj ...
		mov	eax, 0C000000Dh

loc_992E3B:				; CODE XREF: KsepApplyShimsToDriver(x,x,x,x)+181j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KsepApplyShimsToDriver@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepPatchDriverImportsTable(x, x)
_KsepPatchDriverImportsTable@8 proc near ; CODE	XREF: KsepApplyShimsToDriver(x,x,x,x)+7Fp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_4], 0
		mov	eax, ecx
		mov	[ebp+var_18], eax
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_14], ebx
		push	esi
		push	edi
		test	eax, eax
		jz	loc_992F79
		test	ebx, ebx
		jz	loc_992F79
		mov	eax, [eax+18h]
		lea	ecx, [ebp+var_4]
		push	ecx
		push	0Ch
		push	1
		push	eax
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_992E8D
		mov	eax, 0C0000001h
		jmp	loc_992F7E
; 

loc_992E8D:				; CODE XREF: KsepPatchDriverImportsTable(x,x)+3Fj
		mov	edi, [ebx+18h]
		test	edi, edi
		jz	loc_992F79
		xor	ecx, ecx
		mov	[ebp+var_8], ecx

loc_992E9D:				; CODE XREF: KsepPatchDriverImportsTable(x,x)+12Dj
		mov	eax, [edi]
		cmp	eax, 4
		jz	loc_992F75
		cmp	eax, 2
		jz	short loc_992EBA
		test	eax, eax
		jz	short loc_992EBA
		cmp	eax, 1
		jnz	loc_992F64

loc_992EBA:				; CODE XREF: KsepPatchDriverImportsTable(x,x)+69j
					; KsepPatchDriverImportsTable(x,x)+6Dj
		mov	esi, [edi+8]
		test	esi, esi
		jz	loc_992F79
		and	[ebp+var_10], 0

loc_992EC9:				; CODE XREF: KsepPatchDriverImportsTable(x,x)+116j
		mov	eax, [esi]
		cmp	eax, 2
		jz	loc_992F5E
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	loc_992F79
		mov	edx, [esi+0Ch]
		test	edx, edx
		jz	loc_992F79
		test	eax, eax
		jnz	loc_992F79
		push	ecx
		mov	ecx, [ebp+var_C]
		push	edx
		mov	edx, [ebp+var_4]
		call	_KsepPatchImportTableEntry@16 ;	KsepPatchImportTableEntry(x,x,x,x)
		cmp	eax, 0C0000225h
		jnz	short loc_992F3F
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jz	short loc_992F4A
		mov	ecx, [ebp+var_18]
		call	_VfIsVerificationEnabledForImage@4 ; VfIsVerificationEnabledForImage(x)
		test	eax, eax
		jz	short loc_992F4A
		mov	ecx, [esi+4]
		call	_VfGetHookAddressForOriginal@4 ; VfGetHookAddressForOriginal(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_992F4A
		push	dword ptr [esi+8]
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		push	ebx
		call	_KsepPatchImportTableEntry@16 ;	KsepPatchImportTableEntry(x,x,x,x)
		test	eax, eax
		js	short loc_992F43
		mov	[esi+0Ch], ebx

loc_992F3F:				; CODE XREF: KsepPatchDriverImportsTable(x,x)+C2j
		test	eax, eax
		jns	short loc_992F4A

loc_992F43:				; CODE XREF: KsepPatchDriverImportsTable(x,x)+F8j
		cmp	eax, 0C0000225h
		jnz	short loc_992F7E

loc_992F4A:				; CODE XREF: KsepPatchDriverImportsTable(x,x)+CBj
					; KsepPatchDriverImportsTable(x,x)+D7j	...
		mov	ecx, [ebp+var_10]
		mov	esi, [edi+8]
		add	ecx, 10h
		mov	[ebp+var_10], ecx
		add	esi, ecx
		jnz	loc_992EC9

loc_992F5E:				; CODE XREF: KsepPatchDriverImportsTable(x,x)+8Cj
		mov	ecx, [ebp+var_8]
		mov	ebx, [ebp+var_14]

loc_992F64:				; CODE XREF: KsepPatchDriverImportsTable(x,x)+72j
		mov	edi, [ebx+18h]
		add	ecx, 0Ch
		mov	[ebp+var_8], ecx
		add	edi, ecx
		jnz	loc_992E9D

loc_992F75:				; CODE XREF: KsepPatchDriverImportsTable(x,x)+60j
		xor	eax, eax
		jmp	short loc_992F7E
; 

loc_992F79:				; CODE XREF: KsepPatchDriverImportsTable(x,x)+1Bj
					; KsepPatchDriverImportsTable(x,x)+23j	...
		mov	eax, 0C000000Dh

loc_992F7E:				; CODE XREF: KsepPatchDriverImportsTable(x,x)+46j
					; KsepPatchDriverImportsTable(x,x)+106j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KsepPatchDriverImportsTable@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepPatchImportTableEntry(x, x, x, x)
_KsepPatchImportTableEntry@16 proc near	; CODE XREF: KsepPatchDriverImportsTable(x,x)+B8p
					; KsepPatchDriverImportsTable(x,x)+F1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_992FD3
		test	edx, edx
		jz	short loc_992FD3
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_992FD3
		cmp	[ebp+arg_4], 0
		jz	short loc_992FD3
		xor	eax, eax
		shr	edx, 2
		mov	edi, eax
		test	edx, edx
		jz	short loc_992FC3

loc_992FAA:				; CODE XREF: KsepPatchImportTableEntry(x,x,x,x)+31j
		cmp	[ecx], esi
		jz	short loc_992FB8
		inc	edi
		add	ecx, 4
		cmp	edi, edx
		jb	short loc_992FAA
		jmp	short loc_992FC3
; 

loc_992FB8:				; CODE XREF: KsepPatchImportTableEntry(x,x,x,x)+29j
		mov	edx, [ebp+arg_4]
		call	_MmReplaceImportEntry@8	; MmReplaceImportEntry(x,x)
		xor	eax, eax
		inc	eax

loc_992FC3:				; CODE XREF: KsepPatchImportTableEntry(x,x,x,x)+25j
					; KsepPatchImportTableEntry(x,x,x,x)+33j
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFDDBh
		add	eax, 0C0000225h
		jmp	short loc_992FD8
; 

loc_992FD3:				; CODE XREF: KsepPatchImportTableEntry(x,x,x,x)+9j
					; KsepPatchImportTableEntry(x,x,x,x)+Dj ...
		mov	eax, 0C000000Dh

loc_992FD8:				; CODE XREF: KsepPatchImportTableEntry(x,x,x,x)+4Ej
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_KsepPatchImportTableEntry@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepResolveApplicableShimsForDriver(x, x)
_KsepResolveApplicableShimsForDriver@8 proc near ; CODE	XREF: KsepGetShimsForDriver+AFC00p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		mov	dword ptr [ebp+var_4], edx
		push	ebx
		mov	ebx, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], eax
		mov	eax, large fs:124h
		push	esi
		mov	esi, ecx
		mov	[ebp+var_18], ebx
		push	edi
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_8], esi
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D4A90
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword ptr [ebp+var_4]
		xor	edi, edi
		inc	edi
		test	eax, eax
		jz	short loc_993063
		add	esi, 30h
		mov	ebx, eax

loc_99302A:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+80j
		push	esi		; int
		push	ecx		; int
		lea	edx, [esi-30h]	; void *
		mov	ecx, offset _KseEngine ; int
		call	KsepIsShimRegistered
		cmp	eax, edi
		jnz	short loc_99304F
		mov	ecx, [esi]
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jnz	short loc_993049
		mov	[ebp+var_10], edi

loc_993049:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+66j
		inc	eax
		mov	[ecx+0Ch], eax
		jmp	short loc_993058
; 

loc_99304F:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+5Dj
		and	dword ptr [esi], 0
		mov	[ebp+var_C], edi
		mov	[ebp+var_10], edi

loc_993058:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+6Fj
		add	esi, 34h
		sub	ebx, 1
		jnz	short loc_99302A
		mov	ebx, [ebp+var_18]

loc_993063:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+45j
		or	esi, 0FFFFFFFFh
		mov	ecx, offset unk_6D4A90
		mov	eax, esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_993081
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset unk_6D4A90

loc_993081:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+97j
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[ebp+var_C], 0
		jz	loc_99326C
		xor	eax, eax
		mov	[ebp+var_C], eax
		cmp	dword ptr [ebp+var_4], eax
		jbe	short loc_9930DB
		mov	ecx, [ebp+var_8]
		mov	edx, dword ptr [ebp+var_4]
		mov	[ebp+var_18], ecx

loc_9930AF:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+FBj
		cmp	dword ptr [ecx+30h], 0
		jnz	short loc_9930CD
		call	_KsepLoadShimProvider@4	; KsepLoadShimProvider(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_993169
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_18]
		mov	edx, dword ptr [ebp+var_4]

loc_9930CD:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+D5j
		inc	eax
		add	ecx, 34h
		mov	[ebp+var_C], eax
		mov	[ebp+var_18], ecx
		cmp	eax, edx
		jb	short loc_9930AF

loc_9930DB:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+C6j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset unk_6D4A90
		call	ExAcquirePushLockExclusiveEx
		and	[ebp+var_C], 0
		cmp	dword ptr [ebp+var_4], 0
		jbe	short loc_993139
		mov	ecx, [ebp+var_8]
		add	ecx, 30h
		mov	[ebp+var_18], ecx

loc_993108:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+159j
		push	ecx		; int
		push	ecx		; int
		lea	edx, [ecx-30h]	; void *
		mov	ecx, offset _KseEngine ; int
		call	KsepIsShimRegistered
		test	eax, eax
		jz	loc_9931D5
		mov	ecx, [ebp+var_18]
		mov	eax, [ecx]
		add	ecx, 34h
		mov	[ebp+var_18], ecx
		inc	dword ptr [eax+0Ch]
		mov	eax, [ebp+var_C]
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, dword ptr [ebp+var_4]
		jb	short loc_993108

loc_993139:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+11Fj
		mov	eax, esi
		mov	esi, offset unk_6D4A90
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_993151
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_993151:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+16Aj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_993271
; 

loc_993169:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+E0j
		mov	eax, edi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		mov	esi, [ebp+var_8]
		and	eax, 3Fh
		test	_KsepDebugFlag,	2
		push	7
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 1CFh
		mov	dword_6C7024[eax*8], ebx
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_9931B9
		imul	eax, [ebp+var_C], 34h
		push	ebx
		push	dword ptr [eax+esi] ; char
		push	offset ??_C@_0DO@GGEELECN@KSE?3?5Failed?5to?5load?5provider?5fo@NNGAKEGL@ ; char *
		push	6		; int
		call	_KsepDebugPrint
		add	esp, 10h

loc_9931B9:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+1C2j
		imul	eax, [ebp+var_C], 34h
		push	ebx
		push	dword ptr [eax+esi] ; char
		push	offset ??_C@_0DO@GGEELECN@KSE?3?5Failed?5to?5load?5provider?5fo@NNGAKEGL@ ; char *

loc_9931C6:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+424j
		push	6		; int
		call	_KsepLogError
		add	esp, 10h
		jmp	loc_993312
; 

loc_9931D5:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+13Bj
		or	eax, 0FFFFFFFFh
		mov	ebx, offset unk_6D4A90
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9931EE
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9931EE:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+207j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ebx, 0C0000412h
		lock xadd _KsepHistoryErrorsIndex, edi
		inc	edi
		mov	esi, [ebp+var_8]
		and	edi, 3Fh
		test	_KsepDebugFlag,	2
		push	7
		pop	eax
		mov	word_6C7022[edi*8], ax
		mov	eax, 1ECh
		mov	dword_6C7024[edi*8], ebx
		mov	_KsepHistoryErrors[edi*8], ax
		mov	edi, [ebp+var_C]
		jz	short loc_993255
		imul	eax, edi, 34h
		push	dword ptr [eax+esi] ; char
		push	offset ??_C@_0DK@JPBPOEHM@KSE?3?5The?5provider?5did?5not?5regis@NNGAKEGL@ ; char *
		push	6		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_993255:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+260j
		imul	eax, edi, 34h
		push	dword ptr [eax+esi] ; char
		push	offset ??_C@_0DK@JPBPOEHM@KSE?3?5The?5provider?5did?5not?5regis@NNGAKEGL@ ; char *
		push	6		; int
		call	_KsepLogError
		jmp	loc_993369
; 

loc_99326C:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+B8j
		mov	esi, offset unk_6D4A90

loc_993271:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+186j
		cmp	[ebp+var_10], 0
		jz	loc_993312
		lea	ecx, [ebp+var_14]
		call	_KsepGetLoadedModulesList@4 ; KsepGetLoadedModulesList(x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_99336C
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		and	[ebp+var_C], 0
		cmp	dword ptr [ebp+var_4], 0
		jbe	short loc_9932EB
		mov	esi, [ebp+var_8]
		lea	ecx, [esi+30h]
		mov	[ebp+var_18], ecx

loc_9932B7:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+306j
		mov	eax, [ecx]
		mov	ecx, [ebp+var_14]
		mov	edx, [eax+8]
		mov	edx, [edx+18h]
		call	_KsepResolveShimHooks@8	; KsepResolveShimHooks(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_99337B
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_18]
		inc	eax
		add	ecx, 34h
		mov	[ebp+var_C], eax
		mov	[ebp+var_18], ecx
		cmp	eax, dword ptr [ebp+var_4]
		jb	short loc_9932B7
		mov	esi, offset unk_6D4A90

loc_9932EB:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+2CEj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9932FF
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9932FF:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+318j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_993312:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+1F2j
					; KsepResolveApplicableShimsForDriver(x,x)+297j
		test	ebx, ebx
		js	short loc_99336C
		lock xadd _KsepHistoryMessagesIndex, edi
		inc	edi
		and	edi, 3Fh
		mov	esi, (offset loc_8BB6DF+1)
		push	7
		pop	eax
		and	dword_6C7244[edi*8], 0
		test	_KsepDebugFlag,	1
		mov	word_6C7242[edi*8], ax
		mov	eax, 22Ah
		mov	_KsepHistoryMessages[edi*8], ax
		jz	short loc_99335E
		push	dword ptr [ebp+var_4] ;	char
		push	esi		; char *
		push	6		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_99335E:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+370j
		push	dword ptr [ebp+var_4]
		push	esi
		push	6
		call	_KsepLogInfo

loc_993369:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+289j
		add	esp, 0Ch

loc_99336C:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+2A9j
					; KsepResolveApplicableShimsForDriver(x,x)+336j
		mov	ecx, [ebp+var_14]
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_99337B:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+2EDj
		or	eax, 0FFFFFFFFh
		mov	ecx, offset unk_6D4A90
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_993397
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset unk_6D4A90

loc_993397:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+3ADj
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	2
		push	7
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 21Ch
		mov	dword_6C7024[eax*8], ebx
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_9933F5
		imul	eax, [ebp+var_C], 34h
		push	ebx
		push	dword ptr [eax+esi] ; char
		push	offset ??_C@_0DO@FIPHHPDP@KSE?3?5Failed?5to?5resolve?5hooks?5fo@NNGAKEGL@ ; char *
		push	6		; int
		call	_KsepDebugPrint
		add	esp, 10h

loc_9933F5:				; CODE XREF: KsepResolveApplicableShimsForDriver(x,x)+3FEj
		imul	eax, [ebp+var_C], 34h
		push	ebx
		push	dword ptr [eax+esi]
		push	offset ??_C@_0DO@FIPHHPDP@KSE?3?5Failed?5to?5resolve?5hooks?5fo@NNGAKEGL@
		jmp	loc_9931C6
_KsepResolveApplicableShimsForDriver@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KseLookupHardwareId(x)
_KseLookupHardwareId@4 proc near	; CODE XREF: AhcCacheQueryHwId(x)+124p

var_24		= dword	ptr -24h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, dword_6D4AA0
		mov	edx, ecx
		push	edi
		push	7
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_8], edx
		lea	edi, [ebp+var_24]
		mov	ebx, edx
		rep stosd
		movzx	eax, word ptr [edx]
		push	2Ah
		pop	edi
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		cmp	ax, di
		jnz	short loc_99343F
		lea	ebx, [edx+2]
		movzx	ecx, word ptr [ebx]

loc_99343F:				; CODE XREF: KseLookupHardwareId(x)+30j
		movzx	eax, cx
		test	ax, ax
		jz	short loc_993466
		mov	edx, ebx
		mov	ecx, eax

loc_99344B:				; CODE XREF: KseLookupHardwareId(x)+5Aj
		cmp	cx, di
		jz	short loc_9934CC
		cmp	cx, 3Fh
		jz	short loc_9934CC
		add	edx, 2
		movzx	eax, word ptr [edx]
		mov	ecx, eax
		test	ax, ax
		jnz	short loc_99344B
		mov	edx, [ebp+var_8]

loc_993466:				; CODE XREF: KseLookupHardwareId(x)+3Ej
		push	edx
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		lea	edx, [ebp+var_24]
		mov	ecx, esi
		call	_KsepCacheLookup@8 ; KsepCacheLookup(x,x)
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, 0C0000225h
		mov	ebx, eax

loc_99349E:				; CODE XREF: KseLookupHardwareId(x)+120j
					; KseLookupHardwareId(x)+127j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9934B2
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9934B2:				; CODE XREF: KseLookupHardwareId(x)+A2j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_9934CC:				; CODE XREF: KseLookupHardwareId(x)+47j
					; KseLookupHardwareId(x)+4Dj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [esi+14h]
		mov	edi, [eax]
		cmp	edi, eax
		jz	short loc_993522
		mov	ecx, [ebp+var_4]

loc_9934EF:				; CODE XREF: KseLookupHardwareId(x)+119j
		mov	edx, [edi+0Ch]
		push	2Ah
		pop	eax
		cmp	cx, ax
		lea	eax, [esi+14h]
		jnz	short loc_99350B
		push	2Ah
		pop	ecx
		cmp	[edx], cx
		mov	ecx, [ebp+var_4]
		jnz	short loc_99351C
		add	edx, 2

loc_99350B:				; CODE XREF: KseLookupHardwareId(x)+F4j
		mov	ecx, ebx
		call	AslStringPatternMatchW
		test	eax, eax
		jnz	short loc_99352C
		mov	ecx, [ebp+var_4]
		lea	eax, [esi+14h]

loc_99351C:				; CODE XREF: KseLookupHardwareId(x)+FFj
		mov	edi, [edi]
		cmp	edi, eax
		jnz	short loc_9934EF

loc_993522:				; CODE XREF: KseLookupHardwareId(x)+E3j
		mov	ebx, 0C0000225h
		jmp	loc_99349E
; 

loc_99352C:				; CODE XREF: KseLookupHardwareId(x)+10Dj
		xor	ebx, ebx
		jmp	loc_99349E
_KseLookupHardwareId@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepDeletePatchSdb()
_KsepDeletePatchSdb@0 proc near		; CODE XREF: KseShimDatabaseOpen+AF704p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi		; char
		push	offset aSystemrootAppp ; "\\SystemRoot\\AppPatch\\drvpatch.sdb"
		lea	eax, [ebp+var_8]
		xor	esi, esi
		push	eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], 18h
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_20]
		push	eax
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], 240h
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		call	_ZwDeleteFile@4	; ZwDeleteFile(x)
		test	eax, eax
		jns	short loc_9935CB
		xor	ecx, ecx
		inc	ecx
		lock xadd _KsepHistoryErrorsIndex, ecx
		inc	ecx
		and	ecx, 3Fh
		mov	edi, offset ??_C@_0CM@LMJONFN@KSE?3?5Failed?5to?5delete?5patch?5shi@NNGAKEGL@
		test	_KsepDebugFlag,	2
		push	9
		mov	dword_6C7024[ecx*8], eax
		pop	eax
		mov	word_6C7022[ecx*8], ax
		mov	eax, 224h
		mov	_KsepHistoryErrors[ecx*8], ax
		jz	short loc_9935C2
		push	edi		; char *
		push	esi		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_9935C2:				; CODE XREF: KsepDeletePatchSdb()+84j
		push	edi		; char *
		push	esi		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx

loc_9935CB:				; CODE XREF: KsepDeletePatchSdb()+48j
		pop	edi
		pop	esi
		leave
		retn
_KsepDeletePatchSdb@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepGetModuleInfoByName(x, x, x, x)
_KsepGetModuleInfoByName@16 proc near	; CODE XREF: KsepResolveShimHooks(x,x)+58p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		push	esi
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jz	loc_99367C
		cmp	[ebp+arg_0], ebx
		jz	short loc_99367C
		test	edi, edi
		jz	short loc_99367C
		push	ecx
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	RtlUnicodeStringToAnsiString
		mov	esi, eax
		test	esi, esi
		js	short loc_99365D
		cmp	[edi], ebx
		jbe	short loc_993658
		lea	esi, [edi+4]

loc_993627:				; CODE XREF: KsepGetModuleInfoByName(x,x,x,x)+87j
		movzx	eax, word ptr [esi+1Ah]
		add	eax, 1Ch
		add	eax, esi
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlCompareString
		test	eax, eax
		jz	short loc_993670
		inc	ebx
		add	esi, 11Ch
		cmp	ebx, [edi]
		jb	short loc_993627

loc_993658:				; CODE XREF: KsepGetModuleInfoByName(x,x,x,x)+53j
		mov	esi, 0C0000225h

loc_99365D:				; CODE XREF: KsepGetModuleInfoByName(x,x,x,x)+4Fj
					; KsepGetModuleInfoByName(x,x,x,x)+ABj
		cmp	[ebp+var_4], 0
		jz	short loc_99366C
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlFreeAnsiString@4 ; RtlFreeAnsiString(x)

loc_99366C:				; CODE XREF: KsepGetModuleInfoByName(x,x,x,x)+92j
		mov	eax, esi
		jmp	short loc_993681
; 

loc_993670:				; CODE XREF: KsepGetModuleInfoByName(x,x,x,x)+7Cj
		mov	ecx, [ebp+arg_0]
		mov	eax, [esi+8]
		xor	esi, esi
		mov	[ecx], eax
		jmp	short loc_99365D
; 

loc_99367C:				; CODE XREF: KsepGetModuleInfoByName(x,x,x,x)+23j
					; KsepGetModuleInfoByName(x,x,x,x)+2Cj	...
		mov	eax, 0C000000Dh

loc_993681:				; CODE XREF: KsepGetModuleInfoByName(x,x,x,x)+9Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KsepGetModuleInfoByName@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepStringSplitMultiString(x, x, x,	x)
_KsepStringSplitMultiString@16 proc near ; CODE	XREF: KsepEngineGetShimsFromRegistry+AF470p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	eax, edx
		mov	edx, ecx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_18], eax
		mov	edi, eax
		mov	[ebp+var_1C], edx
		shr	edi, 1
		mov	eax, esi
		mov	[ebp+var_4], eax
		mov	ebx, esi
		test	edx, edx
		jz	loc_993847
		test	byte ptr [ebp+var_18], 1
		jnz	loc_993847
		cmp	[ebp+arg_0], eax
		jz	loc_993847
		cmp	[ebp+arg_4], eax
		jz	loc_993847
		push	3
		pop	eax
		cmp	edi, eax
		jb	loc_993840
		cmp	[edx+edi*2-2], si
		jnz	loc_993840
		cmp	[edx+edi*2-4], si
		jnz	loc_993840
		mov	eax, esi
		mov	ecx, esi

loc_9936F3:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+77j
		cmp	[edx+ecx*2], si
		jnz	short loc_9936FA
		inc	eax

loc_9936FA:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+6Fj
		inc	ecx
		mov	ebx, eax
		cmp	ecx, edi
		jb	short loc_9936F3
		cmp	eax, 2
		jnb	short loc_993756
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		push	3
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 3B5h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		mov	eax, ebx
		jz	short loc_993756
		push	esi
		push	ecx
		push	offset ??_C@_0BP@MHONLNCD@minkernel?2ntos?2kshim?2ksemisc?4c@NNGAKEGL@
		push	(offset	loc_8BBBCB+5)
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		mov	eax, ebx

loc_993756:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+7Cj
					; KsepStringSplitMultiString(x,x,x,x)+B9j
		lea	ebx, [eax-1]
		mov	ecx, ebx
		shl	ecx, 3
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_993774
		mov	esi, 0C0000017h
		jmp	loc_99386F
; 

loc_993774:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+E0j
		lea	ecx, [edi-1]
		mov	[ebp+var_14], esi
		mov	[ebp+var_20], ecx
		mov	edx, esi
		mov	[ebp+var_10], edx
		test	ecx, ecx
		jz	short loc_9937D7
		mov	edi, [ebp+var_1C]
		push	2
		pop	ecx
		mov	[ebp+var_8], eax
		mov	eax, esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_18], ecx

loc_993797:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+14Dj
		cmp	[edi+ecx-2], si
		jnz	short loc_9937C8
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		lea	edx, [edx+edi]
		call	KsepStringDuplicate
		test	eax, eax
		js	loc_993836
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_18]
		inc	edx
		add	[ebp+var_8], 8
		mov	eax, [ebp+var_14]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], edx

loc_9937C8:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+114j
		inc	eax
		add	ecx, 2
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], ecx
		cmp	eax, [ebp+var_20]
		jb	short loc_993797

loc_9937D7:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+FCj
		cmp	edx, ebx
		jz	short loc_993827
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		push	3
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 3DDh
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_993827
		push	esi
		push	ecx
		push	offset ??_C@_0BP@MHONLNCD@minkernel?2ntos?2kshim?2ksemisc?4c@NNGAKEGL@
		push	offset ??_C@_0BL@NOBLOGNK@Count?5?$DN?$DN?5StringsVectorSize@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)

loc_993827:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+151j
					; KsepStringSplitMultiString(x,x,x,x)+18Cj
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		jmp	short loc_99386F
; 

loc_993836:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+126j
		mov	eax, [ebp+var_4]
		mov	esi, 0C0000017h
		jmp	short loc_99384C
; 

loc_993840:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+4Bj
					; KsepStringSplitMultiString(x,x,x,x)+56j ...
		mov	esi, 0C000000Dh
		jmp	short loc_99386F
; 

loc_993847:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+24j
					; KsepStringSplitMultiString(x,x,x,x)+2Ej ...
		mov	esi, 0C000000Dh

loc_99384C:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+1B6j
		test	eax, eax
		jz	short loc_99386F
		test	ebx, ebx
		jz	short loc_993868
		mov	edi, eax

loc_993856:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+1DBj
		mov	ecx, edi
		call	KsepStringFree
		add	edi, 8
		sub	ebx, 1
		jnz	short loc_993856
		mov	eax, [ebp+var_4]

loc_993868:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+1CAj
		mov	ecx, eax
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)

loc_99386F:				; CODE XREF: KsepStringSplitMultiString(x,x,x,x)+E7j
					; KsepStringSplitMultiString(x,x,x,x)+1ACj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_KsepStringSplitMultiString@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepCacheDeviceFree(x)
_KsepCacheDeviceFree@4 proc near	; CODE XREF: KsepDbCacheReadDevice+A9p
					; KseQueryDeviceData+6B74Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_9938C5
		lea	eax, [edi+1Ch]
		mov	ebx, [eax]
		cmp	ebx, eax
		jz	short loc_9938B6
		mov	edi, eax

loc_993894:				; CODE XREF: KsepCacheDeviceFree(x)+39j
		mov	esi, ebx
		mov	ebx, [ebx]
		lea	ecx, [esi+8]
		call	KsepStringFree
		mov	ecx, [esi+18h]
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		mov	ecx, esi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		cmp	ebx, edi
		jnz	short loc_993894
		mov	edi, [ebp+arg_0]

loc_9938B6:				; CODE XREF: KsepCacheDeviceFree(x)+18j
		lea	ecx, [edi+14h]
		call	KsepStringFree
		mov	ecx, edi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)

loc_9938C5:				; CODE XREF: KsepCacheDeviceFree(x)+Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KsepCacheDeviceFree@4 endp


;  S U B	R O U T	I N E 


; __stdcall KsepCacheReset(x)
_KsepCacheReset@4 proc near		; CODE XREF: KseResetDeviceCache()+2Bp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+14h]
		mov	ebx, [esi]
		jmp	short loc_9938E3
; 

loc_9938DA:				; CODE XREF: KsepCacheReset(x)+19j
		lea	eax, [ebx-0Ch]
		mov	ebx, [ebx]
		push	eax
		call	dword ptr [edi+38h]

loc_9938E3:				; CODE XREF: KsepCacheReset(x)+Cj
		cmp	ebx, esi
		jnz	short loc_9938DA
		xor	ecx, ecx
		cmp	[edi+8], ecx
		jbe	short loc_9938FF

loc_9938EE:				; CODE XREF: KsepCacheReset(x)+31j
		mov	eax, [edi+0Ch]
		lea	eax, [eax+ecx*8]
		inc	ecx
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	ecx, [edi+8]
		jb	short loc_9938EE

loc_9938FF:				; CODE XREF: KsepCacheReset(x)+20j
		and	dword ptr [edi+4], 0
		pop	edi
		mov	[esi+4], esi
		mov	[esi], esi
		pop	esi
		pop	ebx
		retn
_KsepCacheReset@4 endp


;  S U B	R O U T	I N E 


; __stdcall KsepCacheUninitialize(x)
_KsepCacheUninitialize@4 proc near	; CODE XREF: KsepEngineUninitialize(x)+5Cp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	ebx, [esi+14h]
		mov	edi, [ebx]
		jmp	short loc_993923
; 

loc_99391A:				; CODE XREF: KsepCacheUninitialize(x)+19j
		lea	eax, [edi-0Ch]
		mov	edi, [edi]
		push	eax
		call	dword ptr [esi+38h]

loc_993923:				; CODE XREF: KsepCacheUninitialize(x)+Cj
		cmp	edi, ebx
		jnz	short loc_99391A
		mov	ecx, [esi+0Ch]
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		pop	edi
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
_KsepCacheUninitialize@4 endp


;  S U B	R O U T	I N E 


; __stdcall KsepCacheUnlock(x)
_KsepCacheUnlock@4 proc	near		; CODE XREF: KseQueryDeviceDataList(x,x,x,x)+B4p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_993950
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_993950:				; CODE XREF: KsepCacheUnlock(x)+10j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_KsepCacheUnlock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepRegistryCreateKey(x, x,	x)
_KsepRegistryCreateKey@12 proc near	; CODE XREF: KseSetDeviceFlags(x,x,x,x)+79p
					; KseSetDeviceFlags(x,x,x,x)+97p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		mov	eax, ecx
		xor	esi, esi
		xor	ecx, ecx
		mov	[ebp+var_10], eax
		push	edi
		mov	ebx, edx
		mov	[ebp+var_18], ecx
		xor	edx, edx
		mov	[ebp+var_20], ecx
		inc	esi
		mov	[ebp+var_14], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], edx
		push	4
		pop	ecx
		test	eax, eax
		jnz	short loc_9939E3
		mov	eax, esi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		mov	word_6C7022[eax*8], cx
		mov	ecx, 1F7h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_9939E0
		push	edx
		push	ecx
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0BD@MJDCKHCM@EnginePath?5?$CB?$DN?5NULL@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		xor	edx, edx

loc_9939E0:				; CODE XREF: KsepRegistryCreateKey(x,x,x)+67j
		push	4
		pop	ecx

loc_9939E3:				; CODE XREF: KsepRegistryCreateKey(x,x,x)+30j
		test	ebx, ebx
		jnz	short loc_993A2F
		mov	eax, esi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		mov	word_6C7022[eax*8], cx
		mov	ecx, 1F8h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_993A2F
		push	edx
		push	ecx
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0BC@NBPPGFMM@SearchKey?5?$CB?$DN?5NULL@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)

loc_993A2F:				; CODE XREF: KsepRegistryCreateKey(x,x,x)+81j
					; KsepRegistryCreateKey(x,x,x)+B8j
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_993A80
		lock xadd _KsepHistoryErrorsIndex, esi
		inc	esi
		and	esi, 3Fh
		mov	ecx, 1F9h
		push	4
		pop	eax
		mov	dword_6C7024[esi*8], 0C0000420h
		mov	word_6C7022[esi*8], ax
		mov	_KsepHistoryErrors[esi*8], cx
		test	_KsepDebugFlag,	al
		jz	short loc_993A80
		xor	eax, eax
		push	eax
		push	ecx
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0P@MJKECDDF@Handle?5?$CB?$DN?5NULL@NNGAKEGL@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)

loc_993A80:				; CODE XREF: KsepRegistryCreateKey(x,x,x)+D0j
					; KsepRegistryCreateKey(x,x,x)+107j
		mov	edx, [ebp+var_10]
		lea	ecx, [ebp+var_18]
		call	KsepStringDuplicate
		xor	ecx, ecx
		mov	[ebp+var_38], 18h
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_18]
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_38]
		push	ecx
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_8]
		mov	[ebp+var_2C], 240h
		push	eax
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_993B20
		mov	edx, ebx
		lea	ecx, [ebp+var_20]
		call	KsepStringDuplicate
		mov	esi, eax
		test	esi, esi
		js	short loc_993B20
		mov	eax, [ebp+var_8]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_30], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_C]
		mov	[ebp+var_38], 18h
		push	eax
		mov	[ebp+var_2C], 240h
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_993B20
		mov	eax, [ebp+var_C]
		mov	[edi], eax
		lock inc dword_6C6FB8

loc_993B20:				; CODE XREF: KsepRegistryCreateKey(x,x,x)+160j
					; KsepRegistryCreateKey(x,x,x)+170j ...
		lea	ecx, [ebp+var_18]
		call	KsepStringFree
		lea	ecx, [ebp+var_20]
		call	KsepStringFree
		cmp	[ebp+var_8], 0
		jz	short loc_993B3E
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_993B3E:				; CODE XREF: KsepRegistryCreateKey(x,x,x)+1D0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_KsepRegistryCreateKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KsepRegistryEnumValue(int,void *,int)
_KsepRegistryEnumValue@20 proc near	; CODE XREF: KsepDbQueryRegistryDeviceDataList(x,x,x,x)+B9p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		lea	eax, [ebp+var_4]
		push	eax
		xor	ecx, ecx
		mov	esi, edx
		push	ecx
		push	ecx
		push	ecx
		push	esi
		push	ebx
		mov	[ebp+var_4], ecx
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	short loc_993B74
		cmp	eax, 80000005h
		jnz	short loc_993BE4

loc_993B74:				; CODE XREF: KsepRegistryEnumValue(x,x,x,x,x)+24j
		mov	ecx, [ebp+var_4]
		push	edi
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_993B8A
		mov	eax, 0C0000017h
		jmp	short loc_993BE3
; 

loc_993B8A:				; CODE XREF: KsepRegistryEnumValue(x,x,x,x,x)+3Aj
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		push	edi
		push	0
		push	esi
		push	ebx
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_993BDA
		mov	eax, [edi+8]
		lea	ecx, [eax+2]
		cmp	ecx, [ebp+arg_0]
		jbe	short loc_993BB3
		mov	ebx, 0C0000023h
		jmp	short loc_993BD5
; 

loc_993BB3:				; CODE XREF: KsepRegistryEnumValue(x,x,x,x,x)+63j
		mov	esi, [ebp+arg_4]
		push	eax		; size_t
		lea	eax, [edi+0Ch]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [edi+8]
		xor	ecx, ecx
		shr	eax, 1
		add	esp, 0Ch
		mov	[esi+eax*2], cx
		mov	ecx, [edi+8]
		add	ecx, 2

loc_993BD5:				; CODE XREF: KsepRegistryEnumValue(x,x,x,x,x)+6Aj
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx

loc_993BDA:				; CODE XREF: KsepRegistryEnumValue(x,x,x,x,x)+58j
		mov	ecx, edi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		mov	eax, ebx

loc_993BE3:				; CODE XREF: KsepRegistryEnumValue(x,x,x,x,x)+41j
		pop	edi

loc_993BE4:				; CODE XREF: KsepRegistryEnumValue(x,x,x,x,x)+2Bj
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_KsepRegistryEnumValue@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KsepRegistryQueryKeyInformation(x, x, x)
_KsepRegistryQueryKeyInformation@12 proc near
					; CODE XREF: KsepDbQueryRegistryDeviceDataList(x,x,x,x)+65p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		mov	[eax], ecx
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	ecx
		push	2
		push	edi
		mov	[ebp+var_4], ecx
		mov	[ebx], ecx
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		cmp	eax, 80000005h
		jz	short loc_993C1E
		cmp	eax, 0C0000023h
		jnz	short loc_993C64

loc_993C1E:				; CODE XREF: KsepRegistryQueryKeyInformation(x,x,x)+2Bj
		mov	ecx, [ebp+var_4]
		push	esi
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_993C34
		mov	eax, 0C0000017h
		jmp	short loc_993C63
; 

loc_993C34:				; CODE XREF: KsepRegistryQueryKeyInformation(x,x,x)+41j
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		push	esi
		push	2
		push	edi
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_993C5A
		mov	ecx, [esi+24h]
		mov	eax, [ebp+arg_0]
		add	ecx, 2
		mov	[ebx], ecx
		mov	ecx, [esi+28h]
		mov	[eax], ecx

loc_993C5A:				; CODE XREF: KsepRegistryQueryKeyInformation(x,x,x)+5Ej
		mov	ecx, esi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)
		mov	eax, edi

loc_993C63:				; CODE XREF: KsepRegistryQueryKeyInformation(x,x,x)+48j
		pop	esi

loc_993C64:				; CODE XREF: KsepRegistryQueryKeyInformation(x,x,x)+32j
		pop	edi
		pop	ebx
		leave
		retn	4
_KsepRegistryQueryKeyInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	KsepRegistryQueryValue(int,void	*,int,int)
_KsepRegistryQueryValue@24 proc	near	; CODE XREF: KsepDbQueryRegistryDeviceData+6B7F7p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		xor	ecx, ecx
		mov	[ebp+var_C], edi
		xor	esi, esi
		mov	[ebp+var_14], ecx
		inc	esi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], ecx
		push	4
		pop	edx
		test	edi, edi
		jnz	short loc_993CDE
		mov	eax, esi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		mov	ebx, 3C9h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	word_6C7022[eax*8], dx
		mov	_KsepHistoryErrors[eax*8], bx
		test	_KsepDebugFlag,	dl
		jz	short loc_993CDE
		push	ecx
		push	ebx
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0BC@LLGAOKNE@KeyHandle?5?$CB?$DN?5NULL@NNGAKEGL@ ;	"KeyHandle != NULL"
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		push	4
		xor	ecx, ecx
		pop	edx

loc_993CDE:				; CODE XREF: KsepRegistryQueryValue(x,x,x,x,x,x)+26j
					; KsepRegistryQueryValue(x,x,x,x,x,x)+5Cj
		cmp	[ebp+arg_4], 0
		jnz	short loc_993D2C
		mov	eax, esi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		mov	word_6C7022[eax*8], dx
		mov	edx, 3CAh
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], dx
		jz	short loc_993D2C
		push	ecx
		push	edx
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0BE@MEPHNDGO@ValueBuffer?5?$CB?$DN?5NULL@NNGAKEGL@	; "ValueBuffer != NULL"
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)

loc_993D2C:				; CODE XREF: KsepRegistryQueryValue(x,x,x,x,x,x)+78j
					; KsepRegistryQueryValue(x,x,x,x,x,x)+AFj
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jnz	short loc_993D7E
		mov	eax, esi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		push	4
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 3CBh
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_993D7E
		push	ebx
		push	ecx
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0BF@GHHEJLCO@ActualLength?5?$CB?$DN?5NULL@NNGAKEGL@ ; "ActualLength != NULL"
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)

loc_993D7E:				; CODE XREF: KsepRegistryQueryValue(x,x,x,x,x,x)+C7j
					; KsepRegistryQueryValue(x,x,x,x,x,x)+101j
		push	[ebp+var_8]
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	0
		push	2
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jz	short loc_993DFC
		test	edi, edi
		js	loc_993E62
		lock xadd _KsepHistoryErrorsIndex, esi
		inc	esi
		and	esi, 3Fh
		test	_KsepDebugFlag,	4
		push	4
		pop	eax
		mov	word_6C7022[esi*8], ax
		mov	eax, 3DDh
		mov	dword_6C7024[esi*8], 0C0000420h
		mov	_KsepHistoryErrors[esi*8], ax
		jz	short loc_993E62
		push	0
		push	eax
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@NNGAKEGL@
		push	offset ??_C@_0BE@EEDFCNFH@?$CBNT_SUCCESS?$CIStatus?$CJ@NNGAKEGL@ ; "!NT_SUCCESS(Status)"
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		jmp	short loc_993E62
; 

loc_993DFC:				; CODE XREF: KsepRegistryQueryValue(x,x,x,x,x,x)+13Cj
		mov	ecx, [ebp+var_4]
		call	_KsepPoolAllocatePaged@4 ; KsepPoolAllocatePaged(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_993E11
		mov	eax, 0C0000017h
		jmp	short loc_993E64
; 

loc_993E11:				; CODE XREF: KsepRegistryQueryValue(x,x,x,x,x,x)+19Ej
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		lea	eax, [ebp+var_14]
		push	esi
		push	2
		push	eax
		push	[ebp+var_C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_993E5B
		mov	ecx, [esi+8]
		cmp	ecx, [ebp+arg_8]
		jbe	short loc_993E3E
		mov	[ebx], ecx
		mov	edi, 0C0000023h
		jmp	short loc_993E5B
; 

loc_993E3E:				; CODE XREF: KsepRegistryQueryValue(x,x,x,x,x,x)+1C9j
		push	ecx		; size_t
		lea	eax, [esi+0Ch]
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	ecx, [esi+4]
		mov	[eax], ecx
		mov	eax, [esi+8]
		mov	[ebx], eax

loc_993E5B:				; CODE XREF: KsepRegistryQueryValue(x,x,x,x,x,x)+1C1j
					; KsepRegistryQueryValue(x,x,x,x,x,x)+1D2j
		mov	ecx, esi
		call	_KsepPoolFreePaged@4 ; KsepPoolFreePaged(x)

loc_993E62:				; CODE XREF: KsepRegistryQueryValue(x,x,x,x,x,x)+140j
					; KsepRegistryQueryValue(x,x,x,x,x,x)+17Cj ...
		mov	eax, edi

loc_993E64:				; CODE XREF: KsepRegistryQueryValue(x,x,x,x,x,x)+1A5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_KsepRegistryQueryValue@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Win7PsGetVersion(x,	x, x, x)
_Win7PsGetVersion@16 proc near		; DATA XREF: .data:006B325Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_4]
		push	0
		push	esi
		push	edi
		push	ebx
		call	PsGetVersion
		mov	byte ptr [ebp+arg_8+3],	al
		test	ebx, ebx
		jz	short loc_993E93
		mov	dword ptr [ebx], 6

loc_993E93:				; CODE XREF: Win7PsGetVersion(x,x,x,x)+20j
		test	edi, edi
		jz	short loc_993E9D
		mov	dword ptr [edi], 1

loc_993E9D:				; CODE XREF: Win7PsGetVersion(x,x,x,x)+2Aj
		test	esi, esi
		jz	short loc_993EA7
		mov	dword ptr [esi], 1DB0h

loc_993EA7:				; CODE XREF: Win7PsGetVersion(x,x,x,x)+34j
		cmp	[ebp+arg_C], 0
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_993EBD
		push	0
		push	[ebp+arg_C]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	al, byte ptr [ebp+arg_8+3]

loc_993EBD:				; CODE XREF: Win7PsGetVersion(x,x,x,x)+43j
		pop	ebp
		retn	10h
_Win7PsGetVersion@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Win7RtlGetVersion(x)
_Win7RtlGetVersion@4 proc near		; DATA XREF: .data:006B324Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi
		call	RtlGetVersion
		test	eax, eax
		js	short loc_993F09
		xor	ecx, ecx
		mov	dword ptr [esi+4], 6
		mov	[esi+14h], cx
		mov	ecx, [esi]
		mov	dword ptr [esi+8], 1
		mov	dword ptr [esi+0Ch], 1DB0h
		cmp	ecx, 11Ch
		jz	short loc_993F01
		cmp	ecx, 124h
		jnz	short loc_993F09

loc_993F01:				; CODE XREF: Win7RtlGetVersion(x)+36j
		xor	ecx, ecx
		mov	[esi+114h], ecx

loc_993F09:				; CODE XREF: Win7RtlGetVersion(x)+11j
					; Win7RtlGetVersion(x)+3Ej
		pop	esi
		pop	ebp
		retn	4
_Win7RtlGetVersion@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Win81PsGetVersion(x, x, x, x)
_Win81PsGetVersion@16 proc near		; DATA XREF: .data:006B322Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_4]
		push	0
		push	esi
		push	edi
		push	ebx
		call	PsGetVersion
		mov	byte ptr [ebp+arg_8+3],	al
		test	ebx, ebx
		jz	short loc_993F36
		mov	dword ptr [ebx], 6

loc_993F36:				; CODE XREF: Win81PsGetVersion(x,x,x,x)+20j
		test	edi, edi
		jz	short loc_993F40
		mov	dword ptr [edi], 3

loc_993F40:				; CODE XREF: Win81PsGetVersion(x,x,x,x)+2Aj
		test	esi, esi
		jz	short loc_993F4A
		mov	dword ptr [esi], 2580h

loc_993F4A:				; CODE XREF: Win81PsGetVersion(x,x,x,x)+34j
		cmp	[ebp+arg_C], 0
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_993F60
		push	0
		push	[ebp+arg_C]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	al, byte ptr [ebp+arg_8+3]

loc_993F60:				; CODE XREF: Win81PsGetVersion(x,x,x,x)+43j
		pop	ebp
		retn	10h
_Win81PsGetVersion@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Win81RtlGetVersion(x)
_Win81RtlGetVersion@4 proc near		; DATA XREF: .data:006B321Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi
		call	RtlGetVersion
		test	eax, eax
		js	short loc_993FAC
		xor	ecx, ecx
		mov	dword ptr [esi+4], 6
		mov	[esi+14h], cx
		mov	ecx, [esi]
		mov	dword ptr [esi+8], 3
		mov	dword ptr [esi+0Ch], 2580h
		cmp	ecx, 11Ch
		jz	short loc_993FA4
		cmp	ecx, 124h
		jnz	short loc_993FAC

loc_993FA4:				; CODE XREF: Win81RtlGetVersion(x)+36j
		xor	ecx, ecx
		mov	[esi+114h], ecx

loc_993FAC:				; CODE XREF: Win81RtlGetVersion(x)+11j
					; Win81RtlGetVersion(x)+3Ej
		pop	esi
		pop	ebp
		retn	4
_Win81RtlGetVersion@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Win8PsGetVersion(x,	x, x, x)
_Win8PsGetVersion@16 proc near		; DATA XREF: .data:006B32A4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_4]
		push	0
		push	esi
		push	edi
		push	ebx
		call	PsGetVersion
		mov	byte ptr [ebp+arg_8+3],	al
		test	ebx, ebx
		jz	short loc_993FD9
		mov	dword ptr [ebx], 6

loc_993FD9:				; CODE XREF: Win8PsGetVersion(x,x,x,x)+20j
		test	edi, edi
		jz	short loc_993FE3
		mov	dword ptr [edi], 2

loc_993FE3:				; CODE XREF: Win8PsGetVersion(x,x,x,x)+2Aj
		test	esi, esi
		jz	short loc_993FED
		mov	dword ptr [esi], 23F0h

loc_993FED:				; CODE XREF: Win8PsGetVersion(x,x,x,x)+34j
		cmp	[ebp+arg_C], 0
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_994003
		push	0
		push	[ebp+arg_C]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	al, byte ptr [ebp+arg_8+3]

loc_994003:				; CODE XREF: Win8PsGetVersion(x,x,x,x)+43j
		pop	ebp
		retn	10h
_Win8PsGetVersion@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Win8RtlGetVersion(x)
_Win8RtlGetVersion@4 proc near		; DATA XREF: .data:006B3294o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi
		call	RtlGetVersion
		test	eax, eax
		js	short loc_99404F
		xor	ecx, ecx
		mov	dword ptr [esi+4], 6
		mov	[esi+14h], cx
		mov	ecx, [esi]
		mov	dword ptr [esi+8], 2
		mov	dword ptr [esi+0Ch], 23F0h
		cmp	ecx, 11Ch
		jz	short loc_994047
		cmp	ecx, 124h
		jnz	short loc_99404F

loc_994047:				; CODE XREF: Win8RtlGetVersion(x)+36j
		xor	ecx, ecx
		mov	[esi+114h], ecx

loc_99404F:				; CODE XREF: Win8RtlGetVersion(x)+11j
					; Win8RtlGetVersion(x)+3Ej
		pop	esi
		pop	ebp
		retn	4
_Win8RtlGetVersion@4 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpDereferencePort(x)
_AlpcpDereferencePort@4	proc near	; CODE XREF: PAGE:0079A6ECp
					; PAGE:0079A707p ...
		jmp	ObfDereferenceObject
_AlpcpDereferencePort@4	endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpDereferenceView(x)
_AlpcpDereferenceView@4	proc near	; CODE XREF: AlpcpLocateSectionView(x,x,x,x)+7Cp
					; AlpcpMapLegacyPortView(x,x,x)+134p ...
		xor	edx, edx
		inc	edx
		jmp	AlpcpDereferenceBlobEx
_AlpcpDereferenceView@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpReferencePortByHandle(x, x, x,	x)
_AlpcpReferencePortByHandle@16 proc near ; CODE	XREF: NtAlpcSetInformation(x,x,x,x)+BEp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_AlpcPortObjectType
		and	[ebp+var_4], 0
		push	esi
		push	0
		lea	esi, [ebp+var_4]
		push	esi
		push	[ebp+arg_0]
		push	eax
		push	edx
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		pop	esi
		mov	[edx], ecx
		leave
		retn	8
_AlpcpReferencePortByHandle@16 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpReleasePushLockExclusive(x)
_AlpcpReleasePushLockExclusive@4 proc near ; CODE XREF:	AlpcAddHandleTableEntry(x,x)+53p
					; AlpcAddHandleTableEntry(x,x)+DAp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9940A6
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9940A6:				; CODE XREF: AlpcpReleasePushLockExclusive(x)+10j
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
_AlpcpReleasePushLockExclusive@4 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpUnlockMessage(x)
_AlpcpUnlockMessage@4 proc near		; CODE XREF: PAGE:0079A6D4p
					; AlpcpReceiveDirectMessagePort(x,x,x,x,x)+71p	...
		cmp	_AlpcpMessageLogEnabled, 0
		push	esi
		mov	esi, ecx
		jz	short loc_9940BF
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_9940BF:				; CODE XREF: AlpcpUnlockMessage(x)+Aj
		mov	ecx, esi
		pop	esi
		jmp	AlpcpUnlockBlob
_AlpcpUnlockMessage@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1353. LpcRequestWaitReplyPort

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LpcRequestWaitReplyPort(x, x, x)
		public _LpcRequestWaitReplyPort@12
_LpcRequestWaitReplyPort@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ecx
		push	0
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	_LpcpRequestWaitReplyPort@24 ; LpcpRequestWaitReplyPort(x,x,x,x,x,x)
		pop	ebp
		retn	0Ch
_LpcRequestWaitReplyPort@12 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1354. LpcRequestWaitReplyPortEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LpcRequestWaitReplyPortEx(x, x, x)
		public _LpcRequestWaitReplyPortEx@12
_LpcRequestWaitReplyPortEx@12 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		mov	edx, [ebp+arg_4]
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_4], al
		push	[ebp+var_4]
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	_LpcpRequestWaitReplyPort@24 ; LpcpRequestWaitReplyPort(x,x,x,x,x,x)
		leave
		retn	0Ch
_LpcRequestWaitReplyPortEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LpcpCopyRequestData(x, x, x, x, x, x, x)
_LpcpCopyRequestData@28	proc near	; CODE XREF: NtReadRequestData(x,x,x,x,x,x)+28p
					; NtWriteRequestData(x,x,x,x,x,x)+28p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	40h
		push	offset dword_6A87A0
		call	__SEH_prolog4
		mov	[ebp+var_28], edx
		mov	[ebp+var_19], cl
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_30], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_2C], al
		test	al, al
		jz	loc_9941D7
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+arg_C]
		test	cl, cl
		jz	short loc_994171
		test	eax, eax
		jz	short loc_99417F
		mov	ecx, [ebp+arg_8]
		add	eax, ecx
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_99416D
		cmp	eax, ecx
		jnb	short loc_99417C

loc_99416D:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+4Fj
		mov	[edx], bl
		jmp	short loc_99417C
; 

loc_994171:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+3Cj
		push	1
		push	eax
		push	[ebp+arg_8]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_99417C:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+53j
					; LpcpCopyRequestData(x,x,x,x,x,x,x)+57j
		mov	edx, [ebp+var_28]

loc_99417F:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+40j
		mov	esi, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_99418D
		mov	esi, eax

loc_99418D:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+71j
		push	6
		pop	ecx
		lea	edi, [ebp+var_50]
		rep movsd
		nop
		mov	edi, [ebp+arg_10]
		test	edi, edi
		jz	short loc_9941AE
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jb	short loc_9941AA
		mov	ecx, eax

loc_9941AA:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+8Ej
		mov	eax, [ecx]
		mov	[ecx], eax

loc_9941AE:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+83j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9941E5
; 

loc_9941B7:				; DATA XREF: .text:006A87B4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_38], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9941C5:				; DATA XREF: .text:006A87B8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_38]
		jmp	loc_994350
; 

loc_9941D7:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+2Ej
		push	6
		pop	ecx
		mov	esi, [ebp+arg_0]
		lea	edi, [ebp+var_50]
		rep movsd
		mov	edi, [ebp+arg_10]

loc_9941E5:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+9Dj
		mov	eax, [ebp+var_4C]
		shr	eax, 10h
		test	ax, ax
		jnz	short loc_9941FA
		mov	eax, 0C000000Dh
		jmp	loc_994350
; 

loc_9941FA:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+D6j
		mov	eax, ds:_AlpcPortObjectType
		mov	[ebp+var_24], ebx
		push	ebx
		lea	ecx, [ebp+var_24]
		push	ecx
		push	[ebp+var_2C]
		push	eax
		push	1
		push	edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_994350
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		push	[ebp+var_3C]
		mov	edx, [ebp+var_40]
		mov	ecx, [ebp+var_24]
		call	AlpcpLookupMessage
		mov	esi, eax
		test	esi, esi
		js	loc_994346
		mov	eax, [ebp+var_20]
		mov	edx, [eax+10h]
		test	edx, edx
		jnz	short loc_99424C
		mov	esi, 0C0000022h
		jmp	loc_99433E
; 

loc_99424C:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+128j
		mov	esi, 0C000000Dh
		mov	ecx, [ebp+var_20]
		movzx	eax, word ptr [ecx+86h]
		and	[ebp+arg_0], 0
		cmp	word ptr [ebp+arg_0], ax
		jz	short loc_9942C3
		cwde
		mov	[ebp+arg_0], eax
		call	_AlpcpAvailableBufferSize@4 ; AlpcpAvailableBufferSize(x)
		movzx	ecx, word ptr [ecx+82h]
		cmp	eax, ecx
		jbe	short loc_99427B
		mov	eax, ecx

loc_99427B:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+15Fj
		mov	ecx, [ebp+arg_0]
		add	ecx, 4
		cmp	ecx, eax
		jnb	loc_99433E
		sub	eax, ecx
		shr	eax, 3
		mov	ecx, [ebp+arg_4]
		cmp	ecx, eax
		jnb	loc_99433E
		mov	eax, [ebp+var_20]
		add	eax, [ebp+arg_0]
		cmp	[eax+80h], ecx
		mov	edi, [ebp+arg_10]
		jbe	short loc_9942C3
		mov	ebx, [eax+ecx*8+84h]
		mov	eax, [eax+ecx*8+88h]
		mov	ecx, [ebp+arg_C]
		cmp	eax, ecx
		sbb	eax, eax
		and	esi, eax
		jmp	short loc_9942C6
; 

loc_9942C3:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+14Bj
					; LpcpCopyRequestData(x,x,x,x,x,x,x)+190j
		mov	ecx, [ebp+arg_C]

loc_9942C6:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+1A9j
		test	esi, esi
		js	short loc_99433E
		mov	eax, large fs:124h
		lea	esi, [ebp+var_30]
		mov	eax, [eax+80h]
		push	esi
		push	[ebp+var_2C]
		push	ecx
		cmp	[ebp+var_19], 0
		jz	short loc_9942FB
		push	ebx
		push	dword ptr [edx+150h]
		push	[ebp+arg_8]
		push	eax
		call	MmCopyVirtualMemory
		mov	esi, eax
		mov	[ebp+arg_C], esi
		jmp	short loc_994310
; 

loc_9942FB:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+1CAj
		push	[ebp+arg_8]
		push	eax
		push	ebx
		push	dword ptr [edx+150h]
		call	MmCopyVirtualMemory
		mov	esi, eax
		mov	[ebp+arg_C], eax

loc_994310:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+1E1j
		test	esi, esi
		js	short loc_99433E
		test	edi, edi
		jz	short loc_99433E
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_30]
		mov	[edi], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_99433E
; 

loc_99432D:				; DATA XREF: .text:006A87C0o
		xor	eax, eax
		inc	eax
		retn
; 

loc_994331:				; DATA XREF: .text:006A87C4o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+arg_C]

loc_99433E:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+12Fj
					; LpcpCopyRequestData(x,x,x,x,x,x,x)+16Bj ...
		mov	ecx, [ebp+var_20]
		call	_AlpcpUnlockMessage@4 ;	AlpcpUnlockMessage(x)

loc_994346:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+11Aj
		mov	ecx, [ebp+var_24]
		call	_AlpcpDereferencePort@4	; AlpcpDereferencePort(x)
		mov	eax, esi

loc_994350:				; CODE XREF: LpcpCopyRequestData(x,x,x,x,x,x,x)+BAj
					; LpcpCopyRequestData(x,x,x,x,x,x,x)+DDj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_LpcpCopyRequestData@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LpcpRequestWaitReplyPort(x,	x, x, x, x, x)
_LpcpRequestWaitReplyPort@24 proc near	; CODE XREF: LpcRequestWaitReplyPort(x,x,x)+12p
					; LpcRequestWaitReplyPortEx(x,x,x)+23p

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_8		= byte ptr  10h

		push	8
		push	offset dword_6A8760
		call	__SEH_prolog4
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_0]
		push	eax
		push	edx
		xor	edx, edx
		cmp	[ebp+arg_8], 1
		setz	dl
		dec	edx
		and	edx, 0FFF00000h
		add	edx, 120002h
		call	_AlpcpProcessSynchronousRequest@36 ; AlpcpProcessSynchronousRequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	esi, 0C0000703h
		jnz	short loc_9943BD
		mov	esi, 0C0000037h

loc_9943BD:				; CODE XREF: LpcpRequestWaitReplyPort(x,x,x,x,x,x)+54j
		cmp	esi, 0C0000701h
		jnz	short loc_9943CA
		mov	esi, 0C0000253h

loc_9943CA:				; CODE XREF: LpcpRequestWaitReplyPort(x,x,x,x,x,x)+61j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_LpcpRequestWaitReplyPort@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtImpersonateClientOfPort(x, x)
_NtImpersonateClientOfPort@8 proc near	; DATA XREF: .text:00580FE8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	NtAlpcImpersonateClientOfPort
		cmp	eax, 0C0000702h
		jnz	short loc_9943FC
		mov	eax, 0C000021Fh

loc_9943FC:				; CODE XREF: NtImpersonateClientOfPort(x,x)+17j
		pop	ebp
		retn	8
_NtImpersonateClientOfPort@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryInformationPort(x, x, x, x, x)
_NtQueryInformationPort@20 proc	near	; DATA XREF: .text:00580E6Co

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	18h
		push	offset dword_6A87C8
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jz	short loc_99444D
		and	[ebp+ms_exc.disabled], 0
		push	4
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_994446
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_994442
		mov	ecx, eax

loc_994442:				; CODE XREF: NtQueryInformationPort(x,x,x,x,x)+3Ej
		mov	eax, [ecx]
		mov	[ecx], eax

loc_994446:				; CODE XREF: NtQueryInformationPort(x,x,x,x,x)+35j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_99444D:				; CODE XREF: NtQueryInformationPort(x,x,x,x,x)+1Dj
		cmp	[ebp+arg_0], 0
		jz	short loc_9944CE
		mov	eax, ds:_AlpcPortObjectType
		and	[ebp+var_1C], 0
		push	0
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	20000h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9944D3
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_9944C4
		mov	[ebp+ms_exc.disabled], 1
		and	dword ptr [ecx], 0
		jmp	short loc_9944BD
; 

loc_99448C:				; DATA XREF: .text:006A87DCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_99449A:				; DATA XREF: .text:006A87E0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_20]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9944D3
; 

loc_9944A9:				; DATA XREF: .text:006A87E8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9944B7:				; DATA XREF: .text:006A87ECo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_28]

loc_9944BD:				; CODE XREF: NtQueryInformationPort(x,x,x,x,x)+8Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9944C4:				; CODE XREF: NtQueryInformationPort(x,x,x,x,x)+7Ej
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject
		jmp	short loc_9944D3
; 

loc_9944CE:				; CODE XREF: NtQueryInformationPort(x,x,x,x,x)+51j
		mov	esi, 0C0000003h

loc_9944D3:				; CODE XREF: NtQueryInformationPort(x,x,x,x,x)+77j
					; NtQueryInformationPort(x,x,x,x,x)+A7j ...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_NtQueryInformationPort@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtReadRequestData(x, x, x, x, x, x)
_NtReadRequestData@24 proc near		; DATA XREF: .text:00580DB0o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_0]
		xor	cl, cl
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_LpcpCopyRequestData@28	; LpcpCopyRequestData(x,x,x,x,x,x,x)
		mov	ecx, large fs:124h
		mov	esi, eax
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	18h
_NtReadRequestData@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtReplyWaitReplyPort(x, x)
_NtReplyWaitReplyPort@8	proc near	; DATA XREF: .text:00580D5Co

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	14h
		push	offset dword_6A8780
		call	__SEH_prolog4
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_20], bl
		mov	eax, ds:_AlpcPortObjectType
		and	[ebp+var_1C], 0
		push	0
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_20]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_994618
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+0F4h]
		and	al, 6
		cmp	al, 2
		jnz	short loc_994592
		mov	esi, 0C000000Dh
		jmp	loc_994618
; 

loc_994592:				; CODE XREF: NtReplyWaitReplyPort(x,x)+5Dj
		xor	edx, edx
		test	bl, bl
		jz	short loc_9945E3
		mov	[ebp+ms_exc.disabled], edx
		mov	ecx, [ebp+arg_4]
		test	cl, 3
		jz	short loc_9945A8
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9945A8:				; CODE XREF: NtReplyWaitReplyPort(x,x)+78j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9945B3
		mov	[eax], dl

loc_9945B3:				; CODE XREF: NtReplyWaitReplyPort(x,x)+86j
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+14h]
		mov	[ecx+14h], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9945E6
; 

loc_9945C6:				; DATA XREF: .text:006A8794o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9945D4:				; DATA XREF: .text:006A8798o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_24]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_994618
; 

loc_9945E3:				; CODE XREF: NtReplyWaitReplyPort(x,x)+6Dj
		mov	ecx, [ebp+arg_4]

loc_9945E6:				; CODE XREF: NtReplyWaitReplyPort(x,x)+9Bj
		push	[ebp+var_20]
		push	edx
		push	edx
		push	edx
		push	ecx
		push	edx
		push	ecx
		mov	edx, 20001h
		mov	ecx, [ebp+var_1C]
		call	_AlpcpProcessSynchronousRequest@36 ; AlpcpProcessSynchronousRequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000703h
		jnz	short loc_99460B
		mov	esi, 0C0000037h

loc_99460B:				; CODE XREF: NtReplyWaitReplyPort(x,x)+DBj
		cmp	esi, 0C0000701h
		jnz	short loc_994618
		mov	esi, 0C0000253h

loc_994618:				; CODE XREF: NtReplyWaitReplyPort(x,x)+4Aj
					; NtReplyWaitReplyPort(x,x)+64j ...
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jz	short loc_994624
		call	ObfDereferenceObject

loc_994624:				; CODE XREF: NtReplyWaitReplyPort(x,x)+F4j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtReplyWaitReplyPort@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtWriteRequestData(x, x, x,	x, x, x)
_NtWriteRequestData@24 proc near	; DATA XREF: .text:00580B98o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_0]
		mov	cl, 1
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_LpcpCopyRequestData@28	; LpcpCopyRequestData(x,x,x,x,x,x,x)
		mov	ecx, large fs:124h
		mov	esi, eax
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	18h
_NtWriteRequestData@24 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 174. AlpcCreateSecurityContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcCreateSecurityContext(x, x, x, x)
		public _AlpcCreateSecurityContext@16
_AlpcCreateSecurityContext@16 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		xor	edx, edx
		push	edi
		mov	[ebp+var_8], edx
		dec	word ptr [eax+13Ch]
		nop
		cmp	[ebp+arg_8], edx
		jz	short loc_9946B2
		mov	edi, 0C000000Dh
		jmp	short loc_99471F
; 

loc_9946B2:				; CODE XREF: AlpcCreateSecurityContext(x,x,x,x)+1Ej
		mov	eax, ds:_AlpcPortObjectType
		lea	ecx, [ebp+var_4]
		push	edx
		push	ecx
		push	edx
		push	eax
		push	1
		push	[ebp+arg_0]
		mov	[ebp+var_4], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_99471F
		push	ebx
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jz	short loc_9946E5
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_9946E5
		mov	ecx, [ebp+var_4]
		jmp	short loc_9946EE
; 

loc_9946E5:				; CODE XREF: AlpcCreateSecurityContext(x,x,x,x)+4Cj
					; AlpcCreateSecurityContext(x,x,x,x)+53j
		mov	ecx, [ebp+var_4]
		lea	eax, [ecx+9Ch]

loc_9946EE:				; CODE XREF: AlpcCreateSecurityContext(x,x,x,x)+58j
		lea	edx, [ebp+var_8]
		push	edx
		mov	edx, [ebp+arg_4]
		push	eax
		push	1
		call	AlpcpCreateSecurityContext
		mov	edi, eax
		test	edi, edi
		js	short loc_994716
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		push	esi
		inc	edx
		mov	esi, [ecx+4]
		mov	[ebx+8], esi
		call	AlpcpDereferenceBlobEx
		pop	esi

loc_994716:				; CODE XREF: AlpcCreateSecurityContext(x,x,x,x)+76j
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject
		pop	ebx

loc_99471F:				; CODE XREF: AlpcCreateSecurityContext(x,x,x,x)+25j
					; AlpcCreateSecurityContext(x,x,x,x)+44j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		leave
		retn	10h
_AlpcCreateSecurityContext@16 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpLockPortShared(x)
_AlpcpLockPortShared@4 proc near	; CODE XREF: NtAlpcSetInformation(x,x,x,x)+1F9p
					; AlpcpPortQueryServerInfo(x,x,x,x,x)+191p
		add	ecx, 0D0h
		xor	edx, edx
		jmp	ExAcquirePushLockSharedEx
_AlpcpLockPortShared@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpQueryTokenModifiedIdMessage(x,	x, x, x, x)
_AlpcpQueryTokenModifiedIdMessage@20 proc near
					; CODE XREF: NtAlpcQueryInformationMessage+144BCFp

var_88		= dword	ptr -88h
var_7C		= dword	ptr -7Ch
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	78h
		push	offset dword_6A87F0
		call	__SEH_prolog4
		mov	esi, edx
		mov	ebx, ecx
		push	3Ch		; size_t
		push	0		; int
		lea	eax, [ebp+var_88]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_19], 0
		and	[ebp+var_20], 0
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		rep stosd
		push	8
		pop	edi
		cmp	[ebp+arg_4], edi
		jnb	short loc_994783
		mov	esi, 0C0000023h
		jmp	short loc_9947BA
; 

loc_994783:				; CODE XREF: AlpcpQueryTokenModifiedIdMessage(x,x,x,x,x)+3Bj
		lea	eax, [ebp+var_19]
		push	eax
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	AlpcpGetEffectiveTokenMessage
		mov	esi, eax
		test	esi, esi
		js	short loc_9947F8
		lea	edx, [ebp+var_4C]
		mov	ecx, [ebp+var_20]
		call	_SeGetTokenControlInformation@8	; SeGetTokenControlInformation(x,x)
		cmp	[ebp+var_19], 0
		jz	short loc_9947BA
		mov	ecx, [ebp+var_7C]
		call	ObfDereferenceObject

loc_9947BA:				; CODE XREF: AlpcpQueryTokenModifiedIdMessage(x,x,x,x,x)+42j
					; AlpcpQueryTokenModifiedIdMessage(x,x,x,x,x)+71j
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_9947C7
		mov	[eax], edi

loc_9947C7:				; CODE XREF: AlpcpQueryTokenModifiedIdMessage(x,x,x,x,x)+84j
		test	esi, esi
		js	short loc_9947EF
		mov	eax, [ebp+var_3C]
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [ebp+var_38]
		mov	[ecx+4], eax
		jmp	short loc_9947EF
; 

loc_9947DB:				; DATA XREF: .text:006A8804o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9947E9:				; DATA XREF: .text:006A8808o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_24]

loc_9947EF:				; CODE XREF: AlpcpQueryTokenModifiedIdMessage(x,x,x,x,x)+8Aj
					; AlpcpQueryTokenModifiedIdMessage(x,x,x,x,x)+9Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi

loc_9947F8:				; CODE XREF: AlpcpQueryTokenModifiedIdMessage(x,x,x,x,x)+60j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_AlpcpQueryTokenModifiedIdMessage@20 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpUnlockPortShared(x)
_AlpcpUnlockPortShared@4 proc near	; CODE XREF: NtAlpcSetInformation(x,x,x,x)+21Ep
					; AlpcpReceiveMessagePort(x,x,x,x,x)+14Dp ...
		mov	edi, edi
		push	esi
		push	11h
		lea	esi, [ecx+0D0h]
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_994828
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_994828:				; CODE XREF: AlpcpUnlockPortShared(x)+15j
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
_AlpcpUnlockPortShared@4 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpUnlockCommunicationInfoExclusive(x)
_AlpcpUnlockCommunicationInfoExclusive@4 proc near ; CODE XREF:	AlpcpDeletePort(x)+5Fp
					; AlpcpImpersonateMessage+14Ap	...
		mov	edi, edi
		push	esi
		lea	esi, [ecx-4]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_99484A
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_99484A:				; CODE XREF: AlpcpUnlockCommunicationInfoExclusive(x)+11j
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
_AlpcpUnlockCommunicationInfoExclusive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAlpcImpersonateClientContainerOfPort(x, x, x)
_NtAlpcImpersonateClientContainerOfPort@12 proc	near ; DATA XREF: .text:00581214o

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	2Ch
		push	offset dword_6A8810
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], esi
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	[ebp+var_30], esi
		cmp	[ebp+arg_8], esi
		jz	short loc_994892
		mov	edi, 0C000000Dh
		jmp	loc_994A54
; 

loc_994892:				; CODE XREF: NtAlpcImpersonateClientContainerOfPort(x,x,x)+34j
		mov	[ebp+ms_exc.disabled], esi
		lea	eax, [ebp+var_24]
		push	eax
		lea	edx, [ebp+var_28]
		mov	ecx, [ebp+arg_4]
		call	_AlpcpCaptureIdMessage@12 ; AlpcpCaptureIdMessage(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_8], al
		mov	eax, ds:_AlpcPortObjectType
		mov	[ebp+var_20], esi
		push	esi
		lea	ecx, [ebp+var_20]
		push	ecx
		push	[ebp+arg_8]
		push	eax
		push	20000h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_20]
		mov	[ebp+var_30], eax
		test	edi, edi
		js	loc_994A54
		mov	eax, [eax+0F4h]
		and	eax, 6
		cmp	al, 6
		jnz	loc_994A32
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [ebp+var_20]
		cmp	eax, [ecx+0Ch]
		jnz	loc_994A32
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		push	[ebp+var_24]
		mov	edx, [ebp+var_28]
		call	AlpcpLookupMessage
		mov	edi, eax
		mov	[ebp+arg_4], edi
		test	edi, edi
		js	loc_994A54
		mov	ecx, [ebp+var_1C]
		test	byte ptr [ecx+14h], 80h
		jz	short loc_994957
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_994945
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_994945:				; CODE XREF: NtAlpcImpersonateClientContainerOfPort(x,x,x)+ECj
		mov	ecx, [ebp+var_1C]
		call	AlpcpUnlockBlob
		mov	edi, 0C0000703h
		jmp	loc_994A54
; 

loc_994957:				; CODE XREF: NtAlpcImpersonateClientContainerOfPort(x,x,x)+E3j
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+10h]
		mov	[ebp+arg_8], eax
		test	eax, eax
		jz	loc_994A17
		lea	edx, [ebp+var_2C]
		mov	ecx, eax
		call	_PsGetWorkOnBehalfThread@8 ; PsGetWorkOnBehalfThread(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_99498D
		mov	ecx, ebx
		call	PsImpersonateContainerOfThread
		cmp	[ebp+var_2C], 0
		jz	short loc_9949B4
		push	ebx
		call	_ObDereferenceObjectDeferDelete@4 ; ObDereferenceObjectDeferDelete(x)
		jmp	short loc_9949B4
; 

loc_99498D:				; CODE XREF: NtAlpcImpersonateClientContainerOfPort(x,x,x)+124j
		push	[ebp+arg_8]
		call	_IoThreadToProcess@4 ; IoThreadToProcess(x)
		cmp	[eax+430h], esi
		jnz	short loc_9949AA
		call	_PoEnergyEstimationEnabled@0 ; PoEnergyEstimationEnabled()
		test	al, al
		jnz	short loc_9949AA
		mov	ebx, esi
		jmp	short loc_9949B4
; 

loc_9949AA:				; CODE XREF: NtAlpcImpersonateClientContainerOfPort(x,x,x)+149j
					; NtAlpcImpersonateClientContainerOfPort(x,x,x)+152j
		mov	ebx, [ebp+arg_8]
		mov	ecx, ebx
		call	PsImpersonateContainerOfThread

loc_9949B4:				; CODE XREF: NtAlpcImpersonateClientContainerOfPort(x,x,x)+131j
					; NtAlpcImpersonateClientContainerOfPort(x,x,x)+139j ...
		test	ebx, ebx
		jz	short loc_994A17
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jnz	short loc_9949D6
		cmp	byte ptr [eax+16Ah], 1
		jz	short loc_9949D6
		mov	esi, [eax+0A8h]

loc_9949D6:				; CODE XREF: NtAlpcImpersonateClientContainerOfPort(x,x,x)+173j
					; NtAlpcImpersonateClientContainerOfPort(x,x,x)+17Cj
		test	esi, esi
		jz	short loc_994A17
		lea	edx, [ebp+var_3C]
		mov	ecx, ebx
		call	_PsEncodeThreadWorkOnBehalfTicket@8 ; PsEncodeThreadWorkOnBehalfTicket(x,x)
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_3C]
		mov	[esi+19Ch], eax
		mov	eax, [ebp+var_38]
		mov	[esi+1A0h], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_994A17
; 

loc_994A06:				; DATA XREF: .text:006A8830o
		xor	eax, eax
		inc	eax
		retn
; 

loc_994A0A:				; DATA XREF: .text:006A8834o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+arg_4]

loc_994A17:				; CODE XREF: NtAlpcImpersonateClientContainerOfPort(x,x,x)+110j
					; NtAlpcImpersonateClientContainerOfPort(x,x,x)+164j ...
		cmp	_AlpcpMessageLogEnabled, 0
		jz	short loc_994A28
		mov	ecx, [ebp+var_1C]
		call	_AlpcpEnterStateChangeEventMessageLog@4	; AlpcpEnterStateChangeEventMessageLog(x)

loc_994A28:				; CODE XREF: NtAlpcImpersonateClientContainerOfPort(x,x,x)+1CCj
		mov	ecx, [ebp+var_1C]
		call	AlpcpUnlockBlob
		jmp	short loc_994A54
; 

loc_994A32:				; CODE XREF: NtAlpcImpersonateClientContainerOfPort(x,x,x)+A1j
					; NtAlpcImpersonateClientContainerOfPort(x,x,x)+B9j
		mov	edi, 0C0000022h
		jmp	short loc_994A54
; 

loc_994A39:				; DATA XREF: .text:006A8824o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_994A47:				; DATA XREF: .text:006A8828o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_34]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_994A54:				; CODE XREF: NtAlpcImpersonateClientContainerOfPort(x,x,x)+3Bj
					; NtAlpcImpersonateClientContainerOfPort(x,x,x)+90j ...
		mov	ecx, [ebp+var_30]
		test	ecx, ecx
		jz	short loc_994A60
		call	ObfDereferenceObject

loc_994A60:				; CODE XREF: NtAlpcImpersonateClientContainerOfPort(x,x,x)+207j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_NtAlpcImpersonateClientContainerOfPort@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAlpcRevokeSecurityContext(x, x, x)
_NtAlpcRevokeSecurityContext@12	proc near ; DATA XREF: .text:005811FCo

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		cmp	[ebp+arg_4], 0
		jz	short loc_994AA5
		mov	esi, 0C000000Dh
		jmp	loc_994B5F
; 

loc_994AA5:				; CODE XREF: NtAlpcRevokeSecurityContext(x,x,x)+19j
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	0
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4], al
		push	[ebp+arg_4]
		mov	eax, ds:_AlpcPortObjectType
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_994B5F
		mov	edx, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+var_4]
		push	edi
		push	offset _AlpcSecurityType
		mov	ecx, [ebx+8]
		add	ecx, 14h
		call	AlpcReferenceBlobByHandle
		mov	edi, eax
		test	edi, edi
		jnz	short loc_994B00
		mov	esi, 0C0000008h
		jmp	short loc_994B56
; 

loc_994B00:				; CODE XREF: NtAlpcRevokeSecurityContext(x,x,x)+77j
		cmp	ebx, [edi+0Ch]
		jz	short loc_994B0C
		mov	esi, 0C0000022h
		jmp	short loc_994B4C
; 

loc_994B0C:				; CODE XREF: NtAlpcRevokeSecurityContext(x,x,x)+83j
		lea	ebx, [edi-4]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+4Ch]
		test	al, 2
		jz	short loc_994B26
		mov	esi, 0C0000001h
		jmp	short loc_994B2E
; 

loc_994B26:				; CODE XREF: NtAlpcRevokeSecurityContext(x,x,x)+9Dj
		or	eax, 1
		xor	esi, esi
		mov	[edi+4Ch], eax

loc_994B2E:				; CODE XREF: NtAlpcRevokeSecurityContext(x,x,x)+A4j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_994B42
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_994B42:				; CODE XREF: NtAlpcRevokeSecurityContext(x,x,x)+B9j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ebx, [ebp+var_4]

loc_994B4C:				; CODE XREF: NtAlpcRevokeSecurityContext(x,x,x)+8Aj
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	AlpcpDereferenceBlobEx

loc_994B56:				; CODE XREF: NtAlpcRevokeSecurityContext(x,x,x)+7Ej
		mov	ecx, ebx
		call	ObfDereferenceObject
		pop	edi
		pop	ebx

loc_994B5F:				; CODE XREF: NtAlpcRevokeSecurityContext(x,x,x)+20j
					; NtAlpcRevokeSecurityContext(x,x,x)+55j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		pop	esi
		leave
		retn	0Ch
_NtAlpcRevokeSecurityContext@12	endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpAllocateMessageLog()
_AlpcpAllocateMessageLog@0 proc	near	; CODE XREF: AlpcpEnterAllocationEventMessageLog(x)+14p
		mov	eax, _AlpcpFreeMessageLogListHead
		mov	edx, offset _AlpcpFreeMessageLogListHead
		cmp	eax, edx
		jz	short loc_994B9E
		cmp	[eax+4], edx
		jnz	loc_994C18
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_994C18
		mov	_AlpcpFreeMessageLogListHead, ecx
		mov	[ecx+4], edx
		retn
; 

loc_994B9E:				; CODE XREF: AlpcpAllocateMessageLog()+Cj
		mov	eax, _AlpcpMessageLogListHead
		mov	edx, offset _AlpcpMessageLogListHead
		cmp	eax, edx
		jz	short loc_994C1D
		cmp	[eax+4], edx
		jnz	short loc_994C18
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_994C18
		mov	_AlpcpMessageLogListHead, ecx
		mov	[ecx+4], edx
		lea	ecx, [eax+8]
		and	dword ptr [eax+18h], 0
		push	esi
		mov	esi, [ecx]
		cmp	[esi+4], ecx
		jnz	short loc_994C18
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_994C18
		mov	[edx], esi
		push	edi
		mov	[esi+4], edx
		mov	edi, offset _AlpcpFreeMessageSnapshotListHead
		lea	edx, [eax+1Ch]

loc_994BE5:				; CODE XREF: AlpcpAllocateMessageLog()+A1j
		mov	ecx, [edx]
		cmp	ecx, edx
		jz	short loc_994C15
		cmp	[ecx+4], edx
		jnz	short loc_994C18
		mov	esi, [ecx]
		cmp	[esi+4], ecx
		jnz	short loc_994C18
		mov	[edx], esi
		mov	[esi+4], edx
		mov	esi, dword_6C6F44
		cmp	[esi], edi
		jnz	short loc_994C18
		mov	[ecx], edi
		mov	[ecx+4], esi
		mov	[esi], ecx
		mov	dword_6C6F44, ecx
		jmp	short loc_994BE5
; 

loc_994C15:				; CODE XREF: AlpcpAllocateMessageLog()+77j
		pop	edi
		pop	esi
		retn
; 

loc_994C18:				; CODE XREF: AlpcpAllocateMessageLog()+11j
					; AlpcpAllocateMessageLog()+1Cj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_994C1D:				; CODE XREF: AlpcpAllocateMessageLog()+38j
		xor	eax, eax
		retn
_AlpcpAllocateMessageLog@0 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpAllocateSnapshotMessageLog()
_AlpcpAllocateSnapshotMessageLog@0 proc	near
					; CODE XREF: AlpcpEnterStateChangeEventMessageLog(x):loc_994E5Fp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, offset _AlpcpFreeMessageSnapshotListHead
		mov	ebx, offset _AlpcpMessageLogListHead

loc_994C2F:				; CODE XREF: AlpcpAllocateSnapshotMessageLog()+B1j
		mov	eax, _AlpcpFreeMessageSnapshotListHead
		cmp	eax, edi
		jnz	loc_994CDC
		mov	eax, _AlpcpMessageLogListHead
		cmp	eax, ebx
		jz	loc_994CD6
		cmp	[eax+4], ebx
		jnz	loc_994CF3
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_994CF3
		mov	_AlpcpMessageLogListHead, ecx
		mov	[ecx+4], ebx
		lea	ecx, [eax+8]
		and	dword ptr [eax+18h], 0
		mov	esi, [ecx]
		cmp	[esi+4], ecx
		jnz	short loc_994CF3
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_994CF3
		mov	[edx], esi
		mov	[esi+4], edx
		lea	edx, [eax+1Ch]

loc_994C83:				; CODE XREF: AlpcpAllocateSnapshotMessageLog()+91j
		mov	ecx, [edx]
		cmp	ecx, edx
		jz	short loc_994CB3
		cmp	[ecx+4], edx
		jnz	short loc_994CF3
		mov	esi, [ecx]
		cmp	[esi+4], ecx
		jnz	short loc_994CF3
		mov	[edx], esi
		mov	[esi+4], edx
		mov	esi, dword_6C6F44
		cmp	[esi], edi
		jnz	short loc_994CF3
		mov	[ecx], edi
		mov	[ecx+4], esi
		mov	[esi], ecx
		mov	dword_6C6F44, ecx
		jmp	short loc_994C83
; 

loc_994CB3:				; CODE XREF: AlpcpAllocateSnapshotMessageLog()+67j
		mov	ecx, dword_6C6F4C
		cmp	dword ptr [ecx], offset	_AlpcpFreeMessageLogListHead
		jnz	short loc_994CF3
		mov	dword ptr [eax], offset	_AlpcpFreeMessageLogListHead
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6C6F4C, eax
		jmp	loc_994C2F
; 

loc_994CD6:				; CODE XREF: AlpcpAllocateSnapshotMessageLog()+23j
		xor	eax, eax

loc_994CD8:				; CODE XREF: AlpcpAllocateSnapshotMessageLog()+D1j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_994CDC:				; CODE XREF: AlpcpAllocateSnapshotMessageLog()+16j
		cmp	[eax+4], edi
		jnz	short loc_994CF3
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_994CF3
		mov	_AlpcpFreeMessageSnapshotListHead, ecx
		mov	[ecx+4], edi
		jmp	short loc_994CD8
; 

loc_994CF3:				; CODE XREF: AlpcpAllocateSnapshotMessageLog()+2Cj
					; AlpcpAllocateSnapshotMessageLog()+37j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_AlpcpAllocateSnapshotMessageLog@0 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall AlpcpEnterAllocationEventMessageLog(x)
_AlpcpEnterAllocationEventMessageLog@4 proc near
					; CODE XREF: AlpcpAllocateMessage(x,x,x)+94p
					; AlpcpSendLegacySynchronousRequest(x,x,x,x)+138p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _AlpcpMessageLogLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		call	_AlpcpAllocateMessageLog@0 ; AlpcpAllocateMessageLog()
		test	eax, eax
		jz	short loc_994D6B
		mov	[eax+10h], esi
		mov	edx, offset _AlpcpMessageLogListHead
		mov	ecx, [esi+90h]
		mov	[eax+14h], ecx
		mov	dword ptr [eax+18h], 1
		mov	ecx, dword_6C6F54
		cmp	[ecx], edx
		jnz	short loc_994D88
		mov	[eax+4], ecx
		mov	[eax], edx
		lea	edx, [eax+8]
		mov	[ecx], eax
		mov	dword_6C6F54, eax
		mov	ecx, [eax+14h]
		mov	eax, _AlpcpMessageLogLookupTable
		shr	ecx, 2
		and	ecx, 3FFh
		lea	eax, [eax+ecx*8]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_994D88
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[eax+4], edx

loc_994D6B:				; CODE XREF: AlpcpEnterAllocationEventMessageLog(x)+1Bj
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_994D7F
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_994D7F:				; CODE XREF: AlpcpEnterAllocationEventMessageLog(x)+7Ej
		mov	ecx, edi
		pop	edi
		pop	esi
		jmp	KeAbPostRelease
; 

loc_994D88:				; CODE XREF: AlpcpEnterAllocationEventMessageLog(x)+3Dj
					; AlpcpEnterAllocationEventMessageLog(x)+67j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_AlpcpEnterAllocationEventMessageLog@4 endp ; AL = character to	display


;  S U B	R O U T	I N E 


; __stdcall AlpcpEnterFreeEventMessageLog(x)
_AlpcpEnterFreeEventMessageLog@4 proc near ; CODE XREF:	PAGE:0082FD20p
					; AlpcMessageDestroyProcedure+F1138p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, offset _AlpcpMessageLogLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi+90h]
		call	_AlpcpLocateMessageLog@4 ; AlpcpLocateMessageLog(x)
		test	eax, eax
		jz	short loc_994DB8
		and	dword ptr [eax+18h], 0
		and	dword ptr [eax+10h], 0

loc_994DB8:				; CODE XREF: AlpcpEnterFreeEventMessageLog(x)+21j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_994DCC
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_994DCC:				; CODE XREF: AlpcpEnterFreeEventMessageLog(x)+36j
		mov	ecx, edi
		pop	edi
		pop	esi
		jmp	KeAbPostRelease
_AlpcpEnterFreeEventMessageLog@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpEnterStateChangeEventMessageLog(x)
_AlpcpEnterStateChangeEventMessageLog@4	proc near ; CODE XREF: AlpcpDisconnectPort+2D0p
					; AlpcpSendCloseMessage(x)+10Cp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		mov	ecx, offset _AlpcpMessageLogLock
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi+90h]
		call	_AlpcpLocateMessageLog@4 ; AlpcpLocateMessageLog(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_994EDF
		push	ebx
		lea	ebx, [edi+1Ch]
		cmp	[ebx], ebx
		jz	short loc_994E5F
		mov	ecx, [edi+20h]
		test	ecx, ecx
		jz	short loc_994E5F
		mov	eax, [ecx+8]
		cmp	eax, [esi+14h]
		jnz	short loc_994E5F
		mov	eax, [ecx+10h]
		cmp	eax, [esi+0Ch]
		jnz	short loc_994E5F
		mov	eax, [ecx+14h]
		cmp	eax, [esi+8]
		jnz	short loc_994E5F
		mov	eax, [ecx+1Ch]
		cmp	eax, [esi+10h]
		jnz	short loc_994E5F
		mov	eax, [ecx+18h]
		cmp	eax, [esi+24h]
		jnz	short loc_994E5F
		mov	eax, [ecx+20h]
		cmp	eax, [esi+38h]
		jnz	short loc_994E5F
		mov	eax, [ecx+24h]
		cmp	eax, [esi+3Ch]
		jnz	short loc_994E5F
		push	18h		; size_t
		lea	eax, [esi+80h]
		push	eax		; void *
		lea	eax, [ecx+30h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_994EDE

loc_994E5F:				; CODE XREF: AlpcpEnterStateChangeEventMessageLog(x)+30j
					; AlpcpEnterStateChangeEventMessageLog(x)+37j ...
		call	_AlpcpAllocateSnapshotMessageLog@0 ; AlpcpAllocateSnapshotMessageLog()
		cmp	dword ptr [edi+18h], 0
		mov	edx, eax
		jnz	short loc_994E89
		mov	eax, dword_6C6F44
		mov	ecx, offset _AlpcpFreeMessageSnapshotListHead
		cmp	[eax], ecx
		jnz	short loc_994ECF
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	[eax], edx
		mov	dword_6C6F44, edx
		jmp	short loc_994EDE
; 

loc_994E89:				; CODE XREF: AlpcpEnterStateChangeEventMessageLog(x)+95j
		mov	eax, [esi+14h]
		lea	edi, [edx+30h]
		mov	[edx+8], eax
		mov	eax, [esi+0Ch]
		mov	[edx+10h], eax
		mov	eax, [esi+8]
		mov	[edx+14h], eax
		mov	eax, [esi+24h]
		mov	[edx+18h], eax
		mov	eax, [esi+10h]
		mov	[edx+1Ch], eax
		mov	eax, [esi+38h]
		mov	[edx+20h], eax
		mov	eax, [esi+3Ch]
		sub	esi, 0FFFFFF80h
		mov	[edx+24h], eax
		mov	eax, [ebp+4]
		and	dword ptr [edx+0Ch], 0
		push	6
		mov	[edx+28h], eax
		pop	ecx
		rep movsd
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jz	short loc_994ED4

loc_994ECF:				; CODE XREF: AlpcpEnterStateChangeEventMessageLog(x)+A3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_994ED4:				; CODE XREF: AlpcpEnterStateChangeEventMessageLog(x)+F8j
		mov	[edx], ebx
		mov	[edx+4], eax
		mov	[eax], edx
		mov	[ebx+4], edx

loc_994EDE:				; CODE XREF: AlpcpEnterStateChangeEventMessageLog(x)+88j
					; AlpcpEnterStateChangeEventMessageLog(x)+B2j
		pop	ebx

loc_994EDF:				; CODE XREF: AlpcpEnterStateChangeEventMessageLog(x)+24j
		or	eax, 0FFFFFFFFh
		mov	esi, offset _AlpcpMessageLogLock
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_994EF8
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_994EF8:				; CODE XREF: AlpcpEnterStateChangeEventMessageLog(x)+11Aj
		pop	edi
		mov	ecx, esi
		pop	esi
		pop	ebp
		jmp	KeAbPostRelease
_AlpcpEnterStateChangeEventMessageLog@4	endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpLocateMessageLog(x)
_AlpcpLocateMessageLog@4 proc near	; CODE XREF: AlpcpEnterFreeEventMessageLog(x)+1Ap
					; AlpcpEnterStateChangeEventMessageLog(x)+1Bp
		mov	edx, _AlpcpMessageLogLookupTable
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	short loc_994F33
		mov	eax, esi
		shr	eax, 2
		and	eax, 3FFh
		lea	edx, [edx+eax*8]
		mov	eax, [edx+4]
		jmp	short loc_994F2F
; 

loc_994F21:				; CODE XREF: AlpcpLocateMessageLog(x)+2Fj
		cmp	dword ptr [eax+10h], 0
		jz	short loc_994F2C
		cmp	[eax+0Ch], esi
		jz	short loc_994F37

loc_994F2C:				; CODE XREF: AlpcpLocateMessageLog(x)+23j
		mov	eax, [eax+4]

loc_994F2F:				; CODE XREF: AlpcpLocateMessageLog(x)+1Dj
		cmp	eax, edx
		jnz	short loc_994F21

loc_994F33:				; CODE XREF: AlpcpLocateMessageLog(x)+Bj
		xor	eax, eax
		pop	esi
		retn
; 

loc_994F37:				; CODE XREF: AlpcpLocateMessageLog(x)+28j
		add	eax, 0FFFFFFF8h
		pop	esi
		retn
_AlpcpLocateMessageLog@4 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpAllocateMessageFromExtendedTables(x)
_AlpcpAllocateMessageFromExtendedTables@4 proc near
					; CODE XREF: AlpcpAllocateMessageFunction+127C04p
		mov	edi, edi
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		inc	esi
		cmp	ds:_AlpcpSecondaryMessageTables, 0
		push	edi
		jnz	short loc_994F9C
		push	61486C41h
		push	80h
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_994FFA
		push	7Ch		; size_t
		lea	ecx, [edi+4]
		push	0		; int
		push	ecx		; void *
		call	_memset
		mov	eax, ds:_AlpcMessageTable
		add	esp, 0Ch
		mov	[edi], eax
		mov	ecx, edi
		mov	edx, offset _AlpcpSecondaryMessageTables
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_994F9C
		push	61486C41h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_994F9C:				; CODE XREF: AlpcpAllocateMessageFromExtendedTables(x)+11j
					; AlpcpAllocateMessageFromExtendedTables(x)+53j ...
		mov	eax, ds:_AlpcpSecondaryMessageTables
		mov	edi, [eax+esi*4]
		test	edi, edi
		jnz	short loc_994FE2
		xor	edx, edx
		xor	ecx, ecx
		call	ExCreateHandleTable
		mov	edi, eax
		test	edi, edi
		jz	short loc_994FFA
		mov	ecx, ds:_AlpcpSecondaryMessageTables
		xor	eax, eax
		lea	edx, [ecx+esi*4]
		mov	ecx, edi
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_994FE2
		mov	ecx, edi
		call	_ExpRemoveHandleTable@4	; ExpRemoveHandleTable(x)
		mov	ecx, edi
		call	ExpFreeHandleTable
		mov	eax, ds:_AlpcpSecondaryMessageTables
		mov	edi, [eax+esi*4]

loc_994FE2:				; CODE XREF: AlpcpAllocateMessageFromExtendedTables(x)+6Aj
					; AlpcpAllocateMessageFromExtendedTables(x)+8Ej
		xor	eax, eax
		mov	edx, ebx
		push	eax
		push	eax
		push	eax
		mov	ecx, edi
		call	ExCreateHandleEx
		test	eax, eax
		jnz	short loc_994FFE
		inc	esi
		cmp	esi, 20h
		jb	short loc_994F9C

loc_994FFA:				; CODE XREF: AlpcpAllocateMessageFromExtendedTables(x)+27j
					; AlpcpAllocateMessageFromExtendedTables(x)+79j
		xor	eax, eax
		jmp	short loc_995003
; 

loc_994FFE:				; CODE XREF: AlpcpAllocateMessageFromExtendedTables(x)+B6j
		shl	esi, 1Ah
		or	eax, esi

loc_995003:				; CODE XREF: AlpcpAllocateMessageFromExtendedTables(x)+C0j
		pop	edi
		pop	esi
		pop	ebx
		retn
_AlpcpAllocateMessageFromExtendedTables@4 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpLockCommunicationInfoShared(x)
_AlpcpLockCommunicationInfoShared@4 proc near
					; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+114p
		add	ecx, 0FFFFFFFCh
		xor	edx, edx
		jmp	ExAcquirePushLockSharedEx
_AlpcpLockCommunicationInfoShared@4 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpLockPortExclusive(x)
_AlpcpLockPortExclusive@4 proc near	; CODE XREF: NtAlpcSetInformation(x,x,x,x)+18Fp
					; NtAlpcSetInformation(x,x,x,x)+1BAp ...
		add	ecx, 0D0h
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_AlpcpLockPortExclusive@4 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpUnlockCommunicationInfoShared(x)
_AlpcpUnlockCommunicationInfoShared@4 proc near
					; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+180p
		mov	edi, edi
		push	esi
		push	11h
		lea	esi, [ecx-4]
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_995039
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_995039:				; CODE XREF: AlpcpUnlockCommunicationInfoShared(x)+12j
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
_AlpcpUnlockCommunicationInfoShared@4 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpUnlockIncomingQueue(x)
_AlpcpUnlockIncomingQueue@4 proc near	; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+A2p
					; AlpcpReceiveMessagePort(x,x,x,x,x)+F0p ...
		mov	edi, edi
		push	esi
		lea	esi, [ecx+5Ch]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_99505B
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_99505B:				; CODE XREF: AlpcpUnlockIncomingQueue(x)+11j
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
_AlpcpUnlockIncomingQueue@4 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpUnlockPortExclusive(x)
_AlpcpUnlockPortExclusive@4 proc near	; CODE XREF: NtAlpcSetInformation(x,x,x,x)+1A5p
					; NtAlpcSetInformation(x,x,x,x)+1DCp ...
		mov	edi, edi
		push	esi
		lea	esi, [ecx+0D0h]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_995080
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_995080:				; CODE XREF: AlpcpUnlockPortExclusive(x)+14j
		mov	ecx, esi
		pop	esi
		jmp	KeAbPostRelease
_AlpcpUnlockPortExclusive@4 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpValidateDataInformation(x, x)
_AlpcpValidateDataInformation@8	proc near
					; CODE XREF: AlpcpReplyLegacySynchronousRequest(x,x,x)+69p
					; PAGE:00830608p
		mov	edi, edi
		push	esi
		movzx	esi, word ptr [edx+2]
		movzx	edx, word ptr [edx+6]
		push	edi
		cmp	edx, 18h
		jb	short loc_9950D1
		mov	edi, edx
		lea	eax, [esi-0Ch]
		cmp	edi, eax
		ja	short loc_9950D1
		sub	esi, edx
		add	ecx, edi
		movzx	edx, si
		mov	esi, ecx
		sub	edx, 4
		shr	edx, 3
		test	cl, 3
		jz	short loc_9950BB
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9950BB:				; CODE XREF: AlpcpValidateDataInformation(x,x)+2Cj
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9950C6
		mov	esi, eax

loc_9950C6:				; CODE XREF: AlpcpValidateDataInformation(x,x)+3Aj
		nop
		mov	al, [esi]
		cmp	[ecx], edx
		ja	short loc_9950D1
		xor	eax, eax
		jmp	short loc_9950D6
; 

loc_9950D1:				; CODE XREF: AlpcpValidateDataInformation(x,x)+Fj
					; AlpcpValidateDataInformation(x,x)+18j ...
		mov	eax, 0C000000Dh

loc_9950D6:				; CODE XREF: AlpcpValidateDataInformation(x,x)+47j
		pop	edi
		pop	esi
		retn
_AlpcpValidateDataInformation@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpGetPortNameInformation(x, x, x)
_AlpcpGetPortNameInformation@12	proc near
					; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+1EAp
					; AlpcpLogWaitForNewMessage(x)+28p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ecx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		lea	ecx, [ebp+arg_0]
		mov	esi, [ebx]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		mov	ecx, eax
		mov	[ebp+var_4], eax
		mov	[ebp+arg_0], edx
		call	ObQueryNameStringMode
		mov	edi, eax
		cmp	edi, 0C0000004h
		jnz	short loc_99515A
		cmp	[ebp+arg_0], esi
		ja	short loc_995155
		push	43504C41h
		push	[ebp+arg_0]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_995150
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+arg_0]
		push	0
		push	eax
		push	[ebp+arg_0]
		mov	edx, esi
		call	ObQueryNameStringMode
		mov	edi, eax
		test	edi, edi
		js	short loc_995146
		mov	eax, [ebp+var_8]
		mov	[eax], esi
		jmp	short loc_995155
; 

loc_995146:				; CODE XREF: AlpcpGetPortNameInformation(x,x,x)+64j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_995155
; 

loc_995150:				; CODE XREF: AlpcpGetPortNameInformation(x,x,x)+4Bj
		mov	edi, 0C0000017h

loc_995155:				; CODE XREF: AlpcpGetPortNameInformation(x,x,x)+36j
					; AlpcpGetPortNameInformation(x,x,x)+6Bj ...
		mov	eax, [ebp+arg_0]
		mov	[ebx], eax

loc_99515A:				; CODE XREF: AlpcpGetPortNameInformation(x,x,x)+31j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_AlpcpGetPortNameInformation@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpPortQueryServerInfo(x,	x, x, x, x)
_AlpcpPortQueryServerInfo@20 proc near	; CODE XREF: NtAlpcQueryInformation+13BB84p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_B		= byte ptr  13h

		push	38h
		push	offset dword_6A8838
		call	__SEH_prolog4
		mov	[ebp+var_38], edx
		xor	ebx, ebx
		mov	[ebp+var_2C], ebx
		test	ecx, ecx
		jnz	loc_995461
		cmp	[ebp+arg_0], 4
		jb	loc_995461
		cmp	[ebp+arg_8], bl
		jz	short loc_9951D9
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, edx
		test	dl, 3
		jz	short loc_99519D
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_99519D:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+33j
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_9951A8
		mov	ecx, eax

loc_9951A8:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+41j
		nop
		mov	al, [ecx]
		mov	ecx, [edx]
		mov	[ebp+var_48], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9951DB
; 

loc_9951B9:				; DATA XREF: .text:006A884Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9951C7:				; DATA XREF: .text:006A8850o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_3C]
		jmp	loc_995466
; 

loc_9951D9:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+29j
		mov	ecx, [edx]

loc_9951DB:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+54j
		mov	eax, ds:_PsThreadType
		mov	[ebp+var_20], ebx
		push	ebx
		lea	edx, [ebp+var_20]
		push	edx
		push	dword ptr [ebp+arg_8]
		push	eax
		push	40h
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_995466
		mov	[ebp+var_24], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+arg_B], bl
		mov	[ebp+var_34], ebx
		lea	edx, [ebp+var_2C]
		mov	edi, [ebp+var_20]
		mov	ecx, edi
		call	_AlpcpReferenceMessageByWaitingThread@8	; AlpcpReferenceMessageByWaitingThread(x,x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	short loc_995228
		mov	edi, ebx
		mov	esi, ebx
		jmp	loc_99537F
; 

loc_995228:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+BAj
		test	esi, esi
		jns	short loc_99523A
		mov	ecx, edi
		call	ObfDereferenceObject

loc_995233:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+2ECj
					; AlpcpPortQueryServerInfo(x,x,x,x,x)+2F9j
		mov	eax, esi
		jmp	loc_995466
; 

loc_99523A:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+C7j
		mov	edi, [ebp+var_2C]
		mov	ecx, edi
		call	AlpcpLockForCachedReferenceBlob
		dec	word ptr [edi-0Eh]
		mov	eax, [ebp+var_20]
		mov	eax, [eax+314h]
		cmp	edi, eax
		jnz	loc_99537F
		mov	eax, [edi+0Ch]
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	loc_99537F
		mov	eax, [eax+8]
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	loc_99537F
		mov	ecx, eax
		call	_AlpcpLockCommunicationInfoShared@4 ; AlpcpLockCommunicationInfoShared(x)
		mov	ecx, edi
		call	_AlpcpUnlockMessage@4 ;	AlpcpUnlockMessage(x)
		mov	[ebp+var_2C], ebx
		mov	ecx, [ebp+var_28]
		mov	eax, [ecx]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	short loc_9952DE
		mov	ecx, eax
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, [ebp+var_1C]
		mov	[ebp+var_1C], eax
		mov	ecx, [ebp+var_28]
		test	eax, eax
		jz	short loc_9952DE
		mov	edx, [ebp+var_40]
		mov	edx, [edx+0F4h]
		and	edx, 6
		cmp	edx, 2
		jz	short loc_9952C6
		cmp	edx, 4
		jz	short loc_9952C6
		add	ecx, 8

loc_9952C6:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+159j
					; AlpcpPortQueryServerInfo(x,x,x,x,x)+15Ej
		mov	ecx, [ecx]
		mov	[ebp+var_40], ecx
		mov	edi, ecx
		test	ecx, ecx
		jz	short loc_9952E0
		cmp	ecx, eax
		jz	short loc_9952E0
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		test	al, al
		jnz	short loc_9952E0

loc_9952DE:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+12Dj
					; AlpcpPortQueryServerInfo(x,x,x,x,x)+148j
		mov	edi, ebx

loc_9952E0:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+16Cj
					; AlpcpPortQueryServerInfo(x,x,x,x,x)+170j ...
		mov	ecx, [ebp+var_28]
		call	_AlpcpUnlockCommunicationInfoShared@4 ;	AlpcpUnlockCommunicationInfoShared(x)
		test	edi, edi
		jz	short loc_99535C
		cmp	[ebp+var_1C], 0
		jz	short loc_99535C
		mov	ecx, edi
		call	_AlpcpLockPortShared@4 ; AlpcpLockPortShared(x)
		mov	ecx, [edi+0Ch]
		call	_AlpcpGetValidPointer@4	; AlpcpGetValidPointer(x)
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	short loc_995314
		mov	edx, 63706C41h
		mov	ecx, eax
		call	ObfReferenceObjectWithTag

loc_995314:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+1A3j
		mov	ecx, edi
		call	_AlpcpUnlockPortShared@4 ; AlpcpUnlockPortShared(x)
		mov	ecx, [ebp+var_40]
		test	ecx, ecx
		jz	short loc_99535C
		mov	eax, [ecx+0E4h]
		mov	[ebp+var_34], eax
		mov	edx, 63706C41h
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp+arg_0]
		cmp	eax, 8
		jbe	short loc_995343
		add	eax, 0FFFFFFF8h
		mov	[ebp+var_30], eax

loc_995343:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+1D8j
		lea	eax, [ebp+var_30]
		push	eax
		lea	edx, [ebp+var_24]
		mov	ecx, [ebp+var_1C]
		call	_AlpcpGetPortNameInformation@12	; AlpcpGetPortNameInformation(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_99535C
		mov	[ebp+arg_B], 1

loc_99535C:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+187j
					; AlpcpPortQueryServerInfo(x,x,x,x,x)+18Dj ...
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_99536D
		mov	ecx, eax
		call	ObfDereferenceObject
		mov	eax, [ebp+var_1C]

loc_99536D:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+1FEj
		test	edi, edi
		jz	short loc_99537C
		cmp	edi, eax
		jz	short loc_99537C
		mov	ecx, edi
		call	ObfDereferenceObject

loc_99537C:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+20Cj
					; AlpcpPortQueryServerInfo(x,x,x,x,x)+210j
		mov	edi, [ebp+var_2C]

loc_99537F:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+C0j
					; AlpcpPortQueryServerInfo(x,x,x,x,x)+F0j ...
		test	edi, edi
		jz	short loc_99538A
		mov	ecx, edi
		call	_AlpcpUnlockMessage@4 ;	AlpcpUnlockMessage(x)

loc_99538A:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+21Ej
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject
		push	10h
		pop	edi
		mov	edx, [ebp+var_24]
		test	edx, edx
		jz	short loc_9953A4
		movzx	eax, word ptr [edx+2]
		add	edi, eax
		jmp	short loc_9953B2
; 

loc_9953A4:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+237j
		cmp	esi, 0C0000004h
		jnz	short loc_9953B2
		mov	edi, [ebp+var_30]
		add	edi, 8

loc_9953B2:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+23Fj
					; AlpcpPortQueryServerInfo(x,x,x,x,x)+247j
		cmp	[ebp+arg_0], edi
		jnb	short loc_9953BC
		mov	esi, 0C0000004h

loc_9953BC:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+252j
		mov	[ebp+ms_exc.disabled], 1
		test	esi, esi
		js	short loc_99540F
		mov	ecx, [ebp+var_38]
		mov	al, [ebp+arg_B]
		mov	[ecx], al
		mov	eax, [ebp+var_34]
		mov	[ecx+4], eax
		mov	edx, [ebp+var_24]
		test	edx, edx
		jz	short loc_995407
		mov	ax, [edx]
		mov	[ecx+8], ax
		mov	ax, [edx+2]
		mov	[ecx+0Ah], ax
		add	ecx, 10h
		mov	eax, [ebp+var_38]
		mov	[eax+0Ch], ecx
		movzx	eax, word ptr [edx+2]
		push	eax		; size_t
		push	dword ptr [edx+4] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_99540F
; 

loc_995407:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+277j
		xor	eax, eax
		mov	[ecx+8], eax
		mov	[ecx+0Ch], ebx

loc_99540F:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+262j
					; AlpcpPortQueryServerInfo(x,x,x,x,x)+2A2j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_995424
		test	esi, esi
		jns	short loc_995422
		cmp	esi, 0C0000004h
		jnz	short loc_995424

loc_995422:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+2B5j
		mov	[eax], edi

loc_995424:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+2B1j
					; AlpcpPortQueryServerInfo(x,x,x,x,x)+2BDj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_99544A
; 

loc_99542D:				; DATA XREF: .text:006A8858o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_44], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_99543B:				; DATA XREF: .text:006A885Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_44]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx

loc_99544A:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+2C8j
		mov	edx, [ebp+var_24]
		test	edx, edx
		jz	loc_995233
		push	ebx
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_995233
; 

loc_995461:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+16j
					; AlpcpPortQueryServerInfo(x,x,x,x,x)+20j
		mov	eax, 0C000000Dh

loc_995466:				; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+71j
					; AlpcpPortQueryServerInfo(x,x,x,x,x)+93j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_AlpcpPortQueryServerInfo@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpFreeBitmap(x, x, x, x)
_AlpcpFreeBitmap@16 proc near		; CODE XREF: AlpcpCompleteDispatchMessage+F28D5p
					; AlpcpAllocateFromBitmap+F0427p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		shr	eax, 5
		push	edi
		lea	edi, [ecx+eax*4]
		and	ebx, 1Fh
		jbe	short loc_9954B5
		push	esi
		push	20h
		pop	esi
		sub	esi, ebx
		cmp	edx, esi
		jnb	short loc_99549E
		mov	esi, edx

loc_99549E:				; CODE XREF: AlpcpFreeBitmap(x,x,x,x)+22j
		xor	eax, eax
		mov	ecx, esi
		inc	eax
		shl	eax, cl
		mov	ecx, ebx
		dec	eax
		shl	eax, cl
		not	eax
		lock and [edi],	eax
		sub	edx, esi
		add	edi, 4
		pop	esi

loc_9954B5:				; CODE XREF: AlpcpFreeBitmap(x,x,x,x)+18j
		cmp	edx, 20h
		jb	short loc_9954CF
		mov	eax, edx
		shr	eax, 5

loc_9954BF:				; CODE XREF: AlpcpFreeBitmap(x,x,x,x)+55j
		xor	ecx, ecx
		lock and [edi],	ecx
		sub	edx, 20h
		add	edi, 4
		sub	eax, 1
		jnz	short loc_9954BF

loc_9954CF:				; CODE XREF: AlpcpFreeBitmap(x,x,x,x)+40j
		test	edx, edx
		jz	short loc_9954DD
		or	eax, 0FFFFFFFFh
		mov	ecx, edx
		shl	eax, cl
		lock and [edi],	eax

loc_9954DD:				; CODE XREF: AlpcpFreeBitmap(x,x,x,x)+59j
		pop	edi
		pop	ebx
		pop	ebp
		retn	8
_AlpcpFreeBitmap@16 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpLockCommunicationInfoExclusive(x)
_AlpcpLockCommunicationInfoExclusive@4 proc near ; CODE	XREF: AlpcpDeletePort(x)+26p
		add	ecx, 0FFFFFFFCh
		xor	edx, edx
		jmp	ExAcquirePushLockExclusiveEx
_AlpcpLockCommunicationInfoExclusive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpReferenceMessageByWaitingThread(x, x)
_AlpcpReferenceMessageByWaitingThread@8	proc near
					; CODE XREF: AlpcpPortQueryServerInfo(x,x,x,x,x)+ADp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	[ebp+var_8], edx
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		xor	edx, edx
		push	edi
		mov	ecx, offset _AlpcpPortListLock
		xor	esi, esi
		call	ExAcquirePushLockExclusiveEx
		mov	edi, _AlpcpPortList
		or	eax, 0FFFFFFFFh
		cmp	edi, offset _AlpcpPortList
		jz	short loc_99557F

loc_99551E:				; CODE XREF: AlpcpReferenceMessageByWaitingThread(x,x)+8Dj
		mov	ecx, edi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		test	al, al
		jz	short loc_995572
		or	eax, 0FFFFFFFFh
		mov	ebx, offset _AlpcpPortListLock
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_995542
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_995542:				; CODE XREF: AlpcpReferenceMessageByWaitingThread(x,x)+4Cj
		mov	ecx, ebx
		call	KeAbPostRelease
		test	esi, esi
		jz	short loc_995554
		mov	ecx, esi
		call	ObfDereferenceObject

loc_995554:				; CODE XREF: AlpcpReferenceMessageByWaitingThread(x,x)+5Ej
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		mov	esi, edi
		call	_AlpcpReferenceMessageByWaitingThreadPort@8 ; AlpcpReferenceMessageByWaitingThreadPort(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9955B8
		xor	edx, edx
		mov	ecx, offset _AlpcpPortListLock
		call	ExAcquirePushLockExclusiveEx

loc_995572:				; CODE XREF: AlpcpReferenceMessageByWaitingThread(x,x)+3Aj
		mov	edi, [edi]
		cmp	edi, offset _AlpcpPortList
		jnz	short loc_99551E
		or	eax, 0FFFFFFFFh

loc_99557F:				; CODE XREF: AlpcpReferenceMessageByWaitingThread(x,x)+2Fj
		mov	edi, offset _AlpcpPortListLock
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_995595
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_995595:				; CODE XREF: AlpcpReferenceMessageByWaitingThread(x,x)+9Fj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	edi, 0C0000225h

loc_9955A1:				; CODE XREF: AlpcpReferenceMessageByWaitingThread(x,x)+CDj
		test	esi, esi
		jz	short loc_9955AC
		mov	ecx, esi
		call	ObfDereferenceObject

loc_9955AC:				; CODE XREF: AlpcpReferenceMessageByWaitingThread(x,x)+B6j
		mov	eax, [ebp+var_8]
		mov	[eax], ebx
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9955B8:				; CODE XREF: AlpcpReferenceMessageByWaitingThread(x,x)+77j
		xor	edi, edi
		jmp	short loc_9955A1
_AlpcpReferenceMessageByWaitingThread@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpReferenceMessageByWaitingThreadPort(x,	x)
_AlpcpReferenceMessageByWaitingThreadPort@8 proc near
					; CODE XREF: AlpcpReferenceMessageByWaitingThread(x,x)+6Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		xor	edx, edx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], ebx
		lea	eax, [esi+0D0h]
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+0F4h]
		and	al, 41h
		cmp	al, 1
		jnz	loc_9956D1
		lea	edi, [esi+5Ch]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		lea	edx, [esi+60h]
		mov	ecx, ebx
		call	_AlpcpReferenceMessageByWaitingThreadPortQueue@8 ; AlpcpReferenceMessageByWaitingThreadPortQueue(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_995631
		or	ecx, 0FFFFFFFFh
		lock xadd [edi], ecx
		and	cl, 6
		cmp	cl, 2
		jnz	short loc_995625
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_995625:				; CODE XREF: AlpcpReferenceMessageByWaitingThreadPort(x,x)+60j
		mov	ecx, edi

loc_995627:				; CODE XREF: AlpcpReferenceMessageByWaitingThreadPort(x,x)+110j
		call	KeAbPostRelease
		jmp	loc_9956D3
; 

loc_995631:				; CODE XREF: AlpcpReferenceMessageByWaitingThreadPort(x,x)+51j
		mov	ecx, [ebp+var_4]
		lea	edx, [esi+68h]
		call	_AlpcpReferenceMessageByWaitingThreadPortQueue@8 ; AlpcpReferenceMessageByWaitingThreadPortQueue(x,x)
		or	esi, 0FFFFFFFFh
		mov	ebx, eax
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_995654
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_995654:				; CODE XREF: AlpcpReferenceMessageByWaitingThreadPort(x,x)+8Fj
		mov	ecx, edi
		call	KeAbPostRelease
		test	ebx, ebx
		jnz	short loc_9956D3
		mov	edi, [ebp+var_8]
		xor	edx, edx
		lea	ecx, [edi+70h]
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_4]
		lea	edx, [edi+74h]
		call	_AlpcpReferenceMessageByWaitingThreadPortQueue@8 ; AlpcpReferenceMessageByWaitingThreadPortQueue(x,x)
		mov	ebx, eax
		mov	eax, esi
		lea	esi, [edi+70h]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_99568F
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_99568F:				; CODE XREF: AlpcpReferenceMessageByWaitingThreadPort(x,x)+CAj
		mov	ecx, esi
		call	KeAbPostRelease
		test	ebx, ebx
		jnz	short loc_9956D3
		lea	esi, [edi+7Ch]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_4]
		lea	edx, [edi+80h]
		call	_AlpcpReferenceMessageByWaitingThreadPortQueue@8 ; AlpcpReferenceMessageByWaitingThreadPortQueue(x,x)
		mov	ebx, eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9956CA
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9956CA:				; CODE XREF: AlpcpReferenceMessageByWaitingThreadPort(x,x)+105j
		mov	ecx, esi
		jmp	loc_995627
; 

loc_9956D1:				; CODE XREF: AlpcpReferenceMessageByWaitingThreadPort(x,x)+31j
		xor	ebx, ebx

loc_9956D3:				; CODE XREF: AlpcpReferenceMessageByWaitingThreadPort(x,x)+70j
					; AlpcpReferenceMessageByWaitingThreadPort(x,x)+A1j ...
		mov	esi, [ebp+var_C]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_9956EB
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9956EB:				; CODE XREF: AlpcpReferenceMessageByWaitingThreadPort(x,x)+126j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_AlpcpReferenceMessageByWaitingThreadPort@8 endp


;  S U B	R O U T	I N E 


; __stdcall AlpcpReferenceMessageByWaitingThreadPortQueue(x, x)
_AlpcpReferenceMessageByWaitingThreadPortQueue@8 proc near
					; CODE XREF: AlpcpReferenceMessageByWaitingThreadPort(x,x)+48p
					; AlpcpReferenceMessageByWaitingThreadPort(x,x)+7Bp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	esi, [edi]
		jmp	short loc_995718
; 

loc_995706:				; CODE XREF: AlpcpReferenceMessageByWaitingThreadPortQueue(x,x)+21j
		cmp	[esi+10h], ebx
		jnz	short loc_995716
		mov	ecx, esi
		call	AlpcpReferenceBlob
		test	eax, eax
		jnz	short loc_995722

loc_995716:				; CODE XREF: AlpcpReferenceMessageByWaitingThreadPortQueue(x,x)+10j
		mov	esi, [esi]

loc_995718:				; CODE XREF: AlpcpReferenceMessageByWaitingThreadPortQueue(x,x)+Bj
		cmp	esi, edi
		jnz	short loc_995706
		xor	eax, eax

loc_99571E:				; CODE XREF: AlpcpReferenceMessageByWaitingThreadPortQueue(x,x)+2Bj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_995722:				; CODE XREF: AlpcpReferenceMessageByWaitingThreadPortQueue(x,x)+1Bj
		mov	eax, esi
		jmp	short loc_99571E
_AlpcpReferenceMessageByWaitingThreadPortQueue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall AlpcpExposeViewAttribute(x, x, x, x)
@AlpcpExposeViewAttribute@16 proc near	; CODE XREF: sub_8CA243+13p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_1], 0
		mov	esi, [edi+4Ch]
		test	esi, esi
		jnz	short loc_99573F
		xor	eax, eax
		jmp	short loc_99579B
; 

loc_99573F:				; CODE XREF: AlpcpExposeViewAttribute(x,x,x,x)+13j
		mov	esi, [esi+8]
		mov	ecx, esi
		push	ebx
		call	AlpcpReferenceBlob
		lea	eax, [ebp-1]
		mov	edx, edi
		push	eax
		call	_AlpcpReceiveView@12 ; AlpcpReceiveView(x,x,x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		mov	ebx, eax
		call	AlpcpDereferenceBlobEx
		test	ebx, ebx
		jns	short loc_995769
		mov	eax, ebx
		jmp	short loc_99579A
; 

loc_995769:				; CODE XREF: AlpcpExposeViewAttribute(x,x,x,x)+3Dj
		mov	ecx, [edi+4Ch]
		xor	eax, eax
		cmp	[ebp+var_1], 0
		mov	edx, [ebp+arg_0]
		mov	edi, edx
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ecx+14h]
		mov	[edx+8], eax
		mov	eax, [ecx+18h]
		mov	[edx+0Ch], eax
		jz	short loc_99578F
		mov	dword ptr [edx], 40000h

loc_99578F:				; CODE XREF: AlpcpExposeViewAttribute(x,x,x,x)+61j
		mov	eax, [ebp+arg_4]
		or	dword ptr [eax], 40000000h
		xor	eax, eax

loc_99579A:				; CODE XREF: AlpcpExposeViewAttribute(x,x,x,x)+41j
		pop	ebx

loc_99579B:				; CODE XREF: AlpcpExposeViewAttribute(x,x,x,x)+17j
		pop	edi
		pop	esi
		leave
		retn	8
@AlpcpExposeViewAttribute@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpForceUnlinkSecureView(x)
_AlpcpForceUnlinkSecureView@4 proc near	; CODE XREF: AlpcpCleanupProcessViews+17E424p

var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_1C]
		push	6
		pop	ecx
		xor	eax, eax
		mov	ebx, [esi+10h]
		rep stosd
		mov	edi, [esi+8]
		mov	ecx, edi
		call	AlpcpLockForCachedReferenceBlob
		cmp	esi, [edi+28h]
		jz	short loc_9957D8
		xor	esi, esi
		jmp	short loc_99580D
; 

loc_9957D8:				; CODE XREF: AlpcpForceUnlinkSecureView(x)+31j
		cmp	dword ptr [esi+20h], 0
		jz	short loc_995801
		lea	eax, [ebp+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	KiStackAttachProcess
		push	dword ptr [esi+20h]
		call	_MmUnsecureVirtualMemory@4 ; MmUnsecureVirtualMemory(x)
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		and	dword ptr [esi+20h], 0

loc_995801:				; CODE XREF: AlpcpForceUnlinkSecureView(x)+3Bj
		or	dword ptr [esi+24h], 1
		and	dword ptr [edi+28h], 0
		or	dword ptr [esi+24h], 4

loc_99580D:				; CODE XREF: AlpcpForceUnlinkSecureView(x)+35j
		mov	ecx, edi
		call	AlpcpUnlockBlob
		test	esi, esi
		jz	short loc_995822
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	AlpcpDereferenceBlobEx

loc_995822:				; CODE XREF: AlpcpForceUnlinkSecureView(x)+75j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AlpcpForceUnlinkSecureView@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAlpcDeleteResourceReserve(x, x, x)
_NtAlpcDeleteResourceReserve@12	proc near ; DATA XREF: .text:00581224o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		cmp	[ebp+arg_4], 0
		jnz	loc_9958E7
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jns	loc_9958E7
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	0
		push	ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4], al
		push	[ebp+arg_4]
		mov	eax, ds:_AlpcPortObjectType
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9958EC
		push	ebx
		mov	ebx, [ebp+var_4]
		and	edi, 7FFFFFFFh
		push	offset _AlpcReserveType
		mov	edx, edi
		mov	ecx, [ebx+8]
		add	ecx, 14h
		call	AlpcReferenceBlobByHandle
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9958B7
		mov	esi, 0C0000008h
		jmp	short loc_9958DD
; 

loc_9958B7:				; CODE XREF: NtAlpcDeleteResourceReserve(x,x,x)+7Dj
		mov	ecx, edi
		call	AlpcpDeleteBlob
		test	al, al
		jz	short loc_9958CE
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	AlpcpDereferenceBlobEx
		jmp	short loc_9958D3
; 

loc_9958CE:				; CODE XREF: NtAlpcDeleteResourceReserve(x,x,x)+8Fj
		mov	esi, 0C0000056h

loc_9958D3:				; CODE XREF: NtAlpcDeleteResourceReserve(x,x,x)+9Bj
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	AlpcpDereferenceBlobEx

loc_9958DD:				; CODE XREF: NtAlpcDeleteResourceReserve(x,x,x)+84j
		mov	ecx, ebx
		call	ObfDereferenceObject
		pop	ebx
		jmp	short loc_9958EC
; 

loc_9958E7:				; CODE XREF: NtAlpcDeleteResourceReserve(x,x,x)+1Aj
					; NtAlpcDeleteResourceReserve(x,x,x)+25j
		mov	esi, 0C000000Dh

loc_9958EC:				; CODE XREF: NtAlpcDeleteResourceReserve(x,x,x)+5Bj
					; NtAlpcDeleteResourceReserve(x,x,x)+B4j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	0Ch
_NtAlpcDeleteResourceReserve@12	endp


;  S U B	R O U T	I N E 


; __fastcall AlpcRegisterLogRoutine(x)
@AlpcRegisterLogRoutine@4 proc near	; CODE XREF: EtwpEnableKernelTrace:loc_90D1C4p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	634C6C41h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_995920
		mov	eax, 0C000009Ah
		jmp	short loc_99599F
; 

loc_995920:				; CODE XREF: AlpcRegisterLogRoutine(x)+17j
		mov	edi, offset _AlpcpLogLock
		mov	ebx, offset @EtwpTraceALPC@8 ; EtwpTraceALPC(x,x)
		xor	edx, edx
		mov	[esi+8], ebx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, _AlpcpLogCallbackListHead
		mov	ecx, offset _AlpcpLogCallbackListHead
		jmp	short loc_995949
; 

loc_995942:				; CODE XREF: AlpcRegisterLogRoutine(x)+4Bj
		cmp	[eax+8], ebx
		jz	short loc_99595B
		mov	eax, [eax]

loc_995949:				; CODE XREF: AlpcRegisterLogRoutine(x)+40j
		cmp	eax, ecx
		jnz	short loc_995942
		mov	eax, off_6B3504
		cmp	[eax], ecx
		jz	short loc_99596A
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_99595B:				; CODE XREF: AlpcRegisterLogRoutine(x)+45j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, 0C0000718h
		jmp	short loc_995980
; 

loc_99596A:				; CODE XREF: AlpcRegisterLogRoutine(x)+54j
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	off_6B3504, esi
		xor	esi, esi
		mov	_AlpcpLogEnabled, 1

loc_995980:				; CODE XREF: AlpcRegisterLogRoutine(x)+68j
		or	edx, 0FFFFFFFFh
		lock xadd [edi], edx
		and	dl, 6
		cmp	dl, 2
		jnz	short loc_995996
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_995996:				; CODE XREF: AlpcRegisterLogRoutine(x)+8Dj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, esi

loc_99599F:				; CODE XREF: AlpcRegisterLogRoutine(x)+1Ej
		pop	edi
		pop	esi
		pop	ebx
		retn
@AlpcRegisterLogRoutine@4 endp


;  S U B	R O U T	I N E 


; __fastcall AlpcUnregisterLogRoutine(x)
@AlpcUnregisterLogRoutine@4 proc near	; CODE XREF: EtwpDisableKernelTrace:loc_90D2CFp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, offset _AlpcpLogLock
		xor	edx, edx
		mov	ecx, edi
		mov	esi, 0C0000225h
		call	ExAcquirePushLockExclusiveEx
		mov	eax, _AlpcpLogCallbackListHead
		mov	ebx, offset _AlpcpLogCallbackListHead
		jmp	short loc_9959D4
; 

loc_9959C7:				; CODE XREF: AlpcUnregisterLogRoutine(x)+33j
		cmp	dword ptr [eax+8], offset @EtwpTraceALPC@8 ; EtwpTraceALPC(x,x)
		mov	ecx, [eax]
		jz	short loc_995A08
		mov	eax, ecx

loc_9959D4:				; CODE XREF: AlpcUnregisterLogRoutine(x)+22j
		cmp	eax, ebx
		jnz	short loc_9959C7

loc_9959D8:				; CODE XREF: AlpcUnregisterLogRoutine(x)+7Fj
		cmp	_AlpcpLogCallbackListHead, ebx
		setnz	_AlpcpLogEnabled
		or	edx, 0FFFFFFFFh
		lock xadd [edi], edx
		and	dl, 6
		cmp	dl, 2
		jnz	short loc_9959FB
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9959FB:				; CODE XREF: AlpcUnregisterLogRoutine(x)+4Fj
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_995A08:				; CODE XREF: AlpcUnregisterLogRoutine(x)+2Dj
		cmp	[ecx+4], eax
		jnz	short loc_995A24
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_995A24
		xor	esi, esi
		mov	[edx], ecx
		push	esi
		push	eax
		mov	[ecx+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9959D8
; 

loc_995A24:				; CODE XREF: AlpcUnregisterLogRoutine(x)+68j
					; AlpcUnregisterLogRoutine(x)+6Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
@AlpcUnregisterLogRoutine@4 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall AlpcpInvokeLogCallbacks(x, x)
_AlpcpInvokeLogCallbacks@8 proc	near	; CODE XREF: AlpcpLogClosePort(x)+41p
					; AlpcpLogConnectFail(x,x)+3Fp	...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	edx, edx
		mov	ecx, offset _AlpcpLogLock
		call	ExAcquirePushLockSharedEx
		mov	esi, _AlpcpLogCallbackListHead
		jmp	short loc_995A4F
; 

loc_995A46:				; CODE XREF: AlpcpInvokeLogCallbacks(x,x)+2Cj
		mov	edx, edi
		mov	ecx, ebx
		call	dword ptr [esi+8]
		mov	esi, [esi]

loc_995A4F:				; CODE XREF: AlpcpInvokeLogCallbacks(x,x)+1Bj
		cmp	esi, offset _AlpcpLogCallbackListHead
		jnz	short loc_995A46
		push	11h
		xor	edx, edx
		mov	esi, offset _AlpcpLogLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_995A71
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_995A71:				; CODE XREF: AlpcpInvokeLogCallbacks(x,x)+3Fj
		pop	edi
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	KeAbPostRelease
_AlpcpInvokeLogCallbacks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpLogClosePort(x)
_AlpcpLogClosePort@4 proc near		; CODE XREF: AlpcpDispatchCloseMessage+12B3CCp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, large fs:124h
		push	10h
		mov	eax, [edx+2ACh]
		mov	[ebp+var_14], eax
		mov	eax, [edx+2B0h]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+90h]
		lea	ecx, [ebp+var_14]
		pop	edx
		mov	[ebp+var_C], 9
		mov	[ebp+var_8], eax
		call	_AlpcpInvokeLogCallbacks@8 ; AlpcpInvokeLogCallbacks(x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AlpcpLogClosePort@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpLogConnectFail(x, x)
_AlpcpLogConnectFail@8 proc near	; CODE XREF: AlpcpProcessConnectionRequest+14B37Cp
					; AlpcpProcessConnectionRequest+14B3A5p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, large fs:124h
		push	14h
		mov	eax, [esi+2ACh]
		mov	[ebp+var_18], eax
		mov	eax, [esi+2B0h]
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_8], edx
		pop	edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], 8
		call	_AlpcpInvokeLogCallbacks@8 ; AlpcpInvokeLogCallbacks(x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AlpcpLogConnectFail@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpLogConnectRequest(x)
_AlpcpLogConnectRequest@4 proc near	; CODE XREF: AlpcpProcessConnectionRequest+14B364p
					; NtSecureConnectPort+13AEE3p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, large fs:124h
		push	10h
		mov	eax, [edx+2ACh]
		mov	[ebp+var_14], eax
		mov	eax, [edx+2B0h]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+90h]
		lea	ecx, [ebp+var_14]
		pop	edx
		mov	[ebp+var_C], 6
		mov	[ebp+var_8], eax
		call	_AlpcpInvokeLogCallbacks@8 ; AlpcpInvokeLogCallbacks(x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AlpcpLogConnectRequest@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpLogConnectSuccess(x)
_AlpcpLogConnectSuccess@4 proc near	; CODE XREF: AlpcpProcessConnectionRequest+14B3B5p
					; NtSecureConnectPort+13AF3Bp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, large fs:124h
		push	10h
		mov	eax, [edx+2ACh]
		mov	[ebp+var_14], eax
		mov	eax, [edx+2B0h]
		mov	[ebp+var_8], ecx
		lea	ecx, [ebp+var_14]
		pop	edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], 7
		call	_AlpcpInvokeLogCallbacks@8 ; AlpcpInvokeLogCallbacks(x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AlpcpLogConnectSuccess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpLogReceiveMessage(x)
_AlpcpLogReceiveMessage@4 proc near	; CODE XREF: AlpcpReceiveDirectMessagePort(x,x,x,x,x)+1DDp
					; PAGE:0082FFFAp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, large fs:124h
		push	10h
		mov	eax, [edx+2ACh]
		mov	[ebp+var_14], eax
		mov	eax, [edx+2B0h]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+90h]
		lea	ecx, [ebp+var_14]
		pop	edx
		mov	[ebp+var_C], 2
		mov	[ebp+var_8], eax
		call	_AlpcpInvokeLogCallbacks@8 ; AlpcpInvokeLogCallbacks(x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AlpcpLogReceiveMessage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpLogSendMessage(x)
_AlpcpLogSendMessage@4 proc near	; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+33Ep
					; PAGE:008302F3p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, large fs:124h
		push	10h
		mov	eax, [edx+2ACh]
		mov	[ebp+var_14], eax
		mov	eax, [edx+2B0h]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+90h]
		lea	ecx, [ebp+var_14]
		pop	edx
		mov	[ebp+var_C], 1
		mov	[ebp+var_8], eax
		call	_AlpcpInvokeLogCallbacks@8 ; AlpcpInvokeLogCallbacks(x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AlpcpLogSendMessage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpLogUnwait(x)
_AlpcpLogUnwait@4 proc near		; CODE XREF: AlpcpWaitForSingleObject(x,x,x,x,x)+44p
					; AlpcpSignalAndWait+B782Ap

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, large fs:124h
		push	10h
		mov	eax, [edx+2ACh]
		mov	[ebp+var_14], eax
		mov	eax, [edx+2B0h]
		mov	[ebp+var_8], ecx
		lea	ecx, [ebp+var_14]
		pop	edx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], 5
		call	_AlpcpInvokeLogCallbacks@8 ; AlpcpInvokeLogCallbacks(x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AlpcpLogUnwait@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpLogWaitForNewMessage(x)
_AlpcpLogWaitForNewMessage@4 proc near	; CODE XREF: AlpcpReceiveMessagePort(x,x,x,x,x)+20Bp
					; AlpcpReceiveMessagePort(x,x,x,x,x)+282p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	edi
		mov	eax, ecx
		xor	edi, edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], edi
		push	12h
		pop	ebx
		test	eax, eax
		jz	short loc_995CE9
		or	[ebp+var_8], 0FFFFFFFFh
		lea	ecx, [ebp+var_8]
		push	ecx
		lea	edx, [ebp+var_4]
		mov	ecx, eax
		call	_AlpcpGetPortNameInformation@12	; AlpcpGetPortNameInformation(x,x,x)
		test	eax, eax
		js	loc_995D7B
		mov	edi, [ebp+var_4]
		movzx	eax, word ptr [edi]
		add	ebx, eax

loc_995CE9:				; CODE XREF: AlpcpLogWaitForNewMessage(x)+19j
		push	esi
		push	654C6C41h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_995D6E
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	ecx, large fs:124h
		add	esp, 0Ch
		mov	edi, [ebp+var_4]
		mov	eax, [ecx+2ACh]
		mov	[esi], eax
		mov	eax, [ecx+2B0h]
		mov	[esi+4], eax
		mov	eax, [ebp+var_C]
		mov	dword ptr [esi+8], 4
		test	eax, eax
		jz	short loc_995D59
		mov	eax, [eax+0F4h]
		xor	ecx, ecx
		and	al, 6
		cmp	al, 2
		setz	cl
		mov	[esi+0Ch], ecx
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		lea	eax, [esi+10h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_995D5D
; 

loc_995D59:				; CODE XREF: AlpcpLogWaitForNewMessage(x)+84j
		and	dword ptr [esi+0Ch], 0

loc_995D5D:				; CODE XREF: AlpcpLogWaitForNewMessage(x)+ABj
		mov	edx, ebx
		mov	ecx, esi
		call	_AlpcpInvokeLogCallbacks@8 ; AlpcpInvokeLogCallbacks(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_995D6E:				; CODE XREF: AlpcpLogWaitForNewMessage(x)+4Fj
		test	edi, edi
		jz	short loc_995D7A
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_995D7A:				; CODE XREF: AlpcpLogWaitForNewMessage(x)+C4j
		pop	esi

loc_995D7B:				; CODE XREF: AlpcpLogWaitForNewMessage(x)+2Fj
		pop	edi
		pop	ebx
		leave
		retn
_AlpcpLogWaitForNewMessage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AlpcpLogWaitForReply(x)
_AlpcpLogWaitForReply@4	proc near	; CODE XREF: AlpcpSendLegacySynchronousRequest(x,x,x,x)+34Ep
					; PAGE:00830318p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, large fs:124h
		push	10h
		mov	eax, [edx+2ACh]
		mov	[ebp+var_14], eax
		mov	eax, [edx+2B0h]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+90h]
		lea	ecx, [ebp+var_14]
		pop	edx
		mov	[ebp+var_C], 3
		mov	[ebp+var_8], eax
		call	_AlpcpInvokeLogCallbacks@8 ; AlpcpInvokeLogCallbacks(x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AlpcpLogWaitForReply@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetFileNameForAddress(x, x)
_MmGetFileNameForAddress@8 proc	near	; CODE XREF: DbgkPostModuleMessage(x,x,x,x,x,x)+7Dp
					; EtwpLocateBinaryForRegEntry(x,x,x)+28p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_C], 0
		lea	eax, [esp+0Ch+var_8]
		push	ebx
		push	esi
		push	edi
		push	eax
		push	2
		mov	[esp+20h+var_4], edx
		pop	edx
		call	MiObtainReferencedVadEx
		mov	esi, eax
		test	esi, esi
		jnz	short loc_995E04
		mov	eax, 0C0000141h
		jmp	loc_995EC2
; 

loc_995E04:				; CODE XREF: MmGetFileNameForAddress(x,x)+27j
		test	dword ptr [esi+1Ch], 100000h
		jnz	loc_995EB6
		mov	eax, [esi+2Ch]
		mov	ecx, [eax]
		test	byte ptr [ecx+1Ch], 20h
		jz	loc_995EB6
		call	MiReferenceControlAreaFile
		mov	ebx, eax
		mov	ecx, esi
		mov	[esp+18h+var_8], ebx
		call	MiUnlockAndDereferenceVadShared
		mov	edi, 408h

loc_995E37:				; CODE XREF: MmGetFileNameForAddress(x,x)+B1j
		push	0
		push	100h
		mov	edx, 20206D4Dh
		mov	ecx, edi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_995EA4
		and	[esp+18h+var_C], 0
		lea	eax, [esp+18h+var_C]
		push	0
		push	eax
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	ObQueryNameStringMode
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_995E84
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[esp+18h+var_C], edi
		jbe	short loc_995EA9
		mov	edi, [esp+18h+var_C]
		mov	ebx, [esp+18h+var_8]
		jmp	short loc_995E37
; 

loc_995E84:				; CODE XREF: MmGetFileNameForAddress(x,x)+99j
		mov	ecx, [esp+18h+var_4]
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		mov	[ecx+2], ax
		mov	[ecx], ax
		mov	[ecx+4], esi
		push	dword ptr [esi+4] ; void *
		push	esi		; void *
		call	_memmove
		add	esp, 0Ch
		jmp	short loc_995EA9
; 

loc_995EA4:				; CODE XREF: MmGetFileNameForAddress(x,x)+7Dj
		mov	ebx, 0C0000017h

loc_995EA9:				; CODE XREF: MmGetFileNameForAddress(x,x)+A7j
					; MmGetFileNameForAddress(x,x)+D1j
		mov	ecx, [esp+18h+var_8]
		call	ObfDereferenceObject
		mov	eax, ebx
		jmp	short loc_995EC2
; 

loc_995EB6:				; CODE XREF: MmGetFileNameForAddress(x,x)+3Aj
					; MmGetFileNameForAddress(x,x)+49j
		mov	ecx, esi
		call	MiUnlockAndDereferenceVadShared
		mov	eax, 0C0000049h

loc_995EC2:				; CODE XREF: MmGetFileNameForAddress(x,x)+2Ej
					; MmGetFileNameForAddress(x,x)+E3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MmGetFileNameForAddress@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetFileNameForSection(x, x)
_MmGetFileNameForSection@8 proc	near	; CODE XREF: DbgkpSectionToFileHandle(x)+1Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	edi, edx
		xor	esi, esi
		mov	[ebp+var_4], esi
		test	byte ptr [ebx+20h], 20h
		mov	[edi], esi
		jnz	short loc_995EEF
		mov	eax, 0C0000049h
		jmp	loc_995F99
; 

loc_995EEF:				; CODE XREF: MmGetFileNameForSection(x,x)+1Aj
		push	esi
		push	100h
		mov	edx, 20206D4Dh
		mov	ecx, 400h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_995F14

loc_995F0A:				; CODE XREF: MmGetFileNameForSection(x,x)+A5j
		mov	eax, 0C0000017h
		jmp	loc_995F99
; 

loc_995F14:				; CODE XREF: MmGetFileNameForSection(x,x)+3Fj
		mov	ecx, ebx
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	MiReferenceControlAreaFile
		mov	edx, [edi]
		mov	ebx, eax
		push	esi
		lea	eax, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		push	400h
		call	ObQueryNameStringMode
		mov	[ebp+var_C], eax
		test	eax, eax
		jns	short loc_995F8D
		cmp	eax, 0C0000004h
		jnz	short loc_995FB6
		push	esi
		push	dword ptr [edi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		add	eax, 400h
		mov	[ebp+var_C], eax
		cmp	eax, 400h
		ja	short loc_995F70
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		mov	[edi], esi
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		jmp	short loc_995F0A
; 

loc_995F70:				; CODE XREF: MmGetFileNameForSection(x,x)+97j
		push	esi
		push	100h
		mov	edx, 20206D4Dh
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_995F9E
		mov	esi, 0C0000017h

loc_995F8D:				; CODE XREF: MmGetFileNameForSection(x,x)+76j
					; MmGetFileNameForSection(x,x)+EBj
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		mov	eax, esi

loc_995F99:				; CODE XREF: MmGetFileNameForSection(x,x)+21j
					; MmGetFileNameForSection(x,x)+46j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_995F9E:				; CODE XREF: MmGetFileNameForSection(x,x)+BDj
		push	esi
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx
		push	[ebp+var_C]
		mov	ecx, ebx
		call	ObQueryNameStringMode
		mov	[ebp+var_C], eax
		test	eax, eax
		jns	short loc_995F8D

loc_995FB6:				; CODE XREF: MmGetFileNameForSection(x,x)+7Dj
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		push	esi
		push	dword ptr [edi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_C]
		mov	[edi], esi
		jmp	short loc_995F99
_MmGetFileNameForSection@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1407. MmGetMaximumFileSectionSize

;  S U B	R O U T	I N E 


; __stdcall MmGetMaximumFileSectionSize()
		public _MmGetMaximumFileSectionSize@0
_MmGetMaximumFileSectionSize@0 proc near
		mov	eax, 0FFFFF000h
		mov	edx, 3FFFFFh
		retn
_MmGetMaximumFileSectionSize@0 endp


;  S U B	R O U T	I N E 


; __stdcall MiCleanVad(x)
_MiCleanVad@4	proc near		; CODE XREF: MmCleanProcessAddressSpace+F897Dp
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		cmp	eax, 1
		jnz	short loc_996001
		call	_MiWaitForVadDeletion@4	; MiWaitForVadDeletion(x)
		mov	ecx, esi
		call	MiUnlockAndDereferenceVad
		inc	edi
		jmp	short loc_996019
; 

loc_996001:				; CODE XREF: MiCleanVad(x)+11j
		xor	edx, edx
		test	dword ptr [esi+1Ch], 100000h
		push	edi
		jnz	short loc_996014
		call	MiUnmapVad
		jmp	short loc_996019
; 

loc_996014:				; CODE XREF: MiCleanVad(x)+2Cj
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)

loc_996019:				; CODE XREF: MiCleanVad(x)+20j
					; MiCleanVad(x)+33j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ecx
		retn
_MiCleanVad@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiForceCrashForInvalidAccess(x, x)
_MiForceCrashForInvalidAccess@8	proc near
					; CODE XREF: MiKernelWriteToExecutableMemory(x,x,x,x)+54p

var_70		= dword	ptr -70h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_20]
		push	6
		xor	eax, eax
		xor	esi, esi
		pop	ecx
		rep stosd
		mov	edi, large fs:124h
		mov	[ebp+var_4], esi
		dec	word ptr [edi+13Ch]
		nop
		cmp	byte ptr [edi+16Ah], 1
		jz	short loc_99606B
		test	dword ptr [edi+58h], 400h
		jnz	short loc_99606B
		push	2
		pop	edx
		mov	ecx, edi
		call	_KeRequestTerminationProcess@8 ; KeRequestTerminationProcess(x,x)
		jmp	loc_996186
; 

loc_99606B:				; CODE XREF: MiForceCrashForInvalidAccess(x,x)+32j
					; MiForceCrashForInvalidAccess(x,x)+3Bj
		lea	edx, [ebx+0F8h]	; int
		mov	esi, 4000000h
		mov	eax, [edx]

loc_996078:				; CODE XREF: MiForceCrashForInvalidAccess(x,x)+61j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_996078
		mov	ecx, esi
		push	0
		pop	esi
		test	eax, ecx
		jnz	loc_996186
		push	edi
		call	_IoThreadToProcess@4 ; IoThreadToProcess(x)
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_9960D7
		push	50h		; size_t
		lea	eax, [ebp+var_70]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_70], 0C0000726h
		mov	[ebp+var_60], 1
		push	ebx
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	[ebp+var_5C], eax
		mov	ecx, edi	; int
		lea	eax, [ebp+var_70]
		push	eax
		push	0Eh
		pop	edx
		call	_DbgkQueueUserExceptionReport@12 ; DbgkQueueUserExceptionReport(x,x,x)
		jmp	short loc_9960F8
; 

loc_9960D7:				; CODE XREF: MiForceCrashForInvalidAccess(x,x)+80j
		push	esi		; int
		push	esi		; int
		push	esi		; int
		push	esi		; int
		push	ebx
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		push	eax		; int
		push	0C0000726h	; int
		push	9000h		; int
		push	1Ah		; int
		push	offset ??_C@_1BM@FMDCFHKI@?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@ ;	"MemoryManager"
		call	_DbgkWerCaptureLiveKernelDump@36 ; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)

loc_9960F8:				; CODE XREF: MiForceCrashForInvalidAccess(x,x)+B6j
		xor	dl, dl
		mov	ecx, ebx
		call	PsFreezeProcess
		push	esi
		mov	eax, 1000h
		mov	[ebp+var_20], 18h
		push	eax
		push	eax
		push	esi
		push	1
		push	esi
		push	esi
		push	0FFFFFFFFh
		lea	eax, [ebp+var_20]
		mov	[ebp+var_1C], esi
		push	eax
		push	1FFFFFh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_14], 200h
		push	eax
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		call	_ZwCreateThreadEx@44 ; ZwCreateThreadEx(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_99617A
		push	esi
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], esi
		push	eax
		push	esi
		push	ds:_PsThreadType
		push	1FFFFFh
		push	[ebp+var_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		push	3
		pop	edx
		call	_KeRequestTerminationProcess@8 ; KeRequestTerminationProcess(x,x)
		push	esi
		push	[ebp+var_4]
		call	ObCloseHandle
		mov	ecx, [ebp+var_8]
		call	ObfDereferenceObject
		jmp	short loc_996186
; 

loc_99617A:				; CODE XREF: MiForceCrashForInvalidAccess(x,x)+11Fj
		mov	edx, 0C0000725h
		mov	ecx, ebx
		call	_PsTerminateProcess@8 ;	PsTerminateProcess(x,x)

loc_996186:				; CODE XREF: MiForceCrashForInvalidAccess(x,x)+47j
					; MiForceCrashForInvalidAccess(x,x)+6Aj ...
		mov	ecx, edi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiForceCrashForInvalidAccess@8	endp


;  S U B	R O U T	I N E 


; __stdcall MiInitializeLockedPagesTracking(x)
_MiInitializeLockedPagesTracking@4 proc	near
					; CODE XREF: MmInitializeProcessAddressSpace+173F87p
					; MmInitializeHandBuiltProcess2+83B5Cp
		mov	edi, edi
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		push	edi
		push	40h
		push	14h
		mov	edx, 78546D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jz	short loc_9961C3
		mov	[eax+0Ch], edi
		mov	[eax], edi
		mov	[eax+4], edi
		mov	dword ptr [eax+10h], 1
		mov	[esi+1ECh], eax

loc_9961C3:				; CODE XREF: MiInitializeLockedPagesTracking(x)+1Aj
		pop	edi
		pop	esi
		retn
_MiInitializeLockedPagesTracking@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiReturnProcessVads(x)
_MiReturnProcessVads@4 proc near	; CODE XREF: MiAllocateProcessVads+6Bp
					; MmInitializeProcessAddressSpace+173F9Ap
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_9961F0
		push	edi

loc_9961D0:				; CODE XREF: MiReturnProcessVads(x)+27j
		mov	edi, esi
		mov	esi, [esi]
		mov	eax, [edi+24h]
		test	eax, eax
		jz	short loc_9961E3
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9961E3:				; CODE XREF: MiReturnProcessVads(x)+13j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jnz	short loc_9961D0
		pop	edi

loc_9961F0:				; CODE XREF: MiReturnProcessVads(x)+7j
		pop	esi
		retn
_MiReturnProcessVads@4 endp


;  S U B	R O U T	I N E 


; __stdcall MmGetImageSectionBasedAddress(x)
_MmGetImageSectionBasedAddress@4 proc near
					; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1775p
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	eax, [eax]
		mov	eax, [eax+18h]
		retn
_MmGetImageSectionBasedAddress@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFillMapFileInfo(x, x)
_MiFillMapFileInfo@8 proc near		; CODE XREF: MmEnumerateAddressSpaceAndReferenceImages+162279p
					; MiLogMapFileEvent(x,x)+27p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		xor	edx, edx
		mov	[ebp+var_10], esi
		mov	[ebp+var_4], edx
		mov	eax, [edi+1Ch]
		lea	ebx, [esi+8]
		mov	[ebp+var_18], eax
		mov	eax, [edi+2Ch]
		mov	ecx, [eax]
		mov	eax, [edi+40h]
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_14], ecx
		mov	[ebp+var_8], eax
		mov	eax, [edi+0Ch]
		mov	[ebx], edx
		mov	[ebx+4], edx
		mov	[ebp+var_C], eax
		cmp	[ecx+20h], edx
		jz	loc_9962D0
		call	MiReferenceControlAreaFile
		mov	ecx, [ebp+var_14]
		mov	edx, [eax+0Ch]
		mov	[esi+4], edx
		mov	edx, eax
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		mov	ecx, edi
		call	MiGetProtoPteAddress
		mov	ecx, [ebp+var_8]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, [edi+30h]
		mov	ecx, [ebp+var_4]
		push	eax
		call	MiStartingOffset
		mov	esi, [ebx]
		mov	ecx, [ebx+4]
		xor	esi, eax
		mov	eax, [ebp+var_18]
		xor	ecx, edx
		xor	esi, [ebx]
		and	ecx, 0FFFFh
		xor	ecx, [ebx+4]
		and	al, 70h
		mov	[ebx], esi
		mov	[ebx+4], ecx
		cmp	al, 20h
		jnz	short loc_9962C8
		mov	eax, [edi+1Ch]
		and	eax, 0F80h
		cmp	eax, 380h
		jnz	short loc_9962BA
		and	ecx, 0FF7FFFFFh
		or	ecx, 400000h
		jmp	short loc_9962DD
; 

loc_9962BA:				; CODE XREF: MiFillMapFileInfo(x,x)+ADj
		and	ecx, 0FFBFFFFFh
		or	ecx, (offset loc_7FFFFF+1)
		jmp	short loc_9962DD
; 

loc_9962C8:				; CODE XREF: MiFillMapFileInfo(x,x)+9Ej
		and	ecx, 0FF3FFFFFh
		jmp	short loc_9962DD
; 

loc_9962D0:				; CODE XREF: MiFillMapFileInfo(x,x)+3Fj
		mov	eax, [edi+30h]
		mov	ecx, 0C00000h
		mov	[esi+4], eax
		mov	esi, edx

loc_9962DD:				; CODE XREF: MiFillMapFileInfo(x,x)+BBj
					; MiFillMapFileInfo(x,x)+C9j ...
		mov	eax, ebx
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	eax, [edi+28h]
		mov	esi, [ebx+4]
		mov	ecx, [ebp+var_10]
		and	esi, 0FFDFFFFFh
		mov	edx, [ebx]
		shr	eax, 18h
		and	eax, 1
		mov	[ebx], edx
		shl	eax, 15h
		or	esi, eax
		mov	eax, [ebp+var_8]
		mov	[ebx+4], esi
		and	esi, 0FFE0FFFFh
		mov	eax, [eax+0E4h]
		mov	[ecx+18h], eax
		mov	eax, [ebp+var_C]
		shl	eax, 0Ch
		mov	[ecx], eax
		mov	eax, [edi+10h]
		sub	eax, [edi+0Ch]
		inc	eax
		shl	eax, 0Ch
		mov	[ecx+10h], eax
		xor	eax, eax
		mov	ecx, [edi+1Ch]
		or	eax, edx
		shr	ecx, 7
		and	ecx, 1Fh
		mov	[ebx], eax
		shl	ecx, 10h
		or	ecx, esi
		mov	[ebx+4], ecx
		mov	eax, [edi+20h]
		mov	ecx, [ebp+var_10]
		pop	edi
		shl	eax, 0Ch
		pop	esi
		mov	[ecx+14h], eax
		pop	ebx
		leave
		retn
_MiFillMapFileInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogMapFileEvent(x, x)
_MiLogMapFileEvent@8 proc near		; CODE XREF: MiUnmapVad+164116p
					; MiMapViewOfImageSection+1637AFp ...

var_20		= dword	ptr -20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_20]
		push	8
		pop	ecx
		rep stosd
		mov	eax, [esi+1Ch]
		mov	ebx, edx
		and	al, 70h
		cmp	al, 10h
		jz	short loc_996397
		lea	edx, [ebp+var_20]
		mov	ecx, esi
		call	_MiFillMapFileInfo@8 ; MiFillMapFileInfo(x,x)
		push	(offset	off_401900+3)
		push	1Ch
		lea	eax, [ebp+var_20]
		mov	edx, 8000h
		push	eax
		mov	ecx, ebx
		call	_MiLogPerfMemoryEvent@20 ; MiLogPerfMemoryEvent(x,x,x,x,x)

loc_996397:				; CODE XREF: MiLogMapFileEvent(x,x)+20j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiLogMapFileEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMapImageInSystemProcess(x, x, x, x)
_MiMapImageInSystemProcess@16 proc near	; CODE XREF: MiMapImageInSystemSpace+1537F3p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= byte ptr -2Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ecx
		mov	[ebp+var_4], edx
		push	ebx
		push	esi
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_8], eax
		mov	esi, [eax]
		mov	edx, ecx
		push	edi
		add	esi, 10h
		mov	eax, ecx
		nop
		mov	ebx, ecx
		lock cmpxchg8b qword ptr [esi]
		mov	edi, [ebp+arg_4]
		mov	edx, ecx
		mov	[edi], eax
		mov	eax, ecx
		nop
		mov	ebx, ecx
		lock cmpxchg8b qword ptr [esi]
		cmp	edx, 1
		ja	loc_996468
		push	0
		pop	ecx
		jb	short loc_9963E8
		cmp	eax, ecx
		jnb	loc_996468

loc_9963E8:				; CODE XREF: MiMapImageInSystemProcess(x,x,x,x)+42j
		mov	eax, ds:_MmHighestUserAddress
		mov	ebx, [edi]
		inc	eax
		cmp	ebx, eax
		ja	short loc_996468
		mov	eax, large fs:124h
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		push	58h		; size_t
		mov	[edi], ecx
		mov	esi, [eax+80h]
		lea	eax, [ebp+var_70]
		push	ecx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	edx, edx
		mov	ecx, esi
		call	MiGetUserReservationHighestAddress
		push	[ebp+var_4]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_6C], eax
		lea	eax, [ebx+0FFFh]
		push	1
		and	eax, 0FFFFF000h
		mov	[ebp+var_2C], dl
		push	2
		push	edx
		mov	[ebp+var_64], eax
		lea	edx, [ebp+var_70]
		lea	eax, [ebp+var_10]
		mov	[ebp+var_68], 10000h
		push	eax
		push	edi
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], 40000h
		mov	[ebp+var_30], esi
		mov	[ebp+var_34], esi
		call	MiMapViewOfImageSection
		jmp	short loc_99646D
; 

loc_996468:				; CODE XREF: MiMapImageInSystemProcess(x,x,x,x)+39j
					; MiMapImageInSystemProcess(x,x,x,x)+46j ...
		mov	eax, 0C000001Fh

loc_99646D:				; CODE XREF: MiMapImageInSystemProcess(x,x,x,x)+CAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiMapImageInSystemProcess@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetSessionMappedViewInformation(x, x, x, x)
_MmGetSessionMappedViewInformation@16 proc near	; CODE XREF: PAGE:0077F710p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		and	[esp+50h+var_30], eax
		and	[esp+50h+var_38], eax
		and	[esp+50h+var_3C], eax
		mov	[esp+50h+var_24], edx
		mov	[esp+50h+var_2C], ebx
		mov	[esp+50h+var_40], eax
		mov	[esp+50h+var_44], eax
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [esp+58h+var_1C]
		push	6
		pop	ecx
		rep stosd
		test	edx, edx
		jz	short loc_9964F4
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+58h+var_48], al
		lea	eax, [esp+58h+var_30]
		push	eax
		lea	eax, [esp+5Ch+var_44]
		push	eax
		push	1
		push	[esp+64h+var_48]
		call	ExLockUserBuffer
		test	eax, eax
		js	loc_996623
		mov	eax, [esp+58h+var_44]
		mov	[esp+58h+var_40], eax

loc_9964F4:				; CODE XREF: MmGetSessionMappedViewInformation(x,x,x,x)+47j
					; MmGetSessionMappedViewInformation(x,x,x,x)+17Cj
		and	dword ptr [ebx], 0
		xor	edi, edi
		xor	ebx, ebx
		mov	[esp+58h+var_48], edi
		xor	esi, esi
		xor	ecx, ecx

loc_996503:				; CODE XREF: MmGetSessionMappedViewInformation(x,x,x,x)+161j
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9965FC
		mov	esi, [esp+58h+var_40]
		lea	eax, [ebx+14h]
		add	esi, 0FFFFFFECh
		mov	[esp+58h+var_28], eax
		add	esi, eax
		mov	ecx, edi
		mov	[esp+58h+var_34], esi
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		mov	edx, eax
		mov	eax, [ebp+arg_4]
		mov	[esp+58h+var_20], edx
		mov	ecx, [eax]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_996545
		cmp	edx, ecx
		jnz	loc_9965D3

loc_996545:				; CODE XREF: MmGetSessionMappedViewInformation(x,x,x,x)+C7j
		lea	edx, [esp+58h+var_1C]
		mov	ecx, edi
		call	MmAttachSession
		test	eax, eax
		js	short loc_9965CB
		mov	eax, [esp+58h+var_28]
		cmp	eax, ebx
		jb	short loc_9965DA
		mov	ebx, eax
		cmp	ebx, [esp+58h+var_24]
		jbe	short loc_99656E
		mov	[esp+58h+var_48], 0C0000004h
		jmp	short loc_9965C0
; 

loc_99656E:				; CODE XREF: MmGetSessionMappedViewInformation(x,x,x,x)+EEj
		mov	eax, large fs:124h
		lea	edx, [esp+58h+var_3C]
		mov	eax, [eax+80h]
		mov	esi, [eax+180h]
		lea	eax, [esp+58h+var_38]
		push	eax
		lea	ecx, [esi+23F0h]
		call	_MiGetSystemPteStatistics@12 ; MiGetSystemPteStatistics(x,x,x)
		mov	ecx, [esp+58h+var_34]
		mov	eax, [esp+58h+var_3C]
		shl	eax, 0Ch
		mov	[ecx+0Ch], eax
		mov	eax, [esp+58h+var_38]
		shl	eax, 0Ch
		mov	[ecx+10h], eax
		mov	eax, [esp+58h+var_20]
		mov	[ecx+4], eax
		mov	eax, [esi+80h]
		mov	esi, ecx
		mov	[esi+8], eax
		mov	[esi], ebx

loc_9965C0:				; CODE XREF: MmGetSessionMappedViewInformation(x,x,x,x)+F8j
		lea	edx, [esp+58h+var_1C]
		mov	ecx, edi
		call	MmDetachSession

loc_9965CB:				; CODE XREF: MmGetSessionMappedViewInformation(x,x,x,x)+DEj
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_9965F5

loc_9965D3:				; CODE XREF: MmGetSessionMappedViewInformation(x,x,x,x)+CBj
		mov	ecx, edi
		jmp	loc_996503
; 

loc_9965DA:				; CODE XREF: MmGetSessionMappedViewInformation(x,x,x,x)+E6j
		lea	edx, [esp+58h+var_1C]
		mov	ecx, edi
		call	MmDetachSession
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	ebx, [esp+58h+var_2C]
		jmp	loc_9964F4
; 

loc_9965F5:				; CODE XREF: MmGetSessionMappedViewInformation(x,x,x,x)+15Dj
		mov	ecx, edi
		call	ObfDereferenceObject

loc_9965FC:				; CODE XREF: MmGetSessionMappedViewInformation(x,x,x,x)+98j
		mov	edi, [esp+58h+var_48]
		test	edi, edi
		js	short loc_99660B
		test	esi, esi
		jz	short loc_99660B
		and	dword ptr [esi], 0

loc_99660B:				; CODE XREF: MmGetSessionMappedViewInformation(x,x,x,x)+18Ej
					; MmGetSessionMappedViewInformation(x,x,x,x)+192j
		cmp	[esp+58h+var_44], 0
		jz	short loc_99661B
		mov	ecx, [esp+58h+var_30]
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)

loc_99661B:				; CODE XREF: MmGetSessionMappedViewInformation(x,x,x,x)+19Cj
		mov	eax, [esp+58h+var_2C]
		mov	[eax], ebx
		mov	eax, edi

loc_996623:				; CODE XREF: MmGetSessionMappedViewInformation(x,x,x,x)+72j
		mov	ecx, [esp+58h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_MmGetSessionMappedViewInformation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtMapViewOfSectionEx(x, x, x, x, x,	x, x, x, x)
_NtMapViewOfSectionEx@36 proc near	; DATA XREF: .text:005812C4o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_4], al
		xor	eax, eax
		push	[ebp+var_4]
		push	eax
		push	eax
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	eax
		call	MiMapViewOfSectionExCommon
		leave
		retn	24h
_NtMapViewOfSectionEx@36 endp


;  S U B	R O U T	I N E 


; __stdcall MiSplitDriverPage(x, x)
_MiSplitDriverPage@8 proc near		; CODE XREF: MiProbeLeafPteAccess(x,x)+2B8p
		mov	edi, edi
		push	ecx
		push	0
		push	edx
		call	_MiMakeDriverPagesPrivate@16 ; MiMakeDriverPagesPrivate(x,x,x,x)
		pop	ecx
		retn
_MiSplitDriverPage@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddPhysicalMemory(x, x, x, x, x)
_MiAddPhysicalMemory@20	proc near	; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+273p
					; MiAllocateFileExtents(x,x,x,x,x)+48Fp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 50h
		push	esi
		push	edi
		mov	[esp+58h+var_28], ecx
		lea	edi, [esp+58h+var_18]
		push	6
		xor	eax, eax
		mov	esi, edx
		mov	edx, [ebp+arg_4]
		pop	ecx
		rep stosd
		mov	eax, 0FFFh
		mov	[esp+58h+var_30], edx
		test	[esi], eax
		jnz	loc_996B7D
		mov	ecx, [ebp+arg_0]
		test	[ecx], eax
		jnz	loc_996B76
		mov	edi, [esi]
		or	edx, 1
		mov	eax, [esi+4]
		mov	esi, [ecx]
		shrd	edi, eax, 0Ch
		mov	eax, [ecx+4]
		shrd	esi, eax, 0Ch
		mov	[ebp+arg_4], edx
		mov	[esp+58h+var_44], esi
		lea	ecx, [edi+esi]
		mov	[esp+58h+var_48], ecx
		cmp	edi, ecx
		jnb	loc_996B7D
		mov	eax, dword_6D07B0
		mov	[esp+58h+var_4C], eax
		mov	eax, dword_6D0700
		mov	[esp+58h+var_40], eax
		mov	eax, dword_6D0704
		shrd	[esp+58h+var_40], eax, 0Ch
		mov	edx, [esp+58h+var_40]
		shr	eax, 0Ch
		add	edx, 0FFFFFFFFh
		mov	[esp+58h+var_2C], edx
		adc	eax, 0FFFFFFFFh
		xor	edx, edx
		cmp	edx, eax
		mov	edx, [ebp+arg_4]
		jb	short loc_99673A
		ja	short loc_996731
		mov	eax, [esp+58h+var_2C]
		cmp	[esp+58h+var_4C], eax
		jbe	short loc_99673A

loc_996731:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+9Fj
		mov	eax, [esp+58h+var_40]
		dec	eax
		mov	[esp+58h+var_4C], eax

loc_99673A:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+9Dj
					; MiAddPhysicalMemory(x,x,x,x,x)+A9j
		lea	eax, [ecx-1]
		cmp	eax, [esp+58h+var_4C]
		jbe	short loc_99675F
		test	byte ptr [esp+58h+var_30], 2
		jnz	loc_996B76
		mov	ecx, [esp+58h+var_4C]
		inc	ecx
		mov	esi, ecx
		mov	[esp+58h+var_48], ecx
		sub	esi, edi
		mov	[esp+58h+var_44], esi

loc_99675F:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+BBj
		cmp	edi, ecx
		jnb	loc_996B7D
		mov	eax, dword_6D3250
		lea	ecx, [edi+esi]
		cmp	ecx, eax
		jb	short loc_99677C
		add	eax, 800h
		cmp	edi, eax
		jb	short loc_996784

loc_99677C:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+EBj
		cmp	ecx, offset loc_7FFFFA
		jb	short loc_99678E

loc_996784:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+F4j
		mov	eax, 0C0000018h
		jmp	loc_996B82
; 

loc_99678E:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+FCj
		mov	eax, large fs:124h
		mov	[esp+58h+var_40], eax
		xor	eax, eax
		cmp	[esp+58h+var_28], offset _MiSystemPartition
		mov	[esp+58h+var_3C], eax
		mov	[esp+58h+var_38], eax
		mov	[esp+58h+var_34], eax
		mov	[esp+58h+var_1C], eax
		lea	eax, [esp+58h+var_24]
		mov	[esp+58h+var_20], eax
		mov	[esp+58h+var_24], eax
		jz	short loc_9967CA
		mov	edx, [esp+58h+var_30]
		or	edx, 5
		mov	[ebp+arg_4], edx

loc_9967CA:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+138j
		test	dl, 0FEh
		setnz	cl
		bt	edx, 8
		setb	al
		test	cl, al
		jz	short loc_9967E5
		mov	eax, 0C00000F2h
		jmp	loc_996B82
; 

loc_9967E5:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+153j
		mov	eax, edx
		and	eax, 2
		mov	[esp+58h+var_4C], eax
		jz	short loc_9967F9
		push	0
		call	_MiDeleteExtentPfns@4 ;	MiDeleteExtentPfns(x)
		jmp	short loc_996807
; 

loc_9967F9:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+168j
		mov	edx, [esp+58h+var_40]
		mov	ecx, offset _MiSystemPartition
		call	_MiLockDynamicMemoryExclusive@8	; MiLockDynamicMemoryExclusive(x,x)

loc_996807:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+171j
		cmp	[esp+58h+var_4C], 0
		jz	loc_996897
		mov	edx, [esp+58h+var_40]
		mov	ecx, offset _MiSystemPartition
		call	_MiLockDynamicMemoryShared@8 ; MiLockDynamicMemoryShared(x,x)
		mov	ecx, ds:_MmPhysicalMemoryBlock
		and	[esp+58h+var_30], 0
		mov	esi, [esp+58h+var_48]
		mov	eax, [ecx]
		mov	[esp+58h+var_2C], eax
		test	eax, eax
		jz	short loc_99687D
		add	ecx, 0Ch

loc_99683C:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+1F5j
		mov	edx, [ecx]
		mov	eax, [ecx-4]
		test	edx, edx
		jz	short loc_99686B
		cmp	edi, eax
		jnb	short loc_996865
		cmp	esi, eax
		jbe	short loc_99686B

loc_99684D:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+1E3j
		mov	edx, [esp+58h+var_40]
		mov	ecx, offset _MiSystemPartition
		call	_MiUnlockDynamicMemoryShared@8 ; MiUnlockDynamicMemoryShared(x,x)
		mov	esi, 0C0000018h
		jmp	loc_996AE5
; 

loc_996865:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+1C1j
		add	eax, edx
		cmp	edi, eax
		jb	short loc_99684D

loc_99686B:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+1BDj
					; MiAddPhysicalMemory(x,x,x,x,x)+1C5j
		mov	eax, [esp+58h+var_30]
		add	ecx, 8
		inc	eax
		mov	[esp+58h+var_30], eax
		cmp	eax, [esp+58h+var_2C]
		jb	short loc_99683C

loc_99687D:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+1B1j
		mov	edx, [esp+58h+var_40]
		mov	ecx, offset _MiSystemPartition
		mov	byte_6CF4BC, 1
		call	_MiUnlockDynamicMemoryShared@8 ; MiUnlockDynamicMemoryShared(x,x)
		jmp	loc_996A09
; 

loc_996897:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+186j
		mov	edx, dword_6D5D88
		mov	ecx, dword_6D06CC
		lea	eax, [edx+esi]
		cmp	eax, ecx
		jbe	short loc_9968BB
		mov	eax, ecx
		sub	eax, edx
		mov	[esp+58h+var_44], eax
		lea	esi, [edi+eax]
		mov	[esp+58h+var_48], esi
		jmp	short loc_9968BF
; 

loc_9968BB:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+222j
		mov	esi, [esp+58h+var_48]

loc_9968BF:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+233j
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		inc	edx
		call	MiReferencePageRuns
		mov	[esp+58h+var_38], eax
		cmp	edi, esi
		jb	short loc_9968DE
		mov	esi, 0C00000EFh
		jmp	loc_996AF4
; 

loc_9968DE:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+24Cj
		test	[ebp+arg_4], 404h
		jnz	short loc_9968FD
		push	0
		lea	edx, [esi-1]
		mov	ecx, edi
		call	_KeConfigureDynamicMemory@12 ; KeConfigureDynamicMemory(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_996AF4

loc_9968FD:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+25Fj
		mov	esi, [esp+58h+var_44]
		lea	ecx, [esp+58h+var_24]
		push	esi
		mov	edx, edi
		call	_MiDescribePageRun@12 ;	MiDescribePageRun(x,x,x)
		test	eax, eax
		jz	loc_996AEF
		mov	edx, ds:_MmPhysicalMemoryBlock
		lea	eax, [esp+58h+var_18]
		and	[esp+58h+var_18], 0
		lea	ecx, [esp+58h+var_34]
		push	eax		; size_t
		mov	[esp+5Ch+var_10], edi
		mov	[esp+5Ch+var_C], esi
		call	_MiConfigureMemoryInsertion@12 ; MiConfigureMemoryInsertion(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_996AF4
		mov	esi, [esp+58h+var_44]
		mov	edx, edi
		push	esi
		mov	ecx, offset _MiSystemPartition
		call	_MiSplitPfnBitMaps@12 ;	MiSplitPfnBitMaps(x,x,x)
		test	eax, eax
		jz	loc_996AEF
		and	[esp+58h+var_30], 0
		mov	ecx, offset dword_6D305C
		mov	[esp+58h+var_2C], ecx

loc_996967:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+30Aj
		push	esi
		mov	edx, edi
		call	_MiSplitMirrorBitMap@12	; MiSplitMirrorBitMap(x,x,x)
		test	eax, eax
		jz	loc_996AEF
		mov	eax, [esp+58h+var_30]
		mov	ecx, [esp+58h+var_2C]
		add	eax, 8
		add	ecx, 8
		mov	[esp+58h+var_30], eax
		mov	[esp+58h+var_2C], ecx
		cmp	eax, 10h
		jb	short loc_996967
		mov	ecx, [esp+58h+var_38]

loc_996996:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+37Dj
		mov	eax, [esp+58h+var_24]
		lea	edx, [esp+58h+var_24]
		mov	[esp+58h+var_2C], ecx
		mov	[esp+58h+var_30], eax
		cmp	eax, edx
		jz	short loc_996A05
		cmp	[eax+4], edx
		jnz	loc_996B51
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_996B51
		mov	[esp+58h+var_24], edx
		lea	esi, [esp+58h+var_24]
		mov	[edx+4], esi
		mov	edx, ecx
		push	eax		; size_t
		lea	ecx, [esp+5Ch+var_3C]
		call	_MiConfigureMemoryInsertion@12 ; MiConfigureMemoryInsertion(x,x,x)
		push	0
		push	[esp+5Ch+var_30]
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+58h+var_2C]
		cmp	eax, [esp+58h+var_38]
		jz	short loc_9969F7
		push	0
		add	eax, 0FFFFFFF8h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9969F7:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+364j
		test	esi, esi
		js	loc_996AF4
		mov	ecx, [esp+58h+var_3C]
		jmp	short loc_996996
; 

loc_996A05:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+322j
		mov	esi, [esp+58h+var_48]

loc_996A09:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+20Cj
		push	[ebp+arg_8]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+arg_4]
		push	[esp+60h+var_28]
		call	_MiMapNewPfns@20 ; MiMapNewPfns(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_996AE5
		mov	ecx, [esp+58h+var_44]
		mov	edx, 1000h
		mov	esi, [ebp+arg_0]
		mov	eax, ecx
		mul	edx
		cmp	[esp+58h+var_4C], 0
		mov	[esi], eax
		mov	[esi+4], edx
		jnz	loc_996AE3
		push	[ebp+arg_4]
		lea	eax, [esp+5Ch+var_3C]
		mov	edx, ecx
		push	eax
		lea	eax, [esp+60h+var_34]
		mov	ecx, edi
		push	eax
		call	_MiPerformMemoryChange@20 ; MiPerformMemoryChange(x,x,x,x,x)
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		inc	edx
		call	MiComputeNodeMemory
		mov	eax, dword_6D5D88
		mov	esi, [esp+58h+var_48]
		mov	ds:0FFDF02E8h, eax
		mov	eax, [ebp+arg_4]
		test	al, 40h
		jnz	short loc_996AA2
		push	0
		lea	ecx, [esi+1FFh]
		mov	eax, edi
		shr	ecx, 9
		mov	edx, edi
		shr	eax, 9
		sub	ecx, eax
		push	0
		push	ecx
		mov	ecx, offset _MiSystemPartition
		call	MiUpdateLargePageBitMap
		mov	eax, [ebp+arg_4]

loc_996AA2:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+3F6j
		test	al, 4
		jnz	short loc_996AB0
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_MiEnableNewPfns@12 ; MiEnableNewPfns(x,x,x)

loc_996AB0:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+41Ej
		mov	eax, ds:_MiFlags
		test	eax, 10000000h
		jz	short loc_996AD4
		and	al, 30h
		cmp	al, 20h
		jb	short loc_996AD4
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_425315+3)
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_996AD4:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+434j
					; MiAddPhysicalMemory(x,x,x,x,x)+43Aj
		push	0
		push	0
		push	dword_6D4EF8
		call	KePulseEvent

loc_996AE3:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+3BAj
		xor	esi, esi

loc_996AE5:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+1DAj
					; MiAddPhysicalMemory(x,x,x,x,x)+39Aj
		mov	edi, [esp+58h+var_4C]
		test	edi, edi
		jnz	short loc_996B06
		jmp	short loc_996AF8
; 

loc_996AEF:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+289j
					; MiAddPhysicalMemory(x,x,x,x,x)+2CDj ...
		mov	esi, 0C000009Ah

loc_996AF4:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+253j
					; MiAddPhysicalMemory(x,x,x,x,x)+271j ...
		mov	edi, [esp+58h+var_4C]

loc_996AF8:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+467j
		mov	edx, [esp+58h+var_40]
		mov	ecx, offset _MiSystemPartition
		call	MiUnlockDynamicMemoryExclusive

loc_996B06:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+465j
		mov	eax, [esp+58h+var_34]
		test	eax, eax
		jz	short loc_996B19
		push	0
		add	eax, 0FFFFFFF8h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_996B19:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+486j
		mov	eax, [esp+58h+var_3C]
		test	eax, eax
		jz	short loc_996B2C
		add	eax, 0FFFFFFF8h

loc_996B24:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+4C9j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_996B2C:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+499j
		mov	eax, [esp+58h+var_24]
		lea	ecx, [esp+58h+var_24]
		cmp	eax, ecx
		jz	short loc_996B56
		cmp	[eax+4], ecx
		jnz	short loc_996B51
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_996B51
		lea	edx, [esp+58h+var_24]
		mov	[esp+58h+var_24], ecx
		mov	[ecx+4], edx
		jmp	short loc_996B24
; 

loc_996B51:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+327j
					; MiAddPhysicalMemory(x,x,x,x,x)+332j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_996B56:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+4B0j
		test	edi, edi
		jnz	short loc_996B72
		mov	eax, [esp+58h+var_38]
		test	eax, eax
		jz	short loc_996B69
		mov	ecx, eax
		call	_MiDereferencePageRuns@4 ; MiDereferencePageRuns(x)

loc_996B69:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+4DAj
		test	esi, esi
		js	short loc_996B72
		call	_IoUpdateDumpPhysicalRanges@0 ;	IoUpdateDumpPhysicalRanges()

loc_996B72:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+4D2j
					; MiAddPhysicalMemory(x,x,x,x,x)+4E5j
		mov	eax, esi
		jmp	short loc_996B82
; 

loc_996B76:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+37j
					; MiAddPhysicalMemory(x,x,x,x,x)+C2j
		mov	eax, 0C00000F0h
		jmp	short loc_996B82
; 

loc_996B7D:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+2Cj
					; MiAddPhysicalMemory(x,x,x,x,x)+62j ...
		mov	eax, 0C00000EFh

loc_996B82:				; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+103j
					; MiAddPhysicalMemory(x,x,x,x,x)+15Aj ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MiAddPhysicalMemory@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddPhysicalMemoryChunks(x, x, x, x)
_MiAddPhysicalMemoryChunks@16 proc near	; CODE XREF: MiActOnPartitionNodePages(x,x,x)+3EFp
					; MmAddPhysicalMemory(x,x)+40p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi		; struct _exception *
		xor	edi, edi
		mov	[ebp+var_1C], ecx
		and	[ebp+var_4], edi
		xor	ebx, ebx
		mov	ecx, [edx+4]
		and	[ebp+var_10], eax
		mov	[ebp+var_14], edi
		mov	edi, [edx]
		mov	edx, [esi]
		mov	esi, [esi+4]
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], esi
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax

loc_996BC6:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+2BDj
					; MiAddPhysicalMemoryChunks(x,x,x,x)+2E3j
		shrd	edi, ecx, 0Ch
		shrd	edx, esi, 0Ch
		mov	ecx, edi
		call	MiRestrictRangeToNode
		mov	ecx, 100000h
		mov	esi, eax
		cmp	edi, ecx
		jnb	short loc_996BEB
		lea	eax, [esi+edi]
		cmp	eax, ecx
		jbe	short loc_996BEB
		mov	esi, ecx
		sub	esi, edi

loc_996BEB:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+54j
					; MiAddPhysicalMemoryChunks(x,x,x,x)+5Bj
		mov	ecx, edi
		call	_MiPageToNode@4	; MiPageToNode(x)
		inc	eax
		push	eax
		call	MiGetClosestImplicitNode
		imul	ecx, eax, 280h
		mov	eax, dword_6D4E50
		add	eax, 0FFFFFD80h
		add	eax, ecx
		cmp	[ebp+var_10], 0
		mov	[ebp+var_18], eax
		jl	short loc_996C68
		xor	ebx, ebx
		xor	eax, eax
		test	edi, 1FFh
		jnz	short loc_996C51
		mov	ecx, 200h

loc_996C25:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+C5j
		cmp	esi, ecx
		jb	loc_996CBB
		neg	ecx
		and	esi, ecx
		test	eax, eax
		jz	loc_996CBB
		mov	ecx, ds:dword_4102F0[eax*4]
		dec	eax
		mov	[ebp+var_10], eax
		xor	edx, edx
		mov	eax, edi
		div	ecx
		mov	eax, [ebp+var_10]
		test	edx, edx
		jz	short loc_996C25

loc_996C51:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+94j
		mov	ecx, ds:_MiLargePageSizes[eax*4]
		xor	edx, edx
		mov	eax, edi
		div	ecx
		sub	ecx, edx
		cmp	esi, ecx
		jbe	short loc_996CBB
		mov	esi, ecx
		jmp	short loc_996CBB
; 

loc_996C68:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+88j
		mov	ecx, [ebp+var_C]
		mov	edx, 200h
		mov	esi, ecx
		cmp	ecx, edx
		jbe	short loc_996C78
		mov	esi, edx

loc_996C78:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+EAj
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_996C91
		xor	ebx, ebx
		cmp	ecx, edx
		ja	short loc_996CBB
		cmp	edi, 100000h
		setb	bl
		inc	ebx
		jmp	short loc_996CBB
; 

loc_996C91:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+F3j
		cmp	eax, 1
		jnz	short loc_996C9F
		cmp	edx, ecx
		sbb	ebx, ebx
		add	ebx, 2
		jmp	short loc_996CBB
; 

loc_996C9F:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+10Aj
		cmp	eax, 2
		jnz	short loc_996CA8
		push	3
		jmp	short loc_996CAF
; 

loc_996CA8:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+118j
		cmp	eax, 3
		jnz	short loc_996CB2
		push	4

loc_996CAF:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+11Cj
		pop	ebx
		jmp	short loc_996CBB
; 

loc_996CB2:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+121j
		cmp	eax, 4
		jz	loc_996E72

loc_996CBB:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+9Dj
					; MiAddPhysicalMemoryChunks(x,x,x,x)+A9j ...
		xor	eax, eax
		inc	eax
		mov	[ebp+var_C], eax
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	ecx, eax
		test	ecx, ecx
		jmp	short loc_996CED
; 

loc_996CCC:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+166j
		mov	eax, ds:_MiLargePageSizes[ecx*4]
		xor	edx, edx
		mov	[ebp+var_8], eax
		mov	eax, edi
		div	[ebp+var_8]
		test	edx, edx
		jnz	short loc_996CEA
		mov	eax, esi
		div	[ebp+var_8]
		test	edx, edx
		jz	short loc_996CF4

loc_996CEA:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+155j
		add	ecx, 1

loc_996CED:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+140j
		mov	[ebp+var_10], ecx
		jz	short loc_996CCC
		jmp	short loc_996CFA
; 

loc_996CF4:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+15Ej
		mov	eax, [ebp+var_8]
		mov	[ebp+var_C], eax

loc_996CFA:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+168j
		mov	ecx, [ebp+arg_4]
		mov	eax, 200h
		and	ecx, 0FFFFA7FFh
		mov	[ebp+arg_4], ecx
		cmp	esi, eax
		jb	loc_996DC5
		test	ebx, ebx
		jnz	short loc_996D45
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		call	_MiNodeLargeFreeZeroPages2@8 ; MiNodeLargeFreeZeroPages2(x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_996D60
		lea	eax, [esi+edi]
		cmp	eax, 100000h
		mov	eax, 200h
		jbe	short loc_996D42
		cmp	esi, eax
		jbe	short loc_996D42
		and	[ebp+var_10], edx
		mov	esi, eax
		mov	[ebp+var_C], eax

loc_996D42:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+1AAj
					; MiAddPhysicalMemoryChunks(x,x,x,x)+1AEj
		xor	ebx, ebx
		inc	ebx

loc_996D45:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+18Bj
		cmp	ebx, 3
		jz	short loc_996DBC
		cmp	ebx, 1
		jnz	short loc_996DBC
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		inc	edx
		call	_MiNodeLargeFreeZeroPages2@8 ; MiNodeLargeFreeZeroPages2(x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_996DB7

loc_996D60:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+19Bj
		mov	edi, [ebp+var_C]
		imul	eax, edi, 1Ch
		shr	eax, 0Ch
		cmp	edx, eax
		jnb	short loc_996D70
		xor	edi, edi
		inc	edi

loc_996D70:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+1E1j
		mov	ecx, [ebp+arg_4]
		cmp	edi, 1
		jz	short loc_996D9C
		or	ecx, 4000h
		cmp	[ebp+var_1C], offset _MiSystemPartition
		jnz	short loc_996D9C
		cmp	[ebp+var_10], 0
		jnz	short loc_996D95
		or	ecx, 800h
		jmp	short loc_996D9C
; 

loc_996D95:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+201j
		mov	eax, 1000h
		or	ecx, eax

loc_996D9C:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+1ECj
					; MiAddPhysicalMemoryChunks(x,x,x,x)+1FBj ...
		shl	edx, 0Ch
		neg	edi
		mov	eax, edx
		mov	[ebp+arg_4], 1Ch
		xor	edx, edx
		div	[ebp+arg_4]
		and	eax, edi
		cmp	esi, eax
		jbe	short loc_996DC5
		jmp	short loc_996DC3
; 

loc_996DB7:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+1D4j
		mov	eax, 200h

loc_996DBC:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+1BEj
					; MiAddPhysicalMemoryChunks(x,x,x,x)+1C3j
		mov	ecx, [ebp+arg_4]
		cmp	esi, eax
		jz	short loc_996DC5

loc_996DC3:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+22Bj
		mov	esi, eax

loc_996DC5:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+183j
					; MiAddPhysicalMemoryChunks(x,x,x,x)+229j ...
		cmp	ebx, 2
		jg	short loc_996DD2
		or	ecx, 2000h
		jmp	short loc_996DD8
; 

loc_996DD2:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+23Ej
		and	ecx, 0FFFFDFFFh

loc_996DD8:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+246j
		mov	eax, esi
		mov	[ebp+arg_4], ecx
		mov	edx, 1000h
		mov	[ebp+var_C], esi
		mul	edx
		push	0
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_38]
		push	ecx
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_34], edx
		lea	edx, [ebp+var_30]
		push	eax
		mov	[ebp+var_8], ebx
		call	_MiAddPhysicalMemory@20	; MiAddPhysicalMemory(x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		js	short loc_996E4C
		mov	eax, [ebp+var_14]
		add	eax, [ebp+var_38]
		mov	ecx, [ebp+var_4]
		adc	ecx, [ebp+var_34]
		mov	edi, [ebp+var_30]
		add	edi, [ebp+var_38]
		mov	edx, [ebp+var_20]
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+var_2C]
		adc	ecx, [ebp+var_34]
		sub	edx, eax
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_24]
		sbb	eax, [ebp+var_4]
		mov	[ebp+var_18], eax
		mov	eax, edx
		or	eax, [ebp+var_18]
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], ecx
		jz	short loc_996E75
		mov	esi, [ebp+var_18]
		jmp	loc_996BC6
; 

loc_996E4C:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+27Fj
		cmp	esi, 0C000009Ah
		jz	short loc_996E5C
		cmp	esi, 0C000012Dh
		jnz	short loc_996E75

loc_996E5C:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+2C8j
		cmp	ebx, 4
		jz	short loc_996E75
		mov	ecx, [ebp+var_2C]
		mov	edi, [ebp+var_30]
		mov	esi, [ebp+var_34]
		mov	edx, [ebp+var_38]
		jmp	loc_996BC6
; 

loc_996E72:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+12Bj
		mov	esi, [ebp+var_10]

loc_996E75:				; CODE XREF: MiAddPhysicalMemoryChunks(x,x,x,x)+2B8j
					; MiAddPhysicalMemoryChunks(x,x,x,x)+2D0j ...
		mov	eax, [ebp+arg_0]
		mov	edi, [ebp+var_14]
		mov	ecx, [ebp+var_4]
		mov	[eax], edi
		pop	edi
		mov	[eax+4], ecx
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiAddPhysicalMemoryChunks@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiConfigureMemoryInsertion(size_t)
_MiConfigureMemoryInsertion@12 proc near ; CODE	XREF: MiAddPhysicalMemory(x,x,x,x,x)+2ABp
					; MiAddPhysicalMemory(x,x,x,x,x)+34Ap

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ecx
		mov	[ebp+var_C], edx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_30], eax
		push	esi
		mov	[eax], ebx
		mov	eax, [ebp+arg_0]
		push	edi
		mov	ecx, [eax+8]
		mov	esi, [eax+0Ch]
		mov	[ebp+var_18], ecx
		add	ecx, esi
		mov	[ebp+var_20], ecx
		mov	ecx, [edx]
		mov	[ebp+var_10], esi
		mov	[ebp+var_14], ecx
		cmp	[eax], ebx
		jnz	short loc_996EC4
		mov	edi, ebx
		jmp	short loc_996ECA
; 

loc_996EC4:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+32j
		lea	edi, [edx+8]
		lea	edi, [edi+ecx*8]

loc_996ECA:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+36j
		lea	esi, [ecx+1]
		cmp	esi, ecx
		jb	loc_997199
		cmp	ecx, 1FFFFFFCh
		ja	loc_997199
		mov	eax, ecx
		shl	eax, 3
		mov	[ebp+var_2C], eax
		add	eax, 10h
		mov	[ebp+var_28], eax
		test	edi, edi
		jz	short loc_996F0D
		not	eax
		shr	eax, 3
		cmp	eax, esi
		jb	loc_997199
		mov	eax, ecx
		shl	eax, 3
		lea	esi, [eax+18h]
		add	esi, eax
		mov	[ebp+var_28], esi

loc_996F0D:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+65j
		mov	[ebp+var_4], ebx
		mov	esi, ebx
		mov	[ebp+var_8], 1
		add	edx, 0Ch
		mov	eax, ebx

loc_996F1E:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+117j
		mov	[ebp+var_1C], edx
		mov	ecx, edx
		mov	edx, [edx-4]
		mov	ecx, [ecx]
		test	ecx, ecx
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+var_14]
		jz	short loc_996F92
		add	[ebp+var_24], edx
		mov	eax, [ebp+var_18]
		cmp	eax, edx
		jnb	short loc_996F4B
		cmp	[ebp+var_20], edx
		jbe	short loc_996F50

loc_996F41:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+C2j
		mov	eax, 0C0000018h
		jmp	loc_99719E
; 

loc_996F4B:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+AEj
		cmp	eax, [ebp+var_24]
		jb	short loc_996F41

loc_996F50:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+B3j
		cmp	eax, [ebp+var_24]
		jz	short loc_996F5A
		cmp	[ebp+var_20], edx
		jnz	short loc_996F8F

loc_996F5A:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+C7j
		test	edi, edi
		jz	short loc_996F78
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+arg_0]
		mov	eax, [edi+eax*8]
		cmp	eax, [edx+10h]
		mov	eax, [ebp+var_4]
		jnz	short loc_996F92
		mov	eax, [edi+eax*8+4]
		cmp	eax, [edx+14h]
		jnz	short loc_996F8F

loc_996F78:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+D0j
		cmp	[ebp+var_8], 1
		mov	eax, [ebp+var_4]
		jnz	short loc_996F8A
		mov	esi, eax
		mov	edx, ebx

loc_996F85:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+101j
		mov	[ebp+var_8], edx
		jmp	short loc_996F95
; 

loc_996F8A:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+F3j
		or	edx, 0FFFFFFFFh
		jmp	short loc_996F85
; 

loc_996F8F:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+CCj
					; MiConfigureMemoryInsertion(x,x,x)+EAj
		mov	eax, [ebp+var_4]

loc_996F92:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+A4j
					; MiConfigureMemoryInsertion(x,x,x)+E1j
		mov	edx, [ebp+var_8]

loc_996F95:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+FCj
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, ecx
		jnb	short loc_996FA8
		mov	edx, [ebp+var_1C]
		add	edx, 8
		jmp	loc_996F1E
; 

loc_996FA8:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+10Fj
		mov	eax, [ebp+var_28]
		add	ecx, edx
		mov	[ebp+var_28], ecx
		lea	eax, [eax+edx*8]
		test	edi, edi
		jz	short loc_996FBA
		lea	eax, [eax+ecx*8]

loc_996FBA:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+129j
		push	ebx
		push	40h
		mov	edx, 20206D4Dh
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jz	loc_997199
		mov	edx, [ebp+var_C]
		lea	ecx, [eax+8]
		mov	dword ptr [eax+4], 1
		mov	dword ptr [eax], offset	_MiSystemPartition
		mov	eax, [ebp+var_28]
		mov	[ecx], eax
		inc	eax
		mov	[ebp+var_4], ecx
		lea	ebx, [ecx+eax*8]
		mov	eax, [edx+4]
		add	eax, [ebp+var_10]
		mov	[ecx+4], eax
		add	ecx, 8
		cmp	[ebp+var_8], 0FFFFFFFFh
		jnz	loc_99709C
		lea	eax, ds:8[esi*8]
		push	eax		; size_t
		lea	eax, [edx+8]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		test	edi, edi
		jz	short loc_997031
		lea	eax, ds:8[esi*8]
		push	eax		; size_t
		push	edi		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_997031:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+191j
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_4]
		mov	eax, [edx+esi*8+14h]
		add	eax, [ebp+var_10]
		add	[ecx+esi*8+0Ch], eax
		lea	eax, [esi+2]
		mov	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	loc_99718D
		sub	ecx, esi
		lea	eax, ds:0FFFFFFF0h[ecx*8]
		push	eax		; size_t
		mov	[ebp+arg_0], eax
		lea	eax, [edx+18h]
		lea	eax, [eax+esi*8]
		push	eax		; void *
		mov	eax, [ebp+var_4]
		lea	eax, [eax+esi*8]
		add	eax, 10h
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		test	edi, edi
		jz	loc_99718D
		push	[ebp+arg_0]	; size_t
		lea	eax, [esi+2]
		lea	eax, [edi+eax*8]
		push	eax		; void *
		lea	eax, [esi+1]
		lea	eax, [ebx+eax*8]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_99718D
; 

loc_99709C:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+174j
		cmp	[ebp+var_8], 0
		lea	eax, [edx+8]
		mov	[ebp+var_14], eax
		jnz	short loc_9970F1
		push	[ebp+var_2C]	; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		test	edi, edi
		jz	short loc_9970C6
		push	[ebp+var_2C]	; size_t
		push	edi		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_9970C6:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+22Bj
		mov	edx, [ebp+var_C]
		mov	ebx, [ebp+var_10]
		mov	ecx, [edx+esi*8+8]
		mov	eax, [edx+esi*8+0Ch]
		mov	edx, [ebp+var_4]
		add	eax, ecx
		mov	ecx, [ebp+var_18]
		add	[edx+esi*8+0Ch], ebx
		cmp	ecx, eax
		jz	loc_997190
		mov	[edx+esi*8+8], ecx
		jmp	loc_997190
; 

loc_9970F1:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+21Aj
		xor	esi, esi
		mov	[ebp+var_1C], esi

loc_9970F6:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+2DCj
		cmp	[ebp+var_1C], 0
		jnz	short loc_997139
		mov	edx, [ebp+var_20]
		cmp	edx, [eax]
		mov	edx, [ebp+var_C]
		ja	short loc_997139
		mov	edx, [ebp+var_18]
		mov	[ecx], edx
		mov	edx, [ebp+var_10]
		mov	[ecx+4], edx
		add	ecx, 8
		mov	edx, [ebp+var_C]
		test	edi, edi
		jz	short loc_997132
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+14h]
		mov	[ebx+4], eax
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+10h]
		mov	[ebx], eax
		add	ebx, 8
		mov	eax, [ebp+var_14]

loc_997132:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+28Dj
		mov	[ebp+var_1C], 1

loc_997139:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+26Ej
					; MiConfigureMemoryInsertion(x,x,x)+278j
		mov	eax, [eax]
		mov	[ecx], eax
		mov	eax, [ebp+var_14]
		mov	eax, [eax+4]
		mov	[ecx+4], eax
		add	ecx, 8
		test	edi, edi
		jz	short loc_99715C
		mov	eax, [edi+esi*8]
		mov	[ebx], eax
		mov	eax, [edi+esi*8+4]
		mov	[ebx+4], eax
		add	ebx, 8

loc_99715C:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+2BFj
		mov	eax, [ebp+var_14]
		inc	esi
		add	eax, 8
		mov	[ebp+var_14], eax
		cmp	esi, [edx]
		jnz	short loc_9970F6
		cmp	[ebp+var_1C], 0
		jnz	short loc_99718D
		mov	eax, [ebp+var_18]
		mov	[ecx], eax
		mov	eax, [ebp+var_10]
		mov	[ecx+4], eax
		test	edi, edi
		jz	short loc_99718D
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+14h]
		mov	[ebx+4], eax
		mov	eax, [ecx+10h]
		mov	[ebx], eax

loc_99718D:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+1BEj
					; MiConfigureMemoryInsertion(x,x,x)+1ECj ...
		mov	edx, [ebp+var_4]

loc_997190:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+256j
					; MiConfigureMemoryInsertion(x,x,x)+260j
		mov	eax, [ebp+var_30]
		mov	[eax], edx
		xor	eax, eax
		jmp	short loc_99719E
; 

loc_997199:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+43j
					; MiConfigureMemoryInsertion(x,x,x)+4Fj ...
		mov	eax, 0C000009Ah

loc_99719E:				; CODE XREF: MiConfigureMemoryInsertion(x,x,x)+BAj
					; MiConfigureMemoryInsertion(x,x,x)+30Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiConfigureMemoryInsertion@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConfigureMemoryRemoval(x,	x, x)
_MiConfigureMemoryRemoval@12 proc near	; CODE XREF: MiRemovePhysicalMemory(x,x,x)+CEp
					; MiRemovePhysicalMemory(x,x,x)+148p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_24], ecx
		mov	[ecx], eax
		mov	ecx, [edx]
		push	edi
		mov	[ebp+var_14], edx
		cmp	[esi], eax
		jnz	short loc_9971CA
		mov	edi, eax
		mov	[ebp+var_10], eax
		jmp	short loc_9971D3
; 

loc_9971CA:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+1Cj
		lea	edi, [edx+8]
		lea	edi, [edi+ecx*8]
		mov	[ebp+var_10], edi

loc_9971D3:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+23j
		mov	ebx, [esi+8]
		mov	esi, [esi+0Ch]
		mov	[ebp+var_C], ebx
		add	ebx, esi
		mov	[ebp+var_18], esi
		mov	esi, [ebp+var_14]
		add	esi, 0Ch
		mov	[ebp+var_8], ebx
		mov	[ebp+arg_0], eax
		mov	[ebp+var_4], esi

loc_9971F0:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+78j
		mov	ebx, [esi-4]
		mov	edx, ecx
		mov	esi, [esi]
		add	esi, ebx
		mov	[ebp+var_1C], ebx
		cmp	[ebp+var_C], ebx
		mov	ebx, [ebp+var_8]
		push	0
		pop	eax
		jb	short loc_99720B
		cmp	ebx, esi
		jbe	short loc_99724C

loc_99720B:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+60j
		mov	edx, [ebp+arg_0]
		mov	esi, [ebp+var_4]
		inc	edx
		add	esi, 8
		mov	[ebp+arg_0], edx
		mov	[ebp+var_4], esi
		cmp	edx, ecx
		jnz	short loc_9971F0
		push	0FFFFFFFEh
		pop	ebx

loc_997222:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+C1j
		lea	edx, [ebx+ecx]
		shl	edx, 3
		lea	ecx, [edx+10h]
		test	edi, edi
		jz	short loc_997231
		add	ecx, edx

loc_997231:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+88j
		push	eax
		push	40h
		mov	edx, 20206D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jnz	short loc_99726C
		mov	eax, 0C000009Ah
		jmp	loc_997384
; 

loc_99724C:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+64j
		mov	ecx, [ebp+var_C]
		cmp	ecx, [ebp+var_1C]
		jnz	short loc_99725D
		cmp	ebx, esi
		jnz	short loc_997268
		or	ebx, 0FFFFFFFFh
		jmp	short loc_997264
; 

loc_99725D:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+ADj
		cmp	ebx, esi
		jz	short loc_997268
		xor	ebx, ebx
		inc	ebx

loc_997264:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+B6j
					; MiConfigureMemoryRemoval(x,x,x)+C5j
		mov	ecx, edx
		jmp	short loc_997222
; 

loc_997268:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+B1j
					; MiConfigureMemoryRemoval(x,x,x)+BAj
		mov	ebx, eax
		jmp	short loc_997264
; 

loc_99726C:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+9Bj
		mov	edx, [ebp+var_14]
		lea	esi, [eax+8]
		mov	dword ptr [eax+4], 1
		mov	dword ptr [eax], offset	_MiSystemPartition
		mov	[ebp+var_20], esi
		mov	ecx, [edx]
		add	ecx, ebx
		mov	[esi], ecx
		mov	eax, [edx+4]
		lea	edx, [esi+8]
		sub	eax, [ebp+var_18]
		mov	[esi+4], eax
		lea	esi, [esi+ecx*8]
		mov	ecx, [ebp+var_14]
		xor	eax, eax
		add	esi, 8
		mov	ebx, eax
		add	ecx, 8
		mov	[ebp+var_4], ecx

loc_9972A7:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+1CFj
		mov	ecx, [ecx]
		mov	[ebp+arg_0], ecx
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx+4]
		add	ecx, [ebp+arg_0]
		mov	[ebp+var_1C], ecx
		test	al, 1
		jnz	loc_997341
		mov	edi, [ebp+var_C]
		cmp	edi, [ebp+arg_0]
		mov	edi, [ebp+var_10]
		jb	short loc_997341
		cmp	[ebp+var_8], ecx
		ja	short loc_997341
		mov	edi, [ebp+var_C]
		or	eax, 1
		cmp	edi, [ebp+arg_0]
		mov	edi, [ebp+var_10]
		jnz	short loc_9972FA
		cmp	[ebp+var_8], ecx
		jz	loc_997367
		mov	ecx, [ebp+arg_0]
		add	ecx, [ebp+var_18]

loc_9972ED:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+15Bj
		mov	[edx], ecx
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx+4]
		sub	ecx, [ebp+var_18]
		jmp	short loc_99734E
; 

loc_9972FA:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+137j
		cmp	[ebp+var_8], ecx
		mov	ecx, [ebp+arg_0]
		jz	short loc_9972ED
		mov	[edx], ecx
		mov	ecx, [ebp+var_C]
		sub	ecx, [ebp+arg_0]
		mov	[edx+4], ecx
		test	edi, edi
		jz	short loc_99732D
		mov	ecx, [edi+ebx*8]
		mov	[esi], ecx
		mov	ecx, [edi+ebx*8+4]
		mov	[esi+4], ecx
		mov	ecx, [edi+ebx*8]
		mov	[esi+8], ecx
		mov	ecx, [edi+ebx*8+4]
		mov	[esi+0Ch], ecx
		add	esi, 10h

loc_99732D:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+16Aj
		mov	ecx, [ebp+var_8]
		mov	[edx+8], ecx
		mov	ecx, [ebp+var_1C]
		sub	ecx, [ebp+var_8]
		mov	[edx+0Ch], ecx
		add	edx, 10h
		jmp	short loc_997367
; 

loc_997341:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+115j
					; MiConfigureMemoryRemoval(x,x,x)+124j	...
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx]
		mov	[edx], ecx
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx+4]

loc_99734E:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+153j
		mov	[edx+4], ecx
		add	edx, 8
		test	edi, edi
		jz	short loc_997367
		mov	ecx, [edi+ebx*8]
		mov	[esi], ecx
		mov	ecx, [edi+ebx*8+4]
		mov	[esi+4], ecx
		add	esi, 8

loc_997367:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+13Cj
					; MiConfigureMemoryRemoval(x,x,x)+19Aj	...
		mov	ecx, [ebp+var_14]
		inc	ebx
		add	[ebp+var_4], 8
		cmp	ebx, [ecx]
		mov	ecx, [ebp+var_4]
		jnz	loc_9972A7
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_20]
		mov	[ecx], eax
		xor	eax, eax

loc_997384:				; CODE XREF: MiConfigureMemoryRemoval(x,x,x)+A2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiConfigureMemoryRemoval@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMapNewPfns(x, x, x, x, x)
_MiMapNewPfns@20 proc near		; CODE XREF: MiAddPhysicalMemory(x,x,x,x,x)+391p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		imul	ecx, edx, 1Ch
		push	esi
		push	edi
		mov	edi, ds:_MmPfnDatabase
		mov	[ebp+var_8], ebx
		add	ecx, edi
		mov	[ebp+var_4], edx
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		imul	esi, ebx, 1Ch
		lea	ecx, [edi-1]
		mov	[ebp+var_10], eax
		add	ecx, esi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, edx
		mov	[ebp+var_C], eax
		call	_MiPageToNode@4	; MiPageToNode(x)
		inc	eax
		push	eax
		call	MiGetClosestImplicitNode
		mov	edi, [ebp+arg_4]
		mov	esi, eax
		and	edi, 2000h
		or	edi, 1508h
		shr	edi, 3
		test	[ebp+arg_4], 4000h
		jz	short loc_9973F4
		or	edi, 100h

loc_9973F4:				; CODE XREF: MiMapNewPfns(x,x,x,x,x)+61j
		mov	eax, [ebp+arg_4]
		and	eax, 2
		mov	[ebp+var_14], eax
		jz	short loc_997414
		mov	ebx, large fs:124h
		mov	ecx, offset _MiSystemPartition
		mov	edx, ebx
		call	_MiLockDynamicMemoryShared@8 ; MiLockDynamicMemoryShared(x,x)
		jmp	short loc_997416
; 

loc_997414:				; CODE XREF: MiMapNewPfns(x,x,x,x,x)+72j
		xor	ebx, ebx

loc_997416:				; CODE XREF: MiMapNewPfns(x,x,x,x,x)+87j
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		push	esi
		push	4
		push	edi
		call	MiMakeZeroedPageTablesEx
		test	eax, eax
		jnz	short loc_99743B
		test	ebx, ebx
		jz	short loc_997481
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	_MiUnlockDynamicMemoryShared@8 ; MiUnlockDynamicMemoryShared(x,x)
		jmp	short loc_997481
; 

loc_99743B:				; CODE XREF: MiMapNewPfns(x,x,x,x,x)+9Cj
		mov	esi, [ebp+var_8]
		xor	edi, edi
		mov	edx, [ebp+var_4]
		sub	esi, edx
		cmp	[ebp+var_14], edi
		jnz	loc_9974D1
		mov	eax, [ebp+arg_4]
		mov	ecx, esi
		and	eax, 4
		shl	ecx, 0Ch
		test	[ebp+arg_4], 200h
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], ecx
		jz	short loc_997488
		mov	eax, edx
		mov	edx, 1000h
		mul	edx
		push	4
		push	ecx
		push	edx
		push	eax
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_997488

loc_997481:				; CODE XREF: MiMapNewPfns(x,x,x,x,x)+A0j
					; MiMapNewPfns(x,x,x,x,x)+AEj
		mov	eax, 0C000009Ah
		jmp	short loc_997505
; 

loc_997488:				; CODE XREF: MiMapNewPfns(x,x,x,x,x)+DBj
					; MiMapNewPfns(x,x,x,x,x)+F4j
		xor	eax, eax
		mov	edx, esi
		cmp	[ebp+var_14], eax
		mov	ecx, offset _MiSystemPartition
		push	0
		setnz	al
		push	eax
		push	esi
		call	MiIncreaseCommitLimits
		test	eax, eax
		jnz	short loc_9974B8
		test	edi, edi
		jz	short loc_9974B1
		push	[ebp+var_10]
		push	edi
		call	MmUnmapIoSpace

loc_9974B1:				; CODE XREF: MiMapNewPfns(x,x,x,x,x)+11Bj
		mov	eax, 0C000012Dh
		jmp	short loc_997505
; 

loc_9974B8:				; CODE XREF: MiMapNewPfns(x,x,x,x,x)+117j
		test	[ebp+arg_4], 404h
		jnz	short loc_9974D1
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	1
		lea	edx, [edx-1]
		call	_KeConfigureDynamicMemory@12 ; KeConfigureDynamicMemory(x,x,x)

loc_9974D1:				; CODE XREF: MiMapNewPfns(x,x,x,x,x)+BDj
					; MiMapNewPfns(x,x,x,x,x)+134j
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_MiInitializeDynamicPfns@24 ; MiInitializeDynamicPfns(x,x,x,x,x,x)
		test	ebx, ebx
		jz	short loc_9974F5
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	_MiUnlockDynamicMemoryShared@8 ; MiUnlockDynamicMemoryShared(x,x)

loc_9974F5:				; CODE XREF: MiMapNewPfns(x,x,x,x,x)+15Cj
		test	edi, edi
		jz	short loc_997503
		shl	esi, 0Ch
		push	esi
		push	edi
		call	MmUnmapIoSpace

loc_997503:				; CODE XREF: MiMapNewPfns(x,x,x,x,x)+16Cj
		xor	eax, eax

loc_997505:				; CODE XREF: MiMapNewPfns(x,x,x,x,x)+FBj
					; MiMapNewPfns(x,x,x,x,x)+12Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiMapNewPfns@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiNewPfnsSuitable(x)
_MiNewPfnsSuitable@4 proc near		; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+252p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		mov	edi, [ecx+4]
		xor	edx, edx
		mov	[ebp+var_4], edi
		test	edi, edi
		jz	short loc_997577
		add	ecx, 0Ch

loc_997537:				; CODE XREF: MiNewPfnsSuitable(x)+69j
		mov	esi, [ecx-4]
		cmp	esi, 80000000h
		jz	short loc_99756F
		mov	eax, [ecx]
		mov	edi, dword_6D3250
		add	eax, esi
		mov	[ebp+var_20], edi
		cmp	eax, edi
		mov	edi, [ebp+var_4]
		mov	[ebp+var_24], eax
		jb	short loc_997568
		mov	eax, [ebp+var_20]
		add	eax, 800h
		cmp	esi, eax
		jb	short loc_997583
		mov	eax, [ebp+var_24]

loc_997568:				; CODE XREF: MiNewPfnsSuitable(x)+4Bj
		cmp	eax, offset loc_7FFFFA
		jnb	short loc_997583

loc_99756F:				; CODE XREF: MiNewPfnsSuitable(x)+34j
		inc	edx
		add	ecx, 8
		cmp	edx, edi
		jb	short loc_997537

loc_997577:				; CODE XREF: MiNewPfnsSuitable(x)+26j
		xor	eax, eax
		inc	eax

loc_99757A:				; CODE XREF: MiNewPfnsSuitable(x)+79j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_997583:				; CODE XREF: MiNewPfnsSuitable(x)+57j
					; MiNewPfnsSuitable(x)+61j
		xor	eax, eax
		jmp	short loc_99757A
_MiNewPfnsSuitable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRemovePhysicalMemory(x, x, x)
_MiRemovePhysicalMemory@12 proc	near	; CODE XREF: MiDeleteExtentPfns(x)+43p
					; MmRemovePhysicalMemory(x,x)+88p ...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 50h
		mov	[esp+50h+var_3C], edx
		mov	eax, ecx
		mov	edx, [ebp+arg_0]
		lea	ecx, [esp+50h+var_24]
		push	esi
		xor	esi, esi
		mov	[esp+54h+var_20], ecx
		and	edx, 2
		mov	[esp+54h+var_24], ecx
		mov	ecx, large fs:124h
		mov	[esp+54h+var_2C], edx
		mov	edx, ecx
		push	edi
		mov	[esp+58h+var_48], eax
		mov	[esp+58h+var_14], esi
		mov	[esp+58h+var_8], esi
		mov	[esp+58h+var_4], esi
		mov	[esp+58h+var_44], esi
		mov	[esp+58h+var_40], esi
		mov	[esp+58h+var_38], esi
		mov	[esp+58h+var_1C], esi
		mov	[esp+58h+var_30], ecx
		jz	short loc_997626
		mov	edi, esi
		mov	esi, offset _MiSystemPartition
		mov	ecx, esi
		call	_MiLockDynamicMemoryExclusive@8	; MiLockDynamicMemoryExclusive(x,x)
		test	byte ptr [ebp+arg_0], 20h
		jz	short loc_997619
		lea	ecx, [esp+58h+var_3C]
		call	_MiGetDanglingExtent@4 ; MiGetDanglingExtent(x)
		mov	[esp+58h+var_48], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_997619
		mov	edx, [esp+58h+var_30]
		mov	ecx, esi
		call	MiUnlockDynamicMemoryExclusive
		xor	eax, eax
		jmp	loc_99788E
; 

loc_997619:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+6Cj
					; MiRemovePhysicalMemory(x,x,x)+7Ej
		mov	eax, [esp+58h+var_3C]
		mov	[esp+58h+var_4C], eax
		jmp	loc_997760
; 

loc_997626:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+58j
		mov	[esp+58h+var_18], esi
		mov	esi, offset _MiSystemPartition
		mov	[esp+58h+var_10], eax
		mov	ecx, esi
		mov	eax, [esp+58h+var_3C]
		mov	[esp+58h+var_4C], eax
		mov	[esp+58h+var_C], eax
		call	_MiLockDynamicMemoryExclusive@8	; MiLockDynamicMemoryExclusive(x,x)
		mov	edx, ds:_MmPhysicalMemoryBlock
		lea	eax, [esp+58h+var_18]
		push	eax
		lea	ecx, [esp+5Ch+var_38]
		call	_MiConfigureMemoryRemoval@12 ; MiConfigureMemoryRemoval(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_99780C
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	MiReferencePageRuns
		push	[esp+58h+var_4C]
		mov	edx, [esp+5Ch+var_48]
		lea	ecx, [esp+5Ch+var_24]
		mov	[esp+5Ch+var_40], eax
		call	_MiDescribePageRun@12 ;	MiDescribePageRun(x,x,x)
		test	eax, eax
		jnz	short loc_997691
		mov	edi, 0C000009Ah
		jmp	loc_99780C
; 

loc_997691:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+FEj
		mov	ecx, [esp+58h+var_40]

loc_997695:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+17Bj
		mov	eax, [esp+58h+var_24]
		lea	edx, [esp+58h+var_24]
		mov	[esp+58h+var_34], ecx
		mov	[esp+58h+var_28], eax
		cmp	eax, edx
		jz	short loc_997704
		cmp	[eax+4], edx
		jnz	loc_997862
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_997862
		mov	[esp+58h+var_24], edx
		lea	edi, [esp+58h+var_24]
		mov	[edx+4], edi
		mov	edx, ecx
		push	eax
		lea	ecx, [esp+5Ch+var_44]
		call	_MiConfigureMemoryRemoval@12 ; MiConfigureMemoryRemoval(x,x,x)
		push	0
		push	[esp+5Ch+var_28]
		mov	edi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+58h+var_34]
		cmp	eax, [esp+58h+var_40]
		jz	short loc_9976F6
		push	0
		add	eax, 0FFFFFFF8h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9976F6:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+162j
		test	edi, edi
		js	loc_99780C
		mov	ecx, [esp+58h+var_44]
		jmp	short loc_997695
; 

loc_997704:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+120j
		mov	eax, [esp+58h+var_4C]
		mov	ecx, esi
		push	eax
		mov	edx, eax
		call	_MiReduceCommitLimits@12 ; MiReduceCommitLimits(x,x,x)
		mov	edx, [esp+58h+var_4C]
		mov	ecx, esi
		call	MiReturnCommit
		mov	edx, [esp+58h+var_4C]
		lea	eax, [esp+58h+var_44]
		mov	ecx, [esp+58h+var_48]
		push	0
		push	eax
		lea	eax, [esp+60h+var_38]
		push	eax
		call	_MiPerformMemoryChange@20 ; MiPerformMemoryChange(x,x,x,x,x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	MiComputeNodeMemory
		mov	edx, [esp+58h+var_4C]
		mov	ecx, [esp+58h+var_48]
		dec	edx
		mov	eax, dword_6D5D88
		add	edx, ecx
		push	2
		mov	ds:0FFDF02E8h, eax
		call	_KeConfigureDynamicMemory@12 ; KeConfigureDynamicMemory(x,x,x)
		mov	eax, [esp+58h+var_4C]

loc_997760:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+9Aj
		mov	ecx, [esp+58h+var_48]
		mov	edx, eax
		push	0
		push	0
		push	[ebp+arg_0]
		push	esi
		call	_MiInitializeDynamicPfns@24 ; MiInitializeDynamicPfns(x,x,x,x,x,x)
		mov	eax, dword_6D4E70
		add	eax, [esp+58h+var_4C]
		mov	dword_6D4E70, eax
		cmp	eax, 9249h
		jb	short loc_9977BB
		cmp	byte_6D4EB4, 0
		jnz	short loc_9977BB
		and	dword_6D4E60, 0
		push	1
		push	offset dword_6D4E60
		mov	dword_6D4E68, offset MiFreeUnusedPfnPages
		mov	dword_6D4E6C, esi
		call	ExQueueWorkItem
		mov	byte_6D4EB4, 1

loc_9977BB:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+1FFj
					; MiRemovePhysicalMemory(x,x,x)+208j
		cmp	[esp+58h+var_2C], 0
		jnz	short loc_99780C
		mov	eax, ds:_MiFlags
		test	eax, 10000000h
		jz	short loc_9977E6
		and	al, 30h
		cmp	al, 20h
		jb	short loc_9977E6
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	(offset	loc_425315+3)
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_9977E6:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+245j
					; MiRemovePhysicalMemory(x,x,x)+24Bj
		push	0
		push	0
		push	dword_6D4EF8
		call	KePulseEvent
		test	edi, edi
		js	short loc_99780C
		call	_MiFlushEntireTbDueToAttributeChange@0 ; MiFlushEntireTbDueToAttributeChange()
		mov	edx, [esp+58h+var_4C]
		push	ecx
		mov	ecx, [esp+5Ch+var_48]
		call	_MiFlushCacheRange@12 ;	MiFlushCacheRange(x,x,x)

loc_99780C:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+D7j
					; MiRemovePhysicalMemory(x,x,x)+105j ...
		mov	edx, [esp+58h+var_30]
		mov	ecx, esi
		call	MiUnlockDynamicMemoryExclusive
		mov	eax, [esp+58h+var_38]
		test	eax, eax
		jz	short loc_99782A
		push	0
		add	eax, 0FFFFFFF8h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99782A:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+296j
		mov	eax, [esp+58h+var_44]
		test	eax, eax
		jz	short loc_99783D
		add	eax, 0FFFFFFF8h

loc_997835:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+2D9j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99783D:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+2A9j
		mov	eax, [esp+58h+var_24]
		lea	ecx, [esp+58h+var_24]
		cmp	eax, ecx
		jz	short loc_997867
		cmp	[eax+4], ecx
		jnz	short loc_997862
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_997862
		lea	edx, [esp+58h+var_24]
		mov	[esp+58h+var_24], ecx
		mov	[ecx+4], edx
		jmp	short loc_997835
; 

loc_997862:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+125j
					; MiRemovePhysicalMemory(x,x,x)+130j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_997867:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+2C0j
		mov	eax, [esp+58h+var_40]
		test	eax, eax
		jz	short loc_997876
		mov	ecx, eax
		call	_MiDereferencePageRuns@4 ; MiDereferencePageRuns(x)

loc_997876:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+2E6j
		test	edi, edi
		js	short loc_99788C
		test	byte ptr [ebp+arg_0], 8
		jnz	short loc_99788C
		cmp	[esp+58h+var_2C], 0
		jnz	short loc_99788C
		call	_IoUpdateDumpPhysicalRanges@0 ;	IoUpdateDumpPhysicalRanges()

loc_99788C:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+2F1j
					; MiRemovePhysicalMemory(x,x,x)+2F7j ...
		mov	eax, edi

loc_99788E:				; CODE XREF: MiRemovePhysicalMemory(x,x,x)+8Dj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_MiRemovePhysicalMemory@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1363. MmAddPhysicalMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAddPhysicalMemory(x, x)
		public _MmAddPhysicalMemory@8
_MmAddPhysicalMemory@8 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		test	ecx, 0FFFh
		mov	eax, [eax+4]
		setnz	dl
		mov	[ebp+var_4], eax
		test	cl, 1
		mov	[ebp+var_8], ecx
		setnz	al
		and	dl, al
		jz	short loc_9978C9
		and	ecx, 0FFFFFFFEh
		mov	[ebp+var_8], ecx

loc_9978C9:				; CODE XREF: MmAddPhysicalMemory(x,x)+26j
		movzx	eax, dl
		mov	ecx, offset _MiSystemPartition
		shl	eax, 8
		lea	edx, [ebp+var_8]
		push	eax
		push	[ebp+arg_4]
		call	_MiAddPhysicalMemoryChunks@16 ;	MiAddPhysicalMemoryChunks(x,x,x,x)
		leave
		retn	8
_MmAddPhysicalMemory@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1462. MmRemovePhysicalMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmRemovePhysicalMemory(x, x)
		public _MmRemovePhysicalMemory@8
_MmRemovePhysicalMemory@8 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax]
		mov	eax, [eax+4]
		shrd	esi, eax, 0Ch
		mov	eax, [ebp+arg_0]
		mov	edx, [eax]
		test	edx, 0FFFh
		mov	ecx, [eax+4]
		setnz	bl
		test	dl, 1
		setnz	al
		and	bl, al
		jz	short loc_99791F
		and	edx, 0FFFFFFFEh

loc_99791F:				; CODE XREF: MmRemovePhysicalMemory(x,x)+31j
		shrd	edx, ecx, 0Ch
		mov	[esp+10h+var_4], edx
		lea	eax, [edx+esi]
		cmp	edx, eax
		jb	short loc_997935
		mov	eax, 0C00000EFh
		jmp	short loc_9979A7
; 

loc_997935:				; CODE XREF: MmRemovePhysicalMemory(x,x)+43j
		test	bl, bl
		jz	short loc_997941
		push	esi
		call	_MiRemoveBadPages@12 ; MiRemoveBadPages(x,x,x)
		jmp	short loc_997965
; 

loc_997941:				; CODE XREF: MmRemovePhysicalMemory(x,x)+4Ej
		lea	ecx, [esp+10h+var_4]
		dec	eax
		push	ecx
		push	0
		push	0C100000h
		mov	ecx, 80000000h
		push	ecx
		push	ecx
		push	1
		push	esi
		push	0
		push	eax
		mov	ecx, offset _MiSystemPartition
		call	_MiFindContiguousPages@44 ; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)

loc_997965:				; CODE XREF: MmRemovePhysicalMemory(x,x)+56j
		test	eax, eax
		js	short loc_9979A7
		mov	ecx, [esp+10h+var_4]
		mov	edx, esi
		push	10h
		call	_MiRemovePhysicalMemory@12 ; MiRemovePhysicalMemory(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_99798F
		mov	ecx, 1000h
		mov	eax, esi
		mul	ecx
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		mov	[ecx+4], edx
		jmp	short loc_9979A5
; 

loc_99798F:				; CODE XREF: MmRemovePhysicalMemory(x,x)+91j
		mov	ecx, [esp+10h+var_4]
		mov	edx, esi
		test	bl, bl
		jz	short loc_9979A0
		call	_MiReturnBadPagesToBadList@8 ; MiReturnBadPagesToBadList(x,x)
		jmp	short loc_9979A5
; 

loc_9979A0:				; CODE XREF: MmRemovePhysicalMemory(x,x)+AEj
		call	_MiFreeContiguousPages@8 ; MiFreeContiguousPages(x,x)

loc_9979A5:				; CODE XREF: MmRemovePhysicalMemory(x,x)+A4j
					; MmRemovePhysicalMemory(x,x)+B5j
		mov	eax, edi

loc_9979A7:				; CODE XREF: MmRemovePhysicalMemory(x,x)+4Aj
					; MmRemovePhysicalMemory(x,x)+7Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_MmRemovePhysicalMemory@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1364. MmAddVerifierSpecialThunks

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAddVerifierSpecialThunks(x, x, x)
		public _MmAddVerifierSpecialThunks@12
_MmAddVerifierSpecialThunks@12 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		test	byte ptr ds:_MiFlags, 1
		push	ebx
		push	esi
		push	edi
		jz	loc_997A82
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jz	loc_997A82
		test	_VfRuleClasses,	0FFAFFFFFh
		jnz	short loc_9979F3
		test	byte ptr dword_6FDE00, 6
		jz	loc_997A82

loc_9979F3:				; CODE XREF: MmAddVerifierSpecialThunks(x,x,x)+2Fj
		mov	esi, [ebp+arg_8]
		shr	esi, 3
		test	esi, esi
		jnz	short loc_997A07
		mov	eax, 0C00000F1h
		jmp	loc_997A87
; 

loc_997A07:				; CODE XREF: MmAddVerifierSpecialThunks(x,x,x)+46j
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+var_4], eax
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_997A71
		mov	edx, [eax+18h]
		cmp	[ebp+4], edx
		jb	short loc_997A71
		mov	ecx, [eax+20h]
		add	ecx, edx
		cmp	[ebp+4], ecx
		jnb	short loc_997A71
		xor	edi, edi
		test	esi, esi
		jz	short loc_997A57
		mov	ebx, [ebp+arg_4]
		add	ebx, 4

loc_997A3E:				; CODE XREF: MmAddVerifierSpecialThunks(x,x,x)+A0j
		mov	eax, [ebx]
		cmp	eax, edx
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_8]
		jb	short loc_997A6A
		cmp	[ebp+var_C], ecx
		jnb	short loc_997A6A
		add	ebx, 8
		inc	edi
		cmp	edi, esi
		jb	short loc_997A3E

loc_997A57:				; CODE XREF: MmAddVerifierSpecialThunks(x,x,x)+81j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	eax
		push	[ebp+arg_8]
		call	_VfThunkAddSpecialDriverThunks@16 ; VfThunkAddSpecialDriverThunks(x,x,x,x)
		mov	esi, eax
		jmp	short loc_997A76
; 

loc_997A6A:				; CODE XREF: MmAddVerifierSpecialThunks(x,x,x)+93j
					; MmAddVerifierSpecialThunks(x,x,x)+98j
		mov	esi, 0C00000F0h
		jmp	short loc_997A76
; 

loc_997A71:				; CODE XREF: MmAddVerifierSpecialThunks(x,x,x)+69j
					; MmAddVerifierSpecialThunks(x,x,x)+71j ...
		mov	esi, 0C00000EFh

loc_997A76:				; CODE XREF: MmAddVerifierSpecialThunks(x,x,x)+B3j
					; MmAddVerifierSpecialThunks(x,x,x)+BAj
		mov	ecx, [ebp+var_4]
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		mov	eax, esi
		jmp	short loc_997A87
; 

loc_997A82:				; CODE XREF: MmAddVerifierSpecialThunks(x,x,x)+12j
					; MmAddVerifierSpecialThunks(x,x,x)+1Fj ...
		mov	eax, 0C00000BBh

loc_997A87:				; CODE XREF: MmAddVerifierSpecialThunks(x,x,x)+4Dj
					; MmAddVerifierSpecialThunks(x,x,x)+CBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MmAddVerifierSpecialThunks@12 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 1365. MmAddVerifierThunks

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAddVerifierThunks(x, x)
		public _MmAddVerifierThunks@8
_MmAddVerifierThunks@8 proc near	; CODE XREF: PAGE:007B3D6Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		test	byte ptr ds:_MiFlags, 1
		push	ebx
		push	esi
		push	edi
		jz	loc_997B7E
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jz	loc_997B7E
		test	_VfRuleClasses,	0FFAFFFFFh
		jnz	short loc_997AD1
		test	byte ptr dword_6FDE00, 6
		jz	loc_997B7E

loc_997AD1:				; CODE XREF: MmAddVerifierThunks(x,x)+2Fj
		mov	esi, [ebp+arg_4]
		mov	ebx, [ebp+arg_0]
		mov	edi, ebx
		shr	esi, 3
		test	esi, esi
		jnz	short loc_997AEA
		mov	eax, 0C00000EFh
		jmp	loc_997B83
; 

loc_997AEA:				; CODE XREF: MmAddVerifierThunks(x,x)+4Bj
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	ecx, [ebx]
		xor	edx, edx
		mov	[ebp+var_C], eax
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_997B6F
		mov	edx, [ecx+18h]
		mov	eax, [ecx+20h]
		add	eax, edx
		mov	[ebp+var_4], edx
		xor	edx, edx
		mov	[ebp+var_8], eax
		mov	eax, _PsLoadedModuleList
		mov	[ebp+arg_0], edx
		jmp	short loc_997B2A
; 

loc_997B1B:				; CODE XREF: MmAddVerifierThunks(x,x)+9Cj
		cmp	ecx, eax
		jz	short loc_997B6F
		inc	[ebp+arg_0]
		cmp	[ebp+arg_0], 2
		jnb	short loc_997B31
		mov	eax, [eax]

loc_997B2A:				; CODE XREF: MmAddVerifierThunks(x,x)+86j
		cmp	eax, offset _PsLoadedModuleList
		jnz	short loc_997B1B

loc_997B31:				; CODE XREF: MmAddVerifierThunks(x,x)+93j
		test	esi, esi
		jz	short loc_997B56

loc_997B35:				; CODE XREF: MmAddVerifierThunks(x,x)+C1j
		mov	eax, [edi]
		cmp	eax, [ebp+var_4]
		jb	short loc_997B6F
		cmp	eax, [ebp+var_8]
		jnb	short loc_997B6F
		mov	eax, [edi+4]
		cmp	eax, [ebp+var_4]
		jb	short loc_997B6F
		cmp	eax, [ebp+var_8]
		jnb	short loc_997B6F
		add	edi, 8
		inc	edx
		cmp	edx, esi
		jb	short loc_997B35

loc_997B56:				; CODE XREF: MmAddVerifierThunks(x,x)+A0j
		mov	edx, [ebp+arg_4]
		push	ecx
		mov	ecx, ebx
		call	_VfThunkAddDriverThunks@12 ; VfThunkAddDriverThunks(x,x,x)
		mov	ecx, [ebp+var_C]
		mov	esi, eax
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		mov	eax, esi
		jmp	short loc_997B83
; 

loc_997B6F:				; CODE XREF: MmAddVerifierThunks(x,x)+6Cj
					; MmAddVerifierThunks(x,x)+8Aj	...
		mov	ecx, [ebp+var_C]
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		mov	eax, 0C00000F0h
		jmp	short loc_997B83
; 

loc_997B7E:				; CODE XREF: MmAddVerifierThunks(x,x)+12j
					; MmAddVerifierThunks(x,x)+1Fj	...
		mov	eax, 0C00000BBh

loc_997B83:				; CODE XREF: MmAddVerifierThunks(x,x)+52j
					; MmAddVerifierThunks(x,x)+DAj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MmAddVerifierThunks@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1377. MmAllocateNonCachedMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAllocateNonCachedMemory(x)
		public _MmAllocateNonCachedMemory@4
_MmAllocateNonCachedMemory@4 proc near

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		sub	esp, 14h
		mov	eax, edx
		push	ebx
		mov	ebx, edx
		and	ebx, 0FFFh
		neg	ebx
		push	edi
		sbb	ebx, ebx
		shr	eax, 0Ch
		neg	ebx
		xor	ecx, ecx
		add	ebx, eax
		mov	eax, large fs:124h
		push	ecx
		push	ecx
		push	0FFFFFFFFh
		mov	eax, [eax+16Ch]
		push	0FFFFFFFFh
		push	ecx
		push	ecx
		mov	eax, ds:_KiProcessorBlock[eax*4]
		push	4
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		push	eax
		push	ecx
		mov	ecx, offset _MiSystemPartition
		call	MiAllocatePagesForMdl
		mov	edi, eax
		test	edi, edi
		jz	loc_997D0A
		push	esi
		mov	edx, ebx
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		jnz	short loc_997C1D
		push	edi
		call	_MmFreePagesFromMdl@4 ;	MmFreePagesFromMdl(x)
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		jmp	loc_997D09
; 

loc_997C1D:				; CODE XREF: MmAllocateNonCachedMemory(x)+78j
		lea	eax, [edi+1Ch]
		xor	edx, edx
		imul	ecx, [eax], 1Ch
		mov	[ebp+var_4], eax
		mov	eax, ds:_MmPfnDatabase
		push	0A000000Ch
		and	dword ptr [ecx+eax+0Ch], 0
		mov	[ecx+eax+8], edi
		mov	eax, esi
		shl	eax, 9
		mov	ecx, esi
		mov	[ebp+var_14], eax
		call	MiMakeValidPte
		mov	ecx, edx

loc_997C4C:				; CODE XREF: MmAllocateNonCachedMemory(x)+171j
		mov	esi, [ebp+var_4]
		xor	edi, edi
		and	[ebp+arg_0], 0
		and	eax, 0FFFh
		and	ecx, 0FFFFFFE0h
		mov	esi, [esi]
		and	esi, 1FFFFFFh
		shld	edi, esi, 0Ch
		shl	esi, 0Ch
		or	esi, eax
		mov	eax, edi
		or	eax, ecx
		mov	[ebp+var_8], esi
		mov	edi, esi
		mov	[ebp+var_C], eax
		mov	esi, [ebp+var_10]
		mov	edx, eax
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_997CD7
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_997CBF
		xor	eax, eax
		inc	eax
		cmp	byte ptr word_6D07B8+1,	0
		mov	[ebp+arg_0], eax
		jnz	short loc_997CDA

loc_997CA2:				; CODE XREF: MmAllocateNonCachedMemory(x)+146j
		mov	ecx, [ebp+var_8]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		mov	eax, [ebp+arg_0]
		jz	short loc_997CDA
		mov	edx, [ebp+var_C]
		mov	edi, ecx
		or	edx, 80000000h
		jmp	short loc_997CDA
; 

loc_997CBF:				; CODE XREF: MmAllocateNonCachedMemory(x)+102j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_997CA2

loc_997CD7:				; CODE XREF: MmAllocateNonCachedMemory(x)+F9j
		mov	eax, [ebp+arg_0]

loc_997CDA:				; CODE XREF: MmAllocateNonCachedMemory(x)+111j
					; MmAllocateNonCachedMemory(x)+121j ...
		mov	[esi+4], edx
		nop
		mov	[esi], edi
		test	eax, eax
		jz	short loc_997CED
		push	edx
		push	edi
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_997CED:				; CODE XREF: MmAllocateNonCachedMemory(x)+153j
		add	[ebp+var_4], 4
		add	esi, 8
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_10], esi
		sub	ebx, 1
		jnz	loc_997C4C
		mov	eax, [ebp+var_14]

loc_997D09:				; CODE XREF: MmAllocateNonCachedMemory(x)+89j
		pop	esi

loc_997D0A:				; CODE XREF: MmAllocateNonCachedMemory(x)+5Ej
		pop	edi
		pop	ebx
		leave
		retn	4
_MmAllocateNonCachedMemory@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1402. MmFreeNonCachedMemory

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmFreeNonCachedMemory(x, x)
		public _MmFreeNonCachedMemory@8
_MmFreeNonCachedMemory@8 proc near

var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	ebx, eax
		and	ebx, 0FFFh
		neg	ebx
		push	esi
		sbb	ebx, ebx
		shr	eax, 0Ch
		neg	ebx
		push	edi
		add	ebx, eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	[ebp+arg_4], eax
		mov	esi, [eax]
		nop
		mov	edx, [eax+4]
		mov	ecx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_997D5A
		push	edx
		push	esi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	esi, eax

loc_997D5A:				; CODE XREF: MmFreeNonCachedMemory(x,x)+3Aj
		nop
		lea	ecx, [ebp+var_8]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_997D70
		push	edx
		push	esi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	esi, eax

loc_997D70:				; CODE XREF: MmFreeNonCachedMemory(x,x)+50j
		shrd	esi, edx, 0Ch
		push	4
		and	esi, 1FFFFFFh
		imul	esi, 1Ch
		pop	ecx
		add	esi, ds:_MmPfnDatabase
		mov	edi, [esi+8]
		call	_MiMakeDemandZeroPte@4 ; MiMakeDemandZeroPte(x)
		push	edx
		push	eax
		mov	ecx, esi
		call	_MiSetPfnOriginalPte@12	; MiSetPfnOriginalPte(x,x,x)
		push	edi
		call	_MmFreePagesFromMdl@4 ;	MmFreePagesFromMdl(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [ebp+arg_4]
		mov	ecx, offset dword_6D35E0
		push	ebx
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MmFreeNonCachedMemory@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiRemoveMdlPages(x,	x)
_MiRemoveMdlPages@8 proc near		; CODE XREF: MiAllocatePagesForMdl+12151Ep

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_24], edi
		mov	ecx, [edi+14h]
		lea	eax, [edi+1Ch]
		shr	ecx, 0Ch
		mov	[ebp+var_10], eax
		mov	[ebp+var_28], ecx
		lea	eax, [eax+ecx*4]
		mov	ecx, edi
		mov	[ebp+var_14], eax
		call	_MiSortMdlFrames@4 ; MiSortMdlFrames(x)
		mov	eax, [ebp+var_8]
		or	ecx, 0FFFFFFFFh
		and	[ebp+var_18], 0
		xor	ebx, ebx
		shr	eax, 10h
		xor	esi, esi
		and	eax, 8
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_8], eax
		mov	edx, ecx
		lea	eax, [edi+1Ch]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], edx
		cmp	eax, [ebp+var_14]
		ja	loc_997EA9
		mov	edi, ecx

loc_997E19:				; CODE XREF: MiRemoveMdlPages(x,x)+E6j
		jz	short loc_997E27
		mov	ecx, [eax]
		mov	[ebp+var_C], ecx
		cmp	ecx, edi
		jnz	short loc_997E27
		inc	esi
		jmp	short loc_997E94
; 

loc_997E27:				; CODE XREF: MiRemoveMdlPages(x,x):loc_997E19j
					; MiRemoveMdlPages(x,x)+68j
		test	esi, esi
		jz	short loc_997E8C
		cmp	[ebp+var_18], 0
		jl	short loc_997E48
		push	[ebp+var_8]
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	_MiRemovePhysicalMemory@12 ; MiRemovePhysicalMemory(x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jns	short loc_997E86
		mov	edx, [ebp+var_4]

loc_997E48:				; CODE XREF: MiRemoveMdlPages(x,x)+75j
		test	esi, esi
		jz	short loc_997E77
		imul	edi, edx, 1Ch
		mov	ebx, esi

loc_997E51:				; CODE XREF: MiRemoveMdlPages(x,x)+B8j
		mov	ecx, ds:_MmPfnDatabase
		xor	edx, edx
		add	ecx, edi
		push	2
		movzx	eax, byte ptr [ecx+16h]
		shr	eax, 6
		push	eax
		push	0FFFFFFF8h
		call	_MiSetPfnOwnedAndActive@20 ; MiSetPfnOwnedAndActive(x,x,x,x,x)
		add	edi, 1Ch
		sub	ebx, 1
		jnz	short loc_997E51
		mov	ebx, [ebp+var_1C]

loc_997E77:				; CODE XREF: MiRemoveMdlPages(x,x)+90j
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	_MiFreeContiguousPages@8 ; MiFreeContiguousPages(x,x)
		add	ebx, esi
		mov	[ebp+var_1C], ebx

loc_997E86:				; CODE XREF: MiRemoveMdlPages(x,x)+89j
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_10]

loc_997E8C:				; CODE XREF: MiRemoveMdlPages(x,x)+6Fj
		mov	edx, ecx
		xor	esi, esi
		mov	[ebp+var_4], edx
		inc	esi

loc_997E94:				; CODE XREF: MiRemoveMdlPages(x,x)+6Bj
		add	eax, 4
		lea	edi, [ecx+1]
		mov	[ebp+var_10], eax
		cmp	eax, [ebp+var_14]
		jbe	loc_997E19
		mov	edi, [ebp+var_24]

loc_997EA9:				; CODE XREF: MiRemoveMdlPages(x,x)+57j
		mov	ecx, [ebp+var_28]
		mov	edx, offset dword_6D3620
		mov	eax, ecx
		neg	eax
		lock xadd [edx], eax
		test	ebx, ebx
		jz	short loc_997ED6
		cmp	ebx, ecx
		jnz	short loc_997ECD
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		jmp	short loc_997ED6
; 

loc_997ECD:				; CODE XREF: MiRemoveMdlPages(x,x)+105j
		imul	eax, ebx, 0FFFFF000h
		add	[edi+14h], eax

loc_997ED6:				; CODE XREF: MiRemoveMdlPages(x,x)+101j
					; MiRemoveMdlPages(x,x)+111j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiRemoveMdlPages@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogMemResetInfo(x, x, x)
_MiLogMemResetInfo@12 proc near		; CODE XREF: MiAllocateVirtualMemory+160613p
					; MiAllocateVirtualMemory+16063Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_C], ecx
		test	[ebp+arg_0], 80000h
		mov	[ebp+var_8], edx
		jz	short loc_997EFB
		and	eax, 0FFFFFFFCh
		jmp	short loc_997F12
; 

loc_997EFB:				; CODE XREF: MiLogMemResetInfo(x,x,x)+17j
		test	[ebp+arg_0], 1000000h
		jz	short loc_997F0C
		and	eax, 0FFFFFFFDh
		or	eax, 1
		jmp	short loc_997F12
; 

loc_997F0C:				; CODE XREF: MiLogMemResetInfo(x,x,x)+25j
		and	eax, 0FFFFFFFEh
		or	eax, 2

loc_997F12:				; CODE XREF: MiLogMemResetInfo(x,x,x)+1Cj
					; MiLogMemResetInfo(x,x,x)+2Dj
		push	(offset	off_401900+2)
		mov	[ebp+var_4], eax
		mov	edx, 20008000h
		push	0Ch
		lea	eax, [ebp+var_C]
		mov	ecx, 286h
		push	eax
		call	_MiLogPerfMemoryEvent@20 ; MiLogPerfMemoryEvent(x,x,x,x,x)
		leave
		retn	4
_MiLogMemResetInfo@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiValidateZeroBits(x)
_MiValidateZeroBits@4 proc near		; CODE XREF: MiAllocateVirtualMemoryPrepare+16060Dp
					; NtCreateEnclave(x,x,x,x,x,x,x,x,x)+C8p
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_997F44
		cmp	eax, 15h
		jbe	short loc_997F44
		mov	eax, 0C000000Dh
		retn
; 

loc_997F44:				; CODE XREF: MiValidateZeroBits(x)+4j
					; MiValidateZeroBits(x)+9j
		xor	eax, eax
		retn
_MiValidateZeroBits@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiStoreGraphicsProtectionInVad(x, x)
_MiStoreGraphicsProtectionInVad@8 proc near ; CODE XREF: MiReserveUserMemory+15FD39p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		test	edx, 20000h
		jz	short loc_997F62
		or	dword ptr [edi+1Ch], 2000000h
		and	edx, 0FFFDFFFFh

loc_997F62:				; CODE XREF: MiStoreGraphicsProtectionInVad(x,x)+Cj
		mov	esi, [edi+1Ch]
		test	edx, 40000h
		jz	short loc_997F79
		and	edx, 0FFFBFFFFh
		or	esi, 4000000h

loc_997F79:				; CODE XREF: MiStoreGraphicsProtectionInVad(x,x)+24j
		shr	edx, 0Bh
		push	0
		push	edx
		call	RtlFindMostSignificantBit
		movsx	eax, al
		shl	eax, 1Bh
		xor	eax, esi
		and	eax, 38000000h
		xor	eax, esi
		mov	[edi+1Ch], eax
		pop	edi
		pop	esi
		retn
_MiStoreGraphicsProtectionInVad@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1471. MmSetGraphicsPtes

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmSetGraphicsPtes(x, x, x, x, x, x)
		public _MmSetGraphicsPtes@24
_MmSetGraphicsPtes@24 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, dword_6D07D0
		sub	esp, 0Ch
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	esi, ecx
		jnb	loc_998134
		lea	eax, [esi+edi]
		cmp	eax, esi
		jbe	loc_998134
		cmp	eax, ecx
		jnb	loc_998134
		mov	ecx, large fs:124h
		dec	eax
		and	[ebp+arg_0], 0
		xor	edx, edx
		and	[ebp+arg_4], 0
		mov	[ebp+var_C], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_4], ecx
		mov	ecx, esi
		push	eax
		call	MiObtainReferencedVadEx
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		jnz	short loc_998004
		mov	eax, [ebp+arg_0]

loc_997FFE:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+191j
		pop	edi
		pop	esi
		leave
		retn	18h
; 

loc_998004:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+5Bj
		mov	ecx, [edx+1Ch]
		mov	eax, ecx
		and	eax, 1100000h
		cmp	eax, 1100000h
		jz	short loc_99801F
		mov	esi, 0C00000EFh
		jmp	loc_998126
; 

loc_99801F:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+75j
		mov	eax, [edx+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	[ebp+var_C], eax
		jbe	short loc_998039
		mov	esi, 0C00000F0h
		jmp	loc_998126
; 

loc_998039:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+8Fj
		mov	eax, ecx
		mov	[ebp+arg_0], 1
		and	eax, 70h
		cmp	al, 30h
		jnz	short loc_99806E
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		mov	[ebp+arg_4], eax
		call	_MiLockAweVadsExclusive@4 ; MiLockAweVadsExclusive(x)
		mov	ecx, esi
		call	_MiGetAwePageSizeFromVa@4 ; MiGetAwePageSizeFromVa(x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_998086
		mov	esi, 0C00000EFh
		jmp	loc_99811B
; 

loc_99806E:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+A9j
		mov	eax, offset loc_500000
		and	ecx, eax
		cmp	ecx, eax
		jnz	loc_998110
		mov	ecx, edx
		call	_MiGetVadPageSize@4 ; MiGetVadPageSize(x)
		mov	ecx, eax

loc_998086:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+C4j
		test	[ebp+arg_14], 0FFFFFFFEh
		jz	short loc_998096
		mov	esi, 0C00000F4h
		jmp	short loc_998115
; 

loc_998096:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+EFj
		cmp	[ebp+arg_10], 0
		jz	short loc_9980A3
		mov	esi, 0C00000F3h
		jmp	short loc_998115
; 

loc_9980A3:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+FCj
		shl	ecx, 0Ch
		cmp	[ebp+arg_C], ecx
		jz	short loc_9980B2
		mov	esi, 0C00000F2h
		jmp	short loc_998115
; 

loc_9980B2:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+10Bj
		lea	eax, [ecx-1]
		mov	[ebp+arg_10], eax
		test	eax, esi
		jnz	short loc_998110
		test	eax, edi
		jnz	short loc_998110
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_9980F4
		test	byte ptr [ebp+arg_14], 1
		jnz	short loc_9980DD
		xor	edx, edx
		mov	eax, edi
		div	ecx
		mov	[ebp+arg_0], eax
		test	eax, eax
		mov	eax, [ebp+arg_8]
		jz	short loc_9980F4

loc_9980DD:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+12Dj
		xor	edx, edx

loc_9980DF:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+154j
		mov	ecx, [eax+edx*8]
		xor	eax, eax
		and	ecx, [ebp+arg_10]
		or	ecx, eax
		jnz	short loc_998109
		mov	eax, [ebp+arg_8]
		inc	edx
		cmp	edx, [ebp+arg_0]
		jb	short loc_9980DF

loc_9980F4:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+127j
					; MmSetGraphicsPtes(x,x,x,x,x,x)+13Dj
		push	[ebp+arg_14]
		mov	edx, edi
		push	ecx
		push	[ebp+arg_C]
		mov	ecx, esi
		push	eax
		call	_MiSetGraphicsPtes@24 ;	MiSetGraphicsPtes(x,x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_998115
; 

loc_998109:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+14Bj
		mov	esi, 0C00000F1h
		jmp	short loc_998115
; 

loc_998110:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+D9j
					; MmSetGraphicsPtes(x,x,x,x,x,x)+11Cj ...
		mov	esi, 0C00000EFh

loc_998115:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+F6j
					; MmSetGraphicsPtes(x,x,x,x,x,x)+103j ...
		cmp	[ebp+arg_4], 0
		jz	short loc_998123

loc_99811B:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+CBj
		mov	ecx, [ebp+var_4]
		call	_MiUnlockAweVadsExclusive@4 ; MiUnlockAweVadsExclusive(x)

loc_998123:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+17Bj
		mov	edx, [ebp+var_8]

loc_998126:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+7Cj
					; MmSetGraphicsPtes(x,x,x,x,x,x)+96j
		mov	ecx, edx
		call	MiUnlockAndDereferenceVad
		mov	eax, esi
		jmp	loc_997FFE
; 

loc_998134:				; CODE XREF: MmSetGraphicsPtes(x,x,x,x,x,x)+18j
					; MmSetGraphicsPtes(x,x,x,x,x,x)+23j ...
		push	0
		push	edi
		push	esi
		push	0A000h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MmSetGraphicsPtes@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmIdentifyPhysicalMemory(x,	x, x, x)
_MmIdentifyPhysicalMemory@16 proc near	; CODE XREF: EtwpKernelTraceRundown+12A007p
					; EtwpKernelTraceRundown+12A027p ...

var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		push	ebx
		xor	eax, eax
		mov	ebx, edx
		push	esi
		push	edi
		lea	edi, [esp+68h+var_58]
		mov	[esp+68h+var_38], ebx
		stosd
		mov	esi, ecx
		xor	edx, edx
		mov	[esp+68h+var_34], esi
		mov	ecx, offset _MiSystemPartition
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+68h+var_18]
		stosd
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[esp+68h+var_24], edi
		call	MiReferencePageRuns
		mov	ecx, eax
		mov	edx, edi
		mov	[esp+68h+var_28], ecx
		mov	[esp+68h+var_40], edx
		cmp	[ecx], edi
		jbe	loc_9982DA
		lea	ebx, [ecx+0Ch]
		mov	[esp+68h+var_3C], ebx

loc_9981AB:				; CODE XREF: MmIdentifyPhysicalMemory(x,x,x,x)+185j
		imul	esi, [ebx-4], 1Ch
		imul	eax, [ebx], 1Ch
		add	esi, ds:_MmPfnDatabase
		add	eax, esi
		mov	[esp+68h+var_44], esi
		mov	[esp+68h+var_2C], eax
		cmp	esi, eax
		jnb	loc_9982BC

loc_9981CA:				; CODE XREF: MmIdentifyPhysicalMemory(x,x,x,x)+165j
		xor	edi, edi
		inc	edi
		cmp	[ebp+arg_4], 0
		jz	short loc_9981E9
		test	dword ptr [esi+18h], (offset loc_7FFFFF+1)
		jnz	short loc_9981E9
		mov	al, [esi+16h]
		and	al, 7
		cmp	al, 6
		jnz	loc_99829D

loc_9981E9:				; CODE XREF: MmIdentifyPhysicalMemory(x,x,x,x)+8Cj
					; MmIdentifyPhysicalMemory(x,x,x,x)+95j
		xor	eax, eax
		lea	edi, [esp+68h+var_58]
		stosd
		lea	edx, [esp+68h+var_58]
		mov	ecx, esi
		stosd
		stosd
		stosd
		call	_MiIdentifyPfnWrapper@8	; MiIdentifyPfnWrapper(x,x)
		cmp	[ebp+arg_4], 0
		mov	edi, eax
		mov	[esp+68h+var_30], edi
		jz	short loc_99821A
		mov	ecx, [esp+68h+var_58]
		and	ecx, 70h
		cmp	ecx, 60h
		jnz	loc_99829D

loc_99821A:				; CODE XREF: MmIdentifyPhysicalMemory(x,x,x,x)+C3j
		xor	eax, eax
		test	edi, edi
		jz	short loc_99829D
		mov	esi, [esp+68h+var_38]
		lea	ecx, [esp+68h+var_58]
		mov	ebx, edi
		mov	edi, [esp+68h+var_34]

loc_99822E:				; CODE XREF: MmIdentifyPhysicalMemory(x,x,x,x)+14Ej
		push	offset byte_401802
		push	[ebp+arg_0]
		xor	edx, edx
		mov	[esp+70h+var_18], ecx
		push	esi
		push	edi
		inc	edx
		mov	[esp+78h+var_14], eax
		lea	ecx, [esp+78h+var_18]
		mov	[esp+78h+var_10], 10h
		mov	[esp+78h+var_C], eax
		call	_EtwTraceSiloDcEvent@24	; EtwTraceSiloDcEvent(x,x,x,x,x,x)
		mov	eax, [esp+68h+var_58]
		inc	[esp+68h+var_50]
		and	eax, 0Fh
		cmp	eax, 2
		jnz	short loc_998271
		xor	eax, eax
		add	[esp+68h+var_4C], 8
		jmp	short loc_99828C
; 

loc_998271:				; CODE XREF: MmIdentifyPhysicalMemory(x,x,x,x)+121j
		mov	eax, [esp+68h+var_4C]
		test	eax, eax
		jz	short loc_99828A
		cmp	eax, ds:_MmBadPointer
		jz	short loc_99828A
		add	eax, 1000h
		mov	[esp+68h+var_4C], eax

loc_99828A:				; CODE XREF: MmIdentifyPhysicalMemory(x,x,x,x)+132j
					; MmIdentifyPhysicalMemory(x,x,x,x)+13Aj
		xor	eax, eax

loc_99828C:				; CODE XREF: MmIdentifyPhysicalMemory(x,x,x,x)+12Aj
		lea	ecx, [esp+68h+var_58]
		sub	ebx, 1
		jnz	short loc_99822E
		mov	esi, [esp+68h+var_44]
		mov	edi, [esp+68h+var_30]

loc_99829D:				; CODE XREF: MmIdentifyPhysicalMemory(x,x,x,x)+9Ej
					; MmIdentifyPhysicalMemory(x,x,x,x)+CFj ...
		imul	eax, edi, 1Ch
		add	esi, eax
		mov	[esp+68h+var_44], esi
		cmp	esi, [esp+68h+var_2C]
		jb	loc_9981CA
		mov	ebx, [esp+68h+var_3C]
		mov	ecx, [esp+68h+var_28]
		mov	edx, [esp+68h+var_40]

loc_9982BC:				; CODE XREF: MmIdentifyPhysicalMemory(x,x,x,x)+7Fj
		inc	edx
		add	ebx, 8
		mov	[esp+68h+var_40], edx
		mov	[esp+68h+var_3C], ebx
		cmp	edx, [ecx]
		jb	loc_9981AB
		mov	ebx, [esp+68h+var_38]
		xor	edi, edi
		mov	esi, [esp+68h+var_34]

loc_9982DA:				; CODE XREF: MmIdentifyPhysicalMemory(x,x,x,x)+59j
		call	_MiDereferencePageRuns@4 ; MiDereferencePageRuns(x)
		cmp	[ebp+arg_4], 0
		jnz	short loc_99832C
		mov	eax, ds:_MmPfnDatabase
		lea	ecx, [esp+68h+var_18]
		and	[esp+68h+var_24], 0FFFFFFE0h
		xor	edx, edx
		push	offset byte_401802
		mov	[esp+6Ch+var_20], eax
		inc	edx
		mov	eax, ds:_MxPfnAllocation
		push	27Bh
		mov	[esp+70h+var_1C], eax
		lea	eax, [esp+70h+var_24]
		push	ebx
		push	esi
		mov	[esp+78h+var_18], eax
		mov	[esp+78h+var_14], edi
		mov	[esp+78h+var_10], 0Ch
		mov	[esp+78h+var_C], edi
		call	_EtwTraceSiloDcEvent@24	; EtwTraceSiloDcEvent(x,x,x,x,x,x)

loc_99832C:				; CODE XREF: MmIdentifyPhysicalMemory(x,x,x,x)+19Ej
		mov	ecx, [esp+68h+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_MmIdentifyPhysicalMemory@16 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1391. MmCreateMirror

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmCreateMirror()
		public _MmCreateMirror@0
_MmCreateMirror@0 proc near		; CODE XREF: PAGE:loc_7B3E6Ep

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 30h
		push	3Eh
		and	[esp+34h+var_24], 0
		and	[esp+34h+var_2C], 0
		pop	eax
		push	40h
		mov	word ptr [esp+34h+var_1C], ax
		pop	eax
		push	4
		pop	ecx
		mov	word ptr [esp+30h+var_1C+2], ax
		lea	eax, [esp+30h+var_28]
		push	eax
		push	ecx
		lea	eax, [esp+38h+var_2C]
		mov	[esp+38h+var_18], offset ??_C@_1EA@PMBMBAFM@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAM?$AAi@NNGAKEGL@ ; "Kernel-MemoryMirroringSupported"
		push	eax
		lea	eax, [esp+3Ch+var_24]
		mov	[esp+3Ch+var_28], ecx
		push	eax
		lea	eax, [esp+40h+var_1C]
		push	eax
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		test	eax, eax
		js	loc_998430
		cmp	[esp+30h+var_2C], 1
		jnz	loc_998430
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+30h+var_20], al
		test	al, al
		jz	short loc_9983DC
		push	[esp+30h+var_20]
		push	ds:dword_A949BC
		push	ds:_SeShutdownPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_9983DC
		mov	eax, 0C0000061h
		jmp	short loc_998435
; 

loc_9983DC:				; CODE XREF: MmCreateMirror()+73j
					; MmCreateMirror()+8Cj
		mov	ecx, ds:dword_7051BC
		test	cl, 1
		jnz	short loc_9983EE
		mov	eax, 0C00000BBh
		jmp	short loc_998435
; 

loc_9983EE:				; CODE XREF: MmCreateMirror()+9Ej
		mov	eax, off_6B2C00
		and	cl, 2
		mov	[esp+30h+var_14], eax
		mov	eax, off_6B2C04
		mov	[esp+30h+var_10], eax
		mov	eax, off_6B2C08
		mov	[esp+30h+var_C], eax
		movzx	eax, cl
		lea	ecx, [esp+30h+var_14]
		neg	eax
		mov	[esp+30h+var_4], 2
		sbb	eax, eax
		and	eax, off_6B2C10
		mov	[esp+30h+var_8], eax
		call	_MmDuplicateMemory@4 ; MmDuplicateMemory(x)
		jmp	short loc_998435
; 

loc_998430:				; CODE XREF: MmCreateMirror()+50j
					; MmCreateMirror()+5Bj
		mov	eax, 0C000026Ah

loc_998435:				; CODE XREF: MmCreateMirror()+93j
					; MmCreateMirror()+A5j	...
		mov	esp, ebp
		pop	ebp
		retn
_MmCreateMirror@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCheckDosCalls(x, x)
_MiCheckDosCalls@8 proc	near		; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+22p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		movzx	ebx, word ptr [edi+1Eh]
		test	bx, bx
		jz	short loc_9984C7
		movzx	esi, word ptr [edi+28h]
		lea	eax, [esi+ebx*2]
		lea	ecx, [esi+edi]
		mov	[ebp+var_4], ecx
		cmp	eax, edx
		ja	short loc_9984C7
		xor	eax, eax
		xor	esi, esi
		cmp	ax, bx
		jnb	short loc_9984C7
		movzx	eax, word ptr [edi+2Ah]
		mov	[ebp+var_C], eax

loc_998473:				; CODE XREF: MiCheckDosCalls(x,x)+87j
		movzx	eax, word ptr [ecx]
		mov	ecx, [ebp+var_C]
		add	ecx, eax
		cmp	ecx, edx
		jnb	short loc_9984C7
		mov	dl, [ecx+edi]
		test	dl, dl
		jz	short loc_9984C7
		movzx	eax, dl
		add	eax, ecx
		cmp	eax, [ebp+var_8]
		jnb	short loc_9984C7
		cmp	dl, 8
		jnz	short loc_9984AE
		push	8		; size_t
		lea	eax, [edi+1]
		add	eax, ecx
		push	offset ??_C@_08KNIDAOLM@DOSCALLS@NNGAKEGL@ ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9984C2

loc_9984AE:				; CODE XREF: MiCheckDosCalls(x,x)+5Aj
		mov	ecx, [ebp+var_4]
		add	ecx, 2
		inc	esi
		mov	[ebp+var_4], ecx
		cmp	si, bx
		jnb	short loc_9984C7
		mov	edx, [ebp+var_8]
		jmp	short loc_998473
; 

loc_9984C2:				; CODE XREF: MiCheckDosCalls(x,x)+73j
		xor	eax, eax
		inc	eax
		jmp	short loc_9984C9
; 

loc_9984C7:				; CODE XREF: MiCheckDosCalls(x,x)+17j
					; MiCheckDosCalls(x,x)+28j ...
		xor	eax, eax

loc_9984C9:				; CODE XREF: MiCheckDosCalls(x,x)+8Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiCheckDosCalls@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiComputeBadImageHeaderType(x, x, x)
_MiComputeBadImageHeaderType@12	proc near ; CODE XREF: MiVerifyImageHeader+14EC06p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	ecx, 454Eh
		push	edi
		movzx	eax, word ptr [esi]
		cmp	ax, cx
		jnz	loc_99867F
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_MiCheckDosCalls@8 ; MiCheckDosCalls(x,x)
		test	eax, eax
		jnz	short loc_998538
		mov	al, [esi+36h]
		cmp	al, 2
		jz	short loc_998524
		test	al, al
		jnz	short loc_998538
		mov	ax, [esi+3Eh]
		mov	ecx, 0FF00h
		and	ax, cx
		mov	ecx, 200h
		cmp	ax, cx
		jz	short loc_998524
		mov	ecx, 300h
		cmp	ax, cx
		jnz	short loc_998538

loc_998524:				; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+30j
					; MiComputeBadImageHeaderType(x,x,x)+4Aj
		mov	dword_6CF4F4, 3Ch
		mov	eax, 0C0000131h
		jmp	loc_9986A4
; 

loc_998538:				; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+29j
					; MiComputeBadImageHeaderType(x,x,x)+34j ...
		mov	cl, [esi+36h]
		cmp	cl, 5
		jz	loc_998673
		mov	ax, [esi+4]
		cmp	ax, [esi+2Ah]
		jz	loc_998673
		cmp	cl, 1
		jnz	short loc_998580
		push	6		; size_t
		lea	eax, [ebx+200h]
		push	offset ??_C@_06CNEAIGOF@16STUB@NNGAKEGL@ ; "16STUB"
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_998580
		mov	dword_6CF4F4, 3Eh
		jmp	loc_99869F
; 

loc_998580:				; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+87j
					; MiComputeBadImageHeaderType(x,x,x)+A1j
		movzx	edi, word ptr [ebx+8]
		shl	edi, 4
		cmp	edi, 0FC6h
		ja	short loc_9985DA
		push	18h		; size_t
		lea	eax, [ebx+18h]
		add	eax, edi
		push	offset ??_C@_0BI@PEGINIPD@Phar?5Lap?5Software?0?5Inc?4@NNGAKEGL@ ; void	*
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9985DA
		movzx	eax, word ptr [edi+ebx+38h]
		mov	ecx, 4B50h
		cmp	ax, cx
		jz	short loc_9985CB
		mov	ecx, 4F50h
		cmp	ax, cx
		jz	short loc_9985CB
		mov	ecx, 5650h
		cmp	ax, cx
		jnz	short loc_9985DA

loc_9985CB:				; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+E7j
					; MiComputeBadImageHeaderType(x,x,x)+F1j
		mov	dword_6CF4F4, 3Fh
		jmp	loc_99869F
; 

loc_9985DA:				; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+BFj
					; MiComputeBadImageHeaderType(x,x,x)+D8j ...
		lea	eax, [edi+32h]
		cmp	eax, 1000h
		ja	short loc_99861B
		lea	ecx, [edi+ebx]
		movzx	edx, word ptr [ecx+30h]
		lea	eax, [edx+edi]
		cmp	eax, 0FDCh
		ja	short loc_99861B
		push	24h		; size_t
		lea	eax, [edx+ecx]
		push	offset ??_C@_0CF@NMFFENGC@Copyright?5?$CIC?$CJ?5Rational?5Systems?0@NNGAKEGL@ ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_99861B
		mov	dword_6CF4F4, 40h
		jmp	loc_99869F
; 

loc_99861B:				; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+114j
					; MiComputeBadImageHeaderType(x,x,x)+125j ...
		mov	eax, [esi+2Ch]
		mov	ecx, [ebx+3Ch]
		cmp	eax, ecx
		ja	short loc_998636
		mov	dword_6CF4F4, 41h

loc_99862F:				; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+1A3j
		mov	eax, 0C000011Bh
		jmp	short loc_9986A4
; 

loc_998636:				; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+155j
		sub	eax, ecx
		lea	ecx, [eax+10h]
		cmp	ecx, eax
		jbe	short loc_998667
		cmp	ecx, [ebp+arg_0]
		jnb	short loc_998667
		push	0Fh		; size_t
		inc	eax
		add	eax, esi
		push	(offset	loc_8BBDE7+1) ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_998667
		mov	dword_6CF4F4, 42h
		jmp	short loc_99869F
; 

loc_998667:				; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+16Fj
					; MiComputeBadImageHeaderType(x,x,x)+174j ...
		mov	dword_6CF4F4, 43h
		jmp	short loc_99862F
; 

loc_998673:				; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+70j
					; MiComputeBadImageHeaderType(x,x,x)+7Ej
		mov	dword_6CF4F4, 3Dh
		jmp	short loc_99869F
; 

loc_99867F:				; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+17j
		mov	ecx, 454Ch
		cmp	ax, cx
		jnz	short loc_998695
		mov	dword_6CF4F4, 44h
		jmp	short loc_99869F
; 

loc_998695:				; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+1B9j
		mov	dword_6CF4F4, 45h

loc_99869F:				; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+ADj
					; MiComputeBadImageHeaderType(x,x,x)+107j ...
		mov	eax, 0C0000130h

loc_9986A4:				; CODE XREF: MiComputeBadImageHeaderType(x,x,x)+65j
					; MiComputeBadImageHeaderType(x,x,x)+166j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MiComputeBadImageHeaderType@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogCreateImageFileMapFailure(x, x, x, x)
_MiLogCreateImageFileMapFailure@16 proc	near
					; CODE XREF: MiCreateImageFileMap(x,x,x,x,x,x,x,x)+581p

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, dword_6D35BC
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	loc_99879E
		cmp	dword ptr [esi], 5
		jbe	loc_99879E
		push	4000h
		xor	ebx, ebx
		mov	ecx, esi
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_99879E
		mov	edx, offset ??_C@_0BG@JOIBLAI@SectionAlignmentIssue@NNGAKEGL@
		lea	ecx, [ebp+var_68]
		call	_tlgCreate1Sz_char
		lea	eax, [ebp+var_40]
		mov	[ebp+var_54], ebx
		mov	[ebp+var_58], eax
		mov	edx, offset loc_41CBB7
		mov	eax, [edi+34h]
		mov	[ebp+var_48], eax
		movzx	eax, word ptr [edi+30h]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_8C]
		push	4
		pop	ecx
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_90]
		push	8
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_20], ecx
		pop	ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_88]
		push	eax
		push	ecx
		push	ebx
		push	ebx
		push	1
		push	ebx
		mov	[ebp+var_10], ecx
		mov	ecx, esi
		push	ebx
		mov	[ebp+var_50], 2
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_98], 1000000h
		mov	[ebp+var_94], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_99879E:				; CODE XREF: MiLogCreateImageFileMapFailure(x,x,x,x)+22j
					; MiLogCreateImageFileMapFailure(x,x,x,x)+2Bj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_MiLogCreateImageFileMapFailure@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogSectionCreate(x, x)
_MiLogSectionCreate@8 proc near		; CODE XREF: MiCreatePagingFileMap(x)+7B3p
					; MiSegmentDelete+153928p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ecx]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_38]
		mov	[ebp+var_2C], edx
		stosd
		stosd
		stosd
		mov	eax, [ebx+20h]
		lea	edi, [ecx+50h]
		mov	[ebp+var_3C], eax

loc_9987DA:				; CODE XREF: MiLogSectionCreate(x,x)+E1j
		mov	esi, [edi+4]
		test	esi, esi
		jz	loc_998889
		mov	eax, [edi+1Ch]
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_38], esi
		lea	eax, [esi+eax*8]
		mov	[ebp+var_34], eax
		cmp	edx, 1
		jnz	short loc_998856
		mov	eax, [ebp+var_3C]
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		push	(offset	off_401900+2)
		push	249h
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_18]
		push	20400001h
		mov	[ebp+var_30], eax
		mov	[ebp+var_10], 0Ch
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	eax, 1000h
		test	[ebx+8], ax
		jz	short loc_998886
		test	ds:byte_70EFC4,	1
		jz	short loc_998886
		push	2
		xor	ecx, ecx
		pop	edx
		inc	ecx
		call	_MiInitPerfMemoryFlags@8 ; MiInitPerfMemoryFlags(x,x)
		push	dword ptr [edi+1Ch]
		xor	edx, edx
		mov	ecx, esi
		push	eax
		call	_MiLogPerfMemoryRangeEvent@16 ;	MiLogPerfMemoryRangeEvent(x,x,x,x)
		jmp	short loc_998886
; 

loc_998856:				; CODE XREF: MiLogSectionCreate(x,x)+48j
		or	[ebp+var_30], 0FFFFFFFFh
		xor	edx, edx
		and	[ebp+var_24], 0
		inc	edx
		and	[ebp+var_1C], 0
		push	1401902h
		push	24Fh
		mov	[ebp+var_28], ecx
		lea	ecx, [ebp+var_28]
		push	20400001h
		mov	[ebp+var_20], 0Ch
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_998886:				; CODE XREF: MiLogSectionCreate(x,x)+82j
					; MiLogSectionCreate(x,x)+8Bj ...
		mov	edx, [ebp+var_2C]

loc_998889:				; CODE XREF: MiLogSectionCreate(x,x)+30j
		mov	eax, [edi+8]
		mov	edi, eax
		test	eax, eax
		jnz	loc_9987DA
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiLogSectionCreate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogSectionObjectEvent(x, x)
_MiLogSectionObjectEvent@8 proc	near	; CODE XREF: MiSectionDelete+F7EBEp
					; MiCreateSection+F7A7Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	[ebp+var_8], esi
		xor	ecx, ecx
		cmp	edx, 1
		mov	edx, 20400001h
		push	(offset	off_401900+2)
		mov	eax, [eax]
		setnz	cl
		push	8
		add	ecx, 287h
		mov	eax, [eax+28h]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_MiLogPerfMemoryEvent@20 ; MiLogPerfMemoryEvent(x,x,x,x,x)
		pop	esi
		leave
		retn
_MiLogSectionObjectEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateSectionEx(x, x, x, x, x, x,	x, x, x)
_NtCreateSectionEx@36 proc near		; DATA XREF: .text:00581114o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	MiCreateSectionCommon
		pop	ebp
		retn	24h
_NtCreateSectionEx@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLdwPopupWorker(x)
_MiLdwPopupWorker@4 proc near		; DATA XREF: MiWriteComplete+11AA2Do
					; MiFlushControlArea(x,x,x,x)+28Eo ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		cmp	byte ptr [eax+1Ch], 1
		mov	esi, [eax+10h]
		mov	edi, [eax+14h]
		jnz	short loc_998933
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_99893B
; 

loc_998933:				; CODE XREF: MiLdwPopupWorker(x)+17j
		xor	ecx, ecx
		add	eax, 18h
		lock and [eax],	ecx

loc_99893B:				; CODE XREF: MiLdwPopupWorker(x)+21j
		mov	edx, edi
		mov	ecx, esi
		call	_CcMmLogLostDelayedWriteError@8	; CcMmLogLostDelayedWriteError(x,x)
		mov	ecx, esi
		call	ObfDereferenceObject
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_MiLdwPopupWorker@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiAllocatePartitionId(x)
_MiAllocatePartitionId@4 proc near	; CODE XREF: MmCreatePartition(x,x)+DFp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, large fs:124h
		mov	ebx, ecx
		push	edi
		dec	word ptr [esi+13Eh]
		nop
		mov	edi, offset dword_6D2FF4
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		jmp	short loc_998982
; 

loc_998979:				; CODE XREF: MiAllocatePartitionId(x)+45j
		call	_MiExpandPartitionIds@0	; MiExpandPartitionIds()
		test	eax, eax
		jz	short loc_9989DA

loc_998982:				; CODE XREF: MiAllocatePartitionId(x)+24j
		push	0
		push	1
		push	dword_6D3008
		call	RtlFindClearBitsAndSet
		mov	ecx, eax
		or	eax, 0FFFFFFFFh
		cmp	ecx, eax
		jz	short loc_998979
		movzx	edi, cx
		mov	ecx, dword_6D3018
		mov	edx, edi
		mov	byte_6D3024, 1
		mov	[ecx+edx*4], ebx
		mov	ebx, offset dword_6D2FF4
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9989C5
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9989C5:				; CODE XREF: MiAllocatePartitionId(x)+69j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ax, di

loc_9989D6:				; CODE XREF: MiAllocatePartitionId(x)+ABj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_9989DA:				; CODE XREF: MiAllocatePartitionId(x)+2Dj
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9989EE
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9989EE:				; CODE XREF: MiAllocatePartitionId(x)+92j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		xor	eax, eax
		jmp	short loc_9989D6
_MiAllocatePartitionId@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiFreePartitionId(x)
_MiFreePartitionId@4 proc near		; CODE XREF: MiDeletePartition(x)+18p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	si, cx
		dec	word ptr [edi+13Eh]
		nop
		mov	ebx, offset dword_6D2FF4
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6D3008
		movzx	esi, si
		mov	edx, esi
		shr	edx, 3
		add	edx, [eax+4]
		mov	eax, esi
		and	eax, 7
		movsx	ecx, byte ptr [edx]
		btr	ecx, eax
		mov	[edx], cl
		mov	eax, dword_6D3018
		and	dword ptr [eax+esi*4], 0
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_998A5F
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_998A5F:				; CODE XREF: MiFreePartitionId(x)+56j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
_MiFreePartitionId@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializePartitionThreads(x)
_MiInitializePartitionThreads@4	proc near ; CODE XREF: MmCreatePartition(x,x)+152p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		and	[esp+2Ch+var_28], 0
		and	[esp+2Ch+var_1C], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[esp+34h+var_18], 1
		push	edi
		mov	[esp+38h+var_14], 2
		xor	edi, edi
		mov	[esp+38h+var_10], offset MiZeroPageThread
		mov	eax, [esi+64h]
		mov	[esp+38h+var_C], offset	_MiRebuildLargePagesThread@4 ; MiRebuildLargePagesThread(x)
		mov	[esp+38h+var_8], offset	_MiPartitionWorkingSetManager@4	; MiPartitionWorkingSetManager(x)
		mov	eax, [eax+38h]
		mov	[esp+38h+var_24], eax

loc_998AC9:				; CODE XREF: MiInitializePartitionThreads(x)+B1j
		mov	ebx, [esp+edi+38h+var_1C]
		test	ebx, ebx
		jnz	short loc_998AE8
		xor	edx, edx
		xor	ecx, ecx
		call	_MiCreateZeroThreadContext@8 ; MiCreateZeroThreadContext(x,x)
		mov	[esi+0E18h], eax
		test	eax, eax
		jz	short loc_998B23
		mov	eax, [esp+38h+var_24]

loc_998AE8:				; CODE XREF: MiInitializePartitionThreads(x)+5Fj
		push	0
		push	0
		push	esi
		push	[esp+edi+44h+var_10]
		push	0
		push	eax
		push	0
		push	1FFFFFh
		lea	eax, [esp+58h+var_28]
		push	eax
		call	PsCreateSystemThreadEx
		mov	[esp+38h+var_20], eax
		test	eax, eax
		js	short loc_998B2E
		mov	eax, [esp+38h+var_28]
		add	edi, 4
		mov	[esi+ebx*4+4Ch], eax
		cmp	edi, 0Ch
		jnb	short loc_998B2A
		mov	eax, [esp+38h+var_24]
		jmp	short loc_998AC9
; 

loc_998B23:				; CODE XREF: MiInitializePartitionThreads(x)+72j
		mov	eax, 0C000009Ah
		jmp	short loc_998B47
; 

loc_998B2A:				; CODE XREF: MiInitializePartitionThreads(x)+ABj
		xor	eax, eax
		jmp	short loc_998B47
; 

loc_998B2E:				; CODE XREF: MiInitializePartitionThreads(x)+9Bj
		test	ebx, ebx
		jnz	short loc_998B47
		mov	ecx, [esi+0E18h]
		call	_MiDeleteZeroThreadContext@4 ; MiDeleteZeroThreadContext(x)
		and	[esi+0E18h], ebx
		mov	eax, [esp+38h+var_20]

loc_998B47:				; CODE XREF: MiInitializePartitionThreads(x)+B8j
					; MiInitializePartitionThreads(x)+BCj ...
		mov	ecx, [esp+38h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_MiInitializePartitionThreads@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogFailedDriverLoad(x, x,	x, x)
_MiLogFailedDriverLoad@16 proc near	; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+5BAp
					; MiResolveImageReferences+B19D9p ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx]
		push	ebx
		push	esi
		mov	[ebp+var_24], eax
		xor	ebx, ebx
		mov	eax, [ecx+4]
		mov	esi, edx
		mov	edx, [ebp+arg_0]
		push	edi
		movzx	edi, word ptr [ecx]
		mov	[ebp+var_20], eax
		add	edi, 2
		xor	eax, eax
		mov	[ebp+var_34], esi
		inc	eax
		mov	[ebp+var_44], ebx
		test	esi, esi
		mov	[ebp+var_40], ebx
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_28], eax
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_30], ebx
		jz	loc_998C70
		cmp	esi, 0C0000262h
		jz	short loc_998BD0
		cmp	esi, 0C0000263h
		jz	short loc_998BD0
		cmp	esi, 0C0000034h
		jz	short loc_998BD0
		cmp	esi, 0C000007Ah
		jnz	loc_998C70

loc_998BD0:				; CODE XREF: MiLogFailedDriverLoad(x,x,x,x)+59j
					; MiLogFailedDriverLoad(x,x,x,x)+61j ...
		mov	ecx, (offset loc_8BBE69+1)
		mov	[ebp+var_18], ecx
		lea	eax, [ecx+2]
		mov	[ebp+var_28], eax

loc_998BDE:				; CODE XREF: MiLogFailedDriverLoad(x,x,x,x)+8Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_998BDE
		sub	ecx, [ebp+var_28]
		add	edi, 4
		mov	eax, [ebp+var_34]
		sar	ecx, 1
		add	ecx, ecx
		mov	[ebp+var_28], 3
		mov	[ebp+var_1C], cx
		movzx	eax, word ptr [eax]
		add	eax, ecx
		mov	ecx, [ebp+var_34]
		add	edi, eax
		mov	eax, [ecx]
		mov	[ebp+var_14], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_10], eax
		test	edx, edx
		jz	loc_998CBA
		test	edx, 0FFFF0000h
		jz	short loc_998C67
		push	edx
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		jns	short loc_998C4A
		mov	[ebp+var_2C], 1

loc_998C4A:				; CODE XREF: MiLogFailedDriverLoad(x,x,x,x)+E8j
		mov	ecx, [ebp+var_3C]
		movzx	eax, cx
		add	eax, 2
		mov	[ebp+var_28], 4
		add	edi, eax
		mov	[ebp+var_C], ecx
		mov	eax, [ebp+var_38]
		mov	[ebp+var_8], eax
		jmp	short loc_998C6A
; 

loc_998C67:				; CODE XREF: MiLogFailedDriverLoad(x,x,x,x)+CBj
		mov	[ebp+var_30], edx

loc_998C6A:				; CODE XREF: MiLogFailedDriverLoad(x,x,x,x)+10Cj
		cmp	[ebp+var_2C], 1
		jnz	short loc_998CBA

loc_998C70:				; CODE XREF: MiLogFailedDriverLoad(x,x,x,x)+4Dj
					; MiLogFailedDriverLoad(x,x,x,x)+71j
		mov	edx, 1000h
		mov	[ebp+var_30], esi
		mov	ecx, esi
		call	_MiIsRetryIoStatus@8 ; MiIsRetryIoStatus(x,x)
		mov	ecx, offset ??_C@_1BO@GMLPGBG@?$AAf?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAl?$AAo?$AAa?$AAd@NNGAKEGL@
		mov	esi, eax
		mov	[ebp+var_18], ecx
		lea	edx, [ecx+2]

loc_998C8C:				; CODE XREF: MiLogFailedDriverLoad(x,x,x,x)+13Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_998C8C
		sub	ecx, edx
		add	edi, 2
		sar	ecx, 1
		lea	eax, [ecx+ecx]
		add	edi, eax
		mov	[ebp+var_1C], ax
		inc	[ebp+var_28]
		neg	esi
		sbb	esi, esi
		and	esi, 0FFFFFE2Eh
		add	esi, 0C000026Ch

loc_998CBA:				; CODE XREF: MiLogFailedDriverLoad(x,x,x,x)+BFj
					; MiLogFailedDriverLoad(x,x,x,x)+115j
		lea	eax, [edi+30h]
		cmp	eax, 0FFh
		jnb	short loc_998D31
		mov	cl, al
		call	_IoAllocateGenericErrorLogEntry@4 ; IoAllocateGenericErrorLogEntry(x)
		mov	edi, eax
		mov	[ebp+var_2C], edi
		test	edi, edi
		jz	short loc_998D31
		cmp	[ebp+var_28], 0
		lea	ebx, [edi+30h]
		mov	eax, [ebp+var_30]
		push	30h
		mov	[edi+10h], eax
		pop	eax
		mov	dword ptr [edi+0Ch], 4000001Ah
		mov	[edi+14h], esi
		mov	[edi+6], ax
		jbe	short loc_998D20
		xor	edi, edi

loc_998CF6:				; CODE XREF: MiLogFailedDriverLoad(x,x,x,x)+1C2j
		movzx	esi, word ptr [ebp+edi*8+var_24]
		push	esi		; size_t
		push	[ebp+edi*8+var_20] ; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		shr	esi, 1
		push	20h
		lea	ebx, [ebx+esi*2]
		pop	eax
		mov	[ebx], ax
		add	ebx, 2
		inc	edi
		cmp	edi, [ebp+var_28]
		jb	short loc_998CF6
		mov	edi, [ebp+var_2C]

loc_998D20:				; CODE XREF: MiLogFailedDriverLoad(x,x,x,x)+199j
		xor	eax, eax
		mov	[ebx-2], ax
		inc	eax
		push	edi
		mov	[edi+4], ax
		call	IoWriteErrorLogEntry

loc_998D31:				; CODE XREF: MiLogFailedDriverLoad(x,x,x,x)+169j
					; MiLogFailedDriverLoad(x,x,x,x)+179j
		lea	eax, [ebp+var_3C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_MiLogFailedDriverLoad@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogStrongCodeDriverLoadFailure(x,	x)
_MiLogStrongCodeDriverLoadFailure@8 proc near
					; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+3A0p
					; MiResolveImageImports+B1229p	...

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, dword_6D35BC
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8C], edi
		test	esi, esi
		jz	loc_998E49
		cmp	dword ptr [esi], 5
		jbe	loc_998EE0
		push	4000h
		push	0
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_998EE0
		mov	edx, edi
		lea	ecx, [ebp+var_68]
		call	_tlgCreate1Sz_char
		lea	eax, [ebp+var_40]
		mov	[ebp+var_50], 2
		mov	[ebp+var_58], eax
		xor	edx, edx
		mov	eax, [ebx+30h]
		mov	[ebp+var_48], eax
		movzx	eax, word ptr [ebx+2Ch]
		mov	[ebp+var_40], eax
		mov	eax, [ebx+40h]
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_90]
		push	4
		pop	ecx
		mov	[ebp+var_38], eax
		mov	eax, [ebx+58h]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_8C]
		push	8
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_20], ecx
		pop	ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_88]
		push	eax
		push	ecx
		push	edx
		push	edx
		push	1
		push	edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_94], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	ecx, esi
		mov	[ebp+var_C], edx
		push	edx
		mov	edx, offset loc_41CC19
		mov	[ebp+var_98], 81000000h
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)
		jmp	loc_998EE0
; 

loc_998E49:				; CODE XREF: MiLogStrongCodeDriverLoadFailure(x,x)+2Aj
		lea	ecx, [edi+1]

loc_998E4C:				; CODE XREF: MiLogStrongCodeDriverLoadFailure(x,x)+106j
		mov	al, [edi]
		inc	edi
		test	al, al
		jnz	short loc_998E4C
		sub	edi, ecx
		mov	edx, 46446D4Dh
		movzx	ecx, word ptr [ebx+2Ch]
		add	ecx, 1Dh
		push	0
		add	ecx, edi
		push	100h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_998EE0
		lea	ecx, [edi+1]
		push	ecx		; size_t
		push	[ebp+var_8C]	; void *
		lea	edx, [esi+1Ch]
		push	edx		; void *
		mov	[esi+8], edx
		call	_memcpy
		lea	ecx, [edi+1Dh]
		add	ecx, esi
		mov	[esi+10h], ecx
		movzx	eax, word ptr [ebx+2Ch]
		push	eax		; size_t
		push	dword ptr [ebx+30h] ; void *
		push	ecx		; void *
		call	_memcpy
		mov	ax, [ebx+2Ch]
		mov	ecx, offset dword_6CF568
		mov	[esi+0Ch], ax
		add	esp, 18h
		mov	ax, [ebx+2Ch]
		mov	[esi+0Eh], ax
		mov	eax, [ebx+40h]
		mov	[esi+14h], eax
		mov	eax, [ebx+58h]
		mov	[esi+18h], eax
		mov	eax, dword_6CF56C
		cmp	[eax], ecx
		jz	short loc_998ED3
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_998ED3:				; CODE XREF: MiLogStrongCodeDriverLoadFailure(x,x)+181j
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6CF56C, esi

loc_998EE0:				; CODE XREF: MiLogStrongCodeDriverLoadFailure(x,x)+33j
					; MiLogStrongCodeDriverLoadFailure(x,x)+49j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiLogStrongCodeDriverLoadFailure@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetSectionRange(x, x, x)
_MmGetSectionRange@12 proc near		; CODE XREF: PoSetHiberRange+8B5C5p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_4], 0C0000225h
		mov	[ebp+var_14], eax
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceSharedLite
		xor	edx, edx
		mov	ecx, edi
		call	_MiLookupDataTableEntry@8 ; MiLookupDataTableEntry(x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_998F8E
		mov	eax, [eax+18h]
		sub	edi, eax
		push	eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		xor	ebx, ebx
		movzx	ecx, word ptr [eax+14h]
		add	ecx, eax
		movzx	eax, word ptr [eax+6]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_998F8E
		add	ecx, 20h

loc_998F54:				; CODE XREF: MmGetSectionRange(x,x,x)+85j
		mov	edx, [ecx+8]
		mov	eax, [ecx]
		cmp	edx, eax
		jnb	short loc_998F5F
		mov	edx, eax

loc_998F5F:				; CODE XREF: MmGetSectionRange(x,x,x)+6Cj
		mov	esi, [ecx+4]
		cmp	edi, esi
		jb	short loc_998F6D
		lea	eax, [esi+edx]
		cmp	edi, eax
		jb	short loc_998F78

loc_998F6D:				; CODE XREF: MmGetSectionRange(x,x,x)+75j
		add	ecx, 28h
		inc	ebx
		cmp	ebx, [ebp+var_8]
		jb	short loc_998F54
		jmp	short loc_998F8E
; 

loc_998F78:				; CODE XREF: MmGetSectionRange(x,x,x)+7Cj
		mov	eax, [ebp+var_C]
		mov	eax, [eax+18h]
		add	eax, esi
		mov	esi, [ebp+var_10]
		and	[ebp+var_4], 0
		mov	[esi], eax
		mov	eax, [ebp+arg_0]
		mov	[eax], edx

loc_998F8E:				; CODE XREF: MmGetSectionRange(x,x,x)+42j
					; MmGetSectionRange(x,x,x)+60j	...
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, [ebp+var_14]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MmGetSectionRange@12 endp


;  S U B	R O U T	I N E 


; __stdcall MmVerifyCallbackFunction(x)
_MmVerifyCallbackFunction@4 proc near	; CODE XREF: KeRegisterBoundCallback(x)+Bp
		mov	edi, edi
		push	ecx
		call	_MmVerifyCallbackFunctionCheckFlags@8 ;	MmVerifyCallbackFunctionCheckFlags(x,x)
		pop	ecx
		retn
_MmVerifyCallbackFunction@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1472. MmSetPermanentCacheAttribute

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmSetPermanentCacheAttribute(x, x, x, x, x,	x)
		public _MmSetPermanentCacheAttribute@24
_MmSetPermanentCacheAttribute@24 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		jb	short loc_998FD5
		mov	eax, 0C000000Dh
		jmp	loc_999086
; 

loc_998FD5:				; CODE XREF: MmSetPermanentCacheAttribute(x,x,x,x,x,x)+10j
		test	[ebp+arg_14], 0FFFFFFFEh
		jz	short loc_998FE8
		mov	eax, 0C00000F2h
		jmp	loc_999086
; 

loc_998FE8:				; CODE XREF: MmSetPermanentCacheAttribute(x,x,x,x,x,x)+23j
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, 0FFFh
		test	esi, eax
		jz	short loc_998FFF
		mov	eax, 0C00000EFh
		jmp	loc_999085
; 

loc_998FFF:				; CODE XREF: MmSetPermanentCacheAttribute(x,x,x,x,x,x)+3Aj
		push	ebx
		mov	ebx, [ebp+arg_8]
		test	ebx, eax
		jnz	short loc_99907F
		mov	eax, [ebp+arg_4]
		shrd	esi, eax, 0Ch
		mov	eax, [ebp+arg_C]
		shrd	ebx, eax, 0Ch
		test	ebx, ebx
		jz	short loc_99907F
		cmp	[ebp+arg_10], 1
		jz	short loc_999026
		mov	eax, 0C00000F1h
		jmp	short loc_999084
; 

loc_999026:				; CODE XREF: MmSetPermanentCacheAttribute(x,x,x,x,x,x)+64j
		push	0
		push	40h
		push	18h
		mov	edx, 6F49694Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_999044
		mov	eax, 0C000009Ah
		jmp	short loc_999084
; 

loc_999044:				; CODE XREF: MmSetPermanentCacheAttribute(x,x,x,x,x,x)+82j
		lea	eax, [ebx-1]
		mov	[edi+0Ch], esi
		add	eax, esi
		mov	dword ptr [edi+14h], 1
		mov	[edi+10h], eax
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	eax
		push	offset _MiMakeIoRangePermanentDpc@16 ; MiMakeIoRangePermanentDpc(x,x,x,x)
		mov	[ebp+var_8], edi
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		mov	eax, [ebp+var_4]
		test	eax, eax
		jns	short loc_999084
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		jmp	short loc_999084
; 

loc_99907F:				; CODE XREF: MmSetPermanentCacheAttribute(x,x,x,x,x,x)+4Cj
					; MmSetPermanentCacheAttribute(x,x,x,x,x,x)+5Ej
		mov	eax, 0C00000F0h

loc_999084:				; CODE XREF: MmSetPermanentCacheAttribute(x,x,x,x,x,x)+6Bj
					; MmSetPermanentCacheAttribute(x,x,x,x,x,x)+89j ...
		pop	ebx

loc_999085:				; CODE XREF: MmSetPermanentCacheAttribute(x,x,x,x,x,x)+41j
		pop	esi

loc_999086:				; CODE XREF: MmSetPermanentCacheAttribute(x,x,x,x,x,x)+17j
					; MmSetPermanentCacheAttribute(x,x,x,x,x,x)+2Aj
		pop	edi
		leave
		retn	18h
_MmSetPermanentCacheAttribute@24 endp


;  S U B	R O U T	I N E 


; __stdcall MiMapCacheExceptionFilter(x, x)
_MiMapCacheExceptionFilter@8 proc near	; CODE XREF: MiMakePageAvoidRead(x,x,x,x,x,x,x)+629p
					; .text:0047CA62p
		mov	edx, [edx]
		mov	eax, [edx]
		cmp	eax, 0C0000006h
		jnz	short loc_99909F
		cmp	dword ptr [edx+10h], 3
		jb	short loc_9990AB
		mov	eax, [edx+1Ch]

loc_99909F:				; CODE XREF: MiMapCacheExceptionFilter(x,x)+9j
		cmp	eax, 0C0000005h
		jnz	short loc_9990AB
		mov	eax, 0C00000E8h

loc_9990AB:				; CODE XREF: MiMapCacheExceptionFilter(x,x)+Fj
					; MiMapCacheExceptionFilter(x,x)+19j
		mov	[ecx], eax
		xor	eax, eax
		inc	eax
		retn
_MiMapCacheExceptionFilter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmFreeSystemCacheReserveView(x)
_MmFreeSystemCacheReserveView@4	proc near ; CODE XREF: CcUninitializePartitionVacbs(x)+3Ep

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	esi, eax
		mov	ecx, ebx
		lea	eax, [esi+200h]
		mov	[ebp+var_10], eax
		call	_MiGetSystemCacheReverseMap@4 ;	MiGetSystemCacheReverseMap(x)
		mov	[ebp+var_14], eax
		cmp	dword ptr [eax+8], 0
		jz	short loc_9990EE
		push	0
		push	ebx
		push	eax
		push	784h

loc_9990E7:				; CODE XREF: MmFreeSystemCacheReserveView(x)+9Dj
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9990EE:				; CODE XREF: MmFreeSystemCacheReserveView(x)+2Bj
					; MmFreeSystemCacheReserveView(x)+81j
		mov	edi, [esi]
		mov	edx, esi
		mov	[ebp+var_C], edx
		nop
		mov	eax, [esi+4]
		mov	ecx, esi
		mov	[ebp+var_4], eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_999117
		push	[ebp+var_4]
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	[ebp+var_4], edx
		mov	edi, eax
		mov	edx, esi

loc_999117:				; CODE XREF: MmFreeSystemCacheReserveView(x)+54j
		mov	ecx, edi
		xor	eax, eax
		and	ecx, 1
		or	ecx, eax
		jnz	short loc_999144
		and	edi, 400h
		or	edi, eax
		jnz	short loc_999144
		add	esi, 8
		cmp	esi, [ebp+var_10]
		jb	short loc_9990EE
		lea	ecx, [edx-1F8h]
		call	MiReleaseSystemCacheView
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_999144:				; CODE XREF: MmFreeSystemCacheReserveView(x)+6Fj
					; MmFreeSystemCacheReserveView(x)+79j
		push	eax
		push	ebx
		push	[ebp+var_14]
		push	785h
		jmp	short loc_9990E7
_MmFreeSystemCacheReserveView@4	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1464. MmReturnChargesToLockPagedPool

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmReturnChargesToLockPagedPool(x, x)
		public _MmReturnChargesToLockPagedPool@8
_MmReturnChargesToLockPagedPool@8 proc near
					; CODE XREF: MiDeleteSubsectionLargePages(x,x,x)+80p
					; MiCreatePagingFileMap(x)+588p ...

var_18		= dword	ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+20h+var_18]
		add	esi, 0FFFh
		rep stosd
		mov	ecx, [ebp+arg_0]
		lea	eax, [esp+20h+var_18]
		mov	edx, ecx
		and	edx, 0FFFh
		push	eax
		add	esi, edx
		push	8
		shr	esi, 0Ch
		push	esi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		push	eax
		push	2
		pop	ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		xor	edx, edx
		mov	ecx, eax
		call	_MiDeleteSystemPagableVm@24 ; MiDeleteSystemPagableVm(x,x,x,x,x,x)
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	_MiReturnResident@8 ; MiReturnResident(x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
_MmReturnChargesToLockPagedPool@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmZeroPageFileAtShutdown()
_MmZeroPageFileAtShutdown@0 proc near	; CODE XREF: PAGELK:0071ED0Cp
					; PopGracefulShutdown(x)+38p ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_28], offset unk_AA00A8
		lea	edi, [ebp+var_18]
		mov	[ebp+var_24], offset ??_C@_1KK@IBFBOAIN@?$AA?2?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAm?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		stosd
		xor	ebx, ebx
		push	2Eh
		mov	[ebp+var_1C], ebx
		mov	esi, ebx
		mov	[ebp+var_20], ebx
		stosd
		mov	[ebp+var_2C], offset ??_C@_1DA@JJABBNCH@?$AAC?$AAl?$AAe?$AAa?$AAr?$AAP?$AAa?$AAg?$AAe?$AAF?$AAi?$AAl?$AAe?$AAA?$AAt@NNGAKEGL@
		mov	[ebp+var_48], 18h
		mov	[ebp+var_44], ebx
		stosd
		mov	[ebp+var_3C], 240h
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		stosd
		stosd
		pop	eax
		push	30h
		mov	word ptr [ebp+var_30], ax
		pop	eax
		mov	word ptr [ebp+var_30+2], ax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_999276
		lea	eax, [ebp+var_20]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_99925D
		cmp	[ebp+var_14], 4
		jnz	short loc_99925D
		mov	esi, [ebp+var_C]

loc_99925D:				; CODE XREF: MmZeroPageFileAtShutdown()+99j
					; MmZeroPageFileAtShutdown()+9Fj
		push	ebx
		push	[ebp+var_1C]
		call	ObCloseHandle
		test	esi, esi
		jz	short loc_999276
		xor	eax, eax
		mov	byte_6D302A, 1
		inc	eax
		jmp	short loc_999278
; 

loc_999276:				; CODE XREF: MmZeroPageFileAtShutdown()+7Dj
					; MmZeroPageFileAtShutdown()+AFj
		xor	eax, eax

loc_999278:				; CODE XREF: MmZeroPageFileAtShutdown()+BBj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MmZeroPageFileAtShutdown@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmSetPriorityVaRanges(x, x,	x)
_MmSetPriorityVaRanges@12 proc near	; CODE XREF: SMKM_STORE_SM_TRAITS___SmStPrioritizeRegionsStore+D28A0p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		push	1
		call	MiProcessVaRangesInfoClass
		pop	ebp
		retn	4
_MmSetPriorityVaRanges@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiFreeRotateView(x)
_MiFreeRotateView@4 proc near		; CODE XREF: MiDeletePartialVad+DD40Fp
		mov	edi, edi
		push	esi
		push	8
		pop	edx
		call	MiGetVadWakeList
		mov	esi, eax
		test	esi, esi
		jz	short loc_9992BA
		mov	ecx, esi
		call	_MiFreeRotateVadEvent@4	; MiFreeRotateVadEvent(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9992BA:				; CODE XREF: MiFreeRotateView(x)+Fj
		pop	esi
		retn
_MiFreeRotateView@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetReadyInPageBlock(x)
_MiGetReadyInPageBlock@4 proc near	; CODE XREF: MiSwitchToTransition(x,x,x)+7Cp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	8
		pop	edx
		call	_MiLocateVadEvent@8 ; MiLocateVadEvent(x,x)
		mov	ebx, eax
		mov	esi, [ebx+4]
		jmp	short loc_9992E9
; 

loc_9992D0:				; CODE XREF: MiGetReadyInPageBlock(x)+31j
		xor	ecx, ecx
		call	_MiGetInPageSupportBlock@4 ; MiGetInPageSupportBlock(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9992F1
		push	offset _MiShortTime
		push	eax
		push	eax
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)

loc_9992E9:				; CODE XREF: MiGetReadyInPageBlock(x)+12j
		cmp	dword ptr [esi+68h], 1
		jnz	short loc_9992D0
		jmp	short loc_9992FD
; 

loc_9992F1:				; CODE XREF: MiGetReadyInPageBlock(x)+1Fj
		mov	ecx, esi
		call	_MiFreeInPageSupportBlock@4 ; MiFreeInPageSupportBlock(x)
		mov	[ebx+4], edi
		mov	esi, edi

loc_9992FD:				; CODE XREF: MiGetReadyInPageBlock(x)+33j
		xor	edx, edx
		mov	ecx, esi	; void *
		call	_MiInitializeInPageSupport@8 ; MiInitializeInPageSupport(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_MiGetReadyInPageBlock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogVirtualRotateEvent(x, x, x)
_MiLogVirtualRotateEvent@12 proc near	; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+39Bp
					; MmRotatePhysicalView(x,x,x,x,x,x)+442p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], ecx
		mov	eax, esi
		mov	[ebp+var_8], edx
		xor	eax, [ebp+arg_0]
		mov	edx, 20008000h
		and	eax, 0Fh
		mov	ecx, 27Fh
		push	(offset	off_401900+2)
		xor	esi, eax
		lea	eax, [ebp+var_C]
		push	0Ch
		push	eax
		mov	[ebp+var_4], esi
		call	_MiLogPerfMemoryEvent@20 ; MiLogPerfMemoryEvent(x,x,x,x,x)
		pop	esi
		leave
		retn	4
_MiLogVirtualRotateEvent@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1465. MmRotatePhysicalView

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmRotatePhysicalView(x, x, x, x, x,	x)
		public _MmRotatePhysicalView@24
_MmRotatePhysicalView@24 proc near

var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_7C		= dword	ptr -7Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		push	124h
		push	offset dword_6A8880
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_E4], eax
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_104], esi
		mov	ebx, [ebp+arg_8]
		mov	[ebp+var_10C], ebx
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_124], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_120], eax
		and	[ebp+var_FC], 0
		xor	eax, eax
		lea	edi, [ebp+var_134]
		stosd
		stosd
		stosd
		push	60h		; size_t
		push	0		; int
		lea	eax, [ebp+var_7C]
		push	eax		; void *
		call	_memset
		push	60h		; size_t
		push	0		; int
		lea	eax, [ebp+var_DC]
		push	eax		; void *
		call	_memset
		add	esp, 18h
		and	[ebp+var_EC], 0
		xor	eax, eax
		mov	[ebp+var_100], eax
		mov	edi, [esi]
		mov	[ebp+var_108], edi
		and	[ebp+var_118], eax
		mov	eax, 0FFFh
		mov	ecx, [ebp+var_E4]
		test	ecx, eax
		jz	short loc_9993F2
		mov	esi, 0C00000EFh
		jmp	loc_999A41
; 

loc_9993F2:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+98j
		test	edi, eax
		jz	short loc_999400

loc_9993F6:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+CFj
		mov	esi, 0C00000F0h
		jmp	loc_999A41
; 

loc_999400:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+A6j
		cmp	[ebp+arg_C], 4
		jl	short loc_999410
		mov	esi, 0C00000F1h
		jmp	loc_999A41
; 

loc_999410:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+B6j
		lea	eax, [ecx-1]
		add	eax, edi
		mov	[ebp+var_114], eax
		cmp	eax, ecx
		jbe	short loc_9993F6
		xor	esi, esi
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	[ebp+var_110], eax

loc_99942C:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+6E5j
		mov	[ebp+var_11C], esi
		lea	eax, [ebp+var_FC]
		push	eax
		xor	edx, edx
		call	MiObtainReferencedVadEx
		mov	ecx, eax
		mov	[ebp+var_EC], ecx
		mov	[ebp+var_F8], ecx
		test	ecx, ecx
		jnz	short loc_99946E
		mov	esi, [ebp+var_FC]
		cmp	esi, 0C00000A0h
		jnz	loc_999A41
		mov	esi, 0C0000005h
		jmp	loc_999A41
; 

loc_99946E:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+102j
		mov	edx, [ecx+1Ch]
		mov	[ebp+var_F0], edx
		mov	eax, edx
		and	al, 70h
		cmp	al, 40h
		jnz	loc_999A3C
		mov	eax, [ebp+var_114]
		shr	eax, 0Ch
		cmp	[ecx+10h], eax
		jb	loc_999A3C
		mov	eax, 0C00h
		and	edx, eax
		test	[ebp+var_F0], 380h
		setnz	cl
		cmp	edx, eax
		setz	al
		test	cl, al
		jz	short loc_9994B7
		push	2
		pop	edx
		jmp	short loc_9994C4
; 

loc_9994B7:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+162j
		sub	edx, 400h
		neg	edx
		sbb	edx, edx
		and	edx, 1

loc_9994C4:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+167j
		mov	[ebp+var_F0], edx
		mov	ecx, edi
		mov	[ebp+var_E8], ecx
		mov	eax, edi
		shr	eax, 0Ch
		mov	[ebp+var_E0], eax
		cmp	[ebp+arg_C], 1
		jg	loc_99974B
		lea	ecx, [ebx+1Ch]
		mov	[ebp+var_F4], ecx
		and	[ebp+var_FC], 0
		test	eax, eax
		jz	short loc_999576

loc_9994FB:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+226j
		mov	esi, [ecx]
		mov	ecx, esi
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jz	short loc_999522
		imul	ecx, esi, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiLegitimatePageForDriversToMap@4 ; MiLegitimatePageForDriversToMap(x)
		mov	esi, eax
		test	esi, esi
		js	loc_999A41
		jmp	short loc_999550
; 

loc_999522:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+1B8j
		mov	ecx, esi
		call	_MiSanitizePage@4 ; MiSanitizePage(x)
		push	ecx
		push	0
		push	0
		push	[ebp+var_F0]
		push	1
		mov	edx, eax
		xor	ecx, ecx
		inc	ecx
		call	MiReferenceIoPages
		mov	esi, eax
		test	esi, esi
		js	loc_999A41
		inc	[ebp+var_100]

loc_999550:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+1D2j
		mov	edx, [ebp+var_FC]
		inc	edx
		mov	[ebp+var_FC], edx
		mov	ecx, [ebp+var_F4]
		add	ecx, 4
		mov	[ebp+var_F4], ecx
		mov	eax, [ebp+var_E0]
		cmp	edx, eax
		jb	short loc_9994FB

loc_999576:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+1ABj
		push	0
		mov	edx, eax
		mov	ecx, [ebp+var_110]
		call	MiChargeCommit
		test	eax, eax
		jnz	short loc_999593

loc_999589:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+27Ej
		mov	esi, 0C000009Ah
		jmp	loc_999A41
; 

loc_999593:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+239j
		push	edi
		push	[ebp+var_E4]
		call	_MmSizeOfMdl@8	; MmSizeOfMdl(x,x)
		push	0
		push	40h
		mov	edx, 6F666E49h
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_108], esi
		test	esi, esi
		jnz	short loc_9995CE
		mov	edx, [ebp+var_E0]
		mov	ecx, [ebp+var_110]
		call	MiReturnCommit
		jmp	short loc_999589
; 

loc_9995CE:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+26Bj
		and	dword ptr [esi], 0
		mov	ecx, [ebp+var_E4]
		and	ecx, 0FFFh
		lea	eax, [ecx+0FFFh]
		add	eax, edi
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[esi+4], ax
		xor	eax, eax
		mov	[esi+6], ax
		mov	eax, [ebp+var_E4]
		and	eax, 0FFFFF000h
		mov	[esi+10h], eax
		mov	[esi+18h], ecx
		mov	[esi+14h], edi
		and	[ebp+ms_exc.disabled], 0
		push	0
		push	1
		push	esi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_EC]
		mov	[ebp+var_130], eax
		mov	eax, large fs:124h
		mov	[ebp+var_12C], eax
		lea	eax, [ebp+var_134]
		push	eax
		mov	edx, [ebp+var_114]
		mov	ecx, [ebp+var_E4]
		call	_MiDeleteRotateAndStopFaults@12	; MiDeleteRotateAndStopFaults(x,x,x)
		cmp	[ebp+arg_C], 0
		jnz	short loc_999682
		mov	eax, 2000h
		or	[esi+6], ax
		push	[ebp+var_120]
		push	esi
		push	ebx
		call	[ebp+var_124]
		test	eax, eax
		jns	short loc_999682
		push	[ebp+var_EC]
		mov	edx, esi
		mov	ecx, ebx
		call	_MiSlowRotateCopy@12 ; MiSlowRotateCopy(x,x,x)

loc_999682:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+308j
					; MmRotatePhysicalView(x,x,x,x,x,x)+323j
		push	10h
		push	0
		push	[ebp+var_E0]
		push	[ebp+var_F0]
		lea	eax, [esi+1Ch]
		push	eax
		lea	edx, [ebx+1Ch]
		mov	ebx, [ebp+var_E4]
		mov	ecx, ebx
		call	MiMapLockedPagesInUserSpaceHelper
		lea	ecx, [ebp+var_134]
		call	_MiRotateComplete@4 ; MiRotateComplete(x)
		mov	ecx, [ebp+var_EC]
		call	MiUnlockAndDereferenceVad
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_104]
		mov	[eax], edi
		test	dword ptr ds:byte_70EFC4, 8000h
		jz	short loc_9996EE
		test	edi, edi
		jz	short loc_9996EE
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, ebx
		call	_MiLogVirtualRotateEvent@12 ; MiLogVirtualRotateEvent(x,x,x)

loc_9996EE:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+38Ej
					; MmRotatePhysicalView(x,x,x,x,x,x)+392j ...
		xor	eax, eax
		jmp	loc_999A9C
; 

loc_9996F5:				; DATA XREF: .text:006A8894o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_128], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_999706:				; DATA XREF: .text:006A8898o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edx, [ebp+var_E0]
		mov	ecx, [ebp+var_110]
		call	MiReturnCommit
		push	0
		push	[ebp+var_108]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_128]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_F8]
		mov	[ebp+var_EC], ebx
		mov	ebx, [ebp+var_10C]
		jmp	loc_999A41
; 

loc_99974B:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+193j
		cmp	[ebp+arg_C], 3
		jnz	short loc_9997A8
		push	edx
		mov	edx, [ebp+var_114]
		mov	ebx, [ebp+var_E4]
		mov	ecx, ebx
		call	_MiReplaceRotateWithDemandZero@12 ; MiReplaceRotateWithDemandZero(x,x,x)
		mov	esi, eax
		mov	ecx, [ebp+var_EC]
		call	MiUnlockAndDereferenceVad
		mov	eax, [ebp+var_104]
		mov	[eax], edi
		test	dword ptr ds:byte_70EFC4, 8000h
		jz	short loc_999795
		test	edi, edi
		jz	short loc_999795
		push	3
		mov	edx, edi
		mov	ecx, ebx
		call	_MiLogVirtualRotateEvent@12 ; MiLogVirtualRotateEvent(x,x,x)

loc_999795:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+436j
					; MmRotatePhysicalView(x,x,x,x,x,x)+43Aj
		cmp	esi, 1
		jnz	loc_9996EE
		mov	eax, 40000019h
		jmp	loc_999A9C
; 

loc_9997A8:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+401j
		mov	ebx, 10000h
		cmp	edi, ebx
		ja	short loc_9997C2
		lea	edx, [ebp+var_7C]
		mov	[ebp+var_E0], edx
		mov	edi, [ebp+var_E4]
		jmp	short loc_999802
; 

loc_9997C2:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+461j
		push	edi
		mov	edi, [ebp+var_E4]
		push	edi
		call	_MmSizeOfMdl@8	; MmSizeOfMdl(x,x)
		push	0
		push	40h
		mov	edx, 6F666E49h
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_E0], eax
		test	eax, eax
		jnz	short loc_9997FC
		lea	edx, [ebp+var_7C]
		mov	[ebp+var_E0], edx
		mov	ecx, ebx
		mov	[ebp+var_E8], ecx
		jmp	short loc_999802
; 

loc_9997FC:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+499j
		mov	ecx, [ebp+var_E8]

loc_999802:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+472j
					; MmRotatePhysicalView(x,x,x,x,x,x)+4ACj
		cmp	ecx, ebx
		jbe	short loc_99982D
		push	ecx
		push	edi
		call	_MmSizeOfMdl@8	; MmSizeOfMdl(x,x)
		push	0
		push	40h
		mov	edx, 6F666E49h
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_F4], eax
		test	eax, eax
		jnz	short loc_999839
		mov	[ebp+var_E8], ebx

loc_99982D:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+4B6j
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_F4], eax

loc_999839:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+4D7j
		mov	edx, [ebp+var_E0]
		and	dword ptr [edx], 0
		mov	ecx, edi
		and	ecx, 0FFFh
		mov	[ebp+var_F8], ecx
		mov	eax, [ebp+var_E8]
		add	eax, 0FFFh
		add	eax, ecx
		shr	eax, 0Ch
		lea	ebx, ds:1Ch[eax*4]
		mov	[edx+4], bx
		xor	eax, eax
		mov	[edx+6], ax
		and	edi, 0FFFFF000h
		mov	[edx+10h], edi
		mov	[edx+18h], ecx
		mov	eax, [ebp+var_E8]
		mov	[edx+14h], eax
		push	edx
		call	MmBuildMdlForNonPagedPool
		mov	edx, [ebp+var_E0]
		mov	ecx, 2000h
		or	[edx+6], cx
		mov	eax, [ebp+var_F4]
		and	dword ptr [eax], 0
		mov	[eax+4], bx
		mov	ebx, eax
		mov	[ebx+10h], edi
		mov	eax, [ebp+var_F8]
		mov	[ebx+18h], eax
		mov	eax, [ebp+var_E8]
		mov	[ebx+14h], eax
		mov	[ebx+6], cx
		push	[ebp+var_F0]
		mov	edi, [ebp+var_EC]
		mov	edx, edi
		mov	ecx, ebx
		call	_MiSwitchToTransition@12 ; MiSwitchToTransition(x,x,x)
		mov	[ebp+var_F0], eax
		mov	ecx, [ebx+14h]
		mov	eax, [ebp+var_E0]
		cmp	ecx, [ebp+var_E8]
		jz	short loc_9998FB
		mov	[ebp+var_E8], ecx
		mov	[eax+14h], ecx
		mov	ecx, [ebx+14h]

loc_9998FB:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+59Fj
		test	ecx, ecx
		jz	loc_99998C
		push	[ebp+var_120]
		push	eax
		push	ebx
		call	[ebp+var_124]
		mov	[ebp+var_FC], eax
		test	eax, eax
		jns	short loc_999929
		push	edi
		mov	edx, [ebp+var_E0]
		mov	ecx, ebx
		call	_MiSlowRotateCopy@12 ; MiSlowRotateCopy(x,x,x)

loc_999929:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+5CBj
		mov	edx, edi
		mov	ecx, ebx
		call	_MiMarkMdlComplete@8 ; MiMarkMdlComplete(x,x)
		mov	eax, [ebp+var_E0]
		lea	ecx, [eax+1Ch]
		mov	[ebp+var_10C], ecx
		mov	eax, [eax+14h]
		shr	eax, 0Ch
		mov	[ebp+var_F8], eax
		test	eax, eax
		jz	short loc_99998C
		mov	edi, eax
		mov	esi, ecx

loc_999955:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+630j
		mov	eax, [esi]
		mov	[ebp+var_F8], eax
		mov	ecx, eax
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jnz	short loc_999978
		push	1
		mov	edx, [ebp+var_F8]
		xor	ecx, ecx
		inc	ecx
		call	MiDereferenceIoPages

loc_999978:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+618j
		add	esi, 4
		sub	edi, 1
		jnz	short loc_999955
		mov	esi, [ebp+var_11C]
		mov	edi, [ebp+var_EC]

loc_99998C:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+5AFj
					; MmRotatePhysicalView(x,x,x,x,x,x)+601j
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		and	[ebp+var_EC], 0
		mov	edi, [ebp+var_E8]
		test	dword ptr ds:byte_70EFC4, 8000h
		jz	short loc_9999C0
		test	edi, edi
		jz	short loc_9999C0
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, [ebp+var_E4]
		call	_MiLogVirtualRotateEvent@12 ; MiLogVirtualRotateEvent(x,x,x)

loc_9999C0:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+65Cj
					; MmRotatePhysicalView(x,x,x,x,x,x)+660j
		lea	ecx, [ebp+var_7C]
		mov	eax, [ebp+var_E0]
		cmp	eax, ecx
		jz	short loc_9999D5
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9999D5:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+67Dj
		cmp	dword ptr [ebx+14h], 0
		jz	short loc_9999E1
		push	ebx
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_9999E1:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+68Bj
		lea	eax, [ebp+var_DC]
		cmp	ebx, eax
		jz	short loc_9999F3
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9999F3:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+69Bj
		add	[ebp+var_118], edi
		mov	ecx, [ebp+var_E4]
		add	ecx, edi
		mov	[ebp+var_E4], ecx
		cmp	[ebp+var_F0], 1
		jnz	short loc_999A17
		mov	esi, 40000019h
		jmp	short loc_999A41
; 

loc_999A17:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+6C0j
		mov	edi, [ebp+var_108]
		sub	edi, [ebp+var_E8]
		mov	[ebp+var_108], edi
		jz	short loc_999A38
		xor	ebx, ebx
		mov	[ebp+var_10C], ebx
		jmp	loc_99942C
; 

loc_999A38:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+6DBj
		xor	esi, esi
		jmp	short loc_999A41
; 

loc_999A3C:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+12Fj
					; MmRotatePhysicalView(x,x,x,x,x,x)+141j
		mov	esi, 0C0000018h

loc_999A41:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+9Fj
					; MmRotatePhysicalView(x,x,x,x,x,x)+ADj ...
		mov	edi, [ebp+var_EC]
		test	edi, edi
		jz	short loc_999A52
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad

loc_999A52:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+6FBj
		test	esi, esi
		jns	short loc_999A8C
		add	ebx, 1Ch
		mov	edi, [ebp+var_100]
		jmp	short loc_999A88
; 

loc_999A61:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+73Cj
		mov	eax, [ebx]
		mov	[ebp+var_11C], eax
		mov	ecx, eax
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jnz	short loc_999A85
		push	1
		mov	edx, [ebp+var_11C]
		xor	ecx, ecx
		inc	ecx
		call	MiDereferenceIoPages
		dec	edi

loc_999A85:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+724j
		add	ebx, 4

loc_999A88:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+711j
		test	edi, edi
		jnz	short loc_999A61

loc_999A8C:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+706j
		mov	eax, [ebp+var_104]
		mov	ecx, [ebp+var_118]
		mov	[eax], ecx
		mov	eax, esi

loc_999A9C:				; CODE XREF: MmRotatePhysicalView(x,x,x,x,x,x)+3A2j
					; MmRotatePhysicalView(x,x,x,x,x,x)+455j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_MmRotatePhysicalView@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeVadEventBitmap(x, x, x)
_MiFreeVadEventBitmap@12 proc near	; CODE XREF: MiAllocateNewSubAllocatedRegion+1736BEp
					; MiAllocateChildVads+B4A15p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	eax, edx
		mov	edx, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		mov	ecx, eax
		call	MiGetVadWakeList
		mov	esi, eax
		test	esi, esi
		jz	short loc_999ADB
		mov	edx, esi
		mov	ecx, edi
		call	_MiFreeVadEventBitmapCharges@8 ; MiFreeVadEventBitmapCharges(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_999ADB:				; CODE XREF: MiFreeVadEventBitmap(x,x,x)+1Aj
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
_MiFreeVadEventBitmap@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCoalescePlaceholderAllocations(x,	x, x, x)
_MiCoalescePlaceholderAllocations@16 proc near
					; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+202p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	[ebp+var_18], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_0]
		push	edi
		push	1
		and	eax, 0FFFFF000h
		mov	[ebp+var_14], ecx
		push	eax
		call	MiLockVadRange
		mov	edi, eax
		mov	[ebp+var_10], edi
		cmp	edi, 2
		jb	loc_999C80
		mov	ecx, ebx
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	[ebp+var_C], eax
		mov	ecx, [eax+0Ch]
		shl	ecx, 0Ch
		cmp	ecx, ebx
		jnz	loc_999C80
		xor	edx, edx
		mov	esi, eax
		mov	[ebp+var_4], edx

loc_999B38:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+CFj
		mov	eax, [esi+20h]
		and	eax, 7FFFFFFFh
		cmp	eax, 0FFFFDh
		jnz	loc_999C80
		test	byte ptr [esi+1Ch], 8
		jz	short loc_999B7D
		mov	edx, [esi+0Ch]
		mov	ecx, esi
		mov	eax, [esi+10h]
		push	[ebp+arg_4]
		sub	eax, edx
		shl	edx, 0Ch
		inc	eax
		push	55h
		shl	eax, 0Ch
		push	eax
		call	MiCheckSecuredVad
		mov	edi, eax
		test	edi, edi
		js	loc_999C85
		mov	edi, [ebp+var_10]
		mov	edx, [ebp+var_4]

loc_999B7D:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+6Dj
		mov	eax, [esi+4]
		mov	ecx, esi
		mov	[ebp+var_8], esi
		test	eax, eax
		jz	short loc_999BA3
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_999BAB

loc_999B91:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+B7j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_999B91
		jmp	short loc_999BAB
; 

loc_999B9D:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+C7j
		cmp	[esi], ecx
		jz	short loc_999BAB
		mov	ecx, esi

loc_999BA3:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+A5j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_999B9D

loc_999BAB:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+ADj
					; MiCoalescePlaceholderAllocations(x,x,x,x)+B9j ...
		inc	edx
		mov	[ebp+var_4], edx
		cmp	edx, edi
		jb	short loc_999B38
		mov	eax, [ebp+var_8]
		mov	eax, [eax+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	eax, [ebp+arg_0]
		jnz	loc_999C80
		mov	eax, [ebp+var_C]
		xor	ebx, ebx
		mov	ecx, eax
		mov	esi, [eax+4]
		test	esi, esi
		jz	short loc_999BEA
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_999BFD

loc_999BDE:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+104j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_999BDE
		jmp	short loc_999BFD
; 

loc_999BEA:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+F4j
		mov	esi, [eax+8]
		jmp	short loc_999BF8
; 

loc_999BEF:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+119j
		cmp	[esi], ecx
		jz	short loc_999BFD
		mov	ecx, esi
		mov	esi, [esi+8]

loc_999BF8:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+10Bj
		and	esi, 0FFFFFFFCh
		jnz	short loc_999BEF

loc_999BFD:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+FAj
					; MiCoalescePlaceholderAllocations(x,x,x,x)+106j ...
		mov	edi, [esi+4]
		mov	ecx, esi
		test	edi, edi
		jz	short loc_999C18
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_999C2B

loc_999C0C:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+132j
		mov	eax, [ecx]
		mov	edi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_999C0C
		jmp	short loc_999C2B
; 

loc_999C18:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+122j
		mov	edi, [esi+8]
		jmp	short loc_999C26
; 

loc_999C1D:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+147j
		cmp	[edi], ecx
		jz	short loc_999C2B
		mov	ecx, edi
		mov	edi, [edi+8]

loc_999C26:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+139j
		and	edi, 0FFFFFFFCh
		jnz	short loc_999C1D

loc_999C2B:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+128j
					; MiCoalescePlaceholderAllocations(x,x,x,x)+134j ...
		mov	ecx, esi
		call	_MiReferenceVad@4 ; MiReferenceVad(x)
		mov	ecx, esi
		call	_MiRemovePlaceholderVad@4 ; MiRemovePlaceholderVad(x)
		mov	[esi], ebx
		mov	ebx, esi
		cmp	esi, [ebp+var_8]
		jz	short loc_999C46
		mov	esi, edi
		jmp	short loc_999BFD
; 

loc_999C46:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+15Ej
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+arg_0]
		mov	edi, [ebp+var_18]
		mov	ecx, edi
		mov	edx, [ebp+var_14]
		shr	eax, 0Ch
		mov	[esi+10h], eax
		call	UNLOCK_ADDRESS_SPACE_UNORDERED

loc_999C5F:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+18Fj
		mov	ecx, ebx
		xor	edx, edx
		mov	ebx, [ebx]
		push	40000000h
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)
		test	ebx, ebx
		jnz	short loc_999C5F
		mov	edx, esi
		mov	ecx, edi
		call	MiUnlockVad
		xor	edi, edi
		jmp	short loc_999C94
; 

loc_999C80:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+31j
					; MiCoalescePlaceholderAllocations(x,x,x,x)+49j ...
		mov	edi, 0C0000018h

loc_999C85:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+8Fj
		mov	ecx, [ebp+var_14]
		mov	edx, ebx
		push	1
		push	[ebp+var_10]
		call	_MiUnlockVadRange@16 ; MiUnlockVadRange(x,x,x,x)

loc_999C94:				; CODE XREF: MiCoalescePlaceholderAllocations(x,x,x,x)+19Cj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiCoalescePlaceholderAllocations@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSessionObjectDelete(x)
_MiSessionObjectDelete@4 proc near	; DATA XREF: MiInitializeSessionIds+DDo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+10h]
		test	byte ptr [ecx+4], 40h
		jz	short loc_999CB4
		call	MiReleaseProcessReferenceToSessionDataPage

loc_999CB4:				; CODE XREF: MiSessionObjectDelete(x)+10j
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jz	short loc_999CCA
		call	KeRemoveSchedulingGroup
		push	0
		push	dword ptr [esi+14h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_999CCA:				; CODE XREF: MiSessionObjectDelete(x)+1Cj
		pop	esi
		pop	ebp
		retn	4
_MiSessionObjectDelete@4 endp


;  S U B	R O U T	I N E 


; __stdcall MmGetIoSessionState(x, x)
_MmGetIoSessionState@8 proc near	; CODE XREF: SessionGetSessionStateInfo(x,x)+10p
		mov	eax, [ecx+10h]
		test	edx, edx
		jz	short loc_999CDB
		mov	ecx, [eax+8]
		mov	[edx], ecx

loc_999CDB:				; CODE XREF: MmGetIoSessionState(x,x)+5j
		mov	eax, [eax+2438h]
		retn
_MmGetIoSessionState@8 endp


;  S U B	R O U T	I N E 


; __stdcall MmGetSessionSchedulingGroup(x)
_MmGetSessionSchedulingGroup@4 proc near ; CODE	XREF: PsSetCpuQuotaInformation(x,x,x)+1C9p
		mov	eax, [ecx+14h]
		retn
_MmGetSessionSchedulingGroup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmPerfLogSessionRundown(x, x, x)
_MmPerfLogSessionRundown@12 proc near	; CODE XREF: EtwpKernelTraceRundown+129FC8p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		xor	eax, eax
		mov	[ebp+var_14], 8
		push	ebx
		mov	ebx, ecx
		xor	ecx, ecx
		cmp	[ebp+arg_0], eax
		push	esi
		setnz	al
		mov	[ebp+var_24], ecx
		add	eax, 24Ch
		mov	[ebp+var_20], ecx
		movzx	eax, ax
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_24]
		push	edi
		mov	edi, edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		jmp	short loc_999D55
; 

loc_999D2F:				; CODE XREF: MmPerfLogSessionRundown(x,x,x)+78j
		mov	edx, [esi+180h]
		push	offset byte_401803
		push	[ebp+var_28]
		mov	ecx, [edx+8]
		mov	[ebp+var_24], edx
		xor	edx, edx
		push	edi
		mov	[ebp+var_20], ecx
		inc	edx
		push	ebx
		lea	ecx, [ebp+var_1C]
		call	_EtwTraceSiloDcEvent@24	; EtwTraceSiloDcEvent(x,x,x,x,x,x)
		mov	ecx, esi

loc_999D55:				; CODE XREF: MmPerfLogSessionRundown(x,x,x)+47j
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_999D2F
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MmPerfLogSessionRundown@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocateFileExtents(x, x,	x, x, x)
_MiAllocateFileExtents@20 proc near	; CODE XREF: MiAddViewsForSection+2E3p
					; MiUpdateActiveSubsection(x)+70p ...

var_94		= dword	ptr -94h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_34], edx
		push	7
		xor	eax, eax
		mov	[ebp+var_10], ebx
		pop	ecx
		lea	edi, [ebp+var_94]
		xor	esi, esi
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_6C]
		mov	[ebp+var_44], esi
		rep stosd
		mov	eax, [ebp+arg_4]
		shl	eax, 0Ch
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_38], eax

loc_999DB3:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+30Bj
		mov	ecx, 1000h
		mov	edi, eax
		mov	[ebp+var_8], esi
		mov	eax, [ebx]
		mov	[ebp+var_C], eax
		test	byte ptr [eax+1Ch], 20h
		jz	short loc_999E43
		mov	[ebp+var_1C], 1
		cmp	[ebx+4], esi
		jnz	short loc_999DDF
		mov	eax, edx
		mul	ecx
		mov	esi, eax
		mov	[ebp+var_18], esi
		jmp	short loc_999DEF
; 

loc_999DDF:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+61j
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		push	esi
		call	MiStartingOffset
		mov	esi, eax
		mov	[ebp+var_18], eax

loc_999DEF:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+6Cj
		mov	ecx, ebx
		mov	[ebp+var_14], edx
		call	_MiEndingOffset@4 ; MiEndingOffset(x)
		mov	ebx, eax
		mov	[ebp+var_20], edx
		mov	[ebp+var_40], ebx
		cmp	esi, ebx
		jnz	short loc_999E16
		mov	ecx, [ebp+var_14]
		cmp	ecx, edx
		jnz	short loc_999E16
		mov	eax, esi
		or	eax, ecx
		jz	loc_99A081

loc_999E16:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+92j
					; MiAllocateFileExtents(x,x,x,x,x)+99j
		mov	eax, [ebp+var_8]
		mov	ecx, edi
		add	ecx, esi
		adc	eax, [ebp+var_14]
		cmp	eax, edx
		jb	short loc_999E78
		ja	short loc_999E2A
		cmp	ecx, ebx
		jbe	short loc_999E78

loc_999E2A:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+B3j
		mov	edi, ebx
		xor	eax, eax
		sub	edi, esi
		add	edi, 1FFh
		adc	eax, eax
		and	edi, 0FFFFFE00h
		mov	[ebp+var_8], eax
		jmp	short loc_999E78
; 

loc_999E43:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+55j
		mov	ax, [ebx+10h]
		xor	esi, esi
		or	esi, [ebx+14h]
		shr	ax, 6
		movzx	eax, ax
		cdq
		mov	ecx, eax
		mov	[ebp+var_1C], 2
		mov	eax, [ebp+var_34]
		mov	edx, 1000h
		mul	edx
		shld	ecx, esi, 0Ch
		shl	esi, 0Ch
		add	esi, eax
		mov	[ebp+var_18], esi
		adc	ecx, edx
		mov	[ebp+var_14], ecx

loc_999E78:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+B1j
					; MiAllocateFileExtents(x,x,x,x,x)+B7j	...
		mov	ecx, [ebp+var_C]
		call	MiReferenceControlAreaFile
		mov	[ebp+var_30], eax
		rdtsc
		mov	ebx, eax
		mov	[ebp+var_50], 1
		shrd	ebx, edx, 4
		and	ebx, 7
		add	ebx, 8
		jmp	short loc_999EBC
; 

loc_999E9A:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+14Ej
		push	0
		lea	ecx, ds:8[ebx*8]
		mov	edx, 6546694Dh
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_999ED8
		cmp	[ebp+var_50], eax
		jz	short loc_999EC1
		shr	ebx, 1

loc_999EBC:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+127j
					; MiAllocateFileExtents(x,x,x,x,x)+240j
		cmp	ebx, 1
		jnb	short loc_999E9A

loc_999EC1:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+147j
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_C]
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		mov	eax, 0C000009Ah

loc_999ED1:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+2FCj
					; MiAllocateFileExtents(x,x,x,x,x)+312j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_999ED8:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+142j
		xor	eax, eax
		mov	[esi], ebx
		mov	[esi+4], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_1C]
		cmp	eax, 1
		jnz	short loc_999F1A
		mov	ecx, [ebp+var_14]
		mov	edx, edi
		add	edx, [ebp+var_18]
		mov	eax, [ebp+var_20]
		adc	[ebp+var_8], ecx
		cmp	[ebp+var_8], eax
		mov	eax, [ebp+var_18]
		jb	short loc_999F17
		ja	short loc_999F0A
		cmp	edx, [ebp+var_40]
		jbe	short loc_999F17

loc_999F0A:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+192j
		mov	edi, [ebp+var_40]
		sub	edi, eax
		mov	eax, [ebp+var_20]
		sbb	eax, ecx
		mov	[ebp+var_28], eax

loc_999F17:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+190j
					; MiAllocateFileExtents(x,x,x,x,x)+197j
		mov	eax, [ebp+var_1C]

loc_999F1A:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+17Aj
		and	[ebp+var_8], 0
		add	edi, 0FFFh
		and	edi, 0FFFFF000h
		cmp	eax, 1
		jnz	short loc_999F38
		mov	eax, [ebp+var_C]
		test	byte ptr [eax+1Ch], 2
		jnz	short loc_999F5F

loc_999F38:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+1BCj
		mov	edx, [ebp+arg_8]
		lea	eax, [ebp+var_94]
		mov	ecx, [ebp+var_10]
		or	edx, 8
		push	eax
		call	_MiChangingSubsectionProtos@12 ; MiChangingSubsectionProtos(x,x,x)
		mov	[ebp+var_28], eax
		test	eax, eax
		js	loc_99A340
		mov	[ebp+var_3C], 1

loc_999F5F:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+1C5j
		mov	ecx, [ebp+var_30]
		push	esi
		push	[ebp+var_8]
		push	edi
		push	[ebp+var_14]
		push	[ebp+var_18]
		call	_FsRtlGetFileExtents@28	; FsRtlGetFileExtents(x,x,x,x,x,x,x)
		mov	[ebp+var_28], eax
		test	eax, eax
		js	loc_99A31D
		mov	eax, [esi+4]
		mov	[ebp+var_28], eax
		cmp	eax, ebx
		jbe	short loc_999FB6
		cmp	[ebp+var_3C], 1
		jnz	short loc_999FA3
		mov	ecx, [ebp+var_10]
		lea	edx, [ebp+var_94]
		push	0
		call	_MiUnlinkSubsectionWaitBlock@12	; MiUnlinkSubsectionWaitBlock(x,x,x)
		mov	eax, [esi+4]
		mov	[ebp+var_28], eax

loc_999FA3:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+21Aj
		push	0
		push	esi
		mov	[esi+4], ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_28]
		jmp	loc_999EBC
; 

loc_999FB6:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+214j
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_C]
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		mov	ecx, esi
		call	_MiNewPfnsSuitable@4 ; MiNewPfnsSuitable(x)
		test	eax, eax
		jz	loc_99A2F3
		cmp	dword ptr [esi+4], 0
		jnz	short loc_999FF9
		test	byte ptr [ebp+arg_8], 40h
		jnz	loc_99A088
		mov	eax, [ebp+var_1C]
		cmp	eax, 1
		jz	loc_99A088
		xor	ebx, ebx
		xor	edi, edi
		or	[ebp+var_44], 0FFFFFFFFh
		mov	[ebp+var_48], ebx
		jmp	short loc_99A023
; 

loc_999FF9:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+263j
		lea	eax, [ebp+var_44]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_48]
		call	_MiConvertRunsToPages@12 ; MiConvertRunsToPages(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_99A2EC
		test	byte ptr [ebp+arg_8], 40h
		jz	short loc_99A01D
		cmp	[ebp+var_44], 0
		ja	short loc_99A092

loc_99A01D:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+2A4j
		mov	ebx, [ebp+var_48]
		mov	eax, [ebp+var_1C]

loc_99A023:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+286j
		mov	[ebp+var_18], ebx
		cmp	eax, 1
		jnz	short loc_99A034
		mov	eax, [ebp+var_C]
		test	byte ptr [eax+1Ch], 2
		jnz	short loc_99A0B1

loc_99A034:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+2B8j
		mov	edx, [ebp+arg_8]
		lea	eax, [ebp+var_94]
		mov	ecx, [ebp+var_10]
		or	edx, 10h
		push	eax
		call	_MiChangingSubsectionProtos@12 ; MiChangingSubsectionProtos(x,x,x)
		mov	[ebp+var_28], eax
		test	eax, eax
		jns	short loc_99A09C
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		test	edi, edi
		jz	short loc_99A065
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99A065:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+2EBj
		mov	eax, [ebp+var_28]
		cmp	eax, 0C0000434h
		jnz	loc_999ED1
		mov	ebx, [ebp+var_10]
		mov	eax, [ebp+var_38]
		mov	edx, [ebp+var_34]
		jmp	loc_999DB3
; 

loc_99A081:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+9Fj
		xor	eax, eax
		jmp	loc_999ED1
; 

loc_99A088:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+269j
					; MiAllocateFileExtents(x,x,x,x,x)+275j
		mov	edi, 0C0000001h
		jmp	loc_99A2F8
; 

loc_99A092:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+2AAj
		mov	edi, 0C0000018h
		jmp	loc_99A2F8
; 

loc_99A09C:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+2DDj
		test	edi, edi
		jz	short loc_99A0B1
		test	byte ptr [ebp+arg_8], 1
		jnz	short loc_99A0B1
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		push	ebx
		call	_MiEliminateStaleExtents@12 ; MiEliminateStaleExtents(x,x,x)

loc_99A0B1:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+2C1j
					; MiAllocateFileExtents(x,x,x,x,x)+32Dj ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jz	short loc_99A0F2
		mov	eax, [ebp+var_C]
		test	byte ptr [eax+1Ch], 20h
		setz	cl
		test	byte ptr [ebp+arg_8], 1
		setnz	al
		test	cl, al
		jz	short loc_99A0F2
		mov	eax, [ebp+var_60]
		lea	ecx, [ebp+var_6C]
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_58], ebx
		or	eax, 4
		xor	edx, edx
		mov	[ebp+var_60], eax
		inc	edx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_5C], eax
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)

loc_99A0F2:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+34Aj
					; MiAllocateFileExtents(x,x,x,x,x)+35Fj
		mov	edx, [ebp+arg_8]
		xor	ecx, ecx
		and	[ebp+var_20], ecx
		and	edx, 40h
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_34], edx
		mov	edx, [ebp+var_18]
		xor	esi, esi
		xor	ebx, ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_8], eax
		cmp	esi, edx

loc_99A112:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+4EBj
		jnz	short loc_99A15B
		test	ebx, ebx
		jz	loc_99A262

loc_99A11C:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+408j
		cmp	eax, 80000000h
		jnz	short loc_99A181
		test	ecx, ecx
		js	loc_99A24E
		mov	ecx, [ebp+var_10]
		call	_MiMakeSubsectionPte@4 ; MiMakeSubsectionPte(x)
		mov	ecx, esi
		sub	ecx, ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebx+ecx*8], eax
		nop
		test	byte ptr [ebp+arg_8], 2
		mov	eax, ebx
		mov	[eax+ecx*8+4], edx
		jz	loc_99A248
		mov	ecx, 0C0000709h
		mov	[ebp+var_14], ecx
		jmp	loc_99A265
; 

loc_99A15B:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x):loc_99A112j
		mov	eax, [edi+esi*4]
		mov	[ebp+var_38], eax
		test	ebx, ebx
		jnz	short loc_99A16E
		mov	[ebp+var_8], eax
		inc	ebx
		jmp	loc_99A259
; 

loc_99A16E:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+3F2j
		mov	eax, [edi+esi*4-4]
		inc	eax
		cmp	eax, [ebp+var_38]
		mov	eax, [ebp+var_8]
		jnz	short loc_99A11C
		inc	ebx
		jmp	loc_99A259
; 

loc_99A181:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+3B0j
		test	eax, 40000000h
		jz	short loc_99A1AC
		test	ecx, ecx
		jns	loc_99A24E
		lea	eax, [edi+esi*4]
		cmp	eax, [ebp+var_20]
		ja	loc_99A24B
		cmp	esi, edx
		jz	loc_99A262
		mov	eax, [ebp+var_8]
		jmp	loc_99A256
; 

loc_99A1AC:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+415j
		test	ecx, ecx
		js	short loc_99A224
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		cmp	[ebp+var_34], eax
		setz	al
		inc	eax
		mov	[ebp+var_70], eax
		mov	eax, [ebp+var_10]
		mov	[ebp+var_78], eax
		mov	eax, esi
		sub	eax, ebx
		mov	[ebp+var_38], eax
		lea	ecx, [ecx+eax*8]
		mov	eax, [ebp+var_8]
		mov	[ebp+var_74], ecx
		mov	ecx, 1000h
		mul	ecx
		mov	[ebp+var_54], eax
		mov	eax, ebx
		mov	[ebp+var_50], edx
		mul	ecx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	2
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_28], edx
		push	eax
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		lea	edx, [ebp+var_54]
		mov	ecx, eax
		call	_MiAddPhysicalMemory@20	; MiAddPhysicalMemory(x,x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jns	short loc_99A24B
		mov	eax, [ebp+var_38]
		xor	ebx, ebx
		mov	edx, [ebp+var_18]
		or	esi, 0FFFFFFFFh
		lea	eax, [edi+eax*4]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_8]
		jmp	short loc_99A259
; 

loc_99A224:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+43Dj
		lea	eax, [edi+esi*4]
		cmp	eax, [ebp+var_20]
		ja	short loc_99A24B
		cmp	[ebp+var_34], 0
		jz	short loc_99A23C
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	_MiDecrementProtoShareCounts@8 ; MiDecrementProtoShareCounts(x,x)

loc_99A23C:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+4BFj
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		push	12h
		call	_MiRemovePhysicalMemory@12 ; MiRemovePhysicalMemory(x,x,x)

loc_99A248:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+3D7j
		mov	ecx, [ebp+var_14]

loc_99A24B:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+425j
					; MiAllocateFileExtents(x,x,x,x,x)+49Bj ...
		mov	eax, [ebp+var_8]

loc_99A24E:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+3B4j
					; MiAllocateFileExtents(x,x,x,x,x)+419j
		cmp	esi, [ebp+var_18]
		jz	short loc_99A262
		mov	edx, [ebp+var_18]

loc_99A256:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+436j
		xor	ebx, ebx
		dec	esi

loc_99A259:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+3F8j
					; MiAllocateFileExtents(x,x,x,x,x)+40Bj ...
		inc	esi
		cmp	esi, edx
		jbe	loc_99A112

loc_99A262:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+3A5j
					; MiAllocateFileExtents(x,x,x,x,x)+42Dj ...
		mov	eax, [ebp+arg_0]

loc_99A265:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+3E5j
		test	ecx, ecx
		js	short loc_99A2A4
		test	byte ptr [ebp+arg_8], 1
		mov	ebx, [ebp+var_10]
		jz	short loc_99A2B7
		push	ecx
		mov	edx, eax
		mov	ecx, ebx
		call	_MiSetSubsectionBase@12	; MiSetSubsectionBase(x,x,x)
		cmp	[ebp+var_5C], 0
		lea	ecx, [ebx+44h]
		jz	short loc_99A291
		mov	edx, ecx
		lea	ecx, [ebp+var_6C]
		call	_MiReplaceSystemProtoPtesNode@8	; MiReplaceSystemProtoPtesNode(x,x)
		jmp	short loc_99A2B7
; 

loc_99A291:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+512j
		mov	eax, [ebp+var_C]
		test	byte ptr [eax+1Ch], 20h
		jnz	short loc_99A2BA
		xor	edx, edx
		inc	edx
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)
		jmp	short loc_99A2B7
; 

loc_99A2A4:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+4F6j
		cmp	[ebp+var_5C], 0
		jz	short loc_99A2B4
		xor	edx, edx
		lea	ecx, [ebp+var_6C]
		call	_MiUpdateSystemProtoPtesTree@8 ; MiUpdateSystemProtoPtesTree(x,x)

loc_99A2B4:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+537j
		mov	ebx, [ebp+var_10]

loc_99A2B7:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+4FFj
					; MiAllocateFileExtents(x,x,x,x,x)+51Ej ...
		mov	eax, [ebp+var_C]

loc_99A2BA:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+527j
		cmp	[ebp+var_1C], 1
		jnz	short loc_99A2C6
		test	byte ptr [eax+1Ch], 2
		jnz	short loc_99A2D8

loc_99A2C6:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+54Dj
		push	0
		push	[ebp+arg_4]
		lea	edx, [ebp+var_94]
		mov	ecx, ebx
		call	_MiSubsectionProtosCreated@16 ;	MiSubsectionProtosCreated(x,x,x,x)

loc_99A2D8:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+553j
		test	edi, edi
		jz	short loc_99A2E4
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99A2E4:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+569j
		mov	eax, [ebp+var_14]
		jmp	loc_999ED1
; 

loc_99A2EC:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+29Aj
		mov	edi, 0C000009Ah
		jmp	short loc_99A2F8
; 

loc_99A2F3:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+259j
		mov	edi, 0C0000427h

loc_99A2F8:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+31Cj
					; MiAllocateFileExtents(x,x,x,x,x)+326j ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+var_3C], 1
		jnz	short loc_99A316
		mov	ecx, [ebp+var_10]
		lea	edx, [ebp+var_94]
		push	0
		call	_MiUnlinkSubsectionWaitBlock@12	; MiUnlinkSubsectionWaitBlock(x,x,x)

loc_99A316:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+593j
		mov	eax, edi
		jmp	loc_999ED1
; 

loc_99A31D:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+206j
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_C]
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		cmp	[ebp+var_3C], 1
		jnz	short loc_99A34B
		mov	ecx, [ebp+var_10]
		lea	edx, [ebp+var_94]
		push	0
		call	_MiUnlinkSubsectionWaitBlock@12	; MiUnlinkSubsectionWaitBlock(x,x,x)
		jmp	short loc_99A34B
; 

loc_99A340:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+1E1j
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_C]
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)

loc_99A34B:				; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+5BBj
					; MiAllocateFileExtents(x,x,x,x,x)+5CDj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_28]
		jmp	loc_999ED1
_MiAllocateFileExtents@20 endp


;  S U B	R O U T	I N E 


; __stdcall MiComputeIdealFirstSubsection(x)
_MiComputeIdealFirstSubsection@4 proc near ; CODE XREF:	MiCreateDataFileMap+14EEDFp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	0
		push	40h
		push	18h
		mov	ebx, ecx
		mov	edx, 6546694Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		xor	eax, eax
		test	esi, esi
		jz	short loc_99A3DE
		push	esi
		push	eax
		push	200000h
		push	eax
		push	eax
		mov	ecx, ebx
		mov	dword ptr [esi], 2
		mov	edi, eax
		mov	[esi+4], eax
		call	_FsRtlGetFileExtents@28	; FsRtlGetFileExtents(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_99A3D4
		mov	eax, [esi+4]
		cmp	eax, 1
		jnz	short loc_99A3B9
		test	dword ptr [esi+8], 1FFh
		jnz	short loc_99A3D4
		mov	eax, 200h
		cmp	[esi+0Ch], eax
		jnz	short loc_99A3D4
		mov	edi, eax
		jmp	short loc_99A3D4
; 

loc_99A3B9:				; CODE XREF: MiComputeIdealFirstSubsection(x)+45j
		cmp	eax, 2
		jnz	short loc_99A3D4
		mov	eax, [esi+14h]
		mov	ecx, [esi+0Ch]
		add	eax, ecx
		cmp	eax, 200h
		jnz	short loc_99A3D4
		test	cl, 0Fh
		jnz	short loc_99A3D4
		mov	edi, ecx

loc_99A3D4:				; CODE XREF: MiComputeIdealFirstSubsection(x)+3Dj
					; MiComputeIdealFirstSubsection(x)+4Ej	...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi

loc_99A3DE:				; CODE XREF: MiComputeIdealFirstSubsection(x)+1Ej
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiComputeIdealFirstSubsection@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConvertRunsToPages(x, x, x)
_MiConvertRunsToPages@12 proc near	; CODE XREF: MiAllocateFileExtents(x,x,x,x,x)+291p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_18], edx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_1C], eax
		mov	ecx, [eax+4]
		mov	edx, edi
		mov	[ebp+var_C], ecx
		mov	esi, edi
		test	ecx, ecx
		jz	loc_99A48B
		lea	ebx, [eax+8]
		mov	[ebp+var_8], ebx

loc_99A40F:				; CODE XREF: MiConvertRunsToPages(x,x,x)+A0j
		mov	eax, [ebx+4]
		add	edx, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_14], edx
		test	esi, esi
		jnz	short loc_99A476
		mov	eax, [ebx]
		mov	[ebp+var_10], eax
		cmp	eax, 80000000h
		jnz	short loc_99A42F
		or	esi, 0FFFFFFFFh
		jmp	short loc_99A476
; 

loc_99A42F:				; CODE XREF: MiConvertRunsToPages(x,x,x)+46j
		mov	ebx, [ebp+var_10]
		mov	ecx, edi
		mov	edi, [ebp+var_4]

loc_99A437:				; CODE XREF: MiConvertRunsToPages(x,x,x)+87j
		mov	eax, ds:_MiLargePageSizes[ecx*4]
		xor	edx, edx
		mov	[ebp+var_4], eax
		mov	eax, ebx
		div	[ebp+var_4]
		test	edx, edx
		jnz	short loc_99A455
		mov	eax, edi
		div	[ebp+var_4]
		test	edx, edx
		jz	short loc_99A46B

loc_99A455:				; CODE XREF: MiConvertRunsToPages(x,x,x)+68j
		cmp	esi, ecx
		ja	short loc_99A45C
		lea	esi, [ecx+1]

loc_99A45C:				; CODE XREF: MiConvertRunsToPages(x,x,x)+75j
		cmp	[ebp+var_4], 200h
		jz	short loc_99A46B
		inc	ecx
		cmp	ecx, 2
		jb	short loc_99A437

loc_99A46B:				; CODE XREF: MiConvertRunsToPages(x,x,x)+71j
					; MiConvertRunsToPages(x,x,x)+81j
		mov	ebx, [ebp+var_8]
		xor	edi, edi
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_14]

loc_99A476:				; CODE XREF: MiConvertRunsToPages(x,x,x)+3Aj
					; MiConvertRunsToPages(x,x,x)+4Bj
		add	ebx, 8
		sub	ecx, 1
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], ecx
		jnz	short loc_99A40F
		test	esi, esi
		jz	short loc_99A48B
		or	esi, 0FFFFFFFFh

loc_99A48B:				; CODE XREF: MiConvertRunsToPages(x,x,x)+21j
					; MiConvertRunsToPages(x,x,x)+A4j
		mov	eax, [ebp+arg_0]
		mov	ecx, edx
		push	edi
		shl	ecx, 2
		push	40h
		mov	[eax], esi
		mov	eax, [ebp+var_18]
		mov	[eax], edx
		mov	edx, 6546694Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_99A4DE
		mov	ecx, [ebp+var_1C]
		mov	esi, [ecx+4]
		test	esi, esi
		jz	short loc_99A4DC
		add	ecx, 0Ch

loc_99A4BA:				; CODE XREF: MiConvertRunsToPages(x,x,x)+F8j
		mov	edx, [ecx]
		mov	eax, [ecx-4]
		test	edx, edx
		jz	short loc_99A4D4

loc_99A4C3:				; CODE XREF: MiConvertRunsToPages(x,x,x)+F0j
		mov	[ebx+edi*4], eax
		cmp	eax, 80000000h
		jz	short loc_99A4CE
		inc	eax

loc_99A4CE:				; CODE XREF: MiConvertRunsToPages(x,x,x)+E9j
		inc	edi
		sub	edx, 1
		jnz	short loc_99A4C3

loc_99A4D4:				; CODE XREF: MiConvertRunsToPages(x,x,x)+DFj
		add	ecx, 8
		sub	esi, 1
		jnz	short loc_99A4BA

loc_99A4DC:				; CODE XREF: MiConvertRunsToPages(x,x,x)+D3j
		mov	eax, ebx

loc_99A4DE:				; CODE XREF: MiConvertRunsToPages(x,x,x)+C9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiConvertRunsToPages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAttemptPageFileExtension(x, x, x)
_MiAttemptPageFileExtension@12 proc near ; CODE	XREF: MiExtendPagingFiles(x)+4Ep
					; MiExtendPagingFiles(x)+11Dp

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_58], ecx
		xor	eax, eax
		lea	edi, [ebp+var_44]
		push	6
		pop	ecx
		rep stosd
		mov	eax, [ebx+90h]
		xor	edx, edx
		mov	[ebp+var_5C], eax
		mov	eax, [ebx]
		mov	[ebp+var_10], edx
		cmp	eax, [ebx+4]
		jz	loc_99A633
		mov	ecx, [ebx+1Ch]
		lea	eax, [ebp+var_4C]
		push	edx
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		push	edx
		push	18h
		push	3
		pop	edx
		call	IopQueryXxxInformation
		test	eax, eax
		js	loc_99A633
		mov	edi, 4000h
		mov	ecx, 1000h

loc_99A54B:				; CODE XREF: MiAttemptPageFileExtension(x,x,x)+13Aj
		cmp	[ebp+arg_0], edi
		jnb	short loc_99A554
		mov	eax, edi
		jmp	short loc_99A559
; 

loc_99A554:				; CODE XREF: MiAttemptPageFileExtension(x,x,x)+69j
		mov	eax, [ebp+arg_0]
		mov	edi, ecx

loc_99A559:				; CODE XREF: MiAttemptPageFileExtension(x,x,x)+6Dj
		mov	ecx, [ebx+4]
		mov	edx, [ebx]
		mov	[ebp+var_4C], ecx
		sub	ecx, edx
		mov	[ebp+var_48], eax
		mov	[ebp+var_54], edx
		cmp	eax, ecx
		jbe	short loc_99A570
		mov	[ebp+var_48], ecx

loc_99A570:				; CODE XREF: MiAttemptPageFileExtension(x,x,x)+86j
		mov	ecx, [ebp+var_30]
		imul	ecx, [ebp+var_34]
		mov	eax, [ebp+var_38]
		mul	ecx
		mov	[ebp+var_50], eax
		mov	eax, [ebp+var_3C]
		mul	ecx
		mov	ecx, [ebp+var_50]
		mov	esi, eax
		add	ecx, edx
		jnz	short loc_99A599
		cmp	esi, 10000000h
		jbe	loc_99A633

loc_99A599:				; CODE XREF: MiAttemptPageFileExtension(x,x,x)+A6j
		mov	eax, [ebp+var_48]
		add	esi, 0F0000000h
		adc	ecx, 0FFFFFFFFh
		shrd	esi, ecx, 0Ch
		cmp	esi, eax
		jbe	short loc_99A5AF
		mov	esi, eax

loc_99A5AF:				; CODE XREF: MiAttemptPageFileExtension(x,x,x)+C6j
		test	byte ptr [ebx+74h], 10h
		jz	short loc_99A5BA
		cmp	esi, [ebp+arg_0]
		jb	short loc_99A633

loc_99A5BA:				; CODE XREF: MiAttemptPageFileExtension(x,x,x)+CEj
		mov	eax, [ebp+var_54]
		xor	edx, edx
		mov	ecx, eax
		add	ecx, esi
		adc	edx, edx
		shl	eax, 0Ch
		shld	edx, ecx, 0Ch
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_4C]
		shl	ecx, 0Ch
		mov	[ebp+var_2C], ecx
		mov	ecx, 1000h
		mov	[ebp+var_28], edx
		mul	ecx
		and	[ebp+var_20], 0
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_58]
		mov	[ebp+var_18], edx
		mov	al, [eax+2Fh]
		not	al
		and	eax, 20h
		or	eax, 8
		shr	eax, 3
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	20h
		push	14h
		push	dword ptr [ebx+1Ch]
		call	_IoSetInformation@16 ; IoSetInformation(x,x,x,x)
		test	eax, eax
		jz	short loc_99A624
		mov	ecx, 1000h
		cmp	edi, ecx
		jz	short loc_99A633
		mov	edi, ecx
		jmp	loc_99A54B
; 

loc_99A624:				; CODE XREF: MiAttemptPageFileExtension(x,x,x)+12Dj
		mov	ecx, [ebp+var_5C]
		mov	edx, ebx
		push	esi
		call	_MiFinishPageFileExtension@12 ;	MiFinishPageFileExtension(x,x,x)
		mov	eax, esi
		jmp	short loc_99A635
; 

loc_99A633:				; CODE XREF: MiAttemptPageFileExtension(x,x,x)+37j
					; MiAttemptPageFileExtension(x,x,x)+56j ...
		xor	eax, eax

loc_99A635:				; CODE XREF: MiAttemptPageFileExtension(x,x,x)+14Cj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiAttemptPageFileExtension@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiDeletePagefile(x,	x)
_MiDeletePagefile@8 proc near		; CODE XREF: MmStoreRegister+96261p
					; MiCreatePagingFile+961BFp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		xor	edi, edi
		cmp	[esi+24h], edi
		jbe	short loc_99A669

loc_99A656:				; CODE XREF: MiDeletePagefile(x,x)+21j
		mov	ecx, [esi+20h]
		xor	edx, edx
		mov	ecx, [ecx+edi*4]
		call	_MiFreeModWriterEntry@8	; MiFreeModWriterEntry(x,x)
		inc	edi
		cmp	edi, [esi+24h]
		jb	short loc_99A656

loc_99A669:				; CODE XREF: MiDeletePagefile(x,x)+Ej
		mov	eax, [esi+20h]
		test	eax, eax
		jz	short loc_99A678
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99A678:				; CODE XREF: MiDeletePagefile(x,x)+28j
		mov	ecx, [esi+38h]
		test	ecx, ecx
		jz	short loc_99A684
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_99A684:				; CODE XREF: MiDeletePagefile(x,x)+37j
		mov	ecx, [esi+80h]
		test	ecx, ecx
		jz	short loc_99A696
		mov	edx, [esi+4]
		call	_MiReleasePageHash@8 ; MiReleasePageHash(x,x)

loc_99A696:				; CODE XREF: MiDeletePagefile(x,x)+46j
		mov	ecx, [esi+90h]
		call	_MiFreePageFileHashPfns@4 ; MiFreePageFileHashPfns(x)
		movzx	eax, word ptr [esi+74h]
		mov	ecx, eax
		test	eax, 100h
		jz	short loc_99A6BB
		xor	edx, edx
		mov	ecx, esi
		call	MiUpdatePageFileList
		movzx	ecx, word ptr [esi+74h]

loc_99A6BB:				; CODE XREF: MiDeletePagefile(x,x)+66j
		test	ecx, 200h
		jz	short loc_99A6CD
		mov	ecx, [esi+1Ch]
		xor	dl, dl
		call	PiPagePathSetState

loc_99A6CD:				; CODE XREF: MiDeletePagefile(x,x)+7Bj
		mov	eax, [esi+84h]
		test	eax, eax
		jz	short loc_99A6DF
		push	0
		push	eax
		call	ObCloseHandle

loc_99A6DF:				; CODE XREF: MiDeletePagefile(x,x)+8Fj
		mov	ecx, [esi+1Ch]
		test	ecx, ecx
		jz	short loc_99A6EB
		call	ObfDereferenceObject

loc_99A6EB:				; CODE XREF: MiDeletePagefile(x,x)+9Ej
		mov	eax, [esi+34h]
		test	eax, eax
		jz	short loc_99A6FA
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99A6FA:				; CODE XREF: MiDeletePagefile(x,x)+AAj
		mov	eax, [esi+6Ch]
		test	eax, eax
		jz	short loc_99A709
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99A709:				; CODE XREF: MiDeletePagefile(x,x)+B9j
		test	ebx, ebx
		jz	short loc_99A715
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99A715:				; CODE XREF: MiDeletePagefile(x,x)+C5j
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiDeletePagefile@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeletePagingFiles(x)
_MiDeletePagingFiles@4 proc near	; CODE XREF: MiDeletePartitionResources(x)+16Dp
					; MiShutdownSystem()+155p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx+0F4Ch]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], eax
		mov	ebx, esi
		push	edi
		test	eax, eax
		jz	short loc_99A773
		lea	edi, [ecx+0F54h]

loc_99A73E:				; CODE XREF: MiDeletePagingFiles(x)+4Aj
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_99A75A
		test	byte ptr [ecx+74h], 50h
		jnz	short loc_99A74F
		add	ebx, [ecx]
		add	esi, 2

loc_99A74F:				; CODE XREF: MiDeletePagingFiles(x)+2Fj
		xor	edx, edx
		inc	edx
		call	_MiDeletePagefile@8 ; MiDeletePagefile(x,x)
		mov	eax, [ebp+var_4]

loc_99A75A:				; CODE XREF: MiDeletePagingFiles(x)+29j
		add	edi, 4
		sub	eax, 1
		mov	[ebp+var_4], eax
		jnz	short loc_99A73E
		test	esi, esi
		jz	short loc_99A773
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	MiReturnCommit

loc_99A773:				; CODE XREF: MiDeletePagingFiles(x)+1Dj
					; MiDeletePagingFiles(x)+4Ej
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_MiDeletePagingFiles@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiExtendPagingFiles(x)
_MiExtendPagingFiles@4 proc near	; CODE XREF: MiProcessDereferenceList+8FB26p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edx, [ebx+0Ch]
		mov	esi, [ebx+10h]
		movzx	ecx, byte ptr [ebx+2Ch]
		mov	[ebp+var_10], edx
		mov	eax, [edx+0F4Ch]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_99A8D6
		cmp	ecx, eax
		jnb	short loc_99A7F4
		lfence	eax
		mov	ecx, [edx+ecx*4+0F54h]
		mov	[ebp+var_4], ecx
		mov	eax, [ecx+4]
		sub	eax, [ecx]
		cmp	eax, esi
		jb	loc_99A8D6
		mov	edx, ecx
		mov	ecx, ebx
		push	esi
		call	_MiAttemptPageFileExtension@12 ; MiAttemptPageFileExtension(x,x,x)
		mov	esi, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		jz	short loc_99A7E5
		test	byte ptr [ebx+2Fh], 2
		jz	short loc_99A7E5
		mov	edx, edi
		mov	ecx, esi
		call	_MiUpdatePagingFileMinimum@8 ; MiUpdatePagingFileMinimum(x,x)

loc_99A7E5:				; CODE XREF: MiExtendPagingFiles(x)+5Aj
					; MiExtendPagingFiles(x)+60j
		test	byte ptr [esi+74h], 50h
		push	0
		pop	eax
		setz	al
		jmp	loc_99A8BC
; 

loc_99A7F4:				; CODE XREF: MiExtendPagingFiles(x)+2Dj
		test	byte ptr [ebx+2Fh], 1
		jnz	short loc_99A82D
		mov	edi, [edx+1114h]
		mov	ecx, [edx+10BCh]
		mov	eax, [edx+0D9Ch]
		add	eax, ecx
		add	esi, eax
		cmp	esi, ecx
		jb	loc_99A8D6
		cmp	esi, edi
		ja	short loc_99A828
		mov	dword ptr [ebx+14h], 1
		jmp	loc_99A8D6
; 

loc_99A828:				; CODE XREF: MiExtendPagingFiles(x)+A0j
		mov	eax, [ebp+var_4]
		sub	esi, edi

loc_99A82D:				; CODE XREF: MiExtendPagingFiles(x)+7Ej
		xor	edi, edi
		test	eax, eax
		jz	short loc_99A867
		lea	ecx, [edx+0F54h]
		mov	[ebp+var_8], eax
		mov	edx, eax

loc_99A83E:				; CODE XREF: MiExtendPagingFiles(x)+E5j
		mov	eax, [ecx]
		mov	[ebp+var_C], eax
		test	byte ptr [eax+74h], 50h
		jnz	short loc_99A856
		mov	edx, [ebp+var_C]
		mov	eax, [eax+4]
		sub	eax, [edx]
		mov	edx, [ebp+var_8]
		add	edi, eax

loc_99A856:				; CODE XREF: MiExtendPagingFiles(x)+CDj
		add	ecx, 4
		sub	edx, 1
		mov	[ebp+var_8], edx
		jnz	short loc_99A83E
		mov	edx, [ebp+var_10]
		mov	eax, [ebp+var_4]

loc_99A867:				; CODE XREF: MiExtendPagingFiles(x)+B7j
		cmp	edi, esi
		jb	short loc_99A8D6
		xor	ecx, ecx
		xor	edi, edi
		mov	[ebp+var_8], ecx
		test	eax, eax
		jz	short loc_99A8D6
		add	edx, 0F54h
		mov	[ebp+var_C], edx

loc_99A87F:				; CODE XREF: MiExtendPagingFiles(x)+13Dj
		mov	ecx, [edx]
		mov	[ebp+var_14], ecx
		test	byte ptr [ecx+74h], 50h
		mov	ecx, [ebp+var_8]
		jnz	short loc_99A8AB
		mov	edx, [ebp+var_14]
		mov	eax, esi
		sub	eax, edi
		mov	ecx, ebx
		push	eax
		call	_MiAttemptPageFileExtension@12 ; MiAttemptPageFileExtension(x,x,x)
		add	edi, eax
		cmp	edi, esi
		jnb	short loc_99A8B9
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_C]

loc_99A8AB:				; CODE XREF: MiExtendPagingFiles(x)+111j
		inc	ecx
		add	edx, 4
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], edx
		cmp	ecx, eax
		jb	short loc_99A87F

loc_99A8B9:				; CODE XREF: MiExtendPagingFiles(x)+126j
		xor	eax, eax
		inc	eax

loc_99A8BC:				; CODE XREF: MiExtendPagingFiles(x)+75j
		test	edi, edi
		jz	short loc_99A8D6
		mov	[ebx+14h], edi
		test	eax, eax
		jz	short loc_99A8D6
		mov	ecx, [ebp+var_10]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		mov	edx, edi
		call	MiIncreaseCommitLimits

loc_99A8D6:				; CODE XREF: MiExtendPagingFiles(x)+25j
					; MiExtendPagingFiles(x)+43j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiExtendPagingFiles@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiScanPagefileSpace(x)
_MiScanPagefileSpace@4 proc near	; DATA XREF: MiScanPagefiles+F4476o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	edx, edx
		push	esi
		push	edi
		mov	ecx, ebx
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_8], eax
		xor	eax, eax
		mov	[ebp+var_C], eax
		call	MiReferencePageRuns
		mov	edx, [ebp+var_C]
		mov	ecx, eax
		mov	[ebp+var_1C], ecx
		lea	eax, [ecx+0Ch]
		mov	[ebp+var_18], eax

loc_99A90B:				; CODE XREF: MiScanPagefileSpace(x)+18Ej
		imul	edi, [eax-4], 1Ch
		imul	esi, [eax], 1Ch
		add	edi, ds:_MmPfnDatabase
		add	esi, edi
		mov	[ebp+var_4], esi
		cmp	edi, esi
		jnb	loc_99AA5D
		mov	eax, [ebp+var_4]
		lea	esi, [edi+8]
		mov	ecx, [ebp+var_8]

loc_99A92E:				; CODE XREF: MiScanPagefileSpace(x)+173j
		xor	edx, edx
		cmp	dx, cx
		jnz	loc_99AA46
		mov	al, [esi+0Eh]
		and	al, 7
		cmp	al, 2
		jz	short loc_99A94E
		cmp	al, 3
		jz	short loc_99A94E
		cmp	al, 7
		jnz	loc_99AA43

loc_99A94E:				; CODE XREF: MiScanPagefileSpace(x)+65j
					; MiScanPagefileSpace(x)+69j
		mov	eax, [esi]
		xor	edx, edx
		and	eax, 400h
		or	eax, edx
		jnz	loc_99AA43
		mov	ecx, esi
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jz	loc_99AA40
		mov	eax, [esi+10h]
		and	eax, offset loc_7FFFFF
		cmp	eax, 7FFFFDh
		jz	loc_99AA40
		xor	ecx, ecx
		cmp	[esi+0Ch], cx
		jz	loc_99AA40
		test	byte ptr [esi+0Eh], 28h
		jnz	loc_99AA40
		test	byte ptr [esi+0Fh], 10h
		jnz	loc_99AA40
		mov	eax, ecx
		mov	[ebp+var_14], ecx
		mov	ecx, edi
		mov	[ebp+var_10], eax
		call	_MiLockPage@4	; MiLockPage(x)
		mov	cl, [esi+0Eh]
		and	cl, 7
		mov	byte ptr [ebp+arg_0+3],	al
		cmp	cl, 2
		jz	short loc_99A9C8
		cmp	cl, 3
		jz	short loc_99A9C8
		cmp	cl, 7
		jnz	short loc_99AA1F

loc_99A9C8:				; CODE XREF: MiScanPagefileSpace(x)+E1j
					; MiScanPagefileSpace(x)+E6j
		mov	eax, [esi]
		xor	ecx, ecx
		and	eax, 400h
		or	eax, ecx
		jnz	short loc_99AA1F
		mov	ecx, esi
		call	_MiGetPagingFileOffset@4 ; MiGetPagingFileOffset(x)
		test	eax, eax
		jz	short loc_99AA1F
		mov	eax, [esi+10h]
		and	eax, offset loc_7FFFFF
		cmp	eax, 7FFFFDh
		jz	short loc_99AA1F
		xor	eax, eax
		cmp	[esi+0Ch], ax
		jz	short loc_99AA1F
		mov	cl, [esi+0Eh]
		mov	al, [esi+0Fh]
		and	cl, 28h
		neg	cl
		sbb	cl, cl
		shr	al, 4
		inc	cl
		not	al
		and	cl, al
		test	cl, 1
		jz	short loc_99AA1F
		mov	ecx, edi
		call	_MiCaptureDirtyBitToPfn@4 ; MiCaptureDirtyBitToPfn(x)
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], edx

loc_99AA1F:				; CODE XREF: MiScanPagefileSpace(x)+EBj
					; MiScanPagefileSpace(x)+F8j ...
		mov	dl, byte ptr [ebp+arg_0+3]
		mov	ecx, edi
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)
		mov	eax, [ebp+var_10]
		mov	ecx, eax
		mov	edx, [ebp+var_14]
		or	ecx, edx
		jz	short loc_99AA40
		push	edx
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	MiReleasePageFileInfo

loc_99AA40:				; CODE XREF: MiScanPagefileSpace(x)+8Dj
					; MiScanPagefileSpace(x)+A0j ...
		mov	ecx, [ebp+var_8]

loc_99AA43:				; CODE XREF: MiScanPagefileSpace(x)+6Dj
					; MiScanPagefileSpace(x)+7Ej
		mov	eax, [ebp+var_4]

loc_99AA46:				; CODE XREF: MiScanPagefileSpace(x)+58j
		add	edi, 1Ch
		add	esi, 1Ch
		cmp	edi, eax
		jb	loc_99A92E
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_1C]
		mov	edx, [ebp+var_C]

loc_99AA5D:				; CODE XREF: MiScanPagefileSpace(x)+44j
		inc	edx
		add	eax, 8
		mov	[ebp+var_C], edx
		mov	[ebp+var_18], eax
		cmp	edx, [ecx]
		jnz	loc_99A90B
		call	_MiDereferencePageRuns@4 ; MiDereferencePageRuns(x)
		mov	ecx, [ebx+64h]
		xor	eax, eax
		mov	[ebx+24Ch], eax
		call	PsDereferencePartition
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiScanPagefileSpace@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmGetPageFileForCrashDump()
_MmGetPageFileForCrashDump@0 proc near	; CODE XREF: IoConfigureCrashDump:loc_5F5D55p

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ebx
		push	edi
		dec	word ptr [ebx+13Eh]
		mov	edi, esi
		nop
		xor	edx, edx
		mov	ecx, offset dword_6D50B8
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, dword_6D5D8C
		mov	eax, esi
		test	ecx, ecx
		jz	short loc_99AAEF
		mov	ebx, ecx

loc_99AAC6:				; CODE XREF: MmGetPageFileForCrashDump()+5Fj
		mov	ecx, dword_6D5D94[eax*4]
		mov	edx, 850h
		test	[ecx+74h], dx
		jnz	short loc_99AAE7
		mov	edx, [ecx+8]
		cmp	edx, edi
		jbe	short loc_99AAE7
		mov	esi, [ecx+84h]
		mov	edi, edx

loc_99AAE7:				; CODE XREF: MmGetPageFileForCrashDump()+4Bj
					; MmGetPageFileForCrashDump()+52j
		inc	eax
		cmp	eax, ebx
		jb	short loc_99AAC6
		mov	ebx, [ebp+var_8]

loc_99AAEF:				; CODE XREF: MmGetPageFileForCrashDump()+37j
		or	eax, 0FFFFFFFFh
		mov	edi, offset dword_6D50B8
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_99AB08
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_99AB08:				; CODE XREF: MmGetPageFileForCrashDump()+74j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, ebx
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_MmGetPageFileForCrashDump@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmFreeIndependentPages(x, x)
_MmFreeIndependentPages@8 proc near	; CODE XREF: HvlStartBootLogicalProcessors+8A83Bp
					; KeAllocateProcessorProfileStructures+8A671p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, edx
		and	esi, 0FFFh
		mov	[ebp+var_34], eax
		neg	esi
		mov	[ebp+var_30], eax
		mov	[ebp+var_28], eax
		sbb	esi, esi
		mov	[ebp+var_24], eax
		neg	esi
		shr	edx, 0Ch
		add	esi, edx
		mov	eax, esi
		mov	[ebp+var_14], esi
		push	edi
		mov	[ebp+var_4], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_2C], eax
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	edi, eax
		mov	[ebp+var_18], edi
		lea	eax, [edi+esi*8]
		xor	esi, esi
		mov	[ebp+var_10], eax

loc_99AB6C:				; CODE XREF: MmFreeIndependentPages(x,x)+105j
		mov	ebx, [edi]
		nop
		mov	edx, [edi+4]
		mov	ecx, edi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_99AB86
		push	edx
		push	ebx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	ebx, eax

loc_99AB86:				; CODE XREF: MmFreeIndependentPages(x,x)+5Ej
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], edx
		nop
		lea	ecx, [ebp+var_20]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_99ABA2
		push	edx
		push	ebx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	ebx, eax

loc_99ABA2:				; CODE XREF: MmFreeIndependentPages(x,x)+7Aj
		shrd	ebx, edx, 0Ch
		and	ebx, 1FFFFFFh
		imul	ebx, 1Ch
		add	ebx, ds:_MmPfnDatabase
		mov	eax, [ebx+18h]
		and	eax, offset loc_7FFFFF
		imul	eax, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_C], eax
		mov	eax, ds:_ZeroPte
		mov	[edi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	ecx, ebx
		mov	[edi+4], eax
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		test	eax, eax
		jz	short loc_99AC04
		mov	eax, [ebp+var_4]
		dec	eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_8]
		dec	eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_2C], eax
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		jmp	short loc_99AC12
; 

loc_99AC04:				; CODE XREF: MmFreeIndependentPages(x,x)+CAj
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		cmp	eax, 3
		jnz	short loc_99AC12
		inc	esi
		mov	[ebp+var_34], esi

loc_99AC12:				; CODE XREF: MmFreeIndependentPages(x,x)+E5j
					; MmFreeIndependentPages(x,x)+EFj
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		add	edi, 8
		cmp	edi, [ebp+var_10]
		jb	loc_99AB6C
		mov	esi, [ebp+var_14]
		mov	ecx, offset dword_6D35E0
		mov	edx, [ebp+var_18]
		push	esi
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		xor	edx, edx
		lea	ecx, [ebp+var_38]
		inc	edx
		call	_MiReturnPoolCharges@8 ; MiReturnPoolCharges(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MmFreeIndependentPages@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiCloneDiscardVadCommit(x)
_MiCloneDiscardVadCommit@4 proc	near	; CODE XREF: MiCloneCaptureVadCommit+158p
					; MiAllocateChildVads+B4A0Ap
		mov	edi, edi
		push	edi
		mov	edi, ecx
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_99AC67
		push	esi

loc_99AC56:				; CODE XREF: MiCloneDiscardVadCommit(x)+1Bj
		mov	esi, [eax]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_99AC56
		pop	esi

loc_99AC67:				; CODE XREF: MiCloneDiscardVadCommit(x)+Aj
		and	dword ptr [edi+4], 0
		pop	edi
		retn
_MiCloneDiscardVadCommit@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSetVadBits(x)
_MiSetVadBits@4	proc near		; CODE XREF: MiUpdateVadBits+173A35p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ecx+0Ch]
		shr	eax, 4
		push	ebx
		movzx	ebx, ax
		mov	eax, [ecx+10h]
		shr	eax, 4
		movzx	edx, ax
		mov	eax, large fs:124h
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], ebx
		mov	eax, [eax+80h]
		mov	[ebp+var_4], edx
		mov	esi, [eax+24Ch]
		add	esi, 18h
		lea	ecx, [esi+48h]
		mov	[ebp+var_8], ecx
		cmp	[ecx], edi
		jbe	short loc_99AD13
		mov	eax, ecx

loc_99ACB3:				; CODE XREF: MiSetVadBits(x)+A4j
		mov	ecx, [esi+4]
		sub	ecx, dword_6D2E88
		shl	ecx, 3
		mov	[ebp+var_10], ecx
		cmp	edx, ecx
		jb	short loc_99AD0B
		mov	eax, [esi]
		add	eax, ecx
		mov	[ebp+var_C], eax
		cmp	ebx, eax
		jnb	short loc_99AD08
		mov	edx, ebx
		cmp	ebx, ecx
		jnb	short loc_99ACD9
		mov	edx, ecx

loc_99ACD9:				; CODE XREF: MiSetVadBits(x)+68j
		mov	eax, [ebp+var_4]
		sbb	ebx, ebx
		mov	ecx, eax
		neg	ebx
		cmp	ecx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		jb	short loc_99ACF1
		mov	eax, [ebp+var_C]
		xor	ebx, ebx
		dec	eax
		inc	ebx

loc_99ACF1:				; CODE XREF: MiSetVadBits(x)+7Bj
		sub	eax, edx
		sub	edx, ecx
		inc	eax
		push	eax
		push	edx
		push	esi
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		test	ebx, ebx
		jz	short loc_99AD13
		mov	ebx, [ebp+var_14]
		mov	edx, [ebp+var_4]

loc_99AD08:				; CODE XREF: MiSetVadBits(x)+62j
		mov	eax, [ebp+var_8]

loc_99AD0B:				; CODE XREF: MiSetVadBits(x)+57j
		inc	edi
		add	esi, 24h
		cmp	edi, [eax]
		jb	short loc_99ACB3

loc_99AD13:				; CODE XREF: MiSetVadBits(x)+42j
					; MiSetVadBits(x)+93j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiSetVadBits@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmCheckForSafeExecution(x, x, x, x)
_MmCheckForSafeExecution@16 proc near	; CODE XREF: KiFlushReadyLists(x,x,x)+11Cp
					; KiFlushReadyLists(x,x,x)+172p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	esi, ecx
		mov	[ebp+var_4], edx
		mov	ecx, edi
		mov	bl, 1
		mov	eax, [edi+80h]
		mov	edx, eax
		mov	[ebp+var_8], eax
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)
		cmp	[ebp+arg_4], 0
		jnz	short loc_99AD6E
		mov	ecx, esi
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		mov	ecx, [ebp+var_4]
		mov	esi, eax
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		test	esi, esi
		jz	short loc_99AD83
		test	eax, eax
		jz	short loc_99AD83
		cmp	esi, eax
		jz	short loc_99AD83
		mov	eax, [esi+1Ch]
		and	al, 70h
		cmp	al, 20h
		jz	short loc_99AD83

loc_99AD6E:				; CODE XREF: MmCheckForSafeExecution(x,x,x,x)+2Ej
		mov	ecx, [ebp+arg_0]
		call	_MiLocateAddress@4 ; MiLocateAddress(x)
		test	eax, eax
		jz	short loc_99AD83
		mov	eax, [eax+1Ch]
		and	al, 70h
		cmp	al, 20h
		jz	short loc_99AD85

loc_99AD83:				; CODE XREF: MmCheckForSafeExecution(x,x,x,x)+43j
					; MmCheckForSafeExecution(x,x,x,x)+47j	...
		xor	bl, bl

loc_99AD85:				; CODE XREF: MmCheckForSafeExecution(x,x,x,x)+69j
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		cmp	bl, 1
		jnz	short loc_99ADA1
		mov	ecx, [ebp+arg_0]
		call	_MmValidateUserCallTarget@8 ; MmValidateUserCallTarget(x,x)
		test	eax, eax
		setnz	bl

loc_99ADA1:				; CODE XREF: MmCheckForSafeExecution(x,x,x,x)+7Aj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	8
_MmCheckForSafeExecution@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmIsFileMapped(x, x)
_MmIsFileMapped@8 proc near		; CODE XREF: IopQueryProcessIdsUsingFile(x,x,x,x)+9Dp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_1C]
		xor	eax, eax
		mov	[ebp+var_30], ebx
		and	[ebp+var_20], eax
		push	6
		pop	ecx
		rep stosd
		mov	edi, large fs:124h
		mov	eax, [edx+14h]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_24], edi
		cmp	[edi+80h], ebx
		jz	short loc_99ADFF
		lea	eax, [ebp+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	KiStackAttachProcess
		mov	[ebp+var_28], 1
		jmp	short loc_99AE03
; 

loc_99ADFF:				; CODE XREF: MmIsFileMapped(x,x)+3Dj
		and	[ebp+var_28], 0

loc_99AE03:				; CODE XREF: MmIsFileMapped(x,x)+53j
		mov	edx, ebx
		mov	ecx, edi
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	eax, [ebx+350h]
		xor	esi, esi
		jmp	short loc_99AE1A
; 

loc_99AE16:				; CODE XREF: MmIsFileMapped(x,x)+72j
		mov	esi, eax
		mov	eax, [eax]

loc_99AE1A:				; CODE XREF: MmIsFileMapped(x,x)+6Aj
		test	eax, eax
		jnz	short loc_99AE16
		test	esi, esi
		jz	loc_99AEB7

loc_99AE26:				; CODE XREF: MmIsFileMapped(x,x)+104j
		mov	eax, [esi+4]
		mov	ebx, esi
		mov	ecx, esi
		test	eax, eax
		jz	short loc_99AE4B
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_99AE53

loc_99AE39:				; CODE XREF: MmIsFileMapped(x,x)+97j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_99AE39
		jmp	short loc_99AE53
; 

loc_99AE45:				; CODE XREF: MmIsFileMapped(x,x)+A7j
		cmp	[esi], ecx
		jz	short loc_99AE53
		mov	ecx, esi

loc_99AE4B:				; CODE XREF: MmIsFileMapped(x,x)+85j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_99AE45

loc_99AE53:				; CODE XREF: MmIsFileMapped(x,x)+8Dj
					; MmIsFileMapped(x,x)+99j ...
		test	dword ptr [ebx+1Ch], 100000h
		jnz	short loc_99AEAC
		mov	edx, ebx
		mov	ecx, edi
		call	_MiLockVadShared@8 ; MiLockVadShared(x,x)
		mov	ecx, ebx
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		test	eax, eax
		jnz	short loc_99AE9D
		mov	eax, [ebx+2Ch]
		mov	edi, [eax]
		cmp	dword ptr [edi+20h], 0
		jz	short loc_99AE9A
		mov	ecx, edi
		call	MiReferenceControlAreaFile
		mov	ecx, [ebp+var_2C]
		cmp	[eax+14h], ecx
		jnz	short loc_99AE91
		mov	[ebp+var_20], 1

loc_99AE91:				; CODE XREF: MmIsFileMapped(x,x)+DEj
		mov	edx, eax
		mov	ecx, edi
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)

loc_99AE9A:				; CODE XREF: MmIsFileMapped(x,x)+CFj
		mov	edi, [ebp+var_24]

loc_99AE9D:				; CODE XREF: MmIsFileMapped(x,x)+C4j
		mov	edx, ebx
		mov	ecx, edi
		call	_MiUnlockVadShared@8 ; MiUnlockVadShared(x,x)
		cmp	[ebp+var_20], 1
		jz	short loc_99AEB4

loc_99AEAC:				; CODE XREF: MmIsFileMapped(x,x)+B0j
		test	esi, esi
		jnz	loc_99AE26

loc_99AEB4:				; CODE XREF: MmIsFileMapped(x,x)+100j
		mov	ebx, [ebp+var_30]

loc_99AEB7:				; CODE XREF: MmIsFileMapped(x,x)+76j
		mov	edx, ebx
		mov	ecx, edi
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		cmp	[ebp+var_28], 1
		jnz	short loc_99AED0
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_99AED0:				; CODE XREF: MmIsFileMapped(x,x)+11Aj
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_20]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MmIsFileMapped@8 endp


;  S U B	R O U T	I N E 


; __stdcall MmSectionToSectionObjectPointers(x)
_MmSectionToSectionObjectPointers@4 proc near
					; CODE XREF: IopIsFileOpenOrSection(x,x,x,x)+68p
		mov	edi, edi
		push	edi
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	edi, eax
		cmp	dword ptr [edi+20h], 0
		jz	short loc_99AF0B
		push	esi
		mov	ecx, edi
		call	MiReferenceControlAreaFile
		mov	edx, eax
		mov	ecx, edi
		mov	esi, [eax+14h]
		call	_MiDereferenceControlAreaFile@8	; MiDereferenceControlAreaFile(x,x)
		mov	eax, esi
		pop	esi
		pop	edi
		retn
; 

loc_99AF0B:				; CODE XREF: MmSectionToSectionObjectPointers(x)+Ej
		xor	eax, eax
		pop	edi
		retn
_MmSectionToSectionObjectPointers@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiSnapUnresolvedImport(x, x, x)
_MiSnapUnresolvedImport@12 proc	near	; CODE XREF: MiResolveImageReferences+B1A2Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		mov	esi, edx
		push	eax
		push	0
		push	1
		push	[ebp+arg_0]
		mov	edi, ecx
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_99AF45
		mov	eax, [esi]
		test	eax, eax
		jns	short loc_99AF40
		sub	ax, [edx+10h]
		movzx	eax, ax
		jmp	short loc_99AF45
; 

loc_99AF40:				; CODE XREF: MiSnapUnresolvedImport(x,x,x)+26j
		add	eax, 2
		add	eax, edi

loc_99AF45:				; CODE XREF: MiSnapUnresolvedImport(x,x,x)+20j
					; MiSnapUnresolvedImport(x,x,x)+2Fj
		pop	edi
		pop	esi
		leave
		retn	4
_MiSnapUnresolvedImport@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmDeleteShadowMapping(x, x)
_MmDeleteShadowMapping@8 proc near	; CODE XREF: KeAllocateProcessorProfileStructures+8A668p
					; KiShadowProcessorAllocation+5970p ...

var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, ecx
		lea	edi, [ebp+var_1C]
		pop	ecx
		xor	eax, eax
		mov	esi, edx
		push	98h		; size_t
		push	eax		; int
		rep stosd
		lea	eax, [ebp+var_B8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, ebx
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		lea	ecx, [ebx-1]
		mov	edi, eax
		add	ecx, esi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	[ebp+var_BC], eax
		lea	ecx, [ebp+var_B8]
		mov	eax, large fs:124h
		xor	edx, edx
		mov	[ebp+var_C0], eax
		push	21h
		mov	eax, [eax+80h]
		mov	[ebp+var_C4], eax
		call	_MiInitializeTbFlushList@12 ; MiInitializeTbFlushList(x,x,x)
		push	edx
		shr	esi, 0Ch
		and	ebx, 0FFFFF000h
		push	esi
		mov	edx, ebx
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	ebx, ds:_PsInitialSystemProcess
		cmp	[ebp+var_C4], ebx
		jz	short loc_99AFF3
		lea	eax, [ebp+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	KiStackAttachProcess

loc_99AFF3:				; CODE XREF: MmDeleteShadowMapping(x,x)+99j
		mov	esi, [ebp+var_C0]
		dec	word ptr [esi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6D05C8
		call	ExAcquirePushLockExclusiveEx
		cmp	edi, [ebp+var_BC]
		ja	short loc_99B03F
		mov	esi, [ebp+var_BC]

loc_99B01B:				; CODE XREF: MmDeleteShadowMapping(x,x)+ECj
		push	ds:dword_40F9FC
		xor	edx, edx
		mov	ecx, edi
		push	ds:_ZeroPte
		push	1
		call	MiReadWriteAnyLevelShadowPte
		add	edi, 8
		cmp	edi, esi
		jbe	short loc_99B01B
		mov	esi, [ebp+var_C0]

loc_99B03F:				; CODE XREF: MmDeleteShadowMapping(x,x)+C8j
		lea	ecx, [ebp+var_B8]
		call	MiFlushTbList
		or	eax, 0FFFFFFFFh
		mov	edi, offset dword_6D05C8
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_99B063
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_99B063:				; CODE XREF: MmDeleteShadowMapping(x,x)+10Fj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	[ebp+var_C4], ebx
		jz	short loc_99B083
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_99B083:				; CODE XREF: MmDeleteShadowMapping(x,x)+12Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MmDeleteShadowMapping@8 endp


;  S U B	R O U T	I N E 


; __stdcall MmFreeIsrStack(x)
_MmFreeIsrStack@4 proc near		; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+4F0p
					; KeStartAllProcessors+257C1p ...
		mov	edi, edi
		push	esi
		lea	esi, [ecx-3000h]
		mov	edx, 3000h
		mov	ecx, esi
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)
		push	1
		lea	ecx, [esi-1000h]
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	edx, eax
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		pop	esi
		retn
_MmFreeIsrStack@4 endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmRelocatePfnList(x, x, x, x)
_MmRelocatePfnList@16 proc near		; CODE XREF: PfpPfnPrioRequest+15F895p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		xor	eax, eax
		and	[esp+34h+var_34], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+40h+var_20]
		and	[esp+40h+var_30], 0
		stosd
		mov	ebx, edx
		mov	edx, [ebp+arg_0]
		mov	esi, ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+40h+var_10]
		stosd
		stosd
		stosd
		stosd
		movzx	eax, ds:_KeNumberNodes
		cmp	edx, eax
		jb	short loc_99B109
		mov	eax, 0C00000F0h
		jmp	loc_99B26C
; 

loc_99B109:				; CODE XREF: MmRelocatePfnList(x,x,x,x)+3Bj
		mov	eax, [ebp+arg_4]
		cmp	eax, 1
		jb	short loc_99B11B
		mov	eax, 0C00000F1h
		jmp	loc_99B26C
; 

loc_99B11B:				; CODE XREF: MmRelocatePfnList(x,x,x,x)+4Dj
		mov	cl, byte_6D068D
		shl	eax, cl
		mov	cl, byte_6D068C
		shl	edx, cl
		mov	ecx, esi
		or	eax, edx
		mov	edx, 100h
		mov	[ebp+arg_4], eax
		lea	eax, [esp+40h+var_10]
		push	eax
		call	MiCreatePteCopyList
		mov	eax, large fs:124h
		mov	ecx, offset _MiSystemPartition
		shl	esi, 4
		mov	edx, eax
		add	esi, ebx
		mov	[esp+40h+var_24], eax
		mov	[esp+40h+var_28], esi
		call	_MiLockDynamicMemoryShared@8 ; MiLockDynamicMemoryShared(x,x)
		cmp	ebx, esi
		jnb	loc_99B253

loc_99B168:				; CODE XREF: MmRelocatePfnList(x,x,x,x)+18Bj
		mov	esi, [ebx+8]
		lea	edi, [esp+40h+var_20]
		xor	eax, eax
		mov	[esp+40h+var_2C], esi
		stosd
		mov	ecx, esi
		stosd
		stosd
		stosd
		mov	[esp+40h+var_18], esi
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jz	loc_99B231
		imul	esi, 1Ch
		lea	edx, [esp+40h+var_20]
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiIdentifyPfnWrapper@8	; MiIdentifyPfnWrapper(x,x)
		mov	edx, [esp+40h+var_14]
		cmp	edx, [ebx+0Ch]
		jnz	loc_99B235
		mov	ecx, [ebx]
		mov	eax, [ebx+4]
		xor	ecx, [esp+40h+var_20]
		xor	eax, [esp+40h+var_1C]
		and	ecx, 0FFFFFE00h
		and	eax, 1FFFFFFh
		or	ecx, eax
		jnz	short loc_99B235
		lea	eax, [esp+40h+var_34]
		mov	edi, offset _MiSystemPartition
		push	eax
		push	ecx
		push	1
		mov	edx, esi
		mov	ecx, edi
		call	_MiPfnsWorthTrying@20 ;	MiPfnsWorthTrying(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_99B231
		cmp	[esp+40h+var_34], 1
		jnz	short loc_99B1EF
		call	MiEmptyKernelStackCache

loc_99B1EF:				; CODE XREF: MmRelocatePfnList(x,x,x,x)+126j
		movzx	eax, byte ptr [esi+16h]
		lea	ecx, [esp+40h+var_30]
		mov	edx, [esp+40h+var_2C]
		push	ecx
		shr	eax, 6
		mov	ecx, edi
		push	eax
		push	0
		push	[ebp+arg_4]
		lea	eax, [esp+50h+var_10]
		push	400000h
		push	eax
		push	dword_6D07B0
		push	1
		call	MiClaimPhysicalRun
		test	eax, eax
		jnz	short loc_99B231
		mov	eax, [esp+40h+var_30]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_99B231
		mov	[esp+40h+var_18], eax
		jmp	short loc_99B23C
; 

loc_99B231:				; CODE XREF: MmRelocatePfnList(x,x,x,x)+C4j
					; MmRelocatePfnList(x,x,x,x)+11Fj ...
		mov	edx, [esp+40h+var_14]

loc_99B235:				; CODE XREF: MmRelocatePfnList(x,x,x,x)+E5j
					; MmRelocatePfnList(x,x,x,x)+105j
		or	edx, 2
		mov	[esp+40h+var_14], edx

loc_99B23C:				; CODE XREF: MmRelocatePfnList(x,x,x,x)+16Dj
		mov	edi, ebx
		lea	esi, [esp+40h+var_20]
		add	ebx, 10h
		movsd
		movsd
		movsd
		movsd
		cmp	ebx, [esp+40h+var_28]
		jb	loc_99B168

loc_99B253:				; CODE XREF: MmRelocatePfnList(x,x,x,x)+A0j
		mov	edx, [esp+40h+var_24]
		mov	ecx, offset _MiSystemPartition
		call	_MiUnlockDynamicMemoryShared@8 ; MiUnlockDynamicMemoryShared(x,x)
		lea	ecx, [esp+40h+var_10]
		call	_MiReleasePteCopyList@4	; MiReleasePteCopyList(x)
		xor	eax, eax

loc_99B26C:				; CODE XREF: MmRelocatePfnList(x,x,x,x)+42j
					; MmRelocatePfnList(x,x,x,x)+54j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_MmRelocatePfnList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiHandleEnclaveFault(x)
_MiHandleEnclaveFault@4	proc near	; CODE XREF: MmAccessFault+14B28Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		lea	eax, [ebp+var_4]
		push	eax
		push	2
		pop	edx
		call	MiObtainReferencedVadEx
		mov	ecx, eax
		mov	esi, 0C0000005h
		test	ecx, ecx
		jz	short loc_99B2B8
		mov	eax, [ecx+1Ch]
		and	eax, 3100000h
		cmp	eax, 2100000h
		jnz	short loc_99B2B3
		test	byte ptr [ecx+28h], 1
		jz	short loc_99B2B3
		test	byte ptr [ecx+2Ch], 1
		jz	short loc_99B2B3
		mov	esi, 0C00004A2h

loc_99B2B3:				; CODE XREF: MiHandleEnclaveFault(x)+2Bj
					; MiHandleEnclaveFault(x)+31j ...
		call	MiUnlockAndDereferenceVadShared

loc_99B2B8:				; CODE XREF: MiHandleEnclaveFault(x)+1Cj
		mov	eax, esi
		pop	esi
		leave
		retn
_MiHandleEnclaveFault@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmVirtualAccessFault(x, x, x)
_MmVirtualAccessFault@12 proc near	; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+1A3p

var_3C		= dword	ptr -3Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_C], edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_8], ecx
		call	_memset
		mov	ebx, [ebp+arg_0]
		add	esp, 0Ch
		mov	esi, ebx
		and	esi, 2
		test	bl, 4
		jz	short loc_99B2EE
		or	esi, 10h

loc_99B2EE:				; CODE XREF: MmVirtualAccessFault(x,x,x)+2Cj
		mov	edx, [ebp+var_8]
		lea	edi, [ebp+var_3C]
		push	5
		push	1
		lea	ecx, [ebp+var_3C]
		or	edi, 1
		call	_MiInitializeFaultVaListCore@16	; MiInitializeFaultVaListCore(x,x,x,x)
		mov	eax, [ebp+var_C]
		mov	ecx, esi
		and	[ebp+var_24], 0
		shr	ecx, 2
		mov	[ebp+var_28], eax
		and	ecx, 4
		mov	eax, esi
		and	eax, 2
		or	ecx, eax
		shr	ecx, 1
		mov	[ebp+var_20], ecx
		test	bl, 8
		jz	short loc_99B32C
		or	ecx, 4
		mov	[ebp+var_20], ecx

loc_99B32C:				; CODE XREF: MmVirtualAccessFault(x,x,x)+67j
		test	bl, 10h
		jz	short loc_99B337
		or	ecx, 8
		mov	[ebp+var_20], ecx

loc_99B337:				; CODE XREF: MmVirtualAccessFault(x,x,x)+72j
		test	bl, 20h
		jz	short loc_99B342
		or	ecx, 10h
		mov	[ebp+var_20], ecx

loc_99B342:				; CODE XREF: MmVirtualAccessFault(x,x,x)+7Dj
		test	bl, 40h
		jz	short loc_99B34D
		or	ecx, 20h
		mov	[ebp+var_20], ecx

loc_99B34D:				; CODE XREF: MmVirtualAccessFault(x,x,x)+88j
		push	edi
		push	1
		push	dword ptr [edx]
		push	esi
		call	MmAccessFault
		test	eax, eax
		js	short loc_99B35E
		xor	eax, eax

loc_99B35E:				; CODE XREF: MmVirtualAccessFault(x,x,x)+9Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MmVirtualAccessFault@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocateEnclaveVad(x, x, x, x, x)
_MiAllocateEnclaveVad@20 proc near	; CODE XREF: MiCreateEnclave(x,x,x,x,x,x,x,x,x)+29p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], eax
		mov	eax, [eax+80h]
		mov	[ebp+var_14], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], eax
		push	edi
		cmp	ecx, 10h
		jz	short loc_99B3A1
		cmp	ecx, 11h
		jz	short loc_99B3A1
		mov	ecx, esi
		mov	[ebp+var_10], esi
		jmp	short loc_99B3A7
; 

loc_99B3A1:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+2Ej
					; MiAllocateEnclaveVad(x,x,x,x,x)+33j
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_10], ecx

loc_99B3A7:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+3Aj
		lea	eax, [edx+1000h]
		cmp	eax, 1000h
		jbe	loc_99B5D4
		test	ecx, ecx
		jz	short loc_99B3C3
		mov	ebx, 200000h
		jmp	short loc_99B3DD
; 

loc_99B3C3:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+55j
		lea	eax, [edx-1]
		mov	ebx, edx
		test	eax, edx
		jz	short loc_99B3D2
		mov	ebx, eax
		not	ebx
		and	ebx, edx

loc_99B3D2:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+65j
		mov	eax, 10000h
		cmp	ebx, eax
		jnb	short loc_99B3DD
		mov	ebx, eax

loc_99B3DD:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+5Cj
					; MiAllocateEnclaveVad(x,x,x,x,x)+74j
		mov	eax, ds:_MmHighestUserAddress
		lea	ecx, [eax+1]
		cmp	ebx, ecx
		jnb	loc_99B5D4
		cmp	edx, ecx
		jnb	loc_99B5D4
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_99B423
		cmp	edi, eax
		ja	loc_99B5D4
		sub	eax, edi
		inc	eax
		cmp	eax, edx
		jb	loc_99B5D4
		lea	eax, [ebx-1]
		test	eax, edi
		jnz	loc_99B5D4
		cmp	[ebp+arg_4], esi
		jnz	loc_99B5D4

loc_99B423:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+95j
		push	esi
		push	40h
		push	4Ch
		mov	edx, 45646156h
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_99B443

loc_99B439:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+103j
		mov	eax, 0C000009Ah
		jmp	loc_99B5D9
; 

loc_99B443:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+D2j
		cmp	[ebp+var_10], 0
		jnz	short loc_99B4A8
		or	dword ptr [esi+28h], 1
		xor	edx, edx
		inc	edx
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	[esi+30h], eax
		test	eax, eax
		jnz	short loc_99B46A
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_99B439
; 

loc_99B46A:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+FAj
		cmp	[ebp+var_1C], 2
		jnz	short loc_99B498
		or	dword ptr [esi+2Ch], 1
		mov	edx, 6E45694Dh
		push	0
		push	40h
		mov	ecx, 1000h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[esi+34h], eax
		test	eax, eax
		jnz	short loc_99B498
		mov	ebx, 0C000009Ah
		jmp	loc_99B599
; 

loc_99B498:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+109j
					; MiAllocateEnclaveVad(x,x,x,x,x)+127j
		mov	eax, [esi+1Ch]
		and	eax, 0FFFFFFBFh
		or	eax, 30h
		mov	[esi+1Ch], eax
		and	dword ptr [esi+44h], 0

loc_99B4A8:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+E2j
		mov	eax, [esi+1Ch]
		mov	edx, [ebp+var_4]
		and	eax, 0FFFFF27Fh
		mov	ecx, [ebp+var_8]
		or	eax, 2100200h
		and	dword ptr [esi+18h], 0
		mov	[esi+1Ch], eax
		mov	dword ptr [esi+8], 0FFFFFFFEh
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+arg_4]
		call	MiGetUserReservationHighestAddress
		test	edi, edi
		jz	short loc_99B50A
		mov	ebx, [ebp+var_14]
		mov	edx, edi
		mov	ecx, [ebp+var_4]
		dec	ebx
		push	eax
		add	ebx, edi
		or	ebx, 0FFFh
		mov	eax, ebx
		sub	eax, edi
		push	0
		inc	eax
		push	eax
		call	MiIsVaRangeAvailable
		test	eax, eax
		jnz	short loc_99B533
		mov	ebx, 0C0000018h
		jmp	loc_99B599
; 

loc_99B50A:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+176j
		lea	ecx, [ebp+var_18]
		xor	edx, edx
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	0
		push	6
		push	ecx
		push	ebx
		mov	ebx, [ebp+var_14]
		xor	ecx, ecx
		push	ebx
		push	eax
		call	_MiSelectUserAddress@40	; MiSelectUserAddress(x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_99B596
		mov	edi, [ebp+var_18]
		dec	ebx
		add	ebx, edi

loc_99B533:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+199j
		mov	edx, [ebp+var_4]
		shr	ebx, 0Ch
		push	ecx
		shr	edi, 0Ch
		mov	ecx, esi
		mov	[ebp+arg_4], ebx
		mov	[esi+0Ch], edi
		mov	[esi+10h], ebx
		call	MiInsertVadCharges
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_99B599
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_MiLockVad@8	; MiLockVad(x,x)
		mov	ebx, [ebp+var_4]
		mov	ecx, esi
		mov	edx, ebx
		call	MiInsertPrivateVad
		cmp	[ebp+var_C], 0
		jz	short loc_99B57C
		push	[ebp+var_C]
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		call	MiAdvanceVadHint

loc_99B57C:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+208j
		mov	ecx, esi
		call	_MiReferenceVad@4 ; MiReferenceVad(x)
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		call	UNLOCK_ADDRESS_SPACE_UNORDERED
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		xor	eax, eax
		jmp	short loc_99B5D9
; 

loc_99B596:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+1C6j
		mov	ebx, [ebp+arg_4]

loc_99B599:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+12Ej
					; MiAllocateEnclaveVad(x,x,x,x,x)+1A0j	...
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		call	UNLOCK_ADDRESS_SPACE
		test	byte ptr [esi+28h], 1
		jz	short loc_99B5C8
		mov	eax, [esi+34h]
		test	eax, eax
		jz	short loc_99B5B9
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99B5B9:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+24Aj
		mov	edx, [esi+30h]
		mov	ecx, offset dword_6D35E0
		push	1
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_99B5C8:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+243j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, ebx
		jmp	short loc_99B5D9
; 

loc_99B5D4:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+4Dj
					; MiAllocateEnclaveVad(x,x,x,x,x)+82j ...
		mov	eax, 0C000000Dh

loc_99B5D9:				; CODE XREF: MiAllocateEnclaveVad(x,x,x,x,x)+D9j
					; MiAllocateEnclaveVad(x,x,x,x,x)+22Fj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiAllocateEnclaveVad@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCopyPagesIntoEnclave(x, x, x, x, x, x, x,	x, x)
_MiCopyPagesIntoEnclave@36 proc	near	; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+34Bp

var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_7C		= dword	ptr -7Ch
var_78		= word ptr -78h
var_76		= word ptr -76h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		push	0E0h
		push	offset dword_6A89D8
		call	__SEH_prolog4_GS
		mov	[ebp+var_B8], edx
		mov	[ebp+var_D0], ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_AC], eax
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_98], esi
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_BC], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_D8], eax
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_94]
		rep stosd
		lea	edi, [ebp+var_F0]
		stosd
		stosd
		stosd
		stosd
		push	60h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		lea	eax, [ebp+var_7C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_9C], ebx
		mov	edx, ebx
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jns	short loc_99B659
		push	8
		pop	edx

loc_99B659:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+74j
		test	ecx, 20000000h
		jz	short loc_99B664
		or	edx, 10h

loc_99B664:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+7Fj
		and	ecx, 5FFFFFFFh
		call	_MiMakeProtectionMask@4	; MiMakeProtectionMask(x)
		mov	ecx, eax
		mov	[ebp+var_B4], ecx
		test	cl, 7
		jz	loc_99BAF1
		cmp	ecx, 7
		ja	loc_99BAF1
		and	eax, 5
		cmp	al, 5
		jz	loc_99BAF1
		and	ecx, 2
		jz	short loc_99B6D0
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+490h], 100h
		jz	short loc_99B6CD
		mov	eax, large fs:124h
		test	dword ptr [eax+2FCh], 40000h
		jnz	short loc_99B6CD
		mov	eax, 0C0000604h
		jmp	loc_99BAF6
; 

loc_99B6CD:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+CFj
					; MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+E1j
		or	edx, 4

loc_99B6D0:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+B7j
		test	byte ptr [ebp+var_B4], 4
		jz	short loc_99B6DC
		or	edx, 2

loc_99B6DC:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+F7j
		or	edx, 1
		mov	[ebp+var_A4], edx
		mov	eax, [ebp+var_B8]
		test	byte ptr [eax+28h], 2
		jz	short loc_99B6FA
		or	edx, 40h
		mov	[ebp+var_A4], edx

loc_99B6FA:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+10Fj
		test	dl, 9
		jz	loc_99BAF1
		test	byte ptr [eax+2Ch], 1
		jz	short loc_99B714
		mov	eax, ecx
		or	eax, 4
		mov	[ebp+var_B4], eax

loc_99B714:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+127j
		mov	eax, [ebp+arg_C]
		mov	edx, eax
		mov	edi, 0FFFh
		and	edx, edi
		neg	edx
		sbb	edx, edx
		neg	edx
		shr	eax, 0Ch
		add	edx, eax
		mov	ecx, [ebp+var_AC]
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	[ebp+var_A0], eax
		lea	eax, [eax+edx*8]
		add	eax, 0FFFFFFF8h
		mov	[ebp+var_C0], eax
		cmp	edx, 21h
		jbe	short loc_99B750
		push	21h
		pop	edx

loc_99B750:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+16Bj
		lea	ecx, [edx+1]
		lea	eax, [ebp+var_F0]
		push	eax
		mov	edx, ecx
		call	MiCreatePteCopyList
		cmp	[ebp+var_EC], ebx
		jnz	short loc_99B773
		mov	eax, 0C000009Ah
		jmp	loc_99BAF6
; 

loc_99B773:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+187j
		test	esi, edi
		jz	short loc_99B7A2
		push	ebx
		push	100h
		mov	edx, 44456D4Dh
		mov	ecx, 10000h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_9C], edi
		test	edi, edi
		jnz	short loc_99B7A2
		mov	esi, 0C000009Ah
		jmp	loc_99B8A0
; 

loc_99B7A2:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+195j
					; MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+1B6j
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	[ebp+var_D4], eax
		mov	esi, ebx
		mov	eax, [ebp+var_BC]
		mov	[eax], ebx
		mov	eax, [ebp+var_B8]
		mov	eax, [eax+30h]
		shl	eax, 9
		mov	[ebp+var_DC], eax
		mov	edi, [ebp+var_A4]

loc_99B7CF:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+50Cj
		mov	ecx, [ebp+var_A0]
		mov	eax, [ebp+var_C0]
		cmp	ecx, eax
		ja	loc_99B89A
		push	10h
		pop	edx
		mov	[ebp+var_B0], edx
		sub	eax, ecx
		add	eax, 8
		sar	eax, 3
		cmp	eax, edx
		jnb	short loc_99B800
		mov	edx, eax
		mov	[ebp+var_B0], eax

loc_99B800:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+216j
		mov	al, [ebp+arg_0]
		cmp	al, 1
		jnz	short loc_99B83B
		mov	[ebp+ms_exc.disabled], ebx
		test	edx, 0FFFFFh
		jz	short loc_99B834
		mov	eax, edx
		shl	eax, 0Ch
		add	eax, [ebp+var_98]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_99B82F
		cmp	eax, [ebp+var_98]
		jnb	short loc_99B831

loc_99B82F:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+245j
		mov	[ecx], bl

loc_99B831:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+24Dj
		mov	al, [ebp+arg_0]

loc_99B834:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+230j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_99B83B:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+225j
		mov	ecx, [ebp+var_9C]
		test	ecx, ecx
		jz	loc_99B8E7
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, edx
		shl	eax, 0Ch
		push	eax		; size_t
		push	[ebp+var_98]	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_9C]
		jmp	loc_99B993
; 

loc_99B877:				; DATA XREF: .text:006A89ECo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_C4], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_99B888:				; DATA XREF: .text:006A89F0o
		mov	esi, [ebp+var_C4]

loc_99B88E:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+305j
					; MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+3A8j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx

loc_99B89A:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+1FDj
					; MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+38Cj
		mov	edi, [ebp+var_9C]

loc_99B8A0:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+1BDj
		test	byte ptr [ebp+var_76], 2
		jz	short loc_99B8AF
		lea	eax, [ebp+var_7C]
		push	eax
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_99B8AF:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+2C4j
		test	edi, edi
		jz	short loc_99B8BA
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99B8BA:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+2D1j
		lea	ecx, [ebp+var_F0]
		call	_MiReleasePteCopyList@4	; MiReleasePteCopyList(x)
		mov	eax, esi
		jmp	loc_99BAF6
; 

loc_99B8CC:				; DATA XREF: .text:006A89F8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_C8], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_99B8DF:				; DATA XREF: .text:006A89FCo
		mov	esi, [ebp+var_C8]
		jmp	short loc_99B88E
; 

loc_99B8E7:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+263j
		cmp	al, 1
		jnz	loc_99B98D
		shl	edx, 0Ch
		mov	[ebp+var_7C], ebx
		mov	ecx, [ebp+var_98]
		and	ecx, 0FFFh
		lea	eax, [ecx+0FFFh]
		add	eax, edx
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[ebp+var_78], ax
		xor	eax, eax
		mov	[ebp+var_76], ax
		mov	eax, [ebp+var_98]
		and	eax, 0FFFFF000h
		mov	[ebp+var_6C], eax
		mov	[ebp+var_64], ecx
		mov	[ebp+var_68], edx
		mov	[ebp+ms_exc.disabled], 2
		push	ebx
		push	ebx
		lea	eax, [ebp+var_7C]
		push	eax
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	0C0000000h
		push	ebx
		push	ebx
		push	1
		push	ebx
		lea	eax, [ebp+var_7C]
		push	eax
		call	MmMapLockedPagesSpecifyCache
		mov	[ebp+var_A8], eax
		test	eax, eax
		jnz	short loc_99B999
		mov	esi, 0C000009Ah
		jmp	loc_99B89A
; 

loc_99B971:				; DATA XREF: .text:006A8A04o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_CC], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_99B982:				; DATA XREF: .text:006A8A08o
		mov	esi, [ebp+var_CC]
		jmp	loc_99B88E
; 

loc_99B98D:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+309j
		mov	eax, [ebp+var_98]

loc_99B993:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+292j
		mov	[ebp+var_A8], eax

loc_99B999:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+385j
		mov	eax, [ebp+var_B0]
		shl	eax, 0Ch
		add	[ebp+var_98], eax
		lea	eax, [ebp+var_94]
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+var_D0]
		call	KiStackAttachProcess
		cmp	[ebp+var_B0], 0
		jbe	loc_99BAD0
		mov	eax, [ebp+var_AC]
		sub	[ebp+var_A8], eax

loc_99B9D5:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+4DCj
		mov	edx, [ebp+var_D4]
		mov	ecx, [ebp+var_B8]
		call	_MiGetPageForEnclave@8 ; MiGetPageForEnclave(x,x)
		mov	[ebp+var_A4], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_99BACB
		push	0FFFFFFFFh
		mov	edx, eax
		lea	ecx, [ebp+var_F0]
		call	MiGetPteFromCopyList
		mov	esi, eax
		push	[ebp+var_D8]
		push	edi
		mov	edx, [ebp+var_AC]
		push	edx
		mov	ecx, esi
		shl	ecx, 9
		push	ecx
		add	edx, [ebp+var_A8]
		mov	ecx, [ebp+var_DC]
		call	_KeAddEnclavePage@24 ; KeAddEnclavePage(x,x,x,x,x,x)
		mov	[ebp+var_E0], eax
		mov	ecx, ds:_ZeroPte
		mov	[esi], ecx
		nop
		mov	ecx, ds:dword_40F9FC
		mov	[esi+4], ecx
		mov	esi, eax
		mov	ecx, [ebp+var_A4]
		test	esi, esi
		js	short loc_99BAC4
		push	[ebp+var_B4]
		mov	edx, [ebp+var_A0]
		call	_MiInitializeEnclavePfn@12 ; MiInitializeEnclavePfn(x,x,x)
		mov	eax, [ebp+var_B4]
		or	eax, 80000000h
		push	eax
		mov	edx, [ebp+var_A4]
		mov	ecx, [ebp+var_A0]
		call	MiMakeValidPte
		push	edx
		push	eax
		push	1
		push	ebx
		mov	edx, [ebp+var_B8]
		mov	ecx, [ebp+var_A0]
		call	_MiWriteEnclavePte@24 ;	MiWriteEnclavePte(x,x,x,x,x,x)
		mov	edx, 1000h
		add	[ebp+var_AC], edx
		add	[ebp+var_A0], 8
		mov	eax, [ebp+var_B0]
		dec	eax
		mov	[ebp+var_B0], eax
		mov	ecx, [ebp+var_BC]
		add	[ecx], edx
		test	eax, eax
		jnz	loc_99B9D5
		jmp	short loc_99BAD0
; 

loc_99BAC4:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+46Dj
		call	_MiReturnEnclavePage@4 ; MiReturnEnclavePage(x)
		jmp	short loc_99BAD0
; 

loc_99BACB:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+40Fj
		mov	esi, 0C0000017h

loc_99BAD0:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+3E3j
					; MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+4E2j ...
		test	byte ptr [ebp+var_76], 2
		jz	short loc_99BADF
		lea	eax, [ebp+var_7C]
		push	eax
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_99BADF:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+4F4j
		xor	edx, edx
		lea	ecx, [ebp+var_94]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		jmp	loc_99B7CF
; 

loc_99BAF1:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+9Aj
					; MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+A3j ...
		mov	eax, 0C0000045h

loc_99BAF6:				; CODE XREF: MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+E8j
					; MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)+18Ej ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_MiCopyPagesIntoEnclave@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateEnclave(x, x, x, x,	x, x, x, x, x)
_MiCreateEnclave@36 proc near		; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+22Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_8], 0
		lea	eax, [esp+0Ch+var_8]
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[esp+18h+var_4], ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_C]
		push	eax
		push	[ebp+arg_0]
		push	dword ptr [ebx]
		call	_MiAllocateEnclaveVad@20 ; MiAllocateEnclaveVad(x,x,x,x,x)
		mov	esi, [esp+18h+var_8]
		mov	edi, eax
		test	edi, edi
		js	short loc_99BB5E
		push	[ebp+arg_18]
		mov	eax, [esi+0Ch]
		mov	edx, esi
		push	[ebp+arg_10]
		mov	ecx, [esp+20h+var_4]
		push	[ebp+arg_8]
		shl	eax, 0Ch
		mov	[ebx], eax
		call	_MiCreateHardwareEnclave@20 ; MiCreateHardwareEnclave(x,x,x,x,x)
		mov	edi, eax

loc_99BB5E:				; CODE XREF: MiCreateEnclave(x,x,x,x,x,x,x,x,x)+36j
		test	esi, esi
		jz	short loc_99BB78
		mov	ecx, esi
		test	edi, edi
		jns	short loc_99BB73
		push	0
		xor	edx, edx
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)
		jmp	short loc_99BB78
; 

loc_99BB73:				; CODE XREF: MiCreateEnclave(x,x,x,x,x,x,x,x,x)+5Ej
		call	MiUnlockAndDereferenceVad

loc_99BB78:				; CODE XREF: MiCreateEnclave(x,x,x,x,x,x,x,x,x)+58j
					; MiCreateEnclave(x,x,x,x,x,x,x,x,x)+69j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_MiCreateEnclave@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateHardwareEnclave(x, x, x, x,	x)
_MiCreateHardwareEnclave@20 proc near	; CODE XREF: MiCreateEnclave(x,x,x,x,x,x,x,x,x)+4Fp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, large fs:124h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_14], eax
		mov	eax, [eax+80h]
		mov	[ebp+var_C], eax
		mov	eax, [edi+0Ch]
		mov	ebx, [edi+10h]
		shl	eax, 0Ch
		shl	ebx, 0Ch
		mov	[ebp+var_10], eax
		or	ebx, 0FFFh
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	esi, eax
		mov	ecx, offset unk_6D35A0
		mov	[ebp+var_4], esi
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_99BBDD
		mov	eax, 0C000010Ah
		jmp	loc_99BD68
; 

loc_99BBDD:				; CODE XREF: MiCreateHardwareEnclave(x,x,x,x,x)+4Ej
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_99BC0D
		mov	eax, ecx
		mov	edx, esi
		and	eax, 0FFFh
		neg	eax
		sbb	eax, eax
		shr	ecx, 0Ch
		neg	eax
		add	eax, ecx
		mov	ecx, edi
		push	eax
		call	_MiReserveEnclavePages@12 ; MiReserveEnclavePages(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_99BD5C
		mov	esi, [ebp+var_4]

loc_99BC0D:				; CODE XREF: MiCreateHardwareEnclave(x,x,x,x,x)+5Fj
		xor	edx, edx
		mov	ecx, esi
		call	_MiGetEnclavePage@8 ; MiGetEnclavePage(x,x)
		mov	[ebp+arg_0], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_99BC28
		mov	esi, 0C0000017h
		jmp	loc_99BD5C
; 

loc_99BC28:				; CODE XREF: MiCreateHardwareEnclave(x,x,x,x,x)+99j
		mov	esi, [edi+30h]
		mov	ecx, eax
		push	4
		mov	edx, esi
		mov	[ebp+var_4], esi
		call	_MiInitializeEnclavePfn@12 ; MiInitializeEnclavePfn(x,x,x)
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	0A0000004h
		call	MiMakeValidPte
		and	[ebp+arg_0], 0
		mov	esi, eax
		mov	ecx, [ebp+var_4]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_99BC9F
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_99BC87
		xor	eax, eax
		inc	eax
		cmp	byte ptr word_6D07B8+1,	0
		mov	[ebp+arg_0], eax
		jnz	short loc_99BCA2

loc_99BC72:				; CODE XREF: MiCreateHardwareEnclave(x,x,x,x,x)+11Aj
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		mov	eax, [ebp+arg_0]
		jz	short loc_99BCA2
		or	edx, 80000000h
		jmp	short loc_99BCA2
; 

loc_99BC87:				; CODE XREF: MiCreateHardwareEnclave(x,x,x,x,x)+DEj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_99BC72

loc_99BC9F:				; CODE XREF: MiCreateHardwareEnclave(x,x,x,x,x)+D5j
		mov	eax, [ebp+arg_0]

loc_99BCA2:				; CODE XREF: MiCreateHardwareEnclave(x,x,x,x,x)+EDj
					; MiCreateHardwareEnclave(x,x,x,x,x)+FAj ...
		mov	[ecx+4], edx
		nop
		mov	[ecx], esi
		test	eax, eax
		jz	short loc_99BCB6
		push	edx
		push	esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	ecx, [ebp+var_4]

loc_99BCB6:				; CODE XREF: MiCreateHardwareEnclave(x,x,x,x,x)+127j
		push	[ebp+arg_8]
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_8]
		push	eax
		mov	eax, [edi+2Ch]
		sub	ebx, edx
		and	eax, 1
		shl	eax, 8
		inc	ebx
		push	eax
		push	ecx
		push	[ebp+arg_4]
		shl	ecx, 9
		push	ebx
		call	_KeCreateEnclave@32 ; KeCreateEnclave(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_99BD5C
		test	byte ptr [ebp+var_8], 2
		mov	ecx, [ebp+var_C]
		jz	short loc_99BCF9
		or	dword ptr [edi+28h], 4
		mov	eax, [ecx+24Ch]
		add	eax, 70h
		lock inc dword ptr [eax]

loc_99BCF9:				; CODE XREF: MiCreateHardwareEnclave(x,x,x,x,x)+164j
		mov	esi, [ebp+var_14]
		mov	[edi+40h], ecx
		dec	word ptr [esi+13Eh]
		nop
		mov	ebx, offset dword_6D359C
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6D3598
		mov	ecx, offset dword_6D3594
		add	edi, 44h
		cmp	[eax], ecx
		jz	short loc_99BD2B
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_99BD2B:				; CODE XREF: MiCreateHardwareEnclave(x,x,x,x,x)+1A1j
		mov	[edi+4], eax
		mov	[edi], ecx
		mov	[eax], edi
		or	eax, 0FFFFFFFFh
		mov	dword_6D3598, edi
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_99BD4C
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_99BD4C:				; CODE XREF: MiCreateHardwareEnclave(x,x,x,x,x)+1C0j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		xor	esi, esi

loc_99BD5C:				; CODE XREF: MiCreateHardwareEnclave(x,x,x,x,x)+81j
					; MiCreateHardwareEnclave(x,x,x,x,x)+A0j ...
		mov	ecx, offset unk_6D35A0
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	eax, esi

loc_99BD68:				; CODE XREF: MiCreateHardwareEnclave(x,x,x,x,x)+55j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiCreateHardwareEnclave@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiDbgReadWriteEnclave(size_t,int,int)
_MiDbgReadWriteEnclave@20 proc near	; CODE XREF: MmCopyVirtualMemory+10ED11p
					; MmCopyVirtualMemory+10EDA8p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		mov	eax, edx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		mov	ecx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		and	dword ptr [ecx], 0
		mov	ecx, ebx
		and	ecx, 3
		jz	short loc_99BDBF
		push	4
		pop	edi
		sub	edi, ecx
		cmp	esi, edi
		jnb	short loc_99BD9F
		mov	edi, esi

loc_99BD9F:				; CODE XREF: MiDbgReadWriteEnclave(x,x,x,x,x)+2Cj
		push	[ebp+arg_4]	; int
		mov	ecx, ebx
		push	edi		; size_t
		call	_MiDbgReadWriteEnclaveUnaligned@16 ; MiDbgReadWriteEnclaveUnaligned(x,x,x,x)
		test	eax, eax
		js	short loc_99BE18
		mov	eax, [ebp+arg_8]
		add	ebx, edi
		mov	[eax], edi
		mov	eax, [ebp+var_8]
		add	eax, edi
		sub	esi, edi
		mov	[ebp+var_8], eax

loc_99BDBF:				; CODE XREF: MiDbgReadWriteEnclave(x,x,x,x,x)+23j
		mov	edi, esi
		and	edi, 3
		sub	esi, edi
		jz	short loc_99BDFC
		cmp	[ebp+arg_4], 0
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	edx, eax
		mov	ecx, ebx
		push	esi
		jnz	short loc_99BDDE
		call	_KeDebugWriteEnclaveMemory@16 ;	KeDebugWriteEnclaveMemory(x,x,x,x)
		jmp	short loc_99BDE3
; 

loc_99BDDE:				; CODE XREF: MiDbgReadWriteEnclave(x,x,x,x,x)+66j
		call	_KeDebugReadEnclaveMemory@16 ; KeDebugReadEnclaveMemory(x,x,x,x)

loc_99BDE3:				; CODE XREF: MiDbgReadWriteEnclave(x,x,x,x,x)+6Dj
		mov	ecx, [ebp+arg_8]
		mov	edx, eax
		mov	eax, [ebp+var_4]
		add	[ecx], eax
		test	edx, edx
		jns	short loc_99BDF5
		mov	eax, edx
		jmp	short loc_99BE18
; 

loc_99BDF5:				; CODE XREF: MiDbgReadWriteEnclave(x,x,x,x,x)+80j
		mov	eax, [ebp+var_8]
		add	ebx, esi
		add	eax, esi

loc_99BDFC:				; CODE XREF: MiDbgReadWriteEnclave(x,x,x,x,x)+57j
		test	edi, edi
		jz	short loc_99BE16
		push	[ebp+arg_4]	; int
		mov	edx, eax
		mov	ecx, ebx
		push	edi		; size_t
		call	_MiDbgReadWriteEnclaveUnaligned@16 ; MiDbgReadWriteEnclaveUnaligned(x,x,x,x)
		test	eax, eax
		js	short loc_99BE18
		mov	eax, [ebp+arg_8]
		add	[eax], edi

loc_99BE16:				; CODE XREF: MiDbgReadWriteEnclave(x,x,x,x,x)+8Fj
		xor	eax, eax

loc_99BE18:				; CODE XREF: MiDbgReadWriteEnclave(x,x,x,x,x)+3Dj
					; MiDbgReadWriteEnclave(x,x,x,x,x)+84j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiDbgReadWriteEnclave@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiDbgReadWriteEnclaveUnaligned(size_t,int)
_MiDbgReadWriteEnclaveUnaligned@16 proc	near
					; CODE XREF: MiDbgReadWriteEnclave(x,x,x,x,x)+36p
					; MiDbgReadWriteEnclave(x,x,x,x,x)+99p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edx
		mov	ebx, edi
		lea	edx, [ebp+var_4]
		and	ebx, 3
		push	eax
		sub	edi, ebx
		push	4
		mov	ecx, edi
		call	_KeDebugReadEnclaveMemory@16 ; KeDebugReadEnclaveMemory(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_99BE90
		push	[ebp+arg_0]	; size_t
		lea	eax, [ebp+var_4]
		add	eax, ebx
		cmp	[ebp+arg_4], 0
		jnz	short loc_99BE82
		push	[ebp+var_C]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_8]
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		push	eax
		push	4
		call	_KeDebugWriteEnclaveMemory@16 ;	KeDebugWriteEnclaveMemory(x,x,x,x)
		mov	esi, eax
		jmp	short loc_99BE8E ; size_t
; 

loc_99BE82:				; CODE XREF: MiDbgReadWriteEnclaveUnaligned(x,x,x,x)+41j
		push	eax		; void *
		push	[ebp+var_C]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_99BE8E:				; CODE XREF: MiDbgReadWriteEnclaveUnaligned(x,x,x,x)+61j
		mov	eax, esi

loc_99BE90:				; CODE XREF: MiDbgReadWriteEnclaveUnaligned(x,x,x,x)+33j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiDbgReadWriteEnclaveUnaligned@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDecommitEnclavePages(x, x, x, x, x)
_MiDecommitEnclavePages@20 proc	near	; CODE XREF: MmFreeVirtualMemory(x,x,x,x,x,x)+4BFp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_99BEE2
		test	byte ptr [edi+2Ch], 1
		jz	short loc_99BEE2
		mov	ecx, [ebp+arg_0]
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, esi
		mov	edx, eax
		and	ecx, 0FFFh
		neg	ecx
		push	0
		sbb	ecx, ecx
		shr	esi, 0Ch
		neg	ecx
		dec	esi
		add	ecx, esi
		lea	eax, [edx+ecx*8]
		mov	ecx, ebx
		push	eax
		push	edx
		mov	edx, edi
		call	_MiDecommitHardwareEnclavePages@20 ; MiDecommitHardwareEnclavePages(x,x,x,x,x)
		xor	eax, eax
		jmp	short loc_99BEE7
; 

loc_99BEE2:				; CODE XREF: MiDecommitEnclavePages(x,x,x,x,x)+11j
					; MiDecommitEnclavePages(x,x,x,x,x)+17j
		mov	eax, 0C00000A0h

loc_99BEE7:				; CODE XREF: MiDecommitEnclavePages(x,x,x,x,x)+49j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_MiDecommitEnclavePages@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeEnclave(x, x, x, x, x)
_MiInitializeEnclave@20	proc near	; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+473p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	edi
		mov	ecx, edx
		xor	edx, edx
		push	eax
		call	MiObtainReferencedVadEx
		mov	edi, eax
		test	edi, edi
		jnz	short loc_99BF11
		mov	eax, [ebp+var_4]
		jmp	short loc_99BF8B
; 

loc_99BF11:				; CODE XREF: MiInitializeEnclave(x,x,x,x,x)+1Cj
		mov	eax, [edi+1Ch]
		and	eax, 3100000h
		push	esi
		cmp	eax, 2100000h
		jz	short loc_99BF28
		mov	esi, 0C0000018h
		jmp	short loc_99BF81
; 

loc_99BF28:				; CODE XREF: MiInitializeEnclave(x,x,x,x,x)+31j
		mov	eax, [edi+28h]
		test	al, 2
		jz	short loc_99BF36
		mov	esi, 0C0000510h
		jmp	short loc_99BF81
; 

loc_99BF36:				; CODE XREF: MiInitializeEnclave(x,x,x,x,x)+3Fj
		test	al, 1
		jnz	short loc_99BF41
		mov	esi, 0C00000BBh
		jmp	short loc_99BF81
; 

loc_99BF41:				; CODE XREF: MiInitializeEnclave(x,x,x,x,x)+4Aj
		cmp	[ebp+arg_4], 1000h
		jz	short loc_99BF51
		mov	esi, 0C0000004h
		jmp	short loc_99BF81
; 

loc_99BF51:				; CODE XREF: MiInitializeEnclave(x,x,x,x,x)+5Aj
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		push	ecx
		lea	eax, [edx+800h]
		push	eax
		push	ecx
		mov	ecx, [edi+30h]
		shl	ecx, 9
		call	_KeInitializeEnclave@24	; KeInitializeEnclave(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_99BF81
		or	edx, 0FFFFFFFFh
		mov	ecx, edi
		call	_MiReturnReservedEnclavePages@8	; MiReturnReservedEnclavePages(x,x)
		or	dword ptr [edi+28h], 2
		xor	esi, esi

loc_99BF81:				; CODE XREF: MiInitializeEnclave(x,x,x,x,x)+38j
					; MiInitializeEnclave(x,x,x,x,x)+46j ...
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		mov	eax, esi
		pop	esi

loc_99BF8B:				; CODE XREF: MiInitializeEnclave(x,x,x,x,x)+21j
		pop	edi
		leave
		retn	0Ch
_MiInitializeEnclave@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateEnclave(x, x, x, x,	x, x, x, x, x)
_NtCreateEnclave@36 proc near		; DATA XREF: .text:00581174o

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		push	5Ch
		push	offset dword_6A8988
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_5C], eax
		mov	edx, [ebp+arg_20]
		mov	[ebp+var_6C], edx
		and	[ebp+var_48], 0
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		and	[ebp+var_4C], eax
		xor	edi, edi
		mov	[ebp+var_40], edi
		and	[ebp+var_54], eax
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_39], al
		mov	byte ptr [ebp+var_64], al
		test	edx, edx
		jz	short loc_99C027
		cmp	al, 1
		jnz	short loc_99C027
		and	[ebp+ms_exc.disabled], edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_99BFFB
		mov	edx, eax

loc_99BFFB:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+67j
		mov	eax, [edx]
		mov	[edx], eax
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_99C02A
; 

loc_99C007:				; DATA XREF: .text:006A899Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_58], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_99C015:				; DATA XREF: .text:006A89A0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_58]
		jmp	loc_99C260
; 

loc_99C027:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+57j
					; NtCreateEnclave(x,x,x,x,x,x,x,x,x)+5Bj
		push	0FFFFFFFEh
		pop	esi

loc_99C02A:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+75j
		mov	eax, [ebp+arg_14]
		sub	eax, 1
		jz	short loc_99C04C
		sub	eax, 1
		jnz	short loc_99C040
		test	byte ptr ds:7FFE036Ch, 4
		jnz	short loc_99C04C

loc_99C040:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+A5j
					; NtCreateEnclave(x,x,x,x,x,x,x,x,x)+C3j
		mov	[ebp+var_38], 0C00000BBh
		jmp	loc_99C203
; 

loc_99C04C:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+A0j
					; NtCreateEnclave(x,x,x,x,x,x,x,x,x)+AEj
		cmp	dword_6D3580, 0
		jz	short loc_99C040
		lea	ecx, [ebp+arg_8]
		call	_MiValidateZeroBits@4 ;	MiValidateZeroBits(x)
		test	eax, eax
		jns	short loc_99C06D
		mov	[ebp+var_38], 0C00000F1h
		jmp	loc_99C203
; 

loc_99C06D:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+CFj
		cmp	[ebp+arg_C], 0
		jnz	short loc_99C07F
		mov	[ebp+var_38], 0C00000F2h
		jmp	loc_99C203
; 

loc_99C07F:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+E1j
		mov	eax, [ebp+arg_10]
		cmp	eax, [ebp+arg_C]
		jbe	short loc_99C093
		mov	[ebp+var_38], 0C00000F3h
		jmp	loc_99C203
; 

loc_99C093:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+F5j
		mov	[ebp+ms_exc.disabled], 1
		mov	edx, [ebp+var_44]
		cmp	[ebp+var_39], 1
		jnz	short loc_99C0B4
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_99C0B0
		mov	ecx, eax

loc_99C0B0:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+11Cj
		mov	eax, [ecx]
		mov	[ecx], eax

loc_99C0B4:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+111j
		mov	eax, [edx]
		mov	[ebp+var_4C], eax
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [ebp+var_5C]
		test	eax, eax
		jz	short loc_99C139
		mov	ecx, 1000h
		cmp	eax, ecx
		jz	short loc_99C0D8
		mov	[ebp+var_38], 0C0000004h
		jmp	loc_99C203
; 

loc_99C0D8:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+13Aj
		push	0
		push	100h
		mov	edx, 44456D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_40], edi
		test	edi, edi
		jnz	short loc_99C0FE
		mov	[ebp+var_38], 0C000009Ah
		jmp	loc_99C203
; 

loc_99C0FE:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+160j
		mov	[ebp+ms_exc.disabled], 2
		mov	edx, [ebp+var_38]
		cmp	[ebp+var_39], 1
		jnz	short loc_99C127
		mov	ecx, edx
		test	dl, 3
		jnz	loc_99C272
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_99C124
		mov	ecx, eax

loc_99C124:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+190j
		nop
		mov	al, [ecx]

loc_99C127:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+17Cj
		push	1000h		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], esi

loc_99C139:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+131j
		mov	eax, [ebp+var_50]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_99C16A
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+var_40], eax
		jmp	short loc_99C1A3
; 

loc_99C152:				; DATA XREF: .text:006A89B4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_60], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_99C162:				; DATA XREF: .text:006A89B8o
		mov	eax, [ebp+var_60]
		jmp	loc_99C1F4
; 

loc_99C16A:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+1AFj
		push	0
		lea	ecx, [ebp+var_48]
		push	ecx
		push	6D566D4Dh
		push	[ebp+var_64]
		push	ds:_PsProcessType
		push	8
		push	eax
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		js	short loc_99C203
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	eax, [ebp+var_48]
		mov	[ebp+var_40], eax
		mov	ecx, eax
		call	KiStackAttachProcess
		mov	eax, [ebp+var_48]

loc_99C1A3:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+1C0j
		lea	ecx, [ebp+var_54]
		push	ecx
		push	ecx
		push	edi
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		lea	edx, [ebp+var_4C]
		mov	ecx, eax
		call	_MiCreateEnclave@36 ; MiCreateEnclave(x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_38], eax
		cmp	[ebp+var_50], 0FFFFFFFFh
		jz	short loc_99C203
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_40]
		call	ObfDereferenceObjectWithTag
		jmp	short loc_99C203
; 

loc_99C1E1:				; DATA XREF: .text:006A89A8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_68], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_99C1F1:				; DATA XREF: .text:006A89ACo
		mov	eax, [ebp+var_68]

loc_99C1F4:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+1D5j
		mov	esp, [ebp+ms_exc.old_esp]
		push	0FFFFFFFEh
		mov	[ebp+var_38], eax
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		mov	edi, [ebp+var_40]

loc_99C203:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+B7j
					; NtCreateEnclave(x,x,x,x,x,x,x,x,x)+D8j ...
		test	edi, edi
		jz	short loc_99C20F
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99C20F:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+275j
		cmp	[ebp+var_38], 0
		jl	short loc_99C235
		mov	[ebp+ms_exc.disabled], 3
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_44]
		mov	[ecx], eax
		jmp	short loc_99C232
; 

loc_99C226:				; DATA XREF: .text:006A89C0o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_99C22C:				; DATA XREF: .text:006A89C4o
		mov	esp, [ebp+ms_exc.old_esp]
		push	0FFFFFFFEh
		pop	esi

loc_99C232:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+294j
		mov	[ebp+ms_exc.disabled], esi

loc_99C235:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+283j
		mov	edx, [ebp+var_6C]
		test	edx, edx
		jz	short loc_99C25D
		mov	[ebp+ms_exc.disabled], 4
		mov	eax, [ebp+var_54]
		mov	[edx], eax
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_99C25D
; 

loc_99C24D:				; DATA XREF: .text:006A89CCo
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_99C253:				; DATA XREF: .text:006A89D0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_99C25D:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+2AAj
					; NtCreateEnclave(x,x,x,x,x,x,x,x,x)+2BBj
		mov	eax, [ebp+var_38]

loc_99C260:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+92j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_99C272:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+183j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger

; __stdcall NtInitializeEnclave(x, x, x, x, x)
_NtInitializeEnclave@20:		; DATA XREF: .text:00580FE0o
		push	58h
		push	offset dword_6A8900
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_40], eax
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_38], eax
		mov	edx, [ebp+arg_C]
		mov	[ebp+var_4C], edx
		mov	ebx, [ebp+arg_10]
		mov	[ebp+var_60], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		xor	edi, edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_48], edi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_39], al
		mov	byte ptr [ebp+var_64], al
		test	ebx, ebx
		jz	short loc_99C310
		cmp	al, 1
		jnz	short loc_99C310
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_99C2E4
		mov	ecx, eax

loc_99C2E4:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+350j
		mov	eax, [ecx]
		mov	[ecx], eax
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_99C313
; 

loc_99C2F0:				; DATA XREF: .text:006A8914o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_54], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_99C2FE:				; DATA XREF: .text:006A8918o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_54]
		jmp	loc_99C468
; 

loc_99C310:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+33Ej
					; NtCreateEnclave(x,x,x,x,x,x,x,x,x)+342j
		push	0FFFFFFFEh
		pop	esi

loc_99C313:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+35Ej
		test	edx, edx
		jz	short loc_99C384
		cmp	edx, 1000h
		jbe	short loc_99C32B
		mov	[ebp+var_38], 0C0000004h
		jmp	loc_99C40B
; 

loc_99C32B:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+38Dj
		push	edi
		push	100h
		mov	edx, 44456D4Dh
		mov	ecx, [ebp+var_4C]
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_48], eax
		test	eax, eax
		jnz	short loc_99C351
		mov	[ebp+var_38], 0C000009Ah
		jmp	loc_99C40B
; 

loc_99C351:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+3B3j
		mov	[ebp+ms_exc.disabled], 1
		mov	edx, [ebp+var_38]
		cmp	[ebp+var_39], 1
		jnz	short loc_99C372
		mov	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		jb	short loc_99C36F
		mov	eax, ecx

loc_99C36F:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+3DBj
		nop
		mov	al, [eax]

loc_99C372:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+3CFj
		push	[ebp+var_4C]	; size_t
		push	edx		; void *
		push	[ebp+var_48]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], esi

loc_99C384:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+385j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [ebp+var_40]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_99C3C6
		mov	[ebp+var_44], eax
		jmp	short loc_99C3F6
; 

loc_99C39D:				; DATA XREF: .text:006A8920o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_58], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_99C3AD:				; DATA XREF: .text:006A8924o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_58]
		mov	[ebp+var_38], eax
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		xor	edi, edi
		mov	eax, [ebp+var_5C]
		mov	ebx, [ebp+var_60]
		jmp	short loc_99C40E
; 

loc_99C3C6:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+406j
		push	edi
		lea	eax, [ebp+var_44]
		push	eax
		push	6D566D4Dh
		push	[ebp+var_64]
		push	ds:_PsProcessType
		push	8
		push	ecx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		js	short loc_99C40B
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+var_44]
		call	KiStackAttachProcess

loc_99C3F6:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+40Bj
		lea	eax, [ebp+var_50]
		push	eax
		push	[ebp+var_4C]
		push	[ebp+var_48]
		mov	edx, [ebp+var_68]
		call	_MiInitializeEnclave@20	; MiInitializeEnclave(x,x,x,x,x)
		mov	[ebp+var_38], eax

loc_99C40B:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+396j
					; NtCreateEnclave(x,x,x,x,x,x,x,x,x)+3BCj ...
		mov	eax, [ebp+var_40]

loc_99C40E:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+434j
		cmp	[ebp+var_44], 0
		jz	short loc_99C430
		cmp	eax, 0FFFFFFFFh
		jz	short loc_99C430
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	edx, 6D566D4Dh
		mov	ecx, [ebp+var_44]
		call	ObfDereferenceObjectWithTag

loc_99C430:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+482j
					; NtCreateEnclave(x,x,x,x,x,x,x,x,x)+487j
		test	ebx, ebx
		jz	short loc_99C457
		mov	[ebp+ms_exc.disabled], 2
		mov	eax, [ebp+var_50]
		mov	[ebx], eax
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_99C457
; 

loc_99C445:				; DATA XREF: .text:006A892Co
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_99C44B:				; DATA XREF: .text:006A8930o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	edi, edi

loc_99C457:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+4A2j
					; NtCreateEnclave(x,x,x,x,x,x,x,x,x)+4B3j
		mov	eax, [ebp+var_48]
		test	eax, eax
		jz	short loc_99C465
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99C465:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+4CCj
		mov	eax, [ebp+var_38]

loc_99C468:				; CODE XREF: NtCreateEnclave(x,x,x,x,x,x,x,x,x)+37Bj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_NtCreateEnclave@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtLoadEnclaveData(x, x, x, x, x, x,	x, x, x)
_NtLoadEnclaveData@36 proc near		; DATA XREF: .text:00580FBCo

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		push	74h
		push	offset dword_6A8938
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_80], eax
		mov	ecx, [ebp+arg_14]
		mov	[ebp+var_3C], ecx
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_44], eax
		mov	esi, [ebp+arg_1C]
		mov	[ebp+var_60], esi
		mov	edx, [ebp+arg_20]
		mov	[ebp+var_84], edx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		xor	ebx, ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_48], eax
		mov	[ebp+var_4C], ebx
		mov	edi, ebx
		mov	eax, large fs:124h
		mov	cl, [eax+15Ah]
		mov	[ebp+var_3D], cl
		mov	byte ptr [ebp+var_5C], cl
		cmp	cl, 1
		jnz	short loc_99C53D
		mov	[ebp+ms_exc.disabled], ebx
		test	edx, edx
		jz	short loc_99C4FD
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_99C4F9
		mov	edx, eax

loc_99C4F9:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+7Bj
		mov	eax, [edx]
		mov	[edx], eax

loc_99C4FD:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+72j
		test	esi, esi
		jz	short loc_99C515
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_99C50E
		mov	ecx, eax

loc_99C50E:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+90j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	cl, [ebp+var_3D]

loc_99C515:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+85j
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_99C540
; 

loc_99C51D:				; DATA XREF: .text:006A894Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_74], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_99C52B:				; DATA XREF: .text:006A8950o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_74]
		jmp	loc_99C81B
; 

loc_99C53D:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+6Bj
		push	0FFFFFFFEh
		pop	esi

loc_99C540:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+A1j
		mov	eax, [ebp+var_44]
		test	eax, eax
		jz	loc_99C664
		cmp	eax, 0FFFFh
		jbe	short loc_99C5BE
		mov	[ebp+var_38], 0C0000004h

loc_99C559:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+196j
					; NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+1FAj ...
		mov	ecx, ebx

loc_99C55B:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+24Fj
					; NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+2F8j ...
		test	ecx, ecx
		jz	short loc_99C564
		call	MiUnlockAndDereferenceVad

loc_99C564:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+E3j
		cmp	[ebp+var_48], 0
		jz	short loc_99C574
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_99C574:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+EEj
		mov	ecx, [ebp+var_4C]
		test	ecx, ecx
		jz	short loc_99C58B
		cmp	[ebp+var_50], 0FFFFFFFFh
		jz	short loc_99C58B
		mov	edx, 6D566D4Dh
		call	ObfDereferenceObjectWithTag

loc_99C58B:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+FFj
					; NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+105j
		test	edi, edi
		jz	short loc_99C5A2
		test	byte ptr [edi+6], 2
		jz	short loc_99C59B
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_99C59B:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+119j
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99C5A2:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+113j
		mov	ecx, [ebp+var_60]
		test	ecx, ecx
		jz	loc_99C7ED
		mov	[ebp+ms_exc.disabled], 3
		mov	eax, [ebp+var_6C]
		mov	[ecx], eax
		jmp	loc_99C7EA
; 

loc_99C5BE:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+D6j
		mov	[ebp+ms_exc.disabled], 1
		mov	edx, [ebp+var_3C]
		cmp	cl, 1
		jnz	short loc_99C5E2
		add	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_99C5DD
		cmp	eax, edx
		jnb	short loc_99C5DF

loc_99C5DD:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+15Dj
		mov	[ecx], bl

loc_99C5DF:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+161j
		mov	eax, [ebp+var_44]

loc_99C5E2:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+151j
		mov	[ebp+ms_exc.disabled], esi
		cmp	eax, 20h
		jbe	short loc_99C664
		push	eax
		push	edx
		call	_MmSizeOfMdl@8	; MmSizeOfMdl(x,x)
		push	ebx
		push	40h
		mov	edx, 6C646D4Dh
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_54], edi
		test	edi, edi
		jnz	short loc_99C615
		mov	[ebp+var_38], 0C000009Ah
		jmp	loc_99C559
; 

loc_99C615:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+18Dj
		mov	[edi], ebx
		mov	ecx, [ebp+var_3C]
		and	ecx, 0FFFh
		mov	edx, [ebp+var_44]
		lea	eax, [edx+0FFFh]
		add	eax, ecx
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[edi+4], ax
		xor	eax, eax
		mov	[edi+6], ax
		mov	eax, [ebp+var_3C]
		and	eax, 0FFFFF000h
		mov	[edi+10h], eax
		mov	[edi+18h], ecx
		mov	[edi+14h], edx
		mov	[ebp+ms_exc.disabled], 2
		push	ebx
		push	[ebp+var_5C]
		push	edi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], esi

loc_99C664:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+CBj
					; NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+16Ej
		test	[ebp+var_58], 0FFFh
		jz	short loc_99C6CE
		mov	[ebp+var_38], 0C00000F0h
		jmp	loc_99C559
; 

loc_99C679:				; DATA XREF: .text:006A8964o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_78], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_99C687:				; DATA XREF: .text:006A8968o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_78]
		mov	[ebp+var_38], eax
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		xor	ebx, ebx
		mov	eax, ebx
		mov	edi, [ebp+var_54]
		jmp	short loc_99C6C4
; 

loc_99C69F:				; DATA XREF: .text:006A8958o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_7C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_99C6AF:				; DATA XREF: .text:006A895Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_7C]
		mov	[ebp+var_38], eax
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		xor	ebx, ebx
		mov	eax, ebx
		mov	edi, eax

loc_99C6C4:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+223j
		mov	[ebp+var_48], eax
		mov	ecx, eax
		jmp	loc_99C55B
; 

loc_99C6CE:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+1F1j
		test	[ebp+arg_C], 0FFFh
		jz	short loc_99C6E3
		mov	[ebp+var_38], 0C00000F2h
		jmp	loc_99C559
; 

loc_99C6E3:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+25Bj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [ebp+var_50]
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_99C6FC
		mov	[ebp+var_4C], eax
		jmp	short loc_99C722
; 

loc_99C6FC:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+27Bj
		push	ebx
		lea	eax, [ebp+var_4C]
		push	eax
		push	6D566D4Dh
		push	[ebp+var_5C]
		push	ds:_PsProcessType
		push	8
		push	ecx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		js	loc_99C559

loc_99C722:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+280j
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+var_4C]
		call	KiStackAttachProcess
		mov	[ebp+var_48], 1
		lea	eax, [ebp+var_38]
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+var_58]
		call	MiObtainReferencedVadEx
		mov	ecx, eax
		mov	[ebp+var_3C], ecx
		test	ecx, ecx
		jz	loc_99C7D5
		mov	ecx, [ecx+1Ch]
		and	ecx, 3100000h
		cmp	ecx, 2100000h
		jnz	short loc_99C7D5
		mov	ecx, eax
		test	byte ptr [ecx+28h], 1
		jnz	short loc_99C777
		mov	[ebp+var_38], 0C00000BBh
		jmp	loc_99C55B
; 

loc_99C777:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+2EFj
		cmp	[ebp+var_44], 0
		jz	short loc_99C789
		mov	[ebp+var_38], 0C0000004h
		jmp	loc_99C55B
; 

loc_99C789:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+301j
		cmp	[ebp+arg_C], 0
		jnz	short loc_99C79B
		mov	[ebp+var_38], 0C00000F2h
		jmp	loc_99C55B
; 

loc_99C79B:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+313j
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	[ebp+var_48], ebx
		lea	eax, [ebp+var_70]
		push	eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+var_80]
		push	[ebp+var_58]
		push	[ebp+var_5C]
		mov	edx, [ebp+var_3C]
		mov	ecx, [ebp+var_4C]
		call	_MiCopyPagesIntoEnclave@36 ; MiCopyPagesIntoEnclave(x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_38], eax

loc_99C7CD:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+362j
		mov	ecx, [ebp+var_3C]
		jmp	loc_99C55B
; 

loc_99C7D5:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+2D2j
					; NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+2E7j
		mov	[ebp+var_38], 0C0000018h
		jmp	short loc_99C7CD
; 

loc_99C7DE:				; DATA XREF: .text:006A8970o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_99C7E4:				; DATA XREF: .text:006A8974o
		mov	esp, [ebp+ms_exc.old_esp]
		push	0FFFFFFFEh
		pop	esi

loc_99C7EA:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+13Fj
		mov	[ebp+ms_exc.disabled], esi

loc_99C7ED:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+12Dj
		mov	edx, [ebp+var_84]
		test	edx, edx
		jz	short loc_99C818
		mov	[ebp+ms_exc.disabled], 4
		mov	eax, [ebp+var_70]
		mov	[edx], eax
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_99C818
; 

loc_99C808:				; DATA XREF: .text:006A897Co
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_99C80E:				; DATA XREF: .text:006A8980o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_99C818:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+37Bj
					; NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+38Cj
		mov	eax, [ebp+var_38]

loc_99C81B:				; CODE XREF: NtLoadEnclaveData(x,x,x,x,x,x,x,x,x)+BEj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
_NtLoadEnclaveData@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtTerminateEnclave(x, x)
_NtTerminateEnclave@8 proc near		; DATA XREF: .text:00580C1Co

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		xor	esi, esi
		test	[ebp+arg_4], 0FFFFFFFAh
		mov	[ebp+var_4], esi
		jz	short loc_99C849
		mov	eax, 0C00000F0h
		jmp	short loc_99C8B4
; 

loc_99C849:				; CODE XREF: NtTerminateEnclave(x,x)+13j
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	edi
		push	eax
		xor	edx, edx
		call	MiObtainReferencedVadEx
		mov	edi, eax
		test	edi, edi
		jnz	short loc_99C863
		mov	eax, [ebp+var_4]
		jmp	short loc_99C8B3
; 

loc_99C863:				; CODE XREF: NtTerminateEnclave(x,x)+2Fj
		mov	eax, [edi+1Ch]
		and	eax, 3100000h
		cmp	eax, 2100000h
		jz	short loc_99C879

loc_99C872:				; CODE XREF: NtTerminateEnclave(x,x)+55j
		mov	esi, 0C0000018h
		jmp	short loc_99C8AA
; 

loc_99C879:				; CODE XREF: NtTerminateEnclave(x,x)+43j
		mov	eax, [edi+0Ch]
		shl	eax, 0Ch
		cmp	eax, [ebp+arg_0]
		jnz	short loc_99C872
		mov	eax, [edi+28h]
		test	al, 1
		jz	short loc_99C8A5
		test	al, 8
		jnz	short loc_99C8AA
		mov	ecx, large fs:124h
		mov	edx, edi
		mov	ecx, [ecx+80h]
		call	_MiTerminateHardwareEnclave@8 ;	MiTerminateHardwareEnclave(x,x)
		jmp	short loc_99C8AA
; 

loc_99C8A5:				; CODE XREF: NtTerminateEnclave(x,x)+5Cj
		mov	esi, 0C00000BBh

loc_99C8AA:				; CODE XREF: NtTerminateEnclave(x,x)+4Aj
					; NtTerminateEnclave(x,x)+60j ...
		mov	ecx, edi
		call	MiUnlockAndDereferenceVad
		mov	eax, esi

loc_99C8B3:				; CODE XREF: NtTerminateEnclave(x,x)+34j
		pop	edi

loc_99C8B4:				; CODE XREF: NtTerminateEnclave(x,x)+1Aj
		pop	esi
		leave
		retn	8
_NtTerminateEnclave@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiQueryMemoryPhysicalContiguity(x, x, x, x)
_MiQueryMemoryPhysicalContiguity@16 proc near ;	CODE XREF: MmQueryVirtualMemory+FCB1Ep

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_40		= dword	ptr -40h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		push	98h
		push	offset dword_6A8A30
		call	__SEH_prolog4_GS ; struct _exception *
		mov	esi, edx
		mov	[ebp+var_78], ecx
		and	[ebp+var_7C], 0
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_58]
		rep stosd
		xor	edi, edi
		mov	[ebp+var_5C], edi
		xor	ebx, ebx
		mov	[ebp+var_60], ebx
		and	[ebp+var_70], eax
		mov	eax, large fs:124h
		mov	[ebp+var_64], eax
		cmp	[ebp+arg_0], 14h
		jz	short loc_99C901
		mov	esi, 0C0000004h
		jmp	loc_99CCC6
; 

loc_99C901:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+3Cj
		cmp	[ebp+arg_4], bl
		jz	short loc_99C951
		and	[ebp+ms_exc.disabled], ebx
		push	4
		push	14h
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	5
		pop	ecx
		lea	edi, [ebp+var_90]
		rep movsd
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		jmp	short loc_99C95F
; 

loc_99C926:				; DATA XREF: .text:006A8A44o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_94], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_99C937:				; DATA XREF: .text:006A8A48o
		mov	esi, [ebp+var_94]

loc_99C93D:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+1A2j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_60]
		mov	edi, ebx
		jmp	loc_99CCC6
; 

loc_99C951:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+4Bj
		push	5
		pop	ecx
		lea	edi, [ebp+var_90]
		rep movsd
		push	0FFFFFFFEh
		pop	edi

loc_99C95F:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+6Bj
		test	[ebp+var_84], edi
		jnz	loc_99CCBE
		mov	edx, [ebp+var_90]
		cmp	edx, ds:_MmHighestUserAddress
		ja	loc_99CCBE
		mov	esi, [ebp+var_88]
		test	esi, esi
		jz	loc_99CCBE
		lea	ecx, [esi-1]
		test	ecx, esi
		jnz	loc_99CCBE
		cmp	esi, 1000h
		jbe	loc_99CCBE
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	[ebp+var_68], eax
		cmp	eax, 2
		jnb	short loc_99C9D1
		mov	eax, esi
		shr	eax, 0Ch
		mov	ebx, [ebp+var_68]

loc_99C9B7:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+10Bj
		cmp	ds:_MiLargePageSizes[ebx*4], eax
		jz	short loc_99C9C6
		inc	ebx
		cmp	ebx, 2
		jb	short loc_99C9B7

loc_99C9C6:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+105j
		mov	[ebp+var_68], ebx
		xor	ebx, ebx
		mov	eax, [ebp+var_68]
		cmp	eax, 2

loc_99C9D1:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+F4j
		jnz	short loc_99C9DD
		mov	esi, 0C00000BBh
		jmp	loc_99CCC3
; 

loc_99C9DD:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x):loc_99C9D1j
		mov	eax, [ebp+var_8C]
		test	ecx, eax
		jnz	loc_99CCBE
		not	ecx
		and	ecx, edx
		cmp	ecx, edx
		jnz	loc_99CCBE
		mov	ecx, [ebp+var_84]
		and	ecx, 1
		add	ecx, ecx
		mov	[ebp+var_A0], ecx
		xor	edx, edx
		div	esi
		mov	ecx, eax
		mov	[ebp+var_6C], ecx
		mov	esi, ecx
		shl	esi, 2
		cmp	esi, 20h
		ja	short loc_99CA60
		lea	esi, [ebp+var_40]
		cmp	[ebp+arg_4], 0
		jz	short loc_99CA3C
		mov	[ebp+ms_exc.disabled], 1
		push	4
		shl	eax, 2
		push	eax
		push	[ebp+var_80]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[ebp+ms_exc.disabled], edi

loc_99CA3C:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+169j
		mov	edi, [ebp+var_5C]
		jmp	loc_99CB0E
; 

loc_99CA44:				; DATA XREF: .text:006A8A50o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_98], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_99CA55:				; DATA XREF: .text:006A8A54o
		mov	esi, [ebp+var_98]
		jmp	loc_99C93D
; 

loc_99CA60:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+160j
		cmp	esi, 0FFFFE000h
		ja	loc_99CCBE
		push	esi
		push	[ebp+var_80]
		call	_MmSizeOfMdl@8	; MmSizeOfMdl(x,x)
		push	0
		push	40h
		mov	edx, 20206D4Dh
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_5C], edi
		test	edi, edi
		jnz	short loc_99CA98

loc_99CA8E:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+253j
		mov	esi, 0C000009Ah
		jmp	loc_99CCC6
; 

loc_99CA98:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+1D3j
		and	dword ptr [edi], 0
		mov	ecx, [ebp+var_80]
		mov	edx, ecx
		and	edx, 0FFFh
		lea	eax, [edx+0FFFh]
		add	eax, esi
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[edi+4], ax
		xor	eax, eax
		mov	[edi+6], ax
		and	ecx, 0FFFFF000h
		mov	[edi+10h], ecx
		mov	[edi+18h], edx
		mov	[edi+14h], esi
		mov	[ebp+ms_exc.disabled], 2
		push	1
		push	dword ptr [ebp+arg_4]
		push	edi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	byte ptr [edi+6], 5
		jz	short loc_99CAF5
		mov	esi, [edi+0Ch]
		jmp	short loc_99CB0A
; 

loc_99CAF5:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+235j
		push	40000010h
		push	0
		push	0
		push	1
		push	0
		push	edi
		call	MmMapLockedPagesSpecifyCache
		mov	esi, eax

loc_99CB0A:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+23Aj
		test	esi, esi
		jz	short loc_99CA8E

loc_99CB0E:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+186j
		mov	eax, [ebp+var_64]
		mov	eax, [eax+80h]
		mov	ecx, [ebp+var_78]
		cmp	eax, ecx
		jz	short loc_99CB30
		lea	eax, [ebp+var_58]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		mov	[ebp+var_70], 1

loc_99CB30:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+263j
		mov	eax, [ebp+var_90]
		shr	eax, 0Ch
		mov	[ebp+var_64], eax
		mov	ecx, [ebp+var_88]
		shr	ecx, 0Ch
		mov	[ebp+var_9C], ecx
		and	[ebp+var_60], 0
		cmp	[ebp+var_6C], 0
		jbe	loc_99CC0A

loc_99CB59:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+330j
		test	ebx, ebx
		jz	short loc_99CB73
		cmp	eax, [ebx+0Ch]
		jb	short loc_99CB67
		cmp	eax, [ebx+10h]
		jbe	short loc_99CB73

loc_99CB67:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+2A7j
		mov	ecx, ebx
		call	MiUnlockAndDereferenceVadShared
		xor	ebx, ebx
		mov	eax, [ebp+var_64]

loc_99CB73:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+2A2j
					; MiQueryMemoryPhysicalContiguity(x,x,x,x)+2ACj
		mov	ecx, eax
		shl	ecx, 0Ch
		mov	[ebp+var_74], ecx
		test	ebx, ebx
		jnz	short loc_99CB94
		lea	eax, [ebp+var_7C]
		push	eax
		push	2
		pop	edx
		call	MiObtainReferencedVadEx
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_99CBEE
		mov	eax, [ebp+var_64]

loc_99CB94:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+2C4j
		add	eax, [ebp+var_9C]
		mov	[ebp+var_64], eax
		dec	eax
		cmp	eax, [ebx+10h]
		ja	short loc_99CC00
		mov	ecx, ebx
		call	_MiVadSupportsPhysicalContiguityQuery@4	; MiVadSupportsPhysicalContiguityQuery(x)
		test	eax, eax
		jz	short loc_99CBF6
		mov	eax, [ebp+var_60]
		and	dword ptr [esi+eax*4], 0
		push	[ebp+var_A0]
		push	[ebp+var_68]
		mov	edx, [ebp+var_74]
		mov	ecx, [ebp+var_78]
		lea	ecx, [ecx+240h]
		call	_MiQueryVaPhysicalContiguity@16	; MiQueryVaPhysicalContiguity(x,x,x,x)
		mov	edx, [ebp+var_60]
		mov	ecx, [esi+edx*4]
		xor	ecx, eax
		and	ecx, 3
		xor	[esi+edx*4], ecx
		inc	edx
		mov	[ebp+var_60], edx
		cmp	edx, [ebp+var_6C]
		jnb	short loc_99CC0A
		mov	eax, [ebp+var_64]
		jmp	loc_99CB59
; 

loc_99CBEE:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+2D6j
		mov	esi, [ebp+var_7C]
		jmp	loc_99CCD1
; 

loc_99CBF6:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+2F3j
		mov	esi, 0C00000BBh
		jmp	loc_99CCC6
; 

loc_99CC00:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+2E8j
		mov	esi, 0C0000018h
		jmp	loc_99CCC6
; 

loc_99CC0A:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+29Aj
					; MiQueryMemoryPhysicalContiguity(x,x,x,x)+32Bj
		test	ebx, ebx
		jz	short loc_99CC15
		mov	ecx, ebx
		call	MiUnlockAndDereferenceVadShared

loc_99CC15:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+353j
		xor	ebx, ebx
		mov	[ebp+var_74], ebx
		cmp	[ebp+var_70], ebx
		jz	short loc_99CC2C
		xor	edx, edx
		lea	ecx, [ebp+var_58]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		and	[ebp+var_70], ebx

loc_99CC2C:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+364j
		lea	eax, [ebp+var_40]
		cmp	esi, eax
		jnz	short loc_99CC94
		cmp	[ebp+arg_4], bl
		jz	short loc_99CC81
		mov	[ebp+ms_exc.disabled], 3
		mov	eax, [ebp+var_6C]
		shl	eax, 2
		push	eax		; size_t
		push	esi		; void *
		push	[ebp+var_80]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_99CC94
; 

loc_99CC5B:				; DATA XREF: .text:006A8A68o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_A4], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_99CC6C:				; DATA XREF: .text:006A8A6Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_A4]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_74]
		jmp	short loc_99CCC3
; 

loc_99CC81:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+37Dj
		mov	eax, [ebp+var_6C]
		shl	eax, 2
		push	eax		; size_t
		push	esi		; void *
		push	[ebp+var_80]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_99CC94:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+378j
					; MiQueryMemoryPhysicalContiguity(x,x,x,x)+3A0j
		xor	esi, esi
		jmp	short loc_99CCC6
; 

loc_99CC98:				; DATA XREF: .text:006A8A5Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_A8], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_99CCA9:				; DATA XREF: .text:006A8A60o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_A8]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_60]
		jmp	short loc_99CCC3
; 

loc_99CCBE:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+ACj
					; MiQueryMemoryPhysicalContiguity(x,x,x,x)+BEj	...
		mov	esi, 0C000000Dh

loc_99CCC3:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+11Fj
					; MiQueryMemoryPhysicalContiguity(x,x,x,x)+3C6j ...
		mov	edi, [ebp+var_5C]

loc_99CCC6:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+43j
					; MiQueryMemoryPhysicalContiguity(x,x,x,x)+93j	...
		test	ebx, ebx
		jz	short loc_99CCD1
		mov	ecx, ebx
		call	MiUnlockAndDereferenceVadShared

loc_99CCD1:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+338j
					; MiQueryMemoryPhysicalContiguity(x,x,x,x)+40Fj
		cmp	[ebp+var_70], 0
		jz	short loc_99CCE1
		xor	edx, edx
		lea	ecx, [ebp+var_58]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_99CCE1:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+41Cj
		test	edi, edi
		jz	short loc_99CCF9
		test	byte ptr [edi+6], 2
		jz	short loc_99CCF1
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_99CCF1:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+430j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99CCF9:				; CODE XREF: MiQueryMemoryPhysicalContiguity(x,x,x,x)+42Aj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiQueryMemoryPhysicalContiguity@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiVadSupportsPhysicalContiguityQuery(x)
_MiVadSupportsPhysicalContiguityQuery@4	proc near
					; CODE XREF: MiProcessVaContiguityInformation(x,x,x)+10Bp
					; MiQueryMemoryPhysicalContiguity(x,x,x,x)+2ECp
		mov	eax, [ecx+1Ch]
		mov	cl, al
		and	cl, 70h
		neg	cl
		push	0
		sbb	cl, cl
		inc	cl
		bt	eax, 14h
		setb	al
		test	cl, al
		pop	eax
		setnz	al
		retn
_MiVadSupportsPhysicalContiguityQuery@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmLogSystemShareablePfnInfo(x, x)
_MmLogSystemShareablePfnInfo@8 proc near ; CODE	XREF: EtwpKernelTraceRundown+129FF6p
					; EtwpKernelTraceRundown+12A092p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_18], 0
		push	ebx
		push	esi
		mov	[ebp+var_28], ecx
		xor	esi, esi
		and	[ebp+var_1C], esi
		xor	ecx, ecx
		push	edi
		mov	[ebp+var_24], edx
		xor	ebx, ebx
		mov	[ebp+var_10], 2
		mov	[ebp+var_C], 3
		mov	[ebp+var_8], 4
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	ecx, eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_14], ecx
		mov	edx, [ecx+4Ch]
		call	_MiGetAggregateWorkingSetSize@4	; MiGetAggregateWorkingSetSize(x)
		mov	edi, eax
		cmp	edi, edx
		jbe	short loc_99CD8A
		sub	edi, edx
		add	edi, 40h
		jmp	short loc_99CD8D
; 

loc_99CD8A:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+56j
		push	40h
		pop	edi

loc_99CD8D:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+5Dj
		mov	eax, [ebp+var_18]

loc_99CD90:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+103j
		mov	eax, [ebp+eax*4+var_10]
		dec	eax
		sub	eax, 1
		jz	short loc_99CDB3
		sub	eax, 1
		jz	short loc_99CDAE
		sub	eax, 1
		jnz	short loc_99CDB9
		xor	ecx, ecx
		inc	ecx

loc_99CDA7:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+86j
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		jmp	short loc_99CDB6
; 

loc_99CDAE:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+72j
		push	2
		pop	ecx
		jmp	short loc_99CDA7
; 

loc_99CDB3:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+6Dj
		mov	eax, [ebp+var_20]

loc_99CDB6:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+81j
		mov	[ebp+var_14], eax

loc_99CDB9:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+77j
		cmp	[ebp+var_1C], edi
		jnb	short loc_99CDEB
		test	esi, esi
		jz	short loc_99CDCA
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99CDCA:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+95j
		imul	ebx, edi, 18h
		mov	edx, 4D777445h
		push	0
		push	40h
		add	ebx, 8
		mov	ecx, ebx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_99CE40
		mov	[ebp+var_1C], edi
		jmp	short loc_99CDF7
; 

loc_99CDEB:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+91j
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch

loc_99CDF7:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+BEj
		mov	ecx, [ebp+var_14]
		xor	edx, edx
		push	ebx
		push	esi
		call	MiGetWorkingSetInfoEx
		mov	ecx, [esi+4]
		test	eax, eax
		jns	short loc_99CE12
		mov	eax, [ebp+var_18]
		lea	edi, [ecx+40h]
		jmp	short loc_99CE2B
; 

loc_99CE12:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+DDj
		test	ecx, ecx
		jz	short loc_99CE24
		mov	edx, [ebp+var_28]
		xor	ecx, ecx
		push	esi
		push	[ebp+var_24]
		call	_EtwLogPfnInfoRundown@16 ; EtwLogPfnInfoRundown(x,x,x,x)

loc_99CE24:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+E9j
		mov	eax, [ebp+var_18]
		inc	eax
		mov	[ebp+var_18], eax

loc_99CE2B:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+E5j
		cmp	eax, 3
		jb	loc_99CD90
		test	esi, esi
		jz	short loc_99CE40
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99CE40:				; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+B9j
					; MmLogSystemShareablePfnInfo(x,x)+10Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MmLogSystemShareablePfnInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocateAweInfo(x, x, x, x, x)
_MiAllocateAweInfo@20 proc near		; CODE XREF: MiCreatePagingFileMap(x)+433p
					; MiCreateProcessDefaultAweInfo(x,x)+45p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		mov	ebx, edx
		and	dword ptr [eax], 0
		push	edi
		mov	edi, ecx
		test	ebx, 0FFFFFFFEh
		jz	short loc_99CE77
		mov	eax, 0C00000EFh
		jmp	loc_99CF6B
; 

loc_99CE77:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+1Cj
		push	0
		push	40h
		push	2Ch
		mov	edx, 77416D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_99CE98
		mov	eax, 0C000009Ah
		jmp	loc_99CF6B
; 

loc_99CE98:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+3Dj
		mov	ecx, [ebp+arg_0]
		test	cl, 2
		jz	short loc_99CEA9
		mov	dword ptr [esi+4], 200h
		jmp	short loc_99CEBB
; 

loc_99CEA9:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+4Fj
		mov	al, cl
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 0Fh
		inc	eax
		mov	[esi+4], eax

loc_99CEBB:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+58j
		test	bl, 1
		jz	short loc_99CEC3
		or	dword ptr [esi], 1

loc_99CEC3:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+6Fj
		test	cl, 10h
		jz	short loc_99CECE
		and	dword ptr [esi+28h], 0
		jmp	short loc_99CEDB
; 

loc_99CECE:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+77j
		test	cl, 8
		push	0
		pop	eax
		setnz	al
		inc	eax
		mov	[esi+28h], eax

loc_99CEDB:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+7Dj
		and	dword ptr [esi+14h], 0
		mov	[esi+10h], edi
		test	cl, 4
		jz	short loc_99CF25
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		test	byte ptr [eax+4], 40h
		jnz	short loc_99CEF9
		mov	edi, 0C00000BBh
		jmp	short loc_99CF16
; 

loc_99CEF9:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+A1j
		push	[ebp+arg_4]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_99CF22
		mov	edi, 0C0000061h

loc_99CF16:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+A8j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	short loc_99CF6B
; 

loc_99CF22:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+C0j
		or	dword ptr [esi], 4

loc_99CF25:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+96j
		mov	ecx, esi
		call	_MiCreateAweInfoBitMap@4 ; MiCreateAweInfoBitMap(x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_99CF55
		push	1
		lea	ecx, [esi+1Ch]
		push	ecx
		call	_ExInitializeAutoExpandPushLock@8 ; ExInitializeAutoExpandPushLock(x,x)
		or	dword ptr [esi], 2
		test	edi, edi
		jz	short loc_99CF4E
		or	dword ptr [edi+34h], 20000h
		mov	[edi+4], esi

loc_99CF4E:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+F3j
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		jmp	short loc_99CF69
; 

loc_99CF55:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+E1j
		mov	ecx, large fs:124h
		mov	edx, esi
		mov	ecx, [ecx+80h]
		call	_MiDeleteAweInfo@8 ; MiDeleteAweInfo(x,x)

loc_99CF69:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+104j
		mov	eax, ebx

loc_99CF6B:				; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+23j
					; MiAllocateAweInfo(x,x,x,x,x)+44j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_MiAllocateAweInfo@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocateUserPhysicalPages(x, x, x, x, x)
_MiAllocateUserPhysicalPages@20	proc near
					; CODE XREF: NtAllocateUserPhysicalPages(x,x,x)+12p
					; NtAllocateUserPhysicalPagesEx(x,x,x,x,x)+14p

var_DC		= dword	ptr -0DCh
var_CC		= dword	ptr -0CCh
var_BF		= byte ptr -0BFh
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_59		= byte ptr -59h
var_58		= byte ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	0CCh
		push	offset dword_6A8AB8
		call	__SEH_prolog4_GS
		mov	[ebp+var_80], edx
		mov	[ebp+var_4C], ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_74], eax
		mov	esi, [ebp+arg_4]
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		xor	edi, edi
		mov	[ebp+var_68], edi
		mov	[ebp+var_48], edi
		push	38h		; size_t
		push	edi		; int
		lea	eax, [ebp+var_DC]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, edi
		mov	[ebp+var_38], eax
		mov	[ebp+var_70], eax
		mov	eax, large fs:124h
		mov	[ebp+var_3C], eax
		mov	ecx, [eax+80h]
		mov	[ebp+var_54], ecx
		mov	bl, [eax+15Ah]
		mov	[ebp+var_59], bl
		mov	[ebp+var_58], bl
		lea	eax, [ebp+var_DC]
		push	eax		; void *
		push	24h		; int
		push	dword ptr [ebp+var_58] ; char
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	MiCaptureAllocateMapExtendedParameters
		test	eax, eax
		js	loc_99D6A0
		mov	ecx, [ebp+var_B4]
		mov	eax, ecx
		and	eax, 0FFFFFFF5h
		or	eax, [ebp+var_B0]
		jnz	loc_99D69B
		mov	eax, ecx
		and	eax, 0Ah
		cmp	eax, 0Ah
		jz	loc_99D69B
		mov	eax, ecx
		and	eax, 2
		or	eax, edi
		jz	short loc_99D02D
		push	10h
		pop	esi
		jmp	short loc_99D039
; 

loc_99D02D:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+B2j
		and	ecx, 8
		or	ecx, edi
		jz	short loc_99D03E
		mov	esi, 200h

loc_99D039:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+B7j
		mov	[ebp+var_64], esi
		jmp	short loc_99D041
; 

loc_99D03E:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+BEj
		mov	[ebp+var_64], edi

loc_99D041:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+C8j
		movzx	eax, ds:_KeNumberNodes
		cmp	[ebp+var_CC], eax
		ja	loc_99D69B
		mov	[ebp+ms_exc.disabled], edi
		test	bl, bl
		jnz	short loc_99D078
		mov	eax, [ebp+var_80]
		mov	ebx, [eax]
		mov	[ebp+var_84], ebx
		test	ebx, ebx
		jnz	short loc_99D0C1

loc_99D06A:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+122j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	loc_99D6A0
; 

loc_99D078:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+E5j
		mov	edx, [ebp+var_80]
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_99D088
		mov	ecx, eax

loc_99D088:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+110j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ebx, [edx]
		mov	[ebp+var_84], ebx
		test	ebx, ebx
		jz	short loc_99D06A
		cmp	ebx, 3FFFFFFFh
		jbe	short loc_99D0B1
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C00000F0h
		jmp	loc_99D6A0
; 

loc_99D0B1:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+12Aj
		push	4
		mov	eax, ebx
		shl	eax, 2
		push	eax
		push	[ebp+var_74]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_99D0C1:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+F4j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_40], edi
		lea	eax, [ebp+var_68]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		push	dword ptr [ebp+var_58]
		push	2
		pop	edx
		mov	ecx, [ebp+var_4C]
		call	_MiReferenceAweHandle@20 ; MiReferenceAweHandle(x,x,x,x,x)
		test	eax, eax
		js	loc_99D6A0
		mov	eax, [ebp+var_68]
		test	eax, eax
		jz	short loc_99D0FF
		mov	ecx, eax
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	eax, [eax+4]
		mov	[ebp+var_40], eax
		jmp	short loc_99D10F
; 

loc_99D0FF:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+17Aj
		mov	esi, [ebp+var_48]
		test	esi, esi
		jnz	short loc_99D115
		push	8
		pop	eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_70], eax

loc_99D10F:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+189j
		mov	esi, [ebp+var_54]
		mov	[ebp+var_48], esi

loc_99D115:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+190j
		push	dword ptr [ebp+var_58]
		push	ds:dword_A94A5C
		push	ds:_SeLockMemoryPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_99D137
		mov	edi, 0C0000061h
		jmp	loc_99D607
; 

loc_99D137:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+1B7j
		cmp	esi, [ebp+var_54]
		jz	short loc_99D152
		lea	eax, [ebp+var_34]
		push	eax
		push	esi
		call	KeStackAttachProcess
		mov	eax, [ebp+var_38]
		or	eax, 1
		mov	[ebp+var_38], eax
		mov	[ebp+var_70], eax

loc_99D152:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+1C6j
		mov	[ebp+var_50], edi
		mov	ecx, [ebp+var_40]
		test	ecx, ecx
		jnz	short loc_99D176
		lea	edx, [ebp+var_40]
		mov	cl, [ebp+var_59]
		call	_MiCreateProcessDefaultAweInfo@8 ; MiCreateProcessDefaultAweInfo(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_99D607
		xor	edi, edi
		mov	ecx, [ebp+var_40]

loc_99D176:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+1E6j
		call	_MiGetAwePageSize@4 ; MiGetAwePageSize(x)
		mov	[ebp+var_54], eax
		mov	ecx, [ebp+var_64]
		test	ecx, ecx
		jnz	short loc_99D18C
		mov	ecx, eax
		mov	[ebp+var_64], ecx
		jmp	short loc_99D1AE
; 

loc_99D18C:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+20Fj
		cmp	ecx, eax
		jbe	loc_99D602
		mov	eax, ecx
		xor	edx, edx
		div	[ebp+var_54]
		test	edx, edx
		jnz	loc_99D602
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	loc_99D602

loc_99D1AE:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+216j
		cmp	ecx, 1
		jbe	short loc_99D1CE
		mov	eax, ebx
		imul	eax, ecx
		cmp	ebx, eax
		jb	short loc_99D1C6
		mov	edi, 0C00000F0h
		jmp	loc_99D607
; 

loc_99D1C6:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+246j
		mov	ebx, eax
		mov	[ebp+var_84], ebx

loc_99D1CE:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+23Dj
		cmp	[ebp+var_68], 0
		jnz	short loc_99D247
		mov	edx, esi
		mov	ecx, [ebp+var_3C]
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)
		test	byte ptr [esi+0FCh], 20h
		jz	short loc_99D1FB
		mov	edx, esi
		mov	ecx, [ebp+var_3C]
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	edi, 0C000010Ah
		jmp	loc_99D607
; 

loc_99D1FB:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+271j
		mov	edx, ebx
		mov	ecx, esi
		call	_MiChargeProcessPhysicalPages@8	; MiChargeProcessPhysicalPages(x,x)
		test	eax, eax
		jnz	short loc_99D21C
		mov	edx, esi

loc_99D20A:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+2B9j
		mov	ecx, [ebp+var_3C]
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	edi, 0C000012Dh
		jmp	loc_99D607
; 

loc_99D21C:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+292j
		or	[ebp+var_38], 4
		mov	edx, ebx
		mov	ecx, esi
		call	MiChargeProcessCommitment
		mov	edx, esi
		test	eax, eax
		jz	short loc_99D20A
		mov	esi, [ebp+var_3C]
		mov	ecx, esi
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	ecx, [ebp+var_38]
		or	ecx, 2
		mov	[ebp+var_38], ecx
		mov	[ebp+var_70], ecx
		jmp	short loc_99D24A
; 

loc_99D247:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+25Ej
		mov	esi, [ebp+var_3C]

loc_99D24A:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+2D1j
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	[ebp+var_7C], eax
		mov	dword ptr [ebp+var_58],	edi
		mov	eax, [eax+0F44h]
		mov	edx, 1000h
		mul	edx
		mov	[ebp+var_94], eax
		mov	[ebp+var_90], edx
		mov	[ebp+var_6C], 80000000h
		mov	eax, [ebp+var_CC]
		test	eax, eax
		jz	short loc_99D295
		lea	esi, [eax-1]
		cmp	[ebp+var_BF], 1
		jnz	short loc_99D2AF
		mov	eax, 80000002h
		mov	[ebp+var_6C], eax
		jmp	short loc_99D2B4
; 

loc_99D295:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+309j
		mov	eax, [esi+16Ch]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	eax, [eax+338h]
		movzx	esi, word ptr [eax+8Ah]

loc_99D2AF:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+315j
		mov	eax, 80000000h

loc_99D2B4:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+31Fj
		mov	edx, [ebp+var_40]
		test	byte ptr [edx],	4
		jz	short loc_99D2C2
		or	eax, 1
		mov	[ebp+var_6C], eax

loc_99D2C2:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+346j
		mov	ecx, [ebp+var_64]
		shl	ecx, 0Ch
		mov	[ebp+var_98], ecx
		cmp	[ebp+var_64], 1
		jnz	short loc_99D2DC
		mov	[ebp+var_8C], edi
		jmp	short loc_99D2E6
; 

loc_99D2DC:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+35Ej
		or	[ebp+var_6C], 30h
		mov	[ebp+var_8C], ecx

loc_99D2E6:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+366j
					; MiAllocateUserPhysicalPages(x,x,x,x,x)+5B6j
		mov	eax, edi
		mov	[ebp+var_60], eax
		mov	[ebp+var_44], ebx
		mov	ecx, [ebp+var_50]
		sub	[ebp+var_44], ecx
		cmp	[ebp+var_44], 0C0000h
		mov	ecx, [ebp+var_38]
		jbe	short loc_99D307
		mov	[ebp+var_44], 0C0000h

loc_99D307:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+38Aj
		cmp	[ebp+var_44], 10h
		jb	short loc_99D359
		test	cl, 10h
		jnz	short loc_99D359
		push	edi
		push	[ebp+var_98]
		push	[ebp+var_90]
		push	[ebp+var_94]
		push	edi
		push	edi
		mov	eax, [ebp+var_6C]
		or	eax, 42h
		push	eax
		push	esi
		push	dword ptr [edx+28h]
		mov	edx, [ebp+var_44]
		shl	edx, 0Ch
		mov	ecx, [ebp+var_7C]
		call	MiAllocatePagesForMdl
		mov	[ebp+var_60], eax
		mov	edx, [ebp+var_40]
		test	eax, eax
		jnz	short loc_99D38E
		mov	eax, [ebp+var_38]
		or	eax, 10h
		mov	[ebp+var_38], eax
		mov	[ebp+var_70], eax
		mov	eax, [ebp+var_60]

loc_99D359:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+397j
					; MiAllocateUserPhysicalPages(x,x,x,x,x)+39Cj
		test	eax, eax
		jnz	short loc_99D38E
		push	edi
		push	[ebp+var_8C]
		push	[ebp+var_90]
		push	[ebp+var_94]
		push	edi
		push	edi
		push	[ebp+var_6C]
		push	esi
		push	dword ptr [edx+28h]
		mov	edx, [ebp+var_44]
		shl	edx, 0Ch
		mov	ecx, [ebp+var_7C]
		call	MiAllocatePagesForMdl
		mov	edi, eax
		mov	[ebp+var_60], edi
		jmp	short loc_99D391
; 

loc_99D38E:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+3D4j
					; MiAllocateUserPhysicalPages(x,x,x,x,x)+3E7j
		mov	edi, [ebp+var_60]

loc_99D391:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+418j
		test	edi, edi
		jz	loc_99D55A
		mov	ecx, edi
		call	_MiSortMdlFrames@4 ; MiSortMdlFrames(x)
		lea	eax, [edi+1Ch]
		mov	[ebp+var_78], eax
		mov	eax, [edi+14h]
		shr	eax, 0Ch
		mov	[ebp+var_88], eax
		add	eax, 7
		lea	eax, [edi+eax*4]
		mov	[ebp+var_9C], eax
		mov	eax, [eax-4]
		xor	edx, edx
		div	[ebp+var_54]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_40]

loc_99D3CC:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+4C3j
					; MiAllocateUserPhysicalPages(x,x,x,x,x)+4CBj
		mov	edi, [ebp+var_48]
		cmp	[ebp+var_68], 0
		jnz	short loc_99D3EF
		mov	edx, edi
		mov	ecx, [ebp+var_3C]
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)
		test	byte ptr [edi+0FCh], 20h
		jnz	loc_99D52F
		mov	eax, [ebp+var_40]

loc_99D3EF:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+45Fj
		mov	edx, [ebp+var_3C]
		mov	ecx, eax
		call	_MiLockAwePagesShared@8	; MiLockAwePagesShared(x,x)
		mov	edx, eax
		mov	[ebp+var_44], edx
		mov	eax, [ebp+var_40]
		mov	ecx, [eax+8]
		cmp	[ebp+var_4C], ecx
		jb	loc_99D496
		mov	ecx, [ebp+var_3C]
		call	_MiUnlockAwePagesShared@8 ; MiUnlockAwePagesShared(x,x)
		cmp	[ebp+var_68], 0
		jnz	short loc_99D425
		mov	edx, edi
		mov	ecx, [ebp+var_3C]
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)

loc_99D425:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+4A5j
		mov	ecx, [ebp+var_40]
		call	_MiResizeAweBitMap@4 ; MiResizeAweBitMap(x)
		mov	edi, eax
		mov	[ebp+var_44], edi
		test	edi, edi
		mov	eax, [ebp+var_40]
		jns	short loc_99D3CC
		mov	ecx, [ebp+var_4C]
		cmp	ecx, [eax+8]
		jb	short loc_99D3CC
		xor	edx, edx
		mov	esi, [ebp+var_60]
		mov	ecx, esi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99D455:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+5ADj
					; MiAllocateUserPhysicalPages(x,x,x,x,x)+5E1j
		mov	esi, [ebp+var_50]

loc_99D458:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+5FEj
		mov	eax, [ebp+var_38]
		test	al, 1
		jz	short loc_99D474
		lea	eax, [ebp+var_34]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		mov	ecx, [ebp+var_38]
		and	ecx, 0FFFFFFFEh
		mov	[ebp+var_38], ecx
		mov	[ebp+var_70], ecx

loc_99D474:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+4E9j
		mov	[ebp+ms_exc.disabled], 1
		test	edi, edi
		js	loc_99D577
		mov	eax, esi
		xor	edx, edx
		mov	esi, [ebp+var_64]
		div	esi
		mov	ecx, [ebp+var_80]
		mov	[ecx], eax
		jmp	loc_99D57A
; 

loc_99D496:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+493j
		mov	eax, [eax+0Ch]
		mov	[ebp+var_4C], eax
		mov	ecx, [ebp+var_54]
		mov	edx, [ebp+var_78]

loc_99D4A2:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+560j
		mov	eax, [edx]
		xor	edx, edx
		div	ecx
		mov	ecx, eax
		and	ecx, 1Fh
		xor	edx, edx
		inc	edx
		shl	edx, cl
		shr	eax, 5
		mov	ecx, [ebp+var_4C]
		lea	eax, [ecx+eax*4]
		lock or	[eax], edx
		mov	ecx, [ebp+var_54]
		mov	eax, ecx
		shl	eax, 2
		mov	edx, [ebp+var_78]
		add	edx, eax
		mov	[ebp+var_78], edx
		cmp	edx, [ebp+var_9C]
		jnz	short loc_99D4A2
		mov	edx, [ebp+var_44]
		mov	ecx, [ebp+var_3C]
		call	_MiUnlockAwePagesShared@8 ; MiUnlockAwePagesShared(x,x)
		cmp	[ebp+var_68], 0
		jnz	short loc_99D4F1
		mov	edx, edi
		mov	ecx, [ebp+var_3C]
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)

loc_99D4F1:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+571j
		mov	eax, dword ptr [ebp+var_58]
		mov	ecx, [ebp+var_60]
		mov	[ecx], eax
		mov	dword ptr [ebp+var_58],	ecx
		mov	ecx, [ebp+var_88]
		mov	eax, [ebp+var_7C]
		add	eax, 111Ch
		lock xadd [eax], ecx
		mov	eax, [ebp+var_50]
		add	eax, [ebp+var_88]
		mov	[ebp+var_50], eax
		xor	edi, edi
		mov	[ebp+var_44], edi
		cmp	eax, ebx
		jz	loc_99D455
		mov	edx, [ebp+var_40]
		jmp	loc_99D2E6
; 

loc_99D52F:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+472j
		mov	edx, edi
		mov	ecx, [ebp+var_3C]
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		xor	edx, edx
		mov	esi, [ebp+var_60]
		mov	ecx, esi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, 0C000010Ah
		mov	[ebp+var_44], edi
		jmp	loc_99D455
; 

loc_99D55A:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+41Fj
		mov	esi, [ebp+var_50]
		mov	edi, esi
		neg	edi
		sbb	edi, edi
		and	edi, 3FFFFF66h
		add	edi, 0C000009Ah
		mov	[ebp+var_44], edi
		jmp	loc_99D458
; 

loc_99D577:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+509j
		mov	esi, [ebp+var_64]

loc_99D57A:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+51Dj
		mov	eax, dword ptr [ebp+var_58]

loc_99D57D:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+64Aj
		mov	[ebp+var_4C], eax
		test	eax, eax
		jz	short loc_99D5C0
		mov	ecx, [eax+14h]
		shr	ecx, 0Ch
		mov	[ebp+var_88], ecx
		xor	edx, edx
		mov	[ebp+var_A0], edx

loc_99D598:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+646j
		cmp	edx, ecx
		jnb	short loc_99D5BC
		mov	ecx, [eax+edx*4+1Ch]
		mov	eax, [ebp+var_74]
		mov	[eax], ecx
		add	[ebp+var_74], 4
		add	edx, esi
		mov	[ebp+var_A0], edx
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_88]
		jmp	short loc_99D598
; 

loc_99D5BC:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+626j
		mov	eax, [eax]
		jmp	short loc_99D57D
; 

loc_99D5C0:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+60Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_99D5E8
; 

loc_99D5C9:				; DATA XREF: .text:006A8AD8o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_99D5CF:				; DATA XREF: .text:006A8ADCo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_44]
		mov	ebx, [ebp+var_84]
		mov	eax, [ebp+var_70]
		mov	[ebp+var_38], eax

loc_99D5E8:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+653j
		mov	eax, dword ptr [ebp+var_58]

loc_99D5EB:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+687j
		test	eax, eax
		jz	short loc_99D5FD
		mov	esi, [eax]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	short loc_99D5EB
; 

loc_99D5FD:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+679j
		sub	ebx, [ebp+var_50]
		jmp	short loc_99D607
; 

loc_99D602:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+21Aj
					; MiAllocateUserPhysicalPages(x,x,x,x,x)+229j ...
		mov	edi, 0C000000Dh

loc_99D607:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+1BEj
					; MiAllocateUserPhysicalPages(x,x,x,x,x)+1F7j ...
		mov	ecx, [ebp+var_38]
		mov	esi, [ebp+var_48]
		test	ebx, ebx
		jz	short loc_99D647
		test	cl, 2
		jz	short loc_99D636
		mov	edx, esi
		mov	ecx, [ebp+var_3C]
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	_MiReturnProcessCommitment@8 ; MiReturnProcessCommitment(x,x)
		mov	edx, esi
		mov	ecx, [ebp+var_3C]
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	ecx, [ebp+var_38]

loc_99D636:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+6A0j
		test	cl, 4
		jz	short loc_99D647
		neg	ebx
		lea	eax, [esi+35Ch]
		lock xadd [eax], ebx

loc_99D647:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+69Bj
					; MiAllocateUserPhysicalPages(x,x,x,x,x)+6C5j
		test	cl, 1
		jz	short loc_99D658
		lea	eax, [ebp+var_34]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		mov	ecx, [ebp+var_38]

loc_99D658:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+6D6j
		test	cl, 8
		jnz	short loc_99D672
		mov	eax, [ebp+var_68]
		mov	edx, 68506D4Dh
		test	eax, eax
		mov	ecx, eax
		jnz	short loc_99D66D
		mov	ecx, esi

loc_99D66D:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+6F5j
		call	ObfDereferenceObjectWithTag

loc_99D672:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+6E7j
		mov	eax, edi
		jmp	short loc_99D6A0
; 

loc_99D676:				; DATA XREF: .text:006A8ACCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_A4], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_99D689:				; DATA XREF: .text:006A8AD0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_A4]
		jmp	short loc_99D6A0
; 

loc_99D69B:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+97j
					; MiAllocateUserPhysicalPages(x,x,x,x,x)+A5j ...
		mov	eax, 0C000000Dh

loc_99D6A0:				; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+80j
					; MiAllocateUserPhysicalPages(x,x,x,x,x)+FFj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_MiAllocateUserPhysicalPages@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAweViewInserter(x, x)
_MiAweViewInserter@8 proc near		; CODE XREF: MiInsertVad+14B98Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, [ecx+24Ch]
		mov	ebx, edx
		push	edi
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	_MiLockAweVadsExclusive@4 ; MiLockAweVadsExclusive(x)
		mov	eax, [ebx+0Ch]
		add	esi, 0A0h
		mov	byte ptr [ebp+var_4], 0
		mov	edi, [eax+0Ch]
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_99D712

loc_99D6EB:				; CODE XREF: MiAweViewInserter(x,x)+5Aj
		mov	ecx, [eax+0Ch]
		cmp	edi, [ecx+10h]
		ja	short loc_99D703
		cmp	edi, [ecx+0Ch]
		jnb	short loc_99D703
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_99D70A
		mov	byte ptr [ebp+var_4], cl
		jmp	short loc_99D712
; 

loc_99D703:				; CODE XREF: MiAweViewInserter(x,x)+3Fj
					; MiAweViewInserter(x,x)+44j
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_99D70E

loc_99D70A:				; CODE XREF: MiAweViewInserter(x,x)+4Aj
		mov	eax, ecx
		jmp	short loc_99D6EB
; 

loc_99D70E:				; CODE XREF: MiAweViewInserter(x,x)+56j
		mov	byte ptr [ebp+var_4], 1

loc_99D712:				; CODE XREF: MiAweViewInserter(x,x)+37j
					; MiAweViewInserter(x,x)+4Fj
		push	ebx
		push	[ebp+var_4]
		push	eax
		push	esi
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		mov	ecx, [ebp+var_8]
		call	_MiUnlockAweVadsExclusive@4 ; MiUnlockAweVadsExclusive(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiAweViewInserter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCaptureUlongPtrArray(x, x, x)
_MiCaptureUlongPtrArray@12 proc	near	; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+289p
					; NtMapUserPhysicalPages(x,x,x)+C2p ...

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0Ch
		push	offset dword_6A8A70
		call	__SEH_prolog4
		mov	edi, ecx
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+arg_0]
		shl	eax, 2
		test	eax, eax
		jz	short loc_99D764
		test	dl, 3
		jz	short loc_99D751
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_99D751:				; CODE XREF: MiCaptureUlongPtrArray(x,x,x)+20j
		lea	esi, [eax+edx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	esi, ecx
		ja	short loc_99D762
		cmp	esi, edx
		jnb	short loc_99D764

loc_99D762:				; CODE XREF: MiCaptureUlongPtrArray(x,x,x)+32j
		mov	[ecx], bl

loc_99D764:				; CODE XREF: MiCaptureUlongPtrArray(x,x,x)+1Bj
					; MiCaptureUlongPtrArray(x,x,x)+36j
		push	eax		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_99D785
; 

loc_99D771:				; DATA XREF: .text:006A8A84o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_99D77F:				; DATA XREF: .text:006A8A88o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_1C]

loc_99D785:				; CODE XREF: MiCaptureUlongPtrArray(x,x,x)+45j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiCaptureUlongPtrArray@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiComputeAweCharges(x, x)
_MiComputeAweCharges@8 proc near	; CODE XREF: MiInsertVadCharges+161358p
					; MiFreeAweView(x):loc_99DD2Bp
		xor	eax, eax
		inc	eax
		push	edi
		mov	edi, ecx
		test	edx, edx
		jz	short loc_99D7C5
		push	esi
		mov	esi, [edx+10h]
		test	[esi], al
		jnz	short loc_99D7C4
		mov	ecx, edx
		call	_MiGetAweViewPageSize@4	; MiGetAweViewPageSize(x)
		test	eax, eax
		jnz	short loc_99D7C4
		mov	ecx, esi
		call	_MiGetAwePageSize@4 ; MiGetAwePageSize(x)

loc_99D7C4:				; CODE XREF: MiComputeAweCharges(x,x)+10j
					; MiComputeAweCharges(x,x)+1Bj
		pop	esi

loc_99D7C5:				; CODE XREF: MiComputeAweCharges(x,x)+8j
		mov	edx, [edi+10h]
		cmp	eax, 200h
		mov	ecx, [edi+0Ch]
		sbb	eax, eax
		shl	edx, 0Ch
		inc	eax
		shl	ecx, 0Ch
		push	eax
		or	edx, 0FFFh
		call	_MiResidentPagesForSpan@12 ; MiResidentPagesForSpan(x,x,x)
		pop	edi
		retn
_MiComputeAweCharges@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateAweInfoBitMap(x)
_MiCreateAweInfoBitMap@4 proc near	; CODE XREF: MiAllocateAweInfo(x,x,x,x,x)+D8p
					; MiResizeAweBitMap(x)+36p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+80h]
		mov	esi, ecx
		mov	[ebp+var_8], eax
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ebx, [eax+0F44h]
		call	_MiGetAwePageSize@4 ; MiGetAwePageSize(x)
		mov	edi, eax
		cmp	edi, 1
		jz	short loc_99D82C
		lea	eax, [ebx-1]
		mov	ecx, edi
		add	eax, edi
		neg	ecx
		and	eax, ecx
		xor	edx, edx
		div	edi
		mov	ebx, eax
		jmp	short loc_99D82D
; 

loc_99D82C:				; CODE XREF: MiCreateAweInfoBitMap(x)+30j
		inc	ebx

loc_99D82D:				; CODE XREF: MiCreateAweInfoBitMap(x)+43j
		push	0
		pop	ecx
		test	bl, 1Fh
		mov	eax, ebx
		push	0
		setnz	cl
		mov	edx, 4C646156h
		shr	eax, 5
		add	ecx, eax
		shl	ecx, 2
		push	40h
		mov	[ebp+var_4], ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_99D85E
		mov	eax, 0C000009Ah
		jmp	short loc_99D88A
; 

loc_99D85E:				; CODE XREF: MiCreateAweInfoBitMap(x)+6Ej
		test	byte ptr [esi],	1
		jz	short loc_99D882
		push	[ebp+var_4]
		push	[ebp+var_8]
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jns	short loc_99D882
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_8]
		jmp	short loc_99D88A
; 

loc_99D882:				; CODE XREF: MiCreateAweInfoBitMap(x)+7Aj
					; MiCreateAweInfoBitMap(x)+8Cj
		mov	[esi+8], ebx
		xor	eax, eax
		mov	[esi+0Ch], edi

loc_99D88A:				; CODE XREF: MiCreateAweInfoBitMap(x)+75j
					; MiCreateAweInfoBitMap(x)+99j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiCreateAweInfoBitMap@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateProcessDefaultAweInfo(x, x)
_MiCreateProcessDefaultAweInfo@8 proc near
					; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+1EEp
					; MiCreateUserPhysicalView(x,x,x,x)+15Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, large fs:124h
		mov	eax, edx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], eax
		mov	[eax], edi
		mov	eax, [ebx+80h]
		mov	[ebp+var_8], eax
		mov	eax, [eax+24Ch]
		mov	[ebp+var_C], eax
		mov	esi, [eax+9Ch]
		mov	[ebp+var_4], esi
		test	esi, esi
		jnz	short loc_99D931
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		push	ecx
		push	edi
		inc	edx
		xor	ecx, ecx
		call	_MiAllocateAweInfo@20 ;	MiAllocateAweInfo(x,x,x,x,x)
		test	eax, eax
		js	short loc_99D938
		mov	ecx, ebx
		call	_MiLockAweVadsExclusive@4 ; MiLockAweVadsExclusive(x)
		mov	ecx, [ebp+var_8]
		mov	esi, [ebp+var_4]
		mov	eax, [ecx+24Ch]
		cmp	[eax+9Ch], edi
		jnz	short loc_99D902
		mov	eax, [ebp+var_C]
		inc	edi
		mov	[eax+9Ch], esi

loc_99D902:				; CODE XREF: MiCreateProcessDefaultAweInfo(x,x)+67j
		mov	ecx, ebx
		call	_MiUnlockAweVadsExclusive@4 ; MiUnlockAweVadsExclusive(x)
		test	edi, edi
		jnz	short loc_99D931
		mov	ecx, large fs:124h
		mov	edx, [ebp+var_4]
		mov	ecx, [ecx+80h]
		call	_MiDeleteAweInfo@8 ; MiDeleteAweInfo(x,x)
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+24Ch]
		mov	esi, [eax+9Ch]

loc_99D931:				; CODE XREF: MiCreateProcessDefaultAweInfo(x,x)+38j
					; MiCreateProcessDefaultAweInfo(x,x)+7Cj
		mov	eax, [ebp+var_10]
		mov	[eax], esi
		xor	eax, eax

loc_99D938:				; CODE XREF: MiCreateProcessDefaultAweInfo(x,x)+4Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiCreateProcessDefaultAweInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateUserPhysicalView(x,	x, x, x)
_MiCreateUserPhysicalView@16 proc near	; CODE XREF: MiReserveUserMemory+15FC29p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		mov	[ebp+var_10], ecx
		mov	esi, eax
		push	edi
		mov	ecx, [ebx+48h]
		mov	edi, [ebx+50h]
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], eax
		mov	[ebp+arg_0], esi
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		test	ecx, ecx
		jz	loc_99DA7A
		and	edx, 4
		or	edx, 8
		shr	edx, 1
		test	byte ptr [ebp+var_14], 2
		jz	short loc_99D980
		or	edx, 8

loc_99D980:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+3Ej
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_14], al
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_14]
		call	_MiReferenceAweHandle@20 ; MiReferenceAweHandle(x,x,x,x,x)
		test	eax, eax
		js	loc_99DB22
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_99D9C9
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_99D9BF
		mov	edx, 68506D4Dh
		call	ObfDereferenceObjectWithTag

loc_99D9BF:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+76j
		mov	eax, 0C0000008h
		jmp	loc_99DB22
; 

loc_99D9C9:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+6Fj
		mov	ecx, esi
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	[ebp+var_4], eax
		mov	eax, [eax+4]
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	_MiGetAwePageSize@4 ; MiGetAwePageSize(x)
		mov	edx, edi
		mov	ecx, eax
		and	edx, 2
		mov	[ebp+var_8], ecx
		or	edx, 0
		jz	short loc_99DA05

loc_99D9EF:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+DDj
					; MiCreateUserPhysicalView(x,x,x,x)+F7j ...
		mov	edx, 68506D4Dh
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_99D9FB:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+142j
		mov	eax, 0C000000Dh
		jmp	loc_99DB22
; 

loc_99DA05:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+B0j
		and	edi, 8
		or	edi, 0
		jz	short loc_99DA1C
		mov	eax, 200h
		mov	[ebp+arg_0], eax
		cmp	ecx, 10h
		jz	short loc_99DA21
		jmp	short loc_99D9EF
; 

loc_99DA1C:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+CEj
		mov	eax, ecx
		mov	[ebp+arg_0], ecx

loc_99DA21:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+DBj
		shl	eax, 0Ch
		cmp	[ebx+8], eax
		jnb	short loc_99DA2C
		mov	[ebx+8], eax

loc_99DA2C:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+EAj
		mov	edi, [ebx+0Ch]
		lea	ecx, [eax-1]
		test	edi, ecx
		jnz	short loc_99D9EF
		mov	eax, [ebx+4]
		mov	edx, [ebx]
		sub	eax, edx
		inc	eax
		cmp	eax, edi
		jnz	short loc_99DA46
		test	edx, ecx
		jnz	short loc_99D9EF

loc_99DA46:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+103j
		mov	ebx, [ebp+arg_0]

loc_99DA49:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+174j
		push	0
		push	40h
		push	28h
		mov	edx, 76706D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_99DAB3
		test	esi, esi
		jz	short loc_99DA70
		mov	edx, 68506D4Dh
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_99DA70:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+125j
		mov	eax, 0C000009Ah
		jmp	loc_99DB22
; 

loc_99DA7A:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+2Cj
		and	edi, 0Ah
		or	edi, esi
		jnz	loc_99D9FB
		cmp	edx, 4
		jz	short loc_99DA94
		mov	eax, 0C0000045h
		jmp	loc_99DB22
; 

loc_99DA94:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+14Bj
		mov	cl, [ebx+44h]
		lea	edx, [ebp+var_C]
		call	_MiCreateProcessDefaultAweInfo@8 ; MiCreateProcessDefaultAweInfo(x,x)
		test	eax, eax
		js	short loc_99DB22
		xor	eax, eax
		inc	eax
		mov	[ebp+var_8], eax
		mov	ebx, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_C], eax
		jmp	short loc_99DA49
; 

loc_99DAB3:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+121j
		mov	eax, [ebp+var_10]
		mov	[edi+10h], eax
		mov	eax, [ebp+var_C]
		mov	dword ptr [edi+24h], 100h
		mov	[edi+14h], eax
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	cx, [eax]
		mov	eax, [ebp+arg_4]
		mov	[eax], cx
		test	esi, esi
		jz	short loc_99DAF2
		mov	ecx, [ebp+var_4]
		call	MiCheckPurgeAndUpMapCount
		mov	eax, [ebp+var_4]
		mov	edx, 68506D4Dh
		mov	ecx, esi
		mov	[edi+18h], eax
		call	ObfDereferenceObjectWithTag

loc_99DAF2:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+199j
		cmp	ebx, [ebp+var_8]
		jz	short loc_99DB10
		mov	eax, [edi+18h]
		cmp	ebx, 10h
		jnz	short loc_99DB07
		and	eax, 0FFFFFFFDh
		or	eax, 1
		jmp	short loc_99DB0D
; 

loc_99DB07:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+1C0j
		and	eax, 0FFFFFFFEh
		or	eax, 2

loc_99DB0D:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+1C8j
		mov	[edi+18h], eax

loc_99DB10:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+1B8j
		mov	ecx, [ebp+var_10]
		mov	edx, edi
		and	dword ptr [edi+0Ch], 0
		push	0
		call	_MiInsertVadEvent@12 ; MiInsertVadEvent(x,x,x)
		xor	eax, eax

loc_99DB22:				; CODE XREF: MiCreateUserPhysicalView(x,x,x,x)+64j
					; MiCreateUserPhysicalView(x,x,x,x)+87j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiCreateUserPhysicalView@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiDeleteAweBitMap(x, x)
_MiDeleteAweBitMap@8 proc near		; CODE XREF: MiDeleteAweInfo(x,x)+1Bp
					; MiResizeAweBitMap(x)+6Dp ...
		mov	edi, edi
		push	edi
		mov	edi, edx
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_99DB63
		push	esi
		mov	esi, [edi]
		mov	edx, esi
		and	edx, 1Fh
		test	ecx, ecx
		jz	short loc_99DB5A
		xor	eax, eax
		test	edx, edx
		setnz	al
		shr	esi, 5
		add	eax, esi
		shl	eax, 2
		push	eax
		push	ecx
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		mov	eax, [edi+4]

loc_99DB5A:				; CODE XREF: MiDeleteAweBitMap(x,x)+16j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi

loc_99DB63:				; CODE XREF: MiDeleteAweBitMap(x,x)+Aj
		pop	edi
		retn
_MiDeleteAweBitMap@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiDeleteAweInfo(x, x)
_MiDeleteAweInfo@8 proc	near		; CODE XREF: MiDeleteSectionAwe(x)+12j
					; MiDeleteProcessPhysicalPages(x):loc_76263Bp ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	byte ptr [esi],	2
		jz	short loc_99DB7B
		lea	eax, [esi+1Ch]
		push	eax
		call	ExCleanupAutoExpandPushLock

loc_99DB7B:				; CODE XREF: MiDeleteAweInfo(x,x)+Bj
		lea	edx, [esi+8]
		mov	ecx, edi
		call	_MiDeleteAweBitMap@8 ; MiDeleteAweBitMap(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_MiDeleteAweInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteAweInfoPages(x)
_MiDeleteAweInfoPages@4	proc near	; CODE XREF: MiDeleteSectionAwe(x)+8p
					; MmCleanProcessAddressSpace:loc_921A63p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		mov	ecx, large fs:124h
		push	edi
		mov	[ebp+var_4], esi
		mov	edi, ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_28], ecx
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	edx, ecx
		mov	[ebp+var_24], eax
		mov	ecx, esi
		call	_MiLockAwePagesExclusive@8 ; MiLockAwePagesExclusive(x,x)
		mov	ecx, esi
		call	_MiGetAwePageSize@4 ; MiGetAwePageSize(x)
		test	byte ptr [esi],	1
		mov	[ebp+var_8], eax
		lea	eax, [esi+8]
		jz	short loc_99DBF0
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		cmp	[ecx+35Ch], ebx
		jz	loc_99DCFF

loc_99DBF0:				; CODE XREF: MiDeleteAweInfoPages(x)+45j
					; MiDeleteAweInfoPages(x)+139j
		push	edi
		push	1
		push	eax
		call	RtlFindSetBits
		mov	esi, eax
		cmp	esi, edi
		jb	loc_99DCCF
		cmp	esi, 0FFFFFFFFh
		jz	loc_99DCCF
		mov	edi, [ebp+var_4]
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		add	edi, 8
		push	edi
		call	RtlFindNextForwardRunClear
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	short loc_99DC29
		mov	edi, [ebp+var_10]
		jmp	short loc_99DC2B
; 

loc_99DC29:				; CODE XREF: MiDeleteAweInfoPages(x)+92j
		mov	edi, [edi]

loc_99DC2B:				; CODE XREF: MiDeleteAweInfoPages(x)+97j
		mov	eax, [ebp+var_4]
		sub	edi, esi
		push	edi
		push	esi
		add	eax, 8
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	eax, [ebp+var_18]
		mov	edx, ebx
		add	eax, edi
		add	eax, esi
		imul	esi, [ebp+var_8]
		mov	[ebp+var_20], eax
		mov	eax, edi
		imul	eax, [ebp+var_8]
		imul	ecx, esi, 1Ch
		add	[ebp+var_C], eax
		add	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_18], ecx
		movzx	eax, byte ptr [ecx+16h]
		shr	eax, 6
		mov	[ebp+var_14], eax
		test	edi, edi
		jz	short loc_99DCB6
		imul	eax, [ebp+var_8], 1Ch
		mov	[ebp+var_1C], eax

loc_99DC75:				; CODE XREF: MiDeleteAweInfoPages(x)+124j
		movzx	eax, byte ptr [ecx+16h]
		shr	eax, 6
		cmp	eax, [ebp+var_14]
		jz	short loc_99DCA8
		push	ebx
		mov	ecx, esi
		call	_MiFreeMdlPageRun@12 ; MiFreeMdlPageRun(x,x,x)
		mov	ecx, [ebp+var_18]
		push	1Ch
		pop	esi
		movzx	eax, byte ptr [ecx+16h]
		shr	eax, 6
		mov	[ebp+var_14], eax
		mov	eax, ecx
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	esi
		mov	edx, ebx
		mov	esi, eax

loc_99DCA8:				; CODE XREF: MiDeleteAweInfoPages(x)+EFj
		add	ecx, [ebp+var_1C]
		add	edx, [ebp+var_8]
		mov	[ebp+var_18], ecx
		sub	edi, 1
		jnz	short loc_99DC75

loc_99DCB6:				; CODE XREF: MiDeleteAweInfoPages(x)+DCj
		push	ebx
		mov	ecx, esi
		call	_MiFreeMdlPageRun@12 ; MiFreeMdlPageRun(x,x,x)
		mov	eax, [ebp+var_4]
		mov	edi, [ebp+var_20]
		add	eax, 8
		cmp	edi, [eax]
		jb	loc_99DBF0

loc_99DCCF:				; CODE XREF: MiDeleteAweInfoPages(x)+6Dj
					; MiDeleteAweInfoPages(x)+76j
		mov	edx, [ebp+var_C]
		test	edx, edx
		jz	short loc_99DCFA
		mov	edi, [ebp+var_24]
		mov	esi, edx
		neg	esi
		mov	ecx, esi
		lea	eax, [edi+111Ch]
		lock xadd [eax], ecx
		cmp	edi, offset _MiSystemPartition
		jnz	short loc_99DCFA
		mov	eax, offset dword_6D3620
		lock xadd [eax], esi

loc_99DCFA:				; CODE XREF: MiDeleteAweInfoPages(x)+144j
					; MiDeleteAweInfoPages(x)+15Fj
		mov	esi, [ebp+var_4]
		mov	ebx, edx

loc_99DCFF:				; CODE XREF: MiDeleteAweInfoPages(x)+5Aj
		mov	edx, [ebp+var_28]
		mov	ecx, esi
		call	_MiUnlockAwePagesExclusive@8 ; MiUnlockAwePagesExclusive(x,x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_MiDeleteAweInfoPages@4	endp


;  S U B	R O U T	I N E 


; __stdcall MiFreeAweView(x)
_MiFreeAweView@4 proc near		; CODE XREF: MiReleaseVadEventBlocks+16162Cp
		lea	edx, [ecx+4]
		mov	ecx, [edx+0Ch]
		push	esi
		mov	esi, [edx+10h]
		cmp	dword ptr [ecx], 0FFFFFFFEh
		jnz	short loc_99DD2B
		cmp	dword ptr [ecx+4], 0FFFFFFFEh
		jnz	short loc_99DD2B
		cmp	dword ptr [ecx+8], 0FFFFFFFEh
		jz	short loc_99DD42

loc_99DD2B:				; CODE XREF: MiFreeAweView(x)+Dj
					; MiFreeAweView(x)+13j
		call	_MiComputeAweCharges@8 ; MiComputeAweCharges(x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_99DD42
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ecx, eax
		call	_MiReturnResident@8 ; MiReturnResident(x,x)

loc_99DD42:				; CODE XREF: MiFreeAweView(x)+19j
					; MiFreeAweView(x)+24j
		test	byte ptr [esi],	1
		jnz	short loc_99DD50
		mov	ecx, [esi+10h]
		pop	esi
		jmp	_MiDereferenceControlArea@4 ; MiDereferenceControlArea(x)
; 

loc_99DD50:				; CODE XREF: MiFreeAweView(x)+35j
		pop	esi
		retn
_MiFreeAweView@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetAweVadPageSize(x)
_MiGetAweVadPageSize@4 proc near	; CODE XREF: MiVadPageTableChargeLevel(x)+29j
		mov	eax, [ecx+1Ch]
		and	eax, 3100000h
		cmp	eax, 2100000h
		jz	short loc_99DD91
		mov	edx, 100h
		call	_MiLocateVadEvent@8 ; MiLocateVadEvent(x,x)
		mov	edx, [eax+14h]
		test	byte ptr [edx],	1
		jnz	short loc_99DD91
		lea	ecx, [eax+4]
		call	_MiGetAweViewPageSize@4	; MiGetAweViewPageSize(x)
		test	eax, eax
		jnz	short loc_99DD86
		mov	ecx, edx
		call	_MiGetAwePageSize@4 ; MiGetAwePageSize(x)

loc_99DD86:				; CODE XREF: MiGetAweVadPageSize(x)+2Bj
		cmp	eax, 200h
		jb	short loc_99DD91
		xor	eax, eax
		inc	eax
		retn
; 

loc_99DD91:				; CODE XREF: MiGetAweVadPageSize(x)+Dj
					; MiGetAweVadPageSize(x)+1Fj ...
		xor	eax, eax
		retn
_MiGetAweVadPageSize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReferenceIncomingPhysicalPages(x,	x, x, x, x, x, x)
_MiReferenceIncomingPhysicalPages@28 proc near
					; CODE XREF: NtMapUserPhysicalPages(x,x,x)+25Cp
					; NtMapUserPhysicalPagesScatter(x,x,x)+287p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[esp+48h+var_28], edx
		mov	[esp+48h+var_4], edi
		mov	eax, [esi+0Ch]
		mov	[esp+48h+var_2C], ebx
		mov	[esp+48h+var_20], eax
		mov	ecx, [eax+1Ch]
		and	ecx, 1100000h
		mov	[esp+48h+var_1C], ecx
		mov	ecx, eax
		call	_MiGetVadCacheAttribute@4 ; MiGetVadCacheAttribute(x)
		mov	ecx, edi
		mov	[esp+48h+var_10], eax
		mov	[esp+48h+var_24], ebx
		call	_MiGetAwePageSize@4 ; MiGetAwePageSize(x)
		mov	edx, eax
		mov	ecx, esi
		mov	[esp+48h+var_3C], edx
		call	_MiGetAweViewPageSize@4	; MiGetAweViewPageSize(x)
		mov	ecx, eax
		mov	[esp+48h+var_38], ecx
		test	ecx, ecx
		jnz	short loc_99DDFA
		mov	[esp+48h+var_38], edx

loc_99DDFA:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+60j
		mov	eax, [edi+8]
		mov	[esp+48h+var_C], eax
		mov	eax, [edi+0Ch]
		mov	edi, ebx
		mov	[esp+48h+var_8], eax
		mov	eax, [ebp+arg_10]
		mov	[esp+48h+var_30], eax
		mov	[esp+48h+var_34], edi
		cmp	[ebp+arg_0], ebx
		jbe	loc_99DEC8
		mov	eax, [ebp+arg_4]
		mov	ecx, [esp+48h+var_28]

loc_99DE25:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+12Aj
		mov	esi, [ecx+edi*4]
		mov	[esp+48h+var_14], esi
		test	eax, eax
		jz	loc_99DEEB
		test	esi, esi
		jnz	short loc_99DE3B
		inc	edi
		jmp	short loc_99DEB7
; 

loc_99DE3B:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+A2j
		mov	edx, [eax+edi*4]
		mov	ecx, edx
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, [esp+48h+var_20]
		mov	[esp+48h+var_30], eax
		mov	eax, [ecx+0Ch]
		shl	eax, 0Ch
		cmp	edx, eax
		jb	short loc_99DE6A
		mov	eax, [ecx+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	edx, eax
		jbe	loc_99DEEB

loc_99DE6A:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+C1j
		mov	ecx, edx
		call	_MiGetAweNode@4	; MiGetAweNode(x)
		mov	edx, eax
		mov	ecx, edx
		call	_MiGetAweViewPageSize@4	; MiGetAweViewPageSize(x)
		test	eax, eax
		jnz	short loc_99DE82
		mov	eax, [esp+48h+var_3C]

loc_99DE82:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+E8j
		cmp	eax, [esp+48h+var_38]
		jnz	short loc_99DEA3
		mov	ecx, [edx+0Ch]
		mov	edx, 1100000h
		mov	[esp+48h+var_20], ecx
		mov	eax, [ecx+1Ch]
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_99DEDA
		cmp	[esp+48h+var_1C], edx
		jz	short loc_99DEE0

loc_99DEA3:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+F2j
					; MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+14Aj	...
		mov	[ebp+arg_0], edi
		mov	edi, ebx
		mov	[esp+48h+var_2C], 0C0000018h

loc_99DEB0:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+28Cj
		mov	ecx, [esp+48h+var_28]
		mov	eax, [ebp+arg_4]

loc_99DEB7:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+A5j
		mov	[esp+48h+var_34], edi
		cmp	edi, [ebp+arg_0]
		jb	loc_99DE25
		mov	ebx, [esp+48h+var_24]

loc_99DEC8:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+84j
		mov	eax, [ebp+arg_8]
		pop	edi
		pop	esi
		mov	[eax], ebx
		mov	eax, [esp+40h+var_2C]
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_99DEDA:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+107j
		cmp	[esp+48h+var_1C], edx
		jz	short loc_99DEA3

loc_99DEE0:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+10Dj
		call	_MiGetVadCacheAttribute@4 ; MiGetVadCacheAttribute(x)
		cmp	[esp+48h+var_10], eax
		jnz	short loc_99DEA3

loc_99DEEB:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+9Aj
					; MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+D0j
		mov	eax, esi
		xor	edx, edx
		div	[esp+48h+var_3C]
		mov	esi, eax
		cmp	esi, [esp+48h+var_C]
		jnb	short loc_99DEA3
		mov	ecx, [esp+48h+var_38]
		lea	eax, [ecx-1]
		test	[esp+48h+var_14], eax
		jnz	short loc_99DEA3
		xor	edx, edx
		mov	[esp+48h+var_18], ebx
		mov	eax, ecx
		div	[esp+48h+var_3C]
		mov	edx, eax
		test	edx, edx
		jz	short loc_99DF4A

loc_99DF1A:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+1B0j
		mov	ebx, [esp+48h+var_8]
		mov	eax, esi
		shr	eax, 5
		mov	ecx, esi
		and	ecx, 1Fh
		push	0
		mov	eax, [ebx+eax*4]
		shr	eax, cl
		pop	ebx
		test	al, 1
		jz	loc_99DEA3
		mov	eax, [esp+48h+var_18]
		inc	eax
		inc	esi
		mov	[esp+48h+var_18], eax
		cmp	eax, edx
		jb	short loc_99DF1A
		mov	ecx, [esp+48h+var_38]

loc_99DF4A:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+184j
		imul	esi, [esp+48h+var_14], 1Ch
		add	esi, ds:_MmPfnDatabase
		cmp	[esp+48h+var_2C], 0
		jl	loc_99DFE0
		mov	edi, ebx
		test	ecx, ecx
		jz	loc_99E010
		imul	eax, [esp+48h+var_3C], 1Ch
		mov	[esp+48h+var_14], eax

loc_99DF73:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+20Fj
		push	[esp+48h+var_30]
		mov	ecx, [esp+4Ch+var_4]
		mov	edx, esi
		push	[esp+4Ch+var_10]
		call	_MiIncrementAweMapCount@16 ; MiIncrementAweMapCount(x,x,x,x)
		mov	[esp+48h+var_2C], eax
		test	eax, eax
		js	short loc_99DFA7
		imul	eax, [esp+48h+var_3C], 1Ch
		add	edi, [esp+48h+var_3C]
		mov	ecx, [esp+48h+var_38]
		add	esi, eax
		mov	[esp+48h+var_14], eax
		cmp	edi, ecx
		jb	short loc_99DF73
		jmp	short loc_99E010
; 

loc_99DFA7:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+1F8j
		test	edi, edi
		jz	short loc_99DFC2

loc_99DFAB:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+22Cj
		sub	esi, [esp+48h+var_14]
		lea	eax, [esp+48h+var_24]
		push	ebx
		push	eax
		mov	edx, esi
		call	_MiDecrementAweMapCount@16 ; MiDecrementAweMapCount(x,x,x,x)
		sub	edi, [esp+48h+var_3C]
		jnz	short loc_99DFAB

loc_99DFC2:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+215j
		mov	ecx, [esp+48h+var_38]
		mov	eax, ecx
		mov	edi, [ebp+arg_10]
		shl	eax, 3
		sub	edi, eax
		mov	eax, [esp+48h+var_34]
		mov	[esp+48h+var_30], edi
		or	edi, 0FFFFFFFFh
		mov	[ebp+arg_0], eax
		jmp	short loc_99E014
; 

loc_99DFE0:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+1C6j
		mov	[esp+48h+var_14], ebx
		test	ecx, ecx
		jz	short loc_99E014
		imul	eax, [esp+48h+var_3C], 1Ch
		mov	edi, ebx
		mov	[esp+48h+var_18], eax

loc_99DFF3:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+27Aj
		push	ebx
		lea	eax, [esp+4Ch+var_24]
		mov	edx, esi
		push	eax
		call	_MiDecrementAweMapCount@16 ; MiDecrementAweMapCount(x,x,x,x)
		add	edi, [esp+48h+var_3C]
		add	esi, [esp+48h+var_18]
		mov	ecx, [esp+48h+var_38]
		cmp	edi, ecx
		jb	short loc_99DFF3

loc_99E010:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+1D0j
					; MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+211j
		mov	edi, [esp+48h+var_34]

loc_99E014:				; CODE XREF: MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+24Aj
					; MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)+252j
		mov	eax, [esp+48h+var_30]
		inc	edi
		lea	eax, [eax+ecx*8]
		mov	[esp+48h+var_30], eax
		jmp	loc_99DEB0
_MiReferenceIncomingPhysicalPages@28 endp


;  S U B	R O U T	I N E 


; __stdcall MiRemoveUserPhysicalPagesView(x)
_MiRemoveUserPhysicalPagesView@4 proc near ; CODE XREF:	MiDeleteVad(x,x,x)+116p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, [edi+1Ch]
		and	eax, 3100000h
		cmp	eax, 2100000h
		jnz	short loc_99E03F
		xor	eax, eax
		jmp	short loc_99E07F
; 

loc_99E03F:				; CODE XREF: MiRemoveUserPhysicalPagesView(x)+14j
		mov	ebx, large fs:124h
		mov	ecx, ebx
		mov	eax, [ebx+80h]
		mov	esi, [eax+24Ch]
		call	_MiLockAweVadsExclusive@4 ; MiLockAweVadsExclusive(x)
		mov	ecx, [edi+0Ch]
		add	esi, 0A0h
		mov	edx, esi
		call	_MiLocatePhysicalViewInTree@8 ;	MiLocatePhysicalViewInTree(x,x)
		mov	edi, eax
		push	edi
		push	esi
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	ecx, ebx
		call	_MiUnlockAweVadsExclusive@4 ; MiUnlockAweVadsExclusive(x)
		and	dword ptr [edi+8], 0
		mov	eax, edi

loc_99E07F:				; CODE XREF: MiRemoveUserPhysicalPagesView(x)+18j
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiRemoveUserPhysicalPagesView@4 endp ;	sp = -8


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiResizeAweBitMap(x)
_MiResizeAweBitMap@4 proc near		; CODE XREF: MiAllocateUserPhysicalPages(x,x,x,x,x)+4B4p

var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ecx
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		test	byte ptr [eax],	1
		push	edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ebx
		jz	short loc_99E0AA
		mov	ebx, [ebx+80h]
		jmp	short loc_99E0AC
; 

loc_99E0AA:				; CODE XREF: MiResizeAweBitMap(x)+1Dj
		xor	ebx, ebx

loc_99E0AC:				; CODE XREF: MiResizeAweBitMap(x)+25j
		push	0Bh
		pop	ecx
		mov	esi, eax
		lea	edi, [ebp+var_3C]
		rep movsd
		lea	ecx, [ebp+var_3C]
		call	_MiCreateAweInfoBitMap@4 ; MiCreateAweInfoBitMap(x)
		test	eax, eax
		js	loc_99E179
		mov	edi, [ebp+var_8]
		mov	esi, [ebp+var_4]
		test	ebx, ebx
		jz	short loc_99E0FC
		mov	edx, ebx
		mov	ecx, esi
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		test	byte ptr [ebx+0FCh], 20h
		jz	short loc_99E0FC
		mov	edx, ebx
		mov	ecx, esi
		call	UNLOCK_ADDRESS_SPACE
		lea	edx, [ebp+var_34]
		mov	ecx, ebx
		call	_MiDeleteAweBitMap@8 ; MiDeleteAweBitMap(x,x)
		mov	eax, 0C000010Ah
		jmp	short loc_99E179
; 

loc_99E0FC:				; CODE XREF: MiResizeAweBitMap(x)+4Bj
					; MiResizeAweBitMap(x)+5Dj
		mov	edx, esi
		mov	ecx, edi
		call	_MiLockAwePagesExclusive@8 ; MiLockAwePagesExclusive(x,x)
		mov	ecx, [ebp+var_34]
		lea	eax, [edi+8]
		cmp	ecx, [eax]
		ja	short loc_99E12A
		mov	edx, esi
		mov	ecx, edi
		call	_MiUnlockAwePagesExclusive@8 ; MiUnlockAwePagesExclusive(x,x)
		test	ebx, ebx
		jz	short loc_99E125
		mov	edx, ebx
		mov	ecx, esi
		call	UNLOCK_ADDRESS_SPACE

loc_99E125:				; CODE XREF: MiResizeAweBitMap(x)+97j
		lea	edx, [ebp+var_34]
		jmp	short loc_99E170
; 

loc_99E12A:				; CODE XREF: MiResizeAweBitMap(x)+8Aj
		push	0
		lea	ecx, [ebp+var_34]
		push	ecx
		push	eax
		call	RtlCopyBitMap
		mov	eax, [edi+8]
		mov	edx, esi
		mov	[ebp+var_10], eax
		mov	ecx, edi
		mov	eax, [edi+0Ch]
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_34]
		mov	[edi+8], eax
		mov	eax, [ebp+var_30]
		mov	[edi+0Ch], eax
		call	_MiUnlockAwePagesExclusive@8 ; MiUnlockAwePagesExclusive(x,x)
		test	ebx, ebx
		jz	short loc_99E167
		mov	edx, ebx
		mov	ecx, esi
		call	UNLOCK_ADDRESS_SPACE

loc_99E167:				; CODE XREF: MiResizeAweBitMap(x)+D9j
		cmp	[ebp+var_8], 0
		jz	short loc_99E177
		lea	edx, [ebp+var_10]

loc_99E170:				; CODE XREF: MiResizeAweBitMap(x)+A5j
		mov	ecx, ebx
		call	_MiDeleteAweBitMap@8 ; MiDeleteAweBitMap(x,x)

loc_99E177:				; CODE XREF: MiResizeAweBitMap(x)+E8j
		xor	eax, eax

loc_99E179:				; CODE XREF: MiResizeAweBitMap(x)+3Dj
					; MiResizeAweBitMap(x)+77j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiResizeAweBitMap@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiScrubProcessPhysicalPages(x)
_MiScrubProcessPhysicalPages@4 proc near ; CODE	XREF: MiScrubProcesses(x,x)+96p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	[ebp+var_C], ecx
		mov	ecx, edi
		mov	esi, [edi+80h]
		call	_MiLockAweVadsExclusive@4 ; MiLockAweVadsExclusive(x)
		mov	eax, [esi+24Ch]
		mov	esi, [eax+9Ch]
		test	esi, esi
		jz	loc_99E2B3
		mov	ecx, esi
		call	_MiGetAwePageSize@4 ; MiGetAwePageSize(x)
		xor	ebx, ebx
		mov	[ebp+var_14], eax
		mov	edx, edi
		mov	[ebp+var_10], ebx
		call	_MiLockAwePagesExclusive@8 ; MiLockAwePagesExclusive(x,x)
		mov	ecx, [ebp+var_C]
		call	_MiScrubInterrupted@4 ;	MiScrubInterrupted(x)
		test	eax, eax
		jnz	loc_99E2AA
		lea	eax, [esi+8]

loc_99E1DD:				; CODE XREF: MiScrubProcessPhysicalPages(x)+126j
		push	ebx
		push	1
		push	eax
		call	RtlFindSetBits
		mov	ebx, eax
		mov	[ebp+var_20], ebx
		cmp	ebx, [ebp+var_10]
		jb	loc_99E2AA
		cmp	ebx, 0FFFFFFFFh
		jz	loc_99E2AA
		mov	ecx, [ebp+var_14]
		mov	eax, ecx
		and	[ebp+var_10], 0
		imul	eax, ebx
		mov	[ebp+var_18], eax
		imul	eax, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jz	short loc_99E28E
		mov	eax, ebx
		shr	eax, 3
		mov	[ebp+var_1C], eax
		mov	al, bl
		mov	ebx, [ebp+var_18]
		and	al, 7
		mov	[ebp+var_1], al

loc_99E22E:				; CODE XREF: MiScrubProcessPhysicalPages(x)+10Bj
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		push	esi
		call	_MiScrubAwePage@12 ; MiScrubAwePage(x,x,x)
		test	eax, eax
		jns	short loc_99E248
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		inc	edx
		call	_MiMakePageBad@8 ; MiMakePageBad(x,x)

loc_99E248:				; CODE XREF: MiScrubProcessPhysicalPages(x)+BDj
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlockAwePagesExclusive@8 ; MiUnlockAwePagesExclusive(x,x)
		mov	ecx, edi
		call	_MiUnlockAweVadsExclusive@4 ; MiUnlockAweVadsExclusive(x)
		add	[ebp+var_8], 1Ch
		mov	ecx, edi
		inc	ebx
		call	_MiLockAweVadsExclusive@4 ; MiLockAweVadsExclusive(x)
		mov	edx, edi
		mov	ecx, esi
		call	_MiLockAwePagesExclusive@8 ; MiLockAwePagesExclusive(x,x)
		mov	ecx, [ebp+var_1C]
		mov	eax, [esi+0Ch]
		mov	al, [ecx+eax]
		mov	cl, [ebp+var_1]
		sar	al, cl
		test	al, 1
		jz	short loc_99E28B
		mov	eax, [ebp+var_10]
		inc	eax
		mov	[ebp+var_10], eax
		cmp	eax, [ebp+var_14]
		jb	short loc_99E22E

loc_99E28B:				; CODE XREF: MiScrubProcessPhysicalPages(x)+FFj
		mov	ebx, [ebp+var_20]

loc_99E28E:				; CODE XREF: MiScrubProcessPhysicalPages(x)+9Cj
		inc	ebx
		mov	[ebp+var_10], ebx
		cmp	ebx, [esi+8]
		jnb	short loc_99E2AA
		mov	ecx, [ebp+var_C]
		call	_MiScrubInterrupted@4 ;	MiScrubInterrupted(x)
		test	eax, eax
		lea	eax, [esi+8]
		jz	loc_99E1DD

loc_99E2AA:				; CODE XREF: MiScrubProcessPhysicalPages(x)+56j
					; MiScrubProcessPhysicalPages(x)+70j ...
		mov	edx, edi
		mov	ecx, esi
		call	_MiUnlockAwePagesExclusive@8 ; MiUnlockAwePagesExclusive(x,x)

loc_99E2B3:				; CODE XREF: MiScrubProcessPhysicalPages(x)+30j
		mov	ecx, edi
		call	_MiUnlockAweVadsExclusive@4 ; MiUnlockAweVadsExclusive(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiScrubProcessPhysicalPages@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiValidateUserPhysicalExternalFlags(x)
_MiValidateUserPhysicalExternalFlags@4 proc near ; CODE	XREF: MiCreatePagingFileMap(x)+41p
		test	ecx, 2BF7FFFFh
		jnz	short loc_99E2F2
		test	ecx, 4000000h
		jz	short loc_99E2F2
		test	ecx, 8000000h
		jnz	short loc_99E2F2
		mov	edx, 80080000h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jz	short loc_99E2F2
		mov	eax, 50000000h
		and	ecx, eax
		cmp	ecx, eax
		jz	short loc_99E2F2
		xor	eax, eax
		retn
; 

loc_99E2F2:				; CODE XREF: MiValidateUserPhysicalExternalFlags(x)+6j
					; MiValidateUserPhysicalExternalFlags(x)+Ej ...
		mov	eax, 0C000000Dh
		retn
_MiValidateUserPhysicalExternalFlags@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAllocateUserPhysicalPages(x, x, x)
_NtAllocateUserPhysicalPages@12	proc near ; DATA XREF: .text:00581258o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		push	[ebp+arg_8]
		call	_MiAllocateUserPhysicalPages@20	; MiAllocateUserPhysicalPages(x,x,x,x,x)
		pop	ebp
		retn	0Ch
_NtAllocateUserPhysicalPages@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAllocateUserPhysicalPagesEx(x, x,	x, x, x)
_NtAllocateUserPhysicalPagesEx@20 proc near ; DATA XREF: .text:0058125Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_8]
		call	_MiAllocateUserPhysicalPages@20	; MiAllocateUserPhysicalPages(x,x,x,x,x)
		pop	ebp
		retn	14h
_NtAllocateUserPhysicalPagesEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtFreeUserPhysicalPages(x, x, x)
_NtFreeUserPhysicalPages@12 proc near	; DATA XREF: .text:00581030o

var_888		= dword	ptr -888h
var_884		= dword	ptr -884h
var_880		= dword	ptr -880h
var_87C		= dword	ptr -87Ch
var_878		= dword	ptr -878h
var_874		= dword	ptr -874h
var_870		= dword	ptr -870h
var_86C		= dword	ptr -86Ch
var_868		= dword	ptr -868h
var_864		= dword	ptr -864h
var_85D		= byte ptr -85Dh
var_85C		= dword	ptr -85Ch
var_858		= dword	ptr -858h
var_854		= dword	ptr -854h
var_850		= dword	ptr -850h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	878h
		push	offset dword_6A8A90
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_878], eax
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_880], esi
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_870], eax
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		push	81Ch		; size_t
		xor	edi, edi
		push	edi		; int
		lea	eax, [ebp+var_850]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_868], edi
		mov	[ebp+var_858], edi
		mov	[ebp+var_854], edi
		mov	eax, large fs:124h
		mov	[ebp+var_874], eax
		mov	ebx, [eax+80h]
		mov	[ebp+var_85C], ebx
		mov	al, [eax+15Ah]
		mov	[ebp+var_85D], al
		mov	byte ptr [ebp+var_87C],	al
		test	al, al
		jnz	short loc_99E3C5
		mov	eax, [esi]
		mov	[ebp+var_864], eax
		jmp	short loc_99E3F0
; 

loc_99E3C5:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+89j
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_99E3D5
		mov	ecx, eax

loc_99E3D5:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+A1j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [esi]
		mov	[ebp+var_864], eax
		mov	[ebp+var_888], eax
		mov	[esi], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_99E3F0:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+93j
		test	eax, eax
		jnz	short loc_99E3FE
		mov	eax, 0C00000F0h
		jmp	loc_99E7AC
; 

loc_99E3FE:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+C2j
		mov	[ebp+var_86C], edi
		lea	edi, [ebp+var_850]
		lea	eax, [ebp+var_858]
		push	eax
		lea	eax, [ebp+var_868]
		push	eax
		push	[ebp+var_87C]
		push	2
		pop	eax
		mov	edx, eax
		mov	ecx, [ebp+var_878]
		call	_MiReferenceAweHandle@20 ; MiReferenceAweHandle(x,x,x,x,x)
		test	eax, eax
		js	loc_99E7AC
		mov	esi, [ebp+var_858]
		test	esi, esi
		jz	short loc_99E452
		mov	ecx, esi
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	eax, [eax+4]
		mov	[ebp+var_86C], eax
		jmp	short loc_99E472
; 

loc_99E452:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+10Ej
		mov	ebx, [ebp+var_868]
		mov	eax, [ebp+var_86C]
		test	ebx, ebx
		jnz	short loc_99E472
		mov	ebx, [ebp+var_85C]
		mov	[ebp+var_854], 4

loc_99E472:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+120j
					; NtFreeUserPhysicalPages(x,x,x)+130j
		and	[ebp+var_868], 0
		test	eax, eax
		jnz	short loc_99E4A2
		mov	eax, [ebx+24Ch]
		mov	eax, [eax+9Ch]
		mov	[ebp+var_86C], eax
		test	eax, eax
		jnz	short loc_99E4A2
		mov	[ebp+var_858], 0C00000EFh
		jmp	loc_99E718
; 

loc_99E4A2:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+14Bj
					; NtFreeUserPhysicalPages(x,x,x)+161j
		mov	ecx, eax
		call	_MiGetAwePageSize@4 ; MiGetAwePageSize(x)
		mov	ecx, eax
		mov	[ebp+var_85C], ecx
		xor	edi, edi
		mov	eax, 200h
		mov	esi, eax
		xor	edx, edx
		div	ecx
		mov	ecx, [ebp+var_864]
		cmp	ecx, eax
		jbe	short loc_99E528
		mov	eax, 0C0000h
		xor	edx, edx
		mov	esi, [ebp+var_85C]
		div	esi
		cmp	ecx, eax
		jbe	short loc_99E4E5
		neg	esi
		and	esi, 0C0000h
		jmp	short loc_99E4E8
; 

loc_99E4E5:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+1A9j
		imul	esi, ecx

loc_99E4E8:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+1B3j
		cmp	esi, 200h
		jbe	short loc_99E528

loc_99E4F0:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+1F0j
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		mov	eax, esi
		shl	eax, 0Ch
		push	eax
		push	ecx
		call	IoAllocateMdl
		mov	edi, eax
		test	edi, edi
		jnz	short loc_99E522
		shr	esi, 1
		dec	esi
		add	esi, [ebp+var_85C]
		mov	ecx, [ebp+var_85C]
		neg	ecx
		and	esi, ecx
		cmp	esi, 200h
		ja	short loc_99E4F0

loc_99E522:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+1D5j
		mov	ecx, [ebp+var_864]

loc_99E528:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+196j
					; NtFreeUserPhysicalPages(x,x,x)+1BEj
		test	edi, edi
		jnz	short loc_99E537
		lea	edi, [ebp+var_850]
		mov	esi, 200h

loc_99E537:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+1FAj
		mov	eax, esi
		xor	edx, edx
		div	[ebp+var_85C]
		mov	edx, eax
		mov	[ebp+var_87C], edx
		mov	esi, [ebp+var_858]

loc_99E54F:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+3CCj
		cmp	ecx, edx
		jnb	short loc_99E55B
		mov	edx, ecx
		mov	[ebp+var_87C], edx

loc_99E55B:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+221j
		mov	ecx, edx
		shl	ecx, 0Ch
		and	dword ptr [edi], 0
		lea	eax, [ecx+0FFFh]
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[edi+4], ax
		xor	eax, eax
		mov	[edi+6], ax
		and	[edi+10h], eax
		and	[edi+18h], eax
		mov	[edi+14h], ecx
		and	[ebp+var_854], 0FFFFFFFEh
		cmp	[ebp+var_85D], al
		jnz	short loc_99E5AF
		mov	eax, edx
		shl	eax, 2
		push	eax		; size_t
		push	[ebp+var_870]	; void *
		lea	eax, [edi+1Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_99E5CC
; 

loc_99E5AF:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+263j
		push	edx
		mov	edx, [ebp+var_870]
		lea	ecx, [edi+1Ch]
		call	_MiCaptureUlongPtrArray@12 ; MiCaptureUlongPtrArray(x,x,x)
		mov	[ebp+var_858], eax
		test	eax, eax
		js	loc_99E718

loc_99E5CC:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+27Dj
		mov	ecx, [ebp+var_874]
		cmp	[ecx+80h], ebx
		jz	short loc_99E5F1
		lea	eax, [ebp+var_34]
		push	eax
		push	ebx
		call	KeStackAttachProcess
		or	[ebp+var_854], 1
		mov	ecx, [ebp+var_874]

loc_99E5F1:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+2A8j
		test	esi, esi
		jnz	short loc_99E609
		mov	edx, ebx
		call	_LOCK_ADDRESS_SPACE@8 ;	LOCK_ADDRESS_SPACE(x,x)
		test	byte ptr [ebx+0FCh], 20h
		jnz	loc_99E701

loc_99E609:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+2C3j
		mov	edx, edi
		mov	ecx, [ebp+var_86C]
		call	_MiFreePhysicalPages@8 ; MiFreePhysicalPages(x,x)
		mov	[ebp+var_858], eax
		mov	eax, [edi+18h]
		mov	[ebp+var_878], eax
		test	eax, eax
		jz	short loc_99E649
		test	esi, esi
		jnz	short loc_99E643
		mov	edx, eax
		imul	edx, [ebp+var_85C]
		mov	ecx, ebx
		call	_MiReturnProcessCommitment@8 ; MiReturnProcessCommitment(x,x)
		mov	eax, [ebp+var_878]

loc_99E643:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+2FBj
		add	[ebp+var_868], eax

loc_99E649:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+2F7j
		test	esi, esi
		jnz	short loc_99E65A
		mov	edx, ebx
		mov	ecx, [ebp+var_874]
		call	UNLOCK_ADDRESS_SPACE

loc_99E65A:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+31Bj
		mov	edx, [edi+14h]
		test	edx, edx
		jz	short loc_99E6A9
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		imul	edx, [ebp+var_85C]
		neg	edx
		mov	ecx, edx
		add	eax, 111Ch
		lock xadd [eax], ecx
		test	esi, esi
		jnz	short loc_99E688
		lea	eax, [ebx+35Ch]
		lock xadd [eax], edx

loc_99E688:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+34Cj
		push	2
		pop	eax
		or	[edi+6], ax
		shl	dword ptr [edi+14h], 0Ch
		mov	edx, [ebp+var_85C]
		mov	ecx, edi
		call	_MiPreparePhysicalPagesMdlForFree@8 ; MiPreparePhysicalPagesMdlForFree(x,x)
		xor	edx, edx
		mov	ecx, edi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)

loc_99E6A9:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+32Fj
		mov	ecx, [ebp+var_864]
		sub	ecx, [ebp+var_878]
		mov	[ebp+var_864], ecx
		cmp	[ebp+var_858], 0
		jnz	short loc_99E718
		test	ecx, ecx
		jz	short loc_99E718
		test	byte ptr [ebp+var_854],	1
		jz	short loc_99E6E7
		lea	eax, [ebp+var_34]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		and	[ebp+var_854], 0FFFFFFFEh
		mov	ecx, [ebp+var_864]

loc_99E6E7:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+39Fj
		mov	edx, [ebp+var_87C]
		mov	eax, [ebp+var_870]
		lea	eax, [eax+edx*4]
		mov	[ebp+var_870], eax
		jmp	loc_99E54F
; 

loc_99E701:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+2D3j
		mov	edx, ebx
		mov	ecx, [ebp+var_874]
		call	UNLOCK_ADDRESS_SPACE
		mov	[ebp+var_858], 0C000010Ah

loc_99E718:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+16Dj
					; NtFreeUserPhysicalPages(x,x,x)+296j ...
		lea	eax, [ebp+var_850]
		cmp	edi, eax
		jz	short loc_99E72D
		and	word ptr [edi+6], 0FFFDh
		push	edi
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_99E72D:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+3F0j
		mov	eax, [ebp+var_854]
		test	al, 1
		jz	short loc_99E746
		lea	eax, [ebp+var_34]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		mov	eax, [ebp+var_854]

loc_99E746:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+405j
		test	al, 4
		jnz	short loc_99E75C
		mov	edx, 68506D4Dh
		test	esi, esi
		mov	ecx, esi
		jnz	short loc_99E757
		mov	ecx, ebx

loc_99E757:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+423j
		call	ObfDereferenceObjectWithTag

loc_99E75C:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+418j
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_880]
		mov	ecx, [ebp+var_868]
		mov	[eax], ecx
		jmp	short loc_99E77A
; 

loc_99E773:				; DATA XREF: .text:006A8AB0o
		xor	eax, eax
		inc	eax
		retn
; 

loc_99E777:				; DATA XREF: .text:006A8AB4o
		mov	esp, [ebp+ms_exc.old_esp]

loc_99E77A:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+441j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_858]
		jmp	short loc_99E7AC
; 

loc_99E789:				; DATA XREF: .text:006A8AA4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_884], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_99E79C:				; DATA XREF: .text:006A8AA8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_884]

loc_99E7AC:				; CODE XREF: NtFreeUserPhysicalPages(x,x,x)+C9j
					; NtFreeUserPhysicalPages(x,x,x)+100j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_NtFreeUserPhysicalPages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtMapUserPhysicalPages(x, x, x)
_NtMapUserPhysicalPages@12 proc	near	; DATA XREF: .text:00580F90o

var_830		= dword	ptr -830h
var_82C		= dword	ptr -82Ch
var_828		= dword	ptr -828h
var_824		= dword	ptr -824h
var_820		= dword	ptr -820h
var_81C		= dword	ptr -81Ch
var_818		= dword	ptr -818h
var_814		= dword	ptr -814h
var_810		= dword	ptr -810h
var_80C		= dword	ptr -80Ch
var_808		= dword	ptr -808h
var_804		= dword	ptr -804h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 830h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_820], ecx
		mov	[ebp+var_828], edx
		mov	[ebp+var_824], edx
		test	edi, edi
		jz	loc_99EA6E
		cmp	edi, 0FFFFFh
		ja	loc_99EA6E
		mov	eax, large fs:124h
		and	esi, 0FFFFF000h
		mov	[ebp+var_80C], esi
		mov	ebx, edx
		mov	[ebp+var_81C], edx
		mov	[ebp+var_810], edx
		mov	[ebp+var_808], eax
		mov	[ebp+var_818], ebx
		test	ecx, ecx
		jz	short loc_99E897
		cmp	edi, 200h
		ja	short loc_99E84D
		lea	ebx, [ebp+var_804]
		mov	[ebp+var_818], ebx
		jmp	short loc_99E87B
; 

loc_99E84D:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+7Fj
		push	edx
		mov	ecx, edi
		mov	edx, 77526D4Dh
		shl	ecx, 2
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_818], ebx
		test	ebx, ebx
		jnz	short loc_99E875
		mov	eax, 0C000009Ah
		jmp	loc_99EA73
; 

loc_99E875:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+ABj
		mov	ecx, [ebp+var_820]

loc_99E87B:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+8Dj
		mov	edx, ecx
		mov	ecx, ebx
		push	edi
		call	_MiCaptureUlongPtrArray@12 ; MiCaptureUlongPtrArray(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_99E8D3
		mov	esi, [ebp+var_80C]
		mov	eax, [ebp+var_808]

loc_99E897:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+77j
		mov	ecx, eax
		call	_MiLockAweVadsShared@4 ; MiLockAweVadsShared(x)
		mov	ecx, esi
		mov	[ebp+var_830], eax
		call	_MiGetAweNode@4	; MiGetAweNode(x)
		mov	[ebp+var_810], eax
		test	eax, eax
		jnz	short loc_99E91D

loc_99E8B5:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+1A9j
		mov	esi, 0C00000EFh

loc_99E8BA:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+1C5j
					; NtMapUserPhysicalPages(x,x,x)+296j
		mov	edi, [ebp+var_808]

loc_99E8C0:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+2ABj
		mov	eax, [ebp+var_830]
		test	eax, eax
		jz	short loc_99E8D3
		mov	edx, eax
		mov	ecx, edi
		call	_MiUnlockAwePagesShared@8 ; MiUnlockAwePagesShared(x,x)

loc_99E8D3:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+CBj
					; NtMapUserPhysicalPages(x,x,x)+10Aj
		mov	ebx, [ebp+var_810]
		xor	edi, edi

loc_99E8DB:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+135j
		mov	edx, [ebp+edi*4+var_828]
		test	edx, edx
		jz	short loc_99E8EF
		push	0
		mov	ecx, ebx
		call	_MiFreePhysicalPageChain@12 ; MiFreePhysicalPageChain(x,x,x)

loc_99E8EF:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+126j
		inc	edi
		cmp	edi, 2
		jb	short loc_99E8DB
		cmp	[ebp+var_820], 0
		mov	ebx, [ebp+var_818]
		jz	short loc_99E916
		lea	eax, [ebp+var_804]
		cmp	ebx, eax
		jz	short loc_99E916
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99E916:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+144j
					; NtMapUserPhysicalPages(x,x,x)+14Ej
		mov	eax, esi
		jmp	loc_99EA73
; 

loc_99E91D:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+F5j
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_80C], ecx
		mov	ecx, [eax+10h]
		mov	[ebp+var_814], ecx
		mov	ecx, eax
		call	_MiGetAweViewPageSize@4	; MiGetAweViewPageSize(x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_99E949
		mov	ecx, [ebp+var_814]
		call	_MiGetAwePageSize@4 ; MiGetAwePageSize(x)
		mov	edx, eax

loc_99E949:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+17Cj
		xor	eax, eax
		cmp	edx, 200h
		setz	al
		mov	[ebp+var_82C], eax
		cmp	edx, 1
		jz	short loc_99E96D
		mov	eax, edx
		shl	eax, 0Ch
		dec	eax
		test	eax, esi
		jnz	loc_99E8B5

loc_99E96D:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+19Fj
		mov	eax, edi
		lea	ecx, [esi-1]
		imul	eax, edx
		shl	eax, 0Ch
		add	ecx, eax
		cmp	ecx, esi
		ja	short loc_99E988
		mov	esi, 0C00000F0h
		jmp	loc_99E8BA
; 

loc_99E988:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+1BEj
		mov	eax, [ebp+var_80C]
		mov	eax, [eax+0Ch]
		shl	eax, 0Ch
		cmp	esi, eax
		jb	loc_99EA47
		mov	eax, [ebp+var_80C]
		mov	eax, [eax+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	ecx, eax
		ja	loc_99EA47
		mov	ecx, esi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	esi, eax
		mov	[ebp+var_80C], esi
		cmp	edx, 200h
		jnz	short loc_99E9E6
		mov	edx, [ebp+var_82C]

loc_99E9D2:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+220j
		mov	ecx, esi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	esi, eax
		sub	edx, 1
		jnz	short loc_99E9D2
		mov	[ebp+var_80C], eax

loc_99E9E6:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+20Cj
		mov	edx, [ebp+var_808]
		mov	ecx, [ebp+var_814]
		call	_MiLockAwePagesShared@8	; MiLockAwePagesShared(x,x)
		mov	[ebp+var_81C], eax
		test	ebx, ebx
		jz	short loc_99EA25
		mov	ecx, [ebp+var_814]
		lea	eax, [ebp+var_828]
		push	esi
		push	[ebp+var_810]
		mov	edx, ebx
		push	eax
		push	0
		push	edi
		call	_MiReferenceIncomingPhysicalPages@28 ; MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_99EA4C

loc_99EA25:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+241j
		mov	ecx, [ebp+var_810]
		mov	edx, ebx
		push	1
		push	[ebp+var_80C]
		push	0
		push	edi
		call	_MiWriteAwePtes@24 ; MiWriteAwePtes(x,x,x,x,x,x)
		mov	[ebp+var_824], eax
		xor	esi, esi
		jmp	short loc_99EA4C
; 

loc_99EA47:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+1D8j
					; NtMapUserPhysicalPages(x,x,x)+1F1j
		mov	esi, 0C00000EFh

loc_99EA4C:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+265j
					; NtMapUserPhysicalPages(x,x,x)+287j
		mov	eax, [ebp+var_81C]
		test	eax, eax
		jz	loc_99E8BA
		mov	edi, [ebp+var_808]
		mov	edx, eax
		mov	ecx, edi
		call	_MiUnlockAwePagesShared@8 ; MiUnlockAwePagesShared(x,x)
		jmp	loc_99E8C0
; 

loc_99EA6E:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+37j
					; NtMapUserPhysicalPages(x,x,x)+43j
		mov	eax, 0C00000F0h

loc_99EA73:				; CODE XREF: NtMapUserPhysicalPages(x,x,x)+B2j
					; NtMapUserPhysicalPages(x,x,x)+15Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_NtMapUserPhysicalPages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtMapUserPhysicalPagesScatter(x, x,	x)
_NtMapUserPhysicalPagesScatter@12 proc near ; DATA XREF: .text:00580F8Co

var_1038	= dword	ptr -1038h
var_1034	= dword	ptr -1034h
var_1030	= dword	ptr -1030h
var_102C	= dword	ptr -102Ch
var_1028	= dword	ptr -1028h
var_1024	= dword	ptr -1024h
var_1020	= dword	ptr -1020h
var_101C	= dword	ptr -101Ch
var_1018	= dword	ptr -1018h
var_1014	= dword	ptr -1014h
var_1010	= dword	ptr -1010h
var_100C	= dword	ptr -100Ch
var_1008	= dword	ptr -1008h
var_1004	= dword	ptr -1004h
var_804		= dword	ptr -804h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, 1038h
		call	__chkstk
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		xor	esi, esi
		push	800h		; size_t
		mov	[ebp+var_1010],	eax
		lea	eax, [ebp+var_804]
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_1024],	edi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_1030],	esi
		mov	[ebp+var_102C],	esi
		cmp	ebx, 0FFFFFh
		jbe	short loc_99EAEA
		mov	eax, 0C00000F0h
		jmp	loc_99EDBB
; 

loc_99EAEA:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+5Aj
		mov	eax, large fs:124h
		mov	ecx, ebx
		mov	[ebp+var_1018],	esi
		mov	[ebp+var_1014],	esi
		lea	esi, [ebp+var_804]
		shl	ecx, 2
		mov	[ebp+var_100C],	eax
		mov	[ebp+var_101C],	esi
		cmp	ebx, 200h
		jbe	short loc_99EB48
		test	edi, edi
		jz	short loc_99EB24
		mov	ecx, ebx
		shl	ecx, 3

loc_99EB24:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+99j
		push	0
		push	40h
		mov	edx, 77526D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_101C],	esi
		test	esi, esi
		jnz	short loc_99EB48
		mov	eax, 0C000009Ah
		jmp	loc_99EDBB
; 

loc_99EB48:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+95j
					; NtMapUserPhysicalPagesScatter(x,x,x)+B8j
		mov	edx, [ebp+var_1010]
		mov	ecx, esi
		push	ebx
		mov	[ebp+var_1020],	esi
		call	_MiCaptureUlongPtrArray@12 ; MiCaptureUlongPtrArray(x,x,x)
		mov	edi, eax
		mov	[ebp+var_1008],	edi
		test	edi, edi
		js	loc_99ED79
		test	ebx, ebx
		jnz	short loc_99EB77
		xor	eax, eax
		jmp	loc_99EDBB
; 

loc_99EB77:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+EAj
		mov	edx, [ebp+var_1024]
		test	edx, edx
		jz	short loc_99EBB0
		lea	eax, [ebp+var_1004]
		cmp	ebx, 200h
		jbe	short loc_99EB92
		lea	eax, [esi+ebx*4]

loc_99EB92:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+109j
		push	ebx
		mov	ecx, eax
		mov	[ebp+var_1014],	eax
		call	_MiCaptureUlongPtrArray@12 ; MiCaptureUlongPtrArray(x,x,x)
		mov	edi, eax
		mov	[ebp+var_1008],	edi
		test	edi, edi
		js	loc_99ED79

loc_99EBB0:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+FBj
		mov	ecx, [ebp+var_100C]
		lea	eax, [esi+ebx*4]
		mov	esi, [esi]
		xor	edi, edi
		mov	[ebp+var_1034],	eax
		mov	[ebp+var_1008],	edi
		call	_MiLockAweVadsShared@4 ; MiLockAweVadsShared(x)
		mov	ecx, esi
		mov	[ebp+var_1038],	eax
		call	_MiGetAweNode@4	; MiGetAweNode(x)
		test	eax, eax
		jz	loc_99ED56
		test	byte ptr [eax+14h], 3
		jnz	loc_99ED56
		mov	esi, [eax+0Ch]
		mov	[ebp+var_1018],	eax
		mov	eax, [eax+10h]
		mov	[ebp+var_1010],	eax
		mov	ecx, [esi+1Ch]
		and	ecx, 1100000h
		mov	[ebp+var_1024],	ecx
		mov	ecx, eax
		call	_MiGetAwePageSize@4 ; MiGetAwePageSize(x)
		mov	edx, eax
		mov	eax, [ebp+var_1020]
		mov	[ebp+var_1028],	edx

loc_99EC23:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+248j
		mov	ecx, [eax]
		cmp	edx, 1
		jnz	short loc_99EC2E
		mov	edx, ecx
		jmp	short loc_99EC3F
; 

loc_99EC2E:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+1A4j
		shl	edx, 0Ch
		lea	eax, [edx-1]
		test	eax, ecx
		jnz	loc_99ED56
		dec	edx
		add	edx, ecx

loc_99EC3F:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+1A8j
		mov	eax, [esi+0Ch]
		shl	eax, 0Ch
		cmp	ecx, eax
		jb	short loc_99EC58
		mov	eax, [esi+10h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		cmp	edx, eax
		jbe	short loc_99ECA9

loc_99EC58:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+1C3j
		call	_MiGetAweNode@4	; MiGetAweNode(x)
		test	eax, eax
		jz	loc_99ED56
		test	byte ptr [eax+14h], 3
		jnz	loc_99ED56
		mov	ecx, [ebp+var_1010]
		cmp	[eax+10h], ecx
		jnz	loc_99ED56
		mov	esi, [eax+0Ch]
		mov	edx, 1100000h
		mov	eax, [esi+1Ch]
		and	eax, edx
		cmp	[ebp+var_1024],	edx
		jnz	short loc_99ECA3
		cmp	eax, edx
		jz	short loc_99ECAF

loc_99EC97:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+223j
		mov	[ebp+var_1008],	0C00000EFh
		jmp	short loc_99ECAF
; 

loc_99ECA3:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+20Dj
		cmp	eax, edx
		jnz	short loc_99ECAF
		jmp	short loc_99EC97
; 

loc_99ECA9:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+1D2j
		mov	ecx, [ebp+var_1010]

loc_99ECAF:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+211j
					; NtMapUserPhysicalPagesScatter(x,x,x)+21Dj ...
		mov	eax, [ebp+var_1020]
		add	eax, 4
		mov	[ebp+var_1020],	eax
		cmp	eax, [ebp+var_1034]
		jnb	short loc_99ECD1
		mov	edx, [ebp+var_1028]
		jmp	loc_99EC23
; 

loc_99ECD1:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+240j
		mov	edx, [ebp+var_100C]
		call	_MiLockAwePagesShared@8	; MiLockAwePagesShared(x,x)
		mov	esi, [ebp+var_101C]
		mov	[ebp+var_1028],	eax
		mov	eax, [ebp+var_1014]
		test	eax, eax
		jz	short loc_99ED22
		push	0
		push	[ebp+var_1018]
		lea	ecx, [ebp+var_1030]
		mov	edx, eax
		push	ecx
		mov	ecx, [ebp+var_1010]
		push	esi
		push	ebx
		call	_MiReferenceIncomingPhysicalPages@28 ; MiReferenceIncomingPhysicalPages(x,x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_1008],	edi
		test	edi, edi
		js	short loc_99ED3B
		mov	eax, [ebp+var_1014]

loc_99ED22:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+26Cj
		mov	ecx, [ebp+var_1018]
		mov	edx, eax
		push	1
		push	0
		push	esi
		push	ebx
		call	_MiWriteAwePtes@24 ; MiWriteAwePtes(x,x,x,x,x,x)
		mov	[ebp+var_102C],	eax

loc_99ED3B:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+296j
		mov	eax, [ebp+var_1028]
		test	eax, eax
		jz	short loc_99ED60
		mov	ebx, [ebp+var_100C]
		mov	edx, eax
		mov	ecx, ebx
		call	_MiUnlockAwePagesShared@8 ; MiUnlockAwePagesShared(x,x)
		jmp	short loc_99ED66
; 

loc_99ED56:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+159j
					; NtMapUserPhysicalPagesScatter(x,x,x)+163j ...
		mov	[ebp+var_1008],	0C00000EFh

loc_99ED60:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+2BFj
		mov	ebx, [ebp+var_100C]

loc_99ED66:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+2D0j
		mov	eax, [ebp+var_1038]
		test	eax, eax
		jz	short loc_99ED79
		mov	edx, eax
		mov	ecx, ebx
		call	_MiUnlockAwePagesShared@8 ; MiUnlockAwePagesShared(x,x)

loc_99ED79:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+E2j
					; NtMapUserPhysicalPagesScatter(x,x,x)+126j ...
		mov	edi, [ebp+var_1018]
		xor	esi, esi

loc_99ED81:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+315j
		mov	edx, [ebp+esi*4+var_1030]
		test	edx, edx
		jz	short loc_99ED95
		push	0
		mov	ecx, edi
		call	_MiFreePhysicalPageChain@12 ; MiFreePhysicalPageChain(x,x,x)

loc_99ED95:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+306j
		inc	esi
		cmp	esi, 2
		jb	short loc_99ED81
		mov	eax, [ebp+var_101C]
		lea	ecx, [ebp+var_804]
		mov	edi, [ebp+var_1008]
		cmp	eax, ecx
		jz	short loc_99EDB9
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99EDB9:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+32Bj
		mov	eax, edi

loc_99EDBB:				; CODE XREF: NtMapUserPhysicalPagesScatter(x,x,x)+61j
					; NtMapUserPhysicalPagesScatter(x,x,x)+BFj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_NtMapUserPhysicalPagesScatter@12 endp


;  S U B	R O U T	I N E 


; __stdcall NtFlushWriteBuffer()
_NtFlushWriteBuffer@0 proc near		; DATA XREF: .text:00581034o
		call	ds:__imp__KeFlushWriteBuffer@0 ; KeFlushWriteBuffer()
		xor	eax, eax
		retn
_NtFlushWriteBuffer@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiBadMemoryLogger(x)
_MiBadMemoryLogger@4 proc near		; DATA XREF: MiPageNotZero(x,x)+112o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	cl, 30h
		call	_IoAllocateGenericErrorLogEntry@4 ; IoAllocateGenericErrorLogEntry(x)
		mov	esi, [ebp+arg_0]
		mov	edx, eax
		test	edx, edx
		jz	short loc_99EE16
		mov	dword ptr [edx+0Ch], 0C0000709h
		mov	ecx, [esi]
		mov	[edx+10h], ecx
		mov	ecx, [esi+10h]
		mov	[edx+20h], ecx
		mov	eax, [esi+14h]
		mov	[edx+24h], eax
		mov	eax, [esi+8]
		push	4
		mov	[edx+28h], eax
		pop	eax
		push	edx
		mov	[edx+2], ax
		call	IoWriteErrorLogEntry

loc_99EE16:				; CODE XREF: MiBadMemoryLogger(x)+14j
		lock dec dword ptr [esi+4]
		pop	esi
		pop	ebp
		retn	4
_MiBadMemoryLogger@4 endp ; sp = -4


;  S U B	R O U T	I N E 


; __stdcall MiChargeProcessPhysicalPages(x, x)
_MiChargeProcessPhysicalPages@8	proc near ; CODE XREF: .text:0046315Ap
					; MiAllocateUserPhysicalPages(x,x,x,x,x)+28Bp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	dword ptr [esi+360h], 0
		lea	ebx, [esi+35Ch]
		jnz	short loc_99EE3E
		lock xadd [ebx], edx

loc_99EE39:				; CODE XREF: MiChargeProcessPhysicalPages(x,x)+30j
		xor	eax, eax
		inc	eax
		jmp	short loc_99EE5F
; 

loc_99EE3E:				; CODE XREF: MiChargeProcessPhysicalPages(x,x)+14j
		mov	edi, [ebx]
		lea	ecx, [edi+edx]
		jmp	short loc_99EE55
; 

loc_99EE45:				; CODE XREF: MiChargeProcessPhysicalPages(x,x)+3Cj
		mov	eax, edi
		lock cmpxchg [ebx], ecx
		mov	ecx, eax
		cmp	ecx, edi
		jz	short loc_99EE39
		mov	edi, ecx
		add	ecx, edx

loc_99EE55:				; CODE XREF: MiChargeProcessPhysicalPages(x,x)+24j
		cmp	ecx, [esi+360h]
		jbe	short loc_99EE45
		xor	eax, eax

loc_99EE5F:				; CODE XREF: MiChargeProcessPhysicalPages(x,x)+1Dj
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiChargeProcessPhysicalPages@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCommitRequestFailed(x, x,	x, x)
_MiCommitRequestFailed@16 proc near	; CODE XREF: MiChargeFullProcessCommitment+160003p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	esi
		mov	esi, large fs:124h
		push	edi
		push	[ebp+arg_4]
		mov	edi, ecx
		call	_MiLogCommitRequestFailed@12 ; MiLogCommitRequestFailed(x,x,x)
		cmp	byte ptr [esi+16Ah], 1
		jz	short loc_99EEA6
		test	dword ptr [esi+58h], 400h
		jnz	short loc_99EEA6
		test	dword ptr [edi+0FCh], 100h
		jz	short loc_99EEA6
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KeRequestTerminationProcess@8 ; KeRequestTerminationProcess(x,x)

loc_99EEA6:				; CODE XREF: MiCommitRequestFailed(x,x,x,x)+22j
					; MiCommitRequestFailed(x,x,x,x)+2Bj ...
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_MiCommitRequestFailed@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLogCommitRequestFailed(x,	x, x)
_MiLogCommitRequestFailed@12 proc near	; CODE XREF: MiCommitRequestFailed(x,x,x,x)+16p

var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_F8		= dword	ptr -0F8h
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 19Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+19Ch+var_4], eax
		xor	eax, eax
		cmp	dword_6D35BC, 0
		push	ebx
		push	esi
		push	edi
		mov	[esp+1A8h+var_190], eax
		lea	edi, [esp+1A8h+var_108]
		mov	[esp+1A8h+var_18C], eax
		mov	ebx, edx
		mov	[esp+1A8h+var_198], eax
		mov	esi, ecx
		mov	[esp+1A8h+var_194], eax
		mov	[esp+1A8h+var_188], eax
		mov	[esp+1A8h+var_184], eax
		mov	[esp+1A8h+var_180], eax
		mov	[esp+1A8h+var_17C], eax
		stosd
		stosd
		stosd
		stosd
		jz	loc_99F23B
		mov	edi, 400h
		lea	edx, [esi+3A8h]
		mov	eax, [edx]

loc_99EF16:				; CODE XREF: MiLogCommitRequestFailed(x,x,x)+72j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_99EF16
		test	eax, edi
		jnz	loc_99F23B
		lea	edx, [esp+1A8h+var_108]
		mov	ecx, esi
		call	_EtwGetProcessAppSessionGuid@8 ; EtwGetProcessAppSessionGuid(x,x)
		mov	eax, [esi+188h]
		lea	edx, [esp+1A8h+var_198]
		mov	ecx, esi
		mov	edi, [eax+140h]
		mov	eax, [eax+100h]
		mov	[esp+1A8h+var_174], eax
		mov	eax, [esi+220h]
		mov	[esp+1A8h+var_170], eax
		mov	eax, [esi+224h]
		mov	[esp+1A8h+var_16C], eax
		lea	eax, [esp+1A8h+var_180]
		push	eax
		lea	eax, [esp+1ACh+var_188]
		push	eax
		lea	eax, [esp+1B0h+var_190]
		push	eax
		call	_PsQueryJobMemoryUsageByProcess@20 ; PsQueryJobMemoryUsageByProcess(x,x,x,x,x)
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ecx, [eax+1114h]
		mov	eax, [eax+10BCh]
		mov	esi, dword_6D35BC
		mov	[esp+1A8h+var_168], ecx
		mov	[esp+1A8h+var_164], eax
		cmp	dword ptr [esi], 5
		jbe	loc_99F23B
		push	4000h
		push	0
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_99F23B
		lea	eax, [esp+1A8h+var_108]
		mov	[esp+1A8h+var_D0], 10h
		mov	[esp+1A8h+var_D8], eax
		xor	edx, edx
		lea	eax, [esp+1A8h+var_160]
		mov	[esp+1A8h+var_D4], edx
		mov	[esp+1A8h+var_C8], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+1A8h+var_178], eax
		lea	eax, [esp+1A8h+var_178]
		mov	[esp+1A8h+var_B8], eax
		lea	eax, [esp+1A8h+var_158]
		mov	[esp+1A8h+var_A8], eax
		mov	eax, [esp+1A8h+var_174]
		mov	[esp+1A8h+var_150], eax
		lea	eax, [esp+1A8h+var_150]
		mov	[esp+1A8h+var_98], eax
		mov	eax, [esp+1A8h+var_170]
		mov	[esp+1A8h+var_148], eax
		lea	eax, [esp+1A8h+var_148]
		mov	[esp+1A8h+var_88], eax
		mov	eax, [esp+1A8h+var_16C]
		mov	[esp+1A8h+var_140], eax
		lea	eax, [esp+1A8h+var_140]
		mov	[esp+1A8h+var_78], eax
		mov	eax, [esp+1A8h+var_198]
		mov	[esp+1A8h+var_138], eax
		mov	eax, [esp+1A8h+var_194]
		mov	[esp+1A8h+var_134], eax
		lea	eax, [esp+1A8h+var_138]
		mov	[esp+1A8h+var_68], eax
		mov	eax, [esp+1A8h+var_190]
		mov	[esp+1A8h+var_130], eax
		mov	eax, [esp+1A8h+var_18C]
		mov	[esp+1A8h+var_12C], eax
		lea	eax, [esp+1A8h+var_130]
		mov	[esp+1A8h+var_58], eax
		mov	eax, [esp+1A8h+var_188]
		mov	[esp+1A8h+var_128], eax
		mov	eax, [esp+1A8h+var_184]
		mov	[esp+1A8h+var_124], eax
		lea	eax, [esp+1A8h+var_128]
		push	8
		pop	ecx
		mov	[esp+1A8h+var_48], eax
		mov	eax, [esp+1A8h+var_180]
		mov	[esp+1A8h+var_CC], edx
		mov	[esp+1A8h+var_160], ebx
		mov	[esp+1A8h+var_15C], edx
		mov	[esp+1A8h+var_C4], edx
		mov	[esp+1A8h+var_C0], ecx
		mov	[esp+1A8h+var_BC], edx
		mov	[esp+1A8h+var_B4], edx
		mov	[esp+1A8h+var_B0], 4
		mov	[esp+1A8h+var_AC], edx
		mov	[esp+1A8h+var_158], edi
		mov	[esp+1A8h+var_154], edx
		mov	[esp+1A8h+var_A4], edx
		mov	[esp+1A8h+var_A0], ecx
		mov	[esp+1A8h+var_9C], edx
		mov	[esp+1A8h+var_14C], edx
		mov	[esp+1A8h+var_94], edx
		mov	[esp+1A8h+var_90], ecx
		mov	[esp+1A8h+var_8C], edx
		mov	[esp+1A8h+var_144], edx
		mov	[esp+1A8h+var_84], edx
		mov	[esp+1A8h+var_80], ecx
		mov	[esp+1A8h+var_7C], edx
		mov	[esp+1A8h+var_13C], edx
		mov	[esp+1A8h+var_74], edx
		mov	[esp+1A8h+var_70], ecx
		mov	[esp+1A8h+var_6C], edx
		mov	[esp+1A8h+var_64], edx
		mov	[esp+1A8h+var_60], ecx
		mov	[esp+1A8h+var_5C], edx
		mov	[esp+1A8h+var_54], edx
		mov	[esp+1A8h+var_50], ecx
		mov	[esp+1A8h+var_4C], edx
		mov	[esp+1A8h+var_44], edx
		mov	[esp+1A8h+var_40], ecx
		mov	[esp+1A8h+var_3C], edx
		mov	[esp+1A8h+var_120], eax
		mov	eax, [esp+1A8h+var_17C]
		mov	[esp+1A8h+var_11C], eax
		lea	eax, [esp+1A8h+var_120]
		mov	[esp+1A8h+var_38], eax
		mov	eax, [esp+1A8h+var_168]
		mov	[esp+1A8h+var_118], eax
		lea	eax, [esp+1A8h+var_118]
		mov	[esp+1A8h+var_28], eax
		mov	eax, [esp+1A8h+var_164]
		mov	[esp+1A8h+var_110], eax
		lea	eax, [esp+1A8h+var_110]
		mov	[esp+1A8h+var_18], eax
		lea	eax, [esp+1A8h+var_F8]
		push	eax
		push	0Fh
		push	edx
		push	edx
		push	1
		push	edx
		mov	[esp+1C0h+var_34], edx
		mov	[esp+1C0h+var_30], ecx
		mov	[esp+1C0h+var_2C], edx
		mov	[esp+1C0h+var_114], edx
		mov	[esp+1C0h+var_24], edx
		mov	[esp+1C0h+var_20], ecx
		mov	[esp+1C0h+var_1C], edx
		mov	[esp+1C0h+var_10C], edx
		mov	[esp+1C0h+var_14], edx
		mov	[esp+1C0h+var_10], ecx
		mov	ecx, esi
		mov	[esp+1C0h+var_C], edx
		push	edx
		mov	edx, offset loc_41CF70
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_99F23B:				; CODE XREF: MiLogCommitRequestFailed(x,x,x)+57j
					; MiLogCommitRequestFailed(x,x,x)+76j ...
		mov	ecx, [esp+1A8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_MiLogCommitRequestFailed@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiReturnProcessPhysicalPages(x, x)
_MiReturnProcessPhysicalPages@8	proc near ; CODE XREF: MiDeleteVad(x,x,x)+50Bp
					; .text:00463192p ...
		neg	edx
		lea	eax, [ecx+35Ch]
		lock xadd [eax], edx
		retn
_MiReturnProcessPhysicalPages@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInSwapPageDirectories(x, x)
_MiInSwapPageDirectories@8 proc	near	; CODE XREF: MmInSwapProcess+16276Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		push	esi
		push	edi
		mov	ecx, 0C0600000h
		mov	[ebp+var_24], ebx
		mov	eax, [edx+194h]
		movzx	esi, word ptr [edx+72h]
		mov	[ebp+var_14], edx
		mov	[ebp+var_1C], eax
		call	_MiGetPdeAddress@4 ; MiGetPdeAddress(x)
		mov	ecx, eax
		push	4
		mov	[ebp+var_20], ecx
		pop	edi

loc_99F293:				; CODE XREF: MiInSwapPageDirectories(x,x)+167j
		dec	edi
		cmp	edi, 3
		jnz	short loc_99F2A7
		mov	ebx, [edx+1A0h]
		mov	edx, [edx+1A4h]
		jmp	short loc_99F2BB
; 

loc_99F2A7:				; CODE XREF: MiInSwapPageDirectories(x,x)+38j
		push	esi
		mov	eax, edi
		mov	edx, ecx
		mov	ecx, [ebp+var_14]
		push	ebx
		shl	eax, 3
		push	eax
		call	_MiMakeOutswappedPageResident@20 ; MiMakeOutswappedPageResident(x,x,x,x,x)
		mov	ebx, eax

loc_99F2BB:				; CODE XREF: MiInSwapPageDirectories(x,x)+46j
		mov	[ebp+var_4], edx
		mov	[ebp+var_18], ebx
		nop
		lea	ecx, [ebp+var_10]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_99F2D7
		push	edx
		push	ebx
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		jmp	short loc_99F2D9
; 

loc_99F2D7:				; CODE XREF: MiInSwapPageDirectories(x,x)+6Dj
		mov	eax, ebx

loc_99F2D9:				; CODE XREF: MiInSwapPageDirectories(x,x)+76j
		shrd	eax, edx, 0Ch
		and	eax, 1FFFFFFh
		imul	ecx, eax, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiIsPfnTradable@4 ; MiIsPfnTradable(x)
		test	eax, eax
		jnz	short loc_99F2FB
		xor	edx, edx
		call	_MiMarkPfnTradable@8 ; MiMarkPfnTradable(x,x)

loc_99F2FB:				; CODE XREF: MiInSwapPageDirectories(x,x)+93j
		mov	eax, [ebp+var_1C]
		and	ebx, 0FFFFFE19h
		mov	edx, [ebp+var_4]
		and	edx, 7FFFFFFFh
		mov	[ebp+var_4], edx
		mov	[eax+edi*8], ebx
		mov	[eax+edi*8+4], edx
		mov	eax, [ebp+var_14]
		mov	ecx, [eax+304h]
		test	ecx, ecx
		jz	loc_99F3B5
		cmp	edi, 3
		jnz	short loc_99F377
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	ecx, [eax]
		mov	[ebp+var_18], ecx
		nop
		mov	ecx, [eax+4]
		mov	[ebp+var_C], ecx
		mov	ecx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_99F35C
		push	[ebp+var_C]
		push	[ebp+var_18]
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	[ebp+var_C], edx
		mov	edx, [ebp+var_4]
		jmp	short loc_99F35F
; 

loc_99F35C:				; CODE XREF: MiInSwapPageDirectories(x,x)+E8j
		mov	eax, [ebp+var_18]

loc_99F35F:				; CODE XREF: MiInSwapPageDirectories(x,x)+FBj
		mov	ecx, ebx
		xor	ecx, eax
		mov	eax, edx
		xor	eax, [ebp+var_C]
		and	ecx, 0FFFFF000h
		and	eax, 1Fh
		xor	ebx, ecx
		xor	edx, eax
		jmp	short loc_99F3AA
; 

loc_99F377:				; CODE XREF: MiInSwapPageDirectories(x,x)+CCj
		cmp	edi, 2
		jnz	short loc_99F3AA
		cmp	dword_6D07D0, 0C0000000h
		jnb	short loc_99F3AA
		mov	ecx, dword_6D0624
		xor	eax, eax
		and	ecx, 1FFFFFFh
		and	ebx, 0FFFh
		shld	eax, ecx, 0Ch
		and	edx, 0FFFFFFE0h
		shl	ecx, 0Ch
		or	ebx, ecx
		or	edx, eax

loc_99F3AA:				; CODE XREF: MiInSwapPageDirectories(x,x)+116j
					; MiInSwapPageDirectories(x,x)+11Bj ...
		mov	eax, [ebp+var_1C]
		mov	[eax+edi*8+20h], ebx
		mov	[eax+edi*8+24h], edx

loc_99F3B5:				; CODE XREF: MiInSwapPageDirectories(x,x)+C3j
		mov	ecx, [ebp+var_20]
		mov	edx, [ebp+var_14]
		sub	ecx, 8
		mov	ebx, [ebp+var_24]
		mov	[ebp+var_20], ecx
		test	edi, edi
		jnz	loc_99F293
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiInSwapPageDirectories@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiOutSwapPageDirectoryPages(x)
_MiOutSwapPageDirectoryPages@4 proc near ; CODE	XREF: MmOutSwapProcess+162751p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ecx+194h]
		push	esi
		push	edi
		mov	[ebp+var_4], 3

loc_99F3E7:				; CODE XREF: MiOutSwapPageDirectoryPages(x)+60j
		mov	esi, dword_6D0700
		mov	eax, esi
		mov	edi, dword_6D0704
		or	eax, edi
		mov	ecx, [ebx]
		mov	edx, [ebx+4]
		jz	short loc_99F410
		mov	eax, ecx
		and	eax, 10h
		or	eax, 0
		jnz	short loc_99F410
		not	esi
		not	edi
		and	ecx, esi
		and	edx, edi

loc_99F410:				; CODE XREF: MiOutSwapPageDirectoryPages(x)+2Bj
					; MiOutSwapPageDirectoryPages(x)+35j
		shrd	ecx, edx, 0Ch
		xor	edx, edx
		and	ecx, 3FFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		add	ebx, 8
		sub	[ebp+var_4], 1
		jnz	short loc_99F3E7
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiOutSwapPageDirectoryPages@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiPaeFreePage(x)
_MiPaeFreePage@4 proc near		; CODE XREF: MiPaeFree+17235Bp
		mov	edi, edi
		push	ecx
		push	ecx
		call	MmFreeContiguousMemory
		lock dec dword_6D0650
		pop	ecx
		retn
_MiPaeFreePage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmBuildLargePages(x, x, x, x)
_MmBuildLargePages@16 proc near		; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+164p

var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		movzx	eax, ds:_KeNumberNodes
		mov	ecx, edx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], ecx
		mov	byte ptr [ebp+var_1], bl
		push	esi
		push	edi		; struct _exception *
		cmp	ecx, eax
		jnb	short loc_99F4C0
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	esi, eax
		jmp	short loc_99F480
; 

loc_99F472:				; CODE XREF: MmBuildLargePages(x,x,x,x)+39j
		cmp	ds:_MiLargePageSizes[esi*4], 200h
		jz	short loc_99F485
		inc	esi

loc_99F480:				; CODE XREF: MmBuildLargePages(x,x,x,x)+26j
		cmp	esi, 2
		jb	short loc_99F472

loc_99F485:				; CODE XREF: MmBuildLargePages(x,x,x,x)+33j
		cmp	esi, 2
		jz	short loc_99F4C0
		lea	eax, [ebp+var_1]
		or	ecx, 0FFFFFFFFh
		push	eax
		call	MiPartitionObjectToPartition
		mov	edi, eax
		test	edi, edi
		jz	short loc_99F4B2
		push	200h
		push	[ebp+var_8]
		mov	edx, esi
		mov	ecx, edi
		call	_MiRebuildLargePage@16 ; MiRebuildLargePage(x,x,x,x)
		mov	ebx, eax
		shr	ebx, 9

loc_99F4B2:				; CODE XREF: MmBuildLargePages(x,x,x,x)+50j
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_99F4C0
		mov	ecx, [edi+64h]
		call	PsDereferencePartition

loc_99F4C0:				; CODE XREF: MmBuildLargePages(x,x,x,x)+1Dj
					; MmBuildLargePages(x,x,x,x)+3Ej ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_MmBuildLargePages@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetSystemPteStatistics(x,	x, x)
_MiGetSystemPteStatistics@12 proc near	; CODE XREF: MmGetSessionMappedViewInformation(x,x,x,x)+11Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	eax, [ebx+0Ch]
		and	al, 4
		movzx	esi, al
		lea	eax, [ebp+var_8]
		neg	esi
		push	eax
		sbb	esi, esi
		and	esi, 0Fh
		push	ebx
		inc	esi
		call	RtlFindLongestRunClear
		mov	ecx, [ebp+arg_0]
		mov	edi, 20000h
		imul	eax, esi
		mov	[ecx], eax
		mov	ecx, dword_6D4254
		shr	ecx, 0Ch
		cmp	edi, ecx
		sbb	edi, edi
		lea	edx, [ecx-20000h]
		and	edi, edx
		cmp	edi, eax
		jbe	short loc_99F51D
		mov	eax, [ebp+arg_0]
		mov	[eax], edi

loc_99F51D:				; CODE XREF: MiGetSystemPteStatistics(x,x,x)+4Dj
		mov	ecx, ebx
		call	_MiGetNumberOfCachedPtes@4 ; MiGetNumberOfCachedPtes(x)
		add	eax, [ebx+30h]
		mov	ecx, [ebp+var_4]
		imul	eax, esi
		add	eax, edi
		pop	edi
		pop	esi
		mov	[ecx], eax
		pop	ebx
		leave
		retn	4
_MiGetSystemPteStatistics@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiApplyRawFixups(x,	x, x, x)
_MiApplyRawFixups@16 proc near		; CODE XREF: MiPerformFixups:loc_8DC234p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_4], ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+4]
		lea	esi, [eax+8]
		mov	ecx, [eax]
		sub	edi, 8
		and	ecx, 0FFFh
		mov	ebx, edx
		shr	edi, 1
		mov	[ebp+arg_0], ecx
		jz	short loc_99F58C

loc_99F564:				; CODE XREF: MiApplyRawFixups(x,x,x,x)+52j
		movzx	ecx, word ptr [esi]
		dec	edi
		push	[ebp+arg_4]
		mov	edx, ecx
		and	ecx, 0FFFh
		add	ecx, [ebp+arg_0]
		shr	dx, 0Ch
		add	ecx, ebx
		call	_MiDoSingleFixup@12 ; MiDoSingleFixup(x,x,x)
		test	eax, eax
		jz	short loc_99F593
		add	esi, 2
		test	edi, edi
		jnz	short loc_99F564

loc_99F58C:				; CODE XREF: MiApplyRawFixups(x,x,x,x)+2Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_99F593:				; CODE XREF: MiApplyRawFixups(x,x,x,x)+4Bj
		push	esi
		push	ebx
		push	[ebp+var_4]
		push	30h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MiApplyRawFixups@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCaptureSecureImageBaseAddress(x)
_MiCaptureSecureImageBaseAddress@4 proc	near ; CODE XREF: PAGE:00793A78p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ecx
		push	ebx
		mov	ebx, large fs:124h
		mov	ecx, ebx
		push	esi
		mov	esi, [eax+38h]
		push	edi
		mov	[ebp+var_4], eax
		mov	edi, [esi+10h]
		mov	edx, edi
		mov	esi, [esi+14h]
		and	esi, 0FFFFFFF8h
		call	_MI_LOCK_RELOCATIONS_EXCLUSIVE@8 ; MI_LOCK_RELOCATIONS_EXCLUSIVE(x,x)
		mov	ecx, dword_6BEA60
		test	ecx, ecx
		jnz	short loc_99F5DD
		mov	esi, 0C00000BBh
		jmp	short loc_99F5EB
; 

loc_99F5DD:				; CODE XREF: MiCaptureSecureImageBaseAddress(x)+32j
		mov	eax, [ebp+var_4]
		mov	eax, [eax]
		mov	eax, [eax+18h]
		push	eax
		push	esi
		call	ecx
		mov	esi, eax

loc_99F5EB:				; CODE XREF: MiCaptureSecureImageBaseAddress(x)+39j
		mov	edx, edi
		mov	ecx, ebx
		call	MI_UNLOCK_RELOCATIONS_EXCLUSIVE
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_MiCaptureSecureImageBaseAddress@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDoSingleFixup(x, x, x)
_MiDoSingleFixup@12 proc near		; CODE XREF: MiApplyRawFixups(x,x,x,x)+44p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	dx, dx
		jz	short loc_99F625
		cmp	dx, 3
		jz	short loc_99F60F
		xor	eax, eax
		jmp	short loc_99F628
; 

loc_99F60F:				; CODE XREF: MiDoSingleFixup(x,x,x)+Ej
		mov	eax, ecx
		mov	edx, 0FFCh
		and	eax, 0FFFh
		cmp	ax, dx
		ja	short loc_99F625
		mov	eax, [ebp+arg_0]
		add	[ecx], eax

loc_99F625:				; CODE XREF: MiDoSingleFixup(x,x,x)+8j
					; MiDoSingleFixup(x,x,x)+23j
		xor	eax, eax
		inc	eax

loc_99F628:				; CODE XREF: MiDoSingleFixup(x,x,x)+12j
		pop	ebp
		retn	4
_MiDoSingleFixup@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiGetNextDirectFixupProto(x, x)
_MiGetNextDirectFixupProto@8 proc near	; CODE XREF: .text:0047841Ep
					; .text:00478436p ...
		test	edx, edx
		jz	short loc_99F637
		mov	ecx, edx
		jmp	_MiGetLeafPfnBuddy@8 ; MiGetLeafPfnBuddy(x,x)
; 

loc_99F637:				; CODE XREF: MiGetNextDirectFixupProto(x,x)+2j
		mov	eax, [ecx+38h]
		mov	eax, [eax+10h]
		mov	eax, [eax+3Ch]
		retn
_MiGetNextDirectFixupProto@8 endp


;  S U B	R O U T	I N E 


; __stdcall MmValidateUserCallTarget(x,	x)
_MmValidateUserCallTarget@8 proc near	; CODE XREF: PAGE:007A8E3Dp
					; MmCheckForSafeExecution(x,x,x,x)+7Fp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_MiIsProcessCfgEnabled@0 ; MiIsProcessCfgEnabled()
		test	eax, eax
		jnz	short loc_99F652
		inc	eax
		pop	esi
		retn
; 

loc_99F652:				; CODE XREF: MmValidateUserCallTarget(x,x)+Cj
		mov	eax, large fs:124h
		mov	ecx, esi
		pop	esi
		mov	eax, [eax+80h]
		mov	edx, [eax+24Ch]
		add	edx, 0B8h
		jmp	MiValidateUserCallTarget
_MmValidateUserCallTarget@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFillPerSessionProtos(x, x, x, x, x, x, x,	x, x)
_MiFillPerSessionProtos@36 proc	near	; CODE XREF: MiAllocatePerSessionProtos+11CAC9p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		mov	[esp+30h+var_24], ecx
		push	esi
		push	edi
		mov	ecx, [ebp+arg_14]
		lea	edi, [esp+38h+var_1C]
		stosd
		xor	esi, esi
		mov	[esp+38h+var_2C], edx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+38h+var_10]
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_99F6DF
		cmp	[ebp+arg_10], ecx
		lea	eax, [esp+38h+var_10]
		push	eax
		setnz	cl
		add	ecx, 2
		imul	ecx, edi
		inc	ecx
		mov	edx, ecx
		call	MiCreatePteCopyList
		cmp	[esp+38h+var_C], esi
		jnz	short loc_99F6D0
		mov	eax, 0C000009Ah
		jmp	loc_99F81B
; 

loc_99F6D0:				; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+52j
		push	esi
		lea	edx, [esp+3Ch+var_1C]
		xor	ecx, ecx
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	ecx, [ebp+arg_14]

loc_99F6DF:				; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+33j
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ebx, eax
		mov	[esp+38h+var_28], ebx
		test	edi, edi
		jz	loc_99F810

loc_99F6F2:				; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+186j
		test	ecx, ecx
		jnz	short loc_99F725
		lea	ecx, [esp+38h+var_1C]
		call	_MiGetNextPageColor@4 ;	MiGetNextPageColor(x)
		mov	edi, eax
		mov	ecx, ebx
		jmp	short loc_99F714
; 

loc_99F705:				; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+AFj
		mov	ecx, [esp+38h+var_28]
		xor	edx, edx
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		mov	ecx, [esp+38h+var_28]

loc_99F714:				; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+91j
		push	esi
		mov	edx, edi
		call	MiGetPage
		mov	ebx, eax
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_99F705
		jmp	short loc_99F732
; 

loc_99F725:				; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+82j
		mov	edx, [ebp+arg_8]
		mov	ecx, ebx
		push	esi
		call	MiAllocateDriverPage
		mov	ebx, eax

loc_99F732:				; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+B1j
		mov	edx, [esp+38h+var_2C]
		imul	edi, ebx, 1Ch
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, ebx
		add	edi, ds:_MmPfnDatabase
		mov	[esp+40h+var_20], edi
		call	_MiInitializeProtoPfn@16 ; MiInitializeProtoPfn(x,x,x,x)
		cmp	[ebp+arg_14], esi
		jz	short loc_99F770
		push	esi
		push	esi
		sub	esp, 0Ch
		call	_ext_ms_win_ntos_tm_l1_1_0_NtQueryInformationTransactionManager@20 ; ext_ms_win_ntos_tm_l1_1_0_NtQueryInformationTransactionManager(x,x,x,x,x)
		test	eax, eax
		js	loc_99F7FD
		xor	edx, edx
		mov	ecx, edi
		call	_MiMarkPfnVerified@8 ; MiMarkPfnVerified(x,x)
		jmp	short loc_99F7CA
; 

loc_99F770:				; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+DFj
		push	48h
		lea	eax, [esp+3Ch+var_10]
		mov	ecx, ebx
		push	eax
		mov	eax, [ebp+arg_0]
		mov	edx, [eax]
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)
		cmp	[ebp+arg_10], esi
		jz	short loc_99F7C3
		push	0FFFFFFFFh
		mov	edx, ebx
		lea	ecx, [esp+44h+var_18]
		call	MiGetPteFromCopyList
		push	2
		push	ecx
		push	[ebp+arg_10]
		mov	ecx, [esp+4Ch+var_2C]
		mov	edi, eax
		push	ebx
		push	[ebp+arg_C]
		mov	edx, edi
		shl	edx, 9
		call	MiRelocateImagePfn
		mov	eax, ds:_ZeroPte
		mov	[edi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edi+4], eax
		mov	edi, [esp+40h+var_28]

loc_99F7C3:				; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+114j
		mov	ecx, edi
		call	_MiReturnPfnReferenceCount@4 ; MiReturnPfnReferenceCount(x)

loc_99F7CA:				; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+FCj
		add	[ebp+arg_0], 4
		add	[esp+40h+var_34], 8
		mov	eax, [ebp+arg_4]
		inc	[ebp+arg_C]
		dec	eax
		mov	ecx, [ebp+arg_14]
		mov	[ebp+arg_4], eax
		test	ecx, ecx
		jz	short loc_99F7F0
		mov	edx, [ebp+arg_18]
		mov	edi, 1000h
		add	[ecx], edi
		add	[edx], edi

loc_99F7F0:				; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+170j
		test	eax, eax
		jz	short loc_99F810
		mov	ebx, [esp+40h+var_30]
		jmp	loc_99F6F2
; 

loc_99F7FD:				; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+EDj
		push	eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	dword ptr [eax]
		push	5150Ah
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_99F810:				; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+7Aj
					; MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+180j
		lea	ecx, [esp+4Ch+var_24]
		call	_MiReleasePteCopyList@4	; MiReleasePteCopyList(x)
		xor	eax, eax

loc_99F81B:				; CODE XREF: MiFillPerSessionProtos(x,x,x,x,x,x,x,x,x)+59j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_MiFillPerSessionProtos@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreatePlaceholderStorage(x)
_MiCreatePlaceholderStorage@4 proc near	; CODE XREF: MiDeletePartialVad+DD395p
					; MiReserveUserMemory+15FCA1p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+80h]
		mov	ebx, ecx
		push	50h
		push	edi
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		test	eax, eax
		js	short loc_99F88F
		push	0
		push	40h
		push	28h
		mov	edx, 73706D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_99F882
		push	2
		xor	edx, edx
		mov	dword ptr [esi+24h], 80h
		xor	ecx, ecx
		call	MiAllocateVad
		mov	[esi+4], eax
		push	0
		test	eax, eax
		jnz	short loc_99F896
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99F882:				; CODE XREF: MiCreatePlaceholderStorage(x)+3Bj
		push	50h
		push	edi
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		mov	eax, 0C000009Ah

loc_99F88F:				; CODE XREF: MiCreatePlaceholderStorage(x)+24j
					; MiCreatePlaceholderStorage(x)+7Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_99F896:				; CODE XREF: MiCreatePlaceholderStorage(x)+56j
		mov	edx, esi
		mov	ecx, ebx
		call	_MiInsertVadEvent@12 ; MiInsertVadEvent(x,x,x)
		xor	eax, eax
		jmp	short loc_99F88F
_MiCreatePlaceholderStorage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFinishPlaceholderVadReplacement(x, x, x)
_MiFinishPlaceholderVadReplacement@12 proc near	; CODE XREF: MiReserveUserMemory+15FE4Dp
					; MiMapViewOfDataSection+F9276p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ecx, large fs:124h
		push	edi
		mov	edi, edx
		mov	ebx, [ecx+80h]
		jz	short loc_99F90D
		mov	edx, esi
		call	_MiLockVadShared@8 ; MiLockVadShared(x,x)
		mov	ecx, esi
		call	_MiVadDeleted@4	; MiVadDeleted(x)
		test	eax, eax
		jnz	short loc_99F904
		test	dword ptr ds:byte_70EFC4, 8000h
		jz	short loc_99F904
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	ecx, [esi+0Ch]
		mov	edx, [esi+10h]
		sub	edx, ecx
		shl	ecx, 0Ch
		movzx	eax, word ptr [eax]
		inc	edx
		push	eax
		push	eax
		push	2000h
		push	ebx
		shl	edx, 0Ch
		call	_PerfInfoLogVirtualAlloc@24 ; PerfInfoLogVirtualAlloc(x,x,x,x,x,x)

loc_99F904:				; CODE XREF: MiFinishPlaceholderVadReplacement(x,x,x)+2Fj
					; MiFinishPlaceholderVadReplacement(x,x,x)+3Bj
		mov	ecx, esi
		call	MiUnlockAndDereferenceVadShared
		jmp	short loc_99F918
; 

loc_99F90D:				; CODE XREF: MiFinishPlaceholderVadReplacement(x,x,x)+1Dj
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)

loc_99F918:				; CODE XREF: MiFinishPlaceholderVadReplacement(x,x,x)+68j
		mov	ecx, edi
		call	_MiDecrementVadsBeingDeleted@4 ; MiDecrementVadsBeingDeleted(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MiFinishPlaceholderVadReplacement@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiFreePlaceholderVadEvent(x)
_MiFreePlaceholderVadEvent@4 proc near	; CODE XREF: MiReleaseVadEventBlocks+D8p
					; MiFreePlaceholderStorage+1194E0p
		mov	eax, [ecx+4]
		push	esi
		push	28h
		pop	esi
		test	eax, eax
		jz	short loc_99F93C
		push	50h
		pop	esi
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_99F93C:				; CODE XREF: MiFreePlaceholderVadEvent(x)+9j
		mov	eax, large fs:124h
		push	esi
		push	dword ptr [eax+80h]
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		pop	esi
		retn
_MiFreePlaceholderVadEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPreparePlaceholderVadReplacement(x, x, x)
_MiPreparePlaceholderVadReplacement@12 proc near ; CODE	XREF: MiReserveUserMemory+15FD65p
					; MiMapViewOfDataSection+F921Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		lock inc dword ptr [eax+50h]
		call	_MiReferenceVad@4 ; MiReferenceVad(x)
		mov	ecx, esi
		call	_MiRemovePlaceholderVad@4 ; MiRemovePlaceholderVad(x)
		mov	eax, [esi+0Ch]
		sub	eax, [esi+10h]
		shl	eax, 0Ch
		sub	eax, 1000h
		add	[edi+11Ch], eax
		mov	eax, 8000h
		test	dword ptr ds:byte_70EFC4, eax
		jz	short loc_99F9A6
		mov	ecx, [esi+0Ch]
		mov	edx, [esi+10h]
		sub	edx, ecx
		shl	ecx, 0Ch
		push	eax
		inc	edx
		push	edi
		shl	edx, 0Ch
		call	_PerfInfoLogVirtualFree@16 ; PerfInfoLogVirtualFree(x,x,x,x)

loc_99F9A6:				; CODE XREF: MiPreparePlaceholderVadReplacement(x,x,x)+3Ej
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
_MiPreparePlaceholderVadReplacement@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCaptureSparsePages(x, x)
_MiCaptureSparsePages@8	proc near	; CODE XREF: MiDeleteSparseRange(x,x)+14p

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		xor	edi, edi
		mov	edx, dword_6D34F0
		mov	esi, ecx
		push	1
		mov	[ebp+var_4], edi
		call	MiMakeValidPte
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx
		test	ebx, ebx
		jz	short loc_99FA57

loc_99F9D8:				; CODE XREF: MiCaptureSparsePages(x,x)+A8j
		mov	edi, [esi]
		nop
		mov	edx, [esi+4]
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_99F9F2
		push	edx
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	edi, eax

loc_99F9F2:				; CODE XREF: MiCaptureSparsePages(x,x)+3Aj
		cmp	edi, [ebp+var_8]
		jnz	short loc_99F9FC
		cmp	edx, [ebp+var_C]
		jz	short loc_99FA4C

loc_99F9FC:				; CODE XREF: MiCaptureSparsePages(x,x)+48j
		nop
		lea	ecx, [ebp+var_18]
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_99FA12
		push	edx
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	edi, eax

loc_99FA12:				; CODE XREF: MiCaptureSparsePages(x,x)+5Aj
		shrd	edi, edx, 0Ch
		mov	edx, [ebp+var_4]
		and	edi, 1FFFFFFh
		imul	ecx, edi, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	eax, [ecx+18h]
		and	eax, offset loc_7FFFFF
		call	_MiSetPfnLink@8	; MiSetPfnLink(x,x)
		mov	edi, ecx
		xor	edx, edx
		imul	ecx, eax, 1Ch
		mov	[ebp+var_4], edi
		add	ecx, ds:_MmPfnDatabase
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		jmp	short loc_99FA4F
; 

loc_99FA4C:				; CODE XREF: MiCaptureSparsePages(x,x)+4Dj
		mov	edi, [ebp+var_4]

loc_99FA4F:				; CODE XREF: MiCaptureSparsePages(x,x)+9Dj
		add	esi, 8
		sub	ebx, 1
		jnz	short loc_99F9D8

loc_99FA57:				; CODE XREF: MiCaptureSparsePages(x,x)+29j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiCaptureSparsePages@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeletePfnBitMaps(x)
_MiDeletePfnBitMaps@4 proc near		; CODE XREF: MiDeletePartitionResources(x)+765p
					; MiCreatePfnBitMaps+6697Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		mov	ebx, dword_6D07B0
		push	esi
		push	edi
		mov	edi, ecx
		inc	ebx
		xor	esi, esi
		lea	eax, [edi+0B08h]
		mov	[esp+18h+var_4], eax

loc_99FA81:				; CODE XREF: MiDeletePfnBitMaps(x)+87j
		cmp	esi, 1
		jnb	short loc_99FA8F
		mov	ecx, ds:_MiLargePageSizes[esi*4]
		jmp	short loc_99FAA2
; 

loc_99FA8F:				; CODE XREF: MiDeletePfnBitMaps(x)+26j
		cmp	edi, offset _MiSystemPartition
		jnz	short loc_99FADA
		mov	ecx, 200h
		lea	eax, [edi+0D7Ch]

loc_99FAA2:				; CODE XREF: MiDeletePfnBitMaps(x)+2Fj
		xor	edx, edx
		mov	[esp+18h+var_8], eax
		mov	eax, ebx
		div	ecx
		xor	ecx, ecx
		test	edx, edx
		setnz	cl
		lea	edx, [ecx+7]
		mov	ecx, [esp+18h+var_8]
		add	edx, eax
		shr	edx, 3
		add	edx, 0FFFh
		mov	ecx, [ecx]
		shr	edx, 0Ch
		call	_MiDeleteSparseRange@8 ; MiDeleteSparseRange(x,x)
		mov	eax, [esp+18h+var_8]
		and	dword ptr [eax], 0
		mov	eax, [esp+18h+var_4]

loc_99FADA:				; CODE XREF: MiDeletePfnBitMaps(x)+37j
		inc	esi
		add	eax, 8
		mov	[esp+18h+var_4], eax
		cmp	esi, 2
		jb	short loc_99FA81
		mov	ecx, [edi+0B18h]
		mov	edx, ebx
		and	edx, 3FFFFh
		mov	eax, ebx
		neg	edx
		mov	esi, 0FFFh
		sbb	edx, edx
		shr	eax, 12h
		neg	edx
		add	edx, 7
		add	edx, eax
		shr	edx, 3
		add	edx, esi
		shr	edx, 0Ch
		call	_MiDeleteSparseRange@8 ; MiDeleteSparseRange(x,x)
		and	dword ptr [edi+0B18h], 0
		mov	edx, ebx
		mov	ecx, [edi+0B10h]
		and	edx, 1FFh
		neg	edx
		sbb	edx, edx
		shr	ebx, 9
		neg	edx
		add	edx, esi
		add	edx, ebx
		shr	edx, 0Ch
		call	_MiDeleteSparseRange@8 ; MiDeleteSparseRange(x,x)
		and	dword ptr [edi+0B10h], 0
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiDeletePfnBitMaps@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiDeleteSparseRange(x, x)
_MiDeleteSparseRange@8 proc near	; CODE XREF: MiDeletePfnBitMaps(x)+6Cp
					; MiDeletePfnBitMaps(x)+B4p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jz	short loc_99FB90
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		mov	esi, eax
		mov	ecx, esi
		call	_MiCaptureSparsePages@8	; MiCaptureSparsePages(x,x)
		push	edi
		mov	edx, esi
		mov	ecx, offset dword_6D35E0
		mov	ebx, eax
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		test	ebx, ebx
		jz	short loc_99FB90
		mov	ecx, ebx
		call	_MiReturnPfnList@4 ; MiReturnPfnList(x)
		push	9
		mov	edx, eax
		mov	ecx, offset _MiSystemPartition
		call	_MiReturnSplitPageCharges@12 ; MiReturnSplitPageCharges(x,x,x)

loc_99FB90:				; CODE XREF: MiDeleteSparseRange(x,x)+9j
					; MiDeleteSparseRange(x,x)+2Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiDeleteSparseRange@8 endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiScrubNodeLargePages(x, x,	x)
_MiScrubNodeLargePages@12 proc near	; CODE XREF: MiScrubNode(x)+2Fp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		imul	eax, esi, 280h
		push	edi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_34], ecx
		add	eax, [edx+10h]
		xor	edx, edx
		mov	[ebp+var_2C], eax
		mov	edi, eax

loc_99FBBA:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+44j
		mov	ecx, [edi+4]
		add	ecx, [edi]
		jz	short loc_99FBCC
		mov	eax, ds:_MiLargePageSizes[edx]
		imul	eax, ecx
		add	ebx, eax

loc_99FBCC:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+2Bj
		add	edx, 4
		add	edi, 98h
		cmp	edx, 8
		jb	short loc_99FBBA
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jz	loc_99FD09
		mov	edx, [ebp+var_2C]
		xor	eax, eax
		and	[ebp+var_8], eax
		mov	ecx, edx
		mov	[ebp+var_18], eax
		xor	ebx, ebx
		mov	[ebp+var_30], edx

loc_99FBF7:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+15Fj
		mov	eax, [ecx+4]
		add	eax, [ecx]
		jz	loc_99FCE6
		mov	eax, dword_6D0740[ebx*4]
		and	[ebp+var_4], 0
		mov	[ebp+var_10], eax

loc_99FC10:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+149j
		xor	edi, edi
		inc	edi

loc_99FC13:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+13Aj
		test	edi, edi
		jnz	short loc_99FC2D
		cmp	[ebp+var_18], edi
		jnz	short loc_99FC2D
		mov	eax, [ebp+var_1C]
		lock inc dword ptr [eax+0DD0h]
		mov	[ebp+var_18], 1

loc_99FC2D:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+81j
					; MiScrubNodeLargePages(x,x,x)+86j
		xor	ecx, ecx
		mov	[ebp+arg_0], ecx

loc_99FC32:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+12Fj
		xor	eax, eax
		mov	[ebp+var_14], eax

loc_99FC37:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+122j
		push	eax
		push	edi
		push	ecx
		mov	ecx, [ebp+var_4]
		push	ebx
		call	_MiGetLargePageListHeadBase@24 ; MiGetLargePageListHeadBase(x,x,x,x,x,x)
		xor	ecx, ecx
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], ecx
		cmp	[ebp+var_10], ecx
		jbe	short loc_99FCA9
		mov	edx, [ebp+var_10]

loc_99FC53:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+110j
		cmp	[eax], eax
		jz	short loc_99FC98
		mov	eax, [ebp+var_C]
		mov	edx, ebx
		sub	eax, [ebp+var_8]
		push	ecx
		push	[ebp+var_34]
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_14]
		push	[ebp+arg_0]
		push	edi
		push	[ebp+var_4]
		push	esi
		call	_MiScrubNodeLargePageList@40 ; MiScrubNodeLargePageList(x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		add	ecx, [ebp+var_20]
		mov	[ebp+var_8], ecx
		cmp	ecx, [ebp+var_C]
		jnb	short loc_99FCF9
		test	eax, eax
		jz	short loc_99FCF9
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+var_24]
		mov	edx, [ebp+var_10]

loc_99FC98:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+C1j
		inc	ecx
		add	eax, 0Ch
		mov	[ebp+var_24], ecx
		mov	[ebp+var_28], eax
		cmp	ecx, edx
		jb	short loc_99FC53
		mov	edx, [ebp+var_2C]

loc_99FCA9:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+BAj
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+arg_0]
		inc	eax
		mov	[ebp+var_14], eax
		cmp	eax, 3
		jle	loc_99FC37
		inc	ecx
		mov	[ebp+arg_0], ecx
		cmp	ecx, 1
		jb	loc_99FC32
		test	edi, edi
		jz	short loc_99FCD3
		dec	edi
		jmp	loc_99FC13
; 

loc_99FCD3:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+137j
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, 1
		jle	loc_99FC10
		mov	ecx, [ebp+var_30]

loc_99FCE6:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+68j
		inc	ebx
		add	ecx, 98h
		mov	[ebp+var_30], ecx
		cmp	ebx, 2
		jb	loc_99FBF7

loc_99FCF9:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+F5j
					; MiScrubNodeLargePages(x,x,x)+F9j
		cmp	[ebp+var_18], 1
		jnz	short loc_99FD09
		mov	eax, [ebp+var_1C]
		lock dec dword ptr [eax+0DD0h]

loc_99FD09:				; CODE XREF: MiScrubNodeLargePages(x,x,x)+4Bj
					; MiScrubNodeLargePages(x,x,x)+169j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiScrubNodeLargePages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiGetSectionStrongImageReference(x)
_MiGetSectionStrongImageReference@4 proc near ;	CODE XREF: .text:004783CFp
					; MiValidateInPage+132B9Ep ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		mov	ecx, dword_6BEA5C
		mov	[ebp+var_4], eax
		mov	edx, [esi+14h]
		and	edx, 0FFFFFFF8h
		test	ecx, ecx
		jnz	short loc_99FD32
		mov	ecx, eax
		jmp	short loc_99FD42
; 

loc_99FD32:				; CODE XREF: MiGetSectionStrongImageReference(x)+1Cj
		lea	eax, [ebp+var_4]
		push	eax
		push	edx
		call	ecx
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_99FD45
		mov	eax, [ebp+var_4]

loc_99FD42:				; CODE XREF: MiGetSectionStrongImageReference(x)+20j
		mov	[esi+18h], eax

loc_99FD45:				; CODE XREF: MiGetSectionStrongImageReference(x)+2Dj
		mov	eax, ecx
		pop	esi
		leave
		retn
_MiGetSectionStrongImageReference@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeleteInsertedCloneVads(x)
_MiDeleteInsertedCloneVads@4 proc near	; CODE XREF: MiCloneProcessAddressSpace+B4AA5p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_1C]
		push	6
		xor	eax, eax
		mov	[ebp+var_24], ebx
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		xor	edx, edx
		mov	[ebp+var_20], eax
		mov	ecx, ebx
		lea	eax, [ebp+var_1C]
		push	eax
		call	KiStackAttachProcess
		mov	eax, [ebx+24Ch]
		or	byte ptr [eax+85h], 1
		xor	esi, esi
		mov	eax, [ebx+350h]
		jmp	short loc_99FD9F
; 

loc_99FD9B:				; CODE XREF: MiDeleteInsertedCloneVads(x)+57j
		mov	esi, eax
		mov	eax, [eax]

loc_99FD9F:				; CODE XREF: MiDeleteInsertedCloneVads(x)+4Fj
		test	eax, eax
		jnz	short loc_99FD9B
		test	esi, esi
		jz	short loc_99FDF9
		mov	ebx, [ebp+var_20]

loc_99FDAA:				; CODE XREF: MiDeleteInsertedCloneVads(x)+AAj
		mov	eax, [esi+4]
		mov	edi, esi
		mov	ecx, esi
		test	eax, eax
		jz	short loc_99FDCF
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_99FDD7

loc_99FDBD:				; CODE XREF: MiDeleteInsertedCloneVads(x)+7Bj
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_99FDBD
		jmp	short loc_99FDD7
; 

loc_99FDC9:				; CODE XREF: MiDeleteInsertedCloneVads(x)+8Bj
		cmp	[esi], ecx
		jz	short loc_99FDD7
		mov	ecx, esi

loc_99FDCF:				; CODE XREF: MiDeleteInsertedCloneVads(x)+69j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_99FDC9

loc_99FDD7:				; CODE XREF: MiDeleteInsertedCloneVads(x)+71j
					; MiDeleteInsertedCloneVads(x)+7Dj ...
		mov	edx, edi
		mov	ecx, ebx
		call	_MiLockVad@8	; MiLockVad(x,x)
		mov	ecx, edi
		call	_MiReferenceVad@4 ; MiReferenceVad(x)
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	_MiDeleteVad@12	; MiDeleteVad(x,x,x)
		test	esi, esi
		jnz	short loc_99FDAA
		mov	ebx, [ebp+var_24]

loc_99FDF9:				; CODE XREF: MiDeleteInsertedCloneVads(x)+5Bj
		mov	eax, [ebx+148h]
		xor	esi, esi
		jmp	short loc_99FE07
; 

loc_99FE03:				; CODE XREF: MiDeleteInsertedCloneVads(x)+BFj
		mov	esi, eax
		mov	eax, [eax]

loc_99FE07:				; CODE XREF: MiDeleteInsertedCloneVads(x)+B7j
		test	eax, eax
		jnz	short loc_99FE03
		jmp	short loc_99FE43
; 

loc_99FE0D:				; CODE XREF: MiDeleteInsertedCloneVads(x)+FDj
		and	dword ptr [esi+18h], 0
		mov	edx, esi
		call	_MiDeleteCloneDescriptor@8 ; MiDeleteCloneDescriptor(x,x)
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jz	short loc_99FE3B
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_99FE43

loc_99FE29:				; CODE XREF: MiDeleteInsertedCloneVads(x)+E7j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_99FE29
		jmp	short loc_99FE43
; 

loc_99FE35:				; CODE XREF: MiDeleteInsertedCloneVads(x)+F7j
		cmp	[esi], ecx
		jz	short loc_99FE43
		mov	ecx, esi

loc_99FE3B:				; CODE XREF: MiDeleteInsertedCloneVads(x)+D5j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_99FE35

loc_99FE43:				; CODE XREF: MiDeleteInsertedCloneVads(x)+C1j
					; MiDeleteInsertedCloneVads(x)+DDj ...
		mov	ecx, ebx
		test	esi, esi
		jnz	short loc_99FE0D
		xor	edx, edx
		call	MiDeleteCloneZombies
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiDeleteInsertedCloneVads@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiDeletePartialCloneVads(x,	x)
_MiDeletePartialCloneVads@8 proc near	; CODE XREF: MiAllocateChildVads+B4A39p
					; MiInsertChildVads+B468Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+80h]
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	esi, ecx
		jmp	loc_99FF55
; 

loc_99FE8C:				; CODE XREF: MiDeletePartialCloneVads(x,x)+EEj
		mov	edi, [edi]
		mov	edx, esi
		push	4
		mov	ecx, ebx
		call	_MiFreeVadEventBitmap@12 ; MiFreeVadEventBitmap(x,x,x)
		mov	ecx, esi
		call	_MiIsVadLargePrivate@4 ; MiIsVadLargePrivate(x)
		test	eax, eax
		jz	short loc_99FED2
		cmp	[ebp+var_4], 1
		jnz	short loc_99FEFD
		push	10h
		pop	edx
		call	MiGetVadWakeList
		push	1
		push	eax
		mov	edx, esi
		mov	[ebp+var_8], eax
		mov	ecx, ebx
		call	_MiFreeLargePageView@16	; MiFreeLargePageView(x,x,x,x)
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_99FEFD
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_99FEFD
; 

loc_99FED2:				; CODE XREF: MiDeletePartialCloneVads(x,x)+39j
		mov	eax, [esi+1Ch]
		and	al, 70h
		cmp	al, 20h
		jnz	short loc_99FEFD
		mov	eax, [esi+2Ch]
		mov	eax, [eax]
		mov	[ebp+var_8], eax
		test	dword ptr [eax+1Ch], 4000000h
		jz	short loc_99FEFD
		mov	ecx, ebx
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		call	_MiDereferencePerSessionProtos@8 ; MiDereferencePerSessionProtos(x,x)

loc_99FEFD:				; CODE XREF: MiDeletePartialCloneVads(x,x)+3Fj
					; MiDeletePartialCloneVads(x,x)+5Dj ...
		mov	ecx, esi
		call	_MiVadHasSharedCommit@4	; MiVadHasSharedCommit(x)
		test	eax, eax
		jz	short loc_99FF16
		mov	ecx, [esi+2Ch]
		mov	edx, ebx
		push	0
		mov	ecx, [ecx]
		call	MiRemoveSharedCommitNode

loc_99FF16:				; CODE XREF: MiDeletePartialCloneVads(x,x)+9Dj
		mov	ecx, [esi+1Ch]
		test	ecx, 100000h
		jnz	short loc_99FF3D
		mov	eax, ecx
		and	al, 70h
		cmp	al, 20h
		jnz	short loc_99FF3D
		test	ecx, 200000h
		jz	short loc_99FF3D
		mov	eax, [ebx+24Ch]
		dec	dword ptr [eax+98h]

loc_99FF3D:				; CODE XREF: MiDeletePartialCloneVads(x,x)+B6j
					; MiDeletePartialCloneVads(x,x)+BEj ...
		mov	ecx, esi
		call	MiFreePlaceholderStorage
		mov	ecx, esi
		call	_MiFreeVadEvents@4 ; MiFreeVadEvents(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, edi

loc_99FF55:				; CODE XREF: MiDeletePartialCloneVads(x,x)+1Ej
		test	edi, edi
		jnz	loc_99FE8C
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiDeletePartialCloneVads@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiExtendWorkingSetSwapPagefile(x, x, x)
_MiExtendWorkingSetSwapPagefile@12 proc	near ; CODE XREF: MmOutSwapVirtualAddresses+F7554p
					; MmOutSwapWorkingSet+F7124p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		add	edx, 7FFFh
		push	0
		and	edx, 0FFFF8000h
		call	_MiIssuePageExtendRequest@16 ; MiIssuePageExtendRequest(x,x,x,x)
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFF67h
		add	eax, 0C0000099h
		pop	ebp
		retn	4
_MiExtendWorkingSetSwapPagefile@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInSwapSharedWorkingSetWorker(x)
_MiInSwapSharedWorkingSetWorker@4 proc near ; DATA XREF: MmInSwapWorkingSet+F7645o

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0A4h+var_4], eax
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, [edx+18h]
		lea	edi, [esp+0B0h+var_80]
		push	6
		pop	ecx
		rep stosd
		xor	edi, edi
		mov	[esp+0B0h+var_9C], edx
		lea	eax, [esp+0B0h+var_80]
		mov	[esp+0B0h+var_90], edi
		push	eax
		xor	edx, edx
		mov	[esp+0B4h+var_8C], edi
		mov	ecx, ebx
		mov	[esp+0B4h+var_88], edi
		mov	[esp+0B4h+var_84], edi
		call	KiStackAttachProcess
		mov	eax, _EtwpMemoryProvRegHandle
		xor	esi, esi
		push	edi
		push	80h
		push	edi
		mov	edi, dword_6BC304
		inc	esi
		push	edi
		push	eax
		mov	[esp+0C4h+var_94], esi
		mov	[esp+0C4h+var_A0], eax
		call	EtwProviderEnabled
		test	al, al
		jz	short loc_9A0059
		push	ebx
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	[esp+0B0h+var_98], eax
		xor	ecx, ecx
		push	4
		pop	edx
		lea	eax, [esp+0B0h+var_98]
		mov	[esp+0B0h+var_64], ecx
		mov	[esp+0B0h+var_68], eax
		lea	eax, [esp+0B0h+var_94]
		mov	[esp+0B0h+var_58], eax
		lea	eax, [esp+0B0h+var_68]
		push	eax
		push	2
		push	ecx
		push	offset _KERNEL_MEM_EVENT_WS_INSWAP_START
		push	edi
		push	[esp+0C4h+var_A0]
		mov	[esp+0C8h+var_60], edx
		mov	[esp+0C8h+var_5C], ecx
		mov	[esp+0C8h+var_54], ecx
		mov	[esp+0C8h+var_50], edx
		mov	[esp+0C8h+var_4C], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9A0059:				; CODE XREF: MiInSwapSharedWorkingSetWorker(x)+7Aj
		lea	edi, [ebx+3D8h]
		mov	eax, 3E8h
		xchg	eax, [edi]
		push	esi
		mov	esi, [esp+0B4h+var_9C]
		mov	ecx, [esi+4]
		call	MiProcessWsInSwapSupport
		xor	eax, eax
		xchg	eax, [edi]
		mov	edi, dword_6BC304
		mov	eax, _EtwpMemoryProvRegHandle
		or	[esp+0B0h+var_84], 0FFFFFFFFh
		push	0
		push	80h
		push	0
		push	edi
		push	eax
		mov	[esp+0C4h+var_A0], eax
		call	EtwProviderEnabled
		test	al, al
		jz	short loc_9A00ED
		push	ebx
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	[esp+0B0h+var_9C], eax
		xor	ecx, ecx
		push	4
		pop	edx
		lea	eax, [esp+0B0h+var_9C]
		mov	[esp+0B0h+var_64], ecx
		mov	[esp+0B0h+var_68], eax
		lea	eax, [esp+0B0h+var_84]
		mov	[esp+0B0h+var_58], eax
		lea	eax, [esp+0B0h+var_68]
		push	eax
		push	2
		push	ecx
		push	offset _KERNEL_MEM_EVENT_WS_INSWAP_STOP
		push	edi
		push	[esp+0C4h+var_A0]
		mov	[esp+0C8h+var_60], edx
		mov	[esp+0C8h+var_5C], ecx
		mov	[esp+0C8h+var_54], ecx
		mov	[esp+0C8h+var_50], edx
		mov	[esp+0C8h+var_4C], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9A00ED:				; CODE XREF: MiInSwapSharedWorkingSetWorker(x)+10Ej
		xor	edx, edx
		lea	ecx, [esp+0B0h+var_80]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		and	dword ptr [esi+18h], 0
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	edx, esi
		mov	ecx, eax
		call	_MiFreeWorkingSetSwapContext@8 ; MiFreeWorkingSetSwapContext(x,x)
		mov	edx, 73576D4Dh
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		mov	ecx, [esp+0B0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_MiInSwapSharedWorkingSetWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAllocateCrcList(x, x, x)
_MiAllocateCrcList@12 proc near		; CODE XREF: MiCombineAllPhysicalMemory(x)+DAp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx]
		mov	ecx, edi
		mov	ebx, [eax]
		shr	ebx, 5
		mov	esi, [edi+0B00h]
		call	_MiGetPrivatePageCount@4 ; MiGetPrivatePageCount(x)
		add	esi, eax
		cmp	esi, eax
		jnb	short loc_9A0155
		or	esi, 0FFFFFFFFh

loc_9A0155:				; CODE XREF: MiAllocateCrcList(x,x,x)+23j
		cmp	esi, ebx
		jbe	short loc_9A015B
		mov	esi, ebx

loc_9A015B:				; CODE XREF: MiAllocateCrcList(x,x,x)+2Aj
		mov	eax, [edi+1000h]
		shl	esi, 5
		sub	eax, 400h
		add	esi, 0FFFh
		shr	esi, 0Ch
		test	eax, eax
		jle	short loc_9A01D9
		cmp	esi, eax
		jbe	short loc_9A017C
		mov	esi, eax

loc_9A017C:				; CODE XREF: MiAllocateCrcList(x,x,x)+4Bj
		mov	eax, [edi+1114h]
		mov	ecx, [edi+10BCh]
		cmp	ecx, eax
		jnb	short loc_9A01D9
		sub	eax, ecx
		cmp	esi, eax
		jbe	short loc_9A0194
		mov	esi, eax

loc_9A0194:				; CODE XREF: MiAllocateCrcList(x,x,x)+63j
		push	2
		pop	edx
		mov	ecx, edi
		call	_MiGetAvailablePagesBelowPriority@8 ; MiGetAvailablePagesBelowPriority(x,x)
		cmp	esi, eax
		jbe	short loc_9A01A4
		mov	esi, eax

loc_9A01A4:				; CODE XREF: MiAllocateCrcList(x,x,x)+73j
		shl	esi, 0Ch
		mov	eax, 200000h
		cmp	esi, eax
		jnb	short loc_9A01B2
		mov	esi, eax

loc_9A01B2:				; CODE XREF: MiAllocateCrcList(x,x,x)+81j
					; MiAllocateCrcList(x,x,x)+A1j
		push	0
		push	40h
		mov	edx, 6D75534Dh
		mov	ecx, esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jnz	short loc_9A01D2
		shr	esi, 1
		cmp	esi, 10000h
		jnb	short loc_9A01B2
		jmp	short loc_9A01DB
; 

loc_9A01D2:				; CODE XREF: MiAllocateCrcList(x,x,x)+97j
		mov	ecx, [ebp+arg_0]
		mov	[ecx], esi
		jmp	short loc_9A01DB
; 

loc_9A01D9:				; CODE XREF: MiAllocateCrcList(x,x,x)+47j
					; MiAllocateCrcList(x,x,x)+5Dj
		xor	eax, eax

loc_9A01DB:				; CODE XREF: MiAllocateCrcList(x,x,x)+A3j
					; MiAllocateCrcList(x,x,x)+AAj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MiAllocateCrcList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCombineAllPhysicalMemory(x)
_MiCombineAllPhysicalMemory@4 proc near	; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+1FFp

var_88		= dword	ptr -88h
var_84		= word ptr -84h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= word ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_30], ecx
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_64]
		mov	ebx, [ecx]
		stosd
		xor	edx, edx
		mov	esi, large fs:124h
		inc	edx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_70], esi
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_88]
		stosd
		stosd
		stosd
		mov	eax, [ecx+4]
		xor	edi, edi
		mov	[ebp+var_6C], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_28], eax
		mov	eax, [ecx+20h]
		mov	[ebp+var_40], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_44], eax
		mov	eax, [ebx]
		mov	ecx, eax
		mov	[ebp+var_1C], edi
		mov	[ebp+var_68], eax
		call	MiReferencePageRuns
		and	[ebp+var_38], edi
		xor	edx, edx
		mov	[ebp+var_58], eax
		mov	[ebp+var_14], edx
		lea	edx, [ebp+var_88]
		mov	ecx, [eax]
		mov	[ebp+var_2C], ecx
		lea	eax, [eax+ecx*8]
		mov	ecx, esi
		add	eax, 8
		mov	[ebp+var_48], eax
		call	KeQueryAffinityThread
		xor	ecx, ecx
		xor	esi, esi
		cmp	cx, ds:_KeNumberNodes
		jz	loc_9A0572

loc_9A028A:				; CODE XREF: MiCombineAllPhysicalMemory(x)+378j
		mov	eax, [ebp+var_68]
		imul	ecx, esi, 280h
		mov	eax, [eax+10h]
		mov	eax, [ecx+eax+1DCh]
		cmp	eax, 10h
		jb	loc_9A0550
		shl	eax, 5
		mov	ecx, ebx
		add	eax, 0FFFh
		and	eax, 0FFFFF000h
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_MiAllocateCrcList@12 ;	MiAllocateCrcList(x,x,x)
		mov	edi, eax
		mov	[ebp+var_54], edi
		test	edi, edi
		jz	loc_9A058B
		mov	eax, [ebp+var_20]
		lea	edx, [ebp+var_64]
		and	eax, 0FFFFFFE0h
		mov	ecx, esi
		add	eax, edi
		mov	ebx, edi
		push	0
		mov	[ebp+var_7C], eax
		call	_KeQueryNodeActiveDpcGangAffinity@12 ; KeQueryNodeActiveDpcGangAffinity(x,x,x)
		mov	ax, [ebp+var_60]
		cmp	ax, [ebp+var_84]
		mov	eax, [ebp+var_64]
		jnz	short loc_9A0306
		mov	ecx, [ebp+var_88]
		and	ecx, eax
		jz	short loc_9A0306
		mov	eax, ecx
		mov	[ebp+var_64], eax

loc_9A0306:				; CODE XREF: MiCombineAllPhysicalMemory(x)+113j
					; MiCombineAllPhysicalMemory(x)+11Dj
		test	eax, eax
		jz	short loc_9A0328
		cmp	[ebp+var_38], 0
		jnz	short loc_9A031D
		lea	eax, [ebp+var_10]
		mov	[ebp+var_38], 1
		push	eax
		jmp	short loc_9A031F
; 

loc_9A031D:				; CODE XREF: MiCombineAllPhysicalMemory(x)+12Cj
		push	0

loc_9A031F:				; CODE XREF: MiCombineAllPhysicalMemory(x)+139j
		lea	eax, [ebp+var_64]
		push	eax
		call	KeSetSystemGroupAffinityThread

loc_9A0328:				; CODE XREF: MiCombineAllPhysicalMemory(x)+126j
		xor	eax, eax
		mov	[ebp+var_4C], eax
		cmp	[ebp+var_2C], eax
		jbe	loc_9A053F
		mov	ecx, [ebp+var_58]
		mov	edx, [ebp+var_2C]
		add	ecx, 0Ch
		mov	edi, [ebp+var_48]
		mov	[ebp+var_50], ecx

loc_9A0345:				; CODE XREF: MiCombineAllPhysicalMemory(x)+33Fj
		cmp	[edi+eax*8], esi
		jnz	loc_9A0515
		mov	edx, [ecx-4]
		mov	eax, [ecx]
		dec	edx
		imul	edi, edx, 1Ch
		mov	[ebp+var_24], eax
		add	edi, ds:_MmPfnDatabase
		test	eax, eax
		jz	loc_9A04E8

loc_9A0368:				; CODE XREF: MiCombineAllPhysicalMemory(x)+2E2j
		mov	eax, [ebp+var_6C]
		test	eax, eax
		jz	short loc_9A0379
		cmp	dword ptr [eax+4], 0
		jnz	loc_9A04DE

loc_9A0379:				; CODE XREF: MiCombineAllPhysicalMemory(x)+18Bj
		mov	eax, [ebp+var_70]
		mov	eax, [eax+2FCh]
		test	al, 1
		jnz	loc_9A04DE
		add	edi, 1Ch
		inc	edx

loc_9A038E:				; CODE XREF: MiCombineAllPhysicalMemory(x)+213j
		movzx	eax, byte ptr [edi+16h]
		xor	ecx, ecx
		and	[ebp+var_74], 0
		inc	ecx
		and	eax, 7
		mov	[ebp+var_18], edx
		test	dword ptr [edi+18h], 800000h
		mov	[ebp+var_20], edi
		mov	[ebp+var_78], ecx
		mov	[ebp+var_3C], eax
		jz	short loc_9A03D6
		lea	eax, [ebp+var_74]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_3C]
		call	_MiGetPfnPageSizeIndexUnsynchronized@12	; MiGetPfnPageSizeIndexUnsynchronized(x,x,x)
		mov	edx, [ebp+var_18]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9A03D0
		mov	ecx, ds:_MiLargePageSizes[eax*4]
		jmp	short loc_9A03DB
; 

loc_9A03D0:				; CODE XREF: MiCombineAllPhysicalMemory(x)+1E3j
		mov	eax, [ebp+var_3C]
		mov	ecx, [ebp+var_78]

loc_9A03D6:				; CODE XREF: MiCombineAllPhysicalMemory(x)+1CDj
		cmp	eax, 1
		jg	short loc_9A03F7

loc_9A03DB:				; CODE XREF: MiCombineAllPhysicalMemory(x)+1ECj
		lea	eax, [ecx-1]
		and	eax, edx
		sub	ecx, eax
		cmp	ecx, [ebp+var_24]
		jnb	loc_9A04E8
		imul	eax, ecx, 1Ch
		add	edx, ecx
		add	edi, eax
		sub	[ebp+var_24], ecx
		jmp	short loc_9A038E
; 

loc_9A03F7:				; CODE XREF: MiCombineAllPhysicalMemory(x)+1F7j
		mov	edx, [ebp+var_40]
		mov	ecx, [ebp+var_34]
		push	edi
		call	_MiCombineCandidate@12 ; MiCombineCandidate(x,x,x)
		test	eax, eax
		mov	eax, [ebp+var_14]
		jz	loc_9A04BD
		test	eax, eax
		jnz	short loc_9A042A
		xor	edx, edx
		mov	ecx, offset dword_6D35E0
		inc	edx
		call	MiReservePtes
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_9A04D4

loc_9A042A:				; CODE XREF: MiCombineAllPhysicalMemory(x)+22Ej
		mov	ecx, [ebp+var_28]
		mov	edx, ecx
		push	0
		push	0
		push	[ebp+var_40]
		mov	[ecx+24h], eax
		mov	[ecx+20h], edi
		mov	ecx, [ebp+var_34]
		call	_MiMapArbitraryPage@20 ; MiMapArbitraryPage(x,x,x,x,x)
		test	eax, eax
		jz	short loc_9A04BA
		mov	al, [edi+16h]
		and	al, 7
		cmp	al, 6
		mov	eax, [ebp+var_44]
		jnz	short loc_9A0459
		inc	dword ptr [eax+8]
		jmp	short loc_9A045C
; 

loc_9A0459:				; CODE XREF: MiCombineAllPhysicalMemory(x)+270j
		inc	dword ptr [eax+0Ch]

loc_9A045C:				; CODE XREF: MiCombineAllPhysicalMemory(x)+275j
		mov	edx, [ebp+var_28]
		mov	ecx, [ebp+var_30]
		push	ebx
		push	0
		call	_MiPerformCombineScan@16 ; MiPerformCombineScan(x,x,x,x)
		mov	ecx, [ebp+var_28]
		mov	edi, eax
		call	_MiReleaseArbitraryPage@4 ; MiReleaseArbitraryPage(x)
		mov	edx, [ebp+var_14]
		mov	ecx, offset dword_6D35E0
		push	1
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		mov	edx, [ebp+var_18]
		xor	eax, eax
		mov	[ebp+var_14], eax
		cmp	edi, 1
		jnz	short loc_9A04CF
		and	[ebx+0Ch], eax
		and	[ebx+18h], eax
		mov	[ebx+8], edx
		add	ebx, 20h
		cmp	ebx, [ebp+var_7C]
		jnz	short loc_9A04CF
		mov	edi, [ebp+var_54]
		sub	ebx, edi
		mov	ecx, [ebp+var_30] ; int
		mov	edx, edi	; void *
		push	esi		; int
		sar	ebx, 5
		push	ebx		; size_t
		call	_MiProcessCrcList@16 ; MiProcessCrcList(x,x,x,x)
		mov	ebx, edi
		mov	edi, [ebp+var_20]

loc_9A04BA:				; CODE XREF: MiCombineAllPhysicalMemory(x)+264j
		mov	eax, [ebp+var_14]

loc_9A04BD:				; CODE XREF: MiCombineAllPhysicalMemory(x)+226j
		mov	edx, [ebp+var_18]

loc_9A04C0:				; CODE XREF: MiCombineAllPhysicalMemory(x)+2F0j
		sub	[ebp+var_24], 1
		jnz	loc_9A0368
		mov	edi, [ebp+var_1C]
		jmp	short loc_9A04EE
; 

loc_9A04CF:				; CODE XREF: MiCombineAllPhysicalMemory(x)+2ACj
					; MiCombineAllPhysicalMemory(x)+2BDj
		mov	edi, [ebp+var_20]
		jmp	short loc_9A04C0
; 

loc_9A04D4:				; CODE XREF: MiCombineAllPhysicalMemory(x)+242j
		mov	edi, 0C000009Ah
		mov	[ebp+var_1C], edi
		jmp	short loc_9A04EE
; 

loc_9A04DE:				; CODE XREF: MiCombineAllPhysicalMemory(x)+191j
					; MiCombineAllPhysicalMemory(x)+1A2j
		mov	edi, 0C0000240h
		mov	[ebp+var_1C], edi
		jmp	short loc_9A04EB
; 

loc_9A04E8:				; CODE XREF: MiCombineAllPhysicalMemory(x)+180j
					; MiCombineAllPhysicalMemory(x)+203j
		mov	edi, [ebp+var_1C]

loc_9A04EB:				; CODE XREF: MiCombineAllPhysicalMemory(x)+304j
		mov	eax, [ebp+var_14]

loc_9A04EE:				; CODE XREF: MiCombineAllPhysicalMemory(x)+2EBj
					; MiCombineAllPhysicalMemory(x)+2FAj
		test	eax, eax
		jz	short loc_9A0505
		push	1
		mov	edx, eax
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		xor	edx, edx
		mov	[ebp+var_14], edx

loc_9A0505:				; CODE XREF: MiCombineAllPhysicalMemory(x)+30Ej
		test	edi, edi
		js	short loc_9A0527
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_50]
		mov	edx, [ebp+var_2C]
		mov	edi, [ebp+var_48]

loc_9A0515:				; CODE XREF: MiCombineAllPhysicalMemory(x)+166j
		inc	eax
		add	ecx, 8
		mov	[ebp+var_4C], eax
		mov	[ebp+var_50], ecx
		cmp	eax, edx
		jb	loc_9A0345

loc_9A0527:				; CODE XREF: MiCombineAllPhysicalMemory(x)+325j
		mov	edi, [ebp+var_54]
		cmp	ebx, edi
		jz	short loc_9A053F
		mov	ecx, [ebp+var_30] ; int
		sub	ebx, edi
		push	esi		; int
		sar	ebx, 5
		mov	edx, edi	; void *
		push	ebx		; size_t
		call	_MiProcessCrcList@16 ; MiProcessCrcList(x,x,x,x)

loc_9A053F:				; CODE XREF: MiCombineAllPhysicalMemory(x)+14Ej
					; MiCombineAllPhysicalMemory(x)+34Aj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+var_1C], 0
		jl	short loc_9A0560
		mov	ebx, [ebp+var_34]

loc_9A0550:				; CODE XREF: MiCombineAllPhysicalMemory(x)+BEj
		movzx	eax, ds:_KeNumberNodes
		inc	esi
		cmp	esi, eax
		jnz	loc_9A028A

loc_9A0560:				; CODE XREF: MiCombineAllPhysicalMemory(x)+369j
		mov	edi, [ebp+var_1C]

loc_9A0563:				; CODE XREF: MiCombineAllPhysicalMemory(x)+3AEj
		cmp	[ebp+var_38], 1
		jnz	short loc_9A0572
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread

loc_9A0572:				; CODE XREF: MiCombineAllPhysicalMemory(x)+A2j
					; MiCombineAllPhysicalMemory(x)+385j
		mov	ecx, [ebp+var_58]
		call	_MiDereferencePageRuns@4 ; MiDereferencePageRuns(x)
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_9A058B:				; CODE XREF: MiCombineAllPhysicalMemory(x)+E6j
		mov	edi, 0C000009Ah
		jmp	short loc_9A0563
_MiCombineAllPhysicalMemory@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCombineIdenticalPages(x, x, x, x,	x, x)
_MiCombineIdenticalPages@24 proc near	; CODE XREF: MmCombineIdenticalPages(x,x,x,x)+28p
					; MmManagePartitionCombineMemory(x,x,x,x)+2Dp

var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0C4h+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		mov	ebx, [ebp+arg_4]
		lea	edi, [esp+0D0h+var_90]
		mov	[esp+0D0h+var_B4], eax
		mov	esi, edx
		push	0Ah
		xor	eax, eax
		mov	[esp+0D4h+var_B0], ecx
		pop	ecx
		rep stosd
		lea	edi, [esp+0D0h+var_2C]
		stosd
		push	3Ch		; size_t
		push	0		; int
		stosd
		stosd
		stosd
		lea	eax, [esp+0D8h+var_68]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [esp+0D0h+var_1C]
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		mov	eax, [esp+0D0h+var_B4]
		xor	ecx, ecx
		mov	[esp+0D0h+var_BC], ecx
		mov	[esp+0D0h+var_C0], ecx
		mov	[eax], ecx
		mov	eax, [ebp+arg_0]
		test	eax, 0FFFFFFFCh
		jz	short loc_9A061A
		mov	esi, 0C00000F1h
		jmp	loc_9A081D
; 

loc_9A061A:				; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+7Cj
		and	eax, 2
		mov	[esp+0D0h+var_AC], eax
		jz	short loc_9A063D
		test	ebx, ebx
		jnz	short loc_9A062A
		or	ebx, 0FFFFFFFFh

loc_9A062A:				; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+93j
					; MiCombineIdenticalPages(x,x,x,x,x,x)+ADj
		test	ds:byte_7051B0,	1
		jz	short loc_9A064B
		mov	esi, 0C00000BBh
		jmp	loc_9A081D
; 

loc_9A063D:				; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+8Fj
		test	ebx, ebx
		jz	short loc_9A062A
		mov	esi, 0C000000Dh
		jmp	loc_9A081D
; 

loc_9A064B:				; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+9Fj
		test	esi, esi
		jz	short loc_9A067E
		mov	eax, ds:_ExEventObjectType
		push	ecx
		mov	[esp+0D4h+var_B8], ecx
		lea	ecx, [esp+0D4h+var_B8]
		push	ecx
		push	[ebp+arg_8]
		push	eax
		push	1
		push	esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [esp+0D0h+var_B8]
		mov	[esp+0D0h+var_BC], eax
		test	esi, esi
		js	loc_9A0812
		xor	ecx, ecx

loc_9A067E:				; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+BBj
		test	ebx, ebx
		jz	short loc_9A06BE
		mov	eax, ds:_PsProcessType
		push	ecx
		mov	[esp+0D4h+var_C0], ecx
		lea	ecx, [esp+0D4h+var_C0]
		push	ecx
		push	[ebp+arg_8]
		push	eax
		push	18h
		push	ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, [esp+0D0h+var_C0]
		mov	esi, eax
		test	esi, esi
		js	loc_9A07F5
		lea	eax, [esp+0D0h+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	KiStackAttachProcess
		jmp	short loc_9A06C2
; 

loc_9A06BE:				; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+EEj
		mov	ebx, [esp+0D0h+var_C0]

loc_9A06C2:				; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+12Aj
		mov	edi, [esp+0D0h+var_B0]
		mov	eax, large fs:124h
		add	edi, 0E20h
		test	byte ptr [ebp+arg_0], 1
		mov	[esp+0D0h+var_C0], eax
		jz	short loc_9A06E6
		mov	esi, 0C00000BBh
		jmp	loc_9A07F5
; 

loc_9A06E6:				; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+148j
		dec	word ptr [eax+13Ch]
		nop
		push	1
		lea	edx, [esp+0D4h+var_90]
		mov	ecx, edi
		call	_MiCombiningInProgress@12 ; MiCombiningInProgress(x,x,x)
		mov	eax, dword_6D3500
		lea	ecx, [esp+0D0h+var_68]
		and	[esp+0D0h+var_A8], 0
		or	[esp+0D0h+var_A4], 0FFFFFFFFh
		cmp	[esp+0D0h+var_AC], 0
		mov	[esp+0D0h+var_A0], eax
		mov	eax, dword_6D3504
		mov	[esp+0D0h+var_9C], eax
		mov	eax, dword_6D3508
		mov	[esp+0D0h+var_98], eax
		mov	eax, dword_6D350C
		mov	[esp+0D0h+var_94], eax
		lea	eax, [esp+0D0h+var_A0]
		mov	[esp+0D0h+var_54], eax
		lea	eax, [esp+0D0h+var_A8]
		mov	[esp+0D0h+var_50], eax
		mov	eax, [esp+0D0h+var_BC]
		mov	[esp+0D0h+var_64], eax
		lea	eax, [esp+0D0h+var_90]
		mov	[esp+0D0h+var_60], eax
		lea	eax, [esp+0D0h+var_2C]
		mov	[esp+0D0h+var_5C], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+0D0h+var_4C], 2
		mov	[esp+0D0h+var_68], edi
		mov	[esp+0D0h+var_48], eax
		jz	short loc_9A078C
		lea	eax, [ebx+240h]
		mov	[esp+0D0h+var_58], eax
		call	_MiCombineWorkingSet@4 ; MiCombineWorkingSet(x)
		jmp	short loc_9A0796
; 

loc_9A078C:				; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+1E7j
		and	[esp+0D0h+var_58], 0
		call	_MiCombineAllPhysicalMemory@4 ;	MiCombineAllPhysicalMemory(x)

loc_9A0796:				; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+1F8j
		mov	ecx, [esp+0D0h+var_B4]
		mov	esi, eax
		mov	eax, [esp+0D0h+var_2C]
		mov	[ecx], eax
		lock inc dword ptr [edi+0D0h]
		mov	ecx, [esp+0D0h+var_28]
		lea	eax, [edi+0C8h]
		lock xadd [eax], ecx
		mov	edx, [esp+0D0h+var_24]
		lea	eax, [edi+0B8h]
		lock xadd [eax], edx
		mov	edx, [esp+0D0h+var_20]
		lea	eax, [edi+0C0h]
		lock xadd [eax], edx
		push	0
		lea	edx, [esp+0D4h+var_90]
		mov	ecx, edi
		call	_MiCombiningInProgress@12 ; MiCombiningInProgress(x,x,x)
		mov	ecx, [esp+0D0h+var_C0]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9A07F5:				; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+113j
					; MiCombineIdenticalPages(x,x,x,x,x,x)+14Fj
		test	ebx, ebx
		jz	short loc_9A080E
		xor	edx, edx
		lea	ecx, [esp+0D0h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_9A080E:				; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+265j
		mov	eax, [esp+0D0h+var_BC]

loc_9A0812:				; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+E4j
		test	eax, eax
		jz	short loc_9A081D
		mov	ecx, eax
		call	ObfDereferenceObject

loc_9A081D:				; CODE XREF: MiCombineIdenticalPages(x,x,x,x,x,x)+83j
					; MiCombineIdenticalPages(x,x,x,x,x,x)+A6j ...
		mov	ecx, [esp+0D0h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_MiCombineIdenticalPages@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl MiCombinePageSortByHash(const void *,const void *)
_MiCombinePageSortByHash proc near	; DATA XREF: MiProcessCrcList(x,x,x,x)+51o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [eax+4]
		mov	edx, [eax]
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		cmp	esi, eax
		ja	short loc_9A0865
		jb	short loc_9A0856
		cmp	edx, ecx
		jnb	short loc_9A085B

loc_9A0856:				; CODE XREF: _MiCombinePageSortByHash+1Aj
		or	eax, 0FFFFFFFFh
		jmp	short loc_9A086C
; 

loc_9A085B:				; CODE XREF: _MiCombinePageSortByHash+1Ej
		cmp	esi, eax
		jb	short loc_9A086A
		ja	short loc_9A0865
		cmp	edx, ecx
		jbe	short loc_9A086A

loc_9A0865:				; CODE XREF: _MiCombinePageSortByHash+18j
					; _MiCombinePageSortByHash+29j
		xor	eax, eax
		inc	eax
		jmp	short loc_9A086C
; 

loc_9A086A:				; CODE XREF: _MiCombinePageSortByHash+27j
					; _MiCombinePageSortByHash+2Dj
		xor	eax, eax

loc_9A086C:				; CODE XREF: _MiCombinePageSortByHash+23j
					; _MiCombinePageSortByHash+32j
		pop	esi
		pop	ebp
		retn
_MiCombinePageSortByHash endp


;  S U B	R O U T	I N E 


; __stdcall MiDereferenceCombineCrc(x)
_MiDereferenceCombineCrc@4 proc	near	; CODE XREF: MiProcessCrcList(x,x,x,x)+55Fp
					; MiProcessCrcList(x,x,x,x):loc_9A0F58p
		mov	edi, edi
		push	ecx
		mov	edx, [ecx+18h]
		cmp	edx, 100h
		jnb	short loc_9A0881
		xor	eax, eax
		pop	ecx
		retn
; 

loc_9A0881:				; CODE XREF: MiDereferenceCombineCrc(x)+Cj
		add	edx, 20h
		call	_MiDecrementCombinedPte@8 ; MiDecrementCombinedPte(x,x)
		xor	eax, eax
		inc	eax
		pop	ecx
		retn
_MiDereferenceCombineCrc@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeCombineMdls(x)
_MiFreeCombineMdls@4 proc near		; CODE XREF: MiCombineWorkingSet(x)+C4p
					; MiProcessCrcList(x,x,x,x)+5D1p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, ecx
		push	esi
		push	edi
		mov	[ebp+var_C], eax
		xor	edi, edi
		lea	ebx, [eax+30h]

loc_9A08A3:				; CODE XREF: MiFreeCombineMdls(x)+84j
		mov	esi, [eax+edi*4+24h]
		test	esi, esi
		jz	short loc_9A0903

loc_9A08AB:				; CODE XREF: MiFreeCombineMdls(x)+70j
		mov	eax, [esi]
		mov	edx, [esi+18h]
		mov	[ebp+var_8], eax
		mov	eax, [esi+14h]
		cmp	edx, eax
		jz	short loc_9A08E6
		sub	eax, edx
		lea	ecx, [esi+1Ch]
		shr	eax, 0Ch
		mov	[ebp+var_4], eax
		shr	edx, 0Ch
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [ecx+edx*4]
		push	eax		; void *
		push	ecx		; void *
		call	_memmove
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		shl	eax, 0Ch
		and	dword ptr [esi+18h], 0
		mov	[esi+14h], eax

loc_9A08E6:				; CODE XREF: MiFreeCombineMdls(x)+2Aj
		xor	edx, edx
		mov	ecx, esi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_8]
		mov	esi, eax
		test	eax, eax
		jnz	short loc_9A08AB
		mov	eax, [ebp+var_C]

loc_9A0903:				; CODE XREF: MiFreeCombineMdls(x)+1Bj
		and	dword ptr [eax+edi*4+24h], 0
		and	dword ptr [ebx], 0
		inc	edi
		add	ebx, 4
		cmp	edi, 3
		jb	short loc_9A08A3
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiFreeCombineMdls@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiPopulateCombineMdls(x, x,	x)
_MiPopulateCombineMdls@12 proc near	; CODE XREF: MiProcessCrcList(x,x,x,x)+4E4p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ecx]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	eax, [eax]
		lea	esi, [ecx+24h]
		mov	[ebp+var_10], eax
		lea	ebx, [ecx+30h]
		mov	eax, offset _MiCombineMinimumPages
		mov	[ebp+var_8], ecx
		sub	edx, eax
		sub	eax, esi
		push	edi
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], eax

loc_9A0947:				; CODE XREF: MiPopulateCombineMdls(x,x,x)+C5j
		add	eax, esi
		mov	edx, [eax+edx]
		test	edx, edx
		jz	short loc_9A09C8
		cmp	edx, 0FFFFEh
		jbe	short loc_9A095D
		mov	edx, 0FFFFEh

loc_9A095D:				; CODE XREF: MiPopulateCombineMdls(x,x,x)+3Dj
		mov	ecx, [ebx]
		mov	edi, [esi]
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	short loc_9A096C
		cmp	ecx, edx
		jnb	short loc_9A09C8

loc_9A096C:				; CODE XREF: MiPopulateCombineMdls(x,x,x)+4Dj
		mov	ecx, [ebp+var_8]
		test	byte ptr [ecx+20h], 2
		mov	ecx, [ebp+var_C]
		jz	short loc_9A0980
		mov	eax, [eax]
		cmp	edx, eax
		jnb	short loc_9A0980
		mov	edx, eax

loc_9A0980:				; CODE XREF: MiPopulateCombineMdls(x,x,x)+5Dj
					; MiPopulateCombineMdls(x,x,x)+63j
		xor	eax, eax
		sub	edx, ecx
		mov	ecx, [ebp+var_10]
		push	eax
		push	eax
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	eax
		push	eax
		push	13h
		push	[ebp+arg_0]
		shl	edx, 0Ch
		push	[ebp+var_4]
		call	MiAllocatePagesForMdl
		mov	edx, eax
		test	edx, edx
		jz	short loc_9A09C8
		mov	ecx, [edx+14h]
		shr	ecx, 0Ch
		add	[ebx], ecx
		cmp	dword ptr [esi], 0
		jnz	short loc_9A09B6
		mov	[esi], edx
		jmp	short loc_9A09C8
; 

loc_9A09B6:				; CODE XREF: MiPopulateCombineMdls(x,x,x)+97j
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_9A09C6

loc_9A09BC:				; CODE XREF: MiPopulateCombineMdls(x,x,x)+ABj
		mov	eax, [ecx]
		mov	edi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_9A09BC

loc_9A09C6:				; CODE XREF: MiPopulateCombineMdls(x,x,x)+A1j
		mov	[edi], edx

loc_9A09C8:				; CODE XREF: MiPopulateCombineMdls(x,x,x)+35j
					; MiPopulateCombineMdls(x,x,x)+51j ...
		mov	eax, [ebp+var_4]
		add	ebx, 4
		mov	edx, [ebp+var_18]
		inc	eax
		add	esi, 4
		mov	[ebp+var_4], eax
		cmp	eax, 3
		mov	eax, [ebp+var_14]
		jb	loc_9A0947
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiPopulateCombineMdls@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall MiProcessCrcList(int,void *,size_t,int)
_MiProcessCrcList@16 proc near		; CODE XREF: MiCombineWorkingSetTail(x)+41p
					; MiCombineAllPhysicalMemory(x)+2CEp ...

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[esp+70h+var_48], ecx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		mov	[esp+74h+var_2C], eax
		mov	[esp+74h+var_28], eax
		mov	[esp+74h+var_38], eax
		mov	[esp+74h+var_34], eax
		mov	[esp+74h+var_18], ebx
		push	edi
		lea	edi, [esp+78h+var_10]
		stosd
		stosd
		stosd
		test	esi, esi
		jz	loc_9A0FF4
		mov	eax, [ecx+20h]
		mov	edx, [ecx]
		and	[esp+78h+var_68], 0
		push	offset _MiCombinePageSortByHash	; int __cdecl (*)(const	void *,const void *)
		push	20h		; size_t
		mov	[esp+80h+var_40], eax
		mov	eax, [ecx+4]
		push	esi		; size_t
		push	ebx		; void *
		mov	[esp+88h+var_4C], edx
		mov	[esp+88h+var_1C], eax
		mov	[esp+88h+var_14], edx
		call	_qsort
		mov	ecx, large fs:124h
		lea	eax, [esp+88h+var_54]
		shl	esi, 5
		xor	edi, edi
		and	[esp+88h+var_20], edi
		add	esp, 10h
		and	[esp+78h+var_58], edi
		mov	[esp+78h+var_50], eax
		mov	[esp+78h+var_54], eax
		lea	eax, [esi-20h]
		add	eax, ebx
		mov	[esp+78h+var_3C], ecx
		mov	[esp+78h+var_6C], edi
		mov	esi, ebx
		mov	[esp+78h+var_64], eax
		cmp	ebx, eax
		ja	loc_9A0D47

loc_9A0A9B:				; CODE XREF: MiProcessCrcList(x,x,x,x)+353j
		mov	eax, [esp+78h+var_1C]
		test	eax, eax
		jz	short loc_9A0AAD
		cmp	dword ptr [eax+4], 0
		jnz	loc_9A0D43

loc_9A0AAD:				; CODE XREF: MiProcessCrcList(x,x,x,x)+B6j
		mov	eax, [ecx+2FCh]
		test	al, 1
		jnz	loc_9A0D43
		imul	ecx, [esi+8], 1Ch
		xor	ebx, ebx
		add	ecx, ds:_MmPfnDatabase
		mov	[esp+78h+var_5C], ecx
		mov	edi, [ecx+8]
		mov	eax, [ecx+0Ch]
		mov	edx, [ecx+4]
		shrd	edi, eax, 5
		or	edx, 80000000h
		and	edi, 1Fh
		mov	[esp+78h+var_24], edx
		mov	ecx, edi
		call	_MiValidCombineProtection@4 ; MiValidCombineProtection(x)
		test	eax, eax
		jz	loc_9A0D20
		lea	eax, [edx+40000000h]
		cmp	eax, offset loc_7FFFFF
		ja	loc_9A0D20
		mov	edx, [esi]
		mov	ecx, [esi+4]
		cmp	esi, [esp+6Ch+var_58]
		jz	short loc_9A0B1A
		cmp	edx, [esi+20h]
		jnz	short loc_9A0B1A
		cmp	ecx, [esi+24h]
		jz	short loc_9A0B2C

loc_9A0B1A:				; CODE XREF: MiProcessCrcList(x,x,x,x)+123j
					; MiProcessCrcList(x,x,x,x)+128j
		cmp	esi, [esp+6Ch+var_C]
		jz	short loc_9A0B43
		cmp	edx, [esp+6Ch+var_14]
		jnz	short loc_9A0B43
		cmp	ecx, [esp+6Ch+var_4C]
		jnz	short loc_9A0B43

loc_9A0B2C:				; CODE XREF: MiProcessCrcList(x,x,x,x)+12Dj
		mov	eax, [esp+6Ch+var_50]
		mov	al, [eax+16h]
		and	al, 0C0h
		cmp	al, 0C0h
		jb	short loc_9A0B63
		and	[esi], ebx
		and	[esi+4], ebx
		jmp	loc_9A0D20
; 

loc_9A0B43:				; CODE XREF: MiProcessCrcList(x,x,x,x)+133j
					; MiProcessCrcList(x,x,x,x)+139j ...
		push	0
		push	0
		push	ecx
		mov	ecx, [esp+78h+var_40]
		push	edx
		mov	edx, edi
		call	_MiAllocateCombineProto@24 ; MiAllocateCombineProto(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9A0D20
		mov	edx, [esi]
		mov	ecx, [esi+4]

loc_9A0B63:				; CODE XREF: MiProcessCrcList(x,x,x,x)+14Cj
		and	[esp+6Ch+var_54], 0
		lea	eax, [esp+6Ch+var_2C]
		push	eax
		lea	eax, [esp+70h+var_1C]
		push	eax
		lea	eax, [esp+74h+var_20]
		push	eax
		lea	eax, [esp+78h+var_54]
		push	eax
		push	ecx
		mov	ecx, [esp+80h+var_3C]
		push	edx
		push	[esp+84h+var_34]
		mov	edx, [esp+88h+var_50]
		call	_MiCapturePfnVm@36 ; MiCapturePfnVm(x,x,x,x,x,x,x,x,x)
		mov	[esp+6Ch+var_50], eax
		test	eax, eax
		jz	loc_9A0D00
		mov	eax, [esp+6Ch+var_18]
		cmp	[esp+6Ch+var_20], eax
		jnz	loc_9A0D00
		cmp	[esp+6Ch+var_1C], edi
		jnz	loc_9A0D00
		test	ebx, ebx
		jz	short loc_9A0C04
		mov	edx, [esp+6Ch+var_2C]
		cmp	[ebx+28h], edx
		jnz	short loc_9A0BC9
		mov	ecx, [esp+6Ch+var_28]
		cmp	[ebx+2Ch], ecx
		jz	short loc_9A0C0C

loc_9A0BC9:				; CODE XREF: MiProcessCrcList(x,x,x,x)+1D3j
		lea	edx, [ebx+20h]
		call	_MiDecrementCombinedPte@8 ; MiDecrementCombinedPte(x,x)
		mov	ecx, [esp+6Ch+var_40]
		lea	eax, [esp+6Ch+var_2C]
		push	0
		push	eax
		push	dword ptr [esi+4]
		mov	edx, edi
		push	dword ptr [esi]
		call	_MiAllocateCombineProto@24 ; MiAllocateCombineProto(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9A0C04
		mov	ecx, [esp+6Ch+var_54]
		test	ecx, ecx
		jz	loc_9A0D19
		call	ObfDereferenceObject
		jmp	loc_9A0D19
; 

loc_9A0C04:				; CODE XREF: MiProcessCrcList(x,x,x,x)+1CAj
					; MiProcessCrcList(x,x,x,x)+201j
		mov	ecx, [esp+6Ch+var_28]
		mov	edx, [esp+6Ch+var_2C]

loc_9A0C0C:				; CODE XREF: MiProcessCrcList(x,x,x,x)+1DCj
		mov	[esi+18h], edi
		mov	[esi+10h], edx
		mov	[esi+14h], ecx
		test	ebx, ebx
		jz	short loc_9A0C1C
		mov	[esi+18h], ebx

loc_9A0C1C:				; CODE XREF: MiProcessCrcList(x,x,x,x)+22Cj
		mov	edi, [esp+6Ch+var_5C]
		test	edi, edi
		jz	short loc_9A0C3A
		mov	ecx, [esp+6Ch+var_50]

loc_9A0C28:				; CODE XREF: MiProcessCrcList(x,x,x,x)+24Dj
		cmp	ecx, [edi+10h]
		ja	short loc_9A0C33
		jnb	short loc_9A0C7E
		mov	edi, [edi]
		jmp	short loc_9A0C36
; 

loc_9A0C33:				; CODE XREF: MiProcessCrcList(x,x,x,x)+240j
		mov	edi, [edi+4]

loc_9A0C36:				; CODE XREF: MiProcessCrcList(x,x,x,x)+246j
		test	edi, edi
		jnz	short loc_9A0C28

loc_9A0C3A:				; CODE XREF: MiProcessCrcList(x,x,x,x)+237j
					; MiProcessCrcList(x,x,x,x)+295j
		push	0
		push	40h
		push	1Ch
		mov	edx, 6D56694Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9A0C91
		mov	ecx, [esp+6Ch+var_54]
		test	ecx, ecx
		jz	short loc_9A0C5E
		call	ObfDereferenceObject

loc_9A0C5E:				; CODE XREF: MiProcessCrcList(x,x,x,x)+26Cj
		test	ebx, ebx
		jz	loc_9A0D20
		lea	edx, [ebx+20h]
		call	_MiDecrementCombinedPte@8 ; MiDecrementCombinedPte(x,x)
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		and	dword ptr [esi+18h], 0
		jmp	loc_9A0D20
; 

loc_9A0C7E:				; CODE XREF: MiProcessCrcList(x,x,x,x)+242j
		test	edi, edi
		jz	short loc_9A0C3A
		mov	ecx, [esp+6Ch+var_54]
		test	ecx, ecx
		jz	short loc_9A0CDF
		call	ObfDereferenceObject
		jmp	short loc_9A0CDF
; 

loc_9A0C91:				; CODE XREF: MiProcessCrcList(x,x,x,x)+264j
		mov	eax, [esp+6Ch+var_54]
		mov	edx, [esp+6Ch+var_50]
		mov	[edi+14h], eax
		mov	eax, [esp+6Ch+var_5C]
		mov	[edi+10h], edx
		mov	byte ptr [esp+6Ch+var_38], 0
		test	eax, eax
		jz	short loc_9A0CCF

loc_9A0CAC:				; CODE XREF: MiProcessCrcList(x,x,x,x)+2DDj
		lea	ecx, [eax+10h]
		cmp	edx, ecx
		jnb	short loc_9A0CBF
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_9A0CC6
		mov	byte ptr [esp+6Ch+var_38], cl
		jmp	short loc_9A0CCF
; 

loc_9A0CBF:				; CODE XREF: MiProcessCrcList(x,x,x,x)+2C6j
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_9A0CCA

loc_9A0CC6:				; CODE XREF: MiProcessCrcList(x,x,x,x)+2CCj
		mov	eax, ecx
		jmp	short loc_9A0CAC
; 

loc_9A0CCA:				; CODE XREF: MiProcessCrcList(x,x,x,x)+2D9j
		mov	byte ptr [esp+6Ch+var_38], 1

loc_9A0CCF:				; CODE XREF: MiProcessCrcList(x,x,x,x)+2BFj
					; MiProcessCrcList(x,x,x,x)+2D2j
		push	edi
		push	[esp+70h+var_38]
		push	eax
		lea	eax, [esp+78h+var_5C]
		push	eax
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)

loc_9A0CDF:				; CODE XREF: MiProcessCrcList(x,x,x,x)+29Dj
					; MiProcessCrcList(x,x,x,x)+2A4j
		mov	eax, [edi+18h]
		mov	[esi+0Ch], eax
		inc	dword ptr [edi+0Ch]
		mov	eax, [esp+6Ch+var_18]
		mov	[edi+18h], esi
		mov	edi, [esp+6Ch+var_60]
		inc	edi
		shl	eax, 9
		mov	[esp+6Ch+var_60], edi
		mov	[esi+8], eax
		jmp	short loc_9A0D24
; 

loc_9A0D00:				; CODE XREF: MiProcessCrcList(x,x,x,x)+1AAj
					; MiProcessCrcList(x,x,x,x)+1B8j ...
		mov	ecx, [esp+6Ch+var_54]
		test	ecx, ecx
		jz	short loc_9A0D0D
		call	ObfDereferenceObject

loc_9A0D0D:				; CODE XREF: MiProcessCrcList(x,x,x,x)+31Bj
		test	ebx, ebx
		jz	short loc_9A0D19
		lea	edx, [ebx+20h]
		call	_MiDecrementCombinedPte@8 ; MiDecrementCombinedPte(x,x)

loc_9A0D19:				; CODE XREF: MiProcessCrcList(x,x,x,x)+209j
					; MiProcessCrcList(x,x,x,x)+214j ...
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0

loc_9A0D20:				; CODE XREF: MiProcessCrcList(x,x,x,x)+103j
					; MiProcessCrcList(x,x,x,x)+114j ...
		mov	edi, [esp+6Ch+var_60]

loc_9A0D24:				; CODE XREF: MiProcessCrcList(x,x,x,x)+313j
		mov	eax, [esi]
		mov	[esp+6Ch+var_14], eax
		mov	eax, [esi+4]
		add	esi, 20h
		mov	[esp+6Ch+var_4C], eax
		cmp	esi, [esp+6Ch+var_58]
		ja	short loc_9A0D47
		mov	ecx, [esp+6Ch+var_30]
		jmp	loc_9A0A9B
; 

loc_9A0D43:				; CODE XREF: MiProcessCrcList(x,x,x,x)+BCj
					; MiProcessCrcList(x,x,x,x)+CAj
		mov	edi, [esp+78h+var_6C]

loc_9A0D47:				; CODE XREF: MiProcessCrcList(x,x,x,x)+AAj
					; MiProcessCrcList(x,x,x,x)+34Dj
		xor	ebx, ebx
		test	edi, edi
		jz	loc_9A0F99
		push	ebx
		mov	ecx, edi
		mov	edx, 6D56694Dh
		shl	ecx, 2
		push	100h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		mov	[esp+78h+var_40], ebx
		test	ebx, ebx
		jz	loc_9A0F99
		mov	eax, [esp+78h+var_68]
		xor	esi, esi
		xor	ecx, ecx
		jmp	short loc_9A0D82
; 

loc_9A0D7E:				; CODE XREF: MiProcessCrcList(x,x,x,x)+399j
		mov	ecx, eax
		mov	eax, [eax]

loc_9A0D82:				; CODE XREF: MiProcessCrcList(x,x,x,x)+391j
		test	eax, eax
		jnz	short loc_9A0D7E
		jmp	short loc_9A0DC3
; 

loc_9A0D88:				; CODE XREF: MiProcessCrcList(x,x,x,x)+3DAj
		mov	eax, [ecx+18h]
		jmp	short loc_9A0D94
; 

loc_9A0D8D:				; CODE XREF: MiProcessCrcList(x,x,x,x)+3ABj
		mov	[ebx+esi*4], eax
		inc	esi
		mov	eax, [eax+0Ch]

loc_9A0D94:				; CODE XREF: MiProcessCrcList(x,x,x,x)+3A0j
		test	eax, eax
		jnz	short loc_9A0D8D
		mov	eax, [ecx+4]
		mov	edx, ecx
		test	eax, eax
		jz	short loc_9A0DBB
		mov	ecx, eax
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_9A0DC3

loc_9A0DA9:				; CODE XREF: MiProcessCrcList(x,x,x,x)+3C6j
		mov	eax, [edx]
		mov	ecx, edx
		mov	edx, eax
		test	eax, eax
		jnz	short loc_9A0DA9
		jmp	short loc_9A0DC3
; 

loc_9A0DB5:				; CODE XREF: MiProcessCrcList(x,x,x,x)+3D6j
		cmp	[ecx], edx
		jz	short loc_9A0DC3
		mov	edx, ecx

loc_9A0DBB:				; CODE XREF: MiProcessCrcList(x,x,x,x)+3B4j
		mov	ecx, [ecx+8]
		and	ecx, 0FFFFFFFCh
		jnz	short loc_9A0DB5

loc_9A0DC3:				; CODE XREF: MiProcessCrcList(x,x,x,x)+39Bj
					; MiProcessCrcList(x,x,x,x)+3BCj ...
		test	ecx, ecx
		jnz	short loc_9A0D88
		push	offset _MiCombineActiveCrcSortByHash ; int __cdecl (*)(const void *,const void *)
		push	4		; size_t
		push	edi		; size_t
		push	ebx		; void *
		call	_qsort
		and	[esp+88h+var_58], 0
		xor	edi, edi
		add	esp, 10h
		cmp	[esp+78h+var_6C], edi
		jbe	loc_9A0EC4
		lea	eax, [ebx+4]
		mov	[esp+78h+var_3C], eax
		mov	ebx, eax

loc_9A0DF2:				; CODE XREF: MiProcessCrcList(x,x,x,x)+4CFj
		mov	esi, [ebx-4]
		mov	eax, [esi+18h]
		mov	[esp+78h+var_64], eax
		cmp	eax, 100h
		ja	loc_9A0EB2
		test	edi, edi
		jz	short loc_9A0E19
		mov	edx, [ebx-8]
		mov	ecx, esi
		call	_MiCompareActiveCrcEntries@8 ; MiCompareActiveCrcEntries(x,x)
		test	eax, eax
		jz	short loc_9A0E31

loc_9A0E19:				; CODE XREF: MiProcessCrcList(x,x,x,x)+41Ej
		mov	eax, [esp+78h+var_6C]
		dec	eax
		cmp	edi, eax
		jz	short loc_9A0E2F
		mov	edx, [ebx]
		mov	ecx, esi
		call	_MiCompareActiveCrcEntries@8 ; MiCompareActiveCrcEntries(x,x)
		test	eax, eax
		jz	short loc_9A0E31

loc_9A0E2F:				; CODE XREF: MiProcessCrcList(x,x,x,x)+435j
		xor	edx, edx

loc_9A0E31:				; CODE XREF: MiProcessCrcList(x,x,x,x)+42Cj
					; MiProcessCrcList(x,x,x,x)+442j
		test	edx, edx
		jz	short loc_9A0E66
		mov	eax, [esp+78h+var_58]
		test	eax, eax
		jz	short loc_9A0E4A
		mov	edx, esi
		mov	ecx, eax
		call	_MiCompareActiveCrcEntries@8 ; MiCompareActiveCrcEntries(x,x)
		test	eax, eax
		jz	short loc_9A0EB2

loc_9A0E4A:				; CODE XREF: MiProcessCrcList(x,x,x,x)+450j
		mov	edx, [esp+78h+var_64]
		lea	eax, [esi+10h]
		mov	ecx, [esp+78h+var_4C]
		push	1
		push	eax
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		call	_MiAllocateCombineProto@24 ; MiAllocateCombineProto(x,x,x,x,x,x)
		mov	edx, eax
		jmp	short loc_9A0E88
; 

loc_9A0E66:				; CODE XREF: MiProcessCrcList(x,x,x,x)+448j
		mov	edx, [esp+78h+var_64]
		lea	eax, [esi+10h]
		mov	ecx, [esp+78h+var_4C]
		push	0
		push	eax
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		call	_MiAllocateCombineProto@24 ; MiAllocateCombineProto(x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_9A0E8C
		or	dword ptr [esi+8], 0FFFFFFFFh

loc_9A0E88:				; CODE XREF: MiProcessCrcList(x,x,x,x)+479j
		test	edx, edx
		jz	short loc_9A0EB2

loc_9A0E8C:				; CODE XREF: MiProcessCrcList(x,x,x,x)+497j
		mov	eax, [edx+10h]
		or	eax, [edx+14h]
		jnz	short loc_9A0EAB
		lea	ecx, [esp+78h+var_54]
		call	_MiPushCombineBlock@8 ;	MiPushCombineBlock(x,x)
		mov	ecx, [esi+18h]
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		inc	[esp+eax*4+78h+var_10]
		jmp	short loc_9A0EAE
; 

loc_9A0EAB:				; CODE XREF: MiProcessCrcList(x,x,x,x)+4A7j
		mov	[esi+18h], edx

loc_9A0EAE:				; CODE XREF: MiProcessCrcList(x,x,x,x)+4BEj
		mov	[esp+78h+var_58], esi

loc_9A0EB2:				; CODE XREF: MiProcessCrcList(x,x,x,x)+416j
					; MiProcessCrcList(x,x,x,x)+45Dj ...
		inc	edi
		add	ebx, 4
		cmp	edi, [esp+78h+var_6C]
		jb	loc_9A0DF2
		mov	ebx, [esp+78h+var_40]

loc_9A0EC4:				; CODE XREF: MiProcessCrcList(x,x,x,x)+3F8j
		push	[ebp+arg_4]
		mov	ecx, [esp+7Ch+var_48]
		lea	edx, [esp+7Ch+var_10]
		call	_MiPopulateCombineMdls@12 ; MiPopulateCombineMdls(x,x,x)
		jmp	loc_9A0F99
; 

loc_9A0ED9:				; CODE XREF: MiProcessCrcList(x,x,x,x)+5B3j
		mov	esi, [esp+78h+var_68]
		lea	eax, [esp+78h+var_68]
		push	esi
		push	eax
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	ecx, [esi+0Ch]
		mov	edi, [esi+18h]
		mov	[esp+80h+var_6C], ecx
		test	ebx, ebx
		jz	short loc_9A0F52
		test	edi, edi
		jz	short loc_9A0F08
		mov	eax, ebx

loc_9A0EFC:				; CODE XREF: MiProcessCrcList(x,x,x,x)+51Bj
		mov	[eax], edi
		lea	eax, [eax+4]
		mov	edi, [edi+0Ch]
		test	edi, edi
		jnz	short loc_9A0EFC

loc_9A0F08:				; CODE XREF: MiProcessCrcList(x,x,x,x)+50Dj
		push	offset _MiCombineActiveCrcSortByVa ; int __cdecl (*)(const void	*,const	void *)
		push	4		; size_t
		push	ecx		; size_t
		push	ebx		; void *
		call	_qsort
		and	dword ptr [esi+18h], 0
		xor	edi, edi
		add	esp, 10h
		cmp	[esp+80h+var_6C], edi
		jbe	short loc_9A0F67

loc_9A0F25:				; CODE XREF: MiProcessCrcList(x,x,x,x)+57Aj
		mov	ecx, [ebx+edi*4]
		mov	edx, [ecx+8]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_9A0F58
		test	edi, edi
		jz	short loc_9A0F3D
		mov	eax, [ebx+edi*4-4]
		cmp	edx, [eax+8]
		jz	short loc_9A0F58

loc_9A0F3D:				; CODE XREF: MiProcessCrcList(x,x,x,x)+547j
		mov	eax, [esi+18h]
		mov	[ecx+0Ch], eax
		mov	[esi+18h], ecx
		jmp	short loc_9A0F60
; 

loc_9A0F48:				; CODE XREF: MiProcessCrcList(x,x,x,x)+569j
		mov	ecx, edi
		call	_MiDereferenceCombineCrc@4 ; MiDereferenceCombineCrc(x)
		mov	edi, [edi+0Ch]

loc_9A0F52:				; CODE XREF: MiProcessCrcList(x,x,x,x)+509j
		test	edi, edi
		jnz	short loc_9A0F48
		jmp	short loc_9A0F85
; 

loc_9A0F58:				; CODE XREF: MiProcessCrcList(x,x,x,x)+543j
					; MiProcessCrcList(x,x,x,x)+550j
		call	_MiDereferenceCombineCrc@4 ; MiDereferenceCombineCrc(x)
		dec	dword ptr [esi+0Ch]

loc_9A0F60:				; CODE XREF: MiProcessCrcList(x,x,x,x)+55Bj
		inc	edi
		cmp	edi, [esp+80h+var_6C]
		jb	short loc_9A0F25

loc_9A0F67:				; CODE XREF: MiProcessCrcList(x,x,x,x)+538j
		cmp	dword ptr [esi+0Ch], 0
		jz	short loc_9A0F85
		push	[ebp+arg_4]
		mov	ecx, [esp+84h+var_50]
		lea	eax, [esp+84h+var_1C]
		push	eax
		lea	eax, [esp+88h+var_5C]
		mov	edx, esi
		push	eax
		call	_MiSharePages@20 ; MiSharePages(x,x,x,x,x)

loc_9A0F85:				; CODE XREF: MiProcessCrcList(x,x,x,x)+56Bj
					; MiProcessCrcList(x,x,x,x)+580j
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jz	short loc_9A0F91
		call	ObfDereferenceObject

loc_9A0F91:				; CODE XREF: MiProcessCrcList(x,x,x,x)+59Fj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A0F99:				; CODE XREF: MiProcessCrcList(x,x,x,x)+360j
					; MiProcessCrcList(x,x,x,x)+383j ...
		cmp	[esp+80h+var_70], 0
		jnz	loc_9A0ED9
		test	ebx, ebx
		jz	short loc_9A0FB0
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A0FB0:				; CODE XREF: MiProcessCrcList(x,x,x,x)+5BBj
		mov	eax, [esp+80h+var_50]
		test	byte ptr [eax+20h], 2
		jnz	short loc_9A0FC1
		mov	ecx, eax
		call	_MiFreeCombineMdls@4 ; MiFreeCombineMdls(x)

loc_9A0FC1:				; CODE XREF: MiProcessCrcList(x,x,x,x)+5CDj
					; MiProcessCrcList(x,x,x,x)+602j
		mov	ecx, [esp+80h+var_5C]
		lea	eax, [esp+80h+var_5C]
		cmp	ecx, eax
		jz	short loc_9A0FF4
		cmp	[ecx+4], eax
		jnz	short loc_9A0FEF
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_9A0FEF
		mov	[esp+80h+var_5C], eax
		lea	edx, [esp+80h+var_5C]
		mov	[eax+4], edx
		and	dword ptr [ecx+18h], 0
		call	_MiFreeCombineBlock@4 ;	MiFreeCombineBlock(x)
		jmp	short loc_9A0FC1
; 

loc_9A0FEF:				; CODE XREF: MiProcessCrcList(x,x,x,x)+5E5j
					; MiProcessCrcList(x,x,x,x)+5ECj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9A0FF4:				; CODE XREF: MiProcessCrcList(x,x,x,x)+41j
					; MiProcessCrcList(x,x,x,x)+5E0j
		mov	ecx, [esp+80h+var_C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_MiProcessCrcList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmCombineIdenticalPages(x, x, x, x)
_MmCombineIdenticalPages@16 proc near	; CODE XREF: PAGE:007B4492p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	[ebp+arg_4]
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_4], al
		push	[ebp+var_4]
		push	[ebp+arg_0]
		push	edx
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	edx, ecx
		mov	ecx, eax
		call	_MiCombineIdenticalPages@24 ; MiCombineIdenticalPages(x,x,x,x,x,x)
		leave
		retn	8
_MmCombineIdenticalPages@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmLogQueryCombineStats(x, x, x)
_MmLogQueryCombineStats@12 proc	near	; CODE XREF: PAGE:008DC87Dp
					; EtwpKernelTraceRundown+12A03Bp

var_4C		= dword	ptr -4Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		push	8
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		pop	ecx
		rep stosd
		xor	edi, edi
		test	esi, esi
		jz	short loc_9A1067
		mov	eax, [esi]
		jmp	short loc_9A106A
; 

loc_9A1067:				; CODE XREF: MmLogQueryCombineStats(x,x,x)+28j
		lea	esi, [ebp+var_4C]

loc_9A106A:				; CODE XREF: MmLogQueryCombineStats(x,x,x)+2Cj
		and	eax, 0FFFFFFC1h
		or	eax, 1
		mov	[esi], eax
		mov	eax, dword_6D5D30
		mov	[esi+4], eax
		mov	ecx, dword_6D5D18
		add	ecx, dword_6D5D20
		mov	eax, dword_6D5D1C
		adc	eax, dword_6D5D24
		mov	[esi+8], ecx
		mov	[esi+0Ch], eax
		mov	eax, dword_6D5D28
		mov	[esi+10h], eax
		mov	eax, dword_6D5D2C
		mov	[esi+14h], eax
		mov	eax, dword_6D5D34
		mov	[esi+18h], eax
		mov	ecx, dword_6D5D38
		mov	[esi+1Ch], ecx
		cmp	eax, ecx
		jle	short loc_9A10BF
		mov	[esi+18h], ecx

loc_9A10BF:				; CODE XREF: MmLogQueryCombineStats(x,x,x)+81j
		lea	eax, [ebp+var_4C]
		cmp	esi, eax
		jnz	short loc_9A1122
		test	ebx, ebx
		jz	short loc_9A10F8
		test	edx, edx
		jz	short loc_9A10F8
		push	offset byte_401802
		push	27Ch
		push	dword ptr [edx]
		xor	edx, edx
		mov	[ebp+var_1C], esi
		push	ebx
		inc	edx
		mov	[ebp+var_18], edi
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_14], 20h
		mov	[ebp+var_10], edi
		call	_EtwTraceSiloDcEvent@24	; EtwTraceSiloDcEvent(x,x,x,x,x,x)
		jmp	short loc_9A1122
; 

loc_9A10F8:				; CODE XREF: MmLogQueryCombineStats(x,x,x)+8Fj
					; MmLogQueryCombineStats(x,x,x)+93j
		push	offset byte_401802
		push	27Ch
		xor	edx, edx
		mov	[ebp+var_2C], esi
		push	20080000h
		inc	edx
		mov	[ebp+var_28], edi
		lea	ecx, [ebp+var_2C]
		mov	[ebp+var_24], 20h
		mov	[ebp+var_20], edi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_9A1122:				; CODE XREF: MmLogQueryCombineStats(x,x,x)+8Bj
					; MmLogQueryCombineStats(x,x,x)+BDj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MmLogQueryCombineStats@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCopyLargeVad(x, x, x)
_MiCopyLargeVad@12 proc	near		; CODE XREF: MiCloneProcessAddressSpace+B4B0Bp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		push	6
		mov	[ebp+var_38], ecx
		lea	edi, [ebp+var_20]
		pop	ecx
		rep stosd
		push	10h
		mov	[ebp+var_28], edx
		mov	ecx, ebx
		pop	edx
		mov	[ebp+var_3C], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		call	_MiLocateLockedVadEvent@8 ; MiLocateLockedVadEvent(x,x)
		mov	edi, [ebp+var_28]
		mov	esi, eax
		mov	ecx, edi
		call	_MiLocateVadEvent@8 ; MiLocateVadEvent(x,x)
		test	esi, esi
		jz	short loc_9A118D
		mov	cl, [eax+4]
		mov	[esi+4], cl
		mov	eax, [eax+8]
		mov	[esi+8], eax

loc_9A118D:				; CODE XREF: MiCopyLargeVad(x,x,x)+4Cj
		mov	ecx, [ebp+var_38]
		lea	eax, [ebp+var_20]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		push	0
		xor	dl, dl
		mov	ecx, ebx
		call	_MiMapUserLargePages@12	; MiMapUserLargePages(x,x,x)
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		mov	esi, eax
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		test	esi, esi
		jns	short loc_9A11BD
		mov	eax, esi
		jmp	loc_9A12C3
; 

loc_9A11BD:				; CODE XREF: MiCopyLargeVad(x,x,x)+81j
		mov	eax, [ebx+1Ch]
		xor	edx, edx
		and	eax, 200h
		mov	esi, 0FFE00000h
		mov	[ebp+var_40], eax
		mov	eax, [edi+0Ch]
		mov	ecx, eax
		mov	edi, [edi+10h]
		sub	edi, eax
		shl	ecx, 0Ch
		inc	edi
		mov	[ebp+var_24], ecx
		shl	edi, 0Ch
		test	edi, edi
		jz	loc_9A12C1

loc_9A11EB:				; CODE XREF: MiCopyLargeVad(x,x,x)+185j
		mov	ebx, edi
		cmp	edi, esi
		jbe	short loc_9A11F3
		mov	ebx, esi

loc_9A11F3:				; CODE XREF: MiCopyLargeVad(x,x,x)+BCj
		lea	eax, [ebp+var_34]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	0
		push	1
		call	ExLockUserBuffer
		mov	[ebp+var_28], eax
		test	eax, eax
		jns	short loc_9A122B

loc_9A120D:				; CODE XREF: MiCopyLargeVad(x,x,x)+13Bj
		mov	esi, ebx
		shr	esi, 1
		and	esi, 7FE00000h
		cmp	esi, 200000h
		jb	loc_9A12BE
		mov	ecx, [ebp+var_24]
		jmp	loc_9A12B6
; 

loc_9A122B:				; CODE XREF: MiCopyLargeVad(x,x,x)+D8j
		mov	ecx, [ebp+var_38]
		lea	eax, [ebp+var_20]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		cmp	[ebp+var_40], 0
		jnz	short loc_9A1275
		mov	ecx, [ebp+var_24]
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_2C]
		mov	edx, ebx
		push	eax
		push	1
		push	1
		call	ExLockUserBuffer
		mov	[ebp+var_28], eax
		test	eax, eax
		jns	short loc_9A1270
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [ebp+var_34]
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)
		jmp	short loc_9A120D
; 

loc_9A1270:				; CODE XREF: MiCopyLargeVad(x,x,x)+127j
		mov	eax, [ebp+var_2C]
		jmp	short loc_9A127F
; 

loc_9A1275:				; CODE XREF: MiCopyLargeVad(x,x,x)+10Aj
		mov	eax, [ebp+var_24]
		and	[ebp+var_30], 0
		mov	[ebp+var_2C], eax

loc_9A127F:				; CODE XREF: MiCopyLargeVad(x,x,x)+140j
		push	ebx		; size_t
		push	[ebp+var_3C]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	[ebp+var_40], 0
		jnz	short loc_9A129A
		mov	ecx, [ebp+var_30]
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)

loc_9A129A:				; CODE XREF: MiCopyLargeVad(x,x,x)+15Dj
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [ebp+var_34]
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)
		mov	ecx, [ebp+var_24]
		sub	edi, ebx
		add	ecx, ebx
		mov	[ebp+var_24], ecx

loc_9A12B6:				; CODE XREF: MiCopyLargeVad(x,x,x)+F3j
		test	edi, edi
		jnz	loc_9A11EB

loc_9A12BE:				; CODE XREF: MiCopyLargeVad(x,x,x)+EAj
		mov	edx, [ebp+var_28]

loc_9A12C1:				; CODE XREF: MiCopyLargeVad(x,x,x)+B2j
		mov	eax, edx

loc_9A12C3:				; CODE XREF: MiCopyLargeVad(x,x,x)+85j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_MiCopyLargeVad@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateLargePageVad(x, x, x, x)
_MiCreateLargePageVad@16 proc near	; CODE XREF: MiReserveUserMemory+15FB7Ep
					; MiAllocateChildVads+B4980p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		inc	eax
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], eax
		mov	esi, eax
		test	dword ptr [edi+1Ch], 100000h
		jz	short loc_9A1303
		mov	eax, ebx
		neg	eax
		sbb	eax, eax
		and	esi, eax

loc_9A1303:				; CODE XREF: MiCreateLargePageVad(x,x,x,x)+25j
		mov	eax, large fs:124h
		mov	[ebp+arg_0], eax
		mov	eax, [eax+80h]
		mov	[ebp+var_C], eax
		test	esi, esi
		jz	short loc_9A133D
		push	0
		push	40h
		push	28h
		mov	edx, 624C6D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9A133A
		mov	eax, 0C000009Ah
		jmp	loc_9A13FA
; 

loc_9A133A:				; CODE XREF: MiCreateLargePageVad(x,x,x,x)+5Aj
		mov	ecx, [ebp+var_4]

loc_9A133D:				; CODE XREF: MiCreateLargePageVad(x,x,x,x)+43j
		mov	edi, [edi+20h]
		and	edi, 7FFFFFFFh
		jz	loc_9A13CE
		mov	edx, edi
		call	_MiChargeProcessPhysicalPages@8	; MiChargeProcessPhysicalPages(x,x)
		test	eax, eax
		jnz	short loc_9A136C
		test	esi, esi
		jz	short loc_9A1362
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A1362:				; CODE XREF: MiCreateLargePageVad(x,x,x,x)+85j
		mov	eax, 0C000012Dh
		jmp	loc_9A13FA
; 

loc_9A136C:				; CODE XREF: MiCreateLargePageVad(x,x,x,x)+81j
		test	ebx, ebx
		jnz	short loc_9A13D2
		cmp	[ebp+arg_4], 0
		mov	ebx, [ebp+var_4]
		jnz	short loc_9A138A
		cmp	[ebp+var_C], ebx
		jnz	short loc_9A138A
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)
		jmp	short loc_9A138E
; 

loc_9A138A:				; CODE XREF: MiCreateLargePageVad(x,x,x,x)+A3j
					; MiCreateLargePageVad(x,x,x,x)+A8j
		and	[ebp+var_8], 0

loc_9A138E:				; CODE XREF: MiCreateLargePageVad(x,x,x,x)+B4j
		mov	edx, edi
		mov	ecx, ebx
		call	MiChargeFullProcessCommitment
		cmp	[ebp+var_8], 0
		mov	[ebp+arg_4], eax
		jz	short loc_9A13AD
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)
		mov	eax, [ebp+arg_4]

loc_9A13AD:				; CODE XREF: MiCreateLargePageVad(x,x,x,x)+CAj
		test	eax, eax
		jns	short loc_9A13E1
		neg	edi
		lea	eax, [ebx+35Ch]
		lock xadd [eax], edi
		test	esi, esi
		jz	short loc_9A13C9
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A13C9:				; CODE XREF: MiCreateLargePageVad(x,x,x,x)+EBj
		mov	eax, [ebp+arg_4]
		jmp	short loc_9A13FA
; 

loc_9A13CE:				; CODE XREF: MiCreateLargePageVad(x,x,x,x)+72j
		test	ebx, ebx
		jz	short loc_9A13E1

loc_9A13D2:				; CODE XREF: MiCreateLargePageVad(x,x,x,x)+9Aj
		mov	edx, 746C6644h
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag
		mov	[esi+0Ch], ebx

loc_9A13E1:				; CODE XREF: MiCreateLargePageVad(x,x,x,x)+DBj
					; MiCreateLargePageVad(x,x,x,x)+FCj
		test	esi, esi
		jz	short loc_9A13F8
		mov	ecx, [ebp+var_10]
		mov	edx, esi
		push	0
		mov	dword ptr [esi+24h], 10h
		call	_MiInsertVadEvent@12 ; MiInsertVadEvent(x,x,x)

loc_9A13F8:				; CODE XREF: MiCreateLargePageVad(x,x,x,x)+10Fj
		xor	eax, eax

loc_9A13FA:				; CODE XREF: MiCreateLargePageVad(x,x,x,x)+61j
					; MiCreateLargePageVad(x,x,x,x)+93j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiCreateLargePageVad@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFindLargePageMemory(x, x,	x, x, x, x, x)
_MiFindLargePageMemory@28 proc near	; CODE XREF: MiAllocateLargeZeroPages(x,x,x,x,x,x,x)+21Dp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_10]
		and	[ebp+var_2C], 0
		push	ebx
		push	esi
		push	edi		; struct _exception *
		mov	ebx, ecx
		mov	[ebp+var_40], eax
		push	9
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_30], edx
		lea	edi, [ebp+var_28]
		mov	[ebp+var_48], ebx
		rep stosd
		add	edx, 0A0h
		mov	ecx, ebx
		call	MiSufficientAvailablePages
		test	eax, eax
		jz	loc_9A15A0
		push	[ebp+arg_0]
		lea	ecx, [ebp+var_28]
		call	_MiCreateColorAnchors@8	; MiCreateColorAnchors(x,x)
		test	eax, eax
		jz	loc_9A15A0
		mov	ecx, [ebp+arg_8]
		call	_MiProtectionToCacheAttribute@4	; MiProtectionToCacheAttribute(x)
		mov	ebx, dword_6D5D84
		xor	ecx, ecx
		mov	[ebp+var_3C], eax
		xor	esi, esi
		mov	[ebp+var_20], eax
		mov	[ebp+var_44], ecx
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	edi, eax
		mov	[ebp+var_38], edi
		cmp	edi, 2
		jnb	loc_9A1598

loc_9A1488:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+177j
		mov	edi, ds:_MiLargePageSizes[edi*4]
		cmp	[ebp+var_30], edi
		jb	loc_9A1563
		cmp	edi, [ebp+arg_4]
		jb	loc_9A157E
		test	esi, esi
		jnz	short loc_9A14BF
		push	esi
		push	40h
		push	18h
		mov	edx, 6C4C6D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9A158A

loc_9A14BF:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+A2j
		mov	ecx, [ebp+var_48]
		lea	eax, [ebp+var_2C]
		push	eax
		push	0
		push	60100000h
		push	80000000h
		push	[ebp+arg_0]
		mov	edx, edi
		push	[ebp+var_3C]
		push	edi
		push	edi
		push	ebx
		call	_MiFindContiguousPages@44 ; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9A1563
		mov	ebx, [ebp+var_30]
		sub	ebx, edi
		test	[ebp+arg_C], 2
		mov	[ebp+var_30], ebx
		jnz	short loc_9A150B
		push	[ebp+var_3C]
		mov	edx, [ebp+var_2C]
		lea	ecx, [ebp+var_28]
		push	edi
		call	_MiUpdateLargePagePfns@16 ; MiUpdateLargePagePfns(x,x,x,x)
		cmp	eax, 1
		jnz	short loc_9A150B
		mov	[ebp+var_44], eax

loc_9A150B:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+F1j
					; MiFindLargePageMemory(x,x,x,x,x,x,x)+105j
		mov	eax, [ebp+var_2C]
		mov	edx, eax
		mov	ecx, [ebp+var_40]
		mov	[esi], eax
		mov	[esi+4], edi
		mov	byte ptr [esi+8], 1
		mov	ecx, [ecx]
		mov	byte ptr [ebp+var_34], 0
		test	ecx, ecx
		jz	short loc_9A1545

loc_9A1526:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+13Ej
		cmp	edx, [ecx-0Ch]
		jnb	short loc_9A1536
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_9A153D
		mov	byte ptr [ebp+var_34], al
		jmp	short loc_9A1545
; 

loc_9A1536:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+128j
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_9A1541

loc_9A153D:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+12Ej
		mov	ecx, eax
		jmp	short loc_9A1526
; 

loc_9A1541:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+13Aj
		mov	byte ptr [ebp+var_34], 1

loc_9A1545:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+123j
					; MiFindLargePageMemory(x,x,x,x,x,x,x)+133j
		lea	eax, [esi+0Ch]
		push	eax
		push	[ebp+var_34]
		push	ecx
		push	[ebp+var_40]
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_9A158A
		mov	ebx, [ebp+var_2C]
		dec	ebx
		cmp	ebx, edi
		ja	short loc_9A1572

loc_9A1563:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+91j
					; MiFindLargePageMemory(x,x,x,x,x,x,x)+E3j
		mov	edi, [ebp+var_38]
		mov	ebx, dword_6D5D84
		inc	edi
		mov	[ebp+var_38], edi
		jmp	short loc_9A1575
; 

loc_9A1572:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+160j
		mov	edi, [ebp+var_38]

loc_9A1575:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+16Fj
		cmp	edi, 2
		jb	loc_9A1488

loc_9A157E:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+9Aj
		test	esi, esi
		jz	short loc_9A158A
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A158A:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+B8j
					; MiFindLargePageMemory(x,x,x,x,x,x,x)+158j ...
		cmp	[ebp+var_44], 0
		jz	short loc_9A1598
		lea	ecx, [ebp+var_28]
		call	_MiZeroInParallel@4 ; MiZeroInParallel(x)

loc_9A1598:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+81j
					; MiFindLargePageMemory(x,x,x,x,x,x,x)+18Dj
		lea	ecx, [ebp+var_28]
		call	_MiDeleteColorAnchors@4	; MiDeleteColorAnchors(x)

loc_9A15A0:				; CODE XREF: MiFindLargePageMemory(x,x,x,x,x,x,x)+40j
					; MiFindLargePageMemory(x,x,x,x,x,x,x)+53j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_MiFindLargePageMemory@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeLargePageView(x, x, x, x)
_MiFreeLargePageView@16	proc near	; CODE XREF: MiReleaseVadEventBlocks+16161Dp
					; MiReleaseVadEventBlocks+16165Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	edi, [edx+20h]
		and	edi, 7FFFFFFFh
		jz	short loc_9A1621
		mov	eax, large fs:124h
		mov	ecx, edi
		mov	[ebp+arg_0], eax
		neg	ecx
		lea	eax, [ebx+35Ch]
		lock xadd [eax], ecx
		test	esi, esi
		jz	short loc_9A15EA
		cmp	dword ptr [esi+0Ch], 0
		jnz	short loc_9A1621

loc_9A15EA:				; CODE XREF: MiFreeLargePageView(x,x,x,x)+31j
		and	[ebp+arg_4], 1
		jnz	short loc_9A15FA
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		call	_LOCK_ADDRESS_SPACE_SHARED@8 ; LOCK_ADDRESS_SPACE_SHARED(x,x)

loc_9A15FA:				; CODE XREF: MiFreeLargePageView(x,x,x,x)+3Dj
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	edx, edi
		mov	ecx, eax
		call	MiReturnCommit
		mov	edx, edi
		mov	ecx, ebx
		call	_MiReturnFullProcessCharges@8 ;	MiReturnFullProcessCharges(x,x)
		cmp	[ebp+arg_4], 0
		jnz	short loc_9A1621
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		call	_UNLOCK_ADDRESS_SPACE_SHARED@8 ; UNLOCK_ADDRESS_SPACE_SHARED(x,x)

loc_9A1621:				; CODE XREF: MiFreeLargePageView(x,x,x,x)+16j
					; MiFreeLargePageView(x,x,x,x)+37j ...
		test	esi, esi
		jz	short loc_9A1636
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_9A1636
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag

loc_9A1636:				; CODE XREF: MiFreeLargePageView(x,x,x,x)+72j
					; MiFreeLargePageView(x,x,x,x)+79j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_MiFreeLargePageView@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	MiMapSystemImageWithLargePage(void *,int)
_MiMapSystemImageWithLargePage@16 proc near
					; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+2DBp
					; MiHandleBootImage+29E93p

var_48		= dword	ptr -48h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	38h
		push	offset dword_6A8B60
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_20], ebx
		mov	esi, ecx
		mov	[ebp+var_2C], esi
		and	[ebp+var_1C], 0
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_48]
		rep stosd
		call	_MmGetNumberOfFreeSystemPtes@0 ; MmGetNumberOfFreeSystemPtes()
		cmp	eax, 4000h
		jb	loc_9A182C
		test	esi, esi
		jz	short loc_9A1697
		mov	ecx, esi
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	[ebp+var_24], eax
		lea	ecx, [eax+50h]
		jmp	short loc_9A1691
; 

loc_9A1684:				; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+56j
		test	byte ptr [ecx+10h], 3Eh
		jz	loc_9A182C
		mov	ecx, [ecx+8]

loc_9A1691:				; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+45j
		test	ecx, ecx
		jnz	short loc_9A1684
		jmp	short loc_9A169B
; 

loc_9A1697:				; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+36j
		and	[ebp+var_24], 0

loc_9A169B:				; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+58j
		lea	edi, [ebx+1FFh]
		and	edi, 0FFFFFE00h
		mov	ecx, edi
		call	_MiRoundUpToPowerOf2SizeT@4 ; MiRoundUpToPowerOf2SizeT(x)
		mov	esi, eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	0
		push	100000h
		mov	eax, 80000000h
		push	eax
		push	eax
		push	1
		push	esi
		push	esi
		push	dword_6D07B0
		mov	edx, 200h
		mov	ecx, offset _MiSystemPartition
		call	_MiFindContiguousPages@44 ; MiFindContiguousPages(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_9A182C
		cmp	esi, edi
		jbe	short loc_9A16F6
		sub	esi, edi
		mov	ecx, [ebp+var_1C]
		lea	ecx, [edi+ecx]
		mov	edx, esi
		call	_MiFreeContiguousPages@8 ; MiFreeContiguousPages(x,x)

loc_9A16F6:				; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+A8j
		mov	ecx, [ebp+var_1C]
		call	_MiPageToNode@4	; MiPageToNode(x)
		inc	eax
		push	eax
		push	ecx
		push	0Ch
		pop	edx
		mov	ecx, edi
		call	MiGetPageTablesForLargeMap
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	esi, esi
		jnz	short loc_9A1723

loc_9A1714:				; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+106j
		mov	edx, edi
		mov	ecx, [ebp+var_1C]
		call	_MiFreeContiguousPages@8 ; MiFreeContiguousPages(x,x)
		jmp	loc_9A182C
; 

loc_9A1723:				; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+D5j
		test	ds:_MiFlags, 8000h
		jz	short loc_9A1745
		push	ecx
		push	ecx
		call	_xKdGetAcpiTablePhase0@8 ; xKdGetAcpiTablePhase0(x,x)
		test	eax, eax
		jns	short loc_9A1745
		mov	edx, ebx
		mov	ecx, esi
		call	_MiUnmapLargeDriver@8 ;	MiUnmapLargeDriver(x,x)
		jmp	short loc_9A1714
; 

loc_9A1745:				; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+F0j
					; MiMapSystemImageWithLargePage(x,x,x,x)+FBj
		xor	ecx, ecx
		inc	ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	[ebp+var_30], eax
		push	1
		push	6
		push	0
		push	edi
		push	[ebp+var_1C]
		mov	edx, esi
		mov	ecx, eax
		call	MiMapWithLargePages
		and	[ebp+ms_exc.disabled], 0
		shl	ebx, 0Ch
		push	ebx		; size_t
		push	[ebp+arg_0]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	esi
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	[ebp+var_28], eax
		cmp	dword ptr [eax+74h], 5
		jbe	short loc_9A1807
		mov	ecx, [eax+0A0h]
		test	ecx, ecx
		jz	short loc_9A17B4
		mov	eax, [eax+0A4h]
		add	eax, ecx
		cmp	eax, ebx
		ja	short loc_9A1807
		sub	esp, 14h
		mov	ecx, esi
		call	_LdrRelocateImageWithBias@28 ; LdrRelocateImageWithBias(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9A1807
		mov	eax, [ebp+var_28]

loc_9A17B4:				; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+158j
		mov	[eax+34h], esi
		mov	ebx, [ebp+var_2C]
		test	ebx, ebx
		jz	short loc_9A17E4
		lea	eax, [ebp+var_48]
		push	eax
		push	1
		push	[ebp+var_20]
		mov	ecx, [ebp+arg_0]
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		push	eax
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_30]
		call	_MiDeleteSystemPagableVm@24 ; MiDeleteSystemPagableVm(x,x,x,x,x,x)
		xor	edx, edx
		mov	ecx, ebx
		call	_MiChargeSystemImageCommitment@8 ; MiChargeSystemImageCommitment(x,x)

loc_9A17E4:				; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+17Fj
		test	ds:byte_70EFC4,	1
		jz	short loc_9A1803
		push	6
		pop	edx
		xor	ecx, ecx
		inc	ecx
		call	_MiInitPerfMemoryFlags@8 ; MiInitPerfMemoryFlags(x,x)
		push	edi
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	_MiLogPerfMemoryRangeEvent@16 ;	MiLogPerfMemoryRangeEvent(x,x,x,x)

loc_9A1803:				; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+1AEj
		mov	eax, esi
		jmp	short loc_9A182E
; 

loc_9A1807:				; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+14Ej
					; MiMapSystemImageWithLargePage(x,x,x,x)+164j ...
		mov	edx, [ebp+var_20]
		mov	ecx, esi
		call	_MiUnmapLargeDriver@8 ;	MiUnmapLargeDriver(x,x)
		jmp	short loc_9A182C
; 
a3@LeslurlmS	db '3@ËeUM',1Bh,0 ; DATA XREF: .text:006A8B74o
					; .text:006A8B78o
		align 4
		dd 0FC45C700h, 0FFFFFFFEh
; 

loc_9A182C:				; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+2Ej
					; MiMapSystemImageWithLargePage(x,x,x,x)+4Bj ...
		xor	eax, eax

loc_9A182E:				; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+1C8j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiMapSystemImageWithLargePage@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUnmapLargeDriver(x, x)
_MiUnmapLargeDriver@8 proc near		; CODE XREF: MiUnloadSystemImage+14B8EBp
					; MiMapSystemImageWithLargePage(x,x,x,x)+101p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	eax, ecx
		mov	esi, edx
		push	edi
		mov	[ebp+var_4], eax
		call	_MiGetPdeAddress@4 ; MiGetPdeAddress(x)
		mov	edi, [eax]
		nop
		mov	ebx, [eax+4]
		mov	ecx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_9A1871
		push	ebx
		push	edi
		call	_MiReadPteShadow@12 ; MiReadPteShadow(x,x,x)
		mov	edi, eax
		mov	ebx, edx

loc_9A1871:				; CODE XREF: MiUnmapLargeDriver(x,x)+24j
		mov	ecx, [ebp+var_4]
		add	esi, 1FFh
		and	esi, 0FFFFFE00h
		mov	edx, esi
		push	0Ch
		shl	edx, 0Ch
		call	MiUnmapLargePages
		shrd	edi, ebx, 0Ch
		mov	edx, esi
		and	edi, 1FFFFFFh
		mov	ecx, edi
		call	_MiFreeContiguousPages@8 ; MiFreeContiguousPages(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiUnmapLargeDriver@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateSessionDriverProtos(x, x, x)
_MiCreateSessionDriverProtos@12	proc near ; CODE XREF: .text:005E538Cp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_44], eax
		xor	eax, eax
		mov	[ebp+var_40], edx
		and	[ebp+var_38], eax
		lea	edi, [ebp+var_30]
		push	0Ah
		pop	ecx
		rep stosd
		mov	edi, [esi]
		mov	eax, 800h
		mov	[ebp+var_4C], esi
		test	[edi+8], ax
		jnz	loc_9A1998
		sub	edx, [edi+18h]
		lea	eax, [ebp+var_30]
		push	eax
		push	3
		mov	[ebp+var_3C], edx
		mov	ecx, esi
		pop	edx
		call	MiMapImageInSystemSpace
		test	eax, eax
		jns	short loc_9A1904

loc_9A18FD:				; CODE XREF: MiCreateSessionDriverProtos(x,x,x)+118j
		xor	eax, eax
		jmp	loc_9A199B
; 

loc_9A1904:				; CODE XREF: MiCreateSessionDriverProtos(x,x,x)+57j
		mov	ecx, [ebp+var_30]
		xor	ebx, ebx
		add	esi, 50h
		jmp	short loc_9A1982
; 

loc_9A190E:				; CODE XREF: MiCreateSessionDriverProtos(x,x,x)+E1j
		mov	eax, [esi+1Ch]
		mov	[ebp+var_48], eax
		mov	ax, [esi+10h]
		shr	ax, 1
		test	al, 4
		jnz	short loc_9A1972
		test	ds:_MiFlags, 8000h
		jnz	short loc_9A1938
		test	byte ptr ds:_MiFlags+2,	1
		jz	short loc_9A1938
		test	al, 2
		jnz	short loc_9A1972

loc_9A1938:				; CODE XREF: MiCreateSessionDriverProtos(x,x,x)+85j
					; MiCreateSessionDriverProtos(x,x,x)+8Ej
		lea	eax, [ebp+var_38]
		mov	edx, ecx
		push	eax
		push	[ebp+var_3C]
		mov	ecx, esi
		push	ebx
		call	MiAllocatePerSessionProtos
		test	eax, eax
		js	short loc_9A19AC
		mov	eax, [ebp+var_38]
		mov	ecx, [ebp+var_40]
		and	dword ptr [eax+20h], 0
		mov	[eax], ecx
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_44]
		test	eax, eax
		jz	short loc_9A196F
		push	dword ptr [esi+1Ch]
		push	ebx
		push	dword ptr [eax+14h]
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)

loc_9A196F:				; CODE XREF: MiCreateSessionDriverProtos(x,x,x)+BDj
		mov	ecx, [ebp+var_34]

loc_9A1972:				; CODE XREF: MiCreateSessionDriverProtos(x,x,x)+79j
					; MiCreateSessionDriverProtos(x,x,x)+92j
		mov	eax, [ebp+var_48]
		add	ebx, [ebp+var_48]
		mov	esi, [esi+8]
		shl	eax, 0Ch
		add	ecx, eax
		test	esi, esi

loc_9A1982:				; CODE XREF: MiCreateSessionDriverProtos(x,x,x)+68j
		mov	[ebp+var_34], ecx
		jnz	short loc_9A190E
		lea	ecx, [ebp+var_30]
		call	MiUnmapImageInSystemSpace
		mov	eax, 800h
		or	[edi+8], ax

loc_9A1998:				; CODE XREF: MiCreateSessionDriverProtos(x,x,x)+3Bj
		xor	eax, eax
		inc	eax

loc_9A199B:				; CODE XREF: MiCreateSessionDriverProtos(x,x,x)+5Bj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_9A19AC:				; CODE XREF: MiCreateSessionDriverProtos(x,x,x)+A7j
		lea	ecx, [ebp+var_30]
		call	MiUnmapImageInSystemSpace
		mov	ecx, [ebp+var_4C]
		call	MiDeleteSessionDriverProtos
		jmp	loc_9A18FD
_MiCreateSessionDriverProtos@12	endp


;  S U B	R O U T	I N E 


; __stdcall MmIsDriverLoadedCurrentSession(x)
_MmIsDriverLoadedCurrentSession@4 proc near
					; CODE XREF: VfThunkApplyMandatoryThunks(x,x)+51p
					; VfThunkApplyThunks(x,x)+51p
		call	_MiSessionLookupImage@4	; MiSessionLookupImage(x)
		neg	eax
		sbb	eax, eax
		neg	eax
		retn
_MmIsDriverLoadedCurrentSession@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiExpandPartitionIds()
_MiExpandPartitionIds@0	proc near	; CODE XREF: MiAllocatePartitionId(x):loc_998979p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, offset dword_6D3014
		mov	ecx, 400h
		cmp	dword_6D3018, edi
		jnz	short loc_9A19FE
		mov	edx, ecx
		jmp	short loc_9A1A07
; 

loc_9A19FE:				; CODE XREF: MiExpandPartitionIds()+2Bj
		mov	eax, dword_6D3008
		mov	edx, [eax]
		add	edx, ecx

loc_9A1A07:				; CODE XREF: MiExpandPartitionIds()+2Fj
		mov	eax, dword_6D3008
		mov	[ebp+var_4], edx
		cmp	edx, [eax]
		jbe	short loc_9A1A4E
		cmp	edx, ecx
		ja	short loc_9A1A4E
		push	0
		pop	ecx
		test	dl, 1Fh
		mov	eax, edx
		push	0
		setnz	cl
		mov	edx, 20206D4Dh
		add	ecx, 2
		shr	eax, 5
		add	ecx, eax
		shl	ecx, 2
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9A1A54
		mov	eax, [ebp+var_4]
		lea	ecx, [esi+8]
		mov	[esi], eax
		mov	[esi+4], ecx
		jmp	short loc_9A1A50
; 

loc_9A1A4E:				; CODE XREF: MiExpandPartitionIds()+44j
					; MiExpandPartitionIds()+48j
		xor	esi, esi

loc_9A1A50:				; CODE XREF: MiExpandPartitionIds()+7Fj
		test	esi, esi
		jnz	short loc_9A1A5B

loc_9A1A54:				; CODE XREF: MiExpandPartitionIds()+72j
					; MiExpandPartitionIds()+FCj
		xor	eax, eax
		jmp	loc_9A1B3E
; 

loc_9A1A5B:				; CODE XREF: MiExpandPartitionIds()+85j
		mov	ecx, dword_6D3018
		cmp	ecx, edi
		jnz	short loc_9A1A81
		xor	edx, edx
		mov	ecx, offset dword_6D35E0
		inc	edx
		call	MiReservePtes
		mov	edi, eax
		test	edi, edi
		jz	short loc_9A1AC1
		shl	edi, 9
		test	edi, edi
		jnz	short loc_9A1A8B
		jmp	short loc_9A1AC1
; 

loc_9A1A81:				; CODE XREF: MiExpandPartitionIds()+96j
		mov	eax, dword_6D3008
		mov	eax, [eax]
		lea	edi, [ecx+eax*4]

loc_9A1A8B:				; CODE XREF: MiExpandPartitionIds()+B0j
		mov	ecx, edi
		call	_MiGetPteAddress@4 ; MiGetPteAddress(x)
		push	9
		push	21h
		mov	edx, eax
		mov	[ebp+var_4], eax
		mov	ecx, eax
		call	_MiMakeZeroedPageTables@16 ; MiMakeZeroedPageTables(x,x,x,x)
		test	eax, eax
		jnz	short loc_9A1ACB
		cmp	dword_6D3018, offset dword_6D3014
		jnz	short loc_9A1AC1
		mov	edx, [ebp+var_4]
		mov	ecx, offset dword_6D35E0
		push	1
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_9A1AC1:				; CODE XREF: MiExpandPartitionIds()+A9j
					; MiExpandPartitionIds()+B2j ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9A1A54
; 

loc_9A1ACB:				; CODE XREF: MiExpandPartitionIds()+D7j
		push	1000h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, dword_6D3018
		add	esp, 0Ch
		cmp	eax, offset dword_6D3014
		jnz	short loc_9A1AF1
		mov	eax, [eax]
		mov	[edi], eax
		mov	dword_6D3018, edi

loc_9A1AF1:				; CODE XREF: MiExpandPartitionIds()+118j
		push	esi
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		mov	edx, dword_6D3008
		push	0
		pop	eax
		mov	ecx, [edx]
		test	cl, 1Fh
		setnz	al
		shr	ecx, 5
		add	eax, ecx
		shl	eax, 2
		push	eax		; size_t
		push	dword ptr [edx+4] ; void *
		push	dword ptr [esi+4] ; void *
		call	_memcpy
		mov	ecx, dword_6D3008
		add	esp, 0Ch
		cmp	ecx, offset dword_6D300C
		jz	short loc_9A1B35
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A1B35:				; CODE XREF: MiExpandPartitionIds()+15Ej
		xor	eax, eax
		mov	dword_6D3008, esi
		inc	eax

loc_9A1B3E:				; CODE XREF: MiExpandPartitionIds()+89j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_MiExpandPartitionIds@0	endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreePartitionPageRun(x, x, x, x)
_MiFreePartitionPageRun@16 proc	near	; CODE XREF: MiActOnPartitionNodePages(x,x,x)+24Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		cmp	[ebp+arg_4], 1
		push	esi
		push	edi
		mov	esi, edx
		setz	al
		mov	edx, [ebp+arg_0]
		mov	edi, ecx
		push	eax
		mov	ecx, esi
		call	_MiFreeMdlPageRun@12 ; MiFreeMdlPageRun(x,x,x)
		test	eax, eax
		jz	short loc_9A1B7D
		cmp	edi, offset _MiSystemPartition
		jnz	short loc_9A1B7D
		neg	eax
		mov	ecx, offset dword_6D3620
		lock xadd [ecx], eax

loc_9A1B7D:				; CODE XREF: MiFreePartitionPageRun(x,x,x,x)+21j
					; MiFreePartitionPageRun(x,x,x,x)+29j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_MiFreePartitionPageRun@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreePartitionPhysicalPages(x, x)
_MiFreePartitionPhysicalPages@8	proc near ; CODE XREF: MiDeletePartitionResources(x)+1BEp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	edi, [esi+0F48h]
		call	_MiReturnPartitionPagesToParent@4 ; MiReturnPartitionPagesToParent(x)
		movzx	ecx, ds:_KeNumberNodes
		xor	eax, eax
		mov	edx, [esi+10h]
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	short loc_9A1BC6
		lea	ecx, [edx+214h]

loc_9A1BB4:				; CODE XREF: MiFreePartitionPhysicalPages(x,x)+41j
		mov	edx, [ecx]
		test	edx, edx
		jnz	short loc_9A1BE4
		add	ecx, 280h
		inc	eax
		cmp	eax, [ebp+var_4]
		jb	short loc_9A1BB4

loc_9A1BC6:				; CODE XREF: MiFreePartitionPhysicalPages(x,x)+29j
		xor	eax, eax
		cmp	[esi+900h], eax
		jz	short loc_9A1BF5
		push	dword ptr [esi+0FC0h]
		push	dword ptr [esi+0F48h]
		push	edi
		push	41006h
		jmp	short loc_9A1BEE
; 

loc_9A1BE4:				; CODE XREF: MiFreePartitionPhysicalPages(x,x)+35j
		push	0
		push	0
		push	edx
		push	41008h

loc_9A1BEE:				; CODE XREF: MiFreePartitionPhysicalPages(x,x)+5Fj
					; MiFreePartitionPhysicalPages(x,x)+8Cj ...
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9A1BF5:				; CODE XREF: MiFreePartitionPhysicalPages(x,x)+4Bj
		cmp	[esi+0F48h], eax
		jz	short loc_9A1C11
		push	dword ptr [esi+0FC0h]
		push	dword ptr [esi+0F48h]
		push	edi
		push	41005h
		jmp	short loc_9A1BEE
; 

loc_9A1C11:				; CODE XREF: MiFreePartitionPhysicalPages(x,x)+78j
		cmp	[esi+0FC0h], eax
		jz	short loc_9A1C28
		push	eax
		push	dword ptr [esi+0FC0h]
		push	edi
		push	41004h
		jmp	short loc_9A1BEE
; 

loc_9A1C28:				; CODE XREF: MiFreePartitionPhysicalPages(x,x)+94j
		cmp	[esi+1000h], edi
		jnz	short loc_9A1C7E
		mov	eax, [esi+1000h]
		cmp	eax, [esi+1114h]
		jnz	short loc_9A1C7E
		mov	edx, [esi+1000h]
		mov	ecx, ebx
		call	_MiReturnResident@8 ; MiReturnResident(x,x)
		mov	esi, [esi+1114h]
		mov	edx, esi
		mov	ecx, ebx
		cmp	ebx, offset _MiSystemPartition
		jnz	short loc_9A1C72
		call	MiReturnCommit
		neg	esi
		mov	eax, offset dword_6D3620
		lock xadd [eax], esi

loc_9A1C6D:				; CODE XREF: MiFreePartitionPhysicalPages(x,x)+F9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9A1C72:				; CODE XREF: MiFreePartitionPhysicalPages(x,x)+D8j
		push	0
		push	0
		push	esi
		call	MiIncreaseCommitLimits
		jmp	short loc_9A1C6D
; 

loc_9A1C7E:				; CODE XREF: MiFreePartitionPhysicalPages(x,x)+ABj
					; MiFreePartitionPhysicalPages(x,x)+B9j
		push	dword ptr [esi+1114h]
		push	dword ptr [esi+1000h]
		push	edi
		push	41003h
		jmp	loc_9A1BEE
_MiFreePartitionPhysicalPages@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiHotAddPartitionMemory(x, x, x)
_MiHotAddPartitionMemory@12 proc near	; CODE XREF: MmManagePartitionInitialAddMemory(x,x,x,x)+ECp

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_17		= byte ptr -17h
var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+50h+var_3C], edx
		lea	edi, [esp+50h+var_30]
		mov	esi, ecx
		stosd
		push	8
		pop	ecx
		mov	[esp+50h+var_44], esi
		stosd
		stosd
		stosd
		xor	eax, eax
		and	[esp+50h+var_40], eax
		lea	edi, [esp+50h+var_20]
		rep stosd
		mov	ecx, [ebp+arg_0]
		cmp	esi, offset _MiSystemPartition
		jnz	short loc_9A1CF9
		test	byte ptr [ecx],	4
		jnz	short loc_9A1CF9
		mov	esi, 0C00000BBh

loc_9A1CDB:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+78j
					; MiHotAddPartitionMemory(x,x,x)+9Bj ...
		mov	ebx, [esp+50h+var_44]

loc_9A1CDF:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+13Aj
		push	0
		push	0
		lea	edx, [esp+58h+var_40]
		mov	ecx, ebx
		call	_MiFreePartitionTree@16	; MiFreePartitionTree(x,x,x,x)

loc_9A1CEE:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+287j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_9A1CF9:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+3Aj
					; MiHotAddPartitionMemory(x,x,x)+3Fj
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_9A1D0F
		mov	esi, 0C0000061h
		jmp	short loc_9A1CDB
; 

loc_9A1D0F:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+71j
		and	dword ptr [ecx+8], 0
		mov	eax, [ecx]
		mov	ebx, [ecx+4]
		xor	ecx, ecx
		inc	ecx
		test	al, cl
		jz	short loc_9A1D25
		mov	[esp+50h+var_38], ecx
		jmp	short loc_9A1D3B
; 

loc_9A1D25:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+88j
		test	byte ptr [esi+4], 40h
		jz	short loc_9A1D32

loc_9A1D2B:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+9Fj
		mov	esi, 0C00000F0h
		jmp	short loc_9A1CDB
; 

loc_9A1D32:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+94j
		test	al, 4
		jnz	short loc_9A1D2B
		and	[esp+50h+var_38], 0

loc_9A1D3B:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+8Ej
		xor	ecx, ecx
		xor	edi, edi
		cmp	ebx, 1FFFFFFDh
		jbe	short loc_9A1D4E

loc_9A1D47:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+EEj
		mov	esi, 0C000009Ah
		jmp	short loc_9A1CDB
; 

loc_9A1D4E:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+B0j
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_9A1D9E

loc_9A1D54:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+102j
		mov	edx, [edx]
		cmp	edx, ecx
		jb	short loc_9A1DB2
		mov	eax, [esp+50h+var_3C]
		mov	eax, [eax+4]
		lea	ecx, [eax+edx]
		mov	[esp+50h+var_34], ecx
		cmp	ecx, edx
		jbe	short loc_9A1DB2
		lea	ecx, [eax+edi]
		cmp	ecx, edi
		jbe	short loc_9A1DB2
		push	0
		mov	edi, ecx
		lea	ecx, [esp+54h+var_40]
		push	eax
		call	_MiAddRangeToPartitionTree@16 ;	MiAddRangeToPartitionTree(x,x,x,x)
		test	eax, eax
		jz	short loc_9A1D47
		mov	edx, [esp+50h+var_3C]
		inc	esi
		mov	ecx, [esp+50h+var_34]
		add	edx, 8
		mov	[esp+50h+var_3C], edx
		cmp	esi, ebx
		jb	short loc_9A1D54
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]

loc_9A1D9E:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+BDj
		test	al, 4
		jz	short loc_9A1DBC
		mov	[esp+50h+var_16], 1
		test	al, 2
		jz	short loc_9A1DD5
		mov	[esp+50h+var_15], 1
		jmp	short loc_9A1DD5
; 

loc_9A1DB2:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+C3j
					; MiHotAddPartitionMemory(x,x,x)+D5j ...
		mov	esi, 0C000000Dh
		jmp	loc_9A1CDB
; 

loc_9A1DBC:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+10Bj
		mov	ebx, [esp+50h+var_44]
		lea	edx, [esp+50h+var_40]
		mov	ecx, ebx
		call	_MiUpdatePartitionLargePfnBitMap@8 ; MiUpdatePartitionLargePfnBitMap(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9A1CDF

loc_9A1DD5:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+114j
					; MiHotAddPartitionMemory(x,x,x)+11Bj
		mov	ecx, [esp+50h+var_44]
		xor	esi, esi
		mov	ebx, [esp+50h+var_24]
		test	byte ptr [ecx+4], 40h
		jz	short loc_9A1DF1
		or	ebx, 8
		mov	[esp+50h+var_17], 1
		mov	[esp+50h+var_24], ebx

loc_9A1DF1:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+14Ej
		cmp	[esp+50h+var_38], esi
		jnz	short loc_9A1E03
		or	ebx, 2
		mov	[esp+50h+var_24], ebx
		jmp	loc_9A1EDC
; 

loc_9A1E03:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+160j
		and	[esp+50h+var_34], esi
		xor	edi, edi
		mov	eax, [esp+50h+var_40]
		mov	[esp+50h+var_20], ecx
		jmp	short loc_9A1E17
; 

loc_9A1E13:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+184j
		mov	edi, eax
		mov	eax, [eax]

loc_9A1E17:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+17Cj
		test	eax, eax
		jnz	short loc_9A1E13
		test	edi, edi
		jz	loc_9A1ED0
		mov	ebx, [esp+50h+var_34]

loc_9A1E27:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+22Dj
		mov	ecx, [edi+4]
		mov	eax, edi
		mov	[esp+50h+var_3C], eax
		mov	edx, edi
		test	ecx, ecx
		jz	short loc_9A1E54
		mov	edi, ecx
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_9A1E5C

loc_9A1E3E:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+1B1j
		mov	eax, [ecx]
		mov	edi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_9A1E3E
		mov	eax, [esp+50h+var_3C]
		jmp	short loc_9A1E5C
; 

loc_9A1E4E:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+1C5j
		cmp	[edi], edx
		jz	short loc_9A1E5C
		mov	edx, edi

loc_9A1E54:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+19Fj
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		jnz	short loc_9A1E4E

loc_9A1E5C:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+1A7j
					; MiHotAddPartitionMemory(x,x,x)+1B7j ...
		cmp	ebx, 1
		jnz	short loc_9A1E87
		push	eax
		lea	eax, [esp+54h+var_40]
		push	eax
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		mov	eax, [esp+58h+var_44]
		push	0
		push	dword ptr [eax+14h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	[esp+5Ch+var_44]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9A1EC0
; 

loc_9A1E87:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+1CAj
		lea	ecx, [esp+50h+var_20]
		push	ecx
		push	9
		pop	edx
		mov	ecx, eax
		call	_MiActOnPartitionNodePages@12 ;	MiActOnPartitionNodePages(x,x,x)
		cmp	[esp+50h+var_14], 0
		jge	short loc_9A1EC0
		mov	eax, [esp+50h+var_3C]
		mov	esi, [esp+50h+var_14]
		add	eax, 10h
		push	200h
		push	0
		push	eax
		call	_RtlAreBitsClear@12 ; RtlAreBitsClear(x,x,x)
		cmp	al, 1
		jnz	short loc_9A1EBD
		mov	edi, [esp+50h+var_3C]

loc_9A1EBD:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+222j
		xor	ebx, ebx
		inc	ebx

loc_9A1EC0:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+1F0j
					; MiHotAddPartitionMemory(x,x,x)+206j
		test	edi, edi
		jnz	loc_9A1E27
		mov	ebx, [esp+50h+var_24]
		mov	ecx, [esp+50h+var_44]

loc_9A1ED0:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+188j
		mov	edi, [esp+50h+var_8]
		test	edi, edi
		jz	loc_9A1CDB

loc_9A1EDC:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+169j
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		test	al, 2
		jnz	short loc_9A1EEC
		or	ebx, 1
		mov	[esp+50h+var_24], ebx

loc_9A1EEC:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+24Ej
		lea	edx, [esp+50h+var_40]
		mov	[esp+50h+var_30], edx
		test	al, 4
		jz	short loc_9A1F03
		push	0
		push	0
		call	_MiFreePartitionTree@16	; MiFreePartitionTree(x,x,x,x)
		jmp	short loc_9A1F16
; 

loc_9A1F03:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+261j
		push	ecx
		push	edi
		lea	eax, [esp+58h+var_30]
		mov	edx, ecx
		push	eax
		mov	ecx, offset _MiSystemPartition
		call	_MiInsertPartitionPages@20 ; MiInsertPartitionPages(x,x,x,x,x)

loc_9A1F16:				; CODE XREF: MiHotAddPartitionMemory(x,x,x)+26Cj
		mov	eax, [ebp+arg_0]
		mov	[eax+8], edi
		jmp	loc_9A1CEE
_MiHotAddPartitionMemory@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiHotRemovePartitionPageRun(x, x)
_MiHotRemovePartitionPageRun@8 proc near ; CODE	XREF: MiActOnPartitionNodePages(x,x,x)+260p
		mov	edi, edi
		push	esi
		push	10h
		mov	esi, edx
		call	_MiRemovePhysicalMemory@12 ; MiRemovePhysicalMemory(x,x,x)
		test	eax, eax
		js	short loc_9A1F3C
		neg	esi
		mov	ecx, offset dword_6D3620
		lock xadd [ecx], esi

loc_9A1F3C:				; CODE XREF: MiHotRemovePartitionPageRun(x,x)+Ej
		pop	esi
		retn
_MiHotRemovePartitionPageRun@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMakePartitionMemoryBlock(x)
_MiMakePartitionMemoryBlock@4 proc near	; CODE XREF: MiInsertPartitionPages(x,x,x,x,x)+EEp
					; MiInsertPartitionPages(x,x,x,x,x)+327p ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+68h+var_50]
		stosd
		mov	edx, ecx
		push	8
		pop	ecx
		push	8
		stosd
		mov	[esp+6Ch+var_58], edx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+6Ch+var_20]
		xor	esi, esi
		rep stosd
		pop	ecx
		lea	edi, [esp+68h+var_40]
		rep stosd
		mov	eax, [edx+14h]
		jmp	short loc_9A1F7B
; 

loc_9A1F77:				; CODE XREF: MiMakePartitionMemoryBlock(x)+3Fj
		mov	esi, eax
		mov	eax, [eax]

loc_9A1F7B:				; CODE XREF: MiMakePartitionMemoryBlock(x)+37j
		test	eax, eax
		jnz	short loc_9A1F77
		jmp	short loc_9A1FBD
; 

loc_9A1F81:				; CODE XREF: MiMakePartitionMemoryBlock(x)+81j
		mov	eax, [esi+4]
		mov	edi, esi
		mov	ecx, esi
		test	eax, eax
		jz	short loc_9A1FA6
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_9A1FAE

loc_9A1F94:				; CODE XREF: MiMakePartitionMemoryBlock(x)+5Ej
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_9A1F94
		jmp	short loc_9A1FAE
; 

loc_9A1FA0:				; CODE XREF: MiMakePartitionMemoryBlock(x)+6Ej
		cmp	[esi], ecx
		jz	short loc_9A1FAE
		mov	ecx, esi

loc_9A1FA6:				; CODE XREF: MiMakePartitionMemoryBlock(x)+4Cj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_9A1FA0

loc_9A1FAE:				; CODE XREF: MiMakePartitionMemoryBlock(x)+54j
					; MiMakePartitionMemoryBlock(x)+60j ...
		lea	eax, [esp+68h+var_40]
		mov	ecx, edi
		push	eax
		push	5
		pop	edx
		call	_MiActOnPartitionNodePages@12 ;	MiActOnPartitionNodePages(x,x,x)

loc_9A1FBD:				; CODE XREF: MiMakePartitionMemoryBlock(x)+41j
		test	esi, esi
		jnz	short loc_9A1F81
		xor	edi, edi
		inc	edi
		cmp	[esp+68h+var_28], esi
		jz	loc_9A20A3
		mov	esi, [esp+68h+var_2C]
		cmp	esi, 0FFFFFFFh
		ja	loc_9A20A1
		push	0
		lea	ecx, ds:8[esi*8]
		mov	edx, 6C4D6D4Dh
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9A20A1
		mov	eax, [esp+68h+var_28]
		mov	[ebx+4], eax
		mov	eax, [esp+68h+var_58]
		mov	[ebx], esi
		xor	esi, esi
		mov	[esp+68h+var_4], ebx
		mov	eax, [eax+14h]
		jmp	short loc_9A2019
; 

loc_9A2015:				; CODE XREF: MiMakePartitionMemoryBlock(x)+DDj
		mov	esi, eax
		mov	eax, [eax]

loc_9A2019:				; CODE XREF: MiMakePartitionMemoryBlock(x)+D5j
		test	eax, eax
		jnz	short loc_9A2015
		jmp	short loc_9A205F
; 

loc_9A201F:				; CODE XREF: MiMakePartitionMemoryBlock(x)+123j
		mov	eax, [esi+4]
		mov	ecx, esi
		mov	[esp+68h+var_54], esi
		test	eax, eax
		jz	short loc_9A2046
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_9A204E

loc_9A2034:				; CODE XREF: MiMakePartitionMemoryBlock(x)+FEj
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_9A2034
		jmp	short loc_9A204E
; 

loc_9A2040:				; CODE XREF: MiMakePartitionMemoryBlock(x)+10Ej
		cmp	[esi], ecx
		jz	short loc_9A204E
		mov	ecx, esi

loc_9A2046:				; CODE XREF: MiMakePartitionMemoryBlock(x)+ECj
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jnz	short loc_9A2040

loc_9A204E:				; CODE XREF: MiMakePartitionMemoryBlock(x)+F4j
					; MiMakePartitionMemoryBlock(x)+100j ...
		mov	ecx, [esp+68h+var_54]
		lea	eax, [esp+68h+var_20]
		push	eax
		push	6
		pop	edx
		call	_MiActOnPartitionNodePages@12 ;	MiActOnPartitionNodePages(x,x,x)

loc_9A205F:				; CODE XREF: MiMakePartitionMemoryBlock(x)+DFj
		test	esi, esi
		jnz	short loc_9A201F
		mov	ecx, [esp+68h+var_58]
		mov	edx, ebx
		call	_MiConvertInitialMemoryBlock@8 ; MiConvertInitialMemoryBlock(x,x)
		push	0
		mov	esi, eax
		push	ebx
		mov	[esp+70h+var_4C], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	short loc_9A20A1
		mov	ecx, [esp+68h+var_58]
		mov	edx, esi
		call	MiCreateNodeLists
		mov	[esp+68h+var_48], eax
		test	eax, eax
		jnz	short loc_9A20A3
		xor	edx, edx
		mov	ecx, esi
		call	MiDereferencePageRunsEx
		and	[esp+68h+var_4C], 0

loc_9A20A1:				; CODE XREF: MiMakePartitionMemoryBlock(x)+9Aj
					; MiMakePartitionMemoryBlock(x)+B9j ...
		xor	edi, edi

loc_9A20A3:				; CODE XREF: MiMakePartitionMemoryBlock(x)+8Aj
					; MiMakePartitionMemoryBlock(x)+153j
		mov	ecx, [esp+68h+var_58]
		lea	edx, [esp+68h+var_50]
		push	edi
		call	_MiUpdatePartitionMemory@12 ; MiUpdatePartitionMemory(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_MiMakePartitionMemoryBlock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdatePartitionLargePfnBitMap(x, x)
_MiUpdatePartitionLargePfnBitMap@8 proc	near
					; CODE XREF: MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)+28Ep
					; MiHotAddPartitionMemory(x,x,x)+131p

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		lea	edi, [ebp+var_28]
		mov	edx, ecx
		xor	eax, eax
		push	8
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_28], edx
		mov	edx, eax
		mov	[ebp+var_8], eax
		call	_MiLockDynamicMemoryExclusive@8	; MiLockDynamicMemoryExclusive(x,x)
		mov	eax, [esi]
		mov	edi, ebx
		jmp	short loc_9A20F6
; 

loc_9A20F2:				; CODE XREF: MiUpdatePartitionLargePfnBitMap(x,x)+40j
		mov	edi, eax
		mov	eax, [eax]

loc_9A20F6:				; CODE XREF: MiUpdatePartitionLargePfnBitMap(x,x)+38j
		test	eax, eax
		jnz	short loc_9A20F2
		jmp	short loc_9A213C
; 

loc_9A20FC:				; CODE XREF: MiUpdatePartitionLargePfnBitMap(x,x)+86j
		mov	eax, [edi+4]
		mov	esi, edi
		mov	ecx, edi
		test	eax, eax
		jz	short loc_9A2121
		mov	edi, eax
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_9A2129

loc_9A210F:				; CODE XREF: MiUpdatePartitionLargePfnBitMap(x,x)+5Fj
		mov	eax, [ecx]
		mov	edi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_9A210F
		jmp	short loc_9A2129
; 

loc_9A211B:				; CODE XREF: MiUpdatePartitionLargePfnBitMap(x,x)+6Fj
		cmp	[edi], ecx
		jz	short loc_9A2129
		mov	ecx, edi

loc_9A2121:				; CODE XREF: MiUpdatePartitionLargePfnBitMap(x,x)+4Dj
		mov	edi, [edi+8]
		and	edi, 0FFFFFFFCh
		jnz	short loc_9A211B

loc_9A2129:				; CODE XREF: MiUpdatePartitionLargePfnBitMap(x,x)+55j
					; MiUpdatePartitionLargePfnBitMap(x,x)+61j ...
		lea	eax, [ebp+var_28]
		mov	ecx, esi
		push	eax
		push	3
		pop	edx
		call	_MiActOnPartitionNodePages@12 ;	MiActOnPartitionNodePages(x,x,x)
		cmp	[ebp+var_1C], ebx
		jl	short loc_9A2142

loc_9A213C:				; CODE XREF: MiUpdatePartitionLargePfnBitMap(x,x)+42j
		test	edi, edi
		jnz	short loc_9A20FC
		jmp	short loc_9A2145
; 

loc_9A2142:				; CODE XREF: MiUpdatePartitionLargePfnBitMap(x,x)+82j
		mov	ebx, [ebp+var_1C]

loc_9A2145:				; CODE XREF: MiUpdatePartitionLargePfnBitMap(x,x)+88j
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		call	MiUnlockDynamicMemoryExclusive
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_MiUpdatePartitionLargePfnBitMap@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmManagePartitionCombineMemory(x, x, x, x)
_MmManagePartitionCombineMemory@16 proc	near ; CODE XREF: sub_8ECDAC+Ep

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		mov	ecx, [ecx]
		push	esi
		mov	esi, edx
		test	byte ptr [esi+4], 1
		jz	short loc_9A2173
		mov	eax, 0C00000EFh
		jmp	short loc_9A2195
; 

loc_9A2173:				; CODE XREF: MmManagePartitionCombineMemory(x,x,x,x)+13j
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	0
		push	dword ptr [edx+4]
		mov	edx, [edx]
		call	_MiCombineIdenticalPages@24 ; MiCombineIdenticalPages(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9A2195
		mov	eax, [ebp+var_4]
		mov	[esi+8], eax
		xor	eax, eax

loc_9A2195:				; CODE XREF: MmManagePartitionCombineMemory(x,x,x,x)+1Aj
					; MmManagePartitionCombineMemory(x,x,x,x)+34j
		pop	esi
		leave
		retn	8
_MmManagePartitionCombineMemory@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmManagePartitionCreateLargePages(x, x, x)
_MmManagePartitionCreateLargePages@12 proc near	; CODE XREF: sub_8ECE0A+Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi		; struct _exception *
		push	[ebp+arg_0]
		mov	ebx, edx
		mov	[esp+1Ch+var_4], ecx
		push	ds:dword_A94A5C
		mov	[esp+20h+var_C], ebx
		push	ds:_SeLockMemoryPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_9A21D4
		mov	esi, 0C0000061h
		jmp	loc_9A225C
; 

loc_9A21D4:				; CODE XREF: MmManagePartitionCreateLargePages(x,x,x)+2Ej
		xor	esi, esi
		cmp	[ebx], esi
		jz	short loc_9A21E1

loc_9A21DA:				; CODE XREF: MmManagePartitionCreateLargePages(x,x,x)+53j
					; MmManagePartitionCreateLargePages(x,x,x)+5Ej	...
		mov	esi, 0C000000Dh
		jmp	short loc_9A225C
; 

loc_9A21E1:				; CODE XREF: MmManagePartitionCreateLargePages(x,x,x)+3Ej
		movzx	eax, ds:_KeNumberNodes
		mov	ecx, [ebx+4]
		cmp	ecx, eax
		jnb	short loc_9A21DA
		mov	ebx, [ebx+8]
		test	ebx, 0FFFh
		jnz	short loc_9A21DA
		shr	ebx, 0Ch
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	edi, eax
		jmp	short loc_9A2210
; 

loc_9A2206:				; CODE XREF: MmManagePartitionCreateLargePages(x,x,x)+79j
		cmp	ds:_MiLargePageSizes[edi*4], ebx
		jz	short loc_9A2215
		inc	edi

loc_9A2210:				; CODE XREF: MmManagePartitionCreateLargePages(x,x,x)+6Aj
		cmp	edi, 2
		jb	short loc_9A2206

loc_9A2215:				; CODE XREF: MmManagePartitionCreateLargePages(x,x,x)+73j
		cmp	edi, 2
		jnz	short loc_9A2221
		mov	esi, 0C00000BBh
		jmp	short loc_9A225C
; 

loc_9A2221:				; CODE XREF: MmManagePartitionCreateLargePages(x,x,x)+7Ej
		mov	eax, [esp+18h+var_C]
		mov	eax, [eax+0Ch]
		mov	[esp+18h+var_8], eax
		test	eax, eax
		jz	short loc_9A21DA
		xor	edx, edx
		or	eax, 0FFFFFFFFh
		div	ebx
		mov	edx, [esp+18h+var_8]
		cmp	edx, eax
		jnb	short loc_9A21DA
		imul	edx, ebx
		push	edx
		push	ecx
		mov	ecx, [esp+20h+var_4]
		mov	edx, edi
		mov	ecx, [ecx]
		call	_MiRebuildLargePage@16 ; MiRebuildLargePage(x,x,x,x)
		xor	edx, edx
		mov	ecx, [esp+18h+var_C]
		div	ebx
		mov	[ecx+10h], eax

loc_9A225C:				; CODE XREF: MmManagePartitionCreateLargePages(x,x,x)+35j
					; MmManagePartitionCreateLargePages(x,x,x)+45j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MmManagePartitionCreateLargePages@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmManagePartitionInitialAddMemory(x, x, x, x)
_MmManagePartitionInitialAddMemory@16 proc near	; CODE XREF: sub_8ECDC4+Ep

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		push	14h
		push	offset dword_6A8BA0
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		xor	ebx, ebx
		xor	edi, edi
		mov	eax, [ecx]
		mov	[ebp+var_24], eax
		mov	eax, [edx]
		test	eax, 0FFFFFFF8h
		jz	short loc_9A2292

loc_9A2288:				; CODE XREF: MmManagePartitionInitialAddMemory(x,x,x,x)+3Bj
					; MmManagePartitionInitialAddMemory(x,x,x,x)+42j ...
		mov	esi, 0C000000Dh
		jmp	loc_9A235A
; 

loc_9A2292:				; CODE XREF: MmManagePartitionInitialAddMemory(x,x,x,x)+1Fj
		test	al, 4
		jz	short loc_9A22A0
		mov	eax, 0C00000BBh
		jmp	loc_9A236C
; 

loc_9A22A0:				; CODE XREF: MmManagePartitionInitialAddMemory(x,x,x,x)+2Dj
		test	al, 7
		jz	short loc_9A2288
		mov	ecx, [edx+4]
		test	ecx, ecx
		jz	short loc_9A2288
		cmp	ecx, 1FFFFFFFh
		ja	short loc_9A2288
		mov	ebx, [ebp+arg_0]
		add	ebx, 0Ch
		mov	[ebp+arg_0], ebx
		cmp	[ebp+arg_4], 0
		jz	loc_9A234B
		mov	esi, ecx
		shl	esi, 3
		push	0
		push	40h
		mov	edx, 6148694Dh
		mov	ecx, esi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		mov	dword ptr [ebp+arg_4], edi
		test	edi, edi
		jnz	short loc_9A22EB
		mov	esi, 0C000009Ah
		jmp	short loc_9A235A
; 

loc_9A22EB:				; CODE XREF: MmManagePartitionInitialAddMemory(x,x,x,x)+7Bj
		and	[ebp+ms_exc.disabled], 0
		test	esi, esi
		jz	short loc_9A2311
		test	bl, 3
		jz	short loc_9A22FD
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9A22FD:				; CODE XREF: MmManagePartitionInitialAddMemory(x,x,x,x)+8Fj
		lea	eax, [esi+ebx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_9A230E
		cmp	eax, ebx
		jnb	short loc_9A2311

loc_9A230E:				; CODE XREF: MmManagePartitionInitialAddMemory(x,x,x,x)+A1j
		mov	byte ptr [ecx],	0

loc_9A2311:				; CODE XREF: MmManagePartitionInitialAddMemory(x,x,x,x)+8Aj
					; MmManagePartitionInitialAddMemory(x,x,x,x)+A5j
		push	esi		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+var_1C]
		jmp	short loc_9A234D
; 

loc_9A2328:				; DATA XREF: .text:006A8BB4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A2336:				; DATA XREF: .text:006A8BB8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_20]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+arg_0]
		mov	edi, dword ptr [ebp+arg_4]
		jmp	short loc_9A235A
; 

loc_9A234B:				; CODE XREF: MmManagePartitionInitialAddMemory(x,x,x,x)+59j
		mov	edi, ebx

loc_9A234D:				; CODE XREF: MmManagePartitionInitialAddMemory(x,x,x,x)+BFj
		push	edx
		mov	edx, edi
		mov	ecx, [ebp+var_24]
		call	_MiHotAddPartitionMemory@12 ; MiHotAddPartitionMemory(x,x,x)
		mov	esi, eax

loc_9A235A:				; CODE XREF: MmManagePartitionInitialAddMemory(x,x,x,x)+26j
					; MmManagePartitionInitialAddMemory(x,x,x,x)+82j ...
		test	edi, edi
		jz	short loc_9A236A
		cmp	edi, ebx
		jz	short loc_9A236A
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A236A:				; CODE XREF: MmManagePartitionInitialAddMemory(x,x,x,x)+F5j
					; MmManagePartitionInitialAddMemory(x,x,x,x)+F9j
		mov	eax, esi

loc_9A236C:				; CODE XREF: MmManagePartitionInitialAddMemory(x,x,x,x)+34j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MmManagePartitionInitialAddMemory@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmManagePartitionMoveMemory(x, x, x, x)
_MmManagePartitionMoveMemory@16	proc near ; CODE XREF: sub_8ECD6B+14p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, [ecx]
		mov	edx, [edx]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[esp+18h+var_4], edx
		mov	[esp+18h+var_8], eax
		mov	ecx, [edi]
		test	ecx, ecx
		jnz	short loc_9A23A5
		xor	eax, eax
		jmp	short loc_9A241E
; 

loc_9A23A5:				; CODE XREF: MmManagePartitionMoveMemory(x,x,x,x)+21j
		mov	esi, [edi+4]
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_9A23CF
		mov	eax, large fs:124h
		mov	eax, [eax+16Ch]
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	eax, [eax+338h]
		movzx	esi, word ptr [eax+8Ah]
		jmp	short loc_9A23DA
; 

loc_9A23CF:				; CODE XREF: MmManagePartitionMoveMemory(x,x,x,x)+2Dj
		movzx	eax, ds:_KeNumberNodes
		cmp	esi, eax
		jnb	short loc_9A2419

loc_9A23DA:				; CODE XREF: MmManagePartitionMoveMemory(x,x,x,x)+4Fj
		mov	ebx, [edi+8]
		test	ebx, 0FFFFFC00h
		jnz	short loc_9A2419
		test	ebx, 200h
		jz	short loc_9A23F4
		mov	eax, 0C00000BBh
		jmp	short loc_9A241E
; 

loc_9A23F4:				; CODE XREF: MmManagePartitionMoveMemory(x,x,x,x)+6Dj
		test	bl, 12h
		jz	short loc_9A2401
		test	ebx, 1E0h
		jmp	short loc_9A240F
; 

loc_9A2401:				; CODE XREF: MmManagePartitionMoveMemory(x,x,x,x)+79j
		mov	eax, ebx
		and	eax, 180h
		test	bl, 60h
		jz	short loc_9A2427
		test	eax, eax

loc_9A240F:				; CODE XREF: MmManagePartitionMoveMemory(x,x,x,x)+81j
		jnz	short loc_9A2419
		test	ecx, 1FFh
		jz	short loc_9A242B

loc_9A2419:				; CODE XREF: MmManagePartitionMoveMemory(x,x,x,x)+5Aj
					; MmManagePartitionMoveMemory(x,x,x,x)+65j ...
		mov	eax, 0C000000Dh

loc_9A241E:				; CODE XREF: MmManagePartitionMoveMemory(x,x,x,x)+25j
					; MmManagePartitionMoveMemory(x,x,x,x)+74j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_9A2427:				; CODE XREF: MmManagePartitionMoveMemory(x,x,x,x)+8Dj
		test	eax, eax
		jnz	short loc_9A2419

loc_9A242B:				; CODE XREF: MmManagePartitionMoveMemory(x,x,x,x)+99j
		test	bl, 8
		jz	short loc_9A245E
		mov	eax, offset _MiSystemPartition
		cmp	[esp+18h+var_8], eax
		jnz	short loc_9A2419
		cmp	edx, eax
		jz	short loc_9A2419
		push	[ebp+arg_4]
		push	ds:dword_A94A5C
		push	ds:_SeLockMemoryPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_9A245E
		mov	eax, 0C0000061h
		jmp	short loc_9A241E
; 

loc_9A245E:				; CODE XREF: MmManagePartitionMoveMemory(x,x,x,x)+B0j
					; MmManagePartitionMoveMemory(x,x,x,x)+D7j
		mov	edx, [esp+18h+var_8]
		push	ecx
		mov	ecx, [esp+1Ch+var_4]
		push	ebx
		push	esi
		push	dword ptr [edi]
		call	_MiAllocatePartitionPhysicalPages@24 ; MiAllocatePartitionPhysicalPages(x,x,x,x,x,x)
		jmp	short loc_9A241E
_MmManagePartitionMoveMemory@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmManagePartitionNodeInformation(x,	x, x)
_MmManagePartitionNodeInformation@12 proc near ; CODE XREF: sub_8ECDF3+Dp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

		push	2Ch
		push	offset dword_6A8B80
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_24], ecx
		xor	esi, esi
		mov	edi, esi
		mov	[ebp+var_28], edi
		cmp	[ebx+4], esi
		jz	short loc_9A249C

loc_9A2492:				; CODE XREF: MmManagePartitionNodeInformation(x,x,x)+35j
		mov	ebx, 0C000000Dh
		jmp	loc_9A264B
; 

loc_9A249C:				; CODE XREF: MmManagePartitionNodeInformation(x,x,x)+1Ej
		mov	ecx, [ebx]
		movzx	eax, ds:_KeNumberNodes
		cmp	ecx, eax
		jnz	short loc_9A2492
		imul	eax, ecx, 48h
		mov	[ebp+var_30], eax
		cmp	[ebp+arg_0], 0
		jz	short loc_9A24E0
		push	esi
		push	40h
		mov	edx, 694E694Dh
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_28], edi
		test	edi, edi
		jnz	short loc_9A24D7
		mov	ebx, 0C000009Ah
		jmp	loc_9A264B
; 

loc_9A24D7:				; CODE XREF: MmManagePartitionNodeInformation(x,x,x)+59j
		mov	edx, edi
		mov	[ebp+var_34], edi
		mov	ecx, [ebx]
		jmp	short loc_9A24E6
; 

loc_9A24E0:				; CODE XREF: MmManagePartitionNodeInformation(x,x,x)+41j
		mov	edx, [ebx+8]
		mov	[ebp+var_34], edx

loc_9A24E6:				; CODE XREF: MmManagePartitionNodeInformation(x,x,x)+6Cj
		mov	eax, large fs:124h
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_24]
		mov	eax, [eax]
		mov	eax, [eax+10h]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], esi
		test	ecx, ecx
		jz	loc_9A261B
		lea	edi, [edx+28h]

loc_9A2508:				; CODE XREF: MmManagePartitionNodeInformation(x,x,x)+1A0j
		lea	eax, [edi-28h]
		push	48h		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp+var_2C]
		dec	word ptr [eax+13Eh]
		nop
		mov	eax, [ebp+var_1C]
		add	eax, 1FCh
		mov	[ebp+var_24], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		mov	ecx, [ebp+var_1C]
		mov	eax, [ecx+1DCh]
		mov	[edi-28h], eax
		mov	[edi-24h], esi
		mov	eax, [ecx+1D0h]
		mov	[edi-18h], eax
		mov	[edi-14h], esi
		mov	eax, [ecx+1D4h]
		mov	[edi-20h], eax
		mov	[edi-1Ch], esi
		mov	eax, [ecx+98h]
		mov	[edi-8], eax
		mov	[edi-4], esi
		mov	eax, [ecx+9Ch]
		mov	[edi-10h], eax
		mov	[edi-0Ch], esi
		mov	eax, [ecx]
		mov	[edi+8], eax
		mov	[edi+0Ch], esi
		mov	eax, [ecx+4]
		mov	[edi], eax
		mov	[edi+4], esi
		xor	edx, edx
		push	11h
		pop	eax
		mov	ecx, [ebp+var_24]
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_9A259E
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+var_24]

loc_9A259E:				; CODE XREF: MmManagePartitionNodeInformation(x,x,x)+122j
		call	KeAbPostRelease
		mov	ecx, [ebp+var_2C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	edx, [edi+8]
		add	edx, [edi]
		mov	ecx, [edi+0Ch]
		adc	ecx, [edi+4]
		shld	ecx, edx, 9
		shl	edx, 9
		mov	eax, [edi-10h]
		add	eax, [edi-8]
		mov	[ebp+var_24], eax
		mov	eax, [edi-0Ch]
		adc	eax, [edi-4]
		mov	ebx, [ebp+var_24]
		shld	eax, ebx, 4
		shl	ebx, 4
		add	ebx, [edi-20h]
		adc	eax, [edi-1Ch]
		add	ebx, edx
		mov	[ebp+var_24], ebx
		adc	eax, ecx
		mov	ecx, ebx
		add	ecx, [edi-18h]
		adc	eax, [edi-14h]
		cmp	eax, [edi-24h]
		mov	ebx, [ebp+var_38]
		ja	short loc_9A260D
		jb	short loc_9A25FA
		cmp	ecx, [edi-28h]
		ja	short loc_9A260D

loc_9A25FA:				; CODE XREF: MmManagePartitionNodeInformation(x,x,x)+181j
		mov	eax, [ebp+var_20]
		inc	eax
		mov	[ebp+var_20], eax
		add	[ebp+var_1C], 280h
		add	edi, 48h
		jmp	short loc_9A2610
; 

loc_9A260D:				; CODE XREF: MmManagePartitionNodeInformation(x,x,x)+17Fj
					; MmManagePartitionNodeInformation(x,x,x)+186j
		mov	eax, [ebp+var_20]

loc_9A2610:				; CODE XREF: MmManagePartitionNodeInformation(x,x,x)+199j
		cmp	eax, [ebx]
		jb	loc_9A2508
		mov	edi, [ebp+var_28]

loc_9A261B:				; CODE XREF: MmManagePartitionNodeInformation(x,x,x)+8Dj
		cmp	[ebp+arg_0], 0
		jz	short loc_9A2649
		mov	[ebp+ms_exc.disabled], esi
		push	8
		push	[ebp+var_30]
		push	dword ptr [ebx+8]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	[ebp+var_30]	; size_t
		push	[ebp+var_34]	; void *
		push	dword ptr [ebx+8] ; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9A2649:				; CODE XREF: MmManagePartitionNodeInformation(x,x,x)+1ADj
		mov	ebx, esi

loc_9A264B:				; CODE XREF: MmManagePartitionNodeInformation(x,x,x)+25j
					; MmManagePartitionNodeInformation(x,x,x)+60j ...
		test	edi, edi
		jz	short loc_9A2656
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A2656:				; CODE XREF: MmManagePartitionNodeInformation(x,x,x)+1DBj
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MmManagePartitionNodeInformation@12 endp


;  S U B	R O U T	I N E 


sub_9A266A	proc near		; DATA XREF: .text:006A8B94o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_9A266A	endp


;  S U B	R O U T	I N E 


sub_9A2678	proc near		; DATA XREF: .text:006A8B98o
		mov	esp, [ebp-18h]
		mov	ebx, [ebp-3Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		xor	esi, esi
		mov	edi, [ebp-28h]
		jmp	short loc_9A264B
sub_9A2678	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmManagePartitionSetAttributes(x, x, x)
_MmManagePartitionSetAttributes@12 proc	near ; CODE XREF: sub_8ECDDC+Dp

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [edx]
		mov	eax, esi
		mov	edx, [edx+4]
		or	eax, edx
		jz	short loc_9A26C4
		and	esi, 0FFFFFFFCh
		or	esi, edx
		jnz	short loc_9A26BF
		cmp	dword ptr [ecx], offset	_MiSystemPartition
		jz	short loc_9A26BF
		xor	eax, eax
		cmp	[ebp+arg_0], al
		setz	al
		dec	eax
		and	eax, 0FFFFFFA6h
		add	eax, 0C00000BBh
		jmp	short loc_9A26C4
; 

loc_9A26BF:				; CODE XREF: MmManagePartitionSetAttributes(x,x,x)+16j
					; MmManagePartitionSetAttributes(x,x,x)+1Ej
		mov	eax, 0C000000Dh

loc_9A26C4:				; CODE XREF: MmManagePartitionSetAttributes(x,x,x)+Fj
					; MmManagePartitionSetAttributes(x,x,x)+31j
		pop	esi
		pop	ebp
		retn	4
_MmManagePartitionSetAttributes@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmQuerySystemVaInformation(x, x, x)
_MmQuerySystemVaInformation@12 proc near ; CODE	XREF: PAGE:00780FAEp

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_80		= dword	ptr -80h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	8Ch
		push	offset dword_6A8BE0
		call	__SEH_prolog4_GS
		mov	edi, ecx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_9C], eax
		xor	ebx, ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], 5
		mov	[ebp+var_2C], 6
		mov	[ebp+var_28], 8
		mov	[ebp+var_24], 9
		xor	esi, esi
		inc	esi
		mov	[ebp+var_20], esi
		mov	[eax], ebx
		cmp	edx, 60h
		jnb	short loc_9A271B
		mov	eax, 0C0000004h
		jmp	loc_9A27DF
; 

loc_9A271B:				; CODE XREF: MmQuerySystemVaInformation(x,x,x)+46j
		mov	ecx, dword_6D07D0
		neg	ecx
		mov	eax, ecx
		sub	eax, dword_6D4254
		mov	[ebp+var_94], eax
		sub	ecx, dword_6D07C8
		mov	[ebp+var_90], ecx
		mov	[ebp+var_8C], ebx
		mov	ecx, ebx
		push	4
		pop	eax

loc_9A2748:				; CODE XREF: MmQuerySystemVaInformation(x,x,x)+8Bj
		add	ecx, dword_6D4194[eax]
		add	eax, 4
		cmp	eax, 40h
		jb	short loc_9A2748
		mov	[ebp+var_88], ecx
		lea	edx, [ebp+var_80]

loc_9A275F:				; CODE XREF: MmQuerySystemVaInformation(x,x,x)+D1j
		mov	ecx, [ebp+esi*4+var_34]
		mov	eax, dword_6D3D54[ecx*4]
		shl	eax, 15h
		mov	[edx-4], eax
		mov	eax, dword_6D4214[ecx*4]
		shl	eax, 15h
		mov	[edx], eax
		mov	eax, dword_6D41D4[ecx*4]
		shl	eax, 15h
		mov	[edx+4], eax
		mov	eax, dword_6D4194[ecx*4]
		mov	[edx+8], eax
		inc	esi
		lea	edx, [edx+10h]
		cmp	esi, 6
		jb	short loc_9A275F
		mov	[ebp+ms_exc.disabled], ebx
		push	18h
		pop	ecx
		lea	esi, [ebp+var_94]
		rep movsd
		jmp	short loc_9A27C6
; 

loc_9A27AC:				; DATA XREF: .text:006A8BF4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_98], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A27BD:				; DATA XREF: .text:006A8BF8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_98]

loc_9A27C6:				; CODE XREF: MmQuerySystemVaInformation(x,x,x)+E1j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	ebx, ebx
		js	short loc_9A27DD
		mov	ecx, [ebp+var_9C]
		mov	dword ptr [ecx], 60h

loc_9A27DD:				; CODE XREF: MmQuerySystemVaInformation(x,x,x)+106j
		mov	eax, ebx

loc_9A27DF:				; CODE XREF: MmQuerySystemVaInformation(x,x,x)+4Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MmQuerySystemVaInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmSetSystemVaInformation(x,	x, x)
_MmSetSystemVaInformation@12 proc near	; CODE XREF: PAGE:007B42FCp

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_80		= dword	ptr -80h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	94h
		push	offset dword_6A8BC0
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	edi, ecx
		and	[ebp+var_34], 0
		mov	[ebp+var_30], 5
		mov	[ebp+var_2C], 6
		mov	[ebp+var_28], 8
		mov	[ebp+var_24], 9
		mov	[ebp+var_20], 1
		push	[ebp+arg_0]
		push	ds:dword_A94A1C
		push	ds:_SeIncreaseQuotaPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_9A284D
		mov	eax, 0C0000061h
		jmp	loc_9A2944
; 

loc_9A284D:				; CODE XREF: MmSetSystemVaInformation(x,x,x)+50j
		cmp	esi, 60h
		jnb	short loc_9A285C
		mov	eax, 0C0000004h
		jmp	loc_9A2944
; 

loc_9A285C:				; CODE XREF: MmSetSystemVaInformation(x,x,x)+5Fj
		cmp	byte_6D35B1, 1
		jnz	short loc_9A286F
		mov	eax, 0C0000189h
		jmp	loc_9A2944
; 

loc_9A286F:				; CODE XREF: MmSetSystemVaInformation(x,x,x)+72j
		xor	ebx, ebx
		and	[ebp+ms_exc.disabled], ebx
		push	18h
		pop	ecx
		mov	esi, edi
		lea	edi, [ebp+var_98]
		rep movsd
		jmp	short loc_9A289D
; 

loc_9A2883:				; DATA XREF: .text:006A8BD4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_9C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A2894:				; DATA XREF: .text:006A8BD8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_9C]

loc_9A289D:				; CODE XREF: MmSetSystemVaInformation(x,x,x)+90j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	esi, esi
		inc	esi
		test	ebx, ebx
		js	loc_9A2942
		mov	eax, dword_6D07D0
		neg	eax
		mov	[ebp+var_A0], eax
		mov	edi, large fs:124h
		mov	[ebp+var_A4], edi
		dec	word ptr [edi+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6D05C8
		call	ExAcquirePushLockExclusiveEx
		lea	edx, [ebp+var_80]
		mov	edi, [ebp+var_A0]

loc_9A28E6:				; CODE XREF: MmSetSystemVaInformation(x,x,x)+122j
		mov	ecx, [edx]
		cmp	ecx, edi
		jb	short loc_9A28F0
		xor	ecx, ecx
		jmp	short loc_9A28FC
; 

loc_9A28F0:				; CODE XREF: MmSetSystemVaInformation(x,x,x)+F9j
		add	ecx, 1FFFFFh
		and	ecx, 0FFE00000h

loc_9A28FC:				; CODE XREF: MmSetSystemVaInformation(x,x,x)+FDj
		mov	[edx], ecx
		shr	ecx, 15h
		mov	eax, [ebp+esi*4+var_34]
		mov	dword_6D41D4[eax*4], ecx
		inc	esi
		add	edx, 10h
		cmp	esi, 6
		jb	short loc_9A28E6
		or	eax, 0FFFFFFFFh
		mov	esi, offset dword_6D05C8
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		mov	edi, [ebp+var_A4]
		jnz	short loc_9A2934
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A2934:				; CODE XREF: MmSetSystemVaInformation(x,x,x)+13Aj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, edi
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_9A2942:				; CODE XREF: MmSetSystemVaInformation(x,x,x)+B8j
		mov	eax, ebx

loc_9A2944:				; CODE XREF: MmSetSystemVaInformation(x,x,x)+57j
					; MmSetSystemVaInformation(x,x,x)+66j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MmSetSystemVaInformation@12 endp


;  S U B	R O U T	I N E 


; __stdcall MiInitializeScrubPacket(x)
_MiInitializeScrubPacket@4 proc	near	; CODE XREF: MiScrubMemoryWorker(x)+Fp
					; MiScrubProcesses(x,x)+3Dp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ecx, 100h
		push	edi
		mov	edx, ecx
		lea	eax, [esi+1Ch]
		push	eax
		call	MiCreatePteCopyList
		xor	edi, edi
		cmp	[esi+20h], edi
		jz	short loc_9A29AE
		mov	ebx, [esi]
		mov	edx, 6363454Dh
		push	edi
		push	40h
		mov	ecx, 1000h
		mov	[esi+2Ch], edi
		mov	[esi+34h], edi
		mov	[esi+30h], edi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[esi+2Ch], eax
		test	eax, eax
		jz	short loc_9A29AE
		cmp	dword ptr [esi+4], 0FFFFFFFFh
		jz	short loc_9A29BA
		mov	ecx, [ebx+1Ch]
		xor	edx, edx
		inc	edx
		call	MiReferencePageRuns
		mov	[esi+34h], eax
		jmp	short loc_9A29BA
; 

loc_9A29AE:				; CODE XREF: MiInitializeScrubPacket(x)+1Cj
					; MiInitializeScrubPacket(x)+40j
		mov	ecx, esi
		call	_MiReleaseScrubPacket@4	; MiReleaseScrubPacket(x)
		mov	edi, 0C000009Ah

loc_9A29BA:				; CODE XREF: MiInitializeScrubPacket(x)+46j
					; MiInitializeScrubPacket(x)+56j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_MiInitializeScrubPacket@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiReleaseScrubPacket(x)
_MiReleaseScrubPacket@4	proc near	; CODE XREF: MiInitializeScrubPacket(x)+5Ap
					; MiScrubMemoryWorker(x)+23p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		lea	ecx, [esi+1Ch]
		call	_MiReleasePteCopyList@4	; MiReleasePteCopyList(x)
		mov	eax, [esi+2Ch]
		test	eax, eax
		jz	short loc_9A29DC
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A29DC:				; CODE XREF: MiReleaseScrubPacket(x)+12j
		mov	ecx, [esi+34h]
		pop	esi
		test	ecx, ecx
		jnz	_MiDereferencePageRuns@4 ; MiDereferencePageRuns(x)
		retn
_MiReleaseScrubPacket@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiScrubMemoryWorker(x)
_MiScrubMemoryWorker@4 proc near	; DATA XREF: MmScrubMemory(x,x,x)+ADo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		mov	edi, [esi]
		call	_MiInitializeScrubPacket@4 ; MiInitializeScrubPacket(x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9A2A11
		mov	ecx, esi
		call	_MiScrubNode@4	; MiScrubNode(x)
		mov	ecx, esi
		call	_MiReleaseScrubPacket@4	; MiReleaseScrubPacket(x)

loc_9A2A11:				; CODE XREF: MiScrubMemoryWorker(x)+18j
		mov	ecx, [esi+30h]
		lea	eax, [edi+18h]
		mov	[esi+8], ebx
		lock xadd [eax], ecx
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		jnz	short loc_9A2A32
		xor	edx, edx
		lea	ecx, [edi+4]
		inc	edx
		call	KeSignalGate

loc_9A2A32:				; CODE XREF: MiScrubMemoryWorker(x)+3Cj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_MiScrubMemoryWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiScrubProcesses(x,	x)
_MiScrubProcesses@8 proc near		; CODE XREF: MmScrubMemory(x,x,x)+F1p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, ecx
		mov	[ebp+var_20], edx
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		push	38h		; size_t
		push	eax		; int
		rep stosd
		lea	eax, [ebp+var_58]
		push	eax		; void *
		call	_memset
		or	[ebp+var_54], 0FFFFFFFFh
		lea	ecx, [ebp+var_58]
		add	esp, 0Ch
		mov	[ebp+var_58], ebx
		call	_MiInitializeScrubPacket@4 ; MiInitializeScrubPacket(x)
		test	eax, eax
		js	short loc_9A2AFD
		xor	ecx, ecx
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9A2AEB
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		mov	edi, eax

loc_9A2A93:				; CODE XREF: MiScrubProcesses(x,x)+B0j
		cmp	edi, [ebx+1Ch]
		jnz	short loc_9A2ADE
		lea	ecx, [ebp+var_58]
		call	_MiScrubInterrupted@4 ;	MiScrubInterrupted(x)
		test	eax, eax
		jnz	short loc_9A2AEB
		mov	ecx, esi
		call	_MiProcessHasAwePrivatePages@4 ; MiProcessHasAwePrivatePages(x)
		test	eax, eax
		jnz	short loc_9A2AB7
		cmp	[esi+394h], eax
		jz	short loc_9A2ADE

loc_9A2AB7:				; CODE XREF: MiScrubProcesses(x,x)+74j
		lea	eax, [ebp+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	KiStackAttachProcess
		lea	ecx, [ebp+var_58]
		call	_MiScrubProcessLargePages@4 ; MiScrubProcessLargePages(x)
		lea	ecx, [ebp+var_58]
		call	_MiScrubProcessPhysicalPages@4 ; MiScrubProcessPhysicalPages(x)
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_9A2ADE:				; CODE XREF: MiScrubProcesses(x,x)+5Dj
					; MiScrubProcesses(x,x)+7Cj
		mov	ecx, esi
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9A2A93

loc_9A2AEB:				; CODE XREF: MiScrubProcesses(x,x)+51j
					; MiScrubProcesses(x,x)+69j
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+var_28]
		mov	[ecx], eax
		lea	ecx, [ebp+var_58]
		call	_MiReleaseScrubPacket@4	; MiReleaseScrubPacket(x)
		xor	eax, eax

loc_9A2AFD:				; CODE XREF: MiScrubProcesses(x,x)+44j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiScrubProcesses@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmScrubMemory(x, x,	x)
_MmScrubMemory@12 proc near		; CODE XREF: PAGE:007B43C3p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		lea	ecx, [esp+0Ch+var_C]
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	[eax], esi
		mov	eax, large fs:124h
		push	esi
		push	ecx
		mov	[esp+20h+var_C], esi
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+20h+var_4], al
		push	[esp+20h+var_4]
		mov	eax, ds:_ExEventObjectType
		push	eax
		push	1
		push	edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_9A2C73
		movzx	edi, ds:_KeNumberNodes
		mov	edx, 6363454Dh
		imul	ecx, edi, 38h
		push	esi
		push	40h
		add	ecx, 24h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9A2B7E
		mov	edi, 0C000009Ah
		jmp	loc_9A2C68
; 

loc_9A2B7E:				; CODE XREF: MmScrubMemory(x,x,x)+66j
		lea	ecx, [ebx+4]
		mov	[ebx], edi
		call	@KeInitializeGate@8 ; KeInitializeGate(x,x)
		mov	eax, [esp+18h+var_C]
		mov	[ebx+14h], eax
		mov	eax, large fs:124h
		mov	[ebx+20h], eax
		lea	eax, [ebx+24h]
		mov	dword ptr [ebx+1Ch], offset _MiSystemPartition
		mov	[ebx+18h], esi
		mov	[esp+18h+var_8], eax
		test	edi, edi
		jz	short loc_9A2BF2
		lea	ecx, [eax+18h]
		mov	[esp+18h+var_4], ecx

loc_9A2BB4:				; CODE XREF: MmScrubMemory(x,x,x)+E4j
		mov	[ecx-14h], esi
		mov	[eax], ebx
		mov	dword ptr [ecx-4], offset _MiScrubMemoryWorker@4 ; MiScrubMemoryWorker(x)
		mov	[ecx], eax
		add	ecx, 0FFFFFFF4h
		and	dword ptr [ecx], 0
		push	dword_6D4EA4
		push	esi
		push	4
		pop	edx
		call	ExQueueWorkItemToPartition
		mov	eax, [esp+18h+var_8]
		mov	ecx, [esp+18h+var_4]
		add	eax, 38h
		add	ecx, 38h
		mov	[esp+18h+var_8], eax
		inc	esi
		mov	[esp+18h+var_4], ecx
		cmp	esi, edi
		jb	short loc_9A2BB4

loc_9A2BF2:				; CODE XREF: MmScrubMemory(x,x,x)+9Fj
		and	[esp+18h+var_4], 0
		lea	edx, [esp+18h+var_4]
		mov	ecx, ebx
		call	_MiScrubProcesses@8 ; MiScrubProcesses(x,x)
		push	ecx
		xor	edx, edx
		lea	ecx, [ebx+4]
		mov	edi, eax
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		test	edi, edi
		js	short loc_9A2C2C
		mov	eax, [esp+18h+var_8]
		add	eax, 8

loc_9A2C1A:				; CODE XREF: MmScrubMemory(x,x,x)+11Aj
		lea	eax, [eax-38h]
		mov	ecx, [eax]
		test	ecx, ecx
		js	short loc_9A2C2A
		sub	esi, 1
		jnz	short loc_9A2C1A
		jmp	short loc_9A2C2C
; 

loc_9A2C2A:				; CODE XREF: MmScrubMemory(x,x,x)+115j
		mov	edi, ecx

loc_9A2C2C:				; CODE XREF: MmScrubMemory(x,x,x)+105j
					; MmScrubMemory(x,x,x)+11Cj
		mov	eax, [ebx+18h]
		mov	ecx, [ebp+arg_0]
		add	eax, [esp+18h+var_4]
		push	0
		push	ebx
		mov	[ecx], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+18h+var_C]
		cmp	dword ptr [eax+4], 0
		jnz	short loc_9A2C63
		mov	eax, large fs:124h
		mov	eax, [eax+2FCh]
		test	al, 1
		jnz	short loc_9A2C63
		lock inc dword_6D30FC
		jmp	short loc_9A2C68
; 

loc_9A2C63:				; CODE XREF: MmScrubMemory(x,x,x)+13Cj
					; MmScrubMemory(x,x,x)+14Cj
		mov	edi, 0C0000240h

loc_9A2C68:				; CODE XREF: MmScrubMemory(x,x,x)+6Dj
					; MmScrubMemory(x,x,x)+155j
		mov	ecx, [esp+18h+var_C]
		call	ObfDereferenceObject
		mov	eax, edi

loc_9A2C73:				; CODE XREF: MmScrubMemory(x,x,x)+42j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_MmScrubMemory@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1533. NtMakePermanentObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtMakePermanentObject(x)
		public _NtMakePermanentObject@4
_NtMakePermanentObject@4 proc near	; DATA XREF: .text:00580F9Co

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_4], al
		push	[ebp+var_4]
		push	ds:dword_A94A34
		push	ds:_SeCreatePermanentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_9A2CB6
		mov	eax, 0C0000061h
		jmp	short locret_9A2D07
; 

loc_9A2CB6:				; CODE XREF: NtMakePermanentObject(x)+2Cj
		push	ebx
		xor	ecx, ecx
		lea	eax, [ebp+var_8]
		push	ecx
		push	eax
		push	[ebp+var_4]
		mov	[ebp+var_8], ecx
		push	ecx
		push	ecx
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9A2D06
		push	esi
		push	edi
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	edi, [ebp+var_8]
		xor	edx, edx
		lea	ecx, [edi-10h]
		call	ExAcquirePushLockExclusiveEx
		or	byte ptr [edi-9], 10h
		lea	ecx, [edi-10h]
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, edi
		call	ObfDereferenceObject
		pop	edi
		mov	eax, ebx
		pop	esi

loc_9A2D06:				; CODE XREF: NtMakePermanentObject(x)+51j
		pop	ebx

locret_9A2D07:				; CODE XREF: NtMakePermanentObject(x)+33j
		leave
		retn	4
_NtMakePermanentObject@4 endp


;  S U B	R O U T	I N E 


; __stdcall ObpAddToPendingDirectoryList(x)
_ObpAddToPendingDirectoryList@4	proc near
					; CODE XREF: ObpMarkDirectoryObjectsTemporary+E5CA3p
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _ObpPendingObjectDirectoryListLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, _ObpPendingObjectDirectoryList
		xor	edx, edx
		mov	ecx, edi
		mov	[esi], eax
		mov	_ObpPendingObjectDirectoryList,	esi
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_ObpAddToPendingDirectoryList@4	endp


;  S U B	R O U T	I N E 


; __stdcall ObpGetShadowDirectory(x, x)
_ObpGetShadowDirectory@8 proc near	; CODE XREF: ObpLookupDirectoryEntryEx+E5D8Ap
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	eax, [edi+0A8h]
		test	al, 4
		jnz	short loc_9A2DA0
		push	ebx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ebx, eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		lea	ecx, [ebx+70h]
		call	ExAcquirePushLockSharedEx
		mov	eax, [edi+98h]
		test	eax, eax
		jz	short loc_9A2D87
		mov	esi, [eax+4]

loc_9A2D87:				; CODE XREF: ObpGetShadowDirectory(x,x)+3Aj
		xor	edx, edx
		lea	ecx, [ebx+70h]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	ebx
		jmp	short loc_9A2DAE
; 

loc_9A2DA0:				; CODE XREF: ObpGetShadowDirectory(x,x)+10j
		test	al, 10h
		jz	short loc_9A2DA8
		test	dl, dl
		jz	short loc_9A2DAE

loc_9A2DA8:				; CODE XREF: ObpGetShadowDirectory(x,x)+5Aj
		mov	esi, [edi+9Ch]

loc_9A2DAE:				; CODE XREF: ObpGetShadowDirectory(x,x)+56j
					; ObpGetShadowDirectory(x,x)+5Ej
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_ObpGetShadowDirectory@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObAuditInheritedHandleProcedure(x, x, x, x)
_ObAuditInheritedHandleProcedure@16 proc near ;	DATA XREF: ObInitProcess+14A85Bo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ecx, esi
		push	edi
		push	4
		pop	edx
		call	_ExGetHandleAttributes@8 ; ExGetHandleAttributes(x,x)
		xor	ecx, ecx
		mov	edi, eax
		inc	ecx
		lock xadd [esi], ecx
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+arg_4]
		and	[ebp+arg_4], 0
		add	ecx, 20h
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	short loc_9A2DEB
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_9A2DEB:				; CODE XREF: ObAuditInheritedHandleProcedure(x,x,x,x)+31j
		test	edi, edi
		pop	edi
		pop	esi
		jz	short loc_9A2E03
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		mov	edx, ecx
		push	dword ptr [eax]
		push	dword ptr [eax+4]
		call	_SeAuditHandleDuplication@16 ; SeAuditHandleDuplication(x,x,x,x)

loc_9A2E03:				; CODE XREF: ObAuditInheritedHandleProcedure(x,x,x,x)+3Cj
		xor	al, al
		pop	ebp
		retn	10h
_ObAuditInheritedHandleProcedure@16 endp


;  S U B	R O U T	I N E 


; __stdcall ObCleanupSiloState(x)
_ObCleanupSiloState@4 proc near		; CODE XREF: PspDeleteServerSiloGlobals(x)+14p
		mov	ecx, [ecx]
		test	ecx, ecx
		jnz	ObfDereferenceDeviceMap
		retn
_ObCleanupSiloState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObShutdownSystem(x)
_ObShutdownSystem@4 proc near		; CODE XREF: PoBroadcastSystemState+B219p
					; PopGracefulShutdown(x)+151p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		sub	ecx, ebx
		jz	loc_9A2F66
		sub	ecx, 1
		jz	loc_9A2F44
		mov	edi, _ObpTypeObjectType
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_8], ebx
		mov	esi, [edi]
		jmp	short loc_9A2E53
; 

loc_9A2E45:				; CODE XREF: ObShutdownSystem(x)+41j
		lea	eax, [esi+28h]
		mov	esi, [esi]
		push	eax
		mov	[ebp+var_8], eax
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)

loc_9A2E53:				; CODE XREF: ObShutdownSystem(x)+2Fj
		cmp	esi, edi
		jnz	short loc_9A2E45
		push	offset ??_C@_1BG@NKCPFBJK@?$AAD?$AAo?$AAs?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@NNGAKEGL@
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	ebx
		push	_ObpSymbolicLinkObjectType
		lea	eax, [ebp+var_34]
		push	ebx
		push	ebx
		push	40h
		push	eax
		call	ObReferenceObjectByName
		test	eax, eax
		js	short loc_9A2E92
		push	[ebp+var_8]
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)
		mov	ecx, [ebp+var_8]
		call	ObfDereferenceObject

loc_9A2E92:				; CODE XREF: ObShutdownSystem(x)+6Cj
		push	(offset	loc_8BC071+1)
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	ebx
		push	_ObpSymbolicLinkObjectType
		lea	eax, [ebp+var_34]
		push	ebx
		push	ebx
		push	40h
		push	eax
		call	ObReferenceObjectByName
		test	eax, eax
		js	short loc_9A2ECD
		push	[ebp+var_8]
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)
		mov	ecx, [ebp+var_8]
		call	ObfDereferenceObject

loc_9A2ECD:				; CODE XREF: ObShutdownSystem(x)+A7j
		push	offset ??_C@_1BG@OFEBIDHK@?$AAG?$AAL?$AAO?$AAB?$AAA?$AAL?$AAR?$AAO?$AAO?$AAT@NNGAKEGL@
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	ebx
		push	_ObpSymbolicLinkObjectType
		lea	eax, [ebp+var_34]
		push	ebx
		push	ebx
		push	40h
		push	eax
		call	ObReferenceObjectByName
		test	eax, eax
		js	short loc_9A2F08
		push	[ebp+var_8]
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)
		mov	ecx, [ebp+var_8]
		call	ObfDereferenceObject

loc_9A2F08:				; CODE XREF: ObShutdownSystem(x)+E2j
		mov	ecx, _ObpRootDirectoryObject
		call	ObfDereferenceObject
		mov	ecx, _ObpDirectoryObjectType
		call	ObfDereferenceObject
		mov	ecx, _ObpSymbolicLinkObjectType
		call	ObfDereferenceObject
		mov	ecx, _ObpTypeDirectoryObject
		call	ObfDereferenceObject
		mov	ecx, _ObpTypeObjectType
		call	ObfDereferenceObject
		jmp	loc_9A314B
; 

loc_9A2F44:				; CODE XREF: ObShutdownSystem(x)+18j
		push	ebx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_28], ebx
		push	eax
		mov	eax, ds:_PsInitialSystemProcess
		push	offset _ObpShutdownCloseHandleProcedure@16 ; ObpShutdownCloseHandleProcedure(x,x,x,x)
		push	dword ptr [eax+18Ch]
		call	ExEnumHandleTable
		jmp	loc_9A314B
; 

loc_9A2F66:				; CODE XREF: ObShutdownSystem(x)+Fj
		mov	ecx, _ObpRootDirectoryObject
		mov	edi, ebx
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_20], ebx
		jmp	loc_9A3140
; 

loc_9A2F79:				; CODE XREF: ObShutdownSystem(x)+302j
					; ObShutdownSystem(x)+331j
		xor	eax, eax
		mov	[ebp+var_10], ecx
		mov	edx, ecx

loc_9A2F80:				; CODE XREF: ObShutdownSystem(x)+2F6j
		mov	[ebp+var_28], eax
		cmp	eax, 25h
		jnb	loc_9A311B
		mov	esi, [edx]
		mov	[ebp+var_C], edx
		test	esi, esi
		jz	loc_9A3103

loc_9A2F99:				; CODE XREF: ObShutdownSystem(x)+2E6j
		mov	eax, [esi+4]
		mov	[ebp+var_14], eax
		add	eax, 0FFFFFFE8h
		mov	[ebp+var_8], eax
		shr	eax, 8
		movzx	ecx, al
		mov	eax, [ebp+var_8]
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		movzx	eax, byte ptr [eax+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_1C], eax
		mov	dl, [ecx+0Eh]
		mov	[ebp+var_1], dl
		test	dl, 2
		mov	edx, [ebp+var_10]
		jz	short loc_9A2FF6
		movzx	eax, [ebp+var_1]
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_24], ecx
		jmp	short loc_9A2FFA
; 

loc_9A2FF6:				; CODE XREF: ObShutdownSystem(x)+1C8j
		and	[ebp+var_24], 0

loc_9A2FFA:				; CODE XREF: ObShutdownSystem(x)+1E0j
		test	edi, edi
		jz	short loc_9A3027
		mov	eax, [ebp+var_14]
		cmp	eax, edi
		jnz	short loc_9A3016
		xor	edi, edi
		cmp	[ebp+var_20], ebx
		jbe	short loc_9A3016
		mov	esi, edx
		mov	[ebp+var_20], ebx
		jmp	loc_9A30F3
; 

loc_9A3016:				; CODE XREF: ObShutdownSystem(x)+1EFj
					; ObShutdownSystem(x)+1F6j
		mov	edi, eax
		sub	edi, [ebp+var_2C]
		neg	edi
		sbb	edi, edi
		and	edi, [ebp+var_30]
		jmp	loc_9A30F3
; 

loc_9A3027:				; CODE XREF: ObShutdownSystem(x)+1E8j
		cmp	eax, _ObpTypeObjectType
		jz	loc_9A30F3
		cmp	eax, _ObpDirectoryObjectType
		jz	loc_9A310F
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	esi, [ebp+var_8]
		xor	edx, edx
		lea	ecx, [esi+8]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, esi
		lea	ecx, [esi+8]
		xor	edx, edx
		and	byte ptr [eax+0Fh], 0EFh
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_8]
		mov	esi, [ebp+var_C]
		cmp	dword ptr [eax+4], 0
		mov	ecx, [esi]
		jnz	short loc_9A30EE
		mov	eax, [ecx]
		push	0
		push	ecx
		mov	[esi], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_1C]
		test	byte ptr [ecx+2Ah], 8
		jnz	short loc_9A30A5
		mov	eax, [ebp+var_8]
		xor	edx, edx
		push	edx
		push	edx
		push	dword ptr [ecx+4Ch]
		add	eax, 14h
		push	eax
		push	edx
		push	edx
		push	edx
		push	2
		push	[ebp+var_14]
		call	dword ptr [ecx+6Ch]
		mov	ecx, [ebp+var_1C]

loc_9A30A5:				; CODE XREF: ObShutdownSystem(x)+273j
		cmp	ecx, _ObpSymbolicLinkObjectType
		jnz	short loc_9A30BE
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_20], ebx
		call	ObpDeleteSymbolicLinkName
		mov	esi, [ebp+var_10]
		mov	[ebp+var_C], esi

loc_9A30BE:				; CODE XREF: ObShutdownSystem(x)+297j
		mov	eax, [ebp+var_24]
		push	0
		push	dword ptr [eax+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_24]
		xor	ecx, ecx
		and	[eax], ecx
		and	dword ptr [eax+8], 0
		mov	[eax+4], ecx
		mov	ecx, [ebp+var_14]
		call	ObfDereferenceObject
		mov	ecx, [ebp+var_18]
		call	ObfDereferenceObject
		mov	edx, [ebp+var_10]
		jmp	short loc_9A30F6
; 

loc_9A30EE:				; CODE XREF: ObShutdownSystem(x)+25Ej
		mov	edx, [ebp+var_10]
		mov	esi, ecx

loc_9A30F3:				; CODE XREF: ObShutdownSystem(x)+1FDj
					; ObShutdownSystem(x)+20Ej ...
		mov	[ebp+var_C], esi

loc_9A30F6:				; CODE XREF: ObShutdownSystem(x)+2D8j
		mov	esi, [esi]
		test	esi, esi
		jnz	loc_9A2F99
		mov	eax, [ebp+var_28]

loc_9A3103:				; CODE XREF: ObShutdownSystem(x)+17Fj
		inc	eax
		add	edx, 4
		mov	[ebp+var_10], edx
		jmp	loc_9A2F80
; 

loc_9A310F:				; CODE XREF: ObShutdownSystem(x)+225j
		mov	ecx, [ebp+var_14]
		inc	ebx
		mov	[ebp+var_18], ecx
		jmp	loc_9A2F79
; 

loc_9A311B:				; CODE XREF: ObShutdownSystem(x)+172j
		mov	ecx, [ebp+var_18]
		dec	ebx
		lea	edx, [ecx-18h]
		mov	al, [edx+0Eh]
		test	al, 2
		jz	short loc_9A313A
		movzx	eax, al
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	edx, eax
		jmp	short loc_9A313C
; 

loc_9A313A:				; CODE XREF: ObShutdownSystem(x)+313j
		xor	edx, edx

loc_9A313C:				; CODE XREF: ObShutdownSystem(x)+324j
		mov	edi, ecx
		mov	ecx, [edx]

loc_9A3140:				; CODE XREF: ObShutdownSystem(x)+160j
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jnz	loc_9A2F79

loc_9A314B:				; CODE XREF: ObShutdownSystem(x)+12Bj
					; ObShutdownSystem(x)+14Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ObShutdownSystem@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpShutdownCloseHandleProcedure(x, x, x, x)
_ObpShutdownCloseHandleProcedure@16 proc near ;	DATA XREF: ObShutdownSystem(x)+13Do

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		inc	eax
		mov	esi, [ecx]
		and	esi, 0FFFFFFF8h
		lock xadd [ecx], eax
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+arg_4]
		and	[ebp+arg_4], 0
		add	ecx, 20h
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	short loc_9A3180
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_9A3180:				; CODE XREF: ObpShutdownCloseHandleProcedure(x,x,x,x)+29j
		push	[ebp+arg_8]
		lea	eax, [esi+18h]
		push	eax
		push	offset ??_C@_0CA@HHHJFCFN@?7Found?5object?5?$CFp?$CIhandle?5?$CF08lx?$CJ?6@NNGAKEGL@
		call	_DbgPrint
		mov	eax, [ebp+arg_C]
		add	esp, 0Ch
		inc	dword ptr [eax]
		xor	al, al
		pop	esi
		pop	ebp
		retn	10h
_ObpShutdownCloseHandleProcedure@16 endp


;  S U B	R O U T	I N E 


; __stdcall ObHandleRevocationBlockAddObject(x,	x)
_ObHandleRevocationBlockAddObject@8 proc near ;	CODE XREF: PAGE:008178A6p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	bl, bl
		push	edi
		lea	ecx, [edx-18h]
		call	_OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO@4 ; OBJECT_HEADER_TO_HANDLE_REVOCATION_INFO(x)
		lea	ecx, [esi+0Ch]
		mov	edi, eax
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	ecx, large fs:124h
		mov	bh, al
		dec	word ptr [ecx+13Ch]
		nop
		lea	ecx, [esi+8]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, esi
		lea	ecx, [edi+8]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	short loc_9A31FD
		mov	eax, [esi+4]
		cmp	[eax], esi
		jz	short loc_9A31F1
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9A31F1:				; CODE XREF: ObHandleRevocationBlockAddObject(x,x)+4Aj
		mov	[edi], esi
		mov	bl, 1
		mov	[edi+4], eax
		mov	[eax], edi
		mov	[esi+4], edi

loc_9A31FD:				; CODE XREF: ObHandleRevocationBlockAddObject(x,x)+43j
		xor	edx, edx
		lea	ecx, [esi+8]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	bh, bh
		jz	short loc_9A321F
		test	bl, bl
		jnz	short loc_9A321F
		pop	edi
		lea	ecx, [esi+0Ch]
		pop	esi
		pop	ebx
		jmp	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
; 

loc_9A321F:				; CODE XREF: ObHandleRevocationBlockAddObject(x,x)+6Ej
					; ObHandleRevocationBlockAddObject(x,x)+72j
		pop	edi
		pop	esi
		pop	ebx
		retn
_ObHandleRevocationBlockAddObject@8 endp

; 

; __stdcall ObpHandleRevocationBlockRemoveInsertedObject(x, x, x, x)
_ObpHandleRevocationBlockRemoveInsertedObject@16:
					; CODE XREF: ObpHandleRevocationBlockRemoveObject+134E45p
					; ObRevokeHandles+A6570p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		push	2
		pop	esi
		mov	eax, ebx
		lea	ecx, [edi+8]
		lock cmpxchg [ecx], esi
		cmp	eax, ebx
		jnz	short loc_9A3295
		mov	dl, [ebp+0Ch]
		test	dl, dl
		jnz	short loc_9A3261
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [ebx+8]
		call	ExAcquirePushLockExclusiveEx
		mov	dl, [ebp+0Ch]

loc_9A3261:				; CODE XREF: PAGE:009A3244j
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	short loc_9A329C
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_9A329C
		mov	[eax], ecx
		mov	[ecx+4], eax
		test	dl, dl
		jnz	short loc_9A3287
		xor	edx, edx
		lea	ecx, [ebx+8]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9A3287:				; CODE XREF: PAGE:009A3276j
		lea	ecx, [ebx+0Ch]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	eax, [ebp+8]
		mov	[edi+8], eax

loc_9A3295:				; CODE XREF: PAGE:009A323Dj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_9A329C:				; CODE XREF: PAGE:009A3266j
					; PAGE:009A326Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
; 
		db 3 dup(0CCh)
		db 2 dup(0CCh)
; Exported entry 1633. ObOpenObjectByPointerWithTag

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObOpenObjectByPointerWithTag(x, x, x, x, x,	x, x, x)
		public _ObOpenObjectByPointerWithTag@32
_ObOpenObjectByPointerWithTag@32 proc near ; CODE XREF:	DbgkCaptureLiveKernelDump(x)+19Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_1C]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ObOpenObjectByPointer
		pop	ebp
		retn	20h
_ObOpenObjectByPointerWithTag@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpAuditObjectAccess(x, x, x, x, x)
_ObpAuditObjectAccess@20 proc near	; CODE XREF: ObpReferenceObjectByHandleWithTag+10A7EAp
					; ObReferenceFileObjectForWrite+FD333p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, edx
		push	edi
		mov	[esp+18h+var_8], eax
		cmp	dword ptr [esi+4], 0
		jz	loc_9A33BE
		call	_ExpGetHandleExtraInfo@8 ; ExpGetHandleExtraInfo(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9A33BE
		mov	eax, large fs:124h
		mov	[esp+18h+var_4], eax
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, [ebp+arg_0]
		mov	ecx, esi
		mov	edx, ebx
		call	_ExLockHandleTableEntry@8 ; ExLockHandleTableEntry(x,x)
		test	al, al
		jnz	short loc_9A3321
		xor	bl, bl
		jmp	loc_9A33B1
; 

loc_9A3321:				; CODE XREF: ObpAuditObjectAccess(x,x,x,x,x)+4Fj
		mov	eax, [ebx]
		xor	ecx, ecx
		mov	edx, [ebp+arg_4]
		and	eax, 0FFFFFFF8h
		inc	ecx
		cmp	edx, eax
		jz	short loc_9A3334
		xor	bl, bl
		jmp	short loc_9A3390
; 

loc_9A3334:				; CODE XREF: ObpAuditObjectAccess(x,x,x,x,x)+65j
		mov	eax, [edi]
		mov	ebx, eax
		mov	[esp+18h+var_C], eax
		mov	eax, [ebp+arg_8]
		and	ebx, eax
		jz	short loc_9A338E
		not	eax
		mov	ecx, edx
		and	eax, [esp+18h+var_C]
		mov	[edi], eax
		xor	edi, edi
		call	OBJECT_HEADER_TO_AUDIT_INFO
		test	eax, eax
		jz	short loc_9A335A
		mov	edi, [eax]

loc_9A335A:				; CODE XREF: ObpAuditObjectAccess(x,x,x,x,x)+8Dj
		push	edi
		push	ecx
		mov	eax, edx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edx+0Ch]
		add	edx, 18h
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		push	ebx
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		add	eax, 8
		push	eax
		push	[esp+28h+var_8]
		call	_SeOperationAuditAlarm@28 ; SeOperationAuditAlarm(x,x,x,x,x,x,x)
		xor	ecx, ecx
		inc	ecx

loc_9A338E:				; CODE XREF: ObpAuditObjectAccess(x,x,x,x,x)+78j
		mov	bl, cl

loc_9A3390:				; CODE XREF: ObpAuditObjectAccess(x,x,x,x,x)+69j
		mov	eax, [ebp+arg_0]
		lock xadd [eax], ecx
		and	[esp+18h+var_C], 0
		lea	ecx, [esi+20h]
		xor	edx, edx
		lea	eax, [esp+18h+var_C]
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	short loc_9A33B1
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_9A33B1:				; CODE XREF: ObpAuditObjectAccess(x,x,x,x,x)+53j
					; ObpAuditObjectAccess(x,x,x,x,x)+E1j
		mov	ecx, [esp+18h+var_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	al, bl
		jmp	short loc_9A33C0
; 

loc_9A33BE:				; CODE XREF: ObpAuditObjectAccess(x,x,x,x,x)+1Aj
					; ObpAuditObjectAccess(x,x,x,x,x)+29j
		mov	al, 1

loc_9A33C0:				; CODE XREF: ObpAuditObjectAccess(x,x,x,x,x)+F3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_ObpAuditObjectAccess@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetInformationSymbolicLink(x, x, x, x)
_NtSetInformationSymbolicLink@16 proc near ; DATA XREF:	.text:005812ACo

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	20h
		push	offset dword_6A8C20
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_20], bl
		mov	eax, _ObpSymbolicLinkObjectType
		and	[ebp+var_1C], 0
		push	0
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_20]
		push	eax
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9A3566
		mov	eax, [ebp+arg_4]
		sub	eax, 1
		jz	loc_9A34BD
		sub	eax, 1
		jz	short loc_9A3426
		mov	esi, 0C0000003h
		jmp	loc_9A355E
; 

loc_9A3426:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+51j
		cmp	[ebp+arg_C], 4
		jnz	loc_9A34C3
		push	[ebp+var_20]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_9A3559
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_9A3559
		test	bl, bl
		jz	short loc_9A34A7
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+arg_8]
		test	al, 3
		jnz	loc_9A357A
		lea	edx, [eax+4]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_9A3480
		cmp	edx, eax
		jnb	short loc_9A3483

loc_9A3480:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+B1j
		mov	byte ptr [ecx],	0

loc_9A3483:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+B5j
		mov	ecx, [eax]
		mov	[ebp+var_2C], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9A34AC
; 

loc_9A3491:				; DATA XREF: .text:006A8C40o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A349F:				; DATA XREF: .text:006A8C44o
		mov	esi, [ebp+var_24]
		jmp	loc_9A3530
; 

loc_9A34A7:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+92j
		mov	eax, [ebp+arg_8]
		mov	ecx, [eax]

loc_9A34AC:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+C6j
		mov	eax, [ebp+var_1C]
		or	dword ptr [eax+14h], 8
		mov	[eax+18h], ecx
		xor	esi, esi
		jmp	loc_9A355E
; 

loc_9A34BD:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+48j
		cmp	[ebp+arg_C], 4
		jz	short loc_9A34CD

loc_9A34C3:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+61j
		mov	esi, 0C0000004h
		jmp	loc_9A355E
; 

loc_9A34CD:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+F8j
		push	[ebp+var_20]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	short loc_9A3559
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	short loc_9A3559
		test	bl, bl
		jz	short loc_9A353C
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+arg_8]
		test	al, 3
		jnz	short loc_9A357A
		lea	edx, [eax+4]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_9A350E
		cmp	edx, eax
		jnb	short loc_9A3511

loc_9A350E:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+13Fj
		mov	byte ptr [ecx],	0

loc_9A3511:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+143j
		mov	ecx, [eax]
		mov	[ebp+var_30], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9A3541
; 

loc_9A351F:				; DATA XREF: .text:006A8C34o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A352D:				; DATA XREF: .text:006A8C38o
		mov	esi, [ebp+var_28]

loc_9A3530:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+D9j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9A355E
; 

loc_9A353C:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+127j
		mov	eax, [ebp+arg_8]
		mov	ecx, [eax]

loc_9A3541:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+154j
		mov	edx, [ebp+var_1C]
		mov	eax, [edx+14h]
		or	eax, 1
		mov	[edx+14h], eax
		test	ecx, ecx
		jz	short loc_9A355E
		or	eax, 4
		mov	[edx+14h], eax
		jmp	short loc_9A355E
; 

loc_9A3559:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+7Dj
					; NtSetInformationSymbolicLink(x,x,x,x)+8Aj ...
		mov	esi, 0C0000061h

loc_9A355E:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+58j
					; NtSetInformationSymbolicLink(x,x,x,x)+EFj ...
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject

loc_9A3566:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+3Cj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_9A357A:				; CODE XREF: NtSetInformationSymbolicLink(x,x,x,x)+A0j
					; NtSetInformationSymbolicLink(x,x,x,x)+132j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
_NtSetInformationSymbolicLink@16 endp


;  S U B	R O U T	I N E 


; __stdcall ObDereferenceProcessHandleTable(x)
_ObDereferenceProcessHandleTable@4 proc	near
					; CODE XREF: IoRevokeHandlesForProcess(x,x)+13Fp
					; PAGE:007A944Fp ...
		add	ecx, 0F0h
		jmp	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
_ObDereferenceProcessHandleTable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObGetHandleInformation(x, x, x)
_ObGetHandleInformation@12 proc	near	; CODE XREF: ExpGetHandleInformation(x,x,x)+44p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	eax, eax
		mov	[ebp+var_4], eax
		cmp	edx, 4
		jnb	short loc_9A35A2
		mov	eax, 0C0000004h
		jmp	short locret_9A35C2
; 

loc_9A35A2:				; CODE XREF: ObGetHandleInformation(x,x,x)+Ej
		push	eax
		mov	[ecx], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	edx
		mov	edx, ecx
		mov	ecx, offset _ObpCaptureHandleInformation@24 ; ObpCaptureHandleInformation(x,x,x,x,x,x)
		call	_ExpSnapShotHandleTables@20 ; ExpSnapShotHandleTables(x,x,x,x,x)
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short locret_9A35C2
		mov	ecx, [ebp+var_4]
		mov	[edx], ecx

locret_9A35C2:				; CODE XREF: ObGetHandleInformation(x,x,x)+15j
					; ObGetHandleInformation(x,x,x)+30j
		leave
		retn	4
_ObGetHandleInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObGetHandleInformationEx(x,	x, x)
_ObGetHandleInformationEx@12 proc near	; CODE XREF: ExpGetHandleInformationEx(x,x,x)+44p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		cmp	edx, 8
		jnb	short loc_9A35DC
		mov	eax, 0C0000004h
		jmp	short locret_9A35FE
; 

loc_9A35DC:				; CODE XREF: ObGetHandleInformationEx(x,x,x)+Dj
		and	dword ptr [ecx], 0
		lea	eax, [ebp+var_4]
		push	1
		push	eax
		push	edx
		mov	edx, ecx
		mov	ecx, offset _ObpCaptureHandleInformationEx@24 ;	ObpCaptureHandleInformationEx(x,x,x,x,x,x)
		call	_ExpSnapShotHandleTables@20 ; ExpSnapShotHandleTables(x,x,x,x,x)
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	short locret_9A35FE
		mov	ecx, [ebp+var_4]
		mov	[edx], ecx

locret_9A35FE:				; CODE XREF: ObGetHandleInformationEx(x,x,x)+14j
					; ObGetHandleInformationEx(x,x,x)+31j
		leave
		retn	4
_ObGetHandleInformationEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpCaptureHandleInformation(x, x, x, x, x, x)
_ObpCaptureHandleInformation@24	proc near ; DATA XREF: ObGetHandleInformation(x,x,x)+21o

arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= word ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_14]
		add	dword ptr [eax], 10h
		mov	eax, [eax]
		cmp	eax, 10h
		jnb	short loc_9A361E
		mov	eax, 0C0000095h
		jmp	loc_9A36A6
; 

loc_9A361E:				; CODE XREF: ObpCaptureHandleInformation(x,x,x,x,x,x)+10j
		cmp	[ebp+arg_10], eax
		jnb	short loc_9A362A
		mov	eax, 0C0000004h
		jmp	short loc_9A36A6
; 

loc_9A362A:				; CODE XREF: ObpCaptureHandleInformation(x,x,x,x,x,x)+1Fj
		mov	ax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ecx, [ebx]
		push	7
		pop	edx
		mov	esi, [edi]
		mov	[ecx], ax
		and	esi, 0FFFFFFF8h
		mov	ecx, edi
		call	_ExGetHandleAttributes@8 ; ExGetHandleAttributes(x,x)
		mov	ecx, [ebx]
		mov	[ecx+5], al
		mov	eax, esi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	ecx, [ebx]
		mov	al, [eax+14h]
		mov	[ecx+4], al
		mov	ecx, [ebx]
		mov	ax, [ebp+arg_C]
		mov	[ecx+6], ax
		lea	ecx, [esi+18h]
		mov	eax, [ebx]
		mov	[eax+8], ecx
		xor	ecx, ecx
		mov	eax, [ebx]
		mov	[eax+2], cx
		mov	eax, [ebx]
		mov	ecx, [edi+4]
		and	ecx, 1FFFFFFh
		pop	edi
		mov	[eax+0Ch], ecx
		add	dword ptr [ebx], 10h
		xor	eax, eax
		pop	esi
		pop	ebx

loc_9A36A6:				; CODE XREF: ObpCaptureHandleInformation(x,x,x,x,x,x)+17j
					; ObpCaptureHandleInformation(x,x,x,x,x,x)+26j
		pop	ebp
		retn	18h
_ObpCaptureHandleInformation@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpCaptureHandleInformationEx(x, x,	x, x, x, x)
_ObpCaptureHandleInformationEx@24 proc near ; DATA XREF: ObGetHandleInformationEx(x,x,x)+22o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_14]
		add	dword ptr [eax], 1Ch
		mov	eax, [eax]
		cmp	eax, 1Ch
		jnb	short loc_9A36C6
		mov	eax, 0C0000095h
		jmp	loc_9A374F
; 

loc_9A36C6:				; CODE XREF: ObpCaptureHandleInformationEx(x,x,x,x,x,x)+10j
		cmp	[ebp+arg_10], eax
		jnb	short loc_9A36D2
		mov	eax, 0C0000004h
		jmp	short loc_9A374F
; 

loc_9A36D2:				; CODE XREF: ObpCaptureHandleInformationEx(x,x,x,x,x,x)+1Fj
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ecx, [ebx]
		push	7
		pop	edx
		mov	esi, [edi]
		mov	[ecx+4], eax
		and	esi, 0FFFFFFF8h
		mov	ecx, edi
		call	_ExGetHandleAttributes@8 ; ExGetHandleAttributes(x,x)
		movzx	ecx, al
		mov	eax, [ebx]
		mov	[eax+14h], ecx
		mov	eax, esi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		movzx	ecx, byte ptr [eax+14h]
		mov	eax, [ebx]
		mov	[eax+12h], cx
		mov	ecx, [ebx]
		mov	eax, [ebp+arg_C]
		mov	[ecx+8], eax
		lea	ecx, [esi+18h]
		mov	eax, [ebx]
		mov	[eax], ecx
		xor	ecx, ecx
		mov	eax, [ebx]
		mov	[eax+10h], cx
		mov	eax, [ebx]
		mov	ecx, [edi+4]
		and	ecx, 1FFFFFFh
		pop	edi
		mov	[eax+0Ch], ecx
		add	dword ptr [ebx], 1Ch
		xor	eax, eax
		pop	esi
		pop	ebx

loc_9A374F:				; CODE XREF: ObpCaptureHandleInformationEx(x,x,x,x,x,x)+17j
					; ObpCaptureHandleInformationEx(x,x,x,x,x,x)+26j
		pop	ebp
		retn	18h
_ObpCaptureHandleInformationEx@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpCheckTraverseAccess(x, x, x, x, x, x)
_ObpCheckTraverseAccess@24 proc	near	; CODE XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+7DDp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		lea	edx, [ebp+var_8]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], eax
		mov	byte ptr [ebp+var_C], al
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		lea	eax, [ebp+var_C]
		push	edi
		push	[ebp+arg_8]
		mov	ebx, ds:_ObTypeIndexTable[ecx*4]
		mov	ecx, esi
		push	eax
		call	ObpGetObjectSecurity
		test	eax, eax
		jns	short loc_9A37AB
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		xor	al, al
		jmp	short loc_9A3819
; 

loc_9A37AB:				; CODE XREF: ObpCheckTraverseAccess(x,x,x,x,x,x)+4Dj
		mov	esi, [ebp+arg_0]
		mov	edx, esi
		push	ecx
		mov	ecx, [ebp+var_8]
		push	2
		call	_SeFastTraverseCheck@16	; SeFastTraverseCheck(x,x,x,x)
		test	al, al
		jnz	short loc_9A380A
		lea	edi, [esi+1Ch]
		push	edi
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)
		push	[ebp+arg_C]
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+arg_8]
		lea	eax, [ebx+34h]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	2
		push	1
		push	edi
		push	[ebp+var_8]
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		cmp	[ebp+var_4], 0
		mov	bl, al
		jz	short loc_9A3802
		push	[ebp+var_4]
		push	esi
		call	SeAppendPrivileges
		push	[ebp+var_4]
		call	_SeFreePrivileges@4 ; SeFreePrivileges(x)

loc_9A3802:				; CODE XREF: ObpCheckTraverseAccess(x,x,x,x,x,x)+9Cj
		push	edi
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		jmp	short loc_9A380C
; 

loc_9A380A:				; CODE XREF: ObpCheckTraverseAccess(x,x,x,x,x,x)+6Aj
		mov	bl, 1

loc_9A380C:				; CODE XREF: ObpCheckTraverseAccess(x,x,x,x,x,x)+B5j
		push	[ebp+var_C]
		push	[ebp+var_8]
		call	_ObReleaseObjectSecurity@8 ; ObReleaseObjectSecurity(x,x)
		mov	al, bl

loc_9A3819:				; CODE XREF: ObpCheckTraverseAccess(x,x,x,x,x,x)+56j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_ObpCheckTraverseAccess@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ObpSetObjectAuditInfo(size_t)
_ObpSetObjectAuditInfo@12 proc near	; CODE XREF: PAGE:00817560p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	[ebp+var_4], ebx
		push	dword ptr [edi]
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jnz	short loc_9A3845
		mov	eax, 0C0000079h
		jmp	loc_9A38E4
; 

loc_9A3845:				; CODE XREF: ObpSetObjectAuditInfo(x,x,x)+19j
		mov	ecx, ebx
		call	OBJECT_HEADER_TO_AUDIT_INFO
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9A38E2
		cmp	dword ptr [ebx], 0
		jnz	loc_9A38E2
		cmp	byte ptr [ebp+arg_0], 0
		mov	esi, [edi]
		jz	short loc_9A386C
		and	dword ptr [edi], 0
		jmp	short loc_9A389D
; 

loc_9A386C:				; CODE XREF: ObpSetObjectAuditInfo(x,x,x)+45j
		push	esi
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		push	4941624Fh
		push	eax
		push	1
		mov	[ebp+arg_0], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9A388F
		mov	eax, 0C000009Ah
		jmp	short loc_9A38E4
; 

loc_9A388F:				; CODE XREF: ObpSetObjectAuditInfo(x,x,x)+66j
		push	[ebp+arg_0]	; size_t
		push	dword ptr [edi]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_9A389D:				; CODE XREF: ObpSetObjectAuditInfo(x,x,x)+4Aj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [ebp+var_4]
		xor	edx, edx
		add	edi, 8
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		xor	edx, edx
		mov	ecx, edi
		cmp	[ebx], edx
		jz	short loc_9A38D6
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9A38E2
; 

loc_9A38D6:				; CODE XREF: ObpSetObjectAuditInfo(x,x,x)+A0j
		mov	[ebx], esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9A38E2:				; CODE XREF: ObpSetObjectAuditInfo(x,x,x)+30j
					; ObpSetObjectAuditInfo(x,x,x)+39j ...
		xor	eax, eax

loc_9A38E4:				; CODE XREF: ObpSetObjectAuditInfo(x,x,x)+20j
					; ObpSetObjectAuditInfo(x,x,x)+6Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ObpSetObjectAuditInfo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtWaitForMultipleObjects32(x, x, x,	x, x)
_NtWaitForMultipleObjects32@20 proc near ; DATA	XREF: .text:00580BB4o

var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	124h
		push	offset dword_6A8C88
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_120], eax
		push	100h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		lea	eax, [ebp+var_11C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_12C], ebx
		mov	[ebp+var_128], ebx
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	loc_9A3A24
		cmp	edx, 40h
		ja	loc_9A3A24
		cmp	[ebp+arg_8], 1
		jz	short loc_9A394F
		cmp	[ebp+arg_8], ebx
		jz	short loc_9A394F
		mov	eax, 0C00000F1h
		jmp	loc_9A3A29
; 

loc_9A394F:				; CODE XREF: NtWaitForMultipleObjects32(x,x,x,x,x)+53j
					; NtWaitForMultipleObjects32(x,x,x,x,x)+58j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_124],	al
		mov	[ebp+ms_exc.disabled], ebx
		test	al, al
		jz	short loc_9A39B9
		mov	ecx, [ebp+var_120]
		test	ecx, ecx
		jz	short loc_9A399B
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9A397D
		mov	ecx, eax

loc_9A397D:				; CODE XREF: NtWaitForMultipleObjects32(x,x,x,x,x)+8Ej
		nop
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		mov	[ebp+var_12C], eax
		mov	[ebp+var_128], ecx
		lea	eax, [ebp+var_12C]
		mov	[ebp+var_120], eax

loc_9A399B:				; CODE XREF: NtWaitForMultipleObjects32(x,x,x,x,x)+85j
		mov	eax, edx
		shl	eax, 2
		test	eax, eax
		jz	short loc_9A39B9
		mov	ecx, [ebp+arg_4]
		lea	edi, [eax+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		ja	short loc_9A39B7
		cmp	edi, ecx
		jnb	short loc_9A39B9

loc_9A39B7:				; CODE XREF: NtWaitForMultipleObjects32(x,x,x,x,x)+C6j
		mov	[eax], bl

loc_9A39B9:				; CODE XREF: NtWaitForMultipleObjects32(x,x,x,x,x)+7Bj
					; NtWaitForMultipleObjects32(x,x,x,x,x)+B7j ...
		mov	[ebp+var_130], ebx
		cmp	ebx, edx
		jnb	short loc_9A39D3
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+ebx*4]
		mov	[ebp+ebx*4+var_11C], eax
		inc	ebx
		jmp	short loc_9A39B9
; 

loc_9A39D3:				; CODE XREF: NtWaitForMultipleObjects32(x,x,x,x,x)+D6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	[ebp+var_120]
		push	[ebp+arg_C]
		push	[ebp+var_124]
		push	[ebp+arg_8]
		push	[ebp+var_124]
		lea	eax, [ebp+var_11C]
		push	eax
		push	edx
		call	ObWaitForMultipleObjects
		jmp	short loc_9A3A29
; 

loc_9A3A01:				; DATA XREF: .text:006A8C9Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_134], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A3A12:				; DATA XREF: .text:006A8CA0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_134]
		jmp	short loc_9A3A29
; 

loc_9A3A24:				; CODE XREF: NtWaitForMultipleObjects32(x,x,x,x,x)+40j
					; NtWaitForMultipleObjects32(x,x,x,x,x)+49j
		mov	eax, 0C00000EFh

loc_9A3A29:				; CODE XREF: NtWaitForMultipleObjects32(x,x,x,x,x)+5Fj
					; NtWaitForMultipleObjects32(x,x,x,x,x)+114j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_NtWaitForMultipleObjects32@20 endp


;  S U B	R O U T	I N E 


; __fastcall ObFreeObjectCreateInfoBuffer(x)
@ObFreeObjectCreateInfoBuffer@4	proc near ; CODE XREF: IoCreateStreamFileObjectEx2+143p
		mov	edi, edi
		push	esi
		mov	esi, large fs:20h
		mov	edx, ecx
		mov	ecx, [esi+5C0h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_9A3A79
		inc	dword ptr [ecx+18h]
		mov	ecx, [esi+5C4h]
		mov	ax, [ecx+4]
		inc	dword ptr [ecx+14h]
		cmp	ax, [ecx+8]
		jb	short loc_9A3A79
		inc	dword ptr [ecx+18h]
		push	edx
		call	dword ptr [ecx+2Ch]
		pop	esi
		retn
; 

loc_9A3A79:				; CODE XREF: ObFreeObjectCreateInfoBuffer(x)+1Dj
					; ObFreeObjectCreateInfoBuffer(x)+33j
		pop	esi
		jmp	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
@ObFreeObjectCreateInfoBuffer@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObEnumerateObjectsByType(x,	x, x)
_ObEnumerateObjectsByType@12 proc near	; CODE XREF: IovUnloadDrivers()+28p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	ecx, ds:_IoDriverObjectType
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		call	_ObpCreateTypeArray@4 ;	ObpCreateTypeArray(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_9A3B1E
		mov	ebx, esi
		cmp	[edi], esi
		jbe	short loc_9A3B17
		lea	eax, [edi+4]
		mov	[ebp+var_4], eax

loc_9A3AAF:				; CODE XREF: ObEnumerateObjectsByType(x,x,x)+8Fj
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_9A3B05
		mov	al, [edx+1Eh]
		test	al, 2
		jz	short loc_9A3AD0
		movzx	eax, al
		lea	ecx, [edx+10h]
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	ecx, eax
		jmp	short loc_9A3AD2
; 

loc_9A3AD0:				; CODE XREF: ObEnumerateObjectsByType(x,x,x)+3Bj
		mov	ecx, esi

loc_9A3AD2:				; CODE XREF: ObEnumerateObjectsByType(x,x,x)+4Fj
		test	ecx, ecx
		jz	short loc_9A3AE4
		mov	eax, [ecx+4]
		mov	[ebp+var_C], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_8], eax
		jmp	short loc_9A3AEA
; 

loc_9A3AE4:				; CODE XREF: ObEnumerateObjectsByType(x,x,x)+55j
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi

loc_9A3AEA:				; CODE XREF: ObEnumerateObjectsByType(x,x,x)+63j
		push	esi
		push	dword ptr [edx+10h]
		lea	eax, [ebp+var_C]
		push	dword ptr [edx+14h]
		push	eax
		lea	eax, [edx+28h]
		push	eax
		call	_IovpBuildDriverObjectList@20 ;	IovpBuildDriverObjectList(x,x,x,x,x)
		test	al, al
		jz	short loc_9A3B12
		mov	eax, [ebp+var_4]

loc_9A3B05:				; CODE XREF: ObEnumerateObjectsByType(x,x,x)+34j
		inc	ebx
		add	eax, 4
		mov	[ebp+var_4], eax
		cmp	ebx, [edi]
		jb	short loc_9A3AAF
		jmp	short loc_9A3B17
; 

loc_9A3B12:				; CODE XREF: ObEnumerateObjectsByType(x,x,x)+81j
		mov	esi, 8000001Ah

loc_9A3B17:				; CODE XREF: ObEnumerateObjectsByType(x,x,x)+28j
					; ObEnumerateObjectsByType(x,x,x)+91j
		mov	ecx, edi
		call	_ObpDestroyTypeArray@4 ; ObpDestroyTypeArray(x)

loc_9A3B1E:				; CODE XREF: ObEnumerateObjectsByType(x,x,x)+22j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_ObEnumerateObjectsByType@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObGetObjectInformation(x, x, x, x)
_ObGetObjectInformation@16 proc	near	; CODE XREF: ExpGetObjectInformation(x,x,x)+47p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	68h
		push	offset dword_6A8CA8
		call	__SEH_prolog4
		mov	[ebp+var_40], edx
		mov	[ebp+var_5C], ecx
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	esi, ebx
		mov	[ebp+var_34], esi
		mov	ecx, ebx
		mov	[ebp+var_3C], ecx
		mov	eax, 210h
		mov	[ebp+var_4C], eax
		push	7241624Fh
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_30], edi
		test	edi, edi
		jnz	short loc_9A3B70
		mov	eax, 0C000009Ah
		jmp	loc_9A3FD3
; 

loc_9A3B70:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+3Dj
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], ebx
		and	[ebp+var_44], ebx
		mov	ecx, _ObpTypeObjectType
		call	_ObpCreateTypeArray@4 ;	ObpCreateTypeArray(x)
		mov	[ebp+var_64], eax
		test	eax, eax
		jnz	short loc_9A3BA0
		push	7241624Fh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C0000001h
		jmp	loc_9A3FD3
; 

loc_9A3BA0:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+62j
		xor	ecx, ecx
		mov	[ebp+ms_exc.disabled], ecx
		mov	edx, ecx
		mov	[ebp+var_54], edx

loc_9A3BAA:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+12Aj
		cmp	edx, [eax]
		jnb	loc_9A3FB0
		mov	eax, [eax+edx*4+4]
		test	eax, eax
		jz	loc_9A3C4A
		lea	ecx, [eax+28h]
		mov	[ebp+var_48], ecx
		cmp	ecx, _ObpTypeObjectType
		jz	short loc_9A3C4A
		call	_ObpCreateTypeArray@4 ;	ObpCreateTypeArray(x)
		mov	[ebp+var_3C], eax
		test	eax, eax
		jz	short loc_9A3C47
		mov	[ebp+var_19], 1
		xor	ecx, ecx

loc_9A3BDE:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+484j
		mov	[ebp+var_60], ecx
		cmp	ecx, [eax]
		jnb	short loc_9A3C37
		mov	ecx, [eax+ecx*4+4]
		mov	[ebp+var_68], ecx
		test	ecx, ecx
		jz	loc_9A3FA7
		lea	edx, [ecx+10h]
		mov	[ebp+var_58], edx
		lea	ecx, [edx+18h]
		mov	[ebp+var_50], ecx
		cmp	[ebp+var_19], 0
		jz	loc_9A3CFF
		xor	edx, edx
		mov	[ebp+var_19], dl
		mov	eax, [ebp+var_44]
		test	eax, eax
		jz	short loc_9A3C1D
		cmp	ebx, [ebp+arg_0]
		jnb	short loc_9A3C1D
		mov	[eax], ebx

loc_9A3C1D:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+EDj
					; ObGetObjectInformation(x,x,x,x)+F2j
		mov	edi, [ebp+var_40]
		add	edi, ebx
		mov	[ebp+var_44], edi
		add	ebx, 30h
		mov	[ebp+var_38], ebx
		cmp	ebx, 30h
		jnb	short loc_9A3C56

loc_9A3C30:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+1FBj
					; ObGetObjectInformation(x,x,x,x)+3CEj	...
		mov	[ebp+var_24], 0C0000095h

loc_9A3C37:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+BCj
					; ObGetObjectInformation(x,x,x,x)+13Bj	...
		mov	ecx, [ebp+var_3C]
		call	_ObpDestroyTypeArray@4 ; ObpDestroyTypeArray(x)
		xor	eax, eax
		mov	[ebp+var_3C], eax
		mov	edi, [ebp+var_30]

loc_9A3C47:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+AFj
		mov	edx, [ebp+var_54]

loc_9A3C4A:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+91j
					; ObGetObjectInformation(x,x,x,x)+A3j
		inc	edx
		mov	[ebp+var_54], edx
		mov	eax, [ebp+var_64]
		jmp	loc_9A3BAA
; 

loc_9A3C56:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+107j
		cmp	ebx, [ebp+arg_0]
		jb	short loc_9A3C64

loc_9A3C5B:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+204j
		mov	[ebp+var_24], 0C0000004h
		jmp	short loc_9A3C37
; 

loc_9A3C64:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+132j
		mov	[edi], edx
		mov	edx, [ebp+var_48]
		mov	eax, [edx+18h]
		mov	[edi+4], eax
		mov	eax, [edx+1Ch]
		mov	[edi+8], eax
		movzx	eax, byte ptr [edx+14h]
		mov	[edi+0Ch], eax
		mov	eax, [edx+30h]
		mov	[edi+10h], eax
		lea	esi, [edx+34h]
		add	edi, 14h
		movsd
		movsd
		movsd
		movsd
		mov	eax, [edx+44h]
		mov	edi, [ebp+var_44]
		mov	[edi+24h], eax
		mov	eax, [edx+4Ch]
		mov	[edi+28h], eax
		mov	al, [edx+2Ah]
		shr	al, 3
		and	al, 1
		mov	[edi+2Ch], al
		mov	eax, [ebp+arg_0]
		sub	eax, ebx
		and	[ebp+var_20], 0
		lea	edx, [ebp+var_20]
		push	edx
		push	eax
		lea	edx, [edi+30h]
		call	_ObQueryTypeName@16 ; ObQueryTypeName(x,x,x,x)
		mov	[ebp+var_2C], eax
		mov	ecx, [ebp+var_20]
		add	ecx, 3
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_20], ecx
		test	eax, eax
		js	short loc_9A3CE4
		lea	eax, [ecx-8]
		mov	[edi+32h], ax
		mov	eax, [ebp+var_5C]
		sub	eax, [ebp+var_40]
		add	[edi+34h], eax
		mov	ecx, [ebp+var_20]
		jmp	short loc_9A3CE7
; 

loc_9A3CE4:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+1A6j
		mov	[ebp+var_24], eax

loc_9A3CE7:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+1BBj
		add	ebx, ecx
		mov	[ebp+var_38], ebx
		cmp	ebx, ecx
		jnb	short loc_9A3D08
		mov	[ebp+var_24], 0C0000095h
		mov	esi, [ebp+var_34]
		jmp	loc_9A3C37
; 

loc_9A3CFF:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+DDj
		cmp	ebx, [ebp+arg_0]
		jnb	short loc_9A3D0E
		mov	[esi], ebx
		jmp	short loc_9A3D0E
; 

loc_9A3D08:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+1C7j
		mov	edx, [ebp+var_58]
		mov	ecx, [ebp+var_50]

loc_9A3D0E:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+1DBj
					; ObGetObjectInformation(x,x,x,x)+1DFj
		mov	esi, [ebp+var_40]
		add	esi, ebx
		mov	[ebp+var_34], esi
		mov	[ebp+var_6C], esi
		add	ebx, 28h
		mov	[ebp+var_38], ebx
		cmp	ebx, 28h
		jb	loc_9A3C30
		cmp	ebx, [ebp+arg_0]
		jnb	loc_9A3C5B
		xor	eax, eax
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	ecx, [ebp+var_68]
		mov	eax, [ecx+8]
		mov	[esi+8], eax
		mov	ax, [ecx+0Ch]
		mov	[esi+0Ch], ax
		mov	eax, [edx]
		mov	[esi+10h], eax
		mov	eax, [edx+4]
		mov	[esi+14h], eax
		movzx	eax, byte ptr [edx+0Fh]
		mov	[esi+0Eh], ax
		mov	eax, [edx+14h]
		and	eax, 0FFFFFFF8h
		mov	[esi+24h], eax
		mov	ecx, edx
		call	_OBJECT_HEADER_TO_QUOTA_INFO@4 ; OBJECT_HEADER_TO_QUOTA_INFO(x)
		mov	edi, [ebp+var_48]
		mov	ecx, [edi+50h]
		mov	edi, [edi+54h]
		mov	[ebp+var_68], edi
		test	eax, eax
		mov	edi, [ebp+var_30]
		jz	short loc_9A3D86
		mov	ecx, [eax]
		mov	eax, [eax+4]
		jmp	short loc_9A3D89
; 

loc_9A3D86:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+256j
		mov	eax, [ebp+var_68]

loc_9A3D89:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+25Dj
		mov	[esi+18h], ecx
		mov	[esi+1Ch], eax
		mov	ecx, edx
		call	_OBJECT_HEADER_TO_PROCESS_INFO@4 ; OBJECT_HEADER_TO_PROCESS_INFO(x)
		test	eax, eax
		jz	short loc_9A3DA9
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_9A3DA9
		mov	eax, [eax+0E4h]
		mov	[esi+20h], eax

loc_9A3DA9:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+271j
					; ObGetObjectInformation(x,x,x,x)+277j
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	ecx, eax
		mov	[ebp+var_2C], ecx
		mov	eax, [ebp+var_48]
		cmp	[eax+70h], ecx
		jz	loc_9A3E4C
		cmp	eax, ds:_IoFileObjectType
		jnz	loc_9A3E4C
		lea	edi, [edx+18h]
		mov	eax, [edi+30h]
		mov	edx, [ebp+var_28]
		mov	[edx], eax
		mov	eax, [edi+34h]
		mov	[edx+4], eax
		movzx	eax, word ptr [edx]
		xor	edi, edi
		test	ax, ax
		jz	loc_9A3EDA
		cmp	[edx+4], edi
		jz	loc_9A3EDA
		add	eax, 2
		mov	[ebp+var_20], eax
		mov	ecx, 208h
		cmp	eax, ecx
		jbe	short loc_9A3E0E
		mov	[ebp+var_20], ecx
		lea	eax, [ecx-2]
		mov	[edx], ax
		mov	eax, [ebp+var_20]

loc_9A3E0E:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+2D9j
		lea	esi, [edx+8]
		add	eax, 0FFFFFFFEh
		push	eax		; size_t
		push	dword ptr [edx+4] ; void *
		push	esi		; void *
		call	_memmove
		add	esp, 0Ch
		mov	edx, [ebp+var_28]
		mov	[edx+4], esi
		mov	ax, word ptr [ebp+var_20]
		mov	[edx+2], ax
		movzx	ecx, word ptr [edx]
		shr	ecx, 1
		mov	eax, [edx+4]
		xor	esi, esi
		mov	[eax+ecx*2], si
		add	[ebp+var_20], 8
		mov	esi, [ebp+var_34]
		mov	ecx, [ebp+var_2C]
		jmp	loc_9A3EDA
; 

loc_9A3E4C:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+292j
					; ObGetObjectInformation(x,x,x,x)+29Ej
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_4C]
		push	[ebp+var_28]
		push	[ebp+var_50]
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_2C], ecx
		cmp	ecx, 0C0000004h
		jnz	short loc_9A3ED5
		mov	eax, [ebp+var_20]
		cmp	eax, [ebp+var_4C]
		jbe	short loc_9A3ED5
		lea	ecx, [ebx+eax]
		cmp	ecx, [ebp+arg_0]
		jnb	short loc_9A3ED2
		mov	[ebp+var_58], edi
		push	7241624Fh
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_30], edi
		mov	eax, [ebp+var_58]
		test	edi, edi
		jz	short loc_9A3EC8
		push	7241624Fh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_20]
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_70], ecx
		mov	eax, edi
		mov	[ebp+var_28], eax
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		push	edi
		push	[ebp+var_50]
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		mov	ecx, eax

loc_9A3EC3:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+3A9j
		mov	[ebp+var_2C], ecx
		jmp	short loc_9A3ED5
; 

loc_9A3EC8:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+36Ej
		mov	[ebp+var_30], eax
		mov	ecx, 0C000009Ah
		jmp	short loc_9A3EC3
; 

loc_9A3ED2:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+352j
		mov	ecx, [ebp+var_2C]

loc_9A3ED5:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+342j
					; ObGetObjectInformation(x,x,x,x)+34Aj	...
		xor	edi, edi
		mov	edx, [ebp+var_28]

loc_9A3EDA:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+2BDj
					; ObGetObjectInformation(x,x,x,x)+2C6j	...
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	loc_9A3F7A
		add	eax, 3
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_20], eax
		add	ebx, eax
		mov	[ebp+var_38], ebx
		cmp	ebx, eax
		jb	loc_9A3C30
		test	ecx, ecx
		js	short loc_9A3F54
		movzx	eax, word ptr [edx]
		mov	[ebp+var_68], eax
		test	ax, ax
		jz	short loc_9A3F41
		cmp	ebx, [ebp+arg_0]
		jnb	short loc_9A3F41
		lea	edi, [esi+30h]
		add	eax, 2
		movzx	esi, ax
		mov	eax, [ebp+var_34]
		mov	ecx, [ebp+var_68]
		mov	[eax+28h], cx
		push	esi		; size_t
		push	dword ptr [edx+4] ; void *
		push	edi		; void *
		call	_memmove
		add	esp, 0Ch
		sub	edi, [ebp+var_40]
		add	edi, [ebp+var_5C]
		mov	eax, [ebp+var_34]
		mov	[eax+2Ch], edi
		mov	[eax+2Ah], si
		jmp	short loc_9A3FA1
; 

loc_9A3F41:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+3E1j
					; ObGetObjectInformation(x,x,x,x)+3E6j
		test	ecx, ecx
		js	short loc_9A3F54
		xor	eax, eax
		cmp	[edx], ax
		jnz	short loc_9A3F8E
		cmp	ebx, [ebp+arg_0]
		jnb	short loc_9A3F8E
		push	eax
		jmp	short loc_9A3F98
; 

loc_9A3F54:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+3D6j
					; ObGetObjectInformation(x,x,x,x)+41Cj
		add	ebx, 8
		mov	[ebp+var_38], ebx
		cmp	ebx, 8
		jb	loc_9A3C30
		cmp	ebx, [ebp+arg_0]
		jnb	short loc_9A3F8E
		push	edi
		lea	eax, [esi+28h]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_24], eax
		jmp	short loc_9A3FA1
; 

loc_9A3F7A:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+3B8j
		add	ebx, 8
		mov	[ebp+var_38], ebx
		cmp	ebx, 8
		jb	loc_9A3C30
		cmp	ebx, [ebp+arg_0]
		jb	short loc_9A3F97

loc_9A3F8E:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+423j
					; ObGetObjectInformation(x,x,x,x)+428j	...
		mov	[ebp+var_24], 0C0000004h
		jmp	short loc_9A3FA1
; 

loc_9A3F97:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+465j
		push	edi

loc_9A3F98:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+42Bj
		lea	eax, [esi+28h]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_9A3FA1:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+418j
					; ObGetObjectInformation(x,x,x,x)+451j	...
		mov	esi, [ebp+var_34]
		mov	eax, [ebp+var_3C]

loc_9A3FA7:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+C7j
		mov	ecx, [ebp+var_60]
		inc	ecx
		jmp	loc_9A3BDE
; 

loc_9A3FB0:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+85j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_9A3FB9
		mov	[eax], ebx

loc_9A3FB9:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+48Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_9A3FE8
		cmp	[ebp+var_44], 0
		mov	eax, 0C0000001h
		jz	short loc_9A3FD3
		mov	eax, [ebp+var_24]

loc_9A3FD3:				; CODE XREF: ObGetObjectInformation(x,x,x,x)+44j
					; ObGetObjectInformation(x,x,x,x)+74j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_ObGetObjectInformation@16 endp


;  S U B	R O U T	I N E 


sub_9A3FE5	proc near		; DATA XREF: .text:006A8CC0o
		mov	edi, [ebp-30h]
sub_9A3FE5	endp


;  S U B	R O U T	I N E 


sub_9A3FE8	proc near		; CODE XREF: ObGetObjectInformation(x,x,x,x)+499p
		mov	ecx, [ebp-3Ch]
		test	ecx, ecx
		jz	short loc_9A3FF4
		call	_ObpDestroyTypeArray@4 ; ObpDestroyTypeArray(x)

loc_9A3FF4:				; CODE XREF: sub_9A3FE8+5j
		mov	ecx, [ebp-64h]
		call	_ObpDestroyTypeArray@4 ; ObpDestroyTypeArray(x)
		push	7241624Fh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
sub_9A3FE8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpCreateTypeArray(x)
_ObpCreateTypeArray@4 proc near		; CODE XREF: ObEnumerateObjectsByType(x,x,x)+19p
					; ObGetObjectInformation(x,x,x,x)+58p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Eh]
		mov	edi, ecx
		nop
		lea	eax, [edi+80h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi]
		xor	ebx, ebx
		xor	esi, esi
		cmp	eax, edi
		jz	short loc_9A408C

loc_9A403E:				; CODE XREF: ObpCreateTypeArray(x)+3Bj
		mov	eax, [eax]
		inc	esi
		cmp	eax, edi
		jnz	short loc_9A403E
		test	esi, esi
		jz	short loc_9A408C
		push	7241624Fh
		lea	eax, ds:4[esi*4]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_9A4089
		mov	[eax], esi
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_9A4089
		lea	ebx, [eax+4]

loc_9A406F:				; CODE XREF: ObpCreateTypeArray(x)+7Fj
		lea	ecx, [esi+28h]
		mov	[ebx], esi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		test	al, al
		jnz	short loc_9A4080
		and	dword ptr [ebx], 0

loc_9A4080:				; CODE XREF: ObpCreateTypeArray(x)+73j
		mov	esi, [esi]
		add	ebx, 4
		cmp	esi, edi
		jnz	short loc_9A406F

loc_9A4089:				; CODE XREF: ObpCreateTypeArray(x)+5Aj
					; ObpCreateTypeArray(x)+62j
		mov	ebx, [ebp+var_4]

loc_9A408C:				; CODE XREF: ObpCreateTypeArray(x)+34j
					; ObpCreateTypeArray(x)+3Fj
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_ObpCreateTypeArray@4 endp


;  S U B	R O U T	I N E 


; __stdcall ObpDestroyTypeArray(x)
_ObpDestroyTypeArray@4 proc near	; CODE XREF: ObEnumerateObjectsByType(x,x,x)+9Ap
					; ObGetObjectInformation(x,x,x,x)+113p	...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	short loc_9A40DE
		xor	edi, edi
		cmp	[esi], edi
		jbe	short loc_9A40D3
		lea	ebx, [esi+4]

loc_9A40BD:				; CODE XREF: ObpDestroyTypeArray(x)+28j
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	short loc_9A40CB
		add	ecx, 28h
		call	ObfDereferenceObject

loc_9A40CB:				; CODE XREF: ObpDestroyTypeArray(x)+18j
		inc	edi
		add	ebx, 4
		cmp	edi, [esi]
		jb	short loc_9A40BD

loc_9A40D3:				; CODE XREF: ObpDestroyTypeArray(x)+Fj
		push	7241624Fh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A40DE:				; CODE XREF: ObpDestroyTypeArray(x)+9j
		pop	edi
		pop	esi
		pop	ebx
		retn
_ObpDestroyTypeArray@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1622. ObGetFilterVersion

;  S U B	R O U T	I N E 


; __stdcall ObGetFilterVersion()
		public _ObGetFilterVersion@0
_ObGetFilterVersion@0 proc near
		mov	eax, 100h
		retn
_ObGetFilterVersion@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpCallPostOperationCallbacks(x, x)
_ObpCallPostOperationCallbacks@8 proc near ; CODE XREF:	ObpCallPreOperationCallbacks+F47BBp
					; ObpPostInterceptHandleCreate(x,x,x,x,x)+63p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx

loc_9A40FB:				; CODE XREF: ObpCallPostOperationCallbacks(x,x)+4Bj
		cmp	[edi], edi
		jz	short loc_9A413F
		mov	ebx, [edi+4]
		cmp	[ebx], edi
		jnz	short loc_9A413A
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	short loc_9A413A
		mov	[edi+4], eax
		mov	[eax], edi
		mov	esi, [ebx+8]
		mov	eax, [ebx+0Ch]
		mov	[ecx+10h], eax
		push	ecx
		mov	eax, [esi+10h]
		push	dword ptr [eax+4]
		call	dword ptr [esi+1Ch]
		lea	ecx, [esi+20h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_4]
		jmp	short loc_9A40FB
; 

loc_9A413A:				; CODE XREF: ObpCallPostOperationCallbacks(x,x)+17j
					; ObpCallPostOperationCallbacks(x,x)+1Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9A413F:				; CODE XREF: ObpCallPostOperationCallbacks(x,x)+10j
		mov	ecx, [ecx+8]
		mov	edx, 6243624Fh
		call	ObfDereferenceObjectWithTag
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
_ObpCallPostOperationCallbacks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpPostInterceptHandleCreate(x, x, x, x, x)
_ObpPostInterceptHandleCreate@20 proc near ; CODE XREF:	PAGE:00817914p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], eax
		push	esi
		movzx	eax, dl
		xor	esi, esi
		xor	eax, esi
		mov	edx, [ebp+arg_8]
		and	eax, 1
		mov	[ebp+var_18], ecx
		xor	esi, eax
		mov	[ebp+var_20], 1
		push	edi
		lea	edi, [ecx-18h]
		mov	[ebp+var_1C], esi
		mov	eax, edi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4], eax
		call	_ObpCallPostOperationCallbacks@8 ; ObpCallPostOperationCallbacks(x,x)
		pop	edi
		xor	eax, eax
		pop	esi
		leave
		retn	0Ch
_ObpPostInterceptHandleCreate@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpPostInterceptHandleDuplicate(x, x, x, x,	x)
_ObpPostInterceptHandleDuplicate@20 proc near ;	CODE XREF: ObDuplicateObject+2EEp
					; ObCompleteObjectDuplication+144735p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_8], eax
		xor	esi, esi
		movzx	eax, dl
		xor	eax, esi
		mov	edx, [ebp+arg_8]
		and	eax, 1
		mov	[ebp+var_10], esi
		xor	esi, eax
		mov	[ebp+var_20], 2
		push	edi
		lea	edi, [ecx-18h]
		mov	[ebp+var_1C], esi
		mov	eax, edi
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [edi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_4], eax
		call	_ObpCallPostOperationCallbacks@8 ; ObpCallPostOperationCallbacks(x,x)
		pop	edi
		xor	eax, eax
		pop	esi
		leave
		retn	0Ch
_ObpPostInterceptHandleDuplicate@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObQueryTypeName(x, x, x, x)
_ObQueryTypeName@16 proc near		; CODE XREF: ObGetObjectInformation(x,x,x,x)+190p
					; SepQueryTypeString(x,x)+24p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	10h
		push	offset dword_6A8CC8
		call	__SEH_prolog4
		mov	edi, edx
		lea	eax, [ecx-18h]
		shr	eax, 8
		movzx	esi, al
		movzx	eax, byte ptr [ecx-0Ch]
		xor	esi, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	esi, eax
		mov	edx, ds:_ObTypeIndexTable[esi*4]
		movzx	eax, word ptr [edx+8]
		mov	ecx, eax
		mov	[ebp+var_1C], ecx
		mov	ebx, eax
		lea	ecx, [ebx+0Ah]
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+arg_0], ecx
		jnb	short loc_9A428E
		mov	eax, 0C0000004h
		jmp	short loc_9A42F1
; 

loc_9A428E:				; CODE XREF: ObQueryTypeName(x,x,x,x)+4Ej
		lea	esi, [edi-2]
		mov	[ebp+ms_exc.disabled], 1
		add	esi, ecx
		xor	eax, eax
		mov	[esi], ax
		movzx	eax, word ptr [edx+8]
		sub	esi, eax
		push	eax		; size_t
		push	dword ptr [edx+0Ch] ; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_1C]
		mov	[edi], ax
		lea	eax, [ebx+2]
		mov	[edi+2], ax
		mov	[edi+4], esi
		jmp	short loc_9A42CB
; 

loc_9A42C4:				; DATA XREF: .text:006A8CE8o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A42C8:				; DATA XREF: .text:006A8CECo
		mov	esp, [ebp+ms_exc.old_esp]

loc_9A42CB:				; CODE XREF: ObQueryTypeName(x,x,x,x)+8Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_9A42F1
; 

loc_9A42D6:				; DATA XREF: .text:006A8CDCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A42E4:				; DATA XREF: .text:006A8CE0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]

loc_9A42F1:				; CODE XREF: ObQueryTypeName(x,x,x,x)+55j
					; ObQueryTypeName(x,x,x,x)+9Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_ObQueryTypeName@16 endp


;  S U B	R O U T	I N E 


; __stdcall ObDisableEtwReferenceTrace()
_ObDisableEtwReferenceTrace@0 proc near	; CODE XREF: EtwpDisableKernelTrace:loc_7E3AB7p
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Eh]
		nop
		mov	esi, offset _ObpStackTraceLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		and	ds:_ObpTraceFlags, 0FFFFFFFBh
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A433B
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A433B:				; CODE XREF: ObDisableEtwReferenceTrace()+2Fj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	esi
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
_ObDisableEtwReferenceTrace@0 endp


;  S U B	R O U T	I N E 


; __stdcall ObEnableEtwReferenceTrace()
_ObEnableEtwReferenceTrace@0 proc near	; CODE XREF: EtwpEnableKernelTrace:loc_90D26Ap
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Eh]
		nop
		mov	esi, offset _ObpStackTraceLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		or	ds:_ObpTraceFlags, 4
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A4387
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A4387:				; CODE XREF: ObEnableEtwReferenceTrace()+2Fj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	esi
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
_ObEnableEtwReferenceTrace@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObQueryRefTraceInformation(x, x, x)
_ObQueryRefTraceInformation@12 proc near ; CODE	XREF: PAGE:00780B77p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	34h
		push	offset dword_6A8CF0
		call	__SEH_prolog4
		mov	[ebp+var_28], edx
		mov	edi, ecx
		mov	[ebp+var_2C], edi
		xor	ebx, ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+ms_exc.disabled], ebx
		test	al, al
		jz	short loc_9A43CD
		push	4
		push	edx
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_9A43CD:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+27j
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		mov	[ebp+var_20], 14h
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset _ObpStackTraceLock
		call	ExAcquirePushLockExclusiveEx
		mov	edx, ds:_ObpTraceFlags
		test	dl, 2
		jnz	short loc_9A4433
		cmp	[ebp+var_28], 14h
		jnb	short loc_9A440F

loc_9A4405:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+E5j
		mov	ebx, 0C0000004h
		jmp	loc_9A458C
; 

loc_9A440F:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+68j
		mov	[ebp+ms_exc.disabled], 1
		mov	[edi], bl
		jmp	loc_9A4589
; 

loc_9A441D:				; DATA XREF: .text:006A8D10o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A442B:				; DATA XREF: .text:006A8D14o
		mov	ebx, [ebp+var_34]
		jmp	loc_9A4583
; 

loc_9A4433:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+62j
		mov	ecx, ebx
		mov	[ebp+var_1C], ecx
		mov	eax, edx
		and	eax, 20h
		mov	[ebp+var_38], eax
		jz	short loc_9A444F
		movzx	eax, word ptr _ObpRuntimeTraceProcessName
		add	eax, 16h
		mov	[ebp+var_20], eax

loc_9A444F:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+A5j
		test	dl, 10h
		jz	short loc_9A447A

loc_9A4454:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+CFj
		cmp	cx, 10h
		jnb	short loc_9A446C
		movzx	eax, cx
		cmp	_ObpRuntimeTracePoolTags[eax*4], ebx
		jz	short loc_9A446C
		inc	ecx
		mov	[ebp+var_1C], ecx
		jmp	short loc_9A4454
; 

loc_9A446C:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+BDj
					; ObQueryRefTraceInformation(x,x,x)+C9j
		test	cx, cx
		jz	short loc_9A447A
		movzx	eax, cx
		imul	eax, 0Ah
		add	[ebp+var_20], eax

loc_9A447A:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+B7j
					; ObQueryRefTraceInformation(x,x,x)+D4j
		mov	eax, [ebp+var_28]
		cmp	[ebp+var_20], eax
		ja	short loc_9A4405
		mov	edx, [ebp+var_2C]
		mov	[ebp+ms_exc.disabled], 2
		xor	eax, eax
		mov	edi, edx
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	byte ptr [edx],	1
		mov	eax, ds:_ObpTraceFlags
		shr	eax, 6
		and	al, 1
		mov	[edx+1], al
		lea	edi, [edx+14h]
		cmp	[ebp+var_38], 0
		jz	short loc_9A44EE
		mov	ax, word ptr _ObpRuntimeTraceProcessName
		mov	[edx+4], ax
		mov	ax, word ptr _ObpRuntimeTraceProcessName+2
		mov	[edx+6], ax
		mov	[edx+8], edi
		movzx	eax, word ptr _ObpRuntimeTraceProcessName+2
		push	eax		; size_t
		push	dword_6C42CC	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		movzx	eax, word ptr _ObpRuntimeTraceProcessName+2
		shr	eax, 1
		lea	edi, [edi+eax*2]
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_1C]

loc_9A44EE:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+111j
		test	byte ptr ds:_ObpTraceFlags, 10h
		jz	loc_9A4589
		imul	ecx, 0Ah
		lea	eax, [ecx-2]
		movzx	eax, ax
		mov	[edx+0Ch], ax
		mov	[edx+0Eh], cx
		mov	[edx+10h], edi
		mov	ecx, ebx

loc_9A4511:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+1C6j
		mov	edx, [ebp+var_1C]
		mov	[ebp+var_24], ecx
		movzx	eax, dx
		cmp	ecx, eax
		jnb	short loc_9A4563
		mov	eax, ebx
		mov	[ebp+var_30], eax

loc_9A4523:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+1B9j
		imul	edx, ecx, 5
		add	edx, eax
		mov	[ebp+var_2C], edx
		cmp	eax, 4
		jnb	short loc_9A4556
		mov	ecx, eax
		shl	ecx, 3
		mov	eax, [ebp+var_24]
		mov	eax, _ObpRuntimeTracePoolTags[eax*4]
		shr	eax, cl
		movzx	eax, al
		mov	ecx, edx
		mov	[edi+ecx*2], ax
		mov	eax, [ebp+var_30]
		inc	eax
		mov	[ebp+var_30], eax
		mov	ecx, [ebp+var_24]
		jmp	short loc_9A4523
; 

loc_9A4556:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+193j
		mov	eax, [ebp+var_2C]
		push	3Bh
		pop	edx
		mov	[edi+eax*2], dx
		inc	ecx
		jmp	short loc_9A4511
; 

loc_9A4563:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+181j
		movzx	eax, dx
		imul	eax, 0Ah
		xor	ecx, ecx
		mov	[eax+edi-2], cx
		jmp	short loc_9A4589
; 

loc_9A4572:				; DATA XREF: .text:006A8D1Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A4580:				; DATA XREF: .text:006A8D20o
		mov	ebx, [ebp+var_3C]

loc_9A4583:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+93j
		mov	esp, [ebp+ms_exc.old_esp]
		push	0FFFFFFFEh
		pop	esi

loc_9A4589:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+7Dj
					; ObQueryRefTraceInformation(x,x,x)+15Aj ...
		mov	[ebp+ms_exc.disabled], esi

loc_9A458C:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+6Fj
		mov	edi, offset _ObpStackTraceLock
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A45A5
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A45A5:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+201j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	ebx, ebx
		jns	short loc_9A45C4
		cmp	ebx, 0C0000004h
		jnz	short loc_9A45F7

loc_9A45C4:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+21Fj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_9A45F7
		mov	[ebp+ms_exc.disabled], 3
		mov	eax, [ebp+var_20]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_9A45F7
; 

loc_9A45DC:				; DATA XREF: .text:006A8D28o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_40], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A45EA:				; DATA XREF: .text:006A8D2Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_40]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9A45F7:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+227j
					; ObQueryRefTraceInformation(x,x,x)+22Ej ...
		mov	eax, ebx
		jmp	short loc_9A4616
; 

loc_9A45FB:				; DATA XREF: .text:006A8D04o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_44], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A4609:				; DATA XREF: .text:006A8D08o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_44]

loc_9A4616:				; CODE XREF: ObQueryRefTraceInformation(x,x,x)+25Ej
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ObQueryRefTraceInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObSetRefTraceInformation(x,	x)
_ObSetRefTraceInformation@8 proc near	; CODE XREF: PAGE:007B408Fp

var_24		= dword	ptr -24h
var_1E		= dword	ptr -1Eh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

		push	18h
		push	offset dword_6A8D30
		call	__SEH_prolog4
		mov	esi, edx
		mov	ebx, ecx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_1E], al
		push	[ebp+var_1E]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_9A4669
		mov	eax, 0C0000022h
		jmp	short loc_9A46D7
; 

loc_9A4669:				; CODE XREF: ObSetRefTraceInformation(x,x)+38j
		cmp	esi, 14h
		jnb	short loc_9A4675
		mov	eax, 0C000000Dh
		jmp	short loc_9A46D7
; 

loc_9A4675:				; CODE XREF: ObSetRefTraceInformation(x,x)+44j
		and	[ebp+ms_exc.disabled], 0
		cmp	[ebp+var_19], 0
		jz	short loc_9A469C
		test	bl, 3
		jz	short loc_9A4689
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9A4689:				; CODE XREF: ObSetRefTraceInformation(x,x)+5Aj
		lea	ecx, [ebx+esi]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_9A4699
		cmp	ecx, ebx
		jnb	short loc_9A469C

loc_9A4699:				; CODE XREF: ObSetRefTraceInformation(x,x)+6Bj
		mov	byte ptr [eax],	0

loc_9A469C:				; CODE XREF: ObSetRefTraceInformation(x,x)+55j
					; ObSetRefTraceInformation(x,x)+6Fj
		mov	al, [ebx]
		mov	[ebp+var_1A], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	al, al
		jz	short loc_9A46B5
		mov	ecx, ebx
		call	_ObpStartRuntimeStackTrace@4 ; ObpStartRuntimeStackTrace(x)
		jmp	short loc_9A46D7
; 

loc_9A46B5:				; CODE XREF: ObSetRefTraceInformation(x,x)+82j
		call	_ObpStopRuntimeStackTrace@0 ; ObpStopRuntimeStackTrace()
		jmp	short loc_9A46D7
; 

loc_9A46BC:				; DATA XREF: .text:006A8D44o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A46CA:				; DATA XREF: .text:006A8D48o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]

loc_9A46D7:				; CODE XREF: ObSetRefTraceInformation(x,x)+3Fj
					; ObSetRefTraceInformation(x,x)+4Bj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ObSetRefTraceInformation@8 endp


;  S U B	R O U T	I N E 


; __stdcall ObpDeregisterObject(x)
_ObpDeregisterObject@4 proc near	; CODE XREF: ObfDereferenceObject+A1p
					; ObfDereferenceObjectWithTag+B7p ...
		test	byte ptr ds:dword_70EFD0, 80h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		jz	short loc_9A4701
		mov	edx, edi
		mov	ecx, 1131h
		call	_EtwTraceObject@8 ; EtwTraceObject(x,x)

loc_9A4701:				; CODE XREF: ObpDeregisterObject(x)+Cj
		mov	al, [edi+0Dh]
		and	al, 3
		cmp	al, 1
		jnz	loc_9A47D7
		mov	eax, large fs:124h
		xor	ebx, ebx
		dec	word ptr [eax+13Eh]
		nop
		mov	esi, offset _ObpStackTraceLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		test	byte ptr ds:_ObpTraceFlags, 73h
		jnz	short loc_9A475F
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A4749
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A4749:				; CODE XREF: ObpDeregisterObject(x)+59j
		mov	ecx, esi

loc_9A474B:				; CODE XREF: ObpDeregisterObject(x)+10Fj
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
; 

loc_9A475F:				; CODE XREF: ObpDeregisterObject(x)+4Cj
		lea	eax, [edi+18h]
		xor	edx, edx
		shr	eax, 4
		mov	ecx, 191h
		and	eax, 0FFFFFh
		div	ecx
		mov	ecx, _ObpObjectTable
		mov	esi, [ecx+edx*4]
		test	esi, esi
		jz	short loc_9A47DB

loc_9A4780:				; CODE XREF: ObpDeregisterObject(x)+A4j
		cmp	[esi], edi
		jz	short loc_9A478D
		mov	ebx, esi
		mov	esi, [esi+4]
		test	esi, esi
		jnz	short loc_9A4780

loc_9A478D:				; CODE XREF: ObpDeregisterObject(x)+9Bj
		test	esi, esi
		jz	short loc_9A47DB
		mov	eax, [esi+4]
		test	ebx, ebx
		jz	short loc_9A479D
		mov	[ebx+4], eax
		jmp	short loc_9A47A0
; 

loc_9A479D:				; CODE XREF: ObpDeregisterObject(x)+AFj
		mov	[ecx+edx*4], eax

loc_9A47A0:				; CODE XREF: ObpDeregisterObject(x)+B4j
		or	eax, 0FFFFFFFFh
		mov	edi, offset _ObpStackTraceLock
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A47B9
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A47B9:				; CODE XREF: ObpDeregisterObject(x)+C9j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		push	7452624Fh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A47D7:				; CODE XREF: ObpDeregisterObject(x)+21j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_9A47DB:				; CODE XREF: ObpDeregisterObject(x)+97j
					; ObpDeregisterObject(x)+A8j
		or	eax, 0FFFFFFFFh
		mov	edi, offset _ObpStackTraceLock
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A47F4
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A47F4:				; CODE XREF: ObpDeregisterObject(x)+104j
		mov	ecx, edi
		jmp	loc_9A474B
_ObpDeregisterObject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpDestroyStackAndObjectTables(x, x, x)
_ObpDestroyStackAndObjectTables@12 proc	near ; CODE XREF: ObpStopRuntimeStackTrace()+17Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		mov	edi, ecx
		mov	ecx, 191h
		mov	[ebp+var_8], eax
		mov	ebx, eax
		mov	[ebp+var_4], ecx

loc_9A4816:				; CODE XREF: ObpDestroyStackAndObjectTables(x,x,x)+41j
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_9A4833

loc_9A481C:				; CODE XREF: ObpDestroyStackAndObjectTables(x,x,x)+33j
		mov	esi, [eax+4]
		push	7452624Fh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_9A481C
		mov	ecx, [ebp+var_4]

loc_9A4833:				; CODE XREF: ObpDestroyStackAndObjectTables(x,x,x)+1Fj
		add	ebx, 4
		sub	ecx, 1
		mov	[ebp+var_4], ecx
		jnz	short loc_9A4816
		push	7452624Fh
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ax, [edi+2]
		mov	ecx, 0FC00h
		and	ax, cx
		xor	esi, esi
		xor	ecx, ecx
		mov	ebx, 7452624Fh
		cmp	cx, ax
		jnb	short loc_9A4880

loc_9A4865:				; CODE XREF: ObpDestroyStackAndObjectTables(x,x,x)+83j
		movzx	eax, si
		push	ebx
		push	dword ptr [edi+eax*4+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ax, [edi+2]
		inc	esi
		shr	ax, 0Ah
		cmp	si, ax
		jb	short loc_9A4865

loc_9A4880:				; CODE XREF: ObpDestroyStackAndObjectTables(x,x,x)+68j
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+arg_0]
		jmp	short loc_9A4897
; 

loc_9A488C:				; CODE XREF: ObpDestroyStackAndObjectTables(x,x,x)+9Ej
		mov	eax, esi
		mov	esi, [esi]
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A4897:				; CODE XREF: ObpDestroyStackAndObjectTables(x,x,x)+8Fj
		test	esi, esi
		jnz	short loc_9A488C
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ObpDestroyStackAndObjectTables@12 endp


;  S U B	R O U T	I N E 


; __stdcall ObpFreeWorkItemBlock(x)
_ObpFreeWorkItemBlock@4	proc near	; CODE XREF: ObpPushStackInfoQueue(x)+32p
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Eh]
		nop
		mov	edi, offset _ObpStackTraceLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		test	byte ptr ds:_ObpTraceFlags, 73h
		jz	short loc_9A48E7
		mov	eax, 1F4h
		cmp	word ptr dword_6C438C, ax
		jnb	short loc_9A48E7
		mov	edx, esi
		mov	ecx, offset _ObpWorkItemFreeList
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		jmp	short loc_9A48F2
; 

loc_9A48E7:				; CODE XREF: ObpFreeWorkItemBlock(x)+27j
					; ObpFreeWorkItemBlock(x)+35j
		push	7452624Fh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A48F2:				; CODE XREF: ObpFreeWorkItemBlock(x)+43j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A4906
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A4906:				; CODE XREF: ObpFreeWorkItemBlock(x)+5Bj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
_ObpFreeWorkItemBlock@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpGetObjectRefInfo(x, x)
_ObpGetObjectRefInfo@8 proc near	; CODE XREF: ObpPushRefDerefInfo(x,x,x,x,x,x)+42p
					; ObpRegisterObject(x)+8Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		lea	eax, [ecx+18h]
		mov	[ebp+var_8], edx
		shr	eax, 4
		xor	edx, edx
		push	esi
		and	eax, 0FFFFFh
		mov	esi, 191h
		div	esi
		mov	eax, _ObpObjectTable
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_4], edx
		mov	esi, [eax+edx*4]
		test	esi, esi
		jz	loc_9A49D1

loc_9A4951:				; CODE XREF: ObpGetObjectRefInfo(x,x)+41j
		cmp	[esi], ecx
		jz	short loc_9A495E
		mov	ebx, esi
		mov	esi, [esi+4]
		test	esi, esi
		jnz	short loc_9A4951

loc_9A495E:				; CODE XREF: ObpGetObjectRefInfo(x,x)+38j
		test	esi, esi
		jz	short loc_9A49D1
		movzx	eax, word ptr [esi+1Ah]
		cmp	[esi+18h], ax
		jnz	short loc_9A49D1
		imul	eax, 0Ch
		push	7452624Fh
		add	eax, 181Ch
		push	eax
		mov	eax, 200h
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9A4992
		mov	eax, 0C0000017h
		jmp	short loc_9A49D8
; 

loc_9A4992:				; CODE XREF: ObpGetObjectRefInfo(x,x)+6Ej
		movzx	eax, word ptr [esi+18h]
		imul	eax, 0Ch
		add	eax, 1Ch
		push	eax		; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, 200h
		add	esp, 0Ch
		add	[edi+1Ah], ax
		test	ebx, ebx
		jz	short loc_9A49B9
		mov	[ebx+4], edi
		jmp	short loc_9A49C4
; 

loc_9A49B9:				; CODE XREF: ObpGetObjectRefInfo(x,x)+97j
		mov	eax, _ObpObjectTable
		mov	ecx, [ebp+var_4]
		mov	[eax+ecx*4], edi

loc_9A49C4:				; CODE XREF: ObpGetObjectRefInfo(x,x)+9Cj
		push	7452624Fh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, edi

loc_9A49D1:				; CODE XREF: ObpGetObjectRefInfo(x,x)+30j
					; ObpGetObjectRefInfo(x,x)+45j	...
		mov	eax, [ebp+var_8]
		mov	[eax], esi
		xor	eax, eax

loc_9A49D8:				; CODE XREF: ObpGetObjectRefInfo(x,x)+75j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ObpGetObjectRefInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ObpGetTraceIndex(void *Source2)
_ObpGetTraceIndex@4 proc near		; CODE XREF: ObpPushRefDerefInfo(x,x,x,x,x,x)+5Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		mov	[ebp+var_10], edi
		mov	esi, eax

loc_9A49F1:				; CODE XREF: ObpGetTraceIndex(x)+27j
		movzx	edx, word ptr [edi+esi*2+2]
		movzx	ecx, word ptr [edi+esi*2]
		add	esi, 2
		xor	edx, ecx
		add	eax, edx
		cmp	esi, 20h
		jb	short loc_9A49F1
		xor	edx, edx
		mov	ecx, 3FFDh
		div	ecx
		movzx	ecx, dx
		mov	edx, _ObpStackTable
		movzx	esi, cx
		movzx	eax, cx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], eax
		movzx	ebx, word ptr [edx+esi*2+44h]
		mov	[ebp+var_C], edx
		jmp	short loc_9A4A79
; 

loc_9A4A2E:				; CODE XREF: ObpGetTraceIndex(x)+A4j
		movzx	ecx, bx
		mov	eax, ecx
		and	ecx, 3FFh
		shr	eax, 0Ah
		push	40h		; Length
		shl	ecx, 6
		push	edi		; Source2
		add	ecx, [edx+eax*4+4]
		push	ecx		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 40h
		jz	short loc_9A4A85
		xor	edx, edx
		lea	eax, [esi+1]
		mov	ecx, 3FFDh
		div	ecx
		movzx	ecx, dx
		mov	[ebp+var_4], ecx
		cmp	cx, word ptr [ebp+var_8]
		jz	short loc_9A4AB8
		mov	eax, _ObpStackTable
		mov	edx, [ebp+var_C]
		movzx	esi, cx
		movzx	ebx, word ptr [eax+esi*2+44h]

loc_9A4A79:				; CODE XREF: ObpGetTraceIndex(x)+4Fj
		mov	eax, 0FFFFh
		cmp	bx, ax
		jnz	short loc_9A4A2E
		jmp	short loc_9A4A8F
; 

loc_9A4A85:				; CODE XREF: ObpGetTraceIndex(x)+72j
		mov	eax, 0FFFFh
		cmp	bx, ax
		jnz	short loc_9A4B08

loc_9A4A8F:				; CODE XREF: ObpGetTraceIndex(x)+A6j
		mov	edx, _ObpStackTable
		mov	ax, [edx]
		cmp	ax, [edx+2]
		jnz	short loc_9A4AD9
		push	7452624Fh
		push	10000h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_9A4ABF

loc_9A4AB8:				; CODE XREF: ObpGetTraceIndex(x)+8Aj
		mov	eax, 3FFDh
		jmp	short loc_9A4B0B
; 

loc_9A4ABF:				; CODE XREF: ObpGetTraceIndex(x)+D9j
		mov	edx, _ObpStackTable
		movzx	eax, word ptr [edx+2]
		shr	eax, 0Ah
		mov	[edx+eax*4+4], ecx
		mov	eax, 400h
		add	[edx+2], ax

loc_9A4AD9:				; CODE XREF: ObpGetTraceIndex(x)+BFj
		movzx	ecx, word ptr [edx]
		mov	eax, [ebp+var_4]
		mov	edi, ecx
		mov	esi, [ebp+var_10]
		mov	ebx, ecx
		movzx	eax, ax
		shr	edi, 0Ah
		push	10h
		mov	[edx+eax*2+44h], cx
		and	ecx, 3FFh
		mov	edi, [edx+edi*4+4]
		shl	ecx, 6
		add	edi, ecx
		pop	ecx
		rep movsd
		inc	word ptr [edx]

loc_9A4B08:				; CODE XREF: ObpGetTraceIndex(x)+B0j
		mov	ax, bx

loc_9A4B0B:				; CODE XREF: ObpGetTraceIndex(x)+E0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ObpGetTraceIndex@4 endp


;  S U B	R O U T	I N E 


; __stdcall ObpInitStackAndObjectTables()
_ObpInitStackAndObjectTables@0 proc near ; CODE	XREF: ObpStartRuntimeStackTrace(x)+29Dp
					; ObpInitStackTrace:loc_AEAF22p
		mov	edi, edi
		push	ebx
		push	edi
		mov	ebx, 7452624Fh
		push	ebx
		push	8040h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	_ObpStackTable,	edi
		test	edi, edi
		jnz	short loc_9A4B3F
		mov	eax, 0C0000017h
		jmp	loc_9A4C42
; 

loc_9A4B3F:				; CODE XREF: ObpInitStackAndObjectTables()+23j
		push	esi
		push	44h		; size_t
		xor	esi, esi
		push	esi		; int
		push	edi		; void *
		call	_memset
		push	7FFAh		; size_t
		lea	eax, [edi+44h]
		push	0FFh		; int
		push	eax		; void *
		call	_memset
		add	esp, 18h
		push	ebx
		push	10000h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, _ObpStackTable
		mov	[edi+4], eax
		test	eax, eax
		jz	loc_9A4C0D
		push	10000h		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, 400h
		mov	[edi+2], ax
		mov	edi, 200h
		push	ebx
		push	644h
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_ObpObjectTable, eax
		test	eax, eax
		jz	short loc_9A4C1D
		push	644h		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	_ObpWorkItemFreeList, esi
		mov	dword_6C438C, esi

loc_9A4BCF:				; CODE XREF: ObpInitStackAndObjectTables()+DFj
		push	ebx
		push	58h
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, offset _ObpWorkItemFreeList
		test	eax, eax
		jz	short loc_9A4BF5
		mov	edx, eax
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		inc	esi
		cmp	esi, 1F4h
		jb	short loc_9A4BCF
		xor	eax, eax
		jmp	short loc_9A4C41
; 

loc_9A4BF5:				; CODE XREF: ObpInitStackAndObjectTables()+CFj
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	esi, eax
		jmp	short loc_9A4C09
; 

loc_9A4BFE:				; CODE XREF: ObpInitStackAndObjectTables()+FBj
		mov	ecx, esi
		mov	esi, [esi]
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A4C09:				; CODE XREF: ObpInitStackAndObjectTables()+ECj
		test	esi, esi
		jnz	short loc_9A4BFE

loc_9A4C0D:				; CODE XREF: ObpInitStackAndObjectTables()+6Cj
		mov	eax, _ObpObjectTable
		test	eax, eax
		jz	short loc_9A4C1D
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A4C1D:				; CODE XREF: ObpInitStackAndObjectTables()+A2j
					; ObpInitStackAndObjectTables()+104j
		mov	eax, _ObpStackTable
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_9A4C30
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A4C30:				; CODE XREF: ObpInitStackAndObjectTables()+117j
		push	ebx
		push	_ObpStackTable
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C0000017h

loc_9A4C41:				; CODE XREF: ObpInitStackAndObjectTables()+E3j
		pop	esi

loc_9A4C42:				; CODE XREF: ObpInitStackAndObjectTables()+2Aj
		pop	edi
		pop	ebx
		retn
_ObpInitStackAndObjectTables@0 endp


;  S U B	R O U T	I N E 


; __stdcall ObpIsObjectPoolTagTraced(x)
_ObpIsObjectPoolTagTraced@4 proc near	; CODE XREF: ObpRegisterObject(x)+7Dp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_9A4C8D
		test	byte ptr ds:_ObpTraceFlags, 10h
		jz	short loc_9A4C91
		mov	eax, esi
		xor	edx, edx
		shr	eax, 8
		movzx	ecx, al
		movzx	eax, byte ptr [esi+0Ch]
		xor	ecx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	ecx, eax
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	ecx, [eax+84h]

loc_9A4C7D:				; CODE XREF: ObpIsObjectPoolTagTraced(x)+46j
		mov	eax, _ObpTracePoolTags
		cmp	ecx, [eax+edx*4]
		jz	short loc_9A4C91
		inc	edx
		cmp	edx, 10h
		jb	short loc_9A4C7D

loc_9A4C8D:				; CODE XREF: ObpIsObjectPoolTagTraced(x)+7j
		xor	al, al
		pop	esi
		retn
; 

loc_9A4C91:				; CODE XREF: ObpIsObjectPoolTagTraced(x)+10j
					; ObpIsObjectPoolTagTraced(x)+40j
		mov	al, 1
		pop	esi
		retn
_ObpIsObjectPoolTagTraced@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ObpPushRefDerefInfo(int,int,__int16,int,void *Source2,int)
_ObpPushRefDerefInfo@24	proc near	; CODE XREF: ObpPushStackInfo(x,x,x,x)+CFp
					; ObpPushStackInfoQueue(x)+26p

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
Source2		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		dec	word ptr [eax+13Eh]
		mov	esi, ecx
		push	edi		; char
		mov	[ebp+var_1], dl
		nop
		mov	ebx, offset _ObpStackTraceLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		test	byte ptr ds:_ObpTraceFlags, 73h
		jz	loc_9A4D9A
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	_ObpGetObjectRefInfo@8 ; ObpGetObjectRefInfo(x,x)
		test	eax, eax
		js	loc_9A4D8B
		mov	ebx, [ebp+var_8]
		test	ebx, ebx
		jz	loc_9A4D86
		mov	ecx, [ebp+Source2] ; Source2
		call	_ObpGetTraceIndex@4 ; ObpGetTraceIndex(x)
		movzx	esi, ax
		mov	eax, 3FFDh
		mov	[ebp+Source2], esi
		cmp	si, ax
		jnb	short loc_9A4D75
		movzx	ecx, word ptr [ebx+18h]
		test	cx, cx
		jz	short loc_9A4D38
		mov	edx, [ebp+arg_4]

loc_9A4D13:				; CODE XREF: ObpPushRefDerefInfo(x,x,x,x,x,x)+9Ej
		movzx	eax, cx
		lea	esi, [ebx+10h]
		imul	eax, 0Ch
		add	esi, eax
		cmp	edx, [esi]
		jnb	short loc_9A4D35
		lea	edi, [ebx+1Ch]
		add	ecx, 0FFFFh
		add	edi, eax
		movsd
		movsd
		movsd
		test	cx, cx
		jnz	short loc_9A4D13

loc_9A4D35:				; CODE XREF: ObpPushRefDerefInfo(x,x,x,x,x,x)+8Bj
		mov	esi, [ebp+Source2]

loc_9A4D38:				; CODE XREF: ObpPushRefDerefInfo(x,x,x,x,x,x)+79j
		movzx	eax, [ebp+var_1]
		movzx	edx, cx
		imul	ecx, edx, 0Ch
		neg	eax
		sbb	eax, eax
		and	eax, 8000h
		or	ax, si
		mov	[ecx+ebx+20h], ax
		mov	ax, [ebp+arg_0]
		mov	[ecx+ebx+22h], ax
		mov	eax, [ebp+arg_4]
		mov	[ecx+ebx+1Ch], eax
		lea	eax, [edx+3]
		imul	ecx, eax, 0Ch
		mov	eax, [ebp+arg_C]
		mov	[ecx+ebx], eax
		inc	word ptr [ebx+18h]
		jmp	short loc_9A4D86
; 

loc_9A4D75:				; CODE XREF: ObpPushRefDerefInfo(x,x,x,x,x,x)+70j
		push	offset ??_C@_0CO@CHACDCHL@ObpPushRefDerefInfo?5?9?5ObpStackT@NNGAKEGL@ ; char *
		push	1		; int
		push	0		; int
		call	_DbgPrintEx
		add	esp, 0Ch

loc_9A4D86:				; CODE XREF: ObpPushRefDerefInfo(x,x,x,x,x,x)+54j
					; ObpPushRefDerefInfo(x,x,x,x,x,x)+DEj
		mov	ebx, offset _ObpStackTraceLock

loc_9A4D8B:				; CODE XREF: ObpPushRefDerefInfo(x,x,x,x,x,x)+49j
		cmp	word ptr dword_6C438C, 64h
		jnb	short loc_9A4D9A
		call	_ObpRefillWorkItemFreeList@0 ; ObpRefillWorkItemFreeList()

loc_9A4D9A:				; CODE XREF: ObpPushRefDerefInfo(x,x,x,x,x,x)+37j
					; ObpPushRefDerefInfo(x,x,x,x,x,x)+FEj
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A4DAE
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A4DAE:				; CODE XREF: ObpPushRefDerefInfo(x,x,x,x,x,x)+110j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_ObpPushRefDerefInfo@24	endp


;  S U B	R O U T	I N E 


; __stdcall ObpPushStackInfoQueue(x)
_ObpPushStackInfoQueue@4 proc near	; DATA XREF: ObpInitStackTrace+43o
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, offset _ObpPushStackInfoList
		inc	edi

loc_9A4DD5:				; CODE XREF: ObpPushStackInfoQueue(x)+45j
					; ObpPushStackInfoQueue(x)+51j
		mov	esi, edi
		xchg	esi, [ebx]

loc_9A4DD9:				; CODE XREF: ObpPushStackInfoQueue(x)+3Dj
		push	dword ptr [esi+0Ch] ; int
		mov	dl, [esi+8]	; int
		lea	eax, [esi+14h]
		mov	ecx, [esi+4]	; int
		push	eax		; Source2
		push	dword ptr [esi+10h] ; int
		movzx	eax, word ptr [esi+0Ah]
		push	eax		; __int16
		call	_ObpPushRefDerefInfo@24	; ObpPushRefDerefInfo(x,x,x,x,x,x)
		mov	ecx, esi
		mov	esi, [esi]
		add	ecx, 0FFFFFFFCh
		call	_ObpFreeWorkItemBlock@4	; ObpFreeWorkItemBlock(x)
		test	esi, esi
		jz	short loc_9A4E07
		cmp	esi, edi
		jnz	short loc_9A4DD9

loc_9A4E07:				; CODE XREF: ObpPushStackInfoQueue(x)+39j
		cmp	_ObpPushStackInfoList, edi
		jnz	short loc_9A4DD5
		xor	ecx, ecx
		mov	eax, edi
		lock cmpxchg [ebx], ecx
		cmp	eax, edi
		jnz	short loc_9A4DD5
		pop	edi
		pop	esi
		pop	ebx
		retn	4
_ObpPushStackInfoQueue@4 endp


;  S U B	R O U T	I N E 


; __stdcall ObpRefillWorkItemFreeList()
_ObpRefillWorkItemFreeList@0 proc near	; CODE XREF: ObpPushRefDerefInfo(x,x,x,x,x,x)+100p
		mov	edi, edi
		push	esi
		push	64h
		pop	esi

loc_9A4E27:				; CODE XREF: ObpRefillWorkItemFreeList()+2Aj
		push	7452624Fh
		push	58h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_9A4E48
		mov	edx, eax
		mov	ecx, offset _ObpWorkItemFreeList
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_9A4E48:				; CODE XREF: ObpRefillWorkItemFreeList()+19j
		sub	esi, 1
		jnz	short loc_9A4E27
		pop	esi
		retn
_ObpRefillWorkItemFreeList@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpRegisterObject(x)
_ObpRegisterObject@4 proc near		; CODE XREF: CmpCreateKeyBody+1025A5p
					; IopAllocRealFileObject+FEC8Fp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	byte ptr ds:dword_70EFD0, 80h
		push	edi
		mov	edi, ecx
		jz	short loc_9A4E6D
		mov	edx, edi
		mov	ecx, 1130h
		call	_EtwTraceObject@8 ; EtwTraceObject(x,x)

loc_9A4E6D:				; CODE XREF: ObpRegisterObject(x)+10j
		test	byte ptr ds:_ObpTraceFlags, 73h
		jz	loc_9A4FC0
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	ebx
		dec	word ptr [eax+13Eh]
		nop
		mov	ebx, offset _ObpStackTraceLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, ds:_ObpTraceFlags
		test	al, 73h
		jz	loc_9A4F98
		push	esi
		mov	esi, 200h
		test	al, 20h
		jz	short loc_9A4ECA
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	[eax+0F8h], esi
		jz	loc_9A4F97

loc_9A4ECA:				; CODE XREF: ObpRegisterObject(x)+61j
		mov	ecx, edi
		call	_ObpIsObjectPoolTagTraced@4 ; ObpIsObjectPoolTagTraced(x)
		test	al, al
		jz	loc_9A4F97
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_ObpGetObjectRefInfo@8 ; ObpGetObjectRefInfo(x,x)
		test	eax, eax
		js	loc_9A4F97
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jnz	short loc_9A4F3D
		push	7452624Fh
		push	17ECh
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	loc_9A4F97
		lea	eax, [edi+18h]
		mov	esi, 191h
		shr	eax, 4
		xor	edx, edx
		and	eax, 0FFFFFh
		div	esi
		mov	eax, _ObpObjectTable
		mov	eax, [eax+edx*4]
		mov	[ecx+4], eax
		mov	eax, _ObpObjectTable
		mov	[eax+edx*4], ecx
		lea	eax, [esi+6Bh]
		mov	[ecx+1Ah], ax

loc_9A4F3D:				; CODE XREF: ObpRegisterObject(x)+A1j
		mov	eax, large fs:124h
		inc	_ObpNumTracedObjects
		mov	esi, [ebp+var_4]
		mov	[ecx], edi
		mov	eax, [eax+80h]
		add	eax, 1ACh
		push	eax
		push	10h
		lea	ecx, [esi+8]
		pop	edx
		call	_RtlStringCbCopyA@12 ; RtlStringCbCopyA(x,x,x)
		xor	eax, eax
		mov	[esi+18h], ax
		movzx	eax, word ptr [esi+1Ah]
		imul	eax, 0Ch
		push	eax		; size_t
		lea	eax, [esi+1Ch]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	al, [edi+0Dh]
		add	esp, 0Ch
		or	al, 1
		test	byte ptr ds:_ObpTraceFlags, 40h
		mov	[edi+0Dh], al
		jz	short loc_9A4F97
		or	al, 2
		mov	[edi+0Dh], al

loc_9A4F97:				; CODE XREF: ObpRegisterObject(x)+75j
					; ObpRegisterObject(x)+84j ...
		pop	esi

loc_9A4F98:				; CODE XREF: ObpRegisterObject(x)+53j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A4FAC
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A4FAC:				; CODE XREF: ObpRegisterObject(x)+154j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	ebx

loc_9A4FC0:				; CODE XREF: ObpRegisterObject(x)+25j
		pop	edi
		leave
		retn
_ObpRegisterObject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpStartRuntimeStackTrace(x)
_ObpStartRuntimeStackTrace@4 proc near	; CODE XREF: ObSetRefTraceInformation(x,x)+86p

var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_65		= byte ptr -65h
var_64		= dword	ptr -64h
ms_exc		= CPPEH_RECORD ptr -18h

		push	0A0h
		push	offset dword_6A8D50
		call	__SEH_prolog4_GS
		mov	edi, ecx
		push	40h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		lea	eax, [ebp+var_64]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_80], ebx
		mov	[ebp+var_70], ebx
		mov	esi, ebx
		mov	[ebp+var_6C], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_65], al
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [edi+0Ch]
		mov	[ebp+var_A8], eax
		mov	ecx, [edi+10h]
		mov	[ebp+var_84], ecx
		mov	[ebp+var_A4], ecx
		mov	ecx, [edi+4]
		mov	[ebp+var_88], ecx
		mov	[ebp+var_B0], ecx
		mov	edx, [edi+8]
		mov	[ebp+var_74], edx
		mov	[ebp+var_AC], edx
		movzx	edx, byte ptr [edi+1]
		mov	[ebp+var_78], edx
		mov	[ebp+var_A0], edx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	ax, ax
		jz	loc_9A5117
		test	al, 1
		jnz	loc_9A51F2
		movzx	ecx, ax
		mov	eax, ecx
		shr	eax, 1
		xor	edx, edx
		push	5
		pop	esi
		div	esi
		test	edx, edx
		jz	short loc_9A5075
		cmp	edx, 4
		jnz	loc_9A51F2

loc_9A5075:				; CODE XREF: ObpStartRuntimeStackTrace(x)+A7j
		lea	eax, [ecx+2]
		xor	edx, edx
		push	0Ah
		pop	esi
		div	esi
		mov	esi, eax
		mov	[ebp+var_6C], eax
		cmp	esi, 10h
		jbe	short loc_9A508F
		push	10h
		pop	esi
		mov	[ebp+var_6C], esi

loc_9A508F:				; CODE XREF: ObpStartRuntimeStackTrace(x)+C4j
		mov	[ebp+ms_exc.disabled], 1
		cmp	[ebp+var_65], 0
		jz	short loc_9A50BF
		mov	edx, [ebp+var_84]
		test	dl, 1
		jz	short loc_9A50AC

loc_9A50A7:				; CODE XREF: ObpStartRuntimeStackTrace(x)+1E4j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9A50AC:				; CODE XREF: ObpStartRuntimeStackTrace(x)+E2j
		lea	eax, [ecx+edx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_9A50BD
		cmp	eax, edx
		jnb	short loc_9A50BF

loc_9A50BD:				; CODE XREF: ObpStartRuntimeStackTrace(x)+F4j
		mov	[ecx], bl

loc_9A50BF:				; CODE XREF: ObpStartRuntimeStackTrace(x)+D7j
					; ObpStartRuntimeStackTrace(x)+F8j
		mov	edx, ebx
		mov	[ebp+var_90], edx
		mov	edi, [ebp+var_84]

loc_9A50CD:				; CODE XREF: ObpStartRuntimeStackTrace(x)+13Fj
		cmp	edx, esi
		jnb	short loc_9A5104
		mov	esi, ebx

loc_9A50D3:				; CODE XREF: ObpStartRuntimeStackTrace(x)+133j
		mov	[ebp+var_8C], esi
		cmp	esi, 4
		jnb	short loc_9A50F8
		imul	eax, edx, 5
		sub	eax, esi
		movzx	ecx, word ptr [edi+eax*2+6]
		mov	eax, [ebp+edx*4+var_64]
		shl	eax, 8
		or	ecx, eax
		mov	[ebp+edx*4+var_64], ecx
		inc	esi
		jmp	short loc_9A50D3
; 

loc_9A50F8:				; CODE XREF: ObpStartRuntimeStackTrace(x)+119j
		inc	edx
		mov	[ebp+var_90], edx
		mov	esi, [ebp+var_6C]
		jmp	short loc_9A50CD
; 

loc_9A5104:				; CODE XREF: ObpStartRuntimeStackTrace(x)+10Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	10h
		pop	esi
		mov	[ebp+var_6C], esi
		mov	ecx, [ebp+var_88]

loc_9A5117:				; CODE XREF: ObpStartRuntimeStackTrace(x)+89j
		test	cx, cx
		jz	loc_9A51EE
		test	cl, 1
		jnz	loc_9A51F2
		mov	eax, 80h
		cmp	cx, ax
		jnb	short loc_9A5157
		mov	ax, cx
		jmp	short loc_9A515A
; 

loc_9A5138:				; DATA XREF: .text:006A8D70o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_94], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A5149:				; DATA XREF: .text:006A8D74o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_94]
		jmp	loc_9A5223
; 

loc_9A5157:				; CODE XREF: ObpStartRuntimeStackTrace(x)+16Ej
		push	7Eh
		pop	eax

loc_9A515A:				; CODE XREF: ObpStartRuntimeStackTrace(x)+173j
		mov	word ptr [ebp+var_80], ax
		movzx	edi, ax
		push	7452624Fh
		lea	eax, [edi+2]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_70], ecx
		mov	[ebp+var_7C], ecx
		test	ecx, ecx
		jnz	short loc_9A518A
		mov	eax, 0C0000017h
		jmp	loc_9A5366
; 

loc_9A518A:				; CODE XREF: ObpStartRuntimeStackTrace(x)+1BBj
		mov	eax, [ebp+var_80]
		add	eax, 2
		mov	word ptr [ebp+var_80+2], ax
		mov	[ebp+ms_exc.disabled], 2
		cmp	[ebp+var_65], 0
		jz	short loc_9A51C9
		mov	edx, [ebp+var_74]
		test	dl, 1
		jnz	loc_9A50A7
		mov	eax, [ebp+var_88]
		movzx	eax, ax
		add	eax, edx
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_9A51C7
		cmp	eax, [ebp+var_74]
		jnb	short loc_9A51C9

loc_9A51C7:				; CODE XREF: ObpStartRuntimeStackTrace(x)+1FDj
		mov	[edx], bl

loc_9A51C9:				; CODE XREF: ObpStartRuntimeStackTrace(x)+1DCj
					; ObpStartRuntimeStackTrace(x)+202j
		push	edi		; size_t
		push	[ebp+var_74]	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		shr	edi, 1
		xor	ecx, ecx
		mov	eax, [ebp+var_70]
		mov	[eax+edi*2], cx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		or	esi, 20h
		mov	[ebp+var_6C], esi

loc_9A51EE:				; CODE XREF: ObpStartRuntimeStackTrace(x)+157j
		test	esi, esi
		jnz	short loc_9A522F

loc_9A51F2:				; CODE XREF: ObpStartRuntimeStackTrace(x)+91j
					; ObpStartRuntimeStackTrace(x)+ACj ...
		mov	eax, 0C000000Dh
		jmp	loc_9A5366
; 

loc_9A51FC:				; DATA XREF: .text:006A8D7Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_98], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A520D:				; DATA XREF: .text:006A8D80o
		mov	esp, [ebp+ms_exc.old_esp]
		push	7452624Fh
		push	[ebp+var_7C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_98]

loc_9A5223:				; CODE XREF: ObpStartRuntimeStackTrace(x)+18Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_9A5366
; 

loc_9A522F:				; CODE XREF: ObpStartRuntimeStackTrace(x)+22Dj
		cmp	[ebp+var_78], 0
		jz	short loc_9A523B
		or	esi, 40h
		mov	[ebp+var_6C], esi

loc_9A523B:				; CODE XREF: ObpStartRuntimeStackTrace(x)+270j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		xor	edx, edx
		mov	esi, offset _ObpStackTraceLock
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, ds:_ObpTraceFlags
		test	al, 73h
		jnz	short loc_9A5267
		call	_ObpInitStackAndObjectTables@0 ; ObpInitStackAndObjectTables()
		mov	ebx, eax

loc_9A5267:				; CODE XREF: ObpStartRuntimeStackTrace(x)+29Bj
		test	ebx, ebx
		js	loc_9A5308
		mov	eax, dword_6C42CC
		mov	[ebp+var_78], eax
		mov	eax, [ebp+var_80]
		mov	_ObpRuntimeTraceProcessName, eax
		mov	eax, [ebp+var_70]
		mov	dword_6C42CC, eax
		push	10h
		pop	ecx
		lea	esi, [ebp+var_64]
		mov	edx, offset _ObpRuntimeTracePoolTags
		mov	edi, edx
		rep movsd
		mov	ecx, ds:_ObpTraceFlags
		and	ecx, 0FFFFFF8Eh
		or	ecx, [ebp+var_6C]
		or	ecx, 2
		mov	_ObpRuntimeTraceFlags, ecx
		mov	ds:_ObpTraceFlags, ecx
		mov	eax, ecx
		and	al, 10h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, edx
		mov	_ObpTracePoolTags, eax
		and	cl, 20h
		movzx	eax, cl
		neg	eax
		sbb	eax, eax
		and	eax, offset _ObpRuntimeTraceProcessName
		mov	_ObpTraceProcessName, eax
		or	eax, 0FFFFFFFFh
		mov	esi, offset _ObpStackTraceLock
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A52F0
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A52F0:				; CODE XREF: ObpStartRuntimeStackTrace(x)+324j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_78]
		jmp	short loc_9A5332
; 

loc_9A5308:				; CODE XREF: ObpStartRuntimeStackTrace(x)+2A6j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A531C
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A531C:				; CODE XREF: ObpStartRuntimeStackTrace(x)+350j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_70]

loc_9A5332:				; CODE XREF: ObpStartRuntimeStackTrace(x)+343j
		test	eax, eax
		jz	short loc_9A5341
		push	7452624Fh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A5341:				; CODE XREF: ObpStartRuntimeStackTrace(x)+371j
		mov	eax, ebx
		jmp	short loc_9A5366
; 

loc_9A5345:				; DATA XREF: .text:006A8D64o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_9C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A5356:				; DATA XREF: .text:006A8D68o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_9C]

loc_9A5366:				; CODE XREF: ObpStartRuntimeStackTrace(x)+1C2j
					; ObpStartRuntimeStackTrace(x)+234j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ObpStartRuntimeStackTrace@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpStopRuntimeStackTrace()
_ObpStopRuntimeStackTrace@0 proc near	; CODE XREF: ObSetRefTraceInformation(x,x):loc_9A46B5p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	esi, esi
		dec	word ptr [eax+13Eh]
		push	edi
		nop
		mov	edi, offset _ObpStackTraceLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, ds:_ObpTraceFlags
		test	bl, 2
		jnz	short loc_9A53D4
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A53BC
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A53BC:				; CODE XREF: ObpStopRuntimeStackTrace()+3Dj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_9A5509
; 

loc_9A53D4:				; CODE XREF: ObpStopRuntimeStackTrace()+30j
		test	bl, 10h
		jz	short loc_9A53EA
		push	40h		; size_t
		push	0		; int
		push	offset _ObpRuntimeTracePoolTags	; void *
		call	_memset
		add	esp, 0Ch

loc_9A53EA:				; CODE XREF: ObpStopRuntimeStackTrace()+61j
		test	bl, 20h
		jz	short loc_9A5401
		mov	esi, dword_6C42CC
		push	0
		push	offset _ObpRuntimeTraceProcessName
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)

loc_9A5401:				; CODE XREF: ObpStopRuntimeStackTrace()+77j
		mov	ecx, ds:_ObpTraceFlags
		xor	eax, eax
		and	ecx, 0FFFFFF8Ch
		mov	_ObpRuntimeTraceFlags, eax
		or	ecx, _ObpRegTraceFlags
		mov	ds:_ObpTraceFlags, ecx
		test	cl, 1
		jz	short loc_9A5477
		mov	eax, ecx
		and	al, 10h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	cl, 20h
		and	eax, offset _ObpRegTracePoolTags
		mov	_ObpTracePoolTags, eax
		movzx	eax, cl
		neg	eax
		sbb	eax, eax
		and	eax, offset _ObpRegTraceProcessName
		mov	_ObpTraceProcessName, eax
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A545F
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A545F:				; CODE XREF: ObpStopRuntimeStackTrace()+E0j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_9A54FA
; 

loc_9A5477:				; CODE XREF: ObpStopRuntimeStackTrace()+AAj
		mov	edi, _ObpStackTable
		and	ecx, 0FFFFFF8Ch
		mov	ebx, _ObpObjectTable
		mov	ds:_ObpTraceFlags, ecx
		mov	ecx, offset _ObpWorkItemFreeList
		mov	_ObpTracePoolTags, eax
		mov	_ObpTraceProcessName, eax
		mov	_ObpStackSequence, eax
		mov	_ObpNumTracedObjects, eax
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		and	_ObpStackTable,	0
		or	ecx, 0FFFFFFFFh
		and	_ObpObjectTable, 0
		mov	[ebp+var_4], eax
		mov	eax, offset _ObpStackTraceLock
		lock xadd [eax], ecx
		and	cl, 6
		cmp	cl, 2
		jnz	short loc_9A54DB
		mov	ecx, eax
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	eax, offset _ObpStackTraceLock

loc_9A54DB:				; CODE XREF: ObpStopRuntimeStackTrace()+157j
		mov	ecx, eax
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		push	[ebp+var_4]
		mov	edx, ebx
		mov	ecx, edi
		call	_ObpDestroyStackAndObjectTables@12 ; ObpDestroyStackAndObjectTables(x,x,x)

loc_9A54FA:				; CODE XREF: ObpStopRuntimeStackTrace()+FCj
		test	esi, esi
		jz	short loc_9A5509
		push	7452624Fh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A5509:				; CODE XREF: ObpStopRuntimeStackTrace()+59j
					; ObpStopRuntimeStackTrace()+186j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
_ObpStopRuntimeStackTrace@0 endp


;  S U B	R O U T	I N E 


; __stdcall ObpRemoveNamespaceEntry(x, x)
_ObpRemoveNamespaceEntry@8 proc	near	; CODE XREF: NtCreatePrivateNamespace+125F7Cp
		mov	edi, edi
		push	esi
		mov	esi, [edx]
		cmp	[esi+4], edx
		jnz	short loc_9A552E
		mov	eax, [edx+4]
		cmp	[eax], edx
		jnz	short loc_9A552E
		mov	[eax], esi
		mov	[esi+4], eax
		dec	dword ptr [ecx+12Ch]
		pop	esi
		retn
; 

loc_9A552E:				; CODE XREF: ObpRemoveNamespaceEntry(x,x)+8j
					; ObpRemoveNamespaceEntry(x,x)+Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ObpRemoveNamespaceEntry@8 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObSetProcessDeviceMap(x, x,	x)
_ObSetProcessDeviceMap@12 proc near	; CODE XREF: PAGE:007A8093p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		push	edi
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		push	0
		push	2
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, eax
		push	esi
		call	ObpSetDeviceMap
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_ObSetProcessDeviceMap@12 endp


;  S U B	R O U T	I N E 


; __stdcall PfpOpenHandleInitialize(x)
_PfpOpenHandleInitialize@4 proc	near	; CODE XREF: PfpReadSupportInitialize(x)+12j
		xor	eax, eax
		mov	[ecx], eax
		mov	[ecx+4], eax
		mov	[ecx+8], eax
		mov	[ecx+0Ch], eax
		mov	dword ptr [ecx+10h], 2
		retn
_PfpOpenHandleInitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpPrefetchFiles(x,	x)
_PfpPrefetchFiles@8 proc near		; CODE XREF: PfpPrefetchRequestPerform+1368EFp
					; PfpPrefetchRequestPerform+136936p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], edx
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], ebx
		mov	edi, [esi]
		mov	[ebp+var_30], edi
		call	_PFP_GET_CURRENT_TICK_COUNT_MS@0 ; PFP_GET_CURRENT_TICK_COUNT_MS()
		mov	ecx, [esi]
		xor	edx, edx
		mov	[ebp+var_34], eax
		mov	eax, [edi+8]
		mov	[ebp+var_8], edx
		movzx	esi, word ptr [ecx+1Eh]
		mov	ecx, [ecx+1Ch]
		and	esi, 7
		shl	esi, 3
		and	ecx, 7
		or	esi, ecx
		mov	[ebp+var_20], eax
		mov	[ebp+var_2C], esi
		test	eax, eax
		jz	loc_9A5818
		mov	ecx, [edi+20h]
		xor	esi, esi
		mov	ebx, [ebp+var_4]
		add	ecx, 0Ch
		mov	[ebp+var_24], esi

loc_9A55CD:				; CODE XREF: PfpPrefetchFiles(x,x)+C4j
		mov	eax, [ebx+8]
		test	byte ptr [esi+eax+10h],	4
		jz	short loc_9A5627
		and	[ebp+var_28], 0
		test	dword ptr [ecx], 0FFFFFFFEh
		jbe	short loc_9A5627
		mov	ebx, [ebp+var_28]
		xor	esi, esi

loc_9A55E8:				; CODE XREF: PfpPrefetchFiles(x,x)+AFj
		mov	eax, [ecx+4]
		mov	edx, [eax+esi]
		test	dl, 0Ah
		mov	[ebp+var_28], edx
		mov	edx, [ebp+var_8]
		jnz	short loc_9A5615
		cmp	dword ptr [eax+esi+10h], 0
		jz	short loc_9A5615
		cmp	byte ptr [ebp+var_14], 0
		jnz	short loc_9A560B
		inc	dword ptr [edi+3Ch]
		jmp	short loc_9A5611
; 

loc_9A560B:				; CODE XREF: PfpPrefetchFiles(x,x)+94j
		test	byte ptr [ebp+var_28], 1
		jz	short loc_9A5615

loc_9A5611:				; CODE XREF: PfpPrefetchFiles(x,x)+99j
		inc	edx
		mov	[ebp+var_8], edx

loc_9A5615:				; CODE XREF: PfpPrefetchFiles(x,x)+87j
					; PfpPrefetchFiles(x,x)+8Ej ...
		mov	eax, [ecx]
		inc	ebx
		shr	eax, 1
		add	esi, 20h
		cmp	ebx, eax
		jb	short loc_9A55E8
		mov	ebx, [ebp+var_4]
		mov	esi, [ebp+var_24]

loc_9A5627:				; CODE XREF: PfpPrefetchFiles(x,x)+65j
					; PfpPrefetchFiles(x,x)+71j
		add	esi, 28h
		add	ecx, 20h
		sub	[ebp+var_20], 1
		mov	[ebp+var_24], esi
		jnz	short loc_9A55CD
		mov	ebx, [ebp+var_C]
		test	edx, edx
		jz	loc_9A5818
		imul	eax, edx, 24h
		push	41536650h
		push	eax
		push	1
		mov	[ebp+var_28], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_9A5665
		mov	esi, 0C000009Ah
		jmp	loc_9A581D
; 

loc_9A5665:				; CODE XREF: PfpPrefetchFiles(x,x)+E9j
		mov	ecx, [ebp+var_8]
		push	[ebp+var_28]	; size_t
		shl	ecx, 5
		add	ecx, eax
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_8], ecx
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		mov	edx, eax
		mov	[ebp+var_1C], edx
		cmp	[edi+8], eax
		jbe	loc_9A57E8
		mov	ecx, [ebp+var_4]
		mov	esi, [ebp+var_10]
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax

loc_9A569A:				; CODE XREF: PfpPrefetchFiles(x,x)+1FCj
		mov	ebx, [ebp+var_20]
		mov	eax, [ecx+8]
		test	byte ptr [ebx+eax+10h],	4
		mov	ebx, [ebp+var_C]
		jz	loc_9A575D
		mov	eax, [edi+20h]
		add	eax, [ebp+var_24]
		and	[ebp+var_28], 0
		mov	[ebp+var_18], eax
		test	dword ptr [eax+0Ch], 0FFFFFFFEh
		jbe	loc_9A575D
		mov	edi, [ebp+var_4]
		mov	eax, ebx
		xor	edx, edx
		shl	eax, 5
		add	eax, esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_38], eax
		mov	esi, eax

loc_9A56DC:				; CODE XREF: PfpPrefetchFiles(x,x)+1DCj
		mov	eax, [ebp+var_18]
		mov	ecx, [eax+10h]
		add	ecx, edx
		mov	[ebp+var_38], ecx
		mov	edx, [ecx]
		test	dl, 0Ah
		jnz	short loc_9A5735
		cmp	dword ptr [ecx+10h], 0
		jz	short loc_9A5735
		cmp	byte ptr [ebp+var_14], 0
		jz	short loc_9A56FF
		test	dl, 1
		jz	short loc_9A5735

loc_9A56FF:				; CODE XREF: PfpPrefetchFiles(x,x)+188j
		mov	ecx, esi
		call	_PfpReadSupportInitialize@4 ; PfpReadSupportInitialize(x)
		mov	edx, [ebp+var_38]
		mov	ecx, edi
		push	esi
		push	[ebp+var_14]
		push	[ebp+var_1C]
		call	PfpFileBuildReadSupport
		test	eax, eax
		js	short loc_9A5721
		inc	ebx
		add	esi, 20h
		jmp	short loc_9A5732
; 

loc_9A5721:				; CODE XREF: PfpPrefetchFiles(x,x)+1A9j
		mov	ecx, [edi+14h]
		mov	edx, esi
		call	_PfpReadSupportCleanup@8 ; PfpReadSupportCleanup(x,x)
		mov	ecx, esi
		call	_PfpReadSupportInitialize@4 ; PfpReadSupportInitialize(x)

loc_9A5732:				; CODE XREF: PfpPrefetchFiles(x,x)+1AFj
		mov	eax, [ebp+var_18]

loc_9A5735:				; CODE XREF: PfpPrefetchFiles(x,x)+17Cj
					; PfpPrefetchFiles(x,x)+182j ...
		mov	ecx, [ebp+var_28]
		mov	edx, [ebp+var_C]
		inc	ecx
		mov	eax, [eax+0Ch]
		add	edx, 20h
		shr	eax, 1
		mov	[ebp+var_28], ecx
		mov	[ebp+var_C], edx
		cmp	ecx, eax
		jb	short loc_9A56DC
		mov	edi, [ebp+var_30]
		mov	ecx, [ebp+var_4]
		mov	esi, [ebp+var_10]
		mov	edx, [ebp+var_1C]
		mov	[ebp+var_C], ebx

loc_9A575D:				; CODE XREF: PfpPrefetchFiles(x,x)+138j
					; PfpPrefetchFiles(x,x)+152j
		add	[ebp+var_20], 28h
		inc	edx
		add	[ebp+var_24], 20h
		mov	[ebp+var_1C], edx
		cmp	edx, [edi+8]
		jb	loc_9A569A
		mov	esi, [ebp+var_2C]
		test	ebx, ebx
		jz	short loc_9A57E8
		call	_PfpCheckPrefetchAbort@4 ; PfpCheckPrefetchAbort(x)
		test	eax, eax
		jz	short loc_9A5789
		mov	esi, 0C0000240h
		jmp	short loc_9A57F0
; 

loc_9A5789:				; CODE XREF: PfpPrefetchFiles(x,x)+210j
		xor	eax, eax
		xor	ebx, ebx
		mov	[ebp+var_24], eax
		cmp	[ebp+var_C], eax
		jle	short loc_9A57C7
		mov	edx, [ebp+var_10]
		mov	edi, [ebp+var_C]

loc_9A579B:				; CODE XREF: PfpPrefetchFiles(x,x)+24Fj
		mov	ecx, [edx]
		mov	eax, [edx+8]
		mov	[ecx], eax
		mov	ecx, [ebp+var_8]
		mov	eax, [edx]
		mov	[ecx+ebx*4], eax
		mov	ecx, [edx]
		mov	eax, [ecx+4]
		add	[ebp+var_24], eax
		test	eax, eax
		jz	short loc_9A57B9
		or	[ecx+10h], esi

loc_9A57B9:				; CODE XREF: PfpPrefetchFiles(x,x)+244j
		inc	ebx
		add	edx, 20h
		cmp	ebx, edi
		jl	short loc_9A579B
		mov	edi, [ebp+var_30]
		mov	eax, [ebp+var_24]

loc_9A57C7:				; CODE XREF: PfpPrefetchFiles(x,x)+223j
		cmp	byte ptr [ebp+var_14], 0
		jz	short loc_9A57D2
		add	[edi+4Ch], eax
		jmp	short loc_9A57D5
; 

loc_9A57D2:				; CODE XREF: PfpPrefetchFiles(x,x)+25Bj
		add	[edi+48h], eax

loc_9A57D5:				; CODE XREF: PfpPrefetchFiles(x,x)+260j
		mov	ebx, [ebp+var_C]
		mov	ecx, ebx
		mov	edx, [ebp+var_8]
		push	0
		call	MmPrefetchPagesEx
		mov	esi, eax
		jmp	short loc_9A57ED
; 

loc_9A57E8:				; CODE XREF: PfpPrefetchFiles(x,x)+118j
					; PfpPrefetchFiles(x,x)+207j
		mov	esi, 0C0000225h

loc_9A57ED:				; CODE XREF: PfpPrefetchFiles(x,x)+276j
		mov	ecx, [ebp+var_4]

loc_9A57F0:				; CODE XREF: PfpPrefetchFiles(x,x)+217j
		test	ebx, ebx
		jle	short loc_9A580C
		mov	edi, [ebp+var_10]

loc_9A57F7:				; CODE XREF: PfpPrefetchFiles(x,x)+29Aj
		mov	ecx, [ecx+14h]
		mov	edx, edi
		call	_PfpReadSupportCleanup@8 ; PfpReadSupportCleanup(x,x)
		mov	ecx, [ebp+var_4]
		add	edi, 20h
		sub	ebx, 1
		jnz	short loc_9A57F7

loc_9A580C:				; CODE XREF: PfpPrefetchFiles(x,x)+282j
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9A581D
; 

loc_9A5818:				; CODE XREF: PfpPrefetchFiles(x,x)+49j
					; PfpPrefetchFiles(x,x)+CBj
		mov	esi, 0C0000225h

loc_9A581D:				; CODE XREF: PfpPrefetchFiles(x,x)+F0j
					; PfpPrefetchFiles(x,x)+2A6j
		call	_PFP_GET_CURRENT_TICK_COUNT_MS@0 ; PFP_GET_CURRENT_TICK_COUNT_MS()
		mov	ecx, [ebp+var_4]
		sub	eax, [ebp+var_34]
		cmp	byte ptr [ebp+var_14], 0
		mov	ecx, [ecx]
		jz	short loc_9A5835
		add	[ecx+5Ch], eax
		jmp	short loc_9A5838
; 

loc_9A5835:				; CODE XREF: PfpPrefetchFiles(x,x)+2BEj
		add	[ecx+58h], eax

loc_9A5838:				; CODE XREF: PfpPrefetchFiles(x,x)+2C3j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PfpPrefetchFiles@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpPrefetchSharedConflictNotifyEnd(x, x)
_PfpPrefetchSharedConflictNotifyEnd@8 proc near
					; DATA XREF: PfpPrefetchSharedConflictNotifyStart(x,x,x)+6Bo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	esi
		mov	esi, [ebp+arg_0]
		jz	short loc_9A5871
		push	ebx
		mov	ebx, esi
		test	esi, esi
		jnz	short loc_9A585A
		mov	ebx, offset _PfGlobals

loc_9A585A:				; CODE XREF: PfpPrefetchSharedConflictNotifyEnd(x,x)+14j
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		push	0
		call	KeAbPreAcquire
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		call	KeAbPostReleaseEx
		pop	ebx

loc_9A5871:				; CODE XREF: PfpPrefetchSharedConflictNotifyEnd(x,x)+Dj
		test	esi, esi
		jz	short loc_9A5893
		or	eax, 0FFFFFFFFh
		lock xadd [esi+50h], eax
		dec	eax
		test	eax, eax
		jg	short loc_9A5893
		jz	short loc_9A588B
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_9A5893
; 

loc_9A588B:				; CODE XREF: PfpPrefetchSharedConflictNotifyEnd(x,x)+43j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A5893:				; CODE XREF: PfpPrefetchSharedConflictNotifyEnd(x,x)+34j
					; PfpPrefetchSharedConflictNotifyEnd(x,x)+41j ...
		pop	esi
		pop	ebp
		retn	8
_PfpPrefetchSharedConflictNotifyEnd@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpPrefetchSharedConflictNotifyStart(x, x, x)
_PfpPrefetchSharedConflictNotifyStart@12 proc near ; DATA XREF:	PfFileInfoNotify+961o
					; PfpPrefetchSharedInitialize(x)+18o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	esi, esi
		inc	dword_6D4944
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, esi
		test	edi, edi
		jnz	short loc_9A58B8
		mov	ecx, offset _PfGlobals
		jmp	short loc_9A58E4
; 

loc_9A58B8:				; CODE XREF: PfpPrefetchSharedConflictNotifyStart(x,x,x)+17j
		xor	ecx, ecx
		inc	ecx
		mov	[edi+2Ch], ecx
		lock inc dword ptr [edi+4Ch]
		mov	[edi+20h], esi
		mov	eax, ecx
		lock xadd [edi+50h], eax
		inc	eax
		cmp	eax, ecx
		jg	short loc_9A58D6
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9A58D6:				; CODE XREF: PfpPrefetchSharedConflictNotifyStart(x,x,x)+37j
		cmp	[edi+54h], esi
		jnz	short loc_9A58E2

loc_9A58DB:				; CODE XREF: PfpPrefetchSharedConflictNotifyStart(x,x,x)+58j
		mov	esi, 0C000009Ah
		jmp	short loc_9A58F9
; 

loc_9A58E2:				; CODE XREF: PfpPrefetchSharedConflictNotifyStart(x,x,x)+41j
		mov	ecx, edi

loc_9A58E4:				; CODE XREF: PfpPrefetchSharedConflictNotifyStart(x,x,x)+1Ej
		push	esi
		xor	edx, edx
		call	KeAbPreAcquire
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_9A58DB
		mov	ecx, ebx
		call	_KeAbPreWait@4	; KeAbPreWait(x)

loc_9A58F9:				; CODE XREF: PfpPrefetchSharedConflictNotifyStart(x,x,x)+48j
		mov	ecx, [ebp+arg_8]
		mov	eax, esi
		pop	edi
		pop	esi
		mov	[ecx+4], ebx
		mov	dword ptr [ecx], offset	_PfpPrefetchSharedConflictNotifyEnd@8 ;	PfpPrefetchSharedConflictNotifyEnd(x,x)
		pop	ebx
		pop	ebp
		retn	0Ch
_PfpPrefetchSharedConflictNotifyStart@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpQueryFileExtentsRequest(x, x, x)
_PfpQueryFileExtentsRequest@12 proc near ; CODE	XREF: PAGE:008DC8DEp

var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0D4h
		push	offset dword_6A8D88
		call	__SEH_prolog4_GS
		mov	[ebp+var_45], dl
		mov	esi, ecx
		mov	[ebp+var_78], esi
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_7C], eax
		xor	ebx, ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_E4], ebx
		mov	[ebp+var_E0], ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		rep stosd
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_54], ebx
		mov	edi, ebx
		mov	[ebp+var_44], edi
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_A8], ebx
		push	2
		pop	eax
		mov	[ebp+var_A4], eax
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_94], ebx
		mov	[ebp+var_90], eax
		mov	[ebp+var_58], 1
		cmp	dword ptr [esi+10h], 28h
		jnb	short loc_9A59B9
		mov	edx, 0C0000206h

loc_9A59B1:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+1E7j
		mov	[ebp+var_40], edx
		jmp	loc_9A5E1A
; 

loc_9A59B9:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+9Cj
		mov	[ebp+ms_exc.disabled], ebx
		test	dl, dl
		jz	short loc_9A59CF
		push	8
		push	28h
		push	dword ptr [esi+0Ch]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	2
		pop	eax

loc_9A59CF:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+B0j
		push	0Ah
		pop	ecx
		mov	esi, [esi+0Ch]
		lea	edi, [ebp+var_DC]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_DC], eax
		jz	short loc_9A59FC
		mov	edx, 0C0000059h

loc_9A59F1:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+151j
					; PfpQueryFileExtentsRequest(x,x,x)+322j ...
		mov	[ebp+var_40], edx

loc_9A59F4:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+3DCj
					; PfpQueryFileExtentsRequest(x,x,x)+47Ej ...
		mov	edi, [ebp+var_44]
		jmp	loc_9A5E1A
; 

loc_9A59FC:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+DCj
		mov	eax, [ebp+var_D4]
		mov	[ebp+var_40], eax
		test	al, 1
		jnz	loc_9A5DE8
		test	eax, eax
		jz	loc_9A5DE8
		cmp	eax, 100000h
		ja	loc_9A5DE8
		mov	ecx, [ebp+var_D0]
		mov	[ebp+var_4C], ecx
		test	cl, 1
		jnz	loc_9A5DE8
		test	ecx, ecx
		jz	loc_9A5DE8
		cmp	ecx, eax
		jnb	loc_9A5DE8
		push	70436650h
		push	eax
		xor	edi, edi
		inc	edi
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_50], esi
		test	esi, esi
		jnz	short loc_9A5A61

loc_9A5A5A:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+346j
		mov	edx, 0C000009Ah
		jmp	short loc_9A59F1
; 

loc_9A5A61:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+14Aj
		mov	[ebp+ms_exc.disabled], edi
		cmp	[ebp+var_45], 0
		jz	short loc_9A5A96
		test	byte ptr [ebp+var_D8], 1
		jz	short loc_9A5A78
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9A5A78:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+163j
		mov	eax, [ebp+var_D8]
		mov	esi, [ebp+var_40]
		lea	ecx, [eax+esi]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	short loc_9A5A92
		cmp	ecx, eax
		jnb	short loc_9A5A99

loc_9A5A92:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+17Ej
		mov	[edx], bl
		jmp	short loc_9A5A99
; 

loc_9A5A96:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+15Aj
		mov	esi, [ebp+var_40]

loc_9A5A99:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+182j
					; PfpQueryFileExtentsRequest(x,x,x)+186j
		push	esi		; size_t
		push	[ebp+var_D8]	; void *
		mov	edi, [ebp+var_50]
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		shr	esi, 1
		cmp	[edi+esi*2-2], bx
		jnz	loc_9A5DE8
		mov	eax, [ebp+var_4C]
		shr	eax, 1
		mov	[ebp+var_4C], eax
		push	5Ch
		pop	ecx
		mov	esi, edi
		cmp	[esi+eax*2], cx
		jnz	loc_9A5DE8
		push	43536650h
		push	ecx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_44], edi
		test	edi, edi
		jnz	short loc_9A5AFA
		mov	edx, 0C000009Ah
		jmp	loc_9A59B1
; 

loc_9A5AFA:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+1E0j
		mov	ecx, edi	; void *
		call	_PfpPrefetchSharedInitialize@4 ; PfpPrefetchSharedInitialize(x)
		mov	dword ptr [edi+1Ch], 0Fh
		mov	dword ptr [edi+20h], 96h
		mov	ecx, edi
		call	_PfpPrefetchSharedStart@4 ; PfpPrefetchSharedStart(x)
		mov	edx, eax
		mov	[ebp+var_40], edx
		test	edx, edx
		js	loc_9A5E1A
		xor	ecx, ecx
		mov	eax, [ebp+var_4C]
		mov	[esi+eax*2], cx
		push	esi
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	edx, eax
		mov	[ebp+var_40], edx
		test	edx, edx
		js	loc_9A5E1A
		push	ebx
		push	ebx
		push	20h
		push	100180h
		push	ebx
		lea	eax, [ebp+var_60]
		push	eax
		mov	edx, edi
		lea	ecx, [ebp+var_B4]
		call	PfpOpenHandleCreate
		mov	edx, eax
		mov	[ebp+var_40], edx
		test	edx, edx
		js	loc_9A5E1A
		mov	eax, [ebp+var_4C]
		push	5Ch
		pop	ecx
		mov	[esi+eax*2], cx
		push	esi
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	edx, eax
		mov	[ebp+var_40], edx
		test	edx, edx
		js	loc_9A5E1A
		lea	eax, [ebp+var_B4]
		push	eax
		push	80h
		push	20h
		push	100080h
		push	ebx
		lea	eax, [ebp+var_60]
		push	eax
		mov	edx, edi
		lea	ecx, [ebp+var_A0]
		call	PfpOpenHandleCreate
		mov	edx, eax
		mov	[ebp+var_40], edx
		test	edx, edx
		js	loc_9A5E1A
		push	1
		push	18h
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		push	[ebp+var_B4]
		call	_ZwQueryVolumeInformationFile@20 ; ZwQueryVolumeInformationFile(x,x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_40], edx
		cmp	edx, 103h
		jnz	short loc_9A5BF4
		push	ebx
		push	ebx
		push	ebx
		push	0F72h

loc_9A5BEA:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+383j
					; PfpQueryFileExtentsRequest(x,x,x)+3D5j
		push	191h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9A5BF4:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+2D2j
		mov	eax, edx
		mov	ecx, 0C0000000h
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_9A5E1A
		mov	eax, [ebp+var_34]
		mov	[ebp+var_C4], eax
		mov	eax, [ebp+var_BC]
		mov	[ebp+var_4C], eax
		push	20h
		pop	edi
		cmp	eax, edi
		jbe	short loc_9A5C20
		mov	edi, eax

loc_9A5C20:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+30Ej
		mov	esi, [ebp+var_54]

loc_9A5C23:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+4BCj
		cmp	edi, 0A00000h
		jbe	short loc_9A5C35
		mov	edx, 0C0000206h
		jmp	loc_9A59F1
; 

loc_9A5C35:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+31Bj
		test	esi, esi
		jz	short loc_9A5C40
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A5C40:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+329j
		push	65466650h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_54], esi
		test	esi, esi
		jz	loc_9A5A5A
		push	edi
		push	esi
		push	8
		lea	eax, [ebp+var_E4]
		push	eax
		push	90073h
		lea	eax, [ebp+var_68]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_A0]
		call	_ZwFsControlFile@40 ; ZwFsControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_40], edx
		cmp	edx, 103h
		jnz	short loc_9A5C96
		push	ebx
		push	ebx
		push	ebx
		push	0FB0h
		jmp	loc_9A5BEA
; 

loc_9A5C96:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+379j
		test	edx, edx
		js	short loc_9A5CAB
		mov	eax, [ebp+var_64]
		mov	[ebp+var_BC], eax
		cmp	[esi], ebx
		jz	short loc_9A5CB7
		mov	edx, ebx
		jmp	short loc_9A5D0D
; 

loc_9A5CAB:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+38Aj
		cmp	edx, 0C0000011h
		jnz	loc_9A5DBC

loc_9A5CB7:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+397j
		push	6
		push	8
		lea	eax, [ebp+var_74]
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		push	[ebp+var_A0]
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_40], edx
		cmp	edx, 103h
		jnz	short loc_9A5CE8
		push	ebx
		push	ebx
		push	ebx
		push	0FEBh
		jmp	loc_9A5BEA
; 

loc_9A5CE8:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+3CBj
		test	edx, edx
		js	loc_9A59F4
		mov	eax, [ebp+var_74]
		mov	[ebp+var_CC], eax
		mov	eax, [ebp+var_70]
		mov	[ebp+var_C8], eax
		mov	edx, 0C0000011h
		mov	eax, [ebp+var_BC]

loc_9A5D0D:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+39Bj
		mov	[ebp+var_40], edx
		mov	[ebp+ms_exc.disabled], 2
		push	0Ah
		pop	ecx
		lea	esi, [ebp+var_DC]
		mov	edi, [ebp+var_78]
		mov	edi, [edi+0Ch]
		rep movsd
		cmp	edx, 0C0000011h
		jnz	short loc_9A5D35
		mov	[ebp+var_58], ebx
		jmp	short loc_9A5D7C
; 

loc_9A5D35:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+420j
		cmp	[ebp+var_4C], eax
		jnb	short loc_9A5D4D
		mov	[ebp+var_58], ebx
		mov	edx, 0C0000023h
		mov	[ebp+var_40], edx
		mov	[ebp+var_84], edx
		jmp	short loc_9A5D7C
; 

loc_9A5D4D:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+42Aj
		cmp	[ebp+var_45], 0
		jz	short loc_9A5D67
		push	8
		push	eax
		push	[ebp+var_C0]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	eax, [ebp+var_BC]

loc_9A5D67:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+443j
		push	eax		; size_t
		push	[ebp+var_54]	; void *
		push	[ebp+var_C0]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, [ebp+var_40]

loc_9A5D7C:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+425j
					; PfpQueryFileExtentsRequest(x,x,x)+43Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_7C]
		mov	dword ptr [eax], 28h
		jmp	loc_9A59F4
; 

loc_9A5D91:				; DATA XREF: .text:006A8DB4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_80], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A5D9F:				; DATA XREF: .text:006A8DB8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edx, [ebp+var_80]
		mov	[ebp+var_40], edx
		mov	[ebp+var_84], edx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		jmp	loc_9A59F4
; 

loc_9A5DBC:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+3A3j
		cmp	edx, 80000005h
		jnz	loc_9A59F4
		add	edi, edi
		jmp	loc_9A5C23
; 

loc_9A5DCF:				; DATA XREF: .text:006A8DA8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_88], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A5DE0:				; DATA XREF: .text:006A8DACo
		mov	edx, [ebp+var_88]
		jmp	short loc_9A5E09
; 

loc_9A5DE8:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+F9j
					; PfpQueryFileExtentsRequest(x,x,x)+101j ...
		mov	edx, 0C000000Dh
		jmp	loc_9A59F1
; 

loc_9A5DF2:				; DATA XREF: .text:006A8D9Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_8C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9A5E03:				; DATA XREF: .text:006A8DA0o
		mov	edx, [ebp+var_8C]

loc_9A5E09:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+4D8j
		mov	[ebp+var_40], edx
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, ebx

loc_9A5E1A:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+A6j
					; PfpQueryFileExtentsRequest(x,x,x)+E9j ...
		cmp	[ebp+var_58], 0
		jz	short loc_9A5E37
		cmp	edx, 0C0000011h
		jz	short loc_9A5E30
		cmp	edx, 0C0000023h
		jnz	short loc_9A5E37

loc_9A5E30:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+518j
		mov	esi, 0C0000001h
		jmp	short loc_9A5E3A
; 

loc_9A5E37:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+510j
					; PfpQueryFileExtentsRequest(x,x,x)+520j
		mov	esi, [ebp+var_40]

loc_9A5E3A:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+527j
		test	byte ptr [ebp+var_90], 4
		jz	short loc_9A5E50
		mov	edx, edi
		lea	ecx, [ebp+var_A0]
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)

loc_9A5E50:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+533j
		test	byte ptr [ebp+var_A4], 4
		jz	short loc_9A5E66
		mov	edx, edi
		lea	ecx, [ebp+var_B4]
		call	_PfpOpenHandleClose@8 ;	PfpOpenHandleClose(x,x)

loc_9A5E66:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+549j
		test	edi, edi
		jz	short loc_9A5E8E
		mov	ecx, edi
		call	_PfpPrefetchSharedCleanup@4 ; PfpPrefetchSharedCleanup(x)
		or	eax, 0FFFFFFFFh
		lock xadd [edi+50h], eax
		dec	eax
		test	eax, eax
		jg	short loc_9A5E8E
		jz	short loc_9A5E87
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_9A5E8E
; 

loc_9A5E87:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+570j
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A5E8E:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+55Aj
					; PfpQueryFileExtentsRequest(x,x,x)+56Ej ...
		mov	eax, [ebp+var_50]
		test	eax, eax
		jz	short loc_9A5E9C
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A5E9C:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+585j
		mov	eax, [ebp+var_54]
		test	eax, eax
		jz	short loc_9A5EAA
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A5EAA:				; CODE XREF: PfpQueryFileExtentsRequest(x,x,x)+593j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PfpQueryFileExtentsRequest@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfTCleanup(x, x)
_PfTCleanup@8	proc near		; CODE XREF: PfSetSuperfetchInformation+1374B2p
					; PfTStart+8B235p ...

var_A		= byte ptr -0Ah
var_9		= byte ptr -9
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [esp+18h+var_8]
		mov	edi, ecx
		xor	ebx, ebx
		mov	[esp+18h+var_4], eax
		mov	[esp+18h+var_8], eax
		mov	eax, large fs:124h
		mov	[esp+18h+var_9], bl
		cmp	eax, [edi+40h]
		jnz	short loc_9A5EF0
		mov	[esp+18h+var_9], 1

loc_9A5EF0:				; CODE XREF: PfTCleanup(x,x)+2Bj
		push	1
		call	_PfTAccessTracingCleanup@12 ; PfTAccessTracingCleanup(x,x,x)
		lea	esi, [edi+180h]
		mov	ecx, esi
		call	ExAcquireFastMutex
		lea	eax, [esp+18h+var_8]
		mov	[edi+170h], ebx
		push	eax
		xor	edx, edx
		mov	[edi+178h], ebx
		xor	ecx, ecx
		call	_PfTTraceListTrim@12 ; PfTTraceListTrim(x,x,x)
		lea	eax, [esp+18h+var_8]
		xor	ecx, ecx
		push	eax
		xor	edx, edx
		inc	ecx
		call	_PfTTraceListTrim@12 ; PfTTraceListTrim(x,x,x)
		push	2
		mov	ecx, edi
		mov	[edi+17Ch], ebx
		call	_PfTAccessTracingCleanup@12 ; PfTAccessTracingCleanup(x,x,x)
		mov	ecx, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_9A5F43:				; CODE XREF: PfTCleanup(x,x)+ADj
		mov	ecx, [esp+18h+var_8]
		lea	eax, [esp+18h+var_8]
		cmp	ecx, eax
		jz	short loc_9A5F72
		cmp	[ecx+4], eax
		jnz	short loc_9A5F6D
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_9A5F6D
		lea	edx, [esp+18h+var_8]
		mov	[esp+18h+var_8], eax
		mov	[eax+4], edx
		call	_PfTFreeTraceDump@4 ; PfTFreeTraceDump(x)
		jmp	short loc_9A5F43
; 

loc_9A5F6D:				; CODE XREF: PfTCleanup(x,x)+94j
					; PfTCleanup(x,x)+9Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9A5F72:				; CODE XREF: PfTCleanup(x,x)+8Fj
		lea	ecx, [edi+150h]
		mov	[edi+158h], ebx
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	esi, eax
		lea	ebx, [edi+100h]
		jmp	short loc_9A5FA3
; 

loc_9A5F8D:				; CODE XREF: PfTCleanup(x,x)+E7j
		mov	edx, esi
		mov	ecx, ebx
		mov	esi, [esi]
		push	1
		mov	eax, [edx+0Ch]
		push	dword ptr [edx+14h]
		sub	eax, edx
		push	eax
		call	PfFbBufferListInsertInFree

loc_9A5FA3:				; CODE XREF: PfTCleanup(x,x)+CDj
		test	esi, esi
		jnz	short loc_9A5F8D
		lea	esi, [edi+0A0h]
		mov	ecx, esi
		call	_PfFbBufferListShutdown@4 ; PfFbBufferListShutdown(x)
		mov	ecx, ebx
		call	_PfFbBufferListShutdown@4 ; PfFbBufferListShutdown(x)
		cmp	[esp+18h+var_9], 0
		jnz	short loc_9A5FF1
		xor	eax, eax
		cmp	[edi+40h], eax
		jz	short loc_9A5FF1
		push	eax
		push	eax
		lea	eax, [edi+80h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	dword ptr [edi+40h]
		call	KeWaitForSingleObject
		mov	ecx, [edi+40h]
		call	ObfDereferenceObject
		and	dword ptr [edi+40h], 0

loc_9A5FF1:				; CODE XREF: PfTCleanup(x,x)+102j
					; PfTCleanup(x,x)+109j
		mov	ecx, offset unk_6D4290
		call	_PfTCleanupBuffers@4 ; PfTCleanupBuffers(x)
		mov	ecx, offset unk_6D42A8
		call	_PfTCleanupBuffers@4 ; PfTCleanupBuffers(x)
		mov	ecx, esi
		call	_PfFbBufferListCleanup@4 ; PfFbBufferListCleanup(x)
		mov	ecx, ebx
		call	_PfFbBufferListCleanup@4 ; PfFbBufferListCleanup(x)
		mov	ecx, [edi+1A0h]
		test	ecx, ecx
		jz	short loc_9A6029
		call	ObfDereferenceObject
		and	dword ptr [edi+1A0h], 0

loc_9A6029:				; CODE XREF: PfTCleanup(x,x)+15Dj
		and	dword ptr [edi+4], 0
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PfTCleanup@8	endp


;  S U B	R O U T	I N E 


; __stdcall PfTCleanupBuffers(x)
_PfTCleanupBuffers@4 proc near		; CODE XREF: PfTCleanup(x,x)+138p
					; PfTCleanup(x,x)+142p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+10h]

loc_9A603D:				; CODE XREF: PfTCleanupBuffers(x)+28j
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_9A6063
		cmp	[eax+4], esi
		jnz	short loc_9A605E
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_9A605E
		push	0
		mov	[esi], ecx
		push	eax
		mov	[ecx+4], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9A603D
; 

loc_9A605E:				; CODE XREF: PfTCleanupBuffers(x)+12j
					; PfTCleanupBuffers(x)+19j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9A6063:				; CODE XREF: PfTCleanupBuffers(x)+Dj
		mov	esi, [edi+0Ch]
		test	esi, esi
		jz	short loc_9A6089
		mov	eax, [esi]
		mov	[edi+0Ch], eax

loc_9A606F:				; CODE XREF: PfTCleanupBuffers(x)+53j
		mov	ecx, esi
		mov	esi, [edi+0Ch]
		test	esi, esi
		jz	short loc_9A607D
		mov	eax, [esi]
		mov	[edi+0Ch], eax

loc_9A607D:				; CODE XREF: PfTCleanupBuffers(x)+42j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jnz	short loc_9A606F

loc_9A6089:				; CODE XREF: PfTCleanupBuffers(x)+34j
		xor	eax, eax
		mov	[edi+0Ah], ax
		pop	edi
		pop	esi
		retn
_PfTCleanupBuffers@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfTTraceListTrim(x,	x, x)
_PfTTraceListTrim@12 proc near		; CODE XREF: PAGE:008D8A1Fp
					; PfTCleanup(x,x)+5Bp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, edx
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		cmp	ecx, 1
		jnz	short loc_9A60B5
		mov	ecx, offset unk_6D43E4
		mov	esi, offset dword_6D43F4
		mov	ebx, offset dword_6D4494
		jmp	short loc_9A60C4
; 

loc_9A60B5:				; CODE XREF: PfTTraceListTrim(x,x,x)+10j
		mov	ecx, offset unk_6D43DC
		mov	esi, offset dword_6D43EC
		mov	ebx, offset unk_6D4490

loc_9A60C4:				; CODE XREF: PfTTraceListTrim(x,x,x)+21j
		cmp	[esi], eax
		jbe	short loc_9A610E
		push	edi
		mov	edi, [ebp+arg_0]

loc_9A60CC:				; CODE XREF: PfTTraceListTrim(x,x,x)+79j
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	short loc_9A610D
		cmp	[eax+4], ecx
		jnz	short loc_9A6114
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_9A6114
		mov	[ecx], edx
		mov	[edx+4], ecx
		cmp	dword ptr [eax+14h], 0
		jnz	short loc_9A60EE
		mov	edx, [eax+1Ch]
		jmp	short loc_9A60F1
; 

loc_9A60EE:				; CODE XREF: PfTTraceListTrim(x,x,x)+55j
		mov	edx, [eax+28h]

loc_9A60F1:				; CODE XREF: PfTTraceListTrim(x,x,x)+5Aj
		dec	dword ptr [esi]
		add	[ebx], edx
		mov	edx, [edi+4]
		cmp	[edx], edi
		jnz	short loc_9A6114
		mov	[eax], edi
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[edi+4], eax
		mov	eax, [ebp+var_4]
		cmp	[esi], eax
		ja	short loc_9A60CC

loc_9A610D:				; CODE XREF: PfTTraceListTrim(x,x,x)+3Ej
		pop	edi

loc_9A610E:				; CODE XREF: PfTTraceListTrim(x,x,x)+34j
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_9A6114:				; CODE XREF: PfTTraceListTrim(x,x,x)+43j
					; PfTTraceListTrim(x,x,x)+4Aj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PfpSectInfoHandleOutOfBuffers(x)
_PfpSectInfoHandleOutOfBuffers@4:	; DATA XREF: PfTInitialize+16Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 4000h
		call	PfFbBufferListAllocateTemporary
		pop	ebp
		retn	4
_PfTTraceListTrim@12 endp ; sp = -14h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpRpShutdown(x)
_PfpRpShutdown@4 proc near		; CODE XREF: PfpParametersPropagate(x)+9Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		and	dword ptr [ebx+60h], 0FFFFFFFEh
		lea	ecx, [ebx+50h]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	esi, [ebx+1Ch]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebx+8]
		mov	edx, ecx
		test	ecx, ecx
		jz	short loc_9A618B
		mov	edi, [ecx]
		mov	edx, 80000002h
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_9A6180
		xor	eax, eax
		mov	eax, [eax]
		mov	edi, [ecx]

loc_9A6180:				; CODE XREF: PfpRpShutdown(x)+49j
		test	edi, 1
		jz	short loc_9A61AE
		mov	edx, [ebx+8]

loc_9A618B:				; CODE XREF: PfpRpShutdown(x)+3Aj
		mov	eax, [ebx+4]
		add	ecx, 4
		shr	eax, 5
		lea	eax, [edx+eax*4]
		jmp	short loc_9A61A6
; 

loc_9A6199:				; CODE XREF: PfpRpShutdown(x)+79j
		mov	edi, [ecx]
		test	edi, 1
		jz	short loc_9A61AE
		add	ecx, 4

loc_9A61A6:				; CODE XREF: PfpRpShutdown(x)+68j
		cmp	ecx, eax
		jb	short loc_9A6199
		xor	eax, eax
		mov	edi, eax

loc_9A61AE:				; CODE XREF: PfpRpShutdown(x)+57j
					; PfpRpShutdown(x)+72j
		test	edi, edi
		jz	loc_9A6266

loc_9A61B6:				; CODE XREF: PfpRpShutdown(x)+12Ej
		mov	[ebp+var_8], edi
		test	edi, edi
		jz	short loc_9A6202
		mov	esi, [ebx+4]
		or	edx, 0FFFFFFFFh
		mov	ecx, esi
		shr	esi, 5
		and	ecx, 1Fh
		shl	edx, cl
		and	edx, [edi+4]
		movzx	eax, dl
		imul	ecx, eax, 25h
		movzx	eax, dh
		mov	[ebp+var_4], edx
		mov	edx, [ebx+8]
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	ecx, 25h
		add	eax, 164B2F3Fh
		add	eax, ecx
		lea	ecx, [esi-1]
		and	ecx, eax
		lea	esi, [edx+ecx*4]
		jmp	short loc_9A6209
; 

loc_9A6202:				; CODE XREF: PfpRpShutdown(x)+8Cj
		mov	edi, [ebx+8]
		mov	esi, edi
		mov	edx, edi

loc_9A6209:				; CODE XREF: PfpRpShutdown(x)+D1j
		mov	ecx, edi
		test	edi, edi
		jz	short loc_9A622F
		mov	edi, [edi]
		mov	edx, 80000002h
		mov	eax, edi
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_9A6224
		xor	eax, eax
		mov	eax, [eax]
		mov	edi, [ecx]

loc_9A6224:				; CODE XREF: PfpRpShutdown(x)+EDj
		test	edi, 1
		jz	short loc_9A6250
		mov	edx, [ebx+8]

loc_9A622F:				; CODE XREF: PfpRpShutdown(x)+DEj
		mov	eax, [ebx+4]
		lea	ecx, [esi+4]
		shr	eax, 5
		lea	eax, [edx+eax*4]
		jmp	short loc_9A624A
; 

loc_9A623D:				; CODE XREF: PfpRpShutdown(x)+11Dj
		mov	edi, [ecx]
		test	edi, 1
		jz	short loc_9A6250
		add	ecx, 4

loc_9A624A:				; CODE XREF: PfpRpShutdown(x)+10Cj
		cmp	ecx, eax
		jb	short loc_9A623D
		xor	edi, edi

loc_9A6250:				; CODE XREF: PfpRpShutdown(x)+FBj
					; PfpRpShutdown(x)+116j
		xor	eax, eax
		push	eax
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jnz	loc_9A61B6
		lea	esi, [ebx+1Ch]

loc_9A6266:				; CODE XREF: PfpRpShutdown(x)+81j
		mov	eax, [ebx+8]
		test	eax, eax
		jz	short loc_9A6276
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A6276:				; CODE XREF: PfpRpShutdown(x)+13Cj
		lea	eax, [ebx+10h]
		mov	[ebx+0Ch], eax
		xor	eax, eax
		mov	[ebx], eax
		mov	[ebx+8], eax
		mov	[ebx+4], eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A629A
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A629A:				; CODE XREF: PfpRpShutdown(x)+162j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, ebx
		call	_PfpRpControlRequestReset@8 ; PfpRpControlRequestReset(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PfpRpShutdown@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnAppLaunchScenarioControl(x, x)
_PfSnAppLaunchScenarioControl@8	proc near ; CODE XREF: PfSnSetPrefetcherInformation+1370B9p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [esp+30h+var_1C]
		xor	eax, eax
		push	6
		pop	ecx
		cmp	dword ptr [esi], 1
		mov	ebx, eax
		rep stosd
		mov	[esp+30h+var_20], eax
		jz	short loc_9A62EA
		mov	edi, 0C0000059h
		jmp	short loc_9A6369
; 

loc_9A62EA:				; CODE XREF: PfSnAppLaunchScenarioControl(x,x)+2Fj
		cmp	[esi+4], eax
		jnz	short loc_9A62F6
		mov	edi, 0C000000Dh
		jmp	short loc_9A6369
; 

loc_9A62F6:				; CODE XREF: PfSnAppLaunchScenarioControl(x,x)+3Bj
		push	eax
		lea	eax, [esp+34h+var_20]
		push	eax
		push	73576650h
		push	edx
		push	ds:_PsProcessType
		push	8
		push	dword ptr [esi+8]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9A6355
		mov	eax, large fs:124h
		mov	esi, [esp+30h+var_20]
		cmp	[eax+80h], esi
		jz	short loc_9A6338
		lea	eax, [esp+30h+var_1C]
		xor	ebx, ebx
		push	eax
		push	esi
		inc	ebx
		call	KeStackAttachProcess

loc_9A6338:				; CODE XREF: PfSnAppLaunchScenarioControl(x,x)+76j
		push	9
		xor	edx, edx
		mov	ecx, esi
		call	PfSnBeginAppLaunch
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_9A6359
		lea	eax, [esp+30h+var_1C]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		jmp	short loc_9A6359
; 

loc_9A6355:				; CODE XREF: PfSnAppLaunchScenarioControl(x,x)+64j
		mov	esi, [esp+30h+var_20]

loc_9A6359:				; CODE XREF: PfSnAppLaunchScenarioControl(x,x)+95j
					; PfSnAppLaunchScenarioControl(x,x)+A1j
		test	esi, esi
		jz	short loc_9A6369
		mov	edx, 73576650h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_9A6369:				; CODE XREF: PfSnAppLaunchScenarioControl(x,x)+36j
					; PfSnAppLaunchScenarioControl(x,x)+42j ...
		mov	ecx, [esp+30h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PfSnAppLaunchScenarioControl@8	endp


;  S U B	R O U T	I N E 


; __stdcall PfSnFailProcessTrace(x)
_PfSnFailProcessTrace@4	proc near	; CODE XREF: PfSnLogHelper+3Ep
					; PfSnLogStreamDelete(x,x)+68p	...
		lea	eax, [ecx+150h]
		test	byte ptr [eax],	2
		jnz	short loc_9A638F
		push	2
		pop	edx
		lock or	[eax], dx

loc_9A638F:				; CODE XREF: PfSnFailProcessTrace(x)+9j
		lea	eax, [ecx+0Ch]
		mov	ecx, [ecx+100h]
		push	eax		; void *
		push	0Ah
		pop	edx
		call	_PfSnEndProcessTrace@12	; PfSnEndProcessTrace(x,x,x)
		retn
_PfSnFailProcessTrace@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnPowerBoostWorker(x)
_PfSnPowerBoostWorker@4	proc near	; DATA XREF: PfSnPowerBoostInitialize(x)+14o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		call	_PfSnPowerBoostUpdate@4	; PfSnPowerBoostUpdate(x)
		mov	ecx, [ebp+arg_0]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		pop	ebp
		retn	4
_PfSnPowerBoostWorker@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnVolumeCheckIsSdBus(x, x)
_PfSnVolumeCheckIsSdBus@8 proc near	; CODE XREF: PfSnOpenVolumesForPrefetch+11AAD1p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_18		= byte ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	8
		xor	ebx, ebx
		mov	[ebp+var_34], edx
		mov	esi, ecx
		mov	[ebp+var_3C], ebx
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_38], ebx
		push	ebx
		lea	edi, [ebp+var_30]
		mov	[ebp+var_8], ebx
		rep stosd
		push	edx
		mov	[ebp+var_10], 1
		mov	[ebp+var_C], ebx
		call	_ZwResetEvent@8	; ZwResetEvent(x,x)
		mov	edi, [ebp+var_34]
		lea	eax, [ebp+var_30]
		push	20h
		push	eax
		push	0Ch
		lea	eax, [ebp+var_10]
		push	eax
		push	2D1400h
		lea	eax, [ebp+var_3C]
		push	eax
		push	ebx
		push	ebx
		push	edi
		push	dword ptr [esi]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 103h
		jnz	short loc_9A642E
		push	ebx
		push	ebx
		push	edi
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		mov	eax, [ebp+var_3C]

loc_9A642E:				; CODE XREF: PfSnVolumeCheckIsSdBus(x,x)+67j
		test	eax, eax
		js	short loc_9A643B
		xor	ebx, ebx
		cmp	[ebp+var_18], 0Ch
		setz	bl

loc_9A643B:				; CODE XREF: PfSnVolumeCheckIsSdBus(x,x)+76j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PfSnVolumeCheckIsSdBus@8 endp


;  S U B	R O U T	I N E 


; __stdcall PfpParametersPropagate(x)
_PfpParametersPropagate@4 proc near	; CODE XREF: PfpParametersWatcher(x)+11Cp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ecx, offset _PfTGlobals
		call	_PfLockExclusiveAcquire@4 ; PfLockExclusiveAcquire(x)
		mov	ecx, dword_6D4284
		test	cl, 1
		jz	short loc_9A6475
		mov	eax, [edi+30h]
		cmp	eax, dword_6D43F0
		jz	short loc_9A6475
		inc	esi

loc_9A6475:				; CODE XREF: PfpParametersPropagate(x)+1Bj
					; PfpParametersPropagate(x)+26j
		test	cl, 2
		jz	short loc_9A6488
		mov	eax, [edi+2Ch]
		cmp	eax, dword_6D43F8
		jz	short loc_9A6488
		or	esi, 2

loc_9A6488:				; CODE XREF: PfpParametersPropagate(x)+2Cj
					; PfpParametersPropagate(x)+37j
		test	cl, 3
		jz	short loc_9A6493
		test	byte ptr [edi+24h], 1
		jz	short loc_9A6497

loc_9A6493:				; CODE XREF: PfpParametersPropagate(x)+3Fj
		test	esi, esi
		jz	short loc_9A64B8

loc_9A6497:				; CODE XREF: PfpParametersPropagate(x)+45j
		mov	ecx, offset _PfTGlobals
		call	_PfTCleanup@8	; PfTCleanup(x,x)
		push	1		; char
		mov	ecx, offset _PfTGlobals	; void *
		call	PfTInitialize
		push	esi
		mov	ecx, offset _PfTGlobals
		call	PfTStart

loc_9A64B8:				; CODE XREF: PfpParametersPropagate(x)+49j
		mov	edx, [edi+24h]
		mov	eax, dword_6D4920
		and	edx, 2
		push	0
		pop	ecx
		setnz	cl
		and	eax, 1
		cmp	ecx, eax
		jz	short loc_9A64F0
		test	edx, edx
		jz	short loc_9A64E6
		xor	eax, eax
		mov	ecx, offset unk_6D4910
		xchg	eax, [ecx]
		or	dword_6D4920, 1
		jmp	short loc_9A64F0
; 

loc_9A64E6:				; CODE XREF: PfpParametersPropagate(x)+86j
		mov	ecx, offset unk_6D48C0
		call	_PfpRpShutdown@4 ; PfpRpShutdown(x)

loc_9A64F0:				; CODE XREF: PfpParametersPropagate(x)+82j
					; PfpParametersPropagate(x)+98j
		mov	ecx, offset _PfTGlobals
		pop	edi
		pop	esi
		jmp	PfLockExclusiveRelease
_PfpParametersPropagate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfpParametersWatcher(x)
_PfpParametersWatcher@4	proc near	; DATA XREF: PfpParametersInitialize(x)+27o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	6
		xor	eax, eax
		lea	edi, [esp+34h+var_18]
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		xor	edx, edx
		mov	[esp+30h+var_20], edx
		mov	[esp+30h+var_1C], edx
		mov	[esp+30h+var_24], edx
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		lea	edi, [esi+1D8h]
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+4]
		test	eax, eax
		jz	loc_9A6645
		push	1
		push	4
		lea	ebx, [esi+20h]
		push	ebx
		push	0
		push	1000000Fh
		lea	ecx, [esi+8]
		push	ecx
		push	1
		lea	edx, [esi+10h]
		push	edx
		push	0
		push	eax
		call	_ZwNotifyChangeKey@40 ;	ZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	loc_9A6609
		cmp	eax, 0C000017Ch
		jnz	loc_9A6645
		push	offset ??_C@_1NA@JBNHLOOM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		lea	eax, [esp+34h+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ecx, ecx
		mov	[esp+30h+var_18], 18h
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [esp+3Ch+var_20]
		mov	[esp+3Ch+var_14], ecx
		mov	[esp+3Ch+var_10], eax
		lea	eax, [esp+3Ch+var_18]
		push	ecx
		push	eax
		push	0F003Fh
		lea	eax, [esp+48h+var_24]
		mov	[esp+48h+var_C], 240h
		push	eax
		mov	[esp+4Ch+var_8], ecx
		mov	[esp+4Ch+var_4], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9A6645
		mov	ecx, [esi+4]
		mov	eax, [esp+30h+var_24]
		mov	[esi+4], eax
		test	ecx, ecx
		jz	short loc_9A65E5
		push	ecx
		call	_ZwClose@4	; ZwClose(x)

loc_9A65E5:				; CODE XREF: PfpParametersWatcher(x)+E1j
		push	1
		push	4
		push	ebx
		push	0
		push	1000000Fh
		lea	eax, [esi+8]
		push	eax
		push	1
		lea	eax, [esi+10h]
		push	eax
		push	0
		push	dword ptr [esi+4]
		call	_ZwNotifyChangeKey@40 ;	ZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9A6645

loc_9A6609:				; CODE XREF: PfpParametersWatcher(x)+73j
		mov	ecx, esi
		xor	bl, bl
		call	PfpParametersRead
		test	eax, eax
		js	short loc_9A661F
		mov	ecx, esi
		call	_PfpParametersPropagate@4 ; PfpParametersPropagate(x)
		inc	bl

loc_9A661F:				; CODE XREF: PfpParametersWatcher(x)+118j
		mov	ecx, esi
		call	PfSnParametersRead
		test	eax, eax
		js	short loc_9A6631
		call	PfSnDetermineEnablePrefetcher
		mov	bl, 1

loc_9A6631:				; CODE XREF: PfpParametersWatcher(x)+12Cj
		test	bl, bl
		jz	short loc_9A6645
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_9A6645
		push	0
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_9A6645:				; CODE XREF: PfpParametersWatcher(x)+4Aj
					; PfpParametersWatcher(x)+7Ej ...
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
_PfpParametersWatcher@4	endp

		and	al, 6
		cmp	al, 2
		jnz	short loc_9A6659
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A6659:				; CODE XREF: PAGE:009A6650j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4

;  S U B	R O U T	I N E 


; __stdcall PfFbBufferListCleanup(x)
_PfFbBufferListCleanup@4 proc near	; CODE XREF: PfTCleanup(x,x)+149p
					; PfTCleanup(x,x)+150p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		jmp	short loc_9A668D
; 

loc_9A6676:				; CODE XREF: PfFbBufferListCleanup(x)+2Bj
		test	byte ptr [ecx+14h], 1
		jz	short loc_9A668D
		push	dword ptr [esi+24h]
		mov	eax, ecx
		sub	eax, [ecx+0Ch]
		add	[esi+40h], eax
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A668D:				; CODE XREF: PfFbBufferListCleanup(x)+6j
					; PfFbBufferListCleanup(x)+Cj
		lea	ecx, [esi+10h]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_9A6676
		jmp	short loc_9A66B4
; 

loc_9A669D:				; CODE XREF: PfFbBufferListCleanup(x)+52j
		test	byte ptr [ecx+14h], 1
		jz	short loc_9A66B4
		push	dword ptr [esi+24h]
		mov	eax, ecx
		sub	eax, [ecx+0Ch]
		add	[esi+40h], eax
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A66B4:				; CODE XREF: PfFbBufferListCleanup(x)+2Dj
					; PfFbBufferListCleanup(x)+33j
		lea	ecx, [esi+8]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_9A669D
		jmp	short loc_9A66D3
; 

loc_9A66C4:				; CODE XREF: PfFbBufferListCleanup(x)+6Fj
		push	dword ptr [esi+24h]
		mov	ecx, [eax+0Ch]
		sub	[esi+40h], ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A66D3:				; CODE XREF: PfFbBufferListCleanup(x)+54j
		lea	ecx, [esi+18h]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jnz	short loc_9A66C4
		pop	edi
		pop	esi
		retn
_PfFbBufferListCleanup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNewProcessorCallback(x, x, x)
_PopNewProcessorCallback@12 proc near	; DATA XREF: PoInitSystem+5E7o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		xor	esi, esi
		inc	esi
		cmp	[eax], esi
		jnz	short loc_9A6723
		cmp	ds:_PoSkipTickMode, 0
		jnz	short loc_9A6712
		cmp	ds:_PopSkipTickPolicy, esi
		jnz	short loc_9A6712
		call	PopCheckSkipTick
		test	al, al
		jnz	short loc_9A6712
		mov	ds:_PoSkipTickMode, esi

loc_9A6712:				; CODE XREF: PopNewProcessorCallback(x,x,x)+17j
					; PopNewProcessorCallback(x,x,x)+1Fj ...
		xor	ecx, ecx
		call	PpmCheckInitProcessors
		call	_PpmEnableWmiInterface@0 ; PpmEnableWmiInterface()
		call	PpmIdleRegisterDefaultStates

loc_9A6723:				; CODE XREF: PopNewProcessorCallback(x,x,x)+Ej
		pop	esi
		pop	ebp
		retn	0Ch
_PopNewProcessorCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoGetLightestSystemStateForEject(x,	x, x, x)
_PoGetLightestSystemStateForEject@16 proc near
					; CODE XREF: PnpProcessQueryRemoveAndEject(x)+5DAp

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	dh, cl
		push	esi
		push	edi
		push	8
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_45], dl
		xor	esi, esi
		lea	edi, [ebp+var_44]
		mov	[ebp+var_58], esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_4C], esi
		mov	[ebp+var_50], esi
		mov	[ebx], esi
		rep stosd
		lea	edi, [ebp+var_24]
		push	8
		pop	ecx
		rep stosd
		test	dl, dl
		jnz	short loc_9A6775
		cmp	[ebp+arg_0], al
		jnz	short loc_9A6775
		inc	dl
		mov	[ebp+var_45], dl

loc_9A6775:				; CODE XREF: PoGetLightestSystemStateForEject(x,x,x,x)+41j
					; PoGetLightestSystemStateForEject(x,x,x,x)+46j
		test	dh, dh
		jnz	short loc_9A678A
		xor	eax, eax
		test	dl, dl
		setz	al
		inc	eax
		mov	[ebx], eax
		xor	eax, eax
		jmp	loc_9A686A
; 

loc_9A678A:				; CODE XREF: PoGetLightestSystemStateForEject(x,x,x,x)+4Fj
		lea	ecx, [ebp+var_4C]
		call	_PopOpenPowerKey@4 ; PopOpenPowerKey(x)
		test	eax, eax
		js	loc_9A686A
		push	offset _PopUndockPolicyRegName
		lea	eax, [ebp+var_58]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_50]
		push	eax
		push	20h
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		lea	eax, [ebp+var_58]
		push	eax
		push	[ebp+var_4C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		push	[ebp+var_4C]
		mov	edi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	edi, edi
		jns	short loc_9A67E9
		cmp	edi, 0C0000034h
		jz	short loc_9A67DD
		mov	eax, edi
		jmp	loc_9A686A
; 

loc_9A67DD:				; CODE XREF: PoGetLightestSystemStateForEject(x,x,x,x)+ACj
		mov	[ebp+var_10], 0Ah
		mov	[ebp+var_C], esi
		jmp	short loc_9A6808
; 

loc_9A67E9:				; CODE XREF: PoGetLightestSystemStateForEject(x,x,x,x)+A4j
		mov	eax, [ebp+var_1C]
		cmp	eax, 8
		jb	short loc_9A6865
		cmp	[ebp+var_18], 1
		jz	short loc_9A67FE
		mov	eax, 0C0000001h
		jmp	short loc_9A686A
; 

loc_9A67FE:				; CODE XREF: PoGetLightestSystemStateForEject(x,x,x,x)+CDj
		cmp	eax, 10h
		jb	short loc_9A6865
		cmp	[ebp+var_14], eax
		jnz	short loc_9A6865

loc_9A6808:				; CODE XREF: PoGetLightestSystemStateForEject(x,x,x,x)+BFj
		push	20h
		lea	eax, [ebp+var_44]
		push	eax
		push	esi
		push	esi
		push	5
		call	_ZwPowerInformation@20 ; ZwPowerInformation(x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_9A686A
		cmp	[ebp+var_3C], esi
		jz	short loc_9A6834
		imul	edx, [ebp+var_38], 64h
		cmp	edx, [ebp+var_38]
		jbe	short loc_9A6834
		mov	eax, edx
		xor	edx, edx
		div	[ebp+var_3C]
		mov	esi, eax

loc_9A6834:				; CODE XREF: PoGetLightestSystemStateForEject(x,x,x,x)+F8j
					; PoGetLightestSystemStateForEject(x,x,x,x)+101j
		cmp	esi, [ebp+var_10]
		jb	short loc_9A6847
		cmp	[ebp+var_45], 0
		jz	short loc_9A6847
		mov	dword ptr [ebx], 1
		jmp	short loc_9A6861
; 

loc_9A6847:				; CODE XREF: PoGetLightestSystemStateForEject(x,x,x,x)+10Fj
					; PoGetLightestSystemStateForEject(x,x,x,x)+115j
		cmp	[ebp+arg_0], 0
		jz	short loc_9A685C
		cmp	esi, [ebp+var_C]
		sbb	eax, eax
		and	eax, 3
		add	eax, 2
		mov	[ebx], eax
		jmp	short loc_9A6861
; 

loc_9A685C:				; CODE XREF: PoGetLightestSystemStateForEject(x,x,x,x)+123j
		mov	ecx, 0C00002DEh

loc_9A6861:				; CODE XREF: PoGetLightestSystemStateForEject(x,x,x,x)+11Dj
					; PoGetLightestSystemStateForEject(x,x,x,x)+132j
		mov	eax, ecx
		jmp	short loc_9A686A
; 

loc_9A6865:				; CODE XREF: PoGetLightestSystemStateForEject(x,x,x,x)+C7j
					; PoGetLightestSystemStateForEject(x,x,x,x)+D9j ...
		mov	eax, 0C000014Ch

loc_9A686A:				; CODE XREF: PoGetLightestSystemStateForEject(x,x,x,x)+5Dj
					; PoGetLightestSystemStateForEject(x,x,x,x)+6Cj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PoGetLightestSystemStateForEject@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCheckTestsigningEnabled()
_PopCheckTestsigningEnabled@0 proc near	; CODE XREF: PopPowerInformationInternal:loc_8D6B10p
					; PopDripsWatchdogTakeAction(x,x,x)+207p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	8
		pop	ecx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], ecx
		push	eax
		push	ecx
		lea	eax, [ebp+var_C]
		xor	ebx, ebx
		push	eax
		push	67h
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_9A68AE
		test	byte ptr [ebp+var_8], 2
		jz	short loc_9A68AE
		mov	bl, 1

loc_9A68AE:				; CODE XREF: PopCheckTestsigningEnabled()+29j
					; PopCheckTestsigningEnabled()+2Fj
		mov	al, bl
		pop	ebx
		leave
		retn
_PopCheckTestsigningEnabled@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopClearConnectedStandbyMarker(x)
_PopClearConnectedStandbyMarker@4 proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+5A3p
		cmp	_PopBsdSkipLogging, 0
		push	ebx
		mov	ebx, ecx
		jnz	short loc_9A6938
		mov	eax, large fs:124h
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	cl, byte_6D4A03
		and	_PopBsdPowerTransition,	0
		and	dword_6D49FC, 0
		and	byte_6D4A00, 0FDh
		mov	dword_6C3D9C, eax
		mov	al, cl
		xor	al, bl
		and	al, 3Fh
		xor	cl, al
		mov	byte_6D4A03, cl
		xor	ecx, ecx
		inc	ecx
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_9A6928
		and	dword_6C3D9C, 0

loc_9A6928:				; CODE XREF: PopClearConnectedStandbyMarker(x)+6Cj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		pop	edi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
; 

loc_9A6938:				; CODE XREF: PopClearConnectedStandbyMarker(x)+Aj
		pop	ebx
		retn
_PopClearConnectedStandbyMarker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCloneUnicodeString(x, x)
_PopCloneUnicodeString@8 proc near	; CODE XREF: PopDirectedDripsDiagCreateDeviceDescription(x,x)+AEp
					; PopDirectedDripsDiagCreateDeviceDescription(x,x)+BDp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], eax
		push	edi
		mov	edx, [ebx+4]
		mov	edi, esi
		test	edx, edx
		jz	short loc_9A69D1
		movzx	ecx, word ptr [ebx]
		mov	[ebp+var_8], 2
		cmp	cx, word ptr [ebp+var_8]
		jb	short loc_9A69D1
		mov	esi, ecx
		xor	ecx, ecx
		and	esi, 0FFFFFFFEh
		cmp	[edx+esi-2], cx
		jz	short loc_9A6977
		add	esi, [ebp+var_8]

loc_9A6977:				; CODE XREF: PopCloneUnicodeString(x,x)+38j
		cmp	esi, 0FFFFh
		jb	short loc_9A6986
		mov	esi, 80000005h
		jmp	short loc_9A69EC
; 

loc_9A6986:				; CODE XREF: PopCloneUnicodeString(x,x)+43j
		push	67696450h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9A69A0
		mov	esi, 0C000009Ah
		jmp	short loc_9A69E9
; 

loc_9A69A0:				; CODE XREF: PopCloneUnicodeString(x,x)+5Dj
		push	esi		; size_t
		xor	eax, eax
		push	eax		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		add	esp, 0Ch
		mov	edx, ebx
		mov	[eax], cx
		mov	ecx, eax
		mov	[eax+4], edi
		mov	[eax+2], si
		call	_RtlUnicodeStringCopy@8	; RtlUnicodeStringCopy(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9A69D6
		xor	eax, eax
		mov	esi, eax
		jmp	short loc_9A69F3
; 

loc_9A69D1:				; CODE XREF: PopCloneUnicodeString(x,x)+1Aj
					; PopCloneUnicodeString(x,x)+2Aj
		mov	[ebx], esi
		mov	[ebx+4], esi

loc_9A69D6:				; CODE XREF: PopCloneUnicodeString(x,x)+8Fj
		test	edi, edi
		jz	short loc_9A69E5
		push	67696450h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A69E5:				; CODE XREF: PopCloneUnicodeString(x,x)+9Ej
		test	esi, esi
		jns	short loc_9A69F3

loc_9A69E9:				; CODE XREF: PopCloneUnicodeString(x,x)+64j
		mov	eax, [ebp+var_4]

loc_9A69EC:				; CODE XREF: PopCloneUnicodeString(x,x)+4Aj
		xor	edx, edx
		mov	[eax], edx
		mov	[eax+4], edx

loc_9A69F3:				; CODE XREF: PopCloneUnicodeString(x,x)+95j
					; PopCloneUnicodeString(x,x)+ADj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PopCloneUnicodeString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFindNextSystemPowerState(x, x, x)
_PopFindNextSystemPowerState@12	proc near ; CODE XREF: PAGELK:0071EF78p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6C26E4
		push	esi
		mov	esi, ecx
		mov	dword_6C26E0, eax
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jnz	short loc_9A6A50
		test	dword_6C26CC, 80000000h
		jz	short loc_9A6A3C
		mov	eax, [ebp+arg_0]
		cmp	byte ptr [eax],	0
		jz	short loc_9A6A3C
		mov	byte ptr [eax],	0
		and	dword_6C26CC, 0EFFFFFFFh
		mov	dword_6C26E0, esi
		jmp	short loc_9A6A50
; 

loc_9A6A3C:				; CODE XREF: PopFindNextSystemPowerState(x,x,x)+23j
					; PopFindNextSystemPowerState(x,x,x)+2Bj
		test	dl, dl
		jz	short loc_9A6A4E
		push	5
		pop	eax
		cmp	esi, eax
		jnz	short loc_9A6A4E
		mov	dword_6C26E0, eax
		jmp	short loc_9A6A50
; 

loc_9A6A4E:				; CODE XREF: PopFindNextSystemPowerState(x,x,x)+44j
					; PopFindNextSystemPowerState(x,x,x)+4Bj
		xor	cl, cl

loc_9A6A50:				; CODE XREF: PopFindNextSystemPowerState(x,x,x)+17j
					; PopFindNextSystemPowerState(x,x,x)+40j ...
		mov	al, cl
		pop	esi
		pop	ebp
		retn	4
_PopFindNextSystemPowerState@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIsRemoteDesktopEnabled()
_PopIsRemoteDesktopEnabled@0 proc near	; CODE XREF: PopDiagTraceCsResiliencyEnter(x,x,x)+Ep
					; PopNetCheckOpportunisticDs+9BC2Ap

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		xor	ebx, ebx
		push	offset ??_C@_1CG@MAGDEAFE@?$AAf?$AAD?$AAe?$AAn?$AAy?$AAT?$AAS?$AAC?$AAo?$AAn?$AAn?$AAe?$AAc?$AAt?$AAi@NNGAKEGL@
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		stosd
		mov	[ebp+var_20], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		stosd
		mov	[ebp+var_1C], ebx
		stosd
		stosd
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1IG@IMCPMLBL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_28]
		mov	[ebp+var_48], 18h
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_44], ebx
		push	eax
		mov	[ebp+var_3C], 240h
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_9A6B07
		lea	eax, [ebp+var_20]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9A6B07
		cmp	[ebp+var_14], 4
		jnz	short loc_9A6B05
		cmp	[ebp+var_10], 4
		jnz	short loc_9A6B05
		cmp	[ebp+var_C], ebx
		jnz	short loc_9A6B07

loc_9A6B05:				; CODE XREF: PopIsRemoteDesktopEnabled()+A1j
					; PopIsRemoteDesktopEnabled()+A7j
		mov	bl, 1

loc_9A6B07:				; CODE XREF: PopIsRemoteDesktopEnabled()+7Fj
					; PopIsRemoteDesktopEnabled()+9Bj ...
		cmp	[ebp+var_1C], 0
		jz	short loc_9A6B15
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_9A6B15:				; CODE XREF: PopIsRemoteDesktopEnabled()+B4j
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopIsRemoteDesktopEnabled@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopRecordAcDcState(x)
_PopRecordAcDcState@4 proc near		; CODE XREF: PopBatteryApplyCompositeState+A034Dp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	ebx, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	ecx, ecx
		mov	dword_6C3D9C, eax
		inc	ecx
		mov	al, byte_6D4A07
		and	al, 7Fh
		shl	bl, 7
		or	al, bl
		mov	byte_6D4A07, al
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_9A6B79
		and	dword_6C3D9C, 0

loc_9A6B79:				; CODE XREF: PopRecordAcDcState(x)+4Bj
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopRecordAcDcState@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopRecordBatteryLevel(x)
_PopRecordBatteryLevel@4 proc near	; CODE XREF: PopBatteryApplyCompositeState+A062Fp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	ebx, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	ecx, ecx
		mov	dword_6C3D9C, eax
		inc	ecx
		mov	al, byte_6D4A02
		and	al, 3Fh
		shl	bl, 6
		or	al, bl
		mov	byte_6D4A02, al
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_9A6BDD
		and	dword_6C3D9C, 0

loc_9A6BDD:				; CODE XREF: PopRecordBatteryLevel(x)+4Bj
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopRecordBatteryLevel@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopRecordBatteryPercentage(x)
_PopRecordBatteryPercentage@4 proc near	; CODE XREF: PopBatteryApplyCompositeState+A06E1p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	ebx, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	cl, byte_6D4A07
		mov	dword_6C3D9C, eax
		mov	al, cl
		xor	al, bl
		and	al, 7Fh
		xor	cl, al
		mov	byte_6D4A07, cl
		xor	ecx, ecx
		inc	ecx
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_9A6C44
		and	dword_6C3D9C, 0

loc_9A6C44:				; CODE XREF: PopRecordBatteryPercentage(x)+4Ej
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopRecordBatteryPercentage@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopRecordLidStateWorker(x)
_PopRecordLidStateWorker@4 proc	near	; DATA XREF: PoInitSystem+198o
		mov	ecx, offset _PopRecordLidStateWorkItem
		call	_PopOkayToQueueNextWorkItem@4 ;	PopOkayToQueueNextWorkItem(x)
		cmp	_PopErrataReportingIncorrectLidState, 0
		jnz	locret_9A6CEE
		push	ebx
		push	esi
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	_PopLidOpened, 0
		setz	bl
		dec	bl
		and	bl, 40h
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	ecx, ecx
		mov	dword_6C3D9C, eax
		inc	ecx
		mov	al, byte_6D4A03
		and	al, 3Fh
		or	al, bl
		mov	byte_6D4A03, al
		movzx	eax, al
		shr	eax, 6
		mov	dword_6BFDAC, eax
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_9A6CDE
		and	dword_6C3D9C, 0

loc_9A6CDE:				; CODE XREF: PopRecordLidStateWorker(x)+81j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	esi
		pop	ebx

locret_9A6CEE:				; CODE XREF: PopRecordLidStateWorker(x)+11j
		retn	4
_PopRecordLidStateWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopRecordPhysicalPowerButton(x)
_PopRecordPhysicalPowerButton@4	proc near ; CODE XREF: PopPowerButtonWorkCallback(x)+8Ap
					; PopPowerButtonWorkCallback(x)+D5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		push	ebx
		dec	word ptr [eax+13Ch]
		mov	bl, cl
		push	esi
		push	edi
		nop
		xor	edx, edx
		mov	ecx, offset _PopBsdUpdateLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	edx, edx
		mov	ecx, dword_6BFD78
		add	ecx, dword_6BFD7C
		mov	dword_6C3D9C, eax
		and	ecx, 3Fh
		xor	eax, eax
		inc	eax
		call	__allshl
		mov	edi, eax
		mov	esi, edx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_4], esi
		push	eax
		call	KeQuerySystemTime
		test	bl, bl
		jz	loc_9A6DF8
		mov	esi, [ebp+var_10]
		mov	edx, [ebp+var_C]
		mov	cl, byte ptr _PopBsdShutdownInProgress
		mov	_PopBsdPhysicalPowerButtonInfo,	esi
		and	cl, 1
		mov	dword_6D4A1C, edx
		add	cl, cl
		mov	ax, ds:0FFDF02C4h
		mov	word_6D4A24, ax
		mov	al, byte ptr _PopBsdLastPowerWatchdogStage
		inc	dword_6D4A20
		or	dword_6BFD80, edi
		mov	byte_6D4A26, al
		mov	al, byte ptr _PopBsdPowerWatchdogArmed
		and	al, 1
		mov	dword_6BFD88, esi
		or	cl, al
		mov	dword_6BFD8C, edx
		mov	al, byte_6D4A27
		and	al, 0FCh
		or	cl, al
		mov	al, byte ptr _PopBsdCurrentCsPhase
		mov	byte_6D4A38, al
		mov	eax, _PopBsdTransitionLatestCheckpointId
		mov	dword_6D4A3C, eax
		mov	eax, _PopBsdTransitionLatestCheckpointType
		mov	dword_6D4A40, eax
		mov	eax, _PopBsdTransitionLatestCheckpointSeqNumber
		mov	dword_6D4A44, eax
		mov	eax, [ebp+var_4]
		or	dword_6BFD84, eax
		inc	dword_6BFD78
		mov	byte_6D4A27, cl
		jmp	short loc_9A6E3E
; 

loc_9A6DF8:				; CODE XREF: PopRecordPhysicalPowerButton(x)+65j
		mov	edx, [ebp+var_10]
		not	edi
		mov	ecx, [ebp+var_C]
		not	esi
		mov	dword_6D4A28, edx
		mov	dword_6D4A2C, ecx
		mov	ax, ds:0FFDF02C4h
		inc	dword_6D4A30
		and	dword_6BFD80, edi
		and	dword_6BFD84, esi
		inc	dword_6BFD7C
		mov	word_6D4A34, ax
		mov	dword_6BFD90, edx
		mov	dword_6BFD94, ecx

loc_9A6E3E:				; CODE XREF: PopRecordPhysicalPowerButton(x)+105j
		mov	eax, dword_6BFD78
		mov	ecx, dword_6BFD7C
		cmp	eax, ecx
		jb	short loc_9A6E54
		sub	eax, ecx
		cmp	eax, 1
		jbe	short loc_9A6E5B

loc_9A6E54:				; CODE XREF: PopRecordPhysicalPowerButton(x)+15Aj
		mov	byte_6BFDA8, 1

loc_9A6E5B:				; CODE XREF: PopRecordPhysicalPowerButton(x)+161j
		push	4
		pop	ecx
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_9A6E73
		and	dword_6C3D9C, 0

loc_9A6E73:				; CODE XREF: PopRecordPhysicalPowerButton(x)+179j
		xor	edx, edx
		mov	ecx, offset _PopBsdUpdateLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopRecordPhysicalPowerButton@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopRecordPowerButton()
_PopRecordPowerButton@0	proc near	; CODE XREF: PdcPoRecordButton()j

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	edi
		push	eax
		call	KeQuerySystemTime
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	ecx, ecx
		mov	dword_6C3D9C, eax
		inc	ecx
		mov	eax, [ebp+var_8]
		mov	_PopBsdPowerTransition,	eax
		mov	eax, [ebp+var_4]
		mov	dword_6D49FC, eax
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_9A6EF1
		and	dword_6C3D9C, 0

loc_9A6EF1:				; CODE XREF: PopRecordPowerButton()+5Fj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		leave
		retn
_PopRecordPowerButton@0	endp


;  S U B	R O U T	I N E 


; __stdcall PopRecordSleepCheckpointSource(x)
_PopRecordSleepCheckpointSource@4 proc near ; CODE XREF: PopCheckShutdownMarker+2736Fp
					; PopCheckShutdownMarker+27395p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	ebx, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C3D9C, eax
		mov	al, byte_6D4C81
		shl	bl, 2
		xor	bl, al
		and	bl, 0Ch
		push	8
		xor	al, bl
		pop	ecx
		mov	byte_6D4C81, al
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_9A6F59
		and	dword_6C3D9C, 0

loc_9A6F59:				; CODE XREF: PopRecordSleepCheckpointSource(x)+4Ej
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopRecordSleepCheckpointSource@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSaveHibernateEnabled()
_PopSaveHibernateEnabled@0 proc	near	; CODE XREF: PopEnableHiberFile(x,x)+450p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		lea	ecx, [ebp+var_4]
		push	esi
		xor	esi, esi
		mov	edx, offset _PopControlRegKey
		cmp	ds:_PopHiberEnabled, al
		push	20006h
		setnz	al
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	ds:_PopHiberEnabledReg,	eax
		call	_PopOpenKey@12	; PopOpenKey(x,x,x)
		test	eax, eax
		js	short loc_9A6FD2
		push	(offset	off_4284A6+2)
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		push	offset _PopHiberEnabledReg
		push	4
		push	esi
		mov	esi, [ebp+var_4]
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		test	esi, esi
		jz	short loc_9A6FD2
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_9A6FD2:				; CODE XREF: PopSaveHibernateEnabled()+38j
					; PopSaveHibernateEnabled()+61j
		pop	esi
		leave
		retn
_PopSaveHibernateEnabled@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopSetCleanShutdownMarker()
_PopSetCleanShutdownMarker@0 proc near	; CODE XREF: PopGracefulShutdown(x)+1ACp
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		and	byte_6D4A00, 0FEh
		push	8
		pop	ecx
		mov	dword_6C3D9C, eax
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_9A701C
		and	dword_6C3D9C, 0

loc_9A701C:				; CODE XREF: PopSetCleanShutdownMarker()+3Ej
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopSetCleanShutdownMarker@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopSetConnectedStandbyMarker(x, x, x)
_PopSetConnectedStandbyMarker@12 proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+49Ep
		cmp	_PopBsdSkipLogging, 0
		push	ebx
		push	esi
		mov	esi, _PopWnfCsEnterScenarioId
		mov	ebx, ecx
		push	edi
		mov	edi, dword_6C1D84
		jnz	short loc_9A70BA
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopBsdUpdateLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	cl, byte_6D4A02
		or	byte_6D4A00, 2
		mov	dword_6C3D9C, eax
		mov	al, cl
		xor	al, bl
		mov	dword_6D4C98, esi
		and	al, 3Fh
		mov	dword_6D4C9C, edi
		xor	cl, al
		mov	byte_6D4A02, cl
		xor	ecx, ecx
		inc	ecx
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_9A70A9
		and	dword_6C3D9C, 0

loc_9A70A9:				; CODE XREF: PopSetConnectedStandbyMarker(x,x,x)+75j
		xor	edx, edx
		mov	ecx, offset _PopBsdUpdateLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9A70BA:				; CODE XREF: PopSetConnectedStandbyMarker(x,x,x)+18j
		pop	edi
		pop	esi
		pop	ebx
		retn	8
_PopSetConnectedStandbyMarker@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopSetShutdownMarker()
_PopSetShutdownMarker@0	proc near	; CODE XREF: PAGELK:loc_71EF1Fp
		mov	_PopBsdShutdownInProgress, 1
		retn
_PopSetShutdownMarker@0	endp


;  S U B	R O U T	I N E 


; __stdcall PopSetSystemShutdownMarker()
_PopSetSystemShutdownMarker@0 proc near	; CODE XREF: NtInitiatePowerAction+A6933p
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopBsdUpdateLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		or	byte_6D4A00, 8
		mov	dword_6C3D9C, eax
		mov	al, byte ptr dword_6C26D4
		push	8
		pop	ecx
		mov	_PopBsdPowerTransitionExtension, al
		call	_PopBsdHandleRequest@4 ; PopBsdHandleRequest(x)
		cmp	dword_6C3D9C, 0
		jz	short loc_9A711C
		and	dword_6C3D9C, 0

loc_9A711C:				; CODE XREF: PopSetSystemShutdownMarker()+48j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopSetSystemShutdownMarker@0 endp


;  S U B	R O U T	I N E 


; __stdcall PpmClearSimulatedLoad(x)
_PpmClearSimulatedLoad@4 proc near	; CODE XREF: NtPowerInformation+17210Ep
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	esi, esi
		push	edi
		mov	ecx, offset _PpmPerfPolicyLock
		mov	edi, esi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		cmp	byte ptr [ebx+3], 0
		jz	short loc_9A714D

loc_9A7146:				; CODE XREF: PpmClearSimulatedLoad(x)+2Bj
		mov	esi, 0C000000Dh
		jmp	short loc_9A716B
; 

loc_9A714D:				; CODE XREF: PpmClearSimulatedLoad(x)+19j
		push	ebx
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9A7146
		mov	ecx, eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	edi, [eax+3EACh]
		mov	[eax+3EACh], esi

loc_9A716B:				; CODE XREF: PpmClearSimulatedLoad(x)+20j
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		test	edi, edi
		jz	short loc_9A7184
		push	704D5050h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A7184:				; CODE XREF: PpmClearSimulatedLoad(x)+4Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_PpmClearSimulatedLoad@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpmPerfAccumulateBrandedFrequency(x, x)
_PpmPerfAccumulateBrandedFrequency@8 proc near
					; CODE XREF: PpmPerfGetBrandedFrequency(x,x)+56p
					; PpmPerfGetBrandedFrequency(x,x)+88p
		mov	edi, edi
		push	esi
		mov	esi, edx
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, [eax+3EA0h]
		test	ecx, ecx
		jz	short loc_9A71A3
		mov	eax, [ecx+54h]
		jmp	short loc_9A71A9
; 

loc_9A71A3:				; CODE XREF: PpmPerfAccumulateBrandedFrequency(x,x)+12j
		mov	eax, [eax+3C0h]

loc_9A71A9:				; CODE XREF: PpmPerfAccumulateBrandedFrequency(x,x)+17j
		cmp	[esi+4], eax
		jnb	short loc_9A71B1
		mov	[esi+4], eax

loc_9A71B1:				; CODE XREF: PpmPerfAccumulateBrandedFrequency(x,x)+22j
		mov	dword ptr [esi], 1
		pop	esi
		retn
_PpmPerfAccumulateBrandedFrequency@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPerfGetBrandedFrequency(x, x)
_PpmPerfGetBrandedFrequency@8 proc near	; CODE XREF: PopPowerInformationInternal+1718EEp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_6		= word ptr -6
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	eax, eax
		xor	esi, esi
		mov	[ebp+var_6], ax
		mov	ecx, offset _PpmPerfPolicyLock
		mov	[ebp+var_4], esi
		mov	ebx, edx
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	[ebx+4], esi
		test	edi, edi
		jz	short loc_9A7216
		cmp	byte ptr [edi+3], 0
		jz	short loc_9A7200

loc_9A71EA:				; CODE XREF: PpmPerfGetBrandedFrequency(x,x)+50j
		mov	esi, 0C000000Dh

loc_9A71EF:				; CODE XREF: PpmPerfGetBrandedFrequency(x,x)+5Bj
					; PpmPerfGetBrandedFrequency(x,x)+81j
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9A7200:				; CODE XREF: PpmPerfGetBrandedFrequency(x,x)+2Fj
		push	edi
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9A71EA
		mov	edx, ebx
		mov	ecx, eax
		call	_PpmPerfAccumulateBrandedFrequency@8 ; PpmPerfAccumulateBrandedFrequency(x,x)
		jmp	short loc_9A71EF
; 

loc_9A7216:				; CODE XREF: PpmPerfGetBrandedFrequency(x,x)+29j
		xor	eax, eax
		mov	[ebp+var_8], ax
		mov	eax, dword_6B5BAC
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], offset _PpmCheckRegistered

loc_9A722B:				; CODE XREF: PpmPerfGetBrandedFrequency(x,x)+8Dj
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short loc_9A71EF
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	_PpmPerfAccumulateBrandedFrequency@8 ; PpmPerfAccumulateBrandedFrequency(x,x)
		jmp	short loc_9A722B
_PpmPerfGetBrandedFrequency@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPerfResizeHistory(x)
_PpmPerfResizeHistory@4	proc near	; CODE XREF: PpmPerfResizeHistoryAll()+3Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	edi, edi
		mov	[ebp+var_C], ebx
		call	PpmGetPerfPolicyClass
		movzx	esi, al
		mov	eax, _PpmCurrentProfile
		imul	edx, dword_6C2D0C, 0F0h
		add	edx, eax
		mov	eax, [ebx+10h]
		mov	cl, [edx+esi+38h]
		mov	[ebp+var_1], cl
		movzx	ecx, cl
		mov	[ebp+var_8], ecx
		test	eax, eax
		jz	short loc_9A728B
		cmp	[eax], ecx
		jz	short loc_9A72E1

loc_9A728B:				; CODE XREF: PpmPerfResizeHistory(x)+3Dj
		mov	esi, 704D5050h
		test	eax, eax
		jz	short loc_9A72A1
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_8]
		mov	[ebx+10h], edi

loc_9A72A1:				; CODE XREF: PpmPerfResizeHistory(x)+4Aj
		cmp	[ebp+var_1], 1
		jbe	short loc_9A72E1
		imul	ebx, ecx, 0Ah
		push	esi
		add	ebx, 20h
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9A72C6
		mov	edi, 0C000009Ah
		jmp	short loc_9A72E1
; 

loc_9A72C6:				; CODE XREF: PpmPerfResizeHistory(x)+75j
		push	ebx		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+var_C]
		add	esp, 0Ch
		mov	eax, [ebp+var_8]
		mov	[esi], eax
		mov	[ecx+10h], esi
		call	PpmPerfResetHistory

loc_9A72E1:				; CODE XREF: PpmPerfResizeHistory(x)+41j
					; PpmPerfResizeHistory(x)+5Dj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PpmPerfResizeHistory@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPerfResizeHistoryAll()
_PpmPerfResizeHistoryAll@0 proc	near	; CODE XREF: PpmReapplyPerfPolicy:loc_92FCAFp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		and	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	eax, dword_6B5BAC
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], offset _PpmCheckRegistered

loc_9A7307:				; CODE XREF: PpmPerfResizeHistoryAll()+43j
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_KeEnumerateNextProcessor@8 ; KeEnumerateNextProcessor(x,x)
		test	eax, eax
		jnz	short locret_9A732D
		mov	ecx, [ebp+var_4]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		lea	ecx, [eax+3EA0h]
		call	_PpmPerfResizeHistory@4	; PpmPerfResizeHistory(x)
		jmp	short loc_9A7307
; 

locret_9A732D:				; CODE XREF: PpmPerfResizeHistoryAll()+2Ej
		leave
		retn
_PpmPerfResizeHistoryAll@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPerfTelemetryWorker(x)
_PpmPerfTelemetryWorker@4 proc near	; DATA XREF: PpmPerfInitialize+E3o

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+9Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		xor	ecx, ecx
		call	PpmPerfUpdateQosDisableReasons
		mov	esi, ds:dword_70ED40
		mov	ebx, 989680h
		mov	edi, ds:dword_70ED44
		mov	ecx, esi
		sub	ecx, ds:dword_70ED48
		mov	eax, edi
		push	0
		sbb	eax, ds:dword_70ED4C
		push	ebx
		push	eax
		push	ecx
		call	__aulldiv
		mov	ds:dword_70ED48, esi
		mov	esi, ds:dword_70ED50
		mov	ecx, esi
		sub	ecx, ds:dword_70ED58
		mov	[esp+0A8h+var_98], eax
		push	0
		mov	ds:dword_70ED4C, edi
		mov	edi, ds:dword_70ED54
		mov	eax, edi
		sbb	eax, ds:dword_70ED5C
		push	ebx
		push	eax
		push	ecx
		call	__aulldiv
		lea	ecx, [esp+0A8h+var_28]
		mov	[esp+0A8h+var_94], eax
		mov	ds:dword_70ED58, esi
		xor	ebx, ebx
		mov	ds:dword_70ED5C, edi
		mov	[esp+0A8h+var_90], ecx

loc_9A73DD:				; CODE XREF: PpmPerfTelemetryWorker(x)+F9j
		mov	esi, ds:dword_70ED60[ebx]
		mov	ecx, esi
		sub	ecx, ds:dword_70EDA8[ebx]
		mov	edi, ds:dword_70ED64[ebx]
		mov	eax, edi
		sbb	eax, ds:dword_70EDAC[ebx]
		push	0
		push	989680h
		push	eax
		push	ecx
		call	__aulldiv
		mov	ecx, [esp+0A8h+var_90]
		mov	ds:dword_70EDAC[ebx], edi
		push	4
		mov	ds:dword_70EDA8[ebx], esi
		add	ebx, 8
		pop	edi
		mov	[ecx], eax
		add	ecx, edi
		mov	[esp+0A8h+var_90], ecx
		cmp	ebx, 48h
		jb	short loc_9A73DD
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		cmp	dword_6B23F8, 5
		jbe	loc_9A74F7
		push	4000h
		xor	ebx, ebx
		mov	esi, offset dword_6B23F8
		push	ebx
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9A74F7
		mov	eax, [esp+0A8h+var_98]
		mov	[esp+0A8h+var_98], eax
		lea	eax, [esp+0A8h+var_98]
		mov	[esp+0A8h+var_68], eax
		mov	eax, [esp+0A8h+var_94]
		mov	[esp+0A8h+var_94], eax
		lea	eax, [esp+0A8h+var_94]
		mov	[esp+0A8h+var_58], eax
		lea	eax, [esp+0A8h+var_28]
		mov	[esp+0A8h+var_48], eax
		lea	eax, [esp+0A8h+var_90]
		mov	[esp+0A8h+var_38], eax
		lea	eax, [esp+0A8h+var_88]
		push	eax
		push	6
		push	ebx
		push	ebx
		push	offset loc_41D6D6
		push	esi
		mov	[esp+0C0h+var_64], ebx
		mov	[esp+0C0h+var_60], edi
		mov	[esp+0C0h+var_5C], ebx
		mov	[esp+0C0h+var_54], ebx
		mov	[esp+0C0h+var_50], edi
		mov	[esp+0C0h+var_4C], ebx
		mov	[esp+0C0h+var_44], ebx
		mov	[esp+0C0h+var_40], 24h
		mov	[esp+0C0h+var_3C], ebx
		mov	[esp+0C0h+var_90], 1000000h
		mov	[esp+0C0h+var_8C], ebx
		mov	[esp+0C0h+var_34], ebx
		mov	[esp+0C0h+var_30], 8
		mov	[esp+0C0h+var_2C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9A74F7:				; CODE XREF: PpmPerfTelemetryWorker(x)+10Cj
					; PpmPerfTelemetryWorker(x)+128j
		mov	ecx, offset unk_6C3CB8
		call	_PopOkayToQueueNextWorkItem@4 ;	PopOkayToQueueNextWorkItem(x)
		mov	ecx, [esp+0A8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_PpmPerfTelemetryWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmSetSimulatedLoad(x)
_PpmSetSimulatedLoad@4 proc near	; CODE XREF: NtPowerInformation+1720FDp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ecx, offset _PpmPerfPolicyLock
		mov	ebx, esi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		cmp	[edi+3], bl
		jz	short loc_9A753D

loc_9A7536:				; CODE XREF: PpmSetSimulatedLoad(x)+2Ej
		mov	esi, 0C000000Dh
		jmp	short loc_9A7589
; 

loc_9A753D:				; CODE XREF: PpmSetSimulatedLoad(x)+1Cj
		push	edi
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9A7536
		mov	ecx, eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		push	704D5050h
		push	2
		add	eax, 3EA0h
		push	200h
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_9A7575
		mov	esi, 0C000009Ah
		jmp	short loc_9A7589
; 

loc_9A7575:				; CODE XREF: PpmSetSimulatedLoad(x)+54j
		mov	al, [edi+4]
		mov	[ecx], al
		mov	al, [edi+5]
		mov	[ecx+1], al
		mov	eax, [ebp+var_4]
		mov	ebx, [eax+0Ch]
		mov	[eax+0Ch], ecx

loc_9A7589:				; CODE XREF: PpmSetSimulatedLoad(x)+23j
					; PpmSetSimulatedLoad(x)+5Bj
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		test	ebx, ebx
		jz	short loc_9A75A2
		push	704D5050h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A75A2:				; CODE XREF: PpmSetSimulatedLoad(x)+7Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PpmSetSimulatedLoad@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmUpdatePerfStates(x)
_PpmUpdatePerfStates@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, offset _PpmPerfPolicyLock
		mov	ecx, edi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+4]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	eax, [eax+3EA0h]
		test	eax, eax
		jz	short loc_9A7602
		mov	ecx, [esi]
		cmp	[eax+58h], ecx
		jz	short loc_9A75E4
		mov	[eax+58h], ecx
		mov	cl, 1
		call	PpmPerfUpdateDomainPolicy
		jmp	short loc_9A75EB
; 

loc_9A75E4:				; CODE XREF: PpmUpdatePerfStates(x)+2Dj
		mov	ecx, edi
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)

loc_9A75EB:				; CODE XREF: PpmUpdatePerfStates(x)+39j
		cmp	ds:_PpmPerfDomainCount,	1
		jbe	short loc_9A7602
		mov	ecx, edi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	cl, 1
		call	_PpmReinitializeHeteroEngine@4 ; PpmReinitializeHeteroEngine(x)

loc_9A7602:				; CODE XREF: PpmUpdatePerfStates(x)+26j
					; PpmUpdatePerfStates(x)+49j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_PpmUpdatePerfStates@4 endp


;  S U B	R O U T	I N E 


; __stdcall PoFxAbandonDevice(x)
_PoFxAbandonDevice@4 proc near		; CODE XREF: PnpDriverLoadingFailed+8390Dp
					; IopRemoveDevice(x,x)+150p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_PopDirectedDripsDiagDestroyDeviceDiagnostic@4 ; PopDirectedDripsDiagDestroyDeviceDiagnostic(x)
		lea	edi, [esi+0A8h]
		xor	edx, edx
		mov	eax, [edi]

loc_9A761E:				; CODE XREF: PoFxAbandonDevice(x)+1Ej
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [edi], ecx
		jnz	short loc_9A761E
		test	al, 1
		jz	short loc_9A765F
		mov	ecx, esi
		call	_PopFxUnregisterDeviceOrWait@4 ; PopFxUnregisterDeviceOrWait(x)
		mov	eax, [esi+50h]
		lea	ebx, [esi+48h]
		test	eax, eax
		jz	short loc_9A7649
		mov	edx, ebx
		mov	ecx, eax
		call	_PopPluginAbandonDevice@8 ; PopPluginAbandonDevice(x,x)
		mov	eax, [esi+50h]

loc_9A7649:				; CODE XREF: PoFxAbandonDevice(x)+33j
		push	0
		push	ebx
		mov	edx, eax
		mov	ecx, esi
		call	_PopDiagTraceFxDevicePreparation@16 ; PopDiagTraceFxDevicePreparation(x,x,x,x)
		and	dword ptr [esi+50h], 0
		push	0FFFFFFFEh
		pop	eax
		lock and [edi],	eax

loc_9A765F:				; CODE XREF: PoFxAbandonDevice(x)+22j
		push	0FFFFFFFDh
		pop	edx
		mov	eax, [edi]

loc_9A7664:				; CODE XREF: PoFxAbandonDevice(x)+64j
		mov	ecx, eax
		and	ecx, edx
		lock cmpxchg [edi], ecx
		jnz	short loc_9A7664
		test	al, 2
		jz	short loc_9A767C
		mov	ecx, esi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PopFxFreeUniqueId@4 ; PopFxFreeUniqueId(x)
; 

loc_9A767C:				; CODE XREF: PoFxAbandonDevice(x)+68j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PoFxAbandonDevice@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1680. PoFxEnableDStateReporting

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxEnableDStateReporting(x, x)
		public _PoFxEnableDStateReporting@8
_PoFxEnableDStateReporting@8 proc near

var_78		= dword	ptr -78h
var_50		= dword	ptr -50h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		test	ebx, ebx
		jnz	short loc_9A76AF

loc_9A76A8:				; CODE XREF: PoFxEnableDStateReporting(x,x)+2Cj
		mov	edi, 0C000000Dh
		jmp	short loc_9A771F
; 

loc_9A76AF:				; CODE XREF: PoFxEnableDStateReporting(x,x)+21j
		test	esi, esi
		jz	short loc_9A76A8
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+88h+var_78]
		push	30h		; size_t
		push	eax		; int
		rep stosd
		lea	eax, [esp+90h+var_50]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [esp+88h+var_20]
		xor	eax, eax
		xor	edx, edx
		inc	edx
		mov	[esp+88h+var_34], edx
		push	6
		pop	ecx
		rep stosd
		push	esi
		lea	eax, [esp+8Ch+var_20]
		mov	ecx, ebx
		mov	[esp+8Ch+var_30], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	edx
		lea	eax, [esp+9Ch+var_50]
		push	eax
		lea	edx, [esp+0A0h+var_78]
		call	PopFxRegisterDevice
		mov	edi, eax
		test	edi, edi
		js	short loc_9A771F
		mov	ecx, [esi]
		mov	edx, [ecx+238h]
		mov	ecx, [esi]
		or	edx, 1
		mov	[ecx+238h], edx
		push	dword ptr [esi]
		call	PoFxStartDevicePowerManagement

loc_9A771F:				; CODE XREF: PoFxEnableDStateReporting(x,x)+28j
					; PoFxEnableDStateReporting(x,x)+7Ej
		mov	ecx, [esp+88h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_PoFxEnableDStateReporting@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1689. PoFxRegisterComponentPerfStates

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxRegisterComponentPerfStates(x, x, x, x,	x, x, x)
		public _PoFxRegisterComponentPerfStates@28
_PoFxRegisterComponentPerfStates@28 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		cmp	edx, [ecx+23Ch]
		jb	short loc_9A775F
		push	2
		push	edx
		mov	edx, ecx
		mov	ecx, 614h

loc_9A775A:				; CODE XREF: PoFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+43j
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_9A775F:				; CODE XREF: PoFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+11j
		lfence	eax
		mov	eax, [ecx+240h]
		push	esi
		mov	esi, [eax+edx*4]
		mov	eax, [esi+168h]
		test	eax, eax
		jz	short loc_9A7782
		push	0
		push	edx
		mov	edx, ecx
		mov	ecx, 600h
		jmp	short loc_9A775A
; 

loc_9A7782:				; CODE XREF: PoFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+37j
		push	[ebp+arg_18]
		mov	edx, esi
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_PopFxRegisterComponentPerfStates@28 ; PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)
		pop	esi
		pop	ebp
		retn	1Ch
_PoFxRegisterComponentPerfStates@28 endp ; sp =	-8

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1694. PoFxRegisterPlugin

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxRegisterPlugin(x, x)
		public _PoFxRegisterPlugin@8
_PoFxRegisterPlugin@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	0
		call	_PopFxRegisterPluginEx@16 ; PopFxRegisterPluginEx(x,x,x,x)
		pop	ebp
		retn	8
_PoFxRegisterPlugin@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1696. PoFxRegisterPrimaryDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxRegisterPrimaryDevice(x, x, x)
		public _PoFxRegisterPrimaryDevice@12
_PoFxRegisterPrimaryDevice@12 proc near

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	edi, ebx
		cmp	[ebp+arg_0], ebx
		jz	loc_9A7887
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	loc_9A7887
		cmp	dword ptr [esi], 1
		jnz	loc_9A7887
		mov	edx, [esi+4]
		lea	ecx, [esi+2Ch]
		call	PopFxConvertV1Components
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9A7809
		mov	ebx, 0C000009Ah
		jmp	loc_9A789B
; 

loc_9A7809:				; CODE XREF: PoFxRegisterPrimaryDevice(x,x,x)+3Ej
		push	[ebp+arg_8]
		mov	eax, [esi+0Ch]
		lea	edx, [esp+3Ch+var_28]
		mov	ecx, [ebp+arg_0]
		mov	[esp+3Ch+var_28], eax
		mov	eax, [esi+10h]
		mov	[esp+3Ch+var_24], eax
		mov	eax, [esi+14h]
		push	ebx
		mov	[esp+40h+var_20], eax
		mov	eax, [esi+18h]
		push	ebx
		push	dword ptr [esi+28h]
		mov	[esp+48h+var_1C], eax
		mov	eax, [esi+1Ch]
		push	dword ptr [esi+4]
		mov	[esp+4Ch+var_18], eax
		mov	eax, [esi+20h]
		mov	[esp+4Ch+var_14], eax
		mov	eax, [esi+24h]
		push	edi
		mov	[esp+50h+var_C], ebx
		mov	[esp+50h+var_8], ebx
		mov	[esp+50h+var_4], ebx
		mov	[esp+50h+var_10], eax
		call	PopFxRegisterDevice
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9A788C
		cmp	_PopErrataDisablePrimaryDeviceFastResume, 0
		jz	short loc_9A788C
		test	byte ptr [esi+8], 1
		jz	short loc_9A788C
		mov	eax, [ebp+arg_8]
		mov	ecx, 80h
		mov	eax, [eax]
		add	eax, 238h
		lock or	[eax], ecx
		jmp	short loc_9A788C
; 

loc_9A7887:				; CODE XREF: PoFxRegisterPrimaryDevice(x,x,x)+15j
					; PoFxRegisterPrimaryDevice(x,x,x)+20j	...
		mov	ebx, 0C000000Dh

loc_9A788C:				; CODE XREF: PoFxRegisterPrimaryDevice(x,x,x)+A3j
					; PoFxRegisterPrimaryDevice(x,x,x)+ACj	...
		test	edi, edi
		jz	short loc_9A789B
		push	4D584650h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A789B:				; CODE XREF: PoFxRegisterPrimaryDevice(x,x,x)+45j
					; PoFxRegisterPrimaryDevice(x,x,x)+CFj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PoFxRegisterPrimaryDevice@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1702. PoFxSetTargetDripsDevicePowerState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxSetTargetDripsDevicePowerState(x, x)
		public _PoFxSetTargetDripsDevicePowerState@8
_PoFxSetTargetDripsDevicePowerState@8 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _PopFxDeviceAccountingLevel
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		test	eax, eax
		js	short loc_9A78CF
		mov	esi, 0C00000BBh
		jmp	loc_9A79B2
; 

loc_9A78CF:				; CODE XREF: PoFxSetTargetDripsDevicePowerState(x,x)+18j
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	edi, 1
		jz	loc_9A79AC
		cmp	edi, 4
		jg	loc_9A79AC
		mov	eax, dword_6D4640
		mov	[ebp+arg_4], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9A78FC
		mov	esi, 0C0000001h
		jmp	loc_9A79B1
; 

loc_9A78FC:				; CODE XREF: PoFxSetTargetDripsDevicePowerState(x,x)+45j
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	loc_9A79AC
		mov	ecx, ebx
		call	PopFxAddRefDevice
		xor	edx, edx
		lea	ecx, [ebx+238h]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		test	al, 10h
		jnz	short loc_9A7927

loc_9A7920:				; CODE XREF: PoFxSetTargetDripsDevicePowerState(x,x)+81j
					; PoFxSetTargetDripsDevicePowerState(x,x)+97j ...
		mov	esi, 0C0000001h
		jmp	short loc_9A797F
; 

loc_9A7927:				; CODE XREF: PoFxSetTargetDripsDevicePowerState(x,x)+73j
		mov	ecx, [ebx+20h]
		test	ecx, ecx
		jz	short loc_9A7920
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		call	_PopPepGetMinimumDevicePowerState@20 ; PopPepGetMinimumDevicePowerState(x,x,x,x,x)
		test	al, al
		jz	short loc_9A7920
		mov	eax, [ebp+var_8]
		test	edi, edi
		jnz	short loc_9A7950
		cmp	eax, [ebp+var_4]
		jz	short loc_9A797F

loc_9A7950:				; CODE XREF: PoFxSetTargetDripsDevicePowerState(x,x)+9Ej
		cmp	edi, eax
		jz	short loc_9A797F
		cmp	[ebp+var_4], 1
		jle	short loc_9A7963
		test	edi, edi
		jz	short loc_9A7963
		cmp	edi, [ebp+var_4]
		jle	short loc_9A7920

loc_9A7963:				; CODE XREF: PoFxSetTargetDripsDevicePowerState(x,x)+ADj
					; PoFxSetTargetDripsDevicePowerState(x,x)+B1j
		push	4D584650h
		push	20h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_9A7988
		mov	esi, 0C000009Ah

loc_9A797F:				; CODE XREF: PoFxSetTargetDripsDevicePowerState(x,x)+7Aj
					; PoFxSetTargetDripsDevicePowerState(x,x)+A3j ...
		mov	ecx, ebx
		call	_PopFxReleaseDevice@4 ;	PopFxReleaseDevice(x)
		jmp	short loc_9A79B1
; 

loc_9A7988:				; CODE XREF: PoFxSetTargetDripsDevicePowerState(x,x)+CDj
		lea	eax, [edx+10h]
		mov	[edx+4], edx
		push	1
		push	eax
		mov	[edx], edx
		mov	[edx+8], ebx
		mov	[edx+0Ch], edi
		mov	dword ptr [eax+8], offset _PopFxUpdateVetoMaskWork@4 ; PopFxUpdateVetoMaskWork(x)
		mov	[eax+0Ch], edx
		mov	[eax], esi
		call	ExQueueWorkItem
		jmp	short loc_9A79B1
; 

loc_9A79AC:				; CODE XREF: PoFxSetTargetDripsDevicePowerState(x,x)+2Bj
					; PoFxSetTargetDripsDevicePowerState(x,x)+34j ...
		mov	esi, 0C000000Dh

loc_9A79B1:				; CODE XREF: PoFxSetTargetDripsDevicePowerState(x,x)+4Cj
					; PoFxSetTargetDripsDevicePowerState(x,x)+DBj ...
		pop	edi

loc_9A79B2:				; CODE XREF: PoFxSetTargetDripsDevicePowerState(x,x)+1Fj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_PoFxSetTargetDripsDevicePowerState@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1704. PoFxUnregisterDevice

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoFxUnregisterDevice(x)
		public _PoFxUnregisterDevice@4
_PoFxUnregisterDevice@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [esi+1Ch]
		test	edi, edi
		jz	short loc_9A79D9
		mov	ecx, edi
		call	_PopFxUnregisterDeviceOrWait@4 ; PopFxUnregisterDeviceOrWait(x)
		jmp	short loc_9A79E0
; 

loc_9A79D9:				; CODE XREF: PoFxUnregisterDevice(x)+Fj
		mov	ecx, esi
		call	_PopFxUnregisterDevice@4 ; PopFxUnregisterDevice(x)

loc_9A79E0:				; CODE XREF: PoFxUnregisterDevice(x)+18j
		mov	edx, esi
		mov	ecx, edi
		call	_PopFxDestroyDeviceDpm@8 ; PopFxDestroyDeviceDpm(x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_PoFxUnregisterDevice@4	endp


;  S U B	R O U T	I N E 


; __stdcall PopFxDestroyDripsBlockingDeviceList(x)
_PopFxDestroyDripsBlockingDeviceList@4 proc near
					; CODE XREF: PopFxBuildDripsBlockingDeviceList(x,x,x)+786p
					; PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+159p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx

loc_9A79F6:				; CODE XREF: PopFxDestroyDripsBlockingDeviceList(x)+43j
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_9A7A39
		cmp	[esi+4], edi
		jnz	short loc_9A7A34
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_9A7A34
		mov	[edi], eax
		mov	[eax+4], edi
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_9A7A27
		push	4D584650h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+0Ch], 0
		and	dword ptr [esi+10h], 0

loc_9A7A27:				; CODE XREF: PopFxDestroyDripsBlockingDeviceList(x)+23j
		lea	ecx, [esi-254h]
		call	_PopFxReleaseDevice@4 ;	PopFxReleaseDevice(x)
		jmp	short loc_9A79F6
; 

loc_9A7A34:				; CODE XREF: PopFxDestroyDripsBlockingDeviceList(x)+10j
					; PopFxDestroyDripsBlockingDeviceList(x)+17j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9A7A39:				; CODE XREF: PopFxDestroyDripsBlockingDeviceList(x)+Bj
		xor	edx, edx
		mov	ecx, offset _PopFxBlockingDeviceListLock
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	ecx, ecx
		pop	edi
		pop	esi
		pop	ebx
		jmp	PpDevNodeUnlockTree
_PopFxDestroyDripsBlockingDeviceList@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopFxFreeUniqueId(x)
_PopFxFreeUniqueId@4 proc near		; CODE XREF: PoFxAbandonDevice(x)+6Fj
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+4Ch]
		cmp	[esi+18h], eax
		jz	short loc_9A7A96
		test	eax, eax
		jz	short loc_9A7A96
		push	edi
		xor	edi, edi
		lea	edx, [esi+0A8h]
		mov	eax, [edx]

loc_9A7A77:				; CODE XREF: PopFxFreeUniqueId(x)+24j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [edx], ecx
		jnz	short loc_9A7A77
		pop	edi
		test	eax, 2000h
		jnz	short loc_9A7A96
		push	4D584650h
		push	dword ptr [esi+4Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A7A96:				; CODE XREF: PopFxFreeUniqueId(x)+Bj
					; PopFxFreeUniqueId(x)+Fj ...
		and	dword ptr [esi+48h], 0
		and	dword ptr [esi+4Ch], 0
		pop	esi
		retn
_PopFxFreeUniqueId@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxInitializeSocSubsystemStaticInfo(x, x)
_PopFxInitializeSocSubsystemStaticInfo@8 proc near
					; CODE XREF: PopFxEnablePlatformStates(x)+29j

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_91		= byte ptr -91h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	9
		mov	ebx, ecx
		lea	edi, [ebp+var_CC]
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_A4], ebx
		rep stosd
		mov	eax, 80h
		push	eax		; size_t
		lea	eax, [ebp+var_84]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	_PopFxProcessorPlugin, 0
		jnz	short loc_9A7AF7

loc_9A7AED:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+78j
		mov	esi, 0C0000002h
		jmp	loc_9A7DE3
; 

loc_9A7AF7:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+4Bj
		and	[ebp+var_8C], 0
		lea	edx, [ebp+var_90]
		and	[ebp+var_88], 0
		mov	[ebp+var_90], ebx
		call	_PopPluginQuerySocSubsystemCount@8 ; PopPluginQuerySocSubsystemCount(x,x)
		test	al, al
		jz	short loc_9A7AED
		mov	esi, [ebp+var_8C]
		mov	ecx, ebx
		call	_PopFxLookupSocSubsystemsByPlatformIdleState@4 ; PopFxLookupSocSubsystemsByPlatformIdleState(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_9A7B37
		mov	esi, 0C00000EFh
		jmp	loc_9A7D96
; 

loc_9A7B37:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+8Bj
		imul	edi, esi, 140h
		push	4D584650h
		add	edi, 10h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9A7B5D
		mov	esi, 0C000009Ah
		jmp	loc_9A7DE3
; 

loc_9A7B5D:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+B1j
		push	edi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	edx, [ebp+var_A4]
		xor	ecx, ecx
		add	esp, 0Ch
		mov	[ebx+8], edx
		mov	[ebx+0Ch], esi
		mov	[ebp+var_98], ecx
		test	esi, esi
		jz	loc_9A7C64
		lea	edi, [ebx+14h]

loc_9A7B88:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+1BEj
		mov	[edi+0Ch], ecx
		lea	eax, [edi+3Ch]
		mov	[edi], eax
		lea	esi, [edi+4]
		mov	dword ptr [edi-4], 800000h
		lea	eax, [edi+0BCh]
		mov	[edi+8], eax
		xor	ecx, ecx
		xor	eax, eax
		mov	[esi], ax
		mov	eax, 80h
		mov	[edi+6], ax
		mov	[ebp+var_CC], edx
		lea	edx, [ebp+var_CC]
		mov	[ebp+var_C4], ecx
		mov	eax, [edi+0Ch]
		mov	[ebp+var_C8], eax
		mov	eax, [edi-4]
		mov	[ebp+var_C0], eax
		mov	eax, [edi]
		mov	[ebp+var_BC], eax
		mov	eax, [esi]
		mov	[ebp+var_B8], eax
		mov	eax, [esi+4]
		mov	[ebp+var_B4], eax
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_AC], ecx
		call	_PopPluginInitializeSocSubsystemStaticInfo@8 ; PopPluginInitializeSocSubsystemStaticInfo(x,x)
		mov	ax, word ptr [ebp+var_B8]
		mov	[esi], ax
		mov	ax, word ptr [ebp+var_C0]
		mov	[edi-4], ax
		mov	eax, [ebp+var_C4]
		mov	[edi+14h], eax
		mov	eax, [ebp+var_B0]
		mov	[edi+38h], eax
		lea	eax, [edi+10h]
		push	eax
		push	0
		push	0
		push	esi
		call	RtlHashUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_9A7D94
		mov	ecx, [ebp+var_98]
		add	edi, 140h
		mov	esi, [ebx+0Ch]
		inc	ecx
		mov	edx, [ebp+var_A4]
		mov	[ebp+var_98], ecx
		cmp	ecx, esi
		jb	loc_9A7B88

loc_9A7C64:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+DFj
		xor	edx, edx
		mov	[ebp+var_91], 0
		mov	[ebp+var_A0], edx
		test	esi, esi
		jz	loc_9A7D90
		lea	ecx, [ebx+42h]
		mov	[ebp+var_9C], ecx

loc_9A7C84:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+2EAj
		mov	eax, [ecx-22h]
		lea	edi, [ecx-16h]
		mov	esi, offset _GUID_SLEEPSTUDY_BLOCKER_TOP_LEVEL_SOC_SUBSYSTEM
		inc	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_A4]
		movzx	esi, si
		mov	[ecx-12h], si
		mov	[ebp+var_A8], esi
		xor	esi, esi
		mov	[ecx-10h], ax
		mov	eax, [ecx-2Eh]
		mov	[ebp+var_98], eax
		cmp	[ebx+0Ch], esi
		jbe	short loc_9A7D0E
		lea	edi, [ebx+1Ch]

loc_9A7CBE:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+26Cj
		cmp	esi, edx
		jz	short loc_9A7CDF
		push	40h		; size_t
		push	dword ptr [edi]	; wchar_t *
		push	dword ptr [ecx-26h] ; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_9A7DA3
		mov	eax, [ebp+var_98]

loc_9A7CDF:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+220j
		push	40h		; size_t
		push	dword ptr [edi]	; wchar_t *
		push	eax		; wchar_t *
		call	_wcsncmp
		mov	ecx, [ebp+var_9C]
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9A7D2F
		mov	edx, [ebp+var_A0]
		inc	esi
		mov	eax, [ebp+var_98]
		add	edi, 140h
		cmp	esi, [ebx+0Ch]
		jb	short loc_9A7CBE

loc_9A7D0E:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+219j
		cmp	[ebp+var_91], 0
		lea	ecx, [ebp+var_84]
		jnz	short loc_9A7D41
		push	eax
		push	40h
		pop	edx
		call	RtlStringCchCopyW
		mov	[ebp+var_91], 1
		jmp	short loc_9A7D51
; 

loc_9A7D2F:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+254j
		mov	eax, [edi+4]
		mov	edx, [ebp+var_A8]
		inc	eax
		movzx	eax, ax
		movzx	edx, dx
		jmp	short loc_9A7D5B
; 

loc_9A7D41:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+27Bj
		push	40h		; size_t
		push	ecx		; wchar_t *
		push	eax		; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9A7DB6

loc_9A7D51:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+28Dj
		mov	ecx, [ebp+var_9C]
		xor	eax, eax
		xor	edx, edx

loc_9A7D5B:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+29Fj
		mov	esi, offset _GUID_SLEEPSTUDY_BLOCKER_TOP_LEVEL_SOC_SUBSYSTEM
		lea	edi, [ecx-6]
		movsd
		movsd
		movsd
		movsd
		mov	[ecx-2], dx
		mov	edx, [ebp+var_A0]
		mov	[ecx], ax
		inc	edx
		add	ecx, 140h
		mov	[ebp+var_A0], edx
		mov	[ebp+var_9C], ecx
		cmp	edx, [ebx+0Ch]
		jb	loc_9A7C84

loc_9A7D90:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+1D5j
		xor	esi, esi
		test	esi, esi

loc_9A7D94:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+19Aj
		jz	short loc_9A7DC3

loc_9A7D96:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+92j
		push	4D584650h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9A7DE3
; 

loc_9A7DA3:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+233j
		push	esi
		push	4E616D65h

loc_9A7DA9:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+321j
		push	25h
		pop	edx
		mov	ecx, 706h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_9A7DB6:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+2AFj
		push	[ebp+var_A0]
		push	50617265h
		jmp	short loc_9A7DA9
; 

loc_9A7DC3:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x):loc_9A7D94j
		mov	eax, dword_6C39CC
		mov	ecx, offset _SocSubsystemsList
		cmp	[eax], ecx
		jz	short loc_9A7DD6
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9A7DD6:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+32Fj
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	dword_6C39CC, ebx

loc_9A7DE3:				; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+52j
					; PopFxInitializeSocSubsystemStaticInfo(x,x)+B8j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopFxInitializeSocSubsystemStaticInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxInvokeDripsWatchdogCallback(x,	x, x)
_PopFxInvokeDripsWatchdogCallback@12 proc near
					; CODE XREF: PopDripsWatchdogInvokeDeviceCallbacks(x,x)+44p
					; PopDripsWatchdogInvokeDeviceCallbacks(x,x)+79p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ecx+28h]
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_9A7E3C
		cmp	dword ptr [esi+58h], 0
		jz	short loc_9A7E3C
		cmp	ecx, edi
		jz	short loc_9A7E20
		xor	edx, edx
		lea	ecx, [esi+238h]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		test	al, 8
		jz	short loc_9A7E3C

loc_9A7E20:				; CODE XREF: PopFxInvokeDripsWatchdogCallback(x,x,x)+18j
		mov	ecx, [esi+250h]
		mov	eax, [edi+10h]
		test	ecx, ecx
		jz	short loc_9A7E32
		cmp	ecx, [eax+8]
		jnz	short loc_9A7E3C

loc_9A7E32:				; CODE XREF: PopFxInvokeDripsWatchdogCallback(x,x,x)+37j
		push	[ebp+arg_0]
		push	eax
		push	dword ptr [esi+64h]
		call	dword ptr [esi+58h]

loc_9A7E3C:				; CODE XREF: PopFxInvokeDripsWatchdogCallback(x,x,x)+Ej
					; PopFxInvokeDripsWatchdogCallback(x,x,x)+14j ...
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_PopFxInvokeDripsWatchdogCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxLogSocSubsystemBlockingTimes(x, x, x, x)
_PopFxLogSocSubsystemBlockingTimes@16 proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+57Bp

var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_79		= dword	ptr -79h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, _PopWnfCsEnterScenarioId
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_9C], eax
		mov	eax, dword_6C1D84
		push	esi
		push	edi
		mov	[ebp+var_94], ecx
		mov	esi, ebx
		mov	[ebp+var_98], eax
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], ebx
		mov	byte ptr [ebp+var_79], bl
		mov	[ebp+var_80], ebx
		call	_PopFxLookupSocSubsystemsByPlatformIdleState@4 ; PopFxLookupSocSubsystemsByPlatformIdleState(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9A7EA1
		mov	esi, 0C00000F0h
		jmp	loc_9A7FF1
; 

loc_9A7EA1:				; CODE XREF: PopFxLogSocSubsystemBlockingTimes(x,x,x,x)+53j
		mov	eax, ebx
		mov	[ebp+var_84], ebx
		cmp	[edi+0Ch], ebx
		jbe	loc_9A7FF1

loc_9A7EB2:				; CODE XREF: PopFxLogSocSubsystemBlockingTimes(x,x,x,x)+1A2j
		imul	ebx, eax, 140h
		xor	edx, edx
		mov	[ebp+var_B4], edx
		mov	[ebp+var_A4], edx
		mov	[ebp+var_C0], ecx
		mov	eax, [ebx+edi+28h]
		mov	[ebp+var_BC], eax
		lea	eax, [edi+18h]
		add	eax, ebx
		mov	[ebp+var_B0], edx
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_AC], edx
		mov	[ebp+var_A8], edx
		mov	edx, [ebx+edi+24h]
		push	eax
		call	_PopPluginQuerySocSubsystemBlockingTime@12 ; PopPluginQuerySocSubsystemBlockingTime(x,x,x)
		test	al, al
		jz	loc_9A7FEC
		mov	eax, [ebp+var_B0]
		xor	edx, edx
		mov	[ebp+var_90], eax
		mov	eax, [ebp+var_AC]
		mov	[ebp+var_8C], eax
		mov	al, byte ptr [ebp+var_9C]
		mov	byte ptr [ebp+var_79], al
		lea	eax, [ebp+var_79]
		mov	[ebp+var_79+1],	eax
		lea	eax, [edi+3Ch]
		add	eax, ebx
		mov	[ebp+var_74], edx
		mov	[ebp+var_68], eax
		mov	[ebp+var_6C], edx
		mov	[ebp+var_64], edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_70], 1
		mov	[ebp+var_60], 10h
		movzx	eax, word ptr [ebx+edi+18h]
		shr	eax, 1
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_50], 4
		movzx	ecx, word ptr [ebx+edi+18h]
		mov	eax, [ebx+edi+1Ch]
		mov	[ebp+var_48], eax
		mov	eax, ecx
		mov	[ebp+var_40], eax
		lea	eax, [edi+2Ch]
		add	eax, ebx
		mov	[ebp+var_44], edx
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_90]
		push	8
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_9C]
		pop	ecx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], edx
		lea	edx, [ebp+var_79+1]
		mov	[ebp+var_30], 10h
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], ecx
		call	_PopDiagTraceSleepStudyBlocker@8 ; PopDiagTraceSleepStudyBlocker(x,x)
		mov	eax, [ebp+var_84]
		mov	ecx, [ebp+var_94]
		inc	eax
		mov	[ebp+var_84], eax
		cmp	eax, [edi+0Ch]
		jb	loc_9A7EB2
		jmp	short loc_9A7FF1
; 

loc_9A7FEC:				; CODE XREF: PopFxLogSocSubsystemBlockingTimes(x,x,x,x)+C3j
		mov	esi, 0C00000E5h

loc_9A7FF1:				; CODE XREF: PopFxLogSocSubsystemBlockingTimes(x,x,x,x)+5Aj
					; PopFxLogSocSubsystemBlockingTimes(x,x,x,x)+6Aj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopFxLogSocSubsystemBlockingTimes@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxLogSocSubsystemMetadata(x, x, x, x)
_PopFxLogSocSubsystemMetadata@16 proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+588p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, _PopWnfCsEnterScenarioId
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_38], eax
		mov	eax, dword_6C1D84
		push	esi
		mov	esi, ebx
		mov	[ebp+var_28], ecx
		push	edi
		mov	[ebp+var_34], eax
		mov	byte ptr [ebp+var_1], bl
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], esi
		call	_PopFxLookupSocSubsystemsByPlatformIdleState@4 ; PopFxLookupSocSubsystemsByPlatformIdleState(x)
		mov	edi, eax
		mov	[ebp+var_1C], edi
		test	edi, edi
		jnz	short loc_9A8047
		mov	esi, 0C00000F0h
		jmp	loc_9A837B
; 

loc_9A8047:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+37j
		mov	eax, ebx
		mov	[ebp+var_24], ebx
		cmp	[edi+0Ch], ebx
		jbe	loc_9A837B

loc_9A8055:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+341j
		imul	eax, 140h
		mov	[ebp+var_20], eax
		mov	eax, [eax+edi+4Ch]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_9A833B
		imul	eax, 118h
		push	4D584650h
		push	eax
		push	1
		mov	[ebp+var_18], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_10], ebx
		test	ebx, ebx
		jz	loc_9A8376
		push	[ebp+var_18]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		xor	edx, edx
		test	eax, eax
		jz	short loc_9A80E1
		lea	ecx, [ebx+4]
		mov	ebx, 80h

loc_9A80AF:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+DBj
		lea	eax, [ecx+0Ch]
		mov	[ecx-2], bx
		mov	[ecx], eax
		inc	edx
		lea	eax, [ecx+90h]
		mov	[ecx+6], bx
		mov	[ecx+8], eax
		lea	ecx, [ecx+118h]
		mov	eax, 0AABBAABBh
		mov	[ecx-8Ch], eax
		mov	[ecx-8], eax
		mov	eax, [ebp+var_8]
		cmp	edx, eax
		jb	short loc_9A80AF

loc_9A80E1:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+A1j
		lea	eax, ds:14h[eax*4]
		push	4D584650h
		push	eax
		push	1
		mov	[ebp+var_18], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_2C], ebx
		test	ebx, ebx
		jnz	short loc_9A810E
		mov	esi, 0C000009Ah

loc_9A8106:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+172j
		mov	[ebp+var_C], esi
		jmp	loc_9A831B
; 

loc_9A810E:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+FBj
		push	[ebp+var_18]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	ecx, [ebp+var_20]
		add	esp, 0Ch
		mov	eax, [ebp+var_28]
		and	[ebp+var_18], 0
		mov	[ebx], eax
		mov	eax, [ecx+edi+28h]
		and	dword ptr [ebx+0Ch], 0
		mov	[ebx+4], eax
		lea	eax, [ecx+18h]
		add	eax, edi
		mov	[ebx+8], eax
		mov	eax, [ebp+var_8]
		mov	[ebx+10h], eax
		cmp	[ebp+var_8], 0
		jbe	short loc_9A8163
		mov	eax, [ebp+var_10]
		lea	edx, [ebx+14h]
		mov	esi, [ebp+var_18]

loc_9A8150:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+15Aj
		mov	[edx], eax
		inc	esi
		add	eax, 118h
		lea	edx, [edx+4]
		cmp	esi, [ebp+var_8]
		jb	short loc_9A8150
		mov	esi, [ebp+var_C]

loc_9A8163:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+141j
		mov	edx, [ecx+edi+24h]
		push	ebx
		call	_PopPluginQuerySocSubsystemMetadata@12 ; PopPluginQuerySocSubsystemMetadata(x,x,x)
		test	al, al
		jnz	short loc_9A8178
		mov	esi, 0C00000E5h
		jmp	short loc_9A8106
; 

loc_9A8178:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+16Bj
		mov	edx, [ebp+var_8]
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_9A81AC
		mov	eax, [ebp+var_10]
		mov	edi, 0AABBAABBh
		add	eax, 114h

loc_9A818E:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+1A6j
		cmp	[eax-84h], edi
		jnz	loc_9A8367
		cmp	[eax], edi
		jnz	loc_9A834D
		inc	ecx
		add	eax, 118h
		cmp	ecx, edx
		jb	short loc_9A818E

loc_9A81AC:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+17Bj
		imul	eax, edx, 5
		push	4D584650h
		add	eax, 3
		mov	[ebp+var_30], eax
		shl	eax, 4
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9A81D8
		mov	esi, 0C000009Ah
		mov	[ebp+var_C], esi
		jmp	loc_9A8318
; 

loc_9A81D8:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+1C5j
		mov	al, byte ptr [ebp+var_38]
		xor	edx, edx
		mov	byte ptr [ebp+var_1], al
		lea	eax, [ebp+var_1]
		mov	[edi], eax
		lea	eax, [ebp+var_8]
		mov	[edi+10h], eax
		push	2
		mov	[edi+4], edx
		mov	dword ptr [edi+8], 1
		mov	[edi+0Ch], edx
		mov	[edi+14h], edx
		mov	dword ptr [edi+18h], 4
		mov	[edi+1Ch], edx
		pop	eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], edx
		cmp	[ebp+var_8], edx
		jbe	loc_9A82EB
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_20]
		add	eax, 2Ch
		mov	ebx, [ebp+var_18]
		add	ecx, eax
		mov	eax, [ebp+var_14]
		push	20h
		mov	[ebp+var_20], ecx
		pop	edx

loc_9A822E:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+2D3j
		and	dword ptr [edx+edi+4], 0
		add	ebx, 5
		and	dword ptr [edx+edi+0Ch], 0
		mov	[edx+edi], ecx
		lea	edx, [edx+50h]
		mov	dword ptr [edx+edi-48h], 10h
		imul	esi, eax, 118h
		add	esi, [ebp+var_10]
		movzx	eax, word ptr [esi]
		lea	ecx, [esi+90h]
		shr	eax, 1
		mov	[ecx], eax
		and	dword ptr [edx+edi-3Ch], 0
		and	dword ptr [edx+edi-34h], 0
		mov	[edx+edi-40h], ecx
		mov	dword ptr [edx+edi-38h], 4
		movzx	ecx, word ptr [esi]
		mov	eax, [esi+4]
		and	dword ptr [edx+edi-2Ch], 0
		and	dword ptr [edx+edi-24h], 0
		mov	[edx+edi-30h], eax
		mov	[edx+edi-28h], ecx
		lea	ecx, [esi+114h]
		movzx	eax, word ptr [esi+8]
		shr	eax, 1
		mov	[ecx], eax
		and	dword ptr [edx+edi-1Ch], 0
		and	dword ptr [edx+edi-14h], 0
		mov	[edx+edi-20h], ecx
		mov	dword ptr [edx+edi-18h], 4
		movzx	ecx, word ptr [esi+8]
		mov	eax, [esi+0Ch]
		and	dword ptr [edx+edi-0Ch], 0
		and	dword ptr [edx+edi-4], 0
		mov	[edx+edi-10h], eax
		mov	eax, [ebp+var_14]
		mov	[edx+edi-8], ecx
		inc	eax
		mov	ecx, [ebp+var_20]
		mov	[ebp+var_14], eax
		cmp	eax, [ebp+var_8]
		jb	loc_9A822E
		mov	esi, [ebp+var_C]
		xor	edx, edx
		mov	[ebp+var_18], ebx
		mov	ebx, [ebp+var_2C]
		mov	eax, [ebp+var_18]

loc_9A82EB:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+20Dj
		add	eax, eax
		lea	ecx, [ebp+var_38]
		mov	[edi+eax*8], ecx
		mov	ecx, [ebp+var_30]
		mov	[edi+eax*8+4], edx
		mov	[edi+eax*8+0Ch], edx
		mov	edx, edi
		mov	dword ptr [edi+eax*8+8], 8
		call	_PopDiagTraceSleepStudyBlockerData@8 ; PopDiagTraceSleepStudyBlockerData(x,x)
		push	4D584650h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A8318:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+1CFj
		mov	edi, [ebp+var_1C]

loc_9A831B:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+105j
		push	4D584650h
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jz	short loc_9A8337
		push	4D584650h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A8337:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+326j
		test	esi, esi
		js	short loc_9A837B

loc_9A833B:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+63j
		mov	eax, [ebp+var_24]
		inc	eax
		mov	[ebp+var_24], eax
		cmp	eax, [edi+0Ch]
		jb	loc_9A8055
		jmp	short loc_9A837B
; 

loc_9A834D:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+198j
		movzx	eax, word ptr [eax-10Ah]
		push	eax
		push	56616C75h

loc_9A835A:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+370j
		push	28h
		pop	edx
		mov	ecx, 706h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_9A8367:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+190j
		movzx	eax, word ptr [eax-112h]
		push	eax
		push	4B657920h
		jmp	short loc_9A835A
; 

loc_9A8376:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+86j
		mov	esi, 0C000009Ah

loc_9A837B:				; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+3Ej
					; PopFxLogSocSubsystemMetadata(x,x,x,x)+4Bj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_PopFxLogSocSubsystemMetadata@16 endp


;  S U B	R O U T	I N E 


; __stdcall PopFxLookupSocSubsystemsByPlatformIdleState(x)
_PopFxLookupSocSubsystemsByPlatformIdleState@4 proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+445p
					; PopCaptureSleepStudyStatistics(x,x,x,x)+56Ap	...
		mov	edx, _SocSubsystemsList
		xor	eax, eax
		push	esi
		mov	esi, offset _SocSubsystemsList
		jmp	short loc_9A83A1
; 

loc_9A8394:				; CODE XREF: PopFxLookupSocSubsystemsByPlatformIdleState(x)+1Fj
		mov	eax, edx
		test	edx, edx
		jz	short loc_9A83A5
		cmp	[edx+8], ecx
		jz	short loc_9A83A5
		mov	edx, [edx]

loc_9A83A1:				; CODE XREF: PopFxLookupSocSubsystemsByPlatformIdleState(x)+Ej
		cmp	edx, esi
		jnz	short loc_9A8394

loc_9A83A5:				; CODE XREF: PopFxLookupSocSubsystemsByPlatformIdleState(x)+14j
					; PopFxLookupSocSubsystemsByPlatformIdleState(x)+19j
		pop	esi
		retn
_PopFxLookupSocSubsystemsByPlatformIdleState@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopFxPepPerfInfoFree(x)
_PopFxPepPerfInfoFree@4	proc near	; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+188p
					; PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+413p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_9A83F9
		push	ebx
		xor	ebx, ebx
		cmp	[esi], ebx
		jbe	short loc_9A83ED
		push	edi
		lea	edi, [esi+24h]

loc_9A83BB:				; CODE XREF: PopFxPepPerfInfoFree(x)+43j
		cmp	dword ptr [edi-8], 0
		jnz	short loc_9A83D2
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_9A83D2
		push	4D584650h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A83D2:				; CODE XREF: PopFxPepPerfInfoFree(x)+18j
					; PopFxPepPerfInfoFree(x)+1Ej
		mov	eax, [edi-18h]
		test	eax, eax
		jz	short loc_9A83E4
		push	4D584650h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A83E4:				; CODE XREF: PopFxPepPerfInfoFree(x)+30j
		inc	ebx
		add	edi, 28h
		cmp	ebx, [esi]
		jb	short loc_9A83BB
		pop	edi

loc_9A83ED:				; CODE XREF: PopFxPepPerfInfoFree(x)+Ej
		push	4D584650h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebx

loc_9A83F9:				; CODE XREF: PopFxPepPerfInfoFree(x)+7j
		pop	esi
		retn
_PopFxPepPerfInfoFree@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxPepPerfInfoQuery(x, x,	x)
_PopFxPepPerfInfoQuery@12 proc near	; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+2Cp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_8], 0
		mov	eax, ecx
		and	[esp+14h+var_4], 0
		lea	ecx, [esp+14h+var_8]
		push	ebx
		push	esi
		push	edi
		push	ecx
		mov	ecx, eax
		mov	[esp+24h+var_10], edx
		mov	[esp+24h+var_C], eax
		xor	esi, esi
		xor	ebx, ebx
		call	_PopPluginQueryComponentPerfCapabilities@12 ; PopPluginQueryComponentPerfCapabilities(x,x,x)
		test	al, al
		jnz	short loc_9A843B
		mov	esi, 0C0000002h
		jmp	loc_9A8581
; 

loc_9A843B:				; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+34j
		imul	edi, [esp+24h+var_C], 28h
		push	4D584650h
		add	edi, 8
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9A8460

loc_9A8456:				; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+DBj
		mov	esi, 0C000009Ah
		jmp	loc_9A8581
; 

loc_9A8460:				; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+59j
		push	edi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [esp+30h+var_C]
		xor	edx, edx
		add	esp, 0Ch
		mov	[ebx], eax
		mov	[esp+24h+var_18], edx
		test	eax, eax
		jz	loc_9A858A
		lea	edi, [ebx+1Ch]

loc_9A8483:				; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+15Fj
		lea	ecx, [edi-4]
		lea	eax, [ecx+10h]
		push	eax
		lea	eax, [edi+4]
		push	eax
		push	eax
		push	edi
		push	ecx
		mov	ecx, [esp+38h+var_10]
		push	edx
		mov	edx, [esp+3Ch+var_14]
		call	_PopPluginQueryComponentPerfSet@32 ; PopPluginQueryComponentPerfSet(x,x,x,x,x,x,x,x)
		cmp	dword ptr [edi], 0
		jnz	short loc_9A84EE
		mov	eax, [edi+4]
		test	eax, eax
		jz	loc_9A8562
		push	10h
		pop	ecx
		mul	ecx
		lea	ecx, [esp+24h+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		push	4D584650h
		push	[esp+28h+var_8]
		mov	esi, eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+8], eax
		test	eax, eax
		jz	loc_9A8456
		mov	edx, [esp+24h+var_14]
		mov	ecx, [esp+24h+var_10]
		push	eax
		push	[esp+28h+var_18]
		call	_PopPluginQueryComponentPerfStates@16 ;	PopPluginQueryComponentPerfStates(x,x,x,x)

loc_9A84EE:				; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+A7j
		mov	edx, [esp+24h+var_14]
		lea	eax, [edi-12h]
		mov	ecx, [esp+24h+var_10]
		push	0
		push	eax
		push	[esp+2Ch+var_18]
		call	_PopPluginQueryComponentPerfSetName@20 ; PopPluginQueryComponentPerfSetName(x,x,x,x,x)
		movzx	ecx, word ptr [edi-12h]
		test	cx, cx
		jnz	short loc_9A8519
		xor	eax, eax
		and	[edi-10h], eax
		mov	[edi-14h], ax
		jmp	short loc_9A854A
; 

loc_9A8519:				; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+111j
		push	4D584650h
		push	ecx
		lea	eax, [ecx-2]
		push	1
		mov	[edi-14h], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi-10h], eax
		test	eax, eax
		jz	short loc_9A8578
		mov	edx, [esp+24h+var_14]
		mov	ecx, [esp+24h+var_10]
		push	eax
		lea	eax, [edi-12h]
		push	eax
		push	[esp+2Ch+var_18]
		call	_PopPluginQueryComponentPerfSetName@20 ; PopPluginQueryComponentPerfSetName(x,x,x,x,x)

loc_9A854A:				; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+11Cj
		mov	edx, [esp+24h+var_18]
		add	edi, 28h
		inc	edx
		mov	[esp+24h+var_18], edx
		cmp	edx, [esp+24h+var_C]
		jb	loc_9A8483
		jmp	short loc_9A857D
; 

loc_9A8562:				; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+AEj
		mov	eax, [esp+24h+var_10]
		mov	ecx, 61Ah
		push	[esp+24h+var_14]
		push	eax
		mov	edx, [eax+24h]
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_9A8578:				; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+137j
		mov	esi, 0C000009Ah

loc_9A857D:				; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+165j
		test	esi, esi
		jns	short loc_9A858A

loc_9A8581:				; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+3Bj
					; PopFxPepPerfInfoQuery(x,x,x)+60j
		mov	ecx, ebx
		call	_PopFxPepPerfInfoFree@4	; PopFxPepPerfInfoFree(x)
		jmp	short loc_9A858F
; 

loc_9A858A:				; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+7Fj
					; PopFxPepPerfInfoQuery(x,x,x)+184j
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx

loc_9A858F:				; CODE XREF: PopFxPepPerfInfoQuery(x,x,x)+18Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_PopFxPepPerfInfoQuery@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxRegisterComponentPerfStates(x,	x, x, x, x, x, x)
_PopFxRegisterComponentPerfStates@28 proc near
					; CODE XREF: PoFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+56p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_2C], ecx
		mov	eax, edx
		mov	[ebp+var_C], edi
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], edi
		cmp	[ebp+arg_C], edi
		jnz	short loc_9A85E0
		cmp	[ebp+arg_10], edi
		jz	short loc_9A85E5
		lea	edx, [ebp+var_10]
		push	edx
		mov	edx, [eax+10h]
		call	_PopFxPepPerfInfoQuery@12 ; PopFxPepPerfInfoQuery(x,x,x)
		mov	ebx, [ebp+var_10]
		mov	esi, eax
		test	esi, esi
		js	loc_9A89AB
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_2C]
		jmp	short loc_9A85F5
; 

loc_9A85E0:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+1Ej
		cmp	[ebp+arg_10], edi
		jz	short loc_9A85EF

loc_9A85E5:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+23j
		mov	eax, 0C000000Dh
		jmp	loc_9A89B4
; 

loc_9A85EF:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+49j
		mov	ebx, [ebp+arg_C]
		mov	[ebp+var_10], ebx

loc_9A85F5:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+44j
		cmp	[ebx], edi
		jnz	short loc_9A8603
		mov	esi, 0C000000Dh
		jmp	loc_9A89A5
; 

loc_9A8603:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+5Dj
		mov	edx, [eax+10h]
		push	ebx
		call	_PopPluginRegisterComponentPerfStates@12 ; PopPluginRegisterComponentPerfStates(x,x,x)
		mov	[ebp+var_1], al
		test	al, al
		jnz	short loc_9A8627
		mov	ecx, [ebp+arg_0]
		and	ecx, 1
		or	ecx, edi
		jnz	short loc_9A8627
		mov	esi, 0C0000002h
		jmp	loc_9A89A5
; 

loc_9A8627:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+77j
					; PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+81j
		mov	edi, [ebx]
		mov	eax, edi
		push	20h
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_8], 60h
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9A89A5
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		push	60h
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9A89A5
		mov	eax, [ebp+var_8]
		lea	ecx, [ebp+var_8]
		push	ecx
		add	eax, 7
		and	eax, 0FFFFFFF8h
		push	8
		pop	edx
		mov	ecx, eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_8], eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9A89A5
		mov	eax, [ebp+var_8]
		push	28h
		pop	ecx
		mov	[ebp+var_20], eax
		mov	eax, edi
		mul	ecx
		lea	ecx, [ebp+var_C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9A89A5
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_20]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9A89A5
		mov	eax, [ebp+var_8]
		xor	edx, edx
		add	eax, 7
		mov	[ebp+var_18], edx
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_34], eax
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		push	10h
		pop	esi
		test	edi, edi
		jz	short loc_9A8739
		lea	eax, [ebx+20h]
		mov	[ebp+var_1C], eax

loc_9A86E8:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+19Aj
		cmp	dword ptr [eax-4], 0
		jnz	short loc_9A8728
		mov	eax, [eax]
		lea	ecx, [ebp+var_C]
		mul	esi
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9A89A5
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_8]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9A89A5
		mov	eax, [ebp+var_1C]
		mov	edx, [ebp+var_18]
		push	10h
		pop	esi

loc_9A8728:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+152j
		inc	edx
		add	eax, 28h
		mov	[ebp+var_18], edx
		mov	[ebp+var_1C], eax
		cmp	edx, edi
		jb	short loc_9A86E8
		mov	ecx, [ebp+var_8]

loc_9A8739:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+146j
		lea	eax, [ecx+1]
		xor	ecx, ecx
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_38], eax
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	edi, edi
		jz	short loc_9A878F
		lea	eax, [ebx+8]
		mov	[ebp+var_18], eax

loc_9A8756:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+1F3j
		movzx	edx, word ptr [eax]
		test	dx, dx
		jz	short loc_9A8781
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax
		push	2
		pop	eax
		add	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9A89A5
		mov	esi, [ebp+var_8]
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_1C]

loc_9A8781:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+1C2j
		inc	ecx
		add	eax, 28h
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], eax
		cmp	ecx, edi
		jb	short loc_9A8756

loc_9A878F:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+1B4j
		lea	eax, [esi+7]
		and	eax, 0FFFFFFF8h
		push	10h
		pop	ecx
		mov	[ebp+var_28], eax
		mov	[ebp+var_8], eax
		mov	eax, edi
		mul	ecx
		lea	ecx, [ebp+var_C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9A89A5
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_28]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		mov	[ebp+var_18], esi
		test	esi, esi
		js	loc_9A89A5
		push	4D584650h
		push	[ebp+var_8]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		jnz	short loc_9A87F7
		mov	esi, 0C000009Ah
		jmp	loc_9A89A5
; 

loc_9A87F7:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+251j
		push	[ebp+var_8]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	edx, [ebp+var_30]
		lea	ecx, [edi+60h]
		mov	eax, [ebp+arg_8]
		add	edx, edi
		and	[ebp+var_30], 0
		add	esp, 0Ch
		mov	[edi+14h], eax
		mov	eax, [ebx]
		mov	[edi+54h], eax
		mov	[edi+58h], ecx
		mov	eax, [ebx]
		mov	[edx], eax
		mov	eax, [ebp+var_20]
		add	eax, edi
		mov	[ebp+var_3C], edx
		cmp	dword ptr [ebx], 0
		mov	edx, eax
		mov	[ebp+arg_8], eax
		jbe	short loc_9A8848
		mov	eax, [ebp+var_30]

loc_9A8838:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+2A9j
		mov	[ecx], edx
		add	edx, 28h
		inc	eax
		lea	ecx, [ecx+20h]
		cmp	eax, [ebx]
		jb	short loc_9A8838
		mov	eax, [ebp+arg_8]

loc_9A8848:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+299j
		mov	edx, [ebp+var_34]
		xor	ecx, ecx
		add	edx, edi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_20], edx
		cmp	[ebx], ecx
		jbe	short loc_9A88CC
		lea	edi, [eax+10h]
		lea	esi, [ebx+1Ch]

loc_9A885F:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+32Aj
		mov	eax, [esi-0Ch]
		mov	[edi-8], eax
		mov	eax, [esi-8]
		mov	[edi-4], eax
		mov	eax, [esi-4]
		mov	[edi], eax
		mov	eax, [esi]
		mov	[edi+4], eax
		mov	eax, [esi+4]
		cmp	dword ptr [esi], 0
		mov	[edi+8], eax
		jnz	short loc_9A88A6
		shl	eax, 4
		push	eax		; size_t
		mov	[edi+0Ch], edx
		push	dword ptr [esi+8] ; void *
		push	edx		; void *
		call	_memcpy
		mov	eax, [edi+8]
		add	esp, 0Ch
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		shl	eax, 4
		add	edx, eax
		mov	[ebp+var_20], edx
		jmp	short loc_9A88B8
; 

loc_9A88A6:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+2E4j
		mov	eax, [esi+8]
		mov	[edi+0Ch], eax
		mov	eax, [esi+0Ch]
		mov	[edi+10h], eax
		mov	eax, [esi+10h]
		mov	[edi+14h], eax

loc_9A88B8:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+30Aj
		add	edi, 28h
		add	esi, 28h
		inc	ecx
		mov	[ebp+var_1C], ecx
		cmp	ecx, [ebx]
		jb	short loc_9A885F
		mov	esi, [ebp+var_18]
		mov	edi, [ebp+var_24]

loc_9A88CC:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+2BDj
		mov	ecx, [ebp+var_38]
		xor	edx, edx
		add	ecx, edi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], ecx
		cmp	[ebx], edx
		jbe	short loc_9A8933
		mov	esi, [ebp+arg_8]
		lea	edi, [ebx+8]

loc_9A88E3:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+391j
		movzx	eax, word ptr [edi]
		test	ax, ax
		jz	short loc_9A8911
		mov	[esi+4], ecx
		mov	ax, [edi]
		push	2
		pop	ecx
		mov	[esi], ax
		mov	ax, [edi]
		push	edi
		add	ax, cx
		push	esi
		mov	[esi+2], ax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		movzx	eax, word ptr [edi]
		mov	ecx, [ebp+var_20]
		mov	edx, [ebp+var_1C]

loc_9A8911:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+34Fj
		movzx	eax, ax
		add	esi, 28h
		shr	eax, 1
		add	edi, 28h
		lea	ecx, [ecx+eax*2]
		add	ecx, 2
		inc	edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		cmp	edx, [ebx]
		jb	short loc_9A88E3
		mov	esi, [ebp+var_18]
		mov	edi, [ebp+var_24]

loc_9A8933:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+341j
		mov	eax, [ebp+var_14]
		mov	[edi], eax
		mov	eax, [ebp+var_28]
		add	eax, edi
		push	1
		mov	[edi+1Ch], eax
		lea	eax, [edi+4]
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [ebp+arg_0]
		and	eax, 6
		or	eax, 0
		jz	short loc_9A895C
		mov	byte ptr [edi+32h], 1

loc_9A895C:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+3BCj
		mov	al, [ebp+var_1]
		xor	dl, dl
		and	dword ptr [edi+38h], 0
		mov	ecx, edi
		mov	[edi+31h], al
		mov	dword ptr [edi+40h], offset _PopFxComponentPerfWork@4 ;	PopFxComponentPerfWork(x)
		mov	[edi+44h], edi
		call	_PopFxTracePerfRegistration@8 ;	PopFxTracePerfRegistration(x,x)
		mov	eax, [ebp+var_14]
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_2C]
		push	[ebp+arg_0]
		mov	edx, [eax+10h]
		mov	ecx, [ecx+20h]
		call	_PopPepRegisterComponentPerfStates@16 ;	PopPepRegisterComponentPerfStates(x,x,x,x)
		mov	eax, [ebp+var_14]
		mov	[eax+168h], edi
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_9A89A5
		mov	ecx, [ebp+var_3C]
		mov	[eax], ecx

loc_9A89A5:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+64j
					; PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+88j ...
		cmp	[ebp+arg_C], 0
		jnz	short loc_9A89B2

loc_9A89AB:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+38j
		mov	ecx, ebx
		call	_PopFxPepPerfInfoFree@4	; PopFxPepPerfInfoFree(x)

loc_9A89B2:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+40Fj
		mov	eax, esi

loc_9A89B4:				; CODE XREF: PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+50j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_PopFxRegisterComponentPerfStates@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxResetSocSubsystemAccounting(x,	x)
_PopFxResetSocSubsystemAccounting@8 proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+457p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		call	_PopFxLookupSocSubsystemsByPlatformIdleState@4 ; PopFxLookupSocSubsystemsByPlatformIdleState(x)
		test	eax, eax
		jnz	short loc_9A89D2
		mov	eax, 0C00000EFh
		leave
		retn
; 

loc_9A89D2:				; CODE XREF: PopFxResetSocSubsystemAccounting(x,x)+Ej
		and	[ebp+var_4], 0
		lea	edx, [ebp+var_8]
		mov	[ebp+var_8], ecx
		call	_PopPluginResetSocSubsystemAccounting@8	; PopPluginResetSocSubsystemAccounting(x,x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFF1Bh
		add	eax, 0C00000E5h
		leave
		retn
_PopFxResetSocSubsystemAccounting@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopFxUnregisterDevice(x)
_PopFxUnregisterDevice@4 proc near	; CODE XREF: PoFxUnregisterDevice(x)+1Cp
					; PopFxUnregisterDeviceOrWait(x)+2Fp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	eax, [esi+238h]
		test	al, 1
		jnz	short loc_9A8A4C
		mov	eax, [esi+23Ch]
		mov	edi, ebx
		test	eax, eax
		jz	short loc_9A8A27

loc_9A8A13:				; CODE XREF: PopFxUnregisterDevice(x)+31j
		push	2
		push	edi
		push	esi
		call	_PoFxActivateComponent@12 ; PoFxActivateComponent(x,x,x)
		mov	eax, [esi+23Ch]
		inc	edi
		cmp	edi, eax
		jb	short loc_9A8A13

loc_9A8A27:				; CODE XREF: PopFxUnregisterDevice(x)+1Dj
		mov	edi, ebx
		test	eax, eax
		jz	short loc_9A8A4C

loc_9A8A2D:				; CODE XREF: PopFxUnregisterDevice(x)+56j
		mov	eax, [esi+240h]
		push	ebx
		push	ebx
		push	ebx
		mov	eax, [eax+edi*4]
		push	ebx
		add	eax, 40h
		push	eax
		call	KeWaitForSingleObject
		inc	edi
		cmp	edi, [esi+23Ch]
		jb	short loc_9A8A2D

loc_9A8A4C:				; CODE XREF: PopFxUnregisterDevice(x)+11j
					; PopFxUnregisterDevice(x)+37j
		mov	edi, [esi+1Ch]
		test	edi, edi
		jz	short loc_9A8A6A
		mov	edx, esi
		call	_PopFxRemoveDevice@8 ; PopFxRemoveDevice(x,x)
		mov	ecx, edi
		call	_PopDiagTraceFxDeviceUnregistration@4 ;	PopDiagTraceFxDeviceUnregistration(x)
		xor	edx, edx
		mov	ecx, edi
		call	_PopFxAssignDeviceToDevNode@8 ;	PopFxAssignDeviceToDevNode(x,x)

loc_9A8A6A:				; CODE XREF: PopFxUnregisterDevice(x)+5Dj
		mov	ecx, ebx
		cmp	[esi+23Ch], ebx
		jbe	short loc_9A8A94

loc_9A8A74:				; CODE XREF: PopFxUnregisterDevice(x)+9Ej
		mov	eax, [esi+240h]
		mov	eax, [eax+ecx*4]
		mov	eax, [eax+3Ch]
		test	eax, eax
		jle	short loc_9A8A8B
		lock dec _PopFxResidentComponentCount

loc_9A8A8B:				; CODE XREF: PopFxUnregisterDevice(x)+8Ej
		inc	ecx
		cmp	ecx, [esi+23Ch]
		jb	short loc_9A8A74

loc_9A8A94:				; CODE XREF: PopFxUnregisterDevice(x)+7Ej
		push	18h
		push	ebx
		lea	eax, [esi+7Ch]
		push	eax
		call	_IoReleaseRemoveLockAndWaitEx@12 ; IoReleaseRemoveLockAndWaitEx(x,x,x)
		mov	ecx, [esi+20h]	; char
		call	_PopPepUnregisterDevice@4 ; PopPepUnregisterDevice(x)
		mov	ecx, [esi+24h]
		test	ecx, ecx
		jz	short loc_9A8AB7
		mov	edx, [esi+28h]
		call	_PopPluginUnregisterDevice@8 ; PopPluginUnregisterDevice(x,x)

loc_9A8AB7:				; CODE XREF: PopFxUnregisterDevice(x)+B9j
		mov	ecx, esi
		call	_PopPlUnregisterDevice@4 ; PopPlUnregisterDevice(x)
		test	edi, edi
		jz	short loc_9A8ACD
		push	ebx
		push	ebx
		lea	eax, [edi+30h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_9A8ACD:				; CODE XREF: PopFxUnregisterDevice(x)+CCj
		mov	eax, [esi+238h]
		test	al, 1
		jz	short loc_9A8AE3
		mov	edx, esi
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PopFxDestroyDeviceDpm@8 ; PopFxDestroyDeviceDpm(x,x)
; 

loc_9A8AE3:				; CODE XREF: PopFxUnregisterDevice(x)+E1j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PopFxUnregisterDevice@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopFxUnregisterDeviceOrWait(x)
_PopFxUnregisterDeviceOrWait@4 proc near ; CODE	XREF: PoFxAbandonDevice(x)+26p
					; PoFxUnregisterDevice(x)+13p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		push	8
		pop	ecx
		lea	esi, [edi+0A8h]
		mov	eax, [esi]

loc_9A8AF9:				; CODE XREF: PopFxUnregisterDeviceOrWait(x)+1Aj
		mov	edx, eax
		or	edx, ecx
		lock cmpxchg [esi], edx
		jnz	short loc_9A8AF9
		test	al, cl
		jnz	short loc_9A8B2C
		xor	dl, dl
		mov	ecx, edi
		call	PopFxLockDevice
		test	eax, eax
		jz	short loc_9A8B1D
		mov	ecx, eax
		call	_PopFxUnregisterDevice@4 ; PopFxUnregisterDevice(x)
		jmp	short loc_9A8B3B
; 

loc_9A8B1D:				; CODE XREF: PopFxUnregisterDeviceOrWait(x)+2Bj
		xor	eax, eax
		push	eax
		push	eax
		lea	eax, [edi+30h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_9A8B3B
; 

loc_9A8B2C:				; CODE XREF: PopFxUnregisterDeviceOrWait(x)+1Ej
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [edi+30h]
		push	eax
		call	KeWaitForSingleObject

loc_9A8B3B:				; CODE XREF: PopFxUnregisterDeviceOrWait(x)+34j
					; PopFxUnregisterDeviceOrWait(x)+43j
		pop	edi
		pop	esi
		pop	ecx
		retn
_PopFxUnregisterDeviceOrWait@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxUpdateVetoMaskWork(x)
_PopFxUpdateVetoMaskWork@4 proc	near	; DATA XREF: PoFxSetTargetDripsDevicePowerState(x,x)+EEo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, offset _PopFxUpdateDripsConstraintContext
		xor	edx, edx
		mov	ecx, esi
		mov	ebx, [edi+8]
		call	ExAcquirePushLockExclusiveEx
		or	eax, 0FFFFFFFFh
		cmp	byte_6C39EC, 0
		jz	short loc_9A8B8D
		mov	ecx, dword_6C39E8
		mov	edx, offset dword_6C39E4
		cmp	[ecx], edx
		jz	short loc_9A8B7B
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9A8B7B:				; CODE XREF: PopFxUpdateVetoMaskWork(x)+35j
		mov	[edi], edx
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	dword_6C39E8, edi
		jmp	loc_9A8C20
; 

loc_9A8B8D:				; CODE XREF: PopFxUpdateVetoMaskWork(x)+26j
		inc	dword_6C39F0
		push	offset unk_6C39F4
		call	_KeResetEvent@4	; KeResetEvent(x)
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A8BB1
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A8BB1:				; CODE XREF: PopFxUpdateVetoMaskWork(x)+69j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	eax, [ebx+1Ch]
		mov	esi, [eax+10h]
		mov	ecx, esi
		call	_PoFxActivateDevice@4 ;	PoFxActivateDevice(x)
		mov	edx, [edi+0Ch]
		mov	ecx, ebx
		call	_PopPepUpdateDripsDeviceVetoMask@8 ; PopPepUpdateDripsDeviceVetoMask(x,x)
		mov	ecx, esi
		call	PoFxIdleDevice
		mov	ecx, ebx
		call	_PopFxReleaseDevice@4 ;	PopFxReleaseDevice(x)
		push	4D584650h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset _WNF_PO_DRIPS_DEVICE_CONSTRAINTS_UPDATED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	esi, offset _PopFxUpdateDripsConstraintContext
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		sub	dword_6C39F0, 1
		jnz	short loc_9A8C1D
		push	edi
		push	edi
		push	offset unk_6C39F4
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_9A8C1D:				; CODE XREF: PopFxUpdateVetoMaskWork(x)+D0j
		or	eax, 0FFFFFFFFh

loc_9A8C20:				; CODE XREF: PopFxUpdateVetoMaskWork(x)+49j
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9A8C31
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9A8C31:				; CODE XREF: PopFxUpdateVetoMaskWork(x)+E9j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PopFxUpdateVetoMaskWork@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxValidateReturnedUnicodeString(x, x, x)
_PopFxValidateReturnedUnicodeString@12 proc near
					; CODE XREF: PopPluginInitializeSocSubsystemStaticInfo(x,x)+55p
					; PopPluginInitializeSocSubsystemStaticInfo(x,x)+7Cp ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_C], 0
		mov	eax, edx
		mov	edx, [ecx+4]
		push	ebx
		movzx	ebx, word ptr [ecx+2]
		mov	[ebp+var_8], edx
		movzx	edx, word ptr [ecx]
		push	esi
		push	edi
		movzx	edi, dx
		and	edx, 0FFFFFF01h
		movzx	ecx, di
		mov	esi, ecx
		mov	[ebp+var_20], ecx
		shr	esi, 1
		mov	ch, bl
		and	ch, 1
		mov	[ebp+var_10], edx
		movzx	edx, bx
		mov	[ebp+var_1C], ebx
		mov	bx, di
		mov	[ebp+var_14], esi
		mov	esi, [ebp+var_8]
		cmp	esi, eax
		mov	[ebp+var_18], edi
		setz	al
		xor	edi, edi
		cmp	[esi], di
		mov	esi, [ebp+var_14]
		setz	cl
		mov	edi, [ebp+var_18]
		dec	cl
		and	cl, al
		neg	bx
		sbb	bl, bl
		and	bl, cl
		cmp	edx, [ebp+arg_0]
		mov	edx, [ebp+var_10]
		setnz	al
		dec	al
		and	al, bl
		mov	ebx, [ebp+var_8]
		neg	dl
		sbb	dl, dl
		not	dl
		and	dl, al
		neg	ch
		sbb	ch, ch
		xor	eax, eax
		not	ch
		and	ch, dl
		cmp	[ebx+esi*2], ax
		mov	edx, [ebp+arg_0]
		setnz	al
		dec	al
		and	al, ch
		cmp	di, word ptr [ebp+var_1C]
		sbb	cl, cl
		and	cl, al
		lea	eax, [ebp+var_C]
		mov	[ebp+var_1], cl
		mov	ecx, ebx
		push	eax
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		test	eax, eax
		jns	short loc_9A8CF9
		xor	eax, eax
		jmp	short locret_9A8D07
; 

loc_9A8CF9:				; CODE XREF: PopFxValidateReturnedUnicodeString(x,x,x)+B4j
		mov	eax, [ebp+var_20]
		cmp	eax, [ebp+var_C]
		setnz	al
		dec	al
		and	al, [ebp+var_1]

locret_9A8D07:				; CODE XREF: PopFxValidateReturnedUnicodeString(x,x,x)+B8j
		leave
		retn	4
_PopFxValidateReturnedUnicodeString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxVerifyDependencies(x, x, x)
_PopFxVerifyDependencies@12 proc near	; CODE XREF: PAGE:0089B1E5p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		push	esi
		push	edi
		push	4D584650h
		shl	eax, 2
		mov	edi, ecx
		push	eax
		push	1
		mov	[ebp+var_8], edx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_9A8D41
		mov	esi, 0C000009Ah
		jmp	loc_9A8E0F
; 

loc_9A8D41:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+2Aj
		xor	esi, esi
		mov	edx, esi
		mov	ecx, esi
		mov	[ebp+var_14], edx
		test	ebx, ebx
		jz	loc_9A8E01
		mov	[ebp+var_C], edi

loc_9A8D55:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+170j
		mov	ebx, [ebp+var_C]
		cmp	[ebx], esi
		mov	ebx, [ebp+arg_0]
		jnz	loc_9A8E71
		mov	[eax+ecx*4], edx
		add	ecx, 1
		jz	loc_9A8E71

loc_9A8D6F:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+15Aj
		mov	ebx, [eax+ecx*4-4]
		cmp	ebx, [ebp+arg_0]
		jnb	loc_9A8DFC
		imul	edx, ebx, 0Ch
		cmp	dword ptr [edx+edi], 2
		jz	short loc_9A8DFC
		mov	eax, [ebp+var_8]
		lfence	eax
		mov	eax, [eax+240h]
		mov	eax, [eax+ebx*4]
		mov	eax, [eax+7Ch]
		mov	[ebp+var_10], eax
		xor	eax, eax
		inc	eax
		cmp	[edx+edi], eax
		lfence	eax
		jnz	short loc_9A8E18
		mov	eax, [ebp+var_8]
		dec	ecx
		mov	dword ptr [edx+edi], 2
		mov	[ebp+var_1C], ecx
		mov	eax, [eax+240h]
		mov	eax, [eax+ebx*4]
		mov	eax, [eax+78h]
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_9A8E60
		mov	ebx, esi
		mov	ecx, eax
		mov	esi, [edx+edi+4]

loc_9A8DD2:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+DFj
		mov	eax, [ebp+var_10]
		imul	eax, [eax+ebx*8], 0Ch
		mov	eax, [eax+edi+4]
		cmp	eax, esi
		jbe	short loc_9A8DE7
		mov	esi, eax
		mov	[edx+edi+4], esi

loc_9A8DE7:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+D4j
		inc	ebx
		cmp	ebx, ecx
		jb	short loc_9A8DD2
		mov	ecx, [ebp+var_1C]
		xor	esi, esi
		inc	dword ptr [edx+edi+4]
		cmp	dword ptr [edx+edi+4], 4
		jbe	short loc_9A8E60

loc_9A8DFC:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+6Bj
					; PopFxVerifyDependencies(x,x,x)+78j
		mov	esi, 0C000000Dh

loc_9A8E01:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+41j
					; PopFxVerifyDependencies(x,x,x)+176j
		mov	edx, [ebp+var_4]

loc_9A8E04:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+180j
		push	4D584650h
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A8E0F:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+31j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_9A8E18:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+98j
		mov	[edx+edi], eax
		mov	eax, [ebp+var_8]
		mov	eax, [eax+240h]
		mov	eax, [eax+ebx*4]
		mov	ebx, esi
		mov	eax, [eax+78h]
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	short loc_9A8E60
		mov	edx, [ebp+var_4]

loc_9A8E36:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+153j
		mov	eax, [ebp+var_10]
		mov	eax, [eax+ebx*8]
		mov	[ebp+var_1C], eax
		imul	eax, 0Ch
		mov	eax, [eax+edi]
		cmp	eax, 1
		jz	short loc_9A8E86
		test	eax, eax
		jnz	short loc_9A8E5A
		cmp	ecx, [ebp+arg_0]
		jnb	short loc_9A8E86
		mov	eax, [ebp+var_1C]
		mov	[edx+ecx*4], eax
		inc	ecx

loc_9A8E5A:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+141j
		inc	ebx
		cmp	ebx, [ebp+var_18]
		jb	short loc_9A8E36

loc_9A8E60:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+B9j
					; PopFxVerifyDependencies(x,x,x)+EFj ...
		mov	eax, [ebp+var_4]
		test	ecx, ecx
		jnz	loc_9A8D6F
		mov	ebx, [ebp+arg_0]
		mov	edx, [ebp+var_14]

loc_9A8E71:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+52j
					; PopFxVerifyDependencies(x,x,x)+5Ej
		add	[ebp+var_C], 0Ch
		inc	edx
		mov	[ebp+var_14], edx
		cmp	edx, ebx
		jb	loc_9A8D55
		jmp	loc_9A8E01
; 

loc_9A8E86:				; CODE XREF: PopFxVerifyDependencies(x,x,x)+13Dj
					; PopFxVerifyDependencies(x,x,x)+146j
		mov	esi, 0C000000Dh
		jmp	loc_9A8E04
_PopFxVerifyDependencies@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginInitializeSocSubsystemStaticInfo(x, x)
_PopPluginInitializeSocSubsystemStaticInfo@8 proc near
					; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+15Cp

var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	ecx, _PopFxProcessorPlugin
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		push	esi
		push	25h
		mov	eax, [esi+0Ch]
		mov	[ebp+var_10], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_4], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_18], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_8], eax
		call	dword ptr [ecx+40h]
		test	al, al
		jnz	short loc_9A8EDA
		push	0
		push	_PopFxProcessorPlugin
		mov	ecx, 605h
		push	25h
		pop	edx

loc_9A8ED5:				; CODE XREF: PopPluginInitializeSocSubsystemStaticInfo(x,x)+6Fj
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_9A8EDA:				; CODE XREF: PopPluginInitializeSocSubsystemStaticInfo(x,x)+33j
		movzx	eax, word ptr [ebp+var_10+2]
		lea	ecx, [esi+0Ch]
		mov	edx, [ebp+var_4]
		push	eax
		call	_PopFxValidateReturnedUnicodeString@12 ; PopFxValidateReturnedUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_9A8F01
		lea	eax, [esi+10h]
		push	eax
		push	504E616Dh

loc_9A8EF7:				; CODE XREF: PopPluginInitializeSocSubsystemStaticInfo(x,x)+90j
					; PopPluginInitializeSocSubsystemStaticInfo(x,x)+ABj ...
		push	25h
		pop	edx
		mov	ecx, 706h
		jmp	short loc_9A8ED5
; 

loc_9A8F01:				; CODE XREF: PopPluginInitializeSocSubsystemStaticInfo(x,x)+5Cj
		movzx	eax, word ptr [ebp+var_18+2]
		lea	ecx, [esi+14h]
		mov	edx, [ebp+var_8]
		push	eax
		call	_PopFxValidateReturnedUnicodeString@12 ; PopFxValidateReturnedUnicodeString(x,x,x)
		mov	bl, al
		lea	edi, [esi+18h]
		test	bl, bl
		jnz	short loc_9A8F22
		push	edi
		push	534E616Dh
		jmp	short loc_9A8EF7
; 

loc_9A8F22:				; CODE XREF: PopPluginInitializeSocSubsystemStaticInfo(x,x)+88j
		push	40h		; size_t
		push	dword ptr [esi+10h] ; wchar_t *
		push	dword ptr [edi]	; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9A8F3D
		push	edi
		push	4E616D65h
		jmp	short loc_9A8EF7
; 

loc_9A8F3D:				; CODE XREF: PopPluginInitializeSocSubsystemStaticInfo(x,x)+A3j
		add	esi, 1Ch
		cmp	dword ptr [esi], 3E8h
		jbe	short loc_9A8F50
		push	esi
		push	4D436F75h
		jmp	short loc_9A8EF7
; 

loc_9A8F50:				; CODE XREF: PopPluginInitializeSocSubsystemStaticInfo(x,x)+B6j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_PopPluginInitializeSocSubsystemStaticInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginQuerySocSubsystemBlockingTime(x, x, x)
_PopPluginQuerySocSubsystemBlockingTime@12 proc	near
					; CODE XREF: PopFxLogSocSubsystemBlockingTimes(x,x,x,x)+BCp

var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, _PopFxProcessorPlugin
		push	esi
		mov	eax, [esi+8]
		push	27h
		mov	[ebp+var_C], edx
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_8], eax
		call	dword ptr [edi+40h]
		mov	bl, al
		test	bl, bl
		jnz	short loc_9A8FA4
		push	0
		push	_PopFxProcessorPlugin
		mov	ecx, 605h
		push	27h
		pop	edx

loc_9A8F9F:				; CODE XREF: PopPluginQuerySocSubsystemBlockingTime(x,x,x)+97j
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_9A8FA4:				; CODE XREF: PopPluginQuerySocSubsystemBlockingTime(x,x,x)+36j
		mov	esi, [esi+8]
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	0
		push	esi
		call	RtlHashUnicodeString
		mov	ax, [esi+2]
		cmp	ax, word ptr [ebp+var_14+2]
		jnz	short loc_9A8FE0
		mov	eax, [ebp+arg_0]
		cmp	[esi], ax
		jnz	short loc_9A8FE0
		mov	eax, [ebp+var_8]
		cmp	[esi+4], eax
		jnz	short loc_9A8FE0
		mov	eax, [ebp+var_C]
		cmp	[ebp+var_4], eax
		jnz	short loc_9A8FE0
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
; 

loc_9A8FE0:				; CODE XREF: PopPluginQuerySocSubsystemBlockingTime(x,x,x)+66j
					; PopPluginQuerySocSubsystemBlockingTime(x,x,x)+6Ej ...
		push	4E616D65h
		push	27h
		mov	edx, edi
		mov	ecx, 705h
		jmp	short loc_9A8F9F
_PopPluginQuerySocSubsystemBlockingTime@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginQuerySocSubsystemCount(x, x)
_PopPluginQuerySocSubsystemCount@8 proc	near
					; CODE XREF: PopFxInitializeSocSubsystemStaticInfo(x,x)+71p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, _PopFxProcessorPlugin
		push	esi
		mov	esi, edx
		test	eax, eax
		jnz	short loc_9A9007
		xor	al, al

loc_9A9004:				; CODE XREF: PopPluginQuerySocSubsystemCount(x,x)+1Fj
					; PopPluginQuerySocSubsystemCount(x,x)+41j
		pop	esi
		leave
		retn
; 

loc_9A9007:				; CODE XREF: PopPluginQuerySocSubsystemCount(x,x)+10j
		push	esi
		push	24h
		call	dword ptr [eax+40h]
		test	al, al
		jz	short loc_9A9004
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_9A902B
		push	ecx

loc_9A9019:				; CODE XREF: PopPluginQuerySocSubsystemCount(x,x)+44j
		push	53436F75h
		push	24h
		pop	edx
		mov	ecx, 706h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_9A902B:				; CODE XREF: PopPluginQuerySocSubsystemCount(x,x)+26j
		cmp	ecx, 3E8h
		jbe	short loc_9A9004
		push	ecx
		jmp	short loc_9A9019
_PopPluginQuerySocSubsystemCount@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginQuerySocSubsystemMetadata(x, x, x)
_PopPluginQuerySocSubsystemMetadata@12 proc near
					; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+164p

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, _PopFxProcessorPlugin
		push	ebx
		mov	[ebp+var_18], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		push	4D584650h
		mov	eax, [eax+10h]
		mov	esi, eax
		shl	esi, 3
		push	esi
		push	1
		mov	[ebp+var_28], edx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_1], bl
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_14], edi
		test	edi, edi
		jz	loc_9A9200
		push	esi		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		push	4D584650h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9A91E9
		mov	eax, [ebp+var_8]
		shl	eax, 3
		push	eax		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		mov	edx, [ebp+arg_0]
		add	esp, 0Ch
		mov	eax, [edx+8]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_30], ecx
		test	eax, eax
		jz	short loc_9A9107
		mov	ecx, edi
		mov	[ebp+var_C], eax
		sub	ecx, esi
		lea	ebx, [edx+14h]
		mov	edi, ecx
		mov	edx, esi

loc_9A90D8:				; CODE XREF: PopPluginQuerySocSubsystemMetadata(x,x,x)+C7j
		sub	[ebp+var_C], 1
		mov	ecx, [ebx]
		mov	eax, [ecx]
		mov	[edi+edx], eax
		mov	eax, [ecx+4]
		mov	[edi+edx+4], eax
		mov	ecx, [ebx]
		lea	ebx, [ebx+4]
		mov	eax, [ecx+8]
		mov	[edx], eax
		lea	edx, [edx+8]
		mov	eax, [ecx+0Ch]
		mov	[edx-4], eax
		jnz	short loc_9A90D8
		mov	edi, [ebp+var_14]
		xor	ebx, ebx
		mov	edx, [ebp+arg_0]

loc_9A9107:				; CODE XREF: PopPluginQuerySocSubsystemMetadata(x,x,x)+92j
		mov	eax, [ebp+var_18]
		push	edx
		push	28h
		call	dword ptr [eax+40h]
		mov	[ebp+var_1], al
		test	al, al
		jnz	short loc_9A912B
		push	ebx
		push	_PopFxProcessorPlugin
		mov	ecx, 605h
		push	28h
		pop	edx

loc_9A9126:				; CODE XREF: PopPluginQuerySocSubsystemMetadata(x,x,x)+1E5j
					; PopPluginQuerySocSubsystemMetadata(x,x,x)+204j
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_9A912B:				; CODE XREF: PopPluginQuerySocSubsystemMetadata(x,x,x)+DFj
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_10]
		push	ecx
		push	ebx
		push	ebx
		mov	eax, [eax+8]
		push	eax
		mov	[ebp+var_1C], eax
		call	RtlHashUnicodeString
		mov	ecx, [ebp+var_1C]
		mov	ax, [ecx+2]
		cmp	ax, word ptr [ebp+var_30+2]
		jnz	loc_9A922B
		mov	eax, [ebp+var_20]
		cmp	[ecx], ax
		jnz	loc_9A922B
		mov	eax, [ebp+var_24]
		cmp	[ecx+4], eax
		jnz	loc_9A922B
		mov	eax, [ebp+var_28]
		cmp	[ebp+var_10], eax
		jnz	loc_9A922B
		cmp	[ebp+var_8], 0
		jz	short loc_9A91E9
		lea	eax, [esi+2]
		mov	edx, esi
		mov	[ebp+var_C], eax
		lea	ecx, [edi+4]
		mov	eax, [ebp+arg_0]
		add	eax, 14h
		mov	[ebp+arg_0], ecx
		sub	edx, edi
		mov	[ebp+var_10], eax
		mov	[ebp+var_28], edx

loc_9A9197:				; CODE XREF: PopPluginQuerySocSubsystemMetadata(x,x,x)+1AEj
		mov	edi, [eax]
		movzx	eax, word ptr [ecx-2]
		mov	edx, [ecx]
		mov	ecx, edi
		push	eax
		call	_PopFxValidateReturnedUnicodeString@12 ; PopFxValidateReturnedUnicodeString(x,x,x)
		test	al, al
		jz	short loc_9A9220
		mov	eax, [ebp+var_C]
		lea	ecx, [edi+8]
		mov	edx, [ebp+arg_0]
		movzx	eax, word ptr [eax]
		push	eax
		mov	eax, [ebp+var_28]
		mov	edx, [eax+edx]
		call	_PopFxValidateReturnedUnicodeString@12 ; PopFxValidateReturnedUnicodeString(x,x,x)
		mov	[ebp+var_1], al
		test	al, al
		jz	short loc_9A920A
		mov	eax, [ebp+var_10]
		inc	ebx
		mov	ecx, [ebp+arg_0]
		add	eax, 4
		add	[ebp+var_C], 8
		add	ecx, 8
		mov	[ebp+var_10], eax
		mov	[ebp+arg_0], ecx
		cmp	ebx, [ebp+var_8]
		jb	short loc_9A9197
		mov	edi, [ebp+var_14]

loc_9A91E9:				; CODE XREF: PopPluginQuerySocSubsystemMetadata(x,x,x)+62j
					; PopPluginQuerySocSubsystemMetadata(x,x,x)+143j
		mov	ebx, 4D584650h
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	short loc_9A9200
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9A9200:				; CODE XREF: PopPluginQuerySocSubsystemMetadata(x,x,x)+40j
					; PopPluginQuerySocSubsystemMetadata(x,x,x)+1C1j
		mov	al, [ebp+var_1]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_9A920A:				; CODE XREF: PopPluginQuerySocSubsystemMetadata(x,x,x)+192j
		lea	eax, [edi+0Ch]
		push	eax
		push	56616C75h

loc_9A9213:				; CODE XREF: PopPluginQuerySocSubsystemMetadata(x,x,x)+1F3j
		push	28h
		pop	edx
		mov	ecx, 706h
		jmp	loc_9A9126
; 

loc_9A9220:				; CODE XREF: PopPluginQuerySocSubsystemMetadata(x,x,x)+173j
		lea	eax, [edi+4]
		push	eax
		push	4B657920h
		jmp	short loc_9A9213
; 

loc_9A922B:				; CODE XREF: PopPluginQuerySocSubsystemMetadata(x,x,x)+115j
					; PopPluginQuerySocSubsystemMetadata(x,x,x)+121j ...
		mov	edx, [ebp+var_18]
		mov	ecx, 705h
		push	534E616Dh
		push	28h
		jmp	loc_9A9126
_PopPluginQuerySocSubsystemMetadata@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPluginResetSocSubsystemAccounting(x, x)
_PopPluginResetSocSubsystemAccounting@8	proc near
					; CODE XREF: PopFxResetSocSubsystemAccounting(x,x)+21p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, _PopFxProcessorPlugin
		push	edx
		push	26h
		call	dword ptr [eax+40h]
		test	al, al
		jnz	short locret_9A9269
		push	0
		push	_PopFxProcessorPlugin
		mov	ecx, 605h
		push	26h
		pop	edx
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

locret_9A9269:				; CODE XREF: PopPluginResetSocSubsystemAccounting(x,x)+13j
		leave
		retn
_PopPluginResetSocSubsystemAccounting@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopAwayModePowerRequest(x, x, x)
_PopAwayModePowerRequest@12 proc near	; DATA XREF: .data:006B147Co

arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_PopAcquireAwaymodeLock@0 ; PopAcquireAwaymodeLock()
		cmp	[ebp+arg_8], 0
		setnz	byte_6C2D10
		call	_PopReleaseAwaymodeLock@0 ; PopReleaseAwaymodeLock()
		xor	eax, eax
		pop	ebp
		retn	0Ch
_PopAwayModePowerRequest@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopClearSpecialRequest(x, x)
_PopClearSpecialRequest@8 proc near	; CODE XREF: PopPowerRequestActionInfo:loc_8429ADp

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	edx, 3
		jz	short loc_9A92A5
		mov	edi, 0C000000Dh
		jmp	loc_9A933F
; 

loc_9A92A5:				; CODE XREF: PopClearSpecialRequest(x,x)+Ej
		mov	eax, large fs:124h
		push	ebx
		xor	ebx, ebx
		and	[ebp+var_8], ebx
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_1], bl
		nop
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C3884, eax
		mov	eax, [esi+58h]
		test	eax, eax
		jnz	short loc_9A92E1
		mov	edi, 0C000000Dh
		jmp	short loc_9A92FE
; 

loc_9A92E1:				; CODE XREF: PopClearSpecialRequest(x,x)+4Dj
		and	[esi+58h], ebx
		mov	ecx, esi
		mov	ebx, [esi+54h]
		and	dword ptr [esi+54h], 0
		dec	dword ptr [esi+24h]
		mov	[ebp+var_8], eax
		mov	[ebp+var_1], 1
		call	_PopDiagTracePowerRequestChange@4 ; PopDiagTracePowerRequestChange(x)
		xor	edi, edi

loc_9A92FE:				; CODE XREF: PopClearSpecialRequest(x,x)+54j
		cmp	dword_6C3884, 0
		jz	short loc_9A930E
		and	dword_6C3884, 0

loc_9A930E:				; CODE XREF: PopClearSpecialRequest(x,x)+7Aj
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[ebp+var_1], 0
		jz	short loc_9A933E
		push	esi
		push	[ebp+var_8]
		call	_PsReleaseProcessWakeCounter@8 ; PsReleaseProcessWakeCounter(x,x)
		test	ebx, ebx
		jz	short loc_9A933E
		mov	edx, 72506F50h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_9A933E:				; CODE XREF: PopClearSpecialRequest(x,x)+98j
					; PopClearSpecialRequest(x,x)+A5j
		pop	ebx

loc_9A933F:				; CODE XREF: PopClearSpecialRequest(x,x)+15j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
_PopClearSpecialRequest@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopExecutionRequiredTimeoutWorkerRoutine(x)
_PopExecutionRequiredTimeoutWorkerRoutine@4 proc near
					; DATA XREF: PopPowerRequestInit()+12Fo
		mov	edi, edi
		push	ebx
		push	edi
		xor	eax, eax
		mov	ecx, offset _PopExecutionRequiredWorkRequested
		xchg	eax, [ecx]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopPowerRequestLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	bl, bl
		cmp	ds:_PopExecutionRequiredTimeout, 0
		mov	dword_6C3884, eax
		jz	short loc_9A93D8
		cmp	byte_6C3863, bl
		jnz	short loc_9A9390

loc_9A938C:				; CODE XREF: PopExecutionRequiredTimeoutWorkerRoutine(x)+5Aj
					; PopExecutionRequiredTimeoutWorkerRoutine(x)+62j
		mov	bl, 1
		jmp	short loc_9A93D8
; 

loc_9A9390:				; CODE XREF: PopExecutionRequiredTimeoutWorkerRoutine(x)+45j
		cmp	ds:_PopPowerRequestActiveAudioEnablesExecutionRequired,	0
		jz	short loc_9A93A1
		cmp	byte_6C3862, bl
		jnz	short loc_9A938C

loc_9A93A1:				; CODE XREF: PopExecutionRequiredTimeoutWorkerRoutine(x)+52j
		cmp	byte_6C3861, bl
		jnz	short loc_9A938C
		push	esi
		call	KeQueryInterruptTime
		mov	esi, eax
		mov	ecx, edx
		sub	esi, dword_6C3868
		mov	edx, 989680h
		mov	eax, ds:_PopExecutionRequiredTimeout
		sbb	ecx, dword_6C386C
		mul	edx
		cmp	ecx, edx
		ja	short loc_9A93D7
		jb	short loc_9A93D5
		cmp	esi, eax
		jnb	short loc_9A93D7

loc_9A93D5:				; CODE XREF: PopExecutionRequiredTimeoutWorkerRoutine(x)+8Aj
		mov	bl, 1

loc_9A93D7:				; CODE XREF: PopExecutionRequiredTimeoutWorkerRoutine(x)+88j
					; PopExecutionRequiredTimeoutWorkerRoutine(x)+8Ej
		pop	esi

loc_9A93D8:				; CODE XREF: PopExecutionRequiredTimeoutWorkerRoutine(x)+3Dj
					; PopExecutionRequiredTimeoutWorkerRoutine(x)+49j
		cmp	_PopExecutionRequiredContext, bl
		jz	short loc_9A93ED
		mov	cl, bl
		mov	_PopExecutionRequiredContext, bl
		call	PopEnableExecutionRequiredPowerRequests

loc_9A93ED:				; CODE XREF: PopExecutionRequiredTimeoutWorkerRoutine(x)+99j
		cmp	dword_6C3884, 0
		jz	short loc_9A93FD
		and	dword_6C3884, 0

loc_9A93FD:				; CODE XREF: PopExecutionRequiredTimeoutWorkerRoutine(x)+AFj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	ebx
		retn	4
_PopExecutionRequiredTimeoutWorkerRoutine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopGetPowerRequestDiagnosticBuffer(x, x, x)
_PopGetPowerRequestDiagnosticBuffer@12 proc near
					; CODE XREF: PopUmpoSendPowerRequestCreate(x)+15p
					; PopUmpoSendPowerRequestCreate(x)+58p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	eax, ecx
		mov	esi, offset _PopPowerRequestObjectList
		mov	ecx, _PopPowerRequestObjectList
		jmp	short loc_9A942C
; 

loc_9A9425:				; CODE XREF: PopGetPowerRequestDiagnosticBuffer(x,x,x)+1Ej
		cmp	[ecx+14h], eax
		jz	short loc_9A943A
		mov	ecx, [ecx]

loc_9A942C:				; CODE XREF: PopGetPowerRequestDiagnosticBuffer(x,x,x)+13j
		cmp	ecx, esi
		jnz	short loc_9A9425
		mov	eax, 0C0000225h

loc_9A9435:				; CODE XREF: PopGetPowerRequestDiagnosticBuffer(x,x,x)+36j
		pop	esi
		pop	ebp
		retn	4
; 

loc_9A943A:				; CODE XREF: PopGetPowerRequestDiagnosticBuffer(x,x,x)+18j
		mov	ecx, [ecx+40h]
		push	ecx
		push	[ebp+arg_0]
		call	PoStoreDiagnosticContext
		jmp	short loc_9A9435
_PopGetPowerRequestDiagnosticBuffer@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNotifySessionUserPowerRequestAttributed(x, x, x)
_PopNotifySessionUserPowerRequestAttributed@12 proc near
					; CODE XREF: PopPowerInformationInternal+171959p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_4], ecx
		xor	bl, bl
		mov	edi, edx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	edx, offset _PopPowerRequestObjectList
		mov	ecx, _PopPowerRequestObjectList
		mov	dword_6C3884, eax
		cmp	ecx, edx
		jz	short loc_9A94AE
		mov	eax, [ebp+var_4]

loc_9A9492:				; CODE XREF: PopNotifySessionUserPowerRequestAttributed(x,x,x)+5Aj
		mov	esi, ecx
		cmp	[ecx+44h], eax
		jnz	short loc_9A949E
		cmp	[ecx+48h], edi
		jz	short loc_9A94A6

loc_9A949E:				; CODE XREF: PopNotifySessionUserPowerRequestAttributed(x,x,x)+4Fj
		mov	ecx, [ecx]
		cmp	ecx, edx
		jnz	short loc_9A9492
		jmp	short loc_9A94AE
; 

loc_9A94A6:				; CODE XREF: PopNotifySessionUserPowerRequestAttributed(x,x,x)+54j
		mov	eax, [ebp+arg_0]
		mov	bl, 1
		mov	[ecx+4Ch], eax

loc_9A94AE:				; CODE XREF: PopNotifySessionUserPowerRequestAttributed(x,x,x)+45j
					; PopNotifySessionUserPowerRequestAttributed(x,x,x)+5Cj
		cmp	dword_6C3884, 0
		jz	short loc_9A94BE
		and	dword_6C3884, 0

loc_9A94BE:				; CODE XREF: PopNotifySessionUserPowerRequestAttributed(x,x,x)+6Dj
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	bl, bl
		jz	short loc_9A94F5
		cmp	ds:_TtmpEnabled, 1
		jnz	short loc_9A94F5
		mov	edx, [esi+14h]
		mov	ecx, [esi+8]
		push	1
		push	dword ptr [esi+18h]
		push	dword ptr [esi+4Ch]
		push	dword ptr [esi+48h]
		push	dword ptr [esi+44h]
		call	_TtmNotifySessionPowerRequestPresent@28	; TtmNotifySessionPowerRequestPresent(x,x,x,x,x,x,x)

loc_9A94F5:				; CODE XREF: PopNotifySessionUserPowerRequestAttributed(x,x,x)+89j
					; PopNotifySessionUserPowerRequestAttributed(x,x,x)+92j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopNotifySessionUserPowerRequestAttributed@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNotifySessionUserPowerRequestsPresent()
_PopNotifySessionUserPowerRequestsPresent@0 proc near
					; CODE XREF: NtPowerInformation+1722CFp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PopPowerRequestLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopPowerRequestObjectList
		mov	edi, offset _PopPowerRequestObjectList
		jmp	short loc_9A9551
; 

loc_9A9531:				; CODE XREF: PopNotifySessionUserPowerRequestsPresent()+57j
		mov	eax, [esi+44h]
		test	eax, eax
		jz	short loc_9A954F
		mov	edx, [esi+14h]
		mov	ecx, [esi+8]
		push	0
		push	dword ptr [esi+18h]
		push	dword ptr [esi+4Ch]
		push	dword ptr [esi+48h]
		push	eax
		call	_TtmNotifySessionPowerRequestPresent@28	; TtmNotifySessionPowerRequestPresent(x,x,x,x,x,x,x)

loc_9A954F:				; CODE XREF: PopNotifySessionUserPowerRequestsPresent()+3Aj
		mov	esi, [esi]

loc_9A9551:				; CODE XREF: PopNotifySessionUserPowerRequestsPresent()+33j
		cmp	esi, edi
		jnz	short loc_9A9531
		cmp	dword_6C3884, 0
		jz	short loc_9A9565
		and	dword_6C3884, 0

loc_9A9565:				; CODE XREF: PopNotifySessionUserPowerRequestsPresent()+60j
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopNotifySessionUserPowerRequestsPresent@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNotifyUserPowerRequestAction(x, x, x)
_PopNotifyUserPowerRequestAction@12 proc near
					; CODE XREF: PoClearPowerRequestInternal+B3ECAp
					; PopProcessPowerRequestOverrideQueryResponse+B376Ep ...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= byte ptr -38h
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		cmp	_PopPowerRequestNotificationsEnabled, 0
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jz	short loc_9A95CF
		push	ebx
		push	44h		; size_t
		lea	eax, [ebp+var_44]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [edi+14h]
		lea	ecx, [ebp+var_44]
		mov	bl, [ebp+arg_0]
		add	esp, 0Ch
		mov	[ebp+var_44], 10h
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], esi
		push	0
		push	44h
		pop	edx
		mov	[ebp+var_38], bl
		call	PopUmpoSendPowerMessage
		test	bl, bl
		pop	ebx
		setnz	al
		mov	[edi+esi+5Dh], al

loc_9A95CF:				; CODE XREF: PopNotifyUserPowerRequestAction(x,x,x)+15j
		pop	edi
		pop	esi
		leave
		retn	4
_PopNotifyUserPowerRequestAction@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerRequestDeleteEntryNoLock(x)
_PopPowerRequestDeleteEntryNoLock@4 proc near
					; CODE XREF: PopCreatePowerRequestObject+E4859p
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopPowerRequestLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		push	esi
		push	offset _PopPowerRequestTable
		mov	dword_6C3884, eax
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		cmp	dword_6C3884, 0
		jz	short loc_9A961B
		and	dword_6C3884, 0

loc_9A961B:				; CODE XREF: PopPowerRequestDeleteEntryNoLock(x)+3Dj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopPowerRequestDeleteEntryNoLock@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerRequestNotificationsBegin()
_PopPowerRequestNotificationsBegin@0 proc near
					; CODE XREF: PopUmpoProcessPowerMessage:loc_766640p
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopPowerRequestLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, offset _PopPowerRequestObjectList
		mov	dword_6C3884, eax
		mov	_PopPowerRequestNotificationsEnabled, 1
		call	_PopPowerRequestNotificationsFlush@4 ; PopPowerRequestNotificationsFlush(x)
		mov	ecx, offset _PopSpecialPowerRequestObjectList
		call	_PopPowerRequestNotificationsFlush@4 ; PopPowerRequestNotificationsFlush(x)
		cmp	dword_6C3884, 0
		jz	short loc_9A967E
		and	dword_6C3884, 0

loc_9A967E:				; CODE XREF: PopPowerRequestNotificationsBegin()+4Aj
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopPowerRequestNotificationsBegin@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerRequestNotificationsFlush(x)
_PopPowerRequestNotificationsFlush@4 proc near
					; CODE XREF: PopPowerRequestNotificationsBegin()+34p
					; PopPowerRequestNotificationsBegin()+3Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	esi, [ebx]
		jmp	short loc_9A96F2
; 

loc_9A969C:				; CODE XREF: PopPowerRequestNotificationsFlush(x)+67j
		cmp	dword ptr [esi+44h], 0
		jz	short loc_9A96F0
		mov	ecx, [esi+14h]
		call	_PopUmpoSendPowerRequestCreate@4 ; PopUmpoSendPowerRequestCreate(x)
		lea	edx, [esi+18h]
		xor	edi, edi
		mov	[ebp+var_4], edx

loc_9A96B2:				; CODE XREF: PopPowerRequestNotificationsFlush(x)+61j
		xor	eax, eax
		mov	ecx, edi
		inc	eax
		shl	eax, cl
		test	[esi+10h], eax
		jnz	short loc_9A96E4
		cmp	dword ptr [edx], 0
		jbe	short loc_9A96E4
		test	edi, edi
		jz	short loc_9A96D6
		cmp	edi, 3
		jz	short loc_9A96D6
		cmp	edi, 1
		jz	short loc_9A96D6
		cmp	edi, 2
		jnz	short loc_9A96E4

loc_9A96D6:				; CODE XREF: PopPowerRequestNotificationsFlush(x)+38j
					; PopPowerRequestNotificationsFlush(x)+3Dj ...
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	_PopNotifyUserPowerRequestAction@12 ; PopNotifyUserPowerRequestAction(x,x,x)
		mov	edx, [ebp+var_4]

loc_9A96E4:				; CODE XREF: PopPowerRequestNotificationsFlush(x)+2Fj
					; PopPowerRequestNotificationsFlush(x)+34j ...
		inc	edi
		add	edx, 4
		mov	[ebp+var_4], edx
		cmp	edi, 6
		jl	short loc_9A96B2

loc_9A96F0:				; CODE XREF: PopPowerRequestNotificationsFlush(x)+13j
		mov	esi, [esi]

loc_9A96F2:				; CODE XREF: PopPowerRequestNotificationsFlush(x)+Dj
		cmp	esi, ebx
		jnz	short loc_9A969C
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopPowerRequestNotificationsFlush@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerRequestNotifyMobileHotspotChanged(x)
_PopPowerRequestNotifyMobileHotspotChanged@4 proc near
					; CODE XREF: PopWnfMobileHotspotCallback(x,x,x,x,x,x)+47p
		mov	eax, large fs:124h
		push	ebx
		push	edi
		mov	bl, cl
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopPowerRequestLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	ecx, ecx
		mov	dl, bl
		mov	dword_6C3884, eax
		inc	ecx
		mov	byte_6C3861, bl
		call	_PopStatsScenarioStateChange@8 ; PopStatsScenarioStateChange(x,x)
		xor	bl, bl
		cmp	ds:_PopExecutionRequiredTimeout, 0
		jz	short loc_9A9795
		cmp	byte_6C3863, bl
		jnz	short loc_9A974D

loc_9A9749:				; CODE XREF: PopPowerRequestNotifyMobileHotspotChanged(x)+61j
					; PopPowerRequestNotifyMobileHotspotChanged(x)+69j
		mov	bl, 1
		jmp	short loc_9A9795
; 

loc_9A974D:				; CODE XREF: PopPowerRequestNotifyMobileHotspotChanged(x)+4Cj
		cmp	ds:_PopPowerRequestActiveAudioEnablesExecutionRequired,	0
		jz	short loc_9A975E
		cmp	byte_6C3862, bl
		jnz	short loc_9A9749

loc_9A975E:				; CODE XREF: PopPowerRequestNotifyMobileHotspotChanged(x)+59j
		cmp	byte_6C3861, bl
		jnz	short loc_9A9749
		push	esi
		call	KeQueryInterruptTime
		mov	esi, eax
		mov	ecx, edx
		sub	esi, dword_6C3868
		mov	edx, 989680h
		mov	eax, ds:_PopExecutionRequiredTimeout
		sbb	ecx, dword_6C386C
		mul	edx
		cmp	ecx, edx
		ja	short loc_9A9794
		jb	short loc_9A9792
		cmp	esi, eax
		jnb	short loc_9A9794

loc_9A9792:				; CODE XREF: PopPowerRequestNotifyMobileHotspotChanged(x)+91j
		mov	bl, 1

loc_9A9794:				; CODE XREF: PopPowerRequestNotifyMobileHotspotChanged(x)+8Fj
					; PopPowerRequestNotifyMobileHotspotChanged(x)+95j
		pop	esi

loc_9A9795:				; CODE XREF: PopPowerRequestNotifyMobileHotspotChanged(x)+44j
					; PopPowerRequestNotifyMobileHotspotChanged(x)+50j
		cmp	_PopExecutionRequiredContext, bl
		jz	short loc_9A97AA
		mov	cl, bl
		mov	_PopExecutionRequiredContext, bl
		call	PopEnableExecutionRequiredPowerRequests

loc_9A97AA:				; CODE XREF: PopPowerRequestNotifyMobileHotspotChanged(x)+A0j
		cmp	dword_6C3884, 0
		jz	short loc_9A97BA
		and	dword_6C3884, 0

loc_9A97BA:				; CODE XREF: PopPowerRequestNotifyMobileHotspotChanged(x)+B6j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		pop	edi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopPowerRequestNotifyMobileHotspotChanged@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerRequestNotifySystemIdleStateChanged(x)
_PopPowerRequestNotifySystemIdleStateChanged@4 proc near
					; CODE XREF: PopUpdatePdcSystemIdleState(x)+5p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	bl, cl
		nop
		mov	edi, offset _PopPowerRequestLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C3884, eax
		cmp	byte_6C3863, bl
		jz	loc_9A98A9
		mov	byte_6C3863, bl
		test	bl, bl
		jz	short loc_9A9823
		call	KeQueryInterruptTime
		mov	dword_6C3868, eax
		mov	dword_6C386C, edx
		call	PopSetExecutionRequiredTimer
		jmp	short loc_9A983B
; 

loc_9A9823:				; CODE XREF: PopPowerRequestNotifySystemIdleStateChanged(x)+40j
		and	dword_6C3868, 0
		and	dword_6C386C, 0
		push	offset _PopExecutionRequiredTimer
		call	_KeCancelTimer@4 ; KeCancelTimer(x)

loc_9A983B:				; CODE XREF: PopPowerRequestNotifySystemIdleStateChanged(x)+57j
		xor	bl, bl
		cmp	ds:_PopExecutionRequiredTimeout, 0
		jz	short loc_9A9894
		cmp	byte_6C3863, bl
		jz	short loc_9A9892
		cmp	ds:_PopPowerRequestActiveAudioEnablesExecutionRequired,	0
		jz	short loc_9A985F
		cmp	byte_6C3862, bl
		jnz	short loc_9A9892

loc_9A985F:				; CODE XREF: PopPowerRequestNotifySystemIdleStateChanged(x)+8Bj
		cmp	byte_6C3861, bl
		jnz	short loc_9A9892
		call	KeQueryInterruptTime
		mov	esi, eax
		mov	ecx, edx
		sub	esi, dword_6C3868
		mov	edx, 989680h
		mov	eax, ds:_PopExecutionRequiredTimeout
		sbb	ecx, dword_6C386C
		mul	edx
		cmp	ecx, edx
		ja	short loc_9A9894
		jb	short loc_9A9892
		cmp	esi, eax
		jnb	short loc_9A9894

loc_9A9892:				; CODE XREF: PopPowerRequestNotifySystemIdleStateChanged(x)+82j
					; PopPowerRequestNotifySystemIdleStateChanged(x)+93j ...
		mov	bl, 1

loc_9A9894:				; CODE XREF: PopPowerRequestNotifySystemIdleStateChanged(x)+7Aj
					; PopPowerRequestNotifySystemIdleStateChanged(x)+C0j ...
		cmp	_PopExecutionRequiredContext, bl
		jz	short loc_9A98A9
		mov	cl, bl
		mov	_PopExecutionRequiredContext, bl
		call	PopEnableExecutionRequiredPowerRequests

loc_9A98A9:				; CODE XREF: PopPowerRequestNotifySystemIdleStateChanged(x)+32j
					; PopPowerRequestNotifySystemIdleStateChanged(x)+D0j
		cmp	dword_6C3884, 0
		jz	short loc_9A98B9
		and	dword_6C3884, 0

loc_9A98B9:				; CODE XREF: PopPowerRequestNotifySystemIdleStateChanged(x)+E6j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopPowerRequestNotifySystemIdleStateChanged@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetSpecialRequest(x, x, x)
_PopSetSpecialRequest@12 proc near	; CODE XREF: PopPowerRequestActionInfo+E3FA6p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		xor	bl, bl
		push	edi
		mov	edi, ecx
		cmp	edx, 3
		jz	short loc_9A98EA
		mov	esi, 0C000000Dh
		jmp	loc_9A99BE
; 

loc_9A98EA:				; CODE XREF: PopSetSpecialRequest(x,x,x)+14j
		push	0
		lea	eax, [ebp+var_4]
		push	eax
		push	72506F50h
		push	1
		push	ds:_PsProcessType
		push	2000h
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9A99BE
		push	edi
		push	3
		push	0
		push	[ebp+var_4]
		call	_PsChargeProcessWakeCounter@16 ; PsChargeProcessWakeCounter(x,x,x,x)
		mov	ecx, large fs:124h
		mov	esi, eax
		mov	[ebp+arg_0], esi
		dec	word ptr [ecx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C3884, eax
		cmp	dword ptr [edi+54h], 0
		jz	short loc_9A995B
		mov	bl, 1
		mov	esi, 0C000000Dh
		jmp	short loc_9A9983
; 

loc_9A995B:				; CODE XREF: PopSetSpecialRequest(x,x,x)+86j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_9A9971
		mov	edx, 72506F50h
		mov	ecx, eax
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+var_4]

loc_9A9971:				; CODE XREF: PopSetSpecialRequest(x,x,x)+96j
		mov	[edi+54h], eax
		mov	ecx, edi
		mov	[edi+58h], esi
		inc	dword ptr [edi+24h]
		call	_PopDiagTracePowerRequestChange@4 ; PopDiagTracePowerRequestChange(x)
		xor	esi, esi

loc_9A9983:				; CODE XREF: PopSetSpecialRequest(x,x,x)+8Fj
		cmp	dword_6C3884, 0
		jz	short loc_9A9993
		and	dword_6C3884, 0

loc_9A9993:				; CODE XREF: PopSetSpecialRequest(x,x,x)+C0j
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	bl, bl
		jz	short loc_9A99B1
		push	edi
		push	[ebp+arg_0]
		call	_PsReleaseProcessWakeCounter@8 ; PsReleaseProcessWakeCounter(x,x)

loc_9A99B1:				; CODE XREF: PopSetSpecialRequest(x,x,x)+DCj
		mov	ecx, [ebp+var_4]
		mov	edx, 72506F50h
		call	ObfDereferenceObjectWithTag

loc_9A99BE:				; CODE XREF: PopSetSpecialRequest(x,x,x)+1Bj
					; PopSetSpecialRequest(x,x,x)+44j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopSetSpecialRequest@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmInstallCoordinatedIdleStates(x)
_PpmInstallCoordinatedIdleStates@4 proc	near

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		cmp	ds:_PpmPlatformStates, 0
		mov	edi, [ebp+arg_0]
		mov	dword_6C2ADC, eax
		mov	[ebp+var_24], 1
		jz	short loc_9A9A1A
		cmp	byte ptr [edi+14h], 0
		jnz	short loc_9A9A1A
		mov	esi, 0C0000189h
		jmp	loc_9A9F33
; 

loc_9A9A1A:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+41j
					; PpmInstallCoordinatedIdleStates(x)+47j
		mov	ecx, edi
		call	_PpmIdleUpdateCoordinatedDependencies@4	; PpmIdleUpdateCoordinatedDependencies(x)
		mov	esi, eax
		test	esi, esi
		js	loc_9A9F33
		mov	esi, [edi]
		mov	[ebp+var_8], esi
		test	esi, esi
		jnz	short loc_9A9A3E
		mov	esi, 0C000000Dh
		jmp	loc_9A9F33
; 

loc_9A9A3E:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+6Bj
		mov	edx, ds:_KeNumberProcessors
		mov	eax, esi
		imul	eax, edx
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], eax
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	esi, esi
		jz	short loc_9A9A8E
		lea	edx, [edi+40h]
		mov	[ebp+var_20], esi
		mov	edi, eax

loc_9A9A65:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+B0j
		mov	ecx, [edx+4]
		add	ebx, ecx
		mov	eax, [edx]
		lea	edx, [edx+38h]
		imul	eax, ecx
		add	edi, eax
		sub	esi, 1
		jnz	short loc_9A9A65
		mov	esi, [ebp+var_8]
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+var_4]
		mov	[ebp+var_10], edi
		mov	edi, [ebp+arg_0]
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_1C], ebx

loc_9A9A8E:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+94j
		mov	ebx, ds:_PpmPlatformStates
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jnz	loc_9A9D62
		imul	edx, [ebp+var_1C], 0Ch
		imul	ebx, esi, 0C0h
		shl	ecx, 4
		add	ebx, 43h
		and	ebx, 0FFFFFFFCh
		add	edx, ebx
		mov	[ebp+var_28], ebx
		add	ecx, edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_30], ecx
		lea	ecx, [ecx+eax*4]
		imul	eax, esi, 3F0h
		add	ecx, 7
		and	ecx, 0FFFFFFF8h
		mov	[ebp+var_18], ecx
		add	ecx, 1Fh
		add	eax, ecx
		mov	ecx, esi
		shl	ecx, 2
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_38], ecx
		add	ecx, 0Fh
		and	ecx, 0FFFFFFF8h
		mov	[ebp+var_34], eax
		mov	[ebp+var_3C], ecx
		imul	ecx, [ebp+var_4]
		add	ecx, eax
		mov	eax, _PpmIdleVetoList
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_20], ecx
		test	eax, eax
		jz	short loc_9A9B0F
		mov	eax, [eax]
		imul	eax, esi
		imul	eax, 38h
		add	ecx, eax
		mov	[ebp+var_1C], ecx

loc_9A9B0F:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+139j
		push	694D5050h
		push	ecx
		push	204h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jnz	short loc_9A9B32
		mov	esi, 0C000009Ah
		jmp	loc_9A9F33
; 

loc_9A9B32:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+15Fj
		push	[ebp+var_1C]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		xor	eax, eax
		mov	[ebx], esi
		inc	eax
		add	esp, 0Ch
		mov	[ebx+4], eax
		mov	[ebx+0Ch], al
		mov	eax, [ebp+var_4]
		mov	[ebx+8], eax
		mov	eax, [edi+4]
		mov	[ebx+10h], eax
		mov	eax, [edi+8]
		mov	[ebx+14h], eax
		mov	eax, [edi+0Ch]
		mov	[ebx+18h], eax
		mov	eax, [edi+10h]
		mov	[ebx+1Ch], eax
		mov	eax, [ebp+var_18]
		add	eax, ebx
		mov	[ebx+20h], eax
		mov	ecx, eax	; void *
		mov	[eax+4], esi
		call	_PpmResetPlatformIdleAccounting@4 ; PpmResetPlatformIdleAccounting(x)
		mov	eax, [ebp+var_20]
		xor	edx, edx
		add	eax, ebx
		mov	[ebp+var_14], eax
		cmp	[edi], edx
		jbe	short loc_9A9C03
		mov	eax, [ebp+var_18]
		lea	ecx, [ebx+54h]
		add	eax, 0C0h
		add	eax, ebx
		xor	ebx, ebx
		mov	[ebp+var_10], eax
		inc	ebx

loc_9A9B9C:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+234j
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	byte ptr [ecx+8], 7
		cmp	ds:_PpmIdleDisableStatesAtBoot,	ebx
		jb	short loc_9A9BB4
		mov	dword ptr [ecx-4], 80000000h

loc_9A9BB4:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+1E4j
		mov	eax, _PpmIdleVetoList
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	short loc_9A9BEB
		mov	eax, [edi]
		dec	eax
		cmp	edx, eax
		jnz	short loc_9A9BCA
		mov	[ecx+9], bl

loc_9A9BCA:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+1FEj
		mov	eax, [ebp+var_1C]
		mov	esi, [ebp+var_14]
		mov	eax, [eax]
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+var_1C]
		mov	[ecx+10h], esi
		imul	eax, [eax], 38h
		add	esi, eax
		lea	eax, [ecx-4]
		mov	[ebp+var_14], esi
		mov	esi, [ebp+var_10]
		mov	[esi], eax

loc_9A9BEB:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+1F7j
		add	[ebp+var_10], 3F0h
		inc	edx
		add	ecx, 0C0h
		cmp	edx, [edi]
		jb	short loc_9A9B9C
		mov	ebx, [ebp+var_C]
		mov	esi, [ebp+var_8]

loc_9A9C03:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+1C0j
		mov	ecx, [ebp+var_28]
		mov	eax, [ebp+var_2C]
		add	ecx, ebx
		add	eax, ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], eax
		test	esi, esi
		jz	loc_9A9C9B
		lea	edx, [edi+44h]
		mov	[ebp+var_18], esi
		lea	edi, [ebx+70h]
		mov	[ebp+var_1C], edi

loc_9A9C27:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+2C9j
		mov	eax, [edx-20h]
		lea	esi, [edx-2Ch]
		mov	[edi+0Ch], eax
		xor	ebx, ebx
		mov	eax, [edx-1Ch]
		mov	[edi+10h], eax
		mov	eax, [edx-14h]
		mov	[edi-30h], eax
		mov	eax, [edx-10h]
		mov	[edi-2Ch], eax
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_1C]
		mov	eax, [edx]
		mov	[edi-4], eax
		mov	[edi+14h], ecx
		mov	ecx, [edx]
		imul	eax, ecx, 0Ch
		add	[ebp+var_14], eax
		test	ecx, ecx
		jz	short loc_9A9C7D
		mov	ecx, [ebp+var_10]
		xor	esi, esi

loc_9A9C63:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+2B1j
		mov	eax, [edi+14h]
		lea	esi, [esi+0Ch]
		mov	[eax+esi-4], ecx
		mov	eax, [edx-4]
		shl	eax, 4
		add	ecx, eax
		inc	ebx
		cmp	ebx, [edx]
		jb	short loc_9A9C63
		mov	[ebp+var_10], ecx

loc_9A9C7D:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+295j
		mov	ecx, [ebp+var_14]
		add	edi, 0C0h
		add	edx, 38h
		mov	[ebp+var_1C], edi
		sub	[ebp+var_18], 1
		jnz	short loc_9A9C27
		mov	ebx, [ebp+var_C]
		mov	esi, [ebp+var_8]
		mov	edi, [ebp+arg_0]

loc_9A9C9B:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+24Ej
		mov	eax, [ebp+var_30]
		and	[ebp+var_18], 0
		add	eax, ebx
		cmp	[ebp+var_4], 0
		mov	[ebp+var_20], eax
		jbe	loc_9A9D7D
		mov	edi, [ebp+var_18]
		mov	eax, esi
		shl	eax, 4
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_34]
		add	eax, ebx
		mov	[ebp+var_1C], eax

loc_9A9CC4:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+390j
		mov	ecx, edi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, [ebp+var_10]
		and	[ebp+var_14], 0
		mov	edx, [eax+3D70h]
		mov	eax, [ebp+var_1C]
		mov	[edx+0F8h], ecx
		mov	[edx+0E8h], eax
		mov	eax, [ebp+var_30]
		add	ecx, eax
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+var_20]
		mov	[edx+108h], ecx
		add	ecx, [ebp+var_38]
		mov	[edx+0F4h], esi
		mov	[edx+0FCh], esi
		mov	[ebp+var_20], ecx
		test	esi, esi
		jz	short loc_9A9D4A
		lea	edi, [ebx+84h]
		mov	ebx, eax
		mov	eax, [ebp+var_14]

loc_9A9D19:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+37Bj
		mov	ecx, [edx+0F8h]
		lea	ebx, [ebx-10h]
		mov	[ebx+ecx+4], eax
		mov	eax, [edi-18h]
		mov	[ebx+ecx+8], eax
		mov	eax, [edi]
		lea	edi, [edi+0C0h]
		mov	[ebx+ecx+0Ch], eax
		mov	eax, [ebp+var_14]
		inc	eax
		mov	[ebp+var_14], eax
		cmp	eax, esi
		jb	short loc_9A9D19
		mov	ebx, [ebp+var_C]
		mov	edi, [ebp+var_18]

loc_9A9D4A:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+345j
		mov	eax, [ebp+var_3C]
		inc	edi
		add	[ebp+var_1C], eax
		mov	[ebp+var_18], edi
		cmp	edi, [ebp+var_4]
		jb	loc_9A9CC4
		mov	edi, [ebp+arg_0]
		jmp	short loc_9A9D7D
; 

loc_9A9D62:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+D2j
		cmp	[ebx+8], edx
		jnz	loc_9A9F28
		cmp	[ebx], esi
		jnz	loc_9A9F28
		cmp	dword ptr [ebx+4], 1
		jnz	loc_9A9F28

loc_9A9D7D:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+2E4j
					; PpmInstallCoordinatedIdleStates(x)+399j
		test	esi, esi
		jz	loc_9A9E88
		lea	ecx, [ebx+4Ch]
		mov	[ebp+var_10], esi
		add	edi, 3Ch
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edi
		mov	edx, esi

loc_9A9D96:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+4B8j
		mov	eax, [edi-4]
		and	[ebp+var_20], 0
		mov	[ecx-4], eax
		mov	eax, [edi]
		mov	[ecx], eax
		mov	al, [edi+0Ch]
		mov	[ecx+1Dh], al
		cmp	dword ptr [edi+8], 0
		jbe	loc_9A9E6A
		xor	eax, eax
		mov	[ebp+var_1C], eax

loc_9A9DB9:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+49Aj
		mov	edx, [edi+10h]
		mov	esi, [ecx+38h]
		add	edx, eax
		and	[ebp+var_38], 0
		add	esi, eax
		mov	[ebp+var_3C], edx
		mov	[ebp+arg_0], esi
		mov	eax, [edx]
		mov	[esi], eax
		mov	eax, [edx+4]
		mov	[esi+4], eax
		mov	edx, [edx+4]
		test	edx, edx
		jz	short loc_9A9E4E
		mov	esi, [ebp+var_3C]
		mov	edi, [ebp+var_38]
		mov	eax, [ebp+arg_0]

loc_9A9DE7:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+47Fj
		mov	ecx, [esi+8]
		sub	edx, edi
		dec	edx
		shl	edx, 4
		add	edx, [eax+8]
		movzx	eax, byte ptr [ecx+edi*4]
		mov	[ebp+var_3C], eax
		mov	[edx+4], eax
		cmp	byte ptr [ecx+edi*4+1],	0
		setz	al
		mov	[edx], al
		mov	al, [ecx+edi*4+2]
		mov	[edx+1], al
		mov	al, [ecx+edi*4+3]
		mov	[edx+2], al
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_9A9E37
		imul	ecx, [ebp+var_3C], 0C0h
		mov	eax, [ecx+ebx+6Ch]
		mov	[edx+8], eax
		mov	ecx, [ecx+ebx+84h]
		mov	eax, [ebp+arg_0]
		jmp	short loc_9A9E3D
; 

loc_9A9E37:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+454j
		and	dword ptr [edx+8], 0
		xor	ecx, ecx

loc_9A9E3D:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+46Ej
		mov	[edx+0Ch], ecx
		inc	edi
		mov	edx, [esi+4]
		cmp	edi, edx
		jb	short loc_9A9DE7
		mov	edi, [ebp+var_14]
		mov	ecx, [ebp+var_18]

loc_9A9E4E:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+415j
		mov	edx, [ebp+var_20]
		mov	eax, [ebp+var_1C]
		inc	edx
		add	eax, 0Ch
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], eax
		cmp	edx, [edi+8]
		jb	loc_9A9DB9
		mov	edx, [ebp+var_10]

loc_9A9E6A:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+3E7j
		add	ecx, 0C0h
		add	edi, 38h
		sub	edx, 1
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edx
		jnz	loc_9A9D96
		mov	esi, [ebp+var_8]

loc_9A9E88:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+3B8j
		and	[ebp+arg_0], 0
		cmp	[ebp+var_4], 0
		jbe	short loc_9A9EE2
		mov	ebx, [ebp+arg_0]

loc_9A9E95:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+516j
		mov	ecx, ebx
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	eax, [eax+3D70h]
		mov	[ebp+var_3C], eax
		test	esi, esi
		jz	short loc_9A9ED9
		mov	edi, esi
		mov	[ebp+arg_0], esi
		shl	edi, 4

loc_9A9EB1:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+50Dj
		mov	esi, [eax+0F8h]
		mov	ecx, ebx
		push	dword ptr [edi+esi-4]
		mov	edx, [edi+esi-8]
		call	_PpmCheckCoordinatedStateInitiator@12 ;	PpmCheckCoordinatedStateInitiator(x,x,x)
		sub	[ebp+arg_0], 1
		lea	edi, [edi-10h]
		mov	[edi+esi+1], al
		mov	eax, [ebp+var_3C]
		jnz	short loc_9A9EB1
		mov	esi, [ebp+var_8]

loc_9A9ED9:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+4E0j
		inc	ebx
		cmp	ebx, [ebp+var_4]
		jb	short loc_9A9E95
		mov	ebx, [ebp+var_C]

loc_9A9EE2:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+4C9j
		cmp	ds:_PpmPlatformStates, 0
		jnz	short loc_9A9F24
		cmp	dword_6C2ADC, 0
		mov	ds:_PpmIdleCoordinatedMode, 1
		mov	ds:_PpmPlatformStates, ebx
		jz	short loc_9A9F08
		and	dword_6C2ADC, 0

loc_9A9F08:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+538j
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebx]
		call	_PopFxEnablePlatformStates@4 ; PopFxEnablePlatformStates(x)
		mov	byte ptr [ebp+var_24], 0

loc_9A9F24:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+522j
		xor	esi, esi
		jmp	short loc_9A9F2D
; 

loc_9A9F28:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+39Ej
					; PpmInstallCoordinatedIdleStates(x)+3A6j ...
		mov	esi, 0C000000Dh

loc_9A9F2D:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+55Fj
		cmp	byte ptr [ebp+var_24], 0
		jz	short loc_9A9F54

loc_9A9F33:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+4Ej
					; PpmInstallCoordinatedIdleStates(x)+5Ej ...
		cmp	dword_6C2ADC, 0
		jz	short loc_9A9F43
		and	dword_6C2ADC, 0

loc_9A9F43:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+573j
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9A9F54:				; CODE XREF: PpmInstallCoordinatedIdleStates(x)+56Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PpmInstallCoordinatedIdleStates@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmInstallPlatformIdleStates(x)
_PpmInstallPlatformIdleStates@4	proc near

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		cmp	ds:_PpmPlatformStates, 0
		mov	ebx, [ebp+arg_0]
		mov	dword_6C2ADC, eax
		mov	[ebp+var_28], 1
		jz	short loc_9A9FB0
		cmp	byte ptr [ebx+1Ch], 0
		jnz	short loc_9A9FB0
		mov	esi, 0C0000189h
		jmp	loc_9AA52D
; 

loc_9A9FB0:				; CODE XREF: PpmInstallPlatformIdleStates(x)+41j
					; PpmInstallPlatformIdleStates(x)+47j
		mov	eax, [ebx+4]
		mov	[ebp+var_14], eax
		test	eax, eax
		jnz	short loc_9A9FC4

loc_9A9FBA:				; CODE XREF: PpmInstallPlatformIdleStates(x)+6Aj
					; PpmInstallPlatformIdleStates(x)+8Aj ...
		mov	esi, 0C000000Dh
		jmp	loc_9AA52D
; 

loc_9A9FC4:				; CODE XREF: PpmInstallPlatformIdleStates(x)+5Bj
		cmp	[ebx+8], eax
		ja	short loc_9A9FBA
		mov	ecx, ebx
		call	_PpmIdleUpdatePlatformDependencies@4 ; PpmIdleUpdatePlatformDependencies(x)
		mov	esi, ds:_KeNumberProcessors
		xor	ecx, ecx
		mov	edx, [ebx+8]
		mov	[ebp+var_8], esi
		test	edx, edx
		jz	short loc_9A9FF1
		lea	eax, [ebx+30h]

loc_9A9FE5:				; CODE XREF: PpmInstallPlatformIdleStates(x)+92j
		cmp	[eax], esi
		ja	short loc_9A9FBA
		inc	ecx
		add	eax, 20h
		cmp	ecx, edx
		jb	short loc_9A9FE5

loc_9A9FF1:				; CODE XREF: PpmInstallPlatformIdleStates(x)+83j
		xor	edi, edi
		xor	eax, eax
		test	edx, edx
		jz	short loc_9AA02C
		mov	[ebp+var_10], eax
		test	esi, esi
		jz	short loc_9AA022

loc_9AA000:				; CODE XREF: PpmInstallPlatformIdleStates(x)+C0j
		mov	ecx, eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	eax, [eax+3D70h]
		test	eax, eax
		jz	short loc_9A9FBA
		add	edi, [eax+20h]
		mov	eax, [ebp+var_10]
		inc	eax
		mov	[ebp+var_10], eax
		cmp	eax, esi
		jb	short loc_9AA000
		mov	edx, [ebx+8]

loc_9AA022:				; CODE XREF: PpmInstallPlatformIdleStates(x)+A1j
		add	edi, esi
		mov	eax, edx
		imul	edi, edx
		imul	eax, esi

loc_9AA02C:				; CODE XREF: PpmInstallPlatformIdleStates(x)+9Aj
		mov	esi, ds:_PpmPlatformStates
		mov	[ebp+var_C], esi
		test	esi, esi
		jnz	loc_9AA326
		mov	ecx, [ebp+var_14]
		imul	eax, 0Ch
		imul	edx, ecx, 0C0h
		shl	edi, 4
		add	edx, 43h
		and	edx, 0FFFFFFFCh
		add	eax, edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], eax
		lea	edx, [eax+7]
		imul	eax, ecx, 3F0h
		add	edx, edi
		mov	edi, [ebp+var_8]
		and	edx, 0FFFFFFF8h
		mov	[ebp+var_18], edx
		add	eax, 1Fh
		add	eax, edx
		lea	edx, ds:0Fh[ecx*4]
		and	edx, 0FFFFFFF8h
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_34], edx
		imul	edx, edi
		mov	[ebp+var_30], eax
		add	edx, eax
		mov	eax, _PpmIdleVetoList
		mov	[ebp+var_10], edx
		mov	[ebp+var_24], edx
		test	eax, eax
		jz	short loc_9AA0A7
		mov	eax, [eax]
		imul	eax, ecx
		imul	eax, 38h
		add	edx, eax
		mov	[ebp+var_10], edx

loc_9AA0A7:				; CODE XREF: PpmInstallPlatformIdleStates(x)+13Bj
		push	694D5050h
		push	edx
		push	204h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], esi
		test	esi, esi
		jnz	short loc_9AA0CA
		mov	esi, 0C000009Ah
		jmp	loc_9AA52D
; 

loc_9AA0CA:				; CODE XREF: PpmInstallPlatformIdleStates(x)+161j
		push	[ebp+var_10]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+var_14]
		xor	eax, eax
		mov	[esi], ecx
		add	esp, 0Ch
		cmp	eax, [ebx+8]
		sbb	eax, eax
		neg	eax
		mov	[esi+4], eax
		mov	[esi+8], edi
		mov	eax, [ebx+0Ch]
		mov	[esi+10h], eax
		mov	eax, [ebx+10h]
		mov	[esi+14h], eax
		mov	eax, [ebx+14h]
		mov	[esi+18h], eax
		mov	eax, [ebx+18h]
		mov	[esi+1Ch], eax
		mov	eax, [ebp+var_18]
		add	eax, esi
		mov	[esi+20h], eax
		mov	[eax+4], ecx
		mov	ecx, eax	; void *
		call	_PpmResetPlatformIdleAccounting@4 ; PpmResetPlatformIdleAccounting(x)
		mov	eax, [ebp+var_24]
		and	[ebp+var_24], 0
		add	eax, esi
		cmp	dword ptr [ebx+4], 0
		mov	[ebp+var_4], eax
		jbe	loc_9AA1B0
		mov	eax, [ebp+var_18]
		lea	edi, [esi+54h]
		add	eax, 0C0h
		xor	edx, edx
		add	eax, esi
		mov	esi, [ebp+var_24]
		mov	[ebp+var_10], eax
		inc	edx

loc_9AA142:				; CODE XREF: PpmInstallPlatformIdleStates(x)+24Bj
		lea	eax, [edi+1Ch]
		mov	[edi+15h], dl
		push	eax
		call	_KeQueryActiveProcessorAffinity@4 ; KeQueryActiveProcessorAffinity(x)
		xor	edx, edx
		mov	[edi+4], edi
		inc	edx
		mov	[edi], edi
		mov	byte ptr [edi+8], 7
		cmp	ds:_PpmIdleDisableStatesAtBoot,	edx
		jb	short loc_9AA169
		mov	dword ptr [edi-4], 80000000h

loc_9AA169:				; CODE XREF: PpmInstallPlatformIdleStates(x)+203j
		mov	ecx, _PpmIdleVetoList
		test	ecx, ecx
		jz	short loc_9AA197
		mov	eax, [ebx+4]
		dec	eax
		cmp	esi, eax
		jnz	short loc_9AA17E
		mov	[edi+9], dl

loc_9AA17E:				; CODE XREF: PpmInstallPlatformIdleStates(x)+21Cj
		mov	eax, [ecx]
		mov	[edi+0Ch], eax
		mov	eax, [ebp+var_4]
		mov	[edi+10h], eax
		imul	eax, [ecx], 38h
		mov	ecx, [ebp+var_10]
		add	[ebp+var_4], eax
		lea	eax, [edi-4]
		mov	[ecx], eax

loc_9AA197:				; CODE XREF: PpmInstallPlatformIdleStates(x)+214j
		add	[ebp+var_10], 3F0h
		inc	esi
		add	edi, 0C0h
		cmp	esi, [ebx+4]
		jb	short loc_9AA142
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_8]

loc_9AA1B0:				; CODE XREF: PpmInstallPlatformIdleStates(x)+1C9j
		mov	eax, [ebp+var_20]
		and	[ebp+var_20], 0
		add	eax, esi
		mov	edx, [ebx+8]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_1C]
		add	eax, esi
		mov	[ebp+var_4], eax
		test	edx, edx
		jz	loc_9AA277
		imul	eax, edi, 0Ch
		lea	ecx, [ebx+34h]
		add	esi, 84h
		mov	[ebp+var_24], ecx
		mov	[ebp+var_10], esi
		mov	[ebp+var_2C], eax

loc_9AA1E4:				; CODE XREF: PpmInstallPlatformIdleStates(x)+311j
		mov	eax, [ecx]
		xor	edx, edx
		mov	[esi-8], eax
		mov	eax, [ecx+4]
		mov	[esi-4], eax
		mov	eax, [ebp+var_18]
		mov	[esi], eax
		add	eax, [ebp+var_2C]
		mov	[esi-18h], edi
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], edx
		test	edi, edi
		jz	short loc_9AA253
		mov	ebx, [ebp+var_10]
		xor	eax, eax
		mov	[ebp+var_1C], eax

loc_9AA20E:				; CODE XREF: PpmInstallPlatformIdleStates(x)+2EBj
		mov	esi, [ebx]
		mov	ecx, edx
		add	esi, eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	edx, [ebp+var_14]
		mov	ecx, [eax+3D70h]
		mov	[esi], edx
		mov	eax, [ecx+20h]
		mov	[esi+4], eax
		mov	eax, [ebp+var_4]
		mov	[esi+8], eax
		mov	eax, [ecx+20h]
		shl	eax, 4
		add	[ebp+var_4], eax
		inc	edx
		mov	eax, [ebp+var_1C]
		add	eax, 0Ch
		mov	[ebp+var_14], edx
		mov	[ebp+var_1C], eax
		cmp	edx, edi
		jb	short loc_9AA20E
		mov	ebx, [ebp+arg_0]
		mov	esi, [ebp+var_10]
		mov	ecx, [ebp+var_24]

loc_9AA253:				; CODE XREF: PpmInstallPlatformIdleStates(x)+2A7j
		mov	eax, [ebp+var_20]
		add	esi, 0C0h
		mov	edx, [ebx+8]
		inc	eax
		add	ecx, 20h
		mov	[ebp+var_20], eax
		mov	[ebp+var_10], esi
		mov	[ebp+var_24], ecx
		cmp	eax, edx
		jb	loc_9AA1E4
		mov	esi, [ebp+var_C]

loc_9AA277:				; CODE XREF: PpmInstallPlatformIdleStates(x)+26Cj
		xor	eax, eax
		mov	[ebp+var_24], eax
		test	edi, edi
		jz	loc_9AA347
		mov	ecx, [ebp+var_30]
		add	ecx, esi
		mov	[ebp+var_14], ecx

loc_9AA28C:				; CODE XREF: PpmInstallPlatformIdleStates(x)+3C1j
		mov	ecx, eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		and	[ebp+var_30], 0
		mov	ecx, [eax+3D70h]
		mov	eax, [ebp+var_14]
		mov	[ebp+var_2C], ecx
		mov	[ecx+0E8h], eax
		mov	eax, [ebx+8]
		mov	[ecx+0F4h], eax
		mov	eax, [ebp+var_4]
		mov	[ecx+0F8h], eax
		mov	edx, [ebx+8]
		mov	eax, edx
		shl	eax, 4
		add	[ebp+var_4], eax
		test	edx, edx
		jz	short loc_9AA30F
		mov	edi, [ebp+var_30]
		lea	eax, [esi+84h]
		mov	[ebp+var_10], eax
		mov	esi, ecx

loc_9AA2D8:				; CODE XREF: PpmInstallPlatformIdleStates(x)+3AAj
		mov	ecx, [esi+0F8h]
		sub	edx, edi
		add	edx, edx
		mov	[ecx+edx*8-0Ch], edi
		inc	edi
		mov	eax, [eax-18h]
		mov	[ecx+edx*8-8], eax
		mov	eax, [ebp+var_10]
		mov	eax, [eax]
		mov	[ecx+edx*8-4], eax
		mov	eax, [ebp+var_10]
		mov	edx, [ebx+8]
		add	eax, 0C0h
		mov	[ebp+var_10], eax
		cmp	edi, edx
		jb	short loc_9AA2D8
		mov	esi, [ebp+var_C]
		mov	edi, [ebp+var_8]

loc_9AA30F:				; CODE XREF: PpmInstallPlatformIdleStates(x)+36Bj
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+var_34]
		inc	eax
		add	[ebp+var_14], ecx
		mov	[ebp+var_24], eax
		cmp	eax, edi
		jb	loc_9AA28C
		jmp	short loc_9AA347
; 

loc_9AA326:				; CODE XREF: PpmInstallPlatformIdleStates(x)+DAj
		mov	eax, [ebp+var_8]
		cmp	[esi+8], eax
		jnz	loc_9AA522
		mov	ecx, [ebp+var_14]
		cmp	[esi], ecx
		jnz	loc_9AA522
		cmp	dword ptr [esi+4], 1
		jnz	loc_9AA522

loc_9AA347:				; CODE XREF: PpmInstallPlatformIdleStates(x)+321j
					; PpmInstallPlatformIdleStates(x)+3C7j
		xor	edi, edi
		mov	[ebp+var_14], edi
		test	edx, edx
		jz	loc_9AA457
		lea	edx, [esi+4Ch]
		lea	ecx, [ebx+24h]
		mov	[ebp+var_4], edx
		mov	[ebp+var_24], ecx

loc_9AA360:				; CODE XREF: PpmInstallPlatformIdleStates(x)+4F4j
		mov	eax, [ecx+4]
		xor	esi, esi
		mov	[edx-4], eax
		mov	eax, [ecx+8]
		mov	[edx], eax
		cmp	[ecx+0Ch], esi
		jbe	short loc_9AA3F0
		mov	ebx, [ebp+var_4]

loc_9AA375:				; CODE XREF: PpmInstallPlatformIdleStates(x)+488j
		mov	eax, [ecx+18h]
		and	[ebp+var_34], 0
		mov	[ebp+var_30], eax
		imul	eax, [eax+esi*8], 0Ch
		add	eax, [ebx+38h]
		mov	[ebp+var_2C], eax
		mov	edx, [eax+4]
		test	edx, edx
		jz	short loc_9AA3E1
		mov	ebx, [ebp+var_34]

loc_9AA393:				; CODE XREF: PpmInstallPlatformIdleStates(x)+47Fj
		sub	edx, ebx
		dec	edx
		shl	edx, 4
		add	edx, [eax+8]
		xor	eax, eax
		mov	edi, edx
		stosd
		stosd
		stosd
		stosd
		mov	[edx+4], ebx
		cmp	byte ptr [ecx],	0
		jnz	short loc_9AA3B8
		movzx	eax, byte ptr [ecx+1]
		cmp	ebx, eax
		jnz	short loc_9AA3B8
		mov	byte ptr [edx+1], 1

loc_9AA3B8:				; CODE XREF: PpmInstallPlatformIdleStates(x)+44Dj
					; PpmInstallPlatformIdleStates(x)+455j
		mov	edi, [ebp+var_30]
		movzx	eax, byte ptr [edi+esi*8+4]
		cmp	ebx, eax
		jb	short loc_9AA3D3
		xor	eax, eax
		inc	eax
		mov	[edx+2], al
		cmp	byte ptr [edi+esi*8+6],	0
		jnz	short loc_9AA3D3
		mov	[edx], al

loc_9AA3D3:				; CODE XREF: PpmInstallPlatformIdleStates(x)+465j
					; PpmInstallPlatformIdleStates(x)+472j
		mov	eax, [ebp+var_2C]
		inc	ebx
		mov	edx, [eax+4]
		cmp	ebx, edx
		jb	short loc_9AA393
		mov	ebx, [ebp+var_4]

loc_9AA3E1:				; CODE XREF: PpmInstallPlatformIdleStates(x)+431j
		inc	esi
		cmp	esi, [ecx+0Ch]
		jb	short loc_9AA375
		mov	ebx, [ebp+arg_0]
		mov	edx, [ebp+var_4]
		mov	edi, [ebp+var_14]

loc_9AA3F0:				; CODE XREF: PpmInstallPlatformIdleStates(x)+413j
		cmp	byte ptr [ecx],	0
		jz	short loc_9AA43B
		lea	esi, [ecx-4]
		push	esi
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		imul	edi, eax, 0Ch
		mov	eax, [ebp+var_4]
		add	edi, [eax+38h]
		mov	eax, [edi+4]
		shl	eax, 4
		push	eax		; size_t
		push	0		; int
		push	dword ptr [edi+8] ; void *
		call	_memset
		movzx	ecx, byte ptr [esi+5]
		add	esp, 0Ch
		mov	edx, [edi+4]
		mov	eax, [edi+8]
		sub	edx, ecx
		mov	edi, [ebp+var_14]
		add	edx, edx
		mov	[eax+edx*8-0Ch], ecx
		mov	ecx, [ebp+var_24]
		mov	byte ptr [eax+edx*8-0Fh], 1
		mov	edx, [ebp+var_4]

loc_9AA43B:				; CODE XREF: PpmInstallPlatformIdleStates(x)+496j
		inc	edi
		add	edx, 0C0h
		add	ecx, 20h
		mov	[ebp+var_14], edi
		mov	[ebp+var_4], edx
		mov	[ebp+var_24], ecx
		cmp	edi, [ebx+8]
		jb	loc_9AA360

loc_9AA457:				; CODE XREF: PpmInstallPlatformIdleStates(x)+3F1j
		mov	edi, [ebp+var_8]
		xor	eax, eax
		mov	[ebp+var_10], eax
		test	edi, edi
		jz	short loc_9AA4D9

loc_9AA463:				; CODE XREF: PpmInstallPlatformIdleStates(x)+57Aj
		mov	ecx, eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		xor	ecx, ecx
		mov	[ebp+var_14], ecx
		mov	edx, [eax+3D70h]
		mov	[ebp+var_24], edx
		mov	esi, [edx+0F4h]
		test	esi, esi
		jz	short loc_9AA4CE
		mov	edi, [ebp+var_10]
		lea	eax, [ebx+20h]
		mov	[ebp+var_34], eax
		mov	ebx, eax

loc_9AA48D:				; CODE XREF: PpmInstallPlatformIdleStates(x)+569j
		sub	esi, ecx
		shl	esi, 4
		add	esi, [edx+0F8h]
		cmp	byte ptr [ebx+4], 0
		jz	short loc_9AA4B2
		push	ebx
		call	_KeGetProcessorIndexFromNumber@4 ; KeGetProcessorIndexFromNumber(x)
		mov	ecx, [ebp+var_14]
		mov	edx, [ebp+var_24]
		cmp	eax, edi
		jz	short loc_9AA4B2
		xor	al, al
		jmp	short loc_9AA4B4
; 

loc_9AA4B2:				; CODE XREF: PpmInstallPlatformIdleStates(x)+53Fj
					; PpmInstallPlatformIdleStates(x)+54Fj
		mov	al, 1

loc_9AA4B4:				; CODE XREF: PpmInstallPlatformIdleStates(x)+553j
		inc	ecx
		mov	[esi-0Fh], al
		mov	esi, [edx+0F4h]
		add	ebx, 20h
		mov	[ebp+var_14], ecx
		cmp	ecx, esi
		jb	short loc_9AA48D
		mov	ebx, [ebp+arg_0]
		mov	edi, [ebp+var_8]

loc_9AA4CE:				; CODE XREF: PpmInstallPlatformIdleStates(x)+523j
		mov	eax, [ebp+var_10]
		inc	eax
		mov	[ebp+var_10], eax
		cmp	eax, edi
		jb	short loc_9AA463

loc_9AA4D9:				; CODE XREF: PpmInstallPlatformIdleStates(x)+504j
		cmp	ds:_PpmPlatformStates, 0
		jnz	short loc_9AA51E
		cmp	dword_6C2ADC, 0
		mov	esi, [ebp+var_C]
		mov	ds:_PpmIdleCoordinatedMode, 0
		mov	ds:_PpmPlatformStates, esi
		jz	short loc_9AA502
		and	dword_6C2ADC, 0

loc_9AA502:				; CODE XREF: PpmInstallPlatformIdleStates(x)+59Cj
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esi]
		call	_PopFxEnablePlatformStates@4 ; PopFxEnablePlatformStates(x)
		mov	byte ptr [ebp+var_28], 0

loc_9AA51E:				; CODE XREF: PpmInstallPlatformIdleStates(x)+583j
		xor	esi, esi
		jmp	short loc_9AA527
; 

loc_9AA522:				; CODE XREF: PpmInstallPlatformIdleStates(x)+3CFj
					; PpmInstallPlatformIdleStates(x)+3DAj	...
		mov	esi, 0C000000Dh

loc_9AA527:				; CODE XREF: PpmInstallPlatformIdleStates(x)+5C3j
		cmp	byte ptr [ebp+var_28], 0
		jz	short loc_9AA54E

loc_9AA52D:				; CODE XREF: PpmInstallPlatformIdleStates(x)+4Ej
					; PpmInstallPlatformIdleStates(x)+62j ...
		cmp	dword_6C2ADC, 0
		jz	short loc_9AA53D
		and	dword_6C2ADC, 0

loc_9AA53D:				; CODE XREF: PpmInstallPlatformIdleStates(x)+5D7j
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9AA54E:				; CODE XREF: PpmInstallPlatformIdleStates(x)+5CEj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PpmInstallPlatformIdleStates@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmRegisterVetoList(x)
_PpmRegisterVetoList@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PpmIdlePolicyLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		cmp	_PpmIdleVetoList, 0
		mov	dword_6C2ADC, ecx
		jz	short loc_9AA597
		mov	esi, 0C0000189h
		jmp	short loc_9AA5A1
; 

loc_9AA597:				; CODE XREF: PpmRegisterVetoList(x)+37j
		mov	eax, [ebp+arg_0]
		xor	esi, esi
		mov	_PpmIdleVetoList, eax

loc_9AA5A1:				; CODE XREF: PpmRegisterVetoList(x)+3Ej
		test	ecx, ecx
		jz	short loc_9AA5AC
		and	dword_6C2ADC, 0

loc_9AA5AC:				; CODE XREF: PpmRegisterVetoList(x)+4Cj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_PpmRegisterVetoList@4 endp


;  S U B	R O U T	I N E 


; __stdcall PpmUpdateIdleContext(x, x)
_PpmUpdateIdleContext@8	proc near	; CODE XREF: PpmUpdateIdleStates+DFp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	esi, [eax+3D70h]
		test	esi, esi
		jnz	short loc_9AA5DE
		mov	eax, 0C00000BBh
		jmp	short loc_9AA5FF
; 

loc_9AA5DE:				; CODE XREF: PpmUpdateIdleContext(x,x)+13j
		xor	eax, eax
		cmp	[esi+88h], eax
		jnz	short loc_9AA5EF
		mov	eax, 0C0000189h
		jmp	short loc_9AA5FF
; 

loc_9AA5EF:				; CODE XREF: PpmUpdateIdleContext(x,x)+24j
		mov	dword ptr [esi+24h], 4
		mov	ecx, [edi+8]
		mov	[esi+88h], ecx

loc_9AA5FF:				; CODE XREF: PpmUpdateIdleContext(x,x)+1Aj
					; PpmUpdateIdleContext(x,x)+2Bj
		pop	edi
		pop	esi
		retn
_PpmUpdateIdleContext@8	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1669. PoDeleteThermalRequest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoDeleteThermalRequest(x)
		public _PoDeleteThermalRequest@4
_PoDeleteThermalRequest@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	_PopDeactiveThermalRequest@4 ; PopDeactiveThermalRequest(x)
		mov	ecx, [esi+0Ch]
		call	_PoDestroyReasonContext@4 ; PoDestroyReasonContext(x)
		push	6C6F4350h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebp
		retn	4
_PoDeleteThermalRequest@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1729. PoSetThermalActiveCooling

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoSetThermalActiveCooling(x, x)
		public _PoSetThermalActiveCooling@8
_PoSetThermalActiveCooling@8 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	1
		push	esi
		call	_PoGetThermalRequestSupport@8 ;	PoGetThermalRequestSupport(x,x)
		test	al, al
		jnz	short loc_9AA653
		mov	esi, 0C00000BBh
		jmp	loc_9AA6D4
; 

loc_9AA653:				; CODE XREF: PoSetThermalActiveCooling(x,x)+13j
		mov	eax, [esi+10h]
		cmp	[ebp+arg_4], 0
		push	ebx
		push	edi
		mov	dword ptr [ebp+arg_4], eax
		lea	edi, [eax+10h]
		mov	eax, large fs:124h
		setnz	bl
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+4], eax
		cmp	byte ptr [esi+0Ah], 0
		jz	short loc_9AA6B5
		mov	al, [esi+9]
		cmp	al, bl
		jz	short loc_9AA6B1
		test	al, al
		lea	ecx, [esi+18h]
		setz	dl
		call	_PopThermalUpdateActiveTimeTracking@8 ;	PopThermalUpdateActiveTimeTracking(x,x)
		mov	ecx, esi
		mov	[esi+9], bl
		call	_PopDiagTraceThermalRequestActiveUpdate@4 ; PopDiagTraceThermalRequestActiveUpdate(x)
		mov	ecx, dword ptr [ebp+arg_4]
		call	_PopPropogateCoolingChange@4 ; PopPropogateCoolingChange(x)

loc_9AA6B1:				; CODE XREF: PoSetThermalActiveCooling(x,x)+5Cj
		xor	esi, esi
		jmp	short loc_9AA6BA
; 

loc_9AA6B5:				; CODE XREF: PoSetThermalActiveCooling(x,x)+55j
		mov	esi, 0C0000189h

loc_9AA6BA:				; CODE XREF: PoSetThermalActiveCooling(x,x)+7Fj
		cmp	dword ptr [edi+4], 0
		jz	short loc_9AA6C4
		and	dword ptr [edi+4], 0

loc_9AA6C4:				; CODE XREF: PoSetThermalActiveCooling(x,x)+8Aj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	ebx

loc_9AA6D4:				; CODE XREF: PoSetThermalActiveCooling(x,x)+1Aj
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_PoSetThermalActiveCooling@8 endp

; 
		align 10h
; Exported entry 1730. PoSetThermalPassiveCooling

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoSetThermalPassiveCooling(x, x)
		public _PoSetThermalPassiveCooling@8
_PoSetThermalPassiveCooling@8 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	0
		push	esi
		call	_PoGetThermalRequestSupport@8 ;	PoGetThermalRequestSupport(x,x)
		test	al, al
		jnz	short loc_9AA6FF
		mov	esi, 0C00000BBh
		jmp	loc_9AA783
; 

loc_9AA6FF:				; CODE XREF: PoSetThermalPassiveCooling(x,x)+13j
		push	ebx
		mov	bl, [ebp+arg_4]
		cmp	bl, 64h
		jbe	short loc_9AA70F
		mov	esi, 0C000000Dh
		jmp	short loc_9AA782
; 

loc_9AA70F:				; CODE XREF: PoSetThermalPassiveCooling(x,x)+26j
		mov	eax, [esi+10h]
		push	edi
		mov	dword ptr [ebp+arg_4], eax
		lea	edi, [eax+10h]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+4], eax
		cmp	byte ptr [esi+0Ah], 0
		jz	short loc_9AA764
		mov	dl, [esi+8]
		cmp	dl, bl
		jz	short loc_9AA760
		lea	ecx, [esi+18h]
		call	_PopThermalUpdatePassiveTimeTracking@8 ; PopThermalUpdatePassiveTimeTracking(x,x)
		mov	ecx, esi
		mov	[esi+8], bl
		call	_PopDiagTraceThermalRequestPassiveUpdate@4 ; PopDiagTraceThermalRequestPassiveUpdate(x)
		mov	ecx, dword ptr [ebp+arg_4]
		call	_PopPropogateCoolingChange@4 ; PopPropogateCoolingChange(x)

loc_9AA760:				; CODE XREF: PoSetThermalPassiveCooling(x,x)+64j
		xor	esi, esi
		jmp	short loc_9AA769
; 

loc_9AA764:				; CODE XREF: PoSetThermalPassiveCooling(x,x)+5Dj
		mov	esi, 0C0000189h

loc_9AA769:				; CODE XREF: PoSetThermalPassiveCooling(x,x)+82j
		cmp	dword ptr [edi+4], 0
		jz	short loc_9AA773
		and	dword ptr [edi+4], 0

loc_9AA773:				; CODE XREF: PoSetThermalPassiveCooling(x,x)+8Dj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi

loc_9AA782:				; CODE XREF: PoSetThermalPassiveCooling(x,x)+2Dj
		pop	ebx

loc_9AA783:				; CODE XREF: PoSetThermalPassiveCooling(x,x)+1Aj
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_PoSetThermalPassiveCooling@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopCleanCoolingExtension(x)
_PopCleanCoolingExtension@4 proc near	; CODE XREF: PopAssociateThermalRequest+1FDp
					; PopDeactiveThermalRequest(x)+242p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+1Ch]
		test	ecx, ecx
		jz	short loc_9AA79D
		mov	dl, 1
		call	PnpUnregisterPlugPlayNotification

loc_9AA79D:				; CODE XREF: PopCleanCoolingExtension(x)+Aj
		cmp	byte ptr [esi+20h], 0
		jz	short loc_9AA7A9
		push	dword ptr [esi+30h]
		call	dword ptr [esi+38h]

loc_9AA7A9:				; CODE XREF: PopCleanCoolingExtension(x)+17j
		push	6C6F4350h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
_PopCleanCoolingExtension@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCoolingExtensionPnpNotification(x, x)
_PopCoolingExtensionPnpNotification@8 proc near
					; DATA XREF: PopOrphanCoolingExtension(x)+1F5o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	10h		; size_t
		add	esi, 4
		push	(offset	loc_4055E5+3) ;	void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9AA7E4
		mov	ecx, [ebp+arg_4]
		call	_PopDisableCoolingExtension@4 ;	PopDisableCoolingExtension(x)
		jmp	short loc_9AA85E
; 

loc_9AA7E4:				; CODE XREF: PopCoolingExtensionPnpNotification(x,x)+22j
		push	10h		; size_t
		push	offset _GUID_TARGET_DEVICE_REMOVE_COMPLETE ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9AA805
		mov	ecx, [ebp+arg_4]
		call	_PopDisableCoolingExtension@4 ;	PopDisableCoolingExtension(x)
		mov	ecx, [ebp+arg_4]
		jmp	short loc_9AA859
; 

loc_9AA805:				; CODE XREF: PopCoolingExtensionPnpNotification(x,x)+40j
		push	10h		; size_t
		push	offset _GUID_TARGET_DEVICE_REMOVE_CANCELLED ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9AA85E
		mov	esi, [ebp+arg_4]
		mov	ecx, esi
		call	_PopAcquireCoolingInterface@4 ;	PopAcquireCoolingInterface(x)
		test	eax, eax
		js	short loc_9AA857
		lea	ecx, [esi+10h]
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		mov	edx, offset _POP_ETW_EVENT_COOLING_EXTENSION_ADD
		mov	byte ptr [esi+20h], 1
		mov	ecx, esi
		call	PopDiagTraceCoolingExtension
		lea	eax, [esi+8]
		cmp	[eax], eax
		jz	short loc_9AA84D
		mov	ecx, esi
		call	_PopPropogateCoolingChange@4 ; PopPropogateCoolingChange(x)

loc_9AA84D:				; CODE XREF: PopCoolingExtensionPnpNotification(x,x)+8Ej
		lea	ecx, [esi+10h]
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)
		jmp	short loc_9AA85E
; 

loc_9AA857:				; CODE XREF: PopCoolingExtensionPnpNotification(x,x)+6Fj
		mov	ecx, esi

loc_9AA859:				; CODE XREF: PopCoolingExtensionPnpNotification(x,x)+4Dj
		call	_PopOrphanCoolingExtension@4 ; PopOrphanCoolingExtension(x)

loc_9AA85E:				; CODE XREF: PopCoolingExtensionPnpNotification(x,x)+2Cj
					; PopCoolingExtensionPnpNotification(x,x)+61j ...
		pop	edi
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
_PopCoolingExtensionPnpNotification@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDeactiveThermalRequest(x)
_PopDeactiveThermalRequest@4 proc near	; CODE XREF: PoDeleteThermalRequest(x)+Bp

var_12		= byte ptr -12h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+20h+var_11], 0
		lea	edi, [esp+20h+var_10]
		mov	ebx, ecx
		stosd
		mov	esi, [ebx+10h]
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		lea	edi, [esi+10h]
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+4], eax
		cmp	byte ptr [ebx+0Ah], 0
		jz	short loc_9AA909
		cmp	dword ptr [esi+44h], 0
		lea	eax, [ebx+18h]
		jz	short loc_9AA8D7
		mov	dl, [ebx+8]
		mov	ecx, eax
		call	_PopThermalUpdatePassiveTimeTracking@8 ; PopThermalUpdatePassiveTimeTracking(x,x)
		mov	ecx, ebx
		call	PopTraceThermalRequestPassiveHistogram
		xor	cl, cl
		call	PopThermalUpdateTelemetryClientCount
		lea	eax, [ebx+18h]

loc_9AA8D7:				; CODE XREF: PopDeactiveThermalRequest(x)+52j
		cmp	dword ptr [esi+40h], 0
		jz	short loc_9AA8F2
		cmp	byte ptr [ebx+9], 0
		mov	ecx, eax
		setz	dl
		call	_PopThermalUpdateActiveTimeTracking@8 ;	PopThermalUpdateActiveTimeTracking(x,x)
		mov	ecx, ebx
		call	_PopTraceThermalRequestActiveActivity@4	; PopTraceThermalRequestActiveActivity(x)

loc_9AA8F2:				; CODE XREF: PopDeactiveThermalRequest(x)+73j
		mov	edx, offset _POP_ETW_EVENT_THERMAL_REQUEST_REMOVE
		mov	ecx, ebx
		call	PopDiagTraceThermalRequest
		mov	ecx, esi
		mov	byte ptr [ebx+0Ah], 0
		call	_PopPropogateCoolingChange@4 ; PopPropogateCoolingChange(x)

loc_9AA909:				; CODE XREF: PopDeactiveThermalRequest(x)+49j
		cmp	dword ptr [edi+4], 0
		jz	short loc_9AA913
		and	dword ptr [edi+4], 0

loc_9AA913:				; CODE XREF: PopDeactiveThermalRequest(x)+A5j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopCoolingExtensionLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C21A4, eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+4], eax
		mov	ecx, [ebx]
		cmp	[ecx+4], ebx
		jnz	loc_9AAAB6
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	loc_9AAAB6
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	eax, [esi+8]
		cmp	[eax], eax
		jnz	short loc_9AA9CC
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_9AA9C8
		call	PopGetDope
		and	dword ptr [eax+30h], 0
		cmp	byte ptr [esi+20h], 0
		jz	short loc_9AA9AA
		mov	edx, offset _POP_ETW_EVENT_COOLING_EXTENSION_REMOVE
		mov	ecx, esi
		call	PopDiagTraceCoolingExtension

loc_9AA9AA:				; CODE XREF: PopDeactiveThermalRequest(x)+134j
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_9AAAB6
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_9AAAB6
		mov	[ecx], eax
		mov	[eax+4], ecx
		and	dword ptr [esi], 0

loc_9AA9C8:				; CODE XREF: PopDeactiveThermalRequest(x)+125j
		mov	bl, 1
		jmp	short loc_9AA9D0
; 

loc_9AA9CC:				; CODE XREF: PopDeactiveThermalRequest(x)+11Ej
		mov	bl, [esp+20h+var_11]

loc_9AA9D0:				; CODE XREF: PopDeactiveThermalRequest(x)+162j
		cmp	dword ptr [edi+4], 0
		jz	short loc_9AA9DA
		and	dword ptr [edi+4], 0

loc_9AA9DA:				; CODE XREF: PopDeactiveThermalRequest(x)+16Cj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	dword_6C21A4, 0
		jz	short loc_9AA9F8
		and	dword_6C21A4, 0

loc_9AA9F8:				; CODE XREF: PopDeactiveThermalRequest(x)+187j
		xor	edx, edx
		mov	ecx, offset _PopCoolingExtensionLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	bl, bl
		jz	loc_9AAAAF
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	ebx, ebx
		mov	[edi+4], eax
		cmp	[esi+23h], bl
		jz	short loc_9AAA92
		push	ebx
		push	ebx
		lea	eax, [esp+28h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+20h+var_10]
		mov	[esi+24h], eax
		cmp	[edi+4], ebx
		jz	short loc_9AAA53
		mov	[edi+4], ebx

loc_9AAA53:				; CODE XREF: PopDeactiveThermalRequest(x)+1E6j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+30h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+4], eax
		mov	[esi+24h], ebx

loc_9AAA92:				; CODE XREF: PopDeactiveThermalRequest(x)+1CEj
		cmp	[edi+4], ebx
		jz	short loc_9AAA9A
		mov	[edi+4], ebx

loc_9AAA9A:				; CODE XREF: PopDeactiveThermalRequest(x)+22Dj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	_PopCleanCoolingExtension@4 ; PopCleanCoolingExtension(x)

loc_9AAAAF:				; CODE XREF: PopDeactiveThermalRequest(x)+1A3j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_9AAAB6:				; CODE XREF: PopDeactiveThermalRequest(x)+103j
					; PopDeactiveThermalRequest(x)+10Ej ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PopDeactiveThermalRequest@4 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDisableCoolingExtension(x)
_PopDisableCoolingExtension@4 proc near	; CODE XREF: PopCoolingExtensionPnpNotification(x,x)+27p
					; PopCoolingExtensionPnpNotification(x,x)+45p

var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	edi, ecx
		dec	word ptr [eax+13Ch]
		lea	esi, [edi+10h]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	ebx, ebx
		mov	[esi+4], eax
		cmp	[edi+20h], bl
		jnz	short loc_9AAB15
		cmp	eax, ebx
		jz	short loc_9AAB02
		mov	[esi+4], ebx

loc_9AAB02:				; CODE XREF: PopDisableCoolingExtension(x)+42j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_9AABA6
; 

loc_9AAB15:				; CODE XREF: PopDisableCoolingExtension(x)+3Ej
		mov	edx, offset _POP_ETW_EVENT_COOLING_EXTENSION_REMOVE
		mov	[edi+20h], bl
		mov	ecx, edi
		call	PopDiagTraceCoolingExtension
		push	ebx
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_14]
		mov	ecx, edi
		mov	[edi+28h], eax
		call	_PopPropogateCoolingChange@4 ; PopPropogateCoolingChange(x)
		cmp	[esi+4], ebx
		jz	short loc_9AAB44
		mov	[esi+4], ebx

loc_9AAB44:				; CODE XREF: PopDisableCoolingExtension(x)+84j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+4], eax
		mov	eax, [edi+30h]
		mov	[edi+28h], ebx
		mov	edi, [edi+38h]
		mov	[ebp+var_4], eax
		cmp	[esi+4], ebx
		jz	short loc_9AAB93
		mov	[esi+4], ebx

loc_9AAB93:				; CODE XREF: PopDisableCoolingExtension(x)+D3j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	[ebp+var_4]
		call	edi

loc_9AABA6:				; CODE XREF: PopDisableCoolingExtension(x)+55j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopDisableCoolingExtension@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopOrphanCoolingExtension(x)
_PopOrphanCoolingExtension@4 proc near	; CODE XREF: PopCoolingExtensionPnpNotification(x,x):loc_9AA859p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h

		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, ecx
		nop
		xor	edx, edx
		mov	ecx, offset _PopCoolingExtensionLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C21A4, eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [edi+10h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+14h], eax
		mov	ecx, [edi+18h]
		test	ecx, ecx
		jz	loc_9AAC8A
		lea	eax, [edi+8]
		mov	esi, [eax]
		cmp	esi, eax
		jz	short loc_9AAC67

loc_9AAC0A:				; CODE XREF: PopOrphanCoolingExtension(x)+B7j
		cmp	byte ptr [esi+0Ah], 0
		jz	short loc_9AAC5E
		mov	byte ptr [esi+0Ah], 0
		cmp	dword ptr [edi+44h], 0
		jz	short loc_9AAC33
		mov	dl, [esi+8]
		lea	ecx, [esi+18h]
		call	_PopThermalUpdatePassiveTimeTracking@8 ; PopThermalUpdatePassiveTimeTracking(x,x)
		mov	ecx, esi
		call	PopTraceThermalRequestPassiveHistogram
		xor	cl, cl
		call	PopThermalUpdateTelemetryClientCount

loc_9AAC33:				; CODE XREF: PopOrphanCoolingExtension(x)+6Dj
		cmp	dword ptr [edi+40h], 0
		jz	short loc_9AAC4F
		cmp	byte ptr [esi+9], 0
		lea	ecx, [esi+18h]
		setz	dl
		call	_PopThermalUpdateActiveTimeTracking@8 ;	PopThermalUpdateActiveTimeTracking(x,x)
		mov	ecx, esi
		call	_PopTraceThermalRequestActiveActivity@4	; PopTraceThermalRequestActiveActivity(x)

loc_9AAC4F:				; CODE XREF: PopOrphanCoolingExtension(x)+8Cj
		mov	edx, offset _POP_ETW_EVENT_THERMAL_REQUEST_REMOVE
		mov	ecx, esi
		call	PopDiagTraceThermalRequest
		lea	eax, [edi+8]

loc_9AAC5E:				; CODE XREF: PopOrphanCoolingExtension(x)+63j
		mov	esi, [esi]
		cmp	esi, eax
		jnz	short loc_9AAC0A
		mov	ecx, [edi+18h]

loc_9AAC67:				; CODE XREF: PopOrphanCoolingExtension(x)+5Dj
		call	PopGetDope
		and	dword ptr [eax+30h], 0
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	short loc_9AACC7
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_9AACC7
		mov	[eax], ecx
		mov	[ecx+4], eax
		and	dword ptr [edi], 0
		and	dword ptr [edi+18h], 0

loc_9AAC8A:				; CODE XREF: PopOrphanCoolingExtension(x)+50j
		cmp	dword ptr [edi+14h], 0
		jz	short loc_9AAC94
		and	dword ptr [edi+14h], 0

loc_9AAC94:				; CODE XREF: PopOrphanCoolingExtension(x)+E3j
		xor	edx, edx
		lea	ecx, [edi+10h]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	dword_6C21A4, 0
		jz	short loc_9AACB3
		and	dword_6C21A4, 0

loc_9AACB3:				; CODE XREF: PopOrphanCoolingExtension(x)+FFj
		xor	edx, edx
		mov	ecx, offset _PopCoolingExtensionLock
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
; 

loc_9AACC7:				; CODE XREF: PopOrphanCoolingExtension(x)+CAj
					; PopOrphanCoolingExtension(x)+D1j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PopRegisterCoolingExtensionProtection(x)
_PopRegisterCoolingExtensionProtection@4: ; CODE XREF: PopAssociateThermalRequest+A20D0p
					; PopAssociateThermalRequest+A20EFp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, ecx
		push	ebx
		xor	ebx, ebx
		mov	[esp+30h+var_1C], eax
		push	esi
		lea	ecx, [eax+1Ch]
		mov	[esp+34h+var_2C], ebx
		push	edi
		mov	[esp+38h+var_18], ebx
		mov	[esp+38h+var_14], ebx
		mov	[esp+38h+var_24], ebx
		mov	[esp+38h+var_28], ebx
		mov	[esp+38h+var_20], ecx
		cmp	[ecx], ebx
		jz	short loc_9AAD08
		mov	esi, ebx
		jmp	loc_9AADDD
; 

loc_9AAD08:				; CODE XREF: PopOrphanCoolingExtension(x)+154j
		push	dword ptr [eax+18h]
		call	_IoGetDeviceAttachmentBaseRef@4	; IoGetDeviceAttachmentBaseRef(x)
		mov	edi, eax
		lea	eax, [esp+38h+var_2C]
		push	eax
		push	ebx
		push	ebx
		push	0Bh
		push	edi
		call	IoGetDeviceProperty
		cmp	eax, 0C0000023h
		jz	short loc_9AAD32
		mov	esi, 0C0000001h
		jmp	loc_9AADD2
; 

loc_9AAD32:				; CODE XREF: PopOrphanCoolingExtension(x)+17Bj
		push	6C6F4350h
		push	[esp+3Ch+var_2C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9AAD52
		mov	esi, 0C000009Ah
		jmp	loc_9AADD2
; 

loc_9AAD52:				; CODE XREF: PopOrphanCoolingExtension(x)+19Bj
		lea	eax, [esp+38h+var_2C]
		push	eax
		push	ebx
		push	[esp+40h+var_2C]
		push	0Bh
		push	edi
		call	IoGetDeviceProperty
		mov	esi, eax
		test	esi, esi
		js	short loc_9AADC7
		push	ebx
		lea	eax, [esp+3Ch+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+38h+var_24]
		push	eax
		lea	eax, [esp+3Ch+var_28]
		push	eax
		push	1F01FFh
		lea	eax, [esp+44h+var_18]
		push	eax
		call	IoGetDeviceObjectPointer
		mov	esi, eax
		test	esi, esi
		js	short loc_9AADB7
		push	[esp+38h+var_20]
		mov	eax, [esp+3Ch+var_24]
		push	[esp+3Ch+var_1C]
		push	offset _PopCoolingExtensionPnpNotification@8 ; PopCoolingExtensionPnpNotification(x,x)
		push	dword ptr [eax+8]
		push	[esp+48h+var_28]
		push	0
		push	3
		call	IoRegisterPlugPlayNotification
		mov	esi, eax

loc_9AADB7:				; CODE XREF: PopOrphanCoolingExtension(x)+1E7j
		cmp	[esp+38h+var_28], 0
		jz	short loc_9AADC7
		mov	ecx, [esp+38h+var_28]
		call	ObfDereferenceObject

loc_9AADC7:				; CODE XREF: PopOrphanCoolingExtension(x)+1BDj
					; PopOrphanCoolingExtension(x)+211j
		push	6C6F4350h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9AADD2:				; CODE XREF: PopOrphanCoolingExtension(x)+182j
					; PopOrphanCoolingExtension(x)+1A2j
		test	edi, edi
		jz	short loc_9AADDD
		mov	ecx, edi
		call	ObfDereferenceObject

loc_9AADDD:				; CODE XREF: PopOrphanCoolingExtension(x)+158j
					; PopOrphanCoolingExtension(x)+229j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopOrphanCoolingExtension@4 endp ; sp =  4


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsAcquireTransitionLock(x)
_PopDirectedDripsAcquireTransitionLock@4 proc near
					; CODE XREF: PopDirectedDripsSuspendDevices(x)+67p
		mov	edi, edi
		push	esi
		push	40h
		pop	esi
		mov	eax, [ecx]

loc_9AADEE:				; CODE XREF: PopDirectedDripsAcquireTransitionLock(x)+10j
		mov	edx, eax
		or	edx, esi
		lock cmpxchg [ecx], edx
		jnz	short loc_9AADEE
		test	al, 40h
		jnz	short loc_9AAE05
		push	7
		pop	ecx
		pop	esi
		jmp	_PopAcquireTransitionLock@4 ; PopAcquireTransitionLock(x)
; 

loc_9AAE05:				; CODE XREF: PopDirectedDripsAcquireTransitionLock(x)+14j
		pop	esi
		retn
_PopDirectedDripsAcquireTransitionLock@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsDestroyBroadcast()
_PopDirectedDripsDestroyBroadcast@0 proc near
					; CODE XREF: PopDirectedDripsResumeDevices(x,x)+46p
					; PopDirectedDripsSuspendDevices(x)+108p
		mov	edi, edi
		push	ecx
		mov	edx, _IopRootDeviceNode
		jmp	short loc_9AAE14
; 

loc_9AAE12:				; CODE XREF: PopDirectedDripsDestroyBroadcast()+12j
		mov	edx, eax

loc_9AAE14:				; CODE XREF: PopDirectedDripsDestroyBroadcast()+9j
		mov	eax, [edx+4]
		test	eax, eax
		jnz	short loc_9AAE12
		jmp	short loc_9AAE5D
; 

loc_9AAE1D:				; CODE XREF: PopDirectedDripsDestroyBroadcast()+5Cj
		mov	ecx, 0FFFFFEFFh
		lea	eax, [edx+0A8h]
		lock and [eax],	ecx
		lea	ecx, [edx+1D4h]
		lea	eax, [ecx+8]
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		and	dword ptr [ecx+10h], 0FFF8FFFFh
		and	dword ptr [ecx+14h], 0
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_9AAE5A

loc_9AAE4F:				; CODE XREF: PopDirectedDripsDestroyBroadcast()+4Fj
		mov	edx, eax
		mov	eax, [edx+4]
		test	eax, eax
		jnz	short loc_9AAE4F
		jmp	short loc_9AAE5D
; 

loc_9AAE5A:				; CODE XREF: PopDirectedDripsDestroyBroadcast()+46j
		mov	edx, [edx+8]

loc_9AAE5D:				; CODE XREF: PopDirectedDripsDestroyBroadcast()+14j
					; PopDirectedDripsDestroyBroadcast()+51j
		cmp	edx, _IopRootDeviceNode
		jnz	short loc_9AAE1D
		call	_PoClearBroadcast@0 ; PoClearBroadcast()
		pop	ecx
		retn
_PopDirectedDripsDestroyBroadcast@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsHandleResiliencyNotification(x)
_PopDirectedDripsHandleResiliencyNotification@4	proc near
					; CODE XREF: PopDirectedDripsWorkerRoutine+8ACFFp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		lea	edi, [esi+7Ch]
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+84h]
		mov	bl, [esi+81h]
		mov	[ebp+var_4], eax
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9AAEA6
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9AAEA6:				; CODE XREF: PopDirectedDripsHandleResiliencyNotification(x)+31j
		mov	ecx, edi
		call	KeAbPostRelease
		cmp	[esi+80h], bl
		jz	short loc_9AAED0
		mov	dl, bl
		call	_PopDirectedDripsDiagPnpActionQueueAccountingUpdate@8 ;	PopDirectedDripsDiagPnpActionQueueAccountingUpdate(x,x)
		mov	ecx, esi
		test	bl, bl
		jnz	short loc_9AAECB
		xor	dl, dl
		call	_PopDirectedDripsResumeDevices@8 ; PopDirectedDripsResumeDevices(x,x)
		jmp	short loc_9AAED0
; 

loc_9AAECB:				; CODE XREF: PopDirectedDripsHandleResiliencyNotification(x)+54j
		call	_PopDirectedDripsSuspendDevices@4 ; PopDirectedDripsSuspendDevices(x)

loc_9AAED0:				; CODE XREF: PopDirectedDripsHandleResiliencyNotification(x)+47j
					; PopDirectedDripsHandleResiliencyNotification(x)+5Dj
		xor	edx, edx
		mov	[esi+80h], bl
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_4]
		cmp	[esi+84h], eax
		jnz	short loc_9AAEFF
		xor	edx, edx
		mov	byte ptr [esi+88h], 1
		lea	ecx, [esi+8Ch]
		inc	edx
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)

loc_9AAEFF:				; CODE XREF: PopDirectedDripsHandleResiliencyNotification(x)+7Cj
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9AAF13
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9AAF13:				; CODE XREF: PopDirectedDripsHandleResiliencyNotification(x)+9Ej
		mov	ecx, edi
		call	KeAbPostRelease
		push	8
		pop	ecx
		call	PopDeepSleepClearDisengageReason
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopDirectedDripsHandleResiliencyNotification@4	endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsIdleResiliencyCallback(x, x)
_PopDirectedDripsIdleResiliencyCallback@8 proc near
					; CODE XREF: PopPdcIdleResiliencyCallback(x,x)+EFp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	bl, dl
		mov	edi, ecx
		xor	edx, edx
		mov	ecx, offset _PopDirectedDripsState
		mov	eax, [ecx]

loc_9AAF39:				; CODE XREF: PopDirectedDripsIdleResiliencyCallback(x,x)+1Aj
		mov	esi, eax
		or	esi, edx
		lock cmpxchg [ecx], esi
		jnz	short loc_9AAF39
		test	al, 1
		jnz	short loc_9AAF4B
		xor	esi, esi
		jmp	short loc_9AAFA9
; 

loc_9AAF4B:				; CODE XREF: PopDirectedDripsIdleResiliencyCallback(x,x)+1Ej
		push	8
		pop	ecx
		call	PopDeepSleepSetDisengageReason
		mov	esi, offset dword_6C371C
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		push	0
		push	400h
		mov	byte ptr word_6C3720+1,	bl
		mov	dword_6C3724, edi
		mov	byte_6C3728, 0
		call	_PopQueueDirectedDripsWork@12 ;	PopQueueDirectedDripsWork(x,x,x)
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9AAF94
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9AAF94:				; CODE XREF: PopDirectedDripsIdleResiliencyCallback(x,x)+64j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	esi, 103h
		test	bl, bl
		jz	short loc_9AAFA9
		call	_PopDirectedDripsUmMarkTestDevices@0 ; PopDirectedDripsUmMarkTestDevices()

loc_9AAFA9:				; CODE XREF: PopDirectedDripsIdleResiliencyCallback(x,x)+22j
					; PopDirectedDripsIdleResiliencyCallback(x,x)+7Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_PopDirectedDripsIdleResiliencyCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsInitializeBroadcast(x)
_PopDirectedDripsInitializeBroadcast@4 proc near
					; CODE XREF: PopDirectedDripsSuspendDevices(x)+91p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		xor	ebx, ebx
		mov	eax, ecx
		push	esi
		push	edi
		mov	[ebp+var_18], eax
		xor	ecx, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		lock or	[eax], ecx
		lea	eax, [ebp+var_4]
		push	eax
		lea	edx, [ebp+var_C]
		lea	ecx, [ebp+var_8]
		call	_PopDirectedDripsQueryMitigationStatus@12 ; PopDirectedDripsQueryMitigationStatus(x,x,x)
		mov	esi, [ebp+var_8]
		and	esi, [ebp+var_C]
		or	esi, [ebp+var_4]
		mov	[ebp+var_14], esi
		jnz	short loc_9AAFFC
		mov	esi, 0C0000001h
		jmp	loc_9AB18A
; 

loc_9AAFFC:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+41j
		mov	cl, 1
		call	_IoControlPnpDeviceActionQueue@4 ; IoControlPnpDeviceActionQueue(x)
		mov	edx, _IopRootDeviceNode
		jmp	short loc_9AB00D
; 

loc_9AB00B:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+63j
		mov	edx, eax

loc_9AB00D:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+5Aj
		mov	eax, [edx+4]
		test	eax, eax
		jnz	short loc_9AB00B
		jmp	short loc_9AB055
; 

loc_9AB016:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+ACj
		mov	ecx, 0FFFFFEFFh
		lea	eax, [edx+0A8h]
		lock and [eax],	ecx
		lea	ecx, [edx+1D4h]
		lea	eax, [ecx+8]
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		and	dword ptr [ecx+10h], 0FFF8FFFFh
		mov	[ecx+14h], ebx
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_9AB052

loc_9AB047:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+9Fj
		mov	edx, eax
		mov	eax, [edx+4]
		test	eax, eax
		jnz	short loc_9AB047
		jmp	short loc_9AB055
; 

loc_9AB052:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+96j
		mov	edx, [edx+8]

loc_9AB055:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+65j
					; PopDirectedDripsInitializeBroadcast(x)+A1j
		cmp	edx, _IopRootDeviceNode
		jnz	short loc_9AB016
		lea	ecx, [ebp+var_20]
		call	_PopFxBuildDirectedDripsCandidateDeviceList@4 ;	PopFxBuildDirectedDripsCandidateDeviceList(x)
		mov	edi, [ebp+var_20]
		lea	eax, [ebp+var_20]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_10], ebx
		cmp	edi, eax
		jz	loc_9AB158

loc_9AB079:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+103j
		mov	ecx, [edi-238h]
		lea	eax, [ebp+var_10]
		push	eax
		mov	edx, esi
		call	_PopDirectedDripsBuildBroadcastTreePartial@12 ;	PopDirectedDripsBuildBroadcastTreePartial(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9AB099
		mov	eax, [ebp+var_8]
		inc	eax
		mov	[ebp+var_8], eax
		jmp	short loc_9AB0A8
; 

loc_9AB099:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+DFj
		cmp	esi, 0C00000BBh
		jnz	loc_9AB15D
		mov	eax, [ebp+var_8]

loc_9AB0A8:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+E8j
		mov	edi, [edi]
		lea	ecx, [ebp+var_20]
		mov	esi, [ebp+var_14]
		cmp	edi, ecx
		jnz	short loc_9AB079
		test	eax, eax
		jz	loc_9AB158
		mov	edx, [ebp+var_10]
		test	edx, edx
		jz	loc_9AB158
		test	dl, 1
		setnz	cl
		test	byte ptr [ebp+var_4], 1
		setz	al
		test	cl, al
		jz	short loc_9AB0E3
		mov	eax, [ebp+var_18]
		mov	ecx, 400h
		lock or	[eax], ecx

loc_9AB0E3:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+127j
		test	dl, 2
		setnz	cl
		test	byte ptr [ebp+var_4], 2
		setz	al
		test	cl, al
		jz	short loc_9AB0FD
		mov	bl, 1
		mov	esi, 0C000022Dh
		jmp	short loc_9AB15D
; 

loc_9AB0FD:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+143j
		mov	ecx, _IopRootDeviceNode
		jmp	short loc_9AB107
; 

loc_9AB105:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+15Dj
		mov	ecx, eax

loc_9AB107:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+154j
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_9AB105
		jmp	short loc_9AB144
; 

loc_9AB110:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+19Bj
		mov	eax, [ecx+1E4h]
		test	eax, 30000h
		jz	short loc_9AB130
		call	_PopDirectedDripsDiagTraceTransition@4 ; PopDirectedDripsDiagTraceTransition(x)
		mov	edx, 100h
		lea	eax, [ecx+0A8h]
		lock or	[eax], edx

loc_9AB130:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+16Cj
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_9AB141

loc_9AB136:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+18Ej
		mov	ecx, eax
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_9AB136
		jmp	short loc_9AB144
; 

loc_9AB141:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+185j
		mov	ecx, [ecx+8]

loc_9AB144:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+15Fj
					; PopDirectedDripsInitializeBroadcast(x)+190j
		cmp	ecx, _IopRootDeviceNode
		jnz	short loc_9AB110
		xor	ecx, ecx
		inc	ecx
		call	PoInitializeBroadcast
		mov	esi, eax
		jmp	short loc_9AB15D
; 

loc_9AB158:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+C4j
					; PopDirectedDripsInitializeBroadcast(x)+107j ...
		mov	esi, 0C0000001h

loc_9AB15D:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+F0j
					; PopDirectedDripsInitializeBroadcast(x)+14Cj ...
		lea	ecx, [ebp+var_20]
		call	_PopFxDestroyDirectedDripsCandidateDeviceList@4	; PopFxDestroyDirectedDripsCandidateDeviceList(x)
		test	esi, esi
		jns	short loc_9AB170
		xor	cl, cl
		call	_IoControlPnpDeviceActionQueue@4 ; IoControlPnpDeviceActionQueue(x)

loc_9AB170:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+1B8j
		test	bl, bl
		jz	short loc_9AB18A
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		push	2Ah
		push	4
		xor	edx, edx
		pop	ecx
		call	_PopPowerAggregatorHandleIntent@12 ; PopPowerAggregatorHandleIntent(x,x,x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_9AB18A:				; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+48j
					; PopDirectedDripsInitializeBroadcast(x)+1C3j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PopDirectedDripsInitializeBroadcast@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsMarkCandidateDevice(x)
_PopDirectedDripsMarkCandidateDevice@4 proc near
					; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x):loc_9B462Ap
					; PopDirectedDripsUmMarkTestDevices()+C0p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		push	40h
		pop	edi
		lea	esi, [ecx+238h]
		mov	eax, [esi]

loc_9AB1A1:				; CODE XREF: PopDirectedDripsMarkCandidateDevice(x)+18j
		mov	edx, eax
		or	edx, edi
		lock cmpxchg [esi], edx
		jnz	short loc_9AB1A1
		test	al, 40h
		jnz	short loc_9AB1C3
		inc	dword_6C36C8
		inc	dword_6C3830
		mov	ecx, [ecx+1Ch]
		call	_PopDirectedDripsDiagTraceMarkDevice@4 ; PopDirectedDripsDiagTraceMarkDevice(x)

loc_9AB1C3:				; CODE XREF: PopDirectedDripsMarkCandidateDevice(x)+1Cj
		pop	edi
		pop	esi
		pop	ecx
		retn
_PopDirectedDripsMarkCandidateDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsNotifyAppsAndServices(x, x,	x)
_PopDirectedDripsNotifyAppsAndServices@12 proc near
					; CODE XREF: PopDirectedDripsEngage(x,x)+44p
					; PopDisengageDirectedDrips(x)+23p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		xor	eax, eax
		lock or	[edi], eax
		call	KeQueryInterruptTime
		cmp	[ebp+arg_0], 0
		mov	[esp+18h+var_8], eax
		mov	[esp+18h+var_4], edx
		jz	short loc_9AB242
		mov	ecx, ds:_ExPageLockHandle
		xor	edx, edx
		inc	edx
		call	MiLockPagableImageSection
		mov	eax, [esi]
		lea	ecx, [esi+24h]
		mov	dword ptr [esi+28h], 2
		mov	dword ptr [esi+2Ch], 5
		mov	[esi+30h], eax
		mov	dword ptr [esi+38h], 15h
		call	PoBlockConsoleSwitch
		mov	dl, 1
		mov	[esi+20h], eax
		mov	cl, dl
		call	_PopDirectedDripsSendSuspendResumeNotification@8 ; PopDirectedDripsSendSuspendResumeNotification(x,x)
		mov	dl, 1
		xor	cl, cl
		call	_PopDirectedDripsSendSuspendResumeNotification@8 ; PopDirectedDripsSendSuspendResumeNotification(x,x)
		push	8
		pop	eax
		lock or	[edi], eax
		and	dword ptr [edi+68h], 0
		jmp	short loc_9AB27F
; 

loc_9AB242:				; CODE XREF: PopDirectedDripsNotifyAppsAndServices(x,x,x)+28j
		xor	dl, dl
		xor	cl, cl
		call	_PopDirectedDripsSendSuspendResumeNotification@8 ; PopDirectedDripsSendSuspendResumeNotification(x,x)
		xor	dl, dl
		mov	cl, 1
		call	_PopDirectedDripsSendSuspendResumeNotification@8 ; PopDirectedDripsSendSuspendResumeNotification(x,x)
		mov	eax, [esi+20h]
		lea	edx, [esp+18h+var_C]
		lea	ecx, [esi+24h]
		mov	[esp+18h+var_C], eax
		mov	dword ptr [esi+34h], 7
		call	PopDispatchStateCallout
		push	ds:_ExPageLockHandle
		call	_MmUnlockPagableImageSection@4 ; MmUnlockPagableImageSection(x)
		push	0FFFFFFF7h
		pop	eax
		lock and [edi],	eax

loc_9AB27F:				; CODE XREF: PopDirectedDripsNotifyAppsAndServices(x,x,x)+79j
		call	KeQueryInterruptTime
		sub	eax, [esp+18h+var_8]
		push	0
		sbb	edx, [esp+1Ch+var_4]
		push	2710h
		push	edx
		push	eax
		call	__aulldiv
		mov	cl, [ebp+arg_0]
		push	edx
		push	eax
		call	_PopDiagTraceDirectedDripsNotifyAppsAndServices@16 ; PopDiagTraceDirectedDripsNotifyAppsAndServices(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_PopDirectedDripsNotifyAppsAndServices@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsNotifyTransitionFailed(x)
_PopDirectedDripsNotifyTransitionFailed@4 proc near
					; CODE XREF: PoBroadcastSystemState+B281p
		mov	edi, edi
		push	esi
		mov	edx, 67696450h
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_9AB2DE
		mov	ecx, [esi+0B0h]
		mov	ecx, [ecx+14h]
		test	ecx, ecx
		jz	short loc_9AB2D2
		call	_PopDirectedDripsDiagTraceBroadcastFailureDevice@4 ; PopDirectedDripsDiagTraceBroadcastFailureDevice(x)

loc_9AB2D2:				; CODE XREF: PopDirectedDripsNotifyTransitionFailed(x)+1Ej
		mov	edx, 67696450h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_9AB2DE:				; CODE XREF: PopDirectedDripsNotifyTransitionFailed(x)+11j
		mov	byte_6C3840, 1
		pop	esi
		retn
_PopDirectedDripsNotifyTransitionFailed@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsQueryEmSettings(x)
_PopDirectedDripsQueryEmSettings@4 proc	near
					; CODE XREF: PopDirectedDripsQueryPs4Support+87799p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		push	eax		; int
		inc	ebx
		mov	esi, ecx
		push	offset _GUID_EM_RULE_DISABLE_DIRECTED_DRIPS_CPU_MATCH ;	void *
		mov	[ebp+var_4], ebx
		call	EmClientQueryRuleState
		test	eax, eax
		js	short loc_9AB30F
		cmp	[ebp+var_4], 2
		jz	short loc_9AB311

loc_9AB30F:				; CODE XREF: PopDirectedDripsQueryEmSettings(x)+20j
		xor	bl, bl

loc_9AB311:				; CODE XREF: PopDirectedDripsQueryEmSettings(x)+26j
		mov	[esi], bl
		pop	esi
		pop	ebx
		leave
		retn
_PopDirectedDripsQueryEmSettings@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsQueryMitigationStatus(x, x,	x)
_PopDirectedDripsQueryMitigationStatus@12 proc near
					; CODE XREF: PopDirectedDripsNotify+9C2A1p
					; PopDirectedDripsInitializeBroadcast(x)+30p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, dword_6C36C4
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	edi, ecx
		mov	ecx, offset _PopDirectedDripsState
		xor	edx, edx
		mov	eax, [ecx]

loc_9AB334:				; CODE XREF: PopDirectedDripsQueryMitigationStatus(x,x,x)+25j
		mov	esi, eax
		or	esi, edx
		lock cmpxchg [ecx], esi
		jnz	short loc_9AB334
		mov	esi, eax
		mov	edx, [ebp+var_4]
		xor	eax, eax
		test	edi, edi
		jz	short loc_9AB35F
		mov	[edi], eax
		mov	ecx, eax
		test	bl, 1
		jz	short loc_9AB355
		inc	ecx
		mov	[edi], ecx

loc_9AB355:				; CODE XREF: PopDirectedDripsQueryMitigationStatus(x,x,x)+39j
		test	bl, 2
		jz	short loc_9AB35F
		or	ecx, 2
		mov	[edi], ecx

loc_9AB35F:				; CODE XREF: PopDirectedDripsQueryMitigationStatus(x,x,x)+30j
					; PopDirectedDripsQueryMitigationStatus(x,x,x)+41j
		test	edx, edx
		jz	short loc_9AB381
		mov	[edx], eax
		mov	ecx, eax
		test	esi, 1000h
		jz	short loc_9AB374
		xor	ecx, ecx
		inc	ecx
		mov	[edx], ecx

loc_9AB374:				; CODE XREF: PopDirectedDripsQueryMitigationStatus(x,x,x)+56j
		test	esi, 2000h
		jz	short loc_9AB381
		or	ecx, 2
		mov	[edx], ecx

loc_9AB381:				; CODE XREF: PopDirectedDripsQueryMitigationStatus(x,x,x)+4Aj
					; PopDirectedDripsQueryMitigationStatus(x,x,x)+63j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_9AB3A4
		mov	[ecx], eax
		test	esi, 400h
		jz	short loc_9AB397
		xor	eax, eax
		inc	eax
		mov	[ecx], eax

loc_9AB397:				; CODE XREF: PopDirectedDripsQueryMitigationStatus(x,x,x)+79j
		test	esi, 800h
		jz	short loc_9AB3A4
		or	eax, 2
		mov	[ecx], eax

loc_9AB3A4:				; CODE XREF: PopDirectedDripsQueryMitigationStatus(x,x,x)+6Fj
					; PopDirectedDripsQueryMitigationStatus(x,x,x)+86j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopDirectedDripsQueryMitigationStatus@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsReleaseTransitionLock(x)
_PopDirectedDripsReleaseTransitionLock@4 proc near
					; CODE XREF: PopDirectedDripsResumeDevices(x,x)+77p
					; PopDirectedDripsSuspendDevices(x)+117p
		mov	edi, edi
		push	esi
		push	0FFFFFFBFh
		pop	esi
		mov	eax, [ecx]

loc_9AB3B3:				; CODE XREF: PopDirectedDripsReleaseTransitionLock(x)+10j
		mov	edx, eax
		and	edx, esi
		lock cmpxchg [ecx], edx
		jnz	short loc_9AB3B3
		test	al, 40h
		jz	short loc_9AB3CA
		push	7
		pop	ecx
		pop	esi
		jmp	_PopReleaseTransitionLock@4 ; PopReleaseTransitionLock(x)
; 

loc_9AB3CA:				; CODE XREF: PopDirectedDripsReleaseTransitionLock(x)+14j
		pop	esi
		retn
_PopDirectedDripsReleaseTransitionLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsResumeDevices(x, x)
_PopDirectedDripsResumeDevices@8 proc near
					; CODE XREF: PopDirectedDripsRefreshDisengageState+AA373j
					; PopDirectedDripsWorkerRoutine+8AD24p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1], dl
		mov	edi, ecx
		call	KeQueryInterruptTime
		mov	[ebp+var_8], eax
		xor	ecx, ecx
		mov	[ebp+var_C], edx
		mov	eax, [edi]

loc_9AB3EB:				; CODE XREF: PopDirectedDripsResumeDevices(x,x)+27j
		mov	esi, eax
		or	esi, ecx
		lock cmpxchg [edi], esi
		jnz	short loc_9AB3EB
		mov	ebx, eax
		test	bl, 10h
		jz	short loc_9AB40E
		lea	ecx, [edi+30h]
		mov	byte ptr [edi+49h], 1
		call	PoBroadcastSystemState
		push	20h
		pop	eax
		lock or	[edi], eax

loc_9AB40E:				; CODE XREF: PopDirectedDripsResumeDevices(x,x)+2Ej
		test	bl, bl
		jns	short loc_9AB417
		call	_PopDirectedDripsDestroyBroadcast@0 ; PopDirectedDripsDestroyBroadcast()

loc_9AB417:				; CODE XREF: PopDirectedDripsResumeDevices(x,x)+44j
		cmp	[ebp+var_1], 0
		jnz	short loc_9AB433
		test	ebx, 200h
		jnz	short loc_9AB433
		call	_PopDirectedDripsUmIsTestModeEnabled@0 ; PopDirectedDripsUmIsTestModeEnabled()
		test	al, al
		jnz	short loc_9AB433
		call	_PopFxClearDirectedDripsCandidateDeviceList@0 ;	PopFxClearDirectedDripsCandidateDeviceList()

loc_9AB433:				; CODE XREF: PopDirectedDripsResumeDevices(x,x)+4Fj
					; PopDirectedDripsResumeDevices(x,x)+57j ...
		mov	eax, 0FFFFFF6Fh
		lock and [edi],	eax
		cmp	[ebp+var_1], 0
		jnz	short loc_9AB448
		mov	ecx, edi
		call	_PopDirectedDripsReleaseTransitionLock@4 ; PopDirectedDripsReleaseTransitionLock(x)

loc_9AB448:				; CODE XREF: PopDirectedDripsResumeDevices(x,x)+73j
		call	KeQueryInterruptTime
		sub	eax, [ebp+var_8]
		push	0
		sbb	edx, [ebp+var_C]
		push	989680h
		push	edx
		push	eax
		call	__aulldiv
		push	edx
		push	eax
		xor	edx, edx
		xor	cl, cl
		call	_PopDirectedDripsDiagTraceNotifyDevices@16 ; PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopDirectedDripsResumeDevices@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsSendSessionData(x)
_PopDirectedDripsSendSessionData@4 proc	near ; CODE XREF: PopDirectedDripsNotify+9C2FDp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		lea	edx, [ebp+var_8]
		mov	[ebp+var_8], eax
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_PopDirectedDripsQueryMitigationStatus@12 ; PopDirectedDripsQueryMitigationStatus(x,x,x)
		push	[ebp+var_4]
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		call	_PopDirectedDripsDiagNotifySessionStop@12 ; PopDirectedDripsDiagNotifySessionStop(x,x,x)
		leave
		retn
_PopDirectedDripsSendSessionData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsSendSuspendResumeNotification(x, x)
_PopDirectedDripsSendSuspendResumeNotification@8 proc near
					; CODE XREF: PopDirectedDripsNotifyAppsAndServices(x,x,x)+61p
					; PopDirectedDripsNotifyAppsAndServices(x,x,x)+6Ap ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	al, dl
		mov	[ebp+var_1], al
		push	ebx
		push	esi
		push	edi
		test	cl, cl
		jnz	short loc_9AB51B
		xor	ebx, ebx
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], ebx
		mov	byte ptr [ebp+var_8], al
		mov	word ptr [ebp+var_8+1],	bx
		call	_PopSuspendResumeInvocation@4 ;	PopSuspendResumeInvocation(x)
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		cmp	[ebp+var_1], bl
		jnz	short loc_9AB501
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_10], 12h
		mov	[ebp+var_14], 3
		mov	word ptr [ebp+var_8], 1
		call	_PopUmpoSendLegacyEvent@4 ; PopUmpoSendLegacyEvent(x)
		mov	[ebp+var_10], 7
		jmp	short loc_9AB511
; 

loc_9AB501:				; CODE XREF: PopDirectedDripsSendSuspendResumeNotification(x,x)+37j
		mov	[ebp+var_10], 4
		mov	[ebp+var_14], ebx
		mov	word ptr [ebp+var_8], 100h

loc_9AB511:				; CODE XREF: PopDirectedDripsSendSuspendResumeNotification(x,x)+5Cj
		lea	ecx, [ebp+var_14]
		call	_PopUmpoSendLegacyEvent@4 ; PopUmpoSendLegacyEvent(x)
		jmp	short loc_9AB558
; 

loc_9AB51B:				; CODE XREF: PopDirectedDripsSendSuspendResumeNotification(x,x)+12j
		xor	ecx, ecx
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9AB558
		xor	ebx, ebx

loc_9AB52A:				; CODE XREF: PopDirectedDripsSendSuspendResumeNotification(x,x)+B3j
		mov	ecx, esi
		mov	[ebp+var_8], ebx
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		mov	[ebp+var_C], eax
		lea	ecx, [ebp+var_C]
		mov	al, [ebp+var_1]
		mov	byte ptr [ebp+var_8], al
		mov	word ptr [ebp+var_8+1],	1
		call	_PopSuspendResumeInvocation@4 ;	PopSuspendResumeInvocation(x)
		mov	ecx, esi
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9AB52A

loc_9AB558:				; CODE XREF: PopDirectedDripsSendSuspendResumeNotification(x,x)+76j
					; PopDirectedDripsSendSuspendResumeNotification(x,x)+83j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopDirectedDripsSendSuspendResumeNotification@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsSuspendDevices(x)
_PopDirectedDripsSuspendDevices@4 proc near
					; CODE XREF: PopDirectedDripsRefreshDisengageState+AA385j
					; PopDirectedDripsWorkerRoutine+8AD2Bp	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	KeQueryInterruptTime
		mov	[esp+18h+var_8], eax
		xor	ecx, ecx
		mov	[esp+18h+var_4], edx
		mov	eax, [edi]

loc_9AB57E:				; CODE XREF: PopDirectedDripsSuspendDevices(x)+29j
		mov	esi, eax
		or	esi, ecx
		lock cmpxchg [edi], esi
		jnz	short loc_9AB57E
		mov	ebx, eax
		cmp	[edi+74h], ecx
		jnz	loc_9AB64A
		test	ebx, 3000h
		setnz	cl
		test	bl, 10h
		setz	al
		test	cl, al
		jz	loc_9AB64A
		mov	eax, ebx
		and	eax, 808h
		cmp	eax, 800h
		jnz	short loc_9AB5C2
		mov	esi, 0C0000120h
		jmp	loc_9AB653
; 

loc_9AB5C2:				; CODE XREF: PopDirectedDripsSuspendDevices(x)+59j
		mov	ecx, edi
		call	_PopDirectedDripsAcquireTransitionLock@4 ; PopDirectedDripsAcquireTransitionLock(x)
		and	dword ptr [edi+48h], 0
		xor	ecx, ecx
		inc	ecx
		mov	dword ptr [edi+40h], 2
		push	5
		pop	eax
		mov	[edi+30h], ecx
		mov	[edi+34h], eax
		mov	[edi+38h], eax
		mov	eax, [edi+2Ch]
		mov	[edi+3Ch], ecx
		mov	ecx, edi
		mov	[edi+44h], eax
		call	_PopDirectedDripsInitializeBroadcast@4 ; PopDirectedDripsInitializeBroadcast(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9AB5FE
		mov	[edi+6Ch], esi
		jmp	short loc_9AB64F
; 

loc_9AB5FE:				; CODE XREF: PopDirectedDripsSuspendDevices(x)+9Aj
		mov	eax, 80h
		lock or	[edi], eax
		lea	esi, [edi+30h]
		test	ebx, 800h
		jz	short loc_9AB61C
		mov	ecx, esi
		mov	byte ptr [edi+4Ah], 3
		call	PoBroadcastSystemState

loc_9AB61C:				; CODE XREF: PopDirectedDripsSuspendDevices(x)+B2j
		mov	byte ptr [edi+1A0h], 0
		mov	ecx, esi
		mov	byte ptr [edi+4Ah], 2
		call	PoBroadcastSystemState
		mov	esi, eax
		mov	[edi+6Ch], esi
		test	esi, esi
		js	short loc_9AB653
		push	10h
		pop	eax
		lock or	[edi], eax
		push	0FFFFFFDFh
		pop	eax
		lock and [edi],	eax
		inc	dword ptr [edi+70h]
		xor	esi, esi
		jmp	short loc_9AB679
; 

loc_9AB64A:				; CODE XREF: PopDirectedDripsSuspendDevices(x)+30j
					; PopDirectedDripsSuspendDevices(x)+47j
		mov	esi, 0C0000001h

loc_9AB64F:				; CODE XREF: PopDirectedDripsSuspendDevices(x)+9Fj
		test	esi, esi
		jns	short loc_9AB679

loc_9AB653:				; CODE XREF: PopDirectedDripsSuspendDevices(x)+60j
					; PopDirectedDripsSuspendDevices(x)+D8j
		xor	edx, edx
		mov	eax, [edi]

loc_9AB657:				; CODE XREF: PopDirectedDripsSuspendDevices(x)+102j
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [edi], ecx
		jnz	short loc_9AB657
		test	al, al
		jns	short loc_9AB672
		call	_PopDirectedDripsDestroyBroadcast@0 ; PopDirectedDripsDestroyBroadcast()
		mov	eax, 0FFFFFF7Fh
		lock and [edi],	eax

loc_9AB672:				; CODE XREF: PopDirectedDripsSuspendDevices(x)+106j
		mov	ecx, edi
		call	_PopDirectedDripsReleaseTransitionLock@4 ; PopDirectedDripsReleaseTransitionLock(x)

loc_9AB679:				; CODE XREF: PopDirectedDripsSuspendDevices(x)+EBj
					; PopDirectedDripsSuspendDevices(x)+F4j
		call	KeQueryInterruptTime
		sub	eax, [esp+18h+var_8]
		push	0
		sbb	edx, [esp+1Ch+var_4]
		push	(offset	loc_98967E+2)
		push	edx
		push	eax
		call	__aulldiv
		push	edx
		push	eax
		mov	edx, esi
		mov	cl, 1
		call	_PopDirectedDripsDiagTraceNotifyDevices@16 ; PopDirectedDripsDiagTraceNotifyDevices(x,x,x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopDirectedDripsSuspendDevices@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopDisengageDirectedDrips(x)
_PopDisengageDirectedDrips@4 proc near	; CODE XREF: PopDirectedDripsNotify:loc_90C5E1p
		mov	edi, edi
		push	esi
		xor	esi, esi
		mov	ecx, offset _PopDirectedDripsState
		mov	eax, [ecx]

loc_9AB6B4:				; CODE XREF: PopDisengageDirectedDrips(x)+14j
		mov	edx, eax
		or	edx, esi
		lock cmpxchg [ecx], edx
		jnz	short loc_9AB6B4
		test	eax, 800h
		jz	short loc_9AB6D0
		push	esi
		mov	edx, offset dword_6C36CC
		call	_PopDirectedDripsNotifyAppsAndServices@12 ; PopDirectedDripsNotifyAppsAndServices(x,x,x)

loc_9AB6D0:				; CODE XREF: PopDisengageDirectedDrips(x)+1Bj
		pop	esi
		retn
_PopDisengageDirectedDrips@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopIsDirectedDripsEnabled()
_PopIsDirectedDripsEnabled@0 proc near	; CODE XREF: PopDirectedDripsDiagDestroyDeviceDiagnostic(x)+5p
					; PopDirectedDripsDiagNotifySessionStart(x,x,x)+8p ...
		mov	edi, edi
		push	esi
		xor	esi, esi
		mov	edx, offset _PopDirectedDripsState
		mov	eax, [edx]

loc_9AB6DE:				; CODE XREF: PopIsDirectedDripsEnabled()+14j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_9AB6DE
		and	al, 1
		pop	esi
		retn
_PopIsDirectedDripsEnabled@0 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1672. PoDisableSleepStates

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoDisableSleepStates(x, x, x)
		public _PoDisableSleepStates@12
_PoDisableSleepStates@12 proc near	; CODE XREF: PoInitHiberServices+A1EE2p
					; PoInitHiberServices+A1EFAp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	64536F50h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9AB714
		mov	edi, 0C000009Ah
		jmp	short loc_9AB75F
; 

loc_9AB714:				; CODE XREF: PoDisableSleepStates(x,x,x)+1Aj
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		mov	[esi], edi
		mov	ebx, offset _PopDisableSleepMutex
		mov	[esi+4], edi
		mov	ecx, ebx
		mov	[esi+8], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+0Ch], eax
		call	ExAcquireFastMutex
		mov	eax, dword_6C3684
		mov	ecx, offset _PopDisableSleepList
		cmp	[eax], ecx
		jz	short loc_9AB746
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9AB746:				; CODE XREF: PoDisableSleepStates(x,x,x)+4Ej
		mov	[esi], ecx
		mov	ecx, ebx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6C3684, esi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		mov	ecx, [ebp+arg_8]
		mov	[ecx], esi

loc_9AB75F:				; CODE XREF: PoDisableSleepStates(x,x,x)+21j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_PoDisableSleepStates@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1712. PoReenableSleepStates

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoReenableSleepStates(x)
		public _PoReenableSleepStates@4
_PoReenableSleepStates@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, offset _PopDisableSleepMutex
		mov	ecx, edi
		call	ExAcquireFastMutex
		mov	esi, [ebp+arg_0]
		mov	edx, [esi]
		cmp	[edx+4], esi
		jnz	short loc_9AB7AE
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_9AB7AE
		mov	[eax], edx
		mov	ecx, edi
		mov	[edx+4], eax
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		push	64536F50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_9AB7AE:				; CODE XREF: PoReenableSleepStates(x)+1Bj
					; PoReenableSleepStates(x)+22j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PoReenableSleepStates@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopApplyAdminPolicy(x, x)
_PopApplyAdminPolicy@8 proc near	; CODE XREF: NtPowerInformation+171C90p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	6
		mov	esi, edx
		lea	edi, [ebp+var_1C]
		pop	ecx
		rep movsd
		mov	edx, [ebp+var_1C]
		lea	eax, [edx-2]
		cmp	eax, 3
		ja	short loc_9AB821
		mov	ecx, [ebp+var_18]
		lea	eax, [ecx-2]
		cmp	eax, 3
		ja	short loc_9AB821
		cmp	edx, ecx
		jg	short loc_9AB821
		mov	eax, [ebp+var_14]
		cmp	eax, [ebp+var_10]
		ja	short loc_9AB821
		mov	eax, [ebp+var_C]
		cmp	eax, [ebp+var_8]
		ja	short loc_9AB821
		push	18h		; size_t
		mov	edi, offset _PopAdminPolicy
		lea	eax, [ebp+var_1C]
		push	edi		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9AB817

loc_9AB813:				; CODE XREF: PopApplyAdminPolicy(x,x)+6Cj
		xor	eax, eax
		jmp	short loc_9AB826
; 

loc_9AB817:				; CODE XREF: PopApplyAdminPolicy(x,x)+5Ej
		push	6
		pop	ecx
		lea	esi, [ebp+var_1C]
		rep movsd
		jmp	short loc_9AB813
; 

loc_9AB821:				; CODE XREF: PopApplyAdminPolicy(x,x)+27j
					; PopApplyAdminPolicy(x,x)+32j	...
		mov	eax, 0C000000Dh

loc_9AB826:				; CODE XREF: PopApplyAdminPolicy(x,x)+62j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopApplyAdminPolicy@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopGetPowerRequestListInfo(x, x)
_PopGetPowerRequestListInfo@8 proc near	; CODE XREF: NtPowerInformation+172373p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], ecx
		nop
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExAcquirePushLockSharedEx
		mov	eax, _PopPowerRequestObjectCount
		mov	ebx, offset _PopPowerRequestObjectList
		mov	edi, _PopPowerRequestObjectList
		lea	esi, ds:7[eax*4]
		jmp	short loc_9AB895
; 

loc_9AB878:				; CODE XREF: PopGetPowerRequestListInfo(x,x)+66j
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ecx
		mov	ecx, [edi+40h]
		xor	edx, edx
		push	eax
		call	PoStoreDiagnosticContext
		mov	eax, [ebp+var_4]
		mov	edi, [edi]
		add	eax, 1Fh
		add	esi, eax

loc_9AB895:				; CODE XREF: PopGetPowerRequestListInfo(x,x)+42j
		and	esi, 0FFFFFFFCh
		cmp	edi, ebx
		jnz	short loc_9AB878
		push	206D654Dh
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9AB8B9
		mov	ebx, 0C000009Ah
		jmp	loc_9AB982
; 

loc_9AB8B9:				; CODE XREF: PopGetPowerRequestListInfo(x,x)+79j
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		lea	eax, [edi+4]
		add	esp, 0Ch
		mov	[ebp+var_10], eax
		mov	eax, _PopPowerRequestObjectCount
		mov	[edi], eax
		mov	ebx, _PopPowerRequestObjectList
		lea	ecx, ds:7[eax*4]
		and	ecx, 0FFFFFFFCh
		sub	esi, ecx
		jmp	short loc_9AB957
; 

loc_9AB8E6:				; CODE XREF: PopGetPowerRequestListInfo(x,x)+12Fj
		cmp	esi, 34h
		jb	loc_9AB9AA
		mov	eax, [ebx+0Ch]
		lea	edx, [ecx+4]
		mov	[edi+ecx], eax
		add	edx, edi
		push	6
		lea	ecx, [ebx+18h]
		pop	ebx

loc_9AB900:				; CODE XREF: PopGetPowerRequestListInfo(x,x)+D9j
		mov	eax, [ecx]
		lea	ecx, [ecx+4]
		mov	[edx], eax
		lea	edx, [edx+4]
		sub	ebx, 1
		jnz	short loc_9AB900
		mov	ecx, [ebp+var_8]
		lea	eax, [esi-1Ch]
		mov	ebx, [ebp+var_C]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	ecx
		lea	edx, [ecx+1Ch]
		mov	ecx, [ebx+40h]
		add	edx, edi
		push	eax
		call	PoStoreDiagnosticContext
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9AB973
		mov	eax, [ebp+var_4]
		add	eax, 1Fh
		and	eax, 0FFFFFFFCh
		cmp	esi, eax
		jb	short loc_9AB9AA
		mov	edx, [ebp+var_10]
		sub	esi, eax
		mov	ecx, [ebp+var_8]
		mov	ebx, [ebp+var_C]
		mov	[edx], ecx
		add	ecx, eax
		add	edx, 4
		mov	ebx, [ebx]
		mov	[ebp+var_10], edx

loc_9AB957:				; CODE XREF: PopGetPowerRequestListInfo(x,x)+B0j
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ecx
		cmp	ebx, offset _PopPowerRequestObjectList
		jnz	short loc_9AB8E6
		mov	eax, [ebp+var_14]
		mov	[eax], edi
		xor	edi, edi
		mov	eax, [ebp+var_18]
		xor	ebx, ebx
		mov	[eax], ecx

loc_9AB973:				; CODE XREF: PopGetPowerRequestListInfo(x,x)+FDj
					; PopGetPowerRequestListInfo(x,x)+17Bj
		test	edi, edi
		jz	short loc_9AB982
		push	206D654Dh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9AB982:				; CODE XREF: PopGetPowerRequestListInfo(x,x)+80j
					; PopGetPowerRequestListInfo(x,x)+141j
		cmp	dword_6C3884, 0
		jz	short loc_9AB992
		and	dword_6C3884, 0

loc_9AB992:				; CODE XREF: PopGetPowerRequestListInfo(x,x)+155j
		xor	edx, edx
		mov	ecx, offset _PopPowerRequestLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_9AB9AA:				; CODE XREF: PopGetPowerRequestListInfo(x,x)+B5j
					; PopGetPowerRequestListInfo(x,x)+10Aj
		mov	ebx, 0C0000023h
		jmp	short loc_9AB973
_PopGetPowerRequestListInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopLidSwitchChangeCallback(x, x, x,	x)
_PopLidSwitchChangeCallback@16 proc near

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_4]
		xor	ecx, ecx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, offset _GUID_LIDSWITCH_STATE_CHANGE

loc_9AB9D2:				; CODE XREF: PopLidSwitchChangeCallback(x,x,x,x)+2Dj
		mov	eax, [edi+ecx*4]
		cmp	eax, [esi+ecx*4]
		jnz	short loc_9ABA14
		inc	ecx
		cmp	ecx, 4
		jnz	short loc_9AB9D2
		cmp	[ebp+arg_8], ecx
		jnz	short loc_9ABA14
		test	edx, edx
		jz	short loc_9ABA14
		mov	eax, [edx]
		lea	edi, [ebp+var_18]
		movsd
		xor	ecx, ecx
		movsd
		movsd
		movsd
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	14h
		pop	edx
		call	_PopBroadcastSessionInfo@12 ; PopBroadcastSessionInfo(x,x,x)
		xor	edx, edx
		mov	ecx, offset _PopRecordLidStateWorkItem
		inc	edx
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)
		xor	eax, eax
		jmp	short loc_9ABA19
; 

loc_9ABA14:				; CODE XREF: PopLidSwitchChangeCallback(x,x,x,x)+27j
					; PopLidSwitchChangeCallback(x,x,x,x)+32j ...
		mov	eax, 0C000000Dh

loc_9ABA19:				; CODE XREF: PopLidSwitchChangeCallback(x,x,x,x)+61j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PopLidSwitchChangeCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopS0LowPowerIdleInfo(x)
_PopS0LowPowerIdleInfo@4 proc near	; CODE XREF: PopPowerInformationInternal+17120Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		cmp	_PopPlatformAoAc, 0
		mov	[ebp+var_4], esi
		mov	[edi], esi
		mov	[edi+4], esi
		jnz	short loc_9ABA51
		mov	esi, 0C00000BBh
		jmp	loc_9ABAE6
; 

loc_9ABA51:				; CODE XREF: PopS0LowPowerIdleInfo(x)+1Cj
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		lea	ecx, [ebp+var_4]
		call	_PopNetIsDisconnectStandbyActive@4 ; PopNetIsDisconnectStandbyActive(x)
		mov	ebx, [ebp+var_4]
		mov	dl, al
		mov	cl, [edi+4]
		mov	[edi], ebx
		cmp	_PopCsDeviceCompliance,	1
		setz	al
		and	cl, 0FEh
		or	cl, al
		mov	[edi+4], cl
		cmp	dword_6FE09C, 1
		setnz	al
		and	cl, 0FDh
		dec	al
		and	al, 2
		or	cl, al
		mov	[edi+4], cl
		cmp	dword_6FE0A0, 1
		setnz	al
		and	cl, 0FBh
		dec	al
		and	al, 4
		or	cl, al
		mov	[edi+4], cl
		cmp	dword_6FE0A8, 1
		setnz	al
		and	cl, 0F7h
		dec	al
		and	al, 8
		or	cl, al
		test	dl, dl
		mov	[edi+4], cl
		mov	cl, [edi+5]
		setnz	al
		and	cl, 0FEh
		or	cl, al
		mov	[edi+5], cl
		cmp	ebx, 3
		jz	short loc_9ABADB
		cmp	ebx, 4
		jz	short loc_9ABADB
		and	cl, 0FDh
		jmp	short loc_9ABADE
; 

loc_9ABADB:				; CODE XREF: PopS0LowPowerIdleInfo(x)+A6j
					; PopS0LowPowerIdleInfo(x)+ABj
		or	cl, 2

loc_9ABADE:				; CODE XREF: PopS0LowPowerIdleInfo(x)+B0j
		mov	[edi+5], cl
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_9ABAE6:				; CODE XREF: PopS0LowPowerIdleInfo(x)+23j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PopS0LowPowerIdleInfo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWnfFullscreenVideoCallback(x, x,	x, x, x, x)
_PopWnfFullscreenVideoCallback@24 proc near
					; DATA XREF: PopSetupFullScrenVideoNotification()+9o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_10]
		push	esi
		push	edi
		push	8
		pop	edi
		push	ecx		; int
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_10], edi
		push	ecx		; void *
		lea	ecx, [ebp+arg_C]
		push	ecx		; int
		push	eax		; int
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9ABB64
		cmp	[ebp+var_10], edi
		jnb	short loc_9ABB2B
		xor	esi, esi
		jmp	short loc_9ABB64
; 

loc_9ABB2B:				; CODE XREF: PopWnfFullscreenVideoCallback(x,x,x,x,x,x)+38j
		mov	edi, offset _PopFxSystemLatencyLock
		mov	ecx, edi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		cmp	byte_6C2D4E, 0
		mov	eax, [ebp+var_C]
		jnz	short loc_9ABB4A
		and	eax, 2
		jnz	short loc_9ABB4F
		jmp	short loc_9ABB5D
; 

loc_9ABB4A:				; CODE XREF: PopWnfFullscreenVideoCallback(x,x,x,x,x,x)+54j
		and	eax, 2
		jnz	short loc_9ABB5D

loc_9ABB4F:				; CODE XREF: PopWnfFullscreenVideoCallback(x,x,x,x,x,x)+59j
		test	eax, eax
		setnz	byte_6C2D4E
		call	PoFxSendSystemLatencyUpdate

loc_9ABB5D:				; CODE XREF: PopWnfFullscreenVideoCallback(x,x,x,x,x,x)+5Bj
					; PopWnfFullscreenVideoCallback(x,x,x,x,x,x)+60j
		mov	ecx, edi
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)

loc_9ABB64:				; CODE XREF: PopWnfFullscreenVideoCallback(x,x,x,x,x,x)+33j
					; PopWnfFullscreenVideoCallback(x,x,x,x,x,x)+3Cj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_PopWnfFullscreenVideoCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWnfUserAwayPredictionCallback(x,	x, x, x, x, x)
_PopWnfUserAwayPredictionCallback@24 proc near
					; DATA XREF: PopSetupUserPresencePredictionNotification()+9o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_4]
		and	[ebp+var_8], 0
		push	esi
		push	eax		; int
		lea	eax, [ebp+var_C]
		mov	[ebp+var_4], 8
		push	eax		; void *
		lea	eax, [ebp+arg_C]
		push	eax		; int
		push	[ebp+arg_0]	; int
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9ABBCA
		cmp	[ebp+var_4], 8
		jnb	short loc_9ABBB2
		xor	esi, esi
		jmp	short loc_9ABBCA
; 

loc_9ABBB2:				; CODE XREF: PopWnfUserAwayPredictionCallback(x,x,x,x,x,x)+36j
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		push	[ebp+var_8]
		push	[ebp+var_C]
		push	3
		pop	ecx
		call	_PopUpdateSmartUserPresencePredictions@12 ; PopUpdateSmartUserPresencePredictions(x,x,x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_9ABBCA:				; CODE XREF: PopWnfUserAwayPredictionCallback(x,x,x,x,x,x)+30j
					; PopWnfUserAwayPredictionCallback(x,x,x,x,x,x)+3Aj
		mov	eax, esi
		pop	esi
		leave
		retn	18h
_PopWnfUserAwayPredictionCallback@24 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1711. PoQueueShutdownWorkItem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoQueueShutdownWorkItem(x)
		public _PoQueueShutdownWorkItem@4
_PoQueueShutdownWorkItem@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, offset _PopShutdownListMutex
		mov	ecx, edi
		call	ExAcquireFastMutex
		cmp	_PopShutdownListAvailable, 0
		jz	short loc_9ABC19
		mov	ecx, dword_6C358C
		mov	edx, offset _PopShutdownQueue
		cmp	[ecx], edx
		jz	short loc_9ABC06
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9ABC06:				; CODE XREF: PoQueueShutdownWorkItem(x)+29j
		mov	eax, [ebp+arg_0]
		xor	esi, esi
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6C358C, eax
		jmp	short loc_9ABC1E
; 

loc_9ABC19:				; CODE XREF: PoQueueShutdownWorkItem(x)+1Aj
		mov	esi, 0C00002EBh

loc_9ABC1E:				; CODE XREF: PoQueueShutdownWorkItem(x)+41j
		mov	ecx, edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_PoQueueShutdownWorkItem@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1735. PoUnregisterCoalescingCallback

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoUnregisterCoalescingCallback(x)
		public _PoUnregisterCoalescingCallback@4
_PoUnregisterCoalescingCallback@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		dec	word ptr [edi+13Ch]
		nop
		mov	ebx, [ebp+arg_0]
		add	ebx, 20h
		mov	ecx, ebx
		call	ExReferenceCallBackBlock
		mov	esi, eax
		xor	edx, edx
		push	esi
		mov	ecx, ebx
		call	ExCompareExchangeCallBack
		mov	edx, esi
		mov	ecx, ebx
		test	al, al
		jz	loc_9ABCEE
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, esi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopCoalRegistrationListLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+arg_0]
		mov	eax, large fs:124h
		add	ecx, 18h
		mov	dword_6C3544, eax
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_9ABCE9
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_9ABCE9
		mov	[eax], edx
		mov	[edx+4], eax
		cmp	dword_6C3544, 0
		jz	short loc_9ABCD1
		and	dword_6C3544, 0

loc_9ABCD1:				; CODE XREF: PoUnregisterCoalescingCallback(x)+96j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9ABCFA
; 

loc_9ABCE9:				; CODE XREF: PoUnregisterCoalescingCallback(x)+81j
					; PoUnregisterCoalescingCallback(x)+88j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9ABCEE:				; CODE XREF: PoUnregisterCoalescingCallback(x)+36j
		call	_ExDereferenceCallBackBlock@8 ;	ExDereferenceCallBackBlock(x,x)
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9ABCFA:				; CODE XREF: PoUnregisterCoalescingCallback(x)+B5j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PoUnregisterCoalescingCallback@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCoalescingCallback(x, x,	x)
_PopCoalescingCallback@12 proc near	; DATA XREF: PoRegisterCoalescingCallback+40o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+arg_4]
		push	dword ptr [ecx+14h]
		push	[ebp+arg_8]
		push	dword ptr [eax+4]
		call	dword ptr [ecx+0Ch]
		pop	ebp
		retn	0Ch
_PopCoalescingCallback@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopCoalescingCallbackWorker(x)
_PopCoalescingCallbackWorker@4 proc near ; DATA	XREF: PopCoalescingInitialize()+Ao
		mov	edi, edi

loc_9ABD1E:				; CODE XREF: PopCoalescingCallbackWorker(x)+61j
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	al, _PopCoalescingState
		test	al, 2
		jnz	short loc_9ABD41
		test	al, 1
		jz	short loc_9ABD7F
		xor	cl, cl
		call	_PopCoalescingSetActiveState@4 ; PopCoalescingSetActiveState(x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		push	ecx
		push	2
		jmp	short loc_9ABD71
; 

loc_9ABD41:				; CODE XREF: PopCoalescingCallbackWorker(x)+Ej
		test	al, 1
		jnz	short loc_9ABD5E
		and	al, 0FBh
		mov	cl, 1
		mov	_PopCoalescingState, al
		call	_PopCoalescingSetActiveState@4 ; PopCoalescingSetActiveState(x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		xor	edx, edx
		push	ecx
		inc	edx
		jmp	short loc_9ABD72
; 

loc_9ABD5E:				; CODE XREF: PopCoalescingCallbackWorker(x)+27j
		test	al, 4
		jz	short loc_9ABD7F
		and	al, 0FBh
		mov	_PopCoalescingState, al
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		push	ecx
		push	3

loc_9ABD71:				; CODE XREF: PopCoalescingCallbackWorker(x)+23j
		pop	edx

loc_9ABD72:				; CODE XREF: PopCoalescingCallbackWorker(x)+40j
		mov	ecx, _PopCoalescingRegistration
		call	_PoIssueCoalescingNotification@12 ; PoIssueCoalescingNotification(x,x,x)
		jmp	short loc_9ABD1E
; 

loc_9ABD7F:				; CODE XREF: PopCoalescingCallbackWorker(x)+12j
					; PopCoalescingCallbackWorker(x)+44j
		and	al, 0F7h
		mov	_PopCoalescingState, al
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		retn	4
_PopCoalescingCallbackWorker@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopCoalescingNotify()
_PopCoalescingNotify@0 proc near
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		test	_PopCoalescingState, 2
		jz	short loc_9ABDCC
		push	offset _PopCoalescingTimer
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		or	_PopCoalescingState, 4
		call	_PopEnsureCoalescingWorkerWillRun@0 ; PopEnsureCoalescingWorkerWillRun()
		call	_PopDiagTraceIoCoalescingFlush@0 ; PopDiagTraceIoCoalescingFlush()
		call	KeQueryInterruptTime
		mov	_PopCoalescingLastFlushTime, eax
		mov	dword_6C3534, edx
		call	_PopCoalescingSetTimer@0 ; PopCoalescingSetTimer()

loc_9ABDCC:				; CODE XREF: PopCoalescingNotify()+Cj
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	eax, large fs:124h
		cmp	dword ptr [eax+13Ch], 0
		jz	short loc_9ABDE5
		push	20h
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9ABDE5:				; CODE XREF: PopCoalescingNotify()+50j
		xor	eax, eax
		retn
_PopCoalescingNotify@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCalculateWakeTimeAdjustment()
_PopCalculateWakeTimeAdjustment@0 proc near ; CODE XREF: PopValidateRTCWake+7164p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	eax, eax
		cmp	dword_6C26E0, 4
		mov	[ebp+var_4], eax
		jnz	short loc_9ABE19
		cmp	_PoResumeFromHibernate,	al
		jnz	short loc_9ABE21
		push	eax
		lea	ecx, [ebp+var_4]
		xor	edx, edx
		push	ecx
		push	eax
		push	eax
		xor	ecx, ecx
		call	_PopPowerTransitionTimesInMs@24	; PopPowerTransitionTimesInMs(x,x,x,x,x,x)
		mov	eax, [ebp+var_4]
		leave
		retn
; 

loc_9ABE19:				; CODE XREF: PopCalculateWakeTimeAdjustment()+12j
		cmp	_PoResumeFromHibernate,	al
		jz	short locret_9ABE3E

loc_9ABE21:				; CODE XREF: PopCalculateWakeTimeAdjustment()+1Aj
		push	dword_6C2994
		push	dword_6C2990
		push	dword_6C29CC
		push	dword_6C29C8
		call	__aulldiv

locret_9ABE3E:				; CODE XREF: PopCalculateWakeTimeAdjustment()+37j
		leave
		retn
_PopCalculateWakeTimeAdjustment@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCopyWakeSource(x, x, x)
_PopCopyWakeSource@12 proc near		; CODE XREF: PopGetWakeSource+A6B1Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, ecx
		mov	ecx, [ebp+arg_0]
		call	_PopWakeSourceSize@4 ; PopWakeSourceSize(x)
		mov	[esi+4], eax
		mov	edx, [ecx+8]
		test	edx, edx
		jz	short loc_9ABECB
		xor	edi, edi
		inc	edi
		cmp	edx, edi
		jz	short loc_9ABEB1
		jbe	loc_9ABEEA
		cmp	edx, 3
		jbe	short loc_9ABE8F
		push	4
		pop	eax
		cmp	edx, eax
		jnz	short loc_9ABEEA
		mov	[esi], eax
		mov	eax, [ecx+0Ch]
		sub	eax, 0
		jz	short loc_9ABEC5
		sub	eax, edi
		jz	short loc_9ABEC0
		sub	eax, edi
		jnz	short loc_9ABEEA
		mov	dword ptr [esi+8], 2
		jmp	short loc_9ABEEA
; 

loc_9ABE8F:				; CODE XREF: PopCopyWakeSource(x,x,x)+2Bj
		xor	eax, eax
		cmp	edx, 2
		setnz	al
		add	eax, 2
		mov	[esi], eax
		add	esi, 8
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jz	short loc_9ABEAC
		push	dword ptr [eax]
		push	eax
		push	esi
		jmp	short loc_9ABEE2
; 

loc_9ABEAC:				; CODE XREF: PopCopyWakeSource(x,x,x)+64j
		and	dword ptr [esi], 0
		jmp	short loc_9ABEEA
; 

loc_9ABEB1:				; CODE XREF: PopCopyWakeSource(x,x,x)+20j
		mov	[esi], edi
		mov	eax, [ecx+0Ch]
		sub	eax, 1
		jz	short loc_9ABEC5
		sub	eax, 1
		jnz	short loc_9ABEEA

loc_9ABEC0:				; CODE XREF: PopCopyWakeSource(x,x,x)+40j
		mov	[esi+8], edi
		jmp	short loc_9ABEEA
; 

loc_9ABEC5:				; CODE XREF: PopCopyWakeSource(x,x,x)+3Cj
					; PopCopyWakeSource(x,x,x)+79j
		and	dword ptr [esi+8], 0
		jmp	short loc_9ABEEA
; 

loc_9ABECB:				; CODE XREF: PopCopyWakeSource(x,x,x)+19j
		and	dword ptr [esi], 0
		mov	ax, [ecx+0Ch]
		mov	[esi+8], ax
		movzx	eax, word ptr [ecx+0Ch]
		push	eax		; size_t
		push	dword ptr [ecx+10h] ; void *
		lea	eax, [esi+0Ah]
		push	eax		; void *

loc_9ABEE2:				; CODE XREF: PopCopyWakeSource(x,x,x)+6Aj
		call	_memcpy
		add	esp, 0Ch

loc_9ABEEA:				; CODE XREF: PopCopyWakeSource(x,x,x)+22j
					; PopCopyWakeSource(x,x,x)+32j	...
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_PopCopyWakeSource@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopFinalizeDeviceWakeSource(x)
_PopFinalizeDeviceWakeSource@4 proc near ; CODE	XREF: PopFinalizeWakeInfo+A6A1Dp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, 206D654Dh
		push	edi
		xor	edi, edi
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_9ABF12
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+14h], edi
		mov	[esi+18h], edi

loc_9ABF12:				; CODE XREF: PopFinalizeDeviceWakeSource(x)+13j
		mov	eax, [esi+20h]
		test	eax, eax
		jz	short loc_9ABF26
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+1Ch], edi
		mov	[esi+20h], edi

loc_9ABF26:				; CODE XREF: PopFinalizeDeviceWakeSource(x)+27j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PopFinalizeDeviceWakeSource@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFreeWakeInfo(x)
_PopFreeWakeInfo@4 proc	near		; DATA XREF: PopWakeInfoDereference+88C7Do

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_PopUnlinkWakeSources@4	; PopUnlinkWakeSources(x)
		push	206D654Dh
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	4
_PopFreeWakeInfo@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopFreeWakeSource(x)
_PopFreeWakeSource@4 proc near		; CODE XREF: PopUpdateWakeSourceWorker(x)+17Ep
					; PopProcessWakeSourceWork(x,x,x)+BEp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 206D654Dh
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_9ABF70
		add	eax, 0FFFFFFFEh
		cmp	eax, 1
		ja	short loc_9ABF9A
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_9ABF9A
		call	_ExDeleteWakeTimerInfo@4 ; ExDeleteWakeTimerInfo(x)
		jmp	short loc_9ABF9A
; 

loc_9ABF70:				; CODE XREF: PopFreeWakeSource(x)+10j
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_9ABF7E
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9ABF7E:				; CODE XREF: PopFreeWakeSource(x)+2Dj
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_9ABF8C
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9ABF8C:				; CODE XREF: PopFreeWakeSource(x)+3Bj
		mov	eax, [esi+20h]
		test	eax, eax
		jz	short loc_9ABF9A
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9ABF9A:				; CODE XREF: PopFreeWakeSource(x)+18j
					; PopFreeWakeSource(x)+1Fj ...
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_PopFreeWakeSource@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopNewWakeSource(x)
_PopNewWakeSource@4 proc near		; CODE XREF: PopHandleWakeSources+713Bp
					; PopProcessWakeSourceWork(x,x,x)+85p
		mov	edi, edi
		push	esi
		push	206D654Dh
		push	28h
		push	200h
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_9ABFCE
		push	edi
		push	0Ah
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		mov	[edx+8], esi
		pop	edi

loc_9ABFCE:				; CODE XREF: PopNewWakeSource(x)+1Aj
		mov	eax, edx
		pop	esi
		retn
_PopNewWakeSource@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopProcessWakeSourceWork(x,	x, x)
_PopProcessWakeSourceWork@12 proc near	; CODE XREF: PopUpdateWakeSourceWorker(x)+6Ap

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ecx+8]
		and	[ebp+var_C], 0
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+0Ch]
		test	eax, eax
		jz	short loc_9ABFFC
		mov	eax, [eax+0B0h]
		mov	ebx, [eax+14h]
		jmp	short loc_9ABFFE
; 

loc_9ABFFC:				; CODE XREF: PopProcessWakeSourceWork(x,x,x)+1Dj
		xor	ebx, ebx

loc_9ABFFE:				; CODE XREF: PopProcessWakeSourceWork(x,x,x)+28j
		mov	edx, [ebx+54h]
		add	edi, 0Ch
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edi
		mov	esi, [edi]
		cmp	esi, edi
		jz	short loc_9AC055
		mov	eax, edi

loc_9AC012:				; CODE XREF: PopProcessWakeSourceWork(x,x,x)+7Cj
		mov	edi, esi
		mov	esi, [esi]
		cmp	dword ptr [edi+8], 0
		jnz	short loc_9AC04C
		cmp	[edi+24h], edx
		jbe	short loc_9AC036
		lea	edx, [edi+0Ch]
		mov	ecx, ebx
		call	_PopWakeSourceIsParent@8 ; PopWakeSourceIsParent(x,x)
		test	al, al
		jz	short loc_9AC046
		mov	edi, 0C0000001h
		jmp	short loc_9AC095
; 

loc_9AC036:				; CODE XREF: PopProcessWakeSourceWork(x,x,x)+4Dj
		jnb	short loc_9AC04C
		lea	edx, [edi+0Ch]
		mov	ecx, ebx
		call	_PopWakeSourceIsChild@8	; PopWakeSourceIsChild(x,x)
		test	al, al
		jnz	short loc_9AC052

loc_9AC046:				; CODE XREF: PopProcessWakeSourceWork(x,x,x)+5Bj
		mov	edx, [ebp+var_8]
		mov	eax, [ebp+var_4]

loc_9AC04C:				; CODE XREF: PopProcessWakeSourceWork(x,x,x)+48j
					; PopProcessWakeSourceWork(x,x,x):loc_9AC036j
		cmp	esi, eax
		jnz	short loc_9AC012
		jmp	short loc_9AC055
; 

loc_9AC052:				; CODE XREF: PopProcessWakeSourceWork(x,x,x)+72j
		mov	[ebp+var_C], edi

loc_9AC055:				; CODE XREF: PopProcessWakeSourceWork(x,x,x)+3Cj
					; PopProcessWakeSourceWork(x,x,x)+7Ej
		xor	ecx, ecx
		call	_PopNewWakeSource@4 ; PopNewWakeSource(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9AC069
		mov	edi, 0C000009Ah
		jmp	short loc_9AC095
; 

loc_9AC069:				; CODE XREF: PopProcessWakeSourceWork(x,x,x)+8Ej
		mov	eax, [ebp+var_8]
		add	ebx, 14h
		mov	[esi+24h], eax
		push	206D654Dh
		movzx	eax, word ptr [ebx]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+10h], eax
		test	eax, eax
		jnz	short loc_9AC09B
		mov	ecx, esi
		mov	edi, 0C000009Ah
		call	_PopFreeWakeSource@4 ; PopFreeWakeSource(x)

loc_9AC095:				; CODE XREF: PopProcessWakeSourceWork(x,x,x)+62j
					; PopProcessWakeSourceWork(x,x,x)+95j
		xor	eax, eax
		xor	esi, esi
		jmp	short loc_9AC0CB
; 

loc_9AC09B:				; CODE XREF: PopProcessWakeSourceWork(x,x,x)+B5j
		mov	ax, [ebx]
		mov	[esi+0Eh], ax
		lea	eax, [esi+0Ch]
		push	ebx
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	edi, [ebp+var_10]
		lea	ecx, [esi+14h]
		push	edi
		push	9
		pop	edx
		call	_PopWakeSourceGetDeviceProperty@12 ; PopWakeSourceGetDeviceProperty(x,x,x)
		push	edi
		lea	ecx, [esi+1Ch]
		xor	edx, edx
		call	_PopWakeSourceGetDeviceProperty@12 ; PopWakeSourceGetDeviceProperty(x,x,x)
		xor	edi, edi
		mov	eax, [ebp+var_C]

loc_9AC0CB:				; CODE XREF: PopProcessWakeSourceWork(x,x,x)+C7j
		mov	ecx, [ebp+var_14]
		mov	[ecx], esi
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopProcessWakeSourceWork@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopUnlinkWakeSources(x)
_PopUnlinkWakeSources@4	proc near	; CODE XREF: PopHandleWakeSources+715Bp
					; PopFreeWakeInfo(x)+8p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+0Ch]

loc_9AC0E7:				; CODE XREF: PopUnlinkWakeSources(x)+28j
		mov	ecx, [esi]
		cmp	ecx, esi
		jz	short loc_9AC10D
		cmp	[ecx+4], esi
		jnz	short loc_9AC108
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_9AC108
		mov	[esi], eax
		mov	[eax+4], esi
		call	_PopFreeWakeSource@4 ; PopFreeWakeSource(x)
		dec	dword ptr [edi+14h]
		jmp	short loc_9AC0E7
; 

loc_9AC108:				; CODE XREF: PopUnlinkWakeSources(x)+12j
					; PopUnlinkWakeSources(x)+19j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9AC10D:				; CODE XREF: PopUnlinkWakeSources(x)+Dj
		pop	edi
		pop	esi
		retn
_PopUnlinkWakeSources@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWakeSourceGetDeviceProperty(x, x, x)
_PopWakeSourceGetDeviceProperty@12 proc	near
					; CODE XREF: PopProcessWakeSourceWork(x,x,x)+E4p
					; PopProcessWakeSourceWork(x,x,x)+EFp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		mov	ebx, ecx
		push	eax
		xor	ecx, ecx
		mov	edi, edx
		push	ecx
		push	ecx
		push	edi
		push	[ebp+arg_0]
		mov	[ebp+var_4], ecx
		call	IoGetDeviceProperty
		cmp	eax, 0C0000023h
		jnz	short loc_9AC19A
		push	206D654Dh
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9AC19A
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	[ebp+var_4]
		push	edi
		push	[ebp+arg_0]
		call	IoGetDeviceProperty
		test	eax, eax
		js	short loc_9AC18B
		mov	ax, word ptr [ebp+var_4]
		mov	ecx, esi
		mov	[ebx+2], ax
		xor	edi, edi
		lea	edx, [ecx+2]

loc_9AC171:				; CODE XREF: PopWakeSourceGetDeviceProperty(x,x,x)+6Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_9AC171
		sub	ecx, edx
		mov	[ebx+4], esi
		sar	ecx, 1
		mov	esi, edi
		lea	eax, [ecx+ecx]
		mov	[ebx], ax

loc_9AC18B:				; CODE XREF: PopWakeSourceGetDeviceProperty(x,x,x)+50j
		test	esi, esi
		jz	short loc_9AC19A
		push	206D654Dh
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9AC19A:				; CODE XREF: PopWakeSourceGetDeviceProperty(x,x,x)+26j
					; PopWakeSourceGetDeviceProperty(x,x,x)+3Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopWakeSourceGetDeviceProperty@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopWakeSourceIsChild(x, x)
_PopWakeSourceIsChild@8	proc near	; CODE XREF: PopProcessWakeSourceWork(x,x,x)+6Bp
		mov	eax, [ecx+8]
		push	esi
		push	edi
		mov	edi, edx
		jmp	short loc_9AC1CB
; 

loc_9AC1AA:				; CODE XREF: PopWakeSourceIsChild(x,x)+38j
		movzx	eax, word ptr [esi+14h]
		cmp	ax, [edi]
		jnz	short loc_9AC1C8
		shr	eax, 1
		push	eax		; size_t
		push	dword ptr [edi+4] ; wchar_t *
		push	dword ptr [esi+18h] ; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9AC1E0

loc_9AC1C8:				; CODE XREF: PopWakeSourceIsChild(x,x)+10j
		mov	eax, [esi+8]

loc_9AC1CB:				; CODE XREF: PopWakeSourceIsChild(x,x)+7j
		mov	esi, eax
		sub	esi, _IopRootDeviceNode
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jnz	short loc_9AC1AA
		xor	al, al

loc_9AC1DD:				; CODE XREF: PopWakeSourceIsChild(x,x)+41j
		pop	edi
		pop	esi
		retn
; 

loc_9AC1E0:				; CODE XREF: PopWakeSourceIsChild(x,x)+25j
		mov	al, 1
		jmp	short loc_9AC1DD
_PopWakeSourceIsChild@8	endp


;  S U B	R O U T	I N E 


; __stdcall PopWakeSourceIsParent(x, x)
_PopWakeSourceIsParent@8 proc near	; CODE XREF: PopProcessWakeSourceWork(x,x,x)+54p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_9AC24B

loc_9AC1F4:				; CODE XREF: PopWakeSourceIsParent(x,x)+17j
		mov	esi, eax
		mov	eax, [eax+4]
		test	eax, eax
		jnz	short loc_9AC1F4

loc_9AC1FD:				; CODE XREF: PopWakeSourceIsParent(x,x)+65j
		movzx	eax, word ptr [esi+14h]
		cmp	ax, [edi]
		jnz	short loc_9AC21B
		shr	eax, 1
		push	eax		; size_t
		push	dword ptr [edi+4] ; wchar_t *
		push	dword ptr [esi+18h] ; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9AC251

loc_9AC21B:				; CODE XREF: PopWakeSourceIsParent(x,x)+20j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_9AC22C

loc_9AC221:				; CODE XREF: PopWakeSourceIsParent(x,x)+44j
		mov	esi, eax
		mov	eax, [eax+4]
		test	eax, eax
		jnz	short loc_9AC221
		jmp	short loc_9AC247
; 

loc_9AC22C:				; CODE XREF: PopWakeSourceIsParent(x,x)+3Bj
		mov	eax, [esi+8]
		mov	ecx, eax
		sub	ecx, _IopRootDeviceNode
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	esi, ecx
		sub	esi, ebx
		neg	esi
		sbb	esi, esi
		and	esi, ecx

loc_9AC247:				; CODE XREF: PopWakeSourceIsParent(x,x)+46j
		test	esi, esi
		jnz	short loc_9AC1FD

loc_9AC24B:				; CODE XREF: PopWakeSourceIsParent(x,x)+Ej
		xor	al, al

loc_9AC24D:				; CODE XREF: PopWakeSourceIsParent(x,x)+6Fj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_9AC251:				; CODE XREF: PopWakeSourceIsParent(x,x)+35j
		mov	al, 1
		jmp	short loc_9AC24D
_PopWakeSourceIsParent@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopWakeSourceSize(x)
_PopWakeSourceSize@4 proc near		; CODE XREF: PopGetWakeSource+A6ADAp
					; PopCopyWakeSource(x,x,x)+Cp
		mov	edx, [ecx+8]
		xor	eax, eax
		test	edx, edx
		jz	short loc_9AC284
		cmp	edx, 1
		jz	short loc_9AC26F
		jbe	short locret_9AC28B
		cmp	edx, 3
		jbe	short loc_9AC273
		cmp	edx, 4
		jnz	short locret_9AC28B

loc_9AC26F:				; CODE XREF: PopWakeSourceSize(x)+Cj
		push	0Ch
		jmp	short loc_9AC282
; 

loc_9AC273:				; CODE XREF: PopWakeSourceSize(x)+13j
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jz	short loc_9AC280
		mov	eax, [eax]
		add	eax, 8
		retn
; 

loc_9AC280:				; CODE XREF: PopWakeSourceSize(x)+23j
		push	20h

loc_9AC282:				; CODE XREF: PopWakeSourceSize(x)+1Cj
		pop	eax
		retn
; 

loc_9AC284:				; CODE XREF: PopWakeSourceSize(x)+7j
		movzx	eax, word ptr [ecx+0Ch]
		add	eax, 0Ah

locret_9AC28B:				; CODE XREF: PopWakeSourceSize(x)+Ej
					; PopWakeSourceSize(x)+18j
		retn
_PopWakeSourceSize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopReadPagesFromHiberFile(x, x, x)
_PopReadPagesFromHiberFile@12 proc near	; CODE XREF: PopPowerInformationInternal+171B02p
					; PopReadResumeContext(x,x)+2Cp ...

var_5C		= dword	ptr -5Ch
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	4Ch
		push	offset dword_6A8DE0
		call	__SEH_prolog4
		mov	[ebp+var_28], ecx
		xor	ebx, ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		xor	eax, eax
		lea	edi, [ebp+var_5C]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_24], ebx
		mov	edi, ebx
		mov	[ebp+var_1D], bl
		cmp	byte_6C2E28, bl
		jz	loc_9AC444
		mov	eax, _PopHiberInfo
		cmp	eax, 0FFFFFFFFh
		jz	loc_9AC444
		test	eax, eax
		jz	loc_9AC444
		mov	eax, dword_6C24A4
		cmp	eax, 0FFFFFFFFh
		jz	loc_9AC444
		test	eax, eax
		jz	loc_9AC444
		mov	eax, dword_6C24AC
		mov	[ebp+var_2C], eax
		mov	ecx, 1000h
		cmp	eax, ebx
		ja	short loc_9AC315
		cmp	dword_6C24A8, ecx
		jb	loc_9AC444

loc_9AC315:				; CODE XREF: PopReadPagesFromHiberFile(x,x,x)+7Bj
		mov	eax, edx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_24]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9AC449
		push	ecx
		push	ecx
		push	ebx
		push	[ebp+var_28]
		lea	ecx, [ebp+var_3C]
		call	_RtlLongLongMult@20 ; RtlLongLongMult(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9AC449
		push	ebx
		push	[ebp+var_24]
		push	[ebp+var_38]
		push	[ebp+var_3C]
		lea	ecx, [ebp+var_44]
		call	_RtlLongLongAdd@20 ; RtlLongLongAdd(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9AC449
		mov	eax, [ebp+var_2C]
		cmp	[ebp+var_40], eax
		jb	short loc_9AC380
		ja	short loc_9AC376
		mov	eax, [ebp+var_44]
		cmp	eax, dword_6C24A8
		jbe	short loc_9AC380

loc_9AC376:				; CODE XREF: PopReadPagesFromHiberFile(x,x,x)+DDj
		mov	esi, 0C0000011h
		jmp	loc_9AC449
; 

loc_9AC380:				; CODE XREF: PopReadPagesFromHiberFile(x,x,x)+DBj
					; PopReadPagesFromHiberFile(x,x,x)+E8j
		push	206D654Dh
		push	[ebp+var_24]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		test	ecx, ecx
		jnz	short loc_9AC3A4
		mov	esi, 0C0000017h
		jmp	loc_9AC449
; 

loc_9AC3A4:				; CODE XREF: PopReadPagesFromHiberFile(x,x,x)+10Cj
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_24]
		push	ecx
		call	IoAllocateMdl
		mov	edi, eax
		mov	[ebp+var_2C], edi
		test	edi, edi
		jnz	short loc_9AC3C3
		mov	esi, 0C000009Ah
		jmp	loc_9AC449
; 

loc_9AC3C3:				; CODE XREF: PopReadPagesFromHiberFile(x,x,x)+12Bj
		mov	[ebp+ms_exc.disabled], ebx
		push	ebx
		push	ebx
		push	edi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9AC3F7
; 

loc_9AC3D7:				; DATA XREF: .text:006A8DF4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9AC3E5:				; DATA XREF: .text:006A8DF8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_30]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, [ebp+var_2C]

loc_9AC3F7:				; CODE XREF: PopReadPagesFromHiberFile(x,x,x)+149j
		test	esi, esi
		js	short loc_9AC449
		mov	[ebp+var_1D], 1
		push	ebx
		push	ebx
		lea	eax, [ebp+var_5C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_4C]
		push	eax
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	edi
		push	dword_6C24A4
		call	_IoPageRead@20	; IoPageRead(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_9AC449
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_5C]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, eax
		test	esi, esi
		js	short loc_9AC449
		mov	esi, [ebp+var_4C]
		jmp	short loc_9AC449
; 

loc_9AC444:				; CODE XREF: PopReadPagesFromHiberFile(x,x,x)+3Aj
					; PopReadPagesFromHiberFile(x,x,x)+48j	...
		mov	esi, 0C00000BBh

loc_9AC449:				; CODE XREF: PopReadPagesFromHiberFile(x,x,x)+9Bj
					; PopReadPagesFromHiberFile(x,x,x)+B3j	...
		cmp	[ebp+var_1D], 0
		jz	short loc_9AC455
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_9AC455:				; CODE XREF: PopReadPagesFromHiberFile(x,x,x)+1C1j
		test	edi, edi
		jz	short loc_9AC45F
		push	edi
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_9AC45F:				; CODE XREF: PopReadPagesFromHiberFile(x,x,x)+1CBj
		test	esi, esi
		jns	short loc_9AC479
		mov	edi, [ebp+arg_0]
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_9AC479
		push	206D654Dh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[edi], ebx

loc_9AC479:				; CODE XREF: PopReadPagesFromHiberFile(x,x,x)+1D5j
					; PopReadPagesFromHiberFile(x,x,x)+1DEj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopReadPagesFromHiberFile@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopReadResumeContext(x, x)
_PopReadResumeContext@8	proc near	; CODE XREF: PopPowerInformationInternal+171AAFp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_18], ecx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_10], eax
		mov	edi, eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], eax
		xor	edx, edx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_4], ebx
		push	eax
		inc	edx
		mov	[ebp+var_C], edi
		xor	ecx, ecx
		call	_PopReadPagesFromHiberFile@12 ;	PopReadPagesFromHiberFile(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9AC58D
		mov	ebx, [ebp+var_10]
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_9AC4FE
		cmp	eax, 52424948h
		jz	short loc_9AC4FE
		cmp	eax, 52545352h
		jz	short loc_9AC4FE
		cmp	eax, 454B4157h
		jz	short loc_9AC4FE
		cmp	eax, 504B5242h
		jz	short loc_9AC4FE
		cmp	eax, 4D524F48h
		jz	short loc_9AC4FE

loc_9AC4F4:				; CODE XREF: PopReadResumeContext(x,x)+79j
					; PopReadResumeContext(x,x)+B0j ...
		mov	esi, 0C0000229h
		jmp	loc_9AC58A
; 

loc_9AC4FE:				; CODE XREF: PopReadResumeContext(x,x)+42j
					; PopReadResumeContext(x,x)+49j ...
		mov	edx, [ebx+2D8h]
		test	edx, edx
		jz	short loc_9AC4F4
		lea	eax, [ebp+var_C]
		push	eax
		push	2
		pop	ecx
		call	_PopReadPagesFromHiberFile@12 ;	PopReadPagesFromHiberFile(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9AC587
		mov	eax, [ebx+2D8h]
		mov	ecx, 1000h
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9AC587
		mov	edi, [ebp+var_C]
		cmp	dword ptr [edi], 1
		jnz	short loc_9AC4F4
		mov	ebx, [edi+4]
		cmp	ebx, [ebp+var_8]
		ja	short loc_9AC4F4
		mov	eax, [edi+8]
		push	28h
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_14]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9AC58A
		cmp	[ebp+var_14], ebx
		ja	short loc_9AC4F4
		mov	eax, [ebp+var_8]
		sub	eax, ebx
		push	eax		; size_t
		lea	eax, [ebx+edi]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ebx, [ebp+var_4]
		add	esp, 0Ch
		mov	ecx, [ebp+var_18]
		mov	eax, [edi+4]
		mov	[ebx], edi
		mov	[ecx], eax
		jmp	short loc_9AC58D
; 

loc_9AC587:				; CODE XREF: PopReadResumeContext(x,x)+8Bj
					; PopReadResumeContext(x,x)+A8j
		mov	edi, [ebp+var_C]

loc_9AC58A:				; CODE XREF: PopReadResumeContext(x,x)+6Cj
					; PopReadResumeContext(x,x)+D0j
		mov	ebx, [ebp+var_4]

loc_9AC58D:				; CODE XREF: PopReadResumeContext(x,x)+35j
					; PopReadResumeContext(x,x)+F8j
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_9AC59F
		push	206D654Dh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9AC59F:				; CODE XREF: PopReadResumeContext(x,x)+105j
		test	esi, esi
		jns	short loc_9AC5BB
		test	edi, edi
		jz	short loc_9AC5B2
		push	206D654Dh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9AC5B2:				; CODE XREF: PopReadResumeContext(x,x)+118j
		mov	eax, [ebp+var_18]
		and	dword ptr [ebx], 0
		and	dword ptr [eax], 0

loc_9AC5BB:				; CODE XREF: PopReadResumeContext(x,x)+114j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PopReadResumeContext@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetHiberFileSize(x, x)
_PopSetHiberFileSize@8 proc near	; CODE XREF: NtPowerInformation+171EB8p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		xor	eax, eax
		mov	[esp+14h+var_10], eax
		mov	[esp+14h+var_C], eax
		mov	[esp+14h+var_14], eax
		mov	[esp+14h+var_8], eax
		mov	[esp+14h+var_4], eax
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		cmp	ecx, 64h
		ja	loc_9AC6A5
		mov	edi, ds:_PopHiberFileSizePercent
		xor	edx, edx
		mov	ds:_PopHiberFileSizePercent, ecx
		lea	ecx, [esp+20h+var_10]
		call	_PopCalculateHiberFileSize@8 ; PopCalculateHiberFileSize(x,x)
		push	[esp+20h+var_C]
		xor	edx, edx
		xor	ecx, ecx
		push	[esp+24h+var_10]
		call	PopValidateHiberFileSize
		mov	esi, eax
		test	esi, esi
		jns	short loc_9AC629

loc_9AC61E:				; CODE XREF: PopSetHiberFileSize(x,x)+7Ej
					; PopSetHiberFileSize(x,x)+97j	...
		mov	ds:_PopHiberFileSizePercent, edi
		jmp	loc_9AC6AA
; 

loc_9AC629:				; CODE XREF: PopSetHiberFileSize(x,x)+5Aj
		cmp	ds:_PopHiberFileSizePercent, 28h
		jb	short loc_9AC642
		push	2
		xor	edx, edx
		pop	ecx
		call	_PopSetHiberFileType@8 ; PopSetHiberFileType(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9AC61E

loc_9AC642:				; CODE XREF: PopSetHiberFileSize(x,x)+6Ej
		push	20006h
		mov	edx, offset _PopControlRegKey
		lea	ecx, [esp+24h+var_14]
		call	_PopOpenKey@12	; PopOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9AC61E
		push	(offset	loc_428503+1)
		lea	eax, [esp+24h+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		push	offset _PopHiberFileSizePercent
		push	4
		push	0
		lea	eax, [esp+30h+var_8]
		push	eax
		push	[esp+34h+var_14]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[esp+20h+var_14]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_9AC61E
		test	ebx, ebx
		jz	short loc_9AC6AA
		mov	eax, [esp+20h+var_10]
		mov	[ebx], eax
		mov	eax, [esp+20h+var_C]
		mov	[ebx+4], eax
		jmp	short loc_9AC6AA
; 

loc_9AC6A5:				; CODE XREF: PopSetHiberFileSize(x,x)+28j
		mov	esi, 0C000000Dh

loc_9AC6AA:				; CODE XREF: PopSetHiberFileSize(x,x)+62j
					; PopSetHiberFileSize(x,x)+D2j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopSetHiberFileSize@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetHiberFileType(x, x)
_PopSetHiberFileType@8 proc near	; CODE XREF: NtPowerInformation+171EDDp
					; PopSetHiberFileSize(x,x)+75p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		xor	eax, eax
		cmp	ds:_PopHiberFileSizePercent, 28h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[esp+20h+var_10], eax
		mov	[esp+20h+var_C], eax
		mov	[esp+20h+var_14], eax
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_4], eax
		jb	short loc_9AC6EB
		cmp	ecx, 2
		jnz	loc_9AC79A

loc_9AC6EB:				; CODE XREF: PopSetHiberFileType(x,x)+2Dj
		lea	eax, [ecx-1]
		cmp	eax, 1
		ja	loc_9AC79A
		mov	edi, ds:_PopHiberFileType
		xor	edx, edx
		mov	ds:_PopHiberFileType, ecx
		lea	ecx, [esp+20h+var_10]
		call	_PopCalculateHiberFileSize@8 ; PopCalculateHiberFileSize(x,x)
		push	[esp+20h+var_C]
		xor	edx, edx
		xor	ecx, ecx
		push	[esp+24h+var_10]
		call	PopValidateHiberFileSize
		mov	esi, eax
		test	esi, esi
		jns	short loc_9AC72D

loc_9AC725:				; CODE XREF: PopSetHiberFileType(x,x)+91j
					; PopSetHiberFileType(x,x)+C8j
		mov	ds:_PopHiberFileType, edi
		jmp	short loc_9AC79F
; 

loc_9AC72D:				; CODE XREF: PopSetHiberFileType(x,x)+70j
		push	20006h
		mov	edx, offset _PopControlRegKey
		lea	ecx, [esp+24h+var_14]
		call	_PopOpenKey@12	; PopOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9AC725
		push	offset _PopHiberFileTypeRegName
		lea	eax, [esp+24h+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		push	offset _PopHiberFileType
		push	4
		push	0
		lea	eax, [esp+30h+var_8]
		push	eax
		push	[esp+34h+var_14]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[esp+20h+var_14]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_9AC725
		mov	eax, ds:_PopHiberFileType
		mov	ds:_PopHiberFileTypeReg, eax
		test	ebx, ebx
		jz	short loc_9AC79F
		mov	eax, [esp+20h+var_10]
		mov	[ebx], eax
		mov	eax, [esp+20h+var_C]
		mov	[ebx+4], eax
		jmp	short loc_9AC79F
; 

loc_9AC79A:				; CODE XREF: PopSetHiberFileType(x,x)+32j
					; PopSetHiberFileType(x,x)+3Ej
		mov	esi, 0C000000Dh

loc_9AC79F:				; CODE XREF: PopSetHiberFileType(x,x)+78j
					; PopSetHiberFileType(x,x)+D6j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopSetHiberFileType@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopZeroHiberFile(x,	x)
_PopZeroHiberFile@8 proc near		; CODE XREF: PAGELK:0071ED21p
					; PopEnableHiberFile(x,x)+FBp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_30], 0
		xor	eax, eax
		and	[ebp+var_2C], 0
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_20]
		push	6
		pop	ecx
		rep stosd
		mov	ebx, edx
		call	_PopDiagTraceZeroHiberFile@0 ; PopDiagTraceZeroHiberFile()
		push	5
		push	18h
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		test	eax, eax
		js	short loc_9AC846
		mov	edx, [ebp+var_1C]
		xor	edi, edi
		mov	[ebp+var_28], edi
		mov	ecx, edi
		mov	[ebp+var_24], edi
		mov	esi, edi

loc_9AC7FD:				; CODE XREF: PopZeroHiberFile(x,x)+95j
					; PopZeroHiberFile(x,x)+9Cj
		mov	eax, [ebp+var_20]
		sub	eax, ecx
		mov	ecx, ebx
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_38]
		sbb	edx, esi
		mov	esi, 10000h
		push	esi
		mov	[ebp+var_34], edx
		lea	edx, [ebp+var_28]
		push	eax
		call	MmZeroPageWrite
		test	eax, eax
		jns	short loc_9AC846
		mov	ecx, [ebp+var_28]
		mov	edx, [ebp+var_1C]
		and	ecx, 0FFFF0000h
		add	ecx, esi
		mov	esi, [ebp+var_24]
		mov	[ebp+var_28], ecx
		adc	esi, edi
		mov	[ebp+var_24], esi
		cmp	esi, edx
		jl	short loc_9AC7FD
		jg	short loc_9AC846
		cmp	ecx, [ebp+var_20]
		jb	short loc_9AC7FD

loc_9AC846:				; CODE XREF: PopZeroHiberFile(x,x)+44j
					; PopZeroHiberFile(x,x)+78j ...
		call	_PopDiagTraceZeroHiberFileEnd@0	; PopDiagTraceZeroHiberFileEnd()
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopZeroHiberFile@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoEndPartitionReplace(x, x)
_PoEndPartitionReplace@8 proc near	; CODE XREF: PnprWakeDevices(x)+33p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	[ebp+var_4], edx
		lea	edx, [ebp+var_4]
		mov	dword ptr [ecx+10h], 0Bh
		call	PopDispatchStateCallout
		leave
		retn
_PoEndPartitionReplace@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1732. PoShutdownBugCheck

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoShutdownBugCheck(x, x, x,	x, x, x)
		public _PoShutdownBugCheck@24
_PoShutdownBugCheck@24 proc near	; CODE XREF: ExpSystemErrorHandler(x,x,x,x,x)+62Bp
					; PoInitHiberServices+A1F18p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		cmp	ds:_PopCriticalShutdownInProgress, 0
		push	ebx
		push	esi
		push	edi
		push	0
		pop	ebx
		jz	short loc_9AC8A6
		or	[ebp+var_4], 0FFFFFFFFh
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	ebx
		mov	[ebp+var_8], 0EE1E5D00h
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)

loc_9AC8A6:				; CODE XREF: PoShutdownBugCheck(x,x,x,x,x,x)+15j
		push	ebx
		xor	edx, edx
		xor	ecx, ecx
		call	@PopInternalAddToDumpFile@12 ; PopInternalAddToDumpFile(x,x,x)
		cmp	[ebp+arg_0], 0
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+var_28], eax
		jnz	short loc_9AC8D1
		xor	dl, dl
		mov	[ebp+var_28], ebx
		xor	ecx, ecx
		call	IoConfigureCrashDump

loc_9AC8D1:				; CODE XREF: PoShutdownBugCheck(x,x,x,x,x,x)+4Aj
		mov	eax, large fs:124h
		mov	[ebp+var_2C], eax
		call	_PsGetCurrentThreadId@0	; PsGetCurrentThreadId()
		mov	[ebp+var_24], eax
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		mov	ebx, [ebp+arg_C]
		mov	edi, [ebp+arg_10]
		mov	esi, [ebp+arg_14]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_4]
		push	0
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_8]
		push	0C0000004h
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_2C]
		push	4
		push	5
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], esi
		mov	dword_6C26F0, eax
		call	_ZwInitiatePowerAction@16 ; ZwInitiatePowerAction(x,x,x,x)
		push	esi
		push	edi
		push	ebx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall PoStartPartitionReplace(x, x)
_PoStartPartitionReplace@8:		; CODE XREF: PnprQuiesceDevices(x)+98p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		lea	edx, [ebp+var_4]
		mov	dword ptr [esi+10h], 0Ah
		call	PopDispatchStateCallout
		xor	edx, edx
		mov	dword ptr [esi+10h], 9
		mov	ecx, esi
		call	PopDispatchStateCallout
		pop	esi
		leave
		retn
_PoShutdownBugCheck@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCriticalShutdown(x)
_PopCriticalShutdown@4 proc near	; CODE XREF: PopCheckAndHandleThermalConditions+82ABFp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		mov	[ebp+var_C], 6
		mov	[ebp+var_4], eax
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_14], eax
		xor	edx, edx
		mov	[ebp+var_10], eax
		inc	eax
		push	eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_8], 0C0000004h
		mov	[ebp+var_18], 80h
		mov	ds:_PopCriticalShutdownInProgress, al
		lea	eax, [ebp+var_C]
		push	5
		push	eax
		call	PopExecutePowerAction
		leave
		retn
_PopCriticalShutdown@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetAwayModeStatus(x)
_PopSetAwayModeStatus@4	proc near	; CODE XREF: PopSetSystemAwayMode(x)+9Cp
					; PopSetSystemAwayMode(x)+B2p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, offset _GUID_SYSTEM_AWAYMODE
		lea	edi, [ebp+var_18]
		xor	eax, eax
		mov	bl, cl
		test	bl, bl
		movsd
		setnz	al
		mov	[ebp+var_1C], eax
		xor	ecx, ecx
		movsd
		movsd
		movsd
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	14h
		pop	edx
		call	_PopBroadcastSessionInfo@12 ; PopBroadcastSessionInfo(x,x,x)
		lea	eax, [ebp+var_1C]
		mov	ecx, offset _GUID_SYSTEM_AWAYMODE ; int
		push	eax		; void *
		push	4
		pop	edx
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		mov	byte_6C2D11, bl
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopSetAwayModeStatus@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetSystemAwayMode(x)
_PopSetSystemAwayMode@4	proc near	; CODE XREF: PopIssueActionRequest+A77FDp
					; DATA XREF: .text:00403CD0o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		cmp	[ebp+arg_0], esi
		jz	loc_9ACAA8
		cmp	byte_6C2D11, 0
		jz	short loc_9ACA2C

loc_9ACA25:				; CODE XREF: PopSetSystemAwayMode(x)+AAj
		xor	esi, esi
		jmp	loc_9ACAC9
; 

loc_9ACA2C:				; CODE XREF: PopSetSystemAwayMode(x)+1Ej
		cmp	byte_6C2D10, 0
		jnz	short loc_9ACA3F
		mov	esi, 0C000000Dh
		jmp	loc_9ACAC9
; 

loc_9ACA3F:				; CODE XREF: PopSetSystemAwayMode(x)+2Ej
		mov	edi, offset _PopUserPresentCompletedEvent
		push	edi
		call	_KeResetEvent@4	; KeResetEvent(x)
		xor	eax, eax
		mov	ebx, offset unk_6C2D14
		inc	eax
		xchg	eax, [ebx]
		xor	ecx, ecx
		mov	edx, offset _PopUserPresentSetStatus
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_9ACA6F
		push	esi
		push	esi
		push	esi
		push	esi
		push	edi
		call	KeWaitForSingleObject

loc_9ACA6F:				; CODE XREF: PopSetSystemAwayMode(x)+5Ej
		push	ebx
		push	offset _PopAwayModeUserPresenceDpc@16 ;	PopAwayModeUserPresenceDpc(x,x,x,x)
		mov	edi, offset _PopAwayModeUserPresenceDpcObject
		push	edi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	0FFFFFFFFh
		push	0FE363C80h
		push	edi
		push	esi
		xor	edx, edx
		mov	ecx, offset _PopAwayModeUserPresenceTimer
		call	KiSetTimerEx
		mov	ecx, offset _POP_ETW_EVENT_AWAYMODE
		call	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
		mov	cl, 1
		call	_PopSetAwayModeStatus@4	; PopSetAwayModeStatus(x)
		jmp	short loc_9ACAC9
; 

loc_9ACAA8:				; CODE XREF: PopSetSystemAwayMode(x)+11j
		cmp	byte_6C2D11, 0
		jz	loc_9ACA25
		xor	cl, cl
		call	_PopSetAwayModeStatus@4	; PopSetAwayModeStatus(x)
		push	_PopAwaymodeExitReason
		xor	cl, cl
		call	PopNotifyConsoleUserPresent

loc_9ACAC9:				; CODE XREF: PopSetSystemAwayMode(x)+22j
					; PopSetSystemAwayMode(x)+35j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_PopSetSystemAwayMode@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopStartStopTtmSxTranstion(x)
_PopStartStopTtmSxTranstion@4 proc near	; CODE XREF: PoTtmInitiatePowerStateTransition(x,x)+5Ap

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		test	cl, cl
		jz	short loc_9ACB23
		cmp	_PopTtmIsSxTransitionInProgress, 0
		jnz	short loc_9ACB38
		xor	eax, eax
		mov	[ebp+var_1C], 5
		inc	eax
		mov	[ebp+var_18], 80h
		push	eax
		mov	[ebp+var_8], eax
		lea	ecx, [ebp+var_1C]
		push	4
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], 2
		push	eax
		xor	edx, edx
		call	PopExecutePowerAction
		jmp	short loc_9ACB38
; 

loc_9ACB23:				; CODE XREF: PopStartStopTtmSxTranstion(x)+16j
		cmp	_PopTtmIsSxTransitionInProgress, 0
		jz	short loc_9ACB38
		mov	_PopTtmIsSxCompleteNotificationPending,	1
		mov	esi, 103h

loc_9ACB38:				; CODE XREF: PopStartStopTtmSxTranstion(x)+1Fj
					; PopStartStopTtmSxTranstion(x)+4Dj ...
		mov	eax, esi
		pop	esi
		leave
		retn
_PopStartStopTtmSxTranstion@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopBroadcastLegacyLidSwitchChangeCallback(void *,int,int,int)
_PopBroadcastLegacyLidSwitchChangeCallback@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	10h		; size_t
		push	[ebp+arg_0]	; void *
		xor	esi, esi
		push	offset _GUID_LIDSWITCH_STATE_CHANGE ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9ACB79
		cmp	[ebp+arg_8], 4
		jnz	short loc_9ACB79
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_9ACB79
		push	dword ptr [eax]
		push	4
		push	_ExCbPowerState
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)
		jmp	short loc_9ACB7E
; 

loc_9ACB79:				; CODE XREF: PopBroadcastLegacyLidSwitchChangeCallback(x,x,x,x)+1Cj
					; PopBroadcastLegacyLidSwitchChangeCallback(x,x,x,x)+22j ...
		mov	esi, 0C000000Dh

loc_9ACB7E:				; CODE XREF: PopBroadcastLegacyLidSwitchChangeCallback(x,x,x,x)+3Aj
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
_PopBroadcastLegacyLidSwitchChangeCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNotifyLidStateChange(x)
_PopNotifyLidStateChange@4 proc	near	; CODE XREF: PdcPoReportLidState(x)+Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	_PopErrataReportingIncorrectLidState, 0
		push	ebx
		mov	bl, cl
		jnz	short loc_9ACBB9
		cmp	_PopLidOpened, bl
		jz	short loc_9ACBB9
		mov	_PopLidOpened, bl
		test	bl, bl
		jnz	short loc_9ACBB9
		cmp	_PopPlatformAoAc, cl
		jz	short loc_9ACBB9
		push	4
		pop	ecx
		call	_PopPowerAggregatorForceSessionSwitch@4	; PopPowerAggregatorForceSessionSwitch(x)

loc_9ACBB9:				; CODE XREF: PopNotifyLidStateChange(x)+10j
					; PopNotifyLidStateChange(x)+18j ...
		xor	eax, eax
		mov	ecx, offset _GUID_LIDSWITCH_STATE_CHANGE ; int
		test	bl, bl
		setnz	al
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax		; void *
		push	4
		pop	edx
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		pop	ebx
		leave
		retn
_PopNotifyLidStateChange@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopUserShutdownDelayWorkerCallback(x)
_PopUserShutdownDelayWorkerCallback@4 proc near	; DATA XREF: PoUserShutdownInitiated+69o
		xor	eax, eax
		mov	ecx, offset _PopUserShutdown
		xchg	eax, [ecx]
		xor	cl, cl
		call	_PopUserShutdownCancelled@4 ; PopUserShutdownCancelled(x)
		retn	4
_PopUserShutdownDelayWorkerCallback@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoThermalCounterSetCallback(x, x, x)
_PoThermalCounterSetCallback@12	proc near ; DATA XREF: ExpPcwHostCallback+1ACo

var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [esp+40h+var_14]
		mov	[esp+40h+var_28], ebx
		stosd
		mov	ecx, offset _PopPolicyDeviceLock
		mov	[esp+40h+var_2D], 0
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[esp+40h+var_2C], edi
		call	_PopAcquireRwLockShared@4 ; PopAcquireRwLockShared(x)
		mov	eax, [ebp+arg_0]
		dec	eax
		sub	eax, 1
		jz	short loc_9ACC5A
		sub	eax, 1
		jnz	loc_9ACD86
		mov	eax, [ebx+8]
		mov	edi, [ebx+14h]
		push	offset ??_C@_15EAECJAPL@?$AA?$CK?$AA?$DP@NNGAKEGL@ ; wchar_t *
		mov	[esp+44h+var_20], edi
		push	dword ptr [eax+4] ; wchar_t *
		call	_wcspbrk
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_9ACC66
		jmp	short loc_9ACC61
; 

loc_9ACC5A:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+46j
		mov	eax, [ebx+14h]
		mov	[esp+40h+var_20], eax

loc_9ACC61:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+6Ej
		mov	[esp+40h+var_2D], 1

loc_9ACC66:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+6Cj
		mov	esi, _PopThermal
		jmp	loc_9ACD6C
; 

loc_9ACC71:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+188j
		test	byte ptr [esi+21h], 2
		jz	loc_9ACD6A
		mov	ecx, [esi+18h]
		mov	edx, 6D546F50h
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_9ACC99
		mov	eax, [ebx+0B0h]
		mov	eax, [eax+14h]
		jmp	short loc_9ACC9B
; 

loc_9ACC99:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+A2j
		xor	eax, eax

loc_9ACC9B:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+ADj
		mov	[esp+40h+var_24], eax
		test	eax, eax
		jnz	short loc_9ACCB4
		mov	edx, 6D546F50h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		jmp	loc_9ACD6A
; 

loc_9ACCB4:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+B7j
		cmp	[esp+40h+var_2D], 0
		mov	ecx, [esp+40h+var_28]
		jnz	short loc_9ACCF7
		mov	edx, [eax+4Ch]
		mov	eax, [ecx+8]
		mov	eax, [eax+4]

loc_9ACCC8:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+FEj
		mov	di, [eax]
		cmp	di, [edx]
		jnz	short loc_9ACCEE
		test	di, di
		jz	short loc_9ACCEA
		mov	di, [eax+2]
		cmp	di, [edx+2]
		jnz	short loc_9ACCEE
		add	eax, 4
		add	edx, 4
		test	di, di
		jnz	short loc_9ACCC8

loc_9ACCEA:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+E9j
		xor	eax, eax
		jmp	short loc_9ACCF3
; 

loc_9ACCEE:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+E4j
					; PoThermalCounterSetCallback(x,x,x)+F3j
		sbb	eax, eax
		or	eax, 1

loc_9ACCF3:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+102j
		test	eax, eax
		jnz	short loc_9ACD56

loc_9ACCF7:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+D3j
		xor	eax, eax
		lea	edi, [esp+40h+var_14]
		cmp	[ebp+arg_0], 3
		stosd
		stosd
		stosd
		stosd
		jnz	short loc_9ACD1F
		push	dword ptr [ecx+4]
		lea	edx, [esp+44h+var_14]
		push	dword ptr [ecx]
		mov	ecx, esi
		call	_PopThermalReadCounters@16 ; PopThermalReadCounters(x,x,x,x)
		mov	[esp+40h+var_2C], eax
		test	eax, eax
		js	short loc_9ACD7A

loc_9ACD1F:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+11Bj
		mov	eax, [esi+178h]
		lea	ecx, [esp+40h+var_14]
		mov	[esp+40h+var_1C], ecx
		lea	ecx, [esp+40h+var_1C]
		push	ecx
		push	1
		push	eax
		mov	eax, [esp+4Ch+var_24]
		add	eax, 48h
		mov	[esp+4Ch+var_18], 10h
		push	eax
		push	[esp+50h+var_20]
		call	_PcwAddInstance@20 ; PcwAddInstance(x,x,x,x,x)
		mov	edi, eax
		mov	[esp+40h+var_2C], edi
		jmp	short loc_9ACD5A
; 

loc_9ACD56:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+10Bj
		mov	edi, [esp+40h+var_2C]

loc_9ACD5A:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+16Aj
		mov	edx, 6D546F50h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		test	edi, edi
		js	short loc_9ACD86

loc_9ACD6A:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+8Bj
					; PoThermalCounterSetCallback(x,x,x)+C5j
		mov	esi, [esi]

loc_9ACD6C:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+82j
		cmp	esi, offset _PopThermal
		jnz	loc_9ACC71
		jmp	short loc_9ACD86
; 

loc_9ACD7A:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+133j
		mov	edx, 6D546F50h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_9ACD86:				; CODE XREF: PoThermalCounterSetCallback(x,x,x)+4Bj
					; PoThermalCounterSetCallback(x,x,x)+17Ej ...
		mov	ecx, offset _PopPolicyDeviceLock
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)
		mov	ecx, [esp+40h+var_4]
		mov	eax, [esp+40h+var_2C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PoThermalCounterSetCallback@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopThermalProcessUsermodeEvent(x)
_PopThermalProcessUsermodeEvent@4 proc near ; CODE XREF: NtPowerInformation+17262Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		call	_PopDiagTraceUsermodeThermalEvent@4 ; PopDiagTraceUsermodeThermalEvent(x)
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_9ACE0C
		mov	cx, [ebx+0Ch]
		lea	edi, [ebx+0Eh]
		push	1
		push	dword ptr [ebx+8]
		mov	edx, edi
		call	_PopDiagTraceUsermodeTripPointExceeded@16 ; PopDiagTraceUsermodeTripPointExceeded(x,x,x,x)
		mov	cx, [ebx+0Ch]
		mov	edx, edi
		push	1
		push	dword ptr [ebx+4]
		push	dword ptr [ebx+8]
		call	_PopSqmThermalUsermodeEvent@20 ; PopSqmThermalUsermodeEvent(x,x,x,x,x)
		mov	ax, [ebx+0Ch]
		lea	edx, [ebx+4]
		add	ax, ax
		mov	[esp+18h+var_4], edi
		lea	ecx, [esp+18h+var_8]
		mov	word ptr [esp+18h+var_8], ax
		mov	word ptr [esp+18h+var_8+2], ax
		call	_PopThermalWriteShutdownToRegistry@8 ; PopThermalWriteShutdownToRegistry(x,x)
		jmp	short loc_9ACE47
; 

loc_9ACE0C:				; CODE XREF: PopThermalProcessUsermodeEvent(x)+19j
		cmp	eax, 1
		jnz	short loc_9ACE47
		mov	cx, [ebx+0Ch]
		lea	edx, [ebx+0Eh]
		push	0
		push	dword ptr [ebx+8]
		call	_PopDiagTraceUsermodeTripPointExceeded@16 ; PopDiagTraceUsermodeTripPointExceeded(x,x,x,x)
		mov	cx, [ebx+0Ch]
		lea	edx, [ebx+0Eh]
		push	0
		push	dword ptr [ebx+4]
		push	dword ptr [ebx+8]
		call	_PopSqmThermalUsermodeEvent@20 ; PopSqmThermalUsermodeEvent(x,x,x,x,x)
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	_PopThermalHibernateInitiated, 1
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_9ACE47:				; CODE XREF: PopThermalProcessUsermodeEvent(x)+62j
					; PopThermalProcessUsermodeEvent(x)+67j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopThermalProcessUsermodeEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopThermalReadCounters(x, x, x, x)
_PopThermalReadCounters@16 proc	near	; CODE XREF: PoThermalCounterSetCallback(x,x,x)+128p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		xor	esi, esi
		cmp	byte ptr [edi+0C4h], 0
		jnz	loc_9ACEFD
		mov	eax, [ebp+arg_0]
		and	eax, 9
		or	eax, esi
		jz	loc_9ACEFD
		mov	eax, large fs:124h
		lea	ebx, [edi+150h]
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[ebx+4], eax
		lea	eax, [edi+168h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		push	dword ptr [edi+1Ch]
		mov	[edi+50h], esi
		call	IoCancelIrp
		cmp	[ebx+4], esi
		jz	short loc_9ACEC0
		mov	[ebx+4], esi

loc_9ACEC0:				; CODE XREF: PopThermalReadCounters(x,x,x,x)+6Bj
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	esi
		push	esi
		push	esi
		push	esi
		lea	eax, [edi+168h]
		mov	[ebp+arg_0], eax
		lea	eax, [edi+158h]
		push	esi
		mov	[ebp+arg_4], eax
		lea	eax, [ebp+arg_0]
		push	1
		push	eax
		push	2
		call	KeWaitForMultipleObjects
		test	eax, eax
		jz	short loc_9ACEFD
		mov	esi, 0C0000001h
		jmp	short loc_9ACF5D
; 

loc_9ACEFD:				; CODE XREF: PopThermalReadCounters(x,x,x,x)+17j
					; PopThermalReadCounters(x,x,x,x)+25j ...
		mov	eax, large fs:124h
		lea	ebx, [edi+150h]
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	edx, edx
		mov	[ebx+4], eax
		mov	eax, [edi+60h]
		push	0Ah
		pop	ecx
		div	ecx
		mov	ecx, [ebp+var_4]
		mov	[ecx], eax
		mov	eax, [edi+60h]
		mov	[ecx+0Ch], eax
		mov	eax, [edi+30h]
		mov	[ecx+4], eax
		mov	eax, [edi+0B4h]
		mov	[ecx+8], eax
		cmp	[ebx+4], esi
		jz	short loc_9ACF4F
		mov	[ebx+4], esi

loc_9ACF4F:				; CODE XREF: PopThermalReadCounters(x,x,x,x)+FAj
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9ACF5D:				; CODE XREF: PopThermalReadCounters(x,x,x,x)+ABj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_PopThermalReadCounters@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopThermalZoneRemove(x)
_PopThermalZoneRemove@4	proc near	; DATA XREF: .data:006B2F2Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	dword ptr [esi+1Ch]
		mov	byte ptr [esi+22h], 1
		call	IoCancelIrp
		xor	ebx, ebx
		lea	eax, [esi+158h]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	eax
		call	KeWaitForSingleObject
		lea	edi, [esi+180h]
		cmp	[esi+71h], bl
		jz	short loc_9ACFAF
		mov	dl, [esi+30h]
		mov	ecx, edi
		call	_PopThermalUpdatePassiveTimeTracking@8 ; PopThermalUpdatePassiveTimeTracking(x,x)
		mov	ecx, esi
		call	PopTraceThermalZonePassiveHistogram

loc_9ACFAF:				; CODE XREF: PopThermalZoneRemove(x)+36j
		cmp	[esi+181h], bl
		jbe	short loc_9ACFC8
		mov	dl, [esi+25h]
		mov	ecx, edi
		call	_PopThermalUpdateActiveTimeTracking@8 ;	PopThermalUpdateActiveTimeTracking(x,x)
		mov	ecx, esi
		call	PopTraceThermalZoneActiveActivity

loc_9ACFC8:				; CODE XREF: PopThermalZoneRemove(x)+4Fj
		cmp	[esi+28h], bl
		jz	short loc_9AD026
		mov	ecx, [esi+18h]
		xor	edx, edx
		call	_PopDiagTraceThermalStandbyState@8 ; PopDiagTraceThermalStandbyState(x,x)
		mov	edi, offset _PopSystemThermalInfo
		mov	ecx, edi
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		mov	ecx, dword_6C1F90
		mov	edx, esi
		dec	dword_6C1F8C
		call	_PopTraceZoneCr3Mitigated@8 ; PopTraceZoneCr3Mitigated(x,x)
		cmp	dword_6C1F8C, ebx
		jnz	short loc_9AD01F
		mov	ecx, dword_6C1F90
		call	_PopTraceCr3Mitigated@4	; PopTraceCr3Mitigated(x)
		cmp	byte ptr word_6C1F88+1,	1
		jnz	short loc_9AD01F
		xor	cl, cl
		call	_PopThermalStandbyNotify@4 ; PopThermalStandbyNotify(x)
		mov	byte ptr word_6C1F88+1,	bl

loc_9AD01F:				; CODE XREF: PopThermalZoneRemove(x)+96j
					; PopThermalZoneRemove(x)+AAj
		mov	ecx, edi
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)

loc_9AD026:				; CODE XREF: PopThermalZoneRemove(x)+65j
		cmp	[esi+29h], bl
		jz	short loc_9AD034
		xor	dl, dl
		mov	ecx, esi
		call	_PopUpdateOverThrottledCount@8 ; PopUpdateOverThrottledCount(x,x)

loc_9AD034:				; CODE XREF: PopThermalZoneRemove(x)+C3j
		push	ebx
		push	1
		lea	ecx, [esi+0F8h]
		mov	dl, 1
		call	KeDisableTimer2
		or	byte ptr [esi+21h], 80h
		sub	_PopThermalZoneCount, 1
		jnz	short loc_9AD06E
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	byte_6C2E2D, bl
		jz	short loc_9AD069
		mov	byte_6C2E2D, bl
		call	PopResetCurrentPolicies

loc_9AD069:				; CODE XREF: PopThermalZoneRemove(x)+F6j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_9AD06E:				; CODE XREF: PopThermalZoneRemove(x)+E9j
		xor	cl, cl
		call	PopThermalUpdateTelemetryClientCount
		mov	eax, [esi+39Ch]
		test	eax, eax
		jz	short loc_9AD086
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9AD086:				; CODE XREF: PopThermalZoneRemove(x)+117j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_PopThermalZoneRemove@4	endp


;  S U B	R O U T	I N E 


; __stdcall PopThermalZoneUpdateCoolingPolicy()
_PopThermalZoneUpdateCoolingPolicy@0 proc near
					; CODE XREF: PopThermalCoolingPowerSettingCallback+81976p
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopThermal
		cmp	esi, offset _PopThermal
		jz	short loc_9AD10A
		push	edi

loc_9AD0B9:				; CODE XREF: PopThermalZoneUpdateCoolingPolicy()+78j
		mov	eax, large fs:124h
		lea	edi, [esi+150h]
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+4], eax
		push	dword ptr [esi+1Ch]
		call	IoCancelIrp
		cmp	dword ptr [edi+4], 0
		jz	short loc_9AD0F1
		and	dword ptr [edi+4], 0

loc_9AD0F1:				; CODE XREF: PopThermalZoneUpdateCoolingPolicy()+5Cj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	esi, [esi]
		cmp	esi, offset _PopThermal
		jnz	short loc_9AD0B9
		pop	edi

loc_9AD10A:				; CODE XREF: PopThermalZoneUpdateCoolingPolicy()+27j
		cmp	dword_6C2044, 0
		pop	esi
		jz	short loc_9AD11B
		and	dword_6C2044, 0

loc_9AD11B:				; CODE XREF: PopThermalZoneUpdateCoolingPolicy()+83j
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExReleasePushLockEx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopThermalZoneUpdateCoolingPolicy@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdateOverThrottledCount(x, x)
_PopUpdateOverThrottledCount@8 proc near
					; CODE XREF: PopCheckAndHandleThermalConditions+82AD3p
					; PopThermalZoneRemove(x)+C9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ecx+18h]
		push	ebx
		push	esi
		mov	bl, dl
		xor	esi, esi
		movzx	edx, bl
		mov	[ebp+var_4], esi
		call	_PopDiagTraceThermalOverthrottleState@8	; PopDiagTraceThermalOverthrottleState(x,x)
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		test	bl, bl
		jz	short loc_9AD167
		mov	eax, dword_6C1FA0
		xor	ecx, ecx
		inc	eax
		inc	ecx
		mov	dword_6C1FA0, eax
		cmp	eax, ecx
		jnz	short loc_9AD184
		mov	[ebp+var_4], ecx
		jmp	short loc_9AD170
; 

loc_9AD167:				; CODE XREF: PopUpdateOverThrottledCount(x,x)+22j
		sub	dword_6C1FA0, 1
		jnz	short loc_9AD184

loc_9AD170:				; CODE XREF: PopUpdateOverThrottledCount(x,x)+39j
		push	esi
		push	esi
		push	esi
		push	esi
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	offset _WNF_PO_THERMAL_OVERTHROTTLE
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_9AD184:				; CODE XREF: PopUpdateOverThrottledCount(x,x)+34j
					; PopUpdateOverThrottledCount(x,x)+42j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		pop	esi
		pop	ebx
		leave
		retn
_PopUpdateOverThrottledCount@8 endp


;  S U B	R O U T	I N E 


; __stdcall PoDiagFreeUsermodeStack(x)
_PoDiagFreeUsermodeStack@4 proc	near	; CODE XREF: .text:00685281p
					; NtSetTimerResolution(x,x,x)+1BAp ...
		push	50455654h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
_PoDiagFreeUsermodeStack@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoDiagTraceDirectedDripsCandidateDevice(x)
_PoDiagTraceDirectedDripsCandidateDevice@4 proc	near
					; CODE XREF: IoDiagTraceDirectedDripsCandidateDevices()+35p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopTriggerDiagHandleRegistered, 0
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jz	loc_9AD27B
		cmp	dword_6B23F8, 5
		jbe	loc_9AD27B
		push	4000h
		xor	edi, edi
		mov	ebx, offset dword_6B23F8
		push	edi
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9AD27B
		mov	eax, _PopWnfCsEnterScenarioId
		mov	[ebp+var_88], eax
		mov	eax, dword_6C1D84
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_58], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_38], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_28], eax
		movzx	eax, word ptr [esi+14h]
		push	4
		mov	[ebp+var_20], eax
		mov	eax, [esi+58h]
		pop	ecx
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		push	edi
		push	edi
		push	offset loc_41E166
		push	ebx
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], 8
		mov	[ebp+var_4C], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], 2
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9AD27B:				; CODE XREF: PoDiagTraceDirectedDripsCandidateDevice(x)+21j
					; PoDiagTraceDirectedDripsCandidateDevice(x)+2Ej ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PoDiagTraceDirectedDripsCandidateDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagQueryDevicePropertyString(x,	x, x)
_PopDiagQueryDevicePropertyString@12 proc near
					; CODE XREF: PopDiagTraceFxDeviceAccounting(x,x,x,x,x,x)+12Bp
					; PopDiagTraceFxDeviceAccounting(x,x,x,x,x,x)+142p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		mov	ebx, edx
		xor	edx, edx
		mov	[ebp+var_C], eax
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], edx
		push	ecx
		push	edx
		push	edx
		push	ebx
		push	eax
		mov	[ebp+var_8], edx
		call	IoGetDeviceProperty
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_9AD324
		cmp	[ebp+var_4], 0FFFFh
		jbe	short loc_9AD2CB
		mov	esi, 80000005h
		jmp	short loc_9AD324
; 

loc_9AD2CB:				; CODE XREF: PopDiagQueryDevicePropertyString(x,x,x)+38j
		push	67696450h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9AD2E7
		mov	esi, 0C000009Ah
		jmp	short loc_9AD324
; 

loc_9AD2E7:				; CODE XREF: PopDiagQueryDevicePropertyString(x,x,x)+54j
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		push	[ebp+var_4]
		push	ebx
		push	[ebp+var_C]
		call	IoGetDeviceProperty
		mov	esi, eax
		test	esi, esi
		js	short loc_9AD315
		mov	ecx, [ebp+arg_0]
		mov	ax, word ptr [ebp+var_8]
		mov	[ecx], ax
		mov	ax, word ptr [ebp+var_4]
		mov	[ecx+4], edi
		xor	edi, edi
		mov	[ecx+2], ax

loc_9AD315:				; CODE XREF: PopDiagQueryDevicePropertyString(x,x,x)+72j
		test	edi, edi
		jz	short loc_9AD324
		push	67696450h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9AD324:				; CODE XREF: PopDiagQueryDevicePropertyString(x,x,x)+2Fj
					; PopDiagQueryDevicePropertyString(x,x,x)+3Fj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopDiagQueryDevicePropertyString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceAcDcStateChange(x, x, x)
_PopDiagTraceAcDcStateChange@12	proc near ; CODE XREF: PopUpdateAcDcState+827F8p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	[ebp+var_3C], edx
		mov	ebx, ecx
		jz	short loc_9AD3BD
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_ACDC_STATE_CHANGE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9AD3BB
		xor	eax, eax
		test	ebx, ebx
		push	4
		setz	al
		xor	edx, edx
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	offset _POP_ETW_EVENT_ACDC_STATE_CHANGE
		push	esi
		push	edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9AD3BB:				; CODE XREF: PopDiagTraceAcDcStateChange(x,x,x)+3Dj
		pop	edi
		pop	esi

loc_9AD3BD:				; CODE XREF: PopDiagTraceAcDcStateChange(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceAcDcStateChange@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceBatteryAlarmStatus(x, x, x)
_PopDiagTraceBatteryAlarmStatus@12 proc	near
					; CODE XREF: PopBatteryApplyCompositeState+A0454p

var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_FE		= dword	ptr -0FEh
var_DC		= dword	ptr -0DCh
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 130h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax]
		mov	esi, edx
		mov	[ebp+var_104], ecx
		cmp	eax, 1
		ja	loc_9AD723
		mov	eax, ds:_IndexToActionName[eax*4]
		xor	edi, edi
		mov	ebx, dword_6C2544
		mov	[ebp+var_11C], eax
		and	ebx, 1
		cmp	dword_6B23F8, 5
		mov	eax, dword_6C2634
		mov	[ebp+var_108], eax
		jbe	loc_9AD5FD
		push	4000h
		push	edi
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9AD5FD
		mov	edx, [ebp+var_11C]
		lea	ecx, [ebp+var_DC]
		call	_tlgCreate1Sz_char
		lea	eax, [ebp+var_FE+1]
		mov	byte ptr [ebp+var_FE+1], bl
		mov	[ebp+var_CC], eax
		xor	edx, edx
		mov	eax, [ebp+var_108]
		xor	ecx, ecx
		mov	[ebp+var_108], eax
		inc	ecx
		lea	eax, [ebp+var_108]
		mov	[ebp+var_C4], ecx
		mov	[ebp+var_BC], eax
		mov	eax, dword_6C2544
		mov	[ebp+var_120], eax
		lea	eax, [ebp+var_120]
		mov	[ebp+var_AC], eax
		mov	al, [esi]
		mov	byte ptr [ebp+var_FE], al
		lea	eax, [ebp+var_FE]
		mov	[ebp+var_9C], eax
		mov	eax, [esi+4]
		mov	[ebp+var_124], eax
		lea	eax, [ebp+var_124]
		mov	[ebp+var_8C], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_128], eax
		lea	eax, [ebp+var_128]
		mov	[ebp+var_7C], eax
		mov	eax, [esi+8]
		mov	[ebp+var_12C], eax
		lea	eax, [ebp+var_12C]
		mov	[ebp+var_6C], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_10C]
		mov	[ebp+var_5C], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_110], eax
		lea	eax, [ebp+var_110]
		mov	[ebp+var_94], ecx
		mov	ecx, [ebp+var_104]
		mov	[ebp+var_4C], eax
		push	4
		pop	ebx
		mov	eax, [ecx+4]
		mov	[ebp+var_104], eax
		lea	eax, [ebp+var_104]
		mov	[ebp+var_3C], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_114]
		mov	[ebp+var_C8], edx
		mov	[ebp+var_C0], edx
		mov	[ebp+var_B8], edx
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_B0], edx
		mov	[ebp+var_A8], edx
		mov	[ebp+var_A4], ebx
		mov	[ebp+var_A0], edx
		mov	[ebp+var_98], edx
		mov	[ebp+var_90], edx
		mov	[ebp+var_88], edx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], edx
		mov	[ebp+var_78], edx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], edx
		mov	[ebp+var_68], edx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], eax
		movzx	eax, byte_6C25E8
		mov	[ebp+var_118], eax
		lea	eax, [ebp+var_118]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_FE+2]
		push	eax
		push	0Fh
		push	edx
		push	edx
		push	offset loc_41DB76
		push	offset dword_6B23F8
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9AD5FD:				; CODE XREF: PopDiagTraceBatteryAlarmStatus(x,x,x)+58j
					; PopDiagTraceBatteryAlarmStatus(x,x,x)+70j
		cmp	dword_6C252C, 1
		jbe	loc_9AD723
		mov	esi, dword_6C253C
		cmp	esi, offset dword_6C253C
		jz	loc_9AD723
		mov	edx, 186A0h

loc_9AD621:				; CODE XREF: PopDiagTraceBatteryAlarmStatus(x,x,x)+351j
		mov	ecx, [esi+30h]
		inc	edi
		mov	ebx, edx
		test	ecx, ecx
		jz	short loc_9AD63C
		mov	eax, [esi+48h]
		mul	edx
		push	0
		push	ecx
		push	edx
		push	eax
		call	__aulldiv
		mov	ebx, eax

loc_9AD63C:				; CODE XREF: PopDiagTraceBatteryAlarmStatus(x,x,x)+25Dj
		cmp	dword_6B23F8, 5
		jbe	loc_9AD710
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9AD710
		mov	edx, [ebp+var_11C]
		lea	ecx, [ebp+var_6C]
		call	_tlgCreate1Sz_char
		lea	eax, [ebp+var_118]
		mov	[ebp+var_118], edi
		mov	[ebp+var_5C], eax
		xor	ecx, ecx
		mov	eax, [esi+30h]
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_114]
		mov	[ebp+var_4C], eax
		mov	eax, [esi+48h]
		mov	[ebp+var_104], eax
		lea	eax, [ebp+var_104]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_110]
		push	4
		pop	edx
		mov	[ebp+var_2C], eax
		mov	eax, [esi+34h]
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_10C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_8C]
		push	eax
		push	8
		push	ecx
		push	ecx
		push	offset loc_41DAE2
		push	offset dword_6B23F8
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_110], ebx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9AD710:				; CODE XREF: PopDiagTraceBatteryAlarmStatus(x,x,x)+277j
					; PopDiagTraceBatteryAlarmStatus(x,x,x)+290j
		mov	esi, [esi]
		mov	edx, 186A0h
		cmp	esi, offset dword_6C253C
		jnz	loc_9AD621

loc_9AD723:				; CODE XREF: PopDiagTraceBatteryAlarmStatus(x,x,x)+28j
					; PopDiagTraceBatteryAlarmStatus(x,x,x)+238j ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceBatteryAlarmStatus@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceBatteryCountChange(x, x, x)
_PopDiagTraceBatteryCountChange@12 proc	near
					; CODE XREF: PopBatteryApplyCompositeState+A03D1p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], ecx
		jz	short loc_9AD7B9
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_BATTERY_COUNT_CHANGE
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9AD7B6
		lea	eax, [ebp+var_38]
		xor	edx, edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9AD7B6:				; CODE XREF: PopDiagTraceBatteryCountChange(x,x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx

loc_9AD7B9:				; CODE XREF: PopDiagTraceBatteryCountChange(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceBatteryCountChange@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceBatteryTriggerMet(x, x,	x)
_PopDiagTraceBatteryTriggerMet@12 proc near
					; CODE XREF: PopBatteryApplyCompositeState+A0489p

var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1F8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax]
		cmp	esi, 1
		ja	loc_9ADC87
		mov	eax, dword_6C252C
		mov	ebx, dword_6C2544
		mov	[ebp+var_1A4], eax
		and	ebx, 1
		mov	[ebp+var_1C8], eax
		mov	eax, [ecx+4]
		xor	ecx, ecx
		cmp	byte_6C25E8, cl
		mov	[ebp+var_1A8], eax
		setnz	cl
		mov	[ebp+var_1CC], eax
		mov	eax, dword_6C2634
		mov	[ebp+var_1A0], ecx
		mov	[ebp+var_1D8], ecx
		xor	ecx, ecx
		cmp	[edx], cl
		mov	[ebp+var_1C4], eax
		setnz	cl
		mov	[ebp+var_1D0], esi
		mov	[ebp+var_1AC], ecx
		add	eax, 1F4h
		mov	[ebp+var_1DC], ecx
		mov	ecx, [edx+8]
		mov	[ebp+var_1B0], ecx
		mov	[ebp+var_1E0], ecx
		mov	ecx, [edx+4]
		mov	[ebp+var_1B4], ecx
		mov	[ebp+var_1E4], ecx
		mov	ecx, [edx+10h]
		mov	[ebp+var_1B8], ecx
		mov	[ebp+var_1E8], ecx
		mov	ecx, [edx+14h]
		xor	edx, edx
		mov	[ebp+var_1BC], ecx
		mov	[ebp+var_1EC], ecx
		mov	ecx, 3E8h
		div	ecx
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_1C0], ebx
		mov	[ebp+var_1D4], ebx
		mov	[ebp+var_1F0], eax
		jz	loc_9ADA56
		mov	edi, dword_6C1D74
		mov	ebx, _PopDiagHandle
		push	offset _POP_ETW_EVENT_BATTERY_TRIGGER_MET
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	loc_9ADA50
		lea	eax, [ebp+var_1D0]
		xor	ecx, ecx
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_1C8]
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_1F0]
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_1D4]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_1CC]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_1D8]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_1DC]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_1E0]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_1E4]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_1E8]
		push	4
		pop	edx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_1EC]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_BC]
		push	eax
		push	0Bh
		push	ecx
		push	offset _POP_ETW_EVENT_BATTERY_TRIGGER_MET
		push	edi
		push	ebx
		mov	[ebp+var_B8], ecx
		mov	[ebp+var_B4], edx
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_A4], edx
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_98], ecx
		mov	[ebp+var_94], edx
		mov	[ebp+var_90], ecx
		mov	[ebp+var_88], ecx
		mov	[ebp+var_84], edx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_78], ecx
		mov	[ebp+var_74], edx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	eax, [ebp+var_1C8]
		mov	esi, [ebp+var_1D0]
		mov	ebx, [ebp+var_1D4]
		mov	edi, [ebp+var_1D8]
		mov	[ebp+var_1A4], eax
		mov	eax, [ebp+var_1CC]
		mov	[ebp+var_1A8], eax
		mov	eax, [ebp+var_1DC]
		mov	[ebp+var_1AC], eax
		mov	eax, [ebp+var_1E0]
		mov	[ebp+var_1B0], eax
		mov	eax, [ebp+var_1E4]
		mov	[ebp+var_1B4], eax
		mov	eax, [ebp+var_1E8]
		mov	[ebp+var_1B8], eax
		mov	eax, [ebp+var_1EC]
		mov	[ebp+var_1BC], eax
		jmp	short loc_9ADA5C
; 

loc_9ADA50:				; CODE XREF: PopDiagTraceBatteryTriggerMet(x,x,x)+10Dj
		mov	ebx, [ebp+var_1C0]

loc_9ADA56:				; CODE XREF: PopDiagTraceBatteryTriggerMet(x,x,x)+EDj
		mov	edi, [ebp+var_1A0]

loc_9ADA5C:				; CODE XREF: PopDiagTraceBatteryTriggerMet(x,x,x)+287j
		cmp	dword_6B23F8, 5
		jbe	loc_9ADC87
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9ADC87
		lea	eax, [ebp+var_1C0]
		mov	[ebp+var_1C0], esi
		mov	[ebp+var_17C], eax
		xor	ecx, ecx
		mov	eax, [ebp+var_1A4]
		mov	[ebp+var_1A4], eax
		lea	eax, [ebp+var_1A4]
		mov	[ebp+var_16C], eax
		mov	eax, [ebp+var_1F0]
		mov	[ebp+var_1A0], eax
		lea	eax, [ebp+var_1A0]
		mov	[ebp+var_15C], eax
		mov	eax, [ebp+var_1C4]
		mov	[ebp+var_1C4], eax
		lea	eax, [ebp+var_1C4]
		mov	[ebp+var_14C], eax
		lea	eax, [ebp+var_1F4]
		mov	[ebp+var_13C], eax
		mov	eax, [ebp+var_1A8]
		mov	[ebp+var_1A8], eax
		lea	eax, [ebp+var_1A8]
		mov	[ebp+var_12C], eax
		lea	eax, [ebp+var_1F8]
		mov	[ebp+var_11C], eax
		mov	eax, [ebp+var_1AC]
		mov	[ebp+var_1AC], eax
		lea	eax, [ebp+var_1AC]
		mov	[ebp+var_10C], eax
		mov	eax, [ebp+var_1B0]
		mov	[ebp+var_1B0], eax
		lea	eax, [ebp+var_1B0]
		mov	[ebp+var_FC], eax
		mov	eax, [ebp+var_1B4]
		mov	[ebp+var_1B4], eax
		lea	eax, [ebp+var_1B4]
		mov	[ebp+var_EC], eax
		mov	eax, [ebp+var_1B8]
		mov	[ebp+var_1B8], eax
		lea	eax, [ebp+var_1B8]
		mov	[ebp+var_DC], eax
		mov	eax, [ebp+var_1BC]
		push	4
		pop	edx
		mov	[ebp+var_1BC], eax
		lea	eax, [ebp+var_1BC]
		mov	[ebp+var_178], ecx
		mov	[ebp+var_174], edx
		mov	[ebp+var_170], ecx
		mov	[ebp+var_168], ecx
		mov	[ebp+var_164], edx
		mov	[ebp+var_160], ecx
		mov	[ebp+var_158], ecx
		mov	[ebp+var_154], edx
		mov	[ebp+var_150], ecx
		mov	[ebp+var_148], ecx
		mov	[ebp+var_144], edx
		mov	[ebp+var_140], ecx
		mov	[ebp+var_1F4], ebx
		mov	[ebp+var_138], ecx
		mov	[ebp+var_134], edx
		mov	[ebp+var_130], ecx
		mov	[ebp+var_128], ecx
		mov	[ebp+var_124], edx
		mov	[ebp+var_120], ecx
		mov	[ebp+var_1F8], edi
		mov	[ebp+var_118], ecx
		mov	[ebp+var_114], edx
		mov	[ebp+var_110], ecx
		mov	[ebp+var_108], ecx
		mov	[ebp+var_104], edx
		mov	[ebp+var_100], ecx
		mov	[ebp+var_F8], ecx
		mov	[ebp+var_F4], edx
		mov	[ebp+var_F0], ecx
		mov	[ebp+var_E8], ecx
		mov	[ebp+var_E4], edx
		mov	[ebp+var_E0], ecx
		mov	[ebp+var_D8], ecx
		mov	[ebp+var_D4], edx
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_19C]
		mov	[ebp+var_C8], ecx
		push	eax
		push	0Eh
		push	ecx
		push	ecx
		push	offset loc_41DCB0
		push	offset dword_6B23F8
		mov	[ebp+var_C4], edx
		mov	[ebp+var_C0], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9ADC87:				; CODE XREF: PopDiagTraceBatteryTriggerMet(x,x,x)+20j
					; PopDiagTraceBatteryTriggerMet(x,x,x)+29Cj ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceBatteryTriggerMet@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceCoolingExtensionActiveUpdate(x)
_PopDiagTraceCoolingExtensionActiveUpdate@4 proc near
					; CODE XREF: PopPropogateCoolingChange(x)+DBp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	ebx, ecx
		jz	short loc_9ADD1A
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_COOLING_EXTENSION_ACTIVE_UPDATE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9ADD18
		xor	eax, eax
		mov	[ebp+var_2C], ebx
		cmp	[ebx+21h], al
		push	4
		setnz	al
		xor	edx, edx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_28]
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	offset _POP_ETW_EVENT_COOLING_EXTENSION_ACTIVE_UPDATE
		push	esi
		push	edi
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9ADD18:				; CODE XREF: PopDiagTraceCoolingExtensionActiveUpdate(x)+3Aj
		pop	edi
		pop	esi

loc_9ADD1A:				; CODE XREF: PopDiagTraceCoolingExtensionActiveUpdate(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceCoolingExtensionActiveUpdate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceCoolingExtensionPassiveUpdate(x)
_PopDiagTraceCoolingExtensionPassiveUpdate@4 proc near
					; CODE XREF: PopPropogateCoolingChange(x)+76p

var_2C		= dword	ptr -2Ch
var_25		= dword	ptr -25h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	ebx, ecx
		jz	short loc_9ADDA9
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_COOLING_EXTENSION_PASSIVE_UPDATE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9ADDA7
		mov	al, [ebx+22h]
		xor	ecx, ecx
		mov	byte ptr [ebp+var_25], al
		lea	eax, [ebp+var_25]
		mov	[ebp+var_25+1],	eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_25+1]
		push	eax
		push	2
		push	ecx
		push	offset _POP_ETW_EVENT_COOLING_EXTENSION_PASSIVE_UPDATE
		push	esi
		push	edi
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], 1
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9ADDA7:				; CODE XREF: PopDiagTraceCoolingExtensionPassiveUpdate(x)+3Aj
		pop	edi
		pop	esi

loc_9ADDA9:				; CODE XREF: PopDiagTraceCoolingExtensionPassiveUpdate(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceCoolingExtensionPassiveUpdate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceCsConsumption(x)
_PopDiagTraceCsConsumption@4 proc near	; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+552p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_59		= byte ptr -59h
var_58		= dword	ptr -58h
var_54		= word ptr -54h
var_52		= byte ptr -52h
var_51		= byte ptr -51h
var_50		= word ptr -50h
var_4E		= byte ptr -4Eh
var_4D		= byte ptr -4Dh
var_4C		= byte ptr -4Ch
var_4B		= byte ptr -4Bh
var_4A		= byte ptr -4Ah
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_3C		= dword	ptr -3Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	edi, [ebp+var_58]
		push	0
		mov	eax, [esi+20h]
		mov	[ebp+var_68], eax
		mov	eax, [esi+80h]
		mov	ecx, [esi+24h]
		mov	[ebp+var_64], eax
		mov	eax, [esi+84h]
		mov	ebx, [esi+38h]
		mov	[ebp+var_6C], eax
		mov	al, [esi+7Ch]
		mov	[ebp+var_59], al
		xor	eax, eax
		stosd
		push	3938700h
		push	ecx
		mov	[ebp+var_60], ecx
		stosd
		stosd
		stosd
		mov	eax, [esi]
		mov	edi, [ebp+var_68]
		push	edi
		mov	[ebp+var_58], eax
		call	__aulldiv
		mov	[ebp+var_54], ax
		mov	eax, edi
		or	eax, [ebp+var_60]
		jz	loc_9ADF1F
		mov	eax, [esi+2Ch]
		push	64h
		pop	ecx
		mul	ecx
		push	64h
		pop	edx
		push	[ebp+var_60]
		mov	ecx, eax
		mov	eax, [esi+28h]
		mul	edx
		push	edi
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		push	64h
		pop	ecx
		mov	[ebp+var_52], al
		mov	eax, [esi+34h]
		mul	ecx
		push	64h
		pop	edx
		push	[ebp+var_60]
		mov	ecx, eax
		mov	eax, [esi+30h]
		mul	edx
		push	edi
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		push	64h
		pop	ecx
		mov	[ebp+var_51], al
		mov	eax, [esi+44h]
		mul	ecx
		push	64h
		pop	edx
		push	[ebp+var_60]
		mov	ecx, eax
		mov	eax, [esi+40h]
		mul	edx
		push	edi
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		push	64h
		pop	ecx
		mov	[ebp+var_4E], al
		mov	eax, [esi+4Ch]
		mul	ecx
		push	64h
		pop	edx
		push	[ebp+var_60]
		mov	ecx, eax
		mov	eax, [esi+48h]
		mul	edx
		push	edi
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		push	64h
		pop	ecx
		mov	[ebp+var_4D], al
		mov	eax, [esi+5Ch]
		mul	ecx
		push	64h
		pop	edx
		push	[ebp+var_60]
		mov	ecx, eax
		mov	eax, [esi+58h]
		mul	edx
		push	edi
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	[ebp+var_4B], al
		mov	eax, [esi+64h]
		push	64h
		pop	ecx
		mul	ecx
		push	64h
		pop	edx
		mov	ecx, eax
		mov	eax, [esi+60h]
		mov	esi, [ebp+var_60]
		mul	edx
		push	esi
		push	edi
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	ecx, [ebp+var_64]
		mov	[ebp+var_4A], al
		mov	eax, [ebp+var_6C]
		and	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_9ADF1B
		push	64h
		pop	ecx
		mul	ecx
		push	64h
		pop	edx
		mov	ecx, eax
		mov	eax, [ebp+var_64]
		mul	edx
		push	esi
		push	edi
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	[ebp+var_49], al
		jmp	short loc_9ADF1F
; 

loc_9ADF1B:				; CODE XREF: PopDiagTraceCsConsumption(x)+144j
		mov	[ebp+var_49], 0FFh

loc_9ADF1F:				; CODE XREF: PopDiagTraceCsConsumption(x)+66j
					; PopDiagTraceCsConsumption(x)+163j
		mov	eax, 0FFFFh
		cmp	ebx, eax
		jbe	short loc_9ADF2A
		mov	ebx, eax

loc_9ADF2A:				; CODE XREF: PopDiagTraceCsConsumption(x)+170j
		mov	al, [ebp+var_59]
		lea	ecx, [ebp+var_3C]
		mov	[ebp+var_50], bx
		xor	ebx, ebx
		push	4
		mov	[ebp+var_4C], al
		mov	edx, ebx
		pop	esi

loc_9ADF3E:				; CODE XREF: PopDiagTraceCsConsumption(x)+19Fj
		lea	eax, [ebp+var_58]
		mov	[ecx-8], ebx
		lea	eax, [eax+edx*4]
		mov	[ecx-4], esi
		inc	edx
		mov	[ecx-0Ch], eax
		mov	[ecx], ebx
		lea	ecx, [ecx+10h]
		cmp	edx, esi
		jb	short loc_9ADF3E
		lea	eax, [ebp+var_48]
		push	eax
		push	esi
		push	ebx
		push	offset _POP_ETW_EVENT_CS_CONSUMPTION_PERFTRACK
		push	dword_6C1D74
		push	_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceCsConsumption@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceCsEnterReason(x, x, x)
_PopDiagTraceCsEnterReason@12 proc near	; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+495p

var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 144h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	eax, _PopWnfCsEnterScenarioId
		push	ebx
		push	esi
		movzx	esi, _PopConsoleExternalDisplayConnected
		mov	ebx, ecx
		mov	ecx, dword_6D4590
		mov	[ebp+var_138], eax
		mov	eax, dword_6C1D84
		push	edi
		movzx	edi, _PopLidOpened
		mov	[ebp+var_134], eax
		mov	eax, _PopCsConsumption
		mov	[ebp+var_11C], ebx
		mov	[ebp+var_114], esi
		mov	[ebp+var_118], edi
		mov	[ebp+var_10C], eax
		mov	[ebp+var_124], eax
		mov	[ebp+var_110], ecx
		mov	[ebp+var_120], ecx
		jz	loc_9AE0FF
		mov	esi, dword_6C1D74
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_CS_ENTER_REASON
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_9AE0F3
		lea	eax, [ebp+var_11C]
		mov	[ebp+var_50], 1
		mov	[ebp+var_88], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_118]
		mov	[ebp+var_84], ecx
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_114]
		push	4
		pop	edx
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_138]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_124]
		push	8
		pop	ebx
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_120]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_88]
		push	eax
		push	ebx
		push	ecx
		push	offset _POP_ETW_EVENT_CS_ENTER_REASON
		push	esi
		push	edi
		mov	[ebp+var_80], edx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], offset _PopWnfCsEnterScenarioId
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], 0FFDF02C4h
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	eax, [ebp+var_120]
		mov	ebx, [ebp+var_11C]
		mov	[ebp+var_110], eax
		mov	eax, [ebp+var_124]
		mov	[ebp+var_10C], eax

loc_9AE0F3:				; CODE XREF: PopDiagTraceCsEnterReason(x,x,x)+9Aj
		mov	edi, [ebp+var_118]
		mov	esi, [ebp+var_114]

loc_9AE0FF:				; CODE XREF: PopDiagTraceCsEnterReason(x,x,x)+7Aj
		cmp	dword_6B23F8, 5
		jbe	loc_9AE23C
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9AE23C
		mov	eax, _PopWnfCsEnterScenarioId
		xor	ecx, ecx
		mov	[ebp+var_140], eax
		mov	eax, dword_6C1D84
		mov	[ebp+var_13C], eax
		lea	eax, [ebp+var_140]
		mov	[ebp+var_E8], eax
		lea	eax, [ebp+var_128]
		mov	[ebp+var_D8], eax
		lea	eax, [ebp+var_12C]
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_130]
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+var_10C]
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_10C]
		push	4
		pop	edx
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+var_110]
		mov	[ebp+var_110], eax
		lea	eax, [ebp+var_110]
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_108]
		push	eax
		push	8
		push	ecx
		push	ecx
		push	offset loc_41EEC6
		push	offset dword_6B23F8
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_E0], 8
		mov	[ebp+var_DC], ecx
		mov	[ebp+var_128], ebx
		mov	[ebp+var_D4], ecx
		mov	[ebp+var_D0], edx
		mov	[ebp+var_CC], ecx
		mov	[ebp+var_12C], edi
		mov	[ebp+var_C4], ecx
		mov	[ebp+var_C0], edx
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_130], esi
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_B0], edx
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_A0], edx
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_94], ecx
		mov	[ebp+var_90], edx
		mov	[ebp+var_8C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9AE23C:				; CODE XREF: PopDiagTraceCsEnterReason(x,x,x)+184j
					; PopDiagTraceCsEnterReason(x,x,x)+19Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopDiagTraceCsEnterReason@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceCsExitReason(x,	x, x)
_PopDiagTraceCsExitReason@12 proc near	; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+55Fp

var_3C8		= dword	ptr -3C8h
var_3C4		= dword	ptr -3C4h
var_3C0		= dword	ptr -3C0h
var_3BC		= dword	ptr -3BCh
var_3B8		= dword	ptr -3B8h
var_3B4		= dword	ptr -3B4h
var_3B0		= dword	ptr -3B0h
var_3AC		= dword	ptr -3ACh
var_3A8		= dword	ptr -3A8h
var_3A4		= dword	ptr -3A4h
var_3A0		= dword	ptr -3A0h
var_39C		= dword	ptr -39Ch
var_398		= dword	ptr -398h
var_394		= dword	ptr -394h
var_390		= dword	ptr -390h
var_388		= dword	ptr -388h
var_384		= dword	ptr -384h
var_380		= dword	ptr -380h
var_37C		= dword	ptr -37Ch
var_378		= dword	ptr -378h
var_374		= dword	ptr -374h
var_370		= dword	ptr -370h
var_36C		= dword	ptr -36Ch
var_368		= dword	ptr -368h
var_364		= dword	ptr -364h
var_360		= dword	ptr -360h
var_35C		= dword	ptr -35Ch
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_320		= dword	ptr -320h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2EC		= dword	ptr -2ECh
var_2E8		= dword	ptr -2E8h
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_294		= dword	ptr -294h
var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		and	[ebp+var_26C], 0
		mov	eax, [edi]
		mov	[ebp+var_270], eax
		mov	eax, [edi+28h]
		mov	[ebp+var_258], eax
		mov	eax, [edi+2Ch]
		mov	[ebp+var_254], eax
		mov	eax, [edi+30h]
		mov	[ebp+var_260], eax
		mov	eax, [edi+34h]
		mov	[ebp+var_25C], eax
		mov	eax, [edi+38h]
		mov	[ebp+var_274], eax
		mov	eax, [edi+40h]
		mov	[ebp+var_268], eax
		mov	eax, [edi+44h]
		mov	[ebp+var_264], eax
		mov	eax, [edi+48h]
		mov	[ebp+var_248], eax
		mov	eax, [edi+4Ch]
		mov	[ebp+var_244], eax
		mov	eax, [edi+5Ch]
		mov	[ebp+var_240], eax
		mov	[ebp+var_24C], eax
		mov	eax, [edi+60h]
		mov	[ebp+var_2B8], eax
		mov	eax, [edi+64h]
		mov	cl, [edi+7Ch]
		mov	[ebp+var_2B4], eax
		mov	eax, [edi+68h]
		mov	[ebp+var_2C8], eax
		mov	eax, [edi+6Ch]
		mov	[ebp+var_2C4], eax
		mov	eax, [edi+50h]
		mov	[ebp+var_2D0], eax
		mov	eax, [edi+54h]
		mov	[ebp+var_2CC], eax
		mov	eax, [edi+80h]
		mov	[ebp+var_2C0], eax
		mov	eax, [edi+84h]
		mov	[ebp+var_2BC], eax
		mov	al, cl
		shr	al, 1
		mov	byte ptr [ebp+var_23C+3], al
		mov	eax, [edi+74h]
		mov	[ebp+var_278], eax
		mov	esi, [edi+20h]
		mov	edx, [edi+24h]
		mov	ebx, [edi+58h]
		movzx	eax, cl
		movzx	ecx, byte ptr [edi+7Dh]
		and	eax, 1
		mov	[ebp+var_27C], eax
		mov	eax, [edi+98h]
		mov	[ebp+var_2A8], eax
		mov	eax, [edi+9Ch]
		mov	[ebp+var_2A4], eax
		mov	eax, ecx
		and	eax, 1
		shr	ecx, 1
		mov	[ebp+var_284], eax
		and	ecx, 1
		mov	eax, [edi+0E0h]
		mov	[ebp+var_2E0], eax
		mov	eax, [edi+0E4h]
		mov	[ebp+var_2DC], eax
		mov	eax, [edi+0E8h]
		mov	[ebp+var_2D8], eax
		mov	eax, [edi+0ECh]
		mov	[ebp+var_2D4], eax
		mov	eax, [edi+0F0h]
		mov	[ebp+var_2E8], eax
		mov	eax, [edi+0F4h]
		mov	[ebp+var_2B0], esi
		mov	[ebp+var_2AC], edx
		mov	[ebp+var_250], ebx
		mov	[ebp+var_280], ecx
		or	esi, edx
		mov	[ebp+var_2E4], eax
		mov	eax, [edi+0F8h]
		mov	[ebp+var_2F0], eax
		mov	eax, [edi+0FCh]
		mov	[ebp+var_2EC], eax
		mov	eax, [edi+100h]
		mov	[ebp+var_2A0], eax
		mov	eax, [edi+104h]
		mov	[ebp+var_29C], eax
		mov	eax, [edi+0B4h]
		mov	[ebp+var_2F4], eax
		mov	eax, [edi+0B8h]
		mov	[ebp+var_2F8], eax
		movzx	eax, _PopConsoleExternalDisplayConnected
		mov	[ebp+var_28C], eax
		movzx	eax, _PopLidOpened
		mov	[ebp+var_288], eax
		movzx	eax, byte ptr [edi+0BCh]
		mov	[ebp+var_2FC], eax
		mov	eax, [edi+0C0h]
		mov	[ebp+var_290], eax
		mov	eax, [edi+0C4h]
		mov	[ebp+var_294], eax
		mov	eax, [edi+0D8h]
		mov	[ebp+var_390], eax
		jnz	short loc_9AE4B4
		mov	[ebp+var_260], esi
		mov	ebx, esi
		mov	[ebp+var_25C], esi
		mov	eax, esi
		mov	[ebp+var_258], esi
		mov	[ebp+var_254], esi
		mov	[ebp+var_268], esi
		mov	[ebp+var_264], esi
		mov	[ebp+var_248], esi
		mov	[ebp+var_244], esi
		mov	[ebp+var_250], esi
		mov	[ebp+var_24C], esi
		jmp	short loc_9AE4BC
; 

loc_9AE4B4:				; CODE XREF: PopDiagTraceCsExitReason(x,x,x)+223j
		mov	eax, [ebp+var_240]
		xor	esi, esi

loc_9AE4BC:				; CODE XREF: PopDiagTraceCsExitReason(x,x,x)+265j
		or	ebx, eax
		jz	short loc_9AE4C5
		xor	eax, eax
		inc	eax
		jmp	short loc_9AE4C7
; 

loc_9AE4C5:				; CODE XREF: PopDiagTraceCsExitReason(x,x,x)+271j
		mov	eax, esi

loc_9AE4C7:				; CODE XREF: PopDiagTraceCsExitReason(x,x,x)+276j
		cmp	_PopDiagHandleRegistered, 0
		mov	ebx, esi
		mov	[ebp+var_240], eax
		mov	eax, [edi+108h]
		mov	[ebp+var_324], eax
		mov	eax, [edi+10Ch]
		mov	[ebp+var_334], eax
		jz	short loc_9AE52A
		push	offset _POP_ETW_EVENT_CS_EXIT_REASON
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9AE52A
		push	50455654h
		push	2E0h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_9AEB57
		mov	ebx, 0C000009Ah

loc_9AE52A:				; CODE XREF: PopDiagTraceCsExitReason(x,x,x)+2A1j
					; PopDiagTraceCsExitReason(x,x,x)+2BBj
		push	4
		pop	edi

loc_9AE52D:				; CODE XREF: PopDiagTraceCsExitReason(x,x,x)+E9Bj
		cmp	dword_6B23F8, 5
		jbe	loc_9AEB46
		push	4000h
		push	esi
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9AEB46
		mov	eax, _PopWnfCsEnterScenarioId
		xor	edx, edx
		mov	[ebp+var_348], eax
		inc	edx
		mov	eax, dword_6C1D84
		mov	[ebp+var_344], eax
		lea	eax, [ebp+var_348]
		mov	[ebp+var_218], eax
		mov	eax, [ebp+var_270]
		mov	[ebp+var_300], eax
		lea	eax, [ebp+var_300]
		mov	[ebp+var_208], eax
		mov	eax, [ebp+var_260]
		mov	[ebp+var_340], eax
		mov	eax, [ebp+var_25C]
		mov	[ebp+var_33C], eax
		lea	eax, [ebp+var_340]
		mov	[ebp+var_1F8], eax
		mov	eax, [ebp+var_248]
		mov	[ebp+var_388], eax
		mov	eax, [ebp+var_244]
		mov	[ebp+var_384], eax
		lea	eax, [ebp+var_388]
		mov	[ebp+var_1E8], eax
		mov	eax, [ebp+var_268]
		mov	[ebp+var_350], eax
		mov	eax, [ebp+var_264]
		mov	[ebp+var_34C], eax
		lea	eax, [ebp+var_350]
		mov	[ebp+var_1D8], eax
		mov	eax, [ebp+var_258]
		mov	[ebp+var_358], eax
		mov	eax, [ebp+var_254]
		mov	[ebp+var_354], eax
		lea	eax, [ebp+var_358]
		mov	[ebp+var_1C8], eax
		mov	eax, [ebp+var_2B0]
		mov	[ebp+var_360], eax
		mov	eax, [ebp+var_2AC]
		mov	[ebp+var_35C], eax
		lea	eax, [ebp+var_360]
		mov	[ebp+var_1B8], eax
		mov	eax, [ebp+var_274]
		mov	[ebp+var_304], eax
		lea	eax, [ebp+var_304]
		mov	[ebp+var_1A8], eax
		mov	al, byte ptr [ebp+var_23C+3]
		mov	byte ptr [ebp+var_23C+2], al
		lea	eax, [ebp+var_23C+2]
		push	8
		pop	ecx
		mov	[ebp+var_198], eax
		mov	eax, [ebp+var_240]
		mov	[ebp+var_214], esi
		mov	[ebp+var_210], ecx
		mov	[ebp+var_20C], esi
		mov	[ebp+var_204], esi
		mov	[ebp+var_200], edi
		mov	[ebp+var_1FC], esi
		mov	[ebp+var_1F4], esi
		mov	[ebp+var_1F0], ecx
		mov	[ebp+var_1EC], esi
		mov	[ebp+var_1E4], esi
		mov	[ebp+var_1E0], ecx
		mov	[ebp+var_1DC], esi
		mov	[ebp+var_1D4], esi
		mov	[ebp+var_1D0], ecx
		mov	[ebp+var_1CC], esi
		mov	[ebp+var_1C4], esi
		mov	[ebp+var_1C0], ecx
		mov	[ebp+var_1BC], esi
		mov	[ebp+var_1B4], esi
		mov	[ebp+var_1B0], ecx
		mov	[ebp+var_1AC], esi
		mov	[ebp+var_1A4], esi
		mov	[ebp+var_1A0], edi
		mov	[ebp+var_19C], esi
		mov	[ebp+var_194], esi
		mov	[ebp+var_190], edx
		mov	[ebp+var_18C], esi
		mov	[ebp+var_308], eax
		lea	eax, [ebp+var_308]
		mov	[ebp+var_184], esi
		mov	[ebp+var_188], eax
		mov	eax, [ebp+var_278]
		mov	[ebp+var_30C], eax
		lea	eax, [ebp+var_30C]
		mov	[ebp+var_178], eax
		mov	eax, [ebp+var_250]
		mov	[ebp+var_368], eax
		mov	eax, [ebp+var_24C]
		mov	[ebp+var_364], eax
		lea	eax, [ebp+var_368]
		mov	[ebp+var_168], eax
		mov	eax, [ebp+var_2B8]
		mov	[ebp+var_370], eax
		mov	eax, [ebp+var_2B4]
		mov	[ebp+var_36C], eax
		lea	eax, [ebp+var_370]
		mov	[ebp+var_158], eax
		mov	eax, [ebp+var_27C]
		mov	[ebp+var_310], eax
		lea	eax, [ebp+var_310]
		mov	[ebp+var_148], eax
		mov	eax, [ebp+var_2C0]
		mov	[ebp+var_378], eax
		mov	eax, [ebp+var_2BC]
		mov	[ebp+var_374], eax
		lea	eax, [ebp+var_378]
		mov	[ebp+var_138], eax
		mov	eax, [ebp+var_2A8]
		mov	[ebp+var_380], eax
		mov	eax, [ebp+var_2A4]
		mov	[ebp+var_37C], eax
		lea	eax, [ebp+var_380]
		mov	[ebp+var_128], eax
		mov	eax, [ebp+var_280]
		mov	[ebp+var_314], eax
		lea	eax, [ebp+var_314]
		mov	[ebp+var_118], eax
		mov	eax, [ebp+var_284]
		mov	[ebp+var_318], eax
		lea	eax, [ebp+var_318]
		mov	[ebp+var_108], eax
		mov	eax, [ebp+var_2C8]
		mov	[ebp+var_3C8], eax
		mov	eax, [ebp+var_2C4]
		mov	[ebp+var_3C4], eax
		lea	eax, [ebp+var_3C8]
		mov	[ebp+var_F8], eax
		mov	eax, [ebp+var_288]
		mov	[ebp+var_32C], eax
		lea	eax, [ebp+var_32C]
		mov	[ebp+var_180], edi
		mov	[ebp+var_17C], esi
		mov	[ebp+var_174], esi
		mov	[ebp+var_170], edi
		mov	[ebp+var_16C], esi
		mov	[ebp+var_164], esi
		mov	[ebp+var_160], ecx
		mov	[ebp+var_15C], esi
		mov	[ebp+var_154], esi
		mov	[ebp+var_150], ecx
		mov	[ebp+var_14C], esi
		mov	[ebp+var_144], esi
		mov	[ebp+var_140], edi
		mov	[ebp+var_13C], esi
		mov	[ebp+var_134], esi
		mov	[ebp+var_130], ecx
		mov	[ebp+var_12C], esi
		mov	[ebp+var_124], esi
		mov	[ebp+var_120], ecx
		mov	[ebp+var_11C], esi
		mov	[ebp+var_114], esi
		mov	[ebp+var_110], edi
		mov	[ebp+var_10C], esi
		mov	[ebp+var_104], esi
		mov	[ebp+var_100], edi
		mov	[ebp+var_FC], esi
		mov	[ebp+var_F4], esi
		mov	[ebp+var_F0], ecx
		mov	[ebp+var_EC], esi
		mov	[ebp+var_E8], eax
		mov	eax, [ebp+var_28C]
		mov	[ebp+var_31C], eax
		lea	eax, [ebp+var_31C]
		mov	[ebp+var_D8], eax
		mov	eax, [ebp+var_290]
		mov	[ebp+var_320], eax
		lea	eax, [ebp+var_320]
		mov	[ebp+var_C8], eax
		mov	eax, [ebp+var_294]
		mov	[ebp+var_338], eax
		lea	eax, [ebp+var_338]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_330]
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+var_390]
		mov	[ebp+var_328], eax
		lea	eax, [ebp+var_328]
		mov	[ebp+var_98], eax
		mov	eax, [ebp+var_2D0]
		mov	[ebp+var_398], eax
		mov	eax, [ebp+var_2CC]
		mov	[ebp+var_394], eax
		lea	eax, [ebp+var_398]
		mov	[ebp+var_88], eax
		mov	eax, [ebp+var_2D8]
		mov	[ebp+var_3A0], eax
		mov	eax, [ebp+var_2D4]
		mov	[ebp+var_39C], eax
		lea	eax, [ebp+var_3A0]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+var_2E0]
		mov	[ebp+var_3A8], eax
		mov	eax, [ebp+var_2DC]
		mov	[ebp+var_3A4], eax
		lea	eax, [ebp+var_3A8]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+var_2E8]
		mov	[ebp+var_3B0], eax
		mov	eax, [ebp+var_2E4]
		mov	[ebp+var_3AC], eax
		lea	eax, [ebp+var_3B0]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+var_2F0]
		mov	[ebp+var_3B8], eax
		mov	eax, [ebp+var_2EC]
		mov	[ebp+var_3B4], eax
		lea	eax, [ebp+var_3B8]
		mov	[ebp+var_E4], esi
		mov	[ebp+var_E0], edi
		mov	[ebp+var_DC], esi
		mov	[ebp+var_D4], esi
		mov	[ebp+var_D0], edi
		mov	[ebp+var_CC], esi
		mov	[ebp+var_C4], esi
		mov	[ebp+var_C0], edi
		mov	[ebp+var_BC], esi
		mov	[ebp+var_B4], esi
		mov	[ebp+var_B0], edi
		mov	[ebp+var_AC], esi
		mov	[ebp+var_330], ebx
		mov	[ebp+var_A4], esi
		mov	[ebp+var_A0], edi
		mov	[ebp+var_9C], esi
		mov	[ebp+var_94], esi
		mov	[ebp+var_90], edi
		mov	[ebp+var_8C], esi
		mov	[ebp+var_84], esi
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], esi
		mov	[ebp+var_74], esi
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], esi
		mov	[ebp+var_64], esi
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], esi
		mov	eax, [ebp+var_2A0]
		mov	[ebp+var_3C0], eax
		mov	eax, [ebp+var_29C]
		mov	[ebp+var_3BC], eax
		lea	eax, [ebp+var_3C0]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_324]
		mov	byte ptr [ebp+var_23C+1], al
		lea	eax, [ebp+var_23C+1]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_334]
		mov	byte ptr [ebp+var_23C],	al
		lea	eax, [ebp+var_23C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_238]
		push	eax
		push	23h
		push	esi
		push	esi
		push	offset loc_41EC20
		push	offset dword_6B23F8
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9AEB46:				; CODE XREF: PopDiagTraceCsExitReason(x,x,x)+2E7j
					; PopDiagTraceCsExitReason(x,x,x)+2FFj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_9AEB57:				; CODE XREF: PopDiagTraceCsExitReason(x,x,x)+2D2j
		lea	eax, [ebp+var_270]
		mov	dword ptr [esi+8], 4
		mov	[esi], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_260]
		mov	[esi+4], ecx
		mov	[esi+10h], eax
		lea	eax, [ebp+var_248]
		mov	[esi+20h], eax
		lea	eax, [ebp+var_268]
		mov	[esi+30h], eax
		lea	eax, [ebp+var_258]
		mov	[esi+40h], eax
		lea	eax, [ebp+var_2B0]
		mov	[esi+50h], eax
		lea	eax, [ebp+var_274]
		mov	[esi+60h], eax
		lea	eax, [ebp+var_23C+3]
		mov	[esi+70h], eax
		lea	eax, [ebp+var_240]
		mov	[esi+80h], eax
		lea	eax, [ebp+var_278]
		mov	[esi+90h], eax
		lea	eax, [ebp+var_250]
		mov	[esi+0A0h], eax
		lea	eax, [ebp+var_2B8]
		mov	[esi+0B0h], eax
		lea	eax, [ebp+var_27C]
		mov	[esi+0C0h], eax
		lea	eax, [ebp+var_2C0]
		mov	[esi+0D0h], eax
		lea	eax, [ebp+var_2A8]
		push	8
		pop	edx
		mov	[esi+0E0h], eax
		lea	eax, [ebp+var_280]
		mov	[esi+0Ch], ecx
		mov	[esi+14h], ecx
		mov	[esi+18h], edx
		mov	[esi+1Ch], ecx
		mov	[esi+24h], ecx
		mov	[esi+28h], edx
		mov	[esi+2Ch], ecx
		mov	[esi+34h], ecx
		mov	[esi+38h], edx
		mov	[esi+3Ch], ecx
		mov	[esi+44h], ecx
		mov	[esi+48h], edx
		mov	[esi+4Ch], ecx
		mov	[esi+54h], ecx
		mov	[esi+58h], edx
		mov	[esi+5Ch], ecx
		mov	[esi+64h], ecx
		mov	dword ptr [esi+68h], 4
		mov	[esi+6Ch], ecx
		mov	[esi+74h], ecx
		mov	dword ptr [esi+78h], 1
		mov	[esi+7Ch], ecx
		mov	[esi+84h], ecx
		mov	dword ptr [esi+88h], 4
		mov	[esi+8Ch], ecx
		mov	[esi+94h], ecx
		mov	dword ptr [esi+98h], 4
		mov	[esi+9Ch], ecx
		mov	[esi+0A4h], ecx
		mov	[esi+0A8h], edx
		mov	[esi+0ACh], ecx
		mov	[esi+0B4h], ecx
		mov	[esi+0B8h], edx
		mov	[esi+0BCh], ecx
		mov	[esi+0C4h], ecx
		mov	dword ptr [esi+0C8h], 4
		mov	[esi+0CCh], ecx
		mov	[esi+0D4h], ecx
		mov	[esi+0D8h], edx
		mov	[esi+0DCh], ecx
		mov	[esi+0E4h], ecx
		mov	[esi+0E8h], edx
		mov	[esi+0ECh], ecx
		mov	[esi+0F0h], eax
		mov	[esi+0F4h], ecx
		lea	eax, [ebp+var_284]
		mov	dword ptr [esi+0F8h], 4
		mov	[esi+100h], eax
		lea	eax, [ebp+var_2C8]
		mov	[esi+110h], eax
		lea	eax, [ebp+var_2F4]
		mov	[esi+120h], eax
		lea	eax, [ebp+var_2F8]
		mov	[esi+130h], eax
		lea	eax, [ebp+var_288]
		mov	[esi+140h], eax
		lea	eax, [ebp+var_28C]
		mov	[esi+150h], eax
		lea	eax, [ebp+arg_0]
		mov	[esi+160h], eax
		lea	eax, [ebp+var_2FC]
		mov	[esi+170h], eax
		lea	eax, [ebp+var_290]
		mov	[esi+180h], eax
		lea	eax, [ebp+var_294]
		mov	[esi+190h], eax
		push	4
		pop	eax
		mov	[esi+198h], eax
		mov	[esi+1B8h], eax
		lea	eax, [ebp+var_390]
		mov	[esi+1C0h], eax
		lea	eax, [ebp+var_2D0]
		mov	[esi+1D0h], eax
		lea	eax, [ebp+var_2D8]
		mov	[esi+1E0h], eax
		lea	eax, [ebp+var_2E0]
		mov	[esi+0FCh], ecx
		mov	[esi+104h], ecx
		mov	dword ptr [esi+108h], 4
		mov	[esi+10Ch], ecx
		mov	[esi+114h], ecx
		mov	[esi+118h], edx
		mov	[esi+11Ch], ecx
		mov	[esi+124h], ecx
		mov	dword ptr [esi+128h], 4
		mov	[esi+12Ch], ecx
		mov	[esi+134h], ecx
		mov	dword ptr [esi+138h], 4
		mov	[esi+13Ch], ecx
		mov	[esi+144h], ecx
		mov	dword ptr [esi+148h], 4
		mov	[esi+14Ch], ecx
		mov	[esi+154h], ecx
		mov	dword ptr [esi+158h], 4
		mov	[esi+15Ch], ecx
		mov	[esi+164h], ecx
		mov	dword ptr [esi+168h], 1
		mov	[esi+16Ch], ecx
		mov	[esi+174h], ecx
		mov	dword ptr [esi+178h], 4
		mov	[esi+17Ch], ecx
		mov	[esi+184h], ecx
		mov	dword ptr [esi+188h], 4
		mov	[esi+18Ch], ecx
		mov	[esi+194h], ecx
		mov	[esi+19Ch], ecx
		mov	dword ptr [esi+1A0h], offset _PopWnfCsEnterScenarioId
		mov	[esi+1A4h], ecx
		mov	[esi+1A8h], edx
		mov	[esi+1ACh], ecx
		mov	dword ptr [esi+1B0h], 0FFDF02C4h
		mov	[esi+1B4h], ecx
		mov	[esi+1BCh], ecx
		mov	[esi+1C4h], ecx
		mov	dword ptr [esi+1C8h], 4
		mov	[esi+1CCh], ecx
		mov	[esi+1D4h], ecx
		mov	[esi+1D8h], edx
		mov	[esi+1DCh], ecx
		mov	[esi+1E4h], ecx
		mov	[esi+1E8h], edx
		mov	[esi+1ECh], ecx
		mov	[esi+1F0h], eax
		mov	[esi+1F4h], ecx
		mov	[esi+1F8h], edx
		lea	eax, [ebp+var_2E8]
		mov	[esi+208h], edx
		mov	[esi+200h], eax
		lea	eax, [ebp+var_2F0]
		mov	[esi+210h], eax
		lea	eax, [ebp+var_2A0]
		mov	[esi+220h], eax
		mov	[esi+218h], edx
		mov	[esi+228h], edx
		mov	[esi+1FCh], ecx
		mov	[esi+204h], ecx
		mov	[esi+20Ch], ecx
		mov	[esi+214h], ecx
		mov	[esi+21Ch], ecx
		mov	[esi+224h], ecx
		mov	[esi+22Ch], ecx
		movzx	eax, byte ptr [edi+110h]
		mov	[ebp+var_26C], eax
		lea	eax, [ebp+var_26C]
		mov	[esi+230h], eax
		lea	eax, [edi+120h]
		mov	[esi+240h], eax
		lea	eax, [edi+124h]
		mov	[esi+250h], eax
		lea	eax, [edi+118h]
		mov	[esi+260h], eax
		lea	eax, [edi+138h]
		mov	[esi+270h], eax
		lea	eax, [edi+13Ch]
		mov	[esi+280h], eax
		lea	eax, [edi+130h]
		mov	[esi+290h], eax
		lea	eax, [edi+128h]
		push	4
		mov	[esi+2A0h], eax
		lea	eax, [edi+12Ch]
		mov	[esi+2B0h], eax
		lea	eax, [edi+140h]
		mov	[esi+268h], edx
		mov	[esi+298h], edx
		pop	edx
		push	edx
		mov	[esi+2C0h], eax
		lea	eax, [edi+144h]
		pop	edi
		push	esi
		push	2Eh
		push	ecx
		mov	[esi+234h], ecx
		mov	dword ptr [esi+238h], 4
		mov	[esi+23Ch], ecx
		mov	[esi+244h], ecx
		mov	dword ptr [esi+248h], 4
		mov	[esi+24Ch], ecx
		mov	[esi+254h], ecx
		mov	dword ptr [esi+258h], 4
		mov	[esi+25Ch], ecx
		mov	[esi+264h], ecx
		mov	[esi+26Ch], ecx
		mov	[esi+274h], ecx
		mov	dword ptr [esi+278h], 4
		mov	[esi+27Ch], ecx
		mov	[esi+284h], ecx
		mov	dword ptr [esi+288h], 4
		mov	[esi+28Ch], ecx
		mov	[esi+294h], ecx
		mov	[esi+29Ch], ecx
		mov	[esi+2A4h], ecx
		mov	[esi+2A8h], edx
		mov	[esi+2ACh], ecx
		mov	[esi+2B4h], ecx
		mov	[esi+2B8h], edx
		mov	[esi+2BCh], ecx
		mov	[esi+2C4h], ecx
		mov	[esi+2C8h], edx
		mov	[esi+2CCh], ecx
		mov	[esi+2D0h], eax
		mov	[esi+2D4h], ecx
		mov	[esi+2D8h], edi
		mov	[esi+2DCh], ecx
		push	offset _POP_ETW_EVENT_CS_EXIT_REASON
		push	dword_6C1D74
		push	_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		push	50455654h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		jmp	loc_9AE52D
_PopDiagTraceCsExitReason@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceCsResiliencyStats(x)
_PopDiagTraceCsResiliencyStats@4 proc near
					; CODE XREF: PopSleepstudyCaptureResiliencyStatistics(x,x,x,x)+13Ap

var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 22Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ebx, [esi+70h]
		test	ebx, ebx
		jnz	short loc_9AF11C
		and	[ebp+var_1A4], ebx
		and	[ebp+var_19C], ebx
		jmp	short loc_9AF12E
; 

loc_9AF11C:				; CODE XREF: PopDiagTraceCsResiliencyStats(x)+1Fj
		mov	eax, [esi+60h]
		mov	[ebp+var_1A4], eax
		mov	eax, [esi+64h]
		mov	[ebp+var_19C], eax

loc_9AF12E:				; CODE XREF: PopDiagTraceCsResiliencyStats(x)+2Dj
		mov	edi, [esi+90h]
		test	edi, edi
		jnz	short loc_9AF146
		and	[ebp+var_1AC], edi
		and	[ebp+var_1A0], edi
		jmp	short loc_9AF15E
; 

loc_9AF146:				; CODE XREF: PopDiagTraceCsResiliencyStats(x)+49j
		mov	eax, [esi+80h]
		mov	[ebp+var_1AC], eax
		mov	eax, [esi+84h]
		mov	[ebp+var_1A0], eax

loc_9AF15E:				; CODE XREF: PopDiagTraceCsResiliencyStats(x)+57j
		cmp	dword_6B23F8, 5
		jbe	loc_9AF56B
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9AF56B
		mov	eax, _PopWdiCurrentScenarioInstanceId
		xor	ecx, ecx
		mov	[ebp+var_1D8], eax
		mov	eax, dword_6C1F7C
		mov	[ebp+var_1D4], eax
		lea	eax, [ebp+var_1D8]
		mov	[ebp+var_178], eax
		mov	eax, [esi]
		mov	[ebp+var_1B4], eax
		lea	eax, [ebp+var_1B4]
		mov	[ebp+var_168], eax
		mov	eax, [esi+20h]
		mov	[ebp+var_1B8], eax
		lea	eax, [ebp+var_1B8]
		mov	[ebp+var_158], eax
		mov	eax, [esi+30h]
		mov	[ebp+var_1E0], eax
		mov	eax, [esi+34h]
		mov	[ebp+var_1DC], eax
		lea	eax, [ebp+var_1E0]
		mov	[ebp+var_148], eax
		mov	eax, [esi+28h]
		mov	[ebp+var_1E8], eax
		lea	eax, [ebp+var_1E8]
		mov	[ebp+var_138], eax
		mov	eax, [esi+38h]
		mov	[ebp+var_1BC], eax
		lea	eax, [ebp+var_1BC]
		and	[ebp+var_15C], 0
		and	[ebp+var_154], 0
		and	[ebp+var_14C], 0
		and	[ebp+var_144], 0
		and	[ebp+var_13C], 0
		and	[ebp+var_1E4], 0
		and	[ebp+var_134], 0
		and	[ebp+var_12C], 0
		and	[ebp+var_124], 0
		and	[ebp+var_11C], 0
		and	[ebp+var_114], 0
		and	[ebp+var_10C], 0
		and	[ebp+var_104], 0
		and	[ebp+var_FC], 0
		and	[ebp+var_F4], 0
		and	[ebp+var_EC], 0
		and	[ebp+var_E4], 0
		mov	[ebp+var_128], eax
		mov	eax, [esi+3Ch]
		mov	[ebp+var_1C0], eax
		lea	eax, [ebp+var_1C0]
		mov	[ebp+var_118], eax
		mov	eax, [esi+40h]
		mov	[ebp+var_1C4], eax
		lea	eax, [ebp+var_1C4]
		mov	[ebp+var_108], eax
		mov	eax, [esi+44h]
		mov	[ebp+var_1C8], eax
		lea	eax, [ebp+var_1C8]
		push	8
		pop	edx
		mov	[ebp+var_F8], eax
		mov	eax, [esi+8]
		mov	[ebp+var_1F0], eax
		mov	eax, [esi+0Ch]
		push	4
		mov	[ebp+var_174], ecx
		mov	[ebp+var_16C], ecx
		mov	[ebp+var_164], ecx
		pop	ecx
		mov	[ebp+var_1EC], eax
		lea	eax, [ebp+var_1F0]
		mov	[ebp+var_170], edx
		mov	[ebp+var_160], ecx
		mov	[ebp+var_150], ecx
		mov	[ebp+var_140], edx
		mov	[ebp+var_130], edx
		mov	[ebp+var_120], ecx
		mov	[ebp+var_110], ecx
		mov	[ebp+var_100], ecx
		mov	[ebp+var_F0], ecx
		mov	[ebp+var_E8], eax
		mov	[ebp+var_E0], edx
		mov	eax, [esi+18h]
		mov	[ebp+var_1F8], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_1F4], eax
		lea	eax, [ebp+var_1F8]
		mov	[ebp+var_D8], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_200], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_1FC], eax
		lea	eax, [ebp+var_200]
		mov	[ebp+var_C8], eax
		mov	eax, [esi+48h]
		mov	[ebp+var_208], eax
		mov	eax, [esi+4Ch]
		mov	[ebp+var_204], eax
		lea	eax, [ebp+var_208]
		mov	[ebp+var_B8], eax
		mov	eax, [esi+50h]
		mov	[ebp+var_1CC], eax
		lea	eax, [ebp+var_1CC]
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+var_1A4]
		mov	[ebp+var_1A8], eax
		mov	eax, [ebp+var_19C]
		mov	[ebp+var_1A4], eax
		lea	eax, [ebp+var_1A8]
		mov	[ebp+var_98], eax
		mov	eax, [esi+58h]
		and	[ebp+var_DC], 0
		and	[ebp+var_D4], 0
		and	[ebp+var_CC], 0
		and	[ebp+var_C4], 0
		and	[ebp+var_BC], 0
		and	[ebp+var_B4], 0
		and	[ebp+var_AC], 0
		and	[ebp+var_A4], 0
		and	[ebp+var_9C], 0
		and	[ebp+var_94], 0
		and	[ebp+var_8C], 0
		mov	[ebp+var_210], eax
		mov	eax, [esi+5Ch]
		and	[ebp+var_84], 0
		and	[ebp+var_7C], 0
		and	[ebp+var_74], 0
		and	[ebp+var_6C], 0
		mov	[ebp+var_20C], eax
		lea	eax, [ebp+var_210]
		mov	[ebp+var_88], eax
		mov	eax, [esi+68h]
		mov	[ebp+var_218], eax
		mov	eax, [esi+6Ch]
		mov	[ebp+var_214], eax
		lea	eax, [ebp+var_218]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_19C]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+var_1AC]
		mov	[ebp+var_1B0], eax
		mov	eax, [ebp+var_1A0]
		mov	[ebp+var_1AC], eax
		lea	eax, [ebp+var_1B0]
		mov	[ebp+var_58], eax
		mov	eax, [esi+78h]
		mov	[ebp+var_19C], ebx
		xor	ebx, ebx
		mov	[ebp+var_220], eax
		mov	eax, [esi+7Ch]
		mov	[ebp+var_D0], edx
		mov	[ebp+var_C0], edx
		mov	[ebp+var_B0], edx
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_90], edx
		mov	[ebp+var_80], edx
		mov	[ebp+var_70], edx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_21C], eax
		lea	eax, [ebp+var_220]
		mov	[ebp+var_48], eax
		mov	eax, [esi+88h]
		mov	[ebp+var_228], eax
		mov	eax, [esi+8Ch]
		mov	[ebp+var_224], eax
		lea	eax, [ebp+var_228]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_1A0]
		mov	[ebp+var_28], eax
		lea	eax, [esi+98h]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_198]
		push	eax
		push	19h
		push	ebx
		push	ebx
		push	offset loc_41D8C7
		push	offset dword_6B23F8
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_1A0], edi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], 50h
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9AF56B:				; CODE XREF: PopDiagTraceCsResiliencyStats(x)+78j
					; PopDiagTraceCsResiliencyStats(x)+91j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceCsResiliencyStats@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDirectedDripsNotifyAppsAndServices(x, x, x, x)
_PopDiagTraceDirectedDripsNotifyAppsAndServices@16 proc	near
					; CODE XREF: PopDirectedDripsNotifyAppsAndServices(x,x,x)+D8p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_55		= dword	ptr -55h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_5C], 0
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	bl, cl
		jz	loc_9AF639
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_NOTIFY_APPS_SERVICES
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9AF637
		movzx	eax, bl
		xor	edx, edx
		mov	[ebp+var_60], eax
		mov	al, byte ptr _PopWdiCurrentScenarioInstanceId
		mov	byte ptr [ebp+var_55], al
		lea	eax, [ebp+var_55]
		mov	[ebp+var_55+1],	eax
		lea	eax, [ebp+var_60]
		push	4
		pop	ecx
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_5C]
		push	8
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_24], eax
		pop	eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_55+1]
		push	eax
		push	5
		push	edx
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_NOTIFY_APPS_SERVICES
		push	esi
		push	edi
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], 1
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], offset _PopWdiCurrentScenarioInstanceId
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9AF637:				; CODE XREF: PopDiagTraceDirectedDripsNotifyAppsAndServices(x,x,x,x)+42j
		pop	edi
		pop	esi

loc_9AF639:				; CODE XREF: PopDiagTraceDirectedDripsNotifyAppsAndServices(x,x,x,x)+20j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopDiagTraceDirectedDripsNotifyAppsAndServices@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDisplayBurstWin32kCallout(x, x,	x)
_PopDiagTraceDisplayBurstWin32kCallout@12 proc near ; CODE XREF: NtPowerInformation+1725EAp

var_60		= dword	ptr -60h
var_5A		= dword	ptr -5Ah
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+60h+var_4], eax
		cmp	dword_6B23F8, 5
		mov	al, _PopConsoleExternalDisplayConnected
		mov	cl, _PopLidOpened
		jbe	short loc_9AF6D8
		mov	byte ptr [esp+60h+var_5A+1], al
		xor	edx, edx
		lea	eax, [esp+60h+var_5A+1]
		mov	byte ptr [esp+60h+var_5A], cl
		mov	[esp+60h+var_28], eax
		lea	ecx, [esp+60h+var_5A]
		mov	al, [ebp+arg_0]
		mov	byte ptr [esp+60h+var_60], al
		lea	eax, [esp+60h+var_60]
		mov	[esp+60h+var_18], eax
		lea	eax, [esp+60h+var_5A+2]
		push	eax
		push	5
		push	edx
		mov	[esp+6Ch+var_38], ecx
		xor	ecx, ecx
		push	edx
		inc	ecx
		mov	[esp+70h+var_34], edx
		push	offset loc_41E38E
		push	offset dword_6B23F8
		mov	[esp+78h+var_30], ecx
		mov	[esp+78h+var_2C], edx
		mov	[esp+78h+var_24], edx
		mov	[esp+78h+var_20], ecx
		mov	[esp+78h+var_1C], edx
		mov	[esp+78h+var_14], edx
		mov	[esp+78h+var_10], ecx
		mov	[esp+78h+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9AF6D8:				; CODE XREF: PopDiagTraceDisplayBurstWin32kCallout(x,x,x)+28j
		mov	ecx, [esp+60h+var_4]
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_PopDiagTraceDisplayBurstWin32kCallout@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDozeDeferralDecision(x,	x, x, x, x, x, x, x, x)
_PopDiagTraceDozeDeferralDecision@36 proc near ; CODE XREF: PopDeferDoze(x,x,x)+116p

var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_122		= dword	ptr -122h
var_11C		= dword	ptr -11Ch
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_8C		= dword	ptr -8Ch
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= byte ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 150h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp-11Dh], cl
		xor	esi, esi
		mov	ebx, edx
		test	eax, eax
		jz	short loc_9AF742
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	short loc_9AF727
		add	ecx, eax
		test	byte ptr [ecx],	1
		jz	short loc_9AF727
		mov	edi, [ecx+4]
		add	edi, ecx

loc_9AF727:				; CODE XREF: PopDiagTraceDozeDeferralDecision(x,x,x,x,x,x,x,x,x)+30j
					; PopDiagTraceDozeDeferralDecision(x,x,x,x,x,x,x,x,x)+37j
		mov	ecx, [eax+8]
		cmp	[eax+4], esi
		jnz	short loc_9AF73B
		mov	esi, ecx
		add	eax, esi
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jmp	short loc_9AF742
; 

loc_9AF73B:				; CODE XREF: PopDiagTraceDozeDeferralDecision(x,x,x,x,x,x,x,x,x)+44j
		test	ecx, ecx
		jz	short loc_9AF742
		lea	esi, [eax+ecx]

loc_9AF742:				; CODE XREF: PopDiagTraceDozeDeferralDecision(x,x,x,x,x,x,x,x,x)+29j
					; PopDiagTraceDozeDeferralDecision(x,x,x,x,x,x,x,x,x)+50j ...
		cmp	dword_6B23F8, 5
		jbe	loc_9AF982
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9AF982
		movzx	eax, byte ptr [ebp-11Dh]
		mov	[ebp+var_128], eax
		lea	eax, [ebp+var_128]
		mov	[ebp+var_FC], eax
		lea	eax, [ebp+var_12C]
		mov	[ebp+var_EC], eax
		mov	eax, dword_6C2778
		mov	[ebp+var_13C], eax
		mov	eax, dword_6C277C
		and	[ebp+var_F8], 0
		and	[ebp+var_F0], 0
		mov	[ebp+var_138], eax
		lea	eax, [ebp+var_13C]
		mov	[ebp+var_DC], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_144], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_140], eax
		lea	eax, [ebp+var_144]
		mov	[ebp+var_CC], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_14C], eax
		mov	eax, [ebp+arg_10]
		push	4
		pop	edx
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_14C]
		push	8
		pop	ecx
		mov	[ebp+var_BC], eax
		mov	eax, ds:_PopDozeDeferralMaxSeconds
		mov	[ebp+var_130], eax
		lea	eax, [ebp+var_130]
		mov	[ebp+var_F4], edx
		mov	[ebp+var_12C], ebx
		xor	ebx, ebx
		mov	[ebp+var_E4], edx
		mov	[ebp+var_D4], ecx
		mov	[ebp+var_C4], ecx
		mov	[ebp+var_B4], ecx
		lea	ecx, [ebp+var_9C]
		mov	[ebp+var_A4], edx
		mov	edx, esi
		mov	[ebp+var_E8], ebx
		mov	[ebp+var_E0], ebx
		mov	[ebp+var_D8], ebx
		mov	[ebp+var_D0], ebx
		mov	[ebp+var_C8], ebx
		mov	[ebp+var_C0], ebx
		mov	[ebp+var_B8], ebx
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_AC], eax
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_A0], ebx
		call	_tlgCreate1Sz_wchar_t
		mov	edx, edi
		lea	ecx, [ebp+var_8C]
		call	_tlgCreate1Sz_wchar_t
		mov	al, [ebp+arg_14]
		xor	ecx, ecx
		mov	[ebp-11Dh], al
		inc	ecx
		lea	eax, [ebp-11Dh]
		mov	[ebp+var_78], ebx
		mov	[ebp+var_7C], eax
		mov	al, [ebp+arg_18]
		mov	[ebp-11Eh], al
		lea	eax, [ebp-11Eh]
		mov	[ebp+var_6C], eax
		mov	al, byte ptr _PopPlatformRole
		mov	byte ptr [ebp+var_122+3], al
		lea	eax, [ebp+var_122+3]
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], eax
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], ebx
		movzx	eax, byte_6C2E34
		mov	[ebp+var_134], eax
		lea	eax, [ebp+var_134]
		mov	[ebp+var_4C], eax
		mov	al, byte_6C2E33
		mov	byte ptr [ebp+var_122+2], al
		lea	eax, [ebp+var_122+2]
		mov	[ebp+var_3C], eax
		mov	al, byte_6C2E58
		mov	byte ptr [ebp+var_122+1], al
		lea	eax, [ebp+var_122+1]
		mov	[ebp+var_2C], eax
		mov	al, byte ptr dword_6C2E60
		mov	byte ptr [ebp+var_122],	al
		lea	eax, [ebp+var_122]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_11C]
		push	eax
		push	11h
		push	ebx
		push	ebx
		push	offset loc_41DE69
		push	offset dword_6B23F8
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], 4
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9AF982:				; CODE XREF: PopDiagTraceDozeDeferralDecision(x,x,x,x,x,x,x,x,x)+60j
					; PopDiagTraceDozeDeferralDecision(x,x,x,x,x,x,x,x,x)+79j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
_PopDiagTraceDozeDeferralDecision@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxComponentAccounting(x, x, x, x, x, x,	x)
_PopDiagTraceFxComponentAccounting@28 proc near
					; CODE XREF: PopFxStopDeviceAccounting()+194p

var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_15D		= dword	ptr -15Dh
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 198h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_178], edx
		mov	esi, offset ??_C@_11LOCGONAA@@NNGAKEGL@
		mov	[ebp+var_164], ecx
		push	esi
		lea	eax, [ebp+var_16C]
		mov	[ebp+var_16C], ebx
		push	eax
		mov	[ebp+var_168], ebx
		mov	[ebp+var_174], ebx
		mov	[ebp+var_170], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_174]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	bh, bl
		xor	bl, bl
		cmp	_PopDiagHandleRegistered, bl
		jz	loc_9AFD4F
		mov	esi, dword_6C1D74
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_COMPONENT_ACCOUNTING
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_9AFD4F
		mov	al, byte ptr _PopWnfCsEnterScenarioId
		xor	ecx, ecx
		mov	byte ptr [ebp+var_15D],	al
		lea	eax, [ebp+var_15D]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_164]
		push	4
		pop	edx
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_178]
		push	8
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_2C], eax
		pop	eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	5
		push	ecx
		push	offset _POP_ETW_EVENT_COMPONENT_ACCOUNTING
		push	esi
		push	edi
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], 1
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], offset _PopWnfCsEnterScenarioId
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	edi, [ebp+arg_0]
		cmp	dword ptr [edi+8], 0FFFFFFFFh
		jz	loc_9AFD4F
		cmp	_PopDiagFxAccountingTelemetryDisabled, 0
		jnz	loc_9AFD4F
		mov	eax, [ebp+var_164]
		mov	esi, [eax+10h]
		lea	eax, [ebp+var_16C]
		push	eax
		push	5
		pop	edx
		mov	ecx, esi
		call	_PopDiagQueryDevicePropertyString@12 ; PopDiagQueryDevicePropertyString(x,x,x)
		test	eax, eax
		js	short loc_9AFAD9
		mov	bh, 1

loc_9AFAD9:				; CODE XREF: PopDiagTraceFxComponentAccounting(x,x,x,x,x,x,x)+142j
		lea	eax, [ebp+var_174]
		mov	ecx, esi
		push	eax
		push	6
		pop	edx
		call	_PopDiagQueryDevicePropertyString@12 ; PopDiagQueryDevicePropertyString(x,x,x)
		test	eax, eax
		js	short loc_9AFAF0
		mov	bl, 1

loc_9AFAF0:				; CODE XREF: PopDiagTraceFxComponentAccounting(x,x,x,x,x,x,x)+159j
		cmp	dword_6B23F8, 5
		jbe	loc_9AFD2A
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9AFD2A
		mov	eax, _PopWnfCsEnterScenarioId
		lea	edx, [ebp+var_114]
		and	[ebp+var_138], 0
		and	[ebp+var_130], 0
		mov	[ebp+var_184], eax
		mov	eax, dword_6C1D84
		mov	[ebp+var_180], eax
		lea	eax, [ebp+var_184]
		mov	[ebp+var_13C], eax
		mov	eax, [ebp+var_164]
		push	8
		pop	esi
		mov	[ebp+var_134], esi
		movzx	ecx, word ptr [eax+14h]
		mov	eax, [eax+18h]
		mov	[ebp+var_11C], eax
		mov	eax, ecx
		mov	[ebp+var_114], eax
		xor	ecx, ecx
		mov	eax, [ebp+var_178]
		mov	[ebp+var_17C], eax
		lea	eax, [ebp+var_17C]
		mov	[ebp+var_10C], eax
		mov	eax, [edi+18h]
		mov	[ebp+var_18C], eax
		mov	eax, [edi+1Ch]
		mov	[ebp+var_188], eax
		lea	eax, [ebp+var_18C]
		and	[ebp+var_128], 0
		and	[ebp+var_120], 0
		and	[ebp+var_118], 0
		and	[ebp+var_E0], 0
		and	[ebp+var_D8], 0
		mov	[ebp+var_FC], eax
		lea	eax, [edi+28h]
		mov	[ebp+var_EC], eax
		lea	eax, [edi+50h]
		mov	[ebp+var_DC], eax
		mov	eax, [edi+20h]
		mov	[ebp+var_194], eax
		mov	eax, [edi+24h]
		mov	[ebp+var_190], eax
		lea	eax, [ebp+var_194]
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_A4]
		push	2
		mov	[ebp+var_12C], edx
		pop	edx
		mov	[ebp+var_BC], eax
		mov	eax, [ebp+var_168]
		mov	[ebp+var_110], ecx
		mov	[ebp+var_108], ecx
		mov	[ebp+var_100], ecx
		mov	[ebp+var_F8], ecx
		mov	[ebp+var_F0], ecx
		mov	[ebp+var_E8], ecx
		push	28h
		pop	ecx
		mov	[ebp+var_AC], eax
		movzx	eax, word ptr [ebp+var_16C]
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_D4], ecx
		xor	ecx, ecx
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_124], edx
		mov	[ebp+var_104], 4
		mov	[ebp+var_F4], esi
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_C8], ecx
		mov	[ebp+var_C4], esi
		mov	[ebp+var_C0], ecx
		mov	[ebp+var_B8], ecx
		mov	[ebp+var_B4], edx
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_9C], eax
		mov	[ebp+var_98], ecx
		mov	[ebp+var_94], edx
		mov	[ebp+var_90], ecx
		mov	eax, [ebp+var_170]
		mov	[ebp+var_8C], eax
		movzx	eax, word ptr [ebp+var_174]
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_88], ecx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_78], ecx
		mov	[ebp+var_70], ecx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_74], edx
		xor	edx, edx
		mov	[ebp+var_68], edx
		mov	eax, [ecx+4]
		mov	[ebp+var_6C], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_15D+1]
		push	eax
		push	10h
		push	edx
		push	edx
		push	offset loc_41F1C5
		push	offset dword_6B23F8
		mov	[ebp+var_60], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9AFD2A:				; CODE XREF: PopDiagTraceFxComponentAccounting(x,x,x,x,x,x,x)+164j
					; PopDiagTraceFxComponentAccounting(x,x,x,x,x,x,x)+17Dj
		mov	esi, 67696450h
		test	bh, bh
		jz	short loc_9AFD3F
		push	esi
		push	[ebp+var_168]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9AFD3F:				; CODE XREF: PopDiagTraceFxComponentAccounting(x,x,x,x,x,x,x)+39Ej
		test	bl, bl
		jz	short loc_9AFD4F
		push	esi
		push	[ebp+var_170]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9AFD4F:				; CODE XREF: PopDiagTraceFxComponentAccounting(x,x,x,x,x,x,x)+67j
					; PopDiagTraceFxComponentAccounting(x,x,x,x,x,x,x)+87j	...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_PopDiagTraceFxComponentAccounting@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxComponentRegistration(x, x, x, x, x, x, x)
_PopDiagTraceFxComponentRegistration@28	proc near
					; CODE XREF: PopFxTraceDeviceRegistration+E6199p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		movzx	eax, [ebp+arg_4]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_C]
		push	esi
		mov	[ebp+var_24], eax
		xor	esi, esi
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_14], eax
		imul	eax, [ebp+arg_C], arg_10
		push	4
		mov	[ebp+var_68], edx
		pop	edx
		mov	[ebp+var_60], esi
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		push	esi
		push	ecx
		push	dword_6C1D74
		mov	[ebp+var_5C], edx
		push	_PopDiagHandle
		mov	[ebp+var_58], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_PopDiagTraceFxComponentRegistration@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxDevicePreparation(x, x, x, x)
_PopDiagTraceFxDevicePreparation@16 proc near ;	CODE XREF: PoFxPrepareDevice(x,x)+B8p
					; PoFxAbandonDevice(x)+48p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], ecx
		jz	loc_9AFEDB
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_DEVICE_PREPARATION
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_9AFED9
		mov	ecx, [ebp+arg_0]
		movzx	eax, [ebp+arg_4]
		mov	[ebp+var_64], eax
		and	[ebp+var_50], 0
		movzx	edx, word ptr [ecx]
		mov	ax, dx
		and	[ebp+var_48], 0
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_5C]
		and	[ebp+var_40], 0
		and	[ebp+var_38], 0
		and	[ebp+var_30], 0
		and	[ebp+var_28], 0
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_34], eax
		mov	eax, [ecx+4]
		xor	ecx, ecx
		push	ebx
		mov	[ebp+var_24], eax
		mov	eax, edx
		push	4
		pop	ebx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	ecx
		push	offset _POP_ETW_EVENT_DEVICE_PREPARATION
		push	esi
		push	edi
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_2C], 2
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	ebx

loc_9AFED9:				; CODE XREF: PopDiagTraceFxDevicePreparation(x,x,x,x)+41j
		pop	edi
		pop	esi

loc_9AFEDB:				; CODE XREF: PopDiagTraceFxDevicePreparation(x,x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopDiagTraceFxDevicePreparation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxDeviceRegistration(x,	x, x, x, x, x, x, x)
_PopDiagTraceFxDeviceRegistration@32 proc near
					; CODE XREF: PopFxTraceDeviceRegistration+E604Ep

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_85		= dword	ptr -85h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 90h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	al, [ebp+arg_4]
		dec	al
		mov	[ebp+var_8C], edx
		mov	edx, [ebp+arg_C]
		push	ebx
		mov	byte ptr [ebp+var_85], al
		xor	ebx, ebx
		push	esi
		movzx	esi, word ptr [edx]
		mov	ax, si
		mov	[ebp+var_80], ebx
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_85+1],	eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_85]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_44], eax
		mov	eax, [edx+4]
		mov	[ebp+var_34], eax
		mov	eax, esi
		push	edi
		push	4
		pop	edi
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_85+1]
		push	eax
		push	8
		push	ebx
		push	ecx
		push	dword_6C1D74
		mov	[ebp+var_7C], edi
		push	_PopDiagHandle
		mov	[ebp+var_78], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], edi
		mov	[ebp+var_68], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], 1
		mov	[ebp+var_58], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], 2
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], 0Ch
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_PopDiagTraceFxDeviceRegistration@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxDeviceUnregistration(x)
_PopDiagTraceFxDeviceUnregistration@4 proc near	; CODE XREF: PopFxUnregisterDevice(x)+68p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_18], ecx
		push	ebx
		push	ebx
		push	2
		xor	edx, edx
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)
		cmp	_PopDiagHandleRegistered, bl
		jz	short loc_9B005C
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_DEVICE_UNREGISTRATION
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B005A
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	1
		push	ebx
		push	offset _POP_ETW_EVENT_DEVICE_UNREGISTRATION
		push	esi
		push	edi
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B005A:				; CODE XREF: PopDiagTraceFxDeviceUnregistration(x)+47j
		pop	edi
		pop	esi

loc_9B005C:				; CODE XREF: PopDiagTraceFxDeviceUnregistration(x)+29j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceFxDeviceUnregistration@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxPerfRegistration(x, x, x, x)
_PopDiagTraceFxPerfRegistration@16 proc	near
					; CODE XREF: PopFxTracePerfRegistration(x,x)+70p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		lea	eax, [ebp+var_38]
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], eax
		xor	esi, esi
		push	4
		pop	edx
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_30], esi
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	esi
		push	ecx
		push	dword_6C1D74
		mov	[ebp+var_2C], edx
		push	_PopDiagHandle
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopDiagTraceFxPerfRegistration@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxPerfSetRegistration(x, x, x, x, x, x,	x, x, x, x, x, x, x, x,	x)
_PopDiagTraceFxPerfSetRegistration@60 proc near
					; CODE XREF: PopFxTracePerfRegistration(x,x)+1D3p

var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	[ebp+var_C8], edx
		xor	ebx, ebx
		mov	edx, [ebp+arg_20]
		push	edi
		push	4
		pop	edi
		movzx	esi, word ptr [edx]
		mov	ax, si
		mov	[ebp+var_C0], ebx
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_94], eax
		mov	eax, [edx+4]
		mov	[ebp+var_84], eax
		mov	eax, esi
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_18]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_24]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_28]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_24]
		shl	eax, 3
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+arg_2C]
		push	8
		pop	edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_C4]
		push	eax
		mov	[ebp+var_BC], edi
		mov	[ebp+var_B8], ebx
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_AC], edi
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_9C], edi
		mov	[ebp+var_98], ebx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], 2
		mov	[ebp+var_88], ebx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_78], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], edi
		mov	[ebp+var_68], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], edi
		mov	[ebp+var_58], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ebx
		push	0Ch
		push	ebx
		push	ecx
		push	dword_6C1D74
		push	_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	34h
_PopDiagTraceFxPerfSetRegistration@60 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceFxPluginRegistration(x,	x, x, x)
_PopDiagTraceFxPluginRegistration@16 proc near ; CODE XREF: PopDiagTraceFxRundown+B4110p
					; PopFxRegisterPluginEx(x,x,x,x)+353p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	[ebp+var_28], ecx
		push	esi
		mov	esi, offset _POP_ETW_EVENT_PLUGIN_REGISTRATION_RUNDOWN
		test	dl, dl
		jnz	short loc_9B025E
		mov	esi, offset _POP_ETW_EVENT_PLUGIN_REGISTRATION

loc_9B025E:				; CODE XREF: PopDiagTraceFxPluginRegistration(x,x,x,x)+1Dj
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_9B02BA
		push	ebx
		mov	ebx, _PopDiagHandle
		push	edi
		mov	edi, dword_6C1D74
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B02B8
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], 4
		mov	[ebp+var_24], eax
		xor	ecx, ecx
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	ecx
		push	esi
		push	edi
		push	ebx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], 8
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B02B8:				; CODE XREF: PopDiagTraceFxPluginRegistration(x,x,x,x)+45j
		pop	edi
		pop	ebx

loc_9B02BA:				; CODE XREF: PopDiagTraceFxPluginRegistration(x,x,x,x)+2Bj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopDiagTraceFxPluginRegistration@16 endp


;  S U B	R O U T	I N E 


; __stdcall PopDiagTraceIoCoalescingFlush()
_PopDiagTraceIoCoalescingFlush@0 proc near ; CODE XREF:	PopCoalescingNotify()+24p
		push	offset ??_C@_0CJ@NGLEBKHO@PopCoalescing?3?5FLUSH?5notificati@NNGAKEGL@ ; "PopCoalescing: FLUSH notification sent."...
		push	3
		call	_PopPrintEx
		pop	ecx
		pop	ecx
		mov	ecx, offset _POP_ETW_IO_COALESCING_FLUSH
		jmp	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
_PopDiagTraceIoCoalescingFlush@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopDiagTraceIoCoalescingOff()
_PopDiagTraceIoCoalescingOff@0 proc near
					; CODE XREF: PopCoalescingSetActiveState(x):loc_64FB06j
		push	offset ??_C@_0CH@BAMFGFLD@PopCoalescing?3?5OFF?5notification@NNGAKEGL@
		push	3
		call	_PopPrintEx
		pop	ecx
		pop	ecx
		mov	ecx, offset _POP_ETW_IO_COALESCING_OFF
		jmp	_PopDiagTraceEventNoPayload@4 ;	PopDiagTraceEventNoPayload(x)
_PopDiagTraceIoCoalescingOff@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceIoCoalescingOn(x, x, x,	x)
_PopDiagTraceIoCoalescingOn@16 proc near ; CODE	XREF: PopCoalescingSetActiveState(x)+73p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	[ebp+arg_4]
		mov	edx, _PopCoalescingFlushInterval
		mov	ecx, _PopCoalescingTimerInterval
		mov	eax, ds:_PopCurrentCoalescingSpindownTimeout
		push	edx
		push	ecx
		push	eax
		push	offset ??_C@_0HF@KKFAOMK@PopCoalescing?3?5ON?5notification?5@NNGAKEGL@
		push	3
		mov	[ebp+var_48], edx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], eax
		call	_PopPrintEx
		add	esp, 18h
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_9B03B5
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_IO_COALESCING_ON
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B03B2
		lea	eax, [ebp+var_4C]
		xor	edx, edx
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_48]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B03B2:				; CODE XREF: PopDiagTraceIoCoalescingOn(x,x,x,x)+68j
		pop	edi
		pop	esi
		pop	ebx

loc_9B03B5:				; CODE XREF: PopDiagTraceIoCoalescingOn(x,x,x,x)+48j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopDiagTraceIoCoalescingOn@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceMonitorOnWithLidClosed(x)
_PopDiagTraceMonitorOnWithLidClosed@4 proc near	; CODE XREF: PopMonitorInvocation+A94ACp

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7B		= byte ptr -7Bh
var_7A		= byte ptr -7Ah
var_79		= dword	ptr -79h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	dword_6C2D0C, 0
		mov	dl, _PopConsoleExternalDisplayConnected
		push	ebx
		push	esi
		setz	bl
		mov	esi, ecx
		cmp	_PopLidOpened, 0
		push	edi
		jnz	loc_9B04BA
		test	dl, dl
		jnz	loc_9B04BA
		cmp	dword_6B23F8, 5
		jbe	loc_9B04BA
		push	4000h
		mov	edi, offset dword_6B23F8
		push	0
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9B04BA
		lea	eax, [ebp+var_79]
		mov	[ebp+var_80], esi
		mov	[ebp+var_58], eax
		xor	edx, edx
		lea	eax, [ebp-7Ah]
		mov	byte ptr [ebp+var_79], dl
		mov	[ebp+var_48], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_80]
		mov	[ebp+var_54], edx
		mov	[ebp+var_38], eax
		inc	ecx
		lea	eax, [ebp-7Bh]
		mov	[ebp+var_50], ecx
		mov	[ebp+var_28], eax
		mov	eax, _PopWnfCsEnterScenarioId
		mov	[ebp+var_88], eax
		mov	eax, dword_6C1D84
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_79+1]
		push	eax
		push	7
		push	edx
		push	edx
		push	offset loc_41DDD7
		push	edi
		mov	[ebp+var_4C], edx
		mov	[ebp+var_7A], dl
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], 4
		mov	[ebp+var_2C], edx
		mov	[ebp+var_7B], bl
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9B04BA:				; CODE XREF: PopDiagTraceMonitorOnWithLidClosed(x)+31j
					; PopDiagTraceMonitorOnWithLidClosed(x)+39j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceMonitorOnWithLidClosed@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTracePassiveCooling(x, x, x,	x, x)
_PopDiagTracePassiveCooling@20 proc near ; CODE	XREF: PopThermalWorker+8AB99p
					; PopThermalWorker+8ABB8p ...

var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		xor	eax, eax
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_CC], eax
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_C0], eax
		mov	[ebp+var_DC], eax
		mov	[ebp+var_D8], eax
		mov	[ebp+var_C8], eax
		mov	[ebp+var_C4], eax
		cmp	_PopDiagHandleRegistered, al
		jz	loc_9B073A
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jnz	short loc_9B053C
		push	offset _POP_ETW_EVENT_PASSIVE_COOLING_DIAGNOSTIC
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_9B073A

loc_9B053C:				; CODE XREF: PopDiagTracePassiveCooling(x,x,x,x,x)+53j
		cmp	esi, 1
		jnz	short loc_9B055F
		push	offset _POP_ETW_EVENT_PASSIVE_COOLING_OPERATIONAL
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_9B073A

loc_9B055F:				; CODE XREF: PopDiagTracePassiveCooling(x,x,x,x,x)+76j
		test	esi, esi
		jz	short loc_9B056C
		cmp	esi, 1
		jnz	loc_9B073A

loc_9B056C:				; CODE XREF: PopDiagTracePassiveCooling(x,x,x,x,x)+98j
		mov	edx, 67446F50h
		mov	ecx, edi
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	edi, eax
		test	edi, edi
		jz	short loc_9B0589
		mov	ecx, [edi+0B0h]
		mov	edx, [ecx+14h]
		jmp	short loc_9B058B
; 

loc_9B0589:				; CODE XREF: PopDiagTracePassiveCooling(x,x,x,x,x)+B3j
		xor	edx, edx

loc_9B058B:				; CODE XREF: PopDiagTracePassiveCooling(x,x,x,x,x)+BEj
		test	edx, edx
		jz	loc_9B072A
		mov	cx, [edx+48h]
		and	[ebp+var_B8], 0
		and	[ebp+var_B0], 0
		shr	cx, 1
		movzx	eax, cx
		mov	[ebp+var_C0], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_BC], eax
		mov	[ebp+var_B4], 2
		mov	eax, [edx+4Ch]
		xor	edx, edx
		mov	[ebp+var_AC], eax
		movzx	eax, cx
		add	eax, eax
		mov	[ebp+var_A8], edx
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_D4]
		push	eax
		mov	[ebp+var_A0], edx
		mov	[ebp+var_D4], edx
		mov	[ebp+var_D0], edx
		call	KeQuerySystemTime
		lea	eax, [ebp+var_DC]
		push	eax
		lea	eax, [ebp+var_D4]
		push	eax
		call	_ExSystemTimeToLocalTime@8 ; ExSystemTimeToLocalTime(x,x)
		xor	ecx, ecx
		mov	[ebp+var_94], 8
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_98], ecx
		mov	[ebp+var_9C], eax
		xor	eax, eax
		cmp	[ebp+arg_0], al
		push	0Ah
		setnz	al
		mov	[ebp+var_90], ecx
		movzx	eax, ax
		xor	edx, edx
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_8C], eax
		mov	eax, [ebx+14h]
		mov	[ebp+var_88], ecx
		mov	[ebp+var_80], ecx
		pop	ecx
		div	ecx
		xor	edx, edx
		and	[ebp+var_78], 0
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_7C], eax
		mov	eax, [ebx+10h]
		div	ecx
		and	[ebp+var_70], 0
		xor	edx, edx
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_6C], eax
		lea	eax, [ebx+4]
		mov	[ebp+var_5C], eax
		lea	eax, [ebx+8]
		push	4
		pop	ecx
		mov	[ebp+var_4C], eax
		lea	eax, [ebx+0Ch]
		mov	[ebp+var_84], 2
		mov	[ebp+var_74], 4
		mov	[ebp+var_68], edx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_2C], eax
		lea	eax, [ebx+50h]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		push	eax
		push	0Bh
		push	edx
		test	esi, esi
		jnz	short loc_9B0714
		push	offset _POP_ETW_EVENT_PASSIVE_COOLING_DIAGNOSTIC
		jmp	short loc_9B0719
; 

loc_9B0714:				; CODE XREF: PopDiagTracePassiveCooling(x,x,x,x,x)+242j
		push	offset _POP_ETW_EVENT_PASSIVE_COOLING_OPERATIONAL

loc_9B0719:				; CODE XREF: PopDiagTracePassiveCooling(x,x,x,x,x)+249j
		push	dword_6C1D74
		push	_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B072A:				; CODE XREF: PopDiagTracePassiveCooling(x,x,x,x,x)+C4j
		test	edi, edi
		jz	short loc_9B073A
		mov	edx, 67446F50h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_9B073A:				; CODE XREF: PopDiagTracePassiveCooling(x,x,x,x,x)+48j
					; PopDiagTracePassiveCooling(x,x,x,x,x)+6Dj ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PopDiagTracePassiveCooling@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTracePowerButtonBugcheck(x)
_PopDiagTracePowerButtonBugcheck@4 proc	near ; CODE XREF: PopPowerButtonWorkCallback(x)+158p

var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EA		= dword	ptr -0EAh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 124h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		cmp	ecx, 1B58h
		jnz	loc_9B092E
		xor	ebx, ebx
		inc	ebx
		mov	cl, bl
		call	_PopRecordLongPowerButtonPressDetected@4 ; PopRecordLongPowerButtonPressDetected(x)
		cmp	dword_6B23F8, 5
		jbe	loc_9B0B26
		push	4000h
		xor	esi, esi
		mov	edi, offset dword_6B23F8
		push	esi
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9B0B26
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_F0], 1B58h
		mov	[ebp+var_C8], eax
		mov	eax, dword_6BFD68
		mov	[ebp+var_F4], eax
		lea	eax, [ebp+var_F4]
		mov	[ebp+var_B8], eax
		mov	eax, dword_6BFD64
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_F8]
		mov	[ebp+var_A8], eax
		mov	al, byte_6BFDA8
		mov	byte ptr [ebp+var_EA+1], al
		lea	eax, [ebp+var_EA+1]
		mov	[ebp+var_98], eax
		mov	eax, dword_6BFD70
		mov	[ebp+var_118], eax
		mov	eax, dword_6BFD74
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_118]
		mov	[ebp+var_88], eax
		mov	eax, dword_6BFD78
		mov	[ebp+var_FC], eax
		lea	eax, [ebp+var_FC]
		mov	[ebp+var_78], eax
		mov	eax, dword_6BFD7C
		mov	[ebp+var_100], eax
		lea	eax, [ebp+var_100]
		mov	[ebp+var_68], eax
		mov	eax, dword_6BFD80
		mov	[ebp+var_120], eax
		mov	eax, dword_6BFD84
		mov	[ebp+var_11C], eax
		lea	eax, [ebp+var_120]
		mov	[ebp+var_58], eax
		mov	eax, dword_6BFDAC
		mov	[ebp+var_104], eax
		lea	eax, [ebp+var_104]
		mov	[ebp+var_48], eax
		mov	al, byte_6BFDB8
		mov	byte ptr [ebp+var_EA], al
		lea	eax, [ebp+var_EA]
		mov	[ebp+var_38], eax
		mov	eax, dword_6BFDB0
		push	4
		pop	ecx
		mov	[ebp+var_108], eax
		lea	eax, [ebp+var_108]
		mov	[ebp+var_28], eax
		mov	eax, dword_6BFDB4
		push	8
		pop	edx
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_10C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_EA+2]
		push	eax
		push	0Eh
		push	esi
		push	esi
		mov	[ebp+var_C4], esi
		mov	[ebp+var_C0], ecx
		mov	[ebp+var_BC], esi
		mov	[ebp+var_B4], esi
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_AC], esi
		mov	[ebp+var_A4], esi
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_9C], esi
		mov	[ebp+var_94], esi
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], esi
		mov	[ebp+var_84], esi
		mov	[ebp+var_80], edx
		mov	[ebp+var_7C], esi
		mov	[ebp+var_74], esi
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], esi
		push	offset loc_41F4D3
		jmp	loc_9B0AEA
; 

loc_9B092E:				; CODE XREF: PopDiagTracePowerButtonBugcheck(x)+1Ej
		mov	ebx, 3A98h
		cmp	ecx, ebx
		jnz	loc_9B0B26
		cmp	dword_6B23F8, 5
		jbe	loc_9B0B26
		push	8000h
		xor	esi, esi
		mov	edi, offset dword_6B23F8
		push	esi
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9B0B26
		lea	eax, [ebp+var_10C]
		mov	[ebp+var_10C], ebx
		mov	[ebp+var_C8], eax
		xor	ebx, ebx
		mov	eax, dword_6BFD68
		inc	ebx
		mov	[ebp+var_108], eax
		lea	eax, [ebp+var_108]
		mov	[ebp+var_B8], eax
		mov	eax, dword_6BFD64
		mov	[ebp+var_104], eax
		lea	eax, [ebp+var_104]
		mov	[ebp+var_A8], eax
		mov	al, byte_6BFDA8
		mov	byte ptr [ebp+var_EA], al
		lea	eax, [ebp+var_EA]
		mov	[ebp+var_98], eax
		mov	eax, dword_6BFD70
		mov	[ebp+var_120], eax
		mov	eax, dword_6BFD74
		mov	[ebp+var_11C], eax
		lea	eax, [ebp+var_120]
		mov	[ebp+var_88], eax
		mov	eax, dword_6BFD78
		mov	[ebp+var_100], eax
		lea	eax, [ebp+var_100]
		mov	[ebp+var_78], eax
		mov	eax, dword_6BFD7C
		mov	[ebp+var_FC], eax
		lea	eax, [ebp+var_FC]
		mov	[ebp+var_68], eax
		mov	eax, dword_6BFD80
		mov	[ebp+var_118], eax
		mov	eax, dword_6BFD84
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_118]
		mov	[ebp+var_58], eax
		mov	eax, dword_6BFDAC
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_F8]
		mov	[ebp+var_48], eax
		mov	al, byte_6BFDB8
		mov	byte ptr [ebp+var_EA+1], al
		lea	eax, [ebp+var_EA+1]
		mov	[ebp+var_38], eax
		mov	eax, dword_6BFDB0
		push	4
		pop	ecx
		mov	[ebp+var_F4], eax
		lea	eax, [ebp+var_F4]
		mov	[ebp+var_28], eax
		mov	eax, dword_6BFDB4
		push	8
		pop	edx
		mov	[ebp+var_F0], eax
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_EA+2]
		push	eax
		push	0Eh
		push	esi
		push	esi
		mov	[ebp+var_C4], esi
		mov	[ebp+var_C0], ecx
		mov	[ebp+var_BC], esi
		mov	[ebp+var_B4], esi
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_AC], esi
		mov	[ebp+var_A4], esi
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_9C], esi
		mov	[ebp+var_94], esi
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], esi
		mov	[ebp+var_84], esi
		mov	[ebp+var_80], edx
		mov	[ebp+var_7C], esi
		mov	[ebp+var_74], esi
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], esi
		push	offset loc_41F3AE

loc_9B0AEA:				; CODE XREF: PopDiagTracePowerButtonBugcheck(x)+1DEj
		push	edi
		mov	[ebp+var_64], esi
		mov	[ebp+var_5C], esi
		mov	[ebp+var_60], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_44], esi
		mov	[ebp+var_4C], esi
		mov	[ebp+var_50], edx
		mov	[ebp+var_54], esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9B0B26:				; CODE XREF: PopDiagTracePowerButtonBugcheck(x)+35j
					; PopDiagTracePowerButtonBugcheck(x)+51j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTracePowerButtonBugcheck@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTracePowerStateEvent(x, x)
_PopDiagTracePowerStateEvent@8 proc near ; CODE	XREF: PopTriggerMonitorPowerEvent(x,x)+CEp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ecx
		jz	short loc_9B0BAB
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_POWER_STATE
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B0BA8
		push	4
		pop	ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		xor	edx, edx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B0BA8:				; CODE XREF: PopDiagTracePowerStateEvent(x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx

loc_9B0BAB:				; CODE XREF: PopDiagTracePowerStateEvent(x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTracePowerStateEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceSkipTick(x, x)
_PopDiagTraceSkipTick@8	proc near	; CODE XREF: PoInitSystem+237A2p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	bl, dl
		mov	bh, cl
		jz	short loc_9B0C39
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_SKIP_TICK
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B0C37
		movzx	eax, bh
		xor	edx, edx
		mov	[ebp+var_28], eax
		movzx	eax, bl
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_28]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	offset _POP_ETW_EVENT_SKIP_TICK
		push	esi
		push	edi
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B0C37:				; CODE XREF: PopDiagTraceSkipTick(x,x)+3Cj
		pop	edi
		pop	esi

loc_9B0C39:				; CODE XREF: PopDiagTraceSkipTick(x,x)+1Ej
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceSkipTick@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceSleepStudyBlockerData(x, x)
_PopDiagTraceSleepStudyBlockerData@8 proc near
					; CODE XREF: PopFxLogSocSubsystemMetadata(x,x,x,x)+304p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	_PopDiagSleepStudyHandleRegistered, 0
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		jz	short loc_9B0C8D
		push	esi
		mov	esi, dword_6C1F6C
		push	edi
		mov	edi, _PopDiagSleepStudyHandle
		push	offset _SLEEPSTUDY_EVT_SCENARIO_BLOCKER_DATA
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B0C8B
		push	ebx
		push	[ebp+var_4]
		push	0
		push	offset _SLEEPSTUDY_EVT_SCENARIO_BLOCKER_DATA
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B0C8B:				; CODE XREF: PopDiagTraceSleepStudyBlockerData(x,x)+31j
		pop	edi
		pop	esi

loc_9B0C8D:				; CODE XREF: PopDiagTraceSleepStudyBlockerData(x,x)+13j
		pop	ebx
		leave
		retn
_PopDiagTraceSleepStudyBlockerData@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceSleepStudyStart()
_PopDiagTraceSleepStudyStart@0 proc near ; CODE	XREF: PopSleepstudyStartNextSession+A6DC7p
					; PopSleepstudyScenarioStopWorker(x):loc_9BE7DCp

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_85		= dword	ptr -85h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_94], esi
		mov	[ebp+var_90], esi
		jz	loc_9B0DBF
		push	edi
		mov	edi, offset _POP_ETW_EVENT_SPM_SCENARIO_START
		push	edi
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_9B0DBE
		lea	eax, [ebp+var_94]
		push	eax
		call	KeQuerySystemTime
		mov	eax, _PopWdiCurrentScenario
		xor	edx, edx
		mov	[ebp+var_85+1],	eax
		mov	cl, 1
		mov	al, byte ptr _PopWdiCurrentScenarioInstanceId
		mov	byte ptr [ebp+var_85], al
		lea	eax, [ebp+var_85]
		mov	[ebp+var_80], esi
		mov	[ebp+var_7C], 10h
		mov	[ebp+var_78], esi
		mov	[ebp+var_74], eax
		mov	[ebp+var_70], esi
		mov	[ebp+var_6C], 1
		mov	[ebp+var_68], esi
		call	_PopGetModernStandbyTransitionReason@8 ; PopGetModernStandbyTransitionReason(x,x)
		push	4
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_64], eax
		pop	eax
		push	8
		pop	ecx
		mov	[ebp+var_5C], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_85+1]
		push	eax
		push	ecx
		push	offset _PopDiagActivityId
		push	edi
		push	dword_6C1D74
		mov	[ebp+var_60], esi
		push	_PopDiagHandle
		mov	[ebp+var_58], esi
		mov	[ebp+var_54], offset _PopCsConsumption
		mov	[ebp+var_50], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_44], offset dword_6D4590
		mov	[ebp+var_40], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], offset _PopWdiCurrentScenarioInstanceId
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], 0FFDF02C4h
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B0DBE:				; CODE XREF: PopDiagTraceSleepStudyStart()+4Bj
		pop	edi

loc_9B0DBF:				; CODE XREF: PopDiagTraceSleepStudyStart()+2Bj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceSleepStudyStart@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceSleepStudyStop()
_PopDiagTraceSleepStudyStop@0 proc near	; CODE XREF: PopSleepstudyScenarioStopWorker(x)+3Dp

var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 200h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		jz	loc_9B1194
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_SPM_SCENARIO_STOP
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_9B1192
		movzx	eax, byte_6C1E1C
		xor	edx, edx
		movzx	ecx, byte_6C1E1D
		inc	edx
		and	eax, edx
		mov	[ebp+var_14C], edx
		mov	[ebp+var_1E8], eax
		mov	eax, ecx
		and	eax, edx
		mov	[ebp+var_1E4], offset _PopWdiScenarioStopEventData
		mov	[ebp+var_1F0], eax
		mov	eax, ecx
		shr	eax, 1
		and	eax, edx
		shr	ecx, 2
		mov	[ebp+var_1EC], eax
		and	ecx, edx
		movzx	eax, byte_6C1E6D
		mov	[ebp+var_200], eax
		movzx	eax, byte_6C1E6C
		mov	[ebp+var_1F8], eax
		movzx	eax, byte_6C1E4C
		push	ebx
		mov	[ebp+var_1FC], eax
		xor	eax, eax
		push	4
		pop	ebx
		mov	[ebp+var_1E0], eax
		mov	[ebp+var_1D8], eax
		mov	[ebp+var_1D0], eax
		mov	[ebp+var_1C8], eax
		lea	eax, [ebp+var_1E8]
		push	8
		mov	[ebp+var_1C4], eax
		xor	eax, eax
		xor	edx, edx
		mov	[ebp+var_1F4], ecx
		pop	ecx
		mov	[ebp+var_1DC], ebx
		mov	[ebp+var_1D4], offset unk_6C1DC8
		mov	[ebp+var_1CC], ecx
		mov	[ebp+var_1C0], eax
		mov	[ebp+var_1BC], ebx
		mov	[ebp+var_1B8], eax
		mov	[ebp+var_1B4], offset unk_6C1E20
		mov	[ebp+var_1B0], eax
		mov	[ebp+var_1AC], ecx
		mov	[ebp+var_1A8], eax
		mov	[ebp+var_1A4], offset unk_6C1E28
		mov	[ebp+var_1A0], eax
		mov	[ebp+var_19C], ecx
		mov	[ebp+var_198], eax
		mov	[ebp+var_194], offset unk_6C1E30
		mov	[ebp+var_190], eax
		mov	[ebp+var_18C], ecx
		mov	[ebp+var_188], eax
		mov	[ebp+var_184], offset unk_6C1DC0
		mov	[ebp+var_180], eax
		mov	[ebp+var_17C], ecx
		mov	[ebp+var_178], eax
		mov	[ebp+var_174], offset unk_6C1DBC
		mov	[ebp+var_170], eax
		mov	[ebp+var_16C], ebx
		mov	[ebp+var_168], eax
		mov	[ebp+var_164], offset unk_6C1E00
		mov	[ebp+var_160], eax
		mov	[ebp+var_15C], ecx
		mov	[ebp+var_158], eax
		mov	[ebp+var_154], offset unk_6C1E40
		mov	[ebp+var_150], eax
		mov	[ebp+var_148], edx
		mov	[ebp+var_144], offset unk_6C1DB8
		mov	[ebp+var_140], edx
		mov	[ebp+var_13C], ebx
		mov	[ebp+var_138], edx
		mov	[ebp+var_134], offset unk_6C1DF8
		mov	[ebp+var_130], edx
		mov	[ebp+var_12C], ecx
		mov	[ebp+var_128], edx
		mov	[ebp+var_124], offset unk_6C1E18
		mov	[ebp+var_120], edx
		lea	eax, [ebp+var_1EC]
		mov	[ebp+var_11C], ebx
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_1F0]
		mov	[ebp+var_104], eax
		lea	eax, [ebp+var_1F4]
		mov	[ebp+var_E4], eax
		lea	eax, [ebp+var_1F8]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_1FC]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_200]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_1E4]
		push	eax
		push	1Eh
		push	offset _PopDiagActivityId
		mov	[ebp+var_118], edx
		mov	[ebp+var_110], edx
		mov	[ebp+var_10C], ebx
		mov	[ebp+var_108], edx
		mov	[ebp+var_100], edx
		mov	[ebp+var_FC], ebx
		mov	[ebp+var_F8], edx
		mov	[ebp+var_F4], offset unk_6C1E08
		mov	[ebp+var_F0], edx
		mov	[ebp+var_EC], ecx
		mov	[ebp+var_E8], edx
		mov	[ebp+var_E0], edx
		mov	[ebp+var_DC], ebx
		mov	[ebp+var_D8], edx
		mov	[ebp+var_D4], offset unk_6C1E44
		mov	[ebp+var_D0], edx
		mov	[ebp+var_CC], ebx
		mov	[ebp+var_C8], edx
		mov	[ebp+var_C4], offset unk_6C1E48
		mov	[ebp+var_C0], edx
		mov	[ebp+var_BC], ebx
		mov	[ebp+var_B8], edx
		mov	[ebp+var_B4], offset unk_6C1E50
		mov	[ebp+var_B0], edx
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_A8], edx
		mov	[ebp+var_A4], offset unk_6C1E54
		mov	[ebp+var_A0], edx
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_98], edx
		mov	[ebp+var_94], offset unk_6C1E58
		mov	[ebp+var_90], edx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_88], edx
		mov	[ebp+var_84], offset unk_6C1DA8
		mov	[ebp+var_80], edx
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_78], edx
		mov	[ebp+var_74], offset unk_6C1DB0
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], edx
		mov	[ebp+var_64], offset unk_6C1E68
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], offset unk_6C1E70
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], offset unk_6C1E74
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], edx
		push	offset _POP_ETW_EVENT_SPM_SCENARIO_STOP
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	ebx

loc_9B1192:				; CODE XREF: PopDiagTraceSleepStudyStop()+3Ej
		pop	edi
		pop	esi

loc_9B1194:				; CODE XREF: PopDiagTraceSleepStudyStop()+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceSleepStudyStop@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceSystemIdleAction(x, x, x)
_PopDiagTraceSystemIdleAction@12 proc near
					; CODE XREF: PopExecuteSystemIdleAction(x,x,x)+BAp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	bl, dl
		mov	[ebp+var_3C], ecx
		jz	short loc_9B122C
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_SIDLE_UPDATE_NOTIFICATION_WORKER
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B122A
		movzx	eax, bl
		xor	edx, edx
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	offset _POP_ETW_EVENT_SIDLE_UPDATE_NOTIFICATION_WORKER
		push	esi
		push	edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B122A:				; CODE XREF: PopDiagTraceSystemIdleAction(x,x,x)+3Dj
		pop	edi
		pop	esi

loc_9B122C:				; CODE XREF: PopDiagTraceSystemIdleAction(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceSystemIdleAction@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceSystemIdleAssessment(x,	x, x)
_PopDiagTraceSystemIdleAssessment@12 proc near ; CODE XREF: PopIsSystemIdle(x,x,x,x)+9Fp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], ecx
		jz	short loc_9B12C7
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_SYSTEM_IDLE_ASSESSMENT
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B12C4
		lea	eax, [ebp+var_38]
		xor	edx, edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_24], eax
		movzx	eax, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B12C4:				; CODE XREF: PopDiagTraceSystemIdleAssessment(x,x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx

loc_9B12C7:				; CODE XREF: PopDiagTraceSystemIdleAssessment(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDiagTraceSystemIdleAssessment@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceSystemIdleContextUpdate(x, x, x, x, x)
_PopDiagTraceSystemIdleContextUpdate@20	proc near
					; CODE XREF: PopUpdateSystemIdleContext(x)+126p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], ecx
		jz	loc_9B137C
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_SYSTEM_IDLE_CONTEXT_UPDATE
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B1379
		lea	eax, [ebp+var_58]
		xor	edx, edx
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_4]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B1379:				; CODE XREF: PopDiagTraceSystemIdleContextUpdate(x,x,x,x,x)+43j
		pop	edi
		pop	esi
		pop	ebx

loc_9B137C:				; CODE XREF: PopDiagTraceSystemIdleContextUpdate(x,x,x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PopDiagTraceSystemIdleContextUpdate@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceSystemIdleEventAssessment(x, x,	x, x, x)
_PopDiagTraceSystemIdleEventAssessment@20 proc near
					; CODE XREF: PopAssessSystemIdleEvent(x,x,x)+8Bp

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], ecx
		jz	loc_9B1438
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_SYSTEM_IDLE_EVENT_ASSESSMENT
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B1435
		lea	eax, [ebp+var_58]
		xor	edx, edx
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		movzx	eax, [ebp+arg_4]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_60]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B1435:				; CODE XREF: PopDiagTraceSystemIdleEventAssessment(x,x,x,x,x)+43j
		pop	edi
		pop	esi
		pop	ebx

loc_9B1438:				; CODE XREF: PopDiagTraceSystemIdleEventAssessment(x,x,x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PopDiagTraceSystemIdleEventAssessment@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceThermalRequestActiveUpdate(x)
_PopDiagTraceThermalRequestActiveUpdate@4 proc near
					; CODE XREF: PoSetThermalActiveCooling(x,x)+70p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	ebx, ecx
		jz	short loc_9B14C8
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_THERMAL_REQUEST_ACTIVE_UPDATE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B14C6
		xor	eax, eax
		mov	[ebp+var_2C], ebx
		cmp	[ebx+9], al
		push	4
		setnz	al
		xor	edx, edx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_28]
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edx
		push	offset _POP_ETW_EVENT_THERMAL_REQUEST_ACTIVE_UPDATE
		push	esi
		push	edi
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B14C6:				; CODE XREF: PopDiagTraceThermalRequestActiveUpdate(x)+3Aj
		pop	edi
		pop	esi

loc_9B14C8:				; CODE XREF: PopDiagTraceThermalRequestActiveUpdate(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceThermalRequestActiveUpdate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceThermalRequestPassiveUpdate(x)
_PopDiagTraceThermalRequestPassiveUpdate@4 proc	near
					; CODE XREF: PoSetThermalPassiveCooling(x,x)+73p

var_2C		= dword	ptr -2Ch
var_25		= dword	ptr -25h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		mov	ebx, ecx
		jz	short loc_9B1557
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_THERMAL_REQUEST_PASSIVE_UPDATE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B1555
		mov	al, [ebx+8]
		xor	ecx, ecx
		mov	byte ptr [ebp+var_25], al
		lea	eax, [ebp+var_25]
		mov	[ebp+var_25+1],	eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_25+1]
		push	eax
		push	2
		push	ecx
		push	offset _POP_ETW_EVENT_THERMAL_REQUEST_PASSIVE_UPDATE
		push	esi
		push	edi
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], 1
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B1555:				; CODE XREF: PopDiagTraceThermalRequestPassiveUpdate(x)+3Aj
		pop	edi
		pop	esi

loc_9B1557:				; CODE XREF: PopDiagTraceThermalRequestPassiveUpdate(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceThermalRequestPassiveUpdate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceTripPointExceeded(x, x,	x, x)
_PopDiagTraceTripPointExceeded@16 proc near
					; CODE XREF: PopDiagTraceUsermodeTripPointExceeded(x,x,x,x)+2Cp
					; PopDiagTraceUsermodeTripPointExceeded(x,x,x,x)+39p ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, edx
		push	edi
		mov	di, cx
		mov	word ptr [ebp+var_48], di
		jz	loc_9B161C
		push	esi
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B161C
		and	[ebp+var_40], 0
		lea	eax, [ebp+var_48]
		and	[ebp+var_38], 0
		mov	[ebp+var_44], eax
		movzx	eax, di
		add	eax, eax
		mov	[ebp+var_34], ebx
		xor	ebx, ebx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_3C], 2
		push	eax
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		call	KeQuerySystemTime
		push	4
		lea	eax, [ebp+var_50]
		mov	[ebp+var_20], ebx
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	ebx
		push	esi
		push	dword_6C1D74
		mov	[ebp+var_1C], 8
		push	_PopDiagHandle
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B161C:				; CODE XREF: PopDiagTraceTripPointExceeded(x,x,x,x)+28j
					; PopDiagTraceTripPointExceeded(x,x,x,x)+42j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopDiagTraceTripPointExceeded@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceUmpoAlpcProcessingError(x)
_PopDiagTraceUmpoAlpcProcessingError@4 proc near ; CODE	XREF: PopUmpoProcessMessages+EEp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	dword_6B23F8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_9B168E
		push	4000h
		xor	edi, edi
		mov	ebx, offset dword_6B23F8
		push	edi
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9B168E
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_3C], esi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	edi
		push	edi
		push	offset loc_41E0E7
		push	ebx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9B168E:				; CODE XREF: PopDiagTraceUmpoAlpcProcessingError(x)+1Ej
					; PopDiagTraceUmpoAlpcProcessingError(x)+36j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceUmpoAlpcProcessingError@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceUsermodeThermalEvent(x)
_PopDiagTraceUsermodeThermalEvent@4 proc near
					; CODE XREF: PopThermalProcessUsermodeEvent(x)+10p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		push	esi
		mov	esi, ecx
		jz	loc_9B1748
		push	ebx
		mov	ebx, _PopDiagHandle
		push	edi
		mov	edi, dword_6C1D74
		push	offset _POP_ETW_EVENT_THERMAL_EVENT
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B1746
		lea	ecx, [esi+0Ch]
		mov	[ebp+var_4C], 2
		lea	eax, [esi+0Eh]
		mov	[ebp+var_54], ecx
		mov	[ebp+var_44], eax
		xor	edx, edx
		movzx	eax, word ptr [ecx]
		add	eax, eax
		mov	[ebp+var_50], edx
		mov	[ebp+var_3C], eax
		lea	eax, [esi+4]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [esi+8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		push	eax
		push	5
		push	edx
		push	offset _POP_ETW_EVENT_THERMAL_EVENT
		push	edi
		push	ebx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B1746:				; CODE XREF: PopDiagTraceUsermodeThermalEvent(x)+3Ej
		pop	edi
		pop	ebx

loc_9B1748:				; CODE XREF: PopDiagTraceUsermodeThermalEvent(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDiagTraceUsermodeThermalEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceUsermodeTripPointExceeded(x, x,	x, x)
_PopDiagTraceUsermodeTripPointExceeded@16 proc near
					; CODE XREF: PopThermalProcessUsermodeEvent(x)+29p
					; PopThermalProcessUsermodeEvent(x)+75p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		jz	short loc_9B1773
		mov	esi, offset _POP_ETW_EVENT_CRITICAL_TRIP_POINT_SYSTEM
		mov	eax, offset _POP_ETW_EVENT_CRITICAL_TRIP_POINT_DIAGNOSTIC
		jmp	short loc_9B177D
; 

loc_9B1773:				; CODE XREF: PopDiagTraceUsermodeTripPointExceeded(x,x,x,x)+10j
		mov	esi, offset _POP_ETW_EVENT_S4_TRIP_POINT_SYSTEM
		mov	eax, offset _POP_ETW_EVENT_S4_TRIP_POINT_DIAGNOSTIC

loc_9B177D:				; CODE XREF: PopDiagTraceUsermodeTripPointExceeded(x,x,x,x)+1Cj
		push	eax
		push	[ebp+arg_0]
		call	_PopDiagTraceTripPointExceeded@16 ; PopDiagTraceTripPointExceeded(x,x,x,x)
		push	esi
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, ebx
		call	_PopDiagTraceTripPointExceeded@16 ; PopDiagTraceTripPointExceeded(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_PopDiagTraceUsermodeTripPointExceeded@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceZoneCriticalTripPointExceeded(x, x)
_PopDiagTraceZoneCriticalTripPointExceeded@8 proc near
					; CODE XREF: PopCheckAndHandleThermalConditions+829A3p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		jz	loc_9B1855
		mov	esi, dword_6C1D74
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_CRITICAL_TRIP_POINT_DIAGNOSTIC
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	short loc_9B17E1
		push	offset _POP_ETW_EVENT_CRITICAL_TRIP_POINT_SYSTEM
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B1855

loc_9B17E1:				; CODE XREF: PopDiagTraceZoneCriticalTripPointExceeded(x,x)+35j
		mov	edx, 67446F50h
		mov	ecx, ebx
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_9B17FE
		mov	ecx, [esi+0B0h]
		mov	edi, [ecx+14h]
		jmp	short loc_9B1800
; 

loc_9B17FE:				; CODE XREF: PopDiagTraceZoneCriticalTripPointExceeded(x,x)+57j
		xor	edi, edi

loc_9B1800:				; CODE XREF: PopDiagTraceZoneCriticalTripPointExceeded(x,x)+62j
		test	edi, edi
		jz	short loc_9B1845
		mov	ebx, [ebp+var_4]
		xor	edx, edx
		push	offset _POP_ETW_EVENT_CRITICAL_TRIP_POINT_DIAGNOSTIC
		push	0Ah
		pop	ecx
		mov	eax, [ebx+1Ch]
		div	ecx
		movzx	ecx, word ptr [edi+48h]
		mov	edx, [edi+4Ch]
		push	eax
		shr	cx, 1
		call	_PopDiagTraceTripPointExceeded@16 ; PopDiagTraceTripPointExceeded(x,x,x,x)
		mov	eax, [ebx+1Ch]
		xor	edx, edx
		push	offset _POP_ETW_EVENT_CRITICAL_TRIP_POINT_SYSTEM
		push	0Ah
		pop	ecx
		div	ecx
		movzx	ecx, word ptr [edi+48h]
		mov	edx, [edi+4Ch]
		push	eax
		shr	cx, 1
		call	_PopDiagTraceTripPointExceeded@16 ; PopDiagTraceTripPointExceeded(x,x,x,x)

loc_9B1845:				; CODE XREF: PopDiagTraceZoneCriticalTripPointExceeded(x,x)+68j
		test	esi, esi
		jz	short loc_9B1855
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_9B1855:				; CODE XREF: PopDiagTraceZoneCriticalTripPointExceeded(x,x)+15j
					; PopDiagTraceZoneCriticalTripPointExceeded(x,x)+45j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopDiagTraceZoneCriticalTripPointExceeded@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceZoneS4TripPointExceeded(x, x)
_PopDiagTraceZoneS4TripPointExceeded@8 proc near
					; CODE XREF: PopCheckAndHandleThermalConditions+829B7p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	_PopDiagHandleRegistered, 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		jz	loc_9B1915
		mov	esi, dword_6C1D74
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_CRITICAL_TRIP_POINT_DIAGNOSTIC
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	short loc_9B18A1
		push	offset _POP_ETW_EVENT_CRITICAL_TRIP_POINT_SYSTEM
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B1915

loc_9B18A1:				; CODE XREF: PopDiagTraceZoneS4TripPointExceeded(x,x)+35j
		mov	edx, 67446F50h
		mov	ecx, ebx
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_9B18BE
		mov	ecx, [esi+0B0h]
		mov	edi, [ecx+14h]
		jmp	short loc_9B18C0
; 

loc_9B18BE:				; CODE XREF: PopDiagTraceZoneS4TripPointExceeded(x,x)+57j
		xor	edi, edi

loc_9B18C0:				; CODE XREF: PopDiagTraceZoneS4TripPointExceeded(x,x)+62j
		test	edi, edi
		jz	short loc_9B1905
		mov	ebx, [ebp+var_4]
		xor	edx, edx
		push	offset _POP_ETW_EVENT_S4_TRIP_POINT_DIAGNOSTIC
		push	0Ah
		pop	ecx
		mov	eax, [ebx+4Ch]
		div	ecx
		movzx	ecx, word ptr [edi+48h]
		mov	edx, [edi+4Ch]
		push	eax
		shr	cx, 1
		call	_PopDiagTraceTripPointExceeded@16 ; PopDiagTraceTripPointExceeded(x,x,x,x)
		mov	eax, [ebx+4Ch]
		xor	edx, edx
		push	offset _POP_ETW_EVENT_S4_TRIP_POINT_SYSTEM
		push	0Ah
		pop	ecx
		div	ecx
		movzx	ecx, word ptr [edi+48h]
		mov	edx, [edi+4Ch]
		push	eax
		shr	cx, 1
		call	_PopDiagTraceTripPointExceeded@16 ; PopDiagTraceTripPointExceeded(x,x,x,x)

loc_9B1905:				; CODE XREF: PopDiagTraceZoneS4TripPointExceeded(x,x)+68j
		test	esi, esi
		jz	short loc_9B1915
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_9B1915:				; CODE XREF: PopDiagTraceZoneS4TripPointExceeded(x,x)+15j
					; PopDiagTraceZoneS4TripPointExceeded(x,x)+45j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopDiagTraceZoneS4TripPointExceeded@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFxTracePerfRegistration(x, x)
_PopFxTracePerfRegistration@8 proc near	; CODE XREF: PopFxTraceDeviceRegistration+E61AEp
					; PopFxRegisterComponentPerfStates(x,x,x,x,x,x,x)+3DAp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		mov	bl, dl
		mov	esi, ecx
		mov	[ebp+var_2C], esi
		push	edi
		test	bl, bl
		jz	short loc_9B1937
		mov	edi, offset _POP_ETW_EVENT_PERFORMANCE_STATE_REGISTRATION_RUNDOWN
		jmp	short loc_9B1953
; 

loc_9B1937:				; CODE XREF: PopFxTracePerfRegistration(x,x)+14j
		mov	edx, [esi]
		mov	edi, offset _POP_ETW_EVENT_PERFORMANCE_STATE_REGISTRATION
		push	0
		push	dword ptr [esi+54h]
		mov	ecx, [edx+30h]
		mov	edx, [edx+10h]
		push	0Ch
		mov	ecx, [ecx+1Ch]
		call	_PopFxAddLogEntry@20 ; PopFxAddLogEntry(x,x,x,x,x)

loc_9B1953:				; CODE XREF: PopFxTracePerfRegistration(x,x)+1Bj
		cmp	_PopDiagHandleRegistered, 0
		jz	loc_9B1B1C
		push	edi
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_9B1B1C
		mov	edx, [esi]
		mov	ecx, edi
		push	dword ptr [esi+54h]
		push	dword ptr [edx+10h]
		mov	edx, [edx+30h]
		mov	edx, [edx+1Ch]
		call	_PopDiagTraceFxPerfRegistration@16 ; PopDiagTraceFxPerfRegistration(x,x,x,x)
		mov	eax, offset _POP_ETW_EVENT_PERFORMANCE_STATE_SET_REGISTRATION_RUNDOWN
		test	bl, bl
		jnz	short loc_9B199D
		mov	eax, offset _POP_ETW_EVENT_PERFORMANCE_STATE_SET_REGISTRATION

loc_9B199D:				; CODE XREF: PopFxTracePerfRegistration(x,x)+7Cj
		push	eax
		push	dword_6C1D74
		mov	[ebp+var_24], eax
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_9B1B1C
		mov	eax, [esi+54h]
		xor	edi, edi
		test	eax, eax
		jz	short loc_9B19DF
		mov	ecx, [esi+58h]

loc_9B19C6:				; CODE XREF: PopFxTracePerfRegistration(x,x)+C3j
		mov	edx, [ecx]
		cmp	dword ptr [edx+14h], 0
		jnz	short loc_9B19D7
		mov	edx, [edx+18h]
		cmp	edx, edi
		jbe	short loc_9B19D7
		mov	edi, edx

loc_9B19D7:				; CODE XREF: PopFxTracePerfRegistration(x,x)+B2j
					; PopFxTracePerfRegistration(x,x)+B9j
		add	ecx, 20h
		sub	eax, 1
		jnz	short loc_9B19C6

loc_9B19DF:				; CODE XREF: PopFxTracePerfRegistration(x,x)+A7j
		xor	eax, eax
		mov	[ebp+var_8], eax
		test	edi, edi
		jz	short loc_9B1A24
		push	8
		pop	ecx
		mov	eax, edi
		mul	ecx
		lea	ecx, [ebp+var_28]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_9B1B1C
		mov	ebx, edi
		push	4D584650h
		shl	ebx, 3
		push	ebx
		push	1
		mov	[ebp+var_8], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9B1B1C
		mov	eax, ebx
		jmp	short loc_9B1A26
; 

loc_9B1A24:				; CODE XREF: PopFxTracePerfRegistration(x,x)+CCj
		xor	edi, edi

loc_9B1A26:				; CODE XREF: PopFxTracePerfRegistration(x,x)+108j
		and	[ebp+var_28], 0
		cmp	dword ptr [esi+54h], 0
		jbe	loc_9B1B0D
		xor	edx, edx
		mov	[ebp+var_4], edx

loc_9B1A39:				; CODE XREF: PopFxTracePerfRegistration(x,x)+1EDj
		mov	ecx, [esi+58h]
		mov	ebx, [edx+ecx]
		mov	edx, [ebx+14h]
		mov	[ebp+var_20], edx
		test	edx, edx
		jnz	short loc_9B1A9C
		push	eax		; size_t
		push	edx		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebx+18h]
		add	esp, 0Ch
		xor	edx, edx
		test	eax, eax
		jz	short loc_9B1A7E
		xor	esi, esi

loc_9B1A5F:				; CODE XREF: PopFxTracePerfRegistration(x,x)+15Fj
		mov	ecx, [ebx+1Ch]
		mov	eax, [esi+ecx]
		lea	esi, [esi+10h]
		mov	[edi+edx*8], eax
		mov	eax, [esi+ecx-0Ch]
		mov	[edi+edx*8+4], eax
		inc	edx
		mov	eax, [ebx+18h]
		cmp	edx, eax
		jb	short loc_9B1A5F
		mov	esi, [ebp+var_2C]

loc_9B1A7E:				; CODE XREF: PopFxTracePerfRegistration(x,x)+141j
		and	[ebp+var_1C], 0
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0
		mov	edx, [ebx+14h]
		and	[ebp+var_10], 0
		mov	ecx, [esi+58h]
		mov	[ebp+var_C], edi
		mov	[ebp+var_20], edx
		jmp	short loc_9B1AB9
; 

loc_9B1A9C:				; CODE XREF: PopFxTracePerfRegistration(x,x)+12Dj
		mov	edx, [ebx+18h]
		xor	eax, eax
		and	[ebp+var_C], eax
		mov	[ebp+var_1C], edx
		mov	edx, [ebx+1Ch]
		mov	[ebp+var_18], edx
		mov	edx, [ebx+20h]
		mov	[ebp+var_14], edx
		mov	edx, [ebx+24h]
		mov	[ebp+var_10], edx

loc_9B1AB9:				; CODE XREF: PopFxTracePerfRegistration(x,x)+180j
		mov	edx, [esi]
		mov	esi, [ebp+var_4]
		push	dword ptr [esi+ecx+0Ch]
		push	dword ptr [esi+ecx+8]
		mov	ecx, [ebp+var_24]
		push	[ebp+var_C]
		push	eax
		push	ebx
		push	[ebp+var_10]
		push	[ebp+var_14]
		push	[ebp+var_18]
		push	[ebp+var_1C]
		push	dword ptr [ebx+10h]
		mov	ebx, [ebp+var_28]
		push	[ebp+var_20]
		push	ebx
		push	dword ptr [edx+10h]
		mov	edx, [edx+30h]
		mov	edx, [edx+1Ch]
		call	_PopDiagTraceFxPerfSetRegistration@60 ;	PopDiagTraceFxPerfSetRegistration(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	eax, [ebp+var_8]
		mov	edx, esi
		mov	esi, [ebp+var_2C]
		inc	ebx
		add	edx, 20h
		mov	[ebp+var_28], ebx
		mov	[ebp+var_4], edx
		cmp	ebx, [esi+54h]
		jb	loc_9B1A39

loc_9B1B0D:				; CODE XREF: PopFxTracePerfRegistration(x,x)+114j
		test	edi, edi
		jz	short loc_9B1B1C
		push	4D584650h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9B1B1C:				; CODE XREF: PopFxTracePerfRegistration(x,x)+40j
					; PopFxTracePerfRegistration(x,x)+5Aj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopFxTracePerfRegistration@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopPreCriticalBatteryNotify()
_PopPreCriticalBatteryNotify@0 proc near
		push	2Dh
		pop	ecx
		call	_PopPowerAggregatorForceSessionSwitch@4	; PopPowerAggregatorForceSessionSwitch(x)
		xor	eax, eax
		retn
_PopPreCriticalBatteryNotify@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceEsBgActivityPolicyUpdate(x,	x)
_PopTraceEsBgActivityPolicyUpdate@8 proc near ;	CODE XREF: PopEsInStandbyEvaluate()+A1p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, _PopEsBgActivityPolicy
		mov	esi, ecx
		xor	ebx, ebx
		mov	[esp+88h+var_6C], esi
		cmp	dword_6B23F8, 5
		mov	[esp+88h+var_78], edi
		jbe	short loc_9B1BCD
		push	4000h
		push	ebx
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9B1BCD
		push	4
		pop	ecx
		lea	eax, [esp+88h+var_74]
		mov	[esp+88h+var_74], esi
		mov	[esp+88h+var_28], eax
		lea	eax, [esp+88h+var_70]
		mov	[esp+88h+var_18], eax
		lea	eax, [esp+88h+var_48]
		push	eax
		push	ecx
		push	ebx
		push	ebx
		push	offset loc_41E511
		push	offset dword_6B23F8
		mov	[esp+0A0h+var_24], ebx
		mov	[esp+0A0h+var_20], ecx
		mov	[esp+0A0h+var_1C], ebx
		mov	[esp+0A0h+var_70], edi
		mov	[esp+0A0h+var_14], ebx
		mov	[esp+0A0h+var_10], ecx
		mov	[esp+0A0h+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9B1BCD:				; CODE XREF: PopTraceEsBgActivityPolicyUpdate(x,x)+32j
					; PopTraceEsBgActivityPolicyUpdate(x,x)+46j
		cmp	_PopDiagHandleRegistered, bl
		jz	short loc_9B1C30
		mov	esi, dword_6C1D74
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_BACKGROUND_ACTIVITY_POLICY_UPDATE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B1C30
		push	4
		pop	ecx
		lea	eax, [esp+88h+var_6C]
		mov	[esp+88h+var_64], ebx
		mov	[esp+88h+var_68], eax
		lea	eax, [esp+88h+var_78]
		mov	[esp+88h+var_58], eax
		lea	eax, [esp+88h+var_68]
		push	eax
		push	2
		push	ebx
		push	offset _POP_ETW_EVENT_BACKGROUND_ACTIVITY_POLICY_UPDATE
		push	esi
		push	edi
		mov	[esp+0A0h+var_60], ecx
		mov	[esp+0A0h+var_5C], ebx
		mov	[esp+0A0h+var_54], ebx
		mov	[esp+0A0h+var_50], ecx
		mov	[esp+0A0h+var_4C], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B1C30:				; CODE XREF: PopTraceEsBgActivityPolicyUpdate(x,x)+A7j
					; PopTraceEsBgActivityPolicyUpdate(x,x)+C3j
		mov	ecx, [esp+88h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PopTraceEsBgActivityPolicyUpdate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceInputSuppressionActionUpdate(x, x, x, x, x,	x, x)
_PopTraceInputSuppressionActionUpdate@28 proc near
					; CODE XREF: PopEvaluateInputSuppressionAction()+E4p

var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_B8		= dword	ptr -0B8h
var_B2		= dword	ptr -0B2h
var_AE		= byte ptr -0AEh
var_AC		= dword	ptr -0ACh
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	dword_6B23F8, 5
		push	ebx
		push	esi
		push	edi
		mov	bl, dl
		jbe	loc_9B1D9A
		push	4000h
		xor	esi, esi
		mov	edi, offset dword_6B23F8
		push	esi
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9B1D9A
		mov	al, _PopIgnoreLidStateForInputSuppression
		xor	ecx, ecx
		mov	[ebp-0ADh], al
		inc	ecx
		lea	eax, [ebp-0ADh]
		cmp	[ebp+arg_4], 0
		mov	[ebp+var_8C], eax
		lea	eax, [ebp-0AEh]
		mov	[ebp+var_7C], eax
		setz	byte ptr [ebp+var_B2+1]
		mov	al, [ebp+arg_0]
		mov	byte ptr [ebp+var_B2+3], al
		lea	eax, [ebp+var_B2+3]
		mov	[ebp+var_6C], eax
		mov	al, [ebp+arg_8]
		mov	byte ptr [ebp+var_B2+2], al
		lea	eax, [ebp+var_B2+2]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_B2+1]
		mov	[ebp+var_4C], eax
		mov	al, _PopEnableInputSuppression
		mov	byte ptr [ebp+var_B2], al
		lea	eax, [ebp+var_B2]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_2C], eax
		mov	eax, _PopWnfCsEnterScenarioId
		mov	[ebp+var_C4], eax
		mov	eax, dword_6C1D84
		mov	[ebp+var_C0], eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_AC]
		push	eax
		push	0Ah
		push	esi
		push	esi
		push	offset loc_41E1D0
		push	edi
		mov	[ebp+var_88], esi
		mov	[ebp+var_84], ecx
		mov	[ebp+var_80], esi
		mov	[ebp+var_AE], bl
		mov	[ebp+var_78], esi
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], esi
		mov	[ebp+var_68], esi
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], esi
		mov	[ebp+var_58], esi
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], 4
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], 8
		mov	[ebp+var_10], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9B1D9A:				; CODE XREF: PopTraceInputSuppressionActionUpdate(x,x,x,x,x,x,x)+21j
					; PopTraceInputSuppressionActionUpdate(x,x,x,x,x,x,x)+3Dj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_PopTraceInputSuppressionActionUpdate@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceMonitorOnRequestUserInput(x)
_PopTraceMonitorOnRequestUserInput@4 proc near ; CODE XREF: PopMonitorInvocation+A945Ap

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	dword_6B23F8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_9B1E2D
		push	4000h
		xor	edi, edi
		mov	ebx, offset dword_6B23F8
		push	edi
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9B1E2D
		mov	eax, _PopWdiCurrentScenarioInstanceId
		mov	[ebp+var_58], eax
		mov	eax, dword_6C1F7C
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_58]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	ecx
		push	edi
		push	edi
		push	offset loc_41E08A
		push	ebx
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], 8
		mov	[ebp+var_1C], edi
		mov	[ebp+var_4C], esi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9B1E2D:				; CODE XREF: PopTraceMonitorOnRequestUserInput(x)+1Ej
					; PopTraceMonitorOnRequestUserInput(x)+36j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopTraceMonitorOnRequestUserInput@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceNetRefreshTimerArmed(x, x)
_PopTraceNetRefreshTimerArmed@8	proc near ; CODE XREF: PopNetArmRefreshTimer(x,x,x)+6Cp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_9B1EB5
		push	esi
		mov	esi, dword_6C1D74
		push	edi
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_NET_REFRESH_TIMER_ARMED
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B1EB3
		push	ebx
		xor	ebx, ebx
		push	ebx
		push	0Ah
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__aulldiv
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	1
		push	ebx
		push	offset _POP_ETW_EVENT_NET_REFRESH_TIMER_ARMED
		push	esi
		push	edi
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], 8
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	ebx

loc_9B1EB3:				; CODE XREF: PopTraceNetRefreshTimerArmed(x,x)+37j
		pop	edi
		pop	esi

loc_9B1EB5:				; CODE XREF: PopTraceNetRefreshTimerArmed(x,x)+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopTraceNetRefreshTimerArmed@8	endp


;  S U B	R O U T	I N E 


; __stdcall PopTraceNetRefreshTimerDisarmed()
_PopTraceNetRefreshTimerDisarmed@0 proc	near
					; CODE XREF: PopNetWnfLowPowerEpochCallback(x,x,x,x,x,x)+A4p
		cmp	_PopDiagHandleRegistered, 0
		jz	short locret_9B1EFC
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_NET_REFRESH_TIMER_DISARMED
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B1EF9
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	ebx
		push	esi
		push	edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B1EF9:				; CODE XREF: PopTraceNetRefreshTimerDisarmed()+27j
		pop	edi
		pop	esi
		pop	ebx

locret_9B1EFC:				; CODE XREF: PopTraceNetRefreshTimerDisarmed()+7j
		retn
_PopTraceNetRefreshTimerDisarmed@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceSleepCheckpointInitFailure(x)
_PopTraceSleepCheckpointInitFailure@4 proc near
					; CODE XREF: PopEnableSystemSleepCheckpoint()+132p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	dword_6B23F8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_9B1F5E
		push	4000h
		xor	edi, edi
		mov	ebx, offset dword_6B23F8
		push	edi
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9B1F5E
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_3C], esi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	edi
		push	edi
		push	offset loc_41E4DE
		push	ebx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9B1F5E:				; CODE XREF: PopTraceSleepCheckpointInitFailure(x)+1Ej
					; PopTraceSleepCheckpointInitFailure(x)+36j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopTraceSleepCheckpointInitFailure@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceSystemIdleS0LowPowerDoze(x)
_PopTraceSystemIdleS0LowPowerDoze@4 proc near ;	CODE XREF: PopIdleAoAcDozeToS4(x)+1Cp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_9B1FD2
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_SYSTEM_IDLE_S0_LOW_POWER_DOZE
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B1FCF
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_18], ecx
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B1FCF:				; CODE XREF: PopTraceSystemIdleS0LowPowerDoze(x)+39j
		pop	edi
		pop	esi
		pop	ebx

loc_9B1FD2:				; CODE XREF: PopTraceSystemIdleS0LowPowerDoze(x)+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopTraceSystemIdleS0LowPowerDoze@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceSystemIdleS0LowPowerDozeTimerArmed(x, x, x)
_PopTraceSystemIdleS0LowPowerDozeTimerArmed@12 proc near
					; CODE XREF: PopIdleArmAoAcDozeS4Timer()+DEp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_28], ecx
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		jz	short loc_9B206F
		push	edi
		mov	edi, offset _POP_ETW_EVENT_SYSTEM_IDLE_S0_LOW_POWER_DOZE_TIMER_ARMED
		push	edi
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B206E
		push	[ebp+arg_4]
		lea	eax, [ebp+var_28]
		mov	[ebp+var_20], esi
		push	[ebp+arg_0]
		lea	ecx, [ebp+var_30]
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], 4
		mov	[ebp+var_18], esi
		call	_PopDiagInterruptTimeToSystemTime@12 ; PopDiagInterruptTimeToSystemTime(x,x,x)
		lea	eax, [ebp+var_30]
		mov	[ebp+var_10], esi
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	esi
		push	edi
		push	dword_6C1D74
		mov	[ebp+var_C], 8
		push	_PopDiagHandle
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B206E:				; CODE XREF: PopTraceSystemIdleS0LowPowerDozeTimerArmed(x,x,x)+41j
		pop	edi

loc_9B206F:				; CODE XREF: PopTraceSystemIdleS0LowPowerDozeTimerArmed(x,x,x)+25j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopTraceSystemIdleS0LowPowerDozeTimerArmed@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTraceSystemIdleS0LowPowerDozeTimerCancelled(x)
_PopTraceSystemIdleS0LowPowerDozeTimerCancelled@4 proc near
					; CODE XREF: PopIdleCancelAoAcDozeS4Timer+56p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[ebp+var_18], ecx
		jz	short loc_9B20E3
		push	ebx
		push	esi
		mov	esi, dword_6C1D74
		mov	ebx, offset _POP_ETW_EVENT_SYSTEM_IDLE_S0_LOW_POWER_DOZE_TIMER_CANCELLED
		push	edi
		mov	edi, _PopDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B20E0
		lea	eax, [ebp+var_18]
		mov	[ebp+var_C], 4
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B20E0:				; CODE XREF: PopTraceSystemIdleS0LowPowerDozeTimerCancelled(x)+3Cj
		pop	edi
		pop	esi
		pop	ebx

loc_9B20E3:				; CODE XREF: PopTraceSystemIdleS0LowPowerDozeTimerCancelled(x)+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopTraceSystemIdleS0LowPowerDozeTimerCancelled@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CalculateBatteryCount(x, x,	x)
_CalculateBatteryCount@12 proc near	; CODE XREF: PopBatteryApplyCompositeState+A03A6p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6C2534
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, offset dword_6C2534
		push	edi
		mov	edi, ecx
		and	dword ptr [esi], 0
		and	dword ptr [edx], 0
		jmp	short loc_9B2125
; 

loc_9B210E:				; CODE XREF: CalculateBatteryCount(x,x,x)+38j
		mov	ecx, [eax+38h]
		dec	ecx
		sub	ecx, 1
		jz	short loc_9B2121
		dec	ecx
		sub	ecx, 1
		jnz	short loc_9B2123
		inc	dword ptr [esi]
		jmp	short loc_9B2123
; 

loc_9B2121:				; CODE XREF: CalculateBatteryCount(x,x,x)+26j
		inc	dword ptr [edx]

loc_9B2123:				; CODE XREF: CalculateBatteryCount(x,x,x)+2Cj
					; CalculateBatteryCount(x,x,x)+30j
		mov	eax, [eax]

loc_9B2125:				; CODE XREF: CalculateBatteryCount(x,x,x)+1Dj
		cmp	eax, ebx
		jnz	short loc_9B210E
		mov	eax, dword_6C252C
		mov	[edi], eax
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_CalculateBatteryCount@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopAccountBatteryEnergyChange(x)
_PopAccountBatteryEnergyChange@4 proc near ; CODE XREF:	PopBatteryWorker+9FEC2p

var_1F8		= dword	ptr -1F8h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_158		= dword	ptr -158h
var_148		= dword	ptr -148h
var_138		= dword	ptr -138h
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_C8		= dword	ptr -0C8h
var_B8		= dword	ptr -0B8h
var_A8		= dword	ptr -0A8h
var_98		= dword	ptr -98h
var_88		= dword	ptr -88h
var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1FCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	eax, [ebx+0A0h]
		mov	edx, [ebx+68h]
		mov	ecx, [ebx+50h]
		mov	[ebp+var_1CC], eax
		mov	[ebp+var_1C0], eax
		mov	eax, [ebx+0A4h]
		mov	[ebp+var_1C4], edi
		mov	[ebp+var_1C8], edi
		lea	edi, [ebp+var_1F8]
		mov	[ebp+var_1BC], eax
		lea	eax, [ebx+90h]
		mov	esi, eax
		mov	[ebp+var_1D4], edx
		push	4
		mov	[ebp+var_1D0], ecx
		movsd
		movsd
		movsd
		movsd
		xor	edi, edi
		test	dword ptr [ebx+40h], 40000000h
		mov	[eax], edi
		pop	esi
		jz	short loc_9B21BF
		mov	dword ptr [eax], 2
		push	2

loc_9B21B9:				; CODE XREF: PopAccountBatteryEnergyChange(x)+A6j
		pop	ecx
		jmp	loc_9B2285
; 

loc_9B21BF:				; CODE XREF: PopAccountBatteryEnergyChange(x)+78j
		test	ecx, ecx
		jz	loc_9B2275
		cmp	ecx, 0FFFFFFFFh
		jz	loc_9B2275
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_9B21DF
		mov	dword ptr [eax], 8
		push	8
		jmp	short loc_9B21B9
; 

loc_9B21DF:				; CODE XREF: PopAccountBatteryEnergyChange(x)+9Cj
		mov	esi, [ebp+var_1BC]
		test	esi, esi
		jnz	short loc_9B21FF
		mov	[ebx+0A4h], ecx
		xor	ecx, ecx
		inc	ecx
		mov	[ebx+0A0h], edx
		mov	[eax], ecx
		jmp	loc_9B2285
; 

loc_9B21FF:				; CODE XREF: PopAccountBatteryEnergyChange(x)+B0j
		cmp	esi, ecx
		jz	short loc_9B2247
		mov	eax, [ebp+var_1CC]
		mov	edx, 186A0h
		mul	edx
		push	edi
		push	esi
		push	edx
		push	eax
		call	__aulldiv
		mov	esi, [ebp+var_1D0]
		mov	ecx, 186A0h
		mov	[ebp+var_1E4], edx
		mul	esi
		push	edi
		push	ecx
		push	edx
		push	eax
		call	__alldiv
		mov	edx, [ebp+var_1D4]
		mov	[ebp+var_1C0], eax
		mov	[ebx+0A4h], esi

loc_9B2247:				; CODE XREF: PopAccountBatteryEnergyChange(x)+CAj
		xor	ecx, ecx
		mov	[ebx+0A0h], edx
		mov	eax, edx
		sub	eax, [ebp+var_1C0]
		mov	[ebp+var_1C4], eax
		sbb	ecx, edi
		add	[ebx+98h], eax
		mov	[ebp+var_1C8], ecx
		adc	[ebx+9Ch], ecx
		mov	ecx, edi
		jmp	short loc_9B2285
; 

loc_9B2275:				; CODE XREF: PopAccountBatteryEnergyChange(x)+8Aj
					; PopAccountBatteryEnergyChange(x)+93j
		mov	[ebx+0A0h], edi
		mov	ecx, esi
		mov	[ebx+0A4h], edi
		mov	[eax], esi

loc_9B2285:				; CODE XREF: PopAccountBatteryEnergyChange(x)+83j
					; PopAccountBatteryEnergyChange(x)+C3j	...
		cmp	ecx, [ebp+var_1F8]
		jnz	short loc_9B22AD
		mov	eax, [ebx+98h]
		cmp	eax, [ebp+var_1F0]
		jnz	short loc_9B22AD
		mov	eax, [ebx+9Ch]
		cmp	eax, [ebp+var_1EC]
		jz	loc_9B2632

loc_9B22AD:				; CODE XREF: PopAccountBatteryEnergyChange(x)+154j
					; PopAccountBatteryEnergyChange(x)+162j
		cmp	dword_6B23F8, 5
		jbe	loc_9B2632
		mov	[ebp+var_194], edi
		lea	eax, [ebp+var_180]
		mov	[ebp+var_198], eax
		mov	esi, (offset loc_8BD074+4)
		mov	eax, [ebx+14h]
		mov	edx, offset ??_C@_0BL@IEGKJEJE@Energy?5Counter?5Unavailable@NNGAKEGL@
		mov	[ebp+var_188], eax
		movzx	eax, word ptr [ebx+10h]
		mov	[ebp+var_180], eax
		mov	eax, [ebx+98h]
		mov	[ebp+var_1F0], eax
		mov	eax, [ebx+9Ch]
		mov	[ebp+var_1EC], eax
		lea	eax, [ebp+var_1F0]
		mov	[ebp+var_190], 2
		mov	[ebp+var_18C], edi
		mov	[ebp+var_184], edi
		mov	[ebp+var_17C], edi
		mov	[ebp+var_178], eax
		mov	[ebp+var_174], edi
		mov	[ebp+var_170], 8
		mov	[ebp+var_16C], edi
		test	cl, 1
		jnz	short loc_9B2346
		mov	edx, esi

loc_9B2346:				; CODE XREF: PopAccountBatteryEnergyChange(x)+20Bj
		lea	ecx, [ebp+var_168]
		call	_tlgCreate1Sz_char
		lea	edi, [ebx+90h]
		mov	edx, offset ??_C@_0BH@BFPPAGEL@Relative?5Capacity?5Unit@NNGAKEGL@
		test	byte ptr [edi],	2
		jnz	short loc_9B2363
		mov	edx, esi

loc_9B2363:				; CODE XREF: PopAccountBatteryEnergyChange(x)+228j
		lea	ecx, [ebp+var_158]
		call	_tlgCreate1Sz_char
		test	byte ptr [edi],	4
		mov	edx, offset ??_C@_0BA@DBAOEMLN@FCC?5Unavailable@NNGAKEGL@
		jnz	short loc_9B237A
		mov	edx, esi

loc_9B237A:				; CODE XREF: PopAccountBatteryEnergyChange(x)+23Fj
		lea	ecx, [ebp+var_148]
		call	_tlgCreate1Sz_char
		test	byte ptr [edi],	8
		mov	edx, (offset loc_8BD175+7)
		jnz	short loc_9B2391
		mov	edx, esi

loc_9B2391:				; CODE XREF: PopAccountBatteryEnergyChange(x)+256j
		lea	ecx, [ebp+var_138]
		call	_tlgCreate1Sz_char
		mov	eax, [ebp+var_1C4]
		xor	edi, edi
		test	byte ptr [ebx+64h], 1
		mov	edx, offset ??_C@_08KKBGCHG@AC?5Power@NNGAKEGL@
		mov	[ebp+var_1E8], eax
		mov	eax, [ebp+var_1C8]
		mov	[ebp+var_1E4], eax
		lea	eax, [ebp+var_1E8]
		mov	[ebp+var_128], eax
		mov	eax, [ebp+var_1CC]
		mov	[ebp+var_1D4], eax
		lea	eax, [ebp+var_1D4]
		mov	[ebp+var_118], eax
		mov	eax, [ebp+var_1C0]
		mov	[ebp+var_1D0], eax
		lea	eax, [ebp+var_1D0]
		mov	[ebp+var_108], eax
		mov	eax, [ebp+var_1BC]
		mov	[ebp+var_1CC], eax
		lea	eax, [ebp+var_1CC]
		mov	[ebp+var_F8], eax
		mov	eax, dword_6C252C
		push	4
		pop	ecx
		mov	[ebp+var_1C8], eax
		lea	eax, [ebp+var_1C8]
		mov	[ebp+var_124], edi
		mov	[ebp+var_120], 8
		mov	[ebp+var_11C], edi
		mov	[ebp+var_114], edi
		mov	[ebp+var_110], ecx
		mov	[ebp+var_10C], edi
		mov	[ebp+var_104], edi
		mov	[ebp+var_100], ecx
		mov	[ebp+var_FC], edi
		mov	[ebp+var_F4], edi
		mov	[ebp+var_F0], ecx
		mov	[ebp+var_EC], edi
		mov	[ebp+var_E8], eax
		mov	[ebp+var_E4], edi
		mov	[ebp+var_E0], ecx
		mov	[ebp+var_DC], edi
		jnz	short loc_9B2492
		mov	edx, (offset loc_8BD059+1)

loc_9B2492:				; CODE XREF: PopAccountBatteryEnergyChange(x)+354j
		lea	ecx, [ebp+var_D8]
		call	_tlgCreate1Sz_char
		test	byte ptr [ebx+64h], 2
		mov	edx, offset ??_C@_0BE@HBALMBOB@Battery?5Discharging@NNGAKEGL@
		jnz	short loc_9B24AA
		mov	edx, esi

loc_9B24AA:				; CODE XREF: PopAccountBatteryEnergyChange(x)+36Fj
		lea	ecx, [ebp+var_C8]
		call	_tlgCreate1Sz_char
		test	byte ptr [ebx+64h], 4
		mov	edx, (offset loc_8BD074+6)
		jnz	short loc_9B24C2
		mov	edx, esi

loc_9B24C2:				; CODE XREF: PopAccountBatteryEnergyChange(x)+387j
		lea	ecx, [ebp+var_B8]
		call	_tlgCreate1Sz_char
		test	byte ptr [ebx+64h], 8
		mov	edx, offset ??_C@_0BB@PMCEFKNF@Battery?5Critical@NNGAKEGL@
		jnz	short loc_9B24DA
		mov	edx, esi

loc_9B24DA:				; CODE XREF: PopAccountBatteryEnergyChange(x)+39Fj
		lea	ecx, [ebp+var_A8]
		call	_tlgCreate1Sz_char
		test	byte ptr [ebx+64h], 10h
		mov	edx, offset ??_C@_0BN@OMAGIAMP@Battery?5charge?5limiting?5mode@NNGAKEGL@
		jnz	short loc_9B24F2
		mov	edx, esi

loc_9B24F2:				; CODE XREF: PopAccountBatteryEnergyChange(x)+3B7j
		lea	ecx, [ebp+var_98]
		call	_tlgCreate1Sz_char
		test	byte ptr [ebx+64h], 20h
		mov	edx, offset ??_C@_0CM@BIFDFPBB@Battery?5charging?5state?5power?5su@NNGAKEGL@
		jnz	short loc_9B250A
		mov	edx, esi

loc_9B250A:				; CODE XREF: PopAccountBatteryEnergyChange(x)+3CFj
		lea	ecx, [ebp+var_88]
		call	_tlgCreate1Sz_char
		test	byte ptr [ebx+64h], 40h
		jz	short loc_9B2520
		mov	esi, offset ??_C@_0CA@NILBEDJH@Battery?5charging?5state?5adequate@NNGAKEGL@

loc_9B2520:				; CODE XREF: PopAccountBatteryEnergyChange(x)+3E2j
		mov	edx, esi
		lea	ecx, [ebp+var_78]
		call	_tlgCreate1Sz_char
		mov	esi, [ebx+50h]
		test	esi, esi
		jnz	short loc_9B2540
		mov	ecx, edi
		mov	edi, [ebx+68h]
		mov	eax, edi
		mov	[ebp+var_1BC], eax
		jmp	short loc_9B255A
; 

loc_9B2540:				; CODE XREF: PopAccountBatteryEnergyChange(x)+3F8j
		mov	edi, [ebx+68h]
		mov	ecx, esi
		imul	eax, edi, 64h
		xor	edx, edx
		shr	ecx, 1
		mov	[ebp+var_1BC], edi
		add	eax, ecx
		div	esi
		mov	ecx, eax
		mov	eax, edi

loc_9B255A:				; CODE XREF: PopAccountBatteryEnergyChange(x)+407j
		mov	[ebp+var_1C4], ecx
		lea	ecx, [ebp+var_1C4]
		push	4
		mov	[ebp+var_68], ecx
		xor	ecx, ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_5C], ecx
		pop	edx
		mov	[ebp+var_60], edx
		test	esi, esi
		jnz	short loc_9B257F
		mov	eax, ecx
		jmp	short loc_9B259A
; 

loc_9B257F:				; CODE XREF: PopAccountBatteryEnergyChange(x)+442j
		mov	edx, 186A0h
		mul	edx
		push	ecx
		push	esi
		push	edx
		push	eax
		call	__aulldiv
		mov	edi, [ebp+var_1BC]
		xor	ecx, ecx
		push	4
		pop	edx

loc_9B259A:				; CODE XREF: PopAccountBatteryEnergyChange(x)+446j
		mov	[ebp+var_1BC], eax
		lea	eax, [ebp+var_1BC]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_1C0]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_1D8]
		mov	[ebp+var_38], eax
		mov	eax, [ebx+6Ch]
		mov	[ebp+var_1DC], eax
		lea	eax, [ebp+var_1DC]
		mov	[ebp+var_28], eax
		mov	eax, [ebx+70h]
		mov	[ebp+var_1E0], eax
		lea	eax, [ebp+var_1E0]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_1B8]
		push	eax
		push	1Bh
		push	ecx
		push	ecx
		push	offset loc_41F7F0
		push	offset dword_6B23F8
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_1C0], edi
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_1D8], esi
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9B2632:				; CODE XREF: PopAccountBatteryEnergyChange(x)+170j
					; PopAccountBatteryEnergyChange(x)+17Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopAccountBatteryEnergyChange@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBatteryAdd(x)
_PopBatteryAdd@4 proc near		; DATA XREF: .data:006B2F3Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	0
		push	1
		lea	eax, [esi+28h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, dword_6C2528
		inc	eax
		mov	dword_6C2528, eax
		cmp	eax, 1
		jnz	short loc_9B268F
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	byte_6C2E3E, 1
		jz	short loc_9B2682
		mov	byte_6C2E3E, 1
		call	PopResetCurrentPolicies

loc_9B2682:				; CODE XREF: PopBatteryAdd(x)+33j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		xor	ecx, ecx
		inc	ecx
		call	_PopCadTriggerDriverLoad@4 ; PopCadTriggerDriverLoad(x)

loc_9B268F:				; CODE XREF: PopBatteryAdd(x)+25j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopCB
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	dword_6C2524, eax
		mov	byte_6C2530, 1
		call	_PopBatteryWaitTag@4 ; PopBatteryWaitTag(x)
		push	8
		pop	ecx
		call	_PopBatteryQueueWork@4 ; PopBatteryQueueWork(x)
		cmp	dword_6C2524, 0
		jz	short loc_9B26DC
		and	dword_6C2524, 0

loc_9B26DC:				; CODE XREF: PopBatteryAdd(x)+92j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_PopBatteryAdd@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBatteryCheckTriggerAllBatteries(x, x)
_PopBatteryCheckTriggerAllBatteries@8 proc near
					; CODE XREF: PopBatteryApplyCompositeState+A03F4p
					; PopBatteryCheckTrigger+A054Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, dword_6C253C
		mov	eax, ecx
		mov	[ebp+var_8], edx
		mov	bl, 1
		mov	[ebp+var_C], eax
		cmp	esi, offset dword_6C253C
		jz	short loc_9B2770
		push	edi
		push	64h
		pop	edi

loc_9B2716:				; CODE XREF: PopBatteryCheckTriggerAllBatteries(x,x)+79j
		mov	ecx, [esi+30h]
		test	ecx, ecx
		jz	short loc_9B2761
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_9B2761
		mov	eax, [eax+0Ch]
		xor	edx, edx
		imul	eax, ecx
		mov	[ebp+var_4], 0C8h
		push	64h
		div	edi
		xor	edx, edx
		mov	edi, eax
		mov	eax, ecx
		div	[ebp+var_4]
		imul	ecx, [ebp+var_8]
		xor	edx, edx
		add	edi, eax
		mov	eax, ecx
		pop	ecx
		div	ecx
		mov	ecx, [esi+34h]
		cmp	ecx, edi
		jbe	short loc_9B2754
		mov	edi, ecx

loc_9B2754:				; CODE XREF: PopBatteryCheckTriggerAllBatteries(x,x)+60j
		add	eax, edi
		cmp	[esi+48h], eax
		ja	short loc_9B276D
		mov	eax, [ebp+var_C]
		push	64h
		pop	edi

loc_9B2761:				; CODE XREF: PopBatteryCheckTriggerAllBatteries(x,x)+2Bj
					; PopBatteryCheckTriggerAllBatteries(x,x)+30j
		mov	esi, [esi]
		cmp	esi, offset dword_6C253C
		jnz	short loc_9B2716
		jmp	short loc_9B276F
; 

loc_9B276D:				; CODE XREF: PopBatteryCheckTriggerAllBatteries(x,x)+69j
		xor	bl, bl

loc_9B276F:				; CODE XREF: PopBatteryCheckTriggerAllBatteries(x,x)+7Bj
		pop	edi

loc_9B2770:				; CODE XREF: PopBatteryCheckTriggerAllBatteries(x,x)+20j
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_PopBatteryCheckTriggerAllBatteries@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBatteryDeviceState(x, x)
_PopBatteryDeviceState@8 proc near	; CODE XREF: NtPowerInformation+171DB6p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		push	ecx
		mov	[ebp+var_4], edx
		xor	ebx, ebx
		push	ecx
		mov	edx, ecx
		mov	[ebp+var_C], ebx
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_8], ebx
		call	RtlUnicodeStringInitWorker
		mov	esi, eax
		test	esi, esi
		js	loc_9B28E5
		mov	si, word ptr [ebp+var_C]
		push	8
		pop	eax
		cmp	si, ax
		ja	short loc_9B27B8

loc_9B27AE:				; CODE XREF: PopBatteryDeviceState(x,x)+66j
		mov	esi, 0C0000033h
		jmp	loc_9B28E5
; 

loc_9B27B8:				; CODE XREF: PopBatteryDeviceState(x,x)+36j
		push	ebx
		lea	eax, [ebp+var_C]
		push	eax
		push	offset _PopDevicePrefixNt
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_9B27DE
		push	ebx
		lea	eax, [ebp+var_C]
		push	eax
		push	(offset	loc_404D24+4)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_9B27AE

loc_9B27DE:				; CODE XREF: PopBatteryDeviceState(x,x)+53j
		add	[ebp+var_8], 8
		mov	eax, 0FFF8h
		add	word ptr [ebp+var_C+2],	ax
		add	si, ax
		mov	eax, large fs:124h
		mov	word ptr [ebp+var_C], si
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExAcquirePushLockSharedEx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopCB
		call	ExAcquirePushLockSharedEx
		mov	esi, dword_6C2534
		cmp	esi, offset dword_6C2534
		jz	short loc_9B289E
		mov	edi, 0FFF8h

loc_9B2839:				; CODE XREF: PopBatteryDeviceState(x,x)+F9j
		mov	eax, [esi+10h]
		mov	ebx, esi
		mov	[ebp+var_14], eax
		mov	eax, [esi+14h]
		add	word ptr [ebp+var_14], di
		add	eax, 8
		add	word ptr [ebp+var_14+2], di
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_14]
		push	1
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_9B2871
		mov	esi, [esi]
		xor	ebx, ebx
		cmp	esi, offset dword_6C2534
		jnz	short loc_9B2839

loc_9B2871:				; CODE XREF: PopBatteryDeviceState(x,x)+EDj
		mov	edi, [ebp+var_4]
		test	ebx, ebx
		jz	short loc_9B289E
		cmp	dword ptr [ebx+38h], 3
		jz	short loc_9B2885
		mov	esi, 0C00000A3h
		jmp	short loc_9B28A3
; 

loc_9B2885:				; CODE XREF: PopBatteryDeviceState(x,x)+106j
		push	9
		lea	esi, [ebx+40h]
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_4]
		lea	esi, [ebx+64h]
		add	edi, 24h
		movsd
		movsd
		movsd
		movsd
		xor	esi, esi
		jmp	short loc_9B28A3
; 

loc_9B289E:				; CODE XREF: PopBatteryDeviceState(x,x)+BCj
					; PopBatteryDeviceState(x,x)+100j
		mov	esi, 0C0000034h

loc_9B28A3:				; CODE XREF: PopBatteryDeviceState(x,x)+10Dj
					; PopBatteryDeviceState(x,x)+126j
		cmp	dword_6C2524, 0
		jz	short loc_9B28B3
		and	dword_6C2524, 0

loc_9B28B3:				; CODE XREF: PopBatteryDeviceState(x,x)+134j
		xor	edx, edx
		mov	ecx, offset _PopCB
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	dword_6C2044, 0
		jz	short loc_9B28D4
		and	dword_6C2044, 0

loc_9B28D4:				; CODE XREF: PopBatteryDeviceState(x,x)+155j
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9B28E5:				; CODE XREF: PopBatteryDeviceState(x,x)+26j
					; PopBatteryDeviceState(x,x)+3Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PopBatteryDeviceState@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopBatteryEstimatesSpoiled()
_PopBatteryEstimatesSpoiled@0 proc near	; CODE XREF: PopBatteryWorker:loc_908FB6p
					; PopEstimateChargeTime()+4Bp
		mov	edi, edi
		push	ebx		; char
		call	KeQueryInterruptTime
		cmp	dword_6B3F34, edx
		jb	short loc_9B291E
		ja	short loc_9B2906
		cmp	_PopEstimateSpoiledUntilTime, eax
		jb	short loc_9B291E

loc_9B2906:				; CODE XREF: PopBatteryEstimatesSpoiled()+10j
		push	(offset	loc_8BD0C7+1) ;	char *
		push	3		; int
		push	92h		; int
		mov	bl, 1
		call	_DbgPrintEx
		add	esp, 0Ch
		jmp	short loc_9B2920
; 

loc_9B291E:				; CODE XREF: PopBatteryEstimatesSpoiled()+Ej
					; PopBatteryEstimatesSpoiled()+18j
		xor	bl, bl

loc_9B2920:				; CODE XREF: PopBatteryEstimatesSpoiled()+30j
		mov	al, bl
		pop	ebx
		retn
_PopBatteryEstimatesSpoiled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBatteryEtwCallback(x, x,	x, x, x, x, x, x, x)
_PopBatteryEtwCallback@36 proc near	; DATA XREF: PopBatteryInitPhaseTwo()+4Bo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 2
		jnz	loc_9B29BD
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopPolicyDeviceLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopCB
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	cl, 1
		mov	dword_6C2524, eax
		call	PopBatteryTraceSystemBatteryStatus
		cmp	dword_6C2524, 0
		jz	short loc_9B298F
		and	dword_6C2524, 0

loc_9B298F:				; CODE XREF: PopBatteryEtwCallback(x,x,x,x,x,x,x,x,x)+62j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	dword_6C2044, 0
		jz	short loc_9B29AD
		and	dword_6C2044, 0

loc_9B29AD:				; CODE XREF: PopBatteryEtwCallback(x,x,x,x,x,x,x,x,x)+80j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi

loc_9B29BD:				; CODE XREF: PopBatteryEtwCallback(x,x,x,x,x,x,x,x,x)+9j
		pop	ebp
		retn	24h
_PopBatteryEtwCallback@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBatteryInitialize(x)
_PopBatteryInitialize@4	proc near	; CODE XREF: PopBatteryWorker+9FE73p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	edx, 294044h
		push	edi
		xor	ecx, ecx
		push	24h
		mov	eax, [ebx+3Ch]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_30]
		push	0Ch
		push	eax
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_2C], ecx
		push	ecx
		mov	ecx, [ebx+1Ch]
		call	_PopPrepareIoctl@24 ; PopPrepareIoctl(x,x,x,x,x,x)
		push	dword ptr [ebx+1Ch]
		push	dword ptr [ebx+18h]
		call	_IoSynchronousCallDriver@8 ; IoSynchronousCallDriver(x,x)
		test	eax, eax
		js	loc_9B2AB3
		push	9
		pop	ecx
		lea	esi, [ebp+var_30]
		mov	[ebp+var_8], 0
		lea	edi, [ebx+40h]
		rep movsd
		cmp	byte ptr [ebx+44h], 0
		mov	eax, [ebx+48h]
		mov	[ebp+var_C], eax
		mov	eax, (offset loc_8BCE7A+2)
		jz	short loc_9B2A46
		mov	eax, offset ??_C@_0N@EOKLPMEM@rechargeable@NNGAKEGL@

loc_9B2A46:				; CODE XREF: PopBatteryInitialize(x)+7Ej
		push	dword ptr [ebx+60h]
		lea	ecx, [ebp+var_C]
		push	dword ptr [ebx+5Ch]
		push	dword ptr [ebx+58h]
		push	dword ptr [ebx+54h]
		push	dword ptr [ebx+50h]
		push	dword ptr [ebx+4Ch]
		push	ecx
		push	eax
		push	dword ptr [ebx+40h]
		push	dword ptr [ebx+3Ch]
		push	ebx		; char
		push	offset ??_C@_0BEB@BEBGFMCD@?6Battery?5Information?5?$FL?$CFp?$FN?6?$HM?9?9?5T@NNGAKEGL@	; char *
		push	2		; int
		push	92h		; int
		call	_DbgPrintEx
		add	esp, 38h
		mov	edx, offset dword_6C253C
		push	3
		pop	ecx
		mov	[ebx+38h], ecx
		add	ebx, 20h
		mov	eax, dword_6C2540
		cmp	[eax], edx
		jz	short loc_9B2A91
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9B2A91:				; CODE XREF: PopBatteryInitialize(x)+CCj
		mov	[ebx+4], eax
		mov	[ebx], edx
		mov	[eax], ebx
		inc	dword_6C252C
		inc	dword_6C257C
		xor	eax, eax
		mov	dword_6C2540, ebx
		mov	byte_6C2530, 1

loc_9B2AB3:				; CODE XREF: PopBatteryInitialize(x)+5Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopBatteryInitialize@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBatteryQueryEstimatedTime(x, x)
_PopBatteryQueryEstimatedTime@8	proc near ; CODE XREF: PopBatteryWorker+9FF07p
					; PopBatteryWorker+A008Ap

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		push	4
		push	0Ch
		mov	edx, 294044h
		mov	[ebp+var_C], 3
		mov	eax, [esi+3Ch]
		mov	ecx, [esi+1Ch]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		call	_PopPrepareIoctl@24 ; PopPrepareIoctl(x,x,x,x,x,x)
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		call	_IoSynchronousCallDriver@8 ; IoSynchronousCallDriver(x,x)
		test	eax, eax
		jns	short loc_9B2B12
		or	eax, 0FFFFFFFFh
		jmp	short loc_9B2B15
; 

loc_9B2B12:				; CODE XREF: PopBatteryQueryEstimatedTime(x,x)+49j
		mov	eax, [ebp+var_10]

loc_9B2B15:				; CODE XREF: PopBatteryQueryEstimatedTime(x,x)+4Ej
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopBatteryQueryEstimatedTime@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PopBatteryQueryStatus(char)
_PopBatteryQueryStatus@8 proc near	; CODE XREF: PopBatteryWorker+9FEA6p
					; PopBatteryWorker+A0278p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		and	dword ptr [edi+7Ch], 0
		lea	ebx, [edi+78h]
		and	dword ptr [edi+80h], 0
		and	dword ptr [edi+84h], 0
		and	dword ptr [edi+88h], 0
		mov	eax, [edi+3Ch]
		mov	[ebx], eax
		test	dl, dl
		jnz	loc_9B2C03
		mov	eax, [edi+64h]
		or	ecx, 0FFFFFFFFh
		mov	ebx, [edi+68h]
		mov	[edi+80h], eax
		mov	eax, [edi+58h]
		mov	[edi+7Ch], ecx
		cmp	ebx, eax
		jbe	short loc_9B2B79
		lea	esi, [eax+1]
		jmp	short loc_9B2B89
; 

loc_9B2B79:				; CODE XREF: PopBatteryQueryStatus(x,x)+50j
		mov	ecx, [edi+54h]
		cmp	ebx, ecx
		jbe	short loc_9B2B87
		lea	esi, [ecx+1]
		mov	ecx, eax
		jmp	short loc_9B2B89
; 

loc_9B2B87:				; CODE XREF: PopBatteryQueryStatus(x,x)+5Cj
		xor	esi, esi

loc_9B2B89:				; CODE XREF: PopBatteryQueryStatus(x,x)+55j
					; PopBatteryQueryStatus(x,x)+63j
		mov	eax, [edi+50h]
		mov	[ebp+var_8], 64h
		lea	edx, [eax+eax]
		mov	[ebp+var_14], edx
		imul	edx, eax, 0C7h
		mov	[ebp+var_C], edx

loc_9B2BA2:				; CODE XREF: PopBatteryQueryStatus(x,x)+B1j
		mov	eax, edx
		mov	[ebp+var_10], 0C8h
		xor	edx, edx
		div	[ebp+var_10]
		lea	edx, [eax-1]
		cmp	edx, ebx
		jb	short loc_9B2BBD
		cmp	edx, ecx
		jnb	short loc_9B2BBD
		mov	ecx, edx

loc_9B2BBD:				; CODE XREF: PopBatteryQueryStatus(x,x)+93j
					; PopBatteryQueryStatus(x,x)+97j
		cmp	eax, ebx
		jbe	short loc_9B2BD7
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_C]
		dec	eax
		sub	edx, [ebp+var_14]
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edx
		test	eax, eax
		jnz	short loc_9B2BA2
		jmp	short loc_9B2BDD
; 

loc_9B2BD7:				; CODE XREF: PopBatteryQueryStatus(x,x)+9Dj
		cmp	eax, esi
		jbe	short loc_9B2BDD
		mov	esi, eax

loc_9B2BDD:				; CODE XREF: PopBatteryQueryStatus(x,x)+B3j
					; PopBatteryQueryStatus(x,x)+B7j
		push	esi
		push	ecx
		push	edi		; char
		push	offset ??_C@_0DC@JKFKDJC@?6Battery?5Triggers?5?$FL?$CFp?$FN?6?$HM?9?5High?5@NNGAKEGL@ ;	char *
		push	2		; int
		push	92h		; int
		mov	[edi+88h], ecx
		mov	[edi+84h], esi
		call	_DbgPrintEx
		add	esp, 18h
		lea	ebx, [edi+78h]

loc_9B2C03:				; CODE XREF: PopBatteryQueryStatus(x,x)+33j
		mov	ecx, [edi+1Ch]
		mov	edx, 294064h
		push	10h
		push	14h
		push	ebx
		push	0
		call	_PopPrepareIoctl@24 ; PopPrepareIoctl(x,x,x,x,x,x)
		cmp	[ebp+var_1], 0
		mov	eax, [edi+1Ch]
		jnz	short loc_9B2C3E
		mov	eax, [eax+60h]
		mov	dword ptr [eax-8], offset _PopBatteryIrpComplete@12 ; PopBatteryIrpComplete(x,x,x)
		mov	[eax-4], edi
		mov	byte ptr [eax-21h], 0E0h
		mov	edx, [edi+1Ch]
		mov	ecx, [edi+18h]
		call	IofCallDriver
		jmp	short loc_9B2C54
; 

loc_9B2C3E:				; CODE XREF: PopBatteryQueryStatus(x,x)+FCj
		push	eax
		push	dword ptr [edi+18h]
		call	_IoSynchronousCallDriver@8 ; IoSynchronousCallDriver(x,x)
		test	eax, eax
		js	short loc_9B2C56
		add	edi, 64h
		mov	esi, ebx
		movsd
		movsd
		movsd
		movsd

loc_9B2C54:				; CODE XREF: PopBatteryQueryStatus(x,x)+11Aj
		xor	eax, eax

loc_9B2C56:				; CODE XREF: PopBatteryQueryStatus(x,x)+127j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopBatteryQueryStatus@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopBatteryReadTag(x)
_PopBatteryReadTag@4 proc near		; CODE XREF: PopBatteryWorker+9FE37p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edx, 294040h
		push	4
		push	4
		mov	ecx, [esi+1Ch]
		lea	ebx, [esi+78h]
		and	dword ptr [ebx], 0
		push	ebx
		push	0
		call	_PopPrepareIoctl@24 ; PopPrepareIoctl(x,x,x,x,x,x)
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		call	_IoSynchronousCallDriver@8 ; IoSynchronousCallDriver(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9B2CA6
		mov	eax, [ebx]
		xor	edi, edi
		push	edi
		mov	[esi+3Ch], eax
		lea	eax, [esi+28h]
		push	edi
		push	eax
		mov	dword ptr [esi+38h], 1
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_9B2CA6:				; CODE XREF: PopBatteryReadTag(x)+30j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_PopBatteryReadTag@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBatteryRemove(x)
_PopBatteryRemove@4 proc near		; DATA XREF: .data:006B2F40o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	dword ptr [esi+1Ch]
		call	IoCancelIrp
		xor	ebx, ebx
		lea	eax, [esi+28h]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	eax
		call	KeWaitForSingleObject
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopCB
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		add	esi, 20h
		mov	dword_6C2524, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_9B2D2C
		cmp	[ecx+4], esi
		jnz	short loc_9B2D7D
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_9B2D7D
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	[esi], ebx
		dec	dword_6C252C
		inc	dword_6C257C
		push	3
		pop	ecx
		mov	byte_6C2530, 1
		call	_PopBatteryQueueWork@4 ; PopBatteryQueueWork(x)

loc_9B2D2C:				; CODE XREF: PopBatteryRemove(x)+50j
		push	8
		pop	ecx
		call	_PopBatteryQueueWork@4 ; PopBatteryQueueWork(x)
		cmp	dword_6C2524, ebx
		jz	short loc_9B2D42
		mov	dword_6C2524, ebx

loc_9B2D42:				; CODE XREF: PopBatteryRemove(x)+8Ej
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		sub	dword_6C2528, 1
		jnz	short loc_9B2D76
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	byte_6C2E3E, bl
		jz	short loc_9B2D71
		mov	byte_6C2E3E, bl
		call	PopResetCurrentPolicies

loc_9B2D71:				; CODE XREF: PopBatteryRemove(x)+B8j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_9B2D76:				; CODE XREF: PopBatteryRemove(x)+ABj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_9B2D7D:				; CODE XREF: PopBatteryRemove(x)+55j
					; PopBatteryRemove(x)+5Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PopBatteryRemove@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBatteryTracePercentageRemaining(x, x, x,	x)
_PopBatteryTracePercentageRemaining@16 proc near
					; CODE XREF: PopBatteryApplyCompositeState+A075Ap

var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		cmp	[ebp+arg_0], ebx
		push	esi
		push	edi
		setz	bl
		mov	esi, edx
		cmp	_PopBatteryEtwRegistered, 0
		mov	edi, ecx
		mov	[ebp+var_B4], esi
		mov	[ebp+var_B8], edi
		mov	[ebp+var_BC], ebx
		jz	loc_9B2E63
		mov	eax, dword_6C1CD4
		push	offset _BATTERY_EVT_BATTERY_PERCENT_REMAINING
		push	eax
		mov	[ebp+var_AC], eax
		mov	eax, _PopBatteryEtwHandle
		push	eax
		mov	[ebp+var_B0], eax
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B2E63
		lea	eax, [ebp+var_B8]
		xor	ecx, ecx
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_BC]
		push	4
		pop	edx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	edx
		push	ecx
		push	offset _BATTERY_EVT_BATTERY_PERCENT_REMAINING
		push	[ebp+var_AC]
		mov	[ebp+var_44], ecx
		push	[ebp+var_B0]
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	esi, [ebp+var_B4]
		mov	edi, [ebp+var_B8]
		mov	ebx, [ebp+var_BC]

loc_9B2E63:				; CODE XREF: PopBatteryTracePercentageRemaining(x,x,x,x)+3Dj
					; PopBatteryTracePercentageRemaining(x,x,x,x)+67j
		cmp	dword_6B23F8, 5
		jbe	loc_9B2F11
		push	4000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9B2F11
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_B0], edi
		mov	[ebp+var_88], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_84], ecx
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_C0]
		push	4
		pop	edx
		mov	[ebp+var_68], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	6
		push	ecx
		push	ecx
		push	offset loc_41FE9D
		push	offset dword_6B23F8
		mov	[ebp+var_80], edx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_AC], esi
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_C0], ebx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9B2F11:				; CODE XREF: PopBatteryTracePercentageRemaining(x,x,x,x)+E8j
					; PopBatteryTracePercentageRemaining(x,x,x,x)+101j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopBatteryTracePercentageRemaining@16 endp

; 
		db 0CCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBatteryUpdateCompositeInformation()
_PopBatteryUpdateCompositeInformation@0	proc near ; CODE XREF: PopBatteryWorker:loc_908C80p

var_28		= byte ptr -28h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		push	9
		xor	eax, eax
		lea	edi, [ebp+var_28]
		pop	ecx
		rep stosd
		mov	eax, dword_6C253C
		mov	edx, [ebp+var_18]
		mov	ebx, [ebp+var_1C]
		cmp	eax, offset dword_6C253C
		jz	short loc_9B2FB8
		mov	edi, [ebp+var_14]

loc_9B2F4D:				; CODE XREF: PopBatteryUpdateCompositeInformation()+8Dj
		mov	ecx, dword ptr [ebp+var_28]
		or	ecx, [eax+20h]
		mov	dword ptr [ebp+var_28],	ecx
		mov	ecx, [eax+2Ch]
		mov	[ebp+var_4], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_9B2F63
		add	ebx, ecx

loc_9B2F63:				; CODE XREF: PopBatteryUpdateCompositeInformation()+3Cj
		mov	ecx, [eax+30h]
		mov	[ebp+var_4], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_9B2F70
		add	edx, ecx

loc_9B2F70:				; CODE XREF: PopBatteryUpdateCompositeInformation()+49j
		mov	esi, [eax+34h]
		cmp	edi, esi
		mov	[ebp+var_4], esi
		mov	esi, [ebp+var_10]
		jnb	short loc_9B2F83
		mov	edi, [ebp+var_4]
		mov	[ebp+var_14], edi

loc_9B2F83:				; CODE XREF: PopBatteryUpdateCompositeInformation()+58j
		mov	ecx, [eax+38h]
		cmp	esi, ecx
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+var_C]
		jnb	short loc_9B2F96
		mov	esi, [ebp+var_4]
		mov	[ebp+var_10], esi

loc_9B2F96:				; CODE XREF: PopBatteryUpdateCompositeInformation()+6Bj
		mov	edi, [eax+3Ch]
		cmp	ecx, edi
		mov	[ebp+var_4], edi
		mov	edi, [ebp+var_14]
		jnb	short loc_9B2FA9
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_C], ecx

loc_9B2FA9:				; CODE XREF: PopBatteryUpdateCompositeInformation()+7Ej
		mov	eax, [eax]
		cmp	eax, offset dword_6C253C
		jnz	short loc_9B2F4D
		mov	[ebp+var_18], edx
		mov	[ebp+var_1C], ebx

loc_9B2FB8:				; CODE XREF: PopBatteryUpdateCompositeInformation()+25j
		test	edx, edx
		jnz	short loc_9B2FC1
		mov	edx, ebx
		mov	[ebp+var_18], edx

loc_9B2FC1:				; CODE XREF: PopBatteryUpdateCompositeInformation()+97j
		push	9
		pop	ecx
		push	[ebp+var_C]
		lea	esi, [ebp+var_28]
		mov	edi, offset dword_6C2558
		push	[ebp+var_10]
		rep movsd
		push	[ebp+var_14]
		push	edx
		push	ebx
		push	dword ptr [ebp+var_28] ; char
		push	(offset	loc_8BCD19+1) ;	char *
		push	2		; int
		push	92h		; int
		call	_DbgPrintEx
		add	esp, 24h
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	byte_6C2E3F, 0
		jz	short loc_9B300A
		mov	byte_6C2E3F, 0
		call	PopResetCurrentPolicies

loc_9B300A:				; CODE XREF: PopBatteryUpdateCompositeInformation()+D9j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopBatteryUpdateCompositeInformation@0	endp


;  S U B	R O U T	I N E 


; __stdcall PopBatteryWaitTag(x)
_PopBatteryWaitTag@4 proc near		; CODE XREF: PopBatteryWorker+9FE42p
					; PopBatteryWorker+9FE85p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, 294040h
		push	4
		push	4
		mov	ecx, [esi+1Ch]
		lea	eax, [esi+78h]
		and	dword ptr [esi+38h], 0
		or	dword ptr [eax], 0FFFFFFFFh
		push	eax
		push	0
		call	_PopPrepareIoctl@24 ; PopPrepareIoctl(x,x,x,x,x,x)
		mov	eax, [esi+1Ch]
		mov	eax, [eax+60h]
		mov	dword ptr [eax-8], offset _PopBatteryIrpComplete@12 ; PopBatteryIrpComplete(x,x,x)
		mov	[eax-4], esi
		mov	byte ptr [eax-21h], 0E0h
		mov	edx, [esi+1Ch]
		mov	ecx, [esi+18h]
		pop	esi
		jmp	IofCallDriver
_PopBatteryWaitTag@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEstimateChargeTime()
_PopEstimateChargeTime@0 proc near	; CODE XREF: PopBatteryWorker+A00BFp

var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= byte ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_89		= dword	ptr -89h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	ebx
		push	esi
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_90], eax
		mov	ebx, eax
		mov	[ebp+var_94], eax
		push	edi
		mov	[ebp+var_9C], esi
		mov	edi, eax
		mov	dword ptr [ebp+var_AC],	ebx
		mov	[ebp+var_98], eax
		mov	[ebp+var_B4], esi
		mov	[ebp+var_BC], esi
		call	_PopBatteryEstimatesSpoiled@0 ;	PopBatteryEstimatesSpoiled()
		test	al, al
		jz	short loc_9B30B2
		mov	bl, 53h
		jmp	loc_9B31C0
; 

loc_9B30B2:				; CODE XREF: PopEstimateChargeTime()+52j
		mov	ecx, dword_6C253C
		cmp	ecx, offset dword_6C253C
		jz	short loc_9B310B

loc_9B30C0:				; CODE XREF: PopEstimateChargeTime()+ACj
		mov	eax, [ecx+30h]
		cmp	eax, esi
		jz	short loc_9B30E1
		mov	edx, [ecx+48h]
		cmp	edx, esi
		jz	short loc_9B30E1
		cmp	edx, eax
		jnb	short loc_9B30E1
		sub	eax, edx
		add	[ebp+var_90], eax
		adc	[ebp+var_94], 0

loc_9B30E1:				; CODE XREF: PopEstimateChargeTime()+6Ej
					; PopEstimateChargeTime()+75j ...
		mov	eax, [ecx+50h]
		cmp	eax, 80000000h
		jz	short loc_9B30F8
		test	eax, eax
		jle	short loc_9B30F8
		cdq
		add	ebx, eax
		adc	[ebp+var_98], edx

loc_9B30F8:				; CODE XREF: PopEstimateChargeTime()+92j
					; PopEstimateChargeTime()+96j
		or	edi, [ecx+44h]
		mov	ecx, [ecx]
		cmp	ecx, offset dword_6C253C
		jnz	short loc_9B30C0
		mov	dword ptr [ebp+var_AC],	ebx

loc_9B310B:				; CODE XREF: PopEstimateChargeTime()+67j
		and	edi, 7
		mov	[ebp+var_A4], edi
		cmp	edi, 5
		jz	short loc_9B3120
		mov	bl, 50h
		jmp	loc_9B31C0
; 

loc_9B3120:				; CODE XREF: PopEstimateChargeTime()+C0j
		mov	edi, dword_6FE094
		mov	ecx, [ebp+var_98]
		cmp	edi, ecx
		ja	short loc_9B3148
		jb	short loc_9B313A
		cmp	_PopMaxChargeRate, ebx
		jnb	short loc_9B3148

loc_9B313A:				; CODE XREF: PopEstimateChargeTime()+D9j
		mov	edi, ecx
		mov	_PopMaxChargeRate, ebx
		mov	dword_6FE094, edi

loc_9B3148:				; CODE XREF: PopEstimateChargeTime()+D7j
					; PopEstimateChargeTime()+E1j
		mov	ebx, [ebp+var_90]
		mov	eax, ebx
		mov	ecx, [ebp+var_94]
		or	eax, ecx
		jz	short loc_9B31B8
		mov	eax, _PopMaxChargeRate
		mov	[ebp+var_A0], eax
		or	eax, edi
		jz	short loc_9B31B8
		mov	eax, ecx
		mov	edx, 0FA0h
		mul	edx
		mov	edx, 0FA0h
		mov	ecx, eax
		mov	eax, ebx
		mul	edx
		push	edi
		push	[ebp+var_A0]
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		mov	ecx, edx
		mov	[ebp+var_B4], eax
		mov	[ebp+var_BC], ecx
		test	ecx, ecx
		ja	short loc_9B31B4
		jb	short loc_9B31A8
		cmp	eax, 5460h
		ja	short loc_9B31B4

loc_9B31A8:				; CODE XREF: PopEstimateChargeTime()+148j
		mov	esi, eax
		mov	[ebp+var_9C], ecx
		mov	bl, 4Fh
		jmp	short loc_9B31BA
; 

loc_9B31B4:				; CODE XREF: PopEstimateChargeTime()+146j
					; PopEstimateChargeTime()+14Fj
		mov	bl, 4Ch
		jmp	short loc_9B31BA
; 

loc_9B31B8:				; CODE XREF: PopEstimateChargeTime()+101j
					; PopEstimateChargeTime()+110j
		mov	bl, 5Ah

loc_9B31BA:				; CODE XREF: PopEstimateChargeTime()+15Bj
					; PopEstimateChargeTime()+15Fj
		mov	edi, [ebp+var_A4]

loc_9B31C0:				; CODE XREF: PopEstimateChargeTime()+56j
					; PopEstimateChargeTime()+C4j
		push	[ebp+var_9C]
		push	esi
		push	dword_6FE094
		push	_PopMaxChargeRate
		push	[ebp+var_94]
		push	[ebp+var_90]
		push	[ebp+var_98]
		push	dword ptr [ebp+var_AC] ; char
		push	(offset	loc_8BD087+5) ;	char *
		push	3		; int
		push	92h		; int
		call	_DbgPrintEx
		add	esp, 2Ch
		cmp	dword_6B23F8, 5
		jbe	loc_9B3308
		mov	eax, [ebp+var_90]
		xor	edx, edx
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+var_94]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+var_B4]
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+var_BC]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_58], eax
		mov	eax, _PopMaxChargeRate
		mov	[ebp+var_C0], eax
		mov	eax, dword_6FE094
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_89]
		mov	[ebp+var_38], eax
		mov	eax, dword ptr [ebp+var_AC]
		mov	[ebp+var_B0], eax
		mov	eax, [ebp+var_98]
		mov	dword ptr [ebp+var_AC],	eax
		lea	eax, [ebp+var_B0]
		push	8
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_89+1]
		push	eax
		push	ecx
		push	edx
		push	edx
		push	offset loc_41FE49
		push	offset dword_6B23F8
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edx
		mov	byte ptr [ebp+var_89], bl
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], 1
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_A0], edi
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9B3308:				; CODE XREF: PopEstimateChargeTime()+1AFj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		mov	edx, [ebp+var_9C]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopEstimateChargeTime@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopRecalculateCBTriggerLevels(x)
_PopRecalculateCBTriggerLevels@4 proc near
					; CODE XREF: PopBatteryApplyCompositeState:loc_9094C6p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		xor	esi, esi
		mov	[ebp+var_4], esi
		mov	edx, esi

loc_9B3334:				; CODE XREF: PopRecalculateCBTriggerLevels(x)+8Ej
		lea	eax, [esi+4]
		mov	ecx, esi
		imul	edi, eax, 18h
		shl	ecx, 4
		add	edi, _PopPolicy
		test	byte ptr dword_6C25F4[ecx], 80h
		jnz	short loc_9B33A4
		mov	eax, [edi+4]
		mov	dword_6C25FC[ecx], eax
		cmp	byte ptr [edi],	0
		jz	short loc_9B33A4
		or	dword_6C25F4[ecx], 80h
		lea	ecx, [ebp+var_4]
		shl	edx, 4
		add	edx, offset dword_6C25F0
		call	PopDiagTraceBatteryTriggerFlags
		mov	esi, [ebp+var_4]
		mov	edi, esi
		shl	edi, 4
		lea	ebx, dword_6C25F0[edi]
		mov	ecx, ebx
		call	PopBatteryCheckTrigger
		test	al, al
		jz	short loc_9B33A4
		or	dword_6C25F4[edi], 2
		lea	ecx, [ebp+var_4]
		mov	edx, ebx
		call	PopDiagTraceBatteryTriggerFlags
		mov	esi, [ebp+var_4]

loc_9B33A4:				; CODE XREF: PopRecalculateCBTriggerLevels(x)+2Dj
					; PopRecalculateCBTriggerLevels(x)+3Bj	...
		inc	esi
		mov	[ebp+var_4], esi
		mov	edx, esi
		cmp	esi, 4
		jb	short loc_9B3334
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopRecalculateCBTriggerLevels@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUsbErrorWNFNotificationCallback(x, x, x,	x, x, x)
_PopUsbErrorWNFNotificationCallback@24 proc near ; DATA	XREF: PopBatteryInitPhaseTwo()+65o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_14]
		push	esi
		push	edi
		push	0Ch
		pop	edi
		push	ecx		; int
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_14], edi
		push	ecx		; void *
		lea	ecx, [ebp+arg_C]
		push	ecx		; int
		push	eax		; int
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9B346A
		cmp	[ebp+var_14], edi
		jz	short loc_9B33F8
		lea	esi, [edi+74h]
		jmp	short loc_9B346A
; 

loc_9B33F8:				; CODE XREF: PopUsbErrorWNFNotificationCallback(x,x,x,x,x,x)+38j
		cmp	[ebp+var_8], 1
		mov	eax, large fs:124h
		push	ebx
		setz	bl
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset dword_6C2650
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		test	bl, bl
		mov	byte_6C264C, bl
		mov	dword_6C2654, eax
		pop	ebx
		jnz	short loc_9B343B
		cmp	dword_6C2648, 1
		jmp	short loc_9B3442
; 

loc_9B343B:				; CODE XREF: PopUsbErrorWNFNotificationCallback(x,x,x,x,x,x)+77j
		cmp	dword_6C2648, 0

loc_9B3442:				; CODE XREF: PopUsbErrorWNFNotificationCallback(x,x,x,x,x,x)+80j
		jnz	short loc_9B344C
		push	40h
		pop	ecx
		call	_PopBatteryQueueWork@4 ; PopBatteryQueueWork(x)

loc_9B344C:				; CODE XREF: PopUsbErrorWNFNotificationCallback(x,x,x,x,x,x):loc_9B3442j
		cmp	dword_6C2654, 0
		jz	short loc_9B345C
		and	dword_6C2654, 0

loc_9B345C:				; CODE XREF: PopUsbErrorWNFNotificationCallback(x,x,x,x,x,x)+9Aj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9B346A:				; CODE XREF: PopUsbErrorWNFNotificationCallback(x,x,x,x,x,x)+33j
					; PopUsbErrorWNFNotificationCallback(x,x,x,x,x,x)+3Dj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_PopUsbErrorWNFNotificationCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorActiveToScreenOffStateHandler(x)
_PopPowerAggregatorActiveToScreenOffStateHandler@4 proc	near ; DATA XREF: PAGEDATA:00A9349Co

var_20		= dword	ptr -20h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		push	esi
		mov	esi, [ebp+arg_0]
		lea	edx, [esp+24h+var_20]
		push	edi
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+28h+var_20]
		rep stosd
		mov	ecx, esi
		mov	[esp+28h+var_20], 3
		call	_PopPowerAggregatorSetCurrentState@8 ; PopPowerAggregatorSetCurrentState(x,x)
		mov	edx, [esi+20h]
		xor	ecx, ecx
		inc	ecx
		call	_PopPowerAggregatorStartNextSession@8 ;	PopPowerAggregatorStartNextSession(x,x)
		cmp	dword_6C09A4, 0
		jz	short loc_9B34C5
		and	dword_6C09A4, 0

loc_9B34C5:				; CODE XREF: PopPowerAggregatorActiveToScreenOffStateHandler(x)+40j
		mov	edi, offset _PopPowerAggregatorLock
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	6
		pop	edx
		push	3
		pop	ecx
		call	PopTransitionTelemetryOsState
		mov	ecx, [esi+20h]
		call	_PopGetMonitorReasonFromPowerEventId@4 ; PopGetMonitorReasonFromPowerEventId(x)
		cmp	eax, 17h
		setz	cl
		call	_PopThermalCsEntry@4 ; PopThermalCsEntry(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		pop	edi
		mov	dword_6C09A4, eax
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_PopPowerAggregatorActiveToScreenOffStateHandler@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorAllowModernStandbyPromotion(x, x)
_PopPowerAggregatorAllowModernStandbyPromotion@8 proc near
					; CODE XREF: PopPowerAggregatorHandleModernStandbyIntent(x,x,x)+71p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	eax, eax
		inc	eax
		cmp	[esi], eax
		jnz	short loc_9B356F
		mov	ecx, [esi+4]
		cmp	ecx, 3
		jnz	short loc_9B353E
		cmp	dword ptr [edx+4], 2
		jnz	short loc_9B3549
		jmp	short loc_9B356D
; 

loc_9B353E:				; CODE XREF: PopPowerAggregatorAllowModernStandbyPromotion(x,x)+12j
		cmp	ecx, 2
		jnz	short loc_9B3549
		cmp	dword ptr [edx+4], 3
		jz	short loc_9B356F

loc_9B3549:				; CODE XREF: PopPowerAggregatorAllowModernStandbyPromotion(x,x)+18j
					; PopPowerAggregatorAllowModernStandbyPromotion(x,x)+1Fj
		mov	ecx, [edx+8]
		cmp	ecx, 4
		jnz	short loc_9B3559
		cmp	dword ptr [edx+20h], 0
		jz	short loc_9B356D
		pop	esi
		retn
; 

loc_9B3559:				; CODE XREF: PopPowerAggregatorAllowModernStandbyPromotion(x,x)+2Dj
		cmp	ecx, 2Bh
		jz	short loc_9B356F
		cmp	ecx, 2Eh
		jz	short loc_9B356F
		cmp	ecx, 2Dh
		jnz	short loc_9B356D
		cmp	[esi+8], ecx
		jnz	short loc_9B356F

loc_9B356D:				; CODE XREF: PopPowerAggregatorAllowModernStandbyPromotion(x,x)+1Aj
					; PopPowerAggregatorAllowModernStandbyPromotion(x,x)+33j ...
		xor	al, al

loc_9B356F:				; CODE XREF: PopPowerAggregatorAllowModernStandbyPromotion(x,x)+Aj
					; PopPowerAggregatorAllowModernStandbyPromotion(x,x)+25j ...
		pop	esi
		retn
_PopPowerAggregatorAllowModernStandbyPromotion@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorAreTargetStatesEqual(x, x)
_PopPowerAggregatorAreTargetStatesEqual@8 proc near
					; CODE XREF: PopPowerAggregatorRecordIntent+A73DFp
					; PopPowerAggregatorRecordIntent+A73F2p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi]
		cmp	edi, [edx]
		jnz	short loc_9B35D4
		mov	eax, [esi+4]
		cmp	eax, [edx+4]
		jnz	short loc_9B35D4
		mov	eax, [esi+8]
		cmp	eax, [edx+8]
		jnz	short loc_9B35D4
		xor	ecx, ecx
		sub	edi, ecx
		jz	short loc_9B35D0
		sub	edi, 1
		jz	short loc_9B35A8
		sub	edi, 1
		jnz	short loc_9B35D0
		mov	al, [esi+18h]
		cmp	al, [edx+18h]
		setz	cl
		jmp	short loc_9B35D6
; 

loc_9B35A8:				; CODE XREF: PopPowerAggregatorAreTargetStatesEqual(x,x)+25j
		mov	eax, [esi+18h]
		cmp	eax, [edx+18h]
		jnz	short loc_9B35D6
		mov	eax, [esi+1Ch]
		cmp	eax, [edx+1Ch]
		jnz	short loc_9B35D6
		mov	eax, [esi+24h]
		cmp	eax, [edx+24h]
		jnz	short loc_9B35D6
		mov	al, [esi+28h]
		cmp	al, [edx+28h]
		jnz	short loc_9B35D6
		mov	al, [esi+29h]
		cmp	al, [edx+29h]
		jnz	short loc_9B35D6

loc_9B35D0:				; CODE XREF: PopPowerAggregatorAreTargetStatesEqual(x,x)+20j
					; PopPowerAggregatorAreTargetStatesEqual(x,x)+2Aj
		mov	cl, 1
		jmp	short loc_9B35D6
; 

loc_9B35D4:				; CODE XREF: PopPowerAggregatorAreTargetStatesEqual(x,x)+Aj
					; PopPowerAggregatorAreTargetStatesEqual(x,x)+12j ...
		xor	cl, cl

loc_9B35D6:				; CODE XREF: PopPowerAggregatorAreTargetStatesEqual(x,x)+35j
					; PopPowerAggregatorAreTargetStatesEqual(x,x)+3Dj ...
		pop	edi
		mov	al, cl
		pop	esi
		retn
_PopPowerAggregatorAreTargetStatesEqual@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorDisengageModernStandby(x)
_PopPowerAggregatorDisengageModernStandby@4 proc near
					; CODE XREF: PopPowerAggregatorModernStandbyEnterStateHandler(x)+Ep
					; PopPowerAggregatorModernStandbyExitStateHandler(x)+4Cp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, [ecx+28h]
		sub	esp, 2Ch
		push	ebx
		mov	ebx, [ecx+64h]
		push	esi
		push	edi
		mov	edi, [ecx+18h]
		cmp	eax, [ecx+50h]
		jnz	short loc_9B3604
		mov	eax, [ecx+2Ch]
		cmp	eax, [ecx+54h]
		jnz	short loc_9B3604
		push	2Fh
		pop	esi
		jmp	short loc_9B3607
; 

loc_9B3604:				; CODE XREF: PopPowerAggregatorDisengageModernStandby(x)+1Aj
					; PopPowerAggregatorDisengageModernStandby(x)+22j
		mov	esi, [ecx+20h]

loc_9B3607:				; CODE XREF: PopPowerAggregatorDisengageModernStandby(x)+27j
		xor	eax, eax
		lea	edx, [esp+38h+var_20]
		mov	[esp+38h+var_1C], eax
		mov	[esp+38h+var_18], eax
		mov	[esp+38h+var_14], eax
		mov	[esp+38h+var_8], eax
		mov	[esp+38h+var_4], eax
		push	4
		pop	eax
		mov	[esp+38h+var_20], eax
		mov	[esp+38h+var_10], eax
		mov	eax, [ecx+5Ch]
		mov	[esp+38h+var_C], eax
		call	_PopPowerAggregatorSetCurrentState@8 ; PopPowerAggregatorSetCurrentState(x,x)
		cmp	dword_6C09A4, 0
		jz	short loc_9B3648
		and	dword_6C09A4, 0

loc_9B3648:				; CODE XREF: PopPowerAggregatorDisengageModernStandby(x)+64j
		xor	edx, edx
		mov	ecx, offset _PopPowerAggregatorLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		call	_PopSleepstudySnapModernStandbySessionData@0 ; PopSleepstudySnapModernStandbySessionData()
		cmp	edi, 1
		jnz	short loc_9B366D
		xor	ecx, ecx
		mov	edx, esi
		inc	ecx
		call	PopSleepstudyStartNextSession

loc_9B366D:				; CODE XREF: PopPowerAggregatorDisengageModernStandby(x)+86j
		push	7
		xor	esi, esi
		lea	edx, [esp+3Ch+var_28]
		pop	ecx
		mov	[esp+38h+var_28], esi
		mov	[esp+38h+var_24], esi
		call	PopDirectedDripsNotify
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		xor	ecx, ecx
		inc	ecx
		call	_PopNetClearConnectivityConstraint@4 ; PopNetClearConnectivityConstraint(x)
		push	7
		pop	ecx
		call	_PopNetClearConnectivityConstraint@4 ; PopNetClearConnectivityConstraint(x)
		mov	_PopAggressiveStandbyAppliedActions, esi
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		push	ebx
		call	dword_6D6FF4
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPowerAggregatorLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		pop	edi
		pop	esi
		mov	dword_6C09A4, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopPowerAggregatorDisengageModernStandby@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorDisplayPoweringOnStateHandler(x)
_PopPowerAggregatorDisplayPoweringOnStateHandler@4 proc	near ; DATA XREF: PAGEDATA:00A934B8o
					; PAGEDATA:00A934C0o

var_20		= dword	ptr -20h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		cmp	byte ptr [esi+58h], 0
		jz	short loc_9B3768
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+28h+var_20]
		rep stosd
		lea	edx, [esp+28h+var_20]
		mov	ecx, esi
		call	_PopPowerAggregatorSetCurrentState@8 ; PopPowerAggregatorSetCurrentState(x,x)
		mov	edx, [esi+20h]
		xor	ecx, ecx
		mov	_PoModernStandbyActionInProgress, 0
		call	_PopPowerAggregatorStartNextSession@8 ;	PopPowerAggregatorStartNextSession(x,x)
		cmp	dword_6C09A4, 0
		jz	short loc_9B3723
		and	dword_6C09A4, 0

loc_9B3723:				; CODE XREF: PopPowerAggregatorDisplayPoweringOnStateHandler(x)+44j
		mov	esi, offset _PopPowerAggregatorLock
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	6
		pop	edx
		push	4
		pop	ecx
		call	PopTransitionTelemetryOsState
		call	_PopThermalCsExit@0 ; PopThermalCsExit()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C09A4, eax

loc_9B3768:				; CODE XREF: PopPowerAggregatorDisplayPoweringOnStateHandler(x)+14j
		pop	edi
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_PopPowerAggregatorDisplayPoweringOnStateHandler@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorEngageAggressiveStandbyActions(x,	x)
_PopPowerAggregatorEngageAggressiveStandbyActions@8 proc near
					; CODE XREF: PopPowerAggregatorScreenOffEnterStateHandler(x)+1B9p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	eax, [esi+8]
		test	al, 2
		jnz	short loc_9B378C
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_9B3793
; 

loc_9B378C:				; CODE XREF: PopPowerAggregatorEngageAggressiveStandbyActions(x,x)+13j
		test	al, 4
		jz	short loc_9B3798
		push	7
		pop	ecx

loc_9B3793:				; CODE XREF: PopPowerAggregatorEngageAggressiveStandbyActions(x,x)+18j
		call	PopNetSetConnectivityConstraint

loc_9B3798:				; CODE XREF: PopPowerAggregatorEngageAggressiveStandbyActions(x,x)+1Cj
		cmp	edi, 4
		jz	short loc_9B37A2
		cmp	edi, 5
		jnz	short loc_9B37B9

loc_9B37A2:				; CODE XREF: PopPowerAggregatorEngageAggressiveStandbyActions(x,x)+29j
		mov	eax, _PopAggressiveStandbyAppliedActions
		mov	ecx, _PopAggressiveStandbyEnabledActions
		xor	ecx, eax
		and	ecx, 1
		xor	eax, ecx
		mov	_PopAggressiveStandbyAppliedActions, eax

loc_9B37B9:				; CODE XREF: PopPowerAggregatorEngageAggressiveStandbyActions(x,x)+2Ej
		mov	eax, _PopAggressiveStandbyAppliedActions
		mov	ecx, _PopAggressiveStandbyEnabledActions
		xor	ecx, eax
		and	ecx, 2
		xor	eax, ecx
		mov	_PopAggressiveStandbyAppliedActions, eax
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		pop	edi
		pop	esi
		pop	ecx
		retn
_PopPowerAggregatorEngageAggressiveStandbyActions@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorForceSessionSwitch(x)
_PopPowerAggregatorForceSessionSwitch@4	proc near
					; CODE XREF: PopPowerSourceChangeCallback+89AF3p
					; PopNotifyLidStateChange(x)+2Fp ...
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopPowerAggregatorLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		cmp	dword_6C09D8, 1
		mov	dword_6C09A4, eax
		jnz	short loc_9B3818
		push	esi
		push	3
		xor	edx, edx
		pop	ecx
		call	_PopPowerAggregatorHandleIntentUnsafe@12 ; PopPowerAggregatorHandleIntentUnsafe(x,x,x)

loc_9B3818:				; CODE XREF: PopPowerAggregatorForceSessionSwitch(x)+32j
		cmp	dword_6C09A4, 0
		jz	short loc_9B3828
		and	dword_6C09A4, 0

loc_9B3828:				; CODE XREF: PopPowerAggregatorForceSessionSwitch(x)+46j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopPowerAggregatorForceSessionSwitch@4	endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorGetModernStandbySessionType(x, x)
_PopPowerAggregatorGetModernStandbySessionType@8 proc near
					; CODE XREF: PopPowerAggregatorHandleModernStandbyIntent(x,x,x)+24p
					; PopPowerAggregatorHandleModernStandbyResumeIntent(x,x,x)+29p
		mov	edi, edi
		push	ebx
		mov	bl, dl
		xor	eax, eax
		mov	edx, [ecx+8]
		test	dl, 8
		jz	short loc_9B3857
		push	2
		pop	eax
		test	dl, 1
		jnz	short loc_9B3857
		cmp	dword ptr [ecx], 1
		jnz	short loc_9B3857
		push	4
		pop	eax

loc_9B3857:				; CODE XREF: PopPowerAggregatorGetModernStandbySessionType(x,x)+Dj
					; PopPowerAggregatorGetModernStandbySessionType(x,x)+15j ...
		test	bl, bl
		pop	ebx
		jz	short locret_9B385D
		inc	eax

locret_9B385D:				; CODE XREF: PopPowerAggregatorGetModernStandbySessionType(x,x)+22j
		retn
_PopPowerAggregatorGetModernStandbySessionType@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorHandleActiveIntent(x, x, x)
_PopPowerAggregatorHandleActiveIntent@12 proc near ; DATA XREF:	PAGEDATA:00A93478o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+18h]
		sub	eax, 0
		jz	short loc_9B388E
		sub	eax, 1
		jz	short loc_9B387F
		sub	eax, 1
		jz	short loc_9B388E
		mov	eax, 0C000A003h
		jmp	short loc_9B389A
; 

loc_9B387F:				; CODE XREF: PopPowerAggregatorHandleActiveIntent(x,x,x)+13j
		movzx	eax, byte ptr [ecx+40h]
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000001h
		jmp	short loc_9B3890
; 

loc_9B388E:				; CODE XREF: PopPowerAggregatorHandleActiveIntent(x,x,x)+Ej
					; PopPowerAggregatorHandleActiveIntent(x,x,x)+18j
		xor	eax, eax

loc_9B3890:				; CODE XREF: PopPowerAggregatorHandleActiveIntent(x,x,x)+2Ej
		test	eax, eax
		js	short loc_9B389A
		mov	ecx, [ebp+arg_4]
		and	dword ptr [ecx], 0

loc_9B389A:				; CODE XREF: PopPowerAggregatorHandleActiveIntent(x,x,x)+1Fj
					; PopPowerAggregatorHandleActiveIntent(x,x,x)+34j
		pop	ebp
		retn	0Ch
_PopPowerAggregatorHandleActiveIntent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorHandleDirectedDripsIntent(x, x, x)
_PopPowerAggregatorHandleDirectedDripsIntent@12	proc near ; DATA XREF: PAGEDATA:00A93484o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+18h]
		sub	eax, 1
		jz	short loc_9B38B6
		mov	eax, 0C000A003h
		jmp	short loc_9B38D6
; 

loc_9B38B6:				; CODE XREF: PopPowerAggregatorHandleDirectedDripsIntent(x,x,x)+Fj
		mov	ecx, [ebp+arg_4]
		push	edi
		mov	dword ptr [ecx], 1
		lea	edi, [ecx+1Ch]
		mov	eax, [esi+30h]
		add	esi, 34h
		mov	[ecx+18h], eax
		xor	eax, eax
		movsd
		movsd
		movsd
		mov	byte ptr [ecx+29h], 1
		pop	edi

loc_9B38D6:				; CODE XREF: PopPowerAggregatorHandleDirectedDripsIntent(x,x,x)+16j
		pop	esi
		pop	ebp
		retn	0Ch
_PopPowerAggregatorHandleDirectedDripsIntent@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorHandleIntent(x, x, x)
_PopPowerAggregatorHandleIntent@12 proc	near
					; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+1D1p
					; PopTriggerMonitorPowerEvent(x,x)+DFp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	esi, edx
		mov	edi, ecx
		nop
		mov	ebx, offset _PopPowerAggregatorLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	edx, esi
		push	[ebp+arg_0]
		mov	ecx, edi
		mov	dword_6C09A4, eax
		call	_PopPowerAggregatorHandleIntentUnsafe@12 ; PopPowerAggregatorHandleIntentUnsafe(x,x,x)
		cmp	dword_6C09A4, 0
		mov	esi, eax
		jz	short loc_9B392C
		and	dword_6C09A4, 0

loc_9B392C:				; CODE XREF: PopPowerAggregatorHandleIntent(x,x,x)+48j
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PopPowerAggregatorHandleIntent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorHandleModernStandbyIntent(x, x, x)
_PopPowerAggregatorHandleModernStandbyIntent@12	proc near ; DATA XREF: PAGEDATA:00A9347Co
					; PAGEDATA:00A93480o

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_C]
		sub	esp, 0Ch
		cmp	[ebp+arg_8], 2
		setz	dl
		push	ebx
		push	esi
		push	edi
		lea	esi, [eax+8]
		lea	edi, [ebp+var_C]
		movsd
		lea	ebx, [eax+18h]
		movsd
		movsd
		call	_PopPowerAggregatorGetModernStandbySessionType@8 ; PopPowerAggregatorGetModernStandbySessionType(x,x)
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	short loc_9B3983
		cmp	ecx, 1
		jz	short loc_9B3983
		cmp	ecx, 2
		jz	short loc_9B3983
		mov	eax, 0C000A003h
		jmp	short loc_9B39C8
; 

loc_9B3983:				; CODE XREF: PopPowerAggregatorHandleModernStandbyIntent(x,x,x)+2Dj
					; PopPowerAggregatorHandleModernStandbyIntent(x,x,x)+32j ...
		mov	edx, [ebp+arg_4]
		lea	esi, [ebp+var_C]
		xor	ecx, ecx
		inc	ecx
		lea	edi, [edx+1Ch]
		mov	[edx], ecx
		movsd
		mov	[edx+18h], eax
		movsd
		movsd
		cmp	[ebx], ecx
		jnz	short loc_9B39A6
		mov	eax, [ebp+arg_0]
		mov	al, [eax+40h]
		mov	[edx+28h], al
		jmp	short loc_9B39B2
; 

loc_9B39A6:				; CODE XREF: PopPowerAggregatorHandleModernStandbyIntent(x,x,x)+56j
		cmp	_PopPowerAggregatorOneWayEntry,	0
		jz	short loc_9B39B2
		mov	[edx+28h], cl

loc_9B39B2:				; CODE XREF: PopPowerAggregatorHandleModernStandbyIntent(x,x,x)+61j
					; PopPowerAggregatorHandleModernStandbyIntent(x,x,x)+6Aj
		mov	ecx, ebx
		call	_PopPowerAggregatorAllowModernStandbyPromotion@8 ; PopPowerAggregatorAllowModernStandbyPromotion(x,x)
		test	al, al
		jnz	short loc_9B39C6
		push	0Ch
		pop	ecx
		mov	esi, ebx
		mov	edi, edx
		rep movsd

loc_9B39C6:				; CODE XREF: PopPowerAggregatorHandleModernStandbyIntent(x,x,x)+78j
		xor	eax, eax

loc_9B39C8:				; CODE XREF: PopPowerAggregatorHandleModernStandbyIntent(x,x,x)+3Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PopPowerAggregatorHandleModernStandbyIntent@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorHandleModernStandbyResumeIntent(x, x, x)
_PopPowerAggregatorHandleModernStandbyResumeIntent@12 proc near
					; DATA XREF: PAGEDATA:00A9348Co

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	esp, 0Ch
		cmp	dword ptr [eax+18h], 2
		jz	short loc_9B39E7
		mov	eax, 0C000A003h
		jmp	short locret_9B3A18
; 

loc_9B39E7:				; CODE XREF: PopPowerAggregatorHandleModernStandbyResumeIntent(x,x,x)+Fj
		mov	dl, [eax+30h]
		lea	ecx, [ebp+var_C]
		push	esi
		push	edi
		lea	esi, [eax+8]
		lea	edi, [ebp+var_C]
		movsd
		movsd
		movsd
		call	_PopPowerAggregatorGetModernStandbySessionType@8 ; PopPowerAggregatorGetModernStandbySessionType(x,x)
		mov	ecx, eax
		lea	esi, [ebp+var_C]
		mov	eax, [ebp+arg_4]
		lea	edi, [eax+1Ch]
		mov	dword ptr [eax], 1
		movsd
		mov	[eax+18h], ecx
		xor	eax, eax
		movsd
		movsd
		pop	edi
		pop	esi

locret_9B3A18:				; CODE XREF: PopPowerAggregatorHandleModernStandbyResumeIntent(x,x,x)+16j
		leave
		retn	0Ch
_PopPowerAggregatorHandleModernStandbyResumeIntent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorHandleModernStandbySuspendIntent(x, x, x)
_PopPowerAggregatorHandleModernStandbySuspendIntent@12 proc near
					; DATA XREF: PAGEDATA:00A93488o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		add	esi, 18h
		mov	eax, [esi]
		sub	eax, edx
		jz	short loc_9B3A6E
		sub	eax, 1
		jz	short loc_9B3A41
		sub	eax, 1
		jz	short loc_9B3A6E
		mov	edx, 0C000A003h
		jmp	short loc_9B3A78
; 

loc_9B3A41:				; CODE XREF: PopPowerAggregatorHandleModernStandbySuspendIntent(x,x,x)+17j
		cmp	[esi+28h], dl
		jz	short loc_9B3A4D
		mov	edx, 0C0000001h
		jmp	short loc_9B3A78
; 

loc_9B3A4D:				; CODE XREF: PopPowerAggregatorHandleModernStandbySuspendIntent(x,x,x)+28j
		mov	ecx, [ebp+arg_4]
		mov	eax, [esi+18h]
		mov	dword ptr [ecx], 2
		cmp	eax, 5
		jz	short loc_9B3A68
		cmp	eax, 3
		jz	short loc_9B3A68
		cmp	eax, 1
		jnz	short loc_9B3A78

loc_9B3A68:				; CODE XREF: PopPowerAggregatorHandleModernStandbySuspendIntent(x,x,x)+40j
					; PopPowerAggregatorHandleModernStandbySuspendIntent(x,x,x)+45j
		mov	byte ptr [ecx+18h], 1
		jmp	short loc_9B3A78
; 

loc_9B3A6E:				; CODE XREF: PopPowerAggregatorHandleModernStandbySuspendIntent(x,x,x)+12j
					; PopPowerAggregatorHandleModernStandbySuspendIntent(x,x,x)+1Cj
		push	edi
		mov	edi, [ebp+arg_4]
		push	0Ch
		pop	ecx
		rep movsd
		pop	edi

loc_9B3A78:				; CODE XREF: PopPowerAggregatorHandleModernStandbySuspendIntent(x,x,x)+23j
					; PopPowerAggregatorHandleModernStandbySuspendIntent(x,x,x)+2Fj ...
		mov	eax, edx
		pop	esi
		pop	ebp
		retn	0Ch
_PopPowerAggregatorHandleModernStandbySuspendIntent@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorLockAcquire()
_PopPowerAggregatorLockAcquire@0 proc near
					; CODE XREF: PopPowerAggregatorModernStandbyExitStateHandler(x)+35p
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPowerAggregatorLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C09A4, eax
		retn
_PopPowerAggregatorLockAcquire@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorLockRelease()
_PopPowerAggregatorLockRelease@0 proc near
					; CODE XREF: PopPowerAggregatorModernStandbyExitStateHandler(x):loc_9B3B2Cp
		cmp	dword_6C09A4, 0
		jz	short loc_9B3AB5
		and	dword_6C09A4, 0

loc_9B3AB5:				; CODE XREF: PopPowerAggregatorLockRelease()+7j
		xor	edx, edx
		mov	ecx, offset _PopPowerAggregatorLock
		call	ExReleasePushLockEx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopPowerAggregatorLockRelease@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorModernStandbyEnterStateHandler(x)
_PopPowerAggregatorModernStandbyEnterStateHandler@4 proc near
					; DATA XREF: PAGEDATA:00A934ACo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		cmp	byte ptr [ecx+60h], 0
		jz	short loc_9B3ADB
		call	_PopPowerAggregatorDisengageModernStandby@4 ; PopPowerAggregatorDisengageModernStandby(x)
		jmp	short loc_9B3B00
; 

loc_9B3ADB:				; CODE XREF: PopPowerAggregatorModernStandbyEnterStateHandler(x)+Cj
		mov	eax, [ecx+50h]
		cmp	eax, [ecx+28h]
		jnz	short loc_9B3AEB
		mov	eax, [ecx+54h]
		cmp	eax, [ecx+2Ch]
		jz	short loc_9B3B00

loc_9B3AEB:				; CODE XREF: PopPowerAggregatorModernStandbyEnterStateHandler(x)+1Bj
		cmp	byte ptr [ecx+68h], 0
		jnz	short loc_9B3B00
		push	1
		lea	eax, [ecx+6Ch]
		mov	byte ptr [ecx+68h], 1
		push	eax
		call	ExQueueWorkItem

loc_9B3B00:				; CODE XREF: PopPowerAggregatorModernStandbyEnterStateHandler(x)+13j
					; PopPowerAggregatorModernStandbyEnterStateHandler(x)+23j ...
		xor	eax, eax
		pop	ebp
		retn	4
_PopPowerAggregatorModernStandbyEnterStateHandler@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorModernStandbyExitStateHandler(x)
_PopPowerAggregatorModernStandbyExitStateHandler@4 proc	near ; DATA XREF: PAGEDATA:00A934A8o
					; PAGEDATA:00A934B0o ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		inc	edi
		mov	eax, [esi+58h]
		test	eax, eax
		jz	short loc_9B3B2C
		cmp	eax, edi
		jz	short loc_9B3B50
		jle	short loc_9B3B57
		cmp	eax, 3
		jle	short loc_9B3B2C
		cmp	eax, 4
		jz	short loc_9B3B47
		jmp	short loc_9B3B57
; 

loc_9B3B2C:				; CODE XREF: PopPowerAggregatorModernStandbyExitStateHandler(x)+12j
					; PopPowerAggregatorModernStandbyExitStateHandler(x)+1Dj
		call	_PopPowerAggregatorLockRelease@0 ; PopPowerAggregatorLockRelease()
		call	_PdcPoPerfOverride@0 ; PdcPoPerfOverride()
		call	_PopPdcDisengagePhases@0 ; PopPdcDisengagePhases()
		call	_PopPowerAggregatorLockAcquire@0 ; PopPowerAggregatorLockAcquire()
		mov	dword ptr [esi+58h], 4

loc_9B3B47:				; CODE XREF: PopPowerAggregatorModernStandbyExitStateHandler(x)+22j
		cmp	byte ptr [esi+60h], 0
		jz	short loc_9B3B57
		mov	[esi+58h], edi

loc_9B3B50:				; CODE XREF: PopPowerAggregatorModernStandbyExitStateHandler(x)+16j
		mov	ecx, esi
		call	_PopPowerAggregatorDisengageModernStandby@4 ; PopPowerAggregatorDisengageModernStandby(x)

loc_9B3B57:				; CODE XREF: PopPowerAggregatorModernStandbyExitStateHandler(x)+18j
					; PopPowerAggregatorModernStandbyExitStateHandler(x)+24j ...
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	4
_PopPowerAggregatorModernStandbyExitStateHandler@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorNotifyCsStateExited()
_PopPowerAggregatorNotifyCsStateExited@0 proc near
					; CODE XREF: PopPowerAggregatorScreenOffActiveToActiveStateHandler(x)+4Fp

var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_17		= word ptr -17h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		or	[ebp+var_4], 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	edi
		push	6
		pop	ecx
		lea	edi, [ebp+var_1C]
		rep stosd
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		call	_PopBlockSessionSwitch@8 ; PopBlockSessionSwitch(x,x)
		xor	ebx, ebx
		cmp	ds:_TtmpEnabled, 1
		jnz	short loc_9B3B97
		mov	ecx, [ebp+var_4]
		call	_TtmNotifyLowPowerStateExited@4	; TtmNotifyLowPowerStateExited(x)
		jmp	short loc_9B3BC3
; 

loc_9B3B97:				; CODE XREF: PopPowerAggregatorNotifyCsStateExited()+2Cj
		xor	eax, eax
		mov	[ebp+var_15], bl
		push	5
		pop	ecx
		mov	[ebp+var_17], ax
		lea	edx, [ebp+var_1C]
		lea	eax, [ebp+var_4]
		mov	[ebp+var_1C], ecx
		push	eax
		push	1
		mov	[ebp+var_18], bl
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		call	PopInvokeWin32Callout

loc_9B3BC3:				; CODE XREF: PopPowerAggregatorNotifyCsStateExited()+36j
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		call	_PopBlockSessionSwitch@8 ; PopBlockSessionSwitch(x,x)
		pop	edi
		pop	ebx
		leave
		retn
_PopPowerAggregatorNotifyCsStateExited@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorNotifyPdcPhasesExit()
_PopPowerAggregatorNotifyPdcPhasesExit@0 proc near ; CODE XREF:	PopNotifyCsStateExited()j
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopPowerAggregatorLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, offset _PopPowerAggregatorContext
		mov	dword_6C09A4, eax
		call	_PopPowerAggregatorScheduleWorker@4 ; PopPowerAggregatorScheduleWorker(x)
		push	0
		xor	edx, edx
		mov	ecx, offset _POP_ETW_EVENT_POWER_AGGREGATOR_PDC_PHASES_EXITED
		call	PopPowerAggregatorDiagTraceEvent
		cmp	dword_6C09A4, 0
		jz	short loc_9B3C21
		and	dword_6C09A4, 0

loc_9B3C21:				; CODE XREF: PopPowerAggregatorNotifyPdcPhasesExit()+47j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopPowerAggregatorNotifyPdcPhasesExit@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorNotifyPdcSleepTransition(x, x)
_PopPowerAggregatorNotifyPdcSleepTransition@8 proc near
					; CODE XREF: PdcPoCurrentPdcPhase(x,x,x)+A9p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, edx
		mov	bl, cl
		nop
		xor	edx, edx
		mov	ecx, offset _PopPowerAggregatorLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C09A4, eax
		mov	eax, dword_6C0A08
		push	0
		pop	ecx
		sub	eax, 1
		jz	short loc_9B3CA4
		sub	eax, 3
		jz	short loc_9B3C75
		mov	esi, 0C000000Dh
		jmp	short loc_9B3CDA
; 

loc_9B3C75:				; CODE XREF: PopPowerAggregatorNotifyPdcSleepTransition(x,x)+3Cj
		test	bl, bl
		jz	short loc_9B3C88
		mov	byte_6C0A20, 1
		mov	dword_6C0A24, edi
		jmp	short loc_9B3C94
; 

loc_9B3C88:				; CODE XREF: PopPowerAggregatorNotifyPdcSleepTransition(x,x)+47j
		mov	byte_6C0A20, cl
		mov	dword_6C0A24, ecx

loc_9B3C94:				; CODE XREF: PopPowerAggregatorNotifyPdcSleepTransition(x,x)+56j
		movzx	esi, bl
		mov	eax, 103h
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jmp	short loc_9B3CCC
; 

loc_9B3CA4:				; CODE XREF: PopPowerAggregatorNotifyPdcSleepTransition(x,x)+37j
		test	bl, bl
		jz	short loc_9B3CB8
		mov	byte_6C0A20, cl
		mov	esi, ecx
		mov	dword_6C0A24, ecx
		jmp	short loc_9B3CDA
; 

loc_9B3CB8:				; CODE XREF: PopPowerAggregatorNotifyPdcSleepTransition(x,x)+76j
		mov	eax, 103h
		mov	byte_6C0A20, 1
		mov	dword_6C0A24, edi
		mov	esi, eax

loc_9B3CCC:				; CODE XREF: PopPowerAggregatorNotifyPdcSleepTransition(x,x)+72j
		cmp	esi, eax
		jnz	short loc_9B3CDA
		mov	ecx, offset _PopPowerAggregatorContext
		call	_PopPowerAggregatorScheduleWorker@4 ; PopPowerAggregatorScheduleWorker(x)

loc_9B3CDA:				; CODE XREF: PopPowerAggregatorNotifyPdcSleepTransition(x,x)+43j
					; PopPowerAggregatorNotifyPdcSleepTransition(x,x)+86j ...
		push	esi
		push	offset dword_6C0A08
		push	offset dword_6C09D8
		mov	edx, edi
		mov	cl, bl
		call	_PopPowerAggregatorDiagTracePdcSleepTransition@20 ; PopPowerAggregatorDiagTracePdcSleepTransition(x,x,x,x,x)
		cmp	dword_6C09A4, 0
		jz	short loc_9B3CFE
		and	dword_6C09A4, 0

loc_9B3CFE:				; CODE XREF: PopPowerAggregatorNotifyPdcSleepTransition(x,x)+C5j
		xor	edx, edx
		mov	ecx, offset _PopPowerAggregatorLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_PopPowerAggregatorNotifyPdcSleepTransition@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorNotifyResiliencyReached()
_PopPowerAggregatorNotifyResiliencyReached@0 proc near
					; CODE XREF: PdcPoCurrentPdcPhase(x,x,x)+35p
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopPowerAggregatorLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	edx, large fs:124h
		mov	eax, dword_6C09D8
		mov	dword_6C09A4, edx
		sub	eax, 1
		jnz	short loc_9B3D4E
		mov	byte_6C0A00, al

loc_9B3D4E:				; CODE XREF: PopPowerAggregatorNotifyResiliencyReached()+32j
		test	edx, edx
		jz	short loc_9B3D59
		and	dword_6C09A4, 0

loc_9B3D59:				; CODE XREF: PopPowerAggregatorNotifyResiliencyReached()+3Bj
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopPowerAggregatorNotifyResiliencyReached@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorScreenOffActiveToActiveStateHandler(x)
_PopPowerAggregatorScreenOffActiveToActiveStateHandler@4 proc near
					; DATA XREF: PAGEDATA:00A934C8o
					; PAGEDATA:00A934D0o

var_20		= dword	ptr -20h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		push	esi
		push	edi
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+28h+var_20]
		rep stosd
		mov	ecx, [ebp+arg_0]
		lea	edx, [esp+28h+var_20]
		mov	[esp+28h+var_20], 2
		call	_PopPowerAggregatorSetCurrentState@8 ; PopPowerAggregatorSetCurrentState(x,x)
		cmp	dword_6C09A4, 0
		jz	short loc_9B3DA4
		and	dword_6C09A4, 0

loc_9B3DA4:				; CODE XREF: PopPowerAggregatorScreenOffActiveToActiveStateHandler(x)+33j
		mov	esi, offset _PopPowerAggregatorLock
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		call	_PopPowerAggregatorNotifyCsStateExited@0 ; PopPowerAggregatorNotifyCsStateExited()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		pop	edi
		mov	dword_6C09A4, eax
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_PopPowerAggregatorScreenOffActiveToActiveStateHandler@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorScreenOffEnterStateHandler(x)
_PopPowerAggregatorScreenOffEnterStateHandler@4	proc near ; DATA XREF: PAGEDATA:00A934CCo
					; PAGEDATA:00A934DCo

var_42		= byte ptr -42h
var_3E		= byte ptr -3Eh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	8
		cmp	dword ptr [ebx+48h], 3
		lea	edi, [esp+54h+var_20]
		pop	ecx
		rep stosd
		jnz	short loc_9B3E43
		mov	eax, [ebx+30h]
		lea	edx, [esp+50h+var_20]
		xor	esi, esi
		mov	[esp+50h+var_20], 4
		mov	ecx, ebx
		mov	[esp+50h+var_1C], esi
		mov	[esp+50h+var_18], esi
		mov	[esp+50h+var_14], esi
		mov	[esp+50h+var_10], esi
		mov	[esp+50h+var_8], esi
		mov	[esp+50h+var_4], esi
		mov	[esp+50h+var_C], eax
		call	_PopPowerAggregatorSetCurrentState@8 ; PopPowerAggregatorSetCurrentState(x,x)
		jmp	loc_9B4007
; 

loc_9B3E43:				; CODE XREF: PopPowerAggregatorScreenOffEnterStateHandler(x)+20j
		mov	eax, [ebx+28h]
		cmp	eax, [ebx+50h]
		jnz	loc_9B3FD4
		mov	eax, [ebx+2Ch]
		cmp	eax, [ebx+54h]
		jnz	loc_9B3FD4
		mov	al, [ebx+41h]
		lea	esi, [ebx+34h]
		mov	edx, [ebx+5Ch]
		lea	edi, [esp+50h+var_2C]
		movsd
		mov	[esp+13h], al
		mov	eax, [ebx+58h]
		mov	[esp+50h+var_3C], edx
		movsd
		movsd
		test	eax, eax
		js	loc_9B4007
		xor	esi, esi
		cmp	eax, 1
		jle	short loc_9B3E9E
		cmp	eax, 2
		jz	short loc_9B3EFC
		mov	ecx, edx
		cmp	eax, 3
		jz	loc_9B3F1A
		cmp	eax, 4
		jnz	loc_9B4007

loc_9B3E9E:				; CODE XREF: PopPowerAggregatorScreenOffEnterStateHandler(x)+9Bj
		mov	edi, ds:_PopPowerAggregatorModernStandbyResourceMasks[edx*4]
		cmp	dword_6C09A4, esi
		jz	short loc_9B3EB3
		mov	dword_6C09A4, esi

loc_9B3EB3:				; CODE XREF: PopPowerAggregatorScreenOffEnterStateHandler(x)+C3j
		xor	edx, edx
		mov	ecx, offset _PopPowerAggregatorLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, dword_6D6FDC
		test	eax, eax
		jz	short loc_9B3ED0
		push	edi
		call	eax

loc_9B3ED0:				; CODE XREF: PopPowerAggregatorScreenOffEnterStateHandler(x)+E3j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPowerAggregatorLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C09A4, eax
		mov	dword ptr [ebx+58h], 2

loc_9B3EFC:				; CODE XREF: PopPowerAggregatorScreenOffEnterStateHandler(x)+A0j
		cmp	byte ptr [ebx+68h], 0
		jnz	loc_9B4007
		cmp	byte ptr [ebx+60h], 0
		jz	loc_9B4007
		mov	ecx, [ebx+5Ch]
		mov	dword ptr [ebx+58h], 3

loc_9B3F1A:				; CODE XREF: PopPowerAggregatorScreenOffEnterStateHandler(x)+A7j
		mov	edi, [ebx+64h]
		lea	edx, [esp+54h+var_24]
		mov	[esp+54h+var_10], ecx
		mov	ecx, ebx
		mov	[esp+54h+var_20], esi
		mov	[esp+54h+var_1C], esi
		mov	[esp+54h+var_18], esi
		mov	[esp+54h+var_14], esi
		mov	[esp+54h+var_C], esi
		mov	[esp+54h+var_8], esi
		mov	[esp+54h+var_24], 1
		call	_PopPowerAggregatorSetCurrentState@8 ; PopPowerAggregatorSetCurrentState(x,x)
		mov	edx, [ebx+4Ch]
		push	2
		pop	ecx
		call	_PopPowerAggregatorStartNextSession@8 ;	PopPowerAggregatorStartNextSession(x,x)
		cmp	dword_6C09A4, esi
		jz	short loc_9B3F65
		mov	dword_6C09A4, esi

loc_9B3F65:				; CODE XREF: PopPowerAggregatorScreenOffEnterStateHandler(x)+175j
		xor	edx, edx
		mov	ecx, offset _PopPowerAggregatorLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	bl, [esp+13h]
		mov	cl, bl
		call	_PopDripsWatchdogNotifySessionStart@4 ;	PopDripsWatchdogNotifySessionStart(x)
		push	6
		mov	[esp+58h+var_3C], esi
		lea	edx, [esp+58h+var_3C]
		pop	ecx
		mov	[esp+54h+var_38], esi
		mov	byte ptr [esp+54h+var_3C], bl
		call	PopDirectedDripsNotify
		mov	ecx, [esp+14h]
		lea	edx, [esp+54h+var_30]
		call	_PopPowerAggregatorEngageAggressiveStandbyActions@8 ; PopPowerAggregatorEngageAggressiveStandbyActions(x,x)
		push	edi
		call	dword_6D6FF4
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPowerAggregatorLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C09A4, eax
		jmp	short loc_9B4007
; 

loc_9B3FD4:				; CODE XREF: PopPowerAggregatorScreenOffEnterStateHandler(x)+61j
					; PopPowerAggregatorScreenOffEnterStateHandler(x)+6Dj
		mov	eax, [ebx+30h]
		lea	edx, [esp+50h+var_20]
		mov	[esp+50h+var_C], eax
		mov	ecx, ebx
		mov	al, [ebx+60h]
		mov	byte ptr [esp+50h+var_8], al
		mov	eax, [ebx+64h]
		mov	[esp+50h+var_20], 4
		mov	[esp+50h+var_4], eax
		call	_PopPowerAggregatorSetCurrentState@8 ; PopPowerAggregatorSetCurrentState(x,x)
		mov	edx, [ebx+20h]
		xor	ecx, ecx
		inc	ecx
		call	_PopPowerAggregatorStartNextSession@8 ;	PopPowerAggregatorStartNextSession(x,x)

loc_9B4007:				; CODE XREF: PopPowerAggregatorScreenOffEnterStateHandler(x)+56j
					; PopPowerAggregatorScreenOffEnterStateHandler(x)+90j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_PopPowerAggregatorScreenOffEnterStateHandler@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorScreenOffExitStateHandler(x)
_PopPowerAggregatorScreenOffExitStateHandler@4 proc near ; DATA	XREF: PAGEDATA:00A934D8o
					; PAGEDATA:00A934E0o ...

var_20		= dword	ptr -20h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, offset _PopPowerAggregatorLock
		mov	eax, [esi+58h]
		test	eax, eax
		jz	short loc_9B404D
		cmp	eax, 1
		jz	loc_9B410D
		jle	loc_9B412B
		cmp	eax, 3
		jle	short loc_9B404D
		cmp	eax, 4
		jz	short loc_9B40AD
		jmp	loc_9B412B
; 

loc_9B404D:				; CODE XREF: PopPowerAggregatorScreenOffExitStateHandler(x)+1Bj
					; PopPowerAggregatorScreenOffExitStateHandler(x)+2Fj
		cmp	dword_6C09A4, 0
		jz	short loc_9B405D
		and	dword_6C09A4, 0

loc_9B405D:				; CODE XREF: PopPowerAggregatorScreenOffExitStateHandler(x)+42j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		call	_PpmBeginHighPerfRequest@0 ; PpmBeginHighPerfRequest()
		xor	cl, cl
		call	_PpmDisableHighPerfRequestDeferredExpiration@4 ; PpmDisableHighPerfRequestDeferredExpiration(x)
		xor	ecx, ecx
		inc	ecx
		call	PpmEndHighPerfRequest
		call	_PopPdcDisengagePhases@0 ; PopPdcDisengagePhases()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C09A4, eax
		mov	dword ptr [esi+58h], 4

loc_9B40AD:				; CODE XREF: PopPowerAggregatorScreenOffExitStateHandler(x)+34j
		cmp	dword_6C09A4, 0
		jz	short loc_9B40BD
		and	dword_6C09A4, 0

loc_9B40BD:				; CODE XREF: PopPowerAggregatorScreenOffExitStateHandler(x)+A2j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		call	_PopPdcDisengagePhases@0 ; PopPdcDisengagePhases()
		mov	eax, dword_6D6FE8
		mov	bl, 1
		test	eax, eax
		jz	short loc_9B40DF
		call	eax
		mov	bl, al

loc_9B40DF:				; CODE XREF: PopPowerAggregatorScreenOffExitStateHandler(x)+C7j
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C09A4, eax
		test	bl, bl
		jz	short loc_9B412B
		mov	dword ptr [esi+58h], 1

loc_9B410D:				; CODE XREF: PopPowerAggregatorScreenOffExitStateHandler(x)+20j
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [esp+30h+var_20]
		rep stosd
		lea	edx, [esp+30h+var_20]
		mov	[esp+30h+var_20], 3
		mov	ecx, esi
		call	_PopPowerAggregatorSetCurrentState@8 ; PopPowerAggregatorSetCurrentState(x,x)

loc_9B412B:				; CODE XREF: PopPowerAggregatorScreenOffExitStateHandler(x)+26j
					; PopPowerAggregatorScreenOffExitStateHandler(x)+36j ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_PopPowerAggregatorScreenOffExitStateHandler@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorSessionSwitchWorker(x)
_PopPowerAggregatorSessionSwitchWorker@4 proc near
					; DATA XREF: PopPowerAggregatorInitialize(x)+5Fo

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		mov	eax, large fs:124h
		sub	esp, 10h
		push	ebx
		xor	bl, bl
		dec	word ptr [eax+13Ch]
		push	esi
		nop
		mov	esi, offset _PopPowerAggregatorLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	bh, byte_6C0A29
		mov	dword_6C09A4, eax
		test	bh, bh
		jz	short loc_9B418D
		mov	ecx, offset _PopPowerAggregatorContext
		mov	word ptr unk_6C0A28, 0
		inc	bl
		call	_PopPowerAggregatorScheduleWorker@4 ; PopPowerAggregatorScheduleWorker(x)
		jmp	short loc_9B4194
; 

loc_9B418D:				; CODE XREF: PopPowerAggregatorSessionSwitchWorker(x)+3Ej
		mov	byte_6C0A29, 1

loc_9B4194:				; CODE XREF: PopPowerAggregatorSessionSwitchWorker(x)+55j
		cmp	dword_6C09A4, 0
		jz	short loc_9B41A4
		and	dword_6C09A4, 0

loc_9B41A4:				; CODE XREF: PopPowerAggregatorSessionSwitchWorker(x)+65j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	bl, bl
		jz	short loc_9B41BF
		xor	dl, dl
		call	_PdcTaskClientRequest@8	; PdcTaskClientRequest(x,x)
		jmp	short loc_9B41F6
; 

loc_9B41BF:				; CODE XREF: PopPowerAggregatorSessionSwitchWorker(x)+7Ej
		test	bh, bh
		jnz	short loc_9B41F6
		mov	dl, 1
		call	_PdcTaskClientRequest@8	; PdcTaskClientRequest(x,x)
		or	[esp+18h+var_8], 0FFFFFFFFh
		lea	eax, [esp+18h+var_10]
		or	[esp+18h+var_4], 0FFFFFFFFh
		xor	ecx, ecx
		push	eax
		push	ecx
		push	ecx
		push	0FFFFFFFFh
		push	0FD050F80h
		push	offset unk_6C0A40
		mov	[esp+30h+var_10], ecx
		mov	[esp+30h+var_C], ecx
		call	KeSetTimer2

loc_9B41F6:				; CODE XREF: PopPowerAggregatorSessionSwitchWorker(x)+87j
					; PopPowerAggregatorSessionSwitchWorker(x)+8Bj
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_PopPowerAggregatorSessionSwitchWorker@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorSnapDiagnosticContext(x)
_PopPowerAggregatorSnapDiagnosticContext@4 proc	near
					; CODE XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+90p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		and	dword ptr [edi], 0
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PopPowerAggregatorLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		push	67696450h
		push	1308h
		push	1
		mov	dword_6C09A4, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9B4259
		push	1308h		; size_t
		push	offset _PopPowerAggregatorContext ; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[edi], esi

loc_9B4259:				; CODE XREF: PopPowerAggregatorSnapDiagnosticContext(x)+44j
		cmp	dword_6C09A4, 0
		jz	short loc_9B4269
		and	dword_6C09A4, 0

loc_9B4269:				; CODE XREF: PopPowerAggregatorSnapDiagnosticContext(x)+62j
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopPowerAggregatorSnapDiagnosticContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEvaluateInputSuppressionAction()
_PopEvaluateInputSuppressionAction@0 proc near
					; CODE XREF: PopBroadcastInputSuppressionCallback:loc_90C950p
					; PopExternalMonitorUpdatedWorker+82EE2p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		and	[esp+2Ch+var_28], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+38h+var_18]
		stosd
		stosd
		stosd
		stosd
		stosd
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopInputSuppressionLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		cmp	_PopLidOpened, 0
		mov	cl, _PopConsoleExternalDisplayConnected
		setz	bl
		mov	dword_6C099C, eax
		xor	edi, edi
		mov	byte ptr [esp+38h+var_20], cl
		inc	edi
		cmp	dword_6C2D0C, edi
		setz	dl
		cmp	_PopConsoleDisplayState, 0
		mov	byte ptr [esp+38h+var_1C], dl
		setz	al
		cmp	_PopErrataReportingIncorrectLidState, 0
		mov	byte ptr [esp+38h+var_24], al
		jnz	short loc_9B4325
		cmp	_PopIgnoreLidStateForInputSuppression, 0
		jnz	short loc_9B4315
		test	bl, bl
		jz	short loc_9B4325

loc_9B4315:				; CODE XREF: PopEvaluateInputSuppressionAction()+95j
		test	dl, dl
		jz	short loc_9B4325
		test	cl, cl
		jnz	short loc_9B4325
		test	al, al
		jz	short loc_9B4325
		mov	esi, edi
		jmp	short loc_9B4327
; 

loc_9B4325:				; CODE XREF: PopEvaluateInputSuppressionAction()+8Cj
					; PopEvaluateInputSuppressionAction()+99j ...
		xor	esi, esi

loc_9B4327:				; CODE XREF: PopEvaluateInputSuppressionAction()+A9j
		cmp	_PopEnableInputSuppression, 0
		jnz	short loc_9B4337
		cmp	esi, edi
		jnz	short loc_9B4337
		push	2
		pop	esi

loc_9B4337:				; CODE XREF: PopEvaluateInputSuppressionAction()+B4j
					; PopEvaluateInputSuppressionAction()+B8j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		cmp	_PopInputSuppressionRequired, esi
		jz	loc_9B43E0
		push	esi
		push	ecx
		push	[esp+40h+var_24]
		mov	dl, bl
		mov	_PopInputSuppressionRequired, esi
		push	[esp+44h+var_20]
		push	[esp+48h+var_1C]
		call	_PopTraceInputSuppressionActionUpdate@28 ; PopTraceInputSuppressionActionUpdate(x,x,x,x,x,x,x)
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	4
		push	offset _PopInputSuppressionRequired
		push	(offset	loc_409ACF+1)
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		cmp	_PopEnableInputSuppression, bl
		jz	short loc_9B43E2
		mov	eax, _PopInputSuppressionRequired
		cmp	eax, edi
		jz	short loc_9B438F
		test	eax, eax
		jnz	short loc_9B4396

loc_9B438F:				; CODE XREF: PopEvaluateInputSuppressionAction()+10Fj
		lock inc _PopInputSuppressionActionCount

loc_9B4396:				; CODE XREF: PopEvaluateInputSuppressionAction()+113j
		push	ebx
		xor	eax, eax
		cmp	_PopInputSuppressionRequired, edi
		push	ebx
		push	ebx
		setz	al
		push	ebx
		mov	[esp+48h+var_28], eax
		lea	eax, [esp+48h+var_28]
		push	4
		push	eax
		push	offset _WNF_PO_INPUT_SUPPRESS_NOTIFICATION
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	eax, [esp+38h+var_28]
		lea	edi, [esp+38h+var_18]
		mov	esi, offset _GUID_INPUT_SUPPRESS_REQUESTED
		xor	ecx, ecx
		movsd
		movsd
		movsd
		movsd
		mov	[esp+38h+var_8], eax
		lea	eax, [esp+38h+var_18]
		push	eax
		push	14h
		pop	edx
		call	_PopBroadcastSessionInfo@12 ; PopBroadcastSessionInfo(x,x,x)
		jmp	short loc_9B43E2
; 

loc_9B43E0:				; CODE XREF: PopEvaluateInputSuppressionAction()+C8j
		xor	ebx, ebx

loc_9B43E2:				; CODE XREF: PopEvaluateInputSuppressionAction()+106j
					; PopEvaluateInputSuppressionAction()+164j
		cmp	dword_6C099C, 0
		jz	short loc_9B43F1
		mov	dword_6C099C, ebx

loc_9B43F1:				; CODE XREF: PopEvaluateInputSuppressionAction()+16Fj
		xor	edx, edx
		mov	ecx, offset _PopInputSuppressionLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [esp+38h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PopEvaluateInputSuppressionAction@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopIsInputSuppressionEngaged(x)
_PopIsInputSuppressionEngaged@4	proc near ; CODE XREF: PopMonitorInvocation+A9443p
		lea	eax, [ecx-1Fh]
		xor	dl, dl
		cmp	eax, 8
		ja	short loc_9B4465
		cmp	_PopEnableInputSuppression, dl
		jz	short loc_9B4465
		cmp	_PopLidOpened, dl
		mov	cl, _PopConsoleExternalDisplayConnected
		setz	ah
		cmp	dword_6C2D0C, 1
		push	ebx
		setz	bl
		cmp	_PopConsoleDisplayState, 0
		setz	al
		cmp	_PopErrataReportingIncorrectLidState, dl
		jnz	short loc_9B4464
		test	ah, ah
		jz	short loc_9B4464
		test	bl, bl
		jz	short loc_9B4464
		test	cl, cl
		jnz	short loc_9B4464
		test	al, al
		jz	short loc_9B4464
		inc	dl

loc_9B4464:				; CODE XREF: PopIsInputSuppressionEngaged(x)+3Cj
					; PopIsInputSuppressionEngaged(x)+40j ...
		pop	ebx

loc_9B4465:				; CODE XREF: PopIsInputSuppressionEngaged(x)+8j
					; PopIsInputSuppressionEngaged(x)+10j
		mov	al, dl
		retn
_PopIsInputSuppressionEngaged@4	endp


;  S U B	R O U T	I N E 


; __stdcall PopQueryInputSuppressionCount(x)
_PopQueryInputSuppressionCount@4 proc near ; CODE XREF:	PopCalculateCsSummary(x,x)+3E3p
					; PopCaptureSleepStudyStatistics(x,x,x,x)+4D2p
		xor	eax, eax
		mov	edx, offset _PopInputSuppressionActionCount
		lock xadd [edx], eax
		mov	[ecx], eax
		retn
_PopQueryInputSuppressionCount@4 endp


;  S U B	R O U T	I N E 


; int __fastcall PopPepUnregisterDevice(char)
_PopPepUnregisterDevice@4 proc near	; CODE XREF: PopFxUnregisterDevice(x)+AFp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		push	esi		; char
		push	offset ??_C@_0CC@JGJLDCMO@PopPep?3?5unregister?5device?5?$CI0x?$CFp@NNGAKEGL@ ;	char *
		push	3		; int
		push	92h		; int
		call	_DbgPrintEx
		add	esp, 10h
		xor	edi, edi
		xor	edx, edx
		push	edi
		push	ecx
		push	5
		push	6
		mov	ecx, esi
		call	_PopPepProcessEvent@24 ; PopPepProcessEvent(x,x,x,x,x,x)
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [esi+1Ch]
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, esi
		call	_PopPepWaitForDeviceRelease@4 ;	PopPepWaitForDeviceRelease(x)
		mov	ecx, esi
		call	_PopPepRemoveDevice@4 ;	PopPepRemoveDevice(x)
		mov	eax, [esi+78h]
		mov	ecx, edi
		cmp	eax, 4
		jz	short loc_9B44CC
		mov	ecx, [esi+eax*4+5Ch]

loc_9B44CC:				; CODE XREF: PopPepUnregisterDevice(x)+50j
		push	edi
		xor	edx, edx
		call	PopPepUpdateIdleStateRefCount
		mov	ebx, edi
		cmp	[esi+84h], edi
		jbe	short loc_9B4501
		lea	edi, [esi+128h]

loc_9B44E4:				; CODE XREF: PopPepUnregisterDevice(x)+89j
		mov	ecx, [edi]
		xor	edx, edx
		push	0
		mov	ecx, [ecx+10h]
		call	PopPepUpdateIdleStateRefCount
		inc	ebx
		lea	edi, [edi+0A8h]
		cmp	ebx, [esi+84h]
		jb	short loc_9B44E4

loc_9B4501:				; CODE XREF: PopPepUnregisterDevice(x)+66j
		push	54706550h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
_PopPepUnregisterDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDripsWatchdogCallbackHandler(x, x, x, x,	x, x, x, x, x)
_PopDripsWatchdogCallbackHandler@36 proc near
					; CODE XREF: PopDripsWatchdogCallbackWorker(x)+1D3p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_18], eax
		mov	esi, ecx
		mov	eax, [ebp+arg_14]
		mov	edi, ecx
		mov	[ebp+var_8], edx
		and	esi, 80h
		xor	edx, edx
		mov	[ebp+var_14], eax
		mov	eax, ds:_PopDirectedDripsTimeout
		and	edi, 100h
		mov	[ebp+var_4], ecx
		mov	bl, dl
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		mov	[ebp+arg_14], eax
		test	eax, eax
		jz	short loc_9B456F
		push	edx
		push	989680h
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	__aulldiv
		test	edx, edx
		ja	short loc_9B4574
		jb	short loc_9B456F
		cmp	eax, [ebp+arg_14]
		jnb	short loc_9B4574

loc_9B456F:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+41j
					; PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+58j
		cmp	[ebp+arg_18], bl
		jz	short loc_9B4585

loc_9B4574:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+56j
					; PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+5Dj
		test	byte_6D4580, 1
		jz	short loc_9B4583
		test	byte ptr [ebp+var_4], 1
		jz	short loc_9B4585

loc_9B4583:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+6Bj
		mov	bl, 1

loc_9B4585:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+62j
					; PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+71j
		test	esi, esi
		jnz	short loc_9B4595
		test	edi, edi
		jnz	short loc_9B4595
		test	bl, bl
		jz	loc_9B466E

loc_9B4595:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+77j
					; PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+7Bj
		call	_PopDeviceConstraintsEnforced@0	; PopDeviceConstraintsEnforced()
		test	al, al
		jz	loc_9B466E
		push	[ebp+arg_4]
		lea	ecx, [ebp+var_10]
		push	[ebp+arg_0]
		call	_PopFxBuildDripsBlockingDeviceList@12 ;	PopFxBuildDripsBlockingDeviceList(x,x,x)
		test	eax, eax
		js	loc_9B466E
		test	bl, bl
		jz	short loc_9B45C0
		push	4
		jmp	short loc_9B45C6
; 

loc_9B45C0:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+AAj
		test	edi, edi
		jz	short loc_9B45CF
		push	2

loc_9B45C6:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+AEj
		lea	edx, [ebp+var_18]
		pop	ecx
		call	PopDirectedDripsNotify

loc_9B45CF:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+B2j
		call	KeQueryInterruptTime
		mov	esi, [ebp+var_10]
		jmp	short loc_9B4631
; 

loc_9B45D9:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+126j
		lea	ecx, [esi-254h]
		test	bl, bl
		jnz	short loc_9B462A
		test	edi, edi
		jz	short loc_9B464D
		call	_PopDripsWatchdogGetDeviceActiveTime@4 ; PopDripsWatchdogGetDeviceActiveTime(x)
		push	0
		push	989680h
		push	edx
		push	eax
		call	__aulldiv
		mov	dword ptr [ebp+arg_18],	edx
		lea	ecx, [esi-254h]
		xor	edx, edx
		mov	[ebp+arg_14], eax
		call	_PopFxIsDirectedPowerTransitionSupported@8 ; PopFxIsDirectedPowerTransitionSupported(x,x)
		lea	ecx, [esi-254h]
		test	al, al
		jz	short loc_9B4640
		cmp	dword ptr [ebp+arg_18],	0
		mov	eax, [ecx+268h]
		jb	short loc_9B464D
		ja	short loc_9B462A

loc_9B4625:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+13Bj
		cmp	[ebp+arg_14], eax
		jb	short loc_9B464D

loc_9B462A:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+D1j
					; PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+113j ...
		call	_PopDirectedDripsMarkCandidateDevice@4 ; PopDirectedDripsMarkCandidateDevice(x)

loc_9B462F:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+145j
		mov	esi, [esi]

loc_9B4631:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+C7j
		lea	eax, [ebp+var_10]
		cmp	esi, eax
		jnz	short loc_9B45D9
		test	bl, bl
		jz	short loc_9B4657
		push	5
		jmp	short loc_9B465D
; 

loc_9B4640:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+105j
		cmp	dword ptr [ebp+arg_18],	0
		mov	eax, _PopFxDirectedFxDefaultTimeout
		ja	short loc_9B462A
		jnb	short loc_9B4625

loc_9B464D:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+D5j
					; PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+111j ...
		mov	edx, [ebp+var_8]
		call	_PopDripsWatchdogInvokeDeviceCallbacks@8 ; PopDripsWatchdogInvokeDeviceCallbacks(x,x)
		jmp	short loc_9B462F
; 

loc_9B4657:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+12Aj
		test	edi, edi
		jz	short loc_9B4666
		push	3

loc_9B465D:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+12Ej
		lea	edx, [ebp+var_18]
		pop	ecx
		call	PopDirectedDripsNotify

loc_9B4666:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+149j
		lea	ecx, [ebp+var_10]
		call	_PopFxDestroyDripsBlockingDeviceList@4 ; PopFxDestroyDripsBlockingDeviceList(x)

loc_9B466E:				; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+7Fj
					; PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+8Cj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_PopDripsWatchdogCallbackHandler@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDripsWatchdogCallbackWorker(x)
_PopDripsWatchdogCallbackWorker@4 proc near
					; DATA XREF: PopDripsWatchdogInitializeCallbackTimer(x)+24o

var_4E		= byte ptr -4Eh
var_4D		= byte ptr -4Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	8
		pop	ecx
		lea	edi, [esp+60h+var_20]
		rep stosd
		mov	eax, large fs:124h
		lea	esi, [ebx+40h]
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	ebx
		call	ExAcquireResourceExclusiveLite
		test	byte ptr [ebx+38h], 4
		jz	loc_9B4877
		test	byte ptr [esi+74h], 2
		jz	loc_9B4877
		inc	dword ptr [ebx+1D0h]
		mov	ecx, esi
		inc	dword ptr [ebx+0C4h]
		call	_PopDripsWatchdogScheduleNextTimer@4 ; PopDripsWatchdogScheduleNextTimer(x)
		call	KeQueryInterruptTime
		mov	edi, eax
		mov	[esp+60h+var_4C], edx
		lea	ecx, [esp+60h+var_20]
		mov	[esp+60h+var_48], edi
		call	_PopCalculateIdleInformation@4 ; PopCalculateIdleInformation(x)
		mov	eax, [esp+60h+var_8]
		sub	eax, [ebx+100h]
		mov	[esp+60h+var_44], eax
		jz	short loc_9B473D
		mov	edx, [esp+60h+var_4C]
		lea	esi, [esp+60h+var_20]
		mov	eax, _PopDripsWatchdogDebounceTickInterval
		and	dword ptr [ebx+0C4h], 0
		mov	[ebx+0D8h], edi
		mov	[ebx+0D0h], edi
		lea	edi, [ebx+0E8h]
		push	8
		pop	ecx
		rep movsd
		mov	edi, [esp+60h+var_48]
		lea	esi, [ebx+40h]
		mov	[ebx+0DCh], edx
		mov	[ebx+0C8h], eax
		mov	[ebx+0D4h], edx

loc_9B473D:				; CODE XREF: PopDripsWatchdogCallbackWorker(x)+82j
		mov	eax, [ebx+0C8h]
		test	eax, eax
		jz	short loc_9B476F
		xor	ecx, ecx
		cmp	[ebx+0C4h], eax
		jb	short loc_9B476A
		call	_PopDirectedDripsSetDisengageReason@4 ;	PopDirectedDripsSetDisengageReason(x)
		mov	eax, [ebx+0C4h]
		add	eax, _PopDripsWatchdogDebounceTickInterval
		mov	[ebx+0C8h], eax
		jmp	short loc_9B476F
; 

loc_9B476A:				; CODE XREF: PopDripsWatchdogCallbackWorker(x)+DAj
		call	_PopDirectedDripsClearDisengageReason@4	; PopDirectedDripsClearDisengageReason(x)

loc_9B476F:				; CODE XREF: PopDripsWatchdogCallbackWorker(x)+D0j
					; PopDripsWatchdogCallbackWorker(x)+F3j
		mov	ecx, [esi+74h]
		test	cl, 4
		jnz	loc_9B4877
		mov	eax, [ebx+3Ch]
		mov	[esp+60h+var_24], eax
		mov	eax, [ebx+0C0h]
		mov	[esp+60h+var_28], eax
		mov	eax, edi
		sub	eax, [ebx+0D0h]
		mov	[esp+60h+var_2C], eax
		mov	eax, [esp+60h+var_4C]
		mov	edx, eax
		sbb	edx, [ebx+0D4h]
		mov	[esp+60h+var_30], edx
		mov	edx, edi
		sub	edx, [ebx+0D8h]
		mov	[esp+60h+var_34], edx
		sbb	eax, [ebx+0DCh]
		or	ecx, 4
		mov	[esp+60h+var_38], eax
		mov	eax, [ebx+1D8h]
		mov	[esp+60h+var_3C], eax
		mov	eax, [ebx+1DCh]
		mov	[esp+60h+var_40], eax
		mov	al, [ebx+0E0h]
		mov	[esi+74h], ecx
		mov	ecx, ebx
		mov	byte ptr [esp+60h+var_48], al
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	[esp+60h+var_4D], 1
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	[esp+60h+var_44], 0
		jnz	short loc_9B4813
		mov	eax, dword_6D4518
		or	eax, dword_6D451C
		jz	short loc_9B4818

loc_9B4813:				; CODE XREF: PopDripsWatchdogCallbackWorker(x)+18Fj
		mov	[esp+60h+var_4D], 0

loc_9B4818:				; CODE XREF: PopDripsWatchdogCallbackWorker(x)+19Cj
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		cmp	[esp+60h+var_4D], 0
		jz	short loc_9B484D
		push	[esp+60h+var_48]
		mov	edx, [esp+64h+var_28]
		push	[esp+64h+var_40]
		mov	ecx, [esp+68h+var_24]
		push	[esp+68h+var_3C]
		push	[esp+6Ch+var_38]
		push	[esp+70h+var_34]
		push	[esp+74h+var_30]
		push	[esp+78h+var_2C]
		call	_PopDripsWatchdogCallbackHandler@36 ; PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)

loc_9B484D:				; CODE XREF: PopDripsWatchdogCallbackWorker(x)+1ADj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	edx, [esp+60h+var_4C]
		mov	[ebx+0D0h], edi
		mov	[ebx+0D4h], edx
		and	dword ptr [esi+74h], 0FFFFFFFBh

loc_9B4877:				; CODE XREF: PopDripsWatchdogCallbackWorker(x)+39j
					; PopDripsWatchdogCallbackWorker(x)+43j ...
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_PopDripsWatchdogCallbackWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDripsWatchdogCheckHwDivergence(x, x, x, x)
_PopDripsWatchdogCheckHwDivergence@16 proc near
					; CODE XREF: PopDripsWatchdogDiagnosticWorker(x)+1ADp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		cmp	edi, ebx
		jb	short loc_9B492B
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_0]
		ja	short loc_9B48BE
		cmp	ecx, eax
		jbe	short loc_9B492B

loc_9B48BE:				; CODE XREF: PopDripsWatchdogCheckHwDivergence(x,x,x,x)+25j
		sub	ecx, eax
		mov	eax, edi
		sbb	eax, ebx
		xor	esi, esi
		push	esi
		push	0F4240h
		push	eax
		push	ecx
		call	__aulldiv
		mov	ecx, ds:_PopDripsSwHwDivergenceThreshold ; int
		cmp	esi, edx
		ja	short loc_9B492B
		jb	short loc_9B48E3
		cmp	ecx, eax
		jnb	short loc_9B492B

loc_9B48E3:				; CODE XREF: PopDripsWatchdogCheckHwDivergence(x,x,x,x)+4Aj
		mov	eax, [ebp+arg_8]
		push	esi
		push	esi
		push	esi
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_0]
		push	esi
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_18]
		push	10h
		push	eax
		push	offset _WNF_PO_SW_HW_DRIPS_DIVERGENCE
		mov	[ebp+var_14], edi
		mov	[ebp+var_C], ebx
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		cmp	ds:_PopDripsSwHwDivergenceEnableLiveDump, esi
		jz	short loc_9B492B
		push	esi		; int
		push	esi		; int
		push	esi		; int
		push	esi		; int
		push	esi		; int
		push	[ebp+var_10]	; int
		push	[ebp+var_18]	; int
		push	1A4h		; int
		push	offset ??_C@_1BK@BDJAGJBB@?$AAD?$AAr?$AAi?$AAp?$AAs?$AAD?$AAi?$AAv?$AAe?$AAr?$AAg?$AAe@NNGAKEGL@ ; int
		call	_DbgkWerCaptureLiveKernelDump@36 ; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)

loc_9B492B:				; CODE XREF: PopDripsWatchdogCheckHwDivergence(x,x,x,x)+1Dj
					; PopDripsWatchdogCheckHwDivergence(x,x,x,x)+29j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PopDripsWatchdogCheckHwDivergence@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDripsWatchdogDiagnosticWorker(x)
_PopDripsWatchdogDiagnosticWorker@4 proc near
					; DATA XREF: PopDripsWatchdogInitializeDiagnosticTimer(x)+1Fo

var_66		= byte ptr -66h
var_65		= byte ptr -65h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+6Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		push	8
		pop	ecx
		lea	edi, [esp+78h+var_40]
		rep stosd
		push	7
		pop	ecx
		lea	edi, [esp+78h+var_20]
		rep stosd
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	ebx
		call	ExAcquireResourceExclusiveLite
		test	byte ptr [ebx+38h], 4
		jz	loc_9B4B08
		test	byte ptr [ebx+17Ch], 2
		jz	loc_9B4B08
		inc	dword ptr [ebx+1D0h]
		call	KeQueryInterruptTime
		mov	edi, eax
		lea	ecx, [esp+78h+var_40]
		xor	eax, eax
		mov	esi, edx
		mov	[esp+78h+var_48], eax
		mov	[esp+78h+var_50], eax
		mov	[esp+78h+var_60], eax
		mov	[esp+78h+var_5C], eax
		mov	[esp+78h+var_54], eax
		call	_PopCalculateIdleInformation@4 ; PopCalculateIdleInformation(x)
		lea	eax, [esp+78h+var_54]
		mov	ecx, ebx
		push	eax
		lea	eax, [esp+7Ch+var_60]
		push	eax
		lea	eax, [esp+80h+var_50]
		push	eax
		push	esi
		push	edi
		lea	edx, [esp+8Ch+var_40]
		call	_PopDripsWatchdogUpdateMetrics@28 ; PopDripsWatchdogUpdateMetrics(x,x,x,x,x,x,x)
		mov	ecx, [esp+78h+var_30]
		lea	edx, [ebx+188h]
		xor	eax, eax
		mov	[esp+78h+var_64], eax
		mov	[esp+78h+var_65], al
		mov	eax, ecx
		and	eax, [esp+78h+var_2C]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9B4A26
		mov	esi, [edx+38h]
		mov	eax, esi
		mov	edi, [edx+3Ch]
		and	eax, edi
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9B4A26
		sub	ecx, esi
		mov	[esp+78h+var_65], 1
		mov	[esp+78h+var_48], ecx
		mov	ecx, [esp+78h+var_2C]
		sbb	ecx, edi
		mov	[esp+78h+var_64], ecx

loc_9B4A26:				; CODE XREF: PopDripsWatchdogDiagnosticWorker(x)+C4j
					; PopDripsWatchdogDiagnosticWorker(x)+D3j
		mov	eax, [ebx+17Ch]
		test	al, 4
		jnz	loc_9B4B08
		mov	ecx, [ebx+3Ch]
		lea	edi, [esp+78h+var_20]
		mov	[esp+78h+var_4C], ecx
		mov	esi, edx
		mov	ecx, [ebx+1D0h]
		or	eax, 4
		mov	[esp+78h+var_44], ecx
		push	7
		pop	ecx
		rep movsd
		lea	esi, [ebx+108h]
		mov	ecx, esi
		mov	[esi+74h], eax
		call	_PopDripsWatchdogScheduleNextTimer@4 ; PopDripsWatchdogScheduleNextTimer(x)
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[esp+78h+var_54], 0
		jnz	short loc_9B4A9D
		mov	eax, dword_6D4518
		or	eax, dword_6D451C
		jnz	short loc_9B4ABA
		push	[esp+78h+var_44]
		mov	edx, [esp+7Ch+var_4C]
		lea	ecx, [esp+7Ch+var_20]
		call	_PopDripsWatchdogTakeAction@12 ; PopDripsWatchdogTakeAction(x,x,x)
		jmp	short loc_9B4ABA
; 

loc_9B4A9D:				; CODE XREF: PopDripsWatchdogDiagnosticWorker(x)+13Fj
		cmp	[esp+78h+var_50], 0
		jnz	short loc_9B4ABA
		call	_PopDeepSleepEnabled@0 ; PopDeepSleepEnabled()
		test	al, al
		jz	short loc_9B4ABA
		mov	edx, [esp+78h+var_4C]
		lea	ecx, [esp+78h+var_20]
		call	_PopDeepSleepWatchdogTakeAction@8 ; PopDeepSleepWatchdogTakeAction(x,x)

loc_9B4ABA:				; CODE XREF: PopDripsWatchdogDiagnosticWorker(x)+14Cj
					; PopDripsWatchdogDiagnosticWorker(x)+15Fj ...
		push	[esp+78h+var_64]
		mov	edi, [esp+7Ch+var_48]
		movzx	ecx, [esp+7Ch+var_65]
		push	edi
		push	[esp+80h+var_5C]
		push	[esp+84h+var_60]
		call	_PopDiagTraceCsDripsDivergence@24 ; PopDiagTraceCsDripsDivergence(x,x,x,x,x,x)
		cmp	[esp+78h+var_65], 0
		jz	short loc_9B4AEE
		push	[esp+78h+var_5C]
		push	[esp+7Ch+var_60]
		push	[esp+80h+var_64]
		push	edi
		call	_PopDripsWatchdogCheckHwDivergence@16 ;	PopDripsWatchdogCheckHwDivergence(x,x,x,x)

loc_9B4AEE:				; CODE XREF: PopDripsWatchdogDiagnosticWorker(x)+19Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	ebx
		call	ExAcquireResourceExclusiveLite
		and	dword ptr [esi+74h], 0FFFFFFFBh

loc_9B4B08:				; CODE XREF: PopDripsWatchdogDiagnosticWorker(x)+4Aj
					; PopDripsWatchdogDiagnosticWorker(x)+57j ...
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [esp+78h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_PopDripsWatchdogDiagnosticWorker@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopDripsWatchdogNotifySessionStart(x)
_PopDripsWatchdogNotifySessionStart@4 proc near
					; CODE XREF: PopPowerAggregatorScreenOffEnterStateHandler(x)+194p
		mov	edi, edi
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	bl, cl
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	esi, offset _PopDripsWatchdogContext
		push	esi
		call	ExAcquireResourceExclusiveLite
		mov	eax, _PopDripsWatchdogDebounceTickInterval
		xor	ecx, ecx
		and	dword_6C07A4, 0
		mov	dword_6C07A8, eax
		mov	byte_6C07C0, bl
		call	_PopDirectedDripsClearDisengageReason@4	; PopDirectedDripsClearDisengageReason(x)
		mov	ecx, esi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi
		pop	ebx
		pop	ecx
		retn
_PopDripsWatchdogNotifySessionStart@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDripsWatchdogScheduleNextTimer(x)
_PopDripsWatchdogScheduleNextTimer@4 proc near
					; CODE XREF: PopDripsWatchdogCallbackWorker(x)+57p
					; PopDripsWatchdogDiagnosticWorker(x)+122p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	KeQueryInterruptTime
		push	0FFFFFFFFh
		push	0FF676980h
		push	0
		push	dword ptr [esi+70h]
		mov	[esi+78h], eax
		mov	[esi+7Ch], edx
		call	__allmul
		or	[ebp+var_8], 0FFFFFFFFh
		xor	ecx, ecx
		or	[ebp+var_4], 0FFFFFFFFh
		mov	edi, eax
		mov	ebx, edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		cmp	[esi+68h], ecx
		jz	short loc_9B4BD2
		lea	ecx, [esi+58h]
		call	_PopOkayToQueueNextWorkItem@4 ;	PopOkayToQueueNextWorkItem(x)
		xor	ecx, ecx

loc_9B4BD2:				; CODE XREF: PopDripsWatchdogScheduleNextTimer(x)+40j
		lea	eax, [ebp+var_10]
		push	eax
		push	ecx
		push	ecx
		push	ebx
		push	edi
		push	esi
		call	KeSetTimer2
		or	dword ptr [esi+74h], 2
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopDripsWatchdogScheduleNextTimer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDripsWatchdogStartWatchdog()
_PopDripsWatchdogStartWatchdog@0 proc near
					; CODE XREF: PopPdcIdleResiliencyCallback(x,x)+7Ep

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	8
		pop	ecx
		lea	edi, [esp+38h+var_20]
		rep stosd
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PopDripsWatchdogContext
		call	ExAcquireResourceExclusiveLite
		test	byte ptr dword_6C0718, 2
		jz	loc_9B4D23
		call	_PopDirectedDripsUmIsTestModeEnabled@0 ; PopDirectedDripsUmIsTestModeEnabled()
		test	al, al
		jnz	loc_9B4D23
		call	KeQueryInterruptTime
		mov	esi, eax
		lea	ecx, [esp+38h+var_20]
		mov	edi, edx
		mov	[esp+38h+var_2C], esi
		mov	[esp+38h+var_28], edi
		call	_PopCalculateIdleInformation@4 ; PopCalculateIdleInformation(x)
		test	byte ptr dword_6C0794, 1
		mov	eax, dword_6C1F7C
		mov	ebx, _PopWdiCurrentScenarioInstanceId
		mov	[esp+38h+var_24], eax
		jz	short loc_9B4CBD
		mov	eax, _PopDripsWatchdogDebounceTickInterval
		and	dword_6C07A4, 0
		mov	dword_6C07B0, esi
		lea	esi, [esp+38h+var_20]
		mov	dword_6C07B4, edi
		mov	edi, offset unk_6C07C8
		push	8
		mov	dword_6C07A8, eax
		mov	eax, [esp+3Ch+var_2C]
		pop	ecx
		rep movsd
		and	dword_6C0798, 0
		mov	ecx, offset unk_6C0720
		and	dword_6C079C, 0
		mov	dword_6C07B8, eax
		mov	eax, [esp+38h+var_28]
		mov	dword_6C07BC, eax
		call	_PopDripsWatchdogScheduleNextTimer@4 ; PopDripsWatchdogScheduleNextTimer(x)

loc_9B4CBD:				; CODE XREF: PopDripsWatchdogStartWatchdog()+7Dj
		test	byte ptr dword_6C085C, 1
		jz	short loc_9B4D0D
		push	50h		; size_t
		push	0		; int
		push	offset unk_6C0860 ; void *
		call	_memset
		mov	eax, dword_6C2548
		lea	esi, [esp+44h+var_20]
		add	esp, 0Ch
		mov	dword_6C0884, eax
		mov	eax, dword_6D4528
		mov	edi, offset unk_6C0890
		push	8
		pop	ecx
		rep movsd
		mov	dword_6C0888, eax
		mov	ecx, offset unk_6C07E8
		mov	eax, dword_6D452C
		mov	dword_6C088C, eax
		call	_PopDripsWatchdogScheduleNextTimer@4 ; PopDripsWatchdogScheduleNextTimer(x)

loc_9B4D0D:				; CODE XREF: PopDripsWatchdogStartWatchdog()+DBj
		mov	eax, [esp+38h+var_24]
		or	dword_6C0718, 4
		mov	dword_6C08B8, ebx
		mov	dword_6C08BC, eax

loc_9B4D23:				; CODE XREF: PopDripsWatchdogStartWatchdog()+3Aj
					; PopDripsWatchdogStartWatchdog()+47j
		mov	ecx, offset _PopDripsWatchdogContext
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopDripsWatchdogStartWatchdog@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopDripsWatchdogStopWatchdog()
_PopDripsWatchdogStopWatchdog@0	proc near ; CODE XREF: PopPdcIdleResiliencyCallback(x,x)+D2p
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	esi, offset _PopDripsWatchdogContext
		push	esi
		call	ExAcquireResourceExclusiveLite
		mov	eax, dword_6C0718
		test	al, 4
		jz	short loc_9B4D6D
		and	eax, 0FFFFFFFBh
		mov	dword_6C0718, eax

loc_9B4D6D:				; CODE XREF: PopDripsWatchdogStopWatchdog()+23j
		mov	ecx, esi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_PopDripsWatchdogStopWatchdog@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDripsWatchdogUpdateMetrics(x, x,	x, x, x, x, x)
_PopDripsWatchdogUpdateMetrics@28 proc near
					; CODE XREF: PopDripsWatchdogDiagnosticWorker(x)+A2p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	al, byte_6D4580
		and	[ebp+var_18], 0
		and	al, 1
		and	[ebp+var_14], 0
		push	ebx
		mov	ebx, dword_6C2548
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		push	0
		push	2710h
		mov	[edi+1A0h], al
		mov	eax, [esi+1Ch]
		mov	ecx, eax
		sub	ecx, [edi+1CCh]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_C], ecx
		mov	[eax], ecx
		mov	eax, [esi+8]
		mov	edx, eax
		sub	edx, [edi+1B8h]
		mov	ecx, [esi+0Ch]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_8], ecx
		sbb	ecx, [edi+1BCh]
		mov	[eax+4], ecx
		mov	ecx, [ebp+arg_0]
		mov	[eax], edx
		mov	eax, [esi+18h]
		mov	esi, eax
		sub	esi, [edi+1C8h]
		sub	ecx, [edi+180h]
		mov	[ebp+arg_C], eax
		mov	eax, [ebp+arg_10]
		mov	[eax], esi
		mov	eax, [ebp+arg_4]
		sbb	eax, [edi+184h]
		push	eax
		push	ecx
		call	__aulldiv
		mov	ecx, eax
		mov	edx, 3E8h
		mov	[ebp+arg_8], ecx
		mov	[edi+190h], ecx
		test	esi, esi
		jnz	short loc_9B4E79
		add	[edi+188h], ecx
		mov	eax, [edi+188h]
		jz	short loc_9B4E62
		test	dword_6C2558, 40000000h
		jnz	short loc_9B4E62
		mov	ecx, [edi+1A4h]
		cmp	ebx, ecx
		jnb	short loc_9B4E5F
		mul	edx
		sub	ecx, ebx
		push	edx
		push	eax
		call	_PopBatteryCapacityToRate@12 ; PopBatteryCapacityToRate(x,x,x)
		mov	[edi+19Ch], eax

loc_9B4E5F:				; CODE XREF: PopDripsWatchdogUpdateMetrics(x,x,x,x,x,x,x)+CBj
		mov	ecx, [ebp+arg_8]

loc_9B4E62:				; CODE XREF: PopDripsWatchdogUpdateMetrics(x,x,x,x,x,x,x)+B5j
					; PopDripsWatchdogUpdateMetrics(x,x,x,x,x,x,x)+C1j ...
		cmp	[ebp+var_C], 0
		jnz	short loc_9B4EAA
		call	_PopDeepSleepEnabled@0 ; PopDeepSleepEnabled()
		test	al, al
		jz	short loc_9B4EAA
		add	[edi+18Ch], ecx
		jmp	short loc_9B4EBA
; 

loc_9B4E79:				; CODE XREF: PopDripsWatchdogUpdateMetrics(x,x,x,x,x,x,x)+A7j
		and	dword ptr [edi+188h], 0
		and	dword ptr [edi+19Ch], 0
		mov	eax, [ebp+arg_C]
		mov	[edi+1C8h], eax
		mov	eax, [ebp+var_4]
		mov	[edi+1B8h], eax
		mov	eax, [ebp+var_8]
		mov	[edi+1BCh], eax
		mov	[edi+1A4h], ebx
		jmp	short loc_9B4E62
; 

loc_9B4EAA:				; CODE XREF: PopDripsWatchdogUpdateMetrics(x,x,x,x,x,x,x)+E5j
					; PopDripsWatchdogUpdateMetrics(x,x,x,x,x,x,x)+EEj
		and	dword ptr [edi+18Ch], 0
		mov	eax, [ebp+var_10]
		mov	[edi+1CCh], eax

loc_9B4EBA:				; CODE XREF: PopDripsWatchdogUpdateMetrics(x,x,x,x,x,x,x)+F6j
		lea	eax, [ebp+var_18]
		xor	cl, cl
		push	eax
		lea	edx, [edi+1A8h]
		call	_PopAccumulateNonActivatedCpuTime@12 ; PopAccumulateNonActivatedCpuTime(x,x,x)
		push	0
		push	3E8h
		push	[ebp+var_14]
		push	[ebp+var_18]
		call	_PpmConvertTimeTo@16 ; PpmConvertTimeTo(x,x,x,x)
		mov	ecx, [edi+190h]
		mov	[edi+194h], eax
		cmp	eax, ecx
		jbe	short loc_9B4EF2
		push	64h
		pop	eax
		jmp	short loc_9B4EF9
; 

loc_9B4EF2:				; CODE XREF: PopDripsWatchdogUpdateMetrics(x,x,x,x,x,x,x)+16Aj
		imul	eax, 64h
		xor	edx, edx
		div	ecx

loc_9B4EF9:				; CODE XREF: PopDripsWatchdogUpdateMetrics(x,x,x,x,x,x,x)+16Fj
		mov	[edi+198h], eax
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_PopDripsWatchdogUpdateMetrics@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcPoNetworkResiliency(x)
_PdcPoNetworkResiliency@4 proc near	; DATA XREF: PopPdcRegister+99o

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	cl, [ebp+arg_0]
		call	_PopNetResiliencyStateChanged@4	; PopNetResiliencyStateChanged(x)
		pop	ebp
		retn	4
_PdcPoNetworkResiliency@4 endp


;  S U B	R O U T	I N E 


; __stdcall PdcPoPerfOverride()
_PdcPoPerfOverride@0 proc near		; CODE XREF: PopPowerAggregatorModernStandbyExitStateHandler(x)+2Bp
		mov	edi, edi
		push	ecx
		call	_PpmBeginHighPerfRequest@0 ; PpmBeginHighPerfRequest()
		xor	cl, cl
		call	_PpmDisableHighPerfRequestDeferredExpiration@4 ; PpmDisableHighPerfRequestDeferredExpiration(x)
		xor	ecx, ecx
		inc	ecx
		call	PpmEndHighPerfRequest
		pop	ecx
		retn
_PdcPoPerfOverride@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcPoPpmApplyProfile(x)
_PdcPoPpmApplyProfile@4	proc near	; DATA XREF: PopPdcRegister+8Bo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_PpmApplyProfile@4 ; PpmApplyProfile(x)
		pop	ebp
		retn	4
_PdcPoPpmApplyProfile@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcPoPpmResetProfile(x, x)
_PdcPoPpmResetProfile@8	proc near	; DATA XREF: PopPdcRegister+92o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr _PpmProfileStatus, 2
		jnz	short loc_9B4F7C
		cmp	[ebp+arg_4], 0
		jz	short loc_9B4F74
		push	esi
		mov	esi, offset _PpmPerfPolicyLock
		mov	ecx, esi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	ecx, [ebp+arg_0]
		call	PpmEnableProfile
		mov	ecx, esi
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		pop	esi
		jmp	short loc_9B4F7C
; 

loc_9B4F74:				; CODE XREF: PdcPoPpmResetProfile(x,x)+12j
		mov	ecx, [ebp+arg_0]
		call	_PpmDisableProfile@4 ; PpmDisableProfile(x)

loc_9B4F7C:				; CODE XREF: PdcPoPpmResetProfile(x,x)+Cj
					; PdcPoPpmResetProfile(x,x)+31j
		pop	ebp
		retn	8
_PdcPoPpmResetProfile@8	endp


;  S U B	R O U T	I N E 


; __stdcall PdcPoRecordButton()
_PdcPoRecordButton@0 proc near		; DATA XREF: PopPdcRegister+4Co
		jmp	_PopRecordPowerButton@0	; PopRecordPowerButton()
_PdcPoRecordButton@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcPoReportLidState(x)
_PdcPoReportLidState@4 proc near	; DATA XREF: PopPdcRegister+45o

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	cl, [ebp+arg_0]
		call	_PopNotifyLidStateChange@4 ; PopNotifyLidStateChange(x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		pop	ebp
		retn	4
_PdcPoReportLidState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcPoResiliencyClient(x, x,	x)
_PdcPoResiliencyClient@12 proc near	; DATA XREF: PopPdcRegister+2Ao

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	eax, 1
		jz	short loc_9B4FEB
		sub	eax, 1
		jz	short loc_9B4FC7
		sub	eax, 1
		jnz	short loc_9B4FE7
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	ds:_PopDeepIoCoalescingEnabled,	0
		jz	short loc_9B4FE2
		jmp	short loc_9B4FD5
; 

loc_9B4FC7:				; CODE XREF: PdcPoResiliencyClient(x,x,x)+10j
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	ds:_PopDeepIoCoalescingEnabled,	0
		jnz	short loc_9B4FE2

loc_9B4FD5:				; CODE XREF: PdcPoResiliencyClient(x,x,x)+25j
		mov	al, [ebp+arg_4]
		mov	_PopPdcIoCoalescing, al
		call	PopCheckResiliencyScenarios

loc_9B4FE2:				; CODE XREF: PdcPoResiliencyClient(x,x,x)+23j
					; PdcPoResiliencyClient(x,x,x)+33j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_9B4FE7:				; CODE XREF: PdcPoResiliencyClient(x,x,x)+15j
		xor	eax, eax
		jmp	short loc_9B4FF6
; 

loc_9B4FEB:				; CODE XREF: PdcPoResiliencyClient(x,x,x)+Bj
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		call	_PopPdcIdleResiliencyCallback@8	; PopPdcIdleResiliencyCallback(x,x)

loc_9B4FF6:				; CODE XREF: PdcPoResiliencyClient(x,x,x)+49j
		pop	ebp
		retn	0Ch
_PdcPoResiliencyClient@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcPoSetPowerAction(x, x, x, x, x)
_PdcPoSetPowerAction@20	proc near	; DATA XREF: PopPdcRegister+37o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_8]
		call	PopExecutePowerAction
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		pop	ebp
		retn	14h
_PdcPoSetPowerAction@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcPoVerifyActionPolicy(x)
_PdcPoVerifyActionPolicy@4 proc	near	; DATA XREF: PopPdcRegister+53o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	ecx, [ebp+arg_0]
		call	PopVerifyPowerActionPolicy
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		pop	ebp
		retn	4
_PdcPoVerifyActionPolicy@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoTtmInitiatePowerStateTransition(x, x)
_PoTtmInitiatePowerStateTransition@8 proc near
					; CODE XREF: TtmpInitiateModernStandbyTransition(x,x,x)+31p

var_50		= dword	ptr -50h
var_4C		= byte ptr -4Ch
var_4B		= byte ptr -4Bh
var_3C		= byte ptr -3Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		push	ebx
		push	esi
		push	edi
		push	4Ch		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_50]
		push	esi		; int
		push	eax		; void *
		mov	edi, edx
		mov	bl, cl
		call	_memset
		add	esp, 0Ch
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		lea	edx, [ebp+var_50]
		mov	ecx, offset _PopCapabilities
		call	PopFilterCapabilities
		cmp	[ebp+var_3C], 0
		jz	short loc_9B5082
		test	bl, bl
		mov	edx, edi
		setz	cl
		call	_PopTriggerMonitorPowerEvent@8 ; PopTriggerMonitorPowerEvent(x,x)
		jmp	short loc_9B509B
; 

loc_9B5082:				; CODE XREF: PoTtmInitiatePowerStateTransition(x,x)+36j
		cmp	byte ptr [ebp+var_50+3], 0
		jnz	short loc_9B5094
		cmp	[ebp+var_4C], 0
		jnz	short loc_9B5094
		cmp	[ebp+var_4B], 0
		jz	short loc_9B509D

loc_9B5094:				; CODE XREF: PoTtmInitiatePowerStateTransition(x,x)+4Aj
					; PoTtmInitiatePowerStateTransition(x,x)+50j
		mov	cl, bl
		call	_PopStartStopTtmSxTranstion@4 ;	PopStartStopTtmSxTranstion(x)

loc_9B509B:				; CODE XREF: PoTtmInitiatePowerStateTransition(x,x)+44j
		mov	esi, eax

loc_9B509D:				; CODE XREF: PoTtmInitiatePowerStateTransition(x,x)+56j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PoTtmInitiatePowerStateTransition@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopArmIdlePhaseWatchdog(x)
_PopArmIdlePhaseWatchdog@4 proc	near	; CODE XREF: PopProcessSessionDisplayStateChange(x,x)+14p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, _PopPdcIdlePhaseWatchdogContext
		mov	esi, ecx
		mov	[ebp+var_3C], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		test	edi, edi
		jz	loc_9B5192
		mov	eax, dword_6D6FE8
		test	eax, eax
		jz	short loc_9B50EB
		call	eax
		test	al, al
		jz	loc_9B5192

loc_9B50EB:				; CODE XREF: PopArmIdlePhaseWatchdog(x)+36j
		lea	edx, [ebp+var_8]
		lea	ecx, [ebp+var_4]
		call	_PopSnapSystemIdleContext@8 ; PopSnapSystemIdleContext(x,x)
		mov	ecx, offset unk_6C06C4
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		mov	eax, [ebp+var_4]
		mov	ecx, offset unk_6C06C4
		mov	ebx, [ebp+var_8]
		mov	dword_6C06CC, eax
		mov	dword_6C06D0, ebx
		call	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)
		cmp	esi, 0Ch
		jz	short loc_9B5131
		cmp	esi, 5
		jz	short loc_9B5131
		cmp	esi, 6
		jz	short loc_9B5131
		mov	eax, _PopPdcIdlePhaseDefaultWatchdogTimeoutSeconds
		jmp	short loc_9B5138
; 

loc_9B5131:				; CODE XREF: PopArmIdlePhaseWatchdog(x)+75j
					; PopArmIdlePhaseWatchdog(x)+7Aj ...
		mov	eax, _PopIdleScanInterval
		add	eax, ebx

loc_9B5138:				; CODE XREF: PopArmIdlePhaseWatchdog(x)+86j
		xor	ecx, ecx
		imul	eax, 3E8h
		push	ecx
		push	ecx
		push	38h
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_34], eax
		mov	eax, ds:_PopEventProcessorEnabled
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	57h
		mov	[ebp+var_30], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_40], 15h
		mov	[ebp+var_38], edi
		mov	[ebp+var_2C], 0A0h
		mov	[ebp+var_28], 802h
		mov	[ebp+var_24], esi
		mov	[ebp+var_1C], offset _PopPdcIdlePhaseWatchdogContext
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], offset _PopIdlePhaseWatchdogCallback@24 ;	PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)
		call	_ZwPowerInformation@20 ; ZwPowerInformation(x,x,x,x,x)

loc_9B5192:				; CODE XREF: PopArmIdlePhaseWatchdog(x)+29j
					; PopArmIdlePhaseWatchdog(x)+3Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopArmIdlePhaseWatchdog@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBlockSessionSwitch(x, x)
_PopBlockSessionSwitch@8 proc near	; CODE XREF: PoSessionBuiltinPanelState(x,x)+24p
					; PoSessionBuiltinPanelState(x,x)+77p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+20h+var_4], eax
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		push	edi
		lea	edi, [esp+28h+var_1C]
		push	6
		pop	ecx
		rep stosd
		lea	ecx, [esp+28h+var_1C]
		mov	[esp+28h+var_14], 1
		cmp	[ebp+arg_0], al
		jz	short loc_9B51D7
		call	PoBlockConsoleSwitch
		mov	[esi], eax
		jmp	short loc_9B51EE
; 

loc_9B51D7:				; CODE XREF: PopBlockSessionSwitch(x,x)+35j
		mov	eax, [esi]
		lea	edx, [esp+28h+var_20]
		mov	[esp+28h+var_20], eax
		mov	[esp+28h+var_C], 7
		call	PopDispatchStateCallout

loc_9B51EE:				; CODE XREF: PopBlockSessionSwitch(x,x)+3Ej
		mov	ecx, [esp+28h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_PopBlockSessionSwitch@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopControlMonitor(x, x)
_PopControlMonitor@8 proc near		; CODE XREF: PopScreenOff(x)+2Fp
					; PopScreenOn(x)+2Cp
					; DATA XREF: ...

var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_11		= byte ptr -11h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		xor	eax, eax
		xor	ecx, ecx
		cmp	ds:_TtmpEnabled, 1
		mov	[esp+18h+var_14+1], ax
		mov	[esp+18h+var_11], cl
		jnz	short loc_9B5234
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	dword ptr [edx]
		mov	edx, [edx+4]
		call	_TtmSessionMonitorControl@12 ; TtmSessionMonitorControl(x,x,x)
		jmp	short loc_9B5273
; 

loc_9B5234:				; CODE XREF: PopControlMonitor(x,x)+1Fj
		xor	eax, eax
		mov	[esp+18h+var_11], cl
		mov	[esp+18h+var_14+1], ax
		lea	edx, [esp+18h+var_18]
		mov	eax, [ebp+arg_0]
		mov	[esp+18h+var_C], eax
		lea	eax, [ebp+arg_4]
		push	eax
		push	1
		push	5
		mov	byte ptr [esp+24h+var_14], cl
		mov	[esp+24h+var_8], ecx
		mov	[esp+24h+var_4], ecx
		pop	ecx
		mov	[esp+20h+var_18], 3
		mov	[esp+20h+var_10], 8
		call	PopInvokeWin32Callout

loc_9B5273:				; CODE XREF: PopControlMonitor(x,x)+31j
		mov	esp, ebp
		pop	ebp
		retn	8
_PopControlMonitor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDisarmIdlePhaseWatchdog()
_PopDisarmIdlePhaseWatchdog@0 proc near	; CODE XREF: PdcPoCurrentPdcPhase(x,x,x):loc_6562CAp
					; PopProcessSessionDisplayStateChange(x,x):loc_9B5600p

var_38		= dword	ptr -38h
var_30		= dword	ptr -30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	esi
		mov	esi, _PopPdcIdlePhaseWatchdogContext
		test	esi, esi
		jz	short loc_9B52BC
		push	38h		; size_t
		lea	eax, [ebp+var_38]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_38], 15h
		lea	eax, [ebp+var_38]
		mov	[ebp+var_30], esi
		push	0
		push	0
		push	38h
		push	eax
		push	57h
		call	_ZwPowerInformation@20 ; ZwPowerInformation(x,x,x,x,x)
		call	_PopResetIdlePhaseWatchdogDiagnosticContext@0 ;	PopResetIdlePhaseWatchdogDiagnosticContext()

loc_9B52BC:				; CODE XREF: PopDisarmIdlePhaseWatchdog()+11j
		pop	esi
		leave
		retn
_PopDisarmIdlePhaseWatchdog@0 endp

; [00000005 BYTES: COLLAPSED FUNCTION PopNotifyCsStateExited().	PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 


; __stdcall PopPdcCompleteResiliencyCallback(x,	x)
_PopPdcCompleteResiliencyCallback@8 proc near
					; CODE XREF: PopDirectedDripsNotifyResiliencyCompletionWorker(x)+215p
		mov	edi, edi
		push	edx
		push	1
		call	dword_6D6FEC
		retn
_PopPdcCompleteResiliencyCallback@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopPdcCsDeviceNotification(x)
_PopPdcCsDeviceNotification@4 proc near	; CODE XREF: NtPowerInformation+172509p
					; PopPdcCsCheckSystemVolumeDevice+F60Dp
		mov	edi, edi
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		cmp	_PopPlatformAoAc, bl
		jz	loc_9B545B
		cmp	dword ptr [esi+4], 4
		ja	loc_9B5456
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPdcDeviceListLock
		call	ExAcquirePushLockExclusiveEx
		mov	edx, _PopPdcDeviceList
		mov	edi, ebx
		mov	cl, bl
		cmp	edx, offset _PopPdcDeviceList
		jz	short loc_9B5332
		mov	eax, [esi]

loc_9B531D:				; CODE XREF: PopPdcCsDeviceNotification(x)+5Cj
		mov	edi, edx
		cmp	[edx+8], eax
		jz	short loc_9B5330
		mov	edx, [edx]
		cmp	edx, offset _PopPdcDeviceList
		jnz	short loc_9B531D
		jmp	short loc_9B5332
; 

loc_9B5330:				; CODE XREF: PopPdcCsDeviceNotification(x)+52j
		mov	cl, 1

loc_9B5332:				; CODE XREF: PopPdcCsDeviceNotification(x)+49j
					; PopPdcCsDeviceNotification(x)+5Ej
		or	eax, 0FFFFFFFFh
		cmp	[esi+8], bl
		jz	short loc_9B53A9
		test	cl, cl
		jnz	short loc_9B53A1
		push	6F435343h
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_9B5394
		xor	eax, eax
		mov	edi, edx
		push	6
		pop	ecx
		rep stosd
		mov	eax, [esi]
		mov	ecx, offset _PopPdcDeviceList
		mov	[edx+8], eax
		mov	eax, [esi+4]
		mov	[edx+0Ch], eax
		mov	al, [esi+9]
		mov	[edx+14h], al
		mov	dword ptr [edx+10h], 1
		mov	eax, off_6B35AC
		cmp	[eax], ecx
		jnz	loc_9B5421
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	[eax], edx
		mov	off_6B35AC, edx
		jmp	short loc_9B53D5
; 

loc_9B5394:				; CODE XREF: PopPdcCsDeviceNotification(x)+80j
		mov	ebx, 0C0000017h

loc_9B5399:				; CODE XREF: PopPdcCsDeviceNotification(x)+14Cj
		or	eax, 0FFFFFFFFh
		jmp	loc_9B542B
; 

loc_9B53A1:				; CODE XREF: PopPdcCsDeviceNotification(x)+6Cj
		inc	dword ptr [edi+10h]
		jmp	loc_9B542B
; 

loc_9B53A9:				; CODE XREF: PopPdcCsDeviceNotification(x)+68j
		test	cl, cl
		jz	short loc_9B5426
		dec	dword ptr [edi+10h]
		mov	ecx, [edi+10h]
		test	ecx, ecx
		jg	short loc_9B542B
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_9B5421
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	short loc_9B5421
		push	6F435343h
		mov	[ecx], eax
		push	edi
		mov	[eax+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9B53D5:				; CODE XREF: PopPdcCsDeviceNotification(x)+C2j
		call	_PopPdcUpdateDeviceCompliance@0	; PopPdcUpdateDeviceCompliance()
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	edx, [esi+4]
		cmp	edx, 1
		jz	short loc_9B5405
		cmp	edx, 2
		jz	short loc_9B5405
		cmp	edx, 4
		jz	short loc_9B5405
		cmp	_PopCsDeviceCompliance[edx*4], 0FFFFFFFFh
		jnz	short loc_9B5417
		mov	cl, [esi+8]
		call	_PopNetNonCompliantDeviceUpdate@8 ; PopNetNonCompliantDeviceUpdate(x,x)
		jmp	short loc_9B5417
; 

loc_9B5405:				; CODE XREF: PopPdcCsDeviceNotification(x)+115j
					; PopPdcCsDeviceNotification(x)+11Aj ...
		cmp	[esi+9], bl
		jz	short loc_9B5412
		mov	cl, [esi+8]
		call	_PopNetCompliantNicUpdate@4 ; PopNetCompliantNicUpdate(x)

loc_9B5412:				; CODE XREF: PopPdcCsDeviceNotification(x)+138j
		call	PopNetUpdateCsConsumptionFlags

loc_9B5417:				; CODE XREF: PopPdcCsDeviceNotification(x)+129j
					; PopPdcCsDeviceNotification(x)+133j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		jmp	loc_9B5399
; 

loc_9B5421:				; CODE XREF: PopPdcCsDeviceNotification(x)+AFj
					; PopPdcCsDeviceNotification(x)+ECj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9B5426:				; CODE XREF: PopPdcCsDeviceNotification(x)+DBj
		mov	ebx, 0C000000Dh

loc_9B542B:				; CODE XREF: PopPdcCsDeviceNotification(x)+CCj
					; PopPdcCsDeviceNotification(x)+D4j ...
		mov	esi, offset _PopPdcDeviceListLock
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9B5441
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9B5441:				; CODE XREF: PopPdcCsDeviceNotification(x)+168j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	short loc_9B545B
; 

loc_9B5456:				; CODE XREF: PopPdcCsDeviceNotification(x)+19j
		mov	ebx, 0C000000Dh

loc_9B545B:				; CODE XREF: PopPdcCsDeviceNotification(x)+Fj
					; PopPdcCsDeviceNotification(x)+184j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
_PopPdcCsDeviceNotification@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopPdcDisengagePhases()
_PopPdcDisengagePhases@0 proc near	; CODE XREF: PopPowerAggregatorModernStandbyExitStateHandler(x)+30p
					; PopPowerAggregatorScreenOffExitStateHandler(x)+6Dp ...
		mov	ecx, dword_6D6FE0
		mov	eax, 0C0000002h
		test	ecx, ecx
		jz	short locret_9B5472
		jmp	ecx
; 

locret_9B5472:				; CODE XREF: PopPdcDisengagePhases()+Dj
		retn
_PopPdcDisengagePhases@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPdcIdleResiliencyCallback(x, x)
_PopPdcIdleResiliencyCallback@8	proc near ; CODE XREF: PdcPoResiliencyClient(x,x,x)+51p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	bl, dl
		mov	[ebp+var_8], ecx
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		movzx	eax, bl
		mov	ecx, offset _GUID_PDC_IDLE_RESILIENCY_ENGAGED ;	int
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax		; void *
		push	4
		pop	edx
		mov	_PopPdcIdleResiliency, bl
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		call	PopCheckResiliencyScenarios
		push	offset dword_6D4530
		mov	edx, offset dword_6D4528
		mov	cl, bl
		call	_PopAccumulateNonActivatedCpuTime@12 ; PopAccumulateNonActivatedCpuTime(x,x,x)
		call	_PpmQueryTime@0	; PpmQueryTime()
		mov	esi, eax
		mov	edi, edx
		test	bl, bl
		jz	short loc_9B5506
		mov	ecx, _PopFxDeviceAccountingLevel
		mov	dword_6D44F8, esi
		mov	dword_6D44FC, edi
		test	cl, 4
		jz	short loc_9B54E3
		call	_PopFxResumeDeviceAccounting@0 ; PopFxResumeDeviceAccounting()

loc_9B54E3:				; CODE XREF: PopPdcIdleResiliencyCallback(x,x)+69j
		mov	cl, 1
		call	_PpmIdleCsVetoAccountingResiliencyUpdate@4 ; PpmIdleCsVetoAccountingResiliencyUpdate(x)
		xor	cl, cl
		call	_PopUpdateNonAttributedCpuTimeReference@4 ; PopUpdateNonAttributedCpuTimeReference(x)
		call	_PopDripsWatchdogStartWatchdog@0 ; PopDripsWatchdogStartWatchdog()
		mov	cl, 1
		call	_PpmDisableHighPerfRequestDeferredExpiration@4 ; PpmDisableHighPerfRequestDeferredExpiration(x)
		push	edi
		push	esi
		call	_PopFxBeginDeviceIRPhaseAccounting@8 ; PopFxBeginDeviceIRPhaseAccounting(x,x)
		jmp	short loc_9B5551
; 

loc_9B5506:				; CODE XREF: PopPdcIdleResiliencyCallback(x,x)+52j
		mov	ecx, esi
		mov	eax, edi
		sub	ecx, dword_6D44F8
		push	edi
		sbb	eax, dword_6D44FC
		add	dword_6D4500, ecx
		push	esi
		adc	dword_6D4504, eax
		call	_PopFxEndDeviceIRPhaseAccounting@8 ; PopFxEndDeviceIRPhaseAccounting(x,x)
		mov	eax, _PopFxDeviceAccountingLevel
		test	al, 4
		jz	short loc_9B5537
		call	_PopFxPauseDeviceAccounting@0 ;	PopFxPauseDeviceAccounting()

loc_9B5537:				; CODE XREF: PopPdcIdleResiliencyCallback(x,x)+BDj
		xor	cl, cl
		call	_PpmIdleCsVetoAccountingResiliencyUpdate@4 ; PpmIdleCsVetoAccountingResiliencyUpdate(x)
		mov	cl, 1
		call	_PopUpdateNonAttributedCpuTimeReference@4 ; PopUpdateNonAttributedCpuTimeReference(x)
		call	_PopDripsWatchdogStopWatchdog@0	; PopDripsWatchdogStopWatchdog()
		xor	cl, cl
		call	_PpmDisableHighPerfRequestDeferredExpiration@4 ; PpmDisableHighPerfRequestDeferredExpiration(x)

loc_9B5551:				; CODE XREF: PopPdcIdleResiliencyCallback(x,x)+91j
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	cl, bl
		call	_PopIdleWakeNotifyIdleResiliencyState@4	; PopIdleWakeNotifyIdleResiliencyState(x)
		mov	ecx, [ebp+var_8]
		mov	dl, bl
		call	_PopDirectedDripsIdleResiliencyCallback@8 ; PopDirectedDripsIdleResiliencyCallback(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopPdcIdleResiliencyCallback@8	endp


;  S U B	R O U T	I N E 


; __stdcall PopPdcSnapDiagnosticContext(x)
_PopPdcSnapDiagnosticContext@4 proc near
					; CODE XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+35p
		mov	eax, dword_6D6FF0
		test	eax, eax
		jz	short locret_9B5578
		push	ecx
		call	eax

locret_9B5578:				; CODE XREF: PopPdcSnapDiagnosticContext(x)+7j
		retn
_PopPdcSnapDiagnosticContext@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopPdcUpdateDeviceCompliance()
_PopPdcUpdateDeviceCompliance@0	proc near
					; CODE XREF: PopPdcCsDeviceNotification(x):loc_9B53D5p
		mov	eax, _PopPdcDeviceList
		mov	edx, offset _PopPdcDeviceList
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, esi
		mov	ebx, esi
		jmp	short loc_9B559F
; 

loc_9B558E:				; CODE XREF: PopPdcUpdateDeviceCompliance()+28j
		mov	ecx, [eax+0Ch]
		bts	ebx, ecx
		cmp	byte ptr [eax+14h], 0
		jz	short loc_9B559D
		bts	edi, ecx

loc_9B559D:				; CODE XREF: PopPdcUpdateDeviceCompliance()+1Fj
		mov	eax, [eax]

loc_9B559F:				; CODE XREF: PopPdcUpdateDeviceCompliance()+13j
		cmp	eax, edx
		jnz	short loc_9B558E
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()

loc_9B55A8:				; CODE XREF: PopPdcUpdateDeviceCompliance()+62j
		mov	eax, _PopCsDeviceCompliance[esi*4]
		xor	edx, edx
		inc	edx
		mov	ecx, esi
		shl	edx, cl
		test	edx, edi
		jz	short loc_9B55BF
		xor	edx, edx
		inc	edx
		jmp	short loc_9B55C5
; 

loc_9B55BF:				; CODE XREF: PopPdcUpdateDeviceCompliance()+3Fj
		and	edx, ebx
		neg	edx
		sbb	edx, edx

loc_9B55C5:				; CODE XREF: PopPdcUpdateDeviceCompliance()+44j
		cmp	edx, eax
		jz	short loc_9B55D7
		mov	ecx, esi
		mov	_PopCsDeviceCompliance[esi*4], edx
		call	_PopDiagTraceDeviceComplianceUpdate@8 ;	PopDiagTraceDeviceComplianceUpdate(x,x)

loc_9B55D7:				; CODE XREF: PopPdcUpdateDeviceCompliance()+4Ej
		inc	esi
		cmp	esi, 5
		jb	short loc_9B55A8
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
_PopPdcUpdateDeviceCompliance@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopProcessSessionDisplayStateChange(x, x)
_PopProcessSessionDisplayStateChange@8 proc near ; CODE	XREF: NtPowerInformation+17232Ap
					; PopMonitorInvocation+A9463p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ebx
		mov	bl, cl
		push	esi
		mov	esi, edx
		test	bl, bl
		jnz	short loc_9B5600
		mov	ecx, esi
		call	_PopArmIdlePhaseWatchdog@4 ; PopArmIdlePhaseWatchdog(x)
		jmp	short loc_9B5605
; 

loc_9B5600:				; CODE XREF: PopProcessSessionDisplayStateChange(x,x)+10j
		call	_PopDisarmIdlePhaseWatchdog@0 ;	PopDisarmIdlePhaseWatchdog()

loc_9B5605:				; CODE XREF: PopProcessSessionDisplayStateChange(x,x)+19j
		cmp	ds:_TtmpEnabled, 1
		jz	short loc_9B5619
		mov	edx, esi
		mov	cl, bl
		call	_PopTriggerMonitorPowerEvent@8 ; PopTriggerMonitorPowerEvent(x,x)
		jmp	short loc_9B561E
; 

loc_9B5619:				; CODE XREF: PopProcessSessionDisplayStateChange(x,x)+27j
		mov	eax, 0C00000BBh

loc_9B561E:				; CODE XREF: PopProcessSessionDisplayStateChange(x,x)+32j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopProcessSessionDisplayStateChange@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopResetIdlePhaseWatchdogDiagnosticContext()
_PopResetIdlePhaseWatchdogDiagnosticContext@0 proc near
					; CODE XREF: PopDisarmIdlePhaseWatchdog()+3Ep
		mov	edi, edi
		push	esi
		mov	esi, offset unk_6C06C4
		mov	ecx, esi
		call	_PopAcquireRwLockExclusive@4 ; PopAcquireRwLockExclusive(x)
		and	dword_6C06D0, 0
		mov	eax, dword_6C06CC
		test	eax, eax
		jz	short loc_9B5655
		push	67696450h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword_6C06CC, 0

loc_9B5655:				; CODE XREF: PopResetIdlePhaseWatchdogDiagnosticContext()+1Dj
		mov	ecx, esi
		pop	esi
		jmp	_PopReleaseRwLock@4 ; PopReleaseRwLock(x)
_PopResetIdlePhaseWatchdogDiagnosticContext@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopScreenOff(x)
_PopScreenOff@4	proc near		; CODE XREF: NtPowerInformation+1724BFp
					; PopPowerInformationInternal+171569p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		or	[esp+0Ch+var_C], 0FFFFFFFFh
		lea	eax, [esp+0Ch+var_C]
		push	esi
		push	eax
		push	1
		mov	esi, ecx
		call	_PopBlockSessionSwitch@8 ; PopBlockSessionSwitch(x,x)
		push	[esp+10h+var_C]
		and	[esp+14h+var_8], 0
		lea	eax, [esp+14h+var_8]
		push	eax
		mov	[esp+18h+var_4], esi
		call	_PopControlMonitor@8 ; PopControlMonitor(x,x)
		lea	eax, [esp+10h+var_C]
		push	eax
		push	0
		call	_PopBlockSessionSwitch@8 ; PopBlockSessionSwitch(x,x)
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_PopScreenOff@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopScreenOn(x)
_PopScreenOn@4	proc near		; CODE XREF: PopPowerInformationInternal+17155Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		or	[ebp+var_4], 0FFFFFFFFh
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		call	_PopBlockSessionSwitch@8 ; PopBlockSessionSwitch(x,x)
		push	[ebp+var_4]
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], 2
		push	eax
		mov	[ebp+var_8], 1Eh
		call	_PopControlMonitor@8 ; PopControlMonitor(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		call	_PopBlockSessionSwitch@8 ; PopBlockSessionSwitch(x,x)
		leave
		retn
_PopScreenOn@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtGetDevicePowerState(x, x)
_NtGetDevicePowerState@8 proc near	; CODE XREF: PfpVolumeOpenAndVerify+1366B8p
					; DATA XREF: .text:00581008o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	20h
		push	offset dword_6A8E00
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_20], edx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_9B571D
		mov	[ebp+ms_exc.disabled], edx
		mov	ecx, [ebp+arg_4]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9B5712
		mov	ecx, eax

loc_9B5712:				; CODE XREF: NtGetDevicePowerState(x,x)+2Ej
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9B571D:				; CODE XREF: NtGetDevicePowerState(x,x)+1Fj
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_28], al
		mov	eax, ds:_IoFileObjectType
		mov	[ebp+var_1C], edx
		push	edx
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_28]
		push	eax
		push	edx
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9B57C1
		lea	edx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		call	_IoGetRelatedTargetDevice@8 ; IoGetRelatedTargetDevice(x,x)
		mov	esi, eax
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject
		test	esi, esi
		js	short loc_9B57BF
		mov	eax, [ebp+var_20]
		mov	ecx, [eax+0B0h]
		call	_PopLockGetDoDevicePowerState@4	; PopLockGetDoDevicePowerState(x)
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		jmp	short loc_9B57B0
; 

loc_9B577F:				; DATA XREF: .text:006A8E14o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9B578D:				; DATA XREF: .text:006A8E18o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]
		jmp	short loc_9B57C1
; 

loc_9B579C:				; DATA XREF: .text:006A8E20o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9B57AA:				; DATA XREF: .text:006A8E24o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_2C]

loc_9B57B0:				; CODE XREF: NtGetDevicePowerState(x,x)+9Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_20]
		call	ObfDereferenceObject

loc_9B57BF:				; CODE XREF: NtGetDevicePowerState(x,x)+81j
		mov	eax, esi

loc_9B57C1:				; CODE XREF: NtGetDevicePowerState(x,x)+68j
					; NtGetDevicePowerState(x,x)+BAj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtGetDevicePowerState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDeferDoze(x, x, x)
_PopDeferDoze@12 proc near		; CODE XREF: PAGELK:0071F371p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_C], edx
		push	esi
		mov	esi, ebx
		mov	[ebp+var_10], ecx
		push	edi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		cmp	ds:_PopDozeDeferralMaxSeconds, ebx
		jnz	short loc_9B5800
		inc	esi

loc_9B5800:				; CODE XREF: PopDeferDoze(x,x,x)+2Aj
		mov	eax, dword_6C2778
		or	eax, dword_6C277C
		jnz	short loc_9B5810
		or	esi, 2

loc_9B5810:				; CODE XREF: PopDeferDoze(x,x,x)+38j
		test	dword_6C26CC, 40000000h
		jz	short loc_9B581F
		or	esi, 4

loc_9B581F:				; CODE XREF: PopDeferDoze(x,x,x)+47j
		test	ecx, ecx
		jnz	short loc_9B582A
		test	edx, edx
		jnz	short loc_9B582A
		or	esi, 8

loc_9B582A:				; CODE XREF: PopDeferDoze(x,x,x)+4Ej
					; PopDeferDoze(x,x,x)+52j
		mov	ecx, offset _PopCapabilities
		call	PopIsDozeSupported
		test	al, al
		jnz	short loc_9B583B
		or	esi, 10h

loc_9B583B:				; CODE XREF: PopDeferDoze(x,x,x)+63j
		mov	eax, _PopPolicy
		cmp	[eax+58h], ebx
		jnz	short loc_9B5848
		or	esi, 20h

loc_9B5848:				; CODE XREF: PopDeferDoze(x,x,x)+70j
		lea	eax, [ebp+var_8]
		mov	ecx, offset _GUID_LEGACY_RTC_MITIGATION
		push	eax
		lea	edx, [ebp+var_4]
		call	_PopQueryPowerSettingUlong@12 ;	PopQueryPowerSettingUlong(x,x,x)
		test	al, al
		mov	eax, [ebp+arg_0]
		jz	short loc_9B586E
		mov	ecx, [ebp+var_8]
		cmp	[eax], bl
		jz	short loc_9B586A
		mov	ecx, [ebp+var_4]

loc_9B586A:				; CODE XREF: PopDeferDoze(x,x,x)+92j
		test	ecx, ecx
		jnz	short loc_9B5871

loc_9B586E:				; CODE XREF: PopDeferDoze(x,x,x)+8Bj
		or	esi, 40h

loc_9B5871:				; CODE XREF: PopDeferDoze(x,x,x)+99j
		cmp	[eax+3], bl
		jz	short loc_9B588B
		cmp	[eax], bl
		jz	short loc_9B588B
		cmp	[ebp+var_4], 1
		jnz	short loc_9B588B
		cmp	[ebp+var_8], ebx
		jnz	short loc_9B588B
		or	esi, 100h

loc_9B588B:				; CODE XREF: PopDeferDoze(x,x,x)+A1j
					; PopDeferDoze(x,x,x)+A5j ...
		call	KeQueryInterruptTime
		lea	ecx, [ebp+var_14]
		mov	edi, eax
		push	ecx
		mov	eax, edx
		lea	ecx, [ebp+var_20]
		mov	edx, [ebp+var_C]
		push	ecx
		mov	ecx, [ebp+var_10]
		push	eax
		push	edi
		mov	[ebp+arg_0], eax
		call	_PopIsWakeTimerImmanent@24 ; PopIsWakeTimerImmanent(x,x,x,x,x,x)
		test	al, al
		jnz	short loc_9B58B6
		or	esi, 80h

loc_9B58B6:				; CODE XREF: PopDeferDoze(x,x,x)+DBj
		mov	eax, ds:_PopDozeDeferralChecksToIgnore
		not	eax
		and	esi, eax
		jnz	short loc_9B58D1
		push	offset ??_C@_0BG@HKNPJPGK@Deferring?5doze?5to?5S4?6@NNGAKEGL@ ;	"Deferring doze	to S4\n"
		push	3
		mov	bl, 1
		call	_PopPrintEx
		pop	ecx
		pop	ecx

loc_9B58D1:				; CODE XREF: PopDeferDoze(x,x,x)+ECj
		push	[ebp+var_C]
		mov	edx, esi
		mov	cl, bl
		push	[ebp+var_10]
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+arg_0]
		push	edi
		mov	edi, [ebp+var_14]
		push	edi
		call	_PopDiagTraceDozeDeferralDecision@36 ; PopDiagTraceDozeDeferralDecision(x,x,x,x,x,x,x,x,x)
		test	edi, edi
		jz	short loc_9B58FD
		push	53577254h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9B58FD:				; CODE XREF: PopDeferDoze(x,x,x)+11Dj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
_PopDeferDoze@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIsWakeTimerImmanent(x, x, x, x, x, x)
_PopIsWakeTimerImmanent@24 proc	near	; CODE XREF: PopDeferDoze(x,x,x)+D4p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, [ebp+arg_C]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_1C], ecx
		mov	ecx, dword_6C277C
		push	esi
		or	esi, 0FFFFFFFFh
		mov	[eax], ebx
		mov	eax, dword_6C2778
		push	edi
		mov	edi, ebx
		mov	[ebp+var_14], eax
		or	eax, ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_C], edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_1], bl
		mov	[ebp+var_18], ecx
		jz	loc_9B5A65
		mov	eax, ds:_PopDozeDeferralMaxSeconds
		test	eax, eax
		jz	loc_9B5A65
		mov	ecx, 0F4240h
		mul	ecx
		push	0Ah
		mov	ecx, eax
		mov	eax, edx
		pop	edx
		mul	edx
		push	0Ah
		mov	[ebp+var_8], eax
		mov	eax, ecx
		pop	ecx
		mul	ecx
		mov	ecx, [ebp+var_8]
		add	ecx, edx
		mov	edx, eax
		add	edx, [ebp+var_14]
		mov	eax, [ebp+var_1C]
		adc	ecx, [ebp+var_18]
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], ecx
		test	eax, eax
		jz	short loc_9B59D2
		cmp	eax, 2
		jnz	short loc_9B59A5
		test	_PopSimulate, 80000000h
		mov	cl, 1
		jz	short loc_9B59A7

loc_9B59A5:				; CODE XREF: PopIsWakeTimerImmanent(x,x,x,x,x,x)+8Fj
		mov	cl, bl

loc_9B59A7:				; CODE XREF: PopIsWakeTimerImmanent(x,x,x,x,x,x)+9Dj
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, [ebp+var_8]
		push	eax
		push	edx
		push	[ebp+arg_4]
		lea	edx, [ebp+var_28]
		push	[ebp+arg_0]
		call	_ExGetNextWakeTime@28 ;	ExGetNextWakeTime(x,x,x,x,x,x,x)
		mov	esi, [ebp+var_28]
		mov	edi, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_14]
		test	al, al
		jz	short loc_9B59D2
		mov	[ebp+var_1], 1

loc_9B59D2:				; CODE XREF: PopIsWakeTimerImmanent(x,x,x,x,x,x)+8Aj
					; PopIsWakeTimerImmanent(x,x,x,x,x,x)+C6j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_9B5A0D
		cmp	eax, 2
		jnz	short loc_9B59EC
		test	_PopSimulate, 80000000h
		jnz	short loc_9B59EC
		mov	bl, 1

loc_9B59EC:				; CODE XREF: PopIsWakeTimerImmanent(x,x,x,x,x,x)+D6j
					; PopIsWakeTimerImmanent(x,x,x,x,x,x)+E2j
		lea	eax, [ebp+var_10]
		push	eax
		push	ecx
		push	edx
		push	[ebp+arg_4]
		lea	edx, [ebp+var_30]
		mov	cl, bl
		push	[ebp+arg_0]
		call	_ExGetNextWakeTime@28 ;	ExGetNextWakeTime(x,x,x,x,x,x,x)
		mov	ebx, [ebp+var_10]
		test	al, al
		jz	short loc_9B5A0D
		mov	[ebp+var_1], 1

loc_9B5A0D:				; CODE XREF: PopIsWakeTimerImmanent(x,x,x,x,x,x)+D1j
					; PopIsWakeTimerImmanent(x,x,x,x,x,x)+101j
		cmp	[ebp+var_1], 0
		jz	short loc_9B5A65
		mov	eax, [ebp+var_24]
		cmp	eax, [ebp+var_2C]
		ja	short loc_9B5A43
		jb	short loc_9B5A22
		cmp	esi, [ebp+var_30]
		ja	short loc_9B5A43

loc_9B5A22:				; CODE XREF: PopIsWakeTimerImmanent(x,x,x,x,x,x)+115j
		test	ebx, ebx
		jz	short loc_9B5A31
		push	53577254h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9B5A31:				; CODE XREF: PopIsWakeTimerImmanent(x,x,x,x,x,x)+11Ej
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_24]
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	eax, [ebp+arg_C]
		mov	[eax], edi
		jmp	short loc_9B5A65
; 

loc_9B5A43:				; CODE XREF: PopIsWakeTimerImmanent(x,x,x,x,x,x)+113j
					; PopIsWakeTimerImmanent(x,x,x,x,x,x)+11Aj
		test	edi, edi
		jz	short loc_9B5A52
		push	53577254h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9B5A52:				; CODE XREF: PopIsWakeTimerImmanent(x,x,x,x,x,x)+13Fj
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+var_30]
		mov	[ecx], eax
		mov	eax, [ebp+var_2C]
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_C]
		mov	[eax], ebx

loc_9B5A65:				; CODE XREF: PopIsWakeTimerImmanent(x,x,x,x,x,x)+45j
					; PopIsWakeTimerImmanent(x,x,x,x,x,x)+52j ...
		mov	al, [ebp+var_1]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PopIsWakeTimerImmanent@24 endp


;  S U B	R O U T	I N E 


; __stdcall PopIssueDirectedPowerTransition(x, x)
_PopIssueDirectedPowerTransition@8 proc	near ; CODE XREF: PopWakeDeviceList:loc_552BE4p
					; PopSleepDeviceList:loc_552DA2p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [edx-34h]
		cmp	byte ptr [esi],	3
		jnz	short loc_9B5A8B
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	_PopCompleteDirectedPowerTransitionCallback@12 ; PopCompleteDirectedPowerTransitionCallback(x,x,x)
		jmp	short loc_9B5AAA
; 

loc_9B5A8B:				; CODE XREF: PopIssueDirectedPowerTransition(x,x)+Dj
		xor	bl, bl
		cmp	dword ptr [esi+4], 1
		jz	short loc_9B5AA0
		mov	ecx, [edi+1Ch]
		inc	bl
		mov	ecx, [ecx+10h]
		call	_PoFxActivateDevice@4 ;	PoFxActivateDevice(x)

loc_9B5AA0:				; CODE XREF: PopIssueDirectedPowerTransition(x,x)+22j
		push	esi
		mov	dl, bl
		mov	ecx, edi
		call	_PopFxIssueDirectedPowerTransition@12 ;	PopFxIssueDirectedPowerTransition(x,x,x)

loc_9B5AAA:				; CODE XREF: PopIssueDirectedPowerTransition(x,x)+1Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
_PopIssueDirectedPowerTransition@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmCompareAndApplyPolicySettings(x,	x, x)
_PpmCompareAndApplyPolicySettings@12 proc near ; CODE XREF: PpmApplyProfile(x)+13Ep
					; PpmProfileAcDcUpdate()+ABp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		xor	eax, eax
		mov	[esp+2Ch+var_1C], edx
		and	[esp+2Ch+var_C], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+38h+var_2C], eax
		cmp	ds:_PopHeteroSystem, eax
		jz	short loc_9B5AE3
		cmp	ds:_PpmPerfSchedulerDirectedPerfStatesSupported, al
		jz	short loc_9B5AE3
		or	eax, 1002h
		mov	[esp+38h+var_2C], eax

loc_9B5AE3:				; CODE XREF: PpmCompareAndApplyPolicySettings(x,x,x)+22j
					; PpmCompareAndApplyPolicySettings(x,x,x)+2Aj
		mov	esi, [ecx]
		xor	edi, edi
		mov	edx, [ecx+4]
		and	esi, 0D8030FC0h
		and	edx, 1CFFFFh
		mov	[esp+38h+var_8], edi
		xor	ebx, ebx
		mov	[esp+38h+var_28], edx
		mov	ecx, esi
		mov	[esp+38h+var_4], ebx
		or	ecx, edx
		jz	loc_9B5BEC

loc_9B5B0E:				; CODE XREF: PpmCompareAndApplyPolicySettings(x,x,x)+124j
		bsf	ecx, esi
		mov	[esp+38h+var_24], ecx
		jnz	short loc_9B5B27
		bsf	ecx, edx
		jz	loc_9B5BD7
		add	ecx, 20h
		mov	[esp+38h+var_24], ecx

loc_9B5B27:				; CODE XREF: PpmCompareAndApplyPolicySettings(x,x,x)+67j
		xor	eax, eax
		xor	edx, edx
		inc	eax
		call	__allshl
		not	eax
		not	edx
		and	[esp+38h+var_28], edx
		and	esi, eax
		mov	[esp+38h+var_C], esi
		xor	eax, eax
		imul	esi, [esp+38h+var_24], 1Ch
		inc	eax
		xor	edx, edx
		mov	[esp+38h+var_20], esi
		movzx	ecx, ds:byte_7056D8[esi]
		call	__allshl
		test	ds:byte_7056D9[esi], 4
		mov	[esp+38h+var_18], eax
		push	0
		pop	eax
		setnz	al
		mov	[esp+38h+var_14], edx
		inc	eax
		mov	[esp+38h+var_10], eax
		xor	eax, eax
		mov	[esp+38h+var_24], eax

loc_9B5B79:				; CODE XREF: PpmCompareAndApplyPolicySettings(x,x,x)+116j
		mov	esi, ds:dword_7056D4[esi]
		mov	ecx, esi
		imul	ecx, eax
		mov	eax, [esp+38h+var_20]
		push	esi		; Length
		mov	eax, ds:dword_7056D0[eax]
		add	ecx, eax
		mov	eax, [ebp+arg_0]
		add	eax, ecx
		push	eax		; Source2
		mov	eax, [esp+40h+var_1C]
		add	eax, ecx
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, esi
		jz	short loc_9B5BB3
		or	edi, [esp+38h+var_18]
		or	ebx, [esp+38h+var_14]
		mov	[esp+38h+var_8], edi

loc_9B5BB3:				; CODE XREF: PpmCompareAndApplyPolicySettings(x,x,x)+F7j
		mov	eax, [esp+38h+var_24]
		mov	esi, [esp+38h+var_20]
		inc	eax
		mov	[esp+38h+var_24], eax
		cmp	eax, [esp+38h+var_10]
		jb	short loc_9B5B79
		mov	esi, [esp+38h+var_C]
		mov	edx, [esp+38h+var_28]
		mov	[esp+38h+var_4], ebx
		jmp	loc_9B5B0E
; 

loc_9B5BD7:				; CODE XREF: PpmCompareAndApplyPolicySettings(x,x,x)+6Cj
		or	edi, ebx
		jz	short loc_9B5BE8
		lea	edx, [esp+38h+var_2C]
		lea	ecx, [esp+38h+var_8]
		call	PpmGetPolicyAction

loc_9B5BE8:				; CODE XREF: PpmCompareAndApplyPolicySettings(x,x,x)+12Bj
		mov	eax, [esp+38h+var_2C]

loc_9B5BEC:				; CODE XREF: PpmCompareAndApplyPolicySettings(x,x,x)+5Aj
		test	al, 1
		jz	short loc_9B5C10
		push	0
		push	0
		mov	edx, offset _PpmApplyIdlePolicyChanges@12 ; PpmApplyIdlePolicyChanges(x,x,x)
		mov	ecx, offset _KeActiveProcessors
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		mov	esi, [esp+38h+var_2C]
		and	esi, 0FFFFFFFEh
		mov	[esp+38h+var_2C], esi
		jmp	short loc_9B5C14
; 

loc_9B5C10:				; CODE XREF: PpmCompareAndApplyPolicySettings(x,x,x)+140j
		mov	esi, [esp+38h+var_2C]

loc_9B5C14:				; CODE XREF: PpmCompareAndApplyPolicySettings(x,x,x)+160j
		cmp	dword_6C2ADC, 0
		jz	short loc_9B5C24
		and	dword_6C2ADC, 0

loc_9B5C24:				; CODE XREF: PpmCompareAndApplyPolicySettings(x,x,x)+16Dj
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	si, si
		jz	short loc_9B5C45
		lea	ecx, [esp+38h+var_2C]
		call	PpmReapplyPerfPolicy
		jmp	short loc_9B5C4F
; 

loc_9B5C45:				; CODE XREF: PpmCompareAndApplyPolicySettings(x,x,x)+18Aj
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)

loc_9B5C4F:				; CODE XREF: PpmCompareAndApplyPolicySettings(x,x,x)+195j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_PpmCompareAndApplyPolicySettings@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmInfoTraceProfileSettings()
_PpmInfoTraceProfileSettings@0 proc near ; CODE	XREF: PpmEventTraceControlCallback+82F0Dp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_5		= byte ptr -5
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_15], 0
		lea	edi, [ebp+var_14]
		stosd
		stosd
		stosd
		stosd
		mov	eax, offset _PpmDefaultProfile

loc_9B5C7F:				; CODE XREF: PpmInfoTraceProfileSettings()+12Dj
		lea	ecx, [eax+20h]
		mov	[ebp+var_20], eax
		mov	edi, offset dword_7056D0
		mov	[ebp+var_30], ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_2C], 35h

loc_9B5C97:				; CODE XREF: PpmInfoTraceProfileSettings()+108j
		movzx	ecx, byte ptr [edi+8]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		call	__allshl
		test	byte ptr [edi+9], 4
		mov	esi, [edi-0Ch]
		lea	edi, [ebp+var_14]
		mov	[ebp+var_24], eax
		push	0
		pop	eax
		movsd
		setnz	al
		inc	eax
		mov	[ebp+var_28], edx
		mov	[ebp+var_38], eax
		xor	ebx, ebx
		movsd
		movsd
		movsd

loc_9B5CC5:				; CODE XREF: PpmInfoTraceProfileSettings()+F8j
		mov	edx, [ebp+var_30]
		mov	edi, [ebp+var_1C]
		mov	esi, [ebp+var_20]
		mov	ecx, [edx+ebx*8]
		mov	eax, [edx+ebx*8+4]
		and	ecx, [ebp+var_24]
		and	eax, [ebp+var_28]
		or	ecx, eax
		jz	short loc_9B5D09
		mov	eax, [edi+4]
		mov	cl, bl
		push	1
		push	0
		push	eax
		imul	eax, ebx
		mov	[ebp+var_34], ecx
		add	eax, [edi]
		add	eax, edx
		mov	edx, [edi-10h]
		push	eax
		push	ecx
		mov	cl, [esi+4]
		lea	eax, [ebp+var_14]
		push	eax
		call	PpmEventTraceProfileSetting
		mov	edx, [ebp+var_34]
		jmp	short loc_9B5D0B
; 

loc_9B5D09:				; CODE XREF: PpmInfoTraceProfileSettings()+85j
		mov	dl, bl

loc_9B5D0B:				; CODE XREF: PpmInfoTraceProfileSettings()+AFj
		mov	ecx, [esi+ebx*8+110h]
		mov	eax, [esi+ebx*8+114h]
		and	ecx, [ebp+var_24]
		and	eax, [ebp+var_28]
		or	ecx, eax
		jz	short loc_9B5D49
		mov	eax, [edi+4]
		lea	ecx, [esi+110h]
		push	1
		push	1
		push	eax
		imul	eax, ebx
		add	eax, [edi]
		add	eax, ecx
		mov	cl, [esi+4]
		push	eax
		push	edx
		mov	edx, [edi-10h]
		lea	eax, [ebp+var_14]
		push	eax
		call	PpmEventTraceProfileSetting

loc_9B5D49:				; CODE XREF: PpmInfoTraceProfileSettings()+C9j
		inc	ebx
		inc	[ebp+var_5]
		cmp	ebx, [ebp+var_38]
		jb	loc_9B5CC5
		add	edi, 1Ch
		sub	[ebp+var_2C], 1
		mov	[ebp+var_1C], edi
		jnz	loc_9B5C97
		mov	cl, [ebp+var_15]
		cmp	cl, _PpmProfileCount
		jz	short loc_9B5D8A
		movzx	eax, cl
		imul	eax, 228h
		add	eax, _PpmProfiles
		inc	cl
		mov	[ebp+var_15], cl
		jmp	loc_9B5C7F
; 

loc_9B5D8A:				; CODE XREF: PpmInfoTraceProfileSettings()+117j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmInfoTraceProfileSettings@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PpmPerfProcCapFloorSettingCallback(void	*,int,int,int)
_PpmPerfProcCapFloorSettingCallback@16 proc near ; DATA	XREF: PpmInfoRegisterCallbacks()+39o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_5		= byte ptr -5
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1Ch+var_4], eax
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	al, [ecx+0Fh]
		lea	edi, [esp+28h+var_14]
		mov	esi, offset _GUID_PROC_CAP_BASE
		movzx	edx, al
		push	10h		; size_t
		push	ecx		; void *
		mov	[esp+30h+var_18], edx
		movsd
		movsd
		movsd
		movsd
		mov	[esp+30h+var_5], al
		lea	eax, [esp+30h+var_14]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		xor	ebx, ebx
		test	eax, eax
		mov	ecx, offset _PpmPerfPolicyLock
		setz	bl
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		cmp	[ebp+arg_8], 4
		jnz	short loc_9B5E31
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_9B5E31
		mov	esi, [esi]
		cmp	esi, 64h
		jbe	short loc_9B5E08
		push	64h
		pop	esi

loc_9B5E08:				; CODE XREF: PpmPerfProcCapFloorSettingCallback(x,x,x,x)+6Aj
		mov	ecx, [esp+28h+var_18]
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		test	eax, eax
		jz	short loc_9B5E31
		mov	eax, [eax+3EA4h]
		test	eax, eax
		jz	short loc_9B5E2B
		test	ebx, ebx
		jz	short loc_9B5E28
		mov	[eax+20h], esi
		jmp	short loc_9B5E2B
; 

loc_9B5E28:				; CODE XREF: PpmPerfProcCapFloorSettingCallback(x,x,x,x)+88j
		mov	[eax+24h], esi

loc_9B5E2B:				; CODE XREF: PpmPerfProcCapFloorSettingCallback(x,x,x,x)+84j
					; PpmPerfProcCapFloorSettingCallback(x,x,x,x)+8Dj
		xor	eax, eax
		mov	esi, eax
		jmp	short loc_9B5E38
; 

loc_9B5E31:				; CODE XREF: PpmPerfProcCapFloorSettingCallback(x,x,x,x)+5Cj
					; PpmPerfProcCapFloorSettingCallback(x,x,x,x)+63j ...
		xor	eax, eax
		mov	esi, 0C000000Dh

loc_9B5E38:				; CODE XREF: PpmPerfProcCapFloorSettingCallback(x,x,x,x)+96j
		or	eax, 0Eh
		lea	ecx, [esp+28h+var_18]
		mov	[esp+28h+var_18], eax
		call	PpmReapplyPerfPolicy
		mov	ecx, [esp+28h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_PpmPerfProcCapFloorSettingCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDisplayBurstEventHandler(x, x)
_PopDisplayBurstEventHandler@8 proc near ; DATA	XREF: PAGEDATA:00A935A4o
					; PAGEDATA:00A935E4o ...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		cmp	[ebp+arg_0], cl
		setz	cl
		add	ecx, 5
		mov	[eax], ecx
		xor	eax, eax
		pop	ebp
		retn	8
_PopDisplayBurstEventHandler@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopGenericEventHandler(x, x)
_PopGenericEventHandler@8 proc near	; DATA XREF: PAGEDATA:00A93504o
					; PAGEDATA:00A93524o ...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		cmp	[ebp+arg_0], cl
		setz	cl
		lea	ecx, ds:1[ecx*2]
		mov	[eax], ecx
		xor	eax, eax
		pop	ebp
		retn	8
_PopGenericEventHandler@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopGetPowerEventFromId(x)
_PopGetPowerEventFromId@4 proc near	; CODE XREF: PopTriggerMonitorPowerEvent(x,x)+3Ap
		mov	edi, edi
		push	esi
		push	edi
		xor	eax, eax
		mov	edi, offset _PopPowerEventTable
		mov	edx, eax
		mov	esi, edi

loc_9B5EA7:				; CODE XREF: PopGetPowerEventFromId(x)+1Aj
		cmp	[esi], ecx
		jz	short loc_9B5EB6
		inc	edx
		add	esi, 20h
		cmp	edx, 30h
		jb	short loc_9B5EA7
		jmp	short loc_9B5EBD
; 

loc_9B5EB6:				; CODE XREF: PopGetPowerEventFromId(x)+11j
		mov	eax, edx
		shl	eax, 5
		add	eax, edi

loc_9B5EBD:				; CODE XREF: PopGetPowerEventFromId(x)+1Cj
		pop	edi
		pop	esi
		retn
_PopGetPowerEventFromId@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopGetPowerEventIdFromMonitorReason(x)
_PopGetPowerEventIdFromMonitorReason@4 proc near
					; CODE XREF: PopTriggerMonitorPowerEvent(x,x)+22p
		xor	edx, edx
		mov	eax, edx

loc_9B5EC4:				; CODE XREF: PopGetPowerEventIdFromMonitorReason(x)+11j
		cmp	ds:_PopMonitorEventMapping[eax*8], ecx
		jz	short loc_9B5ED5
		inc	eax
		cmp	eax, 33h
		jb	short loc_9B5EC4
		jmp	short loc_9B5EDC
; 

loc_9B5ED5:				; CODE XREF: PopGetPowerEventIdFromMonitorReason(x)+Bj
		mov	edx, ds:dword_705CA4[eax*8]

loc_9B5EDC:				; CODE XREF: PopGetPowerEventIdFromMonitorReason(x)+13j
		mov	eax, edx
		retn
_PopGetPowerEventIdFromMonitorReason@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSystemIdleEventHandler(x, x)
_PopSystemIdleEventHandler@8 proc near	; DATA XREF: PAGEDATA:00A936C4o
					; PAGEDATA:00A937A4o

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		cmp	[ebp+arg_0], cl
		setz	cl
		inc	ecx
		mov	[eax], ecx
		xor	eax, eax
		pop	ebp
		retn	8
_PopSystemIdleEventHandler@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTriggerMonitorPowerEvent(x, x)
_PopTriggerMonitorPowerEvent@8 proc near
					; CODE XREF: PoTtmInitiatePowerStateTransition(x,x)+3Fp
					; PopProcessSessionDisplayStateChange(x,x)+2Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	_PopPlatformAoAc, 0
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jnz	short loc_9B5F18
		mov	edi, 0C00000BBh
		jmp	loc_9B5FFF
; 

loc_9B5F18:				; CODE XREF: PopTriggerMonitorPowerEvent(x,x)+14j
		mov	ecx, edx
		call	_PopGetPowerEventIdFromMonitorReason@4 ; PopGetPowerEventIdFromMonitorReason(x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_9B5F30
		mov	edi, 0C000000Dh
		jmp	loc_9B5FFF
; 

loc_9B5F30:				; CODE XREF: PopTriggerMonitorPowerEvent(x,x)+2Cj
		mov	ecx, eax
		call	_PopGetPowerEventFromId@4 ; PopGetPowerEventFromId(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9B5F47
		mov	edi, 0C0000001h
		jmp	loc_9B5FFF
; 

loc_9B5F47:				; CODE XREF: PopTriggerMonitorPowerEvent(x,x)+43j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopPowerEventLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		mov	dword_6C040C, eax
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		call	dword ptr [ebx+0Ch]
		mov	edi, eax
		call	KeQueryInterruptTime
		add	dword ptr [ebx+10h], 1
		mov	esi, eax
		mov	eax, _PopPowerEventTraceCount
		adc	dword ptr [ebx+14h], 0
		imul	ecx, eax, 18h
		mov	[ebx+18h], esi
		mov	[ebx+1Ch], edx
		add	ecx, offset _PopPowerEventTrace
		inc	eax
		and	eax, 1Fh
		mov	_PopPowerEventTraceCount, eax
		mov	eax, [ebp+var_8]
		mov	[ecx], eax
		mov	eax, [ebp+var_4]
		mov	[ecx+8], eax
		mov	eax, [ebp+var_8]
		mov	[ecx+4], edi
		mov	[ecx+10h], esi
		mov	[ecx+14h], edx
		test	edi, edi
		js	short loc_9B5FDE
		mov	edx, [ebp+var_4]
		mov	ecx, eax
		call	_PopDiagTracePowerStateEvent@8 ; PopDiagTracePowerStateEvent(x,x)
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_9B5FDE
		push	dword ptr [ebx]
		mov	edx, [ebx+8]
		call	_PopPowerAggregatorHandleIntent@12 ; PopPowerAggregatorHandleIntent(x,x,x)
		mov	edi, eax

loc_9B5FDE:				; CODE XREF: PopTriggerMonitorPowerEvent(x,x)+C7j
					; PopTriggerMonitorPowerEvent(x,x)+D8j
		cmp	dword_6C040C, 0
		jz	short loc_9B5FEE
		and	dword_6C040C, 0

loc_9B5FEE:				; CODE XREF: PopTriggerMonitorPowerEvent(x,x)+EDj
		xor	edx, edx
		mov	ecx, offset _PopPowerEventLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9B5FFF:				; CODE XREF: PopTriggerMonitorPowerEvent(x,x)+1Bj
					; PopTriggerMonitorPowerEvent(x,x)+33j	...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopTriggerMonitorPowerEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopExecuteSystemIdleAction(x, x, x)
_PopExecuteSystemIdleAction@12 proc near ; CODE	XREF: PopSystemIdleWorker()+C7p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_5], dl
		lea	edi, [ebp+var_28]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		stosd
		call	KeQueryInterruptTime
		xor	esi, esi
		push	esi
		push	989680h
		push	edx
		push	eax
		call	__aulldiv
		mov	[ebp+var_C], edx
		mov	edi, eax
		cmp	ebx, 1
		jz	short loc_9B609A
		cmp	ebx, 2
		jle	short loc_9B6093
		cmp	ebx, 4
		jle	short loc_9B6050
		cmp	ebx, 5
		jnz	short loc_9B6093
		xor	cl, cl
		jmp	short loc_9B609D
; 

loc_9B6050:				; CODE XREF: PopExecuteSystemIdleAction(x,x,x)+3Fj
		cmp	[ebp+var_5], 0
		jz	short loc_9B60A4
		mov	[ebp+var_28], 7
		mov	[ebp+var_24], 80h
		mov	[ebp+var_10], esi
		mov	[ebp+var_18], 3
		mov	[ebp+var_14], 80000024h
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		push	1
		push	5
		lea	eax, [ebp+var_18]
		xor	edx, edx
		push	eax
		lea	ecx, [ebp+var_28]
		call	PopExecutePowerAction
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		jmp	short loc_9B60A4
; 

loc_9B6093:				; CODE XREF: PopExecuteSystemIdleAction(x,x,x)+3Aj
					; PopExecuteSystemIdleAction(x,x,x)+44j
		mov	esi, 0C000000Dh
		jmp	short loc_9B60A4
; 

loc_9B609A:				; CODE XREF: PopExecuteSystemIdleAction(x,x,x)+35j
		mov	cl, [ebp+var_5]

loc_9B609D:				; CODE XREF: PopExecuteSystemIdleAction(x,x,x)+48j
		call	_PopUpdatePdcSystemIdleState@4 ; PopUpdatePdcSystemIdleState(x)
		mov	esi, eax

loc_9B60A4:				; CODE XREF: PopExecuteSystemIdleAction(x,x,x)+4Ej
					; PopExecuteSystemIdleAction(x,x,x)+8Bj ...
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_C]
		push	esi
		mov	[eax+4], ecx
		mov	cl, [ebp+var_5]
		mov	[eax+0Ch], cl
		mov	dl, cl
		mov	ecx, ebx
		mov	[eax], edi
		mov	[eax+8], ebx
		mov	[eax+10h], esi
		call	_PopDiagTraceSystemIdleAction@12 ; PopDiagTraceSystemIdleAction(x,x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopExecuteSystemIdleAction@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopProcessPendingSystemIdleResets()
_PopProcessPendingSystemIdleResets@0 proc near ; CODE XREF: PopSystemIdleWorker()+4Ap
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		jmp	short loc_9B60EF
; 

loc_9B60D6:				; CODE XREF: PopProcessPendingSystemIdleResets()+28j
		xor	eax, eax
		mov	edx, offset _PopPendingSystemIdleResetMask
		inc	eax
		shl	eax, cl
		not	eax
		lock and [edx],	eax
		cmp	ecx, 2
		jnz	short loc_9B60EF
		call	_PopPulseSystemIdleEvent@4 ; PopPulseSystemIdleEvent(x)

loc_9B60EF:				; CODE XREF: PopProcessPendingSystemIdleResets()+6j
					; PopProcessPendingSystemIdleResets()+1Aj
		bsf	ecx, _PopPendingSystemIdleResetMask
		jnz	short loc_9B60D6
		leave
		retn
_PopProcessPendingSystemIdleResets@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopSnapSystemIdleContext(x,	x)
_PopSnapSystemIdleContext@8 proc near	; CODE XREF: PopIdlePhaseWatchdogCallback(x,x,x,x,x,x)+2Cp
					; PopArmIdlePhaseWatchdog(x)+48p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	ebx, edx
		mov	esi, ecx
		nop
		xor	edx, edx
		mov	ecx, offset _PopSystemIdleLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		push	67696450h
		push	148h
		push	1
		mov	dword_6C00E4, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		mov	edi, eax
		push	52h
		pop	ecx
		mov	esi, offset _PopSystemIdleContext
		rep movsd
		xor	edi, edi
		mov	[ebx], edi
		cmp	dword_6B3E5C, edi
		jz	short loc_9B61AA
		mov	esi, edi

loc_9B6153:				; CODE XREF: PopSnapSystemIdleContext(x,x)+AEj
		cmp	byte_6B3D80[esi], 0
		jz	short loc_9B619F
		mov	eax, dword_6B3D84[esi]
		test	eax, eax
		jnz	short loc_9B616A
		mov	eax, edi
		jmp	short loc_9B6199
; 

loc_9B616A:				; CODE XREF: PopSnapSystemIdleContext(x,x)+6Aj
		cmp	eax, 1
		jnz	short loc_9B6196
		mov	ecx, dword_6B3D78[esi]
		sub	ecx, dword_6B3D70[esi]
		mov	eax, dword_6B3D7C[esi]
		sbb	eax, dword_6B3D74[esi]
		push	edi
		push	989680h
		push	eax
		push	ecx
		call	__aulldiv
		jmp	short loc_9B6199
; 

loc_9B6196:				; CODE XREF: PopSnapSystemIdleContext(x,x)+73j
		or	eax, 0FFFFFFFFh

loc_9B6199:				; CODE XREF: PopSnapSystemIdleContext(x,x)+6Ej
					; PopSnapSystemIdleContext(x,x)+9Aj
		cmp	eax, [ebx]
		jbe	short loc_9B619F
		mov	[ebx], eax

loc_9B619F:				; CODE XREF: PopSnapSystemIdleContext(x,x)+60j
					; PopSnapSystemIdleContext(x,x)+A1j
		add	esi, 38h
		cmp	esi, 0E0h
		jb	short loc_9B6153

loc_9B61AA:				; CODE XREF: PopSnapSystemIdleContext(x,x)+55j
		cmp	dword_6C00E4, edi
		jz	short loc_9B61B8
		mov	dword_6C00E4, edi

loc_9B61B8:				; CODE XREF: PopSnapSystemIdleContext(x,x)+B6j
		xor	edx, edx
		mov	ecx, offset _PopSystemIdleLock
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopSnapSystemIdleContext@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSystemIdleWorker()
_PopSystemIdleWorker@0 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		cmp	_PopPlatformAoAc, 0
		mov	[esp+18h+var_8], edi
		mov	[esp+18h+var_4], edi
		jz	loc_9B62E6
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopSystemIdleLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C00E4, eax
		call	_PopProcessPendingSystemIdleResets@0 ; PopProcessPendingSystemIdleResets()
		call	_PopUpdateLastUserInputTime@0 ;	PopUpdateLastUserInputTime()
		mov	esi, dword_6B3D3C
		lea	eax, [esp+18h+var_8]
		push	offset unk_6B3E50
		push	eax
		mov	edx, esi
		mov	ecx, offset unk_6B3D50
		call	_PopIsSystemIdle@16 ; PopIsSystemIdle(x,x,x,x)
		mov	bl, al
		mov	ecx, _PopSystemIdleContext
		mov	dword_6B3E30, ecx
		cmp	dword_6C00E4, edi
		jz	short loc_9B6258
		mov	dword_6C00E4, edi

loc_9B6258:				; CODE XREF: PopSystemIdleWorker()+84j
		xor	edx, edx
		mov	ecx, offset _PopSystemIdleLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	edi
		push	_PopIdleScanInterval
		push	[esp+20h+var_4]
		push	[esp+24h+var_8]
		call	__aulldiv
		push	edx
		push	eax
		mov	ecx, esi
		call	_PopIdleDetection@12 ; PopIdleDetection(x,x,x)
		mov	ecx, dword_6B3E30
		mov	dl, bl
		push	offset unk_6B3E38
		call	_PopExecuteSystemIdleAction@12 ; PopExecuteSystemIdleAction(x,x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PopSystemIdleLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C00E4, eax
		mov	dword_6B3E30, edi
		test	eax, eax
		jz	short loc_9B62CF
		mov	dword_6C00E4, edi

loc_9B62CF:				; CODE XREF: PopSystemIdleWorker()+FBj
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_9B62E6:				; CODE XREF: PopSystemIdleWorker()+1Fj
		push	edi
		push	edi
		push	100h
		push	0Ah
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_PopSystemIdleWorker@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopUpdatePdcSystemIdleState(x)
_PopUpdatePdcSystemIdleState@4 proc near
					; CODE XREF: PopExecuteSystemIdleAction(x,x,x):loc_9B609Dp
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		call	_PopPowerRequestNotifySystemIdleStateChanged@4 ; PopPowerRequestNotifySystemIdleStateChanged(x)
		mov	ecx, dword_6D6FC8
		mov	eax, 0C0000002h
		test	ecx, ecx
		jz	short loc_9B6316
		push	ebx
		call	ecx

loc_9B6316:				; CODE XREF: PopUpdatePdcSystemIdleState(x)+17j
		pop	ebx
		retn
_PopUpdatePdcSystemIdleState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdateSystemIdleContext(x)
_PopUpdateSystemIdleContext@4 proc near	; CODE XREF: PopInitSIdle+9DE46p

var_60		= dword	ptr -60h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		lea	eax, [ebp+var_60]
		push	ebx
		push	esi
		push	edi
		push	4Ch		; size_t
		xor	ebx, ebx
		mov	edi, ecx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	_PopPlatformAoAc, bl
		jz	loc_9B6469
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopSystemIdleLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C00E4, eax
		mov	eax, _PopSystemIdleContext
		mov	[ebp+var_C], eax
		mov	eax, dword_6B3D3C
		mov	[ebp+var_10], eax
		call	KeQueryInterruptTime
		push	ebx
		push	989680h
		push	edx
		push	eax
		call	__aulldiv
		mov	[ebp+var_8], edx
		mov	ecx, offset _PopCapabilities
		lea	edx, [ebp+var_60]
		mov	[ebp+var_4], eax
		call	PopFilterCapabilities
		mov	ecx, _PopFullWake
		test	cl, 3
		jnz	short loc_9B63C1
		test	_PopSimulate, 1000000h
		jnz	short loc_9B63C1
		mov	esi, dword_6C2D20
		test	esi, esi
		jz	short loc_9B63D2
		push	4
		jmp	short loc_9B63D6
; 

loc_9B63C1:				; CODE XREF: PopUpdateSystemIdleContext(x)+8Dj
					; PopUpdateSystemIdleContext(x)+99j
		mov	eax, _PopPolicy
		mov	esi, [eax+3Ch]
		test	esi, esi
		jz	short loc_9B63D2
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_9B63D7
; 

loc_9B63D2:				; CODE XREF: PopUpdateSystemIdleContext(x)+A3j
					; PopUpdateSystemIdleContext(x)+B3j
		xor	esi, esi
		push	5

loc_9B63D6:				; CODE XREF: PopUpdateSystemIdleContext(x)+A7j
		pop	ebx

loc_9B63D7:				; CODE XREF: PopUpdateSystemIdleContext(x)+B8j
		cmp	edi, 1
		jz	short loc_9B63E1
		cmp	edi, 4
		jnz	short loc_9B63E9

loc_9B63E1:				; CODE XREF: PopUpdateSystemIdleContext(x)+C2j
		push	3
		pop	ecx
		call	_PopPulseSystemIdleEvent@4 ; PopPulseSystemIdleEvent(x)

loc_9B63E9:				; CODE XREF: PopUpdateSystemIdleContext(x)+C7j
		cmp	edi, 3
		jnz	short loc_9B6404
		push	6
		pop	ecx
		call	PopIdleCancelAoAcDozeS4Timer
		cmp	byte_6C22F1, 0
		jz	short loc_9B6404
		call	_PopIdleArmAoAcDozeS4Timer@0 ; PopIdleArmAoAcDozeS4Timer()

loc_9B6404:				; CODE XREF: PopUpdateSystemIdleContext(x)+D4j
					; PopUpdateSystemIdleContext(x)+E5j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_10]
		push	esi
		mov	dword_6B3E68, eax
		mov	eax, [ebp+var_8]
		push	ebx
		mov	dword_6B3E6C, eax
		mov	eax, [ebp+var_C]
		mov	edx, eax
		mov	dword_6B3E78, ecx
		push	ecx
		mov	ecx, edi
		mov	_PopSystemIdleContext, ebx
		mov	dword_6B3D3C, esi
		mov	dword_6B3E70, edi
		mov	dword_6B3E74, eax
		call	_PopDiagTraceSystemIdleContextUpdate@20	; PopDiagTraceSystemIdleContextUpdate(x,x,x,x,x)
		cmp	dword_6C00E4, 0
		jz	short loc_9B6453
		and	dword_6C00E4, 0

loc_9B6453:				; CODE XREF: PopUpdateSystemIdleContext(x)+132j
		xor	edx, edx
		mov	ecx, offset _PopSystemIdleLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9B6469:				; CODE XREF: PopUpdateSystemIdleContext(x)+24j
		push	ebx
		push	ebx
		push	101h
		push	0Ah
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_PopUpdateSystemIdleContext@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopDispatchAcDcCallback(x)
_PopDispatchAcDcCallback@4 proc	near	; DATA XREF: .text:00403CB0o
		xor	eax, eax
		cmp	dword_6C2D0C, eax
		setz	al
		push	eax
		push	1
		push	_ExCbPowerState
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)
		mov	eax, large fs:124h
		cmp	dword ptr [eax+13Ch], 0
		jz	short locret_9B64AA
		push	20h
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

locret_9B64AA:				; CODE XREF: PopDispatchAcDcCallback(x)+26j
		retn	4
_PopDispatchAcDcCallback@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopDispatchShutdownEvent(x)
_PopDispatchShutdownEvent@4 proc near	; DATA XREF: .text:00403CC0o
		xor	edx, edx
		mov	eax, offset _PopShutdownEventCode
		xchg	edx, [eax]
		test	edx, edx
		jz	short loc_9B64C2
		xor	ecx, ecx
		inc	ecx
		call	PopEventCalloutDispatch

loc_9B64C2:				; CODE XREF: PopDispatchShutdownEvent(x)+Bj
		mov	eax, _PoPdcCallbacks
		test	eax, eax
		jz	short loc_9B64CD
		call	eax

loc_9B64CD:				; CODE XREF: PopDispatchShutdownEvent(x)+1Cj
		mov	eax, large fs:124h
		cmp	dword ptr [eax+13Ch], 0
		jz	short locret_9B64E1
		push	20h
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

locret_9B64E1:				; CODE XREF: PopDispatchShutdownEvent(x)+2Dj
		retn	4
_PopDispatchShutdownEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdateSingleProcessHeteroPolicies(x, x)
_PopUpdateSingleProcessHeteroPolicies@8	proc near
					; DATA XREF: PopInitializeHeteroProcessors(x)+230o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, offset _PopUpdateSingleThreadHeteroPolicies@12 ; PopUpdateSingleThreadHeteroPolicies(x,x,x)
		push	0
		call	PsEnumProcessThreads
		xor	eax, eax
		pop	ebp
		retn	8
_PopUpdateSingleProcessHeteroPolicies@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdateSingleThreadHeteroPolicies(x, x, x)
_PopUpdateSingleThreadHeteroPolicies@12	proc near
					; DATA XREF: PopUpdateSingleProcessHeteroPolicies(x,x)+8o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		mov	al, [ecx+62h]
		test	al, al
		js	short loc_9B651F
		and	al, 7Fh
		cmp	al, 8
		jnz	short loc_9B651F
		push	1
		push	1
		push	8
		pop	edx
		call	_KiSetHeteroPolicyThread@16 ; KiSetHeteroPolicyThread(x,x,x,x)

loc_9B651F:				; CODE XREF: PopUpdateSingleThreadHeteroPolicies(x,x,x)+Dj
					; PopUpdateSingleThreadHeteroPolicies(x,x,x)+13j
		xor	eax, eax
		pop	ebp
		retn	0Ch
_PopUpdateSingleThreadHeteroPolicies@12	endp


;  S U B	R O U T	I N E 


; __stdcall PpmHeteroComputeBias(x, x)
_PpmHeteroComputeBias@8	proc near	; CODE XREF: PopConfigureHeteroPolicies(x,x)+44Bp
					; PopConfigureHeteroPolicies(x,x)+481p
		test	cl, cl
		jnz	short loc_9B6534
		test	dl, dl
		jnz	short loc_9B6530
		xor	eax, eax
		retn
; 

loc_9B6530:				; CODE XREF: PpmHeteroComputeBias(x,x)+6j
		push	2
		pop	eax
		retn
; 

loc_9B6534:				; CODE XREF: PpmHeteroComputeBias(x,x)+2j
		xor	eax, eax
		test	dl, dl
		setz	al
		lea	eax, ds:1[eax*2]
		retn
_PpmHeteroComputeBias@8	endp


;  S U B	R O U T	I N E 


; __stdcall PopPolicyDeviceRemove(x)
_PopPolicyDeviceRemove@4 proc near	; CODE XREF: PopPolicyDeviceTargetChange(x,x)+4Ep
					; PopPolicyDeviceTargetChange(x,x)+6Bp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_9B6588
		cmp	[eax+4], esi
		jnz	short loc_9B6583
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_9B6583
		mov	[ecx], eax
		mov	[eax+4], ecx
		imul	eax, [esi+8], 14h
		and	dword ptr [esi], 0
		push	esi
		call	dword_6B2F18[eax]
		push	dword ptr [esi+1Ch]
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		mov	ecx, [esi+18h]
		mov	edx, 64506F50h
		pop	esi
		jmp	ObfDereferenceObjectWithTag
; 

loc_9B6583:				; CODE XREF: PopPolicyDeviceRemove(x)+Ej
					; PopPolicyDeviceRemove(x)+15j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9B6588:				; CODE XREF: PopPolicyDeviceRemove(x)+9j
		pop	esi
		retn
_PopPolicyDeviceRemove@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPolicyDeviceTargetChange(x, x)
_PopPolicyDeviceTargetChange@8 proc near ; DATA	XREF: PopConnectToPolicyDevice+A8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	bl, bl
		dec	word ptr [eax+13Ch]
		push	edi
		nop
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExAcquirePushLockExclusiveEx
		mov	edi, [ebp+arg_0]
		mov	eax, large fs:124h
		add	edi, 4
		push	10h		; size_t
		push	(offset	loc_4055E5+3) ;	void *
		push	edi		; void *
		mov	dword_6C2044, eax
		call	_memcmp
		mov	esi, [ebp+arg_4]
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9B65DF
		mov	ecx, esi
		call	_PopPolicyDeviceRemove@4 ; PopPolicyDeviceRemove(x)
		jmp	short loc_9B661D
; 

loc_9B65DF:				; CODE XREF: PopPolicyDeviceTargetChange(x,x)+4Aj
		push	10h		; size_t
		push	offset _GUID_TARGET_DEVICE_REMOVE_COMPLETE ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9B65FC
		mov	ecx, esi
		call	_PopPolicyDeviceRemove@4 ; PopPolicyDeviceRemove(x)
		jmp	short loc_9B661B
; 

loc_9B65FC:				; CODE XREF: PopPolicyDeviceTargetChange(x,x)+67j
		push	10h		; size_t
		push	offset _GUID_TARGET_DEVICE_REMOVE_CANCELLED ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9B661D
		mov	ecx, [esi+8]
		lea	edx, [esi+10h]
		call	PopConnectToPolicyDevice

loc_9B661B:				; CODE XREF: PopPolicyDeviceTargetChange(x,x)+70j
		mov	bl, 1

loc_9B661D:				; CODE XREF: PopPolicyDeviceTargetChange(x,x)+53j
					; PopPolicyDeviceTargetChange(x,x)+84j
		cmp	dword_6C2044, 0
		jz	short loc_9B662D
		and	dword_6C2044, 0

loc_9B662D:				; CODE XREF: PopPolicyDeviceTargetChange(x,x)+9Aj
		xor	edx, edx
		mov	ecx, offset _PopPolicyDeviceLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	bl, bl
		jz	short loc_9B665C
		mov	ecx, [esi+0Ch]
		mov	dl, 1
		call	PnpUnregisterPlugPlayNotification
		imul	eax, [esi+8], 14h
		push	dword_6B2F0C[eax]
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9B665C:				; CODE XREF: PopPolicyDeviceTargetChange(x,x)+B6j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	8
_PopPolicyDeviceTargetChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFanAdd(x)
_PopFanAdd@4	proc near		; DATA XREF: .data:006B2FC8o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		push	ebx
		push	ebx
		mov	eax, [edi+1Ch]
		mov	dword ptr [eax+18h], 0C000009Dh
		lea	eax, [edi+44h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	esi, [edi+2Ch]
		mov	dword ptr [esi+8], offset _PopFanWorker@4 ; PopFanWorker(x)
		mov	[esi+0Ch], edi
		mov	[esi], ebx
		mov	[edi+3Ch], ebx
		mov	[edi+40h], ebx
		call	_PopSqmFanEnumeration@0	; PopSqmFanEnumeration()
		push	1
		push	esi
		call	ExQueueWorkItem
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PopFanAdd@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFanEndCsFanPeriod()
_PopFanEndCsFanPeriod@0	proc near	; CODE XREF: PopFanUpdateCsState(x)+62p
					; PopFanUpdateRunningState(x)+78p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, dword_6C20CC
		mov	ecx, dword_6C20D4
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, dword_6C20C8
		mov	[ebp+var_8], esi
		push	edi
		cmp	eax, ecx
		ja	short loc_9B66EB
		jb	short loc_9B66DF
		cmp	esi, dword_6C20D0
		jnb	short loc_9B66EB

loc_9B66DF:				; CODE XREF: PopFanEndCsFanPeriod()+25j
		mov	esi, dword_6C20D0
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], ecx

loc_9B66EB:				; CODE XREF: PopFanEndCsFanPeriod()+23j
					; PopFanEndCsFanPeriod()+2Dj
		call	KeQueryInterruptTime
		sub	esi, dword_6C20D0
		mov	ebx, eax
		mov	ecx, [ebp+var_4]
		mov	edi, edx
		sbb	ecx, dword_6C20D4
		push	0
		push	(offset	loc_98967E+2)
		push	ecx
		push	esi
		call	__aulldiv
		sub	ebx, [ebp+var_8]
		mov	esi, eax
		push	0
		sbb	edi, [ebp+var_4]
		push	(offset	loc_98967E+2)
		push	edi
		push	ebx
		call	__aulldiv
		mov	edx, esi
		mov	ecx, eax
		call	_PopDiagTraceCsFanPerfTrack@8 ;	PopDiagTraceCsFanPerfTrack(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopFanEndCsFanPeriod@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFanRemove(x)
_PopFanRemove@4	proc near		; DATA XREF: .data:006B2FCCo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	dword ptr [esi+1Ch]
		mov	byte ptr [esi+54h], 1
		call	IoCancelIrp
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esi+44h]
		push	eax
		call	KeWaitForSingleObject
		pop	esi
		pop	ebp
		retn	4
_PopFanRemove@4	endp


;  S U B	R O U T	I N E 


; __stdcall PopFanUpdateCsState(x)
_PopFanUpdateCsState@4 proc near	; CODE XREF: PopConnectedStandbySettingCallback+9FED3p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	bl, cl
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopFanLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C204C, eax
		test	bl, bl
		jnz	short loc_9B67AE
		cmp	byte_6C20C5, bl
		jnz	short loc_9B67DA
		mov	byte_6C20C5, 1
		call	KeQueryInterruptTime
		mov	dword_6C20D0, eax
		mov	dword_6C20D4, edx
		jmp	short loc_9B67DA
; 

loc_9B67AE:				; CODE XREF: PopFanUpdateCsState(x)+2Dj
		cmp	byte_6C20C5, 0
		jz	short loc_9B67DA
		cmp	byte_6C20C4, 0
		jz	short loc_9B67C5
		call	_PopFanEndCsFanPeriod@0	; PopFanEndCsFanPeriod()

loc_9B67C5:				; CODE XREF: PopFanUpdateCsState(x)+60j
		and	dword_6C20D0, 0
		and	dword_6C20D4, 0
		mov	byte_6C20C5, 0

loc_9B67DA:				; CODE XREF: PopFanUpdateCsState(x)+35j
					; PopFanUpdateCsState(x)+4Ej ...
		cmp	dword_6C204C, 0
		jz	short loc_9B67EA
		and	dword_6C204C, 0

loc_9B67EA:				; CODE XREF: PopFanUpdateCsState(x)+83j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopFanUpdateCsState@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopFanUpdateRunningState(x)
_PopFanUpdateRunningState@4 proc near	; CODE XREF: PopFanWorker(x)+D0p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	bl, cl
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopFanLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C204C, eax
		test	bl, bl
		jnz	short loc_9B6831
		dec	_PopFanTracking
		jmp	short loc_9B6837
; 

loc_9B6831:				; CODE XREF: PopFanUpdateRunningState(x)+2Dj
		inc	_PopFanTracking

loc_9B6837:				; CODE XREF: PopFanUpdateRunningState(x)+35j
		xor	ebx, ebx
		cmp	_PopFanTracking, ebx
		jz	short loc_9B6862
		cmp	byte_6C20C4, bl
		jnz	short loc_9B6889
		mov	byte_6C20C4, 1
		call	KeQueryInterruptTime
		mov	dword_6C20C8, eax
		mov	dword_6C20CC, edx
		jmp	short loc_9B6889
; 

loc_9B6862:				; CODE XREF: PopFanUpdateRunningState(x)+45j
		cmp	byte_6C20C4, bl
		jz	short loc_9B6889
		cmp	byte_6C20C5, bl
		jz	short loc_9B6877
		call	_PopFanEndCsFanPeriod@0	; PopFanEndCsFanPeriod()

loc_9B6877:				; CODE XREF: PopFanUpdateRunningState(x)+76j
		mov	byte_6C20C4, bl
		mov	dword_6C20C8, ebx
		mov	dword_6C20CC, ebx

loc_9B6889:				; CODE XREF: PopFanUpdateRunningState(x)+4Dj
					; PopFanUpdateRunningState(x)+66j ...
		cmp	dword_6C204C, ebx
		jz	short loc_9B6897
		mov	dword_6C204C, ebx

loc_9B6897:				; CODE XREF: PopFanUpdateRunningState(x)+95j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopFanUpdateRunningState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopFanWorker(x)
_PopFanWorker@4	proc near		; DATA XREF: PopFanAdd(x)+25o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	bl, bl
		xor	bh, bh
		push	edi
		mov	eax, [esi+1Ch]
		mov	[ebp+arg_0], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+3Ch]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+40h], eax
		cmp	[esi+54h], bh
		jz	short loc_9B6906

loc_9B68E9:				; CODE XREF: PopFanWorker(x)+93j
		cmp	byte ptr [esi+28h], 0
		jz	short loc_9B68F5
		mov	bh, 1
		mov	byte ptr [esi+28h], 0

loc_9B68F5:				; CODE XREF: PopFanWorker(x)+46j
		push	0
		push	0
		lea	eax, [esi+44h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	bl, bl
		jmp	short loc_9B6971
; 

loc_9B6906:				; CODE XREF: PopFanWorker(x)+40j
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+18h]
		test	eax, eax
		js	short loc_9B692E
		cmp	byte ptr [esi+28h], 0
		mov	al, [esi+24h]
		mov	cl, al
		jnz	short loc_9B6921
		test	al, al
		jnz	short loc_9B6925
		jmp	short loc_9B693C
; 

loc_9B6921:				; CODE XREF: PopFanWorker(x)+72j
		test	al, al
		jnz	short loc_9B693C

loc_9B6925:				; CODE XREF: PopFanWorker(x)+76j
		mov	bh, 1
		mov	[esi+28h], cl
		mov	bl, cl
		jmp	short loc_9B693C
; 

loc_9B692E:				; CODE XREF: PopFanWorker(x)+67j
		cmp	eax, 0C000009Dh
		jz	short loc_9B693C
		cmp	eax, 0C0000120h
		jnz	short loc_9B68E9

loc_9B693C:				; CODE XREF: PopFanWorker(x)+78j
					; PopFanWorker(x)+7Cj ...
		mov	ecx, [esi+1Ch]
		lea	eax, [esi+20h]
		push	8
		push	8
		push	eax
		push	1
		mov	edx, 294240h
		call	_PopPrepareIoctl@24 ; PopPrepareIoctl(x,x,x,x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		mov	eax, [ecx+60h]
		mov	ecx, [ebp+var_4]
		mov	dword ptr [eax-8], offset _PopFanIrpComplete@12	; PopFanIrpComplete(x,x,x)
		mov	[eax-4], esi
		mov	byte ptr [eax-21h], 0E0h
		call	IofCallDriver

loc_9B6971:				; CODE XREF: PopFanWorker(x)+5Dj
		test	bh, bh
		jz	short loc_9B697C
		mov	cl, bl
		call	_PopFanUpdateRunningState@4 ; PopFanUpdateRunningState(x)

loc_9B697C:				; CODE XREF: PopFanWorker(x)+CCj
		cmp	dword ptr [esi+40h], 0
		jz	short loc_9B6986
		and	dword ptr [esi+40h], 0

loc_9B6986:				; CODE XREF: PopFanWorker(x)+D9j
		xor	edx, edx
		lea	ecx, [esi+3Ch]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopFanWorker@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PpmWmiGetAllData(int,void *,int,int,int,char)
_PpmWmiGetAllData@24 proc near		; CODE XREF: PpmWmiDispatch+893E2p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, ecx
		mov	eax, edx
		mov	[ebp+var_10], ebx
		push	10h		; size_t
		push	eax		; void *
		lea	ecx, [ebx-3D70h]
		mov	[ebp+var_4], eax
		push	offset _PPM_IDLESTATES_DATA_GUID ; void	*
		mov	[ebp+var_14], ecx
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9B69F1
		mov	eax, large fs:124h
		mov	byte ptr [ebp+arg_4+3],	1
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExAcquirePushLockSharedEx
		jmp	short loc_9B69F5
; 

loc_9B69F1:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+33j
		mov	byte ptr [ebp+arg_4+3],	0

loc_9B69F5:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+53j
		mov	esi, [ebx+130h]
		push	10h		; size_t
		push	[ebp+var_4]	; void *
		mov	[ebp+var_8], esi
		push	offset _PPM_PERFSTATES_DATA_GUID ; void	*
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9B6A1C
		test	esi, esi
		jz	short loc_9B6A1C
		push	50h
		jmp	short loc_9B6A67
; 

loc_9B6A1C:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+76j
					; PpmWmiGetAllData(x,x,x,x,x,x)+7Aj
		push	10h		; size_t
		push	[ebp+var_4]	; void *
		push	offset _PPM_IDLESTATES_DATA_GUID ; void	*
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9B6A43
		mov	ebx, [ebx]
		test	ebx, ebx
		jz	short loc_9B6A43
		mov	ebx, [ebx+20h]
		shl	ebx, 5
		add	ebx, 38h
		jmp	short loc_9B6A68
; 

loc_9B6A43:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+94j
					; PpmWmiGetAllData(x,x,x,x,x,x)+9Aj
		push	10h		; size_t
		push	[ebp+var_4]	; void *
		push	offset _PPM_PERFMON_PERFSTATE_GUID ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9B6C4E
		test	esi, esi
		jz	loc_9B6C4E
		push	0Ch

loc_9B6A67:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+7Ej
		pop	ebx

loc_9B6A68:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+A5j
		mov	dl, [ebp+arg_C]
		xor	ecx, ecx
		test	dl, dl
		setnz	cl
		lea	ecx, ds:40h[ecx*8]
		lea	eax, [ecx+ebx]
		mov	[ebp+var_C], ecx
		mov	dword ptr [ebp+arg_C], eax
		cmp	[ebp+arg_0], eax
		jnb	short loc_9B6AAF
		cmp	[ebp+arg_0], 38h
		jb	short loc_9B6AA2
		push	38h
		mov	[edi+30h], eax
		pop	eax
		mov	dword ptr [edi+2Ch], 20h
		mov	dword ptr [ebp+arg_C], eax
		jmp	loc_9B6C47
; 

loc_9B6AA2:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+EFj
		mov	esi, 0C0000023h

loc_9B6AA7:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+2ADj
		mov	edi, dword ptr [ebp+arg_C]
		jmp	loc_9B6C55
; 

loc_9B6AAF:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+E9j
		mov	[edi], eax
		lea	esi, [edi+ecx]
		test	dl, dl
		jz	short loc_9B6AD4
		lea	eax, [edi+10h]
		push	eax
		call	KeQuerySystemTime
		mov	eax, [ebp+var_C]
		or	dword ptr [edi+2Ch], 10h
		mov	dword ptr [edi+34h], 1
		mov	[edi+30h], eax
		jmp	short loc_9B6AD7
; 

loc_9B6AD4:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+11Aj
		mov	[edi+38h], ecx

loc_9B6AD7:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+136j
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		mov	[edi+3Ch], ebx
		call	_memset
		mov	edi, [ebp+var_4]
		push	10h		; size_t
		push	edi		; void *
		push	offset _PPM_PERFSTATES_DATA_GUID ; void	*
		call	_memcmp
		mov	ebx, [ebp+var_8]
		add	esp, 18h
		test	eax, eax
		jnz	short loc_9B6B4E
		test	ebx, ebx
		jz	short loc_9B6B4E
		xor	ecx, ecx
		mov	[esi], ecx
		mov	eax, [ebx+54h]
		mov	[esi+4], eax
		mov	[esi+8], ecx
		mov	[esi+0Ch], ecx
		mov	[esi+10h], ecx
		mov	[esi+14h], ecx
		mov	byte ptr [esi+1Ch], 64h
		mov	al, [ebx+79h]
		mov	[esi+1Dh], al
		mov	ecx, _PpmCurrentProfile
		imul	eax, dword_6C2D0C, 0F0h
		mov	eax, [eax+ecx+34h]
		mov	[esi+20h], eax
		mov	eax, [ebx+14h]
		and	dword ptr [esi+2Ch], 0
		mov	[esi+28h], eax
		mov	dword ptr [esi+40h], 1
		jmp	loc_9B6C47
; 

loc_9B6B4E:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+15Fj
					; PpmWmiGetAllData(x,x,x,x,x,x)+163j
		push	10h		; size_t
		push	edi		; void *
		push	offset _PPM_IDLESTATES_DATA_GUID ; void	*
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9B6C1A
		mov	ecx, [ebp+var_10]
		mov	eax, [ecx]
		test	eax, eax
		jz	loc_9B6C1A
		mov	eax, [eax+20h]
		mov	[esi+4], eax
		mov	eax, [ecx]
		mov	eax, [eax+10h]
		mov	[esi+8], eax
		mov	eax, [ecx]
		mov	eax, [eax+18h]
		mov	[esi+0Ch], eax
		mov	eax, [ecx-39A8h]
		and	dword ptr [esi+14h], 0
		mov	[esi+10h], eax
		mov	edi, [ecx]
		mov	eax, [edi+20h]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_9B6C47
		xor	ebx, ebx
		add	esi, 20h

loc_9B6BAB:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+27Aj
		mov	eax, [ecx]
		lea	ebx, [ebx+44h]
		xor	edx, edx
		mov	[ebp+var_10], 0Ah
		mov	eax, [ebx+eax+0DCh]
		div	[ebp+var_10]
		mov	[esi-8], eax
		mov	eax, [ecx]
		mov	eax, [ebx+eax+0E4h]
		mov	[esi-4], eax
		mov	eax, [edi+0B4h]
		mov	[esi], eax
		lea	esi, [esi+20h]
		mov	al, [edi+0B8h]
		mov	[esi-1Ch], al
		mov	al, [edi+0B9h]
		mov	[esi-1Bh], al
		mov	eax, [ecx]
		mov	al, [ebx+eax+104h]
		mov	[esi-1Ah], al
		mov	eax, [ecx]
		mov	eax, [ebx+eax+0E8h]
		and	dword ptr [esi-14h], 0
		sub	[ebp+arg_0], 1
		mov	[esi-18h], eax
		mov	dword ptr [esi-10h], 1
		jnz	short loc_9B6BAB
		jmp	short loc_9B6C47
; 

loc_9B6C1A:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+1C4j
					; PpmWmiGetAllData(x,x,x,x,x,x)+1D1j
		push	10h		; size_t
		push	edi		; void *
		push	offset _PPM_PERFMON_PERFSTATE_GUID ; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9B6C47
		test	ebx, ebx
		jz	short loc_9B6C47
		mov	ecx, [ebp+var_14]
		mov	edx, esi
		push	eax
		lea	eax, [esi+4]
		push	eax
		lea	eax, [esi+8]
		push	eax
		push	0
		call	PpmPerfGetCurrentState

loc_9B6C47:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+101j
					; PpmWmiGetAllData(x,x,x,x,x,x)+1ADj ...
		xor	esi, esi
		jmp	loc_9B6AA7
; 

loc_9B6C4E:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+BBj
					; PpmWmiGetAllData(x,x,x,x,x,x)+C3j
		mov	esi, 0C0000010h
		xor	edi, edi

loc_9B6C55:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+10Ej
		cmp	byte ptr [ebp+arg_4+3],	0
		jz	short loc_9B6C7C
		cmp	dword_6C2ADC, 0
		jz	short loc_9B6C6B
		and	dword_6C2ADC, 0

loc_9B6C6B:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+2C6j
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9B6C7C:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+2BDj
		test	esi, esi
		jns	short loc_9B6C82
		xor	edi, edi

loc_9B6C82:				; CODE XREF: PpmWmiGetAllData(x,x,x,x,x,x)+2E2j
		mov	ecx, [ebp+arg_8]
		mov	eax, esi
		mov	[ecx], edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PpmWmiGetAllData@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmWmiIdleAccountingWork(x)
_PpmWmiIdleAccountingWork@4 proc near	; DATA XREF: PpmWmiIdleAccountingProcedure(x,x,x,x)+1Bo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	656C6469h
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	0
		mov	edx, offset _PpmWmiFireIdleAccountingEvent@12 ;	PpmWmiFireIdleAccountingEvent(x,x,x)
		mov	ecx, offset _KeActiveProcessors
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)
		pop	ebp
		retn	4
_PpmWmiIdleAccountingWork@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNetArmDsEvaluationTimer()
_PopNetArmDsEvaluationTimer@0 proc near	; CODE XREF: PopNetResiliencyStateChanged(x)+25p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		xor	esi, esi
		call	KeQueryInterruptTime
		mov	ecx, dword_6D44C8
		mov	ebx, eax
		mov	eax, dword_6D44CC
		mov	[ebp+var_4], eax
		mov	eax, ds:_PopStandbyConnectivityGracePeriod
		mov	[ebp+var_C], edx
		mov	edx, 989680h
		mul	edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], eax
		mov	eax, ecx
		add	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		adc	ecx, edx
		mov	[ebp+var_14], edx
		mov	edx, [ebp+var_C]
		cmp	edx, ecx
		ja	short loc_9B6D1C
		jb	short loc_9B6D0C
		cmp	ebx, eax
		jnb	short loc_9B6D1C

loc_9B6D0C:				; CODE XREF: PopNetArmDsEvaluationTimer()+4Dj
		mov	edi, [ebp+var_10]
		mov	esi, [ebp+var_4]
		sub	edi, ebx
		sbb	esi, edx
		add	edi, [ebp+var_8]
		adc	esi, [ebp+var_14]

loc_9B6D1C:				; CODE XREF: PopNetArmDsEvaluationTimer()+4Bj
					; PopNetArmDsEvaluationTimer()+51j
		xor	eax, eax
		neg	edi
		push	eax
		push	eax
		push	eax
		adc	esi, eax
		neg	esi
		push	esi
		push	edi
		push	offset _PopNetEvaluationTimer
		call	KeSetTimer2
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopNetArmDsEvaluationTimer@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNetArmRefreshTimer(x, x,	x)
_PopNetArmRefreshTimer@12 proc near	; CODE XREF: PopNetRefreshTimerWorkerCallback(x)+44p
					; PopNetRefreshTimerWorkerCallback(x)+5Fp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	al, cl
		push	esi
		xor	esi, esi
		mov	[ebp+var_1], al
		test	al, al
		mov	[ebp+var_C], esi
		mov	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	edi
		mov	[ebp+var_8], esi
		jnz	short loc_9B6D62
		neg	ecx
		adc	eax, esi
		neg	eax

loc_9B6D62:				; CODE XREF: PopNetArmRefreshTimer(x,x,x)+22j
		push	esi
		push	esi
		push	esi
		push	eax
		push	ecx
		push	offset _PopNetRefreshTimer
		call	KeSetTimer2
		cmp	[ebp+var_1], 0
		mov	edi, esi
		jz	short loc_9B6D9D
		lea	eax, [ebp+var_C]
		push	eax
		call	KeQuerySystemTime
		mov	eax, [ebp+arg_4]
		cmp	[ebp+var_8], eax
		jg	short loc_9B6DA2
		jl	short loc_9B6D91
		cmp	[ebp+var_C], ebx
		jnb	short loc_9B6DA2

loc_9B6D91:				; CODE XREF: PopNetArmRefreshTimer(x,x,x)+52j
		mov	esi, ebx
		mov	edi, eax
		sub	esi, [ebp+var_C]
		sbb	edi, [ebp+var_8]
		jmp	short loc_9B6DA2
; 

loc_9B6D9D:				; CODE XREF: PopNetArmRefreshTimer(x,x,x)+3Fj
		mov	edi, [ebp+arg_4]
		mov	esi, ebx

loc_9B6DA2:				; CODE XREF: PopNetArmRefreshTimer(x,x,x)+50j
					; PopNetArmRefreshTimer(x,x,x)+57j ...
		push	edi
		push	esi
		call	_PopTraceNetRefreshTimerArmed@8	; PopTraceNetRefreshTimerArmed(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PopNetArmRefreshTimer@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopNetClearConnectivityConstraint(x)
_PopNetClearConnectivityConstraint@4 proc near
					; CODE XREF: PopPowerAggregatorDisengageModernStandby(x)+B0p
					; PopPowerAggregatorDisengageModernStandby(x)+B8p ...
		mov	eax, _PopNetStandbyStateMask
		xor	dl, dl
		btr	eax, ecx
		mov	_PopNetStandbyStateMask, eax
		cmp	ecx, 3
		jz	short loc_9B6DC9
		cmp	ecx, 6
		jnz	short loc_9B6DCB

loc_9B6DC9:				; CODE XREF: PopNetClearConnectivityConstraint(x)+12j
		mov	dl, 1

loc_9B6DCB:				; CODE XREF: PopNetClearConnectivityConstraint(x)+17j
		xor	eax, eax
		mov	ecx, offset _PopNetGracePeriodState
		lock xadd [ecx], eax
		cmp	eax, 2
		jnz	short loc_9B6DDD
		mov	dl, 1

loc_9B6DDD:				; CODE XREF: PopNetClearConnectivityConstraint(x)+29j
		test	dl, dl
		jz	short locret_9B6DEE
		xor	edx, edx
		mov	ecx, offset unk_6BFEF8
		inc	edx
		jmp	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)
; 

locret_9B6DEE:				; CODE XREF: PopNetClearConnectivityConstraint(x)+2Fj
		retn
_PopNetClearConnectivityConstraint@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopNetCompliantNicUpdate(x)
_PopNetCompliantNicUpdate@4 proc near	; CODE XREF: PopPdcCsDeviceNotification(x)+13Dp
		mov	eax, _PopNetCompliantNicCount
		test	cl, cl
		jnz	short loc_9B6E0E
		test	eax, eax
		jz	short locret_9B6E21
		sub	eax, 1
		mov	_PopNetCompliantNicCount, eax
		jnz	short locret_9B6E21
		push	6
		pop	ecx
		jmp	PopNetSetConnectivityConstraint
; 

loc_9B6E0E:				; CODE XREF: PopNetCompliantNicUpdate(x)+7j
		inc	eax
		mov	_PopNetCompliantNicCount, eax
		cmp	eax, 1
		jnz	short locret_9B6E21
		push	6
		pop	ecx
		jmp	_PopNetClearConnectivityConstraint@4 ; PopNetClearConnectivityConstraint(x)
; 

locret_9B6E21:				; CODE XREF: PopNetCompliantNicUpdate(x)+Bj
					; PopNetCompliantNicUpdate(x)+15j ...
		retn
_PopNetCompliantNicUpdate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNetDisengageNetworkRefresh()
_PopNetDisengageNetworkRefresh@0 proc near
					; CODE XREF: PopNetRefreshTimerWorkerCallback(x)+4Cp
					; PopNetWnfLowPowerEpochCallback(x,x,x,x,x,x)+B2p

var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		lea	eax, [ebp-1]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	1
		push	eax
		push	offset _WNF_PO_OPPORTUNISTIC_CS
		mov	[ebp+var_1], bl
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		xor	cl, cl
		call	_PopNetSetResiliencyPhaseBias@4	; PopNetSetResiliencyPhaseBias(x)
		mov	_PopNetRefreshIntervalActive, bl
		pop	ebx
		leave
		retn
_PopNetDisengageNetworkRefresh@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNetEngageNetworkRefresh()
_PopNetEngageNetworkRefresh@0 proc near	; CODE XREF: PopNetRefreshTimerWorkerCallback(x)+31p

var_2		= byte ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	cl, 1
		call	_PopNetSetResiliencyPhaseBias@4	; PopNetSetResiliencyPhaseBias(x)
		xor	eax, eax
		mov	byte ptr [ebp-1], 1
		push	eax
		push	eax
		push	eax
		push	eax
		push	1
		lea	eax, [ebp-1]
		push	eax
		push	offset _WNF_PO_OPPORTUNISTIC_CS
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	_PopNetRefreshIntervalActive, 1
		leave
		retn
_PopNetEngageNetworkRefresh@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNetGetNextDueRefreshTime()
_PopNetGetNextDueRefreshTime@0 proc near
					; CODE XREF: PopNetRefreshTimerWorkerCallback(x)+51p
					; PopNetWnfLowPowerEpochCallback(x,x,x,x,x,x)+60p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [ebp+var_8]
		push	edi
		push	eax
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	KeQuerySystemTime
		mov	ecx, dword_6C22C8
		mov	edi, 47868C00h
		mov	edx, dword_6C22CC
		mov	eax, ecx
		or	eax, edx
		jz	short loc_9B6EE2
		cmp	[ebp+var_4], edx
		jg	short loc_9B6EE2
		jl	short loc_9B6EC7
		cmp	[ebp+var_8], ecx
		jnb	short loc_9B6EE2

loc_9B6EC7:				; CODE XREF: PopNetGetNextDueRefreshTime()+3Ej
		mov	esi, ecx
		mov	eax, edx
		sub	esi, [ebp+var_8]
		sbb	eax, [ebp+var_4]
		mov	[ebp+var_14], eax
		js	short loc_9B6EE2
		jg	short loc_9B6EDC
		cmp	esi, edi
		jb	short loc_9B6EE2

loc_9B6EDC:				; CODE XREF: PopNetGetNextDueRefreshTime()+54j
		sub	ecx, edi
		sbb	edx, ebx
		jmp	short loc_9B6F51
; 

loc_9B6EE2:				; CODE XREF: PopNetGetNextDueRefreshTime()+37j
					; PopNetGetNextDueRefreshTime()+3Cj ...
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_ExSystemTimeToLocalTime@8 ; ExSystemTimeToLocalTime(x,x)
		mov	esi, [ebp+var_10]
		mov	eax, 30E23400h
		mov	edi, [ebp+var_C]
		add	esi, eax
		push	4
		push	eax
		adc	edi, 4
		push	edi
		push	esi
		call	__allrem
		sub	esi, eax
		mov	ecx, esi
		sbb	edi, edx
		sub	ecx, [ebp+var_10]
		mov	eax, edi
		sbb	eax, [ebp+var_C]
		cmp	eax, ebx
		ja	short loc_9B6F2F
		jb	short loc_9B6F25
		cmp	ecx, 47868C00h
		jnb	short loc_9B6F2F

loc_9B6F25:				; CODE XREF: PopNetGetNextDueRefreshTime()+99j
		push	3
		mov	eax, 0E95BA800h
		pop	ecx
		jmp	short loc_9B6F37
; 

loc_9B6F2F:				; CODE XREF: PopNetGetNextDueRefreshTime()+97j
					; PopNetGetNextDueRefreshTime()+A1j
		mov	eax, 0B8797400h
		or	ecx, 0FFFFFFFFh

loc_9B6F37:				; CODE XREF: PopNetGetNextDueRefreshTime()+ABj
		add	esi, eax
		lea	eax, [ebp+var_10]
		push	eax
		adc	edi, ecx
		mov	[ebp+var_10], esi
		push	eax
		mov	[ebp+var_C], edi
		call	_ExLocalTimeToSystemTime@8 ; ExLocalTimeToSystemTime(x,x)
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_10]

loc_9B6F51:				; CODE XREF: PopNetGetNextDueRefreshTime()+5Ej
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn
_PopNetGetNextDueRefreshTime@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopNetIsCompliantNicPresent()
_PopNetIsCompliantNicPresent@0 proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+2A7p
		cmp	_PopNetCompliantNicCount, 0
		setnz	al
		retn
_PopNetIsCompliantNicPresent@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopNetIsDisconnectStandbyActive(x)
_PopNetIsDisconnectStandbyActive@4 proc	near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+21Cp
					; PopS0LowPowerIdleInfo(x)+30p	...
		push	2
		pop	edx
		test	ecx, ecx
		jz	short loc_9B6FB4
		mov	eax, _PopNetStandbyReason
		sub	eax, 0
		jz	short loc_9B6FB1
		sub	eax, 1
		jz	short loc_9B6FAD
		sub	eax, 1
		jz	short loc_9B6FA5
		sub	eax, 1
		jz	short loc_9B6F9D
		sub	eax, 3
		jz	short loc_9B6F95
		sub	eax, 1
		jnz	short loc_9B6FB4
		mov	dword ptr [ecx], 5
		jmp	short loc_9B6FB4
; 

loc_9B6F95:				; CODE XREF: PopNetIsDisconnectStandbyActive(x)+23j
		mov	dword ptr [ecx], 1
		jmp	short loc_9B6FB4
; 

loc_9B6F9D:				; CODE XREF: PopNetIsDisconnectStandbyActive(x)+1Ej
		mov	dword ptr [ecx], 4
		jmp	short loc_9B6FB4
; 

loc_9B6FA5:				; CODE XREF: PopNetIsDisconnectStandbyActive(x)+19j
		mov	dword ptr [ecx], 3
		jmp	short loc_9B6FB4
; 

loc_9B6FAD:				; CODE XREF: PopNetIsDisconnectStandbyActive(x)+14j
		mov	[ecx], edx
		jmp	short loc_9B6FB4
; 

loc_9B6FB1:				; CODE XREF: PopNetIsDisconnectStandbyActive(x)+Fj
		and	dword ptr [ecx], 0

loc_9B6FB4:				; CODE XREF: PopNetIsDisconnectStandbyActive(x)+5j
					; PopNetIsDisconnectStandbyActive(x)+28j ...
		cmp	_PopNetStandbyState, edx
		setz	al
		retn
_PopNetIsDisconnectStandbyActive@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopNetIsNetworkRefreshEnabled()
_PopNetIsNetworkRefreshEnabled@0 proc near
					; CODE XREF: PopNetRefreshTimerWorkerCallback(x)+Ep
					; PopNetWnfLowPowerEpochCallback(x,x,x,x,x,x)+57p
		mov	eax, _PopNetStandbyStateMask
		test	al, 4Eh
		jz	short loc_9B6FCA

loc_9B6FC7:				; CODE XREF: PopNetIsNetworkRefreshEnabled()+Ej
		xor	al, al
		retn
; 

loc_9B6FCA:				; CODE XREF: PopNetIsNetworkRefreshEnabled()+7j
		test	al, al
		jns	short loc_9B6FC7
		cmp	ds:_PopEnableDsNetRefresh, 0
		setnz	al
		retn
_PopNetIsNetworkRefreshEnabled@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopNetNonCompliantDeviceUpdate(x, x)
_PopNetNonCompliantDeviceUpdate@8 proc near ; CODE XREF: PopPdcCsDeviceNotification(x)+12Ep
		test	edx, edx
		jnz	short loc_9B6FE5
		cmp	_PopIgnoreCsComplianceCheck, edx
		jnz	short locret_9B7017

loc_9B6FE5:				; CODE XREF: PopNetNonCompliantDeviceUpdate(x,x)+2j
		mov	eax, _PopNetNonCompliantDeviceCount
		test	cl, cl
		jnz	short loc_9B7004
		test	eax, eax
		jz	short locret_9B7017
		sub	eax, 1
		mov	_PopNetNonCompliantDeviceCount,	eax
		jnz	short locret_9B7017
		push	3
		pop	ecx
		jmp	_PopNetClearConnectivityConstraint@4 ; PopNetClearConnectivityConstraint(x)
; 

loc_9B7004:				; CODE XREF: PopNetNonCompliantDeviceUpdate(x,x)+13j
		inc	eax
		mov	_PopNetNonCompliantDeviceCount,	eax
		cmp	eax, 1
		jnz	short locret_9B7017
		push	3
		pop	ecx
		jmp	PopNetSetConnectivityConstraint
; 

locret_9B7017:				; CODE XREF: PopNetNonCompliantDeviceUpdate(x,x)+Aj
					; PopNetNonCompliantDeviceUpdate(x,x)+17j ...
		retn
_PopNetNonCompliantDeviceUpdate@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopNetRefreshTimerWorkerCallback(x)
_PopNetRefreshTimerWorkerCallback@4 proc near ;	DATA XREF: PopNetInitialize+112o
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	_PopNetInLpePhase, 0
		jz	short loc_9B707E
		call	_PopNetIsNetworkRefreshEnabled@0 ; PopNetIsNetworkRefreshEnabled()
		test	al, al
		jz	short loc_9B707E
		push	edi
		xor	eax, eax
		mov	edi, offset _PopNetRefreshTimerState
		lock xadd [edi], eax
		cmp	eax, 2
		jnz	short loc_9B707D
		cmp	_PopNetRefreshIntervalActive, 0
		jnz	short loc_9B7063
		call	_PopNetEngageNetworkRefresh@0 ;	PopNetEngageNetworkRefresh()
		xor	eax, eax
		inc	eax
		xchg	eax, [edi]
		push	0
		push	11E1A300h
		xor	cl, cl
		call	_PopNetArmRefreshTimer@12 ; PopNetArmRefreshTimer(x,x,x)
		jmp	short loc_9B707D
; 

loc_9B7063:				; CODE XREF: PopNetRefreshTimerWorkerCallback(x)+2Fj
		push	esi
		call	_PopNetDisengageNetworkRefresh@0 ; PopNetDisengageNetworkRefresh()
		call	_PopNetGetNextDueRefreshTime@0 ; PopNetGetNextDueRefreshTime()
		xor	esi, esi
		inc	esi
		xchg	esi, [edi]
		push	edx
		push	eax
		mov	cl, 1
		call	_PopNetArmRefreshTimer@12 ; PopNetArmRefreshTimer(x,x,x)
		pop	esi

loc_9B707D:				; CODE XREF: PopNetRefreshTimerWorkerCallback(x)+26j
					; PopNetRefreshTimerWorkerCallback(x)+49j
		pop	edi

loc_9B707E:				; CODE XREF: PopNetRefreshTimerWorkerCallback(x)+Cj
					; PopNetRefreshTimerWorkerCallback(x)+15j
		mov	ecx, offset unk_6BFF98
		call	_PopOkayToQueueNextWorkItem@4 ;	PopOkayToQueueNextWorkItem(x)
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		retn	4
_PopNetRefreshTimerWorkerCallback@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopNetResiliencyStateChanged(x)
_PopNetResiliencyStateChanged@4	proc near ; CODE XREF: PdcPoNetworkResiliency(x)+8p
		mov	edi, edi
		push	ebx
		mov	bl, cl
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	cl, bl
		call	_PopNetUpdateDsAccounting@4 ; PopNetUpdateDsAccounting(x)
		test	bl, bl
		pop	ebx
		jz	short loc_9B70BC
		xor	eax, eax
		mov	ecx, offset _PopNetGracePeriodState
		inc	eax
		mov	_PopNetResiliencyEngaged, al
		xchg	eax, [ecx]
		call	_PopNetArmDsEvaluationTimer@0 ;	PopNetArmDsEvaluationTimer()
		jmp	short loc_9B70E5
; 

loc_9B70BC:				; CODE XREF: PopNetResiliencyStateChanged(x)+14j
		push	0
		push	offset _PopNetEvaluationTimer
		mov	_PopNetResiliencyEngaged, 0
		call	KeCancelTimer2
		xor	eax, eax
		mov	ecx, offset _PopNetGracePeriodState
		xchg	eax, [ecx]
		xor	edx, edx
		mov	ecx, offset unk_6BFEF8
		inc	edx
		call	_PopQueueWorkItem@8 ; PopQueueWorkItem(x,x)

loc_9B70E5:				; CODE XREF: PopNetResiliencyStateChanged(x)+2Aj
		jmp	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
_PopNetResiliencyStateChanged@4	endp


;  S U B	R O U T	I N E 


; __stdcall PopNetSetResiliencyPhaseBias(x)
_PopNetSetResiliencyPhaseBias@4	proc near ; CODE XREF: PopNetEvaluationWorkerCallback+124p
					; PopNetEvaluationWorkerCallback+7EE0Ap ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	eax, dword_6D6FD0
		test	eax, eax
		jz	short loc_9B7100
		push	esi
		call	eax

loc_9B7100:				; CODE XREF: PopNetSetResiliencyPhaseBias(x)+11j
		pop	esi
		jmp	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
_PopNetSetResiliencyPhaseBias@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNetUpdateStandbyRequest(x)
_PopNetUpdateStandbyRequest@4 proc near	; CODE XREF: PopPowerInformationInternal+1712AAp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _PopNetBIServiceSid
		mov	[ebp+var_1], 0
		push	ebx
		mov	bl, cl
		push	esi
		test	eax, eax
		jnz	short loc_9B7125
		mov	esi, 0C0000001h
		jmp	short loc_9B7161
; 

loc_9B7125:				; CODE XREF: PopNetUpdateStandbyRequest(x)+16j
		lea	ecx, [ebp-1]
		push	ecx
		push	eax
		push	0
		call	_RtlCheckTokenMembership@12 ; RtlCheckTokenMembership(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9B7161
		cmp	[ebp+var_1], 0
		jnz	short loc_9B7144
		mov	esi, 0C0000022h
		jmp	short loc_9B7161
; 

loc_9B7144:				; CODE XREF: PopNetUpdateStandbyRequest(x)+35j
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	_PopNetBIRequestActive,	0
		jnz	short loc_9B7167
		test	bl, bl
		jz	short loc_9B716B

loc_9B7156:				; CODE XREF: PopNetUpdateStandbyRequest(x)+63j
		mov	_PopNetBIRequestActive,	bl

loc_9B715C:				; CODE XREF: PopNetUpdateStandbyRequest(x)+6Aj
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_9B7161:				; CODE XREF: PopNetUpdateStandbyRequest(x)+1Dj
					; PopNetUpdateStandbyRequest(x)+2Fj ...
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9B7167:				; CODE XREF: PopNetUpdateStandbyRequest(x)+4Aj
		test	bl, bl
		jz	short loc_9B7156

loc_9B716B:				; CODE XREF: PopNetUpdateStandbyRequest(x)+4Ej
		mov	esi, 0C000000Dh
		jmp	short loc_9B715C
_PopNetUpdateStandbyRequest@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopNetWnfLowPowerEpochCallback(x, x, x, x, x, x)
_PopNetWnfLowPowerEpochCallback@24 proc	near ; DATA XREF: PopNetInitialize+22EF2o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_10]
		push	esi
		push	edi
		push	8
		pop	esi
		push	ecx		; int
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_10], esi
		push	ecx		; void *
		lea	ecx, [ebp+arg_C]
		push	ecx		; int
		push	eax		; int
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9B722E
		cmp	[ebp+var_10], esi
		jnb	short loc_9B71B4
		xor	edi, edi
		jmp	short loc_9B722E
; 

loc_9B71B4:				; CODE XREF: PopNetWnfLowPowerEpochCallback(x,x,x,x,x,x)+3Cj
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		test	byte ptr [ebp+var_C], 2
		jz	short loc_9B71EC
		mov	_PopNetInLpePhase, 1
		call	_PopNetIsNetworkRefreshEnabled@0 ; PopNetIsNetworkRefreshEnabled()
		test	al, al
		jz	short loc_9B7229
		call	_PopNetGetNextDueRefreshTime@0 ; PopNetGetNextDueRefreshTime()
		xor	esi, esi
		mov	ecx, offset _PopNetRefreshTimerState
		inc	esi
		xchg	esi, [ecx]
		push	edx
		push	eax
		mov	cl, 1
		call	_PopNetArmRefreshTimer@12 ; PopNetArmRefreshTimer(x,x,x)
		jmp	short loc_9B7229
; 

loc_9B71EC:				; CODE XREF: PopNetWnfLowPowerEpochCallback(x,x,x,x,x,x)+4Bj
		cmp	_PopNetInLpePhase, 0
		jz	short loc_9B7229
		and	_PopNetInLpePhase, 0
		xor	eax, eax
		mov	ecx, offset _PopNetRefreshTimerState
		xchg	eax, [ecx]
		cmp	eax, 1
		jnz	short loc_9B721B
		push	0
		push	offset _PopNetRefreshTimer
		call	KeCancelTimer2
		call	_PopTraceNetRefreshTimerDisarmed@0 ; PopTraceNetRefreshTimerDisarmed()

loc_9B721B:				; CODE XREF: PopNetWnfLowPowerEpochCallback(x,x,x,x,x,x)+96j
		cmp	_PopNetRefreshIntervalActive, 0
		jz	short loc_9B7229
		call	_PopNetDisengageNetworkRefresh@0 ; PopNetDisengageNetworkRefresh()

loc_9B7229:				; CODE XREF: PopNetWnfLowPowerEpochCallback(x,x,x,x,x,x)+5Ej
					; PopNetWnfLowPowerEpochCallback(x,x,x,x,x,x)+78j ...
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()

loc_9B722E:				; CODE XREF: PopNetWnfLowPowerEpochCallback(x,x,x,x,x,x)+33j
					; PopNetWnfLowPowerEpochCallback(x,x,x,x,x,x)+40j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_PopNetWnfLowPowerEpochCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerButtonBugcheckWatchCallback(x)
_PopPowerButtonBugcheckWatchCallback@4 proc near
					; DATA XREF: PopInitializePowerButtonHold(x)+C7o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	PopPowerButtonBugcheckConfigure
		pop	ebp
		retn	4
_PopPowerButtonBugcheckWatchCallback@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopPublishPowerButtonState(x)
_PopPublishPowerButtonState@4 proc near	; CODE XREF: PopPowerButtonWorkCallback(x)+A2p
					; PopPowerButtonWorkCallback(x)+134p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	dword ptr [esi+4]
		mov	edx, [esi]
		mov	eax, edx
		shr	eax, 1
		and	edx, 1
		push	eax
		push	edx		; char
		push	offset ??_C@_0EA@HAJBOCIE@Power?5button?5hold?5update?5?$CIdown?3@NNGAKEGL@ ; char *
		push	3		; int
		push	92h		; int
		call	_DbgPrintEx
		add	esp, 18h
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	8
		push	esi
		push	offset _WNF_PO_POWER_BUTTON_STATE
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		pop	esi
		retn
_PopPublishPowerButtonState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopQueryPowerButtonBugcheckEnabled()
_PopQueryPowerButtonBugcheckEnabled@0 proc near
					; CODE XREF: PopPowerButtonWorkCallback(x)+E0p
					; PopPowerInformationInternal+1719E0p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		sub	esp, 0Ch
		dec	word ptr [eax+13Ch]
		push	ebx
		push	esi
		push	edi
		nop
		mov	edi, offset _PopPowerButtonBugcheckLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopPowerButtonBugcheckConfig
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_9B72CF
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9B72CF:				; CODE XREF: PopQueryPowerButtonBugcheckEnabled()+39j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		sub	esi, 1
		jz	short loc_9B7305
		sub	esi, 1
		jz	short loc_9B7300
		mov	eax, _Feature_PowerButtonBugcheck__private_featureState
		xor	ebx, ebx
		test	al, 10h
		jnz	short loc_9B7307
		push	ebx
		push	eax
		call	_Feature_PowerButtonBugcheck__private_ReportUsageFallback@12 ; Feature_PowerButtonBugcheck__private_ReportUsageFallback(x,x,x)
		jmp	short loc_9B7307
; 

loc_9B7300:				; CODE XREF: PopQueryPowerButtonBugcheckEnabled()+5Dj
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_9B7307
; 

loc_9B7305:				; CODE XREF: PopQueryPowerButtonBugcheckEnabled()+58j
		xor	ebx, ebx

loc_9B7307:				; CODE XREF: PopQueryPowerButtonBugcheckEnabled()+68j
					; PopQueryPowerButtonBugcheckEnabled()+71j ...
		pop	edi
		pop	esi
		mov	byte_6BFDB8, bl
		mov	eax, ebx
		pop	ebx
		leave
		retn
_PopQueryPowerButtonBugcheckEnabled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBootStatCheckIntegrity(x)
_PopBootStatCheckIntegrity@4 proc near	; CODE XREF: PopPowerInformationInternal+1716FCp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_1B		= byte ptr -1Bh
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

		push	30h
		push	offset dword_6A8E28
		call	__SEH_prolog4
		mov	[ebp+var_24], ecx
		and	[ebp+var_2C], 0
		mov	[ebp+var_1A], 0
		xor	esi, esi
		and	[ebp+var_20], esi
		mov	[ebp+var_1C], 0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	[ebp+var_1B], al
		test	al, al
		jz	loc_9B7408
		lea	eax, [ebp+var_2C]
		push	eax
		push	0Ch
		pop	edx
		mov	ecx, [ecx+8]
		call	_RtlSIZETMult@12 ; RtlSIZETMult(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9B74A3
		push	206D654Dh
		mov	edi, [ebp+var_2C]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	esi, esi
		jnz	short loc_9B738A
		mov	edi, 0C000009Ah
		jmp	loc_9B74A3
; 

loc_9B738A:				; CODE XREF: PopBootStatCheckIntegrity(x)+6Aj
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+var_24]
		test	edi, edi
		jz	short loc_9B73BA
		mov	ecx, [eax+0Ch]
		test	cl, 3
		jnz	loc_9B7501
		lea	edx, [ecx+edi]
		mov	[ebp+var_30], edx
		mov	edx, ds:_MmUserProbeAddress
		cmp	[ebp+var_30], edx
		ja	short loc_9B73B7
		cmp	[ebp+var_30], ecx
		jnb	short loc_9B73BA

loc_9B73B7:				; CODE XREF: PopBootStatCheckIntegrity(x)+9Cj
		mov	byte ptr [edx],	0

loc_9B73BA:				; CODE XREF: PopBootStatCheckIntegrity(x)+7Fj
					; PopBootStatCheckIntegrity(x)+A1j
		push	edi		; size_t
		push	dword ptr [eax+0Ch] ; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	edi, edi

loc_9B73C9:				; CODE XREF: PopBootStatCheckIntegrity(x)+D3j
		mov	[ebp+var_34], edi
		mov	eax, [ebp+var_24]
		cmp	edi, [eax+8]
		jnb	short loc_9B73E9
		imul	eax, edi, 0Ch
		push	1
		push	dword ptr [eax+esi+8]
		push	dword ptr [eax+esi+4]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		inc	edi
		jmp	short loc_9B73C9
; 

loc_9B73E9:				; CODE XREF: PopBootStatCheckIntegrity(x)+BEj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9B740E
; 

loc_9B73F2:				; DATA XREF: .text:006A8E3Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_38], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9B7400:				; DATA XREF: .text:006A8E40o
		mov	edi, [ebp+var_38]
		jmp	loc_9B7490
; 

loc_9B7408:				; CODE XREF: PopBootStatCheckIntegrity(x)+34j
		mov	esi, [ecx+0Ch]
		mov	[ebp+var_28], esi

loc_9B740E:				; CODE XREF: PopBootStatCheckIntegrity(x)+DCj
		mov	[ebp+var_1C], 1
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		mov	ecx, offset _PopBootStatLock
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlLockBootStatusData@4 ; RtlLockBootStatusData(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9B74A3
		mov	al, [ebp+var_19]
		test	al, al
		jz	short loc_9B744B
		push	1
		mov	dl, al
		mov	ecx, [ebp+var_20]
		call	_PopBootStatAccessCheck@12 ; PopBootStatAccessCheck(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9B74A3

loc_9B744B:				; CODE XREF: PopBootStatCheckIntegrity(x)+123j
		lea	edx, [ebp+var_1A]
		mov	ecx, [ebp+var_20]
		call	_RtlCheckBootStatusIntegrity@8 ; RtlCheckBootStatusIntegrity(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9B74A3
		xor	eax, eax
		inc	eax
		cmp	[esi+8], eax
		jnb	short loc_9B746B
		mov	edi, 0C000000Dh
		jmp	short loc_9B74A3
; 

loc_9B746B:				; CODE XREF: PopBootStatCheckIntegrity(x)+14Ej
		mov	[ebp+ms_exc.disabled], eax
		mov	ecx, [esi+4]
		mov	al, [ebp+var_1A]
		mov	[ecx], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9B74A3
; 

loc_9B747F:				; DATA XREF: .text:006A8E48o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9B748D:				; DATA XREF: .text:006A8E4Co
		mov	edi, [ebp+var_3C]

loc_9B7490:				; CODE XREF: PopBootStatCheckIntegrity(x)+EFj
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, [ebp+var_1B]
		mov	[ebp+var_19], al
		mov	esi, [ebp+var_28]

loc_9B74A3:				; CODE XREF: PopBootStatCheckIntegrity(x)+4Dj
					; PopBootStatCheckIntegrity(x)+71j ...
		cmp	[ebp+var_20], 0
		jz	short loc_9B74B1
		push	[ebp+var_20]
		call	_RtlUnlockBootStatusData@4 ; RtlUnlockBootStatusData(x)

loc_9B74B1:				; CODE XREF: PopBootStatCheckIntegrity(x)+193j
		cmp	[ebp+var_1C], 0
		jz	short loc_9B74DD
		or	eax, 0FFFFFFFFh
		mov	ecx, offset _PopBootStatLock
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9B74D3
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset _PopBootStatLock

loc_9B74D3:				; CODE XREF: PopBootStatCheckIntegrity(x)+1B3j
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9B74DD:				; CODE XREF: PopBootStatCheckIntegrity(x)+1A1j
		cmp	[ebp+var_19], 0
		jz	short loc_9B74EF
		test	esi, esi
		jz	short loc_9B74EF
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9B74EF:				; CODE XREF: PopBootStatCheckIntegrity(x)+1CDj
					; PopBootStatCheckIntegrity(x)+1D1j
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9B7501:				; CODE XREF: PopBootStatCheckIntegrity(x)+87j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger

; __stdcall PopBootStatRestoreDefaults(x)
_PopBootStatRestoreDefaults@4:		; CODE XREF: PopPowerInformationInternal+17170Bp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		and	[ebp+ms_exc.disabled], 0
		push	ebx
		push	esi
		mov	bl, [eax+15Ah]
		push	edi
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		mov	ecx, offset _PopBootStatLock
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [ebp+ms_exc.disabled]
		push	eax
		call	_RtlLockBootStatusData@4 ; RtlLockBootStatusData(x)
		mov	esi, [ebp+ms_exc.disabled]
		mov	edi, eax
		test	edi, edi
		js	short loc_9B7561
		test	bl, bl
		jz	short loc_9B7558
		push	1
		mov	dl, bl
		mov	ecx, esi
		call	_PopBootStatAccessCheck@12 ; PopBootStatAccessCheck(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9B7561

loc_9B7558:				; CODE XREF: PopBootStatCheckIntegrity(x)+231j
		mov	ecx, esi
		call	_RtlRestoreBootStatusDefaults@4	; RtlRestoreBootStatusDefaults(x)
		mov	edi, eax

loc_9B7561:				; CODE XREF: PopBootStatCheckIntegrity(x)+22Dj
					; PopBootStatCheckIntegrity(x)+242j
		test	esi, esi
		jz	short loc_9B756B
		push	esi
		call	_RtlUnlockBootStatusData@4 ; RtlUnlockBootStatusData(x)

loc_9B756B:				; CODE XREF: PopBootStatCheckIntegrity(x)+24Fj
		or	eax, 0FFFFFFFFh
		mov	esi, offset _PopBootStatLock
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9B7584
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9B7584:				; CODE XREF: PopBootStatCheckIntegrity(x)+267j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopBootStatCheckIntegrity@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopBootStatUnlock(x)
_PopBootStatUnlock@4 proc near		; CODE XREF: PopPowerInformationInternal+17171Ap
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopBootStatLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		push	0
		call	_RtlUnlockBootStatusData@4 ; RtlUnlockBootStatusData(x)
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9B75CF
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9B75CF:				; CODE XREF: PopBootStatUnlock(x)+2Fj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax
		pop	esi
		retn
_PopBootStatUnlock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUmpoSendPowerRequestCreate(x)
_PopUmpoSendPowerRequestCreate@4 proc near ; CODE XREF:	PopCreateUserPowerRequest(x,x,x)+F7p
					; PopPowerRequestNotificationsFlush(x)+18p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		push	eax
		xor	edx, edx
		mov	ebx, ecx
		call	_PopGetPowerRequestDiagnosticBuffer@12 ; PopGetPowerRequestDiagnosticBuffer(x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_9B765D
		mov	edi, [ebp+var_4]
		push	6F706D55h
		add	edi, 8
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9B765D
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [esi], 0Fh
		lea	eax, [ebp+var_4]
		mov	[esi+4], ebx
		lea	edx, [esi+8]
		mov	ecx, ebx
		push	eax
		call	_PopGetPowerRequestDiagnosticBuffer@12 ; PopGetPowerRequestDiagnosticBuffer(x,x,x)
		test	eax, eax
		js	short loc_9B7652
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	PopUmpoSendPowerMessage

loc_9B7652:				; CODE XREF: PopUmpoSendPowerRequestCreate(x)+5Fj
		push	6F706D55h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9B765D:				; CODE XREF: PopUmpoSendPowerRequestCreate(x)+1Fj
					; PopUmpoSendPowerRequestCreate(x)+38j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopUmpoSendPowerRequestCreate@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopMonitorAlpcCallback(x, x, x)
_PopMonitorAlpcCallback@12 proc	near	; DATA XREF: PopUmpoInitializeMonitorChannel+CFo
		call	PopMonitorProcessLoop
		retn	0Ch
_PopMonitorAlpcCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopMonitorProcessBrightnessAction(x, x)
_PopMonitorProcessBrightnessAction@8 proc near ; CODE XREF: SmProcessConfigRequest+84578p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], esi
		sub	ecx, 0
		jz	short loc_9B76B8
		dec	ecx
		sub	ecx, 1
		jz	short loc_9B768F
		sub	ecx, 1
		jnz	short loc_9B76C9
		mov	ecx, offset _GUID_VIDEO_CURRENT_MONITOR_BRIGHTNESS
		jmp	short loc_9B76BD
; 

loc_9B768F:				; CODE XREF: PopMonitorProcessBrightnessAction(x,x)+17j
		push	44h		; size_t
		lea	eax, [ebp+var_50]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_50], 0Bh
		lea	ecx, [ebp+var_50]
		mov	[ebp+var_4C], esi
		push	0
		push	44h
		pop	edx
		call	PopUmpoSendPowerMessage
		jmp	short loc_9B76C9
; 

loc_9B76B8:				; CODE XREF: PopMonitorProcessBrightnessAction(x,x)+11j
		mov	ecx, offset _GUID_DEVICE_POWER_POLICY_VIDEO_BRIGHTNESS ; int

loc_9B76BD:				; CODE XREF: PopMonitorProcessBrightnessAction(x,x)+23j
		lea	eax, [ebp+var_4]
		push	eax		; void *
		push	4
		pop	edx
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)

loc_9B76C9:				; CODE XREF: PopMonitorProcessBrightnessAction(x,x)+1Cj
					; PopMonitorProcessBrightnessAction(x,x)+4Cj
		pop	esi
		leave
		retn
_PopMonitorProcessBrightnessAction@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopEsHostStateChange(x)
_PopEsHostStateChange@4	proc near	; CODE XREF: PopPowerInformationInternal+171770p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	bl, cl
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopEsLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6BFD2C, eax
		mov	_PopEsEnabledOnHost, bl
		test	eax, eax
		jz	short loc_9B7708
		and	dword_6BFD2C, 0

loc_9B7708:				; CODE XREF: PopEsHostStateChange(x)+33j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	4
		pop	ecx
		pop	esi
		pop	ebx
		jmp	_PopEsWorkItemSchedule@4 ; PopEsWorkItemSchedule(x)
_PopEsHostStateChange@4	endp


;  S U B	R O U T	I N E 


; __stdcall PopEsInStandbyLowPowerEpochCallback(x, x, x, x)
_PopEsInStandbyLowPowerEpochCallback@16	proc near ; DATA XREF: PopEsInit+230C4o
					; PopEsInit+230DBo
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopEsLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6BFD2C, eax
		call	_PopEsInStandbyEvaluate@0 ; PopEsInStandbyEvaluate()
		cmp	dword_6BFD2C, 0
		jz	short loc_9B775D
		and	dword_6BFD2C, 0

loc_9B775D:				; CODE XREF: PopEsInStandbyLowPowerEpochCallback(x,x,x,x)+34j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	eax, eax
		pop	esi
		retn	10h
_PopEsInStandbyLowPowerEpochCallback@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PopEsInStandbyEvaluate(int)
_PopEsInStandbyEvaluate@0 proc near	; CODE XREF: PopEsInStandbyLowPowerEpochCallback(x,x,x,x)+28p
					; PopEsWnfOpportunisticCsCallback(x,x,x,x,x,x)+28p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	edi
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax		; int
		push	ecx		; int
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], ebx
		push	eax		; void *
		push	3		; int
		mov	ecx, (offset loc_407FB3+5)
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	byte ptr [ebp+var_1], bl
		call	_PopGetPowerSettingValue@24 ; PopGetPowerSettingValue(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9B7820
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	ecx		; int
		lea	eax, [ebp+var_C]
		mov	ecx, offset _GUID_LOW_POWER_EPOCH
		push	eax		; void *
		push	3		; int
		call	_PopGetPowerSettingValue@24 ; PopGetPowerSettingValue(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9B7820
		push	esi
		lea	eax, [ebp+var_8]
		xor	esi, esi
		push	eax		; int
		lea	eax, [ebp+var_1]
		inc	esi
		push	eax		; void *
		lea	eax, [ebp+var_14]
		mov	[ebp+var_8], esi
		push	eax		; int
		push	_PopEsWnfSubscriptionOpportunisticCs ; int
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9B781F
		cmp	[ebp+var_8], ebx
		jz	short loc_9B781F
		cmp	[ebp+var_C], ebx
		jz	short loc_9B7800
		cmp	[ebp+var_10], esi
		jnz	short loc_9B7800
		cmp	byte ptr [ebp+var_1], bl
		jnz	short loc_9B7800
		test	byte ptr _PopAggressiveStandbyAppliedActions, 1
		jz	short loc_9B7802

loc_9B7800:				; CODE XREF: PopEsInStandbyEvaluate()+7Aj
					; PopEsInStandbyEvaluate()+7Fj	...
		mov	esi, ebx

loc_9B7802:				; CODE XREF: PopEsInStandbyEvaluate()+8Dj
		mov	ecx, _PopEsBgActivityPolicy
		cmp	ecx, esi
		jz	short loc_9B781F
		mov	_PopEsBgActivityPolicy,	esi
		call	_PopTraceEsBgActivityPolicyUpdate@8 ; PopTraceEsBgActivityPolicyUpdate(x,x)
		push	4
		pop	ecx
		call	_PopEsWorkItemSchedule@4 ; PopEsWorkItemSchedule(x)

loc_9B781F:				; CODE XREF: PopEsInStandbyEvaluate()+70j
					; PopEsInStandbyEvaluate()+75j	...
		pop	esi

loc_9B7820:				; CODE XREF: PopEsInStandbyEvaluate()+31j
					; PopEsInStandbyEvaluate()+4Cj
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn
_PopEsInStandbyEvaluate@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopEsWnfOpportunisticCsCallback(x, x, x, x,	x, x)
_PopEsWnfOpportunisticCsCallback@24 proc near ;	DATA XREF: PopEsInit+230ECo
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopEsLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6BFD2C, eax
		call	_PopEsInStandbyEvaluate@0 ; PopEsInStandbyEvaluate()
		cmp	dword_6BFD2C, 0
		jz	short loc_9B7863
		and	dword_6BFD2C, 0

loc_9B7863:				; CODE XREF: PopEsWnfOpportunisticCsCallback(x,x,x,x,x,x)+34j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	eax, eax
		pop	esi
		retn	18h
_PopEsWnfOpportunisticCsCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEsWnfSubscriptionOverrideCallback(x, x, x, x, x,	x)
_PopEsWnfSubscriptionOverrideCallback@24 proc near ; DATA XREF:	PopEsWorker+1AAo

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		push	eax		; int
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], 4
		push	eax		; void *
		lea	eax, [ebp+arg_C]
		push	eax		; int
		push	[ebp+arg_0]	; int
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		test	eax, eax
		js	short loc_9B78FB
		cmp	[ebp+var_4], 2
		ja	short loc_9B78FB
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset _PopEsLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		mov	eax, [ebp+var_4]
		mov	dword_6BFD2C, ecx
		mov	_PopEsMode, eax
		test	ecx, ecx
		jz	short loc_9B78E4
		and	dword_6BFD2C, 0

loc_9B78E4:				; CODE XREF: PopEsWnfSubscriptionOverrideCallback(x,x,x,x,x,x)+64j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	2
		pop	ecx
		call	_PopEsWorkItemSchedule@4 ; PopEsWorkItemSchedule(x)
		pop	esi

loc_9B78FB:				; CODE XREF: PopEsWnfSubscriptionOverrideCallback(x,x,x,x,x,x)+28j
					; PopEsWnfSubscriptionOverrideCallback(x,x,x,x,x,x)+2Ej
		xor	eax, eax
		leave
		retn	18h
_PopEsWnfSubscriptionOverrideCallback@24 endp


;  S U B	R O U T	I N E 


; __stdcall PoQueryProcessEnergyTrackingState(x, x)
_PoQueryProcessEnergyTrackingState@8 proc near ; CODE XREF: PAGE:0083F364p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	90h		; size_t
		mov	edi, edx
		mov	esi, ecx
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ebx, [esi+3E0h]
		add	esp, 0Ch
		test	ebx, ebx
		jz	short loc_9B798F
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	esi, [ebx+1B0h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		movzx	eax, word ptr [ebx+1C0h]
		mov	[edi+4], eax
		mov	eax, [ebx+1C4h]
		mov	[edi+8], eax
		mov	ecx, [ebx+1BCh]
		test	ecx, ecx
		jz	short loc_9B7974
		mov	eax, [ecx+0Ch]
		shr	eax, 0Bh
		push	eax
		lea	eax, [ecx+10h]
		push	eax
		push	40h
		lea	ecx, [edi+10h]
		pop	edx
		call	RtlStringCchCopyNW

loc_9B7974:				; CODE XREF: PoQueryProcessEnergyTrackingState(x,x)+5Bj
		cmp	dword ptr [esi+4], 0
		jz	short loc_9B797E
		and	dword ptr [esi+4], 0

loc_9B797E:				; CODE XREF: PoQueryProcessEnergyTrackingState(x,x)+77j
		xor	edx, edx
		mov	ecx, esi
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
; 

loc_9B798F:				; CODE XREF: PoQueryProcessEnergyTrackingState(x,x)+21j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PoQueryProcessEnergyTrackingState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtEnergyTrackerCleanup(x)
_PopEtEnergyTrackerCleanup@4 proc near	; CODE XREF: PopEtEnergyTrackerDelete(x)+8p

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, _PopEtGlobals
		dec	word ptr [eax+13Ch]
		push	edi
		mov	edi, ecx
		nop
		xor	edx, edx
		lea	ecx, [esi+8]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+0Ch], eax
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	loc_9B7AEA
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	loc_9B7AEA
		mov	[eax], ecx
		xor	ebx, ebx
		mov	[ecx+4], eax
		mov	ecx, _PopEtGlobals
		add	ecx, 8
		cmp	[ecx+4], ebx
		jz	short loc_9B79F3
		mov	[ecx+4], ebx

loc_9B79F3:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+5Bj
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, edi
		call	PopEtEnergyTrackerCleanupAggregates
		mov	eax, [edi+24h]
		test	eax, eax
		jz	short loc_9B7A18
		push	54456F50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9B7A18:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+78j
		mov	edx, [edi+30h]
		mov	esi, edx
		mov	[ebp+var_4], edx

loc_9B7A20:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+133j
		test	esi, esi
		jz	short loc_9B7A44
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, 80000002h
		cmp	eax, 80000002h
		jnz	short loc_9B7A38
		mov	eax, [ebx]
		mov	ecx, [esi]

loc_9B7A38:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+9Fj
		test	ecx, 1
		jnz	short loc_9B7A44
		mov	esi, ecx
		jmp	short loc_9B7A67
; 

loc_9B7A44:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+8Fj
					; PopEtEnergyTrackerCleanup(x)+ABj
		mov	ecx, [edi+2Ch]
		add	edx, 4
		mov	eax, [edi+30h]
		shr	ecx, 5
		lea	ecx, [eax+ecx*4]
		jmp	short loc_9B7A5E
; 

loc_9B7A55:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+CDj
		mov	eax, [edx]
		test	al, 1
		jz	short loc_9B7A8E
		add	edx, 4

loc_9B7A5E:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+C0j
		cmp	edx, ecx
		jb	short loc_9B7A55
		mov	edx, [ebp+var_4]
		mov	ecx, ebx

loc_9B7A67:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+AFj
					; PopEtEnergyTrackerCleanup(x)+102j
		test	ecx, ecx
		jz	short loc_9B7ACB
		mov	eax, [esi]
		mov	ecx, 80000002h
		and	eax, ecx
		mov	ebx, esi
		cmp	eax, ecx
		jnz	short loc_9B7A7E
		xor	eax, eax
		mov	eax, [eax]

loc_9B7A7E:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+E5j
		mov	ecx, edx

loc_9B7A80:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+F9j
		mov	eax, [ecx]
		test	al, 1
		jnz	short loc_9B7AA8
		cmp	eax, esi
		jz	short loc_9B7A97
		mov	ecx, eax
		jmp	short loc_9B7A80
; 

loc_9B7A8E:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+C6j
		mov	esi, eax
		mov	[ebp+var_4], edx
		mov	ecx, esi
		jmp	short loc_9B7A67
; 

loc_9B7A97:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+F5j
		mov	eax, [esi]
		mov	[ecx], eax
		dec	dword ptr [edi+28h]
		or	dword ptr [esi], 80000002h
		mov	esi, ecx
		jmp	short loc_9B7AAE
; 

loc_9B7AA8:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+F1j
		xor	ecx, ecx
		mov	ebx, ecx
		mov	eax, [ecx]

loc_9B7AAE:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+113j
		lea	ecx, [ebx+8]
		call	_PopEtAggregateKeyCleanup@4 ; PopEtAggregateKeyCleanup(x)
		push	54456F50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [ebp+var_4]
		xor	ebx, ebx
		jmp	loc_9B7A20
; 

loc_9B7ACB:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+D6j
		mov	eax, [edi+30h]
		test	eax, eax
		jz	short loc_9B7ADD
		push	54456F50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9B7ADD:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+13Dj
		lea	ecx, [edi+40h]
		call	_PopEtAggregateKeyCleanup@4 ; PopEtAggregateKeyCleanup(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9B7AEA:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+37j
					; PopEtEnergyTrackerCleanup(x)+42j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall PopEtEnergyTrackerClose(x, x, x, x)
_PopEtEnergyTrackerClose@16:		; DATA XREF: PopEtInit+193o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 1
		jnz	short loc_9B7B40
		mov	eax, large fs:124h
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+8]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+0Ch], eax
		or	dword ptr [esi+254h], 2
		test	eax, eax
		jz	short loc_9B7B2F
		and	dword ptr [esi+0Ch], 0

loc_9B7B2F:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+196j
		xor	edx, edx
		lea	ecx, [esi+8]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi

loc_9B7B40:				; CODE XREF: PopEtEnergyTrackerCleanup(x)+165j
		pop	ebp
		retn	10h
_PopEtEnergyTrackerCleanup@4 endp ; sp = -14h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEtEnergyTrackerDelete(x)
_PopEtEnergyTrackerDelete@4 proc near	; DATA XREF: PopEtInit+19Ao

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_PopEtEnergyTrackerCleanup@4 ; PopEtEnergyTrackerCleanup(x)
		pop	ebp
		retn	4
_PopEtEnergyTrackerDelete@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventStaticPolicyRundown()
_PpmEventStaticPolicyRundown@0 proc near ; CODE	XREF: PpmEventTraceControlCallback+82E7Bp

var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PpmEtwRegistered, 0
		jz	loc_9B7C8F
		push	ebx
		push	esi
		mov	esi, dword_6BFD04
		mov	ebx, offset _PPM_ETW_STATIC_POLICY_RUNDOWN
		push	edi
		mov	edi, _PpmEtwHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	loc_9B7C8C
		xor	ecx, ecx
		mov	[ebp+var_A4], offset _PpmPerfBoostAtGuaranteed
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_AC], ecx
		push	4
		pop	edx
		mov	[ebp+var_54], eax
		mov	eax, ds:_PpmPerfQosTransitionHysteresisOverride
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_9C], edx
		mov	[ebp+var_98], ecx
		mov	[ebp+var_94], offset _PpmPerfIdealAggressiveIncreaseThreshold
		mov	[ebp+var_90], ecx
		mov	[ebp+var_8C], edx
		mov	[ebp+var_88], ecx
		mov	[ebp+var_84], offset _PpmPerfSingleStepSize
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], edx
		mov	[ebp+var_78], ecx
		mov	[ebp+var_74], offset _PpmPerfCalculateActualUtilization
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_64], offset _PpmPerfArtificialDomainEnabled
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], offset _PpmParkUseCoreGranularity
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], offset _PpmParkMultiparkGranularity
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], offset _PpmPerfQosManageIdleProcessors
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], ecx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9B7C62
		mov	eax, ds:_PpmPerfQosTransitionHysteresis

loc_9B7C62:				; CODE XREF: PpmEventStaticPolicyRundown()+106j
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_A4]
		push	eax
		push	0Ah
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B7C8C:				; CODE XREF: PpmEventStaticPolicyRundown()+40j
		pop	edi
		pop	esi
		pop	ebx

loc_9B7C8F:				; CODE XREF: PpmEventStaticPolicyRundown()+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventStaticPolicyRundown@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTraceAccountingBucketIntervalsRundown()
_PpmEventTraceAccountingBucketIntervalsRundown@0 proc near
					; CODE XREF: PpmEventTraceControlCallback+82F42p

var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PpmEtwRegistered, 0
		jz	loc_9B7D54
		push	edi
		mov	edi, offset _PPM_ETW_ACCOUNTING_BUCKET_INTERVALS_RUNDOWN
		push	edi
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B7D53
		push	esi
		xor	esi, esi
		mov	[ebp+var_F8], 1Ah
		lea	edx, [ebp+var_F4]
		mov	ecx, esi

loc_9B7CEE:				; CODE XREF: PpmEventTraceAccountingBucketIntervalsRundown()+70j
		mov	eax, ds:dword_705208[ecx]
		mov	[edx], eax
		lea	edx, [edx+8]
		mov	eax, ds:dword_70520C[ecx]
		add	ecx, 18h
		mov	[edx-4], eax
		cmp	ecx, 270h
		jb	short loc_9B7CEE
		lea	eax, [ebp+var_F8]
		mov	[ebp+var_20], esi
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_F4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	esi
		push	edi
		push	dword_6BFD04
		mov	[ebp+var_1C], 4
		push	_PpmEtwHandle
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], 0D0h
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	esi

loc_9B7D53:				; CODE XREF: PpmEventTraceAccountingBucketIntervalsRundown()+3Cj
		pop	edi

loc_9B7D54:				; CODE XREF: PpmEventTraceAccountingBucketIntervalsRundown()+1Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventTraceAccountingBucketIntervalsRundown@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTraceCoordinatedIdleStates()
_PpmEventTraceCoordinatedIdleStates@0 proc near
					; CODE XREF: PpmEventTraceControlCallback+82F5Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	_PpmEtwRegistered, 0
		jz	locret_9B7E93
		push	offset _PPM_ETW_COORDINATED_IDLE_RUNDOWN
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	locret_9B7E93
		push	edi
		mov	edi, ds:_PpmPlatformStates
		test	edi, edi
		jnz	short loc_9B7DA2
		xor	eax, eax
		jmp	short loc_9B7DA4
; 

loc_9B7DA2:				; CODE XREF: PpmEventTraceCoordinatedIdleStates()+3Cj
		mov	eax, [edi]

loc_9B7DA4:				; CODE XREF: PpmEventTraceCoordinatedIdleStates()+40j
		push	ebx
		lea	ecx, ds:1[eax*2]
		mov	[ebp+var_4], eax
		imul	eax, 0Ch
		mov	ebx, ecx
		push	esi
		shl	ebx, 4
		push	654D5050h
		mov	[ebp+var_C], ecx
		add	eax, ebx
		push	eax
		push	1
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9B7E90
		push	[ebp+var_8]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		and	dword ptr [esi+4], 0
		lea	eax, [ebp+var_4]
		and	dword ptr [esi+0Ch], 0
		lea	edx, [ebx+esi]
		and	[ebp+var_8], 0
		add	esp, 0Ch
		mov	[esi], eax
		mov	dword ptr [esi+8], 4
		cmp	[ebp+var_4], 0
		jbe	short loc_9B7E69
		add	edi, 4Ch
		lea	ecx, [esi+1Ch]

loc_9B7E0C:				; CODE XREF: PpmEventTraceCoordinatedIdleStates()+107j
		mov	eax, [edi-4]
		mov	[edx], eax
		mov	eax, [edi]
		mov	[edx+4], eax
		movzx	eax, byte ptr [edi+1Dh]
		mov	[edx+8], eax
		and	dword ptr [ecx-8], 0
		and	dword ptr [ecx], 0
		mov	[ecx-0Ch], edx
		mov	dword ptr [ecx-4], 0Ch
		mov	eax, [edi+34h]
		test	eax, eax
		jz	short loc_9B7E3B
		movzx	ebx, word ptr [edi+32h]
		jmp	short loc_9B7E43
; 

loc_9B7E3B:				; CODE XREF: PpmEventTraceCoordinatedIdleStates()+D3j
		push	1Ch
		pop	ebx
		mov	eax, offset ??_C@_1BM@BCFBFHLN@?$AA?$DM?$AAu?$AAn?$AAs?$AAp?$AAe?$AAc?$AAi?$AAf?$AAi?$AAe?$AAd?$AA?$DO@NNGAKEGL@

loc_9B7E43:				; CODE XREF: PpmEventTraceCoordinatedIdleStates()+D9j
		mov	[ecx+4], eax
		add	edx, 0Ch
		and	dword ptr [ecx+8], 0
		add	edi, 0C0h
		mov	[ecx+0Ch], ebx
		and	dword ptr [ecx+10h], 0
		add	ecx, 20h
		mov	ebx, [ebp+var_8]
		inc	ebx
		mov	[ebp+var_8], ebx
		cmp	ebx, [ebp+var_4]
		jb	short loc_9B7E0C

loc_9B7E69:				; CODE XREF: PpmEventTraceCoordinatedIdleStates()+A4j
		push	esi
		push	[ebp+var_C]
		push	0
		push	offset _PPM_ETW_COORDINATED_IDLE_RUNDOWN
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		push	654D5050h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9B7E90:				; CODE XREF: PpmEventTraceCoordinatedIdleStates()+71j
		pop	esi
		pop	ebx
		pop	edi

locret_9B7E93:				; CODE XREF: PpmEventTraceCoordinatedIdleStates()+Fj
					; PpmEventTraceCoordinatedIdleStates()+2Dj
		leave
		retn
_PpmEventTraceCoordinatedIdleStates@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTraceDripsAccountingSnapshot(x, x)
_PpmEventTraceDripsAccountingSnapshot@8	proc near
					; CODE XREF: PpmSnapDripsAccountingSnapshot(x,x,x,x,x,x)+A5p

var_4C		= dword	ptr -4Ch
var_45		= dword	ptr -45h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PpmEtwRegistered, 0
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4C], 1Ah
		jz	loc_9B7F43
		push	esi
		mov	esi, dword_6BFD04
		push	edi
		mov	edi, _PpmEtwHandle
		push	offset _PPM_ETW_DRIPS_ACCOUNTING_SNAPSHOT
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B7F41
		mov	al, byte ptr _PopWnfCsEnterScenarioId
		xor	edx, edx
		mov	byte ptr [ebp+var_45], al
		lea	eax, [ebp+var_45]
		push	4
		pop	ecx
		mov	[ebp+var_45+1],	eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_45+1]
		push	eax
		push	ecx
		push	edx
		push	offset _PPM_ETW_DRIPS_ACCOUNTING_SNAPSHOT
		push	esi
		push	edi
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], 1
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], 0D0h
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], offset _PopWnfCsEnterScenarioId
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], 8
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B7F41:				; CODE XREF: PpmEventTraceDripsAccountingSnapshot(x,x)+45j
		pop	edi
		pop	esi

loc_9B7F43:				; CODE XREF: PpmEventTraceDripsAccountingSnapshot(x,x)+23j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventTraceDripsAccountingSnapshot@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTraceParkNodeRundown(x)
_PpmEventTraceParkNodeRundown@4	proc near ; CODE XREF: PpmEventTraceControlCallback+82EA1p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PpmEtwRegistered, 0
		push	esi
		mov	esi, ecx
		jz	loc_9B8036
		push	offset _PPM_ETW_PARK_NODE_RUNDOWN
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_9B8036
		push	ebx
		lea	eax, [esi+4]
		xor	ecx, ecx
		mov	[ebp+var_74], eax
		lea	eax, [esi+8]
		push	edi
		xor	edi, edi
		mov	[ebp+var_64], eax
		push	2
		lea	eax, [esi+14h]
		mov	[ebp+var_70], edi
		mov	[ebp+var_54], eax
		inc	ecx
		pop	edx
		lea	eax, [esi+5Eh]
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_44], eax
		lea	eax, [esi+60h]
		push	4
		pop	ebx
		mov	[ebp+var_34], eax
		mov	eax, edi
		mov	[ebp+var_2C], ecx
		lea	ecx, [esi+20h]
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], edi
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi

loc_9B7FED:				; CODE XREF: PpmEventTraceParkNodeRundown(x)+A4j
		or	eax, [ecx]
		add	ecx, ebx
		sub	edx, 1
		jnz	short loc_9B7FED
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_24], eax
		lea	eax, [esi+1Ch]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	edi
		push	offset _PPM_ETW_PARK_NODE_RUNDOWN
		push	dword_6BFD04
		mov	[ebp+var_20], edi
		push	_PpmEtwHandle
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	edi
		pop	ebx

loc_9B8036:				; CODE XREF: PpmEventTraceParkNodeRundown(x)+1Cj
					; PpmEventTraceParkNodeRundown(x)+3Aj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventTraceParkNodeRundown@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTracePlatformIdleAccounting()
_PpmEventTracePlatformIdleAccounting@0 proc near
					; CODE XREF: PpmEventTraceControlCallback+82F63p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_55		= dword	ptr -55h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_68], 0
		push	ebx
		xor	ebx, ebx
		mov	byte ptr [ebp+var_55], 20h
		push	esi
		inc	ebx
		xor	esi, esi
		cmp	_PpmEtwRegistered, 0
		mov	[ebp+var_6C], ebx
		jz	loc_9B828B
		push	offset _PPM_ETW_PLATFORM_IDLE_ACCOUNTING_RUNDOWN
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_9B828B
		mov	eax, ds:_PpmPlatformStates
		test	eax, eax
		jz	loc_9B828B
		mov	ecx, [eax+20h]
		and	[ebp+var_64], esi
		push	edi
		mov	[ebp+var_60], ecx
		mov	edi, [ecx+4]
		cmp	[eax+4], ebx
		jnz	loc_9B81AF
		imul	ebx, edi, 50h
		push	654D5050h
		push	ebx
		push	200h
		mov	[ebp+var_64], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9B828A
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		test	edi, edi
		jz	loc_9B81AF
		mov	edx, [ebp+var_60]
		lea	ecx, [esi+10h]
		add	edx, 70h
		mov	ebx, edi

loc_9B80F4:				; CODE XREF: PpmEventTracePlatformIdleAccounting()+166j
		mov	eax, [edx-8]
		mov	[ecx-8], eax
		mov	eax, [edx-4]
		mov	[ecx-4], eax
		mov	eax, [edx]
		lea	edx, [edx+3F0h]
		mov	[ecx], eax
		lea	ecx, [ecx+50h]
		mov	eax, [edx-3ECh]
		mov	[ecx-4Ch], eax
		mov	eax, [edx-3E0h]
		mov	[ecx-48h], eax
		mov	eax, [edx-3DCh]
		mov	[ecx-44h], eax
		mov	eax, [edx-3E8h]
		mov	[ecx-40h], eax
		mov	eax, [edx-3E4h]
		mov	[ecx-3Ch], eax
		mov	eax, [edx-408h]
		mov	[ecx-28h], eax
		mov	eax, [edx-404h]
		mov	[ecx-24h], eax
		mov	eax, [edx-410h]
		mov	[ecx-20h], eax
		mov	eax, [edx-40Ch]
		mov	[ecx-1Ch], eax
		mov	eax, [edx-418h]
		mov	[ecx-18h], eax
		mov	eax, [edx-414h]
		mov	[ecx-14h], eax
		mov	eax, [edx-3C8h]
		mov	[ecx-60h], eax
		mov	eax, [edx-3C4h]
		mov	[ecx-5Ch], eax
		mov	eax, [edx-3B8h]
		mov	[ecx-38h], eax
		mov	eax, [edx-3B4h]
		mov	[ecx-34h], eax
		mov	eax, [edx-3C0h]
		mov	[ecx-30h], eax
		mov	eax, [edx-3BCh]
		mov	[ecx-2Ch], eax
		sub	ebx, 1
		jnz	loc_9B80F4

loc_9B81AF:				; CODE XREF: PpmEventTracePlatformIdleAccounting()+6Cj
					; PpmEventTracePlatformIdleAccounting()+A0j
		imul	ebx, edi, 298h
		push	654D5050h
		add	ebx, 20h
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_5C], eax
		test	eax, eax
		jz	loc_9B827B
		push	ebx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_5C]
		add	esp, 0Ch
		mov	ecx, [ebp+var_60]
		call	_PpmTranslatePlatformIdleAccounting@8 ;	PpmTranslatePlatformIdleAccounting(x,x)
		mov	eax, [ebp+var_5C]
		xor	edx, edx
		mov	[ebp+var_55+1],	eax
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_55]
		mov	[ebp+var_50], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], 2
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], 1
		mov	[ebp+var_28], edx
		push	4
		pop	ebx
		mov	ecx, ebx
		test	esi, esi
		jz	short loc_9B823E
		mov	eax, [ebp+var_64]
		push	5
		pop	ecx
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], edx
		jmp	short loc_9B8240
; 

loc_9B823E:				; CODE XREF: PpmEventTracePlatformIdleAccounting()+1E5j
		mov	edi, edx

loc_9B8240:				; CODE XREF: PpmEventTracePlatformIdleAccounting()+1F9j
		lea	eax, [ebp+var_68]
		mov	[ebp+var_68], edi
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_55+1]
		push	eax
		push	ecx
		push	edx
		push	offset _PPM_ETW_PLATFORM_IDLE_ACCOUNTING_RUNDOWN
		push	dword_6BFD04
		mov	[ebp+var_20], edx
		push	_PpmEtwHandle
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		push	654D5050h
		push	[ebp+var_5C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9B827B:				; CODE XREF: PpmEventTracePlatformIdleAccounting()+18Aj
		test	esi, esi
		jz	short loc_9B828A
		push	654D5050h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9B828A:				; CODE XREF: PpmEventTracePlatformIdleAccounting()+8Cj
					; PpmEventTracePlatformIdleAccounting()+23Aj
		pop	edi

loc_9B828B:				; CODE XREF: PpmEventTracePlatformIdleAccounting()+2Bj
					; PpmEventTracePlatformIdleAccounting()+49j ...
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventTracePlatformIdleAccounting@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTracePpmProfileStatusRundown()
_PpmEventTracePpmProfileStatusRundown@0	proc near
					; CODE XREF: PpmEventTraceControlCallback+82EDEp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PpmEtwRegistered, 0
		jz	short loc_9B82FC
		push	ebx
		push	esi
		mov	esi, dword_6BFD04
		mov	ebx, offset _PPM_ETW_PROCESSOR_PROFILE_STATUS_RUNDOWN
		push	edi
		mov	edi, _PpmEtwHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B82F9
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], offset _PpmProfileStatus
		push	eax
		push	1
		xor	ecx, ecx
		mov	[ebp+var_C], 4
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B82F9:				; CODE XREF: PpmEventTracePpmProfileStatusRundown()+39j
		pop	edi
		pop	esi
		pop	ebx

loc_9B82FC:				; CODE XREF: PpmEventTracePpmProfileStatusRundown()+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventTracePpmProfileStatusRundown@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTraceProcessorIdle(x)
_PpmEventTraceProcessorIdle@4 proc near	; CODE XREF: PpmEventTraceControlCallback+82FB2p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		cmp	_PpmEtwRegistered, 0
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_C], ebx
		jz	loc_9B84C8
		push	offset _PPM_ETW_CURRENT_IDLE_RUNDOWN
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_9B84C8
		mov	ebx, [ebx+3D70h]
		test	ebx, ebx
		jnz	short loc_9B8354
		and	[ebp+var_4], ebx
		xor	ecx, ecx
		xor	eax, eax
		jmp	short loc_9B835D
; 

loc_9B8354:				; CODE XREF: PpmEventTraceProcessorIdle(x)+41j
		mov	eax, [ebx+20h]
		mov	[ebp+var_4], eax
		mov	ecx, [ebx+24h]

loc_9B835D:				; CODE XREF: PpmEventTraceProcessorIdle(x)+4Aj
		push	esi
		push	edi
		mov	[ebp+var_14], ecx
		lea	ecx, ds:4[eax*2]
		imul	eax, 25h
		mov	edi, ecx
		shl	edi, 4
		push	654D5050h
		mov	[ebp+var_1C], ecx
		add	eax, edi
		push	eax
		push	1
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_18], esi
		test	esi, esi
		jz	loc_9B84C6
		push	[ebp+var_8]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+var_C]
		add	esp, 0Ch
		xor	edx, edx
		add	edi, esi
		mov	[ebp+var_C], edx
		movzx	eax, byte ptr [ecx+3C5h]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_10]
		mov	[esi], eax
		lea	eax, [ecx+3C4h]
		mov	[esi+10h], eax
		lea	eax, [ebp+var_14]
		mov	[esi+20h], eax
		lea	eax, [ebp+var_4]
		push	4
		pop	ecx
		mov	[esi+4], edx
		mov	dword ptr [esi+8], 2
		mov	[esi+0Ch], edx
		mov	[esi+14h], edx
		mov	dword ptr [esi+18h], 1
		mov	[esi+1Ch], edx
		mov	[esi+24h], edx
		mov	[esi+28h], ecx
		mov	[esi+2Ch], edx
		mov	[esi+30h], eax
		mov	[esi+34h], edx
		mov	[esi+38h], ecx
		mov	[esi+3Ch], edx
		cmp	[ebp+var_4], edx
		jbe	loc_9B84A0
		lea	edx, [esi+4Ch]
		mov	esi, [ebp+var_C]
		lea	ecx, [ebx+124h]

loc_9B8413:				; CODE XREF: PpmEventTraceProcessorIdle(x)+18Dj
		mov	eax, [ecx-4]
		mov	[edi], eax
		mov	eax, [ecx]
		mov	[edi+4], eax
		mov	al, [ecx+24h]
		mov	[edi+8], al
		movzx	eax, byte ptr [ecx+25h]
		mov	[edi+9], eax
		movzx	eax, byte ptr [ecx+26h]
		mov	[edi+0Dh], eax
		movzx	eax, byte ptr [ecx+27h]
		mov	[edi+11h], eax
		movzx	eax, byte ptr [ecx+28h]
		mov	[edi+15h], eax
		movzx	eax, byte ptr [ecx+29h]
		mov	[edi+19h], eax
		movzx	eax, byte ptr [ecx+2Ah]
		mov	[edi+1Dh], eax
		movzx	eax, byte ptr [ecx+2Bh]
		mov	[edi+21h], eax
		and	dword ptr [edx-8], 0
		and	dword ptr [edx], 0
		mov	[edx-0Ch], edi
		mov	dword ptr [edx-4], 25h
		mov	eax, [ecx-8]
		test	eax, eax
		jz	short loc_9B8472
		movzx	ebx, word ptr [ecx-0Ah]
		jmp	short loc_9B847A
; 

loc_9B8472:				; CODE XREF: PpmEventTraceProcessorIdle(x)+162j
		push	1Ch
		pop	ebx
		mov	eax, offset ??_C@_1BM@BCFBFHLN@?$AA?$DM?$AAu?$AAn?$AAs?$AAp?$AAe?$AAc?$AAi?$AAf?$AAi?$AAe?$AAd?$AA?$DO@NNGAKEGL@

loc_9B847A:				; CODE XREF: PpmEventTraceProcessorIdle(x)+168j
		mov	[edx+4], eax
		add	edi, 25h
		and	dword ptr [edx+8], 0
		add	ecx, 44h
		mov	[edx+0Ch], ebx
		and	dword ptr [edx+10h], 0
		inc	esi
		add	edx, 20h
		cmp	esi, [ebp+var_4]
		jb	loc_9B8413
		mov	esi, [ebp+var_18]
		xor	edx, edx

loc_9B84A0:				; CODE XREF: PpmEventTraceProcessorIdle(x)+F9j
		push	esi
		push	[ebp+var_1C]
		push	edx
		push	offset _PPM_ETW_CURRENT_IDLE_RUNDOWN
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		push	654D5050h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9B84C6:				; CODE XREF: PpmEventTraceProcessorIdle(x)+85j
		pop	edi
		pop	esi

loc_9B84C8:				; CODE XREF: PpmEventTraceProcessorIdle(x)+15j
					; PpmEventTraceProcessorIdle(x)+33j
		pop	ebx
		leave
		retn
_PpmEventTraceProcessorIdle@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTraceProcessorPerformance(x)
_PpmEventTraceProcessorPerformance@4 proc near
					; CODE XREF: PpmEventTraceControlCallback+82E4Cp

var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1B0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PpmEtwRegistered, 0
		push	esi
		mov	esi, ecx
		jz	loc_9B88AD
		mov	eax, _PpmEtwHandle
		push	ebx
		mov	ebx, dword_6BFD04
		push	offset _PPM_ETW_CURRENT_PERF_RUNDOWN
		push	ebx
		push	eax
		mov	[ebp+var_1B0], eax
		call	EtwEventEnabled
		test	al, al
		jz	loc_9B88AC
		movzx	eax, byte ptr [esi+3ED4h]
		mov	ecx, [esi+3EA4h]
		push	edi
		mov	edi, [esi+3EA0h]
		mov	[ebp+var_1A0], eax
		mov	eax, [esi+3F0Ch]
		mov	[ebp+var_1A4], eax
		push	64h
		pop	eax
		test	edi, edi
		jz	short loc_9B8560
		mov	edx, [edi+54h]
		xor	eax, eax
		mov	[ebp+var_174], edx
		cmp	[edi+7Fh], al
		setnz	al
		mov	[ebp+var_188], eax
		movzx	eax, byte ptr [edi+78h]
		jmp	short loc_9B8573
; 

loc_9B8560:				; CODE XREF: PpmEventTraceProcessorPerformance(x)+76j
		mov	edx, [esi+3C0h]
		and	[ebp+var_188], 0
		mov	[ebp+var_174], edx

loc_9B8573:				; CODE XREF: PpmEventTraceProcessorPerformance(x)+93j
		mov	[ebp+var_1A8], eax
		mov	edi, edx
		push	64h
		test	ecx, ecx
		jz	short loc_9B85F0
		mov	eax, [ecx+8]
		xor	edx, edx
		mov	[ebp+var_168], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_16C], eax
		mov	eax, [ecx+38h]
		mov	[ebp+var_170], eax
		mov	eax, [ecx+40h]
		mov	[ebp+var_178], eax
		mov	eax, [ecx+44h]
		mov	[ebp+var_17C], eax
		mov	eax, [ecx+48h]
		mov	[ebp+var_180], eax
		mov	eax, [ecx+4Ch]
		mov	[ebp+var_18C], eax
		mov	eax, [ecx+50h]
		mov	[ebp+var_190], eax
		mov	eax, [ecx+3Ch]
		mov	[ebp+var_194], eax
		mov	eax, [ecx+68h]
		mov	[ebp+var_184], eax
		mov	eax, [ecx+64h]
		imul	eax, edi
		pop	ecx
		div	ecx
		xor	edi, edi
		mov	[ebp+var_198], eax
		jmp	short loc_9B8635
; 

loc_9B85F0:				; CODE XREF: PpmEventTraceProcessorPerformance(x)+B4j
		pop	eax
		xor	edi, edi
		mov	[ebp+var_168], eax
		mov	[ebp+var_16C], eax
		mov	[ebp+var_170], eax
		mov	[ebp+var_178], eax
		mov	[ebp+var_17C], eax
		mov	[ebp+var_180], eax
		mov	[ebp+var_18C], edi
		mov	[ebp+var_190], edi
		mov	[ebp+var_194], edx
		mov	[ebp+var_184], eax
		mov	[ebp+var_198], edx

loc_9B8635:				; CODE XREF: PpmEventTraceProcessorPerformance(x)+123j
		movzx	eax, byte ptr [esi+3C5h]
		xor	ecx, ecx
		mov	[ebp+var_19C], eax
		inc	ecx
		lea	eax, [ebp+var_19C]
		mov	[ebp+var_160], edi
		mov	[ebp+var_164], eax
		lea	eax, [esi+3C4h]
		mov	[ebp+var_154], eax
		lea	eax, [ebp+var_1A0]
		mov	[ebp+var_144], eax
		lea	eax, [ebp+var_168]
		mov	[ebp+var_134], eax
		lea	eax, [ebp+var_16C]
		mov	[ebp+var_124], eax
		lea	eax, [ebp+var_170]
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_174]
		mov	[ebp+var_104], eax
		lea	eax, [ebp+var_178]
		mov	[ebp+var_F4], eax
		lea	eax, [ebp+var_17C]
		mov	[ebp+var_E4], eax
		lea	eax, [ebp+var_180]
		mov	[ebp+var_D4], eax
		lea	eax, [ebp+var_184]
		mov	[ebp+var_C4], eax
		lea	eax, [esi+3ED0h]
		mov	[ebp+var_B4], eax
		lea	eax, [esi+3ED1h]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_188]
		push	4
		pop	edx
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_18C]
		mov	[ebp+var_15C], 2
		mov	[ebp+var_158], edi
		mov	[ebp+var_150], edi
		mov	[ebp+var_14C], ecx
		mov	[ebp+var_148], edi
		mov	[ebp+var_140], edi
		mov	[ebp+var_13C], edx
		mov	[ebp+var_138], edi
		mov	[ebp+var_130], edi
		mov	[ebp+var_12C], edx
		mov	[ebp+var_128], edi
		mov	[ebp+var_120], edi
		mov	[ebp+var_11C], edx
		mov	[ebp+var_118], edi
		mov	[ebp+var_110], edi
		mov	[ebp+var_10C], edx
		mov	[ebp+var_108], edi
		mov	[ebp+var_100], edi
		mov	[ebp+var_FC], edx
		mov	[ebp+var_F8], edi
		mov	[ebp+var_F0], edi
		mov	[ebp+var_EC], edx
		mov	[ebp+var_E8], edi
		mov	[ebp+var_E0], edi
		mov	[ebp+var_DC], edx
		mov	[ebp+var_D8], edi
		mov	[ebp+var_D0], edi
		mov	[ebp+var_CC], edx
		mov	[ebp+var_C8], edi
		mov	[ebp+var_C0], edi
		mov	[ebp+var_BC], edx
		mov	[ebp+var_B8], edi
		mov	[ebp+var_B0], edi
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_A8], edi
		mov	[ebp+var_A0], edi
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_98], edi
		mov	[ebp+var_90], edi
		mov	[ebp+var_8C], edx
		mov	[ebp+var_88], edi
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], edi
		mov	[ebp+var_7C], edx
		mov	[ebp+var_78], edi
		lea	eax, [ebp+var_190]
		mov	[ebp+var_70], edi
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_1A4]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_1A8]
		mov	[ebp+var_54], eax
		lea	eax, [esi+3ED2h]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_194]
		mov	[ebp+var_34], eax
		movzx	eax, byte ptr [esi+3D9Bh]
		mov	[ebp+var_1AC], eax
		lea	eax, [ebp+var_1AC]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_198]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_164]
		push	eax
		push	16h
		push	edi
		push	offset _PPM_ETW_CURRENT_PERF_RUNDOWN
		push	ebx
		push	[ebp+var_1B0]
		mov	[ebp+var_6C], edx
		mov	[ebp+var_68], edi
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	edi

loc_9B88AC:				; CODE XREF: PpmEventTraceProcessorPerformance(x)+45j
		pop	ebx

loc_9B88AD:				; CODE XREF: PpmEventTraceProcessorPerformance(x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventTraceProcessorPerformance@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTraceProcessorPerformanceDomainRundown(x)
_PpmEventTraceProcessorPerformanceDomainRundown@4 proc near
					; CODE XREF: PpmEventTraceControlCallback+82E62p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_34		= dword	ptr -34h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PpmEtwRegistered, 0
		push	esi
		mov	esi, ecx
		jz	loc_9B89CD
		push	offset _PPM_ETW_PERF_DOMAIN_RUNDOWN
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_9B89CD
		push	ebx
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		xor	ebx, ebx
		push	ebx
		mov	[ebp+var_54], ebx
		stosd
		stosd
		call	_KeQueryGroupAffinity@4	; KeQueryGroupAffinity(x)
		mov	[ebp+var_10], eax
		mov	edi, ebx
		lea	eax, [ebp+var_10]
		push	eax
		push	eax
		lea	eax, [esi+0Ch]
		push	eax
		call	KeAndGroupAffinityEx
		xor	esi, esi
		inc	esi
		test	eax, eax
		jz	short loc_9B892E
		mov	[ebp+var_54], esi
		mov	edi, esi

loc_9B892E:				; CODE XREF: PpmEventTraceProcessorPerformanceDomainRundown(x)+6Dj
		lea	ecx, [ebp+var_54]
		movzx	eax, di
		mov	[ebp+var_50], ecx
		xor	ecx, ecx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], 2
		mov	[ebp+var_44], ebx
		cmp	cx, ax
		jnb	short loc_9B898E
		mov	edi, eax
		lea	edx, [ebp+var_34]
		lea	esi, ds:1[edi*2]

loc_9B8957:				; CODE XREF: PpmEventTraceProcessorPerformanceDomainRundown(x)+D0j
		imul	eax, ebx, 0Ch
		lea	ecx, [ebp+var_10]
		mov	dword ptr [edx-4], 2
		add	ecx, eax
		lea	eax, [ecx+4]
		mov	[edx-0Ch], eax
		xor	eax, eax
		mov	[edx-8], eax
		inc	ebx
		mov	[edx], eax
		lea	edx, [edx+20h]
		mov	[edx-1Ch], ecx
		mov	[edx-18h], eax
		mov	dword ptr [edx-14h], 4
		mov	[edx-10h], eax
		sub	edi, 1
		jnz	short loc_9B8957
		xor	ebx, ebx

loc_9B898E:				; CODE XREF: PpmEventTraceProcessorPerformanceDomainRundown(x)+8Fj
		mov	eax, esi
		mov	[ebp+var_58], ebx
		add	eax, eax
		lea	ecx, [ebp+var_58]
		mov	[ebp+eax*8+var_50], ecx
		mov	[ebp+eax*8+var_4C], ebx
		mov	[ebp+eax*8+var_48], 4
		mov	[ebp+eax*8+var_44], ebx
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [esi+1]
		push	eax
		push	ebx
		push	offset _PPM_ETW_PERF_DOMAIN_RUNDOWN
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	edi
		pop	ebx

loc_9B89CD:				; CODE XREF: PpmEventTraceProcessorPerformanceDomainRundown(x)+1Cj
					; PpmEventTraceProcessorPerformanceDomainRundown(x)+3Aj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventTraceProcessorPerformanceDomainRundown@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventTraceProfileChange(x, x)
_PpmEventTraceProfileChange@8 proc near	; CODE XREF: PpmApplyProfile(x)+14Ap

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PpmEtwRegistered, 0
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_28], ecx
		jz	short loc_9B8A54
		push	esi
		mov	esi, dword_6BFD04
		push	edi
		mov	edi, _PpmEtwHandle
		push	offset _PPM_ETW_PROCESSOR_PROFILE_CHANGE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B8A52
		mov	eax, [ebp+var_28]
		xor	edx, edx
		add	eax, 4
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], eax
		xor	ecx, ecx
		lea	eax, [ebx+4]
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], eax
		inc	ecx
		lea	eax, [ebp+var_24]
		mov	[ebp+var_1C], ecx
		push	eax
		push	2
		push	edx
		push	offset _PPM_ETW_PROCESSOR_PROFILE_CHANGE
		push	esi
		push	edi
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B8A52:				; CODE XREF: PpmEventTraceProfileChange(x,x)+3Dj
		pop	edi
		pop	esi

loc_9B8A54:				; CODE XREF: PpmEventTraceProfileChange(x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventTraceProfileChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEventVetoReasonRundown()
_PpmEventVetoReasonRundown@0 proc near	; CODE XREF: PpmEventTraceControlCallback+82F68p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		xor	edi, edi
		cmp	_PpmEtwRegistered, 0
		mov	[ebp+var_28], edi
		jz	loc_9B8B06
		push	ebx
		mov	ebx, offset _PPM_ETW_VETO_NAME_RUNDOWN
		push	ebx
		push	dword_6BFD04
		push	_PpmEtwHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9B8B05
		mov	eax, _PpmIdleVetoList
		test	eax, eax
		jz	short loc_9B8B05
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_20], edi
		mov	[ebp+var_24], ecx
		mov	edx, edi
		mov	[ebp+var_1C], 4
		mov	[ebp+var_18], edi
		cmp	[eax], edi
		jbe	short loc_9B8B05
		push	esi

loc_9B8AC5:				; CODE XREF: PpmEventVetoReasonRundown()+A1j
		lea	esi, [edx+1]
		mov	[ebp+var_28], esi
		movzx	ecx, word ptr [eax+edx*8+6]
		mov	eax, [eax+edx*8+8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	edi
		push	ebx
		push	dword_6BFD04
		mov	[ebp+var_10], edi
		push	_PpmEtwHandle
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	eax, _PpmIdleVetoList
		mov	edx, esi
		cmp	edx, [eax]
		jb	short loc_9B8AC5
		pop	esi

loc_9B8B05:				; CODE XREF: PpmEventVetoReasonRundown()+3Fj
					; PpmEventVetoReasonRundown()+48j ...
		pop	ebx

loc_9B8B06:				; CODE XREF: PpmEventVetoReasonRundown()+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmEventVetoReasonRundown@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeConvertIntervalBucketsTo(x, x, x, x, x)
_PopIdleWakeConvertIntervalBucketsTo@20	proc near
					; CODE XREF: PopIdleWakeNotifyModernStandbyExit(x,x)+DAp
					; PopIdleWakeSourceAccountingToDiagnostic(x,x)+13Ep ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jz	short loc_9B8B48
		push	esi
		mov	esi, [ebp+arg_0]
		sub	edi, esi

loc_9B8B28:				; CODE XREF: PopIdleWakeConvertIntervalBucketsTo(x,x,x,x,x)+32j
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	dword ptr [edi+esi+4]
		push	dword ptr [edi+esi]
		call	_PpmConvertTimeTo@16 ; PpmConvertTimeTo(x,x,x,x)
		mov	[esi], eax
		lea	esi, [esi+8]
		mov	[esi-4], edx
		sub	ebx, 1
		jnz	short loc_9B8B28
		pop	esi

loc_9B8B48:				; CODE XREF: PopIdleWakeConvertIntervalBucketsTo(x,x,x,x,x)+Dj
		pop	edi
		pop	ebx
		pop	ebp
		retn	0Ch
_PopIdleWakeConvertIntervalBucketsTo@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeGenerateDescriptionString(x, x)
_PopIdleWakeGenerateDescriptionString@8	proc near
					; CODE XREF: PopIdleWakeSourceAccountingToDiagnostic(x,x)+237p

var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_28], eax
		mov	eax, [ecx]
		mov	[ebp+var_20], esi
		lea	ebx, [esi+184h]
		push	edi
		lea	edi, [ecx+4]
		cmp	eax, 4
		ja	short loc_9B8B95
		mov	edx, dword ptr ds:(loc_A400B1+3)[eax*4]
		push	ecx
		push	ecx
		mov	ecx, ebx
		call	RtlUnicodeStringInitWorker
		jmp	loc_9B8D98
; 

loc_9B8B95:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+30j
		cmp	eax, 6
		jnz	loc_9B8CA9
		mov	al, [edi]
		mov	[ebp+var_15], al
		cmp	al, 10h
		jb	short loc_9B8BEC
		push	67696450h
		push	40h
		pop	eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+4], eax
		test	eax, eax
		jnz	short loc_9B8BC8

loc_9B8BBE:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+117j
					; PopIdleWakeGenerateDescriptionString(x,x)+1DCj
		mov	eax, 0C000009Ah
		jmp	loc_9B8D98
; 

loc_9B8BC8:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+6Ej
		mov	byte ptr [esi+180h], 1
		xor	eax, eax
		mov	[ebx], ax
		mov	edx, offset ??_C@_1DM@EGKJDIJH@?$AAT?$AAi?$AAm?$AAe?$AAr?$AA?$CI?$AAC?$AAo?$AAm?$AAp?$AAo?$AAn?$AAe?$AAn?$AAt@NNGAKEGL@	; "Timer(Component:Index): %d:%d"
		push	40h
		pop	eax
		mov	[ebx+2], ax
		movzx	ecx, byte ptr [edi]
		movzx	eax, byte ptr [edi+2]
		jmp	loc_9B8C98
; 

loc_9B8BEC:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+57j
		movzx	eax, al
		lea	ecx, [ebp+var_1C]
		push	ecx
		mov	edx, 0FFFFh
		mov	eax, dword ptr ds:_PopIrTimerDescriptions[eax*4]
		mov	ecx, eax
		mov	dword ptr [ebp+var_24],	eax
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		test	eax, eax
		js	loc_9B8D98
		cmp	[ebp+var_15], 3
		jnz	short loc_9B8C3B
		lea	eax, [ebp+var_28]
		mov	edx, 80h
		push	eax
		lea	ecx, [edi+2]
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		test	eax, eax
		js	loc_9B8D98
		mov	esi, [ebp+var_28]
		add	esi, 2Ah
		add	esi, [ebp+var_1C]
		jmp	short loc_9B8C41
; 

loc_9B8C3B:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+C7j
		mov	esi, [ebp+var_1C]
		add	esi, 30h

loc_9B8C41:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+EBj
		cmp	esi, 0FFFFh
		jbe	short loc_9B8C53

loc_9B8C49:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+1C4j
		mov	eax, 80000005h
		jmp	loc_9B8D98
; 

loc_9B8C53:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+F9j
		push	67696450h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+4], eax
		test	eax, eax
		jz	loc_9B8BBE
		mov	ecx, [ebp+var_20]
		xor	eax, eax
		mov	byte ptr [ecx+180h], 1
		mov	ecx, dword ptr [ebp+var_24]
		mov	[ebx], ax
		lea	eax, [edi+2]
		mov	[ebx+2], si
		cmp	byte ptr [edi],	3
		jnz	short loc_9B8C90
		mov	edx, offset ??_C@_1DC@FCCKNOPN@?$AAT?$AAi?$AAm?$AAe?$AAr?$AA?$CI?$AAN?$AAa?$AAm?$AAe?$AA?3?$AAI?$AAn?$AAd?$AAe@NNGAKEGL@ ; "Timer(Name:Index): %s:%s"
		jmp	short loc_9B8C98
; 

loc_9B8C90:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+139j
		movzx	eax, byte ptr [eax]
		mov	edx, offset ??_C@_1DC@JPOELBNL@?$AAT?$AAi?$AAm?$AAe?$AAr?$AA?$CI?$AAN?$AAa?$AAm?$AAe?$AA?3?$AAI?$AAn?$AAd?$AAe@NNGAKEGL@ ; "T"

loc_9B8C98:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+99j
					; PopIdleWakeGenerateDescriptionString(x,x)+140j
		push	eax
		push	ecx		; char
		push	edx		; wchar_t *
		push	ebx		; int
		call	_RtlUnicodeStringPrintf
		add	esp, 10h
		jmp	loc_9B8D98
; 

loc_9B8CA9:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+4Aj
		cmp	eax, 5
		jnz	loc_9B8D93
		lea	eax, [esi+18Ch]
		mov	ecx, offset _PopIdleWakeSystemImageCallback@8 ;	PopIdleWakeSystemImageCallback(x,x)
		mov	esi, edi
		mov	[ebp+var_8], eax
		lea	edi, [ebp+var_14]
		lea	edx, [ebp+var_14]
		movsd
		movsd
		movsd
		call	MmEnumerateSystemImages
		test	eax, eax
		js	loc_9B8D98
		mov	eax, [ebp+var_20]
		xor	edi, edi
		mov	esi, edi
		mov	ecx, edi
		mov	edx, [eax+18Ch]
		mov	dword ptr [ebp+var_24],	edx
		test	edx, edx
		jz	short loc_9B8D09
		lea	edx, [eax+190h]

loc_9B8CF4:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+1B9j
		test	ecx, ecx
		jz	short loc_9B8CFB
		add	esi, 4

loc_9B8CFB:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+1A8j
		movzx	eax, word ptr [edx]
		add	edx, 8
		add	esi, eax
		inc	ecx
		cmp	ecx, dword ptr [ebp+var_24]
		jb	short loc_9B8CF4

loc_9B8D09:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+19Ej
		add	esi, 18h
		cmp	esi, 0FFFFh
		ja	loc_9B8C49
		push	67696450h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+4], eax
		test	eax, eax
		jz	loc_9B8BBE
		mov	eax, [ebp+var_20]
		mov	edx, offset ??_C@_1BI@BGBJMENA@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAr?$AAu?$AAp?$AAt?$AA?3?$AA?5@NNGAKEGL@ ; "Interrupt: "
		mov	ecx, ebx
		mov	byte ptr [eax+180h], 1
		xor	eax, eax
		mov	[ebx], ax
		mov	[ebx+2], si
		call	_RtlUnicodeStringCopyString@8 ;	RtlUnicodeStringCopyString(x,x)
		mov	esi, [ebp+var_20]
		cmp	[esi+18Ch], edi
		jbe	short loc_9B8D98
		lea	ecx, [esi+190h]
		mov	[ebp+var_1C], ecx

loc_9B8D63:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+241j
		test	edi, edi
		jz	short loc_9B8D76
		mov	edx, offset ??_C@_15JOGBDECP@?$AA?0?$AA?5@NNGAKEGL@
		mov	ecx, ebx
		call	_RtlUnicodeStringCatString@8 ; RtlUnicodeStringCatString(x,x)
		mov	ecx, [ebp+var_1C]

loc_9B8D76:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+217j
		mov	edx, ecx
		mov	ecx, ebx
		call	_RtlUnicodeStringCat@8 ; RtlUnicodeStringCat(x,x)
		mov	ecx, [ebp+var_1C]
		inc	edi
		add	ecx, 8
		mov	[ebp+var_1C], ecx
		cmp	edi, [esi+18Ch]
		jb	short loc_9B8D63
		jmp	short loc_9B8D98
; 

loc_9B8D93:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+15Ej
		mov	eax, 0C000000Dh

loc_9B8D98:				; CODE XREF: PopIdleWakeGenerateDescriptionString(x,x)+42j
					; PopIdleWakeGenerateDescriptionString(x,x)+75j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopIdleWakeGenerateDescriptionString@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeSourceAccountingToDiagnostic(x, x)
_PopIdleWakeSourceAccountingToDiagnostic@8 proc	near
					; CODE XREF: PopIdleWakeNotifyModernStandbyExit(x,x)+208p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	1B8h		; size_t
		xor	edi, edi
		mov	ebx, edx
		mov	esi, ecx
		push	edi		; int
		push	ebx		; void *
		mov	[ebp+var_4], esi
		call	_memset
		mov	eax, [esi]
		add	esp, 0Ch
		mov	[ebx], eax
		mov	eax, [esi+98h]
		mov	[ebx+4], eax
		mov	eax, [esi+94h]
		push	edi
		push	0F4240h
		mov	[ebx+8], eax
		push	dword ptr [esi+0A4h]
		push	dword ptr [esi+0A0h]
		call	_PpmConvertTimeTo@16 ; PpmConvertTimeTo(x,x,x,x)
		push	edi
		push	0F4240h
		mov	[ebx+10h], eax
		mov	[ebx+14h], edx
		push	dword ptr [esi+0ACh]
		push	dword ptr [esi+0A8h]
		call	_PpmConvertTimeTo@16 ; PpmConvertTimeTo(x,x,x,x)
		push	edi
		push	0F4240h
		mov	[ebx+18h], eax
		mov	[ebx+1Ch], edx
		push	dword ptr [esi+0B4h]
		push	dword ptr [esi+0B0h]
		call	_PpmConvertTimeTo@16 ; PpmConvertTimeTo(x,x,x,x)
		mov	[ebx+24h], edx
		lea	edi, [ebx+28h]
		mov	edx, [ebp+var_4]
		add	esi, 0B8h
		push	9
		pop	ecx
		mov	[ebx+20h], eax
		rep movsd
		push	0Bh
		lea	esi, [edx+0DCh]
		lea	edi, [ebx+4Ch]
		pop	ecx
		rep movsd
		xor	edi, edi
		mov	ecx, edi

loc_9B8E58:				; CODE XREF: PopIdleWakeSourceAccountingToDiagnostic(x,x)+F0j
		movzx	eax, word ptr [ebx+1A8h]
		imul	esi, eax, 0Ah
		mov	[esi+ebx+1AAh],	cx
		test	cx, cx
		jnz	short loc_9B8E77
		mov	eax, [edx+90h]
		jmp	short loc_9B8E79
; 

loc_9B8E77:				; CODE XREF: PopIdleWakeSourceAccountingToDiagnostic(x,x)+C6j
		mov	eax, edi

loc_9B8E79:				; CODE XREF: PopIdleWakeSourceAccountingToDiagnostic(x,x)+CEj
		mov	[esi+ebx+1ACh],	eax
		or	eax, edi
		mov	[esi+ebx+1B0h],	edi
		jz	short loc_9B8E92
		inc	word ptr [ebx+1A8h]

loc_9B8E92:				; CODE XREF: PopIdleWakeSourceAccountingToDiagnostic(x,x)+E2j
		inc	ecx
		cmp	cx, 1
		jb	short loc_9B8E58
		push	edi
		push	0F4240h
		push	dword ptr [edx+114h]
		push	dword ptr [edx+110h]
		call	_PpmConvertTimeTo@16 ; PpmConvertTimeTo(x,x,x,x)
		mov	esi, [ebp+var_4]
		lea	edi, [ebx+80h]
		push	5
		pop	ecx
		mov	[ebx+78h], eax
		add	esi, 118h
		mov	[ebx+7Ch], edx
		lea	eax, [ebx+98h]
		rep movsd
		mov	esi, [ebp+var_4]
		mov	edi, 0F4240h
		push	0
		push	edi
		push	eax
		push	5
		lea	edx, [esi+130h]
		pop	ecx
		call	_PopIdleWakeConvertIntervalBucketsTo@20	; PopIdleWakeConvertIntervalBucketsTo(x,x,x,x,x)
		push	0
		push	edi
		push	dword ptr [esi+15Ch]
		push	dword ptr [esi+158h]
		call	_PpmConvertTimeTo@16 ; PpmConvertTimeTo(x,x,x,x)
		push	5
		pop	ecx
		mov	[ebx+0C0h], eax
		lea	edi, [ebx+0C8h]
		mov	[ebx+0C4h], edx
		lea	eax, [ebx+0E0h]
		add	esi, 160h
		rep movsd
		mov	esi, [ebp+var_4]
		mov	edi, 0F4240h
		push	0
		push	edi
		push	eax
		push	5
		lea	edx, [esi+178h]
		pop	ecx
		call	_PopIdleWakeConvertIntervalBucketsTo@20	; PopIdleWakeConvertIntervalBucketsTo(x,x,x,x,x)
		push	0
		push	edi
		push	dword ptr [esi+1A4h]
		push	dword ptr [esi+1A0h]
		call	_PpmConvertTimeTo@16 ; PpmConvertTimeTo(x,x,x,x)
		push	5
		pop	ecx
		mov	[ebx+108h], eax
		lea	edi, [ebx+110h]
		mov	[ebx+10Ch], edx
		lea	eax, [ebx+128h]
		add	esi, 1A8h
		rep movsd
		mov	esi, [ebp+var_4]
		mov	edi, 0F4240h
		push	0
		push	edi
		push	eax
		push	5
		lea	edx, [esi+1C0h]
		pop	ecx
		call	_PopIdleWakeConvertIntervalBucketsTo@20	; PopIdleWakeConvertIntervalBucketsTo(x,x,x,x,x)
		push	0
		push	edi
		push	dword ptr [esi+1ECh]
		push	dword ptr [esi+1E8h]
		call	_PpmConvertTimeTo@16 ; PpmConvertTimeTo(x,x,x,x)
		add	esi, 1F0h
		mov	[ebx+150h], eax
		mov	[ebx+154h], edx
		lea	edi, [ebx+158h]
		push	0
		push	0F4240h
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_4]
		lea	eax, [ebx+168h]
		push	eax
		push	3
		pop	ecx
		lea	edx, [esi+200h]
		call	_PopIdleWakeConvertIntervalBucketsTo@20	; PopIdleWakeConvertIntervalBucketsTo(x,x,x,x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	_PopIdleWakeGenerateDescriptionString@8	; PopIdleWakeGenerateDescriptionString(x,x)
		test	eax, eax
		js	short loc_9B8FE9
		xor	eax, eax

loc_9B8FE9:				; CODE XREF: PopIdleWakeSourceAccountingToDiagnostic(x,x)+23Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopIdleWakeSourceAccountingToDiagnostic@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeSystemImageCallback(x, x)
_PopIdleWakeSystemImageCallback@8 proc near
					; DATA XREF: PopIdleWakeGenerateDescriptionString(x,x)+16Ao

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_4], ecx
		xor	ecx, ecx
		push	edi
		mov	edi, ecx

loc_9B9008:				; CODE XREF: PopIdleWakeSystemImageCallback(x,x)+98j
		mov	esi, [eax+edi*4]
		test	esi, esi
		jz	loc_9B9096
		mov	edx, [ebx+18h]
		cmp	esi, edx
		jb	short loc_9B9082
		mov	eax, [ebx+20h]
		add	eax, edx
		cmp	esi, eax
		jnb	short loc_9B907F
		mov	edx, [ebp+var_4]
		mov	eax, [edx]
		lea	ecx, [edx+4]
		lea	ecx, [ecx+eax*8]
		inc	eax
		mov	[edx], eax
		movzx	eax, word ptr [ebx+2Ch]
		sub	esi, [ebx+18h]
		add	eax, 18h
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_8], eax
		cmp	eax, 0FFFFh
		ja	short loc_9B9091
		push	67696450h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx+4], eax
		test	eax, eax
		jz	short loc_9B908A
		xor	eax, eax
		mov	[ecx], ax
		mov	eax, [ebp+var_8]
		push	esi
		mov	[ecx+2], ax
		push	dword ptr [ebx+30h] ; char
		push	offset ??_C@_1BE@OMOPHHFG@?$AA?$CF?$AAs?$AA?$CL?$AA0?$AAx?$AA?$CF?$AA0?$AA8?$AAX@NNGAKEGL@ ; wchar_t *
		push	ecx		; int
		call	_RtlUnicodeStringPrintf
		add	esp, 10h
		mov	ecx, eax

loc_9B907F:				; CODE XREF: PopIdleWakeSystemImageCallback(x,x)+33j
		mov	eax, [ebp+arg_4]

loc_9B9082:				; CODE XREF: PopIdleWakeSystemImageCallback(x,x)+2Aj
		inc	edi
		cmp	edi, 3
		jb	short loc_9B9008
		jmp	short loc_9B9096
; 

loc_9B908A:				; CODE XREF: PopIdleWakeSystemImageCallback(x,x)+6Fj
		mov	ecx, 0C000009Ah
		jmp	short loc_9B9096
; 

loc_9B9091:				; CODE XREF: PopIdleWakeSystemImageCallback(x,x)+58j
		mov	ecx, 80000005h

loc_9B9096:				; CODE XREF: PopIdleWakeSystemImageCallback(x,x)+1Fj
					; PopIdleWakeSystemImageCallback(x,x)+9Aj ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	8
_PopIdleWakeSystemImageCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleWakeTraceWakeSourceDiagnostic(x, x, x)
_PopIdleWakeTraceWakeSourceDiagnostic@12 proc near
					; CODE XREF: PopIdleWakeNotifyModernStandbyExit(x,x)+21Ep

var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_320		= dword	ptr -320h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2FC		= dword	ptr -2FCh
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2EC		= dword	ptr -2ECh
var_2E8		= dword	ptr -2E8h
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2D9		= dword	ptr -2D9h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_24C		= dword	ptr -24Ch
var_228		= dword	ptr -228h
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 334h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_2F4], 0
		xor	eax, eax
		and	[ebp+var_2F0], 0
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	esi, ecx
		stosd
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		stosd
		stosd
		lea	eax, [ebp+var_2F4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ebx, [esi]
		push	3
		pop	edx
		cmp	ebx, 5
		jnz	short loc_9B9110
		mov	ecx, [esi+18Ch]
		cmp	ecx, edx
		jbe	short loc_9B90F6
		mov	ecx, edx

loc_9B90F6:				; CODE XREF: PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+53j
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_9B911C

loc_9B90FC:				; CODE XREF: PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+6Dj
		lea	eax, [esi+190h]
		lea	eax, [eax+edi*8]
		mov	[ebp+edi*4+var_18], eax
		inc	edi
		cmp	edi, ecx
		jb	short loc_9B90FC
		jmp	short loc_9B911C
; 

loc_9B9110:				; CODE XREF: PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+49j
		xor	ecx, ecx
		lea	eax, [esi+184h]
		inc	ecx
		mov	[ebp+var_18], eax

loc_9B911C:				; CODE XREF: PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+5Bj
					; PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+6Fj
		cmp	ecx, edx
		jnb	short loc_9B9132
		lea	edi, [ebp+var_18]
		sub	edx, ecx
		lea	edi, [edi+ecx*4]
		mov	ecx, edx
		lea	eax, [ebp+var_2F4]
		rep stosd

loc_9B9132:				; CODE XREF: PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+7Fj
		xor	edi, edi
		cmp	dword_6B23F8, 5
		jbe	loc_9B95B8
		push	4000h
		push	edi
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9B95B8
		mov	eax, [ebp+arg_0]
		lea	edx, [ebp+var_1D0]
		mov	[ebp+var_300], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_2FC], eax
		lea	eax, [ebp+var_300]
		mov	[ebp+var_208], eax
		lea	eax, [ebp+var_2E8]
		mov	[ebp+var_1F8], eax
		mov	eax, [ebp+var_18]
		mov	[ebp+var_2E8], ebx
		mov	[ebp+var_204], edi
		mov	[ebp+var_200], 8
		mov	[ebp+var_1FC], edi
		mov	[ebp+var_1F4], edi
		mov	[ebp+var_1F0], 4
		mov	[ebp+var_1EC], edi
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_1D8], eax
		mov	eax, ecx
		mov	[ebp+var_1D0], eax
		mov	eax, [ebp+var_14]
		push	2
		pop	ebx
		mov	[ebp+var_1E8], edx
		lea	edx, [ebp+var_1B0]
		mov	[ebp+var_1E0], ebx
		mov	[ebp+var_1E4], edi
		mov	[ebp+var_1DC], edi
		mov	[ebp+var_1D4], edi
		mov	[ebp+var_1CC], edi
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_1B8], eax
		mov	eax, ecx
		mov	[ebp+var_1B0], eax
		mov	eax, [ebp+var_10]
		mov	[ebp+var_1C8], edx
		lea	edx, [ebp+var_190]
		mov	[ebp+var_1C0], ebx
		mov	[ebp+var_1C4], edi
		mov	[ebp+var_1BC], edi
		mov	[ebp+var_1B4], edi
		mov	[ebp+var_1AC], edi
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_198], eax
		mov	eax, ecx
		mov	[ebp+var_190], eax
		mov	eax, [esi+8]
		mov	[ebp+var_2E0], eax
		lea	eax, [ebp+var_2E0]
		mov	[ebp+var_188], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_308], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_304], eax
		lea	eax, [ebp+var_308]
		push	4
		mov	[ebp+var_1A8], edx
		pop	edx
		mov	[ebp+var_178], eax
		mov	eax, [esi+18h]
		push	8
		mov	[ebp+var_310], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_1A0], ebx
		pop	ebx
		mov	[ebp+var_30C], eax
		lea	eax, [ebp+var_310]
		mov	[ebp+var_1A4], edi
		mov	[ebp+var_19C], edi
		mov	[ebp+var_194], edi
		mov	[ebp+var_18C], edi
		mov	[ebp+var_184], edi
		mov	[ebp+var_180], edx
		mov	[ebp+var_17C], edi
		mov	[ebp+var_174], edi
		mov	[ebp+var_170], ebx
		mov	[ebp+var_16C], edi
		mov	[ebp+var_168], eax
		lea	ecx, [esi+1A8h]
		mov	eax, [esi+20h]
		mov	[ebp+var_318], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_314], eax
		lea	eax, [ebp+var_318]
		mov	[ebp+var_158], eax
		lea	eax, [esi+1AAh]
		mov	[ebp+var_138], eax
		movzx	eax, word ptr [ecx]
		imul	eax, 0Ah
		push	14h
		mov	[ebp+var_E0], edx
		pop	edx
		push	28h
		mov	[ebp+var_130], eax
		lea	eax, [esi+28h]
		mov	[ebp+var_118], eax
		lea	eax, [esi+4Ch]
		mov	[ebp+var_F8], eax
		mov	eax, [esi+4]
		mov	[ebp+var_2E4], eax
		lea	eax, [ebp+var_2E4]
		mov	[ebp+var_E8], eax
		mov	eax, [esi+78h]
		mov	[ebp+var_320], eax
		mov	eax, [esi+7Ch]
		mov	[ebp+var_31C], eax
		lea	eax, [ebp+var_320]
		mov	[ebp+var_D8], eax
		lea	eax, [esi+80h]
		mov	[ebp+var_C8], eax
		lea	eax, [esi+98h]
		mov	[ebp+var_B8], eax
		mov	eax, [esi+0C0h]
		mov	[ebp+var_328], eax
		mov	eax, [esi+0C4h]
		mov	[ebp+var_148], ecx
		mov	[ebp+var_324], eax
		lea	eax, [ebp+var_328]
		pop	ecx
		mov	[ebp+var_164], edi
		mov	[ebp+var_160], ebx
		mov	[ebp+var_15C], edi
		mov	[ebp+var_154], edi
		mov	[ebp+var_150], ebx
		mov	[ebp+var_14C], edi
		mov	[ebp+var_144], edi
		mov	[ebp+var_140], 2
		mov	[ebp+var_13C], edi
		mov	[ebp+var_134], edi
		mov	[ebp+var_12C], edi
		mov	[ebp+var_128], offset _PopIdleWakeIdleAccountingBucketLimitsMs
		mov	[ebp+var_124], edi
		mov	[ebp+var_120], 50h
		mov	[ebp+var_11C], edi
		mov	[ebp+var_114], edi
		mov	[ebp+var_110], 24h
		mov	[ebp+var_10C], edi
		mov	[ebp+var_108], offset _PopIdleWakePeriodAccountingBucketLimitsMs
		mov	[ebp+var_104], edi
		mov	[ebp+var_100], 60h
		mov	[ebp+var_FC], edi
		mov	[ebp+var_F4], edi
		mov	[ebp+var_F0], 2Ch
		mov	[ebp+var_EC], edi
		mov	[ebp+var_E4], edi
		mov	[ebp+var_DC], edi
		mov	[ebp+var_D4], edi
		mov	[ebp+var_D0], ebx
		mov	[ebp+var_CC], edi
		mov	[ebp+var_C4], edi
		mov	[ebp+var_C0], edx
		mov	[ebp+var_BC], edi
		mov	[ebp+var_B4], edi
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_AC], edi
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A4], edi
		mov	[ebp+var_A0], ebx
		lea	eax, [esi+0C8h]
		mov	[ebp+var_9C], edi
		mov	[ebp+var_98], eax
		lea	eax, [esi+0E0h]
		mov	[ebp+var_88], eax
		mov	eax, [esi+108h]
		mov	[ebp+var_330], eax
		mov	eax, [esi+10Ch]
		mov	[ebp+var_32C], eax
		lea	eax, [ebp+var_330]
		mov	[ebp+var_78], eax
		lea	eax, [esi+110h]
		mov	[ebp+var_68], eax
		lea	eax, [esi+128h]
		mov	[ebp+var_58], eax
		mov	eax, [esi+150h]
		mov	[ebp+var_18], eax
		mov	eax, [esi+154h]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_48], eax
		lea	eax, [esi+158h]
		mov	[ebp+var_38], eax
		lea	eax, [esi+168h]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_228]
		push	eax
		push	21h
		push	edi
		push	edi
		push	offset loc_42022B
		push	offset dword_6B23F8
		mov	[ebp+var_94], edi
		mov	[ebp+var_90], edx
		mov	[ebp+var_8C], edi
		mov	[ebp+var_84], edi
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], edi
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], edi
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], 0Ch
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], 18h
		mov	[ebp+var_1C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	short loc_9B95BB
; 

loc_9B95B8:				; CODE XREF: PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+9Cj
					; PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+B4j
		push	8
		pop	ebx

loc_9B95BB:				; CODE XREF: PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+517j
		cmp	_PopDiagHandleRegistered, 0
		jz	loc_9B979F
		push	offset _POP_ETW_EVENT_DRIPS_WAKE_ACCOUNTING_SUMMARY
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_9B979F
		mov	al, byte ptr _PopWnfCsEnterScenarioId
		movzx	ecx, word ptr [esi+184h]
		mov	byte ptr [ebp+var_2D9],	al
		lea	eax, [ebp+var_2D9]
		mov	[ebp+var_2D9+1], eax
		lea	eax, [esi+8]
		mov	[ebp+var_2C8], eax
		lea	eax, [esi+10h]
		mov	[ebp+var_2B8], eax
		lea	eax, [esi+18h]
		mov	[ebp+var_2A8], eax
		lea	eax, [esi+20h]
		mov	[ebp+var_298], eax
		mov	eax, ecx
		shr	eax, 1
		mov	[ebp+var_2EC], eax
		lea	eax, [ebp+var_2EC]
		mov	[ebp+var_288], eax
		mov	eax, [esi+188h]
		mov	[ebp+var_278], eax
		lea	eax, [esi+1A8h]
		push	4
		mov	[ebp+var_268], eax
		movzx	eax, word ptr [eax]
		mov	[ebp+var_2D4], edi
		mov	[ebp+var_2D0], 1
		mov	[ebp+var_2CC], edi
		mov	[ebp+var_2C4], edi
		mov	[ebp+var_2BC], edi
		mov	[ebp+var_2B4], edi
		mov	[ebp+var_2B0], ebx
		mov	[ebp+var_2AC], edi
		mov	[ebp+var_2A4], edi
		mov	[ebp+var_2A0], ebx
		mov	[ebp+var_29C], edi
		mov	[ebp+var_294], edi
		mov	[ebp+var_290], ebx
		mov	[ebp+var_28C], edi
		mov	[ebp+var_284], edi
		mov	[ebp+var_27C], edi
		mov	[ebp+var_274], edi
		mov	[ebp+var_270], ecx
		mov	[ebp+var_26C], edi
		mov	[ebp+var_264], edi
		mov	[ebp+var_260], 2
		mov	[ebp+var_25C], edi
		pop	edx
		mov	[ebp+var_2C0], edx
		mov	[ebp+var_280], edx
		test	eax, eax
		jz	short loc_9B9753
		lea	ebx, ds:8[eax*2]
		mov	[ebp+var_2E0], ebx
		lea	edx, [ebp+var_24C]
		mov	ebx, eax

loc_9B970D:				; CODE XREF: PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+6AAj
		and	dword ptr [edx-8], 0
		lea	eax, [esi+1AAh]
		and	dword ptr [edx], 0
		lea	edx, [edx+20h]
		imul	ecx, edi, 0Ah
		mov	dword ptr [edx-24h], 2
		add	eax, ecx
		mov	[edx-2Ch], eax
		lea	eax, [esi+1ACh]
		add	eax, ecx
		mov	dword ptr [edx-14h], 4
		xor	ecx, ecx
		mov	[edx-1Ch], eax
		inc	edi
		mov	[edx-18h], ecx
		mov	[edx-10h], ecx
		cmp	edi, ebx
		jb	short loc_9B970D
		mov	ebx, [ebp+var_2E0]
		jmp	short loc_9B9755
; 

loc_9B9753:				; CODE XREF: PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+657j
		xor	ecx, ecx

loc_9B9755:				; CODE XREF: PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+6B2j
		mov	eax, ebx
		add	eax, eax
		mov	[ebp+eax*8+var_2D9+1], offset _PopWnfCsEnterScenarioId
		mov	[ebp+eax*8+var_2D4], ecx
		mov	[ebp+eax*8+var_2D0], 8
		mov	[ebp+eax*8+var_2CC], ecx
		lea	eax, [ebp+var_2D9+1]
		push	eax
		lea	eax, [ebx+1]
		push	eax
		push	ecx
		push	offset _POP_ETW_EVENT_DRIPS_WAKE_ACCOUNTING_SUMMARY
		push	dword_6C1D74
		push	_PopDiagHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9B979F:				; CODE XREF: PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+523j
					; PopIdleWakeTraceWakeSourceDiagnostic(x,x,x)+541j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopIdleWakeTraceWakeSourceDiagnostic@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopActiveLockScreenPowerRequest(x, x, x)
_PopActiveLockScreenPowerRequest@12 proc near ;	DATA XREF: .data:006B1494o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		xor	cl, cl
		mov	[esp+10h+var_8], ebx
		mov	[esp+10h+var_4], ebx
		call	PopAcquireAdaptiveLock
		cmp	[ebp+arg_8], bl
		jnz	short loc_9B97F6
		mov	byte_6BFBB5, bl
		call	_PopGetLockConsoleTimeoutUnsafe@4 ; PopGetLockConsoleTimeoutUnsafe(x)
		mov	[esp+10h+var_8], eax
		test	eax, eax
		jz	short loc_9B9830
		cmp	byte_6BFBB4, bl
		jz	short loc_9B9830
		mov	byte_6BFBB6, 1
		jmp	short loc_9B9814
; 

loc_9B97F6:				; CODE XREF: PopActiveLockScreenPowerRequest(x,x,x)+20j
		mov	byte_6BFBB5, 1
		cmp	byte_6BFBB6, bl
		jz	short loc_9B9830
		mov	eax, _PopDisplayTimeout
		mov	byte_6BFBB6, bl
		mov	[esp+10h+var_8], eax

loc_9B9814:				; CODE XREF: PopActiveLockScreenPowerRequest(x,x,x)+44j
		mov	ecx, _PopConsoleContext
		lea	edx, [esp+10h+var_8]
		push	ebx
		mov	dword_6BFB6C, eax
		mov	byte ptr word_6BFB70+1,	1
		call	_PopUpdateTimeouts@12 ;	PopUpdateTimeouts(x,x,x)

loc_9B9830:				; CODE XREF: PopActiveLockScreenPowerRequest(x,x,x)+33j
					; PopActiveLockScreenPowerRequest(x,x,x)+3Bj ...
		call	PopReleaseAdaptiveLock
		xor	eax, eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PopActiveLockScreenPowerRequest@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopCheckConsoleTimeouts()
_PopCheckConsoleTimeouts@0 proc	near	; CODE XREF: PopAdaptivePowerSettingCallback:loc_886B5Ep
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	offset ??_C@_0CN@MDILNJAB@PopAdaptive?3?5?$DO?$DO?$DO?$DO?$DO?5Policy?5param@NNGAKEGL@ ; "PopAdaptive: >>>>> Policy parameters ch"...
		push	3
		call	_PopPrintEx
		mov	ebx, _PopConsoleContext
		pop	ecx
		pop	ecx
		mov	ecx, ebx
		call	_PopGetDisplayTimeout@4	; PopGetDisplayTimeout(x)
		cmp	byte ptr dword_6BFBA8+1, 0
		mov	esi, eax
		mov	edi, _PopInputTimeout
		jz	short loc_9B9873
		test	edi, edi
		jnz	short loc_9B98DD

loc_9B9873:				; CODE XREF: PopCheckConsoleTimeouts()+2Fj
		test	edi, edi
		jnz	short loc_9B9880
		mov	byte ptr dword_6BFBA8+1, 0
		jmp	short loc_9B9888
; 

loc_9B9880:				; CODE XREF: PopCheckConsoleTimeouts()+37j
		cmp	edi, dword_6BFBA4
		jz	short loc_9B98DD

loc_9B9888:				; CODE XREF: PopCheckConsoleTimeouts()+40j
		push	edi
		push	dword_6BFBA4
		push	offset ??_C@_0CE@EMIHCFNH@PopAdaptive?3?5Input?5timeout?3?5?$CFu?9@NNGAKEGL@ ; "PopAdaptive: Input timeout: %u->%u\n"
		push	3
		call	_PopPrintEx
		movzx	eax, byte ptr dword_6BFBA8
		add	esp, 10h
		movzx	edx, byte ptr dword_6BFBA8+1
		mov	ecx, edi
		mov	dword_6BFBA4, edi
		push	eax
		call	_PopDiagTraceInputTimeout@12 ; PopDiagTraceInputTimeout(x,x,x)
		test	edi, edi
		mov	dword_6BFB68, edi
		mov	byte ptr word_6BFB70, 1
		setnz	byte_6BFBC4
		test	edi, edi
		jnz	short loc_9B98DD
		xor	edx, edx
		mov	ecx, ebx
		call	_PopSetSessionUserStatus@8 ; PopSetSessionUserStatus(x,x)

loc_9B98DD:				; CODE XREF: PopCheckConsoleTimeouts()+33j
					; PopCheckConsoleTimeouts()+48j ...
		cmp	byte ptr dword_6BFBB0, 0
		jz	short loc_9B98F9
		test	esi, esi
		jz	short loc_9B98F9
		push	dword_6BFBBC
		mov	edx, esi
		call	_PopComputeTimeout@12 ;	PopComputeTimeout(x,x,x)
		mov	esi, eax

loc_9B98F9:				; CODE XREF: PopCheckConsoleTimeouts()+A6j
					; PopCheckConsoleTimeouts()+AAj
		mov	eax, dword_6BFBAC
		cmp	esi, eax
		jz	short loc_9B993C
		push	esi
		push	eax
		push	offset ??_C@_0CG@JOMKCNGF@PopAdaptive?3?5Display?5timeout?3?5?$CF@NNGAKEGL@ ; "PopAdaptive: Display timeout: %u->%u\n"
		push	3
		call	_PopPrintEx
		movzx	eax, byte ptr dword_6BFBB0
		add	esp, 10h
		movzx	edx, byte ptr dword_6BFBB0+1
		mov	ecx, esi
		mov	dword_6BFBAC, esi
		push	eax
		call	_PopDiagTraceDisplayTimeout@12 ; PopDiagTraceDisplayTimeout(x,x,x)
		mov	dword_6BFB6C, esi
		mov	byte ptr word_6BFB70+1,	1

loc_9B993C:				; CODE XREF: PopCheckConsoleTimeouts()+C2j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PopCheckConsoleTimeouts@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopComputeTimeout(x, x, x)
_PopComputeTimeout@12 proc near		; CODE XREF: PopCheckConsoleTimeouts()+B4p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		mov	ecx, edx
		sub	eax, dword_6BFBB8
		xor	edx, edx
		push	esi
		mov	esi, 3E8h
		div	esi
		pop	esi
		mov	edx, eax
		xor	eax, eax
		add	edx, ecx
		adc	eax, eax
		jnz	short loc_9B996C
		cmp	edx, 0FFFFFFFFh
		jbe	short loc_9B996F

loc_9B996C:				; CODE XREF: PopComputeTimeout(x,x,x)+25j
		or	edx, 0FFFFFFFFh

loc_9B996F:				; CODE XREF: PopComputeTimeout(x,x,x)+2Aj
		mov	eax, edx
		leave
		retn	4
_PopComputeTimeout@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopGetLockConsoleTimeoutUnsafe(x)
_PopGetLockConsoleTimeoutUnsafe@4 proc near ; CODE XREF: CmpInitializeLazyWriters+A151Bp
					; PopActiveLockScreenPowerRequest(x,x,x)+28p ...

var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, _PopDisplayTimeout
		push	ebx
		push	esi
		mov	esi, _PopAdaptiveLockConsoleTimeout
		cmp	esi, eax
		jbe	short loc_9B99DA
		cmp	ds:_PopEnforceConsoleLockScreenTimeout,	0
		jnz	short loc_9B99A5
		mov	esi, eax
		jmp	short loc_9B99DA
; 

loc_9B99A5:				; CODE XREF: PopGetLockConsoleTimeoutUnsafe(x)+2Aj
		cmp	dword_6B23F8, 5
		jbe	short loc_9B99DA
		push	4000h
		mov	ebx, offset dword_6B23F8
		push	0
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9B99DA
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		push	0
		push	0
		push	offset loc_420475
		push	ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9B99DA:				; CODE XREF: PopGetLockConsoleTimeoutUnsafe(x)+21j
					; PopGetLockConsoleTimeoutUnsafe(x)+2Ej ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopGetLockConsoleTimeoutUnsafe@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopInputDisabled(x,	x, x)
_PopInputDisabled@12 proc near		; CODE XREF: PopAdaptivePowerSettingCallback+A144Cp

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1], dl
		mov	ebx, ecx
		jz	short loc_9B9A31
		xor	ecx, ecx
		jmp	short loc_9B9A26
; 

loc_9B9A03:				; CODE XREF: PopInputDisabled(x,x,x)+45j
		mov	ecx, esi
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		mov	edi, eax
		mov	ecx, edi
		call	_PsIsServiceSession@4 ;	PsIsServiceSession(x)
		test	al, al
		jnz	short loc_9B9A24
		cmp	ebx, edi
		jz	short loc_9B9A24
		xor	edx, edx
		mov	ecx, edi
		call	_PopSetSessionUserStatus@8 ; PopSetSessionUserStatus(x,x)

loc_9B9A24:				; CODE XREF: PopInputDisabled(x,x,x)+2Bj
					; PopInputDisabled(x,x,x)+2Fj
		mov	ecx, esi

loc_9B9A26:				; CODE XREF: PopInputDisabled(x,x,x)+17j
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9B9A03

loc_9B9A31:				; CODE XREF: PopInputDisabled(x,x,x)+13j
		cmp	[ebp+var_1], 0
		jz	short loc_9B9A40
		xor	edx, edx
		mov	ecx, ebx
		call	_PopSetSessionUserStatus@8 ; PopSetSessionUserStatus(x,x)

loc_9B9A40:				; CODE XREF: PopInputDisabled(x,x,x)+4Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopInputDisabled@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopIsLockConsoleTimeoutActive()
_PopIsLockConsoleTimeoutActive@0 proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+A5p
		mov	edi, edi
		push	ebx
		xor	cl, cl
		call	PopAcquireAdaptiveLock
		mov	bl, byte_6BFBB6
		call	PopReleaseAdaptiveLock
		mov	al, bl
		pop	ebx
		retn
_PopIsLockConsoleTimeoutActive@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopLazySensorActiveInput(x,	x)
_PopLazySensorActiveInput@8 proc near	; CODE XREF: PopSessionWinlogonNotification(x,x)+CFp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edx, ecx
		mov	byte_6BFB72, 1
		push	6
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_30], edx
		lea	edi, [ebp+var_1C]
		mov	dword_6BFB74, 0Ah
		xor	esi, esi
		rep stosd
		mov	ebx, esi
		mov	[ebp+var_24], esi
		mov	ecx, edx
		mov	[ebp+var_20], ebx
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	edi, eax
		mov	[ebp+var_28], edi
		test	edi, edi
		jz	loc_9B9B49
		lea	edx, [ebp+var_1C]
		mov	ecx, edi
		call	MmAttachSession
		test	eax, eax
		js	short loc_9B9B2D
		mov	ebx, ds:0FFDF0004h
		mov	esi, 0FFDF0324h
		mov	edx, 0FFDF0320h
		mov	[ebp+var_2C], ebx
		mov	ecx, 0FFDF0328h
		mov	esi, [esi]
		mov	edx, [edx]
		mov	eax, [ecx]
		cmp	esi, eax
		jz	short loc_9B9B00
		lea	edi, [ecx-4]
		lea	ebx, [ecx-8]

loc_9B9AE9:				; CODE XREF: PopLazySensorActiveInput(x,x)+98j
		pause
		mov	esi, [edi]
		mov	edx, [ebx]
		mov	ecx, [ecx]
		cmp	esi, ecx
		mov	ecx, 0FFDF0328h
		jnz	short loc_9B9AE9
		mov	edi, [ebp+var_28]
		mov	ebx, [ebp+var_2C]

loc_9B9B00:				; CODE XREF: PopLazySensorActiveInput(x,x)+81j
		mov	ecx, [ebp+var_30]
		lea	eax, [ebp+var_24]
		push	eax
		mov	eax, edx
		shl	esi, 8
		mul	ebx
		imul	esi, ebx
		shrd	eax, edx, 18h
		lea	edx, [esi+eax]
		call	_PopConsoleSessionActiveInput@12 ; PopConsoleSessionActiveInput(x,x,x)
		lea	edx, [ebp+var_1C]
		mov	ecx, edi
		call	MmDetachSession
		mov	ebx, [ebp+var_20]
		mov	esi, [ebp+var_24]

loc_9B9B2D:				; CODE XREF: PopLazySensorActiveInput(x,x)+5Fj
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	dword_6BFB6C, ebx
		mov	word_6BFB70, 101h
		mov	dword_6BFB68, esi

loc_9B9B49:				; CODE XREF: PopLazySensorActiveInput(x,x)+4Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopLazySensorActiveInput@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopSensorActiveInput(x)
_PopSensorActiveInput@4	proc near	; CODE XREF: PopReleaseAdaptiveLock+E5660p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		xor	cl, cl
		push	dword ptr [edi+14h]
		mov	esi, [edi+4]
		call	PopNotifyConsoleUserPresent
		mov	edx, [edi+0Ch]
		mov	ecx, esi
		call	_PopSetWin32kDisplayTimeout@8 ;	PopSetWin32kDisplayTimeout(x,x)
		mov	edx, [edi+8]
		mov	ecx, esi
		call	_PopSetWin32kInputTimeout@8 ; PopSetWin32kInputTimeout(x,x)
		pop	edi
		pop	esi
		pop	ecx
		retn
_PopSensorActiveInput@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSessionWinlogonNotification(x, x)
_PopSessionWinlogonNotification@8 proc near ; CODE XREF: NtPowerInformation+172264p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		and	[esp+8+var_8], 0
		and	[esp+8+var_4], 0
		push	ebx
		mov	bl, [edx+5]
		mov	bh, [edx+4]
		push	esi
		mov	esi, ecx
		mov	ecx, offset _POP_ETW_ADPM_SESSION_LOCKED
		test	bl, bl
		jnz	short loc_9B9BAF
		mov	ecx, offset _POP_ETW_ADPM_SESSION_UNLOCKED

loc_9B9BAF:				; CODE XREF: PopSessionWinlogonNotification(x,x)+24j
		movzx	eax, bh
		mov	edx, esi
		push	eax
		call	_PopDiagTraceSessionState@12 ; PopDiagTraceSessionState(x,x,x)
		mov	ecx, offset ??_C@_06GFKCFIPE@Locked@NNGAKEGL@ ;	"Locked"
		test	bl, bl
		jnz	short loc_9B9BC8
		mov	ecx, offset ??_C@_08CMNOBMAI@Unlocked@NNGAKEGL@

loc_9B9BC8:				; CODE XREF: PopSessionWinlogonNotification(x,x)+3Dj
		mov	eax, offset ??_C@_07PGLPGHFC@Console@NNGAKEGL@ ; "Console"
		test	bh, bh
		jnz	short loc_9B9BD6
		mov	eax, offset ??_C@_06MHHFENDB@Remote@NNGAKEGL@ ;	"Remote"

loc_9B9BD6:				; CODE XREF: PopSessionWinlogonNotification(x,x)+4Bj
		push	ecx
		push	esi
		push	eax
		push	offset ??_C@_0CH@NLKNEIKC@PopAdaptive?3?$DO?$DO?$DO?$DO?$DO?5?$CFs?5session?5?$CFu@NNGAKEGL@ ; "PopAdaptive:>>>>> %s session %u	is %s\n"
		push	3
		call	_PopPrintEx
		add	esp, 14h
		test	bh, bh
		jz	loc_9B9C7A
		xor	cl, cl
		call	PopAcquireAdaptiveLock
		test	bl, bl
		jz	short loc_9B9C3A
		mov	byte_6BFBB4, 1
		call	_PopGetLockConsoleTimeoutUnsafe@4 ; PopGetLockConsoleTimeoutUnsafe(x)
		mov	[esp+10h+var_8], eax
		test	eax, eax
		jz	short loc_9B9C58
		cmp	byte_6BFBB5, 0
		jnz	short loc_9B9C58
		push	0
		lea	edx, [esp+14h+var_8]
		mov	byte_6BFBB6, 1
		mov	ecx, esi
		mov	dword_6BFB6C, eax
		mov	byte ptr word_6BFB70+1,	1
		call	_PopUpdateTimeouts@12 ;	PopUpdateTimeouts(x,x,x)
		jmp	short loc_9B9C58
; 

loc_9B9C3A:				; CODE XREF: PopSessionWinlogonNotification(x,x)+75j
		cmp	byte_6BFBB6, 0
		mov	byte_6BFBB4, 0
		jz	short loc_9B9C58
		mov	ecx, esi
		mov	byte_6BFBB6, 0
		call	_PopLazySensorActiveInput@8 ; PopLazySensorActiveInput(x,x)

loc_9B9C58:				; CODE XREF: PopSessionWinlogonNotification(x,x)+89j
					; PopSessionWinlogonNotification(x,x)+92j ...
		call	PopReleaseAdaptiveLock
		xor	eax, eax
		mov	ecx, offset _GUID_CONSOLE_LOCKED ; int
		test	bl, bl
		setnz	al
		mov	[esp+10h+var_8], eax
		lea	eax, [esp+10h+var_8]
		push	eax		; void *
		push	4
		pop	edx
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)

loc_9B9C7A:				; CODE XREF: PopSessionWinlogonNotification(x,x)+66j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopSessionWinlogonNotification@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetWin32kDisplayTimeout(x, x)
_PopSetWin32kDisplayTimeout@8 proc near	; CODE XREF: PopReleaseAdaptiveLock+E5682p
					; PopSensorActiveInput(x)+19p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, offset _GUID_CONSOLE_VIDEO_TIMEOUT
		mov	[ebp+var_1C], edx
		mov	esi, ebx
		lea	edi, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		push	ecx
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+var_8], edx
		call	_PopSendSessionInfo@16 ; PopSendSessionInfo(x,x,x,x)
		lea	eax, [ebp+var_1C]
		mov	ecx, ebx	; int
		push	eax		; void *
		push	4
		pop	edx
		call	_PopSetPowerSettingValueAcDc@12	; PopSetPowerSettingValueAcDc(x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopSetWin32kDisplayTimeout@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSetWin32kInputTimeout(x,	x)
_PopSetWin32kInputTimeout@8 proc near	; CODE XREF: PopReleaseAdaptiveLock+E5672p
					; PopReleaseAdaptiveLock+E56ACp ...

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		call	SessionIsInteractive
		test	al, al
		lea	edi, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		jnz	short loc_9B9D0F
		mov	esi, offset _GUID_TS_INPUT_TIMEOUT
		xor	ecx, ecx
		push	14h
		pop	edx
		movsd
		movsd
		movsd
		movsd
		call	_PopBroadcastSessionInfo@12 ; PopBroadcastSessionInfo(x,x,x)
		jmp	short loc_9B9D20
; 

loc_9B9D0F:				; CODE XREF: PopSetWin32kInputTimeout(x,x)+28j
		mov	esi, (offset loc_42E047+1)
		push	ecx
		mov	ecx, ebx
		movsd
		movsd
		movsd
		movsd
		call	_PopSendSessionInfo@16 ; PopSendSessionInfo(x,x,x,x)

loc_9B9D20:				; CODE XREF: PopSetWin32kInputTimeout(x,x)+3Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopSetWin32kInputTimeout@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUserPresentOverride(x)
_PopUserPresentOverride@4 proc near	; CODE XREF: NtPowerInformation+1722A0p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ebx
		mov	bl, cl
		mov	cl, 1
		push	esi
		call	PopAcquireAdaptiveLock
		mov	eax, _PopUserPresentOverrideCount
		test	bl, bl
		jnz	short loc_9B9D59
		test	eax, eax
		jnz	short loc_9B9D56
		mov	esi, 0C000000Dh
		jmp	short loc_9B9D77
; 

loc_9B9D56:				; CODE XREF: PopUserPresentOverride(x)+1Ej
		dec	eax
		jmp	short loc_9B9D5A
; 

loc_9B9D59:				; CODE XREF: PopUserPresentOverride(x)+1Aj
		inc	eax

loc_9B9D5A:				; CODE XREF: PopUserPresentOverride(x)+28j
		mov	_PopUserPresentOverrideCount, eax
		cmp	eax, 1
		jnz	short loc_9B9D68
		test	bl, bl
		jnz	short loc_9B9D70

loc_9B9D68:				; CODE XREF: PopUserPresentOverride(x)+33j
		test	eax, eax
		jnz	short loc_9B9D75
		test	bl, bl
		jnz	short loc_9B9D75

loc_9B9D70:				; CODE XREF: PopUserPresentOverride(x)+37j
		call	PopEvaluateGlobalUserStatus

loc_9B9D75:				; CODE XREF: PopUserPresentOverride(x)+3Bj
					; PopUserPresentOverride(x)+3Fj
		xor	esi, esi

loc_9B9D77:				; CODE XREF: PopUserPresentOverride(x)+25j
		call	PopReleaseAdaptiveLock
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PopUserPresentOverride@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoSessionPowerControl(x, x,	x)
_PoSessionPowerControl@12 proc near	; CODE XREF: TtmpSessionPowerControl(x,x,x)+34p

var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_23		= word ptr -23h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		and	[ebp+var_8], 0
		xor	eax, eax
		push	ebx
		push	esi
		mov	[ebp+var_23], ax
		mov	esi, edx
		mov	[ebp+var_21], al
		mov	bl, cl
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		call	_PopBlockSessionSwitch@8 ; PopBlockSessionSwitch(x,x)
		xor	eax, eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_23], ax
		lea	edx, [ebp+var_28]
		lea	eax, [ebp+var_10]
		mov	[ebp+var_28], 6
		mov	[ebp+var_1C], eax
		xor	ecx, ecx
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	5
		mov	[ebp+var_21], cl
		mov	[ebp+var_24], cl
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		pop	ecx
		mov	byte ptr [ebp+var_10], bl
		mov	[ebp+var_20], 8
		call	PopInvokeWin32Callout
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		call	_PopBlockSessionSwitch@8 ; PopBlockSessionSwitch(x,x)
		pop	esi
		pop	ebx
		leave
		retn	4
_PoSessionPowerControl@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSendSessionInfo(x, x, x,	x)
_PopSendSessionInfo@16 proc near	; CODE XREF: PopSetWin32kDisplayTimeout(x,x)+2Ep
					; PopSetWin32kInputTimeout(x,x)+4Bp

var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_17		= word ptr -17h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		mov	[ebp+var_4], ecx
		xor	ecx, ecx
		mov	[ebp+var_17], ax
		mov	[ebp+var_15], cl
		cmp	_PsWin32CalloutsEstablished, al
		jz	short locret_9B9E45
		mov	eax, [ebp+arg_4]
		lea	edx, [ebp+var_1C]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	5
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], cl
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		pop	ecx
		mov	[ebp+var_14], 14h
		call	PopInvokeWin32Callout

locret_9B9E45:				; CODE XREF: PopSendSessionInfo(x,x,x,x)+1Cj
		leave
		retn	8
_PopSendSessionInfo@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdateWakeOnVoiceState(x)
_PopUpdateWakeOnVoiceState@4 proc near	; CODE XREF: PopPowerInformationInternal+1717C3p

var_2		= byte ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	eax, eax
		mov	[ebp-1], cl
		push	eax
		push	eax
		push	eax
		push	eax
		push	1
		lea	eax, [ebp-1]
		push	eax
		push	(offset	loc_425327+1)
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		leave
		retn
_PopUpdateWakeOnVoiceState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopWin32CalloutWatchdogCallbackLiveDump(x, x, x, x,	x, x)
_PopWin32CalloutWatchdogCallbackLiveDump@24 proc near ;	DATA XREF: PopInvokeWin32Callout+F2o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	eax		; int
		push	eax		; int
		push	eax		; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		push	(offset	loc_8BD7AD+1) ;	int
		call	_DbgkWerCaptureLiveKernelDump@36 ; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	18h
_PopWin32CalloutWatchdogCallbackLiveDump@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopIdleAoAcDozeToS4(x)
_PopIdleAoAcDozeToS4@4 proc near	; DATA XREF: PopIdleInitAoAcDozeS4Timer()+3Fo

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+28h+var_8], edi
		mov	[esp+28h+var_4], edi
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		call	_PopTraceSystemIdleS0LowPowerDoze@4 ; PopTraceSystemIdleS0LowPowerDoze(x)
		mov	eax, dword_6C22E8
		mov	[esp+28h+var_8], edi
		mov	[esp+28h+var_4], edi
		mov	dword_6C22D0, edi
		sub	eax, 1
		jz	short loc_9B9F37
		sub	eax, 1
		jz	short loc_9B9EED
		sub	eax, 1
		jz	short loc_9B9EE3
		sub	eax, 1
		jnz	short loc_9B9F37
		mov	[esp+28h+var_10], 0Eh
		jmp	short loc_9B9F3F
; 

loc_9B9EE3:				; CODE XREF: PopIdleAoAcDozeToS4(x)+41j
		mov	[esp+28h+var_10], 0Dh
		jmp	short loc_9B9F3F
; 

loc_9B9EED:				; CODE XREF: PopIdleAoAcDozeToS4(x)+3Cj
		mov	eax, dword_6C2710
		or	eax, dword_6C2714
		mov	[esp+28h+var_10], 0Bh
		jz	short loc_9B9F3F
		call	KeQueryInterruptTime
		mov	esi, eax
		mov	ecx, edx
		sub	esi, dword_6C2710
		mov	edx, (offset loc_98967E+2)
		mov	eax, ds:_PopSmartUserPresenceCheckTimeout
		sbb	ecx, dword_6C2714
		mul	edx
		cmp	ecx, edx
		jb	short loc_9B9F3F
		ja	short loc_9B9F2D
		cmp	esi, eax
		jbe	short loc_9B9F3F

loc_9B9F2D:				; CODE XREF: PopIdleAoAcDozeToS4(x)+96j
		mov	[esp+28h+var_10], 0Ch
		jmp	short loc_9B9F3F
; 

loc_9B9F37:				; CODE XREF: PopIdleAoAcDozeToS4(x)+37j
					; PopIdleAoAcDozeToS4(x)+46j
		mov	[esp+28h+var_10], 6

loc_9B9F3F:				; CODE XREF: PopIdleAoAcDozeToS4(x)+50j
					; PopIdleAoAcDozeToS4(x)+5Aj ...
		push	1
		push	5
		lea	eax, [esp+30h+var_1C]
		mov	[esp+30h+var_C], 80h
		push	eax
		xor	edx, edx
		mov	[esp+34h+var_14], edi
		lea	ecx, [esp+34h+var_10]
		mov	[esp+34h+var_1C], 3
		mov	[esp+34h+var_18], 80000024h
		call	PopExecutePowerAction
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		xor	ecx, ecx
		mov	eax, offset unk_6C22EC
		lock and [eax],	ecx
		push	4
		pop	ecx
		call	PopDeepSleepClearDisengageReason
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_PopIdleAoAcDozeToS4@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopIdleCsStateChanged(x)
_PopIdleCsStateChanged@4 proc near	; CODE XREF: PdcPoCurrentPdcPhase(x,x,x)+B9p
		mov	edi, edi
		push	ebx
		mov	bl, cl
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		mov	byte_6C22F1, bl
		test	bl, bl
		pop	ebx
		jz	short loc_9B9FD4
		mov	ecx, dword_6D44C8
		mov	eax, dword_6D44CC
		mov	dword_6C22F8, ecx
		or	ecx, eax
		mov	dword_6C22FC, eax
		jnz	short loc_9B9FCD
		call	KeQueryInterruptTime
		mov	dword_6C22F8, eax
		mov	dword_6C22FC, edx

loc_9B9FCD:				; CODE XREF: PopIdleCsStateChanged(x)+2Dj
		call	_PopIdleArmAoAcDozeS4Timer@0 ; PopIdleArmAoAcDozeS4Timer()
		jmp	short loc_9B9FFB
; 

loc_9B9FD4:				; CODE XREF: PopIdleCsStateChanged(x)+13j
		xor	edx, edx
		xor	cl, cl
		call	_PopGetModernStandbyTransitionReason@8 ; PopGetModernStandbyTransitionReason(x,x)
		cmp	eax, 6
		jz	short loc_9B9FFB
		xor	ecx, ecx
		inc	ecx
		call	PopIdleCancelAoAcDozeS4Timer
		xor	eax, eax
		mov	dword_6C22D0, eax
		mov	dword_6C22F8, eax
		mov	dword_6C22FC, eax

loc_9B9FFB:				; CODE XREF: PopIdleCsStateChanged(x)+44j
					; PopIdleCsStateChanged(x)+52j
		jmp	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
_PopIdleCsStateChanged@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopIdleTriggerAdaptiveStandbyAction(x)
_PopIdleTriggerAdaptiveStandbyAction@4 proc near
					; CODE XREF: PopUmpoProcessPowerMessage+1710BAp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		cmp	byte_6C22F1, 0
		mov	dword_6C22D0, esi
		jz	short loc_9BA026
		push	4
		pop	ecx
		call	PopIdleCancelAoAcDozeS4Timer
		call	_PopIdleArmAoAcDozeS4Timer@0 ; PopIdleArmAoAcDozeS4Timer()

loc_9BA026:				; CODE XREF: PopIdleTriggerAdaptiveStandbyAction(x)+17j
		pop	esi
		jmp	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
_PopIdleTriggerAdaptiveStandbyAction@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopPreSleepNotifyWorker(x)
_PopPreSleepNotifyWorker@4 proc	near	; DATA XREF: PopInitializePreSleepNotifications+33o
		inc	_PopPreSleepWnfPayload
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	8
		push	offset _PopPreSleepWnfPayload
		push	(offset	loc_425355+3)
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	ecx, offset _PopPreSleepNotifyWorkItem
		call	_PopOkayToQueueNextWorkItem@4 ;	PopOkayToQueueNextWorkItem(x)
		retn	4
_PopPreSleepNotifyWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopUpdateSmartUserPresencePredictions(x, x,	x)
_PopUpdateSmartUserPresencePredictions@12 proc near
					; CODE XREF: PopPowerInformationInternal+171254p
					; PopWnfAudioCallback+A9982p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		cmp	byte_6C2D4D, 0
		push	esi
		push	edi
		mov	edi, ecx
		jnz	short loc_9BA0A3
		lea	eax, [ebp+var_8]
		push	eax
		call	KeQuerySystemTime
		mov	edx, [ebp+arg_4]
		mov	esi, [ebp+var_4]
		cmp	edx, esi
		jb	short loc_9BA0A3
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_8]
		ja	short loc_9BA091
		cmp	ecx, eax
		jb	short loc_9BA0A3

loc_9BA091:				; CODE XREF: PopUpdateSmartUserPresencePredictions(x,x,x)+35j
		sub	eax, ecx
		sbb	esi, edx
		cmp	esi, 10h
		ja	short loc_9BA0A7
		jb	short loc_9BA0A3
		cmp	eax, 0C388D000h
		jnb	short loc_9BA0A7

loc_9BA0A3:				; CODE XREF: PopUpdateSmartUserPresencePredictions(x,x,x)+1Aj
					; PopUpdateSmartUserPresencePredictions(x,x,x)+2Dj ...
		xor	ecx, ecx
		xor	edx, edx

loc_9BA0A7:				; CODE XREF: PopUpdateSmartUserPresencePredictions(x,x,x)+42j
					; PopUpdateSmartUserPresencePredictions(x,x,x)+4Bj
		cmp	dword_6C22C8, ecx
		jnz	short loc_9BA0B7
		cmp	dword_6C22CC, edx
		jz	short loc_9BA0F0

loc_9BA0B7:				; CODE XREF: PopUpdateSmartUserPresencePredictions(x,x,x)+57j
		cmp	ds:_PopSmartUserPresenceAction,	0
		mov	dword_6C22C8, ecx
		mov	dword_6C22CC, edx
		jz	short loc_9BA0F0
		cmp	byte_6C22F1, 0
		jz	short loc_9BA0F0
		mov	ecx, edi
		call	PopIdleCancelAoAcDozeS4Timer
		test	al, al
		jnz	short loc_9BA0EB
		mov	eax, _PopPolicy
		cmp	dword ptr [eax+58h], 0
		jnz	short loc_9BA0F0

loc_9BA0EB:				; CODE XREF: PopUpdateSmartUserPresencePredictions(x,x,x)+88j
		call	_PopIdleArmAoAcDozeS4Timer@0 ; PopIdleArmAoAcDozeS4Timer()

loc_9BA0F0:				; CODE XREF: PopUpdateSmartUserPresencePredictions(x,x,x)+5Fj
					; PopUpdateSmartUserPresencePredictions(x,x,x)+74j ...
		pop	edi
		pop	esi
		leave
		retn	8
_PopUpdateSmartUserPresencePredictions@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCadHpmiPnpNotification(x, x)
_PopCadHpmiPnpNotification@8 proc near	; DATA XREF: PoInitDriverServices()+A6o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		push	10h		; size_t
		push	offset _GUID_DEVINTERFACE_HPMI ; void *
		lea	eax, [edi+14h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9BA120
		mov	esi, 0C000000Dh
		jmp	short loc_9BA13F
; 

loc_9BA120:				; CODE XREF: PopCadHpmiPnpNotification(x,x)+21j
		push	10h		; size_t
		lea	eax, [edi+4]
		push	offset _GUID_DEVICE_INTERFACE_ARRIVAL ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9BA13F
		push	2
		pop	ecx
		call	_PopCadTriggerDriverLoad@4 ; PopCadTriggerDriverLoad(x)

loc_9BA13F:				; CODE XREF: PopCadHpmiPnpNotification(x,x)+28j
					; PopCadHpmiPnpNotification(x,x)+3Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_PopCadHpmiPnpNotification@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCadTriggerDriverLoad(x)
_PopCadTriggerDriverLoad@4 proc	near	; CODE XREF: PopBatteryAdd(x)+49p
					; PopCadHpmiPnpNotification(x,x)+44p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, offset _PopCadLoadReason
		mov	eax, [esi]

loc_9BA15E:				; CODE XREF: PopCadTriggerDriverLoad(x)+1Fj
		mov	edx, eax
		or	edx, ecx
		lock cmpxchg [esi], edx
		jnz	short loc_9BA15E
		pop	esi
		test	eax, eax
		jnz	short locret_9BA184
		push	offset ??_C@_1HA@HJKOIFFF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		call	_ZwLoadDriver@4	; ZwLoadDriver(x)

locret_9BA184:				; CODE XREF: PopCadTriggerDriverLoad(x)+24j
		leave
		retn
_PopCadTriggerDriverLoad@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopBcdOpen(x)
_PopBcdOpen@4	proc near		; CODE XREF: PopAllocateHiberContext+186p
					; PoInitHiberServices+7Cp
		mov	edi, edi
		push	ecx
		push	ecx
		push	2
		pop	edx
		call	BcdOpenStore
		pop	ecx
		retn
_PopBcdOpen@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBcdRegenerateResumeObject(x, x, x)
_PopBcdRegenerateResumeObject@12 proc near ; CODE XREF:	PopBcdEstablishResumeObject+A2BF7p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_44], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_28]
		mov	[ebp+var_4C], 1
		stosd
		mov	ebx, edx
		xor	edx, edx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_48], 10200004h
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	edi, eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_2C], edi
		push	eax
		call	_BcdCreateObject@16 ; BcdCreateObject(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9BA308
		lea	eax, [ebp+var_38]
		mov	edx, 12000004h
		push	eax
		lea	eax, [ebp+var_30]
		mov	ecx, ebx
		push	eax
		call	PopBcdReadElement
		mov	esi, eax
		test	esi, esi
		js	loc_9BA2E2
		lea	eax, [ebp+var_3C]
		mov	edx, 12000005h
		push	eax
		lea	eax, [ebp+var_2C]
		mov	ecx, ebx
		push	eax
		call	PopBcdReadElement
		push	[ebp+var_38]
		mov	ebx, [ebp+var_34]
		mov	edx, 12000004h
		push	[ebp+var_30]
		push	ecx
		mov	ecx, ebx
		call	BcdSetElementDataWithFlags
		mov	edi, [ebp+var_2C]
		mov	esi, eax
		test	esi, esi
		js	loc_9BA2EA
		test	edi, edi
		jz	short loc_9BA270
		push	[ebp+var_3C]
		mov	edx, 12000005h
		push	edi
		push	ecx
		mov	ecx, ebx
		call	BcdSetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	short loc_9BA2EA

loc_9BA270:				; CODE XREF: PopBcdRegenerateResumeObject(x,x,x)+C3j
		mov	edx, [ebp+var_40]
		push	ecx
		push	ecx
		mov	ecx, ebx
		call	PopBcdSetDefaultResumeObjectElements
		mov	esi, eax
		test	esi, esi
		js	short loc_9BA2EA
		mov	esi, offset _GUID_RESUME_LOADER_SETTINGS_GROUP
		lea	edi, [ebp+var_18]
		push	10h
		lea	eax, [ebp+var_18]
		mov	edx, 14000006h
		push	eax
		movsd
		push	ecx
		mov	ecx, ebx
		movsd
		movsd
		movsd
		call	BcdSetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	short loc_9BA2E7
		lea	eax, [ebp+var_28]
		xor	edx, edx
		push	eax
		push	0
		mov	ecx, ebx
		call	_BcdQueryObject@16 ; BcdQueryObject(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9BA2E7
		push	10h
		lea	eax, [ebp+var_28]
		mov	edx, 23000003h
		push	eax
		push	ecx
		mov	ecx, [ebp+var_40]
		call	BcdSetElementDataWithFlags
		mov	edi, [ebp+var_2C]
		mov	esi, eax
		test	esi, esi
		js	short loc_9BA2EA
		mov	eax, [ebp+var_44]
		mov	[eax], ebx
		xor	ebx, ebx
		jmp	short loc_9BA2EA
; 

loc_9BA2E2:				; CODE XREF: PopBcdRegenerateResumeObject(x,x,x)+84j
		mov	ebx, [ebp+var_34]
		jmp	short loc_9BA2EA
; 

loc_9BA2E7:				; CODE XREF: PopBcdRegenerateResumeObject(x,x,x)+111j
					; PopBcdRegenerateResumeObject(x,x,x)+126j
		mov	edi, [ebp+var_2C]

loc_9BA2EA:				; CODE XREF: PopBcdRegenerateResumeObject(x,x,x)+BBj
					; PopBcdRegenerateResumeObject(x,x,x)+DAj ...
		cmp	[ebp+var_30], 0
		jz	short loc_9BA2FA
		push	0
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9BA2FA:				; CODE XREF: PopBcdRegenerateResumeObject(x,x,x)+15Aj
		test	edi, edi
		jz	short loc_9BA30B
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9BA30B
; 

loc_9BA308:				; CODE XREF: PopBcdRegenerateResumeObject(x,x,x)+66j
		mov	ebx, [ebp+var_34]

loc_9BA30B:				; CODE XREF: PopBcdRegenerateResumeObject(x,x,x)+168j
					; PopBcdRegenerateResumeObject(x,x,x)+172j
		test	ebx, ebx
		jz	short loc_9BA321
		mov	ecx, ebx
		test	esi, esi
		js	short loc_9BA31C
		call	_BcdCloseObject@4 ; BcdCloseObject(x)
		jmp	short loc_9BA321
; 

loc_9BA31C:				; CODE XREF: PopBcdRegenerateResumeObject(x,x,x)+17Fj
		call	_BcdDeleteObject@4 ; BcdDeleteObject(x)

loc_9BA321:				; CODE XREF: PopBcdRegenerateResumeObject(x,x,x)+179j
					; PopBcdRegenerateResumeObject(x,x,x)+186j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopBcdRegenerateResumeObject@12 endp


;  S U B	R O U T	I N E 


; __stdcall PpmAllocateQueryTable(x)
_PpmAllocateQueryTable@4 proc near	; CODE XREF: PpmRegisterSpmSettings(x)+BEp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	704D5053h
		mov	edi, 29Ch
		mov	ebx, ecx
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9BA39B
		push	edi		; size_t
		xor	edi, edi
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	edx, [esi+24Ch]
		lea	ecx, [esi+0Ch]

loc_9BA369:				; CODE XREF: PpmAllocateQueryTable(x)+65j
		mov	eax, ds:_PpmPolicyAliasList[edi]
		add	edi, 8
		mov	[ecx-4], eax
		push	4
		pop	eax
		mov	[ecx], edx
		add	edx, eax
		mov	[ecx+8], ebx
		lea	ecx, [ecx+1Ch]
		mov	[ecx-10h], eax
		mov	dword ptr [ecx-18h], 4000004h
		mov	dword ptr [ecx-24h], 120h
		cmp	edi, 0A0h
		jb	short loc_9BA369

loc_9BA39B:				; CODE XREF: PpmAllocateQueryTable(x)+1Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_PpmAllocateQueryTable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmApplyProfile(x)
_PpmApplyProfile@4 proc	near		; CODE XREF: PdcPoPpmApplyProfile(x)+8p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, dword_6C2D0C
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		mov	edi, offset _PpmPerfPolicyLock
		xor	esi, esi
		mov	ecx, edi
		mov	[ebp+var_4], esi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, offset _PpmDefaultProfile
		mov	dword_6C2ADC, eax
		mov	eax, _PpmCurrentProfile
		mov	[ebp+var_C], eax
		test	ebx, ebx
		jnz	short loc_9BA3FF
		mov	ebx, ecx

loc_9BA3FF:				; CODE XREF: PpmApplyProfile(x)+5Aj
		cmp	ebx, _PpmLowPowerProfile
		jnz	short loc_9BA412
		cmp	_PpmPerfMultimediaQosSupported,	0
		jz	short loc_9BA412
		mov	ebx, ecx

loc_9BA412:				; CODE XREF: PpmApplyProfile(x)+64j
					; PpmApplyProfile(x)+6Dj
		cmp	eax, ebx
		jnz	short loc_9BA441
		cmp	dword_6C2ADC, esi
		jz	short loc_9BA424
		mov	dword_6C2ADC, esi

loc_9BA424:				; CODE XREF: PpmApplyProfile(x)+7Bj
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, edi
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		jmp	loc_9BA50C
; 

loc_9BA441:				; CODE XREF: PpmApplyProfile(x)+73j
		call	KeQueryInterruptTime
		mov	ecx, [ebp+var_C]
		mov	edi, edx
		mov	esi, eax
		push	edi
		push	esi
		call	_PpmEndProfileAccumulation@12 ;	PpmEndProfileAccumulation(x,x,x)
		or	dword ptr [ebx+18h], 2
		mov	edx, ecx
		and	dword ptr [edx+18h], 0FFFFFFFDh
		mov	_PpmCurrentProfile, ebx
		mov	[ebx+200h], esi
		xor	esi, esi
		mov	[ebx+204h], edi
		mov	ecx, esi
		mov	edi, esi

loc_9BA476:				; CODE XREF: PpmApplyProfile(x)+115j
		cmp	ebx, offset _PpmDefaultProfile
		jz	short loc_9BA494
		imul	ecx, [ebp+var_8], 1Eh
		add	ecx, edi
		or	esi, [ebx+ecx*8+20h]
		mov	eax, [ebx+ecx*8+24h]
		mov	ecx, [ebp+var_4]
		or	ecx, eax
		mov	[ebp+var_4], ecx

loc_9BA494:				; CODE XREF: PpmApplyProfile(x)+DBj
		cmp	edx, offset _PpmDefaultProfile
		jz	short loc_9BA4B2
		imul	ecx, [ebp+var_8], 1Eh
		add	ecx, edi
		or	esi, [edx+ecx*8+20h]
		mov	eax, [edx+ecx*8+24h]
		mov	ecx, [ebp+var_4]
		or	ecx, eax
		mov	[ebp+var_4], ecx

loc_9BA4B2:				; CODE XREF: PpmApplyProfile(x)+F9j
		inc	edi
		cmp	edi, 2
		jb	short loc_9BA476
		and	ecx, 1CFFFFh
		and	esi, 0D8030FC0h
		mov	[ebp+var_10], ecx
		imul	ecx, [ebp+var_8], 0F0h
		mov	[ebp+var_14], esi
		lea	eax, [ecx+20h]
		add	ecx, 20h
		add	eax, ebx
		add	edx, ecx
		push	eax
		lea	ecx, [ebp+var_14]
		call	_PpmCompareAndApplyPolicySettings@12 ; PpmCompareAndApplyPolicySettings(x,x,x)
		mov	edx, ebx
		mov	ebx, [ebp+var_C]
		mov	ecx, ebx
		call	_PpmEventTraceProfileChange@8 ;	PpmEventTraceProfileChange(x,x)
		mov	eax, _PpmLowPowerProfile
		test	eax, eax
		jz	short loc_9BA50C
		cmp	ebx, eax
		jnz	short loc_9BA50C
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		call	_PpmPostProcessMediaBuffering@0	; PpmPostProcessMediaBuffering()

loc_9BA50C:				; CODE XREF: PpmApplyProfile(x)+9Bj
					; PpmApplyProfile(x)+156j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PpmApplyProfile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmDisableProfile(x)
_PpmDisableProfile@4 proc near		; CODE XREF: PdcPoPpmResetProfile(x,x)+36p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	al, [esi+4]
		xor	ebx, ebx
		and	dword ptr [esi+18h], 0FFFFFFFEh
		mov	ecx, esi
		inc	ebx
		mov	[ebp+var_1], al
		call	_PpmResetProfileSettings@4 ; PpmResetProfileSettings(x)
		push	10h		; size_t
		add	esi, 8
		push	offset _GUID_POWER_POLICY_PROFILE_LOW_POWER ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9BA558
		and	_PpmLowPowerProfile, eax
		jmp	short loc_9BA5B3
; 

loc_9BA558:				; CODE XREF: PpmDisableProfile(x)+3Dj
		push	10h		; size_t
		push	(offset	loc_408894+4) ;	void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9BA574
		and	_PpmBackgroundProfile, eax
		jmp	short loc_9BA5AA
; 

loc_9BA574:				; CODE XREF: PpmDisableProfile(x)+59j
		push	10h		; size_t
		push	offset _GUID_POWER_POLICY_PROFILE_ENTRY_LEVEL_PERF ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9BA590
		and	_PpmEntryLevelPerfProfile, eax
		jmp	short loc_9BA5AA
; 

loc_9BA590:				; CODE XREF: PpmDisableProfile(x)+75j
		push	10h		; size_t
		push	offset _GUID_POWER_POLICY_PROFILE_QOS_MULTIMEDIA ; void	*
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9BA5B3
		and	_PpmMultimediaQosProfile, eax

loc_9BA5AA:				; CODE XREF: PpmDisableProfile(x)+61j
					; PpmDisableProfile(x)+7Dj
		mov	cl, bl
		call	_PpmReinitializeHeteroEngine@4 ; PpmReinitializeHeteroEngine(x)
		xor	bl, bl

loc_9BA5B3:				; CODE XREF: PpmDisableProfile(x)+45j
					; PpmDisableProfile(x)+91j
		mov	cl, [ebp+var_1]
		xor	dl, dl
		call	PpmEventTraceProfileEnable
		pop	esi
		test	bl, bl
		pop	ebx
		jz	short locret_9BA5CD
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)

locret_9BA5CD:				; CODE XREF: PpmDisableProfile(x)+B0j
		leave
		retn
_PpmDisableProfile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmEndProfileAccumulation(x, x, x)
_PpmEndProfileAccumulation@12 proc near	; CODE XREF: PpmEventTraceProfiles+88D3Fp
					; PpmApplyProfile(x)+AEp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		sub	edx, [ecx+200h]
		push	esi
		mov	esi, [ebp+arg_4]
		sbb	esi, [ecx+204h]
		add	[ecx+220h], edx
		adc	[ecx+224h], esi
		cmp	[ecx+214h], esi
		ja	short loc_9BA611
		jb	short loc_9BA605
		cmp	[ecx+210h], edx
		jnb	short loc_9BA611

loc_9BA605:				; CODE XREF: PpmEndProfileAccumulation(x,x,x)+2Cj
		mov	[ecx+210h], edx
		mov	[ecx+214h], esi

loc_9BA611:				; CODE XREF: PpmEndProfileAccumulation(x,x,x)+2Aj
					; PpmEndProfileAccumulation(x,x,x)+34j
		cmp	[ecx+21Ch], esi
		jb	short loc_9BA62F
		ja	short loc_9BA623
		cmp	[ecx+218h], edx
		jbe	short loc_9BA62F

loc_9BA623:				; CODE XREF: PpmEndProfileAccumulation(x,x,x)+4Aj
		mov	[ecx+218h], edx
		mov	[ecx+21Ch], esi

loc_9BA62F:				; CODE XREF: PpmEndProfileAccumulation(x,x,x)+48j
					; PpmEndProfileAccumulation(x,x,x)+52j
		add	dword ptr [ecx+208h], 1
		push	0
		pop	eax
		adc	[ecx+20Ch], eax
		mov	[ecx+200h], eax
		mov	[ecx+204h], eax
		pop	esi
		pop	ebp
		retn	8
_PpmEndProfileAccumulation@12 endp


;  S U B	R O U T	I N E 


; __stdcall PpmPdcNotifyMediaBufferingUpdate(x)
_PpmPdcNotifyMediaBufferingUpdate@4 proc near ;	CODE XREF: PpmMediaBufferingWorker+95135p
		mov	eax, dword_6D6FCC
		test	eax, eax
		jz	short locret_9BA65C
		push	ecx
		call	eax

locret_9BA65C:				; CODE XREF: PpmPdcNotifyMediaBufferingUpdate(x)+7j
		retn
_PpmPdcNotifyMediaBufferingUpdate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PpmPolicyNameToGuid(wchar_t *)
_PpmPolicyNameToGuid@8 proc near	; CODE XREF: PpmProcessSettingsFromQueryTable(x,x,x)+35p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	ebx, ecx
		mov	esi, offset _PpmPolicyAliasList
		xor	edi, edi

loc_9BA672:				; CODE XREF: PpmPolicyNameToGuid(x,x)+2Fj
		push	dword ptr [esi]	; wchar_t *
		push	ebx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_9BA695
		add	edi, 8
		add	esi, 8
		cmp	edi, 0A0h
		jb	short loc_9BA672
		mov	eax, 0C0000001h
		jmp	short loc_9BA6A1
; 

loc_9BA695:				; CODE XREF: PpmPolicyNameToGuid(x,x)+21j
		mov	esi, [esi+4]
		xor	eax, eax
		mov	edi, [ebp+var_4]
		movsd
		movsd
		movsd
		movsd

loc_9BA6A1:				; CODE XREF: PpmPolicyNameToGuid(x,x)+36j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PpmPolicyNameToGuid@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPostProcessMediaBuffering()
_PpmPostProcessMediaBuffering@0	proc near ; CODE XREF: PpmApplyProfile(x)+166p

var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		stosd
		stosd
		call	_PpmCheckApplyResetNotification@0 ; PpmCheckApplyResetNotification()
		cmp	ds:_PpmPlatformStates, 0
		pop	edi
		jz	short loc_9BA707
		lea	ecx, [ebp+var_1C]
		call	_PoCopyDeepIdleMask@4 ;	PoCopyDeepIdleMask(x)
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	offset _KeActiveProcessors
		call	_KeSubtractAffinityEx@12 ; KeSubtractAffinityEx(x,x,x)
		test	eax, eax
		jz	short loc_9BA707
		push	0
		push	0
		mov	edx, offset _PpmResetInterruptRate@12 ;	PpmResetInterruptRate(x,x,x)
		lea	ecx, [ebp+var_10]
		call	_PopExecuteOnTargetProcessors@16 ; PopExecuteOnTargetProcessors(x,x,x,x)

loc_9BA707:				; CODE XREF: PpmPostProcessMediaBuffering()+30j
					; PpmPostProcessMediaBuffering()+4Ej
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmPostProcessMediaBuffering@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmProcessSettingsFromQueryTable(x,	x, x)
_PpmProcessSettingsFromQueryTable@12 proc near ; CODE XREF: PpmRegisterSpmSettings(x)+206p
					; PpmRegisterSpmSettings(x)+218p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_20], edx
		stosd
		xor	bl, bl
		push	14h
		mov	[ebp+var_24], ecx
		add	esi, 0Ch
		stosd
		stosd
		stosd
		pop	edi

loc_9BA742:				; CODE XREF: PpmProcessSettingsFromQueryTable(x,x,x)+C2j
		mov	ecx, [esi-4]	; wchar_t *
		lea	edx, [ebp+var_18]
		call	_PpmPolicyNameToGuid@8 ; PpmPolicyNameToGuid(x,x)
		mov	eax, [esi]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9BA7CF
		push	10h		; size_t
		lea	eax, [ebp+var_18]
		push	offset _GUID_PROCESSOR_PERF_INCREASE_HISTORY ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9BA779
		or	_PpmProfileStatus, 4
		jmp	short loc_9BA7CF
; 

loc_9BA779:				; CODE XREF: PpmProcessSettingsFromQueryTable(x,x,x)+5Bj
		push	10h		; size_t
		lea	eax, [ebp+var_18]
		push	(offset	loc_428356+2) ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9BA799
		or	_PpmProfileStatus, 8
		jmp	short loc_9BA7CF
; 

loc_9BA799:				; CODE XREF: PpmProcessSettingsFromQueryTable(x,x,x)+7Bj
		push	10h		; size_t
		lea	eax, [ebp+var_18]
		push	(offset	loc_428376+2) ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9BA7B9
		or	_PpmProfileStatus, 10h
		jmp	short loc_9BA7CF
; 

loc_9BA7B9:				; CODE XREF: PpmProcessSettingsFromQueryTable(x,x,x)+9Bj
		mov	ecx, [ebp+var_24] ; void *
		lea	eax, [ebp+var_1C]
		push	4		; int
		push	eax		; int
		push	[ebp+var_20]	; int
		lea	edx, [ebp+var_18] ; int
		mov	bl, 1
		call	PpmSetProfilePolicySetting

loc_9BA7CF:				; CODE XREF: PpmProcessSettingsFromQueryTable(x,x,x)+44j
					; PpmProcessSettingsFromQueryTable(x,x,x)+64j ...
		add	esi, 1Ch
		sub	edi, 1
		jnz	loc_9BA742
		mov	ecx, [ebp+var_8]
		mov	al, bl
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PpmProcessSettingsFromQueryTable@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmProfileAcDcUpdate()
_PpmProfileAcDcUpdate@0	proc near	; CODE XREF: PopBatteryApplyCompositeState+A035Fp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, dword_6C2D0C
		mov	ecx, offset _PpmPerfPolicyLock
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], esi
		mov	ebx, edi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PpmIdlePolicyLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6C2ADC, eax
		mov	eax, _PpmCurrentProfile
		push	2
		mov	[ebp+var_8], eax
		pop	esi
		lea	edx, [eax+20h]

loc_9BA843:				; CODE XREF: PpmProfileAcDcUpdate()+70j
		mov	ecx, [edx+0F0h]
		mov	eax, [edx+0F4h]
		or	ecx, [edx]
		lea	edx, [edx+8]
		or	eax, [edx-4]
		or	edi, ecx
		or	ebx, eax
		sub	esi, 1
		jnz	short loc_9BA843
		mov	esi, [ebp+var_4]
		and	edi, 0D8030FC0h
		mov	ecx, [ebp+var_8]
		and	ebx, 1CFFFFh
		imul	eax, esi, 0F0h
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ebx
		lea	edx, [ecx+110h]
		add	eax, 20h
		add	eax, ecx
		neg	esi
		push	eax
		sbb	esi, esi
		lea	ecx, [ebp+var_10]
		and	esi, 0FFFFFF10h
		add	edx, esi
		call	_PpmCompareAndApplyPolicySettings@12 ; PpmCompareAndApplyPolicySettings(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PpmProfileAcDcUpdate@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmRegisterSpmSettings(x)
_PpmRegisterSpmSettings@4 proc near

var_7E		= byte ptr -7Eh
var_7D		= byte ptr -7Dh
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+84h+var_4], eax
		or	[esp+84h+var_60], 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, offset ??_C@_15NLNBCPEE@?$AAv?$AA1@NNGAKEGL@ ; "v1"
		push	edi
		push	ecx
		push	ecx
		lea	ecx, [esp+98h+var_5C]
		mov	[esp+98h+var_54], eax
		mov	[esp+98h+var_50], eax
		mov	ebx, eax
		mov	[esp+98h+var_78], eax
		mov	[esp+98h+var_68], eax
		mov	[esp+98h+var_64], eax
		mov	[esp+98h+var_74], eax
		mov	[esp+98h+var_5C], eax
		mov	[esp+98h+var_58], eax
		mov	[esp+98h+var_7C], eax
		call	RtlUnicodeStringInitWorker
		push	ecx
		push	ecx
		mov	edx, offset ??_C@_1BA@GHOECOCL@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt@NNGAKEGL@ ; "D"
		lea	ecx, [esp+98h+var_54]
		call	RtlUnicodeStringInitWorker
		and	[esp+90h+var_C], ebx
		lea	eax, [esp+90h+var_5C]
		and	[esp+90h+var_8], ebx
		mov	[esp+90h+var_14], eax
		lea	eax, [esp+90h+var_1C]
		push	eax
		push	8
		lea	eax, [esp+98h+var_7C]
		mov	[esp+98h+var_1C], 18h
		push	eax
		mov	[esp+9Ch+var_18], esi
		mov	[esp+9Ch+var_10], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9BAB08
		lea	ecx, [esp+90h+var_60]
		call	_PpmAllocateQueryTable@4 ; PpmAllocateQueryTable(x)
		mov	ebx, eax
		mov	[esp+90h+var_70], ebx
		test	ebx, ebx
		jnz	short loc_9BA97A
		mov	esi, 0C000009Ah
		jmp	loc_9BAB08
; 

loc_9BA97A:				; CODE XREF: PpmRegisterSpmSettings(x)+CBj
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		xor	al, al
		mov	[esp+90h+var_7D], al
		cmp	_PpmProfileCount, al
		jbe	loc_9BAAF5

loc_9BA996:				; CODE XREF: PpmRegisterSpmSettings(x)+24Cj
		movzx	eax, al
		lea	edi, [esp+90h+var_1C]
		imul	eax, 228h
		push	10h		; size_t
		push	offset _GUID_POWER_POLICY_PROFILE_LOW_POWER ; void *
		add	eax, _PpmProfiles
		mov	[esp+98h+var_6C], eax
		lea	esi, [eax+8]
		movsd
		lea	eax, [esp+98h+var_1C]
		push	eax		; void *
		movsd
		movsd
		movsd
		call	_memcmp
		add	esp, 0Ch
		push	ecx
		push	ecx
		lea	ecx, [esp+98h+var_68]
		test	eax, eax
		jz	short loc_9BA9DF
		mov	edi, [esp+98h+var_6C]
		mov	edx, [edi]
		call	RtlUnicodeStringInitWorker
		jmp	short loc_9BA9ED
; 

loc_9BA9DF:				; CODE XREF: PpmRegisterSpmSettings(x)+12Dj
		mov	edx, offset ??_C@_1BM@DADMLMO@?$AAV?$AAi?$AAd?$AAe?$AAo?$AAB?$AAa?$AAt?$AAc?$AAh?$AAi?$AAn?$AAg@NNGAKEGL@
		call	RtlUnicodeStringInitWorker
		mov	edi, [esp+90h+var_6C]

loc_9BA9ED:				; CODE XREF: PpmRegisterSpmSettings(x)+13Aj
		mov	eax, [esp+90h+var_7C]
		and	[esp+90h+var_3C], 0
		and	[esp+90h+var_38], 0
		mov	[esp+90h+var_48], eax
		lea	eax, [esp+90h+var_68]
		push	18h
		pop	esi
		mov	[esp+90h+var_44], eax
		lea	eax, [esp+90h+var_4C]
		push	eax
		push	8
		lea	eax, [esp+98h+var_78]
		mov	[esp+98h+var_4C], esi
		push	eax
		mov	[esp+9Ch+var_40], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_9BAADF
		mov	eax, [esp+90h+var_78]
		and	[esp+90h+var_24], 0
		and	[esp+90h+var_20], 0
		mov	[esp+90h+var_30], eax
		lea	eax, [esp+90h+var_54]
		mov	[esp+90h+var_2C], eax
		lea	eax, [esp+90h+var_34]
		push	eax
		push	8
		lea	eax, [esp+98h+var_74]
		mov	[esp+98h+var_34], esi
		push	eax
		mov	[esp+9Ch+var_28], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		push	[esp+90h+var_78]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_9BAADF
		mov	edx, [esp+90h+var_74]
		push	1
		push	ecx
		push	0
		push	ebx
		mov	ecx, 40000000h
		call	RtlpQueryRegistryValues
		push	[esp+90h+var_74]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		test	esi, esi
		js	short loc_9BAB08
		push	ebx
		xor	edx, edx
		lea	ecx, [esp+94h+var_1C]
		call	_PpmProcessSettingsFromQueryTable@12 ; PpmProcessSettingsFromQueryTable(x,x,x)
		push	[esp+90h+var_70]
		xor	edx, edx
		lea	ecx, [esp+94h+var_1C]
		inc	edx
		mov	bl, al
		call	_PpmProcessSettingsFromQueryTable@12 ; PpmProcessSettingsFromQueryTable(x,x,x)
		mov	ecx, offset _PpmPerfPolicyLock
		mov	bh, al
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		test	bl, bl
		jnz	short loc_9BAAD4
		test	bh, bh
		jz	short loc_9BAADB

loc_9BAAD4:				; CODE XREF: PpmRegisterSpmSettings(x)+22Bj
		mov	ecx, edi
		call	PpmEnableProfile

loc_9BAADB:				; CODE XREF: PpmRegisterSpmSettings(x)+22Fj
		mov	ebx, [esp+90h+var_70]

loc_9BAADF:				; CODE XREF: PpmRegisterSpmSettings(x)+186j
					; PpmRegisterSpmSettings(x)+1D0j
		mov	al, [esp+90h+var_7D]
		inc	al
		mov	[esp+90h+var_7D], al
		cmp	al, _PpmProfileCount
		jb	loc_9BA996

loc_9BAAF5:				; CODE XREF: PpmRegisterSpmSettings(x)+EDj
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		or	_PpmProfileStatus, 2
		xor	esi, esi

loc_9BAB08:				; CODE XREF: PpmRegisterSpmSettings(x)+B4j
					; PpmRegisterSpmSettings(x)+D2j ...
		cmp	[esp+90h+var_7C], 0
		jz	short loc_9BAB18
		push	[esp+90h+var_7C]
		call	_ZwClose@4	; ZwClose(x)

loc_9BAB18:				; CODE XREF: PpmRegisterSpmSettings(x)+26Aj
		test	ebx, ebx
		jz	short loc_9BAB27
		push	704D5053h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9BAB27:				; CODE XREF: PpmRegisterSpmSettings(x)+277j
		mov	ecx, [esp+90h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_PpmRegisterSpmSettings@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmParkApplyForcedMask(x, x)
_PpmParkApplyForcedMask@8 proc near	; CODE XREF: NtPowerInformation+17215Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	ecx, offset _PpmPerfPolicyLock
		mov	[ebp+var_C], ebx
		mov	edi, edx
		movzx	eax, word ptr [esi+4]
		mov	[ebp+var_4], eax
		mov	eax, [esi]
		mov	[ebp+var_8], eax
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		xor	eax, eax
		inc	eax
		cmp	word ptr [ebp+var_4], ax
		ja	short loc_9BAB92
		cmp	[esi+6], bx
		jnz	short loc_9BAB92
		cmp	[esi+8], bx
		jnz	short loc_9BAB92
		cmp	[esi+0Ah], bx
		jnz	short loc_9BAB92
		test	edi, edi
		jz	short loc_9BABA8
		mov	eax, [ebp+var_8]
		not	eax
		test	[edi], eax
		jz	short loc_9BABAB

loc_9BAB92:				; CODE XREF: PpmParkApplyForcedMask(x,x)+31j
					; PpmParkApplyForcedMask(x,x)+37j ...
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		mov	ebx, 0C000000Dh

loc_9BABA1:				; CODE XREF: PpmParkApplyForcedMask(x,x)+C9j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_9BABA8:				; CODE XREF: PpmParkApplyForcedMask(x,x)+47j
		lea	edi, [ebp+var_C]

loc_9BABAB:				; CODE XREF: PpmParkApplyForcedMask(x,x)+50j
		mov	eax, _PpmParkNumNodes
		mov	cl, bl
		mov	[ebp+var_10], eax
		mov	esi, ebx
		test	eax, eax
		jz	short loc_9BAB92
		mov	eax, ebx
		mov	ebx, [ebp+var_10]

loc_9BABC0:				; CODE XREF: PpmParkApplyForcedMask(x,x)+B1j
		imul	edx, eax, 0D0h
		mov	eax, [ebp+var_4]
		add	edx, _PpmParkNodes
		cmp	[edx+4], ax
		jnz	short loc_9BABEB
		mov	ecx, [edx+8]
		mov	eax, ecx
		and	eax, [ebp+var_8]
		mov	[edx+14h], eax
		and	ecx, [edi]
		or	byte ptr [edx+6Ah], 1
		mov	[edx+1Ch], ecx
		mov	cl, 1

loc_9BABEB:				; CODE XREF: PpmParkApplyForcedMask(x,x)+93j
		inc	esi
		movzx	eax, si
		cmp	eax, ebx
		jb	short loc_9BABC0
		push	0
		pop	ebx
		test	cl, cl
		jz	short loc_9BAB92
		call	PpmParkApplyPolicy
		call	_PpmParkParkingAvailable@0 ; PpmParkParkingAvailable()
		call	_PpmCheckApplyParkConstraints@0	; PpmCheckApplyParkConstraints()
		jmp	short loc_9BABA1
_PpmParkApplyForcedMask@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmParkClearForcedMask(x)
_PpmParkClearForcedMask@4 proc near	; CODE XREF: NtPowerInformation+17216Dp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		xor	eax, eax
		inc	eax
		cmp	[esi], ax
		jb	short loc_9BAC3C
		mov	ebx, 0C000000Dh

loc_9BAC2C:				; CODE XREF: PpmParkClearForcedMask(x)+7Dj
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)

loc_9BAC36:				; CODE XREF: PpmParkClearForcedMask(x)+8Ej
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_9BAC3C:				; CODE XREF: PpmParkClearForcedMask(x)+1Aj
		xor	ebx, ebx
		push	edi
		mov	edi, _PpmParkNumNodes
		mov	cl, bl
		mov	[ebp+var_1], cl
		mov	edx, ebx
		test	edi, edi
		jz	short loc_9BAC85
		mov	eax, ebx

loc_9BAC52:				; CODE XREF: PpmParkClearForcedMask(x)+78j
		imul	ecx, eax, 0D0h
		add	ecx, _PpmParkNodes
		mov	ax, [ecx+4]
		cmp	ax, [esi]
		jnz	short loc_9BAC7A
		mov	al, [ecx+6Ah]
		test	al, 1
		jz	short loc_9BAC7A
		and	al, 0FEh
		mov	[ecx+6Ah], al
		mov	cl, 1
		mov	[ebp+var_1], cl
		jmp	short loc_9BAC7D
; 

loc_9BAC7A:				; CODE XREF: PpmParkClearForcedMask(x)+5Aj
					; PpmParkClearForcedMask(x)+61j
		mov	cl, [ebp+var_1]

loc_9BAC7D:				; CODE XREF: PpmParkClearForcedMask(x)+6Dj
		inc	edx
		movzx	eax, dx
		cmp	eax, edi
		jb	short loc_9BAC52

loc_9BAC85:				; CODE XREF: PpmParkClearForcedMask(x)+43j
		pop	edi
		test	cl, cl
		jz	short loc_9BAC2C
		call	PpmParkApplyPolicy
		call	_PpmParkParkingAvailable@0 ; PpmParkParkingAvailable()
		call	_PpmCheckApplyParkConstraints@0	; PpmCheckApplyParkConstraints()
		jmp	short loc_9BAC36
_PpmParkClearForcedMask@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleUpdateCoordinatedDependencies(x)
_PpmIdleUpdateCoordinatedDependencies@4	proc near
					; CODE XREF: PpmInstallCoordinatedIdleStates(x)+55p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	edx, edx
		test	byte ptr ds:_HvlpFlags,	2
		push	edi
		mov	edi, ecx
		jz	short loc_9BACBD
		test	ds:_HvlEnlightenments, 400h
		jmp	short loc_9BACC3
; 

loc_9BACBD:				; CODE XREF: PpmIdleUpdateCoordinatedDependencies(x)+14j
		cmp	ds:_HvlHypervisorConnected, dl

loc_9BACC3:				; CODE XREF: PpmIdleUpdateCoordinatedDependencies(x)+20j
		jz	short loc_9BAD3A
		mov	eax, ds:_HvlEnlightenments
		and	eax, 200h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_C], eax
		cmp	[edi], edx
		jbe	short loc_9BAD39
		push	esi
		lea	esi, [edi+44h]

loc_9BACDD:				; CODE XREF: PpmIdleUpdateCoordinatedDependencies(x)+94j
		cmp	[esi+4], dl
		jz	short loc_9BAD33
		mov	[ebp+var_8], edx
		cmp	[esi], edx
		jbe	short loc_9BAD29
		mov	[ebp+var_4], edx

loc_9BACEC:				; CODE XREF: PpmIdleUpdateCoordinatedDependencies(x)+8Cj
		mov	ecx, [esi+8]
		add	ecx, [ebp+var_4]
		cmp	dword ptr [ecx], 0FFFFFFFFh
		jz	short loc_9BAD33
		cmp	[ecx+4], edx
		jz	short loc_9BAD33
		mov	dword ptr [ecx+4], 1
		test	eax, eax
		mov	ecx, [ecx+8]
		setnz	al
		add	[ebp+var_4], 0Ch
		mov	[ecx], al
		mov	eax, [ebp+var_8]
		inc	eax
		mov	word ptr [ecx+1], 101h
		mov	byte ptr [ecx+3], 1
		cmp	eax, [esi]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_C]
		jb	short loc_9BACEC

loc_9BAD29:				; CODE XREF: PpmIdleUpdateCoordinatedDependencies(x)+4Cj
		inc	ebx
		add	esi, 38h
		cmp	ebx, [edi]
		jb	short loc_9BACDD
		jmp	short loc_9BAD38
; 

loc_9BAD33:				; CODE XREF: PpmIdleUpdateCoordinatedDependencies(x)+45j
					; PpmIdleUpdateCoordinatedDependencies(x)+5Aj ...
		mov	edx, 0C00000BBh

loc_9BAD38:				; CODE XREF: PpmIdleUpdateCoordinatedDependencies(x)+96j
		pop	esi

loc_9BAD39:				; CODE XREF: PpmIdleUpdateCoordinatedDependencies(x)+3Cj
		pop	ebx

loc_9BAD3A:				; CODE XREF: PpmIdleUpdateCoordinatedDependencies(x):loc_9BACC3j
		mov	eax, edx
		pop	edi
		leave
		retn
_PpmIdleUpdateCoordinatedDependencies@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleUpdateHvStates(x)
_PpmIdleUpdateHvStates@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ds:_HvlEnlightenments, 408h
		jnz	short loc_9BAD57
		mov	eax, 0C00000BBh
		jmp	short loc_9BAD7A
; 

loc_9BAD57:				; CODE XREF: PpmIdleUpdateHvStates(x)+Fj
		push	esi
		mov	esi, [ebp+arg_0]
		push	dword ptr [esi+4]
		call	_HvlGetLpIndexFromApicId@4 ; HvlGetLpIndexFromApicId(x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9BAD6F
		mov	eax, 0C000000Dh
		jmp	short loc_9BAD79
; 

loc_9BAD6F:				; CODE XREF: PpmIdleUpdateHvStates(x)+27j
		mov	edx, [esi+8]
		mov	ecx, eax
		call	_HvlConfigureIdleStates@8 ; HvlConfigureIdleStates(x,x)

loc_9BAD79:				; CODE XREF: PpmIdleUpdateHvStates(x)+2Ej
		pop	esi

loc_9BAD7A:				; CODE XREF: PpmIdleUpdateHvStates(x)+16j
		pop	ebp
		retn	4
_PpmIdleUpdateHvStates@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmIdleUpdatePlatformDependencies(x)
_PpmIdleUpdatePlatformDependencies@4 proc near
					; CODE XREF: PpmInstallPlatformIdleStates(x)+6Ep

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		test	byte ptr ds:_HvlpFlags,	2
		mov	edx, ecx
		mov	[ebp+var_8], edx
		jz	short loc_9BAD9F
		test	ds:_HvlEnlightenments, 400h
		jmp	short loc_9BADA6
; 

loc_9BAD9F:				; CODE XREF: PpmIdleUpdatePlatformDependencies(x)+13j
		cmp	ds:_HvlHypervisorConnected, 0

loc_9BADA6:				; CODE XREF: PpmIdleUpdatePlatformDependencies(x)+1Fj
		jz	short locret_9BADEC
		push	esi
		push	edi
		mov	edi, ds:_HvlEnlightenments
		xor	esi, esi
		and	edi, 200h
		cmp	[edx+8], esi
		jbe	short loc_9BADEA
		lea	ecx, [edx+30h]
		push	ebx

loc_9BADC1:				; CODE XREF: PpmIdleUpdatePlatformDependencies(x)+69j
		test	edi, edi
		setnz	al
		xor	ebx, ebx
		mov	[ecx-0Bh], al
		cmp	[ecx], ebx
		jbe	short loc_9BADE0
		mov	dl, al

loc_9BADD1:				; CODE XREF: PpmIdleUpdatePlatformDependencies(x)+5Dj
		mov	eax, [ecx+0Ch]
		mov	[eax+ebx*8+4], dl
		inc	ebx
		cmp	ebx, [ecx]
		jb	short loc_9BADD1
		mov	edx, [ebp+var_8]

loc_9BADE0:				; CODE XREF: PpmIdleUpdatePlatformDependencies(x)+4Fj
		inc	esi
		add	ecx, 20h
		cmp	esi, [edx+8]
		jb	short loc_9BADC1
		pop	ebx

loc_9BADEA:				; CODE XREF: PpmIdleUpdatePlatformDependencies(x)+3Dj
		pop	edi
		pop	esi

locret_9BADEC:				; CODE XREF: PpmIdleUpdatePlatformDependencies(x):loc_9BADA6j
		leave
		retn
_PpmIdleUpdatePlatformDependencies@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPerfRegisterHvCap(x)
_PpmPerfRegisterHvCap@4	proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		test	byte ptr ds:_HvlEnlightenments,	8
		jnz	short loc_9BAE06
		mov	eax, 0C00000BBh
		jmp	short locret_9BAE3B
; 

loc_9BAE06:				; CODE XREF: PpmPerfRegisterHvCap(x)+Fj
		push	esi
		mov	esi, [ebp+arg_0]
		push	dword ptr [esi+4]
		call	_HvlGetLpIndexFromApicId@4 ; HvlGetLpIndexFromApicId(x)
		mov	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_9BAE20
		mov	eax, 0C000000Dh
		jmp	short loc_9BAE3A
; 

loc_9BAE20:				; CODE XREF: PpmPerfRegisterHvCap(x)+29j
		mov	eax, [esi+8]
		lea	edx, [ebp+var_C]
		mov	[ebp+var_C], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_8], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_4], eax
		call	_HvlConfigurePerfStateCap@8 ; HvlConfigurePerfStateCap(x,x)

loc_9BAE3A:				; CODE XREF: PpmPerfRegisterHvCap(x)+30j
		pop	esi

locret_9BAE3B:				; CODE XREF: PpmPerfRegisterHvCap(x)+16j
		leave
		retn	4
_PpmPerfRegisterHvCap@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPerfRegisterHvPerfStateCounters(x)
_PpmPerfRegisterHvPerfStateCounters@4 proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		test	ds:_HvlEnlightenments, 400h
		push	ebx
		push	esi
		push	edi
		jnz	short loc_9BAE63
		mov	esi, 0C00000BBh
		jmp	loc_9BAF1A
; 

loc_9BAE63:				; CODE XREF: PpmPerfRegisterHvPerfStateCounters(x)+18j
		mov	eax, [ebp+arg_0]
		mov	ebx, [eax+8]
		mov	ecx, [eax+4]
		mov	[esp+28h+var_14], ecx
		mov	ecx, offset _PpmPerfPolicyLock
		mov	esi, [ebx+10h]
		mov	[esp+28h+var_4], esi
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		xor	edi, edi
		test	esi, esi
		jz	loc_9BAF0F
		mov	eax, [esp+28h+var_14]
		mov	esi, edi
		mov	[esp+28h+var_10], esi
		mov	[esp+28h+var_18], eax

loc_9BAE99:				; CODE XREF: PpmPerfRegisterHvPerfStateCounters(x)+CEj
		mov	eax, [ebx+0A8h]
		mov	eax, [esi+eax]
		mov	[esp+28h+var_C], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9BAF25
		push	eax
		call	_HvlGetLpIndexFromProcessorIndex@4 ; HvlGetLpIndexFromProcessorIndex(x)
		mov	ecx, [esp+28h+var_C]
		mov	[esp+28h+var_8], eax
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		add	eax, 3D70h
		cmp	[esp+28h+var_14], 0
		mov	[esp+28h+var_C], eax
		jz	short loc_9BAEEE
		mov	ecx, [esp+28h+var_8]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_9BAEEE
		mov	edx, [esp+28h+var_18]
		call	_HvlRegisterPerfFeedbackCounters@8 ; HvlRegisterPerfFeedbackCounters(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9BAF2A
		mov	esi, [esp+28h+var_10]
		mov	eax, [esp+28h+var_C]

loc_9BAEEE:				; CODE XREF: PpmPerfRegisterHvPerfStateCounters(x)+8Dj
					; PpmPerfRegisterHvPerfStateCounters(x)+96j
		test	eax, eax
		jz	short loc_9BAEFC
		mov	dword ptr [eax+0C8h], 3

loc_9BAEFC:				; CODE XREF: PpmPerfRegisterHvPerfStateCounters(x)+B1j
		add	[esp+28h+var_18], 68h
		inc	edi
		add	esi, 14h
		mov	[esp+28h+var_10], esi
		cmp	edi, [esp+28h+var_4]
		jb	short loc_9BAE99

loc_9BAF0F:				; CODE XREF: PpmPerfRegisterHvPerfStateCounters(x)+46j
		mov	dl, 1
		mov	ecx, ebx
		call	PpmRegisterPerfStates
		mov	esi, eax

loc_9BAF1A:				; CODE XREF: PpmPerfRegisterHvPerfStateCounters(x)+1Fj
					; PpmPerfRegisterHvPerfStateCounters(x)+F5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_9BAF25:				; CODE XREF: PpmPerfRegisterHvPerfStateCounters(x)+6Aj
		mov	esi, 0C000000Dh

loc_9BAF2A:				; CODE XREF: PpmPerfRegisterHvPerfStateCounters(x)+A5j
		mov	ecx, offset _PpmPerfPolicyLock
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		jmp	short loc_9BAF1A
_PpmPerfRegisterHvPerfStateCounters@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmPerfRegisterHvStates(x)
_PpmPerfRegisterHvStates@4 proc	near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		test	byte ptr ds:_HvlEnlightenments,	8
		mov	esi, edi
		jnz	short loc_9BAF56
		mov	esi, 0C00000BBh
		jmp	short loc_9BAFB1
; 

loc_9BAF56:				; CODE XREF: PpmPerfRegisterHvStates(x)+17j
		mov	ebx, [ebp+arg_0]
		push	dword ptr [ebx+4]
		call	_HvlGetLpIndexFromApicId@4 ; HvlGetLpIndexFromApicId(x)
		mov	[esp+10h+var_4], eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9BAF71
		mov	esi, 0C000000Dh
		jmp	short loc_9BAFB1
; 

loc_9BAF71:				; CODE XREF: PpmPerfRegisterHvStates(x)+32j
		mov	edx, [ebx+10h]
		mov	ecx, [ebx+8]
		mov	ebx, [ebx+0Ch]
		test	edx, edx
		jz	short loc_9BAF89
		mov	ecx, eax
		call	_HvlConfigurePcc@8 ; HvlConfigurePcc(x,x)
		mov	esi, eax
		jmp	short loc_9BAFB1
; 

loc_9BAF89:				; CODE XREF: PpmPerfRegisterHvStates(x)+46j
		test	ecx, ecx
		jz	short loc_9BAF9C
		mov	edx, ecx
		mov	ecx, eax
		call	_HvlConfigurePerfStates@8 ; HvlConfigurePerfStates(x,x)
		mov	esi, eax
		mov	eax, [esp+10h+var_4]

loc_9BAF9C:				; CODE XREF: PpmPerfRegisterHvStates(x)+55j
		test	ebx, ebx
		jz	short loc_9BAFAB
		mov	edx, ebx
		mov	ecx, eax
		call	_HvlConfigureThrottleStates@8 ;	HvlConfigureThrottleStates(x,x)
		mov	edi, eax

loc_9BAFAB:				; CODE XREF: PpmPerfRegisterHvStates(x)+68j
		test	esi, esi
		jnz	short loc_9BAFB1
		mov	esi, edi

loc_9BAFB1:				; CODE XREF: PpmPerfRegisterHvStates(x)+1Ej
					; PpmPerfRegisterHvStates(x)+39j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_PpmPerfRegisterHvStates@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagBroadcastTreeBegin(x, x, x)
_PopDirectedDripsDiagBroadcastTreeBegin@12 proc	near
					; CODE XREF: PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+37p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		and	dword ptr [eax], 0
		mov	esi, offset _PopDirectedDripsDiagLock
		push	edi
		xor	edx, edx
		mov	[ebp+var_4], ebx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	edi, [ebx+1F0h]
		test	edi, edi
		jnz	short loc_9BAFFD
		mov	ecx, ebx
		call	_PopDirectedDripsDiagCreateDeviceDiagnostic@4 ;	PopDirectedDripsDiagCreateDeviceDiagnostic(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9BB0BA

loc_9BAFFD:				; CODE XREF: PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+2Ej
		mov	ebx, [edi+54h]
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_9BB016
		mov	eax, dword_6BF82C
		mov	[edi+54h], eax
		inc	dword_6BF82C
		mov	ebx, [edi+54h]

loc_9BB016:				; CODE XREF: PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+47j
		mov	eax, _PopDirectedDripsDiagSessionContext
		mov	ecx, offset _PopDirectedDripsDiagSessionContext
		cmp	eax, ecx
		jz	short loc_9BB037

loc_9BB024:				; CODE XREF: PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+75j
		mov	esi, eax
		cmp	[eax+10h], ebx
		jz	short loc_9BB033
		mov	eax, [eax]
		xor	esi, esi
		cmp	eax, ecx
		jnz	short loc_9BB024

loc_9BB033:				; CODE XREF: PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+6Dj
		test	esi, esi
		jnz	short loc_9BB084

loc_9BB037:				; CODE XREF: PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+66j
		push	67696450h
		push	0D8h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9BB0B5
		push	0D8h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	[esi+10h], ebx
		mov	ecx, offset _PopDirectedDripsDiagSessionContext
		mov	[esi+8], edi
		add	esp, 0Ch
		mov	eax, dword_6BF644
		cmp	[eax], ecx
		jz	short loc_9BB077
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9BB077:				; CODE XREF: PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+B4j
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6BF644, esi

loc_9BB084:				; CODE XREF: PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+79j
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx+28h]
		call	_PopDirectedDripsDiagGetDeviceActiveStamp@4 ; PopDirectedDripsDiagGetDeviceActiveStamp(x)
		mov	[esi+20h], eax
		mov	[esi+24h], edx
		mov	eax, dword_6BF830
		mov	[esi+14h], eax
		mov	eax, [esi+18h]
		xor	eax, [ebp+var_8]
		and	eax, 0Fh
		xor	[esi+18h], eax
		mov	eax, [ebp+arg_0]
		or	dword ptr [edi+58h], 60000h
		mov	[eax], esi

loc_9BB0B5:				; CODE XREF: PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+90j
		mov	esi, offset _PopDirectedDripsDiagLock

loc_9BB0BA:				; CODE XREF: PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+3Bj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9BB0CE
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9BB0CE:				; CODE XREF: PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+109j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopDirectedDripsDiagBroadcastTreeBegin@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagBroadcastTreeEnd(x, x, x, x)
_PopDirectedDripsDiagBroadcastTreeEnd@16 proc near
					; CODE XREF: PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+D0p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_9BB141
		mov	ebx, offset _PopDirectedDripsDiagLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		test	edi, edi
		js	short loc_9BB11F
		mov	eax, [ebp+arg_0]
		shl	eax, 4
		xor	eax, [esi+18h]
		and	eax, 0F0h
		xor	[esi+18h], eax
		cmp	[ebp+arg_4], 0
		jnz	short loc_9BB11F
		and	dword ptr [esi+18h], 0FFFFFEFFh
		jmp	short loc_9BB126
; 

loc_9BB11F:				; CODE XREF: PopDirectedDripsDiagBroadcastTreeEnd(x,x,x,x)+21j
					; PopDirectedDripsDiagBroadcastTreeEnd(x,x,x,x)+38j
		or	dword ptr [esi+18h], 100h

loc_9BB126:				; CODE XREF: PopDirectedDripsDiagBroadcastTreeEnd(x,x,x,x)+41j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9BB13A
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9BB13A:				; CODE XREF: PopDirectedDripsDiagBroadcastTreeEnd(x,x,x,x)+55j
		mov	ecx, ebx
		call	KeAbPostRelease

loc_9BB141:				; CODE XREF: PopDirectedDripsDiagBroadcastTreeEnd(x,x,x,x)+Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_PopDirectedDripsDiagBroadcastTreeEnd@16 endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsDiagCreateBlockerEntryBoolean(x, x,	x)
_PopDirectedDripsDiagCreateBlockerEntryBoolean@12 proc near
					; CODE XREF: PopDirectedDripsDiagRundownDevices()+123p
					; PopDirectedDripsDiagRundownDevices()+153p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		lea	ecx, [esi+2]

loc_9BB157:				; CODE XREF: PopDirectedDripsDiagCreateBlockerEntryBoolean(x,x,x)+17j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, bx
		jnz	short loc_9BB157
		sub	esi, ecx
		mov	[edi+4], edx
		push	offset ??_C@_19ELAAHEEL@?$AAT?$AAR?$AAU?$AAE@NNGAKEGL@ ; "TRUE"
		sar	esi, 1
		push	offset ??_C@_15GANGMFKL@?$AA?$CF?$AAs@NNGAKEGL@	; "%"
		mov	[edi], esi
		lea	esi, [edi+0Ch]
		push	10h		; int
		push	esi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		lea	ecx, [esi+2]

loc_9BB186:				; CODE XREF: PopDirectedDripsDiagCreateBlockerEntryBoolean(x,x,x)+46j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, bx
		jnz	short loc_9BB186
		sub	esi, ecx
		sar	esi, 1
		mov	[edi+8], esi
		pop	edi
		pop	esi
		pop	ebx
		retn	4
_PopDirectedDripsDiagCreateBlockerEntryBoolean@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagCreateBlockerEntryULong(x, x, x)
_PopDirectedDripsDiagCreateBlockerEntryULong@12	proc near
					; CODE XREF: PopDirectedDripsDiagRundownDevices()+CAp
					; PopDirectedDripsDiagRundownDevices()+F6p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		lea	ecx, [esi+2]

loc_9BB1AF:				; CODE XREF: PopDirectedDripsDiagCreateBlockerEntryULong(x,x,x)+1Aj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, bx
		jnz	short loc_9BB1AF
		push	dword ptr [ebp+arg_0] ;	char
		sub	esi, ecx
		mov	[edi+4], edx
		sar	esi, 1
		push	offset ??_C@_15KNBIKKIN@?$AA?$CF?$AAd@NNGAKEGL@	; wchar_t *
		mov	[edi], esi
		lea	esi, [edi+0Ch]
		push	10h		; int
		push	esi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		lea	ecx, [esi+2]

loc_9BB1DC:				; CODE XREF: PopDirectedDripsDiagCreateBlockerEntryULong(x,x,x)+47j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, bx
		jnz	short loc_9BB1DC
		sub	esi, ecx
		sar	esi, 1
		mov	[edi+8], esi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PopDirectedDripsDiagCreateBlockerEntryULong@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagCreateDeviceDescription(x, x)
_PopDirectedDripsDiagCreateDeviceDescription@8 proc near
					; CODE XREF: PopDirectedDripsDiagCreateDeviceDiagnostic(x)+41p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	[ebp+var_4], edi
		mov	eax, [edi+10h]
		cdq
		mov	[esi+14h], edx
		lea	edx, [esi+20h]
		mov	[esi+10h], eax
		call	PopGenerateDeviceFriendlyName
		test	eax, eax
		js	loc_9BB2BD
		mov	ecx, [edi+10h]
		lea	ebx, [esi+28h]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_PopDiagQueryDevicePropertyString@12 ; PopDiagQueryDevicePropertyString(x,x,x)
		xor	ecx, ecx
		test	eax, eax
		js	short loc_9BB262
		movzx	eax, word ptr [ebx]
		shr	eax, 1
		cmp	eax, 2
		jbe	short loc_9BB269
		push	2
		pop	edx
		xor	edi, edi

loc_9BB243:				; CODE XREF: PopDirectedDripsDiagCreateDeviceDescription(x,x)+66j
		mov	ebx, [esi+2Ch]
		cmp	[ecx+ebx], di
		jnz	short loc_9BB255
		push	2Ch
		pop	edi
		mov	[ecx+ebx], di
		xor	edi, edi

loc_9BB255:				; CODE XREF: PopDirectedDripsDiagCreateDeviceDescription(x,x)+55j
		add	ecx, 2
		inc	edx
		cmp	edx, eax
		jb	short loc_9BB243
		mov	edi, [ebp+var_4]
		jmp	short loc_9BB269
; 

loc_9BB262:				; CODE XREF: PopDirectedDripsDiagCreateDeviceDescription(x,x)+3Dj
		cmp	eax, 0C0000034h
		jnz	short loc_9BB2BD

loc_9BB269:				; CODE XREF: PopDirectedDripsDiagCreateDeviceDescription(x,x)+47j
					; PopDirectedDripsDiagCreateDeviceDescription(x,x)+6Bj
		mov	ecx, [edi+10h]
		lea	eax, [esi+30h]
		push	eax
		push	5
		pop	edx
		call	_PopDiagQueryDevicePropertyString@12 ; PopDiagQueryDevicePropertyString(x,x,x)
		test	eax, eax
		jns	short loc_9BB283
		cmp	eax, 0C0000034h
		jnz	short loc_9BB2BD

loc_9BB283:				; CODE XREF: PopDirectedDripsDiagCreateDeviceDescription(x,x)+85j
		mov	ecx, [edi+10h]
		lea	eax, [esi+38h]
		push	eax
		push	6
		pop	edx
		call	_PopDiagQueryDevicePropertyString@12 ; PopDiagQueryDevicePropertyString(x,x,x)
		test	eax, eax
		jns	short loc_9BB29D
		cmp	eax, 0C0000034h
		jnz	short loc_9BB2BD

loc_9BB29D:				; CODE XREF: PopDirectedDripsDiagCreateDeviceDescription(x,x)+9Fj
		lea	edx, [esi+40h]
		lea	ecx, [edi+14h]
		call	_PopCloneUnicodeString@8 ; PopCloneUnicodeString(x,x)
		test	eax, eax
		js	short loc_9BB2BD
		lea	edx, [esi+48h]
		lea	ecx, [edi+1Ch]
		call	_PopCloneUnicodeString@8 ; PopCloneUnicodeString(x,x)
		test	eax, eax
		js	short loc_9BB2BD
		xor	eax, eax

loc_9BB2BD:				; CODE XREF: PopDirectedDripsDiagCreateDeviceDescription(x,x)+24j
					; PopDirectedDripsDiagCreateDeviceDescription(x,x)+72j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopDirectedDripsDiagCreateDeviceDescription@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsDiagCreateDeviceDiagnostic(x)
_PopDirectedDripsDiagCreateDeviceDiagnostic@4 proc near
					; CODE XREF: PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)+32p
					; PopDirectedDripsDiagTraceBroadcastVisit(x,x,x)+52p ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		push	67696450h
		push	68h
		push	1
		mov	edi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9BB33D
		push	68h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	[esi+8], edi
		add	esp, 0Ch
		mov	eax, dword_6BF828
		mov	edx, esi
		mov	[esi+0Ch], eax
		mov	ecx, edi
		inc	dword_6BF828
		or	dword ptr [esi+54h], 0FFFFFFFFh
		call	_PopDirectedDripsDiagCreateDeviceDescription@8 ; PopDirectedDripsDiagCreateDeviceDescription(x,x)
		test	eax, eax
		js	short loc_9BB334
		mov	[edi+1F0h], esi
		mov	ecx, offset dword_6BF648
		mov	eax, dword_6BF64C
		cmp	[eax], ecx
		jz	short loc_9BB325
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9BB325:				; CODE XREF: PopDirectedDripsDiagCreateDeviceDiagnostic(x)+5Cj
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6BF64C, esi
		jmp	short loc_9BB33D
; 

loc_9BB334:				; CODE XREF: PopDirectedDripsDiagCreateDeviceDiagnostic(x)+48j
		mov	ecx, esi
		call	_PopDirectedDripsDiagFreeDeviceDiagnostic@4 ; PopDirectedDripsDiagFreeDeviceDiagnostic(x)
		xor	esi, esi

loc_9BB33D:				; CODE XREF: PopDirectedDripsDiagCreateDeviceDiagnostic(x)+19j
					; PopDirectedDripsDiagCreateDeviceDiagnostic(x)+70j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		retn
_PopDirectedDripsDiagCreateDeviceDiagnostic@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsDiagDestroyDeviceDiagnostic(x)
_PopDirectedDripsDiagDestroyDeviceDiagnostic@4 proc near
					; CODE XREF: PoFxAbandonDevice(x)+7p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_PopIsDirectedDripsEnabled@0 ; PopIsDirectedDripsEnabled()
		test	al, al
		jz	short loc_9BB392
		push	edi
		mov	edi, offset _PopDirectedDripsDiagLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+1F0h]
		test	eax, eax
		jz	short loc_9BB375
		and	dword ptr [esi+1F0h], 0
		and	dword ptr [eax+8], 0

loc_9BB375:				; CODE XREF: PopDirectedDripsDiagDestroyDeviceDiagnostic(x)+25j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9BB389
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9BB389:				; CODE XREF: PopDirectedDripsDiagDestroyDeviceDiagnostic(x)+3Dj
		mov	ecx, edi
		pop	edi
		pop	esi
		jmp	KeAbPostRelease
; 

loc_9BB392:				; CODE XREF: PopDirectedDripsDiagDestroyDeviceDiagnostic(x)+Cj
		pop	esi
		retn
_PopDirectedDripsDiagDestroyDeviceDiagnostic@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagExtractDeviceDescription(x, x, x, x, x,	x, x)
_PopDirectedDripsDiagExtractDeviceDescription@28 proc near
					; CODE XREF: PopDirectedDripsDiagRundownDevices()+19Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, offset _PopDirectedDripsDiagEmptyString
		mov	eax, esi
		cmp	[ecx+24h], edi
		jz	short loc_9BB3AC
		lea	eax, [ecx+20h]

loc_9BB3AC:				; CODE XREF: PopDirectedDripsDiagExtractDeviceDescription(x,x,x,x,x,x,x)+13j
		mov	[edx], eax
		mov	edx, esi
		cmp	[ecx+2Ch], edi
		jz	short loc_9BB3B8
		lea	edx, [ecx+28h]

loc_9BB3B8:				; CODE XREF: PopDirectedDripsDiagExtractDeviceDescription(x,x,x,x,x,x,x)+1Fj
		mov	eax, [ebp+arg_0]
		mov	[eax], edx
		mov	edx, esi
		cmp	[ecx+34h], edi
		jz	short loc_9BB3C7
		lea	edx, [ecx+30h]

loc_9BB3C7:				; CODE XREF: PopDirectedDripsDiagExtractDeviceDescription(x,x,x,x,x,x,x)+2Ej
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		mov	edx, esi
		cmp	[ecx+3Ch], edi
		jz	short loc_9BB3D6
		lea	edx, [ecx+38h]

loc_9BB3D6:				; CODE XREF: PopDirectedDripsDiagExtractDeviceDescription(x,x,x,x,x,x,x)+3Dj
		mov	eax, [ebp+arg_8]
		mov	[eax], edx
		mov	edx, esi
		cmp	[ecx+44h], edi
		jz	short loc_9BB3E5
		lea	edx, [ecx+40h]

loc_9BB3E5:				; CODE XREF: PopDirectedDripsDiagExtractDeviceDescription(x,x,x,x,x,x,x)+4Cj
		mov	eax, [ebp+arg_C]
		mov	[eax], edx
		cmp	[ecx+4Ch], edi
		jz	short loc_9BB3F2
		lea	esi, [ecx+48h]

loc_9BB3F2:				; CODE XREF: PopDirectedDripsDiagExtractDeviceDescription(x,x,x,x,x,x,x)+59j
		mov	eax, [ebp+arg_10]
		pop	edi
		mov	[eax], esi
		pop	esi
		pop	ebp
		retn	14h
_PopDirectedDripsDiagExtractDeviceDescription@28 endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsDiagFreeDeviceDiagnostic(x)
_PopDirectedDripsDiagFreeDeviceDiagnostic@4 proc near
					; CODE XREF: PopDirectedDripsDiagCreateDeviceDiagnostic(x)+74p
					; PopDirectedDripsDiagRundownDevices()+84Fp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 67696450h
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_9BB416
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9BB416:				; CODE XREF: PopDirectedDripsDiagFreeDeviceDiagnostic(x)+10j
		mov	eax, [esi+2Ch]
		test	eax, eax
		jz	short loc_9BB424
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9BB424:				; CODE XREF: PopDirectedDripsDiagFreeDeviceDiagnostic(x)+1Ej
		mov	eax, [esi+34h]
		test	eax, eax
		jz	short loc_9BB432
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9BB432:				; CODE XREF: PopDirectedDripsDiagFreeDeviceDiagnostic(x)+2Cj
		mov	eax, [esi+3Ch]
		test	eax, eax
		jz	short loc_9BB440
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9BB440:				; CODE XREF: PopDirectedDripsDiagFreeDeviceDiagnostic(x)+3Aj
		mov	eax, [esi+44h]
		test	eax, eax
		jz	short loc_9BB44E
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9BB44E:				; CODE XREF: PopDirectedDripsDiagFreeDeviceDiagnostic(x)+48j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_PopDirectedDripsDiagFreeDeviceDiagnostic@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagInsertErrorRecord(x, x,	x)
_PopDirectedDripsDiagInsertErrorRecord@12 proc near
					; CODE XREF: PopDirectedDripsDiagTraceBroadcastFailureDevice(x)+4Cp
					; PopDirectedDripsDiagTraceProblemDevice(x,x,x)+54p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		lea	esi, [ecx+0Ch]
		mov	ebx, edx
		mov	ecx, [esi]
		push	edi
		test	ecx, ecx
		jz	short loc_9BB482

loc_9BB46B:				; CODE XREF: PopDirectedDripsDiagInsertErrorRecord(x,x,x)+28j
		cmp	[ecx+4], ebx
		jnz	short loc_9BB478
		mov	eax, [ebp+arg_0]
		cmp	[ecx+8], eax
		jz	short loc_9BB482

loc_9BB478:				; CODE XREF: PopDirectedDripsDiagInsertErrorRecord(x,x,x)+16j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_9BB46B

loc_9BB482:				; CODE XREF: PopDirectedDripsDiagInsertErrorRecord(x,x,x)+11j
					; PopDirectedDripsDiagInsertErrorRecord(x,x,x)+1Ej
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_9BB4B3
		push	67696450h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esi], edi
		test	edi, edi
		jz	short loc_9BB4B6
		xor	eax, eax
		mov	ecx, [ebp+arg_0]
		stosd
		stosd
		stosd
		stosd
		mov	eax, [esi]
		mov	[eax+4], ebx
		mov	eax, [esi]
		mov	[eax+8], ecx
		mov	eax, [esi]

loc_9BB4B3:				; CODE XREF: PopDirectedDripsDiagInsertErrorRecord(x,x,x)+2Ej
		inc	dword ptr [eax+0Ch]

loc_9BB4B6:				; CODE XREF: PopDirectedDripsDiagInsertErrorRecord(x,x,x)+44j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PopDirectedDripsDiagInsertErrorRecord@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagNotifySessionStart(x, x, x)
_PopDirectedDripsDiagNotifySessionStart@12 proc	near
					; CODE XREF: PopDirectedDripsNotify+9C2AFp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		call	_PopIsDirectedDripsEnabled@0 ; PopIsDirectedDripsEnabled()
		test	al, al
		jz	short loc_9BB50F
		push	edi
		mov	edi, offset _PopDirectedDripsDiagLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+arg_0]
		mov	dword_6BF650, eax
		mov	eax, [ebp+arg_4]
		mov	dword_6BF654, eax
		or	eax, 0FFFFFFFFh
		mov	dword_6BF658, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9BB507
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9BB507:				; CODE XREF: PopDirectedDripsDiagNotifySessionStart(x,x,x)+41j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi

loc_9BB50F:				; CODE XREF: PopDirectedDripsDiagNotifySessionStart(x,x,x)+Fj
		pop	esi
		pop	ebp
		retn	8
_PopDirectedDripsDiagNotifySessionStart@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagNotifySessionStop(x, x,	x)
_PopDirectedDripsDiagNotifySessionStop@12 proc near
					; CODE XREF: PopDirectedDripsSendSessionData(x)+2Bp

var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_114		= dword	ptr -114h
var_AC		= dword	ptr -0ACh
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 210h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_1F4], 0
		and	[ebp+var_1F0], 0
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_PopIsDirectedDripsEnabled@0 ; PopIsDirectedDripsEnabled()
		test	al, al
		jz	loc_9BB6F0
		lea	eax, [ebp+var_1E4]
		push	eax
		lea	eax, [ebp+var_114]
		push	eax
		lea	edx, [ebp+var_1F4]
		call	_PopDirectedDripsDiagQueryAndResetPnpAccounting@16 ; PopDirectedDripsDiagQueryAndResetPnpAccounting(x,x,x,x)
		mov	eax, dword_6C1D84
		xor	edx, edx
		mov	ebx, _PopWnfCsEnterScenarioId
		mov	ecx, offset _PopDirectedDripsDiagLock
		mov	[ebp+var_1E8], eax
		call	ExAcquirePushLockExclusiveEx
		cmp	_PopDirectedDripsDiagTraceHandleRegistered, 0
		jz	loc_9BB6C6
		cmp	ds:dword_A93B08, 5
		jbe	loc_9BB6C6
		push	4000h
		push	0
		mov	ecx, offset dword_A93B08
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9BB6C6
		mov	eax, [ebp+var_1E8]
		mov	[ebp+var_200], eax
		lea	eax, [ebp+var_204]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_1E8]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_1F8]
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_1FC], eax
		lea	eax, [ebp+var_1FC]
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+var_1F4]
		mov	[ebp+var_20C], eax
		mov	eax, [ebp+var_1F0]
		mov	[ebp+var_208], eax
		lea	eax, [ebp+var_20C]
		push	8
		pop	edx
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_114]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_1E4]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_1F4]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_AC]
		push	eax
		push	0Ah
		mov	[ebp+var_204], ebx
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	offset loc_420728
		push	offset dword_A93B08
		mov	[ebp+var_88], ebx
		mov	[ebp+var_84], edx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_1E8], edi
		mov	[ebp+var_78], ebx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_1F8], esi
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], 68h
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], 0D0h
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1F4], 1000000h
		mov	[ebp+var_1F0], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9BB6C6:				; CODE XREF: PopDirectedDripsDiagNotifySessionStop(x,x,x)+74j
					; PopDirectedDripsDiagNotifySessionStop(x,x,x)+81j ...
		call	_PopDirectedDripsDiagRundownBroadcastTrees@0 ; PopDirectedDripsDiagRundownBroadcastTrees()
		call	_PopDirectedDripsDiagRundownDevices@0 ;	PopDirectedDripsDiagRundownDevices()
		or	eax, 0FFFFFFFFh
		mov	esi, offset _PopDirectedDripsDiagLock
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9BB6E9
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9BB6E9:				; CODE XREF: PopDirectedDripsDiagNotifySessionStop(x,x,x)+1CCj
		mov	ecx, esi
		call	KeAbPostRelease

loc_9BB6F0:				; CODE XREF: PopDirectedDripsDiagNotifySessionStop(x,x,x)+31j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDirectedDripsDiagNotifySessionStop@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagRundownBroadcastTrees()
_PopDirectedDripsDiagRundownBroadcastTrees@0 proc near
					; CODE XREF: PopDirectedDripsDiagNotifySessionStop(x,x,x):loc_9BB6C6p

var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 184h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, _PopWnfCsEnterScenarioId
		push	ebx
		push	esi
		mov	[ebp+var_130], eax
		xor	ebx, ebx
		mov	eax, dword_6C1D84
		push	edi
		mov	[ebp+var_12C], eax

loc_9BB731:				; CODE XREF: PopDirectedDripsDiagRundownBroadcastTrees()+434j
		mov	esi, _PopDirectedDripsDiagSessionContext
		mov	ecx, offset _PopDirectedDripsDiagSessionContext
		push	4
		pop	edi
		cmp	esi, ecx
		jz	loc_9BBB3F
		mov	eax, [esi]
		cmp	[esi+4], ecx
		jnz	loc_9BBB3A
		cmp	[eax+4], esi
		jnz	loc_9BBB3A
		mov	_PopDirectedDripsDiagSessionContext, eax
		mov	[eax+4], ecx
		cmp	ds:dword_A93B08, 5
		jbe	loc_9BBB1F
		push	4000h
		push	ebx
		mov	ecx, offset dword_A93B08
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9BBB1F
		mov	eax, [ebp+var_130]
		mov	ecx, [esi+8]
		mov	[ebp+var_168], eax
		mov	eax, [ebp+var_12C]
		mov	[ebp+var_164], eax
		lea	eax, [ebp+var_168]
		mov	[ebp+var_B8], eax
		push	8
		pop	edx
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_B0], edx
		mov	[ebp+var_AC], ebx
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_134], eax
		lea	eax, [ebp+var_134]
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A0], edi
		mov	[ebp+var_A4], ebx
		mov	[ebp+var_9C], ebx
		mov	eax, [ecx+50h]
		mov	[ebp+var_138], eax
		lea	eax, [ebp+var_138]
		mov	[ebp+var_98], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_13C], eax
		lea	eax, [ebp+var_13C]
		mov	[ebp+var_88], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_140], eax
		lea	eax, [ebp+var_140]
		mov	[ebp+var_78], eax
		lea	eax, [esi+28h]
		mov	[ebp+var_68], eax
		lea	eax, [esi+40h]
		mov	[ebp+var_58], eax
		lea	eax, [esi+0B0h]
		mov	[ebp+var_48], eax
		lea	eax, [esi+70h]
		push	14h
		pop	ecx
		mov	[ebp+var_38], eax
		lea	eax, [esi+88h]
		push	28h
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_170]
		mov	[ebp+var_90], edi
		mov	[ebp+var_80], edi
		mov	[ebp+var_70], edi
		pop	edi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_D8]
		push	eax
		push	0Dh
		push	ebx
		mov	[ebp+var_94], ebx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], 24h
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_170], 1000000h
		mov	[ebp+var_16C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ebx
		push	ebx
		push	offset loc_420593
		push	offset dword_A93B08
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_9BBB1F
; 

loc_9BB8EA:				; CODE XREF: PopDirectedDripsDiagRundownBroadcastTrees()+423j
		cmp	ds:dword_A93B08, 5
		jbe	loc_9BBA29
		push	4000h
		push	ebx
		mov	ecx, offset dword_A93B08
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9BBA29
		mov	eax, [ebp+var_130]
		mov	[ebp+var_178], eax
		mov	eax, [ebp+var_12C]
		mov	[ebp+var_174], eax
		lea	eax, [ebp+var_178]
		mov	[ebp+var_88], eax
		mov	eax, [esi+8]
		push	8
		pop	edx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], edx
		mov	[ebp+var_7C], ebx
		mov	eax, [eax+0Ch]
		mov	[ebp+var_144], eax
		lea	eax, [ebp+var_144]
		mov	[ebp+var_78], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_148]
		mov	[ebp+var_68], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_14C], eax
		lea	eax, [ebp+var_14C]
		mov	[ebp+var_58], eax
		mov	eax, [edi+4]
		push	4
		pop	ecx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ebx
		mov	eax, [eax+0Ch]
		mov	[ebp+var_150], eax
		lea	eax, [ebp+var_150]
		mov	[ebp+var_48], eax
		mov	eax, [edi+8]
		mov	[ebp+var_154], eax
		lea	eax, [ebp+var_154]
		mov	[ebp+var_38], eax
		mov	eax, [edi+0Ch]
		mov	[ebp+var_158], eax
		lea	eax, [ebp+var_158]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_180]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	0Ah
		push	ebx
		push	ebx
		push	offset loc_42069B
		push	offset dword_A93B08
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_180], 1000000h
		mov	[ebp+var_17C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9BBA29:				; CODE XREF: PopDirectedDripsDiagRundownBroadcastTrees()+1F0j
					; PopDirectedDripsDiagRundownBroadcastTrees()+208j
		cmp	_PopDiagHandleRegistered, 0
		jz	loc_9BBB0F
		mov	ebx, dword_6C1D74
		mov	eax, _PopDiagHandle
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_ERROR_RECORD
		push	ebx
		push	eax
		mov	[ebp+var_15C], eax
		call	EtwEventEnabled
		test	al, al
		jz	loc_9BBB0D
		xor	ecx, ecx
		lea	eax, [ebp+var_130]
		push	8
		pop	edx
		mov	[ebp+var_128], eax
		push	4
		mov	[ebp+var_120], edx
		mov	[ebp+var_124], ecx
		mov	[ebp+var_11C], ecx
		mov	eax, [esi+8]
		add	eax, edx
		mov	[ebp+var_114], ecx
		pop	edx
		mov	[ebp+var_118], eax
		mov	[ebp+var_110], edx
		mov	[ebp+var_10C], ecx
		mov	eax, [edi+4]
		add	eax, 8
		mov	[ebp+var_104], ecx
		mov	[ebp+var_108], eax
		lea	eax, [edi+8]
		mov	[ebp+var_F8], eax
		lea	eax, [edi+0Ch]
		mov	[ebp+var_E8], eax
		lea	eax, [ebp+var_128]
		push	eax
		push	5
		push	ecx
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_ERROR_RECORD
		push	ebx
		push	[ebp+var_15C]
		mov	[ebp+var_100], edx
		mov	[ebp+var_FC], ecx
		mov	[ebp+var_F4], ecx
		mov	[ebp+var_F0], edx
		mov	[ebp+var_EC], ecx
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_E0], edx
		mov	[ebp+var_DC], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9BBB0D:				; CODE XREF: PopDirectedDripsDiagRundownBroadcastTrees()+354j
		xor	ebx, ebx

loc_9BBB0F:				; CODE XREF: PopDirectedDripsDiagRundownBroadcastTrees()+32Fj
		mov	eax, [edi]
		push	67696450h
		push	edi
		mov	[esi+0Ch], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9BBB1F:				; CODE XREF: PopDirectedDripsDiagRundownBroadcastTrees()+69j
					; PopDirectedDripsDiagRundownBroadcastTrees()+81j ...
		mov	edi, [esi+0Ch]
		test	edi, edi
		jnz	loc_9BB8EA
		push	67696450h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_9BB731
; 

loc_9BBB3A:				; CODE XREF: PopDirectedDripsDiagRundownBroadcastTrees()+4Bj
					; PopDirectedDripsDiagRundownBroadcastTrees()+54j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9BBB3F:				; CODE XREF: PopDirectedDripsDiagRundownBroadcastTrees()+40j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDirectedDripsDiagRundownBroadcastTrees@0 endp

; 
		db 0CCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagRundownDevices()
_PopDirectedDripsDiagRundownDevices@0 proc near
					; CODE XREF: PopDirectedDripsDiagNotifySessionStop(x,x,x)+1B7p

var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_221		= dword	ptr -221h
var_219		= dword	ptr -219h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_168		= dword	ptr -168h
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 294h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, _PopWnfCsEnterScenarioId
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	byte ptr [ebp+var_219],	al
		mov	[ebp+var_260], eax
		mov	eax, dword_6C1D84
		mov	[ebp+var_221+1], edi
		mov	[ebp+var_230], edi
		mov	[ebp+var_250], edi
		mov	[ebp+var_234], edi
		mov	[ebp+var_254], edi
		mov	[ebp+var_22C], edi
		mov	[ebp+var_244], edi
		mov	[ebp+var_248], edi
		mov	[ebp+var_24C], edi
		mov	[ebp+var_23C], edi
		mov	[ebp+var_240], edi
		mov	[ebp+var_25C], eax

loc_9BBBC7:				; CODE XREF: PopDirectedDripsDiagRundownDevices()+854j
		mov	ebx, dword_6BF648
		mov	ecx, offset dword_6BF648
		mov	[ebp+var_27C], ebx
		cmp	ebx, ecx
		jz	loc_9BC3AD
		cmp	[ebx+4], ecx
		jnz	loc_9BC3A8
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	loc_9BC3A8
		mov	dword_6BF648, eax
		mov	esi, edi
		mov	[eax+4], ecx
		mov	ecx, edi
		mov	[ebp+var_221+1], esi
		mov	eax, [ebx+5Ch]
		test	eax, eax
		jz	short loc_9BBC2D
		push	eax
		mov	edx, offset ??_C@_1CK@JLMDIOGK@?$AAD?$AAF?$AAX?$AA?5?$AAT?$AAr?$AAa?$AAn?$AAs?$AAi?$AAt?$AAi?$AAo?$AAn?$AA?5@NNGAKEGL@ ; "DFX Transition Count"
		lea	ecx, [ebp+var_219+1]
		call	_PopDirectedDripsDiagCreateBlockerEntryULong@12	; PopDirectedDripsDiagCreateBlockerEntryULong(x,x,x)
		mov	esi, [ebp+var_221+1]
		inc	esi
		mov	[ebp+var_221+1], esi
		mov	ecx, esi

loc_9BBC2D:				; CODE XREF: PopDirectedDripsDiagRundownDevices()+BCj
		mov	eax, [ebx+60h]
		test	eax, eax
		jz	short loc_9BBC59
		push	eax
		imul	eax, ecx, 2Ch
		mov	edx, offset ??_C@_1CK@NDPAMCI@?$AAP?$AAS?$AA4?$AA?5?$AAT?$AAr?$AAa?$AAn?$AAs?$AAi?$AAt?$AAi?$AAo?$AAn?$AA?5@NNGAKEGL@
		lea	ecx, [ebp+var_219+1]
		add	ecx, eax
		call	_PopDirectedDripsDiagCreateBlockerEntryULong@12	; PopDirectedDripsDiagCreateBlockerEntryULong(x,x,x)
		mov	esi, [ebp+var_221+1]
		inc	esi
		mov	[ebp+var_221+1], esi
		mov	ecx, esi

loc_9BBC59:				; CODE XREF: PopDirectedDripsDiagRundownDevices()+E3j
		mov	edi, [ebx+58h]
		test	di, di
		jz	short loc_9BBC89
		imul	eax, ecx, 2Ch
		mov	edx, offset ??_C@_1BO@ONJLICHL@?$AAP?$AAr?$AAo?$AAb?$AAl?$AAe?$AAm?$AA?5?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@NNGAKEGL@ ; "Problem Device"
		push	ecx
		lea	ecx, [ebp+var_219+1]
		add	ecx, eax
		call	_PopDirectedDripsDiagCreateBlockerEntryBoolean@12 ; PopDirectedDripsDiagCreateBlockerEntryBoolean(x,x,x)
		mov	esi, [ebp+var_221+1]
		inc	esi
		mov	[ebp+var_221+1], esi
		mov	ecx, esi
		mov	edi, [ebx+58h]

loc_9BBC89:				; CODE XREF: PopDirectedDripsDiagRundownDevices()+110j
		test	edi, 10000h
		jz	short loc_9BBCB7
		imul	eax, ecx, 2Ch
		mov	edx, offset ??_C@_1DC@LOGLNINF@?$AAI?$AAn?$AAi?$AAt?$AAi?$AAa?$AAt?$AAe?$AAd?$AA?5?$AAP?$AAS?$AA4?$AA?5?$AAT@NNGAKEGL@ ; "I"
		push	ecx
		lea	ecx, [ebp+var_219+1]
		add	ecx, eax
		call	_PopDirectedDripsDiagCreateBlockerEntryBoolean@12 ; PopDirectedDripsDiagCreateBlockerEntryBoolean(x,x,x)
		mov	esi, [ebp+var_221+1]
		inc	esi
		mov	[ebp+var_221+1], esi
		mov	edi, [ebx+58h]

loc_9BBCB7:				; CODE XREF: PopDirectedDripsDiagRundownDevices()+140j
		test	edi, 40000h
		jz	loc_9BC21F
		lea	eax, [ebp+var_240]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_23C]
		push	eax
		lea	eax, [ebp+var_234]
		push	eax
		lea	eax, [ebp+var_230]
		push	eax
		lea	eax, [ebp+var_248]
		push	eax
		lea	edx, [ebp+var_22C]
		call	_PopDirectedDripsDiagExtractDeviceDescription@28 ; PopDirectedDripsDiagExtractDeviceDescription(x,x,x,x,x,x,x)
		cmp	ds:dword_A93B08, 5
		jbe	loc_9BBFE7
		push	4000h
		push	0
		mov	ecx, offset dword_A93B08
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9BBFE7
		mov	al, byte ptr [ebp+var_219]
		lea	edx, [ebp+var_120]
		mov	byte ptr [ebp+var_221],	al
		xor	esi, esi
		lea	eax, [ebp+var_221]
		mov	[ebp+var_144], esi
		mov	[ebp+var_148], eax
		mov	eax, [ebp+var_22C]
		mov	[ebp+var_140], 1
		mov	[ebp+var_13C], esi
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_128], eax
		mov	eax, ecx
		lea	ecx, [ebx+28h]
		mov	[ebp+var_138], edx
		mov	[ebp+var_134], esi
		mov	[ebp+var_130], 2
		mov	[ebp+var_12C], esi
		mov	[ebp+var_124], esi
		mov	[ebp+var_120], eax
		mov	[ebp+var_11C], esi
		call	_PopDirectedDripsDiagSanitizeHardwareId@4 ; PopDirectedDripsDiagSanitizeHardwareId(x)
		lea	ecx, [ebp+var_100]
		mov	[ebp+var_114], esi
		mov	[ebp+var_118], ecx
		lea	edx, [ebp+var_E0]
		mov	[ebp+var_110], 2
		mov	ecx, [eax+4]
		movzx	eax, word ptr [eax]
		mov	[ebp+var_100], eax
		mov	eax, [ebp+var_230]
		mov	[ebp+var_108], ecx
		mov	[ebp+var_10C], esi
		mov	[ebp+var_104], esi
		mov	[ebp+var_FC], esi
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_E8], eax
		mov	eax, ecx
		mov	[ebp+var_E0], eax
		mov	eax, [ebp+var_234]
		mov	[ebp+var_F8], edx
		lea	edx, [ebp+var_C0]
		mov	[ebp+var_F4], esi
		mov	[ebp+var_F0], 2
		mov	[ebp+var_EC], esi
		mov	[ebp+var_E4], esi
		mov	[ebp+var_DC], esi
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_C8], eax
		mov	eax, ecx
		mov	[ebp+var_C0], eax
		mov	eax, [ebx+54h]
		mov	[ebp+var_264], eax
		lea	eax, [ebp+var_264]
		mov	[ebp+var_B8], eax
		mov	eax, [ebx+5Ch]
		mov	[ebp+var_268], eax
		lea	eax, [ebp+var_268]
		mov	[ebp+var_A8], eax
		mov	eax, [ebx+60h]
		push	4
		pop	ecx
		mov	[ebp+var_26C], eax
		lea	eax, [ebp+var_26C]
		mov	[ebp+var_D8], edx
		mov	[ebp+var_D4], esi
		mov	[ebp+var_D0], 2
		mov	[ebp+var_CC], esi
		mov	[ebp+var_C4], esi
		mov	[ebp+var_BC], esi
		mov	[ebp+var_B4], esi
		mov	[ebp+var_B0], ecx
		mov	[ebp+var_AC], esi
		mov	[ebp+var_A4], esi
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_9C], esi
		mov	[ebp+var_98], eax
		mov	[ebp+var_94], esi
		lea	eax, [ebp+var_270]
		mov	[ebp+var_270], edi
		mov	[ebp+var_88], eax
		lea	edx, [ebp+var_60]
		mov	eax, [ebp+var_23C]
		mov	[ebp+var_90], ecx
		mov	[ebp+var_8C], esi
		mov	[ebp+var_84], esi
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], esi
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_68], eax
		mov	eax, ecx
		mov	[ebp+var_60], eax
		mov	eax, [ebp+var_260]
		mov	[ebp+var_288], eax
		mov	eax, [ebp+var_25C]
		mov	[ebp+var_284], eax
		lea	eax, [ebp+var_288]
		mov	[ebp+var_58], eax
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_274], eax
		lea	eax, [ebp+var_274]
		push	2
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_240]
		pop	edi
		mov	[ebp+var_78], edx
		lea	edx, [ebp+var_20]
		mov	[ebp+var_74], esi
		mov	[ebp+var_70], edi
		mov	[ebp+var_6C], esi
		mov	[ebp+var_64], esi
		mov	[ebp+var_5C], esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], 8
		mov	[ebp+var_4C], esi
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], 4
		mov	[ebp+var_3C], esi
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		mov	[ebp+var_28], eax
		mov	eax, ecx
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_290]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_168]
		push	eax
		push	16h
		push	esi
		push	esi
		push	offset loc_4204A6
		push	offset dword_A93B08
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_290], 1000000h
		mov	[ebp+var_28C], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	esi, [ebp+var_221+1]

loc_9BBFE7:				; CODE XREF: PopDirectedDripsDiagRundownDevices()+1ABj
					; PopDirectedDripsDiagRundownDevices()+1C4j
		cmp	_PopDiagHandleRegistered, 0
		jz	loc_9BC21F
		mov	edi, dword_6C1D74
		mov	eax, _PopDiagHandle
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_DEVICE_STATS
		push	edi
		push	eax
		mov	[ebp+var_228], eax
		call	EtwEventEnabled
		test	al, al
		jz	loc_9BC21F
		mov	edx, [ebp+var_22C]
		lea	eax, [ebp+var_219]
		mov	_PopDirectedDripsDiagEventData,	eax
		xor	esi, esi
		mov	dword_6BF4E4, esi
		lea	eax, [ebx+8]
		mov	dword_6BF4F0, eax
		mov	dword_6BF4E8, 1
		mov	dword_6BF4EC, esi
		mov	dword_6BF4F4, esi
		mov	dword_6BF4FC, esi
		push	4
		pop	ecx
		mov	dword_6BF4F8, ecx
		movzx	eax, word ptr [edx]
		shr	eax, 1
		mov	[ebp+var_244], eax
		lea	eax, [ebp+var_244]
		mov	dword_6BF500, eax
		mov	dword_6BF504, esi
		mov	dword_6BF508, ecx
		mov	dword_6BF50C, esi
		movzx	ecx, word ptr [edx]
		mov	eax, [edx+4]
		mov	edx, [ebp+var_248]
		mov	dword_6BF510, eax
		mov	eax, ecx
		mov	dword_6BF518, eax
		mov	dword_6BF514, esi
		mov	dword_6BF51C, esi
		movzx	eax, word ptr [edx]
		shr	eax, 1
		mov	[ebp+var_24C], eax
		lea	eax, [ebp+var_24C]
		mov	dword_6BF520, eax
		mov	dword_6BF524, esi
		mov	dword_6BF528, 4
		mov	dword_6BF52C, esi
		movzx	ecx, word ptr [edx]
		mov	eax, [edx+4]
		mov	edx, [ebp+var_230]
		mov	dword_6BF530, eax
		mov	eax, ecx
		mov	dword_6BF538, eax
		mov	dword_6BF534, esi
		mov	dword_6BF53C, esi
		movzx	eax, word ptr [edx]
		shr	eax, 1
		mov	[ebp+var_250], eax
		lea	eax, [ebp+var_250]
		mov	dword_6BF540, eax
		mov	dword_6BF544, esi
		mov	dword_6BF548, 4
		mov	dword_6BF54C, esi
		movzx	ecx, word ptr [edx]
		mov	eax, [edx+4]
		mov	edx, [ebp+var_234]
		mov	dword_6BF550, eax
		mov	eax, ecx
		mov	dword_6BF558, eax
		mov	dword_6BF554, esi
		mov	dword_6BF55C, esi
		movzx	eax, word ptr [edx]
		shr	eax, 1
		mov	[ebp+var_254], eax
		lea	eax, [ebp+var_254]
		mov	dword_6BF560, eax
		mov	dword_6BF564, esi
		mov	dword_6BF568, 4
		mov	dword_6BF56C, esi
		movzx	ecx, word ptr [edx]
		mov	eax, [edx+4]
		mov	dword_6BF570, eax
		mov	eax, ecx
		mov	dword_6BF578, eax
		lea	eax, [ebx+54h]
		mov	dword_6BF574, esi
		mov	dword_6BF57C, esi
		mov	dword_6BF580, eax
		mov	dword_6BF584, esi
		push	4
		pop	ecx
		push	offset _PopDirectedDripsDiagEventData
		push	0Eh
		push	esi
		lea	eax, [ebx+5Ch]
		mov	dword_6BF588, ecx
		mov	dword_6BF590, eax
		lea	eax, [ebx+60h]
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_DEVICE_STATS
		push	edi
		push	[ebp+var_228]
		mov	dword_6BF5A0, eax
		lea	eax, [ebx+58h]
		mov	dword_6BF58C, esi
		mov	dword_6BF594, esi
		mov	dword_6BF598, ecx
		mov	dword_6BF59C, esi
		mov	dword_6BF5A4, esi
		mov	dword_6BF5A8, ecx
		mov	dword_6BF5AC, esi
		mov	dword_6BF5B0, eax
		mov	dword_6BF5B4, esi
		mov	dword_6BF5B8, ecx
		mov	dword_6BF5BC, esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	esi, [ebp+var_221+1]

loc_9BC21F:				; CODE XREF: PopDirectedDripsDiagRundownDevices()+16Ej
					; PopDirectedDripsDiagRundownDevices()+49Fj ...
		xor	edi, edi
		cmp	_PopDiagSleepStudyHandleRegistered, 0
		jz	loc_9BC38C
		test	esi, esi
		jz	loc_9BC38C
		mov	eax, edi
		mov	[ebp+var_238], edi
		push	2
		lea	ecx, [ebx+10h]
		mov	edi, offset dword_6BF50C
		mov	ebx, [ebp+var_238]
		pop	eax
		mov	[ebp+var_278], ecx
		mov	[ebp+var_228], eax

loc_9BC25B:				; CODE XREF: PopDirectedDripsDiagRundownDevices()+7A5j
		mov	[edi-0Ch], ecx
		lea	ecx, [ebp+var_219+1]
		mov	dword ptr [edi-4], 10h
		mov	[ebp+var_238], eax
		xor	eax, eax
		mov	[edi-8], eax
		mov	[edi], eax
		lea	edi, [edi+50h]
		mov	[edi-48h], eax
		mov	[edi-40h], eax
		imul	edx, ebx, 2Ch
		mov	dword ptr [edi-44h], 4
		add	ecx, edx
		mov	[edi-4Ch], ecx
		and	dword ptr [edi-38h], 0
		mov	eax, [ebp+edx+var_214]
		mov	[edi-3Ch], eax
		mov	eax, [ecx]
		lea	ecx, [ebp+var_210]
		add	eax, eax
		add	ecx, edx
		mov	[edi-34h], eax
		xor	eax, eax
		mov	[edi-30h], eax
		mov	[edi-28h], eax
		mov	[edi-20h], eax
		lea	eax, [ebp+var_20C]
		add	eax, edx
		mov	[edi-2Ch], ecx
		mov	dword ptr [edi-24h], 4
		and	dword ptr [edi-18h], 0
		and	dword ptr [edi-10h], 0
		mov	[edi-1Ch], eax
		mov	eax, [ecx]
		mov	ecx, [ebp+var_278]
		add	eax, eax
		mov	[edi-14h], eax
		inc	ebx
		mov	eax, [ebp+var_228]
		add	eax, 5
		mov	[ebp+var_228], eax
		cmp	ebx, esi
		jb	loc_9BC25B
		mov	eax, [ebp+var_238]
		lea	ecx, [ebp+var_219]
		mov	ebx, [ebp+var_27C]
		xor	edi, edi
		mov	_PopDirectedDripsDiagEventData,	ecx
		lea	ecx, [ebp+var_221+1]
		shl	eax, 4
		add	eax, offset dword_6BF530
		mov	dword_6BF4F0, ecx
		mov	dword_6BF4E4, edi
		lea	ecx, [ebp+var_260]
		mov	dword_6BF4E8, 1
		mov	dword_6BF4EC, edi
		mov	dword_6BF4F4, edi
		mov	dword_6BF4F8, 4
		mov	dword_6BF4FC, edi
		mov	[eax], ecx
		mov	[eax+4], edi
		mov	dword ptr [eax+8], 8
		mov	[eax+0Ch], edi
		imul	eax, esi, 5
		push	offset _PopDirectedDripsDiagEventData
		add	eax, 3
		push	eax
		push	edi
		push	offset _SLEEPSTUDY_EVT_SCENARIO_BLOCKER_DATA
		push	dword_6C1F6C
		push	_PopDiagSleepStudyHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9BC38C:				; CODE XREF: PopDirectedDripsDiagRundownDevices()+6D9j
					; PopDirectedDripsDiagRundownDevices()+6E1j
		mov	eax, [ebx+8]
		test	eax, eax
		jz	short loc_9BC39C
		mov	[eax+1F0h], edi
		mov	[ebx+8], edi

loc_9BC39C:				; CODE XREF: PopDirectedDripsDiagRundownDevices()+842j
		mov	ecx, ebx
		call	_PopDirectedDripsDiagFreeDeviceDiagnostic@4 ; PopDirectedDripsDiagFreeDeviceDiagnostic(x)
		jmp	loc_9BBBC7
; 

loc_9BC3A8:				; CODE XREF: PopDirectedDripsDiagRundownDevices()+94j
					; PopDirectedDripsDiagRundownDevices()+9Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9BC3AD:				; CODE XREF: PopDirectedDripsDiagRundownDevices()+8Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDirectedDripsDiagRundownDevices@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagSanitizeHardwareId(x)
_PopDirectedDripsDiagSanitizeHardwareId@4 proc near
					; CODE XREF: PopDirectedDripsDiagRundownDevices()+245p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		movzx	edi, word ptr [esi]
		shr	edi, 1
		jz	short loc_9BC42E
		mov	edx, [esi+4]
		mov	[ebp+var_4], edx

loc_9BC3DE:				; CODE XREF: PopDirectedDripsDiagSanitizeHardwareId(x)+69j
		mov	ebx, ecx
		cmp	ecx, edi
		jnb	short loc_9BC3F5
		lea	eax, [edx+ecx*2]

loc_9BC3E7:				; CODE XREF: PopDirectedDripsDiagSanitizeHardwareId(x)+37j
		cmp	word ptr [eax],	2Ch
		jz	short loc_9BC3F5
		inc	ebx
		add	eax, 2
		cmp	ebx, edi
		jb	short loc_9BC3E7

loc_9BC3F5:				; CODE XREF: PopDirectedDripsDiagSanitizeHardwareId(x)+26j
					; PopDirectedDripsDiagSanitizeHardwareId(x)+2Fj
		lea	eax, [edx+ecx*2]
		mov	[ebp+var_8], eax
		mov	eax, ebx
		sub	eax, ecx
		add	eax, eax
		mov	word ptr [ebp+var_C], ax
		mov	word ptr [ebp+var_C+2],	ax
		lea	eax, [ebp+var_C]
		push	1
		push	eax
		push	offset _PopBthEnumEnumeratorPrefix
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_9BC429
		mov	edx, [ebp+var_4]
		lea	ecx, [ebx+1]
		cmp	ecx, edi
		jb	short loc_9BC3DE
		jmp	short loc_9BC42E
; 

loc_9BC429:				; CODE XREF: PopDirectedDripsDiagSanitizeHardwareId(x)+5Fj
		mov	esi, offset _PopBthEnumEnumeratorPrefix

loc_9BC42E:				; CODE XREF: PopDirectedDripsDiagSanitizeHardwareId(x)+1Aj
					; PopDirectedDripsDiagSanitizeHardwareId(x)+6Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PopDirectedDripsDiagSanitizeHardwareId@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsDiagTraceBroadcastFailureDevice(x)
_PopDirectedDripsDiagTraceBroadcastFailureDevice@4 proc	near
					; CODE XREF: PopDirectedDripsNotifyTransitionFailed(x)+20p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, offset _PopDirectedDripsDiagLock
		push	edi
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	edi, [esi+1F0h]
		test	edi, edi
		jz	short loc_9BC45E
		mov	eax, [edi+58h]
		bts	eax, 5
		mov	[edi+58h], eax

loc_9BC45E:				; CODE XREF: PopDirectedDripsDiagTraceBroadcastFailureDevice(x)+1Dj
		mov	esi, _PopDirectedDripsDiagSessionContext
		jmp	short loc_9BC488
; 

loc_9BC466:				; CODE XREF: PopDirectedDripsDiagTraceBroadcastFailureDevice(x)+59j
		mov	eax, [esi+14h]
		cmp	eax, dword_6BF830
		jnz	short loc_9BC486
		inc	dword ptr [esi+0C4h]
		test	edi, edi
		jz	short loc_9BC486
		push	5
		mov	edx, edi
		mov	ecx, esi
		call	_PopDirectedDripsDiagInsertErrorRecord@12 ; PopDirectedDripsDiagInsertErrorRecord(x,x,x)

loc_9BC486:				; CODE XREF: PopDirectedDripsDiagTraceBroadcastFailureDevice(x)+3Aj
					; PopDirectedDripsDiagTraceBroadcastFailureDevice(x)+44j
		mov	esi, [esi]

loc_9BC488:				; CODE XREF: PopDirectedDripsDiagTraceBroadcastFailureDevice(x)+2Fj
		cmp	esi, offset _PopDirectedDripsDiagSessionContext
		jnz	short loc_9BC466
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9BC4A4
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9BC4A4:				; CODE XREF: PopDirectedDripsDiagTraceBroadcastFailureDevice(x)+66j
		mov	ecx, ebx
		pop	edi
		pop	esi
		pop	ebx
		jmp	KeAbPostRelease
_PopDirectedDripsDiagTraceBroadcastFailureDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagTraceBroadcastVisit(x, x, x)
_PopDirectedDripsDiagTraceBroadcastVisit@12 proc near
					; CODE XREF: PopDirectedDripsVisitDevice(x,x,x,x)+36p

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_70], ecx
		mov	esi, edx
		mov	[ebp+var_7C], eax
		mov	ebx, offset _PopDirectedDripsDiagLock
		mov	[ebp+var_78], eax
		push	edi
		xor	edx, edx
		mov	[ebp+var_80], eax
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		test	esi, esi
		jz	short loc_9BC4ED
		mov	eax, [esi+10h]
		jmp	short loc_9BC4F0
; 

loc_9BC4ED:				; CODE XREF: PopDirectedDripsDiagTraceBroadcastVisit(x,x,x)+38j
		or	eax, 0FFFFFFFFh

loc_9BC4F0:				; CODE XREF: PopDirectedDripsDiagTraceBroadcastVisit(x,x,x)+3Dj
		mov	ecx, [ebp+var_70]
		mov	[ebp+var_74], eax
		mov	esi, [ecx+1F0h]
		test	esi, esi
		jnz	short loc_9BC512
		call	_PopDirectedDripsDiagCreateDeviceDiagnostic@4 ;	PopDirectedDripsDiagCreateDeviceDiagnostic(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9BC5F4
		mov	eax, [ebp+var_74]

loc_9BC512:				; CODE XREF: PopDirectedDripsDiagTraceBroadcastVisit(x,x,x)+50j
		test	dword ptr [esi+58h], 20000h
		mov	[esi+54h], eax
		jz	short loc_9BC525
		mov	[ebp+var_78], 1

loc_9BC525:				; CODE XREF: PopDirectedDripsDiagTraceBroadcastVisit(x,x,x)+6Ej
		cmp	_PopDiagHandleRegistered, 0
		jz	loc_9BC5ED
		mov	edi, dword_6C1D74
		mov	ebx, _PopDiagHandle
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_DEVICE_VISIT
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	loc_9BC5E8
		mov	edx, [ebp+var_70]
		push	4
		pop	ecx
		movzx	eax, word ptr [edx+14h]
		and	[ebp+var_68], 0
		and	[ebp+var_60], 0
		and	[ebp+var_58], 0
		and	[ebp+var_50], 0
		and	[ebp+var_48], 0
		and	[ebp+var_40], 0
		and	[ebp+var_38], 0
		and	[ebp+var_30], 0
		shr	eax, 1
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_64], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_34], ecx
		movzx	ecx, word ptr [edx+14h]
		mov	eax, [edx+18h]
		xor	edx, edx
		mov	[ebp+var_2C], eax
		mov	eax, ecx
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	6
		push	edx
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_DEVICE_VISIT
		push	edi
		push	ebx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], 4
		mov	[ebp+var_10], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9BC5E8:				; CODE XREF: PopDirectedDripsDiagTraceBroadcastVisit(x,x,x)+9Ej
		mov	ebx, offset _PopDirectedDripsDiagLock

loc_9BC5ED:				; CODE XREF: PopDirectedDripsDiagTraceBroadcastVisit(x,x,x)+7Ej
		or	dword ptr [esi+58h], 40000h

loc_9BC5F4:				; CODE XREF: PopDirectedDripsDiagTraceBroadcastVisit(x,x,x)+5Bj
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9BC608
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9BC608:				; CODE XREF: PopDirectedDripsDiagTraceBroadcastVisit(x,x,x)+151j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDirectedDripsDiagTraceBroadcastVisit@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagTraceMarkDevice(x)
_PopDirectedDripsDiagTraceMarkDevice@4 proc near
					; CODE XREF: PopDirectedDripsMarkCandidateDevice(x)+2Dp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	[ebp+var_2C], ecx
		mov	ebx, offset _PopDirectedDripsDiagLock
		push	edi
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_2C]
		mov	eax, [ecx+1F0h]
		test	eax, eax
		jnz	short loc_9BC65C
		call	_PopDirectedDripsDiagCreateDeviceDiagnostic@4 ;	PopDirectedDripsDiagCreateDeviceDiagnostic(x)
		test	eax, eax
		jz	short loc_9BC65F

loc_9BC65C:				; CODE XREF: PopDirectedDripsDiagTraceMarkDevice(x)+31j
		inc	dword ptr [eax+50h]

loc_9BC65F:				; CODE XREF: PopDirectedDripsDiagTraceMarkDevice(x)+3Aj
		cmp	_PopDiagHandleRegistered, 0
		jz	short loc_9BC6C0
		mov	esi, dword_6C1D74
		mov	edi, _PopDiagHandle
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_MARK_DEVICE
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9BC6C0
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_28], offset _PopWnfCsEnterScenarioId
		mov	[ebp+var_18], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], ecx
		push	eax
		push	2
		push	ecx
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_MARK_DEVICE
		push	esi
		push	edi
		mov	[ebp+var_20], 1
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9BC6C0:				; CODE XREF: PopDirectedDripsDiagTraceMarkDevice(x)+46j
					; PopDirectedDripsDiagTraceMarkDevice(x)+62j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9BC6D4
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9BC6D4:				; CODE XREF: PopDirectedDripsDiagTraceMarkDevice(x)+ABj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopDirectedDripsDiagTraceMarkDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsDiagTraceProblemDevice(x, x, x)
_PopDirectedDripsDiagTraceProblemDevice@12 proc	near
					; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+12Bp
					; PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+171p	...

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_44], ecx
		mov	ebx, offset _PopDirectedDripsDiagLock
		mov	[ebp+var_40], eax
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_44]
		mov	esi, [eax+1F0h]
		test	edi, edi
		jz	short loc_9BC743
		mov	eax, [ebp+var_40]
		inc	dword ptr [edi+eax*4+0B0h]
		test	esi, esi
		jz	loc_9BC7C2
		push	[ebp+var_40]
		mov	edx, esi
		mov	ecx, edi
		call	_PopDirectedDripsDiagInsertErrorRecord@12 ; PopDirectedDripsDiagInsertErrorRecord(x,x,x)

loc_9BC743:				; CODE XREF: PopDirectedDripsDiagTraceProblemDevice(x,x,x)+39j
		test	esi, esi
		jz	short loc_9BC7C2
		mov	ecx, [esi+58h]
		mov	eax, [ebp+var_40]
		bts	ecx, eax
		cmp	_PopDiagHandleRegistered, 0
		mov	[esi+58h], ecx
		jz	short loc_9BC7C2
		mov	edi, dword_6C1D74
		mov	ebx, _PopDiagHandle
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_PROBLEM_DEVICE
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9BC7BD
		lea	eax, [esi+54h]
		xor	edx, edx
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_44]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	3
		push	edx
		push	offset _POP_ETW_EVENT_DIRECTED_DRIPS_PROBLEM_DEVICE
		push	edi
		push	ebx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9BC7BD:				; CODE XREF: PopDirectedDripsDiagTraceProblemDevice(x,x,x)+8Cj
		mov	ebx, offset _PopDirectedDripsDiagLock

loc_9BC7C2:				; CODE XREF: PopDirectedDripsDiagTraceProblemDevice(x,x,x)+47j
					; PopDirectedDripsDiagTraceProblemDevice(x,x,x)+5Bj ...
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9BC7D6
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9BC7D6:				; CODE XREF: PopDirectedDripsDiagTraceProblemDevice(x,x,x)+E3j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopDirectedDripsDiagTraceProblemDevice@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsDiagTraceTransition(x)
_PopDirectedDripsDiagTraceTransition@4 proc near
					; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+16Ep
		mov	eax, [ecx+1E4h]
		test	eax, 20000h
		jz	short loc_9BC809
		mov	eax, [ecx+1F0h]
		test	eax, eax
		jz	short locret_9BC823
		inc	dword ptr [eax+60h]
		retn
; 

loc_9BC809:				; CODE XREF: PopDirectedDripsDiagTraceTransition(x)+Bj
		mov	eax, [ecx+1E4h]
		test	eax, 10000h
		jz	short locret_9BC823
		mov	eax, [ecx+1F0h]
		test	eax, eax
		jz	short locret_9BC823
		inc	dword ptr [eax+5Ch]

locret_9BC823:				; CODE XREF: PopDirectedDripsDiagTraceTransition(x)+15j
					; PopDirectedDripsDiagTraceTransition(x)+26j ...
		retn
_PopDirectedDripsDiagTraceTransition@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlInitComponent(x, x, x,	x, x)
_PopPlInitComponent@20 proc near	; CODE XREF: PopPlInitComponents(x,x,x,x,x,x,x)+79p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		xor	ebx, ebx
		mov	[ebp+var_8], edi
		mov	edx, ebx
		mov	esi, [edi+10h]
		test	esi, esi
		jz	loc_9BC8CB
		mov	eax, [edi+14h]
		add	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		lea	eax, [eax+esi*8]
		cmp	eax, [ebp+arg_4]
		jbe	short loc_9BC85E
		mov	ebx, 0C0000206h
		jmp	short loc_9BC8CB
; 

loc_9BC85E:				; CODE XREF: PopPlInitComponent(x,x,x,x,x)+31j
		push	6C506F50h
		lea	esi, ds:18h[esi*8]
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+arg_0], edx
		test	edx, edx
		jnz	short loc_9BC885
		mov	ebx, 0C000009Ah
		jmp	short loc_9BC8CB
; 

loc_9BC885:				; CODE XREF: PopPlInitComponent(x,x,x,x,x)+58j
		push	esi		; size_t
		push	ebx		; int
		push	edx		; void *
		call	_memset
		mov	edx, [ebp+arg_0]
		mov	esi, edi
		mov	eax, [ebp+var_4]
		mov	edi, edx
		add	esp, 0Ch
		mov	ecx, ebx
		movsd
		movsd
		movsd
		movsd
		mov	[edx+10h], eax
		mov	eax, [ebp+var_8]
		mov	eax, [eax+10h]
		mov	[edx+14h], eax
		test	eax, eax
		jz	short loc_9BC8CB
		mov	esi, [ebp+var_C]
		lea	edi, [edx+18h]

loc_9BC8B6:				; CODE XREF: PopPlInitComponent(x,x,x,x,x)+A5j
		mov	eax, [esi+ecx*8]
		mov	[edi], eax
		lea	edi, [edi+8]
		mov	eax, [esi+ecx*8+4]
		inc	ecx
		mov	[edi-4], eax
		cmp	ecx, [edx+14h]
		jb	short loc_9BC8B6

loc_9BC8CB:				; CODE XREF: PopPlInitComponent(x,x,x,x,x)+1Cj
					; PopPlInitComponent(x,x,x,x,x)+38j ...
		mov	ecx, [ebp+arg_8]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx], edx
		leave
		retn	0Ch
_PopPlInitComponent@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlInitComponents(x, x, x, x, x, x, x)
_PopPlInitComponents@28	proc near	; CODE XREF: PopPlInitDevice(x,x,x,x,x)+9Fp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		xor	esi, esi
		mov	ecx, [ebp+arg_0]
		xor	edi, edi
		mov	[ebp+var_4], edx
		test	ecx, ecx
		jnz	short loc_9BC900
		xor	ebx, ebx
		jmp	loc_9BC9AD
; 

loc_9BC900:				; CODE XREF: PopPlInitComponents(x,x,x,x,x,x,x)+1Ej
		imul	eax, ecx, 18h
		add	eax, edx
		cmp	eax, [ebp+arg_8]
		jbe	short loc_9BC914
		mov	ebx, 0C0000206h
		jmp	loc_9BC9AD
; 

loc_9BC914:				; CODE XREF: PopPlInitComponents(x,x,x,x,x,x,x)+2Fj
		mov	eax, ecx
		push	6C506F50h
		shl	eax, 2
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9BC936
		mov	ebx, 0C000009Ah
		jmp	short loc_9BC9AD
; 

loc_9BC936:				; CODE XREF: PopPlInitComponents(x,x,x,x,x,x,x)+54j
		xor	ebx, ebx
		and	[ebp+var_C], ebx
		cmp	[ebp+arg_0], ebx
		jbe	short loc_9BC9AD
		mov	eax, [ebp+var_4]

loc_9BC943:				; CODE XREF: PopPlInitComponents(x,x,x,x,x,x,x)+A1j
		lea	ecx, [ebp+var_8]
		mov	edx, eax
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_10]
		push	[ebp+arg_4]
		call	_PopPlInitComponent@20 ; PopPlInitComponent(x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_14], ebx
		test	ebx, ebx
		js	short loc_9BC97E
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		mov	[esi+edi*4], ecx
		add	eax, 18h
		mov	ecx, [ebp+var_C]
		inc	edi
		inc	ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], ecx
		cmp	ecx, [ebp+arg_0]
		jb	short loc_9BC943
		jmp	short loc_9BC9AD
; 

loc_9BC97E:				; CODE XREF: PopPlInitComponents(x,x,x,x,x,x,x)+85j
		and	[ebp+arg_0], 0
		test	edi, edi
		jz	short loc_9BC99E
		mov	ebx, [ebp+arg_0]

loc_9BC989:				; CODE XREF: PopPlInitComponents(x,x,x,x,x,x,x)+C0j
		push	6C506F50h
		push	dword ptr [esi+ebx*4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		inc	ebx
		cmp	ebx, edi
		jb	short loc_9BC989
		mov	ebx, [ebp+var_14]

loc_9BC99E:				; CODE XREF: PopPlInitComponents(x,x,x,x,x,x,x)+ABj
		push	6C506F50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		xor	edi, edi

loc_9BC9AD:				; CODE XREF: PopPlInitComponents(x,x,x,x,x,x,x)+22j
					; PopPlInitComponents(x,x,x,x,x,x,x)+36j ...
		mov	eax, [ebp+arg_10]
		mov	[eax], esi
		mov	eax, [ebp+arg_C]
		mov	[eax], edi
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_PopPlInitComponents@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlInitDevice(x, x, x, x,	x)
_PopPlInitDevice@20 proc near		; CODE XREF: PopPlInitDevices(x,x,x,x,x,x,x)+86p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	esi
		xor	esi, esi
		push	edi
		lea	eax, [ebx+2Ch]
		cmp	eax, [ebp+arg_4]
		jbe	short loc_9BC9E2
		mov	edi, 0C0000206h
		jmp	loc_9BCA77
; 

loc_9BC9E2:				; CODE XREF: PopPlInitDevice(x,x,x,x,x)+16j
		push	6C506F50h
		push	3Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9BCA00
		mov	edi, 0C000009Ah
		jmp	short loc_9BCA77
; 

loc_9BCA00:				; CODE XREF: PopPlInitDevice(x,x,x,x,x)+37j
		push	3Ch		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edx, [ebx]
		add	esp, 0Ch
		mov	ecx, esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_PopPlInitWString@16 ; PopPlInitWString(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9BCA6A
		mov	eax, [ebp+var_4]
		lea	ecx, [esi+14h]
		push	4
		mov	[esi+8], eax
		lea	edx, [ebx+4]
		pop	edi

loc_9BCA31:				; CODE XREF: PopPlInitDevice(x,x,x,x,x)+84j
		mov	eax, [edx]
		lea	edx, [edx+8]
		mov	[ecx], eax
		lea	ecx, [ecx+8]
		mov	eax, [edx-4]
		mov	[ecx-4], eax
		sub	edi, 1
		jnz	short loc_9BCA31
		mov	edx, [ebx+28h]
		lea	eax, [esi+38h]
		add	edx, [ebp+arg_0]
		mov	ecx, esi
		push	eax
		lea	eax, [esi+34h]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	dword ptr [ebx+24h]
		call	_PopPlInitComponents@28	; PopPlInitComponents(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9BCA77

loc_9BCA6A:				; CODE XREF: PopPlInitDevice(x,x,x,x,x)+60j
		push	6C506F50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi

loc_9BCA77:				; CODE XREF: PopPlInitDevice(x,x,x,x,x)+1Dj
					; PopPlInitDevice(x,x,x,x,x)+3Ej ...
		mov	eax, [ebp+arg_8]
		mov	[eax], esi
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PopPlInitDevice@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlInitDevices(x,	x, x, x, x, x, x)
_PopPlInitDevices@28 proc near		; CODE XREF: PopPlInitPowerPlane(x,x,x,x)+75p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		xor	edi, edi
		mov	ecx, [ebp+arg_0]
		xor	esi, esi
		mov	[ebp+var_4], edx
		test	ecx, ecx
		jnz	short loc_9BCAAF
		mov	ebx, 0C000000Dh
		jmp	loc_9BCBAA
; 

loc_9BCAAF:				; CODE XREF: PopPlInitDevices(x,x,x,x,x,x,x)+1Ej
		imul	eax, ecx, 2Ch
		add	eax, edx
		cmp	eax, [ebp+arg_8]
		jbe	short loc_9BCAC3
		mov	ebx, 0C0000206h
		jmp	loc_9BCBAA
; 

loc_9BCAC3:				; CODE XREF: PopPlInitDevices(x,x,x,x,x,x,x)+32j
		mov	eax, ecx
		push	6C506F50h
		shl	eax, 2
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_14], edi
		test	edi, edi
		jnz	short loc_9BCAEB
		mov	ebx, 0C000009Ah
		jmp	loc_9BCBAA
; 

loc_9BCAEB:				; CODE XREF: PopPlInitDevices(x,x,x,x,x,x,x)+5Aj
		xor	ebx, ebx
		and	[ebp+var_C], ebx
		cmp	[ebp+arg_0], ebx
		jbe	loc_9BCBAA
		mov	eax, [ebp+var_4]

loc_9BCAFC:				; CODE XREF: PopPlInitDevices(x,x,x,x,x,x,x)+AEj
		lea	ecx, [ebp+var_8]
		mov	edx, eax
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_10]
		push	[ebp+arg_4]
		call	_PopPlInitDevice@20 ; PopPlInitDevice(x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_18], ebx
		test	ebx, ebx
		js	short loc_9BCB37
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		mov	[edi+esi*4], ecx
		add	eax, 2Ch
		mov	ecx, [ebp+var_C]
		inc	esi
		inc	ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], ecx
		cmp	ecx, [ebp+arg_0]
		jb	short loc_9BCAFC
		jmp	short loc_9BCBAA
; 

loc_9BCB37:				; CODE XREF: PopPlInitDevices(x,x,x,x,x,x,x)+92j
		xor	eax, eax
		mov	[ebp+arg_8], eax
		test	esi, esi
		jz	short loc_9BCB9B

loc_9BCB40:				; CODE XREF: PopPlInitDevices(x,x,x,x,x,x,x)+111j
		mov	eax, [edi+eax*4]
		xor	ebx, ebx
		mov	[ebp+arg_0], eax
		mov	ecx, [eax+34h]
		test	ecx, ecx
		jz	short loc_9BCB80
		mov	edi, eax

loc_9BCB51:				; CODE XREF: PopPlInitDevices(x,x,x,x,x,x,x)+E2j
		mov	eax, [edi+38h]
		push	6C506F50h
		push	dword ptr [eax+ebx*4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [edi+34h]
		inc	ebx
		cmp	ebx, ecx
		jb	short loc_9BCB51
		mov	edi, [ebp+var_14]
		mov	eax, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_9BCB80
		push	6C506F50h
		push	dword ptr [eax+38h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9BCB80:				; CODE XREF: PopPlInitDevices(x,x,x,x,x,x,x)+C8j
					; PopPlInitDevices(x,x,x,x,x,x,x)+ECj
		push	6C506F50h
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_8]
		inc	eax
		mov	[ebp+arg_8], eax
		cmp	eax, esi
		jb	short loc_9BCB40
		mov	ebx, [ebp+var_18]

loc_9BCB9B:				; CODE XREF: PopPlInitDevices(x,x,x,x,x,x,x)+B9j
		push	6C506F50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		xor	esi, esi

loc_9BCBAA:				; CODE XREF: PopPlInitDevices(x,x,x,x,x,x,x)+25j
					; PopPlInitDevices(x,x,x,x,x,x,x)+39j ...
		mov	eax, [ebp+arg_10]
		mov	[eax], edi
		mov	eax, [ebp+arg_C]
		pop	edi
		mov	[eax], esi
		mov	eax, ebx
		pop	esi
		pop	ebx
		leave
		retn	14h
_PopPlInitDevices@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlInitPowerPlane(x, x, x, x)
_PopPlInitPowerPlane@16	proc near	; CODE XREF: PopPlRegisterPowerPlane(x,x)+5Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		xor	esi, esi
		push	edi
		lea	eax, [ebx+34h]
		cmp	eax, [ebp+arg_0]
		jbe	short loc_9BCBDC
		mov	edi, 0C0000206h
		jmp	short loc_9BCC51
; 

loc_9BCBDC:				; CODE XREF: PopPlInitPowerPlane(x,x,x,x)+16j
		push	6C506F50h
		push	24h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9BCBFA
		mov	edi, 0C000009Ah
		jmp	short loc_9BCC51
; 

loc_9BCBFA:				; CODE XREF: PopPlInitPowerPlane(x,x,x,x)+34j
		push	9
		pop	ecx
		push	[ebp+arg_0]
		xor	eax, eax
		mov	edi, esi
		push	[ebp+var_4]
		rep stosd
		mov	edx, [ebx]
		mov	ecx, esi
		call	_PopPlInitWString@16 ; PopPlInitWString(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9BCC44
		and	dword ptr [esi+8], 0
		lea	eax, [esi+20h]
		push	eax
		lea	eax, [esi+1Ch]
		mov	ecx, esi
		push	eax
		push	[ebp+arg_0]
		lea	edx, [ebx+8]
		push	[ebp+var_4]
		push	dword ptr [ebx+4]
		call	_PopPlInitDevices@28 ; PopPlInitDevices(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9BCC51
		mov	ecx, esi
		call	_PopPlUninitWString@4 ;	PopPlUninitWString(x)

loc_9BCC44:				; CODE XREF: PopPlInitPowerPlane(x,x,x,x)+59j
		push	6C506F50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi

loc_9BCC51:				; CODE XREF: PopPlInitPowerPlane(x,x,x,x)+1Dj
					; PopPlInitPowerPlane(x,x,x,x)+3Bj ...
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PopPlInitPowerPlane@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlInitWString(x,	x, x, x)
_PopPlInitWString@16 proc near		; CODE XREF: PopPlInitDevice(x,x,x,x,x)+57p
					; PopPlInitPowerPlane(x,x,x,x)+50p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		add	ebx, edx
		mov	edx, [ebp+arg_4]
		sub	edx, ebx
		mov	ecx, ebx
		mov	[edi], eax
		mov	[edi+4], eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9BCCF2
		mov	esi, [ebp+var_4]
		cmp	esi, 7FFFh
		jbe	short loc_9BCCA1
		mov	esi, 0C0000004h
		jmp	short loc_9BCCF2
; 

loc_9BCCA1:				; CODE XREF: PopPlInitWString(x,x,x,x)+39j
		test	esi, esi
		jz	short loc_9BCCF2
		lea	eax, [esi+esi]
		push	6C506F50h
		push	eax
		push	200h
		mov	[edi+2], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+4], eax
		test	eax, eax
		jnz	short loc_9BCCCE
		mov	[edi+2], ax
		mov	esi, 0C000009Ah
		jmp	short loc_9BCCF2
; 

loc_9BCCCE:				; CODE XREF: PopPlInitWString(x,x,x,x)+62j
		push	esi
		mov	edx, ebx
		mov	ecx, edi
		call	_RtlUnicodeStringCchCopyStringN@12 ; RtlUnicodeStringCchCopyStringN(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9BCCF2
		push	6C506F50h
		push	dword ptr [edi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0
		and	dword ptr [edi+4], 0

loc_9BCCF2:				; CODE XREF: PopPlInitWString(x,x,x,x)+2Ej
					; PopPlInitWString(x,x,x,x)+40j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_PopPlInitWString@16 endp


;  S U B	R O U T	I N E 


; __stdcall PopPlUninitWString(x)
_PopPlUninitWString@4 proc near		; CODE XREF: PopPlInitPowerPlane(x,x,x,x)+82p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_9BCD12
		push	6C506F50h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9BCD12:				; CODE XREF: PopPlUninitWString(x)+Aj
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0
		pop	esi
		retn
_PopPlUninitWString@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlUnregisterComponent(x)
_PopPlUnregisterComponent@4 proc near	; CODE XREF: PopPlUnregisterDevice(x)+1A3p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		cmp	dword_6B23F8, 5
		jbe	short loc_9BCD7D
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_4C], 1
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	4
		push	edi
		push	edi
		push	offset loc_4209E8
		push	offset dword_6B23F8
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], 2
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 10h
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9BCD7D:				; CODE XREF: PopPlUnregisterComponent(x)+1Fj
		mov	ecx, [ebp+var_4]
		mov	[esi+16Ch], edi
		xor	ecx, ebp
		pop	edi
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopPlUnregisterComponent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPlUnregisterDevice(x)
_PopPlUnregisterDevice@4 proc near	; CODE XREF: PopFxUnregisterDevice(x)+C5p

var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0BCh+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, [edi+304h]
		test	ebx, ebx
		jz	loc_9BCF56
		mov	eax, [ebx+8]
		mov	ecx, eax
		mov	[esp+0C8h+var_BC], eax
		call	_PopPlLockPowerPlane@4 ; PopPlLockPowerPlane(x)
		and	[esp+0C8h+var_B8], 0
		lea	eax, [esp+0C8h+var_B8]
		mov	esi, [ebx+10h]
		lea	edx, [esp+0C8h+var_B4]
		push	0
		push	eax
		mov	ecx, edi
		mov	[esp+0D0h+var_B4], 1
		call	_PopPlCalculateDevicePowerDraw@16 ; PopPlCalculateDevicePowerDraw(x,x,x,x)
		mov	edx, eax
		mov	ecx, edx
		mov	[ebx+10h], edx
		sub	ecx, esi
		cmp	dword_6B23F8, 5
		mov	[esp+0C8h+var_9C], ecx
		jbe	loc_9BCF16
		and	[esp+0C8h+var_74], 0
		lea	eax, [esp+0C8h+var_B0]
		mov	[esp+0C8h+var_78], eax
		lea	eax, [esp+0C8h+var_50]
		and	[esp+0C8h+var_6C], 0
		and	[esp+0C8h+var_64], 0
		and	[esp+0C8h+var_3C], 0
		mov	[esp+0C8h+var_68], eax
		mov	eax, [edi+74h]
		mov	[esp+0C8h+var_58], eax
		movzx	eax, word ptr [edi+70h]
		mov	[esp+0C8h+var_50], eax
		lea	eax, [esp+0C8h+var_AC]
		push	2
		pop	esi
		mov	[esp+0C8h+var_48], eax
		lea	eax, [esp+0C8h+var_A8]
		mov	[esp+0C8h+var_38], eax
		lea	eax, [esp+0C8h+var_A4]
		push	4
		mov	[esp+0CCh+var_28], eax
		mov	eax, [ebx+8]
		mov	[esp+0CCh+var_70], esi
		mov	[esp+0CCh+var_60], esi
		xor	esi, esi
		mov	[esp+0CCh+var_5C], esi
		mov	[esp+0CCh+var_54], esi
		mov	[esp+0CCh+var_4C], esi
		mov	[esp+0CCh+var_44], esi
		pop	esi
		mov	[esp+0C8h+var_A8], edx
		xor	edx, edx
		mov	[esp+0C8h+var_B0], 1
		mov	[esp+0C8h+var_AC], ecx
		mov	[esp+0C8h+var_40], esi
		mov	[esp+0C8h+var_34], edx
		mov	[esp+0C8h+var_30], esi
		mov	[esp+0C8h+var_2C], edx
		mov	[esp+0C8h+var_A4], ecx
		mov	[esp+0C8h+var_24], edx
		mov	[esp+0C8h+var_20], esi
		mov	[esp+0C8h+var_1C], edx
		mov	eax, [eax+10h]
		add	eax, ecx
		mov	[esp+0C8h+var_14], edx
		mov	[esp+0C8h+var_A0], eax
		lea	eax, [esp+0C8h+var_A0]
		mov	[esp+0C8h+var_18], eax
		lea	eax, [esp+0C8h+var_98]
		push	eax
		push	9
		push	edx
		push	edx
		push	offset loc_420965
		push	offset dword_6B23F8
		mov	[esp+0E0h+var_10], esi
		mov	[esp+0E0h+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	ecx, [esp+0C8h+var_9C]

loc_9BCF16:				; CODE XREF: PopPlUnregisterDevice(x)+73j
		mov	edx, ecx
		mov	ecx, [esp+0C8h+var_BC]
		call	_PopPlPublishSystemPowerChange@8 ; PopPlPublishSystemPowerChange(x,x)
		xor	esi, esi
		cmp	[edi+23Ch], esi
		jbe	short loc_9BCF42

loc_9BCF2B:				; CODE XREF: PopPlUnregisterDevice(x)+1AFj
		mov	ecx, [edi+240h]
		mov	ecx, [ecx+esi*4]
		call	_PopPlUnregisterComponent@4 ; PopPlUnregisterComponent(x)
		inc	esi
		cmp	esi, [edi+23Ch]
		jb	short loc_9BCF2B

loc_9BCF42:				; CODE XREF: PopPlUnregisterDevice(x)+198j
		and	dword ptr [ebx+0Ch], 0
		mov	ecx, [esp+0C8h+var_BC]
		and	dword ptr [edi+304h], 0
		call	_PopPlUnlockPowerPlane@4 ; PopPlUnlockPowerPlane(x)

loc_9BCF56:				; CODE XREF: PopPlUnregisterDevice(x)+29j
		mov	ecx, [esp+0C8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PopPlUnregisterDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPublishAndPurgePowerRequestStats(x, x, x)
_PopPublishAndPurgePowerRequestStats@12	proc near
					; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+93p

var_132		= dword	ptr -132h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_108		= dword	ptr -108h
var_104		= byte ptr -104h
var_F8		= dword	ptr -0F8h
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 134h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+134h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	[esp+140h+var_132+2], eax
		lea	edi, [esp+140h+var_108]
		mov	edx, [ebx+8]
		mov	ecx, edx
		mov	[esp+140h+var_12C], eax
		mov	[esp+140h+var_128], eax
		stosd
		lea	esi, [ecx+2]
		stosd
		stosd
		stosd
		xor	edi, edi

loc_9BCFAD:				; CODE XREF: PopPublishAndPurgePowerRequestStats(x,x,x)+4Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_9BCFAD
		mov	al, byte ptr [ebp+arg_4]
		sub	ecx, esi
		mov	byte ptr [esp+140h+var_132+1], al
		lea	eax, [esp+0Fh]
		mov	[esp+140h+var_E8], eax
		lea	eax, [esp+140h+var_128]
		sar	ecx, 1
		mov	[esp+140h+var_C8], eax
		mov	[esp+140h+var_E4], edi
		mov	[esp+140h+var_DC], edi
		mov	[esp+140h+var_C4], edi
		lea	eax, [ecx+ecx]
		mov	[esp+140h+var_BC], edi
		mov	[esp+140h+var_B4], edi
		mov	[esp+140h+var_B0], eax
		xor	eax, eax
		mov	[esp+140h+var_AC], edi
		lea	edi, [esp+140h+var_118]
		stosd
		mov	[esp+140h+var_128], ecx
		mov	[esp+140h+var_E0], 1
		mov	[esp+140h+var_C0], 4
		stosd
		mov	[esp+140h+var_B8], edx
		stosd
		stosd
		lea	eax, [esp+140h+var_124]
		push	eax
		call	_RtlRandomEx@4	; RtlRandomEx(x)
		mov	[esp+140h+var_118], eax
		lea	esi, [esp+140h+var_118]
		lea	edi, [esp+140h+var_F8]
		mov	[esp+140h+var_A0], 10h
		movsd
		lea	eax, [esp+140h+var_F8]
		mov	[esp+140h+var_A8], eax
		xor	eax, eax
		mov	[esp+140h+var_A4], eax
		mov	[esp+140h+var_9C], eax
		movsd
		movsd
		movsd
		mov	esi, eax

loc_9BD068:				; CODE XREF: PopPublishAndPurgePowerRequestStats(x,x,x)+2B3j
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	_PopGetStopWatchByRequestType@12 ; PopGetStopWatchByRequestType(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9BD217
		xor	eax, eax
		lea	edx, [esp+140h+var_132+2]
		mov	byte ptr [esp+140h+var_132], al
		mov	[esp+140h+var_132+2], eax
		mov	[esp+140h+var_12C], eax
		lea	eax, [esp+140h+var_132]
		push	ecx
		push	eax
		mov	ecx, edi
		call	PoQueryStopWatch
		mov	ecx, edi
		call	_PoResetStopWatch@4 ; PoResetStopWatch(x)
		cmp	dword_6B23F8, 5
		jbe	loc_9BD191
		mov	edx, (offset loc_8BD9E5+3)
		lea	ecx, [esp+140h+var_58]
		call	_tlgCreate1Sz_char
		mov	edx, [ebx+8]
		lea	ecx, [esp+140h+var_48]
		call	_tlgCreate1Sz_wchar_t
		xor	edi, edi
		push	edi
		push	0Ah
		push	[esp+148h+var_12C]
		push	[esp+14Ch+var_132+2]
		call	__aulldiv
		push	edi
		push	0F4240h
		push	edx
		push	eax
		call	__aulldiv
		mov	[esp+140h+var_120], eax
		xor	ecx, ecx
		lea	eax, [esp+140h+var_120]
		mov	[esp+140h+var_11C], edx
		mov	[esp+140h+var_38], eax
		movzx	eax, byte ptr [esp+140h+var_132]
		mov	[esp+140h+var_124], eax
		lea	eax, [esp+140h+var_124]
		mov	[esp+140h+var_28], eax
		mov	eax, [ebp+arg_4]
		push	8
		mov	[esp+144h+var_118], eax
		mov	eax, [ebp+arg_8]
		pop	edx
		mov	[esp+140h+var_114], eax
		lea	eax, [esp+140h+var_118]
		mov	[esp+140h+var_18], eax
		lea	eax, [esp+140h+var_78]
		push	eax
		push	7
		push	ecx
		push	ecx
		push	offset loc_420E1D
		push	offset dword_6B23F8
		mov	[esp+158h+var_34], ecx
		mov	[esp+158h+var_30], edx
		mov	[esp+158h+var_2C], ecx
		mov	[esp+158h+var_24], ecx
		mov	[esp+158h+var_20], 4
		mov	[esp+158h+var_1C], ecx
		mov	[esp+158h+var_14], ecx
		mov	[esp+158h+var_10], edx
		mov	[esp+158h+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9BD191:				; CODE XREF: PopPublishAndPurgePowerRequestStats(x,x,x)+13Ej
		mov	eax, [esp+140h+var_132+2]
		or	eax, [esp+140h+var_12C]
		jz	short loc_9BD217
		xor	eax, eax
		mov	[esp+140h+var_D0], 10h
		lea	edi, [esp+140h+var_108]
		xor	ecx, ecx
		stosd
		push	8
		pop	edx
		mov	[esp+140h+var_90], edx
		stosd
		mov	[esp+140h+var_80], edx
		lea	edx, [esp+140h+var_E8]
		mov	[esp+140h+var_D4], ecx
		mov	[esp+140h+var_CC], ecx
		stosd
		mov	[esp+140h+var_94], ecx
		mov	[esp+140h+var_8C], ecx
		mov	[esp+140h+var_84], ecx
		stosd
		lea	eax, [esp+140h+var_108]
		mov	[esp+140h+var_D8], eax
		lea	eax, [esp+140h+var_132+2]
		mov	[esp+140h+var_98], eax
		lea	eax, [ebp+arg_4]
		mov	[esp+140h+var_108], 0AADDAADDh
		mov	[esp+140h+var_104], 6
		mov	[esp+140h+var_88], eax
		mov	[esp+140h+var_7C], ecx
		call	_PopDiagTraceSleepStudyBlocker@8 ; PopDiagTraceSleepStudyBlocker(x,x)

loc_9BD217:				; CODE XREF: PopPublishAndPurgePowerRequestStats(x,x,x)+10Bj
					; PopPublishAndPurgePowerRequestStats(x,x,x)+22Ej
		inc	esi
		push	0
		pop	eax
		cmp	esi, 4
		jb	loc_9BD068
		lock xadd [ebx], eax
		test	eax, eax
		jg	short loc_9BD233
		mov	ecx, ebx
		call	_PopAvlDeleteStatsForPowerRequest@4 ; PopAvlDeleteStatsForPowerRequest(x)

loc_9BD233:				; CODE XREF: PopPublishAndPurgePowerRequestStats(x,x,x)+2BFj
		mov	ecx, [esp+140h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PopPublishAndPurgePowerRequestStats@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopStatsNotifyPowerRequestCsState(x, x, x)
_PopStatsNotifyPowerRequestCsState@12 proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+4A7p
					; PopCaptureSleepStudyStatistics(x,x,x,x)+593p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, dword_6C1D84
		test	cl, cl
		push	esi
		push	edi
		mov	edi, _PopWnfCsEnterScenarioId
		mov	ecx, offset ??_C@_08NOLPACJD@CS?5Entry@NNGAKEGL@
		jnz	short loc_9BD26D
		mov	ecx, offset ??_C@_07BKJDAAJD@CS?5Exit@NNGAKEGL@

loc_9BD26D:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+1Cj
		push	0
		xor	edx, edx
		call	_PopLogPowerRequestAction@12 ; PopLogPowerRequestAction(x,x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PowerReqestStatsLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	esi, esi
		mov	dword_6BF4B4, eax

loc_9BD29D:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+85j
		lea	ecx, [esi-3]
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, offset _ExecutionRequiredStopWatchCollection
		jz	short loc_9BD2C0
		call	_PoIsArmedStopWatchCollection@4	; PoIsArmedStopWatchCollection(x)
		test	al, al
		jz	short loc_9BD2C0
		call	_PoUnarmStopWatchCollection@4 ;	PoUnarmStopWatchCollection(x)
		mov	al, 1
		jmp	short loc_9BD2C7
; 

loc_9BD2C0:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+62j
					; PopStatsNotifyPowerRequestCsState(x,x,x)+6Bj
		cmp	esi, 4
		jnb	short loc_9BD339
		xor	al, al

loc_9BD2C7:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+74j
		mov	byte ptr [ebp+esi+var_4], al
		inc	esi
		cmp	esi, 3
		jbe	short loc_9BD29D
		push	1
		mov	esi, offset _PowerRequestStatsDatabase
		jmp	short loc_9BD2E4
; 

loc_9BD2DA:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+A2j
		push	ebx
		push	edi
		push	eax
		call	_PopPublishAndPurgePowerRequestStats@12	; PopPublishAndPurgePowerRequestStats(x,x,x)
		push	0

loc_9BD2E4:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+8Ej
		push	esi
		call	_RtlEnumerateGenericTableAvl@8 ; RtlEnumerateGenericTableAvl(x,x)
		test	eax, eax
		jnz	short loc_9BD2DA
		xor	esi, esi

loc_9BD2F0:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+C5j
		cmp	byte ptr [ebp+esi+var_4], 0
		jz	short loc_9BD30B
		lea	ecx, [esi-3]
		neg	ecx
		sbb	ecx, ecx
		not	ecx
		and	ecx, offset _ExecutionRequiredStopWatchCollection
		call	_PoArmStopWatchCollection@4 ; PoArmStopWatchCollection(x)

loc_9BD30B:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+ABj
		inc	esi
		cmp	esi, 3
		jbe	short loc_9BD2F0
		cmp	dword_6BF4B4, 0
		jz	short loc_9BD321
		and	dword_6BF4B4, 0

loc_9BD321:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+CEj
		xor	edx, edx
		mov	ecx, offset _PowerReqestStatsLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_9BD339:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+79j
		call	___report_rangecheckfailure
		int	3		; Trap to Debugger

; __stdcall PopDirectedDripsUmCreateTestDevice(x, x, x,	x)
_PopDirectedDripsUmCreateTestDevice@16:	; CODE XREF: PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+65p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	eax, [ebp+var_4]
		push	8
		pop	ecx
		mov	esi, edx
		mov	[ebp+var_4], ecx
		lea	ebx, [edi+edi]
		mov	[ebp+var_C], esi
		push	eax
		mov	edx, ebx
		mov	[ebp+var_8], ebx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_9BD3DD
		xor	eax, eax
		test	edi, edi
		jz	short loc_9BD37C
		cmp	[ebx+esi-2], ax
		jnz	short loc_9BD37C
		dec	edi
		jmp	short loc_9BD38F
; 

loc_9BD37C:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+126j
					; PopStatsNotifyPowerRequestCsState(x,x,x)+12Dj
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	2
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_9BD3DD

loc_9BD38F:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+130j
		mov	ebx, [ebp+var_4]
		push	4D554444h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9BD3AC
		mov	eax, 0C000009Ah
		jmp	short loc_9BD3DD
; 

loc_9BD3AC:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+159j
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		push	[ebp+var_8]	; size_t
		lea	eax, [esi+8]
		push	[ebp+var_C]	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 18h
		and	dword ptr [esi], 0
		mov	[esi+4], edi
		mov	[eax], esi
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_9BD3DB
		mov	[eax], ebx

loc_9BD3DB:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+18Dj
		xor	eax, eax

loc_9BD3DD:				; CODE XREF: PopStatsNotifyPowerRequestCsState(x,x,x)+120j
					; PopStatsNotifyPowerRequestCsState(x,x,x)+143j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PopStatsNotifyPowerRequestCsState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsUmDirectedFxAddTestDevice(x, x)
_PopDirectedDripsUmDirectedFxAddTestDevice@8 proc near
					; CODE XREF: PopDirectedDripsUmPowerInformationInternal(x,x,x,x,x)+6Dp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		mov	ebx, edx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	edi, eax
		mov	byte ptr [ebp+var_1], al
		mov	[ebp+var_8], edi
		cmp	esi, 10h
		jnb	short loc_9BD412
		mov	esi, 0C000000Dh
		jmp	loc_9BD4EA
; 

loc_9BD412:				; CODE XREF: PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+22j
		mov	eax, [ebx+0Ch]
		push	2
		pop	ecx
		mov	[ebp+var_14], eax
		mul	ecx
		lea	ecx, [ebp+var_C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_9BD4D6
		lea	eax, [esi-10h]
		cmp	[ebp+var_C], eax
		ja	loc_9BD4D6
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	edx, [ebx+10h]
		call	_PopDirectedDripsUmCreateTestDevice@16 ; PopDirectedDripsUmCreateTestDevice(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9BD4D1
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PopDirectedDripsUmLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	edi, [ebp+var_8]
		mov	dword_6BF3E4, eax
		lea	eax, [ebp+var_1]
		push	eax		; int
		push	[ebp+var_10]	; size_t
		push	edi		; void *
		push	offset _PopDirectedDripsUmTestDeviceTable ; int
		call	_RtlInsertElementGenericTableAvl@16 ; RtlInsertElementGenericTableAvl(x,x,x,x)
		test	eax, eax
		jnz	short loc_9BD49B
		mov	esi, 0C000009Ah
		jmp	short loc_9BD4B1
; 

loc_9BD49B:				; CODE XREF: PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+AEj
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_9BD4A8
		mov	esi, 0C0000718h
		jmp	short loc_9BD4B1
; 

loc_9BD4A8:				; CODE XREF: PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+BBj
		lock inc _PopDirectedDripsUmTestDeviceCount
		xor	esi, esi

loc_9BD4B1:				; CODE XREF: PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+B5j
					; PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+C2j
		cmp	dword_6BF3E4, 0
		jz	short loc_9BD4C1
		and	dword_6BF3E4, 0

loc_9BD4C1:				; CODE XREF: PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+D4j
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	short loc_9BD4DB
; 

loc_9BD4D1:				; CODE XREF: PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+6Ej
		mov	edi, [ebp+var_8]
		jmp	short loc_9BD4DB
; 

loc_9BD4D6:				; CODE XREF: PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+45j
					; PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+51j
		mov	esi, 0C000000Dh

loc_9BD4DB:				; CODE XREF: PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+EBj
					; PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+F0j
		test	edi, edi
		jz	short loc_9BD4EA
		push	4D554444h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9BD4EA:				; CODE XREF: PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+29j
					; PopDirectedDripsUmDirectedFxAddTestDevice(x,x)+F9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PopDirectedDripsUmDirectedFxAddTestDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsUmDirectedFxRemoveTestDevice(x, x)
_PopDirectedDripsUmDirectedFxRemoveTestDevice@8	proc near
					; CODE XREF: PopDirectedDripsUmPowerInformationInternal(x,x,x,x,x)+61p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	esi, 0Ch
		jnb	short loc_9BD512
		mov	esi, 0C000000Dh
		jmp	loc_9BD5B6
; 

loc_9BD512:				; CODE XREF: PopDirectedDripsUmDirectedFxRemoveTestDevice(x,x)+15j
		push	ebx
		mov	ebx, [edi+8]
		mov	eax, ebx
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_9BD5B0
		lea	eax, [esi-0Ch]
		cmp	[ebp+var_4], eax
		ja	short loc_9BD5B0
		lea	eax, [edi+0Ch]
		mov	[ebp+var_10], 1
		mov	[ebp+var_8], eax
		mov	eax, large fs:124h
		mov	[ebp+var_C], ebx
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopDirectedDripsUmLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6BF3E4, eax
		lea	eax, [ebp+var_10]
		push	eax
		push	offset _PopDirectedDripsUmTestDeviceTable
		call	_RtlDeleteElementGenericTableAvl@8 ; RtlDeleteElementGenericTableAvl(x,x)
		test	al, al
		jz	short loc_9BD58B
		lock dec _PopDirectedDripsUmTestDeviceCount
		xor	esi, esi
		jmp	short loc_9BD590
; 

loc_9BD58B:				; CODE XREF: PopDirectedDripsUmDirectedFxRemoveTestDevice(x,x)+8Dj
		mov	esi, 0C0000225h

loc_9BD590:				; CODE XREF: PopDirectedDripsUmDirectedFxRemoveTestDevice(x,x)+98j
		cmp	dword_6BF3E4, 0
		jz	short loc_9BD5A0
		and	dword_6BF3E4, 0

loc_9BD5A0:				; CODE XREF: PopDirectedDripsUmDirectedFxRemoveTestDevice(x,x)+A6j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	short loc_9BD5B5
; 

loc_9BD5B0:				; CODE XREF: PopDirectedDripsUmDirectedFxRemoveTestDevice(x,x)+38j
					; PopDirectedDripsUmDirectedFxRemoveTestDevice(x,x)+44j
		mov	esi, 0C000000Dh

loc_9BD5B5:				; CODE XREF: PopDirectedDripsUmDirectedFxRemoveTestDevice(x,x)+BDj
		pop	ebx

loc_9BD5B6:				; CODE XREF: PopDirectedDripsUmDirectedFxRemoveTestDevice(x,x)+1Cj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_PopDirectedDripsUmDirectedFxRemoveTestDevice@8	endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsUmDirectedFxSetMode(x, x)
_PopDirectedDripsUmDirectedFxSetMode@8 proc near
					; CODE XREF: PopDirectedDripsUmPowerInformationInternal(x,x,x,x,x)+55p
		mov	edi, edi
		push	esi
		mov	esi, edx
		cmp	ecx, 0Ch
		jnb	short loc_9BD5CD
		mov	esi, 0C000000Dh
		jmp	short loc_9BD61B
; 

loc_9BD5CD:				; CODE XREF: PopDirectedDripsUmDirectedFxSetMode(x,x)+8j
		mov	eax, large fs:124h
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopDirectedDripsUmLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6BF3E4, eax
		cmp	byte ptr [esi+8], 0
		setnz	_PopDirectedDripsUmTestPermissive
		xor	esi, esi
		test	eax, eax
		jz	short loc_9BD60C
		mov	dword_6BF3E4, esi

loc_9BD60C:				; CODE XREF: PopDirectedDripsUmDirectedFxSetMode(x,x)+48j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi

loc_9BD61B:				; CODE XREF: PopDirectedDripsUmDirectedFxSetMode(x,x)+Fj
		mov	eax, esi
		pop	esi
		retn
_PopDirectedDripsUmDirectedFxSetMode@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsUmGetDeviceInstancePath(x, x)
_PopDirectedDripsUmGetDeviceInstancePath@8 proc	near
					; CODE XREF: PopDirectedDripsUmTestDeviceCompare(x,x,x)+17p
					; PopDirectedDripsUmTestDeviceCompare(x,x,x)+24p
		cmp	dword ptr [ecx], 0
		lea	eax, [ecx+8]
		jz	short loc_9BD629
		mov	eax, [eax]

loc_9BD629:				; CODE XREF: PopDirectedDripsUmGetDeviceInstancePath(x,x)+6j
		mov	ecx, [ecx+4]
		mov	[edx], ecx
		retn
_PopDirectedDripsUmGetDeviceInstancePath@8 endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsUmIsTestModeEnabled()
_PopDirectedDripsUmIsTestModeEnabled@0 proc near
					; CODE XREF: PopDirectedDripsResumeDevices(x,x)+59p
					; PopDripsWatchdogStartWatchdog()+40p
		mov	edi, edi
		push	esi
		push	edi
		xor	dl, dl
		xor	edi, edi
		mov	esi, offset _PopDirectedDripsUmTestDeviceCount
		mov	eax, [esi]

loc_9BD63E:				; CODE XREF: PopDirectedDripsUmIsTestModeEnabled()+17j
		mov	ecx, eax
		or	ecx, edi
		lock cmpxchg [esi], ecx
		jnz	short loc_9BD63E
		pop	edi
		pop	esi
		test	eax, eax
		jz	short loc_9BD650
		inc	dl

loc_9BD650:				; CODE XREF: PopDirectedDripsUmIsTestModeEnabled()+1Dj
		mov	al, dl
		retn
_PopDirectedDripsUmIsTestModeEnabled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsUmMarkTestDevices()
_PopDirectedDripsUmMarkTestDevices@0 proc near
					; CODE XREF: PopDirectedDripsIdleResiliencyCallback(x,x)+7Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		mov	edx, offset _PopDirectedDripsUmTestDeviceCount
		push	esi
		push	edi
		xor	esi, esi
		mov	eax, [edx]

loc_9BD669:				; CODE XREF: PopDirectedDripsUmMarkTestDevices()+1Ej
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_9BD669
		test	eax, eax
		jz	loc_9BD774
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopDirectedDripsUmLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	eax, _PopWnfCsEnterScenarioId
		lea	edx, [esp+20h+var_18]
		xor	ecx, ecx
		mov	[esp+20h+var_18], eax
		cmp	_PopDirectedDripsUmTestPermissive, cl
		mov	eax, dword_6C1D84
		setnz	cl
		mov	[esp+20h+var_14], eax
		lea	ecx, ds:2[ecx*2]
		call	PopDirectedDripsNotify
		xor	ecx, ecx
		call	PpDevNodeLockTree
		mov	esi, _IopRootDeviceNode
		jmp	short loc_9BD6D5
; 

loc_9BD6D3:				; CODE XREF: PopDirectedDripsUmMarkTestDevices()+87j
		mov	esi, eax

loc_9BD6D5:				; CODE XREF: PopDirectedDripsUmMarkTestDevices()+7Ej
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_9BD6D3
		jmp	short loc_9BD72C
; 

loc_9BD6DE:				; CODE XREF: PopDirectedDripsUmMarkTestDevices()+DFj
		cmp	dword ptr [esi+28h], 0
		jz	short loc_9BD718
		movzx	eax, word ptr [esi+14h]
		shr	eax, 1
		mov	[esp+20h+var_8], eax
		mov	eax, [esi+18h]
		mov	[esp+20h+var_4], eax
		lea	eax, [esp+20h+var_C]
		push	eax
		push	offset _PopDirectedDripsUmTestDeviceTable
		mov	[esp+28h+var_C], 1
		call	_RtlLookupElementGenericTableAvl@8 ; RtlLookupElementGenericTableAvl(x,x)
		test	eax, eax
		jz	short loc_9BD718
		mov	ecx, [esi+28h]
		call	_PopDirectedDripsMarkCandidateDevice@4 ; PopDirectedDripsMarkCandidateDevice(x)

loc_9BD718:				; CODE XREF: PopDirectedDripsUmMarkTestDevices()+8Fj
					; PopDirectedDripsUmMarkTestDevices()+BBj
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_9BD729

loc_9BD71E:				; CODE XREF: PopDirectedDripsUmMarkTestDevices()+D2j
		mov	esi, eax
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_9BD71E
		jmp	short loc_9BD72C
; 

loc_9BD729:				; CODE XREF: PopDirectedDripsUmMarkTestDevices()+C9j
		mov	esi, [esi+8]

loc_9BD72C:				; CODE XREF: PopDirectedDripsUmMarkTestDevices()+89j
					; PopDirectedDripsUmMarkTestDevices()+D4j
		cmp	esi, _IopRootDeviceNode
		jnz	short loc_9BD6DE
		xor	ecx, ecx
		call	PpDevNodeUnlockTree
		xor	ecx, ecx
		lea	edx, [esp+20h+var_18]
		cmp	_PopDirectedDripsUmTestPermissive, cl
		setnz	cl
		lea	ecx, ds:3[ecx*2]
		call	PopDirectedDripsNotify
		cmp	dword_6BF3E4, 0
		jz	short loc_9BD766
		and	dword_6BF3E4, 0

loc_9BD766:				; CODE XREF: PopDirectedDripsUmMarkTestDevices()+10Aj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9BD774:				; CODE XREF: PopDirectedDripsUmMarkTestDevices()+22j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_PopDirectedDripsUmMarkTestDevices@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsUmPowerInformationInternal(x, x, x,	x, x)
_PopDirectedDripsUmPowerInformationInternal@20 proc near
					; CODE XREF: PopPowerInformationInternal+171A41p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		and	dword ptr [ebx], 0
		and	dword ptr [eax], 0
		call	_PopIsDirectedDripsEnabled@0 ; PopIsDirectedDripsEnabled()
		test	al, al
		jnz	short loc_9BD7A2
		mov	eax, 0C00000BBh
		jmp	short loc_9BD7EC
; 

loc_9BD7A2:				; CODE XREF: PopDirectedDripsUmPowerInformationInternal(x,x,x,x,x)+1Fj
		sub	esi, 35h
		jz	short loc_9BD7E2
		sub	esi, 1
		jz	short loc_9BD7D6
		dec	esi
		sub	esi, 1
		jz	short loc_9BD7CA
		sub	esi, 8
		jz	short loc_9BD7BE
		mov	eax, 0C000000Dh
		jmp	short loc_9BD7EC
; 

loc_9BD7BE:				; CODE XREF: PopDirectedDripsUmPowerInformationInternal(x,x,x,x,x)+3Bj
		mov	edx, [ebp+arg_8]
		mov	ecx, ebx
		call	_PopDirectedDripsUmQueryCapabilities@8 ; PopDirectedDripsUmQueryCapabilities(x,x)
		jmp	short loc_9BD7EC
; 

loc_9BD7CA:				; CODE XREF: PopDirectedDripsUmPowerInformationInternal(x,x,x,x,x)+36j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_PopDirectedDripsUmDirectedFxSetMode@8 ; PopDirectedDripsUmDirectedFxSetMode(x,x)
		jmp	short loc_9BD7EC
; 

loc_9BD7D6:				; CODE XREF: PopDirectedDripsUmPowerInformationInternal(x,x,x,x,x)+30j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_PopDirectedDripsUmDirectedFxRemoveTestDevice@8	; PopDirectedDripsUmDirectedFxRemoveTestDevice(x,x)
		jmp	short loc_9BD7EC
; 

loc_9BD7E2:				; CODE XREF: PopDirectedDripsUmPowerInformationInternal(x,x,x,x,x)+2Bj
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_PopDirectedDripsUmDirectedFxAddTestDevice@8 ; PopDirectedDripsUmDirectedFxAddTestDevice(x,x)

loc_9BD7EC:				; CODE XREF: PopDirectedDripsUmPowerInformationInternal(x,x,x,x,x)+26j
					; PopDirectedDripsUmPowerInformationInternal(x,x,x,x,x)+42j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_PopDirectedDripsUmPowerInformationInternal@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsUmQueryCapabilities(x, x)
_PopDirectedDripsUmQueryCapabilities@8 proc near
					; CODE XREF: PopDirectedDripsUmPowerInformationInternal(x,x,x,x,x)+49p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	206D654Dh
		push	2
		xor	edi, edi
		mov	[ebp+var_8], ecx
		push	1
		mov	ebx, edx
		mov	[ebp+var_4], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9BD822
		mov	edi, 0C000009Ah
		jmp	short loc_9BD850
; 

loc_9BD822:				; CODE XREF: PopDirectedDripsUmQueryCapabilities(x,x)+26j
		xor	eax, eax
		lea	ecx, [ebp+var_4]
		push	edi
		xor	edx, edx
		mov	[esi], ax
		call	_PopDirectedDripsQueryMitigationStatus@12 ; PopDirectedDripsQueryMitigationStatus(x,x,x)
		test	byte ptr [ebp+var_4], 1
		jz	short loc_9BD83B
		mov	byte ptr [esi],	1

loc_9BD83B:				; CODE XREF: PopDirectedDripsUmQueryCapabilities(x,x)+43j
		test	byte ptr [ebp+var_4], 2
		jz	short loc_9BD845
		mov	byte ptr [esi+1], 1

loc_9BD845:				; CODE XREF: PopDirectedDripsUmQueryCapabilities(x,x)+4Cj
		mov	eax, [ebp+var_8]
		mov	dword ptr [eax], 2
		mov	[ebx], esi

loc_9BD850:				; CODE XREF: PopDirectedDripsUmQueryCapabilities(x,x)+2Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopDirectedDripsUmQueryCapabilities@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsUmTestDeviceAllocate(x, x)
_PopDirectedDripsUmTestDeviceAllocate@8	proc near
					; DATA XREF: PopDirectedDripsUmInitialize()+Bo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	4D554444h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_PopDirectedDripsUmTestDeviceAllocate@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsUmTestDeviceCompare(x, x, x)
_PopDirectedDripsUmTestDeviceCompare@12	proc near
					; DATA XREF: PopDirectedDripsUmInitialize()+10o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_4]
		lea	edx, [ebp+var_8]
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_PopDirectedDripsUmGetDeviceInstancePath@8 ; PopDirectedDripsUmGetDeviceInstancePath(x,x)
		mov	ecx, [ebp+arg_8]
		lea	edx, [ebp+var_4]
		mov	esi, eax
		call	_PopDirectedDripsUmGetDeviceInstancePath@8 ; PopDirectedDripsUmGetDeviceInstancePath(x,x)
		push	1
		push	[ebp+var_4]
		push	eax
		push	[ebp+var_8]
		push	esi
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		test	eax, eax
		js	short loc_9BD8B1
		test	eax, eax
		setz	bl
		inc	ebx

loc_9BD8B1:				; CODE XREF: PopDirectedDripsUmTestDeviceCompare(x,x,x)+3Aj
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
_PopDirectedDripsUmTestDeviceCompare@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsUmTestDeviceFree(x,	x)
_PopDirectedDripsUmTestDeviceFree@8 proc near ;	DATA XREF: PopDirectedDripsUmInitialize()+6o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	4D554444h
		push	[ebp+arg_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_PopDirectedDripsUmTestDeviceFree@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsBuildBroadcastTreeFull(x, x, x, x)
_PopDirectedDripsBuildBroadcastTreeFull@16 proc	near
					; CODE XREF: PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+57p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_18]
		and	[ebp+var_8], 0
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_20]
		push	ebx
		mov	[ebp+var_1C], eax
		xor	ebx, ebx
		mov	[ebp+var_20], eax
		mov	eax, [ecx+1E4h]
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		test	eax, 30000h
		jnz	loc_9BDA70
		lea	eax, [ecx+1D4h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_9BDAB8
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_9BDAB8
		mov	[ecx], edx
		mov	[edx+4], ecx
		lea	edx, [ebp+var_18]
		mov	ecx, [ebp+var_14]
		cmp	[ecx], edx
		jnz	loc_9BDAB8
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ebp+var_14], eax

loc_9BD943:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+B8j
					; PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+10Cj	...
		mov	esi, [ebp+var_18]
		lea	eax, [ebp+var_18]
		cmp	esi, eax
		jz	loc_9BDA70
		cmp	[esi+4], eax
		jnz	loc_9BDAB8
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_9BDAB8
		mov	[ebp+var_18], eax
		lea	ecx, [ebp+var_18]
		mov	[eax+4], ecx
		lea	edi, [esi-1D4h]
		mov	[esi+4], esi
		mov	[esi], esi
		mov	eax, [edi+28h]
		mov	[ebp+var_10], eax
		mov	eax, [esi+10h]
		test	eax, 30000h
		jnz	short loc_9BD943
		push	0
		push	[ebp+var_4]
		mov	edx, esi
		lea	ecx, [ebp+var_20]
		call	_PopDirectedDripsVisitDevice@16	; PopDirectedDripsVisitDevice(x,x,x,x)
		lea	edx, [ebp+var_C]
		mov	ecx, edi
		call	_PopDirectedDripsIsLikelySpecialDevice@8 ; PopDirectedDripsIsLikelySpecialDevice(x,x)
		test	al, al
		jnz	loc_9BDA33
		test	[ebp+arg_0], 1
		jz	short loc_9BD9EF
		and	[ebp+var_8], 0
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_9BD9EA
		lea	edx, [ebp+var_8]
		mov	ecx, eax
		call	_PopFxIsDirectedPowerTransitionSupported@8 ; PopFxIsDirectedPowerTransitionSupported(x,x)
		test	al, al
		jz	short loc_9BD9E0
		push	[ebp+var_4]
		lea	edx, [ebp+var_20]
		push	esi
		lea	ecx, [ebp+var_18]
		call	_PopDirectedDripsMarkDfxDevice@16 ; PopDirectedDripsMarkDfxDevice(x,x,x,x)
		or	ebx, 1
		jmp	loc_9BD943
; 

loc_9BD9E0:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+F8j
		cmp	[ebp+var_8], 2
		jnz	short loc_9BD9EA
		push	4
		jmp	short loc_9BD9F1
; 

loc_9BD9EA:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+EAj
					; PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+115j
		xor	eax, eax
		inc	eax
		jmp	short loc_9BD9F2
; 

loc_9BD9EF:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+DFj
		push	8

loc_9BD9F1:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+119j
		pop	eax

loc_9BD9F2:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+11Ej
		mov	esi, [ebp+var_4]
		mov	ecx, edi
		push	eax
		mov	edx, esi
		call	_PopDirectedDripsDiagTraceProblemDevice@12 ; PopDirectedDripsDiagTraceProblemDevice(x,x,x)
		test	[ebp+arg_0], 2
		jz	short loc_9BDA45
		push	esi
		lea	edx, [ebp+var_20]
		mov	ecx, edi
		call	_PopDirectedDripsBuildPs4BroadcastTree@12 ; PopDirectedDripsBuildPs4BroadcastTree(x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_9BDA4A
		mov	eax, [edi+1F0h]
		or	ebx, 2
		test	eax, eax
		jz	loc_9BD943
		or	dword ptr [eax+58h], 10000h
		jmp	loc_9BD943
; 

loc_9BDA33:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+D5j
		or	dword ptr [esi+10h], 40000h
		push	[ebp+var_C]
		mov	edx, [ebp+var_4]
		call	_PopDirectedDripsDiagTraceProblemDevice@12 ; PopDirectedDripsDiagTraceProblemDevice(x,x,x)

loc_9BDA45:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+134j
		mov	edx, 0C00000BBh

loc_9BDA4A:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+145j
					; PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+19Fj
		mov	eax, [ebp+var_18]
		lea	ecx, [ebp+var_18]
		cmp	eax, ecx
		jz	short loc_9BDA72
		cmp	[eax+4], ecx
		jnz	short loc_9BDAB8
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_9BDAB8
		mov	[ebp+var_18], ecx
		lea	esi, [ebp+var_18]
		mov	[ecx+4], esi
		mov	[eax+4], eax
		mov	[eax], eax
		jmp	short loc_9BDA4A
; 

loc_9BDA70:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+35j
					; PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+7Cj
		xor	edx, edx

loc_9BDA72:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+183j
					; PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+1D5j
		mov	ecx, [ebp+var_20]
		lea	eax, [ebp+var_20]
		cmp	ecx, eax
		jz	short loc_9BDAA6
		cmp	[ecx+4], eax
		jnz	short loc_9BDAB8
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_9BDAB8
		mov	[ebp+var_20], eax
		lea	esi, [ebp+var_20]
		mov	[eax+4], esi
		test	edx, edx
		jns	short loc_9BDA9B
		mov	eax, [ecx+0Ch]
		mov	[ecx+8], eax

loc_9BDA9B:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+1C4j
		and	dword ptr [ecx+0Ch], 0
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		jmp	short loc_9BDA72
; 

loc_9BDAA6:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+1ABj
		test	edx, edx
		js	short loc_9BDAAF
		mov	eax, [ebp+arg_4]
		or	[eax], ebx

loc_9BDAAF:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+1D9j
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	8
; 

loc_9BDAB8:				; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+46j
					; PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+51j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PopDirectedDripsBuildBroadcastTreeFull@16 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsBuildBroadcastTreePartial(x, x, x)
_PopDirectedDripsBuildBroadcastTreePartial@12 proc near
					; CODE XREF: PopDirectedDripsInitializeBroadcast(x)+D6p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, ecx
		xor	ecx, ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_C], ecx
		push	edi
		mov	eax, [ebx+1E4h]
		mov	[ebp+var_10], esi
		mov	byte ptr [ebp+var_14], cl
		mov	[ebp+var_8], ecx
		test	eax, 30000h
		jz	short loc_9BDAEE
		mov	esi, ecx
		jmp	loc_9BDB82
; 

loc_9BDAEE:				; CODE XREF: PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+28j
		lea	eax, [ebp+var_C]
		mov	ecx, ebx
		push	eax
		call	_PopDirectedDripsDiagBroadcastTreeBegin@12 ; PopDirectedDripsDiagBroadcastTreeBegin(x,x,x)
		xor	edx, edx
		mov	edi, ebx
		mov	[ebp+var_4], edx

loc_9BDB00:				; CODE XREF: PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+A9j
		mov	eax, [edi+1E4h]
		test	al, 2
		jnz	short loc_9BDB4D
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		mov	ecx, edi
		call	_PopDirectedDripsBuildBroadcastTreeFull@16 ; PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9BDB30
		mov	byte ptr [ebp+var_14], 1
		cmp	esi, 0C00000BBh
		jnz	short loc_9BDB82
		mov	edx, [ebp+var_4]
		jmp	short loc_9BDB37
; 

loc_9BDB30:				; CODE XREF: PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+60j
		mov	edx, [ebp+var_4]
		inc	edx
		mov	[ebp+var_4], edx

loc_9BDB37:				; CODE XREF: PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+71j
		mov	esi, [ebp+var_10]

loc_9BDB3A:				; CODE XREF: PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+94j
					; PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+9Ej
		cmp	edi, ebx
		jz	short loc_9BDB68

loc_9BDB3E:				; CODE XREF: PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+8Cj
		mov	eax, [edi]
		test	eax, eax
		jnz	short loc_9BDB62
		mov	edi, [edi+8]
		cmp	edi, ebx
		jnz	short loc_9BDB3E
		jmp	short loc_9BDB64
; 

loc_9BDB4D:				; CODE XREF: PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+4Bj
		cmp	dword ptr [edi+4], 0
		jz	short loc_9BDB3A
		mov	eax, [edi+1E4h]
		test	al, 4
		jnz	short loc_9BDB3A
		mov	edi, [edi+4]
		jmp	short loc_9BDB64
; 

loc_9BDB62:				; CODE XREF: PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+85j
		mov	edi, eax

loc_9BDB64:				; CODE XREF: PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+8Ej
					; PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+A3j
		cmp	edi, ebx
		jnz	short loc_9BDB00

loc_9BDB68:				; CODE XREF: PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+7Fj
		mov	ecx, [ebp+arg_0]
		mov	esi, edx
		mov	eax, [ebp+var_8]
		or	[ecx], eax
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFF45h
		add	esi, 0C00000BBh

loc_9BDB82:				; CODE XREF: PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+2Cj
					; PopDirectedDripsBuildBroadcastTreePartial(x,x,x)+6Cj
		push	[ebp+var_14]
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		push	[ebp+var_8]
		call	_PopDirectedDripsDiagBroadcastTreeEnd@16 ; PopDirectedDripsDiagBroadcastTreeEnd(x,x,x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopDirectedDripsBuildBroadcastTreePartial@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsBuildPs4BroadcastTree(x, x,	x)
_PopDirectedDripsBuildPs4BroadcastTree@12 proc near
					; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+13Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		add	ecx, 1D4h
		mov	[ebp+var_4], edx
		push	ebx
		push	esi
		lea	eax, [ebp+var_C]
		mov	esi, [ecx]
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		push	edi
		cmp	[esi+4], ecx
		jnz	loc_9BDCF8
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	loc_9BDCF8
		mov	[eax], esi
		lea	edx, [ebp+var_C]
		mov	[esi+4], eax
		mov	eax, [ebp+var_8]
		cmp	[eax], edx
		jnz	loc_9BDCF8
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[ebp+var_8], ecx

loc_9BDBEB:				; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+8Ej
					; PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+10Fj
		mov	esi, [ebp+var_C]
		lea	eax, [ebp+var_C]
		cmp	esi, eax
		jz	loc_9BDCED
		cmp	[esi+4], eax
		jnz	loc_9BDCF8
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_9BDCF8
		mov	[ebp+var_C], eax
		lea	ecx, [ebp+var_C]
		mov	[eax+4], ecx
		lea	ebx, [esi-1D4h]
		mov	[esi+4], esi
		mov	[esi], esi
		mov	eax, [esi+10h]
		test	eax, 20000h
		jnz	short loc_9BDBEB
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	4
		push	[ebp+arg_0]
		call	_PopDirectedDripsVisitDevice@16	; PopDirectedDripsVisitDevice(x,x,x,x)
		mov	edi, ebx
		test	ebx, ebx
		jz	short loc_9BDCAF

loc_9BDC40:				; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+B4j
		mov	eax, [edi+1E4h]
		test	al, 1
		jnz	short loc_9BDC51
		mov	edi, [edi+8]
		test	edi, edi
		jnz	short loc_9BDC40

loc_9BDC51:				; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+ADj
		test	edi, edi
		jz	short loc_9BDCAF
		push	[ebp+arg_0]
		mov	ebx, [ebp+var_4]
		lea	edx, [ebp+var_C]
		push	ebx
		mov	ecx, edi
		call	_PopDirectedDripsVisitPs4Device@16 ; PopDirectedDripsVisitPs4Device(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_9BDCC7
		mov	eax, [edi+4]
		mov	esi, edi
		jmp	short loc_9BDC78
; 

loc_9BDC73:				; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+DFj
		mov	esi, eax
		mov	eax, [esi+4]

loc_9BDC78:				; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+D6j
		test	eax, eax
		jnz	short loc_9BDC73
		jmp	short loc_9BDCA6
; 

loc_9BDC7E:				; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+10Dj
		push	[ebp+arg_0]
		lea	edx, [ebp+var_C]
		mov	ecx, esi
		push	ebx
		call	_PopDirectedDripsVisitPs4Device@16 ; PopDirectedDripsVisitPs4Device(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_9BDCC7
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_9BDCA3

loc_9BDC98:				; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+104j
		mov	esi, eax
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_9BDC98
		jmp	short loc_9BDCA6
; 

loc_9BDCA3:				; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+FBj
		mov	esi, [esi+8]

loc_9BDCA6:				; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+E1j
					; PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+106j
		cmp	esi, edi
		jnz	short loc_9BDC7E
		jmp	loc_9BDBEB
; 

loc_9BDCAF:				; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+A3j
					; PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+B8j
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		or	dword ptr [esi+10h], 40000h
		push	3
		call	_PopDirectedDripsDiagTraceProblemDevice@12 ; PopDirectedDripsDiagTraceProblemDevice(x,x,x)
		mov	ecx, 0C00000BBh

loc_9BDCC7:				; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+CFj
					; PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+F5j ...
		mov	eax, [ebp+var_C]
		lea	edx, [ebp+var_C]
		cmp	eax, edx
		jz	short loc_9BDCEF
		cmp	[eax+4], edx
		jnz	short loc_9BDCF8
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_9BDCF8
		mov	[ebp+var_C], edx
		lea	esi, [ebp+var_C]
		mov	[edx+4], esi
		mov	[eax+4], eax
		mov	[eax], eax
		jmp	short loc_9BDCC7
; 

loc_9BDCED:				; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+58j
		xor	ecx, ecx

loc_9BDCEF:				; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+134j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	4
; 

loc_9BDCF8:				; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+22j
					; PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+2Dj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PopDirectedDripsBuildPs4BroadcastTree@12 endp ; AL = character	to display


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsIsLikelySpecialDevice(x, x)
_PopDirectedDripsIsLikelySpecialDevice@8 proc near
					; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+CEp
					; PopDirectedDripsVisitPs4Device(x,x,x,x)+2Fp
		mov	eax, [ecx+1E4h]
		test	al, 10h
		jz	short loc_9BDD0C
		and	dword ptr [edx], 0
		jmp	short loc_9BDD30
; 

loc_9BDD0C:				; CODE XREF: PopDirectedDripsIsLikelySpecialDevice(x,x)+8j
		mov	eax, [ecx+10h]
		test	dword ptr [eax+1Ch], 2000000h
		jz	short loc_9BDD20
		mov	dword ptr [edx], 7
		jmp	short loc_9BDD30
; 

loc_9BDD20:				; CODE XREF: PopDirectedDripsIsLikelySpecialDevice(x,x)+19j
		xor	eax, eax
		cmp	[ecx+1ECh], eax
		jbe	short locret_9BDD32
		mov	dword ptr [edx], 6

loc_9BDD30:				; CODE XREF: PopDirectedDripsIsLikelySpecialDevice(x,x)+Dj
					; PopDirectedDripsIsLikelySpecialDevice(x,x)+21j
		mov	al, 1

locret_9BDD32:				; CODE XREF: PopDirectedDripsIsLikelySpecialDevice(x,x)+2Bj
		retn
_PopDirectedDripsIsLikelySpecialDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsMarkDfxDevice(x, x,	x, x)
_PopDirectedDripsMarkDfxDevice@16 proc near
					; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+104p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, edx
		push	1
		push	[ebp+arg_4]
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		or	dword ptr [edi+10h], 10000h
		mov	edx, edi
		mov	ecx, eax
		call	_PopDirectedDripsVisitDevice@16	; PopDirectedDripsVisitDevice(x,x,x,x)
		mov	eax, [edi+10h]
		mov	esi, [edi-1ACh]
		mov	byte ptr [ebp+var_4], 0
		test	al, 4
		jnz	loc_9BDE59
		test	esi, esi
		jz	short loc_9BDDA4
		add	esi, 238h
		xor	ecx, ecx
		xor	eax, eax
		lock cmpxchg [esi], ecx
		mov	edx, eax
		xor	ecx, ecx
		xor	eax, eax
		lock cmpxchg [esi], ecx
		mov	ecx, eax
		shr	ecx, 0Ah
		and	ecx, 0FFFFFF01h
		mov	[ebp+var_4], ecx
		and	edx, 200h
		jnz	short loc_9BDDF9

loc_9BDDA4:				; CODE XREF: PopDirectedDripsMarkDfxDevice(x,x,x,x)+41j
		mov	eax, [edi-1D0h]
		jmp	short loc_9BDDF2
; 

loc_9BDDAC:				; CODE XREF: PopDirectedDripsMarkDfxDevice(x,x,x,x)+C4j
		mov	ecx, [ebp+var_8]
		lea	esi, [eax+1D4h]
		push	2
		push	[ebp+arg_4]
		mov	edx, esi
		call	_PopDirectedDripsVisitDevice@16	; PopDirectedDripsVisitDevice(x,x,x,x)
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_9BDE60
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_9BDE60
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	short loc_9BDE60
		mov	[esi+4], eax
		mov	[esi], ebx
		mov	[eax], esi
		mov	eax, [ebp+arg_0]
		mov	[ebx+4], esi
		mov	eax, [eax]

loc_9BDDF2:				; CODE XREF: PopDirectedDripsMarkDfxDevice(x,x,x,x)+77j
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	short loc_9BDDAC

loc_9BDDF9:				; CODE XREF: PopDirectedDripsMarkDfxDevice(x,x,x,x)+6Fj
		cmp	byte ptr [ebp+var_4], 0
		jnz	short loc_9BDE59
		mov	eax, [edi-170h]
		add	edi, 0FFFFFE90h
		jmp	short loc_9BDE52
; 

loc_9BDE0D:				; CODE XREF: PopDirectedDripsMarkDfxDevice(x,x,x,x)+124j
		mov	esi, [eax-4]
		mov	ecx, [ebp+var_8]
		push	3
		push	[ebp+arg_4]
		lea	edx, [esi+178h]
		call	_PopDirectedDripsVisitDevice@16	; PopDirectedDripsVisitDevice(x,x,x,x)
		add	esi, 178h
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_9BDE60
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_9BDE60
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	short loc_9BDE60
		mov	[esi+4], eax
		mov	[esi], ebx
		mov	[eax], esi
		mov	eax, [ebp+arg_0]
		mov	[ebx+4], esi
		mov	eax, [eax]

loc_9BDE52:				; CODE XREF: PopDirectedDripsMarkDfxDevice(x,x,x,x)+D8j
		mov	[ebp+arg_0], eax
		cmp	eax, edi
		jnz	short loc_9BDE0D

loc_9BDE59:				; CODE XREF: PopDirectedDripsMarkDfxDevice(x,x,x,x)+39j
					; PopDirectedDripsMarkDfxDevice(x,x,x,x)+CAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_9BDE60:				; CODE XREF: PopDirectedDripsMarkDfxDevice(x,x,x,x)+93j
					; PopDirectedDripsMarkDfxDevice(x,x,x,x)+9Ej ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PopDirectedDripsMarkDfxDevice@16 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsVisitDevice(x, x, x, x)
_PopDirectedDripsVisitDevice@16	proc near
					; CODE XREF: PopDirectedDripsBuildBroadcastTreeFull(x,x,x,x)+C4p
					; PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+9Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		lea	esi, [edx+8]
		cmp	[esi], esi
		jnz	short loc_9BDE8F
		mov	eax, [edx+10h]
		mov	[edx+14h], eax
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jz	short loc_9BDE85
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9BDE85:				; CODE XREF: PopDirectedDripsVisitDevice(x,x,x,x)+19j
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ecx+4], esi

loc_9BDE8F:				; CODE XREF: PopDirectedDripsVisitDevice(x,x,x,x)+Cj
		push	[ebp+arg_4]
		lea	ecx, [edx-1D4h]
		mov	edx, [ebp+arg_0]
		call	_PopDirectedDripsDiagTraceBroadcastVisit@12 ; PopDirectedDripsDiagTraceBroadcastVisit(x,x,x)
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
_PopDirectedDripsVisitDevice@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDirectedDripsVisitPs4Device(x, x, x, x)
_PopDirectedDripsVisitPs4Device@16 proc	near
					; CODE XREF: PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+C6p
					; PopDirectedDripsBuildPs4BroadcastTree(x,x,x)+ECp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		mov	ecx, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		push	5
		push	[ebp+arg_4]
		lea	edi, [esi+1D4h]
		mov	[ebp+var_4], ebx
		mov	edx, edi
		call	_PopDirectedDripsVisitDevice@16	; PopDirectedDripsVisitDevice(x,x,x,x)
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_PopDirectedDripsIsLikelySpecialDevice@8 ; PopDirectedDripsIsLikelySpecialDevice(x,x)
		test	al, al
		jz	short loc_9BDEF7
		push	[ebp+var_4]

loc_9BDEE1:				; CODE XREF: PopDirectedDripsVisitPs4Device(x,x,x,x)+5Aj
		mov	edx, [ebp+arg_4]
		call	_PopDirectedDripsDiagTraceProblemDevice@12 ; PopDirectedDripsDiagTraceProblemDevice(x,x,x)
		mov	ebx, 0C00000BBh

loc_9BDEEE:				; CODE XREF: PopDirectedDripsVisitPs4Device(x,x,x,x)+6Dj
					; PopDirectedDripsVisitPs4Device(x,x,x,x)+B9j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_9BDEF7:				; CODE XREF: PopDirectedDripsVisitPs4Device(x,x,x,x)+36j
		mov	eax, [edi+10h]
		test	al, 8
		jz	short loc_9BDF02
		push	3
		jmp	short loc_9BDEE1
; 

loc_9BDF02:				; CODE XREF: PopDirectedDripsVisitPs4Device(x,x,x,x)+56j
		or	dword ptr [edi+10h], 20000h
		lea	eax, [esi+64h]
		mov	edi, [eax]
		mov	[ebp+var_4], eax
		cmp	edi, eax
		jz	short loc_9BDEEE

loc_9BDF15:				; CODE XREF: PopDirectedDripsVisitPs4Device(x,x,x,x)+B7j
		mov	esi, [edi-4]
		mov	ecx, [ebp+arg_0]
		push	6
		push	[ebp+arg_4]
		lea	edx, [esi+178h]
		call	_PopDirectedDripsVisitDevice@16	; PopDirectedDripsVisitDevice(x,x,x,x)
		add	esi, 178h
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_9BDF61
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_9BDF61
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_9BDF61
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ecx+4], esi
		mov	edi, [edi]
		cmp	edi, [ebp+var_4]
		jnz	short loc_9BDF15
		jmp	short loc_9BDEEE
; 

loc_9BDF61:				; CODE XREF: PopDirectedDripsVisitPs4Device(x,x,x,x)+90j
					; PopDirectedDripsVisitPs4Device(x,x,x,x)+97j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PopDirectedDripsVisitPs4Device@16 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSqmBatteryUpdate(x, x, x, x)
_PopSqmBatteryUpdate@16	proc near	; CODE XREF: PopBatteryApplyCompositeState+A0747p

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopPlatformAoAc, 0
		mov	eax, edx
		jz	short loc_9BDFBC
		mov	edx, ecx
		lea	ecx, [ebp+var_24]
		call	_PopSqmCreateDwordStreamEntry@8	; PopSqmCreateDwordStreamEntry(x,x)
		mov	edx, eax
		lea	ecx, [ebp+var_1C]
		call	_PopSqmCreateDwordStreamEntry@8	; PopSqmCreateDwordStreamEntry(x,x)
		xor	edx, edx
		lea	ecx, [ebp+var_14]
		cmp	[ebp+arg_0], edx
		setz	dl
		call	_PopSqmCreateDwordStreamEntry@8	; PopSqmCreateDwordStreamEntry(x,x)
		mov	edx, [ebp+arg_4]
		lea	ecx, [ebp+var_C]
		call	_PopSqmCreateDwordStreamEntry@8	; PopSqmCreateDwordStreamEntry(x,x)
		lea	eax, [ebp+var_24]
		push	eax
		push	ecx
		call	_PopSqmAddToStream@16 ;	PopSqmAddToStream(x,x,x,x)

loc_9BDFBC:				; CODE XREF: PopSqmBatteryUpdate(x,x,x,x)+1Bj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopSqmBatteryUpdate@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSqmFanEnumeration()
_PopSqmFanEnumeration@0	proc near	; CODE XREF: PopFanAdd(x)+37p
					; PopFanReportBootStartDevices():loc_ADBF1Ep

var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		cmp	dword_6B23F8, 5
		push	edi
		jbe	short loc_9BE017
		push	4000h
		mov	edi, offset dword_6B23F8
		push	0
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9BE017
		lea	eax, [esp+30h+var_28]
		push	eax
		push	2
		push	0
		push	0
		push	offset loc_42110A
		push	edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9BE017:				; CODE XREF: PopSqmFanEnumeration()+1Ej
					; PopSqmFanEnumeration()+35j
		mov	ecx, [esp+30h+var_4]
		pop	edi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PopSqmFanEnumeration@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSqmThermalCriticalEvent(x, x, x)
_PopSqmThermalCriticalEvent@12 proc near ; CODE	XREF: PopSqmThermalCriticalShutdown(x)+8p
					; PopSqmThermalHibernate(x)+Bp

var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= byte ptr -0C0h
var_BF		= byte ptr -0BFh
var_BE		= dword	ptr -0BEh
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C8], edx
		mov	edx, 67446F50h
		mov	ecx, [edi+18h]
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	esi, eax
		test	esi, esi
		jz	short loc_9BE065
		mov	ecx, [esi+0B0h]
		mov	ebx, [ecx+14h]
		jmp	short loc_9BE067
; 

loc_9BE065:				; CODE XREF: PopSqmThermalCriticalEvent(x,x,x)+31j
		xor	ebx, ebx

loc_9BE067:				; CODE XREF: PopSqmThermalCriticalEvent(x,x,x)+3Cj
		test	ebx, ebx
		jz	loc_9BE1E1
		mov	eax, [edi+60h]
		mov	[ebp+var_C4], eax
		mov	eax, [edi+39Ch]
		mov	[ebp+var_CC], eax
		test	eax, eax
		jnz	short loc_9BE092
		mov	[ebp+var_CC], offset ??_C@_11LOCGONAA@@NNGAKEGL@

loc_9BE092:				; CODE XREF: PopSqmThermalCriticalEvent(x,x,x)+5Fj
		cmp	dword_6B23F8, 5
		jbe	loc_9BE1E1
		push	8000h
		push	0
		mov	ecx, offset dword_6B23F8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9BE1E1
		cmp	byte ptr [edi+0C4h], 0
		lea	eax, [ebp+var_BE+1]
		mov	cl, [edi+21h]
		setnz	byte ptr [ebp+var_BE+1]
		mov	[ebp+var_9C], eax
		and	[ebp+var_98], 0
		xor	edx, edx
		and	[ebp+var_90], 0
		inc	edx
		and	[ebp+var_48], 0
		mov	al, cl
		and	al, dl
		shr	cl, 2
		mov	byte ptr [ebp+var_BE], al
		and	cl, dl
		lea	eax, [ebp+var_BE]
		mov	[ebp+var_94], edx
		mov	[ebp+var_8C], eax
		xor	edi, edi
		lea	eax, [ebp-0BFh]
		mov	[ebp+var_84], edx
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_BF], cl
		lea	ecx, [ebp+var_C4]
		mov	[ebp+var_74], edx
		xor	edx, edx
		mov	[ebp+var_D0], eax
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_88], edi
		mov	[ebp+var_80], edi
		mov	[ebp+var_78], edi
		push	4
		pop	edi
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+var_C4]
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ecx
		mov	ecx, [ebp+var_C8]
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		lea	edx, [ebp+var_C8]
		mov	[ebp+var_64], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_44], edi
		xor	edi, edi
		cmp	eax, ecx
		mov	[ebp+var_C4], eax
		mov	[ebp+var_C8], ecx
		lea	eax, [ebp-0C0h]
		mov	[ebp+var_4C], edx
		lea	ecx, [ebp+var_2C]
		mov	edx, [ebx+4Ch]
		setnbe	[ebp+var_C0]
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], 1
		mov	[ebp+var_30], edi
		call	_tlgCreate1Sz_wchar_t
		mov	edx, [ebp+var_CC]
		lea	ecx, [ebp+var_1C]
		call	_tlgCreate1Sz_wchar_t
		lea	eax, [ebp+var_BE+2]
		push	eax
		push	0Bh
		push	edi
		push	edi
		push	offset loc_420FF3
		push	offset dword_6B23F8
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9BE1E1:				; CODE XREF: PopSqmThermalCriticalEvent(x,x,x)+42j
					; PopSqmThermalCriticalEvent(x,x,x)+72j ...
		test	esi, esi
		jz	short loc_9BE1F1
		mov	edx, 67446F50h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_9BE1F1:				; CODE XREF: PopSqmThermalCriticalEvent(x,x,x)+1BCj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PopSqmThermalCriticalEvent@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopSqmThermalCriticalShutdown(x)
_PopSqmThermalCriticalShutdown@4 proc near
					; CODE XREF: PopCheckAndHandleThermalConditions+82999p
		mov	edi, edi
		push	ecx
		mov	edx, [ecx+6Ch]
		push	1
		call	_PopSqmThermalCriticalEvent@12 ; PopSqmThermalCriticalEvent(x,x,x)
		pop	ecx
		retn
_PopSqmThermalCriticalShutdown@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopSqmThermalHibernate(x)
_PopSqmThermalHibernate@4 proc near	; CODE XREF: PopCheckAndHandleThermalConditions+829BEp
		mov	edi, edi
		push	ecx
		mov	edx, [ecx+9Ch]
		push	0
		call	_PopSqmThermalCriticalEvent@12 ; PopSqmThermalCriticalEvent(x,x,x)
		pop	ecx
		retn
_PopSqmThermalHibernate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSqmThermalUsermodeEvent(x, x, x,	x, x)
_PopSqmThermalUsermodeEvent@20 proc near ; CODE	XREF: PopThermalProcessUsermodeEvent(x)+3Cp
					; PopThermalProcessUsermodeEvent(x)+89p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	dword_6B23F8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	di, cx
		jbe	loc_9BE2F5
		push	8000h
		xor	ebx, ebx
		mov	ecx, offset dword_6B23F8
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9BE2F5
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_4C], eax
		xor	eax, eax
		cmp	[ebp+arg_8], al
		push	4
		setnz	al
		mov	[ebp+var_58], ebx
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_14]
		pop	ecx
		mov	[ebp+var_2C], eax
		movzx	eax, di
		add	eax, eax
		mov	[ebp+var_54], ecx
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	7
		push	ebx
		push	ebx
		push	(offset	loc_4210AC+6)
		push	offset dword_6B23F8
		mov	[ebp+var_50], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], 2
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9BE2F5:				; CODE XREF: PopSqmThermalUsermodeEvent(x,x,x,x,x)+24j
					; PopSqmThermalUsermodeEvent(x,x,x,x,x)+3Ej
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PopSqmThermalUsermodeEvent@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSqmThermalZoneEnumeration(x, x, x, x, x,	x, x, x, x, x, x, x)
_PopSqmThermalZoneEnumeration@48 proc near
					; CODE XREF: PopDiagTraceThermalZoneEnumeration+82E19p

var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_C8		= dword	ptr -0C8h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 114h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [edx+4]
		push	edi
		mov	edi, ecx
		test	esi, esi
		jnz	short loc_9BE32C
		mov	esi, offset ??_C@_11LOCGONAA@@NNGAKEGL@

loc_9BE32C:				; CODE XREF: PopSqmThermalZoneEnumeration(x,x,x,x,x,x,x,x,x,x,x,x)+1Fj
		cmp	dword_6B23F8, 5
		jbe	loc_9BE4C0
		push	4000h
		xor	ebx, ebx
		mov	ecx, offset dword_6B23F8
		push	ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9BE4C0
		mov	edx, [edi+4]
		lea	ecx, [ebp+var_C8]
		call	_tlgCreate1Sz_wchar_t
		mov	eax, [ebp+arg_10]
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_EC], eax
		mov	edx, esi
		lea	eax, [ebp+var_EC]
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_F0], eax
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_F4], eax
		lea	eax, [ebp+var_F4]
		mov	[ebp+var_98], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_F8]
		mov	[ebp+var_88], eax
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_FC], eax
		lea	eax, [ebp+var_FC]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_100], eax
		lea	eax, [ebp+var_100]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_104], eax
		lea	eax, [ebp+var_104]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_108], eax
		lea	eax, [ebp+var_108]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_8]
		push	4
		pop	edi
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_10C]
		mov	[ebp+var_B0], edi
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_A4], ebx
		mov	[ebp+var_A0], edi
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_94], ebx
		mov	[ebp+var_90], edi
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], edi
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], edi
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], ebx
		call	_tlgCreate1Sz_wchar_t
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_110], eax
		lea	eax, [ebp+var_110]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_E8]
		push	eax
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ebx
		push	0Eh
		push	ebx
		push	ebx
		push	offset loc_420EE6
		push	offset dword_6B23F8
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9BE4C0:				; CODE XREF: PopSqmThermalZoneEnumeration(x,x,x,x,x,x,x,x,x,x,x,x)+2Dj
					; PopSqmThermalZoneEnumeration(x,x,x,x,x,x,x,x,x,x,x,x)+47j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	28h
_PopSqmThermalZoneEnumeration@48 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSleepstudyCaptureResiliencyStatistics(x,	x, x, x)
_PopSleepstudyCaptureResiliencyStatistics@16 proc near
					; CODE XREF: PopSleepstudyStartNextSession+A6C4Bp
					; PopSleepstudyStartNextSession+A6D81p

var_140		= dword	ptr -140h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 144h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_30]
		xor	eax, eax
		mov	ebx, edx
		push	0Ah
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_140]
		mov	[ebp+var_12C], ebx
		stosd
		lea	ecx, [ebp+var_140]
		stosd
		stosd
		stosd
		call	_PopGetEnergyCounter@4 ; PopGetEnergyCounter(x)
		cmp	[ebp+arg_4], 0
		jz	short loc_9BE52E
		mov	dl, byte ptr [ebp+arg_0]
		lea	eax, [ebp+var_140]
		push	eax
		mov	ecx, ebx
		call	_PopDiagTraceCsResiliencyEnter@12 ; PopDiagTraceCsResiliencyEnter(x,x,x)
		jmp	loc_9BE610
; 

loc_9BE52E:				; CODE XREF: PopSleepstudyCaptureResiliencyStatistics(x,x,x,x)+45j
		mov	ecx, [esi+58h]
		sub	ecx, [esi+10h]
		mov	eax, [esi+5Ch]
		sbb	eax, [esi+14h]
		push	0
		push	0Ah
		push	eax
		push	ecx
		call	__aulldiv
		mov	ecx, edx
		mov	[ebp+var_128], eax
		push	ecx
		push	eax
		push	dword ptr [esi+44h]
		mov	[ebp+var_124], ecx
		push	dword ptr [esi+40h]
		push	dword ptr [esi+3Ch]
		push	dword ptr [esi+38h]
		call	_PopCalculateTotalHwDripsResidency@24 ;	PopCalculateTotalHwDripsResidency(x,x,x,x,x,x)
		mov	edi, eax
		mov	ebx, edx
		mov	ecx, edi
		and	ecx, ebx
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_9BE577
		xor	edi, edi
		xor	ebx, ebx

loc_9BE577:				; CODE XREF: PopSleepstudyCaptureResiliencyStatistics(x,x,x,x)+A0j
		add	dword_6D4548, edi
		adc	dword_6D454C, ebx
		mov	eax, [esi+50h]
		sub	eax, [esi+40h]
		mov	ecx, [esi+54h]
		sbb	ecx, [esi+44h]
		add	dword_6D4550, eax
		mov	[ebp+var_120], eax
		adc	dword_6D4554, ecx
		mov	eax, dword_6D6FE4
		mov	[ebp+var_11C], ecx
		test	eax, eax
		jz	short loc_9BE5B6
		lea	ecx, [ebp+var_30]
		push	ecx
		call	eax

loc_9BE5B6:				; CODE XREF: PopSleepstudyCaptureResiliencyStatistics(x,x,x,x)+DDj
		push	0E8h		; size_t
		lea	eax, [ebp+var_118]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, [ebp+var_12C]
		lea	eax, [ebp+var_30]
		lea	ecx, [ebp+var_118]
		push	eax
		push	[ebp+var_11C]
		lea	eax, [ebp+var_140]
		push	[ebp+var_120]
		push	ebx
		push	edi
		push	[ebp+var_124]
		push	[ebp+var_128]
		push	eax
		push	[ebp+arg_0]
		call	_PopDiagTraceCsResiliencyExit@44 ; PopDiagTraceCsResiliencyExit(x,x,x,x,x,x,x,x,x,x,x)
		lea	ecx, [ebp+var_118]
		call	_PopDiagTraceCsResiliencyStats@4 ; PopDiagTraceCsResiliencyStats(x)

loc_9BE610:				; CODE XREF: PopSleepstudyCaptureResiliencyStatistics(x,x,x,x)+58j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopSleepstudyCaptureResiliencyStatistics@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PopSleepstudyCaptureSessionStatistics(int,int,void *)
_PopSleepstudyCaptureSessionStatistics@20 proc near
					; CODE XREF: PopSleepstudyStartNextSession+A6CBDp
					; PopSleepstudyStartNextSession+A6DB9p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, edx
		push	edi
		mov	edi, [ebp+arg_0]
		push	148h		; size_t
		push	0		; int
		push	esi		; void *
		mov	[ebp+var_4], ebx
		mov	_PopWdiCurrentScenario,	ebx
		mov	_PopWdiCurrentScenarioInstanceId, edi
		mov	dword_6C1F7C, ecx
		call	_memset
		add	esp, 0Ch
		push	10h		; size_t
		push	offset _GUID_NULL ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9BE723
		xor	ebx, ebx
		inc	ebx

loc_9BE676:				; CODE XREF: PopSleepstudyCaptureSessionStatistics(x,x,x,x,x)+C8j
		mov	eax, dword_6BF0B0
		sub	eax, ebx
		and	eax, 7
		imul	edi, eax, 60h
		push	0
		push	0Ah
		add	edi, offset dword_6BF0B8
		mov	ecx, [edi+18h]
		sub	ecx, [edi+10h]
		mov	eax, [edi+1Ch]
		sbb	eax, [edi+14h]
		push	eax
		push	ecx
		call	__aulldiv
		mov	ecx, [edi]
		cmp	ecx, 2
		jnz	short loc_9BE6E0
		mov	byte ptr [esi+110h], 1
		mov	[esi+130h], eax
		mov	[esi+134h], edx
		mov	eax, [edi+28h]
		mov	[esi+138h], eax
		mov	eax, [edi+30h]
		mov	[esi+140h], eax
		mov	eax, [edi+2Ch]
		mov	[esi+13Ch], eax
		mov	eax, [edi+34h]
		mov	[esi+144h], eax
		jmp	short loc_9BE6E5
; 

loc_9BE6E0:				; CODE XREF: PopSleepstudyCaptureSessionStatistics(x,x,x,x,x)+84j
		cmp	ecx, 1
		jz	short loc_9BE6ED

loc_9BE6E5:				; CODE XREF: PopSleepstudyCaptureSessionStatistics(x,x,x,x,x)+BDj
		inc	ebx
		cmp	ebx, 2
		jbe	short loc_9BE676
		jmp	short loc_9BE71D
; 

loc_9BE6ED:				; CODE XREF: PopSleepstudyCaptureSessionStatistics(x,x,x,x,x)+C2j
		mov	[esi+118h], eax
		mov	[esi+11Ch], edx
		mov	eax, [edi+28h]
		mov	[esi+120h], eax
		mov	eax, [edi+30h]
		mov	[esi+128h], eax
		mov	eax, [edi+2Ch]
		mov	[esi+124h], eax
		mov	eax, [edi+34h]
		mov	[esi+12Ch], eax

loc_9BE71D:				; CODE XREF: PopSleepstudyCaptureSessionStatistics(x,x,x,x,x)+CAj
		mov	edi, [ebp+arg_0]
		mov	ebx, [ebp+var_4]

loc_9BE723:				; CODE XREF: PopSleepstudyCaptureSessionStatistics(x,x,x,x,x)+4Cj
		cmp	dword_6BF3BC, 0
		jz	short loc_9BE733
		and	dword_6BF3BC, 0

loc_9BE733:				; CODE XREF: PopSleepstudyCaptureSessionStatistics(x,x,x,x,x)+109j
		xor	edx, edx
		mov	ecx, offset _PopSleepstudySessionLock
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, ebx
		push	edi
		call	_PopCaptureSleepStudyStatistics@16 ; PopCaptureSleepStudyStatistics(x,x,x,x)
		mov	eax, dword_6D6FD8
		test	eax, eax
		jz	short loc_9BE762
		mov	ecx, [ebp+arg_4]
		push	ecx
		push	edi
		push	ebx
		call	eax

loc_9BE762:				; CODE XREF: PopSleepstudyCaptureSessionStatistics(x,x,x,x,x)+137j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PopSleepstudySessionLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		pop	edi
		pop	esi
		mov	dword_6BF3BC, eax
		pop	ebx
		leave
		retn	0Ch
_PopSleepstudyCaptureSessionStatistics@20 endp


;  S U B	R O U T	I N E 


; __stdcall PopSleepstudyScenarioStopWorker(x)
_PopSleepstudyScenarioStopWorker@4 proc	near ; DATA XREF: PopSleepstudyInitialize()+48o
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopSleepstudySessionLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		imul	esi, dword_6BF0B0, 60h
		mov	dword_6BF3BC, eax
		mov	_PopSleepstudySessionContext, 0
		add	esi, offset dword_6BF0B8
		call	_PopDiagTraceSleepStudyStop@0 ;	PopDiagTraceSleepStudyStop()
		mov	eax, [esi]
		cmp	eax, 1
		jz	short loc_9BE7DC
		cmp	eax, 2
		jnz	short loc_9BE7E1

loc_9BE7DC:				; CODE XREF: PopSleepstudyScenarioStopWorker(x)+47j
		call	_PopDiagTraceSleepStudyStart@0 ; PopDiagTraceSleepStudyStart()

loc_9BE7E1:				; CODE XREF: PopSleepstudyScenarioStopWorker(x)+4Cj
		cmp	dword_6BF3BC, 0
		jz	short loc_9BE7F1
		and	dword_6BF3BC, 0

loc_9BE7F1:				; CODE XREF: PopSleepstudyScenarioStopWorker(x)+5Aj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		retn	4
_PopSleepstudyScenarioStopWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSleepstudySendWnfNotification(x,	x, x, x)
_PopSleepstudySendWnfNotification@16 proc near
					; CODE XREF: PopSleepstudyStartNextSession+A6C36p
					; PopSleepstudyStartNextSession+A6D32p	...

var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	eax, [ebp+arg_0]
		mov	esi, edx
		push	edi
		lea	edi, [ebp+var_20]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	18h
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PopSleepstudySendWnfNotification@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSleepstudySnapModernStandbySessionData()
_PopSleepstudySnapModernStandbySessionData@0 proc near
					; CODE XREF: PopPowerAggregatorDisengageModernStandby(x)+7Ep

var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		push	8
		xor	eax, eax
		lea	edi, [ebp+var_28]
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopSleepstudySessionLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_28]
		imul	esi, dword_6BF0B0, 60h
		mov	dword_6BF3BC, eax
		call	_PopCalculateIdleInformation@4 ; PopCalculateIdleInformation(x)
		mov	eax, [ebp+var_18]
		mov	dword_6BF100[esi], eax
		mov	eax, [ebp+var_14]
		mov	dword_6BF104[esi], eax
		mov	eax, [ebp+var_20]
		mov	dword_6BF108[esi], eax
		mov	eax, [ebp+var_1C]
		mov	dword_6BF10C[esi], eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_KeQueryInterruptTimePrecise@4 ; KeQueryInterruptTimePrecise(x)
		mov	dword_6BF110[esi], eax
		mov	dword_6BF114[esi], edx
		cmp	dword_6BF3BC, 0
		jz	short loc_9BE8E2
		and	dword_6BF3BC, 0

loc_9BE8E2:				; CODE XREF: PopSleepstudySnapModernStandbySessionData()+8Aj
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		leave
		retn
_PopSleepstudySnapModernStandbySessionData@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerAggregatorDiagTracePdcSleepTransition(x, x,	x, x, x)
_PopPowerAggregatorDiagTracePdcSleepTransition@20 proc near
					; CODE XREF: PopPowerAggregatorNotifyPdcSleepTransition(x,x)+B9p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		movzx	eax, cl
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_4]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_5C], edx
		xor	edx, edx
		push	eax
		push	5
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	ecx, offset _POP_ETW_EVENT_POWER_AGGREGATOR_PDC_SLEEP_TRANSITION
		mov	[ebp+var_8], edx
		pop	edx
		call	PopPowerAggregatorDiagTraceEvent
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PopPowerAggregatorDiagTracePdcSleepTransition@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDeepSleepWatchdogTakeAction(x, x)
_PopDeepSleepWatchdogTakeAction@8 proc near
					; CODE XREF: PopDripsWatchdogDiagnosticWorker(x)+179p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		push	esi
		mov	ebx, edx
		imul	eax, [edi+8], 2710h
		push	eax
		call	_PopPowerSettingPendingUpdateWatchdog@8	; PopPowerSettingPendingUpdateWatchdog(x,x)
		cmp	byte ptr [edi+18h], 0
		mov	edx, [edi+0Ch]	; int
		mov	byte ptr [ebp+var_4], al
		setnz	cl		; int
		push	[ebp+var_4]
		movzx	ecx, cl
		push	ebx
		push	ecx
		push	dword ptr [edi+8]
		mov	ecx, [edi+4]
		call	_PopDiagTraceCsDeepSleepWatchdog@24 ; PopDiagTraceCsDeepSleepWatchdog(x,x,x,x,x,x)
		cmp	byte ptr [edi+18h], 0
		jz	short loc_9BE9C6
		test	bl, 1
		jz	short loc_9BEA0D

loc_9BE9C6:				; CODE XREF: PopDeepSleepWatchdogTakeAction(x,x)+41j
		cmp	_KdDebuggerEnabled, 0
		jz	short loc_9BE9E4
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_9BE9E4
		test	bl, 8
		jz	short loc_9BE9E4
		cmp	dword ptr [edi+10h], 64h
		ja	short loc_9BE9E4
		int	3		; Trap to Debugger

loc_9BE9E4:				; CODE XREF: PopDeepSleepWatchdogTakeAction(x,x)+4Fj
					; PopDeepSleepWatchdogTakeAction(x,x)+58j ...
		test	bl, 4
		jz	short loc_9BEA0D
		cmp	byte ptr [ebp+var_4], 0
		mov	eax, [edi+4]
		push	esi		; int
		push	esi		; int
		push	esi		; int
		push	esi		; int
		push	eax		; int
		push	edi		; int
		jz	short loc_9BE9FC
		push	5
		jmp	short loc_9BE9FE
; 

loc_9BE9FC:				; CODE XREF: PopDeepSleepWatchdogTakeAction(x,x)+78j
		push	4		; int

loc_9BE9FE:				; CODE XREF: PopDeepSleepWatchdogTakeAction(x,x)+7Cj
		push	15Fh		; int
		push	offset ??_C@_1BM@GHLLGMBK@?$AAD?$AAr?$AAi?$AAp?$AAs?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg@NNGAKEGL@ ;	int
		call	_DbgkWerCaptureLiveKernelDump@36 ; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)

loc_9BEA0D:				; CODE XREF: PopDeepSleepWatchdogTakeAction(x,x)+46j
					; PopDeepSleepWatchdogTakeAction(x,x)+69j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopDeepSleepWatchdogTakeAction@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDripsWatchdogInvokeDeviceCallbacks(x, x)
_PopDripsWatchdogInvokeDeviceCallbacks@8 proc near
					; CODE XREF: PopDripsWatchdogCallbackHandler(x,x,x,x,x,x,x,x,x)+140p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], edi
		cmp	[ebx+264h], edi
		jbe	short loc_9BEA77

loc_9BEA34:				; CODE XREF: PopDripsWatchdogInvokeDeviceCallbacks(x,x)+60j
		mov	eax, [ebx+260h]
		mov	eax, [eax+edi*4]
		mov	esi, eax
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_9BEA68
		mov	edi, [ebp+var_4]
		mov	ebx, eax

loc_9BEA4B:				; CODE XREF: PopDripsWatchdogInvokeDeviceCallbacks(x,x)+4Ej
		cmp	dword ptr [esi+28h], 0
		jz	short loc_9BEA5B
		push	edi
		mov	edx, ebx
		mov	ecx, esi
		call	_PopFxInvokeDripsWatchdogCallback@12 ; PopFxInvokeDripsWatchdogCallback(x,x,x)

loc_9BEA5B:				; CODE XREF: PopDripsWatchdogInvokeDeviceCallbacks(x,x)+3Dj
		mov	esi, [esi+8]
		test	esi, esi
		jnz	short loc_9BEA4B
		mov	edi, [ebp+var_8]
		mov	ebx, [ebp+var_10]

loc_9BEA68:				; CODE XREF: PopDripsWatchdogInvokeDeviceCallbacks(x,x)+32j
		inc	edi
		mov	[ebp+var_8], edi
		cmp	edi, [ebx+264h]
		jb	short loc_9BEA34
		mov	eax, [ebp+var_4]

loc_9BEA77:				; CODE XREF: PopDripsWatchdogInvokeDeviceCallbacks(x,x)+20j
		mov	edi, [ebx+1Ch]
		mov	esi, edi
		test	edi, edi
		jz	short loc_9BEA9A

loc_9BEA80:				; CODE XREF: PopDripsWatchdogInvokeDeviceCallbacks(x,x)+86j
		cmp	dword ptr [esi+28h], 0
		jz	short loc_9BEA90
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	_PopFxInvokeDripsWatchdogCallback@12 ; PopFxInvokeDripsWatchdogCallback(x,x,x)

loc_9BEA90:				; CODE XREF: PopDripsWatchdogInvokeDeviceCallbacks(x,x)+72j
		mov	esi, [esi+8]
		mov	eax, [ebp+var_4]
		test	esi, esi
		jnz	short loc_9BEA80

loc_9BEA9A:				; CODE XREF: PopDripsWatchdogInvokeDeviceCallbacks(x,x)+6Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PopDripsWatchdogInvokeDeviceCallbacks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDripsWatchdogTakeAction(x, x, x)
_PopDripsWatchdogTakeAction@12 proc near
					; CODE XREF: PopDripsWatchdogDiagnosticWorker(x)+15Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		push	esi
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_20], esi
		mov	ebx, edx
		mov	[ebp+var_1C], esi
		imul	eax, [edi+8], 2710h
		mov	[ebp+var_10], esi
		mov	[ebp+var_14], esi
		push	eax
		call	_PopFxBuildDripsBlockingDeviceList@12 ;	PopFxBuildDripsBlockingDeviceList(x,x,x)
		test	eax, eax
		js	loc_9BED00
		mov	ecx, [ebp+var_20]
		lea	eax, [ebp+var_20]
		cmp	ecx, eax
		mov	[ebp+var_C], ecx
		lea	edx, [ebp+var_20]
		setnz	al
		mov	[ebp+var_4], eax
		cmp	ecx, edx
		jz	loc_9BEB88

loc_9BEAF1:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+E0j
		mov	edx, [ecx-238h]
		mov	eax, [ecx+10h]
		add	edx, 1Ch
		mov	[ebp+var_18], edx
		test	eax, eax
		jnz	short loc_9BEB2C
		push	[ebp+arg_0]
		cmp	[edi+18h], al
		mov	ecx, [edi]
		push	esi
		push	esi
		push	edx
		mov	edx, [edi+0Ch]
		setnz	al
		push	ebx
		push	1
		push	dword ptr [edi+14h]
		movzx	eax, al
		push	eax
		push	dword ptr [edi+8]
		call	_PopDiagTraceCsDripsWatchdog@44	; PopDiagTraceCsDripsWatchdog(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_C]
		jmp	short loc_9BEB75
; 

loc_9BEB2C:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+63j
		mov	[ebp+var_8], esi
		test	eax, eax
		jz	short loc_9BEB75

loc_9BEB33:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+D4j
		push	[ebp+arg_0]
		mov	eax, [ecx+0Ch]
		mov	ecx, [ebp+var_8]
		push	esi
		mov	eax, [eax+ecx*4]
		mov	ecx, [edi]
		add	eax, 1Ch
		cmp	byte ptr [edi+18h], 0
		push	eax
		push	edx
		mov	edx, [edi+0Ch]
		setnz	al
		push	ebx
		push	1
		push	dword ptr [edi+14h]
		movzx	eax, al
		push	eax
		push	dword ptr [edi+8]
		call	_PopDiagTraceCsDripsWatchdog@44	; PopDiagTraceCsDripsWatchdog(x,x,x,x,x,x,x,x,x,x,x)
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		inc	eax
		mov	edx, [ebp+var_18]
		mov	[ebp+var_8], eax
		cmp	eax, [ecx+10h]
		jb	short loc_9BEB33

loc_9BEB75:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+8Bj
					; PopDripsWatchdogTakeAction(x,x,x)+92j
		mov	ecx, [ecx]
		lea	eax, [ebp+var_20]
		mov	[ebp+var_C], ecx
		cmp	ecx, eax
		jnz	loc_9BEAF1
		mov	eax, [ebp+var_4]

loc_9BEB88:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+4Cj
		test	al, al
		jnz	short loc_9BEBC8
		imul	eax, [edi+8], 2710h
		lea	edx, [ebp+var_14]
		push	esi
		lea	ecx, [ebp+var_10]
		push	eax
		call	_PpmIdlePrevetoWatchdog@16 ; PpmIdlePrevetoWatchdog(x,x,x,x)
		push	[ebp+arg_0]
		cmp	byte ptr [edi+18h], 0
		push	[ebp+var_10]
		mov	edx, [edi+0Ch]
		setnz	al
		mov	ecx, [edi]
		push	esi
		push	esi
		push	ebx
		push	esi
		push	dword ptr [edi+14h]
		movzx	eax, al
		push	eax
		push	dword ptr [edi+8]
		call	_PopDiagTraceCsDripsWatchdog@44	; PopDiagTraceCsDripsWatchdog(x,x,x,x,x,x,x,x,x,x,x)
		mov	eax, [ebp+var_4]

loc_9BEBC8:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+EBj
		mov	cl, [edi+18h]
		test	cl, cl
		jz	short loc_9BEBD8
		test	bl, 1
		jz	loc_9BECF8

loc_9BEBD8:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+12Ej
		test	bl, 2
		jz	short loc_9BEBF3
		mov	edx, [edi+0Ch]
		push	ebx
		push	eax
		push	dword ptr [edi+14h]
		movzx	eax, cl
		mov	ecx, [edi]
		push	eax
		push	dword ptr [edi+8]
		call	_PopDiagTraceCsDripsWatchdogPerfTrack@28 ; PopDiagTraceCsDripsWatchdogPerfTrack(x,x,x,x,x,x,x)

loc_9BEBF3:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+13Cj
		cmp	byte ptr [ebp+var_4], 0
		jz	short loc_9BEC1D
		mov	ecx, [ebp+var_20]
		add	ecx, 0FFFFFDACh
		mov	[ebp+var_8], ecx
		lea	eax, [ecx+254h]
		lea	edx, [ecx+1Ch]
		mov	[ebp+var_C], eax
		cmp	[eax+10h], esi
		jz	short loc_9BEC19
		mov	edx, [eax+0Ch]

loc_9BEC19:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+175j
		mov	edx, [edx]
		jmp	short loc_9BEC29
; 

loc_9BEC1D:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+158j
		mov	ecx, esi
		mov	[ebp+var_C], esi
		mov	edx, esi
		mov	[ebp+var_8], ecx
		mov	eax, esi

loc_9BEC29:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+17Cj
		cmp	_KdDebuggerEnabled, 0
		mov	[ebp+arg_0], edx
		jz	short loc_9BEC9D
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_9BEC9D
		test	bl, 8
		jz	short loc_9BEC79
		cmp	dword ptr [edi+10h], 64h
		ja	short loc_9BEC4A
		int	3		; Trap to Debugger

loc_9BEC4A:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+1A8j
					; PopDripsWatchdogTakeAction(x,x,x)+1DEj ...
		call	_PopDeviceConstraintsEnforced@0	; PopDeviceConstraintsEnforced()
		test	al, al
		jz	loc_9BECF8
		test	bl, 4
		jz	loc_9BECF8
		cmp	byte ptr [ebp+var_4], 0
		jz	short loc_9BECC8
		mov	eax, [ebp+var_C]
		push	esi
		push	esi
		push	esi
		push	[ebp+arg_0]
		push	dword ptr [eax+8]
		push	[ebp+var_8]
		push	2
		jmp	short loc_9BECE9
; 

loc_9BEC79:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+1A2j
		cmp	byte ptr [ebp+var_4], 0
		jz	short loc_9BEC4A
		test	bl, 40h
		jz	short loc_9BEC88
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	short loc_9BEC4A
; 

loc_9BEC88:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+1E3j
		test	bl, 20h
		jz	short loc_9BEC4A
		push	edx
		push	dword ptr [eax+8]
		mov	edx, ecx

loc_9BEC93:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+227j
		mov	ecx, 619h
		call	_PopFxBugCheck@16 ; PopFxBugCheck(x,x,x,x)

loc_9BEC9D:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+194j
					; PopDripsWatchdogTakeAction(x,x,x)+19Dj
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jnz	short loc_9BECAF
		call	_PopCheckTestsigningEnabled@0 ;	PopCheckTestsigningEnabled()
		test	al, al
		jz	short loc_9BEC4A

loc_9BECAF:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+205j
		cmp	byte ptr [ebp+var_4], 0
		jz	short loc_9BEC4A
		test	bl, 20h
		jz	short loc_9BEC4A
		mov	eax, [ebp+var_C]
		push	[ebp+arg_0]
		mov	edx, [ebp+var_8]
		push	dword ptr [eax+8]
		jmp	short loc_9BEC93
; 

loc_9BECC8:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+1C5j
		mov	ecx, [ebp+var_10] ; int
		test	ecx, ecx
		jz	short loc_9BECF8
		mov	eax, _PopFxProcessorPlugin
		test	eax, eax
		jz	short loc_9BECDD
		mov	eax, [eax+44h]
		jmp	short loc_9BECDF
; 

loc_9BECDD:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+237j
		mov	eax, esi

loc_9BECDF:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+23Cj
		push	esi		; int
		push	esi		; int
		push	esi		; int
		push	eax		; int
		push	[ebp+var_14]	; int
		push	ecx		; int
		push	3		; int

loc_9BECE9:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+1D8j
		push	15Fh		; int
		push	offset ??_C@_1BM@GHLLGMBK@?$AAD?$AAr?$AAi?$AAp?$AAs?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg@NNGAKEGL@ ;	int
		call	_DbgkWerCaptureLiveKernelDump@36 ; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)

loc_9BECF8:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+133j
					; PopDripsWatchdogTakeAction(x,x,x)+1B2j ...
		lea	ecx, [ebp+var_20]
		call	_PopFxDestroyDripsBlockingDeviceList@4 ; PopFxDestroyDripsBlockingDeviceList(x)

loc_9BED00:				; CODE XREF: PopDripsWatchdogTakeAction(x,x,x)+30j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PopDripsWatchdogTakeAction@12 endp


;  S U B	R O U T	I N E 


; __stdcall PopRecordPoBlackboxInformation()
_PopRecordPoBlackboxInformation@0 proc near ; CODE XREF: PopPowerButtonWorkCallback(x)+15Dp
		mov	edi, edi
		push	ecx
		call	_PopRecordPoIrpBlackboxInformation@0 ; PopRecordPoIrpBlackboxInformation()
		call	_PopRecordPepWorkorderBlackboxInformation@0 ; PopRecordPepWorkorderBlackboxInformation()
		call	_PopRecordPowerWatchdogBlackboxInformation@0 ; PopRecordPowerWatchdogBlackboxInformation()
		pop	ecx
		retn
_PopRecordPoBlackboxInformation@0 endp


;  S U B	R O U T	I N E 


; __stdcall SshpAddBlockerDataToCache(x, x)
_SshpAddBlockerDataToCache@8 proc near	; CODE XREF: SshpSendSessionData()+135p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	eax, [esi+8]
		cmp	eax, 10h
		jb	short loc_9BED34
		call	_SshpFlushBlockerDataCache@4 ; SshpFlushBlockerDataCache(x)
		mov	eax, [esi+8]

loc_9BED34:				; CODE XREF: SshpAddBlockerDataToCache(x,x)+Fj
		inc	eax
		imul	edi, eax, 0Ch
		lea	eax, [esi+4]
		add	eax, edi
		push	eax
		mov	[edi+esi], ebx
		and	dword ptr [eax], 0
		and	dword ptr [eax+4], 0
		push	dword ptr [ebx+8]
		call	dword ptr [ebx+0Ch]
		test	eax, eax
		js	short loc_9BED59
		inc	dword ptr [esi+8]

loc_9BED55:				; CODE XREF: SshpAddBlockerDataToCache(x,x)+44j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_9BED59:				; CODE XREF: SshpAddBlockerDataToCache(x,x)+35j
		mov	ecx, [edi+esi+8]
		test	ecx, ecx
		jz	short loc_9BED55
		mov	edx, [esi]
		pop	edi
		pop	esi
		pop	ebx
		jmp	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
_SshpAddBlockerDataToCache@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SshpFlushBlockerDataCache(x)
_SshpFlushBlockerDataCache@4 proc near	; CODE XREF: SshpAddBlockerDataToCache(x,x)+11p
					; SshpSendSessionData()+158p

var_548		= dword	ptr -548h
var_544		= dword	ptr -544h
var_540		= dword	ptr -540h
var_53C		= dword	ptr -53Ch
var_535		= dword	ptr -535h
var_530		= dword	ptr -530h
var_52C		= dword	ptr -52Ch
var_528		= dword	ptr -528h
var_524		= dword	ptr -524h
var_520		= dword	ptr -520h
var_51C		= dword	ptr -51Ch
var_518		= dword	ptr -518h
var_514		= dword	ptr -514h
var_510		= dword	ptr -510h
var_50C		= dword	ptr -50Ch
var_508		= dword	ptr -508h
var_504		= dword	ptr -504h
var_500		= dword	ptr -500h
var_4FC		= dword	ptr -4FCh
var_4F8		= dword	ptr -4F8h
var_4F4		= dword	ptr -4F4h
var_4F0		= dword	ptr -4F0h
var_4EC		= dword	ptr -4ECh
var_4E8		= dword	ptr -4E8h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 548h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	edx, edx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_540], edx
		push	edi
		mov	byte ptr [ebp+var_535],	dl
		mov	[ebp+var_544], edx
		cmp	_SshpTraceHandleRegistered, dl
		jz	loc_9BEF53
		mov	edi, [ebx+8]
		test	edi, edi
		jz	loc_9BEF53
		mov	eax, edx
		mov	ecx, edx
		mov	[ebp+var_548], eax
		mov	[ebp+var_53C], eax
		push	esi

loc_9BEDC0:				; CODE XREF: SshpFlushBlockerDataCache(x)+14Fj
		imul	esi, eax, 5
		lea	ecx, [ebx+4]
		add	esi, 2
		inc	eax
		imul	edx, eax, 0Ch
		add	esi, esi
		add	edx, ebx
		mov	eax, [edx]
		movzx	eax, word ptr [eax]
		shr	eax, 1
		mov	[ebp+var_540], eax
		movzx	eax, word ptr [edx+4]
		mov	[ebp+esi*8+var_535+1], ecx
		lea	ecx, [ebp+var_540]
		mov	[ebp+esi*8+var_52C], 10h
		shr	eax, 1
		mov	[ebp+var_544], eax
		xor	eax, eax
		mov	[ebp+esi*8+var_530], eax
		mov	[ebp+esi*8+var_528], eax
		mov	[ebp+esi*8+var_520], eax
		mov	[ebp+esi*8+var_518], eax
		mov	[ebp+esi*8+var_524], ecx
		mov	[ebp+esi*8+var_51C], 4
		mov	eax, [edx]
		movzx	ecx, word ptr [eax]
		mov	eax, [eax+4]
		mov	[ebp+esi*8+var_514], eax
		xor	eax, eax
		mov	[ebp+esi*8+var_50C], ecx
		lea	ecx, [ebp+var_544]
		mov	[ebp+esi*8+var_510], eax
		mov	[ebp+esi*8+var_508], eax
		mov	[ebp+esi*8+var_500], eax
		mov	[ebp+esi*8+var_4F8], eax
		mov	[ebp+esi*8+var_504], ecx
		mov	[ebp+esi*8+var_4FC], 4
		movzx	ecx, word ptr [edx+4]
		mov	eax, [edx+8]
		xor	edx, edx
		mov	[ebp+esi*8+var_4F4], eax
		mov	eax, [ebp+var_548]
		inc	eax
		mov	[ebp+esi*8+var_4EC], ecx
		mov	[ebp+esi*8+var_4F0], edx
		mov	ecx, eax
		mov	[ebp+esi*8+var_4E8], edx
		mov	[ebp+var_548], eax
		mov	[ebp+var_53C], eax
		cmp	eax, edi
		jb	loc_9BEDC0
		mov	al, byte ptr _SshpSessionId
		mov	byte ptr [ebp+var_535],	al
		lea	eax, [ebp+var_535]
		mov	[ebp+var_535+1], eax
		lea	eax, [ebp+var_53C]
		mov	[ebp+var_524], eax
		imul	eax, edi, 50h
		mov	[ebp+var_530], edx
		mov	[ebp+var_52C], 1
		mov	[ebp+var_528], edx
		mov	[ebp+var_520], edx
		mov	[ebp+var_51C], 4
		mov	[ebp+var_518], edx
		pop	esi
		mov	[ebp+eax+var_514], offset _SshpSessionId
		mov	[ebp+eax+var_510], edx
		mov	[ebp+eax+var_50C], 8
		mov	[ebp+eax+var_508], edx
		lea	eax, [ebp+var_535+1]
		push	eax
		imul	eax, ecx, 5
		add	eax, 3
		push	eax
		push	ecx
		push	ecx
		mov	ecx, offset _SLEEPSTUDY_EVT_SCENARIO_BLOCKER_DATA
		call	_SSHSupportEtwWrite@24 ; SSHSupportEtwWrite(x,x,x,x,x,x)
		xor	edx, edx

loc_9BEF53:				; CODE XREF: SshpFlushBlockerDataCache(x)+33j
					; SshpFlushBlockerDataCache(x)+3Ej
		mov	eax, edx
		mov	[ebp+var_53C], eax
		cmp	[ebx+8], edx
		jbe	short loc_9BEF89

loc_9BEF60:				; CODE XREF: SshpFlushBlockerDataCache(x)+21Aj
		mov	edx, [ebx]
		inc	eax
		imul	edi, eax, 0Ch
		add	edi, ebx
		mov	ecx, [edi+8]
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		xor	eax, eax
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_53C]
		inc	eax
		mov	[ebp+var_53C], eax
		cmp	eax, [ebx+8]
		jb	short loc_9BEF60
		xor	edx, edx

loc_9BEF89:				; CODE XREF: SshpFlushBlockerDataCache(x)+1F3j
		mov	ecx, [ebp+var_4]
		pop	edi
		mov	[ebx+8], edx
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SshpFlushBlockerDataCache@4 endp


;  S U B	R O U T	I N E 


; __stdcall SshpFreeDataEntry(x)
_SshpFreeDataEntry@4 proc near		; CODE XREF: SleepstudyHelperCreateBlockerData(x,x,x,x,x)+149p
					; SleepstudyHelperDestroyBlockerData(x)+Fp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		mov	ecx, [esi+8]
		add	ecx, 8
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_9BEFFC
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_9BEFFC
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	ecx, [esi+8]
		add	ecx, 8
		call	SSHSupportReleasePushLockExclusive
		xor	ebx, ebx
		cmp	[esi+20h], ebx
		jbe	short loc_9BEFEC
		lea	edi, [esi+28h]

loc_9BEFD6:				; CODE XREF: SshpFreeDataEntry(x)+50j
		mov	edx, [esi+8]
		mov	ecx, [edi]
		mov	edx, [edx+0Ch]
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		inc	ebx
		lea	edi, [edi+10h]
		cmp	ebx, [esi+20h]
		jb	short loc_9BEFD6

loc_9BEFEC:				; CODE XREF: SshpFreeDataEntry(x)+37j
		mov	edx, [esi+8]
		mov	ecx, esi
		mov	edx, [edx+0Ch]
		pop	edi
		pop	esi
		pop	ebx
		jmp	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
; 

loc_9BEFFC:				; CODE XREF: SshpFreeDataEntry(x)+19j
					; SshpFreeDataEntry(x)+20j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_SshpFreeDataEntry@4 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SshpSendSessionData()
_SshpSendSessionData@0 proc near	; CODE XREF: SshpWnfCallback(x,x,x,x,x,x)+5Fp

var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0CCh		; size_t
		lea	eax, [ebp+var_D8]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_E0]
		xor	edx, edx
		mov	[ebp+var_DC], eax
		mov	ecx, offset _SshpLibraryListLock
		mov	[ebp+var_E0], eax
		call	ExAcquirePushLockExclusiveEx
		call	_SSHSupportQueryInterruptTime@0	; SSHSupportQueryInterruptTime()
		sub	eax, _SshpSessionStartTime
		mov	ecx, edx
		mov	edi, _SshpLibraryList
		sbb	ecx, dword_6BEF8C
		mov	[ebp+var_EC], eax
		mov	[ebp+var_E8], ecx
		jmp	loc_9BF168
; 

loc_9BF077:				; CODE XREF: SshpSendSessionData()+173j
		lea	ecx, [edi+8]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+0Ch]
		mov	[ebp+var_D8], eax
		lea	eax, [edi+14h]
		mov	esi, [eax]
		jmp	short loc_9BF0F5
; 

loc_9BF091:				; CODE XREF: SshpSendSessionData()+F6j
		push	[ebp+var_E8]
		mov	ecx, [esi+44h]
		mov	ebx, esi
		push	[ebp+var_EC]
		call	_SshpWriteBlocker@12 ; SshpWriteBlocker(x,x,x)
		mov	ecx, [esi+44h]
		call	_SshpQueryBlockerPendingDelete@4 ; SshpQueryBlockerPendingDelete(x)
		test	al, al
		jz	short loc_9BF0F0
		mov	eax, [ebx]
		lea	ecx, [esi+4]
		mov	esi, [ecx]
		cmp	[eax+4], ebx
		jnz	loc_9BF1EB
		cmp	[esi], ebx
		jnz	loc_9BF1EB
		mov	[esi], eax
		lea	edx, [ebp+var_E0]
		mov	[eax+4], esi
		mov	eax, [ebp+var_DC]
		cmp	[eax], edx
		jnz	loc_9BF1EB
		mov	[ebx], edx
		mov	[ecx], eax
		mov	[eax], ebx
		mov	[ebp+var_DC], ebx

loc_9BF0F0:				; CODE XREF: SshpSendSessionData()+B0j
		mov	esi, [esi]
		lea	eax, [edi+14h]

loc_9BF0F5:				; CODE XREF: SshpSendSessionData()+8Ej
		cmp	esi, eax
		jnz	short loc_9BF091
		push	10h		; size_t
		push	offset _GUID_SPM_LOW_POWER_CS ;	void *
		push	offset _SshpSessionGuid	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9BF15E
		lea	ebx, [edi+1Ch]
		mov	esi, [ebx]
		jmp	short loc_9BF14F
; 

loc_9BF118:				; CODE XREF: SshpSendSessionData()+150j
		and	[ebp+var_F0], 0
		cmp	dword ptr [esi+20h], 0
		jbe	short loc_9BF14D
		mov	ebx, [ebp+var_F0]
		lea	edi, [esi+24h]

loc_9BF12E:				; CODE XREF: SshpSendSessionData()+141j
		mov	edx, edi
		lea	ecx, [ebp+var_D8]
		call	_SshpAddBlockerDataToCache@8 ; SshpAddBlockerDataToCache(x,x)
		inc	ebx
		add	edi, 10h
		cmp	ebx, [esi+20h]
		jb	short loc_9BF12E
		mov	edi, [ebp+var_E4]
		lea	ebx, [edi+1Ch]

loc_9BF14D:				; CODE XREF: SshpSendSessionData()+122j
		mov	esi, [esi]

loc_9BF14F:				; CODE XREF: SshpSendSessionData()+115j
		cmp	esi, ebx
		jnz	short loc_9BF118
		lea	ecx, [ebp+var_D8]
		call	_SshpFlushBlockerDataCache@4 ; SshpFlushBlockerDataCache(x)

loc_9BF15E:				; CODE XREF: SshpSendSessionData()+10Ej
		lea	ecx, [edi+8]
		call	SSHSupportReleasePushLockExclusive
		mov	edi, [edi]

loc_9BF168:				; CODE XREF: SshpSendSessionData()+71j
		mov	[ebp+var_E4], edi
		cmp	edi, offset _SshpLibraryList
		jnz	loc_9BF077
		mov	ecx, offset _SshpLibraryListLock
		call	SSHSupportReleasePushLockExclusive

loc_9BF184:				; CODE XREF: SshpSendSessionData()+1E8j
		mov	esi, [ebp+var_E0]
		lea	eax, [ebp+var_E0]
		cmp	esi, eax
		jz	short loc_9BF1F0
		cmp	[esi+4], eax
		jnz	short loc_9BF1EB
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_9BF1EB
		mov	[ebp+var_E0], eax
		lea	ecx, [ebp+var_E0]
		mov	[eax+4], ecx
		xor	edx, edx
		mov	edi, [esi+14h]
		shl	edi, 4
		add	edi, offset _SshpBlockerCollections
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [esi+8]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_9BF1EB
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_9BF1EB
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, edi
		call	SSHSupportReleasePushLockExclusive
		mov	ecx, [esi+44h]
		call	SshpDereferenceBlocker
		jmp	short loc_9BF184
; 

loc_9BF1EB:				; CODE XREF: SshpSendSessionData()+BCj
					; SshpSendSessionData()+C4j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9BF1F0:				; CODE XREF: SshpSendSessionData()+191j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SshpSendSessionData@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelperCreateBlockerFromComponent(x, x, x,	x, x)
_SleepstudyHelperCreateBlockerFromComponent@20 proc near ; DATA	XREF: .data:006B35CCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		test	esi, esi
		jz	loc_9BF296
		cmp	[ebp+arg_4], ebx
		jz	short loc_9BF296
		cmp	[ebp+arg_8], ebx
		jz	short loc_9BF296
		cmp	[ebp+arg_10], ebx
		jz	short loc_9BF296
		mov	eax, [esi+0Ch]
		push	eax
		push	38h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9BF23C
		mov	esi, 0C000009Ah
		jmp	short loc_9BF2A5
; 

loc_9BF23C:				; CODE XREF: SleepstudyHelperCreateBlockerFromComponent(x,x,x,x,x)+34j
		push	edi
		push	38h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+arg_8]
		lea	edi, [ebx+8]
		mov	[ebx], esi
		add	esp, 0Ch
		mov	esi, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		cdq
		movsd
		movsd
		movsd
		movsd
		mov	[ebx+18h], eax
		mov	eax, [ebp+arg_C]
		mov	[ebx+24h], eax
		lea	eax, [ebx+28h]
		push	eax
		mov	eax, [ebp+arg_0]
		mov	[ebx+1Ch], edx
		lea	edx, [ebp+arg_C]
		mov	dword ptr [ebx+20h], 0CCCCh
		mov	byte ptr [ebx+34h], 1
		push	dword ptr [eax+0Ch]
		call	_SshpGenerateDeviceFriendlyName@16 ; SshpGenerateDeviceFriendlyName(x,x,x,x)
		mov	esi, eax
		pop	edi
		test	esi, esi
		js	short loc_9BF29B
		mov	eax, [ebp+arg_10]
		xor	esi, esi
		mov	[eax], ebx
		jmp	short loc_9BF2A5
; 

loc_9BF296:				; CODE XREF: SleepstudyHelperCreateBlockerFromComponent(x,x,x,x,x)+Ej
					; SleepstudyHelperCreateBlockerFromComponent(x,x,x,x,x)+17j ...
		mov	esi, 0C000000Dh

loc_9BF29B:				; CODE XREF: SleepstudyHelperCreateBlockerFromComponent(x,x,x,x,x)+8Cj
		test	ebx, ebx
		jz	short loc_9BF2A5
		push	ebx
		call	SleepstudyHelperDestroyBlockerBuilder

loc_9BF2A5:				; CODE XREF: SleepstudyHelperCreateBlockerFromComponent(x,x,x,x,x)+3Bj
					; SleepstudyHelperCreateBlockerFromComponent(x,x,x,x,x)+95j ...
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
_SleepstudyHelperCreateBlockerFromComponent@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelperCreateBlockerFromDevice(x, x, x, x)
_SleepstudyHelperCreateBlockerFromDevice@16 proc near
					; CODE XREF: SleepstudyHelper_RegisterPdoWithParentGuid(x,x,x,x,x,x,x)+44p
					; SleepstudyHelper_RegisterPdoWithParentHandle(x,x,x,x)+5Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		test	esi, esi
		jz	short loc_9BF332
		cmp	[ebp+arg_4], ebx
		jz	short loc_9BF332
		cmp	[ebp+arg_8], ebx
		jz	short loc_9BF332
		cmp	[ebp+arg_C], ebx
		jz	short loc_9BF332
		mov	eax, [esi+0Ch]
		push	eax
		push	38h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9BF2E8
		mov	esi, 0C000009Ah
		jmp	short loc_9BF341
; 

loc_9BF2E8:				; CODE XREF: SleepstudyHelperCreateBlockerFromDevice(x,x,x,x)+32j
		push	38h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+arg_8]
		lea	edi, [ebx+8]
		mov	[ebx], esi
		add	esp, 0Ch
		mov	esi, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		cdq
		movsd
		movsd
		movsd
		movsd
		mov	[ebx+18h], eax
		lea	eax, [ebx+28h]
		push	eax
		mov	eax, [ebp+arg_0]
		mov	[ebx+1Ch], edx
		xor	edx, edx
		mov	byte ptr [ebx+34h], 1
		push	dword ptr [eax+0Ch]
		call	_SshpGenerateDeviceFriendlyName@16 ; SshpGenerateDeviceFriendlyName(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9BF337
		mov	eax, [ebp+arg_C]
		xor	esi, esi
		mov	[eax], ebx
		jmp	short loc_9BF341
; 

loc_9BF332:				; CODE XREF: SleepstudyHelperCreateBlockerFromDevice(x,x,x,x)+10j
					; SleepstudyHelperCreateBlockerFromDevice(x,x,x,x)+15j	...
		mov	esi, 0C000000Dh

loc_9BF337:				; CODE XREF: SleepstudyHelperCreateBlockerFromDevice(x,x,x,x)+7Aj
		test	ebx, ebx
		jz	short loc_9BF341
		push	ebx
		call	SleepstudyHelperDestroyBlockerBuilder

loc_9BF341:				; CODE XREF: SleepstudyHelperCreateBlockerFromDevice(x,x,x,x)+39j
					; SleepstudyHelperCreateBlockerFromDevice(x,x,x,x)+83j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	10h
_SleepstudyHelperCreateBlockerFromDevice@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SshpGenerateDeviceFriendlyName(x, x, x, x)
_SshpGenerateDeviceFriendlyName@16 proc	near
					; CODE XREF: SleepstudyHelperCreateBlockerFromComponent(x,x,x,x,x)+82p
					; SleepstudyHelperCreateBlockerFromDevice(x,x,x,x)+71p	...

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx+0B0h]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		xor	esi, esi
		mov	[ebp+var_64], edx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_50], esi
		mov	eax, [eax+14h]
		mov	[ebp+var_68], ecx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], esi
		mov	[ebp+var_54], esi
		mov	[ebp+var_58], eax
		push	edi
		test	eax, eax
		jnz	short loc_9BF397
		mov	esi, 0C000000Dh
		jmp	loc_9BF514
; 

loc_9BF397:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+40j
		lea	eax, [ebp+var_50]
		push	eax
		push	esi
		push	esi
		push	esi
		push	ecx
		call	IoGetDeviceProperty
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_9BF3C8
		mov	edi, [ebp+var_50]
		cmp	edi, 0FFFFh
		jbe	short loc_9BF3C3

loc_9BF3B9:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+EDj
		mov	esi, 80000005h
		jmp	loc_9BF511
; 

loc_9BF3C3:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+6Cj
		add	edi, 4
		jmp	short loc_9BF3D6
; 

loc_9BF3C8:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+61j
		cmp	esi, 0C0000034h
		jnz	loc_9BF508
		xor	edi, edi

loc_9BF3D6:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+7Bj
		mov	eax, [ebp+var_58]
		add	eax, 48h
		mov	[ebp+var_58], eax
		movzx	eax, word ptr [eax]
		add	edi, eax
		mov	eax, [ebp+var_64]
		test	eax, eax
		jz	short loc_9BF421
		lea	ecx, [ebp+var_48]
		mov	[ebp+var_5C], ecx
		xor	ecx, ecx
		push	40h
		mov	word ptr [ebp+var_60], cx
		pop	ecx
		push	dword ptr [eax]	; char
		lea	eax, [ebp+var_60]
		mov	word ptr [ebp+var_60+2], cx
		push	offset ??_C@_1M@DPFIGAIG@?$AA?5?$AA?$CI?$AA?$CF?$AAd?$AA?$CJ@NNGAKEGL@ ; " "
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		mov	esi, eax
		add	esp, 0Ch
		test	esi, esi
		js	loc_9BF511
		movzx	eax, word ptr [ebp+var_60]
		add	edi, eax

loc_9BF421:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+9Ej
		test	edi, edi
		jnz	short loc_9BF42F
		mov	esi, 0C000000Dh
		jmp	loc_9BF511
; 

loc_9BF42F:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+D8j
		add	edi, 2
		cmp	edi, 0FFFFh
		jnb	loc_9BF3B9
		push	[ebp+var_4C]
		lea	eax, [edi+edi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_54], esi
		test	esi, esi
		jnz	short loc_9BF45F
		mov	esi, 0C000009Ah
		jmp	loc_9BF511
; 

loc_9BF45F:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+108j
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+var_50], 0
		jz	short loc_9BF4B3
		lea	eax, [ebp+var_50]
		push	eax
		push	esi
		push	[ebp+var_50]
		push	0
		push	[ebp+var_68]
		call	IoGetDeviceProperty
		mov	esi, eax
		test	esi, esi
		js	loc_9BF511
		mov	edx, [ebp+var_54]
		push	ecx
		push	ecx
		mov	ecx, ebx
		call	RtlUnicodeStringInitWorker
		mov	esi, eax
		mov	[ebx+2], di
		test	esi, esi
		js	short loc_9BF511
		mov	edx, offset ??_C@_15CMBHNMLL@?$AA?5?$AA?$CI@NNGAKEGL@ ;	" ("
		mov	ecx, ebx
		call	_RtlUnicodeStringCatString@8 ; RtlUnicodeStringCatString(x,x)
		mov	esi, eax
		jmp	short loc_9BF4C4
; 

loc_9BF4B3:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+124j
		push	ecx
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	RtlUnicodeStringInitWorker
		mov	[ebx+2], di
		xor	esi, esi

loc_9BF4C4:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+166j
		test	esi, esi
		js	short loc_9BF511
		mov	edx, [ebp+var_58]
		mov	ecx, ebx
		call	_RtlUnicodeStringCat@8 ; RtlUnicodeStringCat(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9BF511
		cmp	[ebp+var_50], 0
		jz	short loc_9BF4EC
		mov	edx, offset ??_C@_13DIBMAFH@?$AA?$CJ@NNGAKEGL@
		mov	ecx, ebx
		call	_RtlUnicodeStringCatString@8 ; RtlUnicodeStringCatString(x,x)
		mov	esi, eax

loc_9BF4EC:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+191j
		test	esi, esi
		js	short loc_9BF511
		cmp	[ebp+var_64], 0
		jz	short loc_9BF502
		lea	edx, [ebp+var_60]
		mov	ecx, ebx
		call	_RtlUnicodeStringCat@8 ; RtlUnicodeStringCat(x,x)
		mov	esi, eax

loc_9BF502:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+1A9j
		test	esi, esi
		js	short loc_9BF511
		xor	esi, esi

loc_9BF508:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+83j
		xor	edx, edx
		mov	[ebp+var_54], edx
		test	esi, esi
		jns	short loc_9BF529

loc_9BF511:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+73j
					; SshpGenerateDeviceFriendlyName(x,x,x,x)+CAj ...
		mov	edx, [ebp+var_4C]

loc_9BF514:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+47j
		and	dword ptr [ebx], 0
		and	dword ptr [ebx+4], 0
		mov	ebx, [ebp+var_54]
		test	ebx, ebx
		jz	short loc_9BF529
		mov	ecx, ebx
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)

loc_9BF529:				; CODE XREF: SshpGenerateDeviceFriendlyName(x,x,x,x)+1C4j
					; SshpGenerateDeviceFriendlyName(x,x,x,x)+1D5j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_SshpGenerateDeviceFriendlyName@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelper_GetPdoFriendlyName(x, x)
_SleepstudyHelper_GetPdoFriendlyName@8 proc near ; DATA	XREF: .data:006B3638o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		push	6C687373h
		call	_SshpGenerateDeviceFriendlyName@16 ; SshpGenerateDeviceFriendlyName(x,x,x,x)
		pop	ebp
		retn	8
_SleepstudyHelper_GetPdoFriendlyName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelper_Initialize(x, x)
_SleepstudyHelper_Initialize@8 proc near ; DATA	XREF: .data:006B3600o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		push	6C687373h
		call	SleepstudyHelperCreateLibrary
		test	eax, eax
		js	short locret_9BF581
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+arg_4]
		mov	[edx+10h], ecx
		mov	ecx, [ebp+arg_0]
		mov	[ecx], edx

locret_9BF581:				; CODE XREF: SleepstudyHelper_Initialize(x,x)+1Aj
		leave
		retn	8
_SleepstudyHelper_Initialize@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelper_RegisterComponentEx(x, x, x, x, x,	x, x, x, x, x, x)
_SleepstudyHelper_RegisterComponentEx@44 proc near ; DATA XREF:	.data:006B3618o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_14		= dword	ptr  1Ch
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ebx
		mov	[esp+34h+var_28], ebx
		push	edi
		mov	[esp+38h+var_24], esi
		cmp	[ebp+arg_0], ebx
		jz	short loc_9BF60B
		cmp	[ebp+arg_24], ebx
		jz	short loc_9BF60B
		cmp	[ebp+arg_28], ebx
		jz	short loc_9BF60B
		lea	esi, [ebp+arg_4]
		lea	edi, [esp+38h+var_10]
		movsd
		lea	eax, [esp+38h+var_24]
		push	eax
		push	ebx
		push	[ebp+arg_24]
		movsd
		lea	eax, [esp+44h+var_20]
		push	eax
		lea	eax, [esp+48h+var_10]
		push	eax
		push	[ebp+arg_0]
		movsd
		movsd
		lea	esi, [ebp+arg_14]
		lea	edi, [esp+50h+var_20]
		movsd
		movsd
		movsd
		movsd
		call	SleepstudyHelperCreateBlockerFromGuid
		mov	esi, [esp+38h+var_24]
		mov	edi, eax
		test	edi, edi
		js	short loc_9BF610
		lea	eax, [esp+38h+var_28]
		push	eax
		push	esi
		call	SleepstudyHelperBuildBlocker
		mov	edi, eax
		test	edi, edi
		js	short loc_9BF605
		mov	ecx, [ebp+arg_28]
		mov	eax, [esp+38h+var_28]
		mov	[ecx], eax
		jmp	short loc_9BF624
; 

loc_9BF605:				; CODE XREF: SleepstudyHelper_RegisterComponentEx(x,x,x,x,x,x,x,x,x,x,x)+73j
		mov	ebx, [esp+38h+var_28]
		jmp	short loc_9BF610
; 

loc_9BF60B:				; CODE XREF: SleepstudyHelper_RegisterComponentEx(x,x,x,x,x,x,x,x,x,x,x)+1Dj
					; SleepstudyHelper_RegisterComponentEx(x,x,x,x,x,x,x,x,x,x,x)+22j ...
		mov	edi, 0C000000Dh

loc_9BF610:				; CODE XREF: SleepstudyHelper_RegisterComponentEx(x,x,x,x,x,x,x,x,x,x,x)+62j
					; SleepstudyHelper_RegisterComponentEx(x,x,x,x,x,x,x,x,x,x,x)+84j
		test	esi, esi
		jz	short loc_9BF61A
		push	esi
		call	SleepstudyHelperDestroyBlockerBuilder

loc_9BF61A:				; CODE XREF: SleepstudyHelper_RegisterComponentEx(x,x,x,x,x,x,x,x,x,x,x)+8Dj
		test	ebx, ebx
		jz	short loc_9BF624
		push	ebx
		call	_SleepstudyHelperDestroyBlocker@4 ; SleepstudyHelperDestroyBlocker(x)

loc_9BF624:				; CODE XREF: SleepstudyHelper_RegisterComponentEx(x,x,x,x,x,x,x,x,x,x,x)+7Ej
					; SleepstudyHelper_RegisterComponentEx(x,x,x,x,x,x,x,x,x,x,x)+97j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	2Ch
_SleepstudyHelper_RegisterComponentEx@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelper_RegisterPdoWithParentGuid(x, x, x,	x, x, x, x)
_SleepstudyHelper_RegisterPdoWithParentGuid@28 proc near ; DATA	XREF: .data:006B3614o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ebx
		mov	[esp+24h+var_18], ebx
		push	edi
		mov	[esp+28h+var_14], esi
		cmp	[ebp+arg_0], ebx
		jz	short loc_9BF6A4
		cmp	[ebp+arg_14], ebx
		jz	short loc_9BF6A4
		cmp	[ebp+arg_18], ebx
		jz	short loc_9BF6A4
		lea	esi, [ebp+arg_4]
		lea	edi, [esp+28h+var_10]
		movsd
		lea	eax, [esp+28h+var_14]
		push	eax
		push	[ebp+arg_14]
		lea	eax, [esp+30h+var_10]
		movsd
		push	eax
		push	[ebp+arg_0]
		movsd
		movsd
		call	_SleepstudyHelperCreateBlockerFromDevice@16 ; SleepstudyHelperCreateBlockerFromDevice(x,x,x,x)
		mov	esi, [esp+28h+var_14]
		mov	edi, eax
		test	edi, edi
		js	short loc_9BF6A9
		lea	eax, [esp+28h+var_18]
		push	eax
		push	esi
		call	SleepstudyHelperBuildBlocker
		mov	edi, eax
		test	edi, edi
		js	short loc_9BF69E
		mov	ecx, [ebp+arg_18]
		mov	eax, [esp+28h+var_18]
		mov	[ecx], eax
		jmp	short loc_9BF6BD
; 

loc_9BF69E:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentGuid(x,x,x,x,x,x,x)+62j
		mov	ebx, [esp+28h+var_18]
		jmp	short loc_9BF6A9
; 

loc_9BF6A4:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentGuid(x,x,x,x,x,x,x)+1Dj
					; SleepstudyHelper_RegisterPdoWithParentGuid(x,x,x,x,x,x,x)+22j ...
		mov	edi, 0C000000Dh

loc_9BF6A9:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentGuid(x,x,x,x,x,x,x)+51j
					; SleepstudyHelper_RegisterPdoWithParentGuid(x,x,x,x,x,x,x)+73j
		test	esi, esi
		jz	short loc_9BF6B3
		push	esi
		call	SleepstudyHelperDestroyBlockerBuilder

loc_9BF6B3:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentGuid(x,x,x,x,x,x,x)+7Cj
		test	ebx, ebx
		jz	short loc_9BF6BD
		push	ebx
		call	_SleepstudyHelperDestroyBlocker@4 ; SleepstudyHelperDestroyBlocker(x)

loc_9BF6BD:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentGuid(x,x,x,x,x,x,x)+6Dj
					; SleepstudyHelper_RegisterPdoWithParentGuid(x,x,x,x,x,x,x)+86j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_SleepstudyHelper_RegisterPdoWithParentGuid@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelper_RegisterPdoWithParentHandle(x, x, x, x)
_SleepstudyHelper_RegisterPdoWithParentHandle@16 proc near ; DATA XREF:	.data:006B3610o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+28h+var_10]
		stosd
		xor	ebx, ebx
		mov	[esp+28h+var_18], ebx
		stosd
		stosd
		stosd
		mov	edi, ebx
		mov	[esp+28h+var_14], edi
		cmp	[ebp+arg_0], ebx
		jz	short loc_9BF754
		cmp	[ebp+arg_4], ebx
		jz	short loc_9BF754
		cmp	[ebp+arg_8], ebx
		jz	short loc_9BF754
		cmp	[ebp+arg_C], ebx
		jz	short loc_9BF754
		lea	eax, [esp+28h+var_10]
		push	eax
		push	[ebp+arg_4]
		call	_SleepstudyHelperGetBlockerGuid@8 ; SleepstudyHelperGetBlockerGuid(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9BF76D
		lea	eax, [esp+28h+var_14]
		push	eax
		push	[ebp+arg_8]
		lea	eax, [esp+30h+var_10]
		push	eax
		push	[ebp+arg_0]
		call	_SleepstudyHelperCreateBlockerFromDevice@16 ; SleepstudyHelperCreateBlockerFromDevice(x,x,x,x)
		mov	edi, [esp+28h+var_14]
		mov	esi, eax
		test	esi, esi
		js	short loc_9BF759
		lea	eax, [esp+28h+var_18]
		push	eax
		push	edi
		call	SleepstudyHelperBuildBlocker
		mov	esi, eax
		test	esi, esi
		js	short loc_9BF74E
		mov	ecx, [ebp+arg_C]
		mov	eax, [esp+28h+var_18]
		mov	[ecx], eax
		jmp	short loc_9BF76D
; 

loc_9BF74E:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentHandle(x,x,x,x)+79j
		mov	ebx, [esp+28h+var_18]
		jmp	short loc_9BF759
; 

loc_9BF754:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentHandle(x,x,x,x)+27j
					; SleepstudyHelper_RegisterPdoWithParentHandle(x,x,x,x)+2Cj ...
		mov	esi, 0C000000Dh

loc_9BF759:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentHandle(x,x,x,x)+68j
					; SleepstudyHelper_RegisterPdoWithParentHandle(x,x,x,x)+8Aj
		test	edi, edi
		jz	short loc_9BF763
		push	edi
		call	SleepstudyHelperDestroyBlockerBuilder

loc_9BF763:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentHandle(x,x,x,x)+93j
		test	ebx, ebx
		jz	short loc_9BF76D
		push	ebx
		call	_SleepstudyHelperDestroyBlocker@4 ; SleepstudyHelperDestroyBlocker(x)

loc_9BF76D:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentHandle(x,x,x,x)+49j
					; SleepstudyHelper_RegisterPdoWithParentHandle(x,x,x,x)+84j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_SleepstudyHelper_RegisterPdoWithParentHandle@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelper_RegisterPdoWithParentPdo(x, x, x, x)
_SleepstudyHelper_RegisterPdoWithParentPdo@16 proc near	; DATA XREF: .data:006B360Co

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edi
		mov	[esp+28h+var_18], edi
		mov	[esp+28h+var_14], esi
		cmp	[ebp+arg_0], esi
		jz	short loc_9BF7FA
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_9BF7FA
		cmp	[ebp+arg_8], esi
		jz	short loc_9BF7FA
		cmp	[ebp+arg_C], esi
		jz	short loc_9BF7FA
		cdq
		mov	[esp+28h+var_10], eax
		lea	eax, [esp+28h+var_14]
		push	eax
		push	[ebp+arg_8]
		lea	eax, [esp+30h+var_10]
		mov	[esp+30h+var_8], edi
		push	eax
		push	[ebp+arg_0]
		mov	[esp+38h+var_4], edi
		mov	[esp+38h+var_C], edx
		call	_SleepstudyHelperCreateBlockerFromDevice@16 ; SleepstudyHelperCreateBlockerFromDevice(x,x,x,x)
		mov	esi, [esp+28h+var_14]
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9BF7FF
		lea	eax, [esp+28h+var_18]
		push	eax
		push	esi
		call	SleepstudyHelperBuildBlocker
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9BF7F4
		mov	ecx, [ebp+arg_C]
		mov	eax, [esp+28h+var_18]
		mov	[ecx], eax
		jmp	short loc_9BF813
; 

loc_9BF7F4:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentPdo(x,x,x,x)+6Fj
		mov	edi, [esp+28h+var_18]
		jmp	short loc_9BF7FF
; 

loc_9BF7FA:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentPdo(x,x,x,x)+1Dj
					; SleepstudyHelper_RegisterPdoWithParentPdo(x,x,x,x)+24j ...
		mov	ebx, 0C000000Dh

loc_9BF7FF:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentPdo(x,x,x,x)+5Ej
					; SleepstudyHelper_RegisterPdoWithParentPdo(x,x,x,x)+80j
		test	esi, esi
		jz	short loc_9BF809
		push	esi
		call	SleepstudyHelperDestroyBlockerBuilder

loc_9BF809:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentPdo(x,x,x,x)+89j
		test	edi, edi
		jz	short loc_9BF813
		push	edi
		call	_SleepstudyHelperDestroyBlocker@4 ; SleepstudyHelperDestroyBlocker(x)

loc_9BF813:				; CODE XREF: SleepstudyHelper_RegisterPdoWithParentPdo(x,x,x,x)+7Aj
					; SleepstudyHelper_RegisterPdoWithParentPdo(x,x,x,x)+93j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_SleepstudyHelper_RegisterPdoWithParentPdo@16 endp

; [00000005 BYTES: COLLAPSED FUNCTION SleepstudyHelper_Uninitialize(x).	PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelperCreateBlockerData(x, x, x, x, x)
_SleepstudyHelperCreateBlockerData@20 proc near	; DATA XREF: .data:006B35C8o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, esi
		mov	[ebp+var_4], esi
		test	edi, edi
		jz	loc_9BF961
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	loc_9BF961
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	loc_9BF961
		cmp	[ebp+arg_10], ebx
		jz	loc_9BF961
		mov	edx, esi
		push	10h
		pop	ebx
		test	ecx, ecx
		jz	short loc_9BF87F
		add	eax, 0Ch

loc_9BF869:				; CODE XREF: SleepstudyHelperCreateBlockerData(x,x,x,x,x)+5Aj
		cmp	[eax-8], esi
		jz	short loc_9BF8CA
		cmp	[eax-0Ch], si
		jz	short loc_9BF8CA
		cmp	[eax], esi
		jz	short loc_9BF8CA
		inc	edx
		add	eax, ebx
		cmp	edx, ecx
		jb	short loc_9BF869

loc_9BF87F:				; CODE XREF: SleepstudyHelperCreateBlockerData(x,x,x,x,x)+41j
		mov	eax, ecx
		lea	ecx, [ebp+var_4]
		mul	ebx
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9BF971
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		push	eax
		push	24h
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9BF971
		mov	edx, [edi+0Ch]
		mov	ecx, [ebp+var_4]
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9BF8D4
		mov	esi, 0C000009Ah
		jmp	loc_9BF971
; 

loc_9BF8CA:				; CODE XREF: SleepstudyHelperCreateBlockerData(x,x,x,x,x)+49j
					; SleepstudyHelperCreateBlockerData(x,x,x,x,x)+4Fj ...
		mov	esi, 0C000000Dh
		jmp	loc_9BF971
; 

loc_9BF8D4:				; CODE XREF: SleepstudyHelperCreateBlockerData(x,x,x,x,x)+9Bj
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	esi, [ebp+arg_4]
		lea	edi, [ebx+10h]
		add	esp, 0Ch
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+arg_0]
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		and	dword ptr [ebx+20h], 0
		cmp	[ebp+arg_8], 0
		mov	[ebx+8], edi
		jbe	short loc_9BF92C
		xor	ecx, ecx

loc_9BF903:				; CODE XREF: SleepstudyHelperCreateBlockerData(x,x,x,x,x)+107j
		mov	edx, [ebp+arg_C]
		lea	eax, [ebx+24h]
		shl	ecx, 4
		add	eax, ecx
		push	eax
		lea	edx, [ecx+edx]
		mov	ecx, [edi+0Ch]
		call	_SshpCopyDataEntry@12 ;	SshpCopyDataEntry(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9BF966
		mov	ecx, [ebx+20h]
		inc	ecx
		mov	[ebx+20h], ecx
		cmp	ecx, [ebp+arg_8]
		jb	short loc_9BF903

loc_9BF92C:				; CODE XREF: SleepstudyHelperCreateBlockerData(x,x,x,x,x)+DCj
		lea	esi, [edi+8]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+20h]
		add	edi, 1Ch
		cmp	[eax], edi
		jz	short loc_9BF947
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9BF947:				; CODE XREF: SleepstudyHelperCreateBlockerData(x,x,x,x,x)+11Dj
		mov	[ebx], edi
		mov	ecx, esi
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	[edi+4], ebx
		call	SSHSupportReleasePushLockExclusive
		mov	eax, [ebp+arg_10]
		xor	esi, esi
		mov	[eax], ebx
		jmp	short loc_9BF971
; 

loc_9BF961:				; CODE XREF: SleepstudyHelperCreateBlockerData(x,x,x,x,x)+15j
					; SleepstudyHelperCreateBlockerData(x,x,x,x,x)+20j ...
		mov	esi, 0C000000Dh

loc_9BF966:				; CODE XREF: SleepstudyHelperCreateBlockerData(x,x,x,x,x)+FBj
		test	ebx, ebx
		jz	short loc_9BF971
		mov	ecx, ebx
		call	_SshpFreeDataEntry@4 ; SshpFreeDataEntry(x)

loc_9BF971:				; CODE XREF: SleepstudyHelperCreateBlockerData(x,x,x,x,x)+6Ej
					; SleepstudyHelperCreateBlockerData(x,x,x,x,x)+86j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
_SleepstudyHelperCreateBlockerData@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelperDestroyBlockerData(x)
_SleepstudyHelperDestroyBlockerData@4 proc near	; DATA XREF: .data:006B35E4o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_9BF98E
		mov	ecx, esi
		call	_SshpFreeDataEntry@4 ; SshpFreeDataEntry(x)

loc_9BF98E:				; CODE XREF: SleepstudyHelperDestroyBlockerData(x)+Bj
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFFF3h
		lea	eax, [esi-3FFFFFF3h]
		pop	esi
		pop	ebp
		retn	4
_SleepstudyHelperDestroyBlockerData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SleepstudyHelperDestroyLibrary(x)
_SleepstudyHelperDestroyLibrary@4 proc near ; CODE XREF: SleepstudyHelper_Uninitialize(x)j
					; SshpUninitialize()+5Ep
					; DATA XREF: ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jnz	short loc_9BF9BE
		mov	eax, 0C000000Dh

loc_9BF9B7:				; CODE XREF: SleepstudyHelperDestroyLibrary(x)+C0j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_9BF9BE:				; CODE XREF: SleepstudyHelperDestroyLibrary(x)+Dj
		mov	edi, offset _SshpLibraryListLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_9BFA68
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_9BFA68
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	ecx, edi
		call	SSHSupportReleasePushLockExclusive
		lea	ebx, [esi+14h]

loc_9BF9F1:				; CODE XREF: SleepstudyHelperDestroyLibrary(x)+A2j
		mov	edi, [ebx]
		cmp	edi, ebx
		jz	short loc_9BFA47
		cmp	[edi+4], ebx
		jnz	short loc_9BFA68
		mov	eax, [edi]
		cmp	[eax+4], edi
		jnz	short loc_9BFA68
		mov	[ebx], eax
		xor	edx, edx
		mov	[eax+4], ebx
		mov	eax, [edi+14h]
		shl	eax, 4
		add	eax, offset _SshpBlockerCollections
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		call	ExAcquirePushLockExclusiveEx
		lea	ecx, [edi+8]
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_9BFA68
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_9BFA68
		mov	ecx, [ebp+arg_0]
		mov	[eax], edx
		mov	[edx+4], eax
		call	SSHSupportReleasePushLockExclusive
		mov	ecx, [edi+44h]
		call	SshpDereferenceBlocker
		jmp	short loc_9BF9F1
; 

loc_9BFA47:				; CODE XREF: SleepstudyHelperDestroyLibrary(x)+52j
		lea	edi, [esi+1Ch]

loc_9BFA4A:				; CODE XREF: SleepstudyHelperDestroyLibrary(x)+B2j
		mov	ecx, [edi]
		cmp	ecx, edi
		jz	short loc_9BFA57
		call	_SshpFreeDataEntry@4 ; SshpFreeDataEntry(x)
		jmp	short loc_9BFA4A
; 

loc_9BFA57:				; CODE XREF: SleepstudyHelperDestroyLibrary(x)+ABj
		mov	edx, [esi+0Ch]
		mov	ecx, esi
		call	_CmpFreePoolWithTag@8 ;	CmpFreePoolWithTag(x,x)
		xor	eax, eax
		jmp	loc_9BF9B7
; 

loc_9BFA68:				; CODE XREF: SleepstudyHelperDestroyLibrary(x)+2Ej
					; SleepstudyHelperDestroyLibrary(x)+39j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_SleepstudyHelperDestroyLibrary@4 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall SSHSupportEtwUnregister(x, x)
_SSHSupportEtwUnregister@8 proc	near	; CODE XREF: SshpUninitialize()+46p
		mov	edi, edi
		push	ecx
		mov	eax, dword_6BEFAC
		mov	ecx, _SshpTraceHandle
		push	eax
		push	ecx
		call	EtwUnregister
		pop	ecx
		retn	8
_SSHSupportEtwUnregister@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SSHSupportUnregisterPowerSettingCallback(x)
_SSHSupportUnregisterPowerSettingCallback@4 proc near
					; CODE XREF: SshpUnsubscribeCallbacks()+Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _SshpPowerSettingHandle
		push	eax
		call	PoUnregisterPowerSettingCallback
		leave
		retn
_SSHSupportUnregisterPowerSettingCallback@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SshpPowerSettingCallback(void *,int,int,int)
_SshpPowerSettingCallback@16 proc near	; DATA XREF: SSHSupportRegisterPowerSettingCallback(x,x,x,x,x)+7o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	10h		; size_t
		push	offset _GUID_PDC_IDLE_RESILIENCY_ENGAGED ; void	*
		push	[ebp+arg_0]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9BFADA
		mov	eax, [ebp+arg_4]
		push	ebx
		cmp	dword ptr [eax], 0
		setnz	bl
		cmp	bl, _SshpIdleResiliencyEngaged
		jz	short loc_9BFAD9
		mov	dl, bl
		mov	ecx, offset _SshpBlockerCollections
		call	_SshpSetCollectionActive@8 ; SshpSetCollectionActive(x,x)
		mov	_SshpIdleResiliencyEngaged, bl

loc_9BFAD9:				; CODE XREF: SshpPowerSettingCallback(x,x,x,x)+2Bj
		pop	ebx

loc_9BFADA:				; CODE XREF: SshpPowerSettingCallback(x,x,x,x)+19j
		xor	eax, eax
		pop	ebp
		retn	10h
_SshpPowerSettingCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SshpWnfCallback(int,void *,int,int,int,int)
_SshpWnfCallback@24 proc near		; DATA XREF: SshpSubscribeCallbacks()+1Do

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	6
		pop	ecx
		push	8		; size_t
		push	offset _WNF_PO_UMPO_SCENARIO_CHANGE ; void *
		push	[ebp+arg_4]	; void *
		lea	edi, [esp+3Ch+var_20]
		rep stosd
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9BFB7A
		lea	eax, [esp+30h+var_24]
		mov	[esp+30h+var_24], 18h
		push	eax		; int
		lea	eax, [esp+34h+var_20]
		push	eax		; void *
		lea	eax, [ebp+arg_C]
		push	eax		; int
		push	esi		; int
		call	_ExQueryWnfStateData@16	; ExQueryWnfStateData(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9BFB7F
		call	_SshpSendSessionData@0 ; SshpSendSessionData()
		mov	eax, [esp+30h+var_10]
		lea	esi, [esp+30h+var_20]
		mov	edi, offset _SshpSessionGuid
		mov	_SshpSessionId,	eax
		mov	eax, [esp+30h+var_C]
		mov	dword_6BEF84, eax
		movsd
		movsd
		movsd
		movsd
		call	_SSHSupportQueryInterruptTime@0	; SSHSupportQueryInterruptTime()
		mov	_SshpSessionStartTime, eax
		mov	dword_6BEF8C, edx
		call	_SshpQueryRegistryValues@0 ; SshpQueryRegistryValues()
		jmp	short loc_9BFB7F
; 

loc_9BFB7A:				; CODE XREF: SshpWnfCallback(x,x,x,x,x,x)+3Bj
		mov	ebx, 0C00000BBh

loc_9BFB7F:				; CODE XREF: SshpWnfCallback(x,x,x,x,x,x)+5Dj
					; SshpWnfCallback(x,x,x,x,x,x)+98j
		mov	ecx, [esp+30h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	18h
_SshpWnfCallback@24 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2574. TtmNotifyDeviceArrival

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmNotifyDeviceArrival(x, x, x, x, x, x)
		public _TtmNotifyDeviceArrival@24
_TtmNotifyDeviceArrival@24 proc	near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, [ebp+arg_C]
		xor	ecx, ecx
		push	ebx
		push	esi
		or	edx, 0FFFFFFFFh
		mov	[esp+14h+var_4], ecx
		mov	ebx, ecx
		mov	esi, edx
		push	edi
		test	eax, eax
		jz	loc_9BFD8A
		cmp	[eax], ecx
		jnz	short loc_9BFBDF
		mov	edi, 0C000000Dh
		push	edi
		push	edx
		mov	edx, 176h

loc_9BFBD0:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+5Bj
					; TtmNotifyDeviceArrival(x,x,x,x,x,x)+83j
		mov	ecx, offset ??_C@_0BH@DOLIBDDI@TtmNotifyDeviceArrival@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	loc_9BFDC5
; 

loc_9BFBDF:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+28j
		cmp	[eax+0Ch], ecx
		jz	short loc_9BFBF7
		cmp	[eax+8], ecx
		jz	short loc_9BFBF7
		mov	edi, 0C000000Dh
		push	edi
		push	edx
		mov	edx, 17Dh
		jmp	short loc_9BFBD0
; 

loc_9BFBF7:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+48j
					; TtmNotifyDeviceArrival(x,x,x,x,x,x)+4Dj
		mov	eax, [ebp+arg_14]
		test	eax, eax
		jz	short loc_9BFC1F
		lea	ecx, [esp+18h+var_8]
		mov	edx, 104h
		push	ecx
		mov	ecx, [eax+4]
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9BFC1F
		push	edi
		push	edi
		mov	edx, 191h
		jmp	short loc_9BFBD0
; 

loc_9BFC1F:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+62j
					; TtmNotifyDeviceArrival(x,x,x,x,x,x)+7Aj
		lea	ecx, [esp+18h+var_4]
		call	_TtmiAcquireCurrentSession@4 ; TtmiAcquireCurrentSession(x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9BFC3A
		push	edi
		push	edi
		mov	edx, 19Ch
		jmp	loc_9BFD96
; 

loc_9BFC3A:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+92j
		mov	edi, [esp+18h+var_4]
		mov	ecx, edi
		mov	edx, [ebp+arg_0]
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_TtmpFindDeviceByToken@20 ; TtmpFindDeviceByToken(x,x,x,x,x)
		test	al, al
		jz	short loc_9BFC66
		mov	edi, 0C0000038h
		mov	edx, 1AEh
		push	edi
		push	0FFFFFFFFh
		jmp	loc_9BFD96
; 

loc_9BFC66:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+B8j
		xor	esi, esi
		inc	esi
		mov	eax, esi
		lock xadd [edi+48h], eax
		inc	eax
		push	446D7454h
		mov	edi, 248h
		mov	[esp+1Ch+var_8], eax
		push	edi
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9BFCAC
		mov	edi, 0C000009Ah
		mov	edx, 1C4h
		push	edi
		push	0FFFFFFFFh

loc_9BFC99:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+177j
		mov	ecx, offset ??_C@_0BH@DOLIBDDI@TtmNotifyDeviceArrival@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)

loc_9BFCA3:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+1EBj
		mov	esi, [esp+18h+var_8]
		jmp	loc_9BFDA0
; 

loc_9BFCAC:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+F0j
		push	edi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	ecx, [ebp+arg_C]
		mov	edx, 104h
		mov	[ebx+8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebx+10h], eax
		mov	eax, [ebp+arg_8]
		mov	[ebx+14h], eax
		mov	eax, [esp+18h+var_8]
		mov	[ebx+18h], eax
		mov	eax, [ecx]
		mov	[ebx+1Ch], eax
		mov	eax, [ecx+4]
		mov	[ebx+20h], eax
		mov	eax, [ecx+8]
		mov	[ebx+24h], eax
		mov	eax, [ecx+0Ch]
		lea	ecx, [ebx+30h]
		mov	[ebx+28h], eax
		mov	eax, [ebp+arg_10]
		mov	[ebx+2Ch], eax
		mov	eax, [ebp+arg_14]
		push	dword ptr [eax+4]
		call	RtlStringCchCopyW
		mov	edi, eax
		test	edi, edi
		jns	short loc_9BFD13
		push	edi
		push	edi
		mov	edx, 1DBh
		jmp	short loc_9BFC99
; 

loc_9BFD13:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+16Ej
		cmp	dword ptr [ebx+8], 2
		jnz	short loc_9BFD3B
		mov	eax, [ebx+2Ch]
		cmp	eax, esi
		jz	short loc_9BFD34
		cmp	eax, 2
		jz	short loc_9BFD34
		cmp	eax, 4
		jz	short loc_9BFD34
		cmp	eax, 8
		jz	short loc_9BFD34
		cmp	eax, 10h
		jnz	short loc_9BFD3B

loc_9BFD34:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+184j
					; TtmNotifyDeviceArrival(x,x,x,x,x,x)+189j ...
		mov	ecx, 80h
		jmp	short loc_9BFD3D
; 

loc_9BFD3B:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+17Dj
					; TtmNotifyDeviceArrival(x,x,x,x,x,x)+198j
		xor	ecx, ecx

loc_9BFD3D:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+19Fj
		mov	eax, [ebx+23Ch]
		or	dword ptr [ebx+238h], 0FFFFFFFFh
		and	eax, 0FFFFFF7Fh
		or	eax, ecx
		or	eax, esi
		mov	[ebx+23Ch], eax
		mov	eax, [esp+18h+var_4]
		lea	ecx, [eax+40h]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jz	short loc_9BFD6C
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9BFD6C:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+1CBj
		mov	[ebx], ecx
		mov	[ebx+4], edx
		mov	[edx], ebx
		mov	[ecx+4], ebx
		mov	ecx, eax
		inc	dword ptr [eax+4Ch]
		push	esi
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)
		xor	ebx, ebx
		xor	edi, edi
		jmp	loc_9BFCA3
; 

loc_9BFD8A:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+20j
		mov	edi, 0C000000Dh
		push	edi
		push	edx
		mov	edx, 182h

loc_9BFD96:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+9Bj
					; TtmNotifyDeviceArrival(x,x,x,x,x,x)+C7j
		mov	ecx, offset ??_C@_0BH@DOLIBDDI@TtmNotifyDeviceArrival@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)

loc_9BFDA0:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+10Dj
		cmp	[esp+18h+var_4], 0
		jz	short loc_9BFDB6
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9BFDB6:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+20Bj
		test	ebx, ebx
		jz	short loc_9BFDC5
		push	446D7454h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9BFDC5:				; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+40j
					; TtmNotifyDeviceArrival(x,x,x,x,x,x)+21Ej
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		push	edi
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_TtmiLogDeviceArrivalNotified@24 ; TtmiLogDeviceArrivalNotified(x,x,x,x,x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_TtmNotifyDeviceArrival@24 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2575. TtmNotifyDeviceDeparture

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmNotifyDeviceDeparture(x,	x, x)
		public _TtmNotifyDeviceDeparture@12
_TtmNotifyDeviceDeparture@12 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		lea	ecx, [esp+10h+var_8]
		mov	[esp+10h+var_8], ebx
		mov	[esp+10h+var_4], ebx
		call	_TtmiAcquireCurrentSession@4 ; TtmiAcquireCurrentSession(x)
		test	eax, eax
		jns	short loc_9BFE1F
		push	eax
		push	eax
		mov	edx, 270h
		mov	ecx, (offset loc_8BDB7C+6)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9BFE6D
; 

loc_9BFE1F:				; CODE XREF: TtmNotifyDeviceDeparture(x,x,x)+21j
		mov	ecx, [esp+10h+var_8]
		lea	eax, [esp+10h+var_4]
		mov	edx, [ebp+arg_0]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_TtmpFindDeviceByToken@20 ; TtmpFindDeviceByToken(x,x,x,x,x)
		mov	bl, al
		test	bl, bl
		jz	short loc_9BFE5E
		mov	ecx, [esp+10h+var_4]
		mov	eax, [ecx+23Ch]
		test	al, 4
		jnz	short loc_9BFE5E
		or	eax, 4
		mov	[ecx+23Ch], eax
		mov	ecx, [esp+10h+var_8]
		push	1
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)

loc_9BFE5E:				; CODE XREF: TtmNotifyDeviceDeparture(x,x,x)+51j
					; TtmNotifyDeviceDeparture(x,x,x)+5Fj
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9BFE6D:				; CODE XREF: TtmNotifyDeviceDeparture(x,x,x)+34j
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		mov	dl, bl
		push	[ebp+arg_4]
		call	_TtmiLogDeviceDepartureNotified@16 ; TtmiLogDeviceDepartureNotified(x,x,x,x)
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_TtmNotifyDeviceDeparture@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2576. TtmNotifyDeviceInput

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmNotifyDeviceInput(x, x, x, x)
		public _TtmNotifyDeviceInput@16
_TtmNotifyDeviceInput@16 proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		xor	eax, eax
		lea	ecx, [esp+18h+var_14]
		push	esi
		push	edi
		mov	[esp+20h+var_10], eax
		mov	[esp+20h+var_14], eax
		mov	[esp+20h+var_C], eax
		mov	byte ptr [esp+20h+var_18], al
		mov	byte ptr [esp+20h+var_4], al
		mov	byte ptr [esp+20h+var_8], al
		call	_TtmiAcquireCurrentSession@4 ; TtmiAcquireCurrentSession(x)
		mov	esi, [esp+20h+var_14]
		test	eax, eax
		jns	short loc_9BFED8
		mov	edx, 2F9h

loc_9BFEC6:				; CODE XREF: TtmNotifyDeviceInput(x,x,x,x)+C3j
		push	0FFFFFFFFh
		push	eax

loc_9BFEC9:				; CODE XREF: TtmNotifyDeviceInput(x,x,x,x)+61j
					; TtmNotifyDeviceInput(x,x,x,x)+8Cj
		mov	ecx, offset ??_C@_0BF@EMLFFGPB@TtmNotifyDeviceInput@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	loc_9BFF7F
; 

loc_9BFED8:				; CODE XREF: TtmNotifyDeviceInput(x,x,x,x)+36j
		test	byte ptr [esi+4], 4
		jz	short loc_9BFEEC
		push	0FFFFFFFFh
		push	0C0000455h
		mov	edx, 301h
		jmp	short loc_9BFEC9
; 

loc_9BFEEC:				; CODE XREF: TtmNotifyDeviceInput(x,x,x,x)+53j
		mov	edx, [ebp+arg_0]
		lea	eax, [esp+20h+var_10]
		push	eax
		push	[ebp+arg_8]
		mov	ecx, esi
		push	[ebp+arg_4]
		call	_TtmpFindDeviceByToken@20 ; TtmpFindDeviceByToken(x,x,x,x,x)
		mov	byte ptr [esp+20h+var_4], al
		test	al, al
		jnz	short loc_9BFF17
		push	0FFFFFFFFh
		push	0C0000225h
		mov	edx, 312h
		jmp	short loc_9BFEC9
; 

loc_9BFF17:				; CODE XREF: TtmNotifyDeviceInput(x,x,x,x)+7Ej
		call	KeQueryInterruptTime
		mov	edi, [esp+20h+var_10]
		mov	[edi+240h], eax
		mov	[edi+244h], edx
		mov	eax, [edi+238h]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9BFF7F
		push	eax
		mov	edx, esi
		lea	ecx, [esp+24h+var_C]
		call	_TtmiGetTerminalById@12	; TtmiGetTerminalById(x,x,x)
		test	eax, eax
		jns	short loc_9BFF51
		mov	edx, 325h
		jmp	loc_9BFEC6
; 

loc_9BFF51:				; CODE XREF: TtmNotifyDeviceInput(x,x,x,x)+BCj
		test	[ebp+arg_C], 1
		jz	short loc_9BFF65
		test	byte ptr [edi+23Ch], 80h
		jz	short loc_9BFF65
		mov	byte ptr [esp+20h+var_18], 1

loc_9BFF65:				; CODE XREF: TtmNotifyDeviceInput(x,x,x,x)+CCj
					; TtmNotifyDeviceInput(x,x,x,x)+D5j
		push	[esp+20h+var_18]
		mov	edx, [esp+24h+var_C]
		mov	ecx, esi
		push	54544941h
		push	4
		call	_TtmiResetTerminalTimeouts@20 ;	TtmiResetTerminalTimeouts(x,x,x,x,x)
		mov	byte ptr [esp+20h+var_8], al

loc_9BFF7F:				; CODE XREF: TtmNotifyDeviceInput(x,x,x,x)+4Aj
					; TtmNotifyDeviceInput(x,x,x,x)+ACj
		push	[esp+20h+var_18]
		mov	edx, dword ptr [ebp+arg_C]
		push	[esp+24h+var_8]
		mov	ecx, [ebp+arg_0]
		push	[esp+28h+var_4]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_TtmiLogDeviceInputNotified@28 ; TtmiLogDeviceInputNotified(x,x,x,x,x,x,x)
		test	esi, esi
		jz	short loc_9BFFAF
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9BFFAF:				; CODE XREF: TtmNotifyDeviceInput(x,x,x,x)+115j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
_TtmNotifyDeviceInput@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiAssignDevice(x,	x, x)
_TtmiAssignDevice@12 proc near		; CODE XREF: TtmpDispatchAssignDevice(x)+49p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], edx
		mov	edx, [ebp+arg_0]
		xor	edi, edi
		push	eax
		mov	ebx, ecx
		mov	[ebp+var_4], edi
		call	_TtmpFindDeviceByDeviceId@12 ; TtmpFindDeviceByDeviceId(x,x,x)
		test	al, al
		jnz	short loc_9BFFF4
		mov	edi, 0C0000225h
		mov	edx, 466h
		push	edi
		push	0FFFFFFFFh
		mov	ecx, offset ??_C@_0BB@JGKHLLGE@TtmiAssignDevice@NNGAKEGL@ ; "TtmiAssignDevice"
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C002D
; 

loc_9BFFF4:				; CODE XREF: TtmiAssignDevice(x,x,x)+22j
		mov	esi, [ebp+var_4]
		xor	edx, edx
		mov	eax, [ebp+var_8]
		mov	ecx, ebx
		push	4
		push	esi
		mov	eax, [eax+10h]
		mov	[esi+238h], eax
		call	_TtmpPublishDeviceEvent@16 ; TtmpPublishDeviceEvent(x,x,x,x)
		mov	edx, [ebp+arg_0]
		mov	ecx, [esi+238h]
		call	_TtmiLogDeviceToTerminalAssigned@8 ; TtmiLogDeviceToTerminalAssigned(x,x)
		or	dword ptr [esi+23Ch], 60h
		mov	ecx, ebx
		push	1
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)

loc_9C002D:				; CODE XREF: TtmiAssignDevice(x,x,x)+3Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_TtmiAssignDevice@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiDevicesRundown(x)
_TtmiDevicesRundown@4 proc near		; CODE XREF: TtmiSessionsRundown()+91p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	edx, ecx
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_28]
		push	0Ah
		pop	ecx
		rep stosd
		test	edx, edx
		jz	short loc_9C00B2
		mov	ebx, [edx]
		lea	edi, [edx+40h]
		mov	esi, [edi]
		jmp	short loc_9C00AE
; 

loc_9C005A:				; CODE XREF: TtmiDevicesRundown(x)+7Aj
		mov	ecx, [esi+23Ch]
		test	cl, 8
		jnz	short loc_9C00AC
		mov	eax, [esi+238h]
		mov	[ebp+var_24], eax
		mov	eax, [esi+8]
		mov	[ebp+var_20], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_10], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_C], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_18], eax
		mov	eax, [esi+240h]
		mov	[ebp+var_8], eax
		mov	eax, [esi+244h]
		mov	[ebp+var_14], ecx
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_28], ebx
		mov	[ebp+var_4], eax
		call	_TtmiLogDeviceRundown@4	; TtmiLogDeviceRundown(x)

loc_9C00AC:				; CODE XREF: TtmiDevicesRundown(x)+2Dj
		mov	esi, [esi]

loc_9C00AE:				; CODE XREF: TtmiDevicesRundown(x)+22j
		cmp	esi, edi
		jnz	short loc_9C005A

loc_9C00B2:				; CODE XREF: TtmiDevicesRundown(x)+19j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_TtmiDevicesRundown@4 endp


;  S U B	R O U T	I N E 


; __stdcall TtmiEvacuateDevices(x, x)
_TtmiEvacuateDevices@8 proc near	; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+86p
					; TtmpDispatchEvacuateDevices(x)+44p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		lea	edi, [ecx+40h]
		mov	ebx, edx
		mov	esi, [edi]
		xor	al, al
		jmp	short loc_9C00F5
; 

loc_9C00C7:				; CODE XREF: TtmiEvacuateDevices(x,x)+40j
		mov	ecx, [ebx+10h]
		cmp	[esi+238h], ecx
		jnz	short loc_9C00F3
		push	dword ptr [esi+18h]
		mov	edx, [esi+8]
		push	dword ptr [esi+14h]
		push	dword ptr [esi+10h]
		call	_TtmiLogDeviceFromTerminalRemoved@20 ; TtmiLogDeviceFromTerminalRemoved(x,x,x,x,x)
		or	dword ptr [esi+238h], 0FFFFFFFFh
		mov	al, 1
		or	dword ptr [esi+23Ch], 10h

loc_9C00F3:				; CODE XREF: TtmiEvacuateDevices(x,x)+19j
		mov	esi, [esi]

loc_9C00F5:				; CODE XREF: TtmiEvacuateDevices(x,x)+Ej
		cmp	esi, edi
		jnz	short loc_9C00C7
		pop	edi
		pop	esi
		pop	ebx
		retn
_TtmiEvacuateDevices@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiPublishDeviceEnumerationEvents(x, x)
_TtmiPublishDeviceEnumerationEvents@8 proc near
					; CODE XREF: TtmiWriteEnumerationEventsToQueue(x,x)+12p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		lea	ebx, [ecx+40h]
		mov	[ebp+var_8], edx
		push	edi
		mov	edi, [ebx]
		mov	[ebp+var_4], ecx
		jmp	short loc_9C0137
; 

loc_9C0115:				; CODE XREF: TtmiPublishDeviceEnumerationEvents(x,x)+3Cj
		mov	eax, [edi+23Ch]
		and	al, 0Ah
		cmp	al, 2
		jnz	short loc_9C0135
		push	0
		push	edi
		call	_TtmpPublishDeviceEvent@16 ; TtmpPublishDeviceEvent(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9C0144
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]

loc_9C0135:				; CODE XREF: TtmiPublishDeviceEnumerationEvents(x,x)+22j
		mov	edi, [edi]

loc_9C0137:				; CODE XREF: TtmiPublishDeviceEnumerationEvents(x,x)+16j
		cmp	edi, ebx
		jnz	short loc_9C0115
		xor	esi, esi

loc_9C013D:				; CODE XREF: TtmiPublishDeviceEnumerationEvents(x,x)+58j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9C0144:				; CODE XREF: TtmiPublishDeviceEnumerationEvents(x,x)+30j
		push	esi
		push	esi
		mov	edx, 41Fh
		mov	ecx, offset ??_C@_0CD@KMMNFJNH@TtmiPublishDeviceEnumerationEve@NNGAKEGL@ ; "TtmiPublishDeviceEnumerationEvents"
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C013D
_TtmiPublishDeviceEnumerationEvents@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiSessionDeviceListWorker(x)
_TtmiSessionDeviceListWorker@4 proc near ; CODE	XREF: TtmpSessionWorker(x)+163p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	ebx, [edi+40h]
		mov	esi, [ebx]
		jmp	loc_9C027F
; 

loc_9C016C:				; CODE XREF: TtmiSessionDeviceListWorker(x)+12Aj
		mov	ecx, [esi+23Ch]
		mov	[ebp+var_4], esi
		test	cl, 4
		jnz	loc_9C01FF
		test	cl, 1
		jz	short loc_9C01A6
		and	ecx, 0FFFFFFFEh
		or	ecx, 2
		mov	[esi+23Ch], ecx
		test	dword ptr [edi+4], 800h
		jz	short loc_9C01A2
		and	dword ptr [esi+238h], 0
		or	ecx, 40h

loc_9C01A2:				; CODE XREF: TtmiSessionDeviceListWorker(x)+3Fj
		push	3
		jmp	short loc_9C01C9
; 

loc_9C01A6:				; CODE XREF: TtmiSessionDeviceListWorker(x)+2Aj
		test	cl, 10h
		jz	short loc_9C01DC
		and	ecx, 0FFFFFFEFh
		mov	[esi+23Ch], ecx
		test	dword ptr [edi+4], 800h
		jz	short loc_9C01C7
		and	dword ptr [esi+238h], 0
		or	ecx, 40h

loc_9C01C7:				; CODE XREF: TtmiSessionDeviceListWorker(x)+64j
		push	4

loc_9C01C9:				; CODE XREF: TtmiSessionDeviceListWorker(x)+4Dj
		or	ecx, 20h
		xor	edx, edx
		mov	[esi+23Ch], ecx
		mov	ecx, edi
		push	esi
		call	_TtmpPublishDeviceEvent@16 ; TtmpPublishDeviceEvent(x,x,x,x)

loc_9C01DC:				; CODE XREF: TtmiSessionDeviceListWorker(x)+52j
		mov	ecx, [esi+23Ch]
		test	cl, 20h
		jz	short loc_9C01FF
		and	ecx, 0FFFFFFDFh
		mov	edx, esi
		mov	[esi+23Ch], ecx
		mov	ecx, edi
		call	_TtmpCallAssignedToTerminal@8 ;	TtmpCallAssignedToTerminal(x,x)
		mov	ecx, [esi+23Ch]

loc_9C01FF:				; CODE XREF: TtmiSessionDeviceListWorker(x)+21j
					; TtmiSessionDeviceListWorker(x)+8Ej
		mov	eax, ecx
		and	al, 44h
		cmp	al, 40h
		jnz	short loc_9C022B
		and	ecx, 0FFFFFFBFh
		mov	edx, esi
		mov	[esi+23Ch], ecx
		mov	ecx, edi
		call	_TtmpPushTerminalState@8 ; TtmpPushTerminalState(x,x)
		test	al, al
		jz	short loc_9C022B
		or	dword ptr [esi+23Ch], 40h
		or	dword ptr [edi+4], 1000h

loc_9C022B:				; CODE XREF: TtmiSessionDeviceListWorker(x)+AEj
					; TtmiSessionDeviceListWorker(x)+C4j
		mov	eax, [esi+23Ch]
		test	al, 4
		jz	short loc_9C027D
		test	al, 2
		jz	short loc_9C024E
		push	5
		or	eax, 8
		xor	edx, edx
		push	esi
		mov	ecx, edi
		mov	[esi+23Ch], eax
		call	_TtmpPublishDeviceEvent@16 ; TtmpPublishDeviceEvent(x,x,x,x)

loc_9C024E:				; CODE XREF: TtmiSessionDeviceListWorker(x)+E0j
		mov	edx, esi
		mov	ecx, edi
		call	_TtmpCallClose@8 ; TtmpCallClose(x,x)
		mov	edx, [ebp+var_4]
		mov	eax, [esi+4]
		mov	esi, eax
		mov	ecx, [edx]
		cmp	[ecx+4], edx
		jnz	short loc_9C02B3
		cmp	[eax], edx
		jnz	short loc_9C02B3
		mov	[eax], ecx
		push	446D7454h
		mov	[ecx+4], eax
		dec	dword ptr [edi+4Ch]
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9C027D:				; CODE XREF: TtmiSessionDeviceListWorker(x)+DCj
		mov	esi, [esi]

loc_9C027F:				; CODE XREF: TtmiSessionDeviceListWorker(x)+10j
		cmp	esi, ebx
		jnz	loc_9C016C
		xor	edx, edx
		mov	ecx, edi
		call	_TtmpCommitTerminalDisplayStateUpdateWorker@8 ;	TtmpCommitTerminalDisplayStateUpdateWorker(x,x)
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_TtmpCommitTerminalDisplayStateUpdateWorker@8 ;	TtmpCommitTerminalDisplayStateUpdateWorker(x,x)
		push	2
		pop	edx
		mov	ecx, edi
		call	_TtmpCommitTerminalDisplayStateUpdateWorker@8 ;	TtmpCommitTerminalDisplayStateUpdateWorker(x,x)
		push	3
		pop	edx
		mov	ecx, edi
		call	_TtmpCommitTerminalDisplayStateUpdateWorker@8 ;	TtmpCommitTerminalDisplayStateUpdateWorker(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9C02B3:				; CODE XREF: TtmiSessionDeviceListWorker(x)+10Dj
					; TtmiSessionDeviceListWorker(x)+111j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall TtmiSetInputWakeCapability(x, x, x,	x)
_TtmiSetInputWakeCapability@16:		; CODE XREF: TtmpDispatchSetInputWakeCapability(x)+4Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	eax, ecx
		mov	esi, edx
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_4]
		push	edi
		push	ecx
		xor	edi, edi
		mov	[ebp+var_8], eax
		mov	ecx, eax
		mov	[ebp+var_4], edi
		call	_TtmpFindDeviceByDeviceId@12 ; TtmpFindDeviceByDeviceId(x,x,x)
		test	al, al
		jnz	short loc_9C02FA
		mov	edi, 0C0000225h
		mov	edx, 533h

loc_9C02EB:				; CODE XREF: TtmiSessionDeviceListWorker(x)+1BBj
		push	edi
		push	0FFFFFFFFh
		mov	ecx, offset ??_C@_0BL@CELAKALM@TtmiSetInputWakeCapability@NNGAKEGL@ ; "TtmiSetInputWakeCapability"
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C0345
; 

loc_9C02FA:				; CODE XREF: TtmiSessionDeviceListWorker(x)+188j
		mov	ebx, [ebp+var_4]
		mov	ecx, [esi+10h]
		cmp	ecx, [ebx+238h]
		jz	short loc_9C0314
		mov	edi, 0C000000Dh
		mov	edx, 53Ch
		jmp	short loc_9C02EB
; 

loc_9C0314:				; CODE XREF: TtmiSessionDeviceListWorker(x)+1AFj
		mov	esi, [ebp+arg_4]
		push	esi
		call	_TtmiLogDeviceSetInputWakeCapability@12	; TtmiLogDeviceSetInputWakeCapability(x,x,x)
		mov	ecx, [ebp+var_8]
		shl	esi, 7
		xor	esi, [ebx+23Ch]
		and	esi, 80h
		xor	esi, [ebx+23Ch]
		or	esi, 40h
		push	1
		mov	[ebx+23Ch], esi
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)

loc_9C0345:				; CODE XREF: TtmiSessionDeviceListWorker(x)+1A1j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_TtmiSessionDeviceListWorker@4 endp


;  S U B	R O U T	I N E 


; __stdcall TtmiSetUpdateTerminalDevices(x, x)
_TtmiSetUpdateTerminalDevices@8	proc near
					; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+116p
		mov	edi, edi
		push	esi
		lea	esi, [ecx+40h]
		mov	ecx, [esi]
		jmp	short loc_9C036C
; 

loc_9C0358:				; CODE XREF: TtmiSetUpdateTerminalDevices(x,x)+20j
		mov	eax, [ecx+238h]
		cmp	eax, [edx+10h]
		jnz	short loc_9C036A
		or	dword ptr [ecx+23Ch], 40h

loc_9C036A:				; CODE XREF: TtmiSetUpdateTerminalDevices(x,x)+13j
		mov	ecx, [ecx]

loc_9C036C:				; CODE XREF: TtmiSetUpdateTerminalDevices(x,x)+8j
		cmp	ecx, esi
		jnz	short loc_9C0358
		pop	esi
		retn
_TtmiSetUpdateTerminalDevices@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpCallAssignedToTerminal(x, x)
_TtmpCallAssignedToTerminal@8 proc near	; CODE XREF: TtmiSessionDeviceListWorker(x)+9Dp

var_18		= dword	ptr -18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	edx, ecx
		push	edi
		mov	ebx, [esi+20h]
		test	ebx, ebx
		jz	short loc_9C03D4
		push	6
		pop	ecx
		push	dword ptr [esi+238h]
		xor	eax, eax
		lea	edi, [ebp+var_18]
		push	ebx
		rep stosd
		push	1
		push	esi
		lea	ecx, [ebp+var_18]
		call	_TtmpStartCallout@24 ; TtmpStartCallout(x,x,x,x,x,x)
		push	dword ptr [esi+238h]
		push	dword ptr [esi+14h]
		push	dword ptr [esi+10h]
		call	ebx
		mov	esi, eax
		lea	ecx, [ebp+var_18]
		mov	edx, esi
		call	_TtmpStopCallout@8 ; TtmpStopCallout(x,x)
		test	esi, esi
		jns	short loc_9C03D4
		push	0FFFFFFFFh
		push	esi
		mov	edx, 94Dh
		mov	ecx, offset ??_C@_0BL@HAIHHJGF@TtmpCallAssignedToTerminal@NNGAKEGL@ ; "TtmpCallAssignedToTerminal"
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)

loc_9C03D4:				; CODE XREF: TtmpCallAssignedToTerminal(x,x)+14j
					; TtmpCallAssignedToTerminal(x,x)+4Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpCallAssignedToTerminal@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpCallClose(x, x)
_TtmpCallClose@8 proc near		; CODE XREF: TtmiSessionDeviceListWorker(x)+FBp

var_18		= dword	ptr -18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	edx, ecx
		push	edi
		mov	ebx, [esi+1Ch]
		test	ebx, ebx
		jz	short loc_9C0418
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_18]
		push	eax
		push	ebx
		rep stosd
		push	2
		push	esi
		lea	ecx, [ebp+var_18]
		call	_TtmpStartCallout@24 ; TtmpStartCallout(x,x,x,x,x,x)
		push	dword ptr [esi+14h]
		push	dword ptr [esi+10h]
		call	ebx
		xor	edx, edx
		lea	ecx, [ebp+var_18]
		call	_TtmpStopCallout@8 ; TtmpStopCallout(x,x)

loc_9C0418:				; CODE XREF: TtmpCallClose(x,x)+14j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpCallClose@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpCallSetBuiltinPanelState(x, x, x)
_TtmpCallSetBuiltinPanelState@12 proc near
					; CODE XREF: TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+2Bp
					; TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+59p ...

var_1C		= dword	ptr -1Ch
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		cmp	dword ptr [edx+8], 1
		push	esi
		push	edi
		mov	esi, ecx
		jnz	short loc_9C0468
		test	byte ptr [edx+2Ch], 1
		jz	short loc_9C0468
		push	6
		pop	ecx
		push	[ebp+arg_0]
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		push	offset _PoSessionBuiltinPanelState@8 ; PoSessionBuiltinPanelState(x,x)
		push	5
		rep stosd
		push	edx
		mov	edx, esi
		lea	ecx, [ebp+var_1C]
		call	_TtmpStartCallout@24 ; TtmpStartCallout(x,x,x,x,x,x)
		push	dword ptr [esi]
		push	[ebp+arg_0]
		call	_PoSessionBuiltinPanelState@8 ;	PoSessionBuiltinPanelState(x,x)
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_TtmpStopCallout@8 ; TtmpStopCallout(x,x)

loc_9C0468:				; CODE XREF: TtmpCallSetBuiltinPanelState(x,x,x)+10j
					; TtmpCallSetBuiltinPanelState(x,x,x)+16j
		pop	edi
		pop	esi
		leave
		retn	4
_TtmpCallSetBuiltinPanelState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpCallSetDisplayState(x, x, x)
_TtmpCallSetDisplayState@12 proc near	; CODE XREF: TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+35p

var_24		= dword	ptr -24h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	esi, edx
		mov	edx, ecx
		push	edi
		mov	[ebp+var_8], edx
		mov	ebx, [esi+24h]
		test	ebx, ebx
		jz	short loc_9C04D3
		push	6
		pop	ecx
		push	[ebp+arg_0]
		xor	eax, eax
		lea	edi, [ebp+var_24]
		push	ebx
		rep stosd
		push	4
		push	esi
		lea	ecx, [ebp+var_24]
		call	_TtmpStartCallout@24 ; TtmpStartCallout(x,x,x,x,x,x)
		mov	eax, [ebp+var_8]
		push	dword ptr [eax+50h]
		push	[ebp+arg_0]
		push	dword ptr [esi+14h]
		push	dword ptr [esi+10h]
		call	ebx
		mov	esi, eax
		lea	ecx, [ebp+var_24]
		mov	edx, esi
		call	_TtmpStopCallout@8 ; TtmpStopCallout(x,x)
		test	esi, esi
		jns	short loc_9C04D3
		push	0FFFFFFFFh
		push	esi
		mov	edx, 989h
		mov	ecx, offset ??_C@_0BI@GCEDGMJO@TtmpCallSetDisplayState@NNGAKEGL@ ; "TtmpCallSetDisplayState"
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)

loc_9C04D3:				; CODE XREF: TtmpCallSetDisplayState(x,x,x)+17j
					; TtmpCallSetDisplayState(x,x,x)+51j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_TtmpCallSetDisplayState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpCallSetInputMode(x, x, x)
_TtmpCallSetInputMode@12 proc near	; CODE XREF: TtmpPushTerminalState(x,x)+88p

var_1C		= dword	ptr -1Ch
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, edx
		mov	edx, ecx
		push	edi
		mov	ebx, [esi+28h]
		test	ebx, ebx
		jz	short loc_9C0536
		push	6
		pop	ecx
		push	[ebp+arg_0]
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		push	ebx
		rep stosd
		push	3
		push	esi
		lea	ecx, [ebp+var_1C]
		call	_TtmpStartCallout@24 ; TtmpStartCallout(x,x,x,x,x,x)
		push	[ebp+arg_0]
		push	dword ptr [esi+14h]
		push	dword ptr [esi+10h]
		call	ebx
		mov	esi, eax
		lea	ecx, [ebp+var_1C]
		mov	edx, esi
		call	_TtmpStopCallout@8 ; TtmpStopCallout(x,x)
		test	esi, esi
		jns	short loc_9C0536
		push	0FFFFFFFFh
		push	esi
		mov	edx, 9C2h
		mov	ecx, offset ??_C@_0BF@JFHECOGP@TtmpCallSetInputMode@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)

loc_9C0536:				; CODE XREF: TtmpCallSetInputMode(x,x,x)+14j
					; TtmpCallSetInputMode(x,x,x)+48j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_TtmpCallSetInputMode@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpCalloutArmWatchdog(x, x, x, x)
_TtmpCalloutArmWatchdog@16 proc	near	; CODE XREF: TtmpStartCallout(x,x,x,x,x,x)+71p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	esi
		test	ecx, ecx
		jz	short loc_9C05AA
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jz	short loc_9C05AA
		mov	[ebp+var_30], eax
		xor	esi, esi
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_2C], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_20], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_1C], eax
		mov	eax, large fs:124h
		push	esi
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_4]
		push	esi
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_38]
		push	38h
		push	eax
		push	57h
		mov	[ebp+var_34], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_38], 15h
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], 1A0h
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], offset _TtmpCalloutWatchdogCallback@24 ; TtmpCalloutWatchdogCallback(x,x,x,x,x,x)
		call	NtPowerInformation

loc_9C05AA:				; CODE XREF: TtmpCalloutArmWatchdog(x,x,x,x)+Bj
					; TtmpCalloutArmWatchdog(x,x,x,x)+12j
		pop	esi
		leave
		retn	8
_TtmpCalloutArmWatchdog@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpCalloutCreateWatchdog(x)
_TtmpCalloutCreateWatchdog@4 proc near	; CODE XREF: TtmpStartCallout(x,x,x,x,x,x)+57p

var_38		= dword	ptr -38h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	esi
		mov	esi, ecx
		test	esi, esi
		jnz	short loc_9C05C5
		mov	eax, 0C000009Ah
		jmp	short loc_9C05EF
; 

loc_9C05C5:				; CODE XREF: TtmpCalloutCreateWatchdog(x)+Dj
		push	38h		; size_t
		lea	eax, [ebp+var_38]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_38], 15h
		lea	eax, [esi+0Ch]
		push	4
		push	eax
		push	38h
		lea	eax, [ebp+var_38]
		push	eax
		push	57h
		call	NtPowerInformation

loc_9C05EF:				; CODE XREF: TtmpCalloutCreateWatchdog(x)+14j
		pop	esi
		leave
		retn
_TtmpCalloutCreateWatchdog@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpCalloutDestroyWatchdog(x)
_TtmpCalloutDestroyWatchdog@4 proc near	; CODE XREF: TtmpStopCallout(x,x)+2Ap

var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_4		= byte ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	short loc_9C063B
		mov	edi, [esi+0Ch]
		test	edi, edi
		jz	short loc_9C063B
		push	38h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_38]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_38], 15h
		lea	eax, [ebp+var_38]
		mov	[ebp+var_4], 1
		mov	[ebp+var_30], edi
		mov	[esi+0Ch], ebx
		push	ebx
		push	ebx
		push	38h
		push	eax
		push	57h
		call	NtPowerInformation

loc_9C063B:				; CODE XREF: TtmpCalloutDestroyWatchdog(x)+Fj
					; TtmpCalloutDestroyWatchdog(x)+16j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpCalloutDestroyWatchdog@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpCalloutWatchdogCallback(x, x, x, x, x, x)
_TtmpCalloutWatchdogCallback@24	proc near ; DATA XREF: TtmpCalloutArmWatchdog(x,x,x,x)+61o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	4
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], 25h
		push	eax
		push	8
		lea	eax, [ebp+var_C]
		xor	esi, esi
		push	eax
		push	57h
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		call	NtPowerInformation
		test	eax, eax
		js	short loc_9C0693
		cmp	_TtmpDeviceCalloutCrashDumpEnabled, 0
		mov	ecx, [ebp+var_4]
		jz	short loc_9C0696
		test	ecx, ecx
		jnz	short loc_9C0696
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9C0693:				; CODE XREF: TtmpCalloutWatchdogCallback(x,x,x,x,x,x)+2Dj
		or	ecx, 0FFFFFFFFh	; int

loc_9C0696:				; CODE XREF: TtmpCalloutWatchdogCallback(x,x,x,x,x,x)+39j
					; TtmpCalloutWatchdogCallback(x,x,x,x,x,x)+3Dj
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_TtmiLogCalloutWatchdogCrashSkipped@24 ; TtmiLogCalloutWatchdogCrashSkipped(x,x,x,x,x,x)
		push	esi		; int
		push	offset _TtmpCalloutLiveDumpSecondaryCallback@32	; int
		push	esi		; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		push	offset ??_C@_1BI@CHIFCFNN@?$AAT?$AAT?$AAM?$AAD?$AAC?$AAa?$AAl?$AAl?$AAo?$AAu?$AAt@NNGAKEGL@ ; int
		call	_DbgkWerCaptureLiveKernelDump@36 ; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		pop	esi
		leave
		retn	18h
_TtmpCalloutWatchdogCallback@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpCommitTerminalDisplayStateUpdateWorker(x, x)
_TtmpCommitTerminalDisplayStateUpdateWorker@8 proc near
					; CODE XREF: TtmiSessionDeviceListWorker(x)+134p
					; TtmiSessionDeviceListWorker(x)+13Ep ...

var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_251		= byte ptr -251h
var_250		= dword	ptr -250h
var_248		= dword	ptr -248h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_22C		= dword	ptr -22Ch
var_224		= dword	ptr -224h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 264h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	248h		; size_t
		lea	eax, [ebp+var_250]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_258], esi
		mov	ebx, ecx
		call	_memset
		or	[ebp+var_238], 0FFFFFFFFh
		xor	eax, eax
		or	[ebp+var_240], 0FFFFFFFFh
		add	esp, 0Ch
		mov	[ebp+var_23C], eax
		mov	[ebp+var_251], al
		mov	[ebp+var_25C], eax
		lea	eax, ds:54h[esi*8]
		add	eax, ebx
		mov	[ebp+var_260], eax
		mov	edi, [eax]
		cmp	edi, eax
		jz	loc_9C0849

loc_9C0744:				; CODE XREF: TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+156j
		mov	edx, [edi+18h]
		lea	eax, [ebp+var_25C]
		push	eax
		mov	ecx, ebx
		call	_TtmpFindDeviceByDeviceId@12 ; TtmpFindDeviceByDeviceId(x,x,x)
		test	al, al
		jnz	short loc_9C0774
		push	0FFFFFFFFh
		push	0C0000225h
		mov	edx, 0BA6h
		mov	ecx, offset ??_C@_0CL@EACOCOHK@TtmpCommitTerminalDisplayStateU@NNGAKEGL@ ; "TtmpCommitTerminalDisplayStateUpdateWor"...
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	loc_9C0801
; 

loc_9C0774:				; CODE XREF: TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+86j
		mov	eax, [ebp+var_22C]
		mov	esi, [ebp+var_25C]
		test	eax, eax
		jnz	short loc_9C07AF
		cmp	dword ptr [esi+24h], 0
		jz	short loc_9C07AF
		mov	eax, [esi+8]
		mov	cl, 1
		mov	[ebp+var_248], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_224], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_22C], eax
		mov	[ebp+var_251], cl
		jmp	short loc_9C07B5
; 

loc_9C07AF:				; CODE XREF: TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+B1j
					; TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+B7j
		mov	cl, [ebp+var_251]

loc_9C07B5:				; CODE XREF: TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+DCj
		test	cl, cl
		jz	short loc_9C07F2
		mov	ecx, [esi+24h]
		test	ecx, ecx
		jz	short loc_9C07F2
		cmp	ecx, eax
		jz	short loc_9C07F2
		push	[ebp+var_258]
		lea	edx, [ebp+var_250]
		mov	ecx, ebx
		call	_TtmpPushTerminalDisplayStateOntoDevice@12 ; TtmpPushTerminalDisplayStateOntoDevice(x,x,x)
		mov	eax, [esi+8]
		mov	[ebp+var_248], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_224], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_22C], eax

loc_9C07F2:				; CODE XREF: TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+E6j
					; TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+EDj ...
		push	[ebp+var_258]
		mov	edx, esi
		mov	ecx, ebx
		call	_TtmpPushTerminalDisplayStateOntoDevice@12 ; TtmpPushTerminalDisplayStateOntoDevice(x,x,x)

loc_9C0801:				; CODE XREF: TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+9Ej
		mov	eax, [edi]
		mov	esi, [edi+4]
		cmp	[eax+4], edi
		jnz	short loc_9C0858
		cmp	[esi], edi
		jnz	short loc_9C0858
		push	446D7454h
		mov	[esi], eax
		push	edi
		mov	[eax+4], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [esi]
		cmp	edi, [ebp+var_260]
		jnz	loc_9C0744
		cmp	[ebp+var_251], 0
		jz	short loc_9C0849
		push	[ebp+var_258]
		lea	edx, [ebp+var_250]
		mov	ecx, ebx
		call	_TtmpPushTerminalDisplayStateOntoDevice@12 ; TtmpPushTerminalDisplayStateOntoDevice(x,x,x)

loc_9C0849:				; CODE XREF: TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+6Dj
					; TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+163j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_9C0858:				; CODE XREF: TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+138j
					; TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+13Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_TtmpCommitTerminalDisplayStateUpdateWorker@8 endp ; AL	= character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpFindDeviceByDeviceId(x,	x, x)
_TtmpFindDeviceByDeviceId@12 proc near	; CODE XREF: TtmiAssignDevice(x,x,x)+1Bp
					; TtmiSessionDeviceListWorker(x)+181p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		add	ecx, 40h
		mov	eax, [ecx]
		jmp	short loc_9C0873
; 

loc_9C086C:				; CODE XREF: TtmpFindDeviceByDeviceId(x,x,x)+18j
		cmp	[eax+18h], edx
		jz	short loc_9C0879
		mov	eax, [eax]

loc_9C0873:				; CODE XREF: TtmpFindDeviceByDeviceId(x,x,x)+Dj
		cmp	eax, ecx
		jnz	short loc_9C086C
		jmp	short loc_9C087B
; 

loc_9C0879:				; CODE XREF: TtmpFindDeviceByDeviceId(x,x,x)+12j
		mov	esi, eax

loc_9C087B:				; CODE XREF: TtmpFindDeviceByDeviceId(x,x,x)+1Aj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_9C0884
		mov	[eax], esi

loc_9C0884:				; CODE XREF: TtmpFindDeviceByDeviceId(x,x,x)+23j
		test	esi, esi
		pop	esi
		setnz	al
		pop	ebp
		retn	4
_TtmpFindDeviceByDeviceId@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpFindDeviceByToken(x, x,	x, x, x)
_TtmpFindDeviceByToken@20 proc near	; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+B1p
					; TtmNotifyDeviceDeparture(x,x,x)+48p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		lea	edi, [ecx+40h]
		xor	esi, esi
		mov	ecx, [edi]
		jmp	short loc_9C08B5
; 

loc_9C089E:				; CODE XREF: TtmpFindDeviceByToken(x,x,x,x,x)+29j
		cmp	[ecx+8], edx
		jnz	short loc_9C08B3
		mov	eax, [ecx+10h]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_9C08B3
		mov	eax, [ecx+14h]
		cmp	eax, [ebp+arg_4]
		jz	short loc_9C08BB

loc_9C08B3:				; CODE XREF: TtmpFindDeviceByToken(x,x,x,x,x)+13j
					; TtmpFindDeviceByToken(x,x,x,x,x)+1Bj
		mov	ecx, [ecx]

loc_9C08B5:				; CODE XREF: TtmpFindDeviceByToken(x,x,x,x,x)+Ej
		cmp	ecx, edi
		jnz	short loc_9C089E
		jmp	short loc_9C08BD
; 

loc_9C08BB:				; CODE XREF: TtmpFindDeviceByToken(x,x,x,x,x)+23j
		mov	esi, ecx

loc_9C08BD:				; CODE XREF: TtmpFindDeviceByToken(x,x,x,x,x)+2Bj
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_9C08C6
		mov	[eax], esi

loc_9C08C6:				; CODE XREF: TtmpFindDeviceByToken(x,x,x,x,x)+34j
		test	esi, esi
		pop	edi
		setnz	al
		pop	esi
		pop	ebp
		retn	0Ch
_TtmpFindDeviceByToken@20 endp


;  S U B	R O U T	I N E 


; __stdcall TtmpGetCalloutTagFromCalloutType(x)
_TtmpGetCalloutTagFromCalloutType@4 proc near ;	CODE XREF: TtmpStartCallout(x,x,x,x,x,x)+8Bp
					; TtmpStopCallout(x,x)+3Dp
		sub	ecx, 1
		jz	short loc_9C0913
		sub	ecx, 1
		jz	short loc_9C090D
		sub	ecx, 1
		jz	short loc_9C0907
		sub	ecx, 1
		jz	short loc_9C0901
		sub	ecx, 1
		jz	short loc_9C08FB
		sub	ecx, 1
		jz	short loc_9C08F5
		mov	eax, 72724543h
		retn
; 

loc_9C08F5:				; CODE XREF: TtmpGetCalloutTagFromCalloutType(x)+1Cj
		mov	eax, 57445053h
		retn
; 

loc_9C08FB:				; CODE XREF: TtmpGetCalloutTagFromCalloutType(x)+17j
		mov	eax, 53504253h
		retn
; 

loc_9C0901:				; CODE XREF: TtmpGetCalloutTagFromCalloutType(x)+12j
		mov	eax, 53736944h
		retn
; 

loc_9C0907:				; CODE XREF: TtmpGetCalloutTagFromCalloutType(x)+Dj
		mov	eax, 4D706E49h
		retn
; 

loc_9C090D:				; CODE XREF: TtmpGetCalloutTagFromCalloutType(x)+8j
		mov	eax, 736F6C43h
		retn
; 

loc_9C0913:				; CODE XREF: TtmpGetCalloutTagFromCalloutType(x)+3j
		mov	eax, 6D726554h
		retn
_TtmpGetCalloutTagFromCalloutType@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpGetConfigOverride(x, x,	x)
_TtmpGetConfigOverride@12 proc near	; CODE XREF: TtmpInitializeWatchdogTimeouts()+1Bp
					; TtmpInitializeWatchdogTimeouts()+3Ep

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	[ebp+var_1C], eax
		lea	edi, [ebp+var_18]
		mov	[ebp+var_20], eax
		mov	esi, edx
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		stosd
		push	offset aRegistryMach_5 ; "\\Registry\\Machine\\SYSTEM\\CurrentControl"...
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_28]
		mov	[ebp+var_48], 18h
		mov	[ebp+var_40], eax
		xor	edi, edi
		lea	eax, [ebp+var_48]
		mov	[ebp+var_44], edi
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_3C], 240h
		push	eax
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_9C09D6
		push	esi
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_20]
		push	eax
		push	10h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		push	[ebp+var_1C]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_9C09D6
		cmp	[ebp+var_14], 4
		jnz	short loc_9C09D6
		cmp	[ebp+var_10], 4
		jnz	short loc_9C09D6
		mov	eax, [ebp+var_C]
		mov	[ebx], eax
		mov	al, 1
		jmp	short loc_9C09DA
; 

loc_9C09D6:				; CODE XREF: TtmpGetConfigOverride(x,x,x)+76j
					; TtmpGetConfigOverride(x,x,x)+A6j ...
		mov	[ebx], edi
		xor	al, al

loc_9C09DA:				; CODE XREF: TtmpGetConfigOverride(x,x,x)+BBj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmpGetConfigOverride@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpInitializeWatchdogTimeouts()
_TtmpInitializeWatchdogTimeouts@0 proc near ; CODE XREF: TtmpStartCallout(x,x,x,x,x,x)+19p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi

loc_9C09FC:				; CODE XREF: TtmpInitializeWatchdogTimeouts()+33j
		mov	edx, off_6B3644[esi]
		lea	eax, [ebp+var_4]
		push	eax
		call	_TtmpGetConfigOverride@12 ; TtmpGetConfigOverride(x,x,x)
		cmp	al, 1
		jnz	short loc_9C0A18
		mov	eax, [ebp+var_4]
		mov	dword_6B3648[esi], eax

loc_9C0A18:				; CODE XREF: TtmpInitializeWatchdogTimeouts()+22j
		add	esi, 0Ch
		cmp	esi, 48h
		jb	short loc_9C09FC
		lea	eax, [ebp+var_8]
		mov	edx, offset aTtmdevicecallo ; "TtmDeviceCalloutCrashEnabled"
		push	eax
		call	_TtmpGetConfigOverride@12 ; TtmpGetConfigOverride(x,x,x)
		cmp	al, 1
		jnz	short loc_9C0A3D
		cmp	[ebp+var_8], 0
		jz	short loc_9C0A3D
		mov	_TtmpDeviceCalloutCrashDumpEnabled, al

loc_9C0A3D:				; CODE XREF: TtmpInitializeWatchdogTimeouts()+45j
					; TtmpInitializeWatchdogTimeouts()+4Bj
		mov	al, 1
		pop	esi
		leave
		retn
_TtmpInitializeWatchdogTimeouts@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpPublishDeviceEvent(x, x, x, x)
_TtmpPublishDeviceEvent@16 proc	near	; CODE XREF: TtmiAssignDevice(x,x,x)+53p
					; TtmiPublishDeviceEnumerationEvents(x,x)+27p ...

var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 22Ch
		push	ebx
		push	esi
		push	edi
		push	218h		; size_t
		xor	ebx, ebx
		mov	[ebp+var_8], edx
		lea	eax, [ebp+var_224]
		mov	esi, ecx
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_4], esi
		call	_memset
		mov	edi, [ebp+arg_4]
		add	esp, 0Ch
		mov	[ebp+var_228], edi
		test	edi, edi
		jz	short loc_9C0AC4
		cmp	edi, 3
		jz	short loc_9C0AC4
		cmp	edi, 4
		jnz	short loc_9C0AA8
		mov	edx, [ebp+arg_0]
		mov	ecx, [edx+18h]
		mov	edx, [edx+238h]
		mov	[ebp+var_224], ecx
		mov	[ebp+var_220], edx
		call	_TtmiLogDeviceAssignedTerminalEvent@8 ;	TtmiLogDeviceAssignedTerminalEvent(x,x)
		jmp	loc_9C0B36
; 

loc_9C0AA8:				; CODE XREF: TtmpPublishDeviceEvent(x,x,x,x)+42j
		cmp	edi, 5
		jnz	loc_9C0B36
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+18h]
		mov	[ebp+var_224], ecx
		call	_TtmiLogDeviceDepartedTerminalEvent@4 ;	TtmiLogDeviceDepartedTerminalEvent(x)
		jmp	short loc_9C0B36
; 

loc_9C0AC4:				; CODE XREF: TtmpPublishDeviceEvent(x,x,x,x)+38j
					; TtmpPublishDeviceEvent(x,x,x,x)+3Dj
		mov	esi, [ebp+arg_0]
		lea	ecx, [ebp+var_214]
		mov	edx, 104h
		mov	eax, [esi+18h]
		mov	[ebp+var_224], eax
		mov	eax, [esi+238h]
		mov	[ebp+var_220], eax
		mov	eax, [esi+8]
		mov	[ebp+var_21C], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_218], eax
		lea	eax, [esi+30h]
		push	eax
		call	RtlStringCchCopyW
		mov	eax, [esi+238h]
		mov	ecx, [esi+2Ch]
		mov	edx, [esi+8]
		mov	[ebp+arg_0], eax
		mov	eax, [esi+18h]
		mov	[ebp+arg_4], eax
		lea	eax, [esi+30h]
		push	eax
		push	ecx
		mov	ecx, [ebp+arg_4]
		push	edx
		mov	edx, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_9C0B2E
		call	_TtmiLogDeviceEnumeratedTerminalEvent@20 ; TtmiLogDeviceEnumeratedTerminalEvent(x,x,x,x,x)
		jmp	short loc_9C0B33
; 

loc_9C0B2E:				; CODE XREF: TtmpPublishDeviceEvent(x,x,x,x)+E3j
		call	_TtmiLogDeviceArrivedTerminalEvent@20 ;	TtmiLogDeviceArrivedTerminalEvent(x,x,x,x,x)

loc_9C0B33:				; CODE XREF: TtmpPublishDeviceEvent(x,x,x,x)+EAj
		mov	esi, [ebp+var_4]

loc_9C0B36:				; CODE XREF: TtmpPublishDeviceEvent(x,x,x,x)+61j
					; TtmpPublishDeviceEvent(x,x,x,x)+69j ...
		mov	eax, [ebp+var_8]
		lea	edx, [ebp+var_228]
		test	eax, eax
		jz	short loc_9C0B4E
		mov	ecx, eax
		call	_TtmiWriteEventToSingleQueue@8 ; TtmiWriteEventToSingleQueue(x,x)
		mov	ebx, eax
		jmp	short loc_9C0B55
; 

loc_9C0B4E:				; CODE XREF: TtmpPublishDeviceEvent(x,x,x,x)+FFj
		mov	ecx, esi
		call	_TtmiWriteEventToAllQueues@8 ; TtmiWriteEventToAllQueues(x,x)

loc_9C0B55:				; CODE XREF: TtmpPublishDeviceEvent(x,x,x,x)+10Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_TtmpPublishDeviceEvent@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpPushTerminalDisplayStateOntoDevice(x, x, x)
_TtmpPushTerminalDisplayStateOntoDevice@12 proc	near
					; CODE XREF: TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+101p
					; TtmpCommitTerminalDisplayStateUpdateWorker(x,x)+12Bp	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		xor	eax, eax
		push	edi
		mov	ebx, ecx
		cmp	[esi+24h], eax
		jz	short loc_9C0BE0
		cmp	dword ptr [esi+10h], 0FFFFFFFFh
		mov	edi, [ebp+arg_0]
		jnz	short loc_9C0B7F
		cmp	[esi+14h], eax
		jz	short loc_9C0B8E

loc_9C0B7F:				; CODE XREF: TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+1Aj
		test	edi, edi
		jz	short loc_9C0B88
		cmp	edi, 1
		jnz	short loc_9C0B8E

loc_9C0B88:				; CODE XREF: TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+23j
		push	eax
		call	_TtmpCallSetBuiltinPanelState@12 ; TtmpCallSetBuiltinPanelState(x,x,x)

loc_9C0B8E:				; CODE XREF: TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+1Fj
					; TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+28j
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_TtmpCallSetDisplayState@12 ; TtmpCallSetDisplayState(x,x,x)
		cmp	dword ptr [esi+10h], 0FFFFFFFFh
		jnz	short loc_9C0BAA
		cmp	dword ptr [esi+14h], 0
		jnz	short loc_9C0BAA
		lock inc dword ptr [ebx+50h]
		jmp	short loc_9C0BE0
; 

loc_9C0BAA:				; CODE XREF: TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+3Ej
					; TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+44j
		push	2
		pop	edi
		cmp	[ebp+arg_0], edi
		jnz	short loc_9C0BBE
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_TtmpCallSetBuiltinPanelState@12 ; TtmpCallSetBuiltinPanelState(x,x,x)
		jmp	short loc_9C0BD6
; 

loc_9C0BBE:				; CODE XREF: TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+52j
		cmp	[ebp+arg_0], 3
		jnz	short loc_9C0BD4
		push	1
		mov	edx, esi
		mov	ecx, ebx
		call	_TtmpCallSetBuiltinPanelState@12 ; TtmpCallSetBuiltinPanelState(x,x,x)
		xor	edi, edi
		inc	edi
		jmp	short loc_9C0BD6
; 

loc_9C0BD4:				; CODE XREF: TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+64j
		xor	edi, edi

loc_9C0BD6:				; CODE XREF: TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+5Ej
					; TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+74j
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_TtmpUpdatePrimaryDisplayWnf@12	; TtmpUpdatePrimaryDisplayWnf(x,x,x)

loc_9C0BE0:				; CODE XREF: TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+11j
					; TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+4Aj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_TtmpPushTerminalDisplayStateOntoDevice@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpPushTerminalState(x, x)
_TtmpPushTerminalState@8 proc near	; CODE XREF: TtmiSessionDeviceListWorker(x)+BDp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], ebx
		mov	eax, [esi+238h]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9C0C74
		push	eax
		mov	edx, edi
		lea	ecx, [ebp+var_4]
		call	_TtmiGetTerminalById@12	; TtmiGetTerminalById(x,x,x)
		test	eax, eax
		jns	short loc_9C0C27
		push	0FFFFFFFFh
		push	eax
		mov	edx, 0C67h
		mov	ecx, offset ??_C@_0BG@BFKCPEJA@TtmpPushTerminalState@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C0C74
; 

loc_9C0C27:				; CODE XREF: TtmpPushTerminalState(x,x)+2Aj
		test	byte ptr [edi+4], 8
		mov	eax, [ebp+var_4]
		mov	eax, [eax+0BCh]
		jnz	short loc_9C0C44
		cmp	eax, 3
		jz	short loc_9C0C40
		cmp	eax, 2
		jnz	short loc_9C0C44

loc_9C0C40:				; CODE XREF: TtmpPushTerminalState(x,x)+52j
		mov	bl, 1
		jmp	short loc_9C0C74
; 

loc_9C0C44:				; CODE XREF: TtmpPushTerminalState(x,x)+4Dj
					; TtmpPushTerminalState(x,x)+57j
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_TtmpQueueTerminalDisplayStateOntoDevice@12 ; TtmpQueueTerminalDisplayStateOntoDevice(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+24h]
		cmp	eax, 2
		jnz	short loc_9C0C65
		test	byte ptr [esi+23Ch], 80h
		jnz	short loc_9C0C65
		xor	eax, eax
		inc	eax

loc_9C0C65:				; CODE XREF: TtmpPushTerminalState(x,x)+70j
					; TtmpPushTerminalState(x,x)+79j
		cmp	[esi+28h], ebx
		jz	short loc_9C0C74
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_TtmpCallSetInputMode@12 ; TtmpCallSetInputMode(x,x,x)

loc_9C0C74:				; CODE XREF: TtmpPushTerminalState(x,x)+1Bj
					; TtmpPushTerminalState(x,x)+3Ej ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_TtmpPushTerminalState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpQueueTerminalDisplayStateOntoDevice(x, x, x)
_TtmpQueueTerminalDisplayStateOntoDevice@12 proc near
					; CODE XREF: TtmpPushTerminalState(x,x)+62p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edx, [ebx+24h]
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	loc_9C0D42
		mov	eax, [ebp+arg_0]
		lea	ecx, [ecx+eax*8]
		add	ecx, 54h
		mov	esi, [ecx]
		cmp	esi, ecx
		jz	short loc_9C0CE9
		mov	eax, [ebx+14h]
		mov	edi, [ebx+10h]
		mov	[ebp+arg_0], eax

loc_9C0CAC:				; CODE XREF: TtmpQueueTerminalDisplayStateOntoDevice(x,x,x)+4Fj
		cmp	[esi+10h], edi
		jnz	short loc_9C0CC1
		mov	eax, [esi+14h]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_9C0CC1
		mov	eax, [esi+18h]
		cmp	eax, [ebx+18h]
		jz	short loc_9C0CCE

loc_9C0CC1:				; CODE XREF: TtmpQueueTerminalDisplayStateOntoDevice(x,x,x)+34j
					; TtmpQueueTerminalDisplayStateOntoDevice(x,x,x)+3Cj
		cmp	[esi+8], edx
		jnb	short loc_9C0CE6
		mov	esi, [esi]
		cmp	esi, ecx
		jnz	short loc_9C0CAC
		jmp	short loc_9C0CE9
; 

loc_9C0CCE:				; CODE XREF: TtmpQueueTerminalDisplayStateOntoDevice(x,x,x)+44j
		push	0FFFFFFFFh
		push	0C000022Ah
		mov	edx, 0B2Eh

loc_9C0CDA:				; CODE XREF: TtmpQueueTerminalDisplayStateOntoDevice(x,x,x)+8Ej
		mov	ecx, offset ??_C@_0CI@EOPJHCKE@TtmpQueueTerminalDisplayStateOn@NNGAKEGL@ ; "TtmpQueueTerminalDisplayStateOntoDevice"...
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C0D42
; 

loc_9C0CE6:				; CODE XREF: TtmpQueueTerminalDisplayStateOntoDevice(x,x,x)+49j
		mov	esi, [esi+4]

loc_9C0CE9:				; CODE XREF: TtmpQueueTerminalDisplayStateOntoDevice(x,x,x)+26j
					; TtmpQueueTerminalDisplayStateOntoDevice(x,x,x)+51j
		push	446D7454h
		push	20h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_9C0D0B
		push	0FFFFFFFFh
		push	0C000009Ah
		mov	edx, 0B51h
		jmp	short loc_9C0CDA
; 

loc_9C0D0B:				; CODE XREF: TtmpQueueTerminalDisplayStateOntoDevice(x,x,x)+80j
		xor	eax, eax
		mov	edi, edx
		push	8
		pop	ecx
		rep stosd
		mov	eax, [ebp+var_4]
		mov	[edx+8], eax
		mov	eax, [ebx+10h]
		mov	[edx+10h], eax
		mov	eax, [ebx+14h]
		mov	[edx+14h], eax
		mov	eax, [ebx+18h]
		mov	[edx+18h], eax
		mov	eax, [esi]
		cmp	[eax+4], esi
		jz	short loc_9C0D38
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9C0D38:				; CODE XREF: TtmpQueueTerminalDisplayStateOntoDevice(x,x,x)+B6j
		mov	[edx], eax
		mov	[edx+4], esi
		mov	[eax+4], edx
		mov	[esi], edx

loc_9C0D42:				; CODE XREF: TtmpQueueTerminalDisplayStateOntoDevice(x,x,x)+13j
					; TtmpQueueTerminalDisplayStateOntoDevice(x,x,x)+69j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_TtmpQueueTerminalDisplayStateOntoDevice@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpStartCallout(x,	x, x, x, x, x)
_TtmpStartCallout@24 proc near		; CODE XREF: TtmpCallAssignedToTerminal(x,x)+2Dp
					; TtmpCallClose(x,x)+28p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	_TtmpDeviceCalloutTimeoutsSet, 0
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		mov	[ebp+var_4], ebx
		jnz	short loc_9C0D6C
		call	_TtmpInitializeWatchdogTimeouts@0 ; TtmpInitializeWatchdogTimeouts()
		mov	_TtmpDeviceCalloutTimeoutsSet, al

loc_9C0D6C:				; CODE XREF: TtmpStartCallout(x,x,x,x,x,x)+17j
		mov	edx, [ebp+arg_4]
		mov	eax, offset _TtmpDeviceWatchdogTimeouts
		mov	[esi], ebx
		xor	ecx, ecx
		mov	ebx, [ebp+arg_0]
		mov	[esi+4], ebx
		mov	[esi+8], edx

loc_9C0D81:				; CODE XREF: TtmpStartCallout(x,x,x,x,x,x)+45j
		cmp	[eax], edx
		jz	short loc_9C0D97
		add	ecx, 0Ch
		add	eax, 0Ch
		cmp	ecx, 48h
		jb	short loc_9C0D81
		mov	edi, 7530h
		jmp	short loc_9C0D9A
; 

loc_9C0D97:				; CODE XREF: TtmpStartCallout(x,x,x,x,x,x)+3Aj
		mov	edi, [eax+8]

loc_9C0D9A:				; CODE XREF: TtmpStartCallout(x,x,x,x,x,x)+4Cj
		test	edi, edi
		jz	short loc_9C0DBF
		mov	ecx, esi
		call	_TtmpCalloutCreateWatchdog@4 ; TtmpCalloutCreateWatchdog(x)
		test	eax, eax
		js	short loc_9C0DBF
		cmp	dword ptr [esi+0Ch], 0
		jz	short loc_9C0DBF
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	[ebp+arg_8]
		push	edi
		mov	edx, [edx]
		call	_TtmpCalloutArmWatchdog@16 ; TtmpCalloutArmWatchdog(x,x,x,x)

loc_9C0DBF:				; CODE XREF: TtmpStartCallout(x,x,x,x,x,x)+53j
					; TtmpStartCallout(x,x,x,x,x,x)+5Ej ...
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_4]
		call	_TtmpGetCalloutTagFromCalloutType@4 ; TtmpGetCalloutTagFromCalloutType(x)
		push	dword ptr [ebx+14h]
		mov	ecx, [ebx+8]
		mov	edx, eax
		push	dword ptr [ebx+10h]
		call	_TtmiLogCalloutStart@20	; TtmiLogCalloutStart(x,x,x,x,x)
		call	KeQueryInterruptTime
		pop	edi
		mov	[esi+10h], eax
		mov	[esi+14h], edx
		pop	esi
		pop	ebx
		leave
		retn	10h
_TtmpStartCallout@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpStopCallout(x, x)
_TtmpStopCallout@8 proc	near		; CODE XREF: TtmpCallAssignedToTerminal(x,x)+47p
					; TtmpCallClose(x,x)+3Ap ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	edi, ecx
		call	KeQueryInterruptTime
		mov	ebx, eax
		mov	eax, edx
		sub	ebx, [edi+10h]
		sbb	eax, [edi+14h]
		cmp	dword ptr [edi+0Ch], 0
		mov	[ebp+var_4], eax
		jz	short loc_9C0E2D
		mov	ecx, edi
		call	_TtmpCalloutDestroyWatchdog@4 ;	TtmpCalloutDestroyWatchdog(x)
		mov	eax, [ebp+var_4]

loc_9C0E2D:				; CODE XREF: TtmpStopCallout(x,x)+26j
		mov	ecx, [edi+8]
		mov	esi, [edi+4]
		push	eax
		push	ebx
		push	[ebp+var_8]
		call	_TtmpGetCalloutTagFromCalloutType@4 ; TtmpGetCalloutTagFromCalloutType(x)
		mov	edx, [esi+2Ch]
		mov	ecx, [esi+8]
		push	eax
		push	dword ptr [esi+14h]
		push	dword ptr [esi+10h]
		call	_TtmiLogCalloutStop@32 ; TtmiLogCalloutStop(x,x,x,x,x,x,x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _TtmpSessionLock
		call	ExAcquireResourceExclusiveLite
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpStopCallout@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpUpdatePrimaryDisplayWnf(x, x, x)
_TtmpUpdatePrimaryDisplayWnf@12	proc near
					; CODE XREF: TtmpPushTerminalDisplayStateOntoDevice(x,x,x)+7Dp

var_1C		= dword	ptr -1Ch
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		cmp	dword ptr [edx+8], 1
		push	esi
		push	edi
		mov	esi, ecx
		jnz	short loc_9C0EC5
		test	byte ptr [edx+2Ch], 1
		jz	short loc_9C0EC5
		push	6
		pop	ecx
		push	[ebp+arg_0]
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		push	offset _ZwUpdateWnfStateData@28	; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		push	6
		rep stosd
		push	edx
		mov	edx, esi
		lea	ecx, [ebp+var_1C]
		call	_TtmpStartCallout@24 ; TtmpStartCallout(x,x,x,x,x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	4
		lea	eax, [ebp+arg_0]
		push	eax
		push	offset _WNF_PO_PRIMARY_DISPLAY_VISIBLE_STATE
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_TtmpStopCallout@8 ; TtmpStopCallout(x,x)

loc_9C0EC5:				; CODE XREF: TtmpUpdatePrimaryDisplayWnf(x,x,x)+10j
					; TtmpUpdatePrimaryDisplayWnf(x,x,x)+16j
		pop	edi
		pop	esi
		leave
		retn	4
_TtmpUpdatePrimaryDisplayWnf@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiCreateTerminal(x, x, x,	x, x, x)
_TtmiCreateTerminal@24 proc near	; CODE XREF: TtmInitCurrentSession()+133p
					; TtmpDispatchCreateTerminal(x,x)+67p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_10], edx
		push	edi
		mov	[eax], ebx
		mov	edi, ecx
		mov	eax, [ebp+arg_8]
		push	ebx
		push	1
		mov	[ebp+var_4], edi
		or	dword ptr [eax], 0FFFFFFFFh
		lea	eax, [edi+28h]
		push	eax
		mov	[ebp+var_8], ebx
		call	RtlFindClearBitsAndSet
		mov	esi, eax
		mov	[ebp+var_C], esi
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_9C0F30
		mov	ebx, 0C0000044h
		mov	edx, 643h
		push	ebx
		push	eax
		mov	ecx, (offset loc_8BDE74+4)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		mov	edx, 245h

loc_9C0F1F:				; CODE XREF: TtmiCreateTerminal(x,x,x,x,x,x)+C6j
		push	ebx
		push	ebx
		mov	ecx, offset ??_C@_0BD@GLEDGKEL@TtmiCreateTerminal@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	loc_9C10C6
; 

loc_9C0F30:				; CODE XREF: TtmiCreateTerminal(x,x,x,x,x,x)+37j
		mov	eax, 200h
		cmp	byte ptr [ebp+arg_0], bl
		jz	short loc_9C0F3C
		mov	eax, ebx

loc_9C0F3C:				; CODE XREF: TtmiCreateTerminal(x,x,x,x,x,x)+6Dj
		mov	edx, ds:_TtmpTerminalObjectType
		push	ebx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	ebx
		push	0C8h
		push	ecx
		push	[ebp+arg_0]
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], ebx
		push	eax
		xor	cl, cl
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_28], 18h
		call	ObCreateObjectEx
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_9C0F93
		mov	edx, esi
		and	esi, 7
		shr	edx, 3
		add	edx, [edi+2Ch]
		movsx	ecx, byte ptr [edx]
		btr	ecx, esi
		mov	[edx], cl
		mov	edx, 266h
		jmp	short loc_9C0F1F
; 

loc_9C0F93:				; CODE XREF: TtmiCreateTerminal(x,x,x,x,x,x)+ACj
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		push	0C8h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ebx, [ebp+var_C]
		add	esp, 0Ch
		mov	dword ptr [edi+0Ch], 546D7454h
		mov	[edi+10h], esi
		push	2
		pop	esi
		push	3
		pop	eax
		test	ebx, ebx
		jnz	short loc_9C0FED
		mov	[edi+1Ch], eax
		mov	[edi+0BCh], eax
		and	[edi+24h], ebx
		or	dword ptr [edi+18h], 10h
		call	KeQueryInterruptTime
		mov	ecx, [ebp+var_4]
		mov	[edi+40h], eax
		mov	[edi+44h], edx
		mov	dl, 1
		push	1Ah
		call	_TtmiUpdateActiveTerminalCount@12 ; TtmiUpdateActiveTerminalCount(x,x,x)
		jmp	short loc_9C1007
; 

loc_9C0FED:				; CODE XREF: TtmiCreateTerminal(x,x,x,x,x,x)+F7j
		xor	eax, eax
		inc	eax
		mov	[edi+1Ch], eax
		mov	[edi+0BCh], eax
		mov	[edi+24h], esi
		mov	dword ptr [edi+38h], 11E1A300h
		and	dword ptr [edi+3Ch], 0

loc_9C1007:				; CODE XREF: TtmiCreateTerminal(x,x,x,x,x,x)+120j
		push	0
		lea	eax, [edi+48h]
		push	eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	edi
		push	offset _TtmpScheduledEvaluationDpc@16 ;	TtmpScheduledEvaluationDpc(x,x,x,x)
		lea	eax, [edi+70h]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		and	dword ptr [edi+90h], 0
		mov	eax, [ebp+var_4]
		mov	dword ptr [edi+98h], offset _TtmpScheduledEvaluationWorker@4 ; TtmpScheduledEvaluationWorker(x)
		mov	[edi+9Ch], edi
		lock inc dword ptr [eax+8]
		mov	[edi+8], eax
		add	eax, 20h
		mov	edx, [eax+4]
		cmp	[edx], eax
		jz	short loc_9C1051
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9C1051:				; CODE XREF: TtmiCreateTerminal(x,x,x,x,x,x)+17Fj
		mov	[edi+4], edx
		mov	ecx, edi
		mov	[edi], eax
		mov	[edx], edi
		mov	edx, ebx
		mov	[eax+4], edi
		call	_TtmiLogTerminalCreated@8 ; TtmiLogTerminalCreated(x,x)
		push	[ebp+arg_4]
		xor	edx, edx
		mov	ecx, edi
		push	0
		push	0
		push	1
		push	[ebp+var_10]
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_9C10AA
		push	ebx
		push	ebx
		mov	edx, 2C1h
		mov	ecx, offset ??_C@_0BD@GLEDGKEL@TtmiCreateTerminal@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		mov	ecx, [ebp+var_4]
		or	dword ptr [edi+18h], 1
		push	esi
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)
		push	0
		push	0
		mov	ecx, edi
		call	_TtmpResetEvaluationTimer@12 ; TtmpResetEvaluationTimer(x,x,x)
		jmp	short loc_9C10C6
; 

loc_9C10AA:				; CODE XREF: TtmiCreateTerminal(x,x,x,x,x,x)+1B2j
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+var_C]
		mov	[ecx], eax
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_9C10BD
		mov	[eax], edi
		jmp	short loc_9C10C4
; 

loc_9C10BD:				; CODE XREF: TtmiCreateTerminal(x,x,x,x,x,x)+1ECj
		mov	ecx, edi
		call	ObfDereferenceObject

loc_9C10C4:				; CODE XREF: TtmiCreateTerminal(x,x,x,x,x,x)+1F0j
		xor	ebx, ebx

loc_9C10C6:				; CODE XREF: TtmiCreateTerminal(x,x,x,x,x,x)+60j
					; TtmiCreateTerminal(x,x,x,x,x,x)+1DDj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
_TtmiCreateTerminal@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiGetTerminalById(x, x, x)
_TtmiGetTerminalById@12	proc near	; CODE XREF: TtmNotifyDeviceInput(x,x,x,x)+B5p
					; TtmpPushTerminalState(x,x)+23p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		add	edx, 20h
		push	esi
		xor	esi, esi
		mov	eax, [edx]
		cmp	eax, edx
		jz	short loc_9C10F4
		push	edi
		mov	edi, [ebp+arg_0]

loc_9C10E4:				; CODE XREF: TtmiGetTerminalById(x,x,x)+22j
		mov	esi, eax
		cmp	[eax+10h], edi
		jz	short loc_9C10F3
		mov	eax, [eax]
		xor	esi, esi
		cmp	eax, edx
		jnz	short loc_9C10E4

loc_9C10F3:				; CODE XREF: TtmiGetTerminalById(x,x,x)+1Aj
		pop	edi

loc_9C10F4:				; CODE XREF: TtmiGetTerminalById(x,x,x)+Fj
		mov	eax, esi
		mov	[ecx], esi
		neg	eax
		pop	esi
		sbb	eax, eax
		and	eax, 3FFFFDDBh
		add	eax, 0C0000225h
		pop	ebp
		retn	4
_TtmiGetTerminalById@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiOpenDefaultTerminal(x, x, x, x)
_TtmiOpenDefaultTerminal@16 proc near	; CODE XREF: TtmpDispatchOpenTerminal(x,x)+52p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_TtmpTerminalObjectType
		mov	ecx, [ecx+18h]
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	ebx, edx
		push	esi
		lea	edx, [ebp+var_4]
		mov	[ebp+var_4], esi
		push	edx
		push	esi
		push	eax
		push	ebx
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C1141
		mov	edx, 314h
		jmp	short loc_9C1178
; 

loc_9C1141:				; CODE XREF: TtmiOpenDefaultTerminal(x,x,x,x)+2Dj
		cmp	byte ptr [ebp+arg_0], 0
		jnz	short loc_9C114E
		mov	eax, 200h
		jmp	short loc_9C1150
; 

loc_9C114E:				; CODE XREF: TtmiOpenDefaultTerminal(x,x,x,x)+3Aj
		xor	eax, eax

loc_9C1150:				; CODE XREF: TtmiOpenDefaultTerminal(x,x,x,x)+41j
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ds:_TtmpTerminalObjectType
		push	ebx
		push	0
		push	eax
		push	edi
		call	ObOpenObjectByPointer
		mov	ecx, edi
		mov	esi, eax
		call	ObfDereferenceObject
		test	esi, esi
		jns	short loc_9C1184
		mov	edx, 32Dh

loc_9C1178:				; CODE XREF: TtmiOpenDefaultTerminal(x,x,x,x)+34j
		push	esi
		push	esi
		mov	ecx, (offset loc_8BDCF0+6)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)

loc_9C1184:				; CODE XREF: TtmiOpenDefaultTerminal(x,x,x,x)+66j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_TtmiOpenDefaultTerminal@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiReferenceTerminalByHandle(x, x,	x, x)
_TtmiReferenceTerminalByHandle@16 proc near
					; CODE XREF: TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)+30p

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_TtmpTerminalObjectType
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	0
		mov	edi, ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	[ebp+arg_4]
		push	eax
		push	2
		push	edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C11CE
		and	dword ptr [edi], 0
		mov	edx, 365h
		push	esi
		push	esi
		mov	ecx, offset ??_C@_0BO@DJAIEDEC@TtmiReferenceTerminalByHandle@NNGAKEGL@ ; "TtmiReferenceTerminalByHandle"
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C11D5
; 

loc_9C11CE:				; CODE XREF: TtmiReferenceTerminalByHandle(x,x,x,x)+29j
		mov	eax, [ebp+var_4]
		xor	esi, esi
		mov	[edi], eax

loc_9C11D5:				; CODE XREF: TtmiReferenceTerminalByHandle(x,x,x,x)+3Fj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	8
_TtmiReferenceTerminalByHandle@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiResetTerminalTimeouts(x, x, x, x, x)
_TtmiResetTerminalTimeouts@20 proc near	; CODE XREF: TtmNotifyDeviceInput(x,x,x,x)+EDp
					; TtmNotifyConsoleUserPresent(x,x)+43p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	KeQueryInterruptTime
		mov	[esi+40h], eax
		mov	eax, [esi+1Ch]
		mov	[esi+44h], edx
		cmp	eax, 3
		jz	short loc_9C1201
		cmp	[ebp+arg_8], 0
		jnz	short loc_9C1206

loc_9C1201:				; CODE XREF: TtmiResetTerminalTimeouts(x,x,x,x,x)+1Cj
		cmp	eax, 2
		jnz	short loc_9C121B

loc_9C1206:				; CODE XREF: TtmiResetTerminalTimeouts(x,x,x,x,x)+22j
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+arg_0]
		push	1
		call	_TtmiSetPendingOnOffRequest@20 ; TtmiSetPendingOnOffRequest(x,x,x,x,x)
		mov	al, 1
		jmp	short loc_9C121D
; 

loc_9C121B:				; CODE XREF: TtmiResetTerminalTimeouts(x,x,x,x,x)+27j
		xor	al, al

loc_9C121D:				; CODE XREF: TtmiResetTerminalTimeouts(x,x,x,x,x)+3Cj
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_TtmiResetTerminalTimeouts@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiSessionTerminalListWorker(x, x,	x)
_TtmiSessionTerminalListWorker@12 proc near ; CODE XREF: TtmpSessionWorker(x)+F3p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= dword	ptr -2
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	eax, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], eax
		xor	ecx, ecx
		mov	[eax], cl
		mov	eax, [ebp+arg_0]
		mov	byte ptr [ebp+var_2], cl
		mov	byte ptr [ebp+var_2+1],	cl
		mov	[ebp+var_3], cl
		mov	[eax], cl
		lea	eax, [edi+20h]
		mov	esi, [eax]
		cmp	esi, eax
		jz	loc_9C138A

loc_9C1254:				; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+154j
		lea	ecx, [esi+18h]
		mov	ebx, esi
		mov	eax, [ecx]
		mov	[ebp+var_8], ecx
		test	al, 1
		jz	loc_9C1317
		mov	edx, [edi]
		lea	eax, [esi+4]
		mov	esi, [eax]
		mov	ecx, ebx
		mov	[ebp+var_10], eax
		mov	eax, [ebx+10h]
		push	eax
		mov	[ebp+var_14], eax
		call	_TtmiLogTerminalCleanup@12 ; TtmiLogTerminalCleanup(x,x,x)
		mov	eax, [ebp+var_8]
		test	byte ptr [eax],	10h
		jz	short loc_9C129B
		push	1Ah
		xor	dl, dl
		mov	ecx, edi
		call	_TtmiUpdateActiveTerminalCount@12 ; TtmiUpdateActiveTerminalCount(x,x,x)
		test	al, al
		jz	short loc_9C129B
		mov	eax, [ebp+var_C]
		mov	byte ptr [eax],	1

loc_9C129B:				; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+61j
					; TtmiSessionTerminalListWorker(x,x,x)+70j
		cmp	dword ptr [ebx+14h], 0
		jz	short loc_9C12A5
		mov	[ebp+var_3], 1

loc_9C12A5:				; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+7Cj
		mov	edx, ebx
		mov	ecx, edi
		call	_TtmiEvacuateDevices@8 ; TtmiEvacuateDevices(x,x)
		test	al, al
		jz	short loc_9C12B8
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	1

loc_9C12B8:				; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+8Dj
		mov	eax, [ebx]
		cmp	[eax+4], ebx
		jnz	loc_9C1391
		mov	ecx, [ebp+var_10]
		mov	ecx, [ecx]
		cmp	[ecx], ebx
		jnz	loc_9C1391
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, edi
		and	dword ptr [ebx+8], 0
		call	_TtmpDereferenceSessionMaybeLast@4 ; TtmpDereferenceSessionMaybeLast(x)
		mov	ecx, [ebp+var_14]
		mov	edx, ecx
		shr	edx, 3
		and	ecx, 7
		add	edx, [edi+2Ch]
		movsx	eax, byte ptr [edx]
		btr	eax, ecx
		mov	ecx, [ebp+var_8]
		mov	[edx], al
		and	dword ptr [ebx+8], 0
		mov	dword ptr [ebx+0Ch], 54787454h
		mov	eax, [ecx]
		and	eax, 0FFFFFFFEh
		or	eax, 2
		mov	[ecx], eax
		mov	ecx, ebx
		call	ObfDereferenceObject
		jmp	short loc_9C1370
; 

loc_9C1317:				; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+3Dj
		test	al, 4
		jz	short loc_9C1370
		and	eax, 0FFFFFFFBh
		mov	edx, esi
		mov	[ecx], eax
		lea	eax, [ebp+var_2+1]
		push	eax
		lea	eax, [ebp+var_2]
		push	eax
		call	_TtmpUpdateTerminalState@16 ; TtmpUpdateTerminalState(x,x,x,x)
		cmp	byte ptr [ebp+var_2+1],	0
		jz	short loc_9C134B
		mov	edx, esi
		mov	ecx, edi
		call	_TtmiSetUpdateTerminalDevices@8	; TtmiSetUpdateTerminalDevices(x,x)
		mov	ecx, edi
		call	_TtmpWriteDisplayStateChangedEvent@8 ; TtmpWriteDisplayStateChangedEvent(x,x)
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	1

loc_9C134B:				; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+110j
		cmp	byte ptr [ebp+var_2], 0
		jz	short loc_9C1370
		mov	eax, [ebp+var_8]
		mov	ecx, edi
		push	dword ptr [esi+20h]
		mov	edx, [eax]
		shr	edx, 4
		and	dl, 1
		call	_TtmiUpdateActiveTerminalCount@12 ; TtmiUpdateActiveTerminalCount(x,x,x)
		test	al, al
		jz	short loc_9C1370
		mov	eax, [ebp+var_C]
		mov	byte ptr [eax],	1

loc_9C1370:				; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+F2j
					; TtmiSessionTerminalListWorker(x,x,x)+F6j ...
		mov	esi, [esi]
		lea	eax, [edi+20h]
		cmp	esi, eax
		jnz	loc_9C1254
		cmp	[ebp+var_3], 0
		jz	short loc_9C138A
		mov	ecx, edi
		call	_TtmiPurgeSessionPowerRequestEntries@4 ; TtmiPurgeSessionPowerRequestEntries(x)

loc_9C138A:				; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+2Bj
					; TtmiSessionTerminalListWorker(x,x,x)+15Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_9C1391:				; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+9Aj
					; TtmiSessionTerminalListWorker(x,x,x)+A7j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_TtmiSessionTerminalListWorker@12 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiSetPendingOnOffRequest(x, x, x,	x, x)
_TtmiSetPendingOnOffRequest@20 proc near
					; CODE XREF: TtmiResetTerminalTimeouts(x,x,x,x,x)+35p
					; TtmiTerminalMonitorControl(x,x,x,x)+55p ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		mov	bl, [ebp+arg_0]
		push	esi
		mov	esi, edx
		mov	[esp+0Ch+var_4], ecx
		push	edi
		mov	edi, [ebp+arg_4]
		test	byte ptr [esi+18h], 8
		jz	short loc_9C13D4
		test	bl, bl
		jz	short loc_9C13E7
		cmp	edi, 1
		jnz	short loc_9C13E7
		mov	ecx, esi
		call	_TtmpShouldEscapeProximity@4 ; TtmpShouldEscapeProximity(x)
		test	al, al
		jz	short loc_9C13E7
		mov	ecx, [esp+10h+var_4]
		mov	edx, esi
		push	edi
		call	_TtmpExitProximity@12 ;	TtmpExitProximity(x,x,x)

loc_9C13D4:				; CODE XREF: TtmiSetPendingOnOffRequest(x,x,x,x,x)+1Cj
		mov	ecx, [esi+10h]
		mov	edx, edi
		push	[ebp+arg_8]
		test	bl, bl
		jnz	short loc_9C13F5
		call	_TtmiLogTerminalOffRequest@12 ;	TtmiLogTerminalOffRequest(x,x,x)
		jmp	short loc_9C13FA
; 

loc_9C13E7:				; CODE XREF: TtmiSetPendingOnOffRequest(x,x,x,x,x)+20j
					; TtmiSetPendingOnOffRequest(x,x,x,x,x)+25j ...
		push	[ebp+arg_8]
		mov	edx, edi
		mov	cl, bl
		call	_TtmiLogProximityBlockedRequest@12 ; TtmiLogProximityBlockedRequest(x,x,x)
		jmp	short loc_9C1417
; 

loc_9C13F5:				; CODE XREF: TtmiSetPendingOnOffRequest(x,x,x,x,x)+48j
		call	_TtmiLogTerminalOnRequest@12 ; TtmiLogTerminalOnRequest(x,x,x)

loc_9C13FA:				; CODE XREF: TtmiSetPendingOnOffRequest(x,x,x,x,x)+4Fj
		mov	ecx, [esp+10h+var_4]
		xor	eax, eax
		test	bl, bl
		mov	[esi+2Ch], edi
		push	2
		setz	al
		or	dword ptr [esi+18h], 4
		inc	eax
		mov	[esi+28h], eax
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)

loc_9C1417:				; CODE XREF: TtmiSetPendingOnOffRequest(x,x,x,x,x)+5Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_TtmiSetPendingOnOffRequest@20 endp


;  S U B	R O U T	I N E 


; __stdcall TtmiSetTerminalPendingEvaluation(x,	x)
_TtmiSetTerminalPendingEvaluation@8 proc near
					; CODE XREF: TtmpScheduledEvaluationWorker(x)+35p
		or	dword ptr [edx+18h], 4
		push	2
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)
		retn
_TtmiSetTerminalPendingEvaluation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiTerminalMonitorControl(x, x, x,	x)
_TtmiTerminalMonitorControl@16 proc near ; CODE	XREF: TtmSessionMonitorControl(x,x,x)+38p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		mov	byte ptr [ebp+var_4], bl
		sub	eax, ebx
		jz	short loc_9C14A2
		sub	eax, 1
		jz	short loc_9C1494
		sub	eax, 1
		jz	short loc_9C1462
		mov	ebx, 0C000000Dh
		mov	edx, 54Fh
		push	ebx
		push	0FFFFFFFFh
		mov	ecx, offset ??_C@_0BL@IKIKMBNF@TtmiTerminalMonitorControl@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C1486
; 

loc_9C1462:				; CODE XREF: TtmiTerminalMonitorControl(x,x,x,x)+1Bj
		mov	eax, [edx+0BCh]
		cmp	eax, 3
		jz	short loc_9C148D
		cmp	eax, 2
		jz	short loc_9C148D

loc_9C1472:				; CODE XREF: TtmiTerminalMonitorControl(x,x,x,x)+6Cj
		mov	byte ptr [ebp+var_4], 1

loc_9C1476:				; CODE XREF: TtmiTerminalMonitorControl(x,x,x,x)+7Aj
		push	434D6553h
		push	[ebp+arg_0]
		push	[ebp+var_4]
		call	_TtmiSetPendingOnOffRequest@20 ; TtmiSetPendingOnOffRequest(x,x,x,x,x)

loc_9C1486:				; CODE XREF: TtmiTerminalMonitorControl(x,x,x,x)+34j
					; TtmiTerminalMonitorControl(x,x,x,x)+66j ...
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_9C148D:				; CODE XREF: TtmiTerminalMonitorControl(x,x,x,x)+3Fj
					; TtmiTerminalMonitorControl(x,x,x,x)+44j
		mov	ebx, 0FFh
		jmp	short loc_9C1486
; 

loc_9C1494:				; CODE XREF: TtmiTerminalMonitorControl(x,x,x,x)+16j
		cmp	[ebp+arg_0], 16h
		jnz	short loc_9C1472
		push	ebx
		call	_TtmpExitProximity@12 ;	TtmpExitProximity(x,x,x)
		jmp	short loc_9C1486
; 

loc_9C14A2:				; CODE XREF: TtmiTerminalMonitorControl(x,x,x,x)+11j
		cmp	[ebp+arg_0], 16h
		jnz	short loc_9C1476
		call	_TtmpEnterProximity@8 ;	TtmpEnterProximity(x,x)
		jmp	short loc_9C1486
_TtmiTerminalMonitorControl@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiTerminalSetDisplayTimeouts(x, x, x, x)
_TtmiTerminalSetDisplayTimeouts@16 proc	near
					; CODE XREF: TtmpTerminal0PowerSettingCallback(x,x,x,x)+78p
					; TtmpDispatchSetDisplayTimeouts(x)+65p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[esp+10h+var_4], ecx
		mov	ecx, 989680h
		push	esi
		mov	esi, edx
		mul	ecx
		push	edi
		mov	ebx, eax
		mov	eax, edx
		mov	[esp+18h+var_8], eax
		mov	[esi+3Ch], eax
		mov	eax, [ebp+arg_0]
		mul	ecx
		mov	[esi+38h], ebx
		mov	edi, edx
		mov	[esi+30h], eax
		mov	[esi+34h], edi
		mov	ecx, eax
		test	edi, edi
		jnz	short loc_9C14F2
		test	eax, eax
		jz	short loc_9C1515

loc_9C14F2:				; CODE XREF: TtmiTerminalSetDisplayTimeouts(x,x,x,x)+3Dj
		cmp	[esp+18h+var_8], 0
		ja	short loc_9C14FD
		test	ebx, ebx
		jz	short loc_9C1515

loc_9C14FD:				; CODE XREF: TtmiTerminalSetDisplayTimeouts(x,x,x,x)+48j
		cmp	edi, [esp+18h+var_8]
		jb	short loc_9C1515
		ja	short loc_9C1509
		cmp	eax, ebx
		jb	short loc_9C1515

loc_9C1509:				; CODE XREF: TtmiTerminalSetDisplayTimeouts(x,x,x,x)+54j
		and	dword ptr [esi+30h], 0
		xor	ecx, ecx
		and	dword ptr [esi+34h], 0
		xor	edx, edx

loc_9C1515:				; CODE XREF: TtmiTerminalSetDisplayTimeouts(x,x,x,x)+41j
					; TtmiTerminalSetDisplayTimeouts(x,x,x,x)+4Cj ...
		push	[esp+18h+var_8]
		mov	edi, [esp+1Ch+var_4]
		push	ebx
		push	edx
		mov	edx, [esi+10h]
		push	ecx
		push	[ebp+arg_4]
		mov	ecx, [edi]
		push	[ebp+arg_0]
		call	_TtmiLogTerminalDisplayTimeouts@32 ; TtmiLogTerminalDisplayTimeouts(x,x,x,x,x,x,x,x)
		or	dword ptr [esi+18h], 4
		mov	ecx, edi
		push	2
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_TtmiTerminalSetDisplayTimeouts@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiTerminalsRundown(x)
_TtmiTerminalsRundown@4	proc near	; CODE XREF: TtmiSessionsRundown()+8Ap

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebx+20h]
		mov	esi, [edi]
		jmp	loc_9C1615
; 

loc_9C155D:				; CODE XREF: TtmiTerminalsRundown(x)+D1j
		mov	eax, [ebx]
		and	[ebp+var_4], 0
		mov	[ebp+var_58], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_54], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_50], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_4C], eax
		mov	eax, [esi+20h]
		push	0
		mov	[ebp+var_48], eax
		mov	eax, [esi+24h]
		push	989680h
		push	dword ptr [esi+34h]
		mov	[ebp+var_44], eax
		mov	eax, [esi+28h]
		push	dword ptr [esi+30h]
		mov	[ebp+var_40], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_3C], eax
		call	__aulldiv
		push	0
		push	989680h
		push	dword ptr [esi+3Ch]
		mov	[ebp+var_38], eax
		push	dword ptr [esi+38h]
		mov	[ebp+var_34], edx
		call	__aulldiv
		mov	[ebp+var_30], eax
		lea	ecx, [ebp+var_58]
		mov	eax, [esi+40h]
		mov	[ebp+var_28], eax
		mov	eax, [esi+44h]
		mov	[ebp+var_24], eax
		mov	eax, [esi+0A8h]
		mov	[ebp+var_20], eax
		mov	eax, [esi+0ACh]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+0B0h]
		mov	[ebp+var_18], eax
		mov	eax, [esi+0B4h]
		mov	[ebp+var_14], eax
		mov	eax, [esi+0B8h]
		mov	[ebp+var_10], eax
		mov	eax, [esi+0BCh]
		mov	[ebp+var_C], eax
		mov	eax, [esi+0C0h]
		mov	[ebp+var_2C], edx
		mov	[ebp+var_8], eax
		call	_TtmiLogTerminalRundown@4 ; TtmiLogTerminalRundown(x)
		mov	esi, [esi]

loc_9C1615:				; CODE XREF: TtmiTerminalsRundown(x)+12j
		cmp	esi, edi
		jnz	loc_9C155D
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_TtmiTerminalsRundown@4	endp


;  S U B	R O U T	I N E 


; __stdcall TtmiUndimTerminal(x, x)
_TtmiUndimTerminal@8 proc near		; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+9Ep
		mov	eax, [edx+1Ch]
		push	ebx
		cmp	eax, 2
		jz	short loc_9C1634
		cmp	eax, 3
		jz	short loc_9C1634
		xor	bl, bl
		jmp	short loc_9C1636
; 

loc_9C1634:				; CODE XREF: TtmiUndimTerminal(x,x)+7j
					; TtmiUndimTerminal(x,x)+Cj
		mov	bl, 1

loc_9C1636:				; CODE XREF: TtmiUndimTerminal(x,x)+10j
		cmp	eax, 2
		jnz	short loc_9C1649
		push	54416455h
		push	8
		push	1
		call	_TtmiSetPendingOnOffRequest@20 ; TtmiSetPendingOnOffRequest(x,x,x,x,x)

loc_9C1649:				; CODE XREF: TtmiUndimTerminal(x,x)+17j
		mov	al, bl
		pop	ebx
		retn
_TtmiUndimTerminal@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpCloseTerminalHandle(x, x, x, x)
_TtmpCloseTerminalHandle@16 proc near	; DATA XREF: TtmInit+836F5o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 1
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	eax, [esi+8]
		mov	ebx, [esi+10h]
		mov	edi, [eax]
		jnz	short loc_9C16A8
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _TtmpSessionLock
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [esi+8]
		or	dword ptr [esi+18h], 1
		push	2
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)
		push	0
		push	0
		mov	ecx, esi
		call	_TtmpResetEvaluationTimer@12 ; TtmpResetEvaluationTimer(x,x,x)
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C16A8:				; CODE XREF: TtmpCloseTerminalHandle(x,x,x,x)+17j
		push	[ebp+arg_C]
		push	[ebp+arg_0]
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		push	eax
		mov	edx, ebx
		mov	ecx, edi
		call	_TtmiLogTerminalHandleClosed@16	; TtmiLogTerminalHandleClosed(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_TtmpCloseTerminalHandle@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpDeleteTerminal(x)
_TtmpDeleteTerminal@4 proc near		; DATA XREF: TtmInit+836FCo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_TtmiLogTerminalDestroyed@4 ; TtmiLogTerminalDestroyed(x)
		pop	ebp
		retn	4
_TtmpDeleteTerminal@4 endp


;  S U B	R O U T	I N E 


; __stdcall TtmpEnterProximity(x, x)
_TtmpEnterProximity@8 proc near		; CODE XREF: TtmiTerminalMonitorControl(x,x,x,x)+7Cp
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	eax, [esi+18h]
		test	al, 8
		jnz	short loc_9C1717
		or	dword ptr [esi+0A8h], 0FFFFFFFFh
		or	eax, 8
		or	dword ptr [esi+0ACh], 0FFFFFFFFh
		inc	dword ptr [esi+0B4h]
		mov	ecx, [esi+0B4h]
		mov	[esi+18h], eax
		call	_TtmiLogEnterProximity@4 ; TtmiLogEnterProximity(x)
		or	dword ptr [esi+18h], 4
		mov	ecx, edi
		push	2
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)

loc_9C1717:				; CODE XREF: TtmpEnterProximity(x,x)+Ej
		pop	edi
		pop	esi
		pop	ecx
		retn
_TtmpEnterProximity@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpExitProximity(x, x, x)
_TtmpExitProximity@12 proc near		; CODE XREF: TtmiSetPendingOnOffRequest(x,x,x,x,x)+39p
					; TtmiTerminalMonitorControl(x,x,x,x)+6Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	eax, [esi+18h]
		test	al, 8
		jz	short loc_9C1758
		push	[ebp+arg_0]
		mov	edx, [esi+0B8h]
		and	eax, 0FFFFFFF7h
		mov	ecx, [esi+0B4h]
		or	eax, 40h
		mov	[esi+18h], eax
		call	_TtmiLogExitProximity@12 ; TtmiLogExitProximity(x,x,x)
		or	dword ptr [esi+18h], 4
		mov	ecx, edi
		push	2
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)

loc_9C1758:				; CODE XREF: TtmpExitProximity(x,x,x)+11j
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
_TtmpExitProximity@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpOpenTerminalHandle(x, x, x, x, x, x)
_TtmpOpenTerminalHandle@24 proc	near	; DATA XREF: TtmInit+836EEo

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		mov	eax, ds:_PsInitialSystemProcess
		jz	short loc_9C1772
		mov	eax, [ebp+arg_8]

loc_9C1772:				; CODE XREF: TtmpOpenTerminalHandle(x,x,x,x,x,x)+Ej
		xor	ecx, ecx
		test	eax, eax
		jz	short loc_9C1780
		push	eax
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	ecx, eax

loc_9C1780:				; CODE XREF: TtmpOpenTerminalHandle(x,x,x,x,x,x)+17j
		mov	edx, [ebp+arg_C]
		push	[ebp+arg_0]
		push	ecx
		mov	ecx, [edx+8]
		mov	edx, [edx+10h]
		mov	ecx, [ecx]
		call	_TtmiLogTerminalHandleOpened@16	; TtmiLogTerminalHandleOpened(x,x,x,x)
		xor	eax, eax
		pop	ebp
		retn	18h
_TtmpOpenTerminalHandle@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpResetEvaluationTimer(x,	x, x)
_TtmpResetEvaluationTimer@12 proc near	; CODE XREF: TtmiCreateTerminal(x,x,x,x,x,x)+1D8p
					; TtmpCloseTerminalHandle(x,x,x,x)+47p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [ebp+arg_4]
		lea	eax, [esi+48h]
		test	edi, edi
		jnz	short loc_9C17BD
		test	ebx, ebx
		jnz	short loc_9C17BD
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		jmp	short loc_9C17D8
; 

loc_9C17BD:				; CODE XREF: TtmpResetEvaluationTimer(x,x,x)+15j
					; TtmpResetEvaluationTimer(x,x,x)+19j
		neg	ebx
		adc	edi, 0
		neg	edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		lea	eax, [esi+70h]
		push	eax
		push	edi
		push	ebx
		lea	eax, [esi+48h]
		push	eax
		call	_KeSetTimer@16	; KeSetTimer(x,x,x,x)

loc_9C17D8:				; CODE XREF: TtmpResetEvaluationTimer(x,x,x)+21j
		test	al, al
		jz	short loc_9C17E3
		mov	ecx, esi
		call	ObfDereferenceObject

loc_9C17E3:				; CODE XREF: TtmpResetEvaluationTimer(x,x,x)+40j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_TtmpResetEvaluationTimer@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpScheduledEvaluationWorker(x)
_TtmpScheduledEvaluationWorker@4 proc near ; DATA XREF:	TtmiCreateTerminal(x,x,x,x,x,x)+160o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		xor	ecx, ecx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esi+0A0h]
		xchg	ecx, [eax]
		test	ecx, ecx
		jz	short loc_9C1833
		mov	edx, esi
		lea	ecx, [ebp+var_4]
		call	_TtmiAcquireTerminalSession@8 ;	TtmiAcquireTerminalSession(x,x)
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_9C1824
		test	byte ptr [esi+18h], 3
		jnz	short loc_9C1824
		mov	edx, esi
		call	_TtmiSetTerminalPendingEvaluation@8 ; TtmiSetTerminalPendingEvaluation(x,x)

loc_9C1824:				; CODE XREF: TtmpScheduledEvaluationWorker(x)+2Bj
					; TtmpScheduledEvaluationWorker(x)+31j
		lea	ecx, [ebp+var_4]
		call	_TtmiReleaseSession@4 ;	TtmiReleaseSession(x)
		mov	ecx, esi
		call	ObfDereferenceObject

loc_9C1833:				; CODE XREF: TtmpScheduledEvaluationWorker(x)+1Aj
		pop	esi
		leave
		retn	4
_TtmpScheduledEvaluationWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpShouldEscapeProximity(x)
_TtmpShouldEscapeProximity@4 proc near	; CODE XREF: TtmiSetPendingOnOffRequest(x,x,x,x,x)+29p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		inc	dword ptr [esi+0B0h]
		call	KeQueryInterruptTime
		mov	[ebp+var_8], edx
		or	ecx, 0FFFFFFFFh
		mov	edx, [esi+0ACh]
		xor	ebx, ebx
		mov	[ebp+var_4], eax
		cmp	edx, ecx
		mov	eax, [esi+0A8h]
		mov	edi, ecx
		mov	[ebp+var_C], edx
		mov	edx, [ebp+var_8]
		ja	short loc_9C189F
		jb	short loc_9C1879
		cmp	eax, ecx
		jnb	short loc_9C189F

loc_9C1879:				; CODE XREF: TtmpShouldEscapeProximity(x)+3Bj
		mov	ecx, [ebp+var_4]
		mov	edi, edx
		sub	ecx, eax
		sbb	edi, [ebp+var_C]
		imul	eax, ds:_TtmpProximityEscapeMsec, 2710h
		cmp	edi, ebx
		ja	short loc_9C189F
		jb	short loc_9C1897
		cmp	ecx, eax
		jnb	short loc_9C189F

loc_9C1897:				; CODE XREF: TtmpShouldEscapeProximity(x)+59j
		inc	dword ptr [esi+0B8h]
		mov	bl, 1

loc_9C189F:				; CODE XREF: TtmpShouldEscapeProximity(x)+39j
					; TtmpShouldEscapeProximity(x)+3Fj ...
		push	dword ptr [esi+0B8h]
		mov	edx, [esi+0B0h]
		push	dword ptr [esi+0B4h]
		push	edi
		push	ecx
		mov	cl, bl
		call	_TtmiLogProximityPowerPress@24 ; TtmiLogProximityPowerPress(x,x,x,x,x,x)
		mov	eax, [ebp+var_4]
		mov	[esi+0A8h], eax
		mov	eax, [ebp+var_8]
		pop	edi
		mov	[esi+0ACh], eax
		mov	al, bl
		pop	esi
		pop	ebx
		leave
		retn
_TtmpShouldEscapeProximity@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpTsmEvaluateTimeouts(x, x, x, x,	x, x, x, x)
_TtmpTsmEvaluateTimeouts@32 proc near	; CODE XREF: TtmpTsmIterate(x,x)+A7p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_14]
		xor	esi, esi
		mov	edi, ecx
		push	[ebp+arg_10]
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], esi
		push	[ebp+arg_C]
		mov	ebx, edx
		mov	[ebp+var_4], esi
		push	[ebp+arg_8]
		call	_TtmpTsmTestTimeout@20 ; TtmpTsmTestTimeout(x,x,x,x,x)
		test	al, al
		jz	short loc_9C1909
		mov	dword ptr [edi], 1
		jmp	short loc_9C1929
; 

loc_9C1909:				; CODE XREF: TtmpTsmEvaluateTimeouts(x,x,x,x,x,x,x,x)+2Cj
		push	[ebp+arg_14]
		lea	ecx, [ebp+var_8]
		push	[ebp+arg_10]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_TtmpTsmTestTimeout@20 ; TtmpTsmTestTimeout(x,x,x,x,x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		add	eax, 3
		mov	[edi], eax

loc_9C1929:				; CODE XREF: TtmpTsmEvaluateTimeouts(x,x,x,x,x,x,x,x)+34j
		mov	eax, [ebp+var_4]
		cmp	eax, esi
		ja	short loc_9C1939
		cmp	[ebp+var_8], esi
		ja	short loc_9C1939
		mov	eax, esi
		jmp	short loc_9C1942
; 

loc_9C1939:				; CODE XREF: TtmpTsmEvaluateTimeouts(x,x,x,x,x,x,x,x)+5Bj
					; TtmpTsmEvaluateTimeouts(x,x,x,x,x,x,x,x)+60j
		mov	esi, [ebp+var_8]
		sub	esi, [ebp+arg_10]
		sbb	eax, [ebp+arg_14]

loc_9C1942:				; CODE XREF: TtmpTsmEvaluateTimeouts(x,x,x,x,x,x,x,x)+64j
		mov	[ebx], esi
		pop	edi
		pop	esi
		mov	[ebx+4], eax
		pop	ebx
		leave
		retn	18h
_TtmpTsmEvaluateTimeouts@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpTsmIterate(x, x)
_TtmpTsmIterate@8 proc near		; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+93p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], edi
		mov	eax, [esi+2Ch]
		cmp	eax, 2
		jnz	short loc_9C1971
		xor	edx, edx
		inc	edx
		jmp	short loc_9C1979
; 

loc_9C1971:				; CODE XREF: TtmpTsmIterate(x,x)+1Cj
		cmp	eax, 1
		jnz	short loc_9C197E
		push	3
		pop	edx

loc_9C1979:				; CODE XREF: TtmpTsmIterate(x,x)+21j
		mov	ebx, [esi+30h]
		jmp	short loc_9C1982
; 

loc_9C197E:				; CODE XREF: TtmpTsmIterate(x,x)+26j
		mov	edx, [esi]
		xor	ebx, ebx

loc_9C1982:				; CODE XREF: TtmpTsmIterate(x,x)+2Ej
		cmp	byte ptr [esi+29h], 0
		jnz	short loc_9C19B1
		cmp	eax, 1
		jz	short loc_9C19B1
		mov	eax, [esi+8]
		mov	ecx, [esi+0Ch]
		mov	[edi+10h], eax
		mov	[edi+14h], ecx
		mov	edi, [esi+10h]
		sub	edi, eax
		mov	eax, [esi+14h]
		mov	[ebp+var_10], edi
		mov	edi, [ebp+var_C]
		sbb	eax, ecx
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_4], eax
		jmp	short loc_9C19C2
; 

loc_9C19B1:				; CODE XREF: TtmpTsmIterate(x,x)+38j
					; TtmpTsmIterate(x,x)+3Dj
		mov	eax, [esi+10h]
		xor	ecx, ecx
		and	[ebp+var_4], ecx
		mov	[edi+10h], eax
		mov	eax, [esi+14h]
		mov	[edi+14h], eax

loc_9C19C2:				; CODE XREF: TtmpTsmIterate(x,x)+61j
		cmp	edx, 3
		jz	short loc_9C19CC
		cmp	edx, 2
		jnz	short loc_9C19D5

loc_9C19CC:				; CODE XREF: TtmpTsmIterate(x,x)+77j
		cmp	byte ptr [esi+28h], 0
		jz	short loc_9C19DF
		push	3
		pop	edx

loc_9C19D5:				; CODE XREF: TtmpTsmIterate(x,x)+7Cj
		and	dword ptr [edi+18h], 0
		and	dword ptr [edi+1Ch], 0
		jmp	short loc_9C1A0A
; 

loc_9C19DF:				; CODE XREF: TtmpTsmIterate(x,x)+82j
		push	[ebp+var_4]
		lea	edx, [edi+18h]
		push	ecx
		push	dword ptr [esi+24h]
		lea	ecx, [ebp+var_8]
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		call	_TtmpTsmEvaluateTimeouts@32 ; TtmpTsmEvaluateTimeouts(x,x,x,x,x,x,x,x)
		mov	edx, [ebp+var_8]
		cmp	edx, 2
		jz	short loc_9C1A07
		cmp	edx, 1
		jnz	short loc_9C1A0A

loc_9C1A07:				; CODE XREF: TtmpTsmIterate(x,x)+B2j
		push	0Ch
		pop	ebx

loc_9C1A0A:				; CODE XREF: TtmpTsmIterate(x,x)+8Fj
					; TtmpTsmIterate(x,x)+B7j
		mov	[edi], edx
		cmp	[esi], edx
		setnz	al
		mov	[edi+4], al
		mov	[edi+8], ebx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpTsmIterate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpTsmTestTimeout(x, x, x,	x, x)
_TtmpTsmTestTimeout@20 proc near	; CODE XREF: TtmpTsmEvaluateTimeouts(x,x,x,x,x,x,x,x)+25p
					; TtmpTsmEvaluateTimeouts(x,x,x,x,x,x,x,x)+45p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_9C1A2F
		test	eax, eax
		jz	short loc_9C1A44

loc_9C1A2F:				; CODE XREF: TtmpTsmTestTimeout(x,x,x,x,x)+Dj
		cmp	edx, [ebp+arg_C]
		ja	short loc_9C1A3F
		jb	short loc_9C1A3B
		cmp	eax, [ebp+arg_8]
		ja	short loc_9C1A3F

loc_9C1A3B:				; CODE XREF: TtmpTsmTestTimeout(x,x,x,x,x)+18j
		mov	al, 1
		jmp	short loc_9C1A46
; 

loc_9C1A3F:				; CODE XREF: TtmpTsmTestTimeout(x,x,x,x,x)+16j
					; TtmpTsmTestTimeout(x,x,x,x,x)+1Dj
		mov	[ecx], eax
		mov	[ecx+4], edx

loc_9C1A44:				; CODE XREF: TtmpTsmTestTimeout(x,x,x,x,x)+11j
		xor	al, al

loc_9C1A46:				; CODE XREF: TtmpTsmTestTimeout(x,x,x,x,x)+21j
		pop	ebp
		retn	10h
_TtmpTsmTestTimeout@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpUpdateTerminalState(x, x, x, x)
_TtmpUpdateTerminalState@16 proc near	; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+107p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= byte ptr -30h
var_2F		= byte ptr -2Fh
var_2E		= word ptr -2Eh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		and	[ebp+var_54], 0
		xor	eax, eax
		and	[ebp+var_24], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_2E], ax
		push	8
		pop	ecx
		lea	edi, [ebp+var_20]
		rep stosd
		mov	eax, [esi+1Ch]
		mov	[ebp+var_58], eax
		mov	eax, [esi+40h]
		mov	[ebp+var_50], eax
		mov	eax, [esi+44h]
		mov	[ebp+var_4C], eax
		call	KeQueryInterruptTime
		mov	[ebp+var_48], eax
		xor	ecx, ecx
		mov	eax, [esi+30h]
		mov	[ebp+var_40], eax
		mov	eax, [esi+34h]
		mov	[ebp+var_3C], eax
		mov	eax, [esi+38h]
		mov	[ebp+var_38], eax
		mov	eax, [esi+3Ch]
		mov	[ebp+var_34], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_44], edx
		cmp	[esi+14h], ecx
		ja	short loc_9C1AB5
		mov	[ebp+var_30], cl
		test	al, 8
		jz	short loc_9C1AB9

loc_9C1AB5:				; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+62j
		mov	[ebp+var_30], 1

loc_9C1AB9:				; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+69j
		test	al, 60h
		lea	edx, [ebp+var_20]
		setnz	[ebp+var_2F]
		and	eax, 0FFFFFF9Fh
		mov	[esi+18h], eax
		mov	eax, [esi+28h]
		mov	[ebp+var_2C], eax
		mov	eax, [esi+2Ch]
		mov	[esi+28h], ecx
		mov	[esi+2Ch], ecx
		lea	ecx, [ebp+var_58]
		mov	[ebp+var_28], eax
		call	_TtmpTsmIterate@8 ; TtmpTsmIterate(x,x)
		mov	ecx, [esi+10h]
		lea	eax, [ebp+var_20]
		push	eax
		lea	edx, [ebp+var_58]
		call	_TtmiLogTerminalStateMachine@12	; TtmiLogTerminalStateMachine(x,x,x)
		cmp	[ebp+var_1C], 0
		mov	eax, [ebp+var_10]
		mov	edi, [ebp+var_20]
		mov	[esi+40h], eax
		mov	eax, [ebp+var_C]
		mov	[esi+44h], eax
		mov	[esi+1Ch], edi
		jz	short loc_9C1B35
		mov	eax, [ebp+var_18]
		xor	ecx, ecx
		mov	edx, [esi+18h]
		cmp	edi, 1
		mov	[esi+20h], eax
		mov	eax, edx
		setnz	cl
		shr	eax, 4
		and	eax, 1
		cmp	eax, ecx
		jz	short loc_9C1B35
		shl	ecx, 4
		and	edx, 0FFFFFFEFh
		or	ecx, edx
		mov	al, 1
		mov	[esi+18h], ecx
		jmp	short loc_9C1B37
; 

loc_9C1B35:				; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+BDj
					; TtmpUpdateTerminalState(x,x,x,x)+DAj
		xor	al, al

loc_9C1B37:				; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+E9j
		mov	[ebx], al
		mov	eax, [esi+18h]
		mov	edx, [esi+20h]
		shr	eax, 3
		test	al, 1
		jnz	short loc_9C1B4B
		mov	eax, [esi+1Ch]
		jmp	short loc_9C1B4D
; 

loc_9C1B4B:				; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+FAj
		xor	eax, eax

loc_9C1B4D:				; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+FFj
		mov	ecx, [esi+0BCh]
		cmp	ecx, eax
		jnz	short loc_9C1B5B
		xor	dl, dl
		jmp	short loc_9C1B76
; 

loc_9C1B5B:				; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+10Bj
		test	ecx, ecx
		jz	short loc_9C1B63
		test	eax, eax
		jnz	short loc_9C1B66

loc_9C1B63:				; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+113j
		push	16h
		pop	edx

loc_9C1B66:				; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+117j
		mov	[esi+0C0h], edx
		mov	ecx, eax
		mov	[esi+0BCh], eax
		mov	dl, 1

loc_9C1B76:				; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+10Fj
		mov	eax, [ebp+arg_4]
		mov	[eax], dl
		sub	ecx, 0
		jz	short loc_9C1B94
		sub	ecx, 1
		jz	short loc_9C1B8B
		and	dword ptr [esi+24h], 0
		jmp	short loc_9C1B9B
; 

loc_9C1B8B:				; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+139j
		mov	dword ptr [esi+24h], 2
		jmp	short loc_9C1B9B
; 

loc_9C1B94:				; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+134j
		mov	dword ptr [esi+24h], 1

loc_9C1B9B:				; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+13Fj
					; TtmpUpdateTerminalState(x,x,x,x)+148j
		push	[ebp+var_4]
		mov	ecx, esi
		push	[ebp+var_8]
		call	_TtmpResetEvaluationTimer@12 ; TtmpResetEvaluationTimer(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_TtmpUpdateTerminalState@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpWriteDisplayStateChangedEvent(x, x)
_TtmpWriteDisplayStateChangedEvent@8 proc near
					; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+11Dp

var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 220h
		push	esi
		push	edi
		push	20Ch		; size_t
		lea	eax, [ebp+var_210]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		mov	eax, [esi+0C0h]
		add	esp, 0Ch
		mov	ecx, [esi+10h]
		mov	edx, [esi+0BCh]
		mov	[ebp+var_220], 2
		push	eax
		mov	[ebp+var_21C], ecx
		mov	[ebp+var_218], edx
		mov	[ebp+var_214], eax
		call	_TtmiLogTerminalDisplayStateChangedEvent@12 ; TtmiLogTerminalDisplayStateChangedEvent(x,x,x)
		lea	edx, [ebp+var_220]
		mov	ecx, edi
		call	_TtmiWriteEventToAllQueues@8 ; TtmiWriteEventToAllQueues(x,x)
		pop	edi
		pop	esi
		leave
		retn
_TtmpWriteDisplayStateChangedEvent@8 endp


;  S U B	R O U T	I N E 


; __stdcall TtmCleanupCurrentSession()
_TtmCleanupCurrentSession@0 proc near	; CODE XREF: NtPowerInformation:loc_8D6570p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		call	_TtmiLogCleanupCurrentSessionStart@0 ; TtmiLogCleanupCurrentSessionStart()
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	ecx, large fs:124h
		mov	edi, eax
		dec	word ptr [ecx+13Ch]
		nop
		push	1
		mov	ebx, offset _TtmpSessionLock
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	esi, ds:_TtmpSession
		test	esi, esi
		jz	short loc_9C1C6D
		cmp	[esi], edi
		jz	short loc_9C1C6D
		mov	ecx, ebx
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	short loc_9C1CE4
; 

loc_9C1C6D:				; CODE XREF: TtmCleanupCurrentSession()+41j
					; TtmCleanupCurrentSession()+45j
		mov	ecx, esi
		call	_TtmpCleanupPowerRequestsTrackingFromCurrentSession@4 ;	TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)
		mov	ecx, [esi+1Ch]
		call	ObfDereferenceObject
		xor	edi, edi
		push	edi
		push	dword ptr [esi+18h]
		mov	[esi+1Ch], edi
		call	ObCloseHandle
		or	dword ptr [esi+4], 4
		mov	ecx, esi
		mov	[esi+18h], edi
		call	_TtmpDereferenceSessionMaybeLast@4 ; TtmpDereferenceSessionMaybeLast(x)
		mov	ecx, ebx
		mov	ds:_TtmpSession, edi
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [esi+90h]
		test	eax, eax
		jz	short loc_9C1CC7
		push	eax
		call	PoUnregisterPowerSettingCallback
		mov	ecx, esi
		mov	[esi+90h], edi
		call	_TtmpDereferenceSessionMaybeLast@4 ; TtmpDereferenceSessionMaybeLast(x)

loc_9C1CC7:				; CODE XREF: TtmCleanupCurrentSession()+9Aj
		mov	eax, [esi+94h]
		test	eax, eax
		jz	short loc_9C1CE4
		push	eax
		call	PoUnregisterPowerSettingCallback
		mov	ecx, esi
		mov	[esi+94h], edi
		call	_TtmpDereferenceSessionMaybeLast@4 ; TtmpDereferenceSessionMaybeLast(x)

loc_9C1CE4:				; CODE XREF: TtmCleanupCurrentSession()+53j
					; TtmCleanupCurrentSession()+B7j
		pop	edi
		pop	esi
		pop	ebx
		jmp	_TtmiLogCleanupCurrentSessionStop@0 ; TtmiLogCleanupCurrentSessionStop()
_TtmCleanupCurrentSession@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmGetSessionDisplayRequiredCount(x)
_TtmGetSessionDisplayRequiredCount@4 proc near
					; CODE XREF: PopGetConsoleDisplayRequestCount():loc_4C597Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	edx, ecx
		xor	esi, esi
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], esi
		call	_TtmpAcquireSessionById@8 ; TtmpAcquireSessionById(x,x)
		test	eax, eax
		js	short loc_9C1D1D
		mov	eax, [ebp+var_4]
		mov	ecx, offset _TtmpSessionLock
		mov	esi, [eax+14h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	short loc_9C1D2F
; 

loc_9C1D1D:				; CODE XREF: TtmGetSessionDisplayRequiredCount(x)+18j
		push	0FFFFFFFFh
		push	eax
		mov	edx, 0FAFh
		mov	ecx, (offset loc_8BDF27+3)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)

loc_9C1D2F:				; CODE XREF: TtmGetSessionDisplayRequiredCount(x)+2Fj
		mov	eax, esi
		pop	esi
		leave
		retn
_TtmGetSessionDisplayRequiredCount@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmInitCurrentSession()
_TtmInitCurrentSession@0 proc near	; CODE XREF: NtPowerInformation:loc_8D6602p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		call	_TtmiLogInitCurrentSessionStart@0 ; TtmiLogInitCurrentSessionStart()
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	ecx, large fs:124h
		mov	edi, eax
		dec	word ptr [ecx+13Ch]
		nop
		push	1
		push	offset _TtmpSessionLock
		call	ExAcquireResourceExclusiveLite
		cmp	ds:_TtmpSession, 0
		jz	short loc_9C1D98
		mov	edi, 0C00000BBh
		mov	edx, 4BBh

loc_9C1D86:				; CODE XREF: TtmInitCurrentSession()+89j
		push	edi
		push	0FFFFFFFFh
		mov	ecx, offset ??_C@_0BG@JEEPDNHE@TtmInitCurrentSession@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	loc_9C1EFF
; 

loc_9C1D98:				; CODE XREF: TtmInitCurrentSession()+46j
		push	536D7454h
		mov	ebx, 0ACh
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9C1DBF
		mov	edi, 0C000009Ah
		mov	edx, 4C4h
		jmp	short loc_9C1D86
; 

loc_9C1DBF:				; CODE XREF: TtmInitCurrentSession()+7Dj
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	[esi], edi
		lea	eax, [esi+20h]
		mov	[eax+4], eax
		lea	ebx, [esi+8]
		mov	[eax], eax
		xor	ecx, ecx
		lea	eax, [esi+38h]
		inc	ecx
		mov	[eax+4], eax
		add	esp, 0Ch
		mov	[eax], eax
		xor	edi, edi
		mov	[ebx], ecx
		lea	eax, [esi+30h]
		mov	[esi+2Ch], eax
		lea	eax, [esi+40h]
		mov	dword ptr [esi+28h], 20h
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+54h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+5Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+64h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+6Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		or	dword ptr [esi+4], 800h
		mov	[esi+48h], edi
		mov	[esi+4Ch], edi
		mov	[esi+50h], ecx
		call	_TtmiLogSessionDeviceAssignmentPolicySet@4 ; TtmiLogSessionDeviceAssignmentPolicySet(x)
		or	dword ptr [esi+4], 8
		lea	eax, [esi+1Ch]
		push	eax
		lea	eax, [esp+14h+var_4]
		mov	[esi+84h], edi
		push	eax
		lea	eax, [esi+18h]
		mov	dword ptr [esi+7Ch], offset _TtmpSessionWorker@4 ; TtmpSessionWorker(x)
		push	eax
		push	edi
		mov	edx, 1F0003h
		mov	[esi+80h], esi
		mov	ecx, esi
		mov	[esi+74h], edi
		mov	dword ptr [esi+34h], 1
		call	_TtmiCreateTerminal@24 ; TtmiCreateTerminal(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9C1E85
		push	edi
		push	edi
		mov	edx, 50Eh
		mov	ecx, offset ??_C@_0BG@JEEPDNHE@TtmInitCurrentSession@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C1EF0
; 

loc_9C1E85:				; CODE XREF: TtmInitCurrentSession()+13Cj
		xor	edi, edi
		xor	dl, dl
		push	edi
		mov	ecx, esi
		call	_TtmiUpdateActiveTerminalCount@12 ; TtmiUpdateActiveTerminalCount(x,x,x)
		lea	eax, [esi+90h]
		mov	byte ptr [esi+8Ch], 1
		push	eax		; int
		push	esi		; int
		push	offset _TtmpTerminal0PowerSettingCallback@16 ; int
		push	(offset	loc_408998+4) ;	void *
		push	edi		; int
		call	PoRegisterPowerSettingCallback
		test	eax, eax
		js	short loc_9C1EB7
		lock inc dword ptr [ebx]

loc_9C1EB7:				; CODE XREF: TtmInitCurrentSession()+17Ej
		lea	eax, [esi+94h]
		push	eax		; int
		push	esi		; int
		push	offset _TtmpTerminal0PowerSettingCallback@16 ; int
		push	offset _GUID_CONSOLE_VIDEO_TIMEOUT ; void *
		push	edi		; int
		call	PoRegisterPowerSettingCallback
		test	eax, eax
		js	short loc_9C1ED6
		lock inc dword ptr [ebx]

loc_9C1ED6:				; CODE XREF: TtmInitCurrentSession()+19Dj
		mov	[esi+0A0h], edi
		mov	[esi+0A8h], edi
		mov	[esi+0A4h], edi
		mov	ds:_TtmpSession, esi
		xor	esi, esi

loc_9C1EF0:				; CODE XREF: TtmInitCurrentSession()+14Fj
		test	esi, esi
		jz	short loc_9C1EFF
		push	536D7454h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9C1EFF:				; CODE XREF: TtmInitCurrentSession()+5Fj
					; TtmInitCurrentSession()+1BEj
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, edi
		call	_TtmiLogInitCurrentSessionStop@4 ; TtmiLogInitCurrentSessionStop(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_TtmInitCurrentSession@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmNotifyConsoleUserPresent(x, x)
_TtmNotifyConsoleUserPresent@8 proc near ; CODE	XREF: PopNotifyConsoleUserPresent+A9A93p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	ebx, ecx
		lea	ecx, [ebp+var_4]
		push	edi
		mov	edi, edx
		mov	edx, ebx
		call	_TtmpAcquireSessionById@8 ; TtmpAcquireSessionById(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C1F53
		push	0FFFFFFFFh
		push	esi
		mov	edx, 0D0Ch
		mov	ecx, offset ??_C@_0BM@NKHGFOL@TtmNotifyConsoleUserPresent@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C1F75
; 

loc_9C1F53:				; CODE XREF: TtmNotifyConsoleUserPresent(x,x)+1Fj
		mov	ecx, [ebp+var_4]
		push	1
		push	5055434Eh
		push	edi
		mov	edx, [ecx+1Ch]
		call	_TtmiResetTerminalTimeouts@20 ;	TtmiResetTerminalTimeouts(x,x,x,x,x)
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C1F75:				; CODE XREF: TtmNotifyConsoleUserPresent(x,x)+33j
		push	esi
		mov	edx, edi
		mov	ecx, ebx
		call	_TtmiLogConsoleUserPresent@12 ;	TtmiLogConsoleUserPresent(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_TtmNotifyConsoleUserPresent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmNotifyLowPowerStateExited(x)
_TtmNotifyLowPowerStateExited@4	proc near ; CODE XREF: PopIssueActionRequest+A78CDp
					; PopPowerAggregatorNotifyCsStateExited()+31p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		lea	ecx, [ebp+var_4]
		mov	edx, esi
		call	_TtmpAcquireSessionById@8 ; TtmpAcquireSessionById(x,x)
		test	eax, eax
		jns	short loc_9C1FB2
		push	eax
		push	eax
		mov	edx, 0C5Bh
		mov	ecx, offset ??_C@_0BN@OFKAFAOH@TtmNotifyLowPowerStateExited@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C1FD9
; 

loc_9C1FB2:				; CODE XREF: TtmNotifyLowPowerStateExited(x)+19j
		mov	ecx, esi
		call	_TtmiLogSessionCsExitComplete@4	; TtmiLogSessionCsExitComplete(x)
		mov	ecx, [ebp+var_4]
		push	4
		and	dword ptr [ecx+4], 0FFFFFCFFh
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C1FD9:				; CODE XREF: TtmNotifyLowPowerStateExited(x)+2Cj
		pop	esi
		leave
		retn
_TtmNotifyLowPowerStateExited@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmNotifySessionDisplayBurst(x, x)
_TtmNotifySessionDisplayBurst@8	proc near ; CODE XREF: PopPowerSourceChangeCallback+89AE2p
					; NtPowerInformation+17259Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, edx
		mov	edx, ecx
		lea	ecx, [ebp+var_4]
		call	_TtmpAcquireSessionById@8 ; TtmpAcquireSessionById(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C200D
		push	esi
		push	esi
		mov	edx, 0CD4h
		mov	ecx, offset ??_C@_0BN@NGIINBFO@TtmNotifySessionDisplayBurst@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C204C
; 

loc_9C200D:				; CODE XREF: TtmNotifySessionDisplayBurst(x,x)+1Cj
		cmp	edi, 5
		jnz	short loc_9C2019
		mov	eax, 42444341h
		jmp	short loc_9C202C
; 

loc_9C2019:				; CODE XREF: TtmNotifySessionDisplayBurst(x,x)+34j
		xor	eax, eax
		cmp	edi, 10h
		setnz	al
		dec	eax
		and	eax, 0FFFFDDEFh
		add	eax, 42446553h

loc_9C202C:				; CODE XREF: TtmNotifySessionDisplayBurst(x,x)+3Bj
		mov	ecx, [ebp+var_4]
		push	1
		push	eax
		push	edi
		mov	edx, [ecx+1Ch]
		call	_TtmiResetTerminalTimeouts@20 ;	TtmiResetTerminalTimeouts(x,x,x,x,x)
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	esi, esi

loc_9C204C:				; CODE XREF: TtmNotifySessionDisplayBurst(x,x)+2Fj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_TtmNotifySessionDisplayBurst@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmNotifySessionDisplayRequiredChange(x, x,	x)
_TtmNotifySessionDisplayRequiredChange@12 proc near
					; CODE XREF: PopNotifySessionDisplayRequired+AB041p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_10], edx
		push	esi
		mov	[ebp+var_8], ecx
		mov	edx, ecx
		push	edi
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], eax
		mov	bl, al
		mov	byte ptr [ebp+var_1], al
		call	_TtmpAcquireSessionById@8 ; TtmpAcquireSessionById(x,x)
		mov	edi, [ebp+var_C]
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C2097
		mov	edx, 0F0Dh

loc_9C2088:				; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+68j
					; TtmNotifySessionDisplayRequiredChange(x,x,x)+84j
		push	0FFFFFFFFh
		push	esi
		mov	ecx, (offset loc_8BDF02+2)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C20F2
; 

loc_9C2097:				; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+2Fj
		push	[ebp+arg_0]
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		call	_TtmpUpdateDisplayRequiredPowerRequest@12 ; TtmpUpdateDisplayRequiredPowerRequest(x,x,x)
		mov	eax, [edi+14h]
		cmp	byte ptr [ebp+arg_0], bl
		jnz	short loc_9C20C7
		test	eax, eax
		jnz	short loc_9C20BC
		mov	esi, 0C000000Dh
		mov	edx, 0F2Dh
		jmp	short loc_9C2088
; 

loc_9C20BC:				; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+5Cj
		sub	eax, 1
		mov	[edi+14h], eax
		setz	bl
		jmp	short loc_9C20E3
; 

loc_9C20C7:				; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+58j
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9C20D8
		mov	esi, 0C0000095h
		mov	edx, 0F41h
		jmp	short loc_9C2088
; 

loc_9C20D8:				; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+78j
		inc	eax
		mov	[edi+14h], eax
		cmp	eax, 1
		jnz	short loc_9C20E3
		mov	bl, al

loc_9C20E3:				; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+73j
					; TtmNotifySessionDisplayRequiredChange(x,x,x)+8Dj
		xor	esi, esi
		test	bl, bl
		jz	short loc_9C20F2
		cmp	[edi+14h], esi
		jbe	short loc_9C20F2
		mov	byte ptr [ebp+var_1], 1

loc_9C20F2:				; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+43j
					; TtmNotifySessionDisplayRequiredChange(x,x,x)+95j ...
		test	edi, edi
		jz	short loc_9C210A
		mov	edi, [edi+14h]
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	short loc_9C210D
; 

loc_9C210A:				; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+A2j
		mov	edi, [ebp+var_14]

loc_9C210D:				; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+B6j
		test	bl, bl
		jz	short loc_9C2132
		xor	ecx, ecx
		lea	eax, [ebp+var_8]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		push	1
		lea	eax, [ebp+var_1]
		push	eax
		push	(offset	loc_42536F+1)
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	cl, byte ptr [ebp+var_1]
		call	_PoSessionEngagementUpdate@8 ; PoSessionEngagementUpdate(x,x)

loc_9C2132:				; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+BDj
		cmp	byte ptr [ebp+arg_0], 0
		mov	edx, edi
		mov	ecx, [ebp+var_8]
		push	esi
		jnz	short loc_9C2145
		call	_TtmiLogSessionDisplayRequiredDereference@12 ; TtmiLogSessionDisplayRequiredDereference(x,x,x)
		jmp	short loc_9C214A
; 

loc_9C2145:				; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+EAj
		call	_TtmiLogSessionDisplayRequiredReference@12 ; TtmiLogSessionDisplayRequiredReference(x,x,x)

loc_9C214A:				; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+F1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_TtmNotifySessionDisplayRequiredChange@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmNotifySessionPowerRequestDeleted(x, x)
_TtmNotifySessionPowerRequestDeleted@8 proc near
					; CODE XREF: PopNotifySessionUserPowerRequestDeleted:loc_842DC4p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_10], 0
		push	ebx
		mov	ebx, ecx
		mov	[esp+18h+var_C], edx
		push	esi
		push	edi
		mov	edx, ebx
		lea	ecx, [esp+20h+var_10]
		call	_TtmpAcquireSessionById@8 ; TtmpAcquireSessionById(x,x)
		mov	edi, [esp+20h+var_10]
		test	eax, eax
		jns	short loc_9C2194
		push	0FFFFFFFFh
		push	eax
		mov	edx, 0E52h
		mov	ecx, (offset loc_8BDEDE+2)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	loc_9C2253
; 

loc_9C2194:				; CODE XREF: TtmNotifySessionPowerRequestDeleted(x,x)+2Aj
		cmp	dword ptr [edi+0A0h], 0
		jz	loc_9C223F
		mov	esi, [edi+0A4h]
		or	eax, 0FFFFFFFFh
		mov	ecx, esi
		shr	esi, 5
		and	ecx, 1Fh
		shl	eax, cl
		mov	edx, eax
		mov	[esp+20h+var_4], eax
		and	edx, [esp+20h+var_C]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[esp+20h+var_10], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		mov	[esp+20h+var_8], edx
		add	ecx, eax
		movzx	eax, byte ptr [esp+20h+var_10+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [esp+20h+var_10+3]
		imul	edx, ecx, 25h
		lea	ecx, [esi-1]
		mov	esi, [esp+20h+var_8]
		add	edx, eax
		mov	eax, [edi+0A8h]
		and	ecx, edx
		lea	edx, [eax+ecx*4]

loc_9C21FC:				; CODE XREF: TtmNotifySessionPowerRequestDeleted(x,x)+C2j
		mov	ecx, [edx]
		test	ecx, 1
		jnz	short loc_9C2227
		mov	eax, [ecx+4]
		and	eax, [esp+20h+var_4]
		cmp	eax, esi
		jz	short loc_9C2215
		mov	edx, ecx
		jmp	short loc_9C21FC
; 

loc_9C2215:				; CODE XREF: TtmNotifySessionPowerRequestDeleted(x,x)+BEj
		mov	eax, [ecx]
		mov	[edx], eax
		dec	dword ptr [edi+0A0h]
		or	dword ptr [ecx], 80000002h
		jmp	short loc_9C2229
; 

loc_9C2227:				; CODE XREF: TtmNotifySessionPowerRequestDeleted(x,x)+B3j
		xor	ecx, ecx

loc_9C2229:				; CODE XREF: TtmNotifySessionPowerRequestDeleted(x,x)+D4j
		test	ecx, ecx
		jz	short loc_9C223F
		push	52507454h
		push	ecx
		mov	byte ptr [esp+28h+var_10], 1
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9C2244
; 

loc_9C223F:				; CODE XREF: TtmNotifySessionPowerRequestDeleted(x,x)+4Aj
					; TtmNotifySessionPowerRequestDeleted(x,x)+DAj
		mov	byte ptr [esp+20h+var_10], 0

loc_9C2244:				; CODE XREF: TtmNotifySessionPowerRequestDeleted(x,x)+ECj
		push	[esp+20h+var_10]
		mov	edx, [esp+24h+var_C]
		mov	ecx, ebx
		call	_TtmiLogSessionPowerRequestDeleted@12 ;	TtmiLogSessionPowerRequestDeleted(x,x,x)

loc_9C2253:				; CODE XREF: TtmNotifySessionPowerRequestDeleted(x,x)+3Ej
		test	edi, edi
		jz	short loc_9C2266
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C2266:				; CODE XREF: TtmNotifySessionPowerRequestDeleted(x,x)+104j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_TtmNotifySessionPowerRequestDeleted@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmNotifySessionPowerRequestPresent(x, x, x, x, x, x, x)
_TtmNotifySessionPowerRequestPresent@28	proc near
					; CODE XREF: PopNotifySessionUserPowerRequestAttributed(x,x,x)+A8p
					; PopNotifySessionUserPowerRequestsPresent()+4Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_10], 0
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		push	ebx
		push	[ebp+arg_8]
		mov	esi, edx
		mov	edi, ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		jnz	short loc_9C2293
		call	_TtmpInsertPowerRequestToSession@24 ; TtmpInsertPowerRequestToSession(x,x,x,x,x,x)
		jmp	short loc_9C2298
; 

loc_9C2293:				; CODE XREF: TtmNotifySessionPowerRequestPresent(x,x,x,x,x,x,x)+1Dj
		call	_TtmpUpdatePowerRequestAttribute@24 ; TtmpUpdatePowerRequestAttribute(x,x,x,x,x,x)

loc_9C2298:				; CODE XREF: TtmNotifySessionPowerRequestPresent(x,x,x,x,x,x,x)+24j
		mov	byte ptr [ebp+arg_C], al
		mov	edx, esi
		push	[ebp+arg_C]
		mov	ecx, edi
		push	dword ptr [ebp+arg_10]
		push	ebx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_TtmiLogSessionPowerRequestAcknowledged@32 ; TtmiLogSessionPowerRequestAcknowledged(x,x,x,x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
_TtmNotifySessionPowerRequestPresent@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmNotifySessionPowerStateChange(x,	x)
_TtmNotifySessionPowerStateChange@8 proc near
					; CODE XREF: PopPowerInformationInternal+1712CEp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	bl, dl
		mov	edx, ecx
		lea	ecx, [ebp+var_4]
		call	_TtmpAcquireSessionById@8 ; TtmpAcquireSessionById(x,x)
		test	eax, eax
		jns	short loc_9C22EA
		push	0FFFFFFFFh
		push	eax
		mov	edx, 0C8Fh
		mov	ecx, offset ??_C@_0CB@CKBAICGM@TtmNotifySessionPowerStateChang@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C232B
; 

loc_9C22EA:				; CODE XREF: TtmNotifySessionPowerStateChange(x,x)+19j
		mov	cl, bl
		call	_TtmiLogSessionPowerStateChange@4 ; TtmiLogSessionPowerStateChange(x)
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+4]
		test	bl, bl
		jnz	short loc_9C2309
		test	al, 40h
		jz	short loc_9C231C
		and	eax, 0FFFFFFBFh
		or	eax, 400h
		jmp	short loc_9C2312
; 

loc_9C2309:				; CODE XREF: TtmNotifySessionPowerStateChange(x,x)+3Ej
		test	al, al
		jns	short loc_9C231C
		and	eax, 0FFFFFB7Fh

loc_9C2312:				; CODE XREF: TtmNotifySessionPowerStateChange(x,x)+4Cj
		push	4
		mov	[ecx+4], eax
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)

loc_9C231C:				; CODE XREF: TtmNotifySessionPowerStateChange(x,x)+42j
					; TtmNotifySessionPowerStateChange(x,x)+50j
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C232B:				; CODE XREF: TtmNotifySessionPowerStateChange(x,x)+2Dj
		pop	ebx
		leave
		retn
_TtmNotifySessionPowerStateChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmNotifySessionTerminalInput(x, x,	x)
_TtmNotifySessionTerminalInput@12 proc near ; CODE XREF: PopPowerInformationInternal+1713F5p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		mov	edx, ecx
		lea	ecx, [ebp+var_4]
		call	_TtmpAcquireSessionById@8 ; TtmpAcquireSessionById(x,x)
		test	eax, eax
		jns	short loc_9C235E
		push	0FFFFFFFFh
		push	eax
		mov	edx, 1079h
		mov	ecx, offset ??_C@_0BO@JAKBMKC@TtmNotifySessionTerminalInput@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C2393
; 

loc_9C235E:				; CODE XREF: TtmNotifySessionTerminalInput(x,x,x)+1Aj
		mov	ecx, [ebp+var_4]
		lea	eax, [ecx+20h]
		mov	edx, [eax]
		jmp	short loc_9C236F
; 

loc_9C2368:				; CODE XREF: TtmNotifySessionTerminalInput(x,x,x)+43j
		cmp	[edx+10h], esi
		jz	short loc_9C2375
		mov	edx, [edx]

loc_9C236F:				; CODE XREF: TtmNotifySessionTerminalInput(x,x,x)+38j
		cmp	edx, eax
		jnz	short loc_9C2368
		jmp	short loc_9C2384
; 

loc_9C2375:				; CODE XREF: TtmNotifySessionTerminalInput(x,x,x)+3Dj
		push	[ebp+arg_0]
		push	74495453h
		push	4
		call	_TtmiResetTerminalTimeouts@20 ;	TtmiResetTerminalTimeouts(x,x,x,x,x)

loc_9C2384:				; CODE XREF: TtmNotifySessionTerminalInput(x,x,x)+45j
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C2393:				; CODE XREF: TtmNotifySessionTerminalInput(x,x,x)+2Ej
		pop	esi
		leave
		retn	4
_TtmNotifySessionTerminalInput@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmSessionMonitorControl(x,	x, x)
_TtmSessionMonitorControl@12 proc near	; CODE XREF: PopControlMonitor(x,x)+2Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		mov	eax, ecx
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_8], eax
		push	edi
		mov	edx, eax
		lea	ecx, [ebp+var_4]
		call	_TtmpAcquireSessionById@8 ; TtmpAcquireSessionById(x,x)
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C23C7
		mov	edx, 0FE3h
		jmp	short loc_9C23E0
; 

loc_9C23C7:				; CODE XREF: TtmSessionMonitorControl(x,x,x)+26j
		push	[ebp+arg_0]
		mov	edx, [edi+1Ch]
		mov	ecx, edi
		push	ebx
		call	_TtmiTerminalMonitorControl@16 ; TtmiTerminalMonitorControl(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C23EC
		mov	edx, 0FEFh

loc_9C23E0:				; CODE XREF: TtmSessionMonitorControl(x,x,x)+2Dj
		push	esi
		push	esi
		mov	ecx, (offset loc_8BDFC4+4)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)

loc_9C23EC:				; CODE XREF: TtmSessionMonitorControl(x,x,x)+41j
		test	edi, edi
		jz	short loc_9C23FF
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C23FF:				; CODE XREF: TtmSessionMonitorControl(x,x,x)+56j
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		push	esi
		push	[ebp+arg_0]
		call	_TtmiLogSessionMonitorControl@16 ; TtmiLogSessionMonitorControl(x,x,x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_TtmSessionMonitorControl@12 endp


;  S U B	R O U T	I N E 


; __stdcall TtmiAcquireCurrentSession(x)
_TtmiAcquireCurrentSession@4 proc near	; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+89p
					; TtmNotifyDeviceDeparture(x,x,x)+1Ap ...
		mov	eax, large fs:124h
		push	esi
		mov	esi, ecx
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9C2447
		mov	esi, 0C0000455h
		mov	edx, 6E2h
		push	esi
		push	eax
		mov	ecx, offset ??_C@_0BK@CMMGJFEO@TtmiAcquireCurrentSession@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C2452
; 

loc_9C2447:				; CODE XREF: TtmiAcquireCurrentSession(x)+17j
		mov	edx, eax
		mov	ecx, esi
		call	_TtmpAcquireSessionById@8 ; TtmpAcquireSessionById(x,x)
		mov	esi, eax

loc_9C2452:				; CODE XREF: TtmiAcquireCurrentSession(x)+2Fj
		mov	eax, esi
		pop	esi
		retn
_TtmiAcquireCurrentSession@4 endp


;  S U B	R O U T	I N E 


; __stdcall TtmiAcquireTerminalSession(x, x)
_TtmiAcquireTerminalSession@8 proc near	; CODE XREF: TtmpScheduledEvaluationWorker(x)+21p
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _TtmpSessionLock
		call	ExAcquireResourceExclusiveLite
		mov	eax, [esi+8]
		mov	[edi], eax
		pop	edi
		pop	esi
		retn
_TtmiAcquireTerminalSession@8 endp


;  S U B	R O U T	I N E 


; __stdcall TtmiAddQueueToSession(x, x)
_TtmiAddQueueToSession@8 proc near	; CODE XREF: TtmiCreateEventQueue(x,x)+ACp
		mov	edi, edi
		lock inc dword ptr [ecx+8]
		mov	[edx+8], ecx
		add	ecx, 38h
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jz	short loc_9C2496
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9C2496:				; CODE XREF: TtmiAddQueueToSession(x,x)+11j
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	[eax], edx
		mov	[ecx+4], edx
		retn
_TtmiAddQueueToSession@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiPurgeSessionPowerRequestEntries(x)
_TtmiPurgeSessionPowerRequestEntries@4 proc near
					; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+162p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	[ebp+var_4], ebx
		mov	edx, [ebx+0A8h]
		mov	edi, edx
		mov	[ebp+var_8], edx
		jmp	short loc_9C24C1
; 

loc_9C24BE:				; CODE XREF: TtmiPurgeSessionPowerRequestEntries(x)+7Aj
					; TtmiPurgeSessionPowerRequestEntries(x)+CCj
		mov	ebx, [ebp+var_4]

loc_9C24C1:				; CODE XREF: TtmiPurgeSessionPowerRequestEntries(x)+1Bj
		xor	esi, esi
		test	edi, edi
		jz	short loc_9C24E7
		mov	ecx, [edi]
		mov	eax, ecx
		and	eax, 80000002h
		cmp	eax, 80000002h
		jnz	short loc_9C24DB
		mov	eax, [esi]
		mov	ecx, [edi]

loc_9C24DB:				; CODE XREF: TtmiPurgeSessionPowerRequestEntries(x)+34j
		test	ecx, 1
		jnz	short loc_9C24E7
		mov	edi, ecx
		jmp	short loc_9C2510
; 

loc_9C24E7:				; CODE XREF: TtmiPurgeSessionPowerRequestEntries(x)+24j
					; TtmiPurgeSessionPowerRequestEntries(x)+40j
		mov	ecx, [ebx+0A4h]
		add	edx, 4
		mov	eax, [ebx+0A8h]
		shr	ecx, 5
		lea	ecx, [eax+ecx*4]
		jmp	short loc_9C2507
; 

loc_9C24FE:				; CODE XREF: TtmiPurgeSessionPowerRequestEntries(x)+68j
		mov	eax, [edx]
		test	al, 1
		jz	short loc_9C2572
		add	edx, 4

loc_9C2507:				; CODE XREF: TtmiPurgeSessionPowerRequestEntries(x)+5Bj
		cmp	edx, ecx
		jb	short loc_9C24FE
		mov	edx, [ebp+var_8]
		mov	ecx, esi

loc_9C2510:				; CODE XREF: TtmiPurgeSessionPowerRequestEntries(x)+44j
					; TtmiPurgeSessionPowerRequestEntries(x)+D8j
		test	ecx, ecx
		jz	short loc_9C2580
		lea	ebx, [ecx+1Ch]
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	short loc_9C24BE

loc_9C251D:				; CODE XREF: TtmiPurgeSessionPowerRequestEntries(x)+C7j
		lea	eax, [esi-4]
		mov	[ebp+var_C], esi
		mov	ecx, [eax]
		mov	edx, ecx
		mov	[ebp+var_10], eax
		and	cl, 7
		mov	eax, [ebp+var_4]
		shr	edx, 3
		mov	eax, [eax+2Ch]
		mov	al, [edx+eax]
		sar	al, cl
		test	al, 1
		jnz	short loc_9C2564
		mov	edx, [ebp+var_C]
		mov	eax, [esi+4]
		mov	esi, eax
		mov	ecx, [edx]
		cmp	[ecx+4], edx
		jnz	short loc_9C257B
		cmp	[eax], edx
		jnz	short loc_9C257B
		push	52507454h
		push	[ebp+var_10]
		mov	[eax], ecx
		mov	[ecx+4], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9C2564:				; CODE XREF: TtmiPurgeSessionPowerRequestEntries(x)+9Cj
		mov	esi, [esi]
		cmp	esi, ebx
		jnz	short loc_9C251D
		mov	edx, [ebp+var_8]
		jmp	loc_9C24BE
; 

loc_9C2572:				; CODE XREF: TtmiPurgeSessionPowerRequestEntries(x)+61j
		mov	edi, eax
		mov	[ebp+var_8], edx
		mov	ecx, edi
		jmp	short loc_9C2510
; 

loc_9C257B:				; CODE XREF: TtmiPurgeSessionPowerRequestEntries(x)+ABj
					; TtmiPurgeSessionPowerRequestEntries(x)+AFj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9C2580:				; CODE XREF: TtmiPurgeSessionPowerRequestEntries(x)+71j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_TtmiPurgeSessionPowerRequestEntries@4 endp


;  S U B	R O U T	I N E 


; __stdcall TtmiReleaseSession(x)
_TtmiReleaseSession@4 proc near		; CODE XREF: TtmpScheduledEvaluationWorker(x)+3Dp
					; TtmpDispatchAssignDevice(x)+59p ...
		mov	edi, edi
		push	ecx
		and	dword ptr [ecx], 0
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	ecx
		retn
_TtmiReleaseSession@4 endp


;  S U B	R O U T	I N E 


; __stdcall TtmiRemoveQueueFromSession(x)
_TtmiRemoveQueueFromSession@4 proc near	; CODE XREF: TtmpDeleteQueue(x)+Cp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		nop
		push	1
		mov	ebx, offset _TtmpSessionLock
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	edx, [esi]
		mov	edi, [esi+8]
		cmp	[edx+4], esi
		jnz	short loc_9C25E8
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_9C25E8
		mov	[eax], edx
		mov	ecx, ebx
		mov	[edx+4], eax
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_TtmpDereferenceSessionMaybeLast@4 ; TtmpDereferenceSessionMaybeLast(x)
; 

loc_9C25E8:				; CODE XREF: TtmiRemoveQueueFromSession(x)+28j
					; TtmiRemoveQueueFromSession(x)+2Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_TtmiRemoveQueueFromSession@4 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiScheduleSessionWorker(x, x)
_TtmiScheduleSessionWorker@8 proc near	; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+1E2p
					; TtmNotifyDeviceDeparture(x,x,x)+70p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		or	[ecx+84h], eax
		test	byte ptr [ecx+4], 3
		jnz	short loc_9C2614
		lock inc dword ptr [ecx+8]
		or	dword ptr [ecx+4], 1
		lea	eax, [ecx+74h]
		push	1
		push	eax
		call	ExQueueWorkItem

loc_9C2614:				; CODE XREF: TtmiScheduleSessionWorker(x,x)+12j
		pop	ebp
		retn	4
_TtmiScheduleSessionWorker@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiSessionsRundown()
_TtmiSessionsRundown@0 proc near	; CODE XREF: TtmpTraceLoggingCallback(x,x,x,x,x,x,x,x,x)+Bp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		and	[esp+2Ch+var_2C], 0
		lea	ecx, [esp+2Ch+var_2C]
		push	esi
		call	_TtmiAcquireCurrentSession@4 ; TtmiAcquireCurrentSession(x)
		mov	esi, [esp+30h+var_2C]
		test	eax, eax
		jns	short loc_9C264C
		push	0FFFFFFFFh
		push	eax
		mov	edx, 10C9h
		mov	ecx, (offset loc_8BDFFF+1)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C26AE
; 

loc_9C264C:				; CODE XREF: TtmiSessionsRundown()+1Ej
		mov	eax, [esi]
		lea	ecx, [esp+30h+var_28]
		mov	[esp+30h+var_28], eax
		mov	eax, [esi+4]
		mov	[esp+30h+var_24], eax
		mov	eax, [esi+8]
		mov	[esp+30h+var_20], eax
		mov	eax, [esi+34h]
		mov	[esp+30h+var_1C], eax
		mov	eax, [esi+4Ch]
		mov	[esp+30h+var_18], eax
		mov	eax, [esi+0Ch]
		mov	[esp+30h+var_14], eax
		mov	eax, [esi+10h]
		mov	[esp+30h+var_10], eax
		mov	eax, [esi+14h]
		mov	[esp+30h+var_C], eax
		mov	eax, [esi+98h]
		mov	[esp+30h+var_8], eax
		mov	eax, [esi+9Ch]
		mov	[esp+30h+var_4], eax
		call	_TtmiLogSessionRundown@4 ; TtmiLogSessionRundown(x)
		mov	ecx, esi
		call	_TtmiTerminalsRundown@4	; TtmiTerminalsRundown(x)
		mov	ecx, esi
		call	_TtmiDevicesRundown@4 ;	TtmiDevicesRundown(x)

loc_9C26AE:				; CODE XREF: TtmiSessionsRundown()+32j
		test	esi, esi
		jz	short loc_9C26C1
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C26C1:				; CODE XREF: TtmiSessionsRundown()+98j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_TtmiSessionsRundown@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiSetDisplayPowerRequest(x, x, x,	x)
_TtmiSetDisplayPowerRequest@16 proc near
					; CODE XREF: TtmpDispatchSetDisplayPowerRequest(x)+4Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	ebx, edx
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_4]
		push	edi
		xor	esi, esi
		mov	[ebp+var_C], eax
		push	ecx
		mov	ecx, eax
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		call	_TtmpFindPowerRequestEntryById@12 ; TtmpFindPowerRequestEntryById(x,x,x)
		cmp	[ebp+arg_4], esi
		jz	loc_9C27C9
		test	al, al
		jnz	short loc_9C2705
		mov	edx, 332h
		jmp	loc_9C2811
; 

loc_9C2705:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+33j
		mov	edi, [ebp+var_4]
		add	edi, 1Ch
		mov	[ebp+var_10], edi
		mov	eax, [edi]
		jmp	short loc_9C2734
; 

loc_9C2712:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+73j
		push	dword ptr [eax-4]
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_8]
		call	_TtmiGetTerminalById@12	; TtmiGetTerminalById(x,x,x)
		test	eax, eax
		js	short loc_9C272F
		mov	eax, [ebp+var_8]
		mov	eax, [eax+10h]
		cmp	eax, [ebx+10h]
		jz	short loc_9C2750

loc_9C272F:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+5Cj
		mov	eax, [ebp+var_4]
		mov	eax, [eax]

loc_9C2734:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+4Aj
		mov	[ebp+var_4], eax
		cmp	eax, edi
		jnz	short loc_9C2712
		cmp	dword ptr [ebx+14h], 0FFFFFFFFh
		jnz	short loc_9C275F
		mov	esi, 0C0000095h
		mov	edx, 36Ah
		jmp	loc_9C2816
; 

loc_9C2750:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+67j
		mov	esi, 0C000022Ah
		mov	edx, 35Dh
		jmp	loc_9C2816
; 

loc_9C275F:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+79j
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		call	_TtmiUndimTerminal@8 ; TtmiUndimTerminal(x,x)
		test	al, al
		jz	short loc_9C27C2
		push	52507454h
		push	0Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_9C2796
		mov	esi, 0C000009Ah
		mov	edx, 37Ch
		push	esi
		push	0FFFFFFFFh
		jmp	loc_9C2819
; 

loc_9C2796:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+BCj
		xor	eax, eax
		mov	edi, ecx
		stosd
		stosd
		stosd
		mov	eax, [ebx+10h]
		mov	[ecx], eax
		add	ecx, 4
		mov	eax, [ebp+var_10]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_9C288A
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		inc	dword ptr [ebx+14h]
		jmp	short loc_9C2823
; 

loc_9C27C2:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+A5j
		mov	esi, 0C00000BBh
		jmp	short loc_9C2823
; 

loc_9C27C9:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+2Bj
		test	al, al
		jnz	short loc_9C27D4
		mov	edx, 3A9h
		jmp	short loc_9C2811
; 

loc_9C27D4:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+105j
		mov	eax, [ebp+var_4]
		add	eax, 1Ch
		mov	[ebp+var_10], eax
		mov	edi, [eax]
		cmp	edi, eax
		jz	short loc_9C280C

loc_9C27E3:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+144j
		mov	edx, [ebp+var_C]
		lea	eax, [edi-4]
		push	dword ptr [eax]
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_4], eax
		call	_TtmiGetTerminalById@12	; TtmiGetTerminalById(x,x,x)
		test	eax, eax
		js	short loc_9C2805
		mov	eax, [ebp+var_8]
		mov	eax, [eax+10h]
		cmp	eax, [ebx+10h]
		jz	short loc_9C283B

loc_9C2805:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+132j
		mov	edi, [edi]
		cmp	edi, [ebp+var_10]
		jnz	short loc_9C27E3

loc_9C280C:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+11Bj
		mov	edx, 3D5h

loc_9C2811:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+3Aj
					; TtmiSetDisplayPowerRequest(x,x,x,x)+10Cj
		mov	esi, 0C0000225h

loc_9C2816:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+85j
					; TtmiSetDisplayPowerRequest(x,x,x,x)+94j ...
		push	0FFFFFFFFh
		push	esi

loc_9C2819:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+CBj
		mov	ecx, offset ??_C@_0BL@OLPLCIPG@TtmiSetDisplayPowerRequest@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)

loc_9C2823:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+FAj
					; TtmiSetDisplayPowerRequest(x,x,x,x)+101j ...
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebx+10h]
		push	esi
		push	[ebp+arg_4]
		call	_TtmiLogDisplayPowerRequestSet@16 ; TtmiLogDisplayPowerRequestSet(x,x,x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_9C283B:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+13Dj
		mov	edi, [ebp+var_4]
		lea	eax, [edi+4]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_9C288A
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_9C288A
		push	52507454h
		mov	[ecx], edx
		push	edi
		mov	[edx+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebx+14h]
		test	eax, eax
		jnz	short loc_9C2872
		mov	esi, 0C000000Dh
		mov	edx, 3F0h
		jmp	short loc_9C2816
; 

loc_9C2872:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+19Ej
		sub	eax, 1
		mov	[ebx+14h], eax
		jnz	short loc_9C2823
		mov	ecx, [ebp+var_C]
		or	dword ptr [ebx+18h], 24h
		push	2
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)
		jmp	short loc_9C2823
; 

loc_9C288A:				; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+E7j
					; TtmiSetDisplayPowerRequest(x,x,x,x)+180j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_TtmiSetDisplayPowerRequest@16 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall TtmiSetSessionDeviceAssignmentPolicy(x, x)
_TtmiSetSessionDeviceAssignmentPolicy@8	proc near
					; CODE XREF: TtmpDispatchSetDefaultDeviceAssignment(x)+49p
		mov	edi, edi
		push	ecx
		movzx	eax, dl
		shl	eax, 0Bh
		xor	eax, [ecx+4]
		and	eax, 800h
		xor	[ecx+4], eax
		mov	cl, dl
		call	_TtmiLogSessionDeviceAssignmentPolicySet@4 ; TtmiLogSessionDeviceAssignmentPolicySet(x)
		xor	eax, eax
		pop	ecx
		retn
_TtmiSetSessionDeviceAssignmentPolicy@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiUpdateActiveTerminalCount(x, x,	x)
_TtmiUpdateActiveTerminalCount@12 proc near
					; CODE XREF: TtmiCreateTerminal(x,x,x,x,x,x)+11Bp
					; TtmiSessionTerminalListWorker(x,x,x)+69p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+34h]
		push	ebx
		xor	bl, bl
		test	dl, dl
		jnz	short loc_9C28D9
		sub	eax, 1
		mov	[ecx+34h], eax
		jnz	short loc_9C28F6
		mov	eax, [ecx+4]
		and	eax, 0FFFFFFEFh
		or	eax, 20h
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_0]
		mov	[ecx+10h], eax
		jmp	short loc_9C28F4
; 

loc_9C28D9:				; CODE XREF: TtmiUpdateActiveTerminalCount(x,x,x)+Dj
		inc	eax
		mov	[ecx+34h], eax
		cmp	eax, 1
		jnz	short loc_9C28F6
		mov	eax, [ecx+4]
		and	eax, 0FFFFFFDFh
		or	eax, 10h
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_0]
		mov	[ecx+0Ch], eax

loc_9C28F4:				; CODE XREF: TtmiUpdateActiveTerminalCount(x,x,x)+29j
		mov	bl, 1

loc_9C28F6:				; CODE XREF: TtmiUpdateActiveTerminalCount(x,x,x)+15j
					; TtmiUpdateActiveTerminalCount(x,x,x)+32j
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
_TtmiUpdateActiveTerminalCount@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiWriteEnumerationEventsToQueue(x, x)
_TtmiWriteEnumerationEventsToQueue@8 proc near
					; CODE XREF: TtmpDispatchCreateEventQueue(x,x)+78p

var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 224h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		call	_TtmiPublishDeviceEnumerationEvents@8 ;	TtmiPublishDeviceEnumerationEvents(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C292F
		mov	edx, 845h

loc_9C291F:				; CODE XREF: TtmiWriteEnumerationEventsToQueue(x,x)+73j
		push	esi
		push	esi
		mov	ecx, (offset loc_8BDDF4+2)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		mov	eax, esi
		jmp	short loc_9C2974
; 

loc_9C292F:				; CODE XREF: TtmiWriteEnumerationEventsToQueue(x,x)+1Bj
		mov	edx, edi
		mov	ecx, ebx
		call	_TtmpPublishDisplayRequiredPowerRequestEvents@8	; TtmpPublishDisplayRequiredPowerRequestEvents(x,x)
		push	218h		; size_t
		lea	eax, [ebp+var_21C]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_220], 1
		lea	edx, [ebp+var_220]
		mov	ecx, edi
		call	_TtmiWriteEventToSingleQueue@8 ; TtmiWriteEventToSingleQueue(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C2972
		mov	edx, 858h
		jmp	short loc_9C291F
; 

loc_9C2972:				; CODE XREF: TtmiWriteEnumerationEventsToQueue(x,x)+6Cj
		xor	eax, eax

loc_9C2974:				; CODE XREF: TtmiWriteEnumerationEventsToQueue(x,x)+30j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_TtmiWriteEnumerationEventsToQueue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiWriteEventToAllQueues(x, x)
_TtmiWriteEventToAllQueues@8 proc near	; CODE XREF: TtmpPublishDeviceEvent(x,x,x,x)+10Ep
					; TtmpWriteDisplayStateChangedEvent(x,x)+60p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		lea	edi, [ecx+38h]
		mov	esi, [edi]
		mov	[ebp+var_4], eax
		jmp	short loc_9C29BB
; 

loc_9C298E:				; CODE XREF: TtmiWriteEventToAllQueues(x,x)+44j
		mov	ebx, esi
		mov	edx, eax
		mov	esi, [esi]
		mov	ecx, ebx
		call	_TtmiWriteEventToSingleQueue@8 ; TtmiWriteEventToSingleQueue(x,x)
		test	eax, eax
		jns	short loc_9C29B8
		push	0FFFFFFFFh
		push	eax
		mov	edx, 896h
		mov	ecx, (offset loc_8BDE17+1)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		mov	ecx, ebx
		call	_TtmiCloseEventQueue@4 ; TtmiCloseEventQueue(x)

loc_9C29B8:				; CODE XREF: TtmiWriteEventToAllQueues(x,x)+24j
		mov	eax, [ebp+var_4]

loc_9C29BB:				; CODE XREF: TtmiWriteEventToAllQueues(x,x)+13j
		cmp	esi, edi
		jnz	short loc_9C298E
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_TtmiWriteEventToAllQueues@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpAcquireSessionById(x, x)
_TtmpAcquireSessionById@8 proc near	; CODE XREF: TtmGetSessionDisplayRequiredCount(x)+11p
					; TtmNotifyConsoleUserPresent(x,x)+16p	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		cmp	ds:_TtmpEnabled, 1
		mov	ebx, edx
		mov	[edi], esi
		jz	short loc_9C29FA
		mov	esi, 0C00000BBh
		mov	edx, 69Ah
		push	esi
		push	0FFFFFFFFh
		mov	ecx, offset ??_C@_0BH@LDFBAIGP@TtmpAcquireSessionById@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C2A4B
; 

loc_9C29FA:				; CODE XREF: TtmpAcquireSessionById(x,x)+1Bj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _TtmpSessionLock
		call	ExAcquireResourceExclusiveLite
		mov	eax, ds:_TtmpSession
		test	eax, eax
		jz	short loc_9C2A25
		cmp	[eax], ebx
		jnz	short loc_9C2A25
		mov	[edi], eax
		jmp	short loc_9C2A4B
; 

loc_9C2A25:				; CODE XREF: TtmpAcquireSessionById(x,x)+57j
					; TtmpAcquireSessionById(x,x)+5Bj
		mov	esi, 0C0000455h
		mov	edx, 6A5h
		push	esi
		push	0FFFFFFFFh
		mov	ecx, offset ??_C@_0BH@LDFBAIGP@TtmpAcquireSessionById@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C2A4B:				; CODE XREF: TtmpAcquireSessionById(x,x)+34j
					; TtmpAcquireSessionById(x,x)+5Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_TtmpAcquireSessionById@8 endp


;  S U B	R O U T	I N E 


; __stdcall TtmpAcquireSessionLock()
_TtmpAcquireSessionLock@0 proc near	; CODE XREF: TtmpSessionWorker(x)+37p
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _TtmpSessionLock
		call	ExAcquireResourceExclusiveLite
		retn
_TtmpAcquireSessionLock@0 endp


;  S U B	R O U T	I N E 


; __stdcall TtmpActivateSessionWorker(x)
_TtmpActivateSessionWorker@4 proc near	; CODE XREF: TtmpSessionWorker(x)+133p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	edx, [edi+4]
		test	dl, 8
		jz	short loc_9C2A88
		and	edx, 0FFFFFFEFh
		mov	[edi+4], edx

loc_9C2A84:				; CODE XREF: TtmpActivateSessionWorker(x)+5Bj
		xor	esi, esi
		jmp	short loc_9C2AFF
; 

loc_9C2A88:				; CODE XREF: TtmpActivateSessionWorker(x)+Dj
		test	dl, 40h
		jz	short loc_9C2A94

loc_9C2A8D:				; CODE XREF: TtmpActivateSessionWorker(x)+34j
					; TtmpActivateSessionWorker(x)+67j ...
		mov	esi, 103h
		jmp	short loc_9C2AFF
; 

loc_9C2A94:				; CODE XREF: TtmpActivateSessionWorker(x)+1Cj
		test	edx, 200h
		jz	short loc_9C2ACC
		mov	ecx, 100h
		test	edx, ecx
		jnz	short loc_9C2A8D
		mov	eax, [edi+0Ch]
		or	edx, ecx
		mov	[edi+4], edx
		mov	ecx, edi
		push	eax
		xor	dl, dl
		call	_TtmpInitiateModernStandbyTransition@12	; TtmpInitiateModernStandbyTransition(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9C2AFF
		and	dword ptr [edi+4], 0FFFFFCFFh
		mov	edx, [edi+4]
		test	dl, 10h
		jz	short loc_9C2A84

loc_9C2ACC:				; CODE XREF: TtmpActivateSessionWorker(x)+2Bj
		test	edx, 400h
		jz	short loc_9C2AEF
		test	dl, dl
		js	short loc_9C2A8D
		push	dword ptr [edi+0Ch]
		or	edx, 80h
		mov	ecx, edi
		mov	[edi+4], edx
		mov	dl, 1
		call	_TtmpSessionPowerControl@12 ; TtmpSessionPowerControl(x,x,x)
		jmp	short loc_9C2A8D
; 

loc_9C2AEF:				; CODE XREF: TtmpActivateSessionWorker(x)+63j
		and	edx, 0FFFFFFEFh
		xor	esi, esi
		or	edx, 8
		mov	[edi+4], edx
		call	_TtmiLogSessionActivate@0 ; TtmiLogSessionActivate()

loc_9C2AFF:				; CODE XREF: TtmpActivateSessionWorker(x)+17j
					; TtmpActivateSessionWorker(x)+23j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		retn
_TtmpActivateSessionWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)
_TtmpCleanupPowerRequestsTrackingFromCurrentSession@4 proc near
					; CODE XREF: TtmCleanupCurrentSession()+57p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edi
		mov	edx, [edi+0A8h]
		mov	esi, edx
		mov	[ebp+var_4], edx

loc_9C2B1F:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+F2j
		xor	ebx, ebx
		test	esi, esi
		jz	short loc_9C2B45
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, 80000002h
		cmp	eax, 80000002h
		jnz	short loc_9C2B39
		mov	eax, [ebx]
		mov	ecx, [esi]

loc_9C2B39:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+2Ej
		test	ecx, 1
		jnz	short loc_9C2B45
		mov	esi, ecx
		jmp	short loc_9C2B6E
; 

loc_9C2B45:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+1Ej
					; TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+3Aj
		mov	ecx, [edi+0A4h]
		add	edx, 4
		mov	eax, [edi+0A8h]
		shr	ecx, 5
		lea	ecx, [eax+ecx*4]
		jmp	short loc_9C2B65
; 

loc_9C2B5C:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+62j
		mov	eax, [edx]
		test	al, 1
		jz	short loc_9C2B99
		add	edx, 4

loc_9C2B65:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+55j
		cmp	edx, ecx
		jb	short loc_9C2B5C
		mov	edx, [ebp+var_4]
		mov	ecx, ebx

loc_9C2B6E:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+3Ej
					; TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+9Bj
		test	ecx, ecx
		jz	loc_9C2C01
		mov	eax, [esi]
		mov	ecx, 80000002h
		and	eax, ecx
		mov	ebx, esi
		cmp	eax, ecx
		jnz	short loc_9C2B89
		xor	eax, eax
		mov	eax, [eax]

loc_9C2B89:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+7Ej
		mov	ecx, edx

loc_9C2B8B:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+92j
		mov	eax, [ecx]
		test	al, 1
		jnz	short loc_9C2BB6
		cmp	eax, esi
		jz	short loc_9C2BA2
		mov	ecx, eax
		jmp	short loc_9C2B8B
; 

loc_9C2B99:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+5Bj
		mov	esi, eax
		mov	[ebp+var_4], edx
		mov	ecx, esi
		jmp	short loc_9C2B6E
; 

loc_9C2BA2:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+8Ej
		mov	eax, [esi]
		mov	[ecx], eax
		dec	dword ptr [edi+0A0h]
		or	dword ptr [esi], 80000002h
		mov	esi, ecx
		jmp	short loc_9C2BBC
; 

loc_9C2BB6:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+8Aj
		xor	ecx, ecx
		mov	ebx, ecx
		mov	eax, [ecx]

loc_9C2BBC:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+AFj
		lea	edi, [ebx+1Ch]

loc_9C2BBF:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+DFj
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_9C2BE6
		cmp	[eax+4], edi
		jnz	short loc_9C2BFC
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_9C2BFC
		push	52507454h
		add	eax, 0FFFFFFFCh
		mov	[edi], ecx
		push	eax
		mov	[ecx+4], edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9C2BBF
; 

loc_9C2BE6:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+BEj
		push	52507454h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [ebp+var_8]
		mov	edx, [ebp+var_4]
		jmp	loc_9C2B1F
; 

loc_9C2BFC:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+C3j
					; TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+CAj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9C2C01:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+6Bj
		mov	eax, [edi+0A8h]
		pop	edi
		pop	esi
		pop	ebx
		test	eax, eax
		jz	short locret_9C2C19
		push	52507454h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_9C2C19:				; CODE XREF: TtmpCleanupPowerRequestsTrackingFromCurrentSession(x)+107j
		leave
		retn
_TtmpCleanupPowerRequestsTrackingFromCurrentSession@4 endp


;  S U B	R O U T	I N E 


; __stdcall TtmpDeactivateSessionWorker(x)
_TtmpDeactivateSessionWorker@4 proc near ; CODE	XREF: TtmpSessionWorker(x)+174p
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+4]
		test	al, 4
		jz	short loc_9C2C2D

loc_9C2C29:				; CODE XREF: TtmpDeactivateSessionWorker(x)+71j
		xor	eax, eax
		jmp	short loc_9C2C68
; 

loc_9C2C2D:				; CODE XREF: TtmpDeactivateSessionWorker(x)+Cj
		test	eax, 180h
		jnz	short loc_9C2C63
		test	al, 8
		jz	short loc_9C2C46
		and	eax, 0FFFFFFF7h
		mov	[esi+4], eax
		call	_TtmiLogSessionDeactivate@0 ; TtmiLogSessionDeactivate()
		mov	eax, [esi+4]

loc_9C2C46:				; CODE XREF: TtmpDeactivateSessionWorker(x)+1Bj
		test	eax, 400h
		jnz	short loc_9C2C6C
		test	al, 40h
		jnz	short loc_9C2C63
		push	dword ptr [esi+10h]
		or	eax, 40h
		xor	dl, dl
		mov	ecx, esi
		mov	[esi+4], eax
		call	_TtmpSessionPowerControl@12 ; TtmpSessionPowerControl(x,x,x)

loc_9C2C63:				; CODE XREF: TtmpDeactivateSessionWorker(x)+17j
					; TtmpDeactivateSessionWorker(x)+34j
		mov	eax, 103h

loc_9C2C68:				; CODE XREF: TtmpDeactivateSessionWorker(x)+10j
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_9C2C6C:				; CODE XREF: TtmpDeactivateSessionWorker(x)+30j
		mov	edi, 200h
		test	eax, edi
		jnz	short loc_9C2C86
		push	dword ptr [esi+10h]
		mov	dl, 1
		mov	ecx, esi
		call	_TtmpInitiateModernStandbyTransition@12	; TtmpInitiateModernStandbyTransition(x,x,x)
		mov	eax, [esi+4]
		or	eax, edi

loc_9C2C86:				; CODE XREF: TtmpDeactivateSessionWorker(x)+58j
		and	eax, 0FFFFFFDFh
		mov	[esi+4], eax
		jmp	short loc_9C2C29
_TtmpDeactivateSessionWorker@4 endp


;  S U B	R O U T	I N E 


; __stdcall TtmpDereferenceSessionMaybeLast(x)
_TtmpDereferenceSessionMaybeLast@4 proc	near
					; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+B8p
					; TtmCleanupCurrentSession()+7Bp ...
		mov	edi, edi
		push	esi
		or	esi, 0FFFFFFFFh
		lock xadd [ecx+8], esi
		dec	esi
		jnz	short loc_9C2CA7
		push	536D7454h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9C2CA7:				; CODE XREF: TtmpDereferenceSessionMaybeLast(x)+Cj
		mov	eax, esi
		pop	esi
		retn
_TtmpDereferenceSessionMaybeLast@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpFindPowerRequestEntryById(x, x,	x)
_TtmpFindPowerRequestEntryById@12 proc near
					; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+23p
					; TtmpSetDisplayRequestEnded(x,x)+19p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	eax, ecx
		mov	[ebp+var_8], edx
		xor	edi, edi
		mov	[ebp+var_C], eax
		mov	esi, edi

loc_9C2CC2:				; CODE XREF: TtmpFindPowerRequestEntryById(x,x,x)+9Ej
		mov	edx, [eax+0A4h]
		mov	ecx, edx
		and	ecx, 1Fh
		or	eax, 0FFFFFFFFh
		shl	eax, cl
		mov	ebx, eax
		mov	[ebp+var_10], eax
		and	ebx, [ebp+var_8]
		mov	[ebp+var_4], ebx
		test	esi, esi
		jnz	short loc_9C2D1B
		shr	edx, 5
		test	edx, edx
		jz	short loc_9C2D4E
		movzx	eax, bl
		imul	ecx, eax, 25h
		movzx	eax, bh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	ecx, 25h
		add	eax, 164B2F3Fh
		add	eax, ecx
		lea	ecx, [edx-1]
		and	ecx, eax
		mov	eax, [ebp+var_C]
		mov	eax, [eax+0A8h]
		lea	esi, [eax+ecx*4]

loc_9C2D1B:				; CODE XREF: TtmpFindPowerRequestEntryById(x,x,x)+34j
		mov	ecx, [ebp+var_10]

loc_9C2D1E:				; CODE XREF: TtmpFindPowerRequestEntryById(x,x,x)+86j
		mov	esi, [esi]
		test	esi, 1
		jnz	short loc_9C2D33
		mov	eax, [esi+4]
		and	eax, ecx
		cmp	ebx, eax
		jz	short loc_9C2D35
		jmp	short loc_9C2D1E
; 

loc_9C2D33:				; CODE XREF: TtmpFindPowerRequestEntryById(x,x,x)+7Bj
		mov	esi, edi

loc_9C2D35:				; CODE XREF: TtmpFindPowerRequestEntryById(x,x,x)+84j
		test	esi, esi
		jz	short loc_9C2D54
		push	[ebp+var_8]
		push	esi
		call	_TtmpPowerRequestEntryComparator@8 ; TtmpPowerRequestEntryComparator(x,x)
		test	eax, eax
		jnz	short loc_9C2D50
		mov	eax, [ebp+var_C]
		jmp	loc_9C2CC2
; 

loc_9C2D4E:				; CODE XREF: TtmpFindPowerRequestEntryById(x,x,x)+3Bj
		mov	esi, edi

loc_9C2D50:				; CODE XREF: TtmpFindPowerRequestEntryById(x,x,x)+99j
		test	esi, esi
		jnz	short loc_9C2D6C

loc_9C2D54:				; CODE XREF: TtmpFindPowerRequestEntryById(x,x,x)+8Cj
		push	0FFFFFFFFh
		push	0C0000225h
		mov	edx, 191h
		mov	ecx, (offset loc_8BDDD7+1)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C2D6E
; 

loc_9C2D6C:				; CODE XREF: TtmpFindPowerRequestEntryById(x,x,x)+A7j
		mov	edi, esi

loc_9C2D6E:				; CODE XREF: TtmpFindPowerRequestEntryById(x,x,x)+BFj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_9C2D77
		mov	[eax], edi

loc_9C2D77:				; CODE XREF: TtmpFindPowerRequestEntryById(x,x,x)+C8j
		test	edi, edi
		pop	edi
		pop	esi
		setnz	al
		pop	ebx
		leave
		retn	4
_TtmpFindPowerRequestEntryById@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpInitiateModernStandbyTransition(x, x, x)
_TtmpInitiateModernStandbyTransition@12	proc near
					; CODE XREF: TtmpActivateSessionWorker(x)+43p
					; TtmpDeactivateSessionWorker(x)+61p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	bl, dl
		mov	edx, [ebp+arg_0]
		push	edi
		mov	edi, ecx
		mov	cl, bl
		call	_TtmiLogInitiateModernStandbyTransitionStart@8 ; TtmiLogInitiateModernStandbyTransitionStart(x,x)
		and	dword ptr [edi+88h], 0
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edx, [ebp+arg_0]
		mov	cl, bl
		call	_PoTtmInitiatePowerStateTransition@8 ; PoTtmInitiatePowerStateTransition(x,x)
		mov	ecx, large fs:124h
		mov	esi, eax
		dec	word ptr [ecx+13Ch]
		nop
		push	1
		push	offset _TtmpSessionLock
		call	ExAcquireResourceExclusiveLite
		mov	ecx, large fs:124h
		mov	[edi+88h], ecx
		mov	ecx, esi
		call	_TtmiLogInitiateModernStandbyTransitionStop@4 ;	TtmiLogInitiateModernStandbyTransitionStop(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_TtmpInitiateModernStandbyTransition@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpInsertPowerRequestToSession(x, x, x, x,	x, x)
_TtmpInsertPowerRequestToSession@24 proc near
					; CODE XREF: PopNotifySessionUserPowerRequestCreated+E4BDBp
					; TtmNotifySessionPowerRequestPresent(x,x,x,x,x,x,x)+1Fp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		mov	edx, ecx
		mov	[esp+30h+var_10], edi
		lea	ecx, [esp+30h+var_14]
		mov	[esp+30h+var_14], ebx
		call	_TtmpAcquireSessionById@8 ; TtmpAcquireSessionById(x,x)
		test	eax, eax
		jns	short loc_9C2E33
		push	0FFFFFFFFh
		push	eax
		mov	edx, 0D5Ah

loc_9C2E24:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+67j
		mov	ecx, offset ??_C@_0CA@DCLMPIDB@TtmpInsertPowerRequestToSession@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	loc_9C3061
; 

loc_9C2E33:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+27j
		push	52507454h
		push	24h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+30h+var_18], esi
		test	esi, esi
		jnz	short loc_9C2E5C
		push	0FFFFFFFFh
		push	0C000009Ah
		mov	edx, 0D63h
		jmp	short loc_9C2E24
; 

loc_9C2E5C:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+59j
		mov	eax, [ebp+arg_0]
		mov	ebx, [esp+30h+var_14]
		and	[esp+30h+var_1C], 0
		add	ebx, 0A0h
		mov	[esi+0Ch], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+10h], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+14h], eax
		mov	eax, [ebp+arg_C]
		mov	[esi+18h], eax
		lea	eax, [esi+1Ch]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[esi+4], edi
		mov	[esi+8], edi
		mov	edi, [ebx+4]
		mov	ecx, edi
		shr	ecx, 5
		mov	[esp+30h+var_4], ebx
		lea	eax, [ecx+ecx]
		cmp	[ebx], eax
		jb	loc_9C3005
		push	2
		mov	eax, ecx
		pop	ecx
		mul	ecx
		lea	ecx, [esp+30h+var_1C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		jns	short loc_9C2EC7
		mov	eax, [esp+30h+var_10]
		jmp	loc_9C3008
; 

loc_9C2EC7:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+C9j
		mov	esi, [esp+30h+var_1C]
		cmp	esi, 4
		jnb	short loc_9C2ED3
		push	4
		pop	esi

loc_9C2ED3:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+DBj
		xor	edi, edi
		mov	eax, esi
		push	edi
		shl	eax, 2
		push	eax
		call	_TtmpPowerRequestHashAllocator@8 ; TtmpPowerRequestHashAllocator(x,x)
		mov	ecx, eax
		mov	[esp+30h+var_20], ecx
		test	ecx, ecx
		jz	loc_9C3082
		lea	eax, [esi-1]
		test	eax, esi
		jz	short loc_9C2F0B
		or	ecx, 0FFFFFFFFh
		test	esi, esi
		jz	short loc_9C2F02

loc_9C2EFD:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+10Dj
		inc	ecx
		shr	esi, 1
		jnz	short loc_9C2EFD

loc_9C2F02:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+108j
		xor	esi, esi
		inc	esi
		shl	esi, cl
		mov	ecx, [esp+30h+var_20]

loc_9C2F0B:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+101j
		mov	eax, 4000000h
		cmp	esi, eax
		jbe	short loc_9C2F16
		mov	esi, eax

loc_9C2F16:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+11Fj
		mov	[esp+30h+var_10], ecx
		mov	edx, esi
		shl	edx, 2
		mov	eax, ebx
		add	ecx, edx
		mov	[esp+30h+var_1C], edi
		or	eax, 1
		shr	edx, 2
		cmp	ecx, [esp+30h+var_20]
		sbb	ecx, ecx
		not	ecx
		and	ecx, edx
		jbe	short loc_9C2F4C
		mov	edx, [esp+30h+var_10]

loc_9C2F3D:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+157j
		inc	[esp+30h+var_1C]
		mov	[edx], eax
		lea	edx, [edx+4]
		cmp	[esp+30h+var_1C], ecx
		jb	short loc_9C2F3D

loc_9C2F4C:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+144j
		mov	eax, [ebx+4]
		or	edx, 0FFFFFFFFh
		mov	ecx, eax
		and	ecx, 1Fh
		shl	edx, cl
		mov	[esp+30h+var_C], edx
		test	eax, 0FFFFFFE0h
		jbe	short loc_9C2FDA

loc_9C2F64:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+1E5j
		mov	edx, [ebx+8]
		mov	[esp+30h+var_8], edx

loc_9C2F6B:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+1D6j
		mov	ecx, [edx+edi*4]
		mov	[esp+30h+var_10], ecx
		test	ecx, 1
		jnz	short loc_9C2FCB
		mov	eax, [ecx]
		mov	[edx+edi*4], eax
		mov	edx, [ecx+4]
		and	edx, [esp+30h+var_C]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	ebx, [esp+30h+var_10]
		imul	ecx, eax, 25h
		movzx	eax, dh
		mov	[esp+30h+var_1C], edx
		lea	edx, [esi-1]
		add	ecx, eax
		movzx	eax, byte ptr [esp+30h+var_1C+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [esp+30h+var_1C+3]
		imul	ecx, 25h
		add	ecx, eax
		and	edx, ecx
		mov	ecx, [esp+30h+var_20]
		mov	eax, [ecx+edx*4]
		mov	[ebx], eax
		mov	eax, ebx
		mov	[ecx+edx*4], eax
		mov	edx, [esp+30h+var_8]
		jmp	short loc_9C2F6B
; 

loc_9C2FCB:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+185j
		mov	ebx, [esp+30h+var_4]
		inc	edi
		mov	eax, [ebx+4]
		shr	eax, 5
		cmp	edi, eax
		jb	short loc_9C2F64

loc_9C2FDA:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+16Fj
		mov	edi, [ebx+4]
		mov	ecx, [ebx+8]
		and	edi, 1Fh
		mov	eax, [esp+30h+var_20]
		shl	esi, 5
		or	edi, esi
		mov	[ebx+8], eax
		mov	[ebx+4], edi
		test	ecx, ecx
		jz	short loc_9C3001
		push	0
		push	ecx
		call	_TtmpPowerRequestHashDeallocator@8 ; TtmpPowerRequestHashDeallocator(x,x)
		mov	edi, [ebx+4]

loc_9C3001:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+201j
					; TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+295j
		mov	esi, [esp+30h+var_18]

loc_9C3005:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+AFj
		mov	eax, [esi+4]

loc_9C3008:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+CFj
		mov	edx, edi
		and	edi, 1Fh
		mov	ecx, edi
		shr	edx, 5
		or	edi, 0FFFFFFFFh
		shl	edi, cl
		mov	ecx, edi
		mov	[esp+30h+var_18], edi
		and	ecx, eax
		movzx	eax, cl
		mov	[esp+30h+var_10], ecx
		add	eax, offset unk_B15DCB
		mov	[esp+30h+var_18], ecx
		imul	ecx, eax, 25h
		mov	eax, [esp+30h+var_18]
		movzx	eax, ah
		add	ecx, eax
		movzx	eax, byte ptr [esp+30h+var_10+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [esp+30h+var_10+3]
		imul	ecx, 25h
		add	ecx, eax
		dec	edx
		and	edx, ecx
		mov	ecx, [ebx+8]
		mov	eax, [ecx+edx*4]
		mov	[esi], eax
		mov	[ecx+edx*4], esi
		inc	dword ptr [ebx]
		mov	bl, 1

loc_9C3061:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+3Bj
					; TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+2C1j
		cmp	[esp+30h+var_14], 0
		jz	short loc_9C3077
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C3077:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+273j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_9C3082:				; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+F6j
		mov	edi, [ebx+4]
		cmp	edi, 20h
		jnb	loc_9C3001
		push	0FFFFFFFFh
		push	0C000009Ah
		mov	edx, 0D7Ah
		mov	ecx, offset ??_C@_0CA@DCLMPIDB@TtmpInsertPowerRequestToSession@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		push	52507454h
		push	[esp+34h+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx
		jmp	short loc_9C3061
_TtmpInsertPowerRequestToSession@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpPowerRequestEntryComparator(x, x)
_TtmpPowerRequestEntryComparator@8 proc	near
					; CODE XREF: TtmpFindPowerRequestEntryById(x,x,x)+92p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	ecx, [ecx+8]
		cmp	ecx, [ebp+arg_4]
		setz	al
		pop	ebp
		retn	8
_TtmpPowerRequestEntryComparator@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpPowerRequestHashAllocator(x, x)
_TtmpPowerRequestHashAllocator@8 proc near
					; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+E9p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	52507454h
		push	[ebp+arg_0]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_TtmpPowerRequestHashAllocator@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpPowerRequestHashDeallocator(x, x)
_TtmpPowerRequestHashDeallocator@8 proc	near
					; CODE XREF: TtmpInsertPowerRequestToSession(x,x,x,x,x,x)+206p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	52507454h
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	8
_TtmpPowerRequestHashDeallocator@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpPublishDisplayRequiredPowerRequestEvents(x, x)
_TtmpPublishDisplayRequiredPowerRequestEvents@8	proc near
					; CODE XREF: TtmiWriteEnumerationEventsToQueue(x,x)+36p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	ebx, [edi+0A8h]
		mov	esi, ebx

loc_9C3114:				; CODE XREF: TtmpPublishDisplayRequiredPowerRequestEvents(x,x)+70j
					; TtmpPublishDisplayRequiredPowerRequestEvents(x,x)+7Dj
		test	esi, esi
		jz	short loc_9C313C
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, 80000002h
		cmp	eax, 80000002h
		jnz	short loc_9C312E
		xor	eax, eax
		mov	eax, [eax]
		mov	ecx, [esi]

loc_9C312E:				; CODE XREF: TtmpPublishDisplayRequiredPowerRequestEvents(x,x)+28j
		test	ecx, 1
		jnz	short loc_9C313C
		mov	esi, ecx
		xor	eax, eax
		jmp	short loc_9C3167
; 

loc_9C313C:				; CODE XREF: TtmpPublishDisplayRequiredPowerRequestEvents(x,x)+18j
					; TtmpPublishDisplayRequiredPowerRequestEvents(x,x)+36j
		mov	ecx, [edi+0A4h]
		lea	edx, [ebx+4]
		mov	eax, [edi+0A8h]
		shr	ecx, 5
		lea	ecx, [eax+ecx*4]
		jmp	short loc_9C315C
; 

loc_9C3153:				; CODE XREF: TtmpPublishDisplayRequiredPowerRequestEvents(x,x)+60j
		mov	eax, [edx]
		test	al, 1
		jz	short loc_9C317D
		add	edx, 4

loc_9C315C:				; CODE XREF: TtmpPublishDisplayRequiredPowerRequestEvents(x,x)+53j
		cmp	edx, ecx
		jb	short loc_9C3153
		xor	eax, eax
		mov	ecx, eax

loc_9C3164:				; CODE XREF: TtmpPublishDisplayRequiredPowerRequestEvents(x,x)+87j
		mov	edx, [ebp+var_4]

loc_9C3167:				; CODE XREF: TtmpPublishDisplayRequiredPowerRequestEvents(x,x)+3Cj
		test	ecx, ecx
		jz	short loc_9C3187
		cmp	[ecx+18h], eax
		jbe	short loc_9C3114
		push	ecx
		mov	ecx, edi
		call	_TtmpWriteDisplayRequiredPowerRequestUpdatedEvent@12 ; TtmpWriteDisplayRequiredPowerRequestUpdatedEvent(x,x,x)
		mov	edx, [ebp+var_4]
		jmp	short loc_9C3114
; 

loc_9C317D:				; CODE XREF: TtmpPublishDisplayRequiredPowerRequestEvents(x,x)+59j
		mov	esi, eax
		mov	ebx, edx
		mov	ecx, esi
		xor	eax, eax
		jmp	short loc_9C3164
; 

loc_9C3187:				; CODE XREF: TtmpPublishDisplayRequiredPowerRequestEvents(x,x)+6Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpPublishDisplayRequiredPowerRequestEvents@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpSessionPowerControl(x, x, x)
_TtmpSessionPowerControl@12 proc near	; CODE XREF: TtmpActivateSessionWorker(x)+79p
					; TtmpDeactivateSessionWorker(x)+43p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	bl, dl
		mov	edx, [ebp+arg_0]
		mov	cl, bl
		mov	esi, [edi]
		call	_TtmiLogSessionPowerControlStart@8 ; TtmiLogSessionPowerControlStart(x,x)
		and	dword ptr [edi+88h], 0
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edx, [ebp+arg_0]
		mov	cl, bl
		push	esi
		call	_PoSessionPowerControl@12 ; PoSessionPowerControl(x,x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _TtmpSessionLock
		call	ExAcquireResourceExclusiveLite
		mov	eax, large fs:124h
		mov	[edi+88h], eax
		call	_TtmiLogSessionPowerControlStop@0 ; TtmiLogSessionPowerControlStop()
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_TtmpSessionPowerControl@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpSessionWorker(x)
_TtmpSessionWorker@4 proc near		; DATA XREF: TtmInitCurrentSession()+113o

var_30		= byte ptr -30h
var_2F		= byte ptr -2Fh
var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+40h+var_1C]
		mov	[esp+40h+var_2E], al
		rep stosd
		mov	[esp+40h+var_2F], al
		mov	[esp+40h+var_2D], al
		mov	[esp+40h+var_20], eax
		call	_TtmpAcquireSessionLock@0 ; TtmpAcquireSessionLock()
		mov	ebx, [esi]
		mov	ecx, ebx
		mov	[esp+40h+var_28], ebx
		call	_TtmiLogSessionWorkerStart@4 ; TtmiLogSessionWorkerStart(x)
		mov	ecx, [esi+4]
		mov	eax, large fs:124h
		and	ecx, 0FFFFFFFEh
		or	ecx, 2
		mov	[esi+88h], eax
		mov	[esi+4], ecx
		test	cl, 4
		jnz	short loc_9C32AD
		mov	ecx, ebx
		call	_MmGetSessionById@4 ; MmGetSessionById(x)
		mov	ebx, eax
		mov	[esp+40h+var_20], ebx
		test	ebx, ebx
		jnz	short loc_9C328A
		mov	edi, 0C0000455h
		mov	edx, 0B62h
		push	edi
		push	0FFFFFFFFh

loc_9C327B:				; CODE XREF: TtmpSessionWorker(x)+ABj
		mov	ecx, offset ??_C@_0BC@BCJCLPBN@TtmpSessionWorker@NNGAKEGL@ ; "TtmpSessionWorker"
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	loc_9C33AF
; 

loc_9C328A:				; CODE XREF: TtmpSessionWorker(x)+75j
		lea	edx, [esp+40h+var_1C]
		mov	ecx, ebx
		call	MmAttachSession
		mov	edi, eax
		test	edi, edi
		jns	short loc_9C32A4
		push	edi
		push	edi
		mov	edx, 0B6Bh
		jmp	short loc_9C327B
; 

loc_9C32A4:				; CODE XREF: TtmpSessionWorker(x)+A2j
		mov	ebx, [esp+40h+var_28]
		mov	[esp+40h+var_2D], 1

loc_9C32AD:				; CODE XREF: TtmpSessionWorker(x)+64j
		mov	eax, [esi+84h]
		xor	edi, edi
		and	[esi+84h], edi
		and	eax, 7
		push	1
		pop	ecx
		jmp	loc_9C338D
; 

loc_9C32C6:				; CODE XREF: TtmpSessionWorker(x)+19Ej
		push	ecx
		mov	edx, eax
		mov	ecx, ebx
		call	_TtmiLogSessionWorkerPass@12 ; TtmiLogSessionWorkerPass(x,x,x)
		mov	eax, [esp+40h+var_2C]
		test	al, 2
		jz	short loc_9C3312
		and	eax, 0FFFFFFFDh
		lea	edx, [esp+11h]
		mov	[esp+40h+var_2C], eax
		mov	ecx, esi
		lea	eax, [esp+40h+var_2E]
		push	eax
		call	_TtmiSessionTerminalListWorker@12 ; TtmiSessionTerminalListWorker(x,x,x)
		movzx	ecx, [esp+40h+var_2F]
		mov	eax, [esp+40h+var_2C]
		shl	ecx, 2
		or	ecx, eax
		xor	ecx, eax
		and	ecx, 4
		xor	eax, ecx
		movzx	ecx, [esp+40h+var_2E]
		or	ecx, eax
		xor	ecx, eax
		and	ecx, 1
		xor	eax, ecx

loc_9C3312:				; CODE XREF: TtmpSessionWorker(x)+DFj
		mov	ebx, eax
		and	eax, 0FFFFFFFBh
		shr	ebx, 2
		mov	[esp+40h+var_2C], eax
		test	bl, bl
		jz	short loc_9C3354
		test	byte ptr [esi+4], 10h
		jz	short loc_9C3354
		mov	ecx, esi
		call	_TtmpActivateSessionWorker@4 ; TtmpActivateSessionWorker(x)
		mov	edi, eax
		cmp	edi, 103h
		jz	short loc_9C3350
		mov	eax, [esi+4]
		test	eax, 1000h
		jz	short loc_9C3350
		and	eax, 0FFFFEFFFh
		mov	[esi+4], eax
		xor	eax, eax
		inc	eax
		jmp	short loc_9C3354
; 

loc_9C3350:				; CODE XREF: TtmpSessionWorker(x)+140j
					; TtmpSessionWorker(x)+14Aj
		mov	eax, [esp+40h+var_2C]

loc_9C3354:				; CODE XREF: TtmpSessionWorker(x)+129j
					; TtmpSessionWorker(x)+12Fj ...
		test	al, 1
		jz	short loc_9C335F
		mov	ecx, esi
		call	_TtmiSessionDeviceListWorker@4 ; TtmiSessionDeviceListWorker(x)

loc_9C335F:				; CODE XREF: TtmpSessionWorker(x)+15Fj
		test	bl, bl
		jz	short loc_9C3372
		test	byte ptr [esi+4], 20h
		jz	short loc_9C3372
		mov	ecx, esi
		call	_TtmpDeactivateSessionWorker@4 ; TtmpDeactivateSessionWorker(x)
		mov	edi, eax

loc_9C3372:				; CODE XREF: TtmpSessionWorker(x)+16Aj
					; TtmpSessionWorker(x)+170j
		mov	eax, [esi+84h]
		and	dword ptr [esi+84h], 0
		and	eax, 7
		mov	ecx, [esp+40h+var_24]
		mov	ebx, [esp+40h+var_28]
		inc	ecx
		test	eax, eax

loc_9C338D:				; CODE XREF: TtmpSessionWorker(x)+CAj
		mov	[esp+40h+var_24], ecx
		mov	[esp+40h+var_2C], eax
		jnz	loc_9C32C6
		cmp	[esp+40h+var_2D], 0
		jz	short loc_9C33AF
		mov	ecx, [esp+40h+var_20]
		lea	edx, [esp+40h+var_1C]
		call	MmDetachSession

loc_9C33AF:				; CODE XREF: TtmpSessionWorker(x)+8Ej
					; TtmpSessionWorker(x)+1A9j
		and	dword ptr [esi+4], 0FFFFFFFDh
		mov	ecx, offset _TtmpSessionLock
		and	dword ptr [esi+88h], 0
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, esi
		call	_TtmpDereferenceSessionMaybeLast@4 ; TtmpDereferenceSessionMaybeLast(x)
		mov	ecx, [esp+40h+var_28]
		mov	edx, edi
		call	_TtmiLogSessionWorkerStop@8 ; TtmiLogSessionWorkerStop(x,x)
		mov	ecx, [esp+40h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_TtmpSessionWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpSetDisplayRequestEnded(x, x)
_TtmpSetDisplayRequestEnded@8 proc near	; CODE XREF: TtmpUpdateDisplayRequiredPowerRequest(x,x,x)+88p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		push	eax
		mov	edi, ecx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		call	_TtmpFindPowerRequestEntryById@12 ; TtmpFindPowerRequestEntryById(x,x,x)
		test	al, al
		jz	loc_9C34C1
		mov	esi, [ebp+var_4]
		add	esi, 1Ch

loc_9C341B:				; CODE XREF: TtmpSetDisplayRequestEnded(x,x)+8Aj
					; TtmpSetDisplayRequestEnded(x,x)+BBj
		mov	eax, [esi]
		cmp	eax, esi
		jz	loc_9C34B4
		cmp	[eax+4], esi
		jnz	loc_9C34AF
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_9C34AF
		add	eax, 0FFFFFFFCh
		mov	[esi], ecx
		mov	[ecx+4], esi
		mov	edx, edi
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_4], eax
		push	dword ptr [eax]
		call	_TtmiGetTerminalById@12	; TtmiGetTerminalById(x,x,x)
		test	eax, eax
		js	short loc_9C348B
		mov	ecx, [ebp+var_8]
		cmp	dword ptr [ecx+0Ch], 546D7454h
		jnz	short loc_9C349D
		mov	eax, [ecx+14h]
		test	eax, eax
		jnz	short loc_9C347B
		push	0FFFFFFFFh
		push	0C000000Dh
		mov	edx, 2CEh
		mov	ecx, offset ??_C@_0BL@NMBCILAH@TtmpSetDisplayRequestEnded@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C341B
; 

loc_9C347B:				; CODE XREF: TtmpSetDisplayRequestEnded(x,x)+72j
		sub	eax, 1
		mov	[ecx+14h], eax
		jnz	short loc_9C349D
		or	dword ptr [ecx+18h], 24h
		mov	bl, 1
		jmp	short loc_9C349D
; 

loc_9C348B:				; CODE XREF: TtmpSetDisplayRequestEnded(x,x)+5Fj
		push	0FFFFFFFFh
		push	eax
		mov	edx, 2E0h
		mov	ecx, offset ??_C@_0BL@NMBCILAH@TtmpSetDisplayRequestEnded@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)

loc_9C349D:				; CODE XREF: TtmpSetDisplayRequestEnded(x,x)+6Bj
					; TtmpSetDisplayRequestEnded(x,x)+92j ...
		push	52507454h
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_9C341B
; 

loc_9C34AF:				; CODE XREF: TtmpSetDisplayRequestEnded(x,x)+39j
					; TtmpSetDisplayRequestEnded(x,x)+44j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9C34B4:				; CODE XREF: TtmpSetDisplayRequestEnded(x,x)+30j
		test	bl, bl
		jz	short loc_9C34C1
		push	2
		mov	ecx, edi
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)

loc_9C34C1:				; CODE XREF: TtmpSetDisplayRequestEnded(x,x)+20j
					; TtmpSetDisplayRequestEnded(x,x)+C7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpSetDisplayRequestEnded@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	TtmpTerminal0PowerSettingCallback(void *,int,int,int)
_TtmpTerminal0PowerSettingCallback@16 proc near	; DATA XREF: TtmInitCurrentSession()+16Co
					; TtmInitCurrentSession()+18Bo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _TtmpSessionLock
		push	edi
		call	ExAcquireResourceExclusiveLite
		cmp	[ebp+arg_8], 4
		jnz	short loc_9C3543
		cmp	byte ptr [esi+8Ch], 0
		jz	short loc_9C3543
		test	byte ptr [esi+4], 4
		jnz	short loc_9C3543
		push	10h		; size_t
		push	(offset	loc_408998+4) ;	void *
		push	[ebp+arg_0]	; void *
		call	_memcmp
		mov	ecx, [ebp+arg_4]
		add	esp, 0Ch
		mov	ecx, [ecx]
		test	eax, eax
		jnz	short loc_9C3529
		mov	eax, [esi+9Ch]
		mov	[esi+98h], ecx
		jmp	short loc_9C3537
; 

loc_9C3529:				; CODE XREF: TtmpTerminal0PowerSettingCallback(x,x,x,x)+53j
		mov	[esi+9Ch], ecx
		mov	eax, ecx
		mov	ecx, [esi+98h]

loc_9C3537:				; CODE XREF: TtmpTerminal0PowerSettingCallback(x,x,x,x)+61j
		mov	edx, [esi+1Ch]
		push	eax
		push	ecx
		mov	ecx, esi
		call	_TtmiTerminalSetDisplayTimeouts@16 ; TtmiTerminalSetDisplayTimeouts(x,x,x,x)

loc_9C3543:				; CODE XREF: TtmpTerminal0PowerSettingCallback(x,x,x,x)+29j
					; TtmpTerminal0PowerSettingCallback(x,x,x,x)+32j ...
		mov	ecx, edi
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	10h
_TtmpTerminal0PowerSettingCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpUpdateDisplayRequiredPowerRequest(x, x,	x)
_TtmpUpdateDisplayRequiredPowerRequest@12 proc near
					; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+4Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		push	eax
		mov	edi, edx
		mov	byte ptr [ebp+var_8], 0
		mov	esi, ecx
		call	_TtmpFindPowerRequestEntryById@12 ; TtmpFindPowerRequestEntryById(x,x,x)
		test	al, al
		jz	short loc_9C35E8
		cmp	[ebp+arg_0], 0
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+18h]
		jz	short loc_9C35B7
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9C35A2
		push	eax
		push	0C0000095h
		mov	edx, 443h

loc_9C3596:				; CODE XREF: TtmpUpdateDisplayRequiredPowerRequest(x,x,x)+70j
		mov	ecx, offset ??_C@_0CG@MIPDLOBK@TtmpUpdateDisplayRequiredPowerR@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C35E8
; 

loc_9C35A2:				; CODE XREF: TtmpUpdateDisplayRequiredPowerRequest(x,x,x)+32j
		inc	eax
		mov	[ecx+18h], eax
		cmp	eax, 1
		jnz	short loc_9C35E4
		push	ecx
		xor	edx, edx
		mov	ecx, esi
		call	_TtmpWriteDisplayRequiredPowerRequestUpdatedEvent@12 ; TtmpWriteDisplayRequiredPowerRequestUpdatedEvent(x,x,x)
		jmp	short loc_9C35E4
; 

loc_9C35B7:				; CODE XREF: TtmpUpdateDisplayRequiredPowerRequest(x,x,x)+2Dj
		test	eax, eax
		jnz	short loc_9C35C9
		push	0FFFFFFFFh
		push	0C000000Dh
		mov	edx, 45Ch
		jmp	short loc_9C3596
; 

loc_9C35C9:				; CODE XREF: TtmpUpdateDisplayRequiredPowerRequest(x,x,x)+62j
		sub	eax, 1
		mov	[ecx+18h], eax
		jnz	short loc_9C35E4
		push	ecx
		xor	edx, edx
		mov	ecx, esi
		call	_TtmpWriteDisplayRequiredPowerRequestUpdatedEvent@12 ; TtmpWriteDisplayRequiredPowerRequestUpdatedEvent(x,x,x)
		mov	edx, edi
		mov	ecx, esi
		call	_TtmpSetDisplayRequestEnded@8 ;	TtmpSetDisplayRequestEnded(x,x)

loc_9C35E4:				; CODE XREF: TtmpUpdateDisplayRequiredPowerRequest(x,x,x)+52j
					; TtmpUpdateDisplayRequiredPowerRequest(x,x,x)+5Ej ...
		mov	byte ptr [ebp+var_8], 1

loc_9C35E8:				; CODE XREF: TtmpUpdateDisplayRequiredPowerRequest(x,x,x)+21j
					; TtmpUpdateDisplayRequiredPowerRequest(x,x,x)+49j
		push	[ebp+var_8]
		mov	ecx, [esi]
		mov	edx, edi
		call	_TtmiLogSessionDisplayRequiredPowerRequestUpdated@12 ; TtmiLogSessionDisplayRequiredPowerRequestUpdated(x,x,x)
		pop	edi
		pop	esi
		leave
		retn	4
_TtmpUpdateDisplayRequiredPowerRequest@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpUpdatePowerRequestAttribute(x, x, x, x,	x, x)
_TtmpUpdatePowerRequestAttribute@24 proc near
					; CODE XREF: TtmNotifySessionPowerRequestPresent(x,x,x,x,x,x,x):loc_9C2293p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		mov	edx, ecx
		mov	[ebp+var_4], ebx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_8], ebx
		call	_TtmpAcquireSessionById@8 ; TtmpAcquireSessionById(x,x)
		test	eax, eax
		jns	short loc_9C362F
		push	0FFFFFFFFh
		push	eax
		mov	edx, 0DCEh
		mov	ecx, (offset loc_8BDEBC+4)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C3664
; 

loc_9C362F:				; CODE XREF: TtmpUpdatePowerRequestAttribute(x,x,x,x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		mov	edx, esi
		call	_TtmpFindPowerRequestEntryById@12 ; TtmpFindPowerRequestEntryById(x,x,x)
		test	al, al
		jz	short loc_9C3664
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+0Ch]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_9C3664
		mov	eax, [ecx+10h]
		cmp	eax, [ebp+arg_4]
		jnz	short loc_9C3664
		mov	eax, [ecx+18h]
		cmp	eax, [ebp+arg_C]
		jnz	short loc_9C3664
		mov	eax, [ebp+arg_8]
		mov	bl, 1
		mov	[ecx+14h], eax

loc_9C3664:				; CODE XREF: TtmpUpdatePowerRequestAttribute(x,x,x,x,x,x)+33j
					; TtmpUpdatePowerRequestAttribute(x,x,x,x,x,x)+45j ...
		cmp	[ebp+var_4], 0
		jz	short loc_9C3679
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C3679:				; CODE XREF: TtmpUpdatePowerRequestAttribute(x,x,x,x,x,x)+6Ej
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	10h
_TtmpUpdatePowerRequestAttribute@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpWriteDisplayRequiredPowerRequestUpdatedEvent(x,	x, x)
_TtmpWriteDisplayRequiredPowerRequestUpdatedEvent@12 proc near
					; CODE XREF: TtmpPublishDisplayRequiredPowerRequestEvents(x,x)+75p
					; TtmpUpdateDisplayRequiredPowerRequest(x,x,x)+59p ...

var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= byte ptr -210h
var_20F		= dword	ptr -20Fh
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 224h
		push	esi
		push	edi
		push	20Bh		; size_t
		lea	eax, [ebp+var_20F]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_220]
		add	esp, 0Ch
		mov	[ebp+var_220], 6
		mov	eax, [ecx+8]
		cmp	dword ptr [ecx+18h], 0
		mov	[ebp+var_21C], eax
		mov	eax, [ecx+0Ch]
		setnbe	[ebp+var_210]
		mov	[ebp+var_218], eax
		mov	eax, [ecx+14h]
		mov	[ebp+var_214], eax
		test	esi, esi
		jz	short loc_9C3704
		mov	ecx, esi
		call	_TtmiWriteEventToSingleQueue@8 ; TtmiWriteEventToSingleQueue(x,x)
		test	eax, eax
		jns	short loc_9C370B
		push	0FFFFFFFFh
		push	eax
		mov	edx, 22Bh
		mov	ecx, offset ??_C@_0DB@BBINAPKO@TtmpWriteDisplayRequiredPowerRe@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C370B
; 

loc_9C3704:				; CODE XREF: TtmpWriteDisplayRequiredPowerRequestUpdatedEvent(x,x,x)+62j
		mov	ecx, edi
		call	_TtmiWriteEventToAllQueues@8 ; TtmiWriteEventToAllQueues(x,x)

loc_9C370B:				; CODE XREF: TtmpWriteDisplayRequiredPowerRequestUpdatedEvent(x,x,x)+6Dj
					; TtmpWriteDisplayRequiredPowerRequestUpdatedEvent(x,x,x)+81j
		pop	edi
		pop	esi
		leave
		retn	4
_TtmpWriteDisplayRequiredPowerRequestUpdatedEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmDispatchApi(x, x, x, x, x, x, x,	x)
_TtmDispatchApi@32 proc	near		; CODE XREF: NtPowerInformation+1726BEp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	eax, ecx
		mov	esi, edx
		push	edi
		mov	[esp+18h+var_4], eax
		call	_TtmiLogDispatchApiStart@4 ; TtmiLogDispatchApiStart(x)
		mov	eax, [ebp+arg_C]
		xor	ecx, ecx
		mov	[esp+18h+var_8], ecx
		mov	[eax], ecx
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		mov	eax, [ebp+arg_14]
		mov	[eax], cl
		call	_TtmIsEnabled@0	; TtmIsEnabled()
		test	al, al
		jnz	short loc_9C3766
		mov	esi, 0C00000BBh
		mov	edx, 426h

loc_9C3754:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+D8j
					; TtmDispatchApi(x,x,x,x,x,x,x,x)+15Ej
		push	esi
		push	0FFFFFFFFh
		mov	ecx, (offset loc_8BE10B+5)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	loc_9C38B6
; 

loc_9C3766:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+37j
		mov	ebx, [esp+18h+var_4]
		add	ebx, 0FFFFF000h	; switch 11 cases
		cmp	ebx, 0Ah
		ja	loc_9C3874	; default
		jmp	ds:off_9C38CD[ebx*4] ; switch jump

loc_9C3780:				; DATA XREF: PAGE:off_9C38CDo
		push	0Ch		; case 0x1000
		pop	eax
		push	4

loc_9C3785:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+7Cj
		pop	edi
		jmp	short loc_9C37A5
; 

loc_9C3788:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+68j
					; DATA XREF: PAGE:off_9C38CDo
		push	10h		; case 0x1001
		pop	eax
		push	8
		jmp	short loc_9C3785
; 

loc_9C378F:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+68j
					; DATA XREF: PAGE:off_9C38CDo
		push	0Ch		; case 0x1004
		mov	edi, 21Ch
		jmp	short loc_9C37A4
; 

loc_9C3798:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+68j
					; DATA XREF: PAGE:off_9C38CDo
		push	0Ch		; case 0x1002
		jmp	short loc_9C37A2
; 

loc_9C379C:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+68j
					; DATA XREF: PAGE:off_9C38CDo
		push	10h		; case 0x1005
		jmp	short loc_9C37A2
; 

loc_9C37A0:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+68j
					; DATA XREF: PAGE:off_9C38CDo
		push	14h		; case 0x1007

loc_9C37A2:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+89j
					; TtmDispatchApi(x,x,x,x,x,x,x,x)+8Dj
		mov	edi, ecx

loc_9C37A4:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+85j
		pop	eax

loc_9C37A5:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+75j
		cmp	[ebp+arg_0], eax
		jb	loc_9C3865
		cmp	[ebp+arg_4], ecx
		jnz	short loc_9C37BB
		test	edi, edi
		jnz	loc_9C3865

loc_9C37BB:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+A0j
		cmp	[ebp+arg_8], edi
		jb	loc_9C3865
		test	edi, edi
		jz	short loc_9C37EE
		push	206D654Dh
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+18h+var_8], ecx
		test	ecx, ecx
		jnz	short loc_9C37EE
		mov	esi, 0C0000017h
		mov	edx, 482h
		jmp	loc_9C3754
; 

loc_9C37EE:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+B5j
					; TtmDispatchApi(x,x,x,x,x,x,x,x)+CCj
		jmp	ds:off_9C38F9[ebx*4]

loc_9C37F5:				; DATA XREF: PAGE:off_9C38F9o
		mov	edx, ecx
		mov	ecx, esi
		call	_TtmpDispatchOpenTerminal@8 ; TtmpDispatchOpenTerminal(x,x)

loc_9C37FE:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+FDj
					; TtmDispatchApi(x,x,x,x,x,x,x,x)+108j	...
		mov	esi, eax
		jmp	loc_9C388D
; 

loc_9C3805:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x):loc_9C37EEj
					; DATA XREF: PAGE:009C38FDo
		mov	edx, ecx
		mov	ecx, esi
		call	_TtmpDispatchCreateTerminal@8 ;	TtmpDispatchCreateTerminal(x,x)
		jmp	short loc_9C37FE
; 

loc_9C3810:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x):loc_9C37EEj
					; DATA XREF: PAGE:009C3905o
		mov	edx, ecx
		mov	ecx, esi
		call	_TtmpDispatchCreateEventQueue@8	; TtmpDispatchCreateEventQueue(x,x)
		jmp	short loc_9C37FE
; 

loc_9C381B:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x):loc_9C37EEj
					; DATA XREF: PAGE:009C3909o
		mov	edx, ecx
		mov	ecx, esi
		call	_TtmpDispatchGetTerminalEvent@8	; TtmpDispatchGetTerminalEvent(x,x)
		jmp	short loc_9C37FE
; 

loc_9C3826:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x):loc_9C37EEj
					; DATA XREF: PAGE:009C3915o
		mov	ecx, esi
		call	_TtmpDispatchSetDisplayState@4 ; TtmpDispatchSetDisplayState(x)
		jmp	short loc_9C37FE
; 

loc_9C382F:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x):loc_9C37EEj
					; DATA XREF: PAGE:009C3919o
		mov	ecx, esi
		call	_TtmpDispatchSetDisplayTimeouts@4 ; TtmpDispatchSetDisplayTimeouts(x)
		jmp	short loc_9C37FE
; 

loc_9C3838:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x):loc_9C37EEj
					; DATA XREF: PAGE:009C3901o
		mov	ecx, esi
		call	_TtmpDispatchEvacuateDevices@4 ; TtmpDispatchEvacuateDevices(x)
		jmp	short loc_9C37FE
; 

loc_9C3841:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x):loc_9C37EEj
					; DATA XREF: PAGE:009C390Do
		mov	ecx, esi
		call	_TtmpDispatchSetDefaultDeviceAssignment@4 ; TtmpDispatchSetDefaultDeviceAssignment(x)
		jmp	short loc_9C37FE
; 

loc_9C384A:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x):loc_9C37EEj
					; DATA XREF: PAGE:009C3911o
		mov	ecx, esi
		call	_TtmpDispatchAssignDevice@4 ; TtmpDispatchAssignDevice(x)
		jmp	short loc_9C37FE
; 

loc_9C3853:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x):loc_9C37EEj
					; DATA XREF: PAGE:009C391Do
		mov	ecx, esi
		call	_TtmpDispatchSetDisplayPowerRequest@4 ;	TtmpDispatchSetDisplayPowerRequest(x)
		jmp	short loc_9C37FE
; 

loc_9C385C:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x):loc_9C37EEj
					; DATA XREF: PAGE:009C3921o
		mov	ecx, esi
		call	_TtmpDispatchSetInputWakeCapability@4 ;	TtmpDispatchSetInputWakeCapability(x)
		jmp	short loc_9C37FE
; 

loc_9C3865:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+97j
					; TtmDispatchApi(x,x,x,x,x,x,x,x)+A4j ...
		mov	esi, 0C0000023h
		mov	edx, 473h
		jmp	loc_9C3754
; 

loc_9C3874:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+62j
		mov	edi, ecx	; default
		mov	edx, 468h
		mov	esi, 0C000000Dh
		mov	ecx, (offset loc_8BE10B+5)
		push	esi
		push	0FFFFFFFFh
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)

loc_9C388D:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+EFj
		mov	eax, [esp+18h+var_8]
		test	eax, eax
		jz	short loc_9C38B6
		test	esi, esi
		js	short loc_9C38AB
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		mov	eax, [ebp+arg_10]
		mov	[eax], edi
		mov	eax, [ebp+arg_14]
		mov	byte ptr [eax],	1
		jmp	short loc_9C38B6
; 

loc_9C38AB:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+186j
		push	206D654Dh
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9C38B6:				; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+50j
					; TtmDispatchApi(x,x,x,x,x,x,x,x)+182j	...
		mov	ecx, [esp+18h+var_4]
		mov	edx, esi
		call	_TtmiLogDispatchApiStop@8 ; TtmiLogDispatchApiStop(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_TtmDispatchApi@32 endp

; 
		db 90h
off_9C38CD	dd offset loc_9C3780	; DATA XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+68r
		dd offset loc_9C3788	; jump table for switch	statement
		dd offset loc_9C3798
		dd offset loc_9C3780
		dd offset loc_9C378F
		dd offset loc_9C379C
		dd offset loc_9C379C
		dd offset loc_9C37A0
		dd offset loc_9C37A0
		dd offset loc_9C37A0
		dd offset loc_9C37A0
off_9C38F9	dd offset loc_9C37F5	; DATA XREF: TtmDispatchApi(x,x,x,x,x,x,x,x):loc_9C37EEr
		dd offset loc_9C3805
		dd offset loc_9C3838
		dd offset loc_9C3810
		dd offset loc_9C381B
		dd offset loc_9C3841
		dd offset loc_9C384A
		dd offset loc_9C3826
		dd offset loc_9C382F
		dd offset loc_9C3853
		dd offset loc_9C385C

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpAcquireSessionFromTerminalHandle(x, x, x, x, x)
_TtmpAcquireSessionFromTerminalHandle@20 proc near
					; CODE XREF: TtmpDispatchAssignDevice(x)+22p
					; TtmpDispatchCreateEventQueue(x,x)+2Bp ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	al, [eax+15Ah]
		push	edi
		mov	edi, [ebp+arg_8]
		and	dword ptr [ebx], 0
		mov	byte ptr [ebp+arg_4], al
		push	[ebp+arg_4]
		and	dword ptr [edi], 0
		mov	[ebp+var_1], dl
		mov	edx, ecx
		push	ecx
		mov	ecx, edi
		call	_TtmiReferenceTerminalByHandle@16 ; TtmiReferenceTerminalByHandle(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3973
		push	esi
		push	esi
		push	58h

loc_9C3964:				; CODE XREF: TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)+66j
					; TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)+78j ...
		pop	edx
		mov	ecx, (offset loc_8BE087+1)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		mov	eax, esi
		jmp	short loc_9C39DF
; 

loc_9C3973:				; CODE XREF: TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)+39j
		mov	esi, [edi]
		cmp	dword ptr [esi+10h], 0
		jnz	short loc_9C398D
		cmp	[ebp+var_1], 0
		jnz	short loc_9C399F
		mov	esi, 0C0000024h
		push	esi
		push	0FFFFFFFFh
		push	5Dh
		jmp	short loc_9C3964
; 

loc_9C398D:				; CODE XREF: TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)+54j
		cmp	[ebp+arg_0], 0
		jnz	short loc_9C399F
		mov	esi, 0C0000024h
		push	esi
		push	0FFFFFFFFh
		push	62h
		jmp	short loc_9C3964
; 

loc_9C399F:				; CODE XREF: TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)+5Aj
					; TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)+6Cj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _TtmpSessionLock
		push	edi
		call	ExAcquireResourceExclusiveLite
		mov	eax, [esi+8]
		test	byte ptr [eax+4], 4
		jz	short loc_9C39DB
		mov	ecx, edi
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	esi, 0C0000455h
		push	esi
		push	0FFFFFFFFh
		push	69h
		jmp	short loc_9C3964
; 

loc_9C39DB:				; CODE XREF: TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)+9Cj
		mov	[ebx], eax
		xor	eax, eax

loc_9C39DF:				; CODE XREF: TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)+4Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_TtmpAcquireSessionFromTerminalHandle@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpDispatchAssignDevice(x)
_TtmpDispatchAssignDevice@4 proc near	; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+13Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		mov	dl, 1
		push	ebx
		push	esi
		push	eax
		mov	ebx, ecx
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		mov	ecx, [ebx+8]
		call	_TtmpAcquireSessionFromTerminalHandle@20 ; TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3A26
		push	esi
		push	esi
		mov	edx, 310h
		mov	ecx, offset ??_C@_0BJ@IJIIOIGH@TtmpDispatchAssignDevice@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C3A36
; 

loc_9C3A26:				; CODE XREF: TtmpDispatchAssignDevice(x)+2Bj
		push	dword ptr [ebx+0Ch]
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		call	_TtmiAssignDevice@12 ; TtmiAssignDevice(x,x,x)
		mov	esi, eax

loc_9C3A36:				; CODE XREF: TtmpDispatchAssignDevice(x)+3Ej
		cmp	[ebp+var_4], 0
		jz	short loc_9C3A44
		lea	ecx, [ebp+var_4]
		call	_TtmiReleaseSession@4 ;	TtmiReleaseSession(x)

loc_9C3A44:				; CODE XREF: TtmpDispatchAssignDevice(x)+54j
		cmp	[ebp+var_8], 0
		jz	short loc_9C3A52
		mov	ecx, [ebp+var_8]
		call	ObfDereferenceObject

loc_9C3A52:				; CODE XREF: TtmpDispatchAssignDevice(x)+62j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpDispatchAssignDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpDispatchCreateEventQueue(x, x)
_TtmpDispatchCreateEventQueue@8	proc near ; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+103p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	ecx, [ecx+8]
		lea	eax, [ebp+var_10]
		push	esi
		push	edi
		push	eax
		mov	[ebp+var_14], edx
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		mov	edi, edx
		mov	[ebp+var_4], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		push	edx
		mov	dl, 1
		mov	[ebp+var_8], edi
		call	_TtmpAcquireSessionFromTerminalHandle@20 ; TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3AA1
		mov	edx, 133h

loc_9C3A93:				; CODE XREF: TtmpDispatchCreateEventQueue(x,x)+88j
					; TtmpDispatchCreateEventQueue(x,x)+ABj
		push	esi
		push	esi
		mov	ecx, offset ??_C@_0BN@OJIDHFAI@TtmpDispatchCreateEventQueue@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C3B12
; 

loc_9C3AA1:				; CODE XREF: TtmpDispatchCreateEventQueue(x,x)+34j
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_8]
		call	_TtmiCreateEventQueue@8	; TtmiCreateEventQueue(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3AC8
		push	esi
		push	esi
		mov	edx, 139h
		mov	ecx, offset ??_C@_0BN@OJIDHFAI@TtmpDispatchCreateEventQueue@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		mov	edi, [ebp+var_8]
		jmp	short loc_9C3B12
; 

loc_9C3AC8:				; CODE XREF: TtmpDispatchCreateEventQueue(x,x)+58j
		mov	edi, [ebp+var_8]
		mov	edx, edi
		mov	ecx, [ebp+var_4]
		call	_TtmiWriteEnumerationEventsToQueue@8 ; TtmiWriteEnumerationEventsToQueue(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3AE2
		mov	edx, 143h
		jmp	short loc_9C3A93
; 

loc_9C3AE2:				; CODE XREF: TtmpDispatchCreateEventQueue(x,x)+81j
		lea	eax, [ebp+var_C]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	1F0000h
		push	eax
		push	edi
		call	_ObInsertObject@24 ; ObInsertObject(x,x,x,x,x,x)
		mov	esi, eax
		xor	edi, edi
		test	esi, esi
		jns	short loc_9C3B05
		mov	edx, 156h
		jmp	short loc_9C3A93
; 

loc_9C3B05:				; CODE XREF: TtmpDispatchCreateEventQueue(x,x)+A4j
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_C]
		and	[ebp+var_C], edi
		xor	esi, esi
		mov	[ecx], eax

loc_9C3B12:				; CODE XREF: TtmpDispatchCreateEventQueue(x,x)+47j
					; TtmpDispatchCreateEventQueue(x,x)+6Ej
		cmp	[ebp+var_4], 0
		jz	short loc_9C3B27
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C3B27:				; CODE XREF: TtmpDispatchCreateEventQueue(x,x)+BEj
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jz	short loc_9C3B33
		call	ObfDereferenceObject

loc_9C3B33:				; CODE XREF: TtmpDispatchCreateEventQueue(x,x)+D4j
		test	edi, edi
		jz	short loc_9C3B3E
		mov	ecx, edi
		call	ObfDereferenceObject

loc_9C3B3E:				; CODE XREF: TtmpDispatchCreateEventQueue(x,x)+DDj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_TtmpDispatchCreateEventQueue@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpDispatchCreateTerminal(x, x)
_TtmpDispatchCreateTerminal@8 proc near	; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+F8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_8]
		mov	ebx, ecx
		push	eax
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	eax
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		mov	dl, 1
		push	ecx
		mov	ecx, [ebx+0Ch]
		call	_TtmpAcquireSessionFromTerminalHandle@20 ; TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3B8A
		push	esi
		push	esi
		mov	edx, 0E3h
		mov	ecx, (offset loc_8BE013+1)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		mov	edi, [ebp+var_4]
		jmp	short loc_9C3BCB
; 

loc_9C3B8A:				; CODE XREF: TtmpDispatchCreateTerminal(x,x)+2Ej
		mov	eax, large fs:124h
		mov	edx, [ebx+8]
		push	0
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_C], al
		lea	eax, [edi+4]
		push	eax
		push	edi
		push	[ebp+var_C]
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		call	_TtmiCreateTerminal@24 ; TtmiCreateTerminal(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3BC9
		push	esi
		push	esi
		mov	edx, 0EFh
		mov	ecx, (offset loc_8BE013+1)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C3BCB
; 

loc_9C3BC9:				; CODE XREF: TtmpDispatchCreateTerminal(x,x)+70j
		xor	esi, esi

loc_9C3BCB:				; CODE XREF: TtmpDispatchCreateTerminal(x,x)+44j
					; TtmpDispatchCreateTerminal(x,x)+83j
		test	edi, edi
		jz	short loc_9C3BDE
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C3BDE:				; CODE XREF: TtmpDispatchCreateTerminal(x,x)+89j
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_9C3BEA
		call	ObfDereferenceObject

loc_9C3BEA:				; CODE XREF: TtmpDispatchCreateTerminal(x,x)+9Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpDispatchCreateTerminal@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpDispatchEvacuateDevices(x)
_TtmpDispatchEvacuateDevices@4 proc near ; CODE	XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+129p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	ecx, [ecx+8]
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		xor	dl, dl
		and	[ebp+var_8], 0
		push	esi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		call	_TtmpAcquireSessionFromTerminalHandle@20 ; TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3C2F
		push	esi
		push	esi
		mov	edx, 267h
		mov	ecx, offset ??_C@_0BM@IMHPPNOC@TtmpDispatchEvacuateDevices@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C3C4A
; 

loc_9C3C2F:				; CODE XREF: TtmpDispatchEvacuateDevices(x)+29j
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		call	_TtmiEvacuateDevices@8 ; TtmiEvacuateDevices(x,x)
		test	al, al
		jz	short loc_9C3C48
		mov	ecx, [ebp+var_4]
		push	1
		call	_TtmiScheduleSessionWorker@8 ; TtmiScheduleSessionWorker(x,x)

loc_9C3C48:				; CODE XREF: TtmpDispatchEvacuateDevices(x)+4Bj
		xor	esi, esi

loc_9C3C4A:				; CODE XREF: TtmpDispatchEvacuateDevices(x)+3Cj
		cmp	[ebp+var_4], 0
		jz	short loc_9C3C58
		lea	ecx, [ebp+var_4]
		call	_TtmiReleaseSession@4 ;	TtmiReleaseSession(x)

loc_9C3C58:				; CODE XREF: TtmpDispatchEvacuateDevices(x)+5Dj
		cmp	[ebp+var_8], 0
		jz	short loc_9C3C66
		mov	ecx, [ebp+var_8]
		call	ObfDereferenceObject

loc_9C3C66:				; CODE XREF: TtmpDispatchEvacuateDevices(x)+6Bj
		mov	eax, esi
		pop	esi
		leave
		retn
_TtmpDispatchEvacuateDevices@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpDispatchGetTerminalEvent(x, x)
_TtmpDispatchGetTerminalEvent@8	proc near ; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+10Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		mov	ecx, [ecx+8]
		and	[ebp+var_4], 0
		push	ebx
		mov	al, [eax+15Ah]
		mov	ebx, edx
		push	esi
		push	edi
		push	0
		lea	edx, [ebp+var_4]
		mov	byte ptr [ebp+var_8], al
		mov	eax, ds:_TtmpQueueObjectType
		push	edx
		push	[ebp+var_8]
		push	eax
		push	0F0000h
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3CD9
		push	esi
		push	esi
		mov	edx, 136h
		mov	ecx, (offset loc_8BE1C3+1)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		test	esi, esi
		jns	short loc_9C3CD9
		mov	edx, 19Ah

loc_9C3CCB:				; CODE XREF: TtmpDispatchGetTerminalEvent(x,x)+82j
		push	esi
		push	esi
		mov	ecx, offset ??_C@_0BN@DLFLDOIN@TtmpDispatchGetTerminalEvent@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C3CF1
; 

loc_9C3CD9:				; CODE XREF: TtmpDispatchGetTerminalEvent(x,x)+44j
					; TtmpDispatchGetTerminalEvent(x,x)+59j
		mov	edx, ebx
		mov	ecx, edi
		call	_TtmiRetrieveEventFromQueue@8 ;	TtmiRetrieveEventFromQueue(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3CEF
		mov	edx, 1A2h
		jmp	short loc_9C3CCB
; 

loc_9C3CEF:				; CODE XREF: TtmpDispatchGetTerminalEvent(x,x)+7Bj
		xor	esi, esi

loc_9C3CF1:				; CODE XREF: TtmpDispatchGetTerminalEvent(x,x)+6Cj
		test	edi, edi
		jz	short loc_9C3CFC
		mov	ecx, edi
		call	ObfDereferenceObject

loc_9C3CFC:				; CODE XREF: TtmpDispatchGetTerminalEvent(x,x)+88j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpDispatchGetTerminalEvent@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpDispatchOpenTerminal(x,	x)
_TtmpDispatchOpenTerminal@8 proc near	; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+E8p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	ebx, ecx
		lea	ecx, [ebp+var_4]
		push	edi
		mov	edi, edx
		call	_TtmiAcquireCurrentSession@4 ; TtmiAcquireCurrentSession(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3D3A
		push	esi
		push	esi
		mov	edx, 9Ah
		mov	ecx, offset ??_C@_0BJ@GAHIIGFP@TtmpDispatchOpenTerminal@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		mov	edi, [ebp+var_4]
		jmp	short loc_9C3D5C
; 

loc_9C3D3A:				; CODE XREF: TtmpDispatchOpenTerminal(x,x)+1Fj
		mov	eax, large fs:124h
		mov	edx, [ebx+8]
		push	edi
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		call	_TtmiOpenDefaultTerminal@16 ; TtmiOpenDefaultTerminal(x,x,x,x)
		mov	esi, eax

loc_9C3D5C:				; CODE XREF: TtmpDispatchOpenTerminal(x,x)+35j
		test	edi, edi
		jz	short loc_9C3D68
		lea	ecx, [ebp+var_4]
		call	_TtmiReleaseSession@4 ;	TtmiReleaseSession(x)

loc_9C3D68:				; CODE XREF: TtmpDispatchOpenTerminal(x,x)+5Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpDispatchOpenTerminal@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpDispatchSetDefaultDeviceAssignment(x)
_TtmpDispatchSetDefaultDeviceAssignment@4 proc near
					; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+132p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		lea	eax, [ebp+var_8]
		mov	edi, ecx
		push	eax
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	eax
		mov	[ebp+var_4], ecx
		mov	dl, 1
		mov	[ebp+var_8], ecx
		push	ecx
		mov	ecx, [edi+8]
		call	_TtmpAcquireSessionFromTerminalHandle@20 ; TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3DAE
		push	esi
		push	esi
		mov	edx, 2C3h
		mov	ecx, (offset loc_8BE15B+1)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C3DBF
; 

loc_9C3DAE:				; CODE XREF: TtmpDispatchSetDefaultDeviceAssignment(x)+2Aj
		cmp	byte ptr [edi+0Ch], 0
		mov	ecx, [ebp+var_4]
		setnz	dl
		call	_TtmiSetSessionDeviceAssignmentPolicy@8	; TtmiSetSessionDeviceAssignmentPolicy(x,x)
		mov	esi, eax

loc_9C3DBF:				; CODE XREF: TtmpDispatchSetDefaultDeviceAssignment(x)+3Dj
		cmp	[ebp+var_4], 0
		jz	short loc_9C3DCD
		lea	ecx, [ebp+var_4]
		call	_TtmiReleaseSession@4 ;	TtmiReleaseSession(x)

loc_9C3DCD:				; CODE XREF: TtmpDispatchSetDefaultDeviceAssignment(x)+54j
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_9C3DD9
		call	ObfDereferenceObject

loc_9C3DD9:				; CODE XREF: TtmpDispatchSetDefaultDeviceAssignment(x)+63j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_TtmpDispatchSetDefaultDeviceAssignment@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpDispatchSetDisplayPowerRequest(x)
_TtmpDispatchSetDisplayPowerRequest@4 proc near
					; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+144p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		mov	dl, 1
		push	ebx
		push	esi
		push	eax
		mov	ebx, ecx
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		mov	ecx, [ebx+8]
		call	_TtmpAcquireSessionFromTerminalHandle@20 ; TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3E1F
		push	esi
		push	esi
		mov	edx, 35Ch
		mov	ecx, (offset loc_8BE0C2+6)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C3E32
; 

loc_9C3E1F:				; CODE XREF: TtmpDispatchSetDisplayPowerRequest(x)+2Bj
		push	dword ptr [ebx+10h]
		mov	edx, [ebp+var_4]
		push	dword ptr [ebx+0Ch]
		mov	ecx, [ebp+var_8]
		call	_TtmiSetDisplayPowerRequest@16 ; TtmiSetDisplayPowerRequest(x,x,x,x)
		mov	esi, eax

loc_9C3E32:				; CODE XREF: TtmpDispatchSetDisplayPowerRequest(x)+3Ej
		cmp	[ebp+var_8], 0
		jz	short loc_9C3E47
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C3E47:				; CODE XREF: TtmpDispatchSetDisplayPowerRequest(x)+57j
		cmp	[ebp+var_4], 0
		jz	short loc_9C3E55
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject

loc_9C3E55:				; CODE XREF: TtmpDispatchSetDisplayPowerRequest(x)+6Cj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpDispatchSetDisplayPowerRequest@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpDispatchSetDisplayState(x)
_TtmpDispatchSetDisplayState@4 proc near ; CODE	XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+117p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		mov	dl, 1
		push	ebx
		push	esi
		push	eax
		mov	ebx, ecx
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		mov	ecx, [ebx+8]
		call	_TtmpAcquireSessionFromTerminalHandle@20 ; TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3E9B
		push	esi
		push	esi
		mov	edx, 1DBh
		mov	ecx, offset ??_C@_0BM@GPIGGCHB@TtmpDispatchSetDisplayState@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C3EB5
; 

loc_9C3E9B:				; CODE XREF: TtmpDispatchSetDisplayState(x)+2Bj
		movzx	eax, byte ptr [ebx+0Ch]
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	53445354h
		push	dword ptr [ebx+10h]
		push	eax
		call	_TtmiSetPendingOnOffRequest@20 ; TtmiSetPendingOnOffRequest(x,x,x,x,x)
		xor	esi, esi

loc_9C3EB5:				; CODE XREF: TtmpDispatchSetDisplayState(x)+3Ej
		cmp	[ebp+var_4], 0
		jz	short loc_9C3EC3
		lea	ecx, [ebp+var_4]
		call	_TtmiReleaseSession@4 ;	TtmiReleaseSession(x)

loc_9C3EC3:				; CODE XREF: TtmpDispatchSetDisplayState(x)+5Ej
		cmp	[ebp+var_8], 0
		jz	short loc_9C3ED1
		mov	ecx, [ebp+var_8]
		call	ObfDereferenceObject

loc_9C3ED1:				; CODE XREF: TtmpDispatchSetDisplayState(x)+6Cj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpDispatchSetDisplayState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpDispatchSetDisplayTimeouts(x)
_TtmpDispatchSetDisplayTimeouts@4 proc near
					; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+120p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		mov	eax, ecx
		and	[ebp+var_8], 0
		lea	ecx, [ebp+var_8]
		push	ebx
		push	esi
		push	edi
		push	ecx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_C], eax
		push	ecx
		mov	ecx, [eax+8]
		mov	dl, 1
		push	1
		call	_TtmpAcquireSessionFromTerminalHandle@20 ; TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)
		mov	ebx, [ebp+var_4]
		mov	esi, eax
		mov	edi, [ebp+var_8]
		test	esi, esi
		jns	short loc_9C3F22
		push	esi
		push	esi
		mov	edx, 21Fh
		mov	ecx, offset ??_C@_0BP@MLGNHNPH@TtmpDispatchSetDisplayTimeouts@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C3F43
; 

loc_9C3F22:				; CODE XREF: TtmpDispatchSetDisplayTimeouts(x)+36j
		cmp	dword ptr [edi+10h], 0
		jnz	short loc_9C3F2F
		mov	byte ptr [ebx+8Ch], 0

loc_9C3F2F:				; CODE XREF: TtmpDispatchSetDisplayTimeouts(x)+4Fj
		mov	eax, [ebp+var_C]
		mov	edx, edi
		mov	ecx, ebx
		push	dword ptr [eax+10h]
		push	dword ptr [eax+0Ch]
		call	_TtmiTerminalSetDisplayTimeouts@16 ; TtmiTerminalSetDisplayTimeouts(x,x,x,x)
		xor	esi, esi

loc_9C3F43:				; CODE XREF: TtmpDispatchSetDisplayTimeouts(x)+49j
		test	ebx, ebx
		jz	short loc_9C3F56
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C3F56:				; CODE XREF: TtmpDispatchSetDisplayTimeouts(x)+6Ej
		test	edi, edi
		jz	short loc_9C3F61
		mov	ecx, edi
		call	ObfDereferenceObject

loc_9C3F61:				; CODE XREF: TtmpDispatchSetDisplayTimeouts(x)+81j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpDispatchSetDisplayTimeouts@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpDispatchSetInputWakeCapability(x)
_TtmpDispatchSetInputWakeCapability@4 proc near
					; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+14Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		mov	dl, 1
		push	ebx
		push	esi
		push	eax
		mov	ebx, ecx
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		mov	ecx, [ebx+8]
		call	_TtmpAcquireSessionFromTerminalHandle@20 ; TtmpAcquireSessionFromTerminalHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9C3FA8
		push	esi
		push	esi
		mov	edx, 3AAh
		mov	ecx, offset ??_C@_0CD@DFJIPKNB@TtmpDispatchSetInputWakeCapabil@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C3FBB
; 

loc_9C3FA8:				; CODE XREF: TtmpDispatchSetInputWakeCapability(x)+2Bj
		push	dword ptr [ebx+10h]
		mov	edx, [ebp+var_4]
		push	dword ptr [ebx+0Ch]
		mov	ecx, [ebp+var_8]
		call	_TtmiSetInputWakeCapability@16 ; TtmiSetInputWakeCapability(x,x,x,x)
		mov	esi, eax

loc_9C3FBB:				; CODE XREF: TtmpDispatchSetInputWakeCapability(x)+3Ej
		cmp	[ebp+var_8], 0
		jz	short loc_9C3FD0
		mov	ecx, offset _TtmpSessionLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9C3FD0:				; CODE XREF: TtmpDispatchSetInputWakeCapability(x)+57j
		cmp	[ebp+var_4], 0
		jz	short loc_9C3FDE
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject

loc_9C3FDE:				; CODE XREF: TtmpDispatchSetInputWakeCapability(x)+6Cj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_TtmpDispatchSetInputWakeCapability@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogCalloutStart(x, x, x, x, x)
_TtmiLogCalloutStart@20	proc near	; CODE XREF: TtmpStartCallout(x,x,x,x,x,x)+9Bp

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_98], edx
		mov	esi, ecx
		jbe	loc_9C40EA
		xor	edi, edi
		mov	ebx, offset dword_A93BC8
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C40EA
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_A4], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_24]
		push	4
		pop	edx
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_98]
		push	8
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_8]
		pop	ecx
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_8C]
		push	eax
		push	ecx
		push	edi
		push	edi
		push	offset loc_421880
		push	ebx
		mov	[ebp+var_68], edi
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], edi
		mov	[ebp+var_94], esi
		mov	[ebp+var_58], edi
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], 2
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C40EA:				; CODE XREF: TtmiLogCalloutStart(x,x,x,x,x)+27j
					; TtmiLogCalloutStart(x,x,x,x,x)+40j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_TtmiLogCalloutStart@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogCalloutStop(x, x, x,	x, x, x, x, x)
_TtmiLogCalloutStop@32 proc near	; CODE XREF: TtmpStopCallout(x,x)+4Fp

var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 194h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_10]
		mov	ebx, edx
		push	edi
		mov	edi, [ebp+arg_14]
		mov	[ebp+var_14C], ecx
		test	edi, edi
		ja	loc_9C4262
		jb	short loc_9C4137
		cmp	esi, 1312D00h
		ja	loc_9C4262

loc_9C4137:				; CODE XREF: TtmiLogCalloutStop(x,x,x,x,x,x,x,x)+2Ej
		cmp	ds:dword_A93BC8, 5
		jbe	loc_9C43ED
		push	0
		push	1
		mov	ecx, offset dword_A93BC8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C43ED
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_150], eax
		xor	edx, edx
		lea	eax, [ebp+var_150]
		mov	[ebp+var_84], edx
		mov	[ebp+var_88], eax
		mov	eax, [ebp+var_14C]
		mov	[ebp+var_154], eax
		lea	eax, [ebp+var_154]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_158]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_178], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_174], eax
		lea	eax, [ebp+var_178]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+arg_8]
		push	4
		pop	ecx
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_15C], eax
		lea	eax, [ebp+var_15C]
		push	8
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_180]
		mov	[ebp+var_7C], edx
		mov	[ebp+var_74], edx
		mov	[ebp+var_6C], edx
		pop	edx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	0Ah
		mov	[ebp+var_158], ebx
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	offset loc_422660
		mov	[ebp+var_80], ecx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], 2
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_180], esi
		mov	[ebp+var_17C], edi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ebx
		push	offset dword_A93BC8
		jmp	loc_9C43E8
; 

loc_9C4262:				; CODE XREF: TtmiLogCalloutStop(x,x,x,x,x,x,x,x)+28j
					; TtmiLogCalloutStop(x,x,x,x,x,x,x,x)+36j
		cmp	ds:dword_A93C00, 5
		jbe	loc_9C43ED
		push	4000h
		push	1
		mov	ecx, offset dword_A93C00
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C43ED
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_160], eax
		xor	edx, edx
		lea	eax, [ebp+var_160]
		mov	[ebp+var_124], edx
		mov	[ebp+var_128], eax
		mov	eax, [ebp+var_14C]
		mov	[ebp+var_164], eax
		lea	eax, [ebp+var_164]
		mov	[ebp+var_118], eax
		lea	eax, [ebp+var_168]
		mov	[ebp+var_108], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_188], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_184], eax
		lea	eax, [ebp+var_188]
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_E8], eax
		lea	eax, [ebp+arg_8]
		push	4
		pop	ecx
		mov	[ebp+var_D8], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_16C], eax
		lea	eax, [ebp+var_16C]
		push	8
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_190]
		mov	[ebp+var_11C], edx
		mov	[ebp+var_114], edx
		mov	[ebp+var_10C], edx
		pop	edx
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_148]
		push	eax
		push	0Ah
		mov	[ebp+var_168], ebx
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	offset loc_421F41
		mov	[ebp+var_120], ecx
		mov	[ebp+var_110], ecx
		mov	[ebp+var_104], ebx
		mov	[ebp+var_100], ecx
		mov	[ebp+var_FC], ebx
		mov	[ebp+var_F4], ebx
		mov	[ebp+var_F0], edx
		mov	[ebp+var_EC], ebx
		mov	[ebp+var_E4], ebx
		mov	[ebp+var_E0], 2
		mov	[ebp+var_DC], ebx
		mov	[ebp+var_D4], ebx
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_CC], ebx
		mov	[ebp+var_C4], ebx
		mov	[ebp+var_C0], ecx
		mov	[ebp+var_BC], ebx
		mov	[ebp+var_190], esi
		mov	[ebp+var_18C], edi
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_B0], edx
		mov	[ebp+var_AC], ebx
		push	offset dword_A93C00

loc_9C43E8:				; CODE XREF: TtmiLogCalloutStop(x,x,x,x,x,x,x,x)+162j
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C43ED:				; CODE XREF: TtmiLogCalloutStop(x,x,x,x,x,x,x,x)+43j
					; TtmiLogCalloutStop(x,x,x,x,x,x,x,x)+59j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_TtmiLogCalloutStop@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogCalloutWatchdogCrashSkipped(x, x, x,	x, x, x)
_TtmiLogCalloutWatchdogCrashSkipped@24 proc near
					; CODE XREF: TtmpCalloutWatchdogCallback(x,x,x,x,x,x)+65p

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		cmp	ds:dword_A93C00, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C455D
		push	4000h
		mov	ebx, offset dword_A93C00
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C455D
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[esp+0C0h+var_B4], eax
		xor	edx, edx
		lea	eax, [esp+0C0h+var_B4]
		mov	[esp+0C0h+var_74], edx
		mov	[esp+0C0h+var_78], eax
		lea	eax, [esp+0C0h+var_B0]
		mov	[esp+0C0h+var_68], eax
		lea	eax, [esp+0C0h+var_AC]
		mov	[esp+0C0h+var_58], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+0C0h+var_A8], eax
		lea	eax, [esp+0C0h+var_A8]
		mov	[esp+0C0h+var_48], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+0C0h+var_A4], eax
		lea	eax, [esp+0C0h+var_A4]
		mov	[esp+0C0h+var_38], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+0C0h+var_A0], eax
		lea	eax, [esp+0C0h+var_A0]
		push	4
		pop	ecx
		mov	[esp+0C0h+var_28], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+0C0h+var_9C], eax
		lea	eax, [esp+0C0h+var_9C]
		mov	[esp+0C0h+var_18], eax
		lea	eax, [esp+0C0h+var_98]
		push	eax
		push	9
		push	edx
		push	edx
		push	offset loc_4219CF
		push	ebx
		mov	[esp+0D8h+var_70], ecx
		mov	[esp+0D8h+var_6C], edx
		mov	[esp+0D8h+var_B0], edi
		mov	[esp+0D8h+var_64], edx
		mov	[esp+0D8h+var_60], ecx
		mov	[esp+0D8h+var_5C], edx
		mov	[esp+0D8h+var_AC], esi
		mov	[esp+0D8h+var_54], edx
		mov	[esp+0D8h+var_50], ecx
		mov	[esp+0D8h+var_4C], edx
		mov	[esp+0D8h+var_44], edx
		mov	[esp+0D8h+var_40], ecx
		mov	[esp+0D8h+var_3C], edx
		mov	[esp+0D8h+var_34], edx
		mov	[esp+0D8h+var_30], ecx
		mov	[esp+0D8h+var_2C], edx
		mov	[esp+0D8h+var_24], edx
		mov	[esp+0D8h+var_20], ecx
		mov	[esp+0D8h+var_1C], edx
		mov	[esp+0D8h+var_14], edx
		mov	[esp+0D8h+var_10], ecx
		mov	[esp+0D8h+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C455D:				; CODE XREF: TtmiLogCalloutWatchdogCrashSkipped(x,x,x,x,x,x)+2Aj
					; TtmiLogCalloutWatchdogCrashSkipped(x,x,x,x,x,x)+45j
		mov	ecx, [esp+0C0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_TtmiLogCalloutWatchdogCrashSkipped@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogCleanupCurrentSessionStart()
_TtmiLogCleanupCurrentSessionStart@0 proc near ; CODE XREF: TtmCleanupCurrentSession()+5p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+40h+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	esi
		push	edi
		jbe	short loc_9C45EB
		xor	esi, esi
		mov	edi, offset dword_A93BC8
		push	esi
		push	1
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C45EB
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[esp+48h+var_3C], eax
		lea	eax, [esp+48h+var_3C]
		mov	[esp+48h+var_18], eax
		lea	eax, [esp+48h+var_38]
		push	eax
		push	3
		push	esi
		push	esi
		push	offset loc_421D85
		push	edi
		mov	[esp+60h+var_14], esi
		mov	[esp+60h+var_10], 4
		mov	[esp+60h+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C45EB:				; CODE XREF: TtmiLogCleanupCurrentSessionStart()+1Fj
					; TtmiLogCleanupCurrentSessionStart()+34j
		mov	ecx, [esp+48h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_TtmiLogCleanupCurrentSessionStart@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogCleanupCurrentSessionStop()
_TtmiLogCleanupCurrentSessionStop@0 proc near ;	CODE XREF: TtmCleanupCurrentSession()+CFj

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+40h+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	esi
		push	edi
		jbe	short loc_9C4673
		xor	esi, esi
		mov	edi, offset dword_A93BC8
		push	esi
		push	1
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C4673
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[esp+48h+var_3C], eax
		lea	eax, [esp+48h+var_3C]
		mov	[esp+48h+var_18], eax
		lea	eax, [esp+48h+var_38]
		push	eax
		push	3
		push	esi
		push	esi
		push	(offset	loc_42274B+5)
		push	edi
		mov	[esp+60h+var_14], esi
		mov	[esp+60h+var_10], 4
		mov	[esp+60h+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C4673:				; CODE XREF: TtmiLogCleanupCurrentSessionStop()+1Fj
					; TtmiLogCleanupCurrentSessionStop()+34j
		mov	ecx, [esp+48h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_TtmiLogCleanupCurrentSessionStop@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogConsoleUserPresent(x, x, x)
_TtmiLogConsoleUserPresent@12 proc near	; CODE XREF: TtmNotifyConsoleUserPresent(x,x)+5Cp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C470C
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C470C
		lea	eax, [ebp+var_60]
		mov	[ebp+var_60], edi
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_64]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_421EAF
		push	offset dword_A93BC8
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_64], esi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C470C:				; CODE XREF: TtmiLogConsoleUserPresent(x,x,x)+20j
					; TtmiLogConsoleUserPresent(x,x,x)+33j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmiLogConsoleUserPresent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogDeviceArrivalNotified(x, x, x, x, x,	x)
_TtmiLogDeviceArrivalNotified@24 proc near
					; CODE XREF: TtmNotifyDeviceArrival(x,x,x,x,x,x)+23Ap

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C482F
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C482F
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_8]
		push	4
		pop	edx
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_98]
		push	8
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_C]
		pop	ecx
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_88]
		push	eax
		push	ecx
		push	ebx
		push	ebx
		push	offset loc_421306
		push	offset dword_A93BC8
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_90], edi
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_94], esi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C482F:				; CODE XREF: TtmiLogDeviceArrivalNotified(x,x,x,x,x,x)+23j
					; TtmiLogDeviceArrivalNotified(x,x,x,x,x,x)+3Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_TtmiLogDeviceArrivalNotified@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogDeviceArrivedTerminalEvent(x, x, x, x, x)
_TtmiLogDeviceArrivedTerminalEvent@20 proc near
					; CODE XREF: TtmpPublishDeviceEvent(x,x,x,x):loc_9C0B2Ep

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C493C
		push	0
		push	1
		mov	ecx, offset dword_A93BC8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C493C
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_90], eax
		xor	edx, edx
		lea	eax, [ebp+var_90]
		mov	[ebp+var_68], edx
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_9C]
		push	4
		pop	ecx
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ecx
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_20], edx
		mov	edx, ebx
		mov	[ebp+var_94], edi
		mov	[ebp+var_98], esi
		mov	[ebp+var_2C], eax
		call	_tlgCreate1Sz_wchar_t
		lea	eax, [ebp+var_8C]
		push	eax
		push	8
		push	0
		push	0
		push	offset loc_42213A
		push	offset dword_A93BC8
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C493C:				; CODE XREF: TtmiLogDeviceArrivedTerminalEvent(x,x,x,x,x)+26j
					; TtmiLogDeviceArrivedTerminalEvent(x,x,x,x,x)+3Cj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_TtmiLogDeviceArrivedTerminalEvent@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogDeviceAssignedTerminalEvent(x, x)
_TtmiLogDeviceAssignedTerminalEvent@8 proc near
					; CODE XREF: TtmpPublishDeviceEvent(x,x,x,x)+5Cp

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C49E3
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C49E3
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_60]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_421514
		push	offset dword_A93BC8
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_60], edi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_64], esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C49E3:				; CODE XREF: TtmiLogDeviceAssignedTerminalEvent(x,x)+20j
					; TtmiLogDeviceAssignedTerminalEvent(x,x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogDeviceAssignedTerminalEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogDeviceDepartedTerminalEvent(x)
_TtmiLogDeviceDepartedTerminalEvent@4 proc near
					; CODE XREF: TtmpPublishDeviceEvent(x,x,x,x)+7Bp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_9C4A71
		xor	edi, edi
		mov	ebx, offset dword_A93BC8
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C4A71
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_4C]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	ecx
		push	edi
		push	edi
		push	offset loc_4220F5
		push	ebx
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_50], esi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C4A71:				; CODE XREF: TtmiLogDeviceDepartedTerminalEvent(x)+1Ej
					; TtmiLogDeviceDepartedTerminalEvent(x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogDeviceDepartedTerminalEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogDeviceDepartureNotified(x, x, x, x)
_TtmiLogDeviceDepartureNotified@16 proc	near
					; CODE XREF: TtmNotifyDeviceDeparture(x,x,x)+8Fp

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_69		= dword	ptr -69h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	bl, dl
		mov	esi, ecx
		jbe	loc_9C4B44
		xor	edi, edi
		mov	ecx, offset dword_A93BC8
		push	edi
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C4B44
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_80], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_80]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_69]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_69+1]
		push	eax
		push	6
		push	edi
		push	edi
		push	offset loc_422703
		push	offset dword_A93BC8
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_74], esi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], 8
		mov	[ebp+var_1C], edi
		mov	byte ptr [ebp+var_69], bl
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 1
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C4B44:				; CODE XREF: TtmiLogDeviceDepartureNotified(x,x,x,x)+23j
					; TtmiLogDeviceDepartureNotified(x,x,x,x)+3Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_TtmiLogDeviceDepartureNotified@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogDeviceEnumeratedTerminalEvent(x, x, x, x, x)
_TtmiLogDeviceEnumeratedTerminalEvent@20 proc near
					; CODE XREF: TtmpPublishDeviceEvent(x,x,x,x)+E5p

var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C4C51
		push	0
		push	1
		mov	ecx, offset dword_A93BC8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C4C51
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_90], eax
		xor	edx, edx
		lea	eax, [ebp+var_90]
		mov	[ebp+var_68], edx
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_9C]
		push	4
		pop	ecx
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_A0], eax
		lea	eax, [ebp+var_A0]
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ecx
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_20], edx
		mov	edx, ebx
		mov	[ebp+var_94], edi
		mov	[ebp+var_98], esi
		mov	[ebp+var_2C], eax
		call	_tlgCreate1Sz_wchar_t
		lea	eax, [ebp+var_8C]
		push	eax
		push	8
		push	0
		push	0
		push	offset loc_421AED
		push	offset dword_A93BC8
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C4C51:				; CODE XREF: TtmiLogDeviceEnumeratedTerminalEvent(x,x,x,x,x)+26j
					; TtmiLogDeviceEnumeratedTerminalEvent(x,x,x,x,x)+3Cj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_TtmiLogDeviceEnumeratedTerminalEvent@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogDeviceFromTerminalRemoved(x,	x, x, x, x)
_TtmiLogDeviceFromTerminalRemoved@20 proc near ; CODE XREF: TtmiEvacuateDevices(x,x)+27p

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C4D52
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C4D52
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_94], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_94]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	7
		push	ebx
		push	ebx
		push	offset loc_421E4F
		push	offset dword_A93BC8
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_84], edi
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_88], esi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], 8
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C4D52:				; CODE XREF: TtmiLogDeviceFromTerminalRemoved(x,x,x,x,x)+23j
					; TtmiLogDeviceFromTerminalRemoved(x,x,x,x,x)+3Aj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_TtmiLogDeviceFromTerminalRemoved@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogDeviceInputNotified(x, x, x,	x, x, x, x)
_TtmiLogDeviceInputNotified@28 proc near ; CODE	XREF: TtmNotifyDeviceInput(x,x,x,x)+10Ep

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9F		= dword	ptr -9Fh
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C4E95
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C4E95
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_B4], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_4C], eax
		mov	al, [ebp+arg_8]
		mov	byte ptr [ebp+var_9F+2], al
		lea	eax, [ebp+var_9F+2]
		mov	[ebp+var_3C], eax
		mov	al, [ebp+arg_C]
		mov	byte ptr [ebp+var_9F+1], al
		lea	eax, [ebp+var_9F+1]
		mov	[ebp+var_2C], eax
		mov	al, [ebp+arg_10]
		push	4
		pop	ecx
		mov	byte ptr [ebp+var_9F], al
		lea	eax, [ebp+var_9F]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_9F+3]
		push	eax
		push	9
		push	ebx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_44], ecx
		xor	ecx, ecx
		push	ebx
		inc	ecx
		mov	[ebp+var_78], ebx
		push	offset loc_4223BF
		push	offset dword_A93BC8
		mov	[ebp+var_70], ebx
		mov	[ebp+var_A8], edi
		mov	[ebp+var_68], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], 8
		mov	[ebp+var_50], ebx
		mov	[ebp+var_AC], esi
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C4E95:				; CODE XREF: TtmiLogDeviceInputNotified(x,x,x,x,x,x,x)+23j
					; TtmiLogDeviceInputNotified(x,x,x,x,x,x,x)+3Aj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_TtmiLogDeviceInputNotified@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogDeviceRundown(x)
_TtmiLogDeviceRundown@4	proc near	; CODE XREF: TtmiDevicesRundown(x)+71p

var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	loc_9C4FF1
		xor	edi, edi
		mov	ebx, offset dword_A93BC8
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C4FF1
		mov	eax, [esi]
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_88], eax
		mov	eax, [esi+4]
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_78], eax
		mov	eax, [esi+8]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_68], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_C8], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_58], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_48], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_38], eax
		mov	eax, [esi+20h]
		mov	[ebp+var_D0], eax
		mov	eax, [esi+24h]
		push	4
		pop	edx
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_D0]
		push	8
		mov	[ebp+var_28], eax
		mov	eax, [esi+14h]
		pop	ecx
		mov	[ebp+var_C0], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_A8]
		push	eax
		push	0Ah
		push	edi
		push	edi
		push	offset loc_422837
		push	ebx
		mov	[ebp+var_84], edi
		mov	[ebp+var_80], edx
		mov	[ebp+var_7C], edi
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], edi
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C4FF1:				; CODE XREF: TtmiLogDeviceRundown(x)+21j
					; TtmiLogDeviceRundown(x)+3Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogDeviceRundown@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogDeviceSetInputWakeCapability(x, x, x)
_TtmiLogDeviceSetInputWakeCapability@12	proc near
					; CODE XREF: TtmiSessionDeviceListWorker(x)+1C1p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C50B2
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C50B2
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_78]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	6
		push	ebx
		push	ebx
		push	(offset	loc_4213B6+4)
		push	offset dword_A93BC8
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_74], edi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_78], esi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C50B2:				; CODE XREF: TtmiLogDeviceSetInputWakeCapability(x,x,x)+23j
					; TtmiLogDeviceSetInputWakeCapability(x,x,x)+3Aj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmiLogDeviceSetInputWakeCapability@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogDeviceToTerminalAssigned(x, x)
_TtmiLogDeviceToTerminalAssigned@8 proc	near ; CODE XREF: TtmiAssignDevice(x,x,x)+61p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C5159
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C5159
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_60]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_4217DE
		push	offset dword_A93BC8
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_60], edi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_64], esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5159:				; CODE XREF: TtmiLogDeviceToTerminalAssigned(x,x)+20j
					; TtmiLogDeviceToTerminalAssigned(x,x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogDeviceToTerminalAssigned@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogDispatchApiStart(x)
_TtmiLogDispatchApiStart@4 proc	near	; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+16p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_9C51E7
		xor	edi, edi
		mov	ebx, offset dword_A93BC8
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C51E7
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_4C]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	ecx
		push	edi
		push	edi
		push	(offset	loc_422427+4)
		push	ebx
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_50], esi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C51E7:				; CODE XREF: TtmiLogDispatchApiStart(x)+1Ej
					; TtmiLogDispatchApiStart(x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogDispatchApiStart@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogDispatchApiStop(x, x)
_TtmiLogDispatchApiStop@8 proc near	; CODE XREF: TtmDispatchApi(x,x,x,x,x,x,x,x)+1ABp

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C528C
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C528C
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_60]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_422913
		push	offset dword_A93BC8
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_60], edi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_64], esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C528C:				; CODE XREF: TtmiLogDispatchApiStop(x,x)+20j
					; TtmiLogDispatchApiStop(x,x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogDispatchApiStop@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogDisplayPowerRequestSet(x, x,	x, x)
_TtmiLogDisplayPowerRequestSet@16 proc near
					; CODE XREF: TtmiSetDisplayPowerRequest(x,x,x,x)+167p

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C5378
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C5378
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_88]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		push	ebx
		push	ebx
		push	offset loc_422494
		push	offset dword_A93BC8
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_80], edi
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_84], esi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5378:				; CODE XREF: TtmiLogDisplayPowerRequestSet(x,x,x,x)+23j
					; TtmiLogDisplayPowerRequestSet(x,x,x,x)+3Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_TtmiLogDisplayPowerRequestSet@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogEnterProximity(x)
_TtmiLogEnterProximity@4 proc near	; CODE XREF: TtmpEnterProximity(x,x)+30p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_9C5408
		xor	edi, edi
		mov	ebx, offset dword_A93BC8
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C5408
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_4C]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	ecx
		push	edi
		push	edi
		push	offset loc_4214D7
		push	ebx
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_50], esi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5408:				; CODE XREF: TtmiLogEnterProximity(x)+1Ej
					; TtmiLogEnterProximity(x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogEnterProximity@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogError(x, x, x, x)
_TtmiLogError@16 proc near		; CODE XREF: TtmiCreateEventQueue(x,x)+6Fp
					; TtmNotifyDeviceArrival(x,x,x,x,x,x)+3Bp ...

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+8Ch+var_4], eax
		cmp	ds:_TtmpBreakOnError, 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, edx
		mov	[esp+98h+var_88], ecx
		jz	short loc_9C5473
		mov	eax, ds:dword_A93BF4
		test	eax, eax
		jz	short loc_9C5458
		cmp	eax, esi
		jnz	short loc_9C5473

loc_9C5458:				; CODE XREF: TtmiLogError(x,x,x,x)+3Bj
		mov	eax, ds:dword_A93BF8
		test	eax, eax
		jz	short loc_9C5465
		cmp	eax, ebx
		jnz	short loc_9C5473

loc_9C5465:				; CODE XREF: TtmiLogError(x,x,x,x)+48j
		mov	eax, ds:dword_A93BFC
		test	eax, eax
		jz	short loc_9C5472
		cmp	eax, edi
		jnz	short loc_9C5473

loc_9C5472:				; CODE XREF: TtmiLogError(x,x,x,x)+55j
		int	3		; Trap to Debugger

loc_9C5473:				; CODE XREF: TtmiLogError(x,x,x,x)+32j
					; TtmiLogError(x,x,x,x)+3Fj ...
		cmp	ds:dword_A93BC8, 5
		jbe	loc_9C5552
		push	0
		push	2
		mov	ecx, offset dword_A93BC8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C5552
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	edx, [esp+98h+var_88]
		lea	ecx, [esp+98h+var_48]
		and	[esp+98h+var_54], 0
		and	[esp+98h+var_4C], 0
		mov	[esp+98h+var_8C], eax
		lea	eax, [esp+98h+var_8C]
		mov	[esp+98h+var_58], eax
		mov	[esp+98h+var_50], 4
		call	_tlgCreate1Sz_char
		lea	eax, [esp+98h+var_84]
		mov	[esp+98h+var_84], esi
		mov	[esp+98h+var_38], eax
		xor	edx, edx
		push	4
		pop	ecx
		lea	eax, [esp+98h+var_80]
		mov	[esp+98h+var_34], edx
		mov	[esp+98h+var_28], eax
		lea	eax, [esp+98h+var_7C]
		mov	[esp+98h+var_18], eax
		lea	eax, [esp+98h+var_78]
		push	eax
		push	7
		push	edx
		push	edx
		push	(offset	loc_42136A+4)
		push	offset dword_A93BC8
		mov	[esp+0B0h+var_30], ecx
		mov	[esp+0B0h+var_2C], edx
		mov	[esp+0B0h+var_80], ebx
		mov	[esp+0B0h+var_24], edx
		mov	[esp+0B0h+var_20], ecx
		mov	[esp+0B0h+var_1C], edx
		mov	[esp+0B0h+var_7C], edi
		mov	[esp+0B0h+var_14], edx
		mov	[esp+0B0h+var_10], ecx
		mov	[esp+0B0h+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5552:				; CODE XREF: TtmiLogError(x,x,x,x)+63j
					; TtmiLogError(x,x,x,x)+79j
		mov	ecx, [esp+98h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_TtmiLogError@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogExitProximity(x, x, x)
_TtmiLogExitProximity@12 proc near	; CODE XREF: TtmpExitProximity(x,x,x)+2Bp

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6D		= dword	ptr -6Dh
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C561F
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C561F
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_2C], eax
		mov	al, [ebp+arg_0]
		push	4
		pop	ecx
		mov	byte ptr [ebp+var_6D], al
		lea	eax, [ebp+var_6D]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_6D+1]
		push	eax
		push	6
		push	ebx
		push	ebx
		push	offset loc_421C53
		push	offset dword_A93BC8
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_78], edi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_7C], esi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], 1
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C561F:				; CODE XREF: TtmiLogExitProximity(x,x,x)+23j
					; TtmiLogExitProximity(x,x,x)+3Aj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmiLogExitProximity@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogInitCurrentSessionStart()
_TtmiLogInitCurrentSessionStart@0 proc near ; CODE XREF: TtmInitCurrentSession()+Cp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	esi
		push	edi
		jbe	short loc_9C569C
		xor	esi, esi
		mov	edi, offset dword_A93BC8
		push	esi
		push	1
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C569C
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	esi
		push	esi
		push	offset loc_4226D1
		push	edi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C569C:				; CODE XREF: TtmiLogInitCurrentSessionStart()+1Bj
					; TtmiLogInitCurrentSessionStart()+30j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogInitCurrentSessionStart@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogInitCurrentSessionStop(x)
_TtmiLogInitCurrentSessionStop@4 proc near ; CODE XREF:	TtmInitCurrentSession()+1DCp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_9C5729
		xor	edi, edi
		mov	ebx, offset dword_A93BC8
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C5729
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_4C]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	ecx
		push	edi
		push	edi
		push	(offset	loc_42252F+4)
		push	ebx
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_50], esi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5729:				; CODE XREF: TtmiLogInitCurrentSessionStop(x)+1Ej
					; TtmiLogInitCurrentSessionStop(x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogInitCurrentSessionStop@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogInitiateModernStandbyTransitionStart(x, x)
_TtmiLogInitiateModernStandbyTransitionStart@8 proc near
					; CODE XREF: TtmpInitiateModernStandbyTransition(x,x,x)+11p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_59		= dword	ptr -59h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	bl, cl
		jbe	short loc_9C57D2
		xor	edi, edi
		mov	ecx, offset dword_A93BC8
		push	edi
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C57D2
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_59]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_59+1]
		push	eax
		push	5
		push	edi
		push	edi
		push	offset loc_42182C
		push	offset dword_A93BC8
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edi
		mov	byte ptr [ebp+var_59], bl
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], 1
		mov	[ebp+var_1C], edi
		mov	[ebp+var_64], esi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C57D2:				; CODE XREF: TtmiLogInitiateModernStandbyTransitionStart(x,x)+20j
					; TtmiLogInitiateModernStandbyTransitionStart(x,x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogInitiateModernStandbyTransitionStart@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogInitiateModernStandbyTransitionStop(x)
_TtmiLogInitiateModernStandbyTransitionStop@4 proc near
					; CODE XREF: TtmpInitiateModernStandbyTransition(x,x,x)+62p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_9C5860
		xor	edi, edi
		mov	ebx, offset dword_A93BC8
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C5860
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_4C]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	ecx
		push	edi
		push	edi
		push	offset loc_4222F9
		push	ebx
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_50], esi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5860:				; CODE XREF: TtmiLogInitiateModernStandbyTransitionStop(x)+1Ej
					; TtmiLogInitiateModernStandbyTransitionStop(x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogInitiateModernStandbyTransitionStop@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogProximityBlockedRequest(x, x, x)
_TtmiLogProximityBlockedRequest@12 proc	near
					; CODE XREF: TtmiSetPendingOnOffRequest(x,x,x,x,x)+58p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7D		= dword	ptr -7Dh
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	bl, cl
		jbe	loc_9C5942
		xor	edi, edi
		mov	ecx, offset dword_A93BC8
		push	edi
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C5942
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_7D]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_14]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_7D+1]
		push	eax
		push	7
		push	edi
		push	edi
		push	offset loc_422345
		push	offset dword_A93BC8
		mov	[ebp+var_58], edi
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], edi
		mov	byte ptr [ebp+var_7D], bl
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], 1
		mov	[ebp+var_40], edi
		mov	[ebp+var_88], esi
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], 2
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5942:				; CODE XREF: TtmiLogProximityBlockedRequest(x,x,x)+23j
					; TtmiLogProximityBlockedRequest(x,x,x)+3Aj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmiLogProximityBlockedRequest@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogProximityPowerPress(x, x, x,	x, x, x)
_TtmiLogProximityPowerPress@24 proc near ; CODE	XREF: TtmpShouldEscapeProximity(x)+7Dp

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_89		= dword	ptr -89h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	bl, cl
		jbe	loc_9C5A69
		xor	edi, edi
		mov	ecx, offset dword_A93BC8
		push	edi
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C5A69
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_89]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_8]
		push	4
		pop	edx
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_98]
		push	8
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_C]
		pop	ecx
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_89+1]
		push	eax
		push	ecx
		push	edi
		push	edi
		push	offset loc_421459
		push	offset dword_A93BC8
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], edi
		mov	byte ptr [ebp+var_89], bl
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], 1
		mov	[ebp+var_4C], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_94], esi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5A69:				; CODE XREF: TtmiLogProximityPowerPress(x,x,x,x,x,x)+23j
					; TtmiLogProximityPowerPress(x,x,x,x,x,x)+3Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_TtmiLogProximityPowerPress@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogQueueCreated(x)
_TtmiLogQueueCreated@4 proc near	; CODE XREF: TtmiCreateEventQueue(x,x)+B3p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_9C5AF9
		xor	edi, edi
		mov	ebx, offset dword_A93BC8
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C5AF9
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_4C]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	ecx
		push	edi
		push	edi
		push	offset loc_42199C
		push	ebx
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_50], esi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5AF9:				; CODE XREF: TtmiLogQueueCreated(x)+1Ej
					; TtmiLogQueueCreated(x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogQueueCreated@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogQueueDequeueEvent(x,	x)
_TtmiLogQueueDequeueEvent@8 proc near	; CODE XREF: TtmiRetrieveEventFromQueue(x,x)+85p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C5B8F
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C5B8F
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_5C], edi
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_60]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		mov	eax, [esi]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_4220BA
		push	offset dword_A93BC8
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_60], esi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5B8F:				; CODE XREF: TtmiLogQueueDequeueEvent(x,x)+20j
					; TtmiLogQueueDequeueEvent(x,x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogQueueDequeueEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogQueueDestroyed(x)
_TtmiLogQueueDestroyed@4 proc near	; CODE XREF: TtmpDeleteQueue(x)+48p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_9C5C07
		xor	edi, edi
		mov	ebx, offset dword_A93BC8
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C5C07
		lea	eax, [esp+48h+var_3C]
		mov	[esp+48h+var_3C], esi
		mov	[esp+48h+var_18], eax
		lea	eax, [esp+48h+var_38]
		push	eax
		push	3
		push	edi
		push	edi
		push	offset loc_421FB2
		push	ebx
		mov	[esp+60h+var_14], edi
		mov	[esp+60h+var_10], 4
		mov	[esp+60h+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5C07:				; CODE XREF: TtmiLogQueueDestroyed(x)+22j
					; TtmiLogQueueDestroyed(x)+37j
		mov	ecx, [esp+48h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_TtmiLogQueueDestroyed@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogQueueEnqueueEvent(x,	x)
_TtmiLogQueueEnqueueEvent@8 proc near	; CODE XREF: TtmiRetrieveEventFromQueue(x,x)+155p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C5CA0
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C5CA0
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_5C], edi
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_60]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		mov	eax, [esi]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_421E14
		push	offset dword_A93BC8
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_60], esi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5CA0:				; CODE XREF: TtmiLogQueueEnqueueEvent(x,x)+20j
					; TtmiLogQueueEnqueueEvent(x,x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogQueueEnqueueEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogQueueHandleClosed(x,	x, x)
_TtmiLogQueueHandleClosed@12 proc near	; CODE XREF: TtmpCloseQueueHandle(x,x,x,x)+15p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C5D4E
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C5D4E
		lea	eax, [esp+70h+var_64]
		mov	[esp+70h+var_64], edi
		mov	[esp+70h+var_38], eax
		lea	eax, [esp+70h+var_60]
		push	4
		pop	ecx
		mov	[esp+70h+var_28], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+70h+var_5C], eax
		lea	eax, [esp+70h+var_5C]
		mov	[esp+70h+var_18], eax
		lea	eax, [esp+70h+var_58]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_4218D0
		push	offset dword_A93BC8
		mov	[esp+88h+var_34], ebx
		mov	[esp+88h+var_30], ecx
		mov	[esp+88h+var_2C], ebx
		mov	[esp+88h+var_60], esi
		mov	[esp+88h+var_24], ebx
		mov	[esp+88h+var_20], ecx
		mov	[esp+88h+var_1C], ebx
		mov	[esp+88h+var_14], ebx
		mov	[esp+88h+var_10], ecx
		mov	[esp+88h+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5D4E:				; CODE XREF: TtmiLogQueueHandleClosed(x,x,x)+24j
					; TtmiLogQueueHandleClosed(x,x,x)+37j
		mov	ecx, [esp+70h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_TtmiLogQueueHandleClosed@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogQueueHandleOpened(x,	x, x)
_TtmiLogQueueHandleOpened@12 proc near	; CODE XREF: TtmpOpenQueueHandle(x,x,x,x,x,x)+27p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C5E01
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C5E01
		lea	eax, [esp+70h+var_64]
		mov	[esp+70h+var_64], edi
		mov	[esp+70h+var_38], eax
		lea	eax, [esp+70h+var_60]
		push	4
		pop	ecx
		mov	[esp+70h+var_28], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+70h+var_5C], eax
		lea	eax, [esp+70h+var_5C]
		mov	[esp+70h+var_18], eax
		lea	eax, [esp+70h+var_58]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_421AA8
		push	offset dword_A93BC8
		mov	[esp+88h+var_34], ebx
		mov	[esp+88h+var_30], ecx
		mov	[esp+88h+var_2C], ebx
		mov	[esp+88h+var_60], esi
		mov	[esp+88h+var_24], ebx
		mov	[esp+88h+var_20], ecx
		mov	[esp+88h+var_1C], ebx
		mov	[esp+88h+var_14], ebx
		mov	[esp+88h+var_10], ecx
		mov	[esp+88h+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5E01:				; CODE XREF: TtmiLogQueueHandleOpened(x,x,x)+24j
					; TtmiLogQueueHandleOpened(x,x,x)+37j
		mov	ecx, [esp+70h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_TtmiLogQueueHandleOpened@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionActivate()
_TtmiLogSessionActivate@0 proc near	; CODE XREF: TtmpActivateSessionWorker(x)+8Bp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	esi
		push	edi
		jbe	short loc_9C5E81
		xor	esi, esi
		mov	edi, offset dword_A93BC8
		push	esi
		push	1
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C5E81
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	esi
		push	esi
		push	offset loc_42202D
		push	edi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5E81:				; CODE XREF: TtmiLogSessionActivate()+1Bj
					; TtmiLogSessionActivate()+30j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogSessionActivate@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionCsExitComplete(x)
_TtmiLogSessionCsExitComplete@4	proc near ; CODE XREF: TtmNotifyLowPowerStateExited(x)+30p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_9C5EED
		xor	edi, edi
		mov	ebx, offset dword_A93BC8
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C5EED
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_3C], esi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	edi
		push	edi
		push	offset loc_421967
		push	ebx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5EED:				; CODE XREF: TtmiLogSessionCsExitComplete(x)+1Ej
					; TtmiLogSessionCsExitComplete(x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogSessionCsExitComplete@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionDeactivate()
_TtmiLogSessionDeactivate@0 proc near	; CODE XREF: TtmpDeactivateSessionWorker(x)+23p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	esi
		push	edi
		jbe	short loc_9C5F68
		xor	esi, esi
		mov	edi, offset dword_A93BC8
		push	esi
		push	1
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C5F68
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	esi
		push	esi
		push	offset loc_42256E
		push	edi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5F68:				; CODE XREF: TtmiLogSessionDeactivate()+1Bj
					; TtmiLogSessionDeactivate()+30j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogSessionDeactivate@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionDeviceAssignmentPolicySet(x)
_TtmiLogSessionDeviceAssignmentPolicySet@4 proc	near
					; CODE XREF: TtmInitCurrentSession()+F8p
					; TtmiSetSessionDeviceAssignmentPolicy(x,x)+16p

var_50		= dword	ptr -50h
var_49		= dword	ptr -49h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		mov	bl, cl
		jbe	short loc_9C5FFA
		xor	esi, esi
		mov	ecx, offset dword_A93BC8
		push	esi
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C5FFA
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_50]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_49]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_49+1]
		push	eax
		push	ecx
		push	esi
		push	esi
		push	offset loc_421B72
		push	offset dword_A93BC8
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], esi
		mov	byte ptr [ebp+var_49], bl
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 1
		mov	[ebp+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C5FFA:				; CODE XREF: TtmiLogSessionDeviceAssignmentPolicySet(x)+1Dj
					; TtmiLogSessionDeviceAssignmentPolicySet(x)+30j
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogSessionDeviceAssignmentPolicySet@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionDisplayRequiredDereference(x,	x, x)
_TtmiLogSessionDisplayRequiredDereference@12 proc near
					; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x)+ECp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C6090
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C6090
		lea	eax, [ebp+var_60]
		mov	[ebp+var_60], edi
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_64]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_421FDC
		push	offset dword_A93BC8
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_64], esi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C6090:				; CODE XREF: TtmiLogSessionDisplayRequiredDereference(x,x,x)+20j
					; TtmiLogSessionDisplayRequiredDereference(x,x,x)+33j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmiLogSessionDisplayRequiredDereference@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionDisplayRequiredPowerRequestUpdated(x,	x, x)
_TtmiLogSessionDisplayRequiredPowerRequestUpdated@12 proc near
					; CODE XREF: TtmpUpdateDisplayRequiredPowerRequest(x,x,x)+98p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5D		= dword	ptr -5Dh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C612D
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C612D
		lea	eax, [ebp+var_64]
		mov	[ebp+var_64], edi
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_2C], eax
		mov	al, [ebp+arg_0]
		push	4
		pop	ecx
		mov	byte ptr [ebp+var_5D], al
		lea	eax, [ebp+var_5D]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_5D+1]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_421BC3
		push	offset dword_A93BC8
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_68], esi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], 1
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C612D:				; CODE XREF: TtmiLogSessionDisplayRequiredPowerRequestUpdated(x,x,x)+20j
					; TtmiLogSessionDisplayRequiredPowerRequestUpdated(x,x,x)+33j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmiLogSessionDisplayRequiredPowerRequestUpdated@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionDisplayRequiredReference(x, x, x)
_TtmiLogSessionDisplayRequiredReference@12 proc	near
					; CODE XREF: TtmNotifySessionDisplayRequiredChange(x,x,x):loc_9C2145p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C61C6
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C61C6
		lea	eax, [ebp+var_60]
		mov	[ebp+var_60], edi
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_64]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_421EF2
		push	offset dword_A93BC8
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_64], esi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C61C6:				; CODE XREF: TtmiLogSessionDisplayRequiredReference(x,x,x)+20j
					; TtmiLogSessionDisplayRequiredReference(x,x,x)+33j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmiLogSessionDisplayRequiredReference@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionMonitorControl(x, x, x, x)
_TtmiLogSessionMonitorControl@16 proc near ; CODE XREF:	TtmSessionMonitorControl(x,x,x)+70p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C6274
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C6274
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_6C], edi
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_74]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	6
		push	ebx
		push	ebx
		push	offset loc_42191B
		push	offset dword_A93BC8
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_70], esi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C6274:				; CODE XREF: TtmiLogSessionMonitorControl(x,x,x,x)+20j
					; TtmiLogSessionMonitorControl(x,x,x,x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_TtmiLogSessionMonitorControl@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionPowerControlStart(x, x)
_TtmiLogSessionPowerControlStart@8 proc	near ; CODE XREF: TtmpSessionPowerControl(x,x,x)+13p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_59		= dword	ptr -59h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	bl, cl
		jbe	short loc_9C631F
		xor	edi, edi
		mov	ecx, offset dword_A93BC8
		push	edi
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C631F
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_59]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_59+1]
		push	eax
		push	5
		push	edi
		push	edi
		push	offset loc_421D40
		push	offset dword_A93BC8
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edi
		mov	byte ptr [ebp+var_59], bl
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], 1
		mov	[ebp+var_1C], edi
		mov	[ebp+var_64], esi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C631F:				; CODE XREF: TtmiLogSessionPowerControlStart(x,x)+20j
					; TtmiLogSessionPowerControlStart(x,x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogSessionPowerControlStart@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionPowerControlStop()
_TtmiLogSessionPowerControlStop@0 proc near ; CODE XREF: TtmpSessionPowerControl(x,x,x)+5Fp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	esi
		push	edi
		jbe	short loc_9C639A
		xor	esi, esi
		mov	edi, offset dword_A93BC8
		push	esi
		push	1
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C639A
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	esi
		push	esi
		push	offset loc_42245D
		push	edi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C639A:				; CODE XREF: TtmiLogSessionPowerControlStop()+1Bj
					; TtmiLogSessionPowerControlStop()+30j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogSessionPowerControlStop@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionPowerRequestAcknowledged(x, x, x, x, x, x, x,	x)
_TtmiLogSessionPowerRequestAcknowledged@32 proc	near
					; CODE XREF: TtmNotifySessionPowerRequestPresent(x,x,x,x,x,x,x)+42p

var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AA		= dword	ptr -0AAh
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= byte ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C64E0
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C64E0
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_B0], edi
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_B4]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_68], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_BC], eax
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_C0], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_38], eax
		mov	al, [ebp+arg_10]
		mov	byte ptr [ebp+var_AA+1], al
		lea	eax, [ebp+var_AA+1]
		mov	[ebp+var_28], eax
		mov	al, [ebp+arg_14]
		push	4
		pop	ecx
		mov	byte ptr [ebp+var_AA], al
		lea	eax, [ebp+var_AA]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_AA+2]
		push	eax
		push	0Ah
		push	ebx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_30], ecx
		xor	ecx, ecx
		push	ebx
		inc	ecx
		mov	[ebp+var_84], ebx
		push	(offset	loc_421CA0+6)
		push	offset dword_A93BC8
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_B4], esi
		mov	[ebp+var_74], ebx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C64E0:				; CODE XREF: TtmiLogSessionPowerRequestAcknowledged(x,x,x,x,x,x,x,x)+23j
					; TtmiLogSessionPowerRequestAcknowledged(x,x,x,x,x,x,x,x)+3Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_TtmiLogSessionPowerRequestAcknowledged@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionPowerRequestCreated(x, x, x)
_TtmiLogSessionPowerRequestCreated@12 proc near
					; CODE XREF: PopNotifySessionUserPowerRequestCreated+E4BEBp

var_62		= byte ptr -62h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C6594
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C6594
		lea	eax, [esp+70h+var_60]
		mov	[esp+70h+var_60], edi
		mov	[esp+70h+var_38], eax
		lea	eax, [esp+70h+var_5C]
		mov	[esp+70h+var_28], eax
		mov	al, [ebp+arg_0]
		push	4
		pop	ecx
		mov	[esp+0Fh], al
		lea	eax, [esp+0Fh]
		mov	[esp+70h+var_18], eax
		lea	eax, [esp+70h+var_58]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_421A53
		push	offset dword_A93BC8
		mov	[esp+88h+var_34], ebx
		mov	[esp+88h+var_30], ecx
		mov	[esp+88h+var_2C], ebx
		mov	[esp+88h+var_5C], esi
		mov	[esp+88h+var_24], ebx
		mov	[esp+88h+var_20], ecx
		mov	[esp+88h+var_1C], ebx
		mov	[esp+88h+var_14], ebx
		mov	[esp+88h+var_10], 1
		mov	[esp+88h+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C6594:				; CODE XREF: TtmiLogSessionPowerRequestCreated(x,x,x)+24j
					; TtmiLogSessionPowerRequestCreated(x,x,x)+37j
		mov	ecx, [esp+70h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_TtmiLogSessionPowerRequestCreated@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionPowerRequestDeleted(x, x, x)
_TtmiLogSessionPowerRequestDeleted@12 proc near
					; CODE XREF: TtmNotifySessionPowerRequestDeleted(x,x)+FDp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5D		= dword	ptr -5Dh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C6634
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C6634
		lea	eax, [ebp+var_64]
		mov	[ebp+var_64], edi
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_2C], eax
		mov	al, [ebp+arg_0]
		push	4
		pop	ecx
		mov	byte ptr [ebp+var_5D], al
		lea	eax, [ebp+var_5D]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_5D+1]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_421DBA
		push	offset dword_A93BC8
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_68], esi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], 1
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C6634:				; CODE XREF: TtmiLogSessionPowerRequestDeleted(x,x,x)+20j
					; TtmiLogSessionPowerRequestDeleted(x,x,x)+33j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmiLogSessionPowerRequestDeleted@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionPowerStateChange(x)
_TtmiLogSessionPowerStateChange@4 proc near
					; CODE XREF: TtmNotifySessionPowerStateChange(x,x)+31p

var_50		= dword	ptr -50h
var_49		= dword	ptr -49h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		mov	bl, cl
		jbe	short loc_9C66C9
		xor	esi, esi
		mov	ecx, offset dword_A93BC8
		push	esi
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C66C9
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_50]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_49]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_49+1]
		push	eax
		push	ecx
		push	esi
		push	esi
		push	(offset	loc_4224F3+4)
		push	offset dword_A93BC8
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], esi
		mov	byte ptr [ebp+var_49], bl
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], 1
		mov	[ebp+var_C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C66C9:				; CODE XREF: TtmiLogSessionPowerStateChange(x)+1Dj
					; TtmiLogSessionPowerStateChange(x)+30j
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogSessionPowerStateChange@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionRundown(x)
_TtmiLogSessionRundown@4 proc near	; CODE XREF: TtmiSessionsRundown()+83p

var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0F4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	loc_9C685B
		xor	edi, edi
		mov	ebx, offset dword_A93BC8
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C685B
		mov	eax, [esi]
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_A8], eax
		mov	eax, [esi+4]
		mov	[ebp+var_D0], eax
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_98], eax
		mov	eax, [esi+8]
		mov	[ebp+var_D4], eax
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_88], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_D8], eax
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_78], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_DC], eax
		lea	eax, [ebp+var_DC]
		mov	[ebp+var_68], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_E0], eax
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_58], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_E4], eax
		lea	eax, [ebp+var_E4]
		mov	[ebp+var_48], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_E8], eax
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_38], eax
		mov	eax, [esi+20h]
		mov	[ebp+var_EC], eax
		lea	eax, [ebp+var_EC]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_F0], eax
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_C8]
		push	eax
		push	0Ch
		push	edi
		push	edi
		push	offset loc_422785
		push	ebx
		mov	[ebp+var_A4], edi
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_9C], edi
		mov	[ebp+var_94], edi
		mov	[ebp+var_90], ecx
		mov	[ebp+var_8C], edi
		mov	[ebp+var_84], edi
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], edi
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], edi
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C685B:				; CODE XREF: TtmiLogSessionRundown(x)+21j
					; TtmiLogSessionRundown(x)+3Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogSessionRundown@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionWorkerPass(x,	x, x)
_TtmiLogSessionWorkerPass@12 proc near	; CODE XREF: TtmpSessionWorker(x)+D4p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C68F2
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C68F2
		lea	eax, [ebp+var_60]
		mov	[ebp+var_60], edi
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_64]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_42259F
		push	offset dword_A93BC8
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_64], esi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C68F2:				; CODE XREF: TtmiLogSessionWorkerPass(x,x,x)+20j
					; TtmiLogSessionWorkerPass(x,x,x)+33j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmiLogSessionWorkerPass@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionWorkerStart(x)
_TtmiLogSessionWorkerStart@4 proc near	; CODE XREF: TtmpSessionWorker(x)+44p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_9C6961
		xor	edi, edi
		mov	ebx, offset dword_A93BC8
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C6961
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_3C], esi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	3
		push	edi
		push	edi
		push	offset loc_422392
		push	ebx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 4
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C6961:				; CODE XREF: TtmiLogSessionWorkerStart(x)+1Ej
					; TtmiLogSessionWorkerStart(x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogSessionWorkerStart@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogSessionWorkerStop(x,	x)
_TtmiLogSessionWorkerStop@8 proc near	; CODE XREF: TtmpSessionWorker(x)+1DFp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C69E2
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C69E2
		push	4
		pop	ecx
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_4C], edi
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	ecx
		push	ebx
		push	ebx
		push	offset loc_4225E5
		push	offset dword_A93BC8
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_50], esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C69E2:				; CODE XREF: TtmiLogSessionWorkerStop(x,x)+20j
					; TtmiLogSessionWorkerStop(x,x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogSessionWorkerStop@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogTerminalCleanup(x, x, x)
_TtmiLogTerminalCleanup@12 proc	near	; CODE XREF: TtmiSessionTerminalListWorker(x,x,x)+56p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C6A79
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C6A79
		lea	eax, [ebp+var_60]
		mov	[ebp+var_60], esi
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_64]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	(offset	loc_421412+2)
		push	offset dword_A93BC8
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_68], edi
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C6A79:				; CODE XREF: TtmiLogTerminalCleanup(x,x,x)+20j
					; TtmiLogTerminalCleanup(x,x,x)+33j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmiLogTerminalCleanup@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogTerminalCreated(x, x)
_TtmiLogTerminalCreated@8 proc near	; CODE XREF: TtmiCreateTerminal(x,x,x,x,x,x)+194p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	short loc_9C6B20
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C6B20
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_60]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	5
		push	ebx
		push	ebx
		push	offset loc_42261B
		push	offset dword_A93BC8
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_60], esi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_64], edi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C6B20:				; CODE XREF: TtmiLogTerminalCreated(x,x)+20j
					; TtmiLogTerminalCreated(x,x)+33j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogTerminalCreated@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogTerminalDestroyed(x)
_TtmiLogTerminalDestroyed@4 proc near	; CODE XREF: TtmpDeleteTerminal(x)+8p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	short loc_9C6B98
		xor	edi, edi
		mov	ebx, offset dword_A93BC8
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C6B98
		lea	eax, [esp+48h+var_3C]
		mov	[esp+48h+var_3C], esi
		mov	[esp+48h+var_18], eax
		lea	eax, [esp+48h+var_38]
		push	eax
		push	3
		push	edi
		push	edi
		push	(offset	loc_421C1F+4)
		push	ebx
		mov	[esp+60h+var_14], edi
		mov	[esp+60h+var_10], 4
		mov	[esp+60h+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C6B98:				; CODE XREF: TtmiLogTerminalDestroyed(x)+22j
					; TtmiLogTerminalDestroyed(x)+37j
		mov	ecx, [esp+48h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_TtmiLogTerminalDestroyed@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogTerminalDisplayStateChangedEvent(x, x, x)
_TtmiLogTerminalDisplayStateChangedEvent@12 proc near
					; CODE XREF: TtmpWriteDisplayStateChangedEvent(x,x)+53p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C6C5C
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9C6C5C
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_78]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	6
		push	ebx
		push	ebx
		push	offset loc_4212A4
		push	offset dword_A93BC8
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_74], edi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_78], esi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C6C5C:				; CODE XREF: TtmiLogTerminalDisplayStateChangedEvent(x,x,x)+23j
					; TtmiLogTerminalDisplayStateChangedEvent(x,x,x)+3Aj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmiLogTerminalDisplayStateChangedEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogTerminalDisplayTimeouts(x, x, x, x, x, x, x,	x)
_TtmiLogTerminalDisplayTimeouts@32 proc	near
					; CODE XREF: TtmiTerminalSetDisplayTimeouts(x,x,x,x)+7Cp

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C6D7A
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C6D7A
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_8C], edi
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_A0], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_A0]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_10]
		push	8
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_60], ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_30], ecx
		pop	ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_88]
		push	eax
		push	ecx
		push	ebx
		push	ebx
		push	offset loc_42156D
		push	offset dword_A93BC8
		mov	[ebp+var_64], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_90], esi
		mov	[ebp+var_54], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C6D7A:				; CODE XREF: TtmiLogTerminalDisplayTimeouts(x,x,x,x,x,x,x,x)+23j
					; TtmiLogTerminalDisplayTimeouts(x,x,x,x,x,x,x,x)+3Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_TtmiLogTerminalDisplayTimeouts@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogTerminalHandleClosed(x, x, x, x)
_TtmiLogTerminalHandleClosed@16	proc near ; CODE XREF: TtmpCloseTerminalHandle(x,x,x,x)+6Bp

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C6E5C
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C6E5C
		lea	eax, [esp+88h+var_78]
		mov	[esp+88h+var_78], edi
		mov	[esp+88h+var_48], eax
		lea	eax, [esp+88h+var_74]
		mov	[esp+88h+var_38], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+88h+var_70], eax
		lea	eax, [esp+88h+var_70]
		push	4
		pop	ecx
		mov	[esp+88h+var_28], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+88h+var_6C], eax
		lea	eax, [esp+88h+var_6C]
		mov	[esp+88h+var_18], eax
		lea	eax, [esp+88h+var_68]
		push	eax
		push	6
		push	ebx
		push	ebx
		push	offset loc_42205C
		push	offset dword_A93BC8
		mov	[esp+0A0h+var_44], ebx
		mov	[esp+0A0h+var_40], ecx
		mov	[esp+0A0h+var_3C], ebx
		mov	[esp+0A0h+var_74], esi
		mov	[esp+0A0h+var_34], ebx
		mov	[esp+0A0h+var_30], ecx
		mov	[esp+0A0h+var_2C], ebx
		mov	[esp+0A0h+var_24], ebx
		mov	[esp+0A0h+var_20], ecx
		mov	[esp+0A0h+var_1C], ebx
		mov	[esp+0A0h+var_14], ebx
		mov	[esp+0A0h+var_10], ecx
		mov	[esp+0A0h+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C6E5C:				; CODE XREF: TtmiLogTerminalHandleClosed(x,x,x,x)+24j
					; TtmiLogTerminalHandleClosed(x,x,x,x)+3Bj
		mov	ecx, [esp+88h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_TtmiLogTerminalHandleClosed@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogTerminalHandleOpened(x, x, x, x)
_TtmiLogTerminalHandleOpened@16	proc near
					; CODE XREF: TtmpOpenTerminalHandle(x,x,x,x,x,x)+30p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C6F44
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C6F44
		lea	eax, [esp+88h+var_78]
		mov	[esp+88h+var_78], edi
		mov	[esp+88h+var_48], eax
		lea	eax, [esp+88h+var_74]
		mov	[esp+88h+var_38], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+88h+var_70], eax
		lea	eax, [esp+88h+var_70]
		push	4
		pop	ecx
		mov	[esp+88h+var_28], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+88h+var_6C], eax
		lea	eax, [esp+88h+var_6C]
		mov	[esp+88h+var_18], eax
		lea	eax, [esp+88h+var_68]
		push	eax
		push	6
		push	ebx
		push	ebx
		push	offset loc_4228BB
		push	offset dword_A93BC8
		mov	[esp+0A0h+var_44], ebx
		mov	[esp+0A0h+var_40], ecx
		mov	[esp+0A0h+var_3C], ebx
		mov	[esp+0A0h+var_74], esi
		mov	[esp+0A0h+var_34], ebx
		mov	[esp+0A0h+var_30], ecx
		mov	[esp+0A0h+var_2C], ebx
		mov	[esp+0A0h+var_24], ebx
		mov	[esp+0A0h+var_20], ecx
		mov	[esp+0A0h+var_1C], ebx
		mov	[esp+0A0h+var_14], ebx
		mov	[esp+0A0h+var_10], ecx
		mov	[esp+0A0h+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C6F44:				; CODE XREF: TtmiLogTerminalHandleOpened(x,x,x,x)+24j
					; TtmiLogTerminalHandleOpened(x,x,x,x)+3Bj
		mov	ecx, [esp+88h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_TtmiLogTerminalHandleOpened@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogTerminalOffRequest(x, x, x)
_TtmiLogTerminalOffRequest@12 proc near	; CODE XREF: TtmiSetPendingOnOffRequest(x,x,x,x,x)+4Ap

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C702A
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C702A
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_14]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	7
		push	ebx
		push	ebx
		push	offset loc_421647
		push	offset dword_A93BC8
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_84], edi
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_88], esi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], 2
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C702A:				; CODE XREF: TtmiLogTerminalOffRequest(x,x,x)+23j
					; TtmiLogTerminalOffRequest(x,x,x)+3Aj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmiLogTerminalOffRequest@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogTerminalOnRequest(x,	x, x)
_TtmiLogTerminalOnRequest@12 proc near	; CODE XREF: TtmiSetPendingOnOffRequest(x,x,x,x,x):loc_9C13F5p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C710A
		xor	ebx, ebx
		mov	ecx, offset dword_A93BC8
		push	ebx
		push	1
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C710A
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_14]
		push	4
		pop	ecx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	7
		push	ebx
		push	ebx
		push	(offset	loc_4215F3+6)
		push	offset dword_A93BC8
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_84], edi
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_88], esi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], 2
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C710A:				; CODE XREF: TtmiLogTerminalOnRequest(x,x,x)+23j
					; TtmiLogTerminalOnRequest(x,x,x)+3Aj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmiLogTerminalOnRequest@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogTerminalRundown(x)
_TtmiLogTerminalRundown@4 proc near	; CODE XREF: TtmiTerminalsRundown(x)+C8p

var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 194h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jbe	loc_9C73D7
		xor	edi, edi
		mov	ebx, offset dword_A93BC8
		push	edi
		push	1
		mov	ecx, ebx
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C73D7
		mov	eax, [esi]
		mov	[ebp+var_13C], eax
		lea	eax, [ebp+var_13C]
		mov	[ebp+var_118], eax
		mov	eax, [esi+4]
		mov	[ebp+var_140], eax
		lea	eax, [ebp+var_140]
		mov	[ebp+var_108], eax
		mov	eax, [esi+8]
		mov	[ebp+var_144], eax
		lea	eax, [ebp+var_144]
		mov	[ebp+var_F8], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_148]
		mov	[ebp+var_E8], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_14C], eax
		lea	eax, [ebp+var_14C]
		mov	[ebp+var_D8], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_150], eax
		lea	eax, [ebp+var_150]
		mov	[ebp+var_C8], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_154], eax
		lea	eax, [ebp+var_154]
		mov	[ebp+var_B8], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_158], eax
		lea	eax, [ebp+var_158]
		mov	[ebp+var_A8], eax
		mov	eax, [esi+20h]
		mov	[ebp+var_178], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_174], eax
		lea	eax, [ebp+var_178]
		mov	[ebp+var_98], eax
		mov	eax, [esi+28h]
		mov	[ebp+var_180], eax
		mov	eax, [esi+2Ch]
		push	4
		pop	edx
		mov	[ebp+var_17C], eax
		lea	eax, [ebp+var_180]
		push	8
		mov	[ebp+var_88], eax
		mov	eax, [esi+30h]
		pop	ecx
		mov	[ebp+var_188], eax
		mov	eax, [esi+34h]
		mov	[ebp+var_114], edi
		mov	[ebp+var_110], edx
		mov	[ebp+var_10C], edi
		mov	[ebp+var_104], edi
		mov	[ebp+var_100], edx
		mov	[ebp+var_FC], edi
		mov	[ebp+var_F4], edi
		mov	[ebp+var_F0], edx
		mov	[ebp+var_EC], edi
		mov	[ebp+var_E4], edi
		mov	[ebp+var_E0], edx
		mov	[ebp+var_DC], edi
		mov	[ebp+var_D4], edi
		mov	[ebp+var_D0], edx
		mov	[ebp+var_CC], edi
		mov	[ebp+var_C4], edi
		mov	[ebp+var_C0], edx
		mov	[ebp+var_BC], edi
		mov	[ebp+var_B4], edi
		mov	[ebp+var_B0], edx
		mov	[ebp+var_AC], edi
		mov	[ebp+var_A4], edi
		mov	[ebp+var_A0], edx
		mov	[ebp+var_9C], edi
		mov	[ebp+var_94], edi
		mov	[ebp+var_90], ecx
		mov	[ebp+var_8C], edi
		mov	[ebp+var_84], edi
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], edi
		mov	[ebp+var_184], eax
		lea	eax, [ebp+var_188]
		mov	[ebp+var_78], eax
		mov	eax, [esi+38h]
		mov	[ebp+var_190], eax
		mov	eax, [esi+3Ch]
		mov	[ebp+var_18C], eax
		lea	eax, [ebp+var_190]
		mov	[ebp+var_68], eax
		mov	eax, [esi+40h]
		mov	[ebp+var_15C], eax
		lea	eax, [ebp+var_15C]
		mov	[ebp+var_58], eax
		mov	eax, [esi+44h]
		mov	[ebp+var_160], eax
		lea	eax, [ebp+var_160]
		mov	[ebp+var_48], eax
		mov	eax, [esi+48h]
		mov	[ebp+var_164], eax
		lea	eax, [ebp+var_164]
		mov	[ebp+var_38], eax
		mov	eax, [esi+4Ch]
		mov	[ebp+var_168], eax
		lea	eax, [ebp+var_168]
		mov	[ebp+var_28], eax
		mov	eax, [esi+50h]
		mov	[ebp+var_16C], eax
		lea	eax, [ebp+var_16C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_138]
		push	eax
		push	13h
		push	edi
		push	edi
		push	offset loc_421696
		push	ebx
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], ecx
		mov	[ebp+var_6C], edi
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C73D7:				; CODE XREF: TtmiLogTerminalRundown(x)+21j
					; TtmiLogTerminalRundown(x)+3Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_TtmiLogTerminalRundown@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiLogTerminalStateMachine(x, x, x)
_TtmiLogTerminalStateMachine@12	proc near ; CODE XREF: TtmpUpdateTerminalState(x,x,x,x)+A2p

var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_12F		= dword	ptr -12Fh
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 180h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	ds:dword_A93BC8, 5
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jbe	loc_9C76AB
		push	0
		push	1
		mov	ecx, offset dword_A93BC8
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9C76AB
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessSessionIdEx@4 ; PsGetProcessSessionIdEx(x)
		mov	[ebp+var_134], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_134]
		and	[ebp+var_108], 0
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_138]
		mov	[ebp+var_FC], eax
		mov	eax, [esi]
		mov	[ebp+var_13C], eax
		lea	eax, [ebp+var_13C]
		mov	[ebp+var_EC], eax
		mov	eax, [esi+8]
		mov	[ebp+var_154], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_150], eax
		lea	eax, [ebp+var_154]
		mov	[ebp+var_DC], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_15C], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_158], eax
		lea	eax, [ebp+var_15C]
		mov	[ebp+var_CC], eax
		mov	eax, [esi+18h]
		and	[ebp+var_100], 0
		mov	[ebp+var_164], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_160], eax
		lea	eax, [ebp+var_164]
		mov	[ebp+var_BC], eax
		mov	eax, [esi+20h]
		mov	[ebp+var_16C], eax
		mov	eax, [esi+24h]
		mov	[ebp+var_168], eax
		lea	eax, [ebp+var_16C]
		mov	[ebp+var_AC], eax
		mov	al, [esi+28h]
		mov	byte ptr [ebp+var_12F+2], al
		lea	eax, [ebp+var_12F+2]
		push	4
		pop	ebx
		mov	[ebp+var_9C], eax
		mov	al, [esi+29h]
		mov	byte ptr [ebp+var_12F+1], al
		lea	eax, [ebp+var_12F+1]
		mov	[ebp+var_138], edi
		xor	edi, edi
		push	8
		pop	edx
		inc	ecx
		mov	[ebp+var_8C], eax
		mov	eax, [esi+2Ch]
		mov	[ebp+var_104], ebx
		mov	[ebp+var_F8], edi
		mov	[ebp+var_F4], ebx
		mov	[ebp+var_F0], edi
		mov	[ebp+var_E8], edi
		mov	[ebp+var_E4], ebx
		mov	[ebp+var_E0], edi
		mov	[ebp+var_D8], edi
		mov	[ebp+var_D4], edx
		mov	[ebp+var_D0], edi
		mov	[ebp+var_C8], edi
		mov	[ebp+var_C4], edx
		mov	[ebp+var_C0], edi
		mov	[ebp+var_B8], edi
		mov	[ebp+var_B4], edx
		mov	[ebp+var_B0], edi
		mov	[ebp+var_A8], edi
		mov	[ebp+var_A4], edx
		mov	[ebp+var_A0], edi
		mov	[ebp+var_98], edi
		mov	[ebp+var_94], ecx
		mov	[ebp+var_90], edi
		mov	[ebp+var_88], edi
		mov	[ebp+var_84], ecx
		mov	[ebp+var_80], edi
		mov	[ebp+var_140], eax
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_140]
		mov	[ebp+var_7C], eax
		mov	eax, [esi+30h]
		mov	[ebp+var_144], eax
		lea	eax, [ebp+var_144]
		mov	[ebp+var_6C], eax
		mov	eax, [ecx]
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_148]
		mov	[ebp+var_5C], eax
		mov	al, [ecx+4]
		mov	byte ptr [ebp+var_12F],	al
		lea	eax, [ebp+var_12F]
		mov	[ebp+var_4C], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_14C], eax
		lea	eax, [ebp+var_14C]
		mov	[ebp+var_3C], eax
		mov	eax, [ecx+10h]
		mov	[ebp+var_174], eax
		mov	eax, [ecx+14h]
		mov	[ebp+var_170], eax
		lea	eax, [ebp+var_174]
		mov	[ebp+var_2C], eax
		mov	eax, [ecx+18h]
		mov	[ebp+var_17C], eax
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_178], eax
		lea	eax, [ebp+var_17C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_12F+3]
		push	eax
		push	12h
		push	edi
		push	edi
		push	offset loc_4221BC
		push	offset dword_A93BC8
		mov	[ebp+var_78], edi
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], edi
		mov	[ebp+var_68], edi
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], edi
		mov	[ebp+var_58], edi
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], 1
		mov	[ebp+var_40], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9C76AB:				; CODE XREF: TtmiLogTerminalStateMachine(x,x,x)+23j
					; TtmiLogTerminalStateMachine(x,x,x)+39j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_TtmiLogTerminalStateMachine@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpTraceLoggingCallback(x,	x, x, x, x, x, x, x, x)
_TtmpTraceLoggingCallback@36 proc near	; DATA XREF: TtmInit+53o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 2
		jnz	short loc_9C76CC
		call	_TtmiSessionsRundown@0 ; TtmiSessionsRundown()

loc_9C76CC:				; CODE XREF: TtmpTraceLoggingCallback(x,x,x,x,x,x,x,x,x)+9j
		pop	ebp
		retn	24h
_TtmpTraceLoggingCallback@36 endp


;  S U B	R O U T	I N E 


; __stdcall TtmiCloseEventQueue(x)
_TtmiCloseEventQueue@4 proc near	; CODE XREF: TtmiWriteEventToAllQueues(x,x)+3Ap
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, ecx
		nop
		push	1
		lea	ebx, [edi+0Ch]
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	byte ptr [edi+5Ch], 0
		lea	esi, [edi+54h]

loc_9C76F5:				; CODE XREF: TtmiCloseEventQueue(x)+47j
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_9C771E
		cmp	[eax+4], esi
		jnz	short loc_9C7719
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_9C7719
		push	716D7454h
		mov	[esi], ecx
		push	eax
		mov	[ecx+4], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9C76F5
; 

loc_9C7719:				; CODE XREF: TtmiCloseEventQueue(x)+2Ej
					; TtmiCloseEventQueue(x)+35j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9C771E:				; CODE XREF: TtmiCloseEventQueue(x)+29j
		push	0
		push	0
		lea	eax, [edi+44h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, ebx
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_TtmiCloseEventQueue@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmiRetrieveEventFromQueue(x, x)
_TtmiRetrieveEventFromQueue@8 proc near	; CODE XREF: TtmpDispatchGetTerminalEvent(x,x)+72p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, ecx
		mov	[ebp+var_4], edx
		nop
		lea	eax, [edi+0Ch]
		push	1
		push	eax
		mov	[ebp+var_8], eax
		call	ExAcquireResourceExclusiveLite
		cmp	byte ptr [edi+5Ch], 0
		jnz	short loc_9C778C
		mov	esi, 0C0000700h
		mov	edx, 1DDh

loc_9C777D:				; CODE XREF: TtmiRetrieveEventFromQueue(x,x)+5Ej
		push	esi
		push	0FFFFFFFFh
		mov	ecx, (offset loc_8BE1FB+1)
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C77E2
; 

loc_9C778C:				; CODE XREF: TtmiRetrieveEventFromQueue(x,x)+30j
		lea	eax, [edi+54h]
		mov	ebx, [eax]
		cmp	ebx, eax
		jnz	short loc_9C77A1
		mov	esi, 8000001Ah
		mov	edx, 1E2h
		jmp	short loc_9C777D
; 

loc_9C77A1:				; CODE XREF: TtmiRetrieveEventFromQueue(x,x)+52j
		cmp	[ebx+4], eax
		jnz	short loc_9C77FD
		mov	ecx, [ebx]
		cmp	[ecx+4], ebx
		jnz	short loc_9C77FD
		mov	[eax], ecx
		mov	[ecx+4], eax
		cmp	[eax], eax
		jnz	short loc_9C77BF
		lea	eax, [edi+44h]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_9C77BF:				; CODE XREF: TtmiRetrieveEventFromQueue(x,x)+73j
		lea	esi, [ebx+8]
		mov	ecx, edi
		mov	edx, esi
		call	_TtmiLogQueueDequeueEvent@8 ; TtmiLogQueueDequeueEvent(x,x)
		mov	edi, [ebp+var_4]
		mov	ecx, 87h
		push	716D7454h
		rep movsd
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi

loc_9C77E2:				; CODE XREF: TtmiRetrieveEventFromQueue(x,x)+49j
		mov	ecx, [ebp+var_8]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9C77FD:				; CODE XREF: TtmiRetrieveEventFromQueue(x,x)+63j
					; TtmiRetrieveEventFromQueue(x,x)+6Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall TtmiWriteEventToSingleQueue(x, x)
_TtmiWriteEventToSingleQueue@8:		; CODE XREF: TtmpPublishDeviceEvent(x,x,x,x)+103p
					; TtmiWriteEnumerationEventsToQueue(x,x)+63p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	ebx, ecx
		dec	word ptr [eax+13Ch]
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ebx
		nop
		lea	eax, [ebx+0Ch]
		push	1
		push	eax
		mov	[ebp+var_C], eax
		call	ExAcquireResourceExclusiveLite
		cmp	byte ptr [ebx+5Ch], 0
		jnz	short loc_9C784F
		mov	ebx, 0C0000700h
		mov	edx, 19Ch

loc_9C7840:				; CODE XREF: TtmiRetrieveEventFromQueue(x,x)+133j
		push	ebx
		push	0FFFFFFFFh
		mov	ecx, offset ??_C@_0BM@OGGHEBOD@TtmiWriteEventToSingleQueue@NNGAKEGL@
		call	_TtmiLogError@16 ; TtmiLogError(x,x,x,x)
		jmp	short loc_9C78C2
; 

loc_9C784F:				; CODE XREF: TtmiRetrieveEventFromQueue(x,x)+F3j
		push	716D7454h
		mov	ebx, 224h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		jnz	short loc_9C7876
		mov	ebx, 0C000009Ah
		mov	edx, 1A9h
		jmp	short loc_9C7840
; 

loc_9C7876:				; CODE XREF: TtmiRetrieveEventFromQueue(x,x)+127j
		push	ebx		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	esi		; void *
		call	_memset
		lea	edx, [esi+8]
		mov	ecx, 87h
		mov	esi, edi
		add	esp, 0Ch
		mov	edi, edx
		rep movsd
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	_TtmiLogQueueEnqueueEvent@8 ; TtmiLogQueueEnqueueEvent(x,x)
		lea	ecx, [esi+54h]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jz	short loc_9C78AA
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9C78AA:				; CODE XREF: TtmiRetrieveEventFromQueue(x,x)+162j
		mov	eax, [ebp+var_8]
		push	ebx
		push	ebx
		mov	[eax+4], edx
		mov	[eax], ecx
		mov	[edx], eax
		lea	edx, [esi+44h]
		push	edx
		mov	[ecx+4], eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_9C78C2:				; CODE XREF: TtmiRetrieveEventFromQueue(x,x)+10Cj
		mov	ecx, [ebp+var_C]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_TtmiRetrieveEventFromQueue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpCloseQueueHandle(x, x, x, x)
_TtmpCloseQueueHandle@16 proc near	; DATA XREF: TtmInit+83646o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_0]
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	ecx, [ebp+arg_4]
		mov	edx, eax
		call	_TtmiLogQueueHandleClosed@12 ; TtmiLogQueueHandleClosed(x,x,x)
		pop	ebp
		retn	10h
_TtmpCloseQueueHandle@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpDeleteQueue(x)
_TtmpDeleteQueue@4 proc	near		; DATA XREF: TtmInit+8364Do

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	_TtmiRemoveQueueFromSession@4 ;	TtmiRemoveQueueFromSession(x)
		lea	eax, [edi+0Ch]
		push	eax
		call	ExDeleteResourceLite
		lea	esi, [edi+54h]

loc_9C7918:				; CODE XREF: TtmpDeleteQueue(x)+3Fj
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_9C7941
		cmp	[eax+4], esi
		jnz	short loc_9C793C
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_9C793C
		push	716D7454h
		mov	[esi], ecx
		push	eax
		mov	[ecx+4], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9C7918
; 

loc_9C793C:				; CODE XREF: TtmpDeleteQueue(x)+26j
					; TtmpDeleteQueue(x)+2Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9C7941:				; CODE XREF: TtmpDeleteQueue(x)+21j
		mov	ecx, edi
		call	_TtmiLogQueueDestroyed@4 ; TtmiLogQueueDestroyed(x)
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_TtmpDeleteQueue@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TtmpOpenQueueHandle(x, x, x, x, x, x)
_TtmpOpenQueueHandle@24	proc near	; DATA XREF: TtmInit+8363Fo

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		mov	eax, ds:_PsInitialSystemProcess
		jz	short loc_9C7961
		mov	eax, [ebp+arg_8]

loc_9C7961:				; CODE XREF: TtmpOpenQueueHandle(x,x,x,x,x,x)+Ej
		xor	edx, edx
		test	eax, eax
		jz	short loc_9C796F
		push	eax
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	edx, eax

loc_9C796F:				; CODE XREF: TtmpOpenQueueHandle(x,x,x,x,x,x)+17j
		push	[ebp+arg_0]
		mov	ecx, [ebp+arg_C]
		call	_TtmiLogQueueHandleOpened@12 ; TtmiLogQueueHandleOpened(x,x,x)
		xor	eax, eax
		pop	ebp
		retn	18h
_TtmpOpenQueueHandle@24	endp


;  S U B	R O U T	I N E 


; __stdcall PspDeleteProtectedProcessParameters(x)
_PspDeleteProtectedProcessParameters@4 proc near
					; CODE XREF: PspDeleteServerSiloGlobals(x)+8Dp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+254h]
		test	eax, eax
		jz	short loc_9C79A1
		push	6C537350h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+254h], 0

loc_9C79A1:				; CODE XREF: PspDeleteProtectedProcessParameters(x)+Dj
		pop	esi
		retn
_PspDeleteProtectedProcessParameters@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspDfssConfigurationChangeHandler(x)
_PspDfssConfigurationChangeHandler@4 proc near
					; DATA XREF: PspReadDfssConfigurationValues()+FCo
		call	_PspReadDfssConfigurationValues@0 ; PspReadDfssConfigurationValues()
		retn	4
_PspDfssConfigurationChangeHandler@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSwapSystemDll(x)
_PspSwapSystemDll@4 proc near		; CODE XREF: PsShutdownSystem():loc_9CAFE5p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, large fs:124h
		xor	edx, edx
		push	edi
		mov	ebx, ecx
		call	@ObFastReplaceObject@8 ; ObFastReplaceObject(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_9C79FA
		dec	word ptr [esi+13Ch]
		nop
		and	[ebp+var_4], 0
		lea	ecx, [ebx+4]
		xor	edx, edx
		lea	eax, [ebp+var_4]
		lock or	[eax], edx
		mov	eax, [ecx]
		test	al, 1
		jz	short loc_9C79EC
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)

loc_9C79EC:				; CODE XREF: PspSwapSystemDll(x)+3Aj
		mov	ecx, esi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, edi
		call	ObfDereferenceObject

loc_9C79FA:				; CODE XREF: PspSwapSystemDll(x)+1Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PspSwapSystemDll@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; 
; Exported entry 1764. PsFreeSiloContextSlot

; __stdcall PsFreeSiloContextSlot(x)
		public _PsFreeSiloContextSlot@4
_PsFreeSiloContextSlot@4:		; CODE XREF: VrpRegistryUnload(x)+30p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		xor	edi, edi
		xor	ecx, ecx
		mov	[ebp-4], edi
		jmp	short loc_9C7A31
; 

loc_9C7A15:				; CODE XREF: PAGE:009C7A3Cj
		mov	ecx, [esi+308h]
		test	ecx, ecx
		jz	short loc_9C7A2F
		mov	edx, [ebp+8]
		lea	eax, [ebp-4]
		push	eax
		call	_PspStorageGetObject@12	; PspStorageGetObject(x,x,x)
		test	eax, eax
		jns	short loc_9C7A4C

loc_9C7A2F:				; CODE XREF: PAGE:009C7A1Dj
		mov	ecx, esi

loc_9C7A31:				; CODE XREF: PAGE:009C7A13j
		xor	dl, dl
		call	_PspGetNextSilo@8 ; PspGetNextSilo(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9C7A15
		mov	ecx, [ebp+8]
		call	_PspStorageFreeSlot@4 ;	PspStorageFreeSlot(x)
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_9C7A4C:				; CODE XREF: PAGE:009C7A2Dj
		mov	ecx, [ebp-4]
		call	ObfDereferenceObject
		push	edi
		push	edi
		push	edi
		push	dword ptr [esi+308h]
		push	199h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 0CCh
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1771. PsGetCurrentServerSiloName

;  S U B	R O U T	I N E 


; __stdcall PsGetCurrentServerSiloName()
		public _PsGetCurrentServerSiloName@0
_PsGetCurrentServerSiloName@0 proc near
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		add	eax, 274h
		cmp	word ptr [eax],	0
		ja	short locret_9C7A82
		mov	eax, (offset loc_A4056B+1)

locret_9C7A82:				; CODE XREF: PsGetCurrentServerSiloName()+Ej
		retn
_PsGetCurrentServerSiloName@0 endp

; 
		align 8
; Exported entry 1792. PsGetParentSilo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetParentSilo(x)
		public _PsGetParentSilo@4
_PsGetParentSilo@4 proc	near		; CODE XREF: IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)+1529p
					; PAGE:008D2975p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_9C7A98
		xor	eax, eax
		jmp	short loc_9C7AA3
; 

loc_9C7A98:				; CODE XREF: PsGetParentSilo(x)+Aj
		mov	ecx, [ecx+244h]
		call	_PspGetJobSilo@4 ; PspGetJobSilo(x)

loc_9C7AA3:				; CODE XREF: PsGetParentSilo(x)+Ej
		pop	ebp
		retn	4
_PsGetParentSilo@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1820. PsGetSiloContainerId

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetSiloContainerId(x)
		public _PsGetSiloContainerId@4
_PsGetSiloContainerId@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		lea	ecx, [eax+2D8h]
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		pop	ebp
		retn	4
_PsGetSiloContainerId@4	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1849. PsIsProcessInAppSilo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsProcessInAppSilo(x)
		public _PsIsProcessInAppSilo@4
_PsIsProcessInAppSilo@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	_PsGetProcessSilo@4 ; PsGetProcessSilo(x)
		test	eax, eax
		jz	short loc_9C7AE9
		mov	ecx, eax
		call	_PsIsServerSilo@4 ; PsIsServerSilo(x)
		test	al, al
		jnz	short loc_9C7AE9
		inc	al
		jmp	short loc_9C7AEB
; 

loc_9C7AE9:				; CODE XREF: PsIsProcessInAppSilo(x)+Fj
					; PsIsProcessInAppSilo(x)+1Aj
		xor	al, al

loc_9C7AEB:				; CODE XREF: PsIsProcessInAppSilo(x)+1Ej
		pop	ebp
		retn	4
_PsIsProcessInAppSilo@4	endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1867. PsMakeSiloContextPermanent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsMakeSiloContextPermanent(x, x)
		public _PsMakeSiloContextPermanent@8
_PsMakeSiloContextPermanent@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, ds:dword_717F7C
		test	eax, eax
		jz	short loc_9C7B0C
		mov	ecx, [eax+308h]

loc_9C7B0C:				; CODE XREF: PsMakeSiloContextPermanent(x,x)+10j
		mov	edx, [ebp+arg_4]
		call	PspStorageMakeSlotReadOnly
		pop	ebp
		retn	8
_PsMakeSiloContextPermanent@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1887. PsRemoveSiloContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsRemoveSiloContext(x, x, x)
		public _PsRemoveSiloContext@12
_PsRemoveSiloContext@12	proc near	; CODE XREF: PspSiloInitializeSystemRootBuffer(x)+18p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, ds:dword_717F7C
		test	eax, eax
		jz	short loc_9C7B35
		mov	ecx, [eax+308h]

loc_9C7B35:				; CODE XREF: PsRemoveSiloContext(x,x,x)+10j
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		push	0
		call	_PspStorageRemoveObject@16 ; PspStorageRemoveObject(x,x,x,x)
		pop	ebp
		retn	0Ch
_PsRemoveSiloContext@12	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1888. PsReplaceSiloContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsReplaceSiloContext(x, x, x, x)
		public _PsReplaceSiloContext@16
_PsReplaceSiloContext@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, ds:dword_717F7C
		test	esi, esi
		jz	short loc_9C7B65
		mov	edi, [esi+308h]

loc_9C7B65:				; CODE XREF: PsReplaceSiloContext(x,x,x,x)+12j
		mov	ecx, [ebp+arg_8]
		call	_PspIsSiloContext@4 ; PspIsSiloContext(x)
		test	al, al
		jz	short loc_9C7B9E
		lea	edx, [ecx-18h]
		mov	al, [edx+0Eh]
		test	al, 40h
		jz	short loc_9C7B91
		movzx	eax, al
		and	eax, 7Fh
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	edx, eax
		mov	eax, [edx]
		add	eax, 10h
		jmp	short loc_9C7B93
; 

loc_9C7B91:				; CODE XREF: PsReplaceSiloContext(x,x,x,x)+2Ej
		xor	eax, eax

loc_9C7B93:				; CODE XREF: PsReplaceSiloContext(x,x,x,x)+44j
		cmp	[eax], esi
		jz	short loc_9C7B9E
		mov	eax, 0C000000Dh
		jmp	short loc_9C7BAC
; 

loc_9C7B9E:				; CODE XREF: PsReplaceSiloContext(x,x,x,x)+24j
					; PsReplaceSiloContext(x,x,x,x)+4Aj
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		push	ecx
		mov	ecx, edi
		call	_PspStorageReplaceObject@16 ; PspStorageReplaceObject(x,x,x,x)

loc_9C7BAC:				; CODE XREF: PsReplaceSiloContext(x,x,x,x)+51j
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_PsReplaceSiloContext@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsRootSiloInformation(x, x,	x)
_PsRootSiloInformation@12 proc near	; CODE XREF: PAGE:00781E24p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	2Ch
		push	offset dword_6A8E70
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_30], eax
		mov	[ebp+var_28], ecx
		push	4
		pop	ecx
		mov	[ebp+var_1C], ecx
		cmp	eax, ecx
		jnb	short loc_9C7BDA
		mov	eax, 0C0000023h
		jmp	loc_9C7CC1
; 

loc_9C7BDA:				; CODE XREF: PsRootSiloInformation(x,x,x)+1Cj
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		mov	[ebp+var_2C], eax
		xor	esi, esi
		mov	ebx, esi
		mov	[ebp+var_20], ebx
		xor	dl, dl
		xor	ecx, ecx
		call	_PspGetNextSilo@8 ; PspGetNextSilo(x,x)
		mov	edi, eax
		mov	[ebp+var_24], edi

loc_9C7BF7:				; CODE XREF: PsRootSiloInformation(x,x,x)+BBj
		test	edi, edi
		jz	short loc_9C7C2B
		mov	eax, [ebp+var_2C]
		cmp	edi, eax
		jz	short loc_9C7C5F
		mov	edx, eax
		mov	ecx, edi
		call	PspIsSiloInSilo
		test	al, al
		jz	short loc_9C7C5F
		mov	edx, [ebp+var_1C]
		add	edx, 4
		cmp	edx, [ebp+var_30]
		jbe	short loc_9C7C41
		mov	esi, 0C0000023h
		mov	edx, 6E457350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_9C7C2B:				; CODE XREF: PsRootSiloInformation(x,x,x)+47j
					; PsRootSiloInformation(x,x,x)+E8j
		test	esi, esi
		js	loc_9C7CBF
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_28]
		mov	[eax], ebx
		jmp	short loc_9C7CB0
; 

loc_9C7C41:				; CODE XREF: PsRootSiloInformation(x,x,x)+66j
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [edi+2D4h]
		mov	ecx, [ebp+var_28]
		mov	[ecx+ebx*4+4], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_1C], edx
		inc	ebx
		mov	[ebp+var_20], ebx

loc_9C7C5F:				; CODE XREF: PsRootSiloInformation(x,x,x)+4Ej
					; PsRootSiloInformation(x,x,x)+5Bj
		xor	dl, dl
		mov	ecx, edi
		call	_PspGetNextSilo@8 ; PspGetNextSilo(x,x)
		mov	edi, eax
		mov	[ebp+var_24], eax
		jmp	short loc_9C7BF7
; 

loc_9C7C6F:				; DATA XREF: .text:006A8E84o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9C7C7D:				; DATA XREF: .text:006A8E88o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_34]
		mov	edx, 6E457350h
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObjectWithTag
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_20]
		jmp	short loc_9C7C2B
; 

loc_9C7C9C:				; DATA XREF: .text:006A8E90o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_38], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9C7CAA:				; DATA XREF: .text:006A8E94o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_38]

loc_9C7CB0:				; CODE XREF: PsRootSiloInformation(x,x,x)+8Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_1C]
		mov	[edx], ecx

loc_9C7CBF:				; CODE XREF: PsRootSiloInformation(x,x,x)+7Bj
		mov	eax, esi

loc_9C7CC1:				; CODE XREF: PsRootSiloInformation(x,x,x)+23j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PsRootSiloInformation@12 endp

; 
		align 8
; Exported entry 1921. PsTerminateServerSilo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsTerminateServerSilo(x, x)
		public _PsTerminateServerSilo@8
_PsTerminateServerSilo@8 proc near	; CODE XREF: PAGELK:0071EB7Ap
					; ExpSystemErrorHandler(x,x,x,x,x)+5F1p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_9C7CF7
		call	_PsIsServerSilo@4 ; PsIsServerSilo(x)
		test	al, al
		jz	short loc_9C7CF7
		mov	edx, [ebp+arg_4]
		push	0
		call	PspTerminateAllProcessesInJobHierarchy

loc_9C7CF7:				; CODE XREF: PsTerminateServerSilo(x,x)+Aj
					; PsTerminateServerSilo(x,x)+13j
		pop	ebp
		retn	8
_PsTerminateServerSilo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspApiSetCopyToSystemSpace(x, x, x,	x)
_PspApiSetCopyToSystemSpace@16 proc near ; CODE	XREF: PspSiloLoadApiSets(x)+60p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		mov	esi, edx
		push	ecx
		push	ecx
		push	8000000h
		push	4
		push	eax
		push	ecx
		push	0F001Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], ecx
		push	eax
		mov	[ebp+var_4], ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		call	MmCreateSection
		mov	ebx, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_9C7D6F
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		call	_MmMapViewInSystemSpace@12 ; MmMapViewInSystemSpace(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9C7D6F
		push	esi		; size_t
		push	[ebp+var_10]	; void *
		mov	esi, [ebp+var_8]
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[eax], ebx
		mov	eax, [ebp+arg_4]
		mov	[eax], esi

loc_9C7D6F:				; CODE XREF: PspApiSetCopyToSystemSpace(x,x,x,x)+44j
					; PspApiSetCopyToSystemSpace(x,x,x,x)+58j
		test	ebx, ebx
		jz	short loc_9C7D7E
		test	edi, edi
		jns	short loc_9C7D7E
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_9C7D7E:				; CODE XREF: PspApiSetCopyToSystemSpace(x,x,x,x)+76j
					; PspApiSetCopyToSystemSpace(x,x,x,x)+7Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PspApiSetCopyToSystemSpace@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspAssignSiloSystemRootPath(x, x)
_PspAssignSiloSystemRootPath@8 proc near ; CODE	XREF: sub_8D40FD+FBp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		movzx	eax, word ptr [esi]
		cmp	eax, 8
		jb	loc_9C7E34
		mov	edx, eax
		lea	eax, [edx-2]
		cmp	eax, 208h
		ja	loc_9C7E34
		mov	ecx, [esi+4]
		mov	ax, [ecx]
		sub	ax, 41h
		cmp	ax, 19h
		ja	short loc_9C7E34
		cmp	word ptr [ecx+2], 3Ah
		jnz	short loc_9C7E34
		push	5Ch
		pop	edi
		cmp	[ecx+4], di
		jnz	short loc_9C7E34
		mov	eax, edx
		shr	eax, 1
		cmp	[ecx+eax*2-2], di
		jz	short loc_9C7E34
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	1
		lea	eax, [edx+8]
		push	eax
		push	ebx
		call	PsCreateSiloContext
		test	eax, eax
		js	short loc_9C7E39
		mov	edi, [ebp+var_4]
		lea	ecx, [edi+8]
		mov	[edi+4], ecx
		mov	ax, [esi]
		mov	[edi], ax
		mov	ax, [esi]
		mov	[edi+2], ax
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	edi
		push	ds:_PsSystemRootSiloContextSlot
		push	ebx
		call	_PsInsertSiloContext@12	; PsInsertSiloContext(x,x,x)
		push	edi
		mov	esi, eax
		call	_PsDereferenceSiloContext@4 ; PsDereferenceSiloContext(x)
		mov	eax, esi
		jmp	short loc_9C7E39
; 

loc_9C7E34:				; CODE XREF: PspAssignSiloSystemRootPath(x,x)+17j
					; PspAssignSiloSystemRootPath(x,x)+27j	...
		mov	eax, 0C000000Dh

loc_9C7E39:				; CODE XREF: PspAssignSiloSystemRootPath(x,x)+6Cj
					; PspAssignSiloSystemRootPath(x,x)+ABj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PspAssignSiloSystemRootPath@8 endp


;  S U B	R O U T	I N E 


; __stdcall PspCompleteServerSiloShutdown(x)
_PspCompleteServerSiloShutdown@4 proc near ; CODE XREF:	PspTerminateProcessesJobCallback+A1p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	PsGetServerSiloState
		cmp	eax, 3
		jz	short loc_9C7E4F
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9C7E4F:				; CODE XREF: PspCompleteServerSiloShutdown(x)+Dj
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, esi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		add	eax, 294h
		push	1
		push	eax
		mov	dword ptr [eax+8], offset _PspCompleteServerSiloShutdownDeferred@4 ; PspCompleteServerSiloShutdownDeferred(x)
		and	dword ptr [eax], 0
		mov	[eax+0Ch], esi
		call	ExQueueWorkItem
		pop	esi
		retn
_PspCompleteServerSiloShutdown@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCompleteServerSiloShutdownDeferred(x)
_PspCompleteServerSiloShutdownDeferred@4 proc near
					; DATA XREF: PspCompleteServerSiloShutdown(x)+25o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	esi, eax
		call	PsGetServerSiloState
		cmp	eax, 3
		jz	short loc_9C7E96
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9C7E96:				; CODE XREF: PspCompleteServerSiloShutdownDeferred(x)+1Bj
		call	_PspTerminateSiloSubsystemProcesses@4 ;	PspTerminateSiloSubsystemProcesses(x)
		mov	ecx, [esi+1F8h]
		test	ecx, ecx
		jz	short loc_9C7EB1
		call	ObfDereferenceObject
		and	dword ptr [esi+1F8h], 0

loc_9C7EB1:				; CODE XREF: PspCompleteServerSiloShutdownDeferred(x)+2Cj
		mov	ecx, [esi+1FCh]
		test	ecx, ecx
		jz	short loc_9C7EC7
		call	ObfDereferenceObject
		and	dword ptr [esi+1FCh], 0

loc_9C7EC7:				; CODE XREF: PspCompleteServerSiloShutdownDeferred(x)+42j
		mov	ecx, edi
		call	_PspNotifyServerSiloTermination@4 ; PspNotifyServerSiloTermination(x)
		mov	ecx, edi
		call	_PspDeleteExternalServerSiloState@4 ; PspDeleteExternalServerSiloState(x)
		mov	ecx, [esi+1F4h]
		test	ecx, ecx
		jz	short loc_9C7EEB
		call	ObfDereferenceObject
		and	dword ptr [esi+1F4h], 0

loc_9C7EEB:				; CODE XREF: PspCompleteServerSiloShutdownDeferred(x)+66j
		mov	edx, [esi+284h]
		mov	ecx, edi
		call	_PspSendSiloTerminationNotification@8 ;	PspSendSiloTerminationNotification(x,x)
		mov	ecx, edi
		call	ObfDereferenceObject
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_PspCompleteServerSiloShutdownDeferred@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspConvertSiloToServerSilo(x, x, x,	x)
_PspConvertSiloToServerSilo@16 proc near ; CODE	XREF: sub_8D3F7C+68p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	[ebp+var_4], edx
		mov	esi, ecx
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_9C7F24
		mov	eax, 0C0000061h
		jmp	loc_9C8061
; 

loc_9C7F24:				; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+13j
		push	ebx
		push	edi
		push	476C6953h
		mov	ebx, 2A8h
		push	ebx
		push	204h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9C7F4B
		mov	eax, 0C000009Ah
		jmp	loc_9C805F
; 

loc_9C7F4B:				; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+3Aj
		push	ebx		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	al, [ebp+arg_4]
		add	esp, 0Ch
		mov	[edi+280h], ebx
		mov	dword ptr [edi+284h], 103h
		mov	[edi+2A4h], al
		cmp	[ebp+arg_0], ebx
		jz	short loc_9C7F9D
		push	ebx
		lea	eax, [edi+288h]
		push	eax
		push	65446953h
		push	[ebp+var_4]
		push	ds:_ExEventObjectType
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	dword ptr [ebp+arg_4], eax
		test	eax, eax
		js	short loc_9C7FB1

loc_9C7F9D:				; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+6Fj
		lea	edx, [edi+274h]
		mov	ecx, esi
		call	_ObGetSiloRootDirectoryPath@8 ;	ObGetSiloRootDirectoryPath(x,x)
		mov	dword ptr [ebp+arg_4], eax
		test	eax, eax
		jns	short loc_9C7FC0

loc_9C7FB1:				; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+96j
		mov	ecx, edi
		call	_PspDeleteServerSiloGlobals@4 ;	PspDeleteServerSiloGlobals(x)
		mov	eax, dword ptr [ebp+arg_4]
		jmp	loc_9C805F
; 

loc_9C7FC0:				; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+AAj
		mov	eax, large fs:124h
		mov	ecx, esi
		mov	edx, eax
		mov	dword ptr [ebp+arg_4], eax
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		mov	ecx, esi
		call	_PsIsServerSilo@4 ; PsIsServerSilo(x)
		test	al, al
		jz	short loc_9C7FE4
		mov	ebx, 0C0000508h
		jmp	short loc_9C8029
; 

loc_9C7FE4:				; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+D6j
		test	esi, esi
		jz	short loc_9C7FFE
		mov	ecx, [esi+244h]
		call	_PspGetJobSilo@4 ; PspGetJobSilo(x)
		test	eax, eax
		jz	short loc_9C7FFE
		mov	ebx, 0C0000021h
		jmp	short loc_9C8029
; 

loc_9C7FFE:				; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+E1j
					; PspConvertSiloToServerSilo(x,x,x,x)+F0j
		mov	ecx, esi
		call	_PspJobHasChildren@4 ; PspJobHasChildren(x)
		test	al, al
		jz	short loc_9C8010
		mov	ebx, 0C000050Fh
		jmp	short loc_9C8029
; 

loc_9C8010:				; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+102j
		test	dword ptr [esi+0B0h], 400000h
		jnz	short loc_9C8023
		mov	ebx, 0C000000Dh
		jmp	short loc_9C8029
; 

loc_9C8023:				; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+115j
		mov	[esi+2F8h], edi

loc_9C8029:				; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+DDj
					; PspConvertSiloToServerSilo(x,x,x,x)+F7j ...
		mov	edx, dword ptr [ebp+arg_4]
		mov	ecx, esi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		test	ebx, ebx
		jns	short loc_9C8042
		mov	ecx, edi
		call	_PspDeleteServerSiloGlobals@4 ;	PspDeleteServerSiloGlobals(x)
		mov	eax, ebx
		jmp	short loc_9C805F
; 

loc_9C8042:				; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+130j
		xor	edx, edx
		mov	ecx, esi
		call	_EtwTraceJobServerSiloStateChange@8 ; EtwTraceJobServerSiloStateChange(x,x)
		mov	edx, esi
		call	_PspQueueDeferredWorkAndWait@8 ; PspQueueDeferredWorkAndWait(x,x)
		test	eax, eax
		jns	short loc_9C805D
		mov	eax, 0C0000365h
		jmp	short loc_9C805F
; 

loc_9C805D:				; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+14Fj
		xor	eax, eax

loc_9C805F:				; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+41j
					; PspConvertSiloToServerSilo(x,x,x,x)+B6j ...
		pop	edi
		pop	ebx

loc_9C8061:				; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+1Aj
		pop	esi
		leave
		retn	8
_PspConvertSiloToServerSilo@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspDeferredWorkerRoutine(x)
_PspDeferredWorkerRoutine@4 proc near	; DATA XREF: PspQueueDeferredWorkAndWait(x,x)+71o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	dword ptr [esi+14h]
		call	dword ptr [esi+10h]
		push	0
		push	1
		push	esi
		mov	[esi+18h], eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	esi
		pop	ebp
		retn	4
_PspDeferredWorkerRoutine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspDeleteExternalServerSiloState(x)
_PspDeleteExternalServerSiloState@4 proc near
					; CODE XREF: PspCompleteServerSiloShutdownDeferred(x)+59p
					; PspInitializeServerSiloDeferred(x)+DAp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	edi, ecx
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ebx, eax
		cmp	dword ptr [ebx+1F0h], 0
		jz	short loc_9C80B8
		push	esi
		push	edi
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		xor	cl, cl
		mov	esi, eax
		call	EtwShutdown
		push	esi
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		pop	esi

loc_9C80B8:				; CODE XREF: PspDeleteExternalServerSiloState(x)+18j
		lea	edx, [ebx+1A4h]
		mov	ecx, edi
		call	_SeShutdownServerSilo@8	; SeShutdownServerSilo(x,x)
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		push	_CmpSiloContextSlot
		push	edi
		call	PsGetPermanentSiloContext
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_9C80E5
		call	_CmpStopSiloKeyLockTracker@4 ; CmpStopSiloKeyLockTracker(x)

loc_9C80E5:				; CODE XREF: PspDeleteExternalServerSiloState(x)+57j
		mov	ecx, edi
		call	_ExpTimeZoneCleanupSiloState@4 ; ExpTimeZoneCleanupSiloState(x)
		pop	edi
		pop	ebx
		leave
		retn
_PspDeleteExternalServerSiloState@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspDeleteServerSiloGlobals(x)
_PspDeleteServerSiloGlobals@4 proc near	; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+AEp
					; PspConvertSiloToServerSilo(x,x,x,x)+134p ...
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		lea	ecx, [esi+238h]
		call	_DbgkCleanupServerSiloState@4 ;	DbgkCleanupServerSiloState(x)
		mov	ecx, esi
		call	_ObCleanupSiloState@4 ;	ObCleanupSiloState(x)
		lea	ecx, [esi+1C0h]
		call	_SeRmCleanupSiloState@4	; SeRmCleanupSiloState(x)
		lea	ecx, [esi+208h]
		call	_ExWnfCleanupServerSiloState@4 ; ExWnfCleanupServerSiloState(x)
		mov	ecx, [esi+1F0h]
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_9C8136
		call	_EtwDeleteSiloState@4 ;	EtwDeleteSiloState(x)
		mov	[esi+1F0h], edi

loc_9C8136:				; CODE XREF: PspDeleteServerSiloGlobals(x)+39j
		cmp	[esi+278h], edi
		jz	short loc_9C8150
		lea	eax, [esi+274h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	[esi+278h], edi

loc_9C8150:				; CODE XREF: PspDeleteServerSiloGlobals(x)+4Cj
		mov	ecx, [esi+258h]
		test	ecx, ecx
		jz	short loc_9C8165
		call	ObfDereferenceObject
		mov	[esi+258h], edi

loc_9C8165:				; CODE XREF: PspDeleteServerSiloGlobals(x)+68j
		mov	eax, [esi+25Ch]
		test	eax, eax
		jz	short loc_9C817B
		push	eax
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		mov	[esi+25Ch], edi

loc_9C817B:				; CODE XREF: PspDeleteServerSiloGlobals(x)+7Dj
		mov	ecx, esi
		call	_PspDeleteProtectedProcessParameters@4 ; PspDeleteProtectedProcessParameters(x)
		cmp	[esi+290h], edi
		jz	short loc_9C81AC
		push	dword ptr [esi+28Ch]
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		mov	ecx, [esi+290h]
		mov	[esi+28Ch], edi
		call	ObfDereferenceObject
		mov	[esi+290h], edi

loc_9C81AC:				; CODE XREF: PspDeleteServerSiloGlobals(x)+98j
		mov	ecx, [esi+204h]
		test	ecx, ecx
		jz	short loc_9C81C1
		call	_ExpDeleteSiloState@4 ;	ExpDeleteSiloState(x)
		mov	[esi+204h], edi

loc_9C81C1:				; CODE XREF: PspDeleteServerSiloGlobals(x)+C4j
		mov	eax, [esi+264h]
		test	eax, eax
		jz	short loc_9C81D7
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	[esi+264h], edi

loc_9C81D7:				; CODE XREF: PspDeleteServerSiloGlobals(x)+D9j
		mov	eax, [esi+288h]
		test	eax, eax
		jz	short loc_9C81FF
		push	edi
		push	edi
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [esi+288h]
		mov	edx, 65446953h
		call	ObfDereferenceObjectWithTag
		mov	[esi+288h], edi

loc_9C81FF:				; CODE XREF: PspDeleteServerSiloGlobals(x)+EFj
		cmp	byte ptr [esi+261h], 0
		jz	short loc_9C8214
		push	edi
		push	dword ptr [esi+268h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9C8214:				; CODE XREF: PspDeleteServerSiloGlobals(x)+116j
		push	476C6953h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ecx
		retn
_PspDeleteServerSiloGlobals@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspDeleteSilo(x)
_PspDeleteSilo@4 proc near		; CODE XREF: .text:005E76BDp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+90h], 0
		jz	short loc_9C8233
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9C8233:				; CODE XREF: PspDeleteSilo(x)+Cj
		call	_PsIsServerSilo@4 ; PsIsServerSilo(x)
		test	al, al
		jz	short loc_9C8248
		call	PsGetServerSiloState
		cmp	eax, 4
		jz	short loc_9C8248
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9C8248:				; CODE XREF: PspDeleteSilo(x)+17j
					; PspDeleteSilo(x)+21j
		mov	ecx, esi
		call	_PsIsServerSilo@4 ; PsIsServerSilo(x)
		test	al, al
		jz	short loc_9C8265
		mov	ecx, [esi+2F8h]
		call	_PspDeleteServerSiloGlobals@4 ;	PspDeleteServerSiloGlobals(x)
		and	dword ptr [esi+2F8h], 0

loc_9C8265:				; CODE XREF: PspDeleteSilo(x)+2Ej
		pop	esi
		retn
_PspDeleteSilo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspInitializeServerSiloDeferred(x)
_PspInitializeServerSiloDeferred@4 proc	near
					; CODE XREF: PspQueueDeferredWorkAndWait(x,x)+3Ep
					; DATA XREF: PspQueueDeferredWorkAndWait(x,x)+56o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ebx, eax
		call	sub_685EF9
		test	eax, eax
		js	loc_9C8349
		mov	ecx, esi
		call	_PspSiloInitializeUserSharedData@4 ; PspSiloInitializeUserSharedData(x)
		test	eax, eax
		js	loc_9C8349
		mov	ecx, esi
		call	_PspSiloInitializeSystemRootSymlink@4 ;	PspSiloInitializeSystemRootSymlink(x)
		test	eax, eax
		js	loc_9C8349
		mov	ecx, ebx
		call	PspInitializeProtectedProcessParameters
		test	eax, eax
		js	loc_9C8349
		mov	ecx, esi
		call	_PspSiloLoadApiSets@4 ;	PspSiloLoadApiSets(x)
		test	eax, eax
		js	loc_9C8349
		mov	ecx, esi
		call	_PspSiloInitializeIsMultiSessionSku@4 ;	PspSiloInitializeIsMultiSessionSku(x)
		test	eax, eax
		js	short loc_9C8349
		push	edi
		mov	ecx, esi
		call	ObInitServerSilo
		mov	edi, eax
		test	edi, edi
		js	short loc_9C8335
		mov	ecx, esi
		call	_ExpTimeZoneInitSiloState@4 ; ExpTimeZoneInitSiloState(x)
		test	eax, eax
		js	short loc_9C8348
		mov	ecx, esi
		call	_SeInitServerSilo@4 ; SeInitServerSilo(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9C8335
		mov	ecx, esi
		call	_CmInitServerSiloState@4 ; CmInitServerSiloState(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9C8335
		mov	ecx, esi
		call	EtwInitializeSiloState
		mov	edi, eax
		test	edi, edi
		js	short loc_9C8335
		mov	ecx, esi
		call	_DbgkInitializeServerSilo@4 ; DbgkInitializeServerSilo(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9C8335
		mov	ecx, esi
		call	_PspNotifyServerSiloCreation@4 ; PspNotifyServerSiloCreation(x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9C8331
		push	edi
		push	esi
		call	_PsTerminateServerSilo@8 ; PsTerminateServerSilo(x,x)
		jmp	short loc_9C8346
; 

loc_9C8331:				; CODE XREF: PspInitializeServerSiloDeferred(x)+BFj
		xor	eax, eax
		jmp	short loc_9C8348
; 

loc_9C8335:				; CODE XREF: PspInitializeServerSiloDeferred(x)+73j
					; PspInitializeServerSiloDeferred(x)+8Bj ...
		mov	ecx, esi
		mov	dword ptr [ebx+280h], 4
		call	_PspDeleteExternalServerSiloState@4 ; PspDeleteExternalServerSiloState(x)

loc_9C8346:				; CODE XREF: PspInitializeServerSiloDeferred(x)+C8j
		mov	eax, edi

loc_9C8348:				; CODE XREF: PspInitializeServerSiloDeferred(x)+7Ej
					; PspInitializeServerSiloDeferred(x)+CCj
		pop	edi

loc_9C8349:				; CODE XREF: PspInitializeServerSiloDeferred(x)+1Aj
					; PspInitializeServerSiloDeferred(x)+29j ...
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_PspInitializeServerSiloDeferred@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspQueueDeferredWorkAndWait(x, x)
_PspQueueDeferredWorkAndWait@8 proc near
					; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+148p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 30h
		mov	eax, large fs:124h
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edx
		mov	[esp+38h+var_28], edi
		mov	[esp+38h+var_1C], edi
		mov	[esp+38h+var_18], edi
		mov	[esp+38h+var_14], edi
		mov	[esp+38h+var_10], edi
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_9C8394
		push	esi
		call	_PspInitializeServerSiloDeferred@4 ; PspInitializeServerSiloDeferred(x)
		jmp	short loc_9C83E4
; 

loc_9C8394:				; CODE XREF: PspQueueDeferredWorkAndWait(x,x)+3Bj
		push	edi
		push	1
		lea	eax, [esp+40h+var_1C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+38h+var_1C]
		mov	[esp+38h+var_C], offset	_PspInitializeServerSiloDeferred@4 ; PspInitializeServerSiloDeferred(x)
		mov	[esp+38h+var_20], eax
		lea	eax, [esp+38h+var_2C]
		push	1
		push	eax
		mov	[esp+40h+var_8], esi
		mov	[esp+40h+var_4], edi
		mov	[esp+40h+var_24], offset _PspDeferredWorkerRoutine@4 ; PspDeferredWorkerRoutine(x)
		mov	[esp+40h+var_2C], edi
		call	ExQueueWorkItem
		push	edi
		push	edi
		push	edi
		push	6
		lea	eax, [esp+48h+var_1C]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+38h+var_4]

loc_9C83E4:				; CODE XREF: PspQueueDeferredWorkAndWait(x,x)+43j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_PspQueueDeferredWorkAndWait@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspShutdownCsrProcess(x, x,	x)
_PspShutdownCsrProcess@12 proc near	; CODE XREF: PspTerminateSiloSubsystemProcesses(x)+77p
					; PspTerminateSiloSubsystemProcesses(x)+ADp

var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_FC		= word ptr -0FCh
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 148h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_140], eax
		xor	eax, eax
		lea	edi, [ebp+var_114]
		push	6
		pop	ecx
		mov	ebx, edx
		mov	[ebp+var_124], eax
		rep stosd
		push	esi
		mov	[ebp+var_144], ebx
		mov	[ebp+var_120], eax
		mov	[ebp+var_11C], eax
		mov	[ebp+var_118], eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		push	ebx		; char
		push	offset ??_C@_1GC@IAMDDNOD@?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAs?$AA?2?$AA?$CF?$AAd?$AA?2?$AAB?$AAa@NNGAKEGL@ ;	wchar_t	*
		mov	esi, eax
		lea	eax, [ebp+var_FC]
		push	78h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		lea	eax, [ebp+var_FC]
		push	eax
		lea	eax, [ebp+var_124]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	edi
		lea	eax, [ebp+var_124]
		mov	[ebp+var_13C], edi
		mov	[ebp+var_134], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_13C]
		mov	[ebp+var_138], ecx
		push	eax
		push	1F0003h
		lea	eax, [ebp+var_118]
		mov	[ebp+var_130], 240h
		push	eax
		mov	[ebp+var_12C], ecx
		mov	[ebp+var_128], ecx
		call	_ZwOpenEvent@12	; ZwOpenEvent(x,x,x)
		push	ebx		; char
		push	offset ??_C@_1FK@NCPHCDPH@?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAs?$AA?2?$AA?$CF?$AAd?$AA?2?$AAB?$AAa@NNGAKEGL@ ;	wchar_t	*
		lea	eax, [ebp+var_FC]
		push	78h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		lea	eax, [ebp+var_FC]
		push	eax
		lea	eax, [ebp+var_124]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_13C], edi
		lea	eax, [ebp+var_124]
		xor	edi, edi
		mov	[ebp+var_134], eax
		push	edi
		push	edi
		lea	eax, [ebp+var_13C]
		mov	[ebp+var_138], edi
		push	eax
		push	1F0003h
		lea	eax, [ebp+var_11C]
		mov	[ebp+var_130], 2C0h
		push	eax
		mov	[ebp+var_12C], edi
		mov	[ebp+var_128], edi
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		test	eax, eax
		jns	short loc_9C8535
		mov	[ebp+var_11C], edi

loc_9C8535:				; CODE XREF: PspShutdownCsrProcess(x,x,x)+143j
		push	esi
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		mov	ebx, [ebp+var_140]
		lea	eax, [ebp+var_114]
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	KiStackAttachProcess
		lea	eax, [ebp+var_144]
		push	eax
		push	1
		push	edi
		push	1Fh
		call	PsInvokeWin32Callout
		xor	edx, edx
		lea	ecx, [ebp+var_114]
		mov	esi, eax
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		cmp	[ebp+var_118], edi
		jz	short loc_9C8596
		push	edi
		push	[ebp+var_118]
		call	_ZwSetEvent@8	; ZwSetEvent(x,x)
		push	[ebp+var_118]
		call	_ZwClose@4	; ZwClose(x)
		mov	[ebp+var_118], edi

loc_9C8596:				; CODE XREF: PspShutdownCsrProcess(x,x,x)+18Dj
		mov	eax, [ebp+var_11C]
		test	eax, eax
		jz	short loc_9C85BE
		test	esi, esi
		js	short loc_9C85B2
		push	edi
		push	edi
		push	eax
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		mov	eax, [ebp+var_11C]

loc_9C85B2:				; CODE XREF: PspShutdownCsrProcess(x,x,x)+1B8j
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	[ebp+var_11C], edi

loc_9C85BE:				; CODE XREF: PspShutdownCsrProcess(x,x,x)+1B4j
		mov	edx, 0C00002EBh
		mov	ecx, ebx
		call	_PsTerminateProcess@8 ;	PsTerminateProcess(x,x)
		test	eax, eax
		js	short loc_9C85D5
		mov	ecx, ebx
		call	_PspWaitForUsermodeExit@4 ; PspWaitForUsermodeExit(x)

loc_9C85D5:				; CODE XREF: PspShutdownCsrProcess(x,x,x)+1E2j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_PspShutdownCsrProcess@12 endp


;  S U B	R O U T	I N E 


; __stdcall PspShutdownServerSilos()
_PspShutdownServerSilos@0 proc near	; CODE XREF: PsShutdownSystem():loc_9CAE9Ep
		mov	edi, edi
		push	esi
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_9C85F4
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9C85F4:				; CODE XREF: PspShutdownServerSilos()+Aj
		xor	ecx, ecx
		jmp	short loc_9C8605
; 

loc_9C85F8:				; CODE XREF: PspShutdownServerSilos()+2Aj
		push	0C00002EBh
		push	esi
		call	_PsTerminateServerSilo@8 ; PsTerminateServerSilo(x,x)
		mov	ecx, esi

loc_9C8605:				; CODE XREF: PspShutdownServerSilos()+10j
		mov	dl, 1
		call	_PspGetNextSilo@8 ; PspGetNextSilo(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9C85F8
		pop	esi
		retn
_PspShutdownServerSilos@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSiloGetMultiUserTsFromRegistry(x)
_PspSiloGetMultiUserTsFromRegistry@4 proc near
					; CODE XREF: PspSiloInitializeSuiteMask(x)+28p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [ebp+var_3C]
		push	38h		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	esi, ecx
		mov	[ebp+var_4], ebx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_38], 124h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_34], offset ??_C@_1BI@LIHNICPI@?$AAT?$AAS?$AAA?$AAp?$AAp?$AAC?$AAo?$AAm?$AAp?$AAa?$AAt@NNGAKEGL@ ; "T"
		mov	[ebp+var_30], eax
		mov	edx, offset ??_C@_1CA@BFNKNOIB@?$AAT?$AAe?$AAr?$AAm?$AAi?$AAn?$AAa?$AAl?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr@NNGAKEGL@
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_2C], 4000000h
		push	1
		push	ecx
		push	ebx
		push	eax
		push	2
		pop	ecx
		call	RtlpQueryRegistryValues
		cmp	eax, 0C0000034h
		jnz	short loc_9C866F
		mov	eax, ebx
		jmp	short loc_9C8676
; 

loc_9C866F:				; CODE XREF: PspSiloGetMultiUserTsFromRegistry(x)+55j
		test	eax, eax
		js	short loc_9C8678
		mov	ebx, [ebp+var_4]

loc_9C8676:				; CODE XREF: PspSiloGetMultiUserTsFromRegistry(x)+59j
		mov	[esi], bl

loc_9C8678:				; CODE XREF: PspSiloGetMultiUserTsFromRegistry(x)+5Dj
		pop	esi
		pop	ebx
		leave
		retn
_PspSiloGetMultiUserTsFromRegistry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSiloGetSuiteMaskStringFromRegistry(x)
_PspSiloGetSuiteMaskStringFromRegistry@4 proc near
					; CODE XREF: PspSiloInitializeSuiteMask(x)+1Ap

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_40]
		push	38h		; size_t
		push	edi		; int
		push	eax		; void *
		mov	esi, ecx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_3C], 134h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_38], offset ??_C@_1BK@HJNBLNLJ@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAS?$AAu?$AAi?$AAt?$AAe@NNGAKEGL@
		mov	[ebp+var_34], eax
		mov	edx, offset ??_C@_1BO@EDPDEJHE@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@	; "ProductOptions"
		lea	eax, [ebp+var_40]
		mov	[ebp+var_30], 7000000h
		push	1
		push	ecx
		push	edi
		push	eax
		push	2
		pop	ecx
		call	RtlpQueryRegistryValues
		test	eax, eax
		js	short loc_9C86DE
		mov	ecx, [ebp+var_8]
		mov	[esi], ecx
		mov	ecx, [ebp+var_4]
		mov	[esi+4], ecx

loc_9C86DE:				; CODE XREF: PspSiloGetSuiteMaskStringFromRegistry(x)+55j
		pop	edi
		pop	esi
		leave
		retn
_PspSiloGetSuiteMaskStringFromRegistry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSiloInitializeIsMultiSessionSku(x)
_PspSiloInitializeIsMultiSessionSku@4 proc near
					; CODE XREF: PspInitializeServerSiloDeferred(x)+5Ep

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ecx+2F8h]
		push	esi
		push	edi
		push	ecx
		mov	[ebp+var_1], 0
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		lea	ecx, [ebp-1]
		mov	esi, eax
		call	ExIsMultiSessionSku
		push	esi
		mov	edi, eax
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		test	edi, edi
		js	short loc_9C871D
		mov	edx, [ebx+28Ch]
		mov	cl, [ebp+var_1]
		mov	[edx+1Ch], cl

loc_9C871D:				; CODE XREF: PspSiloInitializeIsMultiSessionSku(x)+2Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PspSiloInitializeIsMultiSessionSku@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSiloInitializeSuiteMask(x)
_PspSiloInitializeSuiteMask@4 proc near	; CODE XREF: PspSiloInitializeUserSharedData(x)+C3p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		xor	eax, eax
		push	edi
		mov	edi, ecx
		mov	byte ptr [ebp+var_1], al
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		call	_PspSiloGetSuiteMaskStringFromRegistry@4 ; PspSiloGetSuiteMaskStringFromRegistry(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9C8774
		lea	ecx, [ebp+var_1]
		call	_PspSiloGetMultiUserTsFromRegistry@4 ; PspSiloGetMultiUserTsFromRegistry(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9C8765
		mov	dl, byte ptr [ebp+var_1]
		mov	ecx, [ebp+var_8]
		call	_ExGetSuiteMask@8 ; ExGetSuiteMask(x,x)
		mov	[edi+14h], eax

loc_9C8765:				; CODE XREF: PspSiloInitializeSuiteMask(x)+31j
		cmp	[ebp+var_8], 0
		jz	short loc_9C8774
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_9C8774:				; CODE XREF: PspSiloInitializeSuiteMask(x)+23j
					; PspSiloInitializeSuiteMask(x)+45j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_PspSiloInitializeSuiteMask@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSiloInitializeSystemRootBuffer(x)
_PspSiloInitializeSystemRootBuffer@4 proc near
					; CODE XREF: PspSiloInitializeUserSharedData(x)+94p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		push	ds:_PsSystemRootSiloContextSlot
		mov	esi, ecx
		push	esi
		call	_PsRemoveSiloContext@12	; PsRemoveSiloContext(x,x,x)
		test	eax, eax
		js	short loc_9C87D2
		mov	eax, [esi+2F8h]
		mov	edx, 208h
		push	[ebp+var_4]
		lea	ecx, [eax+26Ch]
		mov	eax, [eax+28Ch]
		and	dword ptr [ecx], 0
		add	eax, 1Eh
		push	ecx
		mov	[ecx+2], dx
		mov	[ecx+4], eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		push	[ebp+var_4]
		call	_PsDereferenceSiloContext@4 ; PsDereferenceSiloContext(x)
		xor	eax, eax

loc_9C87D2:				; CODE XREF: PspSiloInitializeSystemRootBuffer(x)+1Fj
		pop	esi
		leave
		retn
_PspSiloInitializeSystemRootBuffer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSiloInitializeSystemRootSymlink(x)
_PspSiloInitializeSystemRootSymlink@4 proc near
					; CODE XREF: PspInitializeServerSiloDeferred(x)+31p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_4], 0
		mov	eax, ecx
		and	[ebp+var_C], 0
		push	esi
		mov	[ebp+var_10], eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		lea	esi, [eax+26Ch]
		mov	dx, [esi]
		lea	eax, [ebp+var_4]
		push	eax
		push	14h
		pop	ecx
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		test	eax, eax
		js	loc_9C88B8
		push	ebx
		mov	ebx, [ebp+var_4]
		push	edi
		push	70537350h
		movzx	eax, bx
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9C8832
		mov	eax, 0C000009Ah
		jmp	loc_9C88B6
; 

loc_9C8832:				; CODE XREF: PspSiloInitializeSystemRootSymlink(x)+51j
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		push	(offset	loc_A40563+1)
		push	eax
		mov	word ptr [ebp+var_8+2],	bx
		mov	[ebp+var_4], edi
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	[ebp+var_10]
		xor	eax, eax
		mov	[ebp+var_28], 18h
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], 210h
		mov	[ebp+var_20], (offset loc_A4055B+1)
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	esi, eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	0F0001h
		lea	eax, [ebp+var_C]
		push	eax
		call	_ZwCreateSymbolicLinkObject@16 ; ZwCreateSymbolicLinkObject(x,x,x,x)
		push	esi
		mov	ebx, eax
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		test	ebx, ebx
		js	short loc_9C88A9
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_9C88A9:				; CODE XREF: PspSiloInitializeSystemRootSymlink(x)+CAj
		push	70537350h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, ebx

loc_9C88B6:				; CODE XREF: PspSiloInitializeSystemRootSymlink(x)+58j
		pop	edi
		pop	ebx

loc_9C88B8:				; CODE XREF: PspSiloInitializeSystemRootSymlink(x)+32j
		pop	esi
		leave
		retn
_PspSiloInitializeSystemRootSymlink@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSiloInitializeUserSharedData(x)
_PspSiloInitializeUserSharedData@4 proc	near
					; CODE XREF: PspInitializeServerSiloDeferred(x)+22p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], 270h
		push	esi
		push	esi
		push	8000000h
		push	4
		lea	eax, [ebp+var_10]
		mov	[ebp+var_8], esi
		push	eax
		push	esi
		push	0F001Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], esi
		push	eax
		mov	ebx, ecx
		mov	[ebp+var_C], esi
		call	MmCreateSection
		test	eax, eax
		js	loc_9C89A0
		push	edi
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], esi
		mov	esi, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_MmMapViewInSystemSpace@12 ; MmMapViewInSystemSpace(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9C8923
		mov	ecx, esi
		call	ObfDereferenceObject
		mov	eax, edi
		jmp	short loc_9C899F
; 

loc_9C8923:				; CODE XREF: PspSiloInitializeUserSharedData(x)+5Bj
		mov	ecx, ebx
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ecx, [ebp+var_8]
		mov	edi, eax
		push	ebx
		mov	[edi+290h], esi
		mov	[edi+28Ch], ecx
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	ecx, [edi+28Ch]
		mov	[ebp+var_C], eax
		or	dword ptr [ecx], 0FFFFFFFFh
		mov	ecx, ebx
		call	_PspSiloInitializeSystemRootBuffer@4 ; PspSiloInitializeSystemRootBuffer(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9C8995
		mov	ebx, [edi+28Ch]
		lea	ecx, [ebp+var_8]
		and	[ebp+var_8], 0
		call	_RtlpGetNtProductTypeFromRegistry@4 ; RtlpGetNtProductTypeFromRegistry(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9C8995
		mov	eax, [ebp+var_8]
		mov	[ebx+10h], eax
		mov	ecx, [edi+28Ch]
		call	_PspSiloInitializeSuiteMask@4 ;	PspSiloInitializeSuiteMask(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9C8995
		mov	eax, [edi+28Ch]
		or	dword ptr [eax+18h], 0FFFFFFFFh
		xor	esi, esi

loc_9C8995:				; CODE XREF: PspSiloInitializeUserSharedData(x)+9Dj
					; PspSiloInitializeUserSharedData(x)+B5j ...
		push	[ebp+var_C]
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		mov	eax, esi

loc_9C899F:				; CODE XREF: PspSiloInitializeUserSharedData(x)+66j
		pop	edi

loc_9C89A0:				; CODE XREF: PspSiloInitializeUserSharedData(x)+3Cj
		pop	esi
		pop	ebx
		leave
		retn
_PspSiloInitializeUserSharedData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSiloLoadApiSets(x)
_PspSiloLoadApiSets@4 proc near		; CODE XREF: PspInitializeServerSiloDeferred(x)+4Fp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	[ebp+var_1C], offset ??_C@_1EM@FKFCCHGE@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@
		xor	ecx, ecx
		mov	[ebp+var_14], eax
		push	4Ah
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		pop	ecx
		push	4Ch
		mov	word ptr [ebp+var_20], cx
		pop	ecx
		push	eax
		mov	word ptr [ebp+var_20+2], cx
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	esi, eax
		lea	edx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		mov	[ebp+var_18], esi
		push	eax
		lea	ecx, [ebp+var_20]
		call	_ApiSetLoadSchemaWithExtensions@12 ; ApiSetLoadSchemaWithExtensions(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9C8A47
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_PspApiSetCopyToSystemSpace@16 ; PspApiSetCopyToSystemSpace(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9C8A39
		mov	ecx, [ebp+var_14]
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ecx, [ebp+var_C]
		mov	esi, eax
		mov	edx, [ebp+var_10]
		mov	[esi+258h], ecx
		mov	[esi+25Ch], edx
		call	_PspQueryForwardersEnabled@0 ; PspQueryForwardersEnabled()
		mov	[esi+260h], al
		mov	esi, [ebp+var_18]

loc_9C8A39:				; CODE XREF: PspSiloLoadApiSets(x)+69j
		cmp	[ebp+var_4], 0
		jz	short loc_9C8A47
		mov	ecx, [ebp+var_4]
		call	_ApiSetReleaseSchema@4 ; ApiSetReleaseSchema(x)

loc_9C8A47:				; CODE XREF: PspSiloLoadApiSets(x)+50j
					; PspSiloLoadApiSets(x)+99j
		push	esi
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_PspSiloLoadApiSets@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspTerminateSiloSubsystemProcesses(x)
_PspTerminateSiloSubsystemProcesses@4 proc near
					; CODE XREF: PspCompleteServerSiloShutdownDeferred(x):loc_9C7E96p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+20h+var_C]
		stosd
		xor	esi, esi
		push	2
		xor	edx, edx
		mov	[esp+24h+var_14], esi
		mov	ebx, ecx
		mov	[esp+24h+var_10], esi
		stosd
		stosd
		lea	eax, [esp+24h+var_14]
		push	eax
		push	esi
		push	offset _PspWaitOnAllProcessesJobCallback@8 ; PspWaitOnAllProcessesJobCallback(x,x)
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	edi, large fs:124h
		push	ebx
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		mov	[esp+20h+var_14], eax
		jmp	short loc_9C8ACF
; 

loc_9C8A9D:				; CODE XREF: PspTerminateSiloSubsystemProcesses(x)+8Fj
		test	byte ptr [esi+3A8h], 40h
		jnz	short loc_9C8AAF
		test	byte ptr [esi+0F8h], 1
		jnz	short loc_9C8ACF

loc_9C8AAF:				; CODE XREF: PspTerminateSiloSubsystemProcesses(x)+51j
		push	esi
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		test	al, al
		jnz	short loc_9C8ACF
		push	esi
		call	_PsGetProcessSessionId@4 ; PsGetProcessSessionId(x)
		cmp	eax, [esp+20h+var_14]
		jz	short loc_9C8ACF
		push	esi
		mov	edx, eax
		mov	ecx, ebx
		call	_PspShutdownCsrProcess@12 ; PspShutdownCsrProcess(x,x,x)

loc_9C8ACF:				; CODE XREF: PspTerminateSiloSubsystemProcesses(x)+48j
					; PspTerminateSiloSubsystemProcesses(x)+5Aj ...
		push	esi
		lea	eax, [esp+24h+var_C]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_PspGetNextJobProcess@16 ; PspGetNextJobProcess(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9C8A9D
		mov	ecx, ebx
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ecx, [eax+1F8h]
		test	ecx, ecx
		jz	short loc_9C8B05
		mov	edx, [eax+28Ch]
		push	ecx
		mov	ecx, ebx
		mov	edx, [edx]
		call	_PspShutdownCsrProcess@12 ; PspShutdownCsrProcess(x,x,x)

loc_9C8B05:				; CODE XREF: PspTerminateSiloSubsystemProcesses(x)+A0j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_PspTerminateSiloSubsystemProcesses@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateProcess(x, x, x, x,	x, x, x, x)
_NtCreateProcess@32 proc near		; DATA XREF: .text:00581128o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_14]
		and	eax, 1
		test	byte ptr [ebp+arg_18], 1
		jz	short loc_9C8B20
		or	eax, 2

loc_9C8B20:				; CODE XREF: NtCreateProcess(x,x,x,x,x,x,x,x)+Fj
		cmp	[ebp+arg_10], 0
		jz	short loc_9C8B29
		or	eax, 4

loc_9C8B29:				; CODE XREF: NtCreateProcess(x,x,x,x,x,x,x,x)+18j
		push	0
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	NtCreateProcessEx
		pop	ebp
		retn	20h
_NtCreateProcess@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateThread(x, x, x, x, x, x, x,	x)
_NtCreateThread@32 proc	near		; DATA XREF: .text:00581104o

var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2F9		= byte ptr -2F9h
var_2F8		= dword	ptr -2F8h
var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= byte ptr  24h

		push	320h
		push	offset dword_6A8E98
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_300], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_314], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_310], eax
		mov	ecx, [ebp+arg_10]
		mov	[ebp+var_30C], ecx
		mov	ebx, [ebp+arg_14]
		mov	esi, [ebp+arg_18]
		mov	[ebp+var_304], esi
		xor	eax, eax
		lea	edi, [ebp+var_32C]
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		test	ebx, ebx
		jnz	short loc_9C8BAD

loc_9C8BA3:				; CODE XREF: NtCreateThread(x,x,x,x,x,x,x,x)+17Fj
		mov	eax, 0C000000Dh
		jmp	loc_9C8D46
; 

loc_9C8BAD:				; CODE XREF: NtCreateThread(x,x,x,x,x,x,x,x)+57j
		and	[ebp+ms_exc.disabled], 0
		mov	eax, large fs:124h
		mov	[ebp+var_330], eax
		mov	dl, [eax+15Ah]
		mov	[ebp+var_2F9], dl
		test	dl, dl
		jz	loc_9C8C69
		mov	edx, [ebp+var_300]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_9C8BE2
		mov	edx, eax

loc_9C8BE2:				; CODE XREF: NtCreateThread(x,x,x,x,x,x,x,x)+94j
		mov	eax, [edx]
		mov	[edx], eax
		test	ecx, ecx
		jz	short loc_9C8C05
		test	cl, 3
		jnz	short loc_9C8C64
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9C8BFB
		mov	byte ptr [eax],	0

loc_9C8BFB:				; CODE XREF: NtCreateThread(x,x,x,x,x,x,x,x)+ACj
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+4]
		mov	[ecx+4], al

loc_9C8C05:				; CODE XREF: NtCreateThread(x,x,x,x,x,x,x,x)+9Ej
		mov	ecx, ebx
		test	bl, 3
		jnz	short loc_9C8C64
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_9C8C17
		mov	ecx, eax

loc_9C8C17:				; CODE XREF: NtCreateThread(x,x,x,x,x,x,x,x)+C9j
		nop
		mov	al, [ecx]
		mov	ecx, 0B3h
		mov	esi, ebx
		lea	edi, [ebp+var_2F8]
		rep movsd
		lea	eax, [ebp+var_2F8]
		mov	[ebp+var_308], eax
		mov	eax, [ebp+var_304]
		mov	edx, eax
		test	al, 3
		jnz	short loc_9C8C64
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_9C8C4D
		mov	edx, ecx

loc_9C8C4D:				; CODE XREF: NtCreateThread(x,x,x,x,x,x,x,x)+FFj
		nop
		mov	al, [edx]
		mov	ebx, [ebp+var_308]
		mov	dl, [ebp+var_2F9]
		mov	esi, [ebp+var_304]
		jmp	short loc_9C8C6F
; 

loc_9C8C64:				; CODE XREF: NtCreateThread(x,x,x,x,x,x,x,x)+A3j
					; NtCreateThread(x,x,x,x,x,x,x,x)+C0j ...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9C8C69:				; CODE XREF: NtCreateThread(x,x,x,x,x,x,x,x)+81j
		mov	[ebp+var_308], ebx

loc_9C8C6F:				; CODE XREF: NtCreateThread(x,x,x,x,x,x,x,x)+118j
		mov	ecx, ebx
		call	RtlpSanitizeContextFlags
		test	eax, eax
		jns	short loc_9C8C86
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_9C8D46
; 

loc_9C8C86:				; CODE XREF: NtCreateThread(x,x,x,x,x,x,x,x)+12Ej
		and	dword ptr [ebx], 1003Fh
		mov	eax, [ebp+var_300]
		xor	edx, edx
		mov	[eax], edx
		mov	eax, [esi]
		mov	[ebp+var_32C], eax
		mov	ecx, [esi+4]
		mov	[ebp+var_328], ecx
		test	eax, eax
		jnz	short loc_9C8D15
		test	ecx, ecx
		jnz	short loc_9C8D15
		push	5
		pop	ecx
		lea	edi, [ebp+var_32C]
		rep movsd
		cmp	[ebp+var_31C], edx
		jnz	short loc_9C8CCE
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_9C8BA3
; 

loc_9C8CCE:				; CODE XREF: NtCreateThread(x,x,x,x,x,x,x,x)+176j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	byte ptr [ebp+var_2C], 1
		lea	eax, [ebp+var_2C]
		push	eax
		push	edx
		push	edx
		xor	eax, eax
		cmp	[ebp+arg_1C], 1
		setz	al
		push	eax
		lea	eax, [ebp+var_32C]
		push	eax
		push	ebx
		push	[ebp+var_30C]
		push	edx
		push	edx
		push	[ebp+var_310]
		push	[ebp+var_314]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_300]
		call	PspCreateThread
		jmp	short loc_9C8D46
; 

loc_9C8D15:				; CODE XREF: NtCreateThread(x,x,x,x,x,x,x,x)+15Fj
					; NtCreateThread(x,x,x,x,x,x,x,x)+163j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C00000BBh
		jmp	short loc_9C8D46
; 

loc_9C8D23:				; DATA XREF: .text:006A8EACo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_318], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_9C8D36:				; DATA XREF: .text:006A8EB0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_318]

loc_9C8D46:				; CODE XREF: NtCreateThread(x,x,x,x,x,x,x,x)+5Ej
					; NtCreateThread(x,x,x,x,x,x,x,x)+137j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
_NtCreateThread@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspRemoveQuotaBlock(x)
_PspRemoveQuotaBlock@4 proc near	; CODE XREF: ObpFreeObject+100FDFp
					; PspDereferenceQuotaBlock+EC42Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		mov	ecx, large fs:124h
		push	ebx
		push	esi
		push	edi
		lea	edi, [eax+208h]
		mov	[ebp+var_4], ecx
		mov	esi, [edi]
		mov	[ebp+var_8], eax
		add	eax, 240h
		lea	ecx, [esi-1]
		neg	ecx
		sbb	ecx, ecx
		xor	edx, edx
		and	ecx, eax
		call	@PspHashKeyValue@8 ; PspHashKeyValue(x,x)
		imul	ebx, eax, 0Ch
		mov	eax, [ebp+var_4]
		add	ebx, ds:_PspQuotaBlockTable
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		cmp	esi, 1
		jz	short loc_9C8DCE
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_9C8DE0
		cmp	[eax+4], edi
		jnz	short loc_9C8DC9
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_9C8DC9
		mov	[ecx], eax
		mov	[eax+4], ecx
		jmp	short loc_9C8DE0
; 

loc_9C8DC9:				; CODE XREF: PspRemoveQuotaBlock(x)+61j
					; PspRemoveQuotaBlock(x)+68j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9C8DCE:				; CODE XREF: PspRemoveQuotaBlock(x)+56j
		mov	eax, [ebp+var_8]
		cmp	eax, ds:_PspDefaultQuotaBlock
		jnz	short loc_9C8DE0
		and	ds:_PspDefaultQuotaBlock, 0

loc_9C8DE0:				; CODE XREF: PspRemoveQuotaBlock(x)+5Cj
					; PspRemoveQuotaBlock(x)+6Fj ...
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9C8DF4
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9C8DF4:				; CODE XREF: PspRemoveQuotaBlock(x)+93j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PspRemoveQuotaBlock@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1847. PsIsProcessBeingDebugged

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsProcessBeingDebugged(x)
		public _PsIsProcessBeingDebugged@4
_PsIsProcessBeingDebugged@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+190h], 0
		setnz	al
		pop	ebp
		retn	4
_PsIsProcessBeingDebugged@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsProcessPrimaryTokenFrozen(x)
_PsIsProcessPrimaryTokenFrozen@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0F8h]
		shr	eax, 0Fh
		and	al, 1
		pop	ebp
		retn	4
_PsIsProcessPrimaryTokenFrozen@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1854. PsIsThreadImpersonating

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsIsThreadImpersonating(x)
		public _PsIsThreadImpersonating@4
_PsIsThreadImpersonating@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+2FCh]
		shr	eax, 3
		and	al, 1
		pop	ebp
		retn	4
_PsIsThreadImpersonating@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1872. PsQueryProcessExceptionFlags

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsQueryProcessExceptionFlags(x, x, x)
		public _PsQueryProcessExceptionFlags@12
_PsQueryProcessExceptionFlags@12 proc near

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	48h
		push	offset dword_6A8EE0
		call	__SEH_prolog4_GS
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_54], ebx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_44], eax
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		xor	esi, esi
		mov	[ebp+var_38], esi
		cmp	[ebp+arg_4], eax
		jz	short loc_9C8E91
		mov	eax, 0C00000F0h
		jmp	loc_9C8FB0
; 

loc_9C8E91:				; CODE XREF: PsQueryProcessExceptionFlags(x,x,x)+2Aj
		cmp	[ebx+17Ch], esi
		jnz	short loc_9C8EA3
		mov	eax, 0C00000EFh
		jmp	loc_9C8FB0
; 

loc_9C8EA3:				; CODE XREF: PsQueryProcessExceptionFlags(x,x,x)+3Cj
		mov	edi, large fs:124h
		mov	[ebp+var_50], edi
		cmp	[edi+80h], ebx
		jz	short loc_9C8EBE
		mov	[ebp+var_38], 3
		jmp	short loc_9C8ED3
; 

loc_9C8EBE:				; CODE XREF: PsQueryProcessExceptionFlags(x,x,x)+58j
		cmp	[edi+150h], ebx
		jz	short loc_9C8ECD
		mov	[ebp+var_38], 2

loc_9C8ECD:				; CODE XREF: PsQueryProcessExceptionFlags(x,x,x)+69j
		cmp	[ebp+var_38], 2
		jb	short loc_9C8EFB

loc_9C8ED3:				; CODE XREF: PsQueryProcessExceptionFlags(x,x,x)+61j
		dec	word ptr [edi+13Ch]
		nop
		lea	ecx, [ebx+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_9C8EFB
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, 0C000010Ah
		jmp	loc_9C8FB0
; 

loc_9C8EFB:				; CODE XREF: PsQueryProcessExceptionFlags(x,x,x)+76j
					; PsQueryProcessExceptionFlags(x,x,x)+8Dj
		mov	eax, [ebp+var_38]
		and	eax, 1
		mov	[ebp+var_58], eax
		jz	short loc_9C8F13
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	KiStackAttachProcess

loc_9C8F13:				; CODE XREF: PsQueryProcessExceptionFlags(x,x,x)+A9j
		mov	ecx, [ebx+17Ch]
		mov	[ebp+ms_exc.disabled], esi
		mov	ecx, [ecx+28h]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_3C], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9C8F5F
; 

loc_9C8F31:				; DATA XREF: .text:006A8EF4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_4C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9C8F3F:				; DATA XREF: .text:006A8EF8o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	esi, esi
		mov	eax, esi
		mov	[ebp+var_40], eax
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_3C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_50]
		mov	ebx, [ebp+var_54]

loc_9C8F5F:				; CODE XREF: PsQueryProcessExceptionFlags(x,x,x)+D4j
		cmp	[ebp+var_58], 0
		jz	short loc_9C8F6F
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_9C8F6F:				; CODE XREF: PsQueryProcessExceptionFlags(x,x,x)+108j
		cmp	[ebp+var_38], 2
		jb	short loc_9C8F87
		lea	ecx, [ebx+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	ecx, edi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9C8F87:				; CODE XREF: PsQueryProcessExceptionFlags(x,x,x)+118j
		mov	eax, [ebp+var_3C]
		test	eax, eax
		js	short loc_9C8FB0
		mov	edx, [ebp+var_44]
		mov	[edx], esi
		mov	ecx, [ebp+var_40]
		test	cl, 4
		jz	short loc_9C8FA4
		mov	dword ptr [edx], 1
		xor	esi, esi
		inc	esi

loc_9C8FA4:				; CODE XREF: PsQueryProcessExceptionFlags(x,x,x)+13Ej
		test	cl, 8
		jz	short loc_9C8FB0
		or	esi, 2
		mov	ecx, edx
		mov	[ecx], esi

loc_9C8FB0:				; CODE XREF: PsQueryProcessExceptionFlags(x,x,x)+31j
					; PsQueryProcessExceptionFlags(x,x,x)+43j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PsQueryProcessExceptionFlags@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1911. PsSetProcessSecurityPort

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetProcessSecurityPort(x,	x)
		public _PsSetProcessSecurityPort@8
_PsSetProcessSecurityPort@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[eax+1BCh], ecx
		xor	eax, eax
		pop	ebp
		retn	8
_PsSetProcessSecurityPort@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspControlHwTracingThread(x, x)
_PspControlHwTracingThread@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		sub	eax, 0
		jz	short loc_9C8FFF
		sub	eax, 1
		jnz	short loc_9C9018
		mov	ecx, [ebp+arg_0]
		and	dword ptr [ecx+238h], 0FFFFFEFFh
		jmp	short loc_9C900C
; 

loc_9C8FFF:				; CODE XREF: PspControlHwTracingThread(x,x)+Bj
		mov	ecx, [ebp+arg_0]
		or	dword ptr [ecx+238h], 100h

loc_9C900C:				; CODE XREF: PspControlHwTracingThread(x,x)+1Fj
		mov	eax, [ecx+23Ch]
		mov	[ecx+23Ch], eax

loc_9C9018:				; CODE XREF: PspControlHwTracingThread(x,x)+10j
		pop	ebp
		retn	8
_PspControlHwTracingThread@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspQueryHwTracingThread(x)
_PspQueryHwTracingThread@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+238h]
		and	eax, 100h
		or	eax, 0
		jz	short loc_9C9038
		xor	eax, eax
		jmp	short loc_9C903B
; 

loc_9C9038:				; CODE XREF: PspQueryHwTracingThread(x)+16j
		xor	eax, eax
		inc	eax

loc_9C903B:				; CODE XREF: PspQueryHwTracingThread(x)+1Aj
		pop	ebp
		retn	4
_PspQueryHwTracingThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PsSynchronizeWithThreadInsertion(x, x)
@PsSynchronizeWithThreadInsertion@8 proc near ;	CODE XREF: NtGetNextThread+124C2Ep
					; DbgkpPostFakeThreadMessages(x,x,x,x,x)+101p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		dec	word ptr [esi+13Ch]
		nop
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		add	ecx, 2F0h
		xor	edx, edx
		lock or	[eax], edx
		mov	eax, [ecx]
		test	al, 1
		jz	short loc_9C906D
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)

loc_9C906D:				; CODE XREF: PsSynchronizeWithThreadInsertion(x,x)+27j
		mov	ecx, esi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi
		leave
		retn
@PsSynchronizeWithThreadInsertion@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PspSetProcessAffinityUpdateMode(x,	x)
@PspSetProcessAffinityUpdateMode@8 proc	near ; CODE XREF: PAGE:007A90CCp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, [eax+80h]
		mov	eax, [edx]
		mov	edx, eax
		and	edx, 2
		mov	[ebp+var_4], esi
		shl	edx, 11h
		push	edi
		test	al, 1
		jz	short loc_9C90A6
		or	edx, 80000h

loc_9C90A6:				; CODE XREF: PspSetProcessAffinityUpdateMode(x,x)+27j
		mov	edi, [ebx+0F8h]
		jmp	short loc_9C90D5
; 

loc_9C90AE:				; CODE XREF: PspSetProcessAffinityUpdateMode(x,x)+67j
		test	edi, 40000h
		jnz	short loc_9C910F
		mov	ecx, edi
		lea	esi, [ebx+0F8h]
		and	edi, 0FFF3FFFFh
		mov	eax, ecx
		or	edi, edx
		lock cmpxchg [esi], edi
		mov	esi, [ebp+var_4]
		mov	edi, eax
		cmp	edi, ecx
		jz	short loc_9C90E0

loc_9C90D5:				; CODE XREF: PspSetProcessAffinityUpdateMode(x,x)+35j
		mov	eax, edi
		and	eax, 0C0000h
		cmp	eax, edx
		jnz	short loc_9C90AE

loc_9C90E0:				; CODE XREF: PspSetProcessAffinityUpdateMode(x,x)+5Cj
		cmp	edx, 40000h
		jnz	short loc_9C9116
		dec	word ptr [esi+13Ch]
		nop
		and	[ebp+var_8], 0
		lea	ecx, [ebx+0E0h]
		xor	edx, edx
		lea	eax, [ebp+var_8]
		lock or	[eax], edx
		mov	eax, [ecx]
		test	al, 1
		jz	short loc_9C9170
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)
		jmp	short loc_9C9170
; 

loc_9C910F:				; CODE XREF: PspSetProcessAffinityUpdateMode(x,x)+3Dj
		mov	eax, 0C0000001h
		jmp	short loc_9C9179
; 

loc_9C9116:				; CODE XREF: PspSetProcessAffinityUpdateMode(x,x)+6Fj
		test	edx, 80000h
		jz	short loc_9C9177
		cmp	ds:_KeDynamicPartitioningSupported, 0
		jz	short loc_9C9177
		dec	word ptr [esi+13Ch]
		nop
		mov	edi, offset _PspAffinityUpdateLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		cmp	dword_6B6658, 0
		jz	short loc_9C9154
		push	offset _PspLastUpdateAffinityMask
		mov	edx, ebx
		mov	ecx, esi
		call	_PspUpdateSingleProcessAffinity@12 ; PspUpdateSingleProcessAffinity(x,x,x)

loc_9C9154:				; CODE XREF: PspSetProcessAffinityUpdateMode(x,x)+CDj
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_9C9169
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9C9169:				; CODE XREF: PspSetProcessAffinityUpdateMode(x,x)+E9j
		mov	ecx, edi
		call	KeAbPostRelease

loc_9C9170:				; CODE XREF: PspSetProcessAffinityUpdateMode(x,x)+8Fj
					; PspSetProcessAffinityUpdateMode(x,x)+96j
		mov	ecx, esi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9C9177:				; CODE XREF: PspSetProcessAffinityUpdateMode(x,x)+A5j
					; PspSetProcessAffinityUpdateMode(x,x)+AEj
		xor	eax, eax

loc_9C9179:				; CODE XREF: PspSetProcessAffinityUpdateMode(x,x)+9Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@PspSetProcessAffinityUpdateMode@8 endp


;  S U B	R O U T	I N E 


; __stdcall NtGetCurrentProcessorNumber()
_NtGetCurrentProcessorNumber@0 proc near ; DATA	XREF: .text:00581010o
		mov	eax, large fs:20h
		movzx	eax, byte ptr [eax+3C4h]
		retn
_NtGetCurrentProcessorNumber@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtGetCurrentProcessorNumberEx(x)
_NtGetCurrentProcessorNumberEx@4 proc near ; DATA XREF:	.text:0058100Co

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	10h
		push	offset dword_6A8F20
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_9C91BF
		and	[ebp+ms_exc.disabled], 0
		push	1
		push	4
		push	[ebp+arg_0]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9C91BF:				; CODE XREF: NtGetCurrentProcessorNumberEx(x)+1Aj
		mov	edx, large fs:20h
		mov	[ebp+ms_exc.disabled], 1
		movzx	eax, byte ptr [edx+3C5h]
		mov	ecx, [ebp+arg_0]
		mov	[ecx], ax
		mov	al, [edx+3C4h]
		mov	[ecx+2], al
		mov	byte ptr [ecx+3], 0
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_9C922C
; 

loc_9C91F2:				; DATA XREF: .text:006A8F34o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9C9200:				; DATA XREF: .text:006A8F38o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		jmp	short loc_9C922C
; 

loc_9C920F:				; DATA XREF: .text:006A8F40o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_9C921F:				; DATA XREF: .text:006A8F44o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]

loc_9C922C:				; CODE XREF: NtGetCurrentProcessorNumberEx(x)+64j
					; NtGetCurrentProcessorNumberEx(x)+81j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_NtGetCurrentProcessorNumberEx@4 endp


;  S U B	R O U T	I N E 


; __stdcall VdmpExceptionHandler(x)
_VdmpExceptionHandler@4	proc near	; CODE XREF: VdmpDelayIntApcRoutine(x,x,x,x,x):loc_676679p
					; VdmpQueueIntApcRoutine(x,x,x,x,x):loc_676EE0p
					; DATA XREF: ...
		xor	eax, eax
		inc	eax
		retn
_VdmpExceptionHandler@4	endp


;  S U B	R O U T	I N E 


; __stdcall PsGetKeepAliveCountProcess(x, x)
_PsGetKeepAliveCountProcess@8 proc near	; CODE XREF: IopKeepAliveWorker(x)+E7p
					; PAGE:0083E62Cp ...
		test	dl, dl
		jz	short loc_9C924E
		mov	eax, [ecx+46Ch]
		jmp	short loc_9C9254
; 

loc_9C924E:				; CODE XREF: PsGetKeepAliveCountProcess(x,x)+2j
		mov	eax, [ecx+48Ch]

loc_9C9254:				; CODE XREF: PsGetKeepAliveCountProcess(x,x)+Aj
		and	eax, 7FFFFFFFh
		retn
_PsGetKeepAliveCountProcess@8 endp


;  S U B	R O U T	I N E 


; __stdcall PsIsGuiThread(x)
_PsIsGuiThread@4 proc near		; CODE XREF: PAGE:007A951Bp
		cmp	dword ptr [ecx+3Ch], offset _KeServiceDescriptorTable
		setnz	al
		retn
_PsIsGuiThread@4 endp


;  S U B	R O U T	I N E 


; __stdcall PsSetProcessHandleTracingInformation(x, x)
_PsSetProcessHandleTracingInformation@8	proc near ; CODE XREF: PAGE:loc_7A8321p
					; ViSettingsEnableKernelHandleChecking(x)+13p ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		test	eax, eax
		jz	short loc_9C929D
		mov	ecx, eax
		test	esi, esi
		jz	short loc_9C9289
		mov	edx, [esi+4]
		call	_ExEnableHandleTracing@8 ; ExEnableHandleTracing(x,x)
		mov	esi, eax
		jmp	short loc_9C9290
; 

loc_9C9289:				; CODE XREF: PsSetProcessHandleTracingInformation(x,x)+16j
		call	_ExDisableHandleTracing@4 ; ExDisableHandleTracing(x)
		xor	esi, esi

loc_9C9290:				; CODE XREF: PsSetProcessHandleTracingInformation(x,x)+22j
		lea	ecx, [edi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		jmp	short loc_9C92A2
; 

loc_9C929D:				; CODE XREF: PsSetProcessHandleTracingInformation(x,x)+10j
		mov	esi, 0C000010Ah

loc_9C92A2:				; CODE XREF: PsSetProcessHandleTracingInformation(x,x)+36j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		retn
_PsSetProcessHandleTracingInformation@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSwapProcessWorkingSet(x, x)
_PsSwapProcessWorkingSet@8 proc	near	; CODE XREF: MmProcessWorkingSetControl+14EDFDp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		xor	esi, esi
		mov	[ebp+var_C], edi
		dec	word ptr [eax+13Ch]
		mov	[ebp+var_10], eax
		nop
		lea	ebx, [edi+0E0h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	eax, [edi+158h]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_9C9301
		lea	edi, [eax+20h]
		push	1
		push	edi
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+var_8]
		call	_PspComputeExecutionState@4 ; PspComputeExecutionState(x)
		mov	esi, eax
		jmp	short loc_9C9304
; 

loc_9C9301:				; CODE XREF: PsSwapProcessWorkingSet(x,x)+40j
		push	20h
		pop	edi

loc_9C9304:				; CODE XREF: PsSwapProcessWorkingSet(x,x)+57j
		cmp	[ebp+var_1], 0
		jz	short loc_9C930F
		or	esi, 2
		jmp	short loc_9C9312
; 

loc_9C930F:				; CODE XREF: PsSwapProcessWorkingSet(x,x)+60j
		and	esi, 0FFFFFFFDh

loc_9C9312:				; CODE XREF: PsSwapProcessWorkingSet(x,x)+65j
		mov	edx, esi
		mov	esi, [ebp+var_C]
		push	1
		mov	ecx, esi
		call	PspRequestProcessExecutionState
		cmp	[ebp+var_8], 0
		jz	short loc_9C932D
		mov	ecx, edi
		call	ExReleaseResourceLite

loc_9C932D:				; CODE XREF: PsSwapProcessWorkingSet(x,x)+7Cj
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_9C9342
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9C9342:				; CODE XREF: PsSwapProcessWorkingSet(x,x)+91j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, esi
		call	PspChangeProcessExecutionState
		mov	ecx, [ebp+var_10]
		mov	esi, eax
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PsSwapProcessWorkingSet@8 endp


;  S U B	R O U T	I N E 


; __stdcall PsUpdateActiveProcessAffinity()
_PsUpdateActiveProcessAffinity@0 proc near ; CODE XREF:	KeStartDynamicProcessor(x,x,x,x)+6Dp
		mov	edi, edi
		push	ebx
		mov	ebx, large fs:124h
		push	esi
		push	edi
		dec	word ptr [ebx+13Ch]
		nop
		mov	esi, offset _PspAffinityUpdateLock
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		push	offset _PspLastUpdateAffinityMask
		mov	edi, offset _KeActiveProcessors
		push	edi
		call	_KeIsSubsetAffinityEx@8	; KeIsSubsetAffinityEx(x,x)
		test	eax, eax
		jnz	short loc_9C93C5
		mov	esi, edi
		xor	ecx, ecx
		mov	edi, offset _PspLastUpdateAffinityMask
		movsd
		movsd
		movsd

loc_9C93A3:				; CODE XREF: PsUpdateActiveProcessAffinity()+5Dj
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9C93C0
		push	offset _KeActiveProcessors
		mov	edx, esi
		mov	ecx, ebx
		call	_PspUpdateSingleProcessAffinity@12 ; PspUpdateSingleProcessAffinity(x,x,x)
		mov	ecx, esi
		jmp	short loc_9C93A3
; 

loc_9C93C0:				; CODE XREF: PsUpdateActiveProcessAffinity()+4Bj
		mov	esi, offset _PspAffinityUpdateLock

loc_9C93C5:				; CODE XREF: PsUpdateActiveProcessAffinity()+34j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9C93D9
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9C93D9:				; CODE XREF: PsUpdateActiveProcessAffinity()+6Fj
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		mov	ecx, ebx
		pop	ebx
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_PsUpdateActiveProcessAffinity@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspAdjustKeepAliveCountProcess(x, x, x, x)
_PspAdjustKeepAliveCountProcess@16 proc	near
					; CODE XREF: IopDeleteFileObjectExtension+EE313p
					; IoIncrementKeepAliveCount(x,x)+61p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		mov	eax, edx
		cmp	[ebp+arg_4], 0
		push	esi
		jnz	short loc_9C9402
		push	2
		pop	edx
		jmp	short loc_9C9404
; 

loc_9C9402:				; CODE XREF: PspAdjustKeepAliveCountProcess(x,x,x,x)+11j
		xor	edx, edx

loc_9C9404:				; CODE XREF: PspAdjustKeepAliveCountProcess(x,x,x,x)+16j
		lea	esi, [ebp+var_4]
		push	esi
		push	0
		push	eax
		push	[ebp+arg_0]
		push	1
		call	_PspChargeProcessWakeCounter@28	; PspChargeProcessWakeCounter(x,x,x,x,x,x,x)
		mov	eax, [ebp+var_4]
		pop	esi
		leave
		retn	8
_PspAdjustKeepAliveCountProcess@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspQueryLastCallThread(x, x, x, x)
_PspQueryLastCallThread@16 proc	near	; CODE XREF: NtQueryInformationThread+F4F6Bp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	2Ch
		push	offset dword_6A8F00
		call	__SEH_prolog4
		mov	ebx, edx
		mov	esi, [ebp+arg_0]
		cmp	esi, 10h
		jz	short loc_9C9442
		cmp	esi, 8
		jz	short loc_9C9442
		mov	eax, 0C0000004h
		jmp	loc_9C955E
; 

loc_9C9442:				; CODE XREF: PspQueryLastCallThread(x,x,x,x)+14j
					; PspQueryLastCallThread(x,x,x,x)+19j
		mov	eax, large fs:124h
		cmp	ecx, eax
		jnz	short loc_9C9456
		mov	eax, 0C000000Dh
		jmp	loc_9C955E
; 

loc_9C9456:				; CODE XREF: PspQueryLastCallThread(x,x,x,x)+2Dj
		mov	edx, [ecx+8Ch]
		xor	edi, edi
		mov	[ebp+var_20], edi
		lea	eax, [ebp+var_20]
		xor	esi, esi
		lock or	[eax], esi
		cmp	byte ptr [ecx+90h], 5
		jnz	loc_9C9559
		cmp	byte ptr [ecx+15Ah], 1
		jnz	loc_9C9559
		mov	eax, [ecx+68h]
		mov	[ebp+var_28], eax
		movzx	eax, word ptr [ecx+64h]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+138h]
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], edi
		mov	[ebp+var_24], edi
		lea	eax, [ebp+var_24]
		lock or	[eax], esi
		cmp	edx, [ecx+8Ch]
		mov	esi, [ebp+arg_0]
		jnz	loc_9C9559
		mov	eax, ds:_KeTickCount
		sub	eax, [ebp+var_34]
		mul	ds:_KeMaximumIncrement
		mov	[ebp+arg_0], eax
		mov	[ebp+var_24], edx
		mov	ecx, [ebp+var_1C]
		movzx	ecx, cx
		test	ecx, 1000h
		jz	short loc_9C94E2
		mov	eax, ds:dword_70E718
		mov	edx, offset unk_70E71C
		jmp	short loc_9C94EC
; 

loc_9C94E2:				; CODE XREF: PspQueryLastCallThread(x,x,x,x)+B7j
		mov	eax, ds:dword_70E708
		mov	edx, offset dword_70E70C

loc_9C94EC:				; CODE XREF: PspQueryLastCallThread(x,x,x,x)+C3j
		and	ecx, 0FFFh
		cmp	ecx, eax
		jnb	short loc_9C9559
		mov	eax, [edx]
		movzx	eax, byte ptr [ecx+eax]
		neg	eax
		sbb	eax, eax
		and	eax, [ebp+var_28]
		mov	[ebp+ms_exc.disabled], edi
		mov	[ebx], eax
		mov	eax, [ebp+var_1C]
		mov	[ebx+4], ax
		cmp	esi, 8
		jz	short loc_9C9520
		mov	eax, [ebp+arg_0]
		mov	[ebx+8], eax
		mov	eax, [ebp+var_24]
		mov	[ebx+0Ch], eax

loc_9C9520:				; CODE XREF: PspQueryLastCallThread(x,x,x,x)+F5j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_9C954E
		xor	eax, eax
		cmp	esi, 8
		setnz	al
		lea	eax, ds:8[eax*8]
		mov	[ecx], eax
		jmp	short loc_9C954E
; 

loc_9C953A:				; DATA XREF: .text:006A8F14o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9C9548:				; DATA XREF: .text:006A8F18o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_2C]

loc_9C954E:				; CODE XREF: PspQueryLastCallThread(x,x,x,x)+108j
					; PspQueryLastCallThread(x,x,x,x)+11Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edi
		jmp	short loc_9C955E
; 

loc_9C9559:				; CODE XREF: PspQueryLastCallThread(x,x,x,x)+53j
					; PspQueryLastCallThread(x,x,x,x)+60j ...
		mov	eax, 0C0000001h

loc_9C955E:				; CODE XREF: PspQueryLastCallThread(x,x,x,x)+20j
					; PspQueryLastCallThread(x,x,x,x)+34j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PspQueryLastCallThread@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspQueryPooledQuotaLimits(x, x, x, x, x)
_PspQueryPooledQuotaLimits@20 proc near	; CODE XREF: PAGE:0083BBB4p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	3Ch
		push	offset dword_6A8F48
		call	__SEH_prolog4
		mov	ebx, edx
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		cmp	[ebp+arg_0], 24h
		jz	short loc_9C95A5
		mov	eax, 0C0000004h
		jmp	loc_9C96A3
; 

loc_9C95A5:				; CODE XREF: PspQueryPooledQuotaLimits(x,x,x,x,x)+29j
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	79517350h
		push	[ebp+arg_8]
		push	ds:_PsProcessType
		push	1000h
		push	ecx
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_9C96A3
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax+188h]
		mov	eax, [ecx+0C0h]
		mov	[ebp+var_44], eax
		mov	edx, [ecx+80h]
		mov	[ebp+var_48], edx
		mov	esi, [ecx+84h]
		mov	[ebp+var_20], esi
		mov	[ebp+var_4C], esi
		mov	esi, [ecx+40h]
		mov	[ebp+arg_0], esi
		mov	[ebp+var_38], esi
		mov	edi, [ecx]
		mov	[ebp+var_3C], edi
		mov	esi, [ecx+4]
		mov	[ebp+var_24], esi
		mov	[ebp+var_40], esi
		mov	esi, [ecx+140h]
		mov	[ebp+arg_8], esi
		mov	[ebp+var_2C], esi
		mov	esi, [ecx+100h]
		mov	[ebp+var_30], esi
		mov	ecx, [ecx+104h]
		mov	[ebp+var_34], ecx
		cmp	eax, edx
		ja	short loc_9C962E
		mov	[ebp+var_44], edx

loc_9C962E:				; CODE XREF: PspQueryPooledQuotaLimits(x,x,x,x,x)+B9j
		cmp	[ebp+arg_0], edi
		ja	short loc_9C9636
		mov	[ebp+var_38], edi

loc_9C9636:				; CODE XREF: PspQueryPooledQuotaLimits(x,x,x,x,x)+C1j
		cmp	[ebp+arg_8], esi
		ja	short loc_9C963E
		mov	[ebp+var_2C], esi

loc_9C963E:				; CODE XREF: PspQueryPooledQuotaLimits(x,x,x,x,x)+C9j
		cmp	[ebp+var_20], edx
		ja	short loc_9C9646
		mov	[ebp+var_4C], edx

loc_9C9646:				; CODE XREF: PspQueryPooledQuotaLimits(x,x,x,x,x)+D1j
		cmp	[ebp+var_24], edi
		ja	short loc_9C964E
		mov	[ebp+var_40], edi

loc_9C964E:				; CODE XREF: PspQueryPooledQuotaLimits(x,x,x,x,x)+D9j
		cmp	ecx, esi
		ja	short loc_9C9655
		mov	[ebp+var_34], esi

loc_9C9655:				; CODE XREF: PspQueryPooledQuotaLimits(x,x,x,x,x)+E0j
		mov	edx, 79517350h
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObjectWithTag
		and	[ebp+ms_exc.disabled], 0
		push	9
		pop	ecx
		lea	esi, [ebp+var_4C]
		mov	edi, ebx
		rep movsd
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_9C967D
		mov	dword ptr [eax], 24h

loc_9C967D:				; CODE XREF: PspQueryPooledQuotaLimits(x,x,x,x,x)+105j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_9C96A3
; 

loc_9C9688:				; DATA XREF: .text:006A8F5Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9C9696:				; DATA XREF: .text:006A8F60o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_28]

loc_9C96A3:				; CODE XREF: PspQueryPooledQuotaLimits(x,x,x,x,x)+30j
					; PspQueryPooledQuotaLimits(x,x,x,x,x)+55j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PspQueryPooledQuotaLimits@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspQueryWorkingSetWatch(x, x, x, x,	x, x)
_PspQueryWorkingSetWatch@24 proc near	; CODE XREF: PAGE:0083B7ECp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		push	38h
		push	offset dword_6A8F68
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_38], eax
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		cmp	eax, 2Ah
		jnz	short loc_9C96EB
		test	byte ptr [ebp+arg_4], 0Fh
		jz	short loc_9C96E2
		mov	eax, 0C0000004h
		jmp	loc_9C97A7
; 

loc_9C96E2:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+21j
		mov	[ebp+var_28], 10h
		jmp	short loc_9C96F2
; 

loc_9C96EB:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+1Bj
		mov	[ebp+var_28], 8

loc_9C96F2:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+34j
		mov	cl, [ebp+arg_C]
		call	_ExIsRestrictedCaller@4	; ExIsRestrictedCaller(x)
		test	eax, eax
		jz	short loc_9C9708
		mov	eax, 0C0000022h
		jmp	loc_9C97A7
; 

loc_9C9708:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+47j
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	79517350h
		push	dword ptr [ebp+arg_C]
		push	ds:_PsProcessType
		push	400h
		push	esi
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9C97A7
		mov	ecx, [ebp+var_24]
		mov	edi, [ecx+168h]
		mov	[ebp+var_3C], edi
		mov	[ebp+var_30], edi
		test	edi, edi
		jnz	short loc_9C9744
		mov	esi, 0C0000001h
		jmp	short loc_9C979B
; 

loc_9C9744:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+86j
		mov	eax, large fs:124h
		mov	[ebp+var_48], eax
		mov	esi, ebx
		mov	[ebp+var_40], esi
		mov	[ebp+var_20], ebx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		inc	edx
		mov	eax, [edi]

loc_9C9762:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+B5j
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [edi], ecx
		jnz	short loc_9C9762
		test	al, dl
		jz	short loc_9C9777
		mov	esi, 8000001Ah
		jmp	short loc_9C9790
; 

loc_9C9777:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+B9j
		mov	ecx, eax
		shr	ecx, 1
		and	ecx, 7FFFh
		mov	dword ptr [ebp+arg_C], ecx
		jnz	short loc_9C97B9
		mov	esi, 8000001Ah

loc_9C978B:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+20Dj
		lock btr dword ptr [edi], 0

loc_9C9790:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+C0j
					; PspQueryWorkingSetWatch(x,x,x,x,x,x)+221j
		mov	ecx, [ebp+var_48]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		mov	ecx, [ebp+var_24]

loc_9C979B:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+8Dj
		mov	edx, 79517350h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi

loc_9C97A7:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+28j
					; PspQueryWorkingSetWatch(x,x,x,x,x,x)+4Ej ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_9C97B9:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+CFj
		test	eax, 7FFF0000h
		jbe	short loc_9C97D1
		push	ecx
		lea	ecx, [edi+8]
		xor	edx, edx
		call	@KeWaitForGate@12 ; KeWaitForGate(x,x,x)
		mov	ecx, dword ptr [ebp+arg_C]
		xor	edx, edx
		inc	edx

loc_9C97D1:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+109j
		lea	eax, [ecx+1]
		imul	eax, [ebp+var_28]
		mov	[ebp+var_28], eax
		cmp	[ebp+arg_4], eax
		jnb	short loc_9C980B
		mov	esi, 0C0000023h
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	loc_9C98C0
		mov	[ebp+ms_exc.disabled], ebx
		jmp	short loc_9C9865
; 

loc_9C97F5:				; DATA XREF: .text:006A8F7Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9C9803:				; DATA XREF: .text:006A8F80o
		mov	esi, [ebp+var_34]
		jmp	loc_9C98B1
; 

loc_9C980B:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+129j
		mov	eax, [edi+4]
		mov	[ebp+var_20], eax
		mov	[ebp+ms_exc.disabled], edx
		cmp	[ebp+var_38], 2Ah
		jnz	short loc_9C9870
		mov	ecx, ebx

loc_9C981C:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+18Dj
		mov	[ebp+var_1C], ecx
		mov	edx, ecx
		shl	edx, 4
		mov	esi, [ebp+arg_0]
		add	edx, esi
		cmp	ecx, dword ptr [ebp+arg_C]
		jnb	short loc_9C9844
		lea	eax, [ecx+2]
		imul	esi, eax, 0Ch
		add	esi, edi
		mov	edi, edx
		movsd
		movsd
		movsd
		mov	[edx+0Ch], ebx
		inc	ecx
		mov	edi, [ebp+var_3C]
		jmp	short loc_9C981C
; 

loc_9C9844:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+177j
		mov	[ebp+var_2C], edx
		mov	[edx+8], ebx
		add	ecx, ecx
		mov	[esi+ecx*8+0Ch], ebx
		mov	esi, [ebp+var_40]

loc_9C9853:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+1C8j
		mov	[edx], ebx
		mov	eax, [ebp+var_20]
		mov	[edx+4], eax
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_9C9867
		mov	eax, [ebp+var_28]

loc_9C9865:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+13Ej
		mov	[ecx], eax

loc_9C9867:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+1ABj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9C98C0
; 

loc_9C9870:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+163j
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_2C], edx
		mov	eax, ebx

loc_9C9878:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+1E9j
		mov	[ebp+var_1C], eax
		cmp	eax, ecx
		jnb	short loc_9C9853
		add	eax, 2
		imul	ecx, eax, 0Ch
		mov	eax, [ecx+edi]
		mov	[edx], eax
		mov	eax, [ecx+edi+4]
		mov	[edx+4], eax
		add	edx, 8
		mov	[ebp+var_2C], edx
		mov	eax, [ebp+var_1C]
		inc	eax
		mov	ecx, dword ptr [ebp+arg_C]
		jmp	short loc_9C9878
; 

loc_9C98A0:				; DATA XREF: .text:006A8F88o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_44], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9C98AE:				; DATA XREF: .text:006A8F8Co
		mov	esi, [ebp+var_44]

loc_9C98B1:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+151j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_30]
		xor	ebx, ebx

loc_9C98C0:				; CODE XREF: PspQueryWorkingSetWatch(x,x,x,x,x,x)+135j
					; PspQueryWorkingSetWatch(x,x,x,x,x,x)+1B9j
		test	esi, esi
		js	loc_9C978B
		mov	ecx, [ebp+var_20]
		neg	ecx
		lea	eax, [edi+4]
		lock xadd [eax], ecx
		mov	[edi], ebx
		jmp	loc_9C9790
_PspQueryWorkingSetWatch@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetProcessAffinitySafe(x, x, x, x, x)
_PspSetProcessAffinitySafe@20 proc near	; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1903p
					; PAGE:007A7D8Ep ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	[ebp+var_24], eax
		xor	ebx, ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1C], edx
		lea	edi, [ebp+var_10]
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		inc	ebx
		stosd
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], ecx
		stosd
		stosd
		mov	eax, [ebp+arg_4]
		xor	edi, edi
		mov	[ebp+var_18], edi
		test	eax, eax
		jz	short loc_9C9939
		mov	eax, [eax]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_1C]
		mov	word ptr [ebp+var_10], bx
		mov	word ptr [ebp+var_10+2], bx
		mov	[ebp+var_C], edi
		mov	[ebp+var_18], ebx
		jmp	short loc_9C9947
; 

loc_9C9939:				; CODE XREF: PspSetProcessAffinitySafe(x,x,x,x,x)+3Ej
		mov	eax, [ebp+var_1C]
		test	al, 2
		jz	short loc_9C9947
		mov	[ebp+var_18], 2

loc_9C9947:				; CODE XREF: PspSetProcessAffinitySafe(x,x,x,x,x)+5Cj
					; PspSetProcessAffinitySafe(x,x,x,x,x)+63j
		test	al, 1
		jnz	short loc_9C9993
		test	dword ptr [edx+3A8h], 1000h
		jnz	short loc_9C9993
		mov	esi, [edx+158h]
		test	esi, esi
		jz	short loc_9C9995
		push	ebx
		lea	eax, [esi+20h]
		push	eax
		call	ExAcquireResourceSharedLite
		mov	eax, [esi+18Ch]
		test	al, 10h
		jz	short loc_9C9995
		test	eax, 4000h
		jz	short loc_9C998F
		lea	eax, [esi+15Ch]
		push	eax
		push	[ebp+var_14]
		call	_KeIsSubsetAffinityEx@8	; KeIsSubsetAffinityEx(x,x)
		test	eax, eax
		jnz	short loc_9C9995

loc_9C998F:				; CODE XREF: PspSetProcessAffinitySafe(x,x,x,x,x)+9Fj
		mov	ebx, edi
		jmp	short loc_9C99A6
; 

loc_9C9993:				; CODE XREF: PspSetProcessAffinitySafe(x,x,x,x,x)+6Ej
					; PspSetProcessAffinitySafe(x,x,x,x,x)+7Aj
		mov	esi, edi

loc_9C9995:				; CODE XREF: PspSetProcessAffinitySafe(x,x,x,x,x)+84j
					; PspSetProcessAffinitySafe(x,x,x,x,x)+98j ...
		mov	edx, [ebp+var_18]
		push	ecx
		push	[ebp+var_14]
		mov	ecx, [ebp+var_20]
		call	KeSetAffinityProcess
		mov	edi, eax

loc_9C99A6:				; CODE XREF: PspSetProcessAffinitySafe(x,x,x,x,x)+B6j
		test	esi, esi
		jz	short loc_9C99B2
		lea	ecx, [esi+20h]
		call	ExReleaseResourceLite

loc_9C99B2:				; CODE XREF: PspSetProcessAffinitySafe(x,x,x,x,x)+CDj
		test	edi, edi
		js	short loc_9C99BB
		mov	eax, [ebp+var_24]
		mov	[eax], ebx

loc_9C99BB:				; CODE XREF: PspSetProcessAffinitySafe(x,x,x,x,x)+D9j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PspSetProcessAffinitySafe@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspTrySetProcessPebThrottlingFlags(x, x)
_PspTrySetProcessPebThrottlingFlags@8 proc near

var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		push	24h
		push	offset dword_6A8F90
		call	__SEH_prolog4_GS
		mov	esi, [ebp+arg_0]
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	eax, [esi+17Ch]
		test	eax, eax
		jz	short loc_9C9A29
		and	[ebp+ms_exc.disabled], 0
		add	eax, 28h
		cmp	[ebp+arg_4], 0
		jz	short loc_9C9A13
		push	60h
		pop	ecx
		lock or	[eax], ecx
		jmp	short loc_9C9A22
; 

loc_9C9A13:				; CODE XREF: PspTrySetProcessPebThrottlingFlags(x,x)+3Bj
		push	0FFFFFFBFh
		pop	ecx
		lock and [eax],	ecx
		jmp	short loc_9C9A22
; 

loc_9C9A1B:				; DATA XREF: .text:006A8FA4o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9C9A1F:				; DATA XREF: .text:006A8FA8o
		mov	esp, [ebp+ms_exc.old_esp]

loc_9C9A22:				; CODE XREF: PspTrySetProcessPebThrottlingFlags(x,x)+43j
					; PspTrySetProcessPebThrottlingFlags(x,x)+4Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9C9A29:				; CODE XREF: PspTrySetProcessPebThrottlingFlags(x,x)+2Ej
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PspTrySetProcessPebThrottlingFlags@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspUpdateSingleProcessAffinity(x, x, x)
_PspUpdateSingleProcessAffinity@12 proc	near
					; CODE XREF: PspSetProcessAffinityUpdateMode(x,x)+D8p
					; PsUpdateActiveProcessAffinity()+56p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], ecx
		test	dword ptr [esi+0F8h], 80000h
		jz	short loc_9C9AC7
		push	ebx
		push	edi
		lea	edi, [esi+0E0h]
		xor	ebx, ebx
		xor	edx, edx
		mov	[ebp+var_4], ebx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi+0F8h]
		test	eax, 80000h
		jz	short loc_9C9A95
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax
		push	ebx
		push	[ebp+arg_0]
		push	2
		pop	edx
		call	_PspSetProcessAffinitySafe@20 ;	PspSetProcessAffinitySafe(x,x,x,x,x)
		mov	ebx, eax

loc_9C9A95:				; CODE XREF: PspUpdateSingleProcessAffinity(x,x,x)+3Aj
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_9C9AAA
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9C9AAA:				; CODE XREF: PspUpdateSingleProcessAffinity(x,x,x)+5Cj
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		test	ebx, ebx
		pop	ebx
		js	short loc_9C9AC7
		cmp	[ebp+var_4], 0
		jz	short loc_9C9AC7
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	PspWritePebAffinityInfo

loc_9C9AC7:				; CODE XREF: PspUpdateSingleProcessAffinity(x,x,x)+17j
					; PspUpdateSingleProcessAffinity(x,x,x)+70j ...
		pop	esi
		leave
		retn	4
_PspUpdateSingleProcessAffinity@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1894. PsRevertThreadToSelf

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsRevertThreadToSelf(x)
		public _PsRevertThreadToSelf@4
_PsRevertThreadToSelf@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	2
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_0]
		call	PsImpersonateClient
		pop	ebp
		retn	4
_PsRevertThreadToSelf@4	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1895. PsRevertToSelf

;  S U B	R O U T	I N E 


; __stdcall PsRevertToSelf()
		public _PsRevertToSelf@0
_PsRevertToSelf@0 proc near		; CODE XREF: CmpOpenHiveFile:loc_8D2089p
		mov	edi, edi
		push	ecx
		push	2
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		mov	eax, large fs:124h
		push	eax
		call	PsImpersonateClient
		pop	ecx
		retn
_PsRevertToSelf@0 endp


;  S U B	R O U T	I N E 


; __fastcall PspConvertJobToMixed(x, x)
@PspConvertJobToMixed@8	proc near	; CODE XREF: PspBindProcessSessionToJob+17F688j
		mov	eax, [ecx+0E8h]
		push	0FFFFFFFEh
		pop	edx
		cmp	eax, edx
		jnz	short loc_9C9B16

loc_9C9B13:				; CODE XREF: PspConvertJobToMixed(x,x)+36j
		xor	eax, eax
		retn
; 

loc_9C9B16:				; CODE XREF: PspConvertJobToMixed(x,x)+Bj
		mov	eax, [ecx+310h]
		test	al, 10h
		jnz	short loc_9C9B3E
		test	eax, 40000000h
		jnz	short loc_9C9B36
		mov	eax, [ecx+3A0h]
		test	eax, eax
		jz	short loc_9C9B3E
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9C9B3E

loc_9C9B36:				; CODE XREF: PspConvertJobToMixed(x,x)+1Fj
		mov	[ecx+0E8h], edx
		jmp	short loc_9C9B13
; 

loc_9C9B3E:				; CODE XREF: PspConvertJobToMixed(x,x)+18j
					; PspConvertJobToMixed(x,x)+29j ...
		mov	eax, 0C0000022h
		retn
@PspConvertJobToMixed@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsQueryJobMemoryUsageByProcess(x, x, x, x, x)
_PsQueryJobMemoryUsageByProcess@20 proc	near
					; CODE XREF: MiLogCommitRequestFailed(x,x,x)+C9p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_14], edx
		mov	ebx, esi
		push	edi
		mov	edi, esi
		cmp	[ecx+158h], esi
		jnz	short loc_9C9B70
		mov	[ebp+var_10], esi
		mov	edx, esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], esi
		jmp	short loc_9C9BA0
; 

loc_9C9B70:				; CODE XREF: PsQueryJobMemoryUsageByProcess(x,x,x,x,x)+1Aj
		mov	eax, [ecx+158h]
		mov	ecx, [eax+31Ch]
		mov	edx, [eax+14Ch]
		mov	[ebp+var_4], ecx
		mov	ecx, [eax+150h]
		mov	[ebp+var_10], ecx
		mov	ecx, [eax+208h]
		mov	eax, [eax+20Ch]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], eax

loc_9C9BA0:				; CODE XREF: PsQueryJobMemoryUsageByProcess(x,x,x,x,x)+2Aj
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx
		mov	ecx, [ebp+var_10]
		mov	[eax+4], esi
		mov	eax, [ebp+arg_4]
		mov	esi, [ebp+var_8]
		mov	[eax], esi
		mov	esi, [ebp+var_C]
		mov	[eax+4], esi
		mov	eax, [ebp+var_14]
		mov	[eax], edx
		mov	[eax+4], ebx
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	[eax+4], edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PsQueryJobMemoryUsageByProcess@20 endp


;  S U B	R O U T	I N E 


; __stdcall PsReportProcessMemoryLimitViolation()
_PsReportProcessMemoryLimitViolation@0 proc near
					; CODE XREF: MiChargeProcessCommitment+14D97Dp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	ebx, [edi+80h]
		mov	eax, [ebx+158h]
		mov	esi, [eax+17Ch]
		test	esi, esi
		jz	short loc_9C9C51
		test	dword ptr [esi+0B0h], 100h
		jz	short loc_9C9C51
		mov	edx, edi
		mov	ecx, esi
		call	_PspLockJobMemoryLimitsShared@8	; PspLockJobMemoryLimitsShared(x,x)
		cmp	dword ptr [esi+0D4h], 0
		jz	short loc_9C9C45
		test	dword ptr [esi+1A8h], 200h
		jz	short loc_9C9C45
		lea	ecx, [ebx+0F8h]
		mov	eax, [ecx]
		and	al, 24h
		cmp	al, 4
		jnz	short loc_9C9C45
		push	20h
		pop	eax
		lock or	[ecx], eax
		push	1
		push	dword ptr [ebx+0E4h]
		mov	ecx, esi
		push	9
		pop	edx
		call	_PspSendJobNotification@16 ; PspSendJobNotification(x,x,x,x)

loc_9C9C45:				; CODE XREF: PsReportProcessMemoryLimitViolation()+3Ej
					; PsReportProcessMemoryLimitViolation()+4Aj ...
		mov	edx, edi
		mov	ecx, esi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PspUnlockJobMemoryLimitsShared@8 ; PspUnlockJobMemoryLimitsShared(x,x)
; 

loc_9C9C51:				; CODE XREF: PsReportProcessMemoryLimitViolation()+20j
					; PsReportProcessMemoryLimitViolation()+2Cj
		pop	edi
		pop	esi
		pop	ebx
		retn
_PsReportProcessMemoryLimitViolation@0 endp


;  S U B	R O U T	I N E 


; __stdcall PspAddProcessToWorkingSetChangeList(x)
_PspAddProcessToWorkingSetChangeList@4 proc near ; CODE	XREF: sub_759647+179EF7p
					; PspSetJobLimitsProcessCallback+11894Bp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+0F8h], 1
		jnz	short loc_9C9CC9
		push	edi
		mov	edi, [esi+158h]
		test	byte ptr [edi+18Ch], 1
		jz	short loc_9C9CD9
		mov	edx, 624A7350h
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	short loc_9C9CC8
		push	72437350h
		push	14h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_9C9CCB
		mov	[eax+8], esi
		mov	edx, offset _PspWorkingSetChangeHead
		mov	ecx, [edi+174h]
		mov	[eax+10h], ecx
		mov	ecx, [edi+170h]
		mov	[eax+0Ch], ecx
		mov	ecx, dword_6BEF14
		cmp	[ecx], edx
		jz	short loc_9C9CBC
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9C9CBC:				; CODE XREF: PspAddProcessToWorkingSetChangeList(x)+60j
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	dword_6BEF14, eax

loc_9C9CC8:				; CODE XREF: PspAddProcessToWorkingSetChangeList(x)+2Aj
		pop	edi

loc_9C9CC9:				; CODE XREF: PspAddProcessToWorkingSetChangeList(x)+Cj
		pop	esi
		retn
; 

loc_9C9CCB:				; CODE XREF: PspAddProcessToWorkingSetChangeList(x)+3Cj
		pop	edi
		mov	ecx, esi
		mov	edx, 624A7350h
		pop	esi
		jmp	ObfDereferenceObjectWithTag
; 

loc_9C9CD9:				; CODE XREF: PspAddProcessToWorkingSetChangeList(x)+1Cj
		push	2
		pop	edx
		pop	edi
		pop	esi
		jmp	MmEnforceWorkingSetLimit
_PspAddProcessToWorkingSetChangeList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspApplyWorkingSetLimits(x,	x)
_PspApplyWorkingSetLimits@8 proc near	; CODE XREF: sub_759647+179F05p
					; PspSetJobLimitsJobPostCallback+11966Fp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [esp+30h+var_1C]
		push	6
		xor	eax, eax
		pop	ecx
		rep stosd
		lea	eax, [esp+30h+var_24]
		mov	edi, offset _PspWorkingSetChangeHead
		mov	[esp+30h+var_20], eax
		mov	[esp+30h+var_24], eax

loc_9C9D1A:				; CODE XREF: PspApplyWorkingSetLimits(x,x)+A9j
		mov	esi, _PspWorkingSetChangeHead
		cmp	esi, edi
		jz	short loc_9C9D8E
		cmp	[esi+4], edi
		jnz	loc_9C9DDE
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_9C9DDE
		mov	_PspWorkingSetChangeHead, eax
		lea	ecx, [esp+30h+var_24]
		mov	[eax+4], edi
		mov	eax, [esp+30h+var_20]
		cmp	[eax], ecx
		jnz	loc_9C9DDE
		mov	[esi+4], eax
		mov	[esi], ecx
		mov	[eax], esi
		lea	eax, [esp+30h+var_1C]
		push	eax
		mov	[esp+34h+var_20], esi
		push	dword ptr [esi+8]
		call	KeStackAttachProcess
		push	1
		push	0
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		call	_MmAdjustWorkingSetSize@16 ; MmAdjustWorkingSetSize(x,x,x,x)
		mov	ecx, [esi+8]
		xor	edx, edx
		inc	edx
		call	MmEnforceWorkingSetLimit
		lea	eax, [esp+30h+var_1C]
		push	eax
		call	_KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
		jmp	short loc_9C9D1A
; 

loc_9C9D8E:				; CODE XREF: PspApplyWorkingSetLimits(x,x)+3Fj
		mov	ecx, 0FFFFFEFFh
		lea	eax, [ebx+310h]
		lock and [eax],	ecx
		call	_PspUnlockWorkingSetChangeExclusiveUnsafe@0 ; PspUnlockWorkingSetChangeExclusiveUnsafe()

loc_9C9DA1:				; CODE XREF: PspApplyWorkingSetLimits(x,x)+F9j
		mov	esi, [esp+30h+var_24]
		lea	eax, [esp+30h+var_24]
		cmp	esi, eax
		jz	short loc_9C9DE3
		cmp	[esi+4], eax
		jnz	short loc_9C9DDE
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_9C9DDE
		mov	[esp+30h+var_24], eax
		lea	ecx, [esp+30h+var_24]
		mov	[eax+4], ecx
		mov	edx, 624A7350h
		mov	ecx, [esi+8]
		call	ObfDereferenceObjectWithTag
		push	72437350h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9C9DA1
; 

loc_9C9DDE:				; CODE XREF: PspApplyWorkingSetLimits(x,x)+44j
					; PspApplyWorkingSetLimits(x,x)+4Fj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9C9DE3:				; CODE XREF: PspApplyWorkingSetLimits(x,x)+C8j
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_PspApplyWorkingSetLimits@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspAssociateCompletionPortCallback(x, x)
_PspAssociateCompletionPortCallback@8 proc near	; DATA XREF: sub_759647+929o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		lea	ecx, [esi+0F8h]
		test	byte ptr [ecx],	1
		jnz	short loc_9C9E26
		push	20h
		push	4
		pop	edx
		call	@RtlInterlockedSetClearBits@12 ; RtlInterlockedSetClearBits(x,x,x)
		mov	ecx, [ebp+arg_4]
		push	0
		push	dword ptr [esi+0E4h]
		push	6
		pop	edx
		call	_PspSendJobNotification@16 ; PspSendJobNotification(x,x,x,x)

loc_9C9E26:				; CODE XREF: PspAssociateCompletionPortCallback(x,x)+12j
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	8
_PspAssociateCompletionPortCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCheckJobAccessState(x, x)
_PspCheckJobAccessState@8 proc near	; CODE XREF: PspValidateJobAssignmentProcessLimits:loc_8D07C5p
					; PspValidateJobAffinityState+11F80Fp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], ebx
		mov	eax, ebx
		mov	byte ptr [ebp+var_C], bl
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], eax
		test	byte ptr [edi+0F8h], 1
		jnz	short loc_9C9EA5
		test	byte ptr [esi],	1
		jnz	short loc_9C9EA5
		push	ebx
		lea	eax, [ebp+var_C]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_4]
		call	ObpGetObjectSecurity
		mov	[ebp+var_8], eax
		test	eax, eax
		js	short loc_9C9EA5
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		mov	eax, ds:_PsProcessType
		push	1
		add	eax, 34h
		push	eax
		push	ebx
		push	ebx
		push	200h
		push	ebx
		lea	eax, [esi+4]
		push	eax
		push	[ebp+var_4]
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		push	[ebp+var_C]
		push	[ebp+var_4]
		call	_ObReleaseObjectSecurity@8 ; ObReleaseObjectSecurity(x,x)
		mov	eax, [ebp+var_8]

loc_9C9EA5:				; CODE XREF: PspCheckJobAccessState(x,x)+26j
					; PspCheckJobAccessState(x,x)+2Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PspCheckJobAccessState@8 endp


;  S U B	R O U T	I N E 


; __stdcall PspConvertJobLimitViolationToV1(x, x)
_PspConvertJobLimitViolationToV1@8 proc	near ; CODE XREF: PAGE:008D27A7p
		mov	edi, edi
		push	esi
		mov	esi, [ecx]
		mov	[edx], esi
		push	edi
		mov	edi, [ecx+4]
		mov	[edx+4], edi
		mov	eax, [ecx+8]
		mov	[edx+8], eax
		mov	eax, [ecx+0Ch]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+10h]
		mov	[edx+10h], eax
		mov	eax, [ecx+14h]
		mov	[edx+14h], eax
		mov	eax, [ecx+18h]
		mov	[edx+18h], eax
		mov	eax, [ecx+1Ch]
		mov	[edx+1Ch], eax
		mov	eax, [ecx+20h]
		mov	[edx+20h], eax
		mov	eax, [ecx+24h]
		mov	[edx+24h], eax
		mov	eax, [ecx+28h]
		mov	[edx+28h], eax
		mov	eax, [ecx+2Ch]
		mov	[edx+2Ch], eax
		mov	eax, [ecx+30h]
		mov	[edx+30h], eax
		mov	eax, [ecx+34h]
		mov	[edx+34h], eax
		mov	eax, [ecx+38h]
		mov	[edx+38h], eax
		mov	eax, [ecx+3Ch]
		mov	[edx+3Ch], eax
		mov	eax, [ecx+40h]
		mov	[edx+40h], eax
		mov	eax, [ecx+44h]
		mov	[edx+44h], eax
		mov	eax, [ecx+48h]
		mov	[edx+48h], eax
		mov	eax, [ecx+4Ch]
		mov	[edx+4Ch], eax
		mov	eax, 70204h
		and	edi, eax
		and	esi, eax
		mov	[edx+4], edi
		pop	edi
		mov	[edx], esi
		pop	esi
		retn
_PspConvertJobLimitViolationToV1@8 endp


;  S U B	R O U T	I N E 


; __stdcall PspConvertJobNotificationLimitFromV1(x, x)
_PspConvertJobNotificationLimitFromV1@8	proc near ; CODE XREF: sub_759647+17A478p
		and	dword ptr [edx], 0
		mov	eax, [ecx+28h]
		mov	[edx+28h], eax
		mov	eax, [ecx]
		mov	[edx], eax
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		mov	eax, [ecx+8]
		mov	[edx+8], eax
		mov	eax, [ecx+0Ch]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+10h]
		mov	[edx+10h], eax
		mov	eax, [ecx+14h]
		mov	[edx+14h], eax
		mov	eax, [ecx+18h]
		mov	[edx+18h], eax
		mov	eax, [ecx+1Ch]
		mov	[edx+1Ch], eax
		mov	eax, [ecx+20h]
		mov	[edx+20h], eax
		mov	eax, [ecx+24h]
		mov	[edx+24h], eax
		retn
_PspConvertJobNotificationLimitFromV1@8	endp


;  S U B	R O U T	I N E 


; __stdcall PspConvertJobNotificationLimitToV1(x, x)
_PspConvertJobNotificationLimitToV1@8 proc near	; CODE XREF: PAGE:008D274Dp
		mov	edi, edi
		push	esi
		mov	esi, [ecx+28h]
		mov	[edx+28h], esi
		and	esi, 70204h
		mov	eax, [ecx]
		mov	[edx], eax
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		mov	eax, [ecx+8]
		mov	[edx+8], eax
		mov	eax, [ecx+0Ch]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+10h]
		mov	[edx+10h], eax
		mov	eax, [ecx+14h]
		mov	[edx+14h], eax
		mov	eax, [ecx+18h]
		mov	[edx+18h], eax
		mov	eax, [ecx+1Ch]
		mov	[edx+1Ch], eax
		mov	eax, [ecx+20h]
		mov	[edx+20h], eax
		mov	eax, [ecx+24h]
		mov	[edx+28h], esi
		mov	[edx+24h], eax
		pop	esi
		retn
_PspConvertJobNotificationLimitToV1@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspEstablishDfssHierarchy(x, x, x)
_PspEstablishDfssHierarchy@12 proc near	; CODE XREF: PspEstablishJobHierarchy+17FA24p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 1
		push	esi
		mov	esi, ecx
		jz	short loc_9C9FDF
		cmp	[ebp+arg_0], 3
		jnz	loc_9CA0A4

loc_9C9FDF:				; CODE XREF: PspEstablishDfssHierarchy(x,x,x)+Cj
		push	ebx
		push	edi
		mov	ecx, edx
		call	_MmGetSessionSchedulingGroupByProcess@4	; MmGetSessionSchedulingGroupByProcess(x)
		mov	edi, eax
		call	_MmGetSessionObjectByProcess@4 ; MmGetSessionObjectByProcess(x)
		mov	ecx, [esi+248h]
		mov	ebx, eax
		xor	eax, eax
		cmp	[ecx+21Ch], eax
		jnz	short loc_9CA037
		cmp	[esi+220h], edi
		jz	short loc_9CA037
		mov	eax, [esi+248h]
		cmp	[eax+220h], edi
		jz	short loc_9CA02F
		mov	eax, [esi+248h]
		mov	[eax+220h], edi
		mov	eax, [esi+248h]
		mov	[eax+258h], ebx

loc_9CA02F:				; CODE XREF: PspEstablishDfssHierarchy(x,x,x)+4Ej
		mov	[esi+220h], edi
		jmp	short loc_9CA0A2
; 

loc_9CA037:				; CODE XREF: PspEstablishDfssHierarchy(x,x,x)+38j
					; PspEstablishDfssHierarchy(x,x,x)+40j
		cmp	[ebp+arg_0], 1
		jnz	short loc_9CA0A2
		cmp	[esi+248h], esi
		jnz	short loc_9CA0A2
		cmp	[esi+21Ch], eax
		jz	short loc_9CA0A2
		cmp	[esi+90h], eax
		jnz	short loc_9CA0A2
		cmp	[esi+258h], ebx
		jz	short loc_9CA0A2
		mov	ecx, [esi+220h]
		call	KeRemoveSchedulingGroup
		mov	ecx, [esi+21Ch]
		mov	edx, edi
		add	ecx, 40h
		push	dword ptr [ecx+4]
		push	dword ptr [ecx]
		call	KeInsertSchedulingGroup
		mov	ecx, [esi+258h]
		mov	edi, 624A7350h
		test	ecx, ecx
		jz	short loc_9CA093
		mov	edx, edi
		call	ObfDereferenceObjectWithTag

loc_9CA093:				; CODE XREF: PspEstablishDfssHierarchy(x,x,x)+C3j
		mov	edx, edi
		mov	[esi+258h], ebx
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag

loc_9CA0A2:				; CODE XREF: PspEstablishDfssHierarchy(x,x,x)+6Ej
					; PspEstablishDfssHierarchy(x,x,x)+74j	...
		pop	edi
		pop	ebx

loc_9CA0A4:				; CODE XREF: PspEstablishDfssHierarchy(x,x,x)+12j
		pop	esi
		pop	ebp
		retn	4
_PspEstablishDfssHierarchy@12 endp ; sp	= -8


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspGetProcessInJobHierarchyCallback(x, x)
_PspGetProcessInJobHierarchyCallback@8 proc near
					; DATA XREF: PspSendNoWakeChargeLimitNotification(x)+2Ao

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, 624A7350h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		mov	eax, 0C0000240h
		pop	esi
		pop	ebp
		retn	8
_PspGetProcessInJobHierarchyCallback@8 endp


;  S U B	R O U T	I N E 


; __stdcall PspIsJobMovable(x)
_PspIsJobMovable@4 proc	near		; CODE XREF: PspAssignProcessToJob:loc_90E885p
					; PspGetJobAssignmentDisposition:loc_90EB45p
		cmp	[ecx+3A4h], ecx
		jnz	short loc_9CA0FB
		call	_PsIsJobParentImmutable@4 ; PsIsJobParentImmutable(x)
		test	al, al
		jnz	short loc_9CA0FB
		lea	eax, [ecx+23Ch]
		cmp	[eax], eax
		jnz	short loc_9CA0FB
		xor	eax, eax
		inc	eax
		cmp	[ecx+90h], eax
		jnz	short loc_9CA0FB
		cmp	[ecx+8Ch], eax
		jz	short locret_9CA0FD

loc_9CA0FB:				; CODE XREF: PspIsJobMovable(x)+6j
					; PspIsJobMovable(x)+Fj ...
		xor	al, al

locret_9CA0FD:				; CODE XREF: PspIsJobMovable(x)+2Cj
		retn
_PspIsJobMovable@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspLockJobListShared(x)
_PspLockJobListShared@4	proc near	; CODE XREF: PAGE:008D2505p
		dec	word ptr [ecx+13Eh]
		nop
		xor	edx, edx
		mov	ecx, offset _PspJobListLock
		jmp	ExAcquirePushLockSharedEx
_PspLockJobListShared@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspModifyAncestorBits(x, x,	x)
_PspModifyAncestorBits@12 proc near	; CODE XREF: PspRemoveRateControl(x,x,x,x,x)+57p
					; PspSetJobRateControl(x,x,x,x,x,x)+81p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ecx+244h]
		push	esi
		mov	esi, edx
		test	ecx, ecx
		jz	short loc_9CA149
		push	ebx
		mov	bl, [ebp+arg_0]

loc_9CA128:				; CODE XREF: PspModifyAncestorBits(x,x,x)+34j
		lea	edx, [ecx+310h]
		test	bl, bl
		jz	short loc_9CA137
		lock or	[edx], esi
		jmp	short loc_9CA13E
; 

loc_9CA137:				; CODE XREF: PspModifyAncestorBits(x,x,x)+1Ej
		mov	eax, esi
		not	eax
		lock and [edx],	eax

loc_9CA13E:				; CODE XREF: PspModifyAncestorBits(x,x,x)+23j
		mov	ecx, [ecx+244h]
		test	ecx, ecx
		jnz	short loc_9CA128
		pop	ebx

loc_9CA149:				; CODE XREF: PspModifyAncestorBits(x,x,x)+10j
		pop	esi
		pop	ebp
		retn	4
_PspModifyAncestorBits@12 endp


;  S U B	R O U T	I N E 


; __stdcall PspNetRateControlDispatch(x)
_PspNetRateControlDispatch@4 proc near	; CODE XREF: .text:005E760Ap
					; PspQueryRateControlHistory+17A65Fp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, _PspNetRateControlExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jnz	short loc_9CA169
		mov	esi, 0C0000002h
		jmp	short loc_9CA179
; 

loc_9CA169:				; CODE XREF: PspNetRateControlDispatch(x)+12j
		push	esi
		call	dword ptr [eax]
		mov	ecx, _PspNetRateControlExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_9CA179:				; CODE XREF: PspNetRateControlDispatch(x)+19j
		mov	eax, esi
		pop	esi
		retn
_PspNetRateControlDispatch@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspQueryJobHierarchyInterferenceCount(x, x)
_PspQueryJobHierarchyInterferenceCount@8 proc near ; CODE XREF:	PAGE:008D288Fp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	20h
		push	offset dword_6A8FD0
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		mov	edi, ecx
		mov	esi, large fs:124h
		mov	edx, esi
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		xor	ecx, ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		lea	eax, [ebp+var_28]
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], edi
		push	1
		lea	eax, [ebp+var_30]
		push	eax
		push	offset _PspQueryProcessInterferenceCountCallback@8 ; PspQueryProcessInterferenceCountCallback(x,x)
		push	ecx
		xor	edx, edx
		mov	ecx, edi
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	ebx, eax
		mov	edx, esi
		mov	ecx, edi
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		test	ebx, ebx
		js	short loc_9CA202
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+var_1C]
		mov	[ecx], eax
		mov	eax, [ebp+var_24]
		mov	[ecx+4], eax
		jmp	short loc_9CA1FB
; 

loc_9CA1E5:				; DATA XREF: .text:006A8FE4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_9CA1F5:				; DATA XREF: .text:006A8FE8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_20]

loc_9CA1FB:				; CODE XREF: PspQueryJobHierarchyInterferenceCount(x,x)+66j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9CA202:				; CODE XREF: PspQueryJobHierarchyInterferenceCount(x,x)+52j
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PspQueryJobHierarchyInterferenceCount@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspQueryProcessInterferenceCountCallback(x,	x)
_PspQueryProcessInterferenceCountCallback@8 proc near
					; DATA XREF: PspQueryJobHierarchyInterferenceCount(x,x)+36o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		test	byte ptr [esi+0F8h], 1
		jnz	short loc_9CA2AF
		mov	edx, 624A7350h
		mov	ecx, esi
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jz	short loc_9CA2AF
		lea	ecx, [esi+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_9CA2A3
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, [edi+4]
		mov	eax, [eax+0E8h]
		mov	[ebp+arg_4], eax
		cmp	eax, 0FFFFFFFDh
		ja	short loc_9CA297
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], eax
		lea	eax, [ebp+arg_4]
		push	eax
		push	1
		lea	eax, [ebp+var_C]
		push	eax
		push	18h
		call	PsInvokeWin32Callout
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9CA297
		mov	edi, [edi]
		mov	esi, [ebp+var_4]
		add	[edi], esi
		mov	esi, [ebp+arg_0]
		adc	dword ptr [edi+4], 0

loc_9CA297:				; CODE XREF: PspQueryProcessInterferenceCountCallback(x,x)+53j
					; PspQueryProcessInterferenceCountCallback(x,x)+73j
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		pop	edi

loc_9CA2A3:				; CODE XREF: PspQueryProcessInterferenceCountCallback(x,x)+3Ej
		mov	edx, 624A7350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_9CA2AF:				; CODE XREF: PspQueryProcessInterferenceCountCallback(x,x)+1Fj
					; PspQueryProcessInterferenceCountCallback(x,x)+2Fj
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_PspQueryProcessInterferenceCountCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspQuitNextJobProcess(x, x,	x, x)
_PspQuitNextJobProcess@16 proc near	; CODE XREF: PspAssignProcessToJob+12663Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		call	_PspLockJobExclusive@8 ; PspLockJobExclusive(x,x)
		mov	eax, [ebp+arg_0]
		mov	esi, [eax]
		cmp	[esi+4], eax
		jnz	short loc_9CA301
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_9CA301
		mov	[ecx], esi
		mov	edx, edi
		mov	[esi+4], ecx
		mov	ecx, ebx
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_9CA2F9
		mov	edx, 624A7350h
		call	ObfDereferenceObjectWithTag

loc_9CA2F9:				; CODE XREF: PspQuitNextJobProcess(x,x,x,x)+36j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_9CA301:				; CODE XREF: PspQuitNextJobProcess(x,x,x,x)+1Aj
					; PspQuitNextJobProcess(x,x,x,x)+21j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PspQuitNextJobProcess@16 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspRemoveRateControl(x, x, x, x, x)
_PspRemoveRateControl@20 proc near	; CODE XREF: .text:005E7614p
					; PspSetJobRateControl(x,x,x,x,x,x)+C1p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_7		= word ptr -7
var_5		= byte ptr -5

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		xor	ebx, ebx
		mov	[ebp+var_7], ax
		mov	[ebp+var_5], bl
		mov	ecx, 0FBFFFFFFh
		lea	eax, [esi+310h]
		lock and [eax],	ecx
		push	5
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_1C], ebx
		push	eax
		push	offset _PspSetRateControlProcessCallback@8 ; PspSetRateControlProcessCallback(x,x)
		push	ebx
		mov	edx, offset _PspSetRateControlJobPreCallback@8 ; PspSetRateControlJobPreCallback(x,x)
		mov	[ebp+var_18], ebx
		mov	ecx, esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], bl
		call	PspEnumJobsAndProcessesInJobHierarchy
		push	ebx
		mov	edx, 2000000h
		mov	ecx, esi
		call	_PspModifyAncestorBits@12 ; PspModifyAncestorBits(x,x,x)
		mov	ecx, [esi+30Ch]
		xor	edx, edx
		call	_PspFreeRateControl@8 ;	PspFreeRateControl(x,x)
		mov	[esi+30Ch], ebx
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PspRemoveRateControl@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSendNoWakeChargeLimitNotification(x)
_PspSendNoWakeChargeLimitNotification@4	proc near
					; CODE XREF: PspEnforceLimitsJobPostCallback+17AC9Bp
					; PspEnforceLimitsJobPostCallback+17ACABp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		test	ecx, ecx
		jnz	short loc_9CA395
		or	[ebp+var_C], 0FFFFFFFFh
		xor	esi, esi
		mov	[ebp+var_8], esi
		push	4
		jmp	short loc_9CA3D4
; 

loc_9CA395:				; CODE XREF: PspSendNoWakeChargeLimitNotification(x)+Bj
		cmp	ds:_PspNoWakeChargeReferencedProcess, 0
		jnz	short loc_9CA3E8
		xor	esi, esi
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		push	offset _PspGetProcessInJobHierarchyCallback@8 ;	PspGetProcessInJobHierarchyCallback(x,x)
		push	esi
		xor	edx, edx
		mov	[ebp+var_4], esi
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_9CA3E8
		mov	[ebp+var_C], 1
		mov	eax, [ecx+0E4h]
		mov	[ebp+var_8], eax
		push	8
		mov	ds:_PspNoWakeChargeReferencedProcess, ecx

loc_9CA3D4:				; CODE XREF: PspSendNoWakeChargeLimitNotification(x)+18j
		pop	eax
		push	esi
		push	esi
		push	esi
		push	esi
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	offset _WNF_PS_WAKE_CHARGE_RESOURCE_POLICY
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_9CA3E8:				; CODE XREF: PspSendNoWakeChargeLimitNotification(x)+21j
					; PspSendNoWakeChargeLimitNotification(x)+3Fj
		pop	esi
		leave
		retn
_PspSendNoWakeChargeLimitNotification@4	endp


;  S U B	R O U T	I N E 


; __stdcall PspSendSiloTerminationNotification(x, x)
_PspSendSiloTerminationNotification@8 proc near
					; CODE XREF: PspCompleteServerSiloShutdownDeferred(x)+7Cp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	ebx, edx
		mov	edx, edi
		mov	esi, ecx
		call	_PspLockJobShared@8 ; PspLockJobShared(x,x)
		cmp	dword ptr [esi+0D4h], 0
		jz	short loc_9CA424
		test	dword ptr [esi+1A8h], 2000h
		jz	short loc_9CA424
		push	0
		push	ebx
		push	0Dh
		pop	edx
		mov	ecx, esi
		call	_PspSendJobNotification@16 ; PspSendJobNotification(x,x,x,x)

loc_9CA424:				; CODE XREF: PspSendSiloTerminationNotification(x,x)+1Ej
					; PspSendSiloTerminationNotification(x,x)+2Aj
		mov	edx, edi
		mov	ecx, esi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PspUnlockJob@8	; PspUnlockJob(x,x)
_PspSendSiloTerminationNotification@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetAffinityLimitCallback(x, x)
_PspSetAffinityLimitCallback@8 proc near ; DATA	XREF: sub_759647+179DCBo
					; sub_759647+17A306o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		test	dword ptr [edx+0FCh], 4000000h
		jz	short loc_9CA457
		test	byte ptr [edx+0F8h], 1
		jnz	short loc_9CA457
		mov	ecx, [ebp+arg_4]
		call	_PspCheckJobAccessState@8 ; PspCheckJobAccessState(x,x)
		jmp	short loc_9CA459
; 

loc_9CA457:				; CODE XREF: PspSetAffinityLimitCallback(x,x)+12j
					; PspSetAffinityLimitCallback(x,x)+1Bj
		xor	eax, eax

loc_9CA459:				; CODE XREF: PspSetAffinityLimitCallback(x,x)+25j
		pop	ebp
		retn	8
_PspSetAffinityLimitCallback@8 endp


;  S U B	R O U T	I N E 


; __stdcall PspSetEffectiveRateControlJob(x, x,	x)
_PspSetEffectiveRateControlJob@12 proc near ; CODE XREF: PspEstablishJobHierarchy+17F951p
					; PspSetRateControlJobPreCallback(x,x)+13p
		lea	eax, [ecx+310h]
		push	esi
		test	edx, edx
		jz	short loc_9CA472
		mov	esi, 2000000h
		lock or	[eax], esi
		jmp	short loc_9CA47A
; 

loc_9CA472:				; CODE XREF: PspSetEffectiveRateControlJob(x,x,x)+9j
		mov	esi, 0FDFFFFFFh
		lock and [eax],	esi

loc_9CA47A:				; CODE XREF: PspSetEffectiveRateControlJob(x,x,x)+13j
		mov	[ecx+184h], edx
		pop	esi
		retn	4
_PspSetEffectiveRateControlJob@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetJobIoRateControlForVolume(x, x, x, x,	x)
_PspSetJobIoRateControlForVolume@20 proc near ;	CODE XREF: PspSetJobIoRateControl+18CCF3p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		xor	ecx, ecx
		mov	[ebp+var_8], edi
		mov	[eax], cl
		mov	bl, cl
		mov	eax, [ebp+arg_4]
		push	694A7350h
		push	1Ch
		push	200h
		mov	[eax], cl
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9CA4CA
		mov	edi, 0C000009Ah
		jmp	loc_9CA54B
; 

loc_9CA4CA:				; CODE XREF: PspSetJobIoRateControlForVolume(x,x,x,x,x)+3Aj
		mov	ecx, esi
		call	_PspIoRateEntryInitialize@4 ; PspIoRateEntryInitialize(x)
		push	0
		push	[ebp+var_4]
		mov	edx, edi
		mov	ecx, esi
		call	PspIoRateEntryActivate
		mov	edi, eax
		test	edi, edi
		js	short loc_9CA534
		mov	edx, [esi+0Ch]
		xor	ebx, ebx
		mov	ecx, [ebp+var_8]
		inc	ebx
		call	_PspJobIoRateVolumeEntryRemove@8 ; PspJobIoRateVolumeEntryRemove(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_9CA50D
		mov	ecx, edi
		call	PspIoRateEntryDeactivate
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_0]
		mov	[eax], bl

loc_9CA50D:				; CODE XREF: PspSetJobIoRateControlForVolume(x,x,x,x,x)+73j
		mov	ecx, [ebp+var_4]
		call	_PspIoRateControlInfoIsAnySet@4	; PspIoRateControlInfoIsAnySet(x)
		test	al, al
		jz	short loc_9CA532
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		mov	eax, [esi+14h]
		mov	[ecx], eax
		mov	ecx, [ebp+var_8]
		call	_PspJobIoRateVolumeEntryInsert@8 ; PspJobIoRateVolumeEntryInsert(x,x)
		mov	eax, [ebp+arg_4]
		xor	esi, esi
		mov	[eax], bl

loc_9CA532:				; CODE XREF: PspSetJobIoRateControlForVolume(x,x,x,x,x)+93j
		xor	edi, edi

loc_9CA534:				; CODE XREF: PspSetJobIoRateControlForVolume(x,x,x,x,x)+5Fj
		test	esi, esi
		jz	short loc_9CA54B
		test	bl, bl
		jz	short loc_9CA543
		mov	ecx, esi
		call	PspIoRateEntryDeactivate

loc_9CA543:				; CODE XREF: PspSetJobIoRateControlForVolume(x,x,x,x,x)+B6j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9CA54B:				; CODE XREF: PspSetJobIoRateControlForVolume(x,x,x,x,x)+41j
					; PspSetJobIoRateControlForVolume(x,x,x,x,x)+B2j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_PspSetJobIoRateControlForVolume@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetJobRateControl(x, x, x, x, x,	x)
_PspSetJobRateControl@24 proc near	; CODE XREF: PspSetNetRateControl(x,x,x)+139p
					; PspSetNetRateControl(x,x,x)+174p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [esp+28h+var_18]
		xor	eax, eax
		mov	edx, 4000000h
		push	6
		pop	ecx
		rep stosd
		mov	ecx, [ebx+310h]
		xor	esi, esi
		mov	eax, ecx
		xor	edi, edi
		and	ecx, 2000000h
		and	eax, edx
		test	[ebp+arg_0], 1
		mov	[esp+28h+var_1C], ecx
		jz	short loc_9CA605
		test	eax, eax
		jnz	short loc_9CA5DA
		test	ecx, ecx
		jz	short loc_9CA5A4
		mov	esi, 0C00000BBh
		jmp	loc_9CA62F
; 

loc_9CA5A4:				; CODE XREF: PspSetJobRateControl(x,x,x,x,x,x)+44j
		xor	ecx, ecx
		call	PspAllocateRateControl
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9CA5B8
		mov	esi, 0C0000017h
		jmp	short loc_9CA62B
; 

loc_9CA5B8:				; CODE XREF: PspSetJobRateControl(x,x,x,x,x,x)+5Bj
		mov	[ebx+30Ch], edi
		lea	eax, [ebx+310h]
		mov	ecx, 4000000h
		lock or	[eax], ecx
		push	1
		mov	edx, 2000000h
		mov	ecx, ebx
		call	_PspModifyAncestorBits@12 ; PspModifyAncestorBits(x,x,x)

loc_9CA5DA:				; CODE XREF: PspSetJobRateControl(x,x,x,x,x,x)+40j
		and	[esp+28h+var_8], esi
		lea	eax, [esp+28h+var_18]
		push	5
		push	eax
		push	offset _PspSetRateControlProcessCallback@8 ; PspSetRateControlProcessCallback(x,x)
		push	0
		mov	edx, offset _PspSetRateControlJobPreCallback@8 ; PspSetRateControlJobPreCallback(x,x)
		mov	[esp+38h+var_C], ebx
		mov	ecx, ebx
		mov	[esp+38h+var_4], 1
		call	PspEnumJobsAndProcessesInJobHierarchy
		mov	esi, eax
		jmp	short loc_9CA61A
; 

loc_9CA605:				; CODE XREF: PspSetJobRateControl(x,x,x,x,x,x)+3Cj
		test	eax, eax
		jnz	short loc_9CA610
		mov	esi, 0C000000Dh
		jmp	short loc_9CA62F
; 

loc_9CA610:				; CODE XREF: PspSetJobRateControl(x,x,x,x,x,x)+B3j
		sub	esp, 0Ch
		mov	ecx, ebx
		call	_PspRemoveRateControl@20 ; PspRemoveRateControl(x,x,x,x,x)

loc_9CA61A:				; CODE XREF: PspSetJobRateControl(x,x,x,x,x,x)+AFj
		test	esi, esi
		jns	short loc_9CA688
		test	edi, edi
		jz	short loc_9CA62B
		xor	edx, edx
		mov	ecx, edi
		call	_PspFreeRateControl@8 ;	PspFreeRateControl(x,x)

loc_9CA62B:				; CODE XREF: PspSetJobRateControl(x,x,x,x,x,x)+62j
					; PspSetJobRateControl(x,x,x,x,x,x)+CCj
		mov	ecx, [esp+28h+var_1C]

loc_9CA62F:				; CODE XREF: PspSetJobRateControl(x,x,x,x,x,x)+4Bj
					; PspSetJobRateControl(x,x,x,x,x,x)+BAj
		and	dword ptr [ebx+30Ch], 0
		lea	eax, [ebx+310h]
		mov	edi, 0FBFFFFFFh
		lock and [eax],	edi
		test	ecx, ecx
		jnz	short loc_9CA688
		push	ecx
		mov	edx, 2000000h
		mov	ecx, ebx
		call	_PspModifyAncestorBits@12 ; PspModifyAncestorBits(x,x,x)
		xor	ecx, ecx
		lea	eax, [esp+28h+var_18]
		push	5
		push	eax
		push	offset _PspSetRateControlProcessCallback@8 ; PspSetRateControlProcessCallback(x,x)
		mov	[esp+34h+var_4], cl
		mov	edx, offset _PspSetRateControlJobPreCallback@8 ; PspSetRateControlJobPreCallback(x,x)
		mov	[esp+34h+var_18], ecx
		mov	[esp+34h+var_14], ecx
		mov	[esp+34h+var_10], ecx
		mov	[esp+34h+var_C], ecx
		mov	[esp+34h+var_8], ecx
		push	ecx
		mov	ecx, ebx
		call	PspEnumJobsAndProcessesInJobHierarchy

loc_9CA688:				; CODE XREF: PspSetJobRateControl(x,x,x,x,x,x)+C8j
					; PspSetJobRateControl(x,x,x,x,x,x)+F2j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_PspSetJobRateControl@24 endp


;  S U B	R O U T	I N E 


; __stdcall PspSetJobSiloThreadImpersonationPolicy(x, x)
_PspSetJobSiloThreadImpersonationPolicy@8 proc near ; CODE XREF: sub_8D3EE6+32p
					; sub_8D3F7C+32p ...
		mov	edi, edi
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, edx
		cmp	esi, 2
		push	edi
		setz	bl
		lea	edi, [ecx+314h]
		mov	eax, [edi]
		lea	ebx, ds:2[ebx*2]
		test	eax, esi
		jz	short loc_9CA6C9

loc_9CA6B5:				; CODE XREF: PspSetJobSiloThreadImpersonationPolicy(x,x)+34j
		mov	al, 1

loc_9CA6B7:				; CODE XREF: PspSetJobSiloThreadImpersonationPolicy(x,x)+3Cj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_9CA6BB:				; CODE XREF: PspSetJobSiloThreadImpersonationPolicy(x,x)+38j
		mov	edx, eax
		or	edx, esi
		mov	ecx, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_9CA6B5

loc_9CA6C9:				; CODE XREF: PspSetJobSiloThreadImpersonationPolicy(x,x)+20j
		test	ebx, eax
		jz	short loc_9CA6BB
		xor	al, al
		jmp	short loc_9CA6B7
_PspSetJobSiloThreadImpersonationPolicy@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetJobTimeLimitCallback(x, x)
_PspSetJobTimeLimitCallback@8 proc near	; DATA XREF: sub_759647+179E87o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_4], 0
		test	byte ptr [ecx+0F8h], 2
		jnz	short loc_9CA6FF
		lea	edx, [ebp+var_4]
		call	_PsQueryRuntimeProcess@8 ; PsQueryRuntimeProcess(x,x)
		mov	eax, ds:_KeMaximumIncrement
		mul	[ebp+var_4]
		mov	ecx, [ebp+arg_4]
		add	[ecx], eax
		adc	[ecx+4], edx

loc_9CA6FF:				; CODE XREF: PspSetJobTimeLimitCallback(x,x)+14j
		xor	eax, eax
		leave
		retn	8
_PspSetJobTimeLimitCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetNetRateControl(x, x, x)
_PspSetNetRateControl@12 proc near	; CODE XREF: sub_8D3D73+Fp

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= byte ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= byte ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	70h
		push	offset dword_6A8FB0
		call	__SEH_prolog4_GS
		mov	esi, ecx
		mov	ebx, [ebp+arg_0]
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_44]
		rep stosd
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_45], al
		mov	[ebp+ms_exc.disabled], eax
		push	edx		; size_t
		push	esi		; void *
		lea	eax, [ebp+var_2C]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+var_24]
		test	edx, 0FFFFFFF8h
		jz	short loc_9CA75C

loc_9CA752:				; CODE XREF: PspSetNetRateControl(x,x,x)+6Fj
					; PspSetNetRateControl(x,x,x)+76j
		mov	esi, 0C000000Dh
		jmp	loc_9CA965
; 

loc_9CA75C:				; CODE XREF: PspSetNetRateControl(x,x,x)+4Bj
		mov	eax, edx
		and	eax, 1
		mov	[ebp+var_50], eax
		mov	esi, edx
		jz	short loc_9CA77D
		and	esi, 4
		mov	[ebp+var_54], esi
		jz	short loc_9CA776
		cmp	[ebp+var_20], 40h
		ja	short loc_9CA752

loc_9CA776:				; CODE XREF: PspSetNetRateControl(x,x,x)+69j
		test	dl, 6
		jnz	short loc_9CA783
		jmp	short loc_9CA752
; 

loc_9CA77D:				; CODE XREF: PspSetNetRateControl(x,x,x)+61j
		and	esi, 4
		mov	[ebp+var_54], esi

loc_9CA783:				; CODE XREF: PspSetNetRateControl(x,x,x)+74j
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_74]
		rep stosd
		lea	eax, [ebx+2D8h]
		mov	[ebp+var_64], eax
		xor	edi, edi
		mov	[ebp+var_70], edi
		and	edx, 2
		mov	[ebp+var_78], edx
		jz	short loc_9CA7B3
		or	[ebp+var_60], 10h
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+var_28]
		mov	[ebp+var_68], eax

loc_9CA7B3:				; CODE XREF: PspSetNetRateControl(x,x,x)+9Cj
		test	esi, esi
		jz	short loc_9CA7C1
		or	[ebp+var_60], 8
		mov	al, [ebp+var_20]
		mov	[ebp+var_5C], al

loc_9CA7C1:				; CODE XREF: PspSetNetRateControl(x,x,x)+B0j
		mov	eax, large fs:124h
		mov	[ebp+var_7C], eax
		lea	ecx, [ebp+var_4C]
		push	ecx
		mov	edx, eax
		mov	ecx, ebx
		call	PspLockRootJobExclusive
		push	ecx
		lea	edx, [ebp+var_4C]
		mov	ecx, ebx
		call	_PspLockJobConditionally@12 ; PspLockJobConditionally(x,x,x)
		mov	edx, [ebx+310h]
		mov	ecx, edx
		and	edx, 2000000h
		and	ecx, 4000000h
		jz	short loc_9CA804
		mov	eax, [ebx+30Ch]
		mov	eax, [eax+24h]
		mov	[ebp+var_74], eax

loc_9CA804:				; CODE XREF: PspSetNetRateControl(x,x,x)+F1j
		mov	eax, [ebp+var_50]
		test	al, al
		jnz	short loc_9CA819
		test	ecx, ecx
		jz	short loc_9CA815
		or	[ebp+var_60], 4
		jmp	short loc_9CA82F
; 

loc_9CA815:				; CODE XREF: PspSetNetRateControl(x,x,x)+108j
		test	al, al
		jz	short loc_9CA82F

loc_9CA819:				; CODE XREF: PspSetNetRateControl(x,x,x)+104j
		test	edx, edx
		jnz	short loc_9CA823
		or	[ebp+var_60], 1
		jmp	short loc_9CA82F
; 

loc_9CA823:				; CODE XREF: PspSetNetRateControl(x,x,x)+116j
		test	al, al
		jz	short loc_9CA82F
		test	ecx, ecx
		jz	short loc_9CA82F
		or	[ebp+var_60], 2

loc_9CA82F:				; CODE XREF: PspSetNetRateControl(x,x,x)+10Ej
					; PspSetNetRateControl(x,x,x)+112j ...
		mov	al, byte ptr [ebp+var_60]
		test	al, 1
		jz	short loc_9CA85B
		sub	esp, 0Ch
		push	[ebp+var_24]
		mov	ecx, ebx
		call	_PspSetJobRateControl@24 ; PspSetJobRateControl(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9CA918
		mov	[ebp+var_45], 1
		lea	ecx, [ebp+var_74]
		call	_PspNetRateControlDispatch@4 ; PspNetRateControlDispatch(x)
		jmp	short loc_9CA87E
; 

loc_9CA85B:				; CODE XREF: PspSetNetRateControl(x,x,x)+12Fj
		test	al, 7
		jz	short loc_9CA871
		lea	ecx, [ebp+var_74]
		call	_PspNetRateControlDispatch@4 ; PspNetRateControlDispatch(x)
		mov	esi, eax
		test	esi, esi
		js	loc_9CA918

loc_9CA871:				; CODE XREF: PspSetNetRateControl(x,x,x)+158j
		sub	esp, 0Ch
		push	[ebp+var_24]
		mov	ecx, ebx
		call	_PspSetJobRateControl@24 ; PspSetJobRateControl(x,x,x,x,x,x)

loc_9CA87E:				; CODE XREF: PspSetNetRateControl(x,x,x)+154j
		mov	esi, eax
		test	esi, esi
		js	loc_9CA918
		cmp	[ebp+var_50], edi
		jz	short loc_9CA8F3
		cmp	[ebp+var_78], edi
		jz	short loc_9CA8AE
		mov	eax, [ebx+30Ch]
		or	dword ptr [eax+20h], 1
		mov	ecx, [ebx+30Ch]
		mov	eax, [ebp+var_6C]
		mov	[ecx+18h], eax
		mov	eax, [ebp+var_68]
		mov	[ecx+1Ch], eax

loc_9CA8AE:				; CODE XREF: PspSetNetRateControl(x,x,x)+18Bj
		cmp	[ebp+var_54], edi
		jz	short loc_9CA8C9
		mov	eax, [ebx+30Ch]
		or	dword ptr [eax+20h], 2
		mov	ecx, [ebx+30Ch]
		mov	al, [ebp+var_5C]
		mov	[ecx+28h], al

loc_9CA8C9:				; CODE XREF: PspSetNetRateControl(x,x,x)+1ACj
		mov	ecx, [ebx+30Ch]
		mov	eax, [ebp+var_74]
		mov	[ecx+24h], eax
		mov	ecx, [ebx+30Ch]
		mov	eax, [ecx+20h]
		mov	[ebp+var_44], eax
		mov	eax, [ecx+18h]
		mov	[ebp+var_3C], eax
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_38], eax
		mov	al, [ecx+28h]
		mov	[ebp+var_34], al

loc_9CA8F3:				; CODE XREF: PspSetNetRateControl(x,x,x)+186j
		test	ds:_PerfGlobalGroupMask, 80000h
		jz	short loc_9CA914
		push	725h
		push	esi
		push	edi
		lea	eax, [ebp+var_44]
		push	eax
		push	20h
		pop	edx
		mov	ecx, ebx
		call	_EtwTraceJobSetQuery@24	; EtwTraceJobSetQuery(x,x,x,x,x,x)

loc_9CA914:				; CODE XREF: PspSetNetRateControl(x,x,x)+1F8j
		test	esi, esi
		jns	short loc_9CA929

loc_9CA918:				; CODE XREF: PspSetNetRateControl(x,x,x)+142j
					; PspSetNetRateControl(x,x,x)+166j ...
		cmp	[ebp+var_45], 0
		jz	short loc_9CA929
		sub	esp, 0Ch
		push	edi
		mov	ecx, ebx
		call	_PspSetJobRateControl@24 ; PspSetJobRateControl(x,x,x,x,x,x)

loc_9CA929:				; CODE XREF: PspSetNetRateControl(x,x,x)+211j
					; PspSetNetRateControl(x,x,x)+217j ...
		cmp	ebx, [ebp+edi*4+var_4C]
		jz	short loc_9CA93D
		inc	edi
		cmp	edi, 1
		jb	short loc_9CA929
		lea	ecx, [ebx+20h]
		call	ExReleaseResourceLite

loc_9CA93D:				; CODE XREF: PspSetNetRateControl(x,x,x)+228j
		mov	edx, [ebp+var_7C]
		mov	ecx, [ebp+var_4C]
		call	_PspUnlockJob@8	; PspUnlockJob(x,x)
		jmp	short loc_9CA965
; 

loc_9CA94A:				; DATA XREF: .text:006A8FC4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_80], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CA958:				; DATA XREF: .text:006A8FC8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_80]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9CA965:				; CODE XREF: PspSetNetRateControl(x,x,x)+52j
					; PspSetNetRateControl(x,x,x)+243j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PspSetNetRateControl@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetRateControlJobPreCallback(x, x)
_PspSetRateControlJobPreCallback@8 proc	near
					; DATA XREF: PspRemoveRateControl(x,x,x,x,x)+34o
					; PspSetJobRateControl(x,x,x,x,x,x)+98o ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	esi, esi
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	edx, [edi+0Ch]
		call	_PspSetEffectiveRateControlJob@12 ; PspSetEffectiveRateControlJob(x,x,x)
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_9CA99F
		push	dword ptr [edi+8]
		push	ecx
		call	eax
		mov	esi, eax

loc_9CA99F:				; CODE XREF: PspSetRateControlJobPreCallback(x,x)+1Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_PspSetRateControlJobPreCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetRateControlProcessCallback(x,	x)
_PspSetRateControlProcessCallback@8 proc near
					; DATA XREF: PspRemoveRateControl(x,x,x,x,x)+2Eo
					; PspSetJobRateControl(x,x,x,x,x,x)+91o ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		mov	edx, [ecx+4]
		test	edx, edx
		jz	short loc_9CA9C0
		push	dword ptr [ecx+8]
		push	[ebp+arg_0]
		call	edx

loc_9CA9C0:				; CODE XREF: PspSetRateControlProcessCallback(x,x)+Fj
		pop	ebp
		retn	8
_PspSetRateControlProcessCallback@8 endp


;  S U B	R O U T	I N E 


; __stdcall PspSubtractAccountingValues(x, x)
_PspSubtractAccountingValues@8 proc near ; CODE	XREF: PspRemoveProcessFromJobChain+17CD3Bp
		mov	eax, [ecx]
		push	ebx
		push	esi
		mov	esi, edx
		mov	edx, [ecx+4]
		push	edi
		mov	ebx, [esi+4]
		mov	edi, [esi]
		cmp	ebx, edx
		ja	short loc_9CA9E3
		jb	short loc_9CA9DD
		cmp	edi, eax
		ja	short loc_9CA9E3

loc_9CA9DD:				; CODE XREF: PspSubtractAccountingValues(x,x)+13j
		sub	eax, edi
		sbb	edx, ebx
		jmp	short loc_9CA9E7
; 

loc_9CA9E3:				; CODE XREF: PspSubtractAccountingValues(x,x)+11j
					; PspSubtractAccountingValues(x,x)+17j
		xor	eax, eax
		xor	edx, edx

loc_9CA9E7:				; CODE XREF: PspSubtractAccountingValues(x,x)+1Dj
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	ebx, [esi+0Ch]
		mov	edx, [ecx+0Ch]
		mov	edi, [esi+8]
		mov	eax, [ecx+8]
		cmp	ebx, edx
		ja	short loc_9CAA08
		jb	short loc_9CAA02
		cmp	edi, eax
		ja	short loc_9CAA08

loc_9CAA02:				; CODE XREF: PspSubtractAccountingValues(x,x)+38j
		sub	eax, edi
		sbb	edx, ebx
		jmp	short loc_9CAA0C
; 

loc_9CAA08:				; CODE XREF: PspSubtractAccountingValues(x,x)+36j
					; PspSubtractAccountingValues(x,x)+3Cj
		xor	eax, eax
		xor	edx, edx

loc_9CAA0C:				; CODE XREF: PspSubtractAccountingValues(x,x)+42j
		mov	[ecx+8], eax
		mov	[ecx+0Ch], edx
		mov	ebx, [esi+1Ch]
		mov	edx, [ecx+1Ch]
		mov	edi, [esi+18h]
		mov	eax, [ecx+18h]
		cmp	ebx, edx
		ja	short loc_9CAA2E
		jb	short loc_9CAA28
		cmp	edi, eax
		ja	short loc_9CAA2E

loc_9CAA28:				; CODE XREF: PspSubtractAccountingValues(x,x)+5Ej
		sub	eax, edi
		sbb	edx, ebx
		jmp	short loc_9CAA32
; 

loc_9CAA2E:				; CODE XREF: PspSubtractAccountingValues(x,x)+5Cj
					; PspSubtractAccountingValues(x,x)+62j
		xor	eax, eax
		xor	edx, edx

loc_9CAA32:				; CODE XREF: PspSubtractAccountingValues(x,x)+68j
		mov	[ecx+18h], eax
		mov	[ecx+1Ch], edx
		mov	ebx, [esi+2Ch]
		mov	edx, [ecx+2Ch]
		mov	edi, [esi+28h]
		mov	eax, [ecx+28h]
		cmp	ebx, edx
		jg	short loc_9CAA54
		jl	short loc_9CAA4E
		cmp	edi, eax
		ja	short loc_9CAA54

loc_9CAA4E:				; CODE XREF: PspSubtractAccountingValues(x,x)+84j
		sub	eax, edi
		sbb	edx, ebx
		jmp	short loc_9CAA58
; 

loc_9CAA54:				; CODE XREF: PspSubtractAccountingValues(x,x)+82j
					; PspSubtractAccountingValues(x,x)+88j
		xor	eax, eax
		xor	edx, edx

loc_9CAA58:				; CODE XREF: PspSubtractAccountingValues(x,x)+8Ej
		mov	[ecx+28h], eax
		mov	[ecx+2Ch], edx
		mov	ebx, [esi+34h]
		mov	edx, [ecx+34h]
		mov	edi, [esi+30h]
		mov	eax, [ecx+30h]
		cmp	ebx, edx
		jg	short loc_9CAA7A
		jl	short loc_9CAA74
		cmp	edi, eax
		ja	short loc_9CAA7A

loc_9CAA74:				; CODE XREF: PspSubtractAccountingValues(x,x)+AAj
		sub	eax, edi
		sbb	edx, ebx
		jmp	short loc_9CAA7E
; 

loc_9CAA7A:				; CODE XREF: PspSubtractAccountingValues(x,x)+A8j
					; PspSubtractAccountingValues(x,x)+AEj
		xor	eax, eax
		xor	edx, edx

loc_9CAA7E:				; CODE XREF: PspSubtractAccountingValues(x,x)+B4j
		mov	[ecx+30h], eax
		mov	[ecx+34h], edx
		mov	ebx, [esi+3Ch]
		mov	edx, [ecx+3Ch]
		mov	edi, [esi+38h]
		mov	eax, [ecx+38h]
		cmp	ebx, edx
		jg	short loc_9CAAA0
		jl	short loc_9CAA9A
		cmp	edi, eax
		ja	short loc_9CAAA0

loc_9CAA9A:				; CODE XREF: PspSubtractAccountingValues(x,x)+D0j
		sub	eax, edi
		sbb	edx, ebx
		jmp	short loc_9CAAA4
; 

loc_9CAAA0:				; CODE XREF: PspSubtractAccountingValues(x,x)+CEj
					; PspSubtractAccountingValues(x,x)+D4j
		xor	eax, eax
		xor	edx, edx

loc_9CAAA4:				; CODE XREF: PspSubtractAccountingValues(x,x)+DAj
		mov	[ecx+38h], eax
		mov	[ecx+3Ch], edx
		mov	ebx, [esi+44h]
		mov	edx, [ecx+44h]
		mov	edi, [esi+40h]
		mov	eax, [ecx+40h]
		cmp	ebx, edx
		jg	short loc_9CAAC6
		jl	short loc_9CAAC0
		cmp	edi, eax
		ja	short loc_9CAAC6

loc_9CAAC0:				; CODE XREF: PspSubtractAccountingValues(x,x)+F6j
		sub	eax, edi
		sbb	edx, ebx
		jmp	short loc_9CAACA
; 

loc_9CAAC6:				; CODE XREF: PspSubtractAccountingValues(x,x)+F4j
					; PspSubtractAccountingValues(x,x)+FAj
		xor	eax, eax
		xor	edx, edx

loc_9CAACA:				; CODE XREF: PspSubtractAccountingValues(x,x)+100j
		mov	[ecx+40h], eax
		mov	[ecx+44h], edx
		mov	ebx, [esi+4Ch]
		mov	edx, [ecx+4Ch]
		mov	edi, [esi+48h]
		mov	eax, [ecx+48h]
		cmp	ebx, edx
		jg	short loc_9CAAEC
		jl	short loc_9CAAE6
		cmp	edi, eax
		ja	short loc_9CAAEC

loc_9CAAE6:				; CODE XREF: PspSubtractAccountingValues(x,x)+11Cj
		sub	eax, edi
		sbb	edx, ebx
		jmp	short loc_9CAAF0
; 

loc_9CAAEC:				; CODE XREF: PspSubtractAccountingValues(x,x)+11Aj
					; PspSubtractAccountingValues(x,x)+120j
		xor	eax, eax
		xor	edx, edx

loc_9CAAF0:				; CODE XREF: PspSubtractAccountingValues(x,x)+126j
		mov	[ecx+48h], eax
		mov	[ecx+4Ch], edx
		mov	edi, [esi+50h]
		mov	esi, [esi+54h]
		mov	edx, [ecx+54h]
		mov	eax, [ecx+50h]
		cmp	esi, edx
		jg	short loc_9CAB12
		jl	short loc_9CAB0C
		cmp	edi, eax
		ja	short loc_9CAB12

loc_9CAB0C:				; CODE XREF: PspSubtractAccountingValues(x,x)+142j
		sub	eax, edi
		sbb	edx, esi
		jmp	short loc_9CAB16
; 

loc_9CAB12:				; CODE XREF: PspSubtractAccountingValues(x,x)+140j
					; PspSubtractAccountingValues(x,x)+146j
		xor	eax, eax
		xor	edx, edx

loc_9CAB16:				; CODE XREF: PspSubtractAccountingValues(x,x)+14Cj
		pop	edi
		pop	esi
		mov	[ecx+50h], eax
		mov	[ecx+54h], edx
		pop	ebx
		retn
_PspSubtractAccountingValues@8 endp


;  S U B	R O U T	I N E 


; __stdcall PspUnlockJobListShared(x)
_PspUnlockJobListShared@4 proc near	; CODE XREF: PAGE:008D250Cp
		mov	edi, edi
		push	esi
		push	edi
		push	11h
		mov	esi, ecx
		xor	edx, edx
		mov	edi, offset _PspJobListLock
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_9CAB40
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9CAB40:				; CODE XREF: PspUnlockJobListShared(x)+17j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		mov	ecx, esi
		pop	esi
		jmp	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
_PspUnlockJobListShared@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspWaitOnAllProcessesJobCallback(x,	x)
_PspWaitOnAllProcessesJobCallback@8 proc near
					; DATA XREF: PspTerminateSiloSubsystemProcesses(x)+2Do

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		mov	ebx, large fs:124h
		mov	edx, ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		push	0
		stosd
		stosd
		lea	eax, [ebp+var_C]
		push	eax
		call	_PspGetNextJobProcess@16 ; PspGetNextJobProcess(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9CABBA
		mov	edi, [ebp+arg_4]

loc_9CAB83:				; CODE XREF: PspWaitOnAllProcessesJobCallback(x,x)+68j
		test	byte ptr [esi+3A8h], 40h
		jnz	short loc_9CABA5
		mov	eax, large fs:124h
		cmp	esi, [eax+80h]
		jz	short loc_9CABA5
		or	byte ptr [edi+4], 2
		mov	ecx, esi
		call	_PspWaitForUsermodeExit@4 ; PspWaitForUsermodeExit(x)

loc_9CABA5:				; CODE XREF: PspWaitOnAllProcessesJobCallback(x,x)+3Aj
					; PspWaitOnAllProcessesJobCallback(x,x)+48j
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_C]
		push	esi
		push	eax
		mov	edx, ebx
		call	_PspGetNextJobProcess@16 ; PspGetNextJobProcess(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9CAB83

loc_9CABBA:				; CODE XREF: PspWaitOnAllProcessesJobCallback(x,x)+2Ej
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	8
_PspWaitOnAllProcessesJobCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetVmProcessorHostProcess(x)
_PsSetVmProcessorHostProcess@4 proc near ; CODE	XREF: VmSetVpHostProcess(x)+8p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+40h+var_10]
		mov	ebx, ecx
		stosd
		mov	esi, 800000h
		mov	[esp+40h+var_2C], ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+40h+var_20]
		stosd
		stosd
		stosd
		stosd
		lea	edi, [ebx+3A8h]
		mov	eax, [edi]
		mov	edx, eax
		mov	[esp+40h+var_28], edi
		mov	[esp+40h+var_34], eax
		test	edx, esi
		jnz	short loc_9CAC22

loc_9CAC06:				; CODE XREF: PsSetVmProcessorHostProcess(x)+5Dj
		mov	ecx, edx
		mov	eax, edx
		or	ecx, 1800000h
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_9CAC52
		mov	edx, eax
		mov	[esp+40h+var_34], edx
		test	eax, esi
		jz	short loc_9CAC06

loc_9CAC22:				; CODE XREF: PsSetVmProcessorHostProcess(x)+41j
		mov	ebx, 1000000h
		test	edx, ebx
		jz	short loc_9CAC4B
		xor	esi, esi

loc_9CAC2D:				; CODE XREF: PsSetVmProcessorHostProcess(x)+86j
		push	esi
		push	4
		lea	eax, [esp+48h+var_34]
		mov	edx, edi
		push	eax
		mov	ecx, offset _PsVmProcessorHostTransitionEvent
		call	ExBlockOnAddressPushLock
		mov	eax, [edi]
		mov	[esp+40h+var_34], eax
		test	eax, ebx
		jnz	short loc_9CAC2D

loc_9CAC4B:				; CODE XREF: PsSetVmProcessorHostProcess(x)+66j
					; PsSetVmProcessorHostProcess(x)+14Cj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_9CAC52:				; CODE XREF: PsSetVmProcessorHostProcess(x)+53j
		lea	esi, [ebx+4A0h]
		xor	eax, eax
		xor	edx, edx
		nop
		xor	ebx, ebx
		xor	ecx, ecx
		lock cmpxchg8b qword ptr [esi]
		or	eax, edx
		push	ecx
		pop	esi
		jnz	short loc_9CACBA
		mov	eax, 200000h
		lock or	[edi], eax

loc_9CAC73:				; CODE XREF: PsSetVmProcessorHostProcess(x)+DDj
					; PsSetVmProcessorHostProcess(x)+E1j
		mov	eax, _PsNextSecurityDomain
		mov	ebx, eax
		mov	edi, dword_6B5BC4
		add	ebx, 1
		mov	ecx, edi
		mov	[esp+40h+var_30], eax
		adc	ecx, esi
		mov	edx, edi
		mov	esi, offset _PsNextSecurityDomain
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [esp+40h+var_30]
		push	0
		pop	esi
		cmp	eax, ecx
		jnz	short loc_9CAC73
		cmp	edx, edi
		jnz	short loc_9CAC73
		add	ecx, 1
		adc	edi, esi
		push	edi
		push	ecx
		mov	ecx, [esp+48h+var_2C]
		call	PspWriteProcessSecurityDomain
		mov	edi, [esp+40h+var_28]

loc_9CACBA:				; CODE XREF: PsSetVmProcessorHostProcess(x)+A6j
		push	esi
		push	1
		lea	eax, [esp+48h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+40h+var_10]
		mov	[esp+40h+var_18], offset _PspSetVmProcessorHostProcessWorkerRoutine@4 ;	PspSetVmProcessorHostProcessWorkerRoutine(x)
		mov	[esp+40h+var_14], eax
		lea	eax, [esp+40h+var_20]
		push	esi
		push	eax
		mov	[esp+48h+var_20], esi
		call	ExQueueWorkItem
		push	esi
		push	esi
		push	esi
		push	esi
		lea	eax, [esp+50h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, 0FEFFFFFFh
		lock and [edi],	eax
		mov	[esp+40h+var_24], esi
		lea	eax, [esp+40h+var_24]
		xor	ecx, ecx
		lock or	[eax], ecx
		cmp	_PsVmProcessorHostTransitionEvent, ecx
		jz	loc_9CAC4B
		xor	edx, edx
		mov	ecx, offset _PsVmProcessorHostTransitionEvent
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_9CAC4B
_PsSetVmProcessorHostProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspAssignProcessToJobList(x, x, x)
_PspAssignProcessToJobList@12 proc near	; CODE XREF: PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)+64Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], edx
		push	edi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], eax
		cmp	[ebp+arg_0], esi
		jbe	short loc_9CAD96

loc_9CAD47:				; CODE XREF: PspAssignProcessToJobList(x,x,x)+63j
		mov	eax, [eax+2FCh]
		test	al, 1
		jnz	short loc_9CAD8F
		mov	ebx, [edx+esi*4]
		push	0
		push	ecx
		push	ebx
		call	PsAssignProcessToJobObject
		test	ds:_PerfGlobalGroupMask, 80000h
		mov	edi, eax
		jz	short loc_9CAD76
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	edi
		call	_EtwTraceJobAssignProcess@12 ; EtwTraceJobAssignProcess(x,x,x)

loc_9CAD76:				; CODE XREF: PspAssignProcessToJobList(x,x,x)+43j
		test	edi, edi
		js	short loc_9CAD8B
		inc	esi
		cmp	esi, [ebp+arg_0]
		jnb	short loc_9CAD96
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_C]
		jmp	short loc_9CAD47
; 

loc_9CAD8B:				; CODE XREF: PspAssignProcessToJobList(x,x,x)+52j
		mov	eax, edi
		jmp	short loc_9CAD98
; 

loc_9CAD8F:				; CODE XREF: PspAssignProcessToJobList(x,x,x)+29j
		mov	eax, 0C000004Bh
		jmp	short loc_9CAD98
; 

loc_9CAD96:				; CODE XREF: PspAssignProcessToJobList(x,x,x)+1Fj
					; PspAssignProcessToJobList(x,x,x)+58j
		xor	eax, eax

loc_9CAD98:				; CODE XREF: PspAssignProcessToJobList(x,x,x)+67j
					; PspAssignProcessToJobList(x,x,x)+6Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PspAssignProcessToJobList@12 endp


;  S U B	R O U T	I N E 


; __stdcall PspDeleteObjectAccessState(x)
_PspDeleteObjectAccessState@4 proc near	; CODE XREF: PAGE:007A36D8p
					; PspCreateProcess+2A4p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	SepDeleteAccessState
		lea	eax, [esi+1Ch]
		push	eax
		call	SeReleaseSubjectContext
		pop	esi
		retn
_PspDeleteObjectAccessState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PspGenerateObjectAccessState(int,int,int,void *)
_PspGenerateObjectAccessState@16 proc near ; CODE XREF:	PspInsertProcess+14Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]	; int
		push	edx		; int
		mov	edx, [ebp+arg_4]
		lea	eax, [edx+74h]
		push	eax		; void *
		push	edx		; void *
		push	ecx		; int
		push	0		; int
		call	_SeCreateAccessStateEx@24 ; SeCreateAccessStateEx(x,x,x,x,x,x)
		pop	ebp
		retn	8
_PspGenerateObjectAccessState@16 endp


;  S U B	R O U T	I N E 


; __stdcall PspInitClonedThread(x, x)
_PspInitClonedThread@8 proc near	; CODE XREF: PspAllocateThread+1688D2p
		mov	edi, edi
		push	esi
		mov	esi, edx
		xor	edx, edx
		push	edi
		mov	edi, ecx
		inc	edx
		mov	ecx, esi
		call	_PsQueryThreadStartAddress@8 ; PsQueryThreadStartAddress(x,x)
		xor	edx, edx
		mov	[edi+298h], eax
		mov	ecx, esi
		call	_PsQueryThreadStartAddress@8 ; PsQueryThreadStartAddress(x,x)
		or	dword ptr [edi+300h], 10h
		mov	[edi+2DCh], eax
		pop	edi
		pop	esi
		retn
_PspInitClonedThread@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetVmProcessorHostProcessWorkerRoutine(x)
_PspSetVmProcessorHostProcessWorkerRoutine@4 proc near
					; DATA XREF: PsSetVmProcessorHostProcess(x)+108o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	2
		push	0
		mov	edx, offset _RtlEndStrongEnumerationHashTable@8	; RtlEndStrongEnumerationHashTable(x,x)
		mov	ecx, offset _KeActiveProcessors
		call	_KeGenericProcessorCallback@16 ; KeGenericProcessorCallback(x,x,x,x)
		push	0
		push	0
		push	[ebp+arg_0]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	ebp
		retn	4
_PspSetVmProcessorHostProcessWorkerRoutine@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1904. PsSetLegoNotifyRoutine

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetLegoNotifyRoutine(x)
		public _PsSetLegoNotifyRoutine@4
_PsSetLegoNotifyRoutine@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ds:_PspLegoNotifyRoutine, eax
		mov	eax, 1B8h
		pop	ebp
		retn	4
_PsSetLegoNotifyRoutine@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsShutdownSystem()
_PsShutdownSystem@0 proc near		; CODE XREF: PopGracefulShutdown(x)+69p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		or	[ebp+var_24], 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	[ebp+var_28], 0C4653600h
		stosd
		xor	ecx, ecx
		mov	[ebp+var_20], 1
		stosd
		stosd
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ecx, large fs:124h
		mov	edx, offset _PspShutdownThread
		mov	[ebp+var_1C], eax
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_9CAE9E
		xor	eax, eax
		jmp	loc_9CB056
; 

loc_9CAE9E:				; CODE XREF: PsShutdownSystem()+4Dj
		call	_PspShutdownServerSilos@0 ; PspShutdownServerSilos()
		xor	edx, edx
		mov	ecx, offset _PspFreezeProcessWorker@8 ;	PspFreezeProcessWorker(x,x)
		call	PsEnumProcesses
		xor	ebx, ebx
		mov	[ebp+var_18], ebx

loc_9CAEB4:				; CODE XREF: PsShutdownSystem()+144j
		xor	eax, eax
		xor	ecx, ecx
		xor	edi, edi
		mov	[ebp+var_14], eax
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9CAF85

loc_9CAECC:				; CODE XREF: PsShutdownSystem()+E8j
		push	esi
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		test	al, al
		jnz	short loc_9CAF25
		cmp	esi, ds:_PsIdleProcess
		jz	short loc_9CAF25
		mov	eax, [ebp+var_1C]
		cmp	esi, [eax+1F8h]
		jz	short loc_9CAF25
		mov	ecx, esi
		call	_SmIsCompressionProcess@4 ; SmIsCompressionProcess(x)
		test	eax, eax
		jnz	short loc_9CAF25
		mov	edx, 0C00002EBh
		call	_PsTerminateProcess@8 ;	PsTerminateProcess(x,x)
		test	byte ptr [esi+0FCh], 4
		mov	ebx, eax
		mov	[ebp+var_14], ebx
		jnz	short loc_9CAF25
		cmp	ebx, 122h
		jz	short loc_9CAF25
		cmp	edi, 3
		jnb	short loc_9CAF25
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	[ebp+edi*4+var_10], esi
		inc	edi

loc_9CAF25:				; CODE XREF: PsShutdownSystem()+8Cj
					; PsShutdownSystem()+94j ...
		mov	ecx, esi
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9CAECC
		mov	ebx, [ebp+var_18]
		test	edi, edi
		jz	short loc_9CAF85
		push	esi
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		push	esi
		push	esi
		push	1
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	KeWaitForMultipleObjects
		mov	[ebp+var_14], eax
		test	edi, edi
		jz	short loc_9CAF85

loc_9CAF54:				; CODE XREF: PsShutdownSystem()+118j
		mov	ecx, [ebp+esi*4+var_10]
		call	ObfDereferenceObject
		inc	esi
		cmp	esi, edi
		jb	short loc_9CAF54
		test	edi, edi
		jz	short loc_9CAF85
		cmp	[ebp+var_14], 102h
		jnz	short loc_9CAF85
		inc	ebx
		mov	[ebp+var_18], ebx
		cmp	ebx, 0Ah
		jbe	short loc_9CAF8A
		mov	al, ds:_PsContinueWaiting
		test	al, al
		jnz	short loc_9CAF8A
		xor	edi, edi
		jmp	short loc_9CAF95
; 

loc_9CAF85:				; CODE XREF: PsShutdownSystem()+7Ej
					; PsShutdownSystem()+EFj ...
		xor	ebx, ebx
		mov	[ebp+var_18], ebx

loc_9CAF8A:				; CODE XREF: PsShutdownSystem()+12Ej
					; PsShutdownSystem()+137j
		test	edi, edi
		jnz	loc_9CAEB4
		mov	edi, [ebp+var_20]

loc_9CAF95:				; CODE XREF: PsShutdownSystem()+13Bj
		cmp	_PopShutdownCleanly, 0
		jz	short loc_9CAFC0
		mov	ebx, [ebp+var_1C]
		mov	ecx, [ebx+1F8h]
		test	ecx, ecx
		jz	short loc_9CAFC0
		mov	edx, 0C00002EBh
		call	_PsTerminateProcess@8 ;	PsTerminateProcess(x,x)
		mov	ecx, [ebx+1F8h]
		call	_PspWaitForUsermodeExit@4 ; PspWaitForUsermodeExit(x)

loc_9CAFC0:				; CODE XREF: PsShutdownSystem()+154j
					; PsShutdownSystem()+161j
		xor	esi, esi

loc_9CAFC2:				; CODE XREF: PsShutdownSystem()+1A8j
		mov	ecx, ds:_PspSystemDlls[esi]
		test	ecx, ecx
		jz	short loc_9CAFEA
		mov	eax, [ecx+14h]
		test	eax, eax
		jz	short loc_9CAFE5
		push	eax
		push	ds:_PsInitialSystemProcess
		call	_MmUnmapViewOfSection@8	; MmUnmapViewOfSection(x,x)
		mov	ecx, ds:_PspSystemDlls[esi]

loc_9CAFE5:				; CODE XREF: PsShutdownSystem()+189j
		call	_PspSwapSystemDll@4 ; PspSwapSystemDll(x)

loc_9CAFEA:				; CODE XREF: PsShutdownSystem()+182j
		add	esi, 4
		cmp	esi, 18h
		jb	short loc_9CAFC2
		mov	eax, ds:_PspSystemPartition
		push	dword ptr [eax+38h]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, ds:_PspSystemPartition
		xor	esi, esi
		mov	[eax+38h], esi
		mov	eax, ds:_PsInitialSystemProcess
		mov	ecx, [eax+1BCh]
		test	ecx, ecx
		jz	short loc_9CB02F
		xor	ebx, ebx
		inc	ebx
		cmp	ecx, ebx
		jz	short loc_9CB02F
		call	ObfDereferenceObject
		mov	eax, ds:_PsInitialSystemProcess
		mov	[eax+1BCh], ebx

loc_9CB02F:				; CODE XREF: PsShutdownSystem()+1CEj
					; PsShutdownSystem()+1D5j
		mov	ecx, dword_6B1F6C
		mov	edx, dword_6B1F68
		push	ecx
		push	edx
		mov	dword_6B1F50, esi
		mov	dword_6B1F68, esi
		mov	dword_6B1F6C, esi
		call	EtwUnregister
		mov	eax, edi

loc_9CB056:				; CODE XREF: PsShutdownSystem()+51j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PsShutdownSystem@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsTerminateMinimalProcess(x, x)
_PsTerminateMinimalProcess@8 proc near	; CODE XREF: PspTeardownPartition(x)+9Cp
					; VmTerminateMemoryProcess(x,x)+2Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		push	8
		mov	[ebp+var_4], edx
		pop	ebx
		mov	[ebp+var_8], eax
		nop
		lea	edi, [esi+0E0h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		cmp	dword ptr [esi+1D8h], 0
		jnz	short loc_9CB0BA
		cmp	dword ptr [esi+34Ch], 103h
		mov	ebx, 2000008h
		jnz	short loc_9CB0BA
		mov	eax, [ebp+var_4]
		mov	[esi+34Ch], eax

loc_9CB0BA:				; CODE XREF: PsTerminateMinimalProcess(x,x)+39j
					; PsTerminateMinimalProcess(x,x)+4Aj
		lea	edx, [esi+0FCh]
		mov	eax, [edx]

loc_9CB0C2:				; CODE XREF: PsTerminateMinimalProcess(x,x)+65j
		mov	ecx, eax
		or	ecx, ebx
		lock cmpxchg [edx], ecx
		jnz	short loc_9CB0C2
		mov	[ebp+var_4], eax
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9CB0E3
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9CB0E3:				; CODE XREF: PsTerminateMinimalProcess(x,x)+75j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		bt	[ebp+var_4], 19h
		setnb	cl
		bt	ebx, 19h
		setb	al
		test	cl, al
		jz	short loc_9CB10E
		mov	dl, 1
		mov	ecx, esi
		call	_PspRundownSingleProcess@8 ; PspRundownSingleProcess(x,x)

loc_9CB10E:				; CODE XREF: PsTerminateMinimalProcess(x,x)+9Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PsTerminateMinimalProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsWaitForAllProcesses()
_PsWaitForAllProcesses@0 proc near	; CODE XREF: PopGracefulShutdown(x)+137p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		or	eax, 0FFFFFFFFh
		mov	ebx, 0FFFE7960h
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax

loc_9CB133:				; CODE XREF: PsWaitForAllProcesses()+A2j
					; PsWaitForAllProcesses()+C4j
		xor	ecx, ecx
		jmp	short loc_9CB167
; 

loc_9CB137:				; CODE XREF: PsWaitForAllProcesses()+5Dj
		push	edi
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		test	al, al
		jnz	short loc_9CB165
		cmp	edi, ds:_PsIdleProcess
		jz	short loc_9CB165
		test	byte ptr [edi+0FCh], 4
		jz	short loc_9CB165
		mov	ecx, edi
		call	_SmIsCompressionProcess@4 ; SmIsCompressionProcess(x)
		test	eax, eax
		jnz	short loc_9CB165
		cmp	[edi+18Ch], eax
		jnz	short loc_9CB179

loc_9CB165:				; CODE XREF: PsWaitForAllProcesses()+2Cj
					; PsWaitForAllProcesses()+34j ...
		mov	ecx, edi

loc_9CB167:				; CODE XREF: PsWaitForAllProcesses()+22j
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9CB137
		mov	al, 1

loc_9CB174:				; CODE XREF: PsWaitForAllProcesses()+CCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9CB179:				; CODE XREF: PsWaitForAllProcesses()+50j
		mov	edx, 65547350h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		mov	edx, 6E457350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		push	0
		push	0
		push	edi
		call	KeWaitForSingleObject
		mov	edx, 65547350h
		mov	ecx, edi
		mov	esi, eax
		call	ObfDereferenceObjectWithTag
		cmp	esi, 102h
		jnz	loc_9CB133
		mov	esi, [ebp+var_8]
		mov	eax, [ebp+var_4]
		shld	esi, ebx, 1
		inc	eax
		add	ebx, ebx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], esi
		cmp	eax, 0Dh
		jbe	loc_9CB133
		xor	al, al
		jmp	short loc_9CB174
_PsWaitForAllProcesses@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCatchCriticalBreak(x, x,	x, x, x)
_PspCatchCriticalBreak@20 proc near	; CODE XREF: PspExitThread+168624p
					; PspExitThread+168646p ...

var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[esp+38h+var_20], ecx
		lea	edi, [esp+38h+var_1C]
		push	6
		mov	[esp+3Ch+var_24], eax
		mov	esi, edx
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		pop	ecx
		rep stosd
		mov	ecx, edx
		mov	[esp+38h+var_28], edx
		xor	bl, bl
		call	PsGetServerSiloState
		cmp	eax, 2
		jl	short loc_9CB22D
		mov	bh, 1
		mov	bl, bh
		jmp	short loc_9CB288
; 

loc_9CB22D:				; CODE XREF: PspCatchCriticalBreak(x,x,x,x,x)+44j
		xor	bh, bh
		cmp	_KdDebuggerEnabled, bh
		jz	short loc_9CB28C
		push	[esp+38h+var_24]
		push	esi		; char
		push	[esp+40h+var_20] ; char	*
		push	0		; int
		push	0		; int
		call	_DbgPrintEx
		add	esp, 14h

loc_9CB24C:				; CODE XREF: PspCatchCriticalBreak(x,x,x,x,x)+A1j
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_9CB284
		push	2
		lea	eax, [esp+3Ch+var_2C]
		push	eax
		push	offset ??_C@_0BI@JHHLMHGI@Break?0?5or?5Ignore?5?$CIbi?$CJ?$DP?5@NNGAKEGL@
		call	_DbgPrompt@12	; DbgPrompt(x,x,x)
		mov	ax, word ptr [esp+38h+var_2C]
		cmp	al, 42h
		jz	short loc_9CB27D
		cmp	al, 49h
		jz	short loc_9CB27E
		cmp	al, 62h
		jz	short loc_9CB27D
		cmp	al, 69h
		jz	short loc_9CB27E
		jmp	short loc_9CB280
; 

loc_9CB27D:				; CODE XREF: PspCatchCriticalBreak(x,x,x,x,x)+8Cj
					; PspCatchCriticalBreak(x,x,x,x,x)+94j
		int	3		; Trap to Debugger

loc_9CB27E:				; CODE XREF: PspCatchCriticalBreak(x,x,x,x,x)+90j
					; PspCatchCriticalBreak(x,x,x,x,x)+98j
		mov	bl, 1

loc_9CB280:				; CODE XREF: PspCatchCriticalBreak(x,x,x,x,x)+9Aj
		test	bl, bl
		jz	short loc_9CB24C

loc_9CB284:				; CODE XREF: PspCatchCriticalBreak(x,x,x,x,x)+72j
		mov	edx, [esp+38h+var_28]

loc_9CB288:				; CODE XREF: PspCatchCriticalBreak(x,x,x,x,x)+4Aj
		test	bl, bl
		jnz	short loc_9CB2EB

loc_9CB28C:				; CODE XREF: PspCatchCriticalBreak(x,x,x,x,x)+54j
		mov	bl, [esi]
		and	bl, 7Fh
		cmp	bl, 6
		jnz	short loc_9CB29E
		mov	edi, [esi+150h]
		jmp	short loc_9CB2A0
; 

loc_9CB29E:				; CODE XREF: PspCatchCriticalBreak(x,x,x,x,x)+B3j
		mov	edi, esi

loc_9CB2A0:				; CODE XREF: PspCatchCriticalBreak(x,x,x,x,x)+BBj
		push	edx
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	short loc_9CB2DB
		mov	eax, large fs:124h
		cmp	edi, [eax+80h]
		jz	short loc_9CB2C3
		lea	eax, [esp+38h+var_1C]
		push	eax
		push	edi
		call	KeStackAttachProcess

loc_9CB2C3:				; CODE XREF: PspCatchCriticalBreak(x,x,x,x,x)+D5j
		xor	eax, eax
		cmp	bl, 6
		push	0
		push	0
		setz	al
		push	eax
		push	esi
		push	0EFh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9CB2DB:				; CODE XREF: PspCatchCriticalBreak(x,x,x,x,x)+C7j
		test	bh, bh
		jnz	short loc_9CB2EB
		push	[ebp+arg_8]
		push	[esp+50h+var_3C]
		call	_PsTerminateServerSilo@8 ; PsTerminateServerSilo(x,x)

loc_9CB2EB:				; CODE XREF: PspCatchCriticalBreak(x,x,x,x,x)+A9j
					; PspCatchCriticalBreak(x,x,x,x,x)+FCj
		mov	ecx, [esp+4Ch+var_18]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PspCatchCriticalBreak@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspFreezeProcessWorker(x, x)
_PspFreezeProcessWorker@8 proc near	; DATA XREF: PsShutdownSystem()+5Do

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	ecx, ecx
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	esi, [ebp+arg_0]
		test	dword ptr [esi+3A8h], 1000h
		jnz	short loc_9CB355
		cmp	esi, ds:_PsIdleProcess
		jz	short loc_9CB355
		cmp	esi, [eax+1F8h]
		jz	short loc_9CB355
		mov	ecx, esi
		call	_SmIsCompressionProcess@4 ; SmIsCompressionProcess(x)
		test	eax, eax
		jnz	short loc_9CB355
		call	_PsCaptureExceptionPort@4 ; PsCaptureExceptionPort(x)
		test	eax, eax
		jz	short loc_9CB346
		mov	ecx, eax
		call	ObfDereferenceObject

loc_9CB346:				; CODE XREF: PspFreezeProcessWorker(x,x)+3Ej
		test	byte ptr [esi+0FCh], 4
		jnz	short loc_9CB355
		push	esi
		call	PsSuspendProcess

loc_9CB355:				; CODE XREF: PspFreezeProcessWorker(x,x)+1Aj
					; PspFreezeProcessWorker(x,x)+22j ...
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	8
_PspFreezeProcessWorker@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspProcessRundownWorker(x)
_PspProcessRundownWorker@4 proc	near	; DATA XREF: PspInitPhase0+6A9o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	esi
		push	edi
		mov	edi, offset _PspRundownNeededCount

loc_9CB36B:				; CODE XREF: PspProcessRundownWorker(x)+80j
		xor	eax, eax
		inc	eax
		xchg	eax, [edi]
		xor	ecx, ecx
		jmp	short loc_9CB398
; 

loc_9CB374:				; CODE XREF: PspProcessRundownWorker(x)+45j
		lea	ecx, [esi+0F8h]
		lock btr dword ptr [ecx], 8
		jnb	short loc_9CB396
		xor	dl, dl
		mov	ecx, esi
		call	_PspRundownSingleProcess@8 ; PspRundownSingleProcess(x,x)
		mov	edx, 77537350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_9CB396:				; CODE XREF: PspProcessRundownWorker(x)+23j
		mov	ecx, esi

loc_9CB398:				; CODE XREF: PspProcessRundownWorker(x)+16j
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9CB374
		jmp	short loc_9CB3C7
; 

loc_9CB3A5:				; CODE XREF: PspProcessRundownWorker(x)+72j
		xor	esi, esi
		mov	eax, offset _PspRundownProcessCache
		xchg	esi, [eax]
		test	esi, esi
		jz	short loc_9CB3D0
		xor	dl, dl
		mov	ecx, esi
		call	_PspRundownSingleProcess@8 ; PspRundownSingleProcess(x,x)
		mov	edx, 77537350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_9CB3C7:				; CODE XREF: PspProcessRundownWorker(x)+47j
		cmp	ds:_PspRundownProcessCache, 0
		jnz	short loc_9CB3A5

loc_9CB3D0:				; CODE XREF: PspProcessRundownWorker(x)+54j
		xor	eax, eax
		xor	ecx, ecx
		inc	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 1
		jnz	short loc_9CB36B
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_PspProcessRundownWorker@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspWaitForUsermodeExit(x)
_PspWaitForUsermodeExit@4 proc near	; CODE XREF: PspShutdownCsrProcess(x,x,x)+1E6p
					; PspWaitOnAllProcessesJobCallback(x,x)+50p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx

loc_9CB3EF:				; CODE XREF: PspWaitForUsermodeExit(x)+59j
		push	ebx
		jmp	short loc_9CB401
; 

loc_9CB3F2:				; CODE XREF: PspWaitForUsermodeExit(x)+25j
		test	dword ptr [esi+58h], 400h
		jnz	short loc_9CB400
		cmp	[esi+4], bl
		jz	short loc_9CB411

loc_9CB400:				; CODE XREF: PspWaitForUsermodeExit(x)+13j
		push	esi

loc_9CB401:				; CODE XREF: PspWaitForUsermodeExit(x)+Aj
		push	edi
		call	_PsGetNextProcessThread@8 ; PsGetNextProcessThread(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9CB3F2
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_9CB411:				; CODE XREF: PspWaitForUsermodeExit(x)+18j
		mov	edx, 65547350h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	edx, 6E457350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	esi
		call	KeWaitForSingleObject
		mov	edx, 65547350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		jmp	short loc_9CB3EF
_PspWaitForUsermodeExit@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetContextThread(x, x)
_NtSetContextThread@8 proc near		; DATA XREF: .text:00580D04o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_1C]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, large fs:124h
		and	[ebp+var_1C], 0
		push	0
		push	edx
		mov	al, [edi+15Ah]
		mov	byte ptr [ebp+var_18], al
		push	[ebp+var_18]
		mov	eax, ds:_PsThreadType
		push	eax
		push	10h
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9CB4E8
		push	edi
		call	_IoThreadToProcess@4 ; IoThreadToProcess(x)
		mov	edi, [ebp+var_1C]
		mov	esi, eax
		test	dword ptr [esi+0F8h], 20000h
		jz	short loc_9CB4B5
		push	edi
		call	_IoThreadToProcess@4 ; IoThreadToProcess(x)
		cmp	esi, eax
		jnz	short loc_9CB4B5
		mov	esi, 0C000060Ah
		jmp	short loc_9CB4E1
; 

loc_9CB4B5:				; CODE XREF: NtSetContextThread(x,x)+61j
					; NtSetContextThread(x,x)+6Bj
		test	dword ptr [edi+58h], 400h
		jnz	short loc_9CB4DC
		cmp	dword ptr [edi+37Ch], 0
		jnz	short loc_9CB4DC
		push	1
		push	[ebp+var_18]
		mov	edx, ebx
		mov	ecx, edi
		push	[ebp+var_18]
		call	PspSetContextThreadInternal
		mov	esi, eax
		jmp	short loc_9CB4E1
; 

loc_9CB4DC:				; CODE XREF: NtSetContextThread(x,x)+7Bj
					; NtSetContextThread(x,x)+84j
		mov	esi, 0C0000008h

loc_9CB4E1:				; CODE XREF: NtSetContextThread(x,x)+72j
					; NtSetContextThread(x,x)+99j
		mov	ecx, edi
		call	ObfDereferenceObject

loc_9CB4E8:				; CODE XREF: NtSetContextThread(x,x)+4Aj
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ecx
		push	eax
		push	1
		push	ecx
		push	offset _KERNEL_AUDIT_API_SETCONTEXTTHREAD
		push	dword_6BC5D4
		mov	[ebp+var_C], 4
		push	_EtwApiCallsProvRegHandle
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_NtSetContextThread@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1896. PsSetContextThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetContextThread(x, x, x)
		public _PsSetContextThread@12
_PsSetContextThread@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1
		push	[ebp+arg_8]
		push	[ebp+arg_8]
		call	PspSetContextThreadInternal
		pop	ebp
		retn	0Ch
_PsSetContextThread@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspUserApcReserveKernelRoutine(x, x, x, x, x)
_PspUserApcReserveKernelRoutine@20 proc	near
					; DATA XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+CAo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		add	ecx, 0FFFFFFFCh
		mov	dword ptr [ecx], 0
		call	ObfDereferenceObject
		pop	ebp
		retn	14h
_PspUserApcReserveKernelRoutine@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspUserApcReserveRundownRoutine(x)
_PspUserApcReserveRundownRoutine@4 proc	near
					; DATA XREF: NtQueueApcThreadEx2(x,x,x,x,x,x,x)+CFo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		add	ecx, 0FFFFFFFCh
		mov	dword ptr [ecx], 0
		call	ObfDereferenceObject
		pop	ebp
		retn	4
_PspUserApcReserveRundownRoutine@4 endp


;  S U B	R O U T	I N E 


; __stdcall PsIsSiloStartedAndNotTerminated(x)
_PsIsSiloStartedAndNotTerminated@4 proc	near ; CODE XREF: PsStartSiloMonitor+89163p
					; PsStartSiloMonitor+8919Ap ...
		call	_PspGetServerSiloStatePointer@4	; PspGetServerSiloStatePointer(x)
		mov	ecx, [eax]
		xor	eax, eax
		inc	eax
		cmp	ecx, eax
		jz	short locret_9CB59F
		cmp	ecx, 2
		jz	short locret_9CB59F
		cmp	ecx, 3
		jz	short locret_9CB59F
		xor	al, al

locret_9CB59F:				; CODE XREF: PsIsSiloStartedAndNotTerminated(x)+Cj
					; PsIsSiloStartedAndNotTerminated(x)+11j ...
		retn
_PsIsSiloStartedAndNotTerminated@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1925. PsUnregisterSiloMonitor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsUnregisterSiloMonitor(x)
		public _PsUnregisterSiloMonitor@4
_PsUnregisterSiloMonitor@4 proc	near

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+28h+var_1C]
		rep stosd
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PspSiloMonitorLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi]
		xor	ebx, ebx
		test	eax, eax
		jnz	short loc_9CB5F5
		cmp	[esi+4], ebx
		jz	short loc_9CB66C

loc_9CB5F5:				; CODE XREF: PsUnregisterSiloMonitor(x)+49j
		cmp	[esi+14h], ebx
		jz	short loc_9CB64E
		mov	ecx, ds:_PsInitialSystemProcess
		lea	eax, [esp+28h+var_1C]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		xor	ecx, ecx
		jmp	short loc_9CB621
; 

loc_9CB610:				; CODE XREF: PsUnregisterSiloMonitor(x)+87j
		mov	ecx, edi
		call	_PsIsSiloStartedAndNotTerminated@4 ; PsIsSiloStartedAndNotTerminated(x)
		test	al, al
		jz	short loc_9CB61F
		push	edi		; struct _exception *
		call	dword ptr [esi+14h]

loc_9CB61F:				; CODE XREF: PsUnregisterSiloMonitor(x)+74j
		mov	ecx, edi

loc_9CB621:				; CODE XREF: PsUnregisterSiloMonitor(x)+69j
		mov	dl, 1
		call	_PspGetNextSilo@8 ; PspGetNextSilo(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9CB610
		cmp	[esi+8], bl
		jz	short loc_9CB63C
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		push	eax
		call	dword ptr [esi+14h]

loc_9CB63C:				; CODE XREF: PsUnregisterSiloMonitor(x)+8Cj
		xor	edx, edx
		lea	ecx, [esp+30h+var_24]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	eax, [esi]
		mov	edi, offset _PspSiloMonitorLock

loc_9CB64E:				; CODE XREF: PsUnregisterSiloMonitor(x)+53j
		cmp	[eax+4], esi
		jnz	loc_9CB6FE
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_9CB6FE
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	[esi], ebx
		mov	[esi+4], ebx

loc_9CB66C:				; CODE XREF: PsUnregisterSiloMonitor(x)+4Ej
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9CB680
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9CB680:				; CODE XREF: PsUnregisterSiloMonitor(x)+D2j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[esi+8], bl
		jz	short loc_9CB6D7
		mov	ecx, ds:_PsInitialSystemProcess
		lea	eax, [esp+30h+var_24]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		push	ebx
		push	1
		call	_PspGetHostSiloStorage@0 ; PspGetHostSiloStorage()
		mov	edx, [esi+0Ch]
		mov	ecx, eax
		call	_PspStorageRemoveObject@16 ; PspStorageRemoveObject(x,x,x,x)
		xor	edx, edx
		lea	ecx, [esp+30h+var_24]
		mov	edi, eax
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		test	edi, edi
		jz	short loc_9CB6D7
		cmp	edi, 0C0000225h
		jz	short loc_9CB6D7
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9CB6D7:				; CODE XREF: PsUnregisterSiloMonitor(x)+F1j
					; PsUnregisterSiloMonitor(x)+126j ...
		mov	ecx, [esi+0Ch]
		call	_PspStorageFreeSlot@4 ;	PspStorageFreeSlot(x)
		push	4D6C6953h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esp+30h+var_C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_9CB6FE:				; CODE XREF: PsUnregisterSiloMonitor(x)+ACj
					; PsUnregisterSiloMonitor(x)+B7j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PsUnregisterSiloMonitor@4 endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall PspInvokeTerminateCallback(x, x)
_PspInvokeTerminateCallback@8 proc near	; CODE XREF: PsStartSiloMonitor+8918Ep
					; PsStartSiloMonitor+891FAp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		push	0
		mov	edx, ebx
		lea	esi, [edi+18h]
		push	esi
		push	2
		pop	ecx
		call	EtwTraceJobServerSiloMonitorCallback
		push	ebx
		call	dword ptr [edi+14h]
		push	0
		push	esi
		push	3
		mov	edx, ebx
		pop	ecx
		call	EtwTraceJobServerSiloMonitorCallback
		pop	edi
		pop	esi
		pop	ebx
		retn
_PspInvokeTerminateCallback@8 endp


;  S U B	R O U T	I N E 


; __stdcall PspMarkServerSiloAsTerminating(x)
_PspMarkServerSiloAsTerminating@4 proc near
					; CODE XREF: PspTerminateProcessesJobCallback+126359p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	_PspGetServerSiloStatePointer@4	; PspGetServerSiloStatePointer(x)
		mov	edx, large fs:124h
		mov	edi, eax
		dec	word ptr [edx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PspSiloMonitorLock
		call	ExAcquirePushLockSharedEx
		mov	edx, [edi]
		push	3
		pop	ebx
		cmp	edx, ebx
		jge	short loc_9CB775

loc_9CB763:				; CODE XREF: PspMarkServerSiloAsTerminating(x)+42j
		mov	ecx, ebx
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_9CB7AA
		mov	edx, eax
		cmp	eax, ebx
		jl	short loc_9CB763

loc_9CB775:				; CODE XREF: PspMarkServerSiloAsTerminating(x)+30j
		xor	bl, bl

loc_9CB777:				; CODE XREF: PspMarkServerSiloAsTerminating(x)+84j
		push	11h
		xor	edx, edx
		mov	esi, offset _PspSiloMonitorLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_9CB791
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9CB791:				; CODE XREF: PspMarkServerSiloAsTerminating(x)+57j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		retn
; 

loc_9CB7AA:				; CODE XREF: PspMarkServerSiloAsTerminating(x)+3Cj
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwTraceJobServerSiloStateChange@8 ; EtwTraceJobServerSiloStateChange(x,x)
		mov	bl, 1
		jmp	short loc_9CB777
_PspMarkServerSiloAsTerminating@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspNotifyServerSiloCreation(x)
_PspNotifyServerSiloCreation@4 proc near ; CODE	XREF: PspInitializeServerSiloDeferred(x)+B6p

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, ecx
		mov	[ebp+var_1], bl
		call	_PspGetServerSiloStatePointer@4	; PspGetServerSiloStatePointer(x)
		mov	edx, large fs:124h
		mov	esi, eax
		mov	[ebp+var_8], esi
		dec	word ptr [edx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PspSiloMonitorLock
		call	ExAcquirePushLockSharedEx
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_9CB7F8
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9CB7F8:				; CODE XREF: PspNotifyServerSiloCreation(x)+3Aj
		mov	esi, _PspSiloMonitorList
		sub	esi, offset _PspSiloMonitorList
		neg	esi
		sbb	esi, esi
		and	esi, _PspSiloMonitorList
		jz	short loc_9CB849

loc_9CB810:				; CODE XREF: PspNotifyServerSiloCreation(x)+85j
		cmp	[esi+10h], ebx
		jz	short loc_9CB829
		mov	edx, esi
		mov	ecx, edi
		call	_PspInvokeCreateCallback@8 ; PspInvokeCreateCallback(x,x)
		test	eax, eax
		jns	short loc_9CB829
		mov	cl, 1
		mov	[ebp+var_1], cl
		jmp	short loc_9CB82C
; 

loc_9CB829:				; CODE XREF: PspNotifyServerSiloCreation(x)+5Cj
					; PspNotifyServerSiloCreation(x)+69j
		mov	cl, [ebp+var_1]

loc_9CB82C:				; CODE XREF: PspNotifyServerSiloCreation(x)+70j
		mov	eax, [esi]
		mov	esi, eax
		sub	esi, offset _PspSiloMonitorList
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jnz	short loc_9CB810
		test	cl, cl
		jz	short loc_9CB849
		mov	ebx, 0C0000240h
		jmp	short loc_9CB85C
; 

loc_9CB849:				; CODE XREF: PspNotifyServerSiloCreation(x)+57j
					; PspNotifyServerSiloCreation(x)+89j
		mov	eax, [ebp+var_8]
		xor	edx, edx
		inc	edx
		mov	ecx, edi
		mov	dword ptr [eax], 1
		call	_EtwTraceJobServerSiloStateChange@8 ; EtwTraceJobServerSiloStateChange(x,x)

loc_9CB85C:				; CODE XREF: PspNotifyServerSiloCreation(x)+90j
		push	11h
		xor	edx, edx
		mov	esi, offset _PspSiloMonitorLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_9CB876
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9CB876:				; CODE XREF: PspNotifyServerSiloCreation(x)+B6j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_PspNotifyServerSiloCreation@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspNotifyServerSiloTermination(x)
_PspNotifyServerSiloTermination@4 proc near
					; CODE XREF: PspCompleteServerSiloShutdownDeferred(x)+52p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	_PspGetServerSiloStatePointer@4	; PspGetServerSiloStatePointer(x)
		mov	edx, large fs:124h
		mov	ebx, eax
		dec	word ptr [edx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PspSiloMonitorLock
		call	ExAcquirePushLockSharedEx
		mov	eax, [ebx]
		cmp	eax, 3
		jz	short loc_9CB8C5
		push	5
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9CB8C5:				; CODE XREF: PspNotifyServerSiloTermination(x)+2Ej
		mov	esi, _PspSiloMonitorList
		sub	esi, offset _PspSiloMonitorList
		neg	esi
		sbb	esi, esi
		and	esi, _PspSiloMonitorList
		jz	short loc_9CB8FE

loc_9CB8DD:				; CODE XREF: PspNotifyServerSiloTermination(x)+6Cj
		cmp	dword ptr [esi+14h], 0
		jz	short loc_9CB8EC
		mov	edx, esi
		mov	ecx, edi
		call	_PspInvokeTerminateCallback@8 ;	PspInvokeTerminateCallback(x,x)

loc_9CB8EC:				; CODE XREF: PspNotifyServerSiloTermination(x)+51j
		mov	eax, [esi]
		mov	esi, eax
		sub	esi, offset _PspSiloMonitorList
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jnz	short loc_9CB8DD

loc_9CB8FE:				; CODE XREF: PspNotifyServerSiloTermination(x)+4Bj
		push	4
		pop	edx
		mov	ecx, edi
		mov	[ebx], edx
		call	_EtwTraceJobServerSiloStateChange@8 ; EtwTraceJobServerSiloStateChange(x,x)
		push	11h
		xor	edx, edx
		mov	esi, offset _PspSiloMonitorLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_9CB924
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9CB924:				; CODE XREF: PspNotifyServerSiloTermination(x)+8Bj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
_PspNotifyServerSiloTermination@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall PsPicoSystemCallDispatch(x)
@PsPicoSystemCallDispatch@4 proc near	; CODE XREF: Dr_kass_a+3F0p
					; PsPicoAltSystemCallDispatch(x)p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		lea	eax, [ebp+var_4]
		mov	esi, ecx
		push	eax
		mov	[ebp+var_4], esi
		call	dword_6BEDE4
		mov	eax, [esi+40h]
		pop	esi
		leave
		retn
@PsPicoSystemCallDispatch@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsPicoWalkUserStack(x, x)
_PsPicoWalkUserStack@8 proc near	; CODE XREF: EtwpTraceStackWalk(x,x,x,x)+139p

var_90		= dword	ptr -90h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 90h
		push	ebx
		push	esi
		mov	[ebp+var_4], ecx
		mov	ebx, edx
		mov	ecx, large fs:124h
		call	_PsGetBaseTrapFrame@8 ;	PsGetBaseTrapFrame(x,x)
		cmp	dword_6BEDF8, 0
		mov	esi, eax
		jnz	short loc_9CB983
		xor	eax, eax
		jmp	short loc_9CB9BB
; 

loc_9CB983:				; CODE XREF: PsPicoWalkUserStack(x,x)+27j
		mov	eax, large fs:124h
		push	edi
		dec	word ptr [eax+13Eh]
		nop
		push	23h
		pop	ecx
		lea	edi, [ebp+var_90]
		rep movsd
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		push	ebx
		push	[ebp+var_4]
		lea	eax, [ebp+var_90]
		push	eax
		call	dword_6BEDF8
		pop	edi

loc_9CB9BB:				; CODE XREF: PsPicoWalkUserStack(x,x)+2Bj
		pop	esi
		pop	ebx
		leave
		retn
_PsPicoWalkUserStack@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1879. PsRegisterAltSystemCallHandler

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsRegisterAltSystemCallHandler(x, x)
		public _PsRegisterAltSystemCallHandler@8
_PsRegisterAltSystemCallHandler@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		test	ebx, ebx
		jz	loc_9CBA58
		mov	edi, [ebp+arg_4]
		cmp	edi, 2
		jnb	short loc_9CBA58
		test	edi, edi
		jnz	short loc_9CB9F4
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		push	3

loc_9CB9EA:				; CODE XREF: PsRegisterAltSystemCallHandler(x,x)+71j
					; PsRegisterAltSystemCallHandler(x,x)+9Bj
		push	1E0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9CB9F4:				; CODE XREF: PsRegisterAltSystemCallHandler(x,x)+1Dj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _PsAltSystemCallRegistrationLock
		call	ExAcquirePushLockExclusiveEx
		xor	esi, esi
		xor	edx, edx
		mov	ecx, offset _PsAltSystemCallRegistrationLock
		cmp	ds:_PsAltSystemCallHandlers[edi*4], esi
		jz	short loc_9CBA37
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	esi
		push	esi
		push	ds:_PsAltSystemCallHandlers[edi*4]
		push	1
		jmp	short loc_9CB9EA
; 

loc_9CBA37:				; CODE XREF: PsRegisterAltSystemCallHandler(x,x)+5Aj
		mov	ds:_PsAltSystemCallHandlers[edi*4], ebx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	8
; 

loc_9CBA58:				; CODE XREF: PsRegisterAltSystemCallHandler(x,x)+Dj
					; PsRegisterAltSystemCallHandler(x,x)+19j
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		push	2
		jmp	short loc_9CB9EA
_PsRegisterAltSystemCallHandler@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1880. PsRegisterPicoProvider

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsRegisterPicoProvider(x, x)
		public _PsRegisterPicoProvider@8
_PsRegisterPicoProvider@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	30h
		pop	edx
		cmp	[esi], edx
		jz	short loc_9CBA80

loc_9CBA76:				; CODE XREF: PsRegisterPicoProvider(x,x)+1Fj
		mov	eax, 0C0000004h
		jmp	loc_9CBB0A
; 

loc_9CBA80:				; CODE XREF: PsRegisterPicoProvider(x,x)+Ej
		mov	eax, [ebp+arg_4]
		cmp	[eax], edx
		jnz	short loc_9CBA76
		mov	ecx, 0FFE00000h
		test	[esi+24h], ecx
		jz	short loc_9CBA98

loc_9CBA91:				; CODE XREF: PsRegisterPicoProvider(x,x)+35j
		mov	eax, 0C000000Dh
		jmp	short loc_9CBB0A
; 

loc_9CBA98:				; CODE XREF: PsRegisterPicoProvider(x,x)+29j
		test	[esi+28h], ecx
		jnz	short loc_9CBA91
		cmp	_PspPicoRegistrationDisabled, 0
		jz	short loc_9CBAAD
		mov	eax, 0C0000189h
		jmp	short loc_9CBB0A
; 

loc_9CBAAD:				; CODE XREF: PsRegisterPicoProvider(x,x)+3Ej
		push	edi
		push	0Ch
		pop	ecx
		mov	edi, offset _PspPicoProviderRoutines
		rep movsd
		mov	[eax], edx
		mov	dword ptr [eax+4], offset _PspCreatePicoProcess@12 ; PspCreatePicoProcess(x,x,x)
		mov	dword ptr [eax+8], offset _PspCreatePicoThread@12 ; PspCreatePicoThread(x,x,x)
		mov	dword ptr [eax+0Ch], offset _PspGetPicoProcessContext@4	; PspGetPicoProcessContext(x)
		mov	dword ptr [eax+10h], offset _PspGetPicoThreadContext@4 ; PspGetPicoThreadContext(x)
		mov	dword ptr [eax+14h], offset _PspPicoGetContextThreadEx@20 ; PspPicoGetContextThreadEx(x,x,x,x,x)
		mov	dword ptr [eax+18h], offset _PspPicoSetContextThreadEx@20 ; PspPicoSetContextThreadEx(x,x,x,x,x)
		mov	dword ptr [eax+1Ch], offset PspTerminateThreadByPointer
		mov	dword ptr [eax+20h], offset PsResumeThread
		mov	dword ptr [eax+24h], offset _PspSetPicoThreadDescriptorBase@8 ;	PspSetPicoThreadDescriptorBase(x,x)
		mov	dword ptr [eax+28h], offset PsSuspendThread
		mov	dword ptr [eax+2Ch], offset _PspTerminatePicoProcess@8 ; PspTerminatePicoProcess(x,x)
		xor	eax, eax
		pop	edi

loc_9CBB0A:				; CODE XREF: PsRegisterPicoProvider(x,x)+15j
					; PsRegisterPicoProvider(x,x)+30j ...
		pop	esi
		pop	ebp
		retn	8
_PsRegisterPicoProvider@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCreatePicoProcess(x, x, x)
_PspCreatePicoProcess@12 proc near	; DATA XREF: PsRegisterPicoProvider(x,x)+54o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, large fs:124h
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	ebx, [ecx+0Ch]
		mov	[esp+28h+var_8], eax
		mov	[esp+28h+var_14], edx
		mov	[esp+28h+var_18], edx
		mov	[esp+28h+var_10], edx
		mov	[esp+28h+var_C], edx
		test	ebx, 0FFFFFFF0h
		jz	short loc_9CBB51

loc_9CBB47:				; CODE XREF: PspCreatePicoProcess(x,x,x)+4Ej
					; PspCreatePicoProcess(x,x,x)+53j
		mov	esi, 0C000000Dh
		jmp	loc_9CBCCF
; 

loc_9CBB51:				; CODE XREF: PspCreatePicoProcess(x,x,x)+36j
		mov	edi, ebx
		and	edi, 1
		test	bl, 6
		jz	short loc_9CBB5F
		test	edi, edi
		jz	short loc_9CBB47

loc_9CBB5F:				; CODE XREF: PspCreatePicoProcess(x,x,x)+4Aj
		cmp	[ecx+8], edx
		jz	short loc_9CBB47
		mov	eax, ds:_PsProcessType
		mov	ecx, [ecx]
		push	edx
		push	edx
		lea	edx, [esp+30h+var_18]
		push	edx
		push	72437350h
		push	0
		push	eax
		mov	edx, 80h
		call	ObpReferenceObjectByHandleWithTag
		mov	esi, eax
		test	esi, esi
		js	loc_9CBCCF
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_9CBBC1
		push	0
		lea	ecx, [esp+2Ch+var_14]
		push	ecx
		push	72437350h
		push	0
		push	ds:_SeTokenObjectType
		push	9
		push	eax
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9CBCBA
		mov	ecx, [ebp+arg_0]

loc_9CBBC1:				; CODE XREF: PspCreatePicoProcess(x,x,x)+87j
		xor	eax, eax
		test	edi, edi
		jz	short loc_9CBBDD
		mov	eax, ebx
		and	eax, 2
		or	eax, 1000h
		add	eax, eax
		test	bl, 4
		jz	short loc_9CBBDD
		or	eax, 4000h

loc_9CBBDD:				; CODE XREF: PspCreatePicoProcess(x,x,x)+B6j
					; PspCreatePicoProcess(x,x,x)+C7j
		test	bl, 8
		jz	short loc_9CBBE5
		or	eax, 1

loc_9CBBE5:				; CODE XREF: PspCreatePicoProcess(x,x,x)+D1j
		mov	edx, [ebp+arg_4]
		xor	esi, esi
		xor	edi, edi
		test	edx, edx
		jz	short loc_9CBBF6
		mov	esi, [edx+4]
		mov	edi, [edx+8]

loc_9CBBF6:				; CODE XREF: PspCreatePicoProcess(x,x,x)+DFj
		mov	ebx, [esp+28h+var_14]
		lea	edx, [esp+28h+var_10]
		push	edx
		push	0
		push	dword ptr [ecx+8]
		mov	ecx, [esp+34h+var_18]
		mov	edx, esi
		push	2
		push	eax
		push	ebx
		mov	byte ptr [esp+40h+var_4], 0
		push	[esp+40h+var_4]
		push	edi
		call	PsCreateMinimalProcess
		mov	edi, [esp+28h+var_10]
		mov	esi, eax
		test	esi, esi
		js	short loc_9CBCA0
		mov	eax, ds:_PsProcessType
		lea	ecx, [esp+28h+var_C]
		xor	edx, edx
		push	edx
		push	edx
		push	ecx
		push	72437350h
		push	edx
		push	eax
		mov	edx, 80h
		mov	ecx, edi
		call	ObpReferenceObjectByHandleWithTag
		mov	esi, eax
		test	esi, esi
		js	short loc_9CBCA0
		mov	ebx, [esp+28h+var_C]
		mov	ecx, ebx
		mov	edx, [esp+28h+var_8]
		call	_PspLockProcessExclusive@8 ; PspLockProcessExclusive(x,x)
		test	byte ptr [ebx+0FCh], 8
		jnz	short loc_9CBC7A
		lea	eax, [ebx+0F8h]
		lock bts dword ptr [eax], 0Ah
		mov	eax, [ebp+arg_8]
		mov	[eax], edi
		xor	edi, edi
		jmp	short loc_9CBC7F
; 

loc_9CBC7A:				; CODE XREF: PspCreatePicoProcess(x,x,x)+155j
		mov	esi, 0C000010Ah

loc_9CBC7F:				; CODE XREF: PspCreatePicoProcess(x,x,x)+169j
		mov	edx, [esp+28h+var_8]
		mov	ecx, ebx
		call	PspUnlockProcessExclusive
		test	esi, esi
		js	short loc_9CBC90
		xor	esi, esi

loc_9CBC90:				; CODE XREF: PspCreatePicoProcess(x,x,x)+17Dj
		mov	edx, 72437350h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag
		mov	ebx, [esp+28h+var_14]

loc_9CBCA0:				; CODE XREF: PspCreatePicoProcess(x,x,x)+116j
					; PspCreatePicoProcess(x,x,x)+13Dj
		test	edi, edi
		jz	short loc_9CBCAA
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_9CBCAA:				; CODE XREF: PspCreatePicoProcess(x,x,x)+193j
		test	ebx, ebx
		jz	short loc_9CBCBA
		mov	edx, 72437350h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_9CBCBA:				; CODE XREF: PspCreatePicoProcess(x,x,x)+A9j
					; PspCreatePicoProcess(x,x,x)+19Dj
		cmp	[esp+28h+var_18], 0
		jz	short loc_9CBCCF
		mov	ecx, [esp+28h+var_18]
		mov	edx, 72437350h
		call	ObfDereferenceObjectWithTag

loc_9CBCCF:				; CODE XREF: PspCreatePicoProcess(x,x,x)+3Dj
					; PspCreatePicoProcess(x,x,x)+79j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PspCreatePicoProcess@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspCreatePicoThread(x, x, x)
_PspCreatePicoThread@12	proc near	; DATA XREF: PsRegisterPicoProvider(x,x)+5Bo

var_594		= dword	ptr -594h
var_590		= dword	ptr -590h
var_58C		= dword	ptr -58Ch
var_588		= dword	ptr -588h
var_584		= dword	ptr -584h
var_580		= dword	ptr -580h
var_57C		= dword	ptr -57Ch
var_578		= dword	ptr -578h
var_574		= dword	ptr -574h
var_570		= dword	ptr -570h
var_56C		= dword	ptr -56Ch
var_568		= dword	ptr -568h
var_454		= dword	ptr -454h
var_420		= dword	ptr -420h
var_394		= dword	ptr -394h
var_390		= dword	ptr -390h
var_384		= dword	ptr -384h
var_380		= dword	ptr -380h
var_378		= dword	ptr -378h
var_374		= dword	ptr -374h
var_36C		= dword	ptr -36Ch
var_35C		= dword	ptr -35Ch
var_150		= dword	ptr -150h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 594h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+594h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	[esp+5A0h+var_57C], eax
		xor	esi, esi
		mov	eax, [ebp+arg_8]
		push	148h		; size_t
		mov	[esp+5A4h+var_578], eax
		lea	eax, [esp+5A4h+var_568]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+5A0h+var_588], esi
		lea	eax, [esp+5A0h+var_150]
		mov	[esp+5A0h+var_580], esi
		push	144h		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	ecx, large fs:124h
		lea	edi, [esp+5ACh+var_574]
		xor	eax, eax
		mov	[esp+5ACh+var_594], esi
		stosd
		add	esp, 0Ch
		mov	[esp+5A0h+var_58C], esi
		mov	[esp+5A0h+var_584], ecx
		stosd
		stosd
		mov	eax, esi
		mov	[esp+5A0h+var_590], eax
		cmp	[ebx+3Ch], esi
		jnz	short loc_9CBD72
		mov	esi, [esp+5A0h+var_58C]
		mov	edi, 0C000000Dh
		jmp	loc_9CBF55
; 

loc_9CBD72:				; CODE XREF: PspCreatePicoThread(x,x,x)+88j
		mov	eax, ds:_PsProcessType
		lea	edx, [esp+5A0h+var_58C]
		mov	ecx, [ebx]
		push	esi
		push	esi
		push	edx
		push	72437350h
		push	esi
		push	eax
		push	2
		pop	edx
		call	ObpReferenceObjectByHandleWithTag
		mov	edi, eax
		test	edi, edi
		js	loc_9CBF2C
		mov	esi, [esp+5A0h+var_58C]
		xor	edi, edi
		cmp	[esi+3D4h], edi
		jnz	short loc_9CBDB1
		mov	edi, 0C0000008h
		jmp	loc_9CBF2C
; 

loc_9CBDB1:				; CODE XREF: PspCreatePicoThread(x,x,x)+CBj
		mov	eax, [esp+5A0h+var_584]
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+0F0h]
		mov	[esp+5A0h+var_590], 1
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_9CBDDE
		mov	edi, 0C000010Ah
		jmp	loc_9CBF2C
; 

loc_9CBDDE:				; CODE XREF: PspCreatePicoThread(x,x,x)+F8j
		mov	edx, 72437350h
		mov	[esp+5A0h+var_590], 3
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		push	2CCh		; size_t
		lea	eax, [esp+5A4h+var_420]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esp+5A0h+var_420]
		xor	edx, edx
		push	dword ptr [ebx+10h]
		push	dword ptr [ebx+0Ch]
		push	dword ptr [ebx+8]
		call	_PspCreateUserContext@20 ; PspCreateUserContext(x,x,x,x,x)
		mov	eax, [ebx+4]
		mov	[esp+5A0h+var_35C], eax
		movzx	eax, word ptr [ebx+1Ch]
		mov	[esp+5A0h+var_390], eax
		movzx	eax, word ptr [ebx+1Eh]
		mov	[esp+5A0h+var_394], eax
		mov	eax, [ebx+14h]
		mov	[esp+5A0h+var_570], eax
		mov	eax, [ebx+18h]
		mov	[esp+5A0h+var_56C], eax
		mov	eax, [ebx+28h]
		mov	[esp+5A0h+var_374], eax
		mov	eax, [ebx+2Ch]
		mov	[esp+5A0h+var_378], eax
		mov	eax, [ebx+30h]
		mov	[esp+5A0h+var_384], eax
		mov	eax, [ebx+34h]
		mov	[esp+5A0h+var_380], eax
		mov	eax, [ebx+38h]
		mov	[esp+5A0h+var_36C], eax
		lea	eax, [esp+5A0h+var_150]
		push	eax
		push	edi
		lea	eax, [esp+5A8h+var_594]
		mov	[esp+5A8h+var_588], 1
		push	eax
		lea	eax, [esp+5ACh+var_588]
		mov	[esp+5ACh+var_574], edi
		push	eax
		push	edi
		push	edi
		lea	eax, [esp+5B8h+var_574]
		push	eax
		mov	eax, ecx
		mov	ecx, esi
		push	eax
		push	edi
		push	edi
		call	PspAllocateThread
		mov	edi, eax
		test	edi, edi
		jns	short loc_9CBEC1
		and	[esp+5A0h+var_594], 0
		jmp	loc_9CBF42
; 

loc_9CBEC1:				; CODE XREF: PspCreatePicoThread(x,x,x)+1DBj
		mov	eax, [esp+5A0h+var_57C]
		xor	edx, edx
		test	eax, eax
		jz	short loc_9CBED6
		mov	[esp+5A0h+var_454], eax
		lea	edx, [esp+5A0h+var_568]

loc_9CBED6:				; CODE XREF: PspCreatePicoThread(x,x,x)+1EFj
		mov	eax, [esp+5A0h+var_594]
		mov	ecx, [ebx+3Ch]
		xor	ebx, ebx
		push	ebx
		mov	[eax+37Ch], ecx
		lea	eax, [esp+5A4h+var_580]
		mov	ecx, [esp+5A4h+var_594]
		push	eax
		lea	eax, [esp+5A8h+var_150]
		push	eax
		push	ebx
		push	edx
		push	ebx
		push	1FFFFFh
		lea	eax, [esp+5BCh+var_588]
		mov	edx, esi
		push	eax
		push	ebx
		call	_PspInsertThread@44 ; PspInsertThread(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9CBF2C
		mov	eax, [esp+5A0h+var_594]
		add	eax, 2FCh
		lock bts dword ptr [eax], 14h
		mov	ecx, [esp+5A0h+var_578]
		mov	edi, ebx
		mov	eax, [esp+5A0h+var_580]
		mov	[ecx], eax

loc_9CBF2C:				; CODE XREF: PspCreatePicoThread(x,x,x)+B9j
					; PspCreatePicoThread(x,x,x)+D2j ...
		mov	ecx, [esp+5A0h+var_594]
		test	ecx, ecx
		jz	short loc_9CBF39
		call	ObfDereferenceObject

loc_9CBF39:				; CODE XREF: PspCreatePicoThread(x,x,x)+258j
		mov	eax, [esp+5A0h+var_590]
		cmp	eax, 2
		jb	short loc_9CBF51

loc_9CBF42:				; CODE XREF: PspCreatePicoThread(x,x,x)+1E2j
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	eax, [esp+5A0h+var_590]

loc_9CBF51:				; CODE XREF: PspCreatePicoThread(x,x,x)+266j
		mov	ecx, [esp+5A0h+var_584]

loc_9CBF55:				; CODE XREF: PspCreatePicoThread(x,x,x)+93j
		test	al, 1
		jz	short loc_9CBF5E
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)

loc_9CBF5E:				; CODE XREF: PspCreatePicoThread(x,x,x)+27Dj
		test	esi, esi
		jz	short loc_9CBF6E
		mov	edx, 72437350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_9CBF6E:				; CODE XREF: PspCreatePicoThread(x,x,x)+286j
		mov	ecx, [esp+5A0h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PspCreatePicoThread@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspPicoGetContextThreadEx(x, x, x, x, x)
_PspPicoGetContextThreadEx@20 proc near	; DATA XREF: PsRegisterPicoProvider(x,x)+70o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		cmp	[ebp+arg_10], al
		mov	ecx, [ebp+arg_0]
		setnz	al
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	PspGetContextThreadInternal
		pop	ebp
		retn	14h
_PspPicoGetContextThreadEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspPicoSetContextThreadEx(x, x, x, x, x)
_PspPicoSetContextThreadEx@20 proc near	; DATA XREF: PsRegisterPicoProvider(x,x)+77o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		cmp	[ebp+arg_10], al
		mov	ecx, [ebp+arg_0]
		setnz	al
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	PspSetContextThreadInternal
		pop	ebp
		retn	14h
_PspPicoSetContextThreadEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspTerminatePicoProcess(x, x)
_PspTerminatePicoProcess@8 proc	near	; DATA XREF: PsRegisterPicoProvider(x,x)+9Ao

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, large fs:124h
		dec	word ptr [edi+13Ch]
		nop
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		push	8
		push	[ebp+arg_4]
		call	PspTerminateProcess
		mov	ecx, edi
		mov	esi, eax
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_PspTerminatePicoProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAlertResumeThread(x, x)
_NtAlertResumeThread@8 proc near	; DATA XREF: .text:00581270o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	18h
		push	offset dword_6A8FF0
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_1C], edx
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_20], bl
		mov	[ebp+ms_exc.disabled], edx
		test	bl, bl
		jz	short loc_9CC040
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_9CC040
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9CC03C
		mov	ecx, eax

loc_9CC03C:				; CODE XREF: NtAlertResumeThread(x,x)+35j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_9CC040:				; CODE XREF: NtAlertResumeThread(x,x)+25j
					; NtAlertResumeThread(x,x)+2Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	edx
		lea	eax, [ebp+var_1C]
		push	eax
		mov	edi, 75537350h
		push	edi
		push	[ebp+var_20]
		push	ds:_PsThreadType
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_9CC0F9
		test	bl, bl
		jz	short loc_9CC08D
		mov	esi, [ebp+var_1C]
		test	dword ptr [esi+58h], 400h
		jz	short loc_9CC08D
		mov	edx, edi
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	eax, 0C0000022h
		jmp	short loc_9CC0F9
; 

loc_9CC08D:				; CODE XREF: NtAlertResumeThread(x,x)+6Cj
					; NtAlertResumeThread(x,x)+78j
		mov	ecx, [ebp+var_1C]
		call	_KeAlertResumeThread@4 ; KeAlertResumeThread(x)
		mov	edi, eax
		mov	edx, 75537350h
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObjectWithTag
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_9CC0B4
		mov	[ecx], edi

loc_9CC0B4:				; CODE XREF: NtAlertResumeThread(x,x)+ADj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_9CC0F9
; 

loc_9CC0BF:				; DATA XREF: .text:006A9010o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_9CC0CF:				; DATA XREF: .text:006A9014o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]
		jmp	short loc_9CC0F9
; 

loc_9CC0DE:				; DATA XREF: .text:006A9004o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CC0EC:				; DATA XREF: .text:006A9008o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_28]

loc_9CC0F9:				; CODE XREF: NtAlertResumeThread(x,x)+64j
					; NtAlertResumeThread(x,x)+88j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtAlertResumeThread@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAlertThread(x)
_NtAlertThread@4 proc near		; DATA XREF: .text:0058126Co

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	esi
		push	0
		mov	al, [eax+15Ah]
		mov	esi, 75537350h
		mov	byte ptr [ebp+var_8], al
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	[ebp+var_8]
		push	ds:_PsThreadType
		push	4
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9CC160
		push	[ebp+var_8]
		push	[ebp+var_4]
		call	_KeAlertThread@8 ; KeAlertThread(x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		call	ObfDereferenceObjectWithTag
		xor	eax, eax

loc_9CC160:				; CODE XREF: NtAlertThread(x)+3Cj
		pop	esi
		leave
		retn	4
_NtAlertThread@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1928. PsWow64GetProcessMachine

;  S U B	R O U T	I N E 


; __stdcall PsWow64GetProcessMachine(x)
		public _PsWow64GetProcessMachine@4
_PsWow64GetProcessMachine@4 proc near
		mov	eax, 14Ch
		retn	4
_PsWow64GetProcessMachine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspDeletePartition(x)
_PspDeletePartition@4 proc near		; DATA XREF: PspInitPhase0+4C7o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jz	short loc_9CC191
		push	0
		push	eax
		push	ecx
		push	0
		push	18Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9CC191:				; CODE XREF: PspDeletePartition(x)+Dj
		cmp	dword ptr [ecx+14h], 0
		jz	short loc_9CC19C
		call	_PspRemovePartitionFromGlobalList@4 ; PspRemovePartitionFromGlobalList(x)

loc_9CC19C:				; CODE XREF: PspDeletePartition(x)+23j
		pop	ebp
		retn	4
_PspDeletePartition@4 endp ; sp	= -14h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspTeardownPartition(x)
_PspTeardownPartition@4	proc near	; DATA XREF: PsDereferencePartition+E3A64o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		cmp	edi, ds:_PspSystemPartition
		jnz	short loc_9CC1C5
		push	esi
		push	esi
		push	edi
		push	1
		push	18Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9CC1C5:				; CODE XREF: PspTeardownPartition(x)+14j
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_9CC1D2
		call	_MiDeletePartition@4 ; MiDeletePartition(x)
		mov	[edi], esi

loc_9CC1D2:				; CODE XREF: PspTeardownPartition(x)+29j
		mov	ecx, [edi+8]
		test	ecx, ecx
		jz	short loc_9CC1E1
		call	_ExpPartitionDestroy@4 ; ExpPartitionDestroy(x)
		mov	[edi+8], esi

loc_9CC1E1:				; CODE XREF: PspTeardownPartition(x)+37j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	ecx, [edi+30h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+1Ch]
		lea	ecx, [edi+30h]
		mov	ebx, [edi+34h]
		mov	[ebp+var_4], eax
		mov	eax, ds:_MmBadPointer
		mov	[edi+1Ch], eax
		mov	eax, ds:_MmBadPointer
		mov	[edi+34h], eax
		mov	eax, [edi+38h]
		mov	[ebp+arg_0], eax
		or	eax, 0FFFFFFFFh
		mov	[edi+38h], esi
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9CC22A
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [edi+30h]

loc_9CC22A:				; CODE XREF: PspTeardownPartition(x)+80j
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	ebx, ebx
		jz	short loc_9CC25B
		xor	edx, edx
		mov	ecx, ebx
		call	_PsTerminateMinimalProcess@8 ; PsTerminateMinimalProcess(x,x)
		push	esi
		push	esi
		push	esi
		push	esi
		push	ebx
		call	KeWaitForSingleObject
		mov	ecx, ebx
		call	ObfDereferenceObject
		push	esi
		push	[ebp+arg_0]
		call	ObCloseHandle

loc_9CC25B:				; CODE XREF: PspTeardownPartition(x)+96j
		mov	ecx, [ebp+var_4]
		call	PsDereferencePartition
		mov	edx, 64726148h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PspTeardownPartition@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetNextProcessEx(x)
_PsGetNextProcessEx@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_9CC296
		mov	edx, 6E457350h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	ecx, esi
		call	ObfDereferenceObject

loc_9CC296:				; CODE XREF: PsGetNextProcessEx(x)+Bj
		mov	ecx, esi
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9CC2B6
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edx, 6E457350h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_9CC2B6:				; CODE XREF: PsGetNextProcessEx(x)+2Bj
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_PsGetNextProcessEx@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsGetPreviousProcess(x)
_PsGetPreviousProcess@4	proc near	; CODE XREF: NtGetNextProcess:loc_90ADCDp
					; NtGetNextProcess:loc_90AE3Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		xor	eax, eax
		mov	ecx, large fs:124h
		push	esi
		push	edi
		mov	[ebp+var_4], eax
		mov	esi, eax
		dec	word ptr [ecx+13Eh]
		mov	[ebp+var_8], ecx
		nop
		xor	edx, edx
		mov	ecx, offset _PspActiveProcessLock
		call	ExAcquirePushLockSharedEx
		mov	edi, dword_6BEEDC
		test	ebx, ebx
		jz	short loc_9CC31C
		mov	edi, [ebx+0ECh]
		jmp	short loc_9CC31C
; 

loc_9CC300:				; CODE XREF: PsGetPreviousProcess(x)+65j
		lea	eax, [edi-0E8h]
		mov	edx, 6E457350h
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	@ObReferenceObjectSafeWithTag@8	; ObReferenceObjectSafeWithTag(x,x)
		test	al, al
		jnz	short loc_9CC326
		mov	edi, [edi+4]

loc_9CC31C:				; CODE XREF: PsGetPreviousProcess(x)+39j
					; PsGetPreviousProcess(x)+41j
		cmp	edi, offset _PsActiveProcessHead
		jnz	short loc_9CC300
		jmp	short loc_9CC329
; 

loc_9CC326:				; CODE XREF: PsGetPreviousProcess(x)+5Aj
		xor	esi, esi
		inc	esi

loc_9CC329:				; CODE XREF: PsGetPreviousProcess(x)+67j
		push	11h
		xor	edx, edx
		mov	edi, offset _PspActiveProcessLock
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_9CC343
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9CC343:				; CODE XREF: PsGetPreviousProcess(x)+7Dj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	ebx, ebx
		jz	short loc_9CC362
		mov	edx, 6E457350h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_9CC362:				; CODE XREF: PsGetPreviousProcess(x)+97j
		neg	esi
		pop	edi
		sbb	esi, esi
		and	esi, [ebp+var_4]
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PsGetPreviousProcess@4	endp


;  S U B	R O U T	I N E 


; __stdcall PsQuitNextProcess(x)
_PsQuitNextProcess@4 proc near		; CODE XREF: KdRegisterDebuggerDataBlock+848p
		mov	edx, 6E457350h
		jmp	ObfDereferenceObjectWithTag
_PsQuitNextProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsQuitNextProcessThread(x)
_PsQuitNextProcessThread@4 proc	near	; CODE XREF: PAGE:007A8CB7p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 6E457350h
		call	ObfDereferenceObjectWithTag
		pop	ebp
		retn	4
_PsQuitNextProcessThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspEnumProcessesInJobHierarchy(x, x, x, x)
_PspEnumProcessesInJobHierarchy@16 proc	near ; CODE XREF: sub_759647+930p
					; sub_759647+179E8Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	0
		xor	edx, edx
		call	PspEnumJobsAndProcessesInJobHierarchy
		pop	ebp
		retn	8
_PspEnumProcessesInJobHierarchy@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ps386GetVdmIoHandler(x, x, x, x)
_Ps386GetVdmIoHandler@16 proc near	; CODE XREF: Ki386VdmDispatchIo(x,x,x,x,x)+E2p
					; Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)+60p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, edx
		mov	[ebp+var_C], eax
		mov	ebx, [esi+0F4h]
		test	ebx, ebx
		jz	short loc_9CC42D
		test	al, 3
		jnz	short loc_9CC42D
		cmp	dword ptr [ebx], 0
		jz	short loc_9CC42D
		xor	eax, eax
		inc	eax
		mov	cl, al
		mov	[ebp+var_8], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		mov	eax, [ebx]
		push	1
		add	eax, 4
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_Psp386GetVdmIoHandler@8 ; Psp386GetVdmIoHandler(x,x)
		test	eax, eax
		jz	short loc_9CC411
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, eax
		push	1Eh
		pop	ecx
		rep movsd
		mov	eax, [ebx]
		pop	edi
		mov	ecx, [eax+3Ch]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		jmp	short loc_9CC415
; 

loc_9CC411:				; CODE XREF: Ps386GetVdmIoHandler(x,x,x,x)+4Ej
		mov	byte ptr [ebp+var_8], 0

loc_9CC415:				; CODE XREF: Ps386GetVdmIoHandler(x,x,x,x)+66j
		mov	ecx, [ebx]
		add	ecx, 4
		call	ExReleaseResourceLite
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, byte ptr [ebp+var_8]
		jmp	short loc_9CC42F
; 

loc_9CC42D:				; CODE XREF: Ps386GetVdmIoHandler(x,x,x,x)+19j
					; Ps386GetVdmIoHandler(x,x,x,x)+1Dj ...
		xor	al, al

loc_9CC42F:				; CODE XREF: Ps386GetVdmIoHandler(x,x,x,x)+82j
		pop	esi
		pop	ebx
		leave
		retn	8
_Ps386GetVdmIoHandler@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Psp386CreateVdmIoListHead(x)
_Psp386CreateVdmIoListHead@4 proc near	; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+39p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

		push	18h
		push	offset dword_6A9018
		call	__SEH_prolog4
		mov	ebx, [ecx+0F4h]
		mov	[ebp+var_28], ebx
		and	[ebp+var_20], 0
		xor	edi, edi
		cmp	[ebx], edi
		jnz	loc_9CC4EB
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_19], al
		push	1
		push	offset _VdmIoListCreationResource
		call	ExAcquireResourceExclusiveLite
		cmp	[ebx], edi
		jnz	short loc_9CC4EB
		and	[ebp+ms_exc.disabled], edi
		push	4C567350h
		push	40h
		push	200h
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		mov	[ebp+var_20], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9CC4C2
; 

loc_9CC495:				; DATA XREF: .text:006A902Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CC4A3:				; DATA XREF: .text:006A9030o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_24]
		mov	esi, [ebp+var_20]
		test	esi, esi
		jz	short loc_9CC4B8
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9CC4B8:				; CODE XREF: Psp386CreateVdmIoListHead(x)+79j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_28]

loc_9CC4C2:				; CODE XREF: Psp386CreateVdmIoListHead(x)+5Ej
		test	edi, edi
		js	short loc_9CC4FD
		test	esi, esi
		jz	short loc_9CC4FD
		lea	eax, [esi+4]
		push	eax
		call	ExInitializeResourceLite
		and	dword ptr [esi], 0
		mov	[ebx], esi
		mov	ecx, offset _VdmIoListCreationResource
		call	ExReleaseResourceLite
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_9CC4EB:				; CODE XREF: Psp386CreateVdmIoListHead(x)+1Dj
					; Psp386CreateVdmIoListHead(x)+3Cj
		xor	eax, eax

loc_9CC4ED:				; CODE XREF: Psp386CreateVdmIoListHead(x)+E6j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9CC4FD:				; CODE XREF: Psp386CreateVdmIoListHead(x)+8Fj
					; Psp386CreateVdmIoListHead(x)+93j
		mov	ecx, offset _VdmIoListCreationResource
		call	ExReleaseResourceLite
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	edi, edi
		jnz	short loc_9CC519
		mov	edi, 0C000009Ah

loc_9CC519:				; CODE XREF: Psp386CreateVdmIoListHead(x)+DDj
		mov	eax, edi
		jmp	short loc_9CC4ED
_Psp386CreateVdmIoListHead@4 endp


;  S U B	R O U T	I N E 


; __stdcall Psp386GetVdmIoHandler(x, x)
_Psp386GetVdmIoHandler@8 proc near	; CODE XREF: Ps386GetVdmIoHandler(x,x,x,x)+47p
					; Psp386InstallIoHandler(x,x,x,x)+7Bp ...
		test	dl, 3
		jz	short loc_9CC525
		xor	eax, eax
		retn
; 

loc_9CC525:				; CODE XREF: Psp386GetVdmIoHandler(x,x)+3j
		mov	eax, [ecx+0F4h]
		mov	eax, [eax]
		jmp	short loc_9CC534
; 

loc_9CC52F:				; CODE XREF: Psp386GetVdmIoHandler(x,x)+1Bj
		cmp	[eax+4], edx
		jz	short locret_9CC53A

loc_9CC534:				; CODE XREF: Psp386GetVdmIoHandler(x,x)+10j
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_9CC52F

locret_9CC53A:				; CODE XREF: Psp386GetVdmIoHandler(x,x)+15j
		retn
_Psp386GetVdmIoHandler@8 endp


;  S U B	R O U T	I N E 


; __stdcall Psp386InsertVdmIoHandlerBlock(x, x)
_Psp386InsertVdmIoHandlerBlock@8 proc near ; CODE XREF:	Psp386InstallIoHandler(x,x,x,x)+127p
		mov	eax, [ecx+0F4h]
		xor	ecx, ecx
		push	esi
		push	edi
		mov	esi, [eax]
		mov	edi, [esi]
		mov	eax, edi
		test	eax, eax
		jz	short loc_9CC575
		push	ebx
		mov	ebx, [edx+4]

loc_9CC553:				; CODE XREF: Psp386InsertVdmIoHandlerBlock(x,x)+23j
		cmp	[eax+4], ebx
		jnb	short loc_9CC560
		mov	ecx, eax
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_9CC553

loc_9CC560:				; CODE XREF: Psp386InsertVdmIoHandlerBlock(x,x)+1Bj
		pop	ebx
		test	ecx, ecx
		jz	short loc_9CC575
		test	eax, eax
		jnz	short loc_9CC56F
		mov	[ecx], edx
		and	[edx], eax
		jmp	short loc_9CC579
; 

loc_9CC56F:				; CODE XREF: Psp386InsertVdmIoHandlerBlock(x,x)+2Cj
		mov	[edx], eax
		mov	[ecx], edx
		jmp	short loc_9CC579
; 

loc_9CC575:				; CODE XREF: Psp386InsertVdmIoHandlerBlock(x,x)+12j
					; Psp386InsertVdmIoHandlerBlock(x,x)+28j
		mov	[edx], edi
		mov	[esi], edx

loc_9CC579:				; CODE XREF: Psp386InsertVdmIoHandlerBlock(x,x)+32j
					; Psp386InsertVdmIoHandlerBlock(x,x)+38j
		pop	edi
		xor	eax, eax
		pop	esi
		retn
_Psp386InsertVdmIoHandlerBlock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Psp386InstallIoHandler(x, x, x, x)
_Psp386InstallIoHandler@16 proc	near	; CODE XREF: PspSetProcessIoHandlers(x,x,x)+8Ap

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	2Ch
		push	offset dword_6A9038
		call	__SEH_prolog4
		mov	edi, edx
		mov	[ebp+var_30], edi
		mov	esi, ecx
		mov	[ebp+var_3C], esi
		mov	ebx, [esi+0F4h]
		mov	[ebp+var_24], ebx
		mov	[ebp+var_34], ebx
		test	ebx, ebx
		jnz	short loc_9CC5AE
		mov	eax, 0C0000001h
		jmp	loc_9CC7A1
; 

loc_9CC5AE:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+24j
		and	[ebp+var_20], 0
		cmp	dword ptr [ebx], 0
		jnz	short loc_9CC5C7
		call	_Psp386CreateVdmIoListHead@4 ; Psp386CreateVdmIoListHead(x)
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_9CC7A1

loc_9CC5C7:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+37j
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_19], al
		push	1
		mov	ecx, [ebx]
		add	ecx, 4
		push	ecx
		call	ExAcquireResourceExclusiveLite
		mov	edx, [ebx]
		mov	ecx, [ebp+arg_4]
		mov	[edx+3Ch], ecx
		mov	ebx, [ebp+arg_0]
		mov	eax, ebx
		and	eax, 0FFFFFFFCh
		mov	[ebp+arg_4], eax
		mov	[ebp+var_38], eax
		mov	edx, eax
		mov	ecx, esi
		call	_Psp386GetVdmIoHandler@8 ; Psp386GetVdmIoHandler(x,x)
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	esi, esi
		jnz	loc_9CC6CF
		and	[ebp+ms_exc.disabled], eax
		push	48567350h
		push	78h
		push	1
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		mov	[ebp+var_28], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]
		jmp	short loc_9CC66C
; 

loc_9CC62D:				; DATA XREF: .text:006A904Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CC63B:				; DATA XREF: .text:006A9050o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_20], eax
		mov	esi, [ebp+var_28]
		test	esi, esi
		jz	short loc_9CC653
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9CC653:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+CBj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+arg_0]
		mov	edi, [ebp+var_30]
		mov	eax, [ebp+var_34]
		mov	[ebp+var_24], eax
		mov	ecx, [ebp+var_38]
		mov	[ebp+arg_4], ecx

loc_9CC66C:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+ADj
		cmp	[ebp+var_20], 0
		jge	short loc_9CC68D
		mov	ecx, [eax]
		add	ecx, 4
		call	ExReleaseResourceLite
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_20]
		jmp	loc_9CC7A1
; 

loc_9CC68D:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+F2j
		push	78h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp+arg_4]
		mov	[esi+4], eax
		mov	edx, esi
		mov	ecx, [ebp+var_3C]
		call	_Psp386InsertVdmIoHandlerBlock@8 ; Psp386InsertVdmIoHandlerBlock(x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jns	short loc_9CC6CF
		mov	ecx, [ebp+var_24]
		mov	ecx, [ecx]
		add	ecx, 4
		call	ExReleaseResourceLite
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+arg_0]
		jmp	loc_9CC7A1
; 

loc_9CC6CF:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+87j
					; Psp386InstallIoHandler(x,x,x,x)+131j
		test	byte ptr [edi+0Ch], 1
		jz	short loc_9CC72E
		mov	eax, [edi+8]
		sub	eax, 0
		jz	short loc_9CC716
		sub	eax, 1
		jz	short loc_9CC6FA
		sub	eax, 1
		jnz	short loc_9CC72E
		mov	eax, [edi+10h]
		cmp	byte ptr [edi+0Dh], 0
		jz	short loc_9CC6F5
		mov	[esi+0Ch], eax
		jmp	short loc_9CC72E
; 

loc_9CC6F5:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+170j
		mov	[esi+8], eax
		jmp	short loc_9CC72E
; 

loc_9CC6FA:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+162j
		mov	eax, ebx
		shr	eax, 1
		and	eax, 1
		mov	ecx, [edi+10h]
		cmp	byte ptr [edi+0Dh], 0
		jz	short loc_9CC710
		mov	[esi+eax*4+18h], ecx
		jmp	short loc_9CC72E
; 

loc_9CC710:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+18Aj
		mov	[esi+eax*4+10h], ecx
		jmp	short loc_9CC72E
; 

loc_9CC716:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+15Dj
		mov	eax, ebx
		and	eax, 3
		mov	ecx, [edi+10h]
		cmp	byte ptr [edi+0Dh], 0
		jz	short loc_9CC72A
		mov	[esi+eax*4+30h], ecx
		jmp	short loc_9CC72E
; 

loc_9CC72A:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+1A4j
		mov	[esi+eax*4+20h], ecx

loc_9CC72E:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+155j
					; Psp386InstallIoHandler(x,x,x,x)+167j	...
		test	byte ptr [edi+0Ch], 2
		jz	short loc_9CC789
		mov	eax, [edi+8]
		sub	eax, 0
		jz	short loc_9CC773
		sub	eax, 1
		jz	short loc_9CC759
		sub	eax, 1
		jnz	short loc_9CC789
		mov	eax, [edi+10h]
		cmp	byte ptr [edi+0Dh], 0
		jz	short loc_9CC754
		mov	[esi+44h], eax
		jmp	short loc_9CC789
; 

loc_9CC754:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+1CFj
		mov	[esi+40h], eax
		jmp	short loc_9CC789
; 

loc_9CC759:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+1C1j
		shr	ebx, 1
		and	ebx, 1
		mov	eax, [edi+10h]
		cmp	byte ptr [edi+0Dh], 0
		jz	short loc_9CC76D
		mov	[esi+ebx*4+50h], eax
		jmp	short loc_9CC789
; 

loc_9CC76D:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+1E7j
		mov	[esi+ebx*4+48h], eax
		jmp	short loc_9CC789
; 

loc_9CC773:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+1BCj
		and	ebx, 3
		mov	eax, [edi+10h]
		cmp	byte ptr [edi+0Dh], 0
		jz	short loc_9CC785
		mov	[esi+ebx*4+68h], eax
		jmp	short loc_9CC789
; 

loc_9CC785:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+1FFj
		mov	[esi+ebx*4+58h], eax

loc_9CC789:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+1B4j
					; Psp386InstallIoHandler(x,x,x,x)+1C6j	...
		mov	ecx, [ebp+var_24]
		mov	ecx, [ecx]
		add	ecx, 4
		call	ExReleaseResourceLite
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax

loc_9CC7A1:				; CODE XREF: Psp386InstallIoHandler(x,x,x,x)+2Bj
					; Psp386InstallIoHandler(x,x,x,x)+43j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_Psp386InstallIoHandler@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Psp386RemoveIoHandler(x, x,	x)
_Psp386RemoveIoHandler@12 proc near	; CODE XREF: PspSetProcessIoHandlers(x,x,x)+92p

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		push	ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], eax
		mov	ebx, [eax+0F4h]
		test	ebx, ebx
		jnz	short loc_9CC7D7
		mov	eax, 0C0000001h
		jmp	loc_9CC8CB
; 

loc_9CC7D7:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+18j
		cmp	dword ptr [ebx], 0
		jz	loc_9CC8C9
		push	esi
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [ebx]
		push	1
		add	ecx, 4
		mov	[ebp+var_1], al
		push	ecx
		call	ExAcquireResourceExclusiveLite
		mov	esi, [ebp+arg_0]
		mov	edx, esi
		mov	ecx, [ebp+var_8]
		and	edx, 0FFFFFFFCh
		call	_Psp386GetVdmIoHandler@8 ; Psp386GetVdmIoHandler(x,x)
		test	eax, eax
		jz	loc_9CC8B5
		xor	edx, edx
		test	byte ptr [edi+0Ch], 1
		jz	short loc_9CC865
		mov	ecx, [edi+8]
		sub	ecx, edx
		jz	short loc_9CC851
		sub	ecx, 1
		jz	short loc_9CC839
		sub	ecx, 1
		jnz	short loc_9CC865
		cmp	[edi+0Dh], dl
		jz	short loc_9CC834
		mov	[eax+0Ch], edx
		jmp	short loc_9CC865
; 

loc_9CC834:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+7Aj
		mov	[eax+8], edx
		jmp	short loc_9CC865
; 

loc_9CC839:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+70j
		mov	ecx, esi
		shr	ecx, 1
		and	ecx, 1
		cmp	[edi+0Dh], dl
		jz	short loc_9CC84B
		mov	[eax+ecx*4+18h], edx
		jmp	short loc_9CC865
; 

loc_9CC84B:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+90j
		mov	[eax+ecx*4+10h], edx
		jmp	short loc_9CC865
; 

loc_9CC851:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+6Bj
		mov	ecx, esi
		and	ecx, 3
		cmp	[edi+0Dh], dl
		jz	short loc_9CC861
		mov	[eax+ecx*4+30h], edx
		jmp	short loc_9CC865
; 

loc_9CC861:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+A6j
		mov	[eax+ecx*4+20h], edx

loc_9CC865:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+64j
					; Psp386RemoveIoHandler(x,x,x)+75j ...
		test	byte ptr [edi+0Ch], 2
		jz	short loc_9CC8B5
		mov	ecx, [edi+8]
		sub	ecx, edx
		jz	short loc_9CC8A2
		sub	ecx, 1
		jz	short loc_9CC88B
		sub	ecx, 1
		jnz	short loc_9CC8B5
		cmp	[edi+0Dh], cl
		jz	short loc_9CC886
		mov	[eax+44h], edx
		jmp	short loc_9CC8B5
; 

loc_9CC886:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+CCj
		mov	[eax+40h], edx
		jmp	short loc_9CC8B5
; 

loc_9CC88B:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+C2j
		shr	esi, 1
		and	esi, 1
		cmp	byte ptr [edi+0Dh], 0
		jz	short loc_9CC89C
		mov	[eax+esi*4+50h], edx
		jmp	short loc_9CC8B5
; 

loc_9CC89C:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+E1j
		mov	[eax+esi*4+48h], edx
		jmp	short loc_9CC8B5
; 

loc_9CC8A2:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+BDj
		and	esi, 3
		cmp	byte ptr [edi+0Dh], 0
		jz	short loc_9CC8B1
		mov	[eax+esi*4+68h], edx
		jmp	short loc_9CC8B5
; 

loc_9CC8B1:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+F6j
		mov	[eax+esi*4+58h], edx

loc_9CC8B5:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+58j
					; Psp386RemoveIoHandler(x,x,x)+B6j ...
		mov	ecx, [ebx]
		add	ecx, 4
		call	ExReleaseResourceLite
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi

loc_9CC8C9:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+27j
		xor	eax, eax

loc_9CC8CB:				; CODE XREF: Psp386RemoveIoHandler(x,x,x)+1Fj
		pop	edi
		pop	ebx
		leave
		retn	4
_Psp386RemoveIoHandler@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetProcessIoHandlers(x, x, x)
_PspSetProcessIoHandlers@12 proc near	; CODE XREF: PAGE:007A79FAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_9CC8F8
		mov	eax, 0C000000Dh
		jmp	loc_9CC98E
; 

loc_9CC8F8:				; CODE XREF: PspSetProcessIoHandlers(x,x,x)+1Bj
		cmp	[ebp+arg_0], 10h
		jnb	short loc_9CC908
		mov	eax, 0C0000004h
		jmp	loc_9CC98E
; 

loc_9CC908:				; CODE XREF: PspSetProcessIoHandlers(x,x,x)+2Bj
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, [edi+0Ch]
		cmp	[edi+4], ebx
		jbe	short loc_9CC98A

loc_9CC914:				; CODE XREF: PspSetProcessIoHandlers(x,x,x)+B7j
		mov	eax, [esi+8]
		sub	eax, 0
		jz	short loc_9CC933
		sub	eax, 1
		jz	short loc_9CC92A
		mov	[ebp+arg_0], 4
		jmp	short loc_9CC93A
; 

loc_9CC92A:				; CODE XREF: PspSetProcessIoHandlers(x,x,x)+4Ej
		mov	[ebp+arg_0], 2
		jmp	short loc_9CC93A
; 

loc_9CC933:				; CODE XREF: PspSetProcessIoHandlers(x,x,x)+49j
		mov	[ebp+arg_0], 1

loc_9CC93A:				; CODE XREF: PspSetProcessIoHandlers(x,x,x)+57j
					; PspSetProcessIoHandlers(x,x,x)+60j
		and	[ebp+var_8], 0
		cmp	dword ptr [esi+4], 0
		jbe	short loc_9CC981
		xor	ecx, ecx
		mov	[ebp+var_C], ecx

loc_9CC949:				; CODE XREF: PspSetProcessIoHandlers(x,x,x)+AEj
		mov	eax, [esi]
		mov	edx, esi
		add	eax, ecx
		cmp	byte ptr [edi],	0
		mov	ecx, [ebp+var_4]
		jz	short loc_9CC962
		push	dword ptr [edi+8]
		push	eax
		call	_Psp386InstallIoHandler@16 ; Psp386InstallIoHandler(x,x,x,x)
		jmp	short loc_9CC968
; 

loc_9CC962:				; CODE XREF: PspSetProcessIoHandlers(x,x,x)+84j
		push	eax
		call	_Psp386RemoveIoHandler@12 ; Psp386RemoveIoHandler(x,x,x)

loc_9CC968:				; CODE XREF: PspSetProcessIoHandlers(x,x,x)+8Fj
		test	eax, eax
		js	short loc_9CC98C
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		inc	eax
		add	ecx, [ebp+arg_0]
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ecx
		cmp	eax, [esi+4]
		jb	short loc_9CC949

loc_9CC981:				; CODE XREF: PspSetProcessIoHandlers(x,x,x)+71j
		inc	ebx
		add	esi, 14h
		cmp	ebx, [edi+4]
		jb	short loc_9CC914

loc_9CC98A:				; CODE XREF: PspSetProcessIoHandlers(x,x,x)+41j
		xor	eax, eax

loc_9CC98C:				; CODE XREF: PspSetProcessIoHandlers(x,x,x)+99j
		pop	esi
		pop	ebx

loc_9CC98E:				; CODE XREF: PspSetProcessIoHandlers(x,x,x)+22j
					; PspSetProcessIoHandlers(x,x,x)+32j
		pop	edi
		leave
		retn	4
_PspSetProcessIoHandlers@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetLdtEntries(x, x, x, x,	x, x)
_NtSetLdtEntries@24 proc near		; CODE XREF: sub_59A621+85p
					; DATA XREF: .text:00580C8Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_10]	; void *
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; size_t
		call	_PsSetLdtEntries@24 ; PsSetLdtEntries(x,x,x,x,x,x)
		pop	ebp
		retn	18h
_NtSetLdtEntries@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PsSetLdtEntries(size_t,int,void	*,int)
_PsSetLdtEntries@24 proc near		; CODE XREF: NtSetLdtEntries(x,x,x,x,x,x)+17p
					; NtVdmControl(x,x)+1D4p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_C], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, ebx
		or	eax, edi
		mov	[ebp+arg_4], edi
		mov	[ebp+var_4], ebx
		test	eax, 0FFFF0000h
		jnz	loc_9CCC37
		xor	esi, esi
		and	edi, 0FFFFFFF8h
		mov	[ebp+var_8], esi
		and	ebx, 0FFFFFFF8h
		jz	short loc_9CCA06
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_1C]
		inc	esi
		mov	[ebp+var_1C], edx
		mov	[ebp+var_8], esi
		mov	[ebp+var_18], eax
		call	PspIsDescriptorValid
		test	eax, eax
		jz	loc_9CCC37

loc_9CCA06:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+34j
		test	edi, edi
		jz	short loc_9CCA29
		mov	eax, [ebp+arg_8]
		lea	ecx, [ebp+var_1C]
		lea	ecx, [ecx+esi*8]
		mov	[ecx], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+esi*8+var_18], eax
		call	PspIsDescriptorValid
		test	eax, eax
		jz	loc_9CCC37

loc_9CCA29:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+55j
		mov	eax, [ebp+var_4]
		cmp	ebx, edi
		ja	short loc_9CCA33
		mov	eax, [ebp+arg_4]

loc_9CCA33:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+7Bj
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+arg_4], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _LdtMutex
		call	KeWaitForSingleObject
		test	eax, eax
		js	loc_9CCC3C
		mov	eax, [ebp+arg_4]
		mov	esi, [eax+174h]
		test	esi, esi
		jz	loc_9CCB15
		mov	ecx, [ebp+var_4]
		add	ecx, 8
		cmp	[esi], ecx
		jb	short loc_9CCABC
		test	ebx, ebx
		jz	short loc_9CCA91
		push	[ebp+var_18]
		mov	edx, ebx
		mov	ecx, eax
		push	[ebp+var_1C]
		call	_Ke386SetDescriptorProcess@16 ;	Ke386SetDescriptorProcess(x,x,x,x)
		mov	eax, [ebp+arg_4]

loc_9CCA91:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+CAj
		test	edi, edi
		jz	short loc_9CCAA9
		mov	edx, [ebp+var_8]
		mov	ecx, eax
		push	[ebp+edx*8+var_18]
		push	[ebp+edx*8+var_1C]
		mov	edx, edi
		call	_Ke386SetDescriptorProcess@16 ;	Ke386SetDescriptorProcess(x,x,x,x)

loc_9CCAA9:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+E0j
					; PsSetLdtEntries(x,x,x,x,x,x)+160j
		push	0
		push	offset _LdtMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		xor	eax, eax
		jmp	loc_9CCC3C
; 

loc_9CCABC:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+C6j
		cmp	[esi+4], ecx
		jb	short loc_9CCB15
		push	0
		xor	edx, edx
		mov	ecx, eax
		call	_Ke386SetLdtProcess@12 ; Ke386SetLdtProcess(x,x,x)
		test	ebx, ebx
		jz	short loc_9CCAE3
		mov	ecx, [esi+8]
		mov	eax, [ebp+var_1C]
		shr	ebx, 3
		mov	[ecx+ebx*8], eax
		mov	eax, [ebp+var_18]
		mov	[ecx+ebx*8+4], eax

loc_9CCAE3:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+11Bj
		test	edi, edi
		jz	short loc_9CCAFF
		mov	edx, [ebp+var_8]
		mov	ecx, [esi+8]
		shr	edi, 3
		mov	eax, [ebp+edx*8+var_1C]
		mov	[ecx+edi*8], eax
		mov	eax, [ebp+edx*8+var_18]
		mov	[ecx+edi*8+4], eax

loc_9CCAFF:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+132j
		mov	eax, [ebp+var_4]
		mov	edx, [esi+8]
		add	eax, 8
		mov	ecx, [ebp+arg_4]
		push	eax
		mov	[esi], eax
		call	_Ke386SetLdtProcess@12 ; Ke386SetLdtProcess(x,x,x)
		jmp	short loc_9CCAA9
; 

loc_9CCB15:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+B8j
					; PsSetLdtEntries(x,x,x,x,x,x)+10Cj
		and	[ebp+arg_C], 0
		test	esi, esi
		jnz	short loc_9CCB51
		push	644C7350h
		push	0Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9CCB3E

loc_9CCB34:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+1BAj
					; PsSetLdtEntries(x,x,x,x,x,x)+1D6j
		mov	esi, 0C000009Ah
		jmp	loc_9CCC16
; 

loc_9CCB3E:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+17Fj
		mov	eax, [ebp+arg_4]
		mov	[eax+174h], esi
		xor	eax, eax
		mov	[esi], eax
		mov	[esi+4], eax
		mov	[esi+8], eax

loc_9CCB51:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+168j
		mov	eax, [ebp+var_4]
		add	eax, 1007h
		and	eax, 0FFFFF000h
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		call	PspAllocateLdtMemory
		mov	[ebp+arg_8], eax
		test	eax, eax
		jz	short loc_9CCB34
		push	[ebp+arg_0]
		push	[ebp+arg_4]
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		test	eax, eax
		jns	short loc_9CCB8B
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_8]
		call	PspFreeLdtMemory
		jmp	short loc_9CCB34
; 

loc_9CCB8B:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+1C9j
		push	[ebp+arg_0]	; size_t
		push	0		; int
		push	[ebp+arg_8]	; void *
		call	_memset
		mov	eax, [esi+8]
		add	esp, 0Ch
		mov	[ebp+arg_C], eax
		test	eax, eax
		jz	short loc_9CCBC3
		mov	ecx, [esi+4]
		push	ecx		; size_t
		push	eax		; void *
		push	[ebp+arg_8]	; void *
		mov	[ebp+var_C], ecx
		call	_memcpy
		add	esp, 0Ch
		push	[ebp+var_C]
		push	[ebp+arg_4]
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)

loc_9CCBC3:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+1F0j
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_8]
		add	eax, 8
		mov	[esi], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+4], eax
		mov	[esi+8], ecx
		test	ebx, ebx
		jz	short loc_9CCBEB
		mov	eax, [ebp+var_1C]
		shr	ebx, 3
		mov	[ecx+ebx*8], eax
		mov	eax, [ebp+var_18]
		mov	[ecx+ebx*8+4], eax

loc_9CCBEB:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+226j
		test	edi, edi
		jz	short loc_9CCC07
		mov	edx, [ebp+var_8]
		mov	ecx, [esi+8]
		shr	edi, 3
		mov	eax, [ebp+edx*8+var_1C]
		mov	[ecx+edi*8], eax
		mov	eax, [ebp+edx*8+var_18]
		mov	[ecx+edi*8+4], eax

loc_9CCC07:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+23Aj
		push	dword ptr [esi]
		mov	edx, [esi+8]
		mov	ecx, [ebp+arg_4]
		call	_Ke386SetLdtProcess@12 ; Ke386SetLdtProcess(x,x,x)
		xor	esi, esi

loc_9CCC16:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+186j
		push	0
		push	offset _LdtMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_9CCC33
		mov	edx, [ebp+var_C]
		mov	ecx, eax
		call	PspFreeLdtMemory

loc_9CCC33:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+274j
		mov	eax, esi
		jmp	short loc_9CCC3C
; 

loc_9CCC37:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+23j
					; PsSetLdtEntries(x,x,x,x,x,x)+4Dj ...
		mov	eax, 0C000011Ah

loc_9CCC3C:				; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+A7j
					; PsSetLdtEntries(x,x,x,x,x,x)+104j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PsSetLdtEntries@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PsSetProcessLdtInfo(x, x)
_PsSetProcessLdtInfo@8 proc near	; CODE XREF: NtVdmControl(x,x):loc_9E86A2p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	34h
		push	offset dword_6A9058
		call	__SEH_prolog4
		mov	[ebp+var_2C], edx
		mov	[ebp+var_3C], ecx
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_34], eax
		xor	ebx, ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_20], ebx
		cmp	edx, 10h
		jnb	short loc_9CCC81
		mov	eax, 0C0000004h
		jmp	loc_9CCFE7
; 

loc_9CCC81:				; CODE XREF: PsSetProcessLdtInfo(x,x)+32j
		push	6C646D56h
		push	edx
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		mov	[ebp+var_38], esi
		test	esi, esi
		jnz	short loc_9CCCA4
		mov	eax, 0C000009Ah
		jmp	loc_9CCFE7
; 

loc_9CCCA4:				; CODE XREF: PsSetProcessLdtInfo(x,x)+55j
		mov	edi, ebx
		mov	[ebp+ms_exc.disabled], ebx
		push	[ebp+var_2C]	; size_t
		push	[ebp+var_3C]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9CCCF4
; 

loc_9CCCC1:				; DATA XREF: .text:006A906Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_44], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CCCCF:				; DATA XREF: .text:006A9070o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_44]
		xor	ebx, ebx
		push	ebx
		mov	esi, [ebp+var_38]
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_34]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_30]
		mov	[ebp+var_20], eax

loc_9CCCF4:				; CODE XREF: PsSetProcessLdtInfo(x,x)+7Cj
		test	edi, edi
		jns	short loc_9CCD09
		lea	eax, [edi+3FFFFFFBh]
		neg	eax
		sbb	eax, eax
		and	eax, edi
		jmp	loc_9CCFE7
; 

loc_9CCD09:				; CODE XREF: PsSetProcessLdtInfo(x,x)+B3j
		mov	edx, [esi]
		mov	eax, 0FFFF0000h
		test	edx, eax
		jnz	loc_9CCFD9
		mov	ecx, [esi+4]
		test	ecx, eax
		jnz	loc_9CCFD2
		mov	eax, [ebp+var_2C]
		add	eax, 0FFFFFFF8h
		cmp	eax, ecx
		jnb	short loc_9CCD37
		mov	edi, 0C0000004h
		jmp	loc_9CCFDE
; 

loc_9CCD37:				; CODE XREF: PsSetProcessLdtInfo(x,x)+E8j
		test	cl, 7
		jnz	loc_9CCFD2
		test	dl, 7
		jnz	loc_9CCFD9
		lea	edi, [esi+8]
		lea	eax, [esi+8]
		add	eax, ecx
		mov	[ebp+var_3C], eax
		cmp	edi, eax
		jnb	short loc_9CCD6F

loc_9CCD58:				; CODE XREF: PsSetProcessLdtInfo(x,x)+12Aj
		mov	ecx, edi
		call	PspIsDescriptorValid
		test	eax, eax
		jz	loc_9CCE22
		add	edi, 8
		cmp	edi, [ebp+var_3C]
		jb	short loc_9CCD58

loc_9CCD6F:				; CODE XREF: PsSetProcessLdtInfo(x,x)+113j
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _LdtMutex
		call	KeWaitForSingleObject
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		js	loc_9CCFDE
		mov	edi, [ebp+var_1C]
		mov	ecx, [edi+174h]
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jnz	short loc_9CCDC4
		push	644C7350h
		push	0Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_28], eax
		test	ecx, ecx
		jz	short loc_9CCDFC
		xor	eax, eax
		mov	edi, ecx
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_1C]
		mov	[edi+174h], ecx

loc_9CCDC4:				; CODE XREF: PsSetProcessLdtInfo(x,x)+155j
		mov	edx, [esi+4]
		mov	[ebp+var_34], edx
		mov	eax, [ecx+8]
		mov	[ebp+var_3C], eax
		test	edx, edx
		jnz	short loc_9CCE2C
		test	eax, eax
		jz	short loc_9CCDFC
		mov	edx, [ecx+4]
		mov	[ebp+var_20], edx
		mov	[ebp+var_40], eax
		mov	[ecx+4], ebx
		mov	[ecx], ebx
		mov	[ecx+8], ebx
		push	ebx
		xor	edx, edx
		mov	ecx, edi
		call	_Ke386SetLdtProcess@12 ; Ke386SetLdtProcess(x,x,x)
		push	[ebp+var_20]
		push	edi
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)

loc_9CCDFC:				; CODE XREF: PsSetProcessLdtInfo(x,x)+16Fj
					; PsSetProcessLdtInfo(x,x)+193j ...
		mov	edi, [ebp+var_24]

loc_9CCDFF:				; CODE XREF: PsSetProcessLdtInfo(x,x)+21Ej
					; PsSetProcessLdtInfo(x,x)+23Aj ...
		push	ebx
		push	offset _LdtMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	ecx, [ebp+var_40]
		test	ecx, ecx
		jz	loc_9CCFDE
		mov	edx, [ebp+var_20]
		call	PspFreeLdtMemory
		jmp	loc_9CCFDE
; 

loc_9CCE22:				; CODE XREF: PsSetProcessLdtInfo(x,x)+11Ej
		mov	edi, 0C000011Ah
		jmp	loc_9CCFDE
; 

loc_9CCE2C:				; CODE XREF: PsSetProcessLdtInfo(x,x)+18Fj
		mov	edx, [esi]
		mov	[ebp+var_2C], edx
		mov	eax, [ebp+var_34]
		add	eax, edx
		cmp	[ebp+var_3C], 0
		jnz	short loc_9CCEAA
		lea	ecx, [eax+0FFFh]
		and	ecx, 0FFFFF000h
		mov	[ebp+var_24], ecx
		push	ecx		; size_t
		push	eax		; int
		lea	ecx, [esi+8]
		call	PspCreateLdt
		mov	[ebp+var_30], eax
		test	eax, eax
		jnz	short loc_9CCE63

loc_9CCE5C:				; CODE XREF: PsSetProcessLdtInfo(x,x)+29Dj
		mov	edi, 0C000009Ah
		jmp	short loc_9CCDFF
; 

loc_9CCE63:				; CODE XREF: PsSetProcessLdtInfo(x,x)+217j
		push	[ebp+var_24]
		push	edi
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9CCE7F
		mov	edx, [ebp+var_24]
		mov	ecx, [ebp+var_30]

loc_9CCE78:				; CODE XREF: PsSetProcessLdtInfo(x,x)+2B8j
		call	PspFreeLdtMemory
		jmp	short loc_9CCDFF
; 

loc_9CCE7F:				; CODE XREF: PsSetProcessLdtInfo(x,x)+22Dj
		mov	edx, [ebp+var_28]
		mov	eax, [ebp+var_30]
		mov	[edx+8], eax
		mov	eax, [ebp+var_2C]
		add	eax, [ebp+var_34]
		mov	[edx], eax
		mov	ecx, [ebp+var_24]
		mov	[edx+4], ecx
		push	eax
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_1C]
		call	_Ke386SetLdtProcess@12 ; Ke386SetLdtProcess(x,x,x)
		mov	esi, [ebp+var_38]
		jmp	loc_9CCDFF
; 

loc_9CCEAA:				; CODE XREF: PsSetProcessLdtInfo(x,x)+1F7j
		cmp	eax, [ecx]
		jbe	loc_9CCFA1
		mov	edx, [ecx+4]
		cmp	eax, edx
		jbe	loc_9CCF55
		mov	ecx, edx
		mov	[ebp+var_20], ecx
		add	eax, 0FFFh
		and	eax, 0FFFFF000h
		mov	[ebp+var_30], eax
		push	eax		; size_t
		push	ecx		; int
		xor	edx, edx
		mov	ecx, [ebp+var_3C]
		call	PspCreateLdt
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_9CCE5C
		push	[ebp+var_30]
		push	edi
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9CCF00
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_24]
		jmp	loc_9CCE78
; 

loc_9CCF00:				; CODE XREF: PsSetProcessLdtInfo(x,x)+2B0j
		push	[ebp+var_20]
		push	[ebp+var_1C]
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		mov	ecx, [ebp+var_28]
		mov	eax, [ecx+8]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+var_24]
		mov	[ecx+8], eax
		mov	eax, [ebp+var_2C]
		add	eax, [ebp+var_34]
		mov	[ecx], eax
		mov	eax, [ebp+var_30]
		mov	[ecx+4], eax
		mov	esi, [ebp+var_38]
		push	dword ptr [esi+4] ; size_t
		lea	eax, [esi+8]
		push	eax		; void *
		mov	eax, [esi]
		add	eax, [ebp+var_24]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, [ebp+var_28]
		push	dword ptr [edx]
		mov	edx, [edx+8]
		mov	ecx, [ebp+var_1C]
		call	_Ke386SetLdtProcess@12 ; Ke386SetLdtProcess(x,x,x)
		jmp	loc_9CCDFF
; 

loc_9CCF55:				; CODE XREF: PsSetProcessLdtInfo(x,x)+274j
		mov	[ecx], eax
		push	eax
		mov	edx, [ebp+var_3C]
		mov	ecx, edi
		call	_Ke386SetLdtProcess@12 ; Ke386SetLdtProcess(x,x,x)
		mov	ecx, [esi]
		mov	[ebp+var_3C], ecx
		mov	eax, [esi+4]
		add	eax, ecx
		cmp	ecx, eax
		jnb	loc_9CCDFC
		lea	ebx, [esi+8]

loc_9CCF77:				; CODE XREF: PsSetProcessLdtInfo(x,x)+355j
		push	dword ptr [ebx+4]
		push	dword ptr [ebx]
		mov	edx, ecx
		mov	ecx, edi
		call	_Ke386SetDescriptorProcess@16 ;	Ke386SetDescriptorProcess(x,x,x,x)
		mov	ecx, [ebp+var_3C]
		add	ecx, 8
		mov	[ebp+var_3C], ecx
		lea	ebx, [ebx+8]
		mov	eax, [esi+4]
		add	eax, [esi]
		cmp	ecx, eax
		jb	short loc_9CCF77
		xor	ebx, ebx
		jmp	loc_9CCDFC
; 

loc_9CCFA1:				; CODE XREF: PsSetProcessLdtInfo(x,x)+269j
		cmp	edx, eax
		jnb	short loc_9CCFCB
		lea	ebx, [esi+8]

loc_9CCFA8:				; CODE XREF: PsSetProcessLdtInfo(x,x)+384j
		push	dword ptr [ebx+4]
		push	dword ptr [ebx]
		mov	ecx, edi
		call	_Ke386SetDescriptorProcess@16 ;	Ke386SetDescriptorProcess(x,x,x,x)
		mov	edx, [ebp+var_2C]
		add	edx, 8
		mov	[ebp+var_2C], edx
		lea	ebx, [ebx+8]
		mov	eax, [esi+4]
		add	eax, [esi]
		cmp	edx, eax
		jb	short loc_9CCFA8
		xor	ebx, ebx

loc_9CCFCB:				; CODE XREF: PsSetProcessLdtInfo(x,x)+360j
		mov	edi, ebx
		jmp	loc_9CCDFF
; 

loc_9CCFD2:				; CODE XREF: PsSetProcessLdtInfo(x,x)+DAj
					; PsSetProcessLdtInfo(x,x)+F7j
		mov	edi, 0C0000118h
		jmp	short loc_9CCFDE
; 

loc_9CCFD9:				; CODE XREF: PsSetProcessLdtInfo(x,x)+CFj
					; PsSetProcessLdtInfo(x,x)+100j
		mov	edi, 0C0000119h

loc_9CCFDE:				; CODE XREF: PsSetProcessLdtInfo(x,x)+EFj
					; PsSetProcessLdtInfo(x,x)+141j ...
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi

loc_9CCFE7:				; CODE XREF: PsSetProcessLdtInfo(x,x)+39j
					; PsSetProcessLdtInfo(x,x)+5Cj	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PsSetProcessLdtInfo@8 endp


;  S U B	R O U T	I N E 


PspAllocateLdtMemory proc near		; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+1B0p
					; PspCreateLdt+Fp
		mov	edi, edi
		push	esi
		push	edi
		push	ecx
		push	ecx
		or	edx, 0FFFFFFFFh
		mov	edi, ecx
		call	MmAllocateIndependentPagesEx
		cmp	ds:_KiKvaShadow, 0
		mov	esi, eax
		jz	short loc_9CD01F
		test	esi, esi
		jz	short loc_9CD01F
		mov	edx, edi
		mov	ecx, esi
		call	MmCreateShadowMapping

loc_9CD01F:				; CODE XREF: PspAllocateLdtMemory+19j
					; PspAllocateLdtMemory+1Dj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
PspAllocateLdtMemory endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PspCreateLdt(int,size_t)
PspCreateLdt	proc near		; CODE XREF: PsSetProcessLdtInfo(x,x)+20Dp
					; PsSetProcessLdtInfo(x,x)+293p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	ecx, [ebp+arg_4]
		push	edi
		mov	edi, edx
		call	PspAllocateLdtMemory
		mov	esi, eax
		test	esi, esi
		jz	short loc_9CD05C
		push	[ebp+arg_4]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		lea	eax, [esi+edi]
		sub	ecx, edi
		push	ecx		; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 18h

loc_9CD05C:				; CODE XREF: PspCreateLdt+18j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
PspCreateLdt	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspFreeLdtMemory proc near		; CODE XREF: PspProcessDelete+17E195p
					; PsSetLdtEntries(x,x,x,x,x,x)+1D1p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		cmp	ds:_KiKvaShadow, 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jz	short loc_9CD085
		test	esi, esi
		jz	short loc_9CD085
		call	_MmDeleteShadowMapping@8 ; MmDeleteShadowMapping(x,x)

loc_9CD085:				; CODE XREF: PspFreeLdtMemory+15j
					; PspFreeLdtMemory+19j
		mov	edx, edi
		mov	ecx, esi
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
PspFreeLdtMemory endp


;  S U B	R O U T	I N E 


PspIsDescriptorValid proc near		; CODE XREF: PsSetLdtEntries(x,x,x,x,x,x)+46p
					; PsSetLdtEntries(x,x,x,x,x,x)+69p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, [ecx+4]
		mov	ebx, 6000h
		mov	edx, esi
		shr	edx, 8
		mov	ecx, edx
		and	cl, 1Fh
		neg	cl
		push	edi
		sbb	cl, cl
		mov	edi, esi
		inc	cl
		and	edi, ebx
		setz	al
		test	cl, al
		jnz	short loc_9CD0E8
		mov	eax, 208000h
		and	esi, eax
		cmp	esi, eax
		jz	short loc_9CD0E4
		cmp	edi, ebx
		jnz	short loc_9CD0E4
		test	dl, 10h
		jz	short loc_9CD0E4
		mov	eax, edx
		and	eax, 18h
		cmp	al, 18h
		setz	cl
		test	dl, 4
		setnz	al
		test	cl, al
		jz	short loc_9CD0E8

loc_9CD0E4:				; CODE XREF: PspIsDescriptorValid+31j
					; PspIsDescriptorValid+35j ...
		xor	eax, eax
		jmp	short loc_9CD0EB
; 

loc_9CD0E8:				; CODE XREF: PspIsDescriptorValid+26j
					; PspIsDescriptorValid+4Ej
		xor	eax, eax
		inc	eax

loc_9CD0EB:				; CODE XREF: PspIsDescriptorValid+52j
		pop	edi
		pop	esi
		pop	ebx
		retn
PspIsDescriptorValid endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspQueryDescriptorThread(x,	x, x, x)
_PspQueryDescriptorThread@16 proc near	; CODE XREF: NtQueryInformationThread+F4F5Ap

var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	28h
		push	offset dword_6A90F8
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_24], eax
		mov	edx, ecx
		mov	[ebp+var_1C], edx
		cmp	[ebp+arg_0], 0Ch
		jz	short loc_9CD115
		mov	eax, 0C0000004h
		jmp	loc_9CD24A
; 

loc_9CD115:				; CODE XREF: PspQueryDescriptorThread(x,x,x,x)+1Aj
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, eax
		lea	edi, [ebp+var_38]
		movsd
		movsd
		movsd
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		mov	esi, ebx
		mov	ecx, [ebp+var_38]
		test	cl, 4
		jnz	short loc_9CD18E
		and	ecx, 0FFFFFFF8h
		cmp	ecx, 50h
		jb	short loc_9CD144
		mov	eax, 0C0000005h
		jmp	loc_9CD24A
; 

loc_9CD144:				; CODE XREF: PspQueryDescriptorThread(x,x,x,x)+49j
		mov	[ebp+ms_exc.disabled], 1
		add	eax, 4
		push	eax
		mov	edx, ecx
		mov	ecx, [ebp+var_1C]
		call	_Ke386GetGdtEntryThread@12 ; Ke386GetGdtEntryThread(x,x,x)
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_9CD166
		mov	dword ptr [eax], 8

loc_9CD166:				; CODE XREF: PspQueryDescriptorThread(x,x,x,x)+6Fj
		mov	[ebp+ms_exc.disabled], edi
		jmp	loc_9CD22B
; 

loc_9CD16E:				; DATA XREF: .text:006A9118o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CD17C:				; DATA XREF: .text:006A911Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]
		jmp	loc_9CD24A
; 

loc_9CD18E:				; CODE XREF: PspQueryDescriptorThread(x,x,x,x)+41j
		mov	edi, [edx+150h]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _LdtMutex
		call	KeWaitForSingleObject
		mov	esi, eax
		test	esi, esi
		js	loc_9CD24A
		mov	ecx, [edi+174h]
		test	ecx, ecx
		jnz	short loc_9CD1BD
		mov	esi, 0C0000117h
		jmp	short loc_9CD220
; 

loc_9CD1BD:				; CODE XREF: PspQueryDescriptorThread(x,x,x,x)+C5j
		mov	edx, [ebp+var_38]
		mov	eax, edx
		and	eax, 0FFFFFFF8h
		cmp	eax, [ecx]
		jb	short loc_9CD1D0
		mov	esi, 0C0000005h
		jmp	short loc_9CD220
; 

loc_9CD1D0:				; CODE XREF: PspQueryDescriptorThread(x,x,x,x)+D8j
		mov	[ebp+ms_exc.disabled], 2
		and	edx, 0FFFFFFF8h
		mov	ecx, [ecx+8]
		mov	eax, [edx+ecx]
		mov	edi, [ebp+var_24]
		mov	[edi+4], eax
		mov	eax, [edx+ecx+4]
		mov	[edi+8], eax
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_9CD1FA
		mov	dword ptr [eax], 8

loc_9CD1FA:				; CODE XREF: PspQueryDescriptorThread(x,x,x,x)+103j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9CD220
; 

loc_9CD203:				; DATA XREF: .text:006A9124o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CD211:				; DATA XREF: .text:006A9128o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_28]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx

loc_9CD220:				; CODE XREF: PspQueryDescriptorThread(x,x,x,x)+CCj
					; PspQueryDescriptorThread(x,x,x,x)+DFj ...
		push	ebx
		push	offset _LdtMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_9CD22B:				; CODE XREF: PspQueryDescriptorThread(x,x,x,x)+7Aj
		mov	eax, esi
		jmp	short loc_9CD24A
; 

loc_9CD22F:				; DATA XREF: .text:006A910Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CD23D:				; DATA XREF: .text:006A9110o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_2C]

loc_9CD24A:				; CODE XREF: PspQueryDescriptorThread(x,x,x,x)+21j
					; PspQueryDescriptorThread(x,x,x,x)+50j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PspQueryDescriptorThread@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspQueryLdtInformation(x, x, x, x)
_PspQueryLdtInformation@16 proc	near	; CODE XREF: PAGE:0083C3C7p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	24h
		push	offset dword_6A9078
		call	__SEH_prolog4
		mov	edi, edx
		mov	esi, ecx
		xor	edx, edx
		mov	[ebp+var_1C], edx
		mov	eax, [ebp+arg_0]
		cmp	eax, 10h
		jb	loc_9CD3CB
		mov	[ebp+ms_exc.disabled], edx
		mov	ecx, [edi+4]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_34], ecx
		mov	ebx, [edi]
		mov	[ebp+var_1C], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		add	eax, 0FFFFFFF8h
		cmp	eax, ecx
		jb	loc_9CD3CB
		test	cl, 7
		jz	short loc_9CD2AF
		mov	eax, 0C0000118h
		jmp	loc_9CD3D0
; 

loc_9CD2AF:				; CODE XREF: PspQueryLdtInformation(x,x,x,x)+47j
		test	bl, 7
		jz	short loc_9CD2BE
		mov	eax, 0C0000119h
		jmp	loc_9CD3D0
; 

loc_9CD2BE:				; CODE XREF: PspQueryLdtInformation(x,x,x,x)+56j
		push	edx
		push	edx
		push	edx
		push	edx
		push	offset _LdtMutex
		call	KeWaitForSingleObject
		test	eax, eax
		js	loc_9CD3D0
		mov	eax, [esi+174h]
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_9CD338
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_9CD338
		cmp	edx, ebx
		jnb	short loc_9CD2EF
		mov	esi, ebx
		jmp	short loc_9CD302
; 

loc_9CD2EF:				; CODE XREF: PspQueryLdtInformation(x,x,x,x)+8Dj
		mov	eax, edx
		sub	eax, ebx
		mov	ecx, [ebp+var_20]
		cmp	eax, ecx
		mov	eax, [ebp+arg_0]
		lea	esi, [ebx+ecx]
		ja	short loc_9CD302
		mov	esi, edx

loc_9CD302:				; CODE XREF: PspQueryLdtInformation(x,x,x,x)+91j
					; PspQueryLdtInformation(x,x,x,x)+A2j
		sub	esi, ebx
		mov	[ebp+ms_exc.disabled], 1
		mov	[edi+4], edx
		jz	short loc_9CD344
		push	esi		; size_t
		mov	eax, [eax+8]
		add	eax, ebx
		push	eax		; void *
		lea	eax, [edi+8]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_9CD344
; 

loc_9CD325:				; DATA XREF: .text:006A9098o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CD333:				; DATA XREF: .text:006A909Co
		mov	esi, [ebp+var_24]
		jmp	short loc_9CD394
; 

loc_9CD338:				; CODE XREF: PspQueryLdtInformation(x,x,x,x)+83j
					; PspQueryLdtInformation(x,x,x,x)+89j
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], 2
		and	[edi+4], esi

loc_9CD344:				; CODE XREF: PspQueryLdtInformation(x,x,x,x)+B2j
					; PspQueryLdtInformation(x,x,x,x)+C7j
		push	0FFFFFFFEh
		pop	edx
		mov	[ebp+ms_exc.disabled], edx
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_9CD360
		mov	[ebp+ms_exc.disabled], 3
		lea	eax, [esi+8]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], edx

loc_9CD360:				; CODE XREF: PspQueryLdtInformation(x,x,x,x)+F3j
		push	0
		push	offset _LdtMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		xor	eax, eax
		jmp	short loc_9CD3D0
; 

loc_9CD370:				; DATA XREF: .text:006A90B0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CD37E:				; DATA XREF: .text:006A90B4o
		mov	esi, [ebp+var_28]
		jmp	short loc_9CD394
; 

loc_9CD383:				; DATA XREF: .text:006A90A4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CD391:				; DATA XREF: .text:006A90A8o
		mov	esi, [ebp+var_2C]

loc_9CD394:				; CODE XREF: PspQueryLdtInformation(x,x,x,x)+DAj
					; PspQueryLdtInformation(x,x,x,x)+125j
		mov	esp, [ebp+ms_exc.old_esp]
		push	0
		push	offset _LdtMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		jmp	short loc_9CD3D0
; 

loc_9CD3AE:				; DATA XREF: .text:006A908Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CD3BC:				; DATA XREF: .text:006A9090o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_30]
		jmp	short loc_9CD3D0
; 

loc_9CD3CB:				; CODE XREF: PspQueryLdtInformation(x,x,x,x)+1Bj
					; PspQueryLdtInformation(x,x,x,x)+3Ej
		mov	eax, 0C0000004h

loc_9CD3D0:				; CODE XREF: PspQueryLdtInformation(x,x,x,x)+4Ej
					; PspQueryLdtInformation(x,x,x,x)+5Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PspQueryLdtInformation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetLdtInformation(x, x, x)
_PspSetLdtInformation@12 proc near	; CODE XREF: PAGE:007A795Dp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	2Ch
		push	offset dword_6A90B8
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_20], ecx
		xor	eax, eax
		mov	[ebp+var_30], eax
		and	[ebp+var_1C], eax
		mov	esi, [ebp+arg_0]
		cmp	esi, 10h
		jnb	short loc_9CD40D
		mov	eax, 0C0000004h
		jmp	loc_9CD732
; 

loc_9CD40D:				; CODE XREF: PspSetLdtInformation(x,x,x)+1Fj
		push	644C7350h
		push	esi
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		jnz	short loc_9CD430
		mov	eax, 0C000009Ah
		jmp	loc_9CD732
; 

loc_9CD430:				; CODE XREF: PspSetLdtInformation(x,x,x)+42j
		and	[ebp+ms_exc.disabled], 0
		push	esi		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [edi]
		mov	eax, 0FFFF0000h
		test	edx, eax
		jnz	loc_9CD6FC
		mov	ecx, [edi+4]
		test	ecx, eax
		jnz	loc_9CD6F5
		lea	eax, [esi-8]
		cmp	eax, ecx
		jnb	short loc_9CD471
		mov	esi, 0C0000004h
		jmp	loc_9CD701
; 

loc_9CD471:				; CODE XREF: PspSetLdtInformation(x,x,x)+83j
		test	cl, 7
		jnz	loc_9CD6F5
		test	dl, 7
		jnz	loc_9CD6FC
		lea	esi, [edi+8]
		lea	ebx, [edi+8]
		add	ebx, ecx
		jmp	short loc_9CD49F
; 

loc_9CD48D:				; CODE XREF: PspSetLdtInformation(x,x,x)+BFj
		mov	ecx, esi
		call	PspIsDescriptorValid
		test	eax, eax
		jz	loc_9CD53C
		add	esi, 8

loc_9CD49F:				; CODE XREF: PspSetLdtInformation(x,x,x)+A9j
		cmp	esi, ebx
		jb	short loc_9CD48D
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _LdtMutex
		call	KeWaitForSingleObject
		mov	esi, eax
		test	esi, esi
		js	loc_9CD701
		mov	ecx, [ebp+var_20]
		mov	ebx, [ecx+174h]
		test	ebx, ebx
		jnz	short loc_9CD4F8
		push	644C7350h
		push	0Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9CD6D4
		mov	ecx, [ebp+var_20]
		mov	[ecx+174h], ebx
		xor	eax, eax
		mov	edi, ebx
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_24]

loc_9CD4F8:				; CODE XREF: PspSetLdtInformation(x,x,x)+E6j
		mov	edx, [edi+4]
		mov	[ebp+var_28], edx
		mov	eax, [ebx+8]
		mov	[ebp+var_2C], eax
		test	edx, edx
		jnz	short loc_9CD546
		test	eax, eax
		jz	loc_9CD6D4
		mov	edx, [ebx+4]
		mov	[ebp+var_1C], edx
		mov	[ebp+var_30], eax
		xor	eax, eax
		mov	[ebx+4], eax
		mov	[ebx], eax
		mov	[ebx+8], eax
		push	eax
		xor	edx, edx
		call	_Ke386SetLdtProcess@12 ; Ke386SetLdtProcess(x,x,x)
		mov	ebx, [ebp+var_1C]
		push	ebx
		push	[ebp+var_20]
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		jmp	loc_9CD6D7
; 

loc_9CD53C:				; CODE XREF: PspSetLdtInformation(x,x,x)+B4j
		mov	esi, 0C000011Ah
		jmp	loc_9CD701
; 

loc_9CD546:				; CODE XREF: PspSetLdtInformation(x,x,x)+124j
		mov	edx, [edi]
		mov	[ebp+arg_0], edx
		mov	eax, [ebp+var_28]
		add	eax, edx
		cmp	[ebp+var_2C], 0
		jnz	short loc_9CD5C4
		lea	esi, [eax+0FFFh]
		and	esi, 0FFFFF000h
		mov	[ebp+var_34], esi
		push	esi		; size_t
		push	eax		; int
		lea	ecx, [edi+8]
		call	PspCreateLdt
		mov	[ebp+var_2C], eax
		test	eax, eax
		jnz	short loc_9CD580

loc_9CD576:				; CODE XREF: PspSetLdtInformation(x,x,x)+21Aj
		mov	esi, 0C000009Ah
		jmp	loc_9CD6D4
; 

loc_9CD580:				; CODE XREF: PspSetLdtInformation(x,x,x)+192j
		push	esi
		push	[ebp+var_20]
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9CD59F
		mov	edx, [ebp+var_34]
		mov	ecx, [ebp+var_2C]

loc_9CD595:				; CODE XREF: PspSetLdtInformation(x,x,x)+235j
		call	PspFreeLdtMemory
		jmp	loc_9CD6D4
; 

loc_9CD59F:				; CODE XREF: PspSetLdtInformation(x,x,x)+1ABj
		mov	edx, [ebp+var_2C]
		mov	[ebx+8], edx
		mov	eax, [ebp+arg_0]
		add	eax, [ebp+var_28]
		mov	[ebx], eax
		mov	ecx, [ebp+var_34]
		mov	[ebx+4], ecx
		push	eax
		mov	ecx, [ebp+var_20]
		call	_Ke386SetLdtProcess@12 ; Ke386SetLdtProcess(x,x,x)
		mov	edi, [ebp+var_24]
		jmp	loc_9CD6D4
; 

loc_9CD5C4:				; CODE XREF: PspSetLdtInformation(x,x,x)+172j
		cmp	eax, [ebx]
		jbe	loc_9CD6A9
		mov	edx, [ebx+4]
		cmp	eax, edx
		jbe	loc_9CD667
		mov	ecx, edx
		mov	[ebp+var_1C], ecx
		lea	esi, [eax+0FFFh]
		and	esi, 0FFFFF000h
		mov	[ebp+var_38], esi
		push	esi		; size_t
		push	ecx		; int
		xor	edx, edx
		mov	ecx, [ebp+var_2C]
		call	PspCreateLdt
		mov	[ebp+var_34], eax
		test	eax, eax
		jz	loc_9CD576
		push	esi
		push	[ebp+var_20]
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9CD61C
		mov	edx, [ebp+var_38]
		mov	ecx, [ebp+var_34]
		jmp	loc_9CD595
; 

loc_9CD61C:				; CODE XREF: PspSetLdtInformation(x,x,x)+22Dj
		push	[ebp+var_1C]
		push	[ebp+var_20]
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		mov	eax, [ebx+8]
		mov	[ebp+var_30], eax
		mov	edx, [ebp+var_34]
		mov	[ebx+8], edx
		mov	eax, [ebp+arg_0]
		add	eax, [ebp+var_28]
		mov	[ebx], eax
		mov	eax, [ebp+var_38]
		mov	[ebx+4], eax
		mov	edi, [ebp+var_24]
		push	dword ptr [edi+4] ; size_t
		lea	eax, [edi+8]
		push	eax		; void *
		mov	eax, [edi]
		add	eax, edx
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	dword ptr [ebx]
		mov	edx, [ebx+8]
		mov	ecx, [ebp+var_20]
		call	_Ke386SetLdtProcess@12 ; Ke386SetLdtProcess(x,x,x)
		jmp	short loc_9CD6D4
; 

loc_9CD667:				; CODE XREF: PspSetLdtInformation(x,x,x)+1EFj
		mov	[ebx], eax
		push	eax
		mov	edx, [ebp+var_2C]
		call	_Ke386SetLdtProcess@12 ; Ke386SetLdtProcess(x,x,x)
		mov	ecx, [edi]
		mov	[ebp+arg_0], ecx
		mov	eax, [edi+4]
		add	eax, ecx
		cmp	ecx, eax
		jnb	short loc_9CD6D4
		lea	ebx, [edi+8]

loc_9CD683:				; CODE XREF: PspSetLdtInformation(x,x,x)+2C3j
		push	dword ptr [ebx+4]
		push	dword ptr [ebx]
		mov	edx, ecx
		mov	ecx, [ebp+var_20]
		call	_Ke386SetDescriptorProcess@16 ;	Ke386SetDescriptorProcess(x,x,x,x)
		mov	ecx, [ebp+arg_0]
		add	ecx, 8
		mov	[ebp+arg_0], ecx
		lea	ebx, [ebx+8]
		mov	eax, [edi+4]
		add	eax, [edi]
		cmp	ecx, eax
		jb	short loc_9CD683
		jmp	short loc_9CD6D4
; 

loc_9CD6A9:				; CODE XREF: PspSetLdtInformation(x,x,x)+1E4j
		cmp	edx, eax
		jnb	short loc_9CD6D2
		lea	ebx, [edi+8]

loc_9CD6B0:				; CODE XREF: PspSetLdtInformation(x,x,x)+2EEj
		push	dword ptr [ebx+4]
		push	dword ptr [ebx]
		call	_Ke386SetDescriptorProcess@16 ;	Ke386SetDescriptorProcess(x,x,x,x)
		mov	edx, [ebp+arg_0]
		add	edx, 8
		mov	[ebp+arg_0], edx
		lea	ebx, [ebx+8]
		mov	eax, [edi+4]
		add	eax, [edi]
		cmp	edx, eax
		mov	ecx, [ebp+var_20]
		jb	short loc_9CD6B0

loc_9CD6D2:				; CODE XREF: PspSetLdtInformation(x,x,x)+2C9j
		xor	esi, esi

loc_9CD6D4:				; CODE XREF: PspSetLdtInformation(x,x,x)+FDj
					; PspSetLdtInformation(x,x,x)+128j ...
		mov	ebx, [ebp+var_1C]

loc_9CD6D7:				; CODE XREF: PspSetLdtInformation(x,x,x)+155j
		push	0
		push	offset _LdtMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_9CD701
		mov	edx, ebx
		mov	ecx, eax
		call	PspFreeLdtMemory
		jmp	short loc_9CD701
; 

loc_9CD6F5:				; CODE XREF: PspSetLdtInformation(x,x,x)+78j
					; PspSetLdtInformation(x,x,x)+92j
		mov	esi, 0C0000118h
		jmp	short loc_9CD701
; 

loc_9CD6FC:				; CODE XREF: PspSetLdtInformation(x,x,x)+6Dj
					; PspSetLdtInformation(x,x,x)+9Bj
		mov	esi, 0C0000119h

loc_9CD701:				; CODE XREF: PspSetLdtInformation(x,x,x)+8Aj
					; PspSetLdtInformation(x,x,x)+D5j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	short loc_9CD732
; 

loc_9CD70D:				; DATA XREF: .text:006A90CCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CD71B:				; DATA XREF: .text:006A90D0o
		mov	esp, [ebp+ms_exc.old_esp]
		push	0
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_3C]

loc_9CD732:				; CODE XREF: PspSetLdtInformation(x,x,x)+26j
					; PspSetLdtInformation(x,x,x)+49j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PspSetLdtInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspSetLdtSize(x, x,	x)
_PspSetLdtSize@12 proc near		; CODE XREF: PAGE:007A79B7p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	18h
		push	offset dword_6A90D8
		call	__SEH_prolog4
		mov	esi, ecx
		mov	[ebp+var_20], esi
		xor	eax, eax
		mov	edi, eax
		mov	[ebp+var_1C], eax
		cmp	[ebp+arg_0], 4
		jz	short loc_9CD76C
		mov	eax, 0C0000004h
		jmp	loc_9CD881
; 

loc_9CD76C:				; CODE XREF: PspSetLdtSize(x,x,x)+1Cj
		mov	[ebp+ms_exc.disabled], eax
		mov	ebx, [edx]
		mov	[ebp+var_28], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	bl, 7
		jz	short loc_9CD78A
		mov	eax, 0C0000118h
		jmp	loc_9CD881
; 

loc_9CD78A:				; CODE XREF: PspSetLdtSize(x,x,x)+3Aj
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _LdtMutex
		call	KeWaitForSingleObject
		test	eax, eax
		js	loc_9CD881
		mov	esi, [esi+174h]
		test	esi, esi
		jz	loc_9CD851
		mov	eax, [esi]
		test	eax, eax
		jz	loc_9CD851
		cmp	ebx, eax
		jbe	short loc_9CD7C6
		mov	esi, 0C0000118h
		jmp	loc_9CD856
; 

loc_9CD7C6:				; CODE XREF: PspSetLdtSize(x,x,x)+76j
		mov	ecx, [esi+8]
		mov	[esi], ebx
		mov	edx, [esi+4]
		test	ebx, ebx
		jnz	short loc_9CD7DE
		mov	edi, edx
		mov	[ebp+var_1C], ecx
		and	[esi+4], ebx
		xor	ecx, ecx
		jmp	short loc_9CD814
; 

loc_9CD7DE:				; CODE XREF: PspSetLdtSize(x,x,x)+8Cj
		mov	eax, edx
		sub	eax, ebx
		cmp	eax, 1000h
		jb	short loc_9CD814
		mov	edi, edx
		mov	[ebp+var_1C], ecx
		lea	eax, [ebx+0FFFh]
		and	eax, 0FFFFF000h
		mov	[esi+4], eax
		push	eax		; size_t
		push	ebx		; int
		xor	edx, edx
		call	PspCreateLdt
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_9CD814
		mov	ecx, [ebp+var_1C]
		mov	[esi+4], edi
		and	[ebp+var_1C], eax

loc_9CD814:				; CODE XREF: PspSetLdtSize(x,x,x)+98j
					; PspSetLdtSize(x,x,x)+A3j ...
		mov	[esi+8], ecx
		push	dword ptr [esi]
		mov	edx, ecx
		mov	ebx, [ebp+var_20]
		mov	ecx, ebx
		call	_Ke386SetLdtProcess@12 ; Ke386SetLdtProcess(x,x,x)
		mov	esi, [esi+4]
		push	0
		push	offset _LdtMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_9CD84D
		mov	edx, edi
		mov	ecx, eax
		call	PspFreeLdtMemory
		sub	edi, esi
		push	edi
		push	ebx
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)

loc_9CD84D:				; CODE XREF: PspSetLdtSize(x,x,x)+F5j
		xor	eax, eax
		jmp	short loc_9CD881
; 

loc_9CD851:				; CODE XREF: PspSetLdtSize(x,x,x)+64j
					; PspSetLdtSize(x,x,x)+6Ej
		mov	esi, 0C0000117h

loc_9CD856:				; CODE XREF: PspSetLdtSize(x,x,x)+7Dj
		push	0
		push	offset _LdtMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, esi
		jmp	short loc_9CD881
; 

loc_9CD866:				; DATA XREF: .text:006A90ECo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CD874:				; DATA XREF: .text:006A90F0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]

loc_9CD881:				; CODE XREF: PspSetLdtSize(x,x,x)+23j
					; PspSetLdtSize(x,x,x)+41j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_PspSetLdtSize@12 endp


;  S U B	R O U T	I N E 


; __stdcall PspFreeStorage(x)
_PspFreeStorage@4 proc near		; CODE XREF: PspCreateSilo(x)+BBp
					; PspJobDeleteStorageArrays+1267FBp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	20h
		pop	edx
		lea	eax, [esi+4]

loc_9CD89E:				; CODE XREF: PspFreeStorage(x)+1Ej
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_9CD8AB
		cmp	ecx, 1
		jz	short loc_9CD8AB
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9CD8AB:				; CODE XREF: PspFreeStorage(x)+Fj
					; PspFreeStorage(x)+14j
		add	eax, 8
		sub	edx, 1
		jnz	short loc_9CD89E
		mov	eax, [esi+100h]
		test	eax, eax
		jz	short loc_9CD8E7
		push	edi
		lea	ecx, [eax+4]
		mov	edi, 100h

loc_9CD8C6:				; CODE XREF: PspFreeStorage(x)+46j
		mov	edx, [ecx]
		test	edx, edx
		jz	short loc_9CD8D3
		cmp	edx, 1
		jz	short loc_9CD8D3
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9CD8D3:				; CODE XREF: PspFreeStorage(x)+37j
					; PspFreeStorage(x)+3Cj
		add	ecx, 8
		sub	edi, 1
		jnz	short loc_9CD8C6
		push	78457350h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi

loc_9CD8E7:				; CODE XREF: PspFreeStorage(x)+28j
		push	74537350h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
_PspFreeStorage@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspLazyInitializeStorageExpansion(x)
_PspLazyInitializeStorageExpansion@4 proc near ; CODE XREF: PspGetStorageArray+13B330p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, 78457350h
		mov	edi, ecx
		push	ebx
		push	800h
		push	204h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9CD91D
		mov	eax, 0C000009Ah
		jmp	short loc_9CD94B
; 

loc_9CD91D:				; CODE XREF: PspLazyInitializeStorageExpansion(x)+20j
		xor	eax, eax

loc_9CD91F:				; CODE XREF: PspLazyInitializeStorageExpansion(x)+3Aj
		and	dword ptr [esi+eax*8], 0
		and	dword ptr [esi+eax*8+4], 0
		inc	eax
		cmp	eax, 100h
		jb	short loc_9CD91F
		mov	edx, esi
		lea	ecx, [edi+100h]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		test	eax, eax
		jz	short loc_9CD949
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9CD949:				; CODE XREF: PspLazyInitializeStorageExpansion(x)+4Cj
		xor	eax, eax

loc_9CD94B:				; CODE XREF: PspLazyInitializeStorageExpansion(x)+27j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PspLazyInitializeStorageExpansion@4 endp


;  S U B	R O U T	I N E 


; __stdcall PspStorageEmptyAll(x)
_PspStorageEmptyAll@4 proc near		; CODE XREF: PspJobDeleteStorageArrays:loc_90E7A4p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		push	20h
		pop	edx
		mov	esi, ecx
		call	_PspStorageEmptyArray@8	; PspStorageEmptyArray(x,x)
		mov	ecx, [esi+100h]
		mov	edi, eax
		test	ecx, ecx
		jz	short loc_9CD976
		mov	edx, 100h
		call	_PspStorageEmptyArray@8	; PspStorageEmptyArray(x,x)
		add	edi, eax

loc_9CD976:				; CODE XREF: PspStorageEmptyAll(x)+19j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ecx
		retn
_PspStorageEmptyAll@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspStorageEmptyArray(x, x)
_PspStorageEmptyArray@8	proc near	; CODE XREF: PspStorageEmptyAll(x)+Ap
					; PspStorageEmptyAll(x)+20p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		mov	esi, ecx
		test	edi, edi
		jz	short loc_9CD9D8

loc_9CD98F:				; CODE XREF: PspStorageEmptyArray(x,x)+5Aj
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi+4]
		and	eax, 0FFFFFFFEh
		mov	dword ptr [esi+4], 1
		mov	[ebp+var_4], eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9CD9BC
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9CD9BC:				; CODE XREF: PspStorageEmptyArray(x,x)+37j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_9CD9D0
		call	ObfDereferenceObject
		inc	ebx

loc_9CD9D0:				; CODE XREF: PspStorageEmptyArray(x,x)+4Cj
		add	esi, 8
		sub	edi, 1
		jnz	short loc_9CD98F

loc_9CD9D8:				; CODE XREF: PspStorageEmptyArray(x,x)+11j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_PspStorageEmptyArray@8	endp


;  S U B	R O U T	I N E 


; __stdcall PspStorageFreeSlot(x)
_PspStorageFreeSlot@4 proc near		; CODE XREF: PAGE:009C7A41p
					; PsUnregisterSiloMonitor(x)+135p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	esi, 20h
		jnb	short loc_9CDA2A
		mov	edi, offset _PspStorageBitmap

loc_9CD9F0:				; CODE XREF: PspStorageFreeSlot(x)+59j
		mov	ebx, offset _PspStorageBitmapLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [edi+4]
		mov	eax, esi
		shr	eax, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [edx+eax*4]
		sar	eax, cl
		test	al, 1
		jz	short loc_9CDA41
		mov	ecx, esi
		and	esi, 7
		shr	ecx, 3
		movsx	eax, byte ptr [ecx+edx]
		btr	eax, esi
		xor	esi, esi
		mov	[ecx+edx], al
		jmp	short loc_9CDA46
; 

loc_9CDA2A:				; CODE XREF: PspStorageFreeSlot(x)+Aj
		add	esi, 0FFFFFFE0h
		mov	edi, offset _PspStorageExpansionBitmap
		cmp	esi, 100h
		jb	short loc_9CD9F0
		mov	eax, 0C000000Dh
		jmp	short loc_9CDA65
; 

loc_9CDA41:				; CODE XREF: PspStorageFreeSlot(x)+33j
		mov	esi, 0C000000Dh

loc_9CDA46:				; CODE XREF: PspStorageFreeSlot(x)+49j
		or	edx, 0FFFFFFFFh
		lock xadd [ebx], edx
		and	dl, 6
		cmp	dl, 2
		jnz	short loc_9CDA5C
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9CDA5C:				; CODE XREF: PspStorageFreeSlot(x)+74j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	eax, esi

loc_9CDA65:				; CODE XREF: PspStorageFreeSlot(x)+60j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PspStorageFreeSlot@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspStorageRemoveObject(x, x, x, x)
_PspStorageRemoveObject@16 proc	near	; CODE XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+2C4p
					; PsRemoveSiloContext(x,x,x)+20p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	edi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	PspGetStorageArrayIfPossible
		mov	edi, eax
		test	edi, edi
		js	short loc_9CDB05
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		mov	eax, [ebp+var_8]
		push	ebx
		push	esi
		lea	esi, [eax+ecx*8]
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, [esi+4]
		test	ebx, ebx
		jz	short loc_9CDAC5
		cmp	[ebp+arg_0], 0
		jnz	short loc_9CDABB
		test	bl, 1
		jz	short loc_9CDABB
		xor	ebx, ebx
		mov	edi, 0C00000BBh
		jmp	short loc_9CDAC5
; 

loc_9CDABB:				; CODE XREF: PspStorageRemoveObject(x,x,x,x)+42j
					; PspStorageRemoveObject(x,x,x,x)+47j
		mov	dword ptr [esi+4], 0
		and	ebx, 0FFFFFFFEh

loc_9CDAC5:				; CODE XREF: PspStorageRemoveObject(x,x,x,x)+3Cj
					; PspStorageRemoveObject(x,x,x,x)+50j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9CDAD9
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9CDAD9:				; CODE XREF: PspStorageRemoveObject(x,x,x,x)+67j
		mov	ecx, esi
		call	KeAbPostRelease
		test	edi, edi
		js	short loc_9CDB01
		test	ebx, ebx
		jnz	short loc_9CDAEF
		mov	eax, 0C0000225h
		jmp	short loc_9CDB03
; 

loc_9CDAEF:				; CODE XREF: PspStorageRemoveObject(x,x,x,x)+7Dj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_9CDAFA
		mov	[eax], ebx
		jmp	short loc_9CDB01
; 

loc_9CDAFA:				; CODE XREF: PspStorageRemoveObject(x,x,x,x)+8Bj
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_9CDB01:				; CODE XREF: PspStorageRemoveObject(x,x,x,x)+79j
					; PspStorageRemoveObject(x,x,x,x)+8Fj
		mov	eax, edi

loc_9CDB03:				; CODE XREF: PspStorageRemoveObject(x,x,x,x)+84j
		pop	esi
		pop	ebx

loc_9CDB05:				; CODE XREF: PspStorageRemoveObject(x,x,x,x)+21j
		pop	edi
		leave
		retn	8
_PspStorageRemoveObject@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspStorageReplaceObject(x, x, x, x)
_PspStorageReplaceObject@16 proc near	; CODE XREF: PsReplaceSiloContext(x,x,x,x)+5Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		push	esi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	PspGetStorageArray
		mov	esi, eax
		test	esi, esi
		js	short loc_9CDBA6
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	edi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		mov	eax, [ebp+var_8]
		lea	edi, [eax+ecx*8]
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	ebx, [edi+4]
		test	bl, 1
		jnz	short loc_9CDB59
		mov	eax, [ebp+arg_0]
		mov	[edi+4], eax
		jmp	short loc_9CDB60
; 

loc_9CDB59:				; CODE XREF: PspStorageReplaceObject(x,x,x,x)+45j
		xor	ebx, ebx
		mov	esi, 0C00000BBh

loc_9CDB60:				; CODE XREF: PspStorageReplaceObject(x,x,x,x)+4Dj
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9CDB74
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9CDB74:				; CODE XREF: PspStorageReplaceObject(x,x,x,x)+61j
		mov	ecx, edi
		call	KeAbPostRelease
		test	esi, esi
		js	short loc_9CDB9A
		mov	eax, [ebp+arg_4]
		test	ebx, ebx
		jnz	short loc_9CDB8E
		test	eax, eax
		jz	short loc_9CDBA2
		and	[eax], ebx
		jmp	short loc_9CDBA2
; 

loc_9CDB8E:				; CODE XREF: PspStorageReplaceObject(x,x,x,x)+7Aj
		test	eax, eax
		jz	short loc_9CDB96
		mov	[eax], ebx
		jmp	short loc_9CDBA2
; 

loc_9CDB96:				; CODE XREF: PspStorageReplaceObject(x,x,x,x)+86j
		mov	ecx, ebx
		jmp	short loc_9CDB9D
; 

loc_9CDB9A:				; CODE XREF: PspStorageReplaceObject(x,x,x,x)+73j
		mov	ecx, [ebp+arg_0]

loc_9CDB9D:				; CODE XREF: PspStorageReplaceObject(x,x,x,x)+8Ej
		call	ObfDereferenceObject

loc_9CDBA2:				; CODE XREF: PspStorageReplaceObject(x,x,x,x)+7Ej
					; PspStorageReplaceObject(x,x,x,x)+82j	...
		pop	edi
		mov	eax, esi
		pop	ebx

loc_9CDBA6:				; CODE XREF: PspStorageReplaceObject(x,x,x,x)+21j
		pop	esi
		leave
		retn	8
_PspStorageReplaceObject@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RawShutdown(x, x)
_RawShutdown@8	proc near		; DATA XREF: RawInitialize+109o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	RawScanDeletedList
		push	_RawDeviceDiskObject
		call	_IoUnregisterFileSystem@4 ; IoUnregisterFileSystem(x)
		push	_RawDeviceCdRomObject
		call	_IoUnregisterFileSystem@4 ; IoUnregisterFileSystem(x)
		push	_RawDeviceTapeObject
		call	_IoUnregisterFileSystem@4 ; IoUnregisterFileSystem(x)
		push	_RawDeviceTapeObject
		call	IoDeleteDevice
		push	_RawDeviceCdRomObject
		call	IoDeleteDevice
		push	_RawDeviceDiskObject
		call	IoDeleteDevice
		mov	ecx, [ebp+arg_4]
		mov	dl, 1
		and	dword ptr [ecx+18h], 0
		call	IofCompleteRequest
		xor	eax, eax
		pop	ebp
		retn	8
_RawShutdown@8	endp


;  S U B	R O U T	I N E 


; __stdcall RawUnload(x)
_RawUnload@4	proc near		; DATA XREF: RawInitialize+50o
		mov	ecx, _RawDeviceTapeObject
		call	ObfDereferenceObject
		mov	ecx, _RawDeviceCdRomObject
		call	ObfDereferenceObject
		mov	ecx, _RawDeviceDiskObject
		call	ObfDereferenceObject
		retn	4
_RawUnload@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RawPerformDevIoCtrl(x, x, x, x, x, x, x, x,	x)
_RawPerformDevIoCtrl@36	proc near	; CODE XREF: RawQueryFileSystemInformation(x,x,x)+69p

var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		mov	esi, edx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_1C]
		xor	edi, edi
		push	edi
		push	edi
		push	eax
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		push	18h
		push	[ebp+arg_8]
		push	edi
		push	edi
		push	esi
		push	70000h
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_9CDC7F
		mov	eax, 0C000009Ah
		jmp	short loc_9CDCA4
; 

loc_9CDC7F:				; CODE XREF: RawPerformDevIoCtrl(x,x,x,x,x,x,x,x,x)+47j
		mov	eax, [edx+60h]
		mov	ecx, esi
		or	byte ptr [eax-22h], 2
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_9CDCA4
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_C]

loc_9CDCA4:				; CODE XREF: RawPerformDevIoCtrl(x,x,x,x,x,x,x,x,x)+4Ej
					; RawPerformDevIoCtrl(x,x,x,x,x,x,x,x,x)+63j
		pop	edi
		pop	esi
		leave
		retn	1Ch
_RawPerformDevIoCtrl@36	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RawQueryFsDeviceInfo(x, x, x, x)
_RawQueryFsDeviceInfo@16 proc near	; CODE XREF: RawQueryVolumeInformation+16EEBEp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		cmp	dword ptr [esi], 8
		jnb	short loc_9CDCC5
		mov	eax, 80000005h
		jmp	short loc_9CDCFF
; 

loc_9CDCC5:				; CODE XREF: RawQueryFsDeviceInfo(x,x,x,x)+12j
		call	_RawBeginOperation@8 ; RawBeginOperation(x,x)
		test	al, al
		jnz	short loc_9CDCD5
		mov	eax, 0C000026Eh
		jmp	short loc_9CDCFF
; 

loc_9CDCD5:				; CODE XREF: RawQueryFsDeviceInfo(x,x,x,x)+22j
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		add	dword ptr [esi], 0FFFFFFF8h
		and	dword ptr [ecx], 0
		and	dword ptr [ecx+4], 0
		mov	dword ptr [ecx], 7
		mov	eax, [edi+88h]
		mov	eax, [eax+20h]
		mov	[ecx+4], eax
		mov	ecx, edi
		call	_RawEndOperation@8 ; RawEndOperation(x,x)
		xor	eax, eax

loc_9CDCFF:				; CODE XREF: RawQueryFsDeviceInfo(x,x,x,x)+19j
					; RawQueryFsDeviceInfo(x,x,x,x)+29j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_RawQueryFsDeviceInfo@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RawQueryFsSizeInfo(x, x, x,	x)
_RawQueryFsSizeInfo@16 proc near	; CODE XREF: RawQueryVolumeInformation+16EED0p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		and	[esp+74h+var_70], 0
		xor	eax, eax
		and	[esp+74h+var_6C], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		lea	edi, [esp+80h+var_54]
		mov	[esp+80h+var_64], edx
		mov	edx, [ebp+arg_4]
		mov	esi, ecx
		stosd
		push	6
		pop	ecx
		mov	[esp+80h+var_44], esi
		stosd
		mov	[esp+80h+var_68], edx
		stosd
		stosd
		xor	eax, eax
		cmp	dword ptr [edx], 18h
		lea	edi, [esp+80h+var_20]
		rep stosd
		mov	[esp+80h+var_40], eax
		mov	[esp+80h+var_3C], eax
		mov	[esp+80h+var_30], eax
		mov	[esp+80h+var_2C], eax
		mov	[esp+80h+var_28], eax
		mov	[esp+80h+var_24], eax
		mov	[esp+80h+var_60], eax
		mov	[esp+80h+var_5C], eax
		jnb	short loc_9CDD81
		mov	eax, 80000005h
		jmp	loc_9CDF5E
; 

loc_9CDD81:				; CODE XREF: RawQueryFsSizeInfo(x,x,x,x)+6Fj
		mov	edx, [esp+80h+var_64]
		mov	ecx, esi
		call	_RawBeginOperation@8 ; RawBeginOperation(x,x)
		test	al, al
		jnz	short loc_9CDD9A
		mov	eax, 0C000026Eh
		jmp	loc_9CDF5E
; 

loc_9CDD9A:				; CODE XREF: RawQueryFsSizeInfo(x,x,x,x)+88j
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, ebx
		push	eax
		push	eax
		rep stosd
		lea	eax, [esp+88h+var_54]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [esi+8Ch]
		xor	ecx, ecx
		mov	edi, [eax+0Ch]
		lea	eax, [esp+80h+var_70]
		push	eax
		lea	eax, [esp+84h+var_54]
		push	eax
		push	ecx
		push	18h
		lea	eax, [esp+90h+var_20]
		push	eax
		push	ecx
		push	ecx
		push	edi
		push	70000h
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	loc_9CDF4A
		mov	edx, eax
		mov	ecx, edi
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_9CDE08
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+90h+var_54]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+80h+var_70]

loc_9CDE08:				; CODE XREF: RawQueryFsSizeInfo(x,x,x,x)+ECj
		test	esi, esi
		jns	short loc_9CDE18
		mov	eax, [esp+80h+var_68]
		and	dword ptr [eax], 0
		jmp	loc_9CDF4F
; 

loc_9CDE18:				; CODE XREF: RawQueryFsSizeInfo(x,x,x,x)+104j
		test	byte ptr [edi+20h], 4
		jz	short loc_9CDE31
		xor	ecx, ecx
		xor	al, al
		xor	edx, edx
		mov	[esp+80h+var_38], ecx
		mov	[esp+80h+var_34], edx
		jmp	loc_9CDEFF
; 

loc_9CDE31:				; CODE XREF: RawQueryFsSizeInfo(x,x,x,x)+116j
		lea	eax, [esp+80h+var_54]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		lea	eax, [esp+80h+var_70]
		xor	ecx, ecx
		push	eax
		lea	eax, [esp+84h+var_54]
		push	eax
		push	ecx
		push	8
		lea	eax, [esp+90h+var_60]
		push	eax
		push	ecx
		push	ecx
		push	edi
		push	7405Ch
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	loc_9CDF4A
		mov	edx, eax
		mov	ecx, edi
		call	IofCallDriver
		mov	esi, 103h
		cmp	eax, esi
		jnz	short loc_9CDE8A
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+90h+var_54]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+80h+var_70]

loc_9CDE8A:				; CODE XREF: RawQueryFsSizeInfo(x,x,x,x)+16Ej
		mov	ecx, [esp+80h+var_60]
		mov	edx, [esp+80h+var_5C]
		mov	[esp+80h+var_38], ecx
		mov	[esp+80h+var_34], edx
		test	eax, eax
		jns	short loc_9CDEFD
		lea	eax, [esp+80h+var_54]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		lea	eax, [esp+80h+var_70]
		xor	ecx, ecx
		push	eax
		lea	eax, [esp+84h+var_54]
		push	eax
		push	ecx
		push	20h
		lea	eax, [esp+90h+var_40]
		push	eax
		push	ecx
		push	ecx
		push	edi
		push	74004h
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_9CDF4A
		mov	edx, eax
		mov	ecx, edi
		call	IofCallDriver
		cmp	eax, esi
		jnz	short loc_9CDEEE
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+90h+var_54]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+80h+var_70]

loc_9CDEEE:				; CODE XREF: RawQueryFsSizeInfo(x,x,x,x)+1D2j
		mov	edx, [esp+80h+var_34]
		mov	ecx, [esp+80h+var_38]
		shr	eax, 1Fh
		xor	al, 1
		jmp	short loc_9CDEFF
; 

loc_9CDEFD:				; CODE XREF: RawQueryFsSizeInfo(x,x,x,x)+196j
		mov	al, 1

loc_9CDEFF:				; CODE XREF: RawQueryFsSizeInfo(x,x,x,x)+126j
					; RawQueryFsSizeInfo(x,x,x,x)+1F5j
		mov	esi, [esp+80h+var_C]
		mov	[ebx+14h], esi
		mov	dword ptr [ebx+10h], 1
		cmp	al, 1
		jnz	short loc_9CDF1D
		push	0
		push	esi
		push	edx
		push	ecx
		call	_RtlExtendedLargeIntegerDivide@16 ; RtlExtendedLargeIntegerDivide(x,x,x,x)
		jmp	short loc_9CDF34
; 

loc_9CDF1D:				; CODE XREF: RawQueryFsSizeInfo(x,x,x,x)+209j
		mov	eax, [esp+80h+var_10]
		imul	eax, [esp+80h+var_14]
		push	eax
		push	[esp+84h+var_1C]
		push	[esp+88h+var_20]
		call	_RtlExtendedIntegerMultiply@12 ; RtlExtendedIntegerMultiply(x,x,x)

loc_9CDF34:				; CODE XREF: RawQueryFsSizeInfo(x,x,x,x)+215j
		mov	[ebx+8], eax
		mov	[ebx], eax
		mov	eax, [esp+80h+var_68]
		mov	[ebx+0Ch], edx
		mov	[ebx+4], edx
		add	dword ptr [eax], 0FFFFFFE8h
		xor	esi, esi
		jmp	short loc_9CDF4F
; 

loc_9CDF4A:				; CODE XREF: RawQueryFsSizeInfo(x,x,x,x)+D5j
					; RawQueryFsSizeInfo(x,x,x,x)+158j ...
		mov	esi, 0C000009Ah

loc_9CDF4F:				; CODE XREF: RawQueryFsSizeInfo(x,x,x,x)+10Dj
					; RawQueryFsSizeInfo(x,x,x,x)+242j
		mov	edx, [esp+80h+var_64]
		mov	ecx, [esp+80h+var_44]
		call	_RawEndOperation@8 ; RawEndOperation(x,x)
		mov	eax, esi

loc_9CDF5E:				; CODE XREF: RawQueryFsSizeInfo(x,x,x,x)+76j
					; RawQueryFsSizeInfo(x,x,x,x)+8Fj
		mov	ecx, [esp+80h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_RawQueryFsSizeInfo@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RawQueryInformation(x, x, x)
_RawQueryInformation@12	proc near	; CODE XREF: RawDispatch+16F198p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		mov	eax, ecx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], eax
		mov	edx, [edi+18h]
		call	_RawBeginOperation@8 ; RawBeginOperation(x,x)
		test	al, al
		jnz	short loc_9CDF9C
		mov	esi, 0C000026Eh
		jmp	short loc_9CDFE7
; 

loc_9CDF9C:				; CODE XREF: RawQueryInformation(x,x,x)+21j
		cmp	dword ptr [edi+8], 0Eh
		jnz	short loc_9CDFD7
		push	8
		pop	ebx
		cmp	[edi+4], ebx
		jnb	short loc_9CDFB3
		mov	esi, 80000005h
		xor	ebx, ebx
		jmp	short loc_9CDFCD
; 

loc_9CDFB3:				; CODE XREF: RawQueryInformation(x,x,x)+36j
		mov	ecx, [edi+18h]
		mov	edx, [ebp+var_4]
		mov	eax, [ecx+38h]
		mov	edx, [edx+0Ch]
		mov	[edx], eax
		mov	eax, [ecx+3Ch]
		mov	[edx+4], eax
		add	dword ptr [edi+4], 0FFFFFFF8h
		xor	esi, esi

loc_9CDFCD:				; CODE XREF: RawQueryInformation(x,x,x)+3Fj
		mov	eax, [ebp+var_4]
		mov	[eax+1Ch], ebx
		mov	ebx, eax
		jmp	short loc_9CDFDC
; 

loc_9CDFD7:				; CODE XREF: RawQueryInformation(x,x,x)+2Ej
		mov	esi, 0C0000010h

loc_9CDFDC:				; CODE XREF: RawQueryInformation(x,x,x)+63j
		mov	edx, [edi+18h]
		mov	ecx, [ebp+var_8]
		call	_RawEndOperation@8 ; RawEndOperation(x,x)

loc_9CDFE7:				; CODE XREF: RawQueryInformation(x,x,x)+28j
		mov	dl, 1
		mov	[ebx+18h], esi
		mov	ecx, ebx
		call	IofCompleteRequest
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_RawQueryInformation@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RawSetInformation(x, x, x)
_RawSetInformation@12 proc near		; CODE XREF: RawDispatch+16F1A7p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], eax
		mov	edx, [ebx+18h]
		mov	[ebp+var_8], edi
		call	_RawBeginOperation@8 ; RawBeginOperation(x,x)
		test	al, al
		jnz	short loc_9CE026
		mov	esi, 0C000026Eh
		jmp	short loc_9CE06A
; 

loc_9CE026:				; CODE XREF: RawSetInformation(x,x,x)+21j
		cmp	dword ptr [ebx+8], 0Eh
		mov	esi, [edi+0Ch]
		mov	edi, [ebx+18h]
		jnz	short loc_9CE058
		push	edi
		call	IoGetRelatedDeviceObject
		mov	eax, [eax+5Ch]
		test	[esi], eax
		jz	short loc_9CE046
		mov	esi, 0C000000Dh
		jmp	short loc_9CE053
; 

loc_9CE046:				; CODE XREF: RawSetInformation(x,x,x)+41j
		mov	eax, [esi]
		mov	[edi+38h], eax
		mov	eax, [esi+4]
		xor	esi, esi
		mov	[edi+3Ch], eax

loc_9CE053:				; CODE XREF: RawSetInformation(x,x,x)+48j
		mov	edi, [ebx+18h]
		jmp	short loc_9CE05D
; 

loc_9CE058:				; CODE XREF: RawSetInformation(x,x,x)+34j
		mov	esi, 0C0000010h

loc_9CE05D:				; CODE XREF: RawSetInformation(x,x,x)+5Aj
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	_RawEndOperation@8 ; RawEndOperation(x,x)
		mov	edi, [ebp+var_8]

loc_9CE06A:				; CODE XREF: RawSetInformation(x,x,x)+28j
		mov	dl, 1
		mov	[edi+18h], esi
		mov	ecx, edi
		call	IofCompleteRequest
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_RawSetInformation@12 endp


;  S U B	R O U T	I N E 


; __stdcall RawComputeFileSystemInformationChecksum(x)
_RawComputeFileSystemInformationChecksum@4 proc	near
					; CODE XREF: RawQueryFileSystemInformation(x,x,x)+13Bp
		mov	edi, edi
		push	edi
		movzx	edi, word ptr [ecx+14h]
		xor	eax, eax
		push	3
		pop	edx
		cmp	dx, di
		jnb	short loc_9CE0BD
		push	esi
		lea	esi, [ecx+3]

loc_9CE094:				; CODE XREF: RawComputeFileSystemInformationChecksum(x)+3Bj
		movzx	ecx, ax
		cmp	dx, 16h
		jz	short loc_9CE0B5
		cmp	dx, 17h
		jz	short loc_9CE0B5
		shr	ax, 1
		shl	ecx, 0Fh
		add	cx, ax
		movzx	eax, byte ptr [esi]
		add	cx, ax
		movzx	eax, cx

loc_9CE0B5:				; CODE XREF: RawComputeFileSystemInformationChecksum(x)+1Cj
					; RawComputeFileSystemInformationChecksum(x)+22j
		inc	edx
		inc	esi
		cmp	dx, di
		jb	short loc_9CE094
		pop	esi

loc_9CE0BD:				; CODE XREF: RawComputeFileSystemInformationChecksum(x)+Fj
		pop	edi
		retn
_RawComputeFileSystemInformationChecksum@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RawQueryFileSystemInformation(x, x,	x)
_RawQueryFileSystemInformation@12 proc near ; CODE XREF: RawUserFsCtrl(x,x,x)+141p

var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		and	[ebp+var_38], 0
		xor	eax, eax
		and	[ebp+var_34], 0
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		lea	edi, [ebp+var_48]
		mov	[ebp+var_28], ebx
		stosd
		mov	esi, ecx
		push	6
		pop	ecx
		mov	[ebp+var_30], esi
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_24]
		rep stosd
		mov	ecx, [edx+4]
		cmp	ecx, 9
		jnb	short loc_9CE10C
		mov	esi, 0C0000023h
		jmp	loc_9CE22C
; 

loc_9CE10C:				; CODE XREF: RawQueryFileSystemInformation(x,x,x)+41j
		mov	eax, [esi+0Ch]
		push	ecx		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_2C], eax
		call	_memset
		mov	edx, [ebx+88h]
		lea	eax, [ebp+var_24]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		call	_RawPerformDevIoCtrl@36	; RawPerformDevIoCtrl(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9CE22C
		mov	ebx, [ebp+var_10]
		push	18h
		pop	eax
		cmp	ebx, eax
		jnb	short loc_9CE14B
		mov	esi, 0C00000BBh
		jmp	loc_9CE22C
; 

loc_9CE14B:				; CODE XREF: RawQueryFileSystemInformation(x,x,x)+80j
		push	62574152h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9CE168
		mov	esi, 0C000009Ah
		jmp	loc_9CE22C
; 

loc_9CE168:				; CODE XREF: RawQueryFileSystemInformation(x,x,x)+9Dj
		push	ebx		; size_t
		xor	esi, esi
		push	esi		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_48]
		push	esi
		push	esi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	dword ptr [ebp+4] ; int
		mov	esi, [ebp+var_28]
		lea	ecx, [ebp+var_38]
		push	ecx		; int
		lea	ecx, [ebp+var_48]
		push	ecx		; int
		mov	eax, [esi+88h]
		push	0		; int
		push	ebx		; size_t
		push	edi		; void *
		push	eax		; int
		push	3		; int
		call	_IopBuildSynchronousFsdRequest@32 ; IopBuildSynchronousFsdRequest(x,x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_9CE1AD
		mov	esi, 0C000009Ah
		jmp	short loc_9CE224
; 

loc_9CE1AD:				; CODE XREF: RawQueryFileSystemInformation(x,x,x)+E5j
		mov	eax, [edx+60h]
		or	byte ptr [eax-22h], 2
		mov	ecx, [esi+88h]
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_9CE1DB
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [ebp+var_38]

loc_9CE1DB:				; CODE XREF: RawQueryFileSystemInformation(x,x,x)+108j
		test	esi, esi
		js	short loc_9CE224
		cmp	dword ptr [edi+10h], 53525346h
		jnz	short loc_9CE21F
		movzx	ecx, word ptr [edi+14h]
		cmp	ecx, ebx
		ja	short loc_9CE21F
		push	18h
		pop	eax
		cmp	cx, ax
		jb	short loc_9CE21F
		mov	ecx, edi
		call	_RawComputeFileSystemInformationChecksum@4 ; RawComputeFileSystemInformationChecksum(x)
		cmp	ax, [edi+16h]
		jnz	short loc_9CE21F
		mov	ecx, [ebp+var_2C]
		mov	eax, [edi+3]
		mov	[ecx], eax
		mov	eax, [edi+7]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_30]
		mov	dword ptr [eax+1Ch], 9
		jmp	short loc_9CE224
; 

loc_9CE21F:				; CODE XREF: RawQueryFileSystemInformation(x,x,x)+127j
					; RawQueryFileSystemInformation(x,x,x)+12Fj ...
		mov	esi, 0C00000BBh

loc_9CE224:				; CODE XREF: RawQueryFileSystemInformation(x,x,x)+ECj
					; RawQueryFileSystemInformation(x,x,x)+11Ej ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9CE22C:				; CODE XREF: RawQueryFileSystemInformation(x,x,x)+48j
					; RawQueryFileSystemInformation(x,x,x)+72j ...
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_RawQueryFileSystemInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RawUserFsCtrl(x, x,	x)
_RawUserFsCtrl@12 proc near		; CODE XREF: RawFileSystemControl+122458p

var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		mov	eax, edx
		mov	[esp+14h+var_4], ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax+0Ch]
		xor	ebx, ebx
		mov	edi, [eax+18h]
		mov	ecx, 90018h
		mov	[esp+20h+var_8], eax
		mov	eax, esi
		mov	[esp+20h+var_E], bl
		mov	[esp+20h+var_D], bl
		mov	[esp+20h+var_C], esi
		sub	eax, ecx
		jz	short loc_9CE2C8
		sub	eax, 8
		jnz	short loc_9CE2D5
		push	1
		push	edi
		call	_FsRtlNotifyVolumeEvent@8 ; FsRtlNotifyVolumeEvent(x,x)

loc_9CE283:				; CODE XREF: RawUserFsCtrl(x,x,x)+98j
		mov	eax, esi
		sub	eax, 9001Ch
		jz	loc_9CE3F9
		sub	eax, 4
		jz	loc_9CE38C
		sub	eax, 22Ch
		jz	loc_9CE363

loc_9CE2A4:				; CODE XREF: RawUserFsCtrl(x,x,x)+B2j
		mov	ebx, 0C000000Dh

loc_9CE2A9:				; CODE XREF: RawUserFsCtrl(x,x,x)+CFj
					; RawUserFsCtrl(x,x,x)+203j
		mov	eax, [esp+20h+var_C]
		sub	eax, 90018h
		jz	loc_9CE454
		sub	eax, 8
		jnz	loc_9CE45C
		push	2
		jmp	loc_9CE456
; 

loc_9CE2C8:				; CODE XREF: RawUserFsCtrl(x,x,x)+35j
		push	3
		push	edi
		call	_FsRtlNotifyVolumeEvent@8 ; FsRtlNotifyVolumeEvent(x,x)
		mov	ecx, 90018h

loc_9CE2D5:				; CODE XREF: RawUserFsCtrl(x,x,x)+3Aj
		cmp	esi, ecx
		ja	short loc_9CE283
		jz	short loc_9CE31A
		mov	eax, esi
		sub	eax, 90000h
		jz	short loc_9CE2F3
		sub	eax, 4
		jz	short loc_9CE2F3
		sub	eax, 8
		jz	short loc_9CE2F3
		sub	eax, 8
		jnz	short loc_9CE2A4

loc_9CE2F3:				; CODE XREF: RawUserFsCtrl(x,x,x)+A3j
					; RawUserFsCtrl(x,x,x)+A8j ...
		mov	esi, [ebp+arg_0]
		mov	edx, edi
		mov	ecx, esi
		call	_RawBeginOperation@8 ; RawBeginOperation(x,x)
		mov	bl, al
		mov	[esp+20h+var_E], bl
		test	bl, bl
		jnz	short loc_9CE310

loc_9CE309:				; CODE XREF: RawUserFsCtrl(x,x,x)+136j
		mov	ebx, 0C000026Eh
		jmp	short loc_9CE2A9
; 

loc_9CE310:				; CODE XREF: RawUserFsCtrl(x,x,x)+C8j
		mov	ebx, 0C0000002h
		jmp	loc_9CE42C
; 

loc_9CE31A:				; CODE XREF: RawUserFsCtrl(x,x,x)+9Aj
		mov	esi, [ebp+arg_0]
		mov	edx, edi
		mov	ecx, esi
		call	_RawBeginOperation@8 ; RawBeginOperation(x,x)
		mov	[esp+20h+var_E], al
		test	al, al
		jnz	short loc_9CE333
		mov	ebx, 0C000026Eh

loc_9CE333:				; CODE XREF: RawUserFsCtrl(x,x,x)+EDj
		lea	ecx, [esi+0A0h]
		call	ExAcquireFastMutex
		mov	eax, [esi+48h]
		test	al, 1
		jnz	short loc_9CE359
		cmp	dword ptr [esi+4Ch], 1
		jnz	short loc_9CE359
		mov	[esi+98h], edi
		or	eax, 1
		jmp	loc_9CE41E
; 

loc_9CE359:				; CODE XREF: RawUserFsCtrl(x,x,x)+104j
					; RawUserFsCtrl(x,x,x)+10Aj
		mov	ebx, 0C0000022h
		jmp	loc_9CE421
; 

loc_9CE363:				; CODE XREF: RawUserFsCtrl(x,x,x)+5Fj
		mov	esi, [ebp+arg_0]
		mov	edx, edi
		mov	ecx, esi
		call	_RawBeginOperation@8 ; RawBeginOperation(x,x)
		mov	[esp+20h+var_E], al
		test	al, al
		jz	short loc_9CE309
		mov	edx, [esp+20h+var_8]
		mov	ecx, [esp+20h+var_4]
		push	esi
		call	_RawQueryFileSystemInformation@12 ; RawQueryFileSystemInformation(x,x,x)
		mov	ebx, eax
		jmp	loc_9CE42C
; 

loc_9CE38C:				; CODE XREF: RawUserFsCtrl(x,x,x)+54j
		mov	eax, [ebp+arg_0]
		add	eax, 0A0h
		mov	ecx, eax
		mov	[esp+20h+var_8], eax
		call	ExAcquireFastMutex
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+48h]
		test	cl, 2
		jnz	short loc_9CE3B7
		or	ecx, 2
		mov	[esp+20h+var_D], 1
		mov	[eax+48h], ecx
		jmp	short loc_9CE3BC
; 

loc_9CE3B7:				; CODE XREF: RawUserFsCtrl(x,x,x)+169j
		mov	ebx, 0C000026Eh

loc_9CE3BC:				; CODE XREF: RawUserFsCtrl(x,x,x)+176j
		lea	ecx, [eax+0A0h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		cmp	[esp+20h+var_D], 0
		jz	short loc_9CE440
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+9Ch]
		call	@ExWaitForRundownProtectionReleaseCacheAware@4 ; ExWaitForRundownProtectionReleaseCacheAware(x)
		mov	ecx, [esp+20h+var_8]
		call	ExAcquireFastMutex
		mov	eax, [ebp+arg_0]
		mov	ecx, [esp+20h+var_8]
		mov	[eax+94h], edi
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		jmp	short loc_9CE440
; 

loc_9CE3F9:				; CODE XREF: RawUserFsCtrl(x,x,x)+4Bj
		mov	esi, [ebp+arg_0]
		lea	ecx, [esi+0A0h]
		call	ExAcquireFastMutex
		mov	eax, [esi+48h]
		test	al, 1
		jnz	short loc_9CE415
		mov	ebx, 0C000002Ah
		jmp	short loc_9CE421
; 

loc_9CE415:				; CODE XREF: RawUserFsCtrl(x,x,x)+1CDj
		and	eax, 0FFFFFFFEh
		mov	[esi+98h], ebx

loc_9CE41E:				; CODE XREF: RawUserFsCtrl(x,x,x)+115j
		mov	[esi+48h], eax

loc_9CE421:				; CODE XREF: RawUserFsCtrl(x,x,x)+11Fj
					; RawUserFsCtrl(x,x,x)+1D4j
		lea	ecx, [esi+0A0h]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_9CE42C:				; CODE XREF: RawUserFsCtrl(x,x,x)+D6j
					; RawUserFsCtrl(x,x,x)+148j
		cmp	[esp+20h+var_E], 0
		jz	short loc_9CE43C
		mov	edx, edi
		mov	ecx, esi
		call	_RawEndOperation@8 ; RawEndOperation(x,x)

loc_9CE43C:				; CODE XREF: RawUserFsCtrl(x,x,x)+1F2j
		mov	esi, [esp+20h+var_C]

loc_9CE440:				; CODE XREF: RawUserFsCtrl(x,x,x)+18Dj
					; RawUserFsCtrl(x,x,x)+1B8j
		test	ebx, ebx
		js	loc_9CE2A9
		cmp	esi, 9001Ch
		jnz	short loc_9CE45C
		push	5
		jmp	short loc_9CE456
; 

loc_9CE454:				; CODE XREF: RawUserFsCtrl(x,x,x)+73j
		push	4

loc_9CE456:				; CODE XREF: RawUserFsCtrl(x,x,x)+84j
					; RawUserFsCtrl(x,x,x)+213j
		push	edi
		call	_FsRtlNotifyVolumeEvent@8 ; FsRtlNotifyVolumeEvent(x,x)

loc_9CE45C:				; CODE XREF: RawUserFsCtrl(x,x,x)+7Cj
					; RawUserFsCtrl(x,x,x)+20Fj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_RawUserFsCtrl@12 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2043. RtlDowncaseUnicodeChar

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDowncaseUnicodeChar(x)
		public _RtlDowncaseUnicodeChar@4
_RtlDowncaseUnicodeChar@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	NLS_DOWNCASE
		pop	ebp
		retn	4
_RtlDowncaseUnicodeChar@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2270. RtlOemStringToCountedUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlOemStringToCountedUnicodeString(x, x, x)
		public _RtlOemStringToCountedUnicodeString@12
_RtlOemStringToCountedUnicodeString@12 proc near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		push	10h
		push	offset dword_6A9130
		call	__SEH_prolog4
		mov	edi, [ebp+arg_4]
		push	edi
		call	_RtlxOemStringToUnicodeSize@4 ;	RtlxOemStringToUnicodeSize(x)
		dec	eax
		sub	eax, 1
		jnz	short loc_9CE4AE
		xor	ecx, ecx
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		and	[eax+4], ecx
		xor	eax, eax
		jmp	loc_9CE53A
; 

loc_9CE4AE:				; CODE XREF: RtlOemStringToCountedUnicodeString(x,x,x)+19j
		cmp	eax, 0FFFEh
		jbe	short loc_9CE4BC
		mov	eax, 0C00000F0h
		jmp	short loc_9CE53A
; 

loc_9CE4BC:				; CODE XREF: RtlOemStringToCountedUnicodeString(x,x,x)+31j
		movzx	ecx, ax
		mov	esi, [ebp+arg_0]
		mov	[esi], cx
		mov	bl, [ebp+arg_8]
		test	bl, bl
		jz	short loc_9CE4E4
		mov	[esi+2], cx
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[esi+4], eax
		test	eax, eax
		jnz	short loc_9CE4F1
		mov	eax, 0C0000017h
		jmp	short loc_9CE53A
; 

loc_9CE4E4:				; CODE XREF: RtlOemStringToCountedUnicodeString(x,x,x)+48j
		cmp	cx, [esi+2]
		jbe	short loc_9CE4F1
		mov	eax, 80000005h
		jmp	short loc_9CE53A
; 

loc_9CE4F1:				; CODE XREF: RtlOemStringToCountedUnicodeString(x,x,x)+59j
					; RtlOemStringToCountedUnicodeString(x,x,x)+66j
		and	[ebp+var_1C], 0
		and	[ebp+ms_exc.disabled], 0
		mov	[ebp+arg_4], 1
		movzx	eax, word ptr [edi]
		push	eax
		push	dword ptr [edi+4]
		lea	eax, [ebp+var_20]
		push	eax
		movzx	eax, word ptr [esi]
		push	eax
		push	dword ptr [esi+4]
		call	RtlOemToUnicodeN
		mov	edi, eax
		mov	[ebp+var_1C], edi
		test	edi, edi
		js	short loc_9CE525
		xor	edi, edi
		mov	[ebp+var_1C], edi

loc_9CE525:				; CODE XREF: RtlOemStringToCountedUnicodeString(x,x,x)+9Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+arg_4], 0
		call	sub_9CE555
		mov	eax, edi

loc_9CE53A:				; CODE XREF: RtlOemStringToCountedUnicodeString(x,x,x)+27j
					; RtlOemStringToCountedUnicodeString(x,x,x)+38j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_RtlOemStringToCountedUnicodeString@12 endp


;  S U B	R O U T	I N E 


sub_9CE54C	proc near		; DATA XREF: .text:006A9148o
		mov	bl, [ebp+10h]
		mov	esi, [ebp+8]
		mov	edi, [ebp-1Ch]
sub_9CE54C	endp


;  S U B	R O U T	I N E 


sub_9CE555	proc near		; CODE XREF: RtlOemStringToCountedUnicodeString(x,x,x)+B1p
		cmp	dword ptr [ebp+0Ch], 0
		jnz	short loc_9CE55F
		test	edi, edi
		jns	short locret_9CE56F

loc_9CE55F:				; CODE XREF: sub_9CE555+4j
		test	bl, bl
		jz	short locret_9CE56F
		push	dword ptr [esi+4]
		call	_ExFreePool@4	; ExFreePool(x)
		and	dword ptr [esi+4], 0

locret_9CE56F:				; CODE XREF: sub_9CE555+8j
					; sub_9CE555+Cj
		retn
sub_9CE555	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2354. RtlSuffixUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSuffixUnicodeString(x, x, x)
		public _RtlSuffixUnicodeString@12
_RtlSuffixUnicodeString@12 proc	near	; CODE XREF: PiDrvDbSetupNodeHive(x,x)+24Ep
					; PiDrvDbSetupNodeHive(x,x)+29Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		movzx	ecx, word ptr [edx]
		movzx	eax, word ptr [edi]
		cmp	cx, ax
		jb	short loc_9CE5EF
		mov	edi, [edi+4]
		mov	esi, eax
		shr	eax, 1
		lea	ebx, [edi+eax*2]
		cmp	edi, ebx
		jnb	short loc_9CE5EB
		mov	eax, [edx+4]
		sub	ecx, esi
		shr	ecx, 1
		cmp	[ebp+arg_8], 0
		jz	short loc_9CE5D6
		lea	eax, [eax+ecx*2]
		sub	eax, edi
		mov	dword ptr [ebp+arg_8], eax

loc_9CE5B1:				; CODE XREF: RtlSuffixUnicodeString(x,x,x)+5Dj
		mov	cx, [eax+edi]
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	cx, [edi]
		mov	si, ax
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		cmp	ax, si
		jnz	short loc_9CE5EF
		mov	eax, dword ptr [ebp+arg_8]
		add	edi, 2
		cmp	edi, ebx
		jb	short loc_9CE5B1
		jmp	short loc_9CE5EB
; 

loc_9CE5D6:				; CODE XREF: RtlSuffixUnicodeString(x,x,x)+32j
		lea	ecx, [eax+ecx*2]
		sub	ecx, edi

loc_9CE5DB:				; CODE XREF: RtlSuffixUnicodeString(x,x,x)+74j
		mov	ax, [edi]
		cmp	ax, [ecx+edi]
		jnz	short loc_9CE5EF
		add	edi, 2
		cmp	edi, ebx
		jb	short loc_9CE5DB

loc_9CE5EB:				; CODE XREF: RtlSuffixUnicodeString(x,x,x)+25j
					; RtlSuffixUnicodeString(x,x,x)+5Fj
		mov	al, 1
		jmp	short loc_9CE5F1
; 

loc_9CE5EF:				; CODE XREF: RtlSuffixUnicodeString(x,x,x)+17j
					; RtlSuffixUnicodeString(x,x,x)+53j ...
		xor	al, al

loc_9CE5F1:				; CODE XREF: RtlSuffixUnicodeString(x,x,x)+78j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_RtlSuffixUnicodeString@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2392. RtlUpcaseUnicodeStringToAnsiString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUpcaseUnicodeStringToAnsiString(x, x, x)
		public _RtlUpcaseUnicodeStringToAnsiString@12
_RtlUpcaseUnicodeStringToAnsiString@12 proc near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		push	10h
		push	offset dword_6A9150
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	edi, [ebp+arg_4]
		push	edi
		call	_RtlxUnicodeStringToAnsiSize@4 ; RtlxUnicodeStringToAnsiSize(x)
		cmp	eax, 0FFFFh
		jbe	short loc_9CE628
		mov	eax, 0C00000F0h
		jmp	loc_9CE6AE
; 

loc_9CE628:				; CODE XREF: RtlUpcaseUnicodeStringToAnsiString(x,x,x)+1Fj
		movzx	edx, ax
		lea	ecx, [edx-1]
		mov	esi, [ebp+arg_0]
		mov	[esi], cx
		cmp	[ebp+arg_8], bl
		jz	short loc_9CE651
		mov	[esi+2], dx
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[esi+4], eax
		test	eax, eax
		jnz	short loc_9CE65E
		mov	eax, 0C0000017h
		jmp	short loc_9CE6AE
; 

loc_9CE651:				; CODE XREF: RtlUpcaseUnicodeStringToAnsiString(x,x,x)+3Aj
		cmp	cx, [esi+2]
		jb	short loc_9CE65E
		mov	eax, 80000005h
		jmp	short loc_9CE6AE
; 

loc_9CE65E:				; CODE XREF: RtlUpcaseUnicodeStringToAnsiString(x,x,x)+4Bj
					; RtlUpcaseUnicodeStringToAnsiString(x,x,x)+58j
		mov	[ebp+var_1C], ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	[ebp+arg_4], 1
		movzx	eax, word ptr [edi]
		push	eax
		push	dword ptr [edi+4]
		lea	eax, [ebp+var_20]
		push	eax
		movzx	eax, word ptr [esi]
		push	eax
		push	dword ptr [esi+4]
		call	RtlUpcaseUnicodeToMultiByteN
		mov	edi, eax
		mov	[ebp+var_1C], edi
		test	edi, edi
		js	short loc_9CE699
		mov	ecx, [esi+4]
		mov	eax, [ebp+var_20]
		mov	[eax+ecx], bl
		mov	edi, ebx
		mov	[ebp+var_1C], edi

loc_9CE699:				; CODE XREF: RtlUpcaseUnicodeStringToAnsiString(x,x,x)+8Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+arg_4], 0
		call	sub_9CE6C8
		mov	eax, edi

loc_9CE6AE:				; CODE XREF: RtlUpcaseUnicodeStringToAnsiString(x,x,x)+26j
					; RtlUpcaseUnicodeStringToAnsiString(x,x,x)+52j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_RtlUpcaseUnicodeStringToAnsiString@12 endp


;  S U B	R O U T	I N E 


sub_9CE6C0	proc near		; DATA XREF: .text:006A9168o
		xor	ebx, ebx
		mov	esi, [ebp+8]
		mov	edi, [ebp-1Ch]
sub_9CE6C0	endp


;  S U B	R O U T	I N E 


sub_9CE6C8	proc near		; CODE XREF: RtlUpcaseUnicodeStringToAnsiString(x,x,x)+AAp
		cmp	[ebp+0Ch], ebx
		jnz	short loc_9CE6D1
		test	edi, edi
		jns	short locret_9CE6E2

loc_9CE6D1:				; CODE XREF: sub_9CE6C8+3j
		cmp	byte ptr [ebp+10h], 0
		jz	short locret_9CE6E2
		push	dword ptr [esi+4]
		call	_ExFreePool@4	; ExFreePool(x)
		mov	[esi+4], ebx

locret_9CE6E2:				; CODE XREF: sub_9CE6C8+7j
					; sub_9CE6C8+Dj
		retn
sub_9CE6C8	endp

; 
		align 8
; Exported entry 2253. RtlMergeRangeLists

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlMergeRangeLists(x, x, x,	x)
		public _RtlMergeRangeLists@16
_RtlMergeRangeLists@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_4]
		mov	edi, [ebp+arg_0]
		push	edi
		call	RtlCopyRangeList
		mov	esi, eax
		test	esi, esi
		js	loc_9CE7B0
		mov	edx, [ebp+arg_8]
		mov	ecx, [edx]
		lea	ebx, [ecx-1Ch]
		cmp	edx, ecx
		jz	loc_9CE79D

loc_9CE716:				; CODE XREF: RtlMergeRangeLists(x,x,x,x)+AFj
		test	byte ptr [ebx+1Ah], 1
		jz	short loc_9CE765
		mov	ecx, [ebx+10h]
		sub	ecx, 1Ch
		mov	[ebp+arg_4], ecx
		lea	eax, [ecx+0Ch]
		cmp	ebx, eax
		jz	short loc_9CE78F

loc_9CE72C:				; CODE XREF: RtlMergeRangeLists(x,x,x,x)+79j
		call	RtlpCopyRangeListEntry
		test	eax, eax
		jz	short loc_9CE7AB
		mov	ecx, [ebp+arg_4]
		test	byte ptr [ecx+19h], 2
		mov	ecx, [ebp+arg_C]
		jz	short loc_9CE744
		or	ecx, 1

loc_9CE744:				; CODE XREF: RtlMergeRangeLists(x,x,x,x)+57j
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	_RtlpAddRange@12 ; RtlpAddRange(x,x,x)
		mov	ecx, [ebp+arg_4]
		mov	esi, eax
		mov	ecx, [ecx+1Ch]
		sub	ecx, 1Ch
		mov	[ebp+arg_4], ecx
		lea	eax, [ecx+0Ch]
		cmp	ebx, eax
		jnz	short loc_9CE72C
		jmp	short loc_9CE78C
; 

loc_9CE765:				; CODE XREF: RtlMergeRangeLists(x,x,x,x)+32j
		mov	ecx, ebx
		call	RtlpCopyRangeListEntry
		test	eax, eax
		jz	short loc_9CE7AB
		test	byte ptr [ebx+19h], 2
		mov	ecx, [ebp+arg_C]
		jz	short loc_9CE77C
		or	ecx, 1

loc_9CE77C:				; CODE XREF: RtlMergeRangeLists(x,x,x,x)+8Fj
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	_RtlpAddRange@12 ; RtlpAddRange(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9CE7B0

loc_9CE78C:				; CODE XREF: RtlMergeRangeLists(x,x,x,x)+7Bj
		mov	edx, [ebp+arg_8]

loc_9CE78F:				; CODE XREF: RtlMergeRangeLists(x,x,x,x)+42j
		mov	eax, [ebx+1Ch]
		lea	ebx, [eax-1Ch]
		cmp	edx, eax
		jnz	loc_9CE716

loc_9CE79D:				; CODE XREF: RtlMergeRangeLists(x,x,x,x)+28j
		mov	eax, [edx+0Ch]
		add	[edi+0Ch], eax
		mov	eax, [edx+0Ch]
		add	[edi+10h], eax
		jmp	short loc_9CE7B6
; 

loc_9CE7AB:				; CODE XREF: RtlMergeRangeLists(x,x,x,x)+4Bj
					; RtlMergeRangeLists(x,x,x,x)+86j
		mov	esi, 0C000009Ah

loc_9CE7B0:				; CODE XREF: RtlMergeRangeLists(x,x,x,x)+18j
					; RtlMergeRangeLists(x,x,x,x)+A2j
		push	edi
		call	_RtlFreeRangeList@4 ; RtlFreeRangeList(x)

loc_9CE7B6:				; CODE XREF: RtlMergeRangeLists(x,x,x,x)+C1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_RtlMergeRangeLists@16 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2019. RtlCreateUserThread

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCreateUserThread(x, x, x, x, x, x, x, x,	x, x)
		public _RtlCreateUserThread@40
_RtlCreateUserThread@40	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_24]
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		push	[ebp+arg_20]
		cmp	[ebp+arg_8], 1
		push	[ebp+arg_1C]
		setz	al
		push	[ebp+arg_18]
		push	ecx
		push	[ebp+arg_14]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	eax
		call	RtlpCreateUserThreadEx
		pop	ebp
		retn	28h
_RtlCreateUserThread@40	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2115. RtlGetConsoleSessionForegroundProcessId

;  S U B	R O U T	I N E 


; __stdcall RtlGetConsoleSessionForegroundProcessId()
		public _RtlGetConsoleSessionForegroundProcessId@0
_RtlGetConsoleSessionForegroundProcessId@0 proc	near
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	short loc_9CE812
		mov	eax, ds:0FFDF0338h
		mov	edx, ds:0FFDF033Ch
		retn
; 

loc_9CE812:				; CODE XREF: RtlGetConsoleSessionForegroundProcessId()+7j
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edx, [eax+28Ch]
		mov	eax, [edx+8]
		mov	edx, [edx+0Ch]
		retn
_RtlGetConsoleSessionForegroundProcessId@0 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2241. RtlLocalTimeToSystemTime

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLocalTimeToSystemTime(x,	x)
		public _RtlLocalTimeToSystemTime@8
_RtlLocalTimeToSystemTime@8 proc near

var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, [ebp+arg_4]
		lea	eax, [ebp+var_34]
		push	30h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_34]
		push	0
		push	30h
		push	eax
		push	3
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_9CE877
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		add	ecx, [ebp+var_24]
		mov	eax, [eax+4]
		adc	eax, [ebp+var_20]
		mov	[esi+4], eax
		xor	eax, eax
		mov	[esi], ecx

loc_9CE877:				; CODE XREF: RtlLocalTimeToSystemTime(x,x)+37j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_RtlLocalTimeToSystemTime@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2358. RtlTimeToElapsedTimeFields

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlTimeToElapsedTimeFields(x, x)
		public _RtlTimeToElapsedTimeFields@8
_RtlTimeToElapsedTimeFields@8 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		and	[ebp+var_8], 0
		lea	edx, [ebp+var_8]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	eax
		call	TimeToDaysAndFraction
		mov	eax, [ebp+var_4]
		xor	edx, edx
		mov	ecx, 3E8h
		mov	esi, [ebp+arg_4]
		div	ecx
		push	3Ch
		mov	ebx, edx
		mov	edi, eax
		pop	ecx
		xor	edx, edx
		mov	[esi+0Ch], bx
		div	ecx
		xor	ecx, ecx
		xor	edx, edx
		mov	[esi], ecx
		mov	cx, word ptr [ebp+var_8]
		push	3Ch
		mov	[esi+4], cx
		pop	ecx
		div	ecx
		mov	[esi+6], ax
		mov	eax, edi
		mov	[esi+8], dx
		xor	edx, edx
		div	ecx
		pop	edi
		mov	[esi+0Ah], dx
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlTimeToElapsedTimeFields@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1990. RtlCompressChunks

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlCompressChunks(void *,int,void *,int,int,int,int)
		public _RtlCompressChunks@28
_RtlCompressChunks@28 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	ecx, [ebp+arg_10]
		push	ebx
		push	esi
		push	edi
		mov	cl, [ecx+3]
		xor	edi, edi
		inc	edi
		xor	ebx, ebx
		shl	edi, cl
		mov	ecx, [ebp+arg_4]
		mov	eax, ecx
		shr	eax, 4
		mov	edx, ecx
		sub	edx, eax
		mov	[ebp+var_4], ebx
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_8], edx
		xor	edx, edx
		mov	[eax+6], dx
		lea	edx, [eax+8]
		mov	[ebp+var_C], edx
		mov	edx, [ebp+arg_8]

loc_9CE937:				; CODE XREF: RtlCompressChunks(x,x,x,x,x,x,x)+D5j
		mov	esi, ecx
		cmp	ecx, edi
		jb	short loc_9CE93F
		mov	esi, edi

loc_9CE93F:				; CODE XREF: RtlCompressChunks(x,x,x,x,x,x,x)+40j
		push	[ebp+arg_18]
		movzx	eax, word ptr [eax]
		lea	ecx, [ebp+var_4]
		push	ecx
		push	edi
		push	[ebp+var_8]
		push	edx
		push	esi
		push	[ebp+arg_0]
		push	eax
		call	_RtlCompressBuffer@32 ;	RtlCompressBuffer(x,x,x,x,x,x,x,x)
		cmp	eax, 117h
		jnz	short loc_9CE966
		mov	eax, ebx

loc_9CE961:				; CODE XREF: RtlCompressChunks(x,x,x,x,x,x,x)+9Dj
		mov	[ebp+var_4], eax
		jmp	short loc_9CE99D
; 

loc_9CE966:				; CODE XREF: RtlCompressChunks(x,x,x,x,x,x,x)+62j
		test	eax, eax
		jns	short loc_9CE99A
		cmp	[ebp+var_8], edi
		jb	short loc_9CE9D5
		push	esi		; size_t
		push	[ebp+arg_0]	; void *
		push	[ebp+arg_8]	; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	edi, esi
		jbe	short loc_9CE996
		mov	eax, edi
		sub	eax, esi
		push	eax		; size_t
		mov	eax, [ebp+arg_8]
		add	eax, esi
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_9CE996:				; CODE XREF: RtlCompressChunks(x,x,x,x,x,x,x)+85j
		mov	eax, edi
		jmp	short loc_9CE961
; 

loc_9CE99A:				; CODE XREF: RtlCompressChunks(x,x,x,x,x,x,x)+6Dj
		mov	eax, [ebp+var_4]

loc_9CE99D:				; CODE XREF: RtlCompressChunks(x,x,x,x,x,x,x)+69j
		mov	ecx, [ebp+var_C]
		add	[ebp+arg_0], esi
		mov	[ecx], eax
		add	ecx, 4
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_10]
		inc	word ptr [ecx+6]
		mov	ecx, [ebp+arg_4]
		cmp	esi, ecx
		ja	short loc_9CE9DE
		mov	edx, [ebp+arg_8]
		sub	ecx, esi
		sub	[ebp+var_8], eax
		add	edx, eax
		mov	[ebp+arg_4], ecx
		mov	[ebp+arg_8], edx
		test	ecx, ecx
		jz	short loc_9CE9DA
		mov	eax, [ebp+arg_10]
		jmp	loc_9CE937
; 

loc_9CE9D5:				; CODE XREF: RtlCompressChunks(x,x,x,x,x,x,x)+72j
		mov	ebx, 0C0000023h

loc_9CE9DA:				; CODE XREF: RtlCompressChunks(x,x,x,x,x,x,x)+D0j
		mov	eax, ebx
		jmp	short loc_9CE9E3
; 

loc_9CE9DE:				; CODE XREF: RtlCompressChunks(x,x,x,x,x,x,x)+BCj
		mov	eax, 0C0000242h

loc_9CE9E3:				; CODE XREF: RtlCompressChunks(x,x,x,x,x,x,x)+E1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_RtlCompressChunks@28 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2025. RtlDecompressChunks

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlDecompressChunks(void *,int,void *,size_t,void *,int,int)
		public _RtlDecompressChunks@28
_RtlDecompressChunks@28	proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	edx, [ebp+arg_18]
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		movzx	eax, word ptr [edx+6]
		mov	cl, [edx+3]
		mov	[ebp+var_4], eax
		xor	eax, eax
		inc	eax
		shl	eax, cl
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		lea	ecx, [edi+eax]
		mov	[ebp+var_C], ecx
		cmp	ecx, edi
		jb	loc_9CEBCA
		mov	ebx, [ebp+arg_C]
		add	edx, 8
		mov	ecx, [ebp+arg_8]
		mov	[ebp+arg_0], edx

loc_9CEA33:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+ECj
		mov	esi, eax
		cmp	eax, [ebp+var_8]
		jb	short loc_9CEA3D
		mov	esi, [ebp+var_8]

loc_9CEA3D:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+49j
		cmp	[ebp+var_4], 0
		jz	loc_9CEB90
		mov	eax, [edx]
		test	eax, eax
		jz	loc_9CEB90
		mov	edx, [ebp+var_8]
		cmp	eax, edx
		jnz	loc_9CEAE6
		cmp	esi, ebx
		jb	short loc_9CEA98
		cmp	[ebp+arg_14], 0
		jnz	short loc_9CEA6E
		cmp	esi, ebx
		ja	loc_9CEBC3

loc_9CEA6E:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+75j
		push	ebx		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, esi
		sub	eax, ebx
		push	eax		; size_t
		push	[ebp+arg_10]	; void *
		lea	eax, [edi+ebx]
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_10]
		add	esp, 18h
		sub	ecx, ebx
		add	ebx, [ebp+arg_14]
		and	[ebp+arg_14], 0
		jmp	short loc_9CEAA6
; 

loc_9CEA98:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+6Fj
		push	esi		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_9CEAA3:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+1B9j
		mov	ecx, [ebp+arg_8]

loc_9CEAA6:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+A7j
		mov	edx, [ebp+arg_0]

loc_9CEAA9:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+19Cj
					; RtlDecompressChunks(x,x,x,x,x,x,x)+1CFj
		add	edi, esi
		cmp	edi, [ebp+var_C]
		ja	loc_9CEBC3
		mov	eax, [ebp+arg_4]
		cmp	esi, eax
		ja	loc_9CEBC3
		sub	eax, esi
		mov	[ebp+arg_4], eax
		mov	eax, [edx]
		add	ecx, eax
		sub	ebx, eax
		mov	[ebp+arg_8], ecx
		mov	eax, [ebp+arg_4]
		add	edx, 4
		dec	[ebp+var_4]
		mov	[ebp+arg_0], edx
		test	eax, eax
		jnz	loc_9CEA33
		jmp	loc_9CEBCF
; 

loc_9CEAE6:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+67j
		cmp	eax, ebx
		jbe	short loc_9CEB46
		cmp	[ebp+arg_14], 0
		jz	loc_9CEBC3
		mov	eax, edi
		sub	eax, edx
		add	eax, [ebp+arg_4]
		mov	[ebp+arg_C], eax
		lea	edx, [eax+ebx]
		mov	[ebp+arg_8], edx
		cmp	edx, eax
		jb	loc_9CEBCA
		cmp	eax, edi
		jb	loc_9CEBC3
		cmp	edx, [ebp+var_C]
		ja	loc_9CEBC3
		push	ebx		; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memmove
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		sub	eax, ebx
		push	eax		; size_t
		push	[ebp+arg_10]	; void *
		push	[ebp+arg_8]	; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 18h
		mov	ecx, [ebp+arg_C]
		mov	[ebp+arg_8], ecx
		mov	eax, [eax]

loc_9CEB46:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+F9j
		lea	edx, [ebp+var_10]
		push	edx
		push	eax
		mov	eax, [ebp+arg_18]
		push	ecx
		push	esi
		push	edi
		movzx	eax, word ptr [eax]
		push	eax
		call	_RtlDecompressBuffer@24	; RtlDecompressBuffer(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9CEBCF
		mov	ecx, [ebp+var_10]
		cmp	esi, ecx
		jbe	short loc_9CEB78
		mov	eax, esi
		sub	eax, ecx
		push	eax		; size_t
		lea	eax, [ecx+edi]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_9CEB78:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+174j
		mov	edx, [ebp+arg_0]
		cmp	[edx], ebx
		jb	short loc_9CEBBB
		mov	ecx, [ebp+arg_10]
		sub	ecx, ebx
		add	ebx, [ebp+arg_14]
		and	[ebp+arg_14], 0
		jmp	loc_9CEAA9
; 

loc_9CEB90:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+52j
					; RtlDecompressChunks(x,x,x,x,x,x,x)+5Cj
		lea	eax, [esi+edi]
		cmp	eax, [ebp+var_C]
		ja	short loc_9CEBC3
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+var_4], 0
		jnz	loc_9CEAA3
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_4], 1
		sub	edx, 4

loc_9CEBBB:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+18Ej
		mov	ecx, [ebp+arg_8]
		jmp	loc_9CEAA9
; 

loc_9CEBC3:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+79j
					; RtlDecompressChunks(x,x,x,x,x,x,x)+BFj ...
		mov	eax, 0C0000242h
		jmp	short loc_9CEBCF
; 

loc_9CEBCA:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+32j
					; RtlDecompressChunks(x,x,x,x,x,x,x)+117j
		mov	eax, 0C000000Dh

loc_9CEBCF:				; CODE XREF: RtlDecompressChunks(x,x,x,x,x,x,x)+F2j
					; RtlDecompressChunks(x,x,x,x,x,x,x)+16Dj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_RtlDecompressChunks@28	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2026. RtlDecompressFragment

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDecompressFragment(x, x,	x, x, x, x, x, x)
		public _RtlDecompressFragment@32
_RtlDecompressFragment@32 proc near

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, [ebp+arg_0]
		test	ax, ax
		jz	short loc_9CEC1A
		cmp	eax, 1
		jz	short loc_9CEC1A
		cmp	eax, 4
		jbe	short loc_9CEBFA
		mov	eax, 0C000025Fh
		jmp	short loc_9CEC1F
; 

loc_9CEBFA:				; CODE XREF: RtlDecompressFragment(x,x,x,x,x,x,x,x)+16j
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	0
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	ds:_RtlDecompressFragmentProcs[eax*4]
		jmp	short loc_9CEC1F
; 

loc_9CEC1A:				; CODE XREF: RtlDecompressFragment(x,x,x,x,x,x,x,x)+Cj
					; RtlDecompressFragment(x,x,x,x,x,x,x,x)+11j
		mov	eax, 0C000000Dh

loc_9CEC1F:				; CODE XREF: RtlDecompressFragment(x,x,x,x,x,x,x,x)+1Dj
					; RtlDecompressFragment(x,x,x,x,x,x,x,x)+3Dj
		pop	ebp
		retn	20h
_RtlDecompressFragment@32 endp

; 
		align 8
; Exported entry 2040. RtlDescribeChunk

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDescribeChunk(x,	x, x, x, x)
		public _RtlDescribeChunk@20
_RtlDescribeChunk@20 proc near

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, [ebp+arg_0]
		test	ax, ax
		jz	short loc_9CEC5C
		cmp	eax, 1
		jz	short loc_9CEC5C
		cmp	eax, 4
		jbe	short loc_9CEC47
		mov	eax, 0C000025Fh
		jmp	short loc_9CEC61
; 

loc_9CEC47:				; CODE XREF: RtlDescribeChunk(x,x,x,x,x)+16j
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	ds:_RtlDescribeChunkProcs[eax*4]
		jmp	short loc_9CEC61
; 

loc_9CEC5C:				; CODE XREF: RtlDescribeChunk(x,x,x,x,x)+Cj
					; RtlDescribeChunk(x,x,x,x,x)+11j
		mov	eax, 0C000000Dh

loc_9CEC61:				; CODE XREF: RtlDescribeChunk(x,x,x,x,x)+1Dj
					; RtlDescribeChunk(x,x,x,x,x)+32j
		pop	ebp
		retn	14h
_RtlDescribeChunk@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2316. RtlReserveChunk

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlReserveChunk(x, x, x, x,	x)
		public _RtlReserveChunk@20
_RtlReserveChunk@20 proc near

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, [ebp+arg_0]
		test	ax, ax
		jz	short loc_9CEC9E
		cmp	eax, 1
		jz	short loc_9CEC9E
		cmp	eax, 4
		jbe	short loc_9CEC89
		mov	eax, 0C000025Fh
		jmp	short loc_9CECA3
; 

loc_9CEC89:				; CODE XREF: RtlReserveChunk(x,x,x,x,x)+16j
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	ds:_RtlReserveChunkProcs[eax*4]
		jmp	short loc_9CECA3
; 

loc_9CEC9E:				; CODE XREF: RtlReserveChunk(x,x,x,x,x)+Cj
					; RtlReserveChunk(x,x,x,x,x)+11j
		mov	eax, 0C000000Dh

loc_9CECA3:				; CODE XREF: RtlReserveChunk(x,x,x,x,x)+1Dj
					; RtlReserveChunk(x,x,x,x,x)+32j
		pop	ebp
		retn	14h
_RtlReserveChunk@20 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 1343. LdrEnumResources

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrEnumResources(x,	x, x, x, x)
		public _LdrEnumResources@20
_LdrEnumResources@20 proc near

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, [ebp+arg_C]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], edi
		cmp	[ebp+arg_10], edi
		jnz	short loc_9CECC8
		and	[ebp+var_18], edi
		jmp	short loc_9CECCD
; 

loc_9CECC8:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+15j
		mov	ecx, [eax]
		mov	[ebp+var_18], ecx

loc_9CECCD:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+1Aj
		and	[eax], edi
		lea	eax, [ebp+var_3C]
		push	eax
		push	2
		push	1
		push	[ebp+arg_0]
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9CECEF
		mov	eax, 0C0000089h
		jmp	loc_9CEED4
; 

loc_9CECEF:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+37j
		movzx	ecx, word ptr [esi+0Eh]
		movzx	eax, word ptr [esi+0Ch]
		push	ebx
		add	ecx, eax
		mov	[ebp+var_28], edi
		push	0
		mov	[ebp+var_3C], ecx
		lea	ebx, [esi+10h]
		pop	ecx
		mov	[ebp+var_2C], ecx
		jz	loc_9CEECC

loc_9CED0F:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+214j
		cmp	[ebp+arg_8], 0
		jbe	short loc_9CED32
		mov	eax, [ebp+arg_4]
		lea	ecx, [ebp-1]
		push	ecx		; int
		push	ebx		; int
		push	esi		; int
		mov	eax, [eax]
		push	eax		; wchar_t *
		mov	byte ptr [ebp+var_1], 0
		call	_LdrpCompareResourceNamesWithValidation@24 ; LdrpCompareResourceNamesWithValidation(x,x,x,x,x,x)
		test	eax, eax
		jnz	loc_9CEEB3

loc_9CED32:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+67j
		mov	eax, [ebx+4]
		test	eax, eax
		jns	loc_9CEEDA
		mov	edi, [ebx]
		test	edi, edi
		jns	short loc_9CED4D
		and	edi, 7FFFFFFFh
		add	edi, esi
		jmp	short loc_9CED50
; 

loc_9CED4D:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+95j
		movzx	edi, di

loc_9CED50:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+9Fj
		and	eax, 7FFFFFFFh
		mov	[ebp+var_24], 0
		lea	ecx, [esi+10h]
		add	ecx, eax
		mov	[ebp+var_10], ecx
		movzx	edx, word ptr [eax+esi+0Eh]
		movzx	eax, word ptr [eax+esi+0Ch]
		add	edx, eax
		mov	[ebp+var_38], edx
		jz	loc_9CEEB3

loc_9CED79:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+201j
		cmp	[ebp+arg_8], 1
		jbe	short loc_9CEDA0
		mov	eax, [ebp+arg_4]
		lea	edx, [ebp+var_1]
		push	edx		; int
		push	ecx		; int
		push	esi		; int
		mov	eax, [eax+4]
		push	eax		; wchar_t *
		mov	byte ptr [ebp+var_1], 0
		call	_LdrpCompareResourceNamesWithValidation@24 ; LdrpCompareResourceNamesWithValidation(x,x,x,x,x,x)
		test	eax, eax
		jnz	loc_9CEE9A
		mov	ecx, [ebp+var_10]

loc_9CEDA0:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+D1j
		mov	eax, [ecx+4]
		test	eax, eax
		jns	loc_9CEEDA
		mov	ecx, [ecx]
		test	ecx, ecx
		jns	short loc_9CEDBB
		and	ecx, 7FFFFFFFh
		add	ecx, esi
		jmp	short loc_9CEDC1
; 

loc_9CEDBB:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+103j
		mov	ecx, [ebp+var_10]
		movzx	ecx, word ptr [ecx]

loc_9CEDC1:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+10Dj
		and	eax, 7FFFFFFFh
		mov	[ebp+var_1C], ecx
		lea	edx, [esi+10h]
		mov	[ebp+var_20], 0
		add	edx, eax
		mov	[ebp+var_14], edx
		movzx	ecx, word ptr [eax+esi+0Eh]
		movzx	eax, word ptr [eax+esi+0Ch]
		add	ecx, eax
		mov	[ebp+var_34], ecx
		jz	loc_9CEE9A
		imul	ecx, [ebp+var_C], arg_10
		add	ecx, [ebp+arg_10]
		mov	[ebp+var_8], ecx

loc_9CEDF7:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+1E8j
		cmp	[ebp+arg_8], 2
		jbe	short loc_9CEE1D
		mov	eax, [ebp+arg_4]
		lea	ecx, [ebp+var_1]
		push	ecx		; int
		push	edx		; int
		push	esi		; int
		mov	eax, [eax+8]
		push	eax		; wchar_t *
		mov	byte ptr [ebp+var_1], 0
		call	_LdrpCompareResourceNamesWithValidation@24 ; LdrpCompareResourceNamesWithValidation(x,x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		test	eax, eax
		jnz	short loc_9CEE81
		mov	edx, [ebp+var_14]

loc_9CEE1D:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+14Fj
		mov	eax, [edx+4]
		mov	[ebp+var_30], eax
		test	eax, eax
		js	loc_9CEEDA
		mov	eax, [edx]
		test	eax, eax
		jns	short loc_9CEE3A
		and	eax, 7FFFFFFFh
		add	eax, esi
		jmp	short loc_9CEE3D
; 

loc_9CEE3A:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+183j
		movzx	eax, ax

loc_9CEE3D:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+18Cj
		inc	[ebp+var_C]
		mov	edx, ecx
		add	ecx, 18h
		mov	[ebp+var_8], ecx
		mov	ecx, [ebp+var_18]
		cmp	[ebp+var_C], ecx
		mov	ecx, [ebp+var_8]
		ja	short loc_9CEE7A
		mov	ecx, [ebp+var_1C]
		mov	[edx+4], ecx
		mov	ecx, [ebp+var_30]
		mov	[edx+8], eax
		mov	[edx], edi
		mov	eax, [ecx+esi]
		add	eax, [ebp+arg_0]
		mov	[edx+0Ch], eax
		mov	eax, [ecx+esi+4]
		and	dword ptr [edx+14h], 0
		mov	ecx, [ebp+var_8]
		mov	[edx+10h], eax
		jmp	short loc_9CEE81
; 

loc_9CEE7A:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+1A5j
		mov	[ebp+var_2C], 0C0000004h

loc_9CEE81:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+16Cj
					; LdrEnumResources(x,x,x,x,x)+1CCj
		mov	eax, [ebp+var_20]
		mov	edx, [ebp+var_14]
		inc	eax
		add	edx, 8
		mov	[ebp+var_20], eax
		mov	[ebp+var_14], edx
		cmp	eax, [ebp+var_34]
		jb	loc_9CEDF7

loc_9CEE9A:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+EBj
					; LdrEnumResources(x,x,x,x,x)+13Bj
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+var_10]
		inc	eax
		add	ecx, 8
		mov	[ebp+var_24], eax
		mov	[ebp+var_10], ecx
		cmp	eax, [ebp+var_38]
		jb	loc_9CED79

loc_9CEEB3:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+80j
					; LdrEnumResources(x,x,x,x,x)+C7j
		mov	eax, [ebp+var_28]
		add	ebx, 8
		inc	eax
		mov	[ebp+var_28], eax
		cmp	eax, [ebp+var_3C]
		jb	loc_9CED0F
		mov	edi, [ebp+var_C]
		mov	ecx, [ebp+var_2C]

loc_9CEECC:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+5Dj
		mov	eax, [ebp+arg_C]
		mov	[eax], edi
		mov	eax, ecx

loc_9CEED3:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+233j
		pop	ebx

loc_9CEED4:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+3Ej
		pop	edi
		pop	esi
		leave
		retn	14h
; 

loc_9CEEDA:				; CODE XREF: LdrEnumResources(x,x,x,x,x)+8Bj
					; LdrEnumResources(x,x,x,x,x)+F9j ...
		mov	eax, 0C000007Bh
		jmp	short loc_9CEED3
_LdrEnumResources@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1344. LdrFindResourceDirectory_U

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrFindResourceDirectory_U(x, x, x,	x)
		public _LdrFindResourceDirectory_U@16
_LdrFindResourceDirectory_U@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	2
		push	[ebp+arg_8]
		call	_LdrpSearchResourceSection_U@20	; LdrpSearchResourceSection_U(x,x,x,x,x)
		pop	ebp
		retn	10h
_LdrFindResourceDirectory_U@16 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1345. LdrFindResourceEx_U

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrFindResourceEx_U(x, x, x, x, x)
		public _LdrFindResourceEx_U@20
_LdrFindResourceEx_U@20	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_8]
		push	[ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	[ebp+arg_C]
		call	_LdrpSearchResourceSection_U@20	; LdrpSearchResourceSection_U(x,x,x,x,x)
		pop	ebp
		retn	14h
_LdrFindResourceEx_U@20	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2021. RtlCustomCPToUnicodeN

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCustomCPToUnicodeN(x, x,	x, x, x, x)
		public _RtlCustomCPToUnicodeN@24
_RtlCustomCPToUnicodeN@24 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	eax, 0FDE9h
		push	esi
		cmp	[ecx], ax
		jnz	short loc_9CEF76
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	short loc_9CEF46
		lea	eax, [ebp+arg_0]

loc_9CEF46:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+18j
		xor	esi, esi
		cmp	[ebp+arg_14], esi
		jnz	short loc_9CEF51
		mov	[eax], esi
		jmp	short loc_9CEF6F
; 

loc_9CEF51:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+22j
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	RtlUTF8ToUnicodeN
		cmp	eax, 0C0000023h
		jnz	short loc_9CEF6F
		mov	esi, 80000005h

loc_9CEF6F:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+26j
					; RtlCustomCPToUnicodeN(x,x,x,x,x,x)+3Fj
		mov	eax, esi
		jmp	loc_9CF056
; 

loc_9CEF76:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+11j
		push	ebx
		mov	ebx, [ebp+arg_8]
		xor	esi, esi
		shr	ebx, 1
		push	edi
		mov	edi, [ebp+arg_14]
		mov	[ebp+arg_8], ebx
		cmp	[ecx+0Ch], si
		jnz	short loc_9CEFD2
		mov	edx, ebx
		cmp	ebx, edi
		jb	short loc_9CEF93
		mov	edx, edi

loc_9CEF93:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+66j
		cmp	[ebp+arg_C], esi
		jz	short loc_9CEFA3
		mov	ecx, [ebp+arg_C]
		lea	eax, [edx+edx]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_0]

loc_9CEFA3:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+6Dj
		mov	eax, [ecx+1Ch]
		mov	[ebp+arg_0], eax
		test	edx, edx
		jz	loc_9CF04B
		mov	ecx, [ebp+arg_10]
		mov	edi, eax
		mov	ebx, [ebp+arg_4]

loc_9CEFB9:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+9Fj
		movzx	eax, byte ptr [esi+ecx]
		mov	ax, [edi+eax*2]
		mov	[ebx+esi*2], ax
		inc	esi
		cmp	esi, edx
		jb	short loc_9CEFB9
		mov	edi, [ebp+arg_14]
		mov	ebx, [ebp+arg_8]
		jmp	short loc_9CF04B
; 

loc_9CEFD2:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+60j
		mov	edx, [ebp+arg_4]
		mov	esi, edx
		mov	eax, [ecx+28h]
		mov	[ebp+arg_4], esi
		mov	[ebp+arg_8], eax
		test	ebx, ebx
		jz	short loc_9CF040
		mov	esi, [ebp+arg_10]

loc_9CEFE7:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+112j
		test	edi, edi
		jz	short loc_9CF03D
		movzx	eax, byte ptr [esi]
		dec	ebx
		mov	ecx, [ebp+arg_8]
		add	eax, eax
		mov	[ebp+arg_10], eax
		dec	edi
		movzx	eax, word ptr [eax+ecx]
		mov	ecx, eax
		mov	[ebp+arg_14], ecx
		mov	ecx, [ebp+arg_0]
		test	ax, ax
		jz	short loc_9CF020
		test	edi, edi
		jz	short loc_9CF05B
		inc	esi
		movzx	eax, ax
		dec	edi
		movzx	ecx, byte ptr [esi]
		add	ecx, eax
		mov	eax, [ebp+arg_8]
		movzx	eax, word ptr [eax+ecx*2]
		jmp	short loc_9CF02A
; 

loc_9CF020:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+DEj
		mov	eax, [ecx+1Ch]
		mov	ecx, [ebp+arg_10]
		movzx	eax, word ptr [ecx+eax]

loc_9CF02A:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+F5j
		mov	[ebp+arg_14], eax
		inc	esi
		mov	ecx, [ebp+arg_14]
		lea	eax, [edx+2]
		mov	[edx], cx
		mov	edx, eax
		test	ebx, ebx
		jnz	short loc_9CEFE7

loc_9CF03D:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+C0j
					; RtlCustomCPToUnicodeN(x,x,x,x,x,x)+13Aj
		mov	esi, [ebp+arg_4]

loc_9CF040:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+B9j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_9CF04B
		sub	edx, esi
		mov	[eax], edx

loc_9CF04B:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+82j
					; RtlCustomCPToUnicodeN(x,x,x,x,x,x)+A7j ...
		cmp	ebx, edi
		pop	edi
		sbb	eax, eax
		and	eax, 80000005h
		pop	ebx

loc_9CF056:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+48j
		pop	esi
		pop	ebp
		retn	18h
; 

loc_9CF05B:				; CODE XREF: RtlCustomCPToUnicodeN(x,x,x,x,x,x)+E2j
		xor	eax, eax
		mov	[edx], ax
		add	edx, 2
		jmp	short loc_9CF03D
_RtlCustomCPToUnicodeN@24 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2381. RtlUnicodeToCustomCPN

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUnicodeToCustomCPN(x, x,	x, x, x, x)
		public _RtlUnicodeToCustomCPN@24
_RtlUnicodeToCustomCPN@24 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, 0FDE9h
		push	esi
		cmp	[eax], cx
		jnz	short loc_9CF0B7
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	short loc_9CF087
		lea	eax, [ebp+arg_C]

loc_9CF087:				; CODE XREF: RtlUnicodeToCustomCPN(x,x,x,x,x,x)+18j
		xor	esi, esi
		cmp	[ebp+arg_14], esi
		jnz	short loc_9CF092
		mov	[eax], esi
		jmp	short loc_9CF0B0
; 

loc_9CF092:				; CODE XREF: RtlUnicodeToCustomCPN(x,x,x,x,x,x)+22j
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	RtlUnicodeToUTF8N
		cmp	eax, 0C0000023h
		jnz	short loc_9CF0B0
		mov	esi, 80000005h

loc_9CF0B0:				; CODE XREF: RtlUnicodeToCustomCPN(x,x,x,x,x,x)+26j
					; RtlUnicodeToCustomCPN(x,x,x,x,x,x)+3Fj
		mov	eax, esi
		jmp	loc_9CF165
; 

loc_9CF0B7:				; CODE XREF: RtlUnicodeToCustomCPN(x,x,x,x,x,x)+11j
		mov	ecx, [ebp+arg_8]
		xor	esi, esi
		push	ebx
		push	edi
		mov	edi, [ebp+arg_14]
		shr	edi, 1
		mov	[ebp+arg_0], edi
		cmp	[eax+0Ch], si
		jnz	short loc_9CF103
		mov	edx, edi
		cmp	edi, ecx
		jb	short loc_9CF0D4
		mov	edx, ecx

loc_9CF0D4:				; CODE XREF: RtlUnicodeToCustomCPN(x,x,x,x,x,x)+66j
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jz	short loc_9CF0DD
		mov	[ebx], edx

loc_9CF0DD:				; CODE XREF: RtlUnicodeToCustomCPN(x,x,x,x,x,x)+6Fj
		mov	eax, [eax+20h]
		test	edx, edx
		jz	short loc_9CF15A
		mov	ebx, [ebp+arg_10]
		mov	ecx, eax
		mov	edi, [ebp+arg_4]

loc_9CF0EC:				; CODE XREF: RtlUnicodeToCustomCPN(x,x,x,x,x,x)+8Fj
		movzx	eax, word ptr [ebx+esi*2]
		mov	al, [eax+ecx]
		mov	[esi+edi], al
		inc	esi
		cmp	esi, edx
		jb	short loc_9CF0EC
		mov	ecx, [ebp+arg_8]
		mov	edi, [ebp+arg_0]
		jmp	short loc_9CF15A
; 

loc_9CF103:				; CODE XREF: RtlUnicodeToCustomCPN(x,x,x,x,x,x)+60j
		mov	edx, [ebp+arg_4]
		mov	ebx, edx
		mov	eax, [eax+20h]
		mov	[ebp+arg_14], ebx
		mov	[ebp+arg_4], eax
		test	edi, edi
		jz	short loc_9CF14F
		mov	esi, [ebp+arg_10]

loc_9CF118:				; CODE XREF: RtlUnicodeToCustomCPN(x,x,x,x,x,x)+E0j
		test	ecx, ecx
		jz	short loc_9CF14C
		movzx	eax, word ptr [esi]
		add	esi, 2
		mov	ebx, [ebp+arg_4]
		movzx	eax, word ptr [ebx+eax*2]
		mov	ebx, eax
		mov	[ebp+arg_8], eax
		shr	ebx, 8
		test	bl, bl
		jz	short loc_9CF143
		mov	eax, ecx
		dec	ecx
		cmp	eax, 2
		jb	short loc_9CF14C
		mov	eax, [ebp+arg_8]
		mov	[edx], bl
		inc	edx

loc_9CF143:				; CODE XREF: RtlUnicodeToCustomCPN(x,x,x,x,x,x)+C9j
		mov	[edx], al
		inc	edx
		dec	ecx
		sub	edi, 1
		jnz	short loc_9CF118

loc_9CF14C:				; CODE XREF: RtlUnicodeToCustomCPN(x,x,x,x,x,x)+B0j
					; RtlUnicodeToCustomCPN(x,x,x,x,x,x)+D1j
		mov	ebx, [ebp+arg_14]

loc_9CF14F:				; CODE XREF: RtlUnicodeToCustomCPN(x,x,x,x,x,x)+A9j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_9CF15A
		sub	edx, ebx
		mov	[eax], edx

loc_9CF15A:				; CODE XREF: RtlUnicodeToCustomCPN(x,x,x,x,x,x)+78j
					; RtlUnicodeToCustomCPN(x,x,x,x,x,x)+97j ...
		cmp	ecx, edi
		pop	edi
		sbb	eax, eax
		and	eax, 80000005h
		pop	ebx

loc_9CF165:				; CODE XREF: RtlUnicodeToCustomCPN(x,x,x,x,x,x)+48j
		pop	esi
		pop	ebp
		retn	18h
_RtlUnicodeToCustomCPN@24 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2395. RtlUpcaseUnicodeToCustomCPN

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUpcaseUnicodeToCustomCPN(x, x, x, x, x, x)
		public _RtlUpcaseUnicodeToCustomCPN@24
_RtlUpcaseUnicodeToCustomCPN@24	proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_14]
		push	esi
		mov	esi, [ebp+arg_8]
		shr	ebx, 1
		push	edi
		mov	[ebp+arg_14], ebx
		cmp	[edx+0Ch], ax
		jnz	short loc_9CF1E8
		mov	edi, ebx
		cmp	ebx, esi
		jb	short loc_9CF197
		mov	edi, esi

loc_9CF197:				; CODE XREF: RtlUpcaseUnicodeToCustomCPN(x,x,x,x,x,x)+24j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_9CF1A0
		mov	[eax], edi

loc_9CF1A0:				; CODE XREF: RtlUpcaseUnicodeToCustomCPN(x,x,x,x,x,x)+2Dj
		mov	ecx, [edx+20h]
		mov	[ebp+arg_C], ecx
		test	edi, edi
		jz	loc_9CF27A
		mov	ebx, edx
		xor	esi, esi

loc_9CF1B2:				; CODE XREF: RtlUpcaseUnicodeToCustomCPN(x,x,x,x,x,x)+6Cj
		mov	eax, [ebp+arg_10]
		movzx	eax, word ptr [eax+esi*2]
		movzx	ecx, byte ptr [eax+ecx]
		mov	eax, [ebx+1Ch]
		mov	cx, [eax+ecx*2]
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, [ebp+arg_C]
		mov	edx, [ebp+arg_4]
		movzx	eax, ax
		mov	al, [eax+ecx]
		mov	[esi+edx], al
		inc	esi
		cmp	esi, edi
		jb	short loc_9CF1B2
		mov	esi, [ebp+arg_8]
		mov	ebx, [ebp+arg_14]
		jmp	loc_9CF27A
; 

loc_9CF1E8:				; CODE XREF: RtlUpcaseUnicodeToCustomCPN(x,x,x,x,x,x)+1Ej
		mov	edi, [ebp+arg_4]
		mov	eax, [edx+28h]
		mov	ecx, [edx+20h]
		mov	[ebp+var_8], edi
		mov	[ebp+arg_4], eax
		mov	[ebp+var_4], ecx
		test	ebx, ebx
		jz	short loc_9CF26E
		mov	eax, [ebp+arg_10]
		mov	[ebp+arg_14], eax

loc_9CF204:				; CODE XREF: RtlUpcaseUnicodeToCustomCPN(x,x,x,x,x,x)+FDj
		test	esi, esi
		jz	short loc_9CF26E
		movzx	eax, word ptr [eax]
		mov	edx, [ebp+arg_4]
		add	[ebp+arg_14], 2
		movzx	ecx, word ptr [ecx+eax*2]
		mov	eax, ecx
		movzx	ecx, cl
		shr	eax, 8
		movzx	eax, word ptr [edx+eax*2]
		mov	edx, [ebp+arg_0]
		test	ax, ax
		jz	short loc_9CF235
		add	eax, ecx
		mov	ecx, [ebp+arg_4]
		movzx	ecx, word ptr [ecx+eax*2]
		jmp	short loc_9CF23C
; 

loc_9CF235:				; CODE XREF: RtlUpcaseUnicodeToCustomCPN(x,x,x,x,x,x)+B9j
		mov	eax, [edx+1Ch]
		movzx	ecx, word ptr [eax+ecx*2]

loc_9CF23C:				; CODE XREF: RtlUpcaseUnicodeToCustomCPN(x,x,x,x,x,x)+C4j
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	ecx, [ebp+var_4]
		movzx	eax, ax
		movzx	edx, word ptr [ecx+eax*2]
		mov	ecx, edx
		shr	ecx, 8
		test	cl, cl
		jz	short loc_9CF25F
		mov	eax, esi
		dec	esi
		cmp	eax, 2
		jb	short loc_9CF26E
		mov	[edi], cl
		inc	edi

loc_9CF25F:				; CODE XREF: RtlUpcaseUnicodeToCustomCPN(x,x,x,x,x,x)+E3j
		mov	eax, [ebp+arg_14]
		mov	ecx, [ebp+var_4]
		mov	[edi], dl
		inc	edi
		dec	esi
		sub	ebx, 1
		jnz	short loc_9CF204

loc_9CF26E:				; CODE XREF: RtlUpcaseUnicodeToCustomCPN(x,x,x,x,x,x)+8Dj
					; RtlUpcaseUnicodeToCustomCPN(x,x,x,x,x,x)+97j	...
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_9CF27A
		sub	edi, [ebp+var_8]
		mov	[eax], edi

loc_9CF27A:				; CODE XREF: RtlUpcaseUnicodeToCustomCPN(x,x,x,x,x,x)+39j
					; RtlUpcaseUnicodeToCustomCPN(x,x,x,x,x,x)+74j	...
		cmp	esi, ebx
		pop	edi
		sbb	eax, eax
		pop	esi
		and	eax, 80000005h
		pop	ebx
		leave
		retn	18h
_RtlUpcaseUnicodeToCustomCPN@24	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1956. RtlAppendAsciizToString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlAppendAsciizToString(int,void *)
		public _RtlAppendAsciizToString@8
_RtlAppendAsciizToString@8 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		test	edx, edx
		jz	short loc_9CF2D8
		mov	esi, edx
		lea	ecx, [esi+1]

loc_9CF2A3:				; CODE XREF: RtlAppendAsciizToString(x,x)+19j
		mov	al, [esi]
		inc	esi
		test	al, al
		jnz	short loc_9CF2A3
		sub	esi, ecx
		cmp	esi, 0FFFFh
		ja	short loc_9CF2E1
		mov	edi, [ebp+arg_0]
		movzx	ebx, word ptr [edi]
		movzx	eax, word ptr [edi+2]
		lea	ecx, [ebx+esi]
		cmp	ecx, eax
		ja	short loc_9CF2E1
		mov	eax, [edi+4]
		push	esi		; size_t
		push	edx		; void *
		add	eax, ebx
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch
		add	[edi], si

loc_9CF2D8:				; CODE XREF: RtlAppendAsciizToString(x,x)+Dj
		xor	eax, eax

loc_9CF2DA:				; CODE XREF: RtlAppendAsciizToString(x,x)+57j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_9CF2E1:				; CODE XREF: RtlAppendAsciizToString(x,x)+23j
					; RtlAppendAsciizToString(x,x)+34j
		mov	eax, 0C0000023h
		jmp	short loc_9CF2DA
_RtlAppendAsciizToString@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2098. RtlFormatMessage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFormatMessage(x,	x, x, x, x, x, x, x, x)
		public _RtlFormatMessage@36
_RtlFormatMessage@36 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_RtlFormatMessageEx@40 ; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	24h
_RtlFormatMessage@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlFormatMessageEx(x, x, x,	x, x, x, x, x, x, x)
_RtlFormatMessageEx@40 proc near	; CODE XREF: PiGetDeviceRegProperty+14A02Cp
					; PiGetDeviceRegistryProperty(x,x,x,x,x,x)+218p ...

var_700		= dword	ptr -700h
var_6FC		= dword	ptr -6FCh
var_6F8		= dword	ptr -6F8h
var_6F4		= dword	ptr -6F4h
var_6F0		= dword	ptr -6F0h
var_6EC		= dword	ptr -6ECh
var_6E8		= dword	ptr -6E8h
var_6E4		= dword	ptr -6E4h
var_6E0		= dword	ptr -6E0h
var_6DC		= dword	ptr -6DCh
var_6D8		= dword	ptr -6D8h
var_6D4		= dword	ptr -6D4h
var_6D0		= dword	ptr -6D0h
var_6CC		= dword	ptr -6CCh
var_6C8		= dword	ptr -6C8h
var_6C4		= dword	ptr -6C4h
var_6C0		= byte ptr -6C0h
var_6BC		= dword	ptr -6BCh
var_6B8		= dword	ptr -6B8h
var_6B4		= dword	ptr -6B4h
var_6B0		= dword	ptr -6B0h
var_6AC		= dword	ptr -6ACh
var_6A8		= dword	ptr -6A8h
var_6A4		= dword	ptr -6A4h
var_6A0		= dword	ptr -6A0h
var_69C		= dword	ptr -69Ch
var_695		= byte ptr -695h
var_694		= dword	ptr -694h
var_690		= dword	ptr -690h
var_689		= byte ptr -689h
var_688		= byte ptr -688h
var_684		= dword	ptr -684h
var_48		= word ptr -48h
var_40		= dword	ptr -40h
var_A		= dword	ptr -0Ah
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 700h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_14]
		mov	ebx, ecx
		mov	ecx, [ebp+arg_18]
		mov	[ebp+var_6D4], edx
		xor	edx, edx
		mov	[ebp+var_6A8], eax
		mov	eax, [ebp+arg_10]
		mov	esi, eax
		shr	edi, 1
		mov	[ebp+var_700], ecx
		mov	ecx, edx
		mov	[ebp+var_6C4], eax
		mov	[ebp+var_6B4], edx
		mov	[ebp+var_6B0], edx
		mov	[ebp+var_6A4], edx
		mov	[ebp+var_694], edi
		mov	[ebp+var_6D8], 25h
		mov	[ebp+var_6DC], 8
		mov	[ebp+var_6C8], 30h
		mov	[ebp+var_6CC], 39h
		mov	[ebp+var_6D0], 21h
		mov	[ebp+var_6E0], 68h
		mov	[ebp+var_6E4], 77h
		mov	[ebp+var_6E8], 6Ch
		mov	[ebp+var_6F0], 0Dh
		mov	[ebp+var_6F4], 0Ah
		mov	[ebp+var_6FC], 9
		mov	[ebp+var_6F8], 20h

loc_9CF3EE:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+8EFj
		mov	[ebp+var_6AC], edx

loc_9CF3F4:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+8CEj
		mov	[ebp+var_6A0], esi
		mov	[ebp+var_69C], ecx

loc_9CF400:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+7ACj
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+7B5j	...
		movzx	eax, word ptr [ebx]
		test	ax, ax
		jz	loc_9CFC13
		add	ebx, 2
		cmp	ax, word ptr [ebp+var_6D8]
		jnz	loc_9CFA33
		movzx	ecx, word ptr [ebx]
		push	30h
		mov	[ebp+var_6EC], esi
		lea	eax, [ecx-31h]
		cmp	ax, word ptr [ebp+var_6DC]
		pop	eax
		ja	loc_9CF8FF
		add	ebx, 2
		sub	ecx, eax
		mov	[ebp+var_690], ebx
		movzx	edx, word ptr [ebx]
		mov	eax, edx
		cmp	dx, word ptr [ebp+var_6C8]
		jb	short loc_9CF4B8
		cmp	dx, word ptr [ebp+var_6CC]
		ja	short loc_9CF4B8
		add	ebx, 2
		imul	ecx, 0Ah
		add	eax, 0FFFFFFD0h
		mov	[ebp+var_690], ebx
		movzx	edx, word ptr [ebx]
		add	ecx, eax
		mov	eax, edx
		cmp	dx, word ptr [ebp+var_6C8]
		jb	short loc_9CF4B8
		cmp	dx, word ptr [ebp+var_6CC]
		ja	short loc_9CF4B8
		imul	eax, ecx, 0Ah
		add	ebx, 2
		add	edx, 0FFFFFFD0h
		mov	[ebp+var_690], ebx
		push	30h
		movzx	ecx, word ptr [ebx]
		add	eax, edx
		pop	edx
		mov	[ebp+var_6BC], eax
		mov	eax, ecx
		cmp	cx, dx
		jb	short loc_9CF4B2
		push	39h
		pop	edx
		cmp	cx, dx
		jbe	loc_9CFC0C

loc_9CF4B2:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+18Cj
		mov	ecx, [ebp+var_6BC]

loc_9CF4B8:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+137j
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+140j	...
		mov	dword ptr [ebp+var_6C0], ecx
		xor	ebx, ebx
		dec	ecx
		mov	[ebp+var_6B8], ebx
		push	21h
		mov	[ebp+var_6BC], ecx
		pop	ecx
		cmp	ax, cx
		jnz	loc_9CF5DA
		push	25h
		pop	eax
		mov	[ebp+var_48], ax
		mov	eax, [ebp+var_690]
		add	eax, 2
		mov	[ebp+var_695], bl
		lea	ebx, [ebp-46h]
		mov	[ebp+var_690], eax
		mov	[ebp+var_6B4], ebx
		mov	edx, ebx
		movzx	ecx, word ptr [eax]
		cmp	cx, word ptr [ebp+var_6D0]
		jz	short loc_9CF581
		mov	eax, ecx
		mov	edi, ebx

loc_9CF510:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+25Bj
		test	ax, ax
		jz	loc_9CFC0C
		lea	edx, [ebp+var_A]
		cmp	edi, edx
		jnb	loc_9CFC0C
		movzx	edx, ax
		cmp	ax, 2Ah
		jnz	short loc_9CF548
		mov	edx, [ebp+var_6B8]
		mov	eax, edx
		inc	edx
		mov	[ebp+var_6B8], edx
		movzx	edx, cx
		cmp	eax, 1
		ja	loc_9CFC0C

loc_9CF548:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+213j
		mov	eax, [ebp+var_690]
		add	eax, 2
		mov	[ebx], dx
		lea	ebx, [edi+2]
		mov	[ebp+var_690], eax
		mov	[ebp+var_6B4], ebx
		mov	edi, ebx
		mov	edx, ebx
		movzx	ecx, word ptr [eax]
		mov	eax, ecx
		cmp	cx, word ptr [ebp+var_6D0]
		jnz	short loc_9CF510
		mov	edi, [ebp+var_694]
		mov	eax, [ebp+var_690]

loc_9CF581:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+1F2j
		add	eax, 2
		lea	ecx, [ebp+var_40]
		mov	[ebp+var_690], eax
		xor	eax, eax
		mov	[ebx], ax
		xor	ah, ah
		mov	[ebp+var_689], ah
		cmp	ecx, edx
		ja	short loc_9CF603
		lea	ecx, [ebp-42h]
		jmp	short loc_9CF5A9
; 

loc_9CF5A3:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+2B8j
		mov	ah, [ebp+var_689]

loc_9CF5A9:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+289j
		test	ah, ah
		jnz	short loc_9CF5D2
		cmp	word ptr [ecx-4], 49h
		jnz	short loc_9CF5C8
		cmp	word ptr [ecx-2], 36h
		jnz	short loc_9CF5C8
		cmp	word ptr [ecx],	34h
		jnz	short loc_9CF5C8
		mov	[ebp+var_689], 1

loc_9CF5C8:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+29Aj
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+2A1j	...
		add	ecx, 2
		lea	eax, [ecx+2]
		cmp	eax, ebx
		jbe	short loc_9CF5A3

loc_9CF5D2:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+293j
		mov	al, [ebp+var_695]
		jmp	short loc_9CF605
; 

loc_9CF5DA:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+1BBj
		push	ebx
		push	ebx
		lea	eax, [ebp+var_6B4]
		push	eax
		push	offset ??_C@_15GANGMFKL@?$AA?$CF?$AAs@NNGAKEGL@	; "%"
		push	40h
		pop	edx
		lea	ecx, [ebp+var_48]
		call	RtlStringCbCopyExW
		mov	[ebp+var_689], bl
		mov	al, 1
		mov	ebx, [ebp+var_6B4]
		jmp	short loc_9CF605
; 

loc_9CF603:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+284j
		mov	al, ah

loc_9CF605:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+2C0j
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+2E9j
		cmp	[ebp+arg_0], 0
		jz	loc_9CF698
		cmp	al, 1
		jz	short loc_9CF673
		mov	ecx, offset ??_C@_15GANGMFKL@?$AA?$CF?$AAs@NNGAKEGL@ ; "%"
		lea	eax, [ebp+var_48]

loc_9CF61B:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+323j
		mov	dx, [eax]
		cmp	dx, [ecx]
		jnz	short loc_9CF641
		test	dx, dx
		jz	short loc_9CF63D
		mov	dx, [eax+2]
		cmp	dx, [ecx+2]
		jnz	short loc_9CF641
		add	eax, 4
		add	ecx, 4
		test	dx, dx
		jnz	short loc_9CF61B

loc_9CF63D:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+30Ej
		xor	eax, eax
		jmp	short loc_9CF646
; 

loc_9CF641:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+309j
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+318j
		sbb	eax, eax
		or	eax, 1

loc_9CF646:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+327j
		test	eax, eax
		jz	short loc_9CF673
		lea	eax, [ebp-46h]
		push	eax
		push	dword ptr [ebp+var_6C0]	; char
		lea	eax, [ebp+var_6B0]
		push	offset ??_C@_1BC@DNCBBMLH@?$AA?$CF?$AA?$CF?$AA?$CF?$AAu?$AA?$CB?$AA?$CF?$AAs?$AA?$CB@NNGAKEGL@ ; wchar_t *
		push	0		; int
		push	0		; int
		push	eax		; int
		push	edi		; int
		push	esi		; void *
		call	RtlStringCchPrintfExW
		add	esp, 20h
		jmp	loc_9CF8CB
; 

loc_9CF673:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+2F9j
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+330j
		push	dword ptr [ebp+var_6C0]	; char
		lea	eax, [ebp+var_6B0]
		push	offset ??_C@_19PBHPHAE@?$AA?$CF?$AA?$CF?$AA?$CF?$AAu@NNGAKEGL@ ; wchar_t *
		push	0		; int
		push	0		; int
		push	eax		; int
		push	edi		; int
		push	esi		; void *
		call	RtlStringCchPrintfExW
		add	esp, 1Ch
		jmp	loc_9CF8CB
; 

loc_9CF698:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+2F1j
		cmp	[ebp+var_6A8], 0
		jz	loc_9CFC0C
		mov	eax, [ebp+var_6B8]
		mov	edi, [ebp+var_6BC]
		add	eax, edi
		cmp	eax, 0C8h
		jnb	loc_9CFC0C
		cmp	[ebp+arg_4], 0
		jz	short loc_9CF73E
		lea	ecx, [ebx-2]
		movzx	edx, word ptr [ecx]
		push	63h
		pop	eax
		cmp	dx, ax
		jnz	short loc_9CF6F8
		movzx	eax, word ptr [ebx-4]
		cmp	ax, word ptr [ebp+var_6E0]
		jz	short loc_9CF6F8
		cmp	ax, word ptr [ebp+var_6E4]
		jz	short loc_9CF6F8
		cmp	ax, word ptr [ebp+var_6E8]
		jz	short loc_9CF6F8
		push	offset ??_C@_15IDAJILIG@?$AAh?$AAc@NNGAKEGL@
		jmp	short loc_9CF721
; 

loc_9CF6F8:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+3B8j
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+3C5j	...
		push	73h
		pop	eax
		cmp	dx, ax
		jnz	short loc_9CF72E
		movzx	eax, word ptr [ebx-4]
		push	68h
		pop	ebx
		cmp	ax, bx
		jz	short loc_9CF72B
		push	77h
		pop	ebx
		cmp	ax, bx
		jz	short loc_9CF72B
		push	6Ch
		pop	ebx
		cmp	ax, bx
		jz	short loc_9CF72B
		push	(offset	loc_8BEA77+1)

loc_9CF721:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+3DEj
		push	3
		pop	edx
		call	RtlStringCchCopyW
		jmp	short loc_9CF73E
; 

loc_9CF72B:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+3F2j
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+3FAj	...
		push	73h
		pop	eax

loc_9CF72E:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+3E6j
		cmp	edx, 53h
		jz	short loc_9CF73B
		cmp	edx, 43h
		jnz	short loc_9CF73E
		push	63h
		pop	eax

loc_9CF73B:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+419j
		mov	[ecx], ax

loc_9CF73E:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+3AAj
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+411j	...
		mov	eax, [ebp+var_6A4]
		cmp	edi, eax
		jb	short loc_9CF7BF
		mov	bl, [ebp+var_689]
		mov	esi, [ebp+var_6A8]

loc_9CF754:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+499j
		cmp	[ebp+arg_8], 0
		lea	edx, [eax+1]
		jz	short loc_9CF76A
		mov	ecx, [esi]
		add	esi, 4
		mov	[ebp+var_6A8], esi
		jmp	short loc_9CF785
; 

loc_9CF76A:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+443j
		mov	eax, [esi]
		test	bl, bl
		jz	short loc_9CF77D
		add	eax, 8
		mov	[esi], eax
		mov	ecx, [eax-8]
		mov	eax, [eax-4]
		jmp	short loc_9CF787
; 

loc_9CF77D:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+456j
		add	eax, 4
		mov	[esi], eax
		mov	ecx, [eax-4]

loc_9CF785:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+450j
		xor	eax, eax

loc_9CF787:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+463j
		mov	esi, [ebp+var_6A4]
		mov	dword ptr [ebp+esi*8+var_688], ecx
		mov	ecx, [ebp+var_6A4]
		mov	esi, [ebp+var_6A8]
		mov	[ebp+ecx*8+var_684], eax
		mov	eax, edx
		mov	[ebp+var_6A4], eax
		cmp	edx, edi
		jbe	short loc_9CF754
		mov	esi, [ebp+var_6A0]
		mov	[ebp+var_6A4], edx

loc_9CF7BF:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+42Ej
		mov	ebx, dword ptr [ebp+edi*8+var_688]
		xor	edx, edx
		mov	ecx, [ebp+var_6B8]
		xor	edi, edi
		mov	[ebp+var_6B4], ebx
		test	ecx, ecx
		jz	loc_9CF871
		mov	eax, [ebp+var_6A8]
		cmp	[ebp+arg_8], dl
		jz	short loc_9CF817
		mov	ecx, [ebp+var_6A4]
		mov	edi, [eax]
		and	[ebp+ecx*8+var_684], edx
		mov	dword ptr [ebp+ecx*8+var_688], edi
		inc	ecx
		add	eax, 4
		mov	[ebp+var_6A4], ecx
		mov	ecx, [ebp+var_6B8]
		mov	[ebp+var_6A8], eax
		jmp	short loc_9CF825
; 

loc_9CF817:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+4CFj
		add	dword ptr [eax], 4
		mov	eax, [eax]
		mov	edi, [eax-4]
		mov	eax, [ebp+var_6A8]

loc_9CF825:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+4FDj
		cmp	ecx, 1
		jbe	short loc_9CF871
		mov	edx, [ebp+var_6A4]
		lea	ecx, [ebp+var_688]
		lea	ecx, [ecx+edx*8]
		inc	edx
		cmp	[ebp+arg_8], 0
		mov	[ebp+var_6A4], edx
		jz	short loc_9CF857
		mov	edx, [eax]
		and	dword ptr [ecx+4], 0
		add	eax, 4
		mov	[ebp+var_6A8], eax
		jmp	short loc_9CF86F
; 

loc_9CF857:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+52Cj
		add	dword ptr [eax], 4
		mov	eax, [eax]
		and	dword ptr [ecx+4], 0
		mov	edx, [eax-4]
		mov	eax, [ebp+var_6A4]
		mov	[ebp+var_6A4], eax

loc_9CF86F:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+53Dj
		mov	[ecx], edx

loc_9CF871:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+4C0j
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+510j
		cmp	[ebp+var_689], 0
		push	edx
		push	edi
		mov	edi, [ebp+var_694]
		jz	short loc_9CF8B1
		mov	eax, [ebp+var_6BC]
		push	[ebp+eax*8+var_684]
		push	dword ptr [ebp+eax*8+var_688] ;	char
		lea	eax, [ebp+var_48]
		push	eax		; wchar_t *
		push	0		; int
		push	0		; int
		lea	eax, [ebp+var_6B0]
		push	eax		; int
		push	edi		; int
		push	esi		; void *
		call	RtlStringCchPrintfExW
		add	esp, 28h
		jmp	short loc_9CF8CB
; 

loc_9CF8B1:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+568j
		push	ebx		; char
		lea	eax, [ebp+var_48]
		push	eax		; wchar_t *
		push	0		; int
		push	0		; int
		lea	eax, [ebp+var_6B0]
		push	eax		; int
		push	edi		; int
		push	esi		; void *
		call	RtlStringCchPrintfExW
		add	esp, 24h

loc_9CF8CB:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+356j
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+37Bj	...
		test	eax, eax
		js	loc_9CFC18
		mov	eax, [ebp+var_6B0]
		sub	eax, esi
		sar	eax, 1
		sub	edi, eax
		mov	[ebp+var_694], edi
		js	loc_9CFC18
		mov	ebx, [ebp+var_690]
		lea	esi, [esi+eax*2]
		mov	edx, [ebp+var_6AC]
		jmp	loc_9CFA01
; 

loc_9CF8FF:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+11Aj
		cmp	cx, ax
		jz	loc_9CFC13
		test	cx, cx
		jz	loc_9CFC0C
		cmp	ecx, 72h
		jnz	short loc_9CF942
		sub	edi, 1
		mov	[ebp+var_694], edi
		js	loc_9CFC18
		push	0Dh
		pop	eax
		mov	[esi], ax
		add	esi, 2
		add	ebx, 2

loc_9CF931:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+652j
		mov	[ebp+var_6A0], esi
		mov	[ebp+var_690], ebx
		jmp	loc_9CFA11
; 

loc_9CF942:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+5FCj
		cmp	ecx, 6Eh
		jnz	short loc_9CF96C
		push	2
		pop	eax
		sub	edi, eax
		mov	[ebp+var_694], edi
		js	loc_9CFC18
		push	0Dh
		pop	ecx
		mov	[esi], cx
		add	esi, eax
		push	0Ah
		pop	ecx
		mov	[esi], cx
		add	esi, eax
		add	ebx, eax
		jmp	short loc_9CF931
; 

loc_9CF96C:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+62Dj
		cmp	ecx, 74h
		jnz	short loc_9CF9A0
		sub	edi, 1
		mov	[ebp+var_694], edi
		js	loc_9CFC18
		test	dl, 7
		jz	short loc_9CF98D
		add	edx, 7
		and	edx, 0FFFFFFF8h
		jmp	short loc_9CF992
; 

loc_9CF98D:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+66Bj
		push	8
		pop	eax
		add	edx, eax

loc_9CF992:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+673j
		push	9

loc_9CF994:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+69Ej
		pop	eax
		mov	[ebp+var_69C], esi
		mov	[esi], ax
		jmp	short loc_9CF9F5
; 

loc_9CF9A0:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+657j
		cmp	ecx, 62h
		jnz	short loc_9CF9B8
		sub	edi, 1
		mov	[ebp+var_694], edi
		js	loc_9CFC18
		push	20h
		jmp	short loc_9CF994
; 

loc_9CF9B8:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+68Bj
		cmp	[ebp+arg_0], 0
		jz	short loc_9CF9E3
		push	2
		pop	ecx
		sub	edi, ecx
		mov	[ebp+var_694], edi
		js	loc_9CFC18
		push	25h
		pop	eax
		mov	[esi], ax
		add	esi, ecx
		mov	ax, [ebx]
		mov	[esi], ax
		add	esi, ecx
		add	ebx, ecx
		jmp	short loc_9CF9FB
; 

loc_9CF9E3:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+6A4j
		sub	edi, 1
		mov	[ebp+var_694], edi
		js	loc_9CFC18
		mov	[esi], cx

loc_9CF9F5:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+686j
		add	esi, 2
		add	ebx, 2

loc_9CF9FB:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+6C9j
		mov	[ebp+var_690], ebx

loc_9CFA01:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+5E2j
		mov	ecx, [ebp+var_6EC]
		mov	[ebp+var_6A0], esi
		test	ecx, ecx
		jnz	short loc_9CFA20

loc_9CFA11:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+625j
		xor	ecx, ecx
		xor	edx, edx
		mov	[ebp+var_69C], ecx
		jmp	loc_9CFAB6
; 

loc_9CFA20:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+6F7j
		mov	eax, esi
		sub	eax, ecx
		mov	ecx, [ebp+var_69C]
		sar	eax, 1
		add	edx, eax
		jmp	loc_9CFAB6
; 

loc_9CFA33:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+FEj
		mov	[ebp+var_690], ebx
		cmp	ax, word ptr [ebp+var_6F0]
		jz	short loc_9CFA4B
		cmp	ax, word ptr [ebp+var_6F4]
		jnz	short loc_9CFA89

loc_9CFA4B:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+728j
		push	0Ah
		pop	ecx
		push	0Dh
		cmp	ax, cx
		pop	ecx
		jnz	short loc_9CFA5B
		cmp	[ebx], cx
		jz	short loc_9CFA68

loc_9CFA5B:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+73Cj
		cmp	ax, cx
		jnz	short loc_9CFA71
		push	0Ah
		pop	eax
		cmp	[ebx], ax
		jnz	short loc_9CFA71

loc_9CFA68:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+741j
		add	ebx, 2
		mov	[ebp+var_690], ebx

loc_9CFA71:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+746j
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+74Ej
		cmp	[ebp+var_6D4], 0
		jz	loc_9CFBEB
		mov	ecx, esi
		push	20h
		mov	[ebp+var_69C], ecx
		pop	eax

loc_9CFA89:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+731j
		sub	edi, 1
		mov	[ebp+var_694], edi
		js	loc_9CFC18
		cmp	ax, word ptr [ebp+var_6F8]
		jnz	short loc_9CFAA9
		mov	ecx, esi
		mov	[ebp+var_69C], ecx

loc_9CFAA9:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+787j
		mov	[esi], ax
		add	esi, 2
		mov	[ebp+var_6A0], esi
		inc	edx

loc_9CFAB6:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+703j
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+716j
		mov	eax, [ebp+var_6D4]
		mov	[ebp+var_6AC], edx
		test	eax, eax
		jz	loc_9CF400
		cmp	eax, 0FFFFFFFFh
		jz	loc_9CF400
		cmp	edx, eax
		jb	loc_9CF400
		test	ecx, ecx
		jz	loc_9CFBBF
		push	20h
		pop	edx

loc_9CFAE6:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+7E4j
		movzx	eax, word ptr [ecx]
		cmp	ax, dx
		jz	short loc_9CFAF7
		cmp	ax, word ptr [ebp+var_6FC]
		jnz	short loc_9CFAFE

loc_9CFAF7:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+7D4j
		add	ecx, 2
		cmp	ecx, esi
		jnz	short loc_9CFAE6

loc_9CFAFE:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+7DDj
		mov	edx, [ebp+var_69C]
		mov	dword ptr [ebp+var_6C0], ecx
		cmp	edx, [ebp+var_6C4]
		jbe	short loc_9CFB59
		mov	esi, [ebp+var_6C4]
		mov	edi, edx
		push	20h
		pop	ecx
		push	9
		pop	ebx

loc_9CFB20:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+821j
		movzx	eax, word ptr [edi-2]
		cmp	ax, cx
		jz	short loc_9CFB2E
		cmp	ax, bx
		jnz	short loc_9CFB3B

loc_9CFB2E:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+80Fj
		add	edi, 0FFFFFFFEh
		mov	[ebp+var_69C], edi
		cmp	edi, esi
		ja	short loc_9CFB20

loc_9CFB3B:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+814j
		mov	esi, [ebp+var_6A0]
		mov	ecx, dword ptr [ebp+var_6C0]
		mov	edi, [ebp+var_694]
		mov	ebx, [ebp+var_690]
		mov	edx, [ebp+var_69C]

loc_9CFB59:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+7F8j
		mov	eax, ecx
		sub	eax, edx
		sar	eax, 1
		cmp	eax, 1
		jnz	short loc_9CFB74
		sub	edi, eax
		mov	[ebp+var_694], edi
		js	loc_9CFC18
		jmp	short loc_9CFB84
; 

loc_9CFB74:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+84Aj
		cmp	eax, 2
		jbe	short loc_9CFB84
		add	edi, 0FFFFFFFEh
		add	edi, eax
		mov	[ebp+var_694], edi

loc_9CFB84:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+85Aj
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+85Fj
		sub	esi, ecx
		sar	esi, 1
		mov	[ebp+var_6AC], esi
		lea	eax, [esi+esi]
		mov	esi, [ebp+var_69C]
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [esi+4]
		push	eax		; void *
		call	_memmove
		mov	edx, [ebp+var_6AC]
		add	esp, 0Ch
		push	0Dh
		pop	eax
		mov	[esi], ax
		add	esi, 2
		push	0Ah
		pop	eax
		mov	[esi], ax
		lea	esi, [esi+edx*2]
		jmp	short loc_9CFBE1
; 

loc_9CFBBF:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+7C5j
		sub	edi, 2
		mov	[ebp+var_694], edi
		js	short loc_9CFC18
		push	0Dh
		pop	eax
		mov	[esi], ax
		add	esi, 2
		push	0Ah
		pop	eax
		xor	edx, edx
		mov	[esi], ax
		mov	[ebp+var_6AC], edx

loc_9CFBE1:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+8A5j
		xor	ecx, ecx
		add	esi, 2
		jmp	loc_9CF3F4
; 

loc_9CFBEB:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+760j
		sub	edi, 2
		mov	[ebp+var_694], edi
		js	short loc_9CFC18
		push	0Ah
		mov	[esi], cx
		xor	ecx, ecx
		pop	eax
		mov	[esi+2], ax
		add	esi, 4
		xor	edx, edx
		jmp	loc_9CF3EE
; 

loc_9CFC0C:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+194j
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+1FBj	...
		mov	eax, 0C000000Dh
		jmp	short loc_9CFC3E
; 

loc_9CFC13:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+EEj
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+5EAj
		cmp	edi, 1
		jge	short loc_9CFC1F

loc_9CFC18:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+5B5j
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+5CDj	...
		mov	eax, 80000005h
		jmp	short loc_9CFC3E
; 

loc_9CFC1F:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+8FEj
		xor	eax, eax
		mov	[esi], ax
		mov	eax, [ebp+var_700]
		test	eax, eax
		jz	short loc_9CFC3C
		sub	esi, [ebp+var_6C4]
		add	esi, 2
		and	esi, 0FFFFFFFEh
		mov	[eax], esi

loc_9CFC3C:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+914j
		xor	eax, eax

loc_9CFC3E:				; CODE XREF: RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+8F9j
					; RtlFormatMessageEx(x,x,x,x,x,x,x,x,x,x)+905j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
_RtlFormatMessageEx@40 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2240. RtlLoadString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlLoadString(int,__int16,void *,int,int,int,int,int)
		public _RtlLoadString@32
_RtlLoadString@32 proc near

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		push	48h
		push	offset dword_6A9170
		call	__SEH_prolog4_GS
		mov	ebx, [ebp+arg_0]
		mov	ecx, [ebp+arg_8] ; void	*
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_50], eax
		mov	edi, [ebp+arg_1C]
		mov	[ebp+var_4C], edi
		xor	esi, esi
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], esi
		mov	dl, byte ptr [ebp+arg_C]
		and	dl, 1
		mov	[ebp+var_2D], dl
		test	ebx, ebx
		jz	short loc_9CFCDD
		cmp	[ebp+var_40], esi
		jz	short loc_9CFCDD
		test	[ebp+arg_C], 0FFFFFFFEh
		jnz	short loc_9CFCDD
		test	dl, dl
		jz	short loc_9CFCB4
		test	eax, eax
		jnz	short loc_9CFCAD
		test	edi, edi
		jz	short loc_9CFCB4

loc_9CFCAD:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+53j
		mov	eax, 0C00000BBh
		jmp	short loc_9CFCE2
; 

loc_9CFCB4:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+4Fj
					; RtlLoadString(x,x,x,x,x,x,x,x)+57j
		cmp	ecx, 0FFFFh
		jbe	short loc_9CFD05
		mov	[ebp+ms_exc.disabled], esi
		cmp	[ecx], si
		jz	short loc_9CFCF4
		push	2
		pop	edx
		call	_DownLevelLanguageNameToLangID@8 ; DownLevelLanguageNameToLangID(x,x)
		movzx	ecx, ax
		mov	[ebp+var_44], ecx
		test	ecx, ecx
		jnz	short loc_9CFCFB
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9CFCDD:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+3Dj
					; RtlLoadString(x,x,x,x,x,x,x,x)+42j ...
		mov	eax, 0C000000Dh

loc_9CFCE2:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+5Ej
					; RtlLoadString(x,x,x,x,x,x,x,x)+123j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_9CFCF4:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+6Ej
		mov	ecx, esi
		mov	[ebp+var_44], ecx
		jmp	short loc_9CFCFE
; 

loc_9CFCFB:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+80j
		mov	dl, [ebp+var_2D]

loc_9CFCFE:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+A5j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9CFD05:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+66j
		mov	[ebp+var_2C], 6
		movzx	edi, [ebp+arg_4]
		mov	eax, edi
		shr	eax, 4
		inc	eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edi
		mov	[ebp+var_34], esi
		test	dl, dl
		jnz	short loc_9CFD7C
		push	[ebp+var_4C]
		push	[ebp+var_50]
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		push	1
		push	4
		lea	eax, [ebp+var_2C]
		push	eax
		push	ebx
		call	_LdrResSearchResource@32 ; LdrResSearchResource(x,x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_9CFE23
		cmp	[ebp+var_34], 0FFFFh
		jbe	short loc_9CFDA9
		mov	ecx, 0C000007Bh
		jmp	short loc_9CFDA9
; 

loc_9CFD5C:				; DATA XREF: .text:006A9184o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_48], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CFD6A:				; DATA XREF: .text:006A9188o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_48]
		jmp	loc_9CFCE2
; 

loc_9CFD7C:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+D0j
		lea	eax, [ebp+var_3C]
		push	eax
		push	1
		push	4
		lea	edx, [ebp+var_2C]
		mov	ecx, ebx
		call	_LdrpSearchResourceSection_U@20	; LdrpSearchResourceSection_U(x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	loc_9CFE23
		push	esi
		lea	eax, [ebp+var_38]
		push	eax
		mov	edx, [ebp+var_3C]
		mov	ecx, ebx
		call	LdrpAccessResourceData
		mov	ecx, eax

loc_9CFDA9:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+FFj
					; RtlLoadString(x,x,x,x,x,x,x,x)+106j
		test	ecx, ecx
		js	short loc_9CFE23
		mov	ebx, [ebp+var_38]
		test	ebx, ebx
		jz	short loc_9CFE23
		and	edi, 0Fh
		shr	[ebp+var_34], 1

loc_9CFDBA:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+181j
		movzx	eax, si
		movzx	edx, word ptr [ebx+eax*2]
		inc	esi
		add	esi, edx
		cmp	[ebp+var_2D], 0
		jnz	short loc_9CFDD2
		movzx	eax, si
		cmp	eax, [ebp+var_34]
		ja	short loc_9CFE01

loc_9CFDD2:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+174j
		sub	edi, 1
		jns	short loc_9CFDBA
		test	si, si
		jz	short loc_9CFDE3
		test	dx, dx
		jz	short loc_9CFDE3
		sub	esi, edx

loc_9CFDE3:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+186j
					; RtlLoadString(x,x,x,x,x,x,x,x)+18Bj
		mov	[ebp+ms_exc.disabled], 1
		movzx	eax, si
		lea	eax, [ebx+eax*2]
		mov	ebx, [ebp+var_40]
		mov	[ebx], eax
		mov	eax, [ebp+var_54]
		test	eax, eax
		jz	short loc_9CFE1C
		mov	[eax], dx
		jmp	short loc_9CFE1C
; 

loc_9CFE01:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+17Cj
		mov	ecx, 0C000007Bh
		jmp	short loc_9CFE23
; 

loc_9CFE08:				; DATA XREF: .text:006A9190o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_58], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9CFE16:				; DATA XREF: .text:006A9194o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ecx, [ebp+var_58]

loc_9CFE1C:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+1A6j
					; RtlLoadString(x,x,x,x,x,x,x,x)+1ABj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9CFE23:				; CODE XREF: RtlLoadString(x,x,x,x,x,x,x,x)+F2j
					; RtlLoadString(x,x,x,x,x,x,x,x)+13Ej ...
		mov	eax, ecx
		jmp	loc_9CFCE2
_RtlLoadString@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlStdInitializeStackDatabase(x, x,	x, x)
_RtlStdInitializeStackDatabase@16 proc near
					; CODE XREF: RtlpInitializeStackTraceDatabase(x,x,x)+23p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	edx, edx
		jz	short loc_9CFE4B
		cmp	edx, eax
		jnz	loc_9CFEEF
		test	esi, esi
		jz	loc_9CFEEF

loc_9CFE4B:				; CODE XREF: RtlStdInitializeStackDatabase(x,x,x,x)+Fj
		cmp	eax, 1000000h
		sbb	ecx, ecx
		and	ecx, 0FFFFF072h
		add	ecx, 254Fh
		imul	edi, ecx, 0Ch
		lea	ebx, [edi+188h]
		cmp	eax, ebx
		jbe	loc_9CFEEF
		test	esi, esi
		jz	short loc_9CFEEF
		cmp	edx, eax
		jnz	short loc_9CFEEF
		add	eax, esi
		mov	byte ptr [esi+44h], 1
		push	edi		; size_t
		mov	[esi+58h], eax
		mov	[esi+64h], eax
		lea	eax, [esi+17Ch]
		push	0		; int
		push	eax		; void *
		mov	[esi+48h], esi
		mov	[esi+178h], ecx
		call	_memset
		lea	eax, [ebx+7]
		xor	ebx, ebx
		and	eax, 0FFFFFFF8h
		add	eax, 4
		add	eax, esi
		push	100h		; size_t
		mov	[esi+54h], eax
		mov	[esi+40h], eax
		lea	eax, [esi+78h]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	[esi], ebx
		mov	[esi+4], bl
		mov	ecx, ebx
		cmp	[esi+178h], ebx
		jbe	short loc_9CFEE6
		lea	eax, [esi+180h]

loc_9CFED5:				; CODE XREF: RtlStdInitializeStackDatabase(x,x,x,x)+BAj
		mov	[eax], ebx
		inc	ecx
		mov	[eax+4], bl
		lea	eax, [eax+0Ch]
		cmp	ecx, [esi+178h]
		jb	short loc_9CFED5

loc_9CFEE6:				; CODE XREF: RtlStdInitializeStackDatabase(x,x,x,x)+A3j
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		xor	eax, eax
		jmp	short loc_9CFEF4
; 

loc_9CFEEF:				; CODE XREF: RtlStdInitializeStackDatabase(x,x,x,x)+13j
					; RtlStdInitializeStackDatabase(x,x,x,x)+1Bj ...
		mov	eax, 0C000000Dh

loc_9CFEF4:				; CODE XREF: RtlStdInitializeStackDatabase(x,x,x,x)+C3j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_RtlStdInitializeStackDatabase@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpInitializeStackTraceDatabase(x,	x, x)
_RtlpInitializeStackTraceDatabase@12 proc near
					; CODE XREF: RtlControlStackTraceDataBase(x,x,x)+1Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		cmp	_RtlpStackTraceDatabase, 0
		push	esi
		push	edi
		jz	short loc_9CFF17

loc_9CFF10:				; CODE XREF: RtlpInitializeStackTraceDatabase(x,x,x)+61j
		mov	eax, 0C000020Ah
		jmp	short loc_9CFF60
; 

loc_9CFF17:				; CODE XREF: RtlpInitializeStackTraceDatabase(x,x,x)+13j
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_0]
		call	_RtlStdInitializeStackDatabase@16 ; RtlStdInitializeStackDatabase(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9CFF5E
		mov	edx, [ebp+var_4]
		mov	edi, offset _RtlpStackTraceDatabase
		mov	ecx, edx
		xor	eax, eax
		lock cmpxchg [edi], ecx
		test	eax, eax
		jz	short loc_9CFF5E
		mov	eax, [edx+64h]
		sub	eax, edx
		mov	[ebp+var_4], edx
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+arg_0]
		push	8000h
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	0FFFFFFFFh
		call	NtFreeVirtualMemory
		jmp	short loc_9CFF10
; 

loc_9CFF5E:				; CODE XREF: RtlpInitializeStackTraceDatabase(x,x,x)+2Cj
					; RtlpInitializeStackTraceDatabase(x,x,x)+40j
		mov	eax, esi

loc_9CFF60:				; CODE XREF: RtlpInitializeStackTraceDatabase(x,x,x)+1Aj
		pop	edi
		pop	esi
		leave
		retn	4
_RtlpInitializeStackTraceDatabase@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CompareNamesCaseSensitive(x, x)
_CompareNamesCaseSensitive@8 proc near	; CODE XREF: PfxFindPrefix(x,x)+33p
					; PfxInsertPrefix(x,x,x)+61p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	esi
		xor	ecx, ecx
		push	edi
		movzx	esi, word ptr [ebx]
		inc	ecx
		movzx	edi, word ptr [edx]
		mov	eax, esi
		mov	[ebp+var_14], eax
		mov	eax, edi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], eax
		cmp	si, cx
		jnz	short loc_9CFFAA
		mov	eax, [ebx+4]
		cmp	byte ptr [eax],	5Ch
		jnz	short loc_9CFFAA
		cmp	di, cx
		jbe	short loc_9CFFB1
		mov	eax, [edx+4]
		cmp	byte ptr [eax],	5Ch
		jz	loc_9D009F

loc_9CFFAA:				; CODE XREF: CompareNamesCaseSensitive(x,x)+29j
					; CompareNamesCaseSensitive(x,x)+31j
		mov	eax, esi
		cmp	si, di
		jb	short loc_9CFFB3

loc_9CFFB1:				; CODE XREF: CompareNamesCaseSensitive(x,x)+36j
		mov	eax, edi

loc_9CFFB3:				; CODE XREF: CompareNamesCaseSensitive(x,x)+49j
		movzx	esi, ax
		push	esi		; Length
		push	dword ptr [edx+4] ; Source2
		push	dword ptr [ebx+4] ; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		mov	edi, [ebp+var_8]
		mov	edx, eax
		cmp	edx, esi
		jnb	loc_9D0085
		mov	eax, [ebx+4]
		mov	ecx, [edi+4]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ecx
		mov	ah, [eax+edx]
		mov	ch, [ecx+edx]
		cmp	ah, 5Ch
		mov	[ebp+var_2], ch
		setz	bh
		dec	bh
		and	bh, ah
		cmp	ch, 5Ch
		mov	bl, bh
		setz	cl
		dec	cl
		and	cl, ch
		cmp	ds:_NlsMbCodePageTag, 0
		mov	[ebp+var_1], cl
		mov	al, cl
		jz	short loc_9D007F
		xor	esi, esi
		cmp	ah, 5Ch
		jnz	short loc_9D0046
		test	edx, edx
		jz	short loc_9D003C
		mov	edi, [ebp+var_C]

loc_9D0016:				; CODE XREF: CompareNamesCaseSensitive(x,x)+CBj
		movzx	eax, byte ptr [edi+esi]
		xor	ecx, ecx
		xor	edi, edi
		cmp	ds:_NlsLeadByteInfoTable[eax*2], di
		mov	edi, [ebp+var_C]
		setnz	cl
		inc	ecx
		add	esi, ecx
		cmp	esi, edx
		jb	short loc_9D0016
		mov	edi, [ebp+var_8]
		mov	cl, [ebp+var_1]
		mov	ch, [ebp+var_2]

loc_9D003C:				; CODE XREF: CompareNamesCaseSensitive(x,x)+ABj
		mov	bl, bh
		cmp	esi, edx
		jz	short loc_9D0044
		mov	bl, 5Ch

loc_9D0044:				; CODE XREF: CompareNamesCaseSensitive(x,x)+DAj
		xor	esi, esi

loc_9D0046:				; CODE XREF: CompareNamesCaseSensitive(x,x)+A7j
		mov	al, cl
		cmp	ch, 5Ch
		jnz	short loc_9D007F
		test	edx, edx
		jz	short loc_9D0077
		mov	edi, [ebp+var_10]

loc_9D0054:				; CODE XREF: CompareNamesCaseSensitive(x,x)+109j
		movzx	eax, byte ptr [edi+esi]
		xor	ecx, ecx
		xor	edi, edi
		cmp	ds:_NlsLeadByteInfoTable[eax*2], di
		mov	edi, [ebp+var_10]
		setnz	cl
		inc	ecx
		add	esi, ecx
		cmp	esi, edx
		jb	short loc_9D0054
		mov	edi, [ebp+var_8]
		mov	cl, [ebp+var_1]

loc_9D0077:				; CODE XREF: CompareNamesCaseSensitive(x,x)+E9j
		mov	al, cl
		cmp	esi, edx
		jz	short loc_9D007F
		mov	al, 5Ch

loc_9D007F:				; CODE XREF: CompareNamesCaseSensitive(x,x)+A0j
					; CompareNamesCaseSensitive(x,x)+E5j ...
		cmp	bl, al
		jb	short loc_9D00A3
		ja	short loc_9D00A9

loc_9D0085:				; CODE XREF: CompareNamesCaseSensitive(x,x)+63j
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_18]
		cmp	ax, cx
		jnb	short loc_9D00A7
		mov	ecx, [edi+4]
		mov	edx, [ebp+var_1C]
		cmp	byte ptr [edx+ecx], 5Ch
		jnz	short loc_9D00A3
		xor	ecx, ecx
		inc	ecx

loc_9D009F:				; CODE XREF: CompareNamesCaseSensitive(x,x)+3Ej
		mov	eax, ecx
		jmp	short loc_9D00B0
; 

loc_9D00A3:				; CODE XREF: CompareNamesCaseSensitive(x,x)+11Bj
					; CompareNamesCaseSensitive(x,x)+134j
		xor	eax, eax
		jmp	short loc_9D00B0
; 

loc_9D00A7:				; CODE XREF: CompareNamesCaseSensitive(x,x)+128j
		jbe	short loc_9D00AD

loc_9D00A9:				; CODE XREF: CompareNamesCaseSensitive(x,x)+11Dj
		push	3
		jmp	short loc_9D00AF
; 

loc_9D00AD:				; CODE XREF: CompareNamesCaseSensitive(x,x):loc_9D00A7j
		push	2

loc_9D00AF:				; CODE XREF: CompareNamesCaseSensitive(x,x)+145j
		pop	eax

loc_9D00B0:				; CODE XREF: CompareNamesCaseSensitive(x,x)+13Bj
					; CompareNamesCaseSensitive(x,x)+13Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CompareNamesCaseSensitive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ComputeNameLength(x)
_ComputeNameLength@4 proc near		; CODE XREF: PfxFindPrefix(x,x)+11p
					; PfxInsertPrefix(x,x,x)+Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		xor	ecx, ecx
		inc	ecx
		push	edi
		movzx	edx, word ptr [esi]
		dec	edx
		mov	[ebp+var_4], edx
		cmp	ds:_NlsMbCodePageTag, al
		jz	short loc_9D0107
		mov	edi, eax
		test	edx, edx
		jz	short loc_9D011A
		mov	esi, [esi+4]
		push	ebx

loc_9D00DD:				; CODE XREF: ComputeNameLength(x)+4Dj
		mov	bl, [esi+edi]
		xor	edx, edx
		movzx	eax, bl
		cmp	ds:_NlsLeadByteInfoTable[eax*2], dx
		jz	short loc_9D00F4
		push	2
		pop	eax
		jmp	short loc_9D00FD
; 

loc_9D00F4:				; CODE XREF: ComputeNameLength(x)+38j
		cmp	bl, 5Ch
		jnz	short loc_9D00FA
		inc	ecx

loc_9D00FA:				; CODE XREF: ComputeNameLength(x)+42j
		xor	eax, eax
		inc	eax

loc_9D00FD:				; CODE XREF: ComputeNameLength(x)+3Dj
		add	edi, eax
		cmp	edi, [ebp+var_4]
		jb	short loc_9D00DD
		pop	ebx
		jmp	short loc_9D011A
; 

loc_9D0107:				; CODE XREF: ComputeNameLength(x)+1Cj
		test	edx, edx
		jz	short loc_9D011A
		mov	esi, [esi+4]

loc_9D010E:				; CODE XREF: ComputeNameLength(x)+63j
		cmp	byte ptr [esi+eax], 5Ch
		jnz	short loc_9D0115
		inc	ecx

loc_9D0115:				; CODE XREF: ComputeNameLength(x)+5Dj
		inc	eax
		cmp	eax, edx
		jb	short loc_9D010E

loc_9D011A:				; CODE XREF: ComputeNameLength(x)+22j
					; ComputeNameLength(x)+50j ...
		pop	edi
		mov	eax, ecx
		pop	esi
		leave
		retn
_ComputeNameLength@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1658. PfxFindPrefix

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfxFindPrefix(x, x)
		public _PfxFindPrefix@8
_PfxFindPrefix@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+4]
		mov	ecx, [ebp+arg_4]
		call	_ComputeNameLength@4 ; ComputeNameLength(x)
		jmp	short loc_9D0143
; 

loc_9D013D:				; CODE XREF: PfxFindPrefix(x,x)+22j
		mov	[ebp+arg_0], edi
		mov	edi, [edi+4]

loc_9D0143:				; CODE XREF: PfxFindPrefix(x,x)+16j
		cmp	[edi+2], ax
		jg	short loc_9D013D
		xor	esi, esi
		jmp	short loc_9D0178
; 

loc_9D014D:				; CODE XREF: PfxFindPrefix(x,x)+57j
		lea	ebx, [edi+8]
		jmp	short loc_9D016E
; 

loc_9D0152:				; CODE XREF: PfxFindPrefix(x,x)+4Bj
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebx+0Ch]
		call	_CompareNamesCaseSensitive@8 ; CompareNamesCaseSensitive(x,x)
		cmp	eax, 3
		jnz	short loc_9D0167
		mov	ebx, [ebx+4]
		jmp	short loc_9D016E
; 

loc_9D0167:				; CODE XREF: PfxFindPrefix(x,x)+3Bj
		test	eax, eax
		jnz	short loc_9D0187
		mov	ebx, [ebx+8]

loc_9D016E:				; CODE XREF: PfxFindPrefix(x,x)+2Bj
					; PfxFindPrefix(x,x)+40j
		test	ebx, ebx
		jnz	short loc_9D0152
		mov	[ebp+arg_0], edi
		mov	edi, [edi+4]

loc_9D0178:				; CODE XREF: PfxFindPrefix(x,x)+26j
		cmp	[edi+2], si
		jg	short loc_9D014D
		xor	eax, eax

loc_9D0180:				; CODE XREF: PfxFindPrefix(x,x)+6Dj
					; PfxFindPrefix(x,x)+93j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_9D0187:				; CODE XREF: PfxFindPrefix(x,x)+44j
		mov	ecx, 202h
		lea	eax, [ebx-8]
		cmp	[eax], cx
		jnz	short loc_9D0180
		mov	esi, [edi+4]
		and	dword ptr [edi+4], 0
		push	ebx
		mov	[edi], cx
		call	_RtlSplay@4	; RtlSplay(x)
		sub	eax, 8
		mov	ecx, 201h
		mov	[eax], cx
		mov	ecx, [ebp+arg_0]
		mov	[ecx+4], eax
		mov	[eax+4], esi
		jmp	short loc_9D0180
_PfxFindPrefix@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1659. PfxInitialize

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfxInitialize(x)
		public _PfxInitialize@4
_PfxInitialize@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 200h
		mov	[eax+4], eax
		pop	ebp
		retn	4
_PfxInitialize@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1660. PfxInsertPrefix

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfxInsertPrefix(x, x, x)
		public _PfxInsertPrefix@12
_PfxInsertPrefix@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	esi
		push	edi
		call	_ComputeNameLength@4 ; ComputeNameLength(x)
		mov	esi, [ebp+arg_8]
		mov	ecx, eax
		mov	edx, [ebp+arg_4]
		lea	eax, [esi+8]
		mov	[esi+2], cx
		and	dword ptr [eax+4], 0
		and	dword ptr [eax+8], 0
		mov	[eax], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+14h], edx
		mov	[ebp+arg_8], eax
		mov	edi, [eax+4]
		jmp	short loc_9D0217
; 

loc_9D020F:				; CODE XREF: PfxInsertPrefix(x,x,x)+42j
		mov	eax, edi
		mov	[ebp+arg_8], edi
		mov	edi, [edi+4]

loc_9D0217:				; CODE XREF: PfxInsertPrefix(x,x,x)+34j
		cmp	[edi+2], cx
		jg	short loc_9D020F
		jz	short loc_9D0234
		mov	[eax+4], esi
		mov	eax, 201h
		mov	[esi], ax
		mov	al, 1
		mov	[esi+4], edi
		jmp	loc_9D02B7
; 

loc_9D0234:				; CODE XREF: PfxInsertPrefix(x,x,x)+44j
		push	ebx
		mov	ebx, edi

loc_9D0237:				; CODE XREF: PfxInsertPrefix(x,x,x)+9Aj
		mov	ecx, [ebx+14h]
		call	_CompareNamesCaseSensitive@8 ; CompareNamesCaseSensitive(x,x)
		cmp	eax, 2
		jz	short loc_9D02B4
		cmp	eax, 3
		jnz	short loc_9D0266
		mov	eax, [ebx+0Ch]
		test	eax, eax
		jnz	short loc_9D026D
		and	[esi+4], eax
		mov	ecx, 202h
		add	ebx, 8
		mov	[esi], cx
		lea	eax, [esi+8]
		mov	[ebx+4], eax
		jmp	short loc_9D028A
; 

loc_9D0266:				; CODE XREF: PfxInsertPrefix(x,x,x)+6Ej
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	short loc_9D0275

loc_9D026D:				; CODE XREF: PfxInsertPrefix(x,x,x)+75j
		mov	edx, [ebp+arg_4]
		lea	ebx, [eax-8]
		jmp	short loc_9D0237
; 

loc_9D0275:				; CODE XREF: PfxInsertPrefix(x,x,x)+92j
		and	dword ptr [esi+4], 0
		lea	eax, [esi+8]
		add	ebx, 8
		mov	ecx, 202h
		mov	[esi], cx
		mov	[ebx+8], eax

loc_9D028A:				; CODE XREF: PfxInsertPrefix(x,x,x)+8Bj
		mov	[eax], ebx
		mov	esi, [edi+4]
		and	dword ptr [edi+4], 0
		push	ebx
		mov	[edi], cx
		call	_RtlSplay@4	; RtlSplay(x)
		sub	eax, 8
		mov	ecx, 201h
		mov	[eax], cx
		mov	ecx, [ebp+arg_8]
		mov	[ecx+4], eax
		mov	[eax+4], esi
		mov	al, 1
		jmp	short loc_9D02B6
; 

loc_9D02B4:				; CODE XREF: PfxInsertPrefix(x,x,x)+69j
		xor	al, al

loc_9D02B6:				; CODE XREF: PfxInsertPrefix(x,x,x)+D9j
		pop	ebx

loc_9D02B7:				; CODE XREF: PfxInsertPrefix(x,x,x)+56j
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_PfxInsertPrefix@12 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 1661. PfxRemovePrefix

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfxRemovePrefix(x, x)
		public _PfxRemovePrefix@8
_PfxRemovePrefix@8 proc	near

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	ebx
		mov	ebx, 201h
		movzx	eax, word ptr [ecx]
		cmp	ax, bx
		jl	short loc_9D0348
		lea	edx, [ebx+1]
		cmp	ax, dx
		jg	short loc_9D0348
		lea	edx, [ecx+8]
		push	esi
		mov	esi, edx
		mov	ecx, [esi]
		cmp	ecx, esi
		jz	short loc_9D02F6

loc_9D02EC:				; CODE XREF: PfxRemovePrefix(x,x)+32j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		cmp	eax, esi
		jnz	short loc_9D02EC

loc_9D02F6:				; CODE XREF: PfxRemovePrefix(x,x)+28j
		push	edi
		push	edx
		lea	edi, [esi-8]
		call	_RtlDelete@4	; RtlDelete(x)
		test	eax, eax
		jnz	short loc_9D0319
		mov	edx, [esi-4]
		mov	eax, edx
		jmp	short loc_9D030D
; 

loc_9D030B:				; CODE XREF: PfxRemovePrefix(x,x)+50j
		mov	eax, ecx

loc_9D030D:				; CODE XREF: PfxRemovePrefix(x,x)+47j
		mov	ecx, [eax+4]
		cmp	ecx, edi
		jnz	short loc_9D030B
		mov	[eax+4], edx
		jmp	short loc_9D0346
; 

loc_9D0319:				; CODE XREF: PfxRemovePrefix(x,x)+40j
		cmp	esi, eax
		jz	short loc_9D0346
		lea	edx, [eax-8]
		mov	eax, [esi-4]
		jmp	short loc_9D0327
; 

loc_9D0325:				; CODE XREF: PfxRemovePrefix(x,x)+6Aj
		mov	eax, ecx

loc_9D0327:				; CODE XREF: PfxRemovePrefix(x,x)+61j
		mov	ecx, [eax+4]
		cmp	ecx, edi
		jnz	short loc_9D0325
		mov	[edx], bx
		mov	[eax+4], edx
		mov	eax, [esi-4]
		mov	[edx+4], eax
		mov	eax, 202h
		and	dword ptr [esi-4], 0
		mov	[edi], ax

loc_9D0346:				; CODE XREF: PfxRemovePrefix(x,x)+55j
					; PfxRemovePrefix(x,x)+59j
		pop	edi
		pop	esi

loc_9D0348:				; CODE XREF: PfxRemovePrefix(x,x)+14j
					; PfxRemovePrefix(x,x)+1Cj
		pop	ebx
		pop	ebp
		retn	8
_PfxRemovePrefix@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2324. RtlSelfRelativeToAbsoluteSD2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSelfRelativeToAbsoluteSD2(x, x)
		public _RtlSelfRelativeToAbsoluteSD2@8
_RtlSelfRelativeToAbsoluteSD2@8	proc near
					; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+180p
					; RtlpSysVolCheckOwnerAndSecurity(x,x)+1C5p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		test	ecx, ecx
		jnz	short loc_9D0376
		mov	eax, 0C00000EFh
		jmp	short locret_9D03EA
; 

loc_9D0376:				; CODE XREF: RtlSelfRelativeToAbsoluteSD2(x,x)+1Bj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_9D0384
		mov	eax, 0C00000F0h
		jmp	short locret_9D03EA
; 

loc_9D0384:				; CODE XREF: RtlSelfRelativeToAbsoluteSD2(x,x)+29j
		cmp	dword ptr [eax], 14h
		jnb	short loc_9D0390
		mov	eax, 0C000000Dh
		jmp	short locret_9D03EA
; 

loc_9D0390:				; CODE XREF: RtlSelfRelativeToAbsoluteSD2(x,x)+35j
		push	esi
		movzx	esi, word ptr [ecx+2]
		test	si, si
		js	short loc_9D03A1
		mov	eax, 0C00000E7h
		jmp	short loc_9D03E9
; 

loc_9D03A1:				; CODE XREF: RtlSelfRelativeToAbsoluteSD2(x,x)+46j
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+arg_4]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	edx, [ebp+var_4]
		call	RtlpQuerySecurityDescriptor
		mov	eax, [ebp+var_4]
		and	esi, 7FFFh
		mov	[ecx+4], eax
		mov	eax, [ebp+var_8]
		mov	[ecx+8], eax
		mov	eax, [ebp+var_C]
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+var_10]
		mov	[ecx+10h], eax
		xor	eax, eax
		mov	[ecx+2], si

loc_9D03E9:				; CODE XREF: RtlSelfRelativeToAbsoluteSD2(x,x)+4Dj
		pop	esi

locret_9D03EA:				; CODE XREF: RtlSelfRelativeToAbsoluteSD2(x,x)+22j
					; RtlSelfRelativeToAbsoluteSD2(x,x)+30j ...
		leave
		retn	8
_RtlSelfRelativeToAbsoluteSD2@8	endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 1940. RtlAddAccessAllowedObjectAce

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlAddAccessAllowedObjectAce(int,int,int,int,int,int,void *)
		public _RtlAddAccessAllowedObjectAce@28
_RtlAddAccessAllowedObjectAce@28 proc near ; CODE XREF:	LocalGetAclForString+AEA97p
					; LocalGetAclForString+AEB67p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_10], 0
		jnz	short loc_9D041C
		cmp	[ebp+arg_14], 0
		jnz	short loc_9D041C
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_18]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	RtlpAddKnownAce
		jmp	short loc_9D0438
; 

loc_9D041C:				; CODE XREF: RtlAddAccessAllowedObjectAce(x,x,x,x,x,x,x)+9j
					; RtlAddAccessAllowedObjectAce(x,x,x,x,x,x,x)+Fj
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	5		; char
		push	[ebp+arg_18]	; void *
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		call	_RtlpAddKnownObjectAce@32 ; RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)

loc_9D0438:				; CODE XREF: RtlAddAccessAllowedObjectAce(x,x,x,x,x,x,x)+27j
		pop	ebp
		retn	1Ch
_RtlAddAccessAllowedObjectAce@28 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1942. RtlAddAccessDeniedObjectAce

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlAddAccessDeniedObjectAce(int,int,int,int,int,int,void *)
		public _RtlAddAccessDeniedObjectAce@28
_RtlAddAccessDeniedObjectAce@28	proc near ; CODE XREF: LocalGetAclForString+AEB2Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_10], 0
		jnz	short loc_9D046A
		cmp	[ebp+arg_14], 0
		jnz	short loc_9D046A
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1
		push	[ebp+arg_18]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	RtlpAddKnownAce
		jmp	short loc_9D0486
; 

loc_9D046A:				; CODE XREF: RtlAddAccessDeniedObjectAce(x,x,x,x,x,x,x)+9j
					; RtlAddAccessDeniedObjectAce(x,x,x,x,x,x,x)+Fj
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	6		; char
		push	[ebp+arg_18]	; void *
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		call	_RtlpAddKnownObjectAce@32 ; RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)

loc_9D0486:				; CODE XREF: RtlAddAccessDeniedObjectAce(x,x,x,x,x,x,x)+27j
		pop	ebp
		retn	1Ch
_RtlAddAccessDeniedObjectAce@28	endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1943. RtlAddAccessFilterAce

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAddAccessFilterAce(x, x,	x, x, x, x, x, x)
		public _RtlAddAccessFilterAce@32
_RtlAddAccessFilterAce@32 proc near

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= word ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_18]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], 100h
		push	edi
		mov	edi, [ebp+arg_C]
		test	esi, esi
		jz	loc_9D064A
		push	esi
		call	RtlValidAcl
		test	al, al
		jz	loc_9D064A
		test	ebx, ebx
		jz	short loc_9D0524
		mov	bx, [ebp+arg_1C]
		mov	eax, 0FFFFh
		cmp	bx, ax
		jz	short loc_9D0524
		push	6
		pop	eax
		cmp	bx, ax
		jb	short loc_9D0524
		mov	eax, [ebp+var_1C]
		cmp	dword ptr [eax], 78747261h
		jnz	short loc_9D0524
		cmp	[ebp+arg_10], 15h
		jnz	short loc_9D0524
		push	edi
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jnz	short loc_9D0513
		mov	eax, 0C0000078h
		jmp	loc_9D064F
; 

loc_9D0513:				; CODE XREF: RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+78j
		test	byte ptr [ebp+arg_8], 40h
		jz	short loc_9D052E
		mov	ecx, edi
		call	_RtlIsValidProcessTrustLabelSid@4 ; RtlIsValidProcessTrustLabelSid(x)
		test	al, al
		jnz	short loc_9D054F

loc_9D0524:				; CODE XREF: RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+47j
					; RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+55j ...
		mov	eax, 0C000000Dh
		jmp	loc_9D064F
; 

loc_9D052E:				; CODE XREF: RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+88j
		push	6		; size_t
		lea	eax, [ebp+var_C]
		push	eax		; void *
		lea	eax, [edi+2]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9D0524
		cmp	byte ptr [edi+1], 1
		jnz	short loc_9D0524
		cmp	[edi+8], eax
		jnz	short loc_9D0524

loc_9D054F:				; CODE XREF: RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+93j
		mov	cl, [esi]
		mov	[ebp+var_D], cl
		cmp	cl, 4
		ja	loc_9D0643
		cmp	[ebp+arg_4], 4
		ja	loc_9D0643
		movzx	eax, cl
		cmp	eax, [ebp+arg_4]
		ja	short loc_9D0575
		mov	al, byte ptr [ebp+arg_4]
		mov	[ebp+var_D], al

loc_9D0575:				; CODE XREF: RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+DEj
		test	[ebp+arg_8], 0FFFFFFA0h
		jnz	short loc_9D0524
		test	[ebp+arg_14], 0FF000000h
		jnz	short loc_9D0524
		lea	eax, [ebp+var_18]
		push	eax
		push	esi
		call	_RtlFirstFreeAce@8 ; RtlFirstFreeAce(x,x)
		test	al, al
		jz	loc_9D064A
		movzx	eax, byte ptr [edi+1]
		lea	ecx, [ebp+var_14]
		push	ecx
		lea	edx, ds:10h[eax*4]
		movzx	eax, bx
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], eax
		lea	ecx, [eax+3]
		and	ecx, 0FFFFFFFCh
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_9D05CA
		mov	eax, 0C0000095h
		jmp	loc_9D064F
; 

loc_9D05CA:				; CODE XREF: RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+12Fj
		mov	edx, [ebp+var_14]
		cmp	edx, 0FFFFh
		ja	loc_9D0524
		mov	ebx, [ebp+var_18]
		test	ebx, ebx
		jz	short loc_9D063C
		movzx	ecx, word ptr [esi+2]
		lea	eax, [edx+ebx]
		add	ecx, esi
		cmp	eax, ecx
		ja	short loc_9D063C
		mov	eax, [ebp+arg_8]
		mov	[ebx+1], al
		mov	eax, [ebp+arg_14]
		mov	[ebx+4], eax
		lea	eax, [ebx+8]
		push	edi		; void *
		push	eax		; void *
		mov	byte ptr [ebx],	15h
		mov	[ebx+2], dx
		movzx	eax, byte ptr [edi+1]
		lea	eax, ds:8[eax*4]
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		movzx	eax, byte ptr [edi+1]
		push	[ebp+var_C]	; size_t
		add	eax, 4
		push	[ebp+var_1C]	; void *
		lea	eax, [ebx+eax*4]
		push	eax		; void *
		call	_memcpy
		mov	al, [ebp+var_D]
		add	esp, 0Ch
		inc	word ptr [esi+4]
		mov	[esi], al
		xor	eax, eax
		jmp	short loc_9D064F
; 

loc_9D063C:				; CODE XREF: RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+14Fj
					; RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+15Cj
		mov	eax, 0C0000099h
		jmp	short loc_9D064F
; 

loc_9D0643:				; CODE XREF: RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+C8j
					; RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+D2j
		mov	eax, 0C0000059h
		jmp	short loc_9D064F
; 

loc_9D064A:				; CODE XREF: RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+31j
					; RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+3Fj ...
		mov	eax, 0C0000077h

loc_9D064F:				; CODE XREF: RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+7Fj
					; RtlAddAccessFilterAce(x,x,x,x,x,x,x,x)+9Aj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
_RtlAddAccessFilterAce@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAddAuditAccessAce(x, x, x, x, x,	x)
_RtlAddAuditAccessAce@24 proc near	; CODE XREF: SepInitProcessAuditSd+86B8Cp
					; ObInitSystem+2179Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	2
		pop	edx
		push	edx
		push	_SeWorldSid
		push	[ebp+arg_0]
		push	0C0h
		call	RtlpAddKnownAce
		pop	ebp
		retn	10h
_RtlAddAuditAccessAce@24 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1947. RtlAddAuditAccessAceEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAddAuditAccessAceEx(x, x, x, x, x, x, x)
		public _RtlAddAuditAccessAceEx@28
_RtlAddAuditAccessAceEx@28 proc	near	; CODE XREF: LocalGetAclForString+AEA60p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= byte ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_14], 0
		mov	eax, [ebp+arg_8]
		jz	short loc_9D0696
		or	eax, 40h

loc_9D0696:				; CODE XREF: RtlAddAuditAccessAceEx(x,x,x,x,x,x,x)+Cj
		cmp	[ebp+arg_18], 0
		jz	short loc_9D06A1
		or	eax, 80h

loc_9D06A1:				; CODE XREF: RtlAddAuditAccessAceEx(x,x,x,x,x,x,x)+15j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	2
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	eax
		call	RtlpAddKnownAce
		pop	ebp
		retn	1Ch
_RtlAddAuditAccessAceEx@28 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1948. RtlAddAuditAccessObjectAce

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlAddAuditAccessObjectAce(int,int,int,int,int,int,void	*,char,char)
		public _RtlAddAuditAccessObjectAce@36
_RtlAddAuditAccessObjectAce@36 proc near ; CODE	XREF: LocalGetAclForString+AEAFBp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= byte ptr  24h
arg_20		= byte ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_1C], 0
		mov	eax, [ebp+arg_8]
		jz	short loc_9D06CF
		or	eax, 40h

loc_9D06CF:				; CODE XREF: RtlAddAuditAccessObjectAce(x,x,x,x,x,x,x,x,x)+Cj
		cmp	[ebp+arg_20], 0
		jz	short loc_9D06DA
		or	eax, 80h

loc_9D06DA:				; CODE XREF: RtlAddAuditAccessObjectAce(x,x,x,x,x,x,x,x,x)+15j
		cmp	[ebp+arg_10], 0
		jnz	short loc_9D06FC
		cmp	[ebp+arg_14], 0
		jnz	short loc_9D06FC
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	2
		push	[ebp+arg_18]
		push	[ebp+arg_C]
		push	eax
		call	RtlpAddKnownAce
		jmp	short loc_9D0716
; 

loc_9D06FC:				; CODE XREF: RtlAddAuditAccessObjectAce(x,x,x,x,x,x,x,x,x)+20j
					; RtlAddAuditAccessObjectAce(x,x,x,x,x,x,x,x,x)+26j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	7		; char
		push	[ebp+arg_18]	; void *
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	eax		; int
		call	_RtlpAddKnownObjectAce@32 ; RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)

loc_9D0716:				; CODE XREF: RtlAddAuditAccessObjectAce(x,x,x,x,x,x,x,x,x)+3Cj
		pop	ebp
		retn	24h
_RtlAddAuditAccessObjectAce@36 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1951. RtlAddResourceAttributeAce

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAddResourceAttributeAce(x, x, x,	x, x, x, x)
		public _RtlAddResourceAttributeAce@28
_RtlAddResourceAttributeAce@28 proc near

var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_10D		= byte ptr -10Dh
var_10C		= dword	ptr -10Ch
var_108		= word ptr -108h
var_104		= dword	ptr -104h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 12Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_14]
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		push	100h		; size_t
		push	eax		; int
		mov	[ebp+var_124], eax
		mov	edi, eax
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_104]
		mov	[ebp+var_114], ecx
		mov	ecx, [ebp+arg_18]
		push	eax		; void *
		mov	[ebp+var_120], esi
		mov	[ebp+var_128], ecx
		mov	[ebp+var_108], 100h
		call	_memset
		mov	eax, [ebp+var_128]
		add	esp, 0Ch
		mov	[ebp+var_118], 100h
		test	eax, eax
		jnz	short loc_9D07A1

loc_9D0797:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+BDj
					; RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+103j ...
		mov	esi, 0C000000Dh
		jmp	loc_9D0A60
; 

loc_9D07A1:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+76j
		and	[eax], edi
		test	ebx, ebx
		jnz	short loc_9D07B1
		mov	esi, 0C0000077h
		jmp	loc_9D0A60
; 

loc_9D07B1:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+86j
		push	esi
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jnz	short loc_9D07C5
		mov	esi, 0C0000078h
		jmp	loc_9D0A60
; 

loc_9D07C5:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+9Aj
		push	6		; size_t
		lea	eax, [ebp+var_10C]
		push	eax		; void *
		lea	eax, [esi+2]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9D0797
		cmp	byte ptr [esi+1], 1
		jnz	loc_9D0A45
		cmp	[esi+8], edi
		jnz	loc_9D0A45
		mov	al, [ebx]
		mov	[ebp+var_10D], al
		cmp	al, 4
		ja	loc_9D0A3E
		push	4
		pop	ecx
		cmp	[ebp+arg_4], ecx
		ja	loc_9D0A3E
		cmp	al, byte ptr [ebp+arg_4]
		ja	short loc_9D081B
		mov	al, byte ptr [ebp+arg_4]
		mov	[ebp+var_10D], al

loc_9D081B:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+F1j
		test	[ebp+arg_8], 0FFFFFFE0h
		jnz	loc_9D0797
		cmp	[ebp+arg_C], edi
		jnz	loc_9D0797
		mov	esi, [ebp+var_114]
		mov	ecx, esi
		call	_RtlpValidAttributeInfo@4 ; RtlpValidAttributeInfo(x)
		test	al, al
		jz	loc_9D0797
		cmp	dword ptr [esi+4], 1
		jnz	loc_9D0797
		mov	ecx, [esi+8]
		lea	edi, [ebp+var_104]
		lea	eax, [ebp+var_118]
		mov	[ebp+var_12C], edi
		push	eax		; void *
		mov	edx, edi
		call	_RtlpConvertAbsoluteToRelativeSecurityAttribute@12 ; RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)
		mov	esi, eax
		mov	[ebp+var_11C], esi
		cmp	esi, 0C0000023h
		jnz	short loc_9D08C5
		push	62507452h
		push	[ebp+var_118]
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	edi, eax
		mov	[ebp+var_12C], edi
		test	edi, edi
		jnz	short loc_9D08A6
		add	esi, 0FFFFFFF4h
		jmp	loc_9D0A60
; 

loc_9D08A6:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+17Dj
		mov	ecx, [ebp+var_114]
		lea	eax, [ebp+var_118]
		push	eax		; void *
		mov	edx, edi
		mov	ecx, [ecx+8]
		call	_RtlpConvertAbsoluteToRelativeSecurityAttribute@12 ; RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)
		mov	esi, eax
		mov	[ebp+var_11C], eax

loc_9D08C5:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+15Cj
		test	esi, esi
		js	loc_9D0A4A
		push	ebx
		call	RtlValidAcl
		test	al, al
		jnz	short loc_9D08E1

loc_9D08D7:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+1D1j
		mov	esi, 0C0000077h
		jmp	loc_9D0A4A
; 

loc_9D08E1:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+1B6j
		lea	eax, [ebp+var_124]
		push	eax
		push	ebx
		call	_RtlFirstFreeAce@8 ; RtlFirstFreeAce(x,x)
		test	al, al
		jz	short loc_9D08D7
		mov	eax, [ebp+var_120]
		push	4
		pop	ecx
		movzx	eax, byte ptr [eax+1]
		add	ax, cx
		shl	ax, 2
		cmp	[ebp+var_118], 0FFFFh
		movzx	ecx, ax
		mov	[ebp+var_114], ecx
		ja	loc_9D0A37
		mov	edx, [ebp+var_118]
		lea	eax, [ebp+var_114]
		push	eax
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		test	eax, eax
		js	loc_9D0A37
		mov	edx, [ebp+var_128]
		xor	eax, eax
		and	[ebp+var_10C], 0
		push	8
		pop	ecx
		mov	[edx], ecx
		cmp	ax, [ebx+4]
		jnb	short loc_9D0979
		mov	edi, [ebp+var_10C]
		lea	esi, [ebx+8]

loc_9D095C:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+252j
		movzx	ecx, word ptr [esi+2]
		add	ecx, [edx]
		inc	edi
		mov	[edx], ecx
		movzx	eax, word ptr [esi+2]
		add	esi, eax
		movzx	eax, word ptr [ebx+4]
		cmp	edi, eax
		jb	short loc_9D095C
		mov	edi, [ebp+var_12C]

loc_9D0979:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+232j
		mov	eax, [ebp+var_114]
		movzx	eax, ax
		add	eax, ecx
		mov	[edx], eax
		mov	edx, [ebp+var_124]
		mov	[ebp+var_10C], eax
		test	edx, edx
		jz	loc_9D0A22
		mov	esi, [ebp+var_114]
		movzx	ecx, word ptr [ebx+2]
		movzx	eax, si
		add	ecx, ebx
		mov	esi, [ebp+var_11C]
		add	eax, edx
		cmp	eax, ecx
		ja	short loc_9D0A1C
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_120]
		and	dword ptr [edx+4], 0
		mov	[edx+1], al
		mov	eax, [ebp+var_114]
		mov	[edx+2], ax
		lea	eax, [edx+8]
		push	ecx		; void *
		push	eax		; void *
		mov	byte ptr [edx],	12h
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		mov	eax, [ebp+var_120]
		mov	ecx, [ebp+var_124]
		push	[ebp+var_118]	; size_t
		add	ecx, 10h
		movzx	eax, byte ptr [eax+1]
		push	edi		; void *
		lea	eax, [ecx+eax*4]
		push	eax		; void *
		call	_memcpy
		mov	al, [ebp+var_10D]
		add	esp, 0Ch
		inc	word ptr [ebx+4]
		mov	[ebx], al
		jmp	short loc_9D0A4A
; 

loc_9D0A1C:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+294j
		mov	eax, [ebp+var_10C]

loc_9D0A22:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+275j
		mov	ecx, [ebp+var_128]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		mov	esi, 0C0000099h
		mov	[ecx], eax
		jmp	short loc_9D0A4A
; 

loc_9D0A37:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+1FAj
					; RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+214j
		mov	esi, 0C0000095h
		jmp	short loc_9D0A4A
; 

loc_9D0A3E:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+DCj
					; RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+E8j
		mov	esi, 0C0000059h
		jmp	short loc_9D0A60
; 

loc_9D0A45:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+C3j
					; RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+CCj
		mov	esi, 0C000000Dh

loc_9D0A4A:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+1A8j
					; RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+1BDj ...
		test	edi, edi
		jz	short loc_9D0A60
		lea	eax, [ebp+var_104]
		cmp	edi, eax
		jz	short loc_9D0A60
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D0A60:				; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+7Dj
					; RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+8Dj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
_RtlAddResourceAttributeAce@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpAddKnownObjectAce(int,int,int,int,void *,char)
_RtlpAddKnownObjectAce@32 proc near	; CODE XREF: RtlAddAccessAllowedObjectAce(x,x,x,x,x,x,x)+40p
					; RtlAddAccessDeniedObjectAce(x,x,x,x,x,x,x)+40p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_10]
		mov	edi, [ebp+arg_8]
		mov	esi, edx
		and	[ebp+arg_8], 0
		mov	ebx, ecx
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jnz	short loc_9D0A9E
		mov	eax, 0C0000078h
		jmp	loc_9D0BB3
; 

loc_9D0A9E:				; CODE XREF: RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+1Fj
		cmp	byte ptr [ebx],	4
		ja	loc_9D0BAE
		cmp	esi, 4
		jnz	loc_9D0BAE
		mov	ecx, [ebp+arg_0]
		mov	eax, ecx
		and	eax, 0FFFFFFE0h
		jz	short loc_9D0AD5
		cmp	[ebp+arg_14], 7
		jnz	short loc_9D0AC7
		mov	eax, ecx
		and	eax, 0FFFFFF20h

loc_9D0AC7:				; CODE XREF: RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+4Bj
		test	eax, eax
		jz	short loc_9D0AD5
		mov	eax, 0C000000Dh
		jmp	loc_9D0BB3
; 

loc_9D0AD5:				; CODE XREF: RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+45j
					; RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+56j
		push	ebx
		call	RtlValidAcl
		test	al, al
		jz	loc_9D0BA7
		lea	eax, [ebp+arg_8]
		push	eax
		push	ebx
		call	_RtlFirstFreeAce@8 ; RtlFirstFreeAce(x,x)
		test	al, al
		jz	loc_9D0BA7
		mov	eax, [ebp+arg_10]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_8], eax
		movzx	eax, ax
		mov	ecx, eax
		add	eax, 0Ch
		movzx	esi, ax
		test	edi, edi
		jz	short loc_9D0B1B
		lea	eax, [ecx+1Ch]
		movzx	esi, ax

loc_9D0B1B:				; CODE XREF: RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+A0j
		xor	eax, eax
		test	edi, edi
		setnz	al
		cmp	[ebp+arg_C], 0
		mov	[ebp+var_4], eax
		jz	short loc_9D0B34
		or	eax, 2
		add	esi, 10h
		mov	[ebp+var_4], eax

loc_9D0B34:				; CODE XREF: RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+B6j
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jz	short loc_9D0BA0
		movzx	ecx, word ptr [ebx+2]
		movzx	eax, si
		add	ecx, ebx
		add	eax, edx
		cmp	eax, ecx
		ja	short loc_9D0BA0
		mov	eax, [ebp+arg_0]
		mov	[edx+1], al
		mov	al, [ebp+arg_14]
		mov	[edx], al
		mov	eax, [ebp+arg_4]
		mov	[edx+4], eax
		mov	eax, [ebp+var_4]
		mov	[edx+2], si
		mov	[edx+8], eax
		add	edx, 0Ch
		test	edi, edi
		jz	short loc_9D0B77
		mov	esi, edi
		mov	edi, edx
		add	edx, 10h
		movsd
		movsd
		movsd
		movsd

loc_9D0B77:				; CODE XREF: RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+F7j
		cmp	[ebp+arg_C], 0
		jz	short loc_9D0B89
		mov	esi, [ebp+arg_C]
		mov	edi, edx
		add	edx, 10h
		movsd
		movsd
		movsd
		movsd

loc_9D0B89:				; CODE XREF: RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+108j
		push	[ebp+arg_10]	; void *
		push	edx		; void *
		push	[ebp+var_8]	; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		inc	word ptr [ebx+4]
		xor	eax, eax
		mov	byte ptr [ebx],	4
		jmp	short loc_9D0BB3
; 

loc_9D0BA0:				; CODE XREF: RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+C6j
					; RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+D5j
		mov	eax, 0C0000099h
		jmp	short loc_9D0BB3
; 

loc_9D0BA7:				; CODE XREF: RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+6Aj
					; RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+7Cj
		mov	eax, 0C0000077h
		jmp	short loc_9D0BB3
; 

loc_9D0BAE:				; CODE XREF: RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+2Ej
					; RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+37j
		mov	eax, 0C0000059h

loc_9D0BB3:				; CODE XREF: RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+26j
					; RtlpAddKnownObjectAce(x,x,x,x,x,x,x,x)+5Dj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_RtlpAddKnownObjectAce@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpConvertAbsoluteToRelativeSecurityAttribute(void *)
_RtlpConvertAbsoluteToRelativeSecurityAttribute@12 proc	near
					; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+149p
					; RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+199p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_10], edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], 14h
		mov	[ebp+var_1C], esi
		mov	edx, ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], ebx
		push	edi
		test	esi, esi
		jz	loc_9D0FCB
		cmp	[ebp+arg_0], edx
		jz	loc_9D0FCB
		mov	eax, [esi+0Ch]
		mov	[ebp+var_14], eax
		push	4
		pop	ecx
		test	eax, eax
		jz	short loc_9D0C19
		dec	eax
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9D0FD0
		mov	edx, [ebp+var_8]

loc_9D0C19:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+43j
		lea	eax, [ebp+var_4]
		push	eax
		push	14h
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9D0FD0
		mov	ecx, [esi]
		lea	eax, [ebp+var_C]
		push	eax
		mov	edx, 0FFFFh
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9D0FD0
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		pop	eax
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9D0FD0
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9D0FD0
		movzx	ecx, word ptr [esi+4]
		mov	eax, ecx
		push	3
		pop	edi
		test	ax, ax
		jz	loc_9D0DD0
		push	2
		pop	edx
		cmp	ax, dx
		jbe	loc_9D0D9B
		cmp	ax, di
		jz	loc_9D0D24
		push	5
		pop	edx
		cmp	ax, dx
		jz	short loc_9D0CC4
		push	6
		pop	edx
		cmp	ax, dx
		jz	loc_9D0D9B
		push	10h
		pop	eax
		cmp	cx, ax
		jnz	loc_9D0DD0

loc_9D0CC4:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+F0j
		mov	[ebp+var_8], ebx
		cmp	[ebp+var_14], ebx
		jbe	loc_9D0DD0
		mov	eax, [esi+10h]
		add	eax, 4
		mov	[ebp+var_20], eax

loc_9D0CD9:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+163j
		mov	edx, [eax]
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, [ebp+var_4]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9D0FD0
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9D0FD0
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_20]
		inc	ecx
		add	eax, 8
		mov	[ebp+var_8], ecx
		mov	[ebp+var_20], eax
		cmp	ecx, [ebp+var_14]
		jb	short loc_9D0CD9
		jmp	loc_9D0DD0
; 

loc_9D0D24:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+E4j
		mov	[ebp+var_20], ebx
		cmp	[ebp+var_14], ebx
		jbe	loc_9D0DD0
		mov	eax, [esi+10h]
		mov	[ebp+var_24], eax

loc_9D0D36:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+1DDj
		lea	ecx, [ebp+var_C]
		mov	edx, 0FFFFh
		push	ecx
		mov	ecx, [eax]
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9D0FD0
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		push	2
		pop	eax
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9D0FD0
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9D0FD0
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+var_24]
		inc	ecx
		add	eax, 4
		mov	[ebp+var_20], ecx
		mov	[ebp+var_24], eax
		cmp	ecx, [ebp+var_14]
		jb	short loc_9D0D36
		jmp	short loc_9D0DD0
; 

loc_9D0D9B:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+DBj
					; RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+F8j
		mov	eax, [ebp+var_14]
		push	8
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9D0FD0
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_4]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9D0FD0

loc_9D0DD0:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+CFj
					; RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+104j ...
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	3
		pop	eax
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		mov	[ebp+var_20], edi
		test	edi, edi
		js	loc_9D0FD0
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		and	ecx, 0FFFFFFFCh
		cmp	[edx], ecx
		jnb	short loc_9D0E07
		mov	[edx], ecx
		mov	edi, 0C0000023h
		jmp	loc_9D0FD0
; 

loc_9D0E07:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+23Fj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	loc_9D0FCB
		push	ecx		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	[edx], ecx
		call	_memset
		mov	ax, [esi+4]
		mov	ecx, [ebp+var_10]
		push	[ebp+var_18]	; size_t
		mov	[ecx+4], ax
		mov	ax, [esi+6]
		mov	[ecx+6], ax
		mov	eax, [esi+8]
		mov	[ecx+8], eax
		mov	eax, [esi+0Ch]
		mov	[ecx+0Ch], eax
		mov	esi, [esi+0Ch]
		lea	eax, ds:0FFFFFFFCh[esi*4]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	eax, [ebp+var_1C]
		add	esi, 14h
		mov	[ecx], esi
		push	dword ptr [eax]	; void *
		lea	eax, [esi+ecx]
		push	eax		; void *
		call	_memcpy
		add	esi, [ebp+var_18]
		add	esp, 18h
		mov	eax, [ebp+var_10]
		mov	edx, [ebp+var_1C]
		mov	[ebp+var_14], esi
		lea	ecx, [esi+eax]
		mov	[ebp+arg_0], ecx
		movzx	ecx, word ptr [edx+4]
		mov	[ebp+var_24], ecx
		movzx	ecx, cx
		mov	[ebp+var_18], ecx
		test	cx, cx
		jz	loc_9D0FCB
		push	2
		pop	ecx
		cmp	word ptr [ebp+var_18], cx
		jbe	loc_9D0F89
		push	3
		pop	ecx
		cmp	word ptr [ebp+var_18], cx
		jz	loc_9D0F2E
		push	5
		pop	ecx
		cmp	word ptr [ebp+var_18], cx
		lea	ecx, [esi+eax]
		jz	short loc_9D0ECF
		push	6
		pop	ecx
		cmp	word ptr [ebp+var_18], cx
		lea	ecx, [esi+eax]
		jz	loc_9D0F89
		push	10h
		pop	eax
		cmp	word ptr [ebp+var_24], ax
		jnz	loc_9D0FCB

loc_9D0ECF:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+2F6j
		cmp	[edx+0Ch], ebx
		jbe	loc_9D0FD0
		mov	edi, [ebp+var_10]
		lea	eax, [edi+10h]
		mov	[ebp+arg_0], eax

loc_9D0EE1:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+36Aj
		mov	[eax], esi
		add	esi, 4
		mov	eax, [edx+10h]
		mov	eax, [eax+ebx*8+4]
		mov	[ecx], eax
		mov	eax, [edx+10h]
		mov	ecx, [eax+ebx*8+4]
		test	ecx, ecx
		jz	short loc_9D0F10
		push	ecx		; size_t
		push	dword ptr [eax+ebx*8] ;	void *
		lea	eax, [esi+edi]
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_1C]
		add	esp, 0Ch
		mov	eax, [edx+10h]

loc_9D0F10:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+33Ej
		add	esi, [eax+ebx*8+4]
		inc	ebx
		mov	eax, [ebp+arg_0]
		add	eax, 4
		mov	[ebp+arg_0], eax
		lea	ecx, [esi+edi]
		cmp	ebx, [edx+0Ch]
		jb	short loc_9D0EE1

loc_9D0F26:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+40Cj
		mov	edi, [ebp+var_20]
		jmp	loc_9D0FD0
; 

loc_9D0F2E:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+2E6j
		cmp	[edx+0Ch], ebx
		jbe	loc_9D0FD0

loc_9D0F37:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+3CBj
		mov	[eax+ebx*4+10h], esi
		lea	ecx, [ebp+var_C]
		mov	eax, [edx+10h]
		mov	edx, 0FFFFh
		push	ecx
		mov	eax, [eax+ebx*4]
		mov	ecx, eax
		mov	[ebp+var_24], eax
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9D0FD0
		mov	esi, [ebp+var_C]
		add	esi, 2
		push	esi		; size_t
		push	[ebp+var_24]	; void *
		push	[ebp+arg_0]	; void *
		call	_memcpy
		add	[ebp+var_14], esi
		add	esp, 0Ch
		mov	esi, [ebp+var_14]
		inc	ebx
		mov	eax, [ebp+var_10]
		mov	edx, [ebp+var_1C]
		lea	ecx, [esi+eax]
		mov	[ebp+arg_0], ecx
		cmp	ebx, [edx+0Ch]
		jb	short loc_9D0F37
		jmp	short loc_9D0FD0
; 

loc_9D0F89:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+2D9j
					; RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+302j
		cmp	[edx+0Ch], ebx
		jbe	short loc_9D0FD0
		add	eax, 10h
		mov	[ebp+var_24], eax

loc_9D0F94:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+40Aj
		mov	edi, [ebp+arg_0]
		mov	[eax], esi
		mov	ecx, [edx+10h]
		push	8
		mov	eax, [ecx+ebx*8]
		mov	[edi], eax
		mov	eax, [ecx+ebx*8+4]
		mov	ecx, edi
		mov	[ecx+4], eax
		pop	eax
		add	esi, eax
		mov	eax, [ebp+var_10]
		add	eax, esi
		inc	ebx
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_24]
		add	eax, 4
		mov	[ebp+var_24], eax
		cmp	ebx, [edx+0Ch]
		jb	short loc_9D0F94
		jmp	loc_9D0F26
; 

loc_9D0FCB:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+29j
					; RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+32j ...
		mov	edi, 0C000000Dh

loc_9D0FD0:				; CODE XREF: RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+56j
					; RtlpConvertAbsoluteToRelativeSecurityAttribute(x,x,x)+6Fj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_RtlpConvertAbsoluteToRelativeSecurityAttribute@12 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpValidAccessFilterAce(x)
_RtlpValidAccessFilterAce@4 proc near	; CODE XREF: RtlValidAcl+F543Ap
		mov	edi, edi
		push	esi
		test	ecx, ecx
		jz	short loc_9D1024
		movzx	esi, word ptr [ecx+2]
		mov	edx, esi
		lea	eax, [edx+3]
		and	eax, 0FFFFFFFCh
		cmp	eax, edx
		jnz	short loc_9D1024
		cmp	esi, 10h
		jb	short loc_9D1024
		cmp	byte ptr [ecx+8], 1
		jnz	short loc_9D1024
		mov	al, [ecx+9]
		cmp	al, 0Fh
		ja	short loc_9D1024
		movzx	eax, al
		lea	eax, ds:8[eax*4]
		sub	edx, eax
		sub	edx, 8
		cmp	edx, 6
		jl	short loc_9D1024
		cmp	dword ptr [eax+ecx+8], 78747261h
		jnz	short loc_9D1024
		mov	al, 1
		pop	esi
		retn
; 

loc_9D1024:				; CODE XREF: RtlpValidAccessFilterAce(x)+5j
					; RtlpValidAccessFilterAce(x)+15j ...
		xor	al, al
		pop	esi
		retn
_RtlpValidAccessFilterAce@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpValidAttribute(x)
_RtlpValidAttribute@4 proc near		; CODE XREF: RtlpValidAttributeInfo(x)+25p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		push	edi
		test	esi, esi
		jz	short loc_9D10B2
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_9D10B2
		lea	eax, [ebp+var_4]
		mov	edx, 0FFFFh
		push	eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		test	eax, eax
		js	short loc_9D10B2
		cmp	[ebp+var_4], ebx
		jz	short loc_9D10B2
		cmp	[esi+6], bx
		jnz	short loc_9D10B2
		test	dword ptr [esi+8], 0FFC0h
		jnz	short loc_9D10B2
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_9D10B2
		mov	edx, [esi+10h]
		test	edx, edx
		jz	short loc_9D10B2
		movzx	esi, word ptr [esi+4]
		mov	eax, esi
		test	ax, ax
		jz	short loc_9D10B2
		cmp	eax, 2
		jbe	loc_9D1114
		cmp	eax, 3
		jz	short loc_9D1102
		cmp	eax, 5
		jz	short loc_9D10EA
		cmp	eax, 6
		jz	short loc_9D10C7
		cmp	esi, 10h
		jnz	short loc_9D10B2
		mov	eax, ebx
		test	ecx, ecx
		jz	short loc_9D1114
		add	edx, 4

loc_9D10A7:				; CODE XREF: RtlpValidAttribute(x)+9Bj
		mov	esi, [edx]
		cmp	[edx-4], ebx
		jnz	short loc_9D10B9
		test	esi, esi
		jz	short loc_9D10BD

loc_9D10B2:				; CODE XREF: RtlpValidAttribute(x)+12j
					; RtlpValidAttribute(x)+18j ...
		xor	al, al

loc_9D10B4:				; CODE XREF: RtlpValidAttribute(x)+EEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9D10B9:				; CODE XREF: RtlpValidAttribute(x)+84j
		test	esi, esi
		jz	short loc_9D10B2

loc_9D10BD:				; CODE XREF: RtlpValidAttribute(x)+88j
		inc	eax
		add	edx, 8
		cmp	eax, ecx
		jb	short loc_9D10A7
		jmp	short loc_9D1114
; 

loc_9D10C7:				; CODE XREF: RtlpValidAttribute(x)+6Fj
		mov	esi, ebx
		test	ecx, ecx
		jz	short loc_9D1114

loc_9D10CD:				; CODE XREF: RtlpValidAttribute(x)+BEj
		mov	ebx, [edx+esi*8]
		mov	eax, ebx
		mov	edi, [edx+esi*8+4]
		or	eax, edi
		jz	short loc_9D10E3
		cmp	ebx, 1
		jnz	short loc_9D10B2
		test	edi, edi
		jnz	short loc_9D10B2

loc_9D10E3:				; CODE XREF: RtlpValidAttribute(x)+B0j
		inc	esi
		cmp	esi, ecx
		jb	short loc_9D10CD
		jmp	short loc_9D1114
; 

loc_9D10EA:				; CODE XREF: RtlpValidAttribute(x)+6Aj
		mov	eax, ebx
		test	ecx, ecx
		jz	short loc_9D1114

loc_9D10F0:				; CODE XREF: RtlpValidAttribute(x)+D6j
		cmp	[edx+eax*8], ebx
		jz	short loc_9D10B2
		cmp	[edx+eax*8+4], ebx
		jz	short loc_9D10B2
		inc	eax
		cmp	eax, ecx
		jb	short loc_9D10F0
		jmp	short loc_9D1114
; 

loc_9D1102:				; CODE XREF: RtlpValidAttribute(x)+65j
		mov	esi, ebx
		test	ecx, ecx
		jz	short loc_9D1114

loc_9D1108:				; CODE XREF: RtlpValidAttribute(x)+EAj
		cmp	[edx], ebx
		jz	short loc_9D10B2
		inc	esi
		add	edx, 4
		cmp	esi, ecx
		jb	short loc_9D1108

loc_9D1114:				; CODE XREF: RtlpValidAttribute(x)+5Cj
					; RtlpValidAttribute(x)+7Aj ...
		mov	al, 1
		jmp	short loc_9D10B4
_RtlpValidAttribute@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpValidAttributeInfo(x)
_RtlpValidAttributeInfo@4 proc near	; CODE XREF: RtlAddResourceAttributeAce(x,x,x,x,x,x,x)+11Ap
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_9D1153
		xor	eax, eax
		inc	eax
		cmp	[ecx], ax
		jnz	short loc_9D1153
		xor	esi, esi
		cmp	[ecx+2], si
		jnz	short loc_9D1153
		mov	edi, [ecx+4]
		test	edi, edi
		jz	short loc_9D1153
		mov	ebx, [ecx+8]

loc_9D113B:				; CODE XREF: RtlpValidAttributeInfo(x)+34j
		mov	ecx, ebx
		call	_RtlpValidAttribute@4 ;	RtlpValidAttribute(x)
		test	al, al
		jz	short loc_9D1153
		inc	esi
		add	ebx, 14h
		cmp	esi, edi
		jb	short loc_9D113B
		xor	eax, eax
		inc	eax
		jmp	short loc_9D1155
; 

loc_9D1153:				; CODE XREF: RtlpValidAttributeInfo(x)+7j
					; RtlpValidAttributeInfo(x)+Fj	...
		xor	al, al

loc_9D1155:				; CODE XREF: RtlpValidAttributeInfo(x)+39j
		pop	edi
		pop	esi
		pop	ebx
		retn
_RtlpValidAttributeInfo@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpValidCompoundAce(x)
_RtlpValidCompoundAce@4	proc near	; CODE XREF: RtlValidAcl+F53F0p
		mov	edi, edi
		push	ebx
		push	esi
		test	ecx, ecx
		jz	short loc_9D11BC
		movzx	esi, word ptr [ecx+2]
		mov	edx, esi
		lea	eax, [edx+3]
		and	eax, 0FFFFFFFCh
		cmp	eax, edx
		jnz	short loc_9D11BC
		cmp	esi, 18h
		jb	short loc_9D11BC
		xor	ebx, ebx
		inc	ebx
		cmp	[ecx+8], bx
		jnz	short loc_9D11BC
		cmp	[ecx+0Ch], bl
		jnz	short loc_9D11BC
		mov	al, [ecx+0Dh]
		cmp	al, 0Fh
		ja	short loc_9D11BC
		movzx	esi, al
		lea	eax, ds:20h[esi*4]
		cmp	edx, eax
		jb	short loc_9D11BC
		cmp	[ecx+esi*4+14h], bl
		jnz	short loc_9D11BC
		mov	cl, [ecx+esi*4+15h]
		cmp	cl, 0Fh
		ja	short loc_9D11BC
		movzx	ecx, cl
		add	ecx, esi
		lea	ecx, ds:1Ch[ecx*4]
		cmp	edx, ecx
		jb	short loc_9D11BC
		mov	al, bl
		jmp	short loc_9D11BE
; 

loc_9D11BC:				; CODE XREF: RtlpValidCompoundAce(x)+6j
					; RtlpValidCompoundAce(x)+16j ...
		xor	al, al

loc_9D11BE:				; CODE XREF: RtlpValidCompoundAce(x)+61j
		pop	esi
		pop	ebx
		retn
_RtlpValidCompoundAce@4	endp


;  S U B	R O U T	I N E 


; __stdcall RtlpValidObjectAce(x)
_RtlpValidObjectAce@4 proc near		; CODE XREF: RtlValidAcl+F5421p
		mov	edi, edi
		push	ebx
		mov	edx, ecx
		push	esi
		push	edi
		test	edx, edx
		jz	short loc_9D122C
		movzx	ecx, word ptr [edx+2]
		mov	esi, ecx
		lea	eax, [esi+3]
		and	eax, 0FFFFFFFCh
		cmp	eax, esi
		jnz	short loc_9D122C
		push	0Ch
		pop	eax
		cmp	cx, ax
		jb	short loc_9D122C
		mov	ecx, [edx+8]
		mov	edi, ecx
		and	edi, 1
		shl	edi, 4
		mov	ebx, edi
		and	ecx, 2
		jz	short loc_9D11F9
		lea	ebx, [edi+10h]

loc_9D11F9:				; CODE XREF: RtlpValidObjectAce(x)+33j
		lea	eax, [ebx+18h]
		cmp	esi, eax
		jb	short loc_9D122C
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 10h
		add	ecx, 0Ch
		add	ecx, edi
		cmp	byte ptr [ecx+edx], 1
		jnz	short loc_9D122C
		mov	cl, [ecx+edx+1]
		cmp	cl, 0Fh
		ja	short loc_9D122C
		movzx	ecx, cl
		add	ecx, 5
		lea	ecx, [ebx+ecx*4]
		cmp	esi, ecx
		jb	short loc_9D122C
		mov	al, 1
		jmp	short loc_9D122E
; 

loc_9D122C:				; CODE XREF: RtlpValidObjectAce(x)+9j
					; RtlpValidObjectAce(x)+19j ...
		xor	al, al

loc_9D122E:				; CODE XREF: RtlpValidObjectAce(x)+69j
		pop	edi
		pop	esi
		pop	ebx
		retn
_RtlpValidObjectAce@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2046. RtlEmptyAtomTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlEmptyAtomTable(x, x)
		public _RtlEmptyAtomTable@8
_RtlEmptyAtomTable@8 proc near

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	_RtlpLockAtomTable@4 ; RtlpLockAtomTable(x)
		test	al, al
		jnz	short loc_9D1256
		mov	eax, 0C000000Dh
		jmp	loc_9D12FB
; 

loc_9D1256:				; CODE XREF: RtlEmptyAtomTable(x,x)+13j
		xor	eax, eax
		lea	ecx, [edi+18h]
		mov	[ebp+arg_0], eax
		cmp	[edi+14h], eax
		jbe	short loc_9D12D6
		push	ebx
		push	esi

loc_9D1265:				; CODE XREF: RtlEmptyAtomTable(x,x)+9Bj
		mov	ebx, ecx
		add	ecx, 4
		mov	[ebp+var_4], ecx
		mov	esi, [ebx]
		test	esi, esi
		jz	short loc_9D12CB
		mov	al, [ebp+arg_4]

loc_9D1276:				; CODE XREF: RtlEmptyAtomTable(x,x)+8Cj
		test	al, al
		jnz	short loc_9D1284
		test	byte ptr [esi+16h], 1
		jz	short loc_9D1284
		mov	ebx, esi
		jmp	short loc_9D12BF
; 

loc_9D1284:				; CODE XREF: RtlEmptyAtomTable(x,x)+41j
					; RtlEmptyAtomTable(x,x)+47j
		mov	eax, [esi]
		mov	edx, esi
		mov	[ebx], eax
		mov	ecx, edi
		and	dword ptr [esi], 0
		call	_RtlpFreeHandleForAtom@8 ; RtlpFreeHandleForAtom(x,x)

loc_9D1294:				; CODE XREF: RtlEmptyAtomTable(x,x)+7Cj
		lea	eax, [esi+8]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_9D12B5
		cmp	[ecx+4], eax
		jnz	short loc_9D1300
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_9D1300
		mov	[eax], edx
		mov	[edx+4], eax
		call	_RtlpFreeAtom@4	; RtlpFreeAtom(x)
		jmp	short loc_9D1294
; 

loc_9D12B5:				; CODE XREF: RtlEmptyAtomTable(x,x)+64j
		mov	ecx, esi
		call	_RtlpFreeAtom@4	; RtlpFreeAtom(x)
		mov	al, [ebp+arg_4]

loc_9D12BF:				; CODE XREF: RtlEmptyAtomTable(x,x)+4Bj
		mov	esi, [ebx]
		test	esi, esi
		jnz	short loc_9D1276
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_4]

loc_9D12CB:				; CODE XREF: RtlEmptyAtomTable(x,x)+3Aj
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, [edi+14h]
		jb	short loc_9D1265
		pop	esi
		pop	ebx

loc_9D12D6:				; CODE XREF: RtlEmptyAtomTable(x,x)+2Aj
		add	edi, 8
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9D12ED
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9D12ED:				; CODE XREF: RtlEmptyAtomTable(x,x)+ADj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	eax, eax

loc_9D12FB:				; CODE XREF: RtlEmptyAtomTable(x,x)+1Aj
		pop	edi
		leave
		retn	8
; 

loc_9D1300:				; CODE XREF: RtlEmptyAtomTable(x,x)+69j
					; RtlEmptyAtomTable(x,x)+70j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall RtlQueryAtomsInAtomTable(x,	x, x, x)
_RtlQueryAtomsInAtomTable@16:		; CODE XREF: NtQueryInformationAtom+1264C1p
		push	24h
		push	offset dword_6A9198
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		call	_RtlpLockAtomTable@4 ; RtlpLockAtomTable(x)
		test	al, al
		jnz	short loc_9D132A
		mov	eax, 0C000000Dh
		jmp	loc_9D13D4
; 

loc_9D132A:				; CODE XREF: RtlEmptyAtomTable(x,x)+E7j
		xor	edi, edi
		and	[ebp+var_4], edi
		xor	esi, esi
		mov	[ebp+var_28], esi
		xor	ebx, ebx

loc_9D1336:				; CODE XREF: RtlEmptyAtomTable(x,x)+14Ej
		mov	[ebp+var_2C], ebx
		mov	eax, [ebp+var_20]
		cmp	ebx, [eax+14h]
		jnb	short loc_9D1387
		mov	eax, [eax+ebx*4+18h]

loc_9D1345:				; CODE XREF: RtlEmptyAtomTable(x,x)+14Bj
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	short loc_9D1384
		push	0
		mov	edx, eax
		mov	ecx, [ebp+var_20]
		call	_RtlpLookupLowBox@12 ; RtlpLookupLowBox(x,x,x)
		test	eax, eax
		jz	short loc_9D137D
		cmp	esi, [ebp+var_24]
		jnb	short loc_9D1371
		mov	eax, [ebp+var_1C]
		mov	ax, [eax+6]
		mov	ecx, dword ptr [ebp+arg_4]
		mov	[ecx+esi*2], ax
		jmp	short loc_9D1379
; 

loc_9D1371:				; CODE XREF: RtlEmptyAtomTable(x,x)+128j
		mov	edi, 0C0000004h
		mov	[ebp+var_34], edi

loc_9D1379:				; CODE XREF: RtlEmptyAtomTable(x,x)+138j
		inc	esi
		mov	[ebp+var_28], esi

loc_9D137D:				; CODE XREF: RtlEmptyAtomTable(x,x)+123j
		mov	eax, [ebp+var_1C]
		mov	eax, [eax]
		jmp	short loc_9D1345
; 

loc_9D1384:				; CODE XREF: RtlEmptyAtomTable(x,x)+113j
		inc	ebx
		jmp	short loc_9D1336
; 

loc_9D1387:				; CODE XREF: RtlEmptyAtomTable(x,x)+108j
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		jmp	short loc_9D13A5
; 

loc_9D138E:				; DATA XREF: .text:006A91ACo
		mov	eax, [ebp+var_14]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9D139C:				; DATA XREF: .text:006A91B0o
		mov	esp, [ebp+var_18]
		mov	edi, [ebp+var_30]
		mov	[ebp+var_34], edi

loc_9D13A5:				; CODE XREF: RtlEmptyAtomTable(x,x)+155j
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	esi, [ebp+var_20]
		add	esi, 8
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9D13C6
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9D13C6:				; CODE XREF: RtlEmptyAtomTable(x,x)+186j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, edi

loc_9D13D4:				; CODE XREF: RtlEmptyAtomTable(x,x)+EEj
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlEmptyAtomTable@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlAllocateAndInitializeSidEx(x, x,	x, x)
_RtlAllocateAndInitializeSidEx@16 proc near
					; CODE XREF: EtwpUserInAdminOrLogUsersGroup()+4Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	62507452h
		push	10h
		push	208h
		mov	esi, ecx
		call	ExAllocatePoolWithQuotaTag
		mov	edx, eax
		test	edx, edx
		jnz	short loc_9D140C
		mov	eax, 0C0000017h
		jmp	short loc_9D1440
; 

loc_9D140C:				; CODE XREF: RtlAllocateAndInitializeSidEx(x,x,x,x)+1Dj
		mov	eax, [esi]
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	[edx+2], eax
		mov	ax, [esi+4]
		lea	esi, [edx+8]
		push	2
		pop	ebx
		mov	byte ptr [edx],	1
		mov	[edx+6], ax
		mov	[edx+1], bl

loc_9D1429:				; CODE XREF: RtlAllocateAndInitializeSidEx(x,x,x,x)+50j
		mov	eax, [ecx]
		lea	ecx, [ecx+4]
		mov	[esi], eax
		lea	esi, [esi+4]
		sub	ebx, 1
		jnz	short loc_9D1429
		mov	eax, [ebp+arg_4]
		pop	ebx
		mov	[eax], edx
		xor	eax, eax

loc_9D1440:				; CODE XREF: RtlAllocateAndInitializeSidEx(x,x,x,x)+24j
		pop	esi
		pop	ebp
		retn	8
_RtlAllocateAndInitializeSidEx@16 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1967. RtlCapabilityCheck

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCapabilityCheck(x, x, x)
		public _RtlCapabilityCheck@12
_RtlCapabilityCheck@12 proc near	; CODE XREF: PopCapabilityCheck(x)+31p
					; RtlCapabilityCheckForSingleSessionSku(x,x,x)+2Ap ...

var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= byte ptr -0D4h
var_D2		= byte ptr -0D2h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= byte ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_64		= dword	ptr -64h
var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0D4h+var_4], eax
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		mov	esi, [ebp+arg_4]
		lea	edi, [esp+0E0h+var_98]
		mov	[esp+0E0h+var_D0], eax
		mov	bh, dl
		mov	eax, [ebp+arg_8]
		mov	bl, dl
		mov	[esp+0E0h+var_CC], eax
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		lea	edi, [esp+0E0h+var_80]
		mov	[esp+0E0h+var_B4], esi
		stosd
		push	edx
		mov	[esp+0E4h+var_AC], edx
		mov	[esp+0E4h+var_A8], edx
		stosd
		mov	[esp+0E4h+var_A4], edx
		mov	[esp+0E4h+var_BC], edx
		mov	[esp+0E4h+var_B0], dl
		stosd
		mov	[esp+0E4h+var_C8], edx
		mov	word ptr [esp+0E4h+var_C4], 500h
		mov	[esp+13h], dl
		stosd
		mov	byte ptr [esp+0E4h+var_C0], bh
		mov	[esp+11h], bl
		mov	byte ptr [esp+0E4h+var_B8], dl
		mov	[esp+0E4h+var_D2], dl
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	edi, [esp+0E4h+var_D0]
		mov	[esp+0E4h+var_A4], eax
		mov	[esp+0E4h+var_A0], edx
		test	esi, esi
		jz	loc_9D179E
		test	edi, edi
		jz	loc_9D179E
		lea	eax, [esp+0E4h+var_38]
		mov	byte ptr [edi],	0
		push	eax
		lea	eax, [esp+0E8h+var_64]
		push	eax
		push	esi
		call	RtlDeriveCapabilitySidsFromName
		mov	esi, eax
		test	esi, esi
		js	loc_9D17A3
		call	RtlIsMultiSessionSku
		test	al, al
		jz	loc_9D1688
		push	offset ??_C@_1IO@LDLHHDBF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\"
		lea	eax, [esp+0F4h+var_B8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+0F0h+var_B8]
		mov	[esp+0F0h+var_A8], 18h
		mov	[esp+0F0h+var_A0], eax
		xor	ecx, ecx
		lea	eax, [esp+0F0h+var_A8]
		mov	[esp+0F0h+var_A4], ecx
		push	eax
		push	80000000h
		lea	eax, [esp+0F8h+var_CC]
		mov	[esp+0F8h+var_9C], 240h
		push	eax
		mov	[esp+0FCh+var_98], ecx
		mov	[esp+0FCh+var_94], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_9D1688
		lea	eax, [esp+0F0h+var_BC]
		push	eax
		push	10h
		lea	eax, [esp+0F8h+var_90]
		push	eax
		push	2
		push	[esp+100h+var_C4]
		push	[esp+104h+var_CC]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_9D1688
		push	1
		lea	eax, [esp+0F4h+var_D8]
		mov	byte ptr [esp+0F4h+var_C0], 1
		push	eax
		lea	eax, [esp+0F8h+var_80]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	0
		lea	eax, [esp+0F4h+var_80]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	[esp+0F0h+var_DC], eax
		mov	dword ptr [eax], 12h
		lea	eax, [esp+0F0h+var_E4+1]
		push	eax
		lea	eax, [esp+0F4h+var_80]
		push	eax
		push	[esp+0F8h+var_E0]
		call	_RtlCheckTokenMembership@12 ; RtlCheckTokenMembership(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D1798
		mov	bl, byte ptr [esp+0F0h+var_E4+1]
		test	bl, bl
		jnz	short loc_9D1634
		push	2
		lea	eax, [esp+0F4h+var_D8]
		push	eax
		lea	eax, [esp+0F8h+var_80]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	eax, [esp+0F0h+var_DC]
		push	1
		mov	dword ptr [eax], 20h
		lea	eax, [esp+0F4h+var_80]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 220h
		lea	eax, [esp+0F0h+var_D0]
		push	eax
		lea	eax, [esp+0F4h+var_80]
		push	eax
		push	[esp+0F8h+var_E0]
		call	_RtlCheckTokenMembership@12 ; RtlCheckTokenMembership(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D17A3
		mov	bh, byte ptr [esp+0F0h+var_D0]
		test	bh, bh
		jz	short loc_9D165A

loc_9D1634:				; CODE XREF: RtlCapabilityCheck(x,x,x)+196j
					; RtlCapabilityCheck(x,x,x)+265j ...
		lea	eax, [esp+0F0h+var_E4+3]
		push	eax
		lea	eax, [esp+0F4h+var_44]
		push	eax
		push	[esp+0F8h+var_E0]
		call	_RtlCheckTokenCapability@12 ; RtlCheckTokenCapability(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D17A3
		mov	al, byte ptr [esp+0F0h+var_E4+3]
		mov	[edi], al

loc_9D165A:				; CODE XREF: RtlCapabilityCheck(x,x,x)+1E8j
					; RtlCapabilityCheck(x,x,x)+343j
		cmp	byte ptr [edi],	0
		jz	loc_9D17A3
		test	bh, bh
		jnz	loc_9D17A3
		test	bl, bl
		jnz	loc_9D17A3
		mov	edx, [esp+0F0h+var_C4]
		mov	ecx, [esp+0F0h+var_E0]
		push	edi
		call	_RtlpCapabilityCheckSystemCapability@12	; RtlpCapabilityCheckSystemCapability(x,x,x)
		mov	esi, eax
		jmp	loc_9D17A3
; 

loc_9D1688:				; CODE XREF: RtlCapabilityCheck(x,x,x)+CDj
					; RtlCapabilityCheck(x,x,x)+11Ej ...
		lea	eax, [esp+0F0h+var_E4+2]
		push	eax
		push	2
		lea	eax, [esp+0F8h+var_70]
		push	eax
		push	[esp+0FCh+var_E0]
		call	_RtlCheckTokenMembershipEx@16 ;	RtlCheckTokenMembershipEx(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D17A3
		cmp	byte ptr [esp+0F0h+var_E4+2], 0
		jnz	short loc_9D1634
		push	1
		lea	eax, [esp+0F4h+var_D8]
		push	eax
		lea	eax, [esp+0F8h+var_80]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	0
		lea	eax, [esp+0F4h+var_80]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	[esp+0F0h+var_DC], eax
		mov	dword ptr [eax], 12h
		lea	eax, [esp+0F0h+var_E4+1]
		push	eax
		lea	eax, [esp+0F4h+var_80]
		push	eax
		push	[esp+0F8h+var_E0]
		call	_RtlCheckTokenMembership@12 ; RtlCheckTokenMembership(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D1798
		mov	bl, byte ptr [esp+0F0h+var_E4+1]
		test	bl, bl
		jnz	loc_9D1634
		push	2
		lea	eax, [esp+0F4h+var_D8]
		push	eax
		lea	eax, [esp+0F8h+var_80]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	eax, [esp+0F0h+var_DC]
		push	1
		mov	dword ptr [eax], 20h
		lea	eax, [esp+0F4h+var_80]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 220h
		lea	eax, [esp+0F0h+var_D0]
		push	eax
		lea	eax, [esp+0F4h+var_80]
		push	eax
		push	[esp+0F8h+var_E0]
		call	_RtlCheckTokenMembership@12 ; RtlCheckTokenMembership(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D17A3
		mov	bh, byte ptr [esp+0F0h+var_D0]
		test	bh, bh
		jnz	loc_9D1634
		push	1
		lea	eax, [esp+0F4h+var_D8]
		push	eax
		lea	eax, [esp+0F8h+var_80]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	eax, [esp+0F0h+var_DC]
		mov	dword ptr [eax], 4
		lea	eax, [esp+0F0h+var_C8]
		push	eax
		push	2
		lea	eax, [esp+0F8h+var_80]
		push	eax
		push	[esp+0FCh+var_E0]
		call	_RtlCheckTokenMembershipEx@16 ;	RtlCheckTokenMembershipEx(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D17A3
		cmp	byte ptr [esp+0F0h+var_C8], bh
		jz	loc_9D165A
		jmp	loc_9D1634
; 

loc_9D1798:				; CODE XREF: RtlCapabilityCheck(x,x,x)+18Aj
					; RtlCapabilityCheck(x,x,x)+2A5j
		mov	bl, byte ptr [esp+0F0h+var_E4+1]
		jmp	short loc_9D17A3
; 

loc_9D179E:				; CODE XREF: RtlCapabilityCheck(x,x,x)+95j
					; RtlCapabilityCheck(x,x,x)+9Dj
		mov	esi, 0C000000Dh

loc_9D17A3:				; CODE XREF: RtlCapabilityCheck(x,x,x)+C0j
					; RtlCapabilityCheck(x,x,x)+1DCj ...
		cmp	[esp+0E4h+var_C0], 0
		jz	short loc_9D17B3
		push	[esp+0E4h+var_C0]
		call	_ZwClose@4	; ZwClose(x)

loc_9D17B3:				; CODE XREF: RtlCapabilityCheck(x,x,x)+35Ej
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	[esp+0E8h+var_D0], eax
		mov	[esp+0E8h+var_CC], edx
		test	bl, bl
		jnz	short loc_9D17ED
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	short loc_9D17ED
		movzx	eax, byte ptr [edi]
		lea	edx, [esp+0E8h+var_D0]
		push	eax
		push	[esp+0ECh+var_B8]
		lea	ecx, [esp+0F0h+var_A8]
		push	[esp+0F0h+var_C0]
		push	[esp+0F4h+var_C8]
		call	_RtlpLogCapabilityCheckLatency@24 ; RtlpLogCapabilityCheckLatency(x,x,x,x,x,x)

loc_9D17ED:				; CODE XREF: RtlCapabilityCheck(x,x,x)+37Bj
					; RtlCapabilityCheck(x,x,x)+384j
		mov	ecx, [esp+0E8h+var_C]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_RtlCapabilityCheck@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1968. RtlCapabilityCheckForSingleSessionSku

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCapabilityCheckForSingleSessionSku(x, x,	x)
		public _RtlCapabilityCheckForSingleSessionSku@12
_RtlCapabilityCheckForSingleSessionSku@12 proc near
					; CODE XREF: PopPowerInformationInternal+1711C3p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jnz	short loc_9D181F
		mov	eax, 0C000000Dh
		jmp	short loc_9D183A
; 

loc_9D181F:				; CODE XREF: RtlCapabilityCheckForSingleSessionSku(x,x,x)+Bj
		call	RtlIsMultiSessionSku
		test	al, al
		jz	short loc_9D182E
		xor	eax, eax
		mov	[esi], al
		jmp	short loc_9D183A
; 

loc_9D182E:				; CODE XREF: RtlCapabilityCheckForSingleSessionSku(x,x,x)+1Bj
		push	esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_RtlCapabilityCheck@12 ; RtlCapabilityCheck(x,x,x)

loc_9D183A:				; CODE XREF: RtlCapabilityCheckForSingleSessionSku(x,x,x)+12j
					; RtlCapabilityCheckForSingleSessionSku(x,x,x)+21j
		pop	esi
		pop	ebp
		retn	0Ch
_RtlCapabilityCheckForSingleSessionSku@12 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2059. RtlEqualLuid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlEqualLuid(x, x)
		public _RtlEqualLuid@8
_RtlEqualLuid@8	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	eax, [ecx+4]
		cmp	eax, [edx+4]
		jnz	short loc_9D1861
		mov	eax, [ecx]
		cmp	eax, [edx]
		jnz	short loc_9D1861
		mov	al, 1
		jmp	short loc_9D1863
; 

loc_9D1861:				; CODE XREF: RtlEqualLuid(x,x)+11j
					; RtlEqualLuid(x,x)+17j
		xor	al, al

loc_9D1863:				; CODE XREF: RtlEqualLuid(x,x)+1Bj
		pop	ebp
		retn	8
_RtlEqualLuid@8	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2111. RtlGetAppContainerParent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetAppContainerParent(x,	x)
		public _RtlGetAppContainerParent@8
_RtlGetAppContainerParent@8 proc near	; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+297p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	eax
		push	[ebp+arg_0]
		and	dword ptr [ebx], 0
		call	RtlGetAppContainerSidType
		test	eax, eax
		js	short loc_9D1901
		cmp	[ebp+var_4], 1
		jnz	short loc_9D1901
		push	62507452h
		push	28h
		push	208h
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		jnz	short loc_9D18B6
		mov	eax, 0C000009Ah
		jmp	short loc_9D1906
; 

loc_9D18B6:				; CODE XREF: RtlGetAppContainerParent(x,x)+41j
		push	edi
		push	8
		push	offset _RtlpAppPackageAuthority
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9D18F4
		lea	eax, [esi+8]
		xor	ebx, ebx
		push	8
		pop	edi
		mov	esi, eax

loc_9D18D4:				; CODE XREF: RtlGetAppContainerParent(x,x)+7Cj
		push	ebx
		push	[ebp+arg_0]
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		inc	ebx
		mov	eax, [eax]
		mov	[esi], eax
		lea	esi, [esi+4]
		sub	edi, 1
		jnz	short loc_9D18D4
		mov	ebx, [ebp+arg_4]
		mov	esi, [ebp+var_8]
		mov	[ebx], esi
		jmp	short loc_9D18FC
; 

loc_9D18F4:				; CODE XREF: RtlGetAppContainerParent(x,x)+5Cj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D18FC:				; CODE XREF: RtlGetAppContainerParent(x,x)+86j
		mov	eax, edi
		pop	edi
		jmp	short loc_9D1906
; 

loc_9D1901:				; CODE XREF: RtlGetAppContainerParent(x,x)+21j
					; RtlGetAppContainerParent(x,x)+27j
		mov	eax, 0C000000Dh

loc_9D1906:				; CODE XREF: RtlGetAppContainerParent(x,x)+48j
					; RtlGetAppContainerParent(x,x)+93j
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlGetAppContainerParent@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2138. RtlGetSessionProperties

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetSessionProperties(x, x)
		public _RtlGetSessionProperties@8
_RtlGetSessionProperties@8 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_9D1943
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_9D1943
		xor	esi, esi
		mov	[edi], esi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		xor	ecx, ecx
		mov	eax, [eax+28Ch]
		cmp	[eax+18h], ebx
		setz	cl
		mov	[edi], ecx
		jmp	short loc_9D1948
; 

loc_9D1943:				; CODE XREF: RtlGetSessionProperties(x,x)+Ej
					; RtlGetSessionProperties(x,x)+15j
		mov	esi, 0C000000Dh

loc_9D1948:				; CODE XREF: RtlGetSessionProperties(x,x)+30j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_RtlGetSessionProperties@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2144. RtlGetTokenNamedObjectPath

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlGetTokenNamedObjectPath(x, x, x)
		public _RtlGetTokenNamedObjectPath@12
_RtlGetTokenNamedObjectPath@12 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		cmp	[ebp+arg_4], al
		setnz	al
		xor	edx, edx
		push	eax
		call	_RtlpGetTokenNamedObjectPath@16	; RtlpGetTokenNamedObjectPath(x,x,x,x)
		pop	ebp
		retn	0Ch
_RtlGetTokenNamedObjectPath@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2213. RtlIsMultiUsersInSessionSku

;  S U B	R O U T	I N E 


; __stdcall RtlIsMultiUsersInSessionSku()
		public _RtlIsMultiUsersInSessionSku@0
_RtlIsMultiUsersInSessionSku@0 proc near
					; CODE XREF: GetGlobalizationUserModelType:loc_5F557Ap
		mov	eax, ds:0FFDF02F0h
		shr	eax, 9
		and	al, 1
		retn
_RtlIsMultiUsersInSessionSku@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2315. RtlReplaceSidInSd

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlReplaceSidInSd(int,void *,int,int)
		public _RtlReplaceSidInSd@16
_RtlReplaceSidInSd@16 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		and	dword ptr [eax], 0
		push	esi
		mov	byte ptr [ebp+var_1], 0
		call	_RtlSubAuthorityCountSid@4 ; RtlSubAuthorityCountSid(x)
		and	[ebp+var_8], 0
		movzx	ebx, byte ptr [eax]
		lea	eax, [ebp+arg_4+3]
		push	eax
		lea	eax, [ebp+var_8]
		shl	ebx, 2
		push	eax
		push	[ebp+arg_0]
		mov	[ebp+var_C], ebx
		call	_RtlGetOwnerSecurityDescriptor@12 ; RtlGetOwnerSecurityDescriptor(x,x,x)
		test	eax, eax
		js	loc_9D1C66
		push	edi
		mov	edi, [ebp+var_8]
		test	edi, edi
		jz	short loc_9D1A30
		mov	al, [edi]
		cmp	al, [esi]
		jnz	short loc_9D1A30
		mov	al, [edi+1]
		mov	cl, [esi+1]
		cmp	al, cl
		jz	short loc_9D19EF
		movzx	ecx, cl
		inc	ecx
		movzx	eax, al
		cmp	eax, ecx
		jnz	short loc_9D1A30

loc_9D19EF:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+58j
		push	6		; size_t
		lea	eax, [esi+2]
		push	eax		; void *
		lea	eax, [edi+2]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9D1A30
		push	ebx		; size_t
		lea	eax, [esi+8]
		add	edi, 8
		push	eax		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9D1A30
		mov	eax, [ebp+arg_8]
		push	ebx		; size_t
		add	eax, 8
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_C]
		add	esp, 0Ch
		inc	dword ptr [eax]

loc_9D1A30:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+48j
					; RtlReplaceSidInSd(x,x,x,x)+4Ej ...
		and	[ebp+var_8], 0
		lea	eax, [ebp+arg_4+3]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_0]
		call	_RtlGetGroupSecurityDescriptor@12 ; RtlGetGroupSecurityDescriptor(x,x,x)
		test	eax, eax
		js	loc_9D1C65
		mov	edi, [ebp+var_8]
		test	edi, edi
		jz	short loc_9D1AAF
		mov	al, [edi]
		cmp	al, [esi]
		jnz	short loc_9D1AAF
		mov	al, [edi+1]
		mov	cl, [esi+1]
		cmp	al, cl
		jz	short loc_9D1A6E
		movzx	ecx, cl
		inc	ecx
		movzx	eax, al
		cmp	eax, ecx
		jnz	short loc_9D1AAF

loc_9D1A6E:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+D7j
		push	6		; size_t
		lea	eax, [esi+2]
		push	eax		; void *
		lea	eax, [edi+2]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9D1AAF
		push	ebx		; size_t
		lea	eax, [esi+8]
		add	edi, 8
		push	eax		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9D1AAF
		mov	eax, [ebp+arg_8]
		push	ebx		; size_t
		add	eax, 8
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		mov	ebx, [ebp+arg_C]
		add	esp, 0Ch
		inc	dword ptr [ebx]

loc_9D1AAF:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+C7j
					; RtlReplaceSidInSd(x,x,x,x)+CDj ...
		and	[ebp+var_8], 0
		lea	eax, [ebp+arg_4+3]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		push	[ebp+arg_0]
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)
		test	eax, eax
		js	loc_9D1C65
		cmp	byte ptr [ebp+var_1], 0
		jz	loc_9D1B89
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	loc_9D1B89
		movzx	ecx, word ptr [eax+4]
		lea	edi, [eax+8]
		jmp	loc_9D1B7E
; 

loc_9D1AF0:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+1F9j
		mov	al, [edi]
		cmp	al, 3
		ja	short loc_9D1AFB
		lea	ebx, [edi+8]
		jmp	short loc_9D1B10
; 

loc_9D1AFB:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+16Aj
		cmp	al, 4
		jnz	short loc_9D1B77
		lea	eax, [edi+0Ch]
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	ecx, [ebp+arg_4]
		lea	ebx, [edi+0Ch]
		add	ebx, eax

loc_9D1B10:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+16Fj
		mov	al, [ebx]
		cmp	al, [esi]
		jnz	short loc_9D1B77
		mov	al, [ebx+1]
		mov	cl, [esi+1]
		cmp	al, cl
		jz	short loc_9D1B2B
		movzx	ecx, cl
		inc	ecx
		movzx	eax, al
		cmp	eax, ecx
		jnz	short loc_9D1B74

loc_9D1B2B:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+194j
		push	6		; size_t
		lea	eax, [esi+2]
		push	eax		; void *
		lea	eax, [ebx+2]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9D1B74
		lea	ecx, [ebx+8]
		mov	ebx, [ebp+var_C]
		push	ebx		; size_t
		lea	eax, [esi+8]
		mov	[ebp+var_8], ecx
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9D1B74
		mov	eax, [ebp+arg_8]
		push	ebx		; size_t
		add	eax, 8
		push	eax		; void *
		push	[ebp+var_8]	; void *
		call	_memcpy
		mov	eax, [ebp+arg_C]
		add	esp, 0Ch
		inc	dword ptr [eax]

loc_9D1B74:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+19Fj
					; RtlReplaceSidInSd(x,x,x,x)+1B5j ...
		mov	ecx, [ebp+arg_4]

loc_9D1B77:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+173j
					; RtlReplaceSidInSd(x,x,x,x)+18Aj
		movzx	eax, word ptr [edi+2]
		dec	ecx
		add	edi, eax

loc_9D1B7E:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+161j
		mov	[ebp+arg_4], ecx
		test	ecx, ecx
		jnz	loc_9D1AF0

loc_9D1B89:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+149j
					; RtlReplaceSidInSd(x,x,x,x)+154j
		and	[ebp+var_8], 0
		lea	eax, [ebp+arg_4+3]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_1]
		push	eax
		push	[ebp+arg_0]
		call	_RtlGetSaclSecurityDescriptor@16 ; RtlGetSaclSecurityDescriptor(x,x,x,x)
		test	eax, eax
		js	loc_9D1C65
		cmp	byte ptr [ebp+var_1], 0
		jz	loc_9D1C65
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	loc_9D1C65
		lea	edi, [ecx+8]
		movzx	ecx, word ptr [ecx+4]
		jmp	loc_9D1C58
; 

loc_9D1BCA:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+2D3j
		mov	al, [edi]
		cmp	al, 3
		ja	short loc_9D1BD5
		lea	ebx, [edi+8]
		jmp	short loc_9D1BEA
; 

loc_9D1BD5:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+244j
		cmp	al, 4
		jnz	short loc_9D1C51
		lea	eax, [edi+0Ch]
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	ecx, [ebp+arg_0]
		lea	ebx, [edi+0Ch]
		add	ebx, eax

loc_9D1BEA:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+249j
		mov	al, [ebx]
		cmp	al, [esi]
		jnz	short loc_9D1C51
		mov	al, [ebx+1]
		mov	cl, [esi+1]
		cmp	al, cl
		jz	short loc_9D1C05
		movzx	ecx, cl
		inc	ecx
		movzx	eax, al
		cmp	eax, ecx
		jnz	short loc_9D1C4E

loc_9D1C05:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+26Ej
		push	6		; size_t
		lea	eax, [esi+2]
		push	eax		; void *
		lea	eax, [ebx+2]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9D1C4E
		lea	ecx, [ebx+8]
		mov	ebx, [ebp+var_C]
		push	ebx		; size_t
		lea	eax, [esi+8]
		mov	[ebp+arg_4], ecx
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9D1C4E
		mov	eax, [ebp+arg_8]
		push	ebx		; size_t
		add	eax, 8
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		mov	eax, [ebp+arg_C]
		add	esp, 0Ch
		inc	dword ptr [eax]

loc_9D1C4E:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+279j
					; RtlReplaceSidInSd(x,x,x,x)+28Fj ...
		mov	ecx, [ebp+arg_0]

loc_9D1C51:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+24Dj
					; RtlReplaceSidInSd(x,x,x,x)+264j
		movzx	eax, word ptr [edi+2]
		dec	ecx
		add	edi, eax

loc_9D1C58:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+23Bj
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		jnz	loc_9D1BCA
		xor	eax, eax

loc_9D1C65:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+BCj
					; RtlReplaceSidInSd(x,x,x,x)+13Fj ...
		pop	edi

loc_9D1C66:				; CODE XREF: RtlReplaceSidInSd(x,x,x,x)+3Cj
		pop	esi
		pop	ebx
		leave
		retn	10h
_RtlReplaceSidInSd@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpCapabilityCheckSystemCapability(x, x, x)
_RtlpCapabilityCheckSystemCapability@12	proc near
					; CODE XREF: RtlCapabilityCheck(x,x,x)+232p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= word ptr -20h
var_1A		= dword	ptr -1Ah
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_20], 500h
		xor	ecx, ecx
		mov	eax, edx
		push	esi
		mov	[ebp+var_2C], ecx
		lea	edx, [ebp+var_2C]
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	byte ptr [ebp+var_1A+1], cl
		mov	byte ptr [ebp+var_1A], cl
		mov	ecx, eax
		push	edi
		mov	edi, [ebp+arg_0]
		call	_RtlpGetPolicyValueForSystemCapability@8 ; RtlpGetPolicyValueForSystemCapability(x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_9D1CBA
		xor	esi, esi
		jmp	loc_9D1D7C
; 

loc_9D1CBA:				; CODE XREF: RtlpCapabilityCheckSystemCapability(x,x,x)+45j
		mov	byte ptr [edi],	0
		test	esi, esi
		js	loc_9D1D7C
		push	0
		push	(offset	loc_404D6F+1)
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jnz	short loc_9D1D0C
		push	2
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_1A+2]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	0
		lea	eax, [ebp+var_1A+2]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	1
		mov	dword ptr [eax], 20h
		lea	eax, [ebp+var_1A+2]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 247h
		jmp	short loc_9D1D40
; 

loc_9D1D0C:				; CODE XREF: RtlpCapabilityCheckSystemCapability(x,x,x)+6Bj
		push	0
		push	(offset	_FsRtlLegalAnsiCharacterArray+4)
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jnz	short loc_9D1D77
		push	1
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_1A+2]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	0
		lea	eax, [ebp+var_1A+2]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 4

loc_9D1D40:				; CODE XREF: RtlpCapabilityCheckSystemCapability(x,x,x)+9Ej
		lea	eax, [ebp+var_1A+1]
		push	eax
		push	2
		lea	eax, [ebp+var_1A+2]
		push	eax
		push	ebx
		call	_RtlCheckTokenMembershipEx@16 ;	RtlCheckTokenMembershipEx(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D1D7C
		cmp	byte ptr [ebp+var_1A+1], 0
		jz	short loc_9D1D7C
		lea	edx, [ebp+var_1A]
		mov	ecx, ebx
		call	_RtlpIsAppContainer@8 ;	RtlpIsAppContainer(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D1D7C
		cmp	byte ptr [ebp+var_1A], 0
		jz	short loc_9D1D7C
		mov	byte ptr [edi],	1
		jmp	short loc_9D1D7C
; 

loc_9D1D77:				; CODE XREF: RtlpCapabilityCheckSystemCapability(x,x,x)+B2j
		mov	esi, 0C0000001h

loc_9D1D7C:				; CODE XREF: RtlpCapabilityCheckSystemCapability(x,x,x)+49j
					; RtlpCapabilityCheckSystemCapability(x,x,x)+53j ...
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_RtlpCapabilityCheckSystemCapability@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpCompareKnownObjectAces(x, x, x,	x)
_RtlpCompareKnownObjectAces@16 proc near ; CODE	XREF: RtlpIsDuplicateAce+FD658p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		push	esi
		movzx	esi, byte ptr [ecx]
		push	edi
		movzx	edi, byte ptr [ebx]
		mov	[ebp+var_14], ebx
		mov	al, ds:_RtlBaseAceType[edi]
		cmp	al, ds:_RtlBaseAceType[esi]
		jnz	short loc_9D1E32
		cmp	ds:_RtlIsSystemAceType[edi], 0
		jz	short loc_9D1DD2
		mov	al, [ebx+1]
		xor	al, [ecx+1]
		test	al, 0C0h
		jnz	short loc_9D1E32

loc_9D1DD2:				; CODE XREF: RtlpCompareKnownObjectAces(x,x,x,x)+2Ej
		mov	edi, [ebx+8]
		lea	eax, [ebx+0Ch]
		mov	edx, edi
		mov	[ebp+var_4], eax
		and	edx, 1
		mov	ecx, edx
		mov	[ebp+var_10], edx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		and	edi, 2
		jz	short loc_9D1DF9
		test	edx, edx
		jz	short loc_9D1DFE
		lea	eax, [ebx+1Ch]
		jmp	short loc_9D1DFB
; 

loc_9D1DF9:				; CODE XREF: RtlpCompareKnownObjectAces(x,x,x,x)+56j
		xor	eax, eax

loc_9D1DFB:				; CODE XREF: RtlpCompareKnownObjectAces(x,x,x,x)+5Fj
		mov	[ebp+var_4], eax

loc_9D1DFE:				; CODE XREF: RtlpCompareKnownObjectAces(x,x,x,x)+5Aj
		mov	esi, [ebp+var_8]
		mov	ebx, [esi+8]
		mov	edx, ebx
		and	edx, 1
		add	esi, 0Ch
		mov	[ebp+var_C], edx
		neg	edx
		sbb	edx, edx
		and	edx, esi
		and	ebx, 2
		jz	short loc_9D1E28
		cmp	[ebp+var_C], 0
		jz	short loc_9D1E2A
		mov	esi, [ebp+var_8]
		add	esi, 1Ch
		jmp	short loc_9D1E2A
; 

loc_9D1E28:				; CODE XREF: RtlpCompareKnownObjectAces(x,x,x,x)+80j
		xor	esi, esi

loc_9D1E2A:				; CODE XREF: RtlpCompareKnownObjectAces(x,x,x,x)+86j
					; RtlpCompareKnownObjectAces(x,x,x,x)+8Ej
		test	eax, eax
		jnz	short loc_9D1E3B
		test	esi, esi
		jz	short loc_9D1E66

loc_9D1E32:				; CODE XREF: RtlpCompareKnownObjectAces(x,x,x,x)+25j
					; RtlpCompareKnownObjectAces(x,x,x,x)+38j ...
		xor	al, al

loc_9D1E34:				; CODE XREF: RtlpCompareKnownObjectAces(x,x,x,x)+135j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_9D1E3B:				; CODE XREF: RtlpCompareKnownObjectAces(x,x,x,x)+94j
		test	esi, esi
		jz	short loc_9D1E32
		mov	eax, [eax]
		cmp	eax, [esi]
		jnz	short loc_9D1E32
		mov	eax, [ebp+var_4]
		mov	eax, [eax+4]
		cmp	eax, [esi+4]
		jnz	short loc_9D1E32
		mov	eax, [ebp+var_4]
		mov	eax, [eax+8]
		cmp	eax, [esi+8]
		jnz	short loc_9D1E32
		mov	eax, [ebp+var_4]
		mov	eax, [eax+0Ch]
		cmp	eax, [esi+0Ch]
		jnz	short loc_9D1E32

loc_9D1E66:				; CODE XREF: RtlpCompareKnownObjectAces(x,x,x,x)+98j
		test	ecx, ecx
		jz	short loc_9D1E8E
		test	edx, edx
		jz	short loc_9D1E32
		mov	eax, [ecx]
		cmp	eax, [edx]
		jnz	short loc_9D1E32
		mov	eax, [ecx+4]
		cmp	eax, [edx+4]
		jnz	short loc_9D1E32
		mov	eax, [ecx+8]
		cmp	eax, [edx+8]
		jnz	short loc_9D1E32
		mov	eax, [ecx+0Ch]
		cmp	eax, [edx+0Ch]
		jz	short loc_9D1E92
		jmp	short loc_9D1E32
; 

loc_9D1E8E:				; CODE XREF: RtlpCompareKnownObjectAces(x,x,x,x)+D0j
		test	edx, edx
		jnz	short loc_9D1E32

loc_9D1E92:				; CODE XREF: RtlpCompareKnownObjectAces(x,x,x,x)+F2j
		mov	eax, [ebp+var_C]
		neg	ebx
		mov	ecx, [ebp+var_10]
		sbb	ebx, ebx
		shl	eax, 4
		and	ebx, 10h
		add	ebx, 0Ch
		add	ebx, [ebp+var_8]
		add	eax, ebx
		neg	edi
		push	eax
		sbb	edi, edi
		shl	ecx, 4
		and	edi, 10h
		add	edi, 0Ch
		add	edi, [ebp+var_14]
		add	ecx, edi
		push	ecx
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	loc_9D1E32
		mov	al, 1
		jmp	loc_9D1E34
_RtlpCompareKnownObjectAces@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpComputeMergedAcl2(int,int,int,int,int,int,int,void *,int)
_RtlpComputeMergedAcl2@44 proc near	; CODE XREF: RtlpComputeMergedAcl(x,x,x,x,x,x,x,x,x,x)+52p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_1C]
		xor	bh, bh
		push	edi
		mov	edi, [ebp+arg_18]
		mov	bl, 1
		push	2
		pop	eax
		push	eax		; int
		push	dword ptr [edi]	; size_t
		mov	[ebp+var_10], edx
		push	esi		; void *
		mov	[ebp+var_14], ecx
		mov	[ebp+var_4], eax
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	eax, [ebp+arg_20]
		mov	ecx, 1000h
		mov	dword ptr [eax], 400h
		test	[ebp+arg_4], ecx
		jz	short loc_9D1F72
		mov	ecx, [ebp+arg_0]
		mov	dword ptr [eax], 1400h
		test	ecx, ecx
		jz	loc_9D1FB1
		movzx	eax, byte ptr [ecx]
		cmp	eax, 2
		jb	short loc_9D1F33
		mov	[ebp+var_4], eax

loc_9D1F33:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+5Cj
		push	esi
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_14]
		push	0
		push	1
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	1
		push	10h

loc_9D1F4F:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+D3j
		mov	edx, [ebp+arg_10]
		push	2
		call	RtlpCopyAces
		xor	edx, edx
		cmp	eax, 0C0000023h
		jnz	short loc_9D1F66
		mov	bh, 1
		mov	eax, edx

loc_9D1F66:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+8Ej
		test	eax, eax
		js	loc_9D20B2
		mov	bl, dl
		jmp	short loc_9D1FB3
; 

loc_9D1F72:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+43j
		test	[ebp+var_10], ecx
		jz	short loc_9D1FCE
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_9D1FA7
		movzx	eax, byte ptr [ecx]
		cmp	eax, 2
		jb	short loc_9D1F89
		mov	[ebp+var_4], eax

loc_9D1F89:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+B2j
		push	esi
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_14]
		push	1
		push	1
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	1
		push	0
		jmp	short loc_9D1F4F
; 

loc_9D1FA7:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+AAj
		cmp	[ebp+arg_14], 1
		jz	loc_9D203B

loc_9D1FB1:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+50j
		xor	edx, edx

loc_9D1FB3:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+9Ej
					; RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+1B2j
		mov	eax, [ebp+var_8]
		add	eax, [ebp+var_C]
		jnz	loc_9D2089
		test	bl, bl
		jz	loc_9D2089
		mov	[edi], edx
		jmp	loc_9D20B0
; 

loc_9D1FCE:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+A3j
		mov	edi, [ebp+arg_0]
		xor	ecx, ecx
		inc	ecx
		cmp	[ebp+arg_14], ecx
		setnz	al
		mov	byte ptr [ebp+arg_1C+3], al
		test	edi, edi
		jz	short loc_9D2034
		movzx	eax, byte ptr [edi]
		cmp	eax, 2
		jb	short loc_9D1FEC
		mov	[ebp+var_4], eax

loc_9D1FEC:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+115j
		push	esi
		mov	edx, [ebp+arg_10]
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_14]
		push	0
		push	ecx
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ecx
		push	0
		push	ecx
		mov	ecx, edi
		call	RtlpCopyAces
		xor	edx, edx
		cmp	eax, 0C0000023h
		jnz	short loc_9D201E
		mov	bh, 1
		mov	eax, edx

loc_9D201E:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+146j
		test	eax, eax
		js	loc_9D20B2
		cmp	[edi+4], dx
		setz	bl
		dec	bl
		and	bl, byte ptr [ebp+arg_1C+3]
		jmp	short loc_9D2044
; 

loc_9D2034:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+10Dj
		mov	bl, al
		cmp	[ebp+arg_14], ecx
		jnz	short loc_9D2042

loc_9D203B:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+D9j
		mov	eax, 0C0000077h
		jmp	short loc_9D20B2
; 

loc_9D2042:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+167j
		xor	edx, edx

loc_9D2044:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+160j
		mov	ecx, [ebp+var_14]
		test	ecx, ecx
		jz	short loc_9D2081
		movzx	eax, byte ptr [ecx]
		cmp	[ebp+var_4], eax
		ja	short loc_9D2056
		mov	[ebp+var_4], eax

loc_9D2056:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+17Fj
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+arg_14]
		push	edx
		push	1
		push	edx
		push	edx
		push	edx
		push	edx
		push	edx
		push	edx
		push	edx
		mov	edx, [ebp+arg_10]
		call	RtlpCopyAces
		xor	edx, edx
		cmp	eax, 0C0000023h
		jnz	short loc_9D207D
		mov	bh, 1
		mov	eax, edx

loc_9D207D:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+1A5j
		test	eax, eax
		js	short loc_9D20B2

loc_9D2081:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+177j
		mov	edi, [ebp+arg_18]
		jmp	loc_9D1FB3
; 

loc_9D2089:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+E7j
					; RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+EFj
		add	eax, 8
		cmp	eax, 0FFFFh
		jbe	short loc_9D209A
		mov	eax, 0C000007Dh
		jmp	short loc_9D20B2
; 

loc_9D209A:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+1BFj
		mov	[edi], eax
		test	bh, bh
		jz	short loc_9D20A7
		mov	eax, 0C0000023h
		jmp	short loc_9D20B2
; 

loc_9D20A7:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+1CCj
		mov	[esi+2], ax
		mov	eax, [ebp+var_4]
		mov	[esi], al

loc_9D20B0:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+F7j
		xor	eax, eax

loc_9D20B2:				; CODE XREF: RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+96j
					; RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)+14Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
_RtlpComputeMergedAcl2@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpComputeMergedAcl(x, x, x, x, x,	x, x, x, x, x)
_RtlpComputeMergedAcl@40 proc near	; CODE XREF: RtlpNewSecurityObject+102635p
					; RtlpSetSecurityObject+EE4D9p	...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_18]
		mov	eax, 400h
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], edi
		xor	ebx, ebx
		mov	[ebp+var_4], eax

loc_9D20D9:				; CODE XREF: RtlpComputeMergedAcl(x,x,x,x,x,x,x,x,x,x)+7Dj
		push	63416553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	short loc_9D214E
		push	[ebp+arg_1C]	; int
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		push	eax		; void *
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		call	_RtlpComputeMergedAcl2@44 ; RtlpComputeMergedAcl2(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9D2138
		push	0
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0
		cmp	edi, 0C0000023h
		jnz	short loc_9D214A
		inc	ebx
		cmp	ebx, 2
		jnb	short loc_9D214A
		mov	eax, [ebp+var_4]
		mov	edi, [ebp+var_C]
		jmp	short loc_9D20D9
; 

loc_9D2138:				; CODE XREF: RtlpComputeMergedAcl(x,x,x,x,x,x,x,x,x,x)+5Bj
		cmp	[ebp+var_4], 0
		jnz	short loc_9D214A
		push	0
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0

loc_9D214A:				; CODE XREF: RtlpComputeMergedAcl(x,x,x,x,x,x,x,x,x,x)+6Fj
					; RtlpComputeMergedAcl(x,x,x,x,x,x,x,x,x,x)+75j ...
		mov	eax, edi
		jmp	short loc_9D2153
; 

loc_9D214E:				; CODE XREF: RtlpComputeMergedAcl(x,x,x,x,x,x,x,x,x,x)+31j
		mov	eax, 0C0000017h

loc_9D2153:				; CODE XREF: RtlpComputeMergedAcl(x,x,x,x,x,x,x,x,x,x)+93j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
_RtlpComputeMergedAcl@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpGetPolicyValueForSystemCapability(x, x)
_RtlpGetPolicyValueForSystemCapability@8 proc near
					; CODE XREF: RtlpCapabilityCheckSystemCapability(x,x,x)+38p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	eax, ecx
		xor	ecx, ecx
		mov	[ebp+var_14], eax
		mov	ebx, ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ecx
		push	esi
		push	edi
		mov	edi, edx
		test	eax, eax
		jz	loc_9D22B9
		test	edi, edi
		jz	loc_9D22B9
		mov	ax, [eax]
		add	ax, 38h
		movzx	eax, ax
		mov	[ebp+var_10], eax
		movzx	eax, ax
		push	eax
		mov	[ebp+var_4], eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9D21B5
		mov	esi, 0C0000017h
		jmp	loc_9D226D
; 

loc_9D21B5:				; CODE XREF: RtlpGetPolicyValueForSystemCapability(x,x)+4Fj
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		mov	word ptr [ebp+var_1C+2], ax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_18], esi
		push	(offset	loc_404D67+1)
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D226D
		push	[ebp+var_14]
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D226D
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		push	0
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_9D22BE
		mov	ebx, [ebp+var_8]
		push	62507452h
		push	ebx
		push	208h
		call	ExAllocatePoolWithQuotaTag
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_4], eax
		push	ecx
		push	ebx
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D226A
		cmp	[ebp+var_C], 1
		jnz	short loc_9D22B2
		cmp	ebx, 1
		jb	short loc_9D22B2
		test	bl, 1
		jnz	short loc_9D22B2
		push	ebx
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9D2293
		mov	esi, 0C0000017h

loc_9D226A:				; CODE XREF: RtlpGetPolicyValueForSystemCapability(x,x)+EDj
					; RtlpGetPolicyValueForSystemCapability(x,x)+15Dj
		mov	ebx, [ebp+var_4]

loc_9D226D:				; CODE XREF: RtlpGetPolicyValueForSystemCapability(x,x)+56j
					; RtlpGetPolicyValueForSystemCapability(x,x)+85j ...
		test	edi, edi
		jz	short loc_9D2277
		push	edi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_9D2277:				; CODE XREF: RtlpGetPolicyValueForSystemCapability(x,x)+115j
					; RtlpGetPolicyValueForSystemCapability(x,x)+156j
		test	ebx, ebx
		jz	short loc_9D2283
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D2283:				; CODE XREF: RtlpGetPolicyValueForSystemCapability(x,x)+11Fj
					; RtlpGetPolicyValueForSystemCapability(x,x)+166j
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9D2293:				; CODE XREF: RtlpGetPolicyValueForSystemCapability(x,x)+109j
		push	ebx		; size_t
		mov	ebx, [ebp+var_4]
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		pop	ecx
		mov	edx, esi
		mov	ecx, edi
		call	RtlUnicodeStringInitWorker
		mov	esi, eax
		test	esi, esi
		js	short loc_9D226D
		xor	esi, esi
		jmp	short loc_9D2277
; 

loc_9D22B2:				; CODE XREF: RtlpGetPolicyValueForSystemCapability(x,x)+F3j
					; RtlpGetPolicyValueForSystemCapability(x,x)+F8j ...
		mov	esi, 0C0000001h
		jmp	short loc_9D226A
; 

loc_9D22B9:				; CODE XREF: RtlpGetPolicyValueForSystemCapability(x,x)+24j
					; RtlpGetPolicyValueForSystemCapability(x,x)+2Cj
		mov	esi, 0C000000Dh

loc_9D22BE:				; CODE XREF: RtlpGetPolicyValueForSystemCapability(x,x)+BAj
		test	esi, esi
		jns	short loc_9D2283
		jmp	short loc_9D226D
_RtlpGetPolicyValueForSystemCapability@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpGetTokenNamedObjectPath(x, x, x, x)
_RtlpGetTokenNamedObjectPath@16	proc near
					; CODE XREF: RtlGetAppContainerNamedObjectPath(x,x,x,x)+186p
					; RtlGetTokenNamedObjectPath(x,x,x)+16p

var_616		= byte ptr -616h
var_615		= byte ptr -615h
var_614		= dword	ptr -614h
var_610		= dword	ptr -610h
var_60C		= dword	ptr -60Ch
var_608		= dword	ptr -608h
var_604		= dword	ptr -604h
var_600		= dword	ptr -600h
var_5FC		= byte ptr -5FCh
var_5F8		= dword	ptr -5F8h
var_5F4		= dword	ptr -5F4h
var_5F0		= dword	ptr -5F0h
var_5EC		= dword	ptr -5ECh
var_5E8		= dword	ptr -5E8h
var_5E4		= dword	ptr -5E4h
var_5E0		= dword	ptr -5E0h
var_5DC		= dword	ptr -5DCh
var_5D8		= dword	ptr -5D8h
var_5D4		= dword	ptr -5D4h
var_5D0		= dword	ptr -5D0h
var_5CC		= dword	ptr -5CCh
var_5C8		= dword	ptr -5C8h
var_578		= dword	ptr -578h
var_530		= dword	ptr -530h
var_52C		= byte ptr -52Ch
var_418		= word ptr -418h
var_210		= word ptr -210h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 61Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+61Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		push	48h		; size_t
		push	eax		; int
		mov	[esp+630h+var_5F4], eax
		mov	ebx, eax
		mov	[esp+630h+var_5F8], eax
		mov	esi, ecx
		lea	eax, [esp+630h+var_578]
		mov	[esp+630h+var_5D0], edx
		push	eax		; void *
		mov	[esp+634h+var_614], esi
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	[esp+628h+var_60C], eax
		mov	[esp+628h+var_604], eax
		push	208h		; size_t
		push	eax		; int
		lea	eax, [esp+630h+var_418]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+628h+var_210]
		push	208h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+628h+var_5C8]
		push	4Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		and	[esp+634h+var_5D8], ebx
		add	esp, 0Ch
		and	[esp+628h+var_5D4], ebx
		mov	[esp+628h+var_5E4], offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		push	2
		pop	eax
		mov	word ptr [esp+628h+var_5E8], ax
		push	4
		pop	eax
		mov	word ptr [esp+628h+var_5E8+2], ax
		test	edi, edi
		jz	loc_9D281B
		test	esi, esi
		jz	loc_9D281B
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	edx, ecx
		inc	eax
		and	edx, eax
		mov	[esp+628h+var_615], al
		mov	[esp+628h+var_5CC], edx
		mov	edx, ecx
		and	edx, 2
		mov	[esp+628h+var_5F0], edx
		mov	edx, ecx
		and	ecx, 4
		and	edx, 8
		mov	[ebp+arg_0], ecx
		xor	ecx, ecx
		mov	[edi], ecx
		mov	[edi+4], ecx
		mov	[esp+628h+var_600], ecx
		mov	dword ptr [esp+628h+var_5FC], ecx
		mov	[esp+628h+var_5E0], ecx
		mov	[esp+628h+var_5DC], ecx
		mov	[esp+628h+var_610], ecx
		mov	[esp+628h+var_608], ecx
		mov	ecx, [esp+628h+var_5D0]
		mov	[esp+628h+var_5EC], edx
		test	ecx, ecx
		jz	short loc_9D23DE
		mov	ebx, ecx
		mov	[esp+628h+var_610], eax
		jmp	short loc_9D243F
; 

loc_9D23DE:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+110j
		lea	eax, [esp+628h+var_60C]
		push	eax
		push	4
		lea	eax, [esp+630h+var_610]
		push	eax
		push	1Dh
		push	esi
		call	_NtQueryInformationToken@20 ; NtQueryInformationToken(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D27E2
		cmp	[esp+628h+var_610], ebx
		jz	short loc_9D243B
		lea	eax, [esp+628h+var_60C]
		push	eax
		push	48h
		lea	eax, [esp+630h+var_578]
		push	eax
		push	1Fh
		push	[esp+638h+var_614]
		call	_NtQueryInformationToken@20 ; NtQueryInformationToken(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D27E2
		mov	ebx, [esp+628h+var_578]
		test	ebx, ebx
		jnz	short loc_9D243B
		mov	esi, 0C0000001h
		jmp	loc_9D27E2
; 

loc_9D243B:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+13Cj
					; RtlpGetTokenNamedObjectPath(x,x,x,x)+16Bj
		mov	esi, [esp+628h+var_614]

loc_9D243F:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+118j
		lea	eax, [esp+628h+var_60C]
		push	eax
		push	4
		lea	eax, [esp+630h+var_608]
		push	eax
		push	2Ah
		push	esi
		call	_NtQueryInformationToken@20 ; NtQueryInformationToken(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D27E2
		cmp	[esp+628h+var_608], 0
		jz	short loc_9D249F
		lea	eax, [esp+628h+var_60C]
		push	eax
		push	4Ch
		lea	eax, [esp+630h+var_5C8]
		push	eax
		push	1
		push	[esp+638h+var_614]
		call	_NtQueryInformationToken@20 ; NtQueryInformationToken(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D27E2
		push	1
		push	[esp+62Ch+var_5C8]
		lea	eax, [esp+630h+var_5E0]
		push	eax
		call	RtlConvertSidToUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_9D27E2

loc_9D249F:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+19Ej
		lea	eax, [esp+628h+var_60C]
		push	eax
		push	4
		lea	eax, [esp+630h+var_604]
		push	eax
		push	0Ch
		push	[esp+638h+var_614]
		call	_NtQueryInformationToken@20 ; NtQueryInformationToken(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D27E2
		cmp	[esp+628h+var_610], 0
		jz	short loc_9D24FA
		lea	eax, [esp+628h+var_5F4]
		push	eax
		push	ebx
		call	RtlGetAppContainerSidType
		mov	esi, eax
		test	esi, esi
		js	loc_9D27E2
		cmp	[esp+628h+var_5F4], 2
		jnz	short loc_9D2555
		push	1
		push	ebx
		lea	eax, [esp+630h+var_600]
		push	eax
		call	RtlConvertSidToUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_9D27E2

loc_9D24FA:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+201j
		mov	ebx, 104h

loc_9D24FF:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+332j
		lea	eax, [esp+628h+var_60C]
		push	eax
		push	118h
		lea	eax, [esp+630h+var_530]
		push	eax
		push	2Ch
		push	[esp+638h+var_614]
		call	_NtQueryInformationToken@20 ; NtQueryInformationToken(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D27E2
		cmp	[esp+628h+var_608], 0
		jnz	loc_9D25FB
		cmp	[esp+628h+var_610], 0
		jnz	loc_9D25FB
		call	_RtlGetCurrentServiceSessionId@0 ; RtlGetCurrentServiceSessionId()
		mov	ecx, [esp+628h+var_604]
		cmp	ecx, eax
		jnz	loc_9D25FF
		xor	eax, eax
		inc	eax
		jmp	loc_9D2601
; 

loc_9D2555:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+21Dj
		lea	eax, [esp+628h+var_5F8]
		push	eax
		push	ebx
		call	_RtlGetAppContainerParent@8 ; RtlGetAppContainerParent(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D27E2
		push	1
		push	[esp+62Ch+var_5F8]
		lea	eax, [esp+630h+var_600]
		push	eax
		call	RtlConvertSidToUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_9D27E2
		push	0Bh
		push	ebx
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	dword ptr [eax]
		push	0Ah
		push	ebx
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	dword ptr [eax]
		push	9
		push	ebx
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	dword ptr [eax]
		push	8
		push	ebx
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	ebx, 104h
		push	dword ptr [eax]
		lea	eax, [esp+638h+var_210]
		push	dword ptr [esp+638h+var_5FC] ; char
		push	offset ??_C@_1BO@FFPNCKK@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAu?$AA?9?$AA?$CF?$AAu?$AA?9?$AA?$CF?$AAu?$AA?9?$AA?$CF?$AAu@NNGAKEGL@ ; "%s\\%u-%u-%u-%u"
		push	ebx		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 20h
		test	esi, esi
		js	loc_9D27E2
		lea	eax, [esp+628h+var_600]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esp+628h+var_210]
		push	eax
		lea	eax, [esp+62Ch+var_600]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[esp+628h+var_615], 0
		jmp	loc_9D24FF
; 

loc_9D25FB:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+267j
					; RtlpGetTokenNamedObjectPath(x,x,x,x)+272j
		mov	ecx, [esp+628h+var_604]

loc_9D25FF:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+283j
		xor	al, al

loc_9D2601:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+28Cj
		cmp	byte ptr [esp+628h+var_5CC], 0
		jnz	short loc_9D2643
		test	al, al
		jnz	short loc_9D263C
		cmp	[esp+628h+var_610], 0
		mov	eax, offset ??_C@_1DC@JGKFLOCH@?$AAA?$AAp?$AAp?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAN?$AAa?$AAm@NNGAKEGL@
		jnz	short loc_9D261D
		mov	eax, offset ??_C@_1CC@GOIMJBIF@?$AAB?$AAa?$AAs?$AAe?$AAN?$AAa?$AAm?$AAe?$AAd?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt@NNGAKEGL@

loc_9D261D:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+352j
		push	eax
		push	ecx
		push	offset ??_C@_1BE@GBAFMKEO@?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAs@NNGAKEGL@ ; "\\Sessions"
		push	offset ??_C@_1BE@BNDIFIKI@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAl?$AAd?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; wchar_t *
		lea	eax, [esp+638h+var_418]
		push	ebx		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 18h
		jmp	short loc_9D2687
; 

loc_9D263C:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+346j
		push	offset ??_C@_1CE@NPBNEBGN@?$AA?2?$AAB?$AAa?$AAs?$AAe?$AAN?$AAa?$AAm?$AAe?$AAd?$AAO?$AAb?$AAj?$AAe?$AAc@NNGAKEGL@
		jmp	short loc_9D2679
; 

loc_9D2643:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+342j
		cmp	[ebp+arg_0], 0
		jnz	short loc_9D2674
		cmp	[esp+628h+var_610], 0
		mov	eax, offset ??_C@_1DE@ECFPHGNH@?$AA?2?$AAA?$AAp?$AAp?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAN?$AAa@NNGAKEGL@
		jnz	short loc_9D265A
		mov	eax, offset ??_C@_11LOCGONAA@@NNGAKEGL@

loc_9D265A:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+38Fj
		push	eax
		push	ecx		; char
		push	offset ??_C@_1CK@LDAJCDKF@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?2@NNGAKEGL@ ; "Global\\Session\\%ld%s"
		lea	eax, [esp+634h+var_418]
		push	ebx		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 14h
		jmp	short loc_9D2687
; 

loc_9D2674:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+383j
		push	offset ??_C@_1DC@JGKFLOCH@?$AAA?$AAp?$AAp?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAN?$AAa?$AAm@NNGAKEGL@

loc_9D2679:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+37Dj
		mov	edx, ebx
		lea	ecx, [esp+62Ch+var_418]
		call	RtlStringCchCopyW

loc_9D2687:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+376j
					; RtlpGetTokenNamedObjectPath(x,x,x,x)+3AEj
		mov	esi, eax
		test	esi, esi
		js	loc_9D27E2
		and	[esp+628h+var_614], 0
		lea	eax, [esp+628h+var_614]
		push	eax
		mov	edx, 208h
		lea	ecx, [esp+62Ch+var_418]
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D27E2
		cmp	[esp+628h+var_608], 0
		jz	short loc_9D26D2
		cmp	[esp+628h+var_5F0], 0
		jnz	short loc_9D26D2
		movzx	esi, word ptr [esp+628h+var_5E0]
		add	esi, 2
		add	esi, [esp+628h+var_614]
		jmp	short loc_9D26D6
; 

loc_9D26D2:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+3F7j
					; RtlpGetTokenNamedObjectPath(x,x,x,x)+3FEj
		mov	esi, [esp+628h+var_614]

loc_9D26D6:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+40Cj
		cmp	[esp+628h+var_610], 0
		jz	short loc_9D26E7
		movzx	eax, word ptr [esp+628h+var_600]
		add	eax, 2
		add	esi, eax

loc_9D26E7:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+417j
		cmp	[esp+628h+var_52C], 0
		jz	short loc_9D2713
		cmp	[esp+628h+var_5EC], 0
		jnz	short loc_9D2713
		push	[esp+628h+var_530]
		lea	eax, [esp+62Ch+var_5D8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, word ptr [esp+628h+var_5D8]
		add	eax, 2
		add	esi, eax

loc_9D2713:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+42Bj
					; RtlpGetTokenNamedObjectPath(x,x,x,x)+432j
		add	esi, 2
		push	esi
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9D272C
		mov	esi, 0C000009Ah
		jmp	loc_9D27E2
; 

loc_9D272C:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+45Cj
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		and	dword ptr [edi], 0
		lea	eax, [esp+634h+var_418]
		add	esp, 0Ch
		mov	[edi+2], si
		mov	[edi+4], ebx
		push	eax		; void *
		push	edi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D27E2
		cmp	[esp+628h+var_608], 0
		jz	short loc_9D278A
		cmp	[esp+628h+var_5F0], 0
		jnz	short loc_9D278A
		lea	eax, [esp+628h+var_5E8]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D27E2
		lea	eax, [esp+628h+var_5E0]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D27E2

loc_9D278A:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+49Bj
					; RtlpGetTokenNamedObjectPath(x,x,x,x)+4A2j
		cmp	[esp+628h+var_610], 0
		jz	short loc_9D27B3
		lea	eax, [esp+628h+var_5E8]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D27E2
		lea	eax, [esp+628h+var_600]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D27E2

loc_9D27B3:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+4CBj
		cmp	[esp+628h+var_52C], 0
		jz	short loc_9D27E2
		cmp	[esp+628h+var_5EC], 0
		jnz	short loc_9D27E2
		lea	eax, [esp+628h+var_5E8]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D27E2
		lea	eax, [esp+628h+var_5D8]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax

loc_9D27E2:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+132j
					; RtlpGetTokenNamedObjectPath(x,x,x,x)+15Cj ...
		lea	eax, [esp+628h+var_5E0]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	esi, esi
		jns	short loc_9D27F6
		push	edi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_9D27F6:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+52Aj
		cmp	[esp+628h+var_615], 0
		jz	short loc_9D2807
		lea	eax, [esp+628h+var_600]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_9D2807:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+537j
		mov	eax, [esp+628h+var_5F8]
		test	eax, eax
		jz	short loc_9D2817
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D2817:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+549j
		mov	eax, esi
		jmp	short loc_9D2820
; 

loc_9D281B:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+B3j
					; RtlpGetTokenNamedObjectPath(x,x,x,x)+BBj
		mov	eax, 0C000000Dh

loc_9D2820:				; CODE XREF: RtlpGetTokenNamedObjectPath(x,x,x,x)+555j
		mov	ecx, [esp+628h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_RtlpGetTokenNamedObjectPath@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlpGuidPresentInGuidList(void	*,int,int)
_RtlpGuidPresentInGuidList@12 proc near	; CODE XREF: RtlpCopyEffectiveAce+13E9DBp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		cmp	[ebp+arg_0], esi
		jbe	short loc_9D2862

loc_9D284A:				; CODE XREF: RtlpGuidPresentInGuidList(x,x,x)+29j
		push	10h		; size_t
		push	dword ptr [edi+esi*4] ;	void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9D286B
		inc	esi
		cmp	esi, [ebp+arg_0]
		jb	short loc_9D284A

loc_9D2862:				; CODE XREF: RtlpGuidPresentInGuidList(x,x,x)+11j
		xor	al, al

loc_9D2864:				; CODE XREF: RtlpGuidPresentInGuidList(x,x,x)+36j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_9D286B:				; CODE XREF: RtlpGuidPresentInGuidList(x,x,x)+23j
		mov	al, 1
		jmp	short loc_9D2864
_RtlpGuidPresentInGuidList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpIsAppContainer(x, x)
_RtlpIsAppContainer@8 proc near		; CODE XREF: RtlpCapabilityCheckSystemCapability(x,x,x)+F5p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_34]
		xor	eax, eax
		mov	ebx, edx
		push	6
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_10]
		xor	edx, edx
		stosd
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], edx
		stosd
		mov	[ebx], dl
		stosd
		test	esi, esi
		jnz	loc_9D2933
		lea	eax, [ebp+var_14]
		mov	edi, 200h
		push	eax
		push	edi
		push	1
		push	8
		push	0FFFFFFFEh
		call	_ZwOpenThreadTokenEx@20	; ZwOpenThreadTokenEx(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C000007Ch
		jnz	short loc_9D292C
		lea	eax, [ebp+var_18]
		push	eax
		push	edi
		push	0Ah
		push	0FFFFFFFFh
		call	_ZwOpenProcessTokenEx@16 ; ZwOpenProcessTokenEx(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D294E
		push	2
		pop	ecx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_34], 18h
		mov	[ebp+var_20], eax
		xor	edx, edx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_30], edx
		push	eax
		push	ecx
		push	edx
		lea	eax, [ebp+var_34]
		mov	[ebp+var_28], edi
		push	eax
		push	8
		push	[ebp+var_18]
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_10], 0Ch
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], 1
		call	_ZwDuplicateToken@24 ; ZwDuplicateToken(x,x,x,x,x,x)
		push	[ebp+var_18]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_9D292C:				; CODE XREF: RtlpIsAppContainer(x,x)+5Bj
		test	esi, esi
		js	short loc_9D294E
		mov	esi, [ebp+var_14]

loc_9D2933:				; CODE XREF: RtlpIsAppContainer(x,x)+38j
		lea	eax, [ebp+var_1C]
		push	eax
		push	1Dh
		push	esi
		call	_SeQueryInformationToken@12 ; SeQueryInformationToken(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D294E
		cmp	[ebp+var_1C], 0
		setnz	al
		mov	[ebx], al

loc_9D294E:				; CODE XREF: RtlpIsAppContainer(x,x)+6Fj
					; RtlpIsAppContainer(x,x)+BFj ...
		cmp	[ebp+var_14], 0
		jz	short loc_9D295C
		push	[ebp+var_14]
		call	_ZwClose@4	; ZwClose(x)

loc_9D295C:				; CODE XREF: RtlpIsAppContainer(x,x)+E3j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_RtlpIsAppContainer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpValidFilterAclSubjectContext(x,	x)
_RtlpValidFilterAclSubjectContext@8 proc near ;	CODE XREF: RtlpSetSecurityObject+EE45Ap
					; RtlpSetSecurityObject+EE473p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_18], edx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], 100h
		mov	[ebp+var_10], eax

loc_9D2998:				; CODE XREF: RtlpValidFilterAclSubjectContext(x,x)+8Dj
		lea	eax, [ebp+var_10]
		push	eax
		push	15h
		push	ebx
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9D29F5
		test	dword ptr [esi+4], 0FF000000h
		jnz	short loc_9D2A0E
		test	byte ptr [esi+1], 40h
		jz	short loc_9D29D4
		lea	eax, [ebp+var_14]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_18]
		lea	edx, [esi+8]
		call	_RtlpValidTrustSubjectContext@16 ; RtlpValidTrustSubjectContext(x,x,x,x)
		test	al, al
		jnz	short loc_9D29F5
		mov	eax, 0C0000022h
		jmp	short loc_9D29FF
; 

loc_9D29D4:				; CODE XREF: RtlpValidFilterAclSubjectContext(x,x)+4Aj
		push	6		; size_t
		lea	eax, [ebp+var_C]
		push	eax		; void *
		lea	eax, [esi+0Ah]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9D2A0E
		cmp	byte ptr [esi+9], 1
		jnz	short loc_9D2A0E
		cmp	[esi+10h], eax
		jnz	short loc_9D2A0E

loc_9D29F5:				; CODE XREF: RtlpValidFilterAclSubjectContext(x,x)+3Bj
					; RtlpValidFilterAclSubjectContext(x,x)+5Ej
		inc	[ebp+var_10]
		test	esi, esi
		jnz	short loc_9D2998
		mov	eax, [ebp+var_14]

loc_9D29FF:				; CODE XREF: RtlpValidFilterAclSubjectContext(x,x)+65j
					; RtlpValidFilterAclSubjectContext(x,x)+A6j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_9D2A0E:				; CODE XREF: RtlpValidFilterAclSubjectContext(x,x)+44j
					; RtlpValidFilterAclSubjectContext(x,x)+7Bj ...
		mov	eax, 0C000000Dh
		jmp	short loc_9D29FF
_RtlpValidFilterAclSubjectContext@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpTerminateCurrentProcess(x)
_RtlpTerminateCurrentProcess@4 proc near ; CODE	XREF: RtlAssert(x,x,x,x):loc_661DBBp
		mov	eax, large fs:124h
		mov	edx, 0C0000001h
		mov	ecx, [eax+80h]
		jmp	_PsTerminateProcess@8 ;	PsTerminateProcess(x,x)
_RtlpTerminateCurrentProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLargeIntegerToUnicode(x,	x, x, x)
_RtlLargeIntegerToUnicode@16 proc near	; CODE XREF: RtlConvertSidToUnicodeString+EE681p

var_A4		= dword	ptr -0A4h
var_1E		= dword	ptr -1Eh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	94h
		push	offset dword_6A91F8
		call	__SEH_prolog4_GS
		mov	ebx, [ebp+arg_4]
		lea	edx, [ebp+var_1E]
		mov	esi, [ecx]
		mov	ecx, [ecx+4]

loc_9D2A45:				; CODE XREF: RtlLargeIntegerToUnicode(x,x,x,x)+38j
		mov	eax, esi
		and	eax, 0Fh
		shrd	esi, ecx, 4
		shr	ecx, 4
		sub	edx, 2
		mov	ax, ds:_RtlpIntegerWChars[eax*2]
		mov	[edx], ax
		mov	eax, esi
		or	eax, ecx
		jnz	short loc_9D2A45
		lea	edi, [ebp+var_1E]
		sub	edi, edx
		sar	edi, 1
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jns	short loc_9D2A85
		neg	esi

loc_9D2A75:				; CODE XREF: RtlLargeIntegerToUnicode(x,x,x,x)+58j
		cmp	edi, esi
		jge	short loc_9D2A87
		push	30h
		pop	eax
		mov	[ebx], ax
		add	ebx, 2
		dec	esi
		jmp	short loc_9D2A75
; 

loc_9D2A85:				; CODE XREF: RtlLargeIntegerToUnicode(x,x,x,x)+46j
		cmp	edi, esi

loc_9D2A87:				; CODE XREF: RtlLargeIntegerToUnicode(x,x,x,x)+4Cj
		jle	short loc_9D2A90
		mov	eax, 80000005h
		jmp	short loc_9D2AD8
; 

loc_9D2A90:				; CODE XREF: RtlLargeIntegerToUnicode(x,x,x,x):loc_9D2A87j
		and	[ebp+ms_exc.disabled], 0
		lea	eax, [edi+edi]
		push	eax		; size_t
		push	edx		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	edi, esi
		jge	short loc_9D2AAC
		xor	eax, eax
		mov	[ebx+edi*2], ax

loc_9D2AAC:				; CODE XREF: RtlLargeIntegerToUnicode(x,x,x,x)+79j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_9D2AD8
; 

loc_9D2AB7:				; DATA XREF: .text:006A920Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_A4], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9D2AC8:				; DATA XREF: .text:006A9210o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_A4]

loc_9D2AD8:				; CODE XREF: RtlLargeIntegerToUnicode(x,x,x,x)+63j
					; RtlLargeIntegerToUnicode(x,x,x,x)+8Aj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlLargeIntegerToUnicode@16 endp

; 
		align 4
		db 3 dup(0CCh)
; 
; Exported entry 2376. RtlUnicodeStringToInt64

; __stdcall RtlUnicodeStringToInt64(x, x, x, x)
		public _RtlUnicodeStringToInt64@16
_RtlUnicodeStringToInt64@16:		; CODE XREF: GetFlags(x,x,x)+3Ap
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		mov	eax, [ebp+10h]
		and	dword ptr [ebp-90h], 0
		push	ebx
		mov	ebx, [ebp+8]
		mov	[ebp-94h], eax
		mov	eax, [ebp+14h]
		push	esi
		movzx	ecx, word ptr [ebx]
		movzx	edx, word ptr [ebx+2]
		mov	esi, [ebx+4]
		mov	[ebp-98h], eax
		lea	eax, [ecx+2]
		mov	[ebp-8Ch], esi
		push	edi
		mov	edi, esi
		cmp	edx, eax
		jb	short loc_9D2B47
		shr	edx, 1
		xor	eax, eax
		cmp	[esi+edx*2-2], ax
		jz	short loc_9D2B7E

loc_9D2B47:				; CODE XREF: PAGE:009D2B3Aj
		shr	ecx, 1
		cmp	ecx, 40h
		jb	short loc_9D2B51
		push	40h
		pop	ecx

loc_9D2B51:				; CODE XREF: PAGE:009D2B4Cj
		lea	esi, [ecx+ecx]
		push	esi
		push	dword ptr [ebp-8Ch]
		lea	edi, [ebp-88h]
		mov	eax, edi
		push	eax
		call	_memcpy
		add	esp, 0Ch
		cmp	esi, 82h
		jnb	short loc_9D2BE9
		xor	eax, eax
		mov	[ebp+esi-88h], ax

loc_9D2B7E:				; CODE XREF: PAGE:009D2B45j
		xor	ecx, ecx
		lea	eax, [ebp-8Ch]
		push	eax
		push	ecx
		push	dword ptr [ebp+0Ch]
		lea	eax, [ebp-90h]
		mov	[ebp-8Ch], ecx
		push	eax
		push	edi
		push	ecx
		call	_wcstoxq
		mov	ecx, [ebp-94h]
		add	esp, 18h
		mov	[ecx+4], edx
		mov	edx, [ebp-98h]
		mov	[ecx], eax
		test	edx, edx
		jz	short loc_9D2BC9
		mov	ecx, [ebp-90h]
		mov	eax, [ebx+4]
		sub	ecx, edi
		sar	ecx, 1
		lea	eax, [eax+ecx*2]
		mov	[edx], eax

loc_9D2BC9:				; CODE XREF: PAGE:009D2BB5j
		mov	eax, [ebp-8Ch]
		mov	ecx, [ebp-4]
		neg	eax
		pop	edi
		sbb	eax, eax
		xor	ecx, ebp
		pop	esi
		and	eax, 0C0000095h
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_9D2BE9:				; CODE XREF: PAGE:009D2B72j
		call	___report_rangecheckfailure
; 
		dw 0CCCCh
		dd 0CCCCCCCCh
; Exported entry 2131. RtlGetNtGlobalFlags

;  S U B	R O U T	I N E 


; __stdcall RtlGetNtGlobalFlags()
		public _RtlGetNtGlobalFlags@0
_RtlGetNtGlobalFlags@0 proc near	; CODE XREF: RtlpAllocateHeap(x,x,x,x,x,x)+FCp
		mov	eax, _NtGlobalFlag
		retn
_RtlGetNtGlobalFlags@0 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2300. RtlQueryTimeZoneInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlQueryTimeZoneInformation(x)
		public _RtlQueryTimeZoneInformation@4
_RtlQueryTimeZoneInformation@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 0ACh
		call	_RtlpQueryTimeZoneInformationWorker@8 ;	RtlpQueryTimeZoneInformationWorker(x,x)
		pop	ebp
		retn	4
_RtlQueryTimeZoneInformation@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2333. RtlSetDynamicTimeZoneInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSetDynamicTimeZoneInformation(x)
		public _RtlSetDynamicTimeZoneInformation@4
_RtlSetDynamicTimeZoneInformation@4 proc near
					; CODE XREF: ExpRefreshTimeZoneInformation(x)+2B4p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	edx, 1B0h
		call	_RtlpSetTimeZoneInformationWorker@8 ; RtlpSetTimeZoneInformationWorker(x,x)
		pop	ecx
		pop	ebp
		retn	4
_RtlSetDynamicTimeZoneInformation@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2342. RtlSetTimeZoneInformation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSetTimeZoneInformation(x)
		public _RtlSetTimeZoneInformation@4
_RtlSetTimeZoneInformation@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 0ACh
		call	_RtlpSetTimeZoneInformationWorker@8 ; RtlpSetTimeZoneInformationWorker(x,x)
		pop	ebp
		retn	4
_RtlSetTimeZoneInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpSetTimeZoneInformationWorker(x,	x)
_RtlpSetTimeZoneInformationWorker@8 proc near
					; CODE XREF: RtlSetDynamicTimeZoneInformation(x)+Ep
					; RtlSetTimeZoneInformation(x)+Dp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		push	20h
		xor	edi, edi
		lea	ebx, [esi+4]
		mov	[ebp+var_8], edi
		push	ebx
		call	_wcsnlen
		mov	[ebp+var_C], eax
		pop	ecx
		pop	ecx
		cmp	eax, 20h
		jnb	loc_9D2E1B
		lea	eax, [esi+58h]
		push	20h
		push	eax
		call	_wcsnlen
		mov	[ebp+var_10], eax
		pop	ecx
		pop	ecx
		cmp	eax, 20h
		jnb	loc_9D2E1B
		cmp	[ebp+var_4], 1B0h
		jb	short loc_9D2CBE
		lea	eax, [esi+0ACh]
		push	80h
		push	eax
		call	_wcsnlen
		mov	edi, eax
		pop	ecx
		pop	ecx
		cmp	edi, 80h
		jnb	loc_9D2E1B

loc_9D2CBE:				; CODE XREF: RtlpSetTimeZoneInformationWorker(x,x)+4Ej
		lea	edx, [ebp+var_8]
		mov	cl, 1
		call	RtlpGetTimeZoneInfoHandle
		test	eax, eax
		js	loc_9D2E20
		push	4
		push	esi
		push	4
		push	offset _szBias	; "Bias"
		push	[ebp+var_8]
		push	40000000h
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		test	eax, eax
		js	loc_9D2DC6
		mov	eax, [ebp+var_C]
		lea	eax, ds:2[eax*2]
		push	eax
		push	ebx
		push	1
		push	offset _szStandardName
		push	[ebp+var_8]
		mov	ebx, 40000000h
		push	ebx
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		test	eax, eax
		js	loc_9D2DCB
		push	4
		lea	eax, [esi+54h]
		push	eax
		push	4
		push	offset _szStandardBias
		push	[ebp+var_8]
		push	ebx
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		test	eax, eax
		js	loc_9D2DCB
		push	10h
		lea	eax, [esi+44h]
		push	eax
		push	3
		push	offset _szStandardStart
		push	[ebp+var_8]
		push	ebx
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9D2DCB
		mov	eax, [ebp+var_10]
		lea	eax, ds:2[eax*2]
		push	eax
		lea	eax, [esi+58h]
		push	eax
		push	1
		push	offset _szDaylightName
		push	[ebp+var_8]
		push	ebx
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9D2DCB
		push	4
		lea	eax, [esi+0A8h]
		push	eax
		push	4
		push	offset _szDaylightBias
		push	[ebp+var_8]
		push	ebx
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9D2DCB
		push	10h
		lea	eax, [esi+98h]
		push	eax
		push	3
		push	offset _szDaylightStart	; "DaylightStart"
		push	[ebp+var_8]
		push	ebx
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9D2DCB
		cmp	[ebp+var_4], 1B0h
		jb	short loc_9D2DCB
		lea	eax, ds:2[edi*2]
		push	eax
		lea	eax, [esi+0ACh]
		jmp	short loc_9D2DD6
; 

loc_9D2DC6:				; CODE XREF: RtlpSetTimeZoneInformationWorker(x,x)+9Cj
		mov	ebx, 40000000h

loc_9D2DCB:				; CODE XREF: RtlpSetTimeZoneInformationWorker(x,x)+C5j
					; RtlpSetTimeZoneInformationWorker(x,x)+E3j ...
		xor	eax, eax
		mov	word ptr [ebp+var_4], ax
		lea	eax, [ebp+var_4]
		push	2

loc_9D2DD6:				; CODE XREF: RtlpSetTimeZoneInformationWorker(x,x)+177j
		push	eax
		push	1
		push	offset _szTimeZoneKeyName ; "TimeZoneKeyName"
		push	[ebp+var_8]
		push	ebx
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9D2E0F
		movzx	eax, byte ptr [esi+1ACh]
		push	4
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	4
		push	offset _szDynamicDaylightDisabled
		push	[ebp+var_8]
		push	ebx
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		mov	edi, eax

loc_9D2E0F:				; CODE XREF: RtlpSetTimeZoneInformationWorker(x,x)+19Ej
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, edi
		jmp	short loc_9D2E20
; 

loc_9D2E1B:				; CODE XREF: RtlpSetTimeZoneInformationWorker(x,x)+28j
					; RtlpSetTimeZoneInformationWorker(x,x)+41j ...
		mov	eax, 0C000000Dh

loc_9D2E20:				; CODE XREF: RtlpSetTimeZoneInformationWorker(x,x)+7Dj
					; RtlpSetTimeZoneInformationWorker(x,x)+1CCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_RtlpSetTimeZoneInformationWorker@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCheckBootStatusIntegrity(x, x)
_RtlCheckBootStatusIntegrity@8 proc near ; CODE	XREF: PopBootStatCheckIntegrity(x)+13Dp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	eax, ecx
		push	ebx
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_14], eax
		push	ecx
		push	4
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_C], ebx
		push	ecx
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_10], ebx
		push	ecx
		push	ebx
		push	ebx
		push	ebx
		push	eax
		mov	edi, edx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D2F09
		lea	eax, [ebp+var_10]
		push	eax
		push	0Fh
		lea	edx, [ebp+var_C]
		pop	ecx
		call	_RtlBootStatusItemInfo@12 ; RtlBootStatusItemInfo(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D2F09
		mov	eax, [ebp+var_10]
		add	eax, [ebp+var_C]
		cmp	[ebp+var_8], eax
		jnb	short loc_9D2E98

loc_9D2E94:				; CODE XREF: RtlCheckBootStatusIntegrity(x,x)+7Aj
		mov	[edi], bl
		jmp	short loc_9D2F09
; 

loc_9D2E98:				; CODE XREF: RtlCheckBootStatusIntegrity(x,x)+6Dj
		cmp	[ebp+var_8], 800h
		ja	short loc_9D2E94
		push	66647362h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9D2EBD
		mov	esi, 0C0000017h
		jmp	short loc_9D2F09
; 

loc_9D2EBD:				; CODE XREF: RtlCheckBootStatusIntegrity(x,x)+8Fj
		xor	ecx, ecx
		lea	eax, [ebp+var_28]
		push	ecx
		push	eax
		push	[ebp+var_8]
		lea	eax, [ebp+var_1C]
		push	ebx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_14]
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D2F01
		mov	ecx, [ebp+var_8]
		cmp	[ebp+var_18], ecx
		jz	short loc_9D2EEA
		mov	byte ptr [edi],	0
		jmp	short loc_9D2F01
; 

loc_9D2EEA:				; CODE XREF: RtlCheckBootStatusIntegrity(x,x)+BEj
		xor	eax, eax
		mov	dl, al
		test	ecx, ecx
		jz	short loc_9D2EFA

loc_9D2EF2:				; CODE XREF: RtlCheckBootStatusIntegrity(x,x)+D3j
		add	dl, [eax+ebx]
		inc	eax
		cmp	eax, ecx
		jb	short loc_9D2EF2

loc_9D2EFA:				; CODE XREF: RtlCheckBootStatusIntegrity(x,x)+CBj
		test	dl, dl
		setz	al
		mov	[edi], al

loc_9D2F01:				; CODE XREF: RtlCheckBootStatusIntegrity(x,x)+B6j
					; RtlCheckBootStatusIntegrity(x,x)+C3j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D2F09:				; CODE XREF: RtlCheckBootStatusIntegrity(x,x)+45j
					; RtlCheckBootStatusIntegrity(x,x)+5Ej	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_RtlCheckBootStatusIntegrity@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1974. RtlCheckSystemBootStatusIntegrity

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCheckSystemBootStatusIntegrity(x)
		public _RtlCheckSystemBootStatusIntegrity@4
_RtlCheckSystemBootStatusIntegrity@4 proc near

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	[ebp+var_C], ecx
		test	eax, eax
		jnz	short loc_9D2F30
		mov	eax, 0C000000Dh
		jmp	short locret_9D2F5B
; 

loc_9D2F30:				; CODE XREF: RtlCheckSystemBootStatusIntegrity(x)+12j
		mov	[ebp+var_8], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_18], ecx
		push	ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_C]
		push	ecx
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_1C]
		push	10h
		push	eax
		push	57h
		mov	[ebp+var_1C], 22h
		call	_ZwPowerInformation@20 ; ZwPowerInformation(x,x,x,x,x)

locret_9D2F5B:				; CODE XREF: RtlCheckSystemBootStatusIntegrity(x)+19j
		leave
		retn	4
_RtlCheckSystemBootStatusIntegrity@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlRestoreBootStatusDefaults(x)
_RtlRestoreBootStatusDefaults@4	proc near ; CODE XREF: PopBootStatCheckIntegrity(x)+246p

var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_AF		= word ptr -0AFh
var_AD		= byte ptr -0ADh
var_87		= byte ptr -87h
var_86		= byte ptr -86h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_B4]
		push	0ACh		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	esi, ecx
		mov	[ebp+var_C8], ebx
		mov	[ebp+var_C4], ebx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_B4]
		mov	edi, 0B0h
		mov	[ebp+var_B8], edi
		push	eax
		call	_RtlGetNtProductType@4 ; RtlGetNtProductType(x)
		mov	[ebp+var_AF], 11Eh
		mov	cl, bl
		mov	[ebp+var_87], 1
		mov	eax, ebx
		mov	[ebp+var_AD], bl
		mov	[ebp+var_10], ebx

loc_9D2FD0:				; CODE XREF: RtlRestoreBootStatusDefaults(x)+7Bj
		sub	cl, byte ptr [ebp+eax+var_B8]
		inc	eax
		cmp	eax, edi
		jb	short loc_9D2FD0
		push	edi
		mov	[ebp+var_86], cl
		lea	edx, [ebp+var_B8]
		push	ebx
		xor	cl, cl
		mov	[ebp+var_C0], ebx
		mov	[ebp+var_BC], ebx
		call	_RtlpRecordBootStatusData@16 ; RtlpRecordBootStatusData(x,x,x,x)
		push	ebx
		lea	eax, [ebp+var_C0]
		push	eax
		push	edi
		lea	eax, [ebp+var_B8]
		push	eax
		lea	eax, [ebp+var_C8]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	esi
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9D3046
		cmp	_BootStatFileHandleAcquired, bl
		jz	short loc_9D3046
		cmp	_BootStatFileHandle, esi
		jnz	short loc_9D3046
		mov	edi, _BootStatDataCache
		test	edi, edi
		jz	short loc_9D3046
		push	2Ch
		pop	ecx
		lea	esi, [ebp+var_B8]
		rep movsd

loc_9D3046:				; CODE XREF: RtlRestoreBootStatusDefaults(x)+C0j
					; RtlRestoreBootStatusDefaults(x)+C8j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_RtlRestoreBootStatusDefaults@4	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2317. RtlRestoreSystemBootStatusDefaults

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlRestoreSystemBootStatusDefaults()
		public _RtlRestoreSystemBootStatusDefaults@0
_RtlRestoreSystemBootStatusDefaults@0 proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		mov	[ebp+var_10], 23h
		push	eax
		push	eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_10]
		push	10h
		push	eax
		push	57h
		call	_ZwPowerInformation@20 ; ZwPowerInformation(x,x,x,x,x)
		leave
		retn
_RtlRestoreSystemBootStatusDefaults@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1992. RtlConstructCrossVmEventPath
; Exported entry 1993. RtlConstructCrossVmMutexPath

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlConstructCrossVmMutexPath(x, x, x)
		public _RtlConstructCrossVmMutexPath@12
_RtlConstructCrossVmMutexPath@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi	; RtlConstructCrossVmEventPath
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_RtlpConstructCrossVmObjectPath@12 ; RtlpConstructCrossVmObjectPath(x,x,x)
		pop	ebp
		retn	0Ch
_RtlConstructCrossVmMutexPath@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpConstructCrossVmObjectPath(x, x, x)
_RtlpConstructCrossVmObjectPath@12 proc	near
					; CODE XREF: RtlConstructCrossVmMutexPath(x,x,x)+Ep

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_4], edx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], eax
		push	esi
		push	edi
		push	70h
		pop	ecx
		mov	word ptr [ebp+var_10+2], cx
		test	ebx, ebx
		jz	short loc_9D30DB
		lea	eax, [ecx+4Eh]
		mov	word ptr [ebp+var_10+2], ax

loc_9D30DB:				; CODE XREF: RtlpConstructCrossVmObjectPath(x,x,x)+31j
		mov	eax, ebx
		neg	eax
		sbb	eax, eax
		and	eax, 4Eh
		add	eax, ecx
		push	eax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	edi, eax
		mov	[ebp+var_C], edi
		test	edi, edi
		jnz	short loc_9D30FF
		mov	esi, 0C0000017h
		jmp	loc_9D31A0
; 

loc_9D30FF:				; CODE XREF: RtlpConstructCrossVmObjectPath(x,x,x)+52j
		push	offset loc_404D78
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D319D
		mov	edi, offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		lea	eax, [ebp+var_10]
		push	edi		; void *
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D319D
		test	ebx, ebx
		jz	short loc_9D3165
		push	1
		lea	edx, [ebp+var_18]
		mov	ecx, ebx
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D319D
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D319D
		push	edi		; void *
		lea	eax, [ebp+var_10]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D319D

loc_9D3165:				; CODE XREF: RtlpConstructCrossVmObjectPath(x,x,x)+8Dj
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_20]
		push	1
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D319D
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D319D
		mov	ecx, [ebp+var_8]
		xor	edi, edi
		mov	eax, [ebp+var_10]
		mov	[ecx], eax
		mov	eax, [ebp+var_C]
		mov	[ecx+4], eax
		jmp	short loc_9D31A0
; 

loc_9D319D:				; CODE XREF: RtlpConstructCrossVmObjectPath(x,x,x)+70j
					; RtlpConstructCrossVmObjectPath(x,x,x)+89j ...
		mov	edi, [ebp+var_C]

loc_9D31A0:				; CODE XREF: RtlpConstructCrossVmObjectPath(x,x,x)+59j
					; RtlpConstructCrossVmObjectPath(x,x,x)+FAj
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	edi, edi
		jz	short loc_9D31BC
		push	edi
		call	_ExFreePool@4	; ExFreePool(x)

loc_9D31BC:				; CODE XREF: RtlpConstructCrossVmObjectPath(x,x,x)+113j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_RtlpConstructCrossVmObjectPath@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2411. RtlZeroHeap

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlZeroHeap(x, x)
		public _RtlZeroHeap@8
_RtlZeroHeap@8	proc near

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	3Ch
		push	offset dword_6A9258
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	edi, ebx
		mov	[ebp+var_20], edi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_38], esi
		mov	[ebp+var_19], bl
		cmp	dword ptr [esi+8], 0DDEEDDEEh
		jnz	short loc_9D31F6
		xor	eax, eax
		jmp	loc_9D34AD
; 

loc_9D31F6:				; CODE XREF: RtlZeroHeap(x,x)+23j
		mov	eax, [ebp+arg_4]
		or	eax, [esi+44h]
		mov	[ebp+var_3C], ebx
		mov	[ebp+ms_exc.disabled], ebx
		test	al, 1
		jnz	short loc_9D3217
		push	1
		push	dword ptr [esi+0C8h]
		call	ExAcquireResourceExclusiveLite
		mov	[ebp+var_19], 1

loc_9D3217:				; CODE XREF: RtlZeroHeap(x,x)+3Aj
		mov	[ebp+ms_exc.disabled], 1
		lea	ecx, [esi+0A4h]
		mov	eax, [ecx]

loc_9D3226:				; CODE XREF: RtlZeroHeap(x,x)+2A6j
		mov	[ebp+var_30], eax
		cmp	eax, ecx
		jz	loc_9D3475
		mov	ecx, [eax+14h]
		mov	[ebp+arg_4], ecx
		mov	[ebp+var_2C], ecx

loc_9D323A:				; CODE XREF: RtlZeroHeap(x,x)+24Cj
		cmp	ecx, [eax+18h]
		jnb	loc_9D3468
		test	edi, edi
		jz	short loc_9D325C
		cmp	[esi+4Ch], ebx
		jz	short loc_9D3280
		mov	al, [edi+2]
		xor	al, [edi+1]
		xor	al, [edi]
		mov	[edi+3], al
		mov	eax, [esi+50h]
		xor	[edi], eax

loc_9D325C:				; CODE XREF: RtlZeroHeap(x,x)+7Bj
		cmp	[esi+4Ch], ebx
		jz	short loc_9D3280
		mov	eax, [esi+50h]
		xor	[ecx], eax
		mov	al, [ecx+2]
		xor	al, [ecx+1]
		xor	al, [ecx]
		cmp	[ecx+3], al
		jz	short loc_9D3280
		push	ecx
		mov	edx, ecx
		mov	ecx, esi
		call	_RtlpAnalyzeHeapFailure@12 ; RtlpAnalyzeHeapFailure(x,x,x)
		mov	ecx, [ebp+arg_4]

loc_9D3280:				; CODE XREF: RtlZeroHeap(x,x)+80j
					; RtlZeroHeap(x,x)+95j	...
		mov	edi, ecx
		mov	[ebp+var_20], edi
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_28], eax
		mov	dl, [ecx+2]
		test	dl, 1
		jnz	loc_9D344A
		mov	eax, ecx
		mov	[ebp+var_34], eax
		test	dl, 8
		jz	loc_9D341B
		lea	edx, [ecx+8]
		mov	[ebp+var_24], edx
		mov	edi, [edx]
		mov	[ebp+var_40], edi
		mov	edx, [ecx+0Ch]
		mov	[ebp+var_48], edx
		mov	edx, [edx]
		mov	edi, [edi+4]
		cmp	edx, edi
		jnz	loc_9D33FB
		cmp	edx, [ebp+var_24]
		jnz	loc_9D33FB
		mov	edx, [ebp+var_28]
		sub	[esi+74h], edx
		mov	edx, [esi+0B4h]
		test	edx, edx
		jz	short loc_9D3303
		movzx	edi, word ptr [ecx]

loc_9D32DF:				; CODE XREF: RtlZeroHeap(x,x)+16Dj
		mov	ecx, [edx+4]
		cmp	edi, ecx
		jnb	short loc_9D32EA
		mov	eax, edi
		jmp	short loc_9D32F3
; 

loc_9D32EA:				; CODE XREF: RtlZeroHeap(x,x)+11Aj
		mov	eax, [edx]
		test	eax, eax
		jnz	short loc_9D3335
		lea	eax, [ecx-1]

loc_9D32F3:				; CODE XREF: RtlZeroHeap(x,x)+11Ej
		push	edi
		push	eax
		push	[ebp+var_24]
		push	ecx
		mov	ecx, esi
		call	_RtlpHeapRemoveListEntry@24 ; RtlpHeapRemoveListEntry(x,x,x,x,x,x)
		mov	eax, [ebp+var_34]

loc_9D3303:				; CODE XREF: RtlZeroHeap(x,x)+110j
		mov	ecx, [ebp+var_40]
		mov	edx, [ebp+var_48]
		mov	[edx], ecx
		mov	[ecx+4], edx
		movzx	ecx, word ptr [eax]
		mov	[ebp+var_48], ecx
		mov	[eax+2], bl
		mov	[eax+7], bl
		lea	edi, [esi+0C0h]
		cmp	[esi+0B4h], ebx
		jz	short loc_9D3339
		mov	edx, ecx
		mov	ecx, esi
		call	_RtlpFindEntry@8 ; RtlpFindEntry(x,x)
		mov	ecx, eax
		jmp	short loc_9D333B
; 

loc_9D3335:				; CODE XREF: RtlZeroHeap(x,x)+124j
		mov	edx, eax
		jmp	short loc_9D32DF
; 

loc_9D3339:				; CODE XREF: RtlZeroHeap(x,x)+15Cj
		mov	ecx, [edi]

loc_9D333B:				; CODE XREF: RtlZeroHeap(x,x)+169j
					; RtlZeroHeap(x,x)+1AAj
		cmp	edi, ecx
		jz	short loc_9D3376
		cmp	[esi+4Ch], ebx
		jz	short loc_9D3366
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		mov	edx, [ecx-8]
		mov	[ebp+var_44], edx
		test	[esi+4Ch], edx
		jz	short loc_9D335B
		xor	edx, [esi+50h]
		mov	[ebp+var_44], edx

loc_9D335B:				; CODE XREF: RtlZeroHeap(x,x)+189j
		movzx	edx, dx
		mov	eax, [ebp+var_2C]
		mov	[ebp+arg_4], eax
		jmp	short loc_9D336A
; 

loc_9D3366:				; CODE XREF: RtlZeroHeap(x,x)+178j
		movzx	edx, word ptr [ecx-8]

loc_9D336A:				; CODE XREF: RtlZeroHeap(x,x)+19Aj
		movzx	eax, dx
		cmp	[ebp+var_48], eax
		jbe	short loc_9D3376
		mov	ecx, [ecx]
		jmp	short loc_9D333B
; 

loc_9D3376:				; CODE XREF: RtlZeroHeap(x,x)+173j
					; RtlZeroHeap(x,x)+1A6j
		mov	edi, [ebp+var_34]
		lea	eax, [edi+8]
		mov	edx, [ecx+4]
		mov	esi, [edx]
		mov	[ebp+var_48], esi
		cmp	esi, ecx
		mov	esi, [ebp+arg_0]
		jnz	short loc_9D3397
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		jmp	short loc_9D33A7
; 

loc_9D3397:				; CODE XREF: RtlZeroHeap(x,x)+1BFj
		push	ebx
		push	[ebp+var_48]
		push	ebx
		push	ecx
		xor	edx, edx
		push	0Dh
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_9D33A7:				; CODE XREF: RtlZeroHeap(x,x)+1CBj
		movzx	eax, word ptr [edi]
		add	[esi+74h], eax
		mov	edx, [esi+0B4h]
		test	edx, edx
		jz	short loc_9D33E0
		movzx	eax, word ptr [edi]

loc_9D33BA:				; CODE XREF: RtlZeroHeap(x,x)+22Fj
		mov	ecx, [edx+4]
		mov	[ebp+var_48], ecx
		cmp	eax, ecx
		jnb	short loc_9D33C8
		mov	ecx, eax
		jmp	short loc_9D33D2
; 

loc_9D33C8:				; CODE XREF: RtlZeroHeap(x,x)+1F8j
		mov	ecx, [edx]
		test	ecx, ecx
		jnz	short loc_9D33F7
		mov	ecx, [ebp+var_48]
		dec	ecx

loc_9D33D2:				; CODE XREF: RtlZeroHeap(x,x)+1FCj
		push	eax
		push	ecx
		lea	eax, [edi+8]
		push	eax
		push	ecx
		mov	ecx, esi
		call	_RtlpHeapAddListEntry@24 ; RtlpHeapAddListEntry(x,x,x,x,x,x)

loc_9D33E0:				; CODE XREF: RtlZeroHeap(x,x)+1EBj
		cmp	[esi+4Ch], ebx
		jz	short loc_9D340B
		mov	al, [edi+2]
		xor	al, [edi+1]
		xor	al, [edi]
		mov	[edi+3], al
		mov	eax, [esi+50h]
		xor	[edi], eax
		jmp	short loc_9D340B
; 

loc_9D33F7:				; CODE XREF: RtlZeroHeap(x,x)+202j
		mov	edx, ecx
		jmp	short loc_9D33BA
; 

loc_9D33FB:				; CODE XREF: RtlZeroHeap(x,x)+F3j
					; RtlZeroHeap(x,x)+FCj
		push	ebx
		push	edx
		push	edi
		push	[ebp+var_24]
		mov	edx, esi
		push	0Dh
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_9D340B:				; CODE XREF: RtlZeroHeap(x,x)+219j
					; RtlZeroHeap(x,x)+22Bj
		mov	edi, ebx
		mov	[ebp+var_20], edi
		mov	ecx, [ebp+arg_4]

loc_9D3413:				; CODE XREF: RtlZeroHeap(x,x)+294j
		mov	eax, [ebp+var_30]
		jmp	loc_9D323A
; 

loc_9D341B:				; CODE XREF: RtlZeroHeap(x,x)+D5j
		add	ecx, 10h
		test	byte ptr [esi+40h], 40h
		setnz	al
		shr	dl, 2
		and	al, dl
		mov	edx, [ebp+var_28]
		test	al, 1
		lea	eax, ds:0FFFFFFF0h[edx*8]
		jz	short loc_9D343F
		push	0FEEEFEEEh
		jmp	short loc_9D3440
; 

loc_9D343F:				; CODE XREF: RtlZeroHeap(x,x)+26Cj
		push	ebx

loc_9D3440:				; CODE XREF: RtlZeroHeap(x,x)+273j
		push	eax
		push	ecx
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		mov	ecx, [ebp+arg_4]

loc_9D344A:				; CODE XREF: RtlZeroHeap(x,x)+C7j
		cmp	byte ptr [ecx+7], 3
		jnz	short loc_9D3460
		mov	eax, [ecx+1Ch]
		add	ecx, 20h
		add	ecx, eax

loc_9D3458:				; CODE XREF: RtlZeroHeap(x,x)+29Cj
		mov	[ebp+arg_4], ecx
		mov	[ebp+var_2C], ecx
		jmp	short loc_9D3413
; 

loc_9D3460:				; CODE XREF: RtlZeroHeap(x,x)+284j
		movzx	eax, word ptr [ecx]
		lea	ecx, [ecx+eax*8]
		jmp	short loc_9D3458
; 

loc_9D3468:				; CODE XREF: RtlZeroHeap(x,x)+73j
		mov	eax, [eax]
		lea	ecx, [esi+0A4h]
		jmp	loc_9D3226
; 

loc_9D3475:				; CODE XREF: RtlZeroHeap(x,x)+61j
		mov	[ebp+ms_exc.disabled], ebx
		jmp	short loc_9D349E
; 

loc_9D347A:				; DATA XREF: .text:006A9278o
		mov	edx, [ebp+ms_exc.exc_ptr]
		mov	eax, [edx]
		mov	ecx, [eax]
		mov	[ebp+var_4C], ecx
		call	_RtlpHeapExceptionFilter@8 ; RtlpHeapExceptionFilter(x,x)
		retn
; 

loc_9D348A:				; DATA XREF: .text:006A927Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_3C], eax
		xor	ebx, ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	edi, [ebp+var_20]
		mov	esi, [ebp+var_38]

loc_9D349E:				; CODE XREF: RtlZeroHeap(x,x)+2AEj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_9D34C7
		mov	eax, [ebp+var_3C]

loc_9D34AD:				; CODE XREF: RtlZeroHeap(x,x)+27j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlZeroHeap@8	endp


;  S U B	R O U T	I N E 


sub_9D34BF	proc near		; DATA XREF: .text:006A9270o
		xor	ebx, ebx
		mov	edi, [ebp-20h]
		mov	esi, [ebp-38h]
sub_9D34BF	endp


;  S U B	R O U T	I N E 


sub_9D34C7	proc near		; CODE XREF: RtlZeroHeap(x,x)+2DBp
		test	edi, edi
		jz	short loc_9D34E0
		cmp	[esi+4Ch], ebx
		jz	short loc_9D34E0
		mov	al, [edi+2]
		xor	al, [edi+1]
		xor	al, [edi]
		mov	[edi+3], al
		mov	eax, [esi+50h]
		xor	[edi], eax

loc_9D34E0:				; CODE XREF: sub_9D34C7+2j
					; sub_9D34C7+7j
		cmp	byte ptr [ebp-19h], 0
		jz	short locret_9D34F1
		mov	ecx, [esi+0C8h]
		call	ExReleaseResourceLite

locret_9D34F1:				; CODE XREF: sub_9D34C7+1Dj
		retn
sub_9D34C7	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpDestroyHeapSegment(x)
_RtlpDestroyHeapSegment@4 proc near	; CODE XREF: RtlDestroyHeap+A600Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		test	byte ptr [esi+0Ch], 1
		jnz	short loc_9D3551
		lea	eax, [esi+10h]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		push	ebx
		push	edi
		mov	ebx, [ecx+4]
		mov	edi, [edx]
		cmp	edi, ebx
		jnz	short loc_9D3520
		cmp	edi, eax
		jnz	short loc_9D3520
		mov	[edx], ecx
		mov	[ecx+4], edx
		jmp	short loc_9D352F
; 

loc_9D3520:				; CODE XREF: RtlpDestroyHeapSegment(x)+21j
					; RtlpDestroyHeapSegment(x)+25j
		push	0
		push	edi
		push	ebx
		push	eax
		push	0Dh
		xor	edx, edx
		pop	ecx
		call	_RtlpLogHeapFailure@24 ; RtlpLogHeapFailure(x,x,x,x,x,x)

loc_9D352F:				; CODE XREF: RtlpDestroyHeapSegment(x)+2Cj
		mov	eax, [esi+1Ch]
		and	[ebp+var_4], 0
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_4]
		push	8000h
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)
		pop	edi
		pop	ebx
		jmp	short loc_9D3553
; 

loc_9D3551:				; CODE XREF: RtlpDestroyHeapSegment(x)+Ej
		xor	eax, eax

loc_9D3553:				; CODE XREF: RtlpDestroyHeapSegment(x)+5Dj
		pop	esi
		leave
		retn
_RtlpDestroyHeapSegment@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2016. RtlCreateSystemVolumeInformationFolder

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlCreateSystemVolumeInformationFolder(x)
		public _RtlCreateSystemVolumeInformationFolder@4
_RtlCreateSystemVolumeInformationFolder@4 proc near

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [esp+44h+var_28]
		push	edi
		push	offset ??_C@_1DE@LIBHJBEH@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?5?$AAV?$AAo?$AAl?$AAu?$AAm?$AAe?$AA?5?$AAI@NNGAKEGL@
		push	eax
		mov	[esp+50h+var_28], ebx
		mov	[esp+50h+var_24], ebx
		mov	[esp+50h+var_30], ebx
		mov	[esp+50h+var_2C], ebx
		mov	[esp+50h+var_34], ebx
		mov	[esp+50h+var_38], ebx
		mov	[esp+50h+var_3C], ebx
		mov	[esp+50h+var_20], ebx
		mov	[esp+50h+var_1C], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, [ebp+arg_0]
		mov	ecx, [esp+48h+var_28]
		movzx	eax, word ptr [esi]
		mov	edi, eax
		lea	edx, [eax+ecx]
		mov	word ptr [esp+48h+var_30], dx
		cmp	dx, di
		jb	loc_9D37AF
		cmp	dx, cx
		jb	loc_9D37AF
		mov	eax, [esi+4]
		mov	ecx, edi
		shr	ecx, 1
		push	5Ch
		movzx	eax, word ptr [eax+ecx*2-2]
		pop	ecx
		mov	edi, eax
		cmp	ax, cx
		jz	short loc_9D35E2
		lea	eax, [edx+2]
		mov	word ptr [esp+48h+var_30], ax

loc_9D35E2:				; CODE XREF: RtlCreateSystemVolumeInformationFolder(x)+7Dj
		mov	eax, [esp+48h+var_30]
		add	eax, 2
		mov	word ptr [esp+48h+var_30+2], ax
		push	536C6F56h
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+48h+var_2C], ecx
		test	ecx, ecx
		jnz	short loc_9D3612
		mov	eax, 0C000009Ah
		jmp	loc_9D37B4
; 

loc_9D3612:				; CODE XREF: RtlCreateSystemVolumeInformationFolder(x)+ABj
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		push	ecx		; void *
		call	_memcpy
		movzx	ecx, word ptr [esi]
		add	esp, 0Ch
		mov	word ptr [esp+48h+var_30], cx
		push	5Ch
		pop	edx
		cmp	di, dx
		jz	short loc_9D364A
		mov	eax, [esp+48h+var_2C]
		shr	ecx, 1
		mov	[eax+ecx*2], dx
		mov	cx, word ptr [esp+48h+var_30]
		add	cx, 2
		mov	word ptr [esp+48h+var_30], cx

loc_9D364A:				; CODE XREF: RtlCreateSystemVolumeInformationFolder(x)+D5j
		movzx	eax, word ptr [esp+48h+var_28]
		push	eax		; size_t
		push	[esp+4Ch+var_24] ; void	*
		movzx	eax, cx
		add	eax, [esp+50h+var_2C]
		push	eax		; void *
		call	_memcpy
		mov	ax, word ptr [esp+54h+var_30]
		xor	edx, edx
		add	ax, word ptr [esp+54h+var_28]
		add	esp, 0Ch
		movzx	ecx, ax
		mov	word ptr [esp+48h+var_30], ax
		mov	eax, [esp+48h+var_2C]
		shr	ecx, 1
		mov	[eax+ecx*2], dx
		lea	edx, [esp+48h+var_38]
		lea	ecx, [esp+48h+var_34]
		call	_RtlpSysVolCreateSecurityDescriptor@8 ;	RtlpSysVolCreateSecurityDescriptor(x,x)
		mov	esi, eax
		push	ebx
		test	esi, esi
		jns	short loc_9D36A6
		push	[esp+4Ch+var_2C]

loc_9D369A:				; CODE XREF: RtlCreateSystemVolumeInformationFolder(x)+227j
					; RtlCreateSystemVolumeInformationFolder(x)+24Fj
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	loc_9D37B4	; void *
; 

loc_9D36A6:				; CODE XREF: RtlCreateSystemVolumeInformationFolder(x)+139j
		push	20h		; int
		push	ebx		; int
		mov	edi, [esp+54h+var_34]
		lea	eax, [esp+54h+var_30]
		push	ebx		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; void *
		push	201060h		; int
		push	1		; int
		push	7		; int
		push	ebx		; int
		mov	[esp+74h+var_10], eax
		lea	ecx, [esp+74h+var_3C]
		push	ebx		; int
		lea	eax, [esp+78h+var_20]
		mov	[esp+78h+var_18], 18h
		push	eax		; int
		lea	eax, [esp+7Ch+var_18]
		mov	[esp+7Ch+var_14], ebx
		push	eax		; int
		mov	edx, 10000h
		mov	[esp+80h+var_C], 240h
		mov	[esp+80h+var_8], edi
		mov	[esp+80h+var_4], ebx
		call	_IopCreateFile@64 ; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9D3705
		push	[esp+48h+var_3C]
		call	NtClose

loc_9D3705:				; CODE XREF: RtlCreateSystemVolumeInformationFolder(x)+19Fj
		push	ebx		; void *
		push	20h		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; void *
		push	21h		; int
		push	3		; int
		push	7		; int
		push	6		; int
		push	ebx		; int
		lea	eax, [esp+78h+var_20]
		mov	edx, 1E0000h
		push	eax		; int
		lea	eax, [esp+7Ch+var_18]
		push	eax		; int
		lea	ecx, [esp+80h+var_3C]
		call	_IopCreateFile@64 ; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9D3768
		lea	ecx, [esp+48h+var_30]
		call	_RtlpSysVolTakeOwnership@4 ; RtlpSysVolTakeOwnership(x)
		push	ebx		; void *
		push	20h		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; void *
		push	21h		; int
		push	3		; int
		push	7		; int
		push	6		; int
		push	ebx		; int
		lea	eax, [esp+78h+var_20]
		mov	edx, 1E0000h
		push	eax		; int
		lea	eax, [esp+7Ch+var_18]
		push	eax		; int
		lea	ecx, [esp+80h+var_3C]
		call	_IopCreateFile@64 ; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_9D3768:				; CODE XREF: RtlCreateSystemVolumeInformationFolder(x)+1D7j
		push	ebx
		push	[esp+4Ch+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		test	esi, esi
		jns	short loc_9D3787
		push	[esp+4Ch+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	edi
		jmp	loc_9D369A
; 

loc_9D3787:				; CODE XREF: RtlCreateSystemVolumeInformationFolder(x)+21Aj
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [esp+48h+var_38]
		mov	ecx, [esp+48h+var_3C]
		call	_RtlpSysVolCheckOwnerAndSecurity@8 ; RtlpSysVolCheckOwnerAndSecurity(x,x)
		push	[esp+48h+var_3C]
		mov	esi, eax
		call	NtClose
		push	ebx
		push	[esp+4Ch+var_38]
		jmp	loc_9D369A
; 

loc_9D37AF:				; CODE XREF: RtlCreateSystemVolumeInformationFolder(x)+5Aj
					; RtlCreateSystemVolumeInformationFolder(x)+63j
		mov	eax, 0C000000Dh

loc_9D37B4:				; CODE XREF: RtlCreateSystemVolumeInformationFolder(x)+B2j
					; RtlCreateSystemVolumeInformationFolder(x)+146j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_RtlCreateSystemVolumeInformationFolder@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpSysVolCheckOwnerAndSecurity(x, x)
_RtlpSysVolCheckOwnerAndSecurity@8 proc	near
					; CODE XREF: RtlCreateSystemVolumeInformationFolder(x)+23Ap

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_39		= dword	ptr -39h
var_34		= dword	ptr -34h
var_2E		= word ptr -2Eh
var_2C		= dword	ptr -2Ch
var_1C		= dword	ptr -1Ch
var_16		= word ptr -16h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_50], edx
		xor	ecx, ecx
		mov	[ebp+var_4C], ebx
		lea	eax, [ebp+var_39+1]
		mov	[ebp+var_39+1],	ecx
		push	eax
		push	ecx
		push	ecx
		push	5
		push	ebx
		mov	[ebp+var_40], ecx
		mov	byte ptr [ebp+var_39], cl
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], ecx
		call	NtQuerySecurityObject
		cmp	eax, 0C0000023h
		jz	short loc_9D3807
		xor	eax, eax
		jmp	loc_9D3A30
; 

loc_9D3807:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+41j
		push	536C6F56h
		push	[ebp+var_39+1]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9D3826
		mov	eax, 0C000009Ah
		jmp	loc_9D3A30
; 

loc_9D3826:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+5Dj
		lea	eax, [ebp+var_39+1]
		push	eax
		push	[ebp+var_39+1]
		push	esi
		push	5
		push	ebx
		call	NtQuerySecurityObject
		mov	edi, eax
		test	edi, edi
		jns	short loc_9D384B

loc_9D383C:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+A4j
					; RtlpSysVolCheckOwnerAndSecurity(x,x)+B8j ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_9D3A30
; 

loc_9D384B:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+7Dj
		lea	eax, [ebp-3Ah]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_39]
		push	eax
		push	esi
		call	_RtlGetDaclSecurityDescriptor@16 ; RtlGetDaclSecurityDescriptor(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9D383C
		lea	eax, [ebp-3Ah]
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		push	esi
		call	_RtlGetOwnerSecurityDescriptor@12 ; RtlGetOwnerSecurityDescriptor(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9D383C
		cmp	[ebp+var_40], 0
		mov	ax, ds:word_42DD4C
		mov	ecx, ds:dword_42DD48
		mov	word ptr [ebp+var_34], 101h
		mov	[ebp+var_34+2],	ecx
		mov	[ebp+var_2E], ax
		mov	[ebp+var_2C], 12h
		mov	word ptr [ebp+var_1C], 201h
		mov	[ebp+var_1C+2],	ecx
		mov	[ebp+var_16], ax
		mov	[ebp+var_14], 20h
		mov	[ebp+var_10], 220h
		jz	short loc_9D3932
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_40]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_9D3932
		cmp	byte ptr [ebp+var_39], 0
		jz	short loc_9D3932
		cmp	[ebp+var_44], 0
		jz	short loc_9D3932
		xor	ebx, ebx

loc_9D38D6:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+14Fj
		lea	eax, [ebp+var_48]
		push	eax
		push	ebx
		push	[ebp+var_44]
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		test	eax, eax
		jns	short loc_9D38EE
		xor	edi, edi
		mov	[ebp+var_48], edi
		jmp	short loc_9D38F1
; 

loc_9D38EE:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+128j
		mov	edi, [ebp+var_48]

loc_9D38F1:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+12Fj
		test	edi, edi
		jz	short loc_9D3932
		cmp	byte ptr [edi],	0
		jnz	short loc_9D390B
		lea	ecx, [ebp+var_34]
		lea	eax, [edi+8]
		push	ecx
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_9D390E

loc_9D390B:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+13Bj
		inc	ebx
		jmp	short loc_9D38D6
; 

loc_9D390E:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+14Cj
		mov	al, [edi+1]
		test	al, 1
		jz	short loc_9D3920
		test	al, 2
		jz	short loc_9D3920
		xor	edi, edi
		jmp	loc_9D383C
; 

loc_9D3920:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+156j
					; RtlpSysVolCheckOwnerAndSecurity(x,x)+15Aj
		push	esi
		push	4
		push	[ebp+var_4C]
		or	al, 3
		mov	[edi+1], al
		call	NtSetSecurityObject
		jmp	short loc_9D39AD
; 

loc_9D3932:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+F9j
					; RtlpSysVolCheckOwnerAndSecurity(x,x)+109j ...
		mov	ebx, [ebp+var_39+1]
		lea	eax, [ebp+var_39+1]
		push	eax
		push	esi
		mov	[ebp+var_39+1],	ebx
		call	_RtlSelfRelativeToAbsoluteSD2@8	; RtlSelfRelativeToAbsoluteSD2(x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_9D399C
		push	536C6F56h
		push	[ebp+var_39+1]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9D39F0
		push	ebx		; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_39+1]
		mov	esi, edi
		mov	[ebp+var_39+1],	eax
		lea	eax, [ebp+var_39+1]
		push	eax
		push	edi
		call	_RtlSelfRelativeToAbsoluteSD2@8	; RtlSelfRelativeToAbsoluteSD2(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_9D399C

loc_9D398D:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+256j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, ebx
		jmp	loc_9D3A30
; 

loc_9D399C:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+18Aj
					; RtlpSysVolCheckOwnerAndSecurity(x,x)+1CEj
		xor	edi, edi
		lea	eax, [ebp+var_1C]
		push	edi
		push	eax
		push	esi
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		test	eax, eax
		jns	short loc_9D39B4

loc_9D39AD:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+173j
					; RtlpSysVolCheckOwnerAndSecurity(x,x)+205j ...
		mov	edi, eax
		jmp	loc_9D383C
; 

loc_9D39B4:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+1EEj
		push	edi
		push	[ebp+var_50]
		push	1
		push	esi
		call	RtlSetDaclSecurityDescriptor
		test	eax, eax
		js	short loc_9D39AD
		lea	eax, [ebp+var_39+1]
		mov	[ebp+var_39+1],	edi
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	RtlMakeSelfRelativeSD
		cmp	eax, 0C0000023h
		jnz	short loc_9D39AD
		push	536C6F56h
		push	[ebp+var_39+1]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9D39FA

loc_9D39F0:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+19Fj
		mov	edi, 0C000009Ah
		jmp	loc_9D383C
; 

loc_9D39FA:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+231j
		lea	eax, [ebp+var_39+1]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	RtlMakeSelfRelativeSD
		push	0
		push	esi
		mov	ebx, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		js	loc_9D398D
		push	edi
		push	5
		push	[ebp+var_4C]
		call	NtSetSecurityObject
		push	0
		push	edi
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_9D3A30:				; CODE XREF: RtlpSysVolCheckOwnerAndSecurity(x,x)+45j
					; RtlpSysVolCheckOwnerAndSecurity(x,x)+64j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_RtlpSysVolCheckOwnerAndSecurity@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpSysVolCreateSecurityDescriptor(x, x)
_RtlpSysVolCreateSecurityDescriptor@8 proc near
					; CODE XREF: RtlCreateSystemVolumeInformationFolder(x)+12Fp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_16		= word ptr -16h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		push	536C6F56h
		push	14h
		push	1
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9D3A76
		mov	eax, 0C000009Ah
		jmp	loc_9D3B43
; 

loc_9D3A76:				; CODE XREF: RtlpSysVolCreateSecurityDescriptor(x,x)+2Bj
		push	ebx
		push	esi
		push	1
		push	edi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D3B29
		mov	eax, ds:dword_42DD48
		mov	[ebp+var_1C+2],	eax
		mov	ax, ds:word_42DD4C
		mov	[ebp+var_16], ax
		lea	eax, [ebp-1Ch]
		push	eax
		mov	word ptr [ebp+var_1C], 101h
		mov	[ebp+var_14], 12h
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	536C6F56h
		lea	ebx, [eax+10h]
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9D3ACF
		mov	esi, 0C000009Ah
		jmp	short loc_9D3B29
; 

loc_9D3ACF:				; CODE XREF: RtlpSysVolCreateSecurityDescriptor(x,x)+87j
		push	2		; int
		push	ebx		; size_t
		push	esi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	ebx, eax
		push	0
		test	ebx, ebx
		js	short loc_9D3B21
		lea	eax, [ebp+var_1C]
		mov	ecx, esi
		push	eax
		push	1FFFFFh
		push	3
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	ebx, eax
		push	0
		push	esi
		test	ebx, ebx
		js	short loc_9D3B22
		push	1
		push	edi
		call	RtlSetDaclSecurityDescriptor
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9D3B1F
		mov	eax, 1000h
		push	eax
		push	eax
		push	edi
		call	_RtlSetControlSecurityDescriptor@12 ; RtlSetControlSecurityDescriptor(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_9D3B35

loc_9D3B1F:				; CODE XREF: RtlpSysVolCreateSecurityDescriptor(x,x)+CBj
		push	0

loc_9D3B21:				; CODE XREF: RtlpSysVolCreateSecurityDescriptor(x,x)+9Fj
		push	esi

loc_9D3B22:				; CODE XREF: RtlpSysVolCreateSecurityDescriptor(x,x)+BDj
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, ebx

loc_9D3B29:				; CODE XREF: RtlpSysVolCreateSecurityDescriptor(x,x)+45j
					; RtlpSysVolCreateSecurityDescriptor(x,x)+8Ej
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	short loc_9D3B41
; 

loc_9D3B35:				; CODE XREF: RtlpSysVolCreateSecurityDescriptor(x,x)+DEj
		mov	eax, [ebp+var_20]
		mov	[eax], edi
		mov	eax, [ebp+var_24]
		mov	[eax], esi
		xor	eax, eax

loc_9D3B41:				; CODE XREF: RtlpSysVolCreateSecurityDescriptor(x,x)+F4j
		pop	esi
		pop	ebx

loc_9D3B43:				; CODE XREF: RtlpSysVolCreateSecurityDescriptor(x,x)+32j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_RtlpSysVolCreateSecurityDescriptor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpSysVolTakeOwnership(x)
_RtlpSysVolTakeOwnership@4 proc	near	; CODE XREF: RtlCreateSystemVolumeInformationFolder(x)+1DDp

var_68		= dword	ptr -68h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_1A		= dword	ptr -1Ah
var_16		= word ptr -16h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_68]
		stosd
		xor	esi, esi
		mov	ebx, ecx
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_3C], esi
		stosd
		mov	[ebp+var_38], esi
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_34]
		push	eax
		push	200h
		push	28h
		push	0FFFFFFFFh
		call	NtOpenProcessTokenEx
		test	eax, eax
		js	loc_9D3C64
		push	esi
		push	esi
		push	10h
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_24], esi
		push	eax
		push	esi
		mov	esi, [ebp+var_34]
		push	esi
		mov	[ebp+var_2C], 1
		mov	[ebp+var_28], 9
		mov	[ebp+var_20], 2
		call	NtAdjustPrivilegesToken
		test	eax, eax
		js	loc_9D3C5E
		push	21h
		push	7
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_54], 18h
		push	eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_48], 240h
		push	eax
		xor	edi, edi
		mov	[ebp+var_4C], ebx
		push	180000h
		lea	eax, [ebp+var_30]
		mov	[ebp+var_50], edi
		push	eax
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], edi
		call	_NtOpenFile@24	; NtOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9D3C5E
		push	1
		lea	eax, [ebp+var_68]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	eax, ds:dword_42DD48
		mov	[ebp+var_1A], eax
		mov	ax, ds:word_42DD4C
		mov	[ebp+var_16], ax
		lea	eax, [ebp-1Ch]
		push	edi
		push	eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_1C], 201h
		push	eax
		mov	[ebp+var_14], 20h
		mov	[ebp+var_10], 220h
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		test	eax, eax
		js	short loc_9D3C56
		lea	eax, [ebp+var_68]
		push	eax
		push	1
		push	[ebp+var_30]
		call	NtSetSecurityObject

loc_9D3C56:				; CODE XREF: RtlpSysVolTakeOwnership(x)+F6j
		push	[ebp+var_30]
		call	NtClose

loc_9D3C5E:				; CODE XREF: RtlpSysVolTakeOwnership(x)+75j
					; RtlpSysVolTakeOwnership(x)+B3j
		push	esi
		call	NtClose

loc_9D3C64:				; CODE XREF: RtlpSysVolTakeOwnership(x)+43j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_RtlpSysVolTakeOwnership@4 endp

; 
		align 8
; Exported entry 2228. RtlLCIDToCultureName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlLCIDToCultureName(x, x)
		public _RtlLCIDToCultureName@8
_RtlLCIDToCultureName@8	proc near	; CODE XREF: RtlpGetNameFromLangInfoNode+87DA2p
					; IoGetDevicePropertyData+125C4Bp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		xor	ebx, ebx
		push	edi
		cmp	[ebp+arg_0], ebx
		jz	short loc_9D3CC1
		cmp	[ebp+arg_4], ebx
		jz	short loc_9D3CC1
		cmp	[ebp+arg_0], 1000h
		jz	short loc_9D3CC1
		push	offset ??_C@_0CF@NPDALNAN@?$CB?$CB?$CB?5RTLMUI?3?5Reusing?5LocaleBuffe@NNGAKEGL@
		call	_DbgPrint
		pop	ecx
		mov	ecx, [ebp+arg_0]
		mov	edi, offset unk_6FF1A0
		push	2
		push	40h
		mov	edx, edi
		call	DownLevelLangIDToLanguageName
		test	eax, eax
		jle	short loc_9D3CC1
		push	edi
		push	[ebp+arg_4]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	bl, 1

loc_9D3CC1:				; CODE XREF: RtlLCIDToCultureName(x,x)+Cj
					; RtlLCIDToCultureName(x,x)+11j ...
		pop	edi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
_RtlLCIDToCultureName@8	endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2063. RtlEqualWnfChangeStamps

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlEqualWnfChangeStamps(x, x)
		public _RtlEqualWnfChangeStamps@8
_RtlEqualWnfChangeStamps@8 proc	near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+arg_4]
		setz	al
		pop	ebp
		retn	8
_RtlEqualWnfChangeStamps@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2069. RtlExtendCorrelationVector

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlExtendCorrelationVector(x)
		public _RtlExtendCorrelationVector@4
_RtlExtendCorrelationVector@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		mov	ecx, esi
		call	RtlpGetCorrelationVectorEndPosition
		mov	edx, eax
		test	edx, edx
		js	short loc_9D3D19
		mov	ecx, esi
		call	RtlpGetCorrelationVectorBufferLength
		sub	eax, 3
		cmp	edx, eax
		jge	short loc_9D3D19
		mov	word ptr [edx+esi+1], 302Eh
		mov	[edx+esi+3], bl
		jmp	short loc_9D3D1E
; 

loc_9D3D19:				; CODE XREF: RtlExtendCorrelationVector(x)+17j
					; RtlExtendCorrelationVector(x)+25j
		mov	ebx, 80000005h

loc_9D3D1E:				; CODE XREF: RtlExtendCorrelationVector(x)+32j
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	4
_RtlExtendCorrelationVector@4 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2153. RtlIncrementCorrelationVector

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIncrementCorrelationVector(x)
		public _RtlIncrementCorrelationVector@4
_RtlIncrementCorrelationVector@4 proc near

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_14], 0
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	RtlpGetCorrelationVectorBufferLength
		push	edi
		mov	[ebp+var_18], eax
		call	_RtlValidateCorrelationVector@4	; RtlValidateCorrelationVector(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D3DCA
		push	ebx
		mov	ecx, edi
		call	RtlpGetCorrelationVectorLastDotPosition
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9D3DC4
		lea	eax, [ebp+var_14]
		add	edi, 2
		push	eax
		add	edi, ebx
		push	offset ??_C@_02DPKJAMEF@?$CFd@NNGAKEGL@
		push	edi
		call	_sscanf_s
		add	esp, 0Ch
		cmp	eax, 1
		jnz	short loc_9D3DC4
		mov	eax, [ebp+var_14]
		inc	eax
		push	eax
		push	offset ??_C@_02DPKJAMEF@?$CFd@NNGAKEGL@
		push	0Ch
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_10]
		push	0Ch
		push	eax
		call	__snprintf_s
		mov	ecx, eax
		add	esp, 14h
		mov	eax, [ebp+var_18]
		sub	eax, ebx
		sub	eax, 2
		cmp	ecx, eax
		jge	short loc_9D3DC4
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ecx+1]
		push	eax
		push	edi
		call	_strcpy_s
		add	esp, 0Ch
		jmp	short loc_9D3DC9
; 

loc_9D3DC4:				; CODE XREF: RtlIncrementCorrelationVector(x)+3Dj
					; RtlIncrementCorrelationVector(x)+59j	...
		mov	esi, 80000005h

loc_9D3DC9:				; CODE XREF: RtlIncrementCorrelationVector(x)+97j
		pop	ebx

loc_9D3DCA:				; CODE XREF: RtlIncrementCorrelationVector(x)+2Fj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_RtlIncrementCorrelationVector@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2167. RtlInitializeCorrelationVector

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlInitializeCorrelationVector(x, x, x)
		public _RtlInitializeCorrelationVector@12
_RtlInitializeCorrelationVector@12 proc	near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bl, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [ebx-1]
		cmp	al, 1
		ja	short loc_9D3E3D
		cmp	[ebp+arg_8], 0
		jz	short loc_9D3E3D
		push	81h		; size_t
		lea	eax, [esi+1]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+arg_8]
		lea	eax, [esi+1]
		add	esp, 8
		mov	[esi], bl
		push	eax
		call	RtlpBase64Encode
		test	eax, eax
		js	short loc_9D3E42
		cmp	bl, 1
		jnz	short loc_9D3E31
		mov	word ptr [esi+11h], 302Eh
		mov	byte ptr [esi+13h], 0
		jmp	short loc_9D3E42
; 

loc_9D3E31:				; CODE XREF: RtlInitializeCorrelationVector(x,x,x)+42j
		mov	word ptr [esi+17h], 302Eh
		mov	byte ptr [esi+19h], 0
		jmp	short loc_9D3E42
; 

loc_9D3E3D:				; CODE XREF: RtlInitializeCorrelationVector(x,x,x)+12j
					; RtlInitializeCorrelationVector(x,x,x)+18j
		mov	eax, 0C000000Dh

loc_9D3E42:				; CODE XREF: RtlInitializeCorrelationVector(x,x,x)+3Dj
					; RtlInitializeCorrelationVector(x,x,x)+4Ej ...
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_RtlInitializeCorrelationVector@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2404. RtlValidateCorrelationVector

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlValidateCorrelationVector(x)
		public _RtlValidateCorrelationVector@4
_RtlValidateCorrelationVector@4	proc near ; CODE XREF: RtlIncrementCorrelationVector(x)+26p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_9D3E88
		mov	ecx, edi
		call	RtlpGetCorrelationVectorBufferLength
		test	eax, eax
		js	short loc_9D3E88
		mov	ecx, edi
		call	RtlpGetLastContiguosBase64Position
		mov	ecx, edi
		mov	esi, eax
		call	RtlpGetCorrelationVectorEndPosition
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9D3E88
		mov	al, [edi]
		cmp	al, 1
		jnz	short loc_9D3E94
		cmp	esi, 0Fh
		jz	short loc_9D3E9D

loc_9D3E88:				; CODE XREF: RtlValidateCorrelationVector(x)+Dj
					; RtlValidateCorrelationVector(x)+18j ...
		mov	eax, 0C000000Dh

loc_9D3E8D:				; CODE XREF: RtlValidateCorrelationVector(x)+A4j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_9D3E94:				; CODE XREF: RtlValidateCorrelationVector(x)+34j
		cmp	al, 2
		jnz	short loc_9D3E9D
		cmp	esi, 15h
		jnz	short loc_9D3E88

loc_9D3E9D:				; CODE XREF: RtlValidateCorrelationVector(x)+39j
					; RtlValidateCorrelationVector(x)+49j
		inc	esi
		cmp	byte ptr [esi+edi+1], 2Eh
		jnz	short loc_9D3E88
		jmp	short loc_9D3EEB
; 

loc_9D3EA7:				; CODE XREF: RtlValidateCorrelationVector(x)+A0j
		cmp	byte ptr [edi+esi+1], 2Eh
		jnz	short loc_9D3E88
		inc	esi
		xor	ecx, ecx
		mov	edx, esi
		cmp	esi, ebx
		jge	short loc_9D3E88

loc_9D3EB7:				; CODE XREF: RtlValidateCorrelationVector(x)+78j
		mov	al, [edi+esi+1]
		sub	al, 30h
		cmp	al, 9
		ja	short loc_9D3EC7
		inc	esi
		inc	ecx
		cmp	esi, ebx
		jl	short loc_9D3EB7

loc_9D3EC7:				; CODE XREF: RtlValidateCorrelationVector(x)+72j
		test	ecx, ecx
		jz	short loc_9D3E88
		cmp	ecx, 0Ah
		jg	short loc_9D3E88
		jnz	short loc_9D3EEB
		push	0Ah		; size_t
		lea	eax, [edi+1]
		add	eax, edx
		push	offset ??_C@_0L@KLDLBCKA@2147483647@NNGAKEGL@ ;	char *
		push	eax		; char *
		call	_strncmp
		add	esp, 0Ch
		test	eax, eax
		jg	short loc_9D3E88

loc_9D3EEB:				; CODE XREF: RtlValidateCorrelationVector(x)+58j
					; RtlValidateCorrelationVector(x)+83j
		cmp	esi, ebx
		jl	short loc_9D3EA7
		xor	eax, eax
		jmp	short loc_9D3E8D
_RtlValidateCorrelationVector@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpBase64Encode proc near		; CODE XREF: RtlInitializeCorrelationVector(x,x,x)+36p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, ecx
		xor	esi, esi
		mov	[ebp+var_4], 5

loc_9D3F0A:				; CODE XREF: RtlpBase64Encode+83j
		mov	dl, [eax]
		mov	bh, [eax+1]
		mov	bl, [eax+2]
		add	eax, 3
		mov	[ebp+arg_0], eax
		movzx	eax, dl
		and	dl, 3
		shr	eax, 2
		shl	dl, 4
		movzx	ecx, dl
		movzx	edx, bl
		mov	al, ds:byte_42DD50[eax]
		mov	[esi+edi], al
		lea	esi, [esi+4]
		movzx	eax, bh
		and	bh, 0Fh
		shr	eax, 4
		or	ecx, eax
		shl	bh, 2
		mov	al, ds:byte_42DD50[ecx]
		mov	[esi+edi-3], al
		mov	eax, edx
		shr	eax, 6
		and	edx, 3Fh
		movzx	ecx, bh
		or	ecx, eax
		sub	[ebp+var_4], 1
		mov	al, ds:byte_42DD50[ecx]
		mov	[esi+edi-2], al
		mov	al, ds:byte_42DD50[edx]
		mov	[esi+edi-1], al
		mov	eax, [ebp+arg_0]
		jnz	short loc_9D3F0A
		mov	cl, [eax]
		movzx	eax, cl
		and	cl, 3
		shr	eax, 2
		shl	cl, 4
		mov	al, ds:byte_42DD50[eax]
		mov	[esi+edi], al
		movzx	eax, cl
		mov	al, ds:byte_42DD50[eax]
		mov	[esi+edi+1], al
		mov	word ptr [esi+edi+2], 3D3Dh
		mov	byte ptr [esi+edi+4], 0
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	8
RtlpBase64Encode endp


;  S U B	R O U T	I N E 


RtlpGetCorrelationVectorBufferLength proc near
					; CODE XREF: RtlpGetCorrelationVectorEndPosition+7p
					; RtlpGetCorrelationVectorLastDotPosition+Cp ...
		mov	cl, [ecx]
		cmp	cl, 1
		jnz	short loc_9D3FBC
		push	41h
		pop	eax
		retn
; 

loc_9D3FBC:				; CODE XREF: RtlpGetCorrelationVectorBufferLength+5j
		xor	eax, eax
		cmp	cl, 2
		setnz	al
		dec	eax
		and	eax, 82h
		dec	eax
		retn
RtlpGetCorrelationVectorBufferLength endp


;  S U B	R O U T	I N E 


RtlpGetLastContiguosBase64Position proc	near
					; CODE XREF: RtlValidateCorrelationVector(x)+1Cp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		or	esi, 0FFFFFFFFh
		xor	edx, edx
		call	RtlpGetCorrelationVectorBufferLength
		mov	ebx, eax

loc_9D3FDF:				; CODE XREF: RtlpGetLastContiguosBase64Position+46j
		mov	ecx, edx
		cmp	edx, ebx
		jge	short loc_9D4014
		mov	al, [edx+edi+1]
		test	al, al
		jz	short loc_9D4014
		cmp	al, 41h
		jl	short loc_9D3FF5
		cmp	al, 5Ah
		jle	short loc_9D400D

loc_9D3FF5:				; CODE XREF: RtlpGetLastContiguosBase64Position+23j
		cmp	al, 61h
		jl	short loc_9D3FFD
		cmp	al, 7Ah
		jle	short loc_9D400D

loc_9D3FFD:				; CODE XREF: RtlpGetLastContiguosBase64Position+2Bj
		cmp	al, 30h
		jl	short loc_9D4005
		cmp	al, 39h
		jle	short loc_9D400D

loc_9D4005:				; CODE XREF: RtlpGetLastContiguosBase64Position+33j
		cmp	al, 2Bh
		jz	short loc_9D400D
		cmp	al, 2Fh
		jnz	short loc_9D400F

loc_9D400D:				; CODE XREF: RtlpGetLastContiguosBase64Position+27j
					; RtlpGetLastContiguosBase64Position+2Fj ...
		mov	esi, edx

loc_9D400F:				; CODE XREF: RtlpGetLastContiguosBase64Position+3Fj
		inc	edx
		cmp	esi, ecx
		jz	short loc_9D3FDF

loc_9D4014:				; CODE XREF: RtlpGetLastContiguosBase64Position+17j
					; RtlpGetLastContiguosBase64Position+1Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
RtlpGetLastContiguosBase64Position endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2226. RtlIsValidOemCharacter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsValidOemCharacter(x)
		public _RtlIsValidOemCharacter@4
_RtlIsValidOemCharacter@4 proc near	; CODE XREF: GetNextWchar+12FC39p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	cl, 1
		call	RtlpIsUtf8Process
		mov	edi, [ebp+arg_0]
		movzx	ecx, word ptr [edi]
		cmp	al, 1
		jnz	short loc_9D404C
		cmp	ecx, 7Fh
		ja	loc_9D40C9
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		mov	[edi], ax
		jmp	loc_9D40D0
; 

loc_9D404C:				; CODE XREF: RtlIsValidOemCharacter(x)+15j
		cmp	ds:_NlsMbOemCodePageTag, 0
		mov	eax, ecx
		push	esi
		jnz	short loc_9D407D
		mov	esi, ds:_NlsUnicodeToOemData
		movzx	ecx, byte ptr [eax+esi]
		mov	eax, ds:_NlsOemToUnicodeData
		mov	cx, [eax+ecx*2]
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		movzx	ecx, ax
		movsx	ax, byte ptr [ecx+esi]
		movzx	eax, ax
		jmp	short loc_9D40BF
; 

loc_9D407D:				; CODE XREF: RtlIsValidOemCharacter(x)+37j
		mov	esi, ds:_NlsUnicodeToMbOemData
		movzx	ecx, word ptr [esi+eax*2]
		mov	eax, ecx
		movzx	edx, cl
		shr	eax, 8
		movzx	eax, ds:_NlsOemLeadByteInfoTable[eax*2]
		test	ax, ax
		jz	short loc_9D40AA
		lea	ecx, [edx+eax]
		mov	eax, ds:_NlsMbOemCodePageTables
		movzx	ecx, word ptr [eax+ecx*2]
		jmp	short loc_9D40B3
; 

loc_9D40AA:				; CODE XREF: RtlIsValidOemCharacter(x)+7Bj
		mov	eax, ds:_NlsOemToUnicodeData
		movzx	ecx, word ptr [eax+edx*2]

loc_9D40B3:				; CODE XREF: RtlIsValidOemCharacter(x)+89j
		call	_NLS_UPCASE@4	; NLS_UPCASE(x)
		movzx	ecx, ax
		movzx	eax, word ptr [esi+ecx*2]

loc_9D40BF:				; CODE XREF: RtlIsValidOemCharacter(x)+5Cj
		pop	esi
		cmp	ax, ds:_OemDefaultChar
		jnz	short loc_9D40CD

loc_9D40C9:				; CODE XREF: RtlIsValidOemCharacter(x)+1Aj
		xor	al, al
		jmp	short loc_9D40D2
; 

loc_9D40CD:				; CODE XREF: RtlIsValidOemCharacter(x)+A8j
		mov	[edi], cx

loc_9D40D0:				; CODE XREF: RtlIsValidOemCharacter(x)+28j
		mov	al, 1

loc_9D40D2:				; CODE XREF: RtlIsValidOemCharacter(x)+ACj
		pop	edi
		pop	ebp
		retn	4
_RtlIsValidOemCharacter@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpGetNtProductTypeFromRegistry(x)
_RtlpGetNtProductTypeFromRegistry@4 proc near ;	CODE XREF: RtlGetNtProductType(x)+2Ep
					; PspSiloInitializeUserSharedData(x)+ACp

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	16h
		pop	eax
		push	18h
		pop	edx
		push	10h
		mov	word ptr [ebp+var_48], ax
		mov	edi, ecx
		pop	ecx
		push	12h
		pop	eax
		push	0Ah
		mov	word ptr [ebp+var_58+2], ax
		xor	ebx, ebx
		mov	word ptr [ebp+var_60+2], ax
		xor	esi, esi
		pop	eax
		push	0Ch
		mov	word ptr [ebp+var_50], ax
		inc	ebx
		pop	eax
		mov	word ptr [ebp+var_50+2], ax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_70], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	ebx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_40], 840082h
		push	eax
		mov	[ebp+var_3C], offset ??_C@_1IE@CPEFALAA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		mov	[ebp+var_38], esi
		mov	word ptr [ebp+var_48+2], dx
		mov	[ebp+var_44], offset ??_C@_1BI@JPCMFPH@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAT?$AAy?$AAp?$AAe@NNGAKEGL@
		mov	word ptr [ebp+var_58], cx
		mov	[ebp+var_54], (offset loc_8BF02D+1)
		mov	word ptr [ebp+var_60], cx
		mov	[ebp+var_5C], offset ??_C@_1BC@GNJGMHML@?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr?$AAN?$AAt@NNGAKEGL@
		mov	[ebp+var_4C], offset ??_C@_1M@PFFFELPH@?$AAW?$AAi?$AAn?$AAN?$AAt@NNGAKEGL@ ; "W"
		mov	[ebp+var_2C], esi
		mov	[ebp+var_78], edx
		mov	[ebp+var_74], esi
		mov	[ebp+var_6C], 240h
		mov	[ebp+var_68], esi
		mov	[ebp+var_64], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D4211
		lea	eax, [ebp+var_38]
		push	eax
		push	24h
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_2C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D4211
		cmp	[ebp+var_24], ebx
		jnz	short loc_9D420C
		mov	ecx, [ebp+var_20]
		cmp	ecx, 2
		jb	short loc_9D420C
		lea	eax, [ebp+var_1C]
		mov	word ptr [ebp+var_34+2], cx
		mov	[ebp+var_30], eax
		lea	eax, [ecx-2]
		mov	word ptr [ebp+var_34], ax
		lea	eax, [ebp+var_50]
		push	ebx
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_9D41D8
		mov	[edi], ebx
		jmp	short loc_9D4211
; 

loc_9D41D8:				; CODE XREF: RtlpGetNtProductTypeFromRegistry(x)+FBj
		push	ebx
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_9D41F2
		mov	dword ptr [edi], 2
		jmp	short loc_9D4211
; 

loc_9D41F2:				; CODE XREF: RtlpGetNtProductTypeFromRegistry(x)+111j
		push	ebx
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_9D420C
		mov	dword ptr [edi], 3
		jmp	short loc_9D4211
; 

loc_9D420C:				; CODE XREF: RtlpGetNtProductTypeFromRegistry(x)+D0j
					; RtlpGetNtProductTypeFromRegistry(x)+D8j ...
		mov	esi, 0C000090Bh

loc_9D4211:				; CODE XREF: RtlpGetNtProductTypeFromRegistry(x)+A9j
					; RtlpGetNtProductTypeFromRegistry(x)+CBj ...
		cmp	[ebp+var_2C], 0
		jz	short loc_9D421F
		push	[ebp+var_2C]
		call	_ZwClose@4	; ZwClose(x)

loc_9D421F:				; CODE XREF: RtlpGetNtProductTypeFromRegistry(x)+13Ej
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_RtlpGetNtProductTypeFromRegistry@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2147. RtlIdnToAscii

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIdnToAscii(x, x,	x, x, x)
		public _RtlIdnToAscii@20
_RtlIdnToAscii@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1		; char
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		push	[ebp+arg_8]	; int
		call	_RtlpNameprepAsciiWorker@24 ; RtlpNameprepAsciiWorker(x,x,x,x,x,x)
		pop	ebp
		retn	14h
_RtlIdnToAscii@20 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2148. RtlIdnToNameprepUnicode

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIdnToNameprepUnicode(x, x, x, x,	x)
		public _RtlIdnToNameprepUnicode@20
_RtlIdnToNameprepUnicode@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0		; char
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		push	[ebp+arg_8]	; int
		call	_RtlpNameprepAsciiWorker@24 ; RtlpNameprepAsciiWorker(x,x,x,x,x,x)
		pop	ebp
		retn	14h
_RtlIdnToNameprepUnicode@20 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2149. RtlIdnToUnicode

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlIdnToUnicode(int,int,int,void *,int)
		public _RtlIdnToUnicode@20
_RtlIdnToUnicode@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	ecx, 3FEh
		call	_IdnaMemAlloc@4	; IdnaMemAlloc(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9D429A
		mov	eax, 0C0000017h
		jmp	short loc_9D42BE
; 

loc_9D429A:				; CODE XREF: RtlIdnToUnicode(x,x,x,x,x)+14j
		mov	edx, [ebp+arg_4]
		push	esi
		push	ecx		; int
		mov	ecx, [ebp+arg_0]
		push	edi		; void *
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		push	[ebp+arg_8]	; int
		call	_RtlpIdnToUnicodeWorker@28 ; RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)
		push	0
		push	edi
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		pop	esi

loc_9D42BE:				; CODE XREF: RtlIdnToUnicode(x,x,x,x,x)+1Bj
		pop	edi
		pop	ebp
		retn	14h
_RtlIdnToUnicode@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpNameprepAsciiWorker(int,void *,int,char)
_RtlpNameprepAsciiWorker@24 proc near	; CODE XREF: RtlIdnToAscii(x,x,x,x,x)+16p
					; RtlIdnToNameprepUnicode(x,x,x,x,x)+16p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	[ebp+var_4], ecx
		mov	ebx, edx
		push	edi
		mov	ecx, 3FEh
		call	_IdnaMemAlloc@4	; IdnaMemAlloc(x)
		mov	ecx, 406h
		mov	edi, eax
		call	_IdnaMemAlloc@4	; IdnaMemAlloc(x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_9D430F
		test	esi, esi
		jz	short loc_9D430F
		push	ecx		; int
		push	esi		; int
		push	ecx		; int
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		push	edi		; void *
		push	dword ptr [ebp+arg_C] ;	char
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; void *
		push	[ebp+arg_0]	; int
		call	_RtlpNameprepAsciiRealWorker@40	; RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		jmp	short loc_9D4314
; 

loc_9D430F:				; CODE XREF: RtlpNameprepAsciiWorker(x,x,x,x,x,x)+28j
					; RtlpNameprepAsciiWorker(x,x,x,x,x,x)+2Cj
		mov	ebx, 0C0000017h

loc_9D4314:				; CODE XREF: RtlpNameprepAsciiWorker(x,x,x,x,x,x)+4Aj
		test	edi, edi
		jz	short loc_9D4320
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D4320:				; CODE XREF: RtlpNameprepAsciiWorker(x,x,x,x,x,x)+53j
		test	esi, esi
		jz	short loc_9D432C
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D432C:				; CODE XREF: RtlpNameprepAsciiWorker(x,x,x,x,x,x)+5Fj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
_RtlpNameprepAsciiWorker@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpValidateAsciiStd3AndLength(x, x, x, x)
_RtlpValidateAsciiStd3AndLength@16 proc	near
					; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+BFp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		push	2Eh
		pop	eax
		mov	edi, eax
		mov	al, [ebp+arg_0]
		lea	ecx, [ebx-2]
		mov	[ebp+var_4], ecx
		lea	esi, [ebx+edx*2]
		test	al, al
		jz	short loc_9D436C
		mov	ecx, ebx
		call	_FindEmailAt@8	; FindEmailAt(x,x)
		lea	ecx, [ebx-2]
		lea	eax, [ebx+eax*2]
		mov	[ebp+var_8], eax
		mov	al, [ebp+arg_0]
		jmp	short loc_9D436F
; 

loc_9D436C:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+20j
		mov	[ebp+var_8], ecx

loc_9D436F:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+35j
		cmp	[ebp+var_8], esi
		jz	short loc_9D43DC
		test	edx, edx
		jle	short loc_9D43DC
		mov	[ebp+var_C], 2Dh
		mov	edx, ebx
		cmp	ebx, esi
		jz	loc_9D4443
		jmp	short loc_9D438E
; 

loc_9D438B:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+108j
		mov	al, [ebp+arg_0]

loc_9D438E:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+54j
		movzx	edi, word ptr [edx]
		cmp	edi, 7Fh
		jnb	short loc_9D43DC
		xor	ecx, ecx
		test	al, al
		mov	eax, edi
		setnz	cl
		dec	ecx
		and	ecx, 0FFFFFFEEh
		add	ecx, 40h
		cmp	eax, ecx
		jnz	short loc_9D4402
		mov	cl, [ebp+arg_0]
		test	cl, cl
		jnz	short loc_9D43E5
		mov	ecx, [ebp+var_4]
		lea	eax, [ecx+2]
		cmp	edx, eax
		jz	short loc_9D43DC
		mov	eax, edx
		sub	eax, ecx
		and	eax, 0FFFFFFFEh
		cmp	eax, 80h
		jg	short loc_9D43DC
		cmp	[ebp+arg_4], 0
		jz	short loc_9D43FB
		cmp	edx, ebx
		jbe	short loc_9D43FB
		mov	eax, [ebp+var_C]
		cmp	[edx-2], ax
		jnz	short loc_9D43FB

loc_9D43DC:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+3Dj
					; RtlpValidateAsciiStd3AndLength(x,x,x,x)+41j ...
		xor	al, al

loc_9D43DE:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+151j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_9D43E5:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+7Aj
		cmp	edx, ebx
		jz	short loc_9D43DC
		mov	eax, [ebp+var_8]
		add	eax, 0FFFFFFFEh
		cmp	edx, eax
		setz	al
		dec	al
		and	al, cl
		mov	[ebp+arg_0], al

loc_9D43FB:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+98j
					; RtlpValidateAsciiStd3AndLength(x,x,x,x)+9Cj ...
		mov	ecx, edx
		mov	[ebp+var_4], ecx
		jmp	short loc_9D4438
; 

loc_9D4402:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+73j
		cmp	[ebp+arg_0], 0
		jnz	short loc_9D4430
		cmp	[ebp+arg_4], 0
		jz	short loc_9D4429
		cmp	di, word ptr [ebp+var_C]
		jnz	short loc_9D441E
		mov	eax, [ebp+var_4]
		add	eax, 2
		cmp	edx, eax
		jz	short loc_9D43DC

loc_9D441E:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+DDj
		mov	ecx, edi
		call	_ValidateStd3Range@4 ; ValidateStd3Range(x)
		test	al, al
		jz	short loc_9D43DC

loc_9D4429:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+D7j
		cmp	edi, 20h
		jb	short loc_9D43DC
		jmp	short loc_9D4435
; 

loc_9D4430:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+D1j
		test	di, di
		jz	short loc_9D43DC

loc_9D4435:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+F9j
		mov	ecx, [ebp+var_4]

loc_9D4438:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+CBj
		add	edx, 2
		cmp	edx, esi
		jnz	loc_9D438B

loc_9D4443:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+4Ej
		cmp	[ebp+arg_0], 0
		jnz	short loc_9D4484
		mov	eax, esi
		sub	eax, ecx
		and	eax, 0FFFFFFFEh
		cmp	eax, 80h
		jg	short loc_9D43DC
		sub	esi, [ebp+var_8]
		xor	eax, eax
		push	2Eh
		sar	esi, 1
		pop	ecx
		cmp	di, cx
		setz	al
		add	eax, 0FFh
		cmp	esi, eax
		jg	loc_9D43DC
		cmp	[ebp+arg_4], 0
		jz	short loc_9D4484
		cmp	di, word ptr [ebp+var_C]
		jz	loc_9D43DC

loc_9D4484:				; CODE XREF: RtlpValidateAsciiStd3AndLength(x,x,x,x)+112j
					; RtlpValidateAsciiStd3AndLength(x,x,x,x)+143j
		mov	al, 1
		jmp	loc_9D43DE
_RtlpValidateAsciiStd3AndLength@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall punycode_decode(x, x, x, x,	x, x, x, x)
_punycode_decode@32 proc near		; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+C0p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		mov	ecx, [ebp+arg_4]
		push	esi
		push	edi
		mov	[ebp+var_4C], eax
		mov	esi, [ecx]
		and	dword ptr [ecx], 0
		mov	ecx, [ebp+arg_10]
		mov	[ebp+var_30], ebx
		mov	byte ptr [ecx],	1
		test	eax, eax
		jle	loc_9D49AA
		mov	edi, [ebp+arg_0]
		lea	edx, [ebx+eax*2]
		mov	ecx, ebx
		mov	eax, edi
		add	ebx, 0FFFFFFFEh
		mov	[ebp+var_10], eax
		mov	[ebp+var_34], ebx
		mov	ebx, eax
		mov	[ebp+var_4], ecx
		mov	[ebp+var_50], ebx
		lea	eax, [ebx+esi*2]
		mov	esi, [ebp+arg_14]
		mov	[ebp+var_C], eax
		lea	eax, [ebx-2]
		mov	[esi], eax
		cmp	ecx, edx
		jnb	loc_9D49AA
		mov	esi, ebx
		mov	[ebp+var_38], 20h
		mov	[ebp+var_3C], 7Fh
		mov	[ebp+var_40], 80h

loc_9D44FE:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+4DCj
		push	[ebp+arg_8]
		call	_FindLabelEnd@12 ; FindLabelEnd(x,x,x)
		mov	ebx, eax
		cmp	ebx, [ebp+var_4]
		jz	loc_9D496F
		mov	cl, byte ptr [ebp+arg_8]
		mov	esi, [ebp+var_4]
		test	cl, cl
		jnz	short loc_9D454B
		cmp	[ebp+arg_C], cl
		jz	short loc_9D453B
		push	2Dh
		pop	eax
		cmp	[esi], ax
		jz	loc_9D49AA
		cmp	ebx, [ebp+var_30]
		jbe	short loc_9D453B
		cmp	[ebx-2], ax
		jz	loc_9D49AA

loc_9D453B:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+93j
					; punycode_decode(x,x,x,x,x,x,x,x)+A4j
		mov	eax, ebx
		sub	eax, esi
		and	eax, 0FFFFFFFEh
		cmp	eax, 7Eh
		jg	loc_9D49AA

loc_9D454B:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+8Ej
		mov	eax, edx
		sub	eax, esi
		and	eax, 0FFFFFFFEh
		cmp	eax, 8
		jl	loc_9D486F
		mov	eax, offset _M_strAceEmailPrefix
		test	cl, cl
		jnz	short loc_9D4569
		mov	eax, offset _M_strAceIdnPrefix

loc_9D4569:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+D7j
		push	4		; size_t
		push	eax		; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9D486F
		mov	eax, [ebp+arg_10]
		lea	edx, [ebx-2]
		add	esi, 8
		mov	[ebp+var_4], esi
		mov	byte ptr [eax],	0
		cmp	edx, esi
		jb	short loc_9D459F
		push	2Dh
		pop	eax

loc_9D4593:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+112j
		cmp	[edx], ax
		jz	short loc_9D45A1
		sub	edx, 2
		cmp	edx, esi
		jnb	short loc_9D4593

loc_9D459F:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+103j
		xor	edx, edx

loc_9D45A1:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+10Bj
		lea	eax, [ebx-2]
		cmp	edx, eax
		jz	loc_9D49AA
		test	edx, edx
		jz	loc_9D4656
		cmp	edx, esi
		jbe	loc_9D4656
		mov	eax, edx
		mov	[ebp+var_2C], esi
		sub	eax, esi
		mov	ecx, esi
		sar	eax, 1
		mov	[ebp+var_28], eax

loc_9D45CA:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+1BCj
		cmp	edi, [ebp+var_C]
		jnb	short loc_9D4649
		cmp	byte ptr [ebp+arg_8], 0
		jnz	short loc_9D4605
		cmp	[ebp+arg_C], 0
		jz	short loc_9D45EE
		mov	cx, [ecx]
		call	_ValidateStd3Range@4 ; ValidateStd3Range(x)
		test	al, al
		jz	loc_9D49AA
		mov	ecx, [ebp+var_2C]

loc_9D45EE:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+14Ej
		movzx	eax, word ptr [ecx]
		cmp	ax, word ptr [ebp+var_38]
		jb	loc_9D49AA
		cmp	ax, word ptr [ebp+var_3C]
		jz	loc_9D49AA

loc_9D4605:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+148j
		movzx	eax, word ptr [ecx]
		mov	[ebp+arg_0], eax
		test	ax, ax
		jz	loc_9D49AA
		cmp	ax, word ptr [ebp+var_40]
		jnb	loc_9D49AA
		cmp	byte ptr [ebp+arg_8], 0
		jnz	short loc_9D4633
		add	eax, 0FFFFFFBFh
		cmp	ax, 19h
		mov	eax, [ebp+arg_0]
		ja	short loc_9D4633
		add	eax, 20h

loc_9D4633:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+197j
					; punycode_decode(x,x,x,x,x,x,x,x)+1A3j
		movzx	eax, ax
		add	ecx, 2
		mov	[edi], ax
		add	edi, 2
		mov	[ebp+arg_0], edi
		mov	[ebp+var_2C], ecx
		cmp	ecx, edx
		jnz	short loc_9D45CA

loc_9D4649:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+142j
		cmp	ecx, edx
		jnz	loc_9D49AA
		mov	eax, [ebp+var_28]
		jmp	short loc_9D4658
; 

loc_9D4656:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+123j
					; punycode_decode(x,x,x,x,x,x,x,x)+12Bj
		xor	eax, eax

loc_9D4658:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+1C9j
		test	eax, eax
		jle	short loc_9D4665
		lea	eax, ds:2[eax*2]
		jmp	short loc_9D4667
; 

loc_9D4665:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+1CFj
		xor	eax, eax

loc_9D4667:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+1D8j
		and	[ebp+var_8], 0
		lea	ecx, [eax+esi]
		and	[ebp+var_1C], 0
		mov	eax, 80h
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], eax
		push	48h
		pop	edx
		mov	[ebp+var_2C], edx
		cmp	ecx, ebx
		jnb	loc_9D48ED
		mov	esi, [ebp+var_8]

loc_9D468E:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+3DAj
		push	24h
		pop	eax
		mov	[ebp+var_24], eax
		sub	eax, edx
		mov	[ebp+var_48], esi
		mov	[ebp+var_44], esi
		mov	[ebp+var_14], 1
		mov	[ebp+var_28], eax

loc_9D46A6:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+2A2j
		cmp	ecx, ebx
		jnb	loc_9D49AA
		mov	cx, [ecx]
		call	_decode_digit@4	; decode_digit(x)
		add	[ebp+var_20], 2
		mov	ecx, eax
		test	ecx, ecx
		js	loc_9D49AA
		mov	eax, 7FFFFFFh
		sub	eax, esi
		cdq
		idiv	[ebp+var_14]
		cmp	ecx, eax
		jg	loc_9D49AA
		mov	edx, [ebp+var_24]
		mov	eax, ecx
		imul	eax, [ebp+var_14]
		add	esi, eax
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_8], esi
		cmp	edx, eax
		jg	short loc_9D46F1
		xor	eax, eax
		inc	eax
		jmp	short loc_9D4700
; 

loc_9D46F1:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+25Fj
		add	eax, 1Ah
		cmp	edx, eax
		jl	short loc_9D46FD
		push	1Ah
		pop	eax
		jmp	short loc_9D4700
; 

loc_9D46FD:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+26Bj
		mov	eax, [ebp+var_28]

loc_9D4700:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+264j
					; punycode_decode(x,x,x,x,x,x,x,x)+270j
		cmp	ecx, eax
		jl	short loc_9D4732
		push	24h
		pop	ecx
		sub	ecx, eax
		mov	eax, 7FFFFFFh
		cdq
		idiv	ecx
		mov	edx, [ebp+var_14]
		cmp	edx, eax
		jg	loc_9D49AA
		add	[ebp+var_24], 24h
		imul	ecx, edx
		add	[ebp+var_28], 24h
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+var_20]
		jmp	loc_9D46A6
; 

loc_9D4732:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+277j
		mov	esi, edi
		sub	esi, [ebp+var_10]
		sar	esi, 1
		sub	esi, [ebp+var_1C]
		inc	esi
		cmp	[ebp+var_44], 0
		mov	edx, esi
		setz	cl
		movzx	ecx, cl
		push	ecx
		mov	ecx, [ebp+var_8]
		sub	ecx, [ebp+var_48]
		call	_adapt@12	; adapt(x,x,x)
		mov	[ebp+var_2C], eax
		mov	ecx, 7FFFFFFh
		mov	eax, [ebp+var_8]
		cdq
		idiv	esi
		sub	ecx, [ebp+var_18]
		mov	esi, edx
		mov	[ebp+var_8], esi
		cmp	eax, ecx
		jg	loc_9D49AA
		mov	ecx, [ebp+var_18]
		add	ecx, eax
		mov	[ebp+var_18], ecx
		lea	eax, [ecx-80h]
		cmp	eax, 10FF7Fh
		ja	loc_9D49AA
		cmp	ecx, 0D800h
		jl	short loc_9D479D
		cmp	ecx, 0DFFFh
		jle	loc_9D49AA

loc_9D479D:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+304j
		cmp	[ebp+var_1C], 0
		jle	short loc_9D47DD
		mov	edx, [ebp+var_10]
		mov	[ebp+var_24], esi
		mov	[ebp+var_28], edx
		test	esi, esi
		jle	short loc_9D47E6

loc_9D47B0:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+34Bj
		cmp	edx, edi
		jnb	loc_9D49AA
		mov	cx, [edx]
		call	_IsSurrogate@4	; IsSurrogate(x)
		test	al, al
		jz	short loc_9D47C7
		add	edx, 2

loc_9D47C7:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+337j
		mov	eax, [ebp+var_24]
		add	edx, 2
		dec	eax
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], eax
		test	eax, eax
		jg	short loc_9D47B0
		mov	ecx, [ebp+var_18]
		jmp	short loc_9D47E6
; 

loc_9D47DD:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+316j
		mov	eax, [ebp+var_10]
		lea	edx, [eax+esi*2]
		mov	[ebp+var_28], edx

loc_9D47E6:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+323j
					; punycode_decode(x,x,x,x,x,x,x,x)+350j
		cmp	ecx, 10000h
		jge	short loc_9D4804
		cmp	edi, [ebp+var_C]
		jnb	loc_9D49AA
		cmp	edx, edi
		ja	loc_9D49AA
		movzx	ecx, cx
		jmp	short loc_9D484E
; 

loc_9D4804:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+361j
		mov	eax, [ebp+var_C]
		add	eax, 0FFFFFFFEh
		cmp	edi, eax
		jnb	loc_9D49AA
		cmp	edx, edi
		ja	loc_9D49AA
		lea	eax, [ecx-10000h]
		mov	ecx, 400h
		cdq
		idiv	ecx
		lea	ecx, [ebp+arg_0]
		push	ecx
		mov	esi, edx
		mov	edx, [ebp+var_28]
		lea	ecx, [eax-2800h]
		call	_InsertChar@12	; InsertChar(x,x,x)
		inc	[ebp+var_1C]
		lea	eax, [esi-2400h]
		mov	esi, [ebp+var_8]
		add	edx, 2
		movzx	ecx, ax

loc_9D484E:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+377j
		lea	eax, [ebp+arg_0]
		push	eax
		call	_InsertChar@12	; InsertChar(x,x,x)
		mov	ecx, [ebp+var_20]
		inc	esi
		mov	edi, [ebp+arg_0]
		cmp	ecx, ebx
		jnb	short loc_9D486A
		mov	edx, [ebp+var_2C]
		jmp	loc_9D468E
; 

loc_9D486A:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+3D5j
		mov	esi, [ebp+var_4]
		jmp	short loc_9D48ED
; 

loc_9D486F:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+CAj
					; punycode_decode(x,x,x,x,x,x,x,x)+ECj
		mov	eax, [ebp+var_C]
		mov	ecx, ebx
		sub	ecx, esi
		sub	eax, edi
		and	ecx, 0FFFFFFFEh
		and	eax, 0FFFFFFFEh
		cmp	eax, ecx
		jl	loc_9D49AA
		mov	edx, esi
		cmp	esi, ebx
		jnb	short loc_9D48ED

loc_9D488C:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+460j
		cmp	byte ptr [ebp+arg_8], 0
		jnz	short loc_9D48C3
		cmp	[ebp+arg_C], 0
		jz	short loc_9D48A8
		mov	cx, [edx]
		call	_ValidateStd3Range@4 ; ValidateStd3Range(x)
		test	al, al
		jz	loc_9D49AA

loc_9D48A8:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+40Bj
		movzx	eax, word ptr [edx]
		push	20h
		pop	ecx
		cmp	ax, cx
		jb	loc_9D49AA
		push	7Fh
		pop	ecx
		cmp	ax, cx
		jz	loc_9D49AA

loc_9D48C3:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+405j
		movzx	eax, word ptr [edx]
		test	ax, ax
		jz	loc_9D49AA
		mov	ecx, 80h
		cmp	ax, cx
		jnb	loc_9D49AA
		mov	[edi], ax
		add	edx, 2
		add	edi, 2
		mov	[ebp+arg_0], edi
		cmp	edx, ebx
		jb	short loc_9D488C

loc_9D48ED:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+1FAj
					; punycode_decode(x,x,x,x,x,x,x,x)+3E2j ...
		cmp	byte ptr [ebp+arg_8], 0
		jnz	short loc_9D490C
		mov	eax, ebx
		sub	eax, esi
		and	eax, 0FFFFFFFEh
		cmp	eax, 7Eh
		jg	loc_9D49AA
		cmp	edi, [ebp+var_10]
		jz	loc_9D49AA

loc_9D490C:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+466j
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_30]
		lea	edx, [ecx+eax*2]
		cmp	ebx, edx
		jz	short loc_9D492E
		cmp	edi, [ebp+var_C]
		jnb	loc_9D49AA
		mov	ax, [ebx]
		mov	[edi], ax
		add	edi, 2
		mov	[ebp+arg_0], edi

loc_9D492E:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+48Cj
		mov	al, byte ptr [ebp+arg_8]
		test	al, al
		jz	short loc_9D495A
		mov	ecx, ebx
		mov	byte ptr [ebp+arg_8], 0
		sub	ecx, edx
		mov	[ebp+var_34], ebx
		neg	ecx
		mov	eax, edi
		sbb	ecx, ecx
		and	ecx, 2
		sub	eax, ecx
		mov	ecx, [ebp+arg_14]
		mov	[ecx], eax
		lea	eax, [edx-2]
		cmp	ebx, eax
		jz	short loc_9D49AA
		mov	al, byte ptr [ebp+arg_8]

loc_9D495A:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+4A8j
		lea	ecx, [ebx+2]
		mov	esi, edi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], esi
		cmp	ebx, edx
		jb	loc_9D44FE
		jmp	short loc_9D497A
; 

loc_9D496F:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+80j
		mov	al, byte ptr [ebp+arg_8]
		test	al, al
		jnz	short loc_9D49AA
		cmp	ebx, edx
		jnz	short loc_9D49AA

loc_9D497A:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+4E2j
		mov	ecx, [ebp+var_50]
		cmp	esi, ecx
		jz	short loc_9D49AA
		test	al, al
		jnz	short loc_9D499D
		xor	eax, eax
		cmp	word ptr [edx-2], 2Eh
		setz	al
		sub	edx, [ebp+var_34]
		add	eax, 0FFh
		sar	edx, 1
		cmp	edx, eax
		jg	short loc_9D49AA

loc_9D499D:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+4F8j
		mov	eax, [ebp+arg_4]
		sub	esi, ecx
		sar	esi, 1
		mov	[eax], esi
		xor	eax, eax
		jmp	short loc_9D49AF
; 

loc_9D49AA:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+25j
					; punycode_decode(x,x,x,x,x,x,x,x)+56j	...
		mov	eax, 0C0000716h

loc_9D49AF:				; CODE XREF: punycode_decode(x,x,x,x,x,x,x,x)+51Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_punycode_decode@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall punycode_encode(x, x, x, x,	x, x)
_punycode_encode@24 proc near		; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+1EEp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	[ebp+var_8], ecx
		mov	eax, ecx
		mov	[ebp+var_30], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		lea	edi, [eax+edx*2]
		mov	eax, ebx
		mov	[ebp+var_40], eax
		mov	esi, eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_18], edi
		mov	[ebp+var_4C], esi
		mov	eax, [eax]
		lea	eax, [esi+eax*2]
		mov	[ebp+var_10], eax
		test	edx, edx
		jle	loc_9D4E0A
		mov	eax, esi
		cmp	ecx, edi
		jnb	loc_9D4DBD
		mov	[ebp+var_2C], eax
		mov	[ebp+var_44], 19h

loc_9D4A03:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+401j
		push	[ebp+arg_8]
		mov	edx, edi
		call	_FindLabelEnd@12 ; FindLabelEnd(x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_38], edi
		cmp	edi, eax
		jz	loc_9D4DFF
		cmp	byte ptr [ebp+arg_8], 0
		jnz	short loc_9D4A4B
		cmp	[ebp+arg_C], 0
		jz	short loc_9D4A44
		push	2Dh
		pop	ecx
		cmp	[eax], cx
		jz	loc_9D4E0A
		cmp	edi, [ebp+var_30]
		jbe	short loc_9D4A44
		cmp	[edi-2], cx
		jz	loc_9D4E0A

loc_9D4A44:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+71j
					; punycode_encode(x,x,x,x,x,x)+82j
		mov	eax, offset _M_strAceIdnPrefix
		jmp	short loc_9D4A50
; 

loc_9D4A4B:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+6Bj
		mov	eax, offset _M_strAceEmailPrefix

loc_9D4A50:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+93j
		mov	edx, [ebp+var_10]
		lea	ecx, [ebp+arg_0]
		push	0
		push	0
		push	ecx
		push	4
		sub	edx, ebx
		mov	ecx, ebx
		push	eax
		sar	edx, 1
		call	RtlStringCchCopyNExW
		test	eax, eax
		js	loc_9D4DF8
		mov	ecx, [ebp+var_8]
		xor	esi, esi
		mov	ebx, [ebp+arg_0]
		mov	edx, ecx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], ebx
		cmp	ecx, edi
		jnb	loc_9D4B20

loc_9D4A89:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+161j
		movzx	ecx, word ptr [edx]
		mov	eax, 80h
		cmp	cx, ax
		jnb	short loc_9D4AFF
		mov	al, byte ptr [ebp+arg_8]
		test	al, al
		jnz	short loc_9D4AC4
		cmp	[ebp+arg_C], al
		jz	short loc_9D4AB2
		call	_ValidateStd3Range@4 ; ValidateStd3Range(x)
		test	al, al
		jz	loc_9D4E0A
		mov	al, byte ptr [ebp+arg_8]

loc_9D4AB2:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+EAj
		cmp	ecx, 20h
		jb	loc_9D4E0A
		cmp	ecx, 7Fh
		jz	loc_9D4E0A

loc_9D4AC4:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+E5j
		test	cx, cx
		jz	loc_9D4E0A
		cmp	ebx, [ebp+var_10]
		jnb	loc_9D4DF8
		test	al, al
		jnz	short loc_9D4AEB
		lea	eax, [ecx-41h]
		cmp	ax, word ptr [ebp+var_44]
		ja	short loc_9D4AEB
		lea	eax, [ecx+20h]
		movzx	eax, ax
		jmp	short loc_9D4AED
; 

loc_9D4AEB:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+122j
					; punycode_encode(x,x,x,x,x,x)+12Bj
		mov	eax, ecx

loc_9D4AED:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+133j
		mov	[ebx], ax
		add	ebx, 2
		inc	esi
		mov	[ebp+var_14], ebx
		mov	[ebp+arg_0], ebx
		mov	[ebp+var_1C], esi
		jmp	short loc_9D4B12
; 

loc_9D4AFF:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+DEj
		lea	eax, [ecx+2800h]
		mov	ecx, 3FFh
		cmp	ax, cx
		ja	short loc_9D4B12
		add	edx, 2

loc_9D4B12:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+147j
					; punycode_encode(x,x,x,x,x,x)+157j
		add	edx, 2
		cmp	edx, edi
		jb	loc_9D4A89
		mov	ecx, [ebp+var_8]

loc_9D4B20:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+CDj
		mov	eax, edi
		mov	[ebp+var_48], esi
		sub	eax, ecx
		sar	eax, 1
		mov	[ebp+var_3C], eax
		cmp	esi, eax
		jnz	short loc_9D4B56
		mov	eax, [ebp+var_2C]
		lea	ecx, [ebx-8]
		cmp	eax, ecx
		jnb	short loc_9D4B4B
		sub	ecx, eax
		lea	esi, [eax+8]
		dec	ecx
		mov	edi, eax
		shr	ecx, 1
		inc	ecx
		rep movsw
		mov	edi, [ebp+var_38]

loc_9D4B4B:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+182j
		sub	ebx, 8
		mov	[ebp+arg_0], ebx
		jmp	loc_9D4D62
; 

loc_9D4B56:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+178j
		mov	eax, [ebp+var_18]
		sub	eax, ecx
		and	eax, 0FFFFFFFEh
		cmp	eax, 8
		jl	short loc_9D4B8A
		cmp	byte ptr [ebp+arg_8], 0
		mov	eax, offset _M_strAceEmailPrefix
		jnz	short loc_9D4B73
		mov	eax, offset _M_strAceIdnPrefix

loc_9D4B73:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+1B6j
		push	4		; size_t
		push	eax		; wchar_t *
		push	ecx		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_9D4E0A
		mov	ecx, [ebp+var_8]

loc_9D4B8A:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+1ABj
		and	[ebp+var_20], 0
		test	esi, esi
		jle	short loc_9D4BAA
		cmp	ebx, [ebp+var_10]
		jnb	loc_9D4DF8
		push	2Dh
		pop	eax
		mov	[ebx], ax
		add	ebx, 2
		mov	[ebp+var_14], ebx
		mov	[ebp+arg_0], ebx

loc_9D4BAA:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+1DAj
		push	48h
		pop	eax
		mov	[ebp+var_28], 80h
		xor	edx, edx
		mov	[ebp+var_24], eax
		jmp	loc_9D4D56
; 

loc_9D4BBE:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+3A6j
		mov	[ebp+var_38], ecx
		mov	eax, 7FFFFFFh
		mov	[ebp+var_C], eax
		cmp	ecx, edi
		jnb	short loc_9D4C09
		mov	esi, ecx
		mov	ebx, eax

loc_9D4BD1:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+242j
		mov	ecx, esi
		call	_GetUTF32@4	; GetUTF32(x)
		mov	ecx, eax
		cmp	ecx, [ebp+var_28]
		jl	short loc_9D4BE5
		cmp	ecx, ebx
		jge	short loc_9D4BE5
		mov	ebx, ecx

loc_9D4BE5:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+227j
					; punycode_encode(x,x,x,x,x,x)+22Bj
		xor	eax, eax
		cmp	ecx, 10000h
		setnl	al
		lea	esi, [esi+eax*2]
		add	esi, 2
		cmp	esi, edi
		jb	short loc_9D4BD1
		mov	esi, [ebp+var_1C]
		mov	edx, [ebp+var_4]
		mov	[ebp+var_C], ebx
		mov	ebx, [ebp+var_14]
		mov	eax, [ebp+var_C]

loc_9D4C09:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+215j
		sub	eax, [ebp+var_28]
		mov	ecx, esi
		sub	ecx, [ebp+var_20]
		inc	ecx
		imul	ecx, eax
		add	edx, ecx
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_4], edx
		mov	eax, ecx
		mov	[ebp+var_28], eax
		cmp	ecx, edi
		jnb	loc_9D4D4E

loc_9D4C2A:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+38Fj
		mov	ecx, eax
		call	_GetUTF32@4	; GetUTF32(x)
		mov	edx, [ebp+var_4]
		mov	ecx, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_38], ecx
		cmp	ecx, eax
		jge	short loc_9D4C46
		inc	edx
		cmp	ecx, eax
		mov	[ebp+var_4], edx

loc_9D4C46:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+288j
		jnz	loc_9D4D2B
		push	24h
		mov	eax, edx
		pop	edx
		push	edx
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_24]
		pop	ecx
		sub	ecx, eax

loc_9D4C5B:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+313j
		mov	[ebp+var_34], ecx
		mov	[ebp+var_14], edx
		cmp	edx, eax
		jg	short loc_9D4C6A
		xor	eax, eax
		inc	eax
		jmp	short loc_9D4C74
; 

loc_9D4C6A:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+2ADj
		add	eax, 1Ah
		cmp	edx, eax
		jl	short loc_9D4C79
		push	1Ah
		pop	eax

loc_9D4C74:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+2B2j
		mov	[ebp+arg_0], eax
		jmp	short loc_9D4C7E
; 

loc_9D4C79:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+2B9j
		mov	eax, ecx
		mov	[ebp+arg_0], ecx

loc_9D4C7E:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+2C1j
		mov	edx, [ebp+var_1C]
		cmp	edx, eax
		jl	short loc_9D4CCB
		cmp	ebx, [ebp+var_10]
		jnb	loc_9D4DF8
		sub	edx, eax
		push	24h
		pop	ecx
		sub	ecx, eax
		mov	eax, edx
		cdq
		idiv	ecx
		xor	ecx, ecx
		add	edx, [ebp+arg_0]
		mov	[ebp+var_1C], eax
		push	19h
		pop	eax
		cmp	edx, eax
		mov	eax, [ebp+var_24]
		setnle	cl
		dec	ecx
		and	ecx, 4Bh
		add	ecx, 16h
		add	cx, dx
		mov	edx, [ebp+var_14]
		mov	[ebx], cx
		add	edx, 24h
		mov	ecx, [ebp+var_34]
		add	ebx, 2
		add	ecx, 24h
		jmp	short loc_9D4C5B
; 

loc_9D4CCB:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+2CDj
		cmp	ebx, [ebp+var_10]
		jnb	loc_9D4DF8
		xor	eax, eax
		push	19h
		pop	ecx
		cmp	edx, ecx
		mov	ecx, [ebp+var_4]
		setnle	al
		dec	eax
		and	eax, 4Bh
		add	eax, 16h
		add	ax, dx
		mov	edx, esi
		mov	[ebx], ax
		add	ebx, 2
		cmp	esi, [ebp+var_48]
		mov	[ebp+var_14], ebx
		setz	al
		mov	[ebp+arg_0], ebx
		sub	edx, [ebp+var_20]
		movzx	eax, al
		inc	edx
		push	eax
		call	_adapt@12	; adapt(x,x,x)
		mov	ecx, [ebp+var_38]
		xor	edx, edx
		inc	esi
		mov	[ebp+var_24], eax
		cmp	[ebp+var_C], 10000h
		mov	[ebp+var_4], edx
		mov	[ebp+var_1C], esi
		jl	short loc_9D4D2B
		inc	esi
		inc	[ebp+var_20]
		mov	[ebp+var_1C], esi

loc_9D4D2B:				; CODE XREF: punycode_encode(x,x,x,x,x,x):loc_9D4C46j
					; punycode_encode(x,x,x,x,x,x)+36Cj
		xor	eax, eax
		cmp	ecx, 10000h
		setnl	al
		lea	eax, ds:2[eax*2]
		add	[ebp+var_28], eax
		mov	eax, [ebp+var_28]
		cmp	eax, edi
		jb	loc_9D4C2A
		mov	ecx, [ebp+var_8]

loc_9D4D4E:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+26Ej
		mov	eax, [ebp+var_C]
		inc	edx
		inc	eax
		mov	[ebp+var_28], eax

loc_9D4D56:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+203j
		mov	[ebp+var_4], edx
		cmp	esi, [ebp+var_3C]
		jl	loc_9D4BBE

loc_9D4D62:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+19Bj
		mov	dl, byte ptr [ebp+arg_8]
		test	dl, dl
		jnz	short loc_9D4D7A
		mov	eax, ebx
		sub	eax, [ebp+var_2C]
		and	eax, 0FFFFFFFEh
		cmp	eax, 7Eh
		jg	loc_9D4E0A

loc_9D4D7A:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+3B1j
		cmp	edi, [ebp+var_18]
		jz	short loc_9D4DA4
		cmp	ebx, [ebp+var_10]
		jnb	short loc_9D4DF8
		mov	ax, [edi]
		mov	[ebx], ax
		add	ebx, 2
		mov	[ebp+arg_0], ebx
		test	dl, dl
		jz	short loc_9D4DA4
		push	40h
		pop	eax
		cmp	[edi], ax
		jnz	short loc_9D4DA4
		xor	dl, dl
		mov	[ebp+var_40], ebx
		mov	byte ptr [ebp+arg_8], dl

loc_9D4DA4:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+3C7j
					; punycode_encode(x,x,x,x,x,x)+3DCj ...
		cmp	edi, [ebp+var_18]
		lea	ecx, [edi+2]
		mov	edi, [ebp+var_18]
		mov	eax, ebx
		mov	[ebp+var_8], ecx
		mov	esi, eax
		mov	[ebp+var_2C], ebx
		jb	loc_9D4A03

loc_9D4DBD:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+3Dj
		cmp	byte ptr [ebp+arg_8], 0
		mov	esi, eax
		mov	ecx, esi
		jnz	short loc_9D4DE1

loc_9D4DC7:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+452j
		mov	ecx, esi
		xor	eax, eax
		sub	esi, [ebp+var_40]
		sar	esi, 1
		cmp	word ptr [ebx-2], 2Eh
		setz	al
		add	eax, 0FEh
		cmp	esi, eax
		jg	short loc_9D4E0A

loc_9D4DE1:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+40Fj
		push	40h
		pop	eax
		cmp	[ebx-2], ax
		jz	short loc_9D4E0A
		mov	eax, [ebp+arg_4]
		sub	ecx, [ebp+var_4C]
		sar	ecx, 1
		mov	[eax], ecx
		xor	eax, eax
		jmp	short loc_9D4E15
; 

loc_9D4DF8:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+B5j
					; punycode_encode(x,x,x,x,x,x)+11Aj ...
		mov	eax, 0C0000023h
		jmp	short loc_9D4E0F
; 

loc_9D4DFF:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+61j
		cmp	byte ptr [ebp+arg_8], 0
		jnz	short loc_9D4E0A
		cmp	edi, [ebp+var_18]
		jz	short loc_9D4DC7

loc_9D4E0A:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+33j
					; punycode_encode(x,x,x,x,x,x)+79j ...
		mov	eax, 0C0000716h

loc_9D4E0F:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+447j
		mov	ecx, [ebp+arg_4]
		and	dword ptr [ecx], 0

loc_9D4E15:				; CODE XREF: punycode_encode(x,x,x,x,x,x)+440j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_punycode_encode@24 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2218. RtlIsPartialPlaceholder

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsPartialPlaceholder(x, x)
		public _RtlIsPartialPlaceholder@8
_RtlIsPartialPlaceholder@8 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_0], offset loc_440000
		setnz	al
		pop	ebp
		retn	8
_RtlIsPartialPlaceholder@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2219. RtlIsPartialPlaceholderFileHandle

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsPartialPlaceholderFileHandle(x, x)
		public _RtlIsPartialPlaceholderFileHandle@8
_RtlIsPartialPlaceholderFileHandle@8 proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	23h		; int
		push	8		; size_t
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax		; int
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], ebx
		push	eax		; int
		push	[ebp+arg_0]	; int
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_NtQueryInformationFile@20 ; NtQueryInformationFile(x,x,x,x,x)
		test	eax, eax
		jns	short loc_9D4E76
		cmp	eax, 0C000000Dh
		jnz	short loc_9D4E87
		mov	eax, [ebp+arg_4]
		mov	[eax], bl
		jmp	short loc_9D4E85
; 

loc_9D4E76:				; CODE XREF: RtlIsPartialPlaceholderFileHandle(x,x)+2Dj
		test	[ebp+var_8], offset loc_440000
		mov	eax, [ebp+arg_4]
		setnz	cl
		mov	[eax], cl

loc_9D4E85:				; CODE XREF: RtlIsPartialPlaceholderFileHandle(x,x)+3Bj
		mov	eax, ebx

loc_9D4E87:				; CODE XREF: RtlIsPartialPlaceholderFileHandle(x,x)+34j
		pop	ebx
		leave
		retn	8
_RtlIsPartialPlaceholderFileHandle@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2220. RtlIsPartialPlaceholderFileInfo

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsPartialPlaceholderFileInfo(x, x, x)
		public _RtlIsPartialPlaceholderFileInfo@12
_RtlIsPartialPlaceholderFileInfo@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		cmp	eax, 3Ch
		jg	short loc_9D4EDB
		jz	short loc_9D4EB9
		cmp	eax, 2
		jl	short loc_9D4EED
		cmp	eax, 3
		jle	short loc_9D4EB9
		cmp	eax, 23h
		jz	short loc_9D4ED4
		cmp	eax, 24h
		jle	short loc_9D4EED
		cmp	eax, 26h
		jg	short loc_9D4EED

loc_9D4EB9:				; CODE XREF: RtlIsPartialPlaceholderFileInfo(x,x,x)+Dj
					; RtlIsPartialPlaceholderFileInfo(x,x,x)+17j ...
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+38h]

loc_9D4EBF:				; CODE XREF: RtlIsPartialPlaceholderFileInfo(x,x,x)+48j
		test	eax, offset loc_440000
		mov	eax, [ebp+arg_8]
		setnz	cl
		mov	[eax], cl
		xor	ecx, ecx

loc_9D4ECE:				; CODE XREF: RtlIsPartialPlaceholderFileInfo(x,x,x)+71j
		mov	eax, ecx
		pop	ebp
		retn	0Ch
; 

loc_9D4ED4:				; CODE XREF: RtlIsPartialPlaceholderFileInfo(x,x,x)+1Cj
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		jmp	short loc_9D4EBF
; 

loc_9D4EDB:				; CODE XREF: RtlIsPartialPlaceholderFileInfo(x,x,x)+Bj
		mov	ecx, eax
		sub	ecx, 3Fh
		jz	short loc_9D4EB9
		sub	ecx, 5
		jz	short loc_9D4EB9
		dec	ecx
		sub	ecx, 1
		jz	short loc_9D4EB9

loc_9D4EED:				; CODE XREF: RtlIsPartialPlaceholderFileInfo(x,x,x)+12j
					; RtlIsPartialPlaceholderFileInfo(x,x,x)+21j ...
		xor	ecx, ecx
		cmp	eax, 4Ch
		setl	cl
		dec	ecx
		and	ecx, 0FFFFFF48h
		add	ecx, 0C00000BBh
		jmp	short loc_9D4ECE
_RtlIsPartialPlaceholderFileInfo@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2295. RtlQueryProcessPlaceholderCompatibilityMode

;  S U B	R O U T	I N E 


; __stdcall RtlQueryProcessPlaceholderCompatibilityMode()
		public _RtlQueryProcessPlaceholderCompatibilityMode@0
_RtlQueryProcessPlaceholderCompatibilityMode@0 proc near
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+17Ch]
		test	eax, eax
		jnz	short loc_9D4F22
		mov	al, 0FDh
		retn
; 

loc_9D4F22:				; CODE XREF: RtlQueryProcessPlaceholderCompatibilityMode()+14j
		mov	al, [eax+468h]
		retn
_RtlQueryProcessPlaceholderCompatibilityMode@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2299. RtlQueryThreadPlaceholderCompatibilityMode

;  S U B	R O U T	I N E 


; __stdcall RtlQueryThreadPlaceholderCompatibilityMode()
		public _RtlQueryThreadPlaceholderCompatibilityMode@0
_RtlQueryThreadPlaceholderCompatibilityMode@0 proc near
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jnz	short loc_9D4F4E
		cmp	byte ptr [eax+16Ah], 1
		jz	short loc_9D4F4E
		mov	eax, [eax+0A8h]
		jmp	short loc_9D4F50
; 

loc_9D4F4E:				; CODE XREF: RtlQueryThreadPlaceholderCompatibilityMode()+Dj
					; RtlQueryThreadPlaceholderCompatibilityMode()+16j
		xor	eax, eax

loc_9D4F50:				; CODE XREF: RtlQueryThreadPlaceholderCompatibilityMode()+1Ej
		test	eax, eax
		jnz	short loc_9D4F57
		mov	al, 0FEh
		retn
; 

loc_9D4F57:				; CODE XREF: RtlQueryThreadPlaceholderCompatibilityMode()+24j
		mov	al, [eax+174h]
		retn
_RtlQueryThreadPlaceholderCompatibilityMode@0 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 2337. RtlSetProcessPlaceholderCompatibilityMode

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSetProcessPlaceholderCompatibilityMode(x)
		public _RtlSetProcessPlaceholderCompatibilityMode@4
_RtlSetProcessPlaceholderCompatibilityMode@4 proc near

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	cl, [ebp+arg_0]
		cmp	cl, 3
		ja	short loc_9D4F98
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	edx, [eax+17Ch]
		test	edx, edx
		jnz	short loc_9D4F8A
		mov	al, 0FDh
		jmp	short loc_9D4F9A
; 

loc_9D4F8A:				; CODE XREF: RtlSetProcessPlaceholderCompatibilityMode(x)+21j
		mov	al, [edx+468h]
		mov	[edx+468h], cl
		jmp	short loc_9D4F9A
; 

loc_9D4F98:				; CODE XREF: RtlSetProcessPlaceholderCompatibilityMode(x)+Bj
		or	al, 0FFh

loc_9D4F9A:				; CODE XREF: RtlSetProcessPlaceholderCompatibilityMode(x)+25j
					; RtlSetProcessPlaceholderCompatibilityMode(x)+33j
		pop	ebp
		retn	4
_RtlSetProcessPlaceholderCompatibilityMode@4 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 2341. RtlSetThreadPlaceholderCompatibilityMode

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlSetThreadPlaceholderCompatibilityMode(x)
		public _RtlSetThreadPlaceholderCompatibilityMode@4
_RtlSetThreadPlaceholderCompatibilityMode@4 proc near

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	dl, [ebp+arg_0]
		cmp	dl, 3
		ja	short loc_9D4FE9
		mov	ecx, large fs:124h
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_9D4FD1
		cmp	byte ptr [ecx+16Ah], 1
		jz	short loc_9D4FD1
		mov	ecx, [ecx+0A8h]
		jmp	short loc_9D4FD3
; 

loc_9D4FD1:				; CODE XREF: RtlSetThreadPlaceholderCompatibilityMode(x)+1Bj
					; RtlSetThreadPlaceholderCompatibilityMode(x)+24j
		xor	ecx, ecx

loc_9D4FD3:				; CODE XREF: RtlSetThreadPlaceholderCompatibilityMode(x)+2Cj
		test	ecx, ecx
		jnz	short loc_9D4FDB
		mov	al, 0FEh
		jmp	short loc_9D4FEB
; 

loc_9D4FDB:				; CODE XREF: RtlSetThreadPlaceholderCompatibilityMode(x)+32j
		mov	al, [ecx+174h]
		mov	[ecx+174h], dl
		jmp	short loc_9D4FEB
; 

loc_9D4FE9:				; CODE XREF: RtlSetThreadPlaceholderCompatibilityMode(x)+Bj
		or	al, 0FFh

loc_9D4FEB:				; CODE XREF: RtlSetThreadPlaceholderCompatibilityMode(x)+36j
					; RtlSetThreadPlaceholderCompatibilityMode(x)+44j
		pop	ebp
		retn	4
_RtlSetThreadPlaceholderCompatibilityMode@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Normalization__AppendDecomposedChar(x, x, x)
_Normalization__AppendDecomposedChar@12	proc near
					; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+71Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	eax, edi
		cdq
		idiv	dword ptr [ebx+20h]
		mov	eax, [ebx+24h]
		movzx	esi, word ptr [eax+edx*2]
		test	esi, 0E000h
		jnz	short loc_9D5038
		mov	ecx, [ebx+28h]
		add	esi, esi
		movzx	edx, di
		jmp	short loc_9D5024
; 

loc_9D501C:				; CODE XREF: Normalization__AppendDecomposedChar(x,x,x)+3Fj
		cmp	ax, dx
		jz	short loc_9D5030
		add	esi, 2

loc_9D5024:				; CODE XREF: Normalization__AppendDecomposedChar(x,x,x)+2Bj
		movzx	eax, si
		movzx	eax, word ptr [ecx+eax*2]
		test	ax, ax
		jnz	short loc_9D501C

loc_9D5030:				; CODE XREF: Normalization__AppendDecomposedChar(x,x,x)+30j
		movzx	eax, si
		movzx	esi, word ptr [ecx+eax*2+2]

loc_9D5038:				; CODE XREF: Normalization__AppendDecomposedChar(x,x,x)+21j
		movzx	edi, si
		shr	edi, 0Dh
		cmp	edi, 7
		jnz	short loc_9D5046
		push	64h
		pop	edi

loc_9D5046:				; CODE XREF: Normalization__AppendDecomposedChar(x,x,x)+52j
		and	esi, 1FFFh
		test	edi, edi
		jz	short loc_9D50AC

loc_9D5050:				; CODE XREF: Normalization__AppendDecomposedChar(x,x,x)+BBj
		mov	ecx, [ebx+2Ch]
		movzx	eax, si
		movzx	eax, word ptr [ecx+eax*2]
		test	ax, ax
		jz	short loc_9D50AC
		mov	edx, eax
		mov	[ebp+var_4], edx
		lea	eax, [edx-0D800h]
		cmp	eax, 7FFh
		ja	short loc_9D5087
		inc	esi
		dec	edi
		movzx	eax, si
		movzx	edx, word ptr [ecx+eax*2]
		mov	eax, [ebp+var_4]
		add	eax, 0FFFF2809h
		shl	eax, 0Ah
		add	edx, eax

loc_9D5087:				; CODE XREF: Normalization__AppendDecomposedChar(x,x,x)+80j
		mov	eax, [ebx+14h]
		mov	ecx, edx
		push	[ebp+arg_0]
		sar	ecx, 7
		mov	al, [ecx+eax]
		mov	ecx, ebx
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		call	_Normalization__NormalizeCharacter@16 ;	Normalization__NormalizeCharacter(x,x,x,x)
		test	eax, eax
		jnz	short loc_9D50AE
		dec	edi
		inc	esi
		test	edi, edi
		jg	short loc_9D5050

loc_9D50AC:				; CODE XREF: Normalization__AppendDecomposedChar(x,x,x)+5Fj
					; Normalization__AppendDecomposedChar(x,x,x)+6Ej
		xor	eax, eax

loc_9D50AE:				; CODE XREF: Normalization__AppendDecomposedChar(x,x,x)+B5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_Normalization__AppendDecomposedChar@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Normalization__CanCombinableCharactersCombine(x, x,	x)
_Normalization__CanCombinableCharactersCombine@12 proc near
					; CODE XREF: NormBuffer__LastStartBasePair(x)+24p
					; NormBuffer__RecheckStartCombinations(x)+67p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	ebx, 1F0000h
		mov	[ebp+var_4], edx
		mov	esi, edx
		and	esi, ebx
		neg	esi
		push	edi
		sbb	esi, esi
		mov	edi, ecx
		mov	ecx, [ebp+arg_0]
		inc	esi
		mov	eax, ecx
		and	eax, ebx
		neg	eax
		sbb	eax, eax
		inc	eax
		cmp	esi, eax
		jnz	loc_9D51AD
		mov	esi, [edi+30h]
		test	esi, esi
		jz	loc_9D51AD
		imul	eax, ecx, 30FDh
		add	eax, edx
		cdq
		idiv	esi
		mov	eax, [edi+34h]
		movzx	ecx, dx
		movzx	ebx, word ptr [eax+ecx*2]
		movzx	eax, word ptr [eax+ecx*2+2]
		mov	[ebp+var_10], eax
		cmp	bx, ax
		jnb	loc_9D51AD
		mov	edi, [edi+38h]
		mov	edx, [ebp+var_4]
		mov	[ebp+var_8], 400h

loc_9D5125:				; CODE XREF: Normalization__CanCombinableCharactersCombine(x,x,x)+F2j
		movzx	esi, bx
		movzx	ecx, word ptr [edi+esi*2]
		movzx	eax, cx
		mov	[ebp+var_C], ecx
		cmp	edx, eax
		jnz	short loc_9D5140
		movzx	eax, word ptr [edi+esi*2+2]
		cmp	[ebp+arg_0], eax
		jz	short loc_9D51B6

loc_9D5140:				; CODE XREF: Normalization__CanCombinableCharactersCombine(x,x,x)+7Fj
		call	_IsSurrogate@4	; IsSurrogate(x)
		test	al, al
		jz	short loc_9D51A0
		mov	ecx, [ebp+var_4]
		cmp	ecx, 0FFFFh
		jle	short loc_9D519A
		lea	eax, [ecx-10000h]
		cdq
		idiv	[ebp+var_8]
		sub	eax, 2800h
		cmp	word ptr [ebp+var_C], ax
		jnz	short loc_9D519A
		call	_GetSurrogateLow@4 ; GetSurrogateLow(x)
		cmp	[edi+esi*2+2], ax
		jnz	short loc_9D519A
		mov	ecx, [ebp+arg_0]
		lea	eax, [ecx-10000h]
		cdq
		idiv	[ebp+var_8]
		sub	eax, 2800h
		cmp	[edi+esi*2+4], ax
		jnz	short loc_9D519A
		call	_GetSurrogateLow@4 ; GetSurrogateLow(x)
		cmp	[edi+esi*2+6], ax
		jz	short loc_9D51BD

loc_9D519A:				; CODE XREF: Normalization__CanCombinableCharactersCombine(x,x,x)+9Dj
					; Normalization__CanCombinableCharactersCombine(x,x,x)+B2j ...
		mov	edx, [ebp+var_4]
		add	ebx, 3

loc_9D51A0:				; CODE XREF: Normalization__CanCombinableCharactersCombine(x,x,x)+92j
		add	ebx, 3
		cmp	bx, word ptr [ebp+var_10]
		jb	loc_9D5125

loc_9D51AD:				; CODE XREF: Normalization__CanCombinableCharactersCombine(x,x,x)+2Cj
					; Normalization__CanCombinableCharactersCombine(x,x,x)+37j ...
		xor	eax, eax

loc_9D51AF:				; CODE XREF: Normalization__CanCombinableCharactersCombine(x,x,x)+106j
					; Normalization__CanCombinableCharactersCombine(x,x,x)+11Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_9D51B6:				; CODE XREF: Normalization__CanCombinableCharactersCombine(x,x,x)+89j
		movzx	eax, word ptr [edi+esi*2+4]
		jmp	short loc_9D51AF
; 

loc_9D51BD:				; CODE XREF: Normalization__CanCombinableCharactersCombine(x,x,x)+E3j
		movzx	eax, word ptr [edi+esi*2+8]
		movzx	ecx, word ptr [edi+esi*2+0Ah]
		sub	eax, 0D7F7h
		shl	eax, 0Ah
		add	eax, ecx
		jmp	short loc_9D51AF
_Normalization__CanCombinableCharactersCombine@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Normalization__CanCombineWithStartBase(x, x, x, x)
_Normalization__CanCombineWithStartBase@16 proc	near
					; CODE XREF: Normalization__IsNormalized(x,x,x,x)+311p
					; Normalization__IsNormalized(x,x,x,x)+37Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_9D51EE
		mov	edx, [ebp+arg_0]
		call	_Normalization__GetFirstDecomposedCharPlane0@8 ; Normalization__GetFirstDecomposedCharPlane0(x,x)
		mov	[esi], eax

loc_9D51EE:				; CODE XREF: Normalization__CanCombineWithStartBase(x,x,x,x)+Fj
		push	[ebp+arg_4]
		mov	edx, eax
		mov	ecx, edi
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_Normalization__CanCombineWithStartBase@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Normalization__CanCombineWithStartFirstPair(x, x, x, x, x)
_Normalization__CanCombineWithStartFirstPair@20	proc near
					; CODE XREF: Normalization__IsNormalized(x,x,x,x)+2E6p
					; Normalization__IsNormalized(x,x,x,x)+363p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, edx
		mov	[ebp+var_4], eax
		push	edi
		mov	edi, ecx
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_9D5246
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ebx]
		test	esi, esi
		jnz	short loc_9D522B
		mov	edx, [ebp+arg_4]
		call	_Normalization__GetFirstDecomposedCharPlane0@8 ; Normalization__GetFirstDecomposedCharPlane0(x,x)
		mov	esi, eax
		mov	[ebx], esi

loc_9D522B:				; CODE XREF: Normalization__CanCombineWithStartFirstPair(x,x,x,x,x)+1Dj
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		call	_Normalization__GetSecondDecomposedCharPlane0@8	; Normalization__GetSecondDecomposedCharPlane0(x,x)
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		mov	ecx, [ebp+var_4]
		pop	esi
		pop	ebx
		mov	[ecx], eax

loc_9D5246:				; CODE XREF: Normalization__CanCombineWithStartFirstPair(x,x,x,x,x)+12j
		push	[ebp+arg_8]
		mov	edx, eax
		mov	ecx, edi
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		pop	edi
		leave
		retn	0Ch
_Normalization__CanCombineWithStartFirstPair@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Normalization__GetCharacterInfo(x, x, x, x)
_Normalization__GetCharacterInfo@16 proc near
					; CODE XREF: NormBuffer__AppendAndSortDecomposed(x,x)+20p
					; NormBuffer__RecheckStartCombinations(x)+4Dp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+14h]
		push	esi
		mov	esi, edx
		and	edx, 7Fh
		sar	esi, 7
		movzx	esi, byte ptr [eax+esi]
		mov	eax, [ecx+18h]
		shl	esi, 7
		add	esi, edx
		mov	dl, [esi+eax-80h]
		mov	eax, [ebp+arg_4]
		mov	cl, dl
		and	cl, 0C0h
		and	dl, 3Fh
		pop	esi
		mov	[eax], cl
		mov	eax, [ebp+arg_0]
		mov	[eax], dl
		pop	ebp
		retn	8
_Normalization__GetCharacterInfo@16 endp


;  S U B	R O U T	I N E 


; __stdcall Normalization__GetFirstDecomposedCharPlane0(x, x)
_Normalization__GetFirstDecomposedCharPlane0@8 proc near
					; CODE XREF: NormBuffer__LastStartBase(x)+12p
					; Normalization__CanCombineWithStartBase(x,x,x,x)+14p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		mov	eax, ebx
		cdq
		idiv	dword ptr [edi+20h]
		mov	eax, [edi+24h]
		movzx	esi, word ptr [eax+edx*2]
		test	esi, 0E000h
		jnz	short loc_9D52D2
		mov	ecx, [edi+28h]
		add	esi, esi
		jmp	short loc_9D52BE
; 

loc_9D52B4:				; CODE XREF: Normalization__GetFirstDecomposedCharPlane0(x,x)+39j
		movzx	eax, ax
		cmp	eax, ebx
		jz	short loc_9D52CA
		add	esi, 2

loc_9D52BE:				; CODE XREF: Normalization__GetFirstDecomposedCharPlane0(x,x)+23j
		movzx	eax, si
		movzx	eax, word ptr [ecx+eax*2]
		test	ax, ax
		jnz	short loc_9D52B4

loc_9D52CA:				; CODE XREF: Normalization__GetFirstDecomposedCharPlane0(x,x)+2Aj
		movzx	eax, si
		movzx	esi, word ptr [ecx+eax*2+2]

loc_9D52D2:				; CODE XREF: Normalization__GetFirstDecomposedCharPlane0(x,x)+1Cj
		mov	eax, [edi+2Ch]
		and	esi, 1FFFh
		pop	edi
		movzx	eax, word ptr [eax+esi*2]
		pop	esi
		pop	ebx
		retn
_Normalization__GetFirstDecomposedCharPlane0@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Normalization__GetLastChar(x, x, x,	x, x, x)
_Normalization__GetLastChar@24 proc near
					; CODE XREF: Normalization__IsNormalized(x,x,x,x)+229p
					; Normalization__IsNormalized(x,x,x,x)+3EEp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		sub	edx, 2
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax]
		mov	ebx, ecx
		mov	eax, [ebp+arg_4]
		mov	edi, [eax]
		cmp	esi, edx
		jz	loc_9D5385
		mov	eax, 2800h
		mov	ecx, 7FFh
		add	ax, [edx]
		cmp	ax, cx
		ja	short loc_9D531B
		sub	edx, 2
		cmp	esi, edx
		jz	short loc_9D5385

loc_9D531B:				; CODE XREF: Normalization__GetLastChar(x,x,x,x,x,x)+2Fj
		movzx	esi, word ptr [edx]
		cmp	esi, 0D800h
		jb	short loc_9D533C
		cmp	esi, 0DFFFh
		ja	short loc_9D533C
		movzx	eax, word ptr [edx-2]
		sub	eax, 0D7F7h
		shl	eax, 0Ah
		add	esi, eax

loc_9D533C:				; CODE XREF: Normalization__GetLastChar(x,x,x,x,x,x)+41j
					; Normalization__GetLastChar(x,x,x,x,x,x)+49j
		mov	eax, [ebx+14h]
		mov	ecx, esi
		sar	ecx, 7
		mov	al, [ecx+eax]
		test	al, al
		jnz	short loc_9D5351
		xor	ebx, ebx
		mov	cl, bl
		jmp	short loc_9D536D
; 

loc_9D5351:				; CODE XREF: Normalization__GetLastChar(x,x,x,x,x,x)+66j
		movzx	ecx, al
		mov	eax, esi
		shl	ecx, 7
		and	eax, 7Fh
		add	ecx, eax
		mov	eax, [ebx+18h]
		mov	cl, [ecx+eax-80h]
		mov	bl, cl
		and	bl, 3Fh
		and	cl, 0C0h

loc_9D536D:				; CODE XREF: Normalization__GetLastChar(x,x,x,x,x,x)+6Cj
		mov	eax, [ebp+arg_C]
		mov	[eax], cl
		mov	eax, [ebp+arg_8]
		mov	[eax], bl
		mov	eax, [ebp+arg_0]
		mov	[eax], edx
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		mov	eax, esi
		jmp	short loc_9D5387
; 

loc_9D5385:				; CODE XREF: Normalization__GetLastChar(x,x,x,x,x,x)+19j
					; Normalization__GetLastChar(x,x,x,x,x,x)+36j
		mov	eax, edi

loc_9D5387:				; CODE XREF: Normalization__GetLastChar(x,x,x,x,x,x)+A0j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_Normalization__GetLastChar@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Normalization__GetSecondAndThirdDecomposedCharPlane0(x, x, x, x)
_Normalization__GetSecondAndThirdDecomposedCharPlane0@16 proc near
					; CODE XREF: NormBuffer__ReplaceLastStartBase(x,x,x,x)+3Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		and	dword ptr [eax], 0
		mov	edi, edx
		mov	esi, ecx
		mov	ebx, [ebp+arg_4]
		mov	eax, edi
		cdq
		idiv	dword ptr [esi+20h]
		mov	eax, [esi+24h]
		and	dword ptr [ebx], 0
		movzx	ecx, word ptr [eax+edx*2]
		test	ecx, 0E000h
		jnz	short loc_9D53E0
		mov	edx, [esi+28h]
		add	ecx, ecx
		jmp	short loc_9D53CC
; 

loc_9D53C2:				; CODE XREF: Normalization__GetSecondAndThirdDecomposedCharPlane0(x,x,x,x)+48j
		movzx	eax, ax
		cmp	eax, edi
		jz	short loc_9D53D8
		add	ecx, 2

loc_9D53CC:				; CODE XREF: Normalization__GetSecondAndThirdDecomposedCharPlane0(x,x,x,x)+32j
		movzx	eax, cx
		movzx	eax, word ptr [edx+eax*2]
		test	ax, ax
		jnz	short loc_9D53C2

loc_9D53D8:				; CODE XREF: Normalization__GetSecondAndThirdDecomposedCharPlane0(x,x,x,x)+39j
		movzx	eax, cx
		movzx	ecx, word ptr [edx+eax*2+2]

loc_9D53E0:				; CODE XREF: Normalization__GetSecondAndThirdDecomposedCharPlane0(x,x,x,x)+2Bj
		movzx	edx, cx
		shr	edx, 0Dh
		cmp	edx, 1
		jbe	short loc_9D5412
		mov	esi, [esi+2Ch]
		and	ecx, 1FFFh
		mov	edi, [ebp+arg_0]
		inc	ecx
		movzx	ecx, cx
		movzx	eax, word ptr [esi+ecx*2]
		mov	[edi], eax
		cmp	edx, 2
		jz	short loc_9D5412
		lea	eax, [ecx+1]
		movzx	eax, ax
		movzx	eax, word ptr [esi+eax*2]
		mov	[ebx], eax

loc_9D5412:				; CODE XREF: Normalization__GetSecondAndThirdDecomposedCharPlane0(x,x,x,x)+5Bj
					; Normalization__GetSecondAndThirdDecomposedCharPlane0(x,x,x,x)+76j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_Normalization__GetSecondAndThirdDecomposedCharPlane0@16 endp


;  S U B	R O U T	I N E 


; __stdcall Normalization__GetSecondDecomposedCharPlane0(x, x)
_Normalization__GetSecondDecomposedCharPlane0@8	proc near
					; CODE XREF: NormBuffer__LastStartBasePair(x)+12p
					; Normalization__CanCombineWithStartFirstPair(x,x,x,x,x)+30p
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		mov	eax, ebx
		cdq
		idiv	dword ptr [edi+20h]
		mov	eax, [edi+24h]
		movzx	esi, word ptr [eax+edx*2]
		test	esi, 0E000h
		jnz	short loc_9D545C
		mov	ecx, [edi+28h]
		add	esi, esi
		jmp	short loc_9D5448
; 

loc_9D543E:				; CODE XREF: Normalization__GetSecondDecomposedCharPlane0(x,x)+39j
		movzx	eax, ax
		cmp	eax, ebx
		jz	short loc_9D5454
		add	esi, 2

loc_9D5448:				; CODE XREF: Normalization__GetSecondDecomposedCharPlane0(x,x)+23j
		movzx	eax, si
		movzx	eax, word ptr [ecx+eax*2]
		test	ax, ax
		jnz	short loc_9D543E

loc_9D5454:				; CODE XREF: Normalization__GetSecondDecomposedCharPlane0(x,x)+2Aj
		movzx	eax, si
		movzx	esi, word ptr [ecx+eax*2+2]

loc_9D545C:				; CODE XREF: Normalization__GetSecondDecomposedCharPlane0(x,x)+1Cj
		mov	eax, [edi+2Ch]
		and	esi, 1FFFh
		inc	esi
		movzx	ecx, si
		pop	edi
		pop	esi
		pop	ebx
		movzx	eax, word ptr [eax+ecx*2]
		retn
_Normalization__GetSecondDecomposedCharPlane0@8	endp


;  S U B	R O U T	I N E 


; __stdcall Normalization__GetThirdAndLastDecomposedCharPlane0(x, x)
_Normalization__GetThirdAndLastDecomposedCharPlane0@8 proc near
					; CODE XREF: NormBuffer__ReplaceLastStartBasePair(x,x,x,x)+12p
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		mov	eax, ebx
		cdq
		idiv	dword ptr [edi+20h]
		mov	eax, [edi+24h]
		movzx	esi, word ptr [eax+edx*2]
		test	esi, 0E000h
		jnz	short loc_9D54B4
		mov	ecx, [edi+28h]
		add	esi, esi
		jmp	short loc_9D54A0
; 

loc_9D5496:				; CODE XREF: Normalization__GetThirdAndLastDecomposedCharPlane0(x,x)+39j
		movzx	eax, ax
		cmp	eax, ebx
		jz	short loc_9D54AC
		add	esi, 2

loc_9D54A0:				; CODE XREF: Normalization__GetThirdAndLastDecomposedCharPlane0(x,x)+23j
		movzx	eax, si
		movzx	eax, word ptr [ecx+eax*2]
		test	ax, ax
		jnz	short loc_9D5496

loc_9D54AC:				; CODE XREF: Normalization__GetThirdAndLastDecomposedCharPlane0(x,x)+2Aj
		movzx	eax, si
		movzx	esi, word ptr [ecx+eax*2+2]

loc_9D54B4:				; CODE XREF: Normalization__GetThirdAndLastDecomposedCharPlane0(x,x)+1Cj
		mov	eax, [edi+2Ch]
		and	esi, 1FFFh
		add	esi, 2
		movzx	ecx, si
		pop	edi
		pop	esi
		pop	ebx
		movzx	eax, word ptr [eax+ecx*2]
		retn
_Normalization__GetThirdAndLastDecomposedCharPlane0@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Normalization__GuessBetterCharCount(x, x, x, x)
_Normalization__GuessBetterCharCount@16	proc near
					; CODE XREF: Normalization__Normalize(x,x,x,x,x,x)+FAp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, edx
		test	edi, edi
		jnz	short loc_9D54DF
		inc	edi
		add	esi, [ecx+0Ch]

loc_9D54DF:				; CODE XREF: Normalization__GuessBetterCharCount(x,x,x,x)+Ej
		mov	edx, [ebp+arg_0]
		call	_Normalization__GuessCharCountBySize@8 ; Normalization__GuessCharCountBySize(x,x)
		imul	edx, esi
		mov	ecx, eax
		mov	eax, edx
		cdq
		idiv	edi
		cmp	eax, ecx
		jle	short loc_9D54F7
		mov	ecx, eax

loc_9D54F7:				; CODE XREF: Normalization__GuessBetterCharCount(x,x,x,x)+28j
		mov	eax, ecx
		sar	eax, 3
		add	eax, ecx
		pop	edi
		add	eax, esi
		pop	esi
		pop	ebp
		retn	8
_Normalization__GuessBetterCharCount@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Normalization__GuessCharCount(x, x,	x, x)
_Normalization__GuessCharCount@16 proc near
					; CODE XREF: RtlpNormalizeStringWorker(x,x,x,x,x)+6Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		test	edx, edx
		jz	short loc_9D552C
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_9D552C
		mov	edx, [ebp+arg_0]
		test	edx, edx
		js	short loc_9D552C
		and	dword ptr [esi], 0
		call	_Normalization__GuessCharCountBySize@8 ; Normalization__GuessCharCountBySize(x,x)
		mov	[esi], eax
		xor	eax, eax
		jmp	short loc_9D5531
; 

loc_9D552C:				; CODE XREF: Normalization__GuessCharCount(x,x,x,x)+8j
					; Normalization__GuessCharCount(x,x,x,x)+Fj ...
		mov	eax, 0C000000Dh

loc_9D5531:				; CODE XREF: Normalization__GuessCharCount(x,x,x,x)+24j
		pop	esi
		pop	ebp
		retn	8
_Normalization__GuessCharCount@16 endp


;  S U B	R O U T	I N E 


; __stdcall Normalization__GuessCharCountBySize(x, x)
_Normalization__GuessCharCountBySize@8 proc near
					; CODE XREF: Normalization__GuessBetterCharCount(x,x,x,x)+17p
					; Normalization__GuessCharCount(x,x,x,x)+1Bp
		mov	eax, edx
		sar	eax, 3
		add	eax, edx
		cmp	eax, 40h
		jge	short locret_9D5550
		mov	eax, [ecx+0Ch]
		imul	eax, edx
		cmp	eax, 40h
		jle	short locret_9D5550
		push	40h
		pop	eax

locret_9D5550:				; CODE XREF: Normalization__GuessCharCountBySize(x,x)+Aj
					; Normalization__GuessCharCountBySize(x,x)+15j
		retn
_Normalization__GuessCharCountBySize@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Normalization__IsNormalized(x, x, x, x)
_Normalization__IsNormalized@16	proc near ; CODE XREF: RtlIsNormalizedString(x,x,x,x)+59p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_6		= byte ptr -6
var_5		= byte ptr -5
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	[ebp+var_C], edx
		push	edi
		mov	edi, ecx
		test	edx, edx
		jnz	short loc_9D556D
		mov	eax, 0C000000Dh
		jmp	loc_9D59B0
; 

loc_9D556D:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+10j
		xor	ecx, ecx
		lea	eax, [edx-2]
		push	ebx
		push	esi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_3], cl
		mov	[ebp+var_2], cl
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_6], cl
		mov	[ebp+var_5], cl
		cmp	[ebp+arg_0], ecx
		jle	loc_9D59A6
		mov	eax, [edi+10h]
		mov	[ebp+var_20], eax

loc_9D559E:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+44Fj
		movzx	esi, word ptr [edx]
		cmp	esi, eax
		jl	loc_9D5991
		mov	ebx, [edi+14h]
		mov	eax, esi
		shr	eax, 7
		mov	al, [eax+ebx]
		test	al, al
		jz	loc_9D598E
		cmp	al, 0FBh
		jnz	short loc_9D55CA
		cmp	byte ptr [edi+3Dh], 0
		jnz	loc_9D598E

loc_9D55CA:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+6Dj
					; Normalization__IsNormalized(x,x,x,x)+E6j ...
		movzx	ecx, al
		mov	eax, ecx
		sub	eax, 0
		jz	loc_9D5980
		sub	eax, 0FBh
		jz	loc_9D597A
		sub	eax, 1
		jz	loc_9D59BF
		sub	eax, 1
		jz	loc_9D5844
		sub	eax, 1
		jz	short loc_9D5675
		sub	eax, 1
		jnz	loc_9D56EC
		cmp	esi, 0AC00h
		jl	short loc_9D5639
		mov	ecx, esi
		call	_IsHangulS@4	; IsHangulS(x)
		test	al, al
		jnz	loc_9D56BD
		cmp	esi, 0D7B0h
		jl	short loc_9D562A
		cmp	esi, 0D7C6h
		jle	short loc_9D566E

loc_9D562A:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+CFj
		lea	eax, [esi-0D7CBh]
		cmp	eax, 30h
		jbe	short loc_9D566E

loc_9D5635:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+11Bj
		mov	al, 0FBh
		jmp	short loc_9D55CA
; 

loc_9D5639:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+B8j
		cmp	[ebp+arg_0], 1
		jle	short loc_9D5655
		movzx	edx, word ptr [edx+2]
		mov	ecx, esi
		call	_CanComposeHangul@8 ; CanComposeHangul(x,x)
		test	al, al
		jnz	loc_9D5844
		mov	edx, [ebp+var_C]

loc_9D5655:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+ECj
		mov	eax, [edi]
		cmp	eax, 10Dh
		jz	short loc_9D5663
		cmp	eax, 0Dh
		jnz	short loc_9D566E

loc_9D5663:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+10Bj
		lea	eax, [esi-115Fh]
		cmp	eax, 1
		jbe	short loc_9D5635

loc_9D566E:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+D7j
					; Normalization__IsNormalized(x,x,x,x)+E2j ...
		xor	al, al
		jmp	loc_9D55CA
; 

loc_9D5675:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+A7j
		mov	eax, [ebp+arg_0]
		cmp	eax, 1
		jle	loc_9D59BF
		add	edx, 2
		mov	[ebp+var_28], 3FFh
		dec	eax
		mov	[ebp+var_C], edx
		mov	[ebp+arg_0], eax
		movzx	ecx, word ptr [edx]
		lea	eax, [ecx+2400h]
		cmp	ax, word ptr [ebp+var_28]
		ja	loc_9D59BF
		add	esi, 0FFFF2809h
		shl	esi, 0Ah
		add	esi, ecx
		mov	eax, esi
		sar	eax, 7
		mov	al, [eax+ebx]
		jmp	loc_9D55CA
; 

loc_9D56BD:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+C3j
		cmp	byte ptr [edi+3Ch], 1
		jz	loc_9D5844
		cmp	[ebp+arg_0], 1
		jle	loc_9D5980
		movzx	edx, word ptr [edx+2]
		mov	ecx, esi
		call	_CanComposeHangul@8 ; CanComposeHangul(x,x)
		test	al, al
		jnz	loc_9D5844
		mov	edx, [ebp+var_C]
		jmp	loc_9D5980
; 

loc_9D56EC:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+ACj
		mov	eax, esi
		shl	ecx, 7
		and	eax, 7Fh
		add	ecx, eax
		mov	eax, [edi+18h]
		mov	al, [ecx+eax-80h]
		test	al, al
		jz	loc_9D5980
		mov	ah, al
		mov	bh, al
		and	ah, 3Fh
		and	bh, 0C0h
		mov	[ebp+var_4], ah
		mov	[ebp+var_1], bh
		test	ah, ah
		jz	short loc_9D571E
		cmp	ah, 3Fh
		jnz	short loc_9D5757

loc_9D571E:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+1C6j
		movzx	eax, al
		sub	eax, 40h
		jz	loc_9D5964
		sub	eax, 3Fh
		jz	loc_9D597A
		sub	eax, 1
		jz	loc_9D5964
		sub	eax, 3Fh
		jz	loc_9D5844
		sub	eax, 1
		jz	loc_9D592D
		sub	eax, 3Fh
		jz	loc_9D59B5

loc_9D5757:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+1CBj
		test	bh, bh
		jz	loc_9D5927
		cmp	bh, 40h
		jz	loc_9D5927
		lea	eax, [ebp+var_2]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_3]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_Normalization__GetLastChar@24 ; Normalization__GetLastChar(x,x,x,x,x,x)
		mov	bl, [ebp+var_3]
		test	bl, bl
		jz	loc_9D58F5
		cmp	bl, 3Fh
		jz	loc_9D58F5
		mov	bh, [ebp+var_2]
		test	bh, bh
		jz	loc_9D5869
		cmp	bh, 40h
		jz	loc_9D5869
		mov	bh, [ebp+var_4]
		cmp	bl, bh
		ja	loc_9D5844
		cmp	[ebp+var_1], 0C0h
		jnz	loc_9D58E4
		cmp	bl, bh
		jz	loc_9D58E4
		mov	cl, [ebp+var_5]
		mov	bl, [ebp+var_6]
		mov	al, cl
		or	al, bl
		cmp	al, 40h
		jz	short loc_9D57E4
		cmp	al, 80h
		jz	short loc_9D57E4
		cmp	cl, 40h
		jnz	short loc_9D57F6
		test	bl, bl
		jz	short loc_9D57E4
		cmp	bl, 3Fh
		jnz	short loc_9D57F6

loc_9D57E4:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+27Fj
					; Normalization__IsNormalized(x,x,x,x)+283j ...
		mov	edx, [ebp+var_18]
		mov	ecx, edi
		push	esi
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		test	eax, eax
		jnz	short loc_9D5844
		mov	cl, [ebp+var_5]

loc_9D57F6:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+288j
					; Normalization__IsNormalized(x,x,x,x)+291j
		cmp	bh, bl
		jnb	loc_9D58E4
		cmp	cl, 40h
		jz	short loc_9D580B
		test	cl, cl
		jnz	loc_9D58E4

loc_9D580B:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+2B0j
		mov	al, bl
		dec	al
		cmp	al, 3Dh
		ja	loc_9D58E4
		cmp	bl, [edi+40h]
		jnz	short loc_9D584F
		cmp	bh, [edi+3Eh]
		jb	short loc_9D5859
		cmp	bh, [edi+3Fh]
		jnz	loc_9D58E4

loc_9D582A:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+306j
		push	esi
		push	[ebp+var_18]
		lea	eax, [ebp+var_14]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_24]
		call	_Normalization__CanCombineWithStartFirstPair@20	; Normalization__CanCombineWithStartFirstPair(x,x,x,x,x)

loc_9D583C:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+316j
		test	eax, eax
		jz	loc_9D58E4

loc_9D5844:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+9Ej
					; Normalization__IsNormalized(x,x,x,x)+FBj ...
		mov	eax, [ebp+arg_4]
		mov	byte ptr [eax],	0
		jmp	loc_9D59AC
; 

loc_9D584F:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+2C9j
		cmp	bl, [edi+42h]
		jnz	short loc_9D5859
		cmp	bh, [edi+41h]
		jz	short loc_9D582A

loc_9D5859:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+2CEj
					; Normalization__IsNormalized(x,x,x,x)+301j
		push	esi
		push	[ebp+var_18]
		lea	edx, [ebp+var_14]
		mov	ecx, edi
		call	_Normalization__CanCombineWithStartBase@16 ; Normalization__CanCombineWithStartBase(x,x,x,x)
		jmp	short loc_9D583C
; 

loc_9D5869:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+247j
					; Normalization__IsNormalized(x,x,x,x)+250j
		and	[ebp+var_14], 0
		and	[ebp+var_24], 0
		cmp	[ebp+var_1], 0C0h
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_18], ecx
		jnz	short loc_9D58D9
		cmp	bh, 40h
		jnz	short loc_9D5893
		mov	edx, ecx
		mov	ecx, edi
		push	esi
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		test	eax, eax
		jnz	short loc_9D5844
		mov	ecx, [ebp+var_18]

loc_9D5893:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+32Fj
		mov	al, [ebp+var_4]
		cmp	bl, al
		jbe	short loc_9D58D9
		cmp	bl, [edi+40h]
		jnz	short loc_9D58BB
		cmp	al, [edi+3Eh]
		jb	short loc_9D58C5
		cmp	al, [edi+3Fh]
		jnz	short loc_9D58D9

loc_9D58A9:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+372j
		push	esi
		push	ecx
		lea	eax, [ebp+var_14]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_24]
		call	_Normalization__CanCombineWithStartFirstPair@20	; Normalization__CanCombineWithStartFirstPair(x,x,x,x,x)
		jmp	short loc_9D58D1
; 

loc_9D58BB:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+34Cj
		cmp	bl, [edi+42h]
		jnz	short loc_9D58C5
		cmp	al, [edi+41h]
		jz	short loc_9D58A9

loc_9D58C5:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+351j
					; Normalization__IsNormalized(x,x,x,x)+36Dj
		push	esi
		push	ecx
		lea	edx, [ebp+var_14]
		mov	ecx, edi
		call	_Normalization__CanCombineWithStartBase@16 ; Normalization__CanCombineWithStartBase(x,x,x,x)

loc_9D58D1:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+368j
		test	eax, eax
		jnz	loc_9D5844

loc_9D58D9:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+32Aj
					; Normalization__IsNormalized(x,x,x,x)+347j ...
		mov	cl, bh
		mov	[ebp+var_6], bl
		mov	[ebp+var_5], cl

loc_9D58E1:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+3BBj
					; Normalization__IsNormalized(x,x,x,x)+3C0j ...
		mov	bh, [ebp+var_4]

loc_9D58E4:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+265j
					; Normalization__IsNormalized(x,x,x,x)+26Dj ...
		mov	edx, [ebp+var_C]
		mov	al, [ebp+var_1]

loc_9D58EA:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+424j
		mov	[ebp+var_3], bh
		mov	[ebp+var_2], al
		jmp	loc_9D5988
; 

loc_9D58F5:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+233j
					; Normalization__IsNormalized(x,x,x,x)+23Cj
		mov	cl, [ebp+var_2]
		mov	eax, [ebp+var_10]
		mov	[ebp+var_18], eax
		mov	[ebp+var_6], bl
		mov	[ebp+var_5], cl
		cmp	cl, 40h
		jz	short loc_9D590E
		cmp	cl, 80h
		jnz	short loc_9D58E1

loc_9D590E:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+3B6j
		cmp	bh, 0C0h
		jnz	short loc_9D58E1
		push	esi
		mov	edx, eax
		mov	ecx, edi
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		test	eax, eax
		jnz	loc_9D5844
		jmp	short loc_9D58E1
; 

loc_9D5927:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+208j
					; Normalization__IsNormalized(x,x,x,x)+211j
		and	[ebp+var_14], 0
		jmp	short loc_9D5964
; 

loc_9D592D:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+1F7j
		lea	eax, [ebp+var_2]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_3]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_Normalization__GetLastChar@24 ; Normalization__GetLastChar(x,x,x,x,x,x)
		mov	al, [ebp+var_2]
		or	al, [ebp+var_3]
		cmp	al, 80h
		jnz	short loc_9D5961
		mov	edx, [ebp+var_10]
		mov	ecx, edi
		push	esi
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		test	eax, eax
		jnz	loc_9D5844

loc_9D5961:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+3FBj
		mov	edx, [ebp+var_C]

loc_9D5964:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+1D3j
					; Normalization__IsNormalized(x,x,x,x)+1E5j ...
		mov	bh, [ebp+var_4]
		mov	al, [ebp+var_1]
		mov	bl, bh
		mov	[ebp+var_18], esi
		mov	[ebp+var_6], bl
		mov	[ebp+var_5], al
		jmp	loc_9D58EA
; 

loc_9D597A:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+8Cj
					; Normalization__IsNormalized(x,x,x,x)+1DCj
		cmp	byte ptr [edi+3Dh], 0
		jz	short loc_9D59BF

loc_9D5980:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+81j
					; Normalization__IsNormalized(x,x,x,x)+17Aj ...
		mov	[ebp+var_3], 0
		mov	[ebp+var_2], 0

loc_9D5988:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+39Fj
		mov	[ebp+var_10], esi
		mov	[ebp+var_1C], edx

loc_9D598E:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+65j
					; Normalization__IsNormalized(x,x,x,x)+73j
		mov	eax, [ebp+var_20]

loc_9D5991:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+52j
		mov	esi, [ebp+arg_0]
		add	edx, 2
		dec	esi
		mov	[ebp+var_C], edx
		mov	[ebp+arg_0], esi
		test	esi, esi
		jg	loc_9D559E

loc_9D59A6:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+41j
					; Normalization__IsNormalized(x,x,x,x)+46Cj
		mov	eax, [ebp+arg_4]
		mov	byte ptr [eax],	1

loc_9D59AC:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+2F9j
		xor	eax, eax

loc_9D59AE:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+473j
		pop	esi
		pop	ebx

loc_9D59B0:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+17j
		pop	edi
		leave
		retn	8
; 

loc_9D59B5:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+200j
		test	esi, esi
		jnz	short loc_9D59BF
		cmp	[ebp+arg_0], 1
		jle	short loc_9D59A6

loc_9D59BF:				; CODE XREF: Normalization__IsNormalized(x,x,x,x)+95j
					; Normalization__IsNormalized(x,x,x,x)+12Aj ...
		mov	eax, 0C0000717h
		jmp	short loc_9D59AE
_Normalization__IsNormalized@16	endp


;  S U B	R O U T	I N E 


; __stdcall Normalization__LoadClassMapExceptions(x)
_Normalization__LoadClassMapExceptions@4 proc near
					; CODE XREF: Normalization__LoadTables(x,x,x,x)+122p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, [ecx+1Ch]
		xor	dl, dl
		mov	dword ptr [ecx+3Eh], 0FFFFFFFFh
		mov	byte ptr [ecx+42h], 0FFh
		mov	al, [esi]

loc_9D59DC:				; CODE XREF: Normalization__LoadClassMapExceptions(x)+4Aj
		mov	bl, al
		cmp	al, 0D8h
		jnz	short loc_9D59E7
		mov	[ecx+3Eh], dl
		jmp	short loc_9D5A09
; 

loc_9D59E7:				; CODE XREF: Normalization__LoadClassMapExceptions(x)+1Aj
		cmp	al, 0DCh
		jnz	short loc_9D59F0
		mov	[ecx+3Fh], dl
		jmp	short loc_9D5A09
; 

loc_9D59F0:				; CODE XREF: Normalization__LoadClassMapExceptions(x)+23j
		cmp	al, 0DDh
		jnz	short loc_9D59F9
		mov	[ecx+40h], dl
		jmp	short loc_9D5A09
; 

loc_9D59F9:				; CODE XREF: Normalization__LoadClassMapExceptions(x)+2Cj
		cmp	al, 0E6h
		jnz	short loc_9D5A02
		mov	[ecx+41h], dl
		jmp	short loc_9D5A09
; 

loc_9D5A02:				; CODE XREF: Normalization__LoadClassMapExceptions(x)+35j
		cmp	al, 0E7h
		jnz	short loc_9D5A09
		mov	[ecx+42h], dl

loc_9D5A09:				; CODE XREF: Normalization__LoadClassMapExceptions(x)+1Fj
					; Normalization__LoadClassMapExceptions(x)+28j	...
		inc	dl
		inc	esi
		mov	al, [esi]
		cmp	al, bl
		jnb	short loc_9D59DC
		pop	esi
		pop	ebx
		retn
_Normalization__LoadClassMapExceptions@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	Normalization__LoadTables(int,void *)
_Normalization__LoadTables@16 proc near	; CODE XREF: RtlpGetNormalization(x,x)+97p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, edx
		push	44h		; size_t
		push	0		; int
		push	edi		; void *
		mov	ebx, ecx
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		movzx	eax, word ptr [esi+34h]
		shr	ecx, 1
		cmp	ecx, eax
		jb	loc_9D5B4B
		movzx	eax, word ptr [esi+36h]
		mov	[ebp+arg_4], eax
		cmp	ecx, eax
		jb	loc_9D5B4B
		movzx	edx, word ptr [esi+38h]
		cmp	ecx, edx
		jb	loc_9D5B4B
		movzx	eax, word ptr [esi+3Ah]
		cmp	ecx, eax
		jb	loc_9D5B4B
		movzx	eax, word ptr [esi+3Ch]
		cmp	ecx, eax
		jb	loc_9D5B4B
		movzx	eax, word ptr [esi+3Eh]
		cmp	ecx, eax
		jb	loc_9D5B4B
		movzx	eax, word ptr [esi+40h]
		cmp	ecx, eax
		jb	loc_9D5B4B
		movzx	eax, word ptr [esi+42h]
		cmp	ecx, eax
		jb	loc_9D5B4B
		sub	edx, [ebp+arg_4]
		cmp	edx, 1100h
		jnz	loc_9D5B4B
		mov	eax, [ebp+arg_0]
		mov	[edi+8], eax
		mov	[edi+4], esi
		movzx	eax, word ptr [esi+28h]
		mov	[edi], eax
		movzx	eax, word ptr [esi+2Ah]
		mov	[edi+0Ch], eax
		movzx	eax, word ptr [esi+2Ch]
		mov	[edi+10h], eax
		movzx	eax, word ptr [esi+36h]
		lea	eax, [esi+eax*2]
		mov	[edi+14h], eax
		movzx	eax, word ptr [esi+38h]
		lea	eax, [esi+eax*2]
		mov	[edi+18h], eax
		movzx	eax, word ptr [esi+2Eh]
		mov	[edi+20h], eax
		movzx	eax, word ptr [esi+3Ah]
		lea	eax, [esi+eax*2]
		mov	[edi+24h], eax
		movzx	eax, word ptr [esi+3Ch]
		lea	eax, [esi+eax*2]
		mov	[edi+28h], eax
		movzx	eax, word ptr [esi+3Eh]
		lea	eax, [esi+eax*2]
		mov	[edi+2Ch], eax
		movzx	eax, word ptr [esi+30h]
		mov	[edi+30h], eax
		test	eax, eax
		jnz	short loc_9D5B12
		mov	byte ptr [edi+3Ch], 1
		mov	[edi+34h], eax
		jmp	short loc_9D5B28
; 

loc_9D5B12:				; CODE XREF: Normalization__LoadTables(x,x,x,x)+F2j
		xor	eax, eax
		mov	[edi+3Ch], al
		movzx	eax, word ptr [esi+40h]
		lea	eax, [esi+eax*2]
		mov	[edi+34h], eax
		movzx	eax, word ptr [esi+42h]
		lea	eax, [esi+eax*2]

loc_9D5B28:				; CODE XREF: Normalization__LoadTables(x,x,x,x)+FBj
		mov	[edi+38h], eax
		mov	ecx, edi
		movzx	eax, word ptr [esi+34h]
		lea	eax, [esi+eax*2]
		mov	[edi+1Ch], eax
		call	_Normalization__LoadClassMapExceptions@4 ; Normalization__LoadClassMapExceptions(x)
		shr	ebx, 8
		not	bl
		and	bl, 1
		xor	eax, eax
		mov	[edi+3Dh], bl
		jmp	short loc_9D5B50
; 

loc_9D5B4B:				; CODE XREF: Normalization__LoadTables(x,x,x,x)+27j
					; Normalization__LoadTables(x,x,x,x)+36j ...
		mov	eax, 0C0000098h

loc_9D5B50:				; CODE XREF: Normalization__LoadTables(x,x,x,x)+134j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_Normalization__LoadTables@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Normalization__Normalize(x,	x, x, x, x, x)
_Normalization__Normalize@24 proc near	; CODE XREF: RtlpNormalizeStringWorker(x,x,x,x,x)+64p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		push	48h		; size_t
		xor	esi, esi
		lea	eax, [esp+5Ch+var_48]
		mov	ebx, edx
		mov	edi, ecx
		push	esi		; int
		push	eax		; void *
		mov	[esp+64h+var_4C], ebx
		call	_memset
		add	esp, 0Ch
		test	ebx, ebx
		jz	loc_9D5C67
		cmp	[ebp+arg_4], esi
		jz	loc_9D5C67
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jz	loc_9D5C67
		mov	edx, [esp+58h+var_4C]
		lea	ecx, [esp+58h+var_48]
		push	edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_NormBuffer__Construct@24 ; NormBuffer__Construct(x,x,x,x,x,x)
		mov	[ebx], esi

loc_9D5BB4:				; CODE XREF: Normalization__Normalize(x,x,x,x,x,x)+ABj
					; Normalization__Normalize(x,x,x,x,x,x)+B8j
		mov	ecx, [esp+58h+var_40]
		mov	edx, [esp+58h+var_44]
		cmp	ecx, edx
		jz	short loc_9D5C1E
		test	esi, esi
		jnz	short loc_9D5C2E
		movzx	edx, word ptr [ecx]
		add	ecx, 2
		mov	[esp+58h+var_40], ecx
		cmp	edx, [edi+10h]
		jl	short loc_9D5C04
		mov	eax, [edi+14h]
		mov	ecx, edx
		shr	ecx, 7
		mov	al, [ecx+eax]
		mov	byte ptr [esp+58h+var_4C], al
		test	al, al
		jz	short loc_9D5C04
		cmp	al, 0FBh
		jnz	short loc_9D5BF0
		cmp	byte ptr [edi+3Dh], 0
		jnz	short loc_9D5C04

loc_9D5BF0:				; CODE XREF: Normalization__Normalize(x,x,x,x,x,x)+91j
		lea	eax, [esp+58h+var_48]
		mov	ecx, edi
		push	eax
		push	[esp+5Ch+var_4C]
		call	_Normalization__NormalizeCharacter@16 ;	Normalization__NormalizeCharacter(x,x,x,x)
		mov	esi, eax
		jmp	short loc_9D5BB4
; 

loc_9D5C04:				; CODE XREF: Normalization__Normalize(x,x,x,x,x,x)+7Aj
					; Normalization__Normalize(x,x,x,x,x,x)+8Dj ...
		lea	ecx, [esp+58h+var_48]
		call	_NormBuffer__Append@8 ;	NormBuffer__Append(x,x)
		test	al, al
		jnz	short loc_9D5BB4
		mov	ecx, [esp+58h+var_40]
		mov	esi, 0C0000023h
		mov	edx, [esp+58h+var_44]

loc_9D5C1E:				; CODE XREF: Normalization__Normalize(x,x,x,x,x,x)+67j
		test	esi, esi
		jnz	short loc_9D5C2E
		mov	ecx, [esp+58h+var_34]
		sub	ecx, [esp+58h+var_3C]
		sar	ecx, 1
		jmp	short loc_9D5C61
; 

loc_9D5C2E:				; CODE XREF: Normalization__Normalize(x,x,x,x,x,x)+6Bj
					; Normalization__Normalize(x,x,x,x,x,x)+C9j
		cmp	esi, 0C0000023h
		jnz	short loc_9D5C5A
		mov	eax, [esp+58h+var_34]
		sub	edx, ecx
		sub	eax, [esp+58h+var_3C]
		sub	ecx, [esp+58h+var_48]
		sar	eax, 1
		sar	edx, 1
		inc	edx
		sar	ecx, 1
		push	eax
		push	edx
		mov	edx, ecx
		mov	ecx, edi
		call	_Normalization__GuessBetterCharCount@16	; Normalization__GuessBetterCharCount(x,x,x,x)
		mov	ecx, eax
		jmp	short loc_9D5C61
; 

loc_9D5C5A:				; CODE XREF: Normalization__Normalize(x,x,x,x,x,x)+DDj
		sub	ecx, [esp+58h+var_48]
		sar	ecx, 1
		dec	ecx

loc_9D5C61:				; CODE XREF: Normalization__Normalize(x,x,x,x,x,x)+D5j
					; Normalization__Normalize(x,x,x,x,x,x)+101j
		mov	[ebx], ecx
		mov	eax, esi
		jmp	short loc_9D5C6C
; 

loc_9D5C67:				; CODE XREF: Normalization__Normalize(x,x,x,x,x,x)+2Aj
					; Normalization__Normalize(x,x,x,x,x,x)+33j ...
		mov	eax, 0C000000Dh

loc_9D5C6C:				; CODE XREF: Normalization__Normalize(x,x,x,x,x,x)+10Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_Normalization__Normalize@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Normalization__NormalizeCharacter(x, x, x, x)
_Normalization__NormalizeCharacter@16 proc near
					; CODE XREF: Normalization__AppendDecomposedChar(x,x,x)+AEp
					; Normalization__Normalize(x,x,x,x,x,x)+A4p

var_10		= dword	ptr -10h
var_9		= dword	ptr -9
var_5		= dword	ptr -5
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		push	edi
		mov	edi, edx

loc_9D5C87:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+D3j
		mov	al, byte ptr [ebp+arg_0]
		jmp	loc_9D5E24
; 

loc_9D5C8F:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+114j
					; Normalization__NormalizeCharacter(x,x,x,x)+1B1j
		movzx	ecx, al
		mov	eax, ecx
		sub	eax, 0
		jz	loc_9D63AD
		sub	eax, 0FBh
		jz	loc_9D639D
		sub	eax, 1
		jz	loc_9D63A3
		sub	eax, 1
		jz	loc_9D638E
		sub	eax, 1
		jz	loc_9D5DE2
		sub	eax, 1
		jz	loc_9D5D4D
		mov	eax, edi
		shl	ecx, 7
		and	eax, 7Fh
		add	ecx, eax
		mov	eax, [ebx+18h]
		mov	dl, [ecx+eax-80h]
		test	dl, dl
		jz	loc_9D61F7
		mov	cl, dl
		mov	al, dl
		and	cl, 0C0h
		and	al, 3Fh
		mov	[ebp+var_1], cl
		mov	byte ptr [ebp+var_5], cl
		mov	byte ptr [ebp+arg_4+3],	al
		mov	byte ptr [ebp+var_9], al
		jz	short loc_9D5D04
		cmp	al, 3Fh
		jnz	loc_9D5E2E

loc_9D5D04:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+85j
		movzx	eax, dl
		sub	eax, 7Fh
		jz	loc_9D61ED
		sub	eax, 40h
		jz	loc_9D638E
		sub	eax, 1
		jnz	loc_9D61B3
		push	edi
		mov	ecx, esi
		call	_NormBuffer__GetLastChar@4 ; NormBuffer__GetLastChar(x)
		mov	edx, eax
		mov	ecx, ebx
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	loc_9D61CC
		mov	ecx, esi
		call	_NormBuffer__RewindOutputCharacter@4 ; NormBuffer__RewindOutputCharacter(x)
		mov	edi, [ebp+arg_4]
		jmp	loc_9D5C87
; 

loc_9D5D4D:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+51j
		cmp	edi, 0AC00h
		jl	short loc_9D5D8E
		mov	ecx, edi
		call	_IsHangulS@4	; IsHangulS(x)
		test	al, al
		jnz	loc_9D621A
		cmp	edi, 0D7B0h
		jl	short loc_9D5D74
		cmp	edi, 0D7C6h
		jle	short loc_9D5DD4

loc_9D5D74:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+F5j
		cmp	edi, 0D7CBh
		jl	short loc_9D5D84
		cmp	edi, 0D7FBh
		jle	short loc_9D5DD4

loc_9D5D84:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+105j
					; Normalization__NormalizeCharacter(x,x,x,x)+15Dj
		mov	al, 0FBh
		mov	byte ptr [ebp+arg_0], al
		jmp	loc_9D5C8F
; 

loc_9D5D8E:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+DEj
		lea	eax, [edi-1100h]
		cmp	eax, 12h
		jbe	loc_9D6336
		lea	eax, [edi-1161h]
		cmp	eax, 14h
		jbe	loc_9D6307
		lea	eax, [edi-11A8h]
		cmp	eax, 1Ah
		jbe	loc_9D62DD
		mov	eax, [ebx]
		cmp	eax, 10Dh
		jz	short loc_9D5DC9
		cmp	eax, 0Dh
		jnz	short loc_9D5DD4

loc_9D5DC9:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+14Dj
		lea	eax, [edi-115Fh]
		cmp	eax, 1
		jbe	short loc_9D5D84

loc_9D5DD4:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+FDj
					; Normalization__NormalizeCharacter(x,x,x,x)+10Dj ...
		mov	edx, edi
		mov	ecx, esi
		call	_NormBuffer__Append@8 ;	NormBuffer__Append(x,x)
		jmp	loc_9D61DB
; 

loc_9D5DE2:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+48j
		mov	ecx, [esi+8]
		cmp	ecx, [esi+4]
		jz	loc_9D63A3
		lea	eax, [ecx+2]
		mov	edx, 3FFh
		movzx	ecx, word ptr [ecx]
		mov	[esi+8], eax
		lea	eax, [ecx+2400h]
		cmp	ax, dx
		ja	loc_9D63A3
		mov	eax, [ebx+14h]
		add	edi, 0FFFF2809h
		shl	edi, 0Ah
		add	edi, ecx
		mov	ecx, edi
		sar	ecx, 7
		mov	al, [ecx+eax]
		mov	byte ptr [ebp+arg_0], al

loc_9D5E24:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+15j
		test	al, al
		jnz	loc_9D5C8F
		jmp	short loc_9D5DD4
; 

loc_9D5E2E:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+89j
		test	cl, cl
		jz	loc_9D6186
		cmp	cl, 40h
		jz	loc_9D6186
		mov	ecx, esi
		call	_NormBuffer__GetLastChar@4 ; NormBuffer__GetLastChar(x)
		mov	ecx, esi
		call	_NormBuffer__VerifyLastStart@4 ; NormBuffer__VerifyLastStart(x)
		cmp	[ebp+var_1], 80h
		jz	loc_9D6179
		mov	al, [esi+35h]
		or	al, [esi+34h]
		jz	loc_9D6179
		cmp	al, 0C0h
		jz	loc_9D6179
		mov	cl, [esi+28h]
		mov	byte ptr [ebp+arg_0+3],	cl
		test	cl, cl
		jz	loc_9D612D
		cmp	cl, 3Fh
		jz	loc_9D612D
		mov	al, [esi+29h]
		test	al, al
		jz	loc_9D603C
		cmp	al, 40h
		jz	loc_9D5FB4
		mov	dl, byte ptr [ebp+arg_4+3]
		mov	ecx, esi
		call	_NormBuffer__IsBlocked@8 ; NormBuffer__IsBlocked(x,x)
		test	al, al
		jnz	loc_9D5F99
		mov	cl, [esi+34h]
		mov	byte ptr [ebp+arg_0+3],	cl
		test	cl, cl
		jz	short loc_9D5EBC
		cmp	cl, 3Fh
		jz	short loc_9D5EBC
		cmp	byte ptr [esi+35h], 40h
		jnz	short loc_9D5F1E

loc_9D5EBC:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+23Aj
					; Normalization__NormalizeCharacter(x,x,x,x)+23Fj
		mov	edx, [esi+30h]
		mov	ecx, ebx
		push	edi
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_9D5F0E
		mov	ecx, [ebx+14h]
		mov	edx, eax
		mov	edi, [ebp+var_10]
		sar	edx, 7
		mov	[esi+30h], edi
		movzx	edx, byte ptr [edx+ecx]
		mov	ecx, eax
		mov	eax, [ebx+18h]
		and	ecx, 7Fh
		shl	edx, 7
		add	edx, ecx
		mov	cl, [edx+eax-80h]
		mov	eax, [esi+2Ch]
		mov	dl, cl
		and	dl, 0C0h
		and	cl, 3Fh
		mov	[esi+34h], cl
		cmp	dl, 40h
		mov	[esi+35h], dl
		mov	[eax-2], di
		jmp	loc_9D611B
; 

loc_9D5F0E:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+257j
		mov	cl, byte ptr [ebp+arg_0+3]
		test	cl, cl
		jz	loc_9D5F99
		cmp	cl, 3Fh
		jz	short loc_9D5F99

loc_9D5F1E:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+245j
		mov	al, byte ptr [ebp+arg_4+3]
		cmp	cl, al
		jbe	short loc_9D5F99
		cmp	cl, [ebx+40h]
		jnz	short loc_9D5F36
		cmp	al, [ebx+3Eh]
		jb	short loc_9D5F7D
		cmp	al, [ebx+3Fh]
		jnz	short loc_9D5F99
		jmp	short loc_9D5F40
; 

loc_9D5F36:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+2B3j
		cmp	cl, [ebx+42h]
		jnz	short loc_9D5F7D
		cmp	al, [ebx+41h]
		jnz	short loc_9D5F7D

loc_9D5F40:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+2BFj
		mov	ecx, esi
		call	_NormBuffer__LastStartBasePair@4 ; NormBuffer__LastStartBasePair(x)
		push	edi
		mov	edx, eax
		mov	ecx, ebx
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_9D5F99
		mov	ecx, [ebx+14h]
		mov	edx, eax
		sar	edx, 7
		movzx	edx, byte ptr [edx+ecx]
		mov	ecx, eax
		mov	eax, [ebx+18h]
		and	ecx, 7Fh
		shl	edx, 7
		add	edx, ecx
		mov	al, [edx+eax-80h]
		mov	edx, [ebp+arg_0]
		jmp	loc_9D60A2
; 

loc_9D5F7D:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+2B8j
					; Normalization__NormalizeCharacter(x,x,x,x)+2C4j ...
		push	edi
		mov	ecx, esi
		call	_NormBuffer__LastStartBase@4 ; NormBuffer__LastStartBase(x)
		mov	edx, eax
		mov	ecx, ebx
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	loc_9D60D8

loc_9D5F99:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+22Cj
					; Normalization__NormalizeCharacter(x,x,x,x)+29Ej ...
		mov	eax, [esi+40h]
		mov	ecx, esi
		mov	edx, edi
		cmp	eax, [esi+14h]
		jz	loc_9D61D0
		push	eax
		call	_NormBuffer__Insert@12 ; NormBuffer__Insert(x,x,x)
		jmp	loc_9D61DB
; 

loc_9D5FB4:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+21Aj
		mov	edx, [esi+30h]
		mov	ecx, ebx
		push	edi
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_9D6039
		mov	ecx, esi
		call	_NormBuffer__RewindOutputCharacter@4 ; NormBuffer__RewindOutputCharacter(x)
		mov	edi, [ebp+var_10]
		mov	edx, edi
		mov	ecx, [ebx+14h]
		mov	eax, edi
		sar	edx, 7
		and	eax, 7Fh
		movzx	ecx, byte ptr [edx+ecx]
		mov	edx, edi
		shl	ecx, 7
		add	ecx, eax
		mov	eax, [ebx+18h]
		mov	cl, [ecx+eax-80h]
		mov	al, cl
		and	cl, 3Fh
		and	al, 0C0h
		movzx	eax, al
		push	eax
		movzx	eax, cl
		mov	ecx, esi
		push	eax
		call	_NormBuffer__AppendEx@16 ; NormBuffer__AppendEx(x,x,x,x)
		test	al, al
		jz	loc_9D61E3
		mov	eax, [esi+24h]
		and	dword ptr [esi+3Ch], 0
		add	eax, 2
		and	dword ptr [esi+38h], 0
		mov	[esi+2Ch], eax
		mov	eax, [esi+20h]
		mov	[esi+30h], eax
		mov	al, [esi+28h]
		mov	[esi+34h], al
		mov	al, [esi+29h]
		mov	[esi+35h], al

loc_9D6030:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x):loc_9D611Bj
					; Normalization__NormalizeCharacter(x,x,x,x)+4B3j ...
		xor	eax, eax

loc_9D6032:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+573j
					; Normalization__NormalizeCharacter(x,x,x,x)+723j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_9D6039:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+34Fj
		mov	cl, byte ptr [ebp+arg_0+3]

loc_9D603C:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+212j
		mov	al, byte ptr [ebp+arg_4+3]
		cmp	cl, al
		jbe	loc_9D61CC
		cmp	cl, [ebx+40h]
		jnz	short loc_9D605C
		cmp	al, [ebx+3Eh]
		jb	short loc_9D60BC
		cmp	al, [ebx+3Fh]
		jnz	loc_9D61CC
		jmp	short loc_9D6066
; 

loc_9D605C:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+3D5j
		cmp	cl, [ebx+42h]
		jnz	short loc_9D60BC
		cmp	al, [ebx+41h]
		jnz	short loc_9D60BC

loc_9D6066:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+3E5j
		mov	ecx, esi
		call	_NormBuffer__LastStartBasePair@4 ; NormBuffer__LastStartBasePair(x)
		push	edi
		mov	edx, eax
		mov	ecx, ebx
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_9D61CC
		mov	ecx, [ebx+14h]
		mov	edx, eax
		sar	edx, 7
		movzx	edx, byte ptr [edx+ecx]
		mov	ecx, eax
		mov	eax, [ebx+18h]
		and	ecx, 7Fh
		shl	edx, 7
		add	edx, ecx
		mov	al, [edx+eax-80h]
		mov	edx, [ebp+arg_0]

loc_9D60A2:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+303j
		mov	bl, al
		mov	ecx, esi
		and	bl, 0C0h
		and	al, 3Fh
		mov	byte ptr [ebp+var_5], bl
		push	[ebp+var_5]
		movzx	eax, al
		push	eax
		call	_NormBuffer__ReplaceLastStartBasePair@16 ; NormBuffer__ReplaceLastStartBasePair(x,x,x,x)
		jmp	short loc_9D6110
; 

loc_9D60BC:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+3DAj
					; Normalization__NormalizeCharacter(x,x,x,x)+3EAj ...
		push	edi
		mov	ecx, esi
		call	_NormBuffer__LastStartBase@4 ; NormBuffer__LastStartBase(x)
		mov	edx, eax
		mov	ecx, ebx
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_9D61CC

loc_9D60D8:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+31Ej
		mov	ecx, [ebx+14h]
		mov	edx, eax
		sar	edx, 7
		movzx	edx, byte ptr [edx+ecx]
		mov	ecx, eax
		mov	eax, [ebx+18h]
		and	ecx, 7Fh
		shl	edx, 7
		add	edx, ecx
		mov	ecx, esi
		mov	al, [edx+eax-80h]
		mov	edx, [ebp+arg_0]
		mov	bl, al
		and	bl, 0C0h
		and	al, 3Fh
		mov	byte ptr [ebp+var_5], bl
		push	[ebp+var_5]
		movzx	eax, al
		push	eax
		call	_NormBuffer__ReplaceLastStartBase@16 ; NormBuffer__ReplaceLastStartBase(x,x,x,x)

loc_9D6110:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+445j
		test	al, al
		jz	loc_9D61E3
		cmp	bl, 40h

loc_9D611B:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+294j
		jnz	loc_9D6030
		mov	ecx, esi
		call	_NormBuffer__RecheckStartCombinations@4	; NormBuffer__RecheckStartCombinations(x)
		jmp	loc_9D6030
; 

loc_9D612D:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+1FEj
					; Normalization__NormalizeCharacter(x,x,x,x)+207j
		mov	edx, [esi+30h]
		mov	ecx, ebx
		push	edi
		call	_Normalization__CanCombinableCharactersCombine@12 ; Normalization__CanCombinableCharactersCombine(x,x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_9D61CC
		mov	ecx, esi
		call	_NormBuffer__RewindOutputCharacter@4 ; NormBuffer__RewindOutputCharacter(x)
		mov	eax, [ebp+arg_0]
		mov	edi, eax
		mov	ecx, [ebx+14h]
		mov	edx, eax
		sar	edx, 7
		and	eax, 7Fh
		movzx	ecx, byte ptr [edx+ecx]
		shl	ecx, 7
		add	ecx, eax
		mov	eax, [ebx+18h]
		mov	cl, [ecx+eax-80h]
		mov	al, cl
		and	al, 0C0h
		and	cl, 3Fh
		mov	byte ptr [ebp+var_5], al
		mov	byte ptr [ebp+var_9], cl
		jmp	short loc_9D61CC
; 

loc_9D6179:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+1DCj
					; Normalization__NormalizeCharacter(x,x,x,x)+1E8j ...
		mov	dl, byte ptr [ebp+arg_4+3]
		call	_NormBuffer__IsBlocked@8 ; NormBuffer__IsBlocked(x,x)
		jmp	loc_9D5F99
; 

loc_9D6186:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+1BBj
					; Normalization__NormalizeCharacter(x,x,x,x)+1C4j
		push	[ebp+var_5]
		mov	edx, edi
		mov	ecx, esi
		push	[ebp+var_9]
		call	_NormBuffer__AppendEx@16 ; NormBuffer__AppendEx(x,x,x,x)
		test	al, al
		jz	short loc_9D61E3
		mov	eax, [esi+14h]
		mov	[esi+2Ch], eax
		mov	al, byte ptr [ebp+arg_4+3]
		mov	[esi+34h], al
		mov	al, [ebp+var_1]
		mov	[esi+30h], edi
		mov	[esi+35h], al
		jmp	loc_9D6030
; 

loc_9D61B3:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+A7j
		sub	eax, 3Fh
		jnz	short loc_9D61CC
		test	edi, edi
		jnz	loc_9D63A3
		mov	eax, [esi+8]
		cmp	eax, [esi+4]
		jnz	loc_9D63A3

loc_9D61CC:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+C3j
					; Normalization__NormalizeCharacter(x,x,x,x)+3CCj ...
		mov	ecx, esi
		mov	edx, edi

loc_9D61D0:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+32Ej
		push	[ebp+var_5]
		push	[ebp+var_9]
		call	_NormBuffer__AppendEx@16 ; NormBuffer__AppendEx(x,x,x,x)

loc_9D61DB:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+168j
					; Normalization__NormalizeCharacter(x,x,x,x)+33Aj
		test	al, al
		jnz	loc_9D6030

loc_9D61E3:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+392j
					; Normalization__NormalizeCharacter(x,x,x,x)+49Dj ...
		mov	eax, 0C0000023h
		jmp	loc_9D6032
; 

loc_9D61ED:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+95j
		cmp	byte ptr [ebx+3Dh], 0
		jz	loc_9D63A3

loc_9D61F7:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+6Aj
		xor	ebx, ebx
		mov	edx, edi
		push	ebx
		push	ebx
		mov	ecx, esi
		call	_NormBuffer__AppendEx@16 ; NormBuffer__AppendEx(x,x,x,x)
		test	al, al
		jz	short loc_9D61E3
		mov	eax, [esi+14h]
		mov	[esi+2Ch], eax
		mov	[esi+30h], edi
		mov	[esi+34h], bx
		jmp	loc_9D6030
; 

loc_9D621A:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+E9j
		cmp	byte ptr [ebx+3Ch], 1
		jz	short loc_9D6250
		mov	ecx, edi
		call	_IsHangulLV@4	; IsHangulLV(x)
		test	al, al
		jz	loc_9D5DD4
		mov	ebx, [esi+8]
		cmp	ebx, [esi+4]
		jz	loc_9D5DD4
		lea	eax, [ebx+2]
		mov	ecx, edi
		mov	[esi+8], eax
		jmp	loc_9D6371
; 

loc_9D6248:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+706j
		mov	[esi+8], ebx
		jmp	loc_9D5DD4
; 

loc_9D6250:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+5A9j
		lea	eax, [edi-0AC00h]
		mov	ecx, 24Ch
		cdq
		idiv	ecx
		push	0
		add	eax, 1100h
		mov	ebx, edx
		push	0
		movzx	edx, ax
		mov	ecx, esi
		call	_NormBuffer__AppendEx@16 ; NormBuffer__AppendEx(x,x,x,x)
		test	al, al
		jz	loc_9D61E3
		push	1Ch
		pop	ecx
		mov	eax, ebx
		cdq
		idiv	ecx
		push	0
		add	eax, 1161h
		mov	ecx, esi
		movzx	ebx, ax
		push	0
		mov	edx, ebx
		call	_NormBuffer__AppendEx@16 ; NormBuffer__AppendEx(x,x,x,x)
		test	al, al
		jz	loc_9D61E3
		mov	ecx, edi
		call	_GetHangulT@4	; GetHangulT(x)
		movzx	edi, ax
		test	di, di
		jz	short loc_9D62C6
		push	0
		push	0
		mov	edx, edi
		mov	ecx, esi
		call	_NormBuffer__AppendEx@16 ; NormBuffer__AppendEx(x,x,x,x)
		test	al, al
		jz	loc_9D61E3
		mov	ebx, edi

loc_9D62C6:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+638j
		mov	eax, [esi+14h]
		mov	[esi+2Ch], eax
		movzx	eax, bx
		mov	[esi+30h], eax

loc_9D62D2:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+752j
		mov	word ptr [esi+34h], 0
		jmp	loc_9D6030
; 

loc_9D62DD:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+140j
		mov	ecx, esi
		call	_NormBuffer__GetLastChar@4 ; NormBuffer__GetLastChar(x)
		mov	ebx, eax
		mov	ecx, ebx
		call	_IsHangulLV@4	; IsHangulLV(x)
		test	al, al
		jz	loc_9D5DD4
		mov	ecx, esi
		call	_NormBuffer__RewindOutputCharacter@4 ; NormBuffer__RewindOutputCharacter(x)
		mov	edx, edi
		mov	ecx, ebx
		call	_ComposeHangulLVT@8 ; ComposeHangulLVT(x,x)
		jmp	short loc_9D632F
; 

loc_9D6307:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+131j
		mov	ecx, esi
		call	_NormBuffer__GetLastChar@4 ; NormBuffer__GetLastChar(x)
		mov	ebx, eax
		lea	ecx, [ebx-1100h]
		cmp	ecx, 12h
		ja	loc_9D5DD4
		mov	ecx, esi
		call	_NormBuffer__RewindOutputCharacter@4 ; NormBuffer__RewindOutputCharacter(x)
		mov	edx, edi
		mov	ecx, ebx
		call	_ComposeHangulLV@8 ; ComposeHangulLV(x,x)

loc_9D632F:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+690j
					; Normalization__NormalizeCharacter(x,x,x,x)+70Cj
		mov	edi, eax
		jmp	loc_9D5DD4
; 

loc_9D6336:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+122j
		mov	eax, [esi+8]
		mov	ecx, [esi+4]
		mov	[ebp+arg_4], eax
		mov	[ebp+arg_0], ecx
		cmp	eax, ecx
		jz	loc_9D5DD4
		movzx	edx, word ptr [eax]
		lea	ebx, [eax+2]
		mov	ecx, edi
		mov	[esi+8], ebx
		call	_ComposeHangulLV@8 ; ComposeHangulLV(x,x)
		test	eax, eax
		jz	short loc_9D6383
		mov	edi, eax
		cmp	ebx, [ebp+arg_0]
		jz	loc_9D5DD4
		lea	ecx, [ebx+2]
		mov	[esi+8], ecx
		mov	ecx, eax

loc_9D6371:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+5CEj
		movzx	edx, word ptr [ebx]
		call	_ComposeHangulLVT@8 ; ComposeHangulLVT(x,x)
		test	eax, eax
		jz	loc_9D6248
		jmp	short loc_9D632F
; 

loc_9D6383:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+6E7j
		mov	eax, [ebp+arg_4]
		mov	[esi+8], eax
		jmp	loc_9D5DD4
; 

loc_9D638E:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+3Fj
					; Normalization__NormalizeCharacter(x,x,x,x)+9Ej
		push	esi
		mov	edx, edi
		mov	ecx, ebx
		call	_Normalization__AppendDecomposedChar@12	; Normalization__AppendDecomposedChar(x,x,x)
		jmp	loc_9D6032
; 

loc_9D639D:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+2Dj
		cmp	byte ptr [ebx+3Dh], 0
		jnz	short loc_9D63AD

loc_9D63A3:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+36j
					; Normalization__NormalizeCharacter(x,x,x,x)+173j ...
		mov	eax, 0C0000717h
		jmp	loc_9D6032
; 

loc_9D63AD:				; CODE XREF: Normalization__NormalizeCharacter(x,x,x,x)+22j
					; Normalization__NormalizeCharacter(x,x,x,x)+72Cj
		mov	edx, edi
		mov	ecx, esi
		call	_NormBuffer__Append@8 ;	NormBuffer__Append(x,x)
		test	al, al
		jz	loc_9D61E3
		mov	eax, [esi+14h]
		mov	[esi+2Ch], eax
		mov	[esi+30h], edi
		jmp	loc_9D62D2
_Normalization__NormalizeCharacter@16 endp


;  S U B	R O U T	I N E 


; __stdcall Normalization__PageLookup(x, x)
_Normalization__PageLookup@8 proc near	; CODE XREF: NormBuffer__GetLastChar(x)+48p
					; NormBuffer__IsBlocked(x,x)+3Fp ...
		mov	eax, [ecx+14h]
		sar	edx, 7
		mov	al, [edx+eax]
		retn
_Normalization__PageLookup@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Normalization__TableLookup(x, x, x)
_Normalization__TableLookup@12 proc near ; CODE	XREF: NormBuffer__GetLastChar(x)+5Dp
					; NormBuffer__IsBlocked(x,x)+4Dp ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+18h]
		and	edx, 7Fh
		push	esi
		movzx	esi, [ebp+arg_0]
		shl	esi, 7
		add	esi, edx
		mov	al, [esi+eax-80h]
		pop	esi
		pop	ebp
		retn	4
_Normalization__TableLookup@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2216. RtlIsNormalizedString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlIsNormalizedString(x, x,	x, x)
		public _RtlIsNormalizedString@16
_RtlIsNormalizedString@16 proc near	; CODE XREF: RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+11Ep
					; RtlpIdnToUnicodeWorker(x,x,x,x,x,x,x)+1CEp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	[ebp+var_4], ebx
		cmp	[ebp+arg_4], ebx
		jz	short loc_9D6459
		cmp	[ebp+arg_C], ebx
		jz	short loc_9D6459
		mov	esi, [ebp+arg_8]
		cmp	esi, 0FFFFFFFFh
		jl	short loc_9D6459
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_9D6459
		lea	edx, [ebp+var_4]
		call	_RtlpGetNormalization@8	; RtlpGetNormalization(x,x)
		test	eax, eax
		js	short loc_9D645E
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_9D6448
		mov	ecx, [ebp+arg_4]
		lea	edx, [ecx+2]

loc_9D6436:				; CODE XREF: RtlIsNormalizedString(x,x,x,x)+46j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_9D6436
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [ecx+1]

loc_9D6448:				; CODE XREF: RtlIsNormalizedString(x,x,x,x)+35j
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		push	esi
		call	_Normalization__IsNormalized@16	; Normalization__IsNormalized(x,x,x,x)
		jmp	short loc_9D645E
; 

loc_9D6459:				; CODE XREF: RtlIsNormalizedString(x,x,x,x)+10j
					; RtlIsNormalizedString(x,x,x,x)+15j ...
		mov	eax, 0C000000Dh

loc_9D645E:				; CODE XREF: RtlIsNormalizedString(x,x,x,x)+30j
					; RtlIsNormalizedString(x,x,x,x)+5Ej
		pop	esi
		pop	ebx
		leave
		retn	10h
_RtlIsNormalizedString@16 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2259. RtlNormalizeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlNormalizeString(x, x, x,	x, x)
		public _RtlNormalizeString@20
_RtlNormalizeString@20 proc near	; CODE XREF: RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+147p
					; RtlpNameprepAsciiRealWorker(x,x,x,x,x,x,x,x,x,x)+194p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		cmp	[ebp+arg_4], 0
		push	esi
		jz	short loc_9D64AF
		cmp	[ebp+arg_8], 0FFFFFFFFh
		jl	short loc_9D64AF
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_9D64AF
		mov	esi, [ebp+arg_10]
		cmp	dword ptr [esi], 0
		jl	short loc_9D64AF
		lea	edx, [ebp+var_4]
		call	_RtlpGetNormalization@8	; RtlpGetNormalization(x,x)
		test	eax, eax
		js	short loc_9D64B4
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_RtlpNormalizeStringWorker@20 ;	RtlpNormalizeStringWorker(x,x,x,x,x)
		jmp	short loc_9D64B4
; 

loc_9D64AF:				; CODE XREF: RtlNormalizeString(x,x,x,x,x)+Fj
					; RtlNormalizeString(x,x,x,x,x)+15j ...
		mov	eax, 0C000000Dh

loc_9D64B4:				; CODE XREF: RtlNormalizeString(x,x,x,x,x)+30j
					; RtlNormalizeString(x,x,x,x,x)+44j
		pop	esi
		leave
		retn	14h
_RtlNormalizeString@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpNormalizeStringWorker(x, x, x, x, x)
_RtlpNormalizeStringWorker@20 proc near	; CODE XREF: RtlNormalizeString(x,x,x,x,x)+3Fp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, ecx
		push	edi
		mov	edi, [ebp+arg_8]
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		mov	[ebp+arg_8], ecx
		mov	ebx, [edi]
		mov	[edi], ecx
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_9D64F6
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_9D64E0:				; CODE XREF: RtlpNormalizeStringWorker(x,x,x,x,x)+31j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+arg_8]
		jnz	short loc_9D64E0
		mov	eax, [ebp+var_4]
		sub	ecx, esi
		sar	ecx, 1
		lea	esi, [ecx+1]

loc_9D64F6:				; CODE XREF: RtlpNormalizeStringWorker(x,x,x,x,x)+20j
		test	ebx, ebx
		jle	short loc_9D6524
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_9D6524
		lea	eax, [edx+esi*2]
		cmp	ecx, eax
		jnb	short loc_9D6516
		lea	eax, [ecx+ebx*2]
		cmp	eax, edx
		jbe	short loc_9D6516
		mov	eax, 0C000000Dh
		jmp	short loc_9D652D
; 

loc_9D6516:				; CODE XREF: RtlpNormalizeStringWorker(x,x,x,x,x)+4Dj
					; RtlpNormalizeStringWorker(x,x,x,x,x)+54j
		push	edi
		push	ebx
		push	ecx
		mov	ecx, [ebp+var_4]
		push	esi
		call	_Normalization__Normalize@24 ; Normalization__Normalize(x,x,x,x,x,x)
		jmp	short loc_9D652D
; 

loc_9D6524:				; CODE XREF: RtlpNormalizeStringWorker(x,x,x,x,x)+3Fj
					; RtlpNormalizeStringWorker(x,x,x,x,x)+46j
		push	edi
		push	esi
		mov	ecx, eax
		call	_Normalization__GuessCharCount@16 ; Normalization__GuessCharCount(x,x,x,x)

loc_9D652D:				; CODE XREF: RtlpNormalizeStringWorker(x,x,x,x,x)+5Bj
					; RtlpNormalizeStringWorker(x,x,x,x,x)+69j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_RtlpNormalizeStringWorker@20 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2284. RtlQueryAllFeatureConfigurations

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlQueryAllFeatureConfigurations(int,int,void *,int)
		public _RtlQueryAllFeatureConfigurations@16
_RtlQueryAllFeatureConfigurations@16 proc near

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_4]
		mov	ebx, offset unk_6CE168
		mov	[ebp+var_C], edi
		push	eax
		lea	edx, [ebp+var_C]
		mov	[ebp+var_8], edi
		mov	ecx, ebx
		mov	[ebp+var_4], edi
		call	_RtlpFcBufferManagerReferenceBuffers@12	; RtlpFcBufferManagerReferenceBuffers(x,x,x)
		mov	ecx, [ebp+arg_0]
		call	_RtlpFcValidateFeatureConfigurationType@4 ; RtlpFcValidateFeatureConfigurationType(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D65A9
		push	[ebp+arg_C]	; int
		mov	edx, [ebp+arg_8] ; void	*
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 1
		mov	ecx, [ebp+ecx*4+var_14]
		shl	ecx, 4
		add	ecx, [ebp+var_4] ; int
		call	_RtlpFcQueryAllFeatureConfigurationsFromBuffers@12 ; RtlpFcQueryAllFeatureConfigurationsFromBuffers(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D65A9
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_9D65A7
		mov	eax, [ebp+var_C]
		mov	[esi], eax
		mov	eax, [ebp+var_8]
		mov	[esi+4], eax

loc_9D65A7:				; CODE XREF: RtlQueryAllFeatureConfigurations(x,x,x,x)+61j
		mov	esi, edi

loc_9D65A9:				; CODE XREF: RtlQueryAllFeatureConfigurations(x,x,x,x)+35j
					; RtlQueryAllFeatureConfigurations(x,x,x,x)+5Aj
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_RtlpFcBufferManagerDereferenceBuffers@8 ; RtlpFcBufferManagerDereferenceBuffers(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_RtlQueryAllFeatureConfigurations@16 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2387. RtlUnregisterFeatureConfigurationChangeNotification

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUnregisterFeatureConfigurationChangeNotification(x)
		public _RtlUnregisterFeatureConfigurationChangeNotification@4
_RtlUnregisterFeatureConfigurationChangeNotification@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		call	_CmFcManagerUnregisterFeatureConfigurationChangeNotification@8 ; CmFcManagerUnregisterFeatureConfigurationChangeNotification(x,x)
		pop	ebp
		retn	4
_RtlUnregisterFeatureConfigurationChangeNotification@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpFcGetBufferManager()
_RtlpFcGetBufferManager@0 proc near	; CODE XREF: RtlQueryFeatureConfiguration(x,x,x,x):loc_5094E0p
		mov	eax, offset unk_6CE168
		retn
_RtlpFcGetBufferManager@0 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2276. RtlOsDeploymentState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlOsDeploymentState(x)
		public _RtlOsDeploymentState@4
_RtlOsDeploymentState@4	proc near

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
ms_exc		= CPPEH_RECORD ptr -18h

		push	54h
		push	offset dword_6A92A0
		call	__SEH_prolog4_GS
		xor	ebx, ebx
		mov	[ebp+var_34], ebx
		xor	esi, esi
		inc	esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_3C], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_64]
		rep stosd
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+ms_exc.disabled], ebx
		push	offset ??_C@_1DO@PGOAJPNE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_64], 18h
		mov	[ebp+var_60], ebx
		mov	[ebp+var_58], 240h
		lea	eax, [ebp+var_44]
		mov	[ebp+var_5C], eax
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ebx
		lea	eax, [ebp+var_64]
		push	eax
		push	20019h
		lea	eax, [ebp+var_34]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_9D6692
		push	(offset	loc_8BF051+1)
		lea	eax, [ebp+var_4C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_3C]
		push	eax
		push	14h
		lea	eax, [ebp+var_30]
		push	eax
		push	2
		lea	eax, [ebp+var_4C]
		push	eax
		push	[ebp+var_34]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9D6692
		cmp	[ebp+var_2C], 4
		jnz	short loc_9D6692
		cmp	[ebp+var_28], 4
		jnz	short loc_9D6692
		cmp	[ebp+var_24], ebx
		jz	short loc_9D6692
		push	2
		pop	esi
		mov	[ebp+var_38], esi

loc_9D6692:				; CODE XREF: RtlOsDeploymentState(x)+72j
					; RtlOsDeploymentState(x)+9Cj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_9D66B5
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_RtlOsDeploymentState@4	endp


;  S U B	R O U T	I N E 


sub_9D66B2	proc near		; DATA XREF: .text:006A92B8o
		mov	esi, [ebp-38h]
sub_9D66B2	endp


;  S U B	R O U T	I N E 


sub_9D66B5	proc near		; CODE XREF: RtlOsDeploymentState(x)+BCp
		cmp	dword ptr [ebp-34h], 0
		jz	short locret_9D66C3
		push	dword ptr [ebp-34h]
		call	_ZwClose@4	; ZwClose(x)

locret_9D66C3:				; CODE XREF: sub_9D66B5+4j
		retn
sub_9D66B5	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2280. RtlPcToFilePath

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlPcToFilePath(x, x)
		public _RtlPcToFilePath@8
_RtlPcToFilePath@8 proc	near		; CODE XREF: KitLogFeatureUsage(x,x,x)+DEp
					; EtwpLocateBinaryForRegEntry(x,x,x)+1Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	ebx, offset _PsLoadedModuleResource
		push	ebx
		call	ExAcquireResourceSharedLite
		mov	ecx, _PsLoadedModuleList
		test	ecx, ecx
		jz	short loc_9D6718
		mov	edi, offset _PsLoadedModuleList
		jmp	short loc_9D6714
; 

loc_9D66FE:				; CODE XREF: RtlPcToFilePath(x,x)+4Dj
		lea	edx, [ecx]
		mov	ecx, [ecx]
		mov	esi, [edx+18h]
		cmp	[ebp+arg_0], esi
		jb	short loc_9D6714
		mov	eax, [edx+20h]
		add	eax, esi
		cmp	[ebp+arg_0], eax
		jb	short loc_9D6733

loc_9D6714:				; CODE XREF: RtlPcToFilePath(x,x)+33j
					; RtlPcToFilePath(x,x)+3Fj
		cmp	ecx, edi
		jnz	short loc_9D66FE

loc_9D6718:				; CODE XREF: RtlPcToFilePath(x,x)+2Cj
		mov	esi, 0C0000225h

loc_9D671D:				; CODE XREF: RtlPcToFilePath(x,x)+78j
		mov	ecx, ebx
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
; 

loc_9D6733:				; CODE XREF: RtlPcToFilePath(x,x)+49j
		lea	eax, [edx+24h]
		push	eax
		push	[ebp+arg_4]
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		xor	esi, esi
		jmp	short loc_9D671D
_RtlPcToFilePath@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrProcessRelocationBlockLongLong(x, x, x, x, x, x)
_LdrProcessRelocationBlockLongLong@24 proc near
					; CODE XREF: LdrRelocateImageWithBias(x,x,x,x,x,x,x)+BCp

var_2		= word ptr -2
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, edx
		mov	dx, cx
		mov	[ebp+var_2], dx
		lea	ebx, [esi+eax*2]
		cmp	esi, ebx
		jnb	short loc_9D67D0

loc_9D6762:				; CODE XREF: LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)+87j
		movzx	ecx, word ptr [esi]
		xor	eax, eax
		shr	ecx, 0Ch
		inc	eax
		shl	eax, cl
		test	eax, 3A0h
		jnz	short loc_9D6785
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, esi
		push	[ebp+arg_8]
		call	_LdrpGenericProcessRelocation@16 ; LdrpGenericProcessRelocation(x,x,x,x)
		jmp	short loc_9D67BB
; 

loc_9D6785:				; CODE XREF: LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)+2Fj
		movzx	eax, dx
		sub	eax, 1C0h
		jz	short loc_9D67AC
		dec	eax
		sub	eax, 1
		jz	short loc_9D679B
		dec	eax
		sub	eax, 1
		jnz	short loc_9D67CC

loc_9D679B:				; CODE XREF: LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)+50j
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, esi
		push	[ebp+arg_8]
		call	_LdrpThumbProcessRelocation@16 ; LdrpThumbProcessRelocation(x,x,x,x)
		jmp	short loc_9D67BB
; 

loc_9D67AC:				; CODE XREF: LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)+4Aj
		push	[ebp+arg_C]
		mov	edx, edi
		mov	ecx, esi
		push	[ebp+arg_8]
		call	_LdrpArmProcessRelocation@16 ; LdrpArmProcessRelocation(x,x,x,x)

loc_9D67BB:				; CODE XREF: LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)+40j
					; LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)+67j
		test	eax, eax
		jz	short loc_9D67CC
		lea	esi, [esi+eax*2]
		cmp	esi, ebx
		jnb	short loc_9D67D0
		mov	dx, [ebp+var_2]
		jmp	short loc_9D6762
; 

loc_9D67CC:				; CODE XREF: LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)+56j
					; LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)+7Aj
		xor	eax, eax
		jmp	short loc_9D67D2
; 

loc_9D67D0:				; CODE XREF: LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)+1Dj
					; LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)+81j
		mov	eax, esi

loc_9D67D2:				; CODE XREF: LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)+8Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_LdrProcessRelocationBlockLongLong@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LdrRelocateImageWithBias(x,	x, x, x, x, x, x)
_LdrRelocateImageWithBias@28 proc near	; CODE XREF: MiMapSystemImageWithLargePage(x,x,x,x)+16Bp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	esi, esi
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_8], esi
		push	ebx
		push	1
		mov	[ebp+var_4], esi
		call	RtlImageNtHeaderEx
		test	eax, eax
		jns	short loc_9D6809
		mov	esi, 0C000007Bh
		jmp	loc_9D68C6
; 

loc_9D6809:				; CODE XREF: LdrRelocateImageWithBias(x,x,x,x,x,x,x)+24j
		push	edi
		mov	edi, [ebp+var_4]
		mov	ecx, 10Bh
		movzx	eax, word ptr [edi+18h]
		cmp	ax, cx
		jz	short loc_9D6837
		mov	ecx, 20Bh
		cmp	ax, cx
		jnz	loc_9D68AC
		mov	eax, [edi+30h]
		mov	[ebp+var_C], eax
		mov	eax, [edi+34h]
		mov	[ebp+var_10], eax
		jmp	short loc_9D6840
; 

loc_9D6837:				; CODE XREF: LdrRelocateImageWithBias(x,x,x,x,x,x,x)+40j
		mov	eax, [edi+34h]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], esi

loc_9D6840:				; CODE XREF: LdrRelocateImageWithBias(x,x,x,x,x,x,x)+5Cj
		lea	eax, [ebp+var_8]
		push	eax
		push	5
		push	1
		push	ebx
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_14], edx
		test	edx, edx
		jz	short loc_9D68B3
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_9D68B3
		and	[ebp+var_4], esi
		mov	ecx, ebx
		sub	ecx, [ebp+var_C]
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+var_4]
		sbb	ecx, [ebp+var_10]
		mov	[ebp+var_4], ecx

loc_9D6872:				; CODE XREF: LdrRelocateImageWithBias(x,x,x,x,x,x,x)+CFj
		mov	ecx, [edx+4]
		sub	eax, ecx
		push	[ebp+var_4]
		mov	edx, [edx]
		push	[ebp+var_C]
		mov	[ebp+var_10], eax
		add	edx, ebx
		mov	eax, [ebp+var_14]
		add	eax, 8
		push	eax
		lea	eax, [ecx-8]
		mov	cx, [edi+4]
		shr	eax, 1
		push	eax
		call	_LdrProcessRelocationBlockLongLong@24 ;	LdrProcessRelocationBlockLongLong(x,x,x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_14], eax
		test	edx, edx
		jz	short loc_9D68AC
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	short loc_9D6872
		jmp	short loc_9D68C5
; 

loc_9D68AC:				; CODE XREF: LdrRelocateImageWithBias(x,x,x,x,x,x,x)+4Aj
					; LdrRelocateImageWithBias(x,x,x,x,x,x,x)+C8j
		mov	esi, 0C000007Bh
		jmp	short loc_9D68C5
; 

loc_9D68B3:				; CODE XREF: LdrRelocateImageWithBias(x,x,x,x,x,x,x)+7Cj
					; LdrRelocateImageWithBias(x,x,x,x,x,x,x)+83j
		mov	al, [edi+16h]
		and	al, 1
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000018h

loc_9D68C5:				; CODE XREF: LdrRelocateImageWithBias(x,x,x,x,x,x,x)+D1j
					; LdrRelocateImageWithBias(x,x,x,x,x,x,x)+D8j
		pop	edi

loc_9D68C6:				; CODE XREF: LdrRelocateImageWithBias(x,x,x,x,x,x,x)+2Bj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
_LdrRelocateImageWithBias@28 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpCtAllocateMemory(x)
_RtlpCtAllocateMemory@4	proc near	; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+AFp
		push	67744364h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		retn
_RtlpCtAllocateMemory@4	endp


;  S U B	R O U T	I N E 


; __stdcall RtlpCtContextFree(x)
_RtlpCtContextFree@4 proc near		; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+1D6p
					; RtlpCtContextInit(x,x)+75p ...
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_9D690F
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edx, ds:_PsInitialSystemProcess
		call	ExpWnfDeleteSubscription
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9D690F:				; CODE XREF: RtlpCtContextFree(x)+Cj
		mov	eax, [esi+8]
		mov	edi, 67744364h
		test	eax, eax
		jz	short loc_9D6926
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+8], 0

loc_9D6926:				; CODE XREF: RtlpCtContextFree(x)+3Dj
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_9D6933
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D6933:				; CODE XREF: RtlpCtContextFree(x)+4Ej
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ecx
		retn
_RtlpCtContextFree@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpCtContextInit(x, x)
_RtlpCtContextInit@8 proc near		; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+195p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	67744364h
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	0Ch
		push	1
		and	dword ptr [ebx], 0
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9D696A
		mov	edi, 0C000009Ah
		jmp	short loc_9D69B8
; 

loc_9D696A:				; CODE XREF: RtlpCtContextInit(x,x)+23j
		mov	edi, esi
		lea	ecx, [esi+8]
		xor	eax, eax
		stosd
		stosd
		stosd
		call	_RtlpCtInitializeNotificationEvent@8 ; RtlpCtInitializeNotificationEvent(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9D69B1
		mov	edx, esi
		mov	ecx, esi
		call	_RtlpCtInitializeWorkItem@8 ; RtlpCtInitializeWorkItem(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9D69B1
		push	esi
		push	offset _RtlpRtlpCtSelfSubscribeCallback@24 ; RtlpRtlpCtSelfSubscribeCallback(x,x,x,x,x,x)
		push	[ebp+var_4]
		lea	eax, [esi+4]
		push	8
		push	offset _WNF_SEB_DEV_MNF_CUSTOM_NOTIFICATION_RECEIVED
		push	eax
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9D69B1
		mov	[ebx], esi
		jmp	short loc_9D69B8
; 

loc_9D69B1:				; CODE XREF: RtlpCtContextInit(x,x)+3Fj
					; RtlpCtContextInit(x,x)+4Ej ...
		mov	ecx, esi
		call	_RtlpCtContextFree@4 ; RtlpCtContextFree(x)

loc_9D69B8:				; CODE XREF: RtlpCtContextInit(x,x)+2Aj
					; RtlpCtContextInit(x,x)+71j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_RtlpCtContextInit@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpCtFreeMemory(x)
_RtlpCtFreeMemory@4 proc near		; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+1EAp
		push	67744364h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		retn
_RtlpCtFreeMemory@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpCtInitializeNotificationEvent(x, x)
_RtlpCtInitializeNotificationEvent@8 proc near ; CODE XREF: RtlpCtContextInit(x,x)+36p
		mov	edi, edi
		push	esi
		push	67744364h
		push	10h
		push	200h
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		pop	esi
		test	eax, eax
		jnz	short loc_9D69EE
		mov	eax, 0C000009Ah
		retn
; 

loc_9D69EE:				; CODE XREF: RtlpCtInitializeNotificationEvent(x,x)+1Bj
		push	0
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	eax, eax
		retn
_RtlpCtInitializeNotificationEvent@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpCtInitializeWorkItem(x,	x)
_RtlpCtInitializeWorkItem@8 proc near	; CODE XREF: RtlpCtContextInit(x,x)+45p
		mov	edi, edi
		push	esi
		push	edi
		push	67744364h
		push	10h
		push	200h
		mov	edi, edx
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jnz	short loc_9D6A21
		mov	eax, 0C000009Ah
		jmp	short loc_9D6A30
; 

loc_9D6A21:				; CODE XREF: RtlpCtInitializeWorkItem(x,x)+1Dj
		and	dword ptr [eax], 0
		mov	dword ptr [eax+8], offset _RtlpRtlpCtWaitForWnfQuiescentWorker@4 ; RtlpRtlpCtWaitForWnfQuiescentWorker(x)
		mov	[eax+0Ch], edi
		xor	eax, eax

loc_9D6A30:				; CODE XREF: RtlpCtInitializeWorkItem(x,x)+24j
		pop	edi
		pop	esi
		retn
_RtlpCtInitializeWorkItem@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpCtQueueWorkItem(x)
_RtlpCtQueueWorkItem@4 proc near	; CODE XREF: RtlRaiseCustomSystemEventTrigger(x)+1C7p
		push	1
		push	ecx
		call	ExQueueWorkItem
		retn
_RtlpCtQueueWorkItem@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpCtSelfSubscribe(x)
_RtlpCtSelfSubscribe@4 proc near	; CODE XREF: RtlpRtlpCtSelfSubscribeCallback(x,x,x,x,x,x)+11p
		push	0
		push	1
		push	dword ptr [ecx+8]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	eax, eax
		retn
_RtlpCtSelfSubscribe@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpRtlpCtWaitForWnfQuiescentWorker(x)
_RtlpRtlpCtWaitForWnfQuiescentWorker@4 proc near
					; DATA XREF: RtlpCtInitializeWorkItem(x,x)+29o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	dword ptr [esi+8]
		call	KeWaitForSingleObject
		mov	ecx, esi
		call	_RtlpCtContextFree@4 ; RtlpCtContextFree(x)
		xor	eax, eax
		mov	ecx, offset _RtlpCtPublishInProgress
		xchg	eax, [ecx]
		pop	esi
		pop	ebp
		retn	4
_RtlpRtlpCtWaitForWnfQuiescentWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpRunOnceWaitForInit(x, x)
_RtlpRunOnceWaitForInit@8 proc near	; CODE XREF: RtlRunOnceExecuteOnce+12F28Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		xor	eax, eax
		push	esi
		lea	esi, [ebp+var_20]
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		and	esi, 0FFFFFFFDh
		mov	[ebp+var_10], eax
		or	esi, 1
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	eax, large fs:124h
		push	edi
		mov	edi, edx
		mov	[ebp+var_14], eax

loc_9D6ABB:				; CODE XREF: RtlpRunOnceWaitForInit(x,x)+5Ej
		mov	eax, ecx
		mov	edx, esi
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_20], eax
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_9D6AD7
		mov	ecx, eax
		and	al, 3
		cmp	al, 1
		jz	short loc_9D6ABB

loc_9D6AD7:				; CODE XREF: RtlpRunOnceWaitForInit(x,x)+56j
		mov	eax, ecx
		and	al, 3
		cmp	al, 1
		jnz	short loc_9D6AF2

loc_9D6ADF:				; CODE XREF: RtlpRunOnceWaitForInit(x,x)+79j
		push	edi
		xor	edx, edx
		xor	cl, cl
		call	KeWaitForAlertByThreadId
		mov	ecx, [edi]
		mov	eax, [ebp+var_C]
		test	al, 4
		jz	short loc_9D6ADF

loc_9D6AF2:				; CODE XREF: RtlpRunOnceWaitForInit(x,x)+66j
		pop	edi
		mov	eax, ecx
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_RtlpRunOnceWaitForInit@8 endp ; sp =  4

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2370. RtlUTF8StringToUnicodeString

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUTF8StringToUnicodeString(x, x, x)
		public _RtlUTF8StringToUnicodeString@12
_RtlUTF8StringToUnicodeString@12 proc near ; CODE XREF:	PiGetDefaultMessageString+8DE63p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		and	[ebp+var_8], 0
		push	edi
		mov	edi, [ebp+arg_4]
		push	eax
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		inc	edx
		call	_CountUTF8ToUnicode@12 ; CountUTF8ToUnicode(x,x,x)
		test	eax, eax
		js	loc_9D6BD0
		mov	eax, [ebp+var_4]
		cmp	eax, 0FFFEh
		jbe	short loc_9D6B41
		mov	eax, 0C00000F0h
		jmp	loc_9D6BD0
; 

loc_9D6B41:				; CODE XREF: RtlUTF8StringToUnicodeString(x,x,x)+33j
		push	ebx
		mov	bl, [ebp+arg_8]
		lea	ecx, [eax-2]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[esi], cx
		test	bl, bl
		jz	short loc_9D6B70
		push	eax
		mov	[esi+2], ax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[esi+4], eax
		test	eax, eax
		jnz	short loc_9D6B6B
		mov	eax, 0C0000017h
		jmp	short loc_9D6BCE
; 

loc_9D6B6B:				; CODE XREF: RtlUTF8StringToUnicodeString(x,x,x)+60j
		movzx	ecx, word ptr [esi]
		jmp	short loc_9D6B86
; 

loc_9D6B70:				; CODE XREF: RtlUTF8StringToUnicodeString(x,x,x)+4Fj
		movzx	eax, word ptr [esi+2]
		movzx	edx, cx
		add	edx, 2
		cmp	edx, eax
		ja	short loc_9D6BC9
		movzx	ecx, cx
		cmp	edx, 2
		jb	short loc_9D6BC9

loc_9D6B86:				; CODE XREF: RtlUTF8StringToUnicodeString(x,x,x)+6Cj
		movzx	eax, word ptr [edi]
		push	eax
		push	dword ptr [edi+4]
		lea	eax, [ebp+var_8]
		push	eax
		movzx	eax, cx
		push	eax
		push	dword ptr [esi+4]
		call	RtlUTF8ToUnicodeN
		mov	edi, eax
		test	edi, edi
		js	short loc_9D6BB5
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		mov	eax, [esi+4]
		shr	ecx, 1
		xor	edi, edi
		mov	[eax+ecx*2], dx
		jmp	short loc_9D6BC5
; 

loc_9D6BB5:				; CODE XREF: RtlUTF8StringToUnicodeString(x,x,x)+9Fj
		test	bl, bl
		jz	short loc_9D6BC5
		push	dword ptr [esi+4]
		call	_ExFreePool@4	; ExFreePool(x)
		and	dword ptr [esi+4], 0

loc_9D6BC5:				; CODE XREF: RtlUTF8StringToUnicodeString(x,x,x)+B1j
					; RtlUTF8StringToUnicodeString(x,x,x)+B5j
		mov	eax, edi
		jmp	short loc_9D6BCE
; 

loc_9D6BC9:				; CODE XREF: RtlUTF8StringToUnicodeString(x,x,x)+7Aj
					; RtlUTF8StringToUnicodeString(x,x,x)+82j
		mov	eax, 80000005h

loc_9D6BCE:				; CODE XREF: RtlUTF8StringToUnicodeString(x,x,x)+67j
					; RtlUTF8StringToUnicodeString(x,x,x)+C5j
		pop	esi
		pop	ebx

loc_9D6BD0:				; CODE XREF: RtlUTF8StringToUnicodeString(x,x,x)+25j
					; RtlUTF8StringToUnicodeString(x,x,x)+3Aj
		pop	edi
		leave
		retn	0Ch
_RtlUTF8StringToUnicodeString@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2380. RtlUnicodeStringToUTF8String

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlUnicodeStringToUTF8String(x, x, x)
		public _RtlUnicodeStringToUTF8String@12
_RtlUnicodeStringToUTF8String@12 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	edi
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_4]
		movzx	edx, word ptr [edi]
		mov	ecx, [edi+4]
		add	edx, 2
		push	eax
		call	CountUnicodeToUTF8
		test	eax, eax
		js	loc_9D6CB4
		mov	eax, [ebp+var_4]
		cmp	eax, 0FFFFh
		jbe	short loc_9D6C1F
		mov	eax, 0C00000F0h
		jmp	loc_9D6CB4
; 

loc_9D6C1F:				; CODE XREF: RtlUnicodeStringToUTF8String(x,x,x)+39j
		push	ebx
		mov	bl, [ebp+arg_8]
		lea	ecx, [eax-1]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[esi], cx
		test	bl, bl
		jz	short loc_9D6C4E
		push	eax
		mov	[esi+2], ax
		call	_ExpAllocateStringRoutine@4 ; ExpAllocateStringRoutine(x)
		mov	[esi+4], eax
		test	eax, eax
		jnz	short loc_9D6C49
		mov	eax, 0C0000017h
		jmp	short loc_9D6CB2
; 

loc_9D6C49:				; CODE XREF: RtlUnicodeStringToUTF8String(x,x,x)+66j
		movzx	edx, word ptr [esi]
		jmp	short loc_9D6C74
; 

loc_9D6C4E:				; CODE XREF: RtlUnicodeStringToUTF8String(x,x,x)+55j
		movzx	eax, word ptr [esi+2]
		movzx	edx, cx
		cmp	cx, ax
		jb	short loc_9D6C74
		test	ax, ax
		jnz	short loc_9D6C66
		mov	eax, 80000005h
		jmp	short loc_9D6CB2
; 

loc_9D6C66:				; CODE XREF: RtlUnicodeStringToUTF8String(x,x,x)+83j
		dec	eax
		mov	[ebp+var_C], 80000005h
		mov	[esi], ax
		movzx	edx, ax

loc_9D6C74:				; CODE XREF: RtlUnicodeStringToUTF8String(x,x,x)+72j
					; RtlUnicodeStringToUTF8String(x,x,x)+7Ej
		movzx	eax, word ptr [edi]
		push	eax
		push	dword ptr [edi+4]
		lea	eax, [ebp+var_8]
		push	eax
		movzx	eax, dx
		push	eax
		push	dword ptr [esi+4]
		call	RtlUnicodeToUTF8N
		mov	edi, eax
		test	edi, edi
		js	short loc_9D6CA0
		mov	ecx, [esi+4]
		mov	eax, [ebp+var_8]
		mov	edi, [ebp+var_C]
		mov	byte ptr [eax+ecx], 0
		jmp	short loc_9D6CB0
; 

loc_9D6CA0:				; CODE XREF: RtlUnicodeStringToUTF8String(x,x,x)+B5j
		test	bl, bl
		jz	short loc_9D6CB0
		push	dword ptr [esi+4]
		call	_ExFreePool@4	; ExFreePool(x)
		and	dword ptr [esi+4], 0

loc_9D6CB0:				; CODE XREF: RtlUnicodeStringToUTF8String(x,x,x)+C4j
					; RtlUnicodeStringToUTF8String(x,x,x)+C8j
		mov	eax, edi

loc_9D6CB2:				; CODE XREF: RtlUnicodeStringToUTF8String(x,x,x)+6Dj
					; RtlUnicodeStringToUTF8String(x,x,x)+8Aj
		pop	esi
		pop	ebx

loc_9D6CB4:				; CODE XREF: RtlUnicodeStringToUTF8String(x,x,x)+2Bj
					; RtlUnicodeStringToUTF8String(x,x,x)+40j
		pop	edi
		leave
		retn	0Ch
_RtlUnicodeStringToUTF8String@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcNotifyFeatureUsageTarget(x, x)
_RtlpFcNotifyFeatureUsageTarget@8 proc near
					; CODE XREF: RtlpFcSendFeatureUsageNotifications(x,x,x)+4Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [edx]
		push	ebx
		push	esi
		push	edi
		push	6E6F6346h
		push	1000h
		mov	[ebp+var_C], eax
		mov	ebx, ecx
		mov	eax, [edx+4]
		push	1
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9D6CFC
		mov	esi, 0C0000017h
		jmp	loc_9D6DA7
; 

loc_9D6CFC:				; CODE XREF: RtlpFcNotifyFeatureUsageTarget(x,x)+37j
					; RtlpFcNotifyFeatureUsageTarget(x,x)+E0j
		and	[ebp+var_14], 0
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], 1000h
		push	eax
		push	0
		push	0
		lea	eax, [ebp+var_C]
		push	eax
		call	_ZwQueryWnfStateData@24	; ZwQueryWnfStateData(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D6D93
		mov	al, byte ptr [ebp+var_10]
		and	al, 7
		movzx	ecx, al
		neg	ecx
		sbb	ecx, ecx
		xor	edx, edx
		not	ecx
		and	ecx, [ebp+var_10]
		mov	esi, ecx
		mov	[ebp+var_10], ecx
		shr	esi, 3
		test	esi, esi
		jz	short loc_9D6D5F
		mov	eax, [ebx]
		mov	[ebp+var_18], eax

loc_9D6D47:				; CODE XREF: RtlpFcNotifyFeatureUsageTarget(x,x)+A4j
		cmp	[edi+edx*8], eax
		jnz	short loc_9D6D5A
		mov	ax, [edi+edx*8+4]
		cmp	ax, [ebx+4]
		jz	short loc_9D6D7D
		mov	eax, [ebp+var_18]

loc_9D6D5A:				; CODE XREF: RtlpFcNotifyFeatureUsageTarget(x,x)+91j
		inc	edx
		cmp	edx, esi
		jb	short loc_9D6D47

loc_9D6D5F:				; CODE XREF: RtlpFcNotifyFeatureUsageTarget(x,x)+87j
		lea	edx, [ecx+8]
		cmp	edx, 1000h
		ja	short loc_9D6D7D
		mov	eax, [ebx]
		mov	ecx, edx
		mov	[edi+esi*8], eax
		mov	ax, [ebx+4]
		mov	[edi+esi*8+4], ax
		mov	[ebp+var_10], ecx

loc_9D6D7D:				; CODE XREF: RtlpFcNotifyFeatureUsageTarget(x,x)+9Cj
					; RtlpFcNotifyFeatureUsageTarget(x,x)+AFj
		push	1
		push	[ebp+var_14]
		lea	eax, [ebp+var_C]
		push	0
		push	0
		push	ecx
		push	edi
		push	eax
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	esi, eax

loc_9D6D93:				; CODE XREF: RtlpFcNotifyFeatureUsageTarget(x,x)+68j
		cmp	esi, 0C0000001h
		jz	loc_9D6CFC
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D6DA7:				; CODE XREF: RtlpFcNotifyFeatureUsageTarget(x,x)+3Ej
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_RtlpFcNotifyFeatureUsageTarget@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcSendFeatureUsageNotifications(x, x, x)
_RtlpFcSendFeatureUsageNotifications@12	proc near
					; CODE XREF: CmFcpManagerDrainUsageNotifications+87AA6p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	[ebp+arg_0], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	ebx, 0C0000225h
		mov	[ebp+var_4], ecx
		jz	short loc_9D6E1C
		xor	edi, edi
		cmp	[eax], edi
		jbe	short loc_9D6E1C
		lea	esi, [eax+0Ah]

loc_9D6DDE:				; CODE XREF: RtlpFcSendFeatureUsageNotifications(x,x,x)+62j
		mov	eax, [esi-6]
		cmp	eax, [ecx]
		jnz	short loc_9D6E11
		mov	ax, [esi-2]
		cmp	ax, [ecx+4]
		jnz	short loc_9D6E11
		mov	ax, [ecx+6]
		and	ax, 1
		test	byte ptr [esi],	1
		jz	short loc_9D6E00
		test	al, al
		jz	short loc_9D6E11

loc_9D6E00:				; CODE XREF: RtlpFcSendFeatureUsageNotifications(x,x,x)+42j
		lea	edx, [esi+2]
		call	_RtlpFcNotifyFeatureUsageTarget@8 ; RtlpFcNotifyFeatureUsageTarget(x,x)
		mov	ecx, [ebp+var_4]
		test	eax, eax
		js	short loc_9D6E11
		mov	ebx, eax

loc_9D6E11:				; CODE XREF: RtlpFcSendFeatureUsageNotifications(x,x,x)+2Bj
					; RtlpFcSendFeatureUsageNotifications(x,x,x)+35j ...
		mov	eax, [ebp+var_8]
		inc	edi
		add	esi, 10h
		cmp	edi, [eax]
		jb	short loc_9D6DDE

loc_9D6E1C:				; CODE XREF: RtlpFcSendFeatureUsageNotifications(x,x,x)+1Bj
					; RtlpFcSendFeatureUsageNotifications(x,x,x)+21j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_RtlpFcSendFeatureUsageNotifications@12	endp


;  S U B	R O U T	I N E 


; __stdcall RtlGetSwapReferenceIndex(x)
_RtlGetSwapReferenceIndex@4 proc near	; CODE XREF: CmFcManagerStartRuntimePhase(x)+1E8p
		mov	eax, [ecx]
		and	eax, 1
		retn
_RtlGetSwapReferenceIndex@4 endp


;  S U B	R O U T	I N E 


; __fastcall RtlFcpCompareFeatureIdToFeatureUsageSubscription(x, x)
@RtlFcpCompareFeatureIdToFeatureUsageSubscription@8 proc near
					; DATA XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+24o
					; RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+9Ao
		mov	eax, [ecx]
		cmp	eax, [edx]
		jbe	short loc_9D6E35
		xor	eax, eax
		inc	eax
		retn
; 

loc_9D6E35:				; CODE XREF: RtlFcpCompareFeatureIdToFeatureUsageSubscription(x,x)+4j
		sbb	eax, eax
		retn
@RtlFcpCompareFeatureIdToFeatureUsageSubscription@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcAddUsageSubscriptionFromUpdate(x, x, x)
_RtlpFcAddUsageSubscriptionFromUpdate@12 proc near
					; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+101p
					; RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+193p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword ptr [ecx], 0
		jnz	short loc_9D6E73
		mov	eax, [ecx+4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, [edi]
		mov	[esi], eax
		mov	ax, [ecx+8]
		mov	[esi+4], ax
		mov	ax, [ecx+0Ah]
		mov	[esi+6], ax
		mov	eax, [ecx+0Ch]
		mov	[esi+8], eax
		mov	eax, [ecx+10h]
		mov	[esi+0Ch], eax
		lea	eax, [esi+10h]
		inc	dword ptr [edx]
		mov	[edi], eax
		pop	edi
		pop	esi

loc_9D6E73:				; CODE XREF: RtlpFcAddUsageSubscriptionFromUpdate(x,x,x)+8j
		pop	ebp
		retn	4
_RtlpFcAddUsageSubscriptionFromUpdate@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcApplyUpdateAndAddFeature(x, x, x, x)
_RtlpFcApplyUpdateAndAddFeature@16 proc	near
					; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+E2p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		test	byte ptr [ecx+1Ch], 4
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_14], eax
		jnz	short loc_9D6ECB
		push	esi
		push	edi
		mov	esi, edx
		lea	edi, [ebp+var_10]
		mov	edx, ecx
		lea	ecx, [ebp+var_10]
		movsd
		movsd
		movsd
		call	_RtlpFcUpdateFeature@8 ; RtlpFcUpdateFeature(x,x)
		lea	ecx, [ebp+var_10]
		call	_RtlpFcDoesFeatureHaveUniqueState@4 ; RtlpFcDoesFeatureHaveUniqueState(x)
		test	al, al
		jz	short loc_9D6EC9
		mov	edi, [ebx]
		lea	esi, [ebp+var_10]
		mov	eax, [ebp+var_14]
		movsd
		movsd
		movsd
		add	dword ptr [ebx], 0Ch
		inc	dword ptr [eax]

loc_9D6EC9:				; CODE XREF: RtlpFcApplyUpdateAndAddFeature(x,x,x,x)+40j
		pop	edi
		pop	esi

loc_9D6ECB:				; CODE XREF: RtlpFcApplyUpdateAndAddFeature(x,x,x,x)+20j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_RtlpFcApplyUpdateAndAddFeature@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcApplyUsageSubscriptionUpdate(x, x, x,	x)
_RtlpFcApplyUsageSubscriptionUpdate@16 proc near
					; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+D0p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, edx
		push	esi
		mov	esi, ecx
		cmp	dword ptr [eax], 0
		jnz	short loc_9D6F08
		mov	edx, [ebp+arg_4]
		push	edi
		mov	ecx, [edx]
		mov	edi, ecx
		movsd
		movsd
		movsd
		movsd
		mov	ax, [eax+0Ah]
		mov	[ecx+6], ax
		lea	eax, [ecx+10h]
		mov	[edx], eax
		mov	eax, [ebp+arg_0]
		pop	edi
		inc	dword ptr [eax]

loc_9D6F08:				; CODE XREF: RtlpFcApplyUsageSubscriptionUpdate(x,x,x,x)+Dj
		pop	esi
		pop	ebp
		retn	8
_RtlpFcApplyUsageSubscriptionUpdate@16 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpFcAreSortedFeatureUpdatesValid(x, x)
_RtlpFcAreSortedFeatureUpdatesValid@8 proc near
					; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+30p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, edx
		inc	edi
		cmp	ebx, edi
		jbe	short loc_9D6F34
		mov	esi, ecx

loc_9D6F1D:				; CODE XREF: RtlpFcAreSortedFeatureUpdatesValid(x,x)+25j
		mov	eax, [esi+20h]
		cmp	eax, [esi]
		jnz	short loc_9D6F2C
		mov	eax, [esi+24h]
		cmp	eax, [esi+4]
		jz	short loc_9D6F9C

loc_9D6F2C:				; CODE XREF: RtlpFcAreSortedFeatureUpdatesValid(x,x)+15j
		inc	edi
		add	esi, 20h
		cmp	edi, ebx
		jb	short loc_9D6F1D

loc_9D6F34:				; CODE XREF: RtlpFcAreSortedFeatureUpdatesValid(x,x)+Cj
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_9D6F96
		lea	edx, [ecx+4]

loc_9D6F3D:				; CODE XREF: RtlpFcAreSortedFeatureUpdatesValid(x,x)+87j
		mov	eax, [edx+18h]
		test	al, 4
		jz	short loc_9D6F49
		cmp	eax, 4
		jnz	short loc_9D6F9C

loc_9D6F49:				; CODE XREF: RtlpFcAreSortedFeatureUpdatesValid(x,x)+35j
		mov	ecx, [edx]
		call	_RtlpIsValidFeatureConfigurationPriority@4 ; RtlpIsValidFeatureConfigurationPriority(x)
		test	al, al
		jz	short loc_9D6F9C
		call	_RtlpIsImmutableFeatureConfigurationPriority@4 ; RtlpIsImmutableFeatureConfigurationPriority(x)
		test	al, al
		jnz	short loc_9D6F9C
		mov	ecx, [edx+4]
		call	_RtlpIsValidFeatureEnabledState@4 ; RtlpIsValidFeatureEnabledState(x)
		test	al, al
		jz	short loc_9D6F9C
		mov	ecx, [edx+8]
		call	_RtlpIsValidFeatureEnabledStateOptions@4 ; RtlpIsValidFeatureEnabledStateOptions(x)
		test	al, al
		jz	short loc_9D6F9C
		movzx	ecx, byte ptr [edx+0Ch]
		call	_RtlpIsValidFeatureVariant@4 ; RtlpIsValidFeatureVariant(x)
		test	al, al
		jz	short loc_9D6F9C
		mov	ecx, [edx+10h]
		call	_RtlpIsValidFeatureVariantPayloadKind@4	; RtlpIsValidFeatureVariantPayloadKind(x)
		test	al, al
		jz	short loc_9D6F9C
		inc	esi
		add	edx, 20h
		cmp	esi, ebx
		jb	short loc_9D6F3D

loc_9D6F96:				; CODE XREF: RtlpFcAreSortedFeatureUpdatesValid(x,x)+2Bj
		mov	al, 1

loc_9D6F98:				; CODE XREF: RtlpFcAreSortedFeatureUpdatesValid(x,x)+91j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_9D6F9C:				; CODE XREF: RtlpFcAreSortedFeatureUpdatesValid(x,x)+1Dj
					; RtlpFcAreSortedFeatureUpdatesValid(x,x)+3Aj ...
		xor	al, al
		jmp	short loc_9D6F98
_RtlpFcAreSortedFeatureUpdatesValid@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcCalculateRequiredSizeForNewFeatureTable(x, x,	x, x)
_RtlpFcCalculateRequiredSizeForNewFeatureTable@16 proc near
					; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+4Dp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		mov	[ebp+var_28], esi
		xor	ebx, ebx
		xor	esi, esi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], eax
		push	edi
		test	ecx, ecx
		jz	loc_9D707C
		mov	ebx, [ecx]
		mov	edi, ebx
		add	ecx, 4
		mov	[ebp+var_24], edi
		mov	[ebp+var_18], ecx
		test	edi, edi
		jz	loc_9D707C
		mov	[ebp+var_14], edx

loc_9D6FEA:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+D3j
		cmp	eax, [ebp+arg_0]
		jnb	loc_9D709E
		call	_RtlpFcCompareFeatureToUpdate@8	; RtlpFcCompareFeatureToUpdate(x,x)
		test	eax, eax
		jnz	short loc_9D703E
		test	byte ptr [edx+1Ch], 4
		jnz	short loc_9D702A
		mov	esi, ecx
		lea	edi, [ebp+var_10]
		lea	ecx, [ebp+var_10]
		movsd
		movsd
		movsd
		call	_RtlpFcUpdateFeature@8 ; RtlpFcUpdateFeature(x,x)
		lea	ecx, [ebp+var_10]
		call	_RtlpFcDoesFeatureHaveUniqueState@4 ; RtlpFcDoesFeatureHaveUniqueState(x)
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_18]
		mov	esi, [ebp+var_20]
		mov	edi, [ebp+var_24]
		test	al, al
		jnz	short loc_9D702B

loc_9D702A:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+60j
		dec	ebx

loc_9D702B:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+88j
		mov	eax, [ebp+var_1C]
		inc	esi
		add	ecx, 0Ch
		inc	eax
		add	edx, 20h
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], edx
		jmp	short loc_9D706B
; 

loc_9D703E:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+5Aj
		cmp	eax, 1
		jnz	short loc_9D7064
		mov	ecx, edx
		call	_RtlpFcIsUpdateModifyingOrAddingFeature@4 ; RtlpFcIsUpdateModifyingOrAddingFeature(x)
		test	al, al
		jz	short loc_9D704F
		inc	ebx

loc_9D704F:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+ACj
		mov	eax, [ebp+var_1C]
		mov	edx, [ebp+var_14]
		inc	eax
		mov	ecx, [ebp+var_18]
		add	edx, 20h
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], edx
		jmp	short loc_9D7071
; 

loc_9D7064:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+A1j
		mov	eax, [ebp+var_1C]
		inc	esi
		add	ecx, 0Ch

loc_9D706B:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+9Cj
		mov	[ebp+var_18], ecx
		mov	[ebp+var_20], esi

loc_9D7071:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+C2j
		cmp	esi, edi
		jb	loc_9D6FEA
		mov	edx, [ebp+var_2C]

loc_9D707C:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+2Cj
					; RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+41j
		mov	esi, [ebp+arg_0]
		cmp	eax, esi
		jnb	short loc_9D709E
		mov	ecx, eax
		shl	ecx, 5
		add	ecx, edx
		sub	esi, eax

loc_9D708C:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+FCj
		call	_RtlpFcIsUpdateModifyingOrAddingFeature@4 ; RtlpFcIsUpdateModifyingOrAddingFeature(x)
		test	al, al
		jz	short loc_9D7096
		inc	ebx

loc_9D7096:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+F3j
		add	ecx, 20h
		sub	esi, 1
		jnz	short loc_9D708C

loc_9D709E:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+4Dj
					; RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+E1j
		test	ebx, ebx
		jnz	short loc_9D70AB
		mov	eax, [ebp+var_28]
		and	[eax], ebx
		xor	eax, eax
		jmp	short loc_9D70CB
; 

loc_9D70AB:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+100j
		mov	esi, [ebp+var_28]
		mov	ecx, esi
		push	0Ch
		pop	eax
		mul	ebx
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_9D70CB
		mov	ecx, [esi]
		push	esi
		push	4
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)

loc_9D70CB:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+109j
					; RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+11Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_RtlpFcCalculateRequiredSizeForNewFeatureTable@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x, x, x, x)
_RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable@16 proc near
					; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+34p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], edx
		and	[ebp+var_4], esi
		push	edi
		xor	edi, edi
		test	ecx, ecx
		jz	loc_9D7182
		mov	esi, [ecx]
		mov	eax, esi
		add	ecx, 4
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_9D7182
		lea	eax, [edx+4]
		mov	[ebp+var_8], edx
		mov	[ebp+arg_0], eax

loc_9D7113:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+A1j
		cmp	edi, ebx
		jnb	loc_9D719B
		mov	edx, eax
		call	_RtlpFcCompareUsageSubscriptionToUsageSubscription@8 ; RtlpFcCompareUsageSubscriptionToUsageSubscription(x,x)
		test	eax, eax
		jnz	short loc_9D7148
		mov	eax, [ebp+var_8]
		cmp	dword ptr [eax], 0
		jz	short loc_9D712F
		dec	esi

loc_9D712F:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+50j
		mov	edx, [ebp+var_4]
		add	eax, 14h
		mov	[ebp+var_8], eax
		inc	edx
		mov	eax, [ebp+arg_0]
		add	ecx, 10h
		inc	edi
		add	eax, 14h
		mov	[ebp+arg_0], eax
		jmp	short loc_9D7177
; 

loc_9D7148:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+48j
		cmp	eax, 1
		jnz	short loc_9D716B
		mov	eax, [ebp+var_8]
		cmp	dword ptr [eax], 0
		jnz	short loc_9D7156
		inc	esi

loc_9D7156:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+77j
		mov	edx, [ebp+var_4]
		add	eax, 14h
		mov	[ebp+var_8], eax
		inc	edi
		mov	eax, [ebp+arg_0]
		add	eax, 14h
		mov	[ebp+arg_0], eax
		jmp	short loc_9D717A
; 

loc_9D716B:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+6Fj
		mov	edx, [ebp+var_4]
		push	10h
		pop	eax
		inc	edx
		add	ecx, eax
		mov	eax, [ebp+arg_0]

loc_9D7177:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+6Aj
		mov	[ebp+var_4], edx

loc_9D717A:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+8Dj
		cmp	edx, [ebp+var_C]
		jb	short loc_9D7113
		mov	edx, [ebp+var_10]

loc_9D7182:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+1Aj
					; RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+2Cj
		cmp	edi, ebx
		jnb	short loc_9D719B
		imul	eax, edi, 14h
		add	eax, edx
		sub	ebx, edi

loc_9D718D:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+BDj
		cmp	dword ptr [eax], 0
		jnz	short loc_9D7193
		inc	esi

loc_9D7193:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+B4j
		add	eax, 14h
		sub	ebx, 1
		jnz	short loc_9D718D

loc_9D719B:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+39j
					; RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+A8j
		test	esi, esi
		jnz	short loc_9D71A8
		mov	eax, [ebp+arg_4]
		and	[eax], esi
		xor	eax, eax
		jmp	short loc_9D71C8
; 

loc_9D71A8:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+C1j
		push	10h
		pop	ecx
		mov	eax, esi
		mul	ecx
		mov	ecx, [ebp+arg_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_9D71C8
		push	ecx
		mov	ecx, [ecx]
		push	4
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)

loc_9D71C8:				; CODE XREF: RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+CAj
					; RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)+DFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable@16 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpFcCompareFeatureToUpdate(x, x)
_RtlpFcCompareFeatureToUpdate@8	proc near
					; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+53p
					; RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+D0p
		mov	eax, [ecx]
		push	esi
		cmp	eax, [edx]
		ja	short loc_9D71EE
		jb	short loc_9D71E9
		mov	eax, [ecx+4]
		and	eax, 0Fh
		cmp	eax, [edx+4]
		jb	short loc_9D71EE
		ja	short loc_9D71E9
		xor	eax, eax
		pop	esi
		retn
; 

loc_9D71E9:				; CODE XREF: RtlpFcCompareFeatureToUpdate(x,x)+7j
					; RtlpFcCompareFeatureToUpdate(x,x)+14j
		or	eax, 0FFFFFFFFh
		pop	esi
		retn
; 

loc_9D71EE:				; CODE XREF: RtlpFcCompareFeatureToUpdate(x,x)+5j
					; RtlpFcCompareFeatureToUpdate(x,x)+12j
		xor	eax, eax
		inc	eax
		pop	esi
		retn
_RtlpFcCompareFeatureToUpdate@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl RtlpFcCompareUpdates(const void *,const void *)
_RtlpFcCompareUpdates proc near		; DATA XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+Eo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		push	esi
		mov	esi, [ebp+arg_4]
		mov	eax, [edx]
		cmp	eax, [esi]
		ja	short loc_9D721A
		jb	short loc_9D7215
		mov	eax, [edx+4]
		cmp	eax, [esi+4]
		jl	short loc_9D721A
		jg	short loc_9D7215
		xor	eax, eax
		jmp	short loc_9D721D
; 

loc_9D7215:				; CODE XREF: _RtlpFcCompareUpdates+12j
					; _RtlpFcCompareUpdates+1Cj
		or	eax, 0FFFFFFFFh
		jmp	short loc_9D721D
; 

loc_9D721A:				; CODE XREF: _RtlpFcCompareUpdates+10j
					; _RtlpFcCompareUpdates+1Aj
		xor	eax, eax
		inc	eax

loc_9D721D:				; CODE XREF: _RtlpFcCompareUpdates+20j
					; _RtlpFcCompareUpdates+25j
		pop	esi
		pop	ebp
		retn
_RtlpFcCompareUpdates endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl RtlpFcCompareUsageSubscriptionUpdates(const void *,const void *)
_RtlpFcCompareUsageSubscriptionUpdates proc near
					; DATA XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+17o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	edx, [eax+4]
		cmp	edx, [ecx+4]
		ja	short loc_9D7264
		jb	short loc_9D725F
		movzx	edx, word ptr [eax+8]
		movzx	esi, word ptr [ecx+8]
		cmp	dx, si
		ja	short loc_9D7264
		jb	short loc_9D725F
		mov	edx, [eax+0Ch]
		cmp	edx, [ecx+0Ch]
		ja	short loc_9D7264
		jb	short loc_9D725F
		mov	eax, [eax+10h]
		mov	ecx, [ecx+10h]
		cmp	eax, ecx
		ja	short loc_9D7264
		jb	short loc_9D725F
		xor	eax, eax
		jmp	short loc_9D7267
; 

loc_9D725F:				; CODE XREF: _RtlpFcCompareUsageSubscriptionUpdates+14j
					; _RtlpFcCompareUsageSubscriptionUpdates+23j ...
		or	eax, 0FFFFFFFFh
		jmp	short loc_9D7267
; 

loc_9D7264:				; CODE XREF: _RtlpFcCompareUsageSubscriptionUpdates+12j
					; _RtlpFcCompareUsageSubscriptionUpdates+21j ...
		xor	eax, eax
		inc	eax

loc_9D7267:				; CODE XREF: _RtlpFcCompareUsageSubscriptionUpdates+3Dj
					; _RtlpFcCompareUsageSubscriptionUpdates+42j
		pop	esi
		pop	ebp
		retn
_RtlpFcCompareUsageSubscriptionUpdates endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcCreateAndAddFeatureFromUpdate(x, x, x)
_RtlpFcCreateAndAddFeatureFromUpdate@12	proc near
					; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+109p
					; RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+195p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		call	_RtlpFcIsUpdateModifyingOrAddingFeature@4 ; RtlpFcIsUpdateModifyingOrAddingFeature(x)
		test	al, al
		jz	short loc_9D72BE
		mov	ecx, [ebx]
		xor	eax, eax
		push	edi
		mov	edi, ecx
		stosd
		stosd
		stosd
		mov	eax, [esi]
		mov	[ecx], eax
		mov	edx, [esi+4]
		mov	eax, [ecx+4]
		and	edx, 0Fh
		and	eax, 0FFFFFF70h
		or	edx, eax
		mov	[ecx+4], edx
		mov	edx, esi
		call	_RtlpFcUpdateFeature@8 ; RtlpFcUpdateFeature(x,x)
		mov	esi, [ebx]
		mov	ecx, esi
		call	_RtlpFcDoesFeatureHaveUniqueState@4 ; RtlpFcDoesFeatureHaveUniqueState(x)
		pop	edi
		test	al, al
		jz	short loc_9D72BE
		lea	eax, [esi+0Ch]
		mov	[ebx], eax
		mov	eax, [ebp+arg_0]
		inc	dword ptr [eax]

loc_9D72BE:				; CODE XREF: RtlpFcCreateAndAddFeatureFromUpdate(x,x,x)+12j
					; RtlpFcCreateAndAddFeatureFromUpdate(x,x,x)+48j
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_RtlpFcCreateAndAddFeatureFromUpdate@12	endp


;  S U B	R O U T	I N E 


; __stdcall RtlpFcDoesFeatureHaveUniqueState(x)
_RtlpFcDoesFeatureHaveUniqueState@4 proc near
					; CODE XREF: RtlpFcApplyUpdateAndAddFeature(x,x,x,x)+39p
					; RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+75p ...
		cmp	dword ptr [ecx], 0
		jz	short loc_9D72F8
		mov	ecx, [ecx+4]
		mov	edx, ecx
		shr	edx, 0Ah
		mov	eax, ecx
		or	edx, ecx
		and	dl, 30h
		neg	dl
		sbb	dl, dl
		and	eax, 3F00h
		inc	dl
		neg	eax
		sbb	al, al
		inc	al
		and	dl, al
		test	cl, 40h
		setz	al
		test	dl, al
		jnz	short loc_9D72F8
		mov	al, 1
		retn
; 

loc_9D72F8:				; CODE XREF: RtlpFcDoesFeatureHaveUniqueState(x)+3j
					; RtlpFcDoesFeatureHaveUniqueState(x)+2Fj
		xor	al, al
		retn
_RtlpFcDoesFeatureHaveUniqueState@4 endp


;  S U B	R O U T	I N E 


; int __fastcall RtlpFcInitializeDelayedUsageReportBuffer(void *)
_RtlpFcInitializeDelayedUsageReportBuffer@4 proc near
					; CODE XREF: CmFcManagerStartRuntimePhase(x)+22Ep
		push	310h		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		retn
_RtlpFcInitializeDelayedUsageReportBuffer@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpFcIsUpdateModifyingOrAddingFeature(x)
_RtlpFcIsUpdateModifyingOrAddingFeature@4 proc near
					; CODE XREF: RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+A5p
					; RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x):loc_9D708Cp ...
		mov	edx, [ecx+1Ch]
		xor	eax, eax
		test	dl, 1
		jz	short loc_9D7320
		cmp	[ecx+8], eax
		jnz	short loc_9D732F
		cmp	[ecx+0Ch], eax
		jnz	short loc_9D732F

loc_9D7320:				; CODE XREF: RtlpFcIsUpdateModifyingOrAddingFeature(x)+8j
		test	dl, 2
		jz	short locret_9D7331
		cmp	[ecx+10h], al
		jnz	short loc_9D732F
		cmp	[ecx+14h], eax
		jz	short locret_9D7331

loc_9D732F:				; CODE XREF: RtlpFcIsUpdateModifyingOrAddingFeature(x)+Dj
					; RtlpFcIsUpdateModifyingOrAddingFeature(x)+12j ...
		mov	al, 1

locret_9D7331:				; CODE XREF: RtlpFcIsUpdateModifyingOrAddingFeature(x)+17j
					; RtlpFcIsUpdateModifyingOrAddingFeature(x)+21j
		retn
_RtlpFcIsUpdateModifyingOrAddingFeature@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcLinearSearchInSortedArray(x, x, x, x,	x)
_RtlpFcLinearSearchInSortedArray@20 proc near
					; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x):loc_9D7464p
					; RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x):loc_9D74DBp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edx
		mov	ebx, ecx
		cmp	[ebp+arg_0], edi
		jbe	short loc_9D735B

loc_9D7345:				; CODE XREF: RtlpFcLinearSearchInSortedArray(x,x,x,x,x)+27j
		mov	edx, esi
		mov	ecx, ebx
		call	[ebp+arg_8]
		test	eax, eax
		js	short loc_9D735B
		jz	short loc_9D7364
		add	esi, [ebp+arg_4]
		inc	edi
		cmp	edi, [ebp+arg_0]
		jb	short loc_9D7345

loc_9D735B:				; CODE XREF: RtlpFcLinearSearchInSortedArray(x,x,x,x,x)+11j
					; RtlpFcLinearSearchInSortedArray(x,x,x,x,x)+1Cj
		xor	eax, eax

loc_9D735D:				; CODE XREF: RtlpFcLinearSearchInSortedArray(x,x,x,x,x)+34j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_9D7364:				; CODE XREF: RtlpFcLinearSearchInSortedArray(x,x,x,x,x)+1Ej
		mov	eax, esi
		jmp	short loc_9D735D
_RtlpFcLinearSearchInSortedArray@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcLowerBounds(x, x, x, x, x)
_RtlpFcLowerBounds@20 proc near		; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+33p
					; RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+A9p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		push	esi
		mov	[ebp+var_8], ecx
		mov	esi, eax
		mov	ecx, [ebp+arg_4]
		imul	esi, ecx
		push	edi
		mov	edi, edx
		add	esi, edi
		cmp	edi, esi
		jnb	short loc_9D73C2
		push	ebx

loc_9D7388:				; CODE XREF: RtlpFcLowerBounds(x,x,x,x,x)+57j
		shr	eax, 1
		mov	ebx, eax
		mov	[ebp+var_4], eax
		imul	ebx, ecx
		mov	ecx, [ebp+var_8]
		add	ebx, edi
		mov	edx, ebx
		call	[ebp+arg_8]
		test	eax, eax
		jg	short loc_9D73A7
		mov	eax, [ebp+var_4]
		mov	esi, ebx
		jmp	short loc_9D73B7
; 

loc_9D73A7:				; CODE XREF: RtlpFcLowerBounds(x,x,x,x,x)+36j
		mov	edi, [ebp+arg_4]
		or	ecx, 0FFFFFFFFh
		sub	ecx, [ebp+var_4]
		add	edi, ebx
		mov	eax, [ebp+arg_0]
		add	eax, ecx

loc_9D73B7:				; CODE XREF: RtlpFcLowerBounds(x,x,x,x,x)+3Dj
		mov	ecx, [ebp+arg_4]
		mov	[ebp+arg_0], eax
		cmp	edi, esi
		jb	short loc_9D7388
		pop	ebx

loc_9D73C2:				; CODE XREF: RtlpFcLowerBounds(x,x,x,x,x)+1Dj
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn	0Ch
_RtlpFcLowerBounds@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall RtlpFcQueryAllFeatureConfigurationsFromBuffers(int,void *,int)
_RtlpFcQueryAllFeatureConfigurationsFromBuffers@12 proc	near
					; CODE XREF: RtlQueryAllFeatureConfigurations(x,x,x,x)+51p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [ecx+8]
		push	edi
		mov	edi, edx
		test	esi, esi
		jnz	short loc_9D73E3
		xor	ecx, ecx
		mov	[eax], ecx
		jmp	short loc_9D7407
; 

loc_9D73E3:				; CODE XREF: RtlpFcQueryAllFeatureConfigurationsFromBuffers(x,x,x)+11j
		mov	edx, [esi]
		mov	ecx, [eax]
		mov	[eax], edx
		cmp	edx, ecx
		jbe	short loc_9D73F4
		mov	ecx, 80000005h
		jmp	short loc_9D7407
; 

loc_9D73F4:				; CODE XREF: RtlpFcQueryAllFeatureConfigurationsFromBuffers(x,x,x)+21j
		imul	eax, [esi], 0Ch
		push	eax		; size_t
		lea	eax, [esi+4]
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	ecx, ecx

loc_9D7407:				; CODE XREF: RtlpFcQueryAllFeatureConfigurationsFromBuffers(x,x,x)+17j
					; RtlpFcQueryAllFeatureConfigurationsFromBuffers(x,x,x)+28j
		pop	edi
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	4
_RtlpFcQueryAllFeatureConfigurationsFromBuffers@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcQueryFeatureConfigurationFromBuffers(x, x, x,	x)
_RtlpFcQueryFeatureConfigurationFromBuffers@16 proc near
					; CODE XREF: RtlQueryFeatureConfigurationFromBuffers(x,x,x,x)+49p
					; RtlpFcQueryFeatureConfigurationFromBufferSet+11D556p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [edx+8]
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], eax
		mov	esi, ebx
		push	edi
		mov	edi, [ebp+arg_4]
		test	eax, eax
		jz	short loc_9D7483
		mov	ecx, [eax]
		lea	edx, [eax+4]
		push	offset @RtlFcpCompareFeatureIdToFeatureUsageSubscription@8 ; RtlFcpCompareFeatureIdToFeatureUsageSubscription(x,x)
		push	0Ch
		push	ecx
		test	ecx, ecx
		lea	ecx, [ebp+var_4]
		jz	short loc_9D7464
		call	_RtlpFcLowerBounds@20 ;	RtlpFcLowerBounds(x,x,x,x,x)
		mov	edx, [ebp+var_C]
		mov	[ebp+var_8], eax
		imul	ecx, [edx], 0Ch
		add	ecx, 4
		add	ecx, edx
		cmp	eax, ecx
		mov	ecx, [ebp+var_4]
		jz	short loc_9D7460
		cmp	[eax], ecx
		jz	short loc_9D746F

loc_9D7460:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+4Bj
		mov	eax, ebx
		jmp	short loc_9D746C
; 

loc_9D7464:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+31j
		call	_RtlpFcLinearSearchInSortedArray@20 ; RtlpFcLinearSearchInSortedArray(x,x,x,x,x)
		mov	ecx, [ebp+var_4]

loc_9D746C:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+53j
		mov	[ebp+var_8], eax

loc_9D746F:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+4Fj
		test	eax, eax
		jz	short loc_9D7480
		mov	esi, eax
		movsd
		movsd
		movsd
		mov	edi, [ebp+arg_4]
		mov	esi, [ebp+var_8]
		jmp	short loc_9D748B
; 

loc_9D7480:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+62j
		mov	esi, [ebp+var_8]

loc_9D7483:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+1Dj
		mov	[edi+4], ebx
		mov	[edi+8], ebx
		mov	[edi], ecx

loc_9D748B:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+6Fj
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+8]
		mov	[ebp+arg_4], eax
		test	eax, eax
		jnz	short loc_9D74A4
		and	dword ptr [edi+4], 0FFFFFF7Fh
		mov	eax, [edi+4]
		jmp	short loc_9D7510
; 

loc_9D74A4:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+87j
		mov	ecx, [eax]
		lea	edx, [eax+4]
		push	offset @RtlFcpCompareFeatureIdToFeatureUsageSubscription@8 ; RtlFcpCompareFeatureIdToFeatureUsageSubscription(x,x)
		push	10h
		push	ecx
		test	ecx, ecx
		lea	ecx, [ebp+var_4]
		jz	short loc_9D74DB
		call	_RtlpFcLowerBounds@20 ;	RtlpFcLowerBounds(x,x,x,x,x)
		mov	edx, eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		shl	ecx, 4
		add	ecx, 4
		add	ecx, eax
		cmp	edx, ecx
		jz	short loc_9D74D7
		mov	ecx, [edx]
		cmp	ecx, [ebp+var_4]
		jz	short loc_9D74E2

loc_9D74D7:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+BFj
		mov	edx, ebx
		jmp	short loc_9D74E2
; 

loc_9D74DB:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+A7j
		call	_RtlpFcLinearSearchInSortedArray@20 ; RtlpFcLinearSearchInSortedArray(x,x,x,x,x)
		mov	edx, eax

loc_9D74E2:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+C6j
					; RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+CAj
		mov	eax, [edi+4]
		test	edx, edx
		jz	short loc_9D7508
		or	eax, 80h
		mov	[edi+4], eax
		mov	ecx, eax
		test	al, 40h
		jnz	short loc_9D7510
		movzx	eax, word ptr [edx+6]
		and	ecx, 0FFFFFFBFh
		and	eax, 1
		shl	eax, 6
		or	eax, ecx
		jmp	short loc_9D750D
; 

loc_9D7508:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+D8j
		and	eax, 0FFFFFF7Fh

loc_9D750D:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+F7j
		mov	[edi+4], eax

loc_9D7510:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+93j
					; RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+E6j
		test	esi, esi
		jnz	short loc_9D752D
		test	al, 40h
		jnz	short loc_9D752D
		and	al, 80h
		movzx	ebx, al
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 3FFFFEF2h
		add	ebx, 0C0000225h

loc_9D752D:				; CODE XREF: RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+103j
					; RtlpFcQueryFeatureConfigurationFromBuffers(x,x,x,x)+107j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_RtlpFcQueryFeatureConfigurationFromBuffers@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpFcSectionTypeToBufferType(x)
_RtlpFcSectionTypeToBufferType@4 proc near ; CODE XREF:	CmFcManagerStartRuntimePhase(x)+130p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_10], 0
		mov	[ebp+var_C], 1
		mov	[ebp+var_8], 2
		mov	eax, [ebp+ecx*4+var_10]
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_RtlpFcSectionTypeToBufferType@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpFcUpdateFeature(x, x)
_RtlpFcUpdateFeature@8 proc near	; CODE XREF: RtlpFcApplyUpdateAndAddFeature(x,x,x,x)+31p
					; RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)+6Dp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	eax, [edi+1Ch]
		test	al, 1
		jz	short loc_9D758B
		mov	eax, [edi+8]
		shl	eax, 4
		xor	eax, [esi+4]
		and	eax, 30h
		xor	[esi+4], eax
		mov	eax, [edi+1Ch]

loc_9D758B:				; CODE XREF: RtlpFcUpdateFeature(x,x)+Dj
		test	al, 2
		jz	short loc_9D75BF
		movzx	eax, byte ptr [edi+10h]
		shl	eax, 8
		xor	eax, [esi+4]
		and	eax, 3F00h
		xor	[esi+4], eax
		mov	eax, [edi+18h]
		mov	ecx, [esi+4]
		mov	[esi+8], eax
		mov	edx, [edi+14h]
		shl	edx, 0Eh
		xor	edx, ecx
		and	edx, 0C000h
		xor	edx, ecx
		mov	[esi+4], edx
		jmp	short loc_9D75C2
; 

loc_9D75BF:				; CODE XREF: RtlpFcUpdateFeature(x,x)+23j
		mov	edx, [esi+4]

loc_9D75C2:				; CODE XREF: RtlpFcUpdateFeature(x,x)+53j
		mov	eax, [edi+0Ch]
		shl	eax, 6
		xor	eax, edx
		and	eax, 40h
		xor	eax, edx
		pop	edi
		mov	[esi+4], eax
		pop	esi
		retn
_RtlpFcUpdateFeature@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpFcUpdateFeatureConfiguration(void *,size_t,void *,size_t)
_RtlpFcUpdateFeatureConfiguration@24 proc near
					; CODE XREF: CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+102p
					; CmFcManagerUpdateFeatureConfigurations(x,x,x,x,x,x,x)+17Ap

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		push	offset _RtlpFcCompareUpdates ; int __cdecl (*)(const void *,const void *)
		push	20h		; size_t
		push	ebx		; size_t
		push	[ebp+arg_0]	; void *
		mov	esi, ecx
		xor	edi, edi
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], edi
		call	_qsort
		mov	ecx, [ebp+arg_0]
		add	esp, 10h
		mov	edx, ebx
		call	_RtlpFcAreSortedFeatureUpdatesValid@8 ;	RtlpFcAreSortedFeatureUpdatesValid(x,x)
		test	al, al
		jnz	short loc_9D7618
		mov	eax, 0C000000Dh
		jmp	loc_9D7779
; 

loc_9D7618:				; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+37j
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		mov	ecx, esi
		call	_RtlpFcCalculateRequiredSizeForNewFeatureTable@16 ; RtlpFcCalculateRequiredSizeForNewFeatureTable(x,x,x,x)
		test	eax, eax
		js	loc_9D7779
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jnz	short loc_9D7640
		mov	ecx, [ebp+arg_C]
		mov	[ecx], edi
		jmp	loc_9D7779
; 

loc_9D7640:				; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+5Fj
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax]
		jbe	short loc_9D7653
		mov	[eax], ecx
		mov	eax, 80000005h
		jmp	loc_9D7779
; 

loc_9D7653:				; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+70j
		push	ecx		; size_t
		push	edi		; int
		mov	edi, [ebp+arg_8]
		push	edi		; void *
		call	_memset
		and	dword ptr [edi], 0
		lea	eax, [edi+4]
		xor	edx, edx
		mov	[ebp+arg_C], eax
		xor	ecx, ecx
		mov	[ebp+var_8], edx
		add	esp, 0Ch
		mov	[ebp+var_4], ecx
		test	esi, esi
		jz	loc_9D7756
		lea	eax, [esi+4]
		mov	[ebp+var_14], eax
		mov	eax, [esi]
		test	eax, eax
		jz	loc_9D7726
		mov	esi, [ebp+var_14]
		mov	[ebp+var_C], esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_10], esi

loc_9D7698:				; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+14Bj
		cmp	ecx, ebx
		jnb	loc_9D7726
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		call	_RtlpFcCompareFeatureToUpdate@8	; RtlpFcCompareFeatureToUpdate(x,x)
		test	eax, eax
		jnz	short loc_9D76D3
		push	edi
		lea	eax, [ebp+arg_C]
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_RtlpFcApplyUpdateAndAddFeature@16 ; RtlpFcApplyUpdateAndAddFeature(x,x,x,x)
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		inc	edx
		add	[ebp+var_C], 0Ch
		inc	ecx
		add	esi, 20h
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], esi
		jmp	short loc_9D7716
; 

loc_9D76D3:				; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+D7j
		cmp	eax, 1
		jnz	short loc_9D76F5
		push	edi
		lea	edx, [ebp+arg_C]
		mov	ecx, esi
		call	_RtlpFcCreateAndAddFeatureFromUpdate@12	; RtlpFcCreateAndAddFeatureFromUpdate(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]
		inc	ecx
		add	esi, 20h
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], esi
		jmp	short loc_9D7719
; 

loc_9D76F5:				; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+101j
		mov	edi, [ebp+arg_C]
		mov	esi, ecx
		add	[ebp+arg_C], 0Ch
		mov	edx, [ebp+var_8]
		movsd
		movsd
		movsd
		mov	edi, [ebp+arg_8]
		mov	esi, [ebp+var_10]
		inc	dword ptr [edi]
		inc	edx
		add	ecx, 0Ch
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+var_4]

loc_9D7716:				; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+FCj
		mov	[ebp+var_8], edx

loc_9D7719:				; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+11Ej
		mov	eax, [ebp+var_18]
		mov	eax, [eax]
		cmp	edx, eax
		jb	loc_9D7698

loc_9D7726:				; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+B1j
					; RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+C5j
		cmp	edx, eax
		jnb	short loc_9D7756
		mov	eax, [ebp+arg_C]
		mov	ebx, [ebp+var_18]
		imul	ecx, edx, 0Ch
		add	ecx, [ebp+var_14]

loc_9D7736:				; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+176j
		mov	esi, ecx
		mov	edi, eax
		add	eax, 0Ch
		add	ecx, 0Ch
		movsd
		movsd
		movsd
		mov	edi, [ebp+arg_8]
		inc	dword ptr [edi]
		inc	edx
		cmp	edx, [ebx]
		jb	short loc_9D7736
		mov	ebx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		mov	[ebp+arg_C], eax

loc_9D7756:				; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+A1j
					; RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+153j
		cmp	ecx, ebx
		jnb	short loc_9D7777
		mov	esi, ecx
		shl	esi, 5
		add	esi, [ebp+arg_0]
		sub	ebx, ecx

loc_9D7764:				; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+1A0j
		push	edi
		lea	edx, [ebp+arg_C]
		mov	ecx, esi
		call	_RtlpFcCreateAndAddFeatureFromUpdate@12	; RtlpFcCreateAndAddFeatureFromUpdate(x,x,x)
		add	esi, 20h
		sub	ebx, 1
		jnz	short loc_9D7764

loc_9D7777:				; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+183j
		xor	eax, eax

loc_9D7779:				; CODE XREF: RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+3Ej
					; RtlpFcUpdateFeatureConfiguration(x,x,x,x,x,x)+54j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_RtlpFcUpdateFeatureConfiguration@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	RtlpFcUpdateUsageTriggers(void *,size_t,int,int)
_RtlpFcUpdateUsageTriggers@24 proc near	; CODE XREF: CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+A9p
					; CmFcManagerUpdateFeatureUsageSubscriptions(x,x,x,x)+117p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_14], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, ecx
		push	offset _RtlpFcCompareUsageSubscriptionUpdates ;	int __cdecl (*)(const void *,const void	*)
		push	14h		; size_t
		push	ebx		; size_t
		push	edi		; void *
		mov	[ebp+var_18], esi
		call	_qsort
		add	esp, 10h
		lea	eax, [ebp+var_14]
		mov	edx, edi
		mov	ecx, esi
		push	eax
		push	ebx
		call	_RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable@16 ; RtlpFcCalculateRequiredSizeForNewUsageSubscriptionTable(x,x,x,x)
		test	eax, eax
		js	loc_9D7922
		mov	ecx, [ebp+var_14]
		test	ecx, ecx
		jnz	short loc_9D77D3
		mov	ecx, [ebp+arg_C]
		and	dword ptr [ecx], 0
		jmp	loc_9D7922
; 

loc_9D77D3:				; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+46j
		mov	eax, [ebp+arg_C]
		cmp	ecx, [eax]
		jbe	short loc_9D77E6
		mov	[eax], ecx
		mov	eax, 80000005h
		jmp	loc_9D7922
; 

loc_9D77E6:				; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+58j
		mov	esi, [ebp+arg_8]
		xor	ecx, ecx
		mov	eax, [ebp+var_18]
		xor	edx, edx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], edx
		and	dword ptr [esi], 0
		lea	edi, [esi+4]
		mov	[ebp+arg_C], edi
		test	eax, eax
		jz	loc_9D7901
		lea	edi, [eax+4]
		mov	eax, [eax]
		mov	[ebp+var_1C], edi
		mov	edi, [ebp+arg_C]
		test	eax, eax
		jz	loc_9D78D3
		mov	esi, [ebp+var_1C]
		mov	[ebp+var_C], esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_14], esi
		add	esi, 4
		mov	[ebp+var_4], esi
		mov	esi, [ebp+arg_8]

loc_9D782F:				; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+14Dj
		cmp	edx, ebx
		jnb	loc_9D78D3
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		call	_RtlpFcCompareUsageSubscriptionToUsageSubscription@8 ; RtlpFcCompareUsageSubscriptionToUsageSubscription(x,x)
		test	eax, eax
		jnz	short loc_9D7873
		mov	edi, [ebp+var_14]
		lea	eax, [ebp+arg_C]
		push	eax
		push	esi
		mov	edx, edi
		call	_RtlpFcApplyUsageSubscriptionUpdate@16 ; RtlpFcApplyUsageSubscriptionUpdate(x,x,x,x)
		mov	ecx, [ebp+var_8]
		add	edi, 14h
		mov	edx, [ebp+var_10]
		inc	ecx
		add	[ebp+var_C], 10h
		inc	edx
		add	[ebp+var_4], 14h
		mov	[ebp+var_14], edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_10], edx
		jmp	short loc_9D78C3
; 

loc_9D7873:				; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+C4j
		cmp	eax, 1
		jnz	short loc_9D789F
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+arg_C]
		push	eax
		mov	edx, esi
		call	_RtlpFcAddUsageSubscriptionFromUpdate@12 ; RtlpFcAddUsageSubscriptionFromUpdate(x,x,x)
		mov	edx, [ebp+var_10]
		add	ecx, 14h
		mov	edi, [ebp+arg_C]
		inc	edx
		add	[ebp+var_4], 14h
		mov	[ebp+var_14], ecx
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_10], edx
		jmp	short loc_9D78C6
; 

loc_9D789F:				; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+F6j
		mov	eax, [ebp+var_C]
		mov	esi, eax
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_10]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_8]
		mov	edi, [ebp+arg_C]
		add	edi, 10h
		mov	[ebp+arg_C], edi
		inc	dword ptr [esi]
		inc	ecx
		add	eax, 10h
		mov	[ebp+var_C], eax

loc_9D78C3:				; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+F1j
		mov	[ebp+var_8], ecx

loc_9D78C6:				; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+11Dj
		mov	eax, [ebp+var_18]
		mov	eax, [eax]
		cmp	ecx, eax
		jb	loc_9D782F

loc_9D78D3:				; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+94j
					; RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+B1j
		cmp	ecx, eax
		jnb	short loc_9D7901
		mov	ebx, [ebp+var_18]
		mov	eax, ecx
		shl	eax, 4
		add	eax, [ebp+var_1C]

loc_9D78E2:				; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+17Cj
		mov	esi, eax
		add	eax, 10h
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_8]
		mov	edi, [ebp+arg_C]
		add	edi, 10h
		mov	[ebp+arg_C], edi
		inc	dword ptr [esi]
		inc	ecx
		cmp	ecx, [ebx]
		jb	short loc_9D78E2
		mov	ebx, [ebp+arg_4]

loc_9D7901:				; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+81j
					; RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+155j
		cmp	edx, ebx
		jnb	short loc_9D7920
		imul	ecx, edx, 14h
		add	ecx, [ebp+arg_0]
		sub	ebx, edx

loc_9D790D:				; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+19Ej
		lea	eax, [ebp+arg_C]
		mov	edx, esi
		push	eax
		call	_RtlpFcAddUsageSubscriptionFromUpdate@12 ; RtlpFcAddUsageSubscriptionFromUpdate(x,x,x)
		add	ecx, 14h
		sub	ebx, 1
		jnz	short loc_9D790D

loc_9D7920:				; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+183j
		xor	eax, eax

loc_9D7922:				; CODE XREF: RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+3Bj
					; RtlpFcUpdateUsageTriggers(x,x,x,x,x,x)+4Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_RtlpFcUpdateUsageTriggers@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LZNT1FindMatchMaximum(x, x)
_LZNT1FindMatchMaximum@8 proc near	; DATA XREF: RtlCompressBufferLZNT1+DAB0o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		push	edi
		mov	[ebp+var_8], edx
		mov	ecx, [eax+4]
		mov	edi, [eax+8]
		mov	[ebp+var_C], ecx
		mov	ecx, [eax]
		mov	[ebp+var_4], edi
		cmp	ecx, [ebp+arg_0]
		jnb	short loc_9D7999
		push	ebx
		mov	ebx, ecx
		sub	ebx, [ebp+arg_0]
		push	esi

loc_9D7954:				; CODE XREF: LZNT1FindMatchMaximum(x,x)+63j
		xor	esi, esi
		test	edi, edi
		jz	short loc_9D797B
		mov	edi, [ebp+arg_0]
		mov	edx, [ebp+var_C]

loc_9D7960:				; CODE XREF: LZNT1FindMatchMaximum(x,x)+47j
		cmp	edi, edx
		jnb	short loc_9D7972
		mov	al, [edi]
		cmp	al, [ebx+edi]
		jnz	short loc_9D7972
		inc	esi
		inc	edi
		cmp	esi, [ebp+var_4]
		jb	short loc_9D7960

loc_9D7972:				; CODE XREF: LZNT1FindMatchMaximum(x,x)+39j
					; LZNT1FindMatchMaximum(x,x)+40j
		mov	edx, [ebp+var_8]
		mov	eax, [ebp+arg_4]
		mov	edi, [ebp+var_4]

loc_9D797B:				; CODE XREF: LZNT1FindMatchMaximum(x,x)+2Fj
		cmp	esi, edx
		jb	short loc_9D7987
		mov	edx, esi
		mov	[eax+0Ch], ecx
		mov	[ebp+var_8], edx

loc_9D7987:				; CODE XREF: LZNT1FindMatchMaximum(x,x)+54j
		inc	ecx
		inc	ebx
		cmp	ecx, [ebp+arg_0]
		jb	short loc_9D7954
		pop	esi
		pop	ebx
		cmp	edx, 3
		jb	short loc_9D7999
		mov	eax, edx
		jmp	short loc_9D799B
; 

loc_9D7999:				; CODE XREF: LZNT1FindMatchMaximum(x,x)+22j
					; LZNT1FindMatchMaximum(x,x)+6Aj
		xor	eax, eax

loc_9D799B:				; CODE XREF: LZNT1FindMatchMaximum(x,x)+6Ej
		pop	edi
		leave
		retn	8
_LZNT1FindMatchMaximum@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlDescribeChunkLZNT1(x, x,	x, x)
_RtlDescribeChunkLZNT1@16 proc near	; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+2Cp
					; DATA XREF: PAGE:00A40868o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, [ebp+arg_C]
		xor	eax, eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, 8000001Ah
		push	edi
		mov	edi, [ebp+arg_8]
		mov	word ptr [ebp+var_4], ax
		mov	eax, [esi]
		mov	[edi], eax
		mov	eax, [ebp+arg_4]
		and	dword ptr [edx], 0
		add	eax, 0FFFFFFFCh
		mov	ecx, [esi]
		cmp	ecx, eax
		ja	loc_9D7A60
		test	cl, 1
		jz	short loc_9D79EA
		mov	al, [ecx]
		mov	byte ptr [ebp+var_4], al
		mov	al, [ecx+1]
		mov	byte ptr [ebp+var_4+1],	al
		mov	ax, word ptr [ebp+var_4]
		jmp	short loc_9D79F1
; 

loc_9D79EA:				; CODE XREF: RtlDescribeChunkLZNT1(x,x,x,x)+37j
		mov	ax, [ecx]
		mov	word ptr [ebp+var_4], ax

loc_9D79F1:				; CODE XREF: RtlDescribeChunkLZNT1(x,x,x,x)+48j
		test	ax, ax
		jz	short loc_9D7A60
		mov	eax, [ebp+var_4]
		xor	ebx, ebx
		and	eax, 0FFFh
		add	eax, 3
		mov	[edx], eax
		add	[esi], eax
		mov	ecx, [esi]
		cmp	ecx, [ebp+arg_4]
		ja	short loc_9D7A57
		mov	eax, [ebp+var_4]
		and	eax, 7000h
		mov	[ebp+arg_4], 3000h
		cmp	ax, word ptr [ebp+arg_4]
		jnz	short loc_9D7A57
		test	[ebp+var_4], 8000h
		mov	eax, [edx]
		jnz	short loc_9D7A41
		cmp	eax, 1002h
		jz	short loc_9D7A39
		sub	ecx, eax
		jmp	short loc_9D7A59
; 

loc_9D7A39:				; CODE XREF: RtlDescribeChunkLZNT1(x,x,x,x)+93j
		add	dword ptr [edi], 2
		add	dword ptr [edx], 0FFFFFFFEh
		jmp	short loc_9D7A60
; 

loc_9D7A41:				; CODE XREF: RtlDescribeChunkLZNT1(x,x,x,x)+8Cj
		cmp	eax, 6
		jnz	short loc_9D7A60
		mov	eax, [edi]
		cmp	byte ptr [eax+2], 2
		jnz	short loc_9D7A60
		cmp	[eax+3], bl
		jnz	short loc_9D7A60
		and	[edx], ebx
		jmp	short loc_9D7A60
; 

loc_9D7A57:				; CODE XREF: RtlDescribeChunkLZNT1(x,x,x,x)+6Cj
					; RtlDescribeChunkLZNT1(x,x,x,x)+81j
		sub	ecx, [edx]

loc_9D7A59:				; CODE XREF: RtlDescribeChunkLZNT1(x,x,x,x)+97j
		mov	ebx, 0C0000242h
		mov	[esi], ecx

loc_9D7A60:				; CODE XREF: RtlDescribeChunkLZNT1(x,x,x,x)+2Ej
					; RtlDescribeChunkLZNT1(x,x,x,x)+54j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
_RtlDescribeChunkLZNT1@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlReserveChunkLZNT1(x, x, x, x)
_RtlReserveChunkLZNT1@16 proc near	; DATA XREF: PAGE:00A40854o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	ebx, [esi]
		mov	edi, ebx
		mov	[ebp+var_8], ebx

loc_9D7A86:				; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+39j
					; RtlReserveChunkLZNT1(x,x,x,x)+3Ej
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlDescribeChunkLZNT1@16 ; RtlDescribeChunkLZNT1(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_9D7AA9
		cmp	edi, ebx
		jnz	short loc_9D7A86
		mov	edi, [ebp+var_8]
		jmp	short loc_9D7A86
; 

loc_9D7AA9:				; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+35j
		cmp	ecx, 8000001Ah
		jnz	loc_9D7BC3
		mov	eax, [ebp+var_8]
		mov	ecx, 0C0000023h
		mov	edx, [ebp+arg_4]
		sub	eax, edi
		add	eax, 2
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		mov	eax, [esi]
		mov	ebx, [ebp+arg_C]
		mov	[ebp+var_4], eax
		mov	eax, edx
		sub	eax, ebx
		cmp	[ebp+var_4], eax
		ja	loc_9D7BC3
		mov	eax, [ebp+var_4]
		add	eax, [ebp+var_8]
		cmp	ebx, 1000h
		jnz	short loc_9D7B39
		add	eax, 1002h
		add	ebx, 2
		cmp	eax, edx
		ja	loc_9D7BC1
		push	[ebp+var_8]	; size_t
		mov	eax, [ebp+var_4]
		add	eax, 1002h
		push	edi		; void *
		push	eax		; void *
		call	_memmove
		mov	eax, [esi]
		add	esp, 0Ch
		test	al, 1
		jz	short loc_9D7B26
		mov	byte ptr [eax],	0FFh
		mov	eax, [esi]
		mov	byte ptr [eax+1], 3Fh
		jmp	short loc_9D7B2E
; 

loc_9D7B26:				; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+B0j
		mov	ecx, 3FFFh
		mov	[eax], cx

loc_9D7B2E:				; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+BBj
		mov	eax, [ebp+arg_8]
		add	dword ptr [eax], 2
		jmp	loc_9D7BBF
; 

loc_9D7B39:				; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+85j
		test	ebx, ebx
		jnz	short loc_9D7BA7
		push	6
		pop	ebx
		add	eax, ebx
		cmp	eax, edx
		ja	short loc_9D7BC1
		push	[ebp+var_8]	; size_t
		mov	eax, [ebp+var_4]
		add	eax, ebx
		push	edi		; void *
		push	eax		; void *
		call	_memmove
		mov	eax, [esi]
		add	esp, 0Ch
		test	al, 1
		jz	short loc_9D7B69
		mov	byte ptr [eax],	3
		mov	eax, [esi]
		mov	byte ptr [eax+1], 0B0h
		jmp	short loc_9D7B71
; 

loc_9D7B69:				; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+F3j
		mov	ecx, 0B003h
		mov	[eax], cx

loc_9D7B71:				; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+FEj
		mov	eax, [esi]
		test	al, 1
		jz	short loc_9D7B83
		mov	byte ptr [eax+2], 2
		mov	eax, [esi]
		mov	byte ptr [eax+3], 0
		jmp	short loc_9D7B8A
; 

loc_9D7B83:				; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+10Cj
		push	2
		pop	ecx
		mov	[eax+2], cx

loc_9D7B8A:				; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+118j
		mov	eax, [esi]
		test	al, 1
		jz	short loc_9D7B9C
		mov	byte ptr [eax+4], 0FCh
		mov	eax, [esi]
		mov	byte ptr [eax+5], 0Fh
		jmp	short loc_9D7BBF
; 

loc_9D7B9C:				; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+125j
		mov	ecx, 0FFCh
		mov	[eax+4], cx
		jmp	short loc_9D7BBF
; 

loc_9D7BA7:				; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+D2j
		add	eax, ebx
		cmp	eax, edx
		ja	short loc_9D7BC1
		push	[ebp+var_8]	; size_t
		mov	eax, [ebp+var_4]
		add	eax, ebx
		push	edi		; void *
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch

loc_9D7BBF:				; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+CBj
					; RtlReserveChunkLZNT1(x,x,x,x)+131j ...
		xor	ecx, ecx

loc_9D7BC1:				; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+91j
					; RtlReserveChunkLZNT1(x,x,x,x)+DBj ...
		add	[esi], ebx

loc_9D7BC3:				; CODE XREF: RtlReserveChunkLZNT1(x,x,x,x)+46j
					; RtlReserveChunkLZNT1(x,x,x,x)+73j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	10h
_RtlReserveChunkLZNT1@16 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpCapChkTelemetryRunOnce(x, x, x)
_RtlpCapChkTelemetryRunOnce@12 proc near
					; DATA XREF: RtlpLogCapabilityCheckLatency(x,x,x,x,x,x)+1Eo
		push	0
		xor	edx, edx
		mov	ecx, offset dword_6B36A0
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		push	offset _RtlpPerformanceCounterFrequency
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		xor	eax, eax
		inc	eax
		retn	0Ch
_RtlpCapChkTelemetryRunOnce@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpLogCapabilityCheckLatency(x, x,	x, x, x, x)
_RtlpLogCapabilityCheckLatency@24 proc near ; CODE XREF: RtlCapabilityCheck(x,x,x)+39Ep

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	esi, edx
		push	ebx
		push	ebx
		push	offset _RtlpCapChkTelemetryRunOnce@12 ;	RtlpCapChkTelemetryRunOnce(x,x,x)
		push	offset _RtlpCapChkTelemetryRunOnceCtx
		mov	edi, ecx
		call	RtlRunOnceExecuteOnce
		test	edi, edi
		jz	loc_9D7D56
		test	esi, esi
		jz	loc_9D7D56
		mov	eax, [edi]
		or	eax, [edi+4]
		jz	loc_9D7D56
		mov	eax, [esi]
		or	eax, [esi+4]
		jz	loc_9D7D56
		mov	eax, _RtlpPerformanceCounterFrequency
		or	eax, dword_6FE0EC
		jz	loc_9D7D56
		or	ax, 0FFFFh
		lock xadd _TelemetryEventThrottle, ax
		dec	ax
		movzx	eax, ax
		test	ax, ax
		jnz	loc_9D7D56
		cmp	dword_6B36A0, 5
		jbe	loc_9D7D4B
		push	2000h
		push	ebx
		mov	ecx, offset dword_6B36A0
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9D7D4B
		mov	ecx, [esi]
		sub	ecx, [edi]
		mov	eax, [esi+4]
		sbb	eax, [edi+4]
		push	ebx
		push	0F4240h
		push	eax
		push	ecx
		call	__allmul
		push	dword_6FE0EC
		push	_RtlpPerformanceCounterFrequency
		push	edx
		push	eax
		call	__alldiv
		mov	[ebp+var_88], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_88]
		mov	[ebp+var_84], edx
		mov	[ebp+var_58], eax
		inc	ecx
		mov	al, [ebp+arg_0]
		mov	byte ptr [ebp+var_7C+3], al
		lea	eax, [ebp+var_7C+3]
		mov	[ebp+var_48], eax
		mov	al, [ebp+arg_4]
		mov	byte ptr [ebp+var_7C+2], al
		lea	eax, [ebp+var_7C+2]
		mov	[ebp+var_38], eax
		mov	al, [ebp+arg_8]
		mov	byte ptr [ebp+var_7C+1], al
		lea	eax, [ebp+var_7C+1]
		mov	[ebp+var_28], eax
		mov	al, [ebp+arg_C]
		mov	byte ptr [ebp+var_7C], al
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		push	ebx
		push	ebx
		push	offset loc_422A7B
		push	offset dword_6B36A0
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], 8
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9D7D4B:				; CODE XREF: RtlpLogCapabilityCheckLatency(x,x,x,x,x,x)+88j
					; RtlpLogCapabilityCheckLatency(x,x,x,x,x,x)+A0j
		push	64h
		pop	eax
		mov	ecx, offset _TelemetryEventThrottle
		xchg	ax, [ecx]

loc_9D7D56:				; CODE XREF: RtlpLogCapabilityCheckLatency(x,x,x,x,x,x)+31j
					; RtlpLogCapabilityCheckLatency(x,x,x,x,x,x)+39j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_RtlpLogCapabilityCheckLatency@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpGetNormalization(x, x)
_RtlpGetNormalization@8	proc near	; CODE XREF: RtlIsNormalizedString(x,x,x,x)+29p
					; RtlNormalizeString(x,x,x,x,x)+29p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, edx
		mov	[ebp+var_10], eax
		push	edi
		mov	edi, ecx
		test	eax, eax
		jnz	short loc_9D7D85
		mov	eax, 0C00000F0h
		jmp	loc_9D7E36
; 

loc_9D7D85:				; CODE XREF: RtlpGetNormalization(x,x)+12j
		push	ebx
		push	esi
		call	_NormalizationList__Lock@0 ; NormalizationList__Lock()
		mov	ecx, edi
		call	_NormalizationList__Lookup@4 ; NormalizationList__Lookup(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_9D7E28
		xor	ecx, 100h
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_NormalizationList__Lookup@4 ; NormalizationList__Lookup(x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_9D7DD4
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		mov	eax, edi
		and	eax, 0FFFFFEFFh
		push	eax
		push	0Ch
		call	_ZwGetNlsSectionPtr@20 ; ZwGetNlsSectionPtr(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9D7DE0
		jmp	short loc_9D7E15
; 

loc_9D7DD4:				; CODE XREF: RtlpGetNormalization(x,x)+4Bj
		mov	eax, [ecx+4]
		mov	[ebp+var_8], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_4], eax

loc_9D7DE0:				; CODE XREF: RtlpGetNormalization(x,x)+69j
		call	_NormalizationListEntry_Alloc@0	; NormalizationListEntry_Alloc()
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9D7DF2
		mov	esi, 0C0000017h
		jmp	short loc_9D7E15
; 

loc_9D7DF2:				; CODE XREF: RtlpGetNormalization(x,x)+82j
		mov	edx, [ebp+var_8]
		lea	ebx, [esi+0Ch]
		push	ebx		; void *
		push	[ebp+var_4]	; int
		mov	ecx, edi
		call	_Normalization__LoadTables@16 ;	Normalization__LoadTables(x,x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jns	short loc_9D7E1E
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_C]

loc_9D7E15:				; CODE XREF: RtlpGetNormalization(x,x)+6Bj
					; RtlpGetNormalization(x,x)+89j
		call	_NormalizationList__Unlock@0 ; NormalizationList__Unlock()
		mov	eax, esi
		jmp	short loc_9D7E34
; 

loc_9D7E1E:				; CODE XREF: RtlpGetNormalization(x,x)+A1j
		mov	ecx, esi
		mov	[esi+8], edi
		call	_NormalizationList__InsertTail@4 ; NormalizationList__InsertTail(x)

loc_9D7E28:				; CODE XREF: RtlpGetNormalization(x,x)+30j
		call	_NormalizationList__Unlock@0 ; NormalizationList__Unlock()
		mov	eax, [ebp+var_10]
		mov	[eax], ebx
		xor	eax, eax

loc_9D7E34:				; CODE XREF: RtlpGetNormalization(x,x)+B5j
		pop	esi
		pop	ebx

loc_9D7E36:				; CODE XREF: RtlpGetNormalization(x,x)+19j
		pop	edi
		leave
		retn
_RtlpGetNormalization@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcpPortReleaseResources(x)
_PdcpPortReleaseResources@4 proc near	; CODE XREF: PdcPortOpenCommon+112p

var_310		= dword	ptr -310h
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2E8		= dword	ptr -2E8h
var_2E4		= dword	ptr -2E4h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 310h
		lea	eax, [ebp+var_310]
		push	ebx
		push	esi
		mov	ebx, 310h
		mov	esi, ecx
		push	ebx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		and	dword ptr [esi], 0
		add	esp, 0Ch
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	short loc_9D7E9B
		mov	eax, [esi+8]
		mov	[ebp+var_2E8], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_2E4], eax
		lea	eax, [ebp+var_310]
		push	ebx
		push	eax
		push	ecx
		mov	[ebp+var_2F8], 1
		mov	[ebp+var_2F4], 5
		call	dword ptr [esi+14h]

loc_9D7E9B:				; CODE XREF: PdcpPortReleaseResources(x)+2Ej
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebx
		leave
		retn
_PdcpPortReleaseResources@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PdcTaskClientRequest(x, x)
_PdcTaskClientRequest@8	proc near	; CODE XREF: PopPowerAggregatorSessionSwitchWorker(x)+82p
					; PopPowerAggregatorSessionSwitchWorker(x)+8Fp

var_318		= dword	ptr -318h
var_300		= dword	ptr -300h
var_2F0		= byte ptr -2F0h
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 31Ch
		push	ebx
		push	esi
		mov	esi, _PopSleepStudyTaskClientActivator
		lea	eax, [ebp+var_318]
		push	edi
		push	310h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_1], dl
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jnz	short loc_9D7EE2

loc_9D7ED8:				; CODE XREF: PdcTaskClientRequest(x,x)+41j
		mov	ebx, 0C00000EFh
		jmp	loc_9D7FD0
; 

loc_9D7EE2:				; CODE XREF: PdcTaskClientRequest(x,x)+2Fj
		cmp	dword ptr [esi], 63636450h
		jnz	short loc_9D7ED8
		mov	eax, large fs:124h
		lea	edi, [esi+4]
		dec	word ptr [eax+13Ch]
		nop
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	ebx, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_9D7F19
		push	edi
		mov	edx, ebx
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_9D7F19:				; CODE XREF: PdcTaskClientRequest(x,x)+66j
		test	ebx, ebx
		jz	short loc_9D7F21
		or	byte ptr [ebx+0Eh], 1

loc_9D7F21:				; CODE XREF: PdcTaskClientRequest(x,x)+74j
		mov	eax, large fs:124h
		xor	edx, edx
		mov	[edi+4], eax
		inc	edx
		mov	al, [ebp+var_1]
		test	al, al
		jnz	short loc_9D7F41
		cmp	dword ptr [esi+18h], 0
		jnz	short loc_9D7F41
		mov	ebx, 0C0000001h
		jmp	short loc_9D7F90
; 

loc_9D7F41:				; CODE XREF: PdcTaskClientRequest(x,x)+8Bj
					; PdcTaskClientRequest(x,x)+91j
		mov	ecx, [esi+18h]
		xor	ebx, ebx
		test	al, al
		jnz	short loc_9D7F50
		cmp	ecx, edx
		jz	short loc_9D7F54
		jmp	short loc_9D7F80
; 

loc_9D7F50:				; CODE XREF: PdcTaskClientRequest(x,x)+A1j
		test	ecx, ecx
		jnz	short loc_9D7F80

loc_9D7F54:				; CODE XREF: PdcTaskClientRequest(x,x)+A5j
		test	al, al
		mov	[ebp+var_300], 7
		push	ecx
		setnz	[ebp+var_2F0]
		lea	edx, [ebp+var_318]
		mov	ecx, [esi+14h]
		call	_PdcPortSendMessageSynchronously@12 ; PdcPortSendMessageSynchronously(x,x,x)
		mov	ebx, [esi+1Ch]
		test	ebx, ebx
		js	short loc_9D7F90
		mov	al, [ebp+var_1]

loc_9D7F80:				; CODE XREF: PdcTaskClientRequest(x,x)+A7j
					; PdcTaskClientRequest(x,x)+ABj
		mov	ecx, [esi+18h]
		test	al, al
		lea	eax, [ecx-1]
		jz	short loc_9D7F8D
		lea	eax, [ecx+1]

loc_9D7F8D:				; CODE XREF: PdcTaskClientRequest(x,x)+E1j
		mov	[esi+18h], eax

loc_9D7F90:				; CODE XREF: PdcTaskClientRequest(x,x)+98j
					; PdcTaskClientRequest(x,x)+D4j
		and	dword ptr [edi+4], 0
		mov	edx, [edi]
		mov	ecx, edx
		shr	ecx, 4
		test	dl, 2
		jnz	short loc_9D7FB6
		xor	esi, esi
		lea	eax, [edx-10h]
		inc	esi
		cmp	esi, ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_9D7FBD

loc_9D7FB6:				; CODE XREF: PdcTaskClientRequest(x,x)+F7j
		mov	ecx, edi
		call	@ExfReleasePushLock@4 ;	ExfReleasePushLock(x)

loc_9D7FBD:				; CODE XREF: PdcTaskClientRequest(x,x)+10Dj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9D7FD0:				; CODE XREF: PdcTaskClientRequest(x,x)+36j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_PdcTaskClientRequest@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtQuerySecurityPolicy(int,int,int,int,void *,int)
_NtQuerySecurityPolicy@24 proc near	; DATA XREF: .text:00580E0Co

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		push	30h
		push	offset dword_6A9300
		call	__SEH_prolog4
		xor	eax, eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_30], eax
		mov	edi, eax
		mov	[ebp+var_28], edi
		mov	[ebp+var_34], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_38], eax
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_19], al
		mov	byte ptr [ebp+var_24], al
		lea	eax, [ebp+var_2C]
		push	eax
		push	[ebp+var_24]
		xor	ebx, ebx
		inc	ebx
		mov	edx, ebx
		mov	ecx, [ebp+arg_0]
		call	SepCaptureUnicodeStringArray
		mov	esi, eax
		test	esi, esi
		js	loc_9D80EA
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_24]
		mov	edx, ebx
		mov	ecx, [ebp+arg_4]
		call	SepCaptureUnicodeStringArray
		mov	esi, eax
		test	esi, esi
		js	loc_9D80EA
		lea	eax, [ebp+var_34]
		push	eax
		push	[ebp+var_24]
		mov	edx, ebx
		mov	ecx, [ebp+arg_8]
		call	SepCaptureUnicodeStringArray
		mov	esi, eax
		test	esi, esi
		js	loc_9D80EA
		cmp	[ebp+var_19], bl
		jnz	loc_9D8184
		and	[ebp+ms_exc.disabled], edi
		push	4
		pop	esi
		push	esi
		push	esi
		push	[ebp+arg_C]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [ebp+arg_14]
		test	cl, 3
		jz	short loc_9D8085
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9D8085:				; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+A7j
		lea	eax, [ecx+4]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_9D8096
		cmp	eax, ecx
		jnb	short loc_9D8099

loc_9D8096:				; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+B9j
		mov	byte ptr [edx],	0

loc_9D8099:				; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+BDj
		mov	eax, [ecx]
		mov	[ebp+var_20], eax
		push	esi
		push	esi
		push	ecx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_9D80BA
		push	ebx
		push	[ebp+var_20]
		push	eax
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	eax, [ebp+arg_10]

loc_9D80BA:				; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+D4j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	eax, eax
		jz	loc_9D8192
		push	20206553h
		push	[ebp+var_20]
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	edi, eax
		mov	[ebp+var_28], edi
		test	edi, edi
		jnz	loc_9D8192
		mov	esi, 0C000009Ah

loc_9D80EA:				; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+4Cj
					; NtQuerySecurityPolicy(x,x,x,x,x,x)+67j ...
		mov	al, [ebp+var_19]

loc_9D80ED:				; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+1A8j
					; NtQuerySecurityPolicy(x,x,x,x,x,x)+21Ej
		cmp	al, bl
		jnz	short loc_9D8132
		cmp	[ebp+var_2C], 0
		jz	short loc_9D8104
		push	0
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, [ebp+var_19]

loc_9D8104:				; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+11Ej
		cmp	al, bl
		jnz	short loc_9D8132
		cmp	[ebp+var_30], 0
		jz	short loc_9D811B
		push	0
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, [ebp+var_19]

loc_9D811B:				; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+135j
		cmp	al, bl
		jnz	short loc_9D8132
		cmp	[ebp+var_34], 0
		jz	short loc_9D8132
		push	0
		push	[ebp+var_34]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, [ebp+var_19]

loc_9D8132:				; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+118j
					; NtQuerySecurityPolicy(x,x,x,x,x,x)+12Fj ...
		test	edi, edi
		jz	short loc_9D8142
		cmp	al, bl
		jnz	short loc_9D8142
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D8142:				; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+15Dj
					; NtQuerySecurityPolicy(x,x,x,x,x,x)+161j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_9D8156:				; DATA XREF: .text:006A9314o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_9D8166:				; DATA XREF: .text:006A9318o
		mov	esi, [ebp+var_3C]

loc_9D8169:				; CODE XREF: sub_9D820A+3j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		inc	ebx
		mov	edi, [ebp+var_28]
		mov	al, byte ptr [ebp+var_24]
		mov	[ebp+var_19], al
		jmp	loc_9D80ED
; 

loc_9D8184:				; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+8Bj
		mov	edi, [ebp+arg_10]
		mov	[ebp+var_28], edi
		mov	eax, [ebp+arg_14]
		mov	eax, [eax]
		mov	[ebp+var_20], eax

loc_9D8192:				; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+ECj
					; NtQuerySecurityPolicy(x,x,x,x,x,x)+108j
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		lea	eax, [ebp+var_38]
		push	eax
		push	[ebp+var_34]
		mov	edx, [ebp+var_30]
		mov	ecx, [ebp+var_2C]
		call	_SeQuerySecurityPolicy@24 ; SeQuerySecurityPolicy(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9D81BB
		cmp	esi, 0C0000023h
		jnz	loc_9D80EA

loc_9D81BB:				; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+1D6j
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+var_38]
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		mov	edx, [ebp+var_20]
		mov	eax, [ebp+arg_14]
		mov	[eax], edx
		mov	ecx, [ebp+arg_10]
		mov	al, [ebp+var_19]
		test	ecx, ecx
		jz	short loc_9D81EE
		cmp	al, bl
		jnz	short loc_9D81EE
		test	esi, esi
		js	short loc_9D81EE
		push	edx		; size_t
		push	edi		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	al, [ebp+var_19]

loc_9D81EE:				; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+1FFj
					; NtQuerySecurityPolicy(x,x,x,x,x,x)+203j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_9D80ED
_NtQuerySecurityPolicy@24 endp


;  S U B	R O U T	I N E 


sub_9D81FA	proc near		; DATA XREF: .text:006A9320o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_9D81FA	endp


;  S U B	R O U T	I N E 


sub_9D820A	proc near		; DATA XREF: .text:006A9324o
		mov	esi, [ebp-40h]
		jmp	loc_9D8169
sub_9D820A	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeCodeIntegritySetInformation(x, x,	x)
_SeCodeIntegritySetInformation@12 proc near ; CODE XREF: PAGE:007B4AB8p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6BEA74
		test	eax, eax
		jnz	short loc_9D8227
		mov	eax, 0C00000BBh
		jmp	short loc_9D822E
; 

loc_9D8227:				; CODE XREF: SeCodeIntegritySetInformation(x,x,x)+Cj
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	eax

loc_9D822E:				; CODE XREF: SeCodeIntegritySetInformation(x,x,x)+13j
		pop	ebp
		retn	4
_SeCodeIntegritySetInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SeCodeIntegritySetInformationProcess(void *,size_t)
_SeCodeIntegritySetInformationProcess@16 proc near ; CODE XREF:	PAGE:007AAD13p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	10h
		push	offset dword_6A9328
		call	__SEH_prolog4
		mov	edi, edx
		mov	ebx, ecx
		cmp	dword_6BEA78, 0
		jnz	short loc_9D8252
		mov	eax, 0C00000BBh
		jmp	short loc_9D82C5
; 

loc_9D8252:				; CODE XREF: SeCodeIntegritySetInformationProcess(x,x,x,x)+17j
		push	20206553h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jnz	short loc_9D8271
		mov	eax, 0C0000017h
		jmp	short loc_9D82C5
; 

loc_9D8271:				; CODE XREF: SeCodeIntegritySetInformationProcess(x,x,x,x)+36j
		and	[ebp+ms_exc.disabled], 0
		push	[ebp+arg_4]	; size_t
		push	[ebp+arg_0]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	[ebp+arg_4]
		push	esi
		push	edi
		push	ebx
		call	dword_6BEA78
		mov	edi, eax
		jmp	short loc_9D82BB
; 

loc_9D829B:				; DATA XREF: .text:006A933Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_9D82AB:				; DATA XREF: .text:006A9340o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_1C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_20]

loc_9D82BB:				; CODE XREF: SeCodeIntegritySetInformationProcess(x,x,x,x)+67j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi

loc_9D82C5:				; CODE XREF: SeCodeIntegritySetInformationProcess(x,x,x,x)+1Ej
					; SeCodeIntegritySetInformationProcess(x,x,x,x)+3Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SeCodeIntegritySetInformationProcess@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeQuerySecurityPolicy(x, x,	x, x, x, x)
_SeQuerySecurityPolicy@24 proc near	; CODE XREF: NtQuerySecurityPolicy(x,x,x,x,x,x)+1CDp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, dword_6BEA6C
		test	esi, esi
		jnz	short loc_9D82EE
		mov	eax, 0C00000BBh
		jmp	short loc_9D8311
; 

loc_9D82EE:				; CODE XREF: SeQuerySecurityPolicy(x,x,x,x,x,x)+Ej
		cmp	[ebp+arg_8], 0
		mov	eax, [ebp+arg_C]
		jz	short loc_9D8303
		cmp	dword ptr [eax], 0
		jnz	short loc_9D8303
		mov	eax, 0C000000Dh
		jmp	short loc_9D8311
; 

loc_9D8303:				; CODE XREF: SeQuerySecurityPolicy(x,x,x,x,x,x)+1Ej
					; SeQuerySecurityPolicy(x,x,x,x,x,x)+23j
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	esi

loc_9D8311:				; CODE XREF: SeQuerySecurityPolicy(x,x,x,x,x,x)+15j
					; SeQuerySecurityPolicy(x,x,x,x,x,x)+2Aj
		pop	esi
		pop	ebp
		retn	10h
_SeQuerySecurityPolicy@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeValidateFileAsImageType(x, x, x)
_SeValidateFileAsImageType@12 proc near	; CODE XREF: ExpQueryElamCertInfo(x)+135p
					; ExpQueryElamCertInfo(x)+181p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6BEA44
		test	eax, eax
		jnz	short loc_9D832B
		mov	eax, 0C00000BBh
		jmp	short loc_9D8332
; 

loc_9D832B:				; CODE XREF: SeValidateFileAsImageType(x,x,x)+Cj
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	eax

loc_9D8332:				; CODE XREF: SeValidateFileAsImageType(x,x,x)+13j
		pop	ebp
		retn	4
_SeValidateFileAsImageType@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepIsLockedDown(x, x)
_SepIsLockedDown@8 proc	near		; CODE XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+152p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, edx
		mov	byte ptr [ebp+var_1], bl
		mov	esi, ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	byte ptr [edi],	1
		cmp	cl, 2
		jb	short loc_9D83AE
		lea	ecx, [ebp+var_1]
		call	_KIsSideloadingEnabled@4 ; KIsSideloadingEnabled(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D83B0
		movzx	eax, byte ptr [ebp+var_1]
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_9D83AE
		lea	eax, [ebp+var_C]
		push	eax
		push	4
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	offset unk_6B36D0
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_9D839A
		mov	[ebp+var_8], ebx
		mov	esi, ebx
		jmp	short loc_9D83A5
; 

loc_9D839A:				; CODE XREF: SepIsLockedDown(x,x)+5Bj
		test	esi, esi
		js	short loc_9D83B0
		mov	eax, [ebp+var_8]
		test	eax, eax
		jnz	short loc_9D83AE

loc_9D83A5:				; CODE XREF: SepIsLockedDown(x,x)+62j
		call	ExQueryFastCacheDevLicense
		test	al, al
		jz	short loc_9D83B0

loc_9D83AE:				; CODE XREF: SepIsLockedDown(x,x)+20j
					; SepIsLockedDown(x,x)+39j ...
		mov	[edi], bl

loc_9D83B0:				; CODE XREF: SepIsLockedDown(x,x)+2Ej
					; SepIsLockedDown(x,x)+66j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SepIsLockedDown@8 endp


;  S U B	R O U T	I N E 


; __stdcall SeRmCleanupSiloState(x)
_SeRmCleanupSiloState@4	proc near	; CODE XREF: PspDeleteServerSiloGlobals(x)+1Fp
		xor	eax, eax
		cmp	[ecx+4], eax
		jnz	short loc_9D83C7
		cmp	[ecx+0Ch], eax
		jnz	short loc_9D83C7
		cmp	[ecx], eax
		jz	short locret_9D83DA

loc_9D83C7:				; CODE XREF: SeRmCleanupSiloState(x)+5j
					; SeRmCleanupSiloState(x)+Aj
		push	eax
		push	6D1h
		push	offset ??_C@_0BL@ELDGEOIE@minkernel?2ntos?2se?2rmmain?4c@NNGAKEGL@ ; "minkernel\\ntos\\se\\rmmain.c"
		push	ecx
		push	29h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

locret_9D83DA:				; CODE XREF: SeRmCleanupSiloState(x)+Ej
		retn
_SeRmCleanupSiloState@4	endp ; sp = -14h


;  S U B	R O U T	I N E 


; __stdcall SepRmCleanupRmLsaState(x)
_SepRmCleanupRmLsaState@4 proc near	; CODE XREF: SepRmLsaConnectRequest+1F8p
					; SepRmCommandServerThread+8CAEEp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_9D83F1
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [esi+4], 0

loc_9D83F1:				; CODE XREF: SepRmCleanupRmLsaState(x)+Aj
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_9D8402
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [esi+0Ch], 0

loc_9D8402:				; CODE XREF: SepRmCleanupRmLsaState(x)+1Bj
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_9D8411
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [esi], 0

loc_9D8411:				; CODE XREF: SepRmCleanupRmLsaState(x)+2Bj
		pop	esi
		retn
_SepRmCleanupRmLsaState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeInitServerSilo(x)
_SeInitServerSilo@4 proc near		; CODE XREF: PspInitializeServerSiloDeferred(x)+82p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		push	edi
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	short loc_9D8435
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	33h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9D8435:				; CODE XREF: SeInitServerSilo(x)+13j
		mov	ecx, edi
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		push	edi
		mov	ebx, eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	ecx, offset _SeSystemAuthenticationId
		mov	[ebp+var_4], eax
		call	SepCreateLogonSessionTrack
		mov	esi, eax
		test	esi, esi
		js	short loc_9D84BF
		lea	edx, [ebx+1A4h]
		mov	ecx, offset _SeSystemAuthenticationId
		push	edx
		mov	edx, edi
		call	_SepReferenceLogonSessionSilo@12 ; SepReferenceLogonSessionSilo(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9D847E

loc_9D8470:				; CODE XREF: SeInitServerSilo(x)+92j
		xor	dl, dl
		mov	ecx, offset _SeSystemAuthenticationId
		call	SepDeleteLogonSessionTrack
		jmp	short loc_9D84BF
; 

loc_9D847E:				; CODE XREF: SeInitServerSilo(x)+5Bj
		mov	ecx, offset _SeAnonymousAuthenticationId
		call	SepCreateLogonSessionTrack
		mov	esi, eax
		test	esi, esi
		js	short loc_9D84BF
		lea	eax, [ebx+1A8h]
		mov	edx, edi
		push	eax
		mov	ecx, offset _SeAnonymousAuthenticationId
		call	_SepReferenceLogonSessionSilo@12 ; SepReferenceLogonSessionSilo(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D8470
		call	_SepInitializationPhase1@0 ; SepInitializationPhase1()
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFFFFh
		add	esi, 0C0000001h

loc_9D84BF:				; CODE XREF: SeInitServerSilo(x)+42j
					; SeInitServerSilo(x)+69j ...
		push	[ebp+var_4]
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SeInitServerSilo@4 endp


;  S U B	R O U T	I N E 


; __stdcall SeShutdownServerSilo(x, x)
_SeShutdownServerSilo@8	proc near	; CODE XREF: PspDeleteExternalServerSiloState(x)+39p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_9D84E8
		call	ObfDereferenceObject
		mov	[esi+8], ebx

loc_9D84E8:				; CODE XREF: SeShutdownServerSilo(x,x)+10j
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_9D84F7
		call	ObfDereferenceObject
		mov	[esi+0Ch], ebx

loc_9D84F7:				; CODE XREF: SeShutdownServerSilo(x,x)+1Fj
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_9D8504
		call	_SepDeReferenceLogonSessionDirect@4 ; SepDeReferenceLogonSessionDirect(x)
		mov	[esi], ebx

loc_9D8504:				; CODE XREF: SeShutdownServerSilo(x,x)+2Dj
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_9D8513
		call	_SepDeReferenceLogonSessionDirect@4 ; SepDeReferenceLogonSessionDirect(x)
		mov	[esi+4], ebx

loc_9D8513:				; CODE XREF: SeShutdownServerSilo(x,x)+3Bj
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_9D8528
		push	63734943h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+14h], ebx

loc_9D8528:				; CODE XREF: SeShutdownServerSilo(x,x)+4Aj
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_9D853D
		push	63734943h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+10h], ebx

loc_9D853D:				; CODE XREF: SeShutdownServerSilo(x,x)+5Fj
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_SepDeleteUnreferencedLogonSessionsInSilo@4 ; SepDeleteUnreferencedLogonSessionsInSilo(x)
_SeShutdownServerSilo@8	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2432. SeAuditingAnyFileEventsWithContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditingAnyFileEventsWithContext(x, x)
		public _SeAuditingAnyFileEventsWithContext@8
_SeAuditingAnyFileEventsWithContext@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_SeAuditingAnyFileEventsWithContextEx@12 ; SeAuditingAnyFileEventsWithContextEx(x,x,x)
		pop	ebp
		retn	8
_SeAuditingAnyFileEventsWithContext@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2434. SeAuditingFileEvents

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditingFileEvents(x, x)
		public _SeAuditingFileEvents@8
_SeAuditingFileEvents@8	proc near

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte_6BE6C4, 0
		mov	al, [ebp+arg_0]
		jz	short loc_9D857C
		test	al, al
		jnz	short loc_9D85A3

loc_9D857C:				; CODE XREF: SeAuditingFileEvents(x,x)+Fj
		cmp	byte_6BE6C5, 0
		jz	short loc_9D8589
		test	al, al
		jz	short loc_9D85A3

loc_9D8589:				; CODE XREF: SeAuditingFileEvents(x,x)+1Cj
		cmp	byte_6BE6C6, 0
		jz	short loc_9D8596
		test	al, al
		jnz	short loc_9D85A3

loc_9D8596:				; CODE XREF: SeAuditingFileEvents(x,x)+29j
		cmp	byte_6BE6C7, 0
		jz	short loc_9D85A7
		test	al, al
		jnz	short loc_9D85A7

loc_9D85A3:				; CODE XREF: SeAuditingFileEvents(x,x)+13j
					; SeAuditingFileEvents(x,x)+20j ...
		mov	al, 1
		jmp	short loc_9D85A9
; 

loc_9D85A7:				; CODE XREF: SeAuditingFileEvents(x,x)+36j
					; SeAuditingFileEvents(x,x)+3Aj
		xor	al, al

loc_9D85A9:				; CODE XREF: SeAuditingFileEvents(x,x)+3Ej
		pop	ebp
		retn	8
_SeAuditingFileEvents@8	endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2435. SeAuditingFileEventsWithContext

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditingFileEventsWithContext(x, x, x)
		public _SeAuditingFileEventsWithContext@12
_SeAuditingFileEventsWithContext@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_SeAuditingFileEventsWithContextEx@16 ;	SeAuditingFileEventsWithContextEx(x,x,x,x)
		pop	ebp
		retn	0Ch
_SeAuditingFileEventsWithContext@12 endp

; 
		align 10h
; Exported entry 2437. SeAuditingFileOrGlobalEvents

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditingFileOrGlobalEvents(x, x, x)
		public _SeAuditingFileOrGlobalEvents@12
_SeAuditingFileOrGlobalEvents@12 proc near

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [esp+18h+var_8]
		push	offset ??_C@_19DDLLJDOO@?$AAF?$AAi?$AAl?$AAe@NNGAKEGL@
		push	eax
		mov	[esp+20h+var_C], ebx
		mov	[esp+20h+var_8], ebx
		mov	[esp+20h+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	eax, [esp+1Ch+var_8]
		xor	edx, edx
		push	eax
		lea	ecx, [esp+20h+var_C]
		call	_SepRmGlobalSaclFind@16	; SepRmGlobalSaclFind(x,x,x,x)
		cmp	eax, 0C0000034h
		jnz	short loc_9D8639
		mov	edx, [ebp+arg_4]
		movzx	eax, word ptr [edx+2]
		mov	ecx, eax
		test	al, 10h
		jz	short loc_9D8635
		test	cx, cx
		mov	ecx, [edx+0Ch]
		jns	short loc_9D8631
		lea	eax, [ecx+edx]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_9D8631:				; CODE XREF: SeAuditingFileOrGlobalEvents(x,x,x)+56j
		test	ecx, ecx
		jnz	short loc_9D8639

loc_9D8635:				; CODE XREF: SeAuditingFileOrGlobalEvents(x,x,x)+4Ej
		xor	al, al
		jmp	short loc_9D8687
; 

loc_9D8639:				; CODE XREF: SeAuditingFileOrGlobalEvents(x,x,x)+41j
					; SeAuditingFileOrGlobalEvents(x,x,x)+63j
		mov	cl, [ebp+arg_0]
		push	[ebp+arg_8]
		test	cl, cl
		mov	dl, cl
		setz	al
		push	eax
		push	75h
		pop	ecx
		mov	[esp+20h+var_C], eax
		call	SepAdtAuditThisEventWithContext
		test	al, al
		jnz	short loc_9D8683
		push	[ebp+arg_8]
		mov	esi, [esp+1Ch+var_C]
		mov	ecx, 82h
		mov	dl, [ebp+arg_0]
		push	esi
		call	SepAdtAuditThisEventWithContext
		test	al, al
		jnz	short loc_9D8683
		push	[ebp+arg_8]
		mov	dl, [ebp+arg_0]
		push	esi
		push	3
		pop	ecx
		call	SepAdtAuditThisEventWithContext
		test	al, al
		jz	short loc_9D8685

loc_9D8683:				; CODE XREF: SeAuditingFileOrGlobalEvents(x,x,x)+85j
					; SeAuditingFileOrGlobalEvents(x,x,x)+9Ej
		mov	bl, 1

loc_9D8685:				; CODE XREF: SeAuditingFileOrGlobalEvents(x,x,x)+B1j
		mov	al, bl

loc_9D8687:				; CODE XREF: SeAuditingFileOrGlobalEvents(x,x,x)+67j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_SeAuditingFileOrGlobalEvents@12 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2438. SeAuditingHardLinkEvents

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditingHardLinkEvents(x,	x)
		public _SeAuditingHardLinkEvents@8
_SeAuditingHardLinkEvents@8 proc near

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		movzx	eax, word ptr [edx+2]
		mov	ecx, eax
		test	al, 10h
		jz	short loc_9D86E3
		test	cx, cx
		mov	ecx, [edx+0Ch]
		jns	short loc_9D86B7
		lea	eax, [ecx+edx]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_9D86B7:				; CODE XREF: SeAuditingHardLinkEvents(x,x)+18j
		test	ecx, ecx
		jz	short loc_9D86E3
		xor	eax, eax
		cmp	ax, [ecx+4]
		jz	short loc_9D86E3
		cmp	byte_6BE6C4, al
		mov	al, [ebp+arg_0]
		jz	short loc_9D86D2
		test	al, al
		jnz	short loc_9D86DF

loc_9D86D2:				; CODE XREF: SeAuditingHardLinkEvents(x,x)+38j
		cmp	byte_6BE6C5, 0
		jz	short loc_9D86E3
		test	al, al
		jnz	short loc_9D86E3

loc_9D86DF:				; CODE XREF: SeAuditingHardLinkEvents(x,x)+3Cj
		mov	al, 1
		jmp	short loc_9D86E5
; 

loc_9D86E3:				; CODE XREF: SeAuditingHardLinkEvents(x,x)+10j
					; SeAuditingHardLinkEvents(x,x)+25j ...
		xor	al, al

loc_9D86E5:				; CODE XREF: SeAuditingHardLinkEvents(x,x)+4Dj
		pop	ebp
		retn	8
_SeAuditingHardLinkEvents@8 endp


;  S U B	R O U T	I N E 


; __stdcall SeAuditingPlugAndPlayEvents()
_SeAuditingPlugAndPlayEvents@0 proc near ; CODE	XREF: PipProcessStartPhase3+BEp
		mov	edi, edi
		push	ecx
		xor	edx, edx
		mov	ecx, 8Ah
		call	SeAuditingWithTokenForSubcategory
		pop	ecx
		retn
_SeAuditingPlugAndPlayEvents@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtClassifyObjectIntoSubCategory(x, x, x, x)
_SepAdtClassifyObjectIntoSubCategory@16	proc near ; CODE XREF: PAGE:008176B1p
					; SepAdtAuditObjectAccessWithContext+14A4F6p ...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		test	edi, edi
		jz	loc_9D8792
		lea	eax, [edi-18h]
		shr	eax, 8
		movzx	esi, al
		movzx	eax, byte ptr [edi-0Ch]
		xor	esi, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	esi, eax
		mov	eax, ds:_ObTypeIndexTable[esi*4]
		cmp	eax, ds:_CmKeyObjectType
		jz	loc_9D87BC
		cmp	eax, ds:_IoFileObjectType
		jnz	short loc_9D8764
		push	[ebp+arg_4]
		mov	dl, [ebp+arg_0]
		mov	esi, 81h
		mov	ecx, esi
		call	_SepAuditingEnabledForSubcategory@12 ; SepAuditingEnabledForSubcategory(x,x,x)
		cmp	al, 1
		jnz	short loc_9D87A7
		mov	ecx, [edi+4]
		call	_SepIsRemovableStorageDevice@4 ; SepIsRemovableStorageDevice(x)
		cmp	al, 1
		jnz	short loc_9D87A7
		jmp	short loc_9D878D
; 

loc_9D8764:				; CODE XREF: SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+44j
		cmp	eax, ds:_IoDeviceObjectType
		jnz	short loc_9D87C0
		push	[ebp+arg_4]
		mov	dl, [ebp+arg_0]
		mov	esi, 81h
		mov	ecx, esi
		call	_SepAuditingEnabledForSubcategory@12 ; SepAuditingEnabledForSubcategory(x,x,x)
		cmp	al, 1
		jnz	short loc_9D87C0
		mov	ecx, edi
		call	_SepIsRemovableStorageDevice@4 ; SepIsRemovableStorageDevice(x)
		cmp	al, 1
		jnz	short loc_9D87C0

loc_9D878D:				; CODE XREF: SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+68j
		mov	ax, si
		jmp	short loc_9D87C3
; 

loc_9D8792:				; CODE XREF: SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+Dj
		test	esi, esi
		jz	short loc_9D87C0
		push	0
		push	offset _SepFileTypeName
		push	esi
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jnz	short loc_9D87AB

loc_9D87A7:				; CODE XREF: SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+5Aj
					; SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+66j
		push	75h
		jmp	short loc_9D87C2
; 

loc_9D87AB:				; CODE XREF: SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+ABj
		push	0
		push	(offset	loc_404E38+4)
		push	esi
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jnz	short loc_9D87C0

loc_9D87BC:				; CODE XREF: SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+38j
		push	76h
		jmp	short loc_9D87C2
; 

loc_9D87C0:				; CODE XREF: SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+70j
					; SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+86j ...
		push	77h

loc_9D87C2:				; CODE XREF: SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+AFj
					; SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+C4j
		pop	eax

loc_9D87C3:				; CODE XREF: SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+96j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_SepAdtClassifyObjectIntoSubCategory@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtIncorporatePerUserPolicy(x, x, x, x, x)
_SepAdtIncorporatePerUserPolicy@20 proc	near
					; CODE XREF: SepAdtAuditPrivilegeUseWithContext+14A86Fp
					; SepAdtAuditPrivilegeUseWithContext+14A8F7p ...

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		cmp	byte ptr [esi+77h], 2
		jnz	short loc_9D881F
		mov	eax, ecx
		and	cl, 1
		shr	eax, 1
		shl	cl, 2
		movzx	eax, byte ptr [eax+esi+58h]
		shr	eax, cl
		and	eax, 0Fh
		jz	short loc_9D881F
		test	dl, dl
		jz	short loc_9D87F6
		test	al, 1
		jnz	short loc_9D8801

loc_9D87F6:				; CODE XREF: SepAdtIncorporatePerUserPolicy(x,x,x,x,x)+27j
		mov	cl, [ebp+arg_0]
		test	cl, cl
		jz	short loc_9D8809
		test	al, 4
		jz	short loc_9D8809

loc_9D8801:				; CODE XREF: SepAdtIncorporatePerUserPolicy(x,x,x,x,x)+2Bj
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	1
		jmp	short loc_9D881F
; 

loc_9D8809:				; CODE XREF: SepAdtIncorporatePerUserPolicy(x,x,x,x,x)+32j
					; SepAdtIncorporatePerUserPolicy(x,x,x,x,x)+36j
		test	dl, dl
		jz	short loc_9D8811
		test	al, 2
		jnz	short loc_9D8819

loc_9D8811:				; CODE XREF: SepAdtIncorporatePerUserPolicy(x,x,x,x,x)+42j
		test	cl, cl
		jz	short loc_9D881F
		test	al, 8
		jz	short loc_9D881F

loc_9D8819:				; CODE XREF: SepAdtIncorporatePerUserPolicy(x,x,x,x,x)+46j
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	0

loc_9D881F:				; CODE XREF: SepAdtIncorporatePerUserPolicy(x,x,x,x,x)+Dj
					; SepAdtIncorporatePerUserPolicy(x,x,x,x,x)+23j ...
		pop	esi
		pop	ebp
		retn	0Ch
_SepAdtIncorporatePerUserPolicy@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BCryptGenerateSymmetricKey(x, x, x,	x, x, x, x)
_BCryptGenerateSymmetricKey@28 proc near
					; CODE XREF: SecureDump_SymmetricEncryptionSetup()+84p
					; SmCrEncStart(x,x,x,x)+126p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, 0C0000002h
		mov	ecx, _SepBCryptExtensionHost
		push	edi
		mov	edi, edx
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_9D8864
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	ebx
		call	dword ptr [eax+4Ch]
		mov	ecx, _SepBCryptExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_9D8864:				; CODE XREF: BCryptGenerateSymmetricKey(x,x,x,x,x,x,x)+1Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
_BCryptGenerateSymmetricKey@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BCryptImportKeyPair(x, x, x, x, x, x, x)
_BCryptImportKeyPair@28	proc near	; CODE XREF: SecureDump_EncryptSymmetricKeyWithPublicKey()+D3p

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, 0C0000002h
		mov	ecx, _SepBCryptExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_9D88AD
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	offset ??_C@_1BM@BJJGGDHH@?$AAR?$AAS?$AAA?$AAP?$AAU?$AAB?$AAL?$AAI?$AAC?$AAB?$AAL?$AAO?$AAB@FNODOBFM@
		push	0
		push	edi
		call	dword ptr [eax+60h]
		mov	ecx, _SepBCryptExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_9D88AD:				; CODE XREF: BCryptImportKeyPair(x,x,x,x,x,x,x)+1Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	14h
_BCryptImportKeyPair@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BCryptSetProperty(x, x, x, x, x)
_BCryptSetProperty@20 proc near		; CODE XREF: SecureDump_SymmetricEncryptionSetup()+DCp
					; SmCrEncStart(x,x,x,x)+10Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, 0C0000002h
		mov	ecx, _SepBCryptExtensionHost
		push	edi
		mov	edi, edx
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_9D88EF
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	ebx
		call	dword ptr [eax+74h]
		mov	ecx, _SepBCryptExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_9D88EF:				; CODE XREF: BCryptSetProperty(x,x,x,x,x)+1Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_BCryptSetProperty@20 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1356. LsaCallAuthenticationPackage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; NTSTATUS __stdcall LsaCallAuthenticationPackage(HANDLE LsaHandle,ULONG AuthenticationPackage,PVOID ProtocolSubmitBuffer,ULONG	SubmitBufferLength,PVOID *ProtocolReturnBuffer,PULONG ReturnBufferLength,PNTSTATUS ProtocolStatus)
		public _LsaCallAuthenticationPackage@28
_LsaCallAuthenticationPackage@28 proc near

LsaHandle	= dword	ptr  8
AuthenticationPackage= dword ptr  0Ch
ProtocolSubmitBuffer= dword ptr	 10h
SubmitBufferLength= dword ptr  14h
ProtocolReturnBuffer= dword ptr	 18h
ReturnBufferLength= dword ptr  1Ch
ProtocolStatus	= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, _SepAuthExtensionHost
		push	esi
		mov	esi, 0C0000002h
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_9D893B
		push	[ebp+ProtocolStatus]
		push	[ebp+ReturnBufferLength]
		push	[ebp+ProtocolReturnBuffer]
		push	[ebp+SubmitBufferLength]
		push	[ebp+ProtocolSubmitBuffer]
		push	[ebp+AuthenticationPackage]
		push	[ebp+LsaHandle]
		call	dword ptr [eax]
		mov	ecx, _SepAuthExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_9D893B:				; CODE XREF: LsaCallAuthenticationPackage(x,x,x,x,x,x,x)+18j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	1Ch
_LsaCallAuthenticationPackage@28 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1357. LsaDeregisterLogonProcess

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; NTSTATUS __stdcall LsaDeregisterLogonProcess(HANDLE LsaHandle)
		public _LsaDeregisterLogonProcess@4
_LsaDeregisterLogonProcess@4 proc near

LsaHandle	= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, _SepAuthExtensionHost
		push	esi
		mov	esi, 0C0000002h
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_9D8974
		push	[ebp+LsaHandle]
		call	dword ptr [eax+4]
		mov	ecx, _SepAuthExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_9D8974:				; CODE XREF: LsaDeregisterLogonProcess(x)+18j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_LsaDeregisterLogonProcess@4 endp

; 
		align 10h
; Exported entry 1359. LsaLogonUser

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; NTSTATUS __stdcall LsaLogonUser(HANDLE LsaHandle,PLSA_STRING OriginName,SECURITY_LOGON_TYPE LogonType,ULONG AuthenticationPackage,PVOID AuthenticationInformation,ULONG AuthenticationInformationLength,PTOKEN_GROUPS	LocalGroups,PTOKEN_SOURCE SourceContext,PVOID *ProfileBuffer,PULONG ProfileBufferLength,PLUID LogonId,PHANDLE Token,PQUOTA_LIMITS Quotas,PNTSTATUS SubStatus)
		public _LsaLogonUser@56
_LsaLogonUser@56 proc near

LsaHandle	= dword	ptr  8
OriginName	= dword	ptr  0Ch
LogonType	= dword	ptr  10h
AuthenticationPackage= dword ptr  14h
AuthenticationInformation= dword ptr  18h
AuthenticationInformationLength= dword ptr  1Ch
LocalGroups	= dword	ptr  20h
SourceContext	= dword	ptr  24h
ProfileBuffer	= dword	ptr  28h
ProfileBufferLength= dword ptr	2Ch
LogonId		= dword	ptr  30h
Token		= dword	ptr  34h
Quotas		= dword	ptr  38h
SubStatus	= dword	ptr  3Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, _SepAuthExtensionHost
		push	esi
		mov	esi, 0C0000002h
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_9D89D4
		push	[ebp+SubStatus]
		push	[ebp+Quotas]
		push	[ebp+Token]
		push	[ebp+LogonId]
		push	[ebp+ProfileBufferLength]
		push	[ebp+ProfileBuffer]
		push	[ebp+SourceContext]
		push	[ebp+LocalGroups]
		push	[ebp+AuthenticationInformationLength]
		push	[ebp+AuthenticationInformation]
		push	[ebp+AuthenticationPackage]
		push	[ebp+LogonType]
		push	[ebp+OriginName]
		push	[ebp+LsaHandle]
		call	dword ptr [eax+0Ch]
		mov	ecx, _SepAuthExtensionHost
		mov	esi, eax
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_9D89D4:				; CODE XREF: LsaLogonUser(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+18j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	38h
_LsaLogonUser@56 endp


;  S U B	R O U T	I N E 


; __stdcall NtAdjustTokenClaimsAndDeviceGroups(x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x)
_NtAdjustTokenClaimsAndDeviceGroups@64 proc near ; DATA	XREF: .text:0058127Co
		mov	eax, 0C0000002h
		retn	40h
_NtAdjustTokenClaimsAndDeviceGroups@64 endp


;  S U B	R O U T	I N E 


; __stdcall NtFilterTokenEx(x, x, x, x,	x, x, x, x, x, x, x, x,	x, x)
_NtFilterTokenEx@56 proc near		; DATA XREF: .text:0058105Co
		mov	eax, 0C0000002h
		retn	38h
_NtFilterTokenEx@56 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCopyAnonymousTokenAndSetSilo(x, x)
_SepCopyAnonymousTokenAndSetSilo@8 proc	near
					; CODE XREF: PspAddSchedulingGroupToJobChain+21Ap

var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_124		= dword	ptr -124h
var_D0		= dword	ptr -0D0h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 154h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_14C], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_150], ecx
		lea	edx, [ebp+var_14C]
		xor	ecx, ecx
		call	_SepGetAnonymousToken@8	; SepGetAnonymousToken(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9D8B20
		push	74h		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_148]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_D0]
		push	0C4h		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	ebx, [ebp+var_14C]
		add	esp, 0Ch
		lea	eax, [ebx-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [ebx-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		mov	eax, ds:_ObTypeIndexTable[edx*4]
		add	eax, 34h
		push	eax		; int
		push	esi		; int
		lea	eax, [ebp+var_D0]
		push	eax		; void *
		lea	eax, [ebp+var_148]
		push	eax		; void *
		call	SeCreateAccessState
		call	_PsGetCurrentProcess@0 ; PsGetCurrentProcess()
		mov	edx, [ebp+var_124]
		lea	ecx, [eax+12Ch]
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	ecx, ds:_SeAnonymousLogonTokenNoEveryone
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, ds:_SeAnonymousLogonTokenNoEveryone
		push	esi
		push	esi
		push	esi
		mov	[ebp+var_124], eax
		lea	eax, [ebp+var_148]
		push	esi
		push	eax
		push	ebx
		call	_ObInsertObject@24 ; ObInsertObject(x,x,x,x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_148]
		push	eax
		call	SeDeleteAccessState
		test	esi, esi
		js	short loc_9D8B20
		mov	ecx, ebx
		call	_SepFinalizeTokenAcls@4	; SepFinalizeTokenAcls(x)
		push	[ebp+var_150]
		mov	[edi], ebx
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9D8B02
		mov	edx, eax
		mov	ecx, ebx
		call	SeSetSessionIdToken
		mov	esi, eax

loc_9D8B02:				; CODE XREF: SepCopyAnonymousTokenAndSetSilo(x,x)+10Aj
		test	esi, esi
		js	short loc_9D8B19
		mov	edx, [ebp+var_150]
		mov	ecx, [edi]
		call	_SepSetServerSiloToken@8 ; SepSetServerSiloToken(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9D8B23

loc_9D8B19:				; CODE XREF: SepCopyAnonymousTokenAndSetSilo(x,x)+119j
		mov	ecx, [edi]
		call	ObfDereferenceObject

loc_9D8B20:				; CODE XREF: SepCopyAnonymousTokenAndSetSilo(x,x)+38j
					; SepCopyAnonymousTokenAndSetSilo(x,x)+F1j
		and	dword ptr [edi], 0

loc_9D8B23:				; CODE XREF: SepCopyAnonymousTokenAndSetSilo(x,x)+12Cj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SepCopyAnonymousTokenAndSetSilo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCopyClientTokenAndSetSilo(x, x, x, x)
_SepCopyClientTokenAndSetSilo@16 proc near ; CODE XREF:	SepCreateClientSecurityEx+FD007p
					; SepUpdateSiloInClientSecurity(x,x)+61p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		push	edi
		push	0
		push	0
		push	ecx
		call	SeCopyClientToken
		mov	esi, eax
		test	esi, esi
		js	short loc_9D8B87
		push	[ebp+arg_0]
		call	_PsGetServerSiloServiceSessionId@4 ; PsGetServerSiloServiceSessionId(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9D8B67
		mov	ecx, [edi]
		mov	edx, eax
		call	SeSetSessionIdToken
		mov	esi, eax

loc_9D8B67:				; CODE XREF: SepCopyClientTokenAndSetSilo(x,x,x,x)+26j
		test	esi, esi
		js	short loc_9D8B7B
		mov	edx, [ebp+arg_0]
		mov	ecx, [edi]
		call	_SepSetServerSiloToken@8 ; SepSetServerSiloToken(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9D8B85

loc_9D8B7B:				; CODE XREF: SepCopyClientTokenAndSetSilo(x,x,x,x)+35j
		mov	ecx, [edi]
		call	ObfDereferenceObject
		and	dword ptr [edi], 0

loc_9D8B85:				; CODE XREF: SepCopyClientTokenAndSetSilo(x,x,x,x)+45j
		mov	eax, esi

loc_9D8B87:				; CODE XREF: SepCopyClientTokenAndSetSilo(x,x,x,x)+19j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_SepCopyClientTokenAndSetSilo@16 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2473. SeIsParentOfChildAppContainer

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeIsParentOfChildAppContainer(x, x,	x)
		public _SeIsParentOfChildAppContainer@12
_SeIsParentOfChildAppContainer@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_SepIsParentOfChildAppContainer@12 ; SepIsParentOfChildAppContainer(x,x,x)
		pop	ebp
		retn	0Ch
_SeIsParentOfChildAppContainer@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeSetPrivateNameSpaceToken(x, x)
_SeSetPrivateNameSpaceToken@8 proc near	; CODE XREF: PAGE:007EA0FAp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, edx
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		nop
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		and	[ebp+var_4], edi
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		lock or	[eax], ecx
		cmp	[esi+0B4h], cl
		jz	short loc_9D8BEB
		mov	edi, 0C000012Bh
		jmp	short loc_9D8C07
; 

loc_9D8BEB:				; CODE XREF: SeSetPrivateNameSpaceToken(x,x)+39j
		mov	eax, [esi+0B0h]
		test	ebx, ebx
		jz	short loc_9D8BFC
		or	eax, 10000h
		jmp	short loc_9D8C01
; 

loc_9D8BFC:				; CODE XREF: SeSetPrivateNameSpaceToken(x,x)+4Aj
		and	eax, 0FFFEFFFFh

loc_9D8C01:				; CODE XREF: SeSetPrivateNameSpaceToken(x,x)+51j
		mov	[esi+0B0h], eax

loc_9D8C07:				; CODE XREF: SeSetPrivateNameSpaceToken(x,x)+40j
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SeSetPrivateNameSpaceToken@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2506. SeSetSecurityAttributesToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeSetSecurityAttributesToken(x, x, x, x)
		public _SeSetSecurityAttributesToken@16
_SeSetSecurityAttributesToken@16 proc near

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		mov	dl, [ebp+arg_4]
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		push	0
		call	_SepInternalSetSecurityAttributesToken@20 ; SepInternalSetSecurityAttributesToken(x,x,x,x,x)
		pop	ebp
		retn	10h
_SeSetSecurityAttributesToken@16 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2510. SeSetSessionIdTokenWithLinked

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeSetSessionIdTokenWithLinked(x, x)
		public _SeSetSessionIdTokenWithLinked@8
_SeSetSessionIdTokenWithLinked@8 proc near

var_1E		= dword	ptr -1Eh
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		mov	al, [eax+15Ah]
		xor	ebx, ebx
		push	edi
		mov	byte ptr [esp+30h+var_10], al
		lea	eax, [esp+30h+var_C]
		push	eax
		lea	eax, [esp+34h+var_1E+1]
		mov	[esp+34h+var_1E+2], ebx
		push	eax
		lea	eax, [esp+38h+var_1E+2]
		mov	[esp+38h+var_18], ebx
		push	eax
		push	[esp+3Ch+var_10]
		mov	[esp+40h+var_14], ebx
		push	8
		pop	edx
		call	SepReferenceTokenByHandle
		mov	esi, eax
		test	esi, esi
		js	loc_9D8D65
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [esp+30h+var_1E+2]
		push	1
		push	dword ptr [edi+30h]
		call	ExAcquireResourceSharedLite
		cmp	[edi+0B4h], bl
		jz	short loc_9D8CDE
		mov	esi, 0C000012Bh
		jmp	loc_9D8D69
; 

loc_9D8CDE:				; CODE XREF: SeSetSessionIdTokenWithLinked(x,x)+76j
		mov	edx, [edi+0C0h]
		lea	eax, [esp+30h+var_18]
		push	eax
		lea	ecx, [edx+4]
		mov	edx, [edx+58h]
		call	_SepReferenceLogonSessionSilo@12 ; SepReferenceLogonSessionSilo(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D8D69
		mov	eax, [esp+30h+var_18]
		mov	edx, [edi+0C0h]
		mov	eax, [eax+20h]
		mov	ecx, [edx+0Ch]
		mov	[esp+30h+var_10], eax
		mov	eax, [edx+10h]
		mov	[esp+30h+var_4], eax
		or	eax, ecx
		mov	[esp+30h+var_8], ecx
		jz	short loc_9D8D3B
		mov	edx, [edx+58h]
		lea	eax, [esp+30h+var_14]
		push	eax
		lea	ecx, [esp+34h+var_8]
		call	_SepReferenceLogonSessionSilo@12 ; SepReferenceLogonSessionSilo(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9D8D69
		mov	eax, [esp+30h+var_14]
		mov	ebx, [eax+20h]

loc_9D8D3B:				; CODE XREF: SeSetSessionIdTokenWithLinked(x,x)+BFj
		mov	eax, [esp+30h+var_10]
		test	eax, eax
		jz	short loc_9D8D53
		mov	edx, [ebp+arg_4]
		mov	ecx, eax
		call	SeSetSessionIdToken
		mov	esi, eax
		test	esi, esi
		js	short loc_9D8D69

loc_9D8D53:				; CODE XREF: SeSetSessionIdTokenWithLinked(x,x)+E5j
		test	ebx, ebx
		jz	short loc_9D8D69
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		call	SeSetSessionIdToken
		mov	esi, eax
		jmp	short loc_9D8D69
; 

loc_9D8D65:				; CODE XREF: SeSetSessionIdTokenWithLinked(x,x)+4Ej
		mov	edi, [esp+30h+var_1E+2]

loc_9D8D69:				; CODE XREF: SeSetSessionIdTokenWithLinked(x,x)+7Dj
					; SeSetSessionIdTokenWithLinked(x,x)+9Cj ...
		test	edi, edi
		jz	short loc_9D8D8A
		mov	ecx, [edi+30h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [esp+30h+var_1E+2]
		call	ObfDereferenceObject

loc_9D8D8A:				; CODE XREF: SeSetSessionIdTokenWithLinked(x,x)+10Fj
		mov	ecx, [esp+30h+var_18]
		test	ecx, ecx
		jz	short loc_9D8D97
		call	_SepDeReferenceLogonSessionDirect@4 ; SepDeReferenceLogonSessionDirect(x)

loc_9D8D97:				; CODE XREF: SeSetSessionIdTokenWithLinked(x,x)+134j
		mov	ecx, [esp+30h+var_14]
		test	ecx, ecx
		jz	short loc_9D8DA4
		call	_SepDeReferenceLogonSessionDirect@4 ; SepDeReferenceLogonSessionDirect(x)

loc_9D8DA4:				; CODE XREF: SeSetSessionIdTokenWithLinked(x,x)+141j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_SeSetSessionIdTokenWithLinked@8 endp


;  S U B	R O U T	I N E 


; __stdcall SepAppendPrimaryGroup(x, x)
_SepAppendPrimaryGroup@8 proc near	; CODE XREF: PAGE:007E9925p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, [edi+0A4h]
		test	eax, eax
		jz	short loc_9D8DCC
		movzx	ebx, word ptr [eax+2]
		add	ebx, [edi+0A0h]
		jmp	short loc_9D8DD2
; 

loc_9D8DCC:				; CODE XREF: SepAppendPrimaryGroup(x,x)+Fj
		mov	ebx, [edi+0A0h]

loc_9D8DD2:				; CODE XREF: SepAppendPrimaryGroup(x,x)+1Bj
		movzx	eax, byte ptr [edx+1]
		lea	esi, ds:8[eax*4]
		push	esi		; size_t
		push	edx		; void *
		push	ebx		; void *
		call	_memcpy
		sub	[edi+8Ch], esi
		add	esp, 0Ch
		mov	[edi+9Ch], ebx
		pop	edi
		pop	esi
		pop	ebx
		retn
_SepAppendPrimaryGroup@8 endp


;  S U B	R O U T	I N E 


; __stdcall SepFreePrimaryGroup(x)
_SepFreePrimaryGroup@4 proc near	; CODE XREF: PAGE:007E991Bp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+9Ch]
		mov	ecx, [esi+0A4h]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:8[eax*4]
		add	[esi+8Ch], eax
		test	ecx, ecx
		jz	short loc_9D8E43
		mov	edx, [esi+0A0h]
		cmp	edx, ecx
		jz	short loc_9D8E43
		movzx	eax, word ptr [ecx+2]
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memmove
		mov	eax, [esi+0A0h]
		add	esp, 0Ch
		mov	[esi+0A4h], eax

loc_9D8E43:				; CODE XREF: SepFreePrimaryGroup(x)+24j
					; SepFreePrimaryGroup(x)+2Ej
		pop	esi
		retn
_SepFreePrimaryGroup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepModifyTokenPolicyCounter(x, x)
_SepModifyTokenPolicyCounter@8 proc near ; CODE	XREF: PAGE:007E9EA6p
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+363p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		and	[ebp+var_8], 0
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_1C], ecx
		test	dl, dl
		mov	[ebp+var_14], 9
		push	esi
		setnz	bl
		mov	edx, offset _AdtpPerCategoryCount
		push	edi
		mov	edi, offset _SepTokenPolicyCounterByCategory
		mov	[ebp+var_10], edi
		lea	ebx, ds:0FFFFFFFFh[ebx*2]
		mov	[ebp+var_20], ebx

loc_9D8E7C:				; CODE XREF: SepModifyTokenPolicyCounter(x,x)+B9j
		xor	al, al
		xor	ecx, ecx
		and	[ebp+var_18], ecx
		mov	[ebp+var_1], al
		movzx	eax, word ptr [edx]
		mov	esi, eax
		mov	[ebp+var_C], ecx
		cmp	word ptr [ebp+var_18], ax
		jnb	short loc_9D8EEB
		mov	edi, [ebp+var_1C]

loc_9D8E97:				; CODE XREF: SepModifyTokenPolicyCounter(x,x)+92j
		mov	ebx, [ebp+var_8]
		movzx	esi, cx
		add	cl, bl
		add	esi, ebx
		and	cl, 1
		mov	ebx, [ebp+var_20]
		mov	eax, esi
		shr	eax, 1
		shl	cl, 2
		mov	al, [eax+edi]
		shr	al, cl
		test	al, 0Fh
		jz	short loc_9D8EC8
		mov	ecx, ebx
		lea	eax, _SepTokenPolicyCounter[esi*4]
		lock xadd [eax], ecx
		mov	[ebp+var_1], 1

loc_9D8EC8:				; CODE XREF: SepModifyTokenPolicyCounter(x,x)+70j
		mov	ecx, [ebp+var_C]
		movzx	eax, word ptr [edx]
		inc	ecx
		mov	[ebp+var_C], ecx
		mov	esi, eax
		cmp	cx, ax
		jb	short loc_9D8E97
		cmp	[ebp+var_1], 0
		mov	edi, [ebp+var_10]
		jz	short loc_9D8EEB
		mov	eax, ebx
		lock xadd [edi], eax
		movzx	esi, word ptr [edx]

loc_9D8EEB:				; CODE XREF: SepModifyTokenPolicyCounter(x,x)+4Dj
					; SepModifyTokenPolicyCounter(x,x)+9Bj
		movzx	eax, si
		add	edi, 4
		add	[ebp+var_8], eax
		add	edx, 2
		sub	[ebp+var_14], 1
		mov	[ebp+var_10], edi
		jnz	loc_9D8E7C
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SepModifyTokenPolicyCounter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSetServerSiloToken(x, x)
_SepSetServerSiloToken@8 proc near	; CODE XREF: SepCopyAnonymousTokenAndSetSilo(x,x)+123p
					; SepCopyClientTokenAndSetSilo(x,x,x,x)+3Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, edx
		mov	esi, ecx
		nop
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceExclusiveLite
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		lock or	[eax], ecx
		test	byte ptr [esi+0B0h], 20h
		jnz	short loc_9D8F92
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		lea	ecx, [esi+18h]
		call	_SepReferenceLogonSessionSilo@12 ; SepReferenceLogonSessionSilo(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9D8FA3
		cmp	ds:_SeTokenLeakTracking, 0
		jz	short loc_9D8F6C
		mov	ecx, esi
		call	_SepRemoveTokenLogonSession@4 ;	SepRemoveTokenLogonSession(x)

loc_9D8F6C:				; CODE XREF: SepSetServerSiloToken(x,x)+5Aj
		mov	ecx, [esi+0C0h]
		call	_SepDeReferenceLogonSessionDirect@4 ; SepDeReferenceLogonSessionDirect(x)
		mov	eax, [ebp+var_4]
		mov	[esi+0C0h], eax
		cmp	ds:_SeTokenLeakTracking, 0
		jz	short loc_9D8F97
		mov	ecx, esi
		call	_SepAddTokenLogonSession@4 ; SepAddTokenLogonSession(x)
		jmp	short loc_9D8F97
; 

loc_9D8F92:				; CODE XREF: SepSetServerSiloToken(x,x)+3Dj
		mov	edi, 0C0000008h

loc_9D8F97:				; CODE XREF: SepSetServerSiloToken(x,x)+7Ej
					; SepSetServerSiloToken(x,x)+87j
		test	edi, edi
		js	short loc_9D8FA3
		lea	ecx, [esi+34h]
		call	_ExAllocateLocallyUniqueId@4 ; ExAllocateLocallyUniqueId(x)

loc_9D8FA3:				; CODE XREF: SepSetServerSiloToken(x,x)+51j
					; SepSetServerSiloToken(x,x)+90j
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
_SepSetServerSiloToken@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2423. SeAdjustAccessStateForTrustLabel

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAdjustAccessStateForTrustLabel(x,	x, x)
		public _SeAdjustAccessStateForTrustLabel@12
_SeAdjustAccessStateForTrustLabel@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	_SepAdjustAccessStateForConstraints@16 ; SepAdjustAccessStateForConstraints(x,x,x,x)
		pop	ebp
		retn	0Ch
_SeAdjustAccessStateForTrustLabel@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdjustAccessStateForConstraints(x, x, x,	x)
_SepAdjustAccessStateForConstraints@16 proc near
					; CODE XREF: CmpSetAccessStateForBackupRestore(x,x,x,x)+7Ep
					; SeAdjustAccessStateForTrustLabel(x,x,x)+10p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		or	[ebp+var_10], 0FFFFFFFFh
		or	[ebp+var_C], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	ebx, ebx
		mov	[ebp+var_8], edx
		mov	byte ptr [ebp+var_1], bl
		mov	[ebp+var_18], ebx
		test	byte ptr [edi+0Ch], 6
		mov	[ebp+var_14], ebx
		jz	loc_9D90D5
		mov	eax, [ecx+2Ch]
		cmp	eax, 1
		jnz	short loc_9D9022
		mov	ebx, 1120089h
		mov	esi, 11F0116h
		jmp	short loc_9D9037
; 

loc_9D9022:				; CODE XREF: SepAdjustAccessStateForConstraints(x,x,x,x)+34j
		cmp	eax, 100h
		jnz	short loc_9D9035
		mov	ebx, 1020019h
		mov	esi, 10F0006h
		jmp	short loc_9D9037
; 

loc_9D9035:				; CODE XREF: SepAdjustAccessStateForConstraints(x,x,x,x)+47j
		mov	esi, ebx

loc_9D9037:				; CODE XREF: SepAdjustAccessStateForConstraints(x,x,x,x)+40j
					; SepAdjustAccessStateForConstraints(x,x,x,x)+53j
		mov	eax, [edi+1Ch]
		test	eax, eax
		jnz	short loc_9D9041
		mov	eax, [edi+24h]

loc_9D9041:				; CODE XREF: SepAdjustAccessStateForConstraints(x,x,x,x)+5Cj
		lea	ecx, [ebp+var_18]
		xor	edx, edx
		push	ecx
		mov	ecx, [ebp+var_8]
		push	1
		push	eax
		call	SepFilterCheck
		cmp	byte ptr [ebp+var_14], 0
		jz	short loc_9D9064
		cmp	byte ptr [ebp+arg_0], 0
		jz	short loc_9D9064
		mov	eax, [ebp+var_18]
		mov	[ebp+var_10], eax

loc_9D9064:				; CODE XREF: SepAdjustAccessStateForConstraints(x,x,x,x)+76j
					; SepAdjustAccessStateForConstraints(x,x,x,x)+7Cj
		mov	ecx, [ebp+var_8]
		call	_SeGetTrustLabelAce@4 ;	SeGetTrustLabelAce(x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	short loc_9D90A1
		lea	ecx, [eax+8]
		mov	[ebp+arg_0], ecx
		test	ecx, ecx
		jz	short loc_9D909C
		lea	ecx, [edi+1Ch]
		call	_SepLocateTokenTrustLevel@4 ; SepLocateTokenTrustLevel(x)
		mov	edx, [ebp+arg_0]
		lea	ecx, [ebp+var_1]
		push	ecx
		mov	ecx, eax
		call	_RtlSidDominatesForTrust@12 ; RtlSidDominatesForTrust(x,x,x)
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_9D90A1
		mov	eax, [ebp+arg_4]

loc_9D909C:				; CODE XREF: SepAdjustAccessStateForConstraints(x,x,x,x)+9Bj
		mov	edx, [eax+4]
		jmp	short loc_9D90A4
; 

loc_9D90A1:				; CODE XREF: SepAdjustAccessStateForConstraints(x,x,x,x)+91j
					; SepAdjustAccessStateForConstraints(x,x,x,x)+B7j
		mov	edx, [ebp+var_C]

loc_9D90A4:				; CODE XREF: SepAdjustAccessStateForConstraints(x,x,x,x)+BFj
		mov	ecx, [ebp+var_10]
		mov	eax, edx
		and	eax, ecx
		not	eax
		and	ebx, eax
		and	esi, eax
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_9D90BA
		cmp	ecx, edx
		jz	short loc_9D90D5

loc_9D90BA:				; CODE XREF: SepAdjustAccessStateForConstraints(x,x,x,x)+D4j
		mov	ecx, [edi+0Ch]
		mov	eax, [edi+14h]
		test	cl, 2
		jz	short loc_9D90C9
		not	ebx
		and	eax, ebx

loc_9D90C9:				; CODE XREF: SepAdjustAccessStateForConstraints(x,x,x,x)+E3j
		test	cl, 4
		jz	short loc_9D90D2
		not	esi
		and	eax, esi

loc_9D90D2:				; CODE XREF: SepAdjustAccessStateForConstraints(x,x,x,x)+ECj
		mov	[edi+14h], eax

loc_9D90D5:				; CODE XREF: SepAdjustAccessStateForConstraints(x,x,x,x)+28j
					; SepAdjustAccessStateForConstraints(x,x,x,x)+D8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SepAdjustAccessStateForConstraints@16 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2424. SeAdjustObjectSecurity

;  S U B	R O U T	I N E 


; __stdcall SeAdjustObjectSecurity(x, x, x, x, x, x)
		public _SeAdjustObjectSecurity@24
_SeAdjustObjectSecurity@24 proc	near	; CODE XREF: PAGE:0074BADAp
		mov	eax, 0C0000002h
		retn	18h
_SeAdjustObjectSecurity@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeSecurityModelQueryInformation(x, x, x)
_SeSecurityModelQueryInformation@12 proc near ;	CODE XREF: PAGE:007822B3p

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0Ch
		push	offset dword_6A9348
		call	__SEH_prolog4
		mov	esi, ecx
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 4
		and	[ebp+ms_exc.disabled], 0
		push	edx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		call	_SepIsAdminlessEnforcementModeEnabled@0	; SepIsAdminlessEnforcementModeEnabled()
		cmp	al, 1
		jz	short loc_9D9122
		call	_SepIsAdminlessAuditModeEnabled@0 ; SepIsAdminlessAuditModeEnabled()
		cmp	al, 1
		jnz	short loc_9D912E

loc_9D9122:				; CODE XREF: SeSecurityModelQueryInformation(x,x,x)+2Ej
		call	_SepIsSModeEnabled@0 ; SepIsSModeEnabled()
		cmp	al, 1
		jnz	short loc_9D912E
		or	dword ptr [esi], 1

loc_9D912E:				; CODE XREF: SeSecurityModelQueryInformation(x,x,x)+37j
					; SeSecurityModelQueryInformation(x,x,x)+40j
		call	_SepIsDeviceOwnerProtectionDowngradeAllowed@0 ;	SepIsDeviceOwnerProtectionDowngradeAllowed()
		test	al, al
		jz	short loc_9D9145
		or	dword ptr [esi], 2
		jmp	short loc_9D9145
; 

loc_9D913C:				; DATA XREF: .text:006A935Co
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_9D9142:				; DATA XREF: .text:006A9360o
		mov	esp, [ebp+ms_exc.old_esp]

loc_9D9145:				; CODE XREF: SeSecurityModelQueryInformation(x,x,x)+4Cj
					; SeSecurityModelQueryInformation(x,x,x)+51j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SeSecurityModelQueryInformation@12 endp


;  S U B	R O U T	I N E 


; __stdcall SepGetSidManagementActionName(x, x)
_SepGetSidManagementActionName@8 proc near
					; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+F2p
		and	dword ptr [edx], 0
		sub	ecx, 0
		jz	short loc_9D91B8
		sub	ecx, 1
		jz	short loc_9D91AC
		sub	ecx, 1
		jz	short loc_9D91A0
		sub	ecx, 1
		jz	short loc_9D9194
		sub	ecx, 1
		jz	short loc_9D9188
		mov	dword ptr [edx], 18h
		mov	eax, offset aDeallocated ; "Deallocated"
		retn
; 

loc_9D9188:				; CODE XREF: SepGetSidManagementActionName(x,x)+1Aj
		mov	dword ptr [edx], 3Ch
		mov	eax, offset off_6B66F0
		retn
; 

loc_9D9194:				; CODE XREF: SepGetSidManagementActionName(x,x)+15j
		mov	dword ptr [edx], 2Ch
		mov	eax, offset off_6B66C4
		retn
; 

loc_9D91A0:				; CODE XREF: SepGetSidManagementActionName(x,x)+10j
		mov	dword ptr [edx], 32h
		mov	eax, offset aAssignedExisti ; "Assigned	Existing Shared"
		retn
; 

loc_9D91AC:				; CODE XREF: SepGetSidManagementActionName(x,x)+Bj
		mov	dword ptr [edx], 22h
		mov	eax, offset aAssignedNewOwn ; "Assigned	New Own"
		retn
; 

loc_9D91B8:				; CODE XREF: SepGetSidManagementActionName(x,x)+6j
		mov	dword ptr [edx], 28h
		mov	eax, offset aAssignedNewSha ; "Assigned	New Shared"
		retn
_SepGetSidManagementActionName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepLogTokenSidManagement(x,	x, x, x, x)
_SepLogTokenSidManagement@20 proc near	; CODE XREF: SepDereferenceSidValuesBlock(x,x,x)+2Dp
					; SepSetTokenUserAndGroups(x,x,x,x,x)+13Ep ...

var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 148h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_134], eax
		mov	eax, _EtwKernelProvRegHandle
		mov	[ebp+var_108], ecx
		xor	ecx, ecx
		or	eax, dword_6BC12C
		push	edi
		mov	edi, edx
		mov	[ebp+var_10C], ecx
		mov	[ebp+var_11C], ecx
		mov	[ebp+var_120], ecx
		jz	loc_9D959D
		cmp	_SepTokenSidManagementLoggingEnabled, cl
		jz	loc_9D959D
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		test	ebx, ebx
		jz	short loc_9D9280
		lea	ecx, [ebx+10h]
		call	_RtlConvertLuidToUlonglong@4 ; RtlConvertLuidToUlonglong(x)
		lea	ecx, [ebx+18h]
		mov	[ebp+var_128], eax
		mov	[ebp+var_124], edx
		call	_RtlConvertLuidToUlonglong@4 ; RtlConvertLuidToUlonglong(x)
		mov	[ebp+var_130], eax
		mov	eax, [ebx+0A8h]
		mov	[ebp+var_110], eax
		mov	eax, [ebx+0ACh]
		mov	[ebp+var_114], eax
		mov	eax, [ebx+0B0h]
		mov	[ebp+var_12C], edx
		mov	[ebp+var_118], eax
		test	al, 20h
		jnz	short loc_9D92AA
		mov	esi, [ebx+0C0h]
		jmp	short loc_9D92AA
; 

loc_9D9280:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+62j
		mov	[ebp+var_128], ecx
		mov	[ebp+var_124], ecx
		mov	[ebp+var_130], ecx
		mov	[ebp+var_12C], ecx
		mov	[ebp+var_110], ecx
		mov	[ebp+var_114], ecx
		mov	[ebp+var_118], ecx

loc_9D92AA:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+B2j
					; SepLogTokenSidManagement(x,x,x,x,x)+BAj
		mov	ecx, [ebp+var_108]
		lea	edx, [ebp+var_10C]
		call	_SepGetSidManagementActionName@8 ; SepGetSidManagementActionName(x,x)
		mov	[ebp+var_104], eax
		xor	ebx, ebx
		mov	eax, [ebp+var_10C]
		mov	ecx, offset unk_6FE128
		mov	[ebp+var_FC], eax
		mov	eax, large fs:124h
		mov	[ebp+var_100], ebx
		mov	[ebp+var_F8], ebx
		push	2
		mov	eax, [eax+80h]
		pop	edx
		mov	eax, [eax+1C0h]
		test	eax, eax
		jz	short loc_9D9307
		cmp	[eax], bx
		jz	short loc_9D9307
		mov	ebx, [eax+4]
		movzx	eax, word ptr [eax+2]
		jmp	short loc_9D930B
; 

loc_9D9307:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+133j
					; SepLogTokenSidManagement(x,x,x,x,x)+138j
		mov	ebx, ecx
		mov	eax, edx

loc_9D930B:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+141j
		mov	[ebp+var_F4], ebx
		xor	ebx, ebx
		mov	[ebp+var_F0], ebx
		mov	[ebp+var_EC], eax
		mov	[ebp+var_E8], ebx
		test	esi, esi
		jz	short loc_9D9338
		cmp	[esi+24h], bx
		jz	short loc_9D9338
		mov	eax, [esi+28h]
		movzx	ebx, word ptr [esi+26h]
		jmp	short loc_9D933C
; 

loc_9D9338:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+163j
					; SepLogTokenSidManagement(x,x,x,x,x)+169j
		mov	eax, ecx
		mov	ebx, edx

loc_9D933C:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+172j
		mov	[ebp+var_E4], eax
		xor	eax, eax
		mov	[ebp+var_DC], ebx
		xor	ebx, ebx
		mov	[ebp+var_E0], eax
		mov	[ebp+var_D8], ebx
		test	esi, esi
		jz	short loc_9D9369
		cmp	[esi+2Ch], bx
		jz	short loc_9D9369
		mov	ecx, [esi+30h]
		movzx	edx, word ptr [esi+2Eh]

loc_9D9369:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+196j
					; SepLogTokenSidManagement(x,x,x,x,x)+19Cj
		mov	[ebp+var_D4], ecx
		lea	eax, [ebp+var_128]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_130]
		mov	[ebp+var_B4], eax
		lea	eax, [ebp+var_110]
		mov	[ebp+var_A4], eax
		lea	eax, [ebp+var_114]
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_118]
		mov	[ebp+var_D0], ebx
		mov	[ebp+var_CC], edx
		mov	[ebp+var_C8], ebx
		mov	[ebp+var_C0], ebx
		mov	[ebp+var_B8], ebx
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_84], eax
		mov	[ebp+var_80], ebx
		mov	[ebp+var_78], ebx
		push	8
		pop	ecx
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_AC], ecx
		push	4
		pop	esi
		mov	[ebp+var_9C], esi
		mov	[ebp+var_8C], esi
		mov	[ebp+var_7C], esi
		test	edi, edi
		jz	short loc_9D941E
		mov	eax, [edi+4]
		cdq
		jmp	short loc_9D9422
; 

loc_9D941E:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+252j
		mov	eax, ebx
		mov	edx, ebx

loc_9D9422:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+258j
		mov	[ebp+var_140], eax
		lea	eax, [ebp+var_140]
		mov	[ebp+var_13C], edx
		mov	[ebp+var_74], eax
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], ebx
		test	edi, edi
		jz	short loc_9D9449
		mov	eax, [edi+8]
		jmp	short loc_9D944B
; 

loc_9D9449:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+27Ej
		mov	eax, ebx

loc_9D944B:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+283j
		mov	[ebp+var_5C], esi
		lea	ecx, [ebp+var_108]
		mov	[ebp+var_108], eax
		mov	[ebp+var_64], ecx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_58], ebx
		push	0Bh
		pop	esi
		test	edi, edi
		jz	short loc_9D9496
		test	eax, eax
		jz	short loc_9D9496
		lea	edx, [ebp+var_11C]
		mov	ecx, edi
		call	_SepGetSidValuesDump@8 ; SepGetSidValuesDump(x,x)
		mov	ecx, [ebp+var_11C]
		xor	edx, edx
		mov	ebx, eax
		mov	[ebp+var_50], edx
		push	0Ch
		mov	[ebp+var_54], ebx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		pop	esi
		jmp	short loc_9D9498
; 

loc_9D9496:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+2A4j
					; SepLogTokenSidManagement(x,x,x,x,x)+2A8j
		xor	edx, edx

loc_9D9498:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+2D0j
		mov	ecx, [ebp+var_134]
		test	ecx, ecx
		jz	short loc_9D94A8
		mov	eax, [ecx+4]
		cdq
		jmp	short loc_9D94AA
; 

loc_9D94A8:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+2DCj
		mov	eax, edx

loc_9D94AA:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+2E2j
		mov	[ebp+var_148], eax
		mov	eax, esi
		add	eax, eax
		mov	[ebp+var_144], edx
		lea	edx, [ebp+var_148]
		mov	[ebp+eax*8+var_104], edx
		xor	edx, edx
		mov	[ebp+eax*8+var_100], edx
		mov	[ebp+eax*8+var_FC], 8
		mov	[ebp+eax*8+var_F8], edx
		test	ecx, ecx
		jz	short loc_9D94ED
		cmp	edi, ecx
		jz	short loc_9D94ED
		mov	edx, [ecx+8]

loc_9D94ED:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+320j
					; SepLogTokenSidManagement(x,x,x,x,x)+324j
		lea	edi, [ebp+var_138]
		mov	[ebp+eax*8+var_EC], 4
		mov	[ebp+eax*8+var_F4], edi
		xor	edi, edi
		mov	[ebp+eax*8+var_F0], edi
		mov	[ebp+eax*8+var_E8], edi
		lea	edi, [esi+2]
		xor	eax, eax
		mov	[ebp+var_138], edx
		mov	esi, eax
		mov	eax, edi
		test	ecx, ecx
		jz	short loc_9D9564
		test	edx, edx
		jz	short loc_9D9564
		lea	edx, [ebp+var_120]
		call	_SepGetSidValuesDump@8 ; SepGetSidValuesDump(x,x)
		mov	ecx, [ebp+var_120]
		mov	edx, edi
		add	edx, edx
		mov	esi, eax
		xor	eax, eax
		mov	[ebp+edx*8+var_100], eax
		mov	[ebp+edx*8+var_F8], eax
		lea	eax, [edi+1]
		mov	[ebp+edx*8+var_104], esi
		mov	[ebp+edx*8+var_FC], ecx

loc_9D9564:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+362j
					; SepLogTokenSidManagement(x,x,x,x,x)+366j
		lea	ecx, [ebp+var_104]
		xor	edi, edi
		push	ecx
		push	eax
		push	edi
		push	offset _TokenSidManagementLog
		push	dword_6BC12C
		push	_EtwKernelProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		test	ebx, ebx
		jz	short loc_9D9590
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D9590:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+3C3j
		test	esi, esi
		jz	short loc_9D959B
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D959B:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+3CEj
		pop	esi
		pop	ebx

loc_9D959D:				; CODE XREF: SepLogTokenSidManagement(x,x,x,x,x)+46j
					; SepLogTokenSidManagement(x,x,x,x,x)+52j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_SepLogTokenSidManagement@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SeCreateAccessStateFromSubjectContext(void *,int,int)
_SeCreateAccessStateFromSubjectContext@20 proc near
					; CODE XREF: CmpDoBuildVirtualStack(x,x,x,x,x)+11Fp
					; CmKeyBodyRemapToVirtualForEnum(x,x,x,x)+252p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_9D95C2
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_9D95C2:				; CODE XREF: SeCreateAccessStateFromSubjectContext(x,x,x,x,x)+Fj
		mov	ecx, [esi+8]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		push	[ebp+arg_8]	; int
		mov	edx, edi	; void *
		mov	ecx, esi	; int
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; void *
		call	_SepCreateAccessStateFromSubjectContext@20 ; SepCreateAccessStateFromSubjectContext(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9D95F5
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_9D95ED
		call	ObfDereferenceObject

loc_9D95ED:				; CODE XREF: SeCreateAccessStateFromSubjectContext(x,x,x,x,x)+3Aj
		mov	ecx, [esi+8]
		call	ObfDereferenceObject

loc_9D95F5:				; CODE XREF: SeCreateAccessStateFromSubjectContext(x,x,x,x,x)+34j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_SeCreateAccessStateFromSubjectContext@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepConcatenatePrivileges(x,	x, x)
_SepConcatenatePrivileges@12 proc near	; CODE XREF: SeAppendPrivileges+1311A9p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		test	edi, edi
		jnz	short loc_9D960E
		xor	edx, edx
		jmp	short loc_9D961F
; 

loc_9D960E:				; CODE XREF: SepConcatenatePrivileges(x,x,x)+Bj
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_9D961C
		imul	edx, eax, 0Ch
		add	edx, 8
		jmp	short loc_9D961F
; 

loc_9D961C:				; CODE XREF: SepConcatenatePrivileges(x,x,x)+15j
		push	8
		pop	edx

loc_9D961F:				; CODE XREF: SepConcatenatePrivileges(x,x,x)+Fj
					; SepConcatenatePrivileges(x,x,x)+1Dj
		mov	esi, [ebp+arg_0]
		imul	eax, [esi], 0Ch
		push	eax		; size_t
		lea	eax, [esi+8]
		push	eax		; void *
		lea	eax, [edx+edi]
		push	eax		; void *
		call	_memmove
		mov	eax, [esi]
		add	esp, 0Ch
		add	[edi], eax
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_SepConcatenatePrivileges@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SeAssignWorldSecurityDescriptor(void *)
_SeAssignWorldSecurityDescriptor@12 proc near ;	CODE XREF: IopGetSetSecurityObject+11C03Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jnz	short loc_9D965E
		mov	eax, 0C0000022h
		jmp	loc_9D96F9
; 

loc_9D965E:				; CODE XREF: SeAssignWorldSecurityDescriptor(x,x,x)+12j
		mov	eax, _SeWorldSid
		mov	[ebp+arg_0], eax
		movzx	eax, byte ptr [eax+1]
		lea	edx, ds:8[eax*4]
		mov	eax, [edi]
		lea	ecx, ds:14h[edx*2]
		mov	[ebp+var_4], edx
		mov	[edi], ecx
		cmp	eax, ecx
		jnb	short loc_9D968A
		mov	eax, 0C0000023h
		jmp	short loc_9D96F9
; 

loc_9D968A:				; CODE XREF: SeAssignWorldSecurityDescriptor(x,x,x)+41j
		mov	ecx, esi
		call	_RtlCreateSecurityDescriptorRelative@8 ; RtlCreateSecurityDescriptorRelative(x,x)
		test	eax, eax
		js	short loc_9D96F9
		mov	eax, [ebx]
		lea	edi, [esi+14h]
		test	al, 1
		jz	short loc_9D96B9
		push	edx		; size_t
		push	[ebp+arg_0]	; void *
		push	edi		; void *
		call	_memcpy
		mov	edx, [ebp+var_4]
		add	esp, 0Ch
		mov	dword ptr [esi+4], 14h
		add	edi, edx
		mov	eax, [ebx]

loc_9D96B9:				; CODE XREF: SeAssignWorldSecurityDescriptor(x,x,x)+5Cj
		test	al, 2
		jz	short loc_9D96D1
		push	edx		; size_t
		push	[ebp+arg_0]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		sub	edi, esi
		mov	[esi+8], edi
		mov	eax, [ebx]

loc_9D96D1:				; CODE XREF: SeAssignWorldSecurityDescriptor(x,x,x)+7Bj
		test	al, 4
		jz	short loc_9D96DC
		or	word ptr [esi+2], 4
		mov	eax, [ebx]

loc_9D96DC:				; CODE XREF: SeAssignWorldSecurityDescriptor(x,x,x)+93j
		movzx	ecx, word ptr [esi+2]
		test	al, 8
		jz	short loc_9D96EC
		or	ecx, 10h
		movzx	eax, cx
		jmp	short loc_9D96EE
; 

loc_9D96EC:				; CODE XREF: SeAssignWorldSecurityDescriptor(x,x,x)+A2j
		mov	eax, ecx

loc_9D96EE:				; CODE XREF: SeAssignWorldSecurityDescriptor(x,x,x)+AAj
		or	eax, 8000h
		mov	[esi+2], ax
		xor	eax, eax

loc_9D96F9:				; CODE XREF: SeAssignWorldSecurityDescriptor(x,x,x)+19j
					; SeAssignWorldSecurityDescriptor(x,x,x)+48j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SeAssignWorldSecurityDescriptor@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAdtRegistryValueChangedAuditAlarm(x, x, x, x, x, x, x, x)
_SeAdtRegistryValueChangedAuditAlarm@32	proc near
					; CODE XREF: CmSetValueKey(x,x,x,x,x,x,x)+9B7p
					; CmDeleteValueKey+1819C0p

var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_338		= dword	ptr -338h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_324		= dword	ptr -324h
var_320		= dword	ptr -320h
var_31C		= dword	ptr -31Ch
var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2EC		= dword	ptr -2ECh
var_2E8		= dword	ptr -2E8h
var_2E0		= word ptr -2E0h
var_2DE		= word ptr -2DEh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1D8		= dword	ptr -1D8h
var_58		= dword	ptr -58h
var_3C		= dword	ptr -3Ch
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_344], eax
		mov	ebx, edx
		mov	eax, [ebp+arg_10]
		push	298h		; size_t
		mov	[ebp+var_32C], eax
		lea	eax, [ebp+var_2F0]
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		lea	edi, [ebp+var_340]
		stosd
		xor	ecx, ecx
		add	esp, 0Ch
		mov	[ebp+var_2F8], ecx
		mov	[ebp+var_31C], ecx
		mov	[ebp+var_318], ecx
		stosd
		mov	[ebp+var_324], ecx
		mov	[ebp+var_320], ecx
		mov	[ebp+var_304], ecx
		stosd
		mov	[ebp+var_300], ecx
		mov	[ebp+var_30C], ecx
		mov	[ebp+var_308], ecx
		stosd
		lea	eax, [ebp+var_340]
		push	eax
		mov	eax, large fs:124h
		mov	[ebp+var_314], ecx
		mov	[ebp+var_310], ecx
		mov	[ebp+var_2FC], ecx
		mov	[ebp+var_34C], ecx
		mov	[ebp+var_348], ecx
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		mov	[ebp+var_330], ecx
		mov	byte ptr [ebp+var_2F4+1], cl
		mov	byte ptr [ebp+var_2F4],	cl
		mov	byte ptr [ebp+var_2F4+2], cl
		call	SeCaptureSubjectContextEx
		mov	esi, [ebp+var_340]
		mov	edx, esi
		mov	edi, [ebp+var_338]
		test	esi, esi
		jnz	short loc_9D97EF
		mov	edx, edi

loc_9D97EF:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+EBj
		push	76h
		pop	eax
		mov	ecx, eax
		call	SeAuditingWithTokenForSubcategory
		mov	byte ptr [ebp+var_2F4+3], al
		test	al, al
		jz	loc_9D99CE
		mov	[ebp+var_328], esi
		test	esi, esi
		jnz	short loc_9D9817
		mov	[ebp+var_328], edi

loc_9D9817:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+10Fj
		movzx	eax, word ptr [ebx+2]
		mov	edi, eax
		test	al, 10h
		jnz	short loc_9D9827
		xor	edx, edx
		xor	ecx, ecx
		jmp	short loc_9D9848
; 

loc_9D9827:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+11Fj
		mov	ecx, [ebx+0Ch]
		mov	edx, ecx
		test	di, di
		jns	short loc_9D9848
		neg	edx
		lea	eax, [ebx+ecx]
		sbb	edx, edx
		and	edx, eax
		test	di, di
		jns	short loc_9D9848
		lea	eax, [ebx+ecx]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_9D9848:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+125j
					; SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+12Fj ...
		lea	eax, [ebp+var_2F4+2]
		push	eax
		lea	eax, [ebp-2F1h]
		push	eax
		push	1
		push	2
		push	[ebp+var_328]
		push	edx
		push	ecx
		call	_SeExamineSacl@28 ; SeExamineSacl(x,x,x,x,x,x,x)
		push	offset ??_C@_17KACEIPNC@?$AAK?$AAe?$AAy@NNGAKEGL@ ; "K"
		lea	eax, [ebp+var_34C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, esi
		test	esi, esi
		jnz	short loc_9D9884
		mov	ecx, [ebp+var_338]

loc_9D9884:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+17Cj
		movzx	eax, word ptr [ebx+2]
		mov	edx, eax
		test	al, 10h
		jnz	short loc_9D9892
		xor	edx, edx
		jmp	short loc_9D98A3
; 

loc_9D9892:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+18Cj
		test	dx, dx
		mov	edx, [ebx+0Ch]
		jns	short loc_9D98A3
		lea	eax, [ebx+edx]
		neg	edx
		sbb	edx, edx
		and	edx, eax

loc_9D98A3:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+190j
					; SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+198j
		lea	eax, [ebp+var_2F4+2]
		push	eax
		lea	eax, [ebp+var_2F4+3]
		push	eax
		push	1
		push	2
		push	ecx
		lea	ecx, [ebp+var_34C]
		call	_SeExamineGlobalSacl@28	; SeExamineGlobalSacl(x,x,x,x,x,x,x)
		cmp	byte ptr [ebp+var_2F4+3], 0
		jz	loc_9D99CE
		mov	eax, [ebp+var_344]
		test	eax, eax
		jz	short loc_9D9902
		lea	edx, [ebp+var_2F8]
		mov	ecx, eax
		call	SepQueryNameString
		test	eax, eax
		js	loc_9D9970
		cmp	[ebp+var_2F8], 0
		jz	short loc_9D9902
		mov	eax, [ebp+var_2F8]
		mov	[ebp+var_330], eax

loc_9D9902:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+1D6j
					; SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+1F4j
		mov	edi, [ebp+arg_14]
		mov	ebx, offset ??_C@_13IMODFHAA@?$AA?9@NNGAKEGL@
		mov	eax, 1000h
		test	edi, edi
		jz	loc_9D99EB
		mov	ebx, [ebp+var_32C]
		mov	edx, [ebx+4]
		cmp	edx, eax
		jb	short loc_9D9926
		mov	edx, eax

loc_9D9926:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+222j
		mov	ecx, [ebx]
		lea	eax, [ebp+var_2F4+1]
		push	eax		; int
		lea	eax, [ebp+var_31C]
		push	eax		; int
		push	dword ptr [ebx+8] ; void *
		call	_AdtpBuildRegistryValueString@20 ; AdtpBuildRegistryValueString(x,x,x,x,x)
		test	eax, eax
		js	short loc_9D9970
		mov	ecx, [ebx]
		lea	edx, [ebp+var_304]
		push	1Ah
		pop	eax
		mov	word ptr [ebp+var_304+2], ax
		add	ecx, 750h
		lea	eax, [ebp+var_20]
		mov	[ebp+var_300], eax
		call	_AdtpBuildReplacementString@8 ;	AdtpBuildReplacementString(x,x)
		test	eax, eax
		jns	loc_9D9A0B

loc_9D9970:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+1E7j
					; SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+240j ...
		push	eax
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_9D9976:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+5EFj
		cmp	byte ptr [ebp+var_2F4+1], 0
		jz	short loc_9D998C
		push	0
		push	[ebp+var_318]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D998C:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+27Dj
		cmp	byte ptr [ebp+var_2F4],	0
		jz	short loc_9D99A2
		push	0
		push	[ebp+var_320]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D99A2:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+293j
		cmp	[ebp+var_2FC], 0
		jz	short loc_9D99B8
		push	0
		push	[ebp+var_2FC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D99B8:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+2A9j
		cmp	[ebp+var_2F8], 0
		jz	short loc_9D99CE
		push	0
		push	[ebp+var_2F8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D99CE:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+101j
					; SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+1C8j ...
		lea	eax, [ebp+var_340]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_9D99EB:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+211j
		push	ebx
		lea	eax, [ebp+var_31C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [ebp+var_304]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ebx, [ebp+var_32C]

loc_9D9A0B:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+26Aj
		cmp	edi, 2
		jz	short loc_9D9A70
		mov	edx, [ebx+10h]
		mov	eax, 1000h
		cmp	edx, eax
		jb	short loc_9D9A1E
		mov	edx, eax

loc_9D9A1E:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+31Aj
		mov	ecx, [ebx+0Ch]
		lea	eax, [ebp+var_2F4]
		push	eax		; int
		lea	eax, [ebp+var_324]
		push	eax		; int
		push	dword ptr [ebx+14h] ; void *
		call	_AdtpBuildRegistryValueString@20 ; AdtpBuildRegistryValueString(x,x,x,x,x)
		test	eax, eax
		js	loc_9D9970
		mov	ecx, [ebx+0Ch]
		lea	edx, [ebp+var_30C]
		push	1Ah
		pop	eax
		mov	word ptr [ebp+var_30C+2], ax
		add	ecx, 750h
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_308], eax
		call	_AdtpBuildReplacementString@8 ;	AdtpBuildReplacementString(x,x)
		test	eax, eax
		js	loc_9D9970
		jmp	short loc_9D9A8F
; 

loc_9D9A70:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+30Ej
		mov	ebx, offset ??_C@_13IMODFHAA@?$AA?9@NNGAKEGL@
		lea	eax, [ebp+var_324]
		push	ebx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [ebp+var_30C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_9D9A8F:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+36Ej
		push	1Ah
		pop	eax
		mov	word ptr [ebp+var_314+2], ax
		lea	ecx, [edi+770h]
		lea	eax, [ebp+var_58]
		lea	edx, [ebp+var_314]
		mov	[ebp+var_310], eax
		call	_AdtpBuildReplacementString@8 ;	AdtpBuildReplacementString(x,x)
		test	eax, eax
		js	loc_9D9970
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		lea	edx, [ebp+var_2FC]
		mov	ecx, eax
		mov	edi, [eax+0E4h]
		call	PsGetAllocatedFullProcessImageNameEx
		test	eax, eax
		js	loc_9D9970
		mov	ecx, [ebp+var_338]
		mov	[ebp+var_2F0], 3
		mov	[ebp+var_2EC], 1231h
		push	76h
		pop	eax
		mov	[ebp+var_2E0], ax
		mov	eax, esi
		push	8
		pop	ebx
		mov	[ebp+var_2DE], bx
		push	4
		pop	edx
		mov	[ebp+var_2D8], edx
		test	esi, esi
		jnz	short loc_9D9B1A
		mov	eax, ecx

loc_9D9B1A:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+416j
		mov	eax, [eax+94h]
		mov	eax, [eax]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_2D4], eax
		mov	eax, esi
		test	esi, esi
		jnz	short loc_9D9B3B
		mov	eax, ecx

loc_9D9B3B:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+437j
		mov	eax, [eax+94h]
		mov	[ebp+var_2C4], 1
		mov	[ebp+var_2C0], 18h
		mov	[ebp+var_2B4], offset _SeSubsystemName
		mov	eax, [eax]
		mov	[ebp+var_2C8], eax
		mov	[ebp+var_2B0], 5
		mov	[ebp+var_2AC], ebx
		test	esi, esi
		jnz	short loc_9D9B7D
		mov	esi, ecx

loc_9D9B7D:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+479j
		mov	eax, [esi+18h]
		mov	ecx, [ebp+var_330]
		mov	[ebp+var_2A8], eax
		mov	eax, [esi+1Ch]
		xor	esi, esi
		inc	esi
		mov	[ebp+var_2A4], eax
		test	ecx, ecx
		jz	short loc_9D9BB3
		movzx	eax, word ptr [ecx]
		add	eax, ebx
		mov	[ebp+var_29C], esi
		mov	[ebp+var_298], eax
		mov	[ebp+var_28C], ecx

loc_9D9BB3:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+49Aj
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_270], edx
		xor	dl, dl
		mov	[ebp+var_278], ecx
		mov	[ebp+var_288], esi
		movzx	eax, word ptr [ecx]
		mov	ecx, [ebp+arg_C]
		add	eax, ebx
		mov	[ebp+var_284], eax
		mov	[ebp+var_274], 0Bh
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jz	short loc_9D9BF1
		xor	ecx, 80000000h

loc_9D9BF1:				; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+4E9j
		movzx	eax, word ptr [ebp+var_314]
		and	ecx, 0FFFFFFFCh
		add	eax, ebx
		mov	[ebp+var_26C], ecx
		mov	[ebp+var_25C], eax
		lea	eax, [ebp+var_314]
		mov	[ebp+var_250], eax
		movzx	eax, word ptr [ebp+var_304]
		add	eax, ebx
		mov	ecx, [ebp+var_2FC]
		mov	[ebp+var_248], eax
		lea	eax, [ebp+var_304]
		mov	[ebp+var_23C], eax
		movzx	eax, word ptr [ebp+var_31C]
		add	eax, ebx
		mov	[ebp+var_1D8], ecx
		mov	[ebp+var_234], eax
		lea	eax, [ebp+var_31C]
		mov	[ebp+var_228], eax
		movzx	eax, word ptr [ebp+var_30C]
		add	eax, ebx
		mov	[ebp+var_260], esi
		mov	[ebp+var_220], eax
		lea	eax, [ebp+var_30C]
		mov	[ebp+var_214], eax
		movzx	eax, word ptr [ebp+var_324]
		add	eax, ebx
		mov	[ebp+var_24C], esi
		mov	[ebp+var_20C], eax
		lea	eax, [ebp+var_324]
		mov	[ebp+var_200], eax
		movzx	eax, word ptr [ecx]
		lea	ecx, [ebp+var_2F0]
		add	eax, ebx
		mov	[ebp+var_238], esi
		mov	[ebp+var_224], esi
		mov	[ebp+var_210], esi
		mov	[ebp+var_1FC], 0Bh
		mov	[ebp+var_1F8], 4
		mov	[ebp+var_1F4], edi
		mov	[ebp+var_1E8], 2
		mov	[ebp+var_1E4], eax
		mov	[ebp+var_2E8], 0Dh
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		jmp	loc_9D9976
_SeAdtRegistryValueChangedAuditAlarm@32	endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2428. SeAuditFipsCryptoSelftests

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditFipsCryptoSelftests(x, x)
		public _SeAuditFipsCryptoSelftests@8
_SeAuditFipsCryptoSelftests@8 proc near

var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2B4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[esp+2C0h+var_2AC], 80000000h
		push	298h		; size_t
		lea	eax, [esp+2C4h+var_2A0]
		mov	[esp+2C4h+var_2B0], ebx
		push	ebx		; int
		push	eax		; void *
		mov	[esp+2CCh+var_2A8], ebx
		mov	[esp+2CCh+var_2A4], ebx
		call	_memset
		add	esp, 0Ch
		mov	[esp+2C0h+var_2B4], ebx
		xor	esi, esi
		inc	esi
		mov	[esp+2C0h+var_2A0], esi
		push	66h
		pop	eax
		mov	[esp+2C0h+var_290], ax
		lea	eax, [esp+2C0h+var_2B0]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	eax, [esp+2C0h+var_2B0]
		test	eax, eax
		jnz	short loc_9D9D7D
		mov	eax, [esp+2C0h+var_2A8]

loc_9D9D7D:				; CODE XREF: SeAuditFipsCryptoSelftests(x,x)+7Ej
		mov	eax, [eax+94h]
		mov	[esp+2C0h+var_288], 4
		mov	[esp+2C0h+var_274], esi
		mov	[esp+2C0h+var_270], 18h
		mov	ecx, [eax]
		mov	[esp+2C0h+var_278], ecx
		mov	[esp+2C0h+var_264], offset _SeSubsystemName
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		mov	[esp+2C0h+var_284], eax
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		lea	edx, [esp+2C0h+var_2B4]
		mov	ecx, eax
		mov	edi, [eax+0E4h]
		call	PsGetAllocatedFullProcessImageNameEx
		mov	esi, eax
		test	esi, esi
		js	loc_9D9E5F
		mov	edx, [esp+2C0h+var_2B4]
		push	4
		pop	eax
		push	8
		movzx	ecx, word ptr [edx]
		mov	[esp+2C4h+var_258], edi
		pop	edi
		add	ecx, edi
		mov	[esp+2C0h+var_260], 0Bh
		mov	[esp+2C0h+var_25C], eax
		mov	[esp+2C0h+var_24C], 2
		mov	[esp+2C0h+var_248], ecx
		mov	[esp+2C0h+var_23C], edx
		mov	[esp+2C0h+var_298], eax
		cmp	[ebp+arg_0], bl
		jz	short loc_9D9E1E
		mov	[esp+2C0h+var_29C], 1911h
		mov	[esp+2C0h+var_28E], di
		jmp	short loc_9D9E56
; 

loc_9D9E1E:				; CODE XREF: SeAuditFipsCryptoSelftests(x,x)+114j
		push	10h
		pop	eax
		mov	[esp+2C0h+var_28E], ax
		mov	eax, [ebp+arg_4]
		mov	[esp+2C0h+var_29C], 1912h
		mov	[esp+2C0h+var_238], 0Ah
		mov	[esp+2C0h+var_234], 4
		mov	[esp+2C0h+var_230], eax
		mov	[esp+2C0h+var_298], 5

loc_9D9E56:				; CODE XREF: SeAuditFipsCryptoSelftests(x,x)+123j
		lea	ecx, [esp+2C0h+var_2A0]
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)

loc_9D9E5F:				; CODE XREF: SeAuditFipsCryptoSelftests(x,x)+D5j
		lea	eax, [esp+2C0h+var_2B0]
		push	eax
		call	SeReleaseSubjectContext
		cmp	[esp+2C0h+var_2B4], ebx
		jz	short loc_9D9E79
		push	ebx
		push	[esp+2C4h+var_2B4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9D9E79:				; CODE XREF: SeAuditFipsCryptoSelftests(x,x)+174j
		test	esi, esi
		jns	short loc_9D9E83
		push	esi
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_9D9E83:				; CODE XREF: SeAuditFipsCryptoSelftests(x,x)+182j
		mov	ecx, [esp+2C0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_SeAuditFipsCryptoSelftests@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditHandleDuplication(x,	x, x, x)
_SeAuditHandleDuplication@16 proc near	; CODE XREF: ObCompleteObjectDuplication+1446E6p
					; ObDuplicateObject+1445BCp ...

var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2A8		= dword	ptr -2A8h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2B4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+2C0h+var_2B4], ecx
		lea	edi, [esp+2C0h+var_2B0]
		mov	ebx, edx
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+2C0h+var_2B0]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	edi, [esp+2C0h+var_2B0]
		mov	eax, edi
		test	edi, edi
		jnz	short loc_9D9EF4
		mov	eax, [esp+2C0h+var_2A8]

loc_9D9EF4:				; CODE XREF: SeAuditHandleDuplication(x,x,x,x)+54j
		mov	eax, [eax+94h]
		push	298h		; size_t
		push	0		; int
		mov	esi, [eax]
		lea	eax, [esp+2C8h+var_2A0]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+2C0h+var_2A0], 3
		mov	[esp+2C0h+var_29C], 1252h
		mov	[esp+2C0h+var_278], esi
		mov	[esp+2C0h+var_274], 1
		mov	[esp+2C0h+var_270], 18h
		mov	[esp+2C0h+var_264], offset _SeSubsystemName
		mov	[esp+2C0h+var_260], 5
		push	7Ch
		pop	eax
		mov	[esp+2C0h+var_290], ax
		movzx	eax, byte ptr [esi+1]
		push	8
		pop	ecx
		mov	[esp+2C0h+var_28E], cx
		mov	[esp+2C0h+var_25C], ecx
		lea	eax, ds:8[eax*4]
		mov	[esp+2C0h+var_284], eax
		push	4
		pop	edx
		mov	[esp+2C0h+var_288], edx
		test	edi, edi
		jnz	short loc_9D9F76
		mov	edi, [esp+2C0h+var_2A8]

loc_9D9F76:				; CODE XREF: SeAuditHandleDuplication(x,x,x,x)+D6j
		mov	eax, [edi+18h]
		mov	ecx, [esp+2C0h+var_2B4]
		mov	[esp+2C0h+var_258], eax
		mov	eax, [edi+1Ch]
		push	0Bh
		pop	edi
		mov	[esp+2C0h+var_248], edx
		xor	dl, dl
		mov	[esp+2C0h+var_254], eax
		mov	[esp+2C0h+var_24C], edi
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jz	short loc_9D9FA4
		xor	ecx, 80000000h

loc_9D9FA4:				; CODE XREF: SeAuditHandleDuplication(x,x,x,x)+102j
		mov	eax, [ebp+arg_0]
		and	ecx, 0FFFFFFFCh
		push	4
		pop	esi
		mov	[esp+2C0h+var_244], ecx
		xor	dl, dl
		mov	eax, [eax+0E4h]
		mov	ecx, ebx
		mov	[esp+2C0h+var_238], edi
		mov	[esp+2C0h+var_234], esi
		mov	[esp+2C0h+var_230], eax
		mov	[esp+2C0h+var_224], edi
		mov	[esp+2C0h+var_220], esi
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jz	short loc_9D9FED
		xor	ebx, 80000000h

loc_9D9FED:				; CODE XREF: SeAuditHandleDuplication(x,x,x,x)+14Bj
		mov	eax, [ebp+arg_4]
		lea	ecx, [esp+2C0h+var_2A0]
		and	ebx, 0FFFFFFFCh
		mov	[esp+2C0h+var_210], edi
		mov	[esp+2C0h+var_21C], ebx
		mov	[esp+2C0h+var_20C], esi
		mov	eax, [eax+0E4h]
		mov	[esp+2C0h+var_208], eax
		mov	[esp+2C0h+var_298], 7
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		lea	eax, [esp+2C0h+var_2B0]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [esp+2C0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_SeAuditHandleDuplication@16 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 2429. SeAuditHardLinkCreation

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditHardLinkCreation(x, x, x)
		public _SeAuditHardLinkCreation@12
_SeAuditHardLinkCreation@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_SeAuditHardLinkCreationWithTransaction@16 ; SeAuditHardLinkCreationWithTransaction(x,x,x,x)
		pop	ebp
		retn	0Ch
_SeAuditHardLinkCreation@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2430. SeAuditHardLinkCreationWithTransaction

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditHardLinkCreationWithTransaction(x, x, x, x)
		public _SeAuditHardLinkCreationWithTransaction@16
_SeAuditHardLinkCreationWithTransaction@16 proc	near
					; CODE XREF: SeAuditHardLinkCreation(x,x,x)+10p

var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A0		= word ptr -2A0h
var_29E		= word ptr -29Eh
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_224		= dword	ptr -224h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2C4h+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	[esp+2CCh+var_2BC], 80000000h
		push	edi
		push	298h		; size_t
		push	eax		; int
		mov	[esp+2D8h+var_2C0], eax
		mov	[esp+2D8h+var_2B8], eax
		mov	[esp+2D8h+var_2B4], eax
		lea	eax, [esp+2D8h+var_2B0]
		push	eax		; void *
		call	_memset
		mov	esi, [ebp+arg_C]
		lea	edi, [esp+2DCh+var_14]
		xor	eax, eax
		add	esp, 0Ch
		stosd
		stosd
		stosd
		stosd
		test	esi, esi
		jnz	short loc_9DA0CD
		lea	esi, [esp+2D0h+var_14]

loc_9DA0CD:				; CODE XREF: SeAuditHardLinkCreationWithTransaction(x,x,x,x)+5Aj
		cmp	[ebp+arg_8], 0
		push	75h
		pop	eax
		push	10h
		pop	ebx
		push	8
		pop	edi
		mov	[esp+2D0h+var_2B0], 3
		mov	[esp+2D0h+var_2A0], ax
		mov	[esp+2D0h+var_2AC], 1238h
		mov	[esp+2D0h+var_29E], di
		jnz	short loc_9DA0FB
		mov	[esp+2D0h+var_29E], bx

loc_9DA0FB:				; CODE XREF: SeAuditHardLinkCreationWithTransaction(x,x,x,x)+8Aj
		lea	eax, [esp+2D0h+var_2C0]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	ecx, [esp+2D0h+var_2C0]
		mov	eax, ecx
		test	ecx, ecx
		jnz	short loc_9DA126
		mov	eax, [esp+2D0h+var_2B8]

loc_9DA126:				; CODE XREF: SeAuditHardLinkCreationWithTransaction(x,x,x,x)+B6j
		mov	eax, [eax+94h]
		mov	edx, [eax]
		test	ecx, ecx
		jnz	short loc_9DA136
		mov	ecx, [esp+2D0h+var_2B8]

loc_9DA136:				; CODE XREF: SeAuditHardLinkCreationWithTransaction(x,x,x,x)+C6j
		movzx	eax, byte ptr [edx+1]
		push	2
		mov	[esp+2D4h+var_288], edx
		pop	edx
		lea	eax, ds:8[eax*4]
		mov	[esp+2D0h+var_298], 4
		mov	[esp+2D0h+var_294], eax
		mov	eax, [ecx+18h]
		mov	[esp+2D0h+var_268], eax
		mov	eax, [ecx+1Ch]
		mov	ecx, [ebp+arg_0]
		mov	[esp+2D0h+var_264], eax
		mov	[esp+2D0h+var_24C], ecx
		mov	[esp+2D0h+var_284], 1
		movzx	eax, word ptr [ecx]
		mov	ecx, [ebp+arg_4]
		add	eax, edi
		mov	[esp+2D0h+var_258], eax
		mov	[esp+2D0h+var_238], ecx
		mov	[esp+2D0h+var_280], 18h
		movzx	eax, word ptr [ecx]
		lea	ecx, [esp+2D0h+var_2B0]
		add	eax, edi
		mov	[esp+2D0h+var_274], offset _SeSubsystemName
		mov	[esp+2D0h+var_270], 5
		mov	[esp+2D0h+var_26C], edi
		mov	[esp+2D0h+var_25C], edx
		mov	[esp+2D0h+var_248], edx
		mov	[esp+2D0h+var_244], eax
		mov	[esp+2D0h+var_234], 0Dh
		mov	[esp+2D0h+var_230], ebx
		mov	[esp+2D0h+var_224], esi
		mov	[esp+2D0h+var_2A8], 6
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		lea	eax, [esp+2D0h+var_2C0]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [esp+2D0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_SeAuditHardLinkCreationWithTransaction@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditPlugAndPlay(x, x, x,	x, x, x, x, x, x)
_SeAuditPlugAndPlay@36 proc near	; CODE XREF: PiAuditDeviceOperation(x,x,x)+4FEp

var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2AD		= dword	ptr -2ADh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_298		= word ptr -298h
var_296		= word ptr -296h
var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= byte ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2C8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_2C4], ecx
		push	edi
		push	29Ch		; size_t
		push	eax		; int
		mov	[ebp+var_2C0], eax
		mov	ebx, edx
		mov	[ebp+var_2B8], eax
		mov	[ebp+var_2B4], eax
		lea	eax, [ebp+var_2AD+1]
		push	eax		; void *
		mov	[ebp+var_2BC], 80000000h
		call	_memset
		mov	eax, [ebp+arg_14]
		add	esp, 0Ch
		mov	byte ptr [ebp+var_2AD],	0
		sub	eax, 0
		jz	short loc_9DA2B5
		sub	eax, 1
		jz	short loc_9DA2AC
		sub	eax, 1
		jz	short loc_9DA2A5
		sub	eax, 1
		jz	short loc_9DA29E
		sub	eax, 1
		jz	short loc_9DA297
		sub	eax, 1
		jz	short loc_9DA290
		sub	eax, 1
		jnz	loc_9DA5CC
		mov	eax, 1918h
		jmp	short loc_9DA2B1
; 

loc_9DA290:				; CODE XREF: SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)+79j
		mov	eax, 1917h
		jmp	short loc_9DA2B1
; 

loc_9DA297:				; CODE XREF: SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)+74j
		mov	eax, 1916h
		jmp	short loc_9DA2B1
; 

loc_9DA29E:				; CODE XREF: SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)+6Fj
		mov	eax, 1915h
		jmp	short loc_9DA2B1
; 

loc_9DA2A5:				; CODE XREF: SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)+6Aj
		mov	eax, 1914h
		jmp	short loc_9DA2B1
; 

loc_9DA2AC:				; CODE XREF: SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)+65j
		mov	eax, 1913h

loc_9DA2B1:				; CODE XREF: SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)+89j
					; SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)+90j ...
		xor	ecx, ecx
		jmp	short loc_9DA2BD
; 

loc_9DA2B5:				; CODE XREF: SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)+60j
		xor	ecx, ecx
		mov	eax, 1910h
		inc	ecx

loc_9DA2BD:				; CODE XREF: SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)+AEj
		push	10h
		mov	[ebp+var_2A8], eax
		mov	edx, 8Ah
		mov	[ebp+var_2A4], ecx
		xor	eax, eax
		cmp	[ebp+arg_18], 0
		pop	ecx
		push	8
		mov	[ebp+var_2A0], eax
		pop	eax
		mov	[ebp+var_2AD+1], 5
		mov	[ebp+var_298], dx
		mov	[ebp+var_296], ax
		jnz	short loc_9DA301
		mov	[ebp+var_296], cx

loc_9DA301:				; CODE XREF: SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)+F3j
		lea	eax, [ebp+var_2C0]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	esi, [ebp+var_2C0]
		mov	eax, esi
		test	esi, esi
		jnz	short loc_9DA332
		mov	eax, [ebp+var_2B8]

loc_9DA332:				; CODE XREF: SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)+125j
		mov	eax, [eax+94h]
		mov	edi, [eax]
		test	esi, esi
		jnz	short loc_9DA344
		mov	esi, [ebp+var_2B8]

loc_9DA344:				; CODE XREF: SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)+137j
		imul	eax, [ebp+var_2A0], arg_C
		mov	edx, [esi+18h]
		mov	esi, [esi+1Ch]
		push	8
		mov	[ebp+eax+var_290], 4
		movzx	eax, byte ptr [edi+1]
		lea	ecx, ds:8[eax*4]
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_28C], ecx
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_280], edi
		mov	eax, [ebp+var_2A0]
		inc	eax
		mov	[ebp+var_2A0], eax
		imul	eax, 14h
		pop	edi
		mov	[ebp+eax+var_290], 1
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_28C], 18h
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_280], offset _SeSubsystemName
		mov	eax, [ebp+var_2A0]
		inc	eax
		mov	[ebp+var_2A0], eax
		imul	eax, 14h
		mov	[ebp+eax+var_290], 5
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_28C], edi
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_288], edx
		mov	[ebp+eax+var_284], esi
		xor	esi, esi
		mov	eax, [ebp+var_2A0]
		inc	esi
		mov	edx, [ebp+var_2C4]
		inc	eax
		mov	[ebp+var_2A0], eax
		imul	eax, 14h
		movzx	ecx, word ptr [edx]
		add	ecx, edi
		mov	[ebp+eax+var_290], esi
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_28C], ecx
		imul	eax, [ebp+var_2A0], arg_C
		movzx	ecx, word ptr [ebx]
		add	ecx, edi
		mov	[ebp+eax+var_280], edx
		mov	eax, [ebp+var_2A0]
		inc	eax
		mov	edx, [ebp+arg_10]
		mov	[ebp+var_2A0], eax
		imul	eax, 14h
		mov	[ebp+eax+var_290], esi
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_28C], ecx
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_280], ebx
		mov	eax, [ebp+var_2A0]
		inc	eax
		mov	[ebp+var_2A0], eax
		imul	eax, 14h
		mov	[ebp+eax+var_290], 0Dh
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_28C], 10h
		imul	ecx, [ebp+var_2A0], arg_C
		mov	eax, [ebp+arg_C]
		mov	[ebp+ecx+var_280], eax
		mov	eax, [ebp+var_2A0]
		movzx	ecx, word ptr [edx]
		inc	eax
		mov	[ebp+var_2A0], eax
		add	ecx, edi
		imul	eax, 14h
		mov	[ebp+eax+var_290], esi
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_28C], ecx
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_280], edx
		mov	eax, [ebp+var_2A0]
		inc	eax
		mov	[ebp+var_2A0], eax
		mov	edx, [ebp+arg_0]
		imul	eax, 14h
		push	22h
		pop	esi
		movzx	ecx, word ptr [edx]
		add	ecx, edi
		mov	[ebp+eax+var_290], esi
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_28C], ecx
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_280], edx
		mov	eax, [ebp+var_2A0]
		mov	edx, [ebp+arg_4]
		inc	eax
		mov	[ebp+var_2A0], eax
		imul	eax, 14h
		movzx	ecx, word ptr [edx]
		add	ecx, edi
		mov	[ebp+eax+var_290], esi
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_28C], ecx
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_280], edx
		mov	eax, [ebp+var_2A0]
		mov	edx, [ebp+arg_8]
		inc	eax
		mov	[ebp+var_2A0], eax
		imul	eax, 14h
		movzx	ecx, word ptr [edx]
		add	ecx, edi
		mov	[ebp+eax+var_290], esi
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_28C], ecx
		lea	ecx, [ebp+var_2AD+1]
		imul	eax, [ebp+var_2A0], arg_C
		mov	[ebp+eax+var_280], edx
		lea	edx, [ebp+var_2AD]
		inc	[ebp+var_2A0]
		call	_AdtpWriteToEtwEx@8 ; AdtpWriteToEtwEx(x,x)
		lea	eax, [ebp+var_2C0]
		push	eax
		call	SeReleaseSubjectContext

loc_9DA5CC:				; CODE XREF: SeAuditPlugAndPlay(x,x,x,x,x,x,x,x,x)+7Ej
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
_SeAuditPlugAndPlay@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditProcessExit(x, x)
_SeAuditProcessExit@8 proc near		; CODE XREF: PspExitThread+1686B6p

var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_214		= dword	ptr -214h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2A4h+var_4], eax
		and	[esp+2A4h+var_2A4], 0
		lea	eax, [esp+2A4h+var_2A0]
		push	ebx
		push	esi
		push	edi
		push	298h		; size_t
		push	0		; int
		push	eax		; void *
		mov	ebx, edx
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		lea	edx, [esp+2B0h+var_2A4]
		mov	ecx, edi
		call	PsGetAllocatedFullProcessImageNameEx
		test	eax, eax
		js	loc_9DA710
		push	edi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		mov	[esp+2B0h+var_29C], 1251h
		push	5
		pop	edx
		push	8
		mov	ecx, [esi+94h]
		mov	eax, 87h
		mov	[esp+2B4h+var_290], ax
		pop	eax
		mov	[esp+2B0h+var_28E], ax
		mov	ecx, [ecx]
		push	8
		mov	[esp+2B4h+var_2A0], edx
		mov	[esp+2B4h+var_260], edx
		movzx	eax, byte ptr [ecx+1]
		pop	edx
		mov	[esp+2B0h+var_278], ecx
		mov	ecx, [esp+2B0h+var_2A4]
		lea	eax, ds:8[eax*4]
		mov	[esp+2B0h+var_214], ecx
		mov	[esp+2B0h+var_284], eax
		mov	eax, [esi+18h]
		mov	[esp+2B0h+var_258], eax
		mov	eax, [esi+1Ch]
		mov	[esp+2B0h+var_254], eax
		push	4
		pop	eax
		mov	[esp+2B0h+var_248], eax
		mov	[esp+2B0h+var_234], eax
		mov	eax, [edi+0E4h]
		mov	[esp+2B0h+var_230], eax
		movzx	eax, word ptr [ecx]
		lea	ecx, [esp+2B0h+var_2A0]
		add	eax, edx
		mov	[esp+2B0h+var_288], 4
		mov	[esp+2B0h+var_274], 1
		mov	[esp+2B0h+var_270], 18h
		mov	[esp+2B0h+var_264], offset _SeSubsystemName
		mov	[esp+2B0h+var_25C], edx
		mov	[esp+2B0h+var_24C], 0Ah
		mov	[esp+2B0h+var_244], ebx
		mov	[esp+2B0h+var_238], 0Bh
		mov	[esp+2B0h+var_224], 2
		mov	[esp+2B0h+var_220], eax
		mov	[esp+2B0h+var_298], 6
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_9DA716
; 

loc_9DA710:				; CODE XREF: SeAuditProcessExit(x,x)+48j
		push	eax
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_9DA716:				; CODE XREF: SeAuditProcessExit(x,x)+131j
		cmp	[esp+2B0h+var_2A4], 0
		jz	short loc_9DA728
		push	0
		push	[esp+2B4h+var_2A4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DA728:				; CODE XREF: SeAuditProcessExit(x,x)+13Ej
		mov	ecx, [esp+2B0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_SeAuditProcessExit@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditSystemTimeChange(x, x, x, x)
_SeAuditSystemTimeChange@16 proc near	; CODE XREF: NtSetSystemTime(x,x)+163p

var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2A8		= dword	ptr -2A8h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_200		= dword	ptr -200h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2BCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2BCh+var_4], eax
		push	ebx
		and	[esp+2C0h+var_2B8], 0
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [esp+2C8h+var_2B0]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+2C8h+var_2B0]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	esi, [esp+2C8h+var_2B0]
		mov	eax, esi
		mov	edi, [esp+2C8h+var_2A8]
		test	esi, esi
		jnz	short loc_9DA798
		mov	eax, edi

loc_9DA798:				; CODE XREF: SeAuditSystemTimeChange(x,x,x,x)+57j
		mov	eax, [eax+94h]
		mov	ebx, [eax]
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		push	298h		; size_t
		mov	[esp+2CCh+var_2B4], eax
		lea	eax, [esp+2CCh+var_2A0]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [esp+2D4h+var_2B4]
		lea	edx, [esp+2D4h+var_2B8]
		add	esp, 0Ch
		call	PsGetAllocatedFullProcessImageNameEx
		test	eax, eax
		js	loc_9DA8EA
		push	64h
		pop	eax
		mov	[esp+2C8h+var_290], ax
		xor	ecx, ecx
		movzx	eax, byte ptr [ebx+1]
		inc	ecx
		mov	[esp+2C8h+var_2A0], ecx
		mov	[esp+2C8h+var_29C], 1208h
		mov	[esp+2C8h+var_288], 4
		mov	[esp+2C8h+var_278], ebx
		lea	eax, ds:8[eax*4]
		mov	[esp+2C8h+var_284], eax
		mov	[esp+2C8h+var_274], ecx
		mov	[esp+2C8h+var_270], 18h
		mov	[esp+2C8h+var_264], offset _SeSubsystemName
		mov	[esp+2C8h+var_260], 5
		push	8
		pop	edx
		mov	[esp+2C8h+var_28E], dx
		mov	[esp+2C8h+var_25C], edx
		test	esi, esi
		jz	short loc_9DA83C
		mov	eax, [esi+18h]
		mov	[esp+2C8h+var_258], eax
		mov	eax, [esi+1Ch]
		jmp	short loc_9DA846
; 

loc_9DA83C:				; CODE XREF: SeAuditSystemTimeChange(x,x,x,x)+F1j
		mov	eax, [edi+18h]
		mov	[esp+2C8h+var_258], eax
		mov	eax, [edi+1Ch]

loc_9DA846:				; CODE XREF: SeAuditSystemTimeChange(x,x,x,x)+FDj
		mov	[esp+2C8h+var_254], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+2C8h+var_244], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+2C8h+var_240], eax
		mov	eax, [ebp+arg_8]
		mov	[esp+2C8h+var_230], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+2C8h+var_22C], eax
		mov	eax, [esp+2C8h+var_2B4]
		push	0Ch
		pop	ecx
		mov	[esp+2C8h+var_24C], ecx
		mov	eax, [eax+0E4h]
		mov	[esp+2C8h+var_238], ecx
		mov	ecx, [esp+2C8h+var_2B8]
		mov	[esp+2C8h+var_21C], eax
		mov	[esp+2C8h+var_200], ecx
		mov	[esp+2C8h+var_248], edx
		movzx	eax, word ptr [ecx]
		lea	ecx, [esp+2C8h+var_2A0]
		add	eax, edx
		mov	[esp+2C8h+var_234], edx
		mov	[esp+2C8h+var_224], 0Bh
		mov	[esp+2C8h+var_220], 4
		mov	[esp+2C8h+var_210], 2
		mov	[esp+2C8h+var_20C], eax
		mov	[esp+2C8h+var_298], 7
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		jmp	short loc_9DA8F0
; 

loc_9DA8EA:				; CODE XREF: SeAuditSystemTimeChange(x,x,x,x)+8Fj
		push	eax
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_9DA8F0:				; CODE XREF: SeAuditSystemTimeChange(x,x,x,x)+1ABj
		cmp	[esp+2C8h+var_2B8], 0
		jz	short loc_9DA902
		push	0
		push	[esp+2CCh+var_2B8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DA902:				; CODE XREF: SeAuditSystemTimeChange(x,x,x,x)+1B8j
		lea	eax, [esp+2C8h+var_2B0]
		push	eax
		call	SeReleaseSubjectContext
		mov	ecx, [esp+2C8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_SeAuditSystemTimeChange@16 endp

; 
		align 8
; Exported entry 2431. SeAuditTransactionStateChange

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeAuditTransactionStateChange(x, x,	x)
		public _SeAuditTransactionStateChange@12
_SeAuditTransactionStateChange@12 proc near

var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A0		= word ptr -2A0h
var_29E		= word ptr -29Eh
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_1FC		= dword	ptr -1FCh
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2DCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2DCh+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[esp+2E8h+var_2C8], 80000000h
		push	298h		; size_t
		lea	eax, [esp+2ECh+var_2B0]
		mov	[esp+2ECh+var_2CC], ebx
		push	ebx		; int
		push	eax		; void *
		mov	[esp+2F4h+var_2C4], ebx
		mov	[esp+2F4h+var_2C0], ebx
		call	_memset
		xor	eax, eax
		mov	[esp+2F4h+var_2D8], ebx
		lea	edi, [esp+2F4h+var_14]
		mov	[esp+2F4h+var_2D4], ebx
		stosd
		add	esp, 0Ch
		mov	[esp+2E8h+var_2D0], ebx
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_9DA997
		lea	edi, [esp+2E8h+var_14]

loc_9DA997:				; CODE XREF: SeAuditTransactionStateChange(x,x,x)+66j
		mov	ebx, [ebp+arg_8]
		mov	[esp+2E8h+var_2B0], 3
		mov	[esp+2E8h+var_2AC], 1379h
		push	75h
		pop	eax
		mov	[esp+2E8h+var_2A0], ax
		push	10h
		pop	ecx
		push	8
		pop	eax
		mov	[esp+2E8h+var_29E], ax
		cmp	ebx, 6
		jnz	short loc_9DA9C7
		mov	[esp+2E8h+var_29E], cx

loc_9DA9C7:				; CODE XREF: SeAuditTransactionStateChange(x,x,x)+98j
		lea	eax, [esp+2E8h+var_2CC]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	ecx, [esp+2E8h+var_2CC]
		mov	eax, ecx
		test	ecx, ecx
		jnz	short loc_9DA9F2
		mov	eax, [esp+2E8h+var_2C4]

loc_9DA9F2:				; CODE XREF: SeAuditTransactionStateChange(x,x,x)+C4j
		mov	eax, [eax+94h]
		mov	eax, [eax]
		mov	[esp+2E8h+var_2BC], eax
		test	ecx, ecx
		jnz	short loc_9DAA06
		mov	ecx, [esp+2E8h+var_2C4]

loc_9DAA06:				; CODE XREF: SeAuditTransactionStateChange(x,x,x)+D8j
		mov	eax, [ecx+18h]
		mov	[esp+2E8h+var_2B8], eax
		mov	eax, [ecx+1Ch]
		mov	[esp+2E8h+var_2B4], eax
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		lea	edx, [esp+2E8h+var_2D8]
		mov	ecx, eax
		call	PsGetAllocatedFullProcessImageNameEx
		test	eax, eax
		js	short loc_9DAA30
		mov	esi, [esp+2E8h+var_2D8]
		test	esi, esi
		jnz	short loc_9DAA47

loc_9DAA30:				; CODE XREF: SeAuditTransactionStateChange(x,x,x)+FEj
		push	offset ??_C@_13HGPDMIBE@?$AA?$DP@NNGAKEGL@
		lea	eax, [esp+2ECh+var_2D4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	esi, [esp+2E8h+var_2D4]
		mov	[esp+2E8h+var_2D8], esi

loc_9DAA47:				; CODE XREF: SeAuditTransactionStateChange(x,x,x)+106j
		mov	ecx, [esp+2E8h+var_2BC]
		push	4
		pop	edx
		push	0Dh
		movzx	eax, byte ptr [ecx+1]
		mov	[esp+2ECh+var_288], ecx
		pop	ecx
		mov	[esp+2E8h+var_298], edx
		lea	eax, ds:8[eax*4]
		mov	[esp+2E8h+var_284], 1
		mov	[esp+2E8h+var_294], eax
		mov	eax, [esp+2E8h+var_2B8]
		mov	[esp+2E8h+var_268], eax
		mov	eax, [esp+2E8h+var_2B4]
		mov	[esp+2E8h+var_264], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+2E8h+var_280], 18h
		mov	[esp+2E8h+var_274], offset _SeSubsystemName
		mov	[esp+2E8h+var_270], 5
		mov	[esp+2E8h+var_26C], 8
		mov	[esp+2E8h+var_25C], ecx
		mov	[esp+2E8h+var_258], 10h
		mov	[esp+2E8h+var_24C], eax
		mov	[esp+2E8h+var_248], 3
		mov	[esp+2E8h+var_244], edx
		mov	[esp+2E8h+var_240], ebx
		mov	[esp+2E8h+var_234], ecx
		mov	[esp+2E8h+var_230], 10h
		mov	[esp+2E8h+var_224], edi
		mov	[esp+2E8h+var_220], 0Bh
		mov	[esp+2E8h+var_21C], edx
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		push	8
		pop	ecx
		mov	[esp+2E8h+var_2A8], ecx
		mov	eax, [eax+0E4h]
		mov	[esp+2E8h+var_218], eax
		movzx	eax, word ptr [esi]
		add	eax, ecx
		mov	[esp+2E8h+var_20C], 2
		lea	ecx, [esp+2E8h+var_2B0]
		mov	[esp+2E8h+var_208], eax
		mov	[esp+2E8h+var_1FC], esi
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		lea	eax, [esp+2E8h+var_2CC]
		push	eax
		call	SeReleaseSubjectContext
		mov	eax, [esp+2E8h+var_2D8]
		test	eax, eax
		jz	short loc_9DAB68
		lea	ecx, [esp+2E8h+var_2D4]
		cmp	eax, ecx
		jz	short loc_9DAB68
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DAB68:				; CODE XREF: SeAuditTransactionStateChange(x,x,x)+22Ej
					; SeAuditTransactionStateChange(x,x,x)+236j
		mov	ecx, [esp+2E8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_SeAuditTransactionStateChange@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeOperationAuditAlarm(x, x,	x, x, x, x, x)
_SeOperationAuditAlarm@28 proc near	; CODE XREF: ObpAuditObjectAccess(x,x,x,x,x)+BDp

var_2D4		= dword	ptr -2D4h
var_2CC		= dword	ptr -2CCh
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A5		= dword	ptr -2A5h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_294		= word ptr -294h
var_292		= word ptr -292h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2D8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_2AC], eax
		lea	edi, [ebp+var_2D4]
		xor	eax, eax
		mov	[ebp+var_2B8], ecx
		stosd
		mov	ebx, edx
		mov	edx, ecx
		mov	[ebp+var_2BC], ebx
		mov	ecx, ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		push	eax
		push	1
		mov	[ebp+var_2B0], eax
		mov	[ebp+var_2B4], eax
		mov	[ebp+var_2C4], eax
		mov	byte ptr [ebp+var_2A5],	al
		call	_SepAdtClassifyObjectIntoSubCategory@16	; SepAdtClassifyObjectIntoSubCategory(x,x,x,x)
		movzx	ebx, ax
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		lea	edx, [ebp+var_2B0]
		mov	ecx, [eax+0E4h]
		mov	[ebp+var_2C0], ecx
		mov	ecx, eax
		call	PsGetAllocatedFullProcessImageNameEx
		mov	edi, eax
		test	edi, edi
		js	loc_9DAEDC
		push	298h		; size_t
		lea	eax, [ebp+var_2A5+1]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_2A5+1], 3
		mov	[ebp+var_294], bx
		mov	[ebp+var_2A0], 1237h
		push	8
		pop	eax
		mov	[ebp+var_292], ax
		lea	eax, [ebp+var_2D4]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	edx, [ebp+var_2D4]
		mov	eax, edx
		mov	esi, [ebp+var_2CC]
		test	edx, edx
		jnz	short loc_9DAC7C
		mov	eax, esi

loc_9DAC7C:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+F9j
		mov	eax, [eax+94h]
		mov	[ebp+var_28C], 4
		mov	[ebp+var_274], 18h
		mov	[ebp+var_268], offset _SeSubsystemName
		mov	ecx, [eax]
		mov	[ebp+var_27C], ecx
		mov	[ebp+var_264], 5
		push	8
		movzx	eax, byte ptr [ecx+1]
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_278], ecx
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_288], eax
		test	edx, edx
		jz	short loc_9DACE7
		mov	eax, [edx+18h]
		pop	esi
		mov	[ebp+var_25C], eax
		mov	eax, [edx+1Ch]
		mov	[ebp+var_260], esi
		jmp	short loc_9DACFE
; 

loc_9DACE7:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+151j
		mov	eax, [esi+18h]
		mov	[ebp+var_25C], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_260], 8
		pop	esi

loc_9DACFE:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+166j
		mov	edx, [ebp+var_2B8]
		mov	[ebp+var_258], eax
		mov	[ebp+var_250], ecx
		mov	[ebp+var_23C], ecx
		movzx	eax, word ptr [edx]
		mov	ecx, [ebp+var_2BC]
		add	eax, esi
		mov	[ebp+var_22C], edx
		lea	edx, [ebp+var_2B4]
		mov	[ebp+var_24C], 18h
		mov	[ebp+var_240], offset _SeSubsystemName
		mov	[ebp+var_238], eax
		call	SepQueryNameString
		mov	ecx, [ebp+var_2B4]
		push	75h
		pop	eax
		test	ecx, ecx
		jz	short loc_9DAD8B
		cmp	bx, ax
		jz	short loc_9DAD70
		add	eax, 0Ch
		mov	[ebp+var_228], 1
		cmp	bx, ax
		jnz	short loc_9DAD7A

loc_9DAD70:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+1DDj
		mov	[ebp+var_228], 2

loc_9DAD7A:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+1EFj
		movzx	eax, word ptr [ecx]
		add	eax, esi
		mov	[ebp+var_218], ecx
		mov	[ebp+var_224], eax

loc_9DAD8B:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+1D8j
		mov	ecx, [ebp+arg_0]
		xor	dl, dl
		mov	[ebp+var_214], 0Bh
		mov	[ebp+var_210], 4
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jz	short loc_9DADB3
		xor	ecx, 80000000h

loc_9DADB3:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+22Cj
		mov	eax, [ebp+arg_8]
		and	ecx, 0FFFFFFFCh
		push	4
		mov	[ebp+var_20C], ecx
		pop	ecx
		mov	[ebp+var_1F8], eax
		mov	[ebp+var_1E4], eax
		mov	eax, [ebp+var_2C0]
		mov	[ebp+var_1FC], ecx
		mov	[ebp+var_1F4], ecx
		mov	[ebp+var_1E8], ecx
		mov	[ebp+var_1D4], ecx
		mov	ecx, [ebp+var_2B0]
		mov	[ebp+var_1D0], eax
		push	0Ch
		mov	[ebp+var_200], 7
		movzx	eax, word ptr [ecx]
		add	eax, esi
		mov	[ebp+var_1EC], 0Ah
		mov	[ebp+var_1C0], eax
		mov	eax, ebx
		mov	[ebp+var_1D8], 0Bh
		mov	[ebp+var_1C4], 2
		mov	[ebp+var_1B4], ecx
		pop	ebx
		sub	eax, 75h
		jz	short loc_9DAE47
		sub	eax, ebx
		jz	short loc_9DAE47
		mov	esi, [ebp+var_2AC]
		jmp	short loc_9DAEA6
; 

loc_9DAE47:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+2BAj
					; SeOperationAuditAlarm(x,x,x,x,x,x,x)+2BEj
		mov	esi, [ebp+var_2AC]
		test	esi, esi
		jz	short loc_9DAEA6
		lea	eax, [ebp+var_2A5]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_2C4]
		push	eax
		lea	edx, [ebp+var_2AC]
		call	_SepCheckAndCopySelfRelativeSD@16 ; SepCheckAndCopySelfRelativeSD(x,x,x,x)
		mov	esi, [ebp+var_2AC]
		mov	edi, eax
		test	edi, edi
		js	short loc_9DAEC3
		mov	ecx, esi
		mov	[ebp+var_1B0], 1Fh
		call	_SepSecurityDescriptorStrictLength@4 ; SepSecurityDescriptorStrictLength(x)
		and	[ebp+var_1A4], 0
		mov	[ebp+var_1AC], eax
		mov	[ebp+var_1A0], esi
		mov	[ebp+var_1A8], 20h

loc_9DAEA6:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+2C6j
					; SeOperationAuditAlarm(x,x,x,x,x,x,x)+2D0j
		lea	ecx, [ebp+var_2A5+1]
		mov	[ebp+var_29C], ebx
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		lea	eax, [ebp+var_2D4]
		push	eax
		call	SeReleaseSubjectContext

loc_9DAEC3:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+2F7j
		cmp	byte ptr [ebp+var_2A5],	0
		jz	short loc_9DAED8
		test	esi, esi
		jz	short loc_9DAED8
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DAED8:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+34Bj
					; SeOperationAuditAlarm(x,x,x,x,x,x,x)+34Fj
		test	edi, edi
		jns	short loc_9DAEE2

loc_9DAEDC:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+89j
		push	edi
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_9DAEE2:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+35Bj
		cmp	[ebp+var_2B0], 0
		jz	short loc_9DAEF8
		push	0
		push	[ebp+var_2B0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DAEF8:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+36Aj
		cmp	[ebp+var_2B4], 0
		jz	short loc_9DAF0E
		push	0
		push	[ebp+var_2B4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DAF0E:				; CODE XREF: SeOperationAuditAlarm(x,x,x,x,x,x,x)+380j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_SeOperationAuditAlarm@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtCloseObjectAuditAlarm(x, x, x, x, x)
_SepAdtCloseObjectAuditAlarm@20	proc near ; CODE XREF: NtCloseObjectAuditAlarm+1271D3p
					; SeCloseObjectAuditAlarm(x,x,x)+4Bp ...

var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_200		= dword	ptr -200h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2ACh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2ACh+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [esp+2B8h+var_2A8]
		push	eax
		push	[ebp+arg_8]
		mov	esi, edx
		mov	ebx, ecx
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		push	edi
		push	edx
		mov	[esp+2C8h+var_2AC], edx
		mov	[esp+2C8h+var_2A8], edx
		mov	edx, ebx
		push	1
		call	SepAdtAuditObjectAccessWithContext
		test	al, al
		jz	loc_9DB108
		push	edi
		push	0
		push	7Ch
		mov	dl, 1
		pop	ecx
		call	SepAdtAuditThisEventWithContext
		test	al, al
		jz	loc_9DB108
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		lea	edx, [esp+2B8h+var_2AC]
		mov	ecx, [eax+0E4h]
		mov	[esp+2B8h+var_2A4], ecx
		mov	ecx, eax
		call	PsGetAllocatedFullProcessImageNameEx
		test	eax, eax
		js	loc_9DB0F0
		push	298h		; size_t
		lea	eax, [esp+2BCh+var_2A0]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ax, word ptr [esp+2C4h+var_2A8]
		add	esp, 0Ch
		mov	[esp+2B8h+var_290], ax
		mov	[esp+2B8h+var_2A0], 3
		mov	[esp+2B8h+var_29C], 1232h
		push	8
		pop	eax
		mov	[esp+2B8h+var_28E], ax
		test	ebx, ebx
		jnz	short loc_9DAFE3
		mov	ebx, offset _SeSubsystemName

loc_9DAFE3:				; CODE XREF: SepAdtCloseObjectAuditAlarm(x,x,x,x,x)+BDj
		mov	ecx, [edi]
		mov	eax, ecx
		mov	[esp+2B8h+var_288], 4
		test	ecx, ecx
		jnz	short loc_9DAFF6
		mov	eax, [edi+8]

loc_9DAFF6:				; CODE XREF: SepAdtCloseObjectAuditAlarm(x,x,x,x,x)+D2j
		mov	eax, [eax+94h]
		mov	eax, [eax]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:8[eax*4]
		mov	[esp+2B8h+var_284], eax
		mov	eax, ecx
		test	ecx, ecx
		jnz	short loc_9DB016
		mov	eax, [edi+8]

loc_9DB016:				; CODE XREF: SepAdtCloseObjectAuditAlarm(x,x,x,x,x)+F2j
		mov	eax, [eax+94h]
		movzx	edx, word ptr [ebx]
		add	edx, 8
		mov	[esp+2B8h+var_274], 1
		mov	[esp+2B8h+var_270], edx
		mov	eax, [eax]
		mov	[esp+2B8h+var_278], eax
		mov	[esp+2B8h+var_264], ebx
		mov	[esp+2B8h+var_260], 5
		mov	[esp+2B8h+var_25C], 8
		test	ecx, ecx
		jnz	short loc_9DB04F
		mov	ecx, [edi+8]

loc_9DB04F:				; CODE XREF: SepAdtCloseObjectAuditAlarm(x,x,x,x,x)+12Bj
		mov	eax, [ecx+18h]
		push	0Bh
		mov	[esp+2BCh+var_23C], ebx
		pop	ebx
		push	4
		mov	[esp+2BCh+var_258], eax
		mov	eax, [ecx+1Ch]
		mov	ecx, esi
		pop	edi
		mov	[esp+2B8h+var_248], edx
		xor	dl, dl
		mov	[esp+2B8h+var_254], eax
		mov	[esp+2B8h+var_24C], 1
		mov	[esp+2B8h+var_238], ebx
		mov	[esp+2B8h+var_234], edi
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jz	short loc_9DB097
		xor	esi, 80000000h

loc_9DB097:				; CODE XREF: SepAdtCloseObjectAuditAlarm(x,x,x,x,x)+170j
		mov	ecx, [esp+2B8h+var_2AC]
		and	esi, 0FFFFFFFCh
		mov	eax, [esp+2B8h+var_2A4]
		mov	[esp+2B8h+var_21C], eax
		mov	[esp+2B8h+var_200], ecx
		movzx	eax, word ptr [ecx]
		lea	ecx, [esp+2B8h+var_2A0]
		add	eax, 8
		mov	[esp+2B8h+var_230], esi
		mov	[esp+2B8h+var_224], ebx
		mov	[esp+2B8h+var_220], edi
		mov	[esp+2B8h+var_210], 2
		mov	[esp+2B8h+var_20C], eax
		mov	[esp+2B8h+var_298], 7
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		jmp	short loc_9DB0F6
; 

loc_9DB0F0:				; CODE XREF: SepAdtCloseObjectAuditAlarm(x,x,x,x,x)+7Fj
		push	eax
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_9DB0F6:				; CODE XREF: SepAdtCloseObjectAuditAlarm(x,x,x,x,x)+1CFj
		cmp	[esp+2B8h+var_2AC], 0
		jz	short loc_9DB108
		push	0
		push	[esp+2BCh+var_2AC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DB108:				; CODE XREF: SepAdtCloseObjectAuditAlarm(x,x,x,x,x)+48j
					; SepAdtCloseObjectAuditAlarm(x,x,x,x,x)+5Dj ...
		mov	ecx, [esp+2B8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_SepAdtCloseObjectAuditAlarm@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtDeleteObjectAuditAlarm(x, x, x, x, x,	x)
_SepAdtDeleteObjectAuditAlarm@24 proc near ; CODE XREF:	NtDeleteObjectAuditAlarm(x,x,x)+C3p
					; SeDeleteObjectAuditAlarmWithTransaction(x,x,x)+48p

var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A0		= word ptr -2A0h
var_29E		= word ptr -29Eh
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_1FC		= dword	ptr -1FCh
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2BCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2BCh+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+2C8h+var_14]
		stosd
		mov	esi, edx
		xor	edx, edx
		mov	ebx, ecx
		mov	ecx, [ebp+arg_4]
		mov	[esp+2C8h+var_2B8], edx
		stosd
		mov	[esp+2C8h+var_2B4], edx
		stosd
		stosd
		lea	eax, [esp+2C8h+var_2B4]
		push	eax
		push	[ebp+arg_C]
		push	edx
		push	edx
		push	1
		mov	edx, ebx
		call	SepAdtAuditObjectAccessWithContext
		test	al, al
		jz	loc_9DB32F
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		lea	edx, [esp+2C8h+var_2B8]
		mov	ecx, eax
		call	PsGetAllocatedFullProcessImageNameEx
		test	eax, eax
		js	loc_9DB317
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jnz	short loc_9DB19D
		lea	edi, [esp+2C8h+var_14]

loc_9DB19D:				; CODE XREF: SepAdtDeleteObjectAuditAlarm(x,x,x,x,x,x)+75j
		push	298h		; size_t
		lea	eax, [esp+2CCh+var_2B0]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ax, word ptr [esp+2D4h+var_2B4]
		add	esp, 0Ch
		mov	[esp+2C8h+var_2A0], ax
		mov	[esp+2C8h+var_2B0], 3
		mov	[esp+2C8h+var_2AC], 1234h
		push	8
		pop	eax
		mov	[esp+2C8h+var_29E], ax
		test	ebx, ebx
		jnz	short loc_9DB1DC
		mov	ebx, offset _SeSubsystemName

loc_9DB1DC:				; CODE XREF: SepAdtDeleteObjectAuditAlarm(x,x,x,x,x,x)+B6j
		mov	edx, [ebp+arg_0]
		mov	[esp+2C8h+var_298], 4
		mov	ecx, [edx]
		mov	eax, ecx
		test	ecx, ecx
		jnz	short loc_9DB1F2
		mov	eax, [edx+8]

loc_9DB1F2:				; CODE XREF: SepAdtDeleteObjectAuditAlarm(x,x,x,x,x,x)+CEj
		mov	eax, [eax+94h]
		mov	eax, [eax]
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:8[eax*4]
		mov	[esp+2C8h+var_294], eax
		mov	eax, ecx
		test	ecx, ecx
		jnz	short loc_9DB212
		mov	eax, [edx+8]

loc_9DB212:				; CODE XREF: SepAdtDeleteObjectAuditAlarm(x,x,x,x,x,x)+EEj
		mov	eax, [eax+94h]
		mov	[esp+2C8h+var_284], 1
		mov	[esp+2C8h+var_274], ebx
		mov	[esp+2C8h+var_270], 5
		mov	eax, [eax]
		mov	[esp+2C8h+var_288], eax
		movzx	eax, word ptr [ebx]
		add	eax, 8
		mov	[esp+2C8h+var_26C], 8
		mov	[esp+2C8h+var_280], eax
		test	ecx, ecx
		jnz	short loc_9DB24B
		mov	ecx, [edx+8]

loc_9DB24B:				; CODE XREF: SepAdtDeleteObjectAuditAlarm(x,x,x,x,x,x)+127j
		mov	eax, [ecx+18h]
		xor	dl, dl
		mov	[esp+2C8h+var_268], eax
		mov	eax, [ecx+1Ch]
		mov	ecx, esi
		push	4
		mov	[esp+2CCh+var_264], eax
		mov	eax, [esp+2CCh+var_280]
		mov	[esp+2CCh+var_24C], ebx
		pop	ebx
		mov	[esp+2C8h+var_25C], 1
		mov	[esp+2C8h+var_258], eax
		mov	[esp+2C8h+var_248], 0Bh
		mov	[esp+2C8h+var_244], ebx
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jz	short loc_9DB298
		xor	esi, 80000000h

loc_9DB298:				; CODE XREF: SepAdtDeleteObjectAuditAlarm(x,x,x,x,x,x)+171j
		and	esi, 0FFFFFFFCh
		mov	[esp+2C8h+var_234], 0Bh
		mov	[esp+2C8h+var_240], esi
		mov	[esp+2C8h+var_230], ebx
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		mov	ecx, [esp+2C8h+var_2B8]
		push	8
		pop	edx
		mov	eax, [eax+0E4h]
		mov	[esp+2C8h+var_22C], eax
		movzx	eax, word ptr [ecx]
		add	eax, edx
		mov	[esp+2C8h+var_210], ecx
		lea	ecx, [esp+2C8h+var_2B0]
		mov	[esp+2C8h+var_220], 2
		mov	[esp+2C8h+var_21C], eax
		mov	[esp+2C8h+var_20C], 0Dh
		mov	[esp+2C8h+var_208], 10h
		mov	[esp+2C8h+var_1FC], edi
		mov	[esp+2C8h+var_2A8], edx
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		jmp	short loc_9DB31D
; 

loc_9DB317:				; CODE XREF: SepAdtDeleteObjectAuditAlarm(x,x,x,x,x,x)+6Aj
		push	eax
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_9DB31D:				; CODE XREF: SepAdtDeleteObjectAuditAlarm(x,x,x,x,x,x)+1F6j
		cmp	[esp+2C8h+var_2B8], 0
		jz	short loc_9DB32F
		push	0
		push	[esp+2CCh+var_2B8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DB32F:				; CODE XREF: SepAdtDeleteObjectAuditAlarm(x,x,x,x,x,x)+52j
					; SepAdtDeleteObjectAuditAlarm(x,x,x,x,x,x)+203j
		mov	ecx, [esp+2C8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_SepAdtDeleteObjectAuditAlarm@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtGenerateDiscardAudit(x)
_SepAdtGenerateDiscardAudit@4 proc near	; CODE XREF: SepAdtDetermineInsertQueue+7F0BBp
					; DATA XREF: SepAdtDetermineInsertQueue+7F0E1o

var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2A0h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2A0h+var_4], eax
		push	esi
		mov	esi, _SeLocalSystemSid
		lea	eax, [esp+2A4h+var_2A0]
		push	edi
		mov	edi, [ebp+arg_0]
		push	298h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esp+2A8h+var_29C], 1204h
		xor	edx, edx
		mov	[esp+2A8h+var_278], esi
		inc	edx
		mov	[esp+2A8h+var_270], 18h
		mov	[esp+2A8h+var_2A0], edx
		push	66h
		pop	eax
		mov	[esp+2A8h+var_290], ax
		push	8
		pop	eax
		mov	[esp+2A8h+var_28E], ax
		movzx	eax, byte ptr [esi+1]
		push	4
		pop	ecx
		mov	[esp+2A8h+var_288], ecx
		lea	eax, ds:8[eax*4]
		mov	[esp+2A8h+var_25C], ecx
		mov	[esp+2A8h+var_284], eax
		lea	ecx, [esp+2A8h+var_2A0]
		mov	eax, [edi+10h]
		mov	[esp+2A8h+var_274], edx
		mov	[esp+2A8h+var_264], offset _SeSubsystemName
		mov	[esp+2A8h+var_260], 1Bh
		mov	[esp+2A8h+var_258], eax
		mov	[esp+2A8h+var_298], 3
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		cmp	byte ptr [edi+14h], 0
		jz	short loc_9DB400
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DB400:				; CODE XREF: SepAdtGenerateDiscardAudit(x)+B0j
		mov	ecx, [esp+2A8h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_SepAdtGenerateDiscardAudit@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtLogAuditFailureEvent(x, x)
_SepAdtLogAuditFailureEvent@8 proc near	; CODE XREF: SepAdtLogAuditRecord(x)+20Cp
					; SepAuditFailed(x)+3Cp

var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_278		= dword	ptr -278h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	298h		; size_t
		lea	eax, [ebp+var_2A0]
		mov	bl, dl
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		cmp	_SepAdtAuditFailureEventLogged,	0
		jz	short loc_9DB462
		test	bl, bl
		jnz	short loc_9DB462
		cmp	_SepAdtAuditFailureCount, 32h
		jb	loc_9DB5F0

loc_9DB462:				; CODE XREF: SepAdtLogAuditFailureEvent(x,x)+39j
					; SepAdtLogAuditFailureEvent(x,x)+3Dj
		mov	_SepAdtAuditFailureEventLogged,	1
		xor	edx, edx
		mov	eax, offset _SepAdtAuditFailureCount
		xchg	edx, [eax]
		mov	esi, _SeLocalSystemSid
		mov	[ebp+var_2A0], 1
		mov	[ebp+var_29C], 209h
		mov	[ebp+var_28C], 2
		push	66h
		pop	eax
		mov	[ebp+var_290], ax
		push	8
		pop	eax
		mov	[ebp+var_28E], ax
		test	bl, bl
		jz	short loc_9DB4BA
		mov	[ebp+var_28C], 12h
		jmp	short loc_9DB4C2
; 

loc_9DB4BA:				; CODE XREF: SepAdtLogAuditFailureEvent(x,x)+96j
		test	edx, edx
		jz	loc_9DB5F0

loc_9DB4C2:				; CODE XREF: SepAdtLogAuditFailureEvent(x,x)+A2j
		imul	eax, [ebp+var_298], 14h
		push	4
		pop	ebx
		push	3
		mov	[ebp+eax+var_288], ebx
		movzx	eax, byte ptr [esi+1]
		lea	ecx, ds:8[eax*4]
		imul	eax, [ebp+var_298], 14h
		mov	[ebp+eax+var_284], ecx
		xor	ecx, ecx
		imul	eax, [ebp+var_298], 14h
		inc	ecx
		mov	[ebp+eax+var_278], esi
		mov	eax, [ebp+var_298]
		inc	eax
		mov	[ebp+var_298], eax
		imul	eax, 14h
		pop	esi
		mov	[ebp+eax+var_288], ecx
		imul	eax, [ebp+var_298], 14h
		mov	[ebp+eax+var_284], 18h
		imul	eax, [ebp+var_298], 14h
		mov	[ebp+eax+var_278], offset _SeSubsystemName
		mov	eax, [ebp+var_298]
		inc	eax
		mov	[ebp+var_298], eax
		imul	eax, 14h
		mov	[ebp+eax+var_288], 0Ah
		imul	eax, [ebp+var_298], 14h
		mov	[ebp+eax+var_284], ebx
		imul	eax, [ebp+var_298], 14h
		mov	[ebp+eax+var_280], edi
		mov	eax, [ebp+var_298]
		inc	eax
		mov	[ebp+var_298], eax
		imul	eax, 14h
		mov	[ebp+eax+var_288], esi
		imul	eax, [ebp+var_298], 14h
		mov	[ebp+eax+var_284], ecx
		imul	eax, [ebp+var_298], 14h
		movzx	ecx, _SepCrashOnAuditFail
		mov	[ebp+eax+var_280], ecx
		lea	ecx, [ebp+var_2A0]
		mov	eax, [ebp+var_298]
		inc	eax
		mov	[ebp+var_298], eax
		imul	eax, 14h
		mov	[ebp+eax+var_288], esi
		imul	eax, [ebp+var_298], 14h
		mov	[ebp+eax+var_284], ebx
		imul	eax, [ebp+var_298], 14h
		mov	[ebp+eax+var_280], edx
		inc	[ebp+var_298]
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)

loc_9DB5F0:				; CODE XREF: SepAdtLogAuditFailureEvent(x,x)+46j
					; SepAdtLogAuditFailureEvent(x,x)+A6j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SepAdtLogAuditFailureEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtObjectReferenceAuditAlarm(x, x, x, x)
_SepAdtObjectReferenceAuditAlarm@16 proc near
					; CODE XREF: SeObjectReferenceAuditAlarm+14AA3Bp

var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2BCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_2A4], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax]
		xor	esi, esi
		mov	[ebp+var_2BC], eax
		mov	ebx, ecx
		mov	eax, [eax+8]
		mov	[ebp+var_2AC], ebx
		mov	[ebp+var_2A8], esi
		test	edi, edi
		jz	short loc_9DB649
		mov	ecx, [edi+94h]
		jmp	short loc_9DB64F
; 

loc_9DB649:				; CODE XREF: SepAdtObjectReferenceAuditAlarm(x,x,x,x)+3Ej
		mov	ecx, [eax+94h]

loc_9DB64F:				; CODE XREF: SepAdtObjectReferenceAuditAlarm(x,x,x,x)+46j
		mov	ecx, [ecx]
		mov	[ebp+var_2B0], ecx
		mov	ecx, [eax+18h]
		mov	eax, [eax+1Ch]
		push	298h		; size_t
		mov	[ebp+var_2B8], eax
		lea	eax, [ebp+var_2A0]
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_2B4], ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_2A0], 3
		cmp	[ebp+arg_4], 0
		mov	[ebp+var_29C], 1253h
		push	79h
		pop	eax
		push	8
		mov	[ebp+var_290], ax
		pop	eax
		jnz	short loc_9DB6A9
		push	10h
		pop	eax

loc_9DB6A9:				; CODE XREF: SepAdtObjectReferenceAuditAlarm(x,x,x,x)+A3j
		lea	edx, [ebp+var_2A4]
		mov	[ebp+var_28E], ax
		mov	ecx, ebx
		call	SepQueryNameString
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9DB81D
		mov	ecx, [ebp+var_2AC]
		lea	edx, [ebp+var_2A8]
		call	_SepQueryTypeString@8 ;	SepQueryTypeString(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9DB817
		mov	ecx, [ebp+var_2B0]
		mov	[ebp+var_278], ecx
		push	8
		pop	edx
		movzx	eax, byte ptr [ecx+1]
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_288], 4
		mov	[ebp+var_274], ecx
		mov	[ebp+var_270], 18h
		mov	[ebp+var_264], offset _SeSubsystemName
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_284], eax
		mov	[ebp+var_260], 5
		mov	[ebp+var_25C], edx
		test	edi, edi
		jz	short loc_9DB74B
		mov	eax, [edi+18h]
		mov	[ebp+var_258], eax
		mov	eax, [edi+1Ch]
		jmp	short loc_9DB75D
; 

loc_9DB74B:				; CODE XREF: SepAdtObjectReferenceAuditAlarm(x,x,x,x)+13Aj
		mov	eax, [ebp+var_2B4]
		mov	[ebp+var_258], eax
		mov	eax, [ebp+var_2B8]

loc_9DB75D:				; CODE XREF: SepAdtObjectReferenceAuditAlarm(x,x,x,x)+148j
		mov	esi, [ebp+var_2A8]
		mov	[ebp+var_254], eax
		test	esi, esi
		jz	short loc_9DB784
		movzx	eax, word ptr [esi]
		add	eax, edx
		mov	[ebp+var_24C], ecx
		mov	[ebp+var_248], eax
		mov	[ebp+var_23C], esi

loc_9DB784:				; CODE XREF: SepAdtObjectReferenceAuditAlarm(x,x,x,x)+16Aj
		mov	ecx, [ebp+var_2A4]
		test	ecx, ecx
		jz	short loc_9DB7A9
		movzx	eax, word ptr [ecx]
		add	eax, edx
		mov	[ebp+var_238], 1
		mov	[ebp+var_234], eax
		mov	[ebp+var_228], ecx

loc_9DB7A9:				; CODE XREF: SepAdtObjectReferenceAuditAlarm(x,x,x,x)+18Bj
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_21C], eax
		mov	[ebp+var_208], eax
		mov	eax, [ebp+var_2BC]
		push	4
		pop	ecx
		mov	[ebp+var_220], ecx
		mov	eax, [eax+0Ch]
		mov	[ebp+var_20C], ecx
		mov	[ebp+var_1F8], ecx
		lea	ecx, [ebp+var_2A0]
		mov	[ebp+var_224], 7
		mov	[ebp+var_218], 3
		mov	[ebp+var_210], 0Ah
		mov	[ebp+var_1FC], 0Bh
		mov	[ebp+var_1F4], eax
		mov	[ebp+var_298], edx
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		jmp	short loc_9DB81D
; 

loc_9DB817:				; CODE XREF: SepAdtObjectReferenceAuditAlarm(x,x,x,x)+DBj
		mov	esi, [ebp+var_2A8]

loc_9DB81D:				; CODE XREF: SepAdtObjectReferenceAuditAlarm(x,x,x,x)+C0j
					; SepAdtObjectReferenceAuditAlarm(x,x,x,x)+214j
		cmp	[ebp+var_2A4], 0
		jz	short loc_9DB833
		push	0
		push	[ebp+var_2A4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DB833:				; CODE XREF: SepAdtObjectReferenceAuditAlarm(x,x,x,x)+223j
		test	esi, esi
		jz	short loc_9DB83F
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DB83F:				; CODE XREF: SepAdtObjectReferenceAuditAlarm(x,x,x,x)+234j
		test	ebx, ebx
		jns	short loc_9DB849
		push	ebx
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_9DB849:				; CODE XREF: SepAdtObjectReferenceAuditAlarm(x,x,x,x)+240j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_SepAdtObjectReferenceAuditAlarm@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtOpenObjectAuditAlarm(x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x, x, x, x)
_SepAdtOpenObjectAuditAlarm@76 proc near ; CODE	XREF: PAGE:00817721p
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14AEE2p ...

var_30A		= byte ptr -30Ah
var_309		= byte ptr -309h
var_308		= byte ptr -308h
var_307		= byte ptr -307h
var_306		= word ptr -306h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2EC		= dword	ptr -2ECh
var_2E8		= dword	ptr -2E8h
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2B8		= dword	ptr -2B8h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A0		= word ptr -2A0h
var_29E		= word ptr -29Eh
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= byte ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h
arg_40		= dword	ptr  48h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 30Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+30Ch+var_4], eax
		mov	eax, [ebp+arg_C]
		mov	[esp+30Ch+var_2F8], eax
		mov	[esp+30Ch+var_2D8], eax
		mov	eax, [ebp+arg_40]
		mov	[esp+30Ch+var_2F0], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+318h+var_2C0]
		mov	esi, [ebp+arg_10]
		stosd
		mov	[esp+318h+var_306], cx
		mov	ecx, [ebp+arg_14]
		mov	[esp+318h+var_2DC], ecx
		stosd
		mov	[esp+318h+var_2D0], edx
		xor	edx, edx
		mov	[esp+318h+var_300], edx
		mov	[esp+318h+var_2F4], edx
		stosd
		mov	[esp+318h+var_2D4], edx
		mov	[esp+318h+var_2EC], edx
		mov	[esp+318h+var_2FC], edx
		stosd
		xor	eax, eax
		lea	edi, [esp+318h+var_14]
		mov	[esp+318h+var_2B8], ecx
		mov	cl, [ebp+arg_24]
		stosd
		test	cl, cl
		mov	[esp+318h+var_304], edx
		mov	[esp+318h+var_2E8], edx
		mov	[esp+318h+var_2E4], edx
		stosd
		mov	[esp+318h+var_308], dl
		mov	[esp+318h+var_307], dl
		mov	[esp+318h+var_309], dl
		mov	dl, cl
		stosd
		mov	[esp+318h+var_2C0], esi
		stosd
		lea	eax, [esp+318h+var_2C0]
		push	eax
		setz	al
		movzx	eax, al
		push	eax
		push	7Ch
		pop	ecx
		call	SepAdtAuditThisEventWithContext
		test	al, al
		jnz	short loc_9DB911
		inc	al
		jmp	loc_9DC02A
; 

loc_9DB911:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+AEj
		mov	edi, [ebp+arg_3C]
		test	edi, edi
		jnz	short loc_9DB91F
		lea	edi, [esp+318h+var_14]

loc_9DB91F:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BCj
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		lea	edx, [esp+318h+var_2EC]
		mov	ecx, eax
		call	PsGetAllocatedFullProcessImageNameEx
		mov	ebx, eax
		mov	[esp+318h+var_2E0], ebx
		test	ebx, ebx
		js	loc_9DBFC1
		mov	ecx, [esp+318h+var_2DC]
		test	esi, esi
		jz	short loc_9DB95B
		mov	eax, [esi+18h]
		mov	[esp+318h+var_300], eax
		mov	eax, [esi+1Ch]
		mov	[esp+318h+var_2F4], eax
		mov	eax, [esi+94h]
		jmp	short loc_9DB961
; 

loc_9DB95B:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E9j
		mov	eax, [ecx+94h]

loc_9DB961:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+FFj
		mov	eax, [eax]
		mov	[esp+318h+var_2CC], eax
		mov	eax, [ecx+18h]
		mov	[esp+318h+var_2C8], eax
		mov	eax, [ecx+1Ch]
		push	298h		; size_t
		mov	[esp+31Ch+var_2C4], eax
		lea	eax, [esp+31Ch+var_2B0]
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		mov	[esp+324h+var_2AC], 1230h
		add	esp, 0Ch
		cmp	[ebp+arg_2C], 2
		setnz	al
		dec	eax
		push	8
		and	eax, 0FFFFFFFBh
		pop	ecx
		add	eax, ecx
		mov	[esp+318h+var_29E], cx
		cmp	[ebp+arg_24], 0
		mov	[esp+318h+var_2B0], eax
		mov	ax, [esp+318h+var_306]
		push	10h
		mov	[esp+31Ch+var_2A0], ax
		pop	eax
		jnz	short loc_9DB9C4
		mov	[esp+318h+var_29E], ax

loc_9DB9C4:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+163j
		mov	ecx, [esp+318h+var_2D0]
		test	ecx, ecx
		jnz	short loc_9DB9D1
		mov	ecx, offset _SeSubsystemName

loc_9DB9D1:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+170j
		mov	edx, [esp+318h+var_2CC]
		push	8
		mov	[esp+31Ch+var_298], 4
		mov	[esp+31Ch+var_288], edx
		movzx	eax, byte ptr [edx+1]
		mov	[esp+31Ch+var_284], 1
		mov	[esp+31Ch+var_274], ecx
		mov	[esp+31Ch+var_270], 5
		lea	eax, ds:8[eax*4]
		mov	[esp+31Ch+var_294], eax
		movzx	eax, word ptr [ecx]
		add	eax, 8
		test	esi, esi
		pop	esi
		mov	[esp+318h+var_280], eax
		mov	[esp+318h+var_26C], esi
		jz	short loc_9DBA42
		mov	edx, [esp+318h+var_300]
		mov	[esp+318h+var_268], edx
		mov	edx, [esp+318h+var_2F4]
		jmp	short loc_9DBA51
; 

loc_9DBA42:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1D5j
		mov	edx, [esp+318h+var_2C8]
		mov	[esp+318h+var_268], edx
		mov	edx, [esp+318h+var_2C4]

loc_9DBA51:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1E6j
		mov	[esp+318h+var_264], edx
		xor	edx, edx
		inc	edx
		mov	[esp+318h+var_24C], ecx
		mov	ecx, [ebp+arg_4]
		mov	[esp+318h+var_25C], edx
		mov	[esp+318h+var_258], eax
		test	ecx, ecx
		jnz	short loc_9DBA81
		mov	ebx, 0C000000Dh
		jmp	loc_9DBFC1
; 

loc_9DBA81:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+21Bj
		movzx	eax, word ptr [ecx]
		add	eax, esi
		mov	[esp+318h+var_238], ecx
		mov	ecx, [ebp+arg_8]
		mov	[esp+318h+var_248], edx
		mov	[esp+318h+var_244], eax
		push	75h
		pop	edx
		test	ecx, ecx
		jz	short loc_9DBAE0
		mov	ax, [esp+318h+var_306]
		cmp	ax, dx
		jz	short loc_9DBAC2
		add	edx, 0Ch
		mov	[esp+318h+var_234], 1
		cmp	ax, dx
		jnz	short loc_9DBACD

loc_9DBAC2:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+253j
		mov	[esp+318h+var_234], 2

loc_9DBACD:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+266j
		movzx	eax, word ptr [ecx]
		add	eax, esi
		mov	[esp+318h+var_224], ecx
		mov	[esp+318h+var_230], eax

loc_9DBAE0:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+249j
		mov	ecx, [ebp+arg_0]
		mov	[esp+318h+var_220], 0Bh
		test	ecx, ecx
		jz	short loc_9DBB1F
		mov	ecx, [ecx]
		xor	dl, dl
		mov	[esp+318h+var_21C], 4
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jz	short loc_9DBB10
		xor	ecx, 80000000h

loc_9DBB10:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2AEj
		and	ecx, 0FFFFFFFCh
		push	4
		mov	[esp+31Ch+var_218], ecx
		pop	ecx
		jmp	short loc_9DBB31
; 

loc_9DBB1F:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+296j
		and	[esp+318h+var_218], 0
		push	4
		pop	ecx
		mov	[esp+318h+var_21C], ecx

loc_9DBB31:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+2C3j
		cmp	[ebp+arg_24], 0
		mov	eax, [ebp+arg_1C]
		mov	[esp+318h+var_20C], 0Dh
		mov	[esp+318h+var_208], 10h
		mov	[esp+318h+var_1FC], edi
		mov	[esp+318h+var_1F8], 7
		mov	[esp+318h+var_1F4], ecx
		mov	[esp+318h+var_1EC], ecx
		jnz	short loc_9DBB73
		mov	eax, [ebp+arg_18]

loc_9DBB73:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+314j
		mov	esi, [esp+318h+var_2F0]
		mov	[esp+318h+var_1F0], eax
		test	esi, esi
		jz	short loc_9DBBE3
		mov	ecx, [esi+30h]
		test	ecx, ecx
		jz	short loc_9DBBE3
		mov	ecx, [ecx+30h]
		lea	eax, [esp+318h+var_308]
		push	eax
		lea	eax, [esp+31Ch+var_2FC]
		push	eax
		lea	edx, [esp+320h+var_2E8]
		call	_SepCheckAndCopySelfRelativeSD@16 ; SepCheckAndCopySelfRelativeSD(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9DBFC1
		mov	ecx, [esi+30h]
		lea	eax, [esp+11h]
		push	eax
		lea	eax, [esp+31Ch+var_304]
		push	eax
		mov	ecx, [ecx+34h]
		lea	edx, [esp+320h+var_2E4]
		call	_SepCheckAndCopySelfRelativeSD@16 ; SepCheckAndCopySelfRelativeSD(x,x,x,x)
		mov	ebx, eax
		mov	[esp+318h+var_2E0], ebx
		test	ebx, ebx
		js	loc_9DBFC1
		cmp	[esp+318h+var_2E8], 0
		jnz	short loc_9DBBDE
		cmp	[esp+318h+var_2E4], 0
		jz	short loc_9DBBE3

loc_9DBBDE:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+37Bj
		push	4
		pop	ecx
		jmp	short loc_9DBBE5
; 

loc_9DBBE3:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+326j
					; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+32Dj ...
		xor	ecx, ecx

loc_9DBBE5:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+387j
		mov	eax, [esp+318h+var_304]
		mov	esi, [esp+318h+var_2FC]
		sub	eax, ecx
		add	esi, 90h
		add	esi, eax
		push	70416553h
		push	esi
		push	1
		mov	[esp+324h+var_2F4], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+318h+var_300], edi
		test	edi, edi
		jnz	short loc_9DBC1C
		mov	ebx, 0C000009Ah
		jmp	loc_9DBFC1
; 

loc_9DBC1C:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3B6j
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	cl, [ebp+arg_24]
		add	esp, 0Ch
		movzx	eax, cl
		mov	[edi+88h], eax
		mov	eax, [ebp+arg_1C]
		mov	dword ptr [edi+84h], 4
		test	cl, cl
		jnz	short loc_9DBC48
		mov	eax, [ebp+arg_18]

loc_9DBC48:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3E9j
		and	eax, 0FDFFFFFFh
		mov	[edi], eax
		mov	eax, [esp+318h+var_2F0]
		test	eax, eax
		jz	short loc_9DBC71
		mov	esi, [eax+30h]
		test	esi, esi
		jz	short loc_9DBC6D
		add	esi, 40h
		add	edi, 4
		push	20h
		pop	ecx
		rep movsd
		mov	edi, [esp+318h+var_300]

loc_9DBC6D:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+402j
		mov	esi, [esp+318h+var_2F4]

loc_9DBC71:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+3FBj
		mov	eax, [esp+318h+var_2E8]
		test	eax, eax
		jz	short loc_9DBC8D
		push	[esp+318h+var_2FC] ; size_t
		push	eax		; void *
		lea	eax, [edi+8Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_9DBC8D:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+41Dj
		mov	eax, [esp+318h+var_2E4]
		test	eax, eax
		jz	short loc_9DBCAE
		push	[esp+318h+var_304] ; size_t
		push	eax		; void *
		mov	eax, [esp+320h+var_2FC]
		add	eax, 8Ch
		add	eax, edi
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_9DBCAE:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+439j
		mov	dl, [ebp+arg_24]
		mov	eax, [ebp+arg_1C]
		mov	[esp+318h+var_1E4], 1Dh
		mov	[esp+318h+var_1E0], esi
		mov	[esp+318h+var_1D4], edi
		mov	[esp+318h+var_1D0], 0Ah
		mov	[esp+318h+var_1CC], 4
		test	dl, dl
		jnz	short loc_9DBCEA
		mov	eax, [ebp+arg_18]

loc_9DBCEA:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+48Bj
		mov	ecx, [ebp+arg_20]
		mov	[esp+318h+var_1C8], eax
		test	ecx, ecx
		jz	short loc_9DBD1B
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_9DBD1B
		imul	eax, 0Ch
		push	8
		pop	esi
		mov	[esp+318h+var_1BC], esi
		mov	[esp+318h+var_1AC], ecx
		add	eax, esi
		mov	[esp+318h+var_1B8], eax

loc_9DBD1B:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+49Cj
					; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4A2j
		cmp	[ebp+arg_34], 0
		push	0Ch
		pop	esi
		mov	[esp+318h+var_2A8], esi
		jz	loc_9DBE45
		xor	eax, eax
		test	dl, dl
		setz	al
		xor	ecx, ecx
		inc	eax
		xor	edx, edx
		movzx	eax, ax
		mov	[esp+318h+var_2F0], eax
		cmp	[ebp+arg_34], ecx
		jbe	loc_9DBE45
		mov	edi, [ebp+arg_30]
		mov	ebx, eax

loc_9DBD4D:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+506j
		test	edx, edx
		jz	short loc_9DBD5B
		imul	eax, edx, 2Ch
		test	[eax+edi+2], bx
		jz	short loc_9DBD5C

loc_9DBD5B:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4F5j
		inc	ecx

loc_9DBD5C:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4FFj
		inc	edx
		cmp	edx, [ebp+arg_34]
		jb	short loc_9DBD4D
		mov	ebx, [esp+318h+var_2E0]
		mov	edi, [esp+318h+var_300]
		test	ecx, ecx
		jz	loc_9DBE45
		imul	eax, ecx, 18h
		push	70416553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+318h+var_2D4], eax
		test	eax, eax
		jz	loc_9DC041
		and	[esp+318h+var_304], 0
		lea	edx, [eax+10h]
		mov	ebx, [ebp+arg_38]
		xor	ecx, ecx

loc_9DBD9B:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+5A7j
		mov	esi, [ebp+arg_30]
		test	ecx, ecx
		jz	short loc_9DBDB0
		mov	edi, [esp+318h+var_2F0]
		imul	eax, ecx, 2Ch
		test	[eax+esi+2], di
		jz	short loc_9DBDF9

loc_9DBDB0:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+546j
		imul	eax, ecx, 2Ch
		lea	edi, [edx-10h]
		add	esi, 4
		add	esi, eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+arg_30]
		mov	ax, [eax+esi]
		mov	[edx+2], ax
		xor	eax, eax
		test	ecx, ecx
		jnz	short loc_9DBDD9
		inc	eax
		and	[edx+4], ecx
		mov	[edx], ax
		jmp	short loc_9DBDEB
; 

loc_9DBDD9:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+574j
		mov	[edx], ax
		test	ebx, ebx
		jz	short loc_9DBDEB
		cmp	[ebp+arg_24], al
		jz	short loc_9DBDEB
		mov	eax, [ebx+ecx*4]
		mov	[edx+4], eax

loc_9DBDEB:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+57Dj
					; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+584j ...
		mov	eax, [esp+318h+var_304]
		inc	eax
		add	edx, 18h
		mov	[esp+318h+var_304], eax
		jmp	short loc_9DBDFD
; 

loc_9DBDF9:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+554j
		mov	eax, [esp+318h+var_304]

loc_9DBDFD:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+59Dj
		inc	ecx
		cmp	ecx, [ebp+arg_34]
		jb	short loc_9DBD9B
		mov	ebx, [esp+318h+var_2E0]
		mov	edi, [esp+318h+var_300]
		imul	eax, 18h
		push	0Dh
		pop	esi
		mov	[esp+318h+var_1A8], 9
		mov	[esp+318h+var_19C], 4
		mov	[esp+318h+var_1A4], eax
		mov	eax, [esp+318h+var_2D4]
		mov	[esp+318h+var_198], eax
		mov	[esp+318h+var_2A8], esi
		mov	[esp+318h+var_2AC], 1235h

loc_9DBE45:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4CCj
					; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+4E8j ...
		imul	eax, esi, 14h
		push	4
		pop	esi
		mov	edx, [esp+318h+var_2EC]
		mov	[esp+eax+318h+var_298],	1Bh
		imul	eax, [esp+318h+var_2A8], arg_C
		mov	[esp+eax+318h+var_294],	esi
		imul	ecx, [esp+318h+var_2A8], arg_C
		mov	eax, [esp+318h+var_2DC]
		mov	eax, [eax+80h]
		mov	[esp+ecx+318h+var_290],	eax
		mov	eax, [esp+318h+var_2A8]
		inc	eax
		mov	[esp+318h+var_2A8], eax
		imul	eax, 14h
		mov	[esp+eax+318h+var_298],	0Bh
		imul	eax, [esp+318h+var_2A8], arg_C
		mov	[esp+eax+318h+var_294],	esi
		imul	ecx, [esp+318h+var_2A8], arg_C
		mov	eax, [ebp+arg_28]
		mov	[esp+ecx+318h+var_290],	eax
		mov	eax, [esp+318h+var_2A8]
		movzx	ecx, word ptr [edx]
		inc	eax
		mov	[esp+318h+var_2A8], eax
		add	ecx, 8
		imul	eax, 14h
		mov	[esp+eax+318h+var_298],	2
		imul	eax, [esp+318h+var_2A8], arg_C
		mov	[esp+eax+318h+var_294],	ecx
		imul	eax, [esp+318h+var_2A8], arg_C
		mov	[esp+eax+318h+var_288],	edx
		mov	esi, [esp+318h+var_2A8]
		movzx	eax, [esp+318h+var_306]
		inc	esi
		mov	[esp+318h+var_2A8], esi
		sub	eax, 75h
		jz	short loc_9DBEFF
		sub	eax, 0Ch
		jnz	loc_9DBF9B

loc_9DBEFF:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+69Aj
		mov	eax, [esp+318h+var_2F8]
		test	eax, eax
		jz	loc_9DBF9B
		cmp	[esp+318h+var_2AC], 1230h
		jnz	loc_9DBF9B
		mov	ecx, eax
		call	_SepSDContainsAttributeACE@4 ; SepSDContainsAttributeACE(x)
		test	al, al
		jz	short loc_9DBF9B
		mov	ecx, [esp+318h+var_2F8]
		lea	eax, [esp+0Fh]
		push	eax
		lea	eax, [esp+31Ch+var_2FC]
		push	eax
		lea	edx, [esp+320h+var_2D8]
		call	_SepCheckAndCopySelfRelativeSD@16 ; SepCheckAndCopySelfRelativeSD(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9DC04B
		imul	eax, esi, 14h
		mov	esi, [esp+318h+var_2D8]
		mov	ecx, esi
		mov	[esp+318h+var_2F8], esi
		mov	[esp+eax+318h+var_298],	1Fh
		call	_SepSecurityDescriptorStrictLength@4 ; SepSecurityDescriptorStrictLength(x)
		imul	ecx, [esp+318h+var_2A8], arg_C
		mov	[esp+ecx+318h+var_294],	eax
		imul	eax, [esp+318h+var_2A8], arg_C
		mov	[esp+eax+318h+var_288],	esi
		imul	eax, [esp+318h+var_2A8], arg_C
		mov	[esp+eax+318h+var_290],	20h
		imul	eax, [esp+318h+var_2A8], arg_C
		and	[esp+eax+318h+var_28C],	0
		mov	esi, [esp+318h+var_2A8]

loc_9DBF9B:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+69Fj
					; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6ABj ...
		inc	esi
		lea	ecx, [esp+318h+var_2B0]
		mov	[esp+318h+var_2A8], esi
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)

loc_9DBFA9:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7F9j
		mov	eax, [esp+318h+var_2D4]
		test	eax, eax
		jz	short loc_9DBFB9
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DBFB9:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+755j
					; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7ECj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DBFC1:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+DDj
					; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+222j ...
		cmp	[esp+318h+var_2EC], 0
		jz	short loc_9DBFD3
		push	0
		push	[esp+31Ch+var_2EC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DBFD3:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+76Cj
		cmp	[esp+318h+var_309], 0
		jz	short loc_9DBFEA
		mov	eax, [esp+318h+var_2F8]
		test	eax, eax
		jz	short loc_9DBFEA
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DBFEA:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+77Ej
					; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+786j
		cmp	[esp+318h+var_308], 0
		jz	short loc_9DC001
		mov	eax, [esp+318h+var_2E8]
		test	eax, eax
		jz	short loc_9DC001
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DC001:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+795j
					; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+79Dj
		cmp	[esp+318h+var_307], 0
		jz	short loc_9DC018
		mov	eax, [esp+318h+var_2E4]
		test	eax, eax
		jz	short loc_9DC018
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DC018:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7ACj
					; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7B4j
		test	ebx, ebx
		jns	short loc_9DC022
		push	ebx
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_9DC022:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+7C0j
		shr	ebx, 1Fh
		xor	bl, 1
		mov	al, bl

loc_9DC02A:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+B2j
		mov	ecx, [esp+318h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	44h
; 

loc_9DC041:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+52Ej
		mov	ebx, 0C000009Ah
		jmp	loc_9DBFB9
; 

loc_9DC04B:				; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6E5j
		mov	eax, [esp+318h+var_2D8]
		mov	[esp+318h+var_2F8], eax
		jmp	loc_9DBFA9
_SepAdtOpenObjectAuditAlarm@76 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtOpenObjectForDeleteAuditAlarm(x, x, x, x, x, x, x, x,	x, x, x, x, x)
_SepAdtOpenObjectForDeleteAuditAlarm@52	proc near
					; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+27Ep

var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B6		= word ptr -2B6h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A4		= word ptr -2A4h
var_2A2		= word ptr -2A2h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2C0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_28]
		xor	eax, eax
		mov	[ebp+var_2B6], cx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		stosd
		test	ebx, ebx
		jnz	short loc_9DC08A
		lea	ebx, [ebp+var_18]

loc_9DC08A:				; CODE XREF: SepAdtOpenObjectForDeleteAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x)+2Dj
		mov	edi, [ebp+arg_C]
		mov	eax, [ebp+arg_10]
		test	edi, edi
		jz	short loc_9DC09C
		mov	esi, [edi+94h]
		jmp	short loc_9DC0A2
; 

loc_9DC09C:				; CODE XREF: SepAdtOpenObjectForDeleteAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x)+3Aj
		mov	esi, [eax+94h]

loc_9DC0A2:				; CODE XREF: SepAdtOpenObjectForDeleteAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x)+42j
		mov	ecx, [eax+18h]
		mov	esi, [esi]
		mov	eax, [eax+1Ch]
		push	298h		; size_t
		mov	[ebp+var_2C0], eax
		lea	eax, [ebp+var_2B4]
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_2BC], ecx
		call	_memset
		mov	dx, [ebp+var_2B6]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[ebp+var_28C], esi
		inc	ecx
		mov	[ebp+var_2B4], 3
		mov	[ebp+var_2A4], dx
		mov	[ebp+var_2B0], 1233h
		mov	[ebp+var_29C], 4
		mov	[ebp+var_288], ecx
		mov	[ebp+var_284], 18h
		mov	[ebp+var_278], offset _SeSubsystemName
		mov	[ebp+var_274], 5
		push	8
		pop	eax
		mov	[ebp+var_2A2], ax
		movzx	eax, byte ptr [esi+1]
		push	8
		pop	esi
		mov	[ebp+var_270], esi
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_298], eax
		test	edi, edi
		jz	short loc_9DC15B
		mov	eax, [edi+18h]
		mov	[ebp+var_26C], eax
		mov	eax, [edi+1Ch]
		jmp	short loc_9DC16D
; 

loc_9DC15B:				; CODE XREF: SepAdtOpenObjectForDeleteAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x)+F3j
		mov	eax, [ebp+var_2BC]
		mov	[ebp+var_26C], eax
		mov	eax, [ebp+var_2C0]

loc_9DC16D:				; CODE XREF: SepAdtOpenObjectForDeleteAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x)+101j
		mov	[ebp+var_260], ecx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_268], eax
		mov	[ebp+var_25C], 18h
		mov	[ebp+var_250], offset _SeSubsystemName
		test	ecx, ecx
		jz	short loc_9DC1AF
		movzx	eax, word ptr [ecx]
		add	eax, esi
		mov	[ebp+var_24C], 1
		mov	[ebp+var_248], eax
		mov	[ebp+var_23C], ecx

loc_9DC1AF:				; CODE XREF: SepAdtOpenObjectForDeleteAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x)+13Aj
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_9DC1EB
		cmp	dx, 75h
		jz	short loc_9DC1D0
		mov	eax, 81h
		mov	[ebp+var_238], 1
		cmp	dx, ax
		jnz	short loc_9DC1DA

loc_9DC1D0:				; CODE XREF: SepAdtOpenObjectForDeleteAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x)+162j
		mov	[ebp+var_238], 2

loc_9DC1DA:				; CODE XREF: SepAdtOpenObjectForDeleteAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x)+176j
		movzx	eax, word ptr [ecx]
		add	eax, esi
		mov	[ebp+var_228], ecx
		mov	[ebp+var_234], eax

loc_9DC1EB:				; CODE XREF: SepAdtOpenObjectForDeleteAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x)+15Cj
		and	[ebp+var_21C], 0
		mov	eax, [ebp+arg_18]
		mov	ecx, [ebp+arg_1C]
		mov	[ebp+var_210], 0Dh
		mov	[ebp+var_20C], 10h
		mov	[ebp+var_200], ebx
		mov	[ebp+var_1FC], 7
		mov	[ebp+var_1F4], eax
		mov	[ebp+var_1E8], 0Ah
		mov	[ebp+var_1E0], eax
		push	0Bh
		pop	edi
		mov	[ebp+var_224], edi
		push	4
		pop	edx
		mov	[ebp+var_220], edx
		mov	[ebp+var_1F8], edx
		mov	[ebp+var_1F0], edx
		mov	[ebp+var_1E4], edx
		test	ecx, ecx
		jz	short loc_9DC277
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_9DC277
		imul	eax, 0Ch
		mov	[ebp+var_1D4], esi
		mov	[ebp+var_1C4], ecx
		add	eax, esi
		mov	[ebp+var_1D0], eax

loc_9DC277:				; CODE XREF: SepAdtOpenObjectForDeleteAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x)+200j
					; SepAdtOpenObjectForDeleteAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x)+206j
		mov	ecx, [ebp+arg_24]
		mov	[ebp+var_1B8], ecx
		lea	ecx, [ebp+var_2B4]
		mov	[ebp+var_1C0], edi
		mov	[ebp+var_1BC], edx
		mov	[ebp+var_2AC], 0Ch
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		mov	ecx, [ebp+var_8]
		mov	al, 1
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	2Ch
_SepAdtOpenObjectForDeleteAuditAlarm@52	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtSecurityDescriptorChangedAuditAlarm(x, x, x, x, x, x,	x, x, x)
_SepAdtSecurityDescriptorChangedAuditAlarm@36 proc near
					; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12650Bp
					; SeSecurityDescriptorChangedAuditAlarm+126530p ...

var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_294		= word ptr -294h
var_292		= word ptr -292h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1B4		= dword	ptr -1B4h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2B8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_10]
		and	[ebp+var_2A8], 0
		push	ebx
		push	esi
		mov	[ebp+var_2B0], eax
		mov	eax, [ebp+arg_18]
		push	edi
		mov	edi, edx
		mov	[ebp+var_2AC], ecx
		mov	[ebp+var_2B4], eax
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		lea	edx, [ebp+var_2A8]
		mov	ecx, [eax+0E4h]
		mov	[ebp+var_2B8], ecx
		mov	ecx, eax
		call	PsGetAllocatedFullProcessImageNameEx
		mov	esi, eax
		test	esi, esi
		js	loc_9DC544
		push	298h		; size_t
		lea	eax, [ebp+var_2A4]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ebx, [ebp+arg_14]
		add	esp, 0Ch
		test	bl, 8
		jz	short loc_9DC34E
		mov	[ebp+var_2A4], 6
		mov	eax, 8Ch
		mov	[ebp+var_2A0], 132Bh
		jmp	short loc_9DC387
; 

loc_9DC34E:				; CODE XREF: SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)+7Dj
		test	bl, 20h
		jz	short loc_9DC35F
		mov	[ebp+var_2A0], 132Fh
		jmp	short loc_9DC378
; 

loc_9DC35F:				; CODE XREF: SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)+9Dj
		mov	[ebp+var_2A0], 1331h
		test	bl, 40h
		jnz	short loc_9DC378
		mov	[ebp+var_2A0], 123Eh

loc_9DC378:				; CODE XREF: SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)+A9j
					; SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)+B8j
		mov	[ebp+var_2A4], 3
		mov	eax, 8Eh

loc_9DC387:				; CODE XREF: SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)+98j
		mov	ecx, [ebp+arg_C]
		movzx	edx, word ptr [edi]
		mov	[ebp+var_294], ax
		add	edx, 8
		push	8
		pop	eax
		mov	[ebp+var_292], ax
		movzx	eax, byte ptr [ecx+1]
		mov	[ebp+var_27C], ecx
		mov	[ebp+var_28C], 4
		mov	[ebp+var_278], 1
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_274], edx
		mov	[ebp+var_288], eax
		mov	eax, [ebp+var_2AC]
		mov	[ebp+var_268], edi
		mov	[ebp+var_264], 5
		mov	[ebp+var_260], 8
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	short loc_9DC3FB
		mov	ecx, [eax+8]

loc_9DC3FB:				; CODE XREF: SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)+142j
		mov	eax, [ecx+18h]
		mov	[ebp+var_25C], eax
		mov	eax, [ecx+1Ch]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_258], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_22C], ecx
		mov	[ebp+var_250], eax
		mov	[ebp+var_23C], eax
		movzx	eax, word ptr [ecx]
		mov	ecx, [ebp+arg_4]
		add	eax, 8
		mov	[ebp+var_24C], edx
		mov	[ebp+var_240], edi
		mov	[ebp+var_238], eax
		test	ecx, ecx
		jz	short loc_9DC460
		movzx	eax, word ptr [ecx]
		add	eax, 8
		mov	[ebp+var_228], 2
		mov	[ebp+var_224], eax
		mov	[ebp+var_218], ecx

loc_9DC460:				; CODE XREF: SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)+18Ej
		mov	ecx, [ebp+arg_8]
		xor	dl, dl
		mov	[ebp+var_214], 0Bh
		mov	[ebp+var_210], 4
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jz	short loc_9DC488
		xor	ecx, 80000000h

loc_9DC488:				; CODE XREF: SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)+1CCj
		mov	edi, [ebp+var_2B0]
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_20C], ecx
		mov	ecx, edi
		mov	[ebp+var_200], 18h
		call	_SepSecurityDescriptorStrictLength@4 ; SepSecurityDescriptorStrictLength(x)
		mov	[ebp+var_1F0], edi
		mov	edi, [ebp+var_2B4]
		mov	ecx, edi
		mov	[ebp+var_1FC], eax
		mov	[ebp+var_1F8], ebx
		mov	[ebp+var_1F4], 4
		mov	[ebp+var_1EC], 18h
		call	_SepSecurityDescriptorStrictLength@4 ; SepSecurityDescriptorStrictLength(x)
		mov	ecx, [ebp+var_2A8]
		mov	[ebp+var_1E8], eax
		push	4
		pop	eax
		mov	[ebp+var_1E0], eax
		mov	[ebp+var_1D4], eax
		mov	eax, [ebp+var_2B8]
		mov	[ebp+var_1D0], eax
		movzx	eax, word ptr [ecx]
		push	0Bh
		pop	edx
		add	eax, 8
		mov	[ebp+var_1B4], ecx
		lea	ecx, [ebp+var_2A4]
		mov	[ebp+var_1DC], edi
		mov	[ebp+var_1E4], ebx
		mov	[ebp+var_1D8], edx
		mov	[ebp+var_1C4], 2
		mov	[ebp+var_1C0], eax
		mov	[ebp+var_29C], edx
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)

loc_9DC544:				; CODE XREF: SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)+5Bj
		cmp	[ebp+var_2A8], 0
		jz	short loc_9DC55A
		push	0
		push	[ebp+var_2A8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DC55A:				; CODE XREF: SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)+297j
		test	esi, esi
		jns	short loc_9DC564
		push	esi
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_9DC564:				; CODE XREF: SepAdtSecurityDescriptorChangedAuditAlarm(x,x,x,x,x,x,x,x,x)+2A8j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
_SepAdtSecurityDescriptorChangedAuditAlarm@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtStagingEvent(x, x, x,	x, x, x, x, x, x, x, x,	x)
_SepAdtStagingEvent@48 proc near	; CODE XREF: PAGE:00817754p
					; PfSnGetCompletedTrace+121DD0p ...

var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2BE		= word ptr -2BEh
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A2		= dword	ptr -2A2h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_290		= word ptr -290h
var_28E		= word ptr -28Eh
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= byte ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2DCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_24]
		mov	edx, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_2BE], cx
		mov	eax, [eax+30h]
		mov	[ebp+var_2D8], edx
		mov	[ebp+var_2B0], ebx
		mov	[ebp+var_2B4], ebx
		mov	[ebp+var_2BC], ebx
		mov	[ebp+var_2B8], ebx
		mov	[ebp+var_2C4], ebx
		mov	byte ptr [ebp+var_2A2+1], bl
		mov	byte ptr [ebp+var_2A2],	bl
		mov	[ebp+var_2C8], eax
		push	esi
		mov	esi, ebx
		mov	[ebp+var_2A8], esi
		push	edi
		mov	edi, ebx
		mov	[ebp+var_2AC], edi
		test	eax, eax
		jz	loc_9DCA5E
		cmp	[eax+0C0h], bl
		jz	loc_9DCA5E
		push	75h
		pop	eax
		cmp	cx, ax
		jz	short loc_9DC61D
		add	eax, 0Ch
		cmp	cx, ax
		jz	short loc_9DC61D
		push	ebx
		push	offset _SepFileTypeName
		push	edx
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jnz	loc_9DCA5E

loc_9DC61D:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+8Aj
					; SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+92j
		call	_PsGetCurrentThreadProcess@0 ; PsGetCurrentThreadProcess()
		lea	edx, [ebp+var_2BC]
		mov	ecx, eax
		call	PsGetAllocatedFullProcessImageNameEx
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9DCA0A
		mov	ebx, [ebp+arg_C]
		mov	eax, [ebp+arg_10]
		test	ebx, ebx
		jz	short loc_9DC65D
		mov	ecx, [ebx+18h]
		mov	[ebp+var_2B0], ecx
		mov	ecx, [ebx+1Ch]
		mov	[ebp+var_2B4], ecx
		mov	ecx, [ebx+94h]
		jmp	short loc_9DC663
; 

loc_9DC65D:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+CCj
		mov	ecx, [eax+94h]

loc_9DC663:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+E6j
		mov	ecx, [ecx]
		mov	[ebp+var_2CC], ecx
		mov	ecx, [eax+18h]
		mov	eax, [eax+1Ch]
		push	298h		; size_t
		mov	[ebp+var_2D4], eax
		lea	eax, [ebp+var_2A2+2]
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_2D0], ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_2A2+2], 3
		test	[ebp+arg_14], 2000000h
		mov	eax, 82h
		mov	[ebp+var_29C], 12D2h
		mov	[ebp+var_290], ax
		push	8
		pop	edx
		jnz	short loc_9DC6CE
		cmp	[ebp+arg_1C], 0
		jz	short loc_9DC6CE
		mov	[ebp+var_28E], dx
		jmp	short loc_9DC6D8
; 

loc_9DC6CE:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+148j
					; SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+14Ej
		push	10h
		pop	eax
		mov	[ebp+var_28E], ax

loc_9DC6D8:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+157j
		mov	ecx, [ebp+var_2CC]
		mov	[ebp+var_278], ecx
		mov	[ebp+var_288], 4
		mov	[ebp+var_270], 18h
		movzx	eax, byte ptr [ecx+1]
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_264], offset _SeSubsystemName
		mov	[ebp+var_274], ecx
		mov	[ebp+var_260], 5
		mov	[ebp+var_25C], edx
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_284], eax
		test	ebx, ebx
		jz	short loc_9DC744
		mov	eax, [ebp+var_2B0]
		mov	[ebp+var_258], eax
		mov	eax, [ebp+var_2B4]
		jmp	short loc_9DC756
; 

loc_9DC744:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+1B9j
		mov	eax, [ebp+var_2D0]
		mov	[ebp+var_258], eax
		mov	eax, [ebp+var_2D4]

loc_9DC756:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+1CDj
		mov	[ebp+var_24C], ecx
		mov	ecx, [ebp+var_2D8]
		mov	[ebp+var_254], eax
		mov	[ebp+var_248], 18h
		mov	[ebp+var_23C], offset _SeSubsystemName
		test	ecx, ecx
		jnz	short loc_9DC78A
		mov	ebx, 0C000000Dh
		jmp	loc_9DCA0A
; 

loc_9DC78A:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+209j
		movzx	eax, word ptr [ecx]
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_228], ecx
		mov	ecx, [ebp+arg_8]
		add	eax, edx
		mov	[ebp+var_238], ebx
		mov	[ebp+var_234], eax
		test	ecx, ecx
		jz	short loc_9DC7E3
		mov	ax, [ebp+var_2BE]
		push	75h
		pop	edi
		cmp	ax, di
		jz	short loc_9DC7C8
		add	edi, 0Ch
		mov	[ebp+var_224], ebx
		cmp	ax, di
		jnz	short loc_9DC7D2

loc_9DC7C8:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+243j
		mov	[ebp+var_224], 2

loc_9DC7D2:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+251j
		movzx	eax, word ptr [ecx]
		add	eax, edx
		mov	[ebp+var_214], ecx
		mov	[ebp+var_220], eax

loc_9DC7E3:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+234j
		mov	ecx, [ebp+arg_0]
		push	0Bh
		pop	ebx
		mov	[ebp+var_210], ebx
		push	4
		pop	edi
		mov	[ebp+var_20C], edi
		test	ecx, ecx
		jz	short loc_9DC81D
		mov	ecx, [ecx]
		xor	dl, dl
		call	_ObpIsKernelHandle@8 ; ObpIsKernelHandle(x,x)
		test	al, al
		jz	short loc_9DC80F
		xor	ecx, 80000000h

loc_9DC80F:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+292j
		and	ecx, 0FFFFFFFCh
		push	8
		mov	[ebp+var_208], ecx
		pop	edx
		jmp	short loc_9DC823
; 

loc_9DC81D:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+285j
		and	[ebp+var_208], esi

loc_9DC823:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+2A6j
		mov	ecx, [ebp+var_2BC]
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_1F4], eax
		mov	[ebp+var_1F8], edi
		movzx	eax, word ptr [ecx]
		mov	edi, [ebp+var_2C8]
		add	eax, edx
		mov	[ebp+var_1E4], eax
		lea	edx, [ebp+var_2AC]
		lea	eax, [ebp+var_2A2+1]
		mov	[ebp+var_1D8], ecx
		push	eax
		mov	ecx, [edi+30h]
		lea	eax, [ebp+var_2B8]
		push	eax
		mov	[ebp+var_1FC], ebx
		mov	[ebp+var_1E8], 2
		call	_SepCheckAndCopySelfRelativeSD@16 ; SepCheckAndCopySelfRelativeSD(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9DCA04
		mov	ecx, [edi+34h]
		lea	eax, [ebp+var_2A2]
		push	eax
		lea	eax, [ebp+var_2C4]
		push	eax
		lea	edx, [ebp+var_2A8]
		call	_SepCheckAndCopySelfRelativeSD@16 ; SepCheckAndCopySelfRelativeSD(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9DC9FE
		cmp	[ebp+var_2AC], esi
		mov	esi, [ebp+var_2A8]
		jnz	short loc_9DC8C1
		test	esi, esi
		jnz	short loc_9DC8C1
		xor	ecx, ecx
		jmp	short loc_9DC8C4
; 

loc_9DC8C1:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+342j
					; SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+346j
		push	4
		pop	ecx

loc_9DC8C4:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+34Aj
		mov	eax, [ebp+var_2C4]
		sub	eax, ecx
		mov	ecx, [ebp+var_2B8]
		add	ecx, 90h
		add	eax, ecx
		push	70416553h
		push	eax
		push	1
		mov	[ebp+var_2B0], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_2B4], edi
		test	edi, edi
		jnz	short loc_9DC903
		mov	ebx, 0C000009Ah
		jmp	loc_9DCA04
; 

loc_9DC903:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+382j
		push	[ebp+var_2B0]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	cl, [ebp+arg_1C]
		add	esp, 0Ch
		movzx	eax, cl
		mov	[edi+88h], eax
		mov	eax, [ebp+arg_18]
		mov	dword ptr [edi+84h], 4
		test	cl, cl
		jnz	short loc_9DC934
		mov	eax, [ebp+arg_14]

loc_9DC934:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+3BAj
		mov	esi, [ebp+var_2C8]
		and	eax, 0FDFFFFFFh
		mov	[edi], eax
		add	esi, 40h
		add	edi, 4
		push	20h
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_2AC]
		mov	esi, [ebp+var_2B4]
		test	edi, edi
		jz	short loc_9DC972
		push	[ebp+var_2B8]	; size_t
		lea	eax, [esi+8Ch]
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_9DC972:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+3E5j
		mov	eax, [ebp+var_2A8]
		test	eax, eax
		jz	short loc_9DC999
		push	[ebp+var_2C4]	; size_t
		push	eax		; void *
		mov	eax, [ebp+var_2B8]
		add	eax, 8Ch
		add	eax, esi
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_9DC999:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+405j
		mov	eax, [ebp+var_2B0]
		lea	ecx, [ebp+var_2A2+2]
		and	[ebp+var_1B8], 0
		and	[ebp+var_1B4], 0
		mov	[ebp+var_1D4], 1Dh
		mov	[ebp+var_1D0], eax
		mov	[ebp+var_1C4], esi
		mov	[ebp+var_1C0], 1Eh
		mov	[ebp+var_1BC], eax
		mov	[ebp+var_1B0], esi
		mov	[ebp+var_298], 0Bh
		call	_SepAdtLogAuditRecord@4	; SepAdtLogAuditRecord(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_2A8]
		jmp	short loc_9DCA0A
; 

loc_9DC9FE:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+330j
		mov	esi, [ebp+var_2A8]

loc_9DCA04:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+30Aj
					; SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+389j
		mov	edi, [ebp+var_2AC]

loc_9DCA0A:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+BEj
					; SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+210j ...
		cmp	[ebp+var_2BC], 0
		jz	short loc_9DCA20
		push	0
		push	[ebp+var_2BC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DCA20:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+49Cj
		cmp	byte ptr [ebp+var_2A2+1], 0
		jz	short loc_9DCA35
		test	edi, edi
		jz	short loc_9DCA35
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DCA35:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+4B2j
					; SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+4B6j
		cmp	byte ptr [ebp+var_2A2],	0
		jz	short loc_9DCA4A
		test	esi, esi
		jz	short loc_9DCA4A
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DCA4A:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+4C7j
					; SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+4CBj
		test	ebx, ebx
		jns	short loc_9DCA54
		push	ebx
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_9DCA54:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+4D7j
		shr	ebx, 1Fh
		xor	bl, 1
		mov	al, bl
		jmp	short loc_9DCA60
; 

loc_9DCA5E:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+72j
					; SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+7Ej ...
		mov	al, 1

loc_9DCA60:				; CODE XREF: SepAdtStagingEvent(x,x,x,x,x,x,x,x,x,x,x,x)+4E7j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	28h
_SepAdtStagingEvent@48 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepQueryTypeString(x, x)
_SepQueryTypeString@8 proc near		; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+125FC5p
					; SeTokenDefaultDaclChangedAuditAlarm+11B11Bp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		lea	edx, [ebp+var_C]
		push	eax
		push	ebx
		mov	edi, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	[esi], ebx
		call	_ObQueryTypeName@16 ; ObQueryTypeName(x,x,x,x)
		cmp	eax, 0C0000004h
		jnz	short loc_9DCADD
		push	6E546553h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	short loc_9DCAD8
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx
		push	[ebp+var_4]
		mov	ecx, edi
		call	_ObQueryTypeName@16 ; ObQueryTypeName(x,x,x,x)
		test	eax, eax
		jns	short loc_9DCADD
		push	ebx
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi], ebx
		mov	eax, ebx
		jmp	short loc_9DCADD
; 

loc_9DCAD8:				; CODE XREF: SepQueryTypeString(x,x)+43j
		mov	eax, 0C000009Ah

loc_9DCADD:				; CODE XREF: SepQueryTypeString(x,x)+2Ej
					; SepQueryTypeString(x,x)+57j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SepQueryTypeString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCaptureAuditPolicy(x, x,	x, x, x, x, x)
_SepCaptureAuditPolicy@28 proc near	; CODE XREF: PAGE:007E9E2Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_10		= dword	ptr  18h

		push	10h
		push	offset dword_6A93E0
		call	__SEH_prolog4
		mov	ebx, ecx
		test	dl, dl
		jz	short loc_9DCB1C
		and	[ebp+ms_exc.disabled], 0
		test	bl, 3
		jz	short loc_9DCB02
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9DCB02:				; CODE XREF: SepCaptureAuditPolicy(x,x,x,x,x,x,x)+19j
		lea	ecx, [ebx+1Fh]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_9DCB12
		cmp	ecx, ebx
		jnb	short loc_9DCB15

loc_9DCB12:				; CODE XREF: SepCaptureAuditPolicy(x,x,x,x,x,x,x)+2Aj
		mov	byte ptr [eax],	0

loc_9DCB15:				; CODE XREF: SepCaptureAuditPolicy(x,x,x,x,x,x,x)+2Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9DCB1C:				; CODE XREF: SepCaptureAuditPolicy(x,x,x,x,x,x,x)+10j
		push	61506553h
		push	1Fh
		xor	esi, esi
		inc	esi
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+arg_10]
		mov	[ecx], eax
		test	eax, eax
		jnz	short loc_9DCB59
		mov	eax, 0C000009Ah
		jmp	short loc_9DCB9D
; 

loc_9DCB3C:				; DATA XREF: .text:006A93F4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9DCB4A:				; DATA XREF: .text:006A93F8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		jmp	short loc_9DCB9D
; 

loc_9DCB59:				; CODE XREF: SepCaptureAuditPolicy(x,x,x,x,x,x,x)+51j
		mov	[ebp+ms_exc.disabled], esi
		push	7
		pop	ecx
		mov	esi, ebx
		mov	edi, eax
		rep movsd
		movsw
		movsb
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_9DCB9D
; 

loc_9DCB73:				; DATA XREF: .text:006A9400o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9DCB81:				; DATA XREF: .text:006A9404o
		mov	esp, [ebp+ms_exc.old_esp]
		push	0
		mov	esi, [ebp+arg_10]
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]

loc_9DCB9D:				; CODE XREF: SepCaptureAuditPolicy(x,x,x,x,x,x,x)+58j
					; SepCaptureAuditPolicy(x,x,x,x,x,x,x)+75j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_SepCaptureAuditPolicy@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCaptureFqbnArray(x, x, x, x)
_SepCaptureFqbnArray@16	proc near	; CODE XREF: SepCaptureTokenSecurityAttributesInformation+1245DBp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

		push	40h
		push	offset dword_6A93B8
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], ecx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		push	10h
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_1C]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_9DCDDC
		push	74416553h
		mov	esi, [ebp+var_1C]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_34], edi
		test	edi, edi
		jnz	short loc_9DCC02
		mov	eax, 0C000009Ah
		jmp	loc_9DCDDC
; 

loc_9DCC02:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+47j
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+var_24]
		test	esi, esi
		jz	short loc_9DCC28
		test	al, 3
		jz	short loc_9DCC15

loc_9DCC10:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+145j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9DCC15:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+5Fj
		lea	ecx, [esi+eax]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	short loc_9DCC26
		cmp	ecx, eax
		jnb	short loc_9DCC28

loc_9DCC26:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+71j
		mov	[edx], bl

loc_9DCC28:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+5Bj
					; SepCaptureFqbnArray(x,x,x,x)+75j
		push	esi		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0FFFFFFFEh
		pop	ecx
		mov	[ebp+ms_exc.disabled], ecx
		lea	eax, [esi+1]
		and	eax, ecx
		cmp	eax, esi
		jb	loc_9DCDA7
		mov	[ebp+var_1C], eax
		mov	esi, ebx
		lea	ecx, [edi+8]

loc_9DCC4E:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+C7j
		mov	[ebp+var_24], ecx
		cmp	esi, [ebp+var_28]
		jnb	short loc_9DCC78
		lea	edx, [ebp+var_1C]
		push	edx
		movzx	edx, word ptr [ecx]
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9DCDA7
		inc	esi
		mov	ecx, [ebp+var_24]
		add	ecx, 10h
		mov	eax, [ebp+var_1C]
		jmp	short loc_9DCC4E
; 

loc_9DCC78:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+A5j
		push	74416553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_9DCC96
		mov	esi, 0C000009Ah
		jmp	loc_9DCDAC
; 

loc_9DCC96:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+DBj
		mov	esi, [ebp+var_28]
		shl	esi, 4
		push	esi		; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+var_24]
		inc	ecx
		add	ecx, esi
		and	ecx, 0FFFFFFFEh
		mov	[ebp+var_20], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+ms_exc.disabled], 1
		mov	esi, ebx

loc_9DCCBF:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+1AFj
		mov	[ebp+var_48], esi
		cmp	esi, [ebp+var_28]
		jnb	loc_9DCD63
		mov	edx, esi
		shl	edx, 4
		mov	[ebp+var_40], edx
		movzx	eax, word ptr [edx+edi+8]
		mov	[ebp+var_2C], eax
		movzx	eax, ax
		mov	[ebp+var_38], eax
		movzx	eax, ax
		cmp	word ptr [ebp+var_2C], 0
		jz	short loc_9DCD32
		mov	eax, [edx+edi+0Ch]
		mov	[ebp+var_30], eax
		test	al, 1
		jnz	loc_9DCC10
		mov	eax, [ebp+var_2C]
		movzx	eax, ax
		mov	ecx, [ebp+var_30]
		add	ecx, eax
		mov	[ebp+var_2C], ecx
		mov	eax, ds:_MmUserProbeAddress
		mov	[ebp+var_3C], eax
		cmp	ecx, eax
		mov	ecx, [ebp+var_20]
		ja	short loc_9DCD2B
		mov	eax, [ebp+var_38]
		movzx	eax, ax
		mov	ecx, [ebp+var_2C]
		cmp	ecx, [ebp+var_30]
		mov	ecx, [ebp+var_20]
		jnb	short loc_9DCD32
		mov	eax, [ebp+var_3C]

loc_9DCD2B:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+166j
		mov	[eax], bl
		movzx	eax, word ptr [edx+edi+8]

loc_9DCD32:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+13Aj
					; SepCaptureFqbnArray(x,x,x,x)+177j
		movzx	eax, ax
		push	eax		; size_t
		push	dword ptr [edx+edi+0Ch]	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+var_24]
		mov	edx, [ebp+var_40]
		mov	[edx+eax+0Ch], ecx
		movzx	eax, word ptr [edx+edi+8]
		add	ecx, eax
		mov	[ebp+var_20], ecx
		mov	[ebp+var_44], ecx
		inc	esi
		jmp	loc_9DCCBF
; 

loc_9DCD63:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+116j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_24]
		mov	[eax], ecx
		xor	eax, eax
		jmp	short loc_9DCDDC
; 

loc_9DCD7D:				; DATA XREF: .text:006A93D8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_4C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9DCD8B:				; DATA XREF: .text:006A93DCo
		mov	esp, [ebp+ms_exc.old_esp]
		xor	ebx, ebx
		push	ebx
		push	[ebp+var_34]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4C]
		jmp	short loc_9DCDD5
; 

loc_9DCDA7:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+91j
					; SepCaptureFqbnArray(x,x,x,x)+B7j
		mov	esi, 0C0000095h

loc_9DCDAC:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+E2j
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	short loc_9DCDDC
; 

loc_9DCDB7:				; DATA XREF: .text:006A93CCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_50], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9DCDC5:				; DATA XREF: .text:006A93D0o
		mov	esp, [ebp+ms_exc.old_esp]
		push	0
		push	[ebp+var_34]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_50]

loc_9DCDD5:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+1F6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9DCDDC:				; CODE XREF: SepCaptureFqbnArray(x,x,x,x)+2Aj
					; SepCaptureFqbnArray(x,x,x,x)+4Ej ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SepCaptureFqbnArray@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCaptureOctetStringArray(x, x, x,	x)
_SepCaptureOctetStringArray@16 proc near
					; CODE XREF: SepCaptureTokenSecurityAttributesInformation+1245C5p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

		push	34h
		push	offset dword_6A9390
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], ecx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		push	8
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_1C]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_9DCFBD
		push	74416553h
		mov	esi, [ebp+var_1C]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_30], edi
		test	edi, edi
		jnz	short loc_9DCE41
		mov	eax, 0C000009Ah
		jmp	loc_9DCFBD
; 

loc_9DCE41:				; CODE XREF: SepCaptureOctetStringArray(x,x,x,x)+47j
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+var_24]
		test	esi, esi
		jz	short loc_9DCE67
		test	al, 3
		jz	short loc_9DCE54
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9DCE54:				; CODE XREF: SepCaptureOctetStringArray(x,x,x,x)+5Fj
		lea	ecx, [esi+eax]
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		ja	short loc_9DCE65
		cmp	ecx, eax
		jnb	short loc_9DCE67

loc_9DCE65:				; CODE XREF: SepCaptureOctetStringArray(x,x,x,x)+71j
		mov	[edx], bl

loc_9DCE67:				; CODE XREF: SepCaptureOctetStringArray(x,x,x,x)+5Bj
					; SepCaptureOctetStringArray(x,x,x,x)+75j
		push	esi		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ebx
		lea	ecx, [edi+4]

loc_9DCE7E:				; CODE XREF: SepCaptureOctetStringArray(x,x,x,x)+BBj
		mov	[ebp+var_20], ecx
		mov	[ebp+var_24], eax
		cmp	eax, [ebp+var_28]
		jnb	short loc_9DCEAB
		lea	eax, [ebp+var_1C]
		push	eax
		mov	edx, [ecx]
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9DCEC4
		mov	eax, [ebp+var_24]
		inc	eax
		mov	ecx, [ebp+var_20]
		add	ecx, 8
		mov	esi, [ebp+var_1C]
		jmp	short loc_9DCE7E
; 

loc_9DCEAB:				; CODE XREF: SepCaptureOctetStringArray(x,x,x,x)+99j
		push	74416553h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_9DCED2
		mov	esi, 0C000009Ah

loc_9DCEC4:				; CODE XREF: SepCaptureOctetStringArray(x,x,x,x)+ACj
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	loc_9DCFBD
; 

loc_9DCED2:				; CODE XREF: SepCaptureOctetStringArray(x,x,x,x)+CFj
		mov	esi, [ebp+var_28]
		shl	esi, 3
		push	esi		; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+var_24]
		add	ecx, esi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+ms_exc.disabled], 1
		mov	esi, ebx

loc_9DCEF7:				; CODE XREF: SepCaptureOctetStringArray(x,x,x,x)+164j
		mov	[ebp+var_3C], esi
		cmp	esi, [ebp+var_28]
		jnb	short loc_9DCF54
		mov	eax, [edi+esi*8+4]
		test	eax, eax
		jz	short loc_9DCF31
		mov	edx, [edi+esi*8]
		mov	[ebp+var_34], edx
		add	edx, eax
		mov	[ebp+var_2C], edx
		mov	edx, ds:_MmUserProbeAddress
		cmp	[ebp+var_2C], edx
		mov	ecx, [ebp+var_20]
		ja	short loc_9DCF2B
		mov	ecx, [ebp+var_2C]
		cmp	ecx, [ebp+var_34]
		mov	ecx, [ebp+var_20]
		jnb	short loc_9DCF31

loc_9DCF2B:				; CODE XREF: SepCaptureOctetStringArray(x,x,x,x)+130j
		mov	[edx], bl
		mov	eax, [edi+esi*8+4]

loc_9DCF31:				; CODE XREF: SepCaptureOctetStringArray(x,x,x,x)+117j
					; SepCaptureOctetStringArray(x,x,x,x)+13Bj
		push	eax		; size_t
		push	dword ptr [edi+esi*8] ;	void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+var_20]
		mov	[eax+esi*8], ecx
		add	ecx, [edi+esi*8+4]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_38], ecx
		inc	esi
		jmp	short loc_9DCEF7
; 

loc_9DCF54:				; CODE XREF: SepCaptureOctetStringArray(x,x,x,x)+10Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_24]
		mov	[eax], ecx
		xor	eax, eax
		jmp	short loc_9DCFBD
; 

loc_9DCF6E:				; DATA XREF: .text:006A93B0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_40], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9DCF7C:				; DATA XREF: .text:006A93B4o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	ebx, ebx
		push	ebx
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_40]
		jmp	short loc_9DCFB6
; 

loc_9DCF98:				; DATA XREF: .text:006A93A4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_44], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9DCFA6:				; DATA XREF: .text:006A93A8o
		mov	esp, [ebp+ms_exc.old_esp]
		push	0
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_44]

loc_9DCFB6:				; CODE XREF: SepCaptureOctetStringArray(x,x,x,x)+1A8j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9DCFBD:				; CODE XREF: SepCaptureOctetStringArray(x,x,x,x)+2Aj
					; SepCaptureOctetStringArray(x,x,x,x)+4Ej ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SepCaptureOctetStringArray@16 endp


;  S U B	R O U T	I N E 


; __stdcall SepReleaseAuditPolicy(x, x,	x)
_SepReleaseAuditPolicy@12 proc near	; CODE XREF: PAGE:007E9EB9p
					; PAGE:007E9EE6p
		test	ecx, ecx
		jz	short locret_9DCFE4
		test	dl, dl
		jz	short loc_9DCFDC
		cmp	dl, 1
		jnz	short locret_9DCFE4

loc_9DCFDC:				; CODE XREF: SepReleaseAuditPolicy(x,x,x)+6j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_9DCFE4:				; CODE XREF: SepReleaseAuditPolicy(x,x,x)+2j
					; SepReleaseAuditPolicy(x,x,x)+Bj
		retn	4
_SepReleaseAuditPolicy@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepGetDefaultsSubjectContext(x, x, x, x, x,	x, x, x)
_SepGetDefaultsSubjectContext@32 proc near ; CODE XREF:	RtlpSetSecurityObject+EE952p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, [ebx]
		mov	esi, [ebx+8]
		test	edi, edi
		jnz	short loc_9DCFFC
		mov	edi, esi

loc_9DCFFC:				; CODE XREF: SepGetDefaultsSubjectContext(x,x,x,x,x,x,x,x)+11j
		mov	ecx, [edi+90h]
		mov	eax, [edi+94h]
		mov	eax, [eax+ecx*8]
		mov	ecx, [edi+9Ch]
		mov	[edx], eax
		mov	eax, [ebp+arg_0]
		mov	edx, [edi+0A4h]
		mov	[eax], ecx
		mov	ecx, edi
		mov	eax, [ebp+arg_14]
		mov	[eax], edx
		mov	eax, [esi+94h]
		mov	edx, [esi+90h]
		mov	edx, [eax+edx*8]
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		mov	eax, [ebp+arg_8]
		mov	edx, [esi+9Ch]
		mov	[eax], edx
		call	_SepLocateTokenIntegrity@4 ; SepLocateTokenIntegrity(x)
		test	eax, eax
		jz	short loc_9DD056
		mov	ecx, [eax]
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		jmp	short loc_9DD060
; 

loc_9DD056:				; CODE XREF: SepGetDefaultsSubjectContext(x,x,x,x,x,x,x,x)+64j
		mov	ecx, [ebp+arg_C]
		mov	eax, _SepDefaultMandatorySid
		mov	[ecx], eax

loc_9DD060:				; CODE XREF: SepGetDefaultsSubjectContext(x,x,x,x,x,x,x,x)+6Dj
		mov	ecx, ebx
		call	_SepLocateTokenTrustLevel@4 ; SepLocateTokenTrustLevel(x)
		mov	ecx, [ebp+arg_10]
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx], eax
		pop	ebp
		retn	18h
_SepGetDefaultsSubjectContext@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepIdAssignableAsGroup(x, x)
_SepIdAssignableAsGroup@8 proc near	; CODE XREF: PAGE:007E987Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	eax, edx
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], esi
		test	eax, eax
		jnz	short loc_9DD091
		xor	al, al
		jmp	short loc_9DD0EF
; 

loc_9DD091:				; CODE XREF: SepIdAssignableAsGroup(x,x)+18j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [esi+30h]
		call	ExAcquireResourceSharedLite
		mov	eax, [esi+7Ch]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_9DD0D9
		push	edi
		mov	edi, [esi+94h]
		mov	esi, ebx

loc_9DD0BC:				; CODE XREF: SepIdAssignableAsGroup(x,x)+60j
		push	dword ptr [edi]
		push	[ebp+var_8]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		mov	bl, al
		test	bl, bl
		jnz	short loc_9DD0D5
		inc	esi
		add	edi, 8
		cmp	esi, [ebp+var_C]
		jb	short loc_9DD0BC

loc_9DD0D5:				; CODE XREF: SepIdAssignableAsGroup(x,x)+57j
		mov	esi, [ebp+var_10]
		pop	edi

loc_9DD0D9:				; CODE XREF: SepIdAssignableAsGroup(x,x)+3Ej
		mov	ecx, [esi+30h]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	al, bl

loc_9DD0EF:				; CODE XREF: SepIdAssignableAsGroup(x,x)+1Cj
		pop	esi
		pop	ebx
		leave
		retn
_SepIdAssignableAsGroup@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAccessCheckByTypeResultListAndAuditAlarm(x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x)
_NtAccessCheckByTypeResultListAndAuditAlarm@64 proc near ; DATA	XREF: .text:00581298o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1
		push	[ebp+arg_3C]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_38]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_34]
		push	[ebp+arg_2C]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	0
		call	_SepAccessCheckAndAuditAlarm@68	; SepAccessCheckAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	40h
_NtAccessCheckByTypeResultListAndAuditAlarm@64 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAccessCheckByTypeResultListAndAuditAlarmByHandle(x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x, x)
_NtAccessCheckByTypeResultListAndAuditAlarmByHandle@68 proc near
					; DATA XREF: .text:00581294o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h
arg_40		= dword	ptr  48h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	1
		push	[ebp+arg_40]
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+arg_8]
		push	[ebp+arg_3C]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_38]
		push	[ebp+arg_30]
		push	[ebp+arg_2C]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	eax
		call	_SepAccessCheckAndAuditAlarm@68	; SepAccessCheckAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	44h
_NtAccessCheckByTypeResultListAndAuditAlarmByHandle@68 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtDeleteObjectAuditAlarm(x,	x, x)
_NtDeleteObjectAuditAlarm@12 proc near	; DATA XREF: .text:005810ACo

var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		push	24h
		push	offset dword_6A9408
		call	__SEH_prolog4
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		cmp	[ebp+arg_8], 0
		jnz	short loc_9DD1A6
		xor	eax, eax
		jmp	loc_9DD264
; 

loc_9DD1A6:				; CODE XREF: NtDeleteObjectAuditAlarm(x,x,x)+2Aj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, large fs:124h
		lea	edx, [ebp+var_34]
		push	edx
		push	eax
		push	ecx
		call	SeCaptureSubjectContextEx
		cmp	[ebp+var_2C], edi
		jnz	short loc_9DD1D4
		mov	esi, 0C000007Ch
		push	esi
		jmp	loc_9DD25D
; 

loc_9DD1D4:				; CODE XREF: NtDeleteObjectAuditAlarm(x,x,x)+54j
		mov	dl, bl
		lea	ecx, [ebp+var_34]
		call	_SeCheckAuditPrivilege@8 ; SeCheckAuditPrivilege(x,x)
		test	al, al
		jnz	short loc_9DD1E9
		mov	esi, 0C0000061h
		jmp	short loc_9DD23B
; 

loc_9DD1E9:				; CODE XREF: NtDeleteObjectAuditAlarm(x,x,x)+6Dj
		mov	[ebp+ms_exc.disabled], edi
		lea	edx, [ebp+var_1C]
		mov	ecx, [ebp+arg_0]
		call	SepProbeAndCaptureString_U
		mov	esi, eax
		mov	[ebp+var_24], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9DD225
; 

loc_9DD205:				; DATA XREF: .text:006A941Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9DD213:				; DATA XREF: .text:006A9420o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_20]
		mov	[ebp+var_24], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	edi, edi

loc_9DD225:				; CODE XREF: NtDeleteObjectAuditAlarm(x,x,x)+90j
		test	esi, esi
		js	short loc_9DD23B
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_34]
		push	eax
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_1C]
		call	_SepAdtDeleteObjectAuditAlarm@24 ; SepAdtDeleteObjectAuditAlarm(x,x,x,x,x,x)

loc_9DD23B:				; CODE XREF: NtDeleteObjectAuditAlarm(x,x,x)+74j
					; NtDeleteObjectAuditAlarm(x,x,x)+B4j
		lea	eax, [ebp+var_34]
		push	eax
		call	SeReleaseSubjectContext
		cmp	[ebp+var_1C], 0
		jz	short loc_9DD253
		push	edi
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DD253:				; CODE XREF: NtDeleteObjectAuditAlarm(x,x,x)+D5j
		mov	eax, 0C000009Ah
		cmp	esi, eax
		jnz	short loc_9DD262
		push	eax

loc_9DD25D:				; CODE XREF: NtDeleteObjectAuditAlarm(x,x,x)+5Cj
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_9DD262:				; CODE XREF: NtDeleteObjectAuditAlarm(x,x,x)+E7j
		mov	eax, esi

loc_9DD264:				; CODE XREF: NtDeleteObjectAuditAlarm(x,x,x)+2Ej
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_NtDeleteObjectAuditAlarm@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2444. SeCloseObjectAuditAlarm

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeCloseObjectAuditAlarm(x, x, x)
		public _SeCloseObjectAuditAlarm@12
_SeCloseObjectAuditAlarm@12 proc near	; CODE XREF: PAGE:00810234p

var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		xor	eax, eax
		cmp	[ebp+arg_8], 0
		push	edi
		lea	edi, [esp+18h+var_10]
		stosd
		stosd
		stosd
		stosd
		jz	short loc_9DD2D5
		lea	eax, [esp+18h+var_10]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	edx, [ebp+arg_4]
		lea	eax, [esp+18h+var_10]
		push	1
		push	[ebp+arg_0]
		mov	ecx, offset _SeSubsystemName
		push	eax
		call	_SepAdtCloseObjectAuditAlarm@20	; SepAdtCloseObjectAuditAlarm(x,x,x,x,x)
		lea	eax, [esp+18h+var_10]
		push	eax
		call	SeReleaseSubjectContext

loc_9DD2D5:				; CODE XREF: SeCloseObjectAuditAlarm(x,x,x)+1Aj
		pop	edi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_SeCloseObjectAuditAlarm@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2445. SeCloseObjectAuditAlarmForNonObObject

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeCloseObjectAuditAlarmForNonObObject(x, x,	x, x)
		public _SeCloseObjectAuditAlarmForNonObObject@16
_SeCloseObjectAuditAlarmForNonObObject@16 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 0
		jz	short loc_9DD2FE
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1
		push	0
		push	[ebp+arg_8]
		call	_SepAdtCloseObjectAuditAlarm@20	; SepAdtCloseObjectAuditAlarm(x,x,x,x,x)

loc_9DD2FE:				; CODE XREF: SeCloseObjectAuditAlarmForNonObObject(x,x,x,x)+9j
		pop	ebp
		retn	10h
_SeCloseObjectAuditAlarmForNonObObject@16 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2460. SeDeleteObjectAuditAlarm

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeDeleteObjectAuditAlarm(x,	x)
		public _SeDeleteObjectAuditAlarm@8
_SeDeleteObjectAuditAlarm@8 proc near	; CODE XREF: NtDeleteKey+18213Ap
					; NtMakeTemporaryObject+119499p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_SeDeleteObjectAuditAlarmWithTransaction@12 ; SeDeleteObjectAuditAlarmWithTransaction(x,x,x)
		pop	ebp
		retn	8
_SeDeleteObjectAuditAlarm@8 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2461. SeDeleteObjectAuditAlarmWithTransaction

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeDeleteObjectAuditAlarmWithTransaction(x, x, x)
		public _SeDeleteObjectAuditAlarmWithTransaction@12
_SeDeleteObjectAuditAlarmWithTransaction@12 proc near ;	CODE XREF: NtDeleteKey+182176p
					; SeDeleteObjectAuditAlarm(x,x)+Dp

var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		xor	eax, eax
		push	edi
		lea	edi, [esp+18h+var_10]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+18h+var_10]
		push	eax
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		mov	eax, large fs:124h
		push	eax
		call	SeCaptureSubjectContextEx
		mov	edx, [ebp+arg_4]
		lea	eax, [esp+18h+var_10]
		push	1
		push	[ebp+arg_8]
		mov	ecx, offset _SeSubsystemName
		push	[ebp+arg_0]
		push	eax
		call	_SepAdtDeleteObjectAuditAlarm@24 ; SepAdtDeleteObjectAuditAlarm(x,x,x,x,x,x)
		lea	eax, [esp+18h+var_10]
		push	eax
		call	SeReleaseSubjectContext
		pop	edi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_SeDeleteObjectAuditAlarmWithTransaction@12 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2463. SeExamineSacl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeExamineSacl(x, x,	x, x, x, x, x)
		public _SeExamineSacl@28
_SeExamineSacl@28 proc near		; CODE XREF: SeObjectReferenceAuditAlarm+14A9B6p
					; NtOpenObjectAuditAlarm+AB940p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= byte ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, [ebp+arg_14]
		xor	ecx, ecx
		or	[ebp+var_8], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[eax], cl
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_4], ecx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edi
		mov	[eax], cl
		test	esi, esi
		jz	loc_9DD643
		movzx	eax, word ptr [esi+4]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_9DD643
		test	[ebp+arg_C], 2000000h
		mov	bl, cl
		jz	short loc_9DD3DB
		cmp	[ebp+arg_10], cl
		setz	bl
		dec	bl
		and	bl, 0C0h
		add	bl, 80h

loc_9DD3DB:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+46j
		mov	eax, [ebp+arg_8]
		mov	ecx, ds:_SeAnonymousLogonSid
		mov	eax, [eax+94h]
		mov	edx, [eax]
		mov	ax, [edx]
		cmp	ax, [ecx]
		jnz	short loc_9DD421
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9DD421
		mov	eax, _SeWorldSid
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_4], eax

loc_9DD421:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+6Dj
					; SeExamineSacl(x,x,x,x,x,x,x)+87j
		xor	ecx, ecx
		add	esi, 8
		mov	[ebp+arg_18], ecx
		cmp	[ebp+var_1C], ecx
		jbe	loc_9DD643

loc_9DD432:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+2A5j
		mov	eax, [ebp+arg_14]
		cmp	byte ptr [eax],	0
		jnz	loc_9DD630
		mov	bh, [esi+1]
		test	bh, 8
		jnz	loc_9DD61D
		mov	al, [esi]
		cmp	al, 2
		jnz	loc_9DD4E5
		mov	ecx, [ebp+arg_8]
		lea	eax, [esi+8]
		push	0
		push	0
		push	0
		push	1
		push	eax
		xor	edx, edx
		call	_SepSidInToken@28 ; SepSidInToken(x,x,x,x,x,x,x)
		test	al, al
		jnz	short loc_9DD4A2
		cmp	[ebp+var_4], 0
		jz	loc_9DD61A
		mov	edx, _SeWorldSid
		lea	ecx, [esi+8]
		mov	ax, [edx]
		cmp	ax, [ecx]
		jnz	loc_9DD61A
		push	[ebp+var_4]	; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9DD61A

loc_9DD4A2:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+E7j
		mov	eax, [ebp+arg_C]
		test	[esi+4], eax
		jz	short loc_9DD4CF

loc_9DD4AA:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+285j
		mov	al, [ebp+arg_10]
		test	bh, 40h
		jz	short loc_9DD4BA
		test	al, al
		jnz	loc_9DD614

loc_9DD4BA:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+12Bj
		test	bh, bh
		jns	loc_9DD61A
		test	al, al
		jnz	loc_9DD61A
		jmp	loc_9DD614
; 

loc_9DD4CF:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+123j
		mov	ecx, [ebp+arg_18]
		test	bl, bh
		jz	loc_9DD61D
		mov	eax, [ebp+arg_14]
		mov	byte ptr [eax],	1
		jmp	loc_9DD61D
; 

loc_9DD4E5:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+C9j
		cmp	al, 0Dh
		jnz	loc_9DD61D
		cmp	[ebp+arg_4], 0
		lea	edx, [esi+8]
		movzx	eax, byte ptr [edx+1]
		lea	eax, ds:8[eax*4]
		mov	[ebp+arg_0], eax
		mov	eax, [esi+4]
		mov	[ebp+var_24], eax
		jz	short loc_9DD522
		test	edi, edi
		jnz	short loc_9DD522
		mov	ecx, [ebp+arg_4]
		lea	edx, [ebp+var_C]
		call	AuthzBasepInitializeResourceClaimsFromSacl
		mov	edi, [ebp+var_C]
		lea	edx, [esi+8]
		mov	ecx, [ebp+arg_18]

loc_9DD522:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+183j
					; SeExamineSacl(x,x,x,x,x,x,x)+187j
		movzx	eax, word ptr [esi+2]
		sub	eax, [ebp+arg_0]
		mov	[ebp+var_20], eax
		add	eax, 0FFFFFFF8h
		test	eax, eax
		jle	loc_9DD61D
		mov	eax, [ebp+arg_8]
		mov	eax, [eax+27Ch]
		test	eax, eax
		jz	short loc_9DD54F
		mov	ecx, [eax+12Ch]
		mov	[ebp+var_10], ecx
		jmp	short loc_9DD553
; 

loc_9DD54F:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+1BDj
		and	[ebp+var_10], 0

loc_9DD553:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+1C8j
		test	eax, eax
		jz	short loc_9DD562
		mov	ecx, [eax+124h]
		mov	[ebp+var_14], ecx
		jmp	short loc_9DD566
; 

loc_9DD562:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+1D0j
		and	[ebp+var_14], 0

loc_9DD566:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+1DBj
		test	eax, eax
		jz	short loc_9DD575
		mov	ecx, [eax+128h]
		mov	[ebp+var_18], ecx
		jmp	short loc_9DD579
; 

loc_9DD575:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+1E3j
		and	[ebp+var_18], 0

loc_9DD579:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+1EEj
		test	eax, eax
		jz	short loc_9DD585
		mov	ecx, [eax+120h]
		jmp	short loc_9DD587
; 

loc_9DD585:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+1F6j
		xor	ecx, ecx

loc_9DD587:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+1FEj
		lea	eax, [ebp+var_8]
		push	eax
		mov	eax, [ebp+var_20]
		push	0
		push	1
		add	eax, 0FFFFFFF8h
		push	eax
		mov	eax, [ebp+arg_0]
		add	eax, edx
		push	eax
		push	[ebp+var_10]
		mov	eax, [ebp+arg_8]
		push	[ebp+var_14]
		push	[ebp+var_18]
		mov	edx, [eax+1DCh]
		push	ecx
		push	edi
		mov	ecx, eax
		call	AuthzBasepEvaluateAceCondition
		cmp	[ebp+var_8], 1
		jz	short loc_9DD5C3
		cmp	[ebp+var_8], 0FFFFFFFFh
		jnz	short loc_9DD61A

loc_9DD5C3:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+236j
		mov	ecx, [ebp+arg_8]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	1
		lea	eax, [esi+8]
		xor	edx, edx
		push	eax
		call	_SepSidInToken@28 ; SepSidInToken(x,x,x,x,x,x,x)
		test	al, al
		jnz	short loc_9DD604
		cmp	[ebp+var_4], 0
		jz	short loc_9DD61A
		mov	ecx, _SeWorldSid
		lea	edx, [esi+8]
		mov	ax, [ecx]
		cmp	ax, [edx]
		jnz	short loc_9DD61A
		push	[ebp+var_4]	; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9DD61A

loc_9DD604:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+255j
		mov	eax, [ebp+arg_C]
		test	[ebp+var_24], eax
		jnz	loc_9DD4AA
		test	bl, bh
		jz	short loc_9DD61A

loc_9DD614:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+12Fj
					; SeExamineSacl(x,x,x,x,x,x,x)+145j
		mov	eax, [ebp+arg_14]
		mov	byte ptr [eax],	1

loc_9DD61A:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+EDj
					; SeExamineSacl(x,x,x,x,x,x,x)+102j ...
		mov	ecx, [ebp+arg_18]

loc_9DD61D:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+BFj
					; SeExamineSacl(x,x,x,x,x,x,x)+14Fj ...
		movzx	eax, word ptr [esi+2]
		inc	ecx
		add	esi, eax
		mov	[ebp+arg_18], ecx
		cmp	ecx, [ebp+var_1C]
		jb	loc_9DD432

loc_9DD630:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+B3j
		test	edi, edi
		jz	short loc_9DD643
		mov	ecx, edi
		call	AuthzBasepFreeSecurityAttributesList
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DD643:				; CODE XREF: SeExamineSacl(x,x,x,x,x,x,x)+28j
					; SeExamineSacl(x,x,x,x,x,x,x)+37j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_SeExamineSacl@28 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2481. SeOpenObjectForDeleteAuditAlarm

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeOpenObjectForDeleteAuditAlarm(x, x, x, x,	x, x, x, x, x)
		public _SeOpenObjectForDeleteAuditAlarm@36
_SeOpenObjectForDeleteAuditAlarm@36 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte ptr [ebp+arg_1C], 0
		jz	short loc_9DD67C
		push	[ebp+arg_20]
		push	0
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_SeOpenObjectForDeleteAuditAlarmWithTransaction@40 ; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)

loc_9DD67C:				; CODE XREF: SeOpenObjectForDeleteAuditAlarm(x,x,x,x,x,x,x,x,x)+9j
		pop	ebp
		retn	24h
_SeOpenObjectForDeleteAuditAlarm@36 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2482. SeOpenObjectForDeleteAuditAlarmWithTransaction

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeOpenObjectForDeleteAuditAlarmWithTransaction(x, x, x, x, x, x, x,	x, x, x)
		public _SeOpenObjectForDeleteAuditAlarmWithTransaction@40
_SeOpenObjectForDeleteAuditAlarmWithTransaction@40 proc	near
					; CODE XREF: SeOpenObjectForDeleteAuditAlarm(x,x,x,x,x,x,x,x,x)+28p

var_2A		= dword	ptr -2Ah
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_1C		= byte ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		xor	ecx, ecx
		mov	[esp+2Ch+var_1C], 3E7h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_10]
		mov	eax, ecx
		mov	bl, cl
		mov	bh, cl
		push	edi
		mov	edi, ecx
		mov	byte ptr [esp+38h+var_2A], bl
		mov	byte ptr [esp+38h+var_2A+1], bh
		mov	[esp+38h+var_20], ecx
		mov	[esp+38h+var_10], eax
		mov	[esp+38h+var_2A+2], ecx
		mov	[esp+38h+var_18], edi
		mov	[esp+38h+var_C], ecx
		cmp	[ebp+arg_1C], al
		jz	loc_9DD9E3
		mov	eax, [esi+30h]
		lea	edx, [esi+1Ch]
		mov	[esp+38h+var_24], eax
		mov	eax, [edx]
		mov	[esp+38h+var_14], eax
		test	eax, eax
		jnz	short loc_9DD6E8
		mov	eax, [esi+24h]
		mov	[esp+38h+var_14], eax

loc_9DD6E8:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+5Aj
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_9DD6FA
		xor	eax, eax
		cmp	[ecx], ax
		jz	short loc_9DD6FA
		mov	edi, ecx
		jmp	short loc_9DD729
; 

loc_9DD6FA:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+68j
					; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+6Fj
		cmp	[ebp+arg_4], edi
		jz	short loc_9DD72D
		mov	ecx, [ebp+arg_4]
		lea	edx, [esp+38h+var_10]
		call	_SepQueryTypeString@8 ;	SepQueryTypeString(x,x)
		mov	edx, eax
		mov	[esp+38h+var_C], edx
		test	edx, edx
		js	loc_9DD9B4
		mov	eax, [esp+38h+var_10]
		lea	edx, [esi+1Ch]
		mov	ecx, [ebp+arg_0]
		test	eax, eax
		jz	short loc_9DD72D
		mov	edi, eax

loc_9DD729:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+73j
		mov	[esp+38h+var_18], edi

loc_9DD72D:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+78j
					; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+A0j
		cmp	[ebp+arg_C], 0
		jz	loc_9DD814
		cmp	byte ptr [ebp+arg_18], 0
		lea	eax, [esp+38h+var_1C]
		push	eax
		push	1
		push	edx
		setz	al
		mov	edx, ecx
		mov	ecx, [ebp+arg_4]
		movzx	eax, al
		push	eax
		push	[ebp+arg_18]
		call	SepAdtAuditObjectAccessWithContext
		test	al, al
		jz	loc_9DD814
		mov	eax, [esi+14h]
		or	eax, [esi+10h]
		mov	ebx, [ebp+arg_C]
		mov	[esp+38h+var_8], eax
		movzx	eax, word ptr [ebx+2]
		mov	ecx, eax
		mov	[esp+38h+var_4], ecx
		test	al, 10h
		jnz	short loc_9DD782
		xor	eax, eax
		mov	edx, eax
		mov	ecx, eax
		jmp	short loc_9DD7A6
; 

loc_9DD782:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+F3j
		test	cx, cx
		mov	ecx, [ebx+0Ch]
		mov	edx, ecx
		jns	short loc_9DD795
		neg	edx
		lea	eax, [ecx+ebx]
		sbb	edx, edx
		and	edx, eax

loc_9DD795:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+105j
		cmp	word ptr [esp+38h+var_4], 0
		jge	short loc_9DD7A6
		lea	eax, [ecx+ebx]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_9DD7A6:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+FBj
					; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+116j
		lea	eax, [esp+38h+var_2A+1]
		push	eax
		lea	eax, [esp+3Ch+var_2A]
		push	eax
		push	[ebp+arg_18]
		push	[esp+44h+var_8]
		push	[esp+48h+var_14]
		push	edx
		push	ecx
		call	_SeExamineSacl@28 ; SeExamineSacl(x,x,x,x,x,x,x)
		movzx	eax, word ptr [ebx+2]
		mov	ecx, eax
		test	al, 10h
		jnz	short loc_9DD7D2
		xor	eax, eax
		mov	edx, eax
		jmp	short loc_9DD7E3
; 

loc_9DD7D2:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+145j
		mov	edx, [ebx+0Ch]
		test	cx, cx
		jns	short loc_9DD7E3
		lea	eax, [edx+ebx]
		neg	edx
		sbb	edx, edx
		and	edx, eax

loc_9DD7E3:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+14Bj
					; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+153j
		mov	ecx, [ebp+arg_0]
		lea	eax, [esp+38h+var_2A+1]
		push	eax
		lea	eax, [esp+3Ch+var_2A]
		push	eax
		push	[ebp+arg_18]
		push	[esp+44h+var_8]
		push	[esp+48h+var_14]
		call	_SeExamineGlobalSacl@28	; SeExamineGlobalSacl(x,x,x,x,x,x,x)
		mov	bl, byte ptr [esp+38h+var_2A]
		test	bl, bl
		jz	short loc_9DD810
		mov	eax, [ebp+arg_24]
		mov	byte ptr [eax],	1
		jmp	short loc_9DD851
; 

loc_9DD810:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+181j
		mov	bh, byte ptr [esp+38h+var_2A+1]

loc_9DD814:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+ACj
					; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+D4j
		cmp	byte ptr [ebp+arg_18], 0
		jz	short loc_9DD845
		mov	ecx, [esp+38h+var_24]
		mov	ecx, [ecx]
		test	ecx, ecx
		jz	short loc_9DD845
		xor	edx, edx
		cmp	[ecx], edx
		jbe	short loc_9DD845
		lea	eax, [esp+38h+var_1C]
		push	eax
		lea	eax, [esi+1Ch]
		push	eax
		push	edx
		mov	dl, byte ptr [ebp+arg_18]
		call	SepAdtAuditPrivilegeUseWithContext
		test	al, al
		jz	short loc_9DD845
		mov	bl, 1
		mov	[esi+60h], bl

loc_9DD845:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+193j
					; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+19Dj ...
		test	bl, bl
		jnz	short loc_9DD851
		test	bh, bh
		jz	loc_9DD9D5

loc_9DD851:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+189j
					; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+1C2j
		mov	eax, [ebp+arg_8]
		xor	ebx, ebx
		mov	byte ptr [esi+9], 1
		test	eax, eax
		jz	short loc_9DD86B
		cmp	[eax], bx
		jz	short loc_9DD86B
		mov	ecx, eax

loc_9DD865:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+20Fj
		mov	[esp+38h+var_2A+2], ecx
		jmp	short loc_9DD89A
; 

loc_9DD86B:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+1D7j
					; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+1DCj
		cmp	[ebp+arg_4], 0
		jz	short loc_9DD896
		mov	ecx, [ebp+arg_4]
		lea	edx, [esp+38h+var_20]
		call	SepQueryNameString
		mov	[esp+38h+var_C], eax
		test	eax, eax
		js	loc_9DD9B4
		cmp	[esp+38h+var_20], 0
		jz	short loc_9DD896
		mov	ecx, [esp+38h+var_20]
		jmp	short loc_9DD865
; 

loc_9DD896:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+1EAj
					; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+209j
		mov	ecx, [esp+38h+var_2A+2]

loc_9DD89A:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+1E4j
		cmp	byte ptr [ebp+arg_18], 0
		jnz	short loc_9DD8E4
		mov	eax, [ebp+arg_20]
		test	eax, eax
		jnz	short loc_9DD8AE
		mov	eax, [esp+38h+var_24]
		add	eax, 1Ch

loc_9DD8AE:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+220j
		push	esi
		push	eax
		mov	eax, [esp+40h+var_24]
		mov	edx, offset _SeSubsystemName
		push	ebx
		push	ebx
		push	ebx
		push	2
		push	dword ptr [esi+28h]
		push	ebx
		push	dword ptr [eax]
		push	dword ptr [esi+14h]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+24h]
		push	dword ptr [esi+1Ch]
		push	[ebp+arg_C]
		push	ecx
		mov	ecx, [esp+74h+var_1C]
		push	edi
		push	ebx
		call	_SepAdtOpenObjectAuditAlarm@76 ; SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_9DD9B4
; 

loc_9DD8E4:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+219j
		mov	ebx, [ebp+arg_20]
		mov	eax, [esp+38h+var_24]
		push	ebx
		push	dword ptr [esi+28h]
		push	ecx
		push	dword ptr [eax]
		push	dword ptr [esi+14h]
		push	ecx
		push	dword ptr [esi+24h]
		push	dword ptr [esi+1Ch]
		push	ecx
		push	edi
		push	ecx
		mov	ecx, [esp+64h+var_1C]
		call	_SepAdtOpenObjectForDeleteAuditAlarm@52	; SepAdtOpenObjectForDeleteAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x)
		cmp	[esp+38h+var_2A+2], 0
		jz	short loc_9DD955
		mov	eax, [esi+68h]
		test	eax, eax
		jz	short loc_9DD923
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[esi+64h], eax

loc_9DD923:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+28Fj
		mov	eax, [esp+38h+var_2A+2]
		push	20206553h
		movzx	eax, word ptr [eax+2]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+68h], eax
		test	eax, eax
		jz	short loc_9DD955
		mov	ecx, [esp+38h+var_2A+2]
		push	ecx
		mov	ax, [ecx+2]
		mov	[esi+66h], ax
		lea	eax, [esi+64h]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)

loc_9DD955:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+288j
					; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+2B8j
		test	edi, edi
		jz	short loc_9DD9A3
		mov	eax, [esi+70h]
		lea	edi, [esi+6Ch]
		test	eax, eax
		jz	short loc_9DD974
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[edi], ax
		mov	[esi+6Eh], ax

loc_9DD974:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+2DCj
		mov	eax, [esp+38h+var_18]
		push	20206553h
		movzx	eax, word ptr [eax+2]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+70h], eax
		test	eax, eax
		jz	short loc_9DD9A3
		mov	ecx, [esp+38h+var_18]
		push	ecx
		push	edi
		mov	ax, [ecx+2]
		mov	[esi+6Eh], ax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)

loc_9DD9A3:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+2D2j
					; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+309j
		test	ebx, ebx
		jz	short loc_9DD9B4
		mov	edi, [esp+38h+var_24]
		mov	esi, ebx
		lea	edi, [edi+1Ch]
		movsd
		movsd
		movsd
		movsd

loc_9DD9B4:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+8Ej
					; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+1FEj ...
		xor	ebx, ebx
		cmp	[esp+38h+var_20], ebx
		jz	short loc_9DD9C6
		push	ebx
		push	[esp+3Ch+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DD9C6:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+335j
		mov	eax, [esp+38h+var_10]
		test	eax, eax
		jz	short loc_9DD9D5
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DD9D5:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+1C6j
					; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+347j
		mov	eax, [esp+38h+var_C]
		test	eax, eax
		jns	short loc_9DD9E3
		push	eax
		call	_SepAuditFailed@4 ; SepAuditFailed(x)

loc_9DD9E3:				; CODE XREF: SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+42j
					; SeOpenObjectForDeleteAuditAlarmWithTransaction(x,x,x,x,x,x,x,x,x,x)+356j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	28h
_SeOpenObjectForDeleteAuditAlarmWithTransaction@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAuditTypeList(x,	x, x, x, x, x)
_SepAuditTypeList@24 proc near		; CODE XREF: SepSetAuditInfoForObjectType(x,x,x,x,x,x,x,x,x,x,x)+9Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	edx, [ebx+eax*4]
		lea	esi, [eax+1]
		shr	edx, 1Fh
		mov	[ebp+var_8], edi
		cmp	esi, edi
		jnb	short loc_9DDA64
		imul	eax, 2Ch
		add	ecx, 2
		mov	[ebp+arg_4], eax
		imul	eax, esi, 2Ch
		add	ecx, eax

loc_9DDA1F:				; CODE XREF: SepAuditTypeList(x,x,x,x,x,x)+76j
		mov	ebx, [ebp+var_4]
		mov	edi, [ebp+arg_4]
		mov	ax, [ecx-2]
		cmp	ax, [edi+ebx]
		mov	edi, [ebp+var_8]
		mov	ebx, [ebp+arg_0]
		jbe	short loc_9DDA64
		mov	eax, [ebx+esi*4]
		test	dl, dl
		jnz	short loc_9DDA4C
		test	eax, eax
		jns	short loc_9DDA5C
		mov	eax, [ebp+arg_C]
		mov	byte ptr [eax],	1
		or	word ptr [ecx],	2
		jmp	short loc_9DDA5C
; 

loc_9DDA4C:				; CODE XREF: SepAuditTypeList(x,x,x,x,x,x)+4Ej
		test	eax, eax
		js	short loc_9DDA5C
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	1
		xor	eax, eax
		inc	eax
		or	[ecx], ax

loc_9DDA5C:				; CODE XREF: SepAuditTypeList(x,x,x,x,x,x)+52j
					; SepAuditTypeList(x,x,x,x,x,x)+5Ej ...
		inc	esi
		add	ecx, 2Ch
		cmp	esi, edi
		jb	short loc_9DDA1F

loc_9DDA64:				; CODE XREF: SepAuditTypeList(x,x,x,x,x,x)+23j
					; SepAuditTypeList(x,x,x,x,x,x)+47j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_SepAuditTypeList@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepExamineSaclEx(x,	x, x, x, x, x, x, x, x,	x, x, x, x)
_SepExamineSaclEx@52 proc near		; CODE XREF: SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+98p
					; SepAccessCheckAndAuditAlarmWithAdminlessChecks+14ADE1p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		or	[ebp+var_24], 0FFFFFFFFh
		push	ebx
		push	esi
		mov	[ebp+var_30], edx
		mov	esi, ecx
		mov	ecx, [ebp+arg_24]
		xor	edx, edx
		mov	[ebp+var_14], edx
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], edi
		mov	edi, [ebp+arg_28]
		mov	[ecx], dl
		mov	[edi], dl
		test	esi, esi
		jz	loc_9DDF25
		movzx	eax, word ptr [esi+4]
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_9DDF25
		test	[ebp+arg_4], 2000000h
		mov	bl, dl
		jz	short loc_9DDAC5
		mov	eax, [ebp+arg_14]
		cmp	[eax], edx
		setl	bl
		dec	bl
		and	bl, 0C0h
		add	bl, 80h

loc_9DDAC5:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+48j
		mov	eax, [ebp+arg_0]
		mov	ecx, ds:_SeAnonymousLogonSid
		mov	eax, [eax+94h]
		mov	edx, [eax]
		mov	ax, [edx]
		cmp	ax, [ecx]
		jnz	short loc_9DDB0B
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:8[eax*4]
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9DDB0B
		mov	eax, _SeWorldSid
		movzx	eax, byte ptr [eax+1]
		lea	edx, ds:8[eax*4]
		mov	[ebp+var_14], edx

loc_9DDB0B:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+71j
					; SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+8Bj
		xor	edx, edx
		add	esi, 8
		mov	[ebp+var_C], edx
		mov	[ebp+var_4], esi
		cmp	[ebp+var_2C], edx
		jbe	loc_9DDF25
		jmp	short loc_9DDB24
; 

loc_9DDB21:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+167j
		mov	edi, [ebp+arg_28]

loc_9DDB24:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+B4j
		mov	eax, [ebp+arg_24]
		cmp	byte ptr [eax],	0
		jnz	short loc_9DDB31
		cmp	byte ptr [edi],	0
		jz	short loc_9DDB3B

loc_9DDB31:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+BFj
		cmp	[ebp+arg_C], 1
		jbe	loc_9DDF0F

loc_9DDB3B:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+C4j
		mov	bh, [esi+1]
		test	bh, 8
		jnz	short loc_9DDBBF
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_28], eax
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_4]
		mov	al, [eax]
		cmp	al, 2
		jnz	loc_9DDC17
		mov	esi, [ebp+var_4]
		mov	edx, [ebp+arg_1C]
		add	esi, 8
		mov	ecx, [ebp+arg_0]
		push	0
		push	[ebp+arg_20]
		push	0
		push	1
		push	esi
		call	_SepSidInToken@28 ; SepSidInToken(x,x,x,x,x,x,x)
		test	al, al
		jnz	short loc_9DDB9C
		mov	edx, [ebp+var_14]
		test	edx, edx
		jz	short loc_9DDBB9
		mov	ecx, _SeWorldSid
		mov	ax, [ecx]
		cmp	ax, [esi]
		jnz	short loc_9DDBB9
		push	edx		; size_t
		push	esi		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9DDBB9

loc_9DDB9C:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+10Bj
		cmp	[ebp+arg_C], 0
		mov	edi, [ebp+var_4]
		mov	edi, [edi+4]
		jnz	short loc_9DDBE6
		mov	eax, [ebp+arg_14]
		cmp	dword ptr [eax], 0
		jl	short loc_9DDBDD
		test	bh, 40h
		jnz	loc_9DDE68

loc_9DDBB9:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+112j
					; SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+120j ...
		mov	edx, [ebp+var_C]

loc_9DDBBC:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+313j
		mov	esi, [ebp+var_4]

loc_9DDBBF:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+D6j
					; SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+2CDj
		mov	edi, [ebp+var_8]

loc_9DDBC2:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+49Fj
		movzx	eax, word ptr [esi+2]
		inc	edx
		add	esi, eax
		mov	[ebp+var_C], edx
		mov	[ebp+var_4], esi
		cmp	edx, [ebp+var_2C]
		jb	loc_9DDB21
		jmp	loc_9DDF12
; 

loc_9DDBDD:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+143j
		test	bh, bh
		jns	short loc_9DDBB9
		jmp	loc_9DDE8E
; 

loc_9DDBE6:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+13Bj
		xor	esi, esi
		cmp	[ebp+arg_C], esi
		jbe	short loc_9DDBB9

loc_9DDBED:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+1A8j
		push	[ebp+arg_28]
		mov	edx, edi
		mov	cl, bh
		push	[ebp+arg_24]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	esi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_SepSetAuditInfoForObjectType@44 ; SepSetAuditInfoForObjectType(x,x,x,x,x,x,x,x,x,x,x)
		inc	esi
		cmp	esi, [ebp+arg_C]
		jb	short loc_9DDBED
		jmp	short loc_9DDBB9
; 

loc_9DDC17:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+E8j
		cmp	al, 7
		jnz	loc_9DDD33
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+arg_1C]
		push	0
		push	[ebp+arg_20]
		mov	ecx, [eax+4]
		mov	[ebp+var_10], ecx
		mov	ecx, [eax+8]
		mov	esi, ecx
		and	esi, 1
		add	eax, 0Ch
		mov	edi, esi
		neg	edi
		push	0
		sbb	edi, edi
		and	ecx, 2
		shl	ecx, 3
		or	ecx, 0Ch
		shl	esi, 4
		add	ecx, [ebp+var_4]
		add	esi, ecx
		mov	ecx, [ebp+arg_0]
		push	1
		push	esi
		and	edi, eax
		jnz	short loc_9DDCD2
		call	_SepSidInToken@28 ; SepSidInToken(x,x,x,x,x,x,x)
		test	al, al
		jnz	short loc_9DDC97
		mov	edx, [ebp+var_14]
		test	edx, edx
		jz	loc_9DDBB9
		mov	ecx, _SeWorldSid
		mov	ax, [ecx]
		cmp	ax, [esi]
		jnz	loc_9DDBB9
		push	edx		; size_t
		push	esi		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9DDBB9

loc_9DDC97:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+1FAj
		xor	esi, esi
		cmp	[ebp+arg_C], esi
		jbe	loc_9DDBB9
		mov	edi, [ebp+var_10]

loc_9DDCA5:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+260j
		push	[ebp+arg_28]
		mov	edx, edi
		mov	cl, bh
		push	[ebp+arg_24]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	esi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_SepSetAuditInfoForObjectType@44 ; SepSetAuditInfoForObjectType(x,x,x,x,x,x,x,x,x,x,x)
		inc	esi
		cmp	esi, [ebp+arg_C]
		jb	short loc_9DDCA5
		jmp	loc_9DDBB9
; 

loc_9DDCD2:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+1F1j
		call	_SepSidInToken@28 ; SepSidInToken(x,x,x,x,x,x,x)
		test	al, al
		jnz	short loc_9DDD0B
		mov	edx, [ebp+var_14]
		test	edx, edx
		jz	loc_9DDBB9
		mov	ecx, _SeWorldSid
		mov	ax, [ecx]
		cmp	ax, [esi]
		jnz	loc_9DDBB9
		push	edx		; size_t
		push	esi		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9DDBB9

loc_9DDD0B:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+26Ej
		mov	edx, [ebp+arg_8]
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+arg_C]
		mov	ecx, edi
		call	_AuthzBasepObjectInTypeList@16 ; AuthzBasepObjectInTypeList(x,x,x,x)
		mov	edi, [ebp+var_10]
		test	al, al
		jnz	short loc_9DDD2B
		or	eax, 0FFFFFFFFh
		jmp	loc_9DDED3
; 

loc_9DDD2B:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+2B6j
		mov	eax, [ebp+var_18]
		jmp	loc_9DDED3
; 

loc_9DDD33:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+1AEj
		mov	esi, [ebp+var_4]
		cmp	al, 0Dh
		jnz	loc_9DDBBF
		mov	edi, [ebp+var_4]
		add	esi, 8
		movzx	eax, byte ptr [esi+1]
		mov	ecx, [edi+4]
		mov	[ebp+var_10], ecx
		mov	ecx, [ebp+var_30]
		lea	eax, ds:8[eax*4]
		mov	[ebp+var_18], eax
		test	ecx, ecx
		jz	short loc_9DDD73
		cmp	[ebp+var_8], 0
		jnz	short loc_9DDD73
		lea	edx, [ebp+var_8]
		call	AuthzBasepInitializeResourceClaimsFromSacl
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+var_C]

loc_9DDD73:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+2F2j
					; SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+2F8j
		movzx	edi, word ptr [edi+2]
		sub	edi, eax
		lea	eax, [edi-8]
		test	eax, eax
		jle	loc_9DDBBC
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+27Ch]
		test	eax, eax
		jz	short loc_9DDD9C
		mov	ecx, [eax+12Ch]
		mov	[ebp+var_1C], ecx
		jmp	short loc_9DDDA0
; 

loc_9DDD9C:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+324j
		and	[ebp+var_1C], 0

loc_9DDDA0:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+32Fj
		test	eax, eax
		jz	short loc_9DDDAF
		mov	ecx, [eax+124h]
		mov	[ebp+var_20], ecx
		jmp	short loc_9DDDB3
; 

loc_9DDDAF:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+337j
		and	[ebp+var_20], 0

loc_9DDDB3:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+342j
		test	eax, eax
		jz	short loc_9DDDBF
		mov	edx, [eax+128h]
		jmp	short loc_9DDDC1
; 

loc_9DDDBF:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+34Aj
		xor	edx, edx

loc_9DDDC1:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+352j
		test	eax, eax
		jz	short loc_9DDDCD
		mov	ecx, [eax+120h]
		jmp	short loc_9DDDCF
; 

loc_9DDDCD:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+358j
		xor	ecx, ecx

loc_9DDDCF:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+360j
		lea	eax, [ebp+var_24]
		push	eax
		push	0
		push	1
		lea	eax, [edi-8]
		mov	edi, [ebp+var_8]
		push	eax
		mov	eax, [ebp+var_18]
		add	eax, esi
		push	eax
		push	[ebp+var_1C]
		mov	eax, [ebp+arg_0]
		push	[ebp+var_20]
		push	edx
		mov	edx, [eax+1DCh]
		push	ecx
		push	edi
		mov	ecx, eax
		call	AuthzBasepEvaluateAceCondition
		cmp	[ebp+var_24], 1
		jnz	loc_9DDF04
		mov	edx, [ebp+arg_1C]
		xor	edi, edi
		mov	ecx, [ebp+arg_0]
		push	edi
		push	[ebp+arg_20]
		push	edi
		push	1
		push	esi
		call	_SepSidInToken@28 ; SepSidInToken(x,x,x,x,x,x,x)
		test	al, al
		jnz	short loc_9DDE50
		mov	edx, [ebp+var_14]
		test	edx, edx
		jz	loc_9DDBB9
		mov	ecx, _SeWorldSid
		mov	ax, [ecx]
		cmp	ax, [esi]
		jnz	loc_9DDBB9
		push	edx		; size_t
		push	esi		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9DDBB9

loc_9DDE50:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+3B3j
		cmp	[ebp+arg_C], edi
		jnz	short loc_9DDEA1
		mov	eax, [ebp+arg_14]
		cmp	[eax], edi
		jl	short loc_9DDE83
		test	bh, 40h
		jz	loc_9DDBB9
		mov	edi, [ebp+var_10]

loc_9DDE68:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+148j
		mov	eax, [ebp+arg_18]
		test	[eax], edi
		jnz	short loc_9DDE78
		cmp	bl, 40h
		jnz	loc_9DDBB9

loc_9DDE78:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+402j
		mov	eax, [ebp+arg_24]

loc_9DDE7B:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+434j
		mov	byte ptr [eax],	1
		jmp	loc_9DDBB9
; 

loc_9DDE83:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+3EFj
		test	bh, bh
		jns	loc_9DDBB9
		mov	edi, [ebp+var_10]

loc_9DDE8E:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+176j
		test	[ebp+arg_4], edi
		jnz	short loc_9DDE9C
		cmp	bl, 80h
		jnz	loc_9DDBB9

loc_9DDE9C:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+426j
		mov	eax, [ebp+arg_28]
		jmp	short loc_9DDE7B
; 

loc_9DDEA1:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+3E8j
		mov	esi, edi
		mov	edi, [ebp+var_10]
		jbe	short loc_9DDED0

loc_9DDEA8:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+463j
		push	[ebp+arg_28]
		mov	edx, edi
		mov	cl, bh
		push	[ebp+arg_24]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	esi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_SepSetAuditInfoForObjectType@44 ; SepSetAuditInfoForObjectType(x,x,x,x,x,x,x,x,x,x,x)
		inc	esi
		cmp	esi, [ebp+arg_C]
		jb	short loc_9DDEA8

loc_9DDED0:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+43Bj
		mov	eax, [ebp+var_28]

loc_9DDED3:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+2BBj
					; SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+2C3j
		cmp	eax, 0FFFFFFFFh
		jz	loc_9DDBB9
		push	[ebp+arg_28]
		mov	ecx, [ebp+arg_24]
		mov	edx, edi
		push	ecx
		push	[ebp+arg_18]
		mov	cl, bh
		push	[ebp+arg_14]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	_SepSetAuditInfoForObjectType@44 ; SepSetAuditInfoForObjectType(x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_9DDBB9
; 

loc_9DDF04:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+396j
		mov	esi, [ebp+var_4]
		mov	edx, [ebp+var_C]
		jmp	loc_9DDBC2
; 

loc_9DDF0F:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+CAj
		mov	edi, [ebp+var_8]

loc_9DDF12:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+16Dj
		test	edi, edi
		jz	short loc_9DDF25
		mov	ecx, edi
		call	AuthzBasepFreeSecurityAttributesList
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DDF25:				; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+2Aj
					; SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+39j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	2Ch
_SepExamineSaclEx@52 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSetAuditInfoForObjectType(x, x, x, x, x,	x, x, x, x, x, x)
_SepSetAuditInfoForObjectType@44 proc near
					; CODE XREF: SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+19Fp
					; SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+257p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_10]
		xor	bl, bl
		test	[ebp+arg_0], 2000000h
		push	edi
		mov	edi, [ebp+arg_14]
		jz	short loc_9DDF54
		cmp	dword ptr [edi+esi*4], 0
		setl	bl
		dec	bl
		and	bl, 0C0h
		sub	bl, 80h

loc_9DDF54:				; CODE XREF: SepSetAuditInfoForObjectType(x,x,x,x,x,x,x,x,x,x,x)+17j
		mov	eax, [ebp+arg_18]
		mov	eax, [eax+esi*4]
		or	eax, [ebp+arg_0]
		test	eax, edx
		jz	short loc_9DDFCD
		test	cl, 40h
		jz	short loc_9DDF95
		cmp	dword ptr [edi+esi*4], 0
		jl	short loc_9DDF95
		mov	ebx, [ebp+arg_1C]
		xor	edx, edx
		inc	edx
		cmp	[ebp+arg_8], 0
		mov	[ebx], dl
		jz	loc_9DE009
		mov	ecx, [ebp+arg_4]
		imul	eax, esi, 2Ch
		or	[eax+ecx+2], dx
		cmp	[ebp+arg_C], 0
		jz	short loc_9DE009
		push	[ebp+arg_20]
		push	ebx
		jmp	short loc_9DDFC1
; 

loc_9DDF95:				; CODE XREF: SepSetAuditInfoForObjectType(x,x,x,x,x,x,x,x,x,x,x)+38j
					; SepSetAuditInfoForObjectType(x,x,x,x,x,x,x,x,x,x,x)+3Ej
		test	cl, cl
		jns	short loc_9DE009
		cmp	dword ptr [edi+esi*4], 0
		jge	short loc_9DE009
		cmp	[ebp+arg_8], 0
		mov	edx, [ebp+arg_20]
		mov	byte ptr [edx],	1
		jz	short loc_9DE009
		mov	ecx, [ebp+arg_4]
		imul	eax, esi, 2Ch
		or	word ptr [eax+ecx+2], 2
		cmp	[ebp+arg_C], 0
		jz	short loc_9DE009
		push	edx
		push	[ebp+arg_1C]

loc_9DDFC1:				; CODE XREF: SepSetAuditInfoForObjectType(x,x,x,x,x,x,x,x,x,x,x)+67j
		mov	edx, [ebp+arg_8]
		push	esi
		push	edi
		call	_SepAuditTypeList@24 ; SepAuditTypeList(x,x,x,x,x,x)
		jmp	short loc_9DE009
; 

loc_9DDFCD:				; CODE XREF: SepSetAuditInfoForObjectType(x,x,x,x,x,x,x,x,x,x,x)+33j
		test	bl, cl
		jz	short loc_9DE009
		cmp	bl, 80h
		jnz	short loc_9DDFF0
		cmp	[ebp+arg_8], 0
		mov	eax, [ebp+arg_20]
		mov	byte ptr [eax],	1
		jz	short loc_9DE009
		mov	eax, [ebp+arg_4]
		imul	ecx, esi, 2Ch
		or	word ptr [ecx+eax+2], 2
		jmp	short loc_9DE009
; 

loc_9DDFF0:				; CODE XREF: SepSetAuditInfoForObjectType(x,x,x,x,x,x,x,x,x,x,x)+A8j
		mov	eax, [ebp+arg_1C]
		xor	edx, edx
		inc	edx
		cmp	[ebp+arg_8], 0
		mov	[eax], dl
		jz	short loc_9DE009
		mov	eax, [ebp+arg_4]
		imul	ecx, esi, 2Ch
		or	[ecx+eax+2], dx

loc_9DE009:				; CODE XREF: SepSetAuditInfoForObjectType(x,x,x,x,x,x,x,x,x,x,x)+4Cj
					; SepSetAuditInfoForObjectType(x,x,x,x,x,x,x,x,x,x,x)+61j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	24h
_SepSetAuditInfoForObjectType@44 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2471. SeImpersonateClient

;  S U B	R O U T	I N E 


; __stdcall SeImpersonateClient(x, x)
		public _SeImpersonateClient@8
_SeImpersonateClient@8 proc near
		jmp	_SeImpersonateClientEx@8 ; SeImpersonateClientEx(x,x)
_SeImpersonateClient@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepUpdateSiloInClientSecurity(x, x)
_SepUpdateSiloInClientSecurity@8 proc near ; CODE XREF:	SeCreateClientSecurityEx+FD0DEp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], edx
		mov	esi, [edi+0Ch]
		mov	[ebp+var_18], esi
		mov	eax, [esi+18h]
		mov	[ebp+var_C], eax
		mov	eax, [esi+1Ch]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		call	_SeQueryServerSiloToken@8 ; SeQueryServerSiloToken(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9DE0A2
		push	[ebp+var_4]
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jz	short loc_9DE0A2
		cmp	[ebp+var_C], 3E7h
		jnz	short loc_9DE0A2
		cmp	[ebp+var_10], 0
		jnz	short loc_9DE0A2
		mov	edx, [edi+4]
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_14]
		mov	ecx, esi
		call	_SepCopyClientTokenAndSetSilo@16 ; SepCopyClientTokenAndSetSilo(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9DE0A2
		mov	esi, [ebp+var_8]
		mov	ecx, [ebp+var_18]
		mov	[edi+0Ch], esi
		mov	byte ptr [edi+10h], 0
		call	ObfDereferenceObject
		lea	edx, [edi+14h]
		mov	ecx, esi
		call	_SeGetTokenControlInformation@8	; SeGetTokenControlInformation(x,x)

loc_9DE0A2:				; CODE XREF: SepUpdateSiloInClientSecurity(x,x)+38j
					; SepUpdateSiloInClientSecurity(x,x)+44j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_SepUpdateSiloInClientSecurity@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateToken(x, x,	x, x, x, x, x, x, x, x,	x, x, x)
_NtCreateToken@52 proc near		; DATA XREF: .text:005810F0o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_30]
		xor	eax, eax
		push	[ebp+arg_2C]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	NtCreateTokenEx
		pop	ebp
		retn	34h
_NtCreateToken@52 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeDuplicateTokenAndAddOriginClaim(x, x, x, x)
_SeDuplicateTokenAndAddOriginClaim@16 proc near	; CODE XREF: PAGE:007A2EE9p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+24h+var_18], 18h
		push	edi
		lea	eax, [esp+28h+var_1C]
		mov	[esp+28h+var_1C], esi
		push	eax		; int
		push	esi		; int
		push	esi		; int
		push	esi		; size_t
		push	1		; int
		mov	ebx, edx
		mov	[esp+3Ch+var_14], esi
		push	esi		; char
		lea	edx, [esp+40h+var_18]
		mov	[esp+40h+var_C], esi
		mov	[esp+40h+var_10], esi
		mov	[esp+40h+var_8], esi
		mov	[esp+40h+var_4], esi
		call	_SepDuplicateToken@32 ;	SepDuplicateToken(x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9DE136
		mov	[esp+28h+var_1C], esi
		jmp	short loc_9DE153
; 

loc_9DE136:				; CODE XREF: SeDuplicateTokenAndAddOriginClaim(x,x,x,x)+4Aj
		push	[esp+28h+var_1C]
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_SepAddTokenOriginClaim@12 ; SepAddTokenOriginClaim(x,x,x)
		mov	esi, [esp+28h+var_1C]
		mov	edi, eax
		test	edi, edi
		js	short loc_9DE157
		mov	eax, [ebp+arg_4]
		mov	[eax], esi

loc_9DE153:				; CODE XREF: SeDuplicateTokenAndAddOriginClaim(x,x,x,x)+50j
		test	edi, edi
		jns	short loc_9DE162

loc_9DE157:				; CODE XREF: SeDuplicateTokenAndAddOriginClaim(x,x,x,x)+68j
		test	esi, esi
		jz	short loc_9DE162
		mov	ecx, esi
		call	ObfDereferenceObject

loc_9DE162:				; CODE XREF: SeDuplicateTokenAndAddOriginClaim(x,x,x,x)+71j
					; SeDuplicateTokenAndAddOriginClaim(x,x,x,x)+75j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_SeDuplicateTokenAndAddOriginClaim@16 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2468. SeGetLinkedToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeGetLinkedToken(x,	x, x)
		public _SeGetLinkedToken@12
_SeGetLinkedToken@12 proc near

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	6
		xor	eax, eax
		lea	edi, [esp+2Ch+var_18]
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_8]
		xor	esi, esi
		mov	edi, [ebp+arg_0]
		mov	[esp+28h+var_1C], esi
		and	[eax], esi
		cmp	edi, 3
		jz	short loc_9DE1AD
		cmp	edi, 2
		jz	short loc_9DE1AD
		mov	eax, 0C000000Dh
		jmp	loc_9DE24A
; 

loc_9DE1AD:				; CODE XREF: SeGetLinkedToken(x,x,x)+2Aj
					; SeGetLinkedToken(x,x,x)+2Fj
		mov	ebx, [ebp+arg_4]
		mov	eax, [ebx+0C0h]
		test	byte ptr [eax+18h], 4
		jz	short loc_9DE1D1
		cmp	edi, 2
		jnz	short loc_9DE1D1
		call	SeIsSModeAdminlessEnabled
		test	al, al
		jz	short loc_9DE1D1
		mov	edi, 0C000005Fh
		jmp	short loc_9DE248
; 

loc_9DE1D1:				; CODE XREF: SeGetLinkedToken(x,x,x)+48j
					; SeGetLinkedToken(x,x,x)+4Dj ...
		mov	edx, [ebx+0C0h]
		mov	eax, [edx+18h]
		test	al, 4
		jz	short loc_9DE1E3
		cmp	edi, 2
		jz	short loc_9DE1EC

loc_9DE1E3:				; CODE XREF: SeGetLinkedToken(x,x,x)+6Aj
		test	al, 2
		jz	short loc_9DE209
		cmp	edi, 3
		jnz	short loc_9DE209

loc_9DE1EC:				; CODE XREF: SeGetLinkedToken(x,x,x)+6Fj
		lea	eax, [esp+28h+var_1C]
		lea	ecx, [edx+0Ch]
		mov	edx, [edx+58h]
		push	eax
		call	_SepReferenceLogonSessionSilo@12 ; SepReferenceLogonSessionSilo(x,x,x)
		mov	esi, [esp+28h+var_1C]
		mov	edi, eax
		test	edi, edi
		js	short loc_9DE23D
		mov	ebx, [esi+20h]

loc_9DE209:				; CODE XREF: SeGetLinkedToken(x,x,x)+73j
					; SeGetLinkedToken(x,x,x)+78j
		push	[ebp+arg_8]	; int
		xor	eax, eax
		mov	[esp+2Ch+var_18], 18h
		push	eax		; int
		push	eax		; int
		push	eax		; size_t
		push	1		; int
		push	eax		; char
		lea	edx, [esp+40h+var_18]
		mov	[esp+40h+var_14], eax
		mov	ecx, ebx
		mov	[esp+40h+var_C], eax
		mov	[esp+40h+var_10], eax
		mov	[esp+40h+var_8], eax
		mov	[esp+40h+var_4], eax
		call	_SepDuplicateToken@32 ;	SepDuplicateToken(x,x,x,x,x,x,x,x)
		mov	edi, eax

loc_9DE23D:				; CODE XREF: SeGetLinkedToken(x,x,x)+92j
		test	esi, esi
		jz	short loc_9DE248
		mov	ecx, esi
		call	_SepDeReferenceLogonSessionDirect@4 ; SepDeReferenceLogonSessionDirect(x)

loc_9DE248:				; CODE XREF: SeGetLinkedToken(x,x,x)+5Dj
					; SeGetLinkedToken(x,x,x)+CDj
		mov	eax, edi

loc_9DE24A:				; CODE XREF: SeGetLinkedToken(x,x,x)+36j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_SeGetLinkedToken@12 endp

; 
		align 8
; Exported entry 2469. SeGetLogonSessionToken

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeGetLogonSessionToken(x, x, x)
		public _SeGetLogonSessionToken@12
_SeGetLogonSessionToken@12 proc	near

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ds:_SeTokenObjectType
		lea	ecx, [esp+24h+var_24]
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		push	ebx
		push	ecx
		push	[ebp+arg_4]
		mov	[esp+3Ch+var_1C], ebx
		push	eax
		push	8
		push	[ebp+arg_0]
		mov	[esp+48h+var_20], ebx
		mov	[esp+48h+var_24], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_9DE326
		mov	edi, [esp+30h+var_24]
		mov	eax, [edi+0C0h]
		cmp	[eax+20h], ebx
		jnz	short loc_9DE2AA
		mov	esi, 0C000007Ch
		jmp	short loc_9DE31D
; 

loc_9DE2AA:				; CODE XREF: SeGetLogonSessionToken(x,x,x)+49j
		mov	[esp+30h+var_18], 18h
		mov	[esp+30h+var_14], ebx
		mov	[esp+30h+var_C], 200h
		cmp	byte ptr [ebp+arg_4], bl
		jz	short loc_9DE2C7
		mov	[esp+30h+var_C], ebx

loc_9DE2C7:				; CODE XREF: SeGetLogonSessionToken(x,x,x)+69j
		lea	eax, [esp+30h+var_20]
		mov	[esp+30h+var_10], ebx
		push	eax		; int
		push	ebx		; int
		push	ebx		; int
		mov	[esp+3Ch+var_8], ebx
		lea	edx, [esp+3Ch+var_18]
		mov	[esp+3Ch+var_4], ebx
		mov	ecx, [edi+0C0h]
		push	ebx		; size_t
		push	1		; int
		push	ebx		; char
		mov	ecx, [ecx+20h]
		call	_SepDuplicateToken@32 ;	SepDuplicateToken(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9DE31D
		mov	ecx, [esp+30h+var_20]
		lea	eax, [esp+30h+var_1C]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	0F01FFh
		xor	edx, edx
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9DE31D
		mov	edx, [ebp+arg_8]
		mov	eax, [esp+30h+var_1C]
		mov	[edx], eax

loc_9DE31D:				; CODE XREF: SeGetLogonSessionToken(x,x,x)+50j
					; SeGetLogonSessionToken(x,x,x)+9Cj ...
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, esi

loc_9DE326:				; CODE XREF: SeGetLogonSessionToken(x,x,x)+36j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_SeGetLogonSessionToken@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeGetTokenControlInformation(x, x)
_SeGetTokenControlInformation@8	proc near ; CODE XREF: SepCreateClientSecurityEx+FD02Dp
					; AlpcpQueryTokenModifiedIdMessage(x,x,x,x,x)+68p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+18h]
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebx+8], eax
		lea	edi, [ebx+18h]
		mov	eax, [ecx+1Ch]
		mov	[ebx+0Ch], eax
		mov	eax, [ecx+10h]
		mov	[ebx], eax
		mov	eax, [ecx+14h]
		mov	[ebx+4], eax
		mov	eax, large fs:124h
		movsd
		movsd
		movsd
		movsd
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [ecx+30h]
		call	ExAcquireResourceSharedLite
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+34h]
		mov	[ebx+10h], eax
		mov	eax, [ecx+38h]
		mov	[ebx+14h], eax
		mov	ecx, [ecx+30h]
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SeGetTokenControlInformation@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAddTokenOriginClaim(x, x, x)
_SepAddTokenOriginClaim@12 proc	near	; CODE XREF: SeSubProcessToken+14A9A8p
					; SeDuplicateTokenAndAddOriginClaim(x,x,x,x)+5Bp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= word ptr -44h
var_42		= word ptr -42h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	ebx
		push	esi
		push	edi
		push	1Ch
		xor	ebx, ebx
		mov	[ebp+var_24], offset ??_C@_1BO@HJJIOICK@?$AAP?$AAO?$AAL?$AAI?$AAC?$AAY?$AAA?$AAP?$AAP?$AAI?$AAD?$AA?3?$AA?1?$AA?1@NNGAKEGL@
		mov	[ebp+var_18], ebx
		mov	esi, ebx
		mov	[ebp+var_8], ebx
		mov	edi, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_10], 1
		pop	eax
		mov	word ptr [ebp+var_28], ax
		push	1Eh
		pop	eax
		mov	word ptr [ebp+var_28+2], ax
		mov	eax, ebx
		mov	[ebp+var_14], eax
		cmp	edx, 210h
		jnz	short loc_9DE3EB
		mov	edi, ecx
		cmp	[ecx], ebx
		jz	short loc_9DE45F
		mov	[ebp+var_1C], 20Ch
		jmp	short loc_9DE3EE
; 

loc_9DE3EB:				; CODE XREF: SepAddTokenOriginClaim(x,x,x)+44j
		mov	[ebp+var_1C], edx

loc_9DE3EE:				; CODE XREF: SepAddTokenOriginClaim(x,x,x)+53j
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	short loc_9DE45F
		mov	esi, [ebp+var_10]
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		mov	word ptr [ebp+var_34+2], ax
		lea	eax, [ebp+var_4C]
		push	(offset	??_C@_13IMODFHAA@?$AA?9@NNGAKEGL@+4)
		push	eax
		mov	word ptr [ebp+var_34], si
		mov	[ebp+var_30], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_C]
		push	10h
		pop	eax
		mov	[ebp+var_44], ax
		lea	eax, [ebp+var_20]
		mov	ecx, [ecx+1DCh]
		mov	[ebp+var_38], eax
		xor	eax, eax
		mov	[ebp+var_42], ax
		lea	eax, [ebp+var_34]
		push	eax
		mov	[ebp+var_3C], esi
		mov	[ebp+var_40], 41h
		mov	[ebp+var_C], 4
		call	AuthzBasepSetSecurityAttributesToken
		mov	esi, eax
		test	esi, esi
		js	loc_9DE582
		mov	eax, [ebp+var_14]

loc_9DE45F:				; CODE XREF: SepAddTokenOriginClaim(x,x,x)+4Aj
					; SepAddTokenOriginClaim(x,x,x)+5Dj
		test	edi, edi
		jz	loc_9DE585
		mov	edi, [edi+20Ch]
		lea	eax, [ebp+var_18]
		push	ebx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_9DE57A
; 

loc_9DE47C:				; CODE XREF: SepAddTokenOriginClaim(x,x,x)+1E6j
		lea	eax, [ebp+var_8]
		push	eax
		push	1Ch
		lea	ebx, [edi-10h]
		mov	dx, [ebx]
		pop	ecx
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9DE582
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_8]
		push	eax
		push	2
		pop	edx
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9DE582
		mov	esi, [ebp+var_8]
		xor	eax, eax
		mov	word ptr [ebp+var_18], ax
		cmp	si, word ptr [ebp+var_18+2]
		jbe	short loc_9DE4FA
		cmp	[ebp+var_14], eax
		jz	short loc_9DE4D6
		push	434F6553h
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_14], 0

loc_9DE4D6:				; CODE XREF: SepAddTokenOriginClaim(x,x,x)+12Dj
		push	434F6553h
		movzx	eax, si
		push	eax
		push	0
		push	102h
		mov	word ptr [ebp+var_18+2], si
		call	_ExAllocatePool2@16 ; ExAllocatePool2(x,x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_9DE59D

loc_9DE4FA:				; CODE XREF: SepAddTokenOriginClaim(x,x,x)+128j
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		push	ebx
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9DE582
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_2C], eax
		lea	edx, [ebp+var_C]
		xor	eax, eax
		mov	word ptr [ebp+var_34], cx
		mov	word ptr [ebp+var_34+2], ax
		mov	eax, [ebp+var_18]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_48], eax
		push	3
		pop	eax
		mov	[ebp+var_44], ax
		lea	eax, [ebx+8]
		mov	[ebp+var_38], eax
		xor	eax, eax
		mov	[ebp+var_42], ax
		lea	eax, [ebp+var_34]
		push	eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_40], 41h
		mov	ecx, [eax+1DCh]
		mov	[ebp+var_C], 4
		call	AuthzBasepSetSecurityAttributesToken
		mov	esi, eax
		test	esi, esi
		js	short loc_9DE582
		mov	edi, [edi]

loc_9DE57A:				; CODE XREF: SepAddTokenOriginClaim(x,x,x)+E1j
		test	edi, edi
		jnz	loc_9DE47C

loc_9DE582:				; CODE XREF: SepAddTokenOriginClaim(x,x,x)+C0j
					; SepAddTokenOriginClaim(x,x,x)+FCj ...
		mov	eax, [ebp+var_14]

loc_9DE585:				; CODE XREF: SepAddTokenOriginClaim(x,x,x)+CBj
					; SepAddTokenOriginClaim(x,x,x)+20Cj
		test	eax, eax
		jz	short loc_9DE594
		push	434F6553h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DE594:				; CODE XREF: SepAddTokenOriginClaim(x,x,x)+1F1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_9DE59D:				; CODE XREF: SepAddTokenOriginClaim(x,x,x)+15Ej
		mov	esi, 0C000009Ah
		jmp	short loc_9DE585
_SepAddTokenOriginClaim@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepCompareSidValuesBlocks(x, x)
_SepCompareSidValuesBlocks@8 proc near	; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+117p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ecx, edx
		jnz	short loc_9DE5B2
		mov	al, 1
		leave
		retn
; 

loc_9DE5B2:				; CODE XREF: SepCompareSidValuesBlocks(x,x)+8j
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_9DE60D
		test	edx, edx
		jz	short loc_9DE60D
		mov	esi, [ecx+8]
		cmp	esi, [edx+8]
		jnz	short loc_9DE60D
		and	[ebp+var_4], 0
		lea	edi, [ecx+0Ch]
		lea	ebx, [edx+0Ch]
		test	esi, esi
		jz	short loc_9DE609

loc_9DE5D3:				; CODE XREF: SepCompareSidValuesBlocks(x,x)+63j
		push	ebx
		push	edi
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_9DE60D
		movzx	eax, byte ptr [edi+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	edi, eax
		movzx	eax, byte ptr [ebx+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	ebx, eax
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, esi
		jb	short loc_9DE5D3

loc_9DE609:				; CODE XREF: SepCompareSidValuesBlocks(x,x)+2Dj
		mov	al, 1
		jmp	short loc_9DE60F
; 

loc_9DE60D:				; CODE XREF: SepCompareSidValuesBlocks(x,x)+13j
					; SepCompareSidValuesBlocks(x,x)+17j ...
		xor	al, al

loc_9DE60F:				; CODE XREF: SepCompareSidValuesBlocks(x,x)+67j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SepCompareSidValuesBlocks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SepCreateSidValuesBlock(void *,int,int,int)
_SepCreateSidValuesBlock@24 proc near	; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+5Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ecx
		mov	[ebp+var_4], edx
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_9DE632
		mov	eax, 0C000000Dh
		jmp	locret_9DE72D
; 

loc_9DE632:				; CODE XREF: SepCreateSidValuesBlock(x,x,x,x,x,x)+12j
		mov	edx, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ebx
		mov	[eax], esi
		mov	eax, [ebp+arg_C]
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	eax, ebx
		jnb	short loc_9DE664
		lfence	eax
		mov	eax, [edi+eax*8]
		lea	ecx, [ebx-1]
		mov	[ebp+var_8], ecx
		movzx	eax, byte ptr [eax+1]
		shl	eax, 2
		sub	edx, eax
		sub	edx, 8

loc_9DE664:				; CODE XREF: SepCreateSidValuesBlock(x,x,x,x,x,x)+36j
		mov	eax, [ebp+var_4]
		push	76536553h
		mov	eax, [eax]
		movzx	eax, byte ptr [eax+1]
		lea	ecx, ds:0Bh[eax*4]
		and	ecx, 0FFFFFFFCh
		lea	eax, [edx+3]
		and	eax, 0FFFFFFFCh
		add	ecx, 0Fh
		add	eax, ecx
		and	eax, 0FFFFFFFCh
		push	eax
		push	1
		mov	[ebp+arg_0], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_C], edi
		test	edi, edi
		jnz	short loc_9DE6A8
		mov	eax, 0C000009Ah
		jmp	loc_9DE72A
; 

loc_9DE6A8:				; CODE XREF: SepCreateSidValuesBlock(x,x,x,x,x,x)+88j
		push	[ebp+arg_0]	; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[edi], eax
		lea	eax, [edi+0Ch]
		mov	[ebp+arg_0], eax
		lea	eax, [ebx+1]
		mov	dword ptr [edi+4], 1
		mov	[ebp+arg_8], eax
		test	eax, eax
		jz	short loc_9DE71C
		mov	ebx, [ebp+arg_C]
		mov	edi, [ebp+arg_0]

loc_9DE6D7:				; CODE XREF: SepCreateSidValuesBlock(x,x,x,x,x,x)+103j
		test	esi, esi
		jnz	short loc_9DE6E2
		mov	eax, [ebp+var_4]
		mov	eax, [eax]
		jmp	short loc_9DE6F0
; 

loc_9DE6E2:				; CODE XREF: SepCreateSidValuesBlock(x,x,x,x,x,x)+C5j
		lea	eax, [esi-1]
		cmp	eax, ebx
		jz	short loc_9DE713
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+esi*8-8]

loc_9DE6F0:				; CODE XREF: SepCreateSidValuesBlock(x,x,x,x,x,x)+CCj
		push	eax		; void *
		movzx	eax, byte ptr [eax+1]
		push	edi		; void *
		lea	eax, ds:8[eax*4]
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		movzx	eax, byte ptr [edi+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	edi, eax

loc_9DE713:				; CODE XREF: SepCreateSidValuesBlock(x,x,x,x,x,x)+D3j
		inc	esi
		cmp	esi, [ebp+arg_8]
		jb	short loc_9DE6D7
		mov	edi, [ebp+var_C]

loc_9DE71C:				; CODE XREF: SepCreateSidValuesBlock(x,x,x,x,x,x)+BBj
		mov	eax, [ebp+var_8]
		inc	eax
		mov	[edi+8], eax
		mov	eax, [ebp+var_10]
		mov	[eax], edi
		xor	eax, eax

loc_9DE72A:				; CODE XREF: SepCreateSidValuesBlock(x,x,x,x,x,x)+8Fj
		pop	edi
		pop	esi
		pop	ebx

locret_9DE72D:				; CODE XREF: SepCreateSidValuesBlock(x,x,x,x,x,x)+19j
		leave
		retn	10h
_SepCreateSidValuesBlock@24 endp


;  S U B	R O U T	I N E 


; __stdcall SepDeleteLogonSessionSidValues(x)
_SepDeleteLogonSessionSidValues@4 proc near ; CODE XREF: SepDeReferenceLogonSession+177p
					; SepDeleteLogonSessionTrack+A65D0p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+44h]
		test	ecx, ecx
		jz	short loc_9DE749
		push	esi
		xor	edx, edx
		call	_SepDereferenceSidValuesBlock@12 ; SepDereferenceSidValuesBlock(x,x,x)
		and	dword ptr [esi+44h], 0

loc_9DE749:				; CODE XREF: SepDeleteLogonSessionSidValues(x)+Aj
		pop	esi
		retn
_SepDeleteLogonSessionSidValues@4 endp


;  S U B	R O U T	I N E 


; __stdcall SepDeleteTokenUserAndGroups(x)
_SepDeleteTokenUserAndGroups@4 proc near ; CODE	XREF: SepTokenDeleteMethod+FE91Bp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	eax, [esi+288h]
		test	eax, eax
		jz	short loc_9DE78B
		mov	ecx, [esi+0B8h]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_9DE77E
		mov	eax, [esi+94h]
		mov	[eax+ecx*8], edi
		or	dword ptr [esi+0B8h], 0FFFFFFFFh
		mov	eax, [esi+288h]

loc_9DE77E:				; CODE XREF: SepDeleteTokenUserAndGroups(x)+1Bj
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+288h], edi

loc_9DE78B:				; CODE XREF: SepDeleteTokenUserAndGroups(x)+10j
		mov	ecx, [esi+28Ch]
		test	ecx, ecx
		jz	short loc_9DE7A3
		push	edi
		mov	edx, esi
		call	_SepDereferenceSidValuesBlock@12 ; SepDereferenceSidValuesBlock(x,x,x)
		mov	[esi+28Ch], edi

loc_9DE7A3:				; CODE XREF: SepDeleteTokenUserAndGroups(x)+48j
		mov	[esi+94h], edi
		mov	[esi+7Ch], edi
		pop	edi
		pop	esi
		retn
_SepDeleteTokenUserAndGroups@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepDereferenceSidValuesBlock(x, x, x)
_SepDereferenceSidValuesBlock@12 proc near ; CODE XREF:	SepDeleteLogonSessionSidValues(x)+Fp
					; SepDeleteTokenUserAndGroups(x)+4Dp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_9DE7E9
		or	eax, 0FFFFFFFFh
		lock xadd [esi+4], eax
		dec	eax
		test	eax, eax
		jg	short loc_9DE7E9
		jz	short loc_9DE7D1
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_9DE7E9
; 

loc_9DE7D1:				; CODE XREF: SepDereferenceSidValuesBlock(x,x,x)+19j
		push	[ebp+arg_0]
		push	edx
		push	0
		push	5
		mov	edx, esi
		pop	ecx
		call	_SepLogTokenSidManagement@20 ; SepLogTokenSidManagement(x,x,x,x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DE7E9:				; CODE XREF: SepDereferenceSidValuesBlock(x,x,x)+Aj
					; SepDereferenceSidValuesBlock(x,x,x)+17j ...
		pop	esi
		pop	ebp
		retn	4
_SepDereferenceSidValuesBlock@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepDuplicateTokenUserAndGroups(x, x)
_SepDuplicateTokenUserAndGroups@8 proc near
					; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+537p
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+57Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	esi, esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], esi
		mov	edx, esi
		mov	eax, [ebx+0B8h]
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9DE838
		mov	ecx, [ebx+94h]
		lea	edx, [ebp+var_4]
		mov	ecx, [ecx+eax*8]
		call	_SepDuplicateSid@8 ; SepDuplicateSid(x,x)
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		js	short loc_9DE8A7
		mov	eax, [ebp+var_4]
		mov	[edi+288h], eax

loc_9DE838:				; CODE XREF: SepDuplicateTokenUserAndGroups(x,x)+25j
		mov	ecx, [ebx+28Ch]
		xor	eax, eax
		inc	eax
		lock xadd [ecx+4], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_9DE851
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9DE851:				; CODE XREF: SepDuplicateTokenUserAndGroups(x,x)+5Cj
		mov	eax, [ebx+28Ch]
		mov	[edi+28Ch], eax
		mov	eax, [ebx+7Ch]
		mov	[edi+7Ch], eax
		test	eax, eax
		jz	short loc_9DE8A5
		mov	edx, [ebp+var_C]

loc_9DE86A:				; CODE XREF: SepDuplicateTokenUserAndGroups(x,x)+B2j
		mov	ecx, [edi+94h]
		cmp	esi, edx
		jz	short loc_9DE87F
		mov	eax, [ebx+94h]
		mov	eax, [eax+esi*8]
		jmp	short loc_9DE885
; 

loc_9DE87F:				; CODE XREF: SepDuplicateTokenUserAndGroups(x,x)+84j
		mov	eax, [edi+288h]

loc_9DE885:				; CODE XREF: SepDuplicateTokenUserAndGroups(x,x)+8Fj
		mov	[ecx+esi*8], eax
		mov	eax, [ebx+94h]
		mov	ecx, [edi+94h]
		mov	eax, [eax+esi*8+4]
		mov	[ecx+esi*8+4], eax
		inc	esi
		cmp	esi, [edi+7Ch]
		jb	short loc_9DE86A
		mov	edx, [ebp+var_8]

loc_9DE8A5:				; CODE XREF: SepDuplicateTokenUserAndGroups(x,x)+77j
		mov	eax, edx

loc_9DE8A7:				; CODE XREF: SepDuplicateTokenUserAndGroups(x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SepDuplicateTokenUserAndGroups@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SepSetTokenUserAndGroups(void *,int,int)
_SepSetTokenUserAndGroups@20 proc near	; CODE XREF: SepCreateTokenEx+D50FBp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], edx
		xor	ebx, ebx
		or	eax, 0FFFFFFFFh
		push	edi
		mov	edi, eax
		mov	[ebp+var_8], ebx
		mov	ecx, [esi+0B8h]
		cmp	ecx, eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_1], bl
		jz	short loc_9DE8FB
		lea	edi, [ecx-1]
		mov	ecx, [eax+edi*8]
		lea	edx, [ebp+var_C]
		call	_SepDuplicateSid@8 ; SepDuplicateSid(x,x)
		test	eax, eax
		js	loc_9DEAAA
		mov	eax, [ebp+var_C]
		mov	[esi+288h], eax
		mov	eax, [ebp+arg_4]

loc_9DE8FB:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+2Bj
		mov	edx, [ebp+var_10]
		lea	ecx, [ebp+var_8]
		push	edi		; int
		push	[ebp+arg_8]	; int
		push	eax		; int
		push	[ebp+arg_0]	; void *
		call	_SepCreateSidValuesBlock@24 ; SepCreateSidValuesBlock(x,x,x,x,x,x)
		mov	[ebp+arg_8], eax
		test	eax, eax
		js	loc_9DEAAA
		mov	eax, [esi+0C0h]
		cmp	[eax+44h], ebx
		jnz	loc_9DE9B8
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [esi+0C0h]
		xor	edx, edx
		add	ecx, 3Ch
		call	ExAcquirePushLockExclusiveEx
		mov	edi, [esi+0C0h]
		cmp	[edi+44h], ebx
		jnz	short loc_9DE97A
		mov	edx, [ebp+var_8]
		xor	eax, eax
		inc	eax
		lock xadd [edx+4], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_9DE967
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9DE967:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+B4j
		mov	eax, [esi+0C0h]
		mov	[ebp+var_1], 1
		mov	[eax+44h], edx
		mov	edi, [esi+0C0h]

loc_9DE97A:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+A3j
		add	edi, 3Ch
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9DE991
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9DE991:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+DCj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	cl, [ebp+var_1]
		mov	eax, [esi+0C0h]
		test	cl, cl
		jz	short loc_9DE9B8
		mov	edi, [ebp+var_8]
		mov	dl, bl
		jmp	short loc_9DE9D0
; 

loc_9DE9B8:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+76j
					; SepSetTokenUserAndGroups(x,x,x,x,x)+103j
		mov	edi, [ebp+var_8]
		mov	ecx, edi
		mov	edx, [eax+44h]
		mov	[ebp+var_C], eax
		call	_SepCompareSidValuesBlocks@8 ; SepCompareSidValuesBlocks(x,x)
		mov	cl, [ebp+var_1]
		mov	dl, al
		mov	eax, [ebp+var_C]

loc_9DE9D0:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+10Aj
		push	ebx
		push	esi
		test	cl, cl
		jz	short loc_9DE9DD
		push	dword ptr [eax+44h]
		xor	ecx, ecx
		jmp	short loc_9DEA29
; 

loc_9DE9DD:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+128j
		mov	eax, [eax+44h]
		push	eax
		test	dl, dl
		jz	short loc_9DEA26
		push	2
		mov	edx, edi
		pop	ecx
		call	_SepLogTokenSidManagement@20 ; SepLogTokenSidManagement(x,x,x,x,x)
		mov	eax, [esi+0C0h]
		xor	edx, edx
		inc	edx
		mov	eax, [eax+44h]
		lock xadd [eax+4], edx
		inc	edx
		cmp	edx, 1
		jg	short loc_9DEA0B
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9DEA0B:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+158j
		mov	eax, [esi+0C0h]
		mov	edx, esi
		push	ebx
		mov	ecx, edi
		mov	eax, [eax+44h]
		mov	[esi+28Ch], eax
		call	_SepDereferenceSidValuesBlock@12 ; SepDereferenceSidValuesBlock(x,x,x)
		jmp	short loc_9DEA36
; 

loc_9DEA26:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+137j
		xor	ecx, ecx
		inc	ecx

loc_9DEA29:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+12Fj
		mov	edx, edi
		call	_SepLogTokenSidManagement@20 ; SepLogTokenSidManagement(x,x,x,x,x)
		mov	[esi+28Ch], edi

loc_9DEA36:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+178j
		mov	ecx, [esi+28Ch]
		lea	eax, [esi+2A0h]
		mov	[esi+94h], eax
		add	ecx, 0Ch
		mov	eax, [ebp+arg_0]
		inc	eax
		mov	[esi+7Ch], eax
		test	eax, eax
		jz	short loc_9DEAA7

loc_9DEA56:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+1F9j
		mov	edi, ebx
		mov	edx, [esi+94h]
		cmp	ebx, [esi+0B8h]
		jz	short loc_9DEA7B
		mov	[edx+edi*8], ecx
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	ecx, eax
		jmp	short loc_9DEA84
; 

loc_9DEA7B:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+1B8j
		mov	eax, [esi+288h]
		mov	[edx+edi*8], eax

loc_9DEA84:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+1CDj
		mov	edx, [esi+94h]
		test	ebx, ebx
		jnz	short loc_9DEA96
		mov	eax, [ebp+var_10]
		mov	eax, [eax+4]
		jmp	short loc_9DEA9D
; 

loc_9DEA96:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+1E0j
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+edi*8-4]

loc_9DEA9D:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+1E8j
		inc	ebx
		mov	[edx+edi*8+4], eax
		cmp	ebx, [esi+7Ch]
		jb	short loc_9DEA56

loc_9DEAA7:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+1A8j
		mov	eax, [ebp+arg_8]

loc_9DEAAA:				; CODE XREF: SepSetTokenUserAndGroups(x,x,x,x,x)+3Dj
					; SepSetTokenUserAndGroups(x,x,x,x,x)+67j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_SepSetTokenUserAndGroups@20 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2497. SeRegisterLogonSessionTerminatedRoutine

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeRegisterLogonSessionTerminatedRoutine(x)
		public _SeRegisterLogonSessionTerminatedRoutine@4
_SeRegisterLogonSessionTerminatedRoutine@4 proc	near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_9DEACA
		mov	eax, 0C000000Dh
		jmp	short loc_9DEB28
; 

loc_9DEACA:				; CODE XREF: SeRegisterLogonSessionTerminatedRoutine(x)+Bj
		push	esi
		push	53466553h
		push	8
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9DEAE6
		mov	eax, 0C000009Ah
		jmp	short loc_9DEB27
; 

loc_9DEAE6:				; CODE XREF: SeRegisterLogonSessionTerminatedRoutine(x)+27j
		mov	eax, large fs:124h
		push	ebx
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _SepRmNotifyMutex
		mov	ecx, ebx
		call	ExAcquireFastMutexUnsafe
		mov	eax, ds:_SeFileSystemNotifyRoutinesHead
		mov	ecx, ebx
		mov	[esi], eax
		mov	[esi+4], edi
		mov	ds:_SeFileSystemNotifyRoutinesHead, esi
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax
		pop	ebx

loc_9DEB27:				; CODE XREF: SeRegisterLogonSessionTerminatedRoutine(x)+2Ej
		pop	esi

loc_9DEB28:				; CODE XREF: SeRegisterLogonSessionTerminatedRoutine(x)+12j
		pop	edi
		pop	ebp
		retn	4
_SeRegisterLogonSessionTerminatedRoutine@4 endp

; 
		align 10h
		db 2 dup(0CCh)
; Exported entry 2525. SeUnregisterLogonSessionTerminatedRoutine

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeUnregisterLogonSessionTerminatedRoutine(x)
		public _SeUnregisterLogonSessionTerminatedRoutine@4
_SeUnregisterLogonSessionTerminatedRoutine@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_9DEB46
		mov	eax, 0C000000Dh
		jmp	short loc_9DEBC0
; 

loc_9DEB46:				; CODE XREF: SeUnregisterLogonSessionTerminatedRoutine(x)+Bj
		mov	eax, large fs:124h
		push	ebx
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _SepRmNotifyMutex
		mov	ecx, ebx
		call	ExAcquireFastMutexUnsafe
		mov	esi, ds:_SeFileSystemNotifyRoutinesHead
		mov	ecx, offset _SeFileSystemNotifyRoutinesHead
		test	esi, esi
		jz	short loc_9DEBA4

loc_9DEB71:				; CODE XREF: SeUnregisterLogonSessionTerminatedRoutine(x)+4Aj
		cmp	[esi+4], edi
		jz	short loc_9DEB7E
		mov	ecx, esi
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_9DEB71

loc_9DEB7E:				; CODE XREF: SeUnregisterLogonSessionTerminatedRoutine(x)+42j
		test	esi, esi
		jz	short loc_9DEBA4
		mov	eax, [esi]
		mov	[ecx], eax
		mov	ecx, ebx
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	edi, edi
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9DEBBC
; 

loc_9DEBA4:				; CODE XREF: SeUnregisterLogonSessionTerminatedRoutine(x)+3Dj
					; SeUnregisterLogonSessionTerminatedRoutine(x)+4Ej
		mov	ecx, ebx
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, 0C0000225h

loc_9DEBBC:				; CODE XREF: SeUnregisterLogonSessionTerminatedRoutine(x)+70j
		pop	esi
		mov	eax, edi
		pop	ebx

loc_9DEBC0:				; CODE XREF: SeUnregisterLogonSessionTerminatedRoutine(x)+12j
		pop	edi
		pop	ebp
		retn	4
_SeUnregisterLogonSessionTerminatedRoutine@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2526. SeUnregisterLogonSessionTerminatedRoutineEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeUnregisterLogonSessionTerminatedRoutineEx(x, x)
		public _SeUnregisterLogonSessionTerminatedRoutineEx@8
_SeUnregisterLogonSessionTerminatedRoutineEx@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_9DEBE1
		mov	eax, 0C000000Dh
		jmp	loc_9DEC63
; 

loc_9DEBE1:				; CODE XREF: SeUnregisterLogonSessionTerminatedRoutineEx(x,x)+Bj
		mov	eax, large fs:124h
		push	ebx
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _SepRmNotifyMutex
		mov	ecx, ebx
		call	ExAcquireFastMutexUnsafe
		mov	esi, ds:_SeFileSystemNotifyRoutinesExHead
		mov	ecx, offset _SeFileSystemNotifyRoutinesExHead
		test	esi, esi
		jz	short loc_9DEC47
		mov	eax, [ebp+arg_4]

loc_9DEC0F:				; CODE XREF: SeUnregisterLogonSessionTerminatedRoutineEx(x,x)+55j
		cmp	[esi+4], edi
		jnz	short loc_9DEC19
		cmp	[esi+8], eax
		jz	short loc_9DEC21

loc_9DEC19:				; CODE XREF: SeUnregisterLogonSessionTerminatedRoutineEx(x,x)+48j
		mov	ecx, esi
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_9DEC0F

loc_9DEC21:				; CODE XREF: SeUnregisterLogonSessionTerminatedRoutineEx(x,x)+4Dj
		test	esi, esi
		jz	short loc_9DEC47
		mov	eax, [esi]
		mov	[ecx], eax
		mov	ecx, ebx
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	edi, edi
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9DEC5F
; 

loc_9DEC47:				; CODE XREF: SeUnregisterLogonSessionTerminatedRoutineEx(x,x)+40j
					; SeUnregisterLogonSessionTerminatedRoutineEx(x,x)+59j
		mov	ecx, ebx
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, 0C0000225h

loc_9DEC5F:				; CODE XREF: SeUnregisterLogonSessionTerminatedRoutineEx(x,x)+7Bj
		pop	esi
		mov	eax, edi
		pop	ebx

loc_9DEC63:				; CODE XREF: SeUnregisterLogonSessionTerminatedRoutineEx(x,x)+12j
		pop	edi
		pop	ebp
		retn	8
_SeUnregisterLogonSessionTerminatedRoutineEx@8 endp


;  S U B	R O U T	I N E 


; __stdcall SepAddTokenLogonSession(x)
_SepAddTokenLogonSession@4 proc	near	; CODE XREF: SepCreateTokenEx+D50DCp
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+4C3p ...
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		imul	esi, [edi+18h],	5B250A24h
		shr	esi, 1Ch
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, esi
		and	eax, 3
		imul	eax, 38h
		push	1
		lea	ebx, _SepRmDbLock[eax]
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	eax, ds:_SepLogonSessions
		mov	esi, [eax+esi*4]
		test	esi, esi
		jz	short loc_9DED02
		mov	ecx, [edi+18h]

loc_9DECAA:				; CODE XREF: SepAddTokenLogonSession(x)+61j
		cmp	ecx, [esi+4]
		jnz	short loc_9DECC5
		mov	eax, [edi+1Ch]
		cmp	eax, [esi+8]
		jnz	short loc_9DECC5
		mov	eax, [edi+0C0h]
		mov	eax, [eax+58h]
		cmp	eax, [esi+58h]
		jz	short loc_9DECCD

loc_9DECC5:				; CODE XREF: SepAddTokenLogonSession(x)+45j
					; SepAddTokenLogonSession(x)+4Dj
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_9DECAA
		jmp	short loc_9DED02
; 

loc_9DECCD:				; CODE XREF: SepAddTokenLogonSession(x)+5Bj
		push	734C6553h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_9DED02
		and	dword ptr [eax], 0
		add	esi, 64h
		and	dword ptr [eax+4], 0
		mov	[eax+8], edi
		mov	edx, [esi+4]
		cmp	[edx], esi
		jz	short loc_9DECF8
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9DECF8:				; CODE XREF: SepAddTokenLogonSession(x)+89j
		mov	[eax], esi
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[esi+4], eax

loc_9DED02:				; CODE XREF: SepAddTokenLogonSession(x)+3Dj
					; SepAddTokenLogonSession(x)+63j ...
		mov	ecx, ebx
		call	ExReleaseResourceLite
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_SepAddTokenLogonSession@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepDeleteUnreferencedLogonSessionsInSilo(x)
_SepDeleteUnreferencedLogonSessionsInSilo@4 proc near
					; CODE XREF: SeShutdownServerSilo(x,x)+74j

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	eax, ecx
		push	edi
		push	eax
		mov	[esp+24h+var_10], eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	[esp+20h+var_C], eax
		xor	edi, edi

loc_9DED31:				; CODE XREF: SepDeleteUnreferencedLogonSessionsInSilo(x)+B1j
		mov	esi, ds:_SepLogonSessions
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	eax, edi
		and	eax, 3
		imul	eax, 38h
		push	1
		lea	ebx, _SepRmDbLock[eax]
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [esi+edi*4]
		jmp	short loc_9DEDAE
; 

loc_9DED57:				; CODE XREF: SepDeleteUnreferencedLogonSessionsInSilo(x)+9Fj
		mov	eax, [esp+20h+var_10]
		cmp	[ecx+58h], eax
		jnz	short loc_9DEDAC
		mov	eax, [ecx+14h]
		test	eax, eax
		jz	short loc_9DED72
		test	byte ptr [ecx+18h], 8
		jnz	short loc_9DEDAC
		cmp	eax, 1
		jnz	short loc_9DEDAC

loc_9DED72:				; CODE XREF: SepDeleteUnreferencedLogonSessionsInSilo(x)+54j
		mov	eax, [ecx+4]
		mov	[esp+20h+var_8], eax
		mov	eax, [ecx+8]
		mov	ecx, ebx
		mov	[esp+20h+var_4], eax
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	dl, dl
		lea	ecx, [esp+20h+var_8]
		call	SepDeleteLogonSessionTrack
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	eax, ds:_SepLogonSessions
		lea	ecx, [eax+edi*4]

loc_9DEDAC:				; CODE XREF: SepDeleteUnreferencedLogonSessionsInSilo(x)+4Dj
					; SepDeleteUnreferencedLogonSessionsInSilo(x)+5Aj ...
		mov	ecx, [ecx]

loc_9DEDAE:				; CODE XREF: SepDeleteUnreferencedLogonSessionsInSilo(x)+44j
		test	ecx, ecx
		jnz	short loc_9DED57
		mov	ecx, ebx
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		inc	edi
		cmp	edi, 10h
		jb	loc_9DED31
		push	[esp+20h+var_C]
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_SepDeleteUnreferencedLogonSessionsInSilo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepMakeLogonSessionsSiblings(x, x)
_SepMakeLogonSessionsSiblings@8	proc near
					; CODE XREF: SepRmMakeLogonSessionsSiblingsWrkr(x,x)+29p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, edx
		mov	eax, ecx
		push	esi
		mov	[ebp+var_4], eax
		push	edi
		imul	edi, [eax], 5B250A24h
		imul	esi, [ebx], 5B250A24h
		mov	eax, ds:_SepLogonSessions
		mov	[ebp+var_10], eax
		shr	edi, 1Ch
		shr	esi, 1Ch
		lea	eax, [eax+esi*4]
		mov	[ebp+var_14], eax
		mov	eax, edi
		and	eax, 3
		imul	eax, 38h
		lea	ecx, _SepRmDbLock[eax]
		mov	eax, large fs:124h
		mov	[ebp+var_8], ecx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		cmp	edi, esi
		jnb	short loc_9DEE55
		push	ecx
		call	ExAcquireResourceExclusiveLite
		mov	eax, large fs:124h
		and	esi, 3
		dec	word ptr [eax+13Ch]
		imul	eax, esi, 38h
		lea	esi, _SepRmDbLock[eax]
		mov	[ebp+var_C], esi
		mov	eax, esi
		jmp	short loc_9DEE7A
; 

loc_9DEE55:				; CODE XREF: SepMakeLogonSessionsSiblings(x,x)+55j
		and	esi, 3
		imul	eax, esi, 38h
		lea	eax, _SepRmDbLock[eax]
		push	eax
		mov	[ebp+var_C], eax
		call	ExAcquireResourceExclusiveLite
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		mov	eax, [ebp+var_8]

loc_9DEE7A:				; CODE XREF: SepMakeLogonSessionsSiblings(x,x)+7Bj
		nop
		push	1
		push	eax
		call	ExAcquireResourceExclusiveLite
		mov	eax, [ebp+var_10]
		mov	edi, [eax+edi*4]
		test	edi, edi
		jz	short loc_9DEEAF
		mov	esi, [ebp+var_4]

loc_9DEE90:				; CODE XREF: SepMakeLogonSessionsSiblings(x,x)+D5j
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		cmp	[edi+58h], eax
		jnz	short loc_9DEEA9
		mov	eax, [esi]
		cmp	eax, [edi+4]
		jnz	short loc_9DEEA9
		mov	eax, [esi+4]
		cmp	eax, [edi+8]
		jz	short loc_9DEEAF

loc_9DEEA9:				; CODE XREF: SepMakeLogonSessionsSiblings(x,x)+C0j
					; SepMakeLogonSessionsSiblings(x,x)+C7j
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_9DEE90

loc_9DEEAF:				; CODE XREF: SepMakeLogonSessionsSiblings(x,x)+B3j
					; SepMakeLogonSessionsSiblings(x,x)+CFj
		mov	esi, [ebp+var_14]
		jmp	short loc_9DEECD
; 

loc_9DEEB4:				; CODE XREF: SepMakeLogonSessionsSiblings(x,x)+F9j
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		cmp	[esi+58h], eax
		jnz	short loc_9DEECD
		mov	eax, [ebx]
		cmp	eax, [esi+4]
		jnz	short loc_9DEECD
		mov	eax, [ebx+4]
		cmp	eax, [esi+8]
		jz	short loc_9DEED3

loc_9DEECD:				; CODE XREF: SepMakeLogonSessionsSiblings(x,x)+DAj
					; SepMakeLogonSessionsSiblings(x,x)+E4j ...
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_9DEEB4

loc_9DEED3:				; CODE XREF: SepMakeLogonSessionsSiblings(x,x)+F3j
		test	edi, edi
		jz	short loc_9DEF00
		test	esi, esi
		jz	short loc_9DEF00
		mov	ecx, [ebp+var_4]
		mov	eax, [ebx]
		or	dword ptr [edi+18h], 40h
		mov	[edi+5Ch], eax
		mov	eax, [ebx+4]
		mov	[edi+60h], eax
		mov	eax, [ecx]
		or	dword ptr [esi+18h], 40h
		mov	[esi+5Ch], eax
		mov	eax, [ecx+4]
		mov	[esi+60h], eax
		xor	esi, esi
		jmp	short loc_9DEF05
; 

loc_9DEF00:				; CODE XREF: SepMakeLogonSessionsSiblings(x,x)+FDj
					; SepMakeLogonSessionsSiblings(x,x)+101j
		mov	esi, 0C000005Fh

loc_9DEF05:				; CODE XREF: SepMakeLogonSessionsSiblings(x,x)+126j
		mov	ecx, [ebp+var_8]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_C]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SepMakeLogonSessionsSiblings@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRemoveTokenLogonSession(x)
_SepRemoveTokenLogonSession@4 proc near	; CODE XREF: SepLinkLogonSessions+8207Bp
					; SepLinkLogonSessions+82084p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		test	byte ptr [edi+0B0h], 20h
		jnz	loc_9DEFD0
		imul	esi, [edi+18h],	5B250A24h
		mov	eax, large fs:124h
		shr	esi, 1Ch
		dec	word ptr [eax+13Ch]
		nop
		mov	eax, esi
		and	eax, 3
		imul	eax, 38h
		push	1
		lea	ebx, _SepRmDbLock[eax]
		push	ebx
		call	ExAcquireResourceExclusiveLite
		mov	eax, ds:_SepLogonSessions
		mov	ecx, [eax+esi*4]
		test	ecx, ecx
		jz	short loc_9DEFC4
		mov	eax, [edi+18h]
		mov	[ebp+var_4], eax

loc_9DEF8C:				; CODE XREF: SepRemoveTokenLogonSession(x)+8Ej
		cmp	eax, [ecx+4]
		jnz	short loc_9DEFBE
		mov	eax, [edi+1Ch]
		cmp	eax, [ecx+8]
		jnz	short loc_9DEFBB
		mov	eax, [edi+0C0h]
		mov	eax, [eax+58h]
		cmp	eax, [ecx+58h]
		jnz	short loc_9DEFBB
		lea	edx, [ecx+64h]
		mov	esi, [edx]

loc_9DEFAC:				; CODE XREF: SepRemoveTokenLogonSession(x)+85j
		cmp	esi, edx
		jz	short loc_9DEFBB
		mov	eax, [esi]
		cmp	[esi+8], edi
		jz	short loc_9DEFD5
		mov	esi, eax
		jmp	short loc_9DEFAC
; 

loc_9DEFBB:				; CODE XREF: SepRemoveTokenLogonSession(x)+63j
					; SepRemoveTokenLogonSession(x)+71j ...
		mov	eax, [ebp+var_4]

loc_9DEFBE:				; CODE XREF: SepRemoveTokenLogonSession(x)+5Bj
		mov	ecx, [ecx]
		test	ecx, ecx
		jnz	short loc_9DEF8C

loc_9DEFC4:				; CODE XREF: SepRemoveTokenLogonSession(x)+50j
		mov	ecx, ebx
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9DEFD0:				; CODE XREF: SepRemoveTokenLogonSession(x)+12j
					; SepRemoveTokenLogonSession(x)+C6j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9DEFD5:				; CODE XREF: SepRemoveTokenLogonSession(x)+81j
		cmp	[eax+4], esi
		jnz	short loc_9DEFFC
		mov	edx, [esi+4]
		cmp	[edx], esi
		jnz	short loc_9DEFFC
		mov	[edx], eax
		mov	ecx, ebx
		mov	[eax+4], edx
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9DEFD0
; 

loc_9DEFFC:				; CODE XREF: SepRemoveTokenLogonSession(x)+A4j
					; SepRemoveTokenLogonSession(x)+ABj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall SepRmDeleteLogonSessionWrkr(x, x)
_SepRmDeleteLogonSessionWrkr@8:		; DATA XREF: PAGE:00A40D08o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		xor	dl, dl
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_8], eax
		mov	eax, [ecx+20h]
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_4], eax
		call	SepDeleteLogonSessionTrack
		mov	ecx, [ebp+arg_4]
		mov	[ecx+18h], eax
		leave
		retn	8
_SepRemoveTokenLogonSession@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRmMakeLogonSessionsSiblingsWrkr(x, x)
_SepRmMakeLogonSessionsSiblingsWrkr@8 proc near	; DATA XREF: PAGE:00A40D24o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_8]
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+20h]
		mov	[ebp+var_C], eax
		mov	eax, [ecx+24h]
		mov	[ebp+var_8], eax
		mov	eax, [ecx+28h]
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_4], eax
		call	_SepMakeLogonSessionsSiblings@8	; SepMakeLogonSessionsSiblings(x,x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx+18h], eax
		leave
		retn	8
_SepRmMakeLogonSessionsSiblingsWrkr@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRmSetSharedUserSessionWrkr(x, x)
_SepRmSetSharedUserSessionWrkr@8 proc near ; DATA XREF:	PAGE:00A40D2Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [eax+1Ch]
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+28Ch]
		mov	[eax+18h], esi
		mov	eax, [ebp+arg_4]
		pop	esi
		and	dword ptr [eax+18h], 0
		pop	ebp
		retn	8
_SepRmSetSharedUserSessionWrkr@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRmValidateProcUniqueLuidWrkr(x, x)
_SepRmValidateProcUniqueLuidWrkr@8 proc	near ; DATA XREF: PAGE:00A40D28o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_8], eax
		mov	eax, [ecx+20h]
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_4], eax
		call	_SepIsValidProcUniqueLuid@4 ; SepIsValidProcUniqueLuid(x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx+18h], eax
		leave
		retn	8
_SepRmValidateProcUniqueLuidWrkr@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtFilterBootOption(int,int,int,void *,size_t)
_NtFilterBootOption@20 proc near	; DATA XREF: .text:00581060o

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	20h
		push	offset dword_6A9428
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		call	_SepSecureBootHasPermission@0 ;	SepSecureBootHasPermission()
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_9DF2F4
		cmp	dword_6FDDF4, ebx
		jnz	short loc_9DF0EC
		mov	esi, 80430006h
		jmp	loc_9DF2F4
; 

loc_9DF0EC:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+2Fj
		mov	eax, [ebp+arg_0]
		sub	eax, ebx
		jz	loc_9DF2B8
		sub	eax, 1
		jz	short loc_9DF14C
		sub	eax, 1
		jz	short loc_9DF10B
		mov	esi, 0C00000EFh
		jmp	loc_9DF2F4
; 

loc_9DF10B:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+4Ej
		cmp	[ebp+arg_4], ebx
		jz	loc_9DF2EF
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	loc_9DF2EF
		cmp	[ebp+arg_C], ebx
		jnz	loc_9DF2EF
		cmp	[ebp+arg_10], ebx
		jnz	loc_9DF2EF
		mov	ecx, edi
		shr	ecx, 18h
		and	ecx, 0Fh
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	dword_6FE130, eax
		jnz	loc_9DF21B
		jmp	short loc_9DF189
; 

loc_9DF14C:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+49j
		cmp	[ebp+arg_4], ebx
		jz	loc_9DF2EF
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	loc_9DF2EF
		cmp	[ebp+arg_C], ebx
		jz	loc_9DF2EF
		mov	edx, [ebp+arg_10]
		test	edx, edx
		jz	loc_9DF2EF
		mov	ecx, edi
		shr	ecx, 18h
		and	ecx, 0Fh
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	dword_6FE130, eax
		jnz	short loc_9DF190

loc_9DF189:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+99j
		mov	esi, ebx
		jmp	loc_9DF2F4
; 

loc_9DF190:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+D6j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_9DF218
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [ebp+arg_C]
		lea	eax, [esi+edx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_9DF1B7
		cmp	eax, esi
		jnb	short loc_9DF1B9

loc_9DF1B7:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+100j
		mov	[ecx], bl

loc_9DF1B9:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+104j
		cmp	edx, 8
		ja	short loc_9DF1D1
		push	edx		; size_t
		push	esi		; void *
		lea	eax, [ebp+var_30]
		push	eax		; void *
		call	_memcpy
		lea	eax, [ebp+var_30]
		mov	[ebp+arg_C], eax
		jmp	short loc_9DF20E
; 

loc_9DF1D1:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+10Bj
		push	62536553h
		push	edx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_20], edi
		test	edi, edi
		jnz	short loc_9DF1FB
		mov	esi, 0C0000017h

loc_9DF1EC:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+1E8j
		mov	[ebp+var_1C], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_9DF2F4
; 

loc_9DF1FB:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+134j
		push	[ebp+arg_10]	; size_t
		push	esi		; void *
		mov	edi, [ebp+var_20]
		push	edi		; void *
		call	_memcpy
		mov	[ebp+arg_C], edi
		mov	edi, [ebp+arg_8]

loc_9DF20E:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+11Ej
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9DF218:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+EDj
		mov	esi, [ebp+var_1C]

loc_9DF21B:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+93j
		mov	eax, dword_6FDDF4
		movzx	ecx, word ptr [eax+24h]
		mov	[ebp+arg_8], ecx
		test	ecx, ecx
		jz	loc_9DF2F4
		mov	ecx, dword_6FE13C
		mov	eax, [ebp+arg_8]

loc_9DF238:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+1D0j
		cmp	[ecx+4], edi
		jnz	short loc_9DF27B
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_9DF248
		cmp	eax, [ebp+arg_4]
		jnz	short loc_9DF278

loc_9DF248:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+190j
		mov	eax, [ecx+8]
		mov	edx, dword_6FE12C
		movzx	eax, word ptr [edx+eax]
		mov	[ebp+var_28], eax
		test	al, 20h
		mov	edx, [ebp+arg_10]
		jz	short loc_9DF26B
		mov	eax, dword_6D710C
		test	al, 4
		jz	short loc_9DF278
		mov	eax, [ebp+var_28]

loc_9DF26B:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+1ACj
		test	al, 40h
		jz	short loc_9DF29E
		mov	eax, dword_6D710C
		test	al, 10h
		jnz	short loc_9DF29E

loc_9DF278:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+195j
					; NtFilterBootOption(x,x,x,x,x)+1B5j
		mov	eax, [ebp+arg_8]

loc_9DF27B:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+18Aj
		inc	ebx
		add	ecx, 0Ch
		cmp	ebx, eax
		jb	short loc_9DF238
		jmp	short loc_9DF2F4
; 

loc_9DF285:				; DATA XREF: .text:006A943Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9DF293:				; DATA XREF: .text:006A9440o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_24]
		jmp	loc_9DF1EC
; 

loc_9DF29E:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+1BCj
					; NtFilterBootOption(x,x,x,x,x)+1C5j
		cmp	[ebp+arg_0], 1
		jnz	short loc_9DF2B1
		push	edx
		mov	edx, [ebp+arg_C]
		call	_SepSecureBootValidateBcdDataAgainstBcdRule@12 ; SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)

loc_9DF2AD:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+205j
		mov	esi, eax
		jmp	short loc_9DF2F4
; 

loc_9DF2B1:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+1F1j
		call	_SepSecureBootFilterBootOptionDelete@4 ; SepSecureBootFilterBootOptionDelete(x)
		jmp	short loc_9DF2AD
; 

loc_9DF2B8:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+40j
		cmp	[ebp+arg_4], ebx
		jnz	short loc_9DF2EF
		cmp	[ebp+arg_8], ebx
		jnz	short loc_9DF2EF
		cmp	[ebp+arg_C], ebx
		jnz	short loc_9DF2EF
		cmp	[ebp+arg_10], ebx
		jnz	short loc_9DF2EF
		xor	ecx, ecx
		mov	edi, offset unk_6FE134
		xor	eax, eax
		lock cmpxchg [edi], ecx
		test	eax, eax
		jnz	short loc_9DF2F4
		call	_SepSecureBootCorrectBcd@0 ; SepSecureBootCorrectBcd()
		mov	esi, eax
		test	esi, esi
		js	short loc_9DF2F4
		xor	eax, eax
		inc	eax
		xchg	eax, [edi]
		jmp	short loc_9DF2F4
; 

loc_9DF2EF:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+5Dj
					; NtFilterBootOption(x,x,x,x,x)+68j ...
		mov	esi, 0C000000Dh

loc_9DF2F4:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+23j
					; NtFilterBootOption(x,x,x,x,x)+36j ...
		mov	edi, [ebp+var_20]
		test	edi, edi
		jz	short loc_9DF306
		push	62536553h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DF306:				; CODE XREF: NtFilterBootOption(x,x,x,x,x)+248j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_NtFilterBootOption@20 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 2488. SeQuerySecureBootPlatformManifest

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeQuerySecureBootPlatformManifest(x, x)
		public _SeQuerySecureBootPlatformManifest@8
_SeQuerySecureBootPlatformManifest@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _g_SecureBootActivePlatformManifest
		test	eax, eax
		jnz	short loc_9DF334
		mov	eax, 0C0EB0006h
		jmp	short loc_9DF376
; 

loc_9DF334:				; CODE XREF: SeQuerySecureBootPlatformManifest(x,x)+Cj
		cmp	[ebp+arg_0], 0
		jnz	short loc_9DF341
		mov	eax, 0C0000225h
		jmp	short loc_9DF376
; 

loc_9DF341:				; CODE XREF: SeQuerySecureBootPlatformManifest(x,x)+19j
		cmp	[ebp+arg_4], 20h
		jz	short loc_9DF34E
		mov	eax, 0C000000Dh
		jmp	short loc_9DF376
; 

loc_9DF34E:				; CODE XREF: SeQuerySecureBootPlatformManifest(x,x)+26j
		push	0
		push	offset SepSecureBootManifestCompareElements
		push	20h
		push	dword ptr [eax+4]
		push	dword ptr [eax+10h]
		push	[ebp+arg_0]
		call	_bsearch_s
		add	esp, 18h
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFDDBh
		add	eax, 0C0000225h

loc_9DF376:				; CODE XREF: SeQuerySecureBootPlatformManifest(x,x)+13j
					; SeQuerySecureBootPlatformManifest(x,x)+20j ...
		pop	ebp
		retn	8
_SeQuerySecureBootPlatformManifest@8 endp


;  S U B	R O U T	I N E 


; __stdcall SepEqualAsciiWideStringCaseInSensitive(x, x)
_SepEqualAsciiWideStringCaseInSensitive@8 proc near
					; CODE XREF: SepSecureBootFindMatchingRegistryRule(x,x,x)+56p
					; SepSecureBootFindMatchingRegistryRule(x,x,x)+82p
		movzx	eax, word ptr [edx]
		push	ebx
		push	esi
		movzx	esi, word ptr [ecx]
		push	edi
		cmp	esi, eax
		jnz	short loc_9DF3E5
		mov	ecx, [ecx+4]
		mov	edi, [edx+4]
		push	4
		pop	edx
		lea	ebx, [esi+ecx]
		jmp	short loc_9DF3A3
; 

loc_9DF395:				; CODE XREF: SepEqualAsciiWideStringCaseInSensitive(x,x)+2Bj
		mov	eax, [ecx]
		cmp	eax, [edi]
		jnz	short loc_9DF3A7
		sub	esi, edx
		jz	short loc_9DF3E1
		add	ecx, edx
		add	edi, edx

loc_9DF3A3:				; CODE XREF: SepEqualAsciiWideStringCaseInSensitive(x,x)+19j
		cmp	esi, edx
		jnb	short loc_9DF395

loc_9DF3A7:				; CODE XREF: SepEqualAsciiWideStringCaseInSensitive(x,x)+1Fj
		cmp	ecx, ebx
		jnb	short loc_9DF3E1
		sub	edi, ecx

loc_9DF3AD:				; CODE XREF: SepEqualAsciiWideStringCaseInSensitive(x,x)+65j
		movzx	edx, word ptr [ecx]
		movzx	esi, word ptr [edi+ecx]
		cmp	edx, esi
		jz	short loc_9DF3DA
		cmp	edx, 61h
		jb	short loc_9DF3C7
		cmp	edx, 7Ah
		ja	short loc_9DF3C7
		lea	eax, [edx-20h]
		mov	edx, eax

loc_9DF3C7:				; CODE XREF: SepEqualAsciiWideStringCaseInSensitive(x,x)+41j
					; SepEqualAsciiWideStringCaseInSensitive(x,x)+46j
		cmp	esi, 61h
		jb	short loc_9DF3D6
		cmp	esi, 7Ah
		ja	short loc_9DF3D6
		lea	eax, [esi-20h]
		mov	esi, eax

loc_9DF3D6:				; CODE XREF: SepEqualAsciiWideStringCaseInSensitive(x,x)+50j
					; SepEqualAsciiWideStringCaseInSensitive(x,x)+55j
		cmp	edx, esi
		jnz	short loc_9DF3E5

loc_9DF3DA:				; CODE XREF: SepEqualAsciiWideStringCaseInSensitive(x,x)+3Cj
		add	ecx, 2
		cmp	ecx, ebx
		jb	short loc_9DF3AD

loc_9DF3E1:				; CODE XREF: SepEqualAsciiWideStringCaseInSensitive(x,x)+23j
					; SepEqualAsciiWideStringCaseInSensitive(x,x)+2Fj
		mov	al, 1
		jmp	short loc_9DF3E7
; 

loc_9DF3E5:				; CODE XREF: SepEqualAsciiWideStringCaseInSensitive(x,x)+Bj
					; SepEqualAsciiWideStringCaseInSensitive(x,x)+5Ej
		xor	al, al

loc_9DF3E7:				; CODE XREF: SepEqualAsciiWideStringCaseInSensitive(x,x)+69j
		pop	edi
		pop	esi
		pop	ebx
		retn
_SepEqualAsciiWideStringCaseInSensitive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSecureBootCorrectBcd()
_SepSecureBootCorrectBcd@0 proc	near	; CODE XREF: NtFilterBootOption(x,x,x,x,x)+22Cp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	ecx, [esp+30h+var_14]
		mov	[esp+30h+var_1C], edi
		mov	[esp+30h+var_20], edi
		mov	[esp+30h+var_18], edi
		mov	[esp+30h+var_14], edi
		call	_BcdOpenSystemStore@4 ;	BcdOpenSystemStore(x)
		mov	ebx, [esp+30h+var_14]
		mov	esi, eax
		test	esi, esi
		js	loc_9DF5A9
		lea	eax, [esp+30h+var_20]
		mov	[esp+30h+var_C], 1
		push	eax
		lea	eax, [esp+34h+var_18]
		mov	[esp+34h+var_8], edi
		push	eax
		push	edi
		lea	edx, [esp+3Ch+var_C]
		mov	ecx, ebx
		call	_BcdEnumerateObjects@20	; BcdEnumerateObjects(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_9DF5A9
		cmp	esi, 0C0000023h
		jnz	loc_9DF5A9
		push	62536553h
		push	[esp+34h+var_18]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+30h+var_4], eax
		test	eax, eax
		jnz	short loc_9DF47A
		add	esi, 0FFFFFFF4h
		jmp	loc_9DF5A9
; 

loc_9DF47A:				; CODE XREF: SepSecureBootCorrectBcd()+85j
		lea	ecx, [esp+30h+var_20]
		push	ecx
		lea	ecx, [esp+34h+var_18]
		push	ecx
		push	eax
		lea	edx, [esp+3Ch+var_C]
		mov	ecx, ebx
		call	_BcdEnumerateObjects@20	; BcdEnumerateObjects(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9DF59B
		mov	[esp+30h+var_C], edi
		cmp	[esp+30h+var_20], edi
		jbe	loc_9DF59B
		mov	eax, [esp+30h+var_4]
		mov	[esp+30h+var_14], eax
		jmp	short loc_9DF4B4
; 

loc_9DF4B2:				; CODE XREF: SepSecureBootCorrectBcd()+199j
		xor	edi, edi

loc_9DF4B4:				; CODE XREF: SepSecureBootCorrectBcd()+C5j
		lea	ecx, [esp+30h+var_1C]
		mov	edx, eax
		push	ecx
		mov	ecx, ebx
		call	BcdOpenObject
		mov	esi, eax
		test	esi, esi
		js	loc_9DF58C
		mov	edx, dword_6FDDF4
		xor	eax, eax
		mov	[esp+30h+var_18], edi
		mov	edi, [esp+30h+var_1C]
		cmp	ax, [edx+24h]
		jnb	short loc_9DF55F
		xor	ecx, ecx
		mov	[esp+30h+var_10], ecx

loc_9DF4E8:				; CODE XREF: SepSecureBootCorrectBcd()+172j
		mov	eax, dword_6FE13C
		add	eax, ecx
		mov	[esp+30h+var_1C], eax
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_9DF509
		mov	eax, [esp+30h+var_14]
		mov	eax, [eax+10h]
		cmp	ecx, [eax+4]
		jnz	short loc_9DF546
		mov	eax, [esp+30h+var_1C]

loc_9DF509:				; CODE XREF: SepSecureBootCorrectBcd()+10Cj
		mov	ecx, [eax+8]
		mov	eax, dword_6FE12C
		movzx	eax, word ptr [eax+ecx]
		test	al, 20h
		jz	short loc_9DF522
		test	byte ptr dword_6D710C, 4
		jz	short loc_9DF546

loc_9DF522:				; CODE XREF: SepSecureBootCorrectBcd()+12Cj
		test	al, 40h
		jz	short loc_9DF52F
		test	byte ptr dword_6D710C, 10h
		jz	short loc_9DF546

loc_9DF52F:				; CODE XREF: SepSecureBootCorrectBcd()+139j
		mov	ecx, [esp+30h+var_1C]
		mov	edx, edi
		call	_SepSecureBootUpdateBcdDataForRule@8 ; SepSecureBootUpdateBcdDataForRule(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9DF590
		mov	edx, dword_6FDDF4

loc_9DF546:				; CODE XREF: SepSecureBootCorrectBcd()+118j
					; SepSecureBootCorrectBcd()+135j ...
		mov	ecx, [esp+30h+var_10]
		movzx	eax, word ptr [edx+24h]
		add	ecx, 0Ch
		inc	[esp+30h+var_18]
		mov	[esp+30h+var_10], ecx
		cmp	[esp+30h+var_18], eax
		jb	short loc_9DF4E8

loc_9DF55F:				; CODE XREF: SepSecureBootCorrectBcd()+F5j
		mov	ecx, edi
		call	_BcdCloseObject@4 ; BcdCloseObject(x)
		mov	ecx, [esp+30h+var_C]
		xor	edi, edi
		mov	eax, [esp+30h+var_14]
		inc	ecx
		add	eax, 14h
		mov	[esp+30h+var_1C], edi
		mov	[esp+30h+var_C], ecx
		mov	[esp+30h+var_14], eax
		cmp	ecx, [esp+30h+var_20]
		jb	loc_9DF4B2
		jmp	short loc_9DF590
; 

loc_9DF58C:				; CODE XREF: SepSecureBootCorrectBcd()+DBj
		mov	edi, [esp+30h+var_1C]

loc_9DF590:				; CODE XREF: SepSecureBootCorrectBcd()+153j
					; SepSecureBootCorrectBcd()+19Fj
		test	edi, edi
		jz	short loc_9DF59B
		mov	ecx, edi
		call	_BcdCloseObject@4 ; BcdCloseObject(x)

loc_9DF59B:				; CODE XREF: SepSecureBootCorrectBcd()+A9j
					; SepSecureBootCorrectBcd()+B7j ...
		push	62536553h
		push	[esp+34h+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DF5A9:				; CODE XREF: SepSecureBootCorrectBcd()+31j
					; SepSecureBootCorrectBcd()+5Dj ...
		test	ebx, ebx
		jz	short loc_9DF5B4
		mov	ecx, ebx
		call	BcdCloseStore

loc_9DF5B4:				; CODE XREF: SepSecureBootCorrectBcd()+1C0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_SepSecureBootCorrectBcd@0 endp


;  S U B	R O U T	I N E 


; __stdcall SepSecureBootFilterBootOptionDelete(x)
_SepSecureBootFilterBootOptionDelete@4 proc near
					; CODE XREF: NtFilterBootOption(x,x,x,x,x):loc_9DF2B1p
		mov	ecx, [ecx+8]
		xor	edx, edx
		add	ecx, dword_6FE12C
		mov	al, [ecx]
		and	al, 1Fh
		cmp	al, 8
		jnz	short loc_9DF5D6
		cmp	[ecx+2], dx
		jz	short loc_9DF5DB

loc_9DF5D6:				; CODE XREF: SepSecureBootFilterBootOptionDelete(x)+11j
		mov	edx, 0C0430002h

loc_9DF5DB:				; CODE XREF: SepSecureBootFilterBootOptionDelete(x)+17j
		mov	eax, edx
		retn
_SepSecureBootFilterBootOptionDelete@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSecureBootFindMatchingRegistryRule(x, x,	x)
_SepSecureBootFindMatchingRegistryRule@12 proc near
					; CODE XREF: SeQuerySecureBootPolicyValue+82D9Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, dword_6FDDF4
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		push	esi
		mov	esi, dword_6FE138
		push	edi
		movzx	edi, word ptr [eax+26h]
		shl	edi, 4
		mov	[ebp+var_4], edx
		add	edi, esi
		jmp	short loc_9DF66C
; 

loc_9DF609:				; CODE XREF: SepSecureBootFindMatchingRegistryRule(x,x,x)+90j
		cmp	dword ptr [esi], 81000000h
		jnz	short loc_9DF669
		mov	ecx, [esi+4]
		lea	edx, [ebp+var_C]
		add	ecx, dword_6FE12C
		lea	eax, [ecx+2]
		mov	[ebp+var_8], eax
		movzx	eax, word ptr [ecx]
		mov	ecx, [ebp+var_4]
		mov	word ptr [ebp+var_C], ax
		add	eax, 2
		mov	word ptr [ebp+var_C+2],	ax
		call	_SepEqualAsciiWideStringCaseInSensitive@8 ; SepEqualAsciiWideStringCaseInSensitive(x,x)
		test	al, al
		jz	short loc_9DF669
		mov	ecx, [esi+8]
		lea	edx, [ebp+var_C]
		add	ecx, dword_6FE12C
		lea	eax, [ecx+2]
		mov	[ebp+var_8], eax
		movzx	eax, word ptr [ecx]
		mov	ecx, [ebp+arg_0]
		mov	word ptr [ebp+var_C], ax
		add	eax, 2
		mov	word ptr [ebp+var_C+2],	ax
		call	_SepEqualAsciiWideStringCaseInSensitive@8 ; SepEqualAsciiWideStringCaseInSensitive(x,x)
		test	al, al
		jnz	short loc_9DF678

loc_9DF669:				; CODE XREF: SepSecureBootFindMatchingRegistryRule(x,x,x)+31j
					; SepSecureBootFindMatchingRegistryRule(x,x,x)+5Dj
		add	esi, 10h

loc_9DF66C:				; CODE XREF: SepSecureBootFindMatchingRegistryRule(x,x,x)+29j
		cmp	esi, edi
		jb	short loc_9DF609
		xor	eax, eax

loc_9DF672:				; CODE XREF: SepSecureBootFindMatchingRegistryRule(x,x,x)+9Cj
		pop	edi
		pop	esi
		leave
		retn	4
; 

loc_9DF678:				; CODE XREF: SepSecureBootFindMatchingRegistryRule(x,x,x)+89j
		mov	eax, esi
		jmp	short loc_9DF672
_SepSecureBootFindMatchingRegistryRule@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSecureBootGetPolicyDefaultValue(x, x, x,	x)
_SepSecureBootGetPolicyDefaultValue@16 proc near
					; CODE XREF: SepSecureBootUpdateBcdDataForRule(x,x)+103p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, word ptr [ecx]
		xor	edx, edx
		and	eax, 1Fh
		push	esi
		sub	eax, edx
		jz	short loc_9DF6C2
		sub	eax, 1
		jz	short loc_9DF6BD
		sub	eax, 4
		jz	short loc_9DF6B5
		sub	eax, 1
		jz	short loc_9DF6B5
		sub	eax, 1
		jz	short loc_9DF6B5
		sub	eax, 1
		jz	short loc_9DF6AE
		mov	edx, 0C0430003h
		jmp	short loc_9DF6D3
; 

loc_9DF6AE:				; CODE XREF: SepSecureBootGetPolicyDefaultValue(x,x,x,x)+29j
		mov	edx, 0C0000225h
		jmp	short loc_9DF6D3
; 

loc_9DF6B5:				; CODE XREF: SepSecureBootGetPolicyDefaultValue(x,x,x,x)+1Aj
					; SepSecureBootGetPolicyDefaultValue(x,x,x,x)+1Fj ...
		push	8
		pop	eax

loc_9DF6B8:				; CODE XREF: SepSecureBootGetPolicyDefaultValue(x,x,x,x)+44j
		lea	esi, [ecx+2]
		jmp	short loc_9DF6C9
; 

loc_9DF6BD:				; CODE XREF: SepSecureBootGetPolicyDefaultValue(x,x,x,x)+15j
		xor	eax, eax
		inc	eax
		jmp	short loc_9DF6B8
; 

loc_9DF6C2:				; CODE XREF: SepSecureBootGetPolicyDefaultValue(x,x,x,x)+10j
		movzx	eax, word ptr [ecx+2]
		lea	esi, [ecx+4]

loc_9DF6C9:				; CODE XREF: SepSecureBootGetPolicyDefaultValue(x,x,x,x)+3Fj
		mov	ecx, [ebp+arg_0]
		mov	[ecx], esi
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax

loc_9DF6D3:				; CODE XREF: SepSecureBootGetPolicyDefaultValue(x,x,x,x)+30j
					; SepSecureBootGetPolicyDefaultValue(x,x,x,x)+37j
		mov	eax, edx
		pop	esi
		pop	ebp
		retn	8
_SepSecureBootGetPolicyDefaultValue@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSecureBootGetPolicyValueByRef(x,	x, x, x)
_SepSecureBootGetPolicyValueByRef@16 proc near
					; CODE XREF: SeQuerySecureBootPolicyValue+82DC3p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		movzx	eax, word ptr [esi]
		cmp	edx, eax
		jz	short loc_9DF6F6
		mov	eax, 0C0000034h
		jmp	loc_9DF777
; 

loc_9DF6F6:				; CODE XREF: SepSecureBootGetPolicyValueByRef(x,x,x,x)+10j
		and	eax, 1Fh
		sub	eax, edi
		jz	short loc_9DF764
		dec	eax
		sub	eax, 1
		jz	short loc_9DF751
		dec	eax
		sub	eax, 1
		jz	short loc_9DF73B
		sub	eax, 1
		jz	short loc_9DF728
		sub	eax, 5
		jz	short loc_9DF71A
		mov	edi, 0C0000002h
		jmp	short loc_9DF775
; 

loc_9DF71A:				; CODE XREF: SepSecureBootGetPolicyValueByRef(x,x,x,x)+37j
		mov	eax, [ebp+arg_0]
		lea	ecx, [esi+4]
		mov	[eax], ecx
		movzx	ecx, word ptr [esi+2]
		jmp	short loc_9DF74A
; 

loc_9DF728:				; CODE XREF: SepSecureBootGetPolicyValueByRef(x,x,x,x)+32j
		mov	eax, [ebp+arg_0]
		lea	ecx, [esi+2]
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 8
		jmp	short loc_9DF775
; 

loc_9DF73B:				; CODE XREF: SepSecureBootGetPolicyValueByRef(x,x,x,x)+2Dj
		mov	eax, [ebp+arg_0]
		lea	ecx, [esi+8]
		mov	[eax], ecx
		movzx	ecx, word ptr [esi+6]
		shl	ecx, 2

loc_9DF74A:				; CODE XREF: SepSecureBootGetPolicyValueByRef(x,x,x,x)+4Cj
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		jmp	short loc_9DF775
; 

loc_9DF751:				; CODE XREF: SepSecureBootGetPolicyValueByRef(x,x,x,x)+27j
		mov	eax, [ebp+arg_0]
		lea	ecx, [esi+2]
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		mov	dword ptr [eax], 4
		jmp	short loc_9DF775
; 

loc_9DF764:				; CODE XREF: SepSecureBootGetPolicyValueByRef(x,x,x,x)+21j
		mov	ecx, [ebp+arg_0]
		lea	edx, [esi+4]
		mov	[ecx], edx
		mov	ecx, [ebp+arg_4]
		movzx	edx, word ptr [esi+2]
		mov	[ecx], edx

loc_9DF775:				; CODE XREF: SepSecureBootGetPolicyValueByRef(x,x,x,x)+3Ej
					; SepSecureBootGetPolicyValueByRef(x,x,x,x)+5Fj ...
		mov	eax, edi

loc_9DF777:				; CODE XREF: SepSecureBootGetPolicyValueByRef(x,x,x,x)+17j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_SepSecureBootGetPolicyValueByRef@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSecureBootGetQWordPolicyValue(x,	x)
_SepSecureBootGetQWordPolicyValue@8 proc near
					; CODE XREF: SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)+91p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		movzx	eax, word ptr [esi]
		and	eax, 1Fh
		sub	eax, 5
		jz	loc_9DF82D
		sub	eax, 1
		jz	short loc_9DF803
		sub	eax, 1
		jz	short loc_9DF7B1
		mov	ebx, 0C0430003h
		jmp	loc_9DF838
; 

loc_9DF7B1:				; CODE XREF: SepSecureBootGetQWordPolicyValue(x,x)+28j
		movzx	eax, word ptr [esi+0Ah]
		mov	ecx, ebx
		cdq
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], edx
		cmp	edx, ebx
		jb	short loc_9DF820
		ja	short loc_9DF7CB
		cmp	eax, ebx
		jbe	short loc_9DF820

loc_9DF7CB:				; CODE XREF: SepSecureBootGetQWordPolicyValue(x,x)+48j
		mov	eax, [edi]
		mov	edx, [ebp+var_8]
		mov	[ebp+var_C], eax
		mov	eax, [edi+4]
		mov	[ebp+var_10], eax

loc_9DF7D9:				; CODE XREF: SepSecureBootGetQWordPolicyValue(x,x)+7Cj
					; SepSecureBootGetQWordPolicyValue(x,x)+82j
		mov	eax, [esi+ecx*8+0Ch]
		cmp	eax, [ebp+var_C]
		jnz	short loc_9DF7EB
		mov	eax, [esi+ecx*8+10h]
		cmp	eax, [ebp+var_10]
		jz	short loc_9DF838

loc_9DF7EB:				; CODE XREF: SepSecureBootGetQWordPolicyValue(x,x)+63j
		mov	eax, [ebp+var_4]
		add	ecx, 1
		adc	eax, ebx
		mov	[ebp+var_4], eax
		cmp	eax, [ebp+var_14]
		jb	short loc_9DF7D9
		ja	short loc_9DF820
		cmp	ecx, edx
		jb	short loc_9DF7D9
		jmp	short loc_9DF820
; 

loc_9DF803:				; CODE XREF: SepSecureBootGetQWordPolicyValue(x,x)+23j
		mov	ecx, [edi+4]
		mov	eax, [edi]
		cmp	ecx, [esi+0Eh]
		jb	short loc_9DF820
		ja	short loc_9DF814
		cmp	eax, [esi+0Ah]
		jb	short loc_9DF820

loc_9DF814:				; CODE XREF: SepSecureBootGetQWordPolicyValue(x,x)+90j
		cmp	ecx, [esi+16h]
		jb	short loc_9DF838
		ja	short loc_9DF820
		cmp	eax, [esi+12h]
		jbe	short loc_9DF838

loc_9DF820:				; CODE XREF: SepSecureBootGetQWordPolicyValue(x,x)+46j
					; SepSecureBootGetQWordPolicyValue(x,x)+4Cj ...
		mov	eax, [esi+2]
		mov	[edi], eax
		mov	eax, [esi+6]
		mov	[edi+4], eax
		jmp	short loc_9DF838
; 

loc_9DF82D:				; CODE XREF: SepSecureBootGetQWordPolicyValue(x,x)+1Aj
		mov	ecx, [esi+2]
		mov	[edi], ecx
		mov	ecx, [esi+6]
		mov	[edi+4], ecx

loc_9DF838:				; CODE XREF: SepSecureBootGetQWordPolicyValue(x,x)+2Fj
					; SepSecureBootGetQWordPolicyValue(x,x)+6Cj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_SepSecureBootGetQWordPolicyValue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSecureBootHasPermission()
_SepSecureBootHasPermission@0 proc near	; CODE XREF: NtFilterBootOption(x,x,x,x,x)+17p

var_6		= byte ptr -6
var_5		= dword	ptr -5
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_5], al
		push	[ebp+var_5]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		mov	byte ptr [ebp+var_1], al
		test	al, al
		jnz	short loc_9DF892
		lea	eax, [ebp+var_1]
		push	eax
		push	ds:_SeAliasAdminsSid
		push	0
		call	_RtlCheckTokenMembership@12 ; RtlCheckTokenMembership(x,x,x)
		test	eax, eax
		js	short loc_9DF88B
		cmp	byte ptr [ebp+var_1], 0
		jnz	short loc_9DF892

loc_9DF88B:				; CODE XREF: SepSecureBootHasPermission()+44j
		mov	eax, 0C0000022h
		leave
		retn
; 

loc_9DF892:				; CODE XREF: SepSecureBootHasPermission()+2Fj
					; SepSecureBootHasPermission()+4Aj
		xor	eax, eax
		leave
		retn
_SepSecureBootHasPermission@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl SepSecureBootManifestCompareElements(int,void *,void *)
SepSecureBootManifestCompareElements proc near
					; DATA XREF: SeQuerySecureBootPlatformManifest(x,x)+31o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	20h		; size_t
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_4]	; void *
		call	_memcmp
		add	esp, 0Ch
		pop	ebp
		retn
SepSecureBootManifestCompareElements endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSecureBootUpdateBcdDataForRule(x, x)
_SepSecureBootUpdateBcdDataForRule@8 proc near ; CODE XREF: SepSecureBootCorrectBcd()+14Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		mov	ebx, ecx
		mov	[esp+28h+var_1C], edx
		push	esi
		push	edi
		xor	edi, edi
		mov	ecx, [ebx+8]
		mov	esi, edi
		add	ecx, dword_6FE12C
		mov	[esp+30h+var_8], edi
		mov	[esp+30h+var_4], edi
		mov	[esp+30h+var_10], edi
		mov	al, [ecx]
		and	al, 1Fh
		mov	[esp+30h+var_14], edi
		mov	[esp+30h+var_C], ecx
		cmp	al, 8
		jnz	short loc_9DF916
		cmp	[ecx+2], di
		jnz	loc_9DF9E1
		mov	edx, [ebx+4]
		push	ecx
		mov	ecx, [esp+34h+var_1C]
		call	BiDeleteElement
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	loc_9DF9E1
		mov	esi, edi
		jmp	loc_9DF9E1
; 

loc_9DF916:				; CODE XREF: SepSecureBootUpdateBcdDataForRule(x,x)+3Bj
		mov	edx, [ebx+4]
		lea	eax, [esp+30h+var_8]
		mov	[esp+30h+var_18], eax
		lea	eax, [esp+30h+var_20]
		push	eax
		lea	eax, [esp+34h+var_8]
		mov	[esp+34h+var_20], 8
		push	eax
		push	ecx
		mov	ecx, [esp+3Ch+var_1C]
		call	BcdGetElementDataWithFlags
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_9DF94F
		cmp	esi, 80000005h
		jnz	short loc_9DF989

loc_9DF94F:				; CODE XREF: SepSecureBootUpdateBcdDataForRule(x,x)+98j
		push	62536553h
		push	[esp+34h+var_20]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9DF96C
		mov	esi, 0C000009Ah
		jmp	short loc_9DF9E1
; 

loc_9DF96C:				; CODE XREF: SepSecureBootUpdateBcdDataForRule(x,x)+B6j
		mov	edx, [ebx+4]
		lea	eax, [esp+30h+var_20]
		push	eax
		push	edi
		push	ecx
		mov	ecx, [esp+3Ch+var_1C]
		mov	[esp+3Ch+var_18], edi
		call	BcdGetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	short loc_9DF9D2

loc_9DF989:				; CODE XREF: SepSecureBootUpdateBcdDataForRule(x,x)+A0j
		test	esi, esi
		js	short loc_9DF9A2
		push	[esp+30h+var_20]
		mov	edx, [esp+34h+var_18]
		mov	ecx, ebx
		call	_SepSecureBootValidateBcdDataAgainstBcdRule@12 ; SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9DF9D2

loc_9DF9A2:				; CODE XREF: SepSecureBootUpdateBcdDataForRule(x,x)+DEj
		mov	ecx, [esp+30h+var_C]
		lea	eax, [esp+30h+var_14]
		push	eax
		lea	eax, [esp+34h+var_10]
		push	eax
		call	_SepSecureBootGetPolicyDefaultValue@16 ; SepSecureBootGetPolicyDefaultValue(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9DF9D2
		push	[esp+30h+var_14]
		mov	edx, [ebx+4]
		push	[esp+34h+var_10]
		push	ecx
		mov	ecx, [esp+3Ch+var_1C]
		call	BcdSetElementDataWithFlags
		mov	esi, eax

loc_9DF9D2:				; CODE XREF: SepSecureBootUpdateBcdDataForRule(x,x)+DAj
					; SepSecureBootUpdateBcdDataForRule(x,x)+F3j ...
		test	edi, edi
		jz	short loc_9DF9E1
		push	62536553h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DF9E1:				; CODE XREF: SepSecureBootUpdateBcdDataForRule(x,x)+41j
					; SepSecureBootUpdateBcdDataForRule(x,x)+5Cj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_SepSecureBootUpdateBcdDataForRule@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSecureBootValidateBcdDataAgainstBcdRule(x, x, x)
_SepSecureBootValidateBcdDataAgainstBcdRule@12 proc near
					; CODE XREF: NtFilterBootOption(x,x,x,x,x)+1F7p
					; SepSecureBootUpdateBcdDataForRule(x,x)+EAp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	esi, esi
		push	edi
		push	8
		mov	edi, [ebx+8]
		add	edi, dword_6FE12C
		mov	ax, [edi]
		and	ax, 1Fh
		movzx	ecx, ax
		pop	eax
		cmp	cx, ax
		jnz	short loc_9DFA22
		cmp	[edi+2], si
		jnz	loc_9DFAD4
		jmp	loc_9DFACF
; 

loc_9DFA22:				; CODE XREF: SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)+27j
		movzx	eax, byte ptr [ebx+7]
		and	eax, 0Fh
		dec	eax
		sub	eax, 1
		jz	short loc_9DFA93
		sub	eax, 3
		jz	short loc_9DFA62
		sub	eax, 1
		jnz	loc_9DFAD4
		xor	ebx, ebx
		inc	ebx
		cmp	cx, bx
		jnz	loc_9DFACF
		mov	eax, [ebp+arg_0]
		dec	eax
		cmp	eax, ebx
		ja	short loc_9DFACF
		cmp	[edi+2], si
		setnz	cl
		cmp	byte ptr [edx],	0
		setnz	al
		cmp	cl, al
		jmp	short loc_9DFACD
; 

loc_9DFA62:				; CODE XREF: SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)+48j
		cmp	[ebp+arg_0], 8
		jnz	short loc_9DFACF
		mov	eax, [edx]
		mov	ecx, edi
		mov	ebx, [edx+4]
		lea	edx, [ebp+var_8]
		mov	[ebp+arg_0], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ebx
		call	_SepSecureBootGetQWordPolicyValue@8 ; SepSecureBootGetQWordPolicyValue(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9DFAD4
		mov	eax, [ebp+arg_0]
		cmp	eax, [ebp+var_8]
		jnz	short loc_9DFACF
		cmp	ebx, [ebp+var_4]
		jmp	short loc_9DFACD
; 

loc_9DFA93:				; CODE XREF: SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)+43j
		test	cx, cx
		jnz	short loc_9DFACF
		mov	ecx, [ebp+arg_0]
		test	cl, 1
		jnz	short loc_9DFACF
		test	ecx, ecx
		jz	short loc_9DFAB5

loc_9DFAA4:				; CODE XREF: SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)+C9j
		mov	eax, ecx
		shr	eax, 1
		cmp	[edx+eax*2-2], si
		jnz	short loc_9DFAB5
		dec	ecx
		sub	ecx, 1
		jnz	short loc_9DFAA4

loc_9DFAB5:				; CODE XREF: SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)+B8j
					; SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)+C3j
		movzx	eax, word ptr [edi+2]
		cmp	ecx, eax
		jnz	short loc_9DFACF
		push	ecx		; size_t
		lea	eax, [edi+4]
		push	eax		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax

loc_9DFACD:				; CODE XREF: SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)+76j
					; SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)+A7j
		jz	short loc_9DFAD4

loc_9DFACF:				; CODE XREF: SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)+33j
					; SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)+59j ...
		mov	esi, 0C0430002h

loc_9DFAD4:				; CODE XREF: SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)+2Dj
					; SepSecureBootValidateBcdDataAgainstBcdRule(x,x,x)+4Dj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_SepSecureBootValidateBcdDataAgainstBcdRule@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepFindMatchingLuidEntry(x,	x, x)
_SepFindMatchingLuidEntry@12 proc near	; CODE XREF: SepIsValidProcUniqueLuid(x)+3Dp

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], ecx
		lea	edi, [ebp+var_14]
		mov	esi, edx
		stosd
		xor	ebx, ebx
		mov	[ebp+var_1], bl
		stosd
		stosd
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_9DFB01
		inc	eax

loc_9DFB01:				; CODE XREF: SepFindMatchingLuidEntry(x,x,x)+21j
		lea	edx, [ebp+var_14]
		push	edx
		push	eax
		push	ecx
		call	_RtlLookupEntryHashTable@12 ; RtlLookupEntryHashTable(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_9DFB52
		mov	edi, [ebp+var_8]

loc_9DFB15:				; CODE XREF: SepFindMatchingLuidEntry(x,x,x)+57j
		mov	ecx, [esi]
		mov	ebx, edx
		cmp	ecx, [edx+10h]
		jnz	short loc_9DFB26
		mov	eax, [esi+4]
		cmp	eax, [edx+14h]
		jz	short loc_9DFB4E

loc_9DFB26:				; CODE XREF: SepFindMatchingLuidEntry(x,x,x)+3Fj
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		call	RtlGetNextEntryHashTable
		mov	edx, eax
		test	edx, edx
		jnz	short loc_9DFB15
		mov	al, [ebp+var_1]

loc_9DFB39:				; CODE XREF: SepFindMatchingLuidEntry(x,x,x)+73j
					; SepFindMatchingLuidEntry(x,x,x)+77j
		movzx	ecx, al
		mov	eax, [ebp+arg_0]
		neg	ecx
		pop	edi
		sbb	ecx, ecx
		and	ecx, ebx
		pop	esi
		mov	[eax], ecx
		pop	ebx
		leave
		retn	4
; 

loc_9DFB4E:				; CODE XREF: SepFindMatchingLuidEntry(x,x,x)+47j
		mov	al, 1
		jmp	short loc_9DFB39
; 

loc_9DFB52:				; CODE XREF: SepFindMatchingLuidEntry(x,x,x)+33j
		mov	al, bl
		jmp	short loc_9DFB39
_SepFindMatchingLuidEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepIsValidProcUniqueLuid(x)
_SepIsValidProcUniqueLuid@4 proc near	; CODE XREF: SepRmValidateProcUniqueLuidWrkr(x,x)+19p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		mov	edi, 0C0000225h
		nop
		mov	ecx, ds:_SeLuidToIndexMapping
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		mov	ecx, ds:_SeLuidToIndexMapping
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, esi
		mov	ecx, [ecx+4]
		call	_SepFindMatchingLuidEntry@12 ; SepFindMatchingLuidEntry(x,x,x)
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_9DFBA9
		movzx	eax, byte ptr [eax+20h]
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_9DFBA9:				; CODE XREF: SepIsValidProcUniqueLuid(x)+47j
		mov	esi, ds:_SeLuidToIndexMapping
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_9DFBC4
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9DFBC4:				; CODE XREF: SepIsValidProcUniqueLuid(x)+65j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
_SepIsValidProcUniqueLuid@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeExamineGlobalSacl(x, x, x, x, x, x, x)
_SeExamineGlobalSacl@28	proc near	; CODE XREF: SeObjectReferenceAuditAlarm+14AA1Bp
					; SeOpenObjectAuditAlarmWithTransaction+11092Bp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		mov	[ebp+var_C], ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	loc_9DFC8C
		cmp	byte ptr [esi],	0
		jnz	loc_9DFC8C
		mov	eax, large fs:124h
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _SepRmGlobalSaclLock
		call	ExAcquireResourceSharedLite
		push	ebx
		push	[ebp+var_C]
		xor	edx, edx
		lea	ecx, [ebp+var_8]
		call	_SepRmGlobalSaclFind@16	; SepRmGlobalSaclFind(x,x,x,x)
		test	eax, eax
		js	short loc_9DFC7D
		mov	eax, [ebp+var_8]
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	short loc_9DFC7D
		lea	ecx, [ebp-1]
		mov	byte ptr [ebp+arg_C+3],	bl
		push	ecx
		lea	ecx, [ebp+arg_C+3]
		mov	[ebp+var_1], bl
		push	ecx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	eax
		call	_SeExamineSacl@28 ; SeExamineSacl(x,x,x,x,x,x,x)
		cmp	[esi], bl
		jnz	short loc_9DFC65
		mov	al, bl
		cmp	byte ptr [ebp+arg_C+3],	bl
		jz	short loc_9DFC67

loc_9DFC65:				; CODE XREF: SeExamineGlobalSacl(x,x,x,x,x,x,x)+7Fj
		mov	al, 1

loc_9DFC67:				; CODE XREF: SeExamineGlobalSacl(x,x,x,x,x,x,x)+86j
		mov	[esi], al
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_9DFC7D
		cmp	[eax], bl
		jnz	short loc_9DFC79
		cmp	[ebp+var_1], bl
		jz	short loc_9DFC7B

loc_9DFC79:				; CODE XREF: SeExamineGlobalSacl(x,x,x,x,x,x,x)+95j
		mov	bl, 1

loc_9DFC7B:				; CODE XREF: SeExamineGlobalSacl(x,x,x,x,x,x,x)+9Aj
		mov	[eax], bl

loc_9DFC7D:				; CODE XREF: SeExamineGlobalSacl(x,x,x,x,x,x,x)+53j
					; SeExamineGlobalSacl(x,x,x,x,x,x,x)+5Dj ...
		mov	ecx, offset _SepRmGlobalSaclLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9DFC8C:				; CODE XREF: SeExamineGlobalSacl(x,x,x,x,x,x,x)+15j
					; SeExamineGlobalSacl(x,x,x,x,x,x,x)+1Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_SeExamineGlobalSacl@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeMaximumAuditMaskFromGlobalSacl(x,	x, x, x)
_SeMaximumAuditMaskFromGlobalSacl@16 proc near
					; CODE XREF: SeSecurityDescriptorChangedAuditAlarm+12602Fp
					; SeOpenObjectAuditAlarmWithTransaction+110989p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_9DFD08
		xor	ebx, ebx
		cmp	[esi+4], ebx
		jz	short loc_9DFD08
		mov	eax, large fs:124h
		mov	[ebp+var_4], ebx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _SepRmGlobalSaclLock
		call	ExAcquireResourceSharedLite
		push	ebx
		push	esi
		xor	edx, edx
		lea	ecx, [ebp+var_4]
		call	_SepRmGlobalSaclFind@16	; SepRmGlobalSaclFind(x,x,x,x)
		test	eax, eax
		js	short loc_9DFCF9
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_0]
		mov	edx, edi
		mov	[ebp+var_8], ebx
		mov	ecx, [ecx+0Ch]
		call	_SeMaximumAuditMask@16 ; SeMaximumAuditMask(x,x,x,x)
		mov	edx, [ebp+arg_4]
		mov	eax, [ebp+var_8]
		or	[edx], eax

loc_9DFCF9:				; CODE XREF: SeMaximumAuditMaskFromGlobalSacl(x,x,x,x)+45j
		mov	ecx, offset _SepRmGlobalSaclLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9DFD08:				; CODE XREF: SeMaximumAuditMaskFromGlobalSacl(x,x,x,x)+11j
					; SeMaximumAuditMaskFromGlobalSacl(x,x,x,x)+18j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SeMaximumAuditMaskFromGlobalSacl@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRmGlobalSaclFind(x, x, x, x)
_SepRmGlobalSaclFind@16	proc near	; CODE XREF: SepExamineGlobalSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+59p
					; NtSetSecurityObject+12619Bp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	_SepRmGlobalSaclHead, 0
		mov	eax, 0C0000034h
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	byte ptr [ebp+var_4], 0
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		jz	short loc_9DFDAD
		cmp	[ebp+arg_4], 0
		jz	short loc_9DFD58
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	eax, eax
		inc	eax
		push	eax
		push	offset _SepRmGlobalSaclLock
		mov	[ebp+var_4], eax
		call	ExAcquireResourceSharedLite

loc_9DFD58:				; CODE XREF: SepRmGlobalSaclFind(x,x,x,x)+28j
		mov	eax, _SepRmGlobalSaclHead
		mov	[ebx], eax
		test	esi, esi
		jz	short loc_9DFD66
		and	dword ptr [esi], 0

loc_9DFD66:				; CODE XREF: SepRmGlobalSaclFind(x,x,x,x)+52j
		mov	edi, eax
		jmp	short loc_9DFD86
; 

loc_9DFD6A:				; CODE XREF: SepRmGlobalSaclFind(x,x,x,x)+79j
		push	0
		lea	eax, [edi+4]
		push	eax
		push	[ebp+arg_0]
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jz	short loc_9DFDB4
		test	esi, esi
		jz	short loc_9DFD82
		mov	[esi], edi

loc_9DFD82:				; CODE XREF: SepRmGlobalSaclFind(x,x,x,x)+6Fj
		mov	edi, [edi]
		mov	[ebx], edi

loc_9DFD86:				; CODE XREF: SepRmGlobalSaclFind(x,x,x,x)+59j
		test	edi, edi
		jnz	short loc_9DFD6A
		mov	eax, 0C0000034h
		test	esi, esi
		jz	short loc_9DFD95
		and	[esi], edi

loc_9DFD95:				; CODE XREF: SepRmGlobalSaclFind(x,x,x,x)+82j
					; SepRmGlobalSaclFind(x,x,x,x)+AAj
		cmp	byte ptr [ebp+var_4], 0
		jz	short loc_9DFDAD
		mov	ecx, offset _SepRmGlobalSaclLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_8]

loc_9DFDAD:				; CODE XREF: SepRmGlobalSaclFind(x,x,x,x)+22j
					; SepRmGlobalSaclFind(x,x,x,x)+8Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_9DFDB4:				; CODE XREF: SepRmGlobalSaclFind(x,x,x,x)+6Bj
		xor	eax, eax
		mov	[ebp+var_8], eax
		jmp	short loc_9DFD95
_SepRmGlobalSaclFind@16	endp


;  S U B	R O U T	I N E 


; __stdcall SepIsAclEqual(x, x)
_SepIsAclEqual@8 proc near		; CODE XREF: SeSecurityDescriptorChangedAuditAlarm:loc_8F37E5p
					; SeTokenDefaultDaclChangedAuditAlarm+11B100p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jnz	short loc_9DFDCC
		test	edx, edx
		jz	short loc_9DFDEA

loc_9DFDC8:				; CODE XREF: SepIsAclEqual(x,x)+13j
					; SepIsAclEqual(x,x)+1Dj ...
		xor	al, al
		pop	esi
		retn
; 

loc_9DFDCC:				; CODE XREF: SepIsAclEqual(x,x)+7j
		test	edx, edx
		jz	short loc_9DFDC8
		movzx	eax, word ptr [esi+2]
		cmp	ax, [edx+2]
		jnz	short loc_9DFDC8
		push	eax		; Length
		push	edx		; Source2
		push	esi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		movzx	ecx, word ptr [esi+2]
		cmp	eax, ecx
		jnz	short loc_9DFDC8

loc_9DFDEA:				; CODE XREF: SepIsAclEqual(x,x)+Bj
		mov	al, 1
		pop	esi
		retn
_SepIsAclEqual@8 endp


;  S U B	R O U T	I N E 


; __stdcall SepIsRemovableStorageDevice(x)
_SepIsRemovableStorageDevice@4 proc near
					; CODE XREF: SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+5Fp
					; SepAdtClassifyObjectIntoSubCategory(x,x,x,x)+8Ap
		test	ecx, ecx
		jz	short loc_9DFE1B
		mov	eax, [ecx+2Ch]
		dec	eax
		sub	eax, 1
		jz	short loc_9DFE18
		sub	eax, 1Dh
		jz	short loc_9DFE18
		sub	eax, 0Eh
		jz	short loc_9DFE18
		sub	eax, 6
		jz	short loc_9DFE18
		sub	eax, 0Dh
		jz	short loc_9DFE18
		test	dword ptr [ecx+20h], 40001h
		jz	short loc_9DFE1B

loc_9DFE18:				; CODE XREF: SepIsRemovableStorageDevice(x)+Bj
					; SepIsRemovableStorageDevice(x)+10j ...
		mov	al, 1
		retn
; 

loc_9DFE1B:				; CODE XREF: SepIsRemovableStorageDevice(x)+2j
					; SepIsRemovableStorageDevice(x)+28j
		xor	al, al
		retn
_SepIsRemovableStorageDevice@4 endp


;  S U B	R O U T	I N E 


; __stdcall SepIsSidEqual(x, x)
_SepIsSidEqual@8 proc near		; CODE XREF: SeSecurityDescriptorChangedAuditAlarm:loc_8F3751p
					; SeSecurityDescriptorChangedAuditAlarm:loc_8F3789p
		test	ecx, ecx
		jnz	short loc_9DFE29
		test	edx, edx
		jz	short loc_9DFE38

loc_9DFE26:				; CODE XREF: SepIsSidEqual(x,x)+Dj
					; SepIsSidEqual(x,x)+18j
		xor	al, al
		retn
; 

loc_9DFE29:				; CODE XREF: SepIsSidEqual(x,x)+2j
		test	edx, edx
		jz	short loc_9DFE26
		push	edx
		push	ecx
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jz	short loc_9DFE26

loc_9DFE38:				; CODE XREF: SepIsSidEqual(x,x)+6j
		mov	al, 1
		retn
_SepIsSidEqual@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSDContainsAttributeACE(x)
_SepSDContainsAttributeACE@4 proc near	; CODE XREF: SepAdtOpenObjectAuditAlarm(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6C1p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		lea	eax, [ebp-2]
		xor	ebx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	eax
		lea	eax, [ebp-1]
		mov	[ebp+var_1], bl
		push	eax
		push	ecx
		mov	[ebp+var_C], ebx
		call	_RtlGetSaclSecurityDescriptor@16 ; RtlGetSaclSecurityDescriptor(x,x,x,x)
		test	eax, eax
		js	short loc_9DFE7D
		cmp	[ebp+var_1], bl
		jz	short loc_9DFE7D
		lea	eax, [ebp+var_C]
		push	eax
		push	12h
		push	[ebp+var_8]
		call	_RtlFindAceByType@12 ; RtlFindAceByType(x,x,x)
		test	eax, eax
		setnz	bl

loc_9DFE7D:				; CODE XREF: SepSDContainsAttributeACE(x)+28j
					; SepSDContainsAttributeACE(x)+2Dj
		mov	al, bl
		pop	ebx
		leave
		retn
_SepSDContainsAttributeACE@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSecurityDescriptorStrictLength(x)
_SepSecurityDescriptorStrictLength@4 proc near
					; CODE XREF: RtlLengthSecurityDescriptorStrict(x)j
					; SepCheckAndCopySelfRelativeSD(x,x,x,x)+83p ...

var_8		= dword	ptr -8
var_2		= word ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		movzx	eax, word ptr [esi+2]
		lea	edx, [esi+14h]
		mov	ecx, [esi+4]
		movzx	ebx, ax
		mov	[ebp+var_8], eax
		mov	ax, bx
		shr	ax, 0Fh
		mov	[ebp+var_2], ax
		test	bx, bx
		jns	short loc_9DFEB7
		lea	eax, [ecx+esi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_9DFEB7:				; CODE XREF: SepSecurityDescriptorStrictLength(x)+2Aj
		push	14h
		pop	edi
		test	ecx, ecx
		jz	short loc_9DFED2
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		lea	edi, [eax+14h]
		lea	edx, [ecx+eax]

loc_9DFED2:				; CODE XREF: SepSecurityDescriptorStrictLength(x)+3Aj
		mov	ecx, [esi+8]
		test	bx, bx
		jns	short loc_9DFEE3
		lea	eax, [ecx+esi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_9DFEE3:				; CODE XREF: SepSecurityDescriptorStrictLength(x)+56j
		test	ecx, ecx
		jz	short loc_9DFEFF
		movzx	eax, byte ptr [ecx+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	ecx, eax
		add	edi, eax
		cmp	ecx, edx
		jbe	short loc_9DFEFF
		mov	edx, ecx

loc_9DFEFF:				; CODE XREF: SepSecurityDescriptorStrictLength(x)+63j
					; SepSecurityDescriptorStrictLength(x)+79j
		test	byte ptr [ebp+var_8], 4
		jz	short loc_9DFF2E
		mov	ecx, [esi+10h]
		test	bx, bx
		jns	short loc_9DFF16
		lea	eax, [ecx+esi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_9DFF16:				; CODE XREF: SepSecurityDescriptorStrictLength(x)+89j
		test	ecx, ecx
		jz	short loc_9DFF2E
		movzx	eax, word ptr [ecx+2]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	ecx, eax
		add	edi, eax
		cmp	ecx, edx
		jbe	short loc_9DFF2E
		mov	edx, ecx

loc_9DFF2E:				; CODE XREF: SepSecurityDescriptorStrictLength(x)+81j
					; SepSecurityDescriptorStrictLength(x)+96j ...
		test	byte ptr [ebp+var_8], 10h
		jz	short loc_9DFF5D
		mov	ecx, [esi+0Ch]
		test	bx, bx
		jns	short loc_9DFF45
		lea	eax, [ecx+esi]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_9DFF45:				; CODE XREF: SepSecurityDescriptorStrictLength(x)+B8j
		test	ecx, ecx
		jz	short loc_9DFF5D
		movzx	eax, word ptr [ecx+2]
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	ecx, eax
		add	edi, eax
		cmp	ecx, edx
		jbe	short loc_9DFF5D
		mov	edx, ecx

loc_9DFF5D:				; CODE XREF: SepSecurityDescriptorStrictLength(x)+B0j
					; SepSecurityDescriptorStrictLength(x)+C5j ...
		cmp	byte ptr [ebp+var_2], 1
		jnz	short loc_9DFF67
		sub	edx, esi
		jmp	short loc_9DFF69
; 

loc_9DFF67:				; CODE XREF: SepSecurityDescriptorStrictLength(x)+DFj
		mov	edx, edi

loc_9DFF69:				; CODE XREF: SepSecurityDescriptorStrictLength(x)+E3j
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn
_SepSecurityDescriptorStrictLength@4 endp


;  S U B	R O U T	I N E 


; __stdcall SepComputeSidSignature(x)
_SepComputeSidSignature@4 proc near	; CODE XREF: SepRmReferenceFindCap(x,x)+3Dp
		movzx	eax, byte ptr [ecx+1]
		mov	eax, [ecx+eax*4+4]
		test	eax, eax
		jnz	short locret_9DFF7D
		inc	eax

locret_9DFF7D:				; CODE XREF: SepComputeSidSignature(x)+Aj
		retn
_SepComputeSidSignature@4 endp

; 
		align 10h
		db 0CCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepDeReferenceSharedSidEntries(x, x)
_SepDeReferenceSharedSidEntries@8 proc near ; CODE XREF: SepFreeTokenCapabilities+D59B5p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		mov	edi, ecx
		mov	ebx, edx
		mov	[ebp+var_4], edi
		nop
		mov	ecx, ds:_g_SepSidMapping
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		xor	esi, esi
		or	eax, 0FFFFFFFFh
		test	ebx, ebx
		jz	short loc_9DFFFE

loc_9DFFB5:				; CODE XREF: SepDeReferenceSharedSidEntries(x,x)+7Bj
		mov	ecx, [edi+esi*8]
		call	_SepFindSharedSidEntry@4 ; SepFindSharedSidEntry(x)
		mov	edi, eax
		or	eax, 0FFFFFFFFh
		mov	ecx, eax
		lock xadd [edi+0Ch], ecx
		dec	ecx
		test	ecx, ecx
		jg	short loc_9DFFF6
		jz	short loc_9DFFD7
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_9DFFF6
; 

loc_9DFFD7:				; CODE XREF: SepDeReferenceSharedSidEntries(x,x)+4Dj
		mov	eax, ds:_g_SepSidMapping
		push	0
		push	edi
		push	dword ptr [eax+4]
		call	RtlRemoveEntryHashTable
		test	al, al
		jz	short loc_9DFFF3
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9DFFF3:				; CODE XREF: SepDeReferenceSharedSidEntries(x,x)+68j
		or	eax, 0FFFFFFFFh

loc_9DFFF6:				; CODE XREF: SepDeReferenceSharedSidEntries(x,x)+4Bj
					; SepDeReferenceSharedSidEntries(x,x)+54j
		mov	edi, [ebp+var_4]
		inc	esi
		cmp	esi, ebx
		jb	short loc_9DFFB5

loc_9DFFFE:				; CODE XREF: SepDeReferenceSharedSidEntries(x,x)+32j
		mov	esi, ds:_g_SepSidMapping
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E0015
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E0015:				; CODE XREF: SepDeReferenceSharedSidEntries(x,x)+8Bj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SepDeReferenceSharedSidEntries@8 endp


;  S U B	R O U T	I N E 


; __stdcall SepDeleteClaimAttributes(x)
_SepDeleteClaimAttributes@4 proc near	; CODE XREF: SepSetTokenClaims+11B1A4p
					; SepDeleteLogonSessionTrack+A65BCp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_9E008D
		mov	ecx, [esi+120h]
		push	edi
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_9E0053
		call	AuthzBasepFreeSecurityAttributesList
		push	edi
		push	dword ptr [esi+120h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+120h], edi

loc_9E0053:				; CODE XREF: SepDeleteClaimAttributes(x)+14j
		mov	ecx, [esi+124h]
		test	ecx, ecx
		jz	short loc_9E0074
		call	AuthzBasepFreeSecurityAttributesList
		push	edi
		push	dword ptr [esi+124h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+124h], edi

loc_9E0074:				; CODE XREF: SepDeleteClaimAttributes(x)+35j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_9E0085
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+4], edi

loc_9E0085:				; CODE XREF: SepDeleteClaimAttributes(x)+53j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi

loc_9E008D:				; CODE XREF: SepDeleteClaimAttributes(x)+7j
		pop	esi
		retn
_SepDeleteClaimAttributes@4 endp


;  S U B	R O U T	I N E 


; __stdcall SepDeleteTokenClaims(x)
_SepDeleteTokenClaims@4	proc near	; CODE XREF: SepTokenDeleteMethod+FE90Fp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	dword ptr [esi+0B0h], 8000h
		jz	short loc_9E00AB
		mov	ecx, [esi+27Ch]
		call	_SepDeleteClaimAttributes@4 ; SepDeleteClaimAttributes(x)

loc_9E00AB:				; CODE XREF: SepDeleteTokenClaims(x)+Fj
		and	dword ptr [esi+27Ch], 0
		pop	esi
		retn
_SepDeleteTokenClaims@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepDuplicateClaimAttributes(x, x)
_SepDuplicateClaimAttributes@8 proc near ; CODE	XREF: SepConvertToOwnTokenClaims+DF3FEp
					; SepDuplicateTokenClaims(x,x)+2Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		xor	ecx, ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_C], ecx
		mov	esi, ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_1], cl
		mov	[ebp+var_2], cl
		mov	[ebp+var_8], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_18], ecx
		test	ebx, ebx
		jnz	short loc_9E00ED
		mov	eax, 0C000000Dh
		jmp	loc_9E0255
; 

loc_9E00ED:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+2Dj
		mov	[ebx], ecx
		test	edi, edi
		jnz	short loc_9E00FA
		xor	eax, eax
		jmp	loc_9E0255
; 

loc_9E00FA:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+3Dj
		call	_AuthzBasepAllocateClaimCollectionNoLists@0 ; AuthzBasepAllocateClaimCollectionNoLists()
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9E010F
		mov	esi, 0C000009Ah
		jmp	loc_9E0253
; 

loc_9E010F:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+4Fj
		cmp	[edi+120h], esi
		jz	short loc_9E0153
		call	_AuthzBasepAllocateSecurityAttributesList@0 ; AuthzBasepAllocateSecurityAttributesList()
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_9E012D
		mov	esi, 0C000009Ah
		jmp	loc_9E024B
; 

loc_9E012D:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+6Dj
		mov	ecx, [edi+120h]
		mov	edx, eax
		push	0
		call	AuthzBasepDuplicateSecurityAttributes
		mov	esi, eax
		test	esi, esi
		js	loc_9E0204
		mov	eax, [ebp+var_C]
		mov	[ebp+var_1], 1
		mov	[ebx+120h], eax

loc_9E0153:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+61j
		cmp	dword ptr [edi+124h], 0
		jz	short loc_9E0194
		call	_AuthzBasepAllocateSecurityAttributesList@0 ; AuthzBasepAllocateSecurityAttributesList()
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_9E0172

loc_9E0168:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+110j
		mov	esi, 0C000009Ah
		jmp	loc_9E0204
; 

loc_9E0172:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+B2j
		mov	ecx, [edi+124h]
		mov	edx, eax
		push	0
		call	AuthzBasepDuplicateSecurityAttributes
		mov	esi, eax
		test	esi, esi
		js	short loc_9E0204
		mov	eax, [ebp+var_10]
		mov	[ebp+var_2], 1
		mov	[ebx+124h], eax

loc_9E0194:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+A6j
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	short loc_9E01FB
		mov	edx, [edi]
		test	edx, edx
		jz	short loc_9E01FB
		lea	eax, [ebp+var_8]
		push	eax
		call	_SepLengthSidAndAttributesArray@12 ; SepLengthSidAndAttributesArray(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E0204
		push	64546553h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_9E0168
		mov	edx, [edi]	; int
		lea	ecx, [ebp+var_20]
		push	ecx		; int
		lea	ecx, [ebp+var_18]
		push	ecx		; int
		push	ecx		; int
		push	ecx		; int
		push	[ebp+var_8]	; int
		mov	ecx, [edi+4]	; void *
		push	eax		; void *
		push	0		; char
		call	SeCaptureSidAndAttributesArray
		mov	esi, eax
		test	esi, esi
		js	short loc_9E0204
		mov	ecx, [edi]
		lea	eax, [ebx+10h]
		mov	edx, [ebp+var_14]
		push	eax		; void *
		push	ecx		; int
		push	edx		; int
		mov	[ebx], ecx
		mov	[ebx+4], edx
		call	RtlSidHashInitialize

loc_9E01FB:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+E5j
					; SepDuplicateClaimAttributes(x,x)+EBj
		mov	eax, [ebp+var_1C]
		mov	[eax], ebx
		test	esi, esi
		jns	short loc_9E0253

loc_9E0204:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+8Cj
					; SepDuplicateClaimAttributes(x,x)+B9j	...
		mov	edi, [ebp+var_C]
		test	edi, edi
		jz	short loc_9E0220
		cmp	[ebp+var_1], 0
		jz	short loc_9E0218
		mov	ecx, edi
		call	AuthzBasepFreeSecurityAttributesList

loc_9E0218:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+15Bj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E0220:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+155j
		mov	edi, [ebp+var_10]
		test	edi, edi
		jz	short loc_9E023C
		cmp	[ebp+var_2], 0
		jz	short loc_9E0234
		mov	ecx, edi
		call	AuthzBasepFreeSecurityAttributesList

loc_9E0234:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+177j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E023C:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+171j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_9E024B
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E024B:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+74j
					; SepDuplicateClaimAttributes(x,x)+18Dj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E0253:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+56j
					; SepDuplicateClaimAttributes(x,x)+14Ej
		mov	eax, esi

loc_9E0255:				; CODE XREF: SepDuplicateClaimAttributes(x,x)+34j
					; SepDuplicateClaimAttributes(x,x)+41j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SepDuplicateClaimAttributes@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepDuplicateTokenClaims(x, x)
_SepDuplicateTokenClaims@8 proc	near	; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+453p
					; SepDuplicateToken(x,x,x,x,x,x,x,x)+779p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, 8000h
		mov	esi, edx
		test	[ecx+0B0h], edi
		jz	short loc_9E02A2
		mov	eax, [ecx+27Ch]
		test	eax, eax
		jz	short loc_9E02A2
		lea	edx, [ebp+var_4]
		mov	ecx, eax
		call	_SepDuplicateClaimAttributes@8 ; SepDuplicateClaimAttributes(x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_9E02B0
		mov	eax, [ebp+var_4]
		or	[esi+0B0h], edi
		mov	[esi+27Ch], eax
		mov	eax, ecx
		jmp	short loc_9E02B0
; 

loc_9E02A2:				; CODE XREF: SepDuplicateTokenClaims(x,x)+19j
					; SepDuplicateTokenClaims(x,x)+23j
		mov	eax, [ecx+27Ch]
		mov	[esi+27Ch], eax
		xor	eax, eax

loc_9E02B0:				; CODE XREF: SepDuplicateTokenClaims(x,x)+33j
					; SepDuplicateTokenClaims(x,x)+46j
		pop	edi
		pop	esi
		leave
		retn
_SepDuplicateTokenClaims@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepFindMatchingLowBoxNumberEntries(x, x, x,	x, x)
_SepFindMatchingLowBoxNumberEntries@20 proc near
					; CODE XREF: SepIsParentOfChildAppContainer(x,x,x)+9Dp

var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], edx
		lea	edi, [ebp+var_1C]
		xor	ebx, ebx
		stosd
		mov	esi, ecx
		mov	[ebp+var_1], bl
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_8]
		mov	edi, [ebp+arg_4]
		mov	[eax], ebx
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		mov	[edi], ebx
		call	_RtlInitEnumerationHashTable@8 ; RtlInitEnumerationHashTable(x,x)
		test	al, al
		jnz	short loc_9E031B

loc_9E02EB:				; CODE XREF: SepFindMatchingLowBoxNumberEntries(x,x,x,x,x)+82j
					; SepFindMatchingLowBoxNumberEntries(x,x,x,x,x)+87j
		mov	eax, 0C0000225h

loc_9E02F0:				; CODE XREF: SepFindMatchingLowBoxNumberEntries(x,x,x,x,x)+8Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_9E02F7:				; CODE XREF: SepFindMatchingLowBoxNumberEntries(x,x,x,x,x)+73j
		mov	ecx, [eax+14h]
		cmp	ecx, [ebp+var_8]
		jnz	short loc_9E0308
		mov	bl, 1
		mov	[edi], eax
		cmp	[ebp+var_1], bl
		jmp	short loc_9E0319
; 

loc_9E0308:				; CODE XREF: SepFindMatchingLowBoxNumberEntries(x,x,x,x,x)+49j
		cmp	ecx, [ebp+arg_0]
		jnz	short loc_9E031B
		mov	ecx, [ebp+arg_8]
		cmp	bl, 1
		mov	[ebp+var_1], 1
		mov	[ecx], eax

loc_9E0319:				; CODE XREF: SepFindMatchingLowBoxNumberEntries(x,x,x,x,x)+52j
		jz	short loc_9E0329

loc_9E031B:				; CODE XREF: SepFindMatchingLowBoxNumberEntries(x,x,x,x,x)+35j
					; SepFindMatchingLowBoxNumberEntries(x,x,x,x,x)+57j
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	RtlEnumerateEntryHashTable
		test	eax, eax
		jnz	short loc_9E02F7

loc_9E0329:				; CODE XREF: SepFindMatchingLowBoxNumberEntries(x,x,x,x,x):loc_9E0319j
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	_RtlEndEnumerationHashTable@8 ;	RtlEndEnumerationHashTable(x,x)
		cmp	bl, 1
		jnz	short loc_9E02EB
		cmp	[ebp+var_1], bl
		jnz	short loc_9E02EB
		xor	eax, eax
		jmp	short loc_9E02F0
_SepFindMatchingLowBoxNumberEntries@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepFindSharedSidEntry(x)
_SepFindSharedSidEntry@4 proc near	; CODE XREF: SepDeReferenceSharedSidEntries(x,x)+37p
					; SepInsertOrReferenceSharedSidEntries(x,x,x)+53p ...

var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_4], ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		movzx	eax, byte ptr [ecx+1]
		xor	edi, edi
		mov	eax, [ecx+eax*4+4]
		test	eax, eax
		jnz	short loc_9E0366
		inc	eax

loc_9E0366:				; CODE XREF: SepFindSharedSidEntry(x)+22j
		mov	ebx, ds:_g_SepSidMapping
		lea	ecx, [ebp+var_10]
		push	ecx
		push	eax
		push	dword ptr [ebx+4]
		call	_RtlLookupEntryHashTable@12 ; RtlLookupEntryHashTable(x,x,x)
		jmp	short loc_9E0396
; 

loc_9E037B:				; CODE XREF: SepFindSharedSidEntry(x)+59j
		push	dword ptr [esi+10h]
		push	[ebp+var_4]
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_9E039E
		lea	eax, [ebp+var_10]
		push	eax
		push	dword ptr [ebx+4]
		call	RtlGetNextEntryHashTable

loc_9E0396:				; CODE XREF: SepFindSharedSidEntry(x)+38j
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9E037B
		jmp	short loc_9E03A0
; 

loc_9E039E:				; CODE XREF: SepFindSharedSidEntry(x)+47j
		mov	edi, esi

loc_9E03A0:				; CODE XREF: SepFindSharedSidEntry(x)+5Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SepFindSharedSidEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepInsertOrReferenceSharedSidEntries(x, x, x)
_SepInsertOrReferenceSharedSidEntries@12 proc near ; CODE XREF:	NtCreateTokenEx+1274F7p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		xor	edi, edi
		mov	[ebp+var_4], ebx
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, ds:_g_SepSidMapping
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		xor	esi, esi
		or	eax, 0FFFFFFFFh
		cmp	[ebp+arg_0], esi
		jz	loc_9E04AB
		mov	ecx, [ebp+var_8]
		mov	eax, ebx
		sub	eax, ecx
		mov	[ebp+var_10], eax
		lea	edi, [ecx+4]

loc_9E03F2:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+F9j
		mov	eax, [eax+edi]
		mov	[edi], eax
		mov	ecx, [ebx+esi*8]
		call	_SepFindSharedSidEntry@4 ; SepFindSharedSidEntry(x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_9E041D
		xor	eax, eax
		inc	eax
		lock xadd [edx+0Ch], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_9E0418
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9E0418:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+6Aj
		mov	eax, [edx+10h]
		jmp	short loc_9E0493
; 

loc_9E041D:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+5Cj
		mov	eax, [ebx+esi*8]
		push	73536553h
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:38h[eax*8]
		push	eax
		push	1
		mov	[ebp+var_C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9E04EC
		mov	ecx, [ebp+var_4]
		lea	eax, [ebx+14h]
		mov	[ebx+10h], eax
		mov	dword ptr [ebx+0Ch], 1
		push	dword ptr [ecx+esi*8] ;	void *
		push	eax		; void *
		mov	eax, [ebp+var_C]
		add	eax, 0FFFFFFECh
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		mov	eax, [ebp+var_4]
		mov	ecx, [eax+esi*8]
		movzx	eax, byte ptr [ecx+1]
		mov	eax, [ecx+eax*4+4]
		test	eax, eax
		jnz	short loc_9E0478
		inc	eax

loc_9E0478:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+CEj
		push	0
		push	eax
		mov	eax, ds:_g_SepSidMapping
		push	ebx
		push	dword ptr [eax+4]
		call	RtlInsertEntryHashTable
		test	al, al
		jz	short loc_9E04D7
		mov	eax, [ebx+10h]
		mov	ebx, [ebp+var_4]

loc_9E0493:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+74j
		mov	[edi-4], eax
		inc	esi
		mov	eax, [ebp+var_10]
		add	edi, 8
		cmp	esi, [ebp+arg_0]
		jb	loc_9E03F2
		xor	edi, edi

loc_9E04A8:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+151j
		or	eax, 0FFFFFFFFh

loc_9E04AB:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+38j
					; SepInsertOrReferenceSharedSidEntries(x,x,x)+1A4j
		mov	esi, ds:_g_SepSidMapping
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E04C2
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E04C2:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+112j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_9E04D7:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+E4j
		push	73536553h
		mov	edi, 0C0000001h
		push	ebx
		mov	[ebp+arg_0], edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9E04F4
; 

loc_9E04EC:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+98j
		mov	edi, 0C0000017h
		mov	[ebp+arg_0], edi

loc_9E04F4:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+143j
		xor	ebx, ebx
		test	esi, esi
		jz	short loc_9E04A8
		mov	edi, [ebp+var_8]

loc_9E04FD:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+19Fj
		mov	ecx, [edi+ebx*8]
		call	_SepFindSharedSidEntry@4 ; SepFindSharedSidEntry(x)
		mov	edx, eax
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_10], edx
		mov	ecx, eax
		lock xadd [edx+0Ch], ecx
		dec	ecx
		test	ecx, ecx
		jg	short loc_9E0543
		jz	short loc_9E0522
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		jmp	short loc_9E0543
; 

loc_9E0522:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+172j
		mov	eax, ds:_g_SepSidMapping
		push	0
		push	edx
		push	dword ptr [eax+4]
		call	RtlRemoveEntryHashTable
		test	al, al
		jz	short loc_9E0540
		push	0
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E0540:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+18Dj
		or	eax, 0FFFFFFFFh

loc_9E0543:				; CODE XREF: SepInsertOrReferenceSharedSidEntries(x,x,x)+170j
					; SepInsertOrReferenceSharedSidEntries(x,x,x)+179j
		inc	ebx
		cmp	ebx, esi
		jb	short loc_9E04FD
		mov	edi, [ebp+arg_0]
		jmp	loc_9E04AB
_SepInsertOrReferenceSharedSidEntries@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepIsParentOfChildAppContainer(x, x, x)
_SepIsParentOfChildAppContainer@12 proc	near
					; CODE XREF: SeIsParentOfChildAppContainer(x,x,x)+Ep

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_1], bl
		test	edi, edi
		jz	loc_9E0676
		cmp	[ebp+arg_0], ebx
		jz	loc_9E0676
		mov	ecx, offset _LowboxSessionMapLock
		cmp	esi, 5
		jnb	short loc_9E0595
		imul	eax, esi, 14h
		add	eax, offset _g_SessionLowboxArray
		mov	[ebp+var_8], eax
		jmp	short loc_9E05C3
; 

loc_9E0595:				; CODE XREF: SepIsParentOfChildAppContainer(x,x,x)+36j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		lea	eax, [ebp+var_8]
		mov	[ebp+var_1], 1
		push	eax
		xor	dl, dl
		mov	ecx, esi
		call	_SepGetTokenSessionMapEntry@12 ; SepGetTokenSessionMapEntry(x,x,x)
		test	eax, eax
		js	loc_9E0645

loc_9E05C3:				; CODE XREF: SepIsParentOfChildAppContainer(x,x,x)+43j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+var_8]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi+0Ch]
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_10]
		mov	edx, edi
		push	eax
		push	[ebp+arg_0]
		call	_SepFindMatchingLowBoxNumberEntries@20 ; SepFindMatchingLowBoxNumberEntries(x,x,x,x,x)
		test	eax, eax
		jns	short loc_9E0603
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jmp	short loc_9E0623
; 

loc_9E0603:				; CODE XREF: SepIsParentOfChildAppContainer(x,x,x)+A4j
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		mov	edx, [edx+10h]
		mov	ecx, [ecx+10h]
		call	_RtlIsParentOfChildAppContainer@8 ; RtlIsParentOfChildAppContainer(x,x)
		mov	bl, al
		or	ecx, 0FFFFFFFFh
		lock xadd [esi], ecx
		and	cl, 6
		cmp	cl, 2

loc_9E0623:				; CODE XREF: SepIsParentOfChildAppContainer(x,x,x)+B1j
		jnz	short loc_9E062C
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E062C:				; CODE XREF: SepIsParentOfChildAppContainer(x,x,x):loc_9E0623j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[ebp+var_1], 0
		jz	short loc_9E0672

loc_9E0645:				; CODE XREF: SepIsParentOfChildAppContainer(x,x,x)+6Dj
		push	11h
		xor	edx, edx
		mov	esi, offset _LowboxSessionMapLock
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_9E065F
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9E065F:				; CODE XREF: SepIsParentOfChildAppContainer(x,x,x)+106j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9E0672:				; CODE XREF: SepIsParentOfChildAppContainer(x,x,x)+F3j
		mov	al, bl
		jmp	short loc_9E0678
; 

loc_9E0676:				; CODE XREF: SepIsParentOfChildAppContainer(x,x,x)+1Fj
					; SepIsParentOfChildAppContainer(x,x,x)+28j
		xor	al, al

loc_9E0678:				; CODE XREF: SepIsParentOfChildAppContainer(x,x,x)+124j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SepIsParentOfChildAppContainer@12 endp


;  S U B	R O U T	I N E 


; __stdcall SepReferenceLowBoxNumberEntry(x)
_SepReferenceLowBoxNumberEntry@4 proc near
					; CODE XREF: SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+736p
					; SepFilterToken(x,x,x,x,x,x,x,x,x,x,x)+751p ...
		xor	eax, eax
		inc	eax
		lock xadd [ecx+0Ch], eax
		inc	eax
		cmp	eax, 1
		jg	short locret_9E0692
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

locret_9E0692:				; CODE XREF: SepReferenceLowBoxNumberEntry(x)+Cj
		retn
_SepReferenceLowBoxNumberEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtCopyToLsaSharedMemory(x, x, x, x)
_SepAdtCopyToLsaSharedMemory@16	proc near ; CODE XREF: SepRmDispatchDataToLsa+81FF0p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+arg_0]
		push	4
		push	1000h
		push	eax
		mov	ebx, ecx
		mov	[ebp+var_C], edx
		xor	ecx, ecx
		mov	[ebp+arg_0], edi
		push	ecx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ecx
		push	eax
		push	ebx
		mov	[ebp+var_8], ecx
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E0705
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		push	[ebp+var_C]
		push	[ebp+var_4]
		push	ebx
		call	_ZwWriteVirtualMemory@20 ; ZwWriteVirtualMemory(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E06EE
		cmp	edi, [ebp+var_8]
		jz	short loc_9E070E
		mov	esi, 0C0000001h

loc_9E06EE:				; CODE XREF: SepAdtCopyToLsaSharedMemory(x,x,x,x)+4Fj
		and	[ebp+arg_0], 0
		lea	eax, [ebp+arg_0]
		push	8000h
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)

loc_9E0705:				; CODE XREF: SepAdtCopyToLsaSharedMemory(x,x,x,x)+38j
					; SepAdtCopyToLsaSharedMemory(x,x,x,x)+83j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_9E070E:				; CODE XREF: SepAdtCopyToLsaSharedMemory(x,x,x,x)+54j
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		jmp	short loc_9E0705
_SepAdtCopyToLsaSharedMemory@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAuditFailed(x)
_SepAuditFailed@4 proc near		; CODE XREF: SepRmCallLsa+82140p
					; SepRmDispatchDataToLsa+81FFCp ...

var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= word ptr -2B8h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	[esp+18h+var_8], ebx
		mov	[esp+18h+var_4], ebx
		cmp	_SepCrashOnAuditFail, bl
		jz	short loc_9E0746
		cmp	ds:_SepAdtRegNotifyHandle, ebx
		jnz	short loc_9E074F
		mov	_SepCrashOnAuditFail, bl

loc_9E0746:				; CODE XREF: SepAuditFailed(x)+1Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_9E074F:				; CODE XREF: SepAuditFailed(x)+26j
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		call	_SepAdtLogAuditFailureEvent@8 ;	SepAdtLogAuditFailureEvent(x,x)
		push	offset ??_C@_1CC@LOHLDOPL@?$AAC?$AAr?$AAa?$AAs?$AAh?$AAO?$AAn?$AAA?$AAu?$AAd?$AAi?$AAt?$AAF?$AAa?$AAi@NNGAKEGL@
		lea	eax, [esp+1Ch+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[esp+18h+var_C], 2
		mov	edi, 0C000009Ah
		mov	esi, 0C0000017h

loc_9E077A:				; CODE XREF: SepAuditFailed(x)+7Ej
					; SepAuditFailed(x)+82j
		push	4
		lea	eax, [esp+1Ch+var_C]
		push	eax
		push	4
		push	ebx
		lea	eax, [esp+28h+var_8]
		push	eax
		push	ds:_SepAdtRegNotifyHandle
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		cmp	eax, edi
		jz	short loc_9E077A
		cmp	eax, esi
		jz	short loc_9E077A
		test	eax, eax
		js	short loc_9E07B3

loc_9E07A0:				; CODE XREF: SepAuditFailed(x)+95j
					; SepAuditFailed(x)+99j
		push	ds:_SepAdtRegNotifyHandle
		call	_ZwFlushKey@4	; ZwFlushKey(x)
		cmp	eax, edi
		jz	short loc_9E07A0
		cmp	eax, esi
		jz	short loc_9E07A0

loc_9E07B3:				; CODE XREF: SepAuditFailed(x)+86j
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+arg_0]
		push	0C0000244h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall SepReadAndInsertCaps(x, x, x)
_SepReadAndInsertCaps@12:		; CODE XREF: SepBuildCapPolicyTable+82D69p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2E0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		lea	esi, [edx+32h]
		mov	[ebp+var_2C8], ecx
		mov	ecx, [eax+2Ch]
		xor	ebx, ebx
		and	[ebp+var_2C0], ebx
		and	[ebp+var_2BC], ebx
		push	70536553h
		push	esi
		mov	[ebp+var_2DC], eax
		mov	eax, [eax+28h]
		push	1
		mov	[ebp+var_2CC], ebx
		mov	[ebp+var_2D4], ecx
		mov	[ebp+var_2D8], eax
		mov	[ebp+var_2C4], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9E0837

loc_9E082D:				; CODE XREF: SepAuditFailed(x)+160j
					; SepAuditFailed(x)+1EEj ...
		mov	esi, 0C000009Ah
		jmp	loc_9E0AAF
; 

loc_9E0837:				; CODE XREF: SepAuditFailed(x)+113j
		lea	eax, [ebp+var_2BC]
		push	eax
		push	esi
		push	edi
		push	2
		push	[ebp+var_2C8]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9E08A6
		cmp	esi, 80000005h
		jz	short loc_9E0867
		cmp	esi, 0C0000023h
		jnz	loc_9E0A9C

loc_9E0867:				; CODE XREF: SepAuditFailed(x)+141j
		mov	edx, [ebp+var_2BC]
		mov	ecx, edi
		call	_SepRmCapPoolExpand@8 ;	SepRmCapPoolExpand(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_9E082D
		mov	eax, [ebp+var_2BC]
		lea	ecx, [ebp+var_2BC]
		push	ecx
		push	eax
		push	edi
		push	2
		push	[ebp+var_2C8]
		mov	[ebp+var_2C4], eax
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E0AAF

loc_9E08A6:				; CODE XREF: SepAuditFailed(x)+139j
		mov	ecx, [edi+14h]
		xor	eax, eax
		mov	[ebp+var_2E0], ecx
		mov	[ebp+var_2D0], eax
		test	ecx, ecx
		jz	loc_9E0A9C

loc_9E08BF:				; CODE XREF: SepAuditFailed(x)+377j
		lea	ecx, [ebp+var_2BC]
		push	ecx
		push	[ebp+var_2C4]
		push	edi
		push	0
		push	eax
		push	[ebp+var_2C8]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9E093E
		cmp	esi, 80000005h
		jz	short loc_9E08F5
		cmp	esi, 0C0000023h
		jnz	loc_9E0A9C

loc_9E08F5:				; CODE XREF: SepAuditFailed(x)+1CFj
		mov	edx, [ebp+var_2BC]
		mov	ecx, edi
		call	_SepRmCapPoolExpand@8 ;	SepRmCapPoolExpand(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9E082D
		mov	eax, [ebp+var_2BC]
		lea	ecx, [ebp+var_2BC]
		push	ecx
		push	eax
		push	edi
		push	0
		push	[ebp+var_2D0]
		mov	[ebp+var_2C4], eax
		push	[ebp+var_2C8]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E0AAF

loc_9E093E:				; CODE XREF: SepAuditFailed(x)+1C7j
		mov	eax, [edi+0Ch]
		xor	ecx, ecx
		shr	eax, 1
		mov	[edi+eax*2+10h], cx
		lea	eax, [edi+10h]
		push	eax
		push	offset ??_C@_1KM@DMAJKNMF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; char
		push	offset ??_C@_1M@DFKENGJN@?$AA?$CF?$AAs?$AA?2?$AA?$CF?$AAs@NNGAKEGL@ ; "%s\\%s"
		lea	eax, [ebp+var_2B8]
		push	156h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 14h
		test	esi, esi
		js	loc_9E0AAF
		lea	eax, [ebp+var_2C0]
		mov	edx, 201h
		push	eax
		lea	ecx, [ebp+var_2B8]
		call	_SepRegOpenKey@12 ; SepRegOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E0AAF
		lea	eax, [ebp+var_2BC]
		push	eax
		push	[ebp+var_2C4]
		push	edi
		push	2
		push	[ebp+var_2C0]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9E0A0F
		cmp	esi, 80000005h
		jz	short loc_9E09CC
		cmp	esi, 0C0000023h
		jnz	loc_9E0A9C

loc_9E09CC:				; CODE XREF: SepAuditFailed(x)+2A6j
		mov	edx, [ebp+var_2BC]
		mov	ecx, edi
		call	_SepRmCapPoolExpand@8 ;	SepRmCapPoolExpand(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9E082D
		mov	eax, [ebp+var_2BC]
		lea	ecx, [ebp+var_2BC]
		push	ecx
		push	eax
		push	edi
		push	2
		push	[ebp+var_2C0]
		mov	[ebp+var_2C4], eax
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E0AAF

loc_9E0A0F:				; CODE XREF: SepAuditFailed(x)+29Ej
		mov	edx, [edi+28h]
		lea	eax, [ebp+var_2CC]
		mov	ecx, [ebp+var_2C0]
		push	eax
		push	[ebp+var_2D4]
		push	[ebp+var_2D8]
		call	_SepReadSingleCap@20 ; SepReadSingleCap(x,x,x,x,x)
		mov	ebx, [ebp+var_2CC]
		mov	esi, eax
		test	esi, esi
		js	short loc_9E0AA0
		mov	edx, [ebp+var_2DC]
		mov	[ebx+10h], edx
		mov	ecx, [ebx+0Ch]
		movzx	eax, byte ptr [ecx+1]
		mov	eax, [ecx+eax*4+4]
		test	eax, eax
		jnz	short loc_9E0A55
		inc	eax

loc_9E0A55:				; CODE XREF: SepAuditFailed(x)+33Aj
		push	0
		push	eax
		push	ebx
		push	edx
		call	RtlInsertEntryHashTable
		test	al, al
		jz	short loc_9E0A97
		push	[ebp+var_2C0]
		xor	ebx, ebx
		mov	[ebp+var_2CC], ebx
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_2D0]
		and	[ebp+var_2C0], ebx
		inc	eax
		mov	[ebp+var_2D0], eax
		cmp	eax, [ebp+var_2E0]
		jb	loc_9E08BF
		jmp	short loc_9E0A9C
; 

loc_9E0A97:				; CODE XREF: SepAuditFailed(x)+349j
		mov	esi, 0C000009Ah

loc_9E0A9C:				; CODE XREF: SepAuditFailed(x)+149j
					; SepAuditFailed(x)+1A1j ...
		test	esi, esi
		jns	short loc_9E0AC3

loc_9E0AA0:				; CODE XREF: SepAuditFailed(x)+322j
		test	ebx, ebx
		jz	short loc_9E0AAF
		push	70536553h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E0AAF:				; CODE XREF: SepAuditFailed(x)+11Aj
					; SepAuditFailed(x)+188j ...
		cmp	[ebp+var_2C0], 0
		jz	short loc_9E0AC3
		push	[ebp+var_2C0]
		call	_ZwClose@4	; ZwClose(x)

loc_9E0AC3:				; CODE XREF: SepAuditFailed(x)+386j
					; SepAuditFailed(x)+39Ej
		test	edi, edi
		jz	short loc_9E0AD2
		push	70536553h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E0AD2:				; CODE XREF: SepAuditFailed(x)+3ADj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_SepAuditFailed@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepReadSingleCap(x,	x, x, x, x)
_SepReadSingleCap@20 proc near		; CODE XREF: SepAuditFailed(x)+313p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		lea	ebx, [edx+12h]
		xor	eax, eax
		push	70536553h
		push	ebx
		mov	esi, ecx
		mov	[ebp+var_18], eax
		push	1
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9E0B20
		mov	esi, 0C000009Ah
		jmp	loc_9E0D25
; 

loc_9E0B20:				; CODE XREF: SepReadSingleCap(x,x,x,x,x)+2Fj
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		push	edi
		push	2
		push	offset _ContainedCapes
		push	esi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E0D1A
		mov	ecx, [edi+8]
		mov	eax, ecx
		shr	eax, 2
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		push	edi
		push	2
		push	offset _CapeName
		push	[ebp+var_8]
		mov	[ebp+var_10], ecx
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E0D1A
		mov	eax, [ebp+var_10]
		lea	eax, ds:29h[eax*4]
		and	eax, 0FFFFFFFEh
		add	eax, [edi+8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		push	edi
		push	2
		push	offset _CapSid
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E0D1A
		mov	esi, [ebp+var_14]
		add	esi, [edi+8]
		push	70536553h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9E0BC2
		mov	esi, 0C000009Ah
		jmp	loc_9E0D1A
; 

loc_9E0BC2:				; CODE XREF: SepReadSingleCap(x,x,x,x,x)+D1j
		lea	eax, [ebx+esi]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_C]
		push	edi
		push	2
		push	offset _CapeFlags
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E0D1A
		cmp	dword ptr [edi+8], 4
		jz	short loc_9E0BF9
		mov	esi, 0C000000Dh
		jmp	loc_9E0D1A
; 

loc_9E0BF9:				; CODE XREF: SepReadSingleCap(x,x,x,x,x)+108j
		mov	eax, [edi+0Ch]
		mov	[ebx+1Ch], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_C]
		push	edi
		push	2
		push	offset _CapeName
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E0D1A
		mov	eax, [ebp+var_10]
		lea	esi, ds:29h[eax*4]
		mov	eax, [edi+8]
		add	esi, ebx
		and	esi, 0FFFFFFFEh
		add	eax, esi
		cmp	eax, [ebp+var_14]
		jbe	short loc_9E0C43

loc_9E0C39:				; CODE XREF: SepReadSingleCap(x,x,x,x,x)+1AFj
					; SepReadSingleCap(x,x,x,x,x)+1F9j
		mov	esi, 0C0000023h
		jmp	loc_9E0D1A
; 

loc_9E0C43:				; CODE XREF: SepReadSingleCap(x,x,x,x,x)+152j
		movzx	eax, word ptr [edi+8]
		mov	[ebx+16h], ax
		mov	[ebx+14h], ax
		lea	eax, [edi+0Ch]
		mov	[ebx+18h], esi
		push	dword ptr [edi+8] ; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esi, [edi+8]
		lea	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	[ebp+var_1C], esi
		push	eax
		push	[ebp+var_C]
		push	edi
		push	2
		push	offset _CapSid
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E0D1A
		mov	eax, [edi+8]
		mov	ecx, [ebp+var_1C]
		add	eax, ecx
		cmp	eax, [ebp+var_14]
		ja	short loc_9E0C39
		mov	[ebx+0Ch], ecx
		lea	eax, [edi+0Ch]
		push	dword ptr [edi+8] ; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_C]
		push	edi
		push	2
		push	offset _ContainedCapes
		push	[ebp+var_8]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E0D1A
		mov	ecx, [ebp+var_10]
		mov	[ebx+20h], ecx
		test	ecx, ecx
		jz	short loc_9E0D02
		lea	eax, [ebx+24h]
		mov	[ebp+var_C], eax
		lea	edx, [edi+0Ch]

loc_9E0CD9:				; CODE XREF: SepReadSingleCap(x,x,x,x,x)+21Bj
		mov	eax, [edx]
		cmp	eax, [ebp+arg_0]
		jnb	loc_9E0C39
		mov	ecx, [ebp+var_C]
		add	edx, 4
		add	[ebp+var_C], 4
		imul	eax, 1Ch
		add	eax, [ebp+arg_4]
		mov	[ecx], eax
		mov	eax, [ebp+var_18]
		inc	eax
		mov	[ebp+var_18], eax
		cmp	eax, [ebp+var_10]
		jb	short loc_9E0CD9

loc_9E0D02:				; CODE XREF: SepReadSingleCap(x,x,x,x,x)+1E9j
		push	dword ptr [ebx+0Ch]
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jnz	short loc_9E0D15
		mov	esi, 0C0000078h
		jmp	short loc_9E0D1A
; 

loc_9E0D15:				; CODE XREF: SepReadSingleCap(x,x,x,x,x)+227j
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx

loc_9E0D1A:				; CODE XREF: SepReadSingleCap(x,x,x,x,x)+52j
					; SepReadSingleCap(x,x,x,x,x)+82j ...
		push	70536553h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E0D25:				; CODE XREF: SepReadSingleCap(x,x,x,x,x)+36j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_SepReadSingleCap@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepRmDestroyCapTable(x)
_SepRmDestroyCapTable@4	proc near	; CODE XREF: SeAccessCheckWithHintWithAdminlessChecks:loc_5EB3A5p
					; SeAccessCheckWithHintWithAdminlessChecks:loc_5EB4E6p	...

var_14		= dword	ptr -14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	esi, ecx
		stosd
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	_RtlInitEnumerationHashTable@8 ; RtlInitEnumerationHashTable(x,x)
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	RtlEnumerateEntryHashTable
		mov	ebx, 70536553h
		jmp	short loc_9E0D7E
; 

loc_9E0D60:				; CODE XREF: SepRmDestroyCapTable(x)+54j
		push	0
		push	edi
		push	esi
		call	RtlRemoveEntryHashTable
		and	dword ptr [edi+10h], 0
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	RtlEnumerateEntryHashTable

loc_9E0D7E:				; CODE XREF: SepRmDestroyCapTable(x)+30j
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9E0D60
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	_RtlEndEnumerationHashTable@8 ;	RtlEndEnumerationHashTable(x,x)
		push	esi
		call	RtlDeleteHashTable
		mov	eax, [esi+2Ch]
		test	eax, eax
		jz	short loc_9E0DA2
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E0DA2:				; CODE XREF: SepRmDestroyCapTable(x)+6Bj
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SepRmDestroyCapTable@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	LocalGetStringForSid(int,int,int,size_t)
_LocalGetStringForSid@24 proc near	; CODE XREF: LocalConvertSDToStringSD_Rev1+124148p
					; LocalConvertSDToStringSD_Rev1+124165p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	eax, ecx
		mov	esi, edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], edi
		test	eax, eax
		jz	loc_9E0E57
		test	esi, esi
		jz	loc_9E0E57
		push	ebx
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx		; int
		push	[ebp+arg_C]	; size_t
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_0]	; int
		xor	ecx, ecx
		call	LookupSidInTable
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9E0E15
		cmp	[ebp+var_4], edi
		jnz	short loc_9E0E10
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	LocalConvertSidToStringSidW
		test	eax, eax
		jns	short loc_9E0E52
		push	eax
		call	RtlNtStatusToDosError
		mov	edi, eax
		jmp	short loc_9E0E52
; 

loc_9E0E10:				; CODE XREF: LocalGetStringForSid(x,x,x,x,x,x)+48j
		push	2
		pop	esi
		jmp	short loc_9E0E18
; 

loc_9E0E15:				; CODE XREF: LocalGetStringForSid(x,x,x,x,x,x)+43j
		mov	esi, [ebx+0Ch]

loc_9E0E18:				; CODE XREF: LocalGetStringForSid(x,x,x,x,x,x)+65j
		lea	esi, ds:2[esi*2]
		push	ecx
		mov	ecx, esi
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_C]
		mov	[eax], ecx
		test	ecx, ecx
		jnz	short loc_9E0E37
		push	8
		pop	edi
		jmp	short loc_9E0E52
; 

loc_9E0E37:				; CODE XREF: LocalGetStringForSid(x,x,x,x,x,x)+82j
		shr	esi, 1
		test	ebx, ebx
		jz	short loc_9E0E43
		lea	eax, [ebx+2]
		push	eax
		jmp	short loc_9E0E48
; 

loc_9E0E43:				; CODE XREF: LocalGetStringForSid(x,x,x,x,x,x)+8Dj
		push	offset ??_C@_15OHIPBLFN@?$AAS?$AAA@NNGAKEGL@

loc_9E0E48:				; CODE XREF: LocalGetStringForSid(x,x,x,x,x,x)+93j
		push	esi
		push	ecx
		call	_wcscpy_s
		add	esp, 0Ch

loc_9E0E52:				; CODE XREF: LocalGetStringForSid(x,x,x,x,x,x)+56j
					; LocalGetStringForSid(x,x,x,x,x,x)+60j ...
		mov	eax, edi
		pop	ebx
		jmp	short loc_9E0E5A
; 

loc_9E0E57:				; CODE XREF: LocalGetStringForSid(x,x,x,x,x,x)+1Bj
					; LocalGetStringForSid(x,x,x,x,x,x)+23j
		push	57h
		pop	eax

loc_9E0E5A:				; CODE XREF: LocalGetStringForSid(x,x,x,x,x,x)+A7j
		pop	edi
		pop	esi
		leave
		retn	10h
_LocalGetStringForSid@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SddlAddAccessFilterAce(x, x, x, x, x, x, x,	x)
_SddlAddAccessFilterAce@32 proc	near	; CODE XREF: LocalGetAclForString+AEC72p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= word ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= word ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_10]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], 100h
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], 1300h
		test	edi, edi
		jz	loc_9E1023
		push	edi
		call	RtlValidAcl
		test	al, al
		jz	loc_9E1023
		test	ebx, ebx
		jz	short loc_9E0F12
		mov	bx, [ebp+arg_14]
		mov	eax, 0FFFFh
		cmp	bx, ax
		jz	short loc_9E0F12
		push	6
		pop	eax
		cmp	bx, ax
		jb	short loc_9E0F12
		mov	eax, [ebp+var_20]
		cmp	dword ptr [eax], 78747261h
		jnz	short loc_9E0F12
		push	esi
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jnz	short loc_9E0EE6
		mov	eax, 0C0000078h
		jmp	loc_9E1028
; 

loc_9E0EE6:				; CODE XREF: SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+7Aj
		test	byte ptr [ebp+arg_0], 40h
		jz	short loc_9E0F1C
		cmp	byte ptr [esi+1], 2
		jnz	short loc_9E0F12
		push	6		; size_t
		lea	eax, [ebp+var_14]
		push	eax		; void *
		lea	eax, [esi+2]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9E0F12
		cmp	[esi+8], eax
		jnz	short loc_9E0F3D
		cmp	[esi+0Ch], eax
		jz	short loc_9E0F3D

loc_9E0F12:				; CODE XREF: SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+4Fj
					; SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+5Dj ...
		mov	eax, 0C000000Dh
		jmp	loc_9E1028
; 

loc_9E0F1C:				; CODE XREF: SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+8Aj
		push	6		; size_t
		lea	eax, [ebp+var_C]
		push	eax		; void *
		lea	eax, [esi+2]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9E0F12
		cmp	byte ptr [esi+1], 1
		jnz	short loc_9E0F12
		cmp	[esi+8], eax
		jnz	short loc_9E0F12

loc_9E0F3D:				; CODE XREF: SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+ABj
					; SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+B0j
		mov	al, [edi]
		mov	[ebp+var_15], al
		cmp	al, 4
		ja	loc_9E101C
		cmp	al, 2
		ja	short loc_9E0F52
		mov	[ebp+var_15], 2

loc_9E0F52:				; CODE XREF: SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+ECj
		test	[ebp+arg_0], 0FFFFFFA0h
		jnz	short loc_9E0F12
		test	[ebp+arg_C], 0FF000000h
		jnz	short loc_9E0F12
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		call	_RtlFirstFreeAce@8 ; RtlFirstFreeAce(x,x)
		test	al, al
		jz	loc_9E1023
		push	esi
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		movzx	ecx, bx
		lea	edx, [ebp+var_C]
		mov	[ebp+var_14], ecx
		add	eax, 8
		add	ecx, 3
		mov	[ebp+var_C], eax
		push	edx
		and	ecx, 0FFFFFFFCh
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_9E0FA7
		mov	eax, 216h
		jmp	loc_9E1028
; 

loc_9E0FA7:				; CODE XREF: SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+13Bj
		mov	edx, [ebp+var_C]
		cmp	edx, 0FFFFh
		ja	loc_9E0F12
		mov	ebx, [ebp+var_1C]
		test	ebx, ebx
		jz	short loc_9E1015
		movzx	ecx, word ptr [edi+2]
		lea	eax, [edx+ebx]
		add	ecx, edi
		cmp	eax, ecx
		ja	short loc_9E1015
		mov	eax, [ebp+arg_0]
		mov	[ebx+1], al
		mov	eax, [ebp+arg_C]
		mov	[ebx+4], eax
		lea	eax, [ebx+8]
		push	esi		; void *
		push	eax		; void *
		push	esi
		mov	byte ptr [ebx],	15h
		mov	[ebx+2], dx
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		push	[ebp+var_14]	; size_t
		push	[ebp+var_20]	; void *
		push	esi
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 8
		add	eax, ebx
		push	eax		; void *
		call	_memcpy
		mov	al, [ebp+var_15]
		add	esp, 0Ch
		inc	word ptr [edi+4]
		mov	[edi], al
		xor	eax, eax
		jmp	short loc_9E1028
; 

loc_9E1015:				; CODE XREF: SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+15Bj
					; SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+168j
		mov	eax, 0C0000099h
		jmp	short loc_9E1028
; 

loc_9E101C:				; CODE XREF: SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+E4j
		mov	eax, 0C0000059h
		jmp	short loc_9E1028
; 

loc_9E1023:				; CODE XREF: SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+39j
					; SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+47j ...
		mov	eax, 0C0000077h

loc_9E1028:				; CODE XREF: SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+81j
					; SddlAddAccessFilterAce(x,x,x,x,x,x,x,x)+B7j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_SddlAddAccessFilterAce@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SddlAddMandatoryAce(x, x, x, x, x, x)
_SddlAddMandatoryAce@24	proc near	; CODE XREF: LocalGetAclForString+AEDD5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_8], 1000h
		mov	esi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		push	edi
		mov	edi, [ebp+arg_4]
		test	esi, esi
		jz	loc_9E1142
		push	edi
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jnz	short loc_9E107D
		mov	eax, 0C0000078h
		jmp	loc_9E1147
; 

loc_9E107D:				; CODE XREF: SddlAddMandatoryAce(x,x,x,x,x,x)+38j
		push	6		; size_t
		lea	eax, [ebp+var_C]
		push	eax		; void *
		lea	eax, [edi+2]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9E113B
		mov	bl, [esi]
		cmp	bl, 4
		ja	loc_9E1134
		cmp	bl, 2
		ja	short loc_9E10A9
		mov	bl, 2

loc_9E10A9:				; CODE XREF: SddlAddMandatoryAce(x,x,x,x,x,x)+6Cj
		test	[ebp+arg_0], 0FFFFFFE0h
		jnz	loc_9E113B
		test	[ebp+arg_C], 0FFFFFFF8h
		jnz	short loc_9E113B
		push	esi
		call	RtlValidAcl
		test	al, al
		jz	short loc_9E1142
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	_RtlFirstFreeAce@8 ; RtlFirstFreeAce(x,x)
		test	al, al
		jz	short loc_9E1142
		push	edi
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	edx, [ebp+var_10]
		add	eax, 8
		movzx	eax, ax
		mov	[ebp+var_C], eax
		test	edx, edx
		jz	short loc_9E112D
		movzx	ecx, word ptr [esi+2]
		movzx	eax, ax
		add	ecx, esi
		add	eax, edx
		cmp	eax, ecx
		ja	short loc_9E112D
		mov	eax, [ebp+arg_0]
		mov	[edx+1], al
		mov	eax, [ebp+var_C]
		mov	[edx+2], ax
		mov	eax, [ebp+arg_C]
		mov	[edx+4], eax
		lea	eax, [edx+8]
		push	edi		; void *
		push	eax		; void *
		push	edi
		mov	byte ptr [edx],	11h
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		inc	word ptr [esi+4]
		xor	eax, eax
		mov	[esi], bl
		jmp	short loc_9E1147
; 

loc_9E112D:				; CODE XREF: SddlAddMandatoryAce(x,x,x,x,x,x)+B2j
					; SddlAddMandatoryAce(x,x,x,x,x,x)+C1j
		mov	eax, 0C0000099h
		jmp	short loc_9E1147
; 

loc_9E1134:				; CODE XREF: SddlAddMandatoryAce(x,x,x,x,x,x)+63j
		mov	eax, 0C0000059h
		jmp	short loc_9E1147
; 

loc_9E113B:				; CODE XREF: SddlAddMandatoryAce(x,x,x,x,x,x)+58j
					; SddlAddMandatoryAce(x,x,x,x,x,x)+77j	...
		mov	eax, 0C000000Dh
		jmp	short loc_9E1147
; 

loc_9E1142:				; CODE XREF: SddlAddMandatoryAce(x,x,x,x,x,x)+2Aj
					; SddlAddMandatoryAce(x,x,x,x,x,x)+8Ej	...
		mov	eax, 0C0000077h

loc_9E1147:				; CODE XREF: SddlAddMandatoryAce(x,x,x,x,x,x)+3Fj
					; SddlAddMandatoryAce(x,x,x,x,x,x)+F2j	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_SddlAddMandatoryAce@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SddlAddProcessTrustLabelAce(x, x, x, x, x, x)
_SddlAddProcessTrustLabelAce@24	proc near ; CODE XREF: LocalGetAclForString+AEC95p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_8], 1300h
		mov	esi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		push	edi
		mov	edi, [ebp+arg_4]
		test	esi, esi
		jz	loc_9E1261
		push	esi
		call	RtlValidAcl
		test	al, al
		jz	loc_9E1261
		push	edi
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jnz	short loc_9E11AA
		mov	eax, 0C0000078h
		jmp	loc_9E1266
; 

loc_9E11AA:				; CODE XREF: SddlAddProcessTrustLabelAce(x,x,x,x,x,x)+46j
		push	6		; size_t
		lea	eax, [ebp+var_C]
		push	eax		; void *
		lea	eax, [edi+2]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9E125A
		mov	bl, [esi]
		cmp	bl, 4
		ja	loc_9E1253
		cmp	bl, 2
		ja	short loc_9E11D6
		mov	bl, 2

loc_9E11D6:				; CODE XREF: SddlAddProcessTrustLabelAce(x,x,x,x,x,x)+7Aj
		test	[ebp+arg_0], 0FFFFFFE0h
		jnz	short loc_9E125A
		test	[ebp+arg_C], 0FF000000h
		jnz	short loc_9E125A
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	_RtlFirstFreeAce@8 ; RtlFirstFreeAce(x,x)
		test	al, al
		jz	short loc_9E1261
		push	edi
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	edx, [ebp+var_10]
		add	eax, 8
		movzx	eax, ax
		mov	[ebp+var_C], eax
		test	edx, edx
		jz	short loc_9E124C
		movzx	ecx, word ptr [esi+2]
		movzx	eax, ax
		add	ecx, esi
		add	eax, edx
		cmp	eax, ecx
		ja	short loc_9E124C
		mov	eax, [ebp+arg_0]
		mov	[edx+1], al
		mov	eax, [ebp+var_C]
		mov	[edx+2], ax
		mov	eax, [ebp+arg_C]
		mov	[edx+4], eax
		lea	eax, [edx+8]
		push	edi		; void *
		push	eax		; void *
		push	edi
		mov	byte ptr [edx],	14h
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		inc	word ptr [esi+4]
		xor	eax, eax
		mov	[esi], bl
		jmp	short loc_9E1266
; 

loc_9E124C:				; CODE XREF: SddlAddProcessTrustLabelAce(x,x,x,x,x,x)+B2j
					; SddlAddProcessTrustLabelAce(x,x,x,x,x,x)+C1j
		mov	eax, 0C0000099h
		jmp	short loc_9E1266
; 

loc_9E1253:				; CODE XREF: SddlAddProcessTrustLabelAce(x,x,x,x,x,x)+71j
		mov	eax, 0C0000059h
		jmp	short loc_9E1266
; 

loc_9E125A:				; CODE XREF: SddlAddProcessTrustLabelAce(x,x,x,x,x,x)+66j
					; SddlAddProcessTrustLabelAce(x,x,x,x,x,x)+85j	...
		mov	eax, 0C000000Dh
		jmp	short loc_9E1266
; 

loc_9E1261:				; CODE XREF: SddlAddProcessTrustLabelAce(x,x,x,x,x,x)+2Aj
					; SddlAddProcessTrustLabelAce(x,x,x,x,x,x)+38j	...
		mov	eax, 0C0000077h

loc_9E1266:				; CODE XREF: SddlAddProcessTrustLabelAce(x,x,x,x,x,x)+4Dj
					; SddlAddProcessTrustLabelAce(x,x,x,x,x,x)+F2j	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_SddlAddProcessTrustLabelAce@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SddlAddScopedPolicyIDAce(x,	x, x, x, x)
_SddlAddScopedPolicyIDAce@20 proc near	; CODE XREF: LocalGetAclForString+AECB7p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_8], 1100h
		mov	esi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		push	edi
		mov	edi, [ebp+arg_8]
		test	esi, esi
		jz	loc_9E137B
		push	edi
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jnz	short loc_9E12BB
		mov	eax, 0C0000078h
		jmp	loc_9E1380
; 

loc_9E12BB:				; CODE XREF: SddlAddScopedPolicyIDAce(x,x,x,x,x)+38j
		push	6		; size_t
		lea	eax, [ebp+var_C]
		push	eax		; void *
		lea	eax, [edi+2]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9E1374
		mov	bl, [esi]
		cmp	bl, 4
		ja	loc_9E136D
		cmp	bl, 2
		ja	short loc_9E12E7
		mov	bl, 2

loc_9E12E7:				; CODE XREF: SddlAddScopedPolicyIDAce(x,x,x,x,x)+6Cj
		test	[ebp+arg_0], 0FFFFFFE0h
		jnz	loc_9E1374
		cmp	[ebp+arg_4], 0
		jnz	short loc_9E1374
		push	esi
		call	RtlValidAcl
		test	al, al
		jz	short loc_9E137B
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	_RtlFirstFreeAce@8 ; RtlFirstFreeAce(x,x)
		test	al, al
		jz	short loc_9E137B
		push	edi
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	edx, [ebp+var_10]
		add	eax, 8
		movzx	eax, ax
		mov	[ebp+var_C], eax
		test	edx, edx
		jz	short loc_9E1366
		movzx	ecx, word ptr [esi+2]
		movzx	eax, ax
		add	ecx, esi
		add	eax, edx
		cmp	eax, ecx
		ja	short loc_9E1366
		mov	eax, [ebp+arg_0]
		and	dword ptr [edx+4], 0
		mov	[edx+1], al
		mov	eax, [ebp+var_C]
		mov	[edx+2], ax
		lea	eax, [edx+8]
		push	edi		; void *
		push	eax		; void *
		push	edi
		mov	byte ptr [edx],	13h
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	eax		; int
		call	_RtlCopySid@12	; RtlCopySid(x,x,x)
		inc	word ptr [esi+4]
		xor	eax, eax
		mov	[esi], bl
		jmp	short loc_9E1380
; 

loc_9E1366:				; CODE XREF: SddlAddScopedPolicyIDAce(x,x,x,x,x)+AFj
					; SddlAddScopedPolicyIDAce(x,x,x,x,x)+BEj
		mov	eax, 0C0000099h
		jmp	short loc_9E1380
; 

loc_9E136D:				; CODE XREF: SddlAddScopedPolicyIDAce(x,x,x,x,x)+63j
		mov	eax, 0C0000059h
		jmp	short loc_9E1380
; 

loc_9E1374:				; CODE XREF: SddlAddScopedPolicyIDAce(x,x,x,x,x)+58j
					; SddlAddScopedPolicyIDAce(x,x,x,x,x)+77j ...
		mov	eax, 0C000000Dh
		jmp	short loc_9E1380
; 

loc_9E137B:				; CODE XREF: SddlAddScopedPolicyIDAce(x,x,x,x,x)+2Aj
					; SddlAddScopedPolicyIDAce(x,x,x,x,x)+8Bj ...
		mov	eax, 0C0000077h

loc_9E1380:				; CODE XREF: SddlAddScopedPolicyIDAce(x,x,x,x,x)+3Fj
					; SddlAddScopedPolicyIDAce(x,x,x,x,x)+EDj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_SddlAddScopedPolicyIDAce@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SddlFilterSacl(x, x, x, x)
_SddlFilterSacl@16 proc	near		; CODE XREF: LocalConvertSDToStringSD_Rev1+12410Ep
					; LocalConvertSDToStringSD_Rev1+124133p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	eax, ecx
		push	esi
		push	edi
		push	8
		pop	ecx
		mov	esi, ecx
		mov	[ebp+var_8], edx
		movzx	ecx, word ptr [eax+4]
		lea	edx, [eax+8]
		mov	[ebp+var_4], eax
		mov	edi, edx
		mov	[ebp+var_C], edx
		test	ecx, ecx
		jz	short loc_9E1408

loc_9E13BC:				; CODE XREF: SddlFilterSacl(x,x,x,x)+75j
		movzx	eax, byte ptr [edi]
		add	eax, 0FFFFFFFEh
		cmp	eax, 13h
		ja	short loc_9E13F2
		movzx	eax, ds:byte_9E1511[eax]
		jmp	ds:off_9E14F5[eax*4]

loc_9E13D5:				; DATA XREF: PAGE:009E14FDo
		test	bl, 20h
		jmp	short loc_9E13F5
; 

loc_9E13DA:				; CODE XREF: SddlFilterSacl(x,x,x,x)+3Dj
					; DATA XREF: PAGE:009E1501o
		test	bl, 40h
		jmp	short loc_9E13F5
; 

loc_9E13DF:				; CODE XREF: SddlFilterSacl(x,x,x,x)+3Dj
					; DATA XREF: PAGE:009E14F9o
		test	bl, 10h
		jmp	short loc_9E13F5
; 

loc_9E13E4:				; CODE XREF: SddlFilterSacl(x,x,x,x)+3Dj
					; DATA XREF: PAGE:009E1505o
		test	bl, bl
		jns	short loc_9E13FD
		jmp	short loc_9E13F7
; 

loc_9E13EA:				; CODE XREF: SddlFilterSacl(x,x,x,x)+3Dj
					; DATA XREF: PAGE:009E1509o
		test	ebx, 100h
		jmp	short loc_9E13F5
; 

loc_9E13F2:				; CODE XREF: SddlFilterSacl(x,x,x,x)+34j
					; SddlFilterSacl(x,x,x,x)+3Dj
					; DATA XREF: ...
		test	bl, 8

loc_9E13F5:				; CODE XREF: SddlFilterSacl(x,x,x,x)+47j
					; SddlFilterSacl(x,x,x,x)+4Cj ...
		jz	short loc_9E13FD

loc_9E13F7:				; CODE XREF: SddlFilterSacl(x,x,x,x)+57j
		movzx	eax, word ptr [edi+2]
		add	esi, eax

loc_9E13FD:				; CODE XREF: SddlFilterSacl(x,x,x,x)+55j
					; SddlFilterSacl(x,x,x,x):loc_9E13F5j
		movzx	eax, word ptr [edi+2]
		add	edi, eax
		sub	ecx, 1
		jnz	short loc_9E13BC

loc_9E1408:				; CODE XREF: SddlFilterSacl(x,x,x,x)+29j
		mov	eax, [ebp+arg_0]
		add	esi, 3
		and	esi, 0FFFFFFFCh
		cmp	[eax], esi
		jnb	short loc_9E141C
		mov	[eax], esi
		jmp	loc_9E14EB
; 

loc_9E141C:				; CODE XREF: SddlFilterSacl(x,x,x,x)+82j
		mov	edi, [ebp+var_8]
		xor	esi, esi
		mov	ecx, [ebp+var_4]
		push	8
		mov	eax, [ecx]
		mov	[edi], eax
		mov	eax, [ecx+4]
		lea	ecx, [edi+8]
		mov	[edi+4], eax
		xor	eax, eax
		mov	[edi+4], ax
		pop	eax
		mov	[edi+2], ax
		xor	edi, edi
		mov	eax, [ebp+var_4]
		mov	[ebp+arg_4], ecx
		cmp	di, [eax+4]
		mov	edi, [ebp+var_8]
		jnb	loc_9E14EB

loc_9E1453:				; CODE XREF: SddlFilterSacl(x,x,x,x)+154j
		movzx	eax, byte ptr [edx]
		add	eax, 0FFFFFFFEh
		cmp	eax, 13h
		ja	short loc_9E1498
		movzx	eax, ds:byte_9E1541[eax]
		jmp	ds:off_9E1525[eax*4]

loc_9E146C:				; DATA XREF: PAGE:off_9E1525o
		mov	eax, ebx
		shr	eax, 3

loc_9E1471:				; CODE XREF: SddlFilterSacl(x,x,x,x)+E9j
					; SddlFilterSacl(x,x,x,x)+F0j ...
		and	al, 1
		jmp	short loc_9E149F
; 

loc_9E1475:				; CODE XREF: SddlFilterSacl(x,x,x,x)+D4j
					; DATA XREF: PAGE:009E152Do
		mov	eax, ebx
		shr	eax, 5
		jmp	short loc_9E1471
; 

loc_9E147C:				; CODE XREF: SddlFilterSacl(x,x,x,x)+D4j
					; DATA XREF: PAGE:009E1531o
		mov	eax, ebx
		shr	eax, 6
		jmp	short loc_9E1471
; 

loc_9E1483:				; CODE XREF: SddlFilterSacl(x,x,x,x)+D4j
					; DATA XREF: PAGE:009E1529o
		mov	eax, ebx
		shr	eax, 4
		jmp	short loc_9E1471
; 

loc_9E148A:				; CODE XREF: SddlFilterSacl(x,x,x,x)+D4j
					; DATA XREF: PAGE:009E1535o
		mov	eax, ebx
		shr	eax, 7
		jmp	short loc_9E1471
; 

loc_9E1491:				; CODE XREF: SddlFilterSacl(x,x,x,x)+D4j
					; DATA XREF: PAGE:009E1539o
		mov	eax, ebx
		shr	eax, 8
		jmp	short loc_9E1471
; 

loc_9E1498:				; CODE XREF: SddlFilterSacl(x,x,x,x)+CBj
					; SddlFilterSacl(x,x,x,x)+D4j
					; DATA XREF: ...
		test	bl, 8
		jz	short loc_9E14CF
		mov	al, 1

loc_9E149F:				; CODE XREF: SddlFilterSacl(x,x,x,x)+E2j
		test	al, al
		jz	short loc_9E14CF
		movzx	eax, word ptr [edx+2]
		push	eax		; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcpy
		mov	edx, [ebp+var_C]
		add	esp, 0Ch
		inc	word ptr [edi+4]
		mov	ax, [edx+2]
		add	[edi+2], ax
		movzx	ecx, word ptr [edx+2]
		add	[ebp+arg_4], ecx
		mov	eax, ecx
		mov	ecx, [ebp+arg_4]
		jmp	short loc_9E14D3
; 

loc_9E14CF:				; CODE XREF: SddlFilterSacl(x,x,x,x)+10Aj
					; SddlFilterSacl(x,x,x,x)+110j
		movzx	eax, word ptr [edx+2]

loc_9E14D3:				; CODE XREF: SddlFilterSacl(x,x,x,x)+13Cj
		movzx	eax, ax
		inc	esi
		add	edx, eax
		mov	eax, [ebp+var_4]
		mov	[ebp+var_C], edx
		movzx	eax, word ptr [eax+4]
		cmp	esi, eax
		jb	loc_9E1453

loc_9E14EB:				; CODE XREF: SddlFilterSacl(x,x,x,x)+86j
					; SddlFilterSacl(x,x,x,x)+BCj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SddlFilterSacl@16 endp

; 
		dw 498Dh
		db 0
off_9E14F5	dd offset loc_9E13F2	; DATA XREF: SddlFilterSacl(x,x,x,x)+3Dr
		dd offset loc_9E13DF
		dd offset loc_9E13D5
		dd offset loc_9E13DA
		dd offset loc_9E13E4
		dd offset loc_9E13EA
		dd offset loc_9E13F2
byte_9E1511	db 0			; DATA XREF: SddlFilterSacl(x,x,x,x)+36r
		dw 600h
		dd 606h, 6060606h, 0
		dd 4030201h
		db 5
off_9E1525	dd offset loc_9E146C	; DATA XREF: SddlFilterSacl(x,x,x,x)+D4r
		dd offset loc_9E1483
		dd offset loc_9E1475
		dd offset loc_9E147C
		dd offset loc_9E148A
		dd offset loc_9E1491
		dd offset loc_9E1498
byte_9E1541	db 0			; DATA XREF: SddlFilterSacl(x,x,x,x)+CDr
		dw 600h
		dd 606h, 6060606h, 0
		dd 4030201h
		db 5

;  S U B	R O U T	I N E 


; __stdcall SddlpFree(x)
_SddlpFree@4	proc near		; CODE XREF: SeConvertStringSidToSid+8430Dp
					; SeConvertStringSidToSid+84350p ...
		test	ecx, ecx
		jz	short locret_9E1561
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_9E1561:				; CODE XREF: SddlpFree(x)+2j
		retn
_SddlpFree@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SddlpReAlloc(void *,int,int)
_SddlpReAlloc@20 proc near		; CODE XREF: GetPrintableOperandValue+123EF1p
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+1AEp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	64536553h
		mov	edi, edx
		mov	ebx, ecx
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9E1597
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		push	ebx		; size_t
		push	[ebp+arg_0]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 18h

loc_9E1597:				; CODE XREF: SddlpReAlloc(x,x,x,x,x)+1Dj
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_SddlpReAlloc@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SddlpUuidFromString(x, x)
_SddlpUuidFromString@8 proc near	; CODE XREF: LocalGetAclForString+AE713p
					; LocalGetAclForString+AE72Ap

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	ebx, ebx
		push	7Bh
		pop	eax
		mov	edi, edx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], ebx
		cmp	[esi], ax
		jz	short loc_9E163F
		lea	edx, [ecx+2]

loc_9E15D6:				; CODE XREF: SddlpUuidFromString(x,x)+35j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_9E15D6
		sub	ecx, edx
		sar	ecx, 1
		cmp	word ptr [esi+ecx*2-2],	7Dh
		jz	short loc_9E163F
		push	4Ah		; size_t
		lea	eax, [ebp+var_54]
		mov	[ebp+var_58], 7Bh
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	ecx, esi
		add	esp, 0Ch
		lea	edx, [ecx+2]

loc_9E1608:				; CODE XREF: SddlpUuidFromString(x,x)+67j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_9E1608
		sub	ecx, edx
		lea	eax, [ebp+var_58]
		sar	ecx, 1
		push	ecx
		push	esi
		push	27h
		push	eax
		call	_wcsncat_s
		push	2
		push	offset ??_C@_13EHOOFIKC@?$AA?$HN@NNGAKEGL@
		lea	eax, [ebp+var_58]
		push	27h
		push	eax
		call	_wcsncat_s
		add	esp, 20h
		lea	eax, [ebp+var_58]
		push	eax
		jmp	short loc_9E1640
; 

loc_9E163F:				; CODE XREF: SddlpUuidFromString(x,x)+27j
					; SddlpUuidFromString(x,x)+41j
		push	esi

loc_9E1640:				; CODE XREF: SddlpUuidFromString(x,x)+93j
		lea	eax, [ebp+var_60]
		push	eax
		call	dword ptr ds:__imp__RtlInitUnicodeString@8 ; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		xor	ecx, ecx
		test	eax, eax
		pop	edi
		setns	cl
		mov	eax, ecx
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SddlpUuidFromString@8 endp


;  S U B	R O U T	I N E 


; __stdcall SddlpUuidToString(x, x)
_SddlpUuidToString@8 proc near		; CODE XREF: LocalConvertAclToString+12417Fp
					; LocalConvertAclToString+1241D3p
		mov	edi, edi
		push	esi
		push	edi
		push	64536553h
		push	4Ah
		push	1
		mov	esi, edx
		mov	edi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[esi], edx
		test	edx, edx
		jz	short loc_9E16D1
		movzx	eax, byte ptr [edi+0Fh]
		push	eax
		movzx	eax, byte ptr [edi+0Eh]
		push	eax
		movzx	eax, byte ptr [edi+0Dh]
		movzx	ecx, word ptr [edi+6]
		push	eax
		movzx	eax, byte ptr [edi+0Ch]
		push	eax
		movzx	eax, byte ptr [edi+0Bh]
		push	eax
		movzx	eax, byte ptr [edi+0Ah]
		push	eax
		movzx	eax, byte ptr [edi+9]
		push	eax
		movzx	eax, byte ptr [edi+8]
		push	eax
		push	ecx
		movzx	ecx, word ptr [edi+4]
		push	ecx
		push	dword ptr [edi]
		push	offset _SddlGuidFormat
		push	25h
		push	edx
		call	_swprintf_s
		xor	eax, eax
		add	esp, 38h
		inc	eax

loc_9E16D1:				; CODE XREF: SddlpUuidToString(x,x)+1Cj
		pop	edi
		pop	esi
		retn
_SddlpUuidToString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	AppendCondition(int,void *,size_t)
_AppendCondition@20 proc near		; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+211p
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+3E4p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	eax, ecx
		mov	esi, edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], edi
		test	eax, eax
		jz	loc_9E1790
		test	esi, esi
		jz	loc_9E1790
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	loc_9E1790
		mov	edx, [ebp+arg_8]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebx]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_9E171F
		mov	edi, 216h
		jmp	short loc_9E178C
; 

loc_9E171F:				; CODE XREF: AppendCondition(x,x,x,x,x)+42j
		mov	eax, [ebp+var_4]
		cmp	eax, [esi]
		jbe	short loc_9E176D
		push	ecx
		mov	ecx, eax
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jnz	short loc_9E173C
		push	8
		pop	edi
		jmp	short loc_9E178C
; 

loc_9E173C:				; CODE XREF: AppendCondition(x,x,x,x,x)+61j
		mov	eax, [ebp+var_8]
		push	dword ptr [esi]	; size_t
		mov	eax, [eax]
		push	eax		; void *
		push	ecx		; void *
		mov	[ebp+arg_0], eax
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9E175E
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E175E:				; CODE XREF: AppendCondition(x,x,x,x,x)+81j
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		mov	[eax], ecx
		mov	ecx, [ebp+var_4]
		mov	[esi], ecx
		jmp	short loc_9E1770
; 

loc_9E176D:				; CODE XREF: AppendCondition(x,x,x,x,x)+50j
		mov	eax, [ebp+var_8]

loc_9E1770:				; CODE XREF: AppendCondition(x,x,x,x,x)+97j
		push	[ebp+arg_8]	; size_t
		mov	ecx, [eax]
		mov	esi, [ebx]
		add	ecx, esi
		push	[ebp+arg_4]	; void *
		push	ecx		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_8]
		add	esp, 0Ch
		add	ecx, esi
		mov	[ebx], ecx

loc_9E178C:				; CODE XREF: AppendCondition(x,x,x,x,x)+49j
					; AppendCondition(x,x,x,x,x)+66j
		mov	eax, edi
		jmp	short loc_9E1793
; 

loc_9E1790:				; CODE XREF: AppendCondition(x,x,x,x,x)+19j
					; AppendCondition(x,x,x,x,x)+21j ...
		push	57h
		pop	eax

loc_9E1793:				; CODE XREF: AppendCondition(x,x,x,x,x)+BAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_AppendCondition@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DecodeAttributeName(x, x, x)
_DecodeAttributeName@12	proc near	; CODE XREF: GetAttributeName(x,x,x)+1A3p
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+10Ap

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_20], ebx
		mov	eax, edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_28], ebx
		mov	byte ptr [ebp+var_4+3],	bl
		mov	byte ptr [ebp+var_4+2],	bl
		mov	byte ptr [ebp+var_4+1],	bl
		mov	byte ptr [ebp+var_4], bl
		test	ecx, ecx
		jz	loc_9E1956
		test	eax, eax
		jz	loc_9E1956
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	loc_9E1956
		test	al, 1
		jz	short loc_9E17E8
		mov	ebx, 538h
		jmp	loc_9E1942
; 

loc_9E17E8:				; CODE XREF: DecodeAttributeName(x,x,x)+42j
		push	ecx
		lea	ecx, [eax+2]
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_9E1800
		push	8
		pop	ebx
		jmp	loc_9E1942
; 

loc_9E1800:				; CODE XREF: DecodeAttributeName(x,x,x)+5Cj
		push	esi
		mov	esi, [ebp+var_1C]
		shr	esi, 1
		push	edi
		mov	edi, ebx
		jz	loc_9E193B
		mov	eax, [ebp+var_18]
		push	4
		pop	edx
		mov	[ebp+var_1C], edx
		lea	edx, [eax+6]
		mov	[ebp+var_10], edx
		lea	ecx, [eax+8]
		lea	edx, [eax+4]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], edx
		mov	edx, [ebp+var_1C]

loc_9E182D:				; CODE XREF: DecodeAttributeName(x,x,x)+199j
		cmp	word ptr [eax+edi*2], 25h
		mov	[ebp+var_5], bl
		jnz	loc_9E18D9
		cmp	edx, esi
		jnb	loc_9E1946
		mov	cx, [eax+edi*2+2]
		lea	edx, [ebp+var_4+3]
		call	_GetDigitFromChar2@8 ; GetDigitFromChar2(x,x)
		test	al, al
		jz	loc_9E1946
		mov	eax, [ebp+var_C]
		lea	edx, [ebp+var_4+2]
		mov	cx, [eax]
		call	_GetDigitFromChar2@8 ; GetDigitFromChar2(x,x)
		test	al, al
		jz	loc_9E1946
		mov	eax, [ebp+var_10]
		lea	edx, [ebp+var_4+1]
		mov	cx, [eax]
		call	_GetDigitFromChar2@8 ; GetDigitFromChar2(x,x)
		test	al, al
		jz	loc_9E1946
		mov	eax, [ebp+var_14]
		lea	edx, [ebp+var_4]
		mov	cx, [eax]
		call	_GetDigitFromChar2@8 ; GetDigitFromChar2(x,x)
		test	al, al
		jz	loc_9E1946
		movzx	ecx, byte ptr [ebp+var_4+3]
		movzx	eax, byte ptr [ebp+var_4+2]
		shl	cx, 4
		or	cx, ax
		movzx	eax, byte ptr [ebp+var_4+1]
		shl	cx, 4
		or	cx, ax
		movzx	eax, byte ptr [ebp+var_4]
		shl	cx, 4
		or	cx, ax
		movzx	eax, cx
		mov	ecx, eax	; wint_t
		mov	[ebp+var_28], eax
		call	_IsEncodedAttributeChar@4 ; IsEncodedAttributeChar(x)
		mov	[ebp+var_5], al
		test	al, al
		jz	short loc_9E1946
		mov	eax, [ebp+var_18]
		mov	edx, [ebp+var_1C]

loc_9E18D9:				; CODE XREF: DecodeAttributeName(x,x,x)+9Bj
		mov	ecx, [ebp+var_20]
		inc	ecx
		cmp	[ebp+var_5], 0
		mov	[ebp+var_2C], ecx
		jz	short loc_9E1900
		add	[ebp+var_C], 8
		add	edi, 4
		add	[ebp+var_10], 8
		add	edx, 4
		mov	eax, [ebp+var_28]
		add	[ebp+var_14], 8
		movzx	ecx, ax
		jmp	short loc_9E1904
; 

loc_9E1900:				; CODE XREF: DecodeAttributeName(x,x,x)+14Aj
		movzx	ecx, word ptr [eax+edi*2]

loc_9E1904:				; CODE XREF: DecodeAttributeName(x,x,x)+164j
		mov	ebx, [ebp+var_20]
		inc	edi
		add	[ebp+var_C], 2
		inc	edx
		add	[ebp+var_10], 2
		add	[ebp+var_14], 2
		mov	[ebp+var_1C], ecx
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_1C], edx
		push	0
		mov	[ecx+ebx*2], ax
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_18]
		pop	ebx
		cmp	edi, esi
		jb	loc_9E182D
		mov	eax, ecx

loc_9E193B:				; CODE XREF: DecodeAttributeName(x,x,x)+6Fj
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax

loc_9E1940:				; CODE XREF: DecodeAttributeName(x,x,x)+1BAj
		pop	edi
		pop	esi

loc_9E1942:				; CODE XREF: DecodeAttributeName(x,x,x)+49j
					; DecodeAttributeName(x,x,x)+61j
		mov	eax, ebx
		jmp	short loc_9E1959
; 

loc_9E1946:				; CODE XREF: DecodeAttributeName(x,x,x)+A3j
					; DecodeAttributeName(x,x,x)+B8j ...
		push	ebx
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, 538h
		jmp	short loc_9E1940
; 

loc_9E1956:				; CODE XREF: DecodeAttributeName(x,x,x)+27j
					; DecodeAttributeName(x,x,x)+2Fj ...
		push	57h
		pop	eax

loc_9E1959:				; CODE XREF: DecodeAttributeName(x,x,x)+1AAj
		pop	ebx
		leave
		retn	4
_DecodeAttributeName@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EncodeAttributeName(x, x, x)
_EncodeAttributeName@12	proc near	; CODE XREF: GetPrintableAttributeName+124086p
					; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+121p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], esi
		mov	ebx, edx
		push	edi
		test	ecx, ecx
		jz	loc_9E1A49
		test	ebx, ebx
		jz	loc_9E1A49
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_9E1A49
		test	bl, 1
		jz	short loc_9E199C
		mov	esi, 538h
		jmp	loc_9E1A45
; 

loc_9E199C:				; CODE XREF: EncodeAttributeName(x,x,x)+32j
		push	ecx
		imul	ecx, ebx, 5
		add	ecx, 2
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_9E19B6
		push	8
		pop	esi
		jmp	loc_9E1A45
; 

loc_9E19B6:				; CODE XREF: EncodeAttributeName(x,x,x)+4Ej
		shr	ebx, 1
		mov	edi, esi
		jz	loc_9E1A45
		mov	ecx, [ebp+var_4]

loc_9E19C3:				; CODE XREF: EncodeAttributeName(x,x,x)+E2j
		mov	cx, [ecx+edi*2]	; wint_t
		call	_IsEncodedAttributeChar@4 ; IsEncodedAttributeChar(x)
		mov	ecx, [ebp+arg_0]
		mov	edx, [ecx]
		mov	ecx, [ebp+var_4]
		test	al, al
		jz	short loc_9E1A34
		push	25h
		pop	eax
		mov	[edx+esi*2], ax
		movzx	eax, word ptr [ecx+edi*2]
		shr	eax, 0Ch
		mov	ax, ds:word_42E340[eax*2]
		mov	[edx+esi*2+2], ax
		movzx	eax, byte ptr [ecx+edi*2+1]
		and	eax, 0Fh
		mov	ax, ds:word_42E340[eax*2]
		mov	[edx+esi*2+4], ax
		movzx	eax, word ptr [ecx+edi*2]
		shr	ax, 4
		and	eax, 0Fh
		mov	ax, ds:word_42E340[eax*2]
		mov	[edx+esi*2+6], ax
		add	esi, 4
		movzx	eax, byte ptr [ecx+edi*2]
		and	eax, 0Fh
		mov	ax, ds:word_42E340[eax*2]
		jmp	short loc_9E1A38
; 

loc_9E1A34:				; CODE XREF: EncodeAttributeName(x,x,x)+78j
		mov	ax, [ecx+edi*2]

loc_9E1A38:				; CODE XREF: EncodeAttributeName(x,x,x)+D4j
		inc	edi
		mov	[edx+esi*2], ax
		inc	esi
		cmp	edi, ebx
		jb	short loc_9E19C3
		mov	esi, [ebp+var_8]

loc_9E1A45:				; CODE XREF: EncodeAttributeName(x,x,x)+39j
					; EncodeAttributeName(x,x,x)+53j ...
		mov	eax, esi
		jmp	short loc_9E1A4C
; 

loc_9E1A49:				; CODE XREF: EncodeAttributeName(x,x,x)+16j
					; EncodeAttributeName(x,x,x)+1Ej ...
		push	57h
		pop	eax

loc_9E1A4C:				; CODE XREF: EncodeAttributeName(x,x,x)+E9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EncodeAttributeName@12	endp


;  S U B	R O U T	I N E 


; __stdcall FreeOperandValue(x)
_FreeOperandValue@4 proc near		; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+56p
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+6Bp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_9E1A78
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_9E1A70
		cmp	byte ptr [esi],	0
		jnz	short loc_9E1A70
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E1A70:				; CODE XREF: FreeOperandValue(x)+Ej
					; FreeOperandValue(x)+13j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E1A78:				; CODE XREF: FreeOperandValue(x)+7j
		pop	esi
		retn
_FreeOperandValue@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall GetAttributeName(wchar_t *,int,int)
_GetAttributeName@12 proc near		; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+52Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	1		; size_t
		xor	eax, eax
		mov	[ebp+var_4], edx
		mov	edi, ecx
		mov	[ebp+var_8], eax
		push	(offset	loc_8BF7BB+1) ;	wchar_t	*
		push	edi		; wchar_t *
		mov	ebx, eax
		mov	esi, eax
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9E1ABC

loc_9E1AA7:				; CODE XREF: GetAttributeName(x,x,x)+40j
		movzx	ecx, word ptr [edi+esi*2]
		call	_IsLegalAttributeChar2@4 ; IsLegalAttributeChar2(x)
		test	al, al
		jz	short loc_9E1AD4
		test	cx, cx
		jz	short loc_9E1AD4
		inc	esi
		jmp	short loc_9E1AA7
; 

loc_9E1ABC:				; CODE XREF: GetAttributeName(x,x,x)+2Bj
		xor	ebx, ebx

loc_9E1ABE:				; CODE XREF: GetAttributeName(x,x,x)+58j
		mov	cx, [edi+esi*2]	; wint_t
		call	_IsLegalAttributeChar@4	; IsLegalAttributeChar(x)
		test	al, al
		jz	short loc_9E1AD4
		cmp	[edi+esi*2], bx
		jz	short loc_9E1AD4
		inc	esi
		jmp	short loc_9E1ABE
; 

loc_9E1AD4:				; CODE XREF: GetAttributeName(x,x,x)+38j
					; GetAttributeName(x,x,x)+3Dj ...
		cmp	esi, 8
		jb	short loc_9E1B0E
		push	8		; size_t
		push	offset ??_C@_1BC@BELPDGGJ@?$AA?$EA?$AAD?$AAE?$AAV?$AAI?$AAC?$AAE?$AA?4@NNGAKEGL@ ; wchar_t *
		push	edi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9E1B0E
		cmp	esi, 8
		jz	loc_9E1C4F
		mov	eax, [ebp+var_4]
		add	edi, 10h
		mov	ecx, [eax]
		lea	eax, ds:0FFFFFFF0h[esi*2]
		mov	byte ptr [ecx+1], 0FBh
		jmp	loc_9E1BDE
; 

loc_9E1B0E:				; CODE XREF: GetAttributeName(x,x,x)+5Dj
					; GetAttributeName(x,x,x)+71j
		cmp	esi, 0Ah
		jb	short loc_9E1B48
		push	0Ah		; size_t
		push	offset ??_C@_1BG@ILPAMDME@?$AA?$EA?$AAR?$AAE?$AAS?$AAO?$AAU?$AAR?$AAC?$AAE?$AA?4@NNGAKEGL@ ; "@RESOURCE."
		push	edi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9E1B48
		cmp	esi, 0Ah
		jz	loc_9E1C4F
		mov	eax, [ebp+var_4]
		add	edi, 14h
		mov	ecx, [eax]
		lea	eax, ds:0FFFFFFECh[esi*2]
		mov	byte ptr [ecx+1], 0FAh
		jmp	loc_9E1BDE
; 

loc_9E1B48:				; CODE XREF: GetAttributeName(x,x,x)+97j
					; GetAttributeName(x,x,x)+ABj
		cmp	esi, 6
		jb	short loc_9E1B7F
		push	6		; size_t
		push	offset ??_C@_1O@PJNANMOG@?$AA?$EA?$AAU?$AAS?$AAE?$AAR?$AA?4@NNGAKEGL@ ;	wchar_t	*
		push	edi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9E1B7F
		cmp	esi, 6
		jz	loc_9E1C4F
		mov	eax, [ebp+var_4]
		add	edi, 0Ch
		mov	ecx, [eax]
		lea	eax, ds:0FFFFFFF4h[esi*2]
		mov	byte ptr [ecx+1], 0F9h
		jmp	short loc_9E1BDE
; 

loc_9E1B7F:				; CODE XREF: GetAttributeName(x,x,x)+D1j
					; GetAttributeName(x,x,x)+E5j
		cmp	esi, 7
		jb	short loc_9E1BB6
		push	7		; size_t
		push	offset ??_C@_1BA@DDPCKNJI@?$AA?$EA?$AAT?$AAO?$AAK?$AAE?$AAN?$AA?4@NNGAKEGL@ ; wchar_t *
		push	edi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9E1BB6
		cmp	esi, 7
		jz	loc_9E1C4F
		mov	eax, [ebp+var_4]
		add	edi, 0Eh
		mov	ecx, [eax]
		lea	eax, ds:0FFFFFFF2h[esi*2]
		mov	byte ptr [ecx+1], 0FCh
		jmp	short loc_9E1BDE
; 

loc_9E1BB6:				; CODE XREF: GetAttributeName(x,x,x)+108j
					; GetAttributeName(x,x,x)+11Cj
		test	esi, esi
		jz	loc_9E1C4F
		push	1		; size_t
		push	(offset	loc_8BF7BB+1) ;	wchar_t	*
		push	edi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9E1C4F
		mov	eax, [ebp+var_4]
		mov	ecx, [eax]
		lea	eax, [esi+esi]
		mov	byte ptr [ecx+1], 0F8h

loc_9E1BDE:				; CODE XREF: GetAttributeName(x,x,x)+8Fj
					; GetAttributeName(x,x,x)+C9j ...
		mov	[ecx+4], eax
		cmp	byte ptr [ecx+1], 0F8h
		mov	eax, [ebp+arg_0]
		mov	edx, [ecx+4]
		mov	[eax], esi
		jnz	short loc_9E1C17
		push	ecx
		mov	ecx, edx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx]
		mov	[ecx+8], eax
		test	eax, eax
		jnz	short loc_9E1C08
		push	8
		pop	ebx
		jmp	short loc_9E1C54
; 

loc_9E1C08:				; CODE XREF: GetAttributeName(x,x,x)+187j
		push	dword ptr [ecx+4] ; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_9E1C54
; 

loc_9E1C17:				; CODE XREF: GetAttributeName(x,x,x)+173j
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		call	_DecodeAttributeName@12	; DecodeAttributeName(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9E1C54
		mov	eax, [ebp+var_4]
		xor	edi, edi
		mov	ecx, [ebp+var_8]
		mov	edx, [eax]
		lea	esi, [ecx+2]
		mov	[edx+8], ecx

loc_9E1C38:				; CODE XREF: GetAttributeName(x,x,x)+1C7j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_9E1C38
		sub	ecx, esi
		sar	ecx, 1
		lea	eax, [ecx+ecx]
		mov	[edx+4], eax
		jmp	short loc_9E1C54
; 

loc_9E1C4F:				; CODE XREF: GetAttributeName(x,x,x)+76j
					; GetAttributeName(x,x,x)+B0j ...
		mov	ebx, 538h

loc_9E1C54:				; CODE XREF: GetAttributeName(x,x,x)+18Cj
					; GetAttributeName(x,x,x)+19Bj	...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_GetAttributeName@12 endp


;  S U B	R O U T	I N E 


; __stdcall GetBinaryOperandLen(x, x)
_GetBinaryOperandLen@8 proc near	; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+36Dp
		mov	edi, edi
		push	ebx
		push	esi
		push	20h
		xor	esi, esi
		pop	ebx
		mov	[edx], esi
		cmp	[ecx], bx
		jz	short loc_9E1C9E
		push	edi

loc_9E1C6E:				; CODE XREF: GetBinaryOperandLen(x,x)+3Ej
		lea	edi, [esi+esi]
		movzx	eax, word ptr [edi+ecx]
		cmp	eax, 29h
		jz	short loc_9E1C9D
		cmp	eax, 7Dh
		jz	short loc_9E1C9D
		cmp	eax, 7Ch
		jz	short loc_9E1C9D
		cmp	eax, 26h
		jz	short loc_9E1C9D
		cmp	eax, 2Ch
		jz	short loc_9E1C9D
		test	ax, ax
		jz	short loc_9E1C9D
		inc	esi
		mov	[edx], esi
		cmp	[edi+ecx+2], bx
		jnz	short loc_9E1C6E

loc_9E1C9D:				; CODE XREF: GetBinaryOperandLen(x,x)+1Bj
					; GetBinaryOperandLen(x,x)+20j	...
		pop	edi

loc_9E1C9E:				; CODE XREF: GetBinaryOperandLen(x,x)+Ej
		pop	esi
		pop	ebx
		retn
_GetBinaryOperandLen@8 endp


;  S U B	R O U T	I N E 


; __stdcall GetConditionToken(x, x)
_GetConditionToken@8 proc near		; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+16Dp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		xor	eax, eax
		mov	bl, al
		mov	[esi], eax
		movzx	eax, word ptr [ecx]
		cmp	eax, 28h
		jnz	short loc_9E1CB9
		mov	bl, 0FEh
		jmp	short loc_9E1CCD
; 

loc_9E1CB9:				; CODE XREF: GetConditionToken(x,x)+12j
		cmp	eax, 7Bh
		jz	short loc_9E1CCD
		cmp	eax, 29h
		jnz	short loc_9E1CC8
		or	bl, 0FFh
		jmp	short loc_9E1CCD
; 

loc_9E1CC8:				; CODE XREF: GetConditionToken(x,x)+20j
		cmp	eax, 7Dh
		jnz	short loc_9E1CD5

loc_9E1CCD:				; CODE XREF: GetConditionToken(x,x)+16j
					; GetConditionToken(x,x)+1Bj ...
		mov	dword ptr [esi], 1
		jmp	short loc_9E1D06
; 

loc_9E1CD5:				; CODE XREF: GetConditionToken(x,x)+2Aj
		call	_GetOperatorIndexByName@4 ; GetOperatorIndexByName(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9E1D06
		imul	eax, 14h
		push	edi
		xor	edi, edi
		mov	ecx, ds:_Operators[eax]
		mov	bl, ds:byte_403FDC[eax]
		lea	edx, [ecx+2]

loc_9E1CF4:				; CODE XREF: GetConditionToken(x,x)+5Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_9E1CF4
		sub	ecx, edx
		sar	ecx, 1
		mov	[esi], ecx
		pop	edi

loc_9E1D06:				; CODE XREF: GetConditionToken(x,x)+32j
					; GetConditionToken(x,x)+3Cj
		pop	esi
		mov	al, bl
		pop	ebx
		retn
_GetConditionToken@8 endp


;  S U B	R O U T	I N E 


; __stdcall GetDigitFromChar2(x, x)
_GetDigitFromChar2@8 proc near		; CODE XREF: DecodeAttributeName(x,x,x)+B1p
					; DecodeAttributeName(x,x,x)+C7p ...
		cmp	cx, 30h
		jb	short loc_9E1D1F
		cmp	cx, 39h
		ja	short loc_9E1D1F
		sub	cl, 30h

loc_9E1D1A:				; CODE XREF: GetDigitFromChar2(x,x)+23j
					; GetDigitFromChar2(x,x)+34j
		mov	[edx], cl
		mov	al, 1
		retn
; 

loc_9E1D1F:				; CODE XREF: GetDigitFromChar2(x,x)+4j
					; GetDigitFromChar2(x,x)+Aj
		cmp	cx, 41h
		jb	short loc_9E1D30
		cmp	cx, 46h
		ja	short loc_9E1D30
		sub	cl, 37h
		jmp	short loc_9E1D1A
; 

loc_9E1D30:				; CODE XREF: GetDigitFromChar2(x,x)+18j
					; GetDigitFromChar2(x,x)+1Ej
		cmp	cx, 61h
		jb	short loc_9E1D41
		cmp	cx, 66h
		ja	short loc_9E1D41
		sub	cl, 57h
		jmp	short loc_9E1D1A
; 

loc_9E1D41:				; CODE XREF: GetDigitFromChar2(x,x)+29j
					; GetDigitFromChar2(x,x)+2Fj
		xor	al, al
		retn
_GetDigitFromChar2@8 endp


;  S U B	R O U T	I N E 


; __stdcall GetDigitFromChar(x,	x)
_GetDigitFromChar@8 proc near		; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+3BEp
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+3D6p ...
		cmp	cx, 30h
		jb	short loc_9E1D58
		cmp	cx, 39h
		ja	short loc_9E1D58
		sub	cl, 30h

loc_9E1D53:				; CODE XREF: GetDigitFromChar(x,x)+23j
					; GetDigitFromChar(x,x)+34j
		mov	[edx], cl

loc_9E1D55:				; CODE XREF: GetDigitFromChar(x,x)+3Fj
		mov	al, 1
		retn
; 

loc_9E1D58:				; CODE XREF: GetDigitFromChar(x,x)+4j
					; GetDigitFromChar(x,x)+Aj
		cmp	cx, 41h
		jb	short loc_9E1D69
		cmp	cx, 46h
		ja	short loc_9E1D69
		sub	cl, 37h
		jmp	short loc_9E1D53
; 

loc_9E1D69:				; CODE XREF: GetDigitFromChar(x,x)+18j
					; GetDigitFromChar(x,x)+1Ej
		cmp	cx, 61h
		jb	short loc_9E1D7A
		cmp	cx, 66h
		ja	short loc_9E1D7A
		sub	cl, 57h
		jmp	short loc_9E1D53
; 

loc_9E1D7A:				; CODE XREF: GetDigitFromChar(x,x)+29j
					; GetDigitFromChar(x,x)+2Fj
		cmp	cx, 23h
		jnz	short loc_9E1D85
		mov	byte ptr [edx],	0
		jmp	short loc_9E1D55
; 

loc_9E1D85:				; CODE XREF: GetDigitFromChar(x,x)+3Aj
		xor	al, al
		retn
_GetDigitFromChar@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall GetFlags(x,	x, x)
_GetFlags@12	proc near		; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+204p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, ecx
		xor	esi, esi
		mov	[ebp+var_4], eax
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], esi
		push	eax
		mov	ebx, edx
		mov	[ebp+var_8], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[edi], esi
		call	dword ptr ds:__imp__RtlInitUnicodeString@8 ; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlUnicodeStringToInt64@16 ; RtlUnicodeStringToInt64(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_9E1DD2
		mov	eax, [ebp+var_14]
		mov	[edi], eax

loc_9E1DD2:				; CODE XREF: GetFlags(x,x,x)+43j
		mov	eax, [ebp+var_4]
		cmp	[ebx], eax
		jnz	short loc_9E1DE4
		cmp	[edi], esi
		jnz	short loc_9E1DE4
		mov	esi, 538h
		jmp	short loc_9E1DF1
; 

loc_9E1DE4:				; CODE XREF: GetFlags(x,x,x)+4Fj
					; GetFlags(x,x,x)+53j
		cmp	ecx, 0C0000095h
		jnz	short loc_9E1DF1
		mov	esi, 216h

loc_9E1DF1:				; CODE XREF: GetFlags(x,x,x)+5Aj
					; GetFlags(x,x,x)+62j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_GetFlags@12	endp


;  S U B	R O U T	I N E 


; __stdcall GetNextNoneWhiteSpace(x, x)
_GetNextNoneWhiteSpace@8 proc near	; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+F1p
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+24Ap ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	eax, eax
		mov	esi, eax
		mov	ecx, [edi]
		cmp	[ebx+ecx*2], ax
		jz	short loc_9E1E31

loc_9E1E0F:				; CODE XREF: GetNextNoneWhiteSpace(x,x)+33j
		lea	eax, [ecx+esi]
		movzx	eax, word ptr [ebx+eax*2]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E1E2F
		mov	ecx, [edi]
		inc	esi
		xor	edx, edx
		lea	eax, [ecx+esi]
		cmp	[ebx+eax*2], dx
		jnz	short loc_9E1E0F

loc_9E1E2F:				; CODE XREF: GetNextNoneWhiteSpace(x,x)+25j
		xor	eax, eax

loc_9E1E31:				; CODE XREF: GetNextNoneWhiteSpace(x,x)+13j
		cmp	[ebx+esi*2], ax
		jnz	short loc_9E1E3E
		mov	eax, 538h
		jmp	short loc_9E1E42
; 

loc_9E1E3E:				; CODE XREF: GetNextNoneWhiteSpace(x,x)+3Bj
		add	[edi], esi
		xor	eax, eax

loc_9E1E42:				; CODE XREF: GetNextNoneWhiteSpace(x,x)+42j
		pop	edi
		pop	esi
		pop	ebx
		retn
_GetNextNoneWhiteSpace@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall GetOperandValue(x, x, x, x,	x, x, x, x, x)
_GetOperandValue@36 proc near		; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+122p
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+515p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
var_4		= byte ptr -4
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_5], dl
		xor	ecx, ecx
		mov	eax, ecx
		mov	[ebp+var_C], ecx
		push	edi
		mov	[ebp+var_10], eax
		mov	ebx, ecx
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_8]
		push	ecx
		push	0Ch
		mov	[ebp+var_4], cl
		mov	[ebp+var_3], cl
		mov	[ebp+var_20], ecx
		mov	byte ptr [ebp+var_1], cl
		mov	[ebp+var_14], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_2], cl
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	[eax], ecx
		pop	ecx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	edi, [ebp+arg_4]
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_9E1ED0

loc_9E1E97:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+1BAj
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+1E4j ...
		push	8
		pop	ebx

loc_9E1E9A:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+C3j
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+FAj ...
		mov	ecx, [edi]
		call	_FreeOperandValue@4 ; FreeOperandValue(x)
		xor	eax, eax
		mov	[edi], eax

loc_9E1EA5:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+C5j
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+E6j ...
		mov	esi, [ebp+var_10]
		xor	edi, edi

loc_9E1EAA:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+366j
		mov	ecx, [ebp+var_14]
		test	ecx, ecx
		jz	short loc_9E1EB6
		call	_FreeOperandValue@4 ; FreeOperandValue(x)

loc_9E1EB6:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+69j
		test	esi, esi
		jz	short loc_9E1EC7
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_9E1EC7
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E1EC7:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+72j
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+78j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	1Ch
; 

loc_9E1ED0:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+4Fj
		cmp	[ebp+var_5], bl
		jnz	loc_9E236E
		push	1		; size_t
		push	(offset	loc_8BF7BB+1) ;	wchar_t	*
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_9E236E
		movzx	eax, word ptr [esi]
		cmp	eax, 22h
		jnz	short loc_9E1F0D
		push	[ebp+arg_8]
		mov	edx, edi
		mov	ecx, esi
		call	_GetStringOperandValue@12 ; GetStringOperandValue(x,x,x)

loc_9E1F05:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+534j
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9E1E9A
		jmp	short loc_9E1EA5
; 

loc_9E1F0D:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+B1j
		push	7Bh
		pop	ecx
		cmp	ax, cx
		jnz	loc_9E20E4
		mov	eax, [edi]
		xor	ecx, ecx
		mov	[ebp+var_C], 1
		mov	byte ptr [eax+1], 50h
		cmp	[esi+2], cx
		jz	loc_9E1EA5

loc_9E1F32:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+26Dj
		lea	edx, [ebp+var_C]
		mov	ecx, esi
		call	_GetNextNoneWhiteSpace@8 ; GetNextNoneWhiteSpace(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_9E1E9A
		mov	eax, [ebp+var_C]
		push	7Bh
		lea	ecx, [esi+eax*2]
		pop	eax
		cmp	[ecx], ax
		jz	loc_9E20DA
		xor	edx, edx
		lea	eax, [ebp+var_14]
		push	edx
		push	edx
		push	edx
		push	edx
		push	[ebp+arg_8]
		push	eax
		push	edx
		xor	dl, dl
		call	_GetOperandValue@36 ; GetOperandValue(x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_9E1E9A
		mov	edx, [ebp+var_14]
		cmp	byte ptr [ebp+arg_0], al
		jz	short loc_9E1F95
		mov	al, [ebp+var_2]
		test	al, al
		jz	short loc_9E1F8F
		cmp	al, [edx+1]
		jnz	loc_9E20DA

loc_9E1F8F:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+13Ej
		mov	al, [edx+1]
		mov	[ebp+var_2], al

loc_9E1F95:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+137j
		mov	cl, [edx+1]
		call	_IsValueSizeFixed@4 ; IsValueSizeFixed(x)
		mov	ecx, [edi]
		xor	ebx, ebx
		mov	edx, [edx+4]
		test	al, al
		mov	byte ptr [ebp+arg_4+3],	al
		setz	bl
		xor	eax, eax
		cmp	[ecx+8], eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	ebx, ds:1[ebx*4]
		mov	[ebp+var_28], ebx
		jz	short loc_9E2008
		mov	ecx, [ecx+4]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9E20BE
		mov	ecx, [ebp+var_18]
		lea	eax, [ebp+var_18]
		push	eax
		mov	edx, ebx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9E20BE
		mov	ecx, [edi]
		mov	edx, [ebp+var_18]
		push	ecx		; int
		push	ecx		; int
		push	dword ptr [ecx+8] ; void *
		mov	ecx, [ecx+4]
		call	_SddlpReAlloc@20 ; SddlpReAlloc(x,x,x,x,x)
		mov	ebx, [edi]
		mov	[ebx+8], eax
		test	eax, eax
		jz	loc_9E1E97
		jmp	short loc_9E2025
; 

loc_9E2008:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+179j
		mov	ecx, ebx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9E20BE
		mov	ebx, [edi]
		push	ecx
		mov	ecx, [ebp+var_18]
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[ebx+8], eax

loc_9E2025:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+1C0j
		mov	edx, [ebx+8]
		test	edx, edx
		jz	loc_9E1E97
		cmp	byte ptr [ebp+arg_4+3],	0
		mov	eax, [ebp+var_14]
		mov	ecx, [ebx+4]
		mov	al, [eax+1]
		mov	[edx+ecx], al
		jnz	short loc_9E2052
		mov	eax, [ebp+var_14]
		mov	edx, [ebx+4]
		mov	ecx, [ebx+8]
		mov	eax, [eax+4]
		mov	[edx+ecx+1], eax

loc_9E2052:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+1FAj
		mov	eax, [ebp+var_14]
		push	dword ptr [eax+4] ; size_t
		push	dword ptr [eax+8] ; void *
		mov	eax, [ebx+4]
		add	eax, [ebx+8]
		add	eax, [ebp+var_28]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_18]
		add	esp, 0Ch
		mov	[ebx+4], eax
		mov	ecx, [ebp+var_14]
		call	_FreeOperandValue@4 ; FreeOperandValue(x)
		mov	ecx, [ebp+var_C]
		lea	edx, [ebp+var_C]
		xor	eax, eax
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_8]
		add	ecx, [eax]
		mov	[ebp+var_C], ecx
		mov	ecx, esi
		call	_GetNextNoneWhiteSpace@8 ; GetNextNoneWhiteSpace(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_9E1E9A
		mov	eax, [ebp+var_C]
		cmp	word ptr [esi+eax*2], 2Ch
		jnz	short loc_9E20C8
		inc	eax
		xor	ecx, ecx
		mov	[ebp+var_C], eax
		cmp	[esi+eax*2], cx
		jnz	loc_9E1F32
		jmp	loc_9E1EA5
; 

loc_9E20BE:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+185j
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+19Bj ...
		mov	ebx, 216h
		jmp	loc_9E1E9A
; 

loc_9E20C8:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+261j
		cmp	word ptr [esi+eax*2], 7Dh
		jnz	short loc_9E20DA
		mov	ecx, [ebp+arg_8]
		inc	eax
		mov	[ecx], eax
		jmp	loc_9E1EA5
; 

loc_9E20DA:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+10Cj
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+143j ...
		mov	ebx, 538h
		jmp	loc_9E1E9A
; 

loc_9E20E4:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+CDj
		push	3
		pop	eax
		push	eax		; size_t
		push	offset ??_C@_17HNFFEAHN@?$AAS?$AAI?$AAD@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		mov	[ebp+arg_4], eax
		call	__wcsnicmp
		add	esp, 0Ch
		lea	edx, [ebp+var_C]
		test	eax, eax
		jnz	loc_9E21B1
		push	3
		pop	ecx
		mov	[ebp+var_C], ecx
		mov	ecx, esi
		call	_GetNextNoneWhiteSpace@8 ; GetNextNoneWhiteSpace(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_9E1E9A
		mov	eax, [ebp+var_C]
		cmp	word ptr [esi+eax*2], 28h
		jnz	short loc_9E20DA
		sub	esp, 10h
		lea	ecx, [ebp+var_1]
		inc	eax
		lea	edx, [ebp+var_1C]
		mov	[ebp+arg_4], eax
		add	eax, eax
		mov	[ebp+arg_0], eax
		push	ecx
		lea	ecx, [ebp+var_28]
		push	ecx
		lea	ecx, [eax+esi]
		call	LocalGetSidForString
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9E2179
		mov	eax, [ebp+var_28]
		lea	edx, [ebp+var_C]
		sub	eax, [ebp+arg_0]
		mov	ecx, esi
		sub	eax, esi
		sar	eax, 1
		add	eax, [ebp+arg_4]
		mov	[ebp+var_C], eax
		call	_GetNextNoneWhiteSpace@8 ; GetNextNoneWhiteSpace(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9E2179
		mov	eax, [ebp+var_C]
		cmp	word ptr [esi+eax*2], 29h
		jz	short loc_9E2184
		mov	ebx, 538h

loc_9E2179:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+302j
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+322j
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_10], eax
		jmp	loc_9E1E9A
; 

loc_9E2184:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+32Cj
		mov	ecx, [ebp+arg_8]
		inc	eax
		mov	edi, [edi]
		mov	esi, [ebp+var_1C]
		push	esi
		mov	[ecx], eax
		mov	byte ptr [edi+1], 51h
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		cmp	byte ptr [ebp+var_1], 0
		mov	[edi+4], eax
		mov	[edi+8], esi
		setz	al
		mov	[edi], al
		xor	edi, edi
		mov	esi, edi
		jmp	loc_9E1EAA
; 

loc_9E21B1:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+2B8j
		mov	ecx, esi
		call	_GetBinaryOperandLen@8 ; GetBinaryOperandLen(x,x)
		cmp	word ptr [esi],	23h
		mov	ecx, [ebp+var_C]
		jnz	loc_9E2255
		cmp	ecx, 2
		jb	loc_9E20DA
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		mov	eax, [edi]
		shr	ecx, 1
		push	ecx
		mov	[ebp+arg_8], ecx
		mov	byte ptr [eax+1], 18h
		mov	[eax+4], ecx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, [edi]
		mov	[ebp+arg_4], ecx
		mov	[ecx+8], eax
		test	eax, eax
		jz	loc_9E1E97
		mov	eax, [ebp+var_C]
		dec	eax
		jmp	short loc_9E2248
; 

loc_9E21FD:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+408j
		mov	cx, [esi+eax*2]
		lea	edx, [ebp+var_4]
		call	_GetDigitFromChar@8 ; GetDigitFromChar(x,x)
		test	al, al
		jz	loc_9E1E97
		mov	eax, [ebp+arg_0]
		lea	edx, [ebp-3]
		mov	cx, [esi+eax*2-2]
		call	_GetDigitFromChar@8 ; GetDigitFromChar(x,x)
		test	al, al
		jz	loc_9E1E97
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_8]
		mov	cl, [ebp+var_3]
		dec	edx
		shl	cl, 4
		mov	eax, [eax+8]
		or	cl, [ebp+var_4]
		mov	[ebp+arg_8], edx
		mov	[edx+eax], cl
		mov	eax, [ebp+arg_0]
		sub	eax, 2

loc_9E2248:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+3B5j
		mov	[ebp+arg_0], eax
		cmp	eax, 1
		jge	short loc_9E21FD
		jmp	loc_9E1EA5
; 

loc_9E2255:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+379j
		test	ecx, ecx
		jz	loc_9E20DA
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		lea	eax, [ebp+var_24]
		push	eax
		push	1
		xor	ecx, ecx
		lea	eax, [ebp+var_20]
		push	ecx
		push	eax
		push	esi
		push	ecx
		call	_wcstoxq
		mov	[ebp+arg_0], edx
		add	esp, 18h
		mov	edx, [ebp+var_20]
		mov	[ebp+var_28], eax
		cmp	edx, esi
		jnz	short loc_9E2291
		mov	ecx, eax
		or	ecx, [ebp+arg_0]
		jz	loc_9E20DA

loc_9E2291:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+43Ej
		mov	eax, [ebp+var_C]
		lea	eax, [esi+eax*2]
		cmp	edx, eax
		jnz	loc_9E20DA
		cmp	[ebp+var_24], ebx
		jnz	loc_9E20DA
		movzx	eax, word ptr [esi]
		cmp	eax, 2Dh
		jnz	short loc_9E22ED
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		push	eax
		push	1
		push	ecx
		lea	eax, [ebp+var_20]
		add	esi, 2
		push	eax
		push	esi
		push	ecx
		call	_wcstoxq
		add	esp, 18h
		cmp	edx, [ebp+arg_0]
		jb	short loc_9E22DE
		ja	short loc_9E22D6
		cmp	eax, [ebp+var_28]
		jb	short loc_9E22DE

loc_9E22D6:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+489j
		or	eax, edx
		jnz	loc_9E20DA

loc_9E22DE:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+487j
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+48Ej
		movzx	eax, word ptr [esi]
		mov	edx, [ebp+var_20]
		mov	[ebp+arg_8], 2
		jmp	short loc_9E2308
; 

loc_9E22ED:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+468j
		cmp	eax, 2Bh
		jnz	short loc_9E2301
		add	esi, 2
		mov	[ebp+arg_8], 1
		movzx	eax, word ptr [esi]
		jmp	short loc_9E2308
; 

loc_9E2301:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+4AAj
		mov	[ebp+arg_8], 3

loc_9E2308:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+4A5j
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+4B9j
		cmp	ax, 30h
		jnz	short loc_9E2328
		add	esi, 2
		cmp	esi, edx
		jnb	short loc_9E2322
		movzx	eax, word ptr [esi]
		cmp	eax, 78h
		jz	short loc_9E232C
		cmp	eax, 58h
		jz	short loc_9E232C

loc_9E2322:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+4CDj
		mov	byte ptr [ebp+arg_4], 1
		jmp	short loc_9E232C
; 

loc_9E2328:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+4C6j
		mov	byte ptr [ebp+arg_4], 2

loc_9E232C:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+4D5j
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+4DAj ...
		mov	eax, [edi]
		push	0Ah
		pop	ecx
		push	ecx
		mov	byte ptr [eax+1], 4
		mov	[eax+4], ecx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, [edi]
		mov	[ecx+8], eax
		test	eax, eax
		jz	loc_9E1E97
		mov	edx, [ebp+var_28]
		mov	[eax], edx
		mov	edx, [ebp+arg_0]
		mov	[eax+4], edx
		mov	eax, [ecx+8]
		mov	edx, [ebp+arg_8]
		mov	[eax+8], dx
		mov	eax, [ecx+8]
		mov	ecx, [ebp+arg_4]
		mov	[eax+9], cl
		jmp	loc_9E1EA5
; 

loc_9E236E:				; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+8Dj
					; GetOperandValue(x,x,x,x,x,x,x,x,x)+A5j
		push	[ebp+arg_8]	; int
		mov	edx, edi	; int
		mov	ecx, esi	; wchar_t *
		call	_GetAttributeName@12 ; GetAttributeName(x,x,x)
		jmp	loc_9E1F05
_GetOperandValue@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall GetOperatorIndexByName(x)
_GetOperatorIndexByName@4 proc near	; CODE XREF: GetConditionToken(x,x):loc_9E1CD5p

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, offset ??_C@_1M@NOBIFNHC@?$AA?5?$AA?$CI?$AA?$CJ?$AA?$HL?$AA?$HN@NNGAKEGL@
		lea	edi, [ebp+var_10]
		mov	eax, ecx
		lea	ebx, [ebp+var_90]
		xor	edx, edx
		mov	[ebp+var_94], eax
		mov	[ebp+var_9C], edx
		movsd
		mov	[ebp+var_98], edx
		mov	[ebp+var_A0], edx
		mov	[ebp+var_A4], edx
		movsd
		movsd
		mov	esi, eax
		lea	ecx, [esi+2]

loc_9E23CF:				; CODE XREF: GetOperatorIndexByName(x)+59j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_9E23CF
		sub	esi, ecx
		sar	esi, 1
		lea	ecx, [esi+esi]
		cmp	ecx, 80h
		jbe	short loc_9E23F9
		push	ecx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9E24EE

loc_9E23F9:				; CODE XREF: GetOperatorIndexByName(x)+68j
		push	0FFFFFFFFh
		push	[ebp+var_94]
		push	esi
		push	ebx
		call	_wcsncpy_s
		lea	eax, [ebp+var_A4]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		call	_wcstok_s
		add	esp, 1Ch
		mov	[ebp+var_A8], eax
		test	eax, eax
		jz	loc_9E24EE
		mov	esi, eax
		xor	edx, edx
		lea	ecx, [esi+2]

loc_9E2431:				; CODE XREF: GetOperatorIndexByName(x)+BBj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_9E2431
		sub	esi, ecx
		mov	[ebp+var_98], edx
		sar	esi, 1
		mov	edi, edx

loc_9E2448:				; CODE XREF: GetOperatorIndexByName(x)+169j
		mov	edx, ds:_Operators[edi]
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[ebp+var_94], eax

loc_9E2459:				; CODE XREF: GetOperatorIndexByName(x)+E7j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_9C]
		jnz	short loc_9E2459
		sub	ecx, [ebp+var_94]
		sar	ecx, 1
		cmp	esi, ecx
		jbe	short loc_9E2478
		mov	ecx, esi
		jmp	short loc_9E249A
; 

loc_9E2478:				; CODE XREF: GetOperatorIndexByName(x)+F3j
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[ebp+var_94], eax

loc_9E2483:				; CODE XREF: GetOperatorIndexByName(x)+111j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_9C]
		jnz	short loc_9E2483
		sub	ecx, [ebp+var_94]
		sar	ecx, 1

loc_9E249A:				; CODE XREF: GetOperatorIndexByName(x)+F7j
		cmp	ds:byte_403FE8[edi], 0
		jnz	short loc_9E24C5
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[ebp+var_94], eax

loc_9E24AE:				; CODE XREF: GetOperatorIndexByName(x)+13Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_9C]
		jnz	short loc_9E24AE
		sub	ecx, [ebp+var_94]
		sar	ecx, 1

loc_9E24C5:				; CODE XREF: GetOperatorIndexByName(x)+122j
		push	ecx		; size_t
		push	edx		; wchar_t *
		push	[ebp+var_A8]	; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9E251A
		inc	[ebp+var_98]
		add	edi, 14h
		cmp	edi, 1E0h
		jb	loc_9E2448

loc_9E24EE:				; CODE XREF: GetOperatorIndexByName(x)+74j
					; GetOperatorIndexByName(x)+A5j
		mov	esi, [ebp+var_A0]

loc_9E24F4:				; CODE XREF: GetOperatorIndexByName(x)+19Ej
		lea	eax, [ebp+var_90]
		cmp	ebx, eax
		jz	short loc_9E250B
		test	ebx, ebx
		jz	short loc_9E250B
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E250B:				; CODE XREF: GetOperatorIndexByName(x)+17Dj
					; GetOperatorIndexByName(x)+181j
		pop	edi
		test	esi, esi
		pop	esi
		pop	ebx
		jz	short loc_9E251F
		mov	eax, [ebp+var_98]
		jmp	short loc_9E2522
; 

loc_9E251A:				; CODE XREF: GetOperatorIndexByName(x)+158j
		xor	esi, esi
		inc	esi
		jmp	short loc_9E24F4
; 

loc_9E251F:				; CODE XREF: GetOperatorIndexByName(x)+191j
		or	eax, 0FFFFFFFFh

loc_9E2522:				; CODE XREF: GetOperatorIndexByName(x)+199j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_GetOperatorIndexByName@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall GetStringOperandValue(x, x,	x)
_GetStringOperandValue@12 proc near	; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+BAp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edx
		lea	ebx, [ecx+2]
		mov	[ebp+var_4], 22h
		movzx	eax, word ptr [ebx]
		xor	esi, esi
		inc	edi
		jmp	short loc_9E2559
; 

loc_9E254F:				; CODE XREF: GetStringOperandValue(x,x,x)+2Fj
		test	ax, ax
		jz	short loc_9E255F
		inc	edi
		movzx	eax, word ptr [ecx+edi*2]

loc_9E2559:				; CODE XREF: GetStringOperandValue(x,x,x)+1Fj
		cmp	ax, word ptr [ebp+var_4]
		jnz	short loc_9E254F

loc_9E255F:				; CODE XREF: GetStringOperandValue(x,x,x)+24j
		cmp	[ecx+edi*2], si
		jnz	short loc_9E256C
		mov	esi, 538h
		jmp	short loc_9E25B9
; 

loc_9E256C:				; CODE XREF: GetStringOperandValue(x,x,x)+35j
		mov	eax, [edx]
		mov	byte ptr [eax+1], 10h
		cmp	edi, 1
		jbe	short loc_9E25AB
		lea	ecx, ds:0FFFFFFFEh[edi*2]
		mov	[eax+4], ecx
		test	ecx, ecx
		jz	short loc_9E25B1
		push	ecx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, [ebp+var_8]
		mov	ecx, [ecx]
		mov	[ecx+8], eax
		test	eax, eax
		jnz	short loc_9E259C
		push	8
		pop	esi
		jmp	short loc_9E25B9
; 

loc_9E259C:				; CODE XREF: GetStringOperandValue(x,x,x)+67j
		push	dword ptr [ecx+4] ; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_9E25B1
; 

loc_9E25AB:				; CODE XREF: GetStringOperandValue(x,x,x)+47j
		mov	[eax+4], esi
		mov	[eax+8], esi

loc_9E25B1:				; CODE XREF: GetStringOperandValue(x,x,x)+55j
					; GetStringOperandValue(x,x,x)+7Bj
		mov	ecx, [ebp+arg_0]
		lea	edx, [edi+1]
		mov	[ecx], edx

loc_9E25B9:				; CODE XREF: GetStringOperandValue(x,x,x)+3Cj
					; GetStringOperandValue(x,x,x)+6Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_GetStringOperandValue@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall GetValueType(wchar_t *,int,int)
_GetValueType@12 proc near		; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+1C3p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		xor	edi, edi
		cmp	[esi], di
		jz	loc_9E2688
		cmp	[esi+2], di
		jz	loc_9E2688
		push	2
		pop	eax
		push	eax		; size_t
		push	offset ??_C@_15DPDOADAK@?$AAT?$AAI@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9E25FE
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_9E267B
; 

loc_9E25FE:				; CODE XREF: GetValueType(x,x,x)+35j
		push	2
		pop	eax
		push	eax		; size_t
		push	offset ??_C@_15CFPBOLCN@?$AAT?$AAU@NNGAKEGL@ ; "TU"
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		push	2
		test	eax, eax
		jz	short loc_9E267A
		pop	eax
		push	eax		; size_t
		push	offset ??_C@_15MNFENLNH@?$AAT?$AAD@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9E262E
		push	5
		jmp	short loc_9E267A
; 

loc_9E262E:				; CODE XREF: GetValueType(x,x,x)+66j
		push	2
		pop	eax
		push	eax		; size_t
		push	offset ??_C@_15JKLEPB@?$AAT?$AAS@NNGAKEGL@ ; "TS"
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9E2648
		push	3
		jmp	short loc_9E267A
; 

loc_9E2648:				; CODE XREF: GetValueType(x,x,x)+80j
		push	2
		pop	eax
		push	eax		; size_t
		push	offset ??_C@_15NHJLDDPA@?$AAT?$AAX@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9E2662
		push	10h
		jmp	short loc_9E267A
; 

loc_9E2662:				; CODE XREF: GetValueType(x,x,x)+9Aj
		push	2
		pop	eax
		push	eax		; size_t
		push	offset ??_C@_15OIDPIEAL@?$AAT?$AAB@NNGAKEGL@ ; wchar_t *
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9E2688
		push	6

loc_9E267A:				; CODE XREF: GetValueType(x,x,x)+52j
					; GetValueType(x,x,x)+6Aj ...
		pop	ecx

loc_9E267B:				; CODE XREF: GetValueType(x,x,x)+3Aj
		mov	eax, [ebp+arg_0]
		mov	[eax], cx
		lea	eax, [esi+4]
		mov	[ebx], eax
		jmp	short loc_9E268D
; 

loc_9E2688:				; CODE XREF: GetValueType(x,x,x)+11j
					; GetValueType(x,x,x)+1Bj ...
		mov	edi, 538h

loc_9E268D:				; CODE XREF: GetValueType(x,x,x)+C4j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_GetValueType@12 endp


;  S U B	R O U T	I N E 


; __stdcall IsArrayType(x)
_IsArrayType@4	proc near		; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+4D5p
		xor	al, al
		cmp	cl, 86h
		jz	short loc_9E26AF
		cmp	cl, 87h
		jbe	short locret_9E26B1
		cmp	cl, 8Ch
		jbe	short loc_9E26AF
		add	cl, 72h
		cmp	cl, 5
		ja	short locret_9E26B1

loc_9E26AF:				; CODE XREF: IsArrayType(x)+5j
					; IsArrayType(x)+Fj
		mov	al, 1

locret_9E26B1:				; CODE XREF: IsArrayType(x)+Aj
					; IsArrayType(x)+17j
		retn
_IsArrayType@4	endp


;  S U B	R O U T	I N E 


; int __fastcall IsEncodedAttributeChar(wint_t)
_IsEncodedAttributeChar@4 proc near	; CODE XREF: DecodeAttributeName(x,x,x)+12Dp
					; EncodeAttributeName(x,x,x)+69p
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ecx
		inc	ebx
		cmp	si, 7Fh
		jnb	short loc_9E26E1
		push	esi		; wint_t
		call	_iswalnum
		pop	ecx
		test	eax, eax
		jnz	short loc_9E26DF

loc_9E26CC:				; CODE XREF: IsEncodedAttributeChar(x)+29j
		cmp	ds:_NotEncodedAttributeChar[eax], si
		jz	short loc_9E26DF
		add	eax, 2
		cmp	eax, 2Ah
		jb	short loc_9E26CC
		jmp	short loc_9E26E1
; 

loc_9E26DF:				; CODE XREF: IsEncodedAttributeChar(x)+18j
					; IsEncodedAttributeChar(x)+21j
		xor	bl, bl

loc_9E26E1:				; CODE XREF: IsEncodedAttributeChar(x)+Dj
					; IsEncodedAttributeChar(x)+2Bj
		pop	esi
		mov	al, bl
		pop	ebx
		retn
_IsEncodedAttributeChar@4 endp


;  S U B	R O U T	I N E 


; __stdcall IsLegalAttributeChar2(x)
_IsLegalAttributeChar2@4 proc near	; CODE XREF: GetAttributeName(x,x,x)+31p
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+B9p
		mov	dl, 1
		cmp	cx, 7Fh
		jnb	short loc_9E2705
		xor	eax, eax

loc_9E26F0:				; CODE XREF: IsLegalAttributeChar2(x)+19j
		cmp	word ptr ds:_LegalAttributeCharEnd[eax], cx
		jz	short loc_9E2703
		add	eax, 2
		cmp	eax, 14h
		jb	short loc_9E26F0
		jmp	short loc_9E2705
; 

loc_9E2703:				; CODE XREF: IsLegalAttributeChar2(x)+11j
		xor	dl, dl

loc_9E2705:				; CODE XREF: IsLegalAttributeChar2(x)+6j
					; IsLegalAttributeChar2(x)+1Bj
		mov	al, dl
		retn
_IsLegalAttributeChar2@4 endp


;  S U B	R O U T	I N E 


; int __fastcall IsLegalAttributeChar(wint_t)
_IsLegalAttributeChar@4	proc near	; CODE XREF: GetAttributeName(x,x,x)+48p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		mov	ecx, 0FFh
		mov	al, bl
		cmp	si, cx
		ja	short loc_9E273E
		push	esi		; wint_t
		call	_iswalnum
		pop	ecx
		test	eax, eax
		jnz	short loc_9E273C
		mov	al, bl

loc_9E2729:				; CODE XREF: IsLegalAttributeChar(x)+30j
		cmp	word ptr ds:_LegalAttributeChar[ebx], si
		jz	short loc_9E273C
		add	ebx, 2
		cmp	ebx, 0Ah
		jb	short loc_9E2729
		jmp	short loc_9E273E
; 

loc_9E273C:				; CODE XREF: IsLegalAttributeChar(x)+1Dj
					; IsLegalAttributeChar(x)+28j
		mov	al, 1

loc_9E273E:				; CODE XREF: IsLegalAttributeChar(x)+12j
					; IsLegalAttributeChar(x)+32j
		pop	esi
		pop	ebx
		retn
_IsLegalAttributeChar@4	endp


;  S U B	R O U T	I N E 


; __stdcall IsValueSizeFixed(x)
_IsValueSizeFixed@4 proc near		; CODE XREF: GetOperandValue(x,x,x,x,x,x,x,x,x)+152p
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+588p
		xor	eax, eax
		cmp	cl, 18h
		ja	short locret_9E2755
		jz	short locret_9E2755
		test	cl, cl
		jz	short locret_9E2755
		cmp	cl, 4
		ja	short locret_9E2755
		mov	al, 1

locret_9E2755:				; CODE XREF: IsValueSizeFixed(x)+5j
					; IsValueSizeFixed(x)+7j ...
		retn
_IsValueSizeFixed@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LocalGetConditionForString(x, x, x,	x, x, x, x, x, x)
_LocalGetConditionForString@36 proc near ; CODE	XREF: LocalGetAclForString+AE830p

var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_10D		= byte ptr -10Dh
var_10C		= dword	ptr -10Ch
var_107		= byte ptr -107h
var_106		= byte ptr -106h
var_105		= dword	ptr -105h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 138h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_130], edx
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+var_11C], ecx
		mov	ebx, edx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_118], eax
		mov	[ebp+var_10C], ecx
		mov	[ebp+var_12C], edx
		mov	[ebp+var_128], edx
		mov	[ebp+var_114], edx
		mov	[ebp+var_120], edx
		mov	[ebp+var_10D], dl
		mov	[ebp+var_107], dl
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, edx
		test	eax, eax
		jz	loc_9E2E61
		cmp	[ebp+var_130], edx
		jz	loc_9E2E61
		mov	edx, [ebp+var_11C]
		test	edx, edx
		jz	loc_9E2E61
		test	ecx, ecx
		jz	loc_9E2E61
		and	[edx], ebx
		xor	edx, edx
		mov	[ecx], edx
		mov	edx, eax
		lea	ecx, [edx+2]

loc_9E27EF:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+A6j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_12C]
		jnz	short loc_9E27EF
		sub	edx, ecx
		sar	edx, 1
		cmp	edx, 3
		jnb	short loc_9E2817

loc_9E2807:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+CBj
		mov	ebx, [ebp+var_10C]
		mov	esi, 538h
		jmp	loc_9E2DEC
; 

loc_9E2817:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+AFj
		mov	eax, [ebp+var_118]
		cmp	word ptr [eax],	28h
		jnz	short loc_9E2807
		mov	ecx, [ebp+var_10C]
		push	ecx
		xor	ecx, ecx
		inc	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_9E2840

loc_9E2836:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+100j
		mov	esi, 216h
		jmp	loc_9E2DDD
; 

loc_9E2840:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+DEj
		mov	ecx, [ebp+var_10C]
		push	2
		pop	edx
		mov	eax, [ecx]
		mul	edx
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_9E2836
		push	ecx
		mov	ecx, [ecx]
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	ecx, [ebp+var_11C]
		mov	[ecx], eax
		test	eax, eax
		jnz	short loc_9E2874
		push	8
		pop	esi
		jmp	loc_9E2DCE
; 

loc_9E2874:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+114j
		mov	dword ptr [eax], 78747261h
		mov	eax, [ebp+var_118]
		mov	[ebp+var_124], 4
		movzx	eax, word ptr [eax]
		test	ax, ax
		jz	loc_9E2DB2
		mov	ecx, eax

loc_9E2898:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+629j
		push	ecx		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E28AB
		push	2
		pop	eax
		jmp	loc_9E2D69
; 

loc_9E28AB:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+14Bj
		cmp	edi, 0FFh
		jz	loc_9E2E57
		mov	ecx, [ebp+var_118]
		lea	edx, [ebp+var_128]
		call	_GetConditionToken@8 ; GetConditionToken(x,x)
		mov	[ebp+var_106], al
		test	al, al
		jz	loc_9E2B65
		cmp	al, 0FEh
		jnz	short loc_9E28FD
		cmp	ebx, 3
		jz	short loc_9E28EC
		cmp	ebx, 1
		jz	short loc_9E28EC
		test	ebx, ebx
		jnz	loc_9E2D96

loc_9E28EC:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+187j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+18Cj
		mov	byte ptr [ebp+edi+var_105+1], 0FEh
		xor	ebx, ebx
		inc	edi
		inc	ebx
		jmp	loc_9E2D61
; 

loc_9E28FD:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+182j
		cmp	al, 0FFh
		jnz	loc_9E29C9
		test	edi, edi
		jz	loc_9E2D96
		cmp	ebx, 3
		jz	loc_9E2D96
		cmp	ebx, 1
		jz	loc_9E2D96
		lea	ebx, [ebp+var_105+1]
		mov	ch, [ebx+edi-1]
		cmp	ch, 0FEh
		mov	[ebp+var_106], ch
		setz	[ebp+var_10D]

loc_9E2939:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+222j
		mov	al, byte ptr [ebp+edi+var_105]
		dec	edi
		mov	byte ptr [ebp+var_105],	al
		cmp	al, 0FEh
		jz	short loc_9E2987
		mov	edx, [ebp+var_10C]
		lea	eax, [ebp+var_105]
		mov	ecx, [ebp+var_11C]
		push	1		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_124]
		push	eax		; int
		call	_AppendCondition@20 ; AppendCondition(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_9E2DCE
		test	edi, edi
		jnz	short loc_9E2939
		cmp	byte ptr [ebp+var_105],	0FEh
		jnz	loc_9E2D96

loc_9E2987:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+1F3j
		test	edi, edi
		jz	loc_9E2D9D
		mov	cl, [ebx+edi-1]
		call	_GetOperatorIndexByToken@4 ; GetOperatorIndexByToken(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9E29BF
		cmp	[ebp+var_106], 0FEh
		jz	short loc_9E29BF
		imul	eax, 14h
		cmp	ds:byte_403FE7[eax], 0
		jz	short loc_9E29BF
		cmp	ds:byte_403FDC[eax], 0A2h
		jnz	loc_9E2D96

loc_9E29BF:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+245j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+24Ej ...
		push	2
		pop	eax
		mov	ebx, eax
		jmp	loc_9E2D61
; 

loc_9E29C9:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+1A9j
		mov	cl, al
		call	_GetOperatorIndexByToken@4 ; GetOperatorIndexByToken(x)
		imul	eax, 14h
		mov	[ebp+var_134], eax
		cmp	ds:byte_403FE6[eax], 0
		mov	ecx, ds:dword_403FE0[eax]
		mov	[ebp+var_138], ecx
		jz	short loc_9E2A0B
		cmp	ebx, 4
		jz	short loc_9E2A0B
		push	2
		pop	ecx
		cmp	ebx, ecx
		jnz	loc_9E2D96
		cmp	[ebp+var_10D], 0
		jz	loc_9E2D96

loc_9E2A0B:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+296j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+29Bj
		mov	cl, ds:byte_403FE4[eax]
		mov	byte ptr [ebp+var_105],	cl
		test	cl, cl
		jz	short loc_9E2A4F
		test	ebx, ebx
		jz	short loc_9E2A4F
		cmp	ebx, 1
		jz	short loc_9E2A4F
		cmp	ebx, 3
		jnz	loc_9E2D96
		mov	cl, byte ptr [ebp+edi+var_105]
		call	_GetOperatorIndexByToken@4 ; GetOperatorIndexByToken(x)
		imul	eax, 14h
		cmp	ds:byte_403FE7[eax], 0
		jnz	loc_9E2D96
		mov	eax, [ebp+var_134]

loc_9E2A4F:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+2C3j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+2C7j ...
		mov	ch, ds:byte_403FE7[eax]
		test	ch, ch
		jnz	short loc_9E2A73
		cmp	ebx, 1
		jz	loc_9E2D96
		cmp	ebx, 3
		jz	loc_9E2D96
		test	ebx, ebx
		jz	loc_9E2D96

loc_9E2A73:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+301j
		mov	eax, [ebp+var_114]
		cmp	eax, 4
		jz	loc_9E2D96
		cmp	eax, 5
		jz	loc_9E2D96
		test	edi, edi
		jz	short loc_9E2AD0
		test	ch, ch
		jz	short loc_9E2AD0
		lea	ebx, [edi-1]
		test	ebx, ebx
		js	short loc_9E2AD0

loc_9E2A9A:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+358j
		mov	cl, byte ptr [ebp+ebx+var_105+1]
		call	_GetOperatorIndexByToken@4 ; GetOperatorIndexByToken(x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9E2AB2
		sub	ebx, 1
		jns	short loc_9E2A9A
		jmp	short loc_9E2AD0
; 

loc_9E2AB2:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+353j
		call	_GetOperatorIndexByToken@4 ; GetOperatorIndexByToken(x)
		imul	eax, 14h
		cmp	ds:byte_403FE7[eax], 0
		jz	short loc_9E2AD0
		cmp	ds:byte_403FDC[eax], 0A2h
		jnz	loc_9E2D96

loc_9E2AD0:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+337j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+33Bj ...
		cmp	byte ptr [ebp+var_105],	0
		jnz	short loc_9E2AE9
		test	ch, ch
		jz	short loc_9E2AE9
		mov	[ebp+var_114], 5
		jmp	short loc_9E2AF1
; 

loc_9E2AE9:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+381j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+385j
		xor	eax, eax
		mov	[ebp+var_114], eax

loc_9E2AF1:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+391j
		test	edi, edi
		jz	short loc_9E2B5D
		mov	ebx, [ebp+var_138]

loc_9E2AFB:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+3F5j
		mov	cl, byte ptr [ebp+edi+var_105]
		cmp	cl, 0FEh
		jz	short loc_9E2B4F
		mov	byte ptr [ebp+var_105],	cl
		call	_GetOperatorIndexByToken@4 ; GetOperatorIndexByToken(x)
		imul	eax, 14h
		cmp	ebx, ds:dword_403FE0[eax]
		jg	short loc_9E2B4F
		mov	edx, [ebp+var_10C]
		lea	eax, [ebp+var_105]
		mov	ecx, [ebp+var_11C]
		dec	edi
		push	1		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_124]
		push	eax		; int
		call	_AppendCondition@20 ; AppendCondition(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_9E2DCE
		test	edi, edi
		jnz	short loc_9E2AFB
		jmp	short loc_9E2B5D
; 

loc_9E2B4F:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+3AFj
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+3C5j
		mov	al, [ebp+var_106]
		mov	byte ptr [ebp+edi+var_105+1], al
		inc	edi

loc_9E2B5D:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+39Dj
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+3F7j
		push	3
		pop	ebx
		jmp	loc_9E2D61
; 

loc_9E2B65:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+17Aj
		cmp	ebx, 3
		jz	short loc_9E2B77
		test	ebx, ebx
		jz	short loc_9E2B77
		cmp	ebx, 1
		jnz	loc_9E2D96

loc_9E2B77:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+412j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+416j
		mov	ebx, [ebp+var_114]
		cmp	ebx, 3
		jz	loc_9E2D96
		test	ebx, ebx
		jnz	loc_9E2C15
		push	5
		pop	ebx
		mov	[ebp+var_114], ebx
		test	edi, edi
		jz	short loc_9E2C0C
		lea	esi, [edi-1]
		test	esi, esi
		js	short loc_9E2C0C

loc_9E2BA2:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+460j
		mov	cl, byte ptr [ebp+esi+var_105+1]
		call	_GetOperatorIndexByToken@4 ; GetOperatorIndexByToken(x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9E2BBA
		sub	esi, 1
		jns	short loc_9E2BA2
		jmp	short loc_9E2C08
; 

loc_9E2BBA:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+45Bj
		imul	ecx, eax, 14h
		mov	al, ds:byte_403FDC[ecx]
		cmp	al, 89h
		jz	short loc_9E2BF0
		cmp	al, 8Ah
		jz	short loc_9E2BF0
		cmp	al, 8Bh
		jz	short loc_9E2BF0
		cmp	al, 8Ch
		jz	short loc_9E2BF0
		cmp	al, 90h
		jz	short loc_9E2BF0
		cmp	al, 91h
		jz	short loc_9E2BF0
		cmp	al, 92h
		jz	short loc_9E2BF0
		cmp	al, 93h
		jz	short loc_9E2BF0
		cmp	ds:byte_403FE5[ecx], 0
		jz	short loc_9E2BF9
		push	4
		jmp	short loc_9E2BF2
; 

loc_9E2BF0:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+46Fj
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+473j ...
		push	5

loc_9E2BF2:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+498j
		pop	ebx
		mov	[ebp+var_114], ebx

loc_9E2BF9:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+494j
		cmp	al, 87h
		jz	short loc_9E2C01
		cmp	al, 8Dh
		jnz	short loc_9E2C08

loc_9E2C01:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+4A5j
		mov	[ebp+var_107], 1

loc_9E2C08:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+462j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+4A9j
		test	esi, esi
		jns	short loc_9E2C15

loc_9E2C0C:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+443j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+44Aj
		push	4
		pop	ebx
		mov	[ebp+var_114], ebx

loc_9E2C15:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+432j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+4B4j
		mov	edx, [ebp+var_114]
		cmp	edx, 3
		jnz	short loc_9E2C3F
		test	edi, edi
		jz	short loc_9E2C3F
		mov	cl, byte ptr [ebp+edi+var_105]
		call	_IsArrayType@4	; IsArrayType(x)
		test	al, al
		jz	short loc_9E2C3F
		mov	byte ptr [ebp+var_12C],	1
		xor	eax, eax
		jmp	short loc_9E2C47
; 

loc_9E2C3F:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+4C8j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+4CCj ...
		xor	eax, eax
		mov	byte ptr [ebp+var_12C],	al

loc_9E2C47:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+4E7j
		mov	ecx, [ebp+var_118]
		cmp	edx, 4
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_128]
		setz	dl
		push	eax
		lea	eax, [ebp+var_120]
		push	eax
		push	[ebp+var_12C]
		call	_GetOperandValue@36 ; GetOperandValue(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_9E2DCE
		cmp	[ebp+var_107], al
		jz	short loc_9E2CA9
		mov	[ebp+var_107], al
		mov	eax, [ebp+var_120]
		mov	al, [eax+1]
		cmp	al, 0F9h
		jz	loc_9E2D96
		cmp	al, 0FBh
		jz	loc_9E2D96
		cmp	al, 0FCh
		jz	loc_9E2D96

loc_9E2CA9:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+52Aj
		mov	eax, [ebp+var_120]
		mov	edx, [ebp+var_10C]
		inc	eax
		mov	ecx, [ebp+var_11C]
		push	1		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_124]
		push	eax		; int
		call	_AppendCondition@20 ; AppendCondition(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_9E2DCE
		mov	edx, [ebp+var_120]
		mov	cl, [edx+1]
		call	_IsValueSizeFixed@4 ; IsValueSizeFixed(x)
		test	al, al
		jnz	short loc_9E2D15
		mov	ecx, [ebp+var_11C]
		lea	eax, [edx+4]
		mov	edx, [ebp+var_10C]
		push	4		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_124]
		push	eax		; int
		call	_AppendCondition@20 ; AppendCondition(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_9E2DCE
		mov	edx, [ebp+var_120]

loc_9E2D15:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+58Fj
		mov	eax, [edx+4]
		test	eax, eax
		jz	short loc_9E2D48
		mov	ecx, [ebp+var_11C]
		push	eax		; size_t
		push	dword ptr [edx+8] ; void *
		mov	edx, [ebp+var_10C]
		lea	eax, [ebp+var_124]
		push	eax		; int
		call	_AppendCondition@20 ; AppendCondition(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_9E2DCE
		mov	edx, [ebp+var_120]

loc_9E2D48:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+5C4j
		mov	ecx, edx
		call	_FreeOperandValue@4 ; FreeOperandValue(x)
		xor	eax, eax
		mov	[ebp+var_114], 3
		mov	[ebp+var_120], eax

loc_9E2D61:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+1A2j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+26Ej ...
		mov	eax, [ebp+var_128]
		add	eax, eax

loc_9E2D69:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+150j
		mov	ecx, [ebp+var_118]
		add	ecx, eax
		mov	[ebp+var_118], ecx
		movzx	eax, word ptr [ecx]
		mov	ecx, eax
		test	ax, ax
		jnz	loc_9E2898
		mov	eax, [ebp+var_118]
		mov	[ebp+var_118], eax
		jmp	loc_9E2E44
; 

loc_9E2D96:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+190j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+1B1j ...
		mov	esi, 538h
		jmp	short loc_9E2DCE
; 

loc_9E2D9D:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+233j
		mov	ecx, [ebp+var_118]
		mov	eax, [ebp+var_128]
		lea	ecx, [ecx+eax*2]
		mov	[ebp+var_118], ecx

loc_9E2DB2:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+13Aj
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+6F2j ...
		mov	ecx, [ebp+var_10C]
		mov	eax, [ebp+var_124]
		mov	[ecx], eax
		mov	ecx, [ebp+var_130]
		mov	eax, [ebp+var_118]
		mov	[ecx], eax

loc_9E2DCE:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+119j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+21Aj ...
		mov	ecx, [ebp+var_120]
		test	ecx, ecx
		jz	short loc_9E2DDD
		call	_FreeOperandValue@4 ; FreeOperandValue(x)

loc_9E2DDD:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+E5j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+680j
		mov	ebx, [ebp+var_10C]
		cmp	dword ptr [ebx], 4
		jz	short loc_9E2DEC
		test	esi, esi
		jz	short loc_9E2E07

loc_9E2DEC:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+BCj
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+690j
		mov	edi, [ebp+var_11C]
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_9E2E07
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[edi], eax
		mov	[ebx], eax

loc_9E2E07:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+694j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+6A0j
		mov	eax, esi
		jmp	short loc_9E2E64
; 

loc_9E2E0B:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+6F0j
		mov	al, byte ptr [ebp+edi+var_105]
		dec	edi
		mov	byte ptr [ebp+var_105],	al
		cmp	al, 0FEh
		jz	short loc_9E2E4D
		mov	edx, [ebp+var_10C]
		lea	eax, [ebp+var_105]
		mov	ecx, [ebp+var_11C]
		push	1		; size_t
		push	eax		; void *
		lea	eax, [ebp+var_124]
		push	eax		; int
		call	_AppendCondition@20 ; AppendCondition(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9E2DCE

loc_9E2E44:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+63Bj
		test	edi, edi
		jnz	short loc_9E2E0B
		jmp	loc_9E2DB2
; 

loc_9E2E4D:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+6C5j
		mov	esi, 538h
		jmp	loc_9E2DB2
; 

loc_9E2E57:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+15Bj
		mov	esi, 3E9h
		jmp	loc_9E2DCE
; 

loc_9E2E61:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+66j
					; LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+72j ...
		push	57h
		pop	eax

loc_9E2E64:				; CODE XREF: LocalGetConditionForString(x,x,x,x,x,x,x,x,x)+6B3j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
_LocalGetConditionForString@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LocalGetRelativeAttributeForString(x, x, x,	x, x, x, x, x)
_LocalGetRelativeAttributeForString@32 proc near ; CODE	XREF: LocalGetAclForString+AE811p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= word ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		mov	eax, edx
		mov	[ebp+var_10], 14h
		xor	edx, edx
		mov	[ebp+var_44], eax
		mov	[ebp+var_14], edx
		mov	ebx, edx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_2], dl
		mov	byte ptr [ebp+var_1], dl
		mov	[ebp+var_3], dl
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], edx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_28], edi
		test	ecx, ecx
		jz	loc_9E3BE0
		test	eax, eax
		jz	loc_9E3BE0
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_9E3BE0
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	loc_9E3BE0
		cmp	word ptr [ecx],	28h
		mov	[eax], ebx
		mov	[edx], ebx
		jz	short loc_9E2EF0

loc_9E2EE6:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+B0j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+F3j ...
		mov	esi, 538h
		jmp	loc_9E2FE5
; 

loc_9E2EF0:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+6Fj
		lea	esi, [ecx+2]
		movzx	eax, word ptr [esi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		push	2
		pop	ecx
		test	eax, eax
		jz	short loc_9E2F1C
		push	ecx
		pop	edi

loc_9E2F06:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+9Fj
		add	esi, edi
		movzx	eax, word ptr [esi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E2F06
		mov	edi, [ebp+var_28]
		push	2
		pop	ecx

loc_9E2F1C:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+8Dj
		push	22h
		pop	eax
		mov	[ebp+var_38], eax
		cmp	[esi], ax
		jnz	short loc_9E2EE6
		add	esi, ecx
		mov	ebx, esi

loc_9E2F2B:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+E1j
		movzx	ecx, word ptr [ebx]
		call	_IsLegalAttributeChar2@4 ; IsLegalAttributeChar2(x)
		test	al, al
		jz	short loc_9E2F62
		test	cx, cx
		jz	short loc_9E2F62
		push	2
		pop	eax
		add	ebx, eax
		xor	edx, edx
		lea	eax, [ebp+var_28]
		inc	edx
		push	eax
		mov	ecx, edi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_9E2F58
		mov	edi, [ebp+var_28]
		jmp	short loc_9E2F2B
; 

loc_9E2F58:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+DCj
		mov	esi, 216h
		jmp	loc_9E2FE5
; 

loc_9E2F62:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+C0j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+C5j
		push	22h
		pop	eax
		cmp	cx, ax
		jnz	loc_9E2EE6
		test	edi, edi
		jz	loc_9E2EE6
		lea	eax, [ebp+var_30]
		mov	ecx, esi
		push	eax
		lea	edx, [edi+edi]
		call	_DecodeAttributeName@12	; DecodeAttributeName(x,x,x)
		mov	esi, eax
		xor	edi, edi
		test	esi, esi
		jnz	loc_9E3BD8
		mov	edx, [ebp+var_30]
		lea	ecx, [edx+2]

loc_9E2F96:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+12Aj
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, di
		jnz	short loc_9E2F96
		sub	edx, ecx
		sar	edx, 1
		lea	eax, ds:2[edx*2]
		lea	edx, [ebp+var_10]
		mov	[ebp+var_40], eax
		push	edx
		push	14h
		mov	edx, eax
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_9E2FEE
		mov	esi, 216h

loc_9E2FC6:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+1A8j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+1CCj ...
		mov	ebx, edi

loc_9E2FC8:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+22Cj
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+D66j
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_9E2FD6
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E2FD6:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+158j
		test	esi, esi
		jz	short loc_9E2FE5
		test	ebx, ebx
		jz	short loc_9E2FE5
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E2FE5:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+76j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+E8j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_9E2FEE:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+14Aj
		lea	esi, [ebx+2]
		movzx	eax, word ptr [esi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		push	2
		pop	ebx

loc_9E2FFE:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+199j
		test	eax, eax
		jz	short loc_9E3010
		add	esi, ebx
		movzx	eax, word ptr [esi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		jmp	short loc_9E2FFE
; 

loc_9E3010:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+18Bj
		push	2Ch
		pop	eax
		cmp	[esi], ax
		jz	short loc_9E301F

loc_9E3018:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+1E9j
		mov	esi, 538h
		jmp	short loc_9E2FC6
; 

loc_9E301F:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+1A1j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+1B8j
		add	esi, ebx
		movzx	eax, word ptr [esi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E301F
		lea	eax, [ebp+var_2C]
		mov	ecx, esi	; wchar_t *
		push	eax		; int
		lea	edx, [ebp+var_14] ; int
		call	_GetValueType@12 ; GetValueType(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9E2FC6
		mov	esi, [ebp+var_14]
		jmp	short loc_9E304A
; 

loc_9E3048:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+1E1j
		add	esi, ebx

loc_9E304A:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+1D1j
		movzx	eax, word ptr [esi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E3048
		push	2Ch
		pop	eax
		cmp	[esi], ax
		jnz	short loc_9E3018

loc_9E3060:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+1F9j
		add	esi, ebx
		movzx	eax, word ptr [esi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E3060
		lea	eax, [ebp+var_34]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_14]
		call	_GetFlags@12	; GetFlags(x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jnz	loc_9E2FC6
		test	[ebp+var_34], 0FFC0h
		mov	edi, [ebp+var_14]
		jz	short loc_9E30A8

loc_9E3097:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+247j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+287j ...
		mov	esi, 538h

loc_9E309C:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+2F3j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+3C4j ...
		mov	ebx, [ebp+var_8]

loc_9E309F:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+9ACj
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+D5Ej ...
		xor	edi, edi
		jmp	loc_9E2FC8
; 

loc_9E30A6:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+23Fj
		add	edi, ebx

loc_9E30A8:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+220j
		movzx	eax, word ptr [edi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E30A6
		push	2Ch
		pop	eax
		cmp	[edi], ax
		jnz	short loc_9E3097
		mov	eax, [ebp+var_2C]
		add	edi, ebx
		movzx	eax, ax
		mov	ebx, edi
		mov	[ebp+var_28], edi
		sub	eax, 1
		jz	loc_9E35A9
		sub	eax, 1
		jz	loc_9E34AA
		sub	eax, 1
		jz	loc_9E336C
		dec	eax
		sub	eax, 1
		jz	loc_9E31E7
		sub	eax, 1
		jz	loc_9E34AA
		sub	eax, 0Ah
		jnz	short loc_9E3097
		and	[ebp+var_C], eax
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		push	29h
		pop	edx
		test	ax, ax
		jz	loc_9E32EC

loc_9E3112:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+367j
		push	ecx		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E3133
		push	2
		pop	esi

loc_9E3120:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+2B9j
		add	ebx, esi
		movzx	eax, word ptr [ebx]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E3120
		mov	esi, [ebp+var_1C]

loc_9E3133:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+2A6j
		and	[ebp+var_C], 0

loc_9E3137:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+2ECj
		movzx	eax, word ptr [ebx]
		lea	edx, [ebp-4]
		mov	ecx, eax
		mov	dword ptr [ebp+var_3C],	eax
		call	_GetDigitFromChar@8 ; GetDigitFromChar(x,x)
		test	al, al
		jz	short loc_9E316D
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		push	2
		pop	eax
		add	ebx, eax
		inc	edx
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_9E3137

loc_9E3163:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+311j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+326j ...
		mov	esi, 216h
		jmp	loc_9E309C
; 

loc_9E316D:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+2D4j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_10]
		inc	[ebp+var_18]
		push	eax
		lea	edx, [edx+1]
		shr	edx, 1
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_9E3163
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_10]
		push	eax
		push	4
		pop	eax
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_9E3163
		push	dword ptr [ebp+var_3C] ; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E31C0
		push	2
		pop	esi

loc_9E31AD:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+346j
		add	ebx, esi
		movzx	eax, word ptr [ebx]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E31AD
		mov	esi, [ebp+var_1C]

loc_9E31C0:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+333j
		movzx	eax, word ptr [ebx]
		push	2Ch
		pop	ecx
		cmp	ax, cx
		jnz	loc_9E32DE
		push	2
		pop	eax
		add	ebx, eax
		movzx	eax, word ptr [ebx]
		mov	ecx, eax
		test	ax, ax
		jnz	loc_9E3112
		jmp	loc_9E3097
; 

loc_9E31E7:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+275j
		movzx	eax, word ptr [edi]
		and	[ebp+var_C], 0
		mov	ecx, eax
		push	29h
		pop	edx
		test	ax, ax
		jz	loc_9E32EC

loc_9E31FC:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+45Ej
		push	ecx		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E321D
		push	2
		pop	edi

loc_9E320A:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+3A3j
		add	ebx, edi
		movzx	eax, word ptr [ebx]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E320A
		mov	edi, [ebp+var_28]

loc_9E321D:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+390j
		sub	esp, 10h
		lea	eax, [ebp+var_2]
		lea	edx, [ebp+var_24]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	LocalGetSidForString
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jnz	loc_9E309C
		cmp	[ebp+var_24], eax
		jz	loc_9E309C
		mov	ebx, [ebp+var_14]
		lea	eax, [ebp+var_10]
		inc	[ebp+var_18]
		push	eax
		push	[ebp+var_24]
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	ecx, [ebp+var_10]
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9E3163
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_10]
		push	eax
		push	4
		pop	eax
		mov	edx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9E3163
		cmp	[ebp+var_2], 0
		jz	short loc_9E3297
		push	esi
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_24], esi

loc_9E3297:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+414j
		movzx	eax, word ptr [ebx]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E32BB
		push	2
		pop	esi

loc_9E32A8:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+441j
		add	ebx, esi
		movzx	eax, word ptr [ebx]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E32A8
		mov	esi, [ebp+var_1C]

loc_9E32BB:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+42Ej
		movzx	eax, word ptr [ebx]
		push	2Ch
		pop	ecx
		cmp	ax, cx
		jnz	short loc_9E32DE
		push	2
		pop	eax
		add	ebx, eax
		movzx	eax, word ptr [ebx]
		mov	ecx, eax
		test	ax, ax
		jnz	loc_9E31FC
		jmp	loc_9E3097
; 

loc_9E32DE:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+354j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+44Fj
		push	29h
		pop	edx
		mov	ecx, eax
		cmp	ax, dx
		jnz	loc_9E3097

loc_9E32EC:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+297j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+381j
		cmp	cx, dx
		jnz	loc_9E3097

loc_9E32F5:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+62Aj
		mov	ebx, [ebp+var_18]

loc_9E32F8:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+729j
		push	4
		pop	ecx
		lea	eax, [ebx-1]
		mul	ecx
		lea	ecx, [ebp+var_C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_9E3163
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_10]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9E3163
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_10]
		push	eax
		push	3
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_9E3344
		mov	esi, 216h
		mov	[ebp+var_1C], esi

loc_9E3344:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+4C5j
		mov	eax, [ebp+var_10]
		and	eax, 0FFFFFFFCh
		push	ecx
		mov	ecx, eax
		mov	dword ptr [ebp+var_3C],	eax
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		jnz	loc_9E3645
		push	8
		pop	eax
		mov	esi, eax
		jmp	loc_9E309C
; 

loc_9E336C:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+26Bj
		movzx	eax, word ptr [edi]
		and	[ebp+var_C], 0
		mov	ecx, eax
		push	29h
		pop	edx
		test	ax, ax
		jz	loc_9E346B

loc_9E3381:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+5DDj
		push	ecx		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E33A2
		push	2
		pop	esi

loc_9E338F:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+528j
		add	ebx, esi
		movzx	eax, word ptr [ebx]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E338F
		mov	esi, [ebp+var_1C]

loc_9E33A2:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+515j
		push	22h
		pop	ecx
		cmp	[ebx], cx
		jnz	loc_9E3097
		push	2
		pop	edx
		add	ebx, edx
		movzx	eax, word ptr [ebx]
		cmp	ax, cx
		jz	short loc_9E33EB
		mov	ecx, eax

loc_9E33BD:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+574j
		test	cx, cx
		jz	short loc_9E33EB
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_C]
		add	ebx, edx
		xor	edx, edx
		push	eax
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9E3163
		movzx	eax, word ptr [ebx]
		push	22h
		pop	edx
		push	2
		cmp	ax, dx
		mov	ecx, eax
		pop	edx
		jnz	short loc_9E33BD

loc_9E33EB:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+544j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+54Bj
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9E3163
		push	22h
		pop	eax
		cmp	[ebx], ax
		jnz	loc_9E3097
		push	2
		pop	eax
		add	ebx, eax
		inc	[ebp+var_18]
		movzx	eax, word ptr [ebx]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E343A
		push	2
		pop	esi

loc_9E3427:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+5C0j
		add	ebx, esi
		movzx	eax, word ptr [ebx]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E3427
		mov	esi, [ebp+var_1C]

loc_9E343A:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+5ADj
		movzx	eax, word ptr [ebx]
		push	2Ch
		pop	ecx
		cmp	ax, cx
		jnz	short loc_9E345D
		push	2
		pop	eax
		add	ebx, eax
		movzx	eax, word ptr [ebx]
		mov	ecx, eax
		test	ax, ax
		jnz	loc_9E3381
		jmp	loc_9E3097
; 

loc_9E345D:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+5CEj
		push	29h
		pop	edx
		mov	ecx, eax
		cmp	ax, dx
		jnz	loc_9E3097

loc_9E346B:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+506j
		cmp	cx, dx
		jnz	loc_9E3097
		mov	eax, [ebp+var_C]
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_9E3163
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_10]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	loc_9E32F5
		jmp	loc_9E3163
; 

loc_9E34AA:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+262j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+27Ej
		movzx	eax, word ptr [edi]
		and	[ebp+var_C], 0
		mov	ecx, eax
		push	29h
		pop	edx
		test	ax, ax
		jz	loc_9E3568
		xor	ecx, ecx

loc_9E34C1:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+6DAj
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20], ecx
		push	eax
		push	1
		push	ecx
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		push	ecx
		call	_wcstoxq
		mov	ecx, eax
		add	esp, 18h
		mov	eax, [ebp+var_14]
		cmp	eax, ebx
		jnz	short loc_9E34EF
		mov	eax, ecx
		or	eax, edx
		jz	loc_9E3097
		mov	eax, [ebp+var_14]

loc_9E34EF:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+66Bj
		cmp	[ebp+var_20], 0
		jnz	loc_9E3163
		cmp	word ptr [ebp+var_2C], 6
		jnz	short loc_9E3511
		cmp	ecx, 1
		jnz	short loc_9E3509
		test	edx, edx
		jz	short loc_9E3511

loc_9E3509:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+68Ej
		or	ecx, edx
		jnz	loc_9E3097

loc_9E3511:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+689j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+692j
		inc	[ebp+var_18]
		mov	ebx, eax
		movzx	eax, word ptr [eax]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E353A
		push	2
		pop	esi

loc_9E3527:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+6C0j
		add	ebx, esi
		movzx	eax, word ptr [ebx]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E3527
		mov	esi, [ebp+var_1C]

loc_9E353A:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+6ADj
		movzx	eax, word ptr [ebx]
		push	2Ch
		pop	ecx
		cmp	ax, cx
		jnz	short loc_9E355A
		push	2
		pop	eax
		add	ebx, eax
		xor	ecx, ecx
		cmp	[ebx], cx
		jnz	loc_9E34C1
		jmp	loc_9E3097
; 

loc_9E355A:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+6CEj
		push	29h
		pop	edx
		mov	ecx, eax
		cmp	ax, dx
		jnz	loc_9E3097

loc_9E3568:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+644j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+744j ...
		cmp	cx, dx
		jnz	loc_9E3097
		mov	ebx, [ebp+var_18]
		mov	eax, ebx
		push	8
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_9E3163
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_10]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	loc_9E32F8
		jmp	loc_9E3163
; 

loc_9E35A9:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+259j
		xor	eax, eax
		mov	[ebp+var_C], eax
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		push	29h
		pop	edx
		test	ax, ax
		jz	short loc_9E3568
		xor	ecx, ecx

loc_9E35BD:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+7B6j
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20], ecx
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		push	ecx
		call	_wcstoxq
		mov	ecx, [ebp+var_14]
		add	esp, 18h
		cmp	ecx, ebx
		jnz	short loc_9E35E3
		or	eax, edx
		jz	loc_9E3097

loc_9E35E3:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+764j
		cmp	[ebp+var_20], 0
		jnz	loc_9E3163
		movzx	eax, word ptr [ecx]
		mov	ebx, ecx
		inc	[ebp+var_18]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E3616
		push	2
		pop	esi

loc_9E3603:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+79Cj
		add	ebx, esi
		movzx	eax, word ptr [ebx]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E3603
		mov	esi, [ebp+var_1C]

loc_9E3616:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+789j
		movzx	eax, word ptr [ebx]
		push	2Ch
		pop	ecx
		cmp	ax, cx
		jnz	short loc_9E3632
		push	2
		pop	eax
		add	ebx, eax
		xor	ecx, ecx
		cmp	[ebx], cx
		jnz	short loc_9E35BD
		jmp	loc_9E3097
; 

loc_9E3632:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+7AAj
		push	29h
		pop	edx
		mov	ecx, eax
		cmp	ax, dx
		jz	loc_9E3568
		jmp	loc_9E3097
; 

loc_9E3645:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+4E7j
		mov	eax, [ebp+var_2C]
		mov	ecx, [ebp+var_40]
		mov	[edx+4], ax
		xor	eax, eax
		mov	[edx+6], ax
		mov	eax, [ebp+var_34]
		mov	[edx+8], eax
		mov	eax, [ebp+var_18]
		push	ecx		; size_t
		push	[ebp+var_30]	; void *
		mov	[edx+0Ch], eax
		lea	ebx, ds:10h[eax*4]
		lea	eax, [ebx+edx]
		mov	[edx], ebx
		add	ebx, ecx
		push	eax		; void *
		mov	[ebp+var_10], ebx
		call	_memcpy
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		mov	ecx, [ebp+var_2C]
		lea	eax, [ebx+edx]
		mov	[ebp+var_18], eax
		movzx	eax, cx
		sub	eax, 1
		jz	loc_9E3AF3
		sub	eax, 1
		jz	loc_9E3A41
		sub	eax, 1
		jz	loc_9E3920
		push	2
		pop	ecx
		sub	eax, ecx
		jz	loc_9E3837
		sub	eax, 1
		jz	loc_9E3A41
		sub	eax, 0Ah
		jnz	loc_9E3097
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jz	loc_9E3826
		lea	eax, [edx+10h]
		mov	[ebp+var_34], eax

loc_9E36DA:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+995j
		push	ecx		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E36FB
		push	2
		pop	esi

loc_9E36E8:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+881j
		add	edi, esi
		movzx	eax, word ptr [edi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E36E8
		mov	[ebp+var_28], edi

loc_9E36FB:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+86Ej
		xor	eax, eax
		mov	ebx, edi
		mov	esi, eax
		mov	edi, eax

loc_9E3703:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+8A5j
		mov	cx, [ebx]
		lea	edx, [ebp-4]
		call	_GetDigitFromChar@8 ; GetDigitFromChar(x,x)
		test	al, al
		jz	short loc_9E371C
		push	2
		pop	eax
		add	ebx, eax
		inc	esi
		mov	edi, esi
		jmp	short loc_9E3703
; 

loc_9E371C:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+89Bj
		mov	eax, [ebp+var_34]
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+var_18]
		mov	esi, [ebp+var_1C]
		mov	[eax], ecx
		push	4
		pop	eax
		add	ecx, eax
		mov	[ebp+var_24], ebx
		lea	eax, [edi+1]
		add	ebx, 0FFFFFFFEh
		mov	edi, [ebp+var_28]
		shr	eax, 1
		mov	[edx], eax
		mov	edx, [ebp+var_8]
		add	edx, ecx
		add	ecx, eax
		mov	[ebp+var_40], edx
		mov	[ebp+var_10], ecx
		cmp	ebx, edi
		jbe	short loc_9E3798
		dec	eax
		add	eax, edx
		mov	[ebp+var_2C], eax

loc_9E3756:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+921j
		mov	cx, [ebx]
		lea	edx, [ebp-1]
		call	_GetDigitFromChar@8 ; GetDigitFromChar(x,x)
		test	al, al
		jz	loc_9E3097
		mov	cx, [ebx-2]
		lea	edx, [ebp+var_3]
		call	_GetDigitFromChar@8 ; GetDigitFromChar(x,x)
		test	al, al
		jz	loc_9E3097
		mov	al, [ebp+var_3]
		mov	ecx, [ebp+var_2C]
		shl	al, 4
		or	al, byte ptr [ebp+var_1]
		push	4
		mov	[ecx], al
		pop	eax
		sub	ebx, eax
		dec	ecx
		mov	[ebp+var_2C], ecx
		cmp	ebx, edi
		ja	short loc_9E3756

loc_9E3798:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+8D9j
		jnz	short loc_9E37B5
		mov	cx, [ebx]
		lea	edx, [ebp+var_1]
		call	_GetDigitFromChar@8 ; GetDigitFromChar(x,x)
		test	al, al
		jz	loc_9E3097
		mov	ecx, [ebp+var_40]
		mov	al, byte ptr [ebp+var_1]
		mov	[ecx], al

loc_9E37B5:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x):loc_9E3798j
		mov	eax, [ebp+var_10]
		mov	ebx, [ebp+var_8]
		add	eax, ebx
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_24]
		mov	edi, eax
		push	4
		pop	ecx
		add	[ebp+var_34], ecx
		movzx	eax, word ptr [eax]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E37EF
		push	2
		pop	ebx

loc_9E37DC:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+975j
		add	edi, ebx
		movzx	eax, word ptr [edi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E37DC
		mov	ebx, [ebp+var_8]

loc_9E37EF:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+962j
		movzx	eax, word ptr [edi]
		push	2Ch
		pop	ecx
		cmp	ax, cx
		jnz	short loc_9E3812
		push	2
		pop	eax
		add	edi, eax
		mov	[ebp+var_28], edi
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jnz	loc_9E36DA
		jmp	short loc_9E381C
; 

loc_9E3812:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+983j
		push	29h
		pop	edx
		mov	ecx, eax
		cmp	ax, dx
		jz	short loc_9E382C

loc_9E381C:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+99Bj
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+9C0j
		mov	esi, 538h
		jmp	loc_9E309F
; 

loc_9E3826:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+859j
		mov	ebx, [ebp+var_8]
		push	29h
		pop	edx

loc_9E382C:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+9A5j
		cmp	cx, dx
		jz	loc_9E3BBE
		jmp	short loc_9E381C
; 

loc_9E3837:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+839j
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jz	loc_9E3BAF
		lea	eax, [edx+10h]
		push	2
		mov	[ebp+var_34], eax
		pop	ebx

loc_9E384E:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+AA0j
		push	ecx
		jmp	short loc_9E3857
; 

loc_9E3851:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+9EAj
		add	edi, ebx
		movzx	eax, word ptr [edi]
		push	eax		; wint_t

loc_9E3857:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+9DAj
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E3851
		sub	esp, 10h
		lea	eax, [ebp-2]
		lea	edx, [ebp+var_24]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	LocalGetSidForString
		mov	esi, eax
		test	esi, esi
		jnz	loc_9E309C
		mov	ebx, [ebp+var_24]
		test	ebx, ebx
		jz	loc_9E309C
		push	ebx
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		mov	ecx, [ebp+var_34]
		mov	edi, [ebp+var_10]
		mov	edx, [ebp+var_18]
		push	4
		mov	[ecx], edi
		pop	ecx
		add	edi, ecx
		mov	[edx], eax
		mov	ecx, [ebp+var_8]
		push	eax		; size_t
		add	ecx, edi
		add	edi, eax
		push	ebx		; void *
		push	ecx		; void *
		mov	[ebp+var_10], edi
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		add	eax, edi
		mov	edi, [ebp+var_14]
		mov	[ebp+var_18], eax
		push	4
		pop	eax
		add	[ebp+var_34], eax
		cmp	[ebp+var_2], 0
		jz	short loc_9E38DD
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebp+var_24], eax

loc_9E38DD:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+A58j
		movzx	eax, word ptr [edi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		push	2
		pop	ebx

loc_9E38EA:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+A85j
		test	eax, eax
		jz	short loc_9E38FC
		add	edi, ebx
		movzx	eax, word ptr [edi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		jmp	short loc_9E38EA
; 

loc_9E38FC:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+A77j
		movzx	eax, word ptr [edi]
		push	2Ch
		pop	ecx
		cmp	ax, cx
		jnz	loc_9E3BA0
		add	edi, ebx
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jnz	loc_9E384E
		jmp	loc_9E3097
; 

loc_9E3920:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+82Ej
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jz	loc_9E3BAF
		lea	eax, [edx+10h]
		mov	[ebp+var_24], eax

loc_9E3934:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+BC1j
		push	ecx		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E3955
		push	2
		pop	ebx

loc_9E3942:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+ADBj
		add	edi, ebx
		movzx	eax, word ptr [edi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E3942
		mov	ebx, [ebp+var_10]

loc_9E3955:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+AC8j
		push	22h
		pop	eax
		cmp	[edi], ax
		jnz	loc_9E3097
		push	2
		pop	eax
		add	edi, eax
		xor	ecx, ecx
		mov	[ebp+var_28], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_34], ecx
		movzx	eax, word ptr [edi]
		mov	edx, eax
		cmp	ax, word ptr [ebp+var_38]
		jz	short loc_9E39B0
		mov	ebx, eax
		mov	esi, edi
		xor	eax, eax
		mov	edi, ecx

loc_9E3984:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+B2Aj
		movzx	edx, bx
		test	bx, bx
		jz	short loc_9E39A1
		push	2
		pop	eax
		add	esi, eax
		inc	edi
		mov	ecx, edi
		movzx	eax, word ptr [esi]
		mov	ebx, eax
		mov	edx, eax
		cmp	ax, word ptr [ebp+var_38]
		jnz	short loc_9E3984

loc_9E39A1:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+B15j
		mov	ebx, [ebp+var_10]
		mov	[ebp+var_34], edi
		mov	edi, [ebp+var_28]
		mov	[ebp+var_2C], esi
		mov	esi, [ebp+var_1C]

loc_9E39B0:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+B05j
		push	22h
		pop	eax
		cmp	dx, ax
		jnz	loc_9E3097
		mov	eax, [ebp+var_24]
		mov	[eax], ebx
		lea	eax, [ecx+ecx]
		push	eax		; size_t
		add	ebx, 2
		push	edi		; void *
		mov	edi, [ebp+var_18]
		add	ebx, eax
		push	edi		; void *
		mov	[ebp+var_10], ebx
		call	_memcpy
		mov	eax, [ebp+var_34]
		xor	ecx, ecx
		push	4
		mov	[edi+eax*2], cx
		mov	eax, [ebp+var_8]
		mov	edi, [ebp+var_2C]
		add	eax, ebx
		mov	[ebp+var_18], eax
		add	edi, 2
		pop	eax
		add	[ebp+var_24], eax
		movzx	eax, word ptr [edi]
		push	eax		; wint_t
		call	_iswspace
		add	esp, 10h
		test	eax, eax
		jz	short loc_9E3A1A
		push	2
		pop	ebx

loc_9E3A07:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+BA0j
		add	edi, ebx
		movzx	eax, word ptr [edi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E3A07
		mov	ebx, [ebp+var_10]

loc_9E3A1A:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+B8Dj
		movzx	eax, word ptr [edi]
		push	2Ch
		pop	ecx
		cmp	ax, cx
		jnz	loc_9E3BA0
		push	2
		pop	eax
		add	edi, eax
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jnz	loc_9E3934
		jmp	loc_9E3097
; 

loc_9E3A41:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+825j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+842j
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jz	loc_9E3BAF
		lea	eax, [edx+10h]
		xor	ecx, ecx
		mov	[ebp+var_38], eax

loc_9E3A57:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+C73j
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20], ecx
		push	eax
		push	1
		push	ecx
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		push	ecx
		call	_wcstoxq
		add	esp, 18h
		cmp	[ebp+var_14], edi
		jnz	short loc_9E3A7E
		mov	ecx, eax
		or	ecx, edx
		jz	loc_9E3097

loc_9E3A7E:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+BFDj
		cmp	[ebp+var_20], 0
		jnz	loc_9E3163
		mov	ecx, [ebp+var_38]
		mov	edi, [ebp+var_18]
		push	4
		mov	[ecx], ebx
		add	ebx, 8
		mov	[edi], eax
		mov	eax, [ebp+var_8]
		add	eax, ebx
		mov	[edi+4], edx
		mov	edi, [ebp+var_14]
		mov	[ebp+var_18], eax
		pop	eax
		add	ecx, eax
		movzx	eax, word ptr [edi]
		push	eax		; wint_t
		mov	[ebp+var_38], ecx
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E3ACF
		push	2
		pop	esi

loc_9E3ABC:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+C55j
		add	edi, esi
		movzx	eax, word ptr [edi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E3ABC
		mov	esi, [ebp+var_1C]

loc_9E3ACF:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+C42j
		movzx	eax, word ptr [edi]
		push	2Ch
		pop	ecx
		cmp	ax, cx
		jnz	loc_9E3BA0
		push	2
		pop	eax
		add	edi, eax
		xor	ecx, ecx
		cmp	[edi], cx
		jnz	loc_9E3A57
		jmp	loc_9E3097
; 

loc_9E3AF3:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+81Cj
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jz	loc_9E3BAF
		lea	eax, [edx+10h]
		xor	ecx, ecx
		mov	[ebp+var_38], eax

loc_9E3B09:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+D20j
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20], ecx
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		push	ecx
		call	_wcstoxq
		add	esp, 18h
		cmp	[ebp+var_14], edi
		jnz	short loc_9E3B2F
		mov	ecx, eax
		or	ecx, edx
		jz	loc_9E3097

loc_9E3B2F:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+CAEj
		cmp	[ebp+var_20], 0
		jnz	loc_9E3163
		mov	ecx, [ebp+var_38]
		mov	edi, [ebp+var_18]
		push	4
		mov	[ecx], ebx
		add	ebx, 8
		mov	[edi], eax
		mov	eax, [ebp+var_8]
		add	eax, ebx
		mov	[edi+4], edx
		mov	edi, [ebp+var_14]
		mov	[ebp+var_18], eax
		pop	eax
		add	ecx, eax
		movzx	eax, word ptr [edi]
		push	eax		; wint_t
		mov	[ebp+var_38], ecx
		call	_iswspace
		pop	ecx
		test	eax, eax
		jz	short loc_9E3B80
		push	2
		pop	esi

loc_9E3B6D:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+D06j
		add	edi, esi
		movzx	eax, word ptr [edi]
		push	eax		; wint_t
		call	_iswspace
		pop	ecx
		test	eax, eax
		jnz	short loc_9E3B6D
		mov	esi, [ebp+var_1C]

loc_9E3B80:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+CF3j
		movzx	eax, word ptr [edi]
		push	2Ch
		pop	ecx
		cmp	ax, cx
		jnz	short loc_9E3BA0
		push	2
		pop	eax
		add	edi, eax
		xor	ecx, ecx
		cmp	[edi], cx
		jnz	loc_9E3B09
		jmp	loc_9E3097
; 

loc_9E3BA0:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+A90j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+BAEj ...
		push	29h
		pop	edx
		mov	ecx, eax
		cmp	ax, dx
		jz	short loc_9E3BB2
		jmp	loc_9E3097
; 

loc_9E3BAF:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+9CAj
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+AB3j ...
		push	29h
		pop	edx

loc_9E3BB2:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+D33j
		cmp	cx, dx
		jnz	loc_9E3097
		mov	ebx, [ebp+var_8]

loc_9E3BBE:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+9BAj
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[eax], ebx
		mov	eax, dword ptr [ebp+var_3C]
		mov	[ecx], eax
		lea	eax, [edi+2]
		mov	ecx, [ebp+var_44]
		mov	[ecx], eax
		jmp	loc_9E309F
; 

loc_9E3BD8:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+115j
		mov	ebx, [ebp+var_8]
		jmp	loc_9E2FC8
; 

loc_9E3BE0:				; CODE XREF: LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+43j
					; LocalGetRelativeAttributeForString(x,x,x,x,x,x,x,x)+4Bj ...
		push	57h
		pop	esi
		jmp	loc_9E309F
_LocalGetRelativeAttributeForString@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	LocalGetStringForRelativeAttribute(int,int,int,size_t,int)
_LocalGetStringForRelativeAttribute@28 proc near ; CODE	XREF: LocalGetAceCondition+123B33p

var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_90		= dword	ptr -90h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 114h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	[ebp+var_EC], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_10]
		push	edi
		mov	[ebp+var_114], eax
		mov	edi, edx
		xor	eax, eax
		mov	[ebp+var_104], edi
		push	46h		; size_t
		push	eax		; int
		mov	[ebp+var_FC], eax
		mov	esi, eax
		mov	[ebp+var_110], eax
		lea	eax, [ebp+var_D8]
		push	eax		; void *
		mov	[ebp+var_100], ebx
		call	_memset
		xor	eax, eax
		push	8Ch		; size_t
		push	eax		; int
		lea	eax, [ebp+var_90]
		push	eax		; void *
		call	_memset
		xor	eax, eax
		add	esp, 18h
		mov	[ebp+var_E0], eax
		mov	[ebp+var_F8], eax
		mov	[ebp+var_F4], eax
		mov	[ebp+var_DC], eax
		mov	[ebp+var_E4], eax
		test	ebx, ebx
		jz	loc_9E4695
		test	edi, edi
		jz	loc_9E4695
		cmp	[ebp+var_114], eax
		jz	loc_9E4695
		cmp	edi, 14h
		jnb	short loc_9E3CA3

loc_9E3C99:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+D0j
					; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+ECj ...
		mov	edi, 538h
		jmp	loc_9E46C9
; 

loc_9E3CA3:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+AFj
		mov	esi, [ebx+0Ch]
		movzx	eax, word ptr [ebx+4]
		mov	[ebp+var_F0], eax
		mov	[ebp+var_E8], esi
		test	esi, esi
		jz	short loc_9E3C99
		push	10h
		push	23h
		lea	eax, [ebp+var_D8]
		push	eax
		push	dword ptr [ebx+8]
		call	__ultow_s
		mov	eax, [ebx]
		add	esp, 10h
		cmp	edi, eax
		jb	short loc_9E3C99
		mov	edx, edi
		push	4
		sub	edx, eax
		pop	ecx
		cmp	edx, ecx
		jb	short loc_9E3C99
		lea	edi, [ebx+eax]
		lea	eax, [ebp+var_DC]
		mov	ecx, edi
		push	eax
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		test	eax, eax
		js	short loc_9E3C99
		mov	edx, [ebp+var_DC]
		test	edx, edx
		jz	short loc_9E3C99
		lea	eax, [ebp+var_110]
		mov	ecx, edi
		push	eax
		call	_EncodeAttributeName@12	; EncodeAttributeName(x,x,x)
		mov	edi, eax
		mov	[ebp+var_108], edi
		test	edi, edi
		jnz	loc_9E46A3
		mov	ecx, [ebp+var_110]
		lea	edx, [ecx+2]

loc_9E3D27:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+14Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_FC]
		jnz	short loc_9E3D27
		sub	ecx, edx
		sar	ecx, 1
		push	2
		lea	eax, [ecx+ecx]
		pop	ecx
		mov	[ebp+var_10C], eax
		mov	eax, esi
		mul	ecx
		lea	ecx, [ebp+var_F8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		jns	short loc_9E3D65

loc_9E3D5B:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+194j
					; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+1B0j ...
		mov	edi, 216h
		jmp	loc_9E46A3
; 

loc_9E3D65:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+171j
		mov	edx, [ebp+var_F8]
		lea	eax, [ebp+var_E0]
		push	eax
		push	18h
		pop	ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_9E3D5B
		mov	edx, [ebp+var_10C]
		lea	eax, [ebp+var_E0]
		mov	ecx, [ebp+var_E0]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_9E3D5B
		lea	edx, [ebp+var_D8]
		lea	ecx, [edx+2]

loc_9E3DA3:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+1C8j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_FC]
		jnz	short loc_9E3DA3
		sub	edx, ecx
		lea	eax, [ebp+var_E0]
		mov	ecx, [ebp+var_E0]
		sar	edx, 1
		push	eax
		add	edx, edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_9E3D5B
		push	4
		pop	ecx
		mov	eax, esi
		mul	ecx
		lea	ecx, [ebp+var_E4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_9E3D5B
		mov	edx, [ebp+var_104]
		lea	eax, [edx-10h]
		cmp	eax, [ebp+var_E4]
		jb	short loc_9E3E3E
		mov	eax, [ebp+var_F0]
		movzx	eax, ax
		mov	[ebp+var_F0], eax
		sub	eax, 1
		jz	loc_9E414A
		sub	eax, 1
		jz	loc_9E4099
		sub	eax, 1
		jz	loc_9E4004
		push	2
		pop	ecx
		sub	eax, ecx
		jz	loc_9E3EEB
		sub	eax, 1
		jz	loc_9E4099
		sub	eax, 0Ah
		jz	short loc_9E3E48

loc_9E3E3E:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+211j
					; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+27Dj ...
		mov	edi, 538h
		jmp	loc_9E46A3
; 

loc_9E3E48:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+254j
		xor	ecx, ecx
		mov	[ebp+var_E4], ecx
		test	esi, esi
		jz	loc_9E41F6
		lea	eax, [ebx+10h]
		mov	[ebp+var_DC], eax

loc_9E3E61:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+2F8j
		mov	eax, [eax]
		cmp	edx, eax
		jb	short loc_9E3E3E
		push	4
		sub	edx, eax
		pop	ecx
		cmp	edx, ecx
		jb	short loc_9E3E3E
		mov	ecx, [ebx+eax]
		lea	eax, [edx-4]
		mov	[ebp+var_F8], ecx
		cmp	eax, ecx
		jb	short loc_9E3E3E
		push	4
		mov	eax, ecx
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_F8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_9E3D5B
		mov	edx, [ebp+var_F8]
		lea	eax, [ebp+var_E0]
		mov	ecx, [ebp+var_E0]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9E3D5B
		mov	ecx, [ebp+var_E4]
		mov	eax, [ebp+var_DC]
		inc	ecx
		mov	edx, [ebp+var_104]
		add	eax, 4
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_DC], eax
		cmp	ecx, esi
		jb	loc_9E3E61
		jmp	loc_9E41F6
; 

loc_9E3EEB:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+242j
		xor	eax, eax
		mov	[ebp+var_E4], eax
		test	esi, esi
		jz	loc_9E41F6
		lea	eax, [ebx+10h]
		mov	[ebp+var_DC], eax

loc_9E3F04:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+411j
		mov	ecx, [eax]
		cmp	edx, ecx
		jb	loc_9E3E3E
		mov	eax, edx
		sub	eax, ecx
		cmp	eax, 4
		jb	loc_9E3E3E
		mov	edi, [ebx+ecx]
		push	4
		pop	eax
		add	ecx, eax
		test	edi, edi
		jz	loc_9E3E3E
		mov	eax, edx
		sub	eax, ecx
		cmp	eax, edi
		jb	loc_9E3E3E
		cmp	eax, 8
		jb	loc_9E3E3E
		add	ecx, ebx
		movzx	edx, byte ptr [ecx+1]
		test	edx, edx
		jz	loc_9E3E3E
		shl	edx, 2
		add	eax, 0FFFFFFF8h
		cmp	eax, edx
		jb	loc_9E3E3E
		push	[ebp+arg_C]	; size_t
		lea	edx, [ebp+var_F4]
		push	ecx		; int
		push	ecx		; int
		push	[ebp+var_EC]	; int
		call	_LocalGetStringForSid@24 ; LocalGetStringForSid(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_108], eax
		test	edi, edi
		jnz	loc_9E46A3
		mov	edx, [ebp+var_F4]
		lea	ecx, [edx+2]

loc_9E3F8B:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+3B0j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_FC]
		jnz	short loc_9E3F8B
		sub	edx, ecx
		lea	eax, [ebp+var_E0]
		mov	ecx, [ebp+var_E0]
		sar	edx, 1
		push	eax
		add	edx, edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9E3D5B
		mov	eax, [ebp+var_F4]
		test	eax, eax
		jz	short loc_9E3FD5
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebp+var_F4], eax

loc_9E3FD5:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+3DAj
		mov	ecx, [ebp+var_E4]
		mov	eax, [ebp+var_DC]
		inc	ecx
		mov	edx, [ebp+var_104]
		add	eax, 4
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_DC], eax
		cmp	ecx, esi
		jb	loc_9E3F04
		jmp	loc_9E41F6
; 

loc_9E4004:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+237j
		xor	eax, eax
		mov	[ebp+var_E4], eax
		test	esi, esi
		jz	loc_9E41F6
		lea	eax, [ebx+10h]
		mov	[ebp+var_F8], eax

loc_9E401D:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+4AAj
		mov	eax, [eax]
		cmp	edx, eax
		jb	loc_9E3E3E
		push	2
		sub	edx, eax
		pop	ecx
		cmp	edx, ecx
		jb	loc_9E3E3E
		lea	ecx, [ebp+var_DC]
		push	ecx
		lea	ecx, [ebx+eax]
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		test	eax, eax
		js	loc_9E3E3E
		mov	edx, [ebp+var_DC]
		lea	eax, [ebp+var_E0]
		mov	ecx, [ebp+var_E0]
		push	eax
		lea	edx, [edx+4]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9E3D5B
		mov	ecx, [ebp+var_E4]
		mov	eax, [ebp+var_F8]
		inc	ecx
		mov	edx, [ebp+var_104]
		add	eax, 4
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_F8], eax
		cmp	ecx, esi
		jb	short loc_9E401D
		jmp	loc_9E41F6
; 

loc_9E4099:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+22Ej
					; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+24Bj
		xor	eax, eax
		mov	[ebp+var_E4], eax
		test	esi, esi
		jz	loc_9E41F6
		lea	eax, [ebx+10h]
		mov	[ebp+var_DC], eax

loc_9E40B2:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+557j
		mov	ecx, [eax]
		cmp	edx, ecx
		jb	loc_9E3E3E
		mov	eax, edx
		sub	eax, ecx
		cmp	eax, 8
		jb	loc_9E3E3E
		push	0Ah
		push	46h
		lea	eax, [ebp+var_90]
		push	eax
		push	dword ptr [ebx+ecx+4]
		push	dword ptr [ebx+ecx]
		call	__ui64tow_s
		lea	edx, [ebp+var_90]
		add	esp, 14h
		lea	ecx, [edx+2]

loc_9E40EC:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+511j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_FC]
		jnz	short loc_9E40EC
		sub	edx, ecx
		lea	eax, [ebp+var_E0]
		mov	ecx, [ebp+var_E0]
		sar	edx, 1
		push	eax
		add	edx, edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9E3D5B
		mov	ecx, [ebp+var_E4]
		mov	eax, [ebp+var_DC]
		inc	ecx
		mov	edx, [ebp+var_104]
		add	eax, 4
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_DC], eax
		cmp	ecx, esi
		jb	loc_9E40B2
		jmp	loc_9E41F6
; 

loc_9E414A:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+225j
		xor	eax, eax
		mov	[ebp+var_E4], eax
		test	esi, esi
		jz	loc_9E41F6
		lea	eax, [ebx+10h]
		mov	[ebp+var_DC], eax

loc_9E4163:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+608j
		mov	ecx, [eax]
		cmp	edx, ecx
		jb	loc_9E3E3E
		mov	eax, edx
		sub	eax, ecx
		cmp	eax, 8
		jb	loc_9E3E3E
		push	0Ah
		push	46h
		lea	eax, [ebp+var_90]
		push	eax
		push	dword ptr [ebx+ecx+4]
		push	dword ptr [ebx+ecx]
		call	__i64tow_s
		lea	edx, [ebp+var_90]
		add	esp, 14h
		lea	ecx, [edx+2]

loc_9E419D:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+5C2j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_FC]
		jnz	short loc_9E419D
		sub	edx, ecx
		lea	eax, [ebp+var_E0]
		mov	ecx, [ebp+var_E0]
		sar	edx, 1
		push	eax
		add	edx, edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9E3D5B
		mov	ecx, [ebp+var_E4]
		mov	eax, [ebp+var_DC]
		inc	ecx
		mov	edx, [ebp+var_104]
		add	eax, 4
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_DC], eax
		cmp	ecx, esi
		jb	loc_9E4163

loc_9E41F6:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+26Aj
					; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+2FEj ...
		mov	ecx, [ebp+var_E0]
		lea	eax, [ebp+var_E0]
		push	eax
		push	3
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9E3D5B
		mov	ecx, [ebp+var_E0]
		and	ecx, 0FFFFFFFCh
		push	ecx
		call	_SddlpAlloc@12	; SddlpAlloc(x,x,x)
		mov	[ebp+var_DC], eax
		test	eax, eax
		jnz	short loc_9E4234
		push	8
		pop	edi
		jmp	loc_9E46A3
; 

loc_9E4234:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+642j
		mov	ebx, [ebp+var_10C]
		lea	esi, [eax+2]
		push	28h
		pop	ecx
		push	22h
		mov	[eax], cx
		pop	eax
		push	2
		mov	[esi], ax
		pop	eax
		push	ebx		; size_t
		push	[ebp+var_110]	; void *
		add	esi, eax
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		shr	ebx, 1
		push	22h
		pop	eax
		push	2
		lea	ebx, [esi+ebx*2]
		mov	[ebx], ax
		mov	eax, [ebp+var_F0]
		pop	ecx
		add	ebx, ecx
		push	2Ch
		pop	edx
		mov	[ebx], dx
		sub	eax, 1
		jz	short loc_9E42D6
		sub	eax, 1
		jz	short loc_9E42CD
		sub	eax, 1
		jz	short loc_9E42C4
		sub	eax, ecx
		jz	short loc_9E42BB
		sub	eax, 1
		jz	short loc_9E42B2
		sub	eax, 0Ah
		jz	short loc_9E42A9

loc_9E4297:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+776j
		mov	edi, 538h

loc_9E429C:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+861j
		mov	esi, [ebp+var_DC]
		xor	eax, eax
		jmp	loc_9E4698
; 

loc_9E42A9:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+6ADj
		mov	dword ptr [ebx+2], offset loc_580054
		jmp	short loc_9E42DD
; 

loc_9E42B2:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+6A8j
		mov	dword ptr [ebx+2], (offset loc_420053+1)
		jmp	short loc_9E42DD
; 

loc_9E42BB:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+6A3j
		mov	dword ptr [ebx+2], offset loc_440054
		jmp	short loc_9E42DD
; 

loc_9E42C4:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+69Fj
		mov	dword ptr [ebx+2], offset loc_530054
		jmp	short loc_9E42DD
; 

loc_9E42CD:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+69Aj
		mov	dword ptr [ebx+2], 550054h
		jmp	short loc_9E42DD
; 

loc_9E42D6:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+695j
		mov	dword ptr [ebx+2], 490054h

loc_9E42DD:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+6C8j
					; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+6D1j ...
		mov	[ebx+6], dx
		lea	esi, [ebp+var_D8]
		add	ebx, 8
		lea	ecx, [esi+2]
		xor	edx, edx

loc_9E42EF:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+710j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_9E42EF
		push	30h
		pop	eax
		push	2
		sub	esi, ecx
		mov	[ebx], ax
		pop	ecx
		add	ebx, ecx
		sar	esi, 1
		push	78h
		pop	eax
		add	esi, esi
		mov	[ebx], ax
		add	ebx, ecx
		push	esi		; size_t
		lea	eax, [ebp+var_D8]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [ebp+var_F0]
		add	esp, 0Ch
		add	ebx, esi
		sub	eax, 1
		jz	loc_9E45E5
		sub	eax, 1
		jz	loc_9E4551
		sub	eax, 1
		jz	loc_9E44CF
		push	2
		pop	edx
		sub	eax, edx
		jz	loc_9E43FD
		sub	eax, 1
		jz	loc_9E4554
		sub	eax, 0Ah
		jnz	loc_9E4297
		mov	edx, [ebp+var_E8]
		test	edx, edx
		jz	loc_9E4677
		mov	ecx, [ebp+var_100]
		lea	esi, [ecx+10h]
		mov	[ebp+var_F0], esi

loc_9E4381:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+80Ej
		push	2Ch
		pop	eax
		mov	[ebx], ax
		push	2
		pop	eax
		add	ebx, eax
		mov	eax, [esi]
		mov	edi, [ecx+eax]
		add	eax, 4
		add	eax, ecx
		mov	[ebp+var_EC], eax
		test	edi, edi
		jz	short loc_9E43E2
		push	2
		mov	edx, eax
		pop	esi

loc_9E43A5:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+7E6j
		movzx	ecx, byte ptr [edx]
		mov	eax, ecx
		and	ecx, 0Fh
		shr	eax, 4
		mov	ax, ds:word_42E340[eax*2]
		mov	[ebx], ax
		add	ebx, esi
		mov	ax, ds:word_42E340[ecx*2]
		mov	[ebx], ax
		add	ebx, esi
		inc	edx
		sub	edi, 1
		jnz	short loc_9E43A5
		mov	ecx, [ebp+var_100]
		mov	edx, [ebp+var_E8]
		mov	esi, [ebp+var_F0]

loc_9E43E2:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+7B6j
		push	4
		pop	eax
		add	esi, eax
		sub	edx, 1
		mov	[ebp+var_F0], esi
		mov	[ebp+var_E8], edx
		jnz	short loc_9E4381
		jmp	loc_9E4671
; 

loc_9E43FD:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+764j
		xor	ecx, ecx
		mov	[ebp+var_F0], ecx
		cmp	[ebp+var_E8], ecx
		jbe	loc_9E4679
		mov	ecx, [ebp+var_100]
		lea	eax, [ecx+10h]
		mov	[ebp+var_10C], eax

loc_9E4420:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+8DCj
		push	2Ch
		pop	esi
		push	[ebp+arg_C]	; size_t
		mov	[ebx], si
		add	ebx, edx
		mov	eax, [eax]
		lea	edx, [ebp+var_F4]
		add	eax, 4
		add	ecx, eax
		push	ecx		; int
		push	ecx		; int
		push	[ebp+var_EC]	; int
		call	_LocalGetStringForSid@24 ; LocalGetStringForSid(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_9E429C
		mov	edx, [ebp+var_F4]
		mov	esi, edx
		lea	ecx, [esi+2]

loc_9E445A:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+87Fj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, word ptr [ebp+var_FC]
		jnz	short loc_9E445A
		sub	esi, ecx
		sar	esi, 1
		add	esi, esi
		push	esi		; size_t
		push	edx		; void *
		push	ebx		; void *
		call	_memcpy
		mov	edx, [ebp+var_F4]
		add	esp, 0Ch
		add	ebx, esi
		test	edx, edx
		jz	short loc_9E4497
		xor	esi, esi
		push	esi
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, esi
		mov	[ebp+var_F4], edx

loc_9E4497:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+89Cj
		mov	esi, [ebp+var_F0]
		mov	eax, [ebp+var_10C]
		inc	esi
		push	4
		pop	ecx
		add	eax, ecx
		mov	[ebp+var_F0], esi
		mov	ecx, [ebp+var_100]
		push	2
		mov	[ebp+var_10C], eax
		pop	edx
		cmp	esi, [ebp+var_E8]
		jb	loc_9E4420
		jmp	loc_9E4677
; 

loc_9E44CF:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+759j
		cmp	[ebp+var_E8], 0
		jbe	loc_9E4677
		mov	edi, [ebp+var_100]
		push	2
		pop	ecx
		lea	eax, [edi+10h]
		mov	[ebp+var_EC], eax

loc_9E44EE:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+962j
		push	2Ch
		pop	edx
		mov	[ebx], dx
		add	ebx, ecx
		push	22h
		pop	edx
		mov	[ebx], dx
		add	ebx, ecx
		mov	ecx, [eax]
		add	ecx, edi
		mov	esi, ecx
		lea	edx, [esi+2]

loc_9E4507:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+92Cj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, word ptr [ebp+var_FC]
		jnz	short loc_9E4507
		sub	esi, edx
		sar	esi, 1
		add	esi, esi
		push	esi		; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		add	ebx, esi
		push	22h
		pop	eax
		mov	[ebx], ax
		mov	eax, [ebp+var_EC]
		push	2
		pop	ecx
		add	eax, 4
		add	ebx, ecx
		sub	[ebp+var_E8], 1
		mov	[ebp+var_EC], eax
		jnz	short loc_9E44EE
		jmp	loc_9E4671
; 

loc_9E4551:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+750j
		push	2
		pop	edx

loc_9E4554:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+76Dj
		cmp	[ebp+var_E8], 0
		jbe	loc_9E4677
		mov	edi, [ebp+var_100]
		lea	eax, [edi+10h]
		mov	[ebp+var_EC], eax

loc_9E4570:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+9F6j
		push	2Ch
		pop	ecx
		mov	[ebx], cx
		add	ebx, edx
		mov	eax, [eax]
		lea	ecx, [ebp+var_90]
		push	0Ah
		push	46h
		push	ecx
		push	dword ptr [edi+eax+4]
		push	dword ptr [edi+eax]
		call	__ui64tow_s
		lea	esi, [ebp+var_90]
		add	esp, 14h
		lea	ecx, [esi+2]
		xor	edx, edx

loc_9E459F:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+9C0j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_9E459F
		sub	esi, ecx
		lea	eax, [ebp+var_90]
		sar	esi, 1
		add	esi, esi
		push	esi		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [ebp+var_EC]
		add	esp, 0Ch
		add	ebx, esi
		push	4
		pop	ecx
		add	eax, ecx
		sub	[ebp+var_E8], 1
		push	2
		mov	[ebp+var_EC], eax
		pop	edx
		jnz	short loc_9E4570
		jmp	loc_9E4671
; 

loc_9E45E5:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+747j
		cmp	[ebp+var_E8], 0
		jbe	loc_9E4677
		mov	edi, [ebp+var_100]
		lea	eax, [edi+10h]
		mov	[ebp+var_EC], eax

loc_9E4601:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+A87j
		push	2Ch
		pop	ecx
		mov	[ebx], cx
		mov	eax, [eax]
		push	2
		pop	ecx
		push	0Ah
		add	ebx, ecx
		lea	ecx, [ebp+var_90]
		push	46h
		push	ecx
		push	dword ptr [edi+eax+4]
		push	dword ptr [edi+eax]
		call	__i64tow_s
		lea	esi, [ebp+var_90]
		add	esp, 14h
		lea	ecx, [esi+2]
		xor	edx, edx

loc_9E4633:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+A54j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_9E4633
		sub	esi, ecx
		lea	eax, [ebp+var_90]
		sar	esi, 1
		add	esi, esi
		push	esi		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [ebp+var_EC]
		add	esp, 0Ch
		add	ebx, esi
		push	4
		pop	ecx
		add	eax, ecx
		sub	[ebp+var_E8], 1
		mov	[ebp+var_EC], eax
		jnz	short loc_9E4601

loc_9E4671:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+810j
					; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+964j ...
		mov	edi, [ebp+var_108]

loc_9E4677:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+784j
					; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+8E2j ...
		xor	ecx, ecx

loc_9E4679:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+823j
		mov	esi, [ebp+var_DC]
		push	29h
		pop	eax
		mov	[ebx], ax
		xor	eax, eax
		mov	[ebx+2], ax
		mov	eax, [ebp+var_114]
		mov	[eax], esi
		jmp	short loc_9E46A5
; 

loc_9E4695:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+92j
					; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+9Aj ...
		push	57h
		pop	edi

loc_9E4698:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+6BCj
		test	esi, esi
		jz	short loc_9E46A3
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E46A3:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+130j
					; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+178j ...
		xor	ecx, ecx

loc_9E46A5:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+AABj
		mov	eax, [ebp+var_110]
		test	eax, eax
		jz	short loc_9E46B6
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E46B6:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+AC5j
		mov	eax, [ebp+var_F4]
		test	eax, eax
		jz	short loc_9E46C9
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E46C9:				; CODE XREF: LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+B6j
					; LocalGetStringForRelativeAttribute(x,x,x,x,x,x,x)+AD6j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_LocalGetStringForRelativeAttribute@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmProcessDeleteRequest(x, x, x, x)
_SmProcessDeleteRequest@16 proc	near	; CODE XREF: SmSetStoreInformation+135F10p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		push	18h
		push	offset dword_6A95B8
		call	__SEH_prolog4
		mov	esi, ecx
		cmp	[ebp+arg_0], 8
		jz	short loc_9E46F7
		mov	eax, 0C0000206h
		jmp	short loc_9E4768
; 

loc_9E46F7:				; CODE XREF: SmProcessDeleteRequest(x,x,x,x)+12j
		and	[ebp+ms_exc.disabled], 0
		cmp	[ebp+arg_4], 0
		jz	short loc_9E471C
		mov	eax, edx
		test	dl, 3
		jz	short loc_9E470D
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9E470D:				; CODE XREF: SmProcessDeleteRequest(x,x,x,x)+2Aj
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		jb	short loc_9E4719
		mov	eax, ecx

loc_9E4719:				; CODE XREF: SmProcessDeleteRequest(x,x,x,x)+39j
		nop
		mov	al, [eax]

loc_9E471C:				; CODE XREF: SmProcessDeleteRequest(x,x,x,x)+23j
		mov	eax, [edx]
		mov	[ebp+var_24], eax
		mov	edx, [edx+4]
		mov	[ebp+var_20], edx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	al, 1
		jnz	short loc_9E4746
		test	eax, 0FFFFFF00h
		jnz	short loc_9E4746
		push	ecx
		push	dword ptr [ebp+arg_4]
		mov	ecx, esi
		call	SmKmStoreDelete
		jmp	short loc_9E4768
; 

loc_9E4746:				; CODE XREF: SmProcessDeleteRequest(x,x,x,x)+54j
					; SmProcessDeleteRequest(x,x,x,x)+5Bj
		mov	eax, 0C000000Dh
		jmp	short loc_9E4768
; 

loc_9E474D:				; DATA XREF: .text:006A95CCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E475B:				; DATA XREF: .text:006A95D0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_1C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9E4768:				; CODE XREF: SmProcessDeleteRequest(x,x,x,x)+19j
					; SmProcessDeleteRequest(x,x,x,x)+68j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SmProcessDeleteRequest@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmProcessListRequest(x, x, x, x, x)
_SmProcessListRequest@20 proc near	; CODE XREF: SmQueryStoreInformation+12052Fp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		push	20h
		push	offset dword_6A9590
		call	__SEH_prolog4
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], ecx
		and	[ebp+var_1C], 0
		mov	edx, 524C6D73h
		mov	esi, 1084h
		mov	ecx, esi
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	ebx, eax
		mov	[ebp+var_28], ebx
		test	ebx, ebx
		jnz	short loc_9E47B4
		mov	esi, 0C0000454h
		jmp	loc_9E48DE
; 

loc_9E47B4:				; CODE XREF: SmProcessListRequest(x,x,x,x,x)+2Ej
		and	[ebp+var_1C], 0
		push	esi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+arg_0], 84h
		jnb	short loc_9E47D7

loc_9E47CD:				; CODE XREF: SmProcessListRequest(x,x,x,x,x)+CCj
		mov	esi, 0C0000206h
		jmp	loc_9E48DE
; 

loc_9E47D7:				; CODE XREF: SmProcessListRequest(x,x,x,x,x)+51j
		and	[ebp+ms_exc.disabled], 0
		mov	al, [ebp+arg_8]
		mov	edx, [ebp+var_20]
		test	al, al
		jz	short loc_9E480E
		test	dl, 3
		jz	short loc_9E47EF
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9E47EF:				; CODE XREF: SmProcessListRequest(x,x,x,x,x)+6Ej
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_9E47FB
		mov	byte ptr [eax],	0

loc_9E47FB:				; CODE XREF: SmProcessListRequest(x,x,x,x,x)+7Cj
		mov	al, [edx]
		mov	[edx], al
		mov	al, [edx+80h]
		mov	[edx+80h], al
		mov	al, [ebp+arg_8]

loc_9E480E:				; CODE XREF: SmProcessListRequest(x,x,x,x,x)+69j
		push	21h
		pop	ecx
		mov	esi, edx
		mov	edi, ebx
		rep movsd
		nop
		test	dword ptr [ebx], 10000h
		jz	short loc_9E4834
		mov	edi, 1084h
		test	al, al
		jz	short loc_9E4839
		push	4
		push	edi
		push	edx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		jmp	short loc_9E4839
; 

loc_9E4834:				; CODE XREF: SmProcessListRequest(x,x,x,x,x)+A4j
		mov	edi, 84h

loc_9E4839:				; CODE XREF: SmProcessListRequest(x,x,x,x,x)+ADj
					; SmProcessListRequest(x,x,x,x,x)+B8j
		mov	[ebp+var_1C], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+arg_0], edi
		jnz	short loc_9E47CD
		mov	eax, [ebx]
		cmp	al, 2
		jnz	short loc_9E48B9
		cmp	byte ptr [ebx+1], 0
		jnz	short loc_9E48B9
		cmp	eax, 20000h
		jnb	short loc_9E48B9
		mov	edx, ebx
		mov	ecx, [ebp+var_24]
		call	_SmKmGetStoreList@8 ; SmKmGetStoreList(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E48DE
		test	dword ptr [ebx], 10000h
		jz	short loc_9E4883
		mov	edx, ebx
		mov	ecx, [ebp+var_24]
		call	_SmProcessListRequestExtended@8	; SmProcessListRequestExtended(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E48DE

loc_9E4883:				; CODE XREF: SmProcessListRequest(x,x,x,x,x)+F7j
		mov	[ebp+ms_exc.disabled], 1
		push	edi		; size_t
		push	ebx		; void *
		mov	edx, [ebp+var_20]
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		jmp	short loc_9E48DE
; 

loc_9E48A6:				; DATA XREF: .text:006A95B0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E48B4:				; DATA XREF: .text:006A95B4o
		mov	esi, [ebp+var_2C]
		jmp	short loc_9E48D1
; 

loc_9E48B9:				; CODE XREF: SmProcessListRequest(x,x,x,x,x)+D2j
					; SmProcessListRequest(x,x,x,x,x)+D8j ...
		mov	esi, 0C000000Dh
		jmp	short loc_9E48DE
; 

loc_9E48C0:				; DATA XREF: .text:006A95A4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E48CE:				; DATA XREF: .text:006A95A8o
		mov	esi, [ebp+var_30]

loc_9E48D1:				; CODE XREF: SmProcessListRequest(x,x,x,x,x)+13Dj
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_28]

loc_9E48DE:				; CODE XREF: SmProcessListRequest(x,x,x,x,x)+35j
					; SmProcessListRequest(x,x,x,x,x)+58j ...
		test	ebx, ebx
		jz	short loc_9E48E9
		mov	ecx, ebx
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_9E48E9:				; CODE XREF: SmProcessListRequest(x,x,x,x,x)+166j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_SmProcessListRequest@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmProcessListRequestExtended(x, x)
_SmProcessListRequestExtended@8	proc near ; CODE XREF: SmProcessListRequest(x,x,x,x,x)+FEp

var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	[esp+24h+var_8], ecx
		push	edi
		xor	edi, edi
		and	[esp+28h+var_14], edi
		cmp	byte ptr [esi+1], 0
		jbe	loc_9E4A35
		lea	eax, [esi+8]
		lea	edx, [esi+4]
		mov	[esp+28h+var_C], eax
		lea	ebx, [esi+84h]
		mov	[esp+28h+var_10], edx
		jmp	short loc_9E493B
; 

loc_9E4937:				; CODE XREF: SmProcessListRequestExtended(x,x)+132j
		mov	ecx, [esp+28h+var_8]

loc_9E493B:				; CODE XREF: SmProcessListRequestExtended(x,x)+38j
		mov	edx, [edx]
		call	SmKmStoreReference
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9E498C
		movzx	ecx, byte ptr [esi+1]
		sub	ecx, [esp+28h+var_14]
		lea	ecx, ds:0FFFFFFFCh[ecx*4]
		push	ecx		; size_t
		push	[esp+2Ch+var_C]	; void *
		push	[esp+30h+var_10] ; void	*
		call	_memmove
		mov	edx, [esp+34h+var_10]
		add	esp, 0Ch
		mov	eax, [esp+28h+var_C]
		sub	edx, 4
		dec	[esp+28h+var_14]
		sub	eax, 4
		add	ebx, 0FFFFFF80h
		dec	byte ptr [esi+1]
		mov	cl, [esi+1]
		mov	[esp+28h+var_15], cl
		jmp	loc_9E4A0E
; 

loc_9E498C:				; CODE XREF: SmProcessListRequestExtended(x,x)+49j
		cmp	byte ptr [edi+10F4h], 1
		jnz	short loc_9E49DB
		push	80h		; size_t
		lea	ecx, [edi+1184h]
		mov	edx, ebx
		call	_SmKmFileInfoGetPath@12	; SmKmFileInfoGetPath(x,x,x)
		mov	[esp+28h+var_4], eax
		test	eax, eax
		jns	short loc_9E49E0
		mov	esi, eax

loc_9E49B1:				; CODE XREF: SmProcessListRequestExtended(x,x)+13Aj
		test	edi, edi
		jz	short loc_9E49D2
		mov	edx, [edi+10F0h]
		mov	ecx, [esp+28h+var_8]
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_9E49D2:				; CODE XREF: SmProcessListRequestExtended(x,x)+B6j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_9E49DB:				; CODE XREF: SmProcessListRequestExtended(x,x)+96j
		xor	eax, eax
		mov	[ebx], ax

loc_9E49E0:				; CODE XREF: SmProcessListRequestExtended(x,x)+B0j
		mov	edx, [edi+10F0h]
		mov	ecx, [esp+28h+var_8]
		and	edx, 3FFh
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		lea	ecx, [eax+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	al, [esi+1]
		xor	edi, edi
		mov	edx, [esp+28h+var_10]
		mov	[esp+28h+var_15], al
		mov	eax, [esp+28h+var_C]

loc_9E4A0E:				; CODE XREF: SmProcessListRequestExtended(x,x)+8Aj
		mov	ecx, [esp+28h+var_14]
		add	eax, 4
		inc	ecx
		mov	[esp+28h+var_C], eax
		movzx	eax, [esp+28h+var_15]
		add	edx, 4
		sub	ebx, 0FFFFFF80h
		mov	[esp+28h+var_14], ecx
		mov	[esp+28h+var_10], edx
		cmp	ecx, eax
		jb	loc_9E4937

loc_9E4A35:				; CODE XREF: SmProcessListRequestExtended(x,x)+1Ej
		xor	esi, esi
		jmp	loc_9E49B1
_SmProcessListRequestExtended@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmProcessResizeRequest(x, x, x, x)
_SmProcessResizeRequest@16 proc	near	; CODE XREF: SmSetStoreInformation+135F88p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 38h
		push	esi
		xor	eax, eax
		mov	esi, edx
		cmp	[ebp+arg_0], 10h
		push	edi
		mov	edi, ecx
		mov	[esp+40h+var_38], eax
		mov	[esp+40h+var_34], eax
		jz	short loc_9E4A67
		mov	eax, 0C0000206h
		jmp	loc_9E4B05
; 

loc_9E4A67:				; CODE XREF: SmProcessResizeRequest(x,x,x,x)+1Fj
		cmp	[ebp+arg_4], al
		jz	short loc_9E4A76
		mov	eax, 0C000000Dh
		jmp	loc_9E4B05
; 

loc_9E4A76:				; CODE XREF: SmProcessResizeRequest(x,x,x,x)+2Ej
		cmp	byte ptr [esi],	6
		jz	short loc_9E4A85
		mov	eax, 0C0000059h
		jmp	loc_9E4B05
; 

loc_9E4A85:				; CODE XREF: SmProcessResizeRequest(x,x,x,x)+3Dj
		push	eax
		push	eax
		lea	eax, [esp+48h+var_30]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	eax, eax
		test	dword ptr [esi], 100h
		push	4
		pop	ecx
		mov	[esp+40h+var_10], eax
		mov	[esp+40h+var_C], eax
		mov	[esp+40h+var_8], eax
		mov	[esp+40h+var_4], eax
		mov	[esp+40h+var_20], ecx
		jz	short loc_9E4AB9
		and	eax, 0FFFFFFFCh
		or	eax, ecx
		jmp	short loc_9E4ABF
; 

loc_9E4AB9:				; CODE XREF: SmProcessResizeRequest(x,x,x,x)+74j
		and	eax, 0FFFFFFFDh
		or	eax, 5

loc_9E4ABF:				; CODE XREF: SmProcessResizeRequest(x,x,x,x)+7Bj
		mov	edx, [esi+4]
		mov	ecx, edi
		mov	[esp+40h+var_1C], eax
		mov	eax, [esi+8]
		mov	[esp+40h+var_14], eax
		mov	eax, [esi+0Ch]
		mov	[esp+40h+var_18], eax
		lea	eax, [esp+40h+var_38]
		push	eax
		lea	eax, [esp+44h+var_30]
		push	eax
		lea	eax, [esp+48h+var_20]
		push	eax
		call	SMKM_STORE_MGR_SM_TRAITS___SmStoreRequest
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+50h+var_30]
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, [esp+40h+var_14]
		mov	eax, [esp+40h+var_38]
		mov	[esi+8], ecx

loc_9E4B05:				; CODE XREF: SmProcessResizeRequest(x,x,x,x)+26j
					; SmProcessResizeRequest(x,x,x,x)+35j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
_SmProcessResizeRequest@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmProcessStatsRequest(x, x,	x, x, x)
_SmProcessStatsRequest@20 proc near	; CODE XREF: SmQueryStoreInformation+120545p

var_68		= dword	ptr -68h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	0FFFFFFFEh
		push	offset dword_6A95D8
		push	offset __except_handler4
		mov	eax, large fs:0
		push	eax
		push	ecx
		push	ecx
		push	ebx
		sub	esp, 50h
		push	esi
		push	edi
		mov	eax, ___security_cookie
		xor	[ebp+var_8], eax
		xor	eax, ebp
		push	eax
		lea	eax, [ebp+var_10]
		mov	large fs:0, eax
		mov	[ebp+var_18], esp
		mov	esi, edx
		mov	[ebp+var_34], esi
		xor	ecx, ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], ecx
		mov	edi, ecx
		mov	[ebp+var_28], edi
		mov	eax, ecx
		mov	[ebp+var_24], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_38], eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_68]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		cmp	dword ptr [ebx+8], 0Ch
		jz	short loc_9E4B93
		mov	esi, 0C0000206h

loc_9E4B8C:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+286j
		mov	ecx, edi
		jmp	loc_9E4C3A
; 

loc_9E4B93:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+78j
		and	[ebp+var_4], edi
		cmp	byte ptr [ebx+10h], 0
		jz	short loc_9E4BBC
		mov	eax, [ebp+var_34]
		mov	ecx, eax
		test	al, 3
		jz	short loc_9E4BAA
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9E4BAA:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+96j
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		jb	short loc_9E4BB6
		mov	ecx, edx

loc_9E4BB6:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+A5j
		nop
		mov	al, [ecx]
		mov	esi, [ebp+var_34]

loc_9E4BBC:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+8Dj
		lea	edi, [ebp+var_54]
		movsd
		movsd
		movsd
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	eax, [ebp+var_54]
		cmp	al, 2
		jnz	loc_9E4D8B
		shr	eax, 8
		movzx	eax, al
		mov	[ebp+var_34], eax
		cmp	eax, 4
		jnb	loc_9E4D8B
		cmp	eax, 1
		jbe	short loc_9E4C0D
		push	dword ptr [ebx+10h]
		push	ds:dword_A949EC
		push	ds:_SeProfileSingleProcessPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_9E4C0D
		mov	esi, 0C0000022h
		jmp	loc_9E4D90
; 

loc_9E4C0D:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+DCj
					; SmProcessStatsRequest(x,x,x,x,x)+F4j
		mov	eax, [ebp+var_50]
		test	eax, eax
		jz	short loc_9E4C72
		push	eax
		push	[ebp+var_4C]
		call	_MmSizeOfMdl@8	; MmSizeOfMdl(x,x)
		mov	edx, 444D6D73h
		mov	ecx, eax
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	edi, eax
		mov	[ebp+var_28], edi
		test	edi, edi
		jnz	short loc_9E4C75

loc_9E4C32:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+17Fj
		mov	esi, 0C000009Ah

loc_9E4C37:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+224j
					; SmProcessStatsRequest(x,x,x,x,x)+247j
		mov	ecx, [ebp+var_24]

loc_9E4C3A:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+81j
					; SmProcessStatsRequest(x,x,x,x,x)+279j ...
		test	ecx, ecx
		jz	short loc_9E4C43
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_9E4C43:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+12Fj
		cmp	[ebp+var_2C], 0
		jz	short loc_9E4C4F
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_9E4C4F:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+13Aj
		test	edi, edi
		jz	short loc_9E4C5A
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_9E4C5A:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+144j
		mov	eax, esi
		mov	ecx, [ebp+var_10]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
; 

loc_9E4C72:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+105j
		mov	edi, [ebp+var_28]

loc_9E4C75:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+123j
		mov	edx, 69576D73h
		push	20h
		pop	ecx
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		mov	[ebp+var_30], esi
		test	esi, esi
		jz	short loc_9E4C32
		push	8
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		xor	ecx, ecx
		mov	eax, [ebp+var_50]
		mov	edi, [ebp+var_28]
		test	eax, eax
		jz	short loc_9E4D00
		and	[edi], ecx
		mov	ecx, [ebp+var_4C]
		mov	edx, ecx
		and	edx, 0FFFh
		add	eax, 0FFFh
		add	eax, edx
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	[edi+4], ax
		xor	eax, eax
		mov	[edi+6], ax
		and	ecx, 0FFFFF000h
		mov	[edi+10h], ecx
		mov	[edi+18h], edx
		mov	eax, [ebp+var_50]
		mov	[edi+14h], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_4], eax
		push	eax
		push	dword ptr [ebx+10h]
		push	edi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+var_4], 0FFFFFFFEh
		mov	[ebp+var_2C], 1
		mov	ecx, [esi]
		mov	eax, [ebp+var_50]

loc_9E4D00:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+194j
		and	ecx, 0FFFFFFFBh
		or	ecx, 3
		mov	[esi], ecx
		mov	ecx, [ebp+var_34]
		mov	[esi+4], ecx
		mov	[esi+8], eax
		mov	[esi+0Ch], edi
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		push	esi
		mov	edx, [ebp+var_54]
		shr	edx, 10h
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	SMKM_STORE_MGR_SM_TRAITS___SmStoreRequest
		mov	esi, eax
		test	esi, esi
		js	loc_9E4C37
		xor	eax, eax
		mov	[ebp+var_24], eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [ebp+var_48]
		mov	ecx, [ebx+0Ch]
		mov	eax, [ebp+var_44]
		mov	[ecx], eax
		jmp	loc_9E4C37
; 

loc_9E4D59:				; DATA XREF: .text:006A95F8o
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-3Ch], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E4D6A:				; DATA XREF: .text:006A95FCo
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	esi, [ebp-3Ch]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-30h]
		mov	eax, [ebp-38h]
		mov	[ebp-2Ch], eax
		mov	edi, [ebp-28h]
		jmp	loc_9E4C3A
; 

loc_9E4D8B:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+C1j
					; SmProcessStatsRequest(x,x,x,x,x)+D3j
		mov	esi, 0C000000Dh

loc_9E4D90:				; CODE XREF: SmProcessStatsRequest(x,x,x,x,x)+FBj
		mov	edi, [ebp+var_28]
		jmp	loc_9E4B8C
_SmProcessStatsRequest@20 endp


;  S U B	R O U T	I N E 


sub_9E4D98	proc near		; DATA XREF: .text:006A95ECo
		mov	ebx, [ebp-1Ch]
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-40h], eax
		xor	eax, eax
		inc	eax
		retn
sub_9E4D98	endp


;  S U B	R O U T	I N E 


sub_9E4DA9	proc near		; DATA XREF: .text:006A95F0o
		mov	ebx, [ebp-1Ch]
		mov	esp, [ebp-18h]
		mov	esi, [ebp-40h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ecx, [ebp-30h]
		mov	eax, ecx
		mov	[ebp-2Ch], eax
		mov	edi, eax
		jmp	loc_9E4C3A
sub_9E4DA9	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmProcessSystemStoreTrimRequest(x, x, x)
_SmProcessSystemStoreTrimRequest@12 proc near ;	CODE XREF: SmSetStoreInformation+135F52p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

		push	14h
		push	offset dword_6A9570
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		cmp	edx, 8
		jz	short loc_9E4DEB
		mov	eax, 0C0000206h
		jmp	loc_9E4E9A
; 

loc_9E4DEB:				; CODE XREF: SmProcessSystemStoreTrimRequest(x,x,x)+17j
		mov	[ebp+ms_exc.disabled], ebx
		cmp	[ebp+arg_0], 0
		jz	short loc_9E4E13
		test	cl, 3
		jz	short loc_9E4DFE
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9E4DFE:				; CODE XREF: SmProcessSystemStoreTrimRequest(x,x,x)+2Fj
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9E4E09
		mov	[eax], bl

loc_9E4E09:				; CODE XREF: SmProcessSystemStoreTrimRequest(x,x,x)+3Dj
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+4]
		mov	[ecx+4], al

loc_9E4E13:				; CODE XREF: SmProcessSystemStoreTrimRequest(x,x,x)+2Aj
		mov	eax, [ecx]
		mov	[ebp+var_24], eax
		mov	ecx, [ecx+4]
		mov	[ebp+var_20], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	al, 1
		jz	short loc_9E4E30
		mov	eax, 0C0000059h
		jmp	short loc_9E4E9A
; 

loc_9E4E30:				; CODE XREF: SmProcessSystemStoreTrimRequest(x,x,x)+5Fj
		test	eax, 0FFFFFF00h
		jz	short loc_9E4E3E

loc_9E4E37:				; CODE XREF: SmProcessSystemStoreTrimRequest(x,x,x)+78j
		mov	eax, 0C000000Dh
		jmp	short loc_9E4E9A
; 

loc_9E4E3E:				; CODE XREF: SmProcessSystemStoreTrimRequest(x,x,x)+6Dj
		test	ecx, ecx
		jz	short loc_9E4E37
		mov	edx, ds:dword_718490
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_9E4E54
		mov	eax, 0C0000225h
		jmp	short loc_9E4E9A
; 

loc_9E4E54:				; CODE XREF: SmProcessSystemStoreTrimRequest(x,x,x)+83j
		and	edx, 3FFh
		mov	ecx, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		mov	ecx, [eax]
		test	dword ptr [ecx], 40000h
		jnz	short loc_9E4E75
		mov	eax, 0C00000BBh
		jmp	short loc_9E4E9A
; 

loc_9E4E75:				; CODE XREF: SmProcessSystemStoreTrimRequest(x,x,x)+A4j
		mov	edx, [ebp+var_20]
		call	SMKM_STORE_SM_TRAITS___SmStTrimWsStore
		jmp	short loc_9E4E9A
; 

loc_9E4E7F:				; DATA XREF: .text:006A9584o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E4E8D:				; DATA XREF: .text:006A9588o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_1C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9E4E9A:				; CODE XREF: SmProcessSystemStoreTrimRequest(x,x,x)+1Ej
					; SmProcessSystemStoreTrimRequest(x,x,x)+66j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SmProcessSystemStoreTrimRequest@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmStoreCreate(x, x,	x)
_SmStoreCreate@12 proc near		; CODE XREF: SmcStoreCreate(x,x,x,x,x)+1F9p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_C], 0
		mov	eax, ecx
		and	[ebp+var_44], 0
		lea	ecx, [ebp+var_40]
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_40], 6
		mov	[ebp+var_54], 1
		mov	[ebp+var_50], 3
		mov	[ebp+var_48], 38h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, edx
		push	edi
		lea	edi, [ebp+var_3C]
		push	0Ch
		pop	ecx
		rep movsd
		test	eax, eax
		jnz	short loc_9E4F1F
		mov	ecx, ds:dword_718440
		lea	eax, [ebp+var_44]
		push	eax
		push	0
		push	38h
		lea	eax, [ebp+var_40]
		mov	edx, 228198h
		push	eax
		call	_SmStorePhysicalRequestIssue@24	; SmStorePhysicalRequestIssue(x,x,x,x,x,x)
		mov	ecx, [ebp+var_44]
		jmp	short loc_9E4F34
; 

loc_9E4F1F:				; CODE XREF: SmStoreCreate(x,x,x)+50j
		cmp	eax, 1
		jnz	short loc_9E4F3E
		push	10h
		lea	eax, [ebp+var_54]
		push	eax
		push	6Dh
		call	_ZwSetSystemInformation@12 ; ZwSetSystemInformation(x,x,x)
		mov	ecx, [ebp+var_C]

loc_9E4F34:				; CODE XREF: SmStoreCreate(x,x,x)+71j
		test	eax, eax
		js	short loc_9E4F43
		mov	[ebx], ecx
		xor	eax, eax
		jmp	short loc_9E4F43
; 

loc_9E4F3E:				; CODE XREF: SmStoreCreate(x,x,x)+76j
		mov	eax, 0C000000Dh

loc_9E4F43:				; CODE XREF: SmStoreCreate(x,x,x)+8Aj
					; SmStoreCreate(x,x,x)+90j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_SmStoreCreate@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmStoreDelete(x, x)
_SmStoreDelete@8 proc near		; CODE XREF: SmcCacheCleanup(x,x)+25p
					; SmcStoreDelete(x,x,x,x)+9Ep

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		and	[esp+1Ch+var_1C], 0
		lea	eax, [esp+1Ch+var_18]
		push	esi
		xor	esi, esi
		mov	[esp+20h+var_C], 4
		inc	esi
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_10], esi
		mov	[esp+20h+var_4], 8
		mov	[esp+20h+var_18], esi
		mov	[esp+20h+var_14], edx
		test	ecx, ecx
		jnz	short loc_9E4FAE
		lea	eax, [esp+20h+var_1C]
		mov	edx, 22819Ch
		push	eax
		push	ecx
		mov	ecx, ds:dword_718440
		lea	eax, [esp+28h+var_18]
		push	8
		push	eax
		call	_SmStorePhysicalRequestIssue@24	; SmStorePhysicalRequestIssue(x,x,x,x,x,x)
		jmp	short loc_9E4FC0
; 

loc_9E4FAE:				; CODE XREF: SmStoreDelete(x,x)+39j
		cmp	ecx, esi
		jnz	short loc_9E4FC0
		push	10h
		lea	eax, [esp+24h+var_10]
		push	eax
		push	6Dh
		call	_ZwSetSystemInformation@12 ; ZwSetSystemInformation(x,x,x)

loc_9E4FC0:				; CODE XREF: SmStoreDelete(x,x)+58j
					; SmStoreDelete(x,x)+5Cj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_SmStoreDelete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmStorePhysicalRequestIssue(x, x, x, x, x, x)
_SmStorePhysicalRequestIssue@24	proc near ; CODE XREF: SmStoreCreate(x,x,x)+69p
					; SmStoreDelete(x,x)+53p ...

var_28		= dword	ptr -28h
var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0
		push	0
		lea	eax, [ebp+var_1C]
		mov	ebx, ecx
		push	eax
		mov	edi, edx
		mov	[ebp+var_C], ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	bl, [ebx+30h]
		movsx	ax, bl
		movzx	eax, ax
		imul	eax, 24h
		add	ax, 70h
		movzx	esi, ax
		mov	eax, esi
		call	__alloca_probe_16
		mov	[ebp+var_8], esp
		push	ebx		; char
		mov	ebx, [ebp+var_8]
		push	esi		; __int16
		push	ebx		; void *
		call	IoInitializeIrp
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_1C]
		mov	esi, [ebp+var_C]
		mov	edx, ebx
		mov	[ebx+0Ch], eax
		mov	eax, large fs:124h
		mov	[ebx+50h], eax
		lea	eax, [ebx+18h]
		mov	[ebx+28h], eax
		mov	eax, [ebx+60h]
		mov	byte ptr [ebx+20h], 0
		mov	[eax-4], ecx
		mov	dword ptr [eax-8], offset _SmKmGenericCompletion@12 ; SmKmGenericCompletion(x,x,x)
		mov	byte ptr [eax-21h], 0E0h
		mov	ecx, [ebx+60h]
		mov	eax, [ebp+arg_4]
		mov	[ecx-1Ch], eax
		mov	eax, [ebp+arg_8]
		mov	byte ptr [ecx-24h], 0Eh
		mov	[ecx-10h], esi
		mov	[ecx-18h], edi
		mov	[ecx-20h], eax
		mov	ecx, esi
		call	IofCallDriver
		mov	edx, eax
		cmp	edx, 103h
		jnz	short loc_9E5085
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeWaitForSingleObject
		mov	edx, [ebx+18h]

loc_9E5085:				; CODE XREF: SmStorePhysicalRequestIssue(x,x,x,x,x,x)+ACj
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebx+1Ch]
		mov	[eax], ecx
		mov	eax, edx
		lea	esp, [ebp-28h]
		pop	edi
		pop	esi
		pop	ebx
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_SmStorePhysicalRequestIssue@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmStoreResize(x, x,	x, x, x)
_SmStoreResize@20 proc near		; CODE XREF: SmcStoreResize(x,x)+1A3p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_18]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_8]
		neg	eax
		mov	[ebp+var_28], 1
		push	esi
		mov	esi, [ebp+arg_4]
		sbb	eax, eax
		and	eax, 100h
		mov	[ebp+var_24], 11h
		add	eax, 6
		mov	[ebp+var_14], edx
		mov	[ebp+var_18], eax
		mov	eax, [esi]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], eax
		push	edi
		push	10h
		pop	edi
		mov	[ebp+var_1C], edi
		test	ecx, ecx
		jnz	short loc_9E510E
		mov	ecx, ds:dword_718440
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		push	edi
		lea	eax, [ebp+var_18]
		mov	edx, 2281CCh
		push	eax
		call	_SmStorePhysicalRequestIssue@24	; SmStorePhysicalRequestIssue(x,x,x,x,x,x)
		jmp	short loc_9E511F
; 

loc_9E510E:				; CODE XREF: SmStoreResize(x,x,x,x,x)+4Dj
		cmp	ecx, 1
		jnz	short loc_9E5128
		push	edi
		lea	eax, [ebp+var_28]
		push	eax
		push	6Dh
		call	_ZwSetSystemInformation@12 ; ZwSetSystemInformation(x,x,x)

loc_9E511F:				; CODE XREF: SmStoreResize(x,x,x,x,x)+69j
		mov	ecx, eax
		mov	eax, [ebp+var_10]
		mov	[esi], eax
		jmp	short loc_9E512D
; 

loc_9E5128:				; CODE XREF: SmStoreResize(x,x,x,x,x)+6Ej
		mov	ecx, 0C000000Dh

loc_9E512D:				; CODE XREF: SmStoreResize(x,x,x,x,x)+83j
		pop	edi
		mov	eax, ecx
		pop	esi
		leave
		retn	0Ch
_SmStoreResize@20 endp


;  S U B	R O U T	I N E 


; __stdcall SmcCacheCreatePrepare(x)
_SmcCacheCreatePrepare@4 proc near	; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+DDp
		mov	eax, large fs:124h
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, ecx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset unk_718464
		call	ExAcquirePushLockExclusiveEx
		test	byte ptr ds:dword_718450, 8
		jnz	short loc_9E5175
		mov	ecx, offset dword_7185B0
		call	_SmRegistrationCtxStart@4 ; SmRegistrationCtxStart(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E5175
		or	ds:dword_718450, 8

loc_9E5175:				; CODE XREF: SmcCacheCreatePrepare(x)+27j
					; SmcCacheCreatePrepare(x)+37j
		mov	eax, ds:dword_718450
		test	al, 4
		jnz	short loc_9E519C
		test	al, 8
		jz	short loc_9E519C
		mov	edx, ds:dword_7185B0
		mov	ecx, edi
		call	_SmcCacheManagerStart@8	; SmcCacheManagerStart(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E519C
		or	ds:dword_718450, 4

loc_9E519C:				; CODE XREF: SmcCacheCreatePrepare(x)+47j
					; SmcCacheCreatePrepare(x)+4Bj	...
		or	eax, 0FFFFFFFFh
		mov	edi, offset unk_718464
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E51B5
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E51B5:				; CODE XREF: SmcCacheCreatePrepare(x)+77j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_SmcCacheCreatePrepare@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcProcessCreateRequest(x, x, x, x)
_SmcProcessCreateRequest@16 proc near	; CODE XREF: SmSetStoreInformation+135EFAp

var_464		= dword	ptr -464h
var_460		= dword	ptr -460h
var_45C		= dword	ptr -45Ch
var_458		= dword	ptr -458h
var_454		= dword	ptr -454h
var_450		= dword	ptr -450h
var_44C		= dword	ptr -44Ch
var_448		= dword	ptr -448h
var_444		= dword	ptr -444h
var_43C		= dword	ptr -43Ch
var_430		= dword	ptr -430h
var_424		= dword	ptr -424h
var_26		= word ptr -26h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		push	458h
		push	offset dword_6A9548
		call	__SEH_prolog4_GS
		mov	[ebp+var_450], edx
		mov	eax, ecx
		mov	[ebp+var_448], eax
		mov	[ebp+var_45C], eax
		xor	ebx, ebx
		mov	edi, ebx
		mov	[ebp+var_460], edi
		mov	[ebp+var_454], edi
		or	[ebp+var_44C], 0FFFFFFFFh
		mov	esi, 420h
		push	esi		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_444]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+arg_0], esi
		jz	short loc_9E5225
		mov	esi, 0C0000206h
		jmp	loc_9E5381
; 

loc_9E5225:				; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+53j
		mov	[ebp+ms_exc.disabled], ebx
		cmp	[ebp+arg_4], 0
		jz	short loc_9E5259
		mov	ecx, [ebp+var_450]
		test	cl, 7
		jz	short loc_9E523E
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9E523E:				; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+71j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9E5249
		mov	[eax], bl

loc_9E5249:				; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+7Fj
		mov	al, [ecx]
		mov	[ecx], al
		mov	al, [ecx+418h]
		mov	[ecx+418h], al

loc_9E5259:				; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+66j
		mov	ecx, 108h
		mov	esi, [ebp+var_450]
		lea	edi, [ebp+var_444]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	byte ptr [ebp+var_444],	3
		jnz	loc_9E5376
		test	[ebp+var_444], 0FFFFFF00h
		jnz	loc_9E5376
		cmp	[ebp+var_430], 0
		jnz	loc_9E5376
		mov	ecx, [ebp+var_448]
		call	_SmcCacheCreatePrepare@4 ; SmcCacheCreatePrepare(x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E537B
		mov	edx, 61436D73h
		mov	ecx, 380h
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9E52D1
		mov	esi, 0C000009Ah
		jmp	loc_9E5381
; 

loc_9E52D1:				; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+FFj
		mov	ecx, edi	; void *
		call	_SmcCacheInitialize@4 ;	SmcCacheInitialize(x)
		xor	eax, eax
		mov	[ebp+var_26], ax
		lea	eax, [ebp+var_424]
		push	eax
		lea	edx, [ebp+var_43C]
		mov	ecx, edi
		call	_SmcCacheStart@12 ; SmcCacheStart(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E5381
		lea	eax, [ebp+var_44C]
		push	eax
		mov	edx, edi
		mov	ecx, [ebp+var_448]
		call	_SmcCacheAdd@12	; SmcCacheAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E5381
		mov	edi, ebx
		mov	[ebp+var_454], edi
		xor	eax, eax
		inc	eax
		mov	[ebp+var_458], eax
		mov	esi, ebx
		mov	[ebp+ms_exc.disabled], eax
		mov	eax, [ebp+var_44C]
		mov	ecx, [ebp+var_450]
		mov	[ecx+4], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9E5381
; 

loc_9E5344:				; DATA XREF: .text:006A9568o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_464], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E5355:				; DATA XREF: .text:006A956Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_464]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_454]
		mov	ebx, [ebp+var_458]
		jmp	loc_9E5406
; 

loc_9E5376:				; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+B4j
					; SmcProcessCreateRequest(x,x,x,x)+C4j	...
		mov	esi, 0C000000Dh

loc_9E537B:				; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+E6j
		mov	edi, [ebp+var_460]

loc_9E5381:				; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+5Aj
					; SmcProcessCreateRequest(x,x,x,x)+106j ...
		mov	ecx, [ebp+var_448]

loc_9E5387:				; CODE XREF: sub_9E53EE+24j
		mov	eax, [ebp+var_44C]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9E53A2
		and	eax, 0Fh
		shl	eax, 4
		add	eax, 4
		add	ecx, eax
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_9E53A2:				; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+1CAj
		test	edi, edi
		jz	short loc_9E53B4
		mov	ecx, edi
		call	_SmcCacheCleanup@8 ; SmcCacheCleanup(x,x)
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_9E53B4:				; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+1DEj
		test	ebx, ebx
		jz	short loc_9E53C9
		mov	edx, [ebp+var_44C]
		mov	ecx, [ebp+var_448]
		call	_SmcCacheDelete@8 ; SmcCacheDelete(x,x)

loc_9E53C9:				; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+1F0j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SmcProcessCreateRequest@16 endp


;  S U B	R O U T	I N E 


sub_9E53DD	proc near		; DATA XREF: .text:006A955Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-468h], eax
		xor	eax, eax
		inc	eax
		retn
sub_9E53DD	endp


;  S U B	R O U T	I N E 


sub_9E53EE	proc near		; DATA XREF: .text:006A9560o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-468h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edi, [ebp-454h]
		mov	ebx, edi

loc_9E5406:				; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+1ABj
		mov	ecx, [ebp-45Ch]
		mov	[ebp-448h], ecx
		jmp	loc_9E5387
sub_9E53EE	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcProcessDeleteRequest(x, x, x, x)
_SmcProcessDeleteRequest@16 proc near	; CODE XREF: SmSetStoreInformation+135EE4p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		push	18h
		push	offset dword_6A9528
		call	__SEH_prolog4
		mov	esi, ecx
		cmp	[ebp+arg_0], 8
		jz	short loc_9E5432
		mov	eax, 0C0000206h
		jmp	short loc_9E54A5
; 

loc_9E5432:				; CODE XREF: SmcProcessDeleteRequest(x,x,x,x)+12j
		and	[ebp+ms_exc.disabled], 0
		cmp	[ebp+arg_4], 0
		jz	short loc_9E5457
		mov	eax, edx
		test	dl, 3
		jz	short loc_9E5448
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9E5448:				; CODE XREF: SmcProcessDeleteRequest(x,x,x,x)+2Aj
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		jb	short loc_9E5454
		mov	eax, ecx

loc_9E5454:				; CODE XREF: SmcProcessDeleteRequest(x,x,x,x)+39j
		nop
		mov	al, [eax]

loc_9E5457:				; CODE XREF: SmcProcessDeleteRequest(x,x,x,x)+23j
		mov	eax, [edx]
		mov	[ebp+var_24], eax
		mov	edx, [edx+4]
		mov	[ebp+var_20], edx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	al, 1
		jnz	short loc_9E5483
		test	eax, 0FFFFFF00h
		jnz	short loc_9E5483
		mov	ecx, esi
		call	_SmcCacheDelete@8 ; SmcCacheDelete(x,x)
		test	eax, eax
		js	short loc_9E54A5
		xor	eax, eax
		jmp	short loc_9E54A5
; 

loc_9E5483:				; CODE XREF: SmcProcessDeleteRequest(x,x,x,x)+54j
					; SmcProcessDeleteRequest(x,x,x,x)+5Bj
		mov	eax, 0C000000Dh
		jmp	short loc_9E54A5
; 

loc_9E548A:				; DATA XREF: .text:006A953Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E5498:				; DATA XREF: .text:006A9540o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_1C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9E54A5:				; CODE XREF: SmcProcessDeleteRequest(x,x,x,x)+19j
					; SmcProcessDeleteRequest(x,x,x,x)+66j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SmcProcessDeleteRequest@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcProcessResizeRequest(x, x, x, x)
_SmcProcessResizeRequest@16 proc near	; CODE XREF: SmSetStoreInformation+135F72p

var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		push	28h
		push	offset dword_6A9490
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_1C], ecx
		xor	eax, eax
		lea	edi, [ebp+var_38]
		stosd
		stosd
		stosd
		stosd
		stosd
		cmp	[ebp+arg_0], 14h
		jz	short loc_9E54E2
		mov	eax, 0C0000206h
		jmp	loc_9E559F
; 

loc_9E54E2:				; CODE XREF: SmcProcessResizeRequest(x,x,x,x)+1Fj
		and	[ebp+ms_exc.disabled], 0
		cmp	[ebp+arg_4], 0
		jz	short loc_9E550C
		test	bl, 3
		jz	short loc_9E54F6
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9E54F6:				; CODE XREF: SmcProcessResizeRequest(x,x,x,x)+38j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_9E5502
		mov	byte ptr [eax],	0

loc_9E5502:				; CODE XREF: SmcProcessResizeRequest(x,x,x,x)+46j
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+10h]
		mov	[ebx+10h], al

loc_9E550C:				; CODE XREF: SmcProcessResizeRequest(x,x,x,x)+33j
		push	5
		pop	ecx
		mov	esi, ebx
		lea	edi, [ebp+var_38]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	byte ptr [ebp+var_38], 1
		jz	short loc_9E552A
		mov	eax, 0C0000059h
		jmp	short loc_9E559F
; 

loc_9E552A:				; CODE XREF: SmcProcessResizeRequest(x,x,x,x)+6Aj
		test	[ebp+var_38], 0FFFFFE00h
		jnz	short loc_9E557D
		cmp	[ebp+var_28], 0
		jz	short loc_9E557D
		cmp	[ebp+var_2C], 2
		jge	short loc_9E557D
		lea	edx, [ebp+var_38]
		mov	ecx, [ebp+var_1C]
		call	_SmcStoreResize@8 ; SmcStoreResize(x,x)
		test	eax, eax
		js	short loc_9E559F
		mov	[ebp+ms_exc.disabled], 1
		push	5
		pop	ecx
		lea	esi, [ebp+var_38]
		mov	edi, ebx
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_9E559F
; 

loc_9E556A:				; DATA XREF: .text:006A94B0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E5578:				; DATA XREF: .text:006A94B4o
		mov	eax, [ebp+var_20]
		jmp	short loc_9E5595
; 

loc_9E557D:				; CODE XREF: SmcProcessResizeRequest(x,x,x,x)+7Aj
					; SmcProcessResizeRequest(x,x,x,x)+80j	...
		mov	eax, 0C000000Dh
		jmp	short loc_9E559F
; 

loc_9E5584:				; DATA XREF: .text:006A94A4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E5592:				; DATA XREF: .text:006A94A8o
		mov	eax, [ebp+var_24]

loc_9E5595:				; CODE XREF: SmcProcessResizeRequest(x,x,x,x)+C4j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9E559F:				; CODE XREF: SmcProcessResizeRequest(x,x,x,x)+26j
					; SmcProcessResizeRequest(x,x,x,x)+71j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SmcProcessResizeRequest@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcProcessStatsRequest(x, x, x, x, x)
_SmcProcessStatsRequest@20 proc	near	; CODE XREF: SmQueryStoreInformation+120514p

var_49C		= dword	ptr -49Ch
var_498		= dword	ptr -498h
var_494		= dword	ptr -494h
var_490		= dword	ptr -490h
var_48C		= dword	ptr -48Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		push	48Ch
		push	offset dword_6A9500
		call	__SEH_prolog4_GS
		mov	ebx, edx
		mov	[ebp+var_490], ecx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_494], eax
		mov	esi, 468h
		push	esi		; size_t
		push	0		; int
		lea	eax, [ebp+var_48C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+arg_0], esi
		jz	short loc_9E55F7
		mov	eax, 0C0000206h
		jmp	loc_9E56C7
; 

loc_9E55F7:				; CODE XREF: SmcProcessStatsRequest(x,x,x,x,x)+3Aj
		and	[ebp+ms_exc.disabled], 0
		cmp	[ebp+arg_8], 0
		jz	short loc_9E5627
		test	bl, 7
		jz	short loc_9E560B
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9E560B:				; CODE XREF: SmcProcessStatsRequest(x,x,x,x,x)+53j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_9E5617
		mov	byte ptr [eax],	0

loc_9E5617:				; CODE XREF: SmcProcessStatsRequest(x,x,x,x,x)+61j
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+460h]
		mov	[ebx+460h], al

loc_9E5627:				; CODE XREF: SmcProcessStatsRequest(x,x,x,x,x)+4Ej
		mov	ecx, 11Ah
		mov	esi, ebx
		lea	edi, [ebp+var_48C]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	byte ptr [ebp+var_48C],	3
		jz	short loc_9E564D
		mov	eax, 0C000000Dh
		jmp	short loc_9E56C7
; 

loc_9E564D:				; CODE XREF: SmcProcessStatsRequest(x,x,x,x,x)+93j
		lea	edx, [ebp+var_48C]
		mov	ecx, [ebp+var_490]
		call	_SmcGetCacheStats@8 ; SmcGetCacheStats(x,x)
		test	eax, eax
		js	short loc_9E56C7
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, 11Ah
		lea	esi, [ebp+var_48C]
		mov	edi, ebx
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_494]
		mov	dword ptr [ecx], 468h
		jmp	short loc_9E56C7
; 

loc_9E568D:				; DATA XREF: .text:006A9520o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_498], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E569E:				; DATA XREF: .text:006A9524o
		mov	eax, [ebp+var_498]
		jmp	short loc_9E56BD
; 

loc_9E56A6:				; DATA XREF: .text:006A9514o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_49C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E56B7:				; DATA XREF: .text:006A9518o
		mov	eax, [ebp+var_49C]

loc_9E56BD:				; CODE XREF: SmcProcessStatsRequest(x,x,x,x,x)+F3j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9E56C7:				; CODE XREF: SmcProcessStatsRequest(x,x,x,x,x)+41j
					; SmcProcessStatsRequest(x,x,x,x,x)+9Aj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_SmcProcessStatsRequest@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcProcessStoreCreateRequest(x, x, x, x)
_SmcProcessStoreCreateRequest@16 proc near ; CODE XREF:	SmSetStoreInformation+135ECEp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		push	40h
		push	offset dword_6A94D8
		call	__SEH_prolog4
		mov	[ebp+var_28], edx
		mov	[ebp+var_1C], ecx
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		or	[ebp+var_24], 0FFFFFFFFh
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_50]
		rep stosd
		cmp	[ebp+arg_0], 20h
		jz	short loc_9E570E
		mov	esi, 0C0000206h
		jmp	loc_9E57E9
; 

loc_9E570E:				; CODE XREF: SmcProcessStoreCreateRequest(x,x,x,x)+29j
		mov	[ebp+ms_exc.disabled], ebx
		cmp	[ebp+arg_4], 0
		jz	short loc_9E5736
		test	dl, 3
		jz	short loc_9E5721
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9E5721:				; CODE XREF: SmcProcessStoreCreateRequest(x,x,x,x)+41j
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_9E572C
		mov	[eax], bl

loc_9E572C:				; CODE XREF: SmcProcessStoreCreateRequest(x,x,x,x)+4Fj
		mov	al, [edx]
		mov	[edx], al
		mov	al, [edx+1Ch]
		mov	[edx+1Ch], al

loc_9E5736:				; CODE XREF: SmcProcessStoreCreateRequest(x,x,x,x)+3Cj
		push	8
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp+var_50]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	byte ptr [ebp+var_50], 2
		jnz	short loc_9E57C4
		test	[ebp+var_50], 0FFFFFF00h
		jnz	short loc_9E57C4
		cmp	[ebp+var_38], 2
		jl	short loc_9E5766
		mov	esi, 0C0000002h
		jmp	loc_9E57E9
; 

loc_9E5766:				; CODE XREF: SmcProcessStoreCreateRequest(x,x,x,x)+81j
		mov	edi, [ebp+var_1C]
		test	[ebp+var_4C], 0FFFEE000h
		jz	short loc_9E5779
		mov	esi, 0C000000Dh
		jmp	short loc_9E57EC
; 

loc_9E5779:				; CODE XREF: SmcProcessStoreCreateRequest(x,x,x,x)+97j
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_3C]
		lea	eax, [ebp+var_4C]
		push	eax
		mov	edx, [ebp+var_38]
		mov	ecx, edi
		call	_SmcStoreCreate@20 ; SmcStoreCreate(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E57EC
		xor	eax, eax
		inc	eax
		mov	[ebp+var_20], eax
		mov	esi, ebx
		mov	[ebp+ms_exc.disabled], eax
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+var_28]
		mov	[ecx+1Ch], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9E57EC
; 

loc_9E57B1:				; DATA XREF: .text:006A94F8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E57BF:				; DATA XREF: .text:006A94FCo
		mov	esi, [ebp+var_2C]
		jmp	short loc_9E57DC
; 

loc_9E57C4:				; CODE XREF: SmcProcessStoreCreateRequest(x,x,x,x)+72j
					; SmcProcessStoreCreateRequest(x,x,x,x)+7Bj
		mov	esi, 0C000000Dh
		jmp	short loc_9E57E9
; 

loc_9E57CB:				; DATA XREF: .text:006A94ECo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E57D9:				; DATA XREF: .text:006A94F0o
		mov	esi, [ebp+var_30]

loc_9E57DC:				; CODE XREF: SmcProcessStoreCreateRequest(x,x,x,x)+E9j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_20]

loc_9E57E9:				; CODE XREF: SmcProcessStoreCreateRequest(x,x,x,x)+30j
					; SmcProcessStoreCreateRequest(x,x,x,x)+88j ...
		mov	edi, [ebp+var_1C]

loc_9E57EC:				; CODE XREF: SmcProcessStoreCreateRequest(x,x,x,x)+9Ej
					; SmcProcessStoreCreateRequest(x,x,x,x)+B9j ...
		test	ebx, ebx
		jz	short loc_9E5800
		push	[ebp+var_38]
		push	[ebp+var_24]
		mov	edx, [ebp+var_3C]
		mov	ecx, edi
		call	_SmcStoreDelete@16 ; SmcStoreDelete(x,x,x,x)

loc_9E5800:				; CODE XREF: SmcProcessStoreCreateRequest(x,x,x,x)+115j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SmcProcessStoreCreateRequest@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcProcessStoreDeleteRequest(x, x, x, x)
_SmcProcessStoreDeleteRequest@16 proc near ; CODE XREF:	SmSetStoreInformation+135F3Cp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		push	20h
		push	offset dword_6A94B8
		call	__SEH_prolog4
		mov	ebx, ecx
		cmp	[ebp+arg_0], 10h
		jz	short loc_9E5832
		mov	eax, 0C0000206h
		jmp	loc_9E58B7
; 

loc_9E5832:				; CODE XREF: SmcProcessStoreDeleteRequest(x,x,x,x)+12j
		and	[ebp+ms_exc.disabled], 0
		cmp	[ebp+arg_4], 0
		jz	short loc_9E5857
		mov	eax, edx
		test	dl, 3
		jz	short loc_9E5848
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9E5848:				; CODE XREF: SmcProcessStoreDeleteRequest(x,x,x,x)+2Dj
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		jb	short loc_9E5854
		mov	eax, ecx

loc_9E5854:				; CODE XREF: SmcProcessStoreDeleteRequest(x,x,x,x)+3Cj
		nop
		mov	al, [eax]

loc_9E5857:				; CODE XREF: SmcProcessStoreDeleteRequest(x,x,x,x)+26j
		mov	esi, edx
		lea	edi, [ebp+var_30]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	byte ptr [ebp+var_30], 1
		jnz	short loc_9E5895
		test	[ebp+var_30], 0FFFFFF00h
		jnz	short loc_9E5895
		cmp	[ebp+var_28], 2
		jl	short loc_9E5883
		mov	eax, 0C0000002h
		jmp	short loc_9E58B7
; 

loc_9E5883:				; CODE XREF: SmcProcessStoreDeleteRequest(x,x,x,x)+66j
		push	[ebp+var_28]
		push	[ebp+var_24]
		mov	edx, [ebp+var_2C]
		mov	ecx, ebx
		call	_SmcStoreDelete@16 ; SmcStoreDelete(x,x,x,x)
		jmp	short loc_9E58B7
; 

loc_9E5895:				; CODE XREF: SmcProcessStoreDeleteRequest(x,x,x,x)+57j
					; SmcProcessStoreDeleteRequest(x,x,x,x)+60j
		mov	eax, 0C000000Dh
		jmp	short loc_9E58B7
; 

loc_9E589C:				; DATA XREF: .text:006A94CCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E58AA:				; DATA XREF: .text:006A94D0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_20]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9E58B7:				; CODE XREF: SmcProcessStoreDeleteRequest(x,x,x,x)+19j
					; SmcProcessStoreDeleteRequest(x,x,x,x)+6Dj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SmcProcessStoreDeleteRequest@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmCleanup(x)
_SmKmCleanup@4	proc near		; CODE XREF: SMKM_STORE_MGR<SM_TRAITS>::SmCleanup(SMKM_STORE_MGR<SM_TRAITS> *)+5p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, ecx
		mov	[ebp+var_4], edi

loc_9E58DB:				; CODE XREF: SmKmCleanup(x)+AAj
		mov	eax, [ebx+edi*4]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_9E596C
		push	20h
		lea	esi, [eax+8]
		pop	edi

loc_9E58EF:				; CODE XREF: SmKmCleanup(x)+96j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esi-8]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_9E5924
		push	7
		push	eax
		push	ebx
		call	dword ptr [ebx+80h]
		lea	ecx, [esi-4]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		jmp	short loc_9E5928
; 

loc_9E5924:				; CODE XREF: SmKmCleanup(x)+45j
		or	dword ptr [esi-8], 0FFFFFFFFh

loc_9E5928:				; CODE XREF: SmKmCleanup(x)+59j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E593C
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E593C:				; CODE XREF: SmKmCleanup(x)+6Aj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_9E5959
		push	1
		push	eax
		push	ebx
		call	dword ptr [ebx+80h]

loc_9E5959:				; CODE XREF: SmKmCleanup(x)+84j
		add	esi, 14h
		sub	edi, 1
		jnz	short loc_9E58EF
		mov	ecx, [ebp+var_C]
		call	_CmpFreePool@4	; CmpFreePool(x)
		mov	edi, [ebp+var_4]

loc_9E596C:				; CODE XREF: SmKmCleanup(x)+1Aj
		inc	edi
		mov	[ebp+var_4], edi
		cmp	edi, 20h
		jb	loc_9E58DB
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SmKmCleanup@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmEtwLogStoreChange(x, x,	x)
_SmKmEtwLogStoreChange@12 proc near	; CODE XREF: SmKmStoreAdd+14EB4Bp
					; SmKmStoreDelete+14E3DEp ...

var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1A4h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	130h		; size_t
		mov	[esp+1B4h+var_1A4], eax
		xor	esi, esi
		lea	eax, [esp+1B4h+var_138]
		mov	ebx, edx
		push	esi		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		push	4Ch		; size_t
		lea	eax, [esp+1C0h+var_188]
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	edx, esi
		mov	[esp+1C8h+var_190], esi
		add	esp, 18h
		mov	[esp+1B0h+var_198], edx
		cmp	[esp+1B0h+var_1A4], offset _SmEventStoreDelete
		lea	esi, [esp+1B0h+var_138]
		lea	eax, [esp+1B0h+var_188]
		mov	[esp+1B0h+var_1A0], esi
		mov	[esp+1B0h+var_194], 13h
		mov	[esp+1B0h+var_19C], eax
		mov	[esp+1B0h+var_18C], 4Ch
		jnz	short loc_9E5A2B
		xor	eax, eax
		lea	ecx, [esp+1B0h+var_188]
		mov	eax, ecx
		mov	ecx, edx
		mov	ecx, edx
		mov	[eax], ebx
		mov	[esp+ecx*8+1B0h+var_138], eax
		xor	eax, eax
		mov	[esp+ecx*8+1B0h+var_134], eax
		inc	edx
		mov	[esp+ecx*8+1B0h+var_130], 4
		mov	[esp+ecx*8+1B0h+var_12C], eax
		jmp	short loc_9E5A40
; 

loc_9E5A2B:				; CODE XREF: SmKmEtwLogStoreChange(x,x,x)+7Ej
		lea	edx, [esp+1B0h+var_1A0]
		mov	ecx, ebx
		call	?SmStEtwFillStoreEvent@?$SMKM_STORE@USM_TRAITS@@@@SGXPAU1@PAU_SMKM_EVENT_DESCRIPTOR@@@Z	; SMKM_STORE<SM_TRAITS>::SmStEtwFillStoreEvent(SMKM_STORE<SM_TRAITS> *,_SMKM_EVENT_DESCRIPTOR *)
		mov	edx, [esp+1B0h+var_198]
		xor	eax, eax
		mov	esi, [esp+1B0h+var_1A0]

loc_9E5A40:				; CODE XREF: SmKmEtwLogStoreChange(x,x,x)+ABj
		push	esi
		push	edx
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	[esp+1CCh+var_1A4]
		push	dword ptr [edi+4]
		push	dword ptr [edi]
		call	EtwWriteEx
		mov	ecx, [esp+1B0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_SmKmEtwLogStoreChange@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmEtwLogStoreStats(x, x, x)
_SmKmEtwLogStoreStats@12 proc near	; CODE XREF: SmKmStoreDelete+14E3CFp
					; SmEtwEnableCallback+8D946p

var_5A0		= dword	ptr -5A0h
var_59C		= dword	ptr -59Ch
var_598		= dword	ptr -598h
var_594		= dword	ptr -594h
var_590		= dword	ptr -590h
var_58C		= dword	ptr -58Ch
var_588		= dword	ptr -588h
var_38		= dword	ptr -38h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5A4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5A4h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [esp+5B4h+var_38]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		mov	ebx, 54Ch
		lea	eax, [esp+5BCh+var_588]
		push	ebx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		and	[esp+5C8h+var_598], 0
		lea	eax, [esp+5C8h+var_38]
		and	[esp+5C8h+var_590], 0
		lea	edx, [esp+5C8h+var_5A0]
		add	esp, 18h
		mov	[esp+5B0h+var_5A0], eax
		lea	eax, [esp+5B0h+var_588]
		mov	[esp+5B0h+var_594], 3
		mov	ecx, esi
		mov	[esp+5B0h+var_59C], eax
		mov	[esp+5B0h+var_58C], ebx
		call	?SmStEtwFillStoreStatsEvent@?$SMKM_STORE@USM_TRAITS@@@@SGKPAU1@PAU_SMKM_EVENT_DESCRIPTOR@@@Z ; SMKM_STORE<SM_TRAITS>::SmStEtwFillStoreStatsEvent(SMKM_STORE<SM_TRAITS> *,_SMKM_EVENT_DESCRIPTOR	*)
		test	eax, eax
		jz	short loc_9E5B0B
		push	[esp+5B0h+var_5A0]
		xor	eax, eax
		push	[esp+5B4h+var_598]
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _SmEventStoreIoStats
		push	dword ptr [edi+4]
		push	dword ptr [edi]
		call	EtwWriteEx

loc_9E5B0B:				; CODE XREF: SmKmEtwLogStoreStats(x,x,x)+7Fj
		mov	ecx, [esp+5B0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_SmKmEtwLogStoreStats@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmFileInfoCleanup(x)
_SmKmFileInfoCleanup@4 proc near	; CODE XREF: SMKM_STORE_SM_TRAITS___SmStCleanup+F7BEFp
					; SmKmFileInfoDuplicate(x,x)+F9p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	0
		mov	esi, ecx
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	byte ptr [ebp+var_4], al
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_9E5B42
		push	eax
		call	_IoUnregisterPlugPlayNotification@4 ; IoUnregisterPlugPlayNotification(x)

loc_9E5B42:				; CODE XREF: SmKmFileInfoCleanup(x)+18j
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_9E5B4E
		call	ObfDereferenceObject

loc_9E5B4E:				; CODE XREF: SmKmFileInfoCleanup(x)+25j
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_9E5B72
		push	0
		push	eax
		call	_IoReuseIrp@8	; IoReuseIrp(x,x)
		mov	edx, [esi+4]
		mov	ecx, [esi+14h]
		push	1
		call	_SmKmSendUsageNotification@12 ;	SmKmSendUsageNotification(x,x,x)
		push	dword ptr [esi+14h]
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_9E5B72:				; CODE XREF: SmKmFileInfoCleanup(x)+31j
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_9E5B7E
		call	ObfDereferenceObject

loc_9E5B7E:				; CODE XREF: SmKmFileInfoCleanup(x)+55j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_9E5B8A
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_9E5B8A:				; CODE XREF: SmKmFileInfoCleanup(x)+60j
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_9E5B96
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_9E5B96:				; CODE XREF: SmKmFileInfoCleanup(x)+6Dj
		push	[ebp+var_4]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		pop	esi
		leave
		retn
_SmKmFileInfoCleanup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmFileInfoDuplicate(x, x)
_SmKmFileInfoDuplicate@8 proc near	; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+F8F12p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		and	[ebp+var_4], 0
		lea	edi, [ebp+var_2C]
		push	8
		mov	[ebp+var_C], ecx
		xor	eax, eax
		pop	ecx
		rep stosd
		lea	eax, [ebp+var_4]
		xor	edi, edi
		push	eax
		push	edi
		push	edi
		push	edi
		push	edi
		push	200h
		push	?SmKmGlobals@@3U_SMKM_GLOBALS@@A ; _SMKM_GLOBALS SmKmGlobals
		mov	ebx, edx
		call	ObOpenObjectByPointer
		mov	esi, eax
		test	esi, esi
		js	loc_9E5C89
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_9E5C2A
		push	6
		push	edi
		push	edi
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	[ebp+var_4]
		push	eax
		push	[ebp+var_4]
		call	_ZwDuplicateObject@28 ;	ZwDuplicateObject(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E5C89
		push	edi
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], edi
		push	eax
		push	edi
		push	edi
		push	10003h
		push	[ebp+var_2C]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_28], eax
		test	esi, esi
		js	short loc_9E5C89

loc_9E5C2A:				; CODE XREF: SmKmFileInfoDuplicate(x,x)+46j
		mov	ecx, [ebx+8]
		test	ecx, ecx
		jz	short loc_9E5C3F
		mov	[ebp+var_24], ecx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_20], eax

loc_9E5C3F:				; CODE XREF: SmKmFileInfoDuplicate(x,x)+8Ej
		mov	esi, [ebx+1Ch]
		mov	edx, 74586D73h
		shl	esi, 4
		mov	ecx, esi
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jnz	short loc_9E5C5F
		mov	esi, 0C000009Ah
		jmp	short loc_9E5C89
; 

loc_9E5C5F:				; CODE XREF: SmKmFileInfoDuplicate(x,x)+B5j
		push	esi		; size_t
		push	dword ptr [ebx+18h] ; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebx+1Ch]
		lea	esi, [ebp+var_2C]
		mov	edi, [ebp+var_C]
		add	esp, 0Ch
		mov	[ebp+var_10], eax
		xor	eax, eax
		push	8
		pop	ecx
		rep movsd
		push	8
		pop	ecx
		lea	edi, [ebp+var_2C]
		xor	esi, esi
		rep stosd

loc_9E5C89:				; CODE XREF: SmKmFileInfoDuplicate(x,x)+3Cj
					; SmKmFileInfoDuplicate(x,x)+60j ...
		cmp	[ebp+var_4], 0
		jz	short loc_9E5C97
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_9E5C97:				; CODE XREF: SmKmFileInfoDuplicate(x,x)+ECj
		lea	ecx, [ebp+var_2C]
		call	_SmKmFileInfoCleanup@4 ; SmKmFileInfoCleanup(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SmKmFileInfoDuplicate@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SmKmFileInfoGetPath(size_t)
_SmKmFileInfoGetPath@12	proc near	; CODE XREF: SmProcessListRequestExtended(x,x)+A5p
					; SmcGetCacheStats(x,x)+8Ep

var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 21Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+21Ch+var_4], eax
		and	[esp+21Ch+var_218], 0
		lea	eax, [esp+21Ch+var_210]
		push	ebx
		push	esi
		push	edi
		mov	ebx, 208h
		mov	edi, edx
		push	ebx		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		add	esp, 0Ch
		push	0
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	ecx, [esi+4]
		lea	edx, [esp+228h+var_210]
		mov	byte ptr [esp+228h+var_214], al
		lea	eax, [esp+228h+var_218]
		push	0
		push	eax
		push	ebx
		call	ObQueryNameStringMode
		mov	esi, eax
		test	esi, esi
		js	short loc_9E5D35
		mov	esi, [ebp+arg_0]
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		movzx	eax, word ptr [esp+234h+var_210]
		add	esi, 0FFFFFFFEh
		add	esp, 0Ch
		cmp	eax, esi
		jb	short loc_9E5D25
		mov	eax, esi

loc_9E5D25:				; CODE XREF: SmKmFileInfoGetPath(x,x,x)+7Bj
		push	eax		; size_t
		push	[esp+22Ch+var_20C] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	esi, esi

loc_9E5D35:				; CODE XREF: SmKmFileInfoGetPath(x,x,x)+60j
		push	[esp+228h+var_214]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	ecx, [esp+228h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_SmKmFileInfoGetPath@12	endp


;  S U B	R O U T	I N E 


; __stdcall SmKmFileInfoInit(x)
_SmKmFileInfoInit@4 proc near		; CODE XREF: SMKM_STORE_SM_TRAITS___SmStStart+F8EF8p
		mov	edi, edi
		push	edi
		push	8
		mov	edi, ecx
		xor	eax, eax
		pop	ecx
		rep stosd
		pop	edi
		retn
_SmKmFileInfoInit@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmGetStoreList(x,	x)
_SmKmGetStoreList@8 proc near		; CODE XREF: SmProcessListRequest(x,x,x,x,x)+E6p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	eax, edx
		mov	[ebp+var_4], ecx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		xor	esi, esi
		lea	edi, [eax+4]

loc_9E5D7E:				; CODE XREF: SmKmGetStoreList(x,x)+42j
		mov	edx, esi
		call	_SmKmStoreRefFromStoreIndex@8 ;	SmKmStoreRefFromStoreIndex(x,x)
		test	eax, eax
		jz	short loc_9E5DA0
		cmp	dword ptr [eax], 0
		jz	short loc_9E5DA0
		movzx	eax, word ptr [eax+10h]
		and	eax, 3Fh
		shl	eax, 0Ah
		or	eax, esi
		inc	ebx
		mov	[edi], eax
		add	edi, 4

loc_9E5DA0:				; CODE XREF: SmKmGetStoreList(x,x)+22j
					; SmKmGetStoreList(x,x)+27j
		mov	ecx, [ebp+var_4]
		inc	esi
		cmp	esi, 20h
		jb	short loc_9E5D7E
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		mov	[eax+1], bl
		xor	eax, eax
		pop	ebx
		leave
		retn
_SmKmGetStoreList@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmIsVolumeIoPossible(x, x)
_SmKmIsVolumeIoPossible@8 proc near	; CODE XREF: SmKmStoreFileCreateForIoType(x,x,x,x,x)+150p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_8], edx
		push	esi
		push	edi
		push	eax
		mov	ebx, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	edi, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_4], eax
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		push	4
		mov	byte ptr [ebp+var_C], al
		lea	eax, [ebp+var_1C]
		push	8
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	dword ptr [ebx]
		call	_ZwQueryVolumeInformationFile@20 ; ZwQueryVolumeInformationFile(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_9E5E14
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		mov	eax, [ebx+4]
		add	eax, 5Ch
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [ebp+var_14]

loc_9E5E14:				; CODE XREF: SmKmIsVolumeIoPossible(x,x)+47j
		test	esi, esi
		js	short loc_9E5E64
		test	byte ptr [ebp+var_18], 1
		jz	short loc_9E5E24

loc_9E5E1E:				; CODE XREF: SmKmIsVolumeIoPossible(x,x)+A2j
		xor	esi, esi
		mov	eax, esi
		jmp	short loc_9E5E66
; 

loc_9E5E24:				; CODE XREF: SmKmIsVolumeIoPossible(x,x)+66j
		push	dword ptr [ebx+4]
		call	IoGetRelatedDeviceObject
		push	0
		movzx	eax, byte ptr [eax+30h]
		push	eax
		call	IoAllocateIrp
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9E5E48
		mov	eax, [ebp+var_4]
		mov	esi, 0C000009Ah
		jmp	short loc_9E5E66
; 

loc_9E5E48:				; CODE XREF: SmKmIsVolumeIoPossible(x,x)+86j
		mov	edx, [ebx+4]
		mov	ecx, edi
		push	0
		call	_SmKmSendUsageNotification@12 ;	SmKmSendUsageNotification(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E5E1E
		xor	eax, eax
		mov	[ebx+14h], edi
		inc	eax
		xor	edi, edi
		jmp	short loc_9E5E66
; 

loc_9E5E64:				; CODE XREF: SmKmIsVolumeIoPossible(x,x)+60j
		mov	eax, edi

loc_9E5E66:				; CODE XREF: SmKmIsVolumeIoPossible(x,x)+6Cj
					; SmKmIsVolumeIoPossible(x,x)+90j ...
		mov	ecx, [ebp+var_8]
		mov	[ecx], eax
		test	edi, edi
		jz	short loc_9E5E75
		push	edi
		call	_IoFreeIrp@4	; IoFreeIrp(x)

loc_9E5E75:				; CODE XREF: SmKmIsVolumeIoPossible(x,x)+B7j
		push	[ebp+var_C]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SmKmIsVolumeIoPossible@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SmKmKeyGenGenerate(void	*,int)
_SmKmKeyGenGenerate@16 proc near	; CODE XREF: SmcStoreCreate(x,x,x,x,x)+1B4p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_4], edi

loc_9E5E97:				; CODE XREF: SmKmKeyGenGenerate(x,x,x,x)+6Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		mov	edx, edi
		mov	ecx, esi
		call	_SmKmKeyGenKeyFind@8 ; SmKmKeyGenKeyFind(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9E5EF4
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_9E5ED2
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9E5ED2:				; CODE XREF: SmKmKeyGenGenerate(x,x,x,x)+45j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	ebx
		call	_SmKmKeyGenNewKey@12 ; SmKmKeyGenNewKey(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9E5F57

loc_9E5EEF:				; CODE XREF: SmKmKeyGenGenerate(x,x,x,x)+9Fj
		mov	edi, [ebp+var_4]
		jmp	short loc_9E5E97
; 

loc_9E5EF4:				; CODE XREF: SmKmKeyGenGenerate(x,x,x,x)+37j
		cmp	[edi+10h], ebx
		jz	short loc_9E5F25
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_9E5F0E
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9E5F0E:				; CODE XREF: SmKmKeyGenGenerate(x,x,x,x)+81j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edx, edi
		mov	ecx, esi
		call	_SmKmKeyGenKeyDelete@8 ; SmKmKeyGenKeyDelete(x,x)
		jmp	short loc_9E5EEF
; 

loc_9E5F25:				; CODE XREF: SmKmKeyGenGenerate(x,x,x,x)+73j
		push	ebx		; size_t
		push	dword ptr [edi+0Ch] ; void *
		push	[ebp+arg_0]	; void *
		call	_memcpy
		add	esp, 0Ch
		xor	edi, edi
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_9E5F4B
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9E5F4B:				; CODE XREF: SmKmKeyGenGenerate(x,x,x,x)+BEj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9E5F57:				; CODE XREF: SmKmKeyGenGenerate(x,x,x,x)+69j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SmKmKeyGenGenerate@16 endp


;  S U B	R O U T	I N E 


; __stdcall SmKmKeyGenKeyDelete(x, x)
_SmKmKeyGenKeyDelete@8 proc near	; CODE XREF: SmKmKeyGenGenerate(x,x,x,x)+9Ap
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	short loc_9E5FB7
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_9E5FB7
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E5FA9
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E5FA9:				; CODE XREF: SmKmKeyGenKeyDelete(x,x)+40j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
; 

loc_9E5FB7:				; CODE XREF: SmKmKeyGenKeyDelete(x,x)+20j
					; SmKmKeyGenKeyDelete(x,x)+27j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_SmKmKeyGenKeyDelete@8 endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall SmKmKeyGenKeyFind(x, x)
_SmKmKeyGenKeyFind@8 proc near		; CODE XREF: SmKmKeyGenGenerate(x,x,x,x)+2Ep
					; SmKmKeyGenNewKey(x,x,x)+EEp
		mov	edi, edi
		push	ebx
		push	esi
		lea	esi, [ecx+4]
		mov	ebx, edx
		mov	eax, [esi]
		push	edi
		jmp	short loc_9E6000
; 

loc_9E5FCA:				; CODE XREF: SmKmKeyGenKeyFind(x,x)+46j
		mov	edx, [eax+8]
		mov	ecx, ebx

loc_9E5FCF:				; CODE XREF: SmKmKeyGenKeyFind(x,x)+33j
		mov	di, [ecx]
		cmp	di, [edx]
		jnz	short loc_9E5FF5
		test	di, di
		jz	short loc_9E5FF1
		mov	di, [ecx+2]
		cmp	di, [edx+2]
		jnz	short loc_9E5FF5
		add	ecx, 4
		add	edx, 4
		test	di, di
		jnz	short loc_9E5FCF

loc_9E5FF1:				; CODE XREF: SmKmKeyGenKeyFind(x,x)+1Ej
		xor	ecx, ecx
		jmp	short loc_9E5FFA
; 

loc_9E5FF5:				; CODE XREF: SmKmKeyGenKeyFind(x,x)+19j
					; SmKmKeyGenKeyFind(x,x)+28j
		sbb	ecx, ecx
		or	ecx, 1

loc_9E5FFA:				; CODE XREF: SmKmKeyGenKeyFind(x,x)+37j
		test	ecx, ecx
		jz	short loc_9E6006
		mov	eax, [eax]

loc_9E6000:				; CODE XREF: SmKmKeyGenKeyFind(x,x)+Cj
		cmp	eax, esi
		jnz	short loc_9E5FCA
		xor	eax, eax

loc_9E6006:				; CODE XREF: SmKmKeyGenKeyFind(x,x)+40j
		pop	edi
		pop	esi
		pop	ebx
		retn
_SmKmKeyGenKeyFind@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmKeyGenLoadKey(x, x, x)
_SmKmKeyGenLoadKey@12 proc near		; CODE XREF: SmKmKeyGenNewKey(x,x,x)+A0p

var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 148h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		push	10Ch		; size_t
		push	eax		; int
		mov	[ebp+var_12C], eax
		mov	edi, edx
		mov	[ebp+var_128], eax
		mov	esi, ecx
		mov	[ebp+var_124], eax
		lea	eax, [ebp+var_11C]
		push	eax		; void *
		call	_memset
		xor	eax, eax
		mov	[ebp+var_144], 18h
		add	esp, 0Ch
		mov	[ebp+var_120], eax
		mov	[ebp+var_140], eax
		mov	[ebp+var_134], eax
		mov	[ebp+var_130], eax
		lea	eax, [ebp+var_144]
		push	eax
		push	20019h
		lea	eax, [ebp+var_120]
		mov	[ebp+var_138], 240h
		push	eax
		mov	[ebp+var_13C], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E6121
		mov	edx, [edi+8]
		push	ecx
		push	ecx
		lea	ecx, [ebp+var_12C]
		call	sub_673E8F
		lea	eax, [ebp+var_124]
		push	eax
		push	10Ch
		lea	eax, [ebp+var_11C]
		push	eax
		push	4
		lea	eax, [ebp+var_12C]
		push	eax
		push	[ebp+var_120]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E6121
		test	ebx, ebx
		jnz	short loc_9E60E9
		xor	esi, esi
		jmp	short loc_9E6121
; 

loc_9E60E9:				; CODE XREF: SmKmKeyGenLoadKey(x,x,x)+D9j
		cmp	[ebp+var_11C], 3
		jnz	short loc_9E611C
		mov	eax, [edi+10h]
		cmp	[ebp+var_118], eax
		jnz	short loc_9E611C
		push	eax		; size_t
		lea	eax, [ebp+var_114]
		push	eax		; void *
		push	dword ptr [edi+0Ch] ; void *
		call	_memcpy
		mov	eax, [ebp+var_120]
		add	esp, 0Ch
		mov	[ebx], eax
		xor	esi, esi
		jmp	short loc_9E6135
; 

loc_9E611C:				; CODE XREF: SmKmKeyGenLoadKey(x,x,x)+E6j
					; SmKmKeyGenLoadKey(x,x,x)+F1j
		mov	esi, 0C0000034h

loc_9E6121:				; CODE XREF: SmKmKeyGenLoadKey(x,x,x)+98j
					; SmKmKeyGenLoadKey(x,x,x)+D5j	...
		cmp	[ebp+var_120], 0
		jz	short loc_9E6135
		push	[ebp+var_120]
		call	_ZwClose@4	; ZwClose(x)

loc_9E6135:				; CODE XREF: SmKmKeyGenLoadKey(x,x,x)+110j
					; SmKmKeyGenLoadKey(x,x,x)+11Ej
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_SmKmKeyGenLoadKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmKeyGenNewKey(x,	x, x)
_SmKmKeyGenNewKey@12 proc near		; CODE XREF: SmKmKeyGenGenerate(x,x,x,x)+60p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], eax
		mov	ecx, eax
		mov	[ebp+var_14], ebx
		push	edi
		mov	edi, esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_4], edi
		lea	edx, [ecx+2]

loc_9E616F:				; CODE XREF: SmKmKeyGenNewKey(x,x,x)+30j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_9E616F
		sub	ecx, edx
		mov	edx, [ebp+arg_0]
		sar	ecx, 1
		add	edx, 16h
		mov	[ebp+var_10], ecx
		lea	eax, [edx+ecx*2]
		mov	edx, 474B6D73h
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9E61A9
		mov	ebx, 0C000009Ah
		jmp	loc_9E62AF
; 

loc_9E61A9:				; CODE XREF: SmKmKeyGenNewKey(x,x,x)+55j
		push	[ebp+var_C]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		lea	eax, [esi+14h]
		add	esp, 0Ch
		mov	[esi+0Ch], eax
		mov	[esi+10h], ecx
		add	ecx, eax
		mov	eax, [ebp+var_10]
		add	eax, eax
		mov	[esi+8], ecx
		push	eax		; size_t
		push	[ebp+var_8]	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	[ebx+10h], edi
		jz	short loc_9E6202
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		lea	ecx, [ebx+0Ch]
		call	_SmKmKeyGenLoadKey@12 ;	SmKmKeyGenLoadKey(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_9E6217
		mov	edi, [ebp+var_4]
		cmp	ebx, 0C0000034h
		jnz	loc_9E629A

loc_9E6202:				; CODE XREF: SmKmKeyGenNewKey(x,x,x)+95j
		mov	edx, [ebp+arg_0]
		mov	ecx, [esi+0Ch]
		call	_SmCrGenRandom@8 ; SmCrGenRandom(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_9E629A

loc_9E6217:				; CODE XREF: SmKmKeyGenNewKey(x,x,x)+A9j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, [ebp+var_14]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		call	_SmKmKeyGenKeyFind@8 ; SmKmKeyGenKeyFind(x,x)
		mov	edi, [ebp+var_4]
		test	eax, eax
		jnz	short loc_9E6278
		lea	eax, [ebx+4]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jz	short loc_9E6251
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9E6251:				; CODE XREF: SmKmKeyGenNewKey(x,x,x)+102j
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[ecx+4], esi
		mov	[eax], esi
		test	edi, edi
		jz	short loc_9E6276
		mov	edx, [esi+8]
		push	ecx
		push	ecx
		lea	ecx, [ebp+var_1C]
		call	sub_673E8F
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_9E6276:				; CODE XREF: SmKmKeyGenNewKey(x,x,x)+115j
		xor	esi, esi

loc_9E6278:				; CODE XREF: SmKmKeyGenNewKey(x,x,x)+F8j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E628C
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E628C:				; CODE XREF: SmKmKeyGenNewKey(x,x,x)+13Bj
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		xor	ebx, ebx

loc_9E629A:				; CODE XREF: SmKmKeyGenNewKey(x,x,x)+B4j
					; SmKmKeyGenNewKey(x,x,x)+C9j
		test	edi, edi
		jz	short loc_9E62A4
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_9E62A4:				; CODE XREF: SmKmKeyGenNewKey(x,x,x)+154j
		test	esi, esi
		jz	short loc_9E62AF
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_9E62AF:				; CODE XREF: SmKmKeyGenNewKey(x,x,x)+5Cj
					; SmKmKeyGenNewKey(x,x,x)+15Ej
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_SmKmKeyGenNewKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmKeyGenStart(x, x)
_SmKmKeyGenStart@8 proc	near		; CODE XREF: SmcCacheManagerStart(x,x)+ECp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ecx
		push	edi
		test	esi, esi
		jz	short loc_9E6301
		movzx	edi, word ptr [esi]
		mov	edx, 474B6D73h
		lea	ecx, [edi+2]
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9E62E7
		mov	eax, 0C000009Ah
		jmp	short loc_9E6303
; 

loc_9E62E7:				; CODE XREF: SmKmKeyGenStart(x,x)+26j
		push	esi
		lea	edx, [edi+2]
		mov	ecx, ebx
		call	?RtlStringCbCopyUnicodeString@@YGJPAGIPBU_UNICODE_STRING@@@Z ; RtlStringCbCopyUnicodeString(ushort *,uint,_UNICODE_STRING const	*)
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		add	ecx, 0Ch
		call	sub_673E8F

loc_9E6301:				; CODE XREF: SmKmKeyGenStart(x,x)+10j
		xor	eax, eax

loc_9E6303:				; CODE XREF: SmKmKeyGenStart(x,x)+2Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SmKmKeyGenStart@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmRegParamsLoad(x)
_SmKmRegParamsLoad@4 proc near		; CODE XREF: SmcStoreCreate(x,x,x,x,x)+113p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_58], offset ??_C@_1BO@PEEFAFOD@?$AAE?$AAn?$AAc?$AAr?$AAy?$AAp?$AAt?$AAi?$AAo?$AAn?$AAM?$AAo?$AAd?$AAe@NNGAKEGL@
		mov	esi, ecx
		mov	[ebp+var_60], edi
		lea	eax, [ebp+var_68]
		mov	[ebp+var_4C], edi
		mov	ecx, 4000000h
		mov	[ebp+var_54], eax
		push	1
		push	ecx
		lea	eax, [ebp+var_64]
		mov	[ebp+var_50], ecx
		mov	edx, 120h
		mov	[ebp+var_38], eax
		push	edi
		lea	eax, [ebp+var_60]
		mov	[ebp+var_5C], edx
		mov	[ebp+var_40], edx
		mov	edx, offset ??_C@_1MK@ENOAMLHH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		mov	[ebp+var_34], ecx
		xor	ecx, ecx
		mov	[esi+4], edi
		and	dword ptr [esi+4], 0FFFFFFFCh
		push	eax
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_3C], offset ??_C@_1CA@PIKFPGMG@?$AAE?$AAn?$AAc?$AAr?$AAy?$AAp?$AAt?$AAi?$AAo?$AAn?$AAS?$AAc?$AAo?$AAp?$AAe@NNGAKEGL@
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	dword ptr [esi], 10h
		mov	[ebp+var_68], edi
		mov	[ebp+var_64], edi
		call	RtlpQueryRegistryValues
		test	eax, eax
		jns	short loc_9E63AB
		cmp	eax, 0C0000034h
		jnz	short loc_9E63C7
		jmp	short loc_9E63C5
; 

loc_9E63AB:				; CODE XREF: SmKmRegParamsLoad(x)+98j
		cmp	[ebp+var_68], 1
		jnz	short loc_9E63B3
		shl	dword ptr [esi], 1

loc_9E63B3:				; CODE XREF: SmKmRegParamsLoad(x)+A7j
		cmp	[ebp+var_64], 3
		jnb	short loc_9E63C5
		mov	eax, [esi+4]
		xor	eax, [ebp+var_64]
		and	eax, 3
		xor	[esi+4], eax

loc_9E63C5:				; CODE XREF: SmKmRegParamsLoad(x)+A1j
					; SmKmRegParamsLoad(x)+AFj
		mov	eax, edi

loc_9E63C7:				; CODE XREF: SmKmRegParamsLoad(x)+9Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SmKmRegParamsLoad@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmSendDeviceControl(x, x,	x, x, x, x, x)
_SmKmSendDeviceControl@28 proc near	; CODE XREF: SmKmVolumeQueryUniqueId(x,x,x,x)+20p

var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_1C]
		push	edi
		push	edi
		push	eax
		mov	esi, edx
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	edi
		push	edi
		push	esi
		push	4D0000h
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_9E641B
		mov	eax, 0C000009Ah
		jmp	short loc_9E643B
; 

loc_9E641B:				; CODE XREF: SmKmSendDeviceControl(x,x,x,x,x,x,x)+3Dj
		mov	edx, eax
		mov	ecx, esi
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_9E643B
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_C]

loc_9E643B:				; CODE XREF: SmKmSendDeviceControl(x,x,x,x,x,x,x)+44j
					; SmKmSendDeviceControl(x,x,x,x,x,x,x)+54j
		pop	edi
		pop	esi
		leave
		retn	14h
_SmKmSendDeviceControl@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmSendUsageNotification(x, x, x)
_SmKmSendUsageNotification@12 proc near	; CODE XREF: SmKmFileInfoCleanup(x)+43p
					; SmKmIsVolumeIoPossible(x,x)+99p

var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		push	0
		push	0
		lea	eax, [ebp+var_18]
		mov	esi, ecx
		push	eax
		mov	ebx, edx
		mov	[ebp+var_8], esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	esi, [esi+60h]
		push	ebx
		call	IoGetRelatedDeviceObject
		cmp	[ebp+arg_0], 0
		mov	edi, eax
		mov	[esi-0Ch], ebx
		mov	ebx, [ebp+var_8]
		setz	cl
		mov	[esi-20h], cl
		mov	edx, ebx
		mov	word ptr [esi-24h], 161Bh
		lea	ecx, [ebp+var_18]
		mov	dword ptr [esi-1Ch], 1
		mov	eax, [ebx+60h]
		mov	dword ptr [ebx+18h], 0C00000BBh
		mov	[eax-4], ecx
		mov	ecx, edi
		mov	dword ptr [eax-8], offset _SmKmGenericCompletion@12 ; SmKmGenericCompletion(x,x,x)
		mov	byte ptr [eax-21h], 0E0h
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_9E64C5
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebx+18h]

loc_9E64C5:				; CODE XREF: SmKmSendUsageNotification(x,x,x)+70j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SmKmSendUsageNotification@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmStoreFileCreate(x, x, x, x, x, x, x, x,	x, x, x)
_SmKmStoreFileCreate@44	proc near	; CODE XREF: SmcCacheStart(x,x,x)+A9p

var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_44], esi
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_A4], eax
		lea	edi, [ebp+var_24]
		mov	eax, [ebp+arg_18]
		xor	ebx, ebx
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+arg_1C]
		mov	edx, [ebp+arg_10]
		mov	[ebp+var_AC], eax
		mov	eax, [ebp+arg_20]
		push	6
		pop	ecx
		mov	[ebp+var_B8], eax
		mov	eax, _PnpDriverObject
		mov	[ebp+var_A0], eax
		xor	eax, eax
		and	[ebp+var_6C], eax
		rep stosd
		push	6
		pop	ecx
		lea	edi, [ebp+var_3C]
		mov	[ebp+var_54], ebx
		rep stosd
		push	8
		pop	ecx
		mov	[ebp+var_50], ebx
		lea	edi, [ebp+var_8C]
		mov	[ebp+var_94], ebx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_98], ebx
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_58], ebx
		mov	ebx, [edx]
		rep stosd
		push	eax
		mov	[ebp+var_B0], esi
		mov	[ebp+var_B4], edx
		mov	[ebp+var_5C], ebx
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	byte ptr [ebp+var_BC], al
		mov	eax, [ebp+var_44]
		test	al, 1
		jz	short loc_9E65C9
		and	eax, 0FFFFFFFEh
		xor	esi, esi
		mov	[ebp+var_44], eax
		mov	edi, [ebp+var_44]
		push	8
		mov	edx, [eax+4]
		mov	ecx, [eax]
		mov	eax, [eax+14h]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_78], eax
		xor	eax, eax
		pop	ecx
		rep stosd
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_60], edx
		mov	[ebp+var_88], edx
		mov	edi, edx
		mov	edx, [ebp+var_40]
		or	ecx, eax
		mov	[ebp+var_44], esi
		jmp	short loc_9E65E5
; 

loc_9E65C9:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+BDj
		mov	edx, [ebp+var_88]
		xor	edi, edi
		mov	eax, [esi]
		mov	ecx, [esi+4]
		mov	esi, [ebp+var_44]
		mov	[ebp+var_60], edx
		mov	edx, [ebp+var_8C]
		mov	[ebp+var_40], edx

loc_9E65E5:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+FBj
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_48], ecx
		cmp	eax, [ebp+arg_0]
		jbe	short loc_9E65FD
		mov	esi, 0C000000Dh
		jmp	loc_9E68C0
; 

loc_9E65FD:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+125j
		test	esi, esi
		jz	loc_9E66DD
		push	ecx
		push	ecx
		lea	eax, [ebp+var_5C]
		mov	edx, esi
		push	eax
		lea	ecx, [ebp+var_8C]
		call	_SmKmStoreFileCreateForIoType@20 ; SmKmStoreFileCreateForIoType(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E68C0
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_94], eax
		mov	eax, [ebp+var_48]
		push	14h
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_94]
		push	8
		push	eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_58], 1
		push	eax
		mov	eax, [ebp+var_8C]
		push	eax
		mov	[ebp+var_40], eax
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		mov	edi, [ebp+var_88]
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_9E667B
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [edi+5Ch]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [ebp+var_54]

loc_9E667B:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+19Bj
		test	esi, esi
		js	loc_9E68B5
		mov	ebx, [ebp+var_5C]
		mov	esi, [ebp+var_40]
		test	ebx, ebx
		jz	loc_9E6725
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_9C], eax
		mov	eax, [ebp+var_48]
		push	27h
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_9C]
		push	8
		push	eax
		lea	eax, [ebp+var_54]
		push	eax
		push	esi
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		cmp	eax, 103h
		jnz	short loc_9E66D1
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [edi+5Ch]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_54]

loc_9E66D1:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+1F1j
		test	eax, eax
		jns	short loc_9E6725
		mov	eax, [ebp+var_58]
		mov	[ebp+var_6C], eax
		jmp	short loc_9E6725
; 

loc_9E66DD:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+133j
		push	5
		push	18h
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_54]
		push	eax
		push	edx
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_9E670B
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [edi+5Ch]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [ebp+var_54]

loc_9E670B:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+22Bj
		test	esi, esi
		js	loc_9E68C0
		mov	eax, [ebp+var_1C]
		mov	edi, [ebp+var_60]
		mov	esi, [ebp+var_40]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+var_18]
		mov	[ebp+var_48], eax

loc_9E6725:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+1BFj
					; SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+207j ...
		push	0
		push	[ebp+arg_0]
		push	[ebp+var_48]
		push	[ebp+var_4C]
		call	__alldiv
		test	edx, edx
		jl	short loc_9E674A
		jg	short loc_9E6740
		cmp	eax, 0FFFFFFFFh
		jb	short loc_9E674A

loc_9E6740:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+26Dj
		mov	esi, 0C000000Dh
		jmp	loc_9E68AF
; 

loc_9E674A:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+26Bj
					; SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+272j
		push	3
		push	18h
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_54]
		push	eax
		push	esi
		call	_ZwQueryVolumeInformationFile@20 ; ZwQueryVolumeInformationFile(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_9E6778
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [edi+5Ch]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [ebp+var_54]

loc_9E6778:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+298j
		test	esi, esi
		js	loc_9E68AF
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	loc_9E68AA
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	loc_9E68AA
		mov	eax, [ebp+arg_4]
		cmp	ecx, eax
		ja	loc_9E68AA
		cmp	ecx, [ebp+arg_0]
		ja	loc_9E68AA
		cmp	ecx, 1000h
		ja	loc_9E68AA
		lea	ecx, [ebp+var_70]
		mov	edx, edi
		push	ecx
		lea	ecx, [ebp+var_74]
		push	ecx
		lea	ecx, [ebp+var_68]
		push	ecx
		push	ebx
		push	ecx
		mov	ecx, [ebp+var_40]
		push	eax
		push	[ebp+arg_0]
		lea	eax, [ebp+var_4C]
		push	eax
		call	_SmKmStoreFileGetExtents@40 ; SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E68AF
		test	ebx, ebx
		jnz	short loc_9E6803
		mov	ecx, [ebp+var_88]
		lea	eax, [ebp+var_80]
		push	eax
		lea	edx, [ebp+var_84]
		call	_SmKmStoreFileOpenVolume@12 ; SmKmStoreFileOpenVolume(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E68AF

loc_9E6803:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+316j
		cmp	[ebp+var_44], 0
		jz	short loc_9E6822
		push	ecx
		push	ecx
		mov	edx, ebx
		lea	ecx, [ebp+var_8C]
		call	_SmKmStoreFileWriteHeader@16 ; SmKmStoreFileWriteHeader(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E68AF

loc_9E6822:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+33Bj
		lea	eax, [ebp+var_64]
		push	eax
		push	0
		push	offset _SmcVolumePnpNotification@8 ; SmcVolumePnpNotification(x,x)
		push	[ebp+var_A0]
		push	[ebp+var_88]
		push	0
		push	3
		call	IoRegisterPlugPlayNotification
		mov	esi, eax
		test	esi, esi
		js	short loc_9E68AF
		mov	eax, [ebp+var_64]
		lea	esi, [ebp+var_8C]
		mov	edi, [ebp+var_A4]
		mov	[ebp+var_7C], eax
		xor	eax, eax
		push	8
		pop	ecx
		rep movsd
		push	8
		pop	ecx
		lea	edi, [ebp+var_8C]
		xor	esi, esi
		rep stosd
		mov	ecx, [ebp+var_A8]
		mov	eax, [ebp+var_28]
		mov	[ecx], eax
		mov	ecx, [ebp+var_AC]
		mov	eax, [ebp+var_68]
		mov	[ecx], eax
		mov	ecx, [ebp+var_B0]
		mov	eax, [ebp+var_4C]
		mov	[ecx], eax
		mov	eax, [ebp+var_48]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_B4]
		mov	ecx, [ebp+var_B8]
		mov	[eax], ebx
		mov	eax, [ebp+var_6C]
		mov	[ecx], eax
		jmp	short loc_9E68C0
; 

loc_9E68AA:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+2B9j
					; SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+2C4j ...
		mov	esi, 0C0380015h

loc_9E68AF:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+279j
					; SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+2AEj ...
		cmp	[ebp+var_58], 0
		jz	short loc_9E68C0

loc_9E68B5:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+1B1j
		lea	ecx, [ebp+var_8C]
		call	_SmKmStoreFileDelete@4 ; SmKmStoreFileDelete(x)

loc_9E68C0:				; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+12Cj
					; SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+150j ...
		lea	ecx, [ebp+var_8C]
		call	_SmKmFileInfoCleanup@4 ; SmKmFileInfoCleanup(x)
		push	[ebp+var_BC]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	24h
_SmKmStoreFileCreate@44	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmStoreFileCreateForIoType(x, x, x, x, x)
_SmKmStoreFileCreateForIoType@20 proc near
					; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+147p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1C], ecx
		push	6
		pop	ecx
		lea	edi, [ebp+var_5C]
		mov	esi, edx
		rep stosd
		lea	edi, [ebp+var_44]
		xor	edx, edx
		stosd
		mov	ebx, edx
		push	8
		pop	ecx
		mov	[ebp+var_30], edx
		stosd
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], edx
		stosd
		mov	[ebp+var_10], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_8], edx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_7C]
		rep stosd
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_9E6947
		lea	edi, [ebp+var_18]
		mov	[ebp+var_14], 1
		mov	[ebp+arg_0], edi
		jmp	short loc_9E694A
; 

loc_9E6947:				; CODE XREF: SmKmStoreFileCreateForIoType(x,x,x,x,x)+4Dj
		mov	[ebp+var_14], edx

loc_9E694A:				; CODE XREF: SmKmStoreFileCreateForIoType(x,x,x,x,x)+5Cj
		push	edx
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	byte ptr [ebp+var_20], al
		lea	eax, [ebp+var_30]
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	edx, [ebp+var_8]
		lea	ecx, [ebp+var_44]
		call	_SmKmStoreFileMakeSecurityDescriptor@8 ; SmKmStoreFileMakeSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E6A91
		lea	eax, [ebp+var_30]
		mov	[ebp+var_5C], 18h
		xor	ecx, ecx
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_58], ecx
		mov	[ebp+var_50], 240h
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], ecx

loc_9E6994:				; CODE XREF: SmKmStoreFileCreateForIoType(x,x,x,x,x)+192j
		push	ecx		; void *
		xor	eax, eax
		mov	edx, 140003h
		cmp	[edi], ecx
		push	ecx		; int
		setz	al
		lea	eax, ds:108h[eax*2]
		push	eax		; int
		push	ecx		; int
		push	ecx		; int
		push	ecx		; int
		push	ecx		; void *
		push	800Ah		; int
		push	ecx		; int
		push	ecx		; int
		push	2000h		; int
		push	ecx		; int
		lea	eax, [ebp+var_28]
		push	eax		; int
		lea	eax, [ebp+var_5C]
		push	eax		; int
		lea	ecx, [ebp+var_7C]
		call	_IopCreateFile@64 ; IopCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E6A85
		xor	ecx, ecx
		lea	eax, [ebp+var_C]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	10003h
		push	[ebp+var_7C]
		mov	[ebp+var_C], ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_78], eax
		test	esi, esi
		js	loc_9E6A85
		cmp	dword ptr [edi], 0
		jz	short loc_9E6A13
		cmp	[ebp+var_24], 2
		jz	short loc_9E6A13
		cmp	[ebp+var_24], 0
		jz	short loc_9E6A13
		xor	ebx, ebx
		jmp	short loc_9E6A16
; 

loc_9E6A13:				; CODE XREF: SmKmStoreFileCreateForIoType(x,x,x,x,x)+118j
					; SmKmStoreFileCreateForIoType(x,x,x,x,x)+11Ej	...
		xor	ebx, ebx
		inc	ebx

loc_9E6A16:				; CODE XREF: SmKmStoreFileCreateForIoType(x,x,x,x,x)+128j
		lea	eax, [ebp+var_44]
		push	eax
		push	4
		push	[ebp+var_7C]
		call	_ZwSetSecurityObject@12	; ZwSetSecurityObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E6A85
		cmp	dword ptr [edi], 0
		jnz	loc_9E6ABA
		lea	edx, [ebp+var_10]
		lea	ecx, [ebp+var_7C]
		call	_SmKmIsVolumeIoPossible@8 ; SmKmIsVolumeIoPossible(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E6A85
		cmp	[ebp+var_10], 0
		jnz	short loc_9E6ABA
		cmp	[ebp+var_14], 0
		jnz	short loc_9E6A80
		mov	dword ptr [edi], 1
		test	ebx, ebx
		jz	short loc_9E6A62
		lea	ecx, [ebp+var_7C]
		call	_SmKmStoreFileDelete@4 ; SmKmStoreFileDelete(x)

loc_9E6A62:				; CODE XREF: SmKmStoreFileCreateForIoType(x,x,x,x,x)+16Fj
		lea	ecx, [ebp+var_7C]
		call	_SmKmFileInfoCleanup@4 ; SmKmFileInfoCleanup(x)
		push	8
		xor	eax, eax
		lea	edi, [ebp+var_7C]
		pop	ecx
		rep stosd
		mov	edi, [ebp+arg_0]
		xor	ecx, ecx
		mov	ebx, ecx
		jmp	loc_9E6994
; 

loc_9E6A80:				; CODE XREF: SmKmStoreFileCreateForIoType(x,x,x,x,x)+165j
		mov	esi, 0C00000BBh

loc_9E6A85:				; CODE XREF: SmKmStoreFileCreateForIoType(x,x,x,x,x)+E6j
					; SmKmStoreFileCreateForIoType(x,x,x,x,x)+10Fj	...
		test	ebx, ebx
		jz	short loc_9E6A91
		lea	ecx, [ebp+var_7C]
		call	_SmKmStoreFileDelete@4 ; SmKmStoreFileDelete(x)

loc_9E6A91:				; CODE XREF: SmKmStoreFileCreateForIoType(x,x,x,x,x)+83j
					; SmKmStoreFileCreateForIoType(x,x,x,x,x)+19Ej	...
		lea	ecx, [ebp+var_7C]
		call	_SmKmFileInfoCleanup@4 ; SmKmFileInfoCleanup(x)
		cmp	[ebp+var_8], 0
		jz	short loc_9E6AA9
		push	0
		push	[ebp+var_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E6AA9:				; CODE XREF: SmKmStoreFileCreateForIoType(x,x,x,x,x)+1B4j
		push	[ebp+var_20]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_9E6ABA:				; CODE XREF: SmKmStoreFileCreateForIoType(x,x,x,x,x)+144j
					; SmKmStoreFileCreateForIoType(x,x,x,x,x)+15Fj
		mov	edi, [ebp+var_1C]
		lea	esi, [ebp+var_7C]
		push	8
		pop	ecx
		rep movsd
		push	8
		xor	eax, eax
		lea	edi, [ebp+var_7C]
		pop	ecx
		rep stosd
		xor	esi, esi
		jmp	short loc_9E6A91
_SmKmStoreFileCreateForIoType@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmStoreFileDelete(x)
_SmKmStoreFileDelete@4 proc near	; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+3EFp
					; SmKmStoreFileCreateForIoType(x,x,x,x,x)+174p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, ecx
		push	ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		push	0Dh
		mov	byte ptr [ebp+var_5], al
		lea	eax, [ebp-1]
		push	1
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_1], 1
		push	eax
		push	dword ptr [edi]
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_9E6B25
		mov	eax, [edi+4]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		add	eax, 5Ch
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [ebp+var_10]

loc_9E6B25:				; CODE XREF: SmKmStoreFileDelete(x)+3Dj
		test	esi, esi
		js	short loc_9E6B2B
		mov	esi, ebx

loc_9E6B2B:				; CODE XREF: SmKmStoreFileDelete(x)+54j
		push	[ebp+var_5]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SmKmStoreFileDelete@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmStoreFileGetExtents(x, x, x, x,	x, x, x, x, x, x)
_SmKmStoreFileGetExtents@40 proc near	; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+305p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_64], eax
		mov	eax, [ebp+arg_18]
		push	ebx
		mov	[ebp+var_68], eax
		mov	eax, [ebp+arg_1C]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_6C], eax
		xor	eax, eax
		push	edi
		mov	ebx, eax
		mov	[ebp+var_3C], edx
		push	eax
		mov	edi, ecx
		mov	[ebp+var_60], esi
		mov	[ebp+var_54], 10000h
		mov	[ebp+var_78], eax
		mov	[ebp+var_74], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_40], ebx
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	byte ptr [ebp+var_70], al
		cmp	[ebp+arg_10], ebx
		jz	short loc_9E6BB8
		mov	eax, [esi]
		xor	ecx, ecx
		mov	[ebp+var_28], eax
		mov	eax, [esi+4]
		lea	esi, [ebp+var_28]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_24], eax
		mov	[ebp+var_2C], esi
		jmp	short loc_9E6BFF
; 

loc_9E6BB8:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+55j
		push	4
		lea	eax, [ebp+var_2C]
		push	eax
		push	8
		push	esi
		push	9003Bh
		lea	eax, [ebp+var_78]
		xor	esi, esi
		push	eax
		push	esi
		push	esi
		push	esi
		push	edi
		call	_ZwFsControlFile@40 ; ZwFsControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 103h
		jnz	short loc_9E6BF2
		mov	eax, [ebp+var_3C]
		push	esi
		push	esi
		push	esi
		push	esi
		add	eax, 5Ch
		push	eax
		call	KeWaitForSingleObject
		mov	edi, [ebp+var_78]

loc_9E6BF2:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+A3j
		mov	esi, [ebp+var_2C]
		test	edi, edi
		js	loc_9E6D95
		xor	ecx, ecx

loc_9E6BFF:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+7Cj
		mov	edi, [esi]
		mov	edx, ecx
		mov	[ebp+var_50], ecx
		mov	eax, edi
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_58], ecx
		mov	ecx, [esi+4]
		or	eax, ecx
		mov	[ebp+var_44], edx
		jz	loc_9E6D48
		and	[ebp+var_3C], ebx

loc_9E6C22:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+202j
		add	[ebp+var_4C], edi
		mov	edx, [esi+0Ch]
		adc	[ebp+var_48], ecx
		mov	eax, [esi+8]
		mov	[ebp+var_38], eax
		mov	[ebp+var_30], edx
		test	edx, edx
		jl	loc_9E6D6A
		jg	short loc_9E6C46
		test	eax, eax
		jb	loc_9E6D6A

loc_9E6C46:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+102j
		mov	edx, [ebp+var_54]
		test	edx, edx
		jz	short loc_9E6C84
		test	ecx, ecx
		jg	short loc_9E6C5E
		jl	short loc_9E6C57
		cmp	edi, edx
		jnb	short loc_9E6C5E

loc_9E6C57:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+117j
		mov	eax, [esi]
		mov	[ebp+var_34], eax
		jmp	short loc_9E6C63
; 

loc_9E6C5E:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+115j
					; SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+11Bj
		mov	eax, edx
		mov	[ebp+var_34], edx

loc_9E6C63:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+122j
		sub	edx, eax
		add	eax, [ebp+var_38]
		mov	[ebp+var_54], edx
		push	0
		pop	edx
		adc	edx, [ebp+var_30]
		sub	edi, [ebp+var_34]
		mov	[esi+8], eax
		sbb	ecx, 0
		mov	[esi+0Ch], edx
		mov	[esi], edi
		mov	[esi+4], ecx
		jmp	short loc_9E6C87
; 

loc_9E6C84:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+111j
		mov	edx, [ebp+var_30]

loc_9E6C87:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+148j
		mov	[ebp+var_30], edx
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], ecx
		test	ecx, ecx
		jl	loc_9E6D30
		jg	short loc_9E6CA3
		cmp	edi, [ebp+arg_4]
		jb	loc_9E6D30

loc_9E6CA3:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+15Ej
		mov	ecx, [ebp+arg_8]
		add	ecx, eax
		mov	eax, [ebp+arg_8]
		add	ecx, 0FFFFFFFFh
		dec	eax
		and	ecx, eax
		mov	eax, [ebp+arg_8]
		push	0
		pop	edx
		sub	eax, ecx
		push	edx
		pop	ecx
		sbb	ecx, edx
		mov	edx, [ebp+var_38]
		add	eax, edx
		push	0
		adc	ecx, [ebp+var_30]
		add	eax, 0FFFFFFFFh
		push	[ebp+arg_4]
		adc	ecx, 0FFFFFFFFh
		mov	[ebp+var_38], eax
		sub	edx, eax
		mov	[ebp+var_5C], ecx
		mov	eax, [ebp+var_30]
		sbb	eax, ecx
		add	edx, edi
		adc	eax, [ebp+var_34]
		push	eax
		push	edx
		call	__aulldiv
		mov	[ebp+var_34], eax
		test	eax, eax
		jz	short loc_9E6D30
		mov	edi, [ebp+var_50]
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_58]
		mov	ecx, edi
		push	eax
		push	10h
		pop	edx
		call	SmArrayGrow
		mov	ebx, [ebp+var_40]
		test	eax, eax
		jz	short loc_9E6D63
		mov	edx, [ebp+var_3C]
		mov	eax, [ebp+var_38]
		mov	[edx+ebx+8], eax
		mov	eax, [ebp+var_5C]
		mov	[edx+ebx+0Ch], eax
		mov	eax, [ebp+var_34]
		add	[ebp+var_44], eax
		inc	edi
		mov	[edx+ebx], eax
		add	edx, 10h
		mov	[ebp+var_50], edi
		mov	[ebp+var_3C], edx

loc_9E6D30:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+158j
					; SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+163j ...
		mov	ecx, [esi+14h]
		add	esi, 10h
		mov	edi, [esi]
		mov	eax, edi
		or	eax, ecx
		jnz	loc_9E6C22
		mov	esi, [ebp+var_2C]
		mov	edx, [ebp+var_44]

loc_9E6D48:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+DFj
		mov	eax, [ebp+var_60]
		mov	ecx, [ebp+var_48]
		cmp	ecx, [eax+4]
		jg	short loc_9E6D74
		jl	short loc_9E6D5C
		mov	ecx, [ebp+var_4C]
		cmp	ecx, [eax]
		jnb	short loc_9E6D74

loc_9E6D5C:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+219j
		mov	edi, 0C0000173h
		jmp	short loc_9E6D95
; 

loc_9E6D63:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+1D0j
		mov	edi, 0C000009Ah
		jmp	short loc_9E6D6F
; 

loc_9E6D6A:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+FCj
					; SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+106j
		mov	edi, 0C0000173h

loc_9E6D6F:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+22Ej
		mov	esi, [ebp+var_2C]
		jmp	short loc_9E6D95
; 

loc_9E6D74:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+217j
					; SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+220j
		test	edx, edx
		jnz	short loc_9E6D7F
		mov	edi, 0C0000098h
		jmp	short loc_9E6D95
; 

loc_9E6D7F:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+23Cj
		mov	eax, [ebp+var_64]
		mov	ecx, [ebp+var_6C]
		mov	[eax], edx
		mov	eax, [ebp+var_68]
		mov	[eax], ebx
		xor	ebx, ebx
		mov	eax, [ebp+var_50]
		xor	edi, edi
		mov	[ecx], eax

loc_9E6D95:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+BDj
					; SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+227j ...
		test	esi, esi
		jz	short loc_9E6DA8
		lea	eax, [ebp+var_28]
		cmp	esi, eax
		jz	short loc_9E6DA8
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E6DA8:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+25Dj
					; SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+264j
		test	ebx, ebx
		jz	short loc_9E6DB3
		mov	ecx, ebx
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_9E6DB3:				; CODE XREF: SmKmStoreFileGetExtents(x,x,x,x,x,x,x,x,x,x)+270j
		push	[ebp+var_70]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
_SmKmStoreFileGetExtents@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmStoreFileMakeSecurityDescriptor(x, x)
_SmKmStoreFileMakeSecurityDescriptor@8 proc near
					; CODE XREF: SmKmStoreFileCreateForIoType(x,x,x,x,x)+7Ap

var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_10], edx
		push	53446D73h
		push	0Ch
		push	1
		mov	[ebp+var_C], ecx
		mov	ebx, eax
		mov	[ebp+var_20], eax
		mov	edi, eax
		mov	[ebp+var_1C], 100h
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], 500h
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_9E6E19
		mov	esi, 0C000009Ah
		jmp	loc_9E6FB8
; 

loc_9E6E19:				; CODE XREF: SmKmStoreFileMakeSecurityDescriptor(x,x)+3Fj
		push	1
		lea	ecx, [ebp+var_20]
		push	ecx
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E6F87
		push	53446D73h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_9E6E4E

loc_9E6E44:				; CODE XREF: SmKmStoreFileMakeSecurityDescriptor(x,x)+A8j
					; SmKmStoreFileMakeSecurityDescriptor(x,x)+126j
		mov	esi, 0C000009Ah
		jmp	loc_9E6F87
; 

loc_9E6E4E:				; CODE XREF: SmKmStoreFileMakeSecurityDescriptor(x,x)+74j
		push	1
		lea	ecx, [ebp+var_18]
		push	ecx
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E6F87
		push	53446D73h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_9E6E44
		push	2
		lea	eax, [ebp+var_18]
		push	eax
		push	ebx
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E6F87
		xor	esi, esi
		push	esi
		push	[ebp+var_4]
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	edi, [ebp+var_8]
		push	esi
		push	edi
		mov	[eax], esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	esi
		push	ebx
		mov	dword ptr [eax], 12h
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	1
		push	ebx
		mov	dword ptr [eax], 20h
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	ebx
		mov	dword ptr [eax], 220h
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	edi
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	[ebp+var_4]
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 20h
		push	61446D73h
		add	esi, eax
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9E6E44
		push	2		; int
		push	esi		; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E6F87
		push	0
		push	ebx
		push	1F01FFh
		push	0
		push	2
		pop	edx
		mov	ecx, edi
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	short loc_9E6F87
		push	0
		push	[ebp+var_8]
		mov	ecx, edi
		push	1F01FFh
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	short loc_9E6F87
		push	0
		push	[ebp+var_4]
		mov	ecx, edi
		push	10000h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	short loc_9E6F87
		push	1
		push	[ebp+var_C]
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E6F87
		push	0
		push	edi
		push	1
		push	[ebp+var_C]
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_9E6F87
		mov	eax, [ebp+var_10]
		mov	[eax], edi
		xor	edi, edi
		xor	esi, esi

loc_9E6F87:				; CODE XREF: SmKmStoreFileMakeSecurityDescriptor(x,x)+5Bj
					; SmKmStoreFileMakeSecurityDescriptor(x,x)+7Bj	...
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_9E6FA0
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E6FA0:				; CODE XREF: SmKmStoreFileMakeSecurityDescriptor(x,x)+1C8j
		test	ebx, ebx
		jz	short loc_9E6FAC
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E6FAC:				; CODE XREF: SmKmStoreFileMakeSecurityDescriptor(x,x)+1D4j
		test	edi, edi
		jz	short loc_9E6FB8
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E6FB8:				; CODE XREF: SmKmStoreFileMakeSecurityDescriptor(x,x)+46j
					; SmKmStoreFileMakeSecurityDescriptor(x,x)+1E0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SmKmStoreFileMakeSecurityDescriptor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmStoreFileOpenVolume(x, x, x)
_SmKmStoreFileOpenVolume@12 proc near	; CODE XREF: SmKmEtwAppendProductName(x,x)+33p
					; SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+328p ...

var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 240h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		mov	[ebp+var_21C], eax
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_240]
		rep stosd
		mov	ebx, edx
		lea	eax, [ebp+var_20C]
		xor	edx, edx
		mov	edi, 1FCh
		push	edi		; size_t
		push	edx		; int
		push	eax		; void *
		mov	[ebp+var_228], edx
		mov	[ebp+var_224], edx
		mov	[ebp+var_218], edx
		call	_memset
		and	[ebp+var_210], 0
		add	esp, 0Ch
		push	0
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	byte ptr [ebp+var_220],	al
		lea	eax, [ebp+var_218]
		push	eax
		push	edi
		lea	eax, [ebp+var_20C]
		push	eax
		push	dword ptr [esi+4]
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9E70F9
		xor	esi, esi
		mov	[ebp+var_240], 18h
		push	esi
		push	esi
		push	20h
		push	1
		push	7
		push	esi
		lea	eax, [ebp+var_20C]
		mov	[ebp+var_23C], esi
		mov	[ebp+var_238], eax
		lea	eax, [ebp+var_228]
		push	esi
		push	eax
		lea	eax, [ebp+var_240]
		mov	[ebp+var_234], 240h
		push	eax
		push	100080h
		lea	eax, [ebp+var_210]
		mov	[ebp+var_230], esi
		push	eax
		mov	[ebp+var_22C], esi
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9E70F9
		push	esi
		lea	eax, [ebp+var_214]
		mov	[ebp+var_214], esi
		push	eax
		push	esi
		push	esi
		push	3
		push	[ebp+var_210]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [ebp+var_214]
		mov	edi, eax
		test	edi, edi
		js	short loc_9E70EE
		push	esi
		call	IoGetRelatedDeviceObject
		mov	ecx, [ebp+var_21C]
		mov	[ebx], esi
		xor	esi, esi
		mov	[ecx], eax

loc_9E70EE:				; CODE XREF: SmKmStoreFileOpenVolume(x,x,x)+11Bj
		test	esi, esi
		jz	short loc_9E70F9
		mov	ecx, esi
		call	ObfDereferenceObject

loc_9E70F9:				; CODE XREF: SmKmStoreFileOpenVolume(x,x,x)+8Bj
					; SmKmStoreFileOpenVolume(x,x,x)+F2j ...
		cmp	[ebp+var_210], 0
		jz	short loc_9E710D
		push	[ebp+var_210]
		call	_ZwClose@4	; ZwClose(x)

loc_9E710D:				; CODE XREF: SmKmStoreFileOpenVolume(x,x,x)+141j
		push	[ebp+var_220]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_SmKmStoreFileOpenVolume@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmStoreFileWriteHeader(x,	x, x, x)
_SmKmStoreFileWriteHeader@16 proc near	; CODE XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+347p

var_50		= dword	ptr -50h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_30], edx
		xor	edx, edx
		mov	[ebp+var_24], esi
		push	6
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_2C], edx
		lea	edi, [ebp+var_20]
		mov	[ebp+var_28], edx
		rep stosd
		push	edx
		mov	[ebp+var_40], edx
		mov	ebx, edx
		mov	[ebp+var_3C], edx
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	edx, 68466D73h
		mov	byte ptr [ebp+var_34], al
		mov	ecx, 10000h
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9E718A
		mov	esi, 0C000009Ah
		jmp	loc_9E72BD
; 

loc_9E718A:				; CODE XREF: SmKmStoreFileWriteHeader(x,x,x,x)+53j
		cmp	[ebp+var_30], ebx
		jnz	short loc_9E71BA
		push	10000h
		push	edi
		push	0
		call	_MmCreateMdl@12	; MmCreateMdl(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9E71AC
		mov	esi, 0C000009Ah
		jmp	loc_9E72AA
; 

loc_9E71AC:				; CODE XREF: SmKmStoreFileWriteHeader(x,x,x,x)+75j
		push	ebx
		call	MmBuildMdlForNonPagedPool
		push	1
		push	ebx
		call	_MmMdlPageContentsState@8 ; MmMdlPageContentsState(x,x)

loc_9E71BA:				; CODE XREF: SmKmStoreFileWriteHeader(x,x,x,x)+62j
		push	10000h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [edi], 45634D67h
		mov	dword ptr [edi+4], 3
		mov	dword ptr [edi+28h], 1
		push	30h
		push	edi
		push	0
		call	_RtlComputeCrc32@12 ; RtlComputeCrc32(x,x,x)
		cmp	[ebp+var_30], 0
		mov	[edi+8], eax
		mov	eax, [esi]
		jnz	short loc_9E7257
		push	5
		push	18h
		lea	ecx, [ebp+var_20]
		push	ecx
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	eax
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_9E7227
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		mov	eax, [ebp+var_24]
		mov	eax, [eax+4]
		add	eax, 5Ch
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [ebp+var_2C]

loc_9E7227:				; CODE XREF: SmKmStoreFileWriteHeader(x,x,x,x)+E2j
		test	esi, esi
		js	short loc_9E72AA
		push	0
		push	0
		lea	eax, [ebp+var_50]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		mov	eax, [ebp+var_24]
		push	ebx
		push	dword ptr [eax+4]
		call	_IoSynchronousPageWrite@20 ; IoSynchronousPageWrite(x,x,x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_50]
		jmp	short loc_9E727C
; 

loc_9E7257:				; CODE XREF: SmKmStoreFileWriteHeader(x,x,x,x)+C6j
		xor	edx, edx
		lea	ecx, [ebp+var_40]
		push	edx
		push	ecx
		push	10000h
		push	edi
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	edx
		push	edx
		push	edx
		push	eax
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_24]
		mov	eax, [eax+4]
		add	eax, 5Ch

loc_9E727C:				; CODE XREF: SmKmStoreFileWriteHeader(x,x,x,x)+12Aj
		cmp	esi, 103h
		jnz	short loc_9E7293
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [ebp+var_2C]

loc_9E7293:				; CODE XREF: SmKmStoreFileWriteHeader(x,x,x,x)+157j
		test	esi, esi
		js	short loc_9E72AA
		mov	esi, [ebp+var_28]
		sub	esi, 10000h
		neg	esi
		sbb	esi, esi
		and	esi, 0C000016Ah

loc_9E72AA:				; CODE XREF: SmKmStoreFileWriteHeader(x,x,x,x)+7Cj
					; SmKmStoreFileWriteHeader(x,x,x,x)+FEj ...
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)
		test	ebx, ebx
		jz	short loc_9E72BD
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9E72BD:				; CODE XREF: SmKmStoreFileWriteHeader(x,x,x,x)+5Aj
					; SmKmStoreFileWriteHeader(x,x,x,x)+188j
		push	[ebp+var_34]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_SmKmStoreFileWriteHeader@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmKmVolumeQueryUniqueId(x, x, x, x)
_SmKmVolumeQueryUniqueId@16 proc near	; CODE XREF: SmKmEtwAppendProductName(x,x)+68p
					; SmcCacheStart(x,x,x)+134p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		push	0
		mov	edi, edx
		mov	esi, ecx
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		push	ecx
		push	[ebp+arg_0]
		mov	edx, esi
		mov	byte ptr [ebp+var_4], al
		push	edi
		push	ecx
		push	ecx
		call	_SmKmSendDeviceControl@28 ; SmKmSendDeviceControl(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E732F
		movzx	esi, word ptr [edi]
		cmp	esi, 2
		jnb	short loc_9E7312
		mov	esi, 0C0000446h
		jmp	short loc_9E732F
; 

loc_9E7312:				; CODE XREF: SmKmVolumeQueryUniqueId(x,x,x,x)+31j
		push	esi		; size_t
		lea	eax, [edi+2]
		push	eax		; void *
		push	edi		; void *
		call	_memmove
		and	esi, 0FFFFFFFEh
		add	esp, 0Ch
		mov	ecx, edi
		lea	edx, [esi+2]
		call	_SmSanitizeString@8 ; SmSanitizeString(x,x)
		xor	esi, esi

loc_9E732F:				; CODE XREF: SmKmVolumeQueryUniqueId(x,x,x,x)+29j
					; SmKmVolumeQueryUniqueId(x,x,x,x)+38j
		push	[ebp+var_4]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	8
_SmKmVolumeQueryUniqueId@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmCrEncStart(x, x, x, x)
_SmCrEncStart@16 proc near		; CODE XREF: ST_STORE_SM_TRAITS___StStart+F8879p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_C], edx
		push	1
		push	eax
		mov	edx, (offset loc_8BF9DF+1)
		mov	[ebp+var_8], eax
		mov	esi, ecx
		mov	[ebp+var_4], eax
		call	_BCryptOpenAlgorithmProvider@16	; BCryptOpenAlgorithmProvider(x,x,x,x)
		test	eax, eax
		js	loc_9E7478
		push	edi
		push	ecx
		lea	eax, [ebp+var_8]
		mov	edx, offset ??_C@_1BI@JJDKEEML@?$AAB?$AAl?$AAo?$AAc?$AAk?$AAL?$AAe?$AAn?$AAg?$AAt?$AAh@NNGAKEGL@
		push	eax
		push	ecx
		mov	ecx, [esi]
		lea	edi, [esi+4]
		push	edi
		call	_BCryptGetProperty@24 ;	BCryptGetProperty(x,x,x,x,x,x)
		test	eax, eax
		js	loc_9E7477
		mov	ecx, [edi]
		test	ecx, ecx
		jz	loc_9E7472
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	loc_9E7472
		mov	ebx, [ebp+arg_0]
		mov	edx, 52436D73h
		mov	ecx, ebx
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	[esi+8], eax
		test	eax, eax
		jz	short loc_9E7428
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	short loc_9E73C9
		push	ebx		; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_9E73DA
; 

loc_9E73C9:				; CODE XREF: SmCrEncStart(x,x,x,x)+7Bj
		mov	edx, ebx
		mov	ecx, eax
		call	_SmCrGenRandom@8 ; SmCrGenRandom(x,x)
		test	eax, eax
		js	loc_9E7477

loc_9E73DA:				; CODE XREF: SmCrEncStart(x,x,x,x)+88j
		mov	ecx, [edi]
		mov	[esi+0Ch], ebx
		mov	ebx, 52436D73h
		mov	edx, ebx
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	[esi+18h], eax
		test	eax, eax
		jz	short loc_9E7428
		push	dword ptr [edi]	; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		pop	ecx
		pop	ecx
		lea	eax, [ebp+var_8]
		mov	edx, offset ??_C@_1BK@GPNIFMAA@?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAL?$AAe?$AAn?$AAg?$AAt?$AAh@NNGAKEGL@ ;	"ObjectLength"
		push	eax
		push	ecx
		mov	ecx, [esi]
		lea	eax, [ebp+var_4]
		push	eax
		call	_BCryptGetProperty@24 ;	BCryptGetProperty(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9E7477
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	[esi+14h], eax
		test	eax, eax
		jnz	short loc_9E742F

loc_9E7428:				; CODE XREF: SmCrEncStart(x,x,x,x)+74j
					; SmCrEncStart(x,x,x,x)+B1j
		mov	eax, 0C000009Ah
		jmp	short loc_9E7477
; 

loc_9E742F:				; CODE XREF: SmCrEncStart(x,x,x,x)+E7j
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		pop	ecx
		pop	ecx
		mov	ecx, [esi]
		mov	edx, offset ??_C@_1BK@BCJKEJJO@?$AAC?$AAh?$AAa?$AAi?$AAn?$AAi?$AAn?$AAg?$AAM?$AAo?$AAd?$AAe@NNGAKEGL@ ;	"ChainingMode"
		push	20h
		push	offset ??_C@_1CA@PIHAAGPJ@?$AAC?$AAh?$AAa?$AAi?$AAn?$AAi?$AAn?$AAg?$AAM?$AAo?$AAd?$AAe?$AAC?$AAC?$AAM@NNGAKEGL@
		call	_BCryptSetProperty@20 ;	BCryptSetProperty(x,x,x,x,x)
		test	eax, eax
		js	short loc_9E7477
		push	ecx
		push	dword ptr [esi+0Ch]
		mov	ecx, [esi]
		lea	edx, [esi+10h]
		push	dword ptr [esi+8]
		push	[ebp+var_4]
		push	dword ptr [esi+14h]
		call	_BCryptGenerateSymmetricKey@28 ; BCryptGenerateSymmetricKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9E7477
		xor	eax, eax
		jmp	short loc_9E7477
; 

loc_9E7472:				; CODE XREF: SmCrEncStart(x,x,x,x)+4Fj
					; SmCrEncStart(x,x,x,x)+5Aj
		mov	eax, 0C0000173h

loc_9E7477:				; CODE XREF: SmCrEncStart(x,x,x,x)+45j
					; SmCrEncStart(x,x,x,x)+95j ...
		pop	edi

loc_9E7478:				; CODE XREF: SmCrEncStart(x,x,x,x)+26j
		pop	esi
		pop	ebx
		leave
		retn	8
_SmCrEncStart@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcCacheAdd(x, x, x)
_SmcCacheAdd@12	proc near		; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+145p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	eax, ecx
		mov	[ebp+var_4], edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], eax
		mov	ebx, edi
		lea	esi, [eax+8]

loc_9E7497:				; CODE XREF: SmcCacheAdd(x,x,x)+A9j
		cmp	[esi-8], edi
		jnz	loc_9E7520
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		cmp	[esi-8], edi
		jnz	short loc_9E74FB
		mov	edx, [ebp+var_4]
		mov	[esi-8], edx

loc_9E74C2:				; CODE XREF: SmcCacheAdd(x,x,x)+67j
		mov	eax, [esi+4]
		lea	ecx, [eax+1]
		xor	ecx, eax
		and	ecx, 0FFFh
		xor	ecx, eax
		mov	[esi+4], ecx
		and	ecx, 0FFFh
		shl	ecx, 4
		or	ecx, ebx
		mov	[edx], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_9E74C2
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], edi
		mov	[eax], ecx
		lea	ecx, [esi-4]
		xor	eax, eax
		xchg	eax, [ecx]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)

loc_9E74FB:				; CODE XREF: SmcCacheAdd(x,x,x)+3Cj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E750F
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E750F:				; CODE XREF: SmcCacheAdd(x,x,x)+88j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[ebp+var_4], edi
		jz	short loc_9E753B

loc_9E7520:				; CODE XREF: SmcCacheAdd(x,x,x)+1Cj
		inc	ebx
		add	esi, 10h
		cmp	ebx, 10h
		jb	loc_9E7497
		mov	edi, 0C0000099h

loc_9E7532:				; CODE XREF: SmcCacheAdd(x,x,x)+CDj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_9E753B:				; CODE XREF: SmcCacheAdd(x,x,x)+A0j
		mov	eax, [ebp+var_8]
		push	edi
		push	edi
		push	dword ptr [eax+114h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_9E7532
_SmcCacheAdd@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcCacheCleanup(x, x)
_SmcCacheCleanup@8 proc	near		; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+1E2p
					; SmcCacheDelete(x,x)+1Ap
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		push	10h
		pop	ebx
		lea	esi, [edi+84h]

loc_9E7564:				; CODE XREF: SmcCacheCleanup(x,x)+37j
		mov	edx, [esi-8]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_9E757E
		mov	ecx, [esi-4]
		and	ecx, 3
		call	_SmStoreDelete@8 ; SmStoreDelete(x,x)
		mov	ecx, [esi]
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_9E757E:				; CODE XREF: SmcCacheCleanup(x,x)+1Dj
		add	esi, 10h
		sub	ebx, 1
		jnz	short loc_9E7564
		lea	esi, [edi+28h]
		cmp	[esi], ebx
		jz	short loc_9E7599
		cmp	[edi+2Ch], ebx
		jz	short loc_9E7599
		mov	ecx, esi
		call	_SmKmStoreFileDelete@4 ; SmKmStoreFileDelete(x)

loc_9E7599:				; CODE XREF: SmcCacheCleanup(x,x)+3Ej
					; SmcCacheCleanup(x,x)+43j
		mov	ecx, esi
		call	_SmKmFileInfoCleanup@4 ; SmKmFileInfoCleanup(x)
		lea	ecx, [edi+48h]
		call	_StEtaCleanup@4	; StEtaCleanup(x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_SmcCacheCleanup@8 endp


;  S U B	R O U T	I N E 


; __stdcall SmcCacheDelete(x, x)
_SmcCacheDelete@8 proc near		; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+1FEp
					; SmcProcessDeleteRequest(x,x,x,x)+5Fp	...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		call	_SmcCacheRemove@8 ; SmcCacheRemove(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9E75C7
		mov	eax, 0C0000059h
		jmp	short loc_9E75E6
; 

loc_9E75C7:				; CODE XREF: SmcCacheDelete(x,x)+Fj
		mov	ecx, esi
		call	_SmcCacheCleanup@8 ; SmcCacheCleanup(x,x)
		mov	ecx, esi
		call	_CmpFreePool@4	; CmpFreePool(x)
		push	0
		push	0
		push	dword ptr [edi+114h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		xor	eax, eax

loc_9E75E6:				; CODE XREF: SmcCacheDelete(x,x)+16j
		pop	edi
		pop	esi
		retn
_SmcCacheDelete@8 endp


;  S U B	R O U T	I N E 


; int __fastcall SmcCacheInitialize(void *)
_SmcCacheInitialize@4 proc near		; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+10Dp
		mov	edi, edi
		push	ebx
		push	esi
		push	380h		; size_t
		mov	esi, ecx
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [esi+48h]	; void *
		call	_RtlpFcInitializeBuffers@4 ; RtlpFcInitializeBuffers(x)
		and	dword ptr [esi+78h], 0
		add	esi, 7Ch
		lea	ebx, [esi+100h]
		cmp	esi, ebx
		jnb	short loc_9E7638
		push	edi
		lea	edi, [esi+0Ch]

loc_9E761C:				; CODE XREF: SmcCacheInitialize(x)+4Cj
		or	dword ptr [esi], 0FFFFFFFFh
		mov	ecx, edi
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	ecx, edi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		add	esi, 10h
		add	edi, 10h
		cmp	esi, ebx
		jb	short loc_9E761C
		pop	edi

loc_9E7638:				; CODE XREF: SmcCacheInitialize(x)+2Dj
		pop	esi
		pop	ebx
		retn
_SmcCacheInitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcCacheManagerStart(x, x)
_SmcCacheManagerStart@8	proc near	; CODE XREF: SmcCacheCreatePrepare(x)+55p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[esp+38h+var_24], edx
		mov	ebx, ecx
		mov	[esp+38h+var_20], esi
		push	6
		pop	ecx
		xor	eax, eax
		mov	[esp+38h+var_1C], esi
		lea	edi, [esp+38h+var_18]
		mov	[esp+38h+var_28], esi
		rep stosd

loc_9E7668:				; CODE XREF: SmcCacheManagerStart(x,x)+75j
		imul	edi, esi, 0Ch
		add	edi, offset unk_718438
		mov	eax, [edi]
		test	al, 1
		jnz	short loc_9E76AC
		test	esi, esi
		jnz	short loc_9E7693
		lea	eax, [edi+8]
		push	eax
		lea	edx, [edi+4]
		call	_SmpUtilsGetControlDevice@12 ; SmpUtilsGetControlDevice(x,x,x)
		test	eax, eax
		js	loc_9E773C
		mov	eax, [edi]
		jmp	short loc_9E7698
; 

loc_9E7693:				; CODE XREF: SmcCacheManagerStart(x,x)+3Ej
		cmp	esi, 1
		jnz	short loc_9E769F

loc_9E7698:				; CODE XREF: SmcCacheManagerStart(x,x)+56j
		or	eax, 1
		mov	[edi], eax
		jmp	short loc_9E76AC
; 

loc_9E769F:				; CODE XREF: SmcCacheManagerStart(x,x)+5Bj
		mov	eax, 0C000000Dh
		test	eax, eax
		js	loc_9E773C

loc_9E76AC:				; CODE XREF: SmcCacheManagerStart(x,x)+3Aj
					; SmcCacheManagerStart(x,x)+62j
		inc	esi
		cmp	esi, 2
		jb	short loc_9E7668
		push	ecx
		push	ecx
		mov	edx, offset ??_C@_1MK@ENOAMLHH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		lea	ecx, [esp+40h+var_20]
		call	sub_673E8F
		xor	esi, esi
		mov	[esp+38h+var_18], 18h
		push	esi
		push	esi
		push	esi
		lea	eax, [esp+44h+var_20]
		mov	[esp+44h+var_14], esi
		mov	[esp+44h+var_10], eax
		lea	eax, [esp+44h+var_18]
		push	esi
		push	eax
		push	20006h
		lea	eax, [esp+50h+var_28]
		mov	[esp+50h+var_C], 240h
		push	eax
		mov	[esp+54h+var_8], esi
		mov	[esp+54h+var_4], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9E773C
		push	[esp+38h+var_28]
		call	_ZwClose@4	; ZwClose(x)
		push	ecx
		push	ecx
		mov	edx, offset ??_C@_1NO@EEHJNDKA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		lea	ecx, [esp+40h+var_20]
		call	sub_673E8F
		lea	ecx, [ebx+100h]
		lea	edx, [esp+38h+var_20]
		call	_SmKmKeyGenStart@8 ; SmKmKeyGenStart(x,x)
		test	eax, eax
		js	short loc_9E773C
		mov	eax, [esp+38h+var_24]
		mov	[ebx+114h], eax
		mov	eax, esi

loc_9E773C:				; CODE XREF: SmcCacheManagerStart(x,x)+4Ej
					; SmcCacheManagerStart(x,x)+6Bj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_SmcCacheManagerStart@8	endp


;  S U B	R O U T	I N E 


; __stdcall SmcCacheReference(x, x)
_SmcCacheReference@8 proc near		; CODE XREF: SmcGetCacheStats(x,x)+2Dp
					; SmcStoreCreate(x,x,x,x,x)+44p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	ebx, ebx
		mov	esi, edi
		and	esi, 0Fh
		shl	esi, 4
		add	esi, ecx
		lea	ecx, [esi+4]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		mov	dl, al
		test	dl, dl
		jz	short loc_9E7783
		mov	eax, [esi+0Ch]
		and	eax, 0FFFh
		shr	edi, 4
		cmp	eax, edi
		jnz	short loc_9E7777
		mov	ebx, [esi]
		xor	dl, dl

loc_9E7777:				; CODE XREF: SmcCacheReference(x,x)+2Ej
		test	dl, dl
		jz	short loc_9E7783
		lea	ecx, [esi+4]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_9E7783:				; CODE XREF: SmcCacheReference(x,x)+1Fj
					; SmcCacheReference(x,x)+36j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
_SmcCacheReference@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcCacheRemove(x, x)
_SmcCacheRemove@8 proc near		; CODE XREF: SmcCacheDelete(x,x)+6p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, esi
		and	edi, 0Fh
		shl	edi, 4
		add	edi, ecx
		dec	word ptr [eax+13Ch]
		nop
		lea	ebx, [edi+8]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [edi+0Ch]
		and	eax, 0FFFh
		shr	esi, 4
		cmp	esi, eax
		jnz	short loc_9E77DF
		cmp	dword ptr [edi], 0
		jz	short loc_9E77DF
		lea	ecx, [edi+4]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	esi, [edi]
		and	dword ptr [edi], 0
		jmp	short loc_9E77E2
; 

loc_9E77DF:				; CODE XREF: SmcCacheRemove(x,x)+40j
					; SmcCacheRemove(x,x)+45j
		mov	esi, [ebp+var_4]

loc_9E77E2:				; CODE XREF: SmcCacheRemove(x,x)+54j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E77F6
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E77F6:				; CODE XREF: SmcCacheRemove(x,x)+64j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SmcCacheRemove@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcCacheStart(x, x,	x)
_SmcCacheStart@12 proc near		; CODE XREF: SmcProcessCreateRequest(x,x,x,x)+127p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		and	[esp+1Ch+var_18], 0
		and	[esp+1Ch+var_10], 0
		push	ebx
		mov	ebx, ecx
		mov	[esp+20h+var_C], edx
		mov	ecx, [edx+8]
		push	esi
		push	edi
		test	ecx, ecx
		jz	loc_9E795D
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	loc_9E795D
		mov	esi, [edx]
		mov	eax, esi
		mov	ecx, [edx+4]
		or	eax, ecx
		jnz	short loc_9E7852
		mov	esi, 0C000000Dh
		jmp	loc_9E796F
; 

loc_9E7852:				; CODE XREF: SmcCacheStart(x,x,x)+3Dj
		cmp	ecx, 8
		jb	short loc_9E7867
		ja	short loc_9E785D
		test	esi, esi
		jz	short loc_9E7867

loc_9E785D:				; CODE XREF: SmcCacheStart(x,x,x)+4Ej
		mov	esi, 0C0000904h
		jmp	loc_9E796F
; 

loc_9E7867:				; CODE XREF: SmcCacheStart(x,x,x)+4Cj
					; SmcCacheStart(x,x,x)+52j
		push	6
		pop	ecx
		mov	esi, edx
		lea	edi, [ebx+10h]
		rep movsd
		mov	eax, [edx+0Ch]
		mov	ecx, [ebx+18h]
		and	eax, 1
		mov	[esp+28h+var_14], eax
		mov	eax, [edx]
		mov	edi, [ebp+arg_0]
		mov	[esp+28h+var_8], eax
		and	edi, 1
		mov	eax, [edx+4]
		mov	edx, [ebp+arg_0]
		mov	[esp+28h+var_4], eax
		lea	eax, [esp+28h+var_18]
		push	eax
		lea	eax, [ebx+8]
		push	eax
		lea	eax, [ebx+4]
		push	eax
		lea	eax, [ebx+28h]
		push	eax
		lea	eax, [esp+38h+var_14]
		push	eax
		push	ecx
		lea	eax, [esp+40h+var_8]
		push	eax
		push	ecx
		push	ecx
		call	_SmKmStoreFileCreate@44	; SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E796F
		mov	eax, [ebp+arg_0]
		and	eax, 0FFFFFFFEh
		neg	edi
		sbb	edi, edi
		test	edi, eax
		jz	short loc_9E78EE
		mov	ecx, [esp+28h+var_C]
		mov	eax, [esp+28h+var_8]
		cmp	eax, [ecx]
		jnz	short loc_9E78E4
		mov	eax, [esp+28h+var_4]
		cmp	eax, [ecx+4]
		jz	short loc_9E78EE

loc_9E78E4:				; CODE XREF: SmcCacheStart(x,x,x)+D0j
		mov	esi, 0C0000020h
		jmp	loc_9E796F
; 

loc_9E78EE:				; CODE XREF: SmcCacheStart(x,x,x)+C4j
					; SmcCacheStart(x,x,x)+D9j
		mov	ecx, [esp+28h+var_18]
		mov	eax, [ebx+1Ch]
		and	ecx, 1
		add	ecx, ecx
		and	eax, 0FFFFFFFCh
		or	ecx, eax
		mov	eax, [esp+28h+var_14]
		and	eax, 1
		or	ecx, eax
		mov	[ebx+1Ch], ecx
		mov	ecx, [ebx+34h]
		mov	[esp+28h+var_14], ecx
		test	ecx, ecx
		jnz	short loc_9E7931
		mov	ecx, [ebx+2Ch]
		lea	eax, [esp+28h+var_14]
		push	eax
		lea	edx, [esp+2Ch+var_10]
		call	_SmKmStoreFileOpenVolume@12 ; SmKmStoreFileOpenVolume(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E7962
		mov	ecx, [esp+28h+var_14]

loc_9E7931:				; CODE XREF: SmcCacheStart(x,x,x)+10Bj
		push	ecx
		push	200h
		lea	edx, [ebx+17Ch]
		call	_SmKmVolumeQueryUniqueId@16 ; SmKmVolumeQueryUniqueId(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E7962
		mov	edx, [ebx+18h]
		lea	ecx, [ebx+48h]
		call	StEtaHelper__StartHelper
		mov	esi, eax
		test	esi, esi
		js	short loc_9E7962
		xor	esi, esi
		jmp	short loc_9E7962
; 

loc_9E795D:				; CODE XREF: SmcCacheStart(x,x,x)+23j
					; SmcCacheStart(x,x,x)+2Ej
		mov	esi, 0C000000Dh

loc_9E7962:				; CODE XREF: SmcCacheStart(x,x,x)+122j
					; SmcCacheStart(x,x,x)+13Dj ...
		mov	ecx, [esp+28h+var_10]
		test	ecx, ecx
		jz	short loc_9E796F
		call	ObfDereferenceObject

loc_9E796F:				; CODE XREF: SmcCacheStart(x,x,x)+44j
					; SmcCacheStart(x,x,x)+59j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_SmcCacheStart@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcGetCacheStats(x,	x)
_SmcGetCacheStats@8 proc near		; CODE XREF: SmcProcessStatsRequest(x,x,x,x,x)+A8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		push	460h		; size_t
		push	0		; int
		mov	[ebp+var_8], ebx
		lea	esi, [ebx+8]
		mov	[ebp+var_C], edi
		push	esi		; void *
		call	_memset
		mov	edx, [ebx+4]
		add	esp, 0Ch
		mov	ecx, edi
		call	_SmcCacheReference@8 ; SmcCacheReference(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9E79BC
		mov	ebx, 0C0000098h
		jmp	loc_9E7AA2
; 

loc_9E79BC:				; CODE XREF: SmcGetCacheStats(x,x)+36j
		mov	ecx, [esi+14h]
		and	ecx, 0FFFFFFC1h
		or	ecx, 1
		mov	[esi+14h], ecx
		mov	eax, [edi+10h]
		mov	[esi], eax
		mov	eax, [edi+14h]
		mov	[esi+4], eax
		mov	eax, [edi+8]
		mov	[esi+0Ch], eax
		mov	eax, [edi+18h]
		mov	[esi+10h], eax
		mov	eax, [edi+20h]
		mov	[esi+5Ch], eax
		mov	eax, [edi+1Ch]
		shl	eax, 6
		xor	eax, ecx
		and	eax, 40h
		xor	eax, ecx
		mov	[esi+14h], eax
		test	dword ptr [ebx], 100h
		jnz	short loc_9E7A13
		push	400h		; size_t
		lea	edx, [esi+60h]
		lea	ecx, [edi+28h]
		call	_SmKmFileInfoGetPath@12	; SmKmFileInfoGetPath(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9E7A89

loc_9E7A13:				; CODE XREF: SmcGetCacheStats(x,x)+81j
		mov	eax, large fs:124h
		xor	ebx, ebx
		and	[esi+58h], ebx
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [edi+78h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	ExAcquirePushLockSharedEx
		push	10h
		lea	ecx, [esi+18h]
		add	edi, 7Ch
		pop	edx

loc_9E7A3E:				; CODE XREF: SmcGetCacheStats(x,x)+E6j
		mov	eax, [edi]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9E7A5A
		mov	[ecx], eax
		test	byte ptr [edi+4], 3
		jnz	short loc_9E7A56
		mov	eax, [esi+58h]
		bts	eax, ebx
		mov	[esi+58h], eax

loc_9E7A56:				; CODE XREF: SmcGetCacheStats(x,x)+D1j
		inc	ebx
		add	ecx, 4

loc_9E7A5A:				; CODE XREF: SmcGetCacheStats(x,x)+C9j
		add	edi, 10h
		sub	edx, 1
		jnz	short loc_9E7A3E
		mov	edi, [ebp+var_4]
		push	11h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_9E7A78
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9E7A78:				; CODE XREF: SmcGetCacheStats(x,x)+F5j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	[esi+8], ebx
		xor	ebx, ebx

loc_9E7A89:				; CODE XREF: SmcGetCacheStats(x,x)+97j
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		add	ecx, 4
		mov	eax, [eax+4]
		and	eax, 0Fh
		shl	eax, 4
		add	ecx, eax
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_9E7AA2:				; CODE XREF: SmcGetCacheStats(x,x)+3Dj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_SmcGetCacheStats@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcStoreCreate(x, x, x, x, x)
_SmcStoreCreate@20 proc	near		; CODE XREF: SmcProcessStoreCreateRequest(x,x,x,x)+B0p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+80h+var_6C], edx
		mov	edx, [ebp+arg_4]
		lea	edi, [esp+80h+var_50]
		mov	ebx, ecx
		mov	[esp+80h+var_60], eax
		push	8
		pop	ecx
		rep stosd
		mov	ecx, ebx
		mov	[esp+80h+var_64], ebx
		mov	[esp+80h+var_5C], eax
		mov	[esp+80h+var_58], eax
		mov	[esp+80h+var_54], eax
		mov	[esp+80h+var_1C], eax
		mov	[esp+80h+var_70], eax
		mov	[esp+80h+var_68], eax
		call	_SmcCacheReference@8 ; SmcCacheReference(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9E7B02
		mov	esi, 0C0000098h
		jmp	loc_9E7C40
; 

loc_9E7B02:				; CODE XREF: SmcStoreCreate(x,x,x,x,x)+4Dj
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jnz	short loc_9E7B16
		mov	esi, 0C000000Dh
		jmp	loc_9E7C1A
; 

loc_9E7B16:				; CODE XREF: SmcStoreCreate(x,x,x,x,x)+61j
		mov	eax, [ebx+18h]
		cmp	eax, [esi+8]
		jz	short loc_9E7B28

loc_9E7B1E:				; CODE XREF: SmcStoreCreate(x,x,x,x,x)+82j
		mov	esi, 0C00000BBh
		jmp	loc_9E7C1A
; 

loc_9E7B28:				; CODE XREF: SmcStoreCreate(x,x,x,x,x)+73j
		cmp	byte ptr [esi],	1
		jnz	short loc_9E7B1E
		push	ecx
		mov	ecx, ebx
		call	_SmcStoreSlotReserve@12	; SmcStoreSlotReserve(x,x,x)
		mov	[esp+80h+var_74], eax
		test	eax, eax
		jnz	short loc_9E7B47
		mov	esi, 0C000007Fh
		jmp	loc_9E7C1A
; 

loc_9E7B47:				; CODE XREF: SmcStoreCreate(x,x,x,x,x)+92j
		mov	eax, [ebx+8]
		lea	edi, [esp+80h+var_30]
		movsd
		lea	ecx, [esp+80h+var_60]
		movsd
		movsd
		movsd
		mov	edi, [ebx+1Ch]
		mov	[esp+80h+var_24], eax
		mov	eax, [ebx+4]
		mov	[esp+80h+var_18], eax
		mov	eax, [ebx+20h]
		and	[esp+80h+var_40], 0
		and	[esp+80h+var_3C], 0
		mov	[esp+80h+var_20], eax
		mov	eax, [ebx+28h]
		mov	[esp+80h+var_50], eax
		mov	eax, [ebx+2Ch]
		mov	[esp+80h+var_4C], eax
		mov	eax, [ebx+30h]
		mov	[esp+80h+var_48], eax
		mov	eax, [ebx+34h]
		shl	edi, 0Dh
		xor	edi, [esp+80h+var_30]
		mov	[esp+80h+var_44], eax
		and	edi, 6000h
		mov	eax, [ebx+40h]
		xor	edi, [esp+80h+var_30]
		mov	[esp+80h+var_38], eax
		mov	eax, [ebx+44h]
		mov	[esp+80h+var_34], eax
		lea	eax, [esp+80h+var_50]
		mov	[esp+80h+var_30], edi
		mov	[esp+80h+var_C], eax
		call	_SmKmRegParamsLoad@4 ; SmKmRegParamsLoad(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E7C07
		test	byte ptr [ebx+1Ch], 1
		jnz	short loc_9E7BEA
		mov	eax, [esp+80h+var_5C]
		and	eax, 3
		cmp	eax, 2
		jz	short loc_9E7BE6
		cmp	eax, 1
		jnz	short loc_9E7BEA
		test	edi, 800h
		jz	short loc_9E7BEA

loc_9E7BE6:				; CODE XREF: SmcStoreCreate(x,x,x,x,x)+12Ej
		xor	edi, edi
		jmp	short loc_9E7C68
; 

loc_9E7BEA:				; CODE XREF: SmcStoreCreate(x,x,x,x,x)+122j
					; SmcStoreCreate(x,x,x,x,x)+133j ...
		mov	edi, [esp+80h+var_60]
		mov	edx, 4B456D73h
		mov	ecx, edi
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	[esp+80h+var_70], eax
		test	eax, eax
		jnz	short loc_9E7C4B
		mov	esi, 0C000009Ah

loc_9E7C07:				; CODE XREF: SmcStoreCreate(x,x,x,x,x)+11Cj
					; SmcStoreCreate(x,x,x,x,x)+1BDj
		mov	edi, [esp+80h+var_74]

loc_9E7C0B:				; CODE XREF: SmcStoreCreate(x,x,x,x,x)+202j
					; SmcStoreCreate(x,x,x,x,x)+223j
		test	edi, edi
		jz	short loc_9E7C1A
		push	0
		mov	edx, edi
		mov	ecx, ebx
		call	_SmcStoreSlotAbort@12 ;	SmcStoreSlotAbort(x,x,x)

loc_9E7C1A:				; CODE XREF: SmcStoreCreate(x,x,x,x,x)+68j
					; SmcStoreCreate(x,x,x,x,x)+7Aj ...
		mov	eax, [ebp+arg_4]
		mov	ecx, [esp+80h+var_64]
		and	eax, 0Fh
		shl	eax, 4
		add	ecx, 4
		add	ecx, eax
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	eax, [esp+80h+var_70]
		test	eax, eax
		jz	short loc_9E7C40
		mov	ecx, eax
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_9E7C40:				; CODE XREF: SmcStoreCreate(x,x,x,x,x)+54j
					; SmcStoreCreate(x,x,x,x,x)+18Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_9E7C4B:				; CODE XREF: SmcStoreCreate(x,x,x,x,x)+157j
		mov	ecx, [esp+80h+var_64]
		lea	edx, [ebx+17Ch]
		push	edi		; int
		push	eax		; void *
		lea	ecx, [ecx+100h]
		call	_SmKmKeyGenGenerate@16 ; SmKmKeyGenGenerate(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E7C07

loc_9E7C68:				; CODE XREF: SmcStoreCreate(x,x,x,x,x)+13Fj
		mov	eax, [esp+80h+var_70]
		lea	edx, [esp+80h+var_30]
		mov	[esp+80h+var_10], edi
		mov	edi, [esp+80h+var_74]
		mov	[esp+80h+var_14], eax
		mov	eax, [ebx+8]
		mov	ecx, [edi+8]
		mov	[esp+80h+var_58], eax
		lea	eax, [esp+80h+var_58]
		mov	[esp+80h+var_4], eax
		lea	eax, [ebx+48h]
		mov	[esp+80h+var_8], eax
		lea	eax, [esp+80h+var_68]
		mov	[esp+80h+var_54], ecx
		mov	ecx, [esp+80h+var_6C]
		push	eax
		call	_SmStoreCreate@12 ; SmStoreCreate(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E7C0B
		push	[esp+80h+var_6C]
		mov	esi, [esp+84h+var_68]
		mov	edx, edi
		push	esi
		mov	ecx, ebx
		call	_SmcStoreSlotCommit@16 ; SmcStoreSlotCommit(x,x,x,x)
		mov	eax, [ebp+arg_8]
		xor	edi, edi
		mov	[eax], esi
		xor	esi, esi
		jmp	loc_9E7C0B
_SmcStoreCreate@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcStoreDelete(x, x, x, x)
_SmcStoreDelete@16 proc	near		; CODE XREF: SmcProcessStoreCreateRequest(x,x,x,x)+122p
					; SmcProcessStoreDeleteRequest(x,x,x,x)+7Ap

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		xor	ecx, ecx
		push	ebx
		push	esi
		mov	[ebp+var_4], ecx
		mov	ecx, eax
		push	edi
		mov	edi, edx
		mov	[ebp+var_C], eax
		call	_SmcCacheReference@8 ; SmcCacheReference(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9E7CFF
		mov	esi, 0C0000098h
		jmp	loc_9E7DDD
; 

loc_9E7CFF:				; CODE XREF: SmcStoreDelete(x,x,x,x)+22j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ebx, [esi+78h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_SmcStoreEntryFind@12 ;	SmcStoreEntryFind(x,x,x)
		mov	esi, eax
		or	eax, 0FFFFFFFFh
		test	esi, esi
		jnz	short loc_9E7D36
		mov	esi, 0C0000098h
		jmp	short loc_9E7D9F
; 

loc_9E7D36:				; CODE XREF: SmcStoreDelete(x,x,x,x)+5Cj
		or	dword ptr [esi+4], 4
		mov	[esi], eax
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E7D4D
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E7D4D:				; CODE XREF: SmcStoreDelete(x,x,x,x)+73j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		lea	ecx, [esi+0Ch]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		lea	ecx, [esi+0Ch]
		call	@ExRundownCompleted@4 ;	ExRundownCompleted(x)
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		call	_SmStoreDelete@8 ; SmStoreDelete(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, esi
		xor	esi, esi
		mov	ecx, [eax+8]
		and	dword ptr [eax+4], 0FFFFFFFBh
		mov	[eax+8], esi
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_4], ecx

loc_9E7D9F:				; CODE XREF: SmcStoreDelete(x,x,x,x)+63j
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E7DB0
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E7DB0:				; CODE XREF: SmcStoreDelete(x,x,x,x)+D6j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, [ebp+var_C]
		and	edi, 0Fh
		add	ecx, 4
		shl	edi, 4
		add	ecx, edi
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_9E7DDD
		mov	ecx, eax
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_9E7DDD:				; CODE XREF: SmcStoreDelete(x,x,x,x)+29j
					; SmcStoreDelete(x,x,x,x)+103j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_SmcStoreDelete@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcStoreEntryFind(x, x, x)
_SmcStoreEntryFind@12 proc near		; CODE XREF: SmcStoreDelete(x,x,x,x)+50p
					; SmcStoreResize(x,x)+E2p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		lea	esi, [ecx+7Ch]
		add	ecx, 17Ch
		jmp	short loc_9E7E10
; 

loc_9E7DF7:				; CODE XREF: SmcStoreEntryFind(x,x,x)+2Cj
		mov	eax, [esi]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9E7E0D
		cmp	eax, edx
		jnz	short loc_9E7E0D
		mov	eax, [esi+4]
		and	eax, 3
		cmp	eax, [ebp+arg_0]
		jz	short loc_9E7E16

loc_9E7E0D:				; CODE XREF: SmcStoreEntryFind(x,x,x)+16j
					; SmcStoreEntryFind(x,x,x)+1Aj
		add	esi, 10h

loc_9E7E10:				; CODE XREF: SmcStoreEntryFind(x,x,x)+Fj
		cmp	esi, ecx
		jb	short loc_9E7DF7
		xor	esi, esi

loc_9E7E16:				; CODE XREF: SmcStoreEntryFind(x,x,x)+25j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_SmcStoreEntryFind@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcStorePlacementGet(x, x, x)
_SmcStorePlacementGet@12 proc near	; CODE XREF: SmcStoreResize(x,x)+121p
					; SmcStoreSlotReserve(x,x,x)+8Cp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, [ecx+8]
		mov	ebx, edx
		push	edi
		mov	edi, [ebp+arg_0]
		add	ecx, 7Ch
		mov	[ebp+var_1C], esi
		mov	[ebp+var_C], ebx
		mov	eax, [edi+8]
		mov	[ebp+var_18], eax
		lea	eax, [esi+1Fh]
		lea	esi, [ecx+100h]
		shr	eax, 5
		mov	[ebp+var_4], esi
		xor	esi, esi
		mov	[ebp+var_8], eax
		cmp	ecx, [ebp+var_4]
		jnb	short loc_9E7EA3
		mov	ebx, [ebp+var_4]

loc_9E7E5B:				; CODE XREF: SmcStorePlacementGet(x,x,x)+81j
		cmp	ecx, edi
		jz	short loc_9E7E99
		mov	edx, [ecx+8]
		test	edx, edx
		jz	short loc_9E7E99
		mov	edi, [edi+8]
		lea	eax, [edx+eax*4]
		cmp	eax, edx
		mov	[ebp+var_14], esi
		sbb	eax, eax
		not	eax
		and	eax, [ebp+var_8]
		mov	[ebp+var_10], eax
		jbe	short loc_9E7E93
		mov	ebx, eax

loc_9E7E7F:				; CODE XREF: SmcStorePlacementGet(x,x,x)+6Fj
		mov	eax, [edx]
		lea	edx, [edx+4]
		xor	[edi], eax
		inc	esi
		lea	edi, [edi+4]
		cmp	esi, ebx
		jb	short loc_9E7E7F
		mov	ebx, [ebp+var_4]
		xor	esi, esi

loc_9E7E93:				; CODE XREF: SmcStorePlacementGet(x,x,x)+5Ej
		mov	eax, [ebp+var_8]
		mov	edi, [ebp+arg_0]

loc_9E7E99:				; CODE XREF: SmcStorePlacementGet(x,x,x)+40j
					; SmcStorePlacementGet(x,x,x)+47j
		add	ecx, 10h
		cmp	ecx, ebx
		jb	short loc_9E7E5B
		mov	ebx, [ebp+var_C]

loc_9E7EA3:				; CODE XREF: SmcStorePlacementGet(x,x,x)+39j
		push	esi
		push	ebx
		lea	eax, [ebp+var_1C]
		push	eax
		call	RtlFindSetBits
		mov	edi, eax
		lea	eax, [ebp+var_1C]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_9E7ED4
		push	edi
		push	esi
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		add	edi, ebx

loc_9E7EC2:				; CODE XREF: SmcStorePlacementGet(x,x,x)+CDj
		mov	eax, [ebp+var_1C]
		sub	eax, edi
		push	eax
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		jmp	short loc_9E7F01
; 

loc_9E7ED4:				; CODE XREF: SmcStorePlacementGet(x,x,x)+99j
		push	esi
		push	1
		push	eax
		mov	ebx, esi
		call	RtlFindSetBits
		test	eax, eax
		js	short loc_9E7EFC

loc_9E7EE3:				; CODE XREF: SmcStorePlacementGet(x,x,x)+DDj
		inc	ebx
		lea	edi, [eax+1]
		cmp	ebx, [ebp+var_C]
		jz	short loc_9E7EC2
		push	edi
		push	1
		lea	eax, [ebp+var_1C]
		push	eax
		call	RtlFindSetBits
		cmp	eax, edi
		jge	short loc_9E7EE3

loc_9E7EFC:				; CODE XREF: SmcStorePlacementGet(x,x,x)+C4j
		mov	esi, 0C000007Fh

loc_9E7F01:				; CODE XREF: SmcStorePlacementGet(x,x,x)+B5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_SmcStorePlacementGet@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcStoreResize(x, x)
_SmcStoreResize@8 proc near		; CODE XREF: SmcProcessResizeRequest(x,x,x,x)+8Ep

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+48h+var_1C], ecx
		lea	edi, [esp+48h+var_10]
		mov	ebx, edx
		stosd
		mov	[esp+48h+var_24], ebx
		mov	edx, [ebx+4]
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[esp+48h+var_18], eax
		mov	edi, eax
		mov	[esp+48h+var_14], eax
		mov	[esp+48h+var_20], eax
		call	_SmcCacheReference@8 ; SmcCacheReference(x,x)
		mov	esi, eax
		mov	[esp+48h+var_30], esi
		test	esi, esi
		jnz	short loc_9E7F58
		mov	esi, 0C0000098h
		jmp	loc_9E8168
; 

loc_9E7F58:				; CODE XREF: SmcStoreResize(x,x)+42j
		mov	eax, [esi+8]
		cmp	[ebx+10h], eax
		jbe	short loc_9E7F6A
		mov	esi, 0C000000Dh
		jmp	loc_9E8146
; 

loc_9E7F6A:				; CODE XREF: SmcStoreResize(x,x)+54j
		add	eax, 1Fh
		mov	edx, 72436D73h
		shr	eax, 5
		mov	[esp+48h+var_28], eax
		shl	eax, 2
		mov	ecx, eax
		mov	[esp+48h+var_2C], eax
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9E7F97
		mov	esi, 0C000009Ah
		jmp	loc_9E8146
; 

loc_9E7F97:				; CODE XREF: SmcStoreResize(x,x)+81j
		test	dword ptr [ebx], 100h
		mov	eax, [esi+8]
		mov	[esp+48h+var_18], eax
		lea	eax, [esp+48h+var_18]
		mov	[esp+48h+var_14], edi
		push	eax
		jz	short loc_9E7FBF
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		or	[esp+48h+var_C], 4
		mov	[esp+48h+var_8], edi
		jmp	short loc_9E7FC4
; 

loc_9E7FBF:				; CODE XREF: SmcStoreResize(x,x)+A3j
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)

loc_9E7FC4:				; CODE XREF: SmcStoreResize(x,x)+B3j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		add	esi, 78h
		xor	edx, edx
		mov	ecx, esi
		mov	[esp+48h+var_38], esi
		call	ExAcquirePushLockExclusiveEx
		push	dword ptr [ebx+0Ch]
		mov	ecx, [esp+4Ch+var_30]
		mov	edx, [ebx+8]
		call	_SmcStoreEntryFind@12 ;	SmcStoreEntryFind(x,x,x)
		mov	ecx, eax
		or	eax, 0FFFFFFFFh
		mov	[esp+48h+var_34], ecx
		test	ecx, ecx
		jnz	short loc_9E8008
		mov	esi, 0C0000098h
		jmp	loc_9E8112
; 

loc_9E8008:				; CODE XREF: SmcStoreResize(x,x)+F2j
		add	ecx, 0Ch
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	dword ptr [ebx], 100h
		movzx	eax, al
		mov	[esp+48h+var_20], eax
		jz	short loc_9E8075
		mov	edx, [ebx+10h]
		lea	eax, [esp+48h+var_10]
		mov	ecx, [esp+48h+var_30]
		push	eax
		call	_SmcStorePlacementGet@12 ; SmcStorePlacementGet(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9E810F
		mov	eax, [esp+48h+var_2C]
		mov	esi, edi
		and	[esp+48h+var_30], 0
		add	eax, edi
		mov	edx, [esp+48h+var_34]
		cmp	eax, edi
		sbb	ecx, ecx
		not	ecx
		mov	edx, [edx+8]
		and	ecx, [esp+48h+var_28]
		jbe	short loc_9E8071
		mov	ebx, [esp+48h+var_30]

loc_9E805E:				; CODE XREF: SmcStoreResize(x,x)+161j
		mov	eax, [esi]
		lea	esi, [esi+4]
		or	[edx], eax
		inc	ebx
		lea	edx, [edx+4]
		cmp	ebx, ecx
		jb	short loc_9E805E
		mov	ebx, [esp+48h+var_24]

loc_9E8071:				; CODE XREF: SmcStoreResize(x,x)+14Ej
		mov	esi, [esp+48h+var_38]

loc_9E8075:				; CODE XREF: SmcStoreResize(x,x)+113j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E8089
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E8089:				; CODE XREF: SmcStoreResize(x,x)+176j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebx]
		mov	edx, [ebx+8]
		mov	ecx, [ebx+0Ch]
		shr	eax, 8
		and	eax, 1
		push	eax
		lea	eax, [ebx+10h]
		push	eax
		lea	eax, [esp+50h+var_18]
		push	eax
		call	_SmStoreResize@20 ; SmStoreResize(x,x,x,x,x)
		test	dword ptr [ebx], 100h
		jz	short loc_9E80BE

loc_9E80BA:				; CODE XREF: SmcStoreResize(x,x)+1B8j
		xor	esi, esi
		jmp	short loc_9E8133
; 

loc_9E80BE:				; CODE XREF: SmcStoreResize(x,x)+1AEj
		cmp	dword ptr [ebx+10h], 0
		jz	short loc_9E80BA
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [esp+48h+var_34]
		xor	esi, esi
		mov	edx, edi
		mov	ecx, [eax+8]
		mov	eax, [esp+48h+var_2C]
		add	eax, edi
		cmp	eax, edi
		sbb	eax, eax
		not	eax
		and	eax, [esp+48h+var_28]
		jbe	short loc_9E810D
		mov	ebx, eax

loc_9E80FA:				; CODE XREF: SmcStoreResize(x,x)+1FDj
		mov	eax, [edx]
		lea	edx, [edx+4]
		xor	[ecx], eax
		inc	esi
		lea	ecx, [ecx+4]
		cmp	esi, ebx
		jb	short loc_9E80FA
		mov	ebx, [esp+48h+var_24]

loc_9E810D:				; CODE XREF: SmcStoreResize(x,x)+1ECj
		xor	esi, esi

loc_9E810F:				; CODE XREF: SmcStoreResize(x,x)+12Aj
		or	eax, 0FFFFFFFFh

loc_9E8112:				; CODE XREF: SmcStoreResize(x,x)+F9j
		mov	ecx, [esp+48h+var_38]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E8129
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [esp+48h+var_38]

loc_9E8129:				; CODE XREF: SmcStoreResize(x,x)+214j
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9E8133:				; CODE XREF: SmcStoreResize(x,x)+1B2j
		cmp	[esp+48h+var_20], 0
		jz	short loc_9E8146
		mov	ecx, [esp+48h+var_34]
		lea	ecx, [ecx+0Ch]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_9E8146:				; CODE XREF: SmcStoreResize(x,x)+5Bj
					; SmcStoreResize(x,x)+88j ...
		mov	eax, [ebx+4]
		mov	ecx, [esp+48h+var_1C]
		and	eax, 0Fh
		shl	eax, 4
		add	ecx, 4
		add	ecx, eax
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		test	edi, edi
		jz	short loc_9E8168
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_9E8168:				; CODE XREF: SmcStoreResize(x,x)+49j
					; SmcStoreResize(x,x)+255j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_SmcStoreResize@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcStoreSlotAbort(x, x, x)
_SmcStoreSlotAbort@12 proc near		; CODE XREF: SmcStoreCreate(x,x,x,x,x)+16Cp
					; SmcStoreSlotReserve(x,x,x)+A4p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		lea	esi, [ecx+78h]
		jnz	short loc_9E819B
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx

loc_9E819B:				; CODE XREF: SmcStoreSlotAbort(x,x,x)+11j
		mov	ebx, [edi+8]
		or	eax, 0FFFFFFFFh
		and	dword ptr [edi+4], 0FFFFFFFBh
		and	dword ptr [edi+8], 0
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E81BA
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E81BA:				; CODE XREF: SmcStoreSlotAbort(x,x,x)+40j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	ecx, ebx
		call	_CmpFreePool@4	; CmpFreePool(x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_SmcStoreSlotAbort@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcStoreSlotCommit(x, x, x,	x)
_SmcStoreSlotCommit@16 proc near	; CODE XREF: SmcStoreCreate(x,x,x,x,x)+215p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	esi, edx
		dec	word ptr [eax+13Ch]
		nop
		lea	edi, [ecx+78h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		and	dword ptr [esi+4], 0FFFFFFFBh
		mov	[esi], eax
		lea	eax, [esi+0Ch]
		xchg	ecx, [eax]
		mov	eax, [esi+4]
		xor	eax, [ebp+arg_4]
		and	eax, 3
		xor	[esi+4], eax
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E8227
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E8227:				; CODE XREF: SmcStoreSlotCommit(x,x,x,x)+4Aj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_SmcStoreSlotCommit@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcStoreSlotReserve(x, x, x)
_SmcStoreSlotReserve@12	proc near	; CODE XREF: SmcStoreCreate(x,x,x,x,x)+87p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		mov	edx, 72436D73h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	esi, [ebx+8]
		add	esi, 1Fh
		shr	esi, 5
		shl	esi, 2
		mov	ecx, esi
		call	_SSHSupportAllocateNonPaged@8 ;	SSHSupportAllocateNonPaged(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9E8312
		push	0FFFFFFFFh
		push	esi
		push	edi
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		mov	eax, large fs:124h
		lea	esi, [ebx+7Ch]
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [ebx+78h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		lea	edx, [ebx+17Ch]
		or	eax, 0FFFFFFFFh
		jmp	short loc_9E82AE
; 

loc_9E829F:				; CODE XREF: SmcStoreSlotReserve(x,x,x)+77j
		cmp	[esi], eax
		jnz	short loc_9E82AB
		mov	ecx, [esi+4]
		test	cl, 4
		jz	short loc_9E82B4

loc_9E82AB:				; CODE XREF: SmcStoreSlotReserve(x,x,x)+68j
		add	esi, 10h

loc_9E82AE:				; CODE XREF: SmcStoreSlotReserve(x,x,x)+64j
		cmp	esi, edx
		jb	short loc_9E829F
		jmp	short loc_9E82E7
; 

loc_9E82B4:				; CODE XREF: SmcStoreSlotReserve(x,x,x)+70j
		mov	edx, [ebp+arg_0]
		or	ecx, 4
		mov	[esi+4], ecx
		mov	ecx, ebx
		mov	[esi+8], edi
		xor	edi, edi
		push	esi
		call	_SmcStorePlacementGet@12 ; SmcStorePlacementGet(x,x,x)
		test	eax, eax
		js	short loc_9E82D3
		mov	[ebp+var_4], esi
		xor	esi, esi

loc_9E82D3:				; CODE XREF: SmcStoreSlotReserve(x,x,x)+93j
		test	esi, esi
		jz	short loc_9E82E4
		push	1
		mov	edx, esi
		mov	ecx, ebx
		call	_SmcStoreSlotAbort@12 ;	SmcStoreSlotAbort(x,x,x)
		jmp	short loc_9E8312
; 

loc_9E82E4:				; CODE XREF: SmcStoreSlotReserve(x,x,x)+9Cj
		or	eax, 0FFFFFFFFh

loc_9E82E7:				; CODE XREF: SmcStoreSlotReserve(x,x,x)+79j
		mov	esi, [ebp+var_8]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9E82FB
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9E82FB:				; CODE XREF: SmcStoreSlotReserve(x,x,x)+B9j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		jz	short loc_9E8312
		mov	ecx, edi
		call	_CmpFreePool@4	; CmpFreePool(x)

loc_9E8312:				; CODE XREF: SmcStoreSlotReserve(x,x,x)+2Cj
					; SmcStoreSlotReserve(x,x,x)+A9j ...
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SmcStoreSlotReserve@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmcVolumePnpNotification(x,	x)
_SmcVolumePnpNotification@8 proc near	; DATA XREF: SmKmStoreFileCreate(x,x,x,x,x,x,x,x,x,x,x)+35Co

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, (offset loc_4055E5+3) ; void *
		xor	ebx, ebx
		lea	ecx, [esi+4]	; void *
		call	?IsEqualGUID@@YGHABU_GUID@@0@Z ; IsEqualGUID(_GUID const &,_GUID const &)
		test	eax, eax
		jnz	short loc_9E834B
		mov	edx, offset _GUID_TARGET_DEVICE_REMOVE_COMPLETE	; void *
		lea	ecx, [esi+4]	; void *
		call	?IsEqualGUID@@YGHABU_GUID@@0@Z ; IsEqualGUID(_GUID const &,_GUID const &)
		test	eax, eax
		jz	short loc_9E83B9

loc_9E834B:				; CODE XREF: SmcVolumePnpNotification(x,x)+1Cj
		mov	eax, offset unk_7184A4
		push	edi
		mov	edi, ebx
		mov	[ebp+var_4], eax

loc_9E8356:				; CODE XREF: SmcVolumePnpNotification(x,x)+9Aj
		mov	esi, [eax]
		mov	ecx, offset unk_718498
		and	esi, 0FFFh
		shl	esi, 4
		or	esi, edi
		mov	edx, esi
		call	_SmcCacheReference@8 ; SmcCacheReference(x,x)
		test	eax, eax
		jz	short loc_9E83A9
		mov	ecx, [ebp+arg_0]
		mov	ebx, esi
		mov	esi, [eax+2Ch]
		sub	esi, [ecx+14h]
		mov	ecx, ebx
		neg	esi
		sbb	esi, esi
		and	ecx, 0Fh
		shl	ecx, 4
		not	esi
		add	ecx, offset unk_71849C
		and	esi, eax
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		test	esi, esi
		jz	short loc_9E83A9
		mov	edx, ebx
		mov	ecx, offset unk_718498
		call	_SmcCacheDelete@8 ; SmcCacheDelete(x,x)

loc_9E83A9:				; CODE XREF: SmcVolumePnpNotification(x,x)+55j
					; SmcVolumePnpNotification(x,x)+7Fj
		mov	eax, [ebp+var_4]
		inc	edi
		add	eax, 10h
		mov	[ebp+var_4], eax
		cmp	edi, 10h
		jb	short loc_9E8356
		pop	edi

loc_9E83B9:				; CODE XREF: SmcVolumePnpNotification(x,x)+2Dj
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	8
_SmcVolumePnpNotification@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmpUtilsGetControlDevice(x,	x, x)
_SmpUtilsGetControlDevice@12 proc near	; CODE XREF: SmcCacheManagerStart(x,x)+47p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_14]
		push	offset ??_C@_1CC@MHOEJLNL@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAR?$AAd?$AAy?$AAB?$AAo?$AAo?$AAs@NNGAKEGL@
		push	eax
		mov	ebx, edx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_8], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	edi
		push	20h
		push	1
		push	7
		push	edi
		lea	eax, [ebp+var_14]
		mov	[ebp+var_34], 18h
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_1C]
		push	edi
		push	eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_30], edi
		push	eax
		push	12019Fh
		lea	eax, [ebp+var_8]
		mov	[ebp+var_28], 240h
		push	eax
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], edi
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E846E
		push	edi
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], edi
		push	eax
		push	edi
		push	edi
		push	3
		push	[ebp+var_8]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+var_C]
		mov	esi, eax
		test	esi, esi
		js	short loc_9E8463
		push	edi
		call	IoGetRelatedDeviceObject
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		xor	esi, esi
		mov	[ebx], eax

loc_9E8463:				; CODE XREF: SmpUtilsGetControlDevice(x,x,x)+8Aj
		test	edi, edi
		jz	short loc_9E846E
		mov	ecx, edi
		call	ObfDereferenceObject

loc_9E846E:				; CODE XREF: SmpUtilsGetControlDevice(x,x,x)+6Dj
					; SmpUtilsGetControlDevice(x,x,x)+A4j
		cmp	[ebp+var_8], 0
		jz	short loc_9E847C
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_9E847C:				; CODE XREF: SmpUtilsGetControlDevice(x,x,x)+B1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_SmpUtilsGetControlDevice@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1604. NtVdmControl

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtVdmControl(x, x)
		public _NtVdmControl@8
_NtVdmControl@8	proc near		; DATA XREF: .text:00580BC8o

var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	24h
		push	offset dword_6A9668
		call	__SEH_prolog4
		xor	eax, eax
		lea	edi, [ebp+var_34]
		stosd
		stosd
		stosd
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	esi, [ebp+arg_0]
		cmp	esi, 0Eh
		jnz	short loc_9E84B8
		mov	ecx, [ebp+arg_4]
		call	_VdmpQueryVdmProcess@4 ; VdmpQueryVdmProcess(x)
		jmp	loc_9E8805
; 

loc_9E84B8:				; CODE XREF: NtVdmControl(x,x)+1Fj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+0FCh], 1000000h
		jz	loc_9E8800
		cmp	esi, 3
		jz	short loc_9E84F6
		cmp	esi, 0Fh
		jz	short loc_9E84F6
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	[eax+0F4h], ebx
		jz	loc_9E8800

loc_9E84F6:				; CODE XREF: NtVdmControl(x,x)+4Dj
					; NtVdmControl(x,x)+52j
		lea	ecx, [ebp+var_20]
		call	_VdmpGetVdmTib@4 ; VdmpGetVdmTib(x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		jns	short loc_9E850C
		mov	eax, ebx
		mov	[ebp+var_20], eax
		jmp	short loc_9E850F
; 

loc_9E850C:				; CODE XREF: NtVdmControl(x,x)+79j
		mov	eax, [ebp+var_20]

loc_9E850F:				; CODE XREF: NtVdmControl(x,x)+80j
		mov	[ebp+ms_exc.disabled], ebx
		test	esi, esi
		jnz	short loc_9E8524
		test	eax, eax
		jz	short loc_9E8524
		call	_VdmpStartExecution@0 ;	VdmpStartExecution()
		jmp	loc_9E87F1
; 

loc_9E8524:				; CODE XREF: NtVdmControl(x,x)+8Aj
					; NtVdmControl(x,x)+8Ej
		xor	edi, edi
		inc	edi
		cmp	esi, edi
		jnz	short loc_9E8538
		mov	ecx, [ebp+arg_4]
		call	_VdmpQueueInterrupt@4 ;	VdmpQueueInterrupt(x)
		jmp	loc_9E87F1
; 

loc_9E8538:				; CODE XREF: NtVdmControl(x,x)+9Fj
		cmp	esi, 2
		jnz	short loc_9E854A
		mov	ecx, [ebp+arg_4]
		call	_VdmpDelayInterrupt@4 ;	VdmpDelayInterrupt(x)
		jmp	loc_9E87F1
; 

loc_9E854A:				; CODE XREF: NtVdmControl(x,x)+B1j
		cmp	esi, 3
		jnz	short loc_9E8581
		mov	_VdmpMaxPMCliTime, 0Fh
		mov	esi, [ebp+arg_4]
		lea	ecx, [esi+0Ch]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_9E856C
		cmp	ecx, esi
		jnb	short loc_9E856E

loc_9E856C:				; CODE XREF: NtVdmControl(x,x)+DCj
		mov	[eax], bl

loc_9E856E:				; CODE XREF: NtVdmControl(x,x)+E0j
		lea	edi, [ebp+var_34]
		movsd
		movsd
		movsd
		lea	ecx, [ebp+var_34]
		call	_VdmpInitialize@4 ; VdmpInitialize(x)
		jmp	loc_9E87F1
; 

loc_9E8581:				; CODE XREF: NtVdmControl(x,x)+C3j
		cmp	esi, 0Fh
		jnz	short loc_9E8590
		call	_VdmpPreInitialize@0 ; VdmpPreInitialize()
		jmp	loc_9E87F1
; 

loc_9E8590:				; CODE XREF: NtVdmControl(x,x)+FAj
		cmp	esi, 4
		jnz	short loc_9E85B8
		mov	ecx, [ebp+arg_4]
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9E85A5
		mov	edx, eax

loc_9E85A5:				; CODE XREF: NtVdmControl(x,x)+117j
		mov	al, [edx]
		mov	[edx], al
		mov	eax, _KeI386VirtualIntExtensions
		and	eax, 0FFFFFFFDh
		mov	[ecx], eax
		jmp	loc_9E873E
; 

loc_9E85B8:				; CODE XREF: NtVdmControl(x,x)+109j
		cmp	esi, 5
		jnz	short loc_9E85F9
		test	eax, eax
		jz	short loc_9E85F9
		mov	edx, [ebp+arg_4]
		lea	ecx, [edx+0Ch]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_9E85D4
		cmp	ecx, edx
		jnb	short loc_9E85D6

loc_9E85D4:				; CODE XREF: NtVdmControl(x,x)+144j
		mov	[eax], bl

loc_9E85D6:				; CODE XREF: NtVdmControl(x,x)+148j
		mov	ecx, large fs:124h
		movzx	eax, byte ptr [edx+8]
		push	eax
		push	dword ptr [edx+4]
		movzx	eax, word ptr [edx]
		push	eax
		mov	ecx, [ecx+80h]
		call	_Ke386SetVdmInterruptHandler@20	; Ke386SetVdmInterruptHandler(x,x,x,x,x)
		jmp	loc_9E87F1
; 

loc_9E85F9:				; CODE XREF: NtVdmControl(x,x)+131j
					; NtVdmControl(x,x)+135j
		cmp	esi, 7
		jnz	short loc_9E8606
		test	eax, eax
		jnz	loc_9E873E

loc_9E8606:				; CODE XREF: NtVdmControl(x,x)+172j
		cmp	esi, 8
		jnz	short loc_9E861C
		test	eax, eax
		jz	short loc_9E861C
		mov	ecx, [ebp+arg_4]
		call	_VdmpPrinterDirectIoClose@4 ; VdmpPrinterDirectIoClose(x)
		jmp	loc_9E87F1
; 

loc_9E861C:				; CODE XREF: NtVdmControl(x,x)+17Fj
					; NtVdmControl(x,x)+183j
		cmp	esi, 9
		jnz	short loc_9E862F
		test	eax, eax
		jz	short loc_9E862F
		call	_VdmpPrinterInitialize@4 ; VdmpPrinterInitialize(x)
		jmp	loc_9E87F1
; 

loc_9E862F:				; CODE XREF: NtVdmControl(x,x)+195j
					; NtVdmControl(x,x)+199j
		cmp	esi, 0Ah
		jnz	short loc_9E8668
		test	eax, eax
		jz	short loc_9E8668
		mov	ecx, [ebp+arg_4]
		lea	edx, [ecx+18h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_9E864B
		cmp	edx, ecx
		jnb	short loc_9E864D

loc_9E864B:				; CODE XREF: NtVdmControl(x,x)+1BBj
		mov	[eax], bl

loc_9E864D:				; CODE XREF: NtVdmControl(x,x)+1BFj
		push	dword ptr [ecx+14h] ; int
		push	dword ptr [ecx+10h] ; void *
		push	dword ptr [ecx+0Ch] ; int
		push	dword ptr [ecx+8] ; size_t
		mov	edx, [ecx+4]
		mov	ecx, [ecx]
		call	_PsSetLdtEntries@24 ; PsSetLdtEntries(x,x,x,x,x,x)
		jmp	loc_9E87F1
; 

loc_9E8668:				; CODE XREF: NtVdmControl(x,x)+1A8j
					; NtVdmControl(x,x)+1ACj
		cmp	esi, 0Bh
		jnz	short loc_9E86AC
		test	eax, eax
		jz	short loc_9E86AC
		mov	eax, [ebp+arg_4]
		lea	edx, [eax+8]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_9E8685
		cmp	edx, eax
		jnb	short loc_9E8687

loc_9E8685:				; CODE XREF: NtVdmControl(x,x)+1F5j
		mov	[ecx], bl

loc_9E8687:				; CODE XREF: NtVdmControl(x,x)+1F9j
		mov	ecx, [eax]
		mov	edx, [eax+4]
		test	edx, edx
		jz	short loc_9E86A2
		lea	esi, [edx+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		ja	short loc_9E86A0
		cmp	esi, ecx
		jnb	short loc_9E86A2

loc_9E86A0:				; CODE XREF: NtVdmControl(x,x)+210j
		mov	[eax], bl

loc_9E86A2:				; CODE XREF: NtVdmControl(x,x)+204j
					; NtVdmControl(x,x)+214j
		call	_PsSetProcessLdtInfo@8 ; PsSetProcessLdtInfo(x,x)
		jmp	loc_9E87F1
; 

loc_9E86AC:				; CODE XREF: NtVdmControl(x,x)+1E1j
					; NtVdmControl(x,x)+1E5j
		cmp	esi, 0Ch
		jnz	loc_9E8746
		test	eax, eax
		jz	loc_9E8746
		mov	ecx, [ebp+arg_4]
		lea	edx, [ecx+0Ah]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_9E86D0
		cmp	edx, ecx
		jnb	short loc_9E86D2

loc_9E86D0:				; CODE XREF: NtVdmControl(x,x)+240j
		mov	[eax], bl

loc_9E86D2:				; CODE XREF: NtVdmControl(x,x)+244j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	edx, [eax+0F4h]
		movzx	eax, word ptr [ecx+8]
		cmp	ax, di
		jnz	short loc_9E86F9
		mov	[ebp+var_1C], 0C0000022h
		jmp	loc_9E87F4
; 

loc_9E86F9:				; CODE XREF: NtVdmControl(x,x)+261j
		mov	[edx+0B8h], ax
		mov	ax, [ecx+4]
		mov	[edx+0B0h], ax
		mov	ax, [ecx+6]
		mov	[edx+0B2h], ax
		mov	ax, [ecx]
		mov	[edx+0B4h], ax
		mov	ax, [ecx+2]
		mov	[edx+0B6h], ax
		xor	eax, eax
		mov	[edx+0AEh], ax
		push	6
		pop	eax
		mov	[edx+0ACh], ax

loc_9E873E:				; CODE XREF: NtVdmControl(x,x)+129j
					; NtVdmControl(x,x)+176j
		mov	[ebp+var_1C], ebx
		jmp	loc_9E87F4
; 

loc_9E8746:				; CODE XREF: NtVdmControl(x,x)+225j
					; NtVdmControl(x,x)+22Dj
		cmp	esi, 0Dh
		jnz	loc_9E87D4
		mov	eax, large fs:124h
		mov	[ebp+arg_0], eax
		mov	eax, [eax+80h]
		mov	ecx, [eax+0F4h]
		mov	[ebp+var_28], ecx
		mov	eax, [ebp+arg_4]
		lea	esi, [eax+4]
		mov	edx, ds:_MmUserProbeAddress
		cmp	esi, edx
		ja	short loc_9E877B
		cmp	esi, eax
		jnb	short loc_9E877D

loc_9E877B:				; CODE XREF: NtVdmControl(x,x)+2EBj
		mov	[edx], bl

loc_9E877D:				; CODE XREF: NtVdmControl(x,x)+2EFj
		mov	[ebp+var_1C], ebx
		mov	eax, [eax]
		sub	eax, ebx
		jz	short loc_9E87C6
		sub	eax, 1
		jz	short loc_9E87AB
		sub	eax, 1
		jz	short loc_9E87A4
		sub	eax, 1
		jz	short loc_9E87A1
		sub	eax, 1
		jnz	short loc_9E87D4
		call	_VdmClearPMCliTimeStamp@0 ; VdmClearPMCliTimeStamp()
		jmp	short loc_9E87F4
; 

loc_9E87A1:				; CODE XREF: NtVdmControl(x,x)+309j
		push	ebx
		jmp	short loc_9E87BF
; 

loc_9E87A4:				; CODE XREF: NtVdmControl(x,x)+304j
		call	_VdmCheckPMCliTimeStamp@0 ; VdmCheckPMCliTimeStamp()
		jmp	short loc_9E87F4
; 

loc_9E87AB:				; CODE XREF: NtVdmControl(x,x)+2FFj
		or	[ecx+0BAh], di
		mov	eax, large ds:714h
		test	eax, 200h
		jnz	short loc_9E87F4
		push	edi

loc_9E87BF:				; CODE XREF: NtVdmControl(x,x)+318j
		call	_VdmSetPMCliTimeStamp@4	; VdmSetPMCliTimeStamp(x)
		jmp	short loc_9E87F4
; 

loc_9E87C6:				; CODE XREF: NtVdmControl(x,x)+2FAj
		mov	eax, 0FFFEh
		and	[ecx+0BAh], ax
		jmp	short loc_9E87F4
; 

loc_9E87D4:				; CODE XREF: NtVdmControl(x,x)+2BFj
					; NtVdmControl(x,x)+30Ej
		mov	[ebp+var_1C], 0C00000EFh
		jmp	short loc_9E87F4
; 

loc_9E87DD:				; DATA XREF: .text:006A967Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E87EB:				; DATA XREF: .text:006A9680o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_24]

loc_9E87F1:				; CODE XREF: NtVdmControl(x,x)+95j
					; NtVdmControl(x,x)+A9j ...
		mov	[ebp+var_1C], eax

loc_9E87F4:				; CODE XREF: NtVdmControl(x,x)+26Aj
					; NtVdmControl(x,x)+2B7j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		jmp	short loc_9E8805
; 

loc_9E8800:				; CODE XREF: NtVdmControl(x,x)+44j
					; NtVdmControl(x,x)+66j
		mov	eax, 0C0000022h

loc_9E8805:				; CODE XREF: NtVdmControl(x,x)+29j
					; NtVdmControl(x,x)+374j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtVdmControl@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpQueryVdmProcess(x)
_VdmpQueryVdmProcess@4 proc near	; CODE XREF: NtVdmControl(x,x)+24p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	1Ch
		push	offset dword_6A9620
		call	__SEH_prolog4
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_9E887D
		mov	[ebp+ms_exc.disabled], ebx
		lea	ecx, [esi+4]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_9E884D
		cmp	ecx, esi
		jnb	short loc_9E884F

loc_9E884D:				; CODE XREF: VdmpQueryVdmProcess(x)+30j
		mov	[eax], bl

loc_9E884F:				; CODE XREF: VdmpQueryVdmProcess(x)+34j
		mov	eax, [esi]
		mov	[ebp+var_1C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9E8882
; 

loc_9E885D:				; DATA XREF: .text:006A9634o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E886B:				; DATA XREF: .text:006A9638o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]
		jmp	loc_9E890F
; 

loc_9E887D:				; CODE XREF: VdmpQueryVdmProcess(x)+21j
		mov	eax, [esi]
		mov	[ebp+var_1C], eax

loc_9E8882:				; CODE XREF: VdmpQueryVdmProcess(x)+44j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_28], al
		push	ebx
		lea	eax, [ebp+var_20]
		push	eax
		push	206D6456h
		push	[ebp+var_28]
		push	ds:_PsProcessType
		push	400h
		push	[ebp+var_1C]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9E890F
		mov	ecx, [ebp+var_20]
		test	dword ptr [ecx+0FCh], 1000000h
		jz	short loc_9E88D0
		cmp	[ecx+0F4h], ebx
		jz	short loc_9E88D0
		mov	bl, 1

loc_9E88D0:				; CODE XREF: VdmpQueryVdmProcess(x)+ADj
					; VdmpQueryVdmProcess(x)+B5j
		mov	edx, 206D6456h
		call	ObfDereferenceObjectWithTag
		mov	[ebp+ms_exc.disabled], 1
		add	esi, 4
		push	1
		push	1
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[esi], bl
		jmp	short loc_9E8906
; 

loc_9E88F2:				; DATA XREF: .text:006A9640o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E8900:				; DATA XREF: .text:006A9644o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_2C]

loc_9E8906:				; CODE XREF: VdmpQueryVdmProcess(x)+D9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edi

loc_9E890F:				; CODE XREF: VdmpQueryVdmProcess(x)+61j
					; VdmpQueryVdmProcess(x)+9Ej
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VdmpQueryVdmProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpGetVdmTib(x)
_VdmpGetVdmTib@4 proc near		; CODE XREF: VdmCheckPMCliTimeStamp()+6Ap
					; VdmpQueueIntApcRoutine(x,x,x,x,x)+B5p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	14h
		push	offset dword_6A9688
		call	__SEH_prolog4
		mov	edx, ecx
		and	[ebp+var_20], 0
		and	[ebp+ms_exc.disabled], 0
		mov	eax, large fs:18h
		mov	eax, [eax+0F18h]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_9E8951
		mov	[ebp+var_20], 0C0000001h
		jmp	short loc_9E8988
; 

loc_9E8951:				; CODE XREF: VdmpGetVdmTib(x)+27j
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_9E895E
		mov	byte ptr [ecx],	0

loc_9E895E:				; CODE XREF: VdmpGetVdmTib(x)+3Aj
		mov	al, [eax]
		mov	ecx, [ebp+var_1C]
		mov	[ecx], al
		mov	al, [ecx+677h]
		mov	[ecx+677h], al
		mov	eax, [ebp+var_1C]
		cmp	dword ptr [eax], 678h
		jz	short loc_9E8988
		mov	[ebp+var_20], 0C0000001h
		xor	eax, eax
		mov	[ebp+var_1C], eax

loc_9E8988:				; CODE XREF: VdmpGetVdmTib(x)+30j
					; VdmpGetVdmTib(x)+5Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[edx], eax
		mov	eax, [ebp+var_20]
		jmp	short loc_9E89B1
; 

loc_9E8996:				; DATA XREF: .text:006A969Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E89A4:				; DATA XREF: .text:006A96A0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]

loc_9E89B1:				; CODE XREF: VdmpGetVdmTib(x)+75j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VdmpGetVdmTib@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmEndExecution(x, x)
_VdmEndExecution@8 proc	near		; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+EAp
					; VdmpQueueIntApcRoutine(x,x,x,x,x)+23Cp ...

var_2F0		= dword	ptr -2F0h
var_2E9		= byte ptr -2E9h
var_2E8		= dword	ptr -2E8h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	2E0h
		push	offset dword_6A96C8
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_2F0], eax
		mov	ebx, [ebp+arg_4]
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_2E9], al
		and	[ebp+ms_exc.disabled], 0
		and	dword ptr [ebx+0BCh], 0
		lea	esi, [ebx+0Ch]
		mov	ecx, 0B3h
		lea	edi, [ebp+var_2E8]
		rep movsd
		test	[ebp+var_228], 20000h
		jnz	short loc_9E8A1D
		test	[ebp+var_22C], 0FFF9h
		jz	short loc_9E8A9B

loc_9E8A1D:				; CODE XREF: VdmEndExecution(x,x)+4Ej
		lea	eax, [ebp+var_2E8]
		push	eax
		lea	edx, [ebx+2D8h]
		mov	esi, [ebp+var_2F0]
		mov	ecx, esi
		call	_VdmSwapContexts@12 ; VdmSwapContexts(x,x,x)
		mov	edx, [ebx+398h]
		bt	edx, 11h
		setb	cl
		test	byte ptr _KeI386VirtualIntExtensions, 1
		setnz	al
		test	cl, al
		jz	short loc_9E8A7E
		test	edx, 80000h
		jz	short loc_9E8A62
		or	edx, 200h
		jmp	short loc_9E8A68
; 

loc_9E8A62:				; CODE XREF: VdmEndExecution(x,x)+97j
		and	edx, 0FFFFFDFFh

loc_9E8A68:				; CODE XREF: VdmEndExecution(x,x)+9Fj
		mov	[ebx+398h], edx
		mov	eax, 0FFE7FFFFh
		and	[esi+70h], eax
		and	[ebx+398h], eax
		jmp	short loc_9E8A9B
; 

loc_9E8A7E:				; CODE XREF: VdmEndExecution(x,x)+8Fj
		mov	eax, large ds:714h
		xor	eax, edx
		and	eax, 200h
		xor	eax, edx
		mov	[ebx+398h], eax
		jmp	short loc_9E8A9B
; 

loc_9E8A94:				; DATA XREF: .text:006A96DCo
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E8A98:				; DATA XREF: .text:006A96E0o
		mov	esp, [ebp+ms_exc.old_esp]

loc_9E8A9B:				; CODE XREF: VdmEndExecution(x,x)+5Aj
					; VdmEndExecution(x,x)+BBj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	cl, [ebp+var_2E9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_VdmEndExecution@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmSwapContexts(x, x, x)
_VdmSwapContexts@12 proc near		; CODE XREF: VdmEndExecution(x,x)+71p
					; VdmpStartExecution()+18Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		push	1Bh
		pop	eax
		test	dword ptr [esi+70h], 20000h
		jz	short loc_9E8AFF
		mov	eax, [esi+88h]
		mov	[edx+8Ch], eax
		mov	eax, [esi+84h]
		mov	[edx+90h], eax
		mov	eax, [esi+7Ch]
		mov	[edx+94h], eax
		mov	eax, [esi+80h]
		jmp	short loc_9E8B23
; 

loc_9E8AFF:				; CODE XREF: VdmSwapContexts(x,x,x)+14j
		cmp	[esi+6Ch], ax
		jz	short loc_9E8B29
		mov	eax, [esi+2Ch]
		mov	[edx+8Ch], eax
		mov	eax, [esi+50h]
		mov	[edx+90h], eax
		mov	eax, [esi+30h]
		mov	[edx+94h], eax
		mov	eax, [esi+34h]

loc_9E8B23:				; CODE XREF: VdmSwapContexts(x,x,x)+3Dj
		mov	[edx+98h], eax

loc_9E8B29:				; CODE XREF: VdmSwapContexts(x,x,x)+43j
		mov	eax, [esi+6Ch]
		mov	[edx+0BCh], eax
		mov	eax, [esi+78h]
		mov	[edx+0C8h], eax
		mov	eax, [esi+40h]
		mov	[edx+0B0h], eax
		mov	eax, [esi+5Ch]
		mov	[edx+0A4h], eax
		mov	eax, [esi+3Ch]
		mov	[edx+0ACh], eax
		mov	eax, [esi+38h]
		mov	edi, [ebp+arg_0]
		mov	[edx+0A8h], eax
		mov	eax, [esi+58h]
		mov	[edx+0A0h], eax
		mov	eax, [esi+54h]
		mov	[edx+9Ch], eax
		mov	eax, [esi+60h]
		mov	[edx+0B4h], eax
		mov	eax, [esi+74h]
		mov	[edx+0C4h], eax
		mov	eax, [esi+68h]
		mov	[edx+0B8h], eax
		mov	eax, [esi+70h]
		mov	[edx+0C0h], eax
		mov	eax, [esi+48h]
		mov	[edx+0E4h], eax
		mov	edx, [edi+0BCh]
		mov	[esi+6Ch], edx
		mov	ebx, [edi+0C8h]
		mov	[esi+78h], ebx
		mov	eax, [edi+0B0h]
		mov	[esi+40h], eax
		mov	eax, [edi+0A4h]
		mov	[esi+5Ch], eax
		mov	eax, [edi+0ACh]
		mov	[esi+3Ch], eax
		mov	eax, [edi+0A8h]
		mov	[esi+38h], eax
		mov	eax, [edi+0A0h]
		mov	[esi+58h], eax
		mov	eax, [edi+9Ch]
		mov	[esi+54h], eax
		mov	eax, [edi+0B4h]
		mov	[esi+60h], eax
		mov	eax, [edi+0C4h]
		mov	[esi+74h], eax
		mov	eax, [edi+0B8h]
		mov	[esi+68h], eax
		mov	eax, [edi+0E4h]
		mov	ecx, [edi+0C0h]
		and	eax, ds:_KiMxCsrMask
		mov	[esi+48h], eax
		test	ecx, 20000h
		jnz	short loc_9E8C39
		or	edx, 3
		or	ebx, 3
		mov	[esi+6Ch], edx
		mov	[esi+78h], ebx
		cmp	edx, 8
		jnb	short loc_9E8C39
		mov	dword ptr [esi+6Ch], 1Bh

loc_9E8C39:				; CODE XREF: VdmSwapContexts(x,x,x)+15Fj
					; VdmSwapContexts(x,x,x)+170j
		mov	eax, [esi+70h]
		and	ecx, 3F4DD7h
		or	ecx, 200h
		mov	ebx, 20000h
		xor	eax, ecx
		mov	[esi+70h], ecx
		test	eax, ebx
		jz	short loc_9E8C90
		push	esi
		call	_Ki386AdjustEsp0@4 ; Ki386AdjustEsp0(x)
		test	[esi+70h], ebx
		jz	short loc_9E8C90
		mov	eax, [edi+8Ch]
		mov	[esi+88h], eax
		mov	eax, [edi+90h]
		mov	[esi+84h], eax
		mov	eax, [edi+94h]
		mov	[esi+7Ch], eax
		mov	eax, [edi+98h]
		mov	[esi+80h], eax
		jmp	short loc_9E8CBC
; 

loc_9E8C90:				; CODE XREF: VdmSwapContexts(x,x,x)+194j
					; VdmSwapContexts(x,x,x)+19Fj
		mov	eax, [edi+8Ch]
		mov	[esi+2Ch], eax
		mov	eax, [edi+90h]
		mov	[esi+50h], eax
		mov	eax, [edi+94h]
		mov	[esi+30h], eax
		mov	eax, [edi+98h]
		mov	[esi+34h], eax
		call	_KeI386GetExceptionChainTerminator@0 ; KeI386GetExceptionChainTerminator()
		mov	[esi+4Ch], eax

loc_9E8CBC:				; CODE XREF: VdmSwapContexts(x,x,x)+1CEj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_VdmSwapContexts@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpStartExecution()
_VdmpStartExecution@0 proc near		; CODE XREF: NtVdmControl(x,x)+90p

var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2F0		= dword	ptr -2F0h
var_2E9		= byte ptr -2E9h
var_2E8		= dword	ptr -2E8h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
ms_exc		= CPPEH_RECORD ptr -18h

		push	2E8h
		push	offset dword_6A96A8
		call	__SEH_prolog4_GS
		xor	esi, esi
		mov	[ebp+var_2F0], esi
		mov	eax, large fs:124h
		mov	ebx, [eax+20h]
		sub	ebx, 8Ch
		lea	ecx, [ebp+var_2F0]
		call	_VdmpGetVdmTib@4 ; VdmpGetVdmTib(x)
		test	eax, eax
		jns	short loc_9E8D02

loc_9E8CF8:				; CODE XREF: VdmpStartExecution()+17Aj
		mov	eax, 0C000001Ch
		jmp	loc_9E8EB6
; 

loc_9E8D02:				; CODE XREF: VdmpStartExecution()+33j
		mov	cl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	cl, al
		mov	[ebp+var_2E9], cl
		mov	[ebp+ms_exc.disabled], esi
		mov	edx, [ebp+var_2F0]
		mov	edi, [edx+398h]
		mov	eax, 200h
		and	edi, eax
		mov	[ebp+var_2F4], edi
		mov	eax, large ds:714h
		test	al, 2
		jz	short loc_9E8D74
		test	edi, edi
		jz	short loc_9E8D74
		mov	eax, large ds:714h
		test	al, 1
		jnz	short loc_9E8D74
		mov	eax, [ebp+var_2F0]
		mov	dword ptr [eax+5A8h], 3
		mov	[eax+5ACh], esi
		mov	[eax+5B0h], esi
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	loc_9E8EB6
; 

loc_9E8D74:				; CODE XREF: VdmpStartExecution()+72j
					; VdmpStartExecution()+76j ...
		mov	esi, [edx+398h]
		bt	esi, 11h
		setb	cl
		test	byte ptr _KeI386VirtualIntExtensions, 1
		setnz	al
		test	cl, al
		jz	short loc_9E8DD8
		test	edi, edi
		jz	short loc_9E8D9B
		or	esi, 80000h
		jmp	short loc_9E8DAE
; 

loc_9E8D9B:				; CODE XREF: VdmpStartExecution()+CEj
		and	esi, 0FFF7FFFFh
		mov	[edx+398h], esi
		mov	edi, 200h
		or	esi, edi

loc_9E8DAE:				; CODE XREF: VdmpStartExecution()+D6j
		mov	[edx+398h], esi
		mov	eax, large ds:714h
		and	eax, 1
		mov	eax, [edx+398h]
		jz	short loc_9E8DCB
		or	eax, 100000h
		jmp	short loc_9E8DD0
; 

loc_9E8DCB:				; CODE XREF: VdmpStartExecution()+FFj
		and	eax, 0FFEFFFFFh

loc_9E8DD0:				; CODE XREF: VdmpStartExecution()+106j
		mov	[edx+398h], eax
		jmp	short loc_9E8DF9
; 

loc_9E8DD8:				; CODE XREF: VdmpStartExecution()+CAj
		mov	edi, 200h
		mov	eax, 714h
		test	esi, edi
		jz	short loc_9E8DEB
		lock or	[eax], edi
		jmp	short loc_9E8DF3
; 

loc_9E8DEB:				; CODE XREF: VdmpStartExecution()+121j
		mov	ecx, 0FFFFFDFFh
		lock and [eax],	ecx

loc_9E8DF3:				; CODE XREF: VdmpStartExecution()+126j
		or	[edx+398h], edi

loc_9E8DF9:				; CODE XREF: VdmpStartExecution()+113j
		mov	edx, [ebp+var_2F0]
		lea	esi, [edx+2D8h]
		mov	ecx, 0B3h
		lea	edi, [ebp+var_2E8]
		rep movsd
		test	[ebp+var_228], 20000h
		jnz	short loc_9E8E42
		test	[ebp+var_22C], 0FFF9h
		jnz	short loc_9E8E42
		mov	cl, [ebp+var_2E9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_9E8CF8
; 

loc_9E8E42:				; CODE XREF: VdmpStartExecution()+159j
					; VdmpStartExecution()+165j
		lea	eax, [ebp+var_2E8]
		push	eax
		add	edx, 0Ch
		mov	ecx, ebx
		call	_VdmSwapContexts@12 ; VdmSwapContexts(x,x,x)
		cmp	[ebp+var_2F4], 0
		jz	short loc_9E8E71
		mov	eax, large ds:714h
		test	al, 1
		jz	short loc_9E8E71
		push	[ebp+var_2F0]
		push	ebx
		call	_VdmDispatchInterrupts@8 ; VdmDispatchInterrupts(x,x)

loc_9E8E71:				; CODE XREF: VdmpStartExecution()+197j
					; VdmpStartExecution()+1A0j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	cl, [ebp+var_2E9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebx+40h]
		jmp	short loc_9E8EB6
; 

loc_9E8E89:				; DATA XREF: .text:006A96BCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2F8], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E8E9A:				; DATA XREF: .text:006A96C0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	cl, [ebp+var_2E9]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_2F8]

loc_9E8EB6:				; CODE XREF: VdmpStartExecution()+3Aj
					; VdmpStartExecution()+ACj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VdmpStartExecution@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmDispatchPageFault(x, x, x)
_VdmDispatchPageFault@12 proc near	; CODE XREF: KiPreprocessAccessViolation+E3748p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	10h
		push	offset dword_6A96E8
		call	__SEH_prolog4
		mov	ebx, edx
		mov	edi, ecx
		and	[ebp+var_1C], 0
		lea	ecx, [ebp+var_1C]
		call	_VdmpGetVdmTib@4 ; VdmpGetVdmTib(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9E8F59
		test	dword ptr [edi+70h], 20000h
		jnz	short loc_9E8EF7
		cmp	dword ptr [edi+6Ch], 1Bh
		jz	short loc_9E8F51

loc_9E8EF7:				; CODE XREF: VdmDispatchPageFault(x,x,x)+29j
		mov	ecx, [ebp+arg_0]
		cmp	ecx, 100000h
		jnb	short loc_9E8F4C
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [ebp+var_1C]
		mov	dword ptr [eax+5A8h], 2
		and	dword ptr [eax+5ACh], 0
		mov	[eax+5B0h], ecx
		mov	[eax+5B4h], ebx
		push	eax
		push	edi
		call	_VdmEndExecution@8 ; VdmEndExecution(x,x)

loc_9E8F2D:				; CODE XREF: VdmDispatchPageFault(x,x,x)+84j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9E8F51
; 

loc_9E8F36:				; DATA XREF: .text:006A96FCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E8F44:				; DATA XREF: .text:006A9700o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_20]
		jmp	short loc_9E8F2D
; 

loc_9E8F4C:				; CODE XREF: VdmDispatchPageFault(x,x,x)+3Aj
		mov	esi, 0C000001Dh

loc_9E8F51:				; CODE XREF: VdmDispatchPageFault(x,x,x)+2Fj
					; VdmDispatchPageFault(x,x,x)+6Ej
		test	esi, esi
		js	short loc_9E8F59
		mov	al, 1
		jmp	short loc_9E8F5B
; 

loc_9E8F59:				; CODE XREF: VdmDispatchPageFault(x,x,x)+20j
					; VdmDispatchPageFault(x,x,x)+8Dj
		xor	al, al

loc_9E8F5B:				; CODE XREF: VdmDispatchPageFault(x,x,x)+91j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VdmDispatchPageFault@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmDispatchBop(x)
_VdmDispatchBop@4 proc near		; CODE XREF: V86_kit6_a+2B6p
					; V86_kit6_a+7F5p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	20h
		push	offset dword_6A9708
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_28], esi
		mov	ebx, [ebp+arg_0]
		test	dword ptr [ebx+70h], 20000h
		jz	short loc_9E8F9C
		movzx	eax, word ptr [ebx+6Ch]
		movzx	edi, word ptr [ebx+68h]
		shl	eax, 4
		add	edi, eax
		jmp	short loc_9E8FC4
; 

loc_9E8F9C:				; CODE XREF: VdmDispatchBop(x)+1Ej
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		movzx	eax, word ptr [ebx+6Ch]
		push	eax
		call	_Ki386GetSelectorParameters@16 ; Ki386GetSelectorParameters(x,x,x,x)
		test	al, al
		jnz	short loc_9E8FBE
		xor	eax, eax
		inc	eax
		jmp	loc_9E9083
; 

loc_9E8FBE:				; CODE XREF: VdmDispatchBop(x)+47j
		mov	edi, [ebx+68h]
		add	edi, [ebp+var_20]

loc_9E8FC4:				; CODE XREF: VdmDispatchBop(x)+2Dj
		mov	[ebp+var_24], esi
		xor	edx, edx
		inc	edx
		mov	[ebp+var_1C], edx
		mov	[ebp+ms_exc.disabled], esi
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jb	short loc_9E8FDD
		mov	ecx, eax

loc_9E8FDD:				; CODE XREF: VdmDispatchBop(x)+6Cj
		nop
		mov	al, [ecx]
		mov	eax, 0C4C4h
		cmp	[edi], ax
		jz	short loc_9E8FEF
		mov	[ebp+var_1C], esi
		jmp	short loc_9E9053
; 

loc_9E8FEF:				; CODE XREF: VdmDispatchBop(x)+7Bj
		cmp	byte ptr [edi+2], 50h
		jnz	short loc_9E900B
		mov	al, [edi+3]
		cmp	al, 42h
		jz	short loc_9E9000
		cmp	al, 43h
		jnz	short loc_9E900B

loc_9E9000:				; CODE XREF: VdmDispatchBop(x)+8Dj
		movzx	eax, al
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], edx
		jmp	short loc_9E9053
; 

loc_9E900B:				; CODE XREF: VdmDispatchBop(x)+86j
					; VdmDispatchBop(x)+91j
		mov	eax, _VdmBopCount
		inc	eax
		mov	_VdmBopCount, eax
		mov	eax, large fs:18h
		mov	esi, [eax+0F18h]
		push	edx
		push	678h
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	dword ptr [esi+5A8h], 4
		movzx	eax, byte ptr [edi+2]
		mov	[esi+5B0h], eax
		mov	dword ptr [esi+5ACh], 3
		push	esi
		push	ebx
		call	_VdmEndExecution@8 ; VdmEndExecution(x,x)

loc_9E9053:				; CODE XREF: VdmDispatchBop(x)+80j
					; VdmDispatchBop(x)+9Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9E9071
; 

loc_9E905C:				; DATA XREF: .text:006A971Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E9060:				; DATA XREF: .text:006A9720o
		mov	esp, [ebp+ms_exc.old_esp]
		and	[ebp+var_1C], 0
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+arg_0]

loc_9E9071:				; CODE XREF: VdmDispatchBop(x)+EDj
		cmp	[ebp+var_24], 0
		jz	short loc_9E9080
		push	[ebp+var_28]
		push	ebx
		call	_NTFastDOSIO@8	; NTFastDOSIO(x,x)

loc_9E9080:				; CODE XREF: VdmDispatchBop(x)+108j
		mov	eax, [ebp+var_1C]

loc_9E9083:				; CODE XREF: VdmDispatchBop(x)+4Cj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VdmDispatchBop@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmDispatchOpcodeV86_try(x)
_VdmDispatchOpcodeV86_try@4 proc near	; CODE XREF: Ktd_ExceptionHandler+36Ep

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	8
		push	offset dword_6A9768
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		push	[ebp+arg_0]
		call	_Ki386DispatchOpcodeV86@4 ; Ki386DispatchOpcodeV86(x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9E90C6
; 

loc_9E90B6:				; DATA XREF: .text:006A977Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E90BA:				; DATA XREF: .text:006A9780o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax

loc_9E90C6:				; CODE XREF: VdmDispatchOpcodeV86_try(x)+1Fj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VdmDispatchOpcodeV86_try@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmFetchBop1(x)
_VdmFetchBop1@4	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+1Ep

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	8
		push	offset dword_6A9788
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9E90F8
		mov	edx, eax

loc_9E90F8:				; CODE XREF: VdmFetchBop1(x)+1Cj
		nop
		mov	al, [edx]
		movzx	eax, byte ptr [ecx]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9E9117
; 

loc_9E9107:				; DATA XREF: .text:006A979Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E910B:				; DATA XREF: .text:006A97A0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax

loc_9E9117:				; CODE XREF: VdmFetchBop1(x)+2Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VdmFetchBop1@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmFetchBop4(x)
_VdmFetchBop4@4	proc near		; CODE XREF: sub_59F909+57Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	14h
		push	offset dword_6A97C8
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_19], dl
		mov	[ebp+ms_exc.disabled], edx
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9E914D
		mov	edx, eax

loc_9E914D:				; CODE XREF: VdmFetchBop4(x)+20j
		nop
		mov	al, [edx]
		mov	[ebp+var_19], 1
		mov	eax, [ecx]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9E91BB
; 

loc_9E915F:				; DATA XREF: .text:006A97DCo
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E9163:				; DATA XREF: .text:006A97E0o
		mov	esp, [ebp+ms_exc.old_esp]
		cmp	[ebp+var_19], 0
		jnz	short loc_9E9177
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_9E91BB
; 

loc_9E9177:				; CODE XREF: VdmFetchBop4(x)+41j
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		xor	edx, edx
		mov	[ebp+var_20], edx
		mov	[ebp+ms_exc.disabled], 1
		mov	esi, [ebp+arg_0]

loc_9E918C:				; CODE XREF: VdmFetchBop4(x)+7Aj
		mov	[ebp+var_24], edx
		cmp	edx, 4
		jnb	short loc_9E91A5
		movzx	eax, byte ptr [edx+esi]
		mov	ecx, edx
		shl	ecx, 3
		shl	eax, cl
		add	[ebp+var_20], eax
		inc	edx
		jmp	short loc_9E918C
; 

loc_9E91A5:				; CODE XREF: VdmFetchBop4(x)+69j
		mov	[ebp+ms_exc.disabled], edi
		jmp	short loc_9E91B8
; 

loc_9E91AA:				; DATA XREF: .text:006A97E8o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E91AE:				; DATA XREF: .text:006A97ECo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9E91B8:				; CODE XREF: VdmFetchBop4(x)+7Fj
		mov	eax, [ebp+var_20]

loc_9E91BB:				; CODE XREF: VdmFetchBop4(x)+34j
					; VdmFetchBop4(x)+4Cj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VdmFetchBop4@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmFetchULONG(x)
_VdmFetchULONG@4 proc near		; CODE XREF: Ki386VdmReflectException(x)+28p

ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	8
		push	offset dword_6A97A8
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+arg_0]
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9E91ED
		mov	edx, eax

loc_9E91ED:				; CODE XREF: VdmFetchULONG(x)+1Cj
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9E920B
; 

loc_9E91FB:				; DATA XREF: .text:006A97BCo
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E91FF:				; DATA XREF: .text:006A97C0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax

loc_9E920B:				; CODE XREF: VdmFetchULONG(x)+2Cj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VdmFetchULONG@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmTibPass1(x, x, x)
_VdmTibPass1@12	proc near		; CODE XREF: VdmFixEspEbp+66p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	0Ch
		push	offset dword_6A9728
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		mov	eax, large fs:18h
		mov	esi, [eax+0F18h]
		mov	[ebp+var_1C], esi
		push	1
		push	678h
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	eax, [ebp+arg_8]
		mov	[esi+37Ch], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+390h], eax
		mov	ecx, [ebp+arg_0]
		mov	[esi+394h], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		jmp	short loc_9E927F
; 

loc_9E926F:				; DATA XREF: .text:006A973Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E9273:				; DATA XREF: .text:006A9740o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax

loc_9E927F:				; CODE XREF: VdmTibPass1(x,x,x)+50j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_VdmTibPass1@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmDispatchIRQ13(x)
_VdmDispatchIRQ13@4 proc near		; CODE XREF: Dr_kit10_a+41Bp
					; Dr_kit13_a+3CCp

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_5C		= dword	ptr -5Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	68h
		push	offset dword_6A97F0
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_78], eax
		push	50h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		lea	eax, [ebp+var_6C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_70], ebx
		lea	ecx, [ebp+var_70]
		call	_VdmpGetVdmTib@4 ; VdmpGetVdmTib(x)
		test	eax, eax
		jns	short loc_9E92C7
		xor	al, al
		jmp	short loc_9E933C
; 

loc_9E92C7:				; CODE XREF: VdmDispatchIRQ13(x)+30j
		mov	cl, 1
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+var_70]
		mov	dword ptr [eax+5A8h], 6
		mov	[eax+5ACh], ebx
		jmp	short loc_9E930B
; 

loc_9E92E1:				; DATA XREF: .text:006A9804o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_74], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E92EF:				; DATA XREF: .text:006A9808o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_74]
		mov	[ebp+var_6C], eax
		xor	ebx, ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_5C], ebx
		lea	eax, [ebp+var_6C]
		push	eax
		call	_RtlRaiseException@4 ; RtlRaiseException(x)
		mov	cl, bl

loc_9E930B:				; CODE XREF: VdmDispatchIRQ13(x)+4Ej
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		test	cl, cl
		jz	short loc_9E933A
		mov	[ebp+ms_exc.disabled], 1
		push	[ebp+var_70]
		push	[ebp+var_78]
		call	_VdmEndExecution@8 ; VdmEndExecution(x,x)
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_9E933A
; 

loc_9E932C:				; DATA XREF: .text:006A9810o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E9330:				; DATA XREF: .text:006A9814o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9E933A:				; CODE XREF: VdmDispatchIRQ13(x)+82j
					; VdmDispatchIRQ13(x)+99j
		mov	al, 1

loc_9E933C:				; CODE XREF: VdmDispatchIRQ13(x)+34j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VdmDispatchIRQ13@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NTFastDOSIO(x, x)
_NTFastDOSIO@8	proc near		; CODE XREF: VdmDispatchBop(x)+10Ep

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	28h
		push	offset dword_6A9818
		call	__SEH_prolog4
		and	[ebp+var_24], 0
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+70h]
		push	0FFFFFFFEh
		pop	ebx
		and	eax, ebx
		mov	[esi+70h], eax
		cmp	[ebp+arg_4], 42h
		jz	short loc_9E9383
		cmp	[ebp+arg_4], 43h
		jz	short loc_9E9383
		or	eax, 1
		mov	[esi+70h], eax
		jmp	loc_9E9610
; 

loc_9E9383:				; CODE XREF: NTFastDOSIO(x,x)+22j
					; NTFastDOSIO(x,x)+28j
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, 200000h
		mov	eax, 714h
		lock or	[eax], ecx
		mov	[ebp+ms_exc.disabled], ebx
		lea	ecx, [ebp+var_24]
		call	_VdmpGetVdmTib@4 ; VdmpGetVdmTib(x)
		test	eax, eax
		jns	short loc_9E93AC

loc_9E93A3:				; CODE XREF: NTFastDOSIO(x,x)+1F1j
					; NTFastDOSIO(x,x)+285j ...
		or	dword ptr [esi+70h], 1
		jmp	loc_9E9610
; 

loc_9E93AC:				; CODE XREF: NTFastDOSIO(x,x)+53j
		mov	eax, [ebp+var_24]
		lea	ecx, [eax+624h]
		mov	[ebp+var_20], ecx
		lea	edi, [eax+62Ch]
		mov	[ebp+ms_exc.disabled], 1
		push	1
		push	8
		push	ecx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	1
		push	8
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[ebp+ms_exc.disabled], ebx
		movzx	ecx, word ptr [esi+60h]
		mov	eax, [esi+40h]
		shl	eax, 10h
		add	ecx, eax
		mov	[ebp+var_24], ecx
		add	dword ptr [esi+68h], 4
		mov	edx, [esi+70h]
		and	edx, ebx
		mov	[esi+70h], edx
		mov	eax, ecx
		and	eax, 3
		cmp	al, 3
		jz	loc_9E95ED
		cmp	ecx, 0FFFFFFF6h
		jz	loc_9E95ED
		cmp	ecx, 0FFFFFFF5h
		jz	loc_9E95ED
		cmp	ecx, 0FFFFFFF4h
		jz	loc_9E95ED
		mov	ecx, [esi+80h]
		shl	ecx, 4
		movzx	eax, word ptr [esi+38h]
		add	ecx, eax
		mov	[ebp+var_2C], ecx
		movzx	eax, word ptr [esi+3Ch]
		mov	[ebp+var_28], eax
		movzx	eax, word ptr [esi+5Ch]
		mov	[ebp+var_34], eax
		movzx	eax, word ptr [esi+58h]
		mov	[ebp+var_38], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebp+var_19], al
		xor	cl, cl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	byte ptr [esi+70h], 40h
		jnz	short loc_9E94A5
		mov	eax, [ebp+var_34]
		shl	eax, 10h
		add	eax, [ebp+var_38]
		mov	[ebp+ms_exc.disabled], 2
		mov	[edi], eax
		and	dword ptr [edi+4], 0
		mov	[ebp+ms_exc.disabled], ebx
		push	0Eh
		push	8
		push	edi
		push	[ebp+var_20]
		push	[ebp+var_24]
		call	_NtSetInformationFile@20 ; NtSetInformationFile(x,x,x,x,x)
		test	eax, eax
		js	loc_9E9536
		mov	[ebp+ms_exc.disabled], 3
		cmp	dword ptr [edi], 0FFFFFFFFh
		jnz	short loc_9E94A2
		mov	[ebp+ms_exc.disabled], ebx
		jmp	loc_9E9536
; 

loc_9E94A2:				; CODE XREF: NTFastDOSIO(x,x)+14Aj
		mov	[ebp+ms_exc.disabled], ebx

loc_9E94A5:				; CODE XREF: NTFastDOSIO(x,x)+10Dj
		cmp	[ebp+arg_4], 42h
		jnz	short loc_9E94D4
		xor	eax, eax
		push	eax
		push	eax
		push	[ebp+var_28]
		push	[ebp+var_2C]
		push	[ebp+var_20]
		push	eax
		push	eax
		push	eax
		push	[ebp+var_24]
		call	_NtReadFile@36	; NtReadFile(x,x,x,x,x,x,x,x,x)
		jmp	loc_9E955A
; 

loc_9E94C8:				; DATA XREF: .text:006A9850o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E94CC:				; DATA XREF: .text:006A9854o
		jmp	short loc_9E9529
; 

loc_9E94CE:				; DATA XREF: .text:006A9844o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E94D2:				; DATA XREF: .text:006A9848o
		jmp	short loc_9E9529
; 

loc_9E94D4:				; CODE XREF: NTFastDOSIO(x,x)+15Bj
		mov	eax, [ebp+var_28]
		test	eax, eax
		jnz	short loc_9E9544
		push	0Eh		; int
		push	8		; size_t
		push	edi		; int
		push	[ebp+var_20]	; int
		push	[ebp+var_24]	; int
		call	_NtQueryInformationFile@20 ; NtQueryInformationFile(x,x,x,x,x)
		test	eax, eax
		js	short loc_9E9536
		mov	[ebp+ms_exc.disabled], 4
		mov	eax, [edi]
		mov	[edi], eax
		mov	eax, [edi+4]
		mov	[edi+4], eax
		mov	[ebp+ms_exc.disabled], ebx
		push	14h
		push	8
		push	edi
		push	[ebp+var_20]
		push	[ebp+var_24]
		call	_NtSetInformationFile@20 ; NtSetInformationFile(x,x,x,x,x)
		test	eax, eax
		js	short loc_9E9536
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		jmp	loc_9E9610
; 

loc_9E9525:				; DATA XREF: .text:006A985Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E9529:				; CODE XREF: NTFastDOSIO(x,x):loc_9E94CCj
					; NTFastDOSIO(x,x):loc_9E94D2j
					; DATA XREF: ...
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+arg_0]

loc_9E9536:				; CODE XREF: NTFastDOSIO(x,x)+13Aj
					; NTFastDOSIO(x,x)+14Fj ...
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		jmp	loc_9E93A3
; 

loc_9E9544:				; CODE XREF: NTFastDOSIO(x,x)+18Bj
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	[ebp+var_2C]
		push	[ebp+var_20]
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_24]
		call	_NtWriteFile@36	; NtWriteFile(x,x,x,x,x,x,x,x,x)

loc_9E955A:				; CODE XREF: NTFastDOSIO(x,x)+175j
		mov	edi, eax
		cmp	edi, 103h
		jnz	short loc_9E95A0
		push	0
		push	0
		push	[ebp+var_24]
		call	NtWaitForSingleObject
		mov	edi, eax
		mov	[ebp+var_30], edi
		test	edi, edi
		js	short loc_9E95A0
		mov	[ebp+ms_exc.disabled], 5
		mov	eax, [ebp+var_20]
		mov	edi, [eax]
		mov	[ebp+var_30], edi
		mov	[ebp+ms_exc.disabled], ebx
		jmp	short loc_9E95A0
; 

loc_9E958D:				; DATA XREF: .text:006A9868o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E9591:				; DATA XREF: .text:006A986Co
		mov	esp, [ebp+ms_exc.old_esp]
		push	0FFFFFFFEh
		pop	ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [ebp+arg_0]
		mov	edi, [ebp+var_30]

loc_9E95A0:				; CODE XREF: NTFastDOSIO(x,x)+214j
					; NTFastDOSIO(x,x)+229j ...
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		test	edi, edi
		js	short loc_9E95CF
		xor	eax, eax
		mov	[esi+40h], ax
		mov	[ebp+ms_exc.disabled], 6
		mov	eax, [ebp+var_20]
		movzx	eax, word ptr [eax+4]
		or	[esi+40h], eax
		mov	[ebp+ms_exc.disabled], ebx
		jmp	short loc_9E9610
; 

loc_9E95C9:				; DATA XREF: .text:006A9874o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E95CD:				; DATA XREF: .text:006A9878o
		jmp	short loc_9E9606
; 

loc_9E95CF:				; CODE XREF: NTFastDOSIO(x,x)+25Dj
		cmp	[ebp+arg_4], 42h
		jnz	loc_9E93A3
		cmp	edi, 0C0000011h
		jnz	loc_9E93A3
		xor	eax, eax
		mov	[esi+40h], ax
		jmp	short loc_9E9610
; 

loc_9E95ED:				; CODE XREF: NTFastDOSIO(x,x)+B0j
					; NTFastDOSIO(x,x)+B9j	...
		or	edx, 1
		mov	[esi+70h], edx
		jmp	short loc_9E9610
; 

loc_9E95F5:				; DATA XREF: .text:006A9838o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E95F9:				; DATA XREF: .text:006A983Co
		jmp	short loc_9E95FF
; 

loc_9E95FB:				; DATA XREF: .text:006A982Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E95FF:				; CODE XREF: NTFastDOSIO(x,x):loc_9E95F9j
					; DATA XREF: .text:006A9830o
		mov	eax, [ebp+arg_0]
		or	dword ptr [eax+70h], 1

loc_9E9606:				; CODE XREF: NTFastDOSIO(x,x):loc_9E95CDj
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9E9610:				; CODE XREF: NTFastDOSIO(x,x)+30j
					; NTFastDOSIO(x,x)+59j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NTFastDOSIO@8	endp


;  S U B	R O U T	I N E 


; __stdcall VdmTraceEvent(x, x,	x, x)
_VdmTraceEvent@16 proc near		; CODE XREF: Ki386DispatchOpcode(x)+83p
					; Ki386DispatchOpcode(x)+99p ...
		retn	10h
_VdmTraceEvent@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmPrinterStatus(x,	x, x)
_VdmPrinterStatus@12 proc near		; CODE XREF: OpcodeINB+2Dp
					; OpcodeINBV86+2Cp

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= word ptr  8
arg_3		= byte ptr  0Bh
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	4Ch
		push	offset dword_6A98C8
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_2C], ebx
		lea	ecx, [ebp+var_2C]
		call	_VdmpGetVdmTib@4 ; VdmpGetVdmTib(x)
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_9E9705
		mov	[ebp+var_19], bl
		or	[ebp+var_38], 0FFFFFFFFh
		mov	esi, [ebp+var_2C]
		lea	eax, [esi+624h]
		mov	[ebp+var_3C], eax
		lea	edi, [esi+620h]
		mov	[ebp+var_4C], edi
		mov	[ebp+var_34], ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, 200000h
		mov	eax, 714h
		lock or	[eax], ecx
		movzx	ecx, [ebp+arg_0]
		movzx	eax, word ptr [esi+5D0h]
		inc	eax
		cmp	ecx, eax
		jnz	short loc_9E968C
		mov	eax, ebx
		jmp	short loc_9E96AC
; 

loc_9E968C:				; CODE XREF: VdmPrinterStatus(x,x,x)+61j
		movzx	eax, word ptr [esi+5D2h]
		inc	eax
		cmp	ecx, eax
		jnz	short loc_9E969D
		xor	eax, eax
		inc	eax
		jmp	short loc_9E96AC
; 

loc_9E969D:				; CODE XREF: VdmPrinterStatus(x,x,x)+71j
		movzx	eax, word ptr [esi+5D4h]
		inc	eax
		cmp	ecx, eax
		jnz	short loc_9E96FE
		push	2
		pop	eax

loc_9E96AC:				; CODE XREF: VdmPrinterStatus(x,x,x)+65j
					; VdmPrinterStatus(x,x,x)+76j
		mov	[ebp+var_28], eax
		movzx	edx, ax
		mov	[ebp+var_44], edx
		mov	al, [edx+esi+5E4h]
		mov	[ebp+arg_3], al
		mov	eax, large fs:124h
		mov	[ebp+var_54], eax
		mov	eax, [eax+80h]
		mov	ecx, [eax+0F4h]
		mov	[ebp+var_30], ecx
		mov	eax, [ecx+0A4h]
		add	eax, edx
		mov	[ebp+var_24], eax
		mov	eax, [ecx+9Ch]
		add	eax, edx
		mov	[ebp+var_58], eax
		mov	cl, [ebp+arg_3]
		cmp	cl, 2
		jnz	loc_9E9779
		cmp	byte ptr [eax],	0
		jz	short loc_9E9719

loc_9E96FE:				; CODE XREF: VdmPrinterStatus(x,x,x)+82j
					; VdmPrinterStatus(x,x,x)+126j	...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9E9705:				; CODE XREF: VdmPrinterStatus(x,x,x)+1Ej
					; VdmPrinterStatus(x,x,x)+245j
		xor	al, al

loc_9E9707:				; CODE XREF: VdmPrinterStatus(x,x,x)+24Dj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_9E9719:				; CODE XREF: VdmPrinterStatus(x,x,x)+D7j
		mov	eax, [ebp+var_30]
		mov	eax, [eax+0A8h]
		add	eax, edx
		mov	[ebp+var_40], eax
		mov	eax, [ebp+var_24]
		mov	al, [eax]
		test	al, al
		js	short loc_9E9753
		mov	eax, [ebp+var_40]
		mov	al, [eax]
		test	al, 1
		jnz	short loc_9E9753
		mov	eax, [ebp+var_30]
		mov	eax, [eax+0A0h]
		add	eax, edx
		mov	[ebp+var_5C], eax
		mov	al, [eax]
		test	al, 10h
		jnz	short loc_9E96FE
		mov	eax, [ebp+var_24]
		or	byte ptr [eax],	80h

loc_9E9753:				; CODE XREF: VdmPrinterStatus(x,x,x)+109j
					; VdmPrinterStatus(x,x,x)+112j
		mov	eax, [ebp+var_24]
		movzx	eax, byte ptr [eax]
		or	eax, 7
		mov	[edi], eax
		mov	edx, [ebp+arg_8]
		and	dword ptr [edx+40h], 0FFFFFF00h
		movzx	ecx, byte ptr [edi]
		or	ecx, [edx+40h]
		mov	[edx+40h], ecx
		mov	eax, [ebp+arg_4]
		add	[edx+68h], eax
		jmp	short loc_9E97B8
; 

loc_9E9779:				; CODE XREF: VdmPrinterStatus(x,x,x)+CEj
		cmp	cl, 3
		jnz	short loc_9E96FE
		cmp	[esi+edx*2+5E8h], bx
		jz	short loc_9E9796
		mov	ecx, [ebp+var_28]
		call	_VdmpFlushPrinterWriteData@4 ; VdmpFlushPrinterWriteData(x)
		mov	[ebp+var_20], eax
		mov	edx, [ebp+var_44]

loc_9E9796:				; CODE XREF: VdmPrinterStatus(x,x,x)+161j
		mov	eax, [esi+edx*4+5D8h]
		mov	[ebp+var_38], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebp+var_19], al
		xor	cl, cl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	[ebp+var_34], 1

loc_9E97B8:				; CODE XREF: VdmPrinterStatus(x,x,x)+152j
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_9E97E2
; 

loc_9E97C0:				; DATA XREF: .text:006A98DCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_48], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E97CE:				; DATA XREF: .text:006A98E0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_48]
		mov	[ebp+var_20], eax
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		xor	ebx, ebx
		mov	edi, [ebp+var_4C]

loc_9E97E2:				; CODE XREF: VdmPrinterStatus(x,x,x)+199j
		cmp	[ebp+var_34], 1
		jnz	short loc_9E9866
		push	1
		push	4
		push	edi
		push	ebx
		push	ebx
		push	2C000Ch
		push	[ebp+var_3C]
		push	ebx
		push	ebx
		xor	edx, edx
		mov	ecx, [ebp+var_38]
		call	_IopXxxControlFile@44 ;	IopXxxControlFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_20], eax
		mov	[ebp+ms_exc.disabled], 1
		test	eax, eax
		js	short loc_9E9818
		mov	eax, [ebp+var_3C]
		cmp	[eax], ebx
		jge	short loc_9E9821

loc_9E9818:				; CODE XREF: VdmPrinterStatus(x,x,x)+1EAj
		mov	dword ptr [edi], 7Fh
		mov	[ebp+var_20], ebx

loc_9E9821:				; CODE XREF: VdmPrinterStatus(x,x,x)+1F1j
		mov	edx, [ebp+arg_8]
		and	dword ptr [edx+40h], 0FFFFFF00h
		movzx	ecx, byte ptr [edi]
		or	ecx, [edx+40h]
		mov	[edx+40h], ecx
		mov	eax, [ebp+arg_4]
		add	[edx+68h], eax
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_9E985D
; 

loc_9E983F:				; DATA XREF: .text:006A98E8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_50], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E984D:				; DATA XREF: .text:006A98ECo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_50]
		mov	[ebp+var_20], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9E985D:				; CODE XREF: VdmPrinterStatus(x,x,x)+218j
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_9E9866:				; CODE XREF: VdmPrinterStatus(x,x,x)+1C1j
		cmp	[ebp+var_20], 0
		jl	loc_9E9705
		mov	al, 1
		jmp	loc_9E9707
_VdmPrinterStatus@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmPrinterWriteData(x, x, x)
_VdmPrinterWriteData@12	proc near	; CODE XREF: OpcodeOUTB+2Dp
					; OpcodeOUTBV86+2Cp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	14h
		push	offset dword_6A98A8
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		lea	ecx, [ebp+var_1C]
		call	_VdmpGetVdmTib@4 ; VdmpGetVdmTib(x)
		mov	edi, eax
		test	edi, edi
		js	loc_9E9920
		mov	ecx, [ebp+var_1C]
		add	ecx, 5C0h
		mov	[ebp+ms_exc.disabled], ebx
		mov	edx, 200000h
		mov	eax, 714h
		lock or	[eax], edx
		movzx	eax, word ptr [ebp+arg_0]
		cmp	ax, [ecx+10h]
		jz	short loc_9E98CF
		cmp	ax, [ecx+12h]
		jnz	short loc_9E98C6
		inc	ebx
		jmp	short loc_9E98CF
; 

loc_9E98C6:				; CODE XREF: VdmPrinterWriteData(x,x,x)+4Aj
		cmp	ax, [ecx+14h]
		jnz	short loc_9E9919
		push	2
		pop	ebx

loc_9E98CF:				; CODE XREF: VdmPrinterWriteData(x,x,x)+44j
					; VdmPrinterWriteData(x,x,x)+4Dj
		movzx	eax, bx
		cmp	byte ptr [eax+ecx+24h],	3
		jnz	short loc_9E9912
		lea	esi, [ecx+eax*2]
		shl	eax, 4
		movzx	edx, word ptr [esi+28h]
		add	eax, ecx
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+arg_8]
		mov	al, [eax+40h]
		mov	ecx, [ebp+arg_0]
		mov	[edx+ecx+2Eh], al
		inc	word ptr [esi+28h]
		cmp	word ptr [esi+28h], 10h
		jb	short loc_9E9907
		mov	ecx, ebx
		call	_VdmpFlushPrinterWriteData@4 ; VdmpFlushPrinterWriteData(x)

loc_9E9907:				; CODE XREF: VdmPrinterWriteData(x,x,x)+87j
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		add	[ecx+68h], eax
		jmp	short loc_9E994B
; 

loc_9E9912:				; CODE XREF: VdmPrinterWriteData(x,x,x)+60j
		mov	edi, 0C000001Dh
		jmp	short loc_9E9948
; 

loc_9E9919:				; CODE XREF: VdmPrinterWriteData(x,x,x)+53j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9E9920:				; CODE XREF: VdmPrinterWriteData(x,x,x)+1Dj
					; VdmPrinterWriteData(x,x,x)+DDj
		xor	al, al

loc_9E9922:				; CODE XREF: VdmPrinterWriteData(x,x,x)+E1j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_9E9934:				; DATA XREF: .text:006A98BCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E9942:				; DATA XREF: .text:006A98C0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_20]

loc_9E9948:				; CODE XREF: VdmPrinterWriteData(x,x,x)+A0j
		mov	[ebp+var_24], edi

loc_9E994B:				; CODE XREF: VdmPrinterWriteData(x,x,x)+99j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	edi, edi
		js	short loc_9E9920
		mov	al, 1
		jmp	short loc_9E9922
_VdmPrinterWriteData@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpFlushPrinterWriteData(x)
_VdmpFlushPrinterWriteData@4 proc near	; CODE XREF: VdmPrinterStatus(x,x,x)+166p
					; VdmPrinterWriteData(x,x,x)+8Bp ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= word ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

		push	30h
		push	offset dword_6A9880
		call	__SEH_prolog4
		mov	[ebp+var_20], cx
		xor	edi, edi
		mov	[ebp+var_28], edi
		lea	ecx, [ebp+var_28]
		call	_VdmpGetVdmTib@4 ; VdmpGetVdmTib(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9E9984
		xor	eax, eax
		jmp	loc_9E9A86
; 

loc_9E9984:				; CODE XREF: VdmpFlushPrinterWriteData(x)+21j
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		or	[ebp+var_34], 0FFFFFFFFh
		mov	eax, [ebp+var_28]
		lea	ebx, [eax+5C0h]
		mov	[ebp+var_3C], ebx
		add	eax, 624h
		mov	[ebp+var_28], eax
		mov	[ebp+ms_exc.disabled], edi
		movzx	eax, [ebp+var_20]
		mov	ecx, [ebx+eax*4+18h]
		test	ecx, ecx
		jz	short loc_9E99D7
		movzx	edx, word ptr [ebx+eax*2+28h]
		test	dx, dx
		jz	short loc_9E99D7
		cmp	byte ptr [eax+ebx+24h],	3
		jnz	short loc_9E99D7
		mov	[ebp+var_34], ecx
		shl	eax, 4
		add	eax, 2Eh
		add	eax, ebx
		mov	[ebp+var_30], eax
		mov	eax, edx
		mov	[ebp+var_2C], eax
		jmp	short loc_9E99DF
; 

loc_9E99D7:				; CODE XREF: VdmpFlushPrinterWriteData(x)+55j
					; VdmpFlushPrinterWriteData(x)+5Fj ...
		mov	esi, 0C000000Dh
		mov	[ebp+var_24], esi

loc_9E99DF:				; CODE XREF: VdmpFlushPrinterWriteData(x)+7Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9E9A0B
; 

loc_9E99E8:				; DATA XREF: .text:006A9894o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_38], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E99F6:				; DATA XREF: .text:006A9898o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_38]
		mov	[ebp+var_24], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	edi, edi
		mov	ebx, [ebp+var_3C]

loc_9E9A0B:				; CODE XREF: VdmpFlushPrinterWriteData(x)+8Cj
		test	esi, esi
		js	short loc_9E9A84
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebp+var_19], al
		xor	cl, cl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	1
		push	edi
		push	edi
		push	[ebp+var_2C]
		push	[ebp+var_30]
		push	2C0004h
		push	[ebp+var_28]
		push	edi
		push	edi
		xor	edx, edx
		mov	ecx, [ebp+var_34]
		call	_IopXxxControlFile@44 ;	IopXxxControlFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+ms_exc.disabled], 1
		movzx	eax, [ebp+var_20]
		xor	ecx, ecx
		mov	[ebx+eax*2+28h], cx
		test	esi, esi
		jns	short loc_9E9A74
		mov	eax, [ebp+var_28]
		mov	esi, [eax]
		jmp	short loc_9E9A71
; 

loc_9E9A5D:				; DATA XREF: .text:006A98A0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_40], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E9A6B:				; DATA XREF: .text:006A98A4o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_40]

loc_9E9A71:				; CODE XREF: VdmpFlushPrinterWriteData(x)+101j
		mov	[ebp+var_24], esi

loc_9E9A74:				; CODE XREF: VdmpFlushPrinterWriteData(x)+FAj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	cl, [ebp+var_19]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)

loc_9E9A84:				; CODE XREF: VdmpFlushPrinterWriteData(x)+B3j
		mov	eax, esi

loc_9E9A86:				; CODE XREF: VdmpFlushPrinterWriteData(x)+25j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VdmpFlushPrinterWriteData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpPrinterDirectIoClose(x)
_VdmpPrinterDirectIoClose@4 proc near	; CODE XREF: NtVdmControl(x,x)+188p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	24h
		push	offset dword_6A9910
		call	__SEH_prolog4
		mov	edi, ecx
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		test	edi, edi
		jnz	short loc_9E9AB7

loc_9E9AAD:				; CODE XREF: VdmpPrinterDirectIoClose(x)+41j
		mov	eax, 0C0000005h
		jmp	loc_9E9B8B
; 

loc_9E9AB7:				; CODE XREF: VdmpPrinterDirectIoClose(x)+15j
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:18h
		mov	eax, [eax+0F18h]
		mov	[ebp+var_24], eax
		mov	[ebp+var_34], eax
		test	eax, eax
		jnz	short loc_9E9AD9
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9E9AAD
; 

loc_9E9AD9:				; CODE XREF: VdmpPrinterDirectIoClose(x)+38j
		xor	esi, esi
		inc	esi
		push	esi
		push	678h
		push	eax
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		lea	ecx, [edi+2]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_9E9AF8
		cmp	ecx, edi
		jnb	short loc_9E9AFA

loc_9E9AF8:				; CODE XREF: VdmpPrinterDirectIoClose(x)+5Cj
		mov	[eax], bl

loc_9E9AFA:				; CODE XREF: VdmpPrinterDirectIoClose(x)+60j
		movzx	eax, word ptr [edi]
		mov	[ebp+var_20], eax
		push	0FFFFFFFEh
		pop	edx
		mov	[ebp+ms_exc.disabled], edx
		mov	[ebp+var_1C], ebx
		mov	[ebp+ms_exc.disabled], esi
		cmp	eax, 3
		jnb	short loc_9E9B2F
		mov	ecx, eax
		mov	eax, [ebp+var_24]
		cmp	byte ptr [ecx+eax+5E4h], 3
		jnz	short loc_9E9B37
		cmp	[eax+ecx*2+5E8h], bx
		jz	short loc_9E9B37
		mov	[ebp+var_1C], esi
		jmp	short loc_9E9B37
; 

loc_9E9B2F:				; CODE XREF: VdmpPrinterDirectIoClose(x)+79j
		mov	ebx, 0C000000Dh
		mov	[ebp+var_2C], ebx

loc_9E9B37:				; CODE XREF: VdmpPrinterDirectIoClose(x)+88j
					; VdmpPrinterDirectIoClose(x)+92j ...
		mov	[ebp+ms_exc.disabled], edx
		jmp	short loc_9E9B5D
; 

loc_9E9B3C:				; DATA XREF: .text:006A9930o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E9B4A:				; DATA XREF: .text:006A9934o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_28]
		mov	[ebp+var_2C], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	esi, esi
		inc	esi

loc_9E9B5D:				; CODE XREF: VdmpPrinterDirectIoClose(x)+A4j
		cmp	[ebp+var_1C], esi
		jnz	short loc_9E9B6C
		mov	ecx, [ebp+var_20]
		call	_VdmpFlushPrinterWriteData@4 ; VdmpFlushPrinterWriteData(x)
		mov	ebx, eax

loc_9E9B6C:				; CODE XREF: VdmpPrinterDirectIoClose(x)+CAj
		mov	eax, ebx
		jmp	short loc_9E9B8B
; 

loc_9E9B70:				; DATA XREF: .text:006A9924o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E9B7E:				; DATA XREF: .text:006A9928o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_30]

loc_9E9B8B:				; CODE XREF: VdmpPrinterDirectIoClose(x)+1Cj
					; VdmpPrinterDirectIoClose(x)+D8j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VdmpPrinterDirectIoClose@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpPrinterInitialize(x)
_VdmpPrinterInitialize@4 proc near	; CODE XREF: NtVdmControl(x,x)+19Bp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	24h
		push	offset dword_6A98F0
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_1C], esi
		lea	ecx, [ebp+var_1C]
		call	_VdmpGetVdmTib@4 ; VdmpGetVdmTib(x)
		mov	[ebp+var_30], eax
		test	eax, eax
		jns	short loc_9E9BC2
		xor	eax, eax
		jmp	loc_9E9C85
; 

loc_9E9BC2:				; CODE XREF: VdmpPrinterInitialize(x)+1Ej
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax+5C0h]
		mov	[ebp+var_20], ecx
		mov	esi, [eax+5C8h]
		mov	[ebp+var_24], esi
		mov	edi, [eax+5C4h]
		mov	[ebp+var_28], edi
		mov	ebx, [eax+5CCh]
		mov	[ebp+var_2C], ebx
		push	1
		push	3
		push	ecx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	1
		push	3
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	1
		push	3
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	1
		push	3
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+var_30]
		jmp	short loc_9E9C49
; 

loc_9E9C20:				; DATA XREF: .text:006A9904o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E9C2E:				; DATA XREF: .text:006A9908o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edx, [ebp+var_34]
		xor	esi, esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9E9C49:				; CODE XREF: VdmpPrinterInitialize(x)+83j
		test	edx, edx
		js	short loc_9E9C83
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [eax+0F4h]
		mov	eax, [ebp+var_20]
		mov	[ecx+9Ch], eax
		mov	eax, [ebp+var_24]
		mov	[ecx+0A4h], eax
		mov	eax, [ebp+var_28]
		mov	[ecx+0A0h], eax
		mov	eax, [ebp+var_2C]
		mov	[ecx+0A8h], eax

loc_9E9C83:				; CODE XREF: VdmpPrinterInitialize(x)+B0j
		mov	eax, edx

loc_9E9C85:				; CODE XREF: VdmpPrinterInitialize(x)+22j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VdmpPrinterInitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall GetIretHookAddress(x, x, x)
_GetIretHookAddress@12 proc near	; CODE XREF: VdmDispatchInterrupts(x,x)+160p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		inc	esi
		mov	edx, ecx
		mov	ecx, [ebp+arg_0]
		shl	esi, cl
		mov	eax, [edi+18h]
		test	[eax], esi
		jz	short loc_9E9CE3
		mov	eax, [edi+1Ch]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_9E9CE3
		mov	edx, [edx+70h]
		and	edx, 20000h
		jnz	short loc_9E9CC8
		mov	ecx, 1470006h

loc_9E9CC8:				; CODE XREF: GetIretHookAddress(x,x,x)+2Cj
		mov	eax, [edi+14h]
		or	[eax], esi
		xor	eax, eax
		test	edx, edx
		setz	al
		lea	eax, ds:4[eax*4]
		imul	eax, [ebp+arg_0]
		add	eax, ecx
		jmp	short loc_9E9CE5
; 

loc_9E9CE3:				; CODE XREF: GetIretHookAddress(x,x,x)+18j
					; GetIretHookAddress(x,x,x)+21j
		xor	eax, eax

loc_9E9CE5:				; CODE XREF: GetIretHookAddress(x,x,x)+4Cj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_GetIretHookAddress@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PushPmInterrupt(x, x, x, x)
_PushPmInterrupt@16 proc near		; CODE XREF: VdmDispatchInterrupts(x,x):loc_9EA361p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	34h
		push	offset dword_6A9978
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	esi, ecx
		xor	eax, eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1A], al
		mov	[ebp+ms_exc.disabled], eax
		mov	edi, [ebp+arg_0]
		mov	al, [edi+636h]
		mov	[ebp+var_19], al
		mov	[ebp+var_1A], al
		movzx	ecx, word ptr [edi+634h]
		lea	eax, [ecx+1]
		mov	[edi+634h], ax
		test	cx, cx
		jnz	short loc_9E9D66
		mov	eax, [esi+74h]
		mov	[edi+63Ch], eax
		mov	eax, [esi+68h]
		mov	[edi+640h], eax
		mov	ax, [esi+78h]
		mov	[edi+63Ah], ax
		mov	dword ptr [esi+74h], 1000h
		movzx	eax, word ptr [edi+638h]
		or	eax, 7
		mov	[esi+78h], eax

loc_9E9D66:				; CODE XREF: PushPmInterrupt(x,x,x,x)+48j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		movzx	eax, word ptr [esi+78h]
		push	eax
		call	_Ki386GetSelectorParameters@16 ; Ki386GetSelectorParameters(x,x,x,x)
		test	al, al
		jz	loc_9EA00E
		mov	ebx, [ebp+var_2C]
		mov	edx, [ebp+var_28]
		test	bl, 20h
		jz	short loc_9E9D9F
		shl	edx, 0Ch
		or	edx, 0FFFh

loc_9E9D9F:				; CODE XREF: PushPmInterrupt(x,x,x,x)+A9j
		cmp	edx, 0FFFFFFFFh
		jz	short loc_9E9DA5
		inc	edx

loc_9E9DA5:				; CODE XREF: PushPmInterrupt(x,x,x,x)+B7j
		mov	eax, ebx
		push	8
		pop	ecx
		mov	[ebp+var_38], ecx
		and	eax, ecx
		mov	[ebp+var_34], eax
		jz	short loc_9E9DB9
		mov	ecx, [esi+74h]
		jmp	short loc_9E9DBD
; 

loc_9E9DB9:				; CODE XREF: PushPmInterrupt(x,x,x,x)+C7j
		movzx	ecx, word ptr [esi+74h]

loc_9E9DBD:				; CODE XREF: PushPmInterrupt(x,x,x,x)+CCj
		mov	eax, [ebp+var_30]
		add	eax, ecx
		mov	[ebp+var_28], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_2C], ecx
		mov	al, [ebp+var_19]
		cmp	[ebp+var_24], 0
		jz	short loc_9E9DE0
		test	al, al
		jz	short loc_9E9DDD
		sub	ecx, 0Ch
		jmp	short loc_9E9DE0
; 

loc_9E9DDD:				; CODE XREF: PushPmInterrupt(x,x,x,x)+EBj
		sub	ecx, 6

loc_9E9DE0:				; CODE XREF: PushPmInterrupt(x,x,x,x)+E7j
					; PushPmInterrupt(x,x,x,x)+F0j
		test	al, al
		jz	short loc_9E9DE9
		sub	ecx, 18h
		jmp	short loc_9E9DEC
; 

loc_9E9DE9:				; CODE XREF: PushPmInterrupt(x,x,x,x)+F7j
		sub	ecx, 0Ch

loc_9E9DEC:				; CODE XREF: PushPmInterrupt(x,x,x,x)+FCj
		cmp	[ebp+var_34], 0
		jz	short loc_9E9DF7
		mov	[ebp+var_30], ecx
		jmp	short loc_9E9DFD
; 

loc_9E9DF7:				; CODE XREF: PushPmInterrupt(x,x,x,x)+105j
		movzx	edi, cx
		mov	[ebp+var_30], edi

loc_9E9DFD:				; CODE XREF: PushPmInterrupt(x,x,x,x)+10Aj
		mov	edi, [ebp+var_30]
		mov	[esi+74h], edi
		cmp	ecx, [ebp+var_2C]
		mov	edi, [ebp+arg_0]
		jnb	loc_9EA00E
		and	ebx, 10h
		jnz	short loc_9E9E1D
		cmp	[ebp+var_2C], edx
		ja	loc_9EA00E

loc_9E9E1D:				; CODE XREF: PushPmInterrupt(x,x,x,x)+127j
		test	ebx, ebx
		jz	short loc_9E9E29
		cmp	ecx, edx
		jb	loc_9EA00E

loc_9E9E29:				; CODE XREF: PushPmInterrupt(x,x,x,x)+134j
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, ds:_MmUserProbeAddress
		test	al, al
		mov	eax, [ebp+var_28]
		jz	short loc_9E9E9D
		add	eax, 0FFFFFFE8h
		cmp	eax, ecx
		jb	short loc_9E9E46
		mov	eax, ecx

loc_9E9E46:				; CODE XREF: PushPmInterrupt(x,x,x,x)+157j
		nop
		mov	al, [eax]
		mov	ecx, [ebp+var_20]
		push	4
		pop	ebx
		sub	ecx, ebx
		mov	[ebp+var_20], ecx
		mov	eax, [esi+70h]
		mov	[ecx], eax
		sub	ecx, ebx
		mov	[ebp+var_20], ecx
		mov	ax, [esi+6Ch]
		mov	[ecx], ax
		sub	ecx, ebx
		mov	[ebp+var_20], ecx
		mov	eax, [esi+68h]
		mov	[ecx], eax
		sub	ecx, ebx
		mov	[ebp+var_20], ecx
		mov	eax, [esi+70h]
		and	eax, 0FFFFFEFFh
		mov	[ecx], eax
		sub	ecx, ebx
		mov	[ebp+var_20], ecx
		movzx	eax, word ptr [edi+64Ah]
		mov	[ecx], eax
		sub	ecx, ebx
		mov	[ebp+var_20], ecx
		movzx	eax, word ptr [edi+648h]
		push	2
		pop	edx
		jmp	short loc_9E9EF5
; 

loc_9E9E9D:				; CODE XREF: PushPmInterrupt(x,x,x,x)+150j
		add	eax, 0FFFFFFF4h
		cmp	eax, ecx
		jb	short loc_9E9EA6
		mov	eax, ecx

loc_9E9EA6:				; CODE XREF: PushPmInterrupt(x,x,x,x)+1B7j
		nop
		mov	al, [eax]
		mov	ecx, [ebp+var_20]
		push	2
		pop	edx
		sub	ecx, edx
		mov	[ebp+var_20], ecx
		mov	ax, [esi+70h]
		mov	[ecx], ax
		sub	ecx, edx
		mov	[ebp+var_20], ecx
		mov	ax, [esi+6Ch]
		mov	[ecx], ax
		sub	ecx, edx
		mov	[ebp+var_20], ecx
		mov	ax, [esi+68h]
		mov	[ecx], ax
		sub	ecx, edx
		mov	[ebp+var_20], ecx
		mov	ax, [esi+70h]
		mov	ebx, 0FEFFh
		and	ax, bx
		mov	[ecx], ax
		push	4
		pop	ebx
		sub	ecx, ebx
		mov	[ebp+var_20], ecx
		mov	eax, [edi+644h]

loc_9E9EF5:				; CODE XREF: PushPmInterrupt(x,x,x,x)+1B0j
		mov	[ecx], eax
		mov	ecx, [edi+4]
		mov	eax, [ebp+arg_4]
		lea	eax, [ecx+eax*8]
		mov	[ebp+arg_0], eax
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_9E9F0F
		mov	eax, ecx

loc_9E9F0F:				; CODE XREF: PushPmInterrupt(x,x,x,x)+220j
		nop
		mov	al, [eax]
		mov	edi, [ebp+arg_0]
		mov	ax, [edi]
		push	7
		pop	ecx
		or	ax, cx
		movzx	eax, ax
		mov	ecx, [esi+70h]
		test	ecx, 20000h
		jnz	short loc_9E9F38
		or	eax, 3
		cmp	ax, word ptr [ebp+var_38]
		jnb	short loc_9E9F38
		push	1Bh
		pop	eax

loc_9E9F38:				; CODE XREF: PushPmInterrupt(x,x,x,x)+23Fj
					; PushPmInterrupt(x,x,x,x)+248j
		movzx	eax, ax
		mov	[esi+6Ch], eax
		mov	eax, [edi+4]
		mov	[esi+68h], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		and	ecx, 0FFFFFEFFh
		mov	[esi+70h], ecx
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_9E9FDA
		mov	edi, eax
		shr	edi, 10h
		mov	[ebp+ms_exc.disabled], edx
		mov	eax, [ebp+var_20]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	[ebp+var_1A], 0
		jz	short loc_9E9FA2
		add	eax, 0FFFFFFF4h
		cmp	eax, ecx
		jb	short loc_9E9F7B
		mov	eax, ecx

loc_9E9F7B:				; CODE XREF: PushPmInterrupt(x,x,x,x)+28Cj
		nop
		mov	al, [eax]
		mov	ecx, [ebp+var_20]
		sub	ecx, ebx
		mov	[ebp+var_20], ecx
		mov	eax, [esi+70h]
		mov	[ecx], eax
		sub	ecx, ebx
		mov	[ebp+var_20], ecx
		mov	[ecx], di
		sub	ecx, ebx
		mov	[ebp+var_20], ecx
		mov	edx, [ebp+var_24]
		movzx	eax, dx
		mov	[ecx], eax
		jmp	short loc_9E9FD3
; 

loc_9E9FA2:				; CODE XREF: PushPmInterrupt(x,x,x,x)+285j
		add	eax, 0FFFFFFFAh
		cmp	eax, ecx
		jb	short loc_9E9FAB
		mov	eax, ecx

loc_9E9FAB:				; CODE XREF: PushPmInterrupt(x,x,x,x)+2BCj
		nop
		mov	al, [eax]
		mov	ecx, [ebp+var_20]
		sub	ecx, edx
		mov	[ebp+var_20], ecx
		mov	ax, [esi+70h]
		mov	[ecx], ax
		sub	ecx, edx
		mov	[ebp+var_20], ecx
		mov	[ecx], di
		sub	ecx, edx
		mov	[ebp+var_20], ecx
		mov	edx, [ebp+var_24]
		movzx	eax, dx
		mov	[ecx], ax

loc_9E9FD3:				; CODE XREF: PushPmInterrupt(x,x,x,x)+2B5j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9E9FDA:				; CODE XREF: PushPmInterrupt(x,x,x,x)+26Ej
		xor	eax, eax
		jmp	short loc_9EA030
; 

loc_9E9FDE:				; DATA XREF: .text:006A99A4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E9FEC:				; DATA XREF: .text:006A99A8o
		mov	eax, [ebp+var_3C]
		jmp	short loc_9EA002
; 

loc_9E9FF1:				; DATA XREF: .text:006A9998o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_40], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9E9FFF:				; DATA XREF: .text:006A999Co
		mov	eax, [ebp+var_40]

loc_9EA002:				; CODE XREF: PushPmInterrupt(x,x,x,x)+304j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9EA030
; 

loc_9EA00E:				; CODE XREF: PushPmInterrupt(x,x,x,x)+9Aj
					; PushPmInterrupt(x,x,x,x)+11Ej ...
		mov	eax, 0C0000005h
		jmp	short loc_9EA030
; 

loc_9EA015:				; DATA XREF: .text:006A998Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_44], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9EA023:				; DATA XREF: .text:006A9990o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_44]

loc_9EA030:				; CODE XREF: PushPmInterrupt(x,x,x,x)+2F1j
					; PushPmInterrupt(x,x,x,x)+321j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PushPmInterrupt@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PushRmInterrupt(x, x, x, x)
_PushRmInterrupt@16 proc near		; CODE XREF: VdmDispatchInterrupts(x,x)+176p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	1Ch
		push	offset dword_6A99B0
		call	__SEH_prolog4
		mov	[ebp+var_28], edx
		mov	esi, ecx
		mov	edi, [esi+78h]
		shl	edi, 4
		movzx	eax, word ptr [esi+74h]
		and	[ebp+ms_exc.disabled], 0
		mov	edx, eax
		lea	eax, [edi-6]
		add	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_9EA074
		mov	eax, ecx

loc_9EA074:				; CODE XREF: PushRmInterrupt(x,x,x,x)+2Ej
		nop
		mov	al, [eax]
		lea	eax, [edx-2]
		movzx	eax, ax
		mov	[ebp+var_1C], eax
		mov	ecx, eax
		mov	ax, [esi+70h]
		mov	[ecx+edi], ax
		lea	eax, [ecx-2]
		movzx	eax, ax
		mov	[ebp+var_1C], eax
		mov	ecx, eax
		mov	ax, [esi+6Ch]
		mov	[ecx+edi], ax
		lea	eax, [ecx-2]
		movzx	eax, ax
		mov	[ebp+var_1C], eax
		mov	ebx, eax
		mov	ax, [esi+68h]
		mov	[ebx+edi], ax
		mov	edx, [ebp+var_28]
		test	edx, edx
		jz	short loc_9EA109
		lea	eax, [edi-6]
		add	eax, ebx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_9EA0C8
		mov	eax, ecx

loc_9EA0C8:				; CODE XREF: PushRmInterrupt(x,x,x,x)+82j
		nop
		mov	al, [eax]
		lea	eax, [ebx-2]
		movzx	eax, ax
		mov	[ebp+var_1C], eax
		mov	ecx, eax
		mov	ax, [esi+70h]
		mov	ebx, 0FEFFh
		and	ax, bx
		mov	[ecx+edi], ax
		lea	eax, [ecx-2]
		movzx	eax, ax
		mov	[ebp+var_1C], eax
		mov	ecx, eax
		mov	eax, edx
		shr	eax, 10h
		mov	[ecx+edi], ax
		lea	eax, [ecx-2]
		movzx	eax, ax
		mov	[ebp+var_1C], eax
		mov	ebx, eax
		mov	[ebx+edi], dx

loc_9EA109:				; CODE XREF: PushRmInterrupt(x,x,x,x)+73j
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+4]
		mov	edx, [ebp+arg_4]
		lea	eax, [eax+edx*8]
		mov	[ebp+var_2C], eax
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_9EA124
		mov	eax, ecx

loc_9EA124:				; CODE XREF: PushRmInterrupt(x,x,x,x)+DEj
		nop
		mov	al, [eax]
		mov	eax, [ebp+var_2C]
		test	byte ptr [eax+2], 4
		jz	short loc_9EA153
		movzx	ecx, word ptr [edi+656h]
		mov	[ebp+var_24], ecx
		movzx	eax, word ptr [edi+654h]
		mov	[ebp+var_20], eax
		sub	ecx, edx
		mov	[ebp+var_24], ecx
		shl	edx, 4
		add	eax, edx
		mov	[ebp+var_20], eax
		jmp	short loc_9EA176
; 

loc_9EA153:				; CODE XREF: PushRmInterrupt(x,x,x,x)+ECj
		mov	ecx, edx
		shl	ecx, 2
		mov	eax, ecx
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		jb	short loc_9EA166
		mov	eax, edx

loc_9EA166:				; CODE XREF: PushRmInterrupt(x,x,x,x)+120j
		nop
		mov	al, [eax]
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_20], eax
		movzx	ecx, word ptr [ecx+2]
		mov	[ebp+var_24], ecx

loc_9EA176:				; CODE XREF: PushRmInterrupt(x,x,x,x)+10Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[esi+74h], ebx
		movzx	eax, ax
		mov	[esi+68h], eax
		test	dword ptr [esi+70h], 20000h
		jnz	short loc_9EA19B
		or	ecx, 3
		cmp	cx, 8
		jnb	short loc_9EA19B
		push	1Bh
		pop	ecx

loc_9EA19B:				; CODE XREF: PushRmInterrupt(x,x,x,x)+14Bj
					; PushRmInterrupt(x,x,x,x)+154j
		movzx	eax, cx
		mov	[esi+6Ch], eax
		jmp	short loc_9EA1B1
; 

loc_9EA1A3:				; DATA XREF: .text:006A99C4o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9EA1A7:				; DATA XREF: .text:006A99C8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9EA1B1:				; CODE XREF: PushRmInterrupt(x,x,x,x)+15Fj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_PushRmInterrupt@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmDispatchInterrupts(x, x)
_VdmDispatchInterrupts@8 proc near	; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+247p
					; VdmpStartExecution()+1A9p ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	20h
		push	offset dword_6A9A58
		call	__SEH_prolog4
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_28], 9
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+0F4h]
		mov	esi, [eax+90h]
		and	[ebp+ms_exc.disabled], 0
		mov	edx, [esi+24h]
		mov	ecx, [esi]
		call	_VdmpEnterIcaLock@8 ; VdmpEnterIcaLock(x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		jns	short loc_9EA20C

loc_9EA206:				; CODE XREF: VdmDispatchInterrupts(x,x)+FEj
		push	eax

loc_9EA207:				; CODE XREF: VdmDispatchInterrupts(x,x)+1B4j
					; VdmDispatchInterrupts(x,x)+1F2j
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_9EA20C:				; CODE XREF: VdmDispatchInterrupts(x,x)+41j
		mov	eax, [esi+10h]
		cmp	dword ptr [eax], 0
		jz	short loc_9EA21B
		mov	ecx, esi
		call	_VdmpRestartDelayedInterrupts@4	; VdmpRestartDelayedInterrupts(x)

loc_9EA21B:				; CODE XREF: VdmDispatchInterrupts(x,x)+4Fj
					; VdmDispatchInterrupts(x,x)+ECj
		push	0FFFFFFFEh
		pop	edi
		mov	edx, [ebx+70h]
		bt	edx, 11h
		setb	cl
		test	byte ptr _KeI386VirtualIntExtensions, 1
		setnz	al
		test	cl, al
		jz	short loc_9EA23F
		and	edx, 0FFEFFFFFh
		mov	[ebx+70h], edx

loc_9EA23F:				; CODE XREF: VdmDispatchInterrupts(x,x)+71j
		mov	eax, 714h
		lock and [eax],	edi
		mov	edi, [esi+4]
		mov	[ebp+var_20], edi
		mov	[ebp+var_2C], edi
		mov	edx, edi
		mov	ecx, esi
		call	_VdmpIcaAccept@8 ; VdmpIcaAccept(x,x)
		mov	edx, eax
		mov	[ebp+var_24], edx
		test	edx, edx
		js	short loc_9EA29D
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		mov	byte ptr [ebp+arg_0+3],	al
		mov	ecx, [esi+4]
		test	[ecx+32h], al
		jz	short loc_9EA299
		mov	edi, [esi+8]
		mov	[ebp+var_20], edi
		mov	[ebp+var_2C], edi
		mov	edx, edi
		mov	ecx, esi
		call	_VdmpIcaAccept@8 ; VdmpIcaAccept(x,x)
		mov	edx, eax
		mov	[ebp+var_24], edx
		test	edx, edx
		jns	short loc_9EA2D3
		mov	eax, [esi+4]
		mov	cl, byte ptr [ebp+arg_0+3]
		not	cl
		and	[eax+30h], cl

loc_9EA299:				; CODE XREF: VdmDispatchInterrupts(x,x)+AEj
		test	edx, edx
		jns	short loc_9EA2D3

loc_9EA29D:				; CODE XREF: VdmDispatchInterrupts(x,x)+9Dj
		mov	eax, [esi+10h]
		cmp	dword ptr [eax], 0
		jz	short loc_9EA2B5
		mov	ecx, esi
		call	_VdmpRestartDelayedInterrupts@4	; VdmpRestartDelayedInterrupts(x)
		cmp	eax, 0FFFFFFFFh
		jnz	loc_9EA21B

loc_9EA2B5:				; CODE XREF: VdmDispatchInterrupts(x,x)+E0j
		mov	ecx, [esi]
		call	_VdmpLeaveIcaLock@4 ; VdmpLeaveIcaLock(x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	loc_9EA206
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_9EA3FA
; 

loc_9EA2D3:				; CODE XREF: VdmDispatchInterrupts(x,x)+C9j
					; VdmDispatchInterrupts(x,x)+D8j
		test	byte ptr [edi+2Ch], 20h
		jz	short loc_9EA301
		mov	[ebp+var_28], 3
		mov	edi, [ebp+arg_4]
		mov	dword ptr [edi+5B0h], 20000h
		mov	eax, [ebp+var_20]
		cmp	eax, [esi+8]
		jnz	short loc_9EA307
		mov	dword ptr [edi+5B0h], 30000h
		jmp	short loc_9EA307
; 

loc_9EA301:				; CODE XREF: VdmDispatchInterrupts(x,x)+114j
		mov	edi, [ebp+arg_4]
		mov	eax, [ebp+var_20]

loc_9EA307:				; CODE XREF: VdmDispatchInterrupts(x,x)+130j
					; VdmDispatchInterrupts(x,x)+13Cj
		movzx	ecx, word ptr [eax+28h]
		add	ecx, edx
		mov	[ebp+arg_4], ecx
		mov	[ebp+arg_0], ecx
		cmp	eax, [esi+8]
		jnz	short loc_9EA31E
		add	edx, 8
		mov	[ebp+var_24], edx

loc_9EA31E:				; CODE XREF: VdmDispatchInterrupts(x,x)+153j
		push	edx
		mov	edx, esi
		mov	ecx, ebx
		call	_GetIretHookAddress@12 ; GetIretHookAddress(x,x,x)
		push	[ebp+arg_4]
		mov	edx, eax
		mov	ecx, ebx
		push	edi
		test	dword ptr [ebx+70h], 20000h
		jz	short loc_9EA361
		call	_PushRmInterrupt@16 ; PushRmInterrupt(x,x,x,x)

loc_9EA33E:				; CODE XREF: VdmDispatchInterrupts(x,x)+1A8j
		mov	edx, [ebx+70h]
		bt	edx, 11h
		setb	cl
		test	byte ptr _KeI386VirtualIntExtensions, 1
		setnz	al
		test	cl, al
		jz	short loc_9EA37C
		and	edx, 0FFF7FFFFh
		mov	[ebx+70h], edx
		jmp	short loc_9EA38C
; 

loc_9EA361:				; CODE XREF: VdmDispatchInterrupts(x,x)+174j
		call	_PushPmInterrupt@16 ; PushPmInterrupt(x,x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		jns	short loc_9EA33E
		mov	ecx, [esi]
		call	_VdmpLeaveIcaLock@4 ; VdmpLeaveIcaLock(x)
		push	[ebp+var_1C]
		jmp	loc_9EA207
; 

loc_9EA37C:				; CODE XREF: VdmDispatchInterrupts(x,x)+191j
		mov	eax, 0FFFFFDFFh
		mov	ecx, 714h
		lock and [ecx],	eax
		mov	edx, [ebx+70h]

loc_9EA38C:				; CODE XREF: VdmDispatchInterrupts(x,x)+19Cj
		and	edx, 0FFFFBEFFh
		mov	[ebx+70h], edx
		mov	ecx, large fs:124h
		xor	edx, edx
		inc	edx
		call	KeBoostPriorityThread
		mov	ecx, [esi]
		call	_VdmpLeaveIcaLock@4 ; VdmpLeaveIcaLock(x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jns	short loc_9EA3BA
		push	esi
		jmp	loc_9EA207
; 

loc_9EA3BA:				; CODE XREF: VdmDispatchInterrupts(x,x)+1EFj
		cmp	[ebp+var_28], 9
		jz	short loc_9EA3F1
		mov	dword ptr [edi+5A8h], 3
		and	dword ptr [edi+5ACh], 0
		push	edi
		push	ebx
		call	_VdmEndExecution@8 ; VdmEndExecution(x,x)
		jmp	short loc_9EA3F1
; 

loc_9EA3DA:				; DATA XREF: .text:006A9A6Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9EA3E8:				; DATA XREF: .text:006A9A70o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_30]
		mov	[ebp+var_1C], esi

loc_9EA3F1:				; CODE XREF: VdmDispatchInterrupts(x,x)+1FBj
					; VdmDispatchInterrupts(x,x)+215j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi

loc_9EA3FA:				; CODE XREF: VdmDispatchInterrupts(x,x)+10Bj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_VdmDispatchInterrupts@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpDispatchableIntPending(x)
_VdmpDispatchableIntPending@4 proc near	; CODE XREF: VdmpQueueIntApcRoutine(x,x,x,x,x)+171p

ms_exc		= CPPEH_RECORD ptr -18h

		push	8
		push	offset dword_6A9938
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		test	ecx, 20000h
		jz	short loc_9EA44C
		test	byte ptr _KeI386VirtualIntExtensions, 1
		jz	short loc_9EA440
		test	ecx, 80000h

loc_9EA433:				; CODE XREF: VdmpDispatchableIntPending(x)+3Ej
					; VdmpDispatchableIntPending(x)+5Aj
		jz	short loc_9EA46F
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, 1
		jmp	short loc_9EA478
; 

loc_9EA440:				; CODE XREF: VdmpDispatchableIntPending(x)+1Fj
		mov	eax, large ds:714h
		test	eax, 200h
		jmp	short loc_9EA433
; 

loc_9EA44C:				; CODE XREF: VdmpDispatchableIntPending(x)+16j
		mov	eax, large ds:714h
		mov	esi, 200h
		test	eax, esi
		jnz	short loc_9EA45F
		call	_VdmCheckPMCliTimeStamp@0 ; VdmCheckPMCliTimeStamp()

loc_9EA45F:				; CODE XREF: VdmpDispatchableIntPending(x)+4Cj
		mov	eax, large ds:714h
		test	eax, esi
		jmp	short loc_9EA433
; 

loc_9EA468:				; DATA XREF: .text:006A994Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_9EA46C:				; DATA XREF: .text:006A9950o
		mov	esp, [ebp+ms_exc.old_esp]

loc_9EA46F:				; CODE XREF: VdmpDispatchableIntPending(x):loc_9EA433j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	al, al

loc_9EA478:				; CODE XREF: VdmpDispatchableIntPending(x)+32j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VdmpDispatchableIntPending@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpEnterIcaLock(x,	x)
_VdmpEnterIcaLock@8 proc near		; CODE XREF: VdmDispatchInterrupts(x,x)+37p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:18h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		mov	ebx, [eax+24h]
		cmp	dword ptr [esi+10h], 0
		jnz	short loc_9EA4B0
		mov	eax, 0C0000008h
		jmp	loc_9EA54E
; 

loc_9EA4B0:				; CODE XREF: VdmpEnterIcaLock(x,x)+1Cj
		xor	eax, eax
		mov	[ebp+var_C], 4
		push	edi
		inc	eax
		lea	edi, [esi+4]

loc_9EA4BE:				; CODE XREF: VdmpEnterIcaLock(x,x)+B2j
		mov	[ebp+var_4], eax

loc_9EA4C1:				; CODE XREF: VdmpEnterIcaLock(x,x)+61j
					; VdmpEnterIcaLock(x,x)+7Cj
		mov	edx, [edi]
		test	dl, 1
		jz	short loc_9EA4DF

loc_9EA4C8:				; CODE XREF: VdmpEnterIcaLock(x,x)+55j
		mov	ecx, eax
		mov	eax, edx
		xor	ecx, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_9EA53C
		mov	edx, eax
		test	al, 1
		mov	eax, [ebp+var_4]
		jnz	short loc_9EA4C8

loc_9EA4DF:				; CODE XREF: VdmpEnterIcaLock(x,x)+3Ej
		cmp	[esi+0Ch], ebx
		jz	short loc_9EA548
		mov	edx, [edi]
		test	dl, 1
		jnz	short loc_9EA4C1

loc_9EA4EB:				; CODE XREF: VdmpEnterIcaLock(x,x)+77j
		mov	ecx, edx
		mov	eax, edx
		sub	ecx, [ebp+var_C]
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_9EA51F
		mov	edx, [edi]
		test	dl, 1
		jz	short loc_9EA4EB
		mov	eax, [ebp+var_4]
		jmp	short loc_9EA4C1
; 

loc_9EA506:				; CODE XREF: VdmpEnterIcaLock(x,x)+A6j
		js	short loc_9EA54D
		mov	ecx, ebx
		call	_VdmpIsThreadTerminating@4 ; VdmpIsThreadTerminating(x)
		test	eax, eax
		jnz	short loc_9EA54D
		mov	ecx, [esi+0Ch]
		call	_VdmpIsThreadTerminating@4 ; VdmpIsThreadTerminating(x)
		test	eax, eax
		jnz	short loc_9EA54D

loc_9EA51F:				; CODE XREF: VdmpEnterIcaLock(x,x)+70j
		push	[ebp+var_8]
		push	0
		push	dword ptr [esi+10h]
		call	NtWaitForSingleObject
		test	eax, eax
		jnz	short loc_9EA506
		push	3
		pop	eax
		mov	[ebp+var_C], 2
		jmp	short loc_9EA4BE
; 

loc_9EA53C:				; CODE XREF: VdmpEnterIcaLock(x,x)+4Cj
		mov	[esi+0Ch], ebx
		mov	dword ptr [esi+8], 1
		jmp	short loc_9EA54B
; 

loc_9EA548:				; CODE XREF: VdmpEnterIcaLock(x,x)+5Aj
		inc	dword ptr [esi+8]

loc_9EA54B:				; CODE XREF: VdmpEnterIcaLock(x,x)+BEj
		xor	eax, eax

loc_9EA54D:				; CODE XREF: VdmpEnterIcaLock(x,x):loc_9EA506j
					; VdmpEnterIcaLock(x,x)+89j ...
		pop	edi

loc_9EA54E:				; CODE XREF: VdmpEnterIcaLock(x,x)+23j
		pop	esi
		pop	ebx
		leave
		retn
_VdmpEnterIcaLock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpIcaAccept(x, x)
_VdmpIcaAccept@8 proc near		; CODE XREF: VdmDispatchInterrupts(x,x)+91p
					; VdmDispatchInterrupts(x,x)+BDp

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6A99D0
		call	__SEH_prolog4
		mov	esi, edx
		and	dword ptr [esi+24h], 0
		and	[ebp+ms_exc.disabled], 0
		call	_VdmpIcaScan@8	; VdmpIcaScan(x,x)
		mov	ecx, eax
		mov	[ebp+var_1C], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	ecx, ecx
		js	short loc_9EA5A9
		mov	dl, 1
		shl	dl, cl
		or	[esi+30h], dl
		dec	dword ptr [esi+ecx*4]
		mov	eax, [esi+ecx*4]
		test	eax, eax
		jg	short loc_9EA597
		not	dl
		and	[esi+2Fh], dl
		and	dword ptr [esi+ecx*4], 0

loc_9EA597:				; CODE XREF: VdmpIcaAccept(x,x)+3Aj
		mov	eax, ecx
		jmp	short loc_9EA5AC
; 

loc_9EA59B:				; DATA XREF: .text:006A99E4o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9EA59F:				; DATA XREF: .text:006A99E8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9EA5A9:				; CODE XREF: VdmpIcaAccept(x,x)+29j
		or	eax, 0FFFFFFFFh

loc_9EA5AC:				; CODE XREF: VdmpIcaAccept(x,x)+47j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VdmpIcaAccept@8 endp


;  S U B	R O U T	I N E 


; __stdcall VdmpIcaScan(x, x)
_VdmpIcaScan@8	proc near		; CODE XREF: VdmpIcaAccept(x,x)+16p
					; VdmpRestartDelayedInterrupts(x)+1Dp ...
		mov	eax, [ecx+14h]
		push	ebx
		push	esi
		mov	esi, [ecx+0Ch]
		mov	eax, [eax]
		push	edi
		mov	edi, edx
		or	eax, [esi]
		cmp	edi, [ecx+8]
		jnz	short loc_9EA5D3
		shr	eax, 8

loc_9EA5D3:				; CODE XREF: VdmpIcaScan(x,x)+12j
		movzx	edx, byte ptr [edi+31h]
		movzx	eax, al
		or	edx, eax
		movzx	eax, byte ptr [edi+2Fh]
		not	edx
		and	edx, eax
		jz	short loc_9EA618
		mov	eax, 300h
		xor	esi, esi
		mov	ebx, esi
		test	[edi+2Ch], ax
		jnz	short loc_9EA5F9
		movzx	ebx, byte ptr [edi+30h]

loc_9EA5F9:				; CODE XREF: VdmpIcaScan(x,x)+37j
		movzx	edi, word ptr [edi+2Ah]

loc_9EA5FD:				; CODE XREF: VdmpIcaScan(x,x)+5Aj
		mov	ecx, edi
		mov	al, 1
		and	ecx, 7
		shl	al, cl
		movzx	eax, al
		test	eax, ebx
		jnz	short loc_9EA618
		test	eax, edx
		jnz	short loc_9EA61F
		inc	esi
		inc	edi
		cmp	esi, 8
		jl	short loc_9EA5FD

loc_9EA618:				; CODE XREF: VdmpIcaScan(x,x)+28j
					; VdmpIcaScan(x,x)+4Fj
		or	eax, 0FFFFFFFFh

loc_9EA61B:				; CODE XREF: VdmpIcaScan(x,x)+65j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_9EA61F:				; CODE XREF: VdmpIcaScan(x,x)+53j
		mov	eax, ecx
		jmp	short loc_9EA61B
_VdmpIcaScan@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpIsThreadTerminating(x)
_VdmpIsThreadTerminating@4 proc	near	; CODE XREF: VdmpEnterIcaLock(x,x)+82p
					; VdmpEnterIcaLock(x,x)+8Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		test	ecx, ecx
		jnz	short loc_9EA637
		xor	eax, eax
		leave
		retn
; 

loc_9EA637:				; CODE XREF: VdmpIsThreadTerminating(x)+Ej
		mov	eax, large fs:18h
		mov	[ebp+var_8], ecx
		mov	eax, [eax+20h]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		lea	eax, [ebp+var_C]
		push	eax
		call	PsLookupProcessThreadByCid
		test	eax, eax
		js	short locret_9EA680
		mov	eax, [ebp+var_4]
		mov	edx, 496D6456h
		push	ebx
		mov	ebx, [eax+2FCh]
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObjectWithTag
		and	bl, 1
		movzx	eax, bl
		neg	eax
		pop	ebx
		sbb	eax, eax
		and	eax, 0C000004Bh

locret_9EA680:				; CODE XREF: VdmpIsThreadTerminating(x)+34j
		leave
		retn
_VdmpIsThreadTerminating@4 endp


;  S U B	R O U T	I N E 


; __stdcall VdmpLeaveIcaLock(x)
_VdmpLeaveIcaLock@4 proc near		; CODE XREF: VdmDispatchInterrupts(x,x)+F4p
					; VdmDispatchInterrupts(x,x)+1ACp ...
		mov	edx, large fs:18h
		push	esi
		mov	esi, ecx
		mov	eax, [esi+0Ch]
		cmp	eax, [edx+24h]
		jz	short loc_9EA69B
		mov	eax, 0C000005Ah
		pop	esi
		retn
; 

loc_9EA69B:				; CODE XREF: VdmpLeaveIcaLock(x)+10j
		sub	dword ptr [esi+8], 1
		push	edi
		jnz	short loc_9EA6CC
		and	dword ptr [esi+0Ch], 0
		lea	edi, [esi+4]

loc_9EA6A9:				; CODE XREF: VdmpLeaveIcaLock(x)+3Ej
					; VdmpLeaveIcaLock(x)+5Aj
		mov	edx, [edi]
		cmp	edx, 0FFFFFFFEh
		jz	short loc_9EA6D1
		test	dl, 2
		jz	short loc_9EA6D1
		lea	ecx, [edx+3]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_9EA6A9
		push	0
		push	dword ptr [esi+10h]
		call	NtSetEvent

loc_9EA6CC:				; CODE XREF: VdmpLeaveIcaLock(x)+1Ej
					; VdmpLeaveIcaLock(x)+5Cj
		pop	edi
		xor	eax, eax
		pop	esi
		retn
; 

loc_9EA6D1:				; CODE XREF: VdmpLeaveIcaLock(x)+2Cj
					; VdmpLeaveIcaLock(x)+31j
		lea	ecx, [edx+1]
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jnz	short loc_9EA6A9
		jmp	short loc_9EA6CC
_VdmpLeaveIcaLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpQueueIntNormalRoutine(x, x, x)
_VdmpQueueIntNormalRoutine@12 proc near	; DATA XREF: VdmpDelayIntDpcRoutine(x,x,x,x)+78o
					; VdmpDelayIntDpcRoutine(x,x,x,x)+9Bo ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	10h
		push	offset dword_6A9A10
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+0F4h]
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [eax+90h]
		mov	eax, [eax+20h]
		mov	ecx, [eax]
		mov	[ebp+var_20], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ds:_ExEventObjectType
		mov	[ebp+var_1C], esi
		push	esi
		lea	edx, [ebp+var_1C]
		push	edx
		push	1
		push	eax
		push	2
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9EA757
		push	esi
		push	1
		push	[ebp+var_1C]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject
		jmp	short loc_9EA757
; 

loc_9EA749:				; DATA XREF: .text:006A9A24o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9EA74D:				; DATA XREF: .text:006A9A28o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9EA757:				; CODE XREF: VdmpQueueIntNormalRoutine(x,x,x)+52j
					; VdmpQueueIntNormalRoutine(x,x,x)+67j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_VdmpQueueIntNormalRoutine@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpRestartDelayedInterrupts(x)
_VdmpRestartDelayedInterrupts@4	proc near ; CODE XREF: VdmDispatchInterrupts(x,x)+53p
					; VdmDispatchInterrupts(x,x)+E4p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6A99F0
		call	__SEH_prolog4
		mov	esi, ecx
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [esi+10h]
		and	dword ptr [eax], 0
		mov	edi, [esi+8]
		mov	edx, edi
		call	_VdmpIcaScan@8	; VdmpIcaScan(x,x)
		mov	[ebp+var_1C], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9EA7BE
		mov	[edi+20h], eax
		mov	eax, [esi+8]
		xor	edi, edi
		inc	edi
		mov	[eax+24h], edi
		mov	eax, [esi+8]
		movzx	edx, byte ptr [eax+32h]
		mov	[ebp+var_1C], edx
		mov	ecx, [esi+4]
		movzx	eax, byte ptr [ecx+2Fh]
		bts	eax, edx
		mov	[ecx+2Fh], al
		mov	eax, [esi+4]
		inc	dword ptr [eax+edx*4]
		jmp	short loc_9EA7C1
; 

loc_9EA7BE:				; CODE XREF: VdmpRestartDelayedInterrupts(x)+28j
		xor	edi, edi
		inc	edi

loc_9EA7C1:				; CODE XREF: VdmpRestartDelayedInterrupts(x)+53j
		mov	ebx, [esi+4]
		mov	edx, ebx
		mov	ecx, esi
		call	_VdmpIcaScan@8	; VdmpIcaScan(x,x)
		mov	[ebp+var_1C], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9EA7ED
		mov	[ebx+24h], edi
		mov	ecx, [esi+4]
		mov	[ecx+20h], edi
		jmp	short loc_9EA7ED
; 

loc_9EA7E0:				; DATA XREF: .text:006A9A04o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9EA7E4:				; DATA XREF: .text:006A9A08o
		mov	esp, [ebp+ms_exc.old_esp]
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_1C], eax

loc_9EA7ED:				; CODE XREF: VdmpRestartDelayedInterrupts(x)+6Aj
					; VdmpRestartDelayedInterrupts(x)+75j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VdmpRestartDelayedInterrupts@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpRundownRoutine(x)
_VdmpRundownRoutine@4 proc near		; DATA XREF: KeVdmInsertQueueApc(x,x,x,x,x,x,x,x)+DDo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_0]
		call	_VdmpDelayIntApcRoutine@20 ; VdmpDelayIntApcRoutine(x,x,x,x,x)
		mov	esp, ebp
		pop	ebp
		retn	4
_VdmpRundownRoutine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmpInitialize(x)
_VdmpInitialize@4 proc near		; CODE XREF: NtVdmControl(x,x)+EDp

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	60h
		push	offset dword_6A9AB8
		call	__SEH_prolog4
		mov	edx, ecx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_70]
		rep stosd
		xor	ebx, ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	eax, large fs:18h
		mov	[eax+0F18h], ebx
		cmp	[esi+0F4h], ebx
		jz	short loc_9EA87F

loc_9EA875:				; CODE XREF: VdmpInitialize(x)+45Cj
		mov	eax, 0C0000001h
		jmp	loc_9EACE0
; 

loc_9EA87F:				; CODE XREF: VdmpInitialize(x)+53j
		mov	eax, [edx+4]
		mov	[ebp+var_1C], eax
		mov	eax, [edx]
		mov	[ebp+var_44], eax
		cmp	[edx+8], bl
		jnz	loc_9EAA0D
		push	offset ??_C@_1CO@GCKPAJAM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAP?$AAh?$AAy?$AAs?$AAi?$AAc?$AAa@NNGAKEGL@ ; "\\Device\\PhysicalMemory"
		lea	eax, [ebp+var_58]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_70], 18h
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_64], 240h
		lea	eax, [ebp+var_58]
		mov	[ebp+var_68], eax
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], ebx
		lea	eax, [ebp+var_70]
		push	eax
		push	4
		lea	eax, [ebp+var_20]
		push	eax
		call	_ZwOpenSection@12 ; ZwOpenSection(x,x,x)
		test	eax, eax
		js	loc_9EACE0
		mov	ecx, 1000h
		mov	[ebp+var_28], ecx
		push	2
		push	ebx
		push	2
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		push	ecx
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	0FFFFFFFFh
		push	[ebp+var_20]
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_9EA90F

loc_9EA900:				; CODE XREF: VdmpInitialize(x)+182j
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)

loc_9EA908:				; CODE XREF: VdmpInitialize(x)+221j
					; VdmpInitialize(x)+229j
		mov	eax, edi
		jmp	loc_9EACE0
; 

loc_9EA90F:				; CODE XREF: VdmpInitialize(x)+DEj
		mov	edi, ebx
		mov	[ebp+ms_exc.disabled], ebx
		push	[ebp+var_28]	; size_t
		push	[ebp+var_24]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9EA94F
; 

loc_9EA92C:				; DATA XREF: .text:006A9ACCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9EA93A:				; DATA XREF: .text:006A9AD0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_3C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_2C]
		mov	[ebp+var_30], esi

loc_9EA94F:				; CODE XREF: VdmpInitialize(x)+10Aj
		push	[ebp+var_24]
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		js	loc_9EAA34
		test	edi, edi
		js	loc_9EAA34
		mov	[ebp+var_24], ebx
		mov	ecx, 40000h
		mov	[ebp+var_28], ecx
		mov	[ebp+var_50], 0C0000h
		mov	[ebp+var_4C], ebx
		push	2
		push	ebx
		push	2
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		push	ecx
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	0FFFFFFFFh
		push	[ebp+var_20]
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9EA900
		mov	edi, ebx
		mov	[ebp+ms_exc.disabled], 1
		push	[ebp+var_28]	; size_t
		push	[ebp+var_24]	; void *
		push	0C0000h		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9EA9F0
; 

loc_9EA9CD:				; DATA XREF: .text:006A9AD8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_40], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9EA9DB:				; DATA XREF: .text:006A9ADCo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_40]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_2C]
		mov	[ebp+var_30], esi

loc_9EA9F0:				; CODE XREF: VdmpInitialize(x)+1ABj
		push	[ebp+var_24]
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		js	short loc_9EAA34
		test	edi, edi
		js	short loc_9EAA34
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)

loc_9EAA0D:				; CODE XREF: VdmpInitialize(x)+6Dj
		push	204D4456h
		push	0C0h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_38], edi
		test	edi, edi
		jnz	short loc_9EAA4E
		mov	eax, 0C0000017h
		jmp	loc_9EACE0
; 

loc_9EAA34:				; CODE XREF: VdmpInitialize(x)+13Ej
					; VdmpInitialize(x)+146j ...
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_38]
		test	eax, eax
		jns	loc_9EA908
		mov	edi, eax
		jmp	loc_9EA908
; 

loc_9EAA4E:				; CODE XREF: VdmpInitialize(x)+208j
		push	0C0h
		push	200h
		push	esi
		call	_PsChargeProcessPoolQuota@12 ; PsChargeProcessPoolQuota(x,x,x)
		mov	[ebp+var_34], eax
		test	eax, eax
		js	loc_9EAAFC
		push	0C0h		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		inc	eax
		mov	[edi+64h], eax
		mov	[edi+68h], ebx
		mov	[edi+6Ch], ebx
		push	ebx
		push	eax
		lea	eax, [edi+70h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	[edi+84h], ebx
		lea	eax, [edi+88h]
		mov	[eax+4], eax
		mov	[eax], eax
		push	204D4456h
		push	2Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+90h], eax
		test	eax, eax
		jnz	short loc_9EAACF
		push	0C0h
		push	200h
		push	esi
		call	_PsReturnPoolQuota@12 ;	PsReturnPoolQuota(x,x,x)
		mov	esi, 0C0000017h
		jmp	short loc_9EAAFF
; 

loc_9EAACF:				; CODE XREF: VdmpInitialize(x)+296j
		push	2Ch
		push	1
		push	esi
		call	_PsChargeProcessPoolQuota@12 ; PsChargeProcessPoolQuota(x,x,x)
		mov	[ebp+var_34], eax
		test	eax, eax
		jns	short loc_9EAB0D
		push	0C0h
		push	200h
		push	esi
		call	_PsReturnPoolQuota@12 ;	PsReturnPoolQuota(x,x,x)
		push	ebx
		push	dword ptr [edi+90h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9EAAFC:				; CODE XREF: VdmpInitialize(x)+243j
		mov	esi, [ebp+var_34]

loc_9EAAFF:				; CODE XREF: VdmpInitialize(x)+2ADj
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	loc_9EACE0
; 

loc_9EAB0D:				; CODE XREF: VdmpInitialize(x)+2BEj
		mov	[ebp+ms_exc.disabled], 2
		mov	ecx, [ebp+var_1C]
		lea	edx, [ecx+2Ch]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_9EAB27
		cmp	edx, ecx
		jnb	short loc_9EAB29

loc_9EAB27:				; CODE XREF: VdmpInitialize(x)+301j
		mov	[eax], bl

loc_9EAB29:				; CODE XREF: VdmpInitialize(x)+305j
		push	0Bh
		pop	ecx
		mov	esi, [ebp+var_1C]
		mov	edi, [edi+90h]
		rep movsd
		mov	edi, [ebp+var_38]
		mov	eax, [edi+90h]
		mov	[ebp+var_1C], eax
		mov	ecx, [eax+20h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9EAB51
		mov	ecx, eax

loc_9EAB51:				; CODE XREF: VdmpInitialize(x)+32Dj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax+28h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9EAB66
		mov	ecx, eax

loc_9EAB66:				; CODE XREF: VdmpInitialize(x)+342j
		mov	eax, [ecx]
		mov	[ecx], eax
		push	1
		push	18h
		mov	esi, [ebp+var_1C]
		push	dword ptr [esi]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	1
		push	34h
		push	dword ptr [esi+4]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	1
		push	34h
		push	dword ptr [esi+8]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [esi+18h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9EAB9E
		mov	ecx, eax

loc_9EAB9E:				; CODE XREF: VdmpInitialize(x)+37Aj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax+0Ch]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9EABB3
		mov	ecx, eax

loc_9EABB3:				; CODE XREF: VdmpInitialize(x)+38Fj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax+10h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9EABC8
		mov	ecx, eax

loc_9EABC8:				; CODE XREF: VdmpInitialize(x)+3A4j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax+14h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9EABDD
		mov	ecx, eax

loc_9EABDD:				; CODE XREF: VdmpInitialize(x)+3B9j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [ebp+var_1C]
		mov	ecx, [eax+1Ch]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_9EABF2
		mov	ecx, eax

loc_9EABF2:				; CODE XREF: VdmpInitialize(x)+3CEj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+24h]
		test	al, 3
		jz	short loc_9EAC05
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9EAC05:				; CODE XREF: VdmpInitialize(x)+3DEj
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		jb	short loc_9EAC11
		mov	eax, ecx

loc_9EAC11:				; CODE XREF: VdmpInitialize(x)+3EDj
		nop
		mov	al, [eax]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, large fs:124h
		mov	[ebp+var_38], esi
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	[edi+94h], esi
		mov	edx, edi
		mov	esi, [ebp+var_30]
		lea	ecx, [esi+0F4h]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		test	eax, eax
		jz	short loc_9EAC81
		push	0C0h
		push	200h
		push	esi
		call	_PsReturnPoolQuota@12 ;	PsReturnPoolQuota(x,x,x)
		push	2Ch
		push	1
		push	esi
		call	_PsReturnPoolQuota@12 ;	PsReturnPoolQuota(x,x,x)
		push	ebx
		push	dword ptr [edi+90h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_38]
		call	ObfDereferenceObject
		jmp	loc_9EA875
; 

loc_9EAC81:				; CODE XREF: VdmpInitialize(x)+425j
		mov	eax, [ebp+var_44]
		mov	[esi+0A8h], eax
		mov	eax, [ebp+var_34]
		jmp	short loc_9EACE0
; 

loc_9EAC8F:				; DATA XREF: .text:006A9AE4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_48], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9EAC9D:				; DATA XREF: .text:006A9AE8o
		mov	esp, [ebp+ms_exc.old_esp]
		push	0C0h
		push	200h
		push	[ebp+var_2C]
		call	_PsReturnPoolQuota@12 ;	PsReturnPoolQuota(x,x,x)
		push	2Ch
		push	1
		push	[ebp+var_2C]
		call	_PsReturnPoolQuota@12 ;	PsReturnPoolQuota(x,x,x)
		xor	ebx, ebx
		push	ebx
		mov	esi, [ebp+var_38]
		push	dword ptr [esi+90h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_48]

loc_9EACE0:				; CODE XREF: VdmpInitialize(x)+5Aj
					; VdmpInitialize(x)+AFj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VdmpInitialize@4 endp


;  S U B	R O U T	I N E 


; __stdcall VmCheckLargePageInswap(x)
_VmCheckLargePageInswap@4 proc near	; CODE XREF: MmInSwapWorkingSet+F7613p
					; MmOutSwapWorkingSet:loc_5C8576p
		mov	eax, [ecx+3E4h]
		test	eax, eax
		jz	short loc_9EAD04
		test	byte ptr [eax+2Ch], 1
		jz	short loc_9EAD04
		xor	eax, eax
		inc	eax
		retn
; 

loc_9EAD04:				; CODE XREF: VmCheckLargePageInswap(x)+8j
					; VmCheckLargePageInswap(x)+Ej
		xor	eax, eax
		retn
_VmCheckLargePageInswap@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmPrefetchVirtualAddresses(x, x, x)
_VmPrefetchVirtualAddresses@12 proc near ; CODE	XREF: MmInSwapWorkingSet+F762Fp
					; NtSetInformationVirtualMemory+12FB6Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		push	esi
		mov	eax, [eax+80h]
		push	edi
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], eax
		mov	ecx, [eax+3E4h]
		test	ecx, ecx
		jnz	short loc_9EAD3B
		mov	esi, 0C000009Dh
		jmp	loc_9EADBD
; 

loc_9EAD3B:				; CODE XREF: VmPrefetchVirtualAddresses(x,x,x)+28j
		cmp	[ebp+arg_0], 0
		jz	short loc_9EAD4B
		push	ebx
		call	_VmpPrefetchVirtualAddresses@12	; VmpPrefetchVirtualAddresses(x,x,x)
		mov	esi, eax
		jmp	short loc_9EADBD
; 

loc_9EAD4B:				; CODE XREF: VmPrefetchVirtualAddresses(x,x,x)+38j
		push	63506D56h
		lea	eax, ds:20h[ebx*8]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9EAD6F
		mov	esi, 0C000009Ah
		jmp	short loc_9EADBD
; 

loc_9EAD6F:				; CODE XREF: VmPrefetchVirtualAddresses(x,x,x)+5Fj
		mov	ecx, [ebp+var_4]
		xor	esi, esi
		mov	[edi+4], esi
		mov	[edi+10h], esi
		mov	[edi+14h], esi
		mov	[edi+18h], esi
		mov	dword ptr [edi+8], offset _VmpPrefetchWorker@4 ; VmpPrefetchWorker(x)
		mov	[edi+0Ch], edi
		mov	[edi], esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebp+var_4]
		lea	ecx, [edi+1Fh]
		mov	[edi+10h], eax
		and	ecx, 0FFFFFFFCh
		mov	eax, ebx
		mov	[edi+18h], ebx
		shl	eax, 3
		push	eax		; size_t
		push	[ebp+var_8]	; void *
		mov	[edi+14h], ecx
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	1
		push	edi
		call	ExQueueWorkItem

loc_9EADBD:				; CODE XREF: VmPrefetchVirtualAddresses(x,x,x)+2Fj
					; VmPrefetchVirtualAddresses(x,x,x)+42j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_VmPrefetchVirtualAddresses@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmAccessFault(x, x,	x, x, x, x, x)
_VmAccessFault@28 proc near

var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_210		= dword	ptr -210h
var_208		= dword	ptr -208h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 23Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+23Ch+var_4], eax
		mov	ecx, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[esp+244h+var_224], ecx
		test	[ebp+arg_C], 0FFFFFF80h
		push	edi
		mov	edi, [ebp+arg_8]
		jz	short loc_9EADFF
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9EADFF:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+35j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+3E4h]
		mov	[esp+248h+var_210], eax
		test	eax, eax
		jnz	short loc_9EAE25
		int	2Ch		; Internal routine for MSDOS (IRET)
		mov	edi, 0C0000088h
		jmp	loc_9EB063
; 

loc_9EAE25:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+51j
		mov	eax, [ebp+arg_C]
		and	al, 38h
		cmp	al, 20h
		jnz	short loc_9EAE38
		mov	edx, ecx
		mov	ecx, ebx
		push	edi
		call	_VmpPrefetchForVirtualFault@12 ; VmpPrefetchForVirtualFault(x,x,x)

loc_9EAE38:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+66j
		xor	eax, eax
		lea	edx, [esp+248h+var_208]
		push	10h
		mov	[esp+24Ch+var_230], eax
		pop	eax
		mov	[esp+248h+var_21C], eax
		mov	[esp+248h+var_220], edx
		cmp	edi, eax
		ja	short loc_9EAE56
		cmp	[ebx+8], eax
		jbe	short loc_9EAEB6

loc_9EAE56:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+89j
		inc	dword_6FCC8C
		mov	ecx, offset _VmpLargeFaultBatchLookasideList
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9EAE95
		inc	dword_6FCC90
		push	offset _VmpLargeFaultBatchLookasideList
		push	dword_6FCCA0
		push	dword_6FCCA4
		push	dword_6FCC9C
		call	dword_6FCCA8
		mov	esi, eax
		test	esi, esi
		jz	short loc_9EAEB6

loc_9EAE95:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+A4j
		mov	eax, 200h
		lea	ecx, [esi+10h]
		mov	[esp+258h+var_22C], eax
		mov	[esi], eax
		lea	eax, [ecx+4000h]
		mov	[esp+258h+var_230], ecx
		mov	[esi+4], ecx
		mov	[esi+8], eax
		mov	[esi+0Ch], eax

loc_9EAEB6:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+8Ej
					; VmAccessFault(x,x,x,x,x,x,x)+CDj
		shl	edi, 4
		add	edi, ebx
		mov	[esp+258h+var_224], edi
		cmp	ebx, edi
		jnb	loc_9EB028

loc_9EAEC7:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+233j
		mov	eax, [ebx+8]
		and	[esp+258h+var_238], 0
		mov	ecx, [ebx]
		mov	edx, [ebx+4]
		mov	[esp+258h+var_21C], eax
		add	eax, ecx
		mov	[esp+258h+var_228], eax
		mov	eax, [esp+258h+var_234]
		adc	[esp+258h+var_238], edx
		mov	[esp+258h+var_248], ecx
		mov	[esp+258h+var_244], edx
		mov	eax, [eax]
		mov	[esp+258h+var_23C], eax
		mov	eax, _VmpTraceLoggingProvider
		test	eax, eax
		jz	short loc_9EAF37
		cmp	dword ptr [eax], 0
		jbe	short loc_9EAF37
		push	0
		push	8
		mov	ecx, eax
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9EAF2F
		push	[ebp+arg_14]
		mov	edx, [esp+25Ch+var_23C]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[esp+264h+var_21C]
		push	[esp+268h+var_244]
		push	[esp+26Ch+var_248]
		call	_VmpLogAccessFault@32 ;	VmpLogAccessFault(x,x,x,x,x,x,x,x)

loc_9EAF2F:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+149j
		mov	edx, [esp+258h+var_244]
		mov	ecx, [esp+258h+var_248]

loc_9EAF37:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+135j
					; VmAccessFault(x,x,x,x,x,x,x)+13Aj
		cmp	edx, [esp+258h+var_238]
		ja	loc_9EAFEF
		jb	short loc_9EAF4D
		cmp	ecx, [esp+258h+var_228]
		jnb	loc_9EAFEF

loc_9EAF4D:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+17Bj
					; VmAccessFault(x,x,x,x,x,x,x)+213j ...
		mov	eax, ds:_MmHighestUserAddress
		mov	edx, [esp+258h+var_23C]
		shr	eax, 0Ch
		cmp	edx, eax
		jbe	short loc_9EAF5F
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9EAF5F:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+195j
		mov	ecx, [esp+258h+var_240]
		mov	eax, edx
		mov	edx, [esp+258h+var_230]
		mov	edi, 0FFFFFh
		shl	ecx, 5
		and	eax, edi
		mov	[ecx+edx+0Ch], eax
		mov	eax, [esp+258h+var_244]
		and	eax, edi
		mov	edi, [esp+258h+var_248]
		mov	[ecx+edx+10h], edi
		mov	edi, [esp+258h+var_240]
		inc	edi
		mov	[ecx+edx+14h], eax
		mov	[esp+258h+var_240], edi
		cmp	edi, [esp+258h+var_22C]
		jnz	short loc_9EAFBB
		push	[ebp+arg_18]
		mov	ecx, [esp+25Ch+var_220]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	esi
		push	edi
		call	_VmpAccessFaultBatch@32	; VmpAccessFaultBatch(x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9EB02A
		xor	eax, eax
		mov	[esp+258h+var_240], eax

loc_9EAFBB:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+1D0j
		mov	ecx, [esp+258h+var_248]
		mov	edx, [esp+258h+var_244]
		add	ecx, 1
		mov	[esp+258h+var_248], ecx
		adc	edx, 0
		inc	[esp+258h+var_23C]
		mov	[esp+258h+var_244], edx
		cmp	edx, [esp+258h+var_238]
		jb	loc_9EAF4D
		ja	short loc_9EAFEB
		cmp	ecx, [esp+258h+var_228]
		jb	loc_9EAF4D

loc_9EAFEB:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+219j
		mov	edi, [esp+258h+var_224]

loc_9EAFEF:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+175j
					; VmAccessFault(x,x,x,x,x,x,x)+181j
		add	[esp+258h+var_234], 4
		add	ebx, 10h
		cmp	ebx, edi
		jb	loc_9EAEC7
		mov	eax, [esp+258h+var_240]
		test	eax, eax
		jz	short loc_9EB028
		push	[ebp+arg_18]
		mov	edx, [esp+25Ch+var_230]
		push	[ebp+arg_14]
		mov	ecx, [esp+260h+var_220]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	esi
		push	eax
		call	_VmpAccessFaultBatch@32	; VmpAccessFaultBatch(x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9EB02A

loc_9EB028:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+FBj
					; VmAccessFault(x,x,x,x,x,x,x)+23Fj
		xor	edi, edi

loc_9EB02A:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+1EDj
					; VmAccessFault(x,x,x,x,x,x,x)+260j
		test	esi, esi
		jz	short loc_9EB063
		mov	ax, word_6FCC84
		inc	dword_6FCC94
		cmp	ax, word_6FCC88
		jb	short loc_9EB057
		inc	dword_6FCC98
		push	offset _VmpLargeFaultBatchLookasideList
		push	esi
		call	dword_6FCCAC
		jmp	short loc_9EB063
; 

loc_9EB057:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+27Bj
		mov	edx, esi
		mov	ecx, offset _VmpLargeFaultBatchLookasideList
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_9EB063:				; CODE XREF: VmAccessFault(x,x,x,x,x,x,x)+5Aj
					; VmAccessFault(x,x,x,x,x,x,x)+266j ...
		mov	ecx, [esp+258h+var_14]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_VmAccessFault@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmCreateMemoryProcess(x, x,	x, x, x, x)
_VmCreateMemoryProcess@24 proc near

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_C]
		lea	edx, [ebp+var_8]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		push	edi
		mov	al, [ebx+3A6h]
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	byte ptr [ebp+arg_0], al
		call	_VmpMapCreateMemoryProcessFlags@8 ; VmpMapCreateMemoryProcessFlags(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9EB124
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_10]
		mov	eax, ecx
		mov	ecx, ebx
		and	eax, 20h
		push	esi
		or	eax, 40h
		shr	eax, 3
		push	eax
		push	[ebp+var_8]
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		push	esi
		call	PsCreateMinimalProcess
		mov	edi, eax
		test	edi, edi
		js	short loc_9EB117
		test	byte ptr [ebp+arg_C], 8
		mov	edi, [ebp+var_4]
		jnz	short loc_9EB10E
		push	esi
		lea	eax, [ebp+arg_C]
		mov	[ebp+arg_C], esi
		push	eax
		push	esi
		push	ds:_PsProcessType
		push	esi
		push	edi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, 2000h
		lea	eax, [ecx+3A8h]
		lock or	[eax], edx
		call	ObfDereferenceObject

loc_9EB10E:				; CODE XREF: VmCreateMemoryProcess(x,x,x,x,x,x)+64j
		mov	eax, [ebp+arg_14]
		mov	[eax], edi
		mov	edi, esi
		jmp	short loc_9EB11A
; 

loc_9EB117:				; CODE XREF: VmCreateMemoryProcess(x,x,x,x,x,x)+5Bj
		mov	esi, [ebp+var_4]

loc_9EB11A:				; CODE XREF: VmCreateMemoryProcess(x,x,x,x,x,x)+99j
		test	esi, esi
		jz	short loc_9EB124
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_9EB124:				; CODE XREF: VmCreateMemoryProcess(x,x,x,x,x,x)+2Dj
					; VmCreateMemoryProcess(x,x,x,x,x,x)+A0j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_VmCreateMemoryProcess@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmCreateMemoryRange(x, x, x, x, x, x)
_VmCreateMemoryRange@24	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+80h]
		xor	edi, edi
		cmp	ds:_VmTbFlushEnabled, 0
		jnz	short loc_9EB153
		mov	ds:_VmTbFlushEnabled, 1

loc_9EB153:				; CODE XREF: VmCreateMemoryRange(x,x,x,x,x,x)+1Dj
		add	ebx, 3E4h
		mov	esi, [ebx]
		test	esi, esi
		jnz	short loc_9EB1A7
		push	63506D56h
		push	38h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9EB180

loc_9EB176:				; CODE XREF: VmCreateMemoryRange(x,x,x,x,x,x)+CEj
		mov	esi, 0C000009Ah
		jmp	loc_9EB25D
; 

loc_9EB180:				; CODE XREF: VmCreateMemoryRange(x,x,x,x,x,x)+47j
		mov	edx, [ebp+arg_10]
		mov	ecx, esi	; void *
		call	_VmpProcessContextInitialize@8 ; VmpProcessContextInitialize(x,x)
		mov	ecx, esi
		xor	eax, eax
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jz	short loc_9EB1A7
		mov	ecx, esi
		call	_VmpProcessContextCleanup@4 ; VmpProcessContextCleanup(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebx]

loc_9EB1A7:				; CODE XREF: VmCreateMemoryRange(x,x,x,x,x,x)+30j
					; VmCreateMemoryRange(x,x,x,x,x,x)+67j
		mov	edx, [ebp+arg_14]
		test	edx, edx
		jz	short loc_9EB1B7
		mov	ecx, esi
		call	_VmpDecodePreallocationRangeHandle@8 ; VmpDecodePreallocationRangeHandle(x,x)
		mov	edi, eax

loc_9EB1B7:				; CODE XREF: VmCreateMemoryRange(x,x,x,x,x,x)+7Fj
		push	[ebp+arg_10]
		mov	ebx, [ebp+arg_4]
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		push	ebx
		push	[ebp+arg_0]
		call	_VmpValidateMemoryRangeParameters@20 ; VmpValidateMemoryRangeParameters(x,x,x,x,x)
		test	eax, eax
		jz	short loc_9EB1D7
		mov	esi, 0C000000Dh
		jmp	short loc_9EB252
; 

loc_9EB1D7:				; CODE XREF: VmCreateMemoryRange(x,x,x,x,x,x)+A1j
		mov	eax, [esi+24h]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9EB1EB
		cmp	eax, [ebp+arg_10]
		jz	short loc_9EB1EB
		mov	esi, 0C0000719h
		jmp	short loc_9EB252
; 

loc_9EB1EB:				; CODE XREF: VmCreateMemoryRange(x,x,x,x,x,x)+B0j
					; VmCreateMemoryRange(x,x,x,x,x,x)+B5j
		test	edi, edi
		jnz	short loc_9EB201
		push	edi
		push	1
		call	_VmpAllocateMemoryRanges@8 ; VmpAllocateMemoryRanges(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_9EB176

loc_9EB201:				; CODE XREF: VmCreateMemoryRange(x,x,x,x,x,x)+C0j
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+arg_C]
		mov	ecx, [edi+14h]
		shr	eax, 0Ch
		mov	[edi+0Ch], eax
		dec	eax
		push	[ebp+arg_10]
		add	eax, edx
		mov	[edi+10h], eax
		mov	eax, [ebp+arg_0]
		shrd	eax, ebx, 0Ch
		mov	[ebp+arg_8], eax
		mov	[ecx+18h], eax
		xor	eax, eax
		shr	ebx, 0Ch
		add	edx, [ebp+arg_8]
		mov	[ecx+1Ch], ebx
		adc	eax, ebx
		add	edx, 0FFFFFFFFh
		mov	[ecx+20h], edx
		mov	edx, edi
		adc	eax, 0FFFFFFFFh
		mov	[ecx+24h], eax
		mov	ecx, esi
		call	_VmpInsertMemoryRange@12 ; VmpInsertMemoryRange(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9EB252
		xor	edi, edi
		xor	esi, esi

loc_9EB252:				; CODE XREF: VmCreateMemoryRange(x,x,x,x,x,x)+A8j
					; VmCreateMemoryRange(x,x,x,x,x,x)+BCj	...
		test	edi, edi
		jz	short loc_9EB25D
		mov	ecx, edi
		call	_VmpFreeMemoryRanges@4 ; VmpFreeMemoryRanges(x)

loc_9EB25D:				; CODE XREF: VmCreateMemoryRange(x,x,x,x,x,x)+4Ej
					; VmCreateMemoryRange(x,x,x,x,x,x)+127j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
_VmCreateMemoryRange@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmDeleteMemoryRange(x, x, x, x, x)
_VmDeleteMemoryRange@20	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		push	[ebp+arg_10]
		mov	edi, [ebp+arg_0]
		push	esi
		push	edi
		call	_VmpValidateMemoryRangeParameters@20 ; VmpValidateMemoryRangeParameters(x,x,x,x,x)
		test	eax, eax
		jz	short loc_9EB28E
		mov	eax, 0C000000Dh
		jmp	short loc_9EB2CC
; 

loc_9EB28E:				; CODE XREF: VmDeleteMemoryRange(x,x,x,x,x)+1Fj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+3E4h]
		test	eax, eax
		jnz	short loc_9EB2AB
		mov	eax, 0C0000088h
		jmp	short loc_9EB2CC
; 

loc_9EB2AB:				; CODE XREF: VmDeleteMemoryRange(x,x,x,x,x)+3Cj
		push	[ebp+arg_10]
		shrd	edi, esi, 0Ch
		push	[ebp+arg_C]
		shr	ecx, 0Ch
		shr	esi, 0Ch
		mov	edx, ecx
		push	esi
		push	edi
		mov	ecx, eax
		call	_VmpRemoveMemoryRange@24 ; VmpRemoveMemoryRange(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9EB2CC
		xor	eax, eax

loc_9EB2CC:				; CODE XREF: VmDeleteMemoryRange(x,x,x,x,x)+26j
					; VmDeleteMemoryRange(x,x,x,x,x)+43j ...
		pop	edi
		pop	esi
		pop	ebp
		retn	14h
_VmDeleteMemoryRange@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmFreePreallocationForRangeCreate(x)
_VmFreePreallocationForRangeCreate@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [eax+3E4h]
		test	ecx, ecx
		jnz	short loc_9EB2F1
		int	2Ch		; Internal routine for MSDOS (IRET)
		jmp	short loc_9EB300
; 

loc_9EB2F1:				; CODE XREF: VmFreePreallocationForRangeCreate(x)+19j
		mov	edx, [ebp+arg_0]
		call	_VmpDecodePreallocationRangeHandle@8 ; VmpDecodePreallocationRangeHandle(x,x)
		mov	ecx, eax
		call	_VmpFreeMemoryRanges@4 ; VmpFreeMemoryRanges(x)

loc_9EB300:				; CODE XREF: VmFreePreallocationForRangeCreate(x)+1Dj
		pop	ebp
		retn	4
_VmFreePreallocationForRangeCreate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmMergeMemoryRanges(x, x)
_VmMergeMemoryRanges@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0FFFFFFFFh
		jnz	short loc_9EB316

loc_9EB30F:				; CODE XREF: VmMergeMemoryRanges(x,x)+1Bj
		mov	eax, 0C000000Dh
		jmp	short loc_9EB349
; 

loc_9EB316:				; CODE XREF: VmMergeMemoryRanges(x,x)+9j
		mov	edx, [ebp+arg_0]
		test	edx, 0FFFh
		jnz	short loc_9EB30F
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [eax+3E4h]
		test	ecx, ecx
		jnz	short loc_9EB33E
		mov	eax, 0C0000088h
		jmp	short loc_9EB349
; 

loc_9EB33E:				; CODE XREF: VmMergeMemoryRanges(x,x)+31j
		push	[ebp+arg_4]
		shr	edx, 0Ch
		call	_VmpMergeMemoryRanges@12 ; VmpMergeMemoryRanges(x,x,x)

loc_9EB349:				; CODE XREF: VmMergeMemoryRanges(x,x)+10j
					; VmMergeMemoryRanges(x,x)+38j
		pop	ebp
		retn	8
_VmMergeMemoryRanges@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmPauseResumeNotify(x)
_VmPauseResumeNotify@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [eax+3E4h]
		test	ecx, ecx
		jnz	short loc_9EB36F
		mov	eax, 0C0000088h
		jmp	short loc_9EB377
; 

loc_9EB36F:				; CODE XREF: VmPauseResumeNotify(x)+19j
		mov	edx, [ebp+arg_0]
		call	_VmpPauseResumeNotify@8	; VmpPauseResumeNotify(x,x)

loc_9EB377:				; CODE XREF: VmPauseResumeNotify(x)+20j
		pop	ebp
		retn	4
_VmPauseResumeNotify@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmPreallocateForRangeCreate(x)
_VmPreallocateForRangeCreate@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	eax, [eax+80h]
		mov	edi, [eax+3E4h]
		test	edi, edi
		jnz	short loc_9EB3A1
		int	2Ch		; Internal routine for MSDOS (IRET)
		mov	esi, 0C00000BBh
		jmp	short loc_9EB3C1
; 

loc_9EB3A1:				; CODE XREF: VmPreallocateForRangeCreate(x)+1Bj
		xor	esi, esi
		push	esi
		push	1
		call	_VmpAllocateMemoryRanges@8 ; VmpAllocateMemoryRanges(x,x)
		test	eax, eax
		jnz	short loc_9EB3B6
		mov	esi, 0C000009Ah
		jmp	short loc_9EB3C1
; 

loc_9EB3B6:				; CODE XREF: VmPreallocateForRangeCreate(x)+32j
		lock inc dword ptr [edi+28h]
		mov	ecx, [ebp+arg_0]
		xor	eax, edi
		mov	[ecx], eax

loc_9EB3C1:				; CODE XREF: VmPreallocateForRangeCreate(x)+24j
					; VmPreallocateForRangeCreate(x)+39j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_VmPreallocateForRangeCreate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmSecureBackingMemory(x, x)
_VmSecureBackingMemory@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, 0FFFh
		test	[ebp+arg_0], ecx
		jnz	short loc_9EB3F2
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_9EB3F2
		test	eax, ecx
		jnz	short loc_9EB3F2
		push	0Eh
		push	1
		push	eax
		push	[ebp+arg_0]
		call	MmSecureVirtualMemoryEx
		jmp	short loc_9EB3F4
; 

loc_9EB3F2:				; CODE XREF: VmSecureBackingMemory(x,x)+Dj
					; VmSecureBackingMemory(x,x)+14j ...
		xor	eax, eax

loc_9EB3F4:				; CODE XREF: VmSecureBackingMemory(x,x)+27j
		pop	ebp
		retn	8
_VmSecureBackingMemory@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmSetVpHostProcess(x)
_VmSetVpHostProcess@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_PsSetVmProcessorHostProcess@4 ; PsSetVmProcessorHostProcess(x)
		pop	ebp
		retn	4
_VmSetVpHostProcess@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmSplitMemoryRange(x, x)
_VmSplitMemoryRange@8 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0FFFFFFFFh
		jnz	short loc_9EB41B

loc_9EB414:				; CODE XREF: VmSplitMemoryRange(x,x)+1Bj
		mov	eax, 0C000000Dh
		jmp	short loc_9EB44E
; 

loc_9EB41B:				; CODE XREF: VmSplitMemoryRange(x,x)+9j
		mov	edx, [ebp+arg_0]
		test	edx, 0FFFh
		jnz	short loc_9EB414
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	ecx, [eax+3E4h]
		test	ecx, ecx
		jnz	short loc_9EB443
		mov	eax, 0C0000088h
		jmp	short loc_9EB44E
; 

loc_9EB443:				; CODE XREF: VmSplitMemoryRange(x,x)+31j
		push	[ebp+arg_4]
		shr	edx, 0Ch
		call	_VmpSplitMemoryRange@12	; VmpSplitMemoryRange(x,x,x)

loc_9EB44E:				; CODE XREF: VmSplitMemoryRange(x,x)+10j
					; VmSplitMemoryRange(x,x)+38j
		pop	ebp
		retn	8
_VmSplitMemoryRange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmTerminateMemoryProcess(x,	x)
_VmTerminateMemoryProcess@8 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_PsProcessType
		lea	ecx, [ebp+var_4]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		push	eax
		push	edx
		push	[ebp+arg_0]
		mov	[ebp+var_4], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short locret_9EB48B
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		call	_PsTerminateMinimalProcess@8 ; PsTerminateMinimalProcess(x,x)
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject
		xor	eax, eax

locret_9EB48B:				; CODE XREF: VmTerminateMemoryProcess(x,x)+22j
		leave
		retn	8
_VmTerminateMemoryProcess@8 endp


;  S U B	R O U T	I N E 


; __stdcall VmUnsecureBackingMemory(x)
_VmUnsecureBackingMemory@4 proc	near
		jmp	_MmUnsecureVirtualMemory@4 ; MmUnsecureVirtualMemory(x)
_VmUnsecureBackingMemory@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpAccessFaultBatchResolve(x, x, x,	x, x, x)
_VmpAccessFaultBatchResolve@24 proc near
					; CODE XREF: VmpAccessFaultBatch(x,x,x,x,x,x,x,x)+39p

var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_A8], 0
		and	[ebp+var_A4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		test	eax, eax
		jz	short loc_9EB4D6
		mov	ecx, [eax+8]
		mov	eax, [eax]
		mov	[ebp+var_98], ecx
		mov	[ebp+var_9C], eax
		jmp	short loc_9EB4EC
; 

loc_9EB4D6:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+2Dj
		lea	eax, [ebp+var_88]
		mov	[ebp+var_9C], 10h
		mov	[ebp+var_98], eax

loc_9EB4EC:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+40j
		mov	ebx, [ebp+arg_4]
		mov	esi, ebx
		and	esi, 1
		mov	[ebp+var_90], esi
		test	bl, 2
		jz	short loc_9EB508
		or	esi, 2
		mov	[ebp+var_90], esi

loc_9EB508:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+69j
		test	bl, 4
		jz	short loc_9EB516
		or	esi, 1
		mov	[ebp+var_90], esi

loc_9EB516:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+77j
		test	bl, 8
		jz	short loc_9EB524
		or	esi, 8
		mov	[ebp+var_90], esi

loc_9EB524:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+85j
		test	bl, 10h
		jz	short loc_9EB532
		or	esi, 10h
		mov	[ebp+var_90], esi

loc_9EB532:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+93j
		mov	eax, ebx
		and	eax, 20h
		mov	[ebp+var_AC], eax
		jz	short loc_9EB548
		or	esi, 20h
		mov	[ebp+var_90], esi

loc_9EB548:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+A9j
		shl	edx, 5
		xor	ecx, ecx
		add	edx, edi
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_A0], edx
		cmp	edi, edx
		jnb	loc_9EB6D9

loc_9EB563:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+23Fj
		mov	eax, [edi+0Ch]
		and	eax, 0FFFFFh
		mov	[ebp+var_94], eax
		shl	eax, 0Ch
		mov	[ebp+var_A8], eax
		test	ecx, ecx
		jnz	loc_9EB603
		inc	ecx
		lea	edx, [edi+20h]
		mov	[ebp+var_8C], ecx
		cmp	edx, [ebp+var_A0]
		jnb	short loc_9EB5D5
		mov	eax, [ebp+var_94]
		mov	ebx, [ebp+var_9C]

loc_9EB5A0:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+130j
		cmp	ecx, ebx
		jnb	short loc_9EB5C6
		mov	esi, [edx+0Ch]
		and	esi, 0FFFFFh
		inc	eax
		mov	[ebp+var_94], esi
		cmp	esi, eax
		jnz	short loc_9EB5C6
		add	edx, 20h
		mov	eax, esi
		inc	ecx
		cmp	edx, [ebp+var_A0]
		jb	short loc_9EB5A0

loc_9EB5C6:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+10Ej
					; VmpAccessFaultBatchResolve(x,x,x,x,x,x)+122j
		mov	esi, [ebp+var_90]
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_8C], ecx

loc_9EB5D5:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+FEj
		test	bl, 40h
		jz	short loc_9EB603
		cmp	ecx, 200h
		jnz	short loc_9EB603
		mov	edx, [ebp+arg_C]
		dec	edx
		push	ecx
		call	_MmGetNodeFastLargePageCounts@12 ; MmGetNodeFastLargePageCounts(x,x,x)
		test	eax, eax
		jnz	short loc_9EB5FD
		mov	edx, [ebp+arg_C]
		push	ecx
		push	ecx
		lea	edx, [edx-1]
		call	_MmBuildLargePages@16 ;	MmBuildLargePages(x,x,x,x)

loc_9EB5FD:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+15Aj
		mov	ecx, [ebp+var_8C]

loc_9EB603:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+E8j
					; VmpAccessFaultBatchResolve(x,x,x,x,x,x)+144j	...
		mov	eax, ecx
		shl	eax, 0Ch
		mov	[ebp+var_A4], eax
		mov	eax, ecx
		shl	eax, 3
		push	eax		; size_t
		push	0		; int
		push	[ebp+var_98]	; void *
		mov	[ebp+var_94], eax
		call	_memset
		mov	edx, [ebp+var_98]
		lea	ecx, [ebp+var_A8]
		add	esp, 0Ch
		push	esi
		call	_MmVirtualAccessFault@12 ; MmVirtualAccessFault(x,x,x)
		test	eax, eax
		jns	short loc_9EB671
		cmp	[ebp+var_AC], 0
		jz	loc_9EB6DB
		mov	eax, [edi+10h]
		or	dword ptr [edi+14h], 1000000h
		mov	[edi+10h], eax
		add	edi, 20h
		xor	ecx, ecx
		mov	[ebp+var_9C], 1
		mov	[ebp+var_8C], ecx
		jmp	short loc_9EB6CD
; 

loc_9EB671:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+1AAj
		mov	ecx, [ebp+var_98]
		mov	edx, ecx
		mov	eax, [ebp+var_94]
		add	eax, ecx
		mov	[ebp+var_94], eax
		cmp	ecx, eax
		jnb	short loc_9EB6C7
		mov	esi, [ebp+var_8C]

loc_9EB691:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+225j
		mov	ecx, [edx+4]
		xor	eax, eax
		and	ecx, 100000h
		or	eax, ecx
		jz	short loc_9EB6BB
		push	[ebp+arg_8]
		push	ebx
		push	ecx
		mov	ecx, edi
		call	_VmpFillValidFaultInfo@20 ; VmpFillValidFaultInfo(x,x,x,x,x)
		add	edx, 8
		add	edi, 20h
		dec	esi
		cmp	edx, [ebp+var_94]
		jb	short loc_9EB691

loc_9EB6BB:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+20Aj
		mov	[ebp+var_8C], esi
		mov	esi, [ebp+var_90]

loc_9EB6C7:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+1F5j
		mov	ecx, [ebp+var_8C]

loc_9EB6CD:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+1DBj
		cmp	edi, [ebp+var_A0]
		jb	loc_9EB563

loc_9EB6D9:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+C9j
		xor	eax, eax

loc_9EB6DB:				; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+1B3j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_VmpAccessFaultBatchResolve@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpAllocateMemoryRanges(x, x)
_VmpAllocateMemoryRanges@8 proc	near	; CODE XREF: VmpSplitMemoryRange(x,x,x)+ADp
					; VmCreateMemoryRange(x,x,x,x,x,x)+C5p	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	72566D56h
		push	1Ch
		push	200h
		xor	ebx, ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9EB7B6
		xor	edx, edx
		mov	[esi], edx
		mov	[esi+4], edx
		mov	[esi+0Ch], edx
		mov	[esi+10h], edx
		mov	[esi+18h], edx
		or	dword ptr [esi+8], 0FFFFFFFFh
		push	edi
		lea	edi, [esi+14h]
		mov	[ebp+var_4], edx
		mov	[edi+4], edi
		mov	[edi], edi
		mov	[ebp+var_8], edx
		cmp	[ebp+arg_4], edx
		jb	short loc_9EB7A6
		mov	eax, [ebp+arg_0]
		ja	short loc_9EB743
		cmp	eax, edx
		jbe	short loc_9EB7A6

loc_9EB743:				; CODE XREF: VmpAllocateMemoryRanges(x,x)+51j
					; VmpAllocateMemoryRanges(x,x)+B3j ...
		push	72476D56h
		push	28h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_9EB7AA
		xor	edx, edx
		mov	[eax], edx
		mov	[eax+4], edx
		mov	[eax+0Ch], edx
		mov	[eax+10h], edx
		mov	[eax+18h], edx
		mov	[eax+1Ch], edx
		mov	[eax+20h], edx
		mov	[eax+24h], edx
		or	dword ptr [eax+14h], 0FFFFFFFFh
		mov	[eax+8], esi
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_9EB7BE
		mov	[eax+4], ecx
		mov	[eax], edi
		mov	[ecx], eax
		mov	ecx, [ebp+var_8]
		mov	[edi+4], eax
		mov	eax, [ebp+var_4]
		add	eax, 1
		mov	[ebp+var_4], eax
		adc	ecx, edx
		mov	[ebp+var_8], ecx
		cmp	ecx, [ebp+arg_4]
		ja	short loc_9EB7A6
		jb	short loc_9EB743
		cmp	eax, [ebp+arg_0]
		jb	short loc_9EB743

loc_9EB7A6:				; CODE XREF: VmpAllocateMemoryRanges(x,x)+4Cj
					; VmpAllocateMemoryRanges(x,x)+55j ...
		mov	ebx, esi
		mov	esi, edx

loc_9EB7AA:				; CODE XREF: VmpAllocateMemoryRanges(x,x)+6Aj
		pop	edi
		test	esi, esi
		jz	short loc_9EB7B6
		mov	ecx, esi
		call	_VmpFreeMemoryRanges@4 ; VmpFreeMemoryRanges(x)

loc_9EB7B6:				; CODE XREF: VmpAllocateMemoryRanges(x,x)+20j
					; VmpAllocateMemoryRanges(x,x)+C1j
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
; 

loc_9EB7BE:				; CODE XREF: VmpAllocateMemoryRanges(x,x)+91j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_VmpAllocateMemoryRanges@8 endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall VmpDecodePreallocationRangeHandle(x, x)
_VmpDecodePreallocationRangeHandle@8 proc near
					; CODE XREF: VmCreateMemoryRange(x,x,x,x,x,x)+83p
					; VmFreePreallocationForRangeCreate(x)+22p
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+28h], eax
		dec	eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_9EB7D3
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9EB7D3:				; CODE XREF: VmpDecodePreallocationRangeHandle(x,x)+Cj
		xor	ecx, edx
		cmp	dword ptr [ecx+8], 0FFFFFFFFh
		jz	short loc_9EB7DD
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9EB7DD:				; CODE XREF: VmpDecodePreallocationRangeHandle(x,x)+16j
		cmp	dword ptr [ecx+0Ch], 0
		jz	short loc_9EB7E5
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9EB7E5:				; CODE XREF: VmpDecodePreallocationRangeHandle(x,x)+1Ej
		cmp	dword ptr [ecx+10h], 0
		jz	short loc_9EB7ED
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9EB7ED:				; CODE XREF: VmpDecodePreallocationRangeHandle(x,x)+26j
		lea	eax, [ecx+14h]
		mov	edx, [eax]
		cmp	edx, eax
		jnz	short loc_9EB7F8
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9EB7F8:				; CODE XREF: VmpDecodePreallocationRangeHandle(x,x)+31j
		cmp	[edx], eax
		jz	short loc_9EB7FE
		int	2Ch		; Internal routine for MSDOS (IRET)

loc_9EB7FE:				; CODE XREF: VmpDecodePreallocationRangeHandle(x,x)+37j
		mov	eax, ecx
		retn
_VmpDecodePreallocationRangeHandle@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpFillValidFaultInfo(x, x,	x, x, x)
_VmpFillValidFaultInfo@20 proc near	; CODE XREF: VmpAccessFaultBatchResolve(x,x,x,x,x,x)+213p

arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [edx]
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, 200000h
		push	edi
		xor	edi, edi
		test	[ebp+arg_4], 2
		mov	[esi+18h], eax
		jnz	short loc_9EB82E
		mov	ecx, [edx+4]
		mov	eax, edi
		and	ecx, ebx
		or	eax, ecx
		jz	short loc_9EB83B
		test	[ebp+arg_8], 2
		jz	short loc_9EB83B

loc_9EB82E:				; CODE XREF: VmpFillValidFaultInfo(x,x,x,x,x)+1Aj
		mov	eax, [esi+10h]
		or	dword ptr [esi+14h], 100000h
		mov	[esi+10h], eax

loc_9EB83B:				; CODE XREF: VmpFillValidFaultInfo(x,x,x,x,x)+25j
					; VmpFillValidFaultInfo(x,x,x,x,x)+2Bj
		test	[ebp+arg_4], 4
		jz	short loc_9EB84A
		mov	eax, [esi+10h]
		or	[esi+14h], ebx
		mov	[esi+10h], eax

loc_9EB84A:				; CODE XREF: VmpFillValidFaultInfo(x,x,x,x,x)+3Ej
		mov	eax, [edx+4]
		and	eax, 800000h
		or	edi, eax
		jz	short loc_9EB863
		mov	eax, [esi+10h]
		or	dword ptr [esi+14h], 400000h
		mov	[esi+10h], eax

loc_9EB863:				; CODE XREF: VmpFillValidFaultInfo(x,x,x,x,x)+53j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_VmpFillValidFaultInfo@20 endp


;  S U B	R O U T	I N E 


; __stdcall VmpFreeMemoryRanges(x)
_VmpFreeMemoryRanges@4 proc near	; CODE XREF: VmpInsertMemoryRange(x,x,x)+2A5p
					; VmpMergeMemoryRanges(x,x,x)+1B5p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		lea	esi, [edi+14h]

loc_9EB873:				; CODE XREF: VmpFreeMemoryRanges(x)+28j
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_9EB899
		cmp	[eax+4], esi
		jnz	short loc_9EB894
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_9EB894
		push	0
		mov	[esi], ecx
		push	eax
		mov	[ecx+4], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9EB873
; 

loc_9EB894:				; CODE XREF: VmpFreeMemoryRanges(x)+12j
					; VmpFreeMemoryRanges(x)+19j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9EB899:				; CODE XREF: VmpFreeMemoryRanges(x)+Dj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_VmpFreeMemoryRanges@4 endp


;  S U B	R O U T	I N E 


; __stdcall VmpMapCreateMemoryProcessFlags(x, x)
_VmpMapCreateMemoryProcessFlags@8 proc near
					; CODE XREF: VmCreateMemoryProcess(x,x,x,x,x,x)+24p
		test	ecx, 0FFFFFFC0h
		jz	short loc_9EB8B2
		mov	eax, 0C000000Dh
		retn
; 

loc_9EB8B2:				; CODE XREF: VmpMapCreateMemoryProcessFlags(x,x)+6j
		mov	eax, ecx
		and	eax, 1
		shl	eax, 0Dh
		test	cl, 2
		jz	short loc_9EB8C4
		or	eax, 4000h

loc_9EB8C4:				; CODE XREF: VmpMapCreateMemoryProcessFlags(x,x)+19j
		test	cl, 4
		jz	short loc_9EB8CE
		or	eax, 20000h

loc_9EB8CE:				; CODE XREF: VmpMapCreateMemoryProcessFlags(x,x)+23j
		test	cl, 10h
		jz	short loc_9EB8D8
		or	eax, 400h

loc_9EB8D8:				; CODE XREF: VmpMapCreateMemoryProcessFlags(x,x)+2Dj
		mov	[edx], eax
		xor	eax, eax
		retn
_VmpMapCreateMemoryProcessFlags@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpPauseResumeNotify(x, x)
_VmpPauseResumeNotify@8	proc near	; CODE XREF: VmPauseResumeNotify(x)+25p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	4
		pop	eax
		mov	[esp+28h+var_14], eax
		mov	edi, edx
		mov	eax, large fs:124h
		mov	esi, ecx
		mov	[esp+28h+var_10], edi
		mov	[esp+28h+var_18], esi
		dec	word ptr [eax+13Ch]
		nop
		lea	ebx, [esi+30h]
		xor	edx, edx
		mov	ecx, ebx
		mov	[esp+28h+var_1C], ebx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [esi+34h]
		or	eax, 0FFFFFFFFh
		test	dl, 1
		jz	short loc_9EB931
		mov	edi, 0C0000476h
		jmp	loc_9EBACE
; 

loc_9EB931:				; CODE XREF: VmpPauseResumeNotify(x,x)+48j
		mov	esi, edx
		shr	esi, 1
		and	esi, 3
		test	edi, edi
		jnz	short loc_9EB94A
		test	esi, esi
		jnz	short loc_9EB958
		mov	edi, 40190034h
		jmp	loc_9EBACE
; 

loc_9EB94A:				; CODE XREF: VmpPauseResumeNotify(x,x)+5Dj
		cmp	esi, edi
		jl	short loc_9EB958
		mov	edi, 0C000000Dh
		jmp	loc_9EBACE
; 

loc_9EB958:				; CODE XREF: VmpPauseResumeNotify(x,x)+61j
					; VmpPauseResumeNotify(x,x)+6Fj
		mov	ecx, [esp+28h+var_18]
		or	edx, 1
		mov	[ecx+34h], edx
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9EB973
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9EB973:				; CODE XREF: VmpPauseResumeNotify(x,x)+8Dj
		mov	ecx, ebx
		call	KeAbPostRelease
		xor	ecx, ecx
		mov	[esp+28h+var_C], 3
		mov	[esp+28h+var_8], ecx
		mov	[esp+28h+var_4], ecx
		test	edi, edi
		jnz	short loc_9EB9B8
		push	ecx
		mov	[esp+2Ch+var_8], ecx
		lea	edx, [esp+2Ch+var_C]
		or	esi, 0FFFFFFFFh
		mov	[esp+2Ch+var_4], 1
		push	0Ch
		mov	ecx, esi
		call	MmProcessWorkingSetControl
		xor	ecx, ecx
		mov	[esp+28h+var_14], ecx
		jmp	loc_9EBA98
; 

loc_9EB9B8:				; CODE XREF: VmpPauseResumeNotify(x,x)+B1j
		lea	ebx, [esi+1]
		cmp	ebx, edi
		jg	loc_9EBA90
		or	esi, 0FFFFFFFFh

loc_9EB9C6:				; CODE XREF: VmpPauseResumeNotify(x,x)+1ADj
		cmp	ebx, 1
		jz	short loc_9EBA45
		lea	eax, [ebx-2]
		cmp	eax, 1
		ja	loc_9EBA87
		call	_MiGetControlAreaPartition@4 ; MiGetControlAreaPartition(x)
		cmp	[eax+2C0h], ecx
		jnz	short loc_9EB9ED
		cmp	ebx, 3
		jnz	loc_9EBA87

loc_9EB9ED:				; CODE XREF: VmpPauseResumeNotify(x,x)+105j
		mov	eax, [esp+28h+var_18]
		mov	[esp+28h+var_8], 1
		mov	[esp+28h+var_4], 3
		mov	edi, [eax+2Ch]
		and	edi, 1
		jz	short loc_9EBA11
		mov	[esp+28h+var_4], 23h

loc_9EBA11:				; CODE XREF: VmpPauseResumeNotify(x,x)+12Aj
		mov	eax, large fs:124h
		shl	edi, 5
		add	edi, 3
		mov	ecx, [eax+80h]
		call	_SmStoreExistsForProcess@4 ; SmStoreExistsForProcess(x)
		test	eax, eax
		jz	short loc_9EBA41
		mov	eax, edi
		or	eax, 8
		mov	[esp+28h+var_4], eax
		cmp	ebx, 3
		jnz	short loc_9EBA41
		or	edi, 18h
		mov	[esp+28h+var_4], edi

loc_9EBA41:				; CODE XREF: VmpPauseResumeNotify(x,x)+14Dj
					; VmpPauseResumeNotify(x,x)+15Bj
		push	0
		jmp	short loc_9EBA6E
; 

loc_9EBA45:				; CODE XREF: VmpPauseResumeNotify(x,x)+ECj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+284h]
		shl	eax, 0Ch
		shr	eax, 14h
		cmp	eax, ds:_VmPauseOutswapSizeCapMB
		ja	short loc_9EBA87
		mov	[esp+28h+var_8], ecx
		mov	[esp+28h+var_4], ecx
		push	ecx

loc_9EBA6E:				; CODE XREF: VmpPauseResumeNotify(x,x)+166j
		push	0Ch
		lea	edx, [esp+30h+var_C]
		mov	ecx, esi
		call	MmProcessWorkingSetControl
		mov	edi, eax
		test	edi, edi
		js	short loc_9EBA9C
		mov	edi, [esp+28h+var_10]
		xor	ecx, ecx

loc_9EBA87:				; CODE XREF: VmpPauseResumeNotify(x,x)+F4j
					; VmpPauseResumeNotify(x,x)+10Aj ...
		inc	ebx
		cmp	ebx, edi
		jle	loc_9EB9C6

loc_9EBA90:				; CODE XREF: VmpPauseResumeNotify(x,x)+E0j
		mov	ebx, [esp+28h+var_1C]
		mov	[esp+28h+var_14], edi

loc_9EBA98:				; CODE XREF: VmpPauseResumeNotify(x,x)+D6j
		mov	edi, ecx
		jmp	short loc_9EBAA0
; 

loc_9EBA9C:				; CODE XREF: VmpPauseResumeNotify(x,x)+1A2j
		mov	ebx, [esp+28h+var_1C]

loc_9EBAA0:				; CODE XREF: VmpPauseResumeNotify(x,x)+1BDj
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [esp+28h+var_18]
		mov	eax, [esp+28h+var_14]
		mov	ecx, [edx+34h]
		and	ecx, 0FFFFFFFEh
		mov	[edx+34h], ecx
		cmp	eax, 4
		jz	short loc_9EBACB
		add	eax, eax
		xor	eax, ecx
		and	eax, 6
		xor	eax, ecx
		mov	[edx+34h], eax

loc_9EBACB:				; CODE XREF: VmpPauseResumeNotify(x,x)+1E0j
		or	eax, 0FFFFFFFFh

loc_9EBACE:				; CODE XREF: VmpPauseResumeNotify(x,x)+4Fj
					; VmpPauseResumeNotify(x,x)+68j ...
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9EBADF
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9EBADF:				; CODE XREF: VmpPauseResumeNotify(x,x)+1F9j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_VmpPauseResumeNotify@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpPrefetchForVirtualFault(x, x, x)
_VmpPrefetchForVirtualFault@12 proc near ; CODE	XREF: VmAccessFault(x,x,x,x,x,x,x)+6Dp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	76506D56h
		lea	eax, ds:14h[ebx*8]
		mov	[ebp+var_4], edx
		push	eax
		push	200h
		mov	edi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9EBB31
		mov	edi, 0C000009Ah
		jmp	short loc_9EBB88
; 

loc_9EBB31:				; CODE XREF: VmpPrefetchForVirtualFault(x,x,x)+2Dj
		and	dword ptr [esi+4], 0
		lea	ecx, [esi+17h]
		and	dword ptr [esi+4], 0FFFFFFF9h
		and	ecx, 0FFFFFFFCh
		or	dword ptr [esi+8], 0FFFFFFFFh
		mov	[esi+0Ch], ebx
		shl	ebx, 4
		add	ebx, edi
		mov	dword ptr [esi], 1
		mov	[esi+10h], ecx
		cmp	edi, ebx
		jnb	short loc_9EBB78
		mov	edx, [ebp+var_4]

loc_9EBB5B:				; CODE XREF: VmpPrefetchForVirtualFault(x,x,x)+7Bj
		mov	eax, [edx]
		lea	edx, [edx+4]
		shl	eax, 0Ch
		mov	[ecx], eax
		lea	ecx, [ecx+8]
		mov	eax, [edi+8]
		add	edi, 10h
		shl	eax, 0Ch
		mov	[ecx-4], eax
		cmp	edi, ebx
		jb	short loc_9EBB5B

loc_9EBB78:				; CODE XREF: VmpPrefetchForVirtualFault(x,x,x)+5Bj
		push	esi
		call	MmPrefetchVirtualAddresses
		mov	edi, eax
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9EBB88:				; CODE XREF: VmpPrefetchForVirtualFault(x,x,x)+34j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VmpPrefetchForVirtualFault@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpPrefetchWorker(x)
_VmpPrefetchWorker@4 proc near		; DATA XREF: VmPrefetchVirtualAddresses(x,x,x)+79o

var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+20h+var_4], eax
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+28h+var_1C]
		xor	edx, edx
		rep stosd
		mov	ecx, [esi+10h]
		lea	eax, [esp+28h+var_1C]
		push	eax
		call	KiStackAttachProcess
		mov	ecx, [esi+10h]
		push	dword ptr [esi+18h]
		mov	edx, [esi+14h]
		mov	ecx, [ecx+3E4h]
		call	_VmpPrefetchVirtualAddresses@12	; VmpPrefetchVirtualAddresses(x,x,x)
		xor	edx, edx
		lea	ecx, [esp+28h+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [esi+10h]
		call	ObfDereferenceObject
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [esp+28h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_VmpPrefetchWorker@4 endp


;  S U B	R O U T	I N E 


; __stdcall VmpProcessContextCleanup(x)
_VmpProcessContextCleanup@4 proc near	; CODE XREF: PspProcessDelete:loc_8D1112p
					; VmCreateMemoryRange(x,x,x,x,x,x)+6Bp
		mov	eax, [ecx+28h]
		test	eax, eax
		jz	short locret_9EBC11
		int	2Ch		; Internal routine for MSDOS (IRET)

locret_9EBC11:				; CODE XREF: VmpProcessContextCleanup(x)+5j
		retn
_VmpProcessContextCleanup@4 endp


;  S U B	R O U T	I N E 


; int __fastcall VmpProcessContextInitialize(void *)
_VmpProcessContextInitialize@8 proc near ; CODE	XREF: VmCreateMemoryRange(x,x,x,x,x,x)+58p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	38h		; size_t
		xor	ebx, ebx
		mov	edi, ecx
		push	ebx		; int
		push	edi		; void *
		mov	esi, edx
		call	_memset
		mov	[edi+24h], esi
		add	esp, 0Ch
		mov	[edi+8], ebx
		mov	[edi+0Ch], ebx
		mov	[edi+10h], ebx
		mov	[edi+18h], ebx
		mov	[edi+1Ch], ebx
		pop	edi
		pop	esi
		pop	ebx
		retn
_VmpProcessContextInitialize@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmpValidateMemoryRangeParameters(x,	x, x, x, x)
_VmpValidateMemoryRangeParameters@20 proc near
					; CODE XREF: VmCreateMemoryRange(x,x,x,x,x,x)+9Ap
					; VmDeleteMemoryRange(x,x,x,x,x)+18p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 0FFFFFFFFh
		jnz	short loc_9EBC4F
		push	0Ah

loc_9EBC4C:				; CODE XREF: VmpValidateMemoryRangeParameters(x,x,x,x,x)+16j
					; VmpValidateMemoryRangeParameters(x,x,x,x,x)+22j
		pop	eax
		jmp	short loc_9EBCB1
; 

loc_9EBC4F:				; CODE XREF: VmpValidateMemoryRangeParameters(x,x,x,x,x)+9j
		test	edx, edx
		jnz	short loc_9EBC57
		push	14h
		jmp	short loc_9EBC4C
; 

loc_9EBC57:				; CODE XREF: VmpValidateMemoryRangeParameters(x,x,x,x,x)+12j
		cmp	edx, 0FFFFFh
		jbe	short loc_9EBC63
		push	1Eh
		jmp	short loc_9EBC4C
; 

loc_9EBC63:				; CODE XREF: VmpValidateMemoryRangeParameters(x,x,x,x,x)+1Ej
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, 0FFFh
		and	eax, esi
		or	eax, 0
		jnz	short loc_9EBCAD
		test	ecx, esi
		jnz	short loc_9EBCAD
		shl	edx, 0Ch
		lea	esi, [edx+ecx]
		cmp	esi, ecx
		ja	short loc_9EBC85
		push	32h
		jmp	short loc_9EBCAF
; 

loc_9EBC85:				; CODE XREF: VmpValidateMemoryRangeParameters(x,x,x,x,x)+40j
		xor	eax, eax
		add	edx, [ebp+arg_0]
		adc	eax, [ebp+arg_4]
		cmp	eax, [ebp+arg_4]
		ja	short loc_9EBC9D
		jb	short loc_9EBC99
		cmp	edx, [ebp+arg_0]
		ja	short loc_9EBC9D

loc_9EBC99:				; CODE XREF: VmpValidateMemoryRangeParameters(x,x,x,x,x)+53j
		push	3Ch
		jmp	short loc_9EBCAF
; 

loc_9EBC9D:				; CODE XREF: VmpValidateMemoryRangeParameters(x,x,x,x,x)+51j
					; VmpValidateMemoryRangeParameters(x,x,x,x,x)+58j
		lea	eax, [esi-1]
		cmp	ds:_MmHighestUserAddress, eax
		sbb	eax, eax
		and	eax, 46h
		jmp	short loc_9EBCB0
; 

loc_9EBCAD:				; CODE XREF: VmpValidateMemoryRangeParameters(x,x,x,x,x)+32j
					; VmpValidateMemoryRangeParameters(x,x,x,x,x)+36j
		push	28h

loc_9EBCAF:				; CODE XREF: VmpValidateMemoryRangeParameters(x,x,x,x,x)+44j
					; VmpValidateMemoryRangeParameters(x,x,x,x,x)+5Cj
		pop	eax

loc_9EBCB0:				; CODE XREF: VmpValidateMemoryRangeParameters(x,x,x,x,x)+6Cj
		pop	esi

loc_9EBCB1:				; CODE XREF: VmpValidateMemoryRangeParameters(x,x,x,x,x)+Ej
		pop	ebp
		retn	0Ch
_VmpValidateMemoryRangeParameters@20 endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemUpdate()
_WdipSemUpdate@0 proc near		; CODE XREF: WdiUpdateSem()+Cp
		mov	edi, edi
		push	ecx
		cmp	_WdipSemInitialized, 0
		push	esi
		push	edi
		jnz	short loc_9EBCC8
		call	_WdipSemInitializeGlobalState@0	; WdipSemInitializeGlobalState()

loc_9EBCC8:				; CODE XREF: WdipSemUpdate()+Cj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _WdipSemPushLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		cmp	_WdipSemEnabled, 0
		jz	short loc_9EBCF2
		call	_WdipSemShutdown@0 ; WdipSemShutdown()

loc_9EBCF2:				; CODE XREF: WdipSemUpdate()+36j
		call	_WdipSemCleanStart@0 ; WdipSemCleanStart()
		mov	esi, eax
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		retn
_WdipSemUpdate@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PerfDiagpSecondaryLogonProxyCallback(x, x, x, x, x,	x, x, x, x)
_PerfDiagpSecondaryLogonProxyCallback@36 proc near ; DATA XREF:	PerfDiagInitialize()+57o

arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		jz	short loc_9EBD29
		cmp	[ebp+arg_8], 55h
		jnz	short loc_9EBD31
		push	5
		jmp	short loc_9EBD2B
; 

loc_9EBD29:				; CODE XREF: PerfDiagpSecondaryLogonProxyCallback(x,x,x,x,x,x,x,x,x)+9j
		push	6

loc_9EBD2B:				; CODE XREF: PerfDiagpSecondaryLogonProxyCallback(x,x,x,x,x,x,x,x,x)+13j
		pop	ecx
		call	_PerfDiagpRequestState@4 ; PerfDiagpRequestState(x)

loc_9EBD31:				; CODE XREF: PerfDiagpSecondaryLogonProxyCallback(x,x,x,x,x,x,x,x,x)+Fj
		pop	ebp
		retn	24h
_PerfDiagpSecondaryLogonProxyCallback@36 endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemRollBackProviderTable(x)
_WdipSemRollBackProviderTable@4	proc near ; CODE XREF: WdipSemLoadScenarioTable+94D00p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edi
		cmp	edi, dword_6BDB80
		jnb	short loc_9EBD6B

loc_9EBD45:				; CODE XREF: WdipSemRollBackProviderTable(x)+34j
		mov	edx, _WdipSemProviderTable[esi*4]
		test	edx, edx
		jz	short loc_9EBD5A
		mov	ecx, offset unk_6BDBE8
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_9EBD5A:				; CODE XREF: WdipSemRollBackProviderTable(x)+19j
		and	_WdipSemProviderTable[esi*4], 0
		inc	esi
		cmp	esi, dword_6BDB80
		jb	short loc_9EBD45

loc_9EBD6B:				; CODE XREF: WdipSemRollBackProviderTable(x)+Ej
		mov	dword_6BDB80, edi
		pop	edi
		pop	esi
		retn
_WdipSemRollBackProviderTable@4	endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemShutdown()
_WdipSemShutdown@0 proc	near		; CODE XREF: WdipSemCleanStart():loc_898B1Fp
					; WdipSemDisableScenario+11CF67p ...
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		mov	_WdipSemTimeoutValue, 258h
		mov	_WdipSemEnabled, bl
		mov	_WdipSemTimeoutEnabled,	bl
		mov	_WdipSemDisabledScenarioTable, ebx
		call	_WdipSemDisableAllProviders@0 ;	WdipSemDisableAllProviders()
		push	104h		; size_t
		push	ebx		; int
		push	offset _WdipSemScenarioTable ; void *
		mov	_WdipDiagLoggerId, ebx
		mov	_WdipContextLoggerId, ebx
		call	_memset
		add	esp, 0Ch
		push	1004h		; size_t
		push	ebx		; int
		push	offset _WdipSemProviderTable ; void *
		call	_memset
		add	esp, 0Ch
		mov	dword_6BDB84, ebx
		mov	eax, offset _WdipSemEnabledInstanceTable
		mov	dword_6BDB98, ebx
		mov	dword_6BDB94, eax
		mov	_WdipSemEnabledInstanceTable, eax
		mov	dword_6BDB9C, ebx
		call	_WdipSemClearFrequentScenarioTable@0 ; WdipSemClearFrequentScenarioTable()
		pop	ebx
		jmp	_WdipSemFreePool@0 ; WdipSemFreePool()
_WdipSemShutdown@0 endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemFreeInflightScenarioTable(x)
_WdipSemFreeInflightScenarioTable@4 proc near
					; CODE XREF: WdipSemLogInflightLimitExceededInformation(x,x,x)+EEp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_9EBE37
		push	edi
		xor	edi, edi
		cmp	[esi+1F4h], edi
		jbe	short loc_9EBE26

loc_9EBE0C:				; CODE XREF: WdipSemFreeInflightScenarioTable(x)+2Cj
		mov	edx, [esi+edi*4]
		test	edx, edx
		jz	short loc_9EBE1D
		mov	ecx, offset unk_6BDC00
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_9EBE1D:				; CODE XREF: WdipSemFreeInflightScenarioTable(x)+19j
		inc	edi
		cmp	edi, [esi+1F4h]
		jb	short loc_9EBE0C

loc_9EBE26:				; CODE XREF: WdipSemFreeInflightScenarioTable(x)+12j
		push	1F8h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		pop	edi

loc_9EBE37:				; CODE XREF: WdipSemFreeInflightScenarioTable(x)+7j
		pop	esi
		retn
_WdipSemFreeInflightScenarioTable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemLogInflightLimitExceededInformation(x, x, x)
_WdipSemLogInflightLimitExceededInformation@12 proc near
					; CODE XREF: WdipSemReserveInstanceTableEntry+9E94Cp

var_204		= dword	ptr -204h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 208h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_C], edx
		push	1F8h		; size_t
		lea	eax, [ebp+var_204]
		mov	[ebp+var_8], esi
		push	esi		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		test	ebx, ebx
		jnz	short loc_9EBE74

loc_9EBE6A:				; CODE XREF: WdipSemLogInflightLimitExceededInformation(x,x,x)+3Ej
		mov	esi, 0C000000Dh
		jmp	loc_9EBF21
; 

loc_9EBE74:				; CODE XREF: WdipSemLogInflightLimitExceededInformation(x,x,x)+2Fj
		cmp	[ebp+arg_0], esi
		jz	short loc_9EBE6A
		push	offset _WDI_SEM_EVENT_SCENARIO_INFLIGHT_MAX
		push	dword_6BCB74
		push	_WdipSemRegHandle
		call	EtwEventEnabled
		test	al, al
		jnz	short loc_9EBEA0
		call	_WdipSemSqmEnabled@0 ; WdipSemSqmEnabled()
		test	al, al
		jz	loc_9EBF21

loc_9EBEA0:				; CODE XREF: WdipSemLogInflightLimitExceededInformation(x,x,x)+58j
		mov	edi, _WdipSemEnabledInstanceTable
		cmp	edi, offset _WdipSemEnabledInstanceTable
		jz	short loc_9EBF1C

loc_9EBEAE:				; CODE XREF: WdipSemLogInflightLimitExceededInformation(x,x,x)+9Aj
		mov	ecx, [edi+18h]
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_204]
		push	eax
		mov	dx, [ecx+10h]
		call	_WdipSemUpdateInflightScenarioTable@16 ; WdipSemUpdateInflightScenarioTable(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9EBF21
		mov	edi, [edi]
		cmp	edi, offset _WdipSemEnabledInstanceTable
		jnz	short loc_9EBEAE
		cmp	[ebp+var_8], 0
		jz	short loc_9EBF1C
		push	offset _WDI_SEM_EVENT_SCENARIO_INFLIGHT_MAX
		push	dword_6BCB74
		push	_WdipSemRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9EBF09
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_204]
		push	eax
		push	[ebp+arg_0]
		mov	ecx, ebx
		call	_WdipSemWriteInflightLimitExceededEvent@16 ; WdipSemWriteInflightLimitExceededEvent(x,x,x,x)

loc_9EBF09:				; CODE XREF: WdipSemLogInflightLimitExceededInformation(x,x,x)+BAj
		call	_WdipSemSqmEnabled@0 ; WdipSemSqmEnabled()
		test	al, al
		jz	short loc_9EBF21
		mov	ecx, [ebp+var_8]
		call	_WdipSemUpdateFrequentScenarioTable@4 ;	WdipSemUpdateFrequentScenarioTable(x)
		jmp	short loc_9EBF21
; 

loc_9EBF1C:				; CODE XREF: WdipSemLogInflightLimitExceededInformation(x,x,x)+73j
					; WdipSemLogInflightLimitExceededInformation(x,x,x)+A0j
		mov	esi, 0C0000001h

loc_9EBF21:				; CODE XREF: WdipSemLogInflightLimitExceededInformation(x,x,x)+36j
					; WdipSemLogInflightLimitExceededInformation(x,x,x)+61j ...
		lea	ecx, [ebp+var_204]
		call	_WdipSemFreeInflightScenarioTable@4 ; WdipSemFreeInflightScenarioTable(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_WdipSemLogInflightLimitExceededInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall WdipSemQueryInflightScenarioTable(void	*,int,int)
_WdipSemQueryInflightScenarioTable@12 proc near
					; CODE XREF: WdipSemUpdateInflightScenarioTable(x,x,x,x)+38p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= word ptr -2
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	[ebp+var_2], dx
		mov	edx, ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], edx
		test	edx, edx
		jz	short loc_9EBF94
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_9EBF94
		mov	ecx, [eax+1F4h]
		mov	[ebp+var_8], ecx
		push	edi
		mov	edi, esi
		test	ecx, ecx
		jz	short loc_9EBF93
		push	ebx

loc_9EBF65:				; CODE XREF: WdipSemQueryInflightScenarioTable(x,x,x)+59j
		mov	ebx, [eax+edi*4]
		push	10h		; size_t
		push	ebx		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9EBF82
		mov	ax, [ebp+var_2]
		cmp	ax, [ebx+10h]
		jz	short loc_9EBF90

loc_9EBF82:				; CODE XREF: WdipSemQueryInflightScenarioTable(x,x,x)+41j
		inc	edi
		cmp	edi, [ebp+var_8]
		jnb	short loc_9EBF92
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+var_C]
		jmp	short loc_9EBF65
; 

loc_9EBF90:				; CODE XREF: WdipSemQueryInflightScenarioTable(x,x,x)+4Bj
		mov	esi, ebx

loc_9EBF92:				; CODE XREF: WdipSemQueryInflightScenarioTable(x,x,x)+51j
		pop	ebx

loc_9EBF93:				; CODE XREF: WdipSemQueryInflightScenarioTable(x,x,x)+2Dj
		pop	edi

loc_9EBF94:				; CODE XREF: WdipSemQueryInflightScenarioTable(x,x,x)+16j
					; WdipSemQueryInflightScenarioTable(x,x,x)+1Dj
		mov	eax, esi
		pop	esi
		leave
		retn	4
_WdipSemQueryInflightScenarioTable@12 endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemUpdateFrequentScenarioTable(x)
_WdipSemUpdateFrequentScenarioTable@4 proc near
					; CODE XREF: WdipSemLogInflightLimitExceededInformation(x,x,x)+DCp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset dword_6BCA44
		call	ExAcquirePushLockExclusiveEx
		test	esi, esi
		jnz	short loc_9EBFC6
		mov	ebx, 0C000000Dh
		jmp	short loc_9EC016
; 

loc_9EBFC6:				; CODE XREF: WdipSemUpdateFrequentScenarioTable(x)+22j
		cmp	dword_6BCA40, 80h
		jb	short loc_9EBFD9
		mov	ebx, 0C0000001h
		jmp	short loc_9EC016
; 

loc_9EBFD9:				; CODE XREF: WdipSemUpdateFrequentScenarioTable(x)+35j
		mov	ecx, offset unk_6BDC00
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jnz	short loc_9EBFFA
		push	18h
		pop	ecx
		call	_WdipSemAllocatePool@4 ; WdipSemAllocatePool(x)
		test	eax, eax
		jnz	short loc_9EBFFA
		mov	ebx, 0C000009Ah
		jmp	short loc_9EC016
; 

loc_9EBFFA:				; CODE XREF: WdipSemUpdateFrequentScenarioTable(x)+4Aj
					; WdipSemUpdateFrequentScenarioTable(x)+56j
		push	edi
		push	6
		pop	ecx
		mov	edi, eax
		rep movsd
		mov	edx, dword_6BCA40
		pop	edi
		mov	_WdipSemFrequentScenarioTable[edx*4], eax
		inc	dword_6BCA40

loc_9EC016:				; CODE XREF: WdipSemUpdateFrequentScenarioTable(x)+29j
					; WdipSemUpdateFrequentScenarioTable(x)+3Cj ...
		xor	edx, edx
		mov	ecx, offset dword_6BCA44
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
_WdipSemUpdateFrequentScenarioTable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemUpdateInflightScenarioTable(x, x, x,	x)
_WdipSemUpdateInflightScenarioTable@16 proc near
					; CODE XREF: WdipSemLogInflightLimitExceededInformation(x,x,x)+87p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		mov	[ebp+var_8], edx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_9EC053
		mov	ebx, 0C000000Dh
		jmp	loc_9EC0F8
; 

loc_9EC053:				; CODE XREF: WdipSemUpdateInflightScenarioTable(x,x,x,x)+14j
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_9EC060
		cmp	[ebp+arg_4], ebx
		jnz	short loc_9EC06A

loc_9EC060:				; CODE XREF: WdipSemUpdateInflightScenarioTable(x,x,x,x)+26j
		mov	ebx, 0C000000Dh
		jmp	loc_9EC0F7
; 

loc_9EC06A:				; CODE XREF: WdipSemUpdateInflightScenarioTable(x,x,x,x)+2Bj
		push	esi		; int
		call	_WdipSemQueryInflightScenarioTable@12 ;	WdipSemQueryInflightScenarioTable(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_9EC07B
		inc	dword ptr [edx+14h]
		jmp	short loc_9EC0E4
; 

loc_9EC07B:				; CODE XREF: WdipSemUpdateInflightScenarioTable(x,x,x,x)+41j
		cmp	dword ptr [esi+1F4h], 7Dh
		jb	short loc_9EC08B
		mov	ebx, 0C0000001h
		jmp	short loc_9EC0F7
; 

loc_9EC08B:				; CODE XREF: WdipSemUpdateInflightScenarioTable(x,x,x,x)+4Fj
		mov	ecx, offset unk_6BDC00
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_9EC0B0
		push	18h
		pop	ecx
		call	_WdipSemAllocatePool@4 ; WdipSemAllocatePool(x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_9EC0B0
		mov	ebx, 0C000009Ah
		jmp	short loc_9EC0F7
; 

loc_9EC0B0:				; CODE XREF: WdipSemUpdateInflightScenarioTable(x,x,x,x)+66j
					; WdipSemUpdateInflightScenarioTable(x,x,x,x)+74j
		mov	esi, [ebp+var_4]
		xor	eax, eax
		push	edi
		push	6
		pop	ecx
		mov	edi, edx
		rep stosd
		mov	ecx, [ebp+arg_0]
		mov	edi, edx
		mov	eax, [ebp+var_8]
		movsd
		movsd
		movsd
		movsd
		mov	[edx+10h], ax
		mov	dword ptr [edx+14h], 1
		mov	eax, [ecx+1F4h]
		pop	edi
		mov	[ecx+eax*4], edx
		inc	dword ptr [ecx+1F4h]

loc_9EC0E4:				; CODE XREF: WdipSemUpdateInflightScenarioTable(x,x,x,x)+46j
		mov	eax, [ebp+arg_4]
		mov	esi, [eax]
		test	esi, esi
		jz	short loc_9EC0F5
		mov	ecx, [edx+14h]
		cmp	ecx, [esi+14h]
		jbe	short loc_9EC0F7

loc_9EC0F5:				; CODE XREF: WdipSemUpdateInflightScenarioTable(x,x,x,x)+B8j
		mov	[eax], edx

loc_9EC0F7:				; CODE XREF: WdipSemUpdateInflightScenarioTable(x,x,x,x)+32j
					; WdipSemUpdateInflightScenarioTable(x,x,x,x)+56j ...
		pop	esi

loc_9EC0F8:				; CODE XREF: WdipSemUpdateInflightScenarioTable(x,x,x,x)+1Bj
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_WdipSemUpdateInflightScenarioTable@16 endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemFreePool()
_WdipSemFreePool@0 proc	near		; CODE XREF: WdipSemShutdown()+7Fj

var_10		= dword	ptr -10h

		mov	eax, _WdipSemPool
		push	esi
		push	edi
		mov	edi, offset _WdipSemPool
		mov	ecx, [eax]
		cmp	[eax+4], edi
		jnz	short loc_9EC15F
		cmp	[ecx+4], eax
		jnz	short loc_9EC15F
		xor	esi, esi
		jmp	short loc_9EC133
; 

loc_9EC11B:				; CODE XREF: WdipSemFreePool()+3Fj
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, _WdipSemPool
		cmp	[eax+4], edi
		jnz	short loc_9EC15F
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_9EC15F

loc_9EC133:				; CODE XREF: WdipSemFreePool()+1Aj
		mov	_WdipSemPool, ecx
		mov	[ecx+4], edi
		cmp	eax, edi
		jnz	short loc_9EC11B
		push	30h		; size_t
		push	esi		; int
		push	offset unk_6BDBD8 ; void *
		mov	dword_6BDBC8, esi
		mov	dword_6BDBCC, esi
		call	_memset
		add	esp, 0Ch
		pop	edi
		pop	esi
		retn
; 

loc_9EC15F:				; CODE XREF: WdipSemFreePool()+11j
					; WdipSemFreePool()+16j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall WdipSemLoadLocalGroupPolicy(x)
_WdipSemLoadLocalGroupPolicy@4:		; CODE XREF: WdipSemLoadGroupPolicy+95256p
		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+14h+var_10], ebp
		mov	ebp, esp
		sub	esp, 0D0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp-0C4h], ecx
		lea	edi, [ebp-0B0h]
		xor	esi, esi
		stosd
		mov	[ebp-0BCh], esi
		mov	[ebp-0B8h], esi
		mov	[ebp-0CCh], esi
		stosd
		mov	[ebp-0C8h], esi
		mov	[ebp-0C0h], esi
		stosd
		stosd
		mov	eax, esi
		mov	[ebp-0B4h], eax
		test	ecx, ecx
		jnz	short loc_9EC1D5
		mov	esi, 0C000000Dh
		jmp	loc_9EC361
; 

loc_9EC1D5:				; CODE XREF: WdipSemFreePool()+CAj
		mov	edi, ecx

loc_9EC1D7:				; CODE XREF: WdipSemFreePool()+1CAj
					; WdipSemFreePool()+236j
		test	eax, eax
		jz	short loc_9EC1E7
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		mov	[ebp-0B4h], esi

loc_9EC1E7:				; CODE XREF: WdipSemFreePool()+DAj
		push	98h		; size_t
		lea	eax, [ebp-0A0h]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp-0BCh]
		push	eax
		push	96h
		lea	eax, [ebp-0A0h]
		push	eax
		push	esi
		push	dword ptr [ebp-0B8h]
		push	edi
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		inc	dword ptr [ebp-0B8h]
		cmp	eax, 8000001Ah
		jz	loc_9EC34D
		test	eax, eax
		js	loc_9EC2C3
		mov	eax, [ebp-94h]
		cmp	eax, 80h
		jnb	loc_9EC348
		shr	eax, 1
		xor	ecx, ecx
		mov	[ebp+eax*2-90h], cx
		lea	eax, [ebp-90h]
		push	eax
		lea	eax, [ebp-0CCh]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp-0B0h]
		push	eax
		lea	eax, [ebp-0CCh]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	short loc_9EC2C3
		lea	eax, [ebp-0B4h]
		mov	edx, edi
		push	eax
		lea	ecx, [ebp-90h]
		call	_WdipSemOpenRegistryKey@12 ; WdipSemOpenRegistryKey(x,x,x)
		test	eax, eax
		js	short loc_9EC2C3
		mov	ecx, [ebp-0B4h]
		lea	eax, [ebp-0BCh]
		push	eax
		lea	eax, [ebp-0C0h]
		mov	edx, offset ??_C@_1DC@HIPLPNKJ@?$AAS?$AAc?$AAe?$AAn?$AAa?$AAr?$AAi?$AAo?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi@NNGAKEGL@
		push	eax
		push	4
		push	4
		call	WdipSemQueryValueFromRegistry
		test	eax, eax
		js	short loc_9EC2C3
		cmp	dword ptr [ebp-0C0h], 0
		jz	short loc_9EC2CE

loc_9EC2C3:				; CODE XREF: WdipSemFreePool()+130j
					; WdipSemFreePool()+17Bj ...
		mov	eax, [ebp-0B4h]
		jmp	loc_9EC1D7
; 

loc_9EC2CE:				; CODE XREF: WdipSemFreePool()+1C2j
		mov	edi, _WdipSemDisabledScenarioTable
		test	edi, edi
		jnz	short loc_9EC304
		push	73494457h
		push	404h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	_WdipSemDisabledScenarioTable, edi
		test	edi, edi
		jz	short loc_9EC33A
		push	404h		; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_9EC304:				; CODE XREF: WdipSemFreePool()+1D7j
		mov	ecx, [edi+400h]
		cmp	ecx, 40h
		jnb	short loc_9EC341
		lea	eax, [ecx+1]
		shl	ecx, 4
		mov	[edi+400h], eax
		lea	esi, [ebp-0B0h]
		add	edi, ecx
		movsd
		movsd
		movsd
		movsd
		mov	eax, [ebp-0B4h]
		xor	esi, esi
		mov	edi, [ebp-0C4h]
		jmp	loc_9EC1D7
; 

loc_9EC33A:				; CODE XREF: WdipSemFreePool()+1F4j
		mov	esi, 0C000009Ah
		jmp	short loc_9EC34D
; 

loc_9EC341:				; CODE XREF: WdipSemFreePool()+20Ej
		mov	esi, 0C0000001h
		jmp	short loc_9EC34D
; 

loc_9EC348:				; CODE XREF: WdipSemFreePool()+141j
		mov	esi, 80000005h

loc_9EC34D:				; CODE XREF: WdipSemFreePool()+128j
					; WdipSemFreePool()+240j ...
		cmp	dword ptr [ebp-0B4h], 0
		jz	short loc_9EC361
		push	dword ptr [ebp-0B4h]
		call	_ZwClose@4	; ZwClose(x)

loc_9EC361:				; CODE XREF: WdipSemFreePool()+D1j
					; WdipSemFreePool()+255j
		mov	ecx, [ebp-4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_WdipSemFreePool@0 endp	; sp =	8


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemLogTimeoutInformation(x, x, x)
_WdipSemLogTimeoutInformation@12 proc near ; CODE XREF:	WdipTimeoutCheckRoutine+11BB89p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	offset _WDI_SEM_EVENT_SCENARIO_TIMEOUT
		push	dword_6BCB74
		mov	edi, edx
		mov	ebx, ecx
		push	_WdipSemRegHandle
		xor	esi, esi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9EC3B2
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, ebx
		call	_WdipSemWriteTimeoutEvent@12 ; WdipSemWriteTimeoutEvent(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9EC3B2
		xor	esi, esi

loc_9EC3B2:				; CODE XREF: WdipSemLogTimeoutInformation(x,x,x)+26j
					; WdipSemLogTimeoutInformation(x,x,x)+38j
		call	_WdipSemSqmEnabled@0 ; WdipSemSqmEnabled()
		test	al, al
		jz	short loc_9EC3CD
		movzx	edx, di
		mov	ecx, ebx
		call	_WdipSemSqmLogTimeoutDataPoints@8 ; WdipSemSqmLogTimeoutDataPoints(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9EC3CD
		xor	esi, esi

loc_9EC3CD:				; CODE XREF: WdipSemLogTimeoutInformation(x,x,x)+43j
					; WdipSemLogTimeoutInformation(x,x,x)+53j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_WdipSemLogTimeoutInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemWriteInflightLimitExceededEvent(x, x, x, x)
_WdipSemWriteInflightLimitExceededEvent@16 proc	near
					; CODE XREF: WdipSemLogInflightLimitExceededInformation(x,x,x)+CBp

var_80C		= dword	ptr -80Ch
var_808		= dword	ptr -808h
var_804		= dword	ptr -804h
var_800		= dword	ptr -800h
var_7FC		= dword	ptr -7FCh
var_7F8		= dword	ptr -7F8h
var_7F4		= dword	ptr -7F4h
var_7F0		= dword	ptr -7F0h
var_7EC		= dword	ptr -7ECh
var_7E8		= dword	ptr -7E8h
var_7E4		= dword	ptr -7E4h
var_7E0		= dword	ptr -7E0h
var_7DC		= dword	ptr -7DCh
var_7D8		= dword	ptr -7D8h
var_7C8		= dword	ptr -7C8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	word ptr [ebp+var_808],	dx
		push	ebx
		mov	ebx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_9EC404

loc_9EC3FA:				; CODE XREF: WdipSemWriteInflightLimitExceededEvent(x,x,x,x)+30j
					; WdipSemWriteInflightLimitExceededEvent(x,x,x,x)+37j
		mov	eax, 0C000000Dh
		jmp	loc_9EC4D0
; 

loc_9EC404:				; CODE XREF: WdipSemWriteInflightLimitExceededEvent(x,x,x,x)+22j
		test	ebx, ebx
		jz	short loc_9EC3FA
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_9EC3FA
		lea	eax, [edx+1F4h]
		push	esi
		mov	esi, [eax]
		cmp	esi, 7Dh
		jbe	short loc_9EC427
		mov	eax, 0C000000Dh
		jmp	loc_9EC4CF
; 

loc_9EC427:				; CODE XREF: WdipSemWriteInflightLimitExceededEvent(x,x,x,x)+45j
		push	edi
		lea	edi, [esi+3]
		mov	[ebp+var_804], ecx
		mov	[ebp+var_80C], edi
		lea	ecx, [ebp+var_808]
		xor	edi, edi
		mov	[ebp+var_7FC], 10h
		mov	[ebp+var_800], edi
		mov	[ebp+var_7F8], edi
		mov	[ebp+var_7F4], ecx
		mov	[ebp+var_7F0], edi
		mov	[ebp+var_7EC], 2
		mov	[ebp+var_7E8], edi
		mov	[ebp+var_7E4], eax
		mov	[ebp+var_7E0], edi
		mov	[ebp+var_7DC], 4
		mov	[ebp+var_7D8], edi
		test	esi, esi
		jz	short loc_9EC4B3
		lea	ecx, [ebp+var_7C8]

loc_9EC497:				; CODE XREF: WdipSemWriteInflightLimitExceededEvent(x,x,x,x)+DBj
		and	dword ptr [ecx-8], 0
		and	dword ptr [ecx], 0
		mov	eax, [edx+edi*4]
		inc	edi
		mov	[ecx-0Ch], eax
		mov	dword ptr [ecx-4], 18h
		add	ecx, 10h
		cmp	edi, esi
		jb	short loc_9EC497

loc_9EC4B3:				; CODE XREF: WdipSemWriteInflightLimitExceededEvent(x,x,x,x)+B9j
		lea	eax, [ebp+var_804]
		mov	edx, ebx
		push	eax
		push	[ebp+var_80C]
		push	ecx
		push	ecx
		mov	ecx, offset _WDI_SEM_EVENT_SCENARIO_INFLIGHT_MAX
		call	_WdipSemWriteEvent@24 ;	WdipSemWriteEvent(x,x,x,x,x,x)
		pop	edi

loc_9EC4CF:				; CODE XREF: WdipSemWriteInflightLimitExceededEvent(x,x,x,x)+4Cj
		pop	esi

loc_9EC4D0:				; CODE XREF: WdipSemWriteInflightLimitExceededEvent(x,x,x,x)+29j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_WdipSemWriteInflightLimitExceededEvent@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemWriteMisconfigEvent(x, x, x)
_WdipSemWriteMisconfigEvent@12 proc near ; CODE	XREF: WdipSemLoadScenarioTable+94CF4p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	word ptr [ebp+var_38], dx
		test	ecx, ecx
		jnz	short loc_9EC500
		mov	eax, 0C000000Dh
		jmp	short loc_9EC54C
; 

loc_9EC500:				; CODE XREF: WdipSemWriteMisconfigEvent(x,x,x)+18j
		lea	eax, [ebp+var_38]
		mov	[ebp+var_34], ecx
		mov	[ebp+var_24], eax
		xor	ecx, ecx
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_14], eax
		xor	edx, edx
		lea	eax, [ebp+var_34]
		mov	[ebp+var_28], ecx
		push	eax
		push	3
		push	ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		push	ecx
		mov	ecx, offset _WDI_SEM_EVENT_INIT_MISCONFIG
		mov	[ebp+var_2C], 10h
		mov	[ebp+var_1C], 2
		mov	[ebp+var_C], 4
		call	_WdipSemWriteEvent@24 ;	WdipSemWriteEvent(x,x,x,x,x,x)

loc_9EC54C:				; CODE XREF: WdipSemWriteMisconfigEvent(x,x,x)+1Fj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_WdipSemWriteMisconfigEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemWriteProviderLimitExceededEvent(x)
_WdipSemWriteProviderLimitExceededEvent@4 proc near
					; CODE XREF: WdipSemUpdateProviderTableWithEvent+9418Dp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		test	ecx, ecx
		jnz	short loc_9EC577
		mov	eax, 0C000000Dh
		jmp	short loc_9EC59D
; 

loc_9EC577:				; CODE XREF: WdipSemWriteProviderLimitExceededEvent(x)+14j
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_14]
		and	[ebp+var_8], 0
		xor	edx, edx
		push	eax
		push	1
		push	ecx
		mov	[ebp+var_14], ecx
		push	ecx
		mov	ecx, offset _WDI_SEM_EVENT_INIT_PROVIDER_MAX
		mov	[ebp+var_C], 10h
		call	_WdipSemWriteEvent@24 ;	WdipSemWriteEvent(x,x,x,x,x,x)

loc_9EC59D:				; CODE XREF: WdipSemWriteProviderLimitExceededEvent(x)+1Bj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_WdipSemWriteProviderLimitExceededEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemWriteScenarioLimitExceededEvent(x, x, x)
_WdipSemWriteScenarioLimitExceededEvent@12 proc	near
					; CODE XREF: WdipSemLoadScenarioTable+94D3Ap
					; WdipSemLoadNextScenario+9496Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		test	ecx, ecx
		jnz	short loc_9EC5C6

loc_9EC5BF:				; CODE XREF: WdipSemWriteScenarioLimitExceededEvent(x,x,x)+1Fj
		mov	eax, 0C000000Dh
		jmp	short loc_9EC5FE
; 

loc_9EC5C6:				; CODE XREF: WdipSemWriteScenarioLimitExceededEvent(x,x,x)+14j
		test	edx, edx
		jz	short loc_9EC5BF
		push	esi
		push	2
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_24], edx
		pop	edx
		mov	[ebp+var_14], eax
		xor	esi, esi
		lea	eax, [ebp+var_24]
		mov	[ebp+var_C], edx
		push	eax
		push	edx
		push	ecx
		push	ecx
		xor	edx, edx
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], 10h
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		call	_WdipSemWriteEvent@24 ;	WdipSemWriteEvent(x,x,x,x,x,x)
		pop	esi

loc_9EC5FE:				; CODE XREF: WdipSemWriteScenarioLimitExceededEvent(x,x,x)+1Bj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_WdipSemWriteScenarioLimitExceededEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemWriteSemFailureEvent(x, x, x, x, x)
_WdipSemWriteSemFailureEvent@20	proc near ; CODE XREF: WdipSemDisableScenario+11CF31p
					; WdipSemEnableScenario+9EBC0p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_9EC62C

loc_9EC625:				; CODE XREF: WdipSemWriteSemFailureEvent(x,x,x,x,x)+22j
					; WdipSemWriteSemFailureEvent(x,x,x,x,x)+26j
		mov	eax, 0C000000Dh
		jmp	short loc_9EC67D
; 

loc_9EC62C:				; CODE XREF: WdipSemWriteSemFailureEvent(x,x,x,x,x)+17j
		test	edx, edx
		jz	short loc_9EC625
		test	eax, eax
		jz	short loc_9EC625
		mov	[ebp+var_34], edx
		lea	edx, [ebp+arg_0]
		mov	[ebp+var_24], edx
		lea	edx, [ebp+arg_8]
		push	esi
		mov	[ebp+var_14], edx
		xor	esi, esi
		lea	edx, [ebp+var_34]
		mov	[ebp+var_30], esi
		push	edx
		push	3
		push	ecx
		push	ecx
		mov	edx, eax
		mov	[ebp+var_2C], 10h
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], 2
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], esi
		call	_WdipSemWriteEvent@24 ;	WdipSemWriteEvent(x,x,x,x,x,x)
		pop	esi

loc_9EC67D:				; CODE XREF: WdipSemWriteSemFailureEvent(x,x,x,x,x)+1Ej
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_WdipSemWriteSemFailureEvent@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemWriteTimeoutEvent(x,	x, x)
_WdipSemWriteTimeoutEvent@12 proc near	; CODE XREF: WdipSemLogTimeoutInformation(x,x,x)+2Fp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	word ptr [ebp+var_28], dx
		mov	edx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_9EC6AF

loc_9EC6A8:				; CODE XREF: WdipSemWriteTimeoutEvent(x,x,x)+26j
		mov	eax, 0C000000Dh
		jmp	short loc_9EC6EA
; 

loc_9EC6AF:				; CODE XREF: WdipSemWriteTimeoutEvent(x,x,x)+1Bj
		test	edx, edx
		jz	short loc_9EC6A8
		push	esi
		push	2
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], ecx
		pop	ecx
		mov	[ebp+var_14], eax
		xor	esi, esi
		lea	eax, [ebp+var_24]
		mov	[ebp+var_C], ecx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, offset _WDI_SEM_EVENT_SCENARIO_TIMEOUT
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], 10h
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_8], esi
		call	_WdipSemWriteEvent@24 ;	WdipSemWriteEvent(x,x,x,x,x,x)
		pop	esi

loc_9EC6EA:				; CODE XREF: WdipSemWriteTimeoutEvent(x,x,x)+22j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_WdipSemWriteTimeoutEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemGetGuidKey(x, x)
_WdipSemGetGuidKey@8 proc near		; CODE XREF: WdipSemSqmLogInflightLimitExceededDataPoints+11BAF0p
					; WdipSemSqmLogTimeoutDataPoints(x,x)+1Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	edi
		mov	ebx, ecx
		xor	edi, edi
		mov	[ebp+var_C], edi
		mov	eax, edx
		mov	[ebp+var_8], eax
		test	ebx, ebx
		jnz	short loc_9EC71C

loc_9EC712:				; CODE XREF: WdipSemGetGuidKey(x,x)+26j
		mov	edi, 0C000000Dh
		jmp	loc_9EC7C3
; 

loc_9EC71C:				; CODE XREF: WdipSemGetGuidKey(x,x)+18j
		test	eax, eax
		jz	short loc_9EC712
		movzx	ecx, word ptr [ebx+4]
		movzx	edx, word ptr [ebx+6]
		imul	eax, ecx, 1778D6CDh
		push	esi
		mov	esi, 3039h
		sub	esi, eax
		imul	eax, ecx, 131915D3h
		shr	esi, 10h
		mov	ecx, 3039h
		inc	eax
		and	eax, 0FFFF0000h
		or	esi, eax
		imul	eax, edx, 1778D6CDh
		sub	ecx, eax
		imul	eax, edx, 131915D3h
		shr	ecx, 10h
		inc	eax
		and	eax, 0FFFF0000h
		or	ecx, eax
		add	esi, ecx
		add	esi, [ebx]

loc_9EC769:				; CODE XREF: WdipSemGetGuidKey(x,x)+9Aj
		movzx	ecx, byte ptr [ebx+edi+8]
		mov	edx, 3039h
		imul	eax, ecx, 1778D6CDh
		sub	edx, eax
		imul	eax, ecx, 131915D3h
		shr	edx, 10h
		inc	eax
		and	eax, 0FFFF0000h
		or	edx, eax
		add	esi, edx
		inc	edi
		cmp	edi, 8
		jb	short loc_9EC769
		imul	eax, esi, 41C64E6Dh
		xor	edx, edx
		imul	ecx, esi, 10DCDh
		mov	edi, [ebp+var_C]
		pop	esi
		add	eax, 3039h
		shr	eax, 10h
		inc	ecx
		and	ecx, 0FFFF0000h
		or	eax, ecx
		mov	ecx, 7FFFFFFFh
		div	ecx
		mov	eax, [ebp+var_8]
		mov	[eax], edx

loc_9EC7C3:				; CODE XREF: WdipSemGetGuidKey(x,x)+1Fj
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn
_WdipSemGetGuidKey@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemDisableAllProviders()
_WdipSemDisableAllProviders@0 proc near	; CODE XREF: WdipSemShutdown()+21p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		mov	ebx, _WdipDiagLoggerId
		mov	eax, offset _WdipDiagLoggerId
		push	esi
		push	edi
		xchg	ebx, [eax]
		mov	ecx, _WdipContextLoggerId
		mov	eax, offset _WdipContextLoggerId
		xchg	ecx, [eax]
		xor	edx, edx
		mov	[esp+10h+var_4], ecx
		mov	edi, edx
		cmp	dword_6BDB80, edx
		jz	short loc_9EC84A

loc_9EC7FF:				; CODE XREF: WdipSemDisableAllProviders()+7Fj
		mov	esi, _WdipSemProviderTable[edi*4]
		cmp	byte ptr [esi+25h], 0
		jz	short loc_9EC824
		test	ebx, ebx
		jz	short loc_9EC824
		push	edx
		push	edx
		push	edx
		push	edx
		push	edx
		mov	edx, esi
		mov	ecx, ebx
		call	_WdipSemEnableDisableTrace@28 ;	WdipSemEnableDisableTrace(x,x,x,x,x,x,x)
		mov	ecx, [esp+10h+var_4]
		xor	edx, edx

loc_9EC824:				; CODE XREF: WdipSemDisableAllProviders()+41j
					; WdipSemDisableAllProviders()+45j
		cmp	byte ptr [esi+45h], 0
		jz	short loc_9EC83A
		test	ecx, ecx
		jz	short loc_9EC83A
		push	edx
		push	edx
		push	edx
		push	edx
		push	edx
		mov	edx, esi
		call	_WdipSemEnableDisableTrace@28 ;	WdipSemEnableDisableTrace(x,x,x,x,x,x,x)

loc_9EC83A:				; CODE XREF: WdipSemDisableAllProviders()+5Fj
					; WdipSemDisableAllProviders()+63j
		mov	ecx, [esp+10h+var_4]
		inc	edi
		push	0
		pop	edx
		cmp	edi, dword_6BDB80
		jb	short loc_9EC7FF

loc_9EC84A:				; CODE XREF: WdipSemDisableAllProviders()+34j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_WdipSemDisableAllProviders@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemSqmAddToStream(x, x,	x)
_WdipSemSqmAddToStream@12 proc near	; CODE XREF: WdipSemSqmLogInflightLimitExceededDataPoints+11BB18p
					; WdipSemSqmLogTimeoutDataPoints(x,x)+3Ap

var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1A8		= dword	ptr -1A8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		imul	esi, edx, 3
		push	4
		pop	ebx
		mov	[ebp+var_204], edx
		mov	[ebp+var_1FC], ecx
		add	esi, ebx
		mov	[ebp+var_1F8], 1
		mov	[ebp+var_20C], esi
		mov	[ebp+var_208], 30h
		mov	[ebp+var_200], 0Bh
		test	edi, edi
		jz	loc_9EC9B3
		test	edx, edx
		jz	loc_9EC9B3
		cmp	edx, 9
		ja	loc_9EC9B3
		xor	ecx, ecx
		mov	[ebp+var_1DC], ebx
		mov	[ebp+var_1CC], ebx
		lea	eax, [ebp+var_1FC]
		mov	[ebp+var_1E4], eax
		lea	eax, [ebp+var_200]
		mov	[ebp+var_1D4], eax
		lea	eax, [ebp+var_204]
		mov	[ebp+var_1BC], ebx
		mov	ebx, ecx
		mov	[ebp+var_1F4], offset _WinSqmGlobalSession
		mov	[ebp+var_1F0], ecx
		mov	[ebp+var_1EC], 10h
		mov	[ebp+var_1E8], ecx
		mov	[ebp+var_1E0], ecx
		mov	[ebp+var_1D8], ecx
		mov	[ebp+var_1D0], ecx
		mov	[ebp+var_1C8], ecx
		mov	[ebp+var_1C4], eax
		mov	[ebp+var_1C0], ecx
		mov	[ebp+var_1B8], ecx
		test	edx, edx
		jz	short loc_9EC99B
		lea	ecx, [ebp+var_1A8]
		xor	eax, eax
		lea	esi, [ebp+var_1F8]

loc_9EC94D:				; CODE XREF: WdipSemSqmAddToStream(x,x,x)+142j
		mov	[ecx-8], eax
		mov	[ecx], eax
		lea	eax, [edi+ebx*4]
		mov	[ecx-0Ch], esi
		lea	esi, [ebp+var_208]
		mov	dword ptr [ecx-4], 4
		mov	[ecx+4], eax
		xor	eax, eax
		mov	[ecx+8], eax
		inc	ebx
		mov	dword ptr [ecx+0Ch], 4
		mov	[ecx+10h], eax
		mov	[ecx+14h], esi
		lea	esi, [ebp+var_1F8]
		mov	[ecx+18h], eax
		mov	dword ptr [ecx+1Ch], 4
		mov	[ecx+20h], eax
		add	ecx, 30h
		cmp	ebx, edx
		jb	short loc_9EC94D
		mov	esi, [ebp+var_20C]

loc_9EC99B:				; CODE XREF: WdipSemSqmAddToStream(x,x,x)+ECj
		lea	eax, [ebp+var_1F4]
		xor	edx, edx
		push	eax
		push	esi
		push	ecx
		push	ecx
		mov	ecx, offset _WDI_SEM_EVENT_SQM_ADD_TO_STREAM
		call	_WdipSemWriteEvent@24 ;	WdipSemWriteEvent(x,x,x,x,x,x)
		jmp	short loc_9EC9B8
; 

loc_9EC9B3:				; CODE XREF: WdipSemSqmAddToStream(x,x,x)+55j
					; WdipSemSqmAddToStream(x,x,x)+5Dj ...
		mov	eax, 0C000000Dh

loc_9EC9B8:				; CODE XREF: WdipSemSqmAddToStream(x,x,x)+160j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_WdipSemSqmAddToStream@12 endp


;  S U B	R O U T	I N E 


; __stdcall WdipSemSqmEnabled()
_WdipSemSqmEnabled@0 proc near		; CODE XREF: WdipSemLogInflightLimitExceededInformation(x,x,x)+5Ap
					; WdipSemLogInflightLimitExceededInformation(x,x,x):loc_9EBF09p ...
		mov	edi, edi
		push	esi
		mov	esi, dword_6BCB74
		push	edi
		mov	edi, _WdipSemRegHandle
		push	offset _WDI_SEM_EVENT_SQM_INCREMENT_DWORD
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9EC9FD
		push	offset _WDI_SEM_EVENT_SQM_ADD_TO_STREAM
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9EC9FD
		mov	al, 1
		jmp	short loc_9EC9FF
; 

loc_9EC9FD:				; CODE XREF: WdipSemSqmEnabled()+1Ej
					; WdipSemSqmEnabled()+2Ej
		xor	al, al

loc_9EC9FF:				; CODE XREF: WdipSemSqmEnabled()+32j
		pop	edi
		pop	esi
		retn
_WdipSemSqmEnabled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemSqmIncrementDword(x,	x)
_WdipSemSqmIncrementDword@8 proc near	; CODE XREF: WdipSemSqmLogInflightLimitExceededDataPoints+11BACDp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_50], edx
		xor	edx, edx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_4C], 1C2h
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_48], 6
		mov	[ebp+var_44], offset _WinSqmGlobalSession
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], 10h
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		mov	ecx, offset _WDI_SEM_EVENT_SQM_INCREMENT_DWORD
		call	_WdipSemWriteEvent@24 ;	WdipSemWriteEvent(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_WdipSemSqmIncrementDword@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdipSemSqmLogTimeoutDataPoints(x, x)
_WdipSemSqmLogTimeoutDataPoints@8 proc near
					; CODE XREF: WdipSemLogTimeoutInformation(x,x,x)+4Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		test	ecx, ecx
		jnz	short loc_9ECAA1
		mov	eax, 0C000000Dh
		jmp	short loc_9ECAC7
; 

loc_9ECAA1:				; CODE XREF: WdipSemSqmLogTimeoutDataPoints(x,x)+10j
		lea	edx, [ebp+var_4]
		call	_WdipSemGetGuidKey@8 ; WdipSemGetGuidKey(x,x)
		test	eax, eax
		js	short loc_9ECAC7
		mov	eax, [ebp+var_4]
		mov	ecx, 41Eh
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	2
		pop	edx
		mov	[ebp+var_4], esi
		call	_WdipSemSqmAddToStream@12 ; WdipSemSqmAddToStream(x,x,x)

loc_9ECAC7:				; CODE XREF: WdipSemSqmLogTimeoutDataPoints(x,x)+17j
					; WdipSemSqmLogTimeoutDataPoints(x,x)+23j
		pop	esi
		leave
		retn
_WdipSemSqmLogTimeoutDataPoints@8 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1045. IoWMIAllocateInstanceIds

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IoWMIAllocateInstanceIds(void *,int,int)
		public _IoWMIAllocateInstanceIds@12
_IoWMIAllocateInstanceIds@12 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		xor	edi, edi
		cmp	_WmipServiceDeviceObject, edi
		jnz	short loc_9ECAEA
		mov	eax, 0C0000001h
		jmp	loc_9ECBCD
; 

loc_9ECAEA:				; CODE XREF: IoWMIAllocateInstanceIds(x,x,x)+Fj
		push	ebx
		push	esi
		push	0
		push	0
		push	0
		push	0
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		mov	esi, _WmipInstIdChunkHead
		jmp	short loc_9ECB35
; 

loc_9ECB06:				; CODE XREF: IoWMIAllocateInstanceIds(x,x,x)+68j
		xor	edi, edi
		lea	ebx, [esi+4]

loc_9ECB0B:				; CODE XREF: IoWMIAllocateInstanceIds(x,x,x)+60j
		mov	eax, [ebx+10h]
		mov	[ebp+var_4], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9ECB95
		push	10h		; size_t
		push	ebx		; void *
		push	[ebp+arg_0]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9ECB74
		inc	edi
		add	ebx, 14h
		cmp	edi, 8
		jb	short loc_9ECB0B
		mov	edi, esi
		mov	esi, [esi]

loc_9ECB35:				; CODE XREF: IoWMIAllocateInstanceIds(x,x,x)+35j
		test	esi, esi
		jnz	short loc_9ECB06
		push	69696D57h
		push	0A4h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_9ECBBA
		push	0A0h		; size_t
		lea	ecx, [ebx+4]
		push	0FFh		; int
		push	ecx		; void *
		call	_memset
		and	[ebx], esi
		add	esp, 0Ch
		test	edi, edi
		jnz	short loc_9ECB90
		mov	_WmipInstIdChunkHead, ebx
		jmp	short loc_9ECB92
; 

loc_9ECB74:				; CODE XREF: IoWMIAllocateInstanceIds(x,x,x)+57j
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_4]
		push	0
		push	offset _WmipSMMutex
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		add	[ebx+10h], eax
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		jmp	short loc_9ECBB6
; 

loc_9ECB90:				; CODE XREF: IoWMIAllocateInstanceIds(x,x,x)+9Bj
		mov	[edi], ebx

loc_9ECB92:				; CODE XREF: IoWMIAllocateInstanceIds(x,x,x)+A3j
		add	ebx, 4

loc_9ECB95:				; CODE XREF: IoWMIAllocateInstanceIds(x,x,x)+45j
		mov	esi, [ebp+arg_0]
		mov	edi, ebx
		mov	eax, [ebp+arg_4]
		push	0
		push	offset _WmipSMMutex
		movsd
		movsd
		movsd
		movsd
		mov	[ebx+10h], eax
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, [ebp+arg_8]
		and	dword ptr [eax], 0

loc_9ECBB6:				; CODE XREF: IoWMIAllocateInstanceIds(x,x,x)+BFj
		xor	eax, eax
		jmp	short loc_9ECBCB
; 

loc_9ECBBA:				; CODE XREF: IoWMIAllocateInstanceIds(x,x,x)+7Fj
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, 0C000009Ah

loc_9ECBCB:				; CODE XREF: IoWMIAllocateInstanceIds(x,x,x)+E9j
		pop	esi
		pop	ebx

loc_9ECBCD:				; CODE XREF: IoWMIAllocateInstanceIds(x,x,x)+16j
		pop	edi
		leave
		retn	0Ch
_IoWMIAllocateInstanceIds@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1047. IoWMIExecuteMethod

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IoWMIExecuteMethod(int,int,int,size_t,int,void *)
		public _IoWMIExecuteMethod@24
_IoWMIExecuteMethod@24 proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	ecx, [ebp+arg_C]
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_10]
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	eax, [ebx]
		push	esi
		push	edi
		cmp	ecx, eax
		jbe	short loc_9ECBFE
		mov	eax, ecx

loc_9ECBFE:				; CODE XREF: IoWMIExecuteMethod(x,x,x,x,x,x)+23j
		mov	edx, [ebp+arg_4]
		lea	ecx, [ebp+var_8]
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		push	eax
		push	44h
		pop	ecx
		call	_WmipAllocateSingleInstanceWnode@28 ; WmipAllocateSingleInstanceWnode(x,x,x,x,x,x,x)
		mov	edi, [ebp+var_8]
		mov	esi, eax
		test	esi, esi
		js	loc_9ECCBE
		mov	esi, [ebp+var_C]
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	dword ptr [edi+2Ch], 8000h
		and	dword ptr [edi+10h], 0
		mov	[edi], esi
		and	dword ptr [edi+0Ch], 0
		mov	[edi+38h], eax
		mov	eax, [ebp+var_10]
		mov	[edi+30h], eax
		mov	eax, [ebp+var_4]
		mov	[edi+3Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[edi+40h], eax
		mov	ecx, [edi+30h]
		mov	ax, [edx]
		mov	[ecx+edi], ax
		movzx	eax, word ptr [edx]
		push	eax		; size_t
		push	dword ptr [edx+4] ; void *
		lea	eax, [edi+2]
		add	eax, ecx
		push	eax		; void *
		call	_memcpy
		push	[ebp+arg_C]	; size_t
		mov	eax, [edi+3Ch]
		push	[ebp+arg_14]	; void *
		add	eax, edi
		push	eax		; void *
		call	_memcpy
		mov	eax, [edi]
		add	esp, 18h
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+arg_C], eax
		lea	eax, [ebp+arg_C]
		push	eax
		push	esi
		push	edi
		push	9
		push	0
		call	WmipQuerySetExecuteSI
		mov	esi, eax
		test	esi, esi
		js	short loc_9ECCBE
		test	byte ptr [edi+2Ch], 20h
		jz	short loc_9ECCD3
		mov	eax, [edi+30h]
		sub	eax, [ebp+var_4]

loc_9ECCB1:				; CODE XREF: IoWMIExecuteMethod(x,x,x,x,x,x)+101j
		add	eax, 7
		mov	esi, 0C0000023h
		and	eax, 0FFFFFFF8h
		mov	[ebx], eax

loc_9ECCBE:				; CODE XREF: IoWMIExecuteMethod(x,x,x,x,x,x)+4Aj
					; IoWMIExecuteMethod(x,x,x,x,x,x)+CCj ...
		test	edi, edi
		jz	short loc_9ECCCA
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9ECCCA:				; CODE XREF: IoWMIExecuteMethod(x,x,x,x,x,x)+E9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_9ECCD3:				; CODE XREF: IoWMIExecuteMethod(x,x,x,x,x,x)+D2j
		mov	eax, [edi+40h]
		cmp	[ebx], eax
		jb	short loc_9ECCB1
		mov	[ebx], eax
		push	dword ptr [edi+40h] ; size_t
		mov	eax, [edi+3Ch]
		add	eax, edi
		push	eax		; void *
		push	[ebp+arg_14]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_9ECCBE
_IoWMIExecuteMethod@24 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1051. IoWMIQueryAllDataMultiple

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoWMIQueryAllDataMultiple(x, x, x, x)
		public _IoWMIQueryAllDataMultiple@16
_IoWMIQueryAllDataMultiple@16 proc near

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [esp+58h+var_50]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	edi, [ebp+arg_8]
		push	48h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		and	[esp+6Ch+var_54], 0
		add	esp, 0Ch
		test	ebx, ebx
		jz	short loc_9ECD8B
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_9ECD8B
		test	edi, edi
		jz	short loc_9ECD8B
		mov	eax, [edi]
		test	esi, esi
		jz	short loc_9ECD49
		cmp	eax, 48h
		jnb	short loc_9ECD50

loc_9ECD49:				; CODE XREF: IoWMIQueryAllDataMultiple(x,x,x,x)+4Bj
		push	48h
		lea	esi, [esp+64h+var_50]
		pop	eax

loc_9ECD50:				; CODE XREF: IoWMIQueryAllDataMultiple(x,x,x,x)+50j
		lea	edx, [esp+60h+var_54]
		push	edx
		xor	edx, edx
		push	edx
		push	eax
		push	esi
		push	edx
		push	edx
		mov	edx, ebx
		call	_WmipQueryAllDataMultiple@32 ; WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_9ECD90
		test	byte ptr [esi+2Ch], 20h
		jz	short loc_9ECD7B
		mov	eax, [esi+30h]
		mov	[edi], eax

loc_9ECD74:				; CODE XREF: IoWMIQueryAllDataMultiple(x,x,x,x)+92j
		mov	ecx, 0C0000023h
		jmp	short loc_9ECD90
; 

loc_9ECD7B:				; CODE XREF: IoWMIQueryAllDataMultiple(x,x,x,x)+76j
		mov	eax, [esp+60h+var_54]
		mov	[edi], eax
		lea	eax, [esp+60h+var_50]
		cmp	esi, eax
		jnz	short loc_9ECD90
		jmp	short loc_9ECD74
; 

loc_9ECD8B:				; CODE XREF: IoWMIQueryAllDataMultiple(x,x,x,x)+3Aj
					; IoWMIQueryAllDataMultiple(x,x,x,x)+41j ...
		mov	ecx, 0C000000Dh

loc_9ECD90:				; CODE XREF: IoWMIQueryAllDataMultiple(x,x,x,x)+70j
					; IoWMIQueryAllDataMultiple(x,x,x,x)+82j ...
		pop	edi
		mov	eax, ecx
		mov	ecx, [esp+5Ch+var_4]
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_IoWMIQueryAllDataMultiple@16 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1053. IoWMIQuerySingleInstanceMultiple

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoWMIQuerySingleInstanceMultiple(x,	x, x, x, x)
		public _IoWMIQuerySingleInstanceMultiple@20
_IoWMIQuerySingleInstanceMultiple@20 proc near

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[esp+4Ch+var_48], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		mov	edi, [ebp+arg_C]
		push	38h		; size_t
		mov	[esp+5Ch+var_44], eax
		lea	eax, [esp+5Ch+var_40]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [esp+64h+var_44]
		add	esp, 0Ch
		test	ecx, ecx
		jz	short loc_9ECE51
		test	ebx, ebx
		jz	short loc_9ECE51
		cmp	[ebp+arg_8], 0
		jz	short loc_9ECE51
		test	edi, edi
		jz	short loc_9ECE51
		mov	eax, [edi]
		test	esi, esi
		jz	short loc_9ECE0B
		cmp	eax, 38h
		jnb	short loc_9ECE12

loc_9ECE0B:				; CODE XREF: IoWMIQuerySingleInstanceMultiple(x,x,x,x,x)+59j
		push	38h
		lea	esi, [esp+5Ch+var_40]
		pop	eax

loc_9ECE12:				; CODE XREF: IoWMIQuerySingleInstanceMultiple(x,x,x,x,x)+5Ej
		lea	edx, [esp+58h+var_48]
		push	edx
		push	ebx
		push	ecx
		push	[ebp+arg_8]
		xor	dl, dl
		xor	ecx, ecx
		push	0
		push	eax
		push	esi
		call	_WmipQuerySingleMultiple@36 ; WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_9ECE56
		test	byte ptr [esi+2Ch], 20h
		jz	short loc_9ECE41
		mov	eax, [esi+30h]
		mov	[edi], eax

loc_9ECE3A:				; CODE XREF: IoWMIQuerySingleInstanceMultiple(x,x,x,x,x)+A4j
		mov	ecx, 0C0000023h
		jmp	short loc_9ECE56
; 

loc_9ECE41:				; CODE XREF: IoWMIQuerySingleInstanceMultiple(x,x,x,x,x)+88j
		mov	eax, [esp+58h+var_48]
		mov	[edi], eax
		lea	eax, [esp+58h+var_40]
		cmp	esi, eax
		jnz	short loc_9ECE56
		jmp	short loc_9ECE3A
; 

loc_9ECE51:				; CODE XREF: IoWMIQuerySingleInstanceMultiple(x,x,x,x,x)+45j
					; IoWMIQuerySingleInstanceMultiple(x,x,x,x,x)+49j ...
		mov	ecx, 0C000000Dh

loc_9ECE56:				; CODE XREF: IoWMIQuerySingleInstanceMultiple(x,x,x,x,x)+82j
					; IoWMIQuerySingleInstanceMultiple(x,x,x,x,x)+94j ...
		pop	edi
		mov	eax, ecx
		mov	ecx, [esp+54h+var_4]
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
_IoWMIQuerySingleInstanceMultiple@20 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1056. IoWMISetSingleInstance

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IoWMISetSingleInstance(int,int,int,size_t,void *)
		public _IoWMISetSingleInstance@20
_IoWMISetSingleInstance@20 proc	near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		mov	[ebp+var_4], eax
		mov	edx, ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+arg_C]
		push	40h
		pop	ecx
		call	_WmipAllocateSingleInstanceWnode@28 ; WmipAllocateSingleInstanceWnode(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9ECF2B
		mov	ecx, [ebp+var_C]
		mov	esi, [ebp+var_8]
		mov	eax, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+var_4]
		mov	dword ptr [edi+2Ch], 2
		and	dword ptr [edi+10h], 0
		mov	[edi], esi
		and	dword ptr [edi+0Ch], 0
		mov	[edi+8], eax
		mov	[edi+30h], ecx
		mov	ax, [ebx]
		mov	[ecx+edi], ax
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		lea	eax, [ecx+2]
		add	eax, edi
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+var_10]
		push	ecx		; size_t
		push	[ebp+arg_10]	; void *
		mov	[edi+3Ch], ecx
		mov	[edi+38h], eax
		add	eax, edi
		push	eax		; void *
		call	_memcpy
		mov	eax, [edi]
		add	esp, 18h
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+arg_C], eax
		lea	eax, [ebp+arg_C]
		push	eax
		push	esi
		push	edi
		push	2
		push	0
		call	WmipQuerySetExecuteSI
		push	0
		push	edi
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi

loc_9ECF2B:				; CODE XREF: IoWMISetSingleInstance(x,x,x,x,x)+3Cj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
_IoWMISetSingleInstance@20 endp

; 
		align 8
; Exported entry 1057. IoWMISetSingleItem

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IoWMISetSingleItem(int,int,int,int,size_t,void *)
		public _IoWMISetSingleItem@24
_IoWMISetSingleItem@24 proc near

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		mov	[ebp+var_4], eax
		mov	edx, ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+arg_10]
		push	44h
		pop	ecx
		call	_WmipAllocateSingleInstanceWnode@28 ; WmipAllocateSingleInstanceWnode(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9ECFFC
		mov	esi, [ebp+var_8]
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_C]
		push	edi
		mov	edi, [ebp+var_4]
		mov	dword ptr [edi+2Ch], 4
		and	dword ptr [edi+10h], 0
		mov	[edi], esi
		and	dword ptr [edi+0Ch], 0
		mov	[edi+8], eax
		mov	eax, [ebp+arg_8]
		mov	[edi+38h], eax
		mov	[edi+30h], ecx
		mov	ax, [ebx]
		mov	[ecx+edi], ax
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		lea	eax, [ecx+2]
		add	eax, edi
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+var_10]
		push	ecx		; size_t
		push	[ebp+arg_14]	; void *
		mov	[edi+40h], ecx
		mov	[edi+3Ch], eax
		add	eax, edi
		push	eax		; void *
		call	_memcpy
		mov	eax, [edi]
		add	esp, 18h
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	[ebp+arg_10], eax
		lea	eax, [ebp+arg_10]
		push	eax
		push	esi
		push	edi
		push	3
		push	0
		call	WmipQuerySetExecuteSI
		push	0
		push	edi
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi

loc_9ECFFC:				; CODE XREF: IoWMISetSingleItem(x,x,x,x,x,x)+3Cj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
_IoWMISetSingleItem@24 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1058. IoWMISuggestInstanceName

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoWMISuggestInstanceName(x,	x, x, x)
		public _IoWMISuggestInstanceName@16
_IoWMISuggestInstanceName@16 proc near

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		xor	ecx, ecx
		push	ebx
		push	esi
		mov	esi, 0C0000030h
		mov	[esp+24h+var_14], ecx
		push	edi
		mov	[esp+28h+var_18], ecx
		mov	[esp+28h+var_8], ecx
		mov	[esp+28h+var_4], ecx
		cmp	_WmipServiceDeviceObject, ecx
		jnz	short loc_9ED03E
		lea	eax, [esi-2Fh]
		jmp	loc_9ED24D
; 

loc_9ED03E:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+2Bj
		mov	ebx, [ebp+arg_0]
		mov	edx, ecx
		mov	[esp+28h+var_1C], edx
		mov	edi, ecx
		test	ebx, ebx
		jz	short loc_9ED0AC
		lea	eax, [esp+28h+var_1C]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	ebx
		call	IoGetDeviceProperty
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_9ED0A0
		push	70696D57h
		push	[esp+2Ch+var_1C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9ED083
		lea	eax, [esi+77h]
		jmp	loc_9ED24D
; 

loc_9ED083:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+70j
		lea	eax, [esp+28h+var_1C]
		push	eax
		push	edi
		push	[esp+30h+var_1C]
		push	0
		push	ebx
		call	IoGetDeviceProperty
		mov	esi, eax
		test	esi, esi
		jns	short loc_9ED0A8
		jmp	loc_9ED223
; 

loc_9ED0A0:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+5Aj
		test	esi, esi
		js	loc_9ED24D

loc_9ED0A8:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+90j
		mov	edx, [esp+28h+var_1C]

loc_9ED0AC:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+42j
		cmp	[ebp+arg_4], 0
		jz	loc_9ED22D
		lea	eax, [esp+28h+var_14]
		push	eax
		push	0F003Fh
		push	[ebp+arg_4]
		call	IoOpenDeviceInterfaceRegistryKey
		mov	esi, eax
		test	esi, esi
		js	loc_9ED21B
		lea	eax, [esp+28h+var_18]
		push	eax
		push	0
		push	0
		push	1
		lea	eax, [esp+38h+var_8]
		push	eax
		push	[esp+3Ch+var_14]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 80000005h
		jz	short loc_9ED101
		cmp	esi, 0C0000023h
		jnz	loc_9ED212

loc_9ED101:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+EAj
		push	70696D57h
		push	[esp+2Ch+var_18]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9ED20D
		lea	eax, [esp+28h+var_18]
		push	eax
		push	[esp+2Ch+var_18]
		lea	eax, [esp+30h+var_8]
		push	ebx
		push	1
		push	eax
		push	[esp+3Ch+var_14]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9ED203
		mov	eax, [ebx+8]
		add	eax, ebx
		cmp	[ebp+arg_8], 0
		mov	[esp+28h+var_10], eax
		jz	short loc_9ED1BE
		mov	eax, [esp+28h+var_1C]
		add	eax, 2
		add	eax, [ebx+0Ch]
		push	70696D57h
		push	eax
		push	1
		mov	[esp+34h+var_C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_9ED176
		mov	esi, 0C000009Ah
		jmp	short loc_9ED1AE
; 

loc_9ED176:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+164j
		mov	eax, [ebp+arg_C]
		mov	[eax+4], ecx
		xor	ecx, ecx
		mov	[eax], cx
		mov	ecx, [esp+28h+var_C]
		mov	[eax+2], cx
		test	edi, edi
		jz	short loc_9ED197
		push	edi		; void *
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	eax, [ebp+arg_C]

loc_9ED197:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+182j
		push	offset ??_C@_13ENNFDPBH@?$AA_@NNGAKEGL@	; void *
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	[esp+28h+var_10] ; void	*
		push	[ebp+arg_C]	; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)

loc_9ED1AE:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+16Bj
		test	edi, edi
		jz	short loc_9ED203
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		jmp	short loc_9ED203
; 

loc_9ED1BE:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+143j
		test	edi, edi
		jz	short loc_9ED1CC
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi

loc_9ED1CC:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+1B7j
		push	70696D57h
		push	dword ptr [ebx+0Ch]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_9ED1E6
		mov	esi, 0C000009Ah
		jmp	short loc_9ED203
; 

loc_9ED1E6:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+1D4j
		mov	ecx, [ebp+arg_C]
		push	[esp+28h+var_10] ; void	*
		push	ecx		; int
		mov	[ecx+4], eax
		xor	eax, eax
		mov	[ecx], ax
		mov	ax, [ebx+0Ch]
		mov	[ecx+2], ax
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)

loc_9ED203:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+130j
					; IoWMISuggestInstanceName(x,x,x,x)+1A7j ...
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9ED212
; 

loc_9ED20D:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+10Cj
		mov	esi, 0C000009Ah

loc_9ED212:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+F2j
					; IoWMISuggestInstanceName(x,x,x,x)+202j
		push	[esp+28h+var_14]
		call	_ZwClose@4	; ZwClose(x)

loc_9ED21B:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+C3j
		test	edi, edi
		jz	short loc_9ED24B
		test	esi, esi
		jns	short loc_9ED24B

loc_9ED223:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+92j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9ED24B
; 

loc_9ED22D:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+A7j
		mov	ecx, [ebp+arg_C]
		test	edi, edi
		jz	short loc_9ED243
		lea	eax, [edx-2]
		mov	[ecx+4], edi
		mov	[ecx], ax
		mov	[ecx+2], dx
		jmp	short loc_9ED24B
; 

loc_9ED243:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+229j
		and	dword ptr [ecx+4], 0
		xor	eax, eax
		mov	[ecx], eax

loc_9ED24B:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+214j
					; IoWMISuggestInstanceName(x,x,x,x)+218j ...
		mov	eax, esi

loc_9ED24D:				; CODE XREF: IoWMISuggestInstanceName(x,x,x,x)+30j
					; IoWMISuggestInstanceName(x,x,x,x)+75j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_IoWMISuggestInstanceName@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipAllocateSingleInstanceWnode(x, x, x, x,	x, x, x)
_WmipAllocateSingleInstanceWnode@28 proc near
					; CODE XREF: IoWMIExecuteMethod(x,x,x,x,x,x)+3Ep
					; IoWMISetSingleInstance(x,x,x,x,x)+33p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	2
		mov	[ebp+arg_0], ecx
		mov	esi, edx
		lea	edx, [ebp+arg_0]
		mov	edi, 0C000009Ah
		pop	ecx
		call	_WmipAlign@8	; WmipAlign(x,x)
		test	al, al
		jz	short loc_9ED2EF
		mov	edx, [ebp+arg_0]
		mov	eax, edx
		movzx	ecx, word ptr [esi]
		not	eax
		add	ecx, 2
		mov	[ebp+var_4], edx
		cmp	ecx, eax
		ja	short loc_9ED2EF
		lea	eax, [ecx+edx]
		push	8
		lea	edx, [ebp+arg_0]
		mov	[ebp+arg_0], eax
		pop	ecx
		call	_WmipAlign@8	; WmipAlign(x,x)
		test	al, al
		jz	short loc_9ED2EF
		mov	esi, [ebp+arg_0]
		mov	eax, esi
		not	eax
		cmp	ebx, eax
		ja	short loc_9ED2EF
		push	70696D57h
		add	ebx, esi
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_9ED2EF
		push	ebx		; size_t
		xor	edi, edi
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebp+arg_0]
		mov	[ecx], esi
		mov	ecx, [ebp+arg_C]
		mov	[ecx], ebx
		mov	ecx, [ebp+arg_10]
		mov	[ecx], eax

loc_9ED2EF:				; CODE XREF: WmipAllocateSingleInstanceWnode(x,x,x,x,x,x,x)+23j
					; WmipAllocateSingleInstanceWnode(x,x,x,x,x,x,x)+37j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_WmipAllocateSingleInstanceWnode@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipFindSMBiosStructure(x, x, x, x)
_WmipFindSMBiosStructure@16 proc near	; CODE XREF: WmipGetSMBiosEventlog(x,x)+28p
					; WmipGetSysIds(x,x,x,x)+122p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	18h
		push	offset dword_6A9C60
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_19], cl
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	edi, offset _WmipSMBiosLock
		push	edi
		call	ExAcquireResourceSharedLite
		xor	esi, esi
		mov	[ebp+var_20], esi
		mov	ecx, ds:_WmipSMBiosTablePhysicalAddress
		mov	eax, ecx
		mov	edx, ds:dword_A93DB4
		or	eax, edx
		jz	short loc_9ED369
		push	4
		push	ds:_WmipSMBiosTableLength
		push	edx
		push	ecx
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		mov	edx, [ebp+arg_0]
		mov	[edx], eax
		test	eax, eax
		jz	short loc_9ED362
		mov	ecx, ds:_WmipSMBiosTableLength
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	ecx, [edx]
		jmp	short loc_9ED373
; 

loc_9ED362:				; CODE XREF: WmipFindSMBiosStructure(x,x,x,x)+59j
		mov	esi, 0C000009Ah
		jmp	short loc_9ED36E
; 

loc_9ED369:				; CODE XREF: WmipFindSMBiosStructure(x,x,x,x)+41j
		mov	esi, 0C0000001h

loc_9ED36E:				; CODE XREF: WmipFindSMBiosStructure(x,x,x,x)+6Fj
		xor	ecx, ecx
		mov	[ebp+var_20], esi

loc_9ED373:				; CODE XREF: WmipFindSMBiosStructure(x,x,x,x)+68j
		test	esi, esi
		js	short loc_9ED3F0
		xor	esi, esi
		mov	[ebx], esi
		mov	edx, ds:_WmipSMBiosTableLength
		add	edx, ecx
		mov	[ebp+var_20], 0C0000001h
		mov	[ebp+ms_exc.disabled], esi

loc_9ED38D:				; CODE XREF: WmipFindSMBiosStructure(x,x,x,x)+C9j
		cmp	ecx, edx
		jnb	short loc_9ED39D
		mov	al, [ebp+var_19]
		cmp	[ecx], al
		jnz	short loc_9ED3A6
		mov	[ebx], ecx
		mov	[ebp+var_20], esi

loc_9ED39D:				; CODE XREF: WmipFindSMBiosStructure(x,x,x,x)+97j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9ED3D6
; 

loc_9ED3A6:				; CODE XREF: WmipFindSMBiosStructure(x,x,x,x)+9Ej
		movzx	eax, byte ptr [ecx+1]
		add	ecx, eax

loc_9ED3AC:				; CODE XREF: WmipFindSMBiosStructure(x,x,x,x)+C1j
		mov	[ebp+var_24], ecx
		cmp	[ecx], si
		jz	short loc_9ED3BB
		cmp	ecx, edx
		jnb	short loc_9ED3BB
		inc	ecx
		jmp	short loc_9ED3AC
; 

loc_9ED3BB:				; CODE XREF: WmipFindSMBiosStructure(x,x,x,x)+BAj
					; WmipFindSMBiosStructure(x,x,x,x)+BEj
		add	ecx, 2
		mov	[ebp+var_24], ecx
		jmp	short loc_9ED38D
; 

loc_9ED3C3:				; DATA XREF: .text:006A9C74o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9ED3C7:				; DATA XREF: .text:006A9C78o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, offset _WmipSMBiosLock

loc_9ED3D6:				; CODE XREF: WmipFindSMBiosStructure(x,x,x,x)+ACj
		cmp	[ebp+var_20], 0
		jge	short loc_9ED403
		mov	eax, [ebp+arg_0]
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_9ED3F0
		mov	eax, [ebp+arg_4]
		push	dword ptr [eax]
		push	edx
		call	MmUnmapIoSpace

loc_9ED3F0:				; CODE XREF: WmipFindSMBiosStructure(x,x,x,x)+7Dj
					; WmipFindSMBiosStructure(x,x,x,x)+EBj
		mov	ecx, edi
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9ED403:				; CODE XREF: WmipFindSMBiosStructure(x,x,x,x)+E2j
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_WmipFindSMBiosStructure@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipFindSysIdTable(x, x, x)
_WmipFindSysIdTable@12 proc near	; CODE XREF: WmipGetSysIds(x,x,x,x)+41p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	24h
		push	offset dword_6A9C40
		call	__SEH_prolog4
		mov	[ebp+var_28], edx
		mov	edi, ecx
		xor	ebx, ebx
		push	4
		push	20000h
		push	ebx
		push	0E0000h
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_20], edx
		test	edx, edx
		jnz	short loc_9ED450
		mov	ebx, 0C000009Ah
		jmp	loc_9ED4EB
; 

loc_9ED450:				; CODE XREF: WmipFindSysIdTable(x,x,x)+2Cj
		mov	ecx, edx
		lea	esi, [edx+1FFEFh]
		mov	[ebp+ms_exc.disabled], ebx

loc_9ED45B:				; CODE XREF: WmipFindSysIdTable(x,x,x)+88j
		cmp	ecx, esi
		ja	short loc_9ED4A6
		cmp	dword ptr [ecx], 5359535Fh
		jnz	short loc_9ED49A
		mov	eax, 4449h
		cmp	[ecx+4], ax
		jnz	short loc_9ED49A
		cmp	byte ptr [ecx+6], 5Fh
		jnz	short loc_9ED49A
		mov	[ebp+var_19], bl
		mov	eax, ebx

loc_9ED47D:				; CODE XREF: WmipFindSysIdTable(x,x,x)+7Aj
		mov	[ebp+var_24], eax
		cmp	eax, 11h
		jnb	short loc_9ED494
		mov	dl, [ebp+var_19]
		add	dl, [eax+ecx]
		mov	[ebp+var_19], dl
		mov	edx, [ebp+var_20]
		inc	eax
		jmp	short loc_9ED47D
; 

loc_9ED494:				; CODE XREF: WmipFindSysIdTable(x,x,x)+6Bj
		cmp	[ebp+var_19], 0
		jz	short loc_9ED4A2

loc_9ED49A:				; CODE XREF: WmipFindSysIdTable(x,x,x)+4Dj
					; WmipFindSysIdTable(x,x,x)+58j ...
		add	ecx, 10h
		mov	[ebp+var_30], ecx
		jmp	short loc_9ED45B
; 

loc_9ED4A2:				; CODE XREF: WmipFindSysIdTable(x,x,x)+80j
		cmp	ecx, esi
		jbe	short loc_9ED4B7

loc_9ED4A6:				; CODE XREF: WmipFindSysIdTable(x,x,x)+45j
		mov	ebx, 0C0000001h
		mov	[ebp+var_2C], ebx

loc_9ED4AE:				; CODE XREF: WmipFindSysIdTable(x,x,x)+B8j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9ED4EB
; 

loc_9ED4B7:				; CODE XREF: WmipFindSysIdTable(x,x,x)+8Cj
		mov	[edi+4], ebx
		mov	eax, [ecx+0Ah]
		mov	[edi], eax
		mov	al, [ecx+10h]
		mov	esi, [ebp+var_28]
		mov	[esi], al
		movzx	ecx, word ptr [ecx+0Eh]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		jmp	short loc_9ED4AE
; 

loc_9ED4D2:				; DATA XREF: .text:006A9C54o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9ED4D6:				; DATA XREF: .text:006A9C58o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, 0C0000001h
		mov	[ebp+var_2C], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+var_20]

loc_9ED4EB:				; CODE XREF: WmipFindSysIdTable(x,x,x)+33j
					; WmipFindSysIdTable(x,x,x)+9Dj
		test	edx, edx
		jz	short loc_9ED4FA
		push	20000h
		push	edx
		call	MmUnmapIoSpace

loc_9ED4FA:				; CODE XREF: WmipFindSysIdTable(x,x,x)+D5j
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_WmipFindSysIdTable@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipGetSMBiosEventlog(x, x)
_WmipGetSMBiosEventlog@8 proc near	; CODE XREF: WmipQueryWmiDataBlock+12FFFDp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_3		= byte ptr -3
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_18], edx
		push	esi
		mov	[ebp+var_8], eax
		lea	edx, [ebp+var_10]
		mov	[ebp+var_10], eax
		mov	ebx, ecx
		mov	[ebp+var_C], eax
		mov	cl, 0Fh
		push	edi
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_WmipFindSMBiosStructure@16 ; WmipFindSMBiosStructure(x,x,x,x)
		test	eax, eax
		js	loc_9ED6D7
		mov	edx, [ebp+var_10]
		movzx	eax, word ptr [edx+4]
		mov	[ebp+var_14], eax
		mov	al, [edx+0Ah]
		mov	[ebp+var_3], al
		mov	eax, [edx+10h]
		mov	[ebp+var_1C], eax
		mov	al, [edx+1]
		mov	[ebp+var_1], al
		cmp	al, 17h
		jb	short loc_9ED5B1
		movzx	eax, byte ptr [edx+15h]
		movzx	ecx, byte ptr [edx+16h]
		imul	ecx, eax
		movzx	eax, [ebp+var_1]
		mov	[ebp+var_2], 1
		movzx	esi, cx
		lea	ecx, [esi+17h]
		cmp	eax, ecx
		jz	short loc_9ED5B7
		cmp	[ebp+var_8], 0
		jz	short loc_9ED591
		push	[ebp+var_C]
		push	[ebp+var_8]
		call	MmUnmapIoSpace

loc_9ED591:				; CODE XREF: WmipGetSMBiosEventlog(x,x)+76j
		mov	ecx, offset _WmipSMBiosLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, 0C0000001h
		jmp	loc_9ED6D7
; 

loc_9ED5B1:				; CODE XREF: WmipGetSMBiosEventlog(x,x)+53j
		xor	esi, esi
		xor	al, al
		jmp	short loc_9ED5BA
; 

loc_9ED5B7:				; CODE XREF: WmipGetSMBiosEventlog(x,x)+70j
		mov	al, [ebp+var_2]

loc_9ED5BA:				; CODE XREF: WmipGetSMBiosEventlog(x,x)+A7j
		mov	ecx, [ebp+var_14]
		movzx	edi, si
		mov	[ebp+var_10], edi
		movzx	edi, cx
		mov	ecx, [ebp+var_10]
		add	ecx, 17h
		mov	[ebp+var_14], edi
		add	ecx, edi
		mov	edi, [ebp+var_18]
		mov	[ebp+var_24], ecx
		cmp	[edi], ecx
		lea	ecx, [edx+4]
		mov	edi, [ebp+var_14]
		jb	loc_9ED6A3
		mov	[ebx], si
		mov	esi, [ebp+var_10]
		add	esi, 17h
		mov	[ebx+2], al
		add	esi, ebx
		mov	byte ptr [ebx+3], 0
		mov	[ebp+var_20], esi
		lea	esi, [ebx+4]
		cmp	al, 1
		jnz	short loc_9ED615
		movzx	eax, byte ptr [edx+1]
		sub	eax, 4
		push	eax		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_9ED62A
; 

loc_9ED615:				; CODE XREF: WmipGetSMBiosEventlog(x,x)+F1j
		mov	esi, ecx
		lea	edi, [ebx+4]
		xor	eax, eax
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_14]
		mov	[ebx+14h], ax
		mov	[ebx+16h], al

loc_9ED62A:				; CODE XREF: WmipGetSMBiosEventlog(x,x)+105j
		cmp	[ebp+var_8], 0
		jz	short loc_9ED63B
		push	[ebp+var_C]
		push	[ebp+var_8]
		call	MmUnmapIoSpace

loc_9ED63B:				; CODE XREF: WmipGetSMBiosEventlog(x,x)+120j
		mov	ecx, offset _WmipSMBiosLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		movzx	eax, [ebp+var_3]
		sub	eax, 0
		jz	short loc_9ED66C
		sub	eax, 1
		jz	short loc_9ED66C
		sub	eax, 1
		jz	short loc_9ED66C
		sub	eax, 1
		jz	short loc_9ED673
		sub	eax, 1

loc_9ED66C:				; CODE XREF: WmipGetSMBiosEventlog(x,x)+14Aj
					; WmipGetSMBiosEventlog(x,x)+14Fj ...
		mov	eax, 0C0000001h
		jmp	short loc_9ED6CF
; 

loc_9ED673:				; CODE XREF: WmipGetSMBiosEventlog(x,x)+159j
		push	4
		push	edi
		push	0
		push	[ebp+var_1C]
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_9ED66C
		test	esi, esi
		jz	short loc_9ED66C
		push	edi		; size_t
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	edi
		push	esi
		call	MmUnmapIoSpace
		xor	eax, eax
		jmp	short loc_9ED6CF
; 

loc_9ED6A3:				; CODE XREF: WmipGetSMBiosEventlog(x,x)+D1j
		cmp	[ebp+var_8], 0
		jz	short loc_9ED6B4
		push	[ebp+var_C]
		push	[ebp+var_8]
		call	MmUnmapIoSpace

loc_9ED6B4:				; CODE XREF: WmipGetSMBiosEventlog(x,x)+199j
		mov	ecx, offset _WmipSMBiosLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, 0C0000023h

loc_9ED6CF:				; CODE XREF: WmipGetSMBiosEventlog(x,x)+163j
					; WmipGetSMBiosEventlog(x,x)+193j
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_24]
		mov	[edx], ecx

loc_9ED6D7:				; CODE XREF: WmipGetSMBiosEventlog(x,x)+2Fj
					; WmipGetSMBiosEventlog(x,x)+9Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_WmipGetSMBiosEventlog@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipGetSysIds(x, x,	x, x)
_WmipGetSysIds@16 proc near		; CODE XREF: WmipQueryWmiDataBlock+130037p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	38h
		push	offset dword_6A9C20
		call	__SEH_prolog4
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		xor	ebx, ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_2C], ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		cmp	_WmipSysIdRead,	bl
		jnz	loc_9ED8D0
		lea	eax, [ebp+var_2C]
		push	eax
		lea	edx, [ebp-19h]
		lea	ecx, [ebp+var_48]
		call	_WmipFindSysIdTable@12 ; WmipFindSysIdTable(x,x,x)
		test	eax, eax
		js	loc_9ED7E8
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ebx
		push	[ebp+var_44]
		push	[ebp+var_48]
		lea	eax, [ebp+var_24]
		push	eax
		push	ebx
		lea	eax, [ebp+var_20]
		push	eax
		xor	edx, edx
		mov	ecx, [ebp+var_2C]
		call	_WmipParseSysIdTable@28	; WmipParseSysIdTable(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9ED8BD
		mov	eax, [ebp+var_20]
		shl	eax, 4
		mov	[ebp+var_38], eax
		mov	ecx, [ebp+var_24]
		lea	eax, [eax+ecx*8]
		test	eax, eax
		jz	loc_9ED8BD
		push	73696D57h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9ED792
		push	ebx
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, 0C000009Ah
		jmp	loc_9ED913
; 

loc_9ED792:				; CODE XREF: WmipGetSysIds(x,x,x,x)+9Fj
		mov	eax, [ebp+var_38]
		add	eax, edi
		mov	[ebp+var_38], eax
		push	[ebp+var_44]
		push	[ebp+var_48]
		lea	ecx, [ebp+var_24]
		push	ecx
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, edi
		mov	ecx, [ebp+var_2C]
		call	_WmipParseSysIdTable@28	; WmipParseSysIdTable(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9ED7DC
		mov	_WmipSysIdUuid,	edi
		mov	eax, [ebp+var_20]
		mov	_WmipSysIdUuidCount, eax
		mov	eax, [ebp+var_38]
		mov	_WmipSysId1394,	eax
		mov	eax, [ebp+var_24]
		mov	_WmipSysId1394Count, eax
		jmp	loc_9ED8BD
; 

loc_9ED7DC:				; CODE XREF: WmipGetSysIds(x,x,x,x)+DBj
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_9ED8BD
; 

loc_9ED7E8:				; CODE XREF: WmipGetSysIds(x,x,x,x)+48j
		mov	[ebp+var_30], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_38], ebx
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	edx, [ebp+var_34]
		mov	cl, 1
		call	_WmipFindSMBiosStructure@16 ; WmipFindSMBiosStructure(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	esi, esi
		js	loc_9ED8BD
		mov	_WmipSysId1394,	ebx
		mov	_WmipSysId1394Count, ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [ebp+var_34]
		cmp	byte ptr [esi+1], 8
		jbe	short loc_9ED867
		push	73696D57h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_9ED857
		add	esi, 8
		mov	edi, eax
		movsd
		movsd
		movsd
		movsd
		mov	_WmipSysIdUuidCount, 1
		mov	_WmipSysIdUuid,	eax
		mov	[ebp+var_28], ebx
		jmp	short loc_9ED873
; 

loc_9ED857:				; CODE XREF: WmipGetSysIds(x,x,x,x)+15Cj
		push	ebx
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_28], 0C0000001h
		jmp	short loc_9ED873
; 

loc_9ED867:				; CODE XREF: WmipGetSysIds(x,x,x,x)+14Aj
		mov	_WmipSysIdUuid,	ebx
		mov	_WmipSysIdUuidCount, ebx

loc_9ED873:				; CODE XREF: WmipGetSysIds(x,x,x,x)+179j
					; WmipGetSysIds(x,x,x,x)+189j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9ED893
; 

loc_9ED87C:				; DATA XREF: .text:006A9C34o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9ED880:				; DATA XREF: .text:006A9C38o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+var_28], 0C0000001h
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx

loc_9ED893:				; CODE XREF: WmipGetSysIds(x,x,x,x)+19Ej
		cmp	[ebp+var_30], 0
		jz	short loc_9ED8A4
		push	[ebp+var_38]
		push	[ebp+var_30]
		call	MmUnmapIoSpace

loc_9ED8A4:				; CODE XREF: WmipGetSysIds(x,x,x,x)+1BBj
		mov	ecx, offset _WmipSMBiosLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, [ebp+var_28]

loc_9ED8BD:				; CODE XREF: WmipGetSysIds(x,x,x,x)+71j
					; WmipGetSysIds(x,x,x,x)+88j ...
		cmp	esi, 0C000009Ah
		setnz	_WmipSysIdRead
		mov	_WmipSysIdStatus, esi

loc_9ED8D0:				; CODE XREF: WmipGetSysIds(x,x,x,x)+31j
		push	ebx
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	esi, _WmipSysIdStatus
		test	esi, esi
		js	short loc_9ED911
		mov	ecx, _WmipSysIdUuid
		mov	eax, [ebp+var_3C]
		mov	[eax], ecx
		mov	edx, _WmipSysIdUuidCount
		mov	ecx, [ebp+var_40]
		mov	[ecx], edx
		mov	edx, [ebp+arg_0]
		mov	ecx, _WmipSysId1394
		mov	[edx], ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, _WmipSysId1394Count
		mov	[edx], ecx

loc_9ED911:				; CODE XREF: WmipGetSysIds(x,x,x,x)+207j
		mov	eax, esi

loc_9ED913:				; CODE XREF: WmipGetSysIds(x,x,x,x)+B1j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_WmipGetSysIds@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipParseSysIdTable(x, x, x, x, x, x, x)
_WmipParseSysIdTable@28	proc near	; CODE XREF: WmipGetSysIds(x,x,x,x)+68p
					; WmipGetSysIds(x,x,x,x)+D2p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	[ebp+var_8], edx
		push	edi
		mov	[ebp+var_1C], eax
		imul	eax, 19h
		push	4
		push	eax
		push	[ebp+arg_10]
		mov	[ebp+var_28], eax
		push	[ebp+arg_C]
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	loc_9EDACD
		mov	ecx, [ebp+arg_0]
		xor	ebx, ebx
		mov	edi, ebx
		mov	edx, [ebp+var_28]
		mov	esi, eax
		mov	[ebp+arg_10], edi
		mov	[ebp+var_4], ebx
		mov	ecx, [ecx]
		mov	[ebp+var_20], ecx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_10], esi
		mov	[ebp+var_14], edx
		mov	[ebp+var_18], ebx
		mov	ecx, [ecx]
		mov	[ebp+var_24], ecx
		mov	ecx, [ebp+arg_4]
		cmp	[ebp+var_1C], ebx
		jbe	loc_9EDA9A
		mov	[ebp+arg_4], ecx

loc_9ED98E:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+162j
		cmp	edx, 0Ah
		jb	loc_9EDA92
		movzx	edi, word ptr [esi+7]
		push	6		; Length
		push	offset ??_C@_06LHBCBDBA@_UUID_@NNGAKEGL@ ; Source2
		push	esi		; Source1
		mov	[ebp+var_2C], edi
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 6
		jnz	short loc_9ED9BE
		cmp	edi, 19h
		jnz	short loc_9ED9BE
		mov	[ebp+var_C], 1
		jmp	short loc_9ED9E4
; 

loc_9ED9BE:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+89j
					; WmipParseSysIdTable(x,x,x,x,x,x,x)+8Ej
		push	6		; Length
		push	offset ??_C@_06NMLBEHN@_1394_@NNGAKEGL@	; Source2
		push	esi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 6
		jnz	loc_9EDA8F
		cmp	edi, 11h
		jnz	loc_9EDA8F
		mov	[ebp+var_C], 2

loc_9ED9E4:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+97j
		mov	edx, [ebp+var_14]
		cmp	edx, edi
		jb	loc_9EDA8F
		mov	cl, bl
		mov	eax, ebx
		test	edi, edi
		jz	short loc_9EDA07

loc_9ED9F7:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+D8j
		add	cl, [esi+eax]
		inc	eax
		cmp	eax, edi
		jb	short loc_9ED9F7
		test	cl, cl
		jnz	loc_9EDA8F

loc_9EDA07:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+D0j
		mov	eax, [ebp+var_C]
		cmp	eax, 1
		jnz	short loc_9EDA41
		cmp	edx, 19h
		jb	short loc_9EDA8F
		mov	ecx, [ebp+arg_10]
		mov	eax, [ebp+var_8]
		inc	ecx
		mov	[ebp+arg_10], ecx
		test	eax, eax
		jz	short loc_9EDA70
		cmp	[ebp+var_20], ecx
		mov	ecx, [ebp+arg_4]
		jb	short loc_9EDA73
		add	esi, 9
		mov	edi, eax
		add	eax, 10h
		mov	[ebp+var_8], eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_10]
		mov	edi, [ebp+var_2C]
		jmp	short loc_9EDA73
; 

loc_9EDA41:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+E8j
		cmp	eax, 2
		jnz	short loc_9EDA8F
		mov	ecx, [ebp+arg_4]
		cmp	edx, 11h
		jb	short loc_9EDA92
		inc	[ebp+var_4]
		test	ecx, ecx
		jz	short loc_9EDA73
		mov	eax, [ebp+var_24]
		cmp	eax, [ebp+var_4]
		jb	short loc_9EDA73
		mov	eax, [esi+9]
		mov	[ecx], eax
		mov	eax, [esi+0Dh]
		mov	[ecx+4], eax
		add	ecx, 8
		mov	[ebp+arg_4], ecx
		jmp	short loc_9EDA73
; 

loc_9EDA70:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+FBj
		mov	ecx, [ebp+arg_4]

loc_9EDA73:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+103j
					; WmipParseSysIdTable(x,x,x,x,x,x,x)+11Aj ...
		mov	eax, [ebp+var_18]
		add	esi, edi
		sub	edx, edi
		mov	[ebp+var_10], esi
		inc	eax
		mov	[ebp+var_14], edx
		mov	[ebp+var_18], eax
		cmp	eax, [ebp+var_1C]
		jb	loc_9ED98E
		jmp	short loc_9EDA97
; 

loc_9EDA8F:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+A9j
					; WmipParseSysIdTable(x,x,x,x,x,x,x)+B2j ...
		mov	ecx, [ebp+arg_4]

loc_9EDA92:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+6Cj
					; WmipParseSysIdTable(x,x,x,x,x,x,x)+127j
		mov	ebx, 0C0000001h

loc_9EDA97:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+168j
		mov	edi, [ebp+arg_10]

loc_9EDA9A:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+60j
		cmp	[ebp+var_8], 0
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_8]
		mov	[eax], edi
		mov	eax, [ebp+var_4]
		mov	[edx], eax
		jz	short loc_9EDAB2
		cmp	[ebp+var_20], edi
		jb	short loc_9EDABB

loc_9EDAB2:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+186j
		test	ecx, ecx
		jz	short loc_9EDAC0
		cmp	[ebp+var_24], eax
		jnb	short loc_9EDAC0

loc_9EDABB:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+18Bj
		mov	ebx, 0C0000023h

loc_9EDAC0:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+18Fj
					; WmipParseSysIdTable(x,x,x,x,x,x,x)+194j
		push	[ebp+var_28]
		push	[ebp+var_30]
		call	MmUnmapIoSpace
		jmp	short loc_9EDAD2
; 

loc_9EDACD:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+2Cj
		mov	ebx, 0C000009Ah

loc_9EDAD2:				; CODE XREF: WmipParseSysIdTable(x,x,x,x,x,x,x)+1A6j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	14h
_WmipParseSysIdTable@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipSMBiosFindStringAndZero(x, x, x)
_WmipSMBiosFindStringAndZero@12	proc near ; CODE XREF: WmipSMBiosHideMachine(x,x)+70p
					; WmipSMBiosHideMachine(x,x)+8Bp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, edx
		add	edi, ecx
		test	esi, esi
		jz	short loc_9EDB33
		movzx	eax, byte ptr [ecx+1]
		add	eax, ecx
		xor	ecx, ecx
		mov	ebx, ecx
		sub	esi, 1
		jz	short loc_9EDB2F

loc_9EDAFD:				; CODE XREF: WmipSMBiosFindStringAndZero(x,x,x)+40j
		push	ecx		; int
		push	eax		; char *
		call	_strchr
		pop	ecx
		pop	ecx
		mov	ecx, eax
		lea	eax, [ecx+1]
		cmp	eax, edi
		jnb	short loc_9EDB1F
		xor	edx, edx
		cmp	[ecx], dx
		jz	short loc_9EDB1F
		inc	ebx
		push	edx
		pop	ecx
		cmp	ebx, esi
		jb	short loc_9EDAFD
		jmp	short loc_9EDB2F
; 

loc_9EDB1F:				; CODE XREF: WmipSMBiosFindStringAndZero(x,x,x)+32j
					; WmipSMBiosFindStringAndZero(x,x,x)+39j
		mov	eax, 0C0000034h
		jmp	short loc_9EDB35
; 

loc_9EDB26:				; CODE XREF: WmipSMBiosFindStringAndZero(x,x,x)+56j
		cmp	byte ptr [eax],	0
		jz	short loc_9EDB33
		mov	byte ptr [eax],	5Fh
		inc	eax

loc_9EDB2F:				; CODE XREF: WmipSMBiosFindStringAndZero(x,x,x)+20j
					; WmipSMBiosFindStringAndZero(x,x,x)+42j
		cmp	eax, edi
		jb	short loc_9EDB26

loc_9EDB33:				; CODE XREF: WmipSMBiosFindStringAndZero(x,x,x)+11j
					; WmipSMBiosFindStringAndZero(x,x,x)+4Ej
		xor	eax, eax

loc_9EDB35:				; CODE XREF: WmipSMBiosFindStringAndZero(x,x,x)+49j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_WmipSMBiosFindStringAndZero@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipSMBiosFindStructure(x, x, x, x,	x, x)
_WmipSMBiosFindStructure@24 proc near	; CODE XREF: WmipSMBiosHideMachine(x,x)+47p
					; WmipSMBiosHideMachine(x,x)+AAp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	bl, cl
		push	edi
		mov	edi, [ebp+arg_C]
		add	edi, esi
		xor	eax, eax
		mov	ecx, eax
		jmp	short loc_9EDB76
; 

loc_9EDB54:				; CODE XREF: WmipSMBiosFindStructure(x,x,x,x,x,x)+3Cj
		cmp	[esi], bl
		jnz	short loc_9EDB5D
		inc	ecx
		cmp	ecx, edx
		ja	short loc_9EDB86

loc_9EDB5D:				; CODE XREF: WmipSMBiosFindStructure(x,x,x,x,x,x)+1Aj
		movzx	eax, byte ptr [esi+1]
		add	esi, eax
		cmp	esi, edi
		jnb	short loc_9EDB73
		xor	eax, eax

loc_9EDB69:				; CODE XREF: WmipSMBiosFindStructure(x,x,x,x,x,x)+35j
		cmp	[esi], ax
		jz	short loc_9EDB73
		inc	esi
		cmp	esi, edi
		jb	short loc_9EDB69

loc_9EDB73:				; CODE XREF: WmipSMBiosFindStructure(x,x,x,x,x,x)+29j
					; WmipSMBiosFindStructure(x,x,x,x,x,x)+30j
		add	esi, 2

loc_9EDB76:				; CODE XREF: WmipSMBiosFindStructure(x,x,x,x,x,x)+16j
		cmp	esi, edi
		jb	short loc_9EDB54
		mov	eax, 0C0000034h

loc_9EDB7F:				; CODE XREF: WmipSMBiosFindStructure(x,x,x,x,x,x)+71j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_9EDB86:				; CODE XREF: WmipSMBiosFindStructure(x,x,x,x,x,x)+1Fj
		mov	eax, [ebp+arg_0]
		movzx	ecx, byte ptr [esi+1]
		add	ecx, esi
		mov	[eax], esi
		cmp	ecx, edi
		jnb	short loc_9EDBA1
		xor	eax, eax

loc_9EDB97:				; CODE XREF: WmipSMBiosFindStructure(x,x,x,x,x,x)+63j
		cmp	[ecx], ax
		jz	short loc_9EDBA1
		inc	ecx
		cmp	ecx, edi
		jb	short loc_9EDB97

loc_9EDBA1:				; CODE XREF: WmipSMBiosFindStructure(x,x,x,x,x,x)+57j
					; WmipSMBiosFindStructure(x,x,x,x,x,x)+5Ej
		mov	eax, [ebp+arg_4]
		sub	ecx, esi
		add	ecx, 2
		mov	[eax], ecx
		xor	eax, eax
		jmp	short loc_9EDB7F
_WmipSMBiosFindStructure@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipSMBiosHideMachine(x, x)
_WmipSMBiosHideMachine@8 proc near	; CODE XREF: WmipGetSMBiosTableData+1300FEp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_24], esi
		mov	eax, edx
		mov	[ebp+var_C], eax
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_8], esi
		test	ecx, ecx
		jz	loc_9EDD69
		test	eax, eax
		jz	loc_9EDD69
		push	edi
		mov	edi, esi
		push	ebx

loc_9EDBE8:				; CODE XREF: WmipSMBiosHideMachine(x,x)+80j
					; WmipSMBiosHideMachine(x,x)+96j
		push	eax
		push	ecx
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_14]
		xor	cl, cl
		push	eax
		call	_WmipSMBiosFindStructure@24 ; WmipSMBiosFindStructure(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9EDC47
		cmp	edi, 1
		jnb	loc_9EDD67
		mov	ebx, [ebp+var_14]
		inc	edi
		mov	al, [ebx+1]
		mov	[ebp+var_1], al
		cmp	al, 4
		jbe	short loc_9EDC27
		push	[ebp+var_8]
		movzx	edx, byte ptr [ebx+4]
		mov	ecx, ebx
		call	_WmipSMBiosFindStringAndZero@12	; WmipSMBiosFindStringAndZero(x,x,x)
		mov	al, [ebp+var_1]

loc_9EDC27:				; CODE XREF: WmipSMBiosHideMachine(x,x)+65j
		mov	ecx, [ebp+var_10]
		cmp	al, 5
		mov	eax, [ebp+var_C]
		jbe	short loc_9EDBE8
		push	[ebp+var_8]
		movzx	edx, byte ptr [ebx+5]
		mov	ecx, ebx
		call	_WmipSMBiosFindStringAndZero@12	; WmipSMBiosFindStringAndZero(x,x,x)
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		jmp	short loc_9EDBE8
; 

loc_9EDC47:				; CODE XREF: WmipSMBiosHideMachine(x,x)+4Ej
		mov	edx, esi

loc_9EDC49:				; CODE XREF: WmipSMBiosHideMachine(x,x)+105j
					; WmipSMBiosHideMachine(x,x)+118j
		push	[ebp+var_C]
		lea	eax, [ebp+var_8]
		mov	cl, 1
		push	[ebp+var_10]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_WmipSMBiosFindStructure@24 ; WmipSMBiosFindStructure(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9EDCC9
		cmp	edx, 1
		jnb	loc_9EDD67
		mov	edi, [ebp+var_18]
		inc	edx
		mov	[ebp+var_14], edx
		mov	bl, [edi+1]
		cmp	bl, 4
		jbe	short loc_9EDC88
		push	[ebp+var_8]
		movzx	edx, byte ptr [edi+4]
		mov	ecx, edi
		call	_WmipSMBiosFindStringAndZero@12	; WmipSMBiosFindStringAndZero(x,x,x)

loc_9EDC88:				; CODE XREF: WmipSMBiosHideMachine(x,x)+C9j
		cmp	bl, 5
		jbe	short loc_9EDC9B
		push	[ebp+var_8]
		movzx	edx, byte ptr [edi+5]
		mov	ecx, edi
		call	_WmipSMBiosFindStringAndZero@12	; WmipSMBiosFindStringAndZero(x,x,x)

loc_9EDC9B:				; CODE XREF: WmipSMBiosHideMachine(x,x)+DCj
		cmp	bl, 1Ah
		jbe	short loc_9EDCAE
		push	[ebp+var_8]
		movzx	edx, byte ptr [edi+1Ah]
		mov	ecx, edi
		call	_WmipSMBiosFindStringAndZero@12	; WmipSMBiosFindStringAndZero(x,x,x)

loc_9EDCAE:				; CODE XREF: WmipSMBiosHideMachine(x,x)+EFj
		mov	edx, [ebp+var_14]
		cmp	bl, 19h
		jbe	short loc_9EDC49
		push	[ebp+var_8]
		movzx	edx, byte ptr [edi+19h]
		mov	ecx, edi
		call	_WmipSMBiosFindStringAndZero@12	; WmipSMBiosFindStringAndZero(x,x,x)
		mov	edx, [ebp+var_14]
		jmp	short loc_9EDC49
; 

loc_9EDCC9:				; CODE XREF: WmipSMBiosHideMachine(x,x)+B1j
		mov	ebx, esi
		mov	esi, [ebp+var_C]

loc_9EDCCE:				; CODE XREF: WmipSMBiosHideMachine(x,x)+159j
					; WmipSMBiosHideMachine(x,x)+169j
		push	esi
		push	[ebp+var_10]
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_1C]
		mov	cl, 2
		push	eax
		call	_WmipSMBiosFindStructure@24 ; WmipSMBiosFindStructure(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9EDD1A
		mov	edi, [ebp+var_1C]
		inc	ebx
		mov	al, [edi+1]
		mov	[ebp+var_1], al
		cmp	al, 4
		jbe	short loc_9EDD06
		push	[ebp+var_8]
		movzx	edx, byte ptr [edi+4]
		mov	ecx, edi
		call	_WmipSMBiosFindStringAndZero@12	; WmipSMBiosFindStringAndZero(x,x,x)
		mov	al, [ebp+var_1]

loc_9EDD06:				; CODE XREF: WmipSMBiosHideMachine(x,x)+144j
		cmp	al, 5
		jbe	short loc_9EDCCE
		push	[ebp+var_8]
		movzx	edx, byte ptr [edi+5]
		mov	ecx, edi
		call	_WmipSMBiosFindStringAndZero@12	; WmipSMBiosFindStringAndZero(x,x,x)
		jmp	short loc_9EDCCE
; 

loc_9EDD1A:				; CODE XREF: WmipSMBiosHideMachine(x,x)+136j
		mov	esi, [ebp+var_24]

loc_9EDD1D:				; CODE XREF: WmipSMBiosHideMachine(x,x)+1A6j
					; WmipSMBiosHideMachine(x,x)+1B6j
		push	[ebp+var_C]
		lea	eax, [ebp+var_8]
		mov	edx, esi
		push	[ebp+var_10]
		mov	cl, 4
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_WmipSMBiosFindStructure@24 ; WmipSMBiosFindStructure(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9EDD67
		mov	edi, [ebp+var_20]
		inc	esi
		mov	bl, [edi+1]
		cmp	bl, 7
		jbe	short loc_9EDD52
		push	[ebp+var_8]
		movzx	edx, byte ptr [edi+7]
		mov	ecx, edi
		call	_WmipSMBiosFindStringAndZero@12	; WmipSMBiosFindStringAndZero(x,x,x)

loc_9EDD52:				; CODE XREF: WmipSMBiosHideMachine(x,x)+193j
		cmp	bl, 10h
		jbe	short loc_9EDD1D
		push	[ebp+var_8]
		movzx	edx, byte ptr [edi+10h]
		mov	ecx, edi
		call	_WmipSMBiosFindStringAndZero@12	; WmipSMBiosFindStringAndZero(x,x,x)
		jmp	short loc_9EDD1D
; 

loc_9EDD67:				; CODE XREF: WmipSMBiosHideMachine(x,x)+53j
					; WmipSMBiosHideMachine(x,x)+B6j ...
		pop	ebx
		pop	edi

loc_9EDD69:				; CODE XREF: WmipSMBiosHideMachine(x,x)+27j
					; WmipSMBiosHideMachine(x,x)+2Fj
		pop	esi
		leave
		retn
_WmipSMBiosHideMachine@8 endp


;  S U B	R O U T	I N E 


; __stdcall WmipDeregisterDevice(x)
_WmipDeregisterDevice@4	proc near	; CODE XREF: IoWMIRegistrationControl+9D956p
					; IoWMIRegistrationControl+9D977p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		mov	ecx, esi
		call	WmipFindRegEntryByDevice
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_9EDDB1
		mov	esi, _WmipRegWorkList
		jmp	short loc_9EDDA9
; 

loc_9EDD98:				; CODE XREF: WmipDeregisterDevice(x)+43j
		cmp	[esi+0Ch], ebx
		jnz	short loc_9EDDA7
		mov	ecx, ebx
		mov	[esi+0Ch], edi
		call	WmipUnreferenceRegEntry

loc_9EDDA7:				; CODE XREF: WmipDeregisterDevice(x)+2Fj
		mov	esi, [esi]

loc_9EDDA9:				; CODE XREF: WmipDeregisterDevice(x)+2Aj
		cmp	esi, offset _WmipRegWorkList
		jnz	short loc_9EDD98

loc_9EDDB1:				; CODE XREF: WmipDeregisterDevice(x)+22j
		push	edi
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		test	ebx, ebx
		jnz	short loc_9EDDC7
		mov	edi, 0C000000Dh
		jmp	short loc_9EDDD5
; 

loc_9EDDC7:				; CODE XREF: WmipDeregisterDevice(x)+52j
		mov	ecx, ebx
		call	WmipUnreferenceRegEntry
		mov	ecx, ebx
		call	_WmipDeregisterRegEntry@4 ; WmipDeregisterRegEntry(x)

loc_9EDDD5:				; CODE XREF: WmipDeregisterDevice(x)+59j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_WmipDeregisterDevice@4	endp


;  S U B	R O U T	I N E 


; __stdcall WmipRemoveDS(x)
_WmipRemoveDS@4	proc near		; CODE XREF: .text:0067B07Ap
		mov	edi, edi
		push	esi
		mov	esi, [ecx+10h]
		test	esi, esi
		jz	short loc_9EDE00
		push	2
		pop	edx
		mov	ecx, esi
		call	WmipGenerateRegistrationNotification
		or	dword ptr [esi+8], 1
		mov	edx, esi
		mov	ecx, offset _WmipDSChunkInfo
		pop	esi
		jmp	WmipUnreferenceEntry
; 

loc_9EDE00:				; CODE XREF: WmipRemoveDS(x)+8j
		pop	esi
		retn
_WmipRemoveDS@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipDereferenceEvent(x)
_WmipDereferenceEvent@4	proc near	; CODE XREF: WmipProcessEvent:loc_90B49Dp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	edi
		mov	[esp+40h+var_10], esi
		xor	ebx, ebx
		mov	[esp+40h+var_28], eax
		mov	ecx, [esi+4]
		call	_WmipFindDSByProviderId@4 ; WmipFindDSByProviderId(x)
		mov	[esp+40h+var_14], eax
		test	eax, eax
		jz	loc_9EDFDC
		mov	eax, [esi+2Ch]
		and	eax, 80h
		mov	[esp+40h+var_30], 40h
		mov	[esp+40h+var_C], eax
		jnz	short loc_9EDE84
		movzx	edi, word ptr [esi+44h]
		lea	edx, [esp+40h+var_30]
		push	2
		add	edi, 2
		pop	ecx
		mov	[esp+40h+var_2C], edi
		call	_WmipAlign@8	; WmipAlign(x,x)
		test	al, al
		jz	loc_9EDFCE
		mov	ecx, [esp+40h+var_30]
		mov	eax, ecx
		not	eax
		mov	[esp+40h+var_20], ecx
		cmp	edi, eax
		ja	loc_9EDFCE
		lea	eax, [ecx+edi]
		mov	[esp+40h+var_30], eax
		jmp	short loc_9EDE8C
; 

loc_9EDE84:				; CODE XREF: WmipDereferenceEvent(x)+44j
		and	[esp+40h+var_2C], ebx
		and	[esp+40h+var_20], ebx

loc_9EDE8C:				; CODE XREF: WmipDereferenceEvent(x)+80j
		push	8
		lea	edx, [esp+44h+var_30]
		pop	ecx
		call	_WmipAlign@8	; WmipAlign(x,x)
		test	al, al
		jz	loc_9EDFCE
		mov	edx, [esp+40h+var_30]
		mov	eax, edx
		mov	ecx, [esi+40h]
		not	eax
		cmp	ecx, eax
		ja	loc_9EDFCE
		and	[esp+40h+var_18], ebx
		lea	edi, [edx+ecx]
		mov	[esp+40h+var_1C], edi
		mov	[esp+40h+var_24], edi

loc_9EDEC2:				; CODE XREF: WmipDereferenceEvent(x)+1B4j
		push	70696D57h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9EDFCE
		push	[esp+40h+var_24] ; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	[ebx], edi
		add	esp, 0Ch
		mov	eax, [esi+4]
		lea	edi, [ebx+18h]
		add	esi, 30h
		mov	ecx, [esp+40h+var_C]
		mov	[ebx+4], eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, [esp+40h+var_10]
		mov	eax, [esi+8]
		mov	[ebx+8], eax
		mov	eax, ecx
		or	eax, 2
		mov	[ebx+2Ch], eax
		mov	eax, [esp+40h+var_30]
		mov	[ebx+38h], eax
		test	ecx, ecx
		jz	short loc_9EDF26
		mov	eax, [esi+44h]
		mov	[ebx+34h], eax
		jmp	short loc_9EDF4F
; 

loc_9EDF26:				; CODE XREF: WmipDereferenceEvent(x)+11Aj
		mov	ecx, [esp+40h+var_20]
		lea	eax, [esi+46h]
		mov	edi, [esp+40h+var_2C]
		sub	edi, 2
		mov	[ebx+30h], ecx
		push	edi		; size_t
		push	eax		; void *
		lea	eax, [ecx+2]
		mov	[esp+48h+var_2C], edi
		add	eax, ebx
		mov	[ecx+ebx], di
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_9EDF4F:				; CODE XREF: WmipDereferenceEvent(x)+122j
		lea	eax, [esp+40h+var_8]
		mov	cl, 1
		push	eax
		push	ebx
		push	[esp+48h+var_1C]
		lea	eax, [ebx+18h]
		push	eax
		mov	eax, [esp+50h+var_14]
		mov	edx, [eax+1Ch]
		call	_WmipSendWmiIrp@24 ; WmipSendWmiIrp(x,x,x,x,x,x)
		mov	[esp+40h+var_1C], eax
		test	eax, eax
		js	short loc_9EDF84
		mov	ecx, [ebx+2Ch]
		test	cl, 20h
		jz	short loc_9EDFBE
		mov	edi, [ebx+30h]
		mov	[esp+40h+var_28], edi
		jmp	short loc_9EDF88
; 

loc_9EDF84:				; CODE XREF: WmipDereferenceEvent(x)+16Fj
		mov	edi, [esp+40h+var_28]

loc_9EDF88:				; CODE XREF: WmipDereferenceEvent(x)+180j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx
		cmp	[esp+40h+var_1C], ebx
		jl	short loc_9EDFCE
		cmp	edi, [esp+40h+var_24]
		jbe	short loc_9EDFCE
		mov	ecx, [esp+40h+var_18]
		mov	eax, [esp+40h+var_28]
		inc	ecx
		mov	[esp+40h+var_1C], edi
		mov	[esp+40h+var_18], ecx
		mov	[esp+40h+var_24], eax
		cmp	ecx, 2
		jb	loc_9EDEC2
		jmp	short loc_9EDFCE
; 

loc_9EDFBE:				; CODE XREF: WmipDereferenceEvent(x)+177j
		mov	eax, [esi+2Ch]
		and	eax, 0FF000008h
		or	eax, ecx
		or	eax, 8
		mov	[ebx+2Ch], eax

loc_9EDFCE:				; CODE XREF: WmipDereferenceEvent(x)+5Fj
					; WmipDereferenceEvent(x)+73j ...
		mov	edx, [esp+40h+var_14]
		mov	ecx, offset _WmipDSChunkInfo
		call	WmipUnreferenceEntry

loc_9EDFDC:				; CODE XREF: WmipDereferenceEvent(x)+2Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_WmipDereferenceEvent@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipEnumerateGuids(x, x, x,	x)
_WmipEnumerateGuids@16 proc near	; CODE XREF: WmipIoControl+1334EEp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], 24h
		add	eax, 0FFFFFFF8h
		mov	[ebp+var_10], ecx
		xor	edx, edx
		mov	[ebp+var_18], edi
		div	[ebp+var_4]
		xor	ecx, ecx
		add	edi, 8
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	offset _WmipSMMutex
		mov	esi, ecx
		mov	[ebp+arg_0], eax
		mov	ebx, ecx
		mov	[ebp+var_C], edi
		call	KeWaitForSingleObject
		mov	eax, _WmipGEHeadPtr
		mov	[ebp+var_14], eax
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_9EE05E
		mov	edx, edi
		mov	edi, [ebp+arg_0]

loc_9EE03A:				; CODE XREF: WmipEnumerateGuids(x,x,x,x)+74j
		inc	esi
		mov	[ebp+var_8], esi
		cmp	ebx, edi
		jnb	short loc_9EE055
		mov	edi, edx
		lea	esi, [ecx+28h]
		inc	ebx
		add	edx, [ebp+var_4]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_8]
		mov	edi, [ebp+arg_0]

loc_9EE055:				; CODE XREF: WmipEnumerateGuids(x,x,x,x)+5Bj
		mov	ecx, [ecx]
		cmp	ecx, eax
		jnz	short loc_9EE03A
		mov	edi, [ebp+var_C]

loc_9EE05E:				; CODE XREF: WmipEnumerateGuids(x,x,x,x)+4Ej
		cmp	[ebp+var_10], 224160h
		jnz	short loc_9EE090
		mov	edx, [eax]
		xor	esi, esi
		xor	ebx, ebx
		cmp	edx, eax
		jz	short loc_9EE090
		mov	ecx, [ebp+arg_0]

loc_9EE074:				; CODE XREF: WmipEnumerateGuids(x,x,x,x)+A9j
		inc	esi
		cmp	ebx, ecx
		jnb	short loc_9EE08A
		mov	ecx, edi
		call	_WmipGetGuidPropertiesFromGuidEntry@8 ;	WmipGetGuidPropertiesFromGuidEntry(x,x)
		mov	eax, [ebp+var_14]
		inc	ebx
		add	edi, [ebp+var_4]
		mov	ecx, [ebp+arg_0]

loc_9EE08A:				; CODE XREF: WmipEnumerateGuids(x,x,x,x)+92j
		mov	edx, [edx]
		cmp	edx, eax
		jnz	short loc_9EE074

loc_9EE090:				; CODE XREF: WmipEnumerateGuids(x,x,x,x)+80j
					; WmipEnumerateGuids(x,x,x,x)+8Aj
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, [ebp+var_18]
		imul	ecx, ebx, 24h
		pop	edi
		mov	[eax], esi
		mov	[eax+4], ebx
		mov	eax, [ebp+arg_4]
		add	ecx, 8
		pop	esi
		pop	ebx
		mov	[eax], ecx
		xor	eax, eax
		leave
		retn	8
_WmipEnumerateGuids@16 endp


;  S U B	R O U T	I N E 


; __stdcall WmipGetGuidPropertiesFromGuidEntry(x, x)
_WmipGetGuidPropertiesFromGuidEntry@8 proc near	; CODE XREF: WmipEnumerateGuids(x,x,x,x)+96p
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		mov	dword ptr [ecx+10h], 2
		push	edi
		lea	edi, [edx+20h]
		mov	[ecx+20h], bl
		mov	[ecx+14h], ebx
		mov	[ecx+18h], ebx
		mov	[ecx+1Ch], ebx
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_9EE119
		push	esi

loc_9EE0DB:				; CODE XREF: WmipGetGuidPropertiesFromGuidEntry(x,x)+59j
		mov	esi, [eax+8]
		test	esi, 8000h
		jz	short loc_9EE0F0
		mov	dword ptr [ecx+10h], 3
		mov	esi, [eax+8]

loc_9EE0F0:				; CODE XREF: WmipGetGuidPropertiesFromGuidEntry(x,x)+2Cj
		test	esi, 6000h
		jz	short loc_9EE0FF
		mov	byte ptr [ecx+20h], 1
		mov	esi, [eax+8]

loc_9EE0FF:				; CODE XREF: WmipGetGuidPropertiesFromGuidEntry(x,x)+3Ej
		and	esi, 81000h
		cmp	esi, 81000h
		jz	short loc_9EE115
		mov	eax, [eax]
		cmp	eax, edi
		jnz	short loc_9EE0DB
		jmp	short loc_9EE118
; 

loc_9EE115:				; CODE XREF: WmipGetGuidPropertiesFromGuidEntry(x,x)+53j
		mov	[ecx+10h], ebx

loc_9EE118:				; CODE XREF: WmipGetGuidPropertiesFromGuidEntry(x,x)+5Bj
		pop	esi

loc_9EE119:				; CODE XREF: WmipGetGuidPropertiesFromGuidEntry(x,x)+20j
		cmp	dword ptr [edx+50h], 0FFFFFFFFh
		pop	edi
		pop	ebx
		jnz	short locret_9EE141
		mov	eax, [edx+58h]
		or	eax, [edx+5Ch]
		jz	short locret_9EE141
		mov	byte ptr [ecx+20h], 1
		movzx	eax, word ptr [edx+58h]
		mov	[ecx+14h], eax
		movzx	eax, byte ptr [edx+5Ah]
		mov	[ecx+18h], eax
		mov	eax, [edx+5Ch]
		mov	[ecx+1Ch], eax

locret_9EE141:				; CODE XREF: WmipGetGuidPropertiesFromGuidEntry(x,x)+67j
					; WmipGetGuidPropertiesFromGuidEntry(x,x)+6Fj
		retn
_WmipGetGuidPropertiesFromGuidEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipIncludeStaticNames(x, x)
_WmipIncludeStaticNames@8 proc near	; CODE XREF: WmipProcessEvent+9E73Ap

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_18], edx
		xor	ecx, ecx
		mov	ebx, ecx
		test	byte ptr [edi+2Ch], 7
		jz	loc_9EE3AB
		lea	ecx, [edi+18h]
		xor	dl, dl
		call	_WmipFindGEByGuid@8 ; WmipFindGEByGuid(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9EE3A6
		mov	eax, [edi+4]
		mov	[ebp+var_20], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		lea	eax, [esi+20h]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_9EE1B4
		mov	edx, [ebp+var_20]

loc_9EE1A0:				; CODE XREF: WmipIncludeStaticNames(x,x)+67j
		cmp	[ecx+2Ch], edx
		jz	short loc_9EE1AD
		mov	ecx, [ecx]
		cmp	ecx, eax
		jnz	short loc_9EE1A0
		jmp	short loc_9EE1B4
; 

loc_9EE1AD:				; CODE XREF: WmipIncludeStaticNames(x,x)+61j
		mov	ebx, ecx
		call	WmipReferenceEntry

loc_9EE1B4:				; CODE XREF: WmipIncludeStaticNames(x,x)+59j
					; WmipIncludeStaticNames(x,x)+69j
		xor	eax, eax
		push	eax
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	edx, esi
		mov	ecx, offset _WmipGEChunkInfo
		call	WmipUnreferenceEntry
		test	ebx, ebx
		jz	loc_9EE3A6
		mov	eax, [ebx+8]
		test	al, 3
		jz	loc_9EE3A6
		test	byte ptr [edi+2Ch], 1
		mov	ecx, [ebx+24h]
		jz	short loc_9EE253
		mov	eax, [ebp+var_18]
		lea	edx, [ebp+var_1C]
		push	4
		pop	ecx
		mov	[ebp+var_1C], eax
		call	_WmipAlign@8	; WmipAlign(x,x)
		test	al, al
		jz	loc_9EE3A6
		mov	ecx, ebx
		call	_WmipStaticInstanceNameSize@4 ;	WmipStaticInstanceNameSize(x)
		mov	ecx, [ebp+var_1C]
		mov	edx, eax
		or	eax, 0FFFFFFFFh
		sub	eax, ecx
		cmp	edx, eax
		ja	loc_9EE3A6
		add	ecx, edx
		push	70696D57h
		push	ecx
		push	1
		mov	[ebp+var_20], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9EE3A6
		push	dword ptr [edi]	; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcpy
		mov	edx, [ebp+var_20]
		add	esp, 0Ch
		mov	ecx, esi
		push	ebx
		call	WmipInsertStaticNames
		jmp	loc_9EE3A2
; 

loc_9EE253:				; CODE XREF: WmipIncludeStaticNames(x,x)+A5j
		mov	edx, [edi+34h]
		mov	[ebp+var_2C], edx
		cmp	edx, ecx
		jnb	loc_9EE3A6
		mov	ecx, [ebx+30h]
		test	al, 2
		jz	short loc_9EE28D
		mov	eax, [ecx+edx*4]
		mov	esi, eax
		mov	[ebp+var_20], eax
		xor	edx, edx
		lea	ecx, [esi+2]

loc_9EE275:				; CODE XREF: WmipIncludeStaticNames(x,x)+13Cj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_9EE275
		sub	esi, ecx
		sar	esi, 1
		lea	esi, ds:4[esi*2]
		jmp	short loc_9EE2B0
; 

loc_9EE28D:				; CODE XREF: WmipIncludeStaticNames(x,x)+124j
		lea	eax, [ecx+4]
		xor	edx, edx
		mov	esi, eax
		mov	[ebp+var_20], eax
		lea	ecx, [esi+2]

loc_9EE29A:				; CODE XREF: WmipIncludeStaticNames(x,x)+161j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_9EE29A
		sub	esi, ecx
		sar	esi, 1
		lea	esi, ds:10h[esi*2]

loc_9EE2B0:				; CODE XREF: WmipIncludeStaticNames(x,x)+149j
		mov	eax, [ebp+var_18]
		lea	edx, [ebp+var_1C]
		push	2
		pop	ecx
		mov	[ebp+var_24], esi
		mov	[ebp+var_1C], eax
		call	_WmipAlign@8	; WmipAlign(x,x)
		test	al, al
		jz	loc_9EE3A6
		mov	ecx, [ebp+var_1C]
		mov	eax, ecx
		not	eax
		cmp	esi, eax
		ja	loc_9EE3A6
		lea	eax, [ecx+esi]
		push	70696D57h
		push	eax
		push	1
		mov	[ebp+var_28], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9EE3A6
		push	dword ptr [edi]	; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_28]
		add	esp, 0Ch
		mov	edi, [ebp+var_1C]
		mov	[esi], eax
		mov	eax, [ebp+var_24]
		mov	[esi+30h], edi
		sub	eax, 2
		mov	ecx, [ebx+8]
		mov	[ebp+var_24], eax
		test	cl, 2
		jz	short loc_9EE335
		push	[ebp+var_20]
		lea	ecx, [edi+2]
		mov	[edi+esi], ax
		add	ecx, esi
		mov	edx, eax
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		jmp	short loc_9EE3A2
; 

loc_9EE335:				; CODE XREF: WmipIncludeStaticNames(x,x)+1DCj
		test	ecx, 20000h
		jz	short loc_9EE344
		or	dword ptr [esi+2Ch], 10000h

loc_9EE344:				; CODE XREF: WmipIncludeStaticNames(x,x)+1F9j
		mov	eax, [ebx+30h]
		mov	eax, [eax]
		add	eax, [ebp+var_2C]
		push	eax		; char
		push	offset ??_C@_15KNBIKKIN@?$AA?$CF?$AAd@NNGAKEGL@	; wchar_t *
		lea	eax, [ebp+var_14]
		push	0Eh		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	edx, [ebp+var_24]
		add	esp, 10h
		add	edi, 2
		add	edi, esi
		mov	ecx, edi
		push	[ebp+var_20]
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_14]
		push	eax
		mov	ecx, edi
		call	_RtlStringCbCatW@12 ; RtlStringCbCatW(x,x,x)
		lea	ecx, [edi+2]
		xor	edx, edx

loc_9EE385:				; CODE XREF: WmipIncludeStaticNames(x,x)+24Cj
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, dx
		jnz	short loc_9EE385
		sub	edi, ecx
		mov	ecx, [ebp+var_1C]
		sar	edi, 1
		lea	eax, ds:2[edi*2]
		mov	[ecx+esi], ax

loc_9EE3A2:				; CODE XREF: WmipIncludeStaticNames(x,x)+10Cj
					; WmipIncludeStaticNames(x,x)+1F1j
		mov	edi, esi
		jmp	short loc_9EE3C8
; 

loc_9EE3A6:				; CODE XREF: WmipIncludeStaticNames(x,x)+36j
					; WmipIncludeStaticNames(x,x)+8Dj ...
		mov	edx, [ebp+var_18]
		xor	ecx, ecx

loc_9EE3AB:				; CODE XREF: WmipIncludeStaticNames(x,x)+22j
		mov	eax, [edi+2Ch]
		test	al, 1
		jz	short loc_9EE3BC
		cmp	edx, 3Ch
		jb	short loc_9EE3BC
		mov	[edi+38h], ecx
		jmp	short loc_9EE3C8
; 

loc_9EE3BC:				; CODE XREF: WmipIncludeStaticNames(x,x)+26Ej
					; WmipIncludeStaticNames(x,x)+273j
		test	al, 6
		jz	short loc_9EE3C8
		cmp	edx, 34h
		jb	short loc_9EE3C8
		mov	[edi+30h], ecx

loc_9EE3C8:				; CODE XREF: WmipIncludeStaticNames(x,x)+262j
					; WmipIncludeStaticNames(x,x)+278j ...
		test	ebx, ebx
		jz	short loc_9EE3D8
		mov	edx, ebx
		mov	ecx, offset _WmipISChunkInfo
		call	WmipUnreferenceEntry

loc_9EE3D8:				; CODE XREF: WmipIncludeStaticNames(x,x)+288j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_WmipIncludeStaticNames@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipQueryAllDataMultiple(x,	x, x, x, x, x, x, x)
_WmipQueryAllDataMultiple@32 proc near	; CODE XREF: WmipIoControl+1335ADp
					; IoWMIQueryAllDataMultiple(x,x,x,x)+67p

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_14]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_10]
		xor	ebx, ebx
		mov	[ebp+var_8C], eax
		mov	eax, [ebp+arg_0]
		push	edi
		mov	[ebp+var_88], eax
		mov	eax, [ebp+arg_8]
		push	48h		; size_t
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_50]
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_60], edx
		mov	[ebp+var_68], ecx
		call	_memset
		mov	ecx, [ebp+var_60]
		add	esp, 0Ch
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_78], ebx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], ebx
		test	ecx, ecx
		jnz	loc_9EE4CB
		mov	edi, [esi]
		mov	eax, edi
		push	70696D57h
		shl	eax, 2
		push	eax
		push	1
		mov	[ebp+var_68], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_7C], ebx
		test	ebx, ebx
		jz	short loc_9EE4C1
		xor	ecx, ecx
		test	edi, edi
		jz	short loc_9EE480
		lea	edx, [esi+8]

loc_9EE473:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+95j
		mov	eax, [edx]
		lea	edx, [edx+8]
		mov	[ebx+ecx*4], eax
		inc	ecx
		cmp	ecx, edi
		jb	short loc_9EE473

loc_9EE480:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+85j
		mov	ecx, [ebp+var_60]

loc_9EE483:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+E5j
		mov	edx, [ebp+var_80]
		xor	edi, edi
		and	[ebp+var_58], edi
		mov	esi, edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_51], 0
		cmp	[ebp+var_68], edi
		jbe	loc_9EE568
		sub	ebx, ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_84], ebx
		mov	ebx, [ebp+var_58]

loc_9EE4AB:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+176j
		lea	eax, [ebp+var_50]
		cmp	esi, eax
		jz	short loc_9EE4D0
		mov	eax, [ebp+arg_C]
		cmp	eax, 48h
		jb	short loc_9EE4D0
		mov	esi, edx
		mov	[ebp+var_58], eax
		jmp	short loc_9EE4DC
; 

loc_9EE4C1:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+7Fj
		mov	eax, 0C000009Ah
		jmp	loc_9EE5F7
; 

loc_9EE4CB:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+5Bj
		mov	[ebp+var_7C], ebx
		jmp	short loc_9EE483
; 

loc_9EE4D0:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+C7j
					; WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+CFj
		lea	esi, [ebp+var_50]
		mov	[ebp+var_58], 48h
		xor	ebx, ebx

loc_9EE4DC:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+D6j
		push	48h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_64]
		add	esp, 0Ch
		cmp	[ebp+var_60], 0
		mov	dword ptr [esi+2Ch], 1
		mov	dword ptr [esi], 30h
		jnz	short loc_9EE510
		mov	ecx, [ebp+var_84]
		mov	eax, [ecx+eax]
		mov	[esi+10h], eax
		mov	eax, [ebp+var_74]
		jmp	short loc_9EE515
; 

loc_9EE510:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+114j
		mov	eax, [eax]
		mov	[ebp+var_74], eax

loc_9EE515:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+125j
		mov	edx, [ebp+var_88]
		lea	ecx, [ebp+var_6C]
		push	ecx
		push	[ebp+var_58]
		mov	ecx, eax
		push	esi
		push	[ebp+arg_4]
		call	WmipQueryAllData
		test	eax, eax
		js	short loc_9EE554
		mov	eax, [esi+2Ch]
		test	eax, 100h
		jnz	short loc_9EE554
		inc	[ebp+var_70]
		test	al, 20h
		jz	short loc_9EE581
		mov	eax, [esi+30h]
		lea	esi, [ebp+var_50]

loc_9EE548:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+1A2j
		add	eax, 7
		mov	[ebp+var_51], 1
		and	eax, 0FFFFFFF8h
		add	edi, eax

loc_9EE554:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+146j
					; WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+150j
		mov	edx, [ebp+var_5C]

loc_9EE557:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+1E6j
		add	[ebp+var_64], 4
		sub	[ebp+var_68], 1
		jnz	loc_9EE4AB
		mov	ebx, [ebp+var_7C]

loc_9EE568:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+AEj
		test	ebx, ebx
		jz	short loc_9EE574
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9EE574:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+181j
		cmp	[ebp+var_70], 0
		jnz	short loc_9EE5D1
		mov	eax, 0C0000295h
		jmp	short loc_9EE5F7
; 

loc_9EE581:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+157j
		lea	eax, [ebp+var_50]
		cmp	esi, eax
		jnz	short loc_9EE58D
		mov	eax, [ebp+var_6C]
		jmp	short loc_9EE548
; 

loc_9EE58D:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+19Dj
		test	ebx, ebx
		jz	short loc_9EE597
		mov	eax, [ebp+var_78]
		mov	[ebx+0Ch], eax

loc_9EE597:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+1A6j
		mov	eax, [esi+0Ch]
		mov	ecx, esi
		mov	[ebp+var_58], esi
		test	eax, eax
		jz	short loc_9EE5AF

loc_9EE5A3:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+1C1j
		add	ecx, eax
		mov	eax, [ecx+0Ch]
		test	eax, eax
		jnz	short loc_9EE5A3
		mov	[ebp+var_58], ecx

loc_9EE5AF:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+1B8j
		mov	eax, [ebp+var_6C]
		mov	edx, [ebp+var_5C]
		add	eax, 7
		mov	ebx, [ebp+var_58]
		and	eax, 0FFFFFFF8h
		sub	[ebp+arg_C], eax
		add	edx, eax
		add	edi, eax
		mov	[ebp+var_5C], edx
		mov	eax, edx
		sub	eax, ecx
		mov	[ebp+var_78], eax
		jmp	short loc_9EE557
; 

loc_9EE5D1:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+18Fj
		cmp	[ebp+var_51], 0
		jz	short loc_9EE5EB
		mov	ecx, [ebp+var_80]
		push	38h
		pop	eax
		mov	[ecx], eax
		mov	dword ptr [ecx+2Ch], 20h
		mov	[ecx+30h], edi
		jmp	short loc_9EE5ED
; 

loc_9EE5EB:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+1ECj
		mov	eax, edi

loc_9EE5ED:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+200j
		mov	ecx, [ebp+var_8C]
		mov	[ecx], eax
		xor	eax, eax

loc_9EE5F7:				; CODE XREF: WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+DDj
					; WmipQueryAllDataMultiple(x,x,x,x,x,x,x,x)+196j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_WmipQueryAllDataMultiple@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipQueryGuidInfo(x)
_WmipQueryGuidInfo@4 proc near		; CODE XREF: WmipIoControl+13346Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	edx, [eax]
		lea	ecx, [ebp+var_4]
		push	0
		push	ecx
		push	1
		mov	[ebp+var_8], eax
		mov	eax, ds:_WmipGuidObjectType
		push	eax
		push	1
		push	edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9EE686
		mov	edi, [ebp+var_4]
		mov	ebx, [edi+28h]
		test	ebx, ebx
		jz	short loc_9EE67A
		mov	eax, [ebp+var_8]
		mov	byte ptr [eax+8], 0
		call	_WmipEnterSMCritSection@0 ; WmipEnterSMCritSection()
		add	ebx, 20h
		mov	eax, [ebx]
		jmp	short loc_9EE65F
; 

loc_9EE657:				; CODE XREF: WmipQueryGuidInfo(x)+59j
		test	byte ptr [eax+8], 4
		jnz	short loc_9EE665
		mov	eax, [eax]

loc_9EE65F:				; CODE XREF: WmipQueryGuidInfo(x)+4Dj
		cmp	eax, ebx
		jnz	short loc_9EE657
		jmp	short loc_9EE66C
; 

loc_9EE665:				; CODE XREF: WmipQueryGuidInfo(x)+53j
		mov	eax, [ebp+var_8]
		mov	byte ptr [eax+8], 1

loc_9EE66C:				; CODE XREF: WmipQueryGuidInfo(x)+5Bj
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		jmp	short loc_9EE67F
; 

loc_9EE67A:				; CODE XREF: WmipQueryGuidInfo(x)+3Aj
		mov	esi, 0C0000301h

loc_9EE67F:				; CODE XREF: WmipQueryGuidInfo(x)+70j
		mov	ecx, edi
		call	ObfDereferenceObject

loc_9EE686:				; CODE XREF: WmipQueryGuidInfo(x)+30j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_WmipQueryGuidInfo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipQuerySingleMultiple(x, x, x, x,	x, x, x, x, x)
_WmipQuerySingleMultiple@36 proc near	; CODE XREF: WmipIoControl+133565p
					; IoWMIQuerySingleInstanceMultiple(x,x,x,x,x)+79p

var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= word ptr -270h
var_26D		= byte ptr -26Dh
var_26C		= dword	ptr -26Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		push	2D4h
		push	offset dword_6A9C80
		call	__SEH_prolog4_GS
		mov	[ebp+var_2BC], edx
		mov	[ebp+var_2DC], ecx
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_2C8], eax
		mov	[ebp+var_2E4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_2A8], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_29C], eax
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_2D4], edi
		mov	esi, [ebp+arg_10]
		mov	[ebp+var_2AC], esi
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_2D8], eax
		xor	ebx, ebx
		mov	[ebp+var_288], ebx
		mov	[ebp+var_2C0], ebx
		push	248h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_26C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, ebx
		mov	[ebp+var_274], ecx
		mov	[ebp+var_2A4], ebx
		test	esi, esi
		jnz	short loc_9EE75A
		imul	edi, 18h
		push	70696D57h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_2C4], esi
		test	esi, esi
		jz	short loc_9EE74D
		push	edi		; size_t
		mov	eax, [ebp+var_29C]
		add	eax, 8
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, ebx
		jmp	short loc_9EE762
; 

loc_9EE74D:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+A6j
		mov	ecx, 0C000009Ah
		mov	[ebp+var_274], ecx
		jmp	short loc_9EE762
; 

loc_9EE75A:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+8Aj
		mov	esi, ebx
		mov	[ebp+var_2C4], ebx

loc_9EE762:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+BEj
					; WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+CBj
		test	ecx, ecx
		js	loc_9EEB60
		mov	edi, ebx
		mov	[ebp+var_294], edi
		mov	dl, bl
		mov	[ebp+var_26D], dl
		mov	[ebp+var_284], ebx
		mov	eax, [ebp+var_2A8]
		mov	[ebp+var_28C], eax
		lea	ecx, [ebp+var_26C]
		mov	[ebp+var_278], ecx
		mov	[ebp+var_2B0], 244h
		mov	eax, ebx
		mov	[ebp+var_290], ebx
		mov	[ebp+var_29C], ebx

loc_9EE7B0:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+41Bj
		cmp	eax, [ebp+var_2D4]
		jnb	loc_9EEAF4
		cmp	[ebp+var_2AC], 0
		jnz	short loc_9EE7F6
		imul	eax, 18h
		mov	cx, [eax+esi+8]
		mov	[ebp+var_270], cx
		mov	ecx, [eax+esi+10h]
		mov	[ebp+var_280], ecx
		mov	[ebp+var_2CC], ecx
		mov	eax, [eax+esi]
		mov	[ebp+var_298], eax
		mov	ax, [ebp+var_270]
		jmp	short loc_9EE844
; 

loc_9EE7F6:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+136j
		mov	ecx, [ebp+var_2D8]
		mov	eax, [ecx+eax*8]
		mov	[ebp+var_2D0], eax
		mov	eax, [ebp+var_290]
		mov	eax, [ecx+eax*8+4]
		mov	[ebp+var_280], eax
		mov	[ebp+var_2CC], eax
		mov	eax, [ebp+var_290]
		mov	ecx, [ebp+var_2AC]
		mov	eax, [ecx+eax*4]
		mov	[ebp+var_29C], eax
		mov	[ebp+var_298], ebx
		mov	ax, word ptr [ebp+var_2D0]
		mov	[ebp+var_270], ax

loc_9EE844:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+167j
		mov	ecx, [ebp+var_278]
		movzx	eax, ax
		mov	[ebp+var_2B4], eax
		add	eax, 49h
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_2A0], eax
		test	dl, dl
		jnz	short loc_9EE878
		mov	edx, [ebp+arg_4]
		cmp	edx, eax
		jb	short loc_9EE878
		mov	ecx, [ebp+var_28C]
		mov	[ebp+var_2B8], edx
		jmp	short loc_9EE8E1
; 

loc_9EE878:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+1D4j
					; WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+1DBj
		cmp	eax, [ebp+var_2B0]
		jbe	short loc_9EE8CE
		lea	edx, [ebp+var_26C]
		cmp	ecx, edx
		jz	short loc_9EE897
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_2A0]

loc_9EE897:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+1FBj
		push	70696D57h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_278], ecx
		test	ecx, ecx
		jnz	short loc_9EE8C2
		mov	[ebp+var_274], 0C000009Ah
		jmp	loc_9EEAF4
; 

loc_9EE8C2:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+224j
		mov	eax, [ebp+var_2A0]
		mov	[ebp+var_2B0], eax

loc_9EE8CE:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+1F1j
		mov	[ebp+var_2B8], eax
		mov	[ebp+var_284], ebx
		mov	[ebp+var_26D], 1

loc_9EE8E1:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+1E9j
		mov	[ebp+var_27C], ecx
		push	40h		; size_t
		push	ebx		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, [ebp+var_27C]
		mov	dword ptr [ecx+2Ch], 2
		mov	eax, [ebp+var_2A0]
		mov	[ecx], eax
		mov	edx, [ebp+var_298]
		mov	[ecx+10h], edx
		mov	dword ptr [ecx+30h], 40h
		mov	[ecx+38h], eax
		lea	edx, [ecx+40h]
		mov	ax, [ebp+var_270]
		mov	[edx], ax
		add	edx, 2
		mov	[ebp+var_298], edx
		mov	[ebp+ms_exc.disabled], ebx
		cmp	byte ptr [ebp+var_2BC],	1
		jnz	short loc_9EE970
		test	ax, ax
		jz	short loc_9EE970
		test	byte ptr [ebp+var_2CC],	1
		jz	short loc_9EE950
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9EE950:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+2BCj
		mov	edx, [ebp+var_280]
		mov	eax, [ebp+var_2B4]
		add	eax, edx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_9EE96C
		cmp	eax, edx
		jnb	short loc_9EE976

loc_9EE96C:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+2D9j
		mov	[ecx], bl
		jmp	short loc_9EE976
; 

loc_9EE970:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+2AEj
					; WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+2B3j
		mov	edx, [ebp+var_280]

loc_9EE976:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+2DDj
					; WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+2E1j
		push	[ebp+var_2B4]	; size_t
		push	edx		; void *
		push	[ebp+var_298]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_27C]
		mov	eax, [ecx]
		mov	[ebp+var_288], eax
		lea	eax, [ebp+var_288]
		push	eax
		push	[ebp+var_2B8]
		push	ecx
		push	1
		push	[ebp+var_2BC]
		mov	edx, [ebp+var_2DC]
		mov	ecx, [ebp+var_29C]
		call	WmipQuerySetExecuteSI
		test	eax, eax
		js	loc_9EEA8F
		mov	eax, [ebp+var_27C]
		mov	ecx, [eax+2Ch]
		test	ecx, 100h
		jnz	loc_9EEA8F
		inc	[ebp+var_2A4]
		test	cl, 20h
		jz	short loc_9EEA0D
		mov	eax, [eax+30h]
		add	eax, 7
		and	eax, 0FFFFFFF8h
		add	edi, eax
		mov	[ebp+var_294], edi
		mov	dl, 1
		mov	[ebp+var_26D], dl
		jmp	loc_9EEA95
; 

loc_9EEA0D:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+360j
		mov	dl, [ebp+var_26D]
		test	dl, dl
		jz	short loc_9EEA2D
		mov	eax, [ebp+var_288]
		add	eax, 7
		and	eax, 0FFFFFFF8h
		add	edi, eax
		mov	[ebp+var_294], edi
		jmp	short loc_9EEA95
; 

loc_9EEA2D:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+388j
		mov	ecx, [ebp+var_284]
		test	ecx, ecx
		jz	short loc_9EEA46
		mov	eax, [ebp+var_2C0]
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+var_27C]

loc_9EEA46:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+3A8j
		mov	ecx, eax
		mov	[ebp+var_284], eax
		mov	eax, [eax+0Ch]
		jmp	short loc_9EEA5E
; 

loc_9EEA53:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+3D3j
		add	ecx, eax
		mov	[ebp+var_284], ecx
		mov	eax, [ecx+0Ch]

loc_9EEA5E:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+3C4j
		test	eax, eax
		jnz	short loc_9EEA53
		mov	eax, [ebp+var_288]
		add	eax, 7
		and	eax, 0FFFFFFF8h
		add	edi, eax
		mov	[ebp+var_294], edi
		sub	[ebp+arg_4], eax
		add	[ebp+var_28C], eax
		mov	eax, [ebp+var_28C]
		sub	eax, ecx
		mov	[ebp+var_2C0], eax
		jmp	short loc_9EEA95
; 

loc_9EEA8F:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+33Cj
					; WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+351j
		mov	dl, [ebp+var_26D]

loc_9EEA95:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+37Bj
					; WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+39Ej ...
		mov	eax, [ebp+var_290]
		inc	eax
		mov	[ebp+var_290], eax
		mov	ecx, [ebp+var_278]
		jmp	loc_9EE7B0
; 

loc_9EEAAD:				; DATA XREF: .text:006A9C94o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2E0], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9EEABE:				; DATA XREF: .text:006A9C98o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_2E0]
		mov	[ebp+var_274], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	esi, [ebp+var_2C4]
		mov	edi, [ebp+var_294]
		mov	eax, [ebp+var_2E4]
		mov	[ebp+var_2C8], eax
		mov	ecx, [ebp+var_278]

loc_9EEAF4:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+129j
					; WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+230j
		lea	eax, [ebp+var_26C]
		cmp	ecx, eax
		jz	short loc_9EEB05
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9EEB05:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+46Fj
		cmp	[ebp+var_2A4], 0
		jnz	short loc_9EEB1B
		mov	ecx, 0C0000295h
		mov	[ebp+var_274], ecx
		jmp	short loc_9EEB21
; 

loc_9EEB1B:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+47Fj
		mov	ecx, [ebp+var_274]

loc_9EEB21:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+48Cj
		test	ecx, ecx
		js	short loc_9EEB45
		cmp	[ebp+var_26D], 0
		jz	short loc_9EEB45
		push	38h
		pop	eax
		mov	edx, [ebp+var_2A8]
		mov	[edx], eax
		mov	dword ptr [edx+2Ch], 20h
		mov	[edx+30h], edi
		jmp	short loc_9EEB47
; 

loc_9EEB45:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+496j
					; WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+49Fj
		mov	eax, edi

loc_9EEB47:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+4B6j
		mov	edx, [ebp+var_2C8]
		mov	[edx], eax
		test	esi, esi
		jz	short loc_9EEB60
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_274]

loc_9EEB60:				; CODE XREF: WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+D7j
					; WmipQuerySingleMultiple(x,x,x,x,x,x,x,x,x)+4C4j
		mov	eax, ecx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_WmipQuerySingleMultiple@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipDSCleanup(x)
_WmipDSCleanup@4 proc near		; DATA XREF: .data:006B2B48o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		test	byte ptr [edi+8], 1
		jnz	short loc_9EEB96
		xor	esi, esi
		push	esi
		push	esi
		push	edi
		push	1
		push	14Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_9EEB96:				; CODE XREF: WmipDSCleanup(x)+Fj
		push	ebx
		call	_WmipEnterSMCritSection@0 ; WmipEnterSMCritSection()
		lea	ecx, [edi+14h]
		xor	esi, esi
		mov	eax, [ecx]
		mov	[ebp+arg_0], eax
		jmp	loc_9EEC2E
; 

loc_9EEBAB:				; CODE XREF: WmipDSCleanup(x)+BCj
		lea	ebx, [eax-14h]
		cmp	[ebx], esi
		jz	short loc_9EEBBC
		mov	ecx, ebx
		call	_WmipUnlinkInstanceSetFromGuidEntry@4 ;	WmipUnlinkInstanceSetFromGuidEntry(x)
		mov	[ebx+20h], esi

loc_9EEBBC:				; CODE XREF: WmipDSCleanup(x)+3Cj
		mov	eax, [ebx+1Ch]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_9EEC11
		test	byte ptr [ebx+8], 8
		jnz	short loc_9EEC11
		push	10h		; size_t
		add	eax, 28h
		push	offset _WmipBinaryMofGuid ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9EEC04
		push	esi
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	edx, offset _GUID_MOF_RESOURCE_REMOVED_NOTIFICATION
		mov	ecx, ebx
		call	_WmipGenerateBinaryMofNotification@8 ; WmipGenerateBinaryMofNotification(x,x)
		call	_WmipEnterSMCritSection@0 ; WmipEnterSMCritSection()
		mov	edx, [ebx+1Ch]
		jmp	short loc_9EEC07
; 

loc_9EEC04:				; CODE XREF: WmipDSCleanup(x)+6Dj
		mov	edx, [ebp+var_4]

loc_9EEC07:				; CODE XREF: WmipDSCleanup(x)+8Ej
		mov	ecx, offset _WmipGEChunkInfo
		call	WmipUnreferenceEntry

loc_9EEC11:				; CODE XREF: WmipDSCleanup(x)+50j
					; WmipDSCleanup(x)+56j
		mov	eax, [ebp+arg_0]
		mov	edx, ebx
		mov	[ebx+1Ch], esi
		mov	ecx, offset _WmipISChunkInfo
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		call	WmipUnreferenceEntry
		mov	eax, [ebp+arg_0]
		lea	ecx, [edi+14h]

loc_9EEC2E:				; CODE XREF: WmipDSCleanup(x)+32j
		cmp	eax, ecx
		jnz	loc_9EEBAB
		push	esi
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	ebx, esi
		cmp	[edi+24h], esi
		jbe	short loc_9EEC62

loc_9EEC48:				; CODE XREF: WmipDSCleanup(x)+ECj
		mov	eax, [edi+28h]
		mov	edx, [eax+ebx*4]
		test	edx, edx
		jz	short loc_9EEC5C
		mov	ecx, offset _WmipMRChunkInfo
		call	WmipUnreferenceEntry

loc_9EEC5C:				; CODE XREF: WmipDSCleanup(x)+DCj
		inc	ebx
		cmp	ebx, [edi+24h]
		jb	short loc_9EEC48

loc_9EEC62:				; CODE XREF: WmipDSCleanup(x)+D2j
		mov	ecx, [edi+28h]
		lea	eax, [edi+2Ch]
		pop	ebx
		cmp	ecx, eax
		jz	short loc_9EEC77
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[edi+28h], esi

loc_9EEC77:				; CODE XREF: WmipDSCleanup(x)+F7j
		pop	edi
		pop	esi
		leave
		retn	4
_WmipDSCleanup@4 endp


;  S U B	R O U T	I N E 


; __stdcall WmipFindDSByProviderId(x)
_WmipFindDSByProviderId@4 proc near	; CODE XREF: WmipDereferenceEvent(x)+1Fp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, ecx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		mov	eax, _WmipDSHeadPtr
		mov	esi, [eax]
		jmp	short loc_9EECA4
; 

loc_9EEC9D:				; CODE XREF: WmipFindDSByProviderId(x)+29j
		cmp	[esi+1Ch], edi
		jz	short loc_9EECBB
		mov	esi, [esi]

loc_9EECA4:				; CODE XREF: WmipFindDSByProviderId(x)+1Ej
		cmp	esi, eax
		jnz	short loc_9EEC9D
		mov	esi, ebx

loc_9EECAA:				; CODE XREF: WmipFindDSByProviderId(x)+45j
		push	ebx
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_9EECBB:				; CODE XREF: WmipFindDSByProviderId(x)+23j
		mov	ecx, esi
		call	WmipReferenceEntry
		jmp	short loc_9EECAA
_WmipFindDSByProviderId@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipGECleanup(x)
_WmipGECleanup@4 proc near		; DATA XREF: .data:006B29F4o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [esi+48h]
		mov	eax, ecx
		mov	edx, [esi+4Ch]
		or	eax, edx
		jz	short loc_9EECE0
		push	edx
		push	ecx
		call	EtwUnregister

loc_9EECE0:				; CODE XREF: WmipGECleanup(x)+13j
		push	70696D57h
		push	dword ptr [esi+40h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebp
		retn	4
_WmipGECleanup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipMRCleanup(x)
_WmipMRCleanup@4 proc near		; DATA XREF: .data:006B2A08o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	ecx, [esi+14h]
		mov	eax, ecx
		test	ecx, ecx
		jz	short loc_9EED21
		mov	edx, [esi+18h]
		test	edx, edx
		jz	short loc_9EED21
		test	byte ptr [esi+8], 1
		jnz	short loc_9EED21
		push	1
		push	offset _GUID_MOF_RESOURCE_REMOVED_NOTIFICATION
		call	_WmipGenerateMofResourceNotification@16	; WmipGenerateMofResourceNotification(x,x,x,x)
		mov	eax, [esi+14h]

loc_9EED21:				; CODE XREF: WmipMRCleanup(x)+11j
					; WmipMRCleanup(x)+18j	...
		xor	edi, edi
		test	eax, eax
		jz	short loc_9EED31
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+14h], edi

loc_9EED31:				; CODE XREF: WmipMRCleanup(x)+33j
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_9EED42
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+18h], edi

loc_9EED42:				; CODE XREF: WmipMRCleanup(x)+44j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_WmipMRCleanup@4 endp


;  S U B	R O U T	I N E 


; __stdcall WmipProbeWnodeSingleItem(x,	x)
_WmipProbeWnodeSingleItem@8 proc near	; CODE XREF: WmipIoControl+13347Dp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		push	44h
		pop	edx
		cmp	edi, edx
		jb	short loc_9EED86
		push	1
		push	0
		push	0
		push	edi
		push	dword ptr [esi+40h]
		push	dword ptr [esi+3Ch]
		push	dword ptr [esi+30h]
		call	_WmipProbeWnodeWorker@36 ; WmipProbeWnodeWorker(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9EED8B
		mov	eax, [esi+2Ch]
		test	al, 4
		jz	short loc_9EED86
		cmp	edi, [esi]
		jnz	short loc_9EED86
		test	eax, 0FFFFFF7Bh
		jnz	short loc_9EED86
		xor	eax, eax
		jmp	short loc_9EED8B
; 

loc_9EED86:				; CODE XREF: WmipProbeWnodeSingleItem(x,x)+Dj
					; WmipProbeWnodeSingleItem(x,x)+2Dj ...
		mov	eax, 0C0000001h

loc_9EED8B:				; CODE XREF: WmipProbeWnodeSingleItem(x,x)+26j
					; WmipProbeWnodeSingleItem(x,x)+3Cj
		pop	edi
		pop	esi
		retn
_WmipProbeWnodeSingleItem@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipTranslateFileHandle(x, x)
_WmipTranslateFileHandle@8 proc	near	; CODE XREF: WmipIoControl+13350Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edx
		xor	ebx, ebx
		lea	eax, [ebp+var_8]
		push	eax
		mov	dl, 1
		mov	[ebp+var_C], ebx
		mov	ecx, [edi]
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_8], ebx
		call	_WmipGetFilePDO@12 ; WmipGetFilePDO(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9EEE88
		mov	eax, ds:_WmipGuidObjectType
		lea	edx, [ebp+var_4]
		mov	ecx, [edi+8]
		push	ebx
		push	edx
		push	1
		push	eax
		push	1
		push	ecx
		mov	[ebp+var_4], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, [ebp+var_8]
		mov	esi, eax
		test	esi, esi
		js	loc_9EEE7D
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_18]
		mov	edx, ebx
		push	eax
		call	WmipGetGuidObjectInstanceInfo
		mov	esi, eax
		test	esi, esi
		js	short loc_9EEE6F
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_10]
		movzx	eax, ax
		add	eax, 1Ah
		mov	[ebp+var_8], eax
		mov	edx, [ecx]
		cmp	edx, eax
		jnb	short loc_9EEE2C
		push	4
		pop	esi
		cmp	edx, esi
		jb	short loc_9EEE25
		mov	[edi], eax
		mov	[ecx], esi
		jmp	short loc_9EEE5E
; 

loc_9EEE25:				; CODE XREF: WmipTranslateFileHandle(x,x)+8Fj
		mov	esi, 0C0000001h
		jmp	short loc_9EEE60
; 

loc_9EEE2C:				; CODE XREF: WmipTranslateFileHandle(x,x)+88j
		mov	ecx, [ebp+var_18]
		lea	esi, [edi+16h]
		mov	eax, [ebp+var_C]
		mov	[edi+10h], eax
		lea	eax, [ecx+4]
		mov	[edi+14h], ax
		movzx	edi, cx
		push	edi		; size_t
		push	[ebp+var_14]	; void *
		push	esi		; void *
		call	_memcpy
		mov	ecx, [ebp+var_10]
		add	esp, 0Ch
		shr	edi, 1
		xor	eax, eax
		mov	[esi+edi*2], eax
		mov	eax, [ebp+var_8]
		mov	[ecx], eax

loc_9EEE5E:				; CODE XREF: WmipTranslateFileHandle(x,x)+95j
		xor	esi, esi

loc_9EEE60:				; CODE XREF: WmipTranslateFileHandle(x,x)+9Cj
		cmp	[ebp+var_14], 0
		jz	short loc_9EEE6F
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_9EEE6F:				; CODE XREF: WmipTranslateFileHandle(x,x)+73j
					; WmipTranslateFileHandle(x,x)+D6j
		cmp	[ebp+var_4], 0
		jz	short loc_9EEE7D
		mov	ecx, [ebp+var_4]
		call	ObfDereferenceObject

loc_9EEE7D:				; CODE XREF: WmipTranslateFileHandle(x,x)+57j
					; WmipTranslateFileHandle(x,x)+E5j
		test	ebx, ebx
		jz	short loc_9EEE88
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_9EEE88:				; CODE XREF: WmipTranslateFileHandle(x,x)+2Fj
					; WmipTranslateFileHandle(x,x)+F1j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_WmipTranslateFileHandle@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmiSetNetworkNotify(x)
_WmiSetNetworkNotify@4 proc near	; CODE XREF: EtwpEnableKernelTrace+129AB5p
					; EtwpDisableKernelTrace+1299C4p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		lea	edx, [ebp+var_4]
		push	esi
		mov	[ebp+var_C], ecx
		mov	ecx, 200000h
		push	eax
		call	WmipBuildTraceDeviceList
		mov	esi, eax
		test	esi, esi
		js	short loc_9EEED5
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		mov	ecx, [ebp+var_4]
		push	eax
		push	4
		push	0Ah
		call	WmipSendWmiIrpToTraceDeviceList
		mov	esi, eax
		test	esi, esi
		js	short loc_9EEED5
		xor	esi, esi

loc_9EEED5:				; CODE XREF: WmiSetNetworkNotify(x)+29j
					; WmiSetNetworkNotify(x)+42j
		cmp	[ebp+var_4], 0
		jz	short loc_9EEEE6
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		call	_WmipFreeTraceDeviceList@8 ; WmipFreeTraceDeviceList(x,x)

loc_9EEEE6:				; CODE XREF: WmiSetNetworkNotify(x)+4Aj
		mov	eax, esi
		pop	esi
		leave
		retn
_WmiSetNetworkNotify@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipLegacyEtwCallback(x, x,	x, x)
_WmipLegacyEtwCallback@16 proc near	; DATA XREF: WmipProcessLegacyEtwRegister(x,x)+66o

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	bl, byte ptr [ebp+arg_4]
		xor	eax, eax
		push	esi
		mov	esi, eax
		cmp	bl, 1
		jz	short loc_9EEF07
		test	bl, bl
		jnz	loc_9EF01F

loc_9EEF07:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+12j
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		mov	eax, [ebp+arg_C]
		cmp	[eax+50h], esi
		jz	loc_9EF013
		push	edi
		mov	edi, [ebp+arg_8]
		test	bl, bl
		jz	short loc_9EEF30
		mov	ecx, [edi]
		mov	edx, [edi+4]
		jmp	short loc_9EEF34
; 

loc_9EEF30:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+3Cj
		xor	ecx, ecx
		xor	edx, edx

loc_9EEF34:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+43j
		mov	[eax+58h], ecx
		lea	ecx, [eax+20h]
		mov	[eax+5Ch], edx
		mov	eax, [ecx]
		mov	[ebp+arg_4], ecx
		cmp	eax, ecx
		jz	loc_9EF012

loc_9EEF4A:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+7Bj
		mov	edx, [eax+8]
		test	edx, 100000h
		jz	short loc_9EEF62
		test	bl, bl
		jnz	short loc_9EEF61
		test	edx, 200000h
		jz	short loc_9EEF62

loc_9EEF61:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+6Cj
		inc	esi

loc_9EEF62:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+68j
					; WmipLegacyEtwCallback(x,x,x,x)+74j
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	short loc_9EEF4A
		test	esi, esi
		jz	loc_9EF012
		push	70696D57h
		lea	eax, ds:20h[esi*4]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_9EF012
		mov	dword ptr [eax+8], 2
		mov	ecx, [edi]
		mov	[eax+10h], ecx
		mov	ecx, [edi+4]
		mov	[eax+14h], ecx
		mov	ecx, [ebp+arg_4]
		mov	[eax+1Ch], bl
		mov	[eax+18h], esi
		mov	edi, [ecx]
		cmp	edi, ecx
		jz	short loc_9EF006
		add	eax, 20h
		mov	[ebp+arg_8], eax
		mov	eax, ecx

loc_9EEFB8:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+116j
		mov	ecx, [edi+8]
		test	ecx, 100000h
		jz	short loc_9EEFFD
		test	bl, bl
		jnz	short loc_9EEFCF
		test	ecx, 200000h
		jz	short loc_9EEFFD

loc_9EEFCF:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+DAj
		mov	esi, [edi+20h]
		mov	ecx, esi
		call	WmipReferenceEntry
		mov	edx, [ebp+arg_8]
		mov	[edx], esi
		add	edx, 4
		mov	eax, [edi+8]
		mov	[ebp+arg_8], edx
		test	bl, bl
		jz	short loc_9EEFF2
		or	eax, 200000h
		jmp	short loc_9EEFF7
; 

loc_9EEFF2:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+FEj
		and	eax, 0FFDFFFFFh

loc_9EEFF7:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+105j
		mov	[edi+8], eax
		mov	eax, [ebp+arg_4]

loc_9EEFFD:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+D6j
					; WmipLegacyEtwCallback(x,x,x,x)+E2j
		mov	edi, [edi]
		cmp	edi, eax
		jnz	short loc_9EEFB8
		mov	eax, [ebp+var_4]

loc_9EF006:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+C3j
		mov	edx, [ebp+arg_C]
		mov	ecx, eax
		push	0
		call	WmipQueueLegacyEtwWork

loc_9EF012:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+59j
					; WmipLegacyEtwCallback(x,x,x,x)+7Fj ...
		pop	edi

loc_9EF013:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+30j
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_9EF01F:				; CODE XREF: WmipLegacyEtwCallback(x,x,x,x)+16j
		pop	esi
		pop	ebx
		leave
		retn	10h
_WmipLegacyEtwCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipProcessLegacyEtwCallback(x, x)
_WmipProcessLegacyEtwCallback@8	proc near ; CODE XREF: WmipLegacyEtwWorker+88BA8p

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		cmp	byte ptr [ebx+1Ch], 0
		setz	al
		xor	ecx, ecx
		add	al, 4
		mov	[ebp+var_50], ecx
		mov	[ebp+var_49], al
		cmp	[ebx+18h], ecx
		jbe	loc_9EF0DD
		lea	eax, [edx+28h]
		lea	edx, [ebx+20h]
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], edx

loc_9EF062:				; CODE XREF: WmipProcessLegacyEtwCallback(x,x)+B6j
		mov	esi, eax
		mov	[ebp+var_44], ecx
		mov	eax, [ebx+10h]
		lea	edi, [ebp+var_30]
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		movsd
		mov	ecx, [ebx+14h]
		push	40h
		movsd
		movsd
		movsd
		mov	esi, [edx]
		mov	[ebp+var_40], eax
		pop	edi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_3C], ecx
		push	eax
		mov	[ebp+var_14], ecx
		lea	eax, [ebp+var_30]
		mov	cl, [ebp+var_49]
		push	edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_1C], 20000h
		mov	edx, [esi+1Ch]
		push	eax
		call	_WmipSendWmiIrp@24 ; WmipSendWmiIrp(x,x,x,x,x,x)
		mov	edx, esi
		mov	ecx, offset _WmipDSChunkInfo
		call	WmipUnreferenceEntry
		mov	eax, [ebp+var_50]
		mov	edx, [ebp+var_54]
		inc	eax
		add	edx, 4
		mov	[ebp+var_50], eax
		cmp	eax, [ebx+18h]
		mov	eax, [ebp+var_58]
		push	0
		mov	[ebp+var_54], edx
		pop	ecx
		jb	short loc_9EF062

loc_9EF0DD:				; CODE XREF: WmipProcessLegacyEtwCallback(x,x)+2Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_WmipProcessLegacyEtwCallback@8	endp


;  S U B	R O U T	I N E 


; __stdcall WmipProcessLegacyEtwUnregister(x)
_WmipProcessLegacyEtwUnregister@4 proc near ; CODE XREF: WmipLegacyEtwWorker+88BB4p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, ecx
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		mov	edi, [esi+48h]
		xor	eax, eax
		mov	ebx, [esi+4Ch]
		push	eax
		push	offset _WmipSMMutex
		mov	[esi+48h], eax
		mov	[esi+4Ch], eax
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, edi
		or	eax, ebx
		jz	short loc_9EF129
		push	ebx
		push	edi
		call	EtwUnregister

loc_9EF129:				; CODE XREF: WmipProcessLegacyEtwUnregister(x)+34j
		pop	edi
		pop	esi
		pop	ebx
		retn
_WmipProcessLegacyEtwUnregister@4 endp


;  S U B	R O U T	I N E 


; __stdcall WmipUnregisterEtwProvider(x)
_WmipUnregisterEtwProvider@4 proc near	; CODE XREF: WmipUnlinkInstanceSetFromGuidEntry(x)+29p
		mov	edi, edi
		push	esi
		mov	esi, [ecx+1Ch]
		sub	dword ptr [esi+6Ch], 1
		jnz	short loc_9EF169
		push	edi
		push	70696D57h
		xor	edi, edi
		push	0Ch
		push	1
		mov	[esi+50h], edi
		mov	[esi+58h], edi
		mov	[esi+5Ch], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_9EF168
		push	edi
		mov	edx, esi
		mov	dword ptr [eax+8], 1
		mov	ecx, eax
		call	WmipQueueLegacyEtwWork

loc_9EF168:				; CODE XREF: WmipUnregisterEtwProvider(x)+28j
		pop	edi

loc_9EF169:				; CODE XREF: WmipUnregisterEtwProvider(x)+Aj
		pop	esi
		retn
_WmipUnregisterEtwProvider@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipDisableCollectionForRemovedGuid(x, x)
_WmipDisableCollectionForRemovedGuid@8 proc near ; CODE	XREF: WmipUpdateDataSource+9D6DDp
					; WmipGenerateRegistrationNotification+9D052p

var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		lea	eax, [ebp+var_38]
		mov	esi, edx
		mov	edi, ecx
		mov	[ebp+var_40], esi
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_3C], edi
		call	_memset
		add	esp, 0Ch
		xor	dl, dl
		mov	ecx, edi
		call	_WmipFindGEByGuid@8 ; WmipFindGEByGuid(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9EF314
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		cmp	dword ptr [ebx+38h], 0
		jbe	loc_9EF260
		mov	ecx, [esi+8]
		mov	eax, ecx
		and	eax, 82000h
		cmp	eax, 2000h
		jnz	loc_9EF260
		and	ecx, 0FFFFDFFFh
		mov	[esi+8], ecx
		xor	esi, esi
		or	dword ptr [ebx+8], 2
		push	esi
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	[ebp+var_34], esi
		lea	eax, [ebp+var_48]
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	esi, edi
		lea	edi, [ebp+var_20]
		push	30h
		pop	ecx
		movsd
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		movsd
		lea	eax, [ebp+var_20]
		push	ecx
		push	eax
		movsd
		movsd
		mov	esi, [ebp+var_40]
		mov	[ebp+var_38], ecx
		mov	cl, 5
		mov	edx, [esi+20h]
		mov	edx, [edx+1Ch]
		call	_WmipSendWmiIrp@24 ; WmipSendWmiIrp(x,x,x,x,x,x)
		xor	edi, edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		cmp	[ebx+38h], edi
		jnz	short loc_9EF259
		push	2
		mov	dl, 1
		mov	ecx, ebx
		call	WmipDoDisableRequest
		jmp	short loc_9EF25D
; 

loc_9EF259:				; CODE XREF: WmipDisableCollectionForRemovedGuid(x,x)+DFj
		and	dword ptr [ebx+8], 0FFFFFFFDh

loc_9EF25D:				; CODE XREF: WmipDisableCollectionForRemovedGuid(x,x)+ECj
		mov	edi, [ebp+var_3C]

loc_9EF260:				; CODE XREF: WmipDisableCollectionForRemovedGuid(x,x)+56j
					; WmipDisableCollectionForRemovedGuid(x,x)+6Bj
		cmp	dword ptr [ebx+3Ch], 0
		jbe	loc_9EF2FC
		test	dword ptr [esi+8], 4000h
		jz	loc_9EF2FC
		or	dword ptr [ebx+8], 4
		and	dword ptr [esi+8], 0FFFFBFFFh
		xor	esi, esi
		push	esi
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	edx, [ebp+var_40]
		lea	eax, [ebp+var_48]
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		mov	edx, [edx+20h]
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	esi, edi
		lea	edi, [ebp+var_20]
		push	30h
		pop	ecx
		movsd
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		movsd
		lea	eax, [ebp+var_20]
		push	ecx
		push	eax
		movsd
		movsd
		mov	[ebp+var_38], ecx
		mov	cl, 7
		mov	edx, [edx+1Ch]
		call	_WmipSendWmiIrp@24 ; WmipSendWmiIrp(x,x,x,x,x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WmipSMMutex
		call	KeWaitForSingleObject
		cmp	dword ptr [ebx+3Ch], 0
		mov	ecx, ebx
		jnz	short loc_9EF2F3
		push	4
		xor	dl, dl
		call	WmipDoDisableRequest
		jmp	short loc_9EF2FC
; 

loc_9EF2F3:				; CODE XREF: WmipDisableCollectionForRemovedGuid(x,x)+17Bj
		and	dword ptr [ebx+8], 0FFFFFFFBh
		call	WmipReleaseCollectionEnabled

loc_9EF2FC:				; CODE XREF: WmipDisableCollectionForRemovedGuid(x,x)+F9j
					; WmipDisableCollectionForRemovedGuid(x,x)+106j ...
		mov	edx, ebx
		mov	ecx, offset _WmipGEChunkInfo
		call	WmipUnreferenceEntry
		push	0
		push	offset _WmipSMMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_9EF314:				; CODE XREF: WmipDisableCollectionForRemovedGuid(x,x)+3Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_WmipDisableCollectionForRemovedGuid@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipGenerateBinaryMofNotification(x, x)
_WmipGenerateBinaryMofNotification@8 proc near ; CODE XREF: WmipUpdateDataSource+9D6C4p
					; WmipUpdateDataSource+9D793p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_14], edx
		push	esi
		push	edi
		mov	eax, [ebx+24h]
		test	eax, eax
		jz	loc_9EF4D8
		xor	edi, edi
		mov	ecx, edi
		mov	[ebp+var_4], ecx
		test	eax, eax
		jz	loc_9EF4D8
		lea	eax, [ebx+30h]

loc_9EF350:				; CODE XREF: WmipGenerateBinaryMofNotification(x,x)+1AFj
		mov	edx, [ebx+8]
		mov	[ebp+var_10], eax
		test	dl, 2
		jz	short loc_9EF390
		mov	eax, [ebx+30h]
		mov	ecx, [eax+ecx*4]
		lea	edx, [ecx+2]

loc_9EF364:				; CODE XREF: WmipGenerateBinaryMofNotification(x,x)+4Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_9EF364
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, ds:2[ecx*2]
		lea	eax, ds:6[ecx*2]
		mov	[ebp+var_8], edi
		mov	[ebp+var_C], eax
		lea	edi, ds:4Eh[ecx*2]
		jmp	short loc_9EF3CB
; 

loc_9EF390:				; CODE XREF: WmipGenerateBinaryMofNotification(x,x)+36j
		test	dl, 1
		jz	loc_9EF4D8
		mov	ecx, [eax]
		add	ecx, 4
		lea	edx, [ecx+2]

loc_9EF3A1:				; CODE XREF: WmipGenerateBinaryMofNotification(x,x)+87j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_9EF3A1
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, ds:10h[ecx*2]
		mov	[ebp+var_C], eax
		lea	edi, ds:58h[ecx*2]
		lea	eax, ds:0Ch[ecx*2]
		mov	[ebp+var_8], eax

loc_9EF3CB:				; CODE XREF: WmipGenerateBinaryMofNotification(x,x)+6Bj
		push	70696D57h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_18], esi
		test	esi, esi
		jz	loc_9EF4C3
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		and	dword ptr [esi+0Ch], 0
		add	esp, 0Ch
		mov	[esi], edi
		lea	edi, [esi+18h]
		mov	dword ptr [esi+4], 3
		mov	dword ptr [esi+8], 1
		mov	dword ptr [esi+2Ch], 0Ah
		mov	esi, [ebp+var_14]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_18]
		lea	eax, [esi+10h]
		push	eax
		call	KeQuerySystemTime
		mov	eax, [ebp+var_C]
		xor	ecx, ecx
		mov	[esi+3Ch], eax
		xor	eax, eax
		mov	[esi+40h], ax
		lea	eax, [esi+48h]
		mov	dword ptr [esi+30h], 40h
		mov	dword ptr [esi+38h], 48h
		mov	[eax], cx
		add	eax, 2
		mov	ecx, [ebx+8]
		mov	[ebp+var_C], eax
		test	cl, 2
		jz	short loc_9EF470
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+var_8]
		mov	edi, [ebp+var_4]
		mov	[eax], dx
		mov	eax, [ecx]
		mov	ecx, [ebp+var_C]
		push	dword ptr [eax+edi*4]
		lea	ecx, [ecx+2]
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		jmp	short loc_9EF4AB
; 

loc_9EF470:				; CODE XREF: WmipGenerateBinaryMofNotification(x,x)+12Dj
		test	cl, 1
		jz	short loc_9EF4AB
		mov	ecx, [ebp+var_10]
		mov	edi, [ebp+var_8]
		mov	ecx, [ecx]
		mov	eax, [ecx]
		add	eax, [ebp+var_4]
		push	eax
		lea	eax, [ecx+4]
		push	eax		; char
		mov	eax, [ebp+var_C]
		push	offset ??_C@_1M@NBNHGJDL@?$AA?$CF?$AAw?$AAs?$AA?$CF?$AAd@NNGAKEGL@ ; wchar_t *
		push	200h		; int
		push	0		; int
		push	0		; int
		add	eax, 2
		push	edi		; size_t
		push	eax		; int
		call	RtlStringCbPrintfExW
		mov	eax, [ebp+var_C]
		add	esp, 20h
		mov	[eax], di

loc_9EF4AB:				; CODE XREF: WmipGenerateBinaryMofNotification(x,x)+14Bj
					; WmipGenerateBinaryMofNotification(x,x)+150j
		xor	edi, edi
		mov	dl, 1
		push	edi
		mov	ecx, esi
		call	WmipProcessEvent
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [ebx+30h]
		jmp	short loc_9EF4C8
; 

loc_9EF4C3:				; CODE XREF: WmipGenerateBinaryMofNotification(x,x)+BCj
		mov	eax, [ebp+var_10]
		xor	edi, edi

loc_9EF4C8:				; CODE XREF: WmipGenerateBinaryMofNotification(x,x)+19Ej
		mov	ecx, [ebp+var_4]
		inc	ecx
		mov	[ebp+var_4], ecx
		cmp	ecx, [ebx+24h]
		jb	loc_9EF350

loc_9EF4D8:				; CODE XREF: WmipGenerateBinaryMofNotification(x,x)+15j
					; WmipGenerateBinaryMofNotification(x,x)+24j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_WmipGenerateBinaryMofNotification@8 endp


;  S U B	R O U T	I N E 


; __stdcall WmipUnlinkInstanceSetFromGuidEntry(x)
_WmipUnlinkInstanceSetFromGuidEntry@4 proc near	; CODE XREF: WmipUpdateDataSource+9D6EEp
					; WmipDSCleanup(x)+40p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+1Ch]
		dec	dword ptr [eax+14h]
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_9EF514
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_9EF514
		mov	[eax], ecx
		mov	[ecx+4], eax
		test	dword ptr [esi+8], 80000h
		jz	short loc_9EF512
		mov	ecx, esi
		call	_WmipUnregisterEtwProvider@4 ; WmipUnregisterEtwProvider(x)
		and	dword ptr [esi+8], 0FFCFFFFFh

loc_9EF512:				; CODE XREF: WmipUnlinkInstanceSetFromGuidEntry(x)+25j
		pop	esi
		retn
; 

loc_9EF514:				; CODE XREF: WmipUnlinkInstanceSetFromGuidEntry(x)+10j
					; WmipUnlinkInstanceSetFromGuidEntry(x)+17j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_WmipUnlinkInstanceSetFromGuidEntry@4 endp ; AL	= character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipUpdateAddGuid(x, x, x, x, x)
_WmipUpdateAddGuid@20 proc near		; CODE XREF: WmipUpdateModifyGuid+9D737p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	ecx, offset _WmipISChunkInfo
		call	_WmipAllocEntry@4 ; WmipAllocEntry(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9EF539

loc_9EF535:				; CODE XREF: WmipUpdateAddGuid(x,x,x,x,x)+67j
		xor	eax, eax
		jmp	short loc_9EF59B
; 

loc_9EF539:				; CODE XREF: WmipUpdateAddGuid(x,x,x,x,x)+1Aj
		or	dword ptr [esi+8], 8
		lea	ecx, [edi+14h]
		mov	[esi+1Ch], ebx
		lea	eax, [esi+14h]
		mov	[esi+20h], edi
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jz	short loc_9EF555
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9EF555:				; CODE XREF: WmipUpdateAddGuid(x,x,x,x,x)+35j
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		mov	edx, [ebp+arg_0]
		mov	[ecx], eax
		mov	ecx, ebx
		push	dword ptr [edi+1Ch]
		push	esi
		push	[ebp+arg_4]
		call	WmipBuildInstanceSet
		test	eax, eax
		jns	short loc_9EF582
		mov	edx, esi
		mov	ecx, offset _WmipISChunkInfo
		call	WmipUnreferenceEntry
		jmp	short loc_9EF535
; 

loc_9EF582:				; CODE XREF: WmipUpdateAddGuid(x,x,x,x,x)+59j
		push	0
		xor	dl, dl
		mov	ecx, edi
		call	WmipLinkDataSourceToList
		mov	ecx, [ebp+arg_8]
		mov	[ecx], esi
		xor	ecx, ecx
		test	eax, eax
		setns	cl
		mov	eax, ecx

loc_9EF59B:				; CODE XREF: WmipUpdateAddGuid(x,x,x,x,x)+1Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_WmipUpdateAddGuid@20 endp


;  S U B	R O U T	I N E 


; __stdcall WmipWaitForCollectionEnabled(x)
_WmipWaitForCollectionEnabled@4	proc near ; CODE XREF: WmipSendEnableRequest+131DFDp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		test	byte ptr [esi+8], 8
		jnz	short loc_9EF5BF
		push	ebx
		push	ebx
		push	dword ptr [esi+40h]
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		or	dword ptr [esi+8], 8

loc_9EF5BF:				; CODE XREF: WmipWaitForCollectionEnabled(x)+Dj
		push	ebx
		mov	edi, offset _WmipSMMutex
		push	edi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	dword ptr [esi+40h]
		call	KeWaitForSingleObject
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	edi
		call	KeWaitForSingleObject
		pop	edi
		pop	esi
		pop	ebx
		retn
_WmipWaitForCollectionEnabled@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpIncrementTraceFile(x, x)
_EtwpIncrementTraceFile@8 proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+28Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		and	[esp+4+var_4], 0
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		mov	ecx, ebx
		call	@EtwpValidateLoggerInfo@4 ; EtwpValidateLoggerInfo(x)
		test	eax, eax
		js	loc_9EF695
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esp+10h+var_4]
		mov	ecx, esi
		push	eax
		call	EtwpAcquireLoggerContext
		mov	edi, eax
		test	edi, edi
		js	short loc_9EF687
		mov	esi, [esp+10h+var_4]
		test	byte ptr [esi+0Ch], 8
		jnz	short loc_9EF639
		mov	edi, 0C000000Dh
		jmp	short loc_9EF67E
; 

loc_9EF639:				; CODE XREF: EtwpIncrementTraceFile(x,x)+4Bj
		mov	eax, [esi+25Ch]
		mov	esi, [esp+10h+var_4]
		test	al, 1
		jnz	short loc_9EF66F
		push	4
		pop	edx
		mov	ecx, esi
		call	EtwpSynchronizeWithLogger
		lea	eax, [esi+74h]
		push	eax
		lea	edx, [esi+0DCh]
		lea	ecx, [esi+6Ch]
		call	EtwpGenerateFileName
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	EtwpSynchronizeWithLogger
		mov	edi, eax

loc_9EF66F:				; CODE XREF: EtwpIncrementTraceFile(x,x)+60j
		test	edi, edi
		js	short loc_9EF67E
		mov	edx, esi
		mov	ecx, ebx
		call	EtwpGetLoggerInfoFromContext
		mov	edi, eax

loc_9EF67E:				; CODE XREF: EtwpIncrementTraceFile(x,x)+52j
					; EtwpIncrementTraceFile(x,x)+8Cj
		mov	dl, 1
		mov	ecx, esi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_9EF687:				; CODE XREF: EtwpIncrementTraceFile(x,x)+41j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi

loc_9EF695:				; CODE XREF: EtwpIncrementTraceFile(x,x)+1Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_EtwpIncrementTraceFile@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpQueryReferenceTime(x, x, x)
_EtwpQueryReferenceTime@12 proc	near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+5AAp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		cmp	edx, 0FFFFh
		jnz	short loc_9EF6B3
		movzx	edx, byte ptr [ecx+914h]

loc_9EF6B3:				; CODE XREF: EtwpQueryReferenceTime(x,x,x)+Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	ebx, ebx
		push	ebx
		call	EtwpAcquireLoggerContextByLoggerId
		test	eax, eax
		jz	short loc_9EF6E5
		mov	edi, [ebp+arg_0]
		lea	esi, [eax+0E8h]
		xor	dl, dl
		mov	ecx, eax
		movsd
		movsd
		movsd
		movsd
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		jmp	short loc_9EF6EA
; 

loc_9EF6E5:				; CODE XREF: EtwpQueryReferenceTime(x,x,x)+2Fj
		mov	ebx, 0C0000296h

loc_9EF6EA:				; CODE XREF: EtwpQueryReferenceTime(x,x,x)+47j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	4
_EtwpQueryReferenceTime@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetPsmKeyExtendedHeaderItem(x)
_EtwpGetPsmKeyExtendedHeaderItem@4 proc	near
					; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+725p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:124h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	eax, [eax+80h]
		push	edi
		push	8
		pop	ebx
		push	eax
		mov	edi, ecx
		mov	byte ptr [ebp+var_1], 0
		mov	[ebp+var_C], eax
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		mov	esi, eax
		lea	eax, [ebp-2]
		push	eax
		lea	eax, [ebp+var_1]
		mov	[ebp+var_10], esi
		push	eax
		push	esi
		call	_PsQueryProcessAttributesByToken@12 ; PsQueryProcessAttributesByToken(x,x,x)
		cmp	byte ptr [ebp+var_1], 0
		jz	short loc_9EF76A
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], 1D2h
		push	eax
		lea	edx, [edi+8]
		mov	ecx, esi
		call	_EtwpQueryPsmKey@12 ; EtwpQueryPsmKey(x,x,x)
		test	eax, eax
		jns	short loc_9EF762
		xor	esi, esi
		jmp	short loc_9EF765
; 

loc_9EF762:				; CODE XREF: EtwpGetPsmKeyExtendedHeaderItem(x)+5Dj
		mov	esi, [ebp+var_8]

loc_9EF765:				; CODE XREF: EtwpGetPsmKeyExtendedHeaderItem(x)+61j
		lea	ebx, [esi+8]
		jmp	short loc_9EF76D
; 

loc_9EF76A:				; CODE XREF: EtwpGetPsmKeyExtendedHeaderItem(x)+44j
		mov	esi, [ebp+var_8]

loc_9EF76D:				; CODE XREF: EtwpGetPsmKeyExtendedHeaderItem(x)+69j
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_10]
		add	ecx, 12Ch
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		push	9
		lea	eax, [ebx+7]
		mov	[edi+6], si
		and	eax, 0FFFFFFF8h
		pop	ecx
		mov	[edi], ax
		sub	eax, ebx
		push	eax		; size_t
		mov	[edi+2], cx
		lea	eax, [ebx+edi]
		xor	ecx, ecx
		push	ecx		; int
		push	eax		; void *
		mov	[edi+4], cx
		call	_memset
		add	esp, 0Ch
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpGetPsmKeyExtendedHeaderItem@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpQueryPsmKey(x, x, x)
_EtwpQueryPsmKey@12 proc near		; CODE XREF: EtwpGetPsmKeyExtendedHeaderItem(x)+56p

var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2EC		= dword	ptr -2ECh
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2F8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_2F4]
		xor	ebx, ebx
		mov	esi, edx
		push	ebx
		push	ebx
		push	eax
		mov	[ebp+var_2F8], ebx
		call	RtlpQueryPackageIdentityAttributes
		test	eax, eax
		js	short loc_9EF858
		mov	ecx, [ebp+var_2EC]
		cmp	dword ptr [ecx+10h], 2
		mov	ecx, [ecx+14h]
		jbe	short loc_9EF81F
		lea	eax, [ecx+10h]
		push	eax
		push	23h
		lea	eax, [ecx+8]
		push	eax
		push	2Bh
		push	ecx		; char
		push	offset ??_C@_1CA@LCLGDEEM@?$AA?$CF?$AAw?$AAZ?$AA?$CF?$AAw?$AAc?$AA?$CF?$AAw?$AAZ?$AA?$CF?$AAw?$AAc?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ ; wchar_t *
		push	800h		; int
		push	ebx		; int
		lea	eax, [ebp+var_2F8]
		push	eax		; int
		push	dword ptr [edi]	; size_t
		push	esi		; int
		call	RtlStringCbPrintfExW
		add	esp, 2Ch
		jmp	short loc_9EF843
; 

loc_9EF81F:				; CODE XREF: EtwpQueryPsmKey(x,x,x)+44j
		lea	eax, [ecx+8]
		push	eax
		push	2Bh
		push	ecx		; char
		push	offset ??_C@_1BE@PFDEHHDC@?$AA?$CF?$AAw?$AAZ?$AA?$CF?$AAw?$AAc?$AA?$CF?$AAw?$AAZ@NNGAKEGL@ ; wchar_t *
		push	800h		; int
		push	ebx		; int
		lea	eax, [ebp+var_2F8]
		push	eax		; int
		push	dword ptr [edi]	; size_t
		push	esi		; int
		call	RtlStringCbPrintfExW
		add	esp, 24h

loc_9EF843:				; CODE XREF: EtwpQueryPsmKey(x,x,x)+70j
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_9EF856
		mov	eax, [ebp+var_2F8]
		sub	eax, esi
		add	eax, 2
		mov	[edi], eax

loc_9EF856:				; CODE XREF: EtwpQueryPsmKey(x,x,x)+9Aj
		mov	eax, ecx

loc_9EF858:				; CODE XREF: EtwpQueryPsmKey(x,x,x)+35j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwpQueryPsmKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpDisallowedGuidAddition(x, x)
_EtwpDisallowedGuidAddition@8 proc near	; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+33Cp

var_2E		= byte ptr -2Eh
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		push	ebx
		push	esi
		mov	ecx, [eax+2E4h]
		xor	ebx, ebx
		push	edi
		push	ebx
		mov	[esp+44h+var_2C], ebx
		call	_EtwpFindGuidEntryByGuid@12 ; EtwpFindGuidEntryByGuid(x,x,x)
		mov	esi, eax
		mov	[esp+40h+var_18], esi
		test	esi, esi
		jz	loc_9EFB3F
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		lea	edi, [esi+16Ch]
		xor	edx, edx
		mov	ecx, edi
		mov	[esp+40h+var_4], edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	edx, edx
		mov	[esi+170h], eax
		mov	ecx, esi
		lea	eax, [esp+40h+var_2C]
		push	eax
		push	ebx
		call	EtwpBuildNotificationPacket
		mov	ebx, [esp+40h+var_2C]
		or	ecx, 0FFFFFFFFh
		test	eax, eax
		jnz	loc_9EFB08
		mov	esi, [ebp+arg_0]
		lea	edi, [ebx+28h]
		mov	dword ptr [ebx], 3
		movsd
		movsd
		movsd
		movsd
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[ebx+24h], eax
		call	EtwpIsGuidAllowed
		mov	esi, [esp+40h+var_18]
		cmp	al, 1
		jz	loc_9EFB01
		xor	edi, edi
		mov	[esp+40h+var_24], edi
		cmp	[esi+168h], edi
		jnz	short loc_9EF936
		lea	eax, [esi+8]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_9EF936
		lea	edi, [ecx-8]
		mov	[esp+40h+var_24], edi

loc_9EF936:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+BBj
					; EtwpDisallowedGuidAddition(x,x)+C4j
		mov	eax, esi
		mov	byte ptr [esp+40h+var_1C], 0
		mov	[esp+40h+var_20], eax

loc_9EF941:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+28Bj
		lea	edx, [eax+24h]
		mov	ecx, [edx]
		mov	[esp+40h+var_14], edx
		cmp	ecx, edx
		jz	loc_9EFA7C
		mov	esi, edx

loc_9EF954:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+201j
		mov	eax, ecx
		mov	[esp+40h+var_10], ecx
		mov	ecx, [ecx]
		mov	[esp+40h+var_8], eax
		mov	[esp+40h+var_28], ecx
		mov	edx, [eax+14h]
		test	edx, edx
		jz	loc_9EFA68
		mov	al, byte ptr [esp+40h+var_1C]
		test	al, al
		jz	short loc_9EF97D
		mov	edx, [edx+168h]

loc_9EF97D:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+10Cj
		mov	edi, [esp+40h+var_10]
		movzx	eax, al
		mov	[esp+40h+var_4], eax
		mov	al, [edi+eax*2+35h]
		mov	[esp+40h+var_2D], al
		test	al, al
		jz	loc_9EFA68
		xor	al, al
		mov	[esp+40h+var_2E], al

loc_9EF99E:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+16Bj
		movzx	eax, al
		mov	[esp+40h+var_10], eax
		add	eax, 3
		shl	eax, 5
		cmp	dword ptr [eax+edx], 0
		jz	short loc_9EF9C8
		mov	eax, [esp+40h+var_10]
		mov	esi, [ebp+arg_4]
		shl	eax, 5
		movzx	eax, word ptr [eax+edx+66h]
		cmp	eax, [esi]
		mov	esi, [esp+40h+var_14]
		jz	short loc_9EF9DB

loc_9EF9C8:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+146j
		mov	al, [esp+40h+var_2E]
		inc	al
		mov	[esp+40h+var_2E], al
		cmp	al, 8
		jb	short loc_9EF99E
		jmp	loc_9EFA68
; 

loc_9EF9DB:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+15Dj
		mov	ecx, [esp+40h+var_10]
		mov	dl, 1
		shl	dl, cl
		test	dl, dl
		jz	short loc_9EFA64
		mov	cl, [esp+40h+var_2D]
		test	cl, dl
		jz	short loc_9EFA64
		mov	al, dl
		mov	byte ptr [esp+40h+var_C], cl
		not	al
		and	al, cl
		mov	ecx, [esp+40h+var_4]
		mov	[esp+40h+var_4], ebx
		mov	[edi+ecx*2+35h], al
		lea	eax, [esp+40h+var_2C]
		mov	ecx, [esp+40h+var_8]
		push	eax
		push	0
		push	[esp+48h+var_1C]
		push	2
		push	[esp+50h+var_C]
		push	[esp+54h+var_C]
		call	EtwpCalculateUpdateNotification
		mov	ebx, [esp+40h+var_2C]
		mov	ecx, [esp+40h+var_4]
		mov	[esp+40h+var_2D], al
		cmp	ecx, ebx
		jz	short loc_9EFA52
		test	ebx, ebx
		jnz	short loc_9EFA3F
		mov	ebx, ecx
		mov	[esp+40h+var_2C], ebx
		jmp	short loc_9EFA52
; 

loc_9EFA3F:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+1CCj
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+8], eax
		dec	eax
		jnz	short loc_9EFA52
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9EFA52:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+1C8j
					; EtwpDisallowedGuidAddition(x,x)+1D4j	...
		cmp	[esp+40h+var_2D], 0
		jz	short loc_9EFA64
		mov	ecx, [esp+40h+var_8]
		mov	edx, ebx
		call	EtwpSendDataBlock

loc_9EFA64:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+17Cj
					; EtwpDisallowedGuidAddition(x,x)+184j	...
		mov	ecx, [esp+40h+var_28]

loc_9EFA68:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+100j
					; EtwpDisallowedGuidAddition(x,x)+129j	...
		cmp	ecx, esi
		jnz	loc_9EF954
		mov	esi, [esp+40h+var_18]
		mov	edi, [esp+40h+var_24]
		mov	eax, [esp+40h+var_20]

loc_9EFA7C:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+E3j
		cmp	eax, esi
		jz	short loc_9EFAA4
		and	dword ptr [eax+170h], 0
		lea	ecx, [eax+16Ch]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ebx, [esp+40h+var_2C]

loc_9EFAA4:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+215j
		test	edi, edi
		jz	short loc_9EFAF9
		mov	eax, large fs:124h
		mov	byte ptr [esp+40h+var_1C], 1
		mov	[esp+40h+var_20], edi
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [edi+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+170h], eax
		mov	edi, [edi+8]
		sub	edi, 8
		mov	[esp+40h+var_24], edi
		cmp	edi, esi
		jnz	short loc_9EFAEC
		xor	edi, edi
		mov	[esp+40h+var_24], edi

loc_9EFAEC:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+27Bj
		mov	ebx, [esp+40h+var_2C]
		mov	eax, [esp+40h+var_20]
		jmp	loc_9EF941
; 

loc_9EFAF9:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+23Dj
		lea	edi, [esi+16Ch]
		jmp	short loc_9EFB05
; 

loc_9EFB01:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+A9j
		mov	edi, [esp+40h+var_4]

loc_9EFB05:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+296j
		or	ecx, 0FFFFFFFFh

loc_9EFB08:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+7Aj
		test	ebx, ebx
		jz	short loc_9EFB1C
		lock xadd [ebx+8], ecx
		dec	ecx
		jnz	short loc_9EFB1C
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9EFB1C:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+2A1j
					; EtwpDisallowedGuidAddition(x,x)+2A9j
		and	dword ptr [esi+170h], 0
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, esi
		call	EtwpUnreferenceGuidEntry

loc_9EFB3F:				; CODE XREF: EtwpDisallowedGuidAddition(x,x)+2Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_EtwpDisallowedGuidAddition@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpDisallowedGuidRemoval(x, x)
_EtwpDisallowedGuidRemoval@8 proc near	; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+41Ep

var_32		= byte ptr -32h
var_31		= byte ptr -31h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	ecx, [eax+2E4h]
		mov	dl, bl
		push	edi
		mov	byte ptr [esp+40h+var_20], dl
		mov	edx, [ebp+arg_0]
		push	ebx
		mov	[esp+44h+var_30], ebx
		call	_EtwpFindGuidEntryByGuid@12 ; EtwpFindGuidEntryByGuid(x,x,x)
		mov	esi, eax
		mov	[esp+40h+var_14], esi
		test	esi, esi
		jz	loc_9EFE31
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		lea	edi, [esi+16Ch]
		xor	edx, edx
		mov	ecx, edi
		mov	[esp+40h+var_4], edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	edx, edx
		mov	[esi+170h], eax
		mov	ecx, esi
		lea	eax, [esp+40h+var_30]
		push	eax
		push	ebx
		call	EtwpBuildNotificationPacket
		mov	ebx, [esp+40h+var_30]
		or	ecx, 0FFFFFFFFh
		test	eax, eax
		jnz	loc_9EFDFA
		mov	esi, [ebp+arg_0]
		lea	edi, [ebx+28h]
		mov	dword ptr [ebx], 3
		movsd
		movsd
		movsd
		movsd
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[ebx+24h], eax
		call	EtwpIsGuidAllowed
		mov	esi, [esp+40h+var_14]
		cmp	al, 1
		jnz	loc_9EFDF3
		xor	edi, edi
		mov	[esp+40h+var_1C], edi
		cmp	[esi+168h], edi
		jnz	short loc_9EFC1B
		lea	eax, [esi+8]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_9EFC1B
		lea	edi, [ecx-8]
		mov	[esp+40h+var_1C], edi

loc_9EFC1B:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+C1j
					; EtwpDisallowedGuidRemoval(x,x)+CAj
		mov	ecx, esi
		xor	dl, dl
		mov	[esp+40h+var_18], ecx
		mov	byte ptr [esp+40h+var_2C], dl

loc_9EFC27:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+29Ej
		lea	eax, [ecx+24h]
		mov	[esp+40h+var_28], eax
		mov	eax, [eax]
		mov	[esp+40h+var_24], eax
		cmp	eax, [esp+40h+var_28]
		jz	loc_9EFD6A
		mov	esi, eax
		mov	eax, [esp+40h+var_28]

loc_9EFC44:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+210j
		mov	edi, esi
		mov	[esp+40h+var_8], esi
		mov	esi, [esi]
		mov	[esp+40h+var_24], esi
		mov	ecx, [edi+14h]
		test	ecx, ecx
		jz	loc_9EFD56
		test	dl, dl
		jz	short loc_9EFC65
		mov	ecx, [ecx+168h]

loc_9EFC65:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+115j
		cmp	dword ptr [ecx+40h], 0
		movzx	esi, dl
		mov	[esp+40h+var_C], esi
		mov	esi, [esp+40h+var_24]
		jz	loc_9EFD56
		xor	dl, dl

loc_9EFC7C:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+163j
		movzx	eax, dl
		mov	[esp+40h+var_10], eax
		add	eax, 3
		shl	eax, 5
		cmp	dword ptr [eax+ecx], 0
		jz	short loc_9EFCA6
		mov	eax, [esp+40h+var_10]
		mov	esi, [ebp+arg_4]
		shl	eax, 5
		movzx	eax, word ptr [eax+ecx+66h]
		cmp	eax, [esi]
		mov	esi, [esp+40h+var_24]
		jz	short loc_9EFD1D

loc_9EFCA6:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+145j
		inc	dl
		cmp	dl, 8
		jb	short loc_9EFC7C
		mov	al, byte ptr [esp+40h+var_20]

loc_9EFCB1:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+1E1j
		test	al, al
		jz	loc_9EFD4E
		mov	eax, [esp+40h+var_C]
		mov	ecx, [esp+40h+var_8]
		mov	edx, [ebp+arg_4]
		push	1
		push	[esp+44h+var_2C]
		mov	al, [ecx+eax*2+35h]
		mov	ecx, edi
		push	2
		push	[esp+4Ch+var_20]
		mov	byte ptr [esp+50h+var_4], al
		call	EtwpUpdateRegEntryEnableMask
		mov	dl, byte ptr [esp+40h+var_20]
		lea	eax, [esp+40h+var_30]
		push	eax
		push	1
		push	[esp+48h+var_2C]
		mov	ecx, edi
		mov	[esp+4Ch+var_8], ebx
		push	2
		push	0
		push	[esp+54h+var_4]
		call	EtwpCalculateUpdateNotification
		mov	ebx, [esp+40h+var_30]
		mov	ecx, [esp+40h+var_8]
		mov	[esp+40h+var_31], al
		cmp	ecx, ebx
		jz	short loc_9EFD3E
		test	ebx, ebx
		jnz	short loc_9EFD2B
		mov	ebx, ecx
		mov	[esp+40h+var_30], ebx
		jmp	short loc_9EFD3E
; 

loc_9EFD1D:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+15Cj
		mov	ecx, [esp+40h+var_10]
		mov	al, 1
		shl	al, cl
		mov	byte ptr [esp+40h+var_20], al
		jmp	short loc_9EFCB1
; 

loc_9EFD2B:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+1CBj
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+8], eax
		dec	eax
		jnz	short loc_9EFD3E
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9EFD3E:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+1C7j
					; EtwpDisallowedGuidRemoval(x,x)+1D3j ...
		cmp	[esp+40h+var_31], 0
		jz	short loc_9EFD4E
		mov	edx, ebx
		mov	ecx, edi
		call	EtwpSendDataBlock

loc_9EFD4E:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+16Bj
					; EtwpDisallowedGuidRemoval(x,x)+1FBj
		mov	dl, byte ptr [esp+40h+var_2C]
		mov	eax, [esp+40h+var_28]

loc_9EFD56:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+10Dj
					; EtwpDisallowedGuidRemoval(x,x)+12Cj
		cmp	esi, eax
		jnz	loc_9EFC44
		mov	esi, [esp+40h+var_14]
		mov	edi, [esp+40h+var_1C]
		mov	ecx, [esp+40h+var_18]

loc_9EFD6A:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+F0j
		cmp	ecx, esi
		jz	short loc_9EFD92
		and	dword ptr [ecx+170h], 0
		xor	edx, edx
		add	ecx, 16Ch
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ebx, [esp+40h+var_30]

loc_9EFD92:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+224j
		test	edi, edi
		jz	short loc_9EFDEB
		mov	eax, large fs:124h
		mov	byte ptr [esp+40h+var_2C], 1
		mov	[esp+40h+var_18], edi
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [edi+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+170h], eax
		mov	edi, [edi+8]
		sub	edi, 8
		mov	[esp+40h+var_1C], edi
		cmp	edi, esi
		jnz	short loc_9EFDDA
		xor	edi, edi
		mov	[esp+40h+var_1C], edi

loc_9EFDDA:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+28Aj
		mov	ebx, [esp+40h+var_30]
		mov	ecx, [esp+40h+var_18]
		mov	dl, byte ptr [esp+40h+var_2C]
		jmp	loc_9EFC27
; 

loc_9EFDEB:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+24Cj
		lea	edi, [esi+16Ch]
		jmp	short loc_9EFDF7
; 

loc_9EFDF3:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+AFj
		mov	edi, [esp+40h+var_4]

loc_9EFDF7:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+2A9j
		or	ecx, 0FFFFFFFFh

loc_9EFDFA:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+80j
		test	ebx, ebx
		jz	short loc_9EFE0E
		lock xadd [ebx+8], ecx
		dec	ecx
		jnz	short loc_9EFE0E
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9EFE0E:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+2B4j
					; EtwpDisallowedGuidRemoval(x,x)+2BCj
		and	dword ptr [esi+170h], 0
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, esi
		call	EtwpUnreferenceGuidEntry

loc_9EFE31:				; CODE XREF: EtwpDisallowedGuidRemoval(x,x)+34j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_EtwpDisallowedGuidRemoval@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEnableDisableUMGL(x, x,	x, x, x)
_EtwpEnableDisableUMGL@20 proc near	; CODE XREF: EtwpEnableDisableSpecialGuids+1200DDp

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= word ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1], dl
		mov	edi, ecx
		xor	edx, edx
		mov	ebx, edx
		cmp	edi, ds:_EtwpHostSiloState
		jz	short loc_9EFE66
		mov	eax, [edi+4]
		mov	esi, [eax+28Ch]
		add	esi, 226h
		jmp	short loc_9EFE6B
; 

loc_9EFE66:				; CODE XREF: EtwpEnableDisableUMGL(x,x,x,x,x)+19j
		mov	esi, 0FFDF0380h

loc_9EFE6B:				; CODE XREF: EtwpEnableDisableUMGL(x,x,x,x,x)+2Aj
		mov	cx, [ebp+arg_0]
		movzx	eax, cx
		cmp	eax, [edi+8]
		jnb	short loc_9EFED3
		test	cx, cx
		jz	short loc_9EFED3
		push	edx
		push	edx
		push	edx
		push	edx
		mov	edi, offset _EtwpGlobalMutex
		push	edi
		call	KeWaitForSingleObject
		mov	ecx, [ebp+arg_8]
		mov	ax, [ebp+arg_0]
		cmp	[ebp+var_1], bl
		jz	short loc_9EFEA6
		mov	byte ptr [ebp+arg_0], al
		mov	al, [ebp+arg_4]
		mov	byte ptr [ebp+arg_0+1],	al
		mov	ax, [ebp+arg_0]
		jmp	short loc_9EFEAF
; 

loc_9EFEA6:				; CODE XREF: EtwpEnableDisableUMGL(x,x,x,x,x)+5Bj
		mov	dl, [esi+ecx*2]
		cmp	dl, al
		jnz	short loc_9EFEB5
		xor	eax, eax

loc_9EFEAF:				; CODE XREF: EtwpEnableDisableUMGL(x,x,x,x,x)+6Aj
		mov	[esi+ecx*2], ax
		jmp	short loc_9EFEC9
; 

loc_9EFEB5:				; CODE XREF: EtwpEnableDisableUMGL(x,x,x,x,x)+71j
		xor	ebx, ebx
		test	dl, dl
		setnz	bl
		dec	ebx
		and	ebx, 2A8h
		add	ebx, 0C000005Ah

loc_9EFEC9:				; CODE XREF: EtwpEnableDisableUMGL(x,x,x,x,x)+79j
		push	0
		push	edi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		jmp	short loc_9EFED8
; 

loc_9EFED3:				; CODE XREF: EtwpEnableDisableUMGL(x,x,x,x,x)+3Bj
					; EtwpEnableDisableUMGL(x,x,x,x,x)+40j
		mov	ebx, 0C0000008h

loc_9EFED8:				; CODE XREF: EtwpEnableDisableUMGL(x,x,x,x,x)+97j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
_EtwpEnableDisableUMGL@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUMGLEnabled(x, x)
_EtwpUMGLEnabled@8 proc	near		; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+649p

var_40		= dword	ptr -40h
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
ms_exc		= CPPEH_RECORD ptr -18h

		push	30h
		push	offset dword_6A9D10
		call	__SEH_prolog4_GS
		mov	ebx, ecx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_38]
		rep stosd
		mov	[ebp+var_39], al
		mov	esi, [ebx+17Ch]
		test	esi, esi
		jz	short loc_9EFF5C
		lea	ecx, [ebx+0F0h]
		mov	[ebp+var_40], ecx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_9EFF5C
		lea	eax, [ebp+var_38]
		push	eax
		xor	edx, edx
		mov	ecx, ebx
		call	KiStackAttachProcess
		and	[ebp+ms_exc.disabled], 0
		bt	dword ptr [esi+240h], 0
		setb	[ebp+var_39]
		jmp	short loc_9EFF3E
; 

loc_9EFF37:				; DATA XREF: .text:006A9D24o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9EFF3B:				; DATA XREF: .text:006A9D28o
		mov	esp, [ebp+ms_exc.old_esp]

loc_9EFF3E:				; CODE XREF: EtwpUMGLEnabled(x,x)+54j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	edx, edx
		lea	ecx, [ebp+var_38]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [ebp+var_40]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	al, [ebp+var_39]
		jmp	short loc_9EFF5E
; 

loc_9EFF5C:				; CODE XREF: EtwpUMGLEnabled(x,x)+23j
					; EtwpUMGLEnabled(x,x)+35j
		xor	al, al

loc_9EFF5E:				; CODE XREF: EtwpUMGLEnabled(x,x)+79j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpUMGLEnabled@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdateDisallowList(x, x, x, x)
_EtwpUpdateDisallowList@16 proc	near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+63Fp
					; EtwStartAutoLogger+A0CCEp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	0
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9EFF89
		mov	esi, 0C000000Dh
		jmp	short loc_9EFFA5
; 

loc_9EFF89:				; CODE XREF: EtwpUpdateDisallowList(x,x,x,x)+12j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	edi		; int
		sub	esp, 0Ch	; int
		push	[ebp+arg_4]	; void *
		call	_EtwpUpdateDisallowedGuids@28 ;	EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)
		mov	esi, eax
		xor	dl, dl
		mov	ecx, edi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_9EFFA5:				; CODE XREF: EtwpUpdateDisallowList(x,x,x,x)+19j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_EtwpUpdateDisallowList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdatePerProcessTracing(x, x, x, x)
_EtwpUpdatePerProcessTracing@16	proc near ; CODE XREF: EtwpUpdateTrace+89023p
					; EtwpStartLogger+120B89p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_10], edx
		push	edi
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _EtwpGlobalMutex
		mov	esi, ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		call	KeWaitForSingleObject
		push	2
		pop	edx
		mov	ecx, esi
		call	_EtwpGetFlagExtension@8	; EtwpGetFlagExtension(x,x)
		mov	edi, [ebp+arg_4]
		test	eax, eax
		jz	short loc_9F003E
		mov	cx, [eax]
		xor	esi, esi
		shl	cx, 2
		sub	cx, 4
		mov	[ebp+var_18], edi
		movzx	ebx, cx
		shr	ebx, 2
		mov	byte ptr [ebp+var_14], 1
		test	ebx, ebx
		jz	short loc_9F003C
		mov	edi, eax

loc_9F000A:				; CODE XREF: EtwpUpdatePerProcessTracing(x,x,x,x)+8Aj
		lea	eax, [ebp+var_4]
		push	eax
		push	dword ptr [edi+esi*4+4]
		call	PsLookupProcessByProcessId
		test	eax, eax
		js	short loc_9F0034
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_4]
		call	_EtwpUpdateProcessTracingCallback@8 ; EtwpUpdateProcessTracingCallback(x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag

loc_9F0034:				; CODE XREF: EtwpUpdatePerProcessTracing(x,x,x,x)+6Cj
		inc	esi
		cmp	esi, ebx
		jb	short loc_9F000A
		mov	edi, [ebp+arg_4]

loc_9F003C:				; CODE XREF: EtwpUpdatePerProcessTracing(x,x,x,x)+59j
		xor	ebx, ebx

loc_9F003E:				; CODE XREF: EtwpUpdatePerProcessTracing(x,x,x,x)+3Bj
		mov	al, [ebp+arg_0]
		mov	byte ptr [ebp+var_8], al
		mov	eax, [ebp+var_10]
		cmp	eax, ds:_EtwpHostSiloState
		jz	short loc_9F0066
		mov	eax, [eax+4]
		mov	ecx, [eax+28Ch]
		mov	ax, word ptr [ebp+var_8]
		mov	[ecx+edi*2+226h], ax
		jmp	short loc_9F0072
; 

loc_9F0066:				; CODE XREF: EtwpUpdatePerProcessTracing(x,x,x,x)+A0j
		mov	ax, word ptr [ebp+var_8]
		mov	ds:0FFDF0380h[edi*2], ax

loc_9F0072:				; CODE XREF: EtwpUpdatePerProcessTracing(x,x,x,x)+B7j
		push	ebx
		push	offset _EtwpGlobalMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_EtwpUpdatePerProcessTracing@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdateProcessTracingCallback(x,	x)
_EtwpUpdateProcessTracingCallback@8 proc near
					; CODE XREF: EtwpUpdatePerProcessTracing(x,x,x,x)+75p
					; DATA XREF: EtwpDisableTraceProviders+128FE0o

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	28h
		push	offset dword_6A9CF0
		call	__SEH_prolog4_GS
		mov	esi, [ebp+arg_0]
		mov	ebx, [ebp+arg_4]
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		mov	edi, [esi+17Ch]
		test	edi, edi
		jz	short loc_9F0108
		lea	ecx, [esi+0F0h]
		mov	[ebp+var_38], ecx
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_9F0108
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	dl, [ebx+4]
		mov	ecx, [ebx]
		and	[ebp+ms_exc.disabled], 0
		lea	eax, [edi+240h]
		test	dl, dl
		jz	short loc_9F00E2
		lock bts [eax],	ecx
		jmp	short loc_9F00EF
; 

loc_9F00E2:				; CODE XREF: EtwpUpdateProcessTracingCallback(x,x)+56j
		lock btr [eax],	ecx
		jmp	short loc_9F00EF
; 

loc_9F00E8:				; DATA XREF: .text:006A9D04o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F00EC:				; DATA XREF: .text:006A9D08o
		mov	esp, [ebp+ms_exc.old_esp]

loc_9F00EF:				; CODE XREF: EtwpUpdateProcessTracingCallback(x,x)+5Cj
					; EtwpUpdateProcessTracingCallback(x,x)+62j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		mov	ecx, [ebp+var_38]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_9F0108:				; CODE XREF: EtwpUpdateProcessTracingCallback(x,x)+24j
					; EtwpUpdateProcessTracingCallback(x,x)+36j
		xor	eax, eax
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_EtwpUpdateProcessTracingCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpGetDisallowList(void *,int)
_EtwpGetDisallowList@16	proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+54Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		movzx	edx, word ptr [edx]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		xor	esi, esi
		mov	eax, [ebx]
		push	esi
		mov	[ebp+var_8], eax
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		mov	[ebp+var_4], edi
		test	edi, edi
		jnz	short loc_9F014A
		mov	esi, 0C000000Dh
		jmp	short loc_9F01BD
; 

loc_9F014A:				; CODE XREF: EtwpGetDisallowList(x,x,x,x)+25j
		push	dword ptr [ebx]	; size_t
		push	esi		; int
		push	[ebp+arg_0]	; void *
		call	_memset
		add	esp, 0Ch
		lea	ebx, [edi+1F0h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		movzx	edi, word ptr [edi+2D4h]
		shl	edi, 4
		cmp	edi, [ebp+var_8]
		ja	short loc_9F018D
		mov	eax, [ebp+var_4]
		push	edi		; size_t
		push	dword ptr [eax+2D8h] ; void *
		push	[ebp+arg_0]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_9F0192
; 

loc_9F018D:				; CODE XREF: EtwpGetDisallowList(x,x,x,x)+58j
		mov	esi, 0C0000023h

loc_9F0192:				; CODE XREF: EtwpGetDisallowList(x,x,x,x)+6Fj
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_9F01AC
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9F01AC:				; CODE XREF: EtwpGetDisallowList(x,x,x,x)+87j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_4]
		xor	dl, dl
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_9F01BD:				; CODE XREF: EtwpGetDisallowList(x,x,x,x)+2Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_EtwpGetDisallowList@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpGetTraceGroupInfo(void *,int)
_EtwpGetTraceGroupInfo@16 proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+52Dp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_14], 0
		xor	eax, eax
		and	[ebp+var_10], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		push	2
		mov	[ebp+var_4], eax
		mov	edi, [esi]
		mov	[ebp+var_18], edi
		call	_EtwpFindGuidEntryByGuid@12 ; EtwpFindGuidEntryByGuid(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_20], ebx
		test	ebx, ebx
		jnz	short loc_9F0200
		mov	eax, 0C0000295h
		jmp	loc_9F03EE
; 

loc_9F0200:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+2Ej
		push	dword ptr [esi]	; size_t
		mov	esi, [ebp+arg_0]
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [ebx+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		push	4
		mov	[ebx+170h], eax
		pop	eax
		push	8
		pop	ecx
		cmp	edi, eax
		jb	short loc_9F0243
		mov	[esi], ecx

loc_9F0243:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+79j
		lea	edx, [esi+4]
		mov	[ebp+var_C], ecx
		add	ebx, 60h

loc_9F024C:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+A8j
		add	eax, 20h
		cmp	eax, edi
		ja	short loc_9F0265
		push	8
		mov	edi, edx
		mov	esi, ebx
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_18]
		add	edx, 20h
		mov	ecx, [ebp+var_C]

loc_9F0265:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+8Bj
		add	ebx, 20h
		sub	ecx, 1
		mov	[ebp+var_C], ecx
		jnz	short loc_9F024C
		mov	ecx, [ebp+var_20]
		mov	ebx, [ebp+arg_0]
		add	ecx, 24h
		mov	[ebp+var_28], eax
		add	eax, 4
		add	ebx, eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ebx
		mov	esi, [ecx]
		cmp	esi, ecx
		mov	[ebp+var_24], ecx
		jmp	loc_9F0326
; 

loc_9F0293:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+163j
		lea	ecx, [ebp+var_8]
		push	ecx
		push	10h
		pop	edx
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_9F0341
		inc	[ebp+var_10]
		mov	eax, [ebp+var_8]
		cmp	eax, edi
		ja	short loc_9F0321
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [esi+8]
		xor	edx, edx
		add	ecx, 16Ch
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		xor	edx, edx
		mov	eax, [esi+8]
		mov	edi, [ebp+var_C]
		mov	[eax+170h], ecx
		mov	esi, [esi+8]
		add	esi, 14h
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_1C]
		mov	eax, [esi+8]
		and	dword ptr [eax+170h], 0
		mov	ecx, [esi+8]
		add	ecx, 16Ch
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		add	[ebp+var_C], 10h
		mov	eax, [ebp+var_8]
		mov	edi, [ebp+var_18]

loc_9F0321:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+EBj
		mov	esi, [esi]
		cmp	esi, [ebp+var_24]

loc_9F0326:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+C8j
		mov	[ebp+var_1C], esi
		jnz	loc_9F0293
		cmp	eax, edi
		ja	short loc_9F03B2
		mov	esi, [ebp+var_10]
		xor	edi, edi
		inc	edi
		cmp	esi, edi
		jnz	short loc_9F034A
		mov	eax, edi
		jmp	short loc_9F03A7
; 

loc_9F0341:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+DDj
		mov	[ebp+var_14], 80000005h
		jmp	short loc_9F03B9
; 

loc_9F034A:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+175j
		jbe	short loc_9F03A4
		push	offset _EtwpCompareGuid	; int __cdecl (*)(const	void *,const void *)
		push	10h		; size_t
		push	esi		; size_t
		push	ebx		; void *
		call	_qsort
		add	esp, 10h
		lea	edx, [ebx+10h]
		mov	eax, edi
		dec	esi
		mov	[ebp+var_4], eax
		mov	[ebp+var_1C], esi

loc_9F0369:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+1DAj
		xor	ecx, ecx

loc_9F036B:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+1B1j
		mov	eax, [edx+ecx*4]
		cmp	eax, [ebx+ecx*4]
		jnz	short loc_9F037E
		inc	ecx
		cmp	ecx, 4
		jnz	short loc_9F036B
		mov	eax, [ebp+var_4]
		jmp	short loc_9F0397
; 

loc_9F037E:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+1ABj
		add	ebx, 10h
		cmp	ebx, edx
		jz	short loc_9F0390
		mov	esi, edx
		mov	edi, ebx
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_1C]

loc_9F0390:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+1BDj
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax

loc_9F0397:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+1B6j
		add	edx, 10h
		sub	esi, 1
		mov	[ebp+var_1C], esi
		jnz	short loc_9F0369
		jmp	short loc_9F03A7
; 

loc_9F03A4:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x):loc_9F034Aj
		mov	eax, [ebp+var_4]

loc_9F03A7:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+179j
					; EtwpGetTraceGroupInfo(x,x,x,x)+1DCj
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+var_28]
		mov	[edx+ecx], eax
		jmp	short loc_9F03B9
; 

loc_9F03B2:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+16Bj
		mov	[ebp+var_14], 0C0000023h

loc_9F03B9:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+182j
					; EtwpGetTraceGroupInfo(x,x,x,x)+1EAj
		mov	ebx, [ebp+var_20]
		xor	edx, edx
		and	dword ptr [ebx+170h], 0
		lea	ecx, [ebx+16Ch]
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, ebx
		call	EtwpUnreferenceGuidEntry
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_8]
		mov	[eax], ecx
		mov	eax, [ebp+var_14]

loc_9F03EE:				; CODE XREF: EtwpGetTraceGroupInfo(x,x,x,x)+35j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_EtwpGetTraceGroupInfo@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetTraceGroupList(x, x,	x)
_EtwpGetTraceGroupList@12 proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+50Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax]
		xor	esi, esi
		mov	[ebp+var_4], edx
		mov	ebx, esi
		shr	edi, 4
		xor	edx, edx
		push	2
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edi
		call	_EtwpGetNextGuidEntry@12 ; EtwpGetNextGuidEntry(x,x,x)
		test	eax, eax
		jz	short loc_9F045D

loc_9F0422:				; CODE XREF: EtwpGetTraceGroupList(x,x,x)+5Dj
		inc	ebx
		cmp	ebx, 0FFFFFFFh
		ja	short loc_9F0458
		cmp	ebx, edi
		ja	short loc_9F0444
		mov	ecx, [ebp+var_4]
		lea	esi, [eax+14h]
		mov	edi, ecx
		add	ecx, 10h
		mov	[ebp+var_4], ecx
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_8]

loc_9F0444:				; CODE XREF: EtwpGetTraceGroupList(x,x,x)+38j
		mov	ecx, [ebp+var_C]
		mov	edx, eax
		push	2
		call	_EtwpGetNextGuidEntry@12 ; EtwpGetNextGuidEntry(x,x,x)
		test	eax, eax
		jnz	short loc_9F0422
		xor	esi, esi
		jmp	short loc_9F045D
; 

loc_9F0458:				; CODE XREF: EtwpGetTraceGroupList(x,x,x)+34j
		mov	esi, 80000005h

loc_9F045D:				; CODE XREF: EtwpGetTraceGroupList(x,x,x)+2Bj
					; EtwpGetTraceGroupList(x,x,x)+61j
		mov	ecx, [ebp+arg_0]
		mov	eax, ebx
		shl	eax, 4
		mov	[ecx], eax
		test	esi, esi
		js	short loc_9F0474
		cmp	ebx, edi
		jbe	short loc_9F0474
		mov	esi, 0C0000023h

loc_9F0474:				; CODE XREF: EtwpGetTraceGroupList(x,x,x)+74j
					; EtwpGetTraceGroupList(x,x,x)+78j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpGetTraceGroupList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetTraceGuidList(x, x, x)
_EtwpGetTraceGuidList@12 proc near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+4D1p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		mov	[ebp+var_4], edx
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx]
		xor	esi, esi
		shr	edi, 4
		mov	ebx, esi
		mov	[ebp+var_C], eax
		xor	edx, edx
		mov	[ebp+var_8], edi
		mov	ecx, eax
		jmp	short loc_9F04EC
; 

loc_9F04A5:				; CODE XREF: EtwpGetTraceGuidList(x,x,x)+79j
		lea	eax, [edx+14h]
		mov	ecx, esi

loc_9F04AA:				; CODE XREF: EtwpGetTraceGuidList(x,x,x)+44j
		mov	eax, [eax+ecx*4]
		mov	edi, offset _PrivateLoggerNotificationGuid
		cmp	eax, [edi+ecx*4]
		mov	edi, [ebp+var_8]
		jnz	short loc_9F04C5
		inc	ecx
		lea	eax, [edx+14h]
		cmp	ecx, 4
		jnz	short loc_9F04AA
		jmp	short loc_9F04E9
; 

loc_9F04C5:				; CODE XREF: EtwpGetTraceGuidList(x,x,x)+3Bj
		inc	ebx
		cmp	ebx, 0FFFFFFFh
		ja	short loc_9F052B
		cmp	ebx, edi
		ja	short loc_9F04E9
		mov	eax, [ebp+var_4]
		lea	esi, [edx+14h]
		mov	edi, eax
		add	eax, 10h
		mov	[ebp+var_4], eax
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_8]
		xor	esi, esi

loc_9F04E9:				; CODE XREF: EtwpGetTraceGuidList(x,x,x)+46j
					; EtwpGetTraceGuidList(x,x,x)+53j
		mov	ecx, [ebp+var_C]

loc_9F04EC:				; CODE XREF: EtwpGetTraceGuidList(x,x,x)+26j
		push	esi
		call	_EtwpGetNextGuidEntry@12 ; EtwpGetNextGuidEntry(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_9F04A5
		mov	eax, esi

loc_9F04FA:				; CODE XREF: EtwpGetTraceGuidList(x,x,x)+A8j
		inc	ebx
		cmp	ebx, 0FFFFFFFh
		ja	short loc_9F052B
		cmp	ebx, edi
		ja	short loc_9F051F
		mov	esi, ds:_EtwpUmglProviders[eax]
		mov	ecx, [ebp+var_4]
		mov	edi, ecx
		add	ecx, 10h
		mov	[ebp+var_4], ecx
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_8]

loc_9F051F:				; CODE XREF: EtwpGetTraceGuidList(x,x,x)+88j
		add	eax, 8
		cmp	eax, 50h
		jb	short loc_9F04FA
		xor	ecx, ecx
		jmp	short loc_9F0530
; 

loc_9F052B:				; CODE XREF: EtwpGetTraceGuidList(x,x,x)+4Fj
					; EtwpGetTraceGuidList(x,x,x)+84j
		mov	ecx, 80000005h

loc_9F0530:				; CODE XREF: EtwpGetTraceGuidList(x,x,x)+ACj
		mov	edx, [ebp+arg_0]
		mov	eax, ebx
		shl	eax, 4
		mov	[edx], eax
		test	ecx, ecx
		js	short loc_9F0547
		cmp	ebx, edi
		jbe	short loc_9F0547
		mov	ecx, 0C0000023h

loc_9F0547:				; CODE XREF: EtwpGetTraceGuidList(x,x,x)+BFj
					; EtwpGetTraceGuidList(x,x,x)+C3j
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	4
_EtwpGetTraceGuidList@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpUseDescriptorTypeKm(x, x)
_EtwpUseDescriptorTypeKm@8 proc	near	; CODE XREF: EtwSetInformation+BCE0Ap
		cmp	dl, 1
		jnz	short loc_9F0563
		mov	edx, 200h
		lea	eax, [ecx+32h]
		lock or	[eax], dx
		jmp	short loc_9F0573
; 

loc_9F0563:				; CODE XREF: EtwpUseDescriptorTypeKm(x,x)+3j
		test	dl, dl
		jnz	short loc_9F0576
		mov	edx, 0FFFFFDFFh
		lea	eax, [ecx+32h]
		lock and [eax],	dx

loc_9F0573:				; CODE XREF: EtwpUseDescriptorTypeKm(x,x)+11j
		xor	eax, eax
		retn
; 

loc_9F0576:				; CODE XREF: EtwpUseDescriptorTypeKm(x,x)+15j
		mov	eax, 0C000000Dh
		retn
_EtwpUseDescriptorTypeKm@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUseDescriptorTypeUm(x)
_EtwpUseDescriptorTypeUm@4 proc	near	; CODE XREF: NtTraceControl(x,x,x,x,x,x)+689p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_EtwpRegistrationObjectType
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	0
		mov	edi, ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	1
		push	eax
		mov	edx, [edi]
		push	800h
		push	edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9F05E1
		mov	al, [edi+8]
		mov	ecx, [ebp+var_4]
		cmp	al, 1
		jnz	short loc_9F05C3
		mov	edx, 200h
		lea	eax, [ecx+32h]
		lock or	[eax], dx
		jmp	short loc_9F05DA
; 

loc_9F05C3:				; CODE XREF: EtwpUseDescriptorTypeUm(x)+37j
		test	al, al
		jnz	short loc_9F05D5
		mov	edx, 0FFFFFDFFh
		lea	eax, [ecx+32h]
		lock and [eax],	dx
		jmp	short loc_9F05DA
; 

loc_9F05D5:				; CODE XREF: EtwpUseDescriptorTypeUm(x)+49j
		mov	esi, 0C000000Dh

loc_9F05DA:				; CODE XREF: EtwpUseDescriptorTypeUm(x)+45j
					; EtwpUseDescriptorTypeUm(x)+57j
		call	ObfDereferenceObject
		mov	eax, esi

loc_9F05E1:				; CODE XREF: EtwpUseDescriptorTypeUm(x)+2Dj
		pop	edi
		pop	esi
		leave
		retn
_EtwpUseDescriptorTypeUm@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwQueryProcessTelemetryCoverage(size_t,int)
_EtwQueryProcessTelemetryCoverage@16 proc near ; CODE XREF: PAGE:0083F3F3p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	1Ch
		push	offset dword_6A9D30
		call	__SEH_prolog4
		mov	ebx, edx
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	ecx, eax
		jz	short loc_9F060F
		mov	[ebp+var_1C], 0C00000BBh
		jmp	loc_9F0734
; 

loc_9F060F:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+1Cj
		cmp	_EtwpCoverageContext, 0
		jnz	short loc_9F0624
		mov	[ebp+var_1C], 0C00000B7h
		jmp	loc_9F0734
; 

loc_9F0624:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+31j
		call	_EtwpCoverageUserIsAdmin@0 ; EtwpCoverageUserIsAdmin()
		test	al, al
		jnz	short loc_9F0639
		mov	[ebp+var_1C], 0C0000022h
		jmp	loc_9F0734
; 

loc_9F0639:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+46j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _EtwpCoverageLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	_EtwpCoverageLockOwner,	eax
		mov	edi, _EtwpCoverageContext
		mov	eax, [edi+8]
		mov	edx, [eax+10h]
		lea	esi, [edi+20h]
		mov	[ebp+var_28], esi
		mov	ecx, [esi]

loc_9F0672:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+9Dj
		cmp	ecx, esi
		jz	short loc_9F0684
		mov	eax, [ecx+0Ch]
		sub	eax, ecx
		add	edx, 0FFFFFFECh
		add	edx, eax
		mov	ecx, [ecx]
		jmp	short loc_9F0672
; 

loc_9F0684:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+8Fj
		mov	[ebp+var_20], edx
		and	[ebp+ms_exc.disabled], 0
		mov	esi, offset _EtwpCoverageLock
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_9F0699
		mov	[eax], edx

loc_9F0699:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+B0j
		mov	[ebp+var_24], ebx
		mov	eax, [edi+8]
		mov	edi, [eax+10h]
		cmp	[ebp+arg_0], edi
		jnb	short loc_9F06AA
		mov	edi, [ebp+arg_0]

loc_9F06AA:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+C0j
		test	edi, edi
		jz	short loc_9F06C1
		push	edi		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		add	ebx, edi
		mov	[ebp+var_24], ebx
		mov	edx, [ebp+var_20]

loc_9F06C1:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+C7j
		cmp	[ebp+arg_0], edx
		jb	short loc_9F0704
		mov	eax, [ebp+var_28]
		mov	edi, [eax]

loc_9F06CB:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+110j
		cmp	edi, eax
		jz	short loc_9F06F7
		mov	eax, [edi+0Ch]
		sub	eax, edi
		sub	eax, 14h
		mov	[ebp+arg_0], eax
		jz	short loc_9F06F0
		push	eax		; size_t
		lea	eax, [edi+14h]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		add	ebx, [ebp+arg_0]
		mov	[ebp+var_24], ebx

loc_9F06F0:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+F5j
		mov	edi, [edi]
		mov	eax, [ebp+var_28]
		jmp	short loc_9F06CB
; 

loc_9F06F7:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+E8j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		and	[ebp+var_1C], 0
		jmp	short loc_9F0739
; 

loc_9F0704:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+DFj
		mov	[ebp+var_1C], 80000005h
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9F0739
; 

loc_9F0714:				; DATA XREF: .text:006A9D44o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_9F0724:				; DATA XREF: .text:006A9D48o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_1C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9F0734:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+25j
					; EtwQueryProcessTelemetryCoverage(x,x,x,x)+3Aj ...
		mov	esi, offset _EtwpCoverageLock

loc_9F0739:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+11Dj
					; EtwQueryProcessTelemetryCoverage(x,x,x,x)+12Dj
		mov	eax, _EtwpCoverageLockOwner
		cmp	eax, large fs:124h
		jnz	short loc_9F0775
		and	_EtwpCoverageLockOwner,	0
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9F0762
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9F0762:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+174j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9F0775:				; CODE XREF: EtwQueryProcessTelemetryCoverage(x,x,x,x)+160j
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_EtwQueryProcessTelemetryCoverage@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageCheckCP(x, x)
_EtwpCoverageCheckCP@8 proc near	; CODE XREF: EtwSetProcessTelemetryCoverage+AEF3Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		xor	ebx, ebx
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], ebx
		mov	ecx, edi
		call	_EtwpCoverageValidateCP@8 ; EtwpCoverageValidateCP(x,x)
		mov	esi, offset _EtwpCoverageLock
		test	eax, eax
		jz	short loc_9F0801
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	esi, [edi+4]
		mov	edx, esi
		mov	_EtwpCoverageLockOwner,	eax
		mov	eax, [ebp+var_8]
		mov	eax, [eax+8]
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	TelemetryCoverageTableLocateInternal
		cmp	[eax], esi
		mov	esi, offset _EtwpCoverageLock
		jnz	short loc_9F07FE
		mov	eax, [ebp+var_8]
		inc	ebx
		mov	eax, [eax+18h]
		mov	[edi+8], eax
		jmp	short loc_9F0801
; 

loc_9F07FE:				; CODE XREF: EtwpCoverageCheckCP(x,x)+66j
		and	[edi+8], ebx

loc_9F0801:				; CODE XREF: EtwpCoverageCheckCP(x,x)+26j
					; EtwpCoverageCheckCP(x,x)+72j
		mov	eax, _EtwpCoverageLockOwner
		cmp	eax, large fs:124h
		jnz	short loc_9F083D
		and	_EtwpCoverageLockOwner,	0
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9F082A
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9F082A:				; CODE XREF: EtwpCoverageCheckCP(x,x)+97j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9F083D:				; CODE XREF: EtwpCoverageCheckCP(x,x)+83j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_EtwpCoverageCheckCP@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageFreeStringBuffers(x, x)
_EtwpCoverageFreeStringBuffers@8 proc near ; CODE XREF:	EtwpCoverageEnsureContext()+406p
					; EtwpCoverageReset(x,x)+120p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		lea	eax, [ecx+20h]
		mov	[ebp+var_8], edx
		push	ebx
		mov	ebx, [eax]
		mov	[ebp+var_4], ecx
		cmp	ebx, eax
		jz	short loc_9F08BB
		push	esi
		push	edi

loc_9F085D:				; CODE XREF: EtwpCoverageFreeStringBuffers(x,x)+6Ej
		mov	edi, ebx
		mov	ebx, [ebx]
		test	edx, edx
		jz	short loc_9F0889
		cmp	edi, [ecx+1Ch]
		jnz	short loc_9F0889
		mov	eax, [edi+8]
		lea	esi, [edi+14h]
		sub	eax, edi
		sub	eax, 14h
		push	eax		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[edi+0Ch], esi
		mov	[edi+10h], esi
		jmp	short loc_9F08A5
; 

loc_9F0889:				; CODE XREF: EtwpCoverageFreeStringBuffers(x,x)+1Fj
					; EtwpCoverageFreeStringBuffers(x,x)+24j
		cmp	[ebx+4], edi
		jnz	short loc_9F08B4
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_9F08B4
		push	56777445h
		mov	[eax], ebx
		push	edi
		mov	[ebx+4], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F08A5:				; CODE XREF: EtwpCoverageFreeStringBuffers(x,x)+43j
		mov	ecx, [ebp+var_4]
		lea	eax, [ecx+20h]
		cmp	ebx, eax
		jz	short loc_9F08B9
		mov	edx, [ebp+var_8]
		jmp	short loc_9F085D
; 

loc_9F08B4:				; CODE XREF: EtwpCoverageFreeStringBuffers(x,x)+48j
					; EtwpCoverageFreeStringBuffers(x,x)+4Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9F08B9:				; CODE XREF: EtwpCoverageFreeStringBuffers(x,x)+69j
		pop	edi
		pop	esi

loc_9F08BB:				; CODE XREF: EtwpCoverageFreeStringBuffers(x,x)+15j
		pop	ebx
		leave
		retn
_EtwpCoverageFreeStringBuffers@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageReset(x, x)
_EtwpCoverageReset@8 proc near		; CODE XREF: EtwpCoverageFlushWorkItemCallback(x)+23p
					; EtwSetProcessTelemetryCoverage+AEF83p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	[esp+18h+var_C], esi
		mov	edi, offset _EtwpCoverageLock
		mov	eax, [esi+8]
		cmp	dword ptr [eax+20h], 0
		jz	loc_9F0A74
		mov	eax, dword_6B3750
		cmp	eax, ds:0FFDF037Ch
		jnb	short loc_9F091A
		cmp	dword_6B374C, 0
		jnz	short loc_9F0910
		mov	ecx, off_6B3748
		lea	edx, [esp+18h+var_4]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B374C, eax

loc_9F0910:				; CODE XREF: EtwpCoverageReset(x,x)+3Cj
		push	offset off_6B3748
		call	_EtwTelemetryCoverageReport@4 ;	EtwTelemetryCoverageReport(x)

loc_9F091A:				; CODE XREF: EtwpCoverageReset(x,x)+33j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	_EtwpCoverageLockOwner,	eax
		test	bl, 4
		jz	short loc_9F094B
		test	byte ptr [esi+18h], 1
		jz	loc_9F0A74

loc_9F094B:				; CODE XREF: EtwpCoverageReset(x,x)+81j
		mov	edi, 0FFDF0324h
		lea	eax, [edi-4]
		lea	ecx, [edi+4]
		test	bl, 1
		jnz	short loc_9F09B6
		mov	edi, [edi]
		mov	edx, [eax]
		mov	eax, [ecx]
		mov	ebx, ds:0FFDF0004h
		mov	[esp+18h+var_8], ebx
		cmp	edi, eax
		jz	short loc_9F098E
		lea	esi, [ecx-4]
		lea	ebx, [ecx-8]

loc_9F0975:				; CODE XREF: EtwpCoverageReset(x,x)+C6j
		pause
		mov	edi, [esi]
		mov	edx, [ebx]
		mov	ecx, [ecx]
		cmp	edi, ecx
		mov	ecx, 0FFDF0328h
		jnz	short loc_9F0975
		mov	esi, [esp+18h+var_C]
		mov	ebx, [esp+18h+var_8]

loc_9F098E:				; CODE XREF: EtwpCoverageReset(x,x)+AFj
		mov	eax, edx
		shl	edi, 8
		mul	ebx
		imul	edi, ebx
		shrd	eax, edx, 18h
		add	eax, edi
		sub	eax, [esi+0Ch]
		cmp	eax, 927C0h
		ja	short loc_9F09B1
		or	dword ptr [esi+18h], 1
		jmp	loc_9F0A6F
; 

loc_9F09B1:				; CODE XREF: EtwpCoverageReset(x,x)+E8j
		mov	edi, 0FFDF0324h

loc_9F09B6:				; CODE XREF: EtwpCoverageReset(x,x)+9Bj
		and	dword ptr [esi+18h], 0FFFFFFFEh
		mov	ecx, esi
		call	_EtwpCoverageFlushPending@4 ; EtwpCoverageFlushPending(x)
		mov	ecx, [esi+8]
		mov	eax, [ecx+4]
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [ecx+34h]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	edx, edx
		inc	edx
		mov	ecx, esi
		call	_EtwpCoverageFreeStringBuffers@8 ; EtwpCoverageFreeStringBuffers(x,x)
		mov	eax, [esi]
		and	dword ptr [eax+4], 0
		mov	eax, [esi+8]
		inc	dword ptr [eax+18h]
		mov	eax, [esi+8]
		mov	ecx, [esi]
		mov	eax, [eax+18h]
		mov	[ecx], eax
		mov	eax, [esi+8]
		test	byte ptr [eax+2], 1
		jnz	short loc_9F0A0A
		mov	eax, [eax+18h]
		mov	ds:0FFDF037Ch, eax

loc_9F0A0A:				; CODE XREF: EtwpCoverageReset(x,x)+142j
		mov	edi, [edi]
		mov	edx, 0FFDF0320h
		mov	ebx, ds:0FFDF0004h
		mov	eax, 0FFDF0328h
		mov	[esp+18h+var_8], ebx
		mov	edx, [edx]
		mov	eax, [eax]
		cmp	edi, eax
		jz	short loc_9F0A47
		mov	eax, 0FFDF0324h
		lea	esi, [eax-4]
		lea	ebx, [eax+4]

loc_9F0A33:				; CODE XREF: EtwpCoverageReset(x,x)+17Fj
		pause
		mov	edi, [eax]
		mov	edx, [esi]
		mov	ecx, [ebx]
		cmp	edi, ecx
		jnz	short loc_9F0A33
		mov	esi, [esp+18h+var_C]
		mov	ebx, [esp+18h+var_8]

loc_9F0A47:				; CODE XREF: EtwpCoverageReset(x,x)+168j
		mov	ecx, [esi+8]
		mov	eax, edx
		mul	ebx
		shl	edi, 8
		shrd	eax, edx, 18h
		imul	edi, ebx
		add	eax, edi
		mov	[ecx+14h], eax
		mov	eax, [esi+8]
		mov	ecx, [esi]
		mov	eax, [eax+14h]
		mov	[ecx+14h], eax
		mov	eax, [esi+8]
		and	dword ptr [eax+20h], 0

loc_9F0A6F:				; CODE XREF: EtwpCoverageReset(x,x)+EEj
		mov	edi, offset _EtwpCoverageLock

loc_9F0A74:				; CODE XREF: EtwpCoverageReset(x,x)+22j
					; EtwpCoverageReset(x,x)+87j
		mov	eax, _EtwpCoverageLockOwner
		cmp	eax, large fs:124h
		jnz	short loc_9F0AB0
		and	_EtwpCoverageLockOwner,	0
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9F0A9D
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9F0A9D:				; CODE XREF: EtwpCoverageReset(x,x)+1D6j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9F0AB0:				; CODE XREF: EtwpCoverageReset(x,x)+1C2j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_EtwpCoverageReset@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageResetCP(x, x)
_EtwpCoverageResetCP@8 proc near	; CODE XREF: EtwSetProcessTelemetryCoverage+AEF4Ap

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], ebx
		mov	esi, eax
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], eax
		mov	[edi+8], eax
		mov	eax, dword_6B3770
		cmp	eax, ds:0FFDF037Ch
		jnb	short loc_9F0B0E
		cmp	dword_6B376C, esi
		jnz	short loc_9F0B04
		mov	ecx, off_6B3768
		lea	edx, [ebp+var_24]
		call	_TelemetryCoverageStringHashInternal@8 ; TelemetryCoverageStringHashInternal(x,x)
		mov	dword_6B376C, eax

loc_9F0B04:				; CODE XREF: EtwpCoverageResetCP(x,x)+38j
		push	offset off_6B3768
		call	_EtwTelemetryCoverageReport@4 ;	EtwTelemetryCoverageReport(x)

loc_9F0B0E:				; CODE XREF: EtwpCoverageResetCP(x,x)+30j
		lea	edx, [ebp+var_14]
		mov	ecx, edi
		call	_EtwpCoverageValidateCP@8 ; EtwpCoverageValidateCP(x,x)
		or	ecx, 0FFFFFFFFh
		mov	edx, offset _EtwpCoverageLock
		test	eax, eax
		jz	loc_9F0D32
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _EtwpCoverageLock
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	_EtwpCoverageLockOwner,	eax
		mov	eax, 0FFDF0324h
		mov	esi, ds:0FFDF0004h
		mov	[ebp+var_1C], esi
		mov	ecx, [eax]
		add	eax, 0FFFFFFFCh
		mov	edx, [eax]
		mov	eax, 0FFDF0328h
		mov	eax, [eax]
		cmp	ecx, eax
		jz	short loc_9F0B8D
		mov	ebx, 0FFDF0324h
		lea	edi, [ebx-4]
		lea	esi, [ebx+4]

loc_9F0B78:				; CODE XREF: EtwpCoverageResetCP(x,x)+CBj
		pause
		mov	ecx, [ebx]
		mov	edx, [edi]
		mov	eax, [esi]
		cmp	ecx, eax
		jnz	short loc_9F0B78
		mov	ebx, [ebp+var_10]
		mov	esi, [ebp+var_1C]
		mov	edi, [ebp+var_18]

loc_9F0B8D:				; CODE XREF: EtwpCoverageResetCP(x,x)+B4j
		mov	eax, edx
		shl	ecx, 8
		mul	esi
		imul	ecx, esi
		shrd	eax, edx, 18h
		add	eax, ecx
		mov	ecx, [ebx+8]
		mov	[ebx+0Ch], eax
		mov	esi, [edi+4]
		mov	edx, esi
		call	TelemetryCoverageTableLocateInternal
		mov	[ebp+var_24], eax
		cmp	[eax], esi
		jnz	loc_9F0D27
		mov	ecx, ebx
		call	_EtwpCoverageFlushPending@4 ; EtwpCoverageFlushPending(x)
		mov	eax, [ebx+8]
		push	56777445h
		mov	eax, [eax+20h]
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	short loc_9F0C5D
		lea	eax, [ebx+20h]
		mov	esi, [eax]
		jmp	short loc_9F0C56
; 

loc_9F0BE5:				; CODE XREF: EtwpCoverageResetCP(x,x)+1A1j
		mov	edx, [esi+0Ch]
		lea	ecx, [esi+14h]
		mov	[ebp+var_1C], edx
		cmp	ecx, edx
		jnb	short loc_9F0C54

loc_9F0BF2:				; CODE XREF: EtwpCoverageResetCP(x,x)+198j
		mov	edx, ecx
		lea	eax, [edx+1]
		mov	[ebp+var_20], eax

loc_9F0BFA:				; CODE XREF: EtwpCoverageResetCP(x,x)+148j
		mov	al, [edx]
		inc	edx
		test	al, al
		jnz	short loc_9F0BFA
		sub	edx, [ebp+var_20]
		cmp	edx, [ebp+var_14]
		jnz	short loc_9F0C49
		mov	edi, [edi]
		mov	eax, ecx

loc_9F0C0D:				; CODE XREF: EtwpCoverageResetCP(x,x)+180j
		mov	bl, [eax]
		cmp	bl, [edi]
		mov	[ebp+var_1], bl
		mov	ebx, [ebp+var_10]
		jnz	short loc_9F0C3D
		cmp	[ebp+var_1], 0
		jz	short loc_9F0C39
		mov	bl, [eax+1]
		cmp	bl, [edi+1]
		mov	[ebp+var_1], bl
		mov	ebx, [ebp+var_10]
		jnz	short loc_9F0C3D
		add	eax, 2
		add	edi, 2
		cmp	[ebp+var_1], 0
		jnz	short loc_9F0C0D

loc_9F0C39:				; CODE XREF: EtwpCoverageResetCP(x,x)+166j
		xor	eax, eax
		jmp	short loc_9F0C42
; 

loc_9F0C3D:				; CODE XREF: EtwpCoverageResetCP(x,x)+160j
					; EtwpCoverageResetCP(x,x)+174j
		sbb	eax, eax
		or	eax, 1

loc_9F0C42:				; CODE XREF: EtwpCoverageResetCP(x,x)+184j
		test	eax, eax
		jz	short loc_9F0C6D
		mov	edi, [ebp+var_18]

loc_9F0C49:				; CODE XREF: EtwpCoverageResetCP(x,x)+150j
		inc	ecx
		add	ecx, edx
		cmp	ecx, [ebp+var_1C]
		jb	short loc_9F0BF2
		lea	eax, [ebx+20h]

loc_9F0C54:				; CODE XREF: EtwpCoverageResetCP(x,x)+139j
		mov	esi, [esi]

loc_9F0C56:				; CODE XREF: EtwpCoverageResetCP(x,x)+12Cj
		cmp	esi, eax
		jnz	short loc_9F0BE5
		mov	esi, [ebp+var_8]

loc_9F0C5D:				; CODE XREF: EtwpCoverageResetCP(x,x)+125j
		mov	ebx, [ebp+var_C]

loc_9F0C60:				; CODE XREF: EtwpCoverageResetCP(x,x)+26Bj
		or	ecx, 0FFFFFFFFh
		mov	edx, offset _EtwpCoverageLock
		jmp	loc_9F0D34
; 

loc_9F0C6D:				; CODE XREF: EtwpCoverageResetCP(x,x)+18Dj
		mov	edi, [ebp+var_14]
		mov	edx, [ebp+var_1C]
		lea	eax, [edi+1]
		add	eax, ecx
		sub	edx, eax
		push	edx		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memmove
		or	eax, 0FFFFFFFFh
		add	esp, 0Ch
		sub	eax, edi
		xor	edi, edi
		add	[esi+0Ch], eax
		mov	eax, [esi+0Ch]
		mov	[esi+10h], eax
		xor	esi, esi
		mov	eax, [ebx+8]
		inc	dword ptr [eax+0Ch]
		mov	eax, [ebp+var_24]
		and	dword ptr [eax], 0
		mov	eax, [ebx+8]
		dec	dword ptr [eax+20h]
		mov	ecx, [ebx+8]
		cmp	[ecx+4], esi
		jbe	short loc_9F0CD9
		push	34h
		mov	eax, ecx
		pop	edx

loc_9F0CB6:				; CODE XREF: EtwpCoverageResetCP(x,x)+220j
		mov	ecx, [edx+eax]
		test	ecx, ecx
		jz	short loc_9F0CCE
		mov	eax, [ebp+var_8]
		mov	[eax+esi*4], ecx
		inc	esi
		mov	ecx, [ebx+8]
		mov	eax, ecx
		cmp	esi, [ecx+20h]
		jnb	short loc_9F0CD9

loc_9F0CCE:				; CODE XREF: EtwpCoverageResetCP(x,x)+204j
		inc	edi
		add	edx, 4
		mov	ecx, eax
		cmp	edi, [eax+4]
		jb	short loc_9F0CB6

loc_9F0CD9:				; CODE XREF: EtwpCoverageResetCP(x,x)+1F8j
					; EtwpCoverageResetCP(x,x)+215j
		mov	eax, [ecx+4]
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [ecx+34h]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebx+8]
		xor	edi, edi
		add	esp, 0Ch
		cmp	[eax+20h], edi
		jbe	short loc_9F0D13

loc_9F0CF8:				; CODE XREF: EtwpCoverageResetCP(x,x)+25Aj
		mov	eax, [ebp+var_8]
		mov	ecx, [ebx+8]
		mov	esi, [eax+edi*4]
		mov	edx, esi
		call	TelemetryCoverageTableLocateInternal
		inc	edi
		mov	[eax], esi
		mov	eax, [ebx+8]
		cmp	edi, [eax+20h]
		jb	short loc_9F0CF8

loc_9F0D13:				; CODE XREF: EtwpCoverageResetCP(x,x)+23Fj
		mov	ecx, [ebp+var_18]
		xor	ebx, ebx
		mov	eax, [eax+18h]
		inc	ebx
		mov	esi, [ebp+var_8]
		mov	[ecx+8], eax
		jmp	loc_9F0C60
; 

loc_9F0D27:				; CODE XREF: EtwpCoverageResetCP(x,x)+FBj
		mov	esi, [ebp+var_8]
		or	ecx, 0FFFFFFFFh
		mov	edx, offset _EtwpCoverageLock

loc_9F0D32:				; CODE XREF: EtwpCoverageResetCP(x,x)+6Bj
		mov	ebx, esi

loc_9F0D34:				; CODE XREF: EtwpCoverageResetCP(x,x)+1B1j
		mov	eax, _EtwpCoverageLockOwner
		cmp	eax, large fs:124h
		jnz	short loc_9F0D74
		and	_EtwpCoverageLockOwner,	0
		lock xadd [edx], ecx
		and	cl, 6
		cmp	cl, 2
		jnz	short loc_9F0D61
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, offset _EtwpCoverageLock

loc_9F0D61:				; CODE XREF: EtwpCoverageResetCP(x,x)+29Cj
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9F0D74:				; CODE XREF: EtwpCoverageResetCP(x,x)+289j
		test	esi, esi
		jz	short loc_9F0D83
		push	56777445h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F0D83:				; CODE XREF: EtwpCoverageResetCP(x,x)+2BFj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_EtwpCoverageResetCP@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageResetWorkItemCallback(x)
_EtwpCoverageResetWorkItemCallback@4 proc near ; DATA XREF: EtwpCoverageEnsureContext()+19Do

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _EtwpCoverageNonPagedContext
		mov	ecx, [ebp+arg_0]
		push	2
		pop	edx
		and	dword ptr [eax+8], 0
		call	_EtwpCoverageReset@8 ; EtwpCoverageReset(x,x)
		pop	ebp
		retn	4
_EtwpCoverageResetWorkItemCallback@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpInitializeStackTracing(x)
_EtwpInitializeStackTracing@4 proc near	; CODE XREF: EtwpUpdateStackTracing(x,x,x)+4Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		push	0FFFFh
		lea	eax, [esi+290h]
		mov	[ebp+var_4], edi
		and	[eax], edi
		and	[eax+4], edi
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	ecx, eax
		push	10h
		shl	ecx, 2
		pop	eax
		mov	[esi+29Ch], ecx
		cmp	ecx, eax
		jnb	short loc_9F0DE6
		mov	[esi+29Ch], eax
		jmp	short loc_9F0DE8
; 

loc_9F0DE6:				; CODE XREF: EtwpInitializeStackTracing(x)+35j
		mov	eax, ecx

loc_9F0DE8:				; CODE XREF: EtwpInitializeStackTracing(x)+3Dj
		imul	eax, 30h
		push	50777445h
		push	eax
		push	204h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+298h], eax
		test	eax, eax
		jz	loc_9F0EB1
		xor	ebx, ebx
		cmp	[esi+29Ch], ebx
		jbe	short loc_9F0E37
		xor	edi, edi

loc_9F0E15:				; CODE XREF: EtwpInitializeStackTracing(x)+8Bj
		mov	edx, [esi+298h]
		lea	ecx, [esi+290h]
		add	edx, edi
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		inc	ebx
		add	edi, 30h
		cmp	ebx, [esi+29Ch]
		jb	short loc_9F0E15
		mov	edi, [ebp+var_4]

loc_9F0E37:				; CODE XREF: EtwpInitializeStackTracing(x)+6Aj
		push	0
		push	offset _EtwpStackWalkDpc@16 ; EtwpStackWalkDpc(x,x,x,x)
		lea	eax, [esi+26Ch]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	6D777445h
		push	400h
		push	200h
		mov	byte ptr [esi+26Dh], 2
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_9F0EB1
		push	400h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	edx, 2000h
		mov	[esi+2B4h], ebx
		mov	[esi+2B0h], edx
		add	esp, 0Ch
		add	esi, 258h
		mov	eax, [esi]

loc_9F0E94:				; CODE XREF: EtwpInitializeStackTracing(x)+F5j
		mov	ecx, eax
		or	ecx, edx
		lock cmpxchg [esi], ecx
		jnz	short loc_9F0E94
		test	eax, edx
		jnz	short loc_9F0EA7
		call	_EtwpReferenceStackLookasideList@0 ; EtwpReferenceStackLookasideList()

loc_9F0EA7:				; CODE XREF: EtwpInitializeStackTracing(x)+F9j
		mov	eax, 80h
		lock or	[esi], eax
		jmp	short loc_9F0EC8
; 

loc_9F0EB1:				; CODE XREF: EtwpInitializeStackTracing(x)+5Cj
					; EtwpInitializeStackTracing(x)+C2j
		mov	eax, [esi+298h]
		mov	edi, 0C0000017h
		test	eax, eax
		jz	short loc_9F0EC8
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F0EC8:				; CODE XREF: EtwpInitializeStackTracing(x)+108j
					; EtwpInitializeStackTracing(x)+117j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpInitializeStackTracing@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpReferenceStackLookasideList()
_EtwpReferenceStackLookasideList@0 proc	near ; CODE XREF: EtwpEnableGuid+11FB2Dp
					; EtwpInitializeStackTracing(x)+FBp
		mov	eax, ds:_KeNumberProcessors
		push	esi
		xor	esi, esi
		inc	esi
		lock xadd dword_6BC448,	esi
		inc	esi
		imul	esi, eax
		add	esi, esi

loc_9F0EE6:				; CODE XREF: EtwpReferenceStackLookasideList()+49j
		push	6C777445h
		push	414h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_9F0F1A
		mov	edx, eax
		mov	ecx, offset _EtwpStackLookAsideList
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		xor	eax, eax
		inc	eax
		lock xadd dword_6BC44C,	eax
		inc	eax
		cmp	eax, esi
		jl	short loc_9F0EE6

loc_9F0F1A:				; CODE XREF: EtwpReferenceStackLookasideList()+2Dj
		pop	esi
		retn
_EtwpReferenceStackLookasideList@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdateStackTracing(x, x, x)
_EtwpUpdateStackTracing@12 proc	near	; CODE XREF: EtwpCheckForStackTracingExtension+12A255p
					; EtwSetPerformanceTraceInformation(x,x,x)+365p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	18h
		push	offset dword_6A9D50
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		mov	edi, ecx
		mov	[ebp+var_24], edi
		xor	esi, esi
		mov	ebx, esi
		cmp	[ebp+arg_0], ebx
		jnz	short loc_9F0F57
		test	byte ptr [edi+258h], 80h
		jz	loc_9F0FE3
		lea	eax, [edi+2B0h]
		push	eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		jmp	loc_9F0FE3
; 

loc_9F0F57:				; CODE XREF: EtwpUpdateStackTracing(x,x,x)+1Bj
		cmp	[ebp+arg_0], 100h
		ja	short loc_9F0FDE
		test	byte ptr [edi+258h], 80h
		jnz	short loc_9F0F76
		call	_EtwpInitializeStackTracing@4 ;	EtwpInitializeStackTracing(x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9F0FE3
		jmp	short loc_9F0F82
; 

loc_9F0F76:				; CODE XREF: EtwpUpdateStackTracing(x,x,x)+4Bj
		lea	eax, [edi+2B0h]
		push	eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)

loc_9F0F82:				; CODE XREF: EtwpUpdateStackTracing(x,x,x)+58j
		mov	[ebp+ms_exc.disabled], esi

loc_9F0F85:				; CODE XREF: EtwpUpdateStackTracing(x,x,x)+95j
		mov	[ebp+var_20], esi
		cmp	esi, [ebp+arg_0]
		jnb	short loc_9F0FD5
		mov	eax, [ebp+var_1C]
		movzx	edx, word ptr [eax+esi*4]
		and	edx, 1FFFh
		mov	ecx, edx
		shr	ecx, 3
		add	ecx, [edi+2B4h]
		and	edx, 7
		movsx	eax, byte ptr [ecx]
		bts	eax, edx
		mov	[ecx], al
		inc	esi
		jmp	short loc_9F0F85
; 

loc_9F0FB3:				; DATA XREF: .text:006A9D64o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F0FC1:				; DATA XREF: .text:006A9D68o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_24]
		add	eax, 2B0h
		push	eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		mov	ebx, [ebp+var_28]

loc_9F0FD5:				; CODE XREF: EtwpUpdateStackTracing(x,x,x)+6Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9F0FE3
; 

loc_9F0FDE:				; CODE XREF: EtwpUpdateStackTracing(x,x,x)+42j
		mov	ebx, 0C000000Dh

loc_9F0FE3:				; CODE XREF: EtwpUpdateStackTracing(x,x,x)+24j
					; EtwpUpdateStackTracing(x,x,x)+36j ...
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpUpdateStackTracing@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall EtwTraceJob(x, x, x, x)
@EtwTraceJob@16	proc near		; CODE XREF: NtOpenJobObject+18C1FCp
					; NtTerminateJobObject+11FE9Ap	...

var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_30]
		push	7
		pop	ecx
		xor	eax, eax
		mov	ebx, edx
		rep stosd
		mov	edx, esi
		lea	ecx, [ebp+var_30]
		call	_EtwpCopyJobGuidSafe@8 ; EtwpCopyJobGuidSafe(x,x)
		xor	ecx, ecx
		test	esi, esi
		jz	short loc_9F1035
		mov	eax, [esi+2D4h]
		mov	[ebp+var_20], eax
		jmp	short loc_9F1038
; 

loc_9F1035:				; CODE XREF: EtwTraceJob(x,x,x,x)+31j
		mov	[ebp+var_20], ecx

loc_9F1038:				; CODE XREF: EtwTraceJob(x,x,x,x)+3Cj
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_30]
		mov	[ebp+var_1C], ebx
		mov	edi, 80000h
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], 1Ch
		mov	[ebp+var_8], ecx
		test	esi, esi
		jz	short loc_9F1077
		mov	eax, ds:_EtwpHostSiloState
		add	eax, 0A48h
		jz	short loc_9F1077
		test	[eax], edi
		jz	short loc_9F1077
		push	[ebp+arg_4]
		mov	ecx, esi
		call	_EtwpPsProvTraceJob@12 ; EtwpPsProvTraceJob(x,x,x)

loc_9F1077:				; CODE XREF: EtwTraceJob(x,x,x,x)+64j
					; EtwTraceJob(x,x,x,x)+70j ...
		push	(offset	loc_501902+2)
		push	[ebp+arg_4]
		xor	edx, edx
		lea	ecx, [ebp+var_14]
		push	edi
		inc	edx
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
@EtwTraceJob@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwKernelMemoryRundown()
_EtwKernelMemoryRundown@0 proc near	; CODE XREF: PAGELK:00720AA0p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	8
		pop	edx
		xor	eax, eax
		lea	edi, [ebp+var_24]
		mov	ecx, edx
		rep stosd
		mov	eax, ds:_EtwpHostSiloState
		xor	edi, edi
		mov	[ebp+var_20], edx
		mov	esi, [eax+924h]
		jmp	short loc_9F1101
; 

loc_9F10CE:				; CODE XREF: EtwKernelMemoryRundown()+68j
		mov	edx, ds:_EtwpHostSiloState
		lea	eax, [esi-1]
		and	esi, eax
		mov	eax, ecx
		shl	eax, 5
		add	eax, 948h
		add	eax, edx
		jz	short loc_9F1101
		test	byte ptr [eax+14h], 1
		jz	short loc_9F1101
		movzx	eax, byte ptr [edx+ecx*2+914h]
		lea	ecx, [ebp+var_24]
		push	edi
		push	edi
		push	edi
		push	eax
		call	EtwpKernelTraceRundown

loc_9F1101:				; CODE XREF: EtwKernelMemoryRundown()+30j
					; EtwKernelMemoryRundown()+49j	...
		bsf	ecx, esi
		jnz	short loc_9F10CE
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwKernelMemoryRundown@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceDuplicateHandle(x, x, x, x,	x, x)
_EtwTraceDuplicateHandle@24 proc near	; CODE XREF: ObInheritObjectHandle+153DEEp
					; ObCompleteObjectDuplication+14475Fp ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= word ptr -38h
var_36		= dword	ptr -36h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		and	[ebp+var_20], 0
		mov	[ebp+var_30], eax
		push	ebx
		mov	eax, [eax+84h]
		mov	[ebp+var_24], eax
		mov	eax, ds:_EtwpHostSiloState
		push	esi
		mov	[ebp+var_28], ecx
		xor	esi, esi
		mov	[ebp+var_2C], edx
		mov	ecx, [eax+924h]
		bsf	ebx, ecx
		jz	loc_9F121E
		push	edi

loc_9F1158:				; CODE XREF: EtwTraceDuplicateHandle(x,x,x,x,x,x)+AFj
		lea	eax, [ecx-1]
		and	ecx, eax
		mov	eax, ds:_EtwpHostSiloState
		mov	[ebp+var_20], ecx
		add	eax, 948h
		mov	ecx, ebx
		shl	ecx, 5
		add	eax, ecx
		jz	short loc_9F11BD
		test	byte ptr [eax+10h], 40h
		jz	short loc_9F11BD
		and	[ebp+var_18], 0
		xor	eax, eax
		imul	edi, ebx, 14h
		add	edi, offset _EtwpObjectTypeFilter
		cmp	ax, [edi]
		jnb	short loc_9F11BD
		lea	ecx, [edi+4]
		mov	[ebp+var_1C], ecx

loc_9F1193:				; CODE XREF: EtwTraceDuplicateHandle(x,x,x,x,x,x)+A2j
		mov	edx, [ecx]
		mov	ecx, [ebp+var_24]
		call	_ExCheckSingleFilter@8 ; ExCheckSingleFilter(x,x)
		test	eax, eax
		jnz	short loc_9F11BA
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_1C]
		inc	edx
		movzx	eax, word ptr [edi]
		add	ecx, 4
		mov	[ebp+var_18], edx
		mov	[ebp+var_1C], ecx
		cmp	edx, eax
		jb	short loc_9F1193
		jmp	short loc_9F11BD
; 

loc_9F11BA:				; CODE XREF: EtwTraceDuplicateHandle(x,x,x,x,x,x)+8Bj
		bts	esi, ebx

loc_9F11BD:				; CODE XREF: EtwTraceDuplicateHandle(x,x,x,x,x,x)+5Dj
					; EtwTraceDuplicateHandle(x,x,x,x,x,x)+63j ...
		mov	ecx, [ebp+var_20]
		bsf	ebx, ecx
		jnz	short loc_9F1158
		pop	edi
		test	esi, esi
		jz	short loc_9F121E
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_14]
		and	[ebp+var_10], 0
		xor	edx, edx
		and	[ebp+var_8], 0
		inc	edx
		mov	[ebp+var_48], eax
		mov	eax, [ebp+var_28]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_36], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_30]
		push	10501903h
		push	1122h
		push	esi
		movzx	eax, byte ptr [eax+14h]
		mov	[ebp+var_38], ax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 16h
		call	_EtwpTraceKernelEventWithFilter@20 ; EtwpTraceKernelEventWithFilter(x,x,x,x,x)

loc_9F121E:				; CODE XREF: EtwTraceDuplicateHandle(x,x,x,x,x,x)+3Dj
					; EtwTraceDuplicateHandle(x,x,x,x,x,x)+B4j
		mov	ecx, [ebp+var_4]
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_EtwTraceDuplicateHandle@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceFreezeThawProcess(x, x)
_EtwTraceFreezeThawProcess@8 proc near	; CODE XREF: PsThawProcess+14B27Ap
					; PsFreezeProcess+14B13Fp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx+0E4h]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_24], eax
		lea	eax, [ecx+100h]
		mov	[ebp+var_14], eax
		mov	eax, ds:_EtwpHostSiloState
		push	ebx
		mov	bl, dl
		mov	[ebp+var_1C], 4
		xor	edx, edx
		mov	[ebp+var_C], 8
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		add	eax, 0A48h
		jz	short loc_9F12B0
		test	byte ptr [eax+8], 2
		jz	short loc_9F12B0
		mov	eax, offset _ProcessFreezeEvent
		test	bl, bl
		jnz	short loc_9F1297
		mov	eax, offset _ProcessThawEvent

loc_9F1297:				; CODE XREF: EtwTraceFreezeThawProcess(x,x)+62j
		lea	ecx, [ebp+var_24]
		push	ecx
		push	2
		push	edx
		push	eax
		push	dword_6BC18C
		push	_EtwpPsProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9F12B0:				; CODE XREF: EtwTraceFreezeThawProcess(x,x)+53j
					; EtwTraceFreezeThawProcess(x,x)+59j
		xor	eax, eax
		lea	ecx, [ebp+var_24]
		test	bl, bl
		push	offset loc_501902
		setz	al
		xor	edx, edx
		add	eax, 324h
		inc	edx
		push	eax
		push	40000002h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwTraceFreezeThawProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceJobAssignProcess(x,	x, x)
_EtwTraceJobAssignProcess@12 proc near	; CODE XREF: sub_90E819+5p
					; PspAssignProcessToJobList(x,x,x)+4Bp

var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		lea	edi, [ebp+var_30]
		mov	edx, ecx
		xor	eax, eax
		push	7
		pop	ecx
		rep stosd
		xor	edi, edi
		mov	esi, edi
		test	ebx, ebx
		jz	short loc_9F1310
		mov	esi, [ebx+0E4h]

loc_9F1310:				; CODE XREF: EtwTraceJobAssignProcess(x,x,x)+29j
		lea	ecx, [ebp+var_30]
		call	_EtwpCopyJobGuidSafe@8 ; EtwpCopyJobGuidSafe(x,x)
		test	edx, edx
		jz	short loc_9F1327
		mov	eax, [edx+2D4h]
		mov	[ebp+var_20], eax
		jmp	short loc_9F132A
; 

loc_9F1327:				; CODE XREF: EtwTraceJobAssignProcess(x,x,x)+3Bj
		mov	[ebp+var_20], edi

loc_9F132A:				; CODE XREF: EtwTraceJobAssignProcess(x,x,x)+46j
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_14]
		push	501904h
		mov	[ebp+var_18], eax
		xor	edx, edx
		push	723h
		lea	eax, [ebp+var_30]
		mov	[ebp+var_1C], esi
		push	80000h
		inc	edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], 1Ch
		mov	[ebp+var_8], edi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwTraceJobAssignProcess@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceJobRemoveProcess(x,	x, x)
_EtwTraceJobRemoveProcess@12 proc near	; CODE XREF: PspRemoveProcessFromJobChain+17CCD2p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_3C], edi
		mov	esi, edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], edi
		test	ecx, ecx
		jz	short loc_9F13B4
		mov	eax, [ecx+158h]
		mov	esi, [ecx+0E4h]
		test	eax, eax
		jz	short loc_9F13B4
		mov	eax, [eax+2D4h]
		mov	[ebp+var_2C], eax
		jmp	short loc_9F13B7
; 

loc_9F13B4:				; CODE XREF: EtwTraceJobRemoveProcess(x,x,x)+26j
					; EtwTraceJobRemoveProcess(x,x,x)+36j
		mov	[ebp+var_2C], edi

loc_9F13B7:				; CODE XREF: EtwTraceJobRemoveProcess(x,x,x)+41j
		mov	eax, [ebp+arg_0]
		lea	ecx, [ebp+var_1C]
		push	(offset	loc_501902+2)
		mov	[ebp+var_24], edx
		xor	edx, edx
		mov	[ebp+var_20], eax
		inc	edx
		push	724h
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_28], esi
		push	80000h
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], 20h
		mov	[ebp+var_10], edi
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwTraceJobRemoveProcess@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceJobSendNotification(x, x)
_EtwTraceJobSendNotification@8 proc near ; CODE	XREF: PspSendReliableJobNotification+13C790p

var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	6
		mov	esi, edx
		lea	edi, [ebp+var_30]
		mov	edx, ecx
		xor	eax, eax
		pop	ecx
		rep stosd
		lea	ecx, [ebp+var_30]
		call	_EtwpCopyJobGuidSafe@8 ; EtwpCopyJobGuidSafe(x,x)
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_9F143B
		mov	eax, [edx+2D4h]
		mov	[ebp+var_20], eax
		jmp	short loc_9F143E
; 

loc_9F143B:				; CODE XREF: EtwTraceJobSendNotification(x,x)+2Ej
		mov	[ebp+var_20], ecx

loc_9F143E:				; CODE XREF: EtwTraceJobSendNotification(x,x)+39j
		push	(offset	loc_501902+2)
		push	72Ah
		xor	edx, edx
		mov	[ebp+var_14], ecx
		lea	eax, [ebp+var_30]
		mov	[ebp+var_C], ecx
		push	80000h
		inc	edx
		mov	[ebp+var_1C], esi
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], 18h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwTraceJobSendNotification@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceJobServerSiloStateChange(x,	x)
_EtwTraceJobServerSiloStateChange@8 proc near
					; CODE XREF: PspConvertSiloToServerSilo(x,x,x,x)+141p
					; PspMarkServerSiloAsTerminating(x)+7Dp ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, dword_6BC18C
		mov	ebx, ecx
		push	edi
		mov	edi, _EtwpPsProvRegHandle
		push	offset _JobServerSiloStateChange
		push	esi
		push	edi
		mov	[ebp+var_38], edx
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9F1501
		lea	eax, [ebx+2D8h]
		mov	[ebp+var_2C], 10h
		mov	[ebp+var_34], eax
		xor	edx, edx
		push	4
		pop	ecx
		lea	eax, [ebx+2D4h]
		mov	[ebp+var_30], edx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	edx
		push	offset _JobServerSiloStateChange
		push	esi
		push	edi
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9F1501:				; CODE XREF: EtwTraceJobServerSiloStateChange(x,x)+34j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwTraceJobServerSiloStateChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceJobSetQuery(x, x, x, x, x, x)
_EtwTraceJobSetQuery@24	proc near	; CODE XREF: PAGE:008D27DAp
					; sub_759647+17A515p ...

var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 19Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+19Ch+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		movzx	eax, ax
		lea	edi, [esp+1A8h+var_150]
		mov	edx, ecx
		mov	[esp+1A8h+var_198], eax
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		lea	ecx, [esp+1A8h+var_150]
		mov	[esp+1A8h+var_190], eax
		mov	[esp+1A8h+var_158], eax
		mov	[esp+1A8h+var_154], eax
		mov	[esp+1A8h+var_160], eax
		mov	[esp+1A8h+var_15C], eax
		call	_EtwpCopyJobGuidSafe@8 ; EtwpCopyJobGuidSafe(x,x)
		test	edx, edx
		jz	short loc_9F157A
		mov	eax, [edx+2D4h]
		xor	edx, edx
		mov	[esp+1A8h+var_140], eax
		jmp	short loc_9F1580
; 

loc_9F157A:				; CODE XREF: EtwTraceJobSetQuery(x,x,x,x,x,x)+5Aj
		xor	edx, edx
		mov	[esp+1A8h+var_140], edx

loc_9F1580:				; CODE XREF: EtwTraceJobSetQuery(x,x,x,x,x,x)+68j
		lea	eax, [esp+1A8h+var_150]
		mov	[esp+1A8h+var_13C], ebx
		mov	[esp+1A8h+var_138], eax
		mov	ecx, 725h
		mov	eax, [esp+1A8h+var_198]
		mov	[esp+1A8h+var_134], edx
		mov	[esp+1A8h+var_130], 18h
		mov	[esp+1A8h+var_12C], edx
		cmp	ax, cx
		jz	loc_9F1849
		inc	ecx
		cmp	ax, cx
		jz	short loc_9F15F6
		jbe	loc_9F1B5A
		mov	eax, [ebp+arg_C]
		mov	ecx, 728h
		cmp	ax, cx
		ja	loc_9F1B5A
		lea	ecx, [ebp+arg_8]
		mov	[esp+1A8h+var_124], edx
		push	2
		mov	[esp+1ACh+var_128], ecx
		mov	[esp+1ACh+var_120], 4
		mov	[esp+1ACh+var_11C], edx
		pop	ebx
		jmp	loc_9F1B44
; 

loc_9F15F6:				; CODE XREF: EtwTraceJobSetQuery(x,x,x,x,x,x)+A2j
		cmp	ebx, 0Dh
		jnz	loc_9F1B5A
		lea	eax, [esi+4]
		mov	[esp+1A8h+var_128], esi
		mov	[esp+1A8h+var_118], eax
		xor	ecx, ecx
		lea	eax, [esi+8]
		mov	[esp+1A8h+var_124], ecx
		mov	[esp+1A8h+var_108], eax
		lea	eax, [esi+10h]
		mov	[esp+1A8h+var_F8], eax
		lea	eax, [esi+18h]
		mov	[esp+1A8h+var_E8], eax
		lea	eax, [esi+20h]
		mov	[esp+1A8h+var_D8], eax
		lea	eax, [esi+28h]
		mov	[esp+1A8h+var_C8], eax
		lea	eax, [esi+30h]
		mov	[esp+1A8h+var_B8], eax
		lea	eax, [esi+38h]
		mov	[esp+1A8h+var_A8], eax
		lea	eax, [esi+50h]
		mov	[esp+1A8h+var_98], eax
		lea	eax, [esi+40h]
		mov	[esp+1A8h+var_88], eax
		lea	eax, [esi+48h]
		mov	[esp+1A8h+var_78], eax
		lea	eax, [esi+4Ch]
		mov	[esp+1A8h+var_68], eax
		lea	eax, [esi+58h]
		push	4
		pop	edx
		mov	[esp+1A8h+var_58], eax
		lea	eax, [esi+5Ch]
		push	8
		pop	edi
		mov	[esp+1A8h+var_48], eax
		lea	eax, [esi+60h]
		mov	[esp+1A8h+var_120], edx
		mov	[esp+1A8h+var_11C], ecx
		mov	[esp+1A8h+var_114], ecx
		mov	[esp+1A8h+var_110], edx
		mov	[esp+1A8h+var_10C], ecx
		mov	[esp+1A8h+var_104], ecx
		mov	[esp+1A8h+var_100], edi
		mov	[esp+1A8h+var_FC], ecx
		mov	[esp+1A8h+var_F4], ecx
		mov	[esp+1A8h+var_F0], edi
		mov	[esp+1A8h+var_EC], ecx
		mov	[esp+1A8h+var_E4], ecx
		mov	[esp+1A8h+var_E0], edi
		mov	[esp+1A8h+var_DC], ecx
		mov	[esp+1A8h+var_D4], ecx
		mov	[esp+1A8h+var_D0], edi
		mov	[esp+1A8h+var_CC], ecx
		mov	[esp+1A8h+var_C4], ecx
		mov	[esp+1A8h+var_C0], edi
		mov	[esp+1A8h+var_BC], ecx
		mov	[esp+1A8h+var_B4], ecx
		mov	[esp+1A8h+var_B0], edi
		mov	[esp+1A8h+var_AC], ecx
		mov	[esp+1A8h+var_A4], ecx
		mov	[esp+1A8h+var_A0], edi
		mov	[esp+1A8h+var_9C], ecx
		mov	[esp+1A8h+var_94], ecx
		mov	[esp+1A8h+var_90], edi
		mov	[esp+1A8h+var_8C], ecx
		mov	[esp+1A8h+var_84], ecx
		mov	[esp+1A8h+var_80], edi
		mov	[esp+1A8h+var_7C], ecx
		mov	[esp+1A8h+var_74], ecx
		mov	[esp+1A8h+var_70], edx
		mov	[esp+1A8h+var_6C], ecx
		mov	[esp+1A8h+var_64], ecx
		mov	[esp+1A8h+var_60], edx
		mov	[esp+1A8h+var_5C], ecx
		mov	[esp+1A8h+var_54], ecx
		mov	[esp+1A8h+var_50], edx
		mov	[esp+1A8h+var_4C], ecx
		mov	[esp+1A8h+var_44], ecx
		mov	[esp+1A8h+var_40], edx
		mov	[esp+1A8h+var_3C], ecx
		mov	[esp+1A8h+var_38], eax
		lea	eax, [esi+64h]
		mov	[esp+1A8h+var_34], ecx
		mov	[esp+1A8h+var_28], eax
		mov	eax, [ebp+arg_4]
		push	13h
		mov	[esp+1ACh+var_30], edx
		mov	[esp+1ACh+var_2C], ecx
		mov	eax, [eax]
		mov	[esp+1ACh+var_190], eax
		lea	eax, [esp+1ACh+var_190]
		mov	[esp+1ACh+var_18], eax
		mov	eax, 72Bh
		mov	[esp+1ACh+var_24], ecx
		mov	[esp+1ACh+var_20], edx
		mov	[esp+1ACh+var_1C], ecx
		mov	[esp+1ACh+var_14], ecx
		mov	[esp+1ACh+var_10], edx
		mov	[esp+1ACh+var_C], ecx
		pop	ebx
		jmp	loc_9F1B44
; 

loc_9F1849:				; CODE XREF: EtwTraceJobSetQuery(x,x,x,x,x,x)+98j
		push	4
		pop	edx
		push	8
		pop	edi
		cmp	ebx, 0Ch
		jz	loc_9F199E
		cmp	ebx, 0Fh
		jz	loc_9F1951
		cmp	ebx, 20h
		jnz	loc_9F1B5A
		lea	eax, [esi+10h]
		mov	[esp+1A8h+var_128], esi
		mov	[esp+1A8h+var_108], eax
		lea	ecx, [esi+8]
		lea	eax, [esp+1A8h+var_F8]
		mov	[esp+1A8h+var_120], edx
		mov	[esp+1A8h+var_194], eax
		xor	ebx, ebx
		lea	eax, [esp+1A8h+var_E8]
		mov	[esp+1A8h+var_124], ebx
		mov	[esp+1A8h+var_18C], eax
		lea	eax, [esp+1A8h+var_D8]
		mov	[esp+1A8h+var_184], eax
		lea	eax, [esp+1A8h+var_C8]
		mov	[esp+1A8h+var_180], eax
		lea	eax, [esp+1A8h+var_B8]
		mov	[esp+1A8h+var_17C], eax
		lea	eax, [esp+1A8h+var_A8]
		mov	[esp+1A8h+var_178], eax
		lea	eax, [esp+1A8h+var_98]
		mov	[esp+1A8h+var_174], eax
		lea	eax, [esp+1A8h+var_88]
		mov	[esp+1A8h+var_170], eax
		lea	eax, [esp+1A8h+var_78]
		mov	[esp+1A8h+var_16C], eax
		lea	eax, [esp+1A8h+var_68]
		mov	[esp+1A8h+var_168], eax
		lea	eax, [esp+1A8h+var_58]
		mov	[esp+1A8h+var_164], eax
		lea	eax, [esp+1A8h+var_48]
		mov	[esp+1A8h+var_11C], ebx
		mov	[esp+1A8h+var_118], ecx
		mov	[esp+1A8h+var_114], ebx
		mov	[esp+1A8h+var_110], edi
		mov	[esp+1A8h+var_10C], ebx
		mov	[esp+1A8h+var_104], ebx
		mov	[esp+1A8h+var_100], 1
		mov	[esp+1A8h+var_FC], ebx
		push	10h
		jmp	loc_9F1A23
; 

loc_9F1951:				; CODE XREF: EtwTraceJobSetQuery(x,x,x,x,x,x)+34Bj
		push	4
		pop	edx
		xor	ecx, ecx
		mov	[esp+1A8h+var_128], esi
		lea	eax, [esi+4]
		mov	[esp+1A8h+var_124], ecx
		push	3
		mov	[esp+1ACh+var_118], eax
		mov	eax, 72Ch
		mov	[esp+1ACh+var_120], edx
		mov	[esp+1ACh+var_11C], ecx
		mov	[esp+1ACh+var_114], ecx
		mov	[esp+1ACh+var_110], edx
		mov	[esp+1ACh+var_10C], ecx
		pop	ebx
		jmp	loc_9F1B44
; 

loc_9F199E:				; CODE XREF: EtwTraceJobSetQuery(x,x,x,x,x,x)+342j
		lea	eax, [esp+1A8h+var_128]
		mov	[esp+1A8h+var_194], eax
		lea	ecx, [esi+8]
		lea	eax, [esp+1A8h+var_118]
		mov	[esp+1A8h+var_18C], eax
		lea	eax, [esp+1A8h+var_108]
		mov	[esp+1A8h+var_184], eax
		lea	eax, [esp+1A8h+var_F8]
		mov	[esp+1A8h+var_180], eax
		lea	eax, [esp+1A8h+var_E8]
		mov	[esp+1A8h+var_17C], eax
		lea	eax, [esp+1A8h+var_D8]
		mov	[esp+1A8h+var_178], eax
		lea	eax, [esp+1A8h+var_C8]
		mov	[esp+1A8h+var_174], eax
		lea	eax, [esp+1A8h+var_B8]
		mov	[esp+1A8h+var_170], eax
		lea	eax, [esp+1A8h+var_A8]
		mov	[esp+1A8h+var_16C], eax
		lea	eax, [esp+1A8h+var_98]
		mov	[esp+1A8h+var_168], eax
		lea	eax, [esp+1A8h+var_88]
		mov	[esp+1A8h+var_164], eax
		lea	eax, [esp+1A8h+var_78]
		push	0Dh

loc_9F1A23:				; CODE XREF: EtwTraceJobSetQuery(x,x,x,x,x,x)+43Cj
		mov	[esp+1ACh+var_198], eax
		lea	eax, [esi+28h]
		mov	[esp+1ACh+var_188], esi
		mov	esi, [esp+1ACh+var_194]
		pop	ebx
		mov	[esi], eax
		mov	eax, esi
		mov	esi, [esp+1A8h+var_188]
		and	dword ptr [eax+4], 0
		and	dword ptr [eax+0Ch], 0
		mov	[eax+8], edx
		mov	eax, [esp+1A8h+var_18C]
		and	dword ptr [eax+4], 0
		mov	[eax], esi
		xor	esi, esi
		mov	[eax+8], edi
		mov	[eax+0Ch], esi
		mov	eax, [esp+1A8h+var_184]
		mov	[eax], ecx
		mov	[eax+4], esi
		mov	[eax+0Ch], esi
		mov	esi, [ebp+arg_0]
		mov	[eax+8], edi
		mov	ecx, [esp+1A8h+var_180]
		lea	eax, [esi+10h]
		and	dword ptr [ecx+4], 0
		and	dword ptr [ecx+0Ch], 0
		mov	[ecx], eax
		mov	[ecx+8], edi
		mov	eax, [esi+30h]
		mov	ecx, [esi+34h]
		shrd	eax, ecx, 0Ch
		shr	ecx, 0Ch
		mov	[esp+1A8h+var_160], eax
		mov	eax, [esp+1A8h+var_17C]
		mov	[esp+1A8h+var_15C], ecx
		lea	ecx, [esp+1A8h+var_160]
		and	dword ptr [eax+4], 0
		and	dword ptr [eax+0Ch], 0
		mov	[eax], ecx
		mov	ecx, [esi+1Ch]
		mov	[eax+8], edi
		mov	eax, [esi+18h]
		shrd	eax, ecx, 0Ch
		shr	ecx, 0Ch
		mov	[esp+1A8h+var_158], eax
		mov	eax, [esp+1A8h+var_178]
		mov	[esp+1A8h+var_154], ecx
		lea	ecx, [esp+1A8h+var_158]
		and	dword ptr [eax+4], 0
		mov	[eax], ecx
		mov	ecx, [esp+1A8h+var_174]
		mov	[eax+8], edi
		xor	edi, edi
		mov	[eax+0Ch], edi
		lea	eax, [esi+20h]
		mov	[ecx], eax
		lea	eax, [esi+24h]
		mov	[ecx+4], edi
		mov	[ecx+8], edx
		mov	[ecx+0Ch], edi
		mov	ecx, [esp+1A8h+var_170]
		mov	[ecx], eax
		lea	eax, [esi+2Ch]
		mov	[ecx+4], edi
		mov	[ecx+8], edx
		mov	[ecx+0Ch], edi
		mov	ecx, [esp+1A8h+var_16C]
		mov	[ecx], eax
		lea	eax, [esi+38h]
		mov	[ecx+4], edi
		mov	[ecx+8], edx
		mov	[ecx+0Ch], edi
		mov	ecx, [esp+1A8h+var_168]
		mov	[ecx], eax
		lea	eax, [esi+3Ch]
		mov	[ecx+4], edi
		mov	[ecx+8], edx
		mov	[ecx+0Ch], edi
		mov	ecx, [esp+1A8h+var_164]
		mov	[ecx], eax
		mov	[ecx+4], edi
		lea	eax, [esi+40h]
		mov	[ecx+8], edx
		mov	[ecx+0Ch], edi
		mov	ecx, [esp+1A8h+var_198]
		mov	[ecx], eax
		mov	eax, 729h
		mov	[ecx+4], edi
		mov	[ecx+8], edx
		mov	[ecx+0Ch], edi

loc_9F1B44:				; CODE XREF: EtwTraceJobSetQuery(x,x,x,x,x,x)+E1j
					; EtwTraceJobSetQuery(x,x,x,x,x,x)+334j ...
		push	501904h
		push	eax
		push	80000h
		mov	edx, ebx
		lea	ecx, [esp+1B4h+var_138]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_9F1B5A:				; CODE XREF: EtwTraceJobSetQuery(x,x,x,x,x,x)+A4j
					; EtwTraceJobSetQuery(x,x,x,x,x,x)+B5j	...
		mov	ecx, [esp+1A8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_EtwTraceJobSetQuery@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceLeapSecondDataParseFailure(x)
_EtwTraceLeapSecondDataParseFailure@4 proc near	; CODE XREF: ExpReadLeapSecondData(x,x)+15Cp
					; INIT:00AC2E8Dp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		cmp	dword_6B2A40, 5
		push	4
		mov	[ebp+var_50], esi
		pop	ebx
		jbe	short loc_9F1BD6
		push	4000h
		push	edi
		mov	ecx, offset dword_6B2A40
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9F1BD6
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_4C], esi
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	3
		push	edi
		push	edi
		push	offset loc_422FC0
		push	offset dword_6B2A40
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9F1BD6:				; CODE XREF: EtwTraceLeapSecondDataParseFailure(x)+26j
					; EtwTraceLeapSecondDataParseFailure(x)+3Aj
		mov	ecx, _EtwKernelProvRegHandle
		mov	eax, ecx
		mov	edx, dword_6BC12C
		or	eax, edx
		jz	short loc_9F1C0A
		lea	eax, [ebp+var_50]
		mov	[ebp+var_14], edi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	1
		push	edi
		push	offset _KernelLeapSecondDataParseFailure
		push	edx
		push	ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9F1C0A:				; CODE XREF: EtwTraceLeapSecondDataParseFailure(x)+75j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwTraceLeapSecondDataParseFailure@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceObject(x, x)
_EtwTraceObject@8 proc near		; CODE XREF: ObpDeregisterObject(x)+15p
					; ObpRegisterObject(x)+19p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, edx
		mov	[ebp+var_38], ecx
		shr	eax, 8
		xor	al, [edx+0Ch]
		xor	al, byte ptr ds:_ObHeaderCookie
		mov	[ebp+var_34], eax
		movzx	eax, al
		push	ebx
		push	esi
		push	edi
		mov	eax, ds:_ObTypeIndexTable[eax*4]
		xor	edi, edi
		mov	[ebp+var_28], edi
		mov	esi, edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_30], edx
		mov	eax, [eax+84h]
		mov	[ebp+var_2C], eax
		mov	eax, ds:_EtwpHostSiloState
		mov	[ebp+var_20], edi
		mov	ecx, [eax+924h]
		bsf	ebx, ecx
		jz	loc_9F1D26

loc_9F1C79:				; CODE XREF: EtwTraceObject(x,x)+CBj
		lea	eax, [ecx-1]
		and	ecx, eax
		mov	eax, ds:_EtwpHostSiloState
		mov	[ebp+var_20], ecx
		add	eax, 948h
		mov	ecx, ebx
		shl	ecx, 5
		add	eax, ecx
		jz	short loc_9F1CDE
		test	byte ptr [eax+10h], 80h
		jz	short loc_9F1CDE
		and	[ebp+var_18], 0
		xor	eax, eax
		imul	edi, ebx, 14h
		add	edi, offset _EtwpObjectTypeFilter
		cmp	ax, [edi]
		jnb	short loc_9F1CDE
		lea	ecx, [edi+4]
		mov	[ebp+var_1C], ecx

loc_9F1CB4:				; CODE XREF: EtwTraceObject(x,x)+BEj
		mov	edx, [ecx]
		mov	ecx, [ebp+var_2C]
		call	_ExCheckSingleFilter@8 ; ExCheckSingleFilter(x,x)
		test	eax, eax
		jnz	short loc_9F1CDB
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_1C]
		inc	edx
		movzx	eax, word ptr [edi]
		add	ecx, 4
		mov	[ebp+var_18], edx
		mov	[ebp+var_1C], ecx
		cmp	edx, eax
		jb	short loc_9F1CB4
		jmp	short loc_9F1CDE
; 

loc_9F1CDB:				; CODE XREF: EtwTraceObject(x,x)+A7j
		bts	esi, ebx

loc_9F1CDE:				; CODE XREF: EtwTraceObject(x,x)+79j
					; EtwTraceObject(x,x)+7Fj ...
		mov	ecx, [ebp+var_20]
		bsf	ebx, ecx
		jnz	short loc_9F1C79
		test	esi, esi
		jz	short loc_9F1D26
		mov	eax, [ebp+var_30]
		lea	ecx, [ebp+var_14]
		and	[ebp+var_10], 0
		add	eax, 18h
		and	[ebp+var_8], 0
		xor	edx, edx
		mov	[ebp+var_28], eax
		inc	edx
		mov	eax, [ebp+var_34]
		push	10501902h
		push	[ebp+var_38]
		movzx	eax, al
		mov	word ptr [ebp+var_24], ax
		lea	eax, [ebp+var_28]
		push	esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 8
		call	_EtwpTraceKernelEventWithFilter@20 ; EtwpTraceKernelEventWithFilter(x,x,x,x,x)

loc_9F1D26:				; CODE XREF: EtwTraceObject(x,x)+5Aj
					; EtwTraceObject(x,x)+CFj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwTraceObject@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceTimeZoneBiasChange(x, x)
_EtwTraceTimeZoneBiasChange@8 proc near	; CODE XREF: ExpRefreshTimeZoneInformation(x)+559p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		xor	ebx, ebx
		mov	[ebp+var_78], esi
		cmp	dword_6B2A40, 5
		mov	[ebp+var_74], edi
		jbe	short loc_9F1DB2
		push	4000h
		push	ebx
		mov	ecx, offset dword_6B2A40
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9F1DB2
		push	4
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_6C], edi
		pop	edi
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_68]
		push	eax
		push	edi
		push	ebx
		push	ebx
		push	offset loc_422FF9
		push	offset dword_6B2A40
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_70], esi
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	short loc_9F1DB5
; 

loc_9F1DB2:				; CODE XREF: EtwTraceTimeZoneBiasChange(x,x)+28j
					; EtwTraceTimeZoneBiasChange(x,x)+3Cj
		push	4
		pop	edi

loc_9F1DB5:				; CODE XREF: EtwTraceTimeZoneBiasChange(x,x)+7Bj
		mov	ecx, _EtwKernelProvRegHandle
		mov	eax, ecx
		mov	edx, dword_6BC12C
		or	eax, edx
		jz	short loc_9F1DF8
		lea	eax, [ebp+var_74]
		mov	[ebp+var_24], ebx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	2
		push	ebx
		push	offset _KernelTimeZoneBiasChange
		push	edx
		push	ecx
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9F1DF8:				; CODE XREF: EtwTraceTimeZoneBiasChange(x,x)+90j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwTraceTimeZoneBiasChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceWakeCounter(x, x, x, x, x, x)
_EtwTraceWakeCounter@24	proc near	; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+2B1p
					; PspChargeJobWakeCounter+17AD28p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_4], 0
		push	esi
		push	edi
		movzx	esi, dx
		mov	edi, ecx
		mov	edx, [ebp+arg_0]
		jl	short loc_9F1E36
		jg	short loc_9F1E2F
		test	edx, edx
		jz	short loc_9F1E36

loc_9F1E2F:				; CODE XREF: EtwTraceWakeCounter(x,x,x,x,x,x)+22j
		mov	eax, 330h
		jmp	short loc_9F1E4E
; 

loc_9F1E36:				; CODE XREF: EtwTraceWakeCounter(x,x,x,x,x,x)+20j
					; EtwTraceWakeCounter(x,x,x,x,x,x)+26j
		mov	eax, edx
		or	eax, [ebp+arg_4]
		jnz	short loc_9F1E49
		mov	ecx, 80000200h
		mov	eax, 350h
		jmp	short loc_9F1E53
; 

loc_9F1E49:				; CODE XREF: EtwTraceWakeCounter(x,x,x,x,x,x)+34j
		mov	eax, 340h

loc_9F1E4E:				; CODE XREF: EtwTraceWakeCounter(x,x,x,x,x,x)+2Dj
		mov	ecx, 80002000h

loc_9F1E53:				; CODE XREF: EtwTraceWakeCounter(x,x,x,x,x,x)+40j
		add	eax, esi
		mov	[ebp+var_28], edi
		movzx	esi, ax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_1C], edx
		test	eax, eax
		jz	short loc_9F1E76
		mov	eax, [eax+0E4h]
		mov	[ebp+var_20], eax
		jmp	short loc_9F1E7A
; 

loc_9F1E76:				; CODE XREF: EtwTraceWakeCounter(x,x,x,x,x,x)+62j
		or	[ebp+var_20], 0FFFFFFFFh

loc_9F1E7A:				; CODE XREF: EtwTraceWakeCounter(x,x,x,x,x,x)+6Dj
		and	[ebp+var_14], 0
		lea	eax, [ebp+var_28]
		and	[ebp+var_C], 0
		xor	edx, edx
		push	offset loc_501902
		push	esi
		push	ecx
		inc	edx
		mov	[ebp+var_18], eax
		lea	ecx, [ebp+var_18]
		mov	[ebp+var_10], 10h
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_EtwTraceWakeCounter@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceWakeEvent(x, x)
_EtwTraceWakeEvent@8 proc near		; CODE XREF: PspChargeProcessWakeCounter(x,x,x,x,x,x,x)+247p
					; PspSendWakeNotification+12771Cp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_18]
		and	[ebp+var_8], 0
		mov	[ebp+var_14], eax
		lea	eax, [edx+360h]
		push	offset loc_501902
		push	eax
		xor	edx, edx
		mov	[ebp+var_18], ecx
		push	80000400h
		inc	edx
		mov	[ebp+var_C], 4
		lea	ecx, [ebp+var_14]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwTraceWakeEvent@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCopyJobGuidSafe(x, x)
_EtwpCopyJobGuidSafe@8 proc near	; CODE XREF: EtwTraceJobServerSiloMonitorCallback+80C58p
					; EtwTraceJob(x,x,x,x)+28p ...
		mov	edi, edi
		push	edi
		mov	edi, ecx
		test	edx, edx
		jz	short loc_9F1F1A
		push	esi
		lea	esi, [edx+2D8h]
		movsd
		movsd
		movsd
		movsd
		pop	esi
		pop	edi
		retn
; 

loc_9F1F1A:				; CODE XREF: EtwpCopyJobGuidSafe(x,x)+7j
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		pop	edi
		retn
_EtwpCopyJobGuidSafe@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCopyJobIdSafe(x, x)
_EtwpCopyJobIdSafe@8 proc near		; CODE XREF: EtwTraceJobServerSiloMonitorCallback+80C77p
		test	edx, edx
		jz	short loc_9F1F2E
		mov	eax, [edx+2D4h]
		jmp	short loc_9F1F30
; 

loc_9F1F2E:				; CODE XREF: EtwpCopyJobIdSafe(x,x)+2j
		xor	eax, eax

loc_9F1F30:				; CODE XREF: EtwpCopyJobIdSafe(x,x)+Aj
		mov	[ecx], eax
		retn
_EtwpCopyJobIdSafe@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogMemInfoWs(x,	x)
_EtwpLogMemInfoWs@8 proc near		; CODE XREF: EtwpPerfMemInfoWork(x)+18p
					; EtwpLogMemInfoRundown(x)+35p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+68h+var_50], edx
		lea	edi, [esp+68h+var_34]
		mov	edx, ecx
		mov	[esp+68h+var_10], 51h
		push	9
		xor	eax, eax
		mov	[esp+6Ch+var_38], edx
		and	[esp+6Ch+var_40], eax
		and	[esp+6Ch+var_3C], eax
		pop	ecx
		rep stosd
		mov	ecx, edx
		mov	[esp+68h+var_C], 77h
		mov	[esp+68h+var_8], 78h
		call	_EtwpLogSessionWorkingSetInfo@4	; EtwpLogSessionWorkingSetInfo(x)
		or	[esp+68h+var_4C], 0FFFFFFFFh
		push	40h
		pop	eax
		mov	[esp+68h+var_58], eax
		mov	eax, 904h
		push	74777445h
		push	eax
		push	200h
		mov	[esp+74h+var_48], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9F21C3
		and	dword ptr [ebx], 0
		lea	esi, [ebx+4]
		lea	eax, [esi+900h]
		xor	edi, edi
		mov	[esp+68h+var_44], eax

loc_9F1FC9:				; CODE XREF: EtwpLogMemInfoWs(x,x)+101j
		mov	eax, [esp+edi*4+68h+var_10]
		lea	ecx, [esp+68h+var_34]
		push	0
		push	24h
		push	ecx
		push	eax
		mov	[esp+78h+var_54], eax
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		jnz	loc_9F21BB
		mov	ecx, [esp+68h+var_4C]
		mov	[esi], ecx
		mov	eax, [esp+68h+var_34]
		and	dword ptr [esi+20h], 0
		and	dword ptr [esi+18h], 0
		and	dword ptr [esi+14h], 0
		and	dword ptr [esi+1Ch], 0
		shr	eax, 0Ch
		cmp	[esp+68h+var_54], 77h
		mov	[esi+4], eax
		mov	[esi+10h], eax
		mov	[esi+8], eax
		mov	[esi+0Ch], eax
		jnz	short loc_9F2026
		mov	edx, [esp+68h+var_50]
		cmp	edx, eax
		jbe	short loc_9F2026
		mov	[esi+8], edx
		mov	[esi+0Ch], edx

loc_9F2026:				; CODE XREF: EtwpLogMemInfoWs(x,x)+E3j
					; EtwpLogMemInfoWs(x,x)+EBj
		add	esi, 24h
		inc	dword ptr [ebx]
		dec	ecx
		inc	edi
		mov	[esp+68h+var_4C], ecx
		cmp	edi, 3
		jb	short loc_9F1FC9
		mov	edi, ds:_PsIdleProcess
		jmp	loc_9F21A8
; 

loc_9F2041:				; CODE XREF: EtwpLogMemInfoWs(x,x)+277j
		mov	eax, [edi+0FCh]
		test	eax, 4000000h
		jz	loc_9F2193
		test	al, 4
		jz	short loc_9F2070
		cmp	dword ptr [edi+4], 0
		jz	short loc_9F2070
		cmp	dword ptr [edi+1D8h], 0
		jnz	short loc_9F2070
		lea	eax, [edi+2Ch]
		cmp	[eax], eax
		jz	loc_9F2193

loc_9F2070:				; CODE XREF: EtwpLogMemInfoWs(x,x)+121j
					; EtwpLogMemInfoWs(x,x)+127j ...
		cmp	esi, [esp+68h+var_44]
		jnz	loc_9F20FE
		mov	ecx, [esp+68h+var_58]
		cmp	ecx, 100h
		jb	short loc_9F2099
		mov	ecx, [esp+68h+var_38]
		mov	edx, ebx
		call	_EtwpLogMemInfoWsHelper@8 ; EtwpLogMemInfoWsHelper(x,x)
		and	dword ptr [ebx], 0
		lea	esi, [ebx+4]
		jmp	short loc_9F20FE
; 

loc_9F2099:				; CODE XREF: EtwpLogMemInfoWs(x,x)+151j
		mov	edx, [esp+68h+var_48]
		imul	eax, ecx, 24h
		add	ecx, ecx
		mov	[esp+68h+var_50], edx
		push	74777445h
		mov	[esp+6Ch+var_58], ecx
		add	edx, eax
		push	edx
		push	200h
		mov	[esp+74h+var_48], edx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+68h+var_54], esi
		test	esi, esi
		jz	loc_9F21D5
		push	[esp+68h+var_50] ; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		imul	eax, [esi], 24h
		mov	ebx, esi
		mov	ecx, ebx
		add	ecx, 4
		add	eax, 4
		add	esi, eax
		imul	eax, [esp+68h+var_58], 24h
		add	eax, ecx
		mov	[esp+68h+var_44], eax

loc_9F20FE:				; CODE XREF: EtwpLogMemInfoWs(x,x)+141j
					; EtwpLogMemInfoWs(x,x)+164j
		mov	eax, [edi+0E4h]
		mov	[esi], eax
		mov	eax, [edi+280h]
		mov	[esi+4], eax
		mov	eax, [edi+284h]
		mov	[esi+10h], eax
		mov	eax, [edi+224h]
		mov	[esi+8], eax
		mov	eax, [edi+418h]
		mov	[esi+20h], eax
		mov	eax, [edi+11Ch]
		shr	eax, 0Ch
		mov	[esi+0Ch], eax
		nop
		mov	eax, [esi+8]
		mov	ecx, [esi+0Ch]
		cmp	eax, ecx
		jb	short loc_9F2143
		mov	eax, ecx

loc_9F2143:				; CODE XREF: EtwpLogMemInfoWs(x,x)+20Cj
		mov	ecx, [esi+4]
		mov	[esi+8], eax
		mov	eax, [esi+10h]
		cmp	eax, ecx
		jb	short loc_9F2152
		mov	eax, ecx

loc_9F2152:				; CODE XREF: EtwpLogMemInfoWs(x,x)+21Bj
		and	dword ptr [esi+14h], 0
		lea	edx, [esp+68h+var_40]
		and	dword ptr [esi+18h], 0
		mov	ecx, edi
		mov	[esi+10h], eax
		mov	eax, [edi+2C8h]
		mov	[esi+1Ch], eax
		lea	eax, [esp+68h+var_3C]
		push	eax
		call	SmProcessQueryStoreStats
		test	eax, eax
		js	short loc_9F218E
		mov	eax, [esp+68h+var_40]
		shr	eax, 0Ch
		mov	[esi+14h], eax
		mov	eax, [esp+68h+var_3C]
		shr	eax, 0Ch
		mov	[esi+18h], eax

loc_9F218E:				; CODE XREF: EtwpLogMemInfoWs(x,x)+245j
		add	esi, 24h
		inc	dword ptr [ebx]

loc_9F2193:				; CODE XREF: EtwpLogMemInfoWs(x,x)+119j
					; EtwpLogMemInfoWs(x,x)+137j
		mov	ecx, edi
		sub	ecx, ds:_PsIdleProcess
		neg	ecx
		sbb	ecx, ecx
		and	ecx, edi
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	edi, eax

loc_9F21A8:				; CODE XREF: EtwpLogMemInfoWs(x,x)+109j
		test	edi, edi
		jnz	loc_9F2041
		mov	ecx, [esp+68h+var_38]
		mov	edx, ebx
		call	_EtwpLogMemInfoWsHelper@8 ; EtwpLogMemInfoWsHelper(x,x)

loc_9F21BB:				; CODE XREF: EtwpLogMemInfoWs(x,x)+AFj
					; EtwpLogMemInfoWs(x,x)+2AEj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F21C3:				; CODE XREF: EtwpLogMemInfoWs(x,x)+7Ej
		mov	ecx, [esp+68h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_9F21D5:				; CODE XREF: EtwpLogMemInfoWs(x,x)+195j
		mov	edx, 6E457350h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		jmp	short loc_9F21BB
_EtwpLogMemInfoWs@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogMemInfoWsHelper(x, x)
_EtwpLogMemInfoWsHelper@8 proc near	; CODE XREF: EtwpLogMemInfoWs(x,x)+159p
					; EtwpLogMemInfoWs(x,x)+283p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		lea	eax, [edx+4]
		mov	[ebp+var_24], edx
		mov	[ebp+var_14], eax
		imul	eax, [edx], 24h
		push	esi
		xor	esi, esi
		mov	[ebp+var_1C], 4
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], esi
		push	offset dword_401804
		push	27Dh
		test	ecx, ecx
		jnz	short loc_9F226C
		push	20800000h
		push	2
		pop	edx
		lea	ecx, [ebp+var_24]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)
		mov	eax, ds:_EtwpHostSiloState
		add	eax, 0A48h
		jz	short loc_9F227E
		test	dword ptr [eax+4], (offset loc_7FFFFF+1)
		jz	short loc_9F227E
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	esi
		push	offset _KERNEL_MEM_EVENT_MEMINFO_WS
		push	dword_6BC304
		push	_EtwpMemoryProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	short loc_9F227E
; 

loc_9F226C:				; CODE XREF: EtwpLogMemInfoWsHelper(x,x)+43j
		mov	edx, [ecx+2E4h]
		push	2
		push	dword ptr [ecx]
		lea	ecx, [ebp+var_24]
		call	EtwpLogKernelEvent

loc_9F227E:				; CODE XREF: EtwpLogMemInfoWsHelper(x,x)+5Fj
					; EtwpLogMemInfoWsHelper(x,x)+68j ...
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpLogMemInfoWsHelper@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogProcessPerfCtrs(x)
_EtwpLogProcessPerfCtrs@4 proc near	; CODE XREF: EtwTraceProcess+177AAFp

var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	3Ch		; size_t
		lea	eax, [ebp+var_54]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esi+0E4h]
		add	esp, 0Ch
		mov	[ebp+var_54], eax
		mov	eax, [esi+118h]
		mov	[ebp+var_44], eax
		mov	eax, [esi+294h]
		shl	eax, 0Ch
		mov	[ebp+var_40], eax
		mov	eax, [esi+228h]
		shl	eax, 0Ch
		push	501802h
		mov	[ebp+var_3C], eax
		mov	eax, [esi+114h]
		push	320h
		mov	[ebp+var_38], eax
		mov	eax, [esi+110h]
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		push	1
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_54]
		push	1
		push	esi
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], 3Ch
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		lea	edx, [ebp+var_18]
		mov	ecx, eax
		call	EtwTraceSiloKernelEvent
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpLogProcessPerfCtrs@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogRegistryEvent(x, x, x, x, x,	x, x)
_EtwpLogRegistryEvent@28 proc near	; CODE XREF: EtwpTraceRegistry(x,x,x,x,x,x)+66p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		movzx	eax, dl
		xor	ebx, ebx
		mov	edx, [ebp+arg_C]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_40], ebx
		mov	ecx, 900h
		mov	[ebp+var_38], ebx
		or	ax, cx
		mov	[ebp+var_34], 14h
		mov	ecx, [ebp+arg_10]
		push	edi
		movzx	edi, ax
		mov	eax, [edx]
		mov	[ebp+var_54], eax
		mov	eax, [edx+4]
		xor	edx, edx
		mov	[ebp+var_50], eax
		inc	edx
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_48], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_30], ebx
		test	ecx, ecx
		jz	short loc_9F23B3
		movzx	eax, word ptr [ecx]
		mov	ecx, [ecx+4]
		and	eax, 0FFFFFFFEh
		test	ecx, ecx
		jz	short loc_9F23B3
		test	eax, eax
		jz	short loc_9F23B3
		push	2
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], ebx
		pop	edx

loc_9F23B3:				; CODE XREF: EtwpLogRegistryEvent(x,x,x,x,x,x,x)+65j
					; EtwpLogRegistryEvent(x,x,x,x,x,x,x)+72j ...
		mov	eax, edx
		add	eax, eax
		push	ecx
		push	offset loc_501902
		push	edi
		mov	[ebp+eax*8+var_3C], offset _EtwpNull
		mov	[ebp+eax*8+var_38], ebx
		mov	[ebp+eax*8+var_34], 2
		mov	[ebp+eax*8+var_30], ebx
		lea	eax, [edx+1]
		push	eax
		mov	eax, large fs:124h
		lea	edx, [ebp+var_3C]
		mov	ecx, ds:_EtwpHostSiloState
		push	esi
		push	eax
		call	EtwpLogSystemEventUnsafe
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_EtwpLogRegistryEvent@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogSessionWorkingSetInfo(x)
_EtwpLogSessionWorkingSetInfo@4	proc near ; CODE XREF: EtwpLogMemInfoWs(x,x)+50p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_28], 0Ah
		push	edi
		mov	[ebp+var_34], ebx
		xor	esi, esi
		mov	edi, 74777445h

loc_9F2429:				; CODE XREF: EtwpLogSessionWorkingSetInfo(x)+5Dj
		test	esi, esi
		jz	short loc_9F2435
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F2435:				; CODE XREF: EtwpLogSessionWorkingSetInfo(x)+2Aj
		imul	eax, [ebp+var_28], 14h
		push	edi
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9F2587
		lea	edx, [ebp+var_28]
		mov	ecx, esi
		call	_MmQuerySessionWorkingSetInformation@8 ; MmQuerySessionWorkingSetInformation(x,x)
		cmp	eax, 0C0000004h
		jz	short loc_9F2429
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	loc_9F257F
		imul	eax, 24h
		push	edi
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_30], edi
		test	edi, edi
		jz	loc_9F257F
		and	[ebp+var_2C], 0
		mov	edx, [ebp+var_28]
		test	edx, edx
		jz	short loc_9F24D9
		lea	ecx, [edi+8]
		mov	edi, [ebp+var_2C]
		lea	ebx, [esi+8]

loc_9F249B:				; CODE XREF: EtwpLogSessionWorkingSetInfo(x)+D0j
		mov	eax, [ebx-8]
		xor	edx, edx
		mov	[ecx-8], eax
		inc	edi
		mov	eax, [ebx-4]
		mov	[ecx-4], eax
		mov	eax, [ebx]
		lea	ebx, [ebx+14h]
		mov	[ecx], eax
		lea	ecx, [ecx+24h]
		mov	[ecx-0Ch], edx
		mov	eax, [ebx-10h]
		mov	[ecx-20h], eax
		mov	eax, [ebx-0Ch]
		mov	[ecx-1Ch], eax
		mov	[ecx-14h], edx
		mov	[ecx-18h], edx
		mov	[ecx-10h], edx
		mov	edx, [ebp+var_28]
		cmp	edi, edx
		jb	short loc_9F249B
		mov	edi, [ebp+var_30]
		mov	ebx, [ebp+var_34]

loc_9F24D9:				; CODE XREF: EtwpLogSessionWorkingSetInfo(x)+8Fj
		and	[ebp+var_20], 0
		lea	eax, [ebp+var_28]
		and	[ebp+var_18], 0
		and	[ebp+var_10], 0
		and	[ebp+var_8], 0
		mov	[ebp+var_24], eax
		imul	eax, edx, 24h
		mov	[ebp+var_1C], 4
		mov	[ebp+var_14], edi
		mov	[ebp+var_C], eax
		test	ebx, ebx
		jnz	short loc_9F255B
		mov	ebx, 800000h
		test	dword ptr ds:byte_70EFC4, ebx
		jz	short loc_9F252A
		push	offset dword_401804
		push	27Eh
		push	20800000h
		push	2
		pop	edx
		lea	ecx, [ebp+var_24]
		call	_EtwTraceKernelEvent@20	; EtwTraceKernelEvent(x,x,x,x,x)

loc_9F252A:				; CODE XREF: EtwpLogSessionWorkingSetInfo(x)+10Dj
		mov	eax, ds:_EtwpHostSiloState
		add	eax, 0A48h
		jz	short loc_9F2577
		test	[eax+4], ebx
		jz	short loc_9F2577
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	0
		push	offset _KERNEL_MEM_EVENT_MEMINFO_SESSIONWS
		push	dword_6BC304
		push	_EtwpMemoryProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	short loc_9F2577
; 

loc_9F255B:				; CODE XREF: EtwpLogSessionWorkingSetInfo(x)+100j
		mov	edx, [ebx+2E4h]
		lea	ecx, [ebp+var_24]
		push	offset dword_401804
		push	27Eh
		push	2
		push	dword ptr [ebx]
		call	EtwpLogKernelEvent

loc_9F2577:				; CODE XREF: EtwpLogSessionWorkingSetInfo(x)+133j
					; EtwpLogSessionWorkingSetInfo(x)+138j	...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F257F:				; CODE XREF: EtwpLogSessionWorkingSetInfo(x)+64j
					; EtwpLogSessionWorkingSetInfo(x)+80j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F2587:				; CODE XREF: EtwpLogSessionWorkingSetInfo(x)+48j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpLogSessionWorkingSetInfo@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogTxREvent(x, x, x, x,	x, x, x)
_EtwpLogTxREvent@28 proc near		; CODE XREF: EtwpTraceRegistryTransaction(x,x,x,x,x,x)+66p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		and	[ebp+var_44], 0
		and	[ebp+var_40], 0
		push	ebx
		movzx	eax, dl
		mov	ebx, ecx
		mov	edx, [ebp+arg_C]
		mov	ecx, 900h
		or	ax, cx
		mov	[ebp+var_34], 20h
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ecx, ecx
		movzx	eax, ax
		inc	ecx
		mov	[ebp+var_68], eax
		mov	eax, [edx]
		mov	[ebp+var_64], eax
		mov	eax, [edx+4]
		push	edi
		mov	[ebp+var_60], eax
		lea	edi, [ebp+var_5C]
		mov	eax, [ebp+arg_4]
		movsd
		push	2
		movsd
		movsd
		movsd
		mov	[ebp+var_4C], eax
		xor	esi, esi
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		pop	edi
		movzx	edx, word ptr [eax]
		and	edx, 0FFFFFFFEh
		jbe	short loc_9F2621
		mov	eax, [eax+4]
		mov	ecx, edi
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], esi

loc_9F2621:				; CODE XREF: EtwpLogTxREvent(x,x,x,x,x,x,x)+78j
		mov	edx, ds:_EtwpHostSiloState
		mov	eax, ecx
		add	eax, eax
		push	offset loc_501902
		push	[ebp+var_68]
		mov	[ebp+eax*8+var_3C], offset _EtwpNull
		mov	[ebp+eax*8+var_38], esi
		mov	[ebp+eax*8+var_34], edi
		mov	[ebp+eax*8+var_30], esi
		lea	eax, [ecx+1]
		push	eax
		push	ebx
		lea	ecx, [ebp+var_3C]
		call	EtwpLogKernelEvent
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_EtwpLogTxREvent@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpPerfMemInfoWork(x)
_EtwpPerfMemInfoWork@4 proc near	; DATA XREF: EtwpQueuePerfMemInfoWorkItem(x)+23o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		push	0
		push	eax
		mov	esi, [eax+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, esi
		xor	ecx, ecx
		call	_EtwpLogMemInfoWs@8 ; EtwpLogMemInfoWs(x,x)
		pop	esi
		pop	ebp
		retn	4
_EtwpPerfMemInfoWork@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpPmcProfileInit()
_EtwpPmcProfileInit@0 proc near		; CODE XREF: EtwpEnableKernelTrace:loc_90D257p
		mov	edi, edi
		push	esi
		xor	esi, esi
		push	edi
		cmp	_EtwpPmcProfile, esi
		jbe	short loc_9F26B1
		mov	edi, esi

loc_9F2697:				; CODE XREF: EtwpPmcProfileInit()+28j
		mov	ecx, dword_6BC3A4
		lea	ecx, [edi+ecx]
		call	_KeStartProfile@4 ; KeStartProfile(x)
		inc	esi
		lea	edi, [edi+34h]
		cmp	esi, _EtwpPmcProfile
		jb	short loc_9F2697

loc_9F26B1:				; CODE XREF: EtwpPmcProfileInit()+Cj
		pop	edi
		pop	esi
		retn
_EtwpPmcProfileInit@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpPsProvTraceJob(x, x, x)
_EtwpPsProvTraceJob@12 proc near	; CODE XREF: EtwTraceJob(x,x,x,x)+7Bp

var_368		= dword	ptr -368h
var_364		= dword	ptr -364h
var_360		= dword	ptr -360h
var_35C		= dword	ptr -35Ch
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_4		= dword	ptr -4
arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 368h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		movzx	eax, [ebp+arg_0]
		mov	[ebp+var_368], edx
		mov	edx, ecx
		sub	eax, 720h
		jz	short loc_9F26EC
		sub	eax, 1
		jnz	loc_9F2772
		mov	ecx, offset _JobTerminate
		jmp	short loc_9F26F1
; 

loc_9F26EC:				; CODE XREF: EtwpPsProvTraceJob(x,x,x)+26j
		mov	ecx, offset _JobStart

loc_9F26F1:				; CODE XREF: EtwpPsProvTraceJob(x,x,x)+36j
		push	esi
		lea	eax, [edx+2D8h]
		mov	[ebp+var_35C], 10h
		mov	[ebp+var_364], eax
		xor	esi, esi
		lea	eax, [edx+2D4h]
		mov	[ebp+var_360], esi
		push	4
		pop	edx
		mov	[ebp+var_354], eax
		lea	eax, [ebp+var_368]
		mov	[ebp+var_344], eax
		lea	eax, [ebp+var_364]
		push	eax
		push	3
		push	esi
		push	ecx
		push	dword_6BC18C
		mov	[ebp+var_358], esi
		push	_EtwpPsProvRegHandle
		mov	[ebp+var_350], esi
		mov	[ebp+var_34C], edx
		mov	[ebp+var_348], esi
		mov	[ebp+var_340], esi
		mov	[ebp+var_33C], edx
		mov	[ebp+var_338], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		pop	esi

loc_9F2772:				; CODE XREF: EtwpPsProvTraceJob(x,x,x)+2Bj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwpPsProvTraceJob@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSetMark(x, x, x, x, x)
_EtwpSetMark@20	proc near		; CODE XREF: .text:005ADEA2p
					; EtwpLogRefSetAutoMark(x,x)+66p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		push	44h
		push	offset dword_6A9D70
		call	__SEH_prolog4_GS
		mov	ebx, edx
		mov	[ebp+var_4C], ecx
		xor	edx, edx
		mov	esi, edx
		mov	edi, [ebp+arg_0]
		cmp	edi, 4
		ja	short loc_9F27A7
		mov	esi, 0C000000Dh
		jmp	loc_9F28A4
; 

loc_9F27A7:				; CODE XREF: EtwpSetMark(x,x,x,x,x)+1Bj
		cmp	edi, 0FFDDh
		jbe	short loc_9F27B9
		mov	esi, 0C0000095h
		jmp	loc_9F28A4
; 

loc_9F27B9:				; CODE XREF: EtwpSetMark(x,x,x,x,x)+2Dj
		mov	[ebp+ms_exc.disabled], edx
		cmp	[ebp+arg_8], 0
		jz	short loc_9F27DF
		test	bl, 3
		jz	short loc_9F27CC
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_9F27CC:				; CODE XREF: EtwpSetMark(x,x,x,x,x)+45j
		lea	eax, [ebx+edi]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_9F27DD
		cmp	eax, ebx
		jnb	short loc_9F27DF

loc_9F27DD:				; CODE XREF: EtwpSetMark(x,x,x,x,x)+57j
		mov	[ecx], dl

loc_9F27DF:				; CODE XREF: EtwpSetMark(x,x,x,x,x)+40j
					; EtwpSetMark(x,x,x,x,x)+5Bj
		mov	eax, [ebx]
		mov	[ebp+var_54], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+var_45], dl
		test	al, 1
		jz	short loc_9F2822
		cmp	[ebp+arg_4], 0
		jz	short loc_9F2822
		push	dword ptr [ebp+arg_8]
		push	ds:dword_A94A14
		push	ds:_SeDebugPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	short loc_9F281B
		mov	[ebp+var_45], 1
		call	_MmEmptyAllWorkingSets@0 ; MmEmptyAllWorkingSets()
		jmp	short loc_9F2820
; 

loc_9F281B:				; CODE XREF: EtwpSetMark(x,x,x,x,x)+8Ej
		mov	esi, 0C0000061h

loc_9F2820:				; CODE XREF: EtwpSetMark(x,x,x,x,x)+99j
		xor	edx, edx

loc_9F2822:				; CODE XREF: EtwpSetMark(x,x,x,x,x)+70j
					; EtwpSetMark(x,x,x,x,x)+76j
		lea	eax, [ebx+4]
		mov	[ebp+var_44], eax
		mov	[ebp+var_40], edx
		lea	eax, [edi-4]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], offset _EtwpNull
		mov	[ebp+var_30], edx
		push	2
		pop	eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], edx
		push	ecx
		push	3100h
		push	0F22h
		push	eax
		mov	ebx, [ebp+var_4C]
		push	dword ptr [ebx]
		mov	eax, large fs:124h
		push	eax
		lea	edx, [ebp+var_44]
		mov	ecx, [ebx+2E4h]
		call	EtwpLogSystemEventUnsafe
		cmp	[ebp+var_45], 0
		jz	short loc_9F28A4
		push	1
		push	275h
		mov	edx, [ebx]
		mov	ecx, [ebx+2E4h]
		call	_MmIdentifyPhysicalMemory@16 ; MmIdentifyPhysicalMemory(x,x,x,x)
		jmp	short loc_9F28A4
; 

loc_9F2889:				; DATA XREF: .text:006A9D84o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_50], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F2897:				; DATA XREF: .text:006A9D88o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_50]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9F28A4:				; CODE XREF: EtwpSetMark(x,x,x,x,x)+22j
					; EtwpSetMark(x,x,x,x,x)+34j ...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_EtwpSetMark@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSetPmcProfileSource(x, x)
_EtwpSetPmcProfileSource@8 proc	near	; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+AA0p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_8], ecx
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	esi, esi
		jz	loc_9F2984
		cmp	esi, ds:_EtwpMaxProfilingSources
		ja	loc_9F2984
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset _EtwpGroupMaskMutex
		call	KeWaitForSingleObject
		test	dword ptr ds:byte_70EFC4, 400h
		jz	short loc_9F2902
		mov	edi, 0C0000303h
		jmp	short loc_9F2974
; 

loc_9F2902:				; CODE XREF: EtwpSetPmcProfileSource(x,x)+41j
		mov	eax, dword_6BC3A4
		test	eax, eax
		jz	short loc_9F291F
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword_6BC3A4, edi
		and	_EtwpPmcProfile, edi

loc_9F291F:				; CODE XREF: EtwpSetPmcProfileSource(x,x)+51j
		imul	eax, esi, 34h
		push	58777445h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	dword_6BC3A4, ebx
		test	ebx, ebx
		jnz	short loc_9F2945
		mov	edi, 0C0000017h
		jmp	short loc_9F2974
; 

loc_9F2945:				; CODE XREF: EtwpSetPmcProfileSource(x,x)+84j
		and	[ebp+var_4], edi
		mov	_EtwpPmcProfile, esi
		test	esi, esi
		jz	short loc_9F2974
		mov	edi, [ebp+var_4]

loc_9F2955:				; CODE XREF: EtwpSetPmcProfileSource(x,x)+B7j
		mov	eax, [ebp+var_8]
		mov	edx, offset @EtwpPmcInterrupt@8	; int
		mov	ecx, ebx	; void *
		mov	eax, [eax+edi*4]
		push	eax		; __int16
		push	eax		; int
		call	_KeInitializeProfileCallback@16	; KeInitializeProfileCallback(x,x,x,x)
		inc	edi
		add	ebx, 34h
		cmp	edi, esi
		jb	short loc_9F2955
		mov	edi, [ebp+var_C]

loc_9F2974:				; CODE XREF: EtwpSetPmcProfileSource(x,x)+48j
					; EtwpSetPmcProfileSource(x,x)+8Bj ...
		push	0
		push	offset _EtwpGroupMaskMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, edi
		jmp	short loc_9F2989
; 

loc_9F2984:				; CODE XREF: EtwpSetPmcProfileSource(x,x)+17j
					; EtwpSetPmcProfileSource(x,x)+23j
		mov	eax, 0C000000Dh

loc_9F2989:				; CODE XREF: EtwpSetPmcProfileSource(x,x)+CAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpSetPmcProfileSource@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpTimeProfileInit()
_EtwpTimeProfileInit@0 proc near	; CODE XREF: EtwpEnableKernelTrace:loc_90D241p
		mov	ecx, _EtwpProfileInterval
		xor	edx, edx
		push	esi
		call	_KeSetIntervalProfile@8	; KeSetIntervalProfile(x,x)
		push	0		; __int16
		mov	esi, offset _EtwpProfileObject
		mov	edx, offset @EtwpProfileInterrupt@8 ; int
		push	0		; int
		mov	ecx, esi	; void *
		call	_KeInitializeProfileCallback@16	; KeInitializeProfileCallback(x,x,x,x)
		mov	ecx, esi
		pop	esi
		jmp	_KeStartProfile@4 ; KeStartProfile(x)
_EtwpTimeProfileInit@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceHandle(x, x, x, x)
_EtwpTraceHandle@16 proc near		; CODE XREF: PAGE:008100F7p
					; PAGE:00817931p

var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= word ptr -164h
var_162		= word ptr -162h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_10C		= dword	ptr -10Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 16Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_140], 0
		mov	[ebp+var_14C], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_160], eax
		mov	[ebp+var_150], ecx
		xor	ecx, ecx
		and	[ebp+var_154], ecx
		mov	eax, [eax+84h]
		mov	[ebp+var_158], eax
		mov	eax, ds:_EtwpHostSiloState
		push	ebx
		mov	[ebp+var_162], cx
		xor	ebx, ebx
		push	edi
		mov	ecx, [eax+924h]
		bsf	edi, ecx
		mov	[ebp+var_15C], edx
		jz	loc_9F2C0B
		push	esi

loc_9F2A27:				; CODE XREF: EtwpTraceHandle(x,x,x,x)+F4j
		lea	eax, [ecx-1]
		and	ecx, eax
		mov	eax, ds:_EtwpHostSiloState
		mov	[ebp+var_154], ecx
		add	eax, 948h
		mov	ecx, edi
		shl	ecx, 5
		add	eax, ecx
		jz	short loc_9F2AA4
		test	byte ptr [eax+10h], 40h
		jz	short loc_9F2AA4
		and	[ebp+var_144], 0
		xor	eax, eax
		imul	esi, edi, 14h
		add	esi, offset _EtwpObjectTypeFilter
		cmp	ax, [esi]
		jnb	short loc_9F2AA4
		lea	ecx, [esi+4]
		mov	[ebp+var_148], ecx

loc_9F2A6B:				; CODE XREF: EtwpTraceHandle(x,x,x,x)+E4j
		mov	edx, [ecx]
		mov	ecx, [ebp+var_158]
		call	_ExCheckSingleFilter@8 ; ExCheckSingleFilter(x,x)
		test	eax, eax
		jnz	short loc_9F2AA1
		mov	edx, [ebp+var_144]
		mov	ecx, [ebp+var_148]
		inc	edx
		movzx	eax, word ptr [esi]
		add	ecx, 4
		mov	[ebp+var_144], edx
		mov	[ebp+var_148], ecx
		cmp	edx, eax
		jb	short loc_9F2A6B
		jmp	short loc_9F2AA4
; 

loc_9F2AA1:				; CODE XREF: EtwpTraceHandle(x,x,x,x)+C1j
		bts	ebx, edi

loc_9F2AA4:				; CODE XREF: EtwpTraceHandle(x,x,x,x)+8Aj
					; EtwpTraceHandle(x,x,x,x)+90j	...
		mov	ecx, [ebp+var_154]
		bsf	edi, ecx
		jnz	loc_9F2A27
		test	ebx, ebx
		jz	loc_9F2C0A
		mov	eax, [ebp+var_15C]
		lea	esi, [ebp+var_10C]
		and	[ebp+var_138], 0
		xor	edi, edi
		and	[ebp+var_130], 0
		inc	edi
		mov	ecx, [ebp+var_14C]
		mov	[ebp+var_168], eax
		mov	eax, [ebp+var_160]
		mov	[ebp+var_16C], ecx
		mov	[ebp+var_134], 0Ah
		movzx	eax, byte ptr [eax+14h]
		mov	[ebp+var_164], ax
		lea	eax, [ebp+var_16C]
		mov	[ebp+var_13C], eax
		mov	eax, 1121h
		cmp	word ptr [ebp+var_150],	ax
		jnz	loc_9F2BB0
		mov	eax, 108h
		mov	[ebp+var_140], eax

loc_9F2B2E:				; CODE XREF: EtwpTraceHandle(x,x,x,x)+1C2j
		push	0
		lea	edx, [ebp+var_140]
		push	edx
		push	eax
		mov	edx, esi
		call	ObQueryNameStringMode
		cmp	eax, 0C0000004h
		jnz	short loc_9F2B7D
		lea	eax, [ebp+var_10C]
		cmp	esi, eax
		jz	short loc_9F2B58
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F2B58:				; CODE XREF: EtwpTraceHandle(x,x,x,x)+195j
		push	74777445h
		push	[ebp+var_140]
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9F2BB0
		mov	eax, [ebp+var_140]
		mov	ecx, [ebp+var_14C]
		jmp	short loc_9F2B2E
; 

loc_9F2B7D:				; CODE XREF: EtwpTraceHandle(x,x,x,x)+18Bj
		test	eax, eax
		jnz	short loc_9F2BB0
		movzx	eax, word ptr [esi]
		mov	ecx, 2000h
		cmp	ax, cx
		jnb	short loc_9F2B90
		mov	ecx, eax

loc_9F2B90:				; CODE XREF: EtwpTraceHandle(x,x,x,x)+1D3j
		mov	eax, [esi+4]
		and	[ebp+var_128], 0
		and	[ebp+var_120], 0
		push	2
		mov	[ebp+var_12C], eax
		mov	[ebp+var_124], ecx
		pop	edi

loc_9F2BB0:				; CODE XREF: EtwpTraceHandle(x,x,x,x)+164j
					; EtwpTraceHandle(x,x,x,x)+1B4j ...
		push	10501902h
		push	[ebp+var_150]
		mov	eax, edi
		lea	edx, [edi+1]
		add	eax, eax
		lea	ecx, [ebp+var_13C]
		push	ebx
		and	[ebp+eax*8+var_138], 0
		and	[ebp+eax*8+var_130], 0
		mov	[ebp+eax*8+var_13C], offset _EtwpNull
		mov	[ebp+eax*8+var_134], 2
		call	_EtwpTraceKernelEventWithFilter@20 ; EtwpTraceKernelEventWithFilter(x,x,x,x,x)
		test	esi, esi
		jz	short loc_9F2C0A
		lea	eax, [ebp+var_10C]
		cmp	esi, eax
		jz	short loc_9F2C0A
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F2C0A:				; CODE XREF: EtwpTraceHandle(x,x,x,x)+FCj
					; EtwpTraceHandle(x,x,x,x)+23Dj ...
		pop	esi

loc_9F2C0B:				; CODE XREF: EtwpTraceHandle(x,x,x,x)+67j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpTraceHandle@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceRegistry(x, x, x, x, x, x)
_EtwpTraceRegistry@24 proc near		; DATA XREF: EtwpEnableKernelTrace+129A67o

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, ds:_EtwpHostSiloState
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax+924h]
		bsf	ecx, esi
		jz	short loc_9F2C8B
		mov	edi, [ebp+arg_4]
		mov	bl, [ebp+arg_0]

loc_9F2C3D:				; CODE XREF: EtwpTraceRegistry(x,x,x,x,x,x)+6Ej
		mov	edx, ds:_EtwpHostSiloState
		lea	eax, [esi-1]
		and	esi, eax
		mov	eax, ecx
		shl	eax, 5
		add	eax, 948h
		add	eax, edx
		jz	short loc_9F2C86
		test	dword ptr [eax], 20000h
		jz	short loc_9F2C86
		movzx	eax, byte ptr [edx+ecx*2+915h]
		push	[ebp+arg_14]
		movzx	ecx, byte ptr [edx+ecx*2+914h]
		dec	eax
		mov	dl, bl
		lea	eax, [edi+eax*8]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_EtwpLogRegistryEvent@28 ; EtwpLogRegistryEvent(x,x,x,x,x,x,x)

loc_9F2C86:				; CODE XREF: EtwpTraceRegistry(x,x,x,x,x,x)+39j
					; EtwpTraceRegistry(x,x,x,x,x,x)+41j
		bsf	ecx, esi
		jnz	short loc_9F2C3D

loc_9F2C8B:				; CODE XREF: EtwpTraceRegistry(x,x,x,x,x,x)+1Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_EtwpTraceRegistry@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceRegistryTransaction(x, x, x, x, x,	x)
_EtwpTraceRegistryTransaction@24 proc near ; DATA XREF:	EtwpEnableKernelTrace+129A73o

arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, ds:_EtwpHostSiloState
		push	ebx
		push	esi
		push	edi
		mov	esi, [eax+924h]
		bsf	ecx, esi
		jz	short loc_9F2D04
		mov	edi, [ebp+arg_4]
		mov	bl, [ebp+arg_0]

loc_9F2CB6:				; CODE XREF: EtwpTraceRegistryTransaction(x,x,x,x,x,x)+6Ej
		mov	edx, ds:_EtwpHostSiloState
		lea	eax, [esi-1]
		and	esi, eax
		mov	eax, ecx
		shl	eax, 5
		add	eax, 948h
		add	eax, edx
		jz	short loc_9F2CFF
		test	dword ptr [eax], 20000h
		jz	short loc_9F2CFF
		movzx	eax, byte ptr [edx+ecx*2+915h]
		push	[ebp+arg_14]
		movzx	ecx, byte ptr [edx+ecx*2+914h]
		dec	eax
		mov	dl, bl
		lea	eax, [edi+eax*8]
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_EtwpLogTxREvent@28 ; EtwpLogTxREvent(x,x,x,x,x,x,x)

loc_9F2CFF:				; CODE XREF: EtwpTraceRegistryTransaction(x,x,x,x,x,x)+39j
					; EtwpTraceRegistryTransaction(x,x,x,x,x,x)+41j
		bsf	ecx, esi
		jnz	short loc_9F2CB6

loc_9F2D04:				; CODE XREF: EtwpTraceRegistryTransaction(x,x,x,x,x,x)+1Aj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
_EtwpTraceRegistryTransaction@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceSystemShutdown()
_EtwpTraceSystemShutdown@0 proc	near	; CODE XREF: EtwShutdown+A62CFp

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_60]
		xor	esi, esi
		push	eax
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], esi
		call	_KeQuerySystemTimePrecise@4 ; KeQuerySystemTimePrecise(x)
		cmp	dword_6B2A40, 5
		push	8
		pop	ebx
		jbe	short loc_9F2D9B
		push	4000h
		mov	edi, offset dword_6B2A40
		push	esi
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	short loc_9F2D9B
		lea	eax, [ebp+var_64]
		mov	[ebp+var_64], 2
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_60]
		push	4
		mov	[ebp+var_70], eax
		mov	eax, [ebp+var_5C]
		pop	ecx
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_58]
		push	eax
		push	ecx
		push	esi
		push	esi
		push	offset loc_4238AD
		push	edi
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9F2D9B:				; CODE XREF: EtwpTraceSystemShutdown()+30j
					; EtwpTraceSystemShutdown()+46j
		mov	ecx, _EtwKernelProvRegHandle
		mov	eax, ecx
		mov	edx, dword_6BC12C
		or	eax, edx
		jz	short loc_9F2DCF
		lea	eax, [ebp+var_60]
		mov	[ebp+var_14], esi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	1
		push	esi
		push	offset _KernelSystemStop
		push	edx
		push	ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9F2DCF:				; CODE XREF: EtwpTraceSystemShutdown()+9Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpTraceSystemShutdown@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpWriteAppStateChangeWithStats proc near ; CODE XREF:	EtwTraceAppStateChange+17DC68p

var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 100h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		cmp	dword_6B2A18, 5
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jbe	loc_9F2FCA
		push	2000h
		push	3
		mov	ecx, offset dword_6B2A18
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9F2FCA
		mov	eax, [esi+0E4h]
		xor	ebx, ebx
		push	4
		mov	[ebp+var_BC], edi
		mov	ecx, esi
		mov	[ebp+var_E4], eax
		lea	eax, [ebp+var_E4]
		pop	edi
		mov	[ebp+var_B8], ebx
		mov	[ebp+var_B4], 62h
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_AC], eax
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_A4], edi
		mov	[ebp+var_A0], ebx
		call	_EtwpGetProcessStartKey@4 ; EtwpGetProcessStartKey(x)
		mov	[ebp+var_F4], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_F4]
		and	[ebp+var_68], 0
		mov	[ebp+var_9C], eax
		mov	eax, [esi+34Ch]
		mov	[ebp+var_E8], eax
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_8C], eax
		mov	eax, [esi+3A8h]
		shr	eax, 2
		and	al, 1
		and	[ebp+var_60], 0
		mov	byte ptr [ebp+var_E0+3], al
		lea	eax, [ebp+var_E0+3]
		mov	[ebp+var_7C], eax
		and	[ebp+var_58], 0
		and	[ebp+var_50], 0
		mov	[ebp+var_90], ecx
		mov	[ebp+var_88], ecx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_78], ecx
		mov	[ebp+var_70], ecx
		mov	cl, [esi+3A7h]
		mov	al, cl
		mov	[ebp+var_F0], edx
		and	al, 7
		mov	[ebp+var_98], ebx
		mov	byte ptr [ebp+var_E0+2], al
		xor	edx, edx
		lea	eax, [ebp+var_E0+2]
		mov	[ebp+var_84], edi
		mov	[ebp+var_6C], eax
		inc	edx
		mov	al, cl
		mov	[ebp+var_74], edx
		shr	al, 3
		and	al, 7
		shr	cl, 6
		mov	byte ptr [ebp+var_E0+1], al
		and	cl, dl
		lea	eax, [ebp+var_E0+1]
		mov	byte ptr [ebp+var_E0], cl
		mov	[ebp+var_5C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_64], edx
		mov	[ebp+var_4C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_3C], eax
		mov	eax, [esi+298h]
		push	8
		mov	[ebp+var_EC], eax
		lea	eax, [ebp+var_EC]
		pop	ebx
		mov	[ebp+var_94], ebx
		mov	[ebp+var_54], edx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], 2Ch
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], ecx
		mov	eax, [esi+418h]
		mov	[ebp+var_20], ecx
		mov	ecx, 1000h
		mul	ecx
		xor	ecx, ecx
		mov	[ebp+var_24], edi
		mov	[ebp+var_FC], eax
		lea	eax, [ebp+var_FC]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_DC]
		push	eax
		push	0Dh
		push	ecx
		push	ecx
		push	(offset	loc_423028+6)
		push	offset dword_6B2A18
		mov	[ebp+var_F8], edx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9F2FCA:				; CODE XREF: EtwpWriteAppStateChangeWithStats+23j
					; EtwpWriteAppStateChangeWithStats+3Cj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
EtwpWriteAppStateChangeWithStats endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PerfInfoLogVirtualAlloc(x, x, x, x,	x, x)
_PerfInfoLogVirtualAlloc@24 proc near	; CODE XREF: MiAllocateVirtualMemory+1605F7p
					; MiFinishPlaceholderVadReplacement(x,x,x)+5Cp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h
arg_C		= word ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		push	offset loc_501902
		push	262h
		mov	eax, [esi+0E4h]
		mov	edi, ecx
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_4]
		push	20008000h
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_30]
		push	1
		push	esi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], 10h
		mov	[ebp+var_C], ebx
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		lea	edx, [ebp+var_18]
		mov	ecx, eax
		call	EtwTraceSiloKernelEvent
		mov	ax, [ebp+arg_C]
		cmp	[ebp+arg_8], ax
		jz	short loc_9F308B
		push	offset loc_501902
		push	289h
		push	20008000h
		mov	word ptr [ebp+var_1C], ax
		lea	eax, [ebp+var_20]
		push	1
		push	esi
		mov	[ebp+var_20], edi
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], ebx
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		lea	edx, [ebp+var_18]
		mov	ecx, eax
		call	EtwTraceSiloKernelEvent

loc_9F308B:				; CODE XREF: PerfInfoLogVirtualAlloc(x,x,x,x,x,x)+73j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_PerfInfoLogVirtualAlloc@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PerfInfoLogVirtualFree(x, x, x, x)
_PerfInfoLogVirtualFree@16 proc	near	; CODE XREF: MiFreeVadRange+10B044p
					; MmFreeVirtualMemory(x,x,x,x,x,x)+5DBp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		push	esi
		mov	esi, [ebp+arg_0]
		push	offset loc_501902
		push	263h
		push	20008000h
		mov	eax, [esi+0E4h]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_28]
		push	1
		push	esi
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], edx
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], 10h
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		lea	edx, [ebp+var_18]
		mov	ecx, eax
		call	EtwTraceSiloKernelEvent
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_PerfInfoLogVirtualFree@16 endp


;  S U B	R O U T	I N E 


; __stdcall EtwDeleteProcessor(x)
_EtwDeleteProcessor@4 proc near		; CODE XREF: KiStartDynamicProcessor(x,x,x,x)+49Cp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+4054h]
		test	ecx, ecx
		jz	short loc_9F3134
		call	_EtwpCCSwapDeleteProcessor@4 ; EtwpCCSwapDeleteProcessor(x)
		push	0
		push	dword ptr [esi+4054h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+4054h], 0

loc_9F3134:				; CODE XREF: EtwDeleteProcessor(x)+Dj
		pop	esi
		retn
_EtwDeleteProcessor@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwDeleteSiloState(x)
_EtwDeleteSiloState@4 proc near		; CODE XREF: PspDeleteServerSiloGlobals(x)+3Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	loc_9F3229
		mov	edx, [esi+8]
		xor	edi, edi
		mov	ecx, edi
		test	edx, edx
		jz	short loc_9F316A
		mov	eax, [esi+18Ch]

loc_9F3159:				; CODE XREF: EtwDeleteSiloState(x)+32j
		cmp	dword ptr [eax], 1
		jnz	loc_9F3229
		inc	ecx
		add	eax, 4
		cmp	ecx, edx
		jb	short loc_9F3159

loc_9F316A:				; CODE XREF: EtwDeleteSiloState(x)+1Bj
		push	ebx
		mov	[ebp+var_4], edi
		lea	ebx, [esi+1A8h]

loc_9F3174:				; CODE XREF: EtwDeleteSiloState(x)+99j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	ecx, edi
		lea	eax, [ebx-18h]

loc_9F3190:				; CODE XREF: EtwDeleteSiloState(x)+69j
		cmp	[eax], eax
		jnz	loc_9F3229
		inc	ecx
		add	eax, 8
		cmp	ecx, 3
		jb	short loc_9F3190
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jz	short loc_9F31B6
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9F31B6:				; CODE XREF: EtwDeleteSiloState(x)+77j
		mov	ecx, ebx
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, [ebp+var_4]
		add	ebx, 1Ch
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, 40h
		jb	short loc_9F3174
		pop	ebx
		cmp	[esi+8], edi
		jbe	short loc_9F31F0

loc_9F31D7:				; CODE XREF: EtwDeleteSiloState(x)+B8j
		mov	eax, [esi+188h]
		mov	eax, [eax+edi*4]
		test	eax, eax
		jz	short loc_9F31EA
		push	eax
		call	_ExFreeCacheAwareRundownProtection@4 ; ExFreeCacheAwareRundownProtection(x)

loc_9F31EA:				; CODE XREF: EtwDeleteSiloState(x)+ACj
		inc	edi
		cmp	edi, [esi+8]
		jb	short loc_9F31D7

loc_9F31F0:				; CODE XREF: EtwDeleteSiloState(x)+9Fj
		mov	edi, 61777445h
		push	edi
		push	dword ptr [esi+8D8h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		push	dword ptr [esi+188h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+908h]
		test	eax, eax
		jz	short loc_9F321E
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F321E:				; CODE XREF: EtwDeleteSiloState(x)+DFj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		leave
		retn
; 

loc_9F3229:				; CODE XREF: EtwDeleteSiloState(x)+Cj
					; EtwDeleteSiloState(x)+26j ...
		push	11Dh
		call	_KeBugCheck@4	; KeBugCheck(x)
		int	3		; Trap to Debugger
_EtwDeleteSiloState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwQueryPerformanceTraceInformation(x, x, x, x)
_EtwQueryPerformanceTraceInformation@16	proc near ; CODE XREF: PAGE:007802C7p

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	80h
		push	offset dword_6A9E88
		call	__SEH_prolog4
		mov	ebx, edx
		mov	esi, ecx
		mov	[ebp+var_44], esi
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	edi, eax
		mov	[ebp+var_24], edi
		cmp	ebx, 4
		jnb	short loc_9F3263
		mov	eax, 0C000000Dh
		jmp	loc_9F39AC
; 

loc_9F3263:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+23j
		mov	[ebp+ms_exc.disabled], eax
		mov	eax, [esi]
		mov	[ebp+var_28], eax
		mov	[ebp+var_74], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+1F0h]
		mov	[ebp+var_1C], ecx
		mov	eax, [ebp+var_28]
		cmp	eax, 12h
		jg	loc_9F396C
		jz	loc_9F395E
		cmp	eax, 0Dh	; switch 14 cases
		ja	loc_9F3971	; default
		jmp	ds:off_9F39C0[eax*4] ; switch jump

loc_9F32A5:				; DATA XREF: PAGE:off_9F39C0o
		push	8		; case 0x0
		pop	ecx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		cmp	ebx, ecx
		jnz	loc_9F390E
		mov	[ebp+ms_exc.disabled], 1
		mov	dword ptr [esi+4], 50h

loc_9F32C3:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+1DEj
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+218j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_9F37A0
; 

loc_9F32CF:				; DATA XREF: .text:006A9EA8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F32DD:				; DATA XREF: .text:006A9EACo
		mov	eax, [ebp+var_2C]
		jmp	loc_9F382C
; 

loc_9F32E5:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_9F39C0o
		push	30h		; case 0x1
		pop	edx
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		cmp	ebx, edx
		jnz	loc_9F390E
		mov	[ebp+ms_exc.disabled], 2
		mov	edx, [esi+8]
		mov	[ebp+var_48], edx
		mov	eax, [esi+0Ch]
		mov	[ebp+var_44], eax
		push	0FFFFFFFEh
		pop	ebx
		mov	[ebp+ms_exc.disabled], ebx
		movzx	edi, dx
		cmp	edi, 0FFFFh
		jnz	short loc_9F3320
		movzx	edi, byte ptr [ecx+914h]

loc_9F3320:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+E3j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	edx, edi
		mov	edi, [ebp+var_1C]
		mov	ecx, edi
		call	EtwpAcquireLoggerContextByLoggerId
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	loc_9F3763
		test	dword ptr [eax+0Ch], 2000000h
		jnz	short loc_9F334E
		mov	ecx, eax
		jmp	loc_9F3775
; 

loc_9F334E:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+111j
		movzx	ecx, byte ptr [eax+25Ah]
		mov	[ebp+ms_exc.disabled], 3
		lea	eax, [esi+10h]
		shl	ecx, 5
		lea	esi, [edi+948h]
		add	esi, ecx
		push	8
		pop	ecx
		mov	edi, eax
		rep movsd
		xor	dl, dl
		mov	ecx, eax
		call	_EtwpMapEnableFlags@8 ;	EtwpMapEnableFlags(x,x)
		mov	[ebp+ms_exc.disabled], ebx
		mov	edi, [ebp+var_24]
		jmp	short loc_9F339D
; 

loc_9F3382:				; DATA XREF: .text:006A9EC0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F3390:				; DATA XREF: .text:006A9EC4o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_30]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9F339D:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+14Cj
		mov	ecx, [ebp+arg_4]
		jmp	loc_9F3794
; 

loc_9F33A5:				; DATA XREF: .text:006A9EB4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F33B3:				; DATA XREF: .text:006A9EB8o
		mov	eax, [ebp+var_34]
		jmp	loc_9F382C
; 

loc_9F33BB:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_9F39C0o
		push	10h		; case 0x2
		pop	ecx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		cmp	ebx, ecx
		jnz	loc_9F390E
		mov	[ebp+ms_exc.disabled], 4
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	eax, [eax+1F0h]
		add	eax, 8D0h
		mov	[ebp+arg_4], eax

loc_9F33E5:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+1D2j
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+1D6j
		mov	ebx, [eax]
		mov	[ebp+var_1C], ebx
		mov	ecx, [eax+4]
		mov	eax, ebx
		mov	edx, ecx
		nop
		mov	edi, [ebp+arg_4]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, edx
		mov	edx, [ebp+var_1C]
		cmp	eax, edx
		mov	edi, [ebp+var_24]
		mov	eax, [ebp+arg_4]
		jnz	short loc_9F33E5
		cmp	ebx, ecx
		jnz	short loc_9F33E5
		mov	[esi+8], edx
		mov	[esi+0Ch], ecx
		jmp	loc_9F32C3
; 

loc_9F3417:				; DATA XREF: .text:006A9ECCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_38], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F3425:				; DATA XREF: .text:006A9ED0o
		mov	eax, [ebp+var_38]
		jmp	loc_9F382C
; 

loc_9F342D:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_9F39C0o
		push	8		; case 0x3
		pop	ecx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		cmp	ebx, ecx
		jnz	loc_9F390E
		mov	[ebp+ms_exc.disabled], 5
		mov	eax, _EtwpProfileInterval
		mov	[esi+4], eax
		jmp	loc_9F32C3
; 

loc_9F3451:				; DATA XREF: .text:006A9ED8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F345F:				; DATA XREF: .text:006A9EDCo
		mov	eax, [ebp+var_3C]
		jmp	loc_9F382C
; 

loc_9F3467:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_9F39C0o
		push	18h		; case 0x4
		pop	edx
		mov	eax, [ebp+arg_4]
		mov	[eax], edx
		cmp	ebx, edx
		jb	loc_9F390E
		mov	[ebp+ms_exc.disabled], 6
		mov	edx, [esi+8]
		mov	[ebp+var_80], edx
		mov	eax, [esi+0Ch]
		mov	[ebp+var_7C], eax
		mov	eax, [esi+4]
		mov	[ebp+var_4C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		movzx	esi, dx
		cmp	esi, 0FFFFh
		jnz	short loc_9F34A9
		movzx	esi, byte ptr [ecx+914h]

loc_9F34A9:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+26Cj
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		push	edx
		mov	edx, esi
		mov	ecx, [ebp+var_1C]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	loc_9F3763
		mov	ecx, eax
		call	EtwpReferenceLoggerSecurityDescriptor
		mov	esi, eax
		mov	[ebp+var_40], esi
		lea	eax, [ebx-10h]
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+var_40]
		push	eax		; void *
		lea	eax, [ebp+arg_0]
		push	eax		; int
		mov	eax, [ebp+var_44]
		add	eax, 10h
		push	eax		; int
		lea	eax, [ebp+var_4C]
		push	eax		; int
		call	SeQuerySecurityDescriptorInfo
		mov	edi, eax
		mov	ecx, [ebp+arg_0]
		add	ecx, 10h
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		mov	edx, esi
		mov	ecx, [ebp+var_28]
		call	_EtwpDereferenceLoggerSecurityDescriptor@8 ; EtwpDereferenceLoggerSecurityDescriptor(x,x)
		xor	dl, dl
		mov	ecx, [ebp+var_28]
		jmp	loc_9F3796
; 

loc_9F3511:				; DATA XREF: .text:006A9EE4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_50], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F351F:				; DATA XREF: .text:006A9EE8o
		mov	eax, [ebp+var_50]
		jmp	loc_9F382C
; 

loc_9F3527:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_9F39C0o
		push	14h		; case 0x5
		pop	ecx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		cmp	ebx, 10h
		jz	short loc_9F353C
		cmp	ebx, ecx
		jnz	loc_9F390E

loc_9F353C:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+2FEj
		mov	[ebp+ms_exc.disabled], 7
		mov	eax, ds:_EtwpSpinLockSpinThreshold
		mov	[esi+4], eax
		mov	eax, ds:_EtwpSpinLockAcquireSampleRate
		mov	[esi+8], eax
		mov	eax, ds:_EtwpSpinLockContentionSampleRate
		mov	[esi+0Ch], eax
		cmp	ebx, ecx
		jnz	loc_9F32C3
		mov	eax, ds:_EtwpSpinLockHoldThreshold
		mov	[esi+10h], eax
		jmp	loc_9F32C3
; 

loc_9F3570:				; DATA XREF: .text:006A9EF0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_54], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F357E:				; DATA XREF: .text:006A9EF4o
		mov	eax, [ebp+var_54]
		jmp	loc_9F382C
; 

loc_9F3586:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_9F39C0o
		push	10h		; case 0x7
		pop	ecx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		cmp	ebx, ecx
		jnz	loc_9F390E
		mov	[ebp+ms_exc.disabled], 8
		mov	eax, _EtwpExecutiveResourceReleaseSampleRate
		mov	[esi+4], eax
		mov	eax, _EtwpExecutiveResourceContentionSampleRate
		mov	[esi+8], eax
		mov	eax, _EtwpExecutiveResourceTimeout
		mov	[esi+0Ch], eax
		jmp	loc_9F32C3
; 

loc_9F35BA:				; DATA XREF: .text:006A9EFCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_58], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F35C8:				; DATA XREF: .text:006A9F00o
		mov	eax, [ebp+var_58]
		jmp	loc_9F382C
; 

loc_9F35D0:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_9F39C0o
		xor	eax, eax	; case 0x6
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		lea	eax, [esi+10h]
		mov	[ebp+var_4C], eax
		cmp	ebx, 10h
		jb	loc_9F390E
		mov	[ebp+ms_exc.disabled], 9
		mov	edx, [esi+8]
		mov	[ebp+var_88], edx
		mov	eax, [esi+0Ch]
		mov	[ebp+var_84], eax
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		movzx	edi, dx
		cmp	edi, 0FFFFh
		jnz	short loc_9F3618
		movzx	edi, byte ptr [ecx+914h]

loc_9F3618:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+3DBj
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	edx, edi
		mov	ecx, [ebp+var_1C]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	loc_9F3763
		mov	edx, eax
		xor	ecx, ecx
		inc	ecx
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9F3791
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+258h], 80h
		jz	short loc_9F3662
		add	eax, 2B0h
		push	eax
		call	_RtlNumberOfSetBits@4 ;	RtlNumberOfSetBits(x)
		mov	[ebp+var_20], eax

loc_9F3662:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+41Ej
		mov	eax, [ebp+var_20]
		lea	ecx, ds:10h[eax*4]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		cmp	ecx, ebx
		mov	ebx, [ebp+arg_0]
		ja	short loc_9F36D4
		xor	edx, edx
		mov	[ebp+arg_4], edx

loc_9F367D:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+49Ej
		mov	eax, [ebp+arg_4]
		cmp	eax, [ebp+var_20]
		jnb	short loc_9F36D9
		mov	eax, [ebp+var_24]
		inc	eax
		push	eax
		push	1
		lea	eax, [ebx+2B0h]
		push	eax
		call	RtlFindSetBits
		mov	edx, eax
		mov	[ebp+var_24], edx
		mov	[ebp+ms_exc.disabled], 0Ah
		mov	ecx, [ebp+var_4C]
		mov	eax, [ebp+arg_4]
		mov	[ecx+eax*4], edx
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_9F36CF
; 

loc_9F36B2:				; DATA XREF: .text:006A9F14o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_5C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F36C0:				; DATA XREF: .text:006A9F18o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_5C]
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		mov	ebx, [ebp+arg_0]

loc_9F36CF:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+47Cj
		inc	[ebp+arg_4]
		jmp	short loc_9F367D
; 

loc_9F36D4:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+442j
		mov	edi, 0C0000023h

loc_9F36D9:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+44Fj
		mov	ecx, ebx
		jmp	loc_9F3794
; 

loc_9F36E0:				; DATA XREF: .text:006A9F08o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_60], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F36EE:				; DATA XREF: .text:006A9F0Co
		mov	eax, [ebp+var_60]
		jmp	loc_9F382C
; 

loc_9F36F6:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_9F39C0o
		lea	eax, [esi+10h]	; case 0xA
		mov	[ebp+var_4C], eax
		cmp	ebx, 10h
		jb	loc_9F390E
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_9F3846
		mov	[ebp+ms_exc.disabled], 0Bh
		mov	ecx, [esi+8]
		mov	[ebp+var_90], ecx
		mov	eax, [esi+0Ch]
		mov	[ebp+var_8C], eax
		push	0FFFFFFFEh
		pop	esi
		mov	[ebp+ms_exc.disabled], esi
		movzx	eax, cx
		mov	[ebp+arg_0], eax
		mov	edi, [ebp+var_1C]
		cmp	eax, 0FFFFh
		jnz	short loc_9F374B
		movzx	eax, byte ptr [edi+914h]
		mov	[ebp+arg_0], eax

loc_9F374B:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+50Bj
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	EtwpAcquireLoggerContextByLoggerId
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	short loc_9F376A

loc_9F3763:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+104j
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+28Cj ...
		mov	edi, 0C0000296h
		jmp	short loc_9F379B
; 

loc_9F376A:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+52Dj
		mov	ecx, eax
		test	dword ptr [eax+0Ch], 2000000h
		jnz	short loc_9F3783

loc_9F3775:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+115j
		mov	dl, 1
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		mov	edi, 0C000000Dh
		jmp	short loc_9F379B
; 

loc_9F3783:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+53Fj
		xor	edx, edx
		inc	edx
		call	EtwpCheckSystemTraceAccess
		mov	edi, eax
		test	edi, edi
		jns	short loc_9F37A7

loc_9F3791:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+40Ej
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+5BEj ...
		mov	ecx, [ebp+arg_0]

loc_9F3794:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+16Cj
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+4A7j
		mov	dl, 1

loc_9F3796:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+2D8j
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_9F379B:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+534j
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+54Dj
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9F37A0:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+96j
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+6C8j ...
		mov	eax, edi
		jmp	loc_9F39AC
; 

loc_9F37A7:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+55Bj
		mov	eax, [ebp+arg_0]
		movzx	eax, byte ptr [eax+25Ah]
		imul	edx, eax, 14h
		movzx	eax, _EtwpPoolTagFilter[edx]
		lea	ecx, ds:10h[eax*4]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		cmp	ecx, ebx
		ja	short loc_9F3811
		mov	[ebp+ms_exc.disabled], 0Ch
		movzx	eax, _EtwpPoolTagFilter[edx]
		shl	eax, 2
		push	eax		; size_t
		lea	eax, dword_6BC264[edx]
		push	eax		; void *
		push	[ebp+var_4C]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], esi
		jmp	short loc_9F3791
; 

loc_9F37F4:				; DATA XREF: .text:006A9F2Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_64], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F3802:				; DATA XREF: .text:006A9F30o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_64]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9F3791
; 

loc_9F3811:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+595j
		mov	edi, 0C0000023h
		jmp	loc_9F3791
; 

loc_9F381B:				; DATA XREF: .text:006A9F20o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_68], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F3829:				; DATA XREF: .text:006A9F24o
		mov	eax, [ebp+var_68]

loc_9F382C:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+ACj
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+182j ...
		mov	esp, [ebp+ms_exc.old_esp]
		jmp	loc_9F38D6
; 

loc_9F3834:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_9F39C0o
		cmp	ebx, 8		; case 0x8
		jb	loc_9F390E
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_9F3850

loc_9F3846:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+4D8j
		mov	eax, 0C0000022h
		jmp	loc_9F39AC
; 

loc_9F3850:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+610j
		lea	eax, [ebx-4]
		shr	eax, 2
		mov	[ebp+var_24], eax
		xor	ecx, ecx
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	edi, [ebp+var_28]

loc_9F3863:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+67Fj
		mov	ebx, eax
		mov	[ebp+arg_0], ebx
		test	ebx, ebx
		jz	short loc_9F38E2
		push	ebx
		call	_PsIsSystemProcess@4 ; PsIsSystemProcess(x)
		test	al, al
		jnz	short loc_9F38AC
		cmp	edi, 9
		jz	short loc_9F3886
		mov	ecx, ebx
		call	_EtwpUMGLEnabled@8 ; EtwpUMGLEnabled(x,x)
		test	al, al
		jz	short loc_9F38AC

loc_9F3886:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+645j
		push	ebx
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	ecx, eax
		mov	eax, [ebp+var_20]
		cmp	eax, [ebp+var_24]
		jnb	short loc_9F38A8
		mov	[ebp+ms_exc.disabled], 0Dh
		mov	[esi+eax*4+4], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9F38A8:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+660j
		inc	eax
		mov	[ebp+var_20], eax

loc_9F38AC:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+640j
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+650j
		mov	ecx, ebx
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		jmp	short loc_9F3863
; 

loc_9F38B5:				; DATA XREF: .text:006A9F38o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_6C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F38C3:				; DATA XREF: .text:006A9F3Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edx, 6E457350h
		mov	ecx, [ebp+arg_0]
		call	ObfDereferenceObjectWithTag
		mov	eax, [ebp+var_6C]

loc_9F38D6:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+5FBj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_9F39AC
; 

loc_9F38E2:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+636j
		mov	edx, [ebp+var_20]
		lea	ecx, ds:4[edx*4]
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		cmp	[ebp+var_24], edx
		sbb	edi, edi
		and	edi, 0C0000023h
		jmp	loc_9F37A0
; 

loc_9F3901:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_9F39C0o
		xor	eax, eax	; case 0xD
		mov	[ebp+var_28], eax
		mov	[ebp+var_20], eax
		cmp	ebx, 28h
		jnb	short loc_9F3918

loc_9F390E:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+7Bj
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+BBj ...
		mov	eax, 0C0000004h
		jmp	loc_9F39AC
; 

loc_9F3918:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+6D8j
		add	ebx, 0FFFFFFF8h
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	1
		push	[ebp+arg_0]
		lea	ecx, [esi+8]
		mov	edx, ebx
		call	ExLockUserBuffer
		test	eax, eax
		js	short loc_9F39AC
		push	[ebp+arg_4]
		push	[ebp+var_20]
		push	ebx
		push	14h
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		mov	edi, eax
		cmp	[ebp+var_20], 0
		jz	loc_9F37A0
		mov	ecx, [ebp+var_28]
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)
		jmp	loc_9F37A0
; 

loc_9F395E:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+5Bj
		push	[ebp+arg_4]
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpGetSoftRestartInformation@12 ; EtwpGetSoftRestartInformation(x,x,x)
		jmp	short loc_9F398A
; 

loc_9F396C:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+55j
		cmp	eax, 19h
		jz	short loc_9F397B

loc_9F3971:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+64j
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+6Aj
					; DATA XREF: ...
		mov	edi, 0C0000002h	; default
		jmp	loc_9F37A0
; 

loc_9F397B:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+73Bj
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpQueryCoverageSamplerInformation@16	; EtwpQueryCoverageSamplerInformation(x,x,x,x)

loc_9F398A:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+736j
		mov	edi, eax
		jmp	loc_9F37A0
; 

loc_9F3991:				; DATA XREF: .text:006A9E9Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_70], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F399F:				; DATA XREF: .text:006A9EA0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_70]

loc_9F39AC:				; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+2Aj
					; EtwQueryPerformanceTraceInformation(x,x,x,x)+56Ej ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_EtwQueryPerformanceTraceInformation@16	endp

; 
		align 10h
off_9F39C0	dd offset loc_9F32A5	; DATA XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+6Ar
		dd offset loc_9F32E5	; jump table for switch	statement
		dd offset loc_9F33BB
		dd offset loc_9F342D
		dd offset loc_9F3467
		dd offset loc_9F3527
		dd offset loc_9F35D0
		dd offset loc_9F3586
		dd offset loc_9F3834
		dd offset loc_9F3834
		dd offset loc_9F36F6
		dd offset loc_9F3971
		dd offset loc_9F3971
		dd offset loc_9F3901

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwSetPerformanceTraceInformation(x, x, x)
_EtwSetPerformanceTraceInformation@12 proc near	; CODE XREF: PAGE:007B42D8p

var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7F		= byte ptr -7Fh
var_7E		= byte ptr -7Eh
var_7D		= byte ptr -7Dh
var_7C		= dword	ptr -7Ch
var_75		= byte ptr -75h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_40		= dword	ptr -40h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

		push	0E4h
		push	offset dword_6A9DD0
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	[ebp+var_7C], esi
		mov	ebx, ecx
		push	4
		pop	eax
		cmp	esi, eax
		jb	loc_9F3AD1
		xor	edi, edi
		mov	[ebp+ms_exc.disabled], edi
		mov	eax, [ebx]
		mov	[ebp+var_68], eax
		mov	[ebp+var_D0], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edx, [eax+1F0h]
		mov	[ebp+var_6C], edx
		mov	eax, [ebp+var_68]
		dec	eax
		cmp	eax, 18h
		ja	loc_9F45B0
		movzx	eax, ds:byte_9F4624[eax]
		jmp	ds:off_9F45E4[eax*4]

loc_9F3A59:				; DATA XREF: PAGE:off_9F45E4o
		cmp	esi, 30h
		jnz	loc_9F44D4
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebx+8]
		mov	[ebp+var_68], eax
		mov	[ebp+var_74], eax
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_70], eax
		lea	esi, [ebx+10h]
		push	8
		pop	ecx
		lea	edi, [ebp+var_64]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_68]
		movzx	esi, ax
		cmp	esi, 0FFFFh
		jnz	short loc_9F3A9F
		movzx	esi, byte ptr [edx+914h]

loc_9F3A9F:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+9Ej
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	edx, esi
		mov	ecx, [ebp+var_6C]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jz	loc_9F437B
		mov	ecx, edi
		test	dword ptr [edi+0Ch], 2000000h
		jnz	short loc_9F3AE8

loc_9F3AC5:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+7C9j
		mov	dl, 1
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9F3AD1:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+1Bj
					; EtwSetPerformanceTraceInformation(x,x,x)+214j ...
		mov	eax, 0C000000Dh

loc_9F3AD6:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+1BBj
					; EtwSetPerformanceTraceInformation(x,x,x)+1E2j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_9F3AE8:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+CBj
		mov	edx, 80h
		call	EtwpCheckSystemTraceAccess
		mov	esi, eax
		test	esi, esi
		js	short loc_9F3B04
		lea	edx, [ebp+var_64]
		mov	ecx, edi
		call	EtwpUpdateGroupMasks

loc_9F3B02:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+42Fj
					; EtwSetPerformanceTraceInformation(x,x,x)+709j ...
		mov	esi, eax

loc_9F3B04:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+FEj
					; EtwSetPerformanceTraceInformation(x,x,x)+41Fj ...
		mov	ecx, edi

loc_9F3B06:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+399j
		mov	dl, 1
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_9F3B0D:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+3A3j
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_9F45B5
; 

loc_9F3B17:				; DATA XREF: .text:006A9DF0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_84], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F3B28:				; DATA XREF: .text:006A9DF4o
		mov	eax, [ebp+var_84]
		jmp	short loc_9F3BA9
; 

loc_9F3B30:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: PAGE:009F45E8o
		cmp	esi, 8
		jnz	loc_9F44D4
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_9F442C
		mov	[ebp+ms_exc.disabled], 2
		mov	esi, [ebx+4]
		mov	[ebp+var_68], esi
		mov	[ebp+var_D4], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		mov	edi, offset _EtwpGroupMaskMutex
		push	edi
		call	KeWaitForSingleObject
		push	ebx
		push	esi
		call	_NtSetIntervalProfile@8	; NtSetIntervalProfile(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9F3B86
		mov	eax, [ebp+var_68]
		mov	_EtwpProfileInterval, eax

loc_9F3B86:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+184j
					; EtwSetPerformanceTraceInformation(x,x,x)+2A0j ...
		push	ebx
		push	edi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		jmp	loc_9F45B5
; 

loc_9F3B92:				; DATA XREF: .text:006A9DFCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_88], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F3BA3:				; DATA XREF: .text:006A9E00o
		mov	eax, [ebp+var_88]

loc_9F3BA9:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+136j
					; EtwSetPerformanceTraceInformation(x,x,x)+2BCj ...
		mov	esp, [ebp+ms_exc.old_esp]

loc_9F3BAC:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+583j
					; EtwSetPerformanceTraceInformation(x,x,x)+AD2j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_9F3AD6
; 

loc_9F3BB8:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: PAGE:009F45ECo
		cmp	esi, 10h
		jz	short loc_9F3BC6
		cmp	esi, 14h
		jnz	loc_9F44D4

loc_9F3BC6:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+1C3j
		push	edi
		mov	edx, 80h
		mov	ecx, offset _SystemTraceControlGuid
		call	_EtwpCheckGuidAccess@12	; EtwpCheckGuidAccess(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F3AD6
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_9F442C
		mov	[ebp+ms_exc.disabled], 3
		mov	eax, [ebx+4]
		mov	[ebp+var_6C], eax
		mov	[ebp+var_D8], eax
		cmp	eax, 1
		jnb	short loc_9F3C11

loc_9F3C05:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+22Aj
					; EtwSetPerformanceTraceInformation(x,x,x)+23Bj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_9F3AD1
; 

loc_9F3C11:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+20Bj
		mov	eax, [ebx+8]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_DC], eax
		cmp	eax, 3E8h
		jb	short loc_9F3C05
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_70], eax
		mov	[ebp+var_E0], eax
		cmp	eax, 1
		jb	short loc_9F3C05
		mov	eax, ds:_EtwpSpinLockHoldThreshold
		mov	[ebp+var_68], eax
		mov	[ebp+var_8C], eax
		cmp	[ebp+var_7C], 14h
		jnz	short loc_9F3C60
		mov	eax, [ebx+10h]
		mov	[ebp+var_68], eax
		mov	[ebp+var_8C], eax
		cmp	eax, 0F4240h
		jnb	short loc_9F3C60
		test	eax, eax
		jnz	short loc_9F3C05

loc_9F3C60:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+24Fj
					; EtwSetPerformanceTraceInformation(x,x,x)+262j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		mov	edi, offset _EtwpGroupMaskMutex
		push	edi
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_68]
		mov	ds:_EtwpSpinLockHoldThreshold, eax
		mov	eax, [ebp+var_6C]
		mov	ds:_EtwpSpinLockSpinThreshold, eax
		mov	eax, [ebp+var_2C]
		mov	ds:_EtwpSpinLockAcquireSampleRate, eax
		mov	eax, [ebp+var_70]
		mov	ds:_EtwpSpinLockContentionSampleRate, eax
		jmp	loc_9F3B86
; 

loc_9F3C9D:				; DATA XREF: .text:006A9E08o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_90], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F3CAE:				; DATA XREF: .text:006A9E0Co
		mov	eax, [ebp+var_90]
		jmp	loc_9F3BA9
; 

loc_9F3CB9:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: PAGE:009F45F0o
		cmp	esi, 10h
		jb	loc_9F44D4
		lea	eax, [esi-10h]
		test	al, 3
		jnz	loc_9F3AD1
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		mov	edi, [ebp+var_68]
		test	al, al
		jz	short loc_9F3CEB
		cmp	edi, 0Eh
		jz	loc_9F442C
		cmp	edi, 0Fh
		jz	loc_9F442C

loc_9F3CEB:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+2DFj
		lea	eax, [esi-10h]
		shr	eax, 2
		mov	[ebp+var_7C], eax
		lea	eax, [ebx+10h]
		mov	[ebp+var_68], eax
		push	4
		pop	eax
		mov	[ebp+ms_exc.disabled], eax
		mov	ecx, [ebx+8]
		mov	[ebp+var_74], ecx
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_70], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		movzx	ebx, cx
		mov	esi, [ebp+var_6C]
		cmp	ebx, 0FFFFh
		jnz	short loc_9F3D28
		movzx	ebx, byte ptr [esi+914h]

loc_9F3D28:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+327j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	edx, ebx
		mov	ecx, esi
		call	EtwpAcquireLoggerContextByLoggerId
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_9F3D96
		mov	edx, ebx
		mov	ecx, 80h
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9F3D8F
		push	[ebp+var_7C]
		mov	edx, [ebp+var_68]
		mov	ecx, ebx
		cmp	edi, 6
		jnz	short loc_9F3D64
		call	_EtwpUpdateStackTracing@12 ; EtwpUpdateStackTracing(x,x,x)
		jmp	short loc_9F3D8D
; 

loc_9F3D64:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+363j
		cmp	edi, 0Fh
		jnz	short loc_9F3D70
		call	_EtwpUpdatePmcCounters@12 ; EtwpUpdatePmcCounters(x,x,x)
		jmp	short loc_9F3D8D
; 

loc_9F3D70:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+36Fj
		cmp	edi, 0Eh
		jnz	short loc_9F3D7C
		call	_EtwpUpdatePmcEvents@12	; EtwpUpdatePmcEvents(x,x,x)
		jmp	short loc_9F3D8D
; 

loc_9F3D7C:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+37Bj
		cmp	edi, 14h
		jnz	short loc_9F3D88
		call	_EtwpUpdateLastBranchTracingEvents@12 ;	EtwpUpdateLastBranchTracingEvents(x,x,x)
		jmp	short loc_9F3D8F
; 

loc_9F3D88:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+387j
		call	_EtwpUpdateProcessorTraceEvents@12 ; EtwpUpdateProcessorTraceEvents(x,x,x)

loc_9F3D8D:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+36Aj
					; EtwSetPerformanceTraceInformation(x,x,x)+376j ...
		mov	esi, eax

loc_9F3D8F:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+356j
					; EtwSetPerformanceTraceInformation(x,x,x)+38Ej
		mov	ecx, ebx
		jmp	loc_9F3B06
; 

loc_9F3D96:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+344j
					; EtwSetPerformanceTraceInformation(x,x,x)+40Dj ...
		mov	esi, 0C0000296h
		jmp	loc_9F3B0D
; 

loc_9F3DA0:				; DATA XREF: .text:006A9E14o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_94], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F3DB1:				; DATA XREF: .text:006A9E18o
		mov	eax, [ebp+var_94]
		jmp	loc_9F3BA9
; 

loc_9F3DBC:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: PAGE:009F460Co
		cmp	esi, 18h
		jb	loc_9F44D4
		mov	[ebp+ms_exc.disabled], 5
		push	6
		pop	ecx
		mov	esi, ebx
		lea	edi, [ebp+var_5C]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		movzx	esi, word ptr [ebp+var_54]
		cmp	esi, 0FFFFh
		jnz	short loc_9F3DF0
		movzx	esi, byte ptr [edx+914h]

loc_9F3DF0:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+3EFj
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	edx, esi
		mov	ecx, [ebp+var_6C]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jz	short loc_9F3D96
		mov	edx, edi
		mov	ecx, 80h
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F3B04
		lea	edx, [ebp+var_5C]
		mov	ecx, edi
		call	_EtwpUpdateLastBranchTracingConfiguration@8 ; EtwpUpdateLastBranchTracingConfiguration(x,x)
		jmp	loc_9F3B02
; 

loc_9F3E2C:				; DATA XREF: .text:006A9E20o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_98], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F3E3D:				; DATA XREF: .text:006A9E24o
		mov	eax, [ebp+var_98]
		jmp	loc_9F3BA9
; 

loc_9F3E48:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: PAGE:009F4610o
		cmp	[ebp+arg_0], 0
		jz	short loc_9F3E5B
		call	_EtwpUserInAdminOrLogUsersGroup@0 ; EtwpUserInAdminOrLogUsersGroup()
		test	al, al
		jz	loc_9F442C

loc_9F3E5B:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+454j
		cmp	esi, 24h
		jb	loc_9F44D4
		cmp	byte ptr [ebx+4], 2
		jnz	loc_9F44D4
		cmp	esi, 220h
		ja	loc_9F44D4
		add	esi, 0FFFFFFDEh
		lea	eax, [esi+18h]
		mov	[ebp+var_70], eax
		shr	esi, 1
		push	50777445h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_68], ecx
		test	ecx, ecx
		jz	loc_9F4466
		mov	[ebp+ms_exc.disabled], 6
		push	esi
		lea	eax, [ebx+22h]
		push	eax
		push	esi
		lea	eax, [ecx+18h]
		push	eax
		call	_wcsncpy_s
		add	esp, 10h
		lea	esi, [ebx+10h]
		lea	edi, [ebp+var_34]
		movsd
		movsd
		movsd
		mov	eax, [ebx+1Ch]
		mov	edi, [ebp+var_68]
		mov	[edi+8], eax
		mov	al, [ebx+20h]
		mov	[ebp+var_75], al
		mov	[ebp+var_7D], al
		call	KiGetCpuVendor
		cmp	eax, 1
		jnz	short loc_9F3F02
		mov	al, [ebx+8]
		mov	[edi], al
		mov	al, [ebx+9]
		mov	[edi+1], al
		mov	al, [ebx+0Ah]
		mov	[edi+2], al
		mov	al, [ebx+0Bh]
		mov	[edi+3], al
		mov	al, [ebx+0Ch]
		mov	[edi+4], al
		mov	al, [ebx+0Dh]
		mov	[edi+5], al
		jmp	short loc_9F3F12
; 

loc_9F3F02:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+4E3j
		cmp	eax, 2
		jnz	short loc_9F3F12
		mov	al, [ebx+8]
		mov	[edi], al
		mov	al, [ebx+9]
		mov	[edi+1], al

loc_9F3F12:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+508j
					; EtwSetPerformanceTraceInformation(x,x,x)+50Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	edx, [edi+0Ch]
		lea	ecx, [ebp+var_34]
		call	_EtwpGetMicroarchitecturalPmcAffinity@8	; EtwpGetMicroarchitecturalPmcAffinity(x,x)
		push	edi
		push	[ebp+var_70]
		push	14h
		call	off_6B2BC8	; xHalSetSystemInformation(x,x,x)
		mov	esi, eax
		cmp	[ebp+var_75], 0
		jz	short loc_9F3F44
		lea	edx, [ebp+var_34]
		mov	ecx, edi
		call	_EtwpAddMicroarchitecturalPmcToRegistry@8 ; EtwpAddMicroarchitecturalPmcToRegistry(x,x)
		mov	esi, eax

loc_9F3F44:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+53Ej
		push	50777445h

loc_9F3F49:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+679j
		push	edi

loc_9F3F4A:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+AA9j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_9F45B5
; 

loc_9F3F54:				; DATA XREF: .text:006A9E2Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_9C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F3F65:				; DATA XREF: .text:006A9E30o
		mov	esp, [ebp+ms_exc.old_esp]
		push	50777445h
		push	[ebp+var_68]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_9C]
		jmp	loc_9F3BAC
; 

loc_9F3F80:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: PAGE:009F4614o
		xor	eax, eax
		lea	edi, [ebp+var_CC]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_54]
		stosd
		stosd
		stosd
		stosd
		and	[ebp+var_70], 0
		cmp	[ebp+arg_0], 0
		jz	short loc_9F3FAC
		call	_EtwpUserInAdminOrLogUsersGroup@0 ; EtwpUserInAdminOrLogUsersGroup()
		test	al, al
		jz	loc_9F442C

loc_9F3FAC:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5A5j
		cmp	esi, 14h
		jnz	loc_9F44D4
		mov	[ebp+ms_exc.disabled], 7
		lea	esi, [ebx+8]
		lea	edi, [ebp+var_40]
		movsd
		movsd
		movsd
		mov	eax, [ebx+4]
		mov	[ebp+var_CC], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [ebp+var_70]
		push	eax
		lea	eax, [ebp+var_CC]
		push	eax
		push	10h
		push	1
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F45B5
		mov	eax, [ebp+var_CC]
		mov	[ebp+var_54], eax
		lea	edx, [ebp+var_50]
		lea	ecx, [ebp+var_40]
		call	_EtwpGetMicroarchitecturalPmcAffinity@8	; EtwpGetMicroarchitecturalPmcAffinity(x,x)
		push	0FFh
		push	[ebp+var_C0]
		call	_wcsnlen
		pop	ecx
		pop	ecx
		mov	edi, eax
		mov	ebx, 50777445h
		push	ebx
		lea	ecx, ds:2[edi*2]
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_9F4466
		push	edi
		push	[ebp+var_C0]
		lea	ecx, [edi+1]
		push	ecx
		push	eax
		call	_wcsncpy_s
		add	esp, 10h
		lea	eax, [ebp+var_54]
		push	eax
		push	10h
		push	15h
		call	off_6B2BC8	; xHalSetSystemInformation(x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_40]
		push	eax		; void *
		mov	edx, edi
		mov	edi, [ebp+var_2C]
		mov	ecx, edi
		call	_EtwpRemoveMicroarchitecturalPmcFromRegistry@12	; EtwpRemoveMicroarchitecturalPmcFromRegistry(x,x,x)
		push	ebx
		jmp	loc_9F3F49
; 

loc_9F4076:				; DATA XREF: .text:006A9E38o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_A0], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F4087:				; DATA XREF: .text:006A9E3Co
		mov	eax, [ebp+var_A0]
		jmp	loc_9F3BA9
; 

loc_9F4092:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: PAGE:009F4618o
		cmp	esi, 18h
		jb	loc_9F44D4
		mov	[ebp+ms_exc.disabled], 8
		push	6
		pop	ecx
		mov	esi, ebx
		lea	edi, [ebp+var_5C]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		movzx	esi, word ptr [ebp+var_54]
		cmp	esi, 0FFFFh
		jnz	short loc_9F40C6
		movzx	esi, byte ptr [edx+914h]

loc_9F40C6:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+6C5j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	edx, esi
		mov	ecx, [ebp+var_6C]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jz	loc_9F3D96
		mov	edx, edi
		mov	ecx, 80h
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F3B04
		lea	edx, [ebp+var_5C]
		mov	ecx, edi
		call	_EtwpUpdateProcessorTraceConfiguration@8 ; EtwpUpdateProcessorTraceConfiguration(x,x)
		jmp	loc_9F3B02
; 

loc_9F4106:				; DATA XREF: .text:006A9E44o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_B8], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F4117:				; DATA XREF: .text:006A9E48o
		mov	eax, [ebp+var_B8]
		jmp	loc_9F3BA9
; 

loc_9F4122:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: PAGE:009F45F8o
		cmp	esi, 10h
		jb	loc_9F44D4
		lea	eax, [esi-10h]
		test	al, 3
		jnz	loc_9F3AD1
		shr	eax, 2
		movzx	esi, ax
		mov	[ebp+var_70], esi
		push	4
		pop	eax
		cmp	si, ax
		ja	loc_9F3AD1
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_9F442C
		mov	[ebp+ms_exc.disabled], 9
		mov	edi, [ebx+8]
		mov	[ebp+var_34], edi
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_30], eax
		movzx	eax, si
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [ebx+10h]
		push	eax		; void *
		lea	eax, [ebp+var_54]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		movzx	edi, di
		mov	esi, [ebp+var_6C]
		cmp	edi, 0FFFFh
		jnz	short loc_9F419E
		movzx	edi, byte ptr [esi+914h]

loc_9F419E:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+79Dj
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	edx, edi
		mov	ecx, esi
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jz	loc_9F437B
		mov	ecx, edi
		test	dword ptr [edi+0Ch], 2000000h
		jz	loc_9F3AC5
		mov	edx, 80h
		call	EtwpCheckSystemTraceAccess
		mov	esi, eax
		test	esi, esi
		js	loc_9F3B04
		movzx	eax, byte ptr [edi+25Ah]
		imul	ecx, eax, 14h
		cmp	[ebp+var_68], 0Ah
		mov	eax, offset _EtwpPoolTagFilter
		jz	short loc_9F41F5
		mov	eax, offset _EtwpObjectTypeFilter

loc_9F41F5:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+7F6j
		add	eax, ecx
		push	eax
		mov	edx, [ebp+var_70]
		lea	ecx, [ebp+var_54]
		call	EtwpUpdateTagFilter
		jmp	loc_9F3B04
; 

loc_9F4208:				; DATA XREF: .text:006A9E50o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_BC], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F4219:				; DATA XREF: .text:006A9E54o
		mov	eax, [ebp+var_BC]
		jmp	loc_9F3BA9
; 

loc_9F4224:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: PAGE:009F45F4o
		cmp	esi, 10h
		jnz	loc_9F44D4
		push	edi
		lea	edx, [esi+70h]
		mov	ecx, offset _SystemTraceControlGuid
		call	_EtwpCheckGuidAccess@12	; EtwpCheckGuidAccess(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F3AD6
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_9F442C
		mov	[ebp+ms_exc.disabled], 0Ah
		mov	eax, [ebx+4]
		mov	[ebp+var_70], eax
		mov	[ebp+var_E4], eax
		mov	eax, [ebx+8]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_E8], eax
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_68], eax
		mov	[ebp+var_EC], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		mov	edi, offset _EtwpGroupMaskMutex
		push	edi
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_70]
		mov	_EtwpExecutiveResourceReleaseSampleRate, eax
		mov	eax, [ebp+var_2C]
		mov	_EtwpExecutiveResourceContentionSampleRate, eax
		mov	eax, [ebp+var_68]
		mov	_EtwpExecutiveResourceTimeout, eax
		jmp	loc_9F3B86
; 

loc_9F42B2:				; DATA XREF: .text:006A9E5Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_A4], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F42C3:				; DATA XREF: .text:006A9E60o
		mov	eax, [ebp+var_A4]
		jmp	loc_9F3BA9
; 

loc_9F42CE:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: PAGE:009F45FCo
		cmp	esi, 10h
		jb	loc_9F44D4
		lea	ecx, [esi-10h]
		test	cl, 3
		jnz	loc_9F3AD1
		shr	ecx, 2
		cmp	ecx, 1
		ja	loc_9F3AD1
		mov	[ebp+ms_exc.disabled], 0Bh
		mov	esi, [ebx+8]
		mov	[ebp+var_74], esi
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_70], eax
		test	ecx, ecx
		jz	short loc_9F431A
		cmp	dword ptr [ebx+10h], 524h
		jnz	loc_9F3C05
		mov	bl, 1
		mov	[ebp+var_7E], bl
		jmp	short loc_9F431C
; 

loc_9F431A:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+90Cj
		xor	ebx, ebx

loc_9F431C:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+920j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	dword ptr [ebp+arg_0]
		push	ds:dword_A94C9C
		push	ds:_SeSystemProfilePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jz	loc_9F4419
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_9F442C
		movzx	esi, si
		cmp	esi, 0FFFFh
		jnz	short loc_9F4361
		mov	esi, [ebp+var_6C]
		movzx	esi, byte ptr [esi+914h]

loc_9F4361:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+95Dj
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	edx, esi
		mov	ecx, ds:_EtwpHostSiloState
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9F438A

loc_9F437B:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+BCj
					; EtwSetPerformanceTraceInformation(x,x,x)+7BAj
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, 0C0000296h
		jmp	loc_9F3AD6
; 

loc_9F438A:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+981j
		mov	edx, edi
		mov	ecx, 80h
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F3B04
		lea	eax, [edi+258h]
		test	bl, bl
		jz	short loc_9F43B7
		mov	ecx, 400h
		lock or	[eax], ecx
		jmp	loc_9F3B04
; 

loc_9F43B7:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+9B0j
		mov	ecx, 0FFFFFBFFh
		lock and [eax],	ecx
		jmp	loc_9F3B04
; 

loc_9F43C4:				; DATA XREF: .text:006A9E68o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_A8], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F43D5:				; DATA XREF: .text:006A9E6Co
		mov	eax, [ebp+var_A8]
		jmp	loc_9F3BA9
; 

loc_9F43E0:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: PAGE:009F4600o
		cmp	esi, 10h
		jb	loc_9F44D4
		push	edi
		mov	edx, 80h
		mov	ecx, offset _SystemTraceControlGuid
		call	_EtwpCheckGuidAccess@12	; EtwpCheckGuidAccess(x,x,x)
		test	eax, eax
		js	loc_9F3AD6
		push	dword ptr [ebp+arg_0]
		push	ds:dword_A94C9C
		push	ds:_SeSystemProfilePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_9F4423

loc_9F4419:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+941j
		mov	eax, 0C0000061h
		jmp	loc_9F3AD6
; 

loc_9F4423:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+A1Fj
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_9F4436

loc_9F442C:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+148j
					; EtwSetPerformanceTraceInformation(x,x,x)+1EFj ...
		mov	eax, 0C0000022h
		jmp	loc_9F3AD6
; 

loc_9F4436:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+A32j
		add	esi, 0FFFFFFF0h
		shr	esi, 2
		cmp	esi, ds:_EtwpMaxProfilingSources
		ja	loc_9F3AD1
		mov	eax, esi
		shl	eax, 2
		push	58777445h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_68], ecx
		test	ecx, ecx
		jnz	short loc_9F4470

loc_9F4466:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+4A1j
					; EtwSetPerformanceTraceInformation(x,x,x)+63Ej
		mov	eax, 0C0000017h
		jmp	loc_9F3AD6
; 

loc_9F4470:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+A6Cj
		mov	[ebp+ms_exc.disabled], 0Ch
		mov	eax, esi
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [ebx+10h]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, esi
		mov	ebx, [ebp+var_68]
		mov	ecx, ebx
		call	_EtwpSetPmcProfileSource@8 ; EtwpSetPmcProfileSource(x,x)
		mov	esi, eax
		push	edi
		push	ebx
		jmp	loc_9F3F4A
; 

loc_9F44A6:				; DATA XREF: .text:006A9E74o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_AC], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F44B7:				; DATA XREF: .text:006A9E78o
		mov	esp, [ebp+ms_exc.old_esp]
		push	0
		push	[ebp+var_68]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_AC]
		jmp	loc_9F3BAC
; 

loc_9F44CF:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: PAGE:009F4604o
		cmp	esi, 20h
		jz	short loc_9F44DE

loc_9F44D4:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+64j
					; EtwSetPerformanceTraceInformation(x,x,x)+13Bj ...
		mov	eax, 0C0000004h
		jmp	loc_9F3AD6
; 

loc_9F44DE:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+ADAj
		mov	[ebp+ms_exc.disabled], 0Dh
		mov	ecx, [ebx+8]
		mov	[ebp+var_74], ecx
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_70], eax
		mov	eax, [ebx+14h]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_F0], eax
		mov	eax, [ebx+18h]
		mov	[ebp+var_70], eax
		mov	[ebp+var_F4], eax
		mov	al, [ebx+10h]
		mov	[ebp+var_7F], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	al, al
		jnz	short loc_9F4524
		mov	eax, 0C00000BBh
		jmp	loc_9F3AD6
; 

loc_9F4524:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+B20j
		movzx	esi, cx
		cmp	esi, 0FFFFh
		jnz	short loc_9F4536
		movzx	esi, byte ptr [edx+914h]

loc_9F4536:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+B35j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		mov	edx, esi
		mov	ecx, [ebp+var_6C]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jz	loc_9F3D96
		mov	edx, edi
		mov	ecx, 80h
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F3B04
		push	[ebp+var_70]
		mov	edx, [ebp+var_2C]
		mov	ecx, edi
		call	_EtwpEnableStackCaching@12 ; EtwpEnableStackCaching(x,x,x)
		jmp	loc_9F3B02
; 

loc_9F4579:				; DATA XREF: .text:006A9E80o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_B0], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F458A:				; DATA XREF: .text:006A9E84o
		mov	eax, [ebp+var_B0]
		jmp	loc_9F3BA9
; 

loc_9F4595:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: PAGE:009F4608o
		mov	edx, esi
		mov	ecx, ebx
		call	_EtwpSetSoftRestartInformation@8 ; EtwpSetSoftRestartInformation(x,x)

loc_9F459E:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+BB6j
		mov	esi, eax
		jmp	short loc_9F45B5
; 

loc_9F45A2:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: PAGE:009F461Co
		push	dword ptr [ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		call	_EtwpSetCoverageSamplerInformation@12 ;	EtwpSetCoverageSamplerInformation(x,x,x)
		jmp	short loc_9F459E
; 

loc_9F45B0:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+4Dj
					; EtwSetPerformanceTraceInformation(x,x,x)+5Aj
					; DATA XREF: ...
		mov	esi, 0C0000002h

loc_9F45B5:				; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+11Aj
					; EtwSetPerformanceTraceInformation(x,x,x)+195j ...
		mov	eax, esi
		jmp	loc_9F3AD6
_EtwSetPerformanceTraceInformation@12 endp


;  S U B	R O U T	I N E 


sub_9F45BC	proc near		; DATA XREF: .text:006A9DE4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-0B4h], eax
		xor	eax, eax
		inc	eax
		retn
sub_9F45BC	endp


;  S U B	R O U T	I N E 


sub_9F45CD	proc near		; DATA XREF: .text:006A9DE8o
		mov	esp, [ebp-18h]
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-0B4h]
		jmp	loc_9F3AD6
sub_9F45CD	endp

; 
		align 4
off_9F45E4	dd offset loc_9F3A59	; DATA XREF: EtwSetPerformanceTraceInformation(x,x,x)+5Ar
		dd offset loc_9F3B30
		dd offset loc_9F3BB8
		dd offset loc_9F3CB9
		dd offset loc_9F4224
		dd offset loc_9F4122
		dd offset loc_9F42CE
		dd offset loc_9F43E0
		dd offset loc_9F44CF
		dd offset loc_9F4595
		dd offset loc_9F3DBC
		dd offset loc_9F3E48
		dd offset loc_9F3F80
		dd offset loc_9F4092
		dd offset loc_9F45A2
		dd offset loc_9F45B0
byte_9F4624	db 0			; DATA XREF: EtwSetPerformanceTraceInformation(x,x,x)+53r
		db 0Fh,	1, 0Fh
		dd 0F040302h, 706050Fh,	803030Fh, 30A0905h, 30D0C0Bh
; 
		push	cs

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAddMicroarchitecturalPmcToPmcGroup(x, x)
_EtwpAddMicroarchitecturalPmcToPmcGroup@8 proc near
					; CODE XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+1D8p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	edx, edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], edx
		lea	esi, [edi+18h]
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		lea	ecx, [esi+2]

loc_9F4660:				; CODE XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+2Cj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_9F4660
		sub	esi, ecx
		sar	esi, 1
		cmp	esi, 0FFh
		jb	short loc_9F4681
		mov	eax, 0C0000004h
		jmp	loc_9F48A0
; 

loc_9F4681:				; CODE XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+38j
		mov	esi, ebx
		lea	ecx, [esi+2]

loc_9F4686:				; CODE XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+52j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_9F4686
		sub	esi, ecx
		sar	esi, 1
		push	50777445h
		lea	esi, ds:200h[esi*2]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		lea	ecx, [edi+18h]
		mov	[ebp+var_C], eax
		push	ecx
		push	ebx		; char
		push	offset ??_C@_1BA@NPEHGALP@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	esi		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		lea	eax, [ebp+var_14]
		push	[ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ebx, ebx
		mov	[ebp+var_2C], 18h
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	ebx
		push	eax
		push	20006h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], 240h
		push	eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F4891
		push	offset ??_C@_1BC@KKEAFNKD@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAv?$AAa?$AAl@NNGAKEGL@ ; "Interval"
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [edi+8]
		push	eax
		push	4
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F4891
		call	KiGetCpuVendor
		mov	ebx, eax
		cmp	ebx, 1
		jz	short loc_9F4749
		cmp	ebx, 2
		jnz	short loc_9F4787

loc_9F4749:				; CODE XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+105j
		movzx	eax, byte ptr [edi]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_14]
		push	offset ??_C@_1M@JJBFPLJB@?$AAE?$AAv?$AAe?$AAn?$AAt@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F4891
		cmp	ebx, 1
		jz	short loc_9F4791
		cmp	ebx, 2
		jz	short loc_9F4791

loc_9F4787:				; CODE XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+10Aj
		mov	esi, 0C0000002h
		jmp	loc_9F4891
; 

loc_9F4791:				; CODE XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+143j
					; EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+148j
		movzx	eax, byte ptr [edi+1]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_14]
		push	offset ??_C@_19ENIPABFF@?$AAU?$AAn?$AAi?$AAt@NNGAKEGL@ ; "Unit"
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F4891
		cmp	ebx, 1
		jnz	loc_9F4891
		movzx	eax, byte ptr [edi+2]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_14]
		push	offset ??_C@_1M@NFEDHPMI@?$AAC?$AAM?$AAa?$AAs?$AAk@NNGAKEGL@ ; "CMask"
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		push	eax
		push	4
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F4891
		movzx	eax, byte ptr [edi+3]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_14]
		push	offset ??_C@_1BI@PPAIMHKI@?$AAC?$AAM?$AAa?$AAs?$AAk?$AAI?$AAn?$AAv?$AAe?$AAr?$AAt@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9F4891
		movzx	eax, byte ptr [edi+4]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_14]
		push	offset ??_C@_1BE@FBOMIBJN@?$AAA?$AAn?$AAy?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd@NNGAKEGL@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9F4891
		movzx	eax, byte ptr [edi+5]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_14]
		push	offset ??_C@_1BG@BHHFLBAJ@?$AAE?$AAd?$AAg?$AAe?$AAD?$AAe?$AAt?$AAe?$AAc?$AAt@NNGAKEGL@ ; "E"
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax

loc_9F4891:				; CODE XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+C8j
					; EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+F5j ...
		push	50777445h
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_9F48A0:				; CODE XREF: EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpAddMicroarchitecturalPmcToPmcGroup@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAddMicroarchitecturalPmcToRegistry(x, x)
_EtwpAddMicroarchitecturalPmcToRegistry@8 proc near
					; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+545p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+50h+var_2C], ecx
		lea	edi, [esp+50h+var_28]
		push	6
		xor	esi, esi
		mov	[esp+54h+var_10], offset ??_C@_1O@KGHEAOHP@?$AAF?$AAa?$AAm?$AAi?$AAl?$AAy@NNGAKEGL@ ; "Family"
		pop	ecx
		xor	eax, eax
		mov	[esp+50h+var_40], esi
		rep stosd
		mov	ebx, edx
		mov	[esp+50h+var_38], esi
		mov	[esp+50h+var_34], esi
		mov	[esp+50h+var_C], offset	??_C@_1M@HHGCKIGA@?$AAM?$AAo?$AAd?$AAe?$AAl@NNGAKEGL@ ;	"Model"
		mov	[esp+50h+var_8], offset	??_C@_1BC@GMMNMBBO@?$AAS?$AAt?$AAe?$AAp?$AAp?$AAi?$AAn?$AAg@NNGAKEGL@
		call	KiGetCpuVendor
		mov	ecx, offset ??_C@_1IK@FCPDDGMM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		mov	[esp+50h+var_3C], eax
		lea	edx, [ecx+2]

loc_9F4906:				; CODE XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+6Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_9F4906
		sub	ecx, edx
		sar	ecx, 1
		push	50777445h
		lea	esi, ds:202h[ecx*2]
		push	esi
		push	1
		mov	[esp+5Ch+var_44], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+50h+var_30], edi
		test	edi, edi
		jnz	short loc_9F4941
		mov	eax, 0C0000017h
		jmp	loc_9F4A8F
; 

loc_9F4941:				; CODE XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+90j
		mov	edx, [esp+50h+var_3C]
		push	edi		; int
		push	esi		; int
		push	ebx		; void *
		call	_EtwpFindMatchingPmcRegistryGroup@20 ; EtwpFindMatchingPmcRegistryGroup(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_9F4A77
		push	[esp+50h+var_3C]
		push	offset ??_C@_1BK@NGNFGMBN@?$AAA?$AAr?$AAc?$AAh?$AAi?$AAt?$AAe?$AAc?$AAt?$AAu?$AAr?$AAe@NNGAKEGL@ ; "Architecture"
		push	offset ??_C@_1IK@FCPDDGMM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; char
		push	offset ??_C@_1BG@FJAHPAA@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs?$AA?3?$AA?$CF?$AAd@NNGAKEGL@ ; wchar_t *
		push	[esp+60h+var_44] ; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 18h
		xor	esi, esi

loc_9F4979:				; CODE XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+F8j
		mov	eax, [ebx+esi*4]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_9F4999
		push	eax
		push	[esp+esi*4+54h+var_10]
		push	edi		; char
		push	offset ??_C@_1BG@HEJOFNII@?$AA?$CF?$AAw?$AAs?$AA?9?$AA?$CF?$AAw?$AAs?$AA?3?$AA?$CF?$AAd@NNGAKEGL@ ; wchar_t *
		push	[esp+60h+var_44] ; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 18h

loc_9F4999:				; CODE XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+DAj
		inc	esi
		cmp	esi, 3
		jb	short loc_9F4979
		push	edi
		lea	eax, [esp+54h+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ecx, ecx
		mov	[esp+50h+var_28], 18h
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [esp+5Ch+var_38]
		mov	[esp+5Ch+var_24], ecx
		mov	[esp+5Ch+var_20], eax
		lea	eax, [esp+5Ch+var_28]
		push	ecx
		push	eax
		push	2001Fh
		lea	eax, [esp+68h+var_40]
		mov	[esp+68h+var_1C], 240h
		push	eax
		mov	[esp+6Ch+var_18], ecx
		mov	[esp+6Ch+var_14], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F4A82
		push	offset ??_C@_1BK@NGNFGMBN@?$AAA?$AAr?$AAc?$AAh?$AAi?$AAt?$AAe?$AAc?$AAt?$AAu?$AAr?$AAe@NNGAKEGL@ ; "Architecture"
		lea	eax, [esp+54h+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [esp+54h+var_3C]
		push	eax
		push	4
		push	0
		lea	eax, [esp+60h+var_38]
		push	eax
		push	[esp+64h+var_40]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		lea	edi, [esp+50h+var_10]
		xor	eax, eax
		sub	edi, ebx
		mov	[esp+50h+var_44], eax

loc_9F4A28:				; CODE XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+1BFj
		cmp	dword ptr [ebx], 0FFFFFFFFh
		jz	short loc_9F4A59
		push	dword ptr [edi+ebx]
		lea	eax, [esp+54h+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		push	ebx
		push	4
		push	0
		lea	eax, [esp+60h+var_38]
		push	eax
		push	[esp+64h+var_40]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9F4A66
		mov	eax, [esp+50h+var_44]

loc_9F4A59:				; CODE XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+186j
		inc	eax
		add	ebx, 4
		mov	[esp+50h+var_44], eax
		cmp	eax, 3
		jb	short loc_9F4A28

loc_9F4A66:				; CODE XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+1AEj
		push	[esp+50h+var_40]
		call	_ZwClose@4	; ZwClose(x)
		mov	edi, [esp+50h+var_30]
		test	esi, esi
		js	short loc_9F4A82

loc_9F4A77:				; CODE XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+ACj
		mov	edx, [esp+50h+var_2C]
		mov	ecx, edi
		call	_EtwpAddMicroarchitecturalPmcToPmcGroup@8 ; EtwpAddMicroarchitecturalPmcToPmcGroup(x,x)

loc_9F4A82:				; CODE XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+147j
					; EtwpAddMicroarchitecturalPmcToRegistry(x,x)+1D0j
		push	50777445h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_9F4A8F:				; CODE XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+97j
		mov	ecx, [esp+50h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_EtwpAddMicroarchitecturalPmcToRegistry@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpAllocatePmcData(x)
_EtwpAllocatePmcData@4 proc near	; CODE XREF: EtwpUpdatePmcCounters(x,x,x)+45p
					; EtwpUpdatePmcEvents(x,x,x)+33p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	0FFFFh
		mov	edi, ecx
		call	KeQueryMaximumProcessorCountEx
		push	58777445h
		lea	ebx, ds:14h[eax*4]
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9F4AD6

loc_9F4ACF:				; CODE XREF: EtwpAllocatePmcData(x)+66j
		mov	eax, 0C0000017h
		jmp	short loc_9F4B11
; 

loc_9F4AD6:				; CODE XREF: EtwpAllocatePmcData(x)+2Cj
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, ds:_EtwpMaxPmcCounter
		add	esp, 0Ch
		shl	eax, 2
		push	58777445h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jnz	short loc_9F4B09
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9F4ACF
; 

loc_9F4B09:				; CODE XREF: EtwpAllocatePmcData(x)+5Dj
		mov	[edi+2BCh], esi
		xor	eax, eax

loc_9F4B11:				; CODE XREF: EtwpAllocatePmcData(x)+33j
		pop	edi
		pop	esi
		pop	ebx
		retn
_EtwpAllocatePmcData@4 endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEventWriteEnableInfo(x,	x, x, x)
_EtwpEventWriteEnableInfo@16 proc near	; CODE XREF: EtwpTracingProvEnableCallback+82D50p
					; EtwpTracingProvEnableCallback+82E33p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	byte ptr [ebp+var_78], dl
		movzx	ecx, dl
		xor	ebx, ebx
		shl	ecx, 5
		push	edi
		lea	eax, [esi+14h]
		mov	[ebp+var_70], ebx
		mov	[ebp+var_74], eax
		xor	edi, edi
		lea	eax, [ebp+var_78]
		mov	[ebp+var_6C], 10h
		mov	[ebp+var_64], eax
		inc	edi
		lea	eax, [esi+66h]
		mov	[ebp+var_68], ebx
		add	eax, ecx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_54], eax
		lea	eax, [esi+70h]
		add	eax, ecx
		mov	[ebp+var_5C], edi
		mov	[ebp+var_44], eax
		lea	eax, [esi+78h]
		add	eax, ecx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_34], eax
		lea	eax, [esi+64h]
		add	eax, ecx
		mov	[ebp+var_50], ebx
		push	8
		mov	[ebp+var_24], eax
		lea	eax, [esi+68h]
		pop	edx
		add	eax, ecx
		mov	[ebp+var_4C], 2
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	ebx
		push	offset _ETW_EVENT_ENABLE_INFO
		push	dword_6BC30C
		mov	[ebp+var_48], ebx
		push	_EtwpEventTracingProvRegHandle
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpEventWriteEnableInfo@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEventWriteGroupJoin(x, x, x, x)
_EtwpEventWriteGroupJoin@16 proc near	; CODE XREF: EtwpAddRegEntryToGroup+EF27Ep

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [edx+10h]
		push	esi
		add	eax, 14h
		xor	esi, esi
		mov	[ebp+var_24], eax
		mov	eax, [edx+14h]
		push	10h
		pop	ecx
		add	eax, 14h
		mov	[ebp+var_20], esi
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	esi
		push	offset _ETW_EVENT_GROUP_JOIN
		push	dword_6BC30C
		mov	[ebp+var_1C], ecx
		push	_EtwpEventTracingProvRegHandle
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpEventWriteGroupJoin@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEventWriteGuidEntry(x, x, x, x)
_EtwpEventWriteGuidEntry@16 proc near	; CODE XREF: EtwpTracingProvEnableCallback+82D21p
					; EtwpTracingProvEnableCallback+82E04p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		lea	eax, [edx+14h]
		mov	[ebp+var_2C], 10h
		mov	[ebp+var_34], eax
		mov	eax, [edx+160h]
		push	esi
		mov	[ebp+var_24], eax
		xor	esi, esi
		lea	eax, [edx+38h]
		mov	[ebp+var_30], esi
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	3
		push	esi
		push	ecx
		push	dword_6BC30C
		mov	[ebp+var_28], esi
		push	_EtwpEventTracingProvRegHandle
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], 4
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], 2
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpEventWriteGuidEntry@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEventWriteProviderEnabled(x, x,	x, x, x, x, x, x, x, x,	x, x)
_EtwpEventWriteProviderEnabled@48 proc near ; CODE XREF: EtwpEnableGuid+11FDB5p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		mov	edx, ecx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_74], eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_6C], 10h
		mov	eax, [ecx+4]
		mov	[ebp+var_64], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_18]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_20]
		push	8
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_24]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	esi
		push	edx
		push	dword_6BC30C
		mov	[ebp+var_70], esi
		push	_EtwpEventTracingProvRegHandle
		mov	[ebp+var_68], esi
		mov	[ebp+var_60], esi
		mov	[ebp+var_58], esi
		mov	[ebp+var_54], offset _EtwpNull
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], 2
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], 4
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], 1
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	28h
_EtwpEventWriteProviderEnabled@48 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEventWriteRegEntry(x, x, x)
_EtwpEventWriteRegEntry@12 proc	near	; CODE XREF: EtwpTracingProvEnableCallback+82E66p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, _EtwpEventTracingProvRegHandle
		lea	edx, [ecx+32h]
		xor	ebx, ebx
		test	byte ptr [edx],	2
		push	edi
		mov	edi, dword_6BC30C
		mov	[ebp+var_78], ebx
		jz	short loc_9F4DCB
		mov	eax, [ecx+28h]
		test	eax, eax
		jz	short loc_9F4DCB
		mov	eax, [eax+0E4h]
		mov	[ebp+var_78], eax

loc_9F4DCB:				; CODE XREF: EtwpEventWriteRegEntry(x,x,x)+2Cj
					; EtwpEventWriteRegEntry(x,x,x)+33j
		mov	eax, [ecx+10h]
		add	eax, 14h
		mov	[ebp+var_60], ebx
		mov	[ebp+var_64], eax
		mov	eax, [ecx+14h]
		mov	[ebp+var_5C], 10h
		mov	[ebp+var_58], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], 10h
		mov	[ebp+var_48], ebx
		test	eax, eax
		jz	short loc_9F4DFA
		add	eax, 14h
		jmp	short loc_9F4DFD
; 

loc_9F4DFA:				; CODE XREF: EtwpEventWriteRegEntry(x,x,x)+66j
		lea	eax, [ebp+var_74]

loc_9F4DFD:				; CODE XREF: EtwpEventWriteRegEntry(x,x,x)+6Bj
		mov	[ebp+var_54], eax
		lea	eax, [ecx+34h]
		mov	[ebp+var_34], eax
		lea	eax, [ecx+35h]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		push	ebx
		mov	[ebp+var_44], edx
		xor	edx, edx
		push	offset _ETW_EVENT_REG_ENTRY_INFO
		inc	edx
		mov	[ebp+var_40], ebx
		push	edi
		push	esi
		mov	[ebp+var_3C], 2
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpEventWriteRegEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEventWriteRegistrationStatus(x,	x, x, x, x, x)
_EtwpEventWriteRegistrationStatus@24 proc near
					; CODE XREF: EtwpSetProviderTraitsUm(x,x,x)+177p
					; EtwpSetProviderTraitsKm(x,x,x)+A5p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], 10h
		mov	[ebp+var_18], ecx
		mov	eax, [eax+10h]
		add	eax, 14h
		mov	[ebp+var_10], ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	ecx
		push	offset _ETW_EVENT_SET_TRAITS_FAILED
		push	dword_6BC30C
		mov	[ebp+var_C], 4
		push	_EtwpEventTracingProvRegHandle
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_EtwpEventWriteRegistrationStatus@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEventWriteTemplateAdmin(x, x, x, x, x, x, x, x)
_EtwpEventWriteTemplateAdmin@32	proc near ; CODE XREF: EtwpLogger(x)+239p
					; EtwpRealtimeSaveBuffer+AB1E1p ...

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, [ebp+arg_8]
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		mov	eax, [edx+4]
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_64], eax
		movzx	eax, word ptr [edx]
		push	edi
		mov	[ebp+var_5C], eax
		mov	edi, offset _EtwpNull
		mov	eax, [ecx+4]
		push	2
		pop	edx
		mov	[ebp+var_44], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+arg_10]
		push	4
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_14]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	6
		push	ebx
		push	esi
		push	dword_6BC30C
		mov	[ebp+var_60], ebx
		push	_EtwpEventTracingProvRegHandle
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_EtwpEventWriteTemplateAdmin@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEventWriteTemplateBackingFile(x, x, x, x, x, x,	x)
_EtwpEventWriteTemplateBackingFile@28 proc near	; CODE XREF: EtwpRealtimeSaveBuffer+AB14Ep
					; EtwpRealtimeSaveBuffer+AB193p ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_8]
		xor	edx, edx
		push	4
		mov	[ebp+var_48], 0C0000188h
		mov	[ebp+var_40], edx
		mov	eax, [ecx+4]
		mov	[ebp+var_44], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_48]
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	ecx
		push	edx
		push	offset _ETW_EVENT_BACKING_FILE_FULL
		push	dword_6BC30C
		mov	[ebp+var_38], edx
		push	_EtwpEventTracingProvRegHandle
		mov	[ebp+var_34], offset _EtwpNull
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], 2
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_EtwpEventWriteTemplateBackingFile@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEventWriteTemplateMaxFileSize(x, x, x, x, x, x,	x, x, x, x)
_EtwpEventWriteTemplateMaxFileSize@40 proc near
					; CODE XREF: EtwpFlushBufferToLogfile+11E883p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_8]
		push	esi
		push	edi
		push	2
		mov	eax, [ecx+4]
		xor	edi, edi
		mov	[ebp+var_74], eax
		mov	esi, offset _EtwpNull
		movzx	eax, word ptr [ecx]
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_6C], eax
		pop	edx
		push	4
		mov	eax, [ecx+4]
		mov	[ebp+var_54], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_14]
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_18]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	edi
		push	offset _ETW_EVENT_MAX_FILE_SIZE_REACHED
		push	dword_6BC30C
		mov	[ebp+var_78], 0C0000188h
		push	_EtwpEventTracingProvRegHandle
		mov	[ebp+var_70], edi
		mov	[ebp+var_68], edi
		mov	[ebp+var_64], esi
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], 8
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
_EtwpEventWriteTemplateMaxFileSize@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEventWriteTemplateSessAndProv(x, x, x, x, x, x,	x)
_EtwpEventWriteTemplateSessAndProv@28 proc near	; CODE XREF: EtwUnregister+AF222p
					; EtwpCloseRegistrationObject+11CDA9p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= word ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, dword_6BC30C
		xor	edx, edx
		push	ebx
		mov	ebx, _EtwpEventTracingProvRegHandle
		push	esi
		push	edi
		push	2
		pop	esi
		mov	edi, ecx
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_38], eax
		cmp	[ebp+arg_8], si
		jnz	short loc_9F5138
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_34], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_24], eax
		movzx	eax, word ptr [ecx]
		push	3
		mov	[ebp+var_C], esi
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], offset _EtwpNull
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		pop	esi
		jmp	short loc_9F5169
; 

loc_9F5138:				; CODE XREF: EtwpEventWriteTemplateSessAndProv(x,x,x,x,x,x,x)+31j
		test	ecx, ecx
		jz	short loc_9F515A
		mov	eax, [ecx+4]
		mov	[ebp+var_34], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_24], offset _EtwpNull
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], edx
		jmp	short loc_9F5170
; 

loc_9F515A:				; CODE XREF: EtwpEventWriteTemplateSessAndProv(x,x,x,x,x,x,x)+62j
		mov	eax, [ebp+arg_10]
		mov	esi, edx
		test	eax, eax
		jz	short loc_9F5176
		xor	esi, esi
		mov	[ebp+var_34], eax
		inc	esi

loc_9F5169:				; CODE XREF: EtwpEventWriteTemplateSessAndProv(x,x,x,x,x,x,x)+5Ej
		mov	[ebp+var_2C], 10h

loc_9F5170:				; CODE XREF: EtwpEventWriteTemplateSessAndProv(x,x,x,x,x,x,x)+80j
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx

loc_9F5176:				; CODE XREF: EtwpEventWriteTemplateSessAndProv(x,x,x,x,x,x,x)+89j
		lea	eax, [ebp+var_34]
		push	eax
		push	esi
		push	edx
		push	edi
		push	[ebp+var_38]
		push	ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_EtwpEventWriteTemplateSessAndProv@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEventWriteTemplateSession(x, x,	x, x)
_EtwpEventWriteTemplateSession@16 proc near ; CODE XREF: EtwpTransitionToRealtime(x,x)+12Ep
					; EtwpLogger(x)+41Ap ...

var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 110h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_C8], 0
		lea	eax, [edx+0C8h]
		and	[ebp+var_C0], 0
		and	[ebp+var_B8], 0
		and	[ebp+var_B0], 0
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_104], eax
		push	esi
		mov	esi, _EtwpEventTracingProvRegHandle
		lea	eax, [edx+0Ch]
		mov	[ebp+var_F4], eax
		mov	eax, [edx+60h]
		push	edi
		mov	edi, dword_6BC30C
		mov	[ebp+var_E4], eax
		movzx	eax, word ptr [edx+5Ch]
		push	2
		mov	[ebp+var_DC], eax
		mov	eax, [edx+68h]
		mov	[ebp+var_10C], ebx
		mov	[ebp+var_110], ebx
		mov	[ebp+var_108], ebx
		mov	[ebp+var_100], ebx
		mov	[ebp+var_F8], ebx
		mov	[ebp+var_F0], ebx
		mov	[ebp+var_E8], ebx
		mov	[ebp+var_E0], ebx
		mov	[ebp+var_D8], ebx
		mov	[ebp+var_D0], ebx
		pop	ebx
		mov	[ebp+var_C4], eax
		movzx	eax, word ptr [edx+64h]
		mov	[ebp+var_CC], ebx
		mov	[ebp+var_AC], ebx
		xor	ebx, ebx
		mov	[ebp+var_BC], eax
		mov	[ebp+var_FC], 10h
		mov	[ebp+var_EC], 4
		mov	[ebp+var_D4], offset _EtwpNull
		mov	[ebp+var_B4], offset _EtwpNull
		mov	[ebp+var_A8], ebx
		push	6
		pop	eax
		cmp	ecx, offset _ETW_EVENT_START_TRACE
		jz	short loc_9F52AE
		cmp	ecx, (offset loc_40756C+4)
		jz	short loc_9F52AE
		cmp	ecx, offset _ETW_EVENT_SESSION_INFO
		jnz	loc_9F53C9

loc_9F52AE:				; CODE XREF: EtwpEventWriteTemplateSession(x,x,x,x)+101j
					; EtwpEventWriteTemplateSession(x,x,x,x)+109j
		mov	[ebp+var_A0], ebx
		lea	eax, [edx+98h]
		mov	[ebp+var_A4], eax
		lea	eax, [edx+0A4h]
		mov	[ebp+var_94], eax
		lea	eax, [edx+4]
		mov	[ebp+var_84], eax
		mov	eax, [edx+0ACh]
		mov	[ebp+var_108], eax
		mov	eax, [edx+0A0h]
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_108]
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_10C]
		mov	[ebp+var_64], eax
		lea	eax, [edx+88h]
		mov	[ebp+var_54], eax
		mov	[ebp+var_9C], 4
		mov	[ebp+var_98], ebx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_8C], 4
		mov	[ebp+var_88], ebx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_7C], 4
		mov	[ebp+var_78], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], 4
		mov	[ebp+var_68], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], 4
		mov	[ebp+var_58], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], 4
		mov	[ebp+var_48], ebx
		push	0Ch
		pop	eax
		cmp	ecx, offset _ETW_EVENT_START_TRACE
		jz	short loc_9F53C9
		mov	eax, [edx+0A8h]
		mov	[ebp+var_110], eax
		lea	eax, [ebp+var_110]
		mov	[ebp+var_44], eax
		lea	eax, [edx+0B4h]
		mov	[ebp+var_34], eax
		lea	eax, [edx+0BCh]
		push	4
		mov	[ebp+var_24], eax
		pop	eax
		push	10h
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], 4
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], 4
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		pop	eax

loc_9F53C9:				; CODE XREF: EtwpEventWriteTemplateSession(x,x,x,x)+111j
					; EtwpEventWriteTemplateSession(x,x,x,x)+1D4j
		lea	edx, [ebp+var_104]
		push	edx
		push	eax
		push	ebx
		push	ecx
		push	edi
		push	esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpEventWriteTemplateSession@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEventWriteTemplateSessionEnd(x,	x, x, x, x, x, x, x, x)
_EtwpEventWriteTemplateSessionEnd@36 proc near ; CODE XREF: EtwpLogger(x)+316p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	ecx, [ebp+arg_8]
		push	esi
		push	edi
		push	2
		mov	eax, [ecx+4]
		xor	edi, edi
		mov	[ebp+var_74], eax
		mov	esi, offset _EtwpNull
		movzx	eax, word ptr [ecx]
		mov	ecx, [ebp+arg_C]
		mov	[ebp+var_6C], eax
		pop	edx
		push	4
		mov	eax, [ecx+4]
		mov	[ebp+var_54], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_14]
		pop	ecx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_18]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	edi
		push	offset _ETW_EVENT_SESSION_END_FAILED
		push	dword_6BC30C
		mov	[ebp+var_70], edi
		push	_EtwpEventTracingProvRegHandle
		mov	[ebp+var_68], edi
		mov	[ebp+var_64], esi
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], edx
		mov	[ebp+var_58], edi
		mov	[ebp+var_50], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
_EtwpEventWriteTemplateSessionEnd@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpFindMatchingPmcRegistryGroup(void *,int,int)
_EtwpFindMatchingPmcRegistryGroup@20 proc near
					; CODE XREF: EtwpAddMicroarchitecturalPmcToRegistry(x,x)+A3p
					; EtwpRemoveMicroarchitecturalPmcFromRegistry(x,x,x)+5Cp

var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 268h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_238], eax
		push	218h		; size_t
		lea	eax, [ebp+var_22C]
		mov	[ebp+var_264], edx
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_230], ebx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_244], ebx
		lea	eax, [ebp+var_244]
		mov	[ebp+var_240], ebx
		mov	[ebp+var_23C], ebx
		mov	[ebp+var_260], ebx
		push	offset ??_C@_1IK@FCPDDGMM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax
		mov	[ebp+var_234], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	esi, esi
		mov	[ebp+var_25C], 18h
		push	esi
		push	esi
		push	esi
		lea	eax, [ebp+var_244]
		mov	[ebp+var_258], esi
		mov	[ebp+var_254], eax
		lea	eax, [ebp+var_25C]
		push	esi
		push	eax
		push	20019h
		lea	eax, [ebp+var_234]
		mov	[ebp+var_250], 240h
		push	eax
		mov	[ebp+var_24C], esi
		mov	[ebp+var_248], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		or	edi, 0FFFFFFFFh

loc_9F556E:				; CODE XREF: EtwpFindMatchingPmcRegistryGroup(x,x,x,x,x)+202j
		lea	eax, [ebp+var_260]
		inc	edi
		push	eax
		push	216h
		lea	eax, [ebp+var_22C]
		push	eax
		push	esi
		push	edi
		push	[ebp+var_234]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F5692
		mov	eax, [ebp+var_220]
		cmp	eax, 0FFh
		jnb	loc_9F5692
		shr	eax, 1
		xor	ecx, ecx
		mov	word ptr [ebp+eax*2+var_21C], cx
		lea	eax, [ebp+var_21C]
		push	eax
		push	offset ??_C@_1IK@FCPDDGMM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; char
		push	offset ??_C@_1BA@NPEHGALP@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	[ebp+arg_4]	; int
		push	[ebp+var_238]	; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		lea	eax, [ebp+var_244]
		push	[ebp+var_238]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_244]
		mov	[ebp+var_25C], 18h
		mov	[ebp+var_254], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_25C]
		mov	[ebp+var_258], ecx
		push	eax
		push	20019h
		lea	eax, [ebp+var_230]
		mov	[ebp+var_250], 240h
		push	eax
		mov	[ebp+var_24C], ecx
		mov	[ebp+var_248], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_9F56A4
		mov	ecx, [ebp+var_230]
		lea	eax, [ebp+var_14]
		push	eax
		lea	edx, [ebp+var_23C]
		call	_EtwpGetPmcCpuHierarchyRegistry@12 ; EtwpGetPmcCpuHierarchyRegistry(x,x,x)
		push	[ebp+var_230]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_264]
		cmp	[ebp+var_23C], eax
		jnz	short loc_9F56A4
		push	0Ch		; size_t
		push	[ebp+arg_0]	; void *
		lea	eax, [ebp+var_14]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9F56A4
		mov	bl, 1

loc_9F567F:				; CODE XREF: EtwpFindMatchingPmcRegistryGroup(x,x,x,x,x)+1FEj
		push	[ebp+var_234]
		call	_ZwClose@4	; ZwClose(x)
		test	bl, bl
		jz	short loc_9F56AF
		xor	eax, eax
		jmp	short loc_9F56C7
; 

loc_9F5692:				; CODE XREF: EtwpFindMatchingPmcRegistryGroup(x,x,x,x,x)+EBj
					; EtwpFindMatchingPmcRegistryGroup(x,x,x,x,x)+FCj
		cmp	esi, 0C0000023h
		jz	short loc_9F56A2
		cmp	esi, 80000005h
		jnz	short loc_9F56A4

loc_9F56A2:				; CODE XREF: EtwpFindMatchingPmcRegistryGroup(x,x,x,x,x)+1F0j
		xor	esi, esi

loc_9F56A4:				; CODE XREF: EtwpFindMatchingPmcRegistryGroup(x,x,x,x,x)+190j
					; EtwpFindMatchingPmcRegistryGroup(x,x,x,x,x)+1BEj ...
		test	esi, esi
		js	short loc_9F567F
		xor	esi, esi
		jmp	loc_9F556E
; 

loc_9F56AF:				; CODE XREF: EtwpFindMatchingPmcRegistryGroup(x,x,x,x,x)+1E4j
		push	[ebp+arg_4]	; size_t
		push	0		; int
		push	[ebp+var_238]	; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, 0C0000001h

loc_9F56C7:				; CODE XREF: EtwpFindMatchingPmcRegistryGroup(x,x,x,x,x)+1E8j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_EtwpFindMatchingPmcRegistryGroup@20 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpFreePmcData(x)
_EtwpFreePmcData@4 proc	near		; CODE XREF: NtQueryPerformanceCounter+27Dp
		mov	edi, edi
		push	ebx
		push	edi
		mov	edi, ds:_KeNumberProcessors
		mov	ebx, [ecx+2BCh]
		test	edi, edi
		jz	short loc_9F5706
		push	esi
		lea	esi, [ebx+14h]

loc_9F56F0:				; CODE XREF: EtwpFreePmcData(x)+2Bj
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_9F56FD
		push	eax
		call	off_6B1338	; PopPdcCallback(x)

loc_9F56FD:				; CODE XREF: EtwpFreePmcData(x)+1Cj
		add	esi, 4
		sub	edi, 1
		jnz	short loc_9F56F0
		pop	esi

loc_9F5706:				; CODE XREF: EtwpFreePmcData(x)+12j
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_9F5714
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F5714:				; CODE XREF: EtwpFreePmcData(x)+32j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	ebx
		retn
_EtwpFreePmcData@4 endp	; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetMicroarchitecturalPmcAffinity(x, x)
_EtwpGetMicroarchitecturalPmcAffinity@8	proc near
					; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+527p
					; EtwSetPerformanceTraceInformation(x,x,x)+60Bp ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_14], ecx
		push	edi
		call	_KeQueryActiveProcessorAffinity@4 ; KeQueryActiveProcessorAffinity(x)
		mov	ebx, eax
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_9F578C

loc_9F5747:				; CODE XREF: EtwpGetMicroarchitecturalPmcAffinity(x,x)+6Bj
		mov	edx, ds:_KiProcessorBlock[esi*4]
		movzx	eax, byte ptr [edx+17h]
		movsx	ecx, byte ptr [edx+14h]
		mov	[ebp+var_C], eax
		movzx	eax, byte ptr [edx+16h]
		mov	[ebp+var_8], eax
		xor	eax, eax
		mov	[ebp+var_10], ecx

loc_9F5765:				; CODE XREF: EtwpGetMicroarchitecturalPmcAffinity(x,x)+5Bj
		mov	ecx, [ebp+var_14]
		mov	ecx, [ecx+eax*4]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_9F5787
		cmp	ecx, [ebp+eax*4+var_10]
		jnz	short loc_9F577E
		inc	eax
		cmp	eax, 3
		jb	short loc_9F5765
		jmp	short loc_9F5787
; 

loc_9F577E:				; CODE XREF: EtwpGetMicroarchitecturalPmcAffinity(x,x)+55j
		mov	eax, [edi+8]
		btr	eax, esi
		mov	[edi+8], eax

loc_9F5787:				; CODE XREF: EtwpGetMicroarchitecturalPmcAffinity(x,x)+4Fj
					; EtwpGetMicroarchitecturalPmcAffinity(x,x)+5Dj
		inc	esi
		cmp	esi, ebx
		jb	short loc_9F5747

loc_9F578C:				; CODE XREF: EtwpGetMicroarchitecturalPmcAffinity(x,x)+26j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpGetMicroarchitecturalPmcAffinity@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetPmcCpuHierarchyRegistry(x, x, x)
_EtwpGetPmcCpuHierarchyRegistry@12 proc	near
					; CODE XREF: EtwpFindMatchingPmcRegistryGroup(x,x,x,x,x)+1A2p
					; EtwpLoadMicroarchitecturalProfileGroup(x,x)+9Dp

var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_BC		= dword	ptr -0BCh
var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_38		= dword	ptr -38h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_C8]
		push	8Ch		; size_t
		push	0		; int
		push	eax		; void *
		mov	ebx, edx
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_CC], edi
		mov	[ebp+var_10], offset ??_C@_1O@KGHEAOHP@?$AAF?$AAa?$AAm?$AAi?$AAl?$AAy@NNGAKEGL@	; "Family"
		mov	[ebp+var_C], offset ??_C@_1M@HHGCKIGA@?$AAM?$AAo?$AAd?$AAe?$AAl@NNGAKEGL@ ; "Model"
		mov	[ebp+var_8], offset ??_C@_1BC@GMMNMBBO@?$AAS?$AAt?$AAe?$AAp?$AAp?$AAi?$AAn?$AAg@NNGAKEGL@
		call	_memset
		add	esp, 0Ch
		lea	esi, [ebp+var_38]
		xor	edx, edx
		lea	ecx, [ebp+var_BC]
		or	eax, 0FFFFFFFFh
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_CC]

loc_9F5806:				; CODE XREF: EtwpGetPmcCpuHierarchyRegistry(x,x,x)+93j
		mov	eax, [ebp+edx*4+var_10]
		mov	[ecx-4], eax
		push	4
		pop	eax
		mov	[ecx+4], eax
		mov	[esi], eax
		lea	eax, [edi+edx*4]
		mov	[ecx], esi
		inc	edx
		mov	dword ptr [ecx-0Ch], offset EtwpQueryRegistryCallback
		add	ecx, 1Ch
		mov	[esi+4], eax
		add	esi, 8
		cmp	edx, 3
		jb	short loc_9F5806
		mov	edx, [ebp+var_D0]
		lea	eax, [ebp+var_20]
		or	dword ptr [ebx], 0FFFFFFFFh
		push	4
		mov	[ebp+var_68], eax
		pop	eax
		push	1
		push	ecx
		mov	[ebp+var_64], eax
		mov	ecx, 40000000h
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_C8]
		push	0
		push	eax
		mov	[ebp+var_74], offset EtwpQueryRegistryCallback
		mov	[ebp+var_6C], offset ??_C@_1BK@NGNFGMBN@?$AAA?$AAr?$AAc?$AAh?$AAi?$AAt?$AAe?$AAc?$AAt?$AAu?$AAr?$AAe@NNGAKEGL@ ; "Architecture"
		mov	[ebp+var_1C], ebx
		call	RtlpQueryRegistryValues
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwpGetPmcCpuHierarchyRegistry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLoadMicroarchitecturalProfileGroup(x, x)
_EtwpLoadMicroarchitecturalProfileGroup@8 proc near
					; CODE XREF: EtwpLoadMicroarchitecturalPmcs+83B11p

var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_2FC		= dword	ptr -2FCh
var_2F8		= dword	ptr -2F8h
var_2F4		= dword	ptr -2F4h
var_2EC		= dword	ptr -2ECh
var_2E8		= dword	ptr -2E8h
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= byte ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_B0		= dword	ptr -0B0h
var_A4		= dword	ptr -0A4h
var_3C		= dword	ptr -3Ch
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	dword ptr [ebp+var_2D8], edx
		push	218h		; size_t
		lea	eax, [ebp+var_2C8]
		mov	[ebp+var_2D0], esi
		mov	ebx, ecx
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_2D4], ebx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_2E8], esi
		xor	eax, eax
		mov	[ebp+var_2E4], esi
		lea	edi, [ebp+var_30C]
		mov	[ebp+var_10], offset ??_C@_1O@KGHEAOHP@?$AAF?$AAa?$AAm?$AAi?$AAl?$AAy@NNGAKEGL@	; "Family"
		mov	[ebp+var_C], offset ??_C@_1M@HHGCKIGA@?$AAM?$AAo?$AAd?$AAe?$AAl@NNGAKEGL@ ; "Model"
		push	6
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_2F4]
		mov	[ebp+var_8], offset ??_C@_1BC@GMMNMBBO@?$AAS?$AAt?$AAe?$AAp?$AAp?$AAi?$AAn?$AAg@NNGAKEGL@
		stosd
		mov	[ebp+var_2CC], esi
		mov	[ebp+var_2E0], esi
		stosd
		stosd
		call	KiGetCpuVendor
		mov	[ebp+var_2DC], eax
		lea	edx, [ebp+var_2D0]
		lea	eax, [ebp+var_1C]
		mov	ecx, ebx
		push	eax
		call	_EtwpGetPmcCpuHierarchyRegistry@12 ; EtwpGetPmcCpuHierarchyRegistry(x,x,x)
		push	70h		; size_t
		lea	eax, [ebp+var_B0]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [ebp+var_1C]
		or	ebx, 0FFFFFFFFh
		lea	edx, [ebp+var_3C]
		mov	eax, ebx
		lea	ecx, [ebp+var_A4]
		stosd
		push	4
		stosd
		stosd
		pop	edi

loc_9F594B:				; CODE XREF: EtwpLoadMicroarchitecturalProfileGroup(x,x)+F3j
		mov	eax, [ebp+esi+var_10]
		mov	[ecx-4], eax
		lea	eax, [ebp+var_1C]
		add	eax, esi
		mov	[ecx], edx
		mov	dword ptr [ecx-0Ch], offset EtwpQueryRegistryCallback
		add	esi, edi
		mov	[ecx+4], edi
		add	ecx, 1Ch
		mov	[edx], edi
		mov	[edx+4], eax
		add	edx, 8
		cmp	esi, 0Ch
		jb	short loc_9F594B
		mov	edx, [ebp+var_2D4]
		lea	eax, [ebp+var_B0]
		push	1
		push	ecx
		xor	esi, esi
		mov	ecx, 40000000h
		push	esi
		push	eax
		call	RtlpQueryRegistryValues
		test	eax, eax
		js	loc_9F5AEC
		mov	eax, [ebp+var_2DC]
		cmp	[ebp+var_2D0], eax
		jnz	loc_9F5AEC
		lea	edx, [ebp+var_2F4]
		lea	ecx, [ebp+var_1C]
		call	_EtwpGetMicroarchitecturalPmcAffinity@8	; EtwpGetMicroarchitecturalPmcAffinity(x,x)
		cmp	[ebp+var_2EC], esi
		jz	loc_9F5AEC
		mov	ecx, dword ptr [ebp+var_2D8]
		lea	edx, [ecx+2]

loc_9F59CF:				; CODE XREF: EtwpLoadMicroarchitecturalProfileGroup(x,x)+158j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_9F59CF
		sub	ecx, edx
		sar	ecx, 1
		push	50777445h
		lea	edi, ds:200h[ecx*2]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax

loc_9F59F4:				; CODE XREF: EtwpLoadMicroarchitecturalProfileGroup(x,x)+1ABj
					; EtwpLoadMicroarchitecturalProfileGroup(x,x)+1D5j ...
		lea	eax, [ebp+var_2E0]
		inc	ebx
		push	eax
		push	216h
		lea	eax, [ebp+var_2C8]
		push	eax
		push	0
		push	ebx
		push	[ebp+var_2D4]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_9F5AE1
		mov	eax, [ebp+var_2BC]
		shr	eax, 1
		cmp	eax, 0FEh
		ja	short loc_9F59F4
		xor	ecx, ecx
		mov	word ptr [ebp+eax*2+var_2B8], cx
		lea	eax, [ebp+var_2B8]
		push	eax
		push	dword ptr [ebp+var_2D8]	; char
		push	offset ??_C@_1BA@NPEHGALP@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	edi		; int
		push	esi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		test	eax, eax
		js	short loc_9F59F4
		push	esi
		lea	eax, [ebp+var_2E8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_2E8]
		mov	[ebp+var_30C], 18h
		mov	[ebp+var_304], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_30C]
		mov	[ebp+var_308], ecx
		push	eax
		push	20019h
		lea	eax, [ebp+var_2CC]
		mov	[ebp+var_300], 240h
		push	eax
		mov	[ebp+var_2FC], ecx
		mov	[ebp+var_2F8], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_9F59F4
		mov	ecx, [ebp+var_2CC]
		lea	eax, [ebp+var_2B8]
		push	eax
		lea	edx, [ebp+var_2F4]
		call	_EtwpLoadMicroarchitecturalProfileSource@12 ; EtwpLoadMicroarchitecturalProfileSource(x,x,x)
		lea	eax, [ebp+var_2CC]
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_9F59F4
; 

loc_9F5AE1:				; CODE XREF: EtwpLoadMicroarchitecturalProfileGroup(x,x)+198j
		push	50777445h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F5AEC:				; CODE XREF: EtwpLoadMicroarchitecturalProfileGroup(x,x)+114j
					; EtwpLoadMicroarchitecturalProfileGroup(x,x)+126j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpLoadMicroarchitecturalProfileGroup@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLoadMicroarchitecturalProfileSource(x, x, x)
_EtwpLoadMicroarchitecturalProfileSource@12 proc near
					; CODE XREF: EtwpLoadMicroarchitecturalProfileGroup(x,x)+24Bp

var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_134		= dword	ptr -134h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_118		= dword	ptr -118h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_FC		= dword	ptr -0FCh
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E0		= dword	ptr -0E0h
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_C4		= dword	ptr -0C4h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_A8		= dword	ptr -0A8h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 178h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, ecx
		mov	[ebp+var_174], edx
		push	edi
		test	esi, esi
		jz	loc_9F5DE0
		push	0FEh
		push	esi
		call	_wcsnlen
		or	[ebp+var_154], 0FFFFFFFFh
		or	[ebp+var_158], 0FFFFFFFFh
		push	0FCh		; size_t
		lea	edi, [eax+1]
		mov	[ebp+var_16C], 10000h
		xor	eax, eax
		mov	[ebp+var_178], edi
		push	eax		; int
		mov	[ebp+var_170], eax
		mov	[ebp+var_164], eax
		mov	[ebp+var_15C], eax
		mov	[ebp+var_160], eax
		mov	[ebp+var_168], eax
		lea	eax, [ebp+var_150]
		push	eax		; void *
		call	_memset
		lea	eax, [ebp+var_50]
		mov	[ebp+var_148], offset ??_C@_1M@JJBFPLJB@?$AAE?$AAv?$AAe?$AAn?$AAt@NNGAKEGL@
		mov	[ebp+var_144], eax
		add	esp, 14h
		lea	eax, [ebp+var_154]
		mov	[ebp+var_12C], offset ??_C@_19ENIPABFF@?$AAU?$AAn?$AAi?$AAt@NNGAKEGL@ ;	"Unit"
		mov	[ebp+var_4C], eax
		mov	ecx, offset EtwpQueryRegistryCallback
		lea	eax, [ebp+var_48]
		mov	[ebp+var_150], ecx
		mov	[ebp+var_128], eax
		lea	eax, [ebp+var_158]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_16C]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_38]
		mov	[ebp+var_F0], eax
		lea	eax, [ebp+var_170]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_D4], eax
		lea	eax, [ebp+var_15C]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_168]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_164]
		push	4
		pop	edx
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_140], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_134], ecx
		mov	[ebp+var_124], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_118], ecx
		mov	[ebp+var_110], offset ??_C@_1BC@KKEAFNKD@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAv?$AAa?$AAl@NNGAKEGL@ ; "Interval"
		mov	[ebp+var_108], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_FC], ecx
		mov	[ebp+var_F4], offset ??_C@_1BG@OMCKMKBD@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAs?$AAH?$AAa?$AAl?$AAt@NNGAKEGL@ ; "A"
		mov	[ebp+var_EC], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_E0], ecx
		mov	[ebp+var_D8], offset ??_C@_1M@NFEDHPMI@?$AAC?$AAM?$AAa?$AAs?$AAk@NNGAKEGL@ ; "CMask"
		mov	[ebp+var_D0], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_C4], ecx
		mov	[ebp+var_BC], offset ??_C@_1BG@BHHFLBAJ@?$AAE?$AAd?$AAg?$AAe?$AAD?$AAe?$AAt?$AAe?$AAc?$AAt@NNGAKEGL@ ; "E"
		mov	[ebp+var_B4], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_A0], offset ??_C@_1BE@FBOMIBJN@?$AAA?$AAn?$AAy?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd@NNGAKEGL@
		mov	[ebp+var_98], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_8C], ecx
		push	1
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_160]
		push	ecx
		mov	[ebp+var_14], eax
		mov	ecx, 40000000h
		push	0
		lea	eax, [ebp+var_150]
		mov	[ebp+var_7C], edx
		mov	[ebp+var_18], edx
		mov	edx, ebx
		push	eax
		mov	[ebp+var_84], offset ??_C@_1BI@PPAIMHKI@?$AAC?$AAM?$AAa?$AAs?$AAk?$AAI?$AAn?$AAv?$AAe?$AAr?$AAt@NNGAKEGL@
		call	RtlpQueryRegistryValues
		test	eax, eax
		js	loc_9F5DE5
		cmp	[ebp+var_154], 0FFFFFFFFh
		jz	loc_9F5DE0
		cmp	[ebp+var_158], 0FFFFFFFFh
		jz	loc_9F5DE0
		push	50777445h
		lea	eax, ds:18h[edi*2]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9F5D3F
		mov	eax, 0C0000017h
		jmp	loc_9F5DE5
; 

loc_9F5D3F:				; CODE XREF: EtwpLoadMicroarchitecturalProfileSource(x,x,x)+238j
		push	edi
		push	esi
		lea	eax, [ebx+18h]
		push	edi
		push	eax
		call	_wcsncpy_s
		mov	esi, [ebp+var_174]
		lea	edi, [ebx+0Ch]
		add	esp, 10h
		movsd
		movsd
		movsd
		call	KiGetCpuVendor
		cmp	eax, 1
		jnz	short loc_9F5D9B
		mov	al, byte ptr [ebp+var_154]
		mov	[ebx], al
		mov	al, byte ptr [ebp+var_158]
		mov	[ebx+1], al
		mov	al, byte ptr [ebp+var_15C]
		mov	[ebx+2], al
		mov	al, byte ptr [ebp+var_160]
		mov	[ebx+3], al
		mov	al, byte ptr [ebp+var_164]
		mov	[ebx+4], al
		mov	al, byte ptr [ebp+var_168]
		mov	[ebx+5], al
		jmp	short loc_9F5DB1
; 

loc_9F5D9B:				; CODE XREF: EtwpLoadMicroarchitecturalProfileSource(x,x,x)+267j
		cmp	eax, 2
		jnz	short loc_9F5DB1
		mov	al, byte ptr [ebp+var_154]
		mov	[ebx], al
		mov	al, byte ptr [ebp+var_158]
		mov	[ebx+1], al

loc_9F5DB1:				; CODE XREF: EtwpLoadMicroarchitecturalProfileSource(x,x,x)+29Ej
					; EtwpLoadMicroarchitecturalProfileSource(x,x,x)+2A3j
		mov	ecx, [ebp+var_178]
		mov	eax, [ebp+var_16C]
		mov	[ebx+8], eax
		push	ebx
		lea	eax, ds:18h[ecx*2]
		push	eax
		push	14h
		call	off_6B2BC8	; xHalSetSystemInformation(x,x,x)
		push	50777445h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		jmp	short loc_9F5DE5
; 

loc_9F5DE0:				; CODE XREF: EtwpLoadMicroarchitecturalProfileSource(x,x,x)+25j
					; EtwpLoadMicroarchitecturalProfileSource(x,x,x)+20Dj ...
		mov	eax, 0C0000001h

loc_9F5DE5:				; CODE XREF: EtwpLoadMicroarchitecturalProfileSource(x,x,x)+200j
					; EtwpLoadMicroarchitecturalProfileSource(x,x,x)+23Fj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwpLoadMicroarchitecturalProfileSource@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x, x, x)
_EtwpRemoveMicroarchitecturalPmcFromPmcGroup@12	proc near
					; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromRegistry(x,x,x)+71p

var_288		= dword	ptr -288h
var_284		= byte ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_240		= dword	ptr -240h
var_23C		= word ptr -23Ch
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 288h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		push	0Ah
		mov	esi, ecx
		mov	[ebp+var_280], edx
		pop	ecx
		lea	edi, [ebp+var_34]
		mov	dword ptr [ebp+var_284], esi
		rep stosd
		push	218h		; size_t
		xor	edi, edi
		mov	[ebp+var_27C], ebx
		lea	eax, [ebp+var_24C]
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	ecx, esi
		mov	[ebp+var_260], edi
		add	esp, 0Ch
		mov	[ebp+var_25C], edi
		mov	[ebp+var_250], edi
		mov	[ebp+var_254], edi
		mov	[ebp+var_258], edi
		lea	edx, [ecx+2]

loc_9F5E69:				; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x,x,x)+7Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_9F5E69
		sub	ecx, edx
		sar	ecx, 1
		push	50777445h
		lea	eax, [ebx+ecx]
		lea	eax, ds:4[eax*2]
		push	eax
		push	1
		mov	[ebp+var_288], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9F5EA5
		mov	eax, 0C0000017h
		jmp	loc_9F6057
; 

loc_9F5EA5:				; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x,x,x)+A3j
		push	esi
		lea	eax, [ebp+var_260]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_260]
		mov	[ebp+var_278], 18h
		mov	[ebp+var_270], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_278]
		mov	[ebp+var_274], ecx
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_250]
		mov	[ebp+var_26C], 240h
		push	eax
		mov	[ebp+var_268], ecx
		mov	[ebp+var_264], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F604A
		or	ebx, 0FFFFFFFFh

loc_9F5F0B:				; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x,x,x)+286j
		lea	eax, [ebp+var_258]
		inc	ebx
		push	eax
		push	216h
		lea	eax, [ebp+var_24C]
		push	eax
		push	0
		push	ebx
		push	[ebp+var_250]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F6068
		mov	ecx, [ebp+var_27C]
		lea	eax, [ecx+ecx]
		cmp	[ebp+var_240], eax
		jnz	loc_9F6068
		xor	edx, edx
		mov	[ebp+eax+var_23C], dx
		lea	eax, [ebp+var_23C]
		push	ecx		; size_t
		push	eax		; wchar_t *
		push	[ebp+var_280]	; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_9F607A
		lea	eax, [ebp+var_23C]
		push	eax
		push	dword ptr [ebp+var_284]	; char
		push	offset ??_C@_1BA@NPEHGALP@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		push	[ebp+var_288]	; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		lea	eax, [ebp+var_260]
		push	edi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_260]
		mov	[ebp+var_278], 18h
		mov	[ebp+var_270], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_278]
		mov	[ebp+var_274], ecx
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_254]
		mov	[ebp+var_26C], 240h
		push	eax
		mov	[ebp+var_268], ecx
		mov	[ebp+var_264], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9F603F
		push	[ebp+var_254]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)
		push	[ebp+var_254]
		call	_ZwClose@4	; ZwClose(x)

loc_9F600A:				; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x,x,x)+28Cj
		test	esi, esi
		js	short loc_9F603F
		lea	eax, [ebp+var_258]
		push	eax
		push	28h
		lea	eax, [ebp+var_34]
		push	eax
		push	4
		push	[ebp+var_250]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9F603F
		cmp	[ebp+var_28], 0
		jnz	short loc_9F603F
		push	[ebp+var_250]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)

loc_9F603F:				; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x,x,x)+1FCj
					; EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x,x,x)+216j ...
		push	[ebp+var_250]
		call	_ZwClose@4	; ZwClose(x)

loc_9F604A:				; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x,x,x)+10Cj
		push	50777445h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_9F6057:				; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x,x,x)+AAj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_9F6068:				; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x,x,x)+13Bj
					; EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x,x,x)+150j
		cmp	esi, 0C0000023h
		jz	short loc_9F6078
		cmp	esi, 80000005h
		jnz	short loc_9F607A

loc_9F6078:				; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x,x,x)+278j
		xor	esi, esi

loc_9F607A:				; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x,x,x)+178j
					; EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x,x,x)+280j
		test	esi, esi
		jns	loc_9F5F0B
		jmp	short loc_9F600A
_EtwpRemoveMicroarchitecturalPmcFromPmcGroup@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpRemoveMicroarchitecturalPmcFromRegistry(void *)
_EtwpRemoveMicroarchitecturalPmcFromRegistry@12	proc near
					; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+673p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	[esp+18h+var_8], edx
		mov	[esp+18h+var_4], ecx
		call	KiGetCpuVendor
		mov	esi, offset ??_C@_1IK@FCPDDGMM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		mov	ebx, eax
		lea	eax, [esi+2]

loc_9F60A9:				; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromRegistry(x,x,x)+2Ej
		mov	cx, [esi]
		add	esi, 2
		test	cx, cx
		jnz	short loc_9F60A9
		sub	esi, eax
		sar	esi, 1
		push	50777445h
		lea	edi, ds:202h[esi*2]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9F60D9
		mov	eax, 0C0000017h
		jmp	short loc_9F6109
; 

loc_9F60D9:				; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromRegistry(x,x,x)+4Cj
		push	esi		; int
		push	edi		; int
		push	[ebp+arg_0]	; void *
		mov	edx, ebx
		call	_EtwpFindMatchingPmcRegistryGroup@20 ; EtwpFindMatchingPmcRegistryGroup(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9F60FC
		push	[esp+18h+var_8]
		mov	edx, [esp+1Ch+var_4]
		mov	ecx, esi
		call	_EtwpRemoveMicroarchitecturalPmcFromPmcGroup@12	; EtwpRemoveMicroarchitecturalPmcFromPmcGroup(x,x,x)
		mov	edi, eax

loc_9F60FC:				; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromRegistry(x,x,x)+65j
		push	50777445h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi

loc_9F6109:				; CODE XREF: EtwpRemoveMicroarchitecturalPmcFromRegistry(x,x,x)+53j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_EtwpRemoveMicroarchitecturalPmcFromRegistry@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdatePmcCounters(x, x,	x)
_EtwpUpdatePmcCounters@12 proc near	; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+371p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	20h
		push	offset dword_6A9D90
		call	__SEH_prolog4
		mov	ebx, edx
		mov	esi, ecx
		mov	eax, ds:_KeNumberProcessors
		mov	[ebp+var_28], eax
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	loc_9F6236
		cmp	edi, ds:_EtwpMaxPmcCounter
		ja	loc_9F6236
		cmp	dword ptr [esi+0E0h], 1
		jz	loc_9F6236
		cmp	dword ptr [esi+2BCh], 0
		jnz	short loc_9F6164
		call	_EtwpAllocatePmcData@4 ; EtwpAllocatePmcData(x)
		test	eax, eax
		jnz	loc_9F623B

loc_9F6164:				; CODE XREF: EtwpUpdatePmcCounters(x,x,x)+43j
		mov	eax, [esi+2BCh]
		mov	[ebp+arg_0], eax
		cmp	dword ptr [eax+10h], 0
		jz	short loc_9F617D
		mov	eax, 0C0000303h
		jmp	loc_9F623B
; 

loc_9F617D:				; CODE XREF: EtwpUpdatePmcCounters(x,x,x)+5Fj
		and	[ebp+ms_exc.disabled], 0
		xor	edx, edx

loc_9F6183:				; CODE XREF: EtwpUpdatePmcCounters(x,x,x)+84j
		mov	[ebp+var_24], edx
		cmp	edx, edi
		jnb	short loc_9F6198
		mov	ecx, [ebx+edx*4]
		mov	eax, [eax]
		mov	[eax+edx*4], ecx
		inc	edx
		mov	eax, [ebp+arg_0]
		jmp	short loc_9F6183
; 

loc_9F6198:				; CODE XREF: EtwpUpdatePmcCounters(x,x,x)+76j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ecx, ecx
		mov	[ebp+var_20], ecx
		xor	ebx, ebx
		push	14h
		pop	edx

loc_9F61A9:				; CODE XREF: EtwpUpdatePmcCounters(x,x,x)+C2j
		mov	[ebp+var_1C], edx
		cmp	ebx, [ebp+var_28]
		jnb	short loc_9F61D6
		add	eax, edx
		push	eax
		push	edi
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax]
		push	ebx
		call	off_6B1330	; xHalAllocatePmcCounterSet(x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		mov	eax, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_9F61F8
		inc	ebx
		mov	edx, [ebp+var_1C]
		add	edx, 4
		jmp	short loc_9F61A9
; 

loc_9F61D6:				; CODE XREF: EtwpUpdatePmcCounters(x,x,x)+9Dj
		test	ecx, ecx
		jnz	short loc_9F61F8
		mov	[eax+10h], edi
		and	[ebp+var_2C], ecx
		xor	edx, edx
		lea	eax, [ebp+var_2C]
		lock or	[eax], edx
		mov	edx, 800h
		lea	eax, [esi+258h]
		lock or	[eax], edx
		jmp	short loc_9F6215
; 

loc_9F61F8:				; CODE XREF: EtwpUpdatePmcCounters(x,x,x)+B9j
					; EtwpUpdatePmcCounters(x,x,x)+C6j
		xor	edi, edi
		lea	esi, [eax+14h]

loc_9F61FD:				; CODE XREF: EtwpUpdatePmcCounters(x,x,x)+FEj
		cmp	edi, ebx
		jnb	short loc_9F6212
		push	dword ptr [esi]
		call	off_6B1338	; PopPdcCallback(x)
		and	dword ptr [esi], 0
		inc	edi
		add	esi, 4
		jmp	short loc_9F61FD
; 

loc_9F6212:				; CODE XREF: EtwpUpdatePmcCounters(x,x,x)+EDj
		mov	ecx, [ebp+var_20]

loc_9F6215:				; CODE XREF: EtwpUpdatePmcCounters(x,x,x)+E4j
		mov	eax, ecx
		jmp	short loc_9F623B
; 

loc_9F6219:				; DATA XREF: .text:006A9DA4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F6227:				; DATA XREF: .text:006A9DA8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_30]
		jmp	short loc_9F623B
; 

loc_9F6236:				; CODE XREF: EtwpUpdatePmcCounters(x,x,x)+1Dj
					; EtwpUpdatePmcCounters(x,x,x)+29j ...
		mov	eax, 0C000000Dh

loc_9F623B:				; CODE XREF: EtwpUpdatePmcCounters(x,x,x)+4Cj
					; EtwpUpdatePmcCounters(x,x,x)+66j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpUpdatePmcCounters@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdatePmcEvents(x, x, x)
_EtwpUpdatePmcEvents@12	proc near	; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+37Dp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	14h
		push	offset dword_6A9DB0
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_1C], eax
		mov	edi, ecx
		xor	esi, esi
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jnz	short loc_9F6273

loc_9F6269:				; CODE XREF: EtwpUpdatePmcEvents(x,x,x)+29j
		mov	esi, 0C000000Dh
		jmp	loc_9F62FA
; 

loc_9F6273:				; CODE XREF: EtwpUpdatePmcEvents(x,x,x)+1Aj
		cmp	ebx, 4
		ja	short loc_9F6269
		cmp	[edi+2BCh], esi
		jnz	short loc_9F628E
		call	_EtwpAllocatePmcData@4 ; EtwpAllocatePmcData(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9F62FA
		mov	eax, [ebp+var_1C]

loc_9F628E:				; CODE XREF: EtwpUpdatePmcEvents(x,x,x)+31j
		mov	ecx, [edi+2BCh]
		cmp	dword ptr [ecx+4], 0
		jbe	short loc_9F629F
		mov	esi, 0C0000303h

loc_9F629F:				; CODE XREF: EtwpUpdatePmcEvents(x,x,x)+4Bj
		and	[ebp+ms_exc.disabled], 0
		xor	edx, edx

loc_9F62A5:				; CODE XREF: EtwpUpdatePmcEvents(x,x,x)+72j
		mov	[ebp+var_20], edx
		cmp	edx, ebx
		jnb	short loc_9F62C1
		mov	cx, [eax+edx*4]
		mov	eax, [edi+2BCh]
		mov	[eax+edx*2+8], cx
		inc	edx
		mov	eax, [ebp+var_1C]
		jmp	short loc_9F62A5
; 

loc_9F62C1:				; CODE XREF: EtwpUpdatePmcEvents(x,x,x)+5Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		and	[ebp+arg_0], 0
		xor	ecx, ecx
		lea	eax, [ebp+arg_0]
		lock or	[eax], ecx
		mov	eax, [edi+2BCh]
		mov	[eax+4], ebx
		jmp	short loc_9F62FA
; 

loc_9F62DF:				; DATA XREF: .text:006A9DC4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F62ED:				; DATA XREF: .text:006A9DC8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_24]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9F62FA:				; CODE XREF: EtwpUpdatePmcEvents(x,x,x)+21j
					; EtwpUpdatePmcEvents(x,x,x)+3Cj ...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpUpdatePmcEvents@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUserInAdminOrLogUsersGroup()
_EtwpUserInAdminOrLogUsersGroup@0 proc near
					; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+456p
					; EtwSetPerformanceTraceInformation(x,x,x)+5A7p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		lea	eax, [ebp-1]
		mov	[ebp+var_C], 500h
		push	eax
		push	ds:_SeAliasAdminsSid
		xor	ebx, ebx
		push	ebx
		mov	byte ptr [ebp+var_1], bl
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		call	_RtlCheckTokenMembership@12 ; RtlCheckTokenMembership(x,x,x)
		test	eax, eax
		js	short loc_9F6342
		cmp	byte ptr [ebp+var_1], bl
		jnz	short loc_9F6385

loc_9F6342:				; CODE XREF: EtwpUserInAdminOrLogUsersGroup()+2Dj
		lea	eax, [ebp+var_8]
		mov	[ebp+var_18], 20h
		push	eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], 22Eh
		push	eax
		lea	ecx, [ebp+var_10]
		call	_RtlAllocateAndInitializeSidEx@16 ; RtlAllocateAndInitializeSidEx(x,x,x,x)
		test	eax, eax
		js	short loc_9F6389
		lea	eax, [ebp+var_1]
		push	eax
		push	[ebp+var_8]
		push	ebx
		call	_RtlCheckTokenMembership@12 ; RtlCheckTokenMembership(x,x,x)
		push	ebx
		push	[ebp+var_8]
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	short loc_9F6389
		cmp	byte ptr [ebp+var_1], bl
		jz	short loc_9F6389

loc_9F6385:				; CODE XREF: EtwpUserInAdminOrLogUsersGroup()+32j
		mov	al, 1
		jmp	short loc_9F638B
; 

loc_9F6389:				; CODE XREF: EtwpUserInAdminOrLogUsersGroup()+54j
					; EtwpUserInAdminOrLogUsersGroup()+70j	...
		xor	al, al

loc_9F638B:				; CODE XREF: EtwpUserInAdminOrLogUsersGroup()+79j
		pop	esi
		pop	ebx
		leave
		retn
_EtwpUserInAdminOrLogUsersGroup@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCapturePreviousRegistryData(x)
_EtwpCapturePreviousRegistryData@4 proc	near ; CODE XREF: EtwpRegTraceCallback(x,x,x)+1B7p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		xor	ecx, ecx
		push	esi
		push	edi
		mov	[ebp+var_4], ecx
		mov	edi, ecx
		mov	edx, [ebx+4]
		mov	esi, [ebx]
		mov	[ebp+var_8], ecx
		mov	eax, [edx]
		mov	[ebp+var_10], eax
		mov	eax, [edx+4]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		push	ds:_CmKeyObjectType
		push	20019h
		push	ecx
		push	200h
		push	esi
		call	ObOpenObjectByPointer
		mov	esi, [ebp+var_8]
		test	eax, eax
		js	short loc_9F643A

loc_9F63D9:				; CODE XREF: EtwpCapturePreviousRegistryData(x)+8Dj
					; EtwpCapturePreviousRegistryData(x)+94j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_9F6405
		test	edi, edi
		jz	short loc_9F63EF
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]

loc_9F63EF:				; CODE XREF: EtwpCapturePreviousRegistryData(x)+53j
		push	31777445h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_9F643A
		mov	eax, [ebp+var_4]

loc_9F6405:				; CODE XREF: EtwpCapturePreviousRegistryData(x)+4Fj
		lea	ecx, [ebp+var_4]
		push	ecx
		push	eax
		push	edi
		push	2
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		cmp	eax, 80000005h
		jz	short loc_9F63D9
		cmp	eax, 0C0000023h
		jz	short loc_9F63D9
		test	eax, eax
		js	short loc_9F642E
		mov	[ebx+18h], edi
		jmp	short loc_9F643A
; 

loc_9F642E:				; CODE XREF: EtwpCapturePreviousRegistryData(x)+98j
		test	edi, edi
		jz	short loc_9F643A
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F643A:				; CODE XREF: EtwpCapturePreviousRegistryData(x)+48j
					; EtwpCapturePreviousRegistryData(x)+71j ...
		test	esi, esi
		jz	short loc_9F6444
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_9F6444:				; CODE XREF: EtwpCapturePreviousRegistryData(x)+ADj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCapturePreviousRegistryData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCaptureRegistryData(x, x, x)
_EtwpCaptureRegistryData@12 proc near	; CODE XREF: EtwpRegTraceCallback(x,x,x)+102p
					; EtwpRegTraceCallback(x,x,x)+256p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0Ch
		push	offset dword_6A9F60
		call	__SEH_prolog4
		mov	ebx, edx
		mov	[ebp+var_1C], ecx
		xor	edi, edi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_9F64B5
		mov	eax, 800h
		cmp	esi, eax
		jbe	short loc_9F646E
		mov	esi, eax

loc_9F646E:				; CODE XREF: EtwpCaptureRegistryData(x,x,x)+21j
		push	31777445h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+arg_0], edi
		test	edi, edi
		jnz	short loc_9F6488
		xor	esi, esi
		jmp	short loc_9F64B5
; 

loc_9F6488:				; CODE XREF: EtwpCaptureRegistryData(x,x,x)+39j
		and	[ebp+ms_exc.disabled], 0
		push	esi		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_9F64AE
; 

loc_9F6499:				; DATA XREF: .text:006A9F74o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9F649D:				; DATA XREF: .text:006A9F78o
		mov	esp, [ebp+ms_exc.old_esp]
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		xor	edi, edi

loc_9F64AE:				; CODE XREF: EtwpCaptureRegistryData(x,x,x)+4Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_9F64B5:				; CODE XREF: EtwpCaptureRegistryData(x,x,x)+18j
					; EtwpCaptureRegistryData(x,x,x)+3Dj
		mov	ecx, [ebp+var_1C]
		mov	[ecx], edi
		mov	ax, si
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpCaptureRegistryData@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpRegTraceCallback(x, x, x)
_EtwpRegTraceCallback@12 proc near	; DATA XREF: EtwpRegTraceEnableCallback(x,x,x,x,x,x,x,x,x)+63o

var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_141		= byte ptr -141h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= byte ptr -104h
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 154h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+154h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_8]
		xor	eax, eax
		push	esi
		push	edi
		xor	edx, edx
		lea	edi, [esp+160h+var_108]
		stosd
		mov	ecx, edx
		and	[esp+160h+var_124], ecx
		push	2
		mov	[esp+164h+var_12C], ecx
		stosd
		mov	[esp+164h+var_120], ecx
		mov	[esp+164h+var_154], edx
		mov	[esp+164h+var_118], edx
		stosd
		mov	[esp+164h+var_130], edx
		mov	[esp+164h+var_128], edx
		mov	[esp+164h+var_114], edx
		stosd
		mov	eax, [ebp+arg_4]
		mov	[esp+164h+var_134], edx
		mov	[esp+164h+var_13C], edx
		mov	[esp+164h+var_14C], edx
		mov	[esp+164h+var_11C], edx
		mov	[esp+164h+var_140], edx
		mov	[esp+164h+var_10C], edx
		mov	[esp+164h+var_110], edx
		mov	[esp+164h+var_150], edx
		mov	[esp+164h+var_138], edx
		pop	ecx
		cmp	eax, 16h
		jg	loc_9F67B0
		jz	loc_9F678C
		cmp	eax, 11h
		jg	loc_9F66B4
		jz	loc_9F6690
		sub	eax, 1
		jz	loc_9F6673
		sub	eax, 0Dh
		jz	loc_9F665A
		sub	eax, 1
		jz	short loc_9F65F1
		sub	eax, 1
		jnz	loc_9F6C1E
		mov	edx, [ebx+8]
		lea	edi, [esp+160h+var_108]
		mov	esi, offset _ETW_REGISTRY_EVENT_SET_VALUE_KEY
		mov	[esp+160h+var_148], ebx
		movsd
		movsd
		movsd
		movsd
		mov	edi, [edx+4]
		mov	eax, [edx+0Ch]
		mov	[esp+160h+var_134], eax
		mov	eax, [ebx]
		mov	[esp+160h+var_14C], eax
		mov	eax, ds:_EtwpRegTraceOptions
		mov	ecx, [edx+14h]
		and	eax, 2
		or	eax, 0
		mov	[esp+160h+var_130], edi
		mov	[esp+160h+var_13C], ecx
		jz	short loc_9F65DF
		cmp	dword ptr [ebx+4], 0
		jl	short loc_9F65DF
		mov	edx, [edx+10h]
		push	ecx
		lea	ecx, [esp+164h+var_140]
		call	_EtwpCaptureRegistryData@12 ; EtwpCaptureRegistryData(x,x,x)
		movzx	esi, ax
		mov	[esp+160h+var_138], esi
		jmp	short loc_9F65E3
; 

loc_9F65DF:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+F2j
					; EtwpRegTraceCallback(x,x,x)+F8j
		mov	esi, [esp+160h+var_150]

loc_9F65E3:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+10Ej
		mov	eax, [ebx+10h]
		mov	ebx, 0F1h
		mov	[esp+160h+var_118], eax
		jmp	short loc_9F6613
; 

loc_9F65F1:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+ADj
		mov	eax, [ebx+8]
		lea	edi, [esp+160h+var_108]
		mov	esi, offset _ETW_REGISTRY_EVENT_DELETE_KEY
		mov	[esp+160h+var_148], ebx
		movsd
		movsd
		movsd
		movsd
		mov	eax, [eax]

loc_9F6607:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+1A2j
		mov	[esp+160h+var_14C], eax

loc_9F660B:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+248j
					; EtwpRegTraceCallback(x,x,x)+2B2j
		mov	esi, [esp+160h+var_150]

loc_9F660F:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+262j
		mov	ebx, [esp+160h+var_154]

loc_9F6613:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+120j
					; EtwpRegTraceCallback(x,x,x)+3A1j
		mov	eax, ds:_EtwpRegTraceOptions
		and	eax, 1
		or	eax, 0
		jz	loc_9F6901
		cmp	[esp+160h+var_14C], 0
		mov	[esp+160h+var_141], 1
		jz	loc_9F6906
		lea	eax, [esp+160h+var_120]
		push	eax
		push	0
		push	[esp+168h+var_14C]
		push	offset _EtwpRegTraceCookie
		call	_CmCallbackGetKeyObjectID@16 ; CmCallbackGetKeyObjectID(x,x,x,x)
		mov	eax, [esp+160h+var_120]
		mov	esi, [esp+160h+var_138]
		mov	[esp+160h+var_12C], eax
		jmp	loc_9F6906
; 

loc_9F665A:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+A4j
		mov	[esp+160h+var_148], 1
		mov	esi, offset _ETW_REGISTRY_EVENT_CLOSE_KEY

loc_9F6667:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+316j
					; EtwpRegTraceCallback(x,x,x)+324j ...
		lea	edi, [esp+160h+var_108]
		movsd
		movsd
		movsd
		movsd

loc_9F666F:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+1E3j
		mov	eax, [ebx]
		jmp	short loc_9F6607
; 

loc_9F6673:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+9Bj
		mov	eax, ds:_EtwpRegTraceOptions
		and	eax, 4
		or	eax, 0
		jz	loc_9F6C1E
		mov	ecx, ebx
		call	_EtwpCapturePreviousRegistryData@4 ; EtwpCapturePreviousRegistryData(x)
		jmp	loc_9F6C1E
; 

loc_9F6690:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+92j
		mov	esi, offset _ETW_REGISTRY_EVENT_DELETE_VALUE_KEY
		mov	[esp+160h+var_148], ebx
		lea	edi, [esp+160h+var_108]
		xor	eax, eax
		inc	eax
		mov	[esp+160h+var_154], eax
		mov	eax, [ebx+8]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [eax+4]
		mov	[esp+160h+var_130], edi
		jmp	short loc_9F666F
; 

loc_9F66B4:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+8Cj
		sub	eax, 12h
		jz	loc_9F673D
		sub	eax, ecx
		jz	short loc_9F6736
		sub	eax, 1
		jnz	loc_9F6C1E
		mov	esi, offset _ETW_REGISTRY_EVENT_ENUMERATE_VALUE_KEY

loc_9F66CF:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+26Cj
		mov	edx, [ebx+8]
		lea	edi, [esp+160h+var_108]
		mov	eax, [ebx]
		movsd
		mov	[esp+160h+var_14C], eax
		push	78h
		mov	[esp+164h+var_148], ebx
		movsd
		movsd
		movsd
		mov	eax, [edx+4]
		mov	[esp+164h+var_128], eax
		mov	eax, [edx+8]
		mov	[esp+164h+var_134], eax
		mov	eax, [edx+14h]
		mov	ecx, [eax]
		pop	eax
		mov	[esp+160h+var_154], eax
		mov	eax, ds:_EtwpRegTraceOptions
		and	eax, 2
		mov	[esp+160h+var_13C], ecx
		or	eax, 0
		jz	loc_9F68FA

loc_9F6713:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+417j
		cmp	dword ptr [ebx+4], 0
		jl	loc_9F660B
		mov	edx, [edx+0Ch]

loc_9F6720:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+2BBj
		push	ecx
		lea	ecx, [esp+164h+var_140]
		call	_EtwpCaptureRegistryData@12 ; EtwpCaptureRegistryData(x,x,x)
		movzx	esi, ax
		mov	[esp+160h+var_138], esi
		jmp	loc_9F660F
; 

loc_9F6736:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+1F0j
		mov	esi, offset _ETW_REGISTRY_EVENT_ENUMERATE_KEY
		jmp	short loc_9F66CF
; 

loc_9F673D:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+1E8j
		mov	edx, [ebx+8]
		lea	edi, [esp+160h+var_108]
		mov	eax, [ebx]
		mov	esi, offset _ETW_REGISTRY_EVENT_SET_INFORMATION_KEY
		mov	[esp+160h+var_14C], eax
		movsd
		movsd
		movsd
		movsd
		mov	eax, [edx+4]
		mov	[esp+160h+var_134], eax
		mov	ecx, [edx+0Ch]

loc_9F675D:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+2DFj
		push	70h
		pop	eax
		mov	[esp+160h+var_154], eax
		mov	eax, ds:_EtwpRegTraceOptions
		and	eax, 2
		mov	[esp+160h+var_148], ebx
		or	eax, 0
		mov	[esp+160h+var_13C], ecx
		jz	loc_9F68F3
		cmp	dword ptr [ebx+4], 0
		jl	loc_9F660B
		mov	edx, [edx+8]
		jmp	short loc_9F6720
; 

loc_9F678C:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+83j
		mov	edx, [ebx+8]
		lea	edi, [esp+160h+var_108]
		mov	eax, [ebx]
		mov	esi, offset _ETW_REGISTRY_EVENT_QUERY_KEY
		mov	[esp+160h+var_14C], eax
		movsd
		movsd
		movsd
		movsd
		mov	eax, [edx+4]
		mov	[esp+160h+var_134], eax
		mov	eax, [edx+10h]
		mov	ecx, [eax]
		jmp	short loc_9F675D
; 

loc_9F67B0:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+7Dj
		sub	eax, 17h
		jz	loc_9F68A3
		sub	eax, 1
		jz	loc_9F6875
		sub	eax, 3
		jz	short loc_9F6834
		sub	eax, ecx
		jz	short loc_9F6806
		sub	eax, ecx
		jz	short loc_9F67F8
		sub	eax, 6
		jz	short loc_9F67EA
		sub	eax, ecx
		jnz	loc_9F6C1E
		mov	[esp+160h+var_148], ebx
		mov	esi, offset _ETW_REGISTRY_EVENT_SET_SECURITY_KEY
		jmp	loc_9F6667
; 

loc_9F67EA:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+303j
		mov	[esp+160h+var_148], ebx
		mov	esi, offset _ETW_REGISTRY_EVENT_QUERY_SECURITY_KEY
		jmp	loc_9F6667
; 

loc_9F67F8:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+2FEj
		mov	[esp+160h+var_148], ebx
		mov	esi, offset _ETW_REGISTRY_EVENT_FLUSH_KEY
		jmp	loc_9F6667
; 

loc_9F6806:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+2FAj
		lea	edi, [esp+160h+var_108]
		mov	eax, [ebx+8]
		mov	esi, offset _ETW_REGISTRY_EVENT_OPEN_KEY
		mov	[esp+160h+var_148], ebx
		movsd
		movsd
		movsd
		movsd
		mov	ecx, [eax+4]
		mov	[esp+160h+var_14C], ecx
		cmp	[ebx+4], edx
		jl	short loc_9F682C
		mov	ecx, [ebx]
		mov	[esp+160h+var_11C], ecx

loc_9F682C:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+355j
		mov	edi, [eax]
		mov	[esp+160h+var_130], edi
		jmp	short loc_9F6869
; 

loc_9F6834:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+2F6j
		lea	edi, [esp+160h+var_108]
		mov	eax, [ebx+8]
		mov	esi, offset _ETW_REGISTRY_EVENT_CREATE_KEY
		mov	[esp+160h+var_148], ebx
		movsd
		movsd
		movsd
		movsd
		mov	ecx, [eax+4]
		mov	[esp+160h+var_14C], ecx
		cmp	[ebx+4], edx
		jl	short loc_9F6863
		mov	ecx, [eax+24h]
		mov	ecx, [ecx]
		mov	[esp+160h+var_114], ecx
		mov	ecx, [ebx]
		mov	[esp+160h+var_11C], ecx

loc_9F6863:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+383j
		mov	eax, [eax]
		mov	[esp+160h+var_130], eax

loc_9F6869:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+363j
		push	7

loc_9F686B:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+3D2j
					; EtwpRegTraceCallback(x,x,x)+41Fj ...
		mov	esi, [esp+164h+var_150]
		pop	ebx
		jmp	loc_9F6613
; 

loc_9F6875:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+2EDj
		mov	eax, [ebx+8]
		lea	edi, [esp+160h+var_108]
		mov	ecx, [ebx]
		mov	esi, offset _ETW_REGISTRY_EVENT_QUERY_MULTIPLE_VALUE_KEY
		mov	[esp+160h+var_14C], ecx
		mov	[esp+160h+var_148], ebx
		push	28h
		movsd
		movsd
		movsd
		movsd
		mov	ecx, [eax+8]
		mov	[esp+164h+var_128], ecx
		mov	eax, [eax+10h]
		mov	eax, [eax]
		mov	[esp+164h+var_13C], eax
		jmp	short loc_9F686B
; 

loc_9F68A3:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+2E4j
		mov	edx, [ebx+8]
		lea	edi, [esp+160h+var_108]
		mov	esi, offset _ETW_REGISTRY_EVENT_QUERY_VALUE_KEY
		mov	[esp+160h+var_148], ebx
		push	71h
		movsd
		movsd
		movsd
		movsd
		mov	eax, [edx+4]
		mov	[esp+164h+var_130], eax
		mov	eax, [ebx]
		mov	[esp+164h+var_14C], eax
		mov	eax, [edx+8]
		mov	[esp+164h+var_134], eax
		mov	eax, [edx+14h]
		mov	ecx, [eax]
		pop	eax
		mov	[esp+160h+var_154], eax
		mov	eax, ds:_EtwpRegTraceOptions
		and	eax, 2
		mov	[esp+160h+var_13C], ecx
		or	eax, 0
		jnz	loc_9F6713
		push	71h
		jmp	loc_9F686B
; 

loc_9F68F3:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+2A8j
		push	70h
		jmp	loc_9F686B
; 

loc_9F68FA:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+23Ej
		push	78h
		jmp	loc_9F686B
; 

loc_9F6901:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+14Fj
		mov	[esp+160h+var_141], 0

loc_9F6906:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+15Fj
					; EtwpRegTraceCallback(x,x,x)+186j
		and	[esp+160h+var_F4], 0
		lea	eax, [esp+160h+var_14C]
		and	[esp+160h+var_EC], 0
		push	4
		pop	ecx
		mov	[esp+160h+var_F8], eax
		mov	[esp+160h+var_F0], ecx
		test	bl, cl
		jnz	short loc_9F692B
		push	2
		lea	eax, [esp+164h+var_E8]
		jmp	short loc_9F6950
; 

loc_9F692B:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+452j
		and	[esp+160h+var_E4], 0
		lea	eax, [esp+160h+var_11C]
		and	[esp+160h+var_DC], 0
		mov	[esp+160h+var_E8], eax
		lea	eax, [esp+160h+var_D8]
		mov	[esp+160h+var_E0], ecx
		push	3

loc_9F6950:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+45Aj
		mov	edi, [esp+164h+var_148]
		pop	edx
		lea	ecx, [edi+4]
		cmp	edi, 1
		jnz	short loc_9F6962
		mov	ecx, offset _EtwpNull

loc_9F6962:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+48Cj
		mov	[eax], ecx
		and	dword ptr [eax+4], 0
		mov	dword ptr [eax+8], 4
		and	dword ptr [eax+0Ch], 0
		test	bl, 8
		jz	short loc_9F6997
		mov	eax, edx
		lea	ecx, [esp+160h+var_128]
		add	eax, eax
		and	[esp+eax*8+160h+var_F4], 0
		and	[esp+eax*8+160h+var_EC], 0
		inc	edx
		mov	[esp+eax*8+160h+var_F8], ecx
		mov	[esp+eax*8+160h+var_F0], 4

loc_9F6997:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+4A7j
		test	bl, 10h
		jz	short loc_9F69BB
		mov	eax, edx
		lea	ecx, [esp+160h+var_134]
		add	eax, eax
		and	[esp+eax*8+160h+var_F4], 0
		and	[esp+eax*8+160h+var_EC], 0
		inc	edx
		mov	[esp+eax*8+160h+var_F8], ecx
		mov	[esp+eax*8+160h+var_F0], 4

loc_9F69BB:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+4CBj
		test	bl, 2
		jz	short loc_9F69DF
		mov	eax, edx
		lea	ecx, [esp+160h+var_114]
		add	eax, eax
		and	[esp+eax*8+160h+var_F4], 0
		and	[esp+eax*8+160h+var_EC], 0
		inc	edx
		mov	[esp+eax*8+160h+var_F8], ecx
		mov	[esp+eax*8+160h+var_F0], 4

loc_9F69DF:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+4EFj
		test	bl, 20h
		jz	short loc_9F6A03
		mov	eax, edx
		lea	ecx, [esp+160h+var_13C]
		add	eax, eax
		and	[esp+eax*8+160h+var_F4], 0
		and	[esp+eax*8+160h+var_EC], 0
		inc	edx
		mov	[esp+eax*8+160h+var_F8], ecx
		mov	[esp+eax*8+160h+var_F0], 4

loc_9F6A03:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+513j
		cmp	[esp+160h+var_141], 1
		jnz	short loc_9F6A46
		mov	ecx, [esp+160h+var_12C]
		test	ecx, ecx
		jz	short loc_9F6A46
		mov	eax, [ecx+4]
		mov	[esp+160h+var_12C], eax
		test	eax, eax
		jz	short loc_9F6A46
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_9F6A46
		mov	edi, [esp+160h+var_12C]
		mov	ecx, eax
		mov	eax, edx
		add	eax, eax
		and	[esp+eax*8+160h+var_F4], 0
		and	[esp+eax*8+160h+var_EC], 0
		inc	edx
		mov	[esp+eax*8+160h+var_F8], edi
		mov	edi, [esp+160h+var_148]
		mov	[esp+eax*8+160h+var_F0], ecx

loc_9F6A46:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+539j
					; EtwpRegTraceCallback(x,x,x)+541j ...
		mov	eax, edx
		add	eax, eax
		and	[esp+eax*8+160h+var_F4], 0
		and	[esp+eax*8+160h+var_EC], 0
		inc	edx
		mov	[esp+eax*8+160h+var_F8], offset	_EtwpNull
		mov	[esp+eax*8+160h+var_F0], 2
		test	bl, 1
		jz	short loc_9F6ACC
		mov	ecx, [esp+160h+var_130]
		test	ecx, ecx
		jz	short loc_9F6AAD
		mov	eax, [ecx+4]
		mov	[esp+160h+var_12C], eax
		test	eax, eax
		jz	short loc_9F6AAD
		movzx	eax, word ptr [ecx]
		mov	ecx, eax
		mov	[esp+160h+var_120], ecx
		test	ax, ax
		jz	short loc_9F6AAD
		mov	eax, [esp+160h+var_12C]
		mov	ecx, edx
		add	ecx, ecx
		and	[esp+ecx*8+160h+var_F4], 0
		and	[esp+ecx*8+160h+var_EC], 0
		inc	edx
		mov	[esp+ecx*8+160h+var_F8], eax
		mov	eax, [esp+160h+var_120]
		movzx	eax, ax
		mov	[esp+ecx*8+160h+var_F0], eax

loc_9F6AAD:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+5A1j
					; EtwpRegTraceCallback(x,x,x)+5ACj ...
		mov	eax, edx
		add	eax, eax
		and	[esp+eax*8+160h+var_F4], 0
		and	[esp+eax*8+160h+var_EC], 0
		inc	edx
		mov	[esp+eax*8+160h+var_F8], offset	_EtwpNull
		mov	[esp+eax*8+160h+var_F0], 2

loc_9F6ACC:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+599j
		test	bl, 40h
		jz	short loc_9F6B13
		mov	eax, edx
		lea	ecx, [esp+160h+var_138]
		add	eax, eax
		and	[esp+eax*8+160h+var_F4], 0
		and	[esp+eax*8+160h+var_EC], 0
		inc	edx
		mov	[esp+eax*8+160h+var_F8], ecx
		mov	[esp+eax*8+160h+var_F0], 2
		test	si, si
		jz	short loc_9F6B13
		mov	eax, [esp+160h+var_140]
		mov	ecx, edx
		add	ecx, ecx
		and	[esp+ecx*8+160h+var_F4], 0
		and	[esp+ecx*8+160h+var_EC], 0
		inc	edx
		mov	[esp+ecx*8+160h+var_F8], eax
		movzx	eax, si
		mov	[esp+ecx*8+160h+var_F0], eax

loc_9F6B13:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+600j
					; EtwpRegTraceCallback(x,x,x)+624j
		test	bl, bl
		mov	ebx, [esp+160h+var_118]
		jns	loc_9F6BCD
		test	ebx, ebx
		jz	short loc_9F6B41
		mov	ecx, [ebx+8]
		mov	[esp+160h+var_10C], ecx
		mov	eax, [ebx+4]
		mov	[esp+160h+var_110], eax
		mov	eax, 800h
		cmp	ecx, eax
		ja	short loc_9F6B3D
		movzx	eax, cx

loc_9F6B3D:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+669j
		mov	[esp+160h+var_124], eax

loc_9F6B41:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+652j
		mov	eax, edx
		lea	ecx, [esp+160h+var_110]
		add	eax, eax
		push	4
		pop	esi
		and	[esp+eax*8+160h+var_F4], 0
		and	[esp+eax*8+160h+var_EC], 0
		mov	[esp+eax*8+160h+var_F8], ecx
		lea	ecx, [esp+160h+var_10C]
		mov	[esp+eax*8+160h+var_F0], esi
		and	[esp+eax*8+160h+var_E4], 0
		and	[esp+eax*8+160h+var_DC], 0
		mov	[esp+eax*8+160h+var_E8], ecx
		lea	ecx, [esp+160h+var_124]
		mov	[esp+eax*8+160h+var_E0], esi
		mov	eax, edx
		mov	esi, [esp+160h+var_124]
		add	eax, eax
		add	edx, 3
		and	[esp+eax*8+160h+var_D4], 0
		and	[esp+eax*8+160h+var_CC], 0
		mov	[esp+eax*8+160h+var_D8], ecx
		mov	[esp+eax*8+160h+var_D0], 2
		test	si, si
		jz	short loc_9F6BCD
		mov	ecx, edx
		lea	eax, [ebx+0Ch]
		add	ecx, ecx
		and	[esp+ecx*8+160h+var_F4], 0
		and	[esp+ecx*8+160h+var_EC], 0
		inc	edx
		mov	[esp+ecx*8+160h+var_F8], eax
		movzx	eax, si
		mov	[esp+ecx*8+160h+var_F0], eax

loc_9F6BCD:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+64Aj
					; EtwpRegTraceCallback(x,x,x)+6DFj
		cmp	edi, 1
		jz	short loc_9F6BDD
		cmp	dword ptr [edi+4], 0
		mov	[esp+160h+var_104], 1
		jl	short loc_9F6BE2

loc_9F6BDD:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+701j
		mov	[esp+160h+var_104], 2

loc_9F6BE2:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+70Cj
		lea	eax, [esp+160h+var_F8]
		push	eax
		push	edx
		push	0
		lea	eax, [esp+16Ch+var_108]
		push	eax
		push	ds:dword_A93DD4
		push	ds:_EtwpRegTraceHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	[esp+160h+var_140], 0
		jz	short loc_9F6C12
		push	0
		push	[esp+164h+var_140]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F6C12:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+736j
		test	ebx, ebx
		jz	short loc_9F6C1E
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F6C1E:				; CODE XREF: EtwpRegTraceCallback(x,x,x)+B2j
					; EtwpRegTraceCallback(x,x,x)+1AFj ...
		mov	ecx, [esp+160h+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_EtwpRegTraceCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpRegTraceEnableCallback(x, x, x,	x, x, x, x, x, x)
_EtwpRegTraceEnableCallback@36 proc near ; DATA	XREF: EtwpInitialize+2BCo

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, [ebp+arg_1C]
		push	ebx
		xor	ebx, ebx
		mov	[esp+10h+var_8], ebx
		mov	[esp+10h+var_4], ebx
		test	eax, eax
		jz	short loc_9F6C69
		cmp	dword ptr [eax+8], 4
		jnz	short loc_9F6C69
		mov	eax, [eax]
		mov	ds:dword_A93DE4, ebx
		mov	eax, [eax]
		mov	ds:_EtwpRegTraceOptions, eax

loc_9F6C69:				; CODE XREF: EtwpRegTraceEnableCallback(x,x,x,x,x,x,x,x,x)+1Bj
					; EtwpRegTraceEnableCallback(x,x,x,x,x,x,x,x,x)+21j
		mov	eax, [ebp+arg_4]
		sub	eax, ebx
		jz	short loc_9F6CB1
		sub	eax, 1
		jnz	short loc_9F6CD0
		cmp	ds:_EtwpRegTracingEnabled, bl
		jnz	short loc_9F6CD0
		push	offset ??_C@_1O@NDIKAOGF@?$AA4?$AA2?$AA5?$AA5?$AA0?$AA0@NNGAKEGL@
		lea	eax, [esp+14h+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _EtwpRegTraceCookie
		push	ebx
		push	ebx
		lea	eax, [esp+1Ch+var_8]
		xor	edx, edx
		push	eax
		mov	ecx, offset _EtwpRegTraceCallback@12 ; EtwpRegTraceCallback(x,x,x)
		call	CmpRegisterCallbackInternal
		test	eax, eax
		js	short loc_9F6CD0
		mov	ds:_EtwpRegTracingEnabled, 1
		jmp	short loc_9F6CD0
; 

loc_9F6CB1:				; CODE XREF: EtwpRegTraceEnableCallback(x,x,x,x,x,x,x,x,x)+37j
		cmp	ds:_EtwpRegTracingEnabled, bl
		jz	short loc_9F6CD0
		push	ds:dword_A93DDC
		push	ds:_EtwpRegTraceCookie
		call	CmUnRegisterCallback
		mov	ds:_EtwpRegTracingEnabled, bl

loc_9F6CD0:				; CODE XREF: EtwpRegTraceEnableCallback(x,x,x,x,x,x,x,x,x)+3Cj
					; EtwpRegTraceEnableCallback(x,x,x,x,x,x,x,x,x)+44j ...
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	24h
_EtwpRegTraceEnableCallback@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTiLogSetContextThread(x,	x, x, x)
_EtwTiLogSetContextThread@16 proc near	; CODE XREF: PspSetContextThreadInternal+169788p

var_2B8		= dword	ptr -2B8h
var_2B0		= dword	ptr -2B0h
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_299		= byte ptr -299h
var_298		= byte ptr -298h
var_294		= dword	ptr -294h
var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_34		= dword	ptr -34h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2B8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	0
		push	0C000h
		push	0
		push	dword_6BC124
		mov	ebx, edx
		mov	[ebp+var_299], cl
		push	_EtwThreatIntProvRegHandle
		mov	dword ptr [ebp+var_298], ebx
		call	EtwProviderEnabled
		test	al, al
		jz	loc_9F6F6C
		mov	eax, large fs:124h
		mov	ebx, [ebx+150h]
		push	esi
		mov	[ebp+var_2A8], ebx
		mov	esi, [eax+80h]
		cmp	esi, ebx
		jz	loc_9F6F6B
		cmp	[ebp+var_299], 0
		push	edi
		mov	edi, offset _THREATINT_SETTHREADCONTEXT_REMOTE_KERNEL_CALLER
		jz	short loc_9F6D52
		mov	edi, offset _THREATINT_SETTHREADCONTEXT_REMOTE

loc_9F6D52:				; CODE XREF: EtwTiLogSetContextThread(x,x,x,x)+74j
		push	edi
		push	dword_6BC124
		push	_EtwThreatIntProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_9F6F6A
		lea	eax, [ebp+var_2B8]
		mov	edx, esi
		push	eax
		lea	ecx, [ebp+var_294]
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, large fs:124h
		mov	esi, eax
		mov	ecx, esi
		lea	eax, [ebp+var_294]
		shl	ecx, 4
		add	ecx, eax
		call	_EtwpTiFillThreadIdentity@8 ; EtwpTiFillThreadIdentity(x,x)
		add	esi, eax
		lea	ecx, [ebp+var_294]
		lea	eax, [ebp+var_2B0]
		mov	edx, ebx
		push	eax
		mov	eax, esi
		shl	eax, 4
		add	ecx, eax
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, dword ptr [ebp+var_298]
		lea	ecx, [ebp+var_294]
		add	esi, eax
		mov	eax, esi
		shl	eax, 4
		add	ecx, eax
		call	_EtwpTiFillThreadIdentity@8 ; EtwpTiFillThreadIdentity(x,x)
		push	0
		add	esi, eax
		push	4000000h
		push	0
		push	dword_6BC124
		mov	[ebp+var_2A4], esi
		add	esi, esi
		mov	ebx, [ebp+var_2A4]
		mov	eax, ebx
		push	_EtwThreatIntProvRegHandle
		shl	eax, 4
		mov	dword ptr [ebp+var_298], eax
		call	EtwProviderEnabled
		test	al, al
		jz	loc_9F6EBB
		push	[ebp+arg_0]	; int
		mov	edx, [ebp+arg_4] ; int
		lea	ecx, [ebp+var_34] ; void *
		call	_EtwpTiParseContextRecord@12 ; EtwpTiParseContextRecord(x,x,x)
		movzx	eax, ax
		lea	ecx, [ebp+var_2A0]
		mov	[ebp+var_2A0], eax
		xor	edx, edx
		lea	eax, [ebp+arg_4]
		mov	[ebp+esi*8+var_290], edx
		mov	[ebp+esi*8+var_294], eax
		mov	eax, dword ptr [ebp+var_298]
		mov	[ebp+esi*8+var_288], edx
		push	4
		pop	ebx
		mov	[ebp+esi*8+var_28C], ebx
		mov	esi, edx
		mov	[ebp+eax+var_284], ecx
		mov	ecx, [ebp+var_2A4]
		mov	[ebp+eax+var_280], edx
		mov	[ebp+eax+var_278], edx
		lea	edx, [ebp+var_288]
		mov	[ebp+eax+var_27C], 2
		lea	eax, [ecx+2]
		shl	eax, 4
		add	edx, eax
		add	ecx, 0Eh
		mov	dword ptr [ebp+var_298], ecx

loc_9F6E95:				; CODE XREF: EtwTiLogSetContextThread(x,x,x,x)+1D8j
		and	dword ptr [edx-8], 0
		lea	eax, [ebp+var_34]
		and	dword ptr [edx], 0
		lea	eax, [eax+esi*4]
		inc	esi
		mov	[edx-0Ch], eax
		mov	[edx-4], ebx
		lea	edx, [edx+10h]
		cmp	esi, 0Ch
		jb	short loc_9F6E95
		mov	esi, dword ptr [ebp+var_298]
		xor	edx, edx
		jmp	short loc_9F6F15
; 

loc_9F6EBB:				; CODE XREF: EtwTiLogSetContextThread(x,x,x,x)+132j
		mov	eax, dword ptr [ebp+var_298]
		lea	ecx, [ebp+var_278]
		xor	edx, edx
		mov	[ebp+esi*8+var_294], offset dword_42E400
		push	0Ch
		add	eax, ecx
		mov	[ebp+esi*8+var_290], edx
		pop	ecx
		mov	[ebp+esi*8+var_28C], 2
		mov	[ebp+esi*8+var_288], edx
		lea	esi, [ebx+0Dh]
		push	4
		mov	[ebp+var_2A0], edx
		pop	ebx

loc_9F6EFE:				; CODE XREF: EtwTiLogSetContextThread(x,x,x,x)+23Cj
		mov	dword ptr [eax-0Ch], offset dword_42E400
		mov	[eax-8], edx
		mov	[eax-4], ebx
		mov	[eax], edx
		lea	eax, [eax+10h]
		sub	ecx, 1
		jnz	short loc_9F6EFE

loc_9F6F15:				; CODE XREF: EtwTiLogSetContextThread(x,x,x,x)+1E2j
		test	byte ptr [ebp+var_2A0],	1
		jz	short loc_9F6F41
		push	edx
		push	8000000h
		push	edx
		push	dword_6BC124
		push	_EtwThreatIntProvRegHandle
		call	EtwProviderEnabled
		mov	[ebp+var_298], 1
		test	al, al
		jnz	short loc_9F6F48

loc_9F6F41:				; CODE XREF: EtwTiLogSetContextThread(x,x,x,x)+245j
		mov	[ebp+var_298], 0

loc_9F6F48:				; CODE XREF: EtwTiLogSetContextThread(x,x,x,x)+268j
		push	dword ptr [ebp+var_298]	; char
		lea	eax, [ebp+var_34]
		push	edi		; int
		push	1		; int
		push	eax		; void *
		push	[ebp+var_2A8]	; int
		lea	ecx, [ebp+var_294]
		push	esi		; int
		push	26h
		pop	edx
		call	_EtwpTiVadQueryEventWrite@32 ; EtwpTiVadQueryEventWrite(x,x,x,x,x,x,x,x)

loc_9F6F6A:				; CODE XREF: EtwTiLogSetContextThread(x,x,x,x)+8Fj
		pop	edi

loc_9F6F6B:				; CODE XREF: EtwTiLogSetContextThread(x,x,x,x)+61j
		pop	esi

loc_9F6F6C:				; CODE XREF: EtwTiLogSetContextThread(x,x,x,x)+40j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwTiLogSetContextThread@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTiLogSuspendResumeProcess(x, x, x, x)
_EtwTiLogSuspendResumeProcess@16 proc near ; CODE XREF:	PsThawProcess+14B264p
					; PsFreezeProcess+14B131p ...

var_114		= dword	ptr -114h
var_10C		= dword	ptr -10Ch
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 114h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_F8], ecx
		mov	[ebp+var_104], eax
		push	edi
		mov	edi, edx
		mov	[ebp+var_100], edi
		test	ecx, ecx
		js	loc_9F70D1
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 1
		jnz	loc_9F70D1
		push	ebx
		mov	ebx, _EtwThreatIntProvRegHandle
		push	esi
		mov	esi, dword_6BC124
		push	0
		push	0C00000h
		push	0
		push	esi
		push	ebx
		call	EtwProviderEnabled
		test	al, al
		jz	loc_9F70CF
		mov	eax, [edi+150h]
		mov	[ebp+var_FC], eax
		mov	eax, [ebp+arg_4]
		sub	eax, 0
		jz	short loc_9F7025
		sub	eax, 1
		jz	short loc_9F701E
		sub	eax, 1
		jz	short loc_9F7017
		sub	eax, 1
		jnz	loc_9F70CF
		mov	edi, offset _THREATINT_THAW_PROCESS
		jmp	short loc_9F702A
; 

loc_9F7017:				; CODE XREF: EtwTiLogSuspendResumeProcess(x,x,x,x)+8Aj
		mov	edi, offset _THREATINT_FREEZE_PROCESS
		jmp	short loc_9F702A
; 

loc_9F701E:				; CODE XREF: EtwTiLogSuspendResumeProcess(x,x,x,x)+85j
		mov	edi, offset _THREATINT_RESUME_PROCESS
		jmp	short loc_9F702A
; 

loc_9F7025:				; CODE XREF: EtwTiLogSuspendResumeProcess(x,x,x,x)+80j
		mov	edi, offset _THREATINT_SUSPEND_PROCESS

loc_9F702A:				; CODE XREF: EtwTiLogSuspendResumeProcess(x,x,x,x)+9Aj
					; EtwTiLogSuspendResumeProcess(x,x,x,x)+A1j ...
		push	edi
		push	esi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	loc_9F70CF
		mov	edx, [ebp+var_FC]
		lea	eax, [ebp+var_F8]
		mov	[ebp+var_F4], eax
		lea	ecx, [ebp+var_E4]
		lea	eax, [ebp+var_114]
		mov	[ebp+var_EC], 4
		xor	ebx, ebx
		push	eax
		mov	[ebp+var_F0], ebx
		mov	[ebp+var_E8], ebx
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, [ebp+var_100]
		lea	esi, [eax+1]
		mov	ecx, esi
		lea	eax, [ebp+var_F4]
		shl	ecx, 4
		add	ecx, eax
		call	_EtwpTiFillThreadIdentity@8 ; EtwpTiFillThreadIdentity(x,x)
		mov	edx, [ebp+var_104]
		lea	ecx, [ebp+var_F4]
		add	esi, eax
		lea	eax, [ebp+var_10C]
		push	eax
		mov	eax, esi
		shl	eax, 4
		add	ecx, eax
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		add	esi, eax
		lea	eax, [ebp+var_F4]
		push	eax
		push	esi
		push	ebx
		push	edi
		push	dword_6BC124
		push	_EtwThreatIntProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9F70CF:				; CODE XREF: EtwTiLogSuspendResumeProcess(x,x,x,x)+68j
					; EtwTiLogSuspendResumeProcess(x,x,x,x)+8Fj ...
		pop	esi
		pop	ebx

loc_9F70D1:				; CODE XREF: EtwTiLogSuspendResumeProcess(x,x,x,x)+2Fj
					; EtwTiLogSuspendResumeProcess(x,x,x,x)+42j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwTiLogSuspendResumeProcess@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTiLogSuspendResumeThread(x, x, x, x)
_EtwTiLogSuspendResumeThread@16	proc near ; CODE XREF: PsResumeThread+167935p
					; PsSuspendThread+1245C4p

var_134		= dword	ptr -134h
var_12C		= dword	ptr -12Ch
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 134h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_118], ecx
		mov	[ebp+var_124], eax
		push	edi
		mov	edi, edx
		mov	[ebp+var_120], edi
		test	ecx, ecx
		js	loc_9F722E
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 1
		jnz	loc_9F722E
		push	ebx
		mov	ebx, _EtwThreatIntProvRegHandle
		push	esi
		mov	esi, dword_6BC124
		push	0
		push	300000h
		push	0
		push	esi
		push	ebx
		call	EtwProviderEnabled
		test	al, al
		jz	loc_9F722C
		cmp	[ebp+arg_4], 0
		mov	eax, [edi+150h]
		mov	edi, offset _THREATINT_SUSPEND_THREAD
		mov	[ebp+var_11C], eax
		jnz	short loc_9F716A
		mov	edi, offset _THREATINT_RESUME_THREAD

loc_9F716A:				; CODE XREF: EtwTiLogSuspendResumeThread(x,x,x,x)+83j
		push	edi
		push	esi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	loc_9F722C
		mov	edx, [ebp+var_11C]
		lea	eax, [ebp+var_118]
		and	[ebp+var_110], 0
		lea	ecx, [ebp+var_104]
		and	[ebp+var_108], 0
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_134]
		push	eax
		mov	[ebp+var_10C], 4
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, [ebp+var_120]
		lea	esi, [eax+1]
		mov	ecx, esi
		lea	eax, [ebp+var_114]
		shl	ecx, 4
		add	ecx, eax
		call	_EtwpTiFillThreadIdentity@8 ; EtwpTiFillThreadIdentity(x,x)
		mov	ebx, [ebp+var_124]
		lea	ecx, [ebp+var_114]
		add	esi, eax
		lea	eax, [ebp+var_12C]
		push	eax
		mov	eax, esi
		mov	edx, [ebx+150h]
		shl	eax, 4
		add	ecx, eax
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		add	esi, eax
		lea	ecx, [ebp+var_114]
		mov	eax, esi
		mov	edx, ebx
		shl	eax, 4
		add	ecx, eax
		call	_EtwpTiFillThreadIdentity@8 ; EtwpTiFillThreadIdentity(x,x)
		add	esi, eax
		lea	eax, [ebp+var_114]
		push	eax
		push	esi
		push	0
		push	edi
		push	dword_6BC124
		push	_EtwThreatIntProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9F722C:				; CODE XREF: EtwTiLogSuspendResumeThread(x,x,x,x)+68j
					; EtwTiLogSuspendResumeThread(x,x,x,x)+94j
		pop	esi
		pop	ebx

loc_9F722E:				; CODE XREF: EtwTiLogSuspendResumeThread(x,x,x,x)+2Fj
					; EtwTiLogSuspendResumeThread(x,x,x,x)+42j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwTiLogSuspendResumeThread@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTimLogProhibitChildProcessCreation(x, x,	x, x)
_EtwTimLogProhibitChildProcessCreation@16 proc near ; CODE XREF: SeSubProcessToken+14A8FCp

var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_269		= byte ptr -269h
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_168		= dword	ptr -168h
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_28C], ecx
		mov	eax, edx
		mov	[ebp+var_2A0], ebx
		push	esi
		push	edi
		mov	[ebp+var_278], eax
		mov	edi, [eax+1C0h]
		mov	[ebp+var_29C], ebx
		mov	[ebp+var_280], ebx
		mov	[ebp+var_27C], ebx
		mov	[ebp+var_2AC], ebx
		mov	[ebp+var_2A8], ebx
		mov	[ebp+var_2B4], ebx
		mov	[ebp+var_2B0], ebx
		mov	[ebp+var_269], 1
		mov	[ebp+var_274], edi
		test	edi, edi
		jnz	short loc_9F72B7
		mov	edi, (offset loc_403A20+4)
		mov	[ebp+var_274], edi

loc_9F72B7:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+6Dj
		lea	edx, [ebp+var_280]
		mov	ecx, eax
		call	EtwpQueryProcessCommandLine
		mov	esi, [ebp+var_280]
		test	si, si
		jnz	short loc_9F72EC
		push	(offset	loc_8B7595+1)
		lea	eax, [ebp+var_280]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, [ebp+var_280]
		mov	[ebp+var_269], bl

loc_9F72EC:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+90j
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	short loc_9F72FA
		xor	ecx, ecx
		cmp	[ebx], cx
		jnz	short loc_9F7319

loc_9F72FA:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+B4j
		push	(offset	loc_8B7595+1)
		lea	eax, [ebp+var_2AC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, [ebp+var_280]
		lea	ebx, [ebp+var_2AC]
		xor	ecx, ecx

loc_9F7319:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+BBj
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_284], eax
		test	eax, eax
		jz	short loc_9F732B
		cmp	[eax], cx
		jnz	short loc_9F734E

loc_9F732B:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+E7j
		push	(offset	loc_8B7595+1)
		lea	eax, [ebp+var_2B4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, [ebp+var_280]
		lea	eax, [ebp+var_2B4]
		mov	[ebp+var_284], eax

loc_9F734E:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+ECj
		cmp	[ebp+var_28C], 2
		jnz	loc_9F749F
		cmp	dword_6B2A18, 5
		jbe	loc_9F749F
		push	2000h
		push	1
		mov	ecx, offset dword_6B2A18
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9F749F
		lea	eax, [ebp+var_130]
		xor	edx, edx
		mov	[ebp+var_148], eax
		mov	eax, [edi+4]
		mov	[ebp+var_138], eax
		movzx	eax, word ptr [edi]
		mov	[ebp+var_130], eax
		lea	eax, [ebp+var_110]
		mov	[ebp+var_128], eax
		mov	eax, [ebp+var_27C]
		mov	[ebp+var_118], eax
		push	2
		pop	ecx
		movzx	eax, si
		mov	[ebp+var_110], eax
		lea	eax, [ebp+var_F0]
		mov	[ebp+var_108], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_F8], eax
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_F0], eax
		lea	eax, [ebp+var_D0]
		mov	[ebp+var_140], ecx
		mov	[ebp+var_120], ecx
		mov	[ebp+var_100], ecx
		mov	[ebp+var_E0], ecx
		mov	ecx, [ebp+var_284]
		mov	[ebp+var_E8], eax
		mov	[ebp+var_144], edx
		mov	[ebp+var_13C], edx
		mov	eax, [ecx+4]
		mov	[ebp+var_D8], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_D0], eax
		lea	eax, [ebp+var_168]
		push	eax
		push	0Ah
		push	edx
		push	edx
		push	offset loc_423EC5
		push	offset dword_6B2A18
		mov	[ebp+var_134], edx
		mov	[ebp+var_12C], edx
		mov	[ebp+var_124], edx
		mov	[ebp+var_11C], edx
		mov	[ebp+var_114], edx
		mov	[ebp+var_10C], edx
		mov	[ebp+var_104], edx
		mov	[ebp+var_FC], edx
		mov	[ebp+var_F4], edx
		mov	[ebp+var_EC], edx
		mov	[ebp+var_E4], edx
		mov	[ebp+var_DC], edx
		mov	[ebp+var_D4], edx
		mov	[ebp+var_CC], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		mov	esi, [ebp+var_280]

loc_9F749F:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+118j
					; EtwTimLogProhibitChildProcessCreation(x,x,x,x)+125j ...
		mov	ecx, offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		mov	[ebp+var_298], ecx
		push	6
		pop	edx
		test	edi, edi
		jz	short loc_9F750D
		movzx	eax, word ptr [edi]
		test	ax, ax
		jz	short loc_9F750D
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_288], eax
		lea	eax, [ebp+var_288]
		mov	[ebp+var_268], eax
		xor	eax, eax
		mov	[ebp+var_264], eax
		mov	[ebp+var_25C], eax
		mov	[ebp+var_260], 2
		movzx	ecx, word ptr [edi]
		mov	eax, [edi+4]
		and	[ebp+var_254], 0
		mov	[ebp+var_258], eax
		mov	eax, ecx
		mov	[ebp+var_250], eax
		mov	ecx, offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		xor	eax, eax
		jmp	short loc_9F754D
; 

loc_9F750D:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+272j
					; EtwTimLogProhibitChildProcessCreation(x,x,x,x)+27Aj
		lea	eax, [ebp+var_288]
		mov	[ebp+var_288], edx
		mov	[ebp+var_268], eax
		xor	eax, eax
		mov	[ebp+var_264], eax
		mov	[ebp+var_260], 2
		mov	[ebp+var_25C], eax
		mov	[ebp+var_258], ecx
		mov	[ebp+var_254], eax
		mov	[ebp+var_250], 0Ch

loc_9F754D:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+2CEj
		mov	[ebp+var_24C], eax
		mov	[ebp+var_244], eax
		mov	[ebp+var_240], 2
		mov	[ebp+var_23C], eax
		test	si, si
		jz	short loc_9F758B
		mov	edx, [ebp+var_27C]
		lea	ecx, [ebp+var_294]
		mov	[ebp+var_248], ecx
		movzx	ecx, si
		shr	si, 1
		movzx	esi, si
		jmp	short loc_9F75AB
; 

loc_9F758B:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+32Fj
		lea	esi, [ebp+var_294]
		mov	[ebp+var_270], 0Ch
		mov	[ebp+var_248], esi
		mov	esi, edx
		mov	edx, ecx
		mov	ecx, [ebp+var_270]

loc_9F75AB:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+34Cj
		and	[ebp+var_234], 0
		and	[ebp+var_22C], 0
		movzx	eax, si
		mov	[ebp+var_294], eax
		lea	eax, [ebp+var_2A0]
		mov	[ebp+var_238], edx
		mov	edx, [ebp+var_278]
		mov	[ebp+var_230], ecx
		lea	ecx, [ebp+var_228]
		push	eax
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, large fs:124h
		lea	esi, [eax+4]
		mov	ecx, esi
		lea	eax, [ebp+var_268]
		shl	ecx, 4
		add	ecx, eax
		call	_EtwpTiFillThreadIdentity@8 ; EtwpTiFillThreadIdentity(x,x)
		mov	edi, [ebp+var_274]
		add	esi, eax
		mov	[ebp+var_278], esi
		test	ebx, ebx
		jz	short loc_9F7633
		movzx	eax, word ptr [ebx]
		test	ax, ax
		jz	short loc_9F7633
		mov	ecx, [ebx+4]
		mov	[ebp+var_270], eax
		shr	ax, 1
		mov	[ebp+var_274], ecx
		movzx	eax, ax
		jmp	short loc_9F764A
; 

loc_9F7633:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+3D5j
					; EtwTimLogProhibitChildProcessCreation(x,x,x,x)+3DDj
		push	6
		mov	[ebp+var_270], 0Ch
		mov	[ebp+var_274], offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		pop	eax

loc_9F764A:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+3F4j
		movzx	eax, ax
		mov	edx, esi
		mov	[ebp+var_2A4], eax
		mov	ecx, esi
		mov	eax, [ebp+var_278]
		add	esi, esi
		shl	edx, 4
		add	eax, eax
		mov	[ebp+var_290], edx
		add	ecx, ecx
		lea	edx, [ebp+var_2A4]
		mov	[ebp+eax*8+var_268], edx
		and	[ebp+eax*8+var_264], 0
		mov	edx, [ebp+var_290]
		mov	eax, [ebp+var_274]
		mov	[ebp+edx+var_260], 2
		and	[ebp+ecx*8+var_25C], 0
		xor	ecx, ecx
		mov	edx, [ebp+var_278]
		mov	[ebp+esi*8+var_258], eax
		inc	edx
		and	[ebp+esi*8+var_254], 0
		mov	eax, [ebp+var_270]
		mov	[ebp+esi*8+var_250], eax
		mov	[ebp+esi*8+var_24C], ecx
		mov	esi, [ebp+var_284]
		test	esi, esi
		jz	short loc_9F76F5
		movzx	eax, word ptr [esi]
		test	ax, ax
		jz	short loc_9F76F5
		mov	ecx, [esi+4]
		mov	[ebp+var_270], eax
		shr	ax, 1
		mov	[ebp+var_298], ecx
		movzx	eax, ax
		jmp	short loc_9F7702
; 

loc_9F76F5:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+497j
					; EtwTimLogProhibitChildProcessCreation(x,x,x,x)+49Fj
		push	6
		mov	[ebp+var_270], 0Ch
		pop	eax

loc_9F7702:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+4B6j
		movzx	eax, ax
		lea	esi, [ebp+var_290]
		mov	[ebp+var_290], eax
		mov	ecx, edx
		mov	eax, edx
		shl	ecx, 4
		add	eax, eax
		mov	[ebp+var_278], ecx
		mov	ecx, edx
		shl	ecx, 4
		mov	[ebp+var_274], ecx
		mov	ecx, edx
		mov	[ebp+eax*8+var_258], esi
		add	ecx, ecx
		xor	esi, esi
		add	edx, 3
		mov	[ebp+eax*8+var_254], esi
		mov	eax, [ebp+var_278]
		mov	[ebp+eax+var_250], 2
		mov	eax, [ebp+var_274]
		mov	[ebp+eax+var_24C], esi
		mov	eax, [ebp+var_298]
		mov	[ebp+ecx*8+var_248], eax
		and	[ebp+ecx*8+var_244], esi
		cmp	[ebp+var_28C], 1
		mov	eax, [ebp+var_270]
		mov	[ebp+ecx*8+var_240], eax
		mov	eax, offset _MITIGATION_AUDIT_PROHIBIT_CHILD_PROCESS_CREATION
		mov	[ebp+ecx*8+var_23C], esi
		jz	short loc_9F779B
		mov	eax, offset _MITIGATION_ENFORCE_PROHIBIT_CHILD_PROCESS_CREATION

loc_9F779B:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+557j
		lea	ecx, [ebp+var_268]
		push	ecx
		push	edx
		push	esi
		push	eax
		push	dword_6BC324
		push	_EtwSecurityMitigationsRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	dword_6B2A40, 5
		mov	esi, [ebp+var_284]
		jbe	loc_9F78FA
		push	4000h
		push	0
		mov	ecx, offset dword_6B2A40
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9F78FA
		mov	eax, [ebp+var_28C]
		xor	ecx, ecx
		mov	[ebp+var_270], eax
		lea	eax, [ebp+var_270]
		mov	[ebp+var_A8], eax
		lea	eax, [ebp+var_80]
		mov	[ebp+var_98], eax
		mov	eax, [edi+4]
		mov	[ebp+var_88], eax
		movzx	eax, word ptr [edi]
		mov	[ebp+var_80], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_78], eax
		mov	eax, [ebp+var_27C]
		mov	[ebp+var_68], eax
		movzx	eax, word ptr [ebp+var_280]
		mov	[ebp+var_60], eax
		mov	eax, [ebp+var_2A0]
		mov	[ebp+var_2C0], eax
		mov	eax, [ebp+var_29C]
		mov	[ebp+var_2BC], eax
		lea	eax, [ebp+var_2C0]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_48], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_38], eax
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_10]
		push	2
		pop	edx
		mov	[ebp+var_28], eax
		mov	eax, [esi+4]
		mov	[ebp+var_18], eax
		movzx	eax, word ptr [esi]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_C8]
		push	eax
		push	0Ch
		push	ecx
		push	ecx
		push	(offset	loc_423F2F+6)
		push	offset dword_6B2A40
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_A0], 4
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_94], ecx
		mov	[ebp+var_90], edx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_84], ecx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], 8
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9F78FA:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+586j
					; EtwTimLogProhibitChildProcessCreation(x,x,x,x)+59Fj
		cmp	[ebp+var_269], 0
		jz	short loc_9F7910
		push	0
		push	[ebp+var_27C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F7910:				; CODE XREF: EtwTimLogProhibitChildProcessCreation(x,x,x,x)+6C4j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwTimLogProhibitChildProcessCreation@16 endp


;  S U B	R O U T	I N E 


; __stdcall EtwTimLogProhibitDynamicCode(x, x)
_EtwTimLogProhibitDynamicCode@8	proc near ; CODE XREF: MiArbitraryCodeBlocked+1672EFp
					; MiArbitraryCodeBlocked+16730Cp
		mov	edi, edi
		push	esi
		lea	esi, [edx+490h]
		test	dword ptr [esi], 800h
		jz	short loc_9F7954
		mov	eax, offset _MITIGATION_AUDIT_PROHIBIT_DYNAMIC_CODE
		cmp	ecx, 1
		jz	short loc_9F7941
		mov	eax, offset _MITIGATION_ENFORCE_PROHIBIT_DYNAMIC_CODE

loc_9F7941:				; CODE XREF: EtwTimLogProhibitDynamicCode(x,x)+19j
		push	edx
		mov	edx, ecx
		xor	ecx, ecx
		push	eax
		call	_EtwpTimLogMitigationForProcess@16 ; EtwpTimLogMitigationForProcess(x,x,x,x)
		mov	eax, 0FFFFF7FFh
		lock and [esi],	eax

loc_9F7954:				; CODE XREF: EtwTimLogProhibitDynamicCode(x,x)+Fj
		pop	esi
		retn
_EtwTimLogProhibitDynamicCode@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTimLogProhibitLowILImageMap(x, x, x)
_EtwTimLogProhibitLowILImageMap@12 proc	near ; CODE XREF: MiAllowImageMap(x,x,x,x)+15Dp

var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_AC		= dword	ptr -0ACh
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1C8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, edx
		mov	[ebp+var_1AC], ecx
		push	ebx
		xor	edx, edx
		mov	[ebp+var_190], eax
		push	esi
		push	edi
		mov	edi, [eax+1C0h]
		mov	[ebp+var_1B4], edx
		mov	[ebp+var_1B0], edx
		mov	[ebp+var_19C], edx
		mov	[ebp+var_198], edx
		test	edi, edi
		jnz	short loc_9F79A5
		mov	edi, (offset loc_403A20+4)

loc_9F79A5:				; CODE XREF: EtwTimLogProhibitLowILImageMap(x,x,x)+48j
		movzx	eax, word ptr [edi]
		lea	ebx, [ebp+var_1A0]
		mov	[ebp+var_18C], ebx
		mov	ecx, offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		mov	[ebp+var_1A4], ecx
		mov	[ebp+var_188], edx
		mov	[ebp+var_180], edx
		push	0Ch
		pop	esi
		mov	[ebp+var_1A8], esi
		push	2
		pop	ebx
		mov	[ebp+var_184], ebx
		test	ax, ax
		jz	short loc_9F7A04
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_1A0], eax
		movzx	ecx, word ptr [edi]
		mov	eax, [edi+4]
		mov	[ebp+var_17C], eax
		mov	eax, ecx
		mov	[ebp+var_174], eax
		jmp	short loc_9F7A1A
; 

loc_9F7A04:				; CODE XREF: EtwTimLogProhibitLowILImageMap(x,x,x)+8Aj
		mov	[ebp+var_1A0], 6
		mov	[ebp+var_17C], ecx
		mov	[ebp+var_174], esi

loc_9F7A1A:				; CODE XREF: EtwTimLogProhibitLowILImageMap(x,x,x)+ACj
		mov	ecx, [ebp+var_190]
		mov	[ebp+var_170], edx
		mov	[ebp+var_178], edx
		lea	edx, [ebp+var_19C]
		call	EtwpQueryProcessCommandLine
		mov	eax, [ebp+var_19C]
		lea	ecx, [ebp+var_1B8]
		and	[ebp+var_168], 0
		xor	edx, edx
		and	[ebp+var_160], 0
		mov	[ebp+var_16C], ecx
		mov	[ebp+var_164], ebx
		test	ax, ax
		jz	short loc_9F7A75
		mov	ecx, [ebp+var_198]
		movzx	esi, ax
		shr	ax, 1
		movzx	eax, ax
		jmp	short loc_9F7A7D
; 

loc_9F7A75:				; CODE XREF: EtwTimLogProhibitLowILImageMap(x,x,x)+10Cj
		push	6
		mov	ecx, offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		pop	eax

loc_9F7A7D:				; CODE XREF: EtwTimLogProhibitLowILImageMap(x,x,x)+11Dj
		and	[ebp+var_150], 0
		movzx	eax, ax
		mov	[ebp+var_1B8], eax
		lea	eax, [ebp+var_1B4]
		mov	[ebp+var_15C], ecx
		lea	ecx, [ebp+var_14C]
		mov	[ebp+var_158], edx
		mov	edx, [ebp+var_190]
		push	eax
		mov	[ebp+var_154], esi
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, large fs:124h
		lea	esi, [eax+4]
		mov	ecx, esi
		lea	eax, [ebp+var_18C]
		shl	ecx, 4
		add	ecx, eax
		call	_EtwpTiFillThreadIdentity@8 ; EtwpTiFillThreadIdentity(x,x)
		mov	edx, [ebp+arg_0]
		add	esi, eax
		mov	[ebp+var_190], esi
		test	edx, edx
		jz	short loc_9F7B01
		movzx	eax, word ptr [edx]
		test	ax, ax
		jz	short loc_9F7B01
		mov	ecx, [edx+4]
		mov	[ebp+var_1A8], eax
		shr	ax, 1
		mov	[ebp+var_1A4], ecx
		movzx	eax, ax
		jmp	short loc_9F7B04
; 

loc_9F7B01:				; CODE XREF: EtwTimLogProhibitLowILImageMap(x,x,x)+18Aj
					; EtwTimLogProhibitLowILImageMap(x,x,x)+192j
		push	6
		pop	eax

loc_9F7B04:				; CODE XREF: EtwTimLogProhibitLowILImageMap(x,x,x)+1A9j
		movzx	eax, ax
		mov	edx, esi
		mov	[ebp+var_1BC], eax
		mov	ecx, esi
		mov	eax, [ebp+var_190]
		add	ecx, ecx
		add	eax, eax
		shl	edx, 4
		mov	[ebp+var_194], edx
		add	esi, esi
		lea	edx, [ebp+var_1BC]
		mov	[ebp+eax*8+var_18C], edx
		and	[ebp+eax*8+var_188], 0
		mov	edx, [ebp+var_194]
		mov	eax, [ebp+var_1A4]
		mov	[ebp+edx+var_184], ebx
		and	[ebp+ecx*8+var_180], 0
		mov	ecx, [ebp+var_190]
		mov	[ebp+esi*8+var_17C], eax
		add	ecx, 2
		and	[ebp+esi*8+var_178], 0
		mov	eax, [ebp+var_1A8]
		mov	[ebp+esi*8+var_174], eax
		mov	eax, offset _MITIGATION_AUDIT_PROHIBIT_LOWIL_IMAGE_MAP
		and	[ebp+esi*8+var_170], 0
		cmp	[ebp+var_1AC], 1
		jz	short loc_9F7B96
		mov	eax, offset _MITIGATION_ENFORCE_PROHIBIT_LOWIL_IMAGE_MAP

loc_9F7B96:				; CODE XREF: EtwTimLogProhibitLowILImageMap(x,x,x)+239j
		lea	edx, [ebp+var_18C]
		push	edx
		push	ecx
		push	0
		push	eax
		push	dword_6BC324
		push	_EtwSecurityMitigationsRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	dword_6B2A40, 5
		mov	esi, [ebp+var_198]
		jbe	loc_9F7CBA
		push	4000h
		push	0
		mov	ecx, offset dword_6B2A40
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9F7CBA
		mov	eax, [ebp+var_1AC]
		xor	edx, edx
		mov	[ebp+var_194], eax
		lea	eax, [ebp+var_194]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_7C], eax
		mov	eax, [edi+4]
		mov	[ebp+var_6C], eax
		movzx	eax, word ptr [edi]
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_5C], eax
		movzx	eax, word ptr [ebp+var_19C]
		mov	[ebp+var_44], eax
		mov	eax, [ebp+var_1B4]
		mov	[ebp+var_1C4], eax
		mov	eax, [ebp+var_1B0]
		mov	[ebp+var_1C0], eax
		lea	eax, [ebp+var_1C4]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_2C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_1C], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_AC]
		push	eax
		push	0Ah
		push	edx
		push	edx
		push	(offset	loc_423FC7+6)
		push	offset dword_6B2A40
		mov	[ebp+var_88], edx
		mov	[ebp+var_84], 4
		mov	[ebp+var_80], edx
		mov	[ebp+var_78], edx
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], edx
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], 8
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9F7CBA:				; CODE XREF: EtwTimLogProhibitLowILImageMap(x,x,x)+269j
					; EtwTimLogProhibitLowILImageMap(x,x,x)+282j
		test	esi, esi
		jz	short loc_9F7CC6
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F7CC6:				; CODE XREF: EtwTimLogProhibitLowILImageMap(x,x,x)+366j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwTimLogProhibitLowILImageMap@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTimLogProhibitNonMicrosoftBinaries(x, x,	x, x, x)
_EtwTimLogProhibitNonMicrosoftBinaries@20 proc near
					; CODE XREF: MiValidateSectionSigningPolicy(x,x,x,x,x,x,x,x,x,x,x)+F7p

var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E4		= dword	ptr -1E4h
var_1E0		= dword	ptr -1E0h
var_1DC		= dword	ptr -1DCh
var_1D8		= dword	ptr -1D8h
var_1D4		= dword	ptr -1D4h
var_1CE		= dword	ptr -1CEh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_CC		= dword	ptr -0CCh
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 218h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_1F8], ecx
		xor	edx, edx
		push	esi
		push	edi
		mov	edi, [ebx+1C0h]
		mov	[ebp+var_204], edx
		mov	[ebp+var_200], edx
		mov	[ebp+var_1E4], edx
		mov	[ebp+var_1E0], edx
		test	edi, edi
		jnz	short loc_9F7D20
		mov	edi, (offset loc_403A20+4)

loc_9F7D20:				; CODE XREF: EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+42j
		movzx	eax, word ptr [edi]
		lea	ecx, [ebp+var_1E8]
		mov	[ebp+var_1CE+2], ecx
		mov	[ebp+var_1C8], edx
		mov	[ebp+var_1C0], edx
		push	2
		pop	esi
		mov	[ebp+var_1C4], esi
		test	ax, ax
		jz	short loc_9F7D6B
		shr	ax, 1
		movzx	eax, ax
		mov	[ebp+var_1E8], eax
		movzx	ecx, word ptr [edi]
		mov	eax, [edi+4]
		mov	[ebp+var_1BC], eax
		mov	eax, ecx
		mov	[ebp+var_1B4], eax
		jmp	short loc_9F7D89
; 

loc_9F7D6B:				; CODE XREF: EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+70j
		mov	[ebp+var_1E8], 6
		mov	[ebp+var_1BC], offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		mov	[ebp+var_1B4], 0Ch

loc_9F7D89:				; CODE XREF: EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+92j
		mov	[ebp+var_1B0], edx
		mov	ecx, ebx
		mov	[ebp+var_1B8], edx
		lea	edx, [ebp+var_1E4]
		call	EtwpQueryProcessCommandLine
		mov	eax, [ebp+var_1E4]
		lea	ecx, [ebp+var_208]
		mov	[ebp+var_1AC], ecx
		mov	[ebp+var_1A4], esi
		test	ax, ax
		jz	short loc_9F7DE5
		and	[ebp+var_1A8], 0
		and	[ebp+var_1A0], 0
		and	[ebp+var_1D4], 0
		mov	edx, [ebp+var_1E0]
		movzx	ecx, ax
		shr	ax, 1
		movzx	eax, ax
		jmp	short loc_9F7E04
; 

loc_9F7DE5:				; CODE XREF: EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+E6j
		push	0Ch
		xor	eax, eax
		mov	edx, offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		pop	ecx
		push	6
		mov	[ebp+var_1A8], eax
		mov	[ebp+var_1A0], eax
		mov	[ebp+var_1D4], eax
		pop	eax

loc_9F7E04:				; CODE XREF: EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+10Cj
		and	[ebp+var_190], 0
		movzx	eax, ax
		mov	[ebp+var_208], eax
		mov	eax, [ebp+var_1D4]
		mov	[ebp+var_198], eax
		lea	eax, [ebp+var_204]
		mov	[ebp+var_19C], edx
		mov	edx, ebx
		mov	[ebp+var_194], ecx
		lea	ecx, [ebp+var_18C]
		push	eax
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, large fs:124h
		lea	ebx, [eax+4]
		mov	ecx, ebx
		lea	eax, [ebp+var_1CE+2]
		shl	ecx, 4
		add	ecx, eax
		call	_EtwpTiFillThreadIdentity@8 ; EtwpTiFillThreadIdentity(x,x)
		add	ebx, eax
		xor	ecx, ecx
		mov	[ebp+var_1D4], ebx
		lea	eax, [ebp+arg_0]
		shl	ebx, 4
		xor	edx, edx
		inc	edx
		mov	[ebp+var_1DC], ebx
		mov	[ebp+ebx+var_1CE+2], eax
		lea	eax, [ebp+arg_4]
		mov	[ebp+ebx+var_1C8], ecx
		mov	[ebp+ebx+var_1C0], ecx
		mov	[ebp+ebx+var_1C4], edx
		mov	[ebp+ebx+var_1B8], ecx
		mov	[ebp+ebx+var_1B0], ecx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+ebx+var_1BC], eax
		mov	[ebp+ebx+var_1B4], edx
		test	ecx, ecx
		jz	short loc_9F7EE7
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_9F7EE7
		mov	edx, [ebp+var_1D4]
		and	[ebp+var_1F4], 0
		add	edx, 3
		and	[ebp+var_1F0], 0
		mov	ecx, [ecx+4]
		mov	[ebp+var_1D8], eax
		shr	ax, 1
		movzx	eax, ax
		jmp	short loc_9F7F10
; 

loc_9F7EE7:				; CODE XREF: EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+1DEj
					; EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+1E6j
		mov	edx, [ebp+var_1D4]
		mov	ecx, offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		and	[ebp+var_1F4], 0
		add	edx, 3
		and	[ebp+var_1F0], 0
		push	6
		mov	[ebp+var_1D8], 0Ch
		pop	eax

loc_9F7F10:				; CODE XREF: EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+20Ej
		movzx	eax, ax
		add	edx, edx
		mov	[ebp+var_1DC], eax
		lea	eax, [ebp+var_1DC]
		mov	[ebp+ebx+var_1AC], eax
		and	[ebp+ebx+var_1A8], 0
		mov	[ebp+var_1EC], esi
		mov	eax, [ebp+var_1EC]
		mov	[ebp+ebx+var_1A4], eax
		mov	eax, [ebp+var_1F0]
		mov	[ebp+ebx+var_1A0], eax
		mov	eax, [ebp+var_1F4]
		mov	ebx, [ebp+var_1D4]
		mov	[ebp+edx*8+var_1CE+2], ecx
		add	ebx, 4
		mov	[ebp+edx*8+var_1C8], eax
		mov	eax, [ebp+var_1D8]
		mov	[ebp+edx*8+var_1C4], eax
		mov	eax, offset _MITIGATION_AUDIT_PROHIBIT_NON_MICROSOFT_BINARIES
		and	[ebp+edx*8+var_1C0], 0
		cmp	[ebp+var_1F8], 1
		jz	short loc_9F7F95
		mov	eax, offset _MITIGATION_ENFORCE_PROHIBIT_NON_MICROSOFT_BINARIES

loc_9F7F95:				; CODE XREF: EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+2B7j
		lea	ecx, [ebp+var_1CE+2]
		push	ecx
		push	ebx
		push	0
		push	eax
		push	dword_6BC324
		push	_EtwSecurityMitigationsRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	dword_6B2A40, 5
		mov	ebx, [ebp+var_1E0]
		jbe	loc_9F810D
		push	4000h
		push	0
		mov	ecx, offset dword_6B2A40
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9F810D
		mov	eax, [ebp+var_1F8]
		xor	edx, edx
		mov	[ebp+var_1D8], eax
		lea	eax, [ebp+var_1D8]
		mov	[ebp+var_AC], eax
		lea	eax, [ebp+var_84]
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_9C], eax
		mov	eax, [edi+4]
		mov	[ebp+var_8C], eax
		movzx	eax, word ptr [edi]
		mov	[ebp+var_84], eax
		lea	eax, [ebp+var_64]
		mov	[ebp+var_7C], eax
		movzx	eax, word ptr [ebp+var_1E4]
		mov	[ebp+var_64], eax
		mov	eax, [ebp+var_204]
		mov	[ebp+var_214], eax
		mov	eax, [ebp+var_200]
		mov	[ebp+var_210], eax
		lea	eax, [ebp+var_214]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_4C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_3C], eax
		movzx	eax, word ptr [ecx]
		xor	ecx, ecx
		mov	[ebp+var_34], eax
		inc	ecx
		mov	al, byte ptr [ebp+arg_0]
		mov	byte ptr [ebp+var_1CE+1], al
		lea	eax, [ebp+var_1CE+1]
		mov	[ebp+var_2C], eax
		mov	al, byte ptr [ebp+arg_4]
		mov	byte ptr [ebp+var_1CE],	al
		lea	eax, [ebp+var_1CE]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_CC]
		push	eax
		push	0Ch
		push	edx
		push	edx
		push	(offset	loc_423D75+2)
		push	offset dword_6B2A40
		mov	[ebp+var_A8], edx
		mov	[ebp+var_A4], 4
		mov	[ebp+var_A0], edx
		mov	[ebp+var_98], edx
		mov	[ebp+var_94], esi
		mov	[ebp+var_90], edx
		mov	[ebp+var_88], edx
		mov	[ebp+var_80], edx
		mov	[ebp+var_78], edx
		mov	[ebp+var_74], esi
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_68], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], 8
		mov	[ebp+var_50], edx
		mov	[ebp+var_48], edx
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9F810D:				; CODE XREF: EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+2E7j
					; EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+300j
		test	ebx, ebx
		jz	short loc_9F8119
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F8119:				; CODE XREF: EtwTimLogProhibitNonMicrosoftBinaries(x,x,x,x,x)+438j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_EtwTimLogProhibitNonMicrosoftBinaries@20 endp


;  S U B	R O U T	I N E 


; __stdcall EtwTimLogProhibitRemoteImageMap(x, x)
_EtwTimLogProhibitRemoteImageMap@8 proc	near ; CODE XREF: MiAllowImageMap(x,x,x,x)+44p
		mov	eax, offset _MITIGATION_AUDIT_PROHIBIT_REMOTE_IMAGE_MAP
		cmp	ecx, 1
		jz	short loc_9F8139
		mov	eax, offset _MITIGATION_ENFORCE_PROHIBIT_REMOTE_IMAGE_MAP

loc_9F8139:				; CODE XREF: EtwTimLogProhibitRemoteImageMap(x,x)+8j
		push	edx
		mov	edx, ecx
		xor	ecx, ecx
		push	eax
		inc	ecx
		call	_EtwpTimLogMitigationForProcess@16 ; EtwpTimLogMitigationForProcess(x,x,x,x)
		retn
_EtwTimLogProhibitRemoteImageMap@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwTimLogProhibitWin32kSystemCalls(x, x)
_EtwTimLogProhibitWin32kSystemCalls@8 proc near	; CODE XREF: PsConvertToGuiThread+128F13p
		mov	edi, edi
		push	esi
		lea	esi, [edx+490h]
		test	dword ptr [esi], 2000h
		jz	short loc_9F817A
		mov	eax, offset _MITIGATION_AUDIT_PROHIBIT_WIN32K_SYSTEM_CALLS
		cmp	ecx, 1
		jz	short loc_9F8166
		mov	eax, offset _MITIGATION_ENFORCE_PROHIBIT_WIN32K_SYSTEM_CALLS

loc_9F8166:				; CODE XREF: EtwTimLogProhibitWin32kSystemCalls(x,x)+19j
		push	edx
		push	eax
		push	2
		mov	edx, ecx
		pop	ecx
		call	_EtwpTimLogMitigationForProcess@16 ; EtwpTimLogMitigationForProcess(x,x,x,x)
		mov	eax, 0FFFFDFFFh
		lock and [esi],	eax

loc_9F817A:				; CODE XREF: EtwTimLogProhibitWin32kSystemCalls(x,x)+Fj
		pop	esi
		retn
_EtwTimLogProhibitWin32kSystemCalls@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall EtwpTiParseContextRecord(void *,int,int)
_EtwpTiParseContextRecord@12 proc near	; CODE XREF: EtwTiLogSetContextThread(x,x,x,x)+141p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		mov	ebx, edx
		call	_memset
		mov	edx, [ebp+arg_0]
		mov	ecx, 10001h
		mov	eax, ebx
		add	esp, 0Ch
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_9F81C1
		mov	eax, [edx+0B8h]
		inc	edi
		mov	[esi], eax
		mov	eax, [edx+0C4h]
		mov	[esi+4], eax
		mov	eax, [edx+0B4h]
		mov	[esi+0Ch], eax

loc_9F81C1:				; CODE XREF: EtwpTiParseContextRecord(x,x,x)+28j
		mov	eax, 10002h
		and	ebx, eax
		cmp	ebx, eax
		jnz	short loc_9F820D
		mov	eax, [edx+0B0h]
		or	edi, 2
		mov	[esi+10h], eax
		mov	eax, [edx+0ACh]
		mov	[esi+14h], eax
		mov	eax, [edx+0A8h]
		mov	[esi+18h], eax
		mov	ecx, [edx+0A4h]
		mov	[esi+1Ch], ecx
		mov	ecx, [edx+0A0h]
		mov	[esi+20h], ecx
		mov	ecx, [edx+9Ch]
		and	dword ptr [esi+28h], 0
		and	dword ptr [esi+2Ch], 0
		mov	[esi+24h], ecx

loc_9F820D:				; CODE XREF: EtwpTiParseContextRecord(x,x,x)+4Ej
		mov	ax, di
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_EtwpTiParseContextRecord@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTiQueryCodeIntegrityOptions(x)
_EtwpTiQueryCodeIntegrityOptions@4 proc	near ; CODE XREF: EtwTiLogDriverObjectLoad+AF3A6p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	8
		pop	ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], ecx
		push	eax
		push	67h
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_9F824D
		mov	eax, [ebp+var_8]
		mov	[esi], eax
		mov	eax, ecx

loc_9F824D:				; CODE XREF: EtwpTiQueryCodeIntegrityOptions(x)+2Dj
		pop	esi
		leave
		retn
_EtwpTiQueryCodeIntegrityOptions@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTiQueryVad(x, x, x, x, x)
_EtwpTiQueryVad@20 proc	near		; CODE XREF: EtwpTiVadQueryEventWriteCallback(x)+55p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_20], eax
		mov	edx, ecx
		lea	edi, [ebp+var_1C]
		push	6
		xor	eax, eax
		mov	[ebp+var_28], edx
		pop	ecx
		rep stosd
		mov	eax, large fs:124h
		cmp	esi, [eax+80h]
		jz	short loc_9F82A3
		lea	eax, [ebp+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	edx, [ebp+var_28]
		mov	[ebp+var_24], 1
		jmp	short loc_9F82A7
; 

loc_9F82A3:				; CODE XREF: EtwpTiQueryVad(x,x,x,x,x)+38j
		and	[ebp+var_24], 0

loc_9F82A7:				; CODE XREF: EtwpTiQueryVad(x,x,x,x,x)+51j
		xor	ebx, ebx
		xor	edi, edi
		cmp	[ebp+arg_4], ebx
		jbe	short loc_9F8321
		lea	esi, [edx+20h]

loc_9F82B3:				; CODE XREF: EtwpTiQueryVad(x,x,x,x,x)+CFj
		push	0
		push	1Ch
		lea	eax, [esi-1Ch]
		push	eax
		mov	eax, [ebp+var_20]
		push	3
		push	dword ptr [eax+edi*4]
		push	0FFFFFFFFh
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		mov	[esi-20h], eax
		test	eax, eax
		js	short loc_9F8318
		bts	ebx, edi
		cmp	[ebp+arg_8], 0
		jz	short loc_9F8315
		push	6E734954h
		push	200h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	short loc_9F8318
		push	0
		push	200h
		push	eax
		mov	eax, [ebp+var_20]
		push	2
		push	dword ptr [eax+edi*4]
		push	0FFFFFFFFh
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_9F8318
		push	0
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F8315:				; CODE XREF: EtwpTiQueryVad(x,x,x,x,x)+88j
		and	dword ptr [esi], 0

loc_9F8318:				; CODE XREF: EtwpTiQueryVad(x,x,x,x,x)+7Fj
					; EtwpTiQueryVad(x,x,x,x,x)+9Fj ...
		inc	edi
		add	esi, 24h
		cmp	edi, [ebp+arg_4]
		jb	short loc_9F82B3

loc_9F8321:				; CODE XREF: EtwpTiQueryVad(x,x,x,x,x)+5Ej
		cmp	[ebp+var_24], 0
		jz	short loc_9F8331
		xor	edx, edx
		lea	ecx, [ebp+var_1C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_9F8331:				; CODE XREF: EtwpTiQueryVad(x,x,x,x,x)+D5j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_EtwpTiQueryVad@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTiVadQueryEventWriteCallback(x)
_EtwpTiVadQueryEventWriteCallback@4 proc near
					; DATA XREF: EtwpTiAsyncVadQueryEventWrite(x,x,x,x,x,x,x)+2Fo

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		push	6E734954h
		mov	[ebp+var_4], ebx
		imul	eax, [esi+1Ch],	24h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	edi, edi
		jz	short loc_9F83A3
		push	ebx
		push	10000000h
		push	ebx
		push	dword_6BC124
		push	_EtwThreatIntProvRegHandle
		call	EtwProviderEnabled
		mov	edx, [esi+24h]
		mov	ecx, edi
		mov	byte ptr [ebp+arg_0], al
		push	[ebp+arg_0]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+28h]
		call	_EtwpTiQueryVad@20 ; EtwpTiQueryVad(x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_4], eax

loc_9F83A3:				; CODE XREF: EtwpTiVadQueryEventWriteCallback(x)+2Aj
		push	dword ptr [esi+20h]
		mov	edx, [esi+18h]
		push	dword ptr [esi+1Ch]
		mov	ecx, [esi+10h]
		push	ebx
		push	edi
		push	1
		call	_EtwpTiFillVadEventWrite@28 ; EtwpTiFillVadEventWrite(x,x,x,x,x,x,x)
		xor	ebx, ebx
		cmp	[esi+1Ch], ebx
		jbe	short loc_9F83F3
		lea	edx, [edi+20h]
		mov	edi, [ebp+var_4]
		mov	[ebp+arg_0], edx

loc_9F83C8:				; CODE XREF: EtwpTiVadQueryEventWriteCallback(x)+AAj
		xor	eax, eax
		mov	ecx, ebx
		inc	eax
		shl	eax, cl
		test	eax, edi
		jz	short loc_9F83E4
		mov	eax, [edx]
		test	eax, eax
		jz	short loc_9F83E4
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [ebp+arg_0]

loc_9F83E4:				; CODE XREF: EtwpTiVadQueryEventWriteCallback(x)+8Dj
					; EtwpTiVadQueryEventWriteCallback(x)+93j
		inc	ebx
		add	edx, 24h
		mov	[ebp+arg_0], edx
		cmp	ebx, [esi+1Ch]
		jb	short loc_9F83C8
		mov	edi, [ebp+var_8]

loc_9F83F3:				; CODE XREF: EtwpTiVadQueryEventWriteCallback(x)+79j
		test	edi, edi
		jz	short loc_9F83FF
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F83FF:				; CODE XREF: EtwpTiVadQueryEventWriteCallback(x)+B1j
		mov	ecx, [esi+24h]
		test	ecx, ecx
		jz	short loc_9F8410
		mov	edx, 69547445h
		call	ObfDereferenceObjectWithTag

loc_9F8410:				; CODE XREF: EtwpTiVadQueryEventWriteCallback(x)+C0j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpTiVadQueryEventWriteCallback@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTimLogMitigationForProcess(x, x, x, x)
_EtwpTimLogMitigationForProcess@16 proc	near
					; CODE XREF: EtwTimLogProhibitFsctlSystemCalls(x,x)+24p
					; EtwTimLogProhibitDynamicCode(x,x)+26p ...

var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+18Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[esp+190h+var_16C], eax
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		mov	[esp+198h+var_164], edx
		xor	edx, edx
		mov	edi, [eax+1C0h]
		mov	[esp+198h+var_168], ecx
		mov	[esp+198h+var_188], eax
		mov	[esp+198h+var_178], edx
		mov	[esp+198h+var_174], edx
		mov	[esp+198h+var_184], edx
		mov	[esp+198h+var_180], edx
		test	edi, edi
		jnz	short loc_9F8475
		mov	edi, (offset loc_403A20+4)

loc_9F8475:				; CODE XREF: EtwpTimLogMitigationForProcess(x,x,x,x)+4Fj
		movzx	eax, word ptr [edi]
		lea	ecx, [esp+198h+var_17C]
		mov	[esp+198h+var_C8], ecx
		mov	esi, offset ??_C@_1O@CEDCILHN@?$AA?$CI?$AAn?$AAu?$AAl?$AAl?$AA?$CJ@NNGAKEGL@ ; "(null)"
		mov	[esp+198h+var_C4], edx
		mov	[esp+198h+var_BC], edx
		mov	[esp+198h+var_18C], edx
		push	2
		pop	ebx
		mov	[esp+198h+var_C0], ebx
		test	ax, ax
		jz	short loc_9F84CB
		shr	ax, 1
		movzx	eax, ax
		mov	[esp+198h+var_17C], eax
		movzx	ecx, word ptr [edi]
		mov	eax, [edi+4]
		mov	[esp+198h+var_B8], eax
		mov	eax, ecx
		mov	[esp+198h+var_B0], eax
		jmp	short loc_9F84E5
; 

loc_9F84CB:				; CODE XREF: EtwpTimLogMitigationForProcess(x,x,x,x)+88j
		mov	[esp+198h+var_17C], 6
		mov	[esp+198h+var_B8], esi
		mov	[esp+198h+var_B0], 0Ch

loc_9F84E5:				; CODE XREF: EtwpTimLogMitigationForProcess(x,x,x,x)+AAj
		mov	ecx, [esp+198h+var_188]
		mov	[esp+198h+var_AC], edx
		mov	[esp+198h+var_B4], edx
		lea	edx, [esp+198h+var_184]
		call	EtwpQueryProcessCommandLine
		mov	eax, [esp+198h+var_184]
		lea	ecx, [esp+198h+var_170]
		and	[esp+198h+var_A4], 0
		and	[esp+198h+var_9C], 0
		mov	[esp+198h+var_A8], ecx
		mov	[esp+198h+var_A0], ebx
		test	ax, ax
		jz	short loc_9F853C
		mov	esi, [esp+198h+var_180]
		xor	edx, edx
		movzx	ecx, ax
		shr	ax, 1
		movzx	eax, ax
		jmp	short loc_9F8546
; 

loc_9F853C:				; CODE XREF: EtwpTimLogMitigationForProcess(x,x,x,x)+10Aj
		mov	edx, [esp+198h+var_18C]
		push	0Ch
		pop	ecx
		push	6
		pop	eax

loc_9F8546:				; CODE XREF: EtwpTimLogMitigationForProcess(x,x,x,x)+11Bj
		and	[esp+198h+var_8C], 0
		movzx	eax, ax
		mov	[esp+198h+var_170], eax
		lea	eax, [esp+198h+var_178]
		mov	[esp+198h+var_94], edx
		mov	edx, [esp+198h+var_188]
		mov	[esp+198h+var_90], ecx
		lea	ecx, [esp+198h+var_88]
		push	eax
		mov	[esp+19Ch+var_98], esi
		call	_EtwpTiFillProcessIdentity@12 ;	EtwpTiFillProcessIdentity(x,x,x)
		mov	edx, large fs:124h
		lea	esi, [eax+4]
		mov	ecx, esi
		lea	eax, [esp+19Ch+var_CC]
		shl	ecx, 4
		add	ecx, eax
		call	_EtwpTiFillThreadIdentity@8 ; EtwpTiFillThreadIdentity(x,x)
		add	esi, eax
		lea	eax, [esp+19Ch+var_CC]
		push	eax
		push	esi
		push	0
		push	[esp+1A8h+var_170]
		push	dword_6BC324
		push	_EtwSecurityMitigationsRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		cmp	dword_6B2A40, 5
		mov	esi, [esp+19Ch+var_184]
		jbe	loc_9F8709
		push	2000h
		push	0
		mov	ecx, offset dword_6B2A40
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9F8709
		mov	eax, [esp+19Ch+var_16C]
		xor	ecx, ecx
		mov	[esp+19Ch+var_18C], eax
		lea	eax, [esp+19Ch+var_18C]
		mov	[esp+19Ch+var_13C], eax
		mov	eax, [esp+19Ch+var_168]
		mov	[esp+19Ch+var_190], eax
		lea	eax, [esp+19Ch+var_190]
		mov	[esp+19Ch+var_12C], eax
		lea	eax, [esp+19Ch+var_104]
		mov	[esp+19Ch+var_11C], eax
		mov	eax, [edi+4]
		mov	[esp+19Ch+var_10C], eax
		movzx	eax, word ptr [edi]
		mov	[esp+19Ch+var_104], eax
		lea	eax, [esp+19Ch+var_E4]
		mov	[esp+19Ch+var_FC], eax
		movzx	eax, word ptr [esp+19Ch+var_188]
		mov	[esp+19Ch+var_E4], eax
		mov	eax, [esp+19Ch+var_17C]
		push	4
		mov	[esp+1A0h+var_164], eax
		mov	eax, [esp+1A0h+var_178]
		pop	edx
		mov	[esp+19Ch+var_160], eax
		lea	eax, [esp+19Ch+var_164]
		mov	[esp+19Ch+var_DC], eax
		lea	eax, [esp+19Ch+var_15C]
		push	eax
		push	9
		push	ecx
		push	ecx
		push	offset loc_423D05
		push	offset dword_6B2A40
		mov	[esp+1B4h+var_138], ecx
		mov	[esp+1B4h+var_134], edx
		mov	[esp+1B4h+var_130], ecx
		mov	[esp+1B4h+var_128], ecx
		mov	[esp+1B4h+var_124], edx
		mov	[esp+1B4h+var_120], ecx
		mov	[esp+1B4h+var_118], ecx
		mov	[esp+1B4h+var_114], ebx
		mov	[esp+1B4h+var_110], ecx
		mov	[esp+1B4h+var_108], ecx
		mov	[esp+1B4h+var_100], ecx
		mov	[esp+1B4h+var_F8], ecx
		mov	[esp+1B4h+var_F4], ebx
		mov	[esp+1B4h+var_F0], ecx
		mov	[esp+1B4h+var_EC], esi
		mov	[esp+1B4h+var_E8], ecx
		mov	[esp+1B4h+var_E0], ecx
		mov	[esp+1B4h+var_D8], ecx
		mov	[esp+1B4h+var_D4], 8
		mov	[esp+1B4h+var_D0], ecx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_9F8709:				; CODE XREF: EtwpTimLogMitigationForProcess(x,x,x,x)+1AAj
					; EtwpTimLogMitigationForProcess(x,x,x,x)+1C3j
		test	esi, esi
		jz	short loc_9F8715
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F8715:				; CODE XREF: EtwpTimLogMitigationForProcess(x,x,x,x)+2ECj
		mov	ecx, [esp+19Ch+var_8]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_EtwpTimLogMitigationForProcess@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwWmitraceWorker()
_EtwWmitraceWorker@0 proc near		; CODE XREF: KdRegisterDebuggerDataBlock:loc_A4AAD7p

var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B0		= word ptr -0B0h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi		; char
		push	0B0h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_B8]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	ecx, dword_6BC464
		add	esp, 0Ch
		mov	[ebp+var_BC], ebx
		mov	[ebp+var_C4], ebx
		mov	[ebp+var_C0], ebx
		test	ecx, ecx
		jnz	short loc_9F877F
		mov	edi, ds:_EtwpHostSiloState
		jmp	short loc_9F87AE
; 

loc_9F877F:				; CODE XREF: EtwWmitraceWorker()+49j
		lea	edx, [ebp+var_BC]
		call	_PsGetSiloBySessionId@8	; PsGetSiloBySessionId(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F89F2
		mov	eax, [ebp+var_BC]
		test	eax, eax
		jz	loc_9F89F2
		mov	eax, [eax+2F8h]
		mov	edi, [eax+1F0h]

loc_9F87AE:				; CODE XREF: EtwWmitraceWorker()+51j
		mov	al, _EtwWmitraceWork
		cmp	al, 1
		jz	loc_9F8916
		cmp	al, 2
		jz	loc_9F88C1
		cmp	al, 3
		jz	loc_9F887D
		sub	al, 4
		cmp	al, 2
		ja	loc_9F8862
		lea	ecx, [ebp+var_B8] ; void *
		call	_EtwpPrepareWmitraceLoggerInfo@4 ; EtwpPrepareWmitraceLoggerInfo(x)
		lea	edx, [ebp+var_B8]
		mov	ecx, edi
		call	_EtwpQueryTrace@8 ; EtwpQueryTrace(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_9F88DF
		movzx	eax, _EtwWmitraceWork
		sub	eax, 4
		jz	short loc_9F8811
		sub	eax, 1
		jz	short loc_9F880D
		push	2
		pop	ecx
		jmp	short loc_9F8814
; 

loc_9F880D:				; CODE XREF: EtwWmitraceWorker()+DAj
		mov	ecx, ebx
		jmp	short loc_9F8814
; 

loc_9F8811:				; CODE XREF: EtwWmitraceWorker()+D5j
		xor	ecx, ecx
		inc	ecx

loc_9F8814:				; CODE XREF: EtwWmitraceWorker()+DFj
					; EtwWmitraceWorker()+E3j
		push	dword_6BC478
		movzx	eax, byte_6BC48C
		push	dword_6BC474
		push	dword_6BC470
		push	dword_6BC46C
		push	dword_6BC468
		push	eax
		push	ecx
		push	ebx
		push	_EtwpWmitraceParams
		push	ebx
		push	offset unk_6BC47C
		call	_EtwEnableTrace@44 ; EtwEnableTrace(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_9F89F2
		push	esi
		push	offset ??_C@_0CK@GHJJALFO@wmitrace?3?5EtwpEnableTraceEx?5fai@NNGAKEGL@
		jmp	loc_9F88E5
; 

loc_9F8862:				; CODE XREF: EtwWmitraceWorker()+A3j
		push	offset ??_C@_0CO@JHHBNHEL@Unknown?5command?5passed?5to?5EtwWm@NNGAKEGL@	; char *
		push	3		; int
		push	17h		; int
		mov	esi, 0C00000BBh
		call	_DbgPrintEx
		add	esp, 0Ch
		jmp	loc_9F89F2
; 

loc_9F887D:				; CODE XREF: EtwWmitraceWorker()+99j
		lea	ecx, [ebp+var_B8] ; void *
		call	_EtwpPrepareWmitraceLoggerInfo@4 ; EtwpPrepareWmitraceLoggerInfo(x)
		lea	edx, [ebp+var_B8]
		mov	ecx, edi
		call	_EtwpQueryTrace@8 ; EtwpQueryTrace(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9F88DF
		or	[ebp+var_78], 80000h
		lea	edx, [ebp+var_B8]
		mov	ecx, edi
		call	EtwpUpdateTrace
		mov	esi, eax
		test	esi, esi
		jns	loc_9F89F2
		push	esi
		push	offset ??_C@_0CL@HDKKLBEP@wmitrace?3?5failed?5to?5enable?5KD_F@NNGAKEGL@ ; "wmitrace: failed to	enable KD_FILTER 0x"...
		jmp	short loc_9F88E5
; 

loc_9F88C1:				; CODE XREF: EtwWmitraceWorker()+91j
		lea	ecx, [ebp+var_B8] ; void *
		call	_EtwpPrepareWmitraceLoggerInfo@4 ; EtwpPrepareWmitraceLoggerInfo(x)
		lea	edx, [ebp+var_B8]
		mov	ecx, edi
		call	_EtwpQueryTrace@8 ; EtwpQueryTrace(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9F88F6

loc_9F88DF:				; CODE XREF: EtwWmitraceWorker()+C5j
					; EtwWmitraceWorker()+16Dj
		push	esi		; char
		push	offset ??_C@_0CH@NNKBILGH@wmitrace?3?5EtwpQueryTrace?5failed@NNGAKEGL@ ; "wmitrace: EtwpQueryTrace failed: 0x%x\n"

loc_9F88E5:				; CODE XREF: EtwWmitraceWorker()+131j
					; EtwWmitraceWorker()+193j ...
		push	3		; int
		push	17h		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	loc_9F89F2
; 

loc_9F88F6:				; CODE XREF: EtwWmitraceWorker()+1B1j
		push	ebx
		lea	edx, [ebp+var_B8]
		mov	ecx, edi
		call	EtwpStopTrace
		mov	esi, eax
		test	esi, esi
		jns	loc_9F89F2
		push	esi
		push	offset ??_C@_0CG@CANMAEPM@wmitrace?3?5EtwpStopTrace?5failed?3@NNGAKEGL@	; "wmitrace: EtwpStopTrace failed: 0x%x\n"
		jmp	short loc_9F88E5
; 

loc_9F8916:				; CODE XREF: EtwWmitraceWorker()+89j
		lea	ecx, [ebp+var_B8] ; void *
		call	_EtwpPrepareWmitraceLoggerInfo@4 ; EtwpPrepareWmitraceLoggerInfo(x)
		push	offset dword_6BC468
		lea	eax, [ebp+var_C4]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_C4]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	eax, dword_6BC530
		mov	[ebp+var_84], eax
		mov	eax, dword_6BC534
		mov	[ebp+var_80], eax
		mov	eax, dword_6BC538
		mov	[ebp+var_88], eax
		mov	eax, dword_6BC53C
		mov	[ebp+var_78], eax
		mov	eax, dword_6BC540
		mov	[ebp+var_74], eax
		mov	eax, dword_6BC52C
		mov	[ebp+var_7C], eax
		cmp	byte_6BC4A9, bl
		jz	short loc_9F89A5
		push	offset byte_6BC4A9
		lea	eax, [ebp+var_C4]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_C4]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		call	RtlAnsiStringToUnicodeString

loc_9F89A5:				; CODE XREF: EtwWmitraceWorker()+254j
		lea	edx, [ebp+var_B8]
		mov	ecx, edi
		call	_EtwpStartTrace@8 ; EtwpStartTrace(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_9F89CC
		push	esi		; char
		push	offset ??_C@_0CH@GEGPOHNN@wmitrace?3?5EtwpStartTrace?5failed@NNGAKEGL@ ; "wmitrace: EtwpStartTrace failed: 0x%x\n"
		push	3		; int
		push	17h		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	short loc_9F89D8
; 

loc_9F89CC:				; CODE XREF: EtwWmitraceWorker()+28Aj
		movzx	eax, [ebp+var_B0]
		mov	_EtwpWmitraceParams, eax

loc_9F89D8:				; CODE XREF: EtwWmitraceWorker()+29Ej
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	byte_6BC4A9, bl
		jz	short loc_9F89F2
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_9F89F2:				; CODE XREF: EtwWmitraceWorker()+62j
					; EtwWmitraceWorker()+70j ...
		mov	dword_6BC548, esi
		mov	_EtwWmitraceWork, bl
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwWmitraceWorker@0 endp


;  S U B	R O U T	I N E 


; int __fastcall EtwpPrepareWmitraceLoggerInfo(void *)
_EtwpPrepareWmitraceLoggerInfo@4 proc near ; CODE XREF:	EtwWmitraceWorker()+AFp
					; EtwWmitraceWorker()+157p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, 0B0h
		mov	esi, ecx
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	[esi], edi
		add	esp, 0Ch
		mov	dword ptr [esi+2Ch], 20000h
		mov	eax, _EtwpWmitraceParams
		test	eax, eax
		movzx	eax, ax
		jnz	short loc_9F8A3E
		mov	eax, 0FFFFh

loc_9F8A3E:				; CODE XREF: EtwpPrepareWmitraceLoggerInfo(x)+2Aj
		pop	edi
		mov	[esi+8], ax
		pop	esi
		retn
_EtwpPrepareWmitraceLoggerInfo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSendBufferToDebugger(x)
_EtwpSendBufferToDebugger@4 proc near	; CODE XREF: EtwpSendDbgId(x)+ADp

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_18		= dword	ptr -18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ds:_KdTransportMaxPacketSize
		and	[esp+64h+var_64], 0
		add	eax, 0FFFFFFC0h
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	ecx, [ebx+30h]
		cmp	ecx, eax
		ja	short loc_9F8A81
		xor	edx, edx
		mov	[esp+70h+var_54], ecx
		inc	edx
		mov	[esp+70h+var_58], ebx
		lea	ecx, [esp+70h+var_58]
		call	_KdSendTraceData@8 ; KdSendTraceData(x,x)
		jmp	loc_9F8B25
; 

loc_9F8A81:				; CODE XREF: EtwpSendBufferToDebugger(x)+21j
		push	12h
		pop	ecx
		mov	esi, ebx
		lea	edi, [esp+70h+var_48]
		rep movsd
		push	48h
		pop	esi
		lea	ecx, [esp+70h+var_48]
		mov	[esp+70h+var_54], esi
		sub	eax, esi
		mov	[esp+70h+var_58], ecx
		mov	edi, eax

loc_9F8A9F:				; CODE XREF: EtwpSendBufferToDebugger(x)+DAj
		xor	eax, eax
		mov	edx, esi
		mov	[esp+70h+var_60], eax
		mov	ecx, ebx
		lea	eax, [esi+ebx]
		mov	[esp+70h+var_50], eax
		lea	eax, [esp+70h+var_64]
		push	eax
		call	_EtwpGetNextEventOffsetType@12 ; EtwpGetNextEventOffsetType(x,x,x)
		mov	edx, eax
		mov	[esp+70h+var_5C], edx
		test	edx, edx
		jz	short loc_9F8B25

loc_9F8AC4:				; CODE XREF: EtwpSendBufferToDebugger(x)+A8j
		mov	ecx, [esp+70h+var_64]
		mov	eax, [esp+70h+var_60]
		lea	edx, [eax+ecx]
		cmp	edx, edi
		ja	short loc_9F8AF5
		add	esi, ecx
		mov	[esp+70h+var_60], edx
		lea	eax, [esp+70h+var_64]
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	_EtwpGetNextEventOffsetType@12 ; EtwpGetNextEventOffsetType(x,x,x)
		mov	[esp+70h+var_5C], eax
		test	eax, eax
		jnz	short loc_9F8AC4
		mov	eax, [esp+70h+var_60]
		jmp	short loc_9F8AFB
; 

loc_9F8AF5:				; CODE XREF: EtwpSendBufferToDebugger(x)+8Cj
		cmp	ecx, edi
		jbe	short loc_9F8AFB
		add	esi, ecx

loc_9F8AFB:				; CODE XREF: EtwpSendBufferToDebugger(x)+AEj
					; EtwpSendBufferToDebugger(x)+B2j
		test	eax, eax
		jz	short loc_9F8B1A
		mov	[esp+70h+var_4C], eax
		lea	ecx, [esp+70h+var_58]
		add	eax, 48h
		push	2
		pop	edx
		mov	[esp+70h+var_18], eax
		mov	[esp+70h+var_48], eax
		call	_KdSendTraceData@8 ; KdSendTraceData(x,x)

loc_9F8B1A:				; CODE XREF: EtwpSendBufferToDebugger(x)+B8j
		cmp	[esp+70h+var_5C], 0
		jnz	loc_9F8A9F

loc_9F8B25:				; CODE XREF: EtwpSendBufferToDebugger(x)+37j
					; EtwpSendBufferToDebugger(x)+7Dj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_EtwpSendBufferToDebugger@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSendDbgId(x)
_EtwpSendDbgId@4 proc near		; CODE XREF: EtwpSendTraceEvent(x,x)+39p
					; EtwpProviderArrivalCallback+123ECEp ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, 800h
		lea	edx, [edi+25Ch]
		mov	eax, [edx]
		test	eax, ebx
		jz	loc_9F8BE6
		mov	esi, 0FFFFF7FFh
		mov	eax, [edx]

loc_9F8B53:				; CODE XREF: EtwpSendDbgId(x)+2Fj
		mov	ecx, eax
		and	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_9F8B53
		test	eax, ebx
		jz	loc_9F8BE6
		lea	ebx, [edi+1F0h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, edi
		call	EtwpGetMaxTrackingEventBufferSize
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_9F8B86
		xor	esi, esi
		jmp	short loc_9F8BB8
; 

loc_9F8B86:				; CODE XREF: EtwpSendDbgId(x)+54j
		push	62777445h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9F8BB8
		push	[ebp+var_4]
		mov	edx, esi
		mov	ecx, edi
		call	EtwpInitializeProviderInfoBuffer
		push	0
		push	0
		push	[ebp+var_4]
		mov	edx, esi
		mov	ecx, edi
		call	EtwpAddDebugInfoEvents

loc_9F8BB8:				; CODE XREF: EtwpSendDbgId(x)+58j
					; EtwpSendDbgId(x)+6Ej
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9F8BCC
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9F8BCC:				; CODE XREF: EtwpSendDbgId(x)+97j
		mov	ecx, ebx
		call	KeAbPostRelease
		test	esi, esi
		jz	short loc_9F8BE6
		mov	ecx, esi
		call	_EtwpSendBufferToDebugger@4 ; EtwpSendBufferToDebugger(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F8BE6:				; CODE XREF: EtwpSendDbgId(x)+1Aj
					; EtwpSendDbgId(x)+33j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpSendDbgId@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwDereferenceSpinLockCounters()
_EtwDereferenceSpinLockCounters@0 proc near
					; CODE XREF: KiSynchCounterSetCallback(x,x,x):loc_98FCE2p
					; KiSynchNumaCounterSetCallback(x,x,x):loc_98FF4Cp
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, offset _EtwpCrimsonMaskMutex
		push	esi
		push	esi
		push	esi
		push	esi
		push	edi
		call	KeWaitForSingleObject
		sub	ds:_EtwpSpinLockCountersCount, 1
		jnz	short loc_9F8C23
		mov	ecx, ds:_EtwpHostSiloState
		xor	edx, edx
		push	8
		and	dword ptr [ecx+0A4Ch], 0FFDFFFFFh
		call	EtwpUpdateGlobalGroupMasks

loc_9F8C23:				; CODE XREF: EtwDereferenceSpinLockCounters()+1Dj
		push	esi
		push	edi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	edi
		pop	esi
		pop	ecx
		retn
_EtwDereferenceSpinLockCounters@0 endp


;  S U B	R O U T	I N E 


; __stdcall EtwReferenceSpinLockCounters()
_EtwReferenceSpinLockCounters@0	proc near
					; CODE XREF: KiSynchCounterSetCallback(x,x,x):loc_98FCE9p
					; KiSynchNumaCounterSetCallback(x,x,x):loc_98FF53p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, offset _EtwpCrimsonMaskMutex
		push	esi
		push	esi
		push	esi
		push	esi
		push	edi
		call	KeWaitForSingleObject
		mov	eax, ds:_EtwpSpinLockCountersCount
		inc	eax
		mov	ds:_EtwpSpinLockCountersCount, eax
		cmp	eax, 1
		jnz	short loc_9F8C6D
		mov	ecx, ds:_EtwpHostSiloState
		xor	edx, edx
		push	8
		or	dword ptr [ecx+0A4Ch], 200000h
		call	EtwpUpdateGlobalGroupMasks

loc_9F8C6D:				; CODE XREF: EtwReferenceSpinLockCounters()+24j
		push	esi
		push	edi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	edi
		pop	esi
		pop	ecx
		retn
_EtwReferenceSpinLockCounters@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpAddBinaryInfoEvents(void *,size_t)
_EtwpAddBinaryInfoEvents@16 proc near	; CODE XREF: EtwpFinalizeHeader+134C06p
					; EtwpAddLogHeader+134819p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_C], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		sub	ebx, [edx+30h]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, edi
		and	eax, 2
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], eax
		jz	short loc_9F8CB3
		add	ecx, 1F0h
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_4]

loc_9F8CB3:				; CODE XREF: EtwpAddBinaryInfoEvents(x,x,x,x)+26j
		lea	eax, [ecx+2C8h]
		mov	esi, [eax]
		cmp	esi, eax
		jz	loc_9F8D6F
		and	edi, 4

loc_9F8CC6:				; CODE XREF: EtwpAddBinaryInfoEvents(x,x,x,x)+ECj
		test	edi, edi
		jz	short loc_9F8CCF
		mov	eax, [esi+10h]
		jmp	short loc_9F8CD2
; 

loc_9F8CCF:				; CODE XREF: EtwpAddBinaryInfoEvents(x,x,x,x)+50j
		mov	eax, [esi+0Ch]

loc_9F8CD2:				; CODE XREF: EtwpAddBinaryInfoEvents(x,x,x,x)+55j
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_9F8D57
		mov	ecx, eax
		mov	eax, [esi+8]
		shl	ecx, 4
		mov	[ebp+arg_4], ecx
		add	ecx, 4
		add	eax, ecx
		lea	ecx, [ebp+var_C]
		push	ecx		; int
		mov	ecx, [ebp+var_4]
		push	ebx		; int
		push	eax		; size_t
		push	0		; void *
		lea	eax, [edx+58h]
		push	eax		; int
		push	43h
		pop	edx
		call	_EtwpAddEventToBuffer@28 ; EtwpAddEventToBuffer(x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_9F8D6C
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_4]	; size_t
		mov	[eax], edx
		add	eax, 4
		mov	[ebp+arg_0], eax
		mov	eax, [esi+0Ch]
		sub	eax, edx
		shl	eax, 4
		add	eax, 14h
		add	eax, esi
		push	eax		; void *
		push	[ebp+arg_0]	; void *
		call	_memcpy
		mov	eax, [esi+0Ch]
		add	esp, 0Ch
		shl	eax, 4
		add	eax, 14h
		add	eax, esi
		push	dword ptr [esi+8] ; size_t
		push	eax		; void *
		mov	eax, [ebp+arg_0]
		add	eax, [ebp+arg_4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		test	edi, edi
		jz	short loc_9F8D51
		and	dword ptr [esi+10h], 0

loc_9F8D51:				; CODE XREF: EtwpAddBinaryInfoEvents(x,x,x,x)+D3j
		sub	ebx, [ebp+var_C]
		mov	ecx, [ebp+var_8]

loc_9F8D57:				; CODE XREF: EtwpAddBinaryInfoEvents(x,x,x,x)+5Fj
		mov	esi, [esi]
		lea	eax, [ecx+2C8h]
		mov	edx, [ebp+var_4]
		cmp	esi, eax
		jnz	loc_9F8CC6
		jmp	short loc_9F8D6F
; 

loc_9F8D6C:				; CODE XREF: EtwpAddBinaryInfoEvents(x,x,x,x)+8Aj
		mov	ecx, [ebp+var_8]

loc_9F8D6F:				; CODE XREF: EtwpAddBinaryInfoEvents(x,x,x,x)+45j
					; EtwpAddBinaryInfoEvents(x,x,x,x)+F2j
		cmp	[ebp+var_10], 0
		jz	short loc_9F8D96
		lea	esi, [ecx+1F0h]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9F8D8F
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9F8D8F:				; CODE XREF: EtwpAddBinaryInfoEvents(x,x,x,x)+10Ej
		mov	ecx, esi
		call	KeAbPostRelease

loc_9F8D96:				; CODE XREF: EtwpAddBinaryInfoEvents(x,x,x,x)+FBj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	8
_EtwpAddBinaryInfoEvents@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpBufferingModeFlush(x)
_EtwpBufferingModeFlush@4 proc near	; CODE XREF: EtwpFlushTrace+12986Fp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edi
		mov	eax, [edi+4]
		mov	esi, [edi]
		mov	[ebp+var_30], eax
		mov	eax, [edi+0A0h]
		mov	[ebp+var_2C], esi
		call	EtwpQueryUsedProcessorCount
		cmp	ds:_EtwpFileSystemReady, 0
		mov	ebx, eax
		push	4
		mov	[ebp+var_20], ebx
		pop	ecx
		jz	short loc_9F8DE3
		lea	eax, [edi+258h]
		lock or	[eax], ecx

loc_9F8DE3:				; CODE XREF: EtwpBufferingModeFlush(x)+39j
		cmp	dword ptr [edi+78h], 0
		jz	loc_9F93BF
		xor	dl, dl
		mov	ecx, edi
		call	EtwpCreateLogFile
		mov	[ebp+var_4], eax
		test	eax, eax
		js	loc_9F939F
		test	ebx, ebx
		jz	loc_9F8E96
		xor	edx, edx
		mov	[ebp+var_C], edx

loc_9F8E0E:				; CODE XREF: EtwpBufferingModeFlush(x)+F1j
		test	dword ptr [edi+0Ch], 10000000h
		jz	short loc_9F8E1C
		lea	ebx, [edi+58h]
		jmp	short loc_9F8E2E
; 

loc_9F8E1C:				; CODE XREF: EtwpBufferingModeFlush(x)+76j
		mov	eax, [edi+2E4h]
		mov	eax, [eax+8D8h]
		mov	eax, [eax+edx]
		lea	ebx, [eax+esi*4]

loc_9F8E2E:				; CODE XREF: EtwpBufferingModeFlush(x)+7Bj
		mov	esi, [ebx]
		and	esi, 0FFFFFFF8h
		jz	short loc_9F8E83
		mov	ecx, [ebp+var_30]
		lea	eax, [esi+8]
		lock xadd [eax], ecx
		cmp	ecx, [ebp+var_30]
		ja	short loc_9F8E47
		mov	[esi+4], ecx

loc_9F8E47:				; CODE XREF: EtwpBufferingModeFlush(x)+A3j
		mov	ecx, [ebx]

loc_9F8E49:				; CODE XREF: EtwpBufferingModeFlush(x)+C1j
		mov	eax, ecx
		xor	eax, esi
		cmp	eax, 7
		ja	short loc_9F8E62
		xor	edx, edx
		mov	eax, ecx
		lock cmpxchg [ebx], edx
		cmp	eax, ecx
		jz	short loc_9F8E62
		mov	ecx, eax
		jmp	short loc_9F8E49
; 

loc_9F8E62:				; CODE XREF: EtwpBufferingModeFlush(x)+B1j
					; EtwpBufferingModeFlush(x)+BDj
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		cmp	eax, esi
		jnz	short loc_9F8E80
		and	ecx, 7
		add	eax, 0Ch
		neg	ecx
		lock xadd [eax], ecx
		mov	edx, esi
		mov	ecx, edi
		call	EtwpPrepareDirtyBuffer

loc_9F8E80:				; CODE XREF: EtwpBufferingModeFlush(x)+CAj
		mov	edx, [ebp+var_C]

loc_9F8E83:				; CODE XREF: EtwpBufferingModeFlush(x)+94j
		mov	esi, [ebp+var_2C]
		add	edx, 40h
		sub	[ebp+var_20], 1
		mov	[ebp+var_C], edx
		jnz	loc_9F8E0E

loc_9F8E96:				; CODE XREF: EtwpBufferingModeFlush(x)+64j
		mov	ecx, edi
		call	EtwpLockUnlockBufferList
		test	dword ptr [edi+0Ch], 4000000h
		lea	esi, [edi+250h]
		mov	ecx, edi
		jz	loc_9F908A
		call	_EtwpBufferingModeCompressionFlush@4 ; EtwpBufferingModeCompressionFlush(x)
		mov	edi, esi

loc_9F8EB9:				; CODE XREF: EtwpBufferingModeFlush(x)+134j
					; EtwpBufferingModeFlush(x)+138j
		mov	ecx, [edi]
		mov	eax, ecx
		mov	esi, [edi+4]
		mov	edx, esi
		mov	[ebp+var_C], ecx
		nop
		mov	ebx, ecx
		mov	ecx, esi
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+var_C]
		cmp	eax, ebx
		jnz	short loc_9F8EB9
		cmp	edx, esi
		jnz	short loc_9F8EB9
		mov	edi, [ebp+var_10]
		add	ebx, 1
		adc	esi, 0
		js	loc_9F9381
		jg	short loc_9F8EF2
		test	ebx, ebx
		jb	loc_9F9381

loc_9F8EF2:				; CODE XREF: EtwpBufferingModeFlush(x)+149j
		mov	eax, esi

loc_9F8EF4:				; CODE XREF: EtwpBufferingModeFlush(x)+2D2j
					; EtwpBufferingModeFlush(x)+2E0j
		xor	esi, esi
		mov	ecx, edi
		add	ebx, 0FFFFFFFFh
		mov	[ebp+var_C], ebx
		adc	eax, 0FFFFFFFFh
		mov	[ebp+var_8], eax
		call	_EtwpGetFirstBuffer@4 ;	EtwpGetFirstBuffer(x)
		mov	edx, eax
		test	edx, edx
		jz	loc_9F9381

loc_9F8F13:				; CODE XREF: EtwpBufferingModeFlush(x)+1C3j
		mov	ecx, [edx+8]
		mov	eax, [ecx+18h]
		mov	[ebp+var_14], eax
		mov	eax, [ecx+1Ch]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_8]
		cmp	[ebp+var_14], ebx
		jnz	short loc_9F8F2F
		cmp	[ebp+var_10], eax
		jz	short loc_9F8F66

loc_9F8F2F:				; CODE XREF: EtwpBufferingModeFlush(x)+189j
		cmp	[ebp+var_10], eax
		jg	short loc_9F8F53
		jl	short loc_9F8F3B
		cmp	[ebp+var_14], ebx
		jnb	short loc_9F8F53

loc_9F8F3B:				; CODE XREF: EtwpBufferingModeFlush(x)+195j
		test	esi, esi
		jz	short loc_9F8F51
		mov	eax, [ebp+var_10]
		cmp	eax, [esi+1Ch]
		jl	short loc_9F8F53
		jg	short loc_9F8F51
		mov	eax, [ebp+var_14]
		cmp	eax, [esi+18h]
		jbe	short loc_9F8F53

loc_9F8F51:				; CODE XREF: EtwpBufferingModeFlush(x)+19Ej
					; EtwpBufferingModeFlush(x)+1A8j
		mov	esi, ecx

loc_9F8F53:				; CODE XREF: EtwpBufferingModeFlush(x)+193j
					; EtwpBufferingModeFlush(x)+19Aj ...
		mov	ecx, [edx]
		lea	eax, [edi+40h]
		mov	edx, ecx
		sub	edx, eax
		neg	edx
		sbb	edx, edx
		and	edx, ecx
		jnz	short loc_9F8F13
		jmp	short loc_9F8F68
; 

loc_9F8F66:				; CODE XREF: EtwpBufferingModeFlush(x)+18Ej
		mov	esi, ecx

loc_9F8F68:				; CODE XREF: EtwpBufferingModeFlush(x)+1C5j
		test	esi, esi
		jz	loc_9F9381
		lea	edx, [esi+2Ch]
		mov	ebx, [edx]
		mov	[ebp+var_20], edx
		cmp	ebx, 5
		jz	short loc_9F8F86
		cmp	ebx, 4
		jnz	loc_9F9069

loc_9F8F86:				; CODE XREF: EtwpBufferingModeFlush(x)+1DCj
		push	3
		pop	ecx
		mov	eax, ebx
		lock cmpxchg [edx], ecx
		mov	[ebp+var_30], eax
		cmp	eax, ebx
		jnz	loc_9F9069
		mov	ecx, [esi+18h]
		cmp	ecx, [ebp+var_C]
		jnz	loc_9F9062
		mov	ecx, [esi+1Ch]
		cmp	ecx, [ebp+var_8]
		jnz	loc_9F9062
		mov	ecx, esi
		call	EtwpWaitForBufferReferenceCount
		mov	eax, [ebp+var_30]
		cmp	eax, 5
		jnz	short loc_9F9031
		cmp	dword ptr [esi+8], 48h
		jnz	short loc_9F8FD3
		mov	ecx, [ebp+var_20]
		xor	eax, eax
		xchg	eax, [ecx]
		jmp	loc_9F9069
; 

loc_9F8FD3:				; CODE XREF: EtwpBufferingModeFlush(x)+226j
		mov	ecx, [esi+8]
		add	ecx, esi
		add	esi, 48h
		and	dword ptr [esi+20h], 0
		jmp	short loc_9F8FE8
; 

loc_9F8FE1:				; CODE XREF: EtwpBufferingModeFlush(x)+250j
		mov	eax, esi
		add	esi, edx
		mov	[esi+20h], eax

loc_9F8FE8:				; CODE XREF: EtwpBufferingModeFlush(x)+240j
		mov	edx, [esi]
		lea	eax, [edx+esi]
		cmp	eax, ecx
		jb	short loc_9F8FE1

loc_9F8FF1:				; CODE XREF: EtwpBufferingModeFlush(x)+27Cj
		push	40h
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpPrepareHeader@12 ;	EtwpPrepareHeader(x,x,x)
		cmp	eax, 80000022h
		jz	short loc_9F9013
		mov	edx, esi
		mov	ecx, edi
		call	EtwpFlushBufferToLogfile
		mov	edx, eax
		mov	[ebp+var_4], edx
		jmp	short loc_9F9016
; 

loc_9F9013:				; CODE XREF: EtwpBufferingModeFlush(x)+262j
		mov	edx, [ebp+var_4]

loc_9F9016:				; CODE XREF: EtwpBufferingModeFlush(x)+272j
		mov	esi, [esi+20h]
		test	esi, esi
		jnz	short loc_9F8FF1
		mov	ecx, [ebp+var_20]
		push	5

loc_9F9022:				; CODE XREF: EtwpBufferingModeFlush(x)+2C1j
		pop	eax
		lock cmpxchg [ecx], ebx
		test	edx, edx
		js	loc_9F9381
		jmp	short loc_9F9069
; 

loc_9F9031:				; CODE XREF: EtwpBufferingModeFlush(x)+220j
		cmp	eax, 4
		jnz	short loc_9F9069
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpPrepareHeader@12 ;	EtwpPrepareHeader(x,x,x)
		cmp	eax, 80000022h
		jz	short loc_9F9058
		mov	edx, esi
		mov	ecx, edi
		call	EtwpFlushBufferToLogfile
		mov	edx, eax
		mov	[ebp+var_4], edx
		jmp	short loc_9F905B
; 

loc_9F9058:				; CODE XREF: EtwpBufferingModeFlush(x)+2A7j
		mov	edx, [ebp+var_4]

loc_9F905B:				; CODE XREF: EtwpBufferingModeFlush(x)+2B7j
		push	4
		lea	ecx, [esi+2Ch]
		jmp	short loc_9F9022
; 

loc_9F9062:				; CODE XREF: EtwpBufferingModeFlush(x)+201j
					; EtwpBufferingModeFlush(x)+20Dj
		push	3
		pop	eax
		lock cmpxchg [edx], ebx

loc_9F9069:				; CODE XREF: EtwpBufferingModeFlush(x)+1E1j
					; EtwpBufferingModeFlush(x)+1F5j ...
		mov	eax, [ebp+var_8]
		mov	ebx, [ebp+var_C]
		test	eax, eax
		jg	loc_9F8EF4
		jl	loc_9F9381
		test	ebx, ebx
		jnb	loc_9F8EF4
		jmp	loc_9F9381
; 

loc_9F908A:				; CODE XREF: EtwpBufferingModeFlush(x)+10Dj
		call	EtwpQueryUsedProcessorCount
		and	[ebp+var_20], 0
		and	[ebp+var_1C], 0
		mov	[ebp+var_30], eax
		lea	eax, [edi+370h]
		mov	[ebp+var_C], eax
		or	eax, 0FFFFFFFFh
		or	edx, eax
		nop
		mov	ebx, [esi]
		mov	ecx, [esi+4]
		mov	esi, [ebp+var_C]
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_9F93C7
		cmp	edx, eax
		jnz	loc_9F93C7
		cmp	dword ptr [edi+364h], 0
		jz	loc_9F918B
		xor	eax, eax
		mov	[ebp+var_2C], eax
		cmp	[ebp+var_30], eax
		jbe	loc_9F918B

loc_9F90E1:				; CODE XREF: EtwpBufferingModeFlush(x)+3E3j
		mov	esi, [edi+364h]
		shl	eax, 3
		mov	[ebp+var_24], eax
		add	esi, eax

loc_9F90EF:				; CODE XREF: EtwpBufferingModeFlush(x)+367j
					; EtwpBufferingModeFlush(x)+36Bj
		mov	ebx, [esi]
		mov	eax, ebx
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], ecx
		nop
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, [ebp+var_8]
		jnz	short loc_9F90EF
		cmp	edx, ecx
		jnz	short loc_9F90EF
		mov	esi, [edi+368h]
		add	esi, [ebp+var_24]

loc_9F9115:				; CODE XREF: EtwpBufferingModeFlush(x)+38Fj
					; EtwpBufferingModeFlush(x)+393j
		mov	ebx, [esi]
		mov	eax, ebx
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_28], ecx
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, [ebp+var_14]
		cmp	eax, ebx
		jnz	short loc_9F9115
		cmp	edx, ecx
		jnz	short loc_9F9115
		cmp	[ebp+var_18], ecx
		jl	short loc_9F9178
		jg	short loc_9F9140
		cmp	[ebp+var_8], ebx
		jbe	short loc_9F9178

loc_9F9140:				; CODE XREF: EtwpBufferingModeFlush(x)+39Aj
					; EtwpBufferingModeFlush(x)+3D0j ...
		mov	esi, [edi+368h]
		mov	eax, ebx
		add	esi, [ebp+var_24]
		mov	edx, ecx
		nop
		mov	ebx, [ebp+var_8]
		mov	ecx, [ebp+var_18]
		lock cmpxchg8b qword ptr [esi]
		cmp	eax, [ebp+var_14]
		jnz	short loc_9F9162
		cmp	edx, [ebp+var_28]
		jz	short loc_9F9178

loc_9F9162:				; CODE XREF: EtwpBufferingModeFlush(x)+3BCj
		mov	ebx, eax
		mov	ecx, edx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_28], ecx
		cmp	[ebp+var_18], edx
		jg	short loc_9F9140
		jl	short loc_9F9178
		cmp	[ebp+var_8], eax
		ja	short loc_9F9140

loc_9F9178:				; CODE XREF: EtwpBufferingModeFlush(x)+398j
					; EtwpBufferingModeFlush(x)+39Fj ...
		mov	eax, [ebp+var_2C]
		inc	eax
		mov	[ebp+var_2C], eax
		cmp	eax, [ebp+var_30]
		jb	loc_9F90E1
		mov	esi, [ebp+var_C]

loc_9F918B:				; CODE XREF: EtwpBufferingModeFlush(x)+32Ej
					; EtwpBufferingModeFlush(x)+33Cj
		push	dword ptr [esi+4]
		mov	ecx, edi
		push	dword ptr [esi]
		call	_EtwpFindAndLockBufferForFlushing@12 ; EtwpFindAndLockBufferForFlushing(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_30], ebx
		jmp	loc_9F9226
; 

loc_9F91A1:				; CODE XREF: EtwpBufferingModeFlush(x)+489j
		mov	ecx, ebx
		call	EtwpWaitForBufferReferenceCount
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	_EtwpPrepareHeader@12 ;	EtwpPrepareHeader(x,x,x)
		cmp	eax, 80000022h
		jz	short loc_9F91DA
		mov	edx, ebx
		mov	ecx, edi
		call	EtwpFlushBufferToLogfile
		mov	[ebp+var_4], eax
		mov	eax, [ebp+var_20]
		or	eax, [ebp+var_1C]
		jnz	short loc_9F91DA
		mov	eax, [ebx+10h]
		mov	[ebp+var_20], eax
		mov	eax, [ebx+14h]
		mov	[ebp+var_1C], eax

loc_9F91DA:				; CODE XREF: EtwpBufferingModeFlush(x)+419j
					; EtwpBufferingModeFlush(x)+42Dj
		mov	edi, [ebp+var_C]

loc_9F91DD:				; CODE XREF: EtwpBufferingModeFlush(x)+459j
					; EtwpBufferingModeFlush(x)+45Ej
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		sub	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_2C], edx
		sbb	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_9F91DD
		cmp	edx, [ebp+var_2C]
		jnz	short loc_9F91DD
		mov	eax, [ebp+var_30]
		xor	ecx, ecx
		mov	edi, [ebp+var_10]
		add	eax, 2Ch
		xchg	ecx, [eax]
		cmp	[ebp+var_4], 0
		jl	short loc_9F922E
		mov	eax, [ebp+var_C]
		mov	ecx, edi
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		call	_EtwpFindAndLockBufferForFlushing@12 ; EtwpFindAndLockBufferForFlushing(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_30], eax

loc_9F9226:				; CODE XREF: EtwpBufferingModeFlush(x)+3FDj
		test	ebx, ebx
		jnz	loc_9F91A1

loc_9F922E:				; CODE XREF: EtwpBufferingModeFlush(x)+471j
		cmp	dword ptr [edi+368h], 0
		jz	loc_9F9381
		mov	ecx, edi
		call	_EtwpGetFirstBuffer@4 ;	EtwpGetFirstBuffer(x)
		mov	ecx, eax
		test	ecx, ecx
		jmp	loc_9F9378
; 

loc_9F924B:				; CODE XREF: EtwpBufferingModeFlush(x)+5DCj
		mov	esi, [ecx+8]
		movzx	eax, word ptr [esi+28h]
		lea	edi, [esi+10h]
		mov	[ebp+var_2C], eax

loc_9F9258:				; CODE XREF: EtwpBufferingModeFlush(x)+4D4j
					; EtwpBufferingModeFlush(x)+4D8j
		mov	ebx, [edi]
		mov	eax, ebx
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_14], ecx
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, edx
		mov	edx, [ebp+var_8]
		cmp	eax, edx
		jnz	short loc_9F9258
		cmp	ebx, ecx
		jnz	short loc_9F9258
		mov	edi, [ebp+var_10]
		cmp	ecx, [ebp+var_1C]
		jg	loc_9F9366
		jl	short loc_9F9290
		cmp	edx, [ebp+var_20]
		jnb	loc_9F9366

loc_9F9290:				; CODE XREF: EtwpBufferingModeFlush(x)+4E6j
		lea	edi, [esi+18h]

loc_9F9293:				; CODE XREF: EtwpBufferingModeFlush(x)+50Fj
					; EtwpBufferingModeFlush(x)+513j
		mov	ecx, [edi]
		mov	eax, ecx
		mov	esi, [edi+4]
		mov	edx, esi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_18], esi
		nop
		mov	ebx, ecx
		mov	ecx, esi
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, [ebp+var_30]
		jnz	short loc_9F9293
		cmp	edx, esi
		jnz	short loc_9F9293
		mov	edi, [ebp+var_10]
		mov	esi, [ebp+var_C]

loc_9F92BA:				; CODE XREF: EtwpBufferingModeFlush(x)+533j
					; EtwpBufferingModeFlush(x)+537j
		mov	ebx, [esi]
		mov	eax, ebx
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_24], ebx
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, edx
		mov	edx, [ebp+var_24]
		cmp	eax, edx
		jnz	short loc_9F92BA
		cmp	ebx, ecx
		jnz	short loc_9F92BA
		cmp	[ebp+var_18], ecx
		jg	loc_9F9366
		jl	short loc_9F92E8
		cmp	[ebp+var_30], edx
		ja	short loc_9F9366

loc_9F92E8:				; CODE XREF: EtwpBufferingModeFlush(x)+542j
		mov	eax, [ebp+var_2C]
		mov	esi, [edi+368h]
		shl	eax, 3
		add	esi, eax

loc_9F92F6:				; CODE XREF: EtwpBufferingModeFlush(x)+572j
					; EtwpBufferingModeFlush(x)+576j
		mov	ebx, [esi]
		mov	eax, ebx
		mov	ecx, [esi+4]
		mov	edx, ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_30], ecx
		nop
		lock cmpxchg8b qword ptr [esi]
		mov	ebx, edx
		mov	edx, [ebp+var_18]
		cmp	eax, edx
		jnz	short loc_9F92F6
		cmp	ebx, ecx
		jnz	short loc_9F92F6
		cmp	[ebp+var_14], ecx
		jl	short loc_9F9366
		mov	ebx, [ebp+var_8]
		jg	short loc_9F9325
		cmp	ebx, edx
		jbe	short loc_9F9366

loc_9F9325:				; CODE XREF: EtwpBufferingModeFlush(x)+580j
					; EtwpBufferingModeFlush(x)+5BFj ...
		mov	eax, [ebp+var_2C]
		mov	esi, [edi+368h]
		shl	eax, 3
		add	esi, eax
		mov	eax, edx
		mov	edx, ecx
		nop
		mov	ecx, [ebp+var_14]
		lock cmpxchg8b qword ptr [esi]
		mov	esi, edx
		mov	edi, [ebp+var_10]
		cmp	eax, [ebp+var_18]
		jnz	short loc_9F934E
		cmp	esi, [ebp+var_30]
		jz	short loc_9F9366

loc_9F934E:				; CODE XREF: EtwpBufferingModeFlush(x)+5A8j
		mov	edx, eax
		mov	ebx, [ebp+var_8]
		mov	ecx, esi
		mov	[ebp+var_18], edx
		mov	[ebp+var_30], ecx
		cmp	[ebp+var_14], esi
		jg	short loc_9F9325
		jl	short loc_9F9366
		cmp	ebx, eax
		ja	short loc_9F9325

loc_9F9366:				; CODE XREF: EtwpBufferingModeFlush(x)+4E0j
					; EtwpBufferingModeFlush(x)+4EBj ...
		mov	eax, [ebp+var_28]
		lea	edx, [edi+40h]
		mov	eax, [eax]
		mov	ecx, eax
		sub	ecx, edx
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax

loc_9F9378:				; CODE XREF: EtwpBufferingModeFlush(x)+4A7j
		mov	[ebp+var_28], ecx
		jnz	loc_9F924B

loc_9F9381:				; CODE XREF: EtwpBufferingModeFlush(x)+143j
					; EtwpBufferingModeFlush(x)+14Dj ...
		xor	dl, dl
		mov	ecx, edi
		call	EtwpFinalizeHeader
		and	dword ptr [edi+0B0h], 0
		or	dword ptr [edi+370h], 0FFFFFFFFh
		or	dword ptr [edi+374h], 0FFFFFFFFh

loc_9F939F:				; CODE XREF: EtwpBufferingModeFlush(x)+5Cj
		mov	eax, [edi+248h]
		test	eax, eax
		jz	short loc_9F93B6
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [edi+248h], 0

loc_9F93B6:				; CODE XREF: EtwpBufferingModeFlush(x)+608j
		lea	eax, [edi+64h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_9F93BF:				; CODE XREF: EtwpBufferingModeFlush(x)+48j
		mov	eax, [ebp+var_4]

loc_9F93C2:				; CODE XREF: EtwpBufferingModeFlush(x)+62Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9F93C7:				; CODE XREF: EtwpBufferingModeFlush(x)+319j
					; EtwpBufferingModeFlush(x)+321j
		mov	eax, 0C0000043h
		jmp	short loc_9F93C2
_EtwpBufferingModeFlush@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpFindAndLockBufferForFlushing(x,	x, x)
_EtwpFindAndLockBufferForFlushing@12 proc near ; CODE XREF: EtwpBufferingModeFlush(x)+3F3p
					; EtwpBufferingModeFlush(x)+47Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, [edi+0A0h]
		call	_EtwpGetFirstBuffer@4 ;	EtwpGetFirstBuffer(x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_9F9436

loc_9F93E8:				; CODE XREF: EtwpFindAndLockBufferForFlushing(x,x,x)+3Cj
		mov	esi, [edx+8]
		mov	eax, [esi+18h]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_9F93FB
		mov	eax, [esi+1Ch]
		cmp	eax, [ebp+arg_4]
		jz	short loc_9F940E

loc_9F93FB:				; CODE XREF: EtwpFindAndLockBufferForFlushing(x,x,x)+23j
		mov	ecx, [edx]
		lea	eax, [edi+40h]
		mov	edx, ecx
		sub	edx, eax
		neg	edx
		sbb	edx, edx
		and	edx, ecx
		jnz	short loc_9F93E8
		jmp	short loc_9F9436
; 

loc_9F940E:				; CODE XREF: EtwpFindAndLockBufferForFlushing(x,x,x)+2Bj
		push	3
		lea	edx, [esi+2Ch]
		xor	eax, eax
		pop	ecx
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_9F9436
		mov	ecx, [esi+18h]
		cmp	ecx, [ebp+arg_0]
		jnz	short loc_9F9432
		mov	ecx, [esi+1Ch]
		cmp	ecx, [ebp+arg_4]
		jnz	short loc_9F9432
		mov	eax, esi
		jmp	short loc_9F9438
; 

loc_9F9432:				; CODE XREF: EtwpFindAndLockBufferForFlushing(x,x,x)+56j
					; EtwpFindAndLockBufferForFlushing(x,x,x)+5Ej
		xor	eax, eax
		xchg	eax, [edx]

loc_9F9436:				; CODE XREF: EtwpFindAndLockBufferForFlushing(x,x,x)+18j
					; EtwpFindAndLockBufferForFlushing(x,x,x)+3Ej ...
		xor	eax, eax

loc_9F9438:				; CODE XREF: EtwpFindAndLockBufferForFlushing(x,x,x)+62j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_EtwpFindAndLockBufferForFlushing@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpSynchronizeWithElevatedIrqlLogging()
_EtwpSynchronizeWithElevatedIrqlLogging@0 proc near
					; CODE XREF: NtQueryPerformanceCounter+161p
		push	0
		push	offset _KeAbCrossThreadDeleteNopDpcRoutine@16 ;	KeAbCrossThreadDeleteNopDpcRoutine(x,x,x,x)
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		retn
_EtwpSynchronizeWithElevatedIrqlLogging@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwLogPfnInfoRundown(x, x, x, x)
_EtwLogPfnInfoRundown@16 proc near	; CODE XREF: MmLogSystemShareablePfnInfo(x,x)+F4p
					; EtwpEnumerateWorkingSet(x,x)+90p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_38], edx
		test	ecx, ecx
		jz	short loc_9F946F
		mov	ecx, [ecx+0E4h]
		jmp	short loc_9F9472
; 

loc_9F946F:				; CODE XREF: EtwLogPfnInfoRundown(x,x,x,x)+1Aj
		or	ecx, 0FFFFFFFFh

loc_9F9472:				; CODE XREF: EtwLogPfnInfoRundown(x,x,x,x)+22j
		push	ebx
		mov	[eax], ecx
		xor	ebx, ebx
		push	esi
		push	edi
		lea	edi, [eax+4]
		mov	[ebp+var_30], ebx
		mov	esi, [edi]
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], ebx
		lea	ebx, [eax+8]
		mov	[ebp+var_34], eax
		mov	[ebp+var_24], edi
		push	4
		pop	ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_1C], ecx
		test	esi, esi
		jz	short loc_9F94E7

loc_9F94A0:				; CODE XREF: EtwLogPfnInfoRundown(x,x,x,x)+9Aj
		mov	eax, 0AA6h
		cmp	esi, 0AA6h
		ja	short loc_9F94AF
		mov	eax, esi

loc_9F94AF:				; CODE XREF: EtwLogPfnInfoRundown(x,x,x,x)+60j
		and	[ebp+var_10], 0
		lea	ecx, [ebp+var_34]
		and	[ebp+var_8], 0
		push	offset byte_401802
		mov	[edi], eax
		push	284h
		imul	eax, 18h
		push	3
		push	[ebp+arg_0]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], eax
		call	EtwpLogKernelEvent
		mov	ecx, [edi]
		mov	edx, [ebp+var_38]
		imul	eax, ecx, 18h
		add	ebx, eax
		sub	esi, ecx
		jnz	short loc_9F94A0

loc_9F94E7:				; CODE XREF: EtwLogPfnInfoRundown(x,x,x,x)+53j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwLogPfnInfoRundown@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCheckGuidAccessAndDoRundown(x, x, x, x,	x, x)
_EtwpCheckGuidAccessAndDoRundown@24 proc near
					; CODE XREF: EtwpEnableDisableSpecialGuids+120052p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_C]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_8]
		mov	edx, 80h
		push	edi
		mov	[ebp+var_28], ecx
		lea	edi, [ebp+var_24]
		push	8
		pop	ecx
		rep stosd
		push	eax
		mov	ecx, offset _SystemTraceControlGuid
		call	_EtwpCheckGuidAccess@12	; EtwpCheckGuidAccess(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_9F95DF
		mov	eax, [esi+0Ch]
		cmp	eax, 80000001h
		jnz	short loc_9F95AD
		mov	edx, [esi+8]
		cmp	edx, 20h
		ja	short loc_9F95BA
		test	dl, 3
		jnz	short loc_9F95BA
		xor	eax, eax
		inc	eax
		mov	ecx, eax
		cmp	ebx, eax
		jbe	short loc_9F9573
		lea	eax, [esi+18h]

loc_9F955D:				; CODE XREF: EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)+79j
		cmp	dword ptr [eax+4], 80000004h
		jnz	short loc_9F956B
		test	byte ptr [eax],	3
		jnz	short loc_9F95BA

loc_9F956B:				; CODE XREF: EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)+6Cj
		inc	ecx
		add	eax, 10h
		cmp	ecx, ebx
		jb	short loc_9F955D

loc_9F9573:				; CODE XREF: EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)+60j
		push	edx		; size_t
		push	dword ptr [esi]	; void *
		lea	eax, [ebp+var_24]
		push	eax		; void *
		call	_memcpy
		xor	edx, edx
		lea	ecx, [ebx-1]
		add	esp, 0Ch
		inc	edx
		cmp	edx, ebx
		sbb	eax, eax
		and	eax, ecx
		cmp	edx, ebx
		mov	edx, [ebp+arg_0]
		lea	ecx, [esi+10h]
		push	eax
		sbb	eax, eax
		and	eax, ecx
		mov	ecx, [ebp+var_28]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ebp+var_24]
		push	eax
		call	_EtwpLogKernelTraceRundown@24 ;	EtwpLogKernelTraceRundown(x,x,x,x,x,x)
		jmp	short loc_9F95DD
; 

loc_9F95AD:				; CODE XREF: EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)+4Aj
		cmp	eax, 80000002h
		jnz	short loc_9F95D8
		cmp	dword ptr [esi+8], 8
		jz	short loc_9F95C1

loc_9F95BA:				; CODE XREF: EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)+52j
					; EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)+57j ...
		mov	eax, 0C000000Dh
		jmp	short loc_9F95DF
; 

loc_9F95C1:				; CODE XREF: EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)+C0j
		mov	eax, [esi]
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_28]
		push	[ebp+arg_0]
		movzx	edx, word ptr [eax]
		call	_EtwpCheckLoggerAccessAndDoRundown@16 ;	EtwpCheckLoggerAccessAndDoRundown(x,x,x,x)
		mov	edi, eax
		jmp	short loc_9F95DD
; 

loc_9F95D8:				; CODE XREF: EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)+BAj
		mov	edi, 0C000000Dh

loc_9F95DD:				; CODE XREF: EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)+B3j
					; EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)+DEj
		mov	eax, edi

loc_9F95DF:				; CODE XREF: EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)+3Cj
					; EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)+C7j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_EtwpCheckGuidAccessAndDoRundown@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCheckLoggerAccessAndDoRundown(x, x, x, x)
_EtwpCheckLoggerAccessAndDoRundown@16 proc near
					; CODE XREF: EtwpEnableDisableSpecialGuids+1200BFp
					; EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)+D7p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	1
		mov	ebx, ecx
		call	EtwpAcquireLoggerContextByLoggerId
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9F960F
		mov	edi, 0C0000296h
		jmp	short loc_9F968A
; 

loc_9F960F:				; CODE XREF: EtwpCheckLoggerAccessAndDoRundown(x,x,x,x)+16j
		mov	edx, esi
		mov	ecx, 80h
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9F9681
		test	dword ptr [esi+0Ch], 2000000h
		jz	short loc_9F964D
		movzx	eax, byte ptr [esi+25Ah]
		mov	ecx, ebx
		mov	edx, [ebp+arg_0]
		push	0
		shl	eax, 5
		push	0
		push	[ebp+arg_4]
		add	eax, 948h
		add	eax, ebx
		push	eax
		call	_EtwpLogKernelTraceRundown@24 ;	EtwpLogKernelTraceRundown(x,x,x,x,x,x)

loc_9F964D:				; CODE XREF: EtwpCheckLoggerAccessAndDoRundown(x,x,x,x)+38j
		mov	eax, [esi+258h]
		test	eax, 800h
		jz	short loc_9F966A
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_EtwpLogPmcCounterRundown@8 ; EtwpLogPmcCounterRundown(x,x)
		mov	eax, [esi+258h]

loc_9F966A:				; CODE XREF: EtwpCheckLoggerAccessAndDoRundown(x,x,x,x)+68j
		test	eax, 1000000h
		jz	short loc_9F9681
		push	[ebp+arg_0]
		mov	ecx, [esi+2B8h]
		mov	edx, ebx
		call	_EtwpStackRundown@12 ; EtwpStackRundown(x,x,x)

loc_9F9681:				; CODE XREF: EtwpCheckLoggerAccessAndDoRundown(x,x,x,x)+2Fj
					; EtwpCheckLoggerAccessAndDoRundown(x,x,x,x)+7Fj
		mov	dl, 1
		mov	ecx, esi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_9F968A:				; CODE XREF: EtwpCheckLoggerAccessAndDoRundown(x,x,x,x)+1Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_EtwpCheckLoggerAccessAndDoRundown@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpClockSourceRunDown(x, x)
_EtwpClockSourceRunDown@8 proc near	; CODE XREF: EtwpKernelTraceRundown+129FE7p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_48]
		push	8
		xor	eax, eax
		pop	ecx
		rep stosd
		test	dl, dl
		jz	short loc_9F970A
		lea	eax, [ebp+var_48]
		push	eax
		call	off_6B1380	; KeSetDmaIoCoherency(x)
		mov	eax, [ebp+var_44]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_40]
		mov	[ebp+var_20], eax
		call	_KeGetDynamicTickDisableReason@0 ; KeGetDynamicTickDisableReason()
		mov	edx, [esi+2E4h]
		lea	ecx, [ebp+var_18]
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		push	offset byte_401802
		push	0F5Ah
		movzx	eax, al
		push	1
		push	dword ptr [esi]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_18], eax
		mov	[ebp+var_10], 0Ch
		call	EtwpLogKernelEvent

loc_9F970A:				; CODE XREF: EtwpClockSourceRunDown(x,x)+22j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpClockSourceRunDown@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpEnumerateWorkingSet(x, x)
_EtwpEnumerateWorkingSet@8 proc	near	; CODE XREF: EtwpProcessEnumCallback+129EEEp
					; EtwpProcessEnumCallback+129EFCp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		mov	edi, 1000h
		mov	eax, [esi+1Ch]

loc_9F9729:				; CODE XREF: EtwpEnumerateWorkingSet(x,x)+76j
		test	eax, eax
		jnz	short loc_9F974D
		imul	eax, edi, 18h
		push	74777445h
		add	eax, 8
		push	eax
		push	200h
		mov	[esi+20h], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+1Ch], eax
		test	eax, eax
		jz	short loc_9F97AD

loc_9F974D:				; CODE XREF: EtwpEnumerateWorkingSet(x,x)+13j
		push	dword ptr [esi+20h] ; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [esi+20h]
		add	esp, 0Ch
		mov	ecx, [esi+1Ch]
		xor	edx, edx
		push	eax
		push	ecx
		lea	ecx, [ebx+240h]
		call	MiGetWorkingSetInfoEx
		mov	ecx, [esi+1Ch]
		cmp	eax, 0C0000004h
		jnz	short loc_9F9790
		mov	edi, [ecx+4]
		push	0
		push	ecx
		add	edi, 40h
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+1Ch], 0
		xor	eax, eax
		jmp	short loc_9F9729
; 

loc_9F9790:				; CODE XREF: EtwpEnumerateWorkingSet(x,x)+60j
		test	eax, eax
		js	short loc_9F97AD
		cmp	dword ptr [ecx+4], 0
		jz	short loc_9F97AD
		mov	edx, [esi+10h]
		push	ecx
		mov	ecx, ebx
		push	dword ptr [edx]
		mov	edx, [edx+2E4h]
		call	_EtwLogPfnInfoRundown@16 ; EtwLogPfnInfoRundown(x,x,x,x)

loc_9F97AD:				; CODE XREF: EtwpEnumerateWorkingSet(x,x)+33j
					; EtwpEnumerateWorkingSet(x,x)+7Aj ...
		pop	edi
		pop	esi
		pop	ebx
		retn
_EtwpEnumerateWorkingSet@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpExecutiveResourceConfigRunDown(x, x)
_EtwpExecutiveResourceConfigRunDown@8 proc near	; CODE XREF: EtwpKernelTraceRundown+129FB1p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, _EtwpExecutiveResourceReleaseSampleRate
		and	[ebp+var_10], 0
		and	[ebp+var_8], 0
		mov	[ebp+var_20], eax
		mov	eax, _EtwpExecutiveResourceContentionSampleRate
		mov	[ebp+var_1C], eax
		mov	eax, _EtwpExecutiveResourceTimeout
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_20]
		mov	[ebp+var_14], eax
		xor	eax, eax
		test	dl, dl
		mov	[ebp+var_C], 0Ch
		mov	edx, [ecx+2E4h]
		push	(offset	off_401900+2)
		setz	al
		add	eax, 0F4Dh
		push	eax
		push	1
		push	dword ptr [ecx]
		lea	ecx, [ebp+var_14]
		call	EtwpLogKernelEvent
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpExecutiveResourceConfigRunDown@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpLogFileNameRundown(x, x)
_EtwpLogFileNameRundown@8 proc near	; CODE XREF: EtwpEnableDisableSpecialGuids+12008Bp
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		push	0
		mov	edx, 80h
		mov	ecx, offset _FileProvGuid
		call	_EtwpCheckGuidAccess@12	; EtwpCheckGuidAccess(x,x,x)
		test	eax, eax
		js	short loc_9F984E
		push	ecx
		mov	ecx, [edi]
		mov	edx, esi
		call	_WmiTraceRundownNotify@12 ; WmiTraceRundownNotify(x,x,x)
		test	eax, eax
		js	short loc_9F984E
		xor	eax, eax

loc_9F984E:				; CODE XREF: EtwpLogFileNameRundown(x,x)+1Cj
					; EtwpLogFileNameRundown(x,x)+2Aj
		pop	edi
		pop	esi
		pop	ecx
		retn
_EtwpLogFileNameRundown@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogKernelTraceRundown(x, x, x, x, x, x)
_EtwpLogKernelTraceRundown@24 proc near	; CODE XREF: EtwpCheckGuidAccessAndDoRundown(x,x,x,x,x,x)+AEp
					; EtwpCheckLoggerAccessAndDoRundown(x,x,x,x)+58p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	20h
		push	[ebp+arg_0]
		mov	esi, edx
		mov	edi, ecx
		call	_EtwpLogGroupMask@16 ; EtwpLogGroupMask(x,x,x,x)
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	EtwpKernelTraceRundown
		mov	edx, esi
		mov	ecx, edi
		call	EtwpLogAlwaysPresentRundown
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_EtwpLogKernelTraceRundown@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogMemInfoRundown(x)
_EtwpLogMemInfoRundown@4 proc near	; CODE XREF: EtwpKernelTraceRundown+12A016p

var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	esi, ecx
		lea	ecx, [ebp+var_14]
		stosd
		stosd
		stosd
		call	_MmQuerySystemMemoryInformation@8 ; MmQuerySystemMemoryInformation(x,x)
		mov	edx, ecx
		mov	ecx, esi
		call	_EtwpLogMemInfo@8 ; EtwpLogMemInfo(x,x)
		mov	edx, [ebp+var_14]
		mov	ecx, esi
		call	_EtwpLogMemInfoWs@8 ; EtwpLogMemInfoWs(x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpLogMemInfoRundown@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogPmcCounterRundown(x,	x)
_EtwpLogPmcCounterRundown@8 proc near	; CODE XREF: EtwpStopLoggerInstance(x)+100p
					; EtwpCheckLoggerAccessAndDoRundown(x,x,x,x)+6Fp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ds:_EtwpMaxPmcCounter
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_1C], edx
		inc	eax
		mov	[ebp+var_10], edi
		push	74777445h
		shl	eax, 4
		mov	ebx, ecx
		push	eax
		push	200h
		mov	[ebp+var_8], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_18], esi
		test	esi, esi
		jz	loc_9F9A0E
		mov	ecx, ds:_EtwpMaxPmcCounter
		push	74777445h
		shl	ecx, 4
		push	ecx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jnz	short loc_9F9939
		push	edi
		push	esi
		jmp	loc_9F9A09
; 

loc_9F9939:				; CODE XREF: EtwpLogPmcCounterRundown(x,x)+5Ej
		mov	ebx, [ebx+2BCh]
		cmp	[ebx+10h], edi
		jz	loc_9F9A0E
		mov	eax, [ebx+10h]
		mov	edx, edi
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		mov	[esi], eax
		mov	[esi+4], edi
		mov	dword ptr [esi+8], 4
		mov	[esi+0Ch], edi
		mov	eax, [ebp+var_4]
		mov	[ebp+var_C], edx
		test	eax, eax
		jz	short loc_9F99E2
		lea	eax, [esi+1Ch]
		mov	edi, ecx
		mov	esi, eax

loc_9F9973:				; CODE XREF: EtwpLogPmcCounterRundown(x,x)+109j
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	eax, [ebx]
		mov	eax, [eax+edx*4]
		mov	[edi], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		push	10h
		push	1
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_9F9997
		mov	edx, [edi+0Ch]
		jmp	short loc_9F999C
; 

loc_9F9997:				; CODE XREF: EtwpLogPmcCounterRundown(x,x)+BEj
		mov	edx, (offset loc_8B7595+1)

loc_9F999C:				; CODE XREF: EtwpLogPmcCounterRundown(x,x)+C3j
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[ebp+var_14], eax

loc_9F99A4:				; CODE XREF: EtwpLogPmcCounterRundown(x,x)+DCj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_10]
		jnz	short loc_9F99A4
		sub	ecx, [ebp+var_14]
		add	edi, 10h
		mov	[esi-0Ch], edx
		xor	edx, edx
		sar	ecx, 1
		mov	[esi-8], edx
		mov	[esi], edx
		mov	edx, [ebp+var_C]
		lea	eax, ds:2[ecx*2]
		inc	edx
		mov	[esi-4], eax
		add	esi, 10h
		mov	eax, [ebp+var_4]
		mov	[ebp+var_C], edx
		cmp	edx, eax
		jb	short loc_9F9973
		mov	esi, [ebp+var_18]
		xor	edi, edi

loc_9F99E2:				; CODE XREF: EtwpLogPmcCounterRundown(x,x)+98j
		mov	edx, ds:_EtwpHostSiloState
		inc	eax
		push	offset byte_401802
		push	0F30h
		push	eax
		push	[ebp+var_1C]
		mov	ecx, esi
		call	EtwpLogKernelEvent
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		push	[ebp+var_20]

loc_9F9A09:				; CODE XREF: EtwpLogPmcCounterRundown(x,x)+62j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F9A0E:				; CODE XREF: EtwpLogPmcCounterRundown(x,x)+38j
					; EtwpLogPmcCounterRundown(x,x)+70j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpLogPmcCounterRundown@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLogRefSetAutoMark(x, x)
_EtwpLogRefSetAutoMark@8 proc near	; CODE XREF: EtwpKernelTraceRundown+129F49p
					; EtwpKernelTraceRundown+12A0A3p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	bl, cl
		mov	[ebp+var_1C], edi
		mov	esi, edx
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		test	bl, bl
		jz	short loc_9F9A52
		mov	eax, offset _RefSetStartString ; "RefSetStart::AutoMark"
		mov	[ebp+var_20], 1
		jmp	short loc_9F9A5A
; 

loc_9F9A52:				; CODE XREF: EtwpLogRefSetAutoMark(x,x)+2Fj
		mov	eax, offset _RefSetStopString ;	"RefSetStop::AutoMark"
		mov	[ebp+var_20], edi

loc_9F9A5A:				; CODE XREF: EtwpLogRefSetAutoMark(x,x)+3Dj
		push	eax
		push	16h
		pop	edx
		lea	ecx, [ebp+var_1C]
		call	_RtlStringCbCopyA@12 ; RtlStringCbCopyA(x,x,x)
		xor	eax, eax
		lea	edx, [ebp+var_20]
		test	bl, bl
		mov	ecx, esi
		push	edi
		setnz	al
		push	1
		add	eax, 19h
		push	eax
		call	_EtwpSetMark@20	; EtwpSetMark(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpLogRefSetAutoMark@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpObjectHandleEnumCallback(x, x, x, x)
_EtwpObjectHandleEnumCallback@16 proc near ; DATA XREF:	EtwpObjectHandleRundown(x,x)+29o

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= word ptr -58h
var_56		= word ptr -56h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	ebx
		push	esi
		mov	[ebp+var_4C], eax
		xor	esi, esi
		xor	eax, eax
		mov	[ebp+var_48], ecx
		mov	ecx, [ecx]
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_56], ax
		mov	[ebp+var_40], esi
		cmp	[edi+24h], al
		setz	al
		and	ecx, 0FFFFFFF8h
		add	eax, 1126h
		cmp	byte ptr [edi+28h], 0
		movzx	eax, ax
		mov	[ebp+var_54], eax
		lea	eax, [ecx+18h]
		mov	[ebp+var_44], eax
		mov	[ebp+var_64], eax
		mov	eax, [edi+18h]
		mov	[ebp+var_60], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_5C], eax
		jz	short loc_9F9AF5
		or	eax, 80000000h
		mov	[ebp+var_5C], eax

loc_9F9AF5:				; CODE XREF: EtwpObjectHandleEnumCallback(x,x,x,x)+5Ej
		mov	bl, byte ptr ds:_ObHeaderCookie
		mov	edx, ecx
		mov	al, [ecx+0Ch]
		xor	al, bl
		shr	edx, 8
		xor	al, dl
		mov	[ebp+var_35], bl
		mov	ebx, [edi+4]
		movzx	eax, al
		mov	[ebp+var_58], ax
		test	ebx, ebx
		jz	short loc_9F9B8D
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_50], eax
		test	eax, eax
		jz	short loc_9F9B5D
		movzx	ecx, byte ptr [ecx+0Ch]
		movzx	eax, [ebp+var_35]
		xor	ecx, eax
		movzx	eax, dl
		xor	ecx, eax
		add	ebx, 4
		mov	eax, ds:_ObTypeIndexTable[ecx*4]
		mov	eax, [eax+84h]
		mov	[ebp+var_3C], eax

loc_9F9B44:				; CODE XREF: EtwpObjectHandleEnumCallback(x,x,x,x)+CEj
		mov	edx, [ebx]
		mov	ecx, eax
		call	_ExCheckSingleFilter@8 ; ExCheckSingleFilter(x,x)
		test	eax, eax
		jnz	short loc_9F9B8B
		mov	eax, [ebp+var_3C]
		inc	esi
		add	ebx, 4
		cmp	esi, [ebp+var_50]
		jb	short loc_9F9B44

loc_9F9B5D:				; CODE XREF: EtwpObjectHandleEnumCallback(x,x,x,x)+93j
		mov	ecx, [ebp+var_48]
		xor	eax, eax
		inc	eax
		lock xadd [ecx], eax
		mov	ecx, [ebp+var_4C]
		lea	eax, [ebp+var_3C]
		and	[ebp+var_3C], 0
		add	ecx, 20h
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	loc_9F9CA0
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)
		jmp	loc_9F9CA0
; 

loc_9F9B8B:				; CODE XREF: EtwpObjectHandleEnumCallback(x,x,x,x)+C2j
		xor	esi, esi

loc_9F9B8D:				; CODE XREF: EtwpObjectHandleEnumCallback(x,x,x,x)+89j
		mov	ecx, [ebp+var_44]
		mov	edx, 54777445h
		call	ObfReferenceObjectWithTag
		mov	ecx, [ebp+var_48]
		xor	ebx, ebx
		inc	ebx
		mov	eax, ebx
		lock xadd [ecx], eax
		mov	ecx, [ebp+var_4C]
		lea	eax, [ebp+var_3C]
		add	ecx, 20h
		mov	[ebp+var_3C], esi
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], esi
		jz	short loc_9F9BC0
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_9F9BC0:				; CODE XREF: EtwpObjectHandleEnumCallback(x,x,x,x)+12Cj
		lea	eax, [ebp+var_64]
		mov	[ebp+var_30], esi
		mov	[ebp+var_34], eax
		movzx	eax, word ptr [edi+0Ch]
		mov	[ebp+var_28], esi
		mov	esi, [edi+8]
		mov	[ebp+var_2C], 0Eh
		mov	[ebp+var_40], eax

loc_9F9BDD:				; CODE XREF: EtwpObjectHandleEnumCallback(x,x,x,x)+18Fj
		push	0
		lea	ecx, [ebp+var_40]
		mov	edx, esi
		push	ecx
		mov	ecx, [ebp+var_44]
		push	eax
		call	ObQueryNameStringMode
		mov	[ebp+var_3C], eax
		cmp	eax, 0C0000004h
		jnz	short loc_9F9C1E
		cmp	esi, [edi+8]
		jz	short loc_9F9C05
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F9C05:				; CODE XREF: EtwpObjectHandleEnumCallback(x,x,x,x)+16Ej
		push	74777445h
		push	[ebp+var_40]
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9F9C1E
		mov	eax, [ebp+var_40]
		jmp	short loc_9F9BDD
; 

loc_9F9C1E:				; CODE XREF: EtwpObjectHandleEnumCallback(x,x,x,x)+169j
					; EtwpObjectHandleEnumCallback(x,x,x,x)+18Aj
		mov	ecx, [ebp+var_44]
		mov	edx, 54777445h
		call	ObfDereferenceObjectWithTag
		cmp	[ebp+var_3C], 0
		push	2
		pop	edx
		jnz	short loc_9F9C56
		movzx	eax, word ptr [esi]
		mov	ecx, 2000h
		cmp	ax, cx
		jnb	short loc_9F9C43
		mov	ecx, eax

loc_9F9C43:				; CODE XREF: EtwpObjectHandleEnumCallback(x,x,x,x)+1B2j
		mov	eax, [esi+4]
		mov	ebx, edx
		and	[ebp+var_20], 0
		and	[ebp+var_18], 0
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], ecx

loc_9F9C56:				; CODE XREF: EtwpObjectHandleEnumCallback(x,x,x,x)+1A5j
		mov	eax, ebx
		lea	ecx, [ebp+var_34]
		add	eax, eax
		push	offset byte_401802
		push	[ebp+var_54]
		and	[ebp+eax*8+var_30], 0
		and	[ebp+eax*8+var_28], 0
		mov	[ebp+eax*8+var_2C], edx
		mov	edx, [edi+10h]
		mov	[ebp+eax*8+var_34], offset _EtwpNull
		lea	eax, [ebx+1]
		push	eax
		push	dword ptr [edx]
		mov	edx, [edx+2E4h]
		call	EtwpLogKernelEvent
		test	esi, esi
		jz	short loc_9F9CA0
		cmp	esi, [edi+8]
		jz	short loc_9F9CA0
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F9CA0:				; CODE XREF: EtwpObjectHandleEnumCallback(x,x,x,x)+EEj
					; EtwpObjectHandleEnumCallback(x,x,x,x)+F9j ...
		mov	ecx, [ebp+var_4]
		xor	al, al
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_EtwpObjectHandleEnumCallback@16 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpObjectHandleRundown(x, x)
_EtwpObjectHandleRundown@8 proc	near	; CODE XREF: EtwpProcessEnumCallback+129F16p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_ObReferenceProcessHandleTable@4 ; ObReferenceProcessHandleTable(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_9F9CFB
		push	esi
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		push	0
		mov	[edi+18h], eax
		mov	ecx, [esi+3A8h]
		push	edi
		shr	ecx, 0Ch
		push	offset _EtwpObjectHandleEnumCallback@16	; EtwpObjectHandleEnumCallback(x,x,x,x)
		and	cl, 1
		push	ebx
		mov	[edi+28h], cl
		call	ExEnumHandleTable
		lea	ecx, [esi+0F0h]
		pop	edi
		pop	esi
		pop	ebx
		jmp	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
; 

loc_9F9CFB:				; CODE XREF: EtwpObjectHandleRundown(x,x)+12j
		pop	edi
		pop	esi
		pop	ebx
		retn
_EtwpObjectHandleRundown@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpObjectTypeRundown(x, x)
_EtwpObjectTypeRundown@8 proc near	; CODE XREF: EtwpKernelTraceRundown+12A064p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= word ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_34], ecx
		mov	bl, dl
		mov	[ebp+var_2C], edi
		mov	[ebp+var_28], di
		mov	esi, edi
		mov	[ebp+var_30], 400h

loc_9F9D2B:				; CODE XREF: EtwpObjectTypeRundown(x,x)+65j
		test	esi, esi
		jz	short loc_9F9D36
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F9D36:				; CODE XREF: EtwpObjectTypeRundown(x,x)+2Ej
		push	74777445h
		push	[ebp+var_30]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_9F9DFA
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_30]
		push	esi
		push	3
		push	edi
		call	_ZwQueryObject@20 ; ZwQueryObject(x,x,x,x,x)
		cmp	eax, 0C0000004h
		jz	short loc_9F9D2B
		test	eax, eax
		js	loc_9F9DF3
		xor	eax, eax
		mov	[ebp+var_20], edi
		test	bl, bl
		mov	[ebp+var_18], edi
		mov	[ebp+var_1C], 4
		lea	edi, [esi+4]
		setz	al
		xor	ebx, ebx
		add	eax, 1124h
		movzx	edx, ax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_24], eax
		mov	[ebp+var_38], edx
		cmp	[esi], ebx
		jbe	short loc_9F9DF1

loc_9F9D9C:				; CODE XREF: EtwpObjectTypeRundown(x,x)+F0j
		test	ebx, ebx
		jz	short loc_9F9DDD
		movzx	eax, byte ptr [edi+52h]
		mov	word ptr [ebp+var_2C], ax
		movzx	ecx, word ptr [edi]
		mov	eax, [edi+4]
		add	ecx, 2
		and	[ebp+var_10], 0
		and	[ebp+var_8], 0
		push	offset byte_401802
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_34]
		push	edx
		push	2
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_24]
		push	dword ptr [eax]
		mov	edx, [eax+2E4h]
		call	EtwpLogKernelEvent
		mov	edx, [ebp+var_38]

loc_9F9DDD:				; CODE XREF: EtwpObjectTypeRundown(x,x)+9Fj
		movzx	eax, word ptr [edi+2]
		add	edi, 60h
		add	eax, 3
		and	eax, 0FFFFFFFCh
		add	edi, eax
		inc	ebx
		cmp	ebx, [esi]
		jb	short loc_9F9D9C

loc_9F9DF1:				; CODE XREF: EtwpObjectTypeRundown(x,x)+9Bj
		xor	edi, edi

loc_9F9DF3:				; CODE XREF: EtwpObjectTypeRundown(x,x)+69j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F9DFA:				; CODE XREF: EtwpObjectTypeRundown(x,x)+4Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpObjectTypeRundown@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpPoolRunDown(x, x)
_EtwpPoolRunDown@8 proc	near		; CODE XREF: EtwpKernelTraceRundown+129FD9p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_51		= byte ptr -51h
var_50		= dword	ptr -50h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_68], ecx
		push	6
		pop	ecx
		xor	ebx, ebx
		mov	[ebp+var_51], dl
		lea	edi, [ebp+var_50]
		mov	[ebp+var_74], ebx
		rep stosd
		lea	eax, [ebp+var_58]
		mov	[ebp+var_58], ebx
		mov	[ebp+var_38], eax
		mov	esi, ebx
		xor	eax, eax
		mov	[ebp+var_6C], ebx
		test	dl, dl
		mov	[ebp+var_34], ebx
		push	20h
		setz	al
		mov	[ebp+var_30], 4
		add	eax, 0E28h
		mov	[ebp+var_2C], ebx
		movzx	eax, ax
		pop	edi
		mov	[ebp+var_64], eax
		mov	[ebp+var_5C], edi

loc_9F9E66:				; CODE XREF: EtwpPoolRunDown(x,x)+95j
		test	esi, esi
		jz	short loc_9F9E71
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F9E71:				; CODE XREF: EtwpPoolRunDown(x,x)+5Fj
		push	74777445h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_60], esi
		test	esi, esi
		jz	short loc_9F9EFB
		lea	eax, [ebp+var_5C]
		mov	edx, edi
		push	eax
		mov	ecx, esi
		call	ExGetPoolTagInfo
		cmp	eax, 0C0000004h
		jnz	short loc_9F9EA0
		mov	edi, [ebp+var_5C]
		jmp	short loc_9F9E66
; 

loc_9F9EA0:				; CODE XREF: EtwpPoolRunDown(x,x)+90j
		test	eax, eax
		js	short loc_9F9EFB
		mov	edi, [esi]
		lea	ebx, [esi+4]
		test	edi, edi
		jz	short loc_9F9EF9
		mov	esi, [ebp+var_64]

loc_9F9EB0:				; CODE XREF: EtwpPoolRunDown(x,x)+EBj
		cmp	edi, 64h
		jbe	short loc_9F9EBA
		push	64h
		pop	eax
		jmp	short loc_9F9EBC
; 

loc_9F9EBA:				; CODE XREF: EtwpPoolRunDown(x,x)+AAj
		mov	eax, edi

loc_9F9EBC:				; CODE XREF: EtwpPoolRunDown(x,x)+AFj
		and	[ebp+var_24], 0
		lea	ecx, [ebp+var_38]
		and	[ebp+var_1C], 0
		mov	[ebp+var_58], eax
		imul	eax, 1Ch
		push	offset byte_401802
		push	esi
		push	2
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_68]
		push	dword ptr [eax]
		mov	edx, [eax+2E4h]
		call	EtwpLogKernelEvent
		imul	eax, [ebp+var_58], 1Ch
		add	ebx, eax
		sub	edi, [ebp+var_58]
		jnz	short loc_9F9EB0
		mov	esi, [ebp+var_60]

loc_9F9EF9:				; CODE XREF: EtwpPoolRunDown(x,x)+A2j
		xor	ebx, ebx

loc_9F9EFB:				; CODE XREF: EtwpPoolRunDown(x,x)+7Cj
					; EtwpPoolRunDown(x,x)+99j
		xor	eax, eax
		cmp	[ebp+var_51], al
		push	10h
		setz	al
		add	eax, 0E2Ah
		movzx	eax, ax
		pop	edi
		mov	[ebp+var_64], eax
		mov	[ebp+var_5C], edi

loc_9F9F14:				; CODE XREF: EtwpPoolRunDown(x,x)+145j
		test	esi, esi
		jz	short loc_9F9F1F
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F9F1F:				; CODE XREF: EtwpPoolRunDown(x,x)+10Dj
		push	74777445h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_60], esi
		test	esi, esi
		jz	short loc_9F9FA9
		lea	eax, [ebp+var_5C]
		mov	edx, edi
		push	eax
		push	1
		mov	ecx, esi
		call	_ExGetBigPoolInfo@16 ; ExGetBigPoolInfo(x,x,x,x)
		cmp	eax, 0C0000004h
		jnz	short loc_9F9F50
		mov	edi, [ebp+var_5C]
		jmp	short loc_9F9F14
; 

loc_9F9F50:				; CODE XREF: EtwpPoolRunDown(x,x)+140j
		test	eax, eax
		js	short loc_9F9FA9
		mov	edi, [esi]
		lea	ebx, [esi+4]
		test	edi, edi
		jz	short loc_9F9FA9
		mov	esi, [ebp+var_64]

loc_9F9F60:				; CODE XREF: EtwpPoolRunDown(x,x)+19Bj
		cmp	edi, 64h
		jbe	short loc_9F9F6A
		push	64h
		pop	eax
		jmp	short loc_9F9F6C
; 

loc_9F9F6A:				; CODE XREF: EtwpPoolRunDown(x,x)+15Aj
		mov	eax, edi

loc_9F9F6C:				; CODE XREF: EtwpPoolRunDown(x,x)+15Fj
		and	[ebp+var_24], 0
		lea	ecx, [ebp+var_38]
		and	[ebp+var_1C], 0
		mov	[ebp+var_58], eax
		imul	eax, 0Ch
		push	offset byte_401802
		push	esi
		push	2
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_68]
		push	dword ptr [eax]
		mov	edx, [eax+2E4h]
		call	EtwpLogKernelEvent
		imul	eax, [ebp+var_58], 0Ch
		add	ebx, eax
		sub	edi, [ebp+var_58]
		jnz	short loc_9F9F60
		mov	esi, [ebp+var_60]

loc_9F9FA9:				; CODE XREF: EtwpPoolRunDown(x,x)+12Aj
					; EtwpPoolRunDown(x,x)+149j ...
		xor	ecx, ecx
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	ebx, eax
		mov	[ebp+var_64], ebx
		jmp	loc_9FA18B
; 

loc_9F9FBA:				; CODE XREF: EtwpPoolRunDown(x,x)+384j
		lea	edx, [ebp+var_50]
		mov	ecx, ebx
		call	MmAttachSession
		test	eax, eax
		js	loc_9FA17F
		mov	ecx, ebx
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		mov	[ebp+var_6C], eax
		mov	edi, 0AF0h
		xor	eax, eax
		cmp	[ebp+var_51], al
		setz	al
		add	eax, 0E2Ch
		movzx	eax, ax
		mov	[ebp+var_70], eax

loc_9F9FEE:				; CODE XREF: EtwpPoolRunDown(x,x)+225j
		test	esi, esi
		jz	short loc_9F9FFA
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9F9FFA:				; CODE XREF: EtwpPoolRunDown(x,x)+1E7j
		push	74777445h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_60], esi
		test	esi, esi
		jz	loc_9FA0A4
		lea	eax, [ebp+var_74]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_58]
		mov	ecx, esi
		push	eax
		call	ExGetSessionPoolTagInfo
		imul	edi, [ebp+var_74], 1Ch
		cmp	eax, 0C0000004h
		jz	short loc_9F9FEE
		test	eax, eax
		js	short loc_9FA0A4
		and	[ebp+var_24], 0
		lea	eax, [ebp+var_6C]
		and	[ebp+var_1C], 0
		mov	edi, [ebp+var_58]
		mov	[ebp+var_28], eax
		mov	[ebp+var_20], 4
		mov	[ebp+var_5C], esi
		test	edi, edi
		jz	short loc_9FA0A4
		mov	ebx, esi
		mov	esi, [ebp+var_70]

loc_9FA058:				; CODE XREF: EtwpPoolRunDown(x,x)+293j
		cmp	edi, 64h
		jbe	short loc_9FA062
		push	64h
		pop	eax
		jmp	short loc_9FA064
; 

loc_9FA062:				; CODE XREF: EtwpPoolRunDown(x,x)+252j
		mov	eax, edi

loc_9FA064:				; CODE XREF: EtwpPoolRunDown(x,x)+257j
		and	[ebp+var_14], 0
		lea	ecx, [ebp+var_38]
		and	[ebp+var_C], 0
		mov	[ebp+var_58], eax
		imul	eax, 1Ch
		push	offset byte_401802
		push	esi
		push	3
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_68]
		push	dword ptr [eax]
		mov	edx, [eax+2E4h]
		call	EtwpLogKernelEvent
		imul	eax, [ebp+var_58], 1Ch
		add	ebx, eax
		sub	edi, [ebp+var_58]
		jnz	short loc_9FA058
		mov	esi, [ebp+var_60]
		mov	ebx, [ebp+var_64]

loc_9FA0A4:				; CODE XREF: EtwpPoolRunDown(x,x)+205j
					; EtwpPoolRunDown(x,x)+229j ...
		xor	eax, eax
		cmp	[ebp+var_51], al
		push	18h
		setz	al
		add	eax, 0E2Eh
		movzx	eax, ax
		pop	edi
		mov	[ebp+var_78], eax
		mov	[ebp+var_5C], edi

loc_9FA0BD:				; CODE XREF: EtwpPoolRunDown(x,x)+2F3j
		test	esi, esi
		jz	short loc_9FA0C9
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FA0C9:				; CODE XREF: EtwpPoolRunDown(x,x)+2B6j
		push	74777445h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_60], esi
		test	esi, esi
		jz	loc_9FA175
		lea	eax, [ebp+var_5C]
		mov	edx, edi
		push	eax
		push	0
		mov	ecx, esi
		call	_ExGetBigPoolInfo@16 ; ExGetBigPoolInfo(x,x,x,x)
		cmp	eax, 0C0000004h
		jnz	short loc_9FA0FE
		mov	edi, [ebp+var_5C]
		jmp	short loc_9FA0BD
; 

loc_9FA0FE:				; CODE XREF: EtwpPoolRunDown(x,x)+2EEj
		test	eax, eax
		js	short loc_9FA175
		and	[ebp+var_24], 0
		lea	eax, [ebp+var_6C]
		and	[ebp+var_1C], 0
		mov	[ebp+var_28], eax
		lea	eax, [esi+0Ch]
		mov	[ebp+var_20], 4
		mov	edi, [esi+8]
		mov	[ebp+var_70], eax
		test	edi, edi
		jz	short loc_9FA175
		mov	esi, [ebp+var_78]
		mov	ebx, eax

loc_9FA129:				; CODE XREF: EtwpPoolRunDown(x,x)+364j
		cmp	edi, 64h
		jbe	short loc_9FA133
		push	64h
		pop	eax
		jmp	short loc_9FA135
; 

loc_9FA133:				; CODE XREF: EtwpPoolRunDown(x,x)+323j
		mov	eax, edi

loc_9FA135:				; CODE XREF: EtwpPoolRunDown(x,x)+328j
		and	[ebp+var_14], 0
		lea	ecx, [ebp+var_38]
		and	[ebp+var_C], 0
		mov	[ebp+var_58], eax
		imul	eax, 0Ch
		push	offset byte_401802
		push	esi
		push	3
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_68]
		push	dword ptr [eax]
		mov	edx, [eax+2E4h]
		call	EtwpLogKernelEvent
		imul	eax, [ebp+var_58], 0Ch
		add	ebx, eax
		sub	edi, [ebp+var_58]
		jnz	short loc_9FA129
		mov	esi, [ebp+var_60]
		mov	ebx, [ebp+var_64]

loc_9FA175:				; CODE XREF: EtwpPoolRunDown(x,x)+2D4j
					; EtwpPoolRunDown(x,x)+2F7j ...
		lea	edx, [ebp+var_50]
		mov	ecx, ebx
		call	MmDetachSession

loc_9FA17F:				; CODE XREF: EtwpPoolRunDown(x,x)+1BDj
		mov	ecx, ebx
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	ebx, eax
		mov	[ebp+var_64], eax

loc_9FA18B:				; CODE XREF: EtwpPoolRunDown(x,x)+1ACj
		test	ebx, ebx
		jnz	loc_9F9FBA
		test	esi, esi
		jz	short loc_9FA19E
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FA19E:				; CODE XREF: EtwpPoolRunDown(x,x)+38Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpPoolRunDown@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpProcessPerfCtrsRundown(x, x)
_EtwpProcessPerfCtrsRundown@8 proc near	; CODE XREF: EtwpProcessEnumCallback+129F26p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_44], 0
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		xor	edx, edx
		mov	eax, [esi+0E4h]
		mov	[ebp+var_50], eax
		call	_ObGetProcessHandleCount@8 ; ObGetProcessHandleCount(x,x)
		mov	[ebp+var_48], eax
		lea	ecx, [ebp+var_14]
		mov	eax, [esi+244h]
		mov	[ebp+var_4C], eax
		mov	eax, [esi+11Ch]
		mov	[ebp+var_2C], eax
		mov	eax, [esi+118h]
		mov	[ebp+var_40], eax
		mov	eax, [esi+280h]
		shl	eax, 0Ch
		mov	[ebp+var_28], eax
		mov	eax, [esi+294h]
		shl	eax, 0Ch
		mov	[ebp+var_3C], eax
		mov	eax, [esi+10Ch]
		mov	[ebp+var_20], eax
		mov	eax, [esi+114h]
		mov	[ebp+var_34], eax
		mov	eax, [esi+108h]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+110h]
		mov	[ebp+var_30], eax
		mov	eax, [esi+224h]
		shl	eax, 0Ch
		mov	[ebp+var_24], eax
		mov	eax, [esi+228h]
		mov	edx, [edi+2E4h]
		and	[ebp+var_10], 0
		and	[ebp+var_8], 0
		push	offset byte_401802
		shl	eax, 0Ch
		push	321h
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_24]
		push	1
		push	dword ptr [edi]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], 3Ch
		call	EtwpLogKernelEvent
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpProcessPerfCtrsRundown@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpProcessorRundown(x, x)
_EtwpProcessorRundown@8	proc near	; CODE XREF: EtwpKernelTraceRundown+12A070p

var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0FCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0C0h		; size_t
		lea	eax, [ebp+var_E8]
		mov	ebx, ecx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_F4], ebx
		call	_memset
		add	esp, 0Ch
		lea	esi, [ebp+var_E8]
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	[ebp+var_EC], eax
		cmp	eax, 20h
		jbe	short loc_9FA2FD
		push	74777445h
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9FA374
		mov	eax, [ebp+var_EC]

loc_9FA2FD:				; CODE XREF: EtwpProcessorRundown(x,x)+4Fj
		xor	edi, edi
		test	eax, eax
		jz	short loc_9FA320
		mov	ebx, esi

loc_9FA305:				; CODE XREF: EtwpProcessorRundown(x,x)+88j
		push	ebx
		push	edi
		call	_KeGetProcessorNumberFromIndex@8 ; KeGetProcessorNumberFromIndex(x,x)
		mov	eax, [ebp+var_EC]
		inc	edi
		add	ebx, 4
		cmp	edi, eax
		jb	short loc_9FA305
		mov	ebx, [ebp+var_F4]

loc_9FA320:				; CODE XREF: EtwpProcessorRundown(x,x)+71j
		mov	edx, [ebx+2E4h]
		lea	ecx, [ebp+var_EC]
		push	offset byte_401802
		push	0B1Bh
		xor	edi, edi
		mov	[ebp+var_28], ecx
		push	2
		push	dword ptr [ebx]
		shl	eax, 2
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], 4
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], edi
		call	EtwpLogKernelEvent
		lea	eax, [ebp+var_E8]
		cmp	esi, eax
		jz	short loc_9FA374
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FA374:				; CODE XREF: EtwpProcessorRundown(x,x)+65j
					; EtwpProcessorRundown(x,x)+DBj
		call	_KeQueryActiveGroupCount@0 ; KeQueryActiveGroupCount()
		movzx	edi, ax
		xor	esi, esi
		mov	[ebp+var_F8], edi
		test	edi, edi
		jz	short loc_9FA39A

loc_9FA388:				; CODE XREF: EtwpProcessorRundown(x,x)+108j
		push	esi
		call	_KeQueryGroupAffinity@4	; KeQueryGroupAffinity(x)
		mov	[ebp+esi*4+var_E8], eax
		inc	esi
		cmp	esi, edi
		jb	short loc_9FA388

loc_9FA39A:				; CODE XREF: EtwpProcessorRundown(x,x)+F6j
		mov	edx, [ebx+2E4h]
		lea	eax, [ebp+var_F8]
		and	[ebp+var_24], 0
		lea	ecx, [ebp+var_28]
		and	[ebp+var_1C], 0
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_E8]
		push	offset byte_401802
		push	0B1Ah
		mov	[ebp+var_18], eax
		mov	eax, edi
		push	2
		push	dword ptr [ebx]
		shl	eax, 2
		mov	[ebp+var_20], 4
		mov	[ebp+var_10], eax
		call	EtwpLogKernelEvent
		call	_KeQueryHighestNodeNumber@0 ; KeQueryHighestNodeNumber()
		movzx	eax, ax
		xor	esi, esi
		add	eax, 1
		mov	[ebp+var_F0], eax
		jz	short loc_9FA419
		lea	edi, [ebp+var_E8]

loc_9FA402:				; CODE XREF: EtwpProcessorRundown(x,x)+187j
		push	0
		push	edi
		push	esi
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		mov	eax, [ebp+var_F0]
		inc	esi
		add	edi, 0Ch
		cmp	esi, eax
		jb	short loc_9FA402

loc_9FA419:				; CODE XREF: EtwpProcessorRundown(x,x)+16Aj
		mov	edx, [ebx+2E4h]
		lea	ecx, [ebp+var_F0]
		and	[ebp+var_24], 0
		and	[ebp+var_1C], 0
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		push	offset byte_401802
		push	0B18h
		mov	[ebp+var_28], ecx
		lea	ecx, [ebp+var_E8]
		imul	eax, 0Ch
		push	2
		push	dword ptr [ebx]
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_28]
		mov	[ebp+var_20], 4
		mov	[ebp+var_10], eax
		call	EtwpLogKernelEvent
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpProcessorRundown@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpPsProvCaptureState(x, x, x)
_EtwpPsProvCaptureState@12 proc	near	; CODE XREF: EtwpCrimsonProvEnableCallback+8511Bp
					; EtwpTraceLoggingProvEnableCallback+84EAEp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_F		= byte ptr -0Fh
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1Ch+var_4], eax
		push	edi
		xor	eax, eax
		lea	edi, [esp+20h+var_18]
		stosd
		cmp	ecx, offset _PsProvTraceLoggingGuid
		push	0
		stosd
		stosd
		stosd
		setz	[esp+24h+var_F]
		mov	eax, [ebp+arg_0]
		mov	[esp+24h+var_18], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+24h+var_14], eax
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	byte ptr [esp+20h+var_1C], al
		lea	eax, [esp+20h+var_18]
		push	eax
		push	ds:_PsIdleProcess
		call	_EtwpPsProvProcessEnumCallback@8 ; EtwpPsProvProcessEnumCallback(x,x)
		lea	edx, [esp+20h+var_18]
		mov	ecx, offset _EtwpPsProvProcessEnumCallback@8 ; EtwpPsProvProcessEnumCallback(x,x)
		call	PsEnumProcesses
		push	[esp+20h+var_1C]
		call	_IoSetThreadHardErrorMode@4 ; IoSetThreadHardErrorMode(x)
		mov	ecx, [esp+20h+var_4]
		pop	edi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_EtwpPsProvCaptureState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpPsProvProcessEnumCallback(x, x)
_EtwpPsProvProcessEnumCallback@8 proc near ; CODE XREF:	EtwpPsProvCaptureState(x,x,x)+50p
					; DATA XREF: EtwpPsProvCaptureState(x,x,x)+59o

var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_198		= dword	ptr -198h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1C4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1C4h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	6
		pop	ecx
		push	18Ch		; size_t
		lea	edi, [esp+1D4h+var_1B0]
		mov	byte ptr [esp+1D4h+var_1BC], al
		push	eax		; int
		rep stosd
		mov	[esp+1D8h+var_1B8], eax
		mov	[esp+1D8h+var_1B4], eax
		lea	eax, [esp+1D8h+var_198]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi
		call	_EtwpIsProcessZombie@4 ; EtwpIsProcessZombie(x)
		test	eax, eax
		jnz	loc_9FA648
		cmp	[ebx+9], al
		jz	short loc_9FA58B
		mov	eax, [ebx]
		and	eax, 1
		or	eax, 0
		jz	loc_9FA648
		cmp	esi, ds:_PsIdleProcess
		jz	loc_9FA648
		test	dword ptr [esi+3A8h], 1000h
		jnz	loc_9FA648
		push	5
		pop	edx
		call	PsSetProcessTelemetryAppState
		jmp	loc_9FA648
; 

loc_9FA58B:				; CODE XREF: EtwpPsProvProcessEnumCallback(x,x)+61j
		mov	byte ptr [ebx+8], 0
		cmp	esi, ds:_PsIdleProcess
		jz	short loc_9FA5CC
		mov	eax, large fs:124h
		cmp	[eax+80h], esi
		jz	short loc_9FA5CC
		lea	ecx, [esi+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_9FA5CC
		lea	eax, [esp+1D0h+var_1B0]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	KiStackAttachProcess
		xor	eax, eax
		inc	eax
		mov	[esp+1D0h+var_1BC], eax
		mov	[ebx+8], al

loc_9FA5CC:				; CODE XREF: EtwpPsProvProcessEnumCallback(x,x)+A4j
					; EtwpPsProvProcessEnumCallback(x,x)+B2j ...
		mov	eax, [ebx]
		and	eax, 10h
		or	eax, 0
		jz	short loc_9FA62B
		push	esi
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		and	[esp+1D0h+var_1C0], 0
		lea	edx, [esp+1D0h+var_198]
		mov	edi, eax
		lea	eax, [esp+1D0h+var_1C0]
		push	eax
		mov	ecx, edi
		call	_EtwpQueryTokenPackageInfo@12 ;	EtwpQueryTokenPackageInfo(x,x,x)
		cmp	byte ptr [ebx+8], 0
		jz	short loc_9FA604
		lea	edx, [esp+1D0h+var_1B8]
		mov	ecx, esi
		call	EtwpQueryProcessOtherInfo

loc_9FA604:				; CODE XREF: EtwpPsProvProcessEnumCallback(x,x)+106j
		lea	ecx, [esi+12Ch]
		mov	edx, edi
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	edx, [esp+1D0h+var_1C0]
		lea	eax, [esp+1D0h+var_1B8]
		push	303h
		push	eax
		lea	eax, [esp+1D8h+var_198]
		mov	ecx, esi
		push	eax
		call	EtwpPsProvTraceProcess

loc_9FA62B:				; CODE XREF: EtwpPsProvProcessEnumCallback(x,x)+E3j
		cmp	byte ptr [esp+1D0h+var_1BC], 0
		jz	short loc_9FA648
		xor	edx, edx
		lea	ecx, [esp+1D0h+var_1B0]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_9FA648:				; CODE XREF: EtwpPsProvProcessEnumCallback(x,x)+58j
					; EtwpPsProvProcessEnumCallback(x,x)+6Bj ...
		mov	ecx, [esp+1D0h+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_EtwpPsProvProcessEnumCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSampledProfileRunDown(x, x, x)
_EtwpSampledProfileRunDown@12 proc near	; CODE XREF: EtwpKernelTraceRundown+129F7Cp
					; EtwpKernelTraceRundown+129F8Fp

var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		xor	eax, eax
		mov	[ebp+var_48], ecx
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_38]
		xor	ecx, ecx
		stosd
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ecx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_58]
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		test	dl, dl
		setz	al
		add	eax, 0F49h
		movzx	eax, ax
		mov	[ebp+var_44], eax
		cmp	[ebp+arg_0], cl
		jz	short loc_9FA6B3
		xor	esi, esi
		mov	eax, offset _EtwpProfileObject
		inc	esi
		jmp	short loc_9FA6D6
; 

loc_9FA6B3:				; CODE XREF: EtwpSampledProfileRunDown(x,x,x)+46j
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		push	offset _EtwpGroupMaskMutex
		call	KeWaitForSingleObject
		mov	esi, _EtwpPmcProfile
		mov	eax, dword_6BC3A4
		test	esi, esi
		jz	loc_9FA78B
		xor	ecx, ecx

loc_9FA6D6:				; CODE XREF: EtwpSampledProfileRunDown(x,x,x)+50j
		lea	ebx, [eax+30h]
		jmp	short loc_9FA6DD
; 

loc_9FA6DB:				; CODE XREF: EtwpSampledProfileRunDown(x,x,x)+11Ej
		xor	ecx, ecx

loc_9FA6DD:				; CODE XREF: EtwpSampledProfileRunDown(x,x,x)+78j
		movsx	edi, word ptr [ebx]
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_3C], ecx
		push	eax
		push	10h
		push	1
		mov	[ebp+var_58], edi
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		xor	ecx, ecx
		test	eax, eax
		js	short loc_9FA706
		mov	eax, [ebp+var_50]
		mov	edx, [ebp+var_4C]
		jmp	short loc_9FA70D
; 

loc_9FA706:				; CODE XREF: EtwpSampledProfileRunDown(x,x,x)+9Bj
		mov	eax, ecx
		mov	edx, (offset loc_8B7595+1)

loc_9FA70D:				; CODE XREF: EtwpSampledProfileRunDown(x,x,x)+A3j
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		test	edx, edx
		jnz	short loc_9FA71F
		mov	edx, (offset loc_8B7595+1)

loc_9FA71F:				; CODE XREF: EtwpSampledProfileRunDown(x,x,x)+B7j
		mov	[ebp+var_28], ecx
		lea	eax, [ebp+var_38]
		mov	[ebp+var_20], ecx
		mov	ecx, edx
		mov	[ebp+var_2C], eax
		mov	[ebp+var_24], 0Ch
		lea	edi, [ecx+2]

loc_9FA737:				; CODE XREF: EtwpSampledProfileRunDown(x,x,x)+E0j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_40]
		jnz	short loc_9FA737
		sub	ecx, edi
		mov	[ebp+var_1C], edx
		sar	ecx, 1
		xor	edx, edx
		push	(offset	off_401900+3)
		push	[ebp+var_44]
		mov	[ebp+var_18], edx
		lea	eax, ds:2[ecx*2]
		mov	[ebp+var_10], edx
		mov	[ebp+var_14], eax
		lea	ecx, [ebp+var_2C]
		mov	eax, [ebp+var_48]
		push	2
		push	dword ptr [eax]
		mov	edx, [eax+2E4h]
		call	EtwpLogKernelEvent
		add	ebx, 34h
		sub	esi, 1
		jnz	loc_9FA6DB
		cmp	[ebp+arg_0], 0
		jnz	short loc_9FA798

loc_9FA78B:				; CODE XREF: EtwpSampledProfileRunDown(x,x,x)+6Dj
		xor	eax, eax
		push	eax
		push	offset _EtwpGroupMaskMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_9FA798:				; CODE XREF: EtwpSampledProfileRunDown(x,x,x)+128j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwpSampledProfileRunDown@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSpinLockConfigRunDown(x, x)
_EtwpSpinLockConfigRunDown@8 proc near	; CODE XREF: EtwpKernelTraceRundown+129FA0p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ds:_EtwpSpinLockSpinThreshold
		and	[ebp+var_14], 0
		and	[ebp+var_C], 0
		mov	[ebp+var_28], eax
		mov	eax, ds:_EtwpSpinLockAcquireSampleRate
		mov	[ebp+var_20], eax
		mov	eax, ds:_EtwpSpinLockContentionSampleRate
		mov	[ebp+var_24], eax
		mov	eax, ds:_EtwpSpinLockHoldThreshold
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_18], eax
		xor	eax, eax
		test	dl, dl
		mov	[ebp+var_10], 10h
		mov	edx, [ecx+2E4h]
		push	501903h
		setz	al
		add	eax, 0F4Bh
		push	eax
		push	1
		push	dword ptr [ecx]
		lea	ecx, [ebp+var_18]
		call	EtwpLogKernelEvent
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwpSpinLockConfigRunDown@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpDeleteSessionDemuxObject(x)
_EtwpDeleteSessionDemuxObject@4	proc near
					; DATA XREF: EtwpInitializePrivateSessionDemuxObject()+5Do

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= word ptr -2
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [esi+10h]
		test	edi, edi
		jz	short loc_9FA8A8
		push	ebx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+1F0h]
		mov	eax, large fs:124h
		mov	[ebp+arg_0], ecx
		dec	word ptr [eax+13Ch]
		nop
		lea	ebx, [ecx+8B4h]
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_9FA8AE
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_9FA8AE
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	eax, [edi+10h]
		and	dword ptr [esi+10h], 0
		cmp	[eax], eax
		jnz	short loc_9FA892
		mov	eax, [ebp+arg_0]
		push	edi
		add	eax, 8ACh
		push	eax
		call	RtlRbRemoveNode
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FA892:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+59j
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	ebx

loc_9FA8A8:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+Fj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_9FA8AE:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+42j
					; EtwpDeleteSessionDemuxObject(x)+49j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall EtwpDemuxPrivateTraceHandle(x, x, x)
_EtwpDemuxPrivateTraceHandle@12:	; CODE XREF: EtwpNotifyGuid(x,x,x)+290p
					; EtwpEnableGuid+11FC4Ap
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	[ebp+var_2], dx
		push	edi
		mov	edi, ecx
		cmp	dx, 40h
		jnb	short loc_9FA8D5
		mov	eax, [ebp+arg_0]
		mov	[eax], dx
		xor	eax, eax
		jmp	loc_9FA98F
; 

loc_9FA8D5:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+A6j
		push	ebx
		push	esi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, [eax+1F0h]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esi+8B4h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	ExAcquirePushLockExclusiveEx
		lea	eax, [esi+8ACh]
		mov	[ebp+var_8], edi
		mov	esi, [eax]
		xor	ebx, ebx
		test	byte ptr [eax+4], 1
		jz	short loc_9FA91F
		test	esi, esi
		jz	short loc_9FA91D
		xor	esi, eax
		jmp	short loc_9FA91F
; 

loc_9FA91D:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+F7j
		mov	esi, ebx

loc_9FA91F:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+F3j
					; EtwpDeleteSessionDemuxObject(x)+FBj
		movzx	edi, byte ptr [eax+4]
		and	edi, 1
		test	esi, esi
		jz	short loc_9FA970

loc_9FA92A:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+131j
		push	esi
		lea	eax, [ebp+var_8]
		push	eax
		call	_PidNodeCompare@8 ; PidNodeCompare(x,x)
		test	eax, eax
		jns	short loc_9FA93C
		mov	eax, [esi]
		jmp	short loc_9FA941
; 

loc_9FA93C:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+116j
		jle	short loc_9FA953
		mov	eax, [esi+4]

loc_9FA941:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+11Aj
		test	edi, edi
		jz	short loc_9FA94D
		test	eax, eax
		jz	short loc_9FA94D
		xor	esi, eax
		jmp	short loc_9FA94F
; 

loc_9FA94D:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+123j
					; EtwpDeleteSessionDemuxObject(x)+127j
		mov	esi, eax

loc_9FA94F:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+12Bj
		test	esi, esi
		jnz	short loc_9FA92A

loc_9FA953:				; CODE XREF: EtwpDeleteSessionDemuxObject(x):loc_9FA93Cj
		test	esi, esi
		jz	short loc_9FA970
		add	esi, 10h
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_9FA970
		mov	cx, [ebp+var_2]

loc_9FA964:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+14Ej
		cmp	[eax+0Ah], cx
		jz	short loc_9FA994
		mov	eax, [eax]
		cmp	eax, esi
		jnz	short loc_9FA964

loc_9FA970:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+108j
					; EtwpDeleteSessionDemuxObject(x)+135j	...
		mov	ebx, 0C0000296h

loc_9FA975:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+17Ej
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi
		mov	eax, ebx
		pop	ebx

loc_9FA98F:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+B0j
		pop	edi
		leave
		retn	4
; 

loc_9FA994:				; CODE XREF: EtwpDeleteSessionDemuxObject(x)+148j
		mov	cx, [eax+8]
		mov	eax, [ebp+arg_0]
		mov	[eax], cx
		jmp	short loc_9FA975
_EtwpDeleteSessionDemuxObject@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetPidDemuxList(x, x)
_EtwpGetPidDemuxList@8 proc near	; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+F0p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	byte ptr [edx+4], 1
		push	esi
		mov	esi, [edx]
		push	edi
		mov	[ebp+var_4], ecx
		jz	short loc_9FA9BD
		test	esi, esi
		jz	short loc_9FA9BB
		xor	esi, edx
		jmp	short loc_9FA9BD
; 

loc_9FA9BB:				; CODE XREF: EtwpGetPidDemuxList(x,x)+15j
		xor	esi, esi

loc_9FA9BD:				; CODE XREF: EtwpGetPidDemuxList(x,x)+11j
					; EtwpGetPidDemuxList(x,x)+19j
		movzx	edi, byte ptr [edx+4]
		and	edi, 1
		jmp	short loc_9FA9EB
; 

loc_9FA9C6:				; CODE XREF: EtwpGetPidDemuxList(x,x)+4Dj
		push	esi
		lea	eax, [ebp+var_4]
		push	eax
		call	_PidNodeCompare@8 ; PidNodeCompare(x,x)
		test	eax, eax
		jns	short loc_9FA9D8
		mov	eax, [esi]
		jmp	short loc_9FA9DD
; 

loc_9FA9D8:				; CODE XREF: EtwpGetPidDemuxList(x,x)+32j
		jle	short loc_9FA9EF
		mov	eax, [esi+4]

loc_9FA9DD:				; CODE XREF: EtwpGetPidDemuxList(x,x)+36j
		test	edi, edi
		jz	short loc_9FA9E9
		test	eax, eax
		jz	short loc_9FA9E9
		xor	esi, eax
		jmp	short loc_9FA9EB
; 

loc_9FA9E9:				; CODE XREF: EtwpGetPidDemuxList(x,x)+3Fj
					; EtwpGetPidDemuxList(x,x)+43j
		mov	esi, eax

loc_9FA9EB:				; CODE XREF: EtwpGetPidDemuxList(x,x)+24j
					; EtwpGetPidDemuxList(x,x)+47j
		test	esi, esi
		jnz	short loc_9FA9C6

loc_9FA9EF:				; CODE XREF: EtwpGetPidDemuxList(x,x):loc_9FA9D8j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_EtwpGetPidDemuxList@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetPrivateSessionTraceHandle(x,	x, x)
_EtwpGetPrivateSessionTraceHandle@12 proc near ; CODE XREF: NtTraceControl(x,x,x,x,x,x)+785p

var_16		= byte ptr -16h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[esp+28h+var_14], edx
		mov	[esp+28h+var_C], edi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		xor	ebx, ebx
		mov	[esp+28h+var_10], ebx
		mov	[esp+28h+var_15], bl
		mov	esi, [eax+1F0h]
		add	esi, 8ACh
		mov	[esp+28h+var_8], esi
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	ecx, [esi+8]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	esi, ebx
		cmp	[esp+28h+var_14], ebx
		jbe	short loc_9FAA7E

loc_9FAA43:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+87j
		lea	eax, [esp+28h+var_10]
		push	eax
		push	dword ptr [edi+esi*8]
		call	PsLookupProcessByProcessId
		test	eax, eax
		jz	short loc_9FAA59
		mov	[edi+esi*8], ebx
		jmp	short loc_9FAA77
; 

loc_9FAA59:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+5Dj
		mov	ecx, [esp+28h+var_10]
		call	_EtwpCheckCurrentUserProcessAccess@4 ; EtwpCheckCurrentUserProcessAccess(x)
		test	eax, eax
		jz	short loc_9FAA69
		mov	[edi+esi*8], ebx

loc_9FAA69:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+6Fj
		mov	ecx, [esp+28h+var_10]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag

loc_9FAA77:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+62j
		inc	esi
		cmp	esi, [esp+28h+var_14]
		jb	short loc_9FAA43

loc_9FAA7E:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+4Cj
					; EtwpGetPrivateSessionTraceHandle(x,x,x)+13Bj
		mov	eax, 0FFDF0320h
		lea	edx, [eax+4]

loc_9FAA86:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+D6j
		mov	ecx, [edx]
		mov	eax, [eax]
		mov	eax, 0FFDF0328h
		mov	eax, [eax]
		cmp	ecx, eax
		jz	short loc_9FAAAD
		mov	esi, 0FFDF0320h
		lea	edi, [esi+8]

loc_9FAA9D:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+B2j
		pause
		mov	ecx, [edx]
		mov	eax, [esi]
		mov	eax, [edi]
		cmp	ecx, eax
		jnz	short loc_9FAA9D
		mov	edi, [esp+28h+var_C]

loc_9FAAAD:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+9Ej
		lea	eax, [esp+28h+var_4]
		push	eax
		call	_RtlRandomEx@4	; RtlRandomEx(x)
		mov	esi, eax
		mov	edx, 0FFDF0324h
		and	esi, 7FFFh
		lea	eax, [edx-4]
		cmp	si, 40h
		jb	short loc_9FAA86
		mov	eax, [esp+28h+var_14]
		mov	ecx, ebx

loc_9FAAD3:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+135j
		mov	[esp+28h+var_10], ecx
		cmp	ecx, eax
		jnb	short loc_9FAB35
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_9FAB22
		mov	edx, [esp+28h+var_8]
		call	_EtwpGetPidDemuxList@8 ; EtwpGetPidDemuxList(x,x)
		test	eax, eax
		jz	short loc_9FAB1E
		lea	edx, [eax+10h]
		mov	ecx, [edx]

loc_9FAAF3:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+127j
		cmp	ecx, edx
		jz	short loc_9FAB1E
		cmp	[ecx+0Ah], si
		jz	short loc_9FAB2C
		mov	ax, [ecx+8]
		cmp	ax, [edi+4]
		jnz	short loc_9FAB1A
		mov	ax, [ecx+0Ch]
		cmp	ax, [edi+6]
		jnz	short loc_9FAB1E
		mov	[ecx+0Ah], si
		mov	[esp+28h+var_15], 1

loc_9FAB1A:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+110j
		mov	ecx, [ecx]
		jmp	short loc_9FAAF3
; 

loc_9FAB1E:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+F7j
					; EtwpGetPrivateSessionTraceHandle(x,x,x)+100j	...
		mov	eax, [esp+28h+var_14]

loc_9FAB22:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+EAj
		mov	ecx, [esp+28h+var_10]
		inc	ecx
		add	edi, 8
		jmp	short loc_9FAAD3
; 

loc_9FAB2C:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+106j
		mov	edi, [esp+28h+var_C]
		jmp	loc_9FAA7E
; 

loc_9FAB35:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+E4j
		mov	ecx, [esp+28h+var_8]
		xor	edx, edx
		lea	ecx, [ecx+8]
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[esp+28h+var_15], bl
		jz	short loc_9FAB56
		mov	eax, [ebp+arg_0]
		mov	[eax], si
		jmp	short loc_9FAB5B
; 

loc_9FAB56:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+157j
		mov	ebx, 0C0000225h

loc_9FAB5B:				; CODE XREF: EtwpGetPrivateSessionTraceHandle(x,x,x)+15Fj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_EtwpGetPrivateSessionTraceHandle@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpQuerySessionDemuxObject(x, x)
_EtwpQuerySessionDemuxObject@8 proc near ; CODE	XREF: NtTraceControl(x,x,x,x,x,x)+7F9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, ds:_EtwpSessionDemuxObjectType
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	0
		mov	edi, edx
		lea	edx, [ebp+var_4]
		push	edx
		push	1
		push	eax
		push	0
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_9FABA8
		movzx	eax, word ptr [ecx+0Ah]
		test	ax, ax
		jz	short loc_9FABA3
		mov	[edi], ax
		xor	esi, esi
		jmp	short loc_9FABA8
; 

loc_9FABA3:				; CODE XREF: EtwpQuerySessionDemuxObject(x,x)+34j
		mov	esi, 0C0000296h

loc_9FABA8:				; CODE XREF: EtwpQuerySessionDemuxObject(x,x)+2Bj
					; EtwpQuerySessionDemuxObject(x,x)+3Bj
		test	ecx, ecx
		jz	short loc_9FABB1
		call	ObfDereferenceObject

loc_9FABB1:				; CODE XREF: EtwpQuerySessionDemuxObject(x,x)+44j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_EtwpQuerySessionDemuxObject@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpRegisterPrivateSession(x, x, x,	x)
_EtwpRegisterPrivateSession@16 proc near ; CODE	XREF: NtTraceControl(x,x,x,x,x,x)+7C8p

var_36		= word ptr -36h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		mov	eax, ecx
		mov	[esp+40h+var_36], dx
		push	esi
		push	edi
		mov	[esp+48h+var_24], eax
		lea	edi, [esp+48h+var_18]
		lea	ebx, [eax+8ACh]
		xor	eax, eax
		push	6
		pop	ecx
		mov	[esp+48h+var_28], eax
		mov	[esp+48h+var_20], eax
		mov	[esp+48h+var_34], eax
		rep stosd
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 1
		jz	short loc_9FAC06
		mov	eax, 0C00000BBh
		jmp	loc_9FADE5
; 

loc_9FAC06:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+43j
		test	dx, dx
		js	loc_9FADE0
		cmp	dx, 8
		ja	loc_9FADE0
		call	_PsGetCurrentThreadProcessId@0 ; PsGetCurrentThreadProcessId()
		mov	[esp+48h+var_2C], eax
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	eax, [ebx+8]
		xor	edx, edx
		mov	ecx, eax
		mov	[esp+48h+var_1C], eax
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebx]
		mov	byte ptr [esp+48h+var_30], 0
		test	esi, esi
		jz	short loc_9FAC5D

loc_9FAC42:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+D2j
		push	esi
		lea	eax, [esp+4Ch+var_2C]
		push	eax
		call	_PidNodeCompare@8 ; PidNodeCompare(x,x)
		test	eax, eax
		jle	short loc_9FAC7F
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_9FAC87
		mov	byte ptr [esp+48h+var_30], 1

loc_9FAC5D:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+89j
					; EtwpRegisterPrivateSession(x,x,x,x)+D9j
		push	48777445h
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9FAC96
		mov	esi, [esp+48h+var_34]
		mov	ebx, 0C0000017h
		jmp	loc_9FADC1
; 

loc_9FAC7F:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+98j
		jns	short loc_9FAC92
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_9FAC8B

loc_9FAC87:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+9Fj
		mov	esi, eax
		jmp	short loc_9FAC42
; 

loc_9FAC8B:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+CEj
		mov	byte ptr [esp+48h+var_30], 0
		jmp	short loc_9FAC5D
; 

loc_9FAC92:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x):loc_9FAC7Fj
		mov	edi, esi
		jmp	short loc_9FACB1
; 

loc_9FAC96:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+B8j
		mov	eax, [esp+48h+var_2C]
		push	edi
		push	[esp+4Ch+var_30]
		mov	[edi+0Ch], eax
		lea	eax, [edi+10h]
		push	esi
		push	ebx
		mov	[eax+4], eax
		mov	[eax], eax
		call	RtlRbInsertNodeEx

loc_9FACB1:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+DDj
		lea	eax, [edi+10h]
		mov	ebx, [eax]
		cmp	ebx, eax
		jz	short loc_9FACD4
		mov	cx, [esp+48h+var_36]

loc_9FACBF:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+11Bj
		movzx	edx, word ptr [ebx+8]
		cmp	dx, cx
		jz	loc_9FAD93
		ja	short loc_9FACD4
		mov	ebx, [ebx]
		cmp	ebx, eax
		jnz	short loc_9FACBF

loc_9FACD4:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+101j
					; EtwpRegisterPrivateSession(x,x,x,x)+115j
		mov	edx, ds:_EtwpSessionDemuxObjectType
		lea	eax, [esp+48h+var_34]
		xor	ecx, ecx
		mov	[esp+48h+var_18], 18h
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	14h
		push	ecx
		push	1
		lea	eax, [esp+64h+var_18]
		mov	[esp+64h+var_14], ecx
		mov	[esp+64h+var_10], ecx
		mov	[esp+64h+var_8], ecx
		mov	[esp+64h+var_4], ecx
		xor	cl, cl
		push	eax
		mov	[esp+68h+var_C], 40h
		call	ObCreateObjectEx
		mov	esi, [esp+48h+var_34]
		mov	[esp+48h+var_30], eax
		test	eax, eax
		jnz	short loc_9FAD9E
		mov	ax, [esp+48h+var_36]
		mov	[esi+8], ax
		mov	eax, [esp+48h+var_24]
		inc	word ptr [eax+8B8h]
		mov	ax, [eax+8B8h]
		mov	[esi+0Ch], ax
		mov	[esi+10h], edi
		mov	eax, [ebx+4]
		mov	[ebx+4], esi
		mov	[eax], esi
		mov	[esi+4], eax
		mov	eax, ebx
		xor	ebx, ebx
		mov	[esi], eax
		push	ebx
		push	ds:_EtwpSessionDemuxObjectType
		push	ebx
		push	esi
		call	ObReferenceObjectByPointer
		lea	eax, [esp+48h+var_28]
		xor	edx, edx
		push	eax
		lea	eax, [esp+4Ch+var_20]
		mov	ecx, esi
		push	eax
		push	ebx
		push	ebx
		push	ebx
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9FADA2
		mov	eax, [ebp+arg_0]
		mov	cx, [esi+0Ch]
		mov	[eax], cx
		mov	ecx, [ebp+arg_4]
		mov	eax, [esp+48h+var_28]
		mov	[ecx], eax
		jmp	short loc_9FADC1
; 

loc_9FAD93:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+10Fj
		mov	esi, [esp+48h+var_34]
		mov	ebx, 0C000000Dh
		jmp	short loc_9FADA5
; 

loc_9FAD9E:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+168j
		mov	ebx, [esp+48h+var_30]

loc_9FADA2:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+1C5j
		lea	eax, [edi+10h]

loc_9FADA5:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+1E5j
		cmp	[eax], eax
		jnz	short loc_9FADC1
		mov	eax, [esp+48h+var_24]
		push	edi
		add	eax, 8ACh
		push	eax
		call	RtlRbRemoveNode
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FADC1:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+C3j
					; EtwpRegisterPrivateSession(x,x,x,x)+1DAj ...
		mov	ecx, [esp+48h+var_1C]
		xor	edx, edx
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	esi, esi
		jz	short loc_9FADDC
		mov	ecx, esi
		call	ObfDereferenceObject

loc_9FADDC:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+21Cj
		mov	eax, ebx
		jmp	short loc_9FADE5
; 

loc_9FADE0:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+52j
					; EtwpRegisterPrivateSession(x,x,x,x)+5Cj
		mov	eax, 0C000000Dh

loc_9FADE5:				; CODE XREF: EtwpRegisterPrivateSession(x,x,x,x)+4Aj
					; EtwpRegisterPrivateSession(x,x,x,x)+227j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_EtwpRegisterPrivateSession@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdatePeriodicCaptureState(x, x, x, x)
_EtwpUpdatePeriodicCaptureState@16 proc	near ; CODE XREF: NtTraceControl(x,x,x,x,x,x)+74Cp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		movzx	eax, [ebp+arg_0]
		push	ebx
		mov	[esp+38h+var_34], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		mov	[esp+40h+var_24], eax
		lea	edi, [esp+40h+var_18]
		xor	eax, eax
		mov	[esp+40h+var_1C], edx
		stosd
		mov	esi, ecx
		stosd
		stosd
		stosd
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		push	ebx
		mov	edx, esi
		mov	ecx, [eax+1F0h]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		mov	[esp+40h+var_20], edi
		test	edi, edi
		jnz	short loc_9FAE4F
		mov	ebx, 0C000000Dh
		jmp	loc_9FB037
; 

loc_9FAE4F:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+55j
		test	byte ptr [edi+258h], 40h
		jz	short loc_9FAE62
		mov	ebx, 0C0000296h
		jmp	loc_9FB02E
; 

loc_9FAE62:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+68j
		mov	eax, [esp+40h+var_34]
		and	[esp+40h+var_28], ebx
		movzx	esi, ax
		mov	[esp+40h+var_2C], esi
		test	esi, esi
		jz	short loc_9FAEAE
		mov	ecx, [esp+40h+var_24]
		lea	eax, [edi+0C8h]
		mov	[esp+40h+var_30], ecx

loc_9FAE83:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+BEj
		mov	edx, eax
		call	EtwpCheckNotificationAccess
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_9FAF00
		mov	eax, [esp+40h+var_28]
		mov	ecx, [esp+40h+var_30]
		inc	eax
		add	ecx, 10h
		mov	[esp+40h+var_28], eax
		cmp	eax, esi
		mov	[esp+40h+var_30], ecx
		lea	eax, [edi+0C8h]
		jl	short loc_9FAE83

loc_9FAEAE:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+85j
		lea	eax, [edi+1F0h]
		xor	edx, edx
		mov	ecx, eax
		mov	[esp+40h+var_30], eax
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [edi+2DCh]
		or	eax, 0FFFFFFFFh
		test	esi, esi
		jnz	short loc_9FAF1D
		cmp	word ptr [esp+40h+var_34], si
		jz	loc_9FB012
		push	55777445h
		push	28h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[edi+2DCh], edx
		test	edx, edx
		jnz	short loc_9FAF0A

loc_9FAEF6:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+187j
					; EtwpUpdatePeriodicCaptureState(x,x,x,x)+1D3j
		mov	ebx, 0C0000017h
		jmp	loc_9FB00F
; 

loc_9FAF00:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+A0j
		mov	ebx, 0C0000022h
		jmp	loc_9FB02E
; 

loc_9FAF0A:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+106j
		push	0Ah
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		mov	edi, [esp+40h+var_20]
		mov	esi, [edi+2DCh]

loc_9FAF1D:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+DEj
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_9FAF4C
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_9FAF3A
		push	0
		push	ecx
		call	_ExCancelTimer@8 ; ExCancelTimer(x,x)
		and	dword ptr [esi+24h], 0
		mov	eax, [esi+10h]

loc_9FAF3A:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+13Bj
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+10h], 0
		xor	eax, eax
		mov	[esi+0Ch], ax

loc_9FAF4C:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+134j
		cmp	word ptr [esp+40h+var_34], 0
		jz	loc_9FB00F
		mov	eax, [esp+40h+var_2C]
		shl	eax, 4
		push	55777445h
		push	eax
		push	1
		mov	[esp+4Ch+var_2C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+10h], eax
		test	eax, eax
		jz	loc_9FAEF6
		push	[esp+40h+var_2C] ; size_t
		mov	ecx, [esp+44h+var_34]
		push	[esp+44h+var_24] ; void	*
		mov	[esi+0Ch], cx
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	dword ptr [esi+8], 0
		jnz	short loc_9FAFD4
		push	8
		push	edi
		push	offset _PeriodicCaptureStateTimerCallback@8 ; PeriodicCaptureStateTimerCallback(x,x)
		call	ExAllocateTimer
		mov	[esi+8], eax
		test	eax, eax
		jnz	short loc_9FAFC6
		push	eax
		push	dword ptr [esi+10h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+10h], 0
		xor	eax, eax
		mov	[esi+0Ch], ax
		jmp	loc_9FAEF6
; 

loc_9FAFC6:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+1BEj
		and	dword ptr [esi+14h], 0
		mov	dword ptr [esi+1Ch], offset _SendCaptureStateNotificationsWorker@4 ; SendCaptureStateNotificationsWorker(x)
		mov	[esi+20h], edi

loc_9FAFD4:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+1AAj
		or	eax, 0FFFFFFFFh
		push	eax
		push	0FF676980h
		push	0
		push	[esp+4Ch+var_1C]
		mov	[esp+50h+var_10], eax
		mov	[esp+50h+var_C], eax
		call	__allmul
		lea	ecx, [esp+40h+var_18]
		mov	[esi], eax
		push	ecx
		push	0
		push	0
		push	edx
		push	eax
		push	dword ptr [esi+8]
		mov	[esi+4], edx
		call	ExSetTimer
		mov	dword ptr [esi+24h], 1

loc_9FB00F:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+10Dj
					; EtwpUpdatePeriodicCaptureState(x,x,x,x)+164j
		or	eax, 0FFFFFFFFh

loc_9FB012:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+E5j
		mov	esi, [esp+40h+var_30]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9FB027
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9FB027:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+230j
		mov	ecx, esi
		call	KeAbPostRelease

loc_9FB02E:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+6Fj
					; EtwpUpdatePeriodicCaptureState(x,x,x,x)+117j
		xor	dl, dl
		mov	ecx, edi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_9FB037:				; CODE XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+5Cj
		mov	ecx, [esp+40h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_EtwpUpdatePeriodicCaptureState@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PeriodicCaptureStateTimerCallback(x, x)
_PeriodicCaptureStateTimerCallback@8 proc near
					; DATA XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+1AFo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	edx, edx
		inc	edx
		mov	eax, [edi+2E4h]
		mov	esi, [edi]
		mov	ecx, [eax+188h]
		mov	ecx, [ecx+esi*4]
		call	@ExAcquireRundownProtectionCacheAwareEx@8 ; ExAcquireRundownProtectionCacheAwareEx(x,x)
		test	al, al
		jz	short loc_9FB085
		mov	eax, [edi+2DCh]
		push	3
		add	eax, 14h
		push	eax
		call	ExQueueWorkItem

loc_9FB085:				; CODE XREF: PeriodicCaptureStateTimerCallback(x,x)+25j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_PeriodicCaptureStateTimerCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PidNodeCompare(x, x)
_PidNodeCompare@8 proc near		; CODE XREF: EtwpDeleteSessionDemuxObject(x)+10Fp
					; EtwpGetPidDemuxList(x,x)+2Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+0Ch]
		cmp	eax, ecx
		jbe	short loc_9FB0A4
		or	eax, 0FFFFFFFFh
		jmp	short loc_9FB0A8
; 

loc_9FB0A4:				; CODE XREF: PidNodeCompare(x,x)+12j
		sbb	eax, eax
		neg	eax

loc_9FB0A8:				; CODE XREF: PidNodeCompare(x,x)+17j
		pop	ebp
		retn	8
_PidNodeCompare@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SendCaptureStateNotificationsWorker(x)
_SendCaptureStateNotificationsWorker@4 proc near
					; DATA XREF: EtwpUpdatePeriodicCaptureState(x,x,x,x)+1DCo

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_42		= word ptr -42h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		lea	edi, [esp+0C0h+var_18]
		mov	[esp+0C0h+var_A4], esi
		stosd
		push	70h		; size_t
		stosd
		stosd
		stosd
		xor	eax, eax
		push	eax		; int
		mov	[esp+0C8h+var_AC], eax
		lea	eax, [esp+0C8h+var_88]
		push	eax		; void *
		call	_memset
		mov	ebx, [esi+2DCh]
		lea	edi, [esi+1F0h]
		add	esp, 0Ch
		mov	[esp+0C0h+var_98], ebx
		xor	edx, edx
		mov	[esp+0C0h+var_94], edi
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		and	dword ptr [ebx+24h], 0
		or	eax, 0FFFFFFFFh
		mov	ecx, [esi+0F8h]
		test	ecx, ecx
		jz	loc_9FB35A
		movzx	ecx, word ptr [ebx+0Ch]
		mov	edx, ecx
		mov	[esp+0C0h+var_B4], edx
		test	cx, cx
		jz	loc_9FB35A
		mov	eax, ecx
		mov	esi, ecx
		mov	[esp+0C0h+var_9C], eax
		push	74777445h
		shl	esi, 4
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0C0h+var_A8], eax
		test	eax, eax
		jz	loc_9FB357
		push	esi		; size_t
		push	dword ptr [ebx+10h] ; void *
		push	eax		; void *
		call	_memcpy
		or	esi, 0FFFFFFFFh
		add	esp, 0Ch
		mov	eax, esi
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9FB181
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9FB181:				; CODE XREF: SendCaptureStateNotificationsWorker(x)+CCj
		mov	ecx, edi
		call	KeAbPostRelease
		xor	eax, eax
		mov	[esp+0C0h+var_90], 3
		mov	[esp+0C0h+var_8C], 78h
		cmp	ax, word ptr [esp+0C0h+var_B4]
		jnb	loc_9FB307
		mov	ebx, [esp+0C0h+var_A4]
		mov	esi, [esp+0C0h+var_A8]

loc_9FB1AD:				; CODE XREF: SendCaptureStateNotificationsWorker(x)+24Aj
		mov	ecx, [ebx+2E4h]
		mov	edx, esi
		push	0
		call	_EtwpFindGuidEntryByGuid@12 ; EtwpFindGuidEntryByGuid(x,x,x)
		mov	edi, eax
		mov	[esp+0C0h+var_B4], edi
		test	edi, edi
		jz	loc_9FB2EA
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		lea	ecx, [edi+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+170h], eax
		lea	edi, [esp+0C0h+var_68]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [esp+0C0h+var_B4]
		lea	eax, [edi+24h]
		mov	esi, [eax]
		jmp	loc_9FB2B7
; 

loc_9FB208:				; CODE XREF: SendCaptureStateNotificationsWorker(x)+20Dj
		test	byte ptr [esi+32h], 1
		jnz	loc_9FB2B5
		xor	ecx, ecx
		lea	edx, [edi+66h]
		mov	[esp+0C0h+var_B4], ecx
		mov	[esp+0C0h+var_B0], edx

loc_9FB21F:				; CODE XREF: SendCaptureStateNotificationsWorker(x)+200j
		mov	al, [esi+34h]
		mov	[esp+0C0h+var_A0], eax
		xor	eax, eax
		inc	eax
		shl	eax, cl
		mov	ecx, [esp+0C0h+var_A0]
		test	al, cl
		jz	short loc_9FB299
		cmp	dword ptr [edx-6], 0
		jz	short loc_9FB299
		movzx	eax, word ptr [edx]
		cmp	eax, [ebx]
		jnz	short loc_9FB299
		lea	edx, [esp+0C0h+var_48]
		mov	ecx, esi
		call	EtwpComputeRegEntryEnableInfo
		mov	ax, [ebx]
		lea	edx, [esp+0C0h+var_90]
		mov	[esp+0C0h+var_42], ax
		mov	ecx, edi
		lea	eax, [esp+0C0h+var_AC]
		mov	[esp+0C0h+var_48], 2
		push	eax
		push	[esp+0C4h+var_A0]
		call	EtwpBuildNotificationPacket
		test	eax, eax
		js	short loc_9FB295
		mov	edx, [esp+0C0h+var_AC]
		mov	ecx, esi
		call	EtwpSendDataBlock
		mov	ecx, [esp+0C0h+var_AC]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx+8], eax
		dec	eax
		jnz	short loc_9FB295
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FB295:				; CODE XREF: SendCaptureStateNotificationsWorker(x)+1C5j
					; SendCaptureStateNotificationsWorker(x)+1DFj
		mov	edx, [esp+0C0h+var_B0]

loc_9FB299:				; CODE XREF: SendCaptureStateNotificationsWorker(x)+185j
					; SendCaptureStateNotificationsWorker(x)+18Bj ...
		mov	ecx, [esp+0C0h+var_B4]
		add	edx, 20h
		inc	ecx
		mov	[esp+0C0h+var_B0], edx
		mov	[esp+0C0h+var_B4], ecx
		cmp	ecx, 8
		jl	loc_9FB21F
		lea	eax, [edi+24h]

loc_9FB2B5:				; CODE XREF: SendCaptureStateNotificationsWorker(x)+160j
		mov	esi, [esi]

loc_9FB2B7:				; CODE XREF: SendCaptureStateNotificationsWorker(x)+157j
		cmp	esi, eax
		jnz	loc_9FB208
		and	dword ptr [edi+170h], 0
		lea	ecx, [edi+16Ch]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, edi
		call	EtwpUnreferenceGuidEntry
		mov	esi, [esp+0C0h+var_A8]

loc_9FB2EA:				; CODE XREF: SendCaptureStateNotificationsWorker(x)+118j
		add	esi, 10h
		sub	[esp+0C0h+var_9C], 1
		mov	[esp+0C0h+var_A8], esi
		jnz	loc_9FB1AD
		mov	ebx, [esp+0C0h+var_98]
		or	esi, 0FFFFFFFFh
		mov	edi, [esp+0C0h+var_94]

loc_9FB307:				; CODE XREF: SendCaptureStateNotificationsWorker(x)+F3j
		mov	eax, [esp+0C0h+var_A4]
		mov	eax, [eax+0F8h]
		test	eax, eax
		jz	short loc_9FB372
		xor	edx, edx
		mov	[esp+0C0h+var_10], esi
		mov	ecx, edi
		mov	[esp+0C0h+var_C], esi
		call	ExAcquirePushLockExclusiveEx
		xor	ecx, ecx
		cmp	[ebx+0Ch], cx
		jz	short loc_9FB357
		cmp	[ebx+24h], ecx
		jnz	short loc_9FB357
		lea	eax, [esp+0C0h+var_18]
		push	eax
		push	ecx
		push	ecx
		push	dword ptr [ebx+4]
		push	dword ptr [ebx]
		push	dword ptr [ebx+8]
		call	ExSetTimer
		mov	dword ptr [ebx+24h], 1

loc_9FB357:				; CODE XREF: SendCaptureStateNotificationsWorker(x)+ACj
					; SendCaptureStateNotificationsWorker(x)+286j ...
		or	eax, 0FFFFFFFFh

loc_9FB35A:				; CODE XREF: SendCaptureStateNotificationsWorker(x)+75j
					; SendCaptureStateNotificationsWorker(x)+88j
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9FB36B
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9FB36B:				; CODE XREF: SendCaptureStateNotificationsWorker(x)+2B6j
		mov	ecx, edi
		call	KeAbPostRelease

loc_9FB372:				; CODE XREF: SendCaptureStateNotificationsWorker(x)+267j
		mov	ecx, [esp+0C0h+var_A4]
		xor	dl, dl
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		mov	ecx, [esp+0C0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_SendCaptureStateNotificationsWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceAdminlessAccessFailure(x, x, x, x)
_EtwTraceAdminlessAccessFailure@16 proc	near
					; CODE XREF: NtQueryInformationToken(x,x,x,x,x)+194Fp

var_18A		= byte ptr -18Ah
var_189		= byte ptr -189h
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+18Ch+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	[esp+194h+var_188], ecx
		push	edi
		mov	word ptr [esp+198h+var_168], ax
		xor	ecx, ecx
		push	2
		pop	eax
		mov	word ptr [esp+198h+var_168+2], ax
		mov	eax, large fs:124h
		mov	[esp+198h+var_160], ecx
		mov	[esp+198h+var_15C], ecx
		mov	[esp+198h+var_189], dl
		mov	eax, [eax+80h]
		mov	[esp+198h+var_164], offset ??_C@_11LOCGONAA@@NNGAKEGL@
		mov	edi, [eax+1C0h]
		test	edi, edi
		jnz	short loc_9FB3F6
		lea	edi, [esp+198h+var_168]

loc_9FB3F6:				; CODE XREF: EtwTraceAdminlessAccessFailure(x,x,x,x)+5Cj
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	loc_9FB500
		cmp	dword_6B2A40, 5
		jbe	loc_9FB6C5
		push	4000h
		push	ecx
		mov	esi, offset dword_6B2A40
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9FB6C5
		movzx	eax, [esp+198h+var_189]
		xor	ecx, ecx
		mov	[esp+198h+var_184], eax
		lea	eax, [esp+198h+var_184]
		mov	[esp+198h+var_118], eax
		lea	eax, [esp+198h+var_F0]
		mov	[esp+198h+var_108], eax
		mov	eax, [edi+4]
		mov	[esp+198h+var_F8], eax
		movzx	eax, word ptr [edi]
		mov	[esp+198h+var_F0], eax
		mov	eax, [esp+198h+var_188]
		mov	[esp+198h+var_180], eax
		lea	eax, [esp+198h+var_180]
		push	4
		pop	edx
		mov	[esp+198h+var_E8], eax
		lea	eax, [esp+198h+var_17C]
		mov	[esp+198h+var_D8], eax
		lea	eax, [esp+198h+var_138]
		push	eax
		push	7
		mov	[esp+1A0h+var_17C], ebx
		xor	ebx, ebx
		push	ebx
		push	ebx
		mov	[esp+1A8h+var_114], ecx
		mov	[esp+1A8h+var_110], edx
		mov	[esp+1A8h+var_10C], ecx
		mov	[esp+1A8h+var_104], ecx
		mov	[esp+1A8h+var_100], 2
		mov	[esp+1A8h+var_FC], ecx
		mov	[esp+1A8h+var_F4], ecx
		mov	[esp+1A8h+var_EC], ecx
		mov	[esp+1A8h+var_E4], ecx
		mov	[esp+1A8h+var_E0], edx
		mov	[esp+1A8h+var_DC], ecx
		mov	[esp+1A8h+var_D4], ebx
		mov	[esp+1A8h+var_D0], edx
		mov	[esp+1A8h+var_CC], ebx
		push	offset loc_4240CF
		jmp	loc_9FB5E0
; 

loc_9FB500:				; CODE XREF: EtwTraceAdminlessAccessFailure(x,x,x,x)+67j
		xor	ebx, ebx
		cmp	[ebp+arg_4], cl
		jnz	loc_9FB5EB
		cmp	dword_6B2A40, 5
		jbe	loc_9FB6C7
		push	4000h
		mov	esi, offset dword_6B2A40
		push	ebx
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9FB6C7
		movzx	eax, [esp+198h+var_189]
		mov	[esp+198h+var_178], eax
		lea	eax, [esp+198h+var_178]
		mov	[esp+198h+var_A8], eax
		lea	eax, [esp+198h+var_80]
		mov	[esp+198h+var_98], eax
		mov	eax, [edi+4]
		mov	[esp+198h+var_88], eax
		movzx	eax, word ptr [edi]
		mov	[esp+198h+var_80], eax
		mov	eax, [esp+198h+var_188]
		push	4
		pop	ecx
		mov	[esp+198h+var_174], eax
		lea	eax, [esp+198h+var_174]
		mov	[esp+198h+var_78], eax
		lea	eax, [esp+198h+var_C8]
		push	eax
		push	6
		push	ebx
		push	ebx
		mov	[esp+1A8h+var_A4], ebx
		mov	[esp+1A8h+var_A0], ecx
		mov	[esp+1A8h+var_9C], ebx
		mov	[esp+1A8h+var_94], ebx
		mov	[esp+1A8h+var_90], 2
		mov	[esp+1A8h+var_8C], ebx
		mov	[esp+1A8h+var_84], ebx
		mov	[esp+1A8h+var_7C], ebx
		mov	[esp+1A8h+var_74], ebx
		mov	[esp+1A8h+var_70], ecx
		mov	[esp+1A8h+var_6C], ebx
		push	offset loc_42413B

loc_9FB5E0:				; CODE XREF: EtwTraceAdminlessAccessFailure(x,x,x,x)+167j
					; EtwTraceAdminlessAccessFailure(x,x,x,x)+32Cj
		push	esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_9FB6C7
; 

loc_9FB5EB:				; CODE XREF: EtwTraceAdminlessAccessFailure(x,x,x,x)+171j
		cmp	dword_6B2A40, 5
		jbe	loc_9FB6C7
		push	4000h
		mov	esi, offset dword_6B2A40
		push	ebx
		mov	ecx, esi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_9FB6C7
		movzx	eax, [esp+198h+var_189]
		mov	[esp+198h+var_170], eax
		lea	eax, [esp+198h+var_170]
		mov	[esp+198h+var_48], eax
		lea	eax, [esp+198h+var_20]
		mov	[esp+198h+var_38], eax
		mov	eax, [edi+4]
		mov	[esp+198h+var_28], eax
		movzx	eax, word ptr [edi]
		mov	[esp+198h+var_20], eax
		mov	eax, [esp+198h+var_188]
		push	4
		pop	ecx
		mov	[esp+198h+var_16C], eax
		lea	eax, [esp+198h+var_16C]
		mov	[esp+198h+var_18], eax
		lea	eax, [esp+198h+var_68]
		push	eax
		push	6
		push	ebx
		push	ebx
		mov	[esp+1A8h+var_44], ebx
		mov	[esp+1A8h+var_40], ecx
		mov	[esp+1A8h+var_3C], ebx
		mov	[esp+1A8h+var_34], ebx
		mov	[esp+1A8h+var_30], 2
		mov	[esp+1A8h+var_2C], ebx
		mov	[esp+1A8h+var_24], ebx
		mov	[esp+1A8h+var_1C], ebx
		mov	[esp+1A8h+var_14], ebx
		mov	[esp+1A8h+var_10], ecx
		mov	[esp+1A8h+var_C], ebx
		push	offset loc_424087
		jmp	loc_9FB5E0
; 

loc_9FB6C5:				; CODE XREF: EtwTraceAdminlessAccessFailure(x,x,x,x)+74j
					; EtwTraceAdminlessAccessFailure(x,x,x,x)+8Ej
		xor	ebx, ebx

loc_9FB6C7:				; CODE XREF: EtwTraceAdminlessAccessFailure(x,x,x,x)+17Ej
					; EtwTraceAdminlessAccessFailure(x,x,x,x)+198j	...
		mov	eax, _EtwAdminlessProvRegHandle
		or	eax, dword_6BC32C
		jz	short loc_9FB735
		cmp	_SeAdminlessEnableEventLogging,	0
		jz	short loc_9FB735
		lea	eax, [esp+198h+var_160]
		push	eax
		call	_KeQuerySystemTimePrecise@4 ; KeQuerySystemTimePrecise(x)
		lea	eax, [esp+198h+var_160]
		mov	[esp+198h+var_154], ebx
		mov	[esp+198h+var_158], eax
		lea	eax, [esp+198h+var_188]
		mov	[esp+198h+var_148], eax
		lea	eax, [esp+198h+var_158]
		push	eax
		push	2
		push	ebx
		push	offset _AdminlessAccessFailureLog
		push	dword_6BC32C
		mov	[esp+1ACh+var_150], 8
		push	_EtwAdminlessProvRegHandle
		mov	[esp+1B0h+var_14C], ebx
		mov	[esp+1B0h+var_144], ebx
		mov	[esp+1B0h+var_140], 4
		mov	[esp+1B0h+var_13C], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9FB735:				; CODE XREF: EtwTraceAdminlessAccessFailure(x,x,x,x)+33Ej
					; EtwTraceAdminlessAccessFailure(x,x,x,x)+347j
		mov	ecx, [esp+198h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_EtwTraceAdminlessAccessFailure@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwTraceLpacAccessFailure(x)
_EtwTraceLpacAccessFailure@4 proc near	; CODE XREF: SepLogLpacAccessFailure(x)+51p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, _EtwLpacProvRegHandle
		push	esi
		xor	esi, esi
		mov	[ebp+var_28], ecx
		or	eax, dword_6BC334
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		jz	short loc_9FB7C3
		lea	eax, [ebp+var_30]
		push	eax
		call	_KeQuerySystemTimePrecise@4 ; KeQuerySystemTimePrecise(x)
		lea	eax, [ebp+var_30]
		mov	[ebp+var_20], esi
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	2
		push	esi
		push	offset _AdminlessAccessFailureLog
		push	dword_6BC334
		mov	[ebp+var_1C], 8
		push	_EtwLpacProvRegHandle
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], esi
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_9FB7C3:				; CODE XREF: EtwTraceLpacAccessFailure(x)+29j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_EtwTraceLpacAccessFailure@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpParsePoolTagFilter(x, x)
_EtwpParsePoolTagFilter@8 proc near	; CODE XREF: EtwStartAutoLogger+A0B16p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ecx+4]
		xor	eax, eax
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], edx
		movzx	ecx, word ptr [ebx]
		inc	edi
		xor	esi, esi
		mov	[ebp+var_4], eax
		xor	edx, edx
		test	cx, cx
		jz	short loc_9FB86B
		mov	[ebp+var_8], 4

loc_9FB7FC:				; CODE XREF: EtwpParsePoolTagFilter(x,x)+80j
		cmp	edi, 1
		jnz	short loc_9FB822
		cmp	cx, 2Ah
		jnz	short loc_9FB80A
		push	2
		pop	edi

loc_9FB80A:				; CODE XREF: EtwpParsePoolTagFilter(x,x)+35j
		mov	al, [ebx]
		movsx	ecx, dx
		inc	edx
		mov	byte ptr [ebp+ecx+var_4], al
		mov	eax, [ebp+var_4]
		cmp	dx, word ptr [ebp+var_8]
		jnz	short loc_9FB847
		push	2
		pop	edi
		jmp	short loc_9FB847
; 

loc_9FB822:				; CODE XREF: EtwpParsePoolTagFilter(x,x)+2Fj
		cmp	edi, 2
		jnz	short loc_9FB847
		cmp	cx, 3Bh
		jnz	short loc_9FB86B
		cmp	si, word ptr [ebp+var_8]
		jnb	short loc_9FB86B
		mov	edx, [ebp+var_C]
		xor	edi, edi
		movzx	ecx, si
		inc	esi
		mov	[edx+ecx*4], eax
		xor	eax, eax
		xor	edx, edx
		mov	[ebp+var_4], eax
		inc	edi

loc_9FB847:				; CODE XREF: EtwpParsePoolTagFilter(x,x)+4Bj
					; EtwpParsePoolTagFilter(x,x)+50j ...
		add	ebx, 2
		movzx	ecx, word ptr [ebx]
		test	cx, cx
		jnz	short loc_9FB7FC
		cmp	edi, 2
		jnz	short loc_9FB86B
		cmp	si, word ptr [ebp+var_8]
		jnb	short loc_9FB86B
		mov	edx, [ebp+var_C]
		movzx	ecx, si
		mov	[edx+ecx*4], eax
		lea	eax, [esi+1]
		jmp	short loc_9FB86D
; 

loc_9FB86B:				; CODE XREF: EtwpParsePoolTagFilter(x,x)+23j
					; EtwpParsePoolTagFilter(x,x)+5Bj ...
		xor	eax, eax

loc_9FB86D:				; CODE XREF: EtwpParsePoolTagFilter(x,x)+99j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpParsePoolTagFilter@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCheckCurrentUserGuidAccess(x, x)
_EtwpCheckCurrentUserGuidAccess@8 proc near ; CODE XREF: EtwpNotifyGuid(x,x,x)+EAp
		mov	edi, edi
		push	ecx
		push	0
		call	_EtwpCheckGuidAccess@12	; EtwpCheckGuidAccess(x,x,x)
		pop	ecx
		retn
_EtwpCheckCurrentUserGuidAccess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCheckCurrentUserProcessAccess(x)
_EtwpCheckCurrentUserProcessAccess@4 proc near ; CODE XREF: EtwpNotifyGuid(x,x,x)+24Cp
					; EtwpIsRegEntryAllowed+11F5F4p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		lea	edx, [ebp+var_4]
		mov	byte ptr [ebp+var_8], bl
		mov	[ebp+var_4], ebx
		call	ObpGetObjectSecurity
		mov	ecx, [ebp+var_4]
		mov	edx, 1FFFFFh
		push	ebx
		call	_EtwpAccessCheck@12 ; EtwpAccessCheck(x,x,x)
		push	[ebp+var_8]
		mov	esi, eax
		push	[ebp+var_4]
		call	_ObReleaseObjectSecurity@8 ; ObReleaseObjectSecurity(x,x)
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCheckCurrentUserProcessAccess@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpDereferenceLoggerSecurityDescriptor(x, x)
_EtwpDereferenceLoggerSecurityDescriptor@8 proc	near
					; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+2CEp
		mov	edi, edi
		push	esi
		push	edi
		lea	edi, [ecx+238h]
		mov	esi, edx
		mov	ecx, [edi]
		mov	eax, ecx
		jmp	short loc_9FB8DE
; 

loc_9FB8CF:				; CODE XREF: EtwpDereferenceLoggerSecurityDescriptor(x,x)+26j
		lea	edx, [ecx+1]
		mov	eax, ecx
		lock cmpxchg [edi], edx
		cmp	eax, ecx
		jz	short loc_9FB8ED
		mov	ecx, eax

loc_9FB8DE:				; CODE XREF: EtwpDereferenceLoggerSecurityDescriptor(x,x)+10j
		xor	eax, esi
		cmp	eax, 7
		jb	short loc_9FB8CF
		push	1
		push	esi
		call	ObDereferenceSecurityDescriptor

loc_9FB8ED:				; CODE XREF: EtwpDereferenceLoggerSecurityDescriptor(x,x)+1Dj
		pop	edi
		pop	esi
		retn
_EtwpDereferenceLoggerSecurityDescriptor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdateLoggerSecurityDescriptor(x, x)
_EtwpUpdateLoggerSecurityDescriptor@8 proc near	; CODE XREF: EtwpUpdateTrace+890FBp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		push	8
		push	eax
		push	edx
		mov	ebx, ecx
		call	ObLogSecurityDescriptor
		mov	edi, eax
		test	edi, edi
		js	loc_9FB9A1
		mov	esi, [ebp+var_4]
		lea	edx, [ebx+238h]
		mov	ecx, esi
		or	ecx, 7
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		xchg	esi, [edx]
		mov	eax, esi
		and	eax, 0FFFFFFF8h
		mov	[ebp+var_C], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, _EtwpSecurityLock
		test	al, 1
		jz	short loc_9FB962
		mov	ecx, offset _EtwpSecurityLock
		call	@ExfAcquireReleasePushLockExclusive@4 ;	ExfAcquireReleasePushLockExclusive(x)

loc_9FB962:				; CODE XREF: EtwpUpdateLoggerSecurityDescriptor(x,x)+66j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		and	esi, 7
		inc	esi
		push	esi
		push	[ebp+var_C]
		call	ObDereferenceSecurityDescriptor
		mov	esi, offset _ETW_EVENT_CHANGE_SESSION_SD
		push	esi
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	EtwEventEnabled
		test	al, al
		jz	short loc_9FB9A1
		push	ecx
		push	ecx
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpEventWriteTemplateSession@16 ; EtwpEventWriteTemplateSession(x,x,x,x)

loc_9FB9A1:				; CODE XREF: EtwpUpdateLoggerSecurityDescriptor(x,x)+21j
					; EtwpUpdateLoggerSecurityDescriptor(x,x)+A4j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpUpdateLoggerSecurityDescriptor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpFreeUserBufferSpace(x, x, x)
_EtwpFreeUserBufferSpace@12 proc near	; CODE XREF: sub_911F0E+11p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0Ch
		push	offset dword_6A9F80
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		mov	edi, [ecx+3Ch]
		mov	esi, [ebp+arg_0]
		cmp	esi, edi
		jb	short loc_9FBA09
		mov	eax, [ecx+40h]
		add	eax, edi
		cmp	esi, eax
		jnb	short loc_9FBA09
		lea	ebx, [edx+0FFFh]
		and	ebx, 0FFFFF000h
		mov	[ebp+var_1C], ebx
		shr	ebx, 0Ch
		sub	esi, edi
		mov	eax, esi
		cdq
		mov	esi, 1000h
		idiv	esi
		and	[ebp+ms_exc.disabled], 0
		push	ebx
		push	eax
		lea	eax, [ecx+34h]
		push	eax
		call	RtlInterlockedClearBitRun

loc_9FB9F7:				; CODE XREF: EtwpFreeUserBufferSpace(x,x,x)+5Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9FBA1E
; 

loc_9FBA00:				; DATA XREF: .text:006A9F94o
		xor	eax, eax
		inc	eax
		retn
; 

loc_9FBA04:				; DATA XREF: .text:006A9F98o
		mov	esp, [ebp+ms_exc.old_esp]
		jmp	short loc_9FB9F7
; 

loc_9FBA09:				; CODE XREF: EtwpFreeUserBufferSpace(x,x,x)+17j
					; EtwpFreeUserBufferSpace(x,x,x)+20j
		push	8000h
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		push	dword ptr [ecx+8]
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)

loc_9FBA1E:				; CODE XREF: EtwpFreeUserBufferSpace(x,x,x)+56j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpFreeUserBufferSpace@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpRealtimeResetReferenceTime(x)
_EtwpRealtimeResetReferenceTime@4 proc near ; CODE XREF: EtwpRealtimeCreateLogfile+11F513p
					; EtwpRealtimeFlushSavedBuffers+11CBDFp
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		lea	edx, [ecx+150h]
		xor	eax, eax
		lea	esi, [ecx+0E8h]
		mov	edi, edx
		movsd
		movsd
		movsd
		movsd
		cmp	[ecx+108h], eax
		jbe	short loc_9FBA56
		call	_EtwpRealtimeUpdateReferenceTime@8 ; EtwpRealtimeUpdateReferenceTime(x,x)

loc_9FBA56:				; CODE XREF: EtwpRealtimeResetReferenceTime(x)+1Fj
		pop	edi
		pop	esi
		pop	ecx
		retn
_EtwpRealtimeResetReferenceTime@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AddDecodeGuidToSessions	proc near	; CODE XREF: EtwpSetProviderTraitsCommon+234p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	bl, 1
		mov	bh, [edi+34h]

loc_9FBA6A:				; CODE XREF: AddDecodeGuidToSessions+4Ej
		movzx	eax, bh
		bsf	edx, eax
		jz	short loc_9FBAAA
		mov	ecx, [edi+10h]
		mov	al, bh
		shl	edx, 5
		dec	al
		push	0
		and	bh, al
		movzx	edx, word ptr [edx+ecx+66h]
		mov	ecx, [ecx+164h]
		call	EtwpAcquireLoggerContextByLoggerId
		mov	esi, eax
		mov	edx, edi
		mov	ecx, esi
		call	_EtwpTrackDecodeGuidForSession@8 ; EtwpTrackDecodeGuidForSession(x,x)
		xor	dl, dl
		mov	ecx, esi
		mov	bl, al
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		test	bl, bl
		jnz	short loc_9FBA6A

loc_9FBAAA:				; CODE XREF: AddDecodeGuidToSessions+16j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
AddDecodeGuidToSessions	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpLocateBinaryForRegEntry(x, x, x)
_EtwpLocateBinaryForRegEntry@12	proc near ; CODE XREF: EtwpProviderArrivalCallback+123E63p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, cl
		push	ecx
		mov	ecx, [edx+2Ch]
		test	ecx, ecx
		jnz	short loc_9FBAC7
		mov	eax, 0C0000141h
		jmp	short loc_9FBADE
; 

loc_9FBAC7:				; CODE XREF: EtwpLocateBinaryForRegEntry(x,x,x)+Dj
		test	al, al
		jnz	short loc_9FBAD6
		push	[ebp+arg_0]
		push	ecx
		call	_RtlPcToFilePath@8 ; RtlPcToFilePath(x,x)
		jmp	short loc_9FBADE
; 

loc_9FBAD6:				; CODE XREF: EtwpLocateBinaryForRegEntry(x,x,x)+18j
		mov	edx, [ebp+arg_0]
		call	_MmGetFileNameForAddress@8 ; MmGetFileNameForAddress(x,x)

loc_9FBADE:				; CODE XREF: EtwpLocateBinaryForRegEntry(x,x,x)+14j
					; EtwpLocateBinaryForRegEntry(x,x,x)+23j
		pop	ecx
		pop	ebp
		retn	4
_EtwpLocateBinaryForRegEntry@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSetProviderBinaryTracking(x, x,	x)
_EtwpSetProviderBinaryTracking@12 proc near ; CODE XREF: NtTraceControl(x,x,x,x,x,x)+820p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	esi, esi
		push	esi
		mov	[esp+1Ch+var_4], ebx
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9FBB0C
		mov	esi, 0C000000Dh
		jmp	short loc_9FBB88
; 

loc_9FBB0C:				; CODE XREF: EtwpSetProviderBinaryTracking(x,x,x)+20j
		cmp	[ebp+arg_0], 0
		lea	eax, [edi+258h]
		jz	short loc_9FBB77
		mov	ecx, 2000000h
		lock or	[eax], ecx
		xor	edx, edx
		jmp	short loc_9FBB32
; 

loc_9FBB24:				; CODE XREF: EtwpSetProviderBinaryTracking(x,x,x)+5Dj
		push	esi
		mov	edx, eax
		mov	ecx, edi
		call	_EtwpTrackGuidEntryRegistrations@12 ; EtwpTrackGuidEntryRegistrations(x,x,x)
		mov	edx, [esp+18h+var_8]

loc_9FBB32:				; CODE XREF: EtwpSetProviderBinaryTracking(x,x,x)+3Fj
		push	esi
		mov	ecx, ebx
		call	_EtwpGetNextGuidEntry@12 ; EtwpGetNextGuidEntry(x,x,x)
		mov	[esp+18h+var_8], eax
		test	eax, eax
		jnz	short loc_9FBB24
		push	2
		xor	edx, edx
		mov	ecx, ebx
		call	_EtwpGetNextGuidEntry@12 ; EtwpGetNextGuidEntry(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_9FBB7F
		mov	esi, [esp+18h+var_4]

loc_9FBB57:				; CODE XREF: EtwpSetProviderBinaryTracking(x,x,x)+8Ej
		push	2
		mov	edx, ebx
		mov	ecx, edi
		call	_EtwpTrackGuidEntryRegistrations@12 ; EtwpTrackGuidEntryRegistrations(x,x,x)
		push	2
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpGetNextGuidEntry@12 ; EtwpGetNextGuidEntry(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9FBB57
		xor	esi, esi
		jmp	short loc_9FBB7F
; 

loc_9FBB77:				; CODE XREF: EtwpSetProviderBinaryTracking(x,x,x)+33j
		mov	ecx, 0FDFFFFFFh
		lock and [eax],	ecx

loc_9FBB7F:				; CODE XREF: EtwpSetProviderBinaryTracking(x,x,x)+6Ej
					; EtwpSetProviderBinaryTracking(x,x,x)+92j
		xor	dl, dl
		mov	ecx, edi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_9FBB88:				; CODE XREF: EtwpSetProviderBinaryTracking(x,x,x)+27j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_EtwpSetProviderBinaryTracking@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpTrackBinaryForSession(void *)
_EtwpTrackBinaryForSession@12 proc near	; CODE XREF: EtwpProviderArrivalCallback+123E7Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		xor	edx, edx
		mov	[ebp+var_8], ebx
		lea	eax, [ebx+1F0h]
		mov	ecx, eax
		mov	[ebp+var_10], eax
		call	ExAcquirePushLockExclusiveEx
		mov	edx, [ebp+var_4]
		mov	eax, [ebx+0FCh]
		movzx	edi, word ptr [edx]
		mov	ecx, edi
		add	eax, ecx
		cmp	eax, [ebx+4]
		ja	loc_9FBDAA
		lea	esi, [ebx+2C8h]
		mov	eax, edi
		mov	ebx, [esi]
		cmp	ebx, esi
		jz	short loc_9FBC21

loc_9FBBDF:				; CODE XREF: EtwpTrackBinaryForSession(x,x,x)+89j
		lea	eax, [ecx+2]
		cmp	[ebx+8], eax
		jnz	short loc_9FBC15
		movzx	edi, word ptr [edx]
		mov	eax, edi
		push	eax		; Length
		push	dword ptr [edx+4] ; Source2
		mov	[ebp+var_C], eax
		mov	eax, [ebx+0Ch]
		shl	eax, 4
		add	eax, 14h
		add	eax, ebx
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		mov	ecx, edi
		cmp	eax, ecx
		jz	loc_9FBCA7
		mov	edx, [ebp+var_4]
		mov	eax, edi
		jmp	short loc_9FBC18
; 

loc_9FBC15:				; CODE XREF: EtwpTrackBinaryForSession(x,x,x)+52j
		movzx	eax, di

loc_9FBC18:				; CODE XREF: EtwpTrackBinaryForSession(x,x,x)+80j
		mov	ebx, [ebx]
		cmp	ebx, esi
		jnz	short loc_9FBBDF
		movzx	eax, ax

loc_9FBC21:				; CODE XREF: EtwpTrackBinaryForSession(x,x,x)+4Aj
		movzx	eax, ax
		xor	esi, esi
		push	62777445h
		add	eax, 26h
		inc	esi
		push	eax
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9FBDAA
		mov	[ebx+0Ch], esi
		lea	edi, [ebx+14h]
		mov	[ebx+10h], esi
		mov	esi, [ebp+arg_0]
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_4]
		mov	esi, [ebx+0Ch]
		shl	esi, 4
		add	esi, 14h
		movzx	eax, word ptr [edi]
		add	esi, ebx
		add	eax, 2
		mov	[ebx+8], eax
		movzx	eax, word ptr [edi]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		push	esi		; void *
		call	_memcpy
		movzx	eax, word ptr [edi]
		xor	ecx, ecx
		shr	eax, 1
		add	esp, 0Ch
		mov	[esi+eax*2], cx
		mov	eax, [ebx+8]
		mov	ecx, [ebp+var_8]
		add	eax, 10h
		add	[ecx+0FCh], eax

loc_9FBC91:				; CODE XREF: EtwpTrackBinaryForSession(x,x,x)+1FAj
		lea	eax, [ecx+2C8h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jz	loc_9FBD92

loc_9FBCA2:				; CODE XREF: EtwpTrackBinaryForSession(x,x,x)+1D6j
					; EtwpTrackBinaryForSession(x,x,x)+1E1j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9FBCA7:				; CODE XREF: EtwpTrackBinaryForSession(x,x,x)+75j
		and	[ebp+var_4], 0
		mov	esi, [ebx+0Ch]
		test	esi, esi
		jz	short loc_9FBCD9
		lea	edi, [ebx+14h]

loc_9FBCB5:				; CODE XREF: EtwpTrackBinaryForSession(x,x,x)+144j
		push	10h		; size_t
		push	edi		; void *
		push	[ebp+arg_0]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_9FBDAA
		mov	eax, [ebp+var_4]
		add	edi, 10h
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, esi
		jb	short loc_9FBCB5

loc_9FBCD9:				; CODE XREF: EtwpTrackBinaryForSession(x,x,x)+11Dj
		cmp	esi, 10h
		jnb	loc_9FBDAA
		mov	eax, [ebx+8]
		add	eax, 24h
		shl	esi, 4
		push	62777445h
		add	eax, esi
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	loc_9FBDAA
		mov	eax, [ebx+0Ch]
		shl	eax, 4
		push	eax		; size_t
		lea	eax, [ebx+14h]
		push	eax		; void *
		lea	eax, [ecx+14h]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebx+0Ch]
		mov	edx, [ebp+var_4]
		mov	esi, [ebp+arg_0]
		shl	eax, 4
		lea	edi, [edx+14h]
		add	edi, eax
		movsd
		movsd
		movsd
		movsd
		mov	ecx, [ebx+0Ch]
		inc	ecx
		mov	[edx+0Ch], ecx
		mov	eax, [ebx+10h]
		inc	eax
		shl	ecx, 4
		mov	[edx+10h], eax
		mov	eax, [ebx+8]
		mov	[edx+8], eax
		mov	eax, [ebx+0Ch]
		push	dword ptr [ebx+8] ; size_t
		shl	eax, 4
		add	eax, 14h
		add	eax, ebx
		push	eax		; void *
		lea	eax, [edx+14h]
		add	eax, ecx
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebx]
		add	esp, 18h
		cmp	[ecx+4], ebx
		jnz	loc_9FBCA2
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	loc_9FBCA2
		push	0
		mov	[eax], ecx
		push	ebx
		mov	[ecx+4], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		jmp	loc_9FBC91
; 

loc_9FBD92:				; CODE XREF: EtwpTrackBinaryForSession(x,x,x)+109j
		mov	[ebx], edx
		mov	[ebx+4], eax
		mov	[edx+4], ebx
		mov	edx, 0C0h
		mov	[eax], ebx
		lea	eax, [ecx+25Ch]
		lock or	[eax], edx

loc_9FBDAA:				; CODE XREF: EtwpTrackBinaryForSession(x,x,x)+38j
					; EtwpTrackBinaryForSession(x,x,x)+A7j	...
		mov	esi, [ebp+var_10]
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9FBDC1
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9FBDC1:				; CODE XREF: EtwpTrackBinaryForSession(x,x,x)+225j
		mov	ecx, esi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpTrackBinaryForSession@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTrackDecodeGuidForSession(x, x)
_EtwpTrackDecodeGuidForSession@8 proc near ; CODE XREF:	EtwpUpdateRegEntryEnableMask+11FF15p
					; AddDecodeGuidToSessions+3Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [edx+38h]
		push	ebx
		mov	ebx, ecx
		add	eax, 16h
		push	esi
		mov	[ebp+var_4], eax
		mov	eax, [edx+10h]
		xor	edx, edx
		push	edi
		lea	edi, [ebx+1F0h]
		add	eax, 14h
		mov	ecx, edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edi
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebx+50h]
		jmp	short loc_9FBE1C
; 

loc_9FBE05:				; CODE XREF: EtwpTrackDecodeGuidForSession(x,x)+4Fj
		push	10h		; size_t
		lea	eax, [esi+4]
		push	eax		; void *
		push	[ebp+var_4]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9FBE88
		mov	esi, [esi]

loc_9FBE1C:				; CODE XREF: EtwpTrackDecodeGuidForSession(x,x)+34j
		test	esi, esi
		jnz	short loc_9FBE05
		mov	eax, [ebx+0FCh]
		add	eax, 800h
		cmp	eax, [ebx+4]
		ja	short loc_9FBEA0
		cmp	eax, 10000h
		ja	short loc_9FBEA0
		push	62777445h
		push	28h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_9FBEA0
		mov	ecx, [ebx+50h]
		lea	edi, [eax+4]
		mov	esi, [ebp+var_4]
		mov	[eax], ecx
		mov	ecx, 8C0h
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_8]
		lea	edi, [eax+14h]
		movsd
		movsd
		movsd
		movsd
		mov	byte ptr [eax+24h], 0
		inc	dword ptr [ebx+54h]
		add	dword ptr [ebx+0FCh], 20h
		mov	[ebx+50h], eax
		lea	eax, [ebx+25Ch]
		lock or	[eax], ecx
		mov	edi, [ebp+var_C]
		mov	bl, 1
		jmp	short loc_9FBEA2
; 

loc_9FBE88:				; CODE XREF: EtwpTrackDecodeGuidForSession(x,x)+49j
		push	10h		; size_t
		lea	eax, [esi+14h]
		push	eax		; void *
		push	[ebp+var_8]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		setz	bl
		jmp	short loc_9FBEA2
; 

loc_9FBEA0:				; CODE XREF: EtwpTrackDecodeGuidForSession(x,x)+5Fj
					; EtwpTrackDecodeGuidForSession(x,x)+66j ...
		xor	ebx, ebx

loc_9FBEA2:				; CODE XREF: EtwpTrackDecodeGuidForSession(x,x)+B7j
					; EtwpTrackDecodeGuidForSession(x,x)+CFj
		or	edx, 0FFFFFFFFh
		lock xadd [edi], edx
		and	dl, 6
		cmp	dl, 2
		jnz	short loc_9FBEB8
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9FBEB8:				; CODE XREF: EtwpTrackDecodeGuidForSession(x,x)+E0j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_EtwpTrackDecodeGuidForSession@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTrackGuidEntryRegistrations(x, x, x)
_EtwpTrackGuidEntryRegistrations@12 proc near
					; CODE XREF: EtwpSetProviderBinaryTracking(x,x,x)+46p
					; EtwpSetProviderBinaryTracking(x,x,x)+7Ap

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, large fs:124h
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		push	edi
		mov	[ebp+var_30], ebx
		mov	[ebp+var_24], esi
		nop
		lea	ecx, [ebx+16Ch]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		lea	ecx, [ebx+60h]
		mov	[ebx+170h], eax
		xor	edx, edx

loc_9FBF11:				; CODE XREF: EtwpTrackGuidEntryRegistrations(x,x,x)+5Fj
		cmp	dword ptr [ecx], 0
		jz	short loc_9FBF1E
		movzx	eax, word ptr [ecx+6]
		cmp	eax, [esi]
		jz	short loc_9FBF2C

loc_9FBF1E:				; CODE XREF: EtwpTrackGuidEntryRegistrations(x,x,x)+4Ej
		inc	edx
		add	ecx, 20h
		cmp	edx, 8
		jb	short loc_9FBF11
		jmp	loc_9FC037
; 

loc_9FBF2C:				; CODE XREF: EtwpTrackGuidEntryRegistrations(x,x,x)+56j
		lea	edi, [ebx+24h]
		mov	esi, [edi]
		mov	[ebp+var_2C], edi
		mov	[ebp+var_28], esi
		cmp	esi, edi
		jz	loc_9FC037
		mov	al, [ebp+arg_0]

loc_9FBF42:				; CODE XREF: EtwpTrackGuidEntryRegistrations(x,x,x)+168j
		cmp	al, 2
		jnz	short loc_9FBF79
		mov	eax, large fs:124h
		lea	ebx, [esi-8]
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [ebx+10h]
		xor	edx, edx
		add	ecx, 16Ch
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, large fs:124h
		mov	eax, [ebx+10h]
		mov	[eax+170h], ecx
		jmp	short loc_9FBF7B
; 

loc_9FBF79:				; CODE XREF: EtwpTrackGuidEntryRegistrations(x,x,x)+7Ej
		mov	ebx, esi

loc_9FBF7B:				; CODE XREF: EtwpTrackGuidEntryRegistrations(x,x,x)+B1j
		test	byte ptr [ebx+32h], 1
		jz	short loc_9FBF8E
		mov	ecx, [ebp+var_24]
		xor	dl, dl
		push	ebx
		call	EtwpProviderArrivalCallback
		jmp	short loc_9FBFF7
; 

loc_9FBF8E:				; CODE XREF: EtwpTrackGuidEntryRegistrations(x,x,x)+B9j
		mov	ecx, [ebx+28h]
		add	ecx, 0F0h
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	short loc_9FBFF7
		push	6
		pop	ecx
		push	dword ptr [ebx+28h]
		xor	eax, eax
		lea	edi, [ebp+var_20]
		rep stosd
		call	_PsGetProcessServerSilo@4 ; PsGetProcessServerSilo(x)
		push	eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	ecx, [ebx+28h]
		mov	esi, eax
		lea	eax, [ebp+var_20]
		xor	edx, edx
		push	eax
		call	KiStackAttachProcess
		mov	ecx, [ebp+var_24]
		mov	dl, 1
		push	ebx
		call	EtwpProviderArrivalCallback
		xor	edx, edx
		lea	ecx, [ebp+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		push	esi
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		mov	ecx, [ebx+28h]
		add	ecx, 0F0h
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		mov	esi, [ebp+var_28]
		mov	edi, [ebp+var_2C]

loc_9FBFF7:				; CODE XREF: EtwpTrackGuidEntryRegistrations(x,x,x)+C6j
					; EtwpTrackGuidEntryRegistrations(x,x,x)+D8j
		mov	al, [ebp+arg_0]
		cmp	al, 2
		jnz	short loc_9FC027
		mov	eax, [ebx+10h]
		xor	edx, edx
		and	dword ptr [eax+170h], 0
		mov	ecx, [ebx+10h]
		add	ecx, 16Ch
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	al, [ebp+arg_0]

loc_9FC027:				; CODE XREF: EtwpTrackGuidEntryRegistrations(x,x,x)+136j
		mov	esi, [esi]
		mov	[ebp+var_28], esi
		cmp	esi, edi
		jnz	loc_9FBF42
		mov	ebx, [ebp+var_30]

loc_9FC037:				; CODE XREF: EtwpTrackGuidEntryRegistrations(x,x,x)+61j
					; EtwpTrackGuidEntryRegistrations(x,x,x)+73j
		and	dword ptr [ebx+170h], 0
		lea	ecx, [ebx+16Ch]
		xor	edx, edx
		call	ExReleasePushLockEx
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwpTrackGuidEntryRegistrations@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAllocateEventNameFilter(x, x)
_EtwpAllocateEventNameFilter@8 proc near ; CODE	XREF: EtwpAllocateFilter+90F3Ap

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, [ecx+8]
		mov	[ebp+var_2C], edx
		push	ebx
		push	esi
		push	edi
		cmp	eax, 18h
		jb	loc_9FC331
		mov	esi, [ecx]
		movzx	edx, word ptr [esi+12h]
		mov	[ebp+var_18], edx
		test	edx, edx
		jz	loc_9FC331
		lea	ecx, [eax-14h]
		lea	eax, [edx+edx]
		mov	[ebp+var_4], ecx
		cmp	ecx, eax
		jb	loc_9FC331
		imul	eax, edx, 0Ch
		add	ecx, 28h
		mov	edi, 46777445h
		push	edi
		mov	[ebp+var_14], eax
		add	eax, ecx
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_20], ebx
		test	ebx, ebx
		jnz	short loc_9FC0D5

loc_9FC0CB:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+88j
		mov	eax, 0C0000017h
		jmp	loc_9FC336
; 

loc_9FC0D5:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+5Fj
		push	edi
		push	80h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9FC0F4
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9FC0CB
; 

loc_9FC0F4:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+7Fj
		mov	al, [esi+11h]
		mov	[ebx], al
		mov	al, [esi+10h]
		test	al, al
		jnz	short loc_9FC102
		or	al, 0FFh

loc_9FC102:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+94j
		mov	[ebx+1], al
		mov	ecx, [esi]
		mov	eax, ecx
		mov	edx, [esi+4]
		or	eax, edx
		jnz	short loc_9FC116
		or	ecx, 0FFFFFFFFh
		or	edx, 0FFFFFFFFh

loc_9FC116:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+A4j
		push	[ebp+var_4]	; size_t
		mov	[ebx+8], ecx
		lea	ecx, [ebx+28h]
		mov	[ebx+0Ch], edx
		mov	eax, [esi+8]
		mov	[ebx+10h], eax
		mov	eax, [esi+0Ch]
		mov	[ebx+14h], eax
		lea	eax, [esi+14h]
		mov	[ebp+var_8], ecx
		add	ecx, [ebp+var_14]
		push	eax		; void *
		push	ecx		; void *
		mov	[ebp+var_1C], ecx
		call	_memcpy
		lea	eax, [ebx+18h]
		xor	edx, edx
		lea	ecx, [edi+80h]
		mov	[eax], edx
		add	esp, 0Ch
		mov	[eax+8], edi
		mov	dword ptr [eax+4], 400h
		mov	esi, edx
		or	eax, 1
		cmp	ecx, edi
		sbb	ecx, ecx
		and	ecx, 0FFFFFFE0h
		add	ecx, 20h
		jz	short loc_9FC176

loc_9FC16C:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+10Aj
		inc	esi
		mov	[edi], eax
		lea	edi, [edi+4]
		cmp	esi, ecx
		jb	short loc_9FC16C

loc_9FC176:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+100j
		mov	ecx, edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_14], edx
		cmp	[ebp+var_18], ecx
		jbe	loc_9FC315
		mov	eax, [ebp+var_4]
		lea	edx, [eax-1]

loc_9FC18D:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+2A3j
		cmp	ecx, edx
		jnb	loc_9FC31A
		mov	edi, [ebp+var_1C]
		mov	esi, eax
		sub	esi, ecx
		add	edi, ecx
		mov	edx, esi
		mov	[ebp+var_24], edi
		mov	ecx, edi
		call	strnlen_s
		inc	eax
		mov	[ebp+var_28], eax
		cmp	eax, esi
		ja	loc_9FC31A
		test	eax, eax
		jz	loc_9FC31A
		lea	esi, [eax-1]
		mov	edx, edi
		mov	edi, 4CB2Fh
		cmp	esi, 8
		jl	short loc_9FC234
		mov	eax, esi
		shr	eax, 3
		mov	[ebp+var_C], eax
		mov	ebx, eax
		imul	eax, -8
		add	esi, eax

loc_9FC1DC:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+1C5j
		movzx	eax, byte ptr [edx+1]
		imul	ecx, eax, 25h
		movzx	eax, byte ptr [edx+2]
		add	ecx, eax
		movzx	eax, byte ptr [edx+3]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+4]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+5]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+6]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx]
		imul	ecx, 25h
		imul	eax, 1A617D0Dh
		add	ecx, eax
		imul	eax, edi, 2FE8ED1Fh
		movzx	edi, byte ptr [edx+7]
		add	edx, 8
		sub	ecx, eax
		add	edi, ecx
		sub	ebx, 1
		jnz	short loc_9FC1DC
		mov	ebx, [ebp+var_20]

loc_9FC234:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+161j
		sub	esi, 1
		jz	short loc_9FC28D
		sub	esi, 1
		jz	short loc_9FC284
		sub	esi, 1
		jz	short loc_9FC27B
		sub	esi, 1
		jz	short loc_9FC272
		sub	esi, 1
		jz	short loc_9FC269
		sub	esi, 1
		jz	short loc_9FC260
		sub	esi, 1
		jnz	short loc_9FC295
		movzx	eax, byte ptr [edx]
		imul	edi, 25h
		add	edi, eax
		inc	edx

loc_9FC260:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+1E6j
		movzx	eax, byte ptr [edx]
		imul	edi, 25h
		add	edi, eax
		inc	edx

loc_9FC269:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+1E1j
		movzx	eax, byte ptr [edx]
		imul	edi, 25h
		add	edi, eax
		inc	edx

loc_9FC272:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+1DCj
		movzx	eax, byte ptr [edx]
		imul	edi, 25h
		add	edi, eax
		inc	edx

loc_9FC27B:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+1D7j
		movzx	eax, byte ptr [edx]
		imul	edi, 25h
		add	edi, eax
		inc	edx

loc_9FC284:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+1D2j
		movzx	eax, byte ptr [edx]
		imul	edi, 25h
		add	edi, eax
		inc	edx

loc_9FC28D:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+1CDj
		movzx	eax, byte ptr [edx]
		imul	edi, 25h
		add	edi, eax

loc_9FC295:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+1EBj
		mov	ecx, [ebp+var_8]
		or	edx, 0FFFFFFFFh
		mov	eax, [ebp+var_24]
		mov	[ecx+8], eax
		mov	[ecx+4], edi
		mov	ecx, [ebx+1Ch]
		mov	esi, ecx
		and	ecx, 1Fh
		shr	esi, 5
		shl	edx, cl
		and	edx, edi
		mov	edi, [ebp+var_8]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_C], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		lea	edx, [esi-1]
		mov	esi, [ebp+var_14]
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_C+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_C+3]
		imul	ecx, 25h
		add	ecx, eax
		and	edx, ecx
		mov	ecx, [ebx+20h]
		mov	eax, [ecx+edx*4]
		mov	[edi], eax
		mov	eax, [ebp+var_4]
		mov	[ecx+edx*4], edi
		add	edi, 0Ch
		mov	ecx, [ebp+var_10]
		add	ecx, [ebp+var_28]
		inc	dword ptr [ebx+18h]
		lea	edx, [eax-1]
		inc	esi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], esi
		mov	[ebp+var_8], edi
		cmp	esi, [ebp+var_18]
		jb	loc_9FC18D
		xor	edx, edx

loc_9FC315:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+117j
		cmp	ecx, [ebp+var_4]
		jz	short loc_9FC328

loc_9FC31A:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+125j
					; EtwpAllocateEventNameFilter(x,x)+146j ...
		mov	ecx, ebx
		call	_EtwpFreeEventNameFilter@4 ; EtwpFreeEventNameFilter(x)
		mov	edx, 0C000000Dh
		jmp	short loc_9FC32D
; 

loc_9FC328:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+2AEj
		mov	eax, [ebp+var_2C]
		mov	[eax], ebx

loc_9FC32D:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+2BCj
		mov	eax, edx
		jmp	short loc_9FC336
; 

loc_9FC331:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+14j
					; EtwpAllocateEventNameFilter(x,x)+25j	...
		mov	eax, 0C000000Dh

loc_9FC336:				; CODE XREF: EtwpAllocateEventNameFilter(x,x)+66j
					; EtwpAllocateEventNameFilter(x,x)+2C5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpAllocateEventNameFilter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAllocatePayloadFilterData(x, x,	x)
_EtwpAllocatePayloadFilterData@12 proc near ; CODE XREF: EtwpAllocateFilter+90F70p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	esi, [ebx+8]
		mov	edx, [ebx]
		push	esi
		call	_EtwpValidatePayloadFilter@12 ;	EtwpValidatePayloadFilter(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_9FC394
		push	46777445h
		lea	eax, [esi+8]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9FC376
		mov	eax, 0C0000017h
		jmp	short loc_9FC394
; 

loc_9FC376:				; CODE XREF: EtwpAllocatePayloadFilterData(x,x,x)+32j
		push	dword ptr [ebx+8] ; size_t
		lea	eax, [esi+8]
		mov	dword ptr [esi], 1
		push	dword ptr [ebx]	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[eax], esi
		mov	eax, edi

loc_9FC394:				; CODE XREF: EtwpAllocatePayloadFilterData(x,x,x)+19j
					; EtwpAllocatePayloadFilterData(x,x,x)+39j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_EtwpAllocatePayloadFilterData@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpAllocateStringFilterData(x, x)
_EtwpAllocateStringFilterData@8	proc near ; CODE XREF: EtwpAllocateFilter+90EA6p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1C], edx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, [ebx+8]
		lea	eax, [esi-2]
		cmp	eax, 3FEh
		ja	loc_9FC4CE
		shr	esi, 1
		mov	eax, [ebx]
		push	1
		pop	ecx
		mov	edx, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], ecx
		mov	eax, edi
		mov	[ebp+var_8], edx
		mov	[ebp+var_10], 3Bh
		jz	short loc_9FC3F9
		mov	ecx, [ebp+var_C]

loc_9FC3DE:				; CODE XREF: EtwpAllocateStringFilterData(x,x)+56j
		movzx	ebx, word ptr [ecx+eax*2]
		test	bx, bx
		jz	short loc_9FC3F3
		cmp	bx, word ptr [ebp+var_10]
		jnz	short loc_9FC3EE
		inc	edx

loc_9FC3EE:				; CODE XREF: EtwpAllocateStringFilterData(x,x)+50j
		inc	eax
		cmp	eax, esi
		jb	short loc_9FC3DE

loc_9FC3F3:				; CODE XREF: EtwpAllocateStringFilterData(x,x)+4Aj
		xor	ecx, ecx
		mov	[ebp+var_8], edx
		inc	ecx

loc_9FC3F9:				; CODE XREF: EtwpAllocateStringFilterData(x,x)+3Ej
		inc	eax
		cmp	esi, eax
		jbe	short loc_9FC400
		mov	esi, eax

loc_9FC400:				; CODE XREF: EtwpAllocateStringFilterData(x,x)+61j
		movzx	eax, dx
		mov	[ebp+var_18], eax
		push	46777445h
		lea	eax, [esi+eax*4]
		lea	eax, ds:0Ch[eax*2]
		push	eax
		push	ecx
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_9FC42F
		mov	edi, 0C0000017h
		jmp	loc_9FC4D3
; 

loc_9FC42F:				; CODE XREF: EtwpAllocateStringFilterData(x,x)+88j
		push	[ebp+var_4]	; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		mov	[ebx], ax
		mov	eax, [ebp+var_18]
		lea	ecx, ds:0Ch[eax*8]
		lea	eax, [esi+esi]
		add	ecx, ebx
		push	eax		; size_t
		push	[ebp+var_C]	; void *
		mov	[ebp+var_4], ecx
		push	ecx		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 18h
		mov	[ebp+var_8], edi
		mov	edx, edi
		mov	[ebx+8], eax
		test	esi, esi
		jz	short loc_9FC4B8
		xor	edi, edi
		inc	edi

loc_9FC470:				; CODE XREF: EtwpAllocateStringFilterData(x,x)+116j
		movzx	ecx, word ptr [eax+edx*2]
		test	cx, cx
		jz	short loc_9FC4B3
		cmp	di, [ebx]
		jnb	short loc_9FC4B3
		cmp	cx, word ptr [ebp+var_10]
		jnz	short loc_9FC4AE
		xor	ecx, ecx
		mov	[eax+edx*2], cx
		mov	eax, edx
		sub	eax, [ebp+var_8]
		movzx	ecx, di
		mov	[ebx+ecx*8-4], ax
		mov	eax, [ebp+var_4]
		lea	eax, [eax+edx*2]
		add	eax, 2
		inc	edi
		mov	[ebx+ecx*8+8], eax
		lea	eax, [edx+1]
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_4]

loc_9FC4AE:				; CODE XREF: EtwpAllocateStringFilterData(x,x)+E7j
		inc	edx
		cmp	edx, esi
		jb	short loc_9FC470

loc_9FC4B3:				; CODE XREF: EtwpAllocateStringFilterData(x,x)+DCj
					; EtwpAllocateStringFilterData(x,x)+E1j
		mov	[ebp+var_14], edi
		xor	edi, edi

loc_9FC4B8:				; CODE XREF: EtwpAllocateStringFilterData(x,x)+D0j
		mov	eax, [ebp+var_14]
		sub	esi, [ebp+var_8]
		movzx	eax, ax
		dec	esi
		mov	[ebx+eax*8-4], si
		mov	eax, [ebp+var_1C]
		mov	[eax], ebx
		jmp	short loc_9FC4D3
; 

loc_9FC4CE:				; CODE XREF: EtwpAllocateStringFilterData(x,x)+1Dj
		mov	edi, 0C000000Dh

loc_9FC4D3:				; CODE XREF: EtwpAllocateStringFilterData(x,x)+8Fj
					; EtwpAllocateStringFilterData(x,x)+131j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpAllocateStringFilterData@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpApplyContainerFilter(x,	x)
_EtwpApplyContainerFilter@8 proc near	; CODE XREF: EtwpApplyScopeFilters+EF12Cp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ecx+10h]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], edx
		push	esi
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	esi, [eax+164h]
		cmp	esi, ds:_EtwpHostSiloState
		jnz	short loc_9FC514
		push	offset ??_C@_19PBDICKGO@?$AAH?$AAo?$AAs?$AAt@NNGAKEGL@ ; "Host"
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ax, word ptr [ebp+var_18]
		jmp	short loc_9FC579
; 

loc_9FC514:				; CODE XREF: EtwpApplyContainerFilter(x,x)+24j
		movzx	eax, word ptr [esi+90Ch]
		push	46777445h
		mov	[ebp+var_4], ebx
		lea	eax, ds:2[eax*2]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_14], edx
		test	edx, edx
		jnz	short loc_9FC545
		mov	al, 1
		jmp	loc_9FC5DE
; 

loc_9FC545:				; CODE XREF: EtwpApplyContainerFilter(x,x)+62j
		mov	cx, [esi+90Ch]
		inc	cx
		add	cx, cx
		mov	word ptr [ebp+var_18+2], cx
		movzx	eax, word ptr [esi+90Ch]
		push	eax
		push	dword ptr [esi+908h]
		lea	eax, [ebp+var_4]
		push	eax
		movzx	eax, cx
		push	eax
		push	edx
		call	RtlUTF8ToUnicodeN
		mov	ax, word ptr [ebp+var_4]
		mov	word ptr [ebp+var_18], ax

loc_9FC579:				; CODE XREF: EtwpApplyContainerFilter(x,x)+38j
		mov	ecx, [ebp+var_8]
		movzx	edx, ax
		mov	eax, [ebp+var_14]
		mov	[ebp+var_4], eax
		xor	eax, eax
		shr	edx, 1
		push	edi
		mov	edi, ebx
		mov	[ebp+var_10], edx
		cmp	ax, [ecx]
		jnb	short loc_9FC5CA

loc_9FC594:				; CODE XREF: EtwpApplyContainerFilter(x,x)+EAj
		movzx	eax, di
		mov	[ebp+var_C], eax
		movzx	eax, word ptr [ecx+eax*8+4]
		cmp	eax, edx
		jnz	short loc_9FC5C0
		mov	eax, [ebp+var_C]
		push	edx		; size_t
		push	[ebp+var_4]	; wchar_t *
		push	dword ptr [ecx+eax*8+8]	; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9FC5C8
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_10]

loc_9FC5C0:				; CODE XREF: EtwpApplyContainerFilter(x,x)+C7j
		inc	edi
		cmp	di, [ecx]
		jb	short loc_9FC594
		jmp	short loc_9FC5CA
; 

loc_9FC5C8:				; CODE XREF: EtwpApplyContainerFilter(x,x)+DEj
		mov	bl, 1

loc_9FC5CA:				; CODE XREF: EtwpApplyContainerFilter(x,x)+B8j
					; EtwpApplyContainerFilter(x,x)+ECj
		pop	edi
		cmp	esi, ds:_EtwpHostSiloState
		jz	short loc_9FC5DC
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_9FC5DC:				; CODE XREF: EtwpApplyContainerFilter(x,x)+F7j
		mov	al, bl

loc_9FC5DE:				; CODE XREF: EtwpApplyContainerFilter(x,x)+66j
		pop	esi
		pop	ebx
		leave
		retn
_EtwpApplyContainerFilter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpApplyExeFilter(x, x)
_EtwpApplyExeFilter@8 proc near		; CODE XREF: EtwpApplyTransientFilters:loc_8FA920p
					; EtwpApplyScopeFilters+EF0F5p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx+28h]
		mov	[ebp+var_4], edx
		mov	ecx, [eax+1C0h]
		test	ecx, ecx
		jnz	short loc_9FC5FC
		mov	al, 1
		leave
		retn
; 

loc_9FC5FC:				; CODE XREF: EtwpApplyExeFilter(x,x)+14j
		push	ebx
		push	esi
		push	edi
		movzx	edi, word ptr [ecx]
		mov	ecx, [ecx+4]
		shr	edi, 1
		lea	esi, [ecx+edi*2]
		jmp	short loc_9FC617
; 

loc_9FC60C:				; CODE XREF: EtwpApplyExeFilter(x,x)+37j
		mov	eax, esi
		sub	esi, 2
		cmp	word ptr [esi],	5Ch
		jz	short loc_9FC61D

loc_9FC617:				; CODE XREF: EtwpApplyExeFilter(x,x)+28j
		cmp	esi, ecx
		jnz	short loc_9FC60C
		jmp	short loc_9FC61F
; 

loc_9FC61D:				; CODE XREF: EtwpApplyExeFilter(x,x)+33j
		mov	esi, eax

loc_9FC61F:				; CODE XREF: EtwpApplyExeFilter(x,x)+39j
		mov	eax, esi
		sub	eax, ecx
		xor	ecx, ecx
		sar	eax, 1
		sub	edi, eax
		xor	eax, eax
		mov	ebx, eax
		cmp	cx, [edx]
		jnb	short loc_9FC65B

loc_9FC632:				; CODE XREF: EtwpApplyExeFilter(x,x)+75j
		movzx	ecx, bx
		movzx	eax, word ptr [edx+ecx*8+4]
		cmp	eax, edi
		jnz	short loc_9FC653
		push	edi		; size_t
		push	esi		; wchar_t *
		push	dword ptr [edx+ecx*8+8]	; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9FC660
		mov	edx, [ebp+var_4]

loc_9FC653:				; CODE XREF: EtwpApplyExeFilter(x,x)+5Aj
		inc	ebx
		cmp	bx, [edx]
		jb	short loc_9FC632
		xor	eax, eax

loc_9FC65B:				; CODE XREF: EtwpApplyExeFilter(x,x)+4Ej
					; EtwpApplyExeFilter(x,x)+80j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9FC660:				; CODE XREF: EtwpApplyExeFilter(x,x)+6Cj
		mov	al, 1
		jmp	short loc_9FC65B
_EtwpApplyExeFilter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpApplyPackageIdFilter(x,	x, x)
_EtwpApplyPackageIdFilter@12 proc near	; CODE XREF: EtwpApplyTransientFilters+118747p
					; EtwpApplyScopeFilters+EF115p

var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19A		= byte ptr -19Ah
var_199		= dword	ptr -199h
var_194		= dword	ptr -194h
var_190		= word ptr -190h
var_90		= word ptr -90h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1B0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_199+1]
		push	edi
		push	18Ch		; size_t
		xor	ebx, ebx
		mov	[ebp+var_1A8], ecx
		push	ebx		; int
		push	eax		; void *
		mov	edi, edx
		mov	[ebp+var_1A4], esi
		call	_memset
		mov	eax, [ebp+var_1A8]
		add	esp, 0Ch
		test	esi, esi
		mov	byte ptr [ebp+var_199],	bl
		setz	[ebp+var_19A]
		push	dword ptr [eax+28h]
		call	_PsReferencePrimaryToken@4 ; PsReferencePrimaryToken(x)
		lea	ecx, [ebp-19Bh]
		mov	[ebp+var_1AC], eax
		push	ecx
		lea	ecx, [ebp+var_199]
		push	ecx
		push	eax
		call	_PsQueryProcessAttributesByToken@12 ; PsQueryProcessAttributesByToken(x,x,x)
		cmp	byte ptr [ebp+var_199],	bl
		jz	loc_9FC7F7
		push	ebx
		lea	eax, [ebp+var_194]
		mov	[ebp+var_199+1], 100h
		push	eax
		lea	eax, [ebp+var_90]
		mov	[ebp+var_194], 82h
		push	eax
		lea	eax, [ebp+var_199+1]
		push	eax
		lea	eax, [ebp+var_190]
		push	eax
		push	[ebp+var_1AC]
		call	_RtlQueryPackageIdentity@24 ; RtlQueryPackageIdentity(x,x,x,x,x,x)
		test	eax, eax
		js	loc_9FC7F7
		test	edi, edi
		setz	byte ptr [ebp+var_199]
		test	edi, edi
		jz	short loc_9FC786
		mov	esi, [ebp+var_199+1]
		xor	ecx, ecx
		shr	esi, 1
		mov	eax, ebx
		dec	esi
		cmp	cx, [edi]
		jmp	short loc_9FC778
; 

loc_9FC74A:				; CODE XREF: EtwpApplyPackageIdFilter(x,x,x)+11Aj
		movzx	ecx, ax
		movzx	eax, word ptr [edi+ecx*8+4]
		cmp	eax, esi
		jnz	short loc_9FC76E
		push	esi		; size_t
		lea	eax, [ebp+var_190]
		push	eax		; wchar_t *
		push	dword ptr [edi+ecx*8+8]	; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9FC7D6

loc_9FC76E:				; CODE XREF: EtwpApplyPackageIdFilter(x,x,x)+F0j
		mov	eax, [ebp+var_1A0]
		inc	eax
		cmp	ax, [edi]

loc_9FC778:				; CODE XREF: EtwpApplyPackageIdFilter(x,x,x)+E4j
		mov	[ebp+var_1A0], eax
		jb	short loc_9FC74A
		mov	byte ptr [ebp+var_199],	bl

loc_9FC786:				; CODE XREF: EtwpApplyPackageIdFilter(x,x,x)+D2j
					; EtwpApplyPackageIdFilter(x,x,x)+179j
		mov	ecx, [ebp+var_1A4]
		test	ecx, ecx
		jz	short loc_9FC7E3
		mov	esi, [ebp+var_194]
		xor	eax, eax
		shr	esi, 1
		mov	edi, ebx
		dec	esi
		cmp	ax, [ecx]
		jnb	short loc_9FC7D2

loc_9FC7A2:				; CODE XREF: EtwpApplyPackageIdFilter(x,x,x)+16Cj
		movzx	edx, di
		movzx	eax, word ptr [ecx+edx*8+4]
		cmp	eax, esi
		jnz	short loc_9FC7CC
		push	esi		; size_t
		lea	eax, [ebp+var_90]
		push	eax		; wchar_t *
		push	dword ptr [ecx+edx*8+8]	; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9FC7DF
		mov	ecx, [ebp+var_1A4]

loc_9FC7CC:				; CODE XREF: EtwpApplyPackageIdFilter(x,x,x)+148j
		inc	edi
		cmp	di, [ecx]
		jb	short loc_9FC7A2

loc_9FC7D2:				; CODE XREF: EtwpApplyPackageIdFilter(x,x,x)+13Cj
		mov	al, bl
		jmp	short loc_9FC7E9
; 

loc_9FC7D6:				; CODE XREF: EtwpApplyPackageIdFilter(x,x,x)+108j
		mov	byte ptr [ebp+var_199],	1
		jmp	short loc_9FC786
; 

loc_9FC7DF:				; CODE XREF: EtwpApplyPackageIdFilter(x,x,x)+160j
		mov	al, 1
		jmp	short loc_9FC7E9
; 

loc_9FC7E3:				; CODE XREF: EtwpApplyPackageIdFilter(x,x,x)+12Aj
		mov	al, [ebp+var_19A]

loc_9FC7E9:				; CODE XREF: EtwpApplyPackageIdFilter(x,x,x)+170j
					; EtwpApplyPackageIdFilter(x,x,x)+17Dj
		cmp	byte ptr [ebp+var_199],	bl
		jz	short loc_9FC7F7
		test	al, al
		jz	short loc_9FC7F7
		mov	bl, 1

loc_9FC7F7:				; CODE XREF: EtwpApplyPackageIdFilter(x,x,x)+7Dj
					; EtwpApplyPackageIdFilter(x,x,x)+C1j ...
		mov	eax, [ebp+var_1A8]
		mov	edx, [ebp+var_1AC]
		mov	ecx, [eax+28h]
		add	ecx, 12Ch
		call	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_EtwpApplyPackageIdFilter@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpApplyStackWalkFilterOnUserEvent(x, x, x)
_EtwpApplyStackWalkFilterOnUserEvent@12	proc near
					; CODE XREF: EtwpWriteUserEvent(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+582p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0Ch
		push	offset dword_6A9FE8
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		movzx	ecx, word ptr [ecx+28h]
		mov	[ebp+var_1C], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	1
		push	[ebp+arg_0]
		call	_EtwpApplyStackWalkIdFilter@16 ; EtwpApplyStackWalkIdFilter(x,x,x,x)
		jmp	short loc_9FC85E
; 

loc_9FC84E:				; DATA XREF: .text:006A9FFCo
		xor	eax, eax
		inc	eax
		retn
; 

loc_9FC852:				; DATA XREF: .text:006AA000o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, 1

loc_9FC85E:				; CODE XREF: EtwpApplyStackWalkFilterOnUserEvent(x,x,x)+28j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpApplyStackWalkFilterOnUserEvent@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCopySchematizedFilters(x, x, x)
_EtwpCopySchematizedFilters@12 proc near
					; CODE XREF: EtwpClearSessionAndUnreferenceEntry+128F00p
					; EtwpBuildNotificationPacket+1219A8p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	eax, edx
		mov	[ebp+var_4], ecx
		push	esi
		xor	edx, edx
		mov	[ebp+var_8], eax
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], edx
		xor	esi, esi
		lea	ebx, [eax+60h]

loc_9FC88F:				; CODE XREF: EtwpCopySchematizedFilters(x,x,x)+7Fj
		cmp	dword ptr [ebx], 0
		jz	short loc_9FC8DF
		mov	eax, [eax+160h]
		mov	eax, [eax+esi+2Ch]
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	short loc_9FC8DC
		xor	eax, eax
		mov	cl, dl
		inc	eax
		shl	eax, cl
		test	[ebp+arg_0], al
		jz	short loc_9FC8DC
		mov	edi, [ebp+var_10]
		push	dword ptr [edi+10h] ; size_t
		push	edi		; void *
		push	[ebp+var_4]	; void *
		call	_memcpy
		mov	eax, [edi+10h]
		add	esp, 0Ch
		mov	ecx, [ebp+var_4]
		add	eax, 7
		mov	edx, [ebp+var_C]
		and	eax, 0FFFFFFF8h
		mov	edi, ecx
		mov	[ecx+14h], eax
		add	ecx, eax
		mov	[ebp+var_4], ecx

loc_9FC8DC:				; CODE XREF: EtwpCopySchematizedFilters(x,x,x)+33j
					; EtwpCopySchematizedFilters(x,x,x)+3Fj
		mov	eax, [ebp+var_8]

loc_9FC8DF:				; CODE XREF: EtwpCopySchematizedFilters(x,x,x)+22j
		inc	edx
		add	esi, 34h
		add	ebx, 20h
		mov	[ebp+var_C], edx
		cmp	esi, 1A0h
		jb	short loc_9FC88F
		test	edi, edi
		jz	short loc_9FC8F9
		and	dword ptr [edi+14h], 0

loc_9FC8F9:				; CODE XREF: EtwpCopySchematizedFilters(x,x,x)+83j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpCopySchematizedFilters@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpFreeEventNameFilter(x)
_EtwpFreeEventNameFilter@4 proc	near	; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+6EEp
					; EtwpUpdateFilterData(x,x,x,x,x)+6F9p	...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+20h]
		test	eax, eax
		jz	short loc_9FC914
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FC914:				; CODE XREF: EtwpFreeEventNameFilter(x)+Aj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
_EtwpFreeEventNameFilter@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdatePidFilterData(x, x, x)
_EtwpUpdatePidFilterData@12 proc near	; CODE XREF: EtwpUpdateFilterData(x,x,x,x,x)+98p
					; EtwpUpdateFilterData(x,x,x,x,x)+35Dp	...

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		xor	esi, esi
		cmp	[ebp+arg_0], 0
		mov	ebx, ecx
		mov	[ebp+var_4], eax
		jz	short loc_9FC943
		push	esi
		push	dword ptr [ebx+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebx+4], esi
		jmp	short loc_9FC993
; 

loc_9FC943:				; CODE XREF: EtwpUpdatePidFilterData(x,x,x)+15j
		push	edi
		mov	edi, [eax+8]
		shr	edi, 2
		cmp	edi, 8
		jbe	short loc_9FC956
		mov	esi, 0C000000Dh
		jmp	short loc_9FC992
; 

loc_9FC956:				; CODE XREF: EtwpUpdatePidFilterData(x,x,x)+2Fj
		mov	eax, [ebx+4]
		test	eax, eax
		jnz	short loc_9FC979
		push	46777445h
		push	24h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_9FC976
		mov	esi, 0C0000017h
		jmp	short loc_9FC992
; 

loc_9FC976:				; CODE XREF: EtwpUpdatePidFilterData(x,x,x)+4Fj
		mov	[ebx+4], eax

loc_9FC979:				; CODE XREF: EtwpUpdatePidFilterData(x,x,x)+3Dj
		mov	ecx, edi
		mov	[eax], edi
		shl	ecx, 2
		push	ecx		; size_t
		mov	ecx, [ebp+var_4]
		push	dword ptr [ecx]	; void *
		lea	ecx, [eax+4]
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_9FC992:				; CODE XREF: EtwpUpdatePidFilterData(x,x,x)+36j
					; EtwpUpdatePidFilterData(x,x,x)+56j
		pop	edi

loc_9FC993:				; CODE XREF: EtwpUpdatePidFilterData(x,x,x)+23j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpUpdatePidFilterData@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdateStringFilterData(x, x, x)
_EtwpUpdateStringFilterData@12 proc near ; CODE	XREF: EtwpUpdateFilterData(x,x,x,x,x)+BAp
					; EtwpUpdateFilterData(x,x,x,x,x)+DCp ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		mov	esi, [ecx]
		jz	short loc_9FC9AE
		and	dword ptr [ecx], 0
		jmp	short loc_9FC9B5
; 

loc_9FC9AE:				; CODE XREF: EtwpUpdateStringFilterData(x,x,x)+Cj
		mov	eax, [edx]
		mov	[ecx], eax
		and	dword ptr [edx], 0

loc_9FC9B5:				; CODE XREF: EtwpUpdateStringFilterData(x,x,x)+11j
		test	esi, esi
		jz	short loc_9FC9C1
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FC9C1:				; CODE XREF: EtwpUpdateStringFilterData(x,x,x)+1Cj
		pop	esi
		pop	ebp
		retn	4
_EtwpUpdateStringFilterData@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpValidateTraceControlFilterDescriptors(x, x, x, x)
_EtwpValidateTraceControlFilterDescriptors@16 proc near
					; CODE XREF: EtwpNotifyGuid(x,x,x)+9Fp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1C], edx
		lea	edi, [ebp+var_30]
		mov	ebx, ecx
		stosd
		mov	[ebp+var_18], ebx
		stosd
		stosd
		stosd
		cmp	ebx, 0Dh
		ja	loc_9FCB14
		mov	esi, ebx
		xor	eax, eax
		shl	esi, 4
		mov	[ebp+var_8], eax
		cmp	esi, [ebp+arg_0]
		ja	loc_9FCB14
		and	[ebp+var_14], eax
		test	ebx, ebx
		jz	loc_9FCB09
		mov	edi, edx

loc_9FCA0B:				; CODE XREF: EtwpValidateTraceControlFilterDescriptors(x,x,x,x)+13Dj
		mov	ecx, [edi+4]
		mov	eax, [edi]
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jb	loc_9FCB14
		ja	loc_9FCB14
		cmp	eax, esi
		jb	loc_9FCB14
		test	ecx, ecx
		ja	loc_9FCB14
		jb	short loc_9FCA3F
		cmp	eax, [ebp+arg_0]
		jnb	loc_9FCB14

loc_9FCA3F:				; CODE XREF: EtwpValidateTraceControlFilterDescriptors(x,x,x,x)+6Ej
		mov	ecx, [edi+0Ch]
		cmp	ecx, 80001000h
		jz	loc_9FCB14
		cmp	ecx, 80000200h
		jz	loc_9FCB14
		cmp	ecx, 80000400h
		jz	loc_9FCB14
		cmp	ecx, 80000100h
		jz	loc_9FCB14
		cmp	ecx, 80000000h
		jz	loc_9FCB14
		cmp	ecx, 80000002h
		jz	loc_9FCB14
		mov	edx, [edi+8]
		cmp	edx, 400h
		ja	short loc_9FCB14
		mov	ebx, [ebp+var_C]
		xor	eax, eax
		mov	[ebp+var_4], edx
		add	[ebp+var_4], ebx
		mov	ebx, [ebp+var_18]
		adc	eax, [ebp+var_10]
		test	eax, eax
		ja	short loc_9FCB14
		jb	short loc_9FCAB4
		mov	eax, [ebp+var_4]
		cmp	eax, [ebp+arg_0]
		ja	short loc_9FCB14

loc_9FCAB4:				; CODE XREF: EtwpValidateTraceControlFilterDescriptors(x,x,x,x)+E4j
		mov	eax, [ebp+var_8]
		add	eax, edx
		mov	[ebp+var_8], eax
		cmp	ecx, 80000004h
		jnz	short loc_9FCACC
		mov	ecx, [ebp+arg_4]
		mov	[ecx+28h], edi
		jmp	short loc_9FCAF7
; 

loc_9FCACC:				; CODE XREF: EtwpValidateTraceControlFilterDescriptors(x,x,x,x)+FCj
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_28], edx
		xor	edx, edx
		add	eax, [ebp+var_C]
		push	0
		adc	edx, [ebp+var_10]
		push	[ebp+arg_4]
		mov	[ebp+var_2C], edx
		lea	edx, [ebp+var_30]
		mov	[ebp+var_24], ecx
		mov	[ebp+var_30], eax
		call	EtwpAllocateFilter
		test	eax, eax
		js	short loc_9FCB19
		mov	eax, [ebp+var_8]

loc_9FCAF7:				; CODE XREF: EtwpValidateTraceControlFilterDescriptors(x,x,x,x)+104j
		mov	ecx, [ebp+var_14]
		add	edi, 10h
		inc	ecx
		mov	[ebp+var_14], ecx
		cmp	ecx, ebx
		jb	loc_9FCA0B

loc_9FCB09:				; CODE XREF: EtwpValidateTraceControlFilterDescriptors(x,x,x,x)+3Dj
		add	eax, esi
		cmp	eax, [ebp+arg_0]
		ja	short loc_9FCB14
		xor	eax, eax
		jmp	short loc_9FCB19
; 

loc_9FCB14:				; CODE XREF: EtwpValidateTraceControlFilterDescriptors(x,x,x,x)+1Fj
					; EtwpValidateTraceControlFilterDescriptors(x,x,x,x)+32j ...
		mov	eax, 0C000000Dh

loc_9FCB19:				; CODE XREF: EtwpValidateTraceControlFilterDescriptors(x,x,x,x)+12Cj
					; EtwpValidateTraceControlFilterDescriptors(x,x,x,x)+14Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_EtwpValidateTraceControlFilterDescriptors@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl EtwpCompareGuid(const void *,const void *)
_EtwpCompareGuid proc near		; DATA XREF: EtwpIsGuidAllowed:loc_8F0A93o
					; EtwpGetTraceGroupInfo(x,x,x,x)+186o ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	10h		; size_t
		push	[ebp+arg_4]	; void *
		push	[ebp+arg_0]	; void *
		call	_memcmp
		add	esp, 0Ch
		pop	ebp
		retn
_EtwpCompareGuid endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EtwpUpdateDisallowedGuids(void *,int,int,int,int)
_EtwpUpdateDisallowedGuids@28 proc near	; CODE XREF: EtwpUpdateDisallowList(x,x,x,x)+27p

var_32		= word ptr -32h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		and	[esp+34h+var_28], 0
		mov	eax, 200h
		push	ebx
		push	esi
		mov	si, dx
		mov	ebx, ecx
		mov	[esp+3Ch+var_32], si
		mov	[esp+3Ch+var_20], ebx
		push	edi
		cmp	si, ax
		jbe	short loc_9FCB6C
		mov	eax, 0C000000Dh
		jmp	loc_9FCF92
; 

loc_9FCB6C:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+29j
		lea	eax, [esp+40h+var_10]
		mov	[esp+40h+var_C], eax
		mov	[esp+40h+var_10], eax
		lea	eax, [esp+40h+var_8]
		mov	[esp+40h+var_4], eax
		mov	[esp+40h+var_8], eax
		test	si, si
		jz	loc_9FCC4C
		movzx	ebx, si
		mov	esi, ebx
		push	64777445h
		shl	esi, 4
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+40h+var_1C], edi
		test	edi, edi
		jz	loc_9FCEBD
		push	esi		; size_t
		push	[ebp+arg_0]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	offset _EtwpCompareGuid	; int __cdecl (*)(const	void *,const void *)
		push	10h		; size_t
		push	ebx		; size_t
		push	edi		; void *
		call	_qsort
		and	[esp+50h+var_24], 0
		add	esp, 10h
		sub	ebx, 1
		jz	short loc_9FCBFD
		mov	esi, edi

loc_9FCBDA:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+C4j
		push	10h		; size_t
		lea	eax, [esi+10h]
		push	eax		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_9FCC37
		mov	eax, [esp+40h+var_24]
		add	esi, 10h
		inc	eax
		mov	[esp+40h+var_24], eax
		cmp	eax, ebx
		jb	short loc_9FCBDA

loc_9FCBFD:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+9Fj
		mov	si, [esp+40h+var_32]
		mov	ebx, [esp+40h+var_20]

loc_9FCC06:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+11Bj
		push	0
		push	0
		push	0
		lea	eax, [ebx+1D0h]
		push	0
		push	eax
		mov	[esp+54h+var_14], eax
		call	KeWaitForSingleObject
		movzx	eax, word ptr [ebx+2D4h]
		test	ax, ax
		jz	short loc_9FCC54
		mov	ebx, [ebx+2D8h]
		shl	eax, 4
		add	eax, ebx
		jmp	short loc_9FCC58
; 

loc_9FCC37:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+B4j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esp+40h+var_28], 0C000000Dh
		jmp	loc_9FCEC5
; 

loc_9FCC4C:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+50j
		xor	edi, edi
		mov	[esp+40h+var_1C], edi
		jmp	short loc_9FCC06
; 

loc_9FCC54:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+F1j
		xor	ebx, ebx
		xor	eax, eax

loc_9FCC58:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+FEj
		mov	[esp+40h+var_24], eax
		test	si, si
		jz	short loc_9FCC6F
		movzx	ecx, [esp+40h+var_32]
		mov	esi, edi
		shl	ecx, 4
		add	ecx, edi
		jmp	short loc_9FCC73
; 

loc_9FCC6F:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+128j
		xor	esi, esi
		xor	ecx, ecx

loc_9FCC73:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+136j
		mov	[esp+40h+var_2C], ecx
		mov	[esp+40h+var_30], esi
		cmp	ebx, eax
		jnb	loc_9FCDF3
		mov	edi, [esp+40h+var_24]

loc_9FCC87:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+215j
		cmp	esi, ecx
		jnb	loc_9FCD59
		push	10h		; size_t
		push	esi		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_9FCCA7
		add	ebx, 10h
		jmp	loc_9FCD39
; 

loc_9FCCA7:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+166j
		push	74777445h
		push	0Ch
		push	1
		jns	short loc_9FCCE2
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_9FCEB1
		mov	[eax+8], ebx
		lea	edx, [esp+40h+var_8]
		mov	ecx, [esp+40h+var_4]
		cmp	[ecx], edx
		jnz	loc_9FCF7A
		mov	[eax], edx
		add	ebx, 10h
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esp+40h+var_4], eax
		jmp	short loc_9FCD40
; 

loc_9FCCE2:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+179j
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+40h+var_18], edi
		test	edi, edi
		jz	loc_9FCEB1
		push	74777445h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_9FCD51
		mov	eax, [esp+40h+var_18]
		lea	edx, [esp+40h+var_10]
		mov	edi, ecx
		movsd
		movsd
		movsd
		movsd
		mov	[eax+8], ecx
		mov	ecx, [esp+40h+var_C]
		cmp	[ecx], edx
		jnz	loc_9FCF7A
		mov	esi, [esp+40h+var_30]
		mov	edi, [esp+40h+var_24]
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esp+40h+var_C], eax

loc_9FCD39:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+16Bj
		add	esi, 10h
		mov	[esp+40h+var_30], esi

loc_9FCD40:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+1A9j
		cmp	ebx, edi
		jnb	loc_9FCDF3
		mov	ecx, [esp+40h+var_2C]
		jmp	loc_9FCC87
; 

loc_9FCD51:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+1D0j
		push	0
		push	edi
		jmp	loc_9FCEAC
; 

loc_9FCD59:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+152j
					; EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+25Bj
		push	74777445h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_9FCEB1
		mov	[eax+8], ebx
		lea	edx, [esp+40h+var_8]
		mov	ecx, [esp+40h+var_4]
		cmp	[ecx], edx
		jnz	loc_9FCF7A
		mov	[eax], edx
		add	ebx, 10h
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esp+40h+var_4], eax
		cmp	ebx, edi
		jb	short loc_9FCD59
		jmp	short loc_9FCDF3
; 

loc_9FCD96:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+2C0j
		push	74777445h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9FCEB1
		push	74777445h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_9FCEA9
		mov	edi, eax
		lea	ecx, [esp+40h+var_10]
		movsd
		movsd
		movsd
		movsd
		mov	[ebx+8], eax
		mov	eax, [esp+40h+var_C]
		cmp	[eax], ecx
		jnz	loc_9FCF7A
		mov	esi, [esp+40h+var_30]
		mov	[ebx], ecx
		add	esi, 10h
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	[esp+40h+var_C], ebx
		mov	[esp+40h+var_30], esi

loc_9FCDF3:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+146j
					; EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+20Bj ...
		cmp	esi, [esp+40h+var_2C]
		jb	short loc_9FCD96
		mov	ebx, [esp+40h+var_20]
		xor	edx, edx
		lea	esi, [ebx+1F0h]
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	ax, [esp+40h+var_32]
		mov	[ebx+2D4h], ax
		mov	eax, [ebx+2D8h]
		mov	[esp+40h+var_14], eax
		mov	eax, [esp+40h+var_1C]
		mov	[ebx+2D8h], eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9FCE40
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9FCE40:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+300j
		mov	ecx, esi
		call	KeAbPostRelease
		push	0
		lea	eax, [ebx+1D0h]
		push	eax
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, [esp+40h+var_10]
		xor	ebx, ebx
		mov	edi, eax

loc_9FCE5D:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+370j
		lea	ecx, [esp+40h+var_10]
		cmp	eax, ecx
		jz	loc_9FCF3D
		push	[ebp+arg_10]
		mov	esi, edi
		mov	edi, [edi]
		push	dword ptr [esi+8]
		call	_EtwpDisallowedGuidAddition@8 ;	EtwpDisallowedGuidAddition(x,x)
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_9FCF7A
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_9FCF7A
		mov	[ecx], eax
		push	ebx
		mov	[eax+4], ecx
		push	dword ptr [esi+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+40h+var_10]
		jmp	short loc_9FCE5D
; 

loc_9FCEA9:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+287j
		push	0
		push	ebx

loc_9FCEAC:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+21Dj
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FCEB1:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+182j
					; EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+1B8j ...
		mov	eax, [esp+40h+var_14]
		push	0
		push	eax
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_9FCEBD:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+73j
		mov	[esp+40h+var_28], 0C000009Ah

loc_9FCEC5:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+110j
		mov	eax, [esp+40h+var_10]
		mov	edi, eax

loc_9FCECB:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+3D1j
		lea	ecx, [esp+40h+var_10]
		cmp	eax, ecx
		jz	short loc_9FCF0A
		mov	eax, [edi]
		mov	esi, edi
		mov	edi, eax
		cmp	[eax+4], esi
		jnz	loc_9FCF7A
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_9FCF7A
		mov	[ecx], eax
		push	0
		mov	[eax+4], ecx
		push	dword ptr [esi+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+40h+var_10]
		jmp	short loc_9FCECB
; 

loc_9FCF0A:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+39Aj
		mov	eax, [esp+40h+var_8]
		mov	esi, eax

loc_9FCF10:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+404j
		lea	ecx, [esp+40h+var_8]
		cmp	eax, ecx
		jz	short loc_9FCF8E
		mov	ecx, [esi]
		mov	eax, esi
		mov	esi, ecx
		cmp	[ecx+4], eax
		jnz	short loc_9FCF7A
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_9FCF7A
		push	0
		mov	[edx], ecx
		push	eax
		mov	[ecx+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+40h+var_8]
		jmp	short loc_9FCF10
; 

loc_9FCF3D:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+32Cj
		mov	eax, [esp+40h+var_8]
		mov	edi, eax

loc_9FCF43:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+441j
		lea	ecx, [esp+40h+var_8]
		cmp	eax, ecx
		jz	short loc_9FCF7F
		push	[ebp+arg_10]
		mov	esi, edi
		mov	edi, [edi]
		push	dword ptr [esi+8]
		call	_EtwpDisallowedGuidRemoval@8 ; EtwpDisallowedGuidRemoval(x,x)
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_9FCF7A
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_9FCF7A
		push	ebx
		mov	[ecx], eax
		push	esi
		mov	[eax+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+40h+var_8]
		jmp	short loc_9FCF43
; 

loc_9FCF7A:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+195j
					; EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+1E9j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9FCF7F:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+412j
		mov	eax, [esp+40h+var_14]
		test	eax, eax
		jz	short loc_9FCF8E
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FCF8E:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+3DFj
					; EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+44Ej
		mov	eax, [esp+40h+var_28]

loc_9FCF92:				; CODE XREF: EtwpUpdateDisallowedGuids(x,x,x,x,x,x,x)+30j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_EtwpUpdateDisallowedGuids@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEnableStackCaching(x, x, x)
_EtwpEnableStackCaching@12 proc	near	; CODE XREF: EtwpCheckForStackTracingExtension+12A296p
					; EtwSetPerformanceTraceInformation(x,x,x)+B77p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ecx
		mov	eax, edx
		mov	[ebp+var_4], eax
		cmp	[ecx+2B8h], esi
		jz	short loc_9FCFBF
		mov	esi, 0C0000303h
		jmp	loc_9FD0A5
; 

loc_9FCFBF:				; CODE XREF: EtwpEnableStackCaching(x,x,x)+18j
		mov	ecx, 300000h
		cmp	eax, ecx
		jnb	short loc_9FCFCD
		mov	eax, ecx
		mov	[ebp+var_4], ecx

loc_9FCFCD:				; CODE XREF: EtwpEnableStackCaching(x,x,x)+2Bj
		mov	ecx, 3200000h
		cmp	eax, ecx
		jbe	short loc_9FCFD9
		mov	[ebp+var_4], ecx

loc_9FCFD9:				; CODE XREF: EtwpEnableStackCaching(x,x,x)+39j
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, 100h
		cmp	edi, eax
		jnb	short loc_9FCFE8
		mov	edi, eax

loc_9FCFE8:				; CODE XREF: EtwpEnableStackCaching(x,x,x)+49j
		mov	eax, 1000h
		cmp	edi, eax
		jbe	short loc_9FCFF3
		mov	edi, eax

loc_9FCFF3:				; CODE XREF: EtwpEnableStackCaching(x,x,x)+54j
		imul	eax, edi, 0Ch
		push	ebx
		push	73777445h
		add	eax, 10h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_9FD0B3
		mov	eax, [ebp+var_8]
		mov	[ebx+4], edi
		mov	[ebx], eax
		mov	[ebx+8], esi
		mov	[ebx+0Ch], esi
		test	edi, edi
		jz	short loc_9FD039
		lea	eax, [ebx+10h]

loc_9FD029:				; CODE XREF: EtwpEnableStackCaching(x,x,x)+9Cj
		mov	[eax+8], esi
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 0Ch
		sub	edi, 1
		jnz	short loc_9FD029

loc_9FD039:				; CODE XREF: EtwpEnableStackCaching(x,x,x)+89j
		mov	eax, [ebp+var_4]
		xor	edx, edx
		mov	ecx, 98h
		mov	[ebp+arg_0], esi
		div	ecx
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_9FD081

loc_9FD04F:				; CODE XREF: EtwpEnableStackCaching(x,x,x)+E4j
		push	78777445h
		push	ecx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_9FD0AC
		mov	edx, eax
		mov	[eax+0Ch], esi
		lea	ecx, [ebx+8]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	eax, [ebp+arg_0]
		mov	ecx, 98h
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, [ebp+var_4]
		jb	short loc_9FD04F

loc_9FD081:				; CODE XREF: EtwpEnableStackCaching(x,x,x)+B2j
		mov	eax, [ebp+var_8]
		lea	ecx, [ebp+arg_0]
		mov	[ebp+arg_0], esi
		xor	edx, edx
		mov	[eax+2B8h], ebx
		lock or	[ecx], edx
		mov	edx, 1000000h
		lea	ecx, [eax+258h]
		lock or	[ecx], edx

loc_9FD0A3:				; CODE XREF: EtwpEnableStackCaching(x,x,x)+11Dj
		pop	ebx
		pop	edi

loc_9FD0A5:				; CODE XREF: EtwpEnableStackCaching(x,x,x)+1Fj
		mov	eax, esi
		pop	esi
		leave
		retn	4
; 

loc_9FD0AC:				; CODE XREF: EtwpEnableStackCaching(x,x,x)+C6j
		mov	ecx, ebx
		call	_EtwpFreeStackCache@4 ;	EtwpFreeStackCache(x)

loc_9FD0B3:				; CODE XREF: EtwpEnableStackCaching(x,x,x)+73j
		mov	esi, 0C0000017h
		jmp	short loc_9FD0A3
_EtwpEnableStackCaching@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpFreeStackCache(x)
_EtwpFreeStackCache@4 proc near		; CODE XREF: NtQueryPerformanceCounter+257p
					; EtwpEnableStackCaching(x,x,x)+113p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		xor	ecx, ecx
		push	esi
		mov	[ebp+var_4], ecx
		cmp	[ebx+4], ecx
		jbe	short loc_9FD10C
		push	edi
		lea	edi, [ebx+10h]

loc_9FD0D2:				; CODE XREF: EtwpFreeStackCache(x)+43j
					; EtwpFreeStackCache(x)+4Fj
		mov	eax, [edi]
		cmp	eax, edi
		jz	short loc_9FD0FF
		cmp	[eax+4], edi
		jnz	short loc_9FD118
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_9FD118
		mov	[edi], ecx
		mov	[ecx+4], edi

loc_9FD0E9:				; CODE XREF: EtwpFreeStackCache(x)+3Ej
		mov	esi, [eax+8]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_9FD0E9
		mov	ecx, [ebp+var_4]
		jmp	short loc_9FD0D2
; 

loc_9FD0FF:				; CODE XREF: EtwpFreeStackCache(x)+1Cj
		inc	ecx
		add	edi, 0Ch
		mov	[ebp+var_4], ecx
		cmp	ecx, [ebx+4]
		jb	short loc_9FD0D2
		pop	edi

loc_9FD10C:				; CODE XREF: EtwpFreeStackCache(x)+12j
		lea	ecx, [ebx+8]
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	esi, eax
		jmp	short loc_9FD127
; 

loc_9FD118:				; CODE XREF: EtwpFreeStackCache(x)+21j
					; EtwpFreeStackCache(x)+28j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9FD11D:				; CODE XREF: EtwpFreeStackCache(x)+71j
		mov	ecx, esi
		mov	esi, [esi]
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FD127:				; CODE XREF: EtwpFreeStackCache(x)+5Cj
		push	0
		test	esi, esi
		jnz	short loc_9FD11D
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebx
		leave
		retn
_EtwpFreeStackCache@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampAcquireSamplerRundown(x)
_EtwpCovSampAcquireSamplerRundown@4 proc near
					; CODE XREF: EtwpCovSampCaptureBufferMapAddressesAndQueue(x,x)+2Ap
					; EtwpCovSampCaptureBufferProcess(x,x)+14p ...
		mov	eax, large fs:124h
		push	esi
		mov	esi, ecx
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset unk_6BC090
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jnz	short loc_9FD162
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	eax, 0C0000189h
		pop	esi
		retn
; 

loc_9FD162:				; CODE XREF: EtwpCovSampAcquireSamplerRundown(x)+1Dj
		mov	eax, dword_6BC08C
		mov	[esi], eax
		xor	eax, eax
		pop	esi
		retn
_EtwpCovSampAcquireSamplerRundown@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampApplyBounds(x, x, x, x)
_EtwpCovSampApplyBounds@16 proc	near	; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+1A9p
					; EtwpSetCoverageSamplerInformation(x,x,x)+1BCp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_9FD17D
		mov	eax, edx

loc_9FD17D:				; CODE XREF: EtwpCovSampApplyBounds(x,x,x,x)+Cj
		mov	ecx, eax
		cmp	eax, [ebp+arg_0]
		jnb	short loc_9FD187
		mov	eax, [ebp+arg_0]

loc_9FD187:				; CODE XREF: EtwpCovSampApplyBounds(x,x,x,x)+15j
		cmp	ecx, [ebp+arg_0]
		sbb	ecx, ecx
		neg	ecx
		cmp	eax, [ebp+arg_4]
		jbe	short loc_9FD199
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		inc	ecx

loc_9FD199:				; CODE XREF: EtwpCovSampApplyBounds(x,x,x,x)+24j
		mov	[esi], eax
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	8
_EtwpCovSampApplyBounds@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureAllocateApc(x, x)
_EtwpCovSampCaptureAllocateApc@8 proc near
					; DATA XREF: EtwpCovSampCaptureContextStart(x)+119o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	56777445h
		push	48h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9FD1D9
		push	48h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	dword ptr [esi+4], 0ABCABCACh
		mov	[esi+10h], eax

loc_9FD1D9:				; CODE XREF: EtwpCovSampCaptureAllocateApc(x,x)+1Bj
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_EtwpCovSampCaptureAllocateApc@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureAllocateCaptureBuffer(x, x)
_EtwpCovSampCaptureAllocateCaptureBuffer@8 proc	near
					; DATA XREF: EtwpCovSampCaptureContextStart(x)+133o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	56777445h
		mov	eax, [esi+1D8h]
		lea	eax, ds:20h[eax*8]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_9FD22F
		push	edi
		push	0Ah
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		mov	ecx, [ebp+arg_4]
		mov	dword ptr [edx+4], 0CABBB0FFh
		mov	[edx+10h], ecx
		mov	ax, [esi+1D8h]
		mov	[edx+18h], ax
		pop	edi

loc_9FD22F:				; CODE XREF: EtwpCovSampCaptureAllocateCaptureBuffer(x,x)+2Aj
		mov	eax, edx
		pop	esi
		pop	ebp
		retn	8
_EtwpCovSampCaptureAllocateCaptureBuffer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureAllocateSampleBuffer(x, x)
_EtwpCovSampCaptureAllocateSampleBuffer@8 proc near
					; DATA XREF: EtwpCovSampCaptureContextStart(x)+317o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		push	56777445h
		mov	edi, [eax+1DCh]
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_9FD276
		push	30h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		lea	eax, [edi-20h]
		mov	dword ptr [esi+4], 5001B0FAh
		add	esp, 0Ch
		mov	[esi+1Ch], eax

loc_9FD276:				; CODE XREF: EtwpCovSampCaptureAllocateSampleBuffer(x,x)+24j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_EtwpCovSampCaptureAllocateSampleBuffer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureApcRundown(x)
_EtwpCovSampCaptureApcRundown@4	proc near ; DATA XREF: EtwpCovSampCaptureQueueApc(x)+B9o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		lea	ecx, [ecx-14h]
		call	_EtwpCovSampCaptureApcRelease@4	; EtwpCovSampCaptureApcRelease(x)
		pop	ebp
		retn	4
_EtwpCovSampCaptureApcRundown@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureBufferMapAddressesAndQueue(x, x)
_EtwpCovSampCaptureBufferMapAddressesAndQueue@8	proc near
					; CODE XREF: EtwpCovSampCaptureUserAddresses(x,x)+2Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	esi, esi
		mov	ecx, edi
		mov	[ebp+var_4], esi
		call	_EtwpCovSampCaptureBufferIsEmpty@4 ; EtwpCovSampCaptureBufferIsEmpty(x)
		test	eax, eax
		jnz	loc_9FD35A
		lea	ecx, [ebp+var_4]
		call	_EtwpCovSampAcquireSamplerRundown@4 ; EtwpCovSampAcquireSamplerRundown(x)
		test	eax, eax
		js	loc_9FD357
		movzx	eax, word ptr [edi+1Ah]
		lea	ecx, [edi+20h]
		push	eax
		push	ecx
		mov	ecx, ebx
		call	_EtwpCovSampStackHashCheck@16 ;	EtwpCovSampStackHashCheck(x,x,x,x)
		test	eax, eax
		jnz	short loc_9FD357
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	eax, [eax+4B0h]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_9FD357
		movzx	eax, word ptr [edi+18h]
		add	eax, 8
		lea	esi, [edi+eax*4]
		movzx	eax, word ptr [edi+1Ah]
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [edi+20h]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		add	esp, 0Ch
		push	eax
		movzx	eax, word ptr [edi+18h]
		push	eax
		lea	eax, [edi+20h]
		push	eax
		movzx	eax, word ptr [edi+1Ah]
		push	eax
		push	esi
		mov	esi, [ebp+var_4]
		lea	edx, [esi+8]
		call	_EtwpCovSampProcessMapAddresses@28 ; EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)
		mov	eax, [ebp+var_8]
		and	dword ptr [edi+14h], 0FFFFFFF4h
		mov	[edi+1Ah], ax
		test	ax, ax
		jz	short loc_9FD34A
		or	dword ptr [edi+14h], 4

loc_9FD34A:				; CODE XREF: EtwpCovSampCaptureBufferMapAddressesAndQueue(x,x)+B2j
		mov	edx, edi
		mov	ecx, ebx
		call	_EtwpCovSampCaptureBufferQueue@8 ; EtwpCovSampCaptureBufferQueue(x,x)
		xor	edi, edi
		jmp	short loc_9FD35A
; 

loc_9FD357:				; CODE XREF: EtwpCovSampCaptureBufferMapAddressesAndQueue(x,x)+31j
					; EtwpCovSampCaptureBufferMapAddressesAndQueue(x,x)+49j ...
		mov	esi, [ebp+var_4]

loc_9FD35A:				; CODE XREF: EtwpCovSampCaptureBufferMapAddressesAndQueue(x,x)+21j
					; EtwpCovSampCaptureBufferMapAddressesAndQueue(x,x)+C3j
		test	edi, edi
		jz	short loc_9FD367
		mov	edx, edi
		mov	ecx, ebx
		call	_EtwpCovSampCaptureBufferRelease@8 ; EtwpCovSampCaptureBufferRelease(x,x)

loc_9FD367:				; CODE XREF: EtwpCovSampCaptureBufferMapAddressesAndQueue(x,x)+CAj
		test	esi, esi
		jz	short loc_9FD37A
		mov	ecx, offset unk_6BC090
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9FD37A:				; CODE XREF: EtwpCovSampCaptureBufferMapAddressesAndQueue(x,x)+D7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCovSampCaptureBufferMapAddressesAndQueue@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureBufferProcess(x, x)
_EtwpCovSampCaptureBufferProcess@8 proc	near
					; CODE XREF: EtwpCovSampCaptureWorkerThread(x)+95p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	esi, edx
		push	edi
		lea	ecx, [ebp+var_4]
		call	_EtwpCovSampAcquireSamplerRundown@4 ; EtwpCovSampAcquireSamplerRundown(x)
		test	eax, eax
		js	short loc_9FD3E3
		test	byte ptr [esi+14h], 4
		lea	edi, [esi+20h]
		movzx	eax, word ptr [esi+1Ah]
		push	eax
		jz	short loc_9FD3B8
		mov	esi, [ebp+var_4]
		mov	edx, edi
		mov	ecx, esi
		call	_EtwpCovSampContextAddSamples@12 ; EtwpCovSampContextAddSamples(x,x,x)
		jmp	short loc_9FD3E6
; 

loc_9FD3B8:				; CODE XREF: EtwpCovSampCaptureBufferProcess(x,x)+29j
		push	edi
		mov	ecx, ebx
		call	_EtwpCovSampStackHashCheck@16 ;	EtwpCovSampStackHashCheck(x,x,x,x)
		test	eax, eax
		jnz	short loc_9FD3E3
		mov	edx, large fs:124h
		movzx	eax, word ptr [esi+1Ah]
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		push	eax
		mov	edx, [edx+80h]
		push	edi
		call	_EtwpCovSampContextAddAddresses@16 ; EtwpCovSampContextAddAddresses(x,x,x,x)
		jmp	short loc_9FD3E6
; 

loc_9FD3E3:				; CODE XREF: EtwpCovSampCaptureBufferProcess(x,x)+1Bj
					; EtwpCovSampCaptureBufferProcess(x,x)+43j
		mov	esi, [ebp+var_4]

loc_9FD3E6:				; CODE XREF: EtwpCovSampCaptureBufferProcess(x,x)+37j
					; EtwpCovSampCaptureBufferProcess(x,x)+62j
		test	esi, esi
		jz	short loc_9FD3F9
		mov	ecx, offset unk_6BC090
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9FD3F9:				; CODE XREF: EtwpCovSampCaptureBufferProcess(x,x)+69j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCovSampCaptureBufferProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureContextSetPaused(x, x, x)
_EtwpCovSampCaptureContextSetPaused@12 proc near
					; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+50p
					; EtwpCoverageSamplerQuery(x,x,x,x)+75Dp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, edx
		cmp	[esi+1CCh], eax
		jz	short loc_9FD459
		test	eax, eax
		jz	short loc_9FD439
		test	dword ptr [ecx+0Ch], 100h
		jnz	short loc_9FD440
		push	0
		push	0
		mov	dword ptr [esi+1CCh], 1
		push	dword ptr [ecx+3A8h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_9FD440
; 

loc_9FD439:				; CODE XREF: EtwpCovSampCaptureContextSetPaused(x,x,x)+15j
		and	dword ptr [esi+1CCh], 0

loc_9FD440:				; CODE XREF: EtwpCovSampCaptureContextSetPaused(x,x,x)+1Ej
					; EtwpCovSampCaptureContextSetPaused(x,x,x)+39j
		lea	edx, [esi+110h]
		mov	ecx, [edx]
		jmp	short loc_9FD455
; 

loc_9FD44A:				; CODE XREF: EtwpCovSampCaptureContextSetPaused(x,x,x)+59j
		mov	eax, [esi+1CCh]
		mov	[ecx+10h], eax
		mov	ecx, [ecx]

loc_9FD455:				; CODE XREF: EtwpCovSampCaptureContextSetPaused(x,x,x)+4Aj
		cmp	ecx, edx
		jnz	short loc_9FD44A

loc_9FD459:				; CODE XREF: EtwpCovSampCaptureContextSetPaused(x,x,x)+11j
		pop	esi
		pop	ebp
		retn	4
_EtwpCovSampCaptureContextSetPaused@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureContextStart(x)
_EtwpCovSampCaptureContextStart@4 proc near ; CODE XREF: EtwpCoverageSamplerStart(x)+132p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+1Ch+var_4], eax
		and	[esp+1Ch+var_18], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, dword_6BC094
		mov	esi, ecx
		or	ebx, 0FFFFFFFFh
		mov	[esp+28h+var_1C], esi
		test	edi, edi
		jnz	loc_9FD551
		push	56777445h
		push	1F8h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_9FD4B7
		mov	esi, 0C000009Ah
		jmp	loc_9FD82D
; 

loc_9FD4B7:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+4Dj
		push	1F8h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		or	dword ptr [edi+4], 0FFFFFFFFh
		lea	eax, [edi+140h]
		add	esp, 0Ch
		push	0
		push	0
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	offset _EtwpCovSampCaptureRebalanceDpc@16 ; EtwpCovSampCaptureRebalanceDpc(x,x,x,x)
		lea	eax, [edi+120h]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		xor	eax, eax
		push	eax
		mov	[edi+158h], eax
		push	eax
		mov	[edi+15Ch], eax
		lea	eax, [edi+168h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	offset _EtwpCovSampCaptureQueueDpc@16 ;	EtwpCovSampCaptureQueueDpc(x,x,x,x)
		lea	eax, [edi+178h]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	edi
		push	offset _EtwpCovSampCaptureCleanupDpc@16	; EtwpCovSampCaptureCleanupDpc(x,x,x,x)
		lea	eax, [edi+198h]
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	0
		push	0
		lea	eax, [edi+1B8h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [esi]
		shr	eax, 0Bh
		and	eax, 1
		mov	[edi+1D4h], eax
		mov	dword_6BC094, edi

loc_9FD551:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+2Fj
		lea	eax, [edi+110h]
		mov	ecx, edi	; int
		mov	[eax+4], eax
		lea	edx, [edi+40h]	; void *
		mov	[eax], eax
		lea	eax, [edi+118h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [esi+24h]
		push	eax		; int
		imul	eax, 3
		shr	eax, 2
		push	eax		; int
		push	offset _EtwpCovSampCaptureAllocateApc@8	; int
		call	_EtwpCovSampLookasideControlInitialize@20 ; EtwpCovSampLookasideControlInitialize(x,x,x,x,x)
		mov	eax, [esi+20h]
		lea	edx, [edi+78h]	; void *
		push	eax		; int
		imul	eax, 3
		mov	ecx, edi	; int
		shr	eax, 2
		push	eax		; int
		push	offset _EtwpCovSampCaptureAllocateCaptureBuffer@8 ; int
		call	_EtwpCovSampLookasideControlInitialize@20 ; EtwpCovSampLookasideControlInitialize(x,x,x,x,x)
		mov	edx, [esi+4Ch]
		test	edx, edx
		jz	short loc_9FD5F0
		lea	esi, [edi+1E8h]
		mov	ecx, esi
		call	_EtwpCovSampStackHashTableAlloc@8 ; EtwpCovSampStackHashTableAlloc(x,x)
		mov	edx, [esp+28h+var_1C]
		lea	ecx, [edi+1ECh]
		mov	edx, [edx+4Ch]
		call	_EtwpCovSampStackHashTableAlloc@8 ; EtwpCovSampStackHashTableAlloc(x,x)
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_9FD5E6
		xor	esi, esi
		cmp	[edi+1ECh], esi
		jz	short loc_9FD5E6
		xor	ecx, ecx
		mov	[edi+1E4h], eax
		call	ExGenRandom
		mov	[edi+1F0h], eax
		jmp	short loc_9FD5F2
; 

loc_9FD5E6:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+167j
					; EtwpCovSampCaptureContextStart(x)+171j ...
		mov	esi, 0C000009Ah
		jmp	loc_9FD820
; 

loc_9FD5F0:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+142j
		xor	esi, esi

loc_9FD5F2:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+186j
		cmp	dword ptr [edi+4], 0FFFFFFFFh
		jnz	short loc_9FD60F
		push	ecx
		xor	edx, edx
		mov	ecx, 118h
		call	_ExSaAllocate@12 ; ExSaAllocate(x,x,x)
		mov	ebx, eax
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_9FD5E6
		mov	[edi+4], ebx

loc_9FD60F:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+198j
		mov	ecx, [edi]
		test	ecx, ecx
		jnz	short loc_9FD686
		push	esi
		push	esi
		push	edi
		push	offset _EtwpCovSampCaptureWorkerThread@4 ; EtwpCovSampCaptureWorkerThread(x)
		push	esi
		push	esi
		push	esi
		push	1FFFFFh
		lea	eax, [esp+48h+var_18]
		push	eax
		call	PsCreateSystemThreadEx
		mov	esi, eax
		or	ebx, 0FFFFFFFFh
		test	esi, esi
		js	loc_9FD820
		xor	ecx, ecx
		lea	eax, [esp+28h+var_14]
		push	ecx
		push	eax
		push	ecx
		push	ds:_PsThreadType
		mov	[esp+38h+var_14], ecx
		push	1FFFFFh
		push	[esp+3Ch+var_18]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	eax, [esp+28h+var_14]
		mov	[edi], eax
		xor	eax, eax
		inc	eax
		push	0Ch
		mov	[esp+2Ch+var_10], eax
		mov	[esp+2Ch+var_C], eax
		mov	[esp+2Ch+var_8], eax
		lea	eax, [esp+2Ch+var_10]
		push	eax
		push	31h
		push	[esp+34h+var_18]
		call	_ZwSetInformationThread@16 ; ZwSetInformationThread(x,x,x,x)
		mov	ecx, [edi]

loc_9FD686:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+1B5j
		mov	ebx, [esp+28h+var_1C]
		push	0
		pop	eax
		mov	esi, [ebx]
		and	esi, 200h
		setnz	al
		dec	eax
		push	eax
		push	ecx
		call	KeSetBasePriorityThread
		xor	eax, eax
		test	esi, esi
		push	0FFFFh
		setnz	al
		mov	[edi+1E0h], eax
		call	KeQueryMaximumProcessorCountEx
		xor	ecx, ecx
		mov	[esp+2Ch+var_18], eax
		mov	[esp+2Ch+var_20], ecx
		test	eax, eax
		jz	loc_9FD75B

loc_9FD6C9:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+2F7j
		mov	edx, ecx
		mov	ecx, [edi+4]
		call	@ExSaDecodeHandleForIndex@8 ; ExSaDecodeHandleForIndex(x,x)
		mov	esi, eax
		push	114h		; size_t
		push	0		; int
		lea	ecx, [esi+4]
		push	ecx		; void *
		call	_memset
		and	dword ptr [esi], 0
		lea	eax, [edi+40h]
		add	esp, 0Ch
		lea	edx, [esi+8]
		mov	ecx, edi
		push	eax
		call	_EtwpCovSampLookasideInitialize@12 ; EtwpCovSampLookasideInitialize(x,x,x)
		lea	eax, [edi+78h]
		mov	ecx, edi
		push	eax
		lea	edx, [esi+30h]
		call	_EtwpCovSampLookasideInitialize@12 ; EtwpCovSampLookasideInitialize(x,x,x)
		push	dword ptr [ebx+2Ch]
		mov	edx, [ebx+28h]
		lea	ecx, [esi+58h]
		call	_EtwpCovSampStrideSamplerInitialize@12 ; EtwpCovSampStrideSamplerInitialize(x,x,x)
		push	dword ptr [ebx+34h]
		mov	edx, [ebx+30h]
		lea	ecx, [esi+80h]
		call	_EtwpCovSampStrideSamplerInitialize@12 ; EtwpCovSampStrideSamplerInitialize(x,x,x)
		push	dword ptr [ebx+3Ch]
		mov	edx, [ebx+38h]
		lea	ecx, [esi+0A8h]
		call	_EtwpCovSampStrideSamplerInitialize@12 ; EtwpCovSampStrideSamplerInitialize(x,x,x)
		push	dword ptr [ebx+44h]
		mov	edx, [ebx+40h]
		lea	ecx, [esi+0D0h]
		call	_EtwpCovSampStrideSamplerInitialize@12 ; EtwpCovSampStrideSamplerInitialize(x,x,x)
		mov	ecx, [esp+2Ch+var_20]
		inc	ecx
		mov	[esp+2Ch+var_20], ecx
		cmp	ecx, [esp+2Ch+var_18]
		jb	loc_9FD6C9

loc_9FD75B:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+265j
		mov	eax, [ebx+1Ch]
		lea	esi, [edi+0B0h]
		imul	eax, [esp+2Ch+var_18]
		mov	edx, esi	; void *
		mov	ecx, edi	; int
		push	eax		; int
		imul	eax, 3
		shr	eax, 2
		push	eax		; int
		push	offset _EtwpCovSampCaptureAllocateSampleBuffer@8 ; int
		call	_EtwpCovSampLookasideControlInitialize@20 ; EtwpCovSampLookasideControlInitialize(x,x,x,x,x)
		push	esi
		lea	edx, [edi+0E8h]
		mov	ecx, edi
		call	_EtwpCovSampLookasideInitialize@12 ; EtwpCovSampLookasideInitialize(x,x,x)
		mov	eax, ds:_KeTickCount
		xor	ecx, ecx
		and	dword ptr [edi+1D0h], 0
		inc	ecx
		mov	[edi+150h], eax
		mov	[edi+154h], eax
		mov	eax, [ebx+48h]
		mov	[edi+1D8h], eax
		mov	eax, [ebx+18h]
		mov	[edi+1DCh], eax
		lea	eax, [edi+1C8h]
		xchg	ecx, [eax]
		and	dword ptr [edi+1CCh], 0
		lea	ecx, [edi+110h]
		mov	eax, [ecx]
		jmp	short loc_9FD80F
; 

loc_9FD7D3:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+3B7j
		lea	ebx, [eax-8]
		xor	ecx, ecx
		inc	ecx
		lea	eax, [ebx+14h]
		xchg	ecx, [eax]
		and	dword ptr [ebx+18h], 0
		jmp	short loc_9FD7F8
; 

loc_9FD7E4:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+3A3j
		cmp	ecx, [ebx+24h]
		jnb	short loc_9FD803
		mov	edx, ebx
		mov	ecx, edi
		call	_EtwpCovSampLookasideGrow@8 ; EtwpCovSampLookasideGrow(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_9FD819

loc_9FD7F8:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+384j
		mov	eax, [ebx+10h]
		mov	ecx, [ebx+20h]
		cmp	ecx, [eax+1Ch]
		jb	short loc_9FD7E4

loc_9FD803:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+389j
		mov	eax, [esp+2Ch+var_20]
		lea	ecx, [edi+110h]
		mov	eax, [eax]

loc_9FD80F:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+373j
		mov	[esp+2Ch+var_20], eax
		cmp	eax, ecx
		jnz	short loc_9FD7D3
		xor	esi, esi

loc_9FD819:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+398j
		or	ebx, 0FFFFFFFFh
		test	esi, esi
		jns	short loc_9FD82D

loc_9FD820:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+18Dj
					; EtwpCovSampCaptureContextStart(x)+1D8j
		cmp	dword ptr [edi+4], 0FFFFFFFFh
		jz	short loc_9FD82D
		mov	ecx, edi
		call	_EtwpCovSampCaptureFreeLookasides@8 ; EtwpCovSampCaptureFreeLookasides(x,x)

loc_9FD82D:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+54j
					; EtwpCovSampCaptureContextStart(x)+3C0j ...
		cmp	[esp+2Ch+var_1C], 0
		jz	short loc_9FD83F
		push	0
		push	[esp+30h+var_1C]
		call	ObCloseHandle

loc_9FD83F:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+3D4j
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_9FD850
		mov	edx, 118h
		mov	ecx, ebx
		call	_ExSaFree@8	; ExSaFree(x,x)

loc_9FD850:				; CODE XREF: EtwpCovSampCaptureContextStart(x)+3E4j
		mov	ecx, [esp+2Ch+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_EtwpCovSampCaptureContextStart@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureFlush(x)
_EtwpCovSampCaptureFlush@4 proc	near	; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+8Dp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 20h
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [esp+28h+var_20]
		push	8
		pop	ecx
		xor	eax, eax
		rep stosd
		mov	ecx, esi
		call	_EtwpCovSampCaptureFlushSampleBuffers@4	; EtwpCovSampCaptureFlushSampleBuffers(x)
		xor	edi, edi
		mov	[esp+28h+var_1C], 0F1A5BFFAh
		push	edi
		push	edi
		lea	eax, [esp+30h+var_10]
		mov	[esp+30h+var_18], edi
		push	eax
		mov	[esp+34h+var_14], edi
		mov	[esp+34h+var_10], edi
		mov	[esp+34h+var_C], edi
		mov	[esp+34h+var_8], edi
		mov	[esp+34h+var_4], edi
		mov	[esp+34h+var_20], 1B1Dh
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	edx, [esp+28h+var_20]
		mov	ecx, esi
		call	_EtwpCovSampCaptureQueueBuffer@8 ; EtwpCovSampCaptureQueueBuffer(x,x)
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [esp+38h+var_10]
		push	eax
		call	KeWaitForSingleObject
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_EtwpCovSampCaptureFlush@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureFlushStats(x, x)
_EtwpCovSampCaptureFlushStats@8	proc near
					; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+69Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		push	0FFFFh
		mov	[ebp+var_4], edi
		call	KeQueryMaximumProcessorCountEx
		mov	esi, eax
		xor	edx, edx
		test	esi, esi
		jz	short loc_9FD924

loc_9FD8FC:				; CODE XREF: EtwpCovSampCaptureFlushStats(x,x)+48j
		mov	ecx, [edi+4]
		call	@ExSaDecodeHandleForIndex@8 ; ExSaDecodeHandleForIndex(x,x)
		xor	ecx, ecx
		lea	edi, [eax+0F8h]

loc_9FD90C:				; CODE XREF: EtwpCovSampCaptureFlushStats(x,x)+40j
		xor	eax, eax
		xchg	eax, [edi]
		add	[ebx+ecx*4], eax
		add	edi, 4
		inc	ecx
		cmp	ecx, 8
		jb	short loc_9FD90C
		mov	edi, [ebp+var_4]
		inc	edx
		cmp	edx, esi
		jb	short loc_9FD8FC

loc_9FD924:				; CODE XREF: EtwpCovSampCaptureFlushStats(x,x)+20j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCovSampCaptureFlushStats@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureFreeLookasides(x,	x)
_EtwpCovSampCaptureFreeLookasides@8 proc near
					; CODE XREF: EtwpCovSampCaptureContextStop(x)+D5p
					; EtwpCovSampCaptureContextStart(x)+3CAp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebx+110h]
		mov	esi, [edi]
		jmp	short loc_9FD948
; 

loc_9FD93E:				; CODE XREF: EtwpCovSampCaptureFreeLookasides(x,x)+21j
		lea	ecx, [esi-8]
		call	_EtwpCovSampLookasideFlushFreeListToCleanupList@4 ; EtwpCovSampLookasideFlushFreeListToCleanupList(x)
		mov	esi, [esi]

loc_9FD948:				; CODE XREF: EtwpCovSampCaptureFreeLookasides(x,x)+13j
		cmp	esi, edi
		jnz	short loc_9FD93E
		lea	edi, [ebx+118h]
		mov	esi, [edi]
		jmp	short loc_9FD995
; 

loc_9FD956:				; CODE XREF: EtwpCovSampCaptureFreeLookasides(x,x)+6Ej
		lea	ecx, [esi-8]
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	ebx, eax
		jmp	short loc_9FD98C
; 

loc_9FD962:				; CODE XREF: EtwpCovSampCaptureFreeLookasides(x,x)+65j
		mov	eax, ebx
		mov	ebx, [ebx]
		mov	[ebp+var_4], eax
		add	eax, 8
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_9FD99E
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_9FD99E
		push	56777445h
		push	[ebp+var_4]
		mov	[ecx], edx
		mov	[edx+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FD98C:				; CODE XREF: EtwpCovSampCaptureFreeLookasides(x,x)+37j
		test	ebx, ebx
		jnz	short loc_9FD962
		and	[esi+24h], ebx
		mov	esi, [esi]

loc_9FD995:				; CODE XREF: EtwpCovSampCaptureFreeLookasides(x,x)+2Bj
		cmp	esi, edi
		jnz	short loc_9FD956
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9FD99E:				; CODE XREF: EtwpCovSampCaptureFreeLookasides(x,x)+48j
					; EtwpCovSampCaptureFreeLookasides(x,x)+4Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_EtwpCovSampCaptureFreeLookasides@8 endp ; AL =	character to display


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampCaptureRebalance(x)
_EtwpCovSampCaptureRebalance@4 proc near ; CODE	XREF: EtwpCovSampCaptureWorkerThread(x)+CDp
		mov	edi, edi
		push	edi
		mov	edi, ecx
		mov	ecx, ds:_KeTickCount
		mov	eax, ecx
		sub	eax, [edi+150h]
		cmp	eax, 40h
		jb	short loc_9FD9EF
		push	ebx
		lea	ebx, [edi+110h]
		mov	[edi+150h], ecx
		push	esi
		mov	esi, [ebx]
		mov	[edi+154h], ecx
		jmp	short loc_9FD9E9
; 

loc_9FD9D3:				; CODE XREF: EtwpCovSampCaptureRebalance(x)+48j
		lea	edx, [esi-8]
		cmp	dword ptr [edx+1Ch], 0
		jz	short loc_9FD9E7
		and	dword ptr [edx+1Ch], 0
		mov	ecx, edi
		call	_EtwpCovSampLookasideGrow@8 ; EtwpCovSampLookasideGrow(x,x)

loc_9FD9E7:				; CODE XREF: EtwpCovSampCaptureRebalance(x)+37j
		mov	esi, [esi]

loc_9FD9E9:				; CODE XREF: EtwpCovSampCaptureRebalance(x)+2Ej
		cmp	esi, ebx
		jnz	short loc_9FD9D3
		pop	esi
		pop	ebx

loc_9FD9EF:				; CODE XREF: EtwpCovSampCaptureRebalance(x)+16j
		xor	eax, eax
		pop	edi
		retn
_EtwpCovSampCaptureRebalance@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampCaptureUserAddresses(x, x)
_EtwpCovSampCaptureUserAddresses@8 proc	near
					; CODE XREF: EtwpCovSampCaptureApc(x,x,x,x,x)+B3p
					; EtwpCovSampCaptureSample(x,x)+10Cp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	_EtwpCovSampCaptureBufferGet@4 ; EtwpCovSampCaptureBufferGet(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_9FDA0E
		mov	eax, 0C000009Ah
		jmp	short loc_9FDA27
; 

loc_9FDA0E:				; CODE XREF: EtwpCovSampCaptureUserAddresses(x,x)+12j
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpCovSampCaptureBufferAddIP@8 ; EtwpCovSampCaptureBufferAddIP(x,x)
		call	_EtwpCovSampCaptureUserStack@4 ; EtwpCovSampCaptureUserStack(x)
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpCovSampCaptureBufferMapAddressesAndQueue@8	; EtwpCovSampCaptureBufferMapAddressesAndQueue(x,x)
		xor	eax, eax

loc_9FDA27:				; CODE XREF: EtwpCovSampCaptureUserAddresses(x,x)+19j
		pop	edi
		pop	esi
		pop	ebx
		retn
_EtwpCovSampCaptureUserAddresses@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampCaptureUserStack(x)
_EtwpCovSampCaptureUserStack@4 proc near
					; CODE XREF: EtwpCovSampCaptureUserAddresses(x,x)+24p
		mov	eax, large fs:124h
		push	esi
		xor	esi, esi
		push	edi
		mov	eax, [eax+80h]
		mov	edi, ecx
		cmp	[eax+3D4h], esi
		jz	short loc_9FDA4C
		mov	esi, 0C00000BBh
		jmp	short loc_9FDA8D
; 

loc_9FDA4C:				; CODE XREF: EtwpCovSampCaptureUserStack(x)+18j
		movzx	eax, word ptr [edi+1Ah]
		movzx	edx, word ptr [edi+18h]
		cmp	dx, ax
		jb	short loc_9FDA88
		mov	ecx, eax
		sub	edx, ecx
		add	ecx, 8
		push	1
		push	edx
		lea	eax, [edi+ecx*4]
		push	eax
		call	RtlWalkFrameChain
		test	eax, eax
		jnz	short loc_9FDA77
		mov	esi, 0C0000225h
		jmp	short loc_9FDA8D
; 

loc_9FDA77:				; CODE XREF: EtwpCovSampCaptureUserStack(x)+43j
		add	[edi+1Ah], ax
		mov	ecx, edi
		or	dword ptr [edi+14h], 2
		call	_EtwpCovSampCaptureBufferOptimizeIP@4 ;	EtwpCovSampCaptureBufferOptimizeIP(x)
		jmp	short loc_9FDA8D
; 

loc_9FDA88:				; CODE XREF: EtwpCovSampCaptureUserStack(x)+2Cj
		mov	esi, 0C00000E5h

loc_9FDA8D:				; CODE XREF: EtwpCovSampCaptureUserStack(x)+1Fj
					; EtwpCovSampCaptureUserStack(x)+4Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_EtwpCovSampCaptureUserStack@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCaptureWorkerThread(x)
_EtwpCovSampCaptureWorkerThread@4 proc near
					; DATA XREF: EtwpCovSampCaptureContextStart(x)+1BAo

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		lea	eax, [esi+168h]
		mov	[esp+48h+var_38], eax
		lea	eax, [esi+140h]
		mov	[esp+48h+var_34], eax

loc_9FDAB7:				; CODE XREF: EtwpCovSampCaptureWorkerThread(x)+45j
					; EtwpCovSampCaptureWorkerThread(x)+BDj ...
		lea	eax, [esp+48h+var_30]
		push	eax
		push	0
		push	0
		push	0
		push	0
		push	1
		lea	eax, [esp+60h+var_38]
		push	eax
		push	2
		call	KeWaitForMultipleObjects
		mov	edi, eax
		cmp	edi, 2
		jnb	short loc_9FDAB7
		push	[esp+edi*4+48h+var_38]
		call	_KeResetEvent@4	; KeResetEvent(x)
		test	edi, edi
		jnz	short loc_9FDB54
		lea	ecx, [esi+160h]
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		mov	edi, eax
		jmp	short loc_9FDB4B
; 

loc_9FDAF5:				; CODE XREF: EtwpCovSampCaptureWorkerThread(x)+BBj
		mov	ebx, edi
		mov	edi, [edi]
		mov	eax, [ebx+4]
		cmp	eax, 5001B0FAh
		jnz	short loc_9FDB1C
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpCovSampSampleBufferProcess@8 ; EtwpCovSampSampleBufferProcess(x,x)
		push	ebx
		lea	edx, [esi+0E8h]
		mov	ecx, esi
		call	_EtwpCovSampCaptureReleaseToLookaside@12 ; EtwpCovSampCaptureReleaseToLookaside(x,x,x)
		jmp	short loc_9FDB4B
; 

loc_9FDB1C:				; CODE XREF: EtwpCovSampCaptureWorkerThread(x)+6Fj
		cmp	eax, 0CABBB0FFh
		jnz	short loc_9FDB37
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpCovSampCaptureBufferProcess@8 ; EtwpCovSampCaptureBufferProcess(x,x)
		mov	edx, ebx
		mov	ecx, esi
		call	_EtwpCovSampCaptureBufferRelease@8 ; EtwpCovSampCaptureBufferRelease(x,x)
		jmp	short loc_9FDB4B
; 

loc_9FDB37:				; CODE XREF: EtwpCovSampCaptureWorkerThread(x)+8Fj
		cmp	eax, 0F1A5BFFAh
		jnz	short loc_9FDB4B
		push	0
		push	0
		lea	eax, [ebx+10h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_9FDB4B:				; CODE XREF: EtwpCovSampCaptureWorkerThread(x)+61j
					; EtwpCovSampCaptureWorkerThread(x)+88j ...
		test	edi, edi
		jnz	short loc_9FDAF5
		jmp	loc_9FDAB7
; 

loc_9FDB54:				; CODE XREF: EtwpCovSampCaptureWorkerThread(x)+52j
		cmp	edi, 1
		jnz	loc_9FDAB7
		mov	ecx, esi
		call	_EtwpCovSampCaptureRebalance@4 ; EtwpCovSampCaptureRebalance(x)
		jmp	loc_9FDAB7
_EtwpCovSampCaptureWorkerThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampCheckForSegments(x, x, x)
_EtwpCovSampCheckForSegments@12	proc near
					; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+2C2p
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+2F2p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_18], edx
		mov	ebx, ecx
		mov	[ebp+var_10], esi
		push	edi
		mov	[ebp+var_C], ebx
		cmp	[ebp+arg_0], esi
		jbe	short loc_9FDBFF

loc_9FDB86:				; CODE XREF: EtwpCovSampCheckForSegments(x,x,x)+94j
		mov	eax, [ebx+4]
		mov	ecx, [edx+esi*8+4]
		cmp	eax, ecx
		jb	short loc_9FDBF6
		mov	ebx, [ebx]
		sub	eax, ecx
		lea	edi, [ebx+eax*2]
		mov	eax, [edx+esi*8]
		mov	[ebp+var_1C], edi
		lea	ecx, [eax+ecx*2]
		mov	[ebp+var_8], ecx
		cmp	ebx, edi
		ja	short loc_9FDBF3

loc_9FDBA8:				; CODE XREF: EtwpCovSampCheckForSegments(x,x,x)+88j
		mov	edi, [edx+esi*8]
		mov	eax, ebx
		mov	[ebp+var_4], eax
		cmp	edi, ecx
		jnb	short loc_9FDBE9

loc_9FDBB4:				; CODE XREF: EtwpCovSampCheckForSegments(x,x,x)+76j
		movzx	esi, word ptr [edi]
		movzx	edx, word ptr [eax]
		mov	[ebp+var_14], esi
		cmp	dx, si
		jz	short loc_9FDBD4
		push	edx		; wchar_t
		call	_towlower
		pop	ecx
		mov	ecx, [ebp+var_8]
		cmp	ax, si
		jnz	short loc_9FDBE1
		mov	eax, [ebp+var_4]

loc_9FDBD4:				; CODE XREF: EtwpCovSampCheckForSegments(x,x,x)+57j
		add	edi, 2
		add	eax, 2
		mov	[ebp+var_4], eax
		cmp	edi, ecx
		jb	short loc_9FDBB4

loc_9FDBE1:				; CODE XREF: EtwpCovSampCheckForSegments(x,x,x)+66j
		mov	esi, [ebp+var_10]
		cmp	edi, ecx
		mov	edx, [ebp+var_18]

loc_9FDBE9:				; CODE XREF: EtwpCovSampCheckForSegments(x,x,x)+49j
		jz	short loc_9FDC08
		add	ebx, 2
		cmp	ebx, [ebp+var_1C]
		jbe	short loc_9FDBA8

loc_9FDBF3:				; CODE XREF: EtwpCovSampCheckForSegments(x,x,x)+3Dj
		mov	ebx, [ebp+var_C]

loc_9FDBF6:				; CODE XREF: EtwpCovSampCheckForSegments(x,x,x)+26j
		inc	esi
		mov	[ebp+var_10], esi
		cmp	esi, [ebp+arg_0]
		jb	short loc_9FDB86

loc_9FDBFF:				; CODE XREF: EtwpCovSampCheckForSegments(x,x,x)+1Bj
		xor	eax, eax

loc_9FDC01:				; CODE XREF: EtwpCovSampCheckForSegments(x,x,x)+A2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_9FDC08:				; CODE XREF: EtwpCovSampCheckForSegments(x,x,x):loc_9FDBE9j
		xor	eax, eax
		inc	eax
		jmp	short loc_9FDC01
_EtwpCovSampCheckForSegments@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampContextAddAddresses(x, x, x, x)
_EtwpCovSampContextAddAddresses@16 proc	near
					; CODE XREF: EtwpCovSampCaptureBufferProcess(x,x)+5Dp
					; EtwpCovSampSampleBufferProcess(x,x)+DBp

var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 21Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	eax, ecx
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_210], eax
		lea	ecx, [eax+2C8h]
		mov	[ebp+var_218], esi
		push	edi
		mov	eax, [esi]
		mov	[ebp+var_20C], ebx
		cmp	eax, ds:_MmSystemRangeStart
		jb	short loc_9FDC56
		mov	[ebp+var_214], ecx
		jmp	short loc_9FDC66
; 

loc_9FDC56:				; CODE XREF: EtwpCovSampContextAddAddresses(x,x,x,x)+3Fj
		mov	ecx, [edx+4B0h]
		mov	[ebp+var_214], ecx
		test	ecx, ecx
		jz	short loc_9FDCDA

loc_9FDC66:				; CODE XREF: EtwpCovSampContextAddAddresses(x,x,x,x)+47j
		mov	edi, ebx
		cmp	[ebp+arg_4], ebx
		jbe	short loc_9FDCDA

loc_9FDC6D:				; CODE XREF: EtwpCovSampContextAddAddresses(x,x,x,x)+CBj
		mov	esi, [ebp+arg_4]
		sub	esi, edi
		cmp	esi, 40h
		jb	short loc_9FDC7A
		push	40h
		pop	esi

loc_9FDC7A:				; CODE XREF: EtwpCovSampContextAddAddresses(x,x,x,x)+68j
		mov	edx, [ebp+var_210]
		lea	eax, [ebp+var_20C]
		push	eax
		push	40h
		lea	eax, [ebp+var_208]
		push	eax
		mov	eax, [ebp+var_218]
		lea	edx, [edx+8]
		push	esi
		lea	eax, [eax+edi*4]
		push	eax
		call	_EtwpCovSampProcessMapAddresses@28 ; EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)
		cmp	[ebp+var_20C], 0
		jz	short loc_9FDCCD
		push	[ebp+var_20C]
		mov	ecx, [ebp+var_210]
		lea	edx, [ebp+var_208]
		call	_EtwpCovSampContextAddSamples@12 ; EtwpCovSampContextAddSamples(x,x,x)
		add	ebx, eax
		cmp	eax, [ebp+var_20C]
		jnz	short loc_9FDCDA

loc_9FDCCD:				; CODE XREF: EtwpCovSampContextAddAddresses(x,x,x,x)+9Dj
		mov	ecx, [ebp+var_214]
		add	edi, esi
		cmp	edi, [ebp+arg_4]
		jb	short loc_9FDC6D

loc_9FDCDA:				; CODE XREF: EtwpCovSampContextAddAddresses(x,x,x,x)+57j
					; EtwpCovSampContextAddAddresses(x,x,x,x)+5Ej ...
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpCovSampContextAddAddresses@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampContextAddSamples(x, x, x)
_EtwpCovSampContextAddSamples@12 proc near
					; CODE XREF: EtwpCovSampCaptureBufferProcess(x,x)+32p
					; EtwpCovSampContextAddAddresses(x,x,x,x)+B1p ...

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	4Ch
		push	offset dword_6AA008
		call	__SEH_prolog4
		mov	[ebp+var_40], edx
		mov	esi, ecx
		mov	[ebp+var_30], esi
		mov	[ebp+var_44], esi
		mov	[ebp+var_5C], esi
		and	[ebp+var_28], 0
		and	[ebp+var_34], 0
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		and	[ebp+var_3C], ebx
		mov	eax, dword_6BC094
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_3C]
		push	eax
		mov	edi, [ebp+arg_0]
		mov	edx, edi
		call	_EtwpCovSampHashMakeRoomAndAcquireLock@12 ; EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_1C], ecx
		cmp	ecx, edi
		jnb	short loc_9FDD45
		push	1
		mov	edx, [ebp+var_38]
		mov	ecx, esi
		call	_EtwpCovSampCaptureContextSetPaused@12 ; EtwpCovSampCaptureContextSetPaused(x,x,x)
		mov	ecx, [ebp+var_1C]

loc_9FDD45:				; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+47j
		xor	eax, eax

loc_9FDD47:				; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+180j
		mov	[ebp+var_38], eax
		test	ecx, ecx
		jz	loc_9FDE72
		cmp	eax, edi
		jnb	loc_9FDE72
		mov	ecx, [ebp+var_40]
		lea	ecx, [ecx+eax*8]
		mov	[ebp+var_20], ecx
		mov	eax, [esi+3B8h]
		mov	[ebp+var_50], eax
		test	eax, eax
		jz	loc_9FDE0F
		mov	edx, [ecx]
		mov	ecx, [ecx+4]
		mov	eax, [ebp+var_44]
		mov	eax, [eax+10h]
		push	eax
		push	eax
		push	edx
		push	ecx
		call	_EtwCovSampHash@16 ; EtwCovSampHash(x,x,x,x)
		mov	[ebp+var_48], eax
		mov	ecx, edx
		mov	[ebp+var_54], ecx
		xor	edx, edx
		inc	edx
		xor	eax, eax

loc_9FDD95:				; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+FDj
		mov	[ebp+var_2C], eax
		cmp	eax, [esi+3C4h]
		jnb	short loc_9FDE08
		imul	ecx, eax
		add	ecx, [ebp+var_48]
		and	ecx, [esi+3C0h]
		mov	eax, ecx
		shr	eax, 3
		mov	[ebp+var_4C], eax
		and	ecx, 7
		and	[ebp+ms_exc.disabled], 0
		xor	eax, eax
		inc	eax
		shl	eax, cl
		mov	ecx, [ebp+var_4C]
		mov	esi, [ebp+var_50]
		test	[esi+ecx], al
		mov	esi, [ebp+var_30]
		jnz	short loc_9FDDDC
		xor	edx, edx
		mov	[ebp+var_58], edx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_9FDE08
; 

loc_9FDDDC:				; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+DFj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_2C]
		inc	eax
		mov	ecx, [ebp+var_54]
		jmp	short loc_9FDD95
; 

loc_9FDDEC:				; DATA XREF: .text:006AA01Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_9FDDF0:				; DATA XREF: .text:006AA020o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	edx, edx
		mov	[ebp+var_58], edx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+arg_0]
		mov	esi, [ebp+var_30]
		mov	ebx, [ebp+var_24]

loc_9FDE08:				; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+B1j
					; EtwpCovSampContextAddSamples(x,x,x)+EDj
		test	edx, edx
		jnz	short loc_9FDE62
		mov	ecx, [ebp+var_20]

loc_9FDE0F:				; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+81j
		mov	eax, [esi+3ACh]
		mov	[ebp+var_2C], eax

loc_9FDE18:				; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+152j
		mov	[ebp+var_54], eax
		lea	edx, [ebp+var_34]
		push	edx
		mov	edx, ecx
		mov	ecx, eax
		call	_EtwpCovSampHashLookupInTable@12 ; EtwpCovSampHashLookupInTable(x,x,x)
		test	eax, eax
		jnz	short loc_9FDE62
		mov	eax, [ebp+var_2C]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		lea	ecx, [esi+3ACh]
		cmp	eax, ecx
		mov	ecx, [ebp+var_20]
		jnz	short loc_9FDE18
		mov	edx, ecx
		mov	eax, [edx]
		mov	ecx, [ebp+var_34]
		mov	[ecx], eax
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		mov	eax, [ebp+var_54]
		inc	dword ptr [eax+8]
		inc	[ebp+var_28]
		mov	ecx, [ebp+var_1C]
		dec	ecx
		mov	[ebp+var_1C], ecx
		jmp	short loc_9FDE69
; 

loc_9FDE62:				; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+11Dj
					; EtwpCovSampContextAddSamples(x,x,x)+13Dj
		inc	ebx
		mov	ecx, [ebp+var_1C]
		mov	[ebp+var_24], ebx

loc_9FDE69:				; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+173j
		mov	eax, [ebp+var_38]
		inc	eax
		jmp	loc_9FDD47
; 

loc_9FDE72:				; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+5Fj
					; EtwpCovSampContextAddSamples(x,x,x)+67j
		mov	eax, large fs:124h
		cmp	[esi+4], eax
		jnz	short loc_9FDEA8
		and	dword ptr [esi+4], 0
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9FDE95
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9FDE95:				; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+19Fj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9FDEA8:				; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+18Ej
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_9FDEB4
		call	_EtwpCoverageSamplerFreeTable@4	; EtwpCoverageSamplerFreeTable(x)

loc_9FDEB4:				; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+1C0j
		mov	edx, [ebp+var_28]
		mov	ecx, edx
		mov	esi, [ebp+var_5C]
		lea	eax, [esi+25Ch]
		lock xadd [eax], ecx
		mov	ecx, ebx
		lea	eax, [esi+260h]
		lock xadd [eax], ecx
		lea	eax, [ebx+edx]
		cmp	edi, eax
		jbe	short loc_9FDEE7
		sub	edi, ebx
		sub	edi, edx
		lea	ecx, [esi+264h]
		lock xadd [ecx], edi

loc_9FDEE7:				; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+1EAj
		mov	eax, edx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpCovSampContextAddSamples@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampContextCleanup(x)
_EtwpCovSampContextCleanup@4 proc near	; CODE XREF: EtwpCoverageSamplerCleanup(x)+Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	dl, dl
		push	edi
		lea	ecx, [esi+2C0h]
		call	_EtwpCovSampProcessCleanup@8 ; EtwpCovSampProcessCleanup(x,x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	eax, [esi+290h]
		xor	edx, edx
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+294h], eax
		mov	ebx, [esi+2A0h]
		mov	edx, ebx

loc_9FDF47:				; CODE XREF: EtwpCovSampContextCleanup(x)+E3j
		xor	edi, edi
		test	edx, edx
		jz	short loc_9FDF6D
		mov	ecx, [edx]
		mov	eax, ecx
		and	eax, 80000002h
		cmp	eax, 80000002h
		jnz	short loc_9FDF61
		mov	eax, [edi]
		mov	ecx, [edx]

loc_9FDF61:				; CODE XREF: EtwpCovSampContextCleanup(x)+60j
		test	ecx, 1
		jnz	short loc_9FDF6D
		mov	edx, ecx
		jmp	short loc_9FDF95
; 

loc_9FDF6D:				; CODE XREF: EtwpCovSampContextCleanup(x)+50j
					; EtwpCovSampContextCleanup(x)+6Cj
		mov	ecx, [esi+29Ch]
		lea	edi, [ebx+4]
		mov	eax, [esi+2A0h]
		shr	ecx, 5
		lea	ecx, [eax+ecx*4]
		jmp	short loc_9FDF8D
; 

loc_9FDF84:				; CODE XREF: EtwpCovSampContextCleanup(x)+94j
		mov	eax, [edi]
		test	al, 1
		jz	short loc_9FDFBC
		add	edi, 4

loc_9FDF8D:				; CODE XREF: EtwpCovSampContextCleanup(x)+87j
		cmp	edi, ecx
		jb	short loc_9FDF84
		xor	edi, edi
		mov	ecx, edi

loc_9FDF95:				; CODE XREF: EtwpCovSampContextCleanup(x)+70j
					; EtwpCovSampContextCleanup(x)+C9j
		test	ecx, ecx
		jz	short loc_9FDFE3
		mov	eax, [edx]
		mov	ecx, 80000002h
		and	eax, ecx
		mov	edi, edx
		cmp	eax, ecx
		jnz	short loc_9FDFAC
		xor	eax, eax
		mov	eax, [eax]

loc_9FDFAC:				; CODE XREF: EtwpCovSampContextCleanup(x)+ABj
		mov	ecx, ebx

loc_9FDFAE:				; CODE XREF: EtwpCovSampContextCleanup(x)+BFj
		mov	eax, [ecx]
		test	al, 1
		jnz	short loc_9FDFD6
		cmp	eax, edx
		jz	short loc_9FDFC6
		mov	ecx, eax
		jmp	short loc_9FDFAE
; 

loc_9FDFBC:				; CODE XREF: EtwpCovSampContextCleanup(x)+8Dj
		mov	edx, eax
		mov	ebx, edi
		mov	ecx, edx
		xor	edi, edi
		jmp	short loc_9FDF95
; 

loc_9FDFC6:				; CODE XREF: EtwpCovSampContextCleanup(x)+BBj
		mov	eax, [edx]
		mov	edx, ecx
		mov	[ecx], eax
		dec	dword ptr [esi+298h]
		xor	ecx, ecx
		jmp	short loc_9FDFDC
; 

loc_9FDFD6:				; CODE XREF: EtwpCovSampContextCleanup(x)+B7j
		xor	ecx, ecx
		mov	edi, ecx
		mov	eax, [ecx]

loc_9FDFDC:				; CODE XREF: EtwpCovSampContextCleanup(x)+D9j
		mov	[edi], ecx
		jmp	loc_9FDF47
; 

loc_9FDFE3:				; CODE XREF: EtwpCovSampContextCleanup(x)+9Cj
		mov	ebx, [esi+2ACh]
		mov	edx, ebx

loc_9FDFEB:				; CODE XREF: EtwpCovSampContextCleanup(x)+187j
		test	edx, edx
		jz	short loc_9FE011
		mov	ecx, [edx]
		mov	eax, ecx
		and	eax, 80000002h
		cmp	eax, 80000002h
		jnz	short loc_9FE003
		mov	eax, [edi]
		mov	ecx, [edx]

loc_9FE003:				; CODE XREF: EtwpCovSampContextCleanup(x)+102j
		test	ecx, 1
		jnz	short loc_9FE011
		mov	edx, ecx

loc_9FE00D:				; CODE XREF: EtwpCovSampContextCleanup(x)+16Bj
		xor	eax, eax
		jmp	short loc_9FE039
; 

loc_9FE011:				; CODE XREF: EtwpCovSampContextCleanup(x)+F2j
					; EtwpCovSampContextCleanup(x)+10Ej
		mov	ecx, [esi+2A8h]
		lea	edi, [ebx+4]
		mov	eax, [esi+2ACh]
		shr	ecx, 5
		lea	ecx, [eax+ecx*4]
		jmp	short loc_9FE031
; 

loc_9FE028:				; CODE XREF: EtwpCovSampContextCleanup(x)+138j
		mov	eax, [edi]
		test	al, 1
		jz	short loc_9FE060
		add	edi, 4

loc_9FE031:				; CODE XREF: EtwpCovSampContextCleanup(x)+12Bj
		cmp	edi, ecx
		jb	short loc_9FE028
		xor	eax, eax
		mov	ecx, eax

loc_9FE039:				; CODE XREF: EtwpCovSampContextCleanup(x)+114j
		test	ecx, ecx
		jz	short loc_9FE087
		mov	eax, [edx]
		mov	ecx, 80000002h
		and	eax, ecx
		mov	edi, edx
		cmp	eax, ecx
		jnz	short loc_9FE050
		xor	eax, eax
		mov	eax, [eax]

loc_9FE050:				; CODE XREF: EtwpCovSampContextCleanup(x)+14Fj
		mov	ecx, ebx

loc_9FE052:				; CODE XREF: EtwpCovSampContextCleanup(x)+163j
		mov	eax, [ecx]
		test	al, 1
		jnz	short loc_9FE078
		cmp	eax, edx
		jz	short loc_9FE068
		mov	ecx, eax
		jmp	short loc_9FE052
; 

loc_9FE060:				; CODE XREF: EtwpCovSampContextCleanup(x)+131j
		mov	edx, eax
		mov	ebx, edi
		mov	ecx, edx
		jmp	short loc_9FE00D
; 

loc_9FE068:				; CODE XREF: EtwpCovSampContextCleanup(x)+15Fj
		mov	eax, [edx]
		mov	edx, ecx
		mov	[ecx], eax
		dec	dword ptr [esi+2A4h]
		xor	ecx, ecx
		jmp	short loc_9FE07E
; 

loc_9FE078:				; CODE XREF: EtwpCovSampContextCleanup(x)+15Bj
		xor	ecx, ecx
		mov	edi, ecx
		mov	eax, [ecx]

loc_9FE07E:				; CODE XREF: EtwpCovSampContextCleanup(x)+17Bj
		mov	[edi], ecx
		xor	edi, edi
		jmp	loc_9FDFEB
; 

loc_9FE087:				; CODE XREF: EtwpCovSampContextCleanup(x)+140j
		lea	edi, [esi+2B0h]

loc_9FE08D:				; CODE XREF: EtwpCovSampContextCleanup(x)+1A7j
		mov	edx, [edi]
		cmp	edx, edi
		jz	short loc_9FE0A4
		add	edx, 0FFFFFFD8h
		mov	ecx, esi
		mov	[edx+4Ch], eax
		call	_EtwpCovSampContextRemoveAndFreeModule@8 ; EtwpCovSampContextRemoveAndFreeModule(x,x)
		xor	eax, eax
		jmp	short loc_9FE08D
; 

loc_9FE0A4:				; CODE XREF: EtwpCovSampContextCleanup(x)+196j
		mov	eax, [esi+2A0h]
		test	eax, eax
		jz	short loc_9FE0B9
		push	56777445h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FE0B9:				; CODE XREF: EtwpCovSampContextCleanup(x)+1B1j
		xor	eax, eax
		mov	[esi+294h], eax
		or	eax, 0FFFFFFFFh
		mov	esi, [ebp+var_4]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9FE0D8
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9FE0D8:				; CODE XREF: EtwpCovSampContextCleanup(x)+1D4j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCovSampContextCleanup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampContextFastFindModule(x,	x, x)
_EtwpCovSampContextFastFindModule@12 proc near
					; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+FCp
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+62Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+29Ch]
		mov	esi, edx
		mov	ecx, edi
		mov	[ebp+var_8], eax
		and	ecx, 1Fh
		shr	edi, 5
		or	eax, 0FFFFFFFFh
		mov	ebx, [esi]
		shl	eax, cl
		and	ebx, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], ebx
		test	edi, edi
		jz	loc_9FE1C0
		movzx	eax, bl
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		movzx	eax, bh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	edx, ecx, 25h
		lea	ecx, [edi-1]
		add	edx, eax
		mov	eax, [ebp+var_8]
		and	ecx, edx
		mov	eax, [eax+2A0h]
		lea	edx, [eax+ecx*4]
		mov	ecx, [ebp+var_C]

loc_9FE15D:				; CODE XREF: EtwpCovSampContextFastFindModule(x,x,x)+80j
		mov	edx, [edx]
		xor	edi, edi
		test	edx, 1
		jnz	short loc_9FE174
		mov	eax, [edx+4]
		and	eax, ecx
		cmp	ebx, eax
		jnz	short loc_9FE15D
		jmp	short loc_9FE176
; 

loc_9FE174:				; CODE XREF: EtwpCovSampContextFastFindModule(x,x,x)+77j
		mov	edx, edi

loc_9FE176:				; CODE XREF: EtwpCovSampContextFastFindModule(x,x,x)+82j
		test	edx, edx
		jz	short loc_9FE1C0
		mov	eax, [edx+10h]
		cmp	eax, [esi+8]
		jnz	short loc_9FE1B7
		mov	eax, [edx+14h]
		cmp	eax, [esi+0Ch]
		jnz	short loc_9FE1B7
		mov	eax, [edx+18h]
		cmp	eax, [esi+4]
		jnz	short loc_9FE1B7
		mov	eax, [edx+5Ch]
		cmp	eax, [esi+10h]
		jnz	short loc_9FE1B7
		mov	eax, ds:_KeTickCount
		mov	[edx+50h], eax
		xor	eax, eax
		inc	eax
		lock xadd [edx+24h], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_9FE1B5
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9FE1B5:				; CODE XREF: EtwpCovSampContextFastFindModule(x,x,x)+BEj
		mov	edi, edx

loc_9FE1B7:				; CODE XREF: EtwpCovSampContextFastFindModule(x,x,x)+90j
					; EtwpCovSampContextFastFindModule(x,x,x)+98j ...
		mov	ecx, [ebp+arg_0]
		mov	eax, edx
		mov	[ecx], edi
		jmp	short loc_9FE1C2
; 

loc_9FE1C0:				; CODE XREF: EtwpCovSampContextFastFindModule(x,x,x)+31j
					; EtwpCovSampContextFastFindModule(x,x,x)+88j
		xor	eax, eax

loc_9FE1C2:				; CODE XREF: EtwpCovSampContextFastFindModule(x,x,x)+CEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpCovSampContextFastFindModule@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampContextGetModule(x, x, x, x, x, x)
_EtwpCovSampContextGetModule@24	proc near ; CODE XREF: EtwpCovSampImageNotify(x,x,x)+85p

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	78h
		push	offset dword_6AA028
		call	__SEH_prolog4
		mov	[ebp+var_4C], edx
		mov	esi, ecx
		mov	[ebp+var_34], esi
		xor	eax, eax
		mov	[ebp+var_28], eax
		mov	ecx, eax
		mov	[ebp+var_2C], ecx
		mov	ebx, eax
		mov	[ebp+var_1C], eax
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		lea	edi, [ebp+var_84]
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	edx, [ebp+arg_8]
		mov	eax, [edx+10h]
		mov	[ebp+var_80], eax
		xor	edi, edi
		mov	[ebp+ms_exc.disabled], edi
		push	dword ptr [edx+8]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_9FE22B
		mov	[ebp+var_30], 0C00000BBh
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_9FEBF9
; 

loc_9FE22B:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+4Dj
		mov	eax, [ecx+58h]
		mov	[ebp+var_7C], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_78], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+arg_8]
		test	dword ptr [eax+4], 100h
		jz	short loc_9FE24F
		mov	ecx, [eax+8]
		jmp	short loc_9FE265
; 

loc_9FE24F:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+7Fj
		mov	ecx, [eax+18h]
		test	ecx, ecx
		jnz	short loc_9FE262
		mov	[ebp+var_30], 0C00000BBh
		jmp	loc_9FEBF9
; 

loc_9FE262:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+8Bj
		mov	ecx, [ecx+0Ch]

loc_9FE265:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+84j
		mov	[ebp+var_84], ecx
		test	dword ptr [esi+4], 400h
		jz	short loc_9FE29F
		mov	eax, [eax+8]
		mov	edx, [ebp+var_4C]
		cmp	eax, [edx+160h]
		jnz	short loc_9FE28B
		mov	[ebp+var_1C], 1
		jmp	short loc_9FE29F
; 

loc_9FE28B:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+B7j
		mov	[ebp+var_1C], edi
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+18h]
		xor	ecx, eax
		mov	[ebp+var_84], ecx
		mov	[ebp+var_74], eax

loc_9FE29F:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+A9j
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+C0j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+290h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		push	[ebp+arg_C]
		lea	edx, [ebp+var_84]
		mov	ecx, esi
		call	_EtwpCovSampContextFastFindModule@12 ; EtwpCovSampContextFastFindModule(x,x,x)
		test	eax, eax
		jz	short loc_9FE321
		mov	ecx, [ebp+arg_C]
		mov	ecx, [ecx]
		cmp	eax, ecx
		jnz	short loc_9FE321
		push	[ebp+var_1C]
		push	ecx
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_ProcessForExeModule@16	; ProcessForExeModule(x,x,x,x)
		xor	ecx, ecx
		push	11h
		pop	eax
		lea	edx, [esi+290h]
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jz	short loc_9FE306
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	edx, [esi+290h]

loc_9FE306:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+12Ej
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9FE319:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+656j
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+A01j
		mov	[ebp+var_30], edi
		jmp	loc_9FEBF9
; 

loc_9FE321:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+103j
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+10Cj
		mov	eax, [esi+29Ch]
		shr	eax, 5
		mov	[ebp+var_50], eax
		lea	ecx, [esi+2A4h]
		mov	[ebp+var_24], ecx
		lea	eax, [esi+298h]
		mov	[ebp+var_20], eax
		mov	edx, [eax]
		mov	[ebp+var_44], edx
		mov	eax, [ecx]
		cmp	edx, eax
		ja	short loc_9FE34D
		mov	[ebp+var_44], eax

loc_9FE34D:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+17Fj
		xor	ecx, ecx
		push	11h
		pop	eax
		lea	ebx, [esi+290h]
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jz	short loc_9FE368
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9FE368:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+196j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	56777445h
		push	68h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_48], ebx
		test	ebx, ebx
		jnz	short loc_9FE39E
		mov	[ebp+var_30], 0C000009Ah
		jmp	loc_9FEBF9
; 

loc_9FE39E:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+1C7j
		push	68h		; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebx+28h]
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [ebx+30h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[ebx], edi
		mov	[ebx+8], edi
		mov	dword ptr [ebx+24h], 1
		mov	eax, [ebp+var_84]
		mov	[ebx+4], eax
		mov	edx, [ebp+var_80]
		mov	[ebx+18h], edx
		mov	eax, [ebp+var_7C]
		mov	[ebx+10h], eax
		mov	eax, [ebp+var_78]
		mov	[ebx+14h], eax
		mov	ecx, [ebp+arg_8]
		mov	eax, [ecx+4]
		shl	eax, 9
		xor	eax, [ebx+40h]
		and	eax, 20000h
		xor	[ebx+40h], eax
		mov	[ebp+var_70], edi
		mov	[ebp+var_6C], edi
		mov	[ebp+var_68], edi
		mov	[ebp+var_64], edi
		mov	[ebp+var_40], edi
		lea	eax, [ebp+var_70]
		mov	[ebp+var_3C], eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_38], eax
		lea	esi, [ebx+20h]
		mov	[ebp+var_4C], esi
		lea	esi, [ebx+1Ch]
		push	[ebp+var_4C]
		push	esi
		push	eax
		mov	ecx, [ecx+8]
		call	_EtwpFindDebugId@20 ; EtwpFindDebugId(x,x,x,x,x)
		test	eax, eax
		mov	esi, [ebp+var_34]
		js	short loc_9FE446
		mov	eax, [ebx+1Ch]
		cmp	dword ptr [ebx+20h], 400h
		jbe	short loc_9FE492
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebx+1Ch], edi
		mov	[ebx+20h], edi

loc_9FE446:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+262j
		mov	eax, edi
		mov	[ebp+var_38], eax
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jz	short loc_9FE4CC

loc_9FE452:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+2D5j
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_8]
		mov	ecx, ebx
		call	_EtwpCovSampModuleGetName@12 ; EtwpCovSampModuleGetName(x,x,x)
		mov	[ebp+var_30], eax
		test	eax, eax
		js	loc_9FEBF9
		mov	eax, [ebx+3Ch]
		mov	[ebp+var_60], eax
		movzx	eax, word ptr [ebx+40h]
		mov	[ebp+var_5C], eax
		mov	eax, [esi+384h]
		test	eax, eax
		jz	short loc_9FE4A0
		push	eax
		lea	edx, [esi+2E4h]
		lea	ecx, [ebp+var_60]
		call	_EtwpCovSampCheckForSegments@12	; EtwpCovSampCheckForSegments(x,x,x)
		jmp	short loc_9FE4A3
; 

loc_9FE492:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+26Ej
		mov	ecx, [eax+14h]
		mov	[ebp+var_40], ecx
		add	eax, 4
		mov	[ebp+var_3C], eax
		jmp	short loc_9FE452
; 

loc_9FE4A0:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+2B6j
		mov	eax, [ebp+var_38]

loc_9FE4A3:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+2C7j
		test	eax, eax
		jz	short loc_9FE4C9
		mov	ecx, [esi+388h]
		test	ecx, ecx
		jz	short loc_9FE4C9
		push	ecx
		lea	edx, [esi+334h]
		lea	ecx, [ebp+var_60]
		call	_EtwpCovSampCheckForSegments@12	; EtwpCovSampCheckForSegments(x,x,x)
		test	eax, eax
		jnz	short loc_9FE4C7
		inc	eax
		jmp	short loc_9FE4D4
; 

loc_9FE4C7:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+2F9j
		mov	eax, edi

loc_9FE4C9:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+2DCj
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+2E6j
		mov	ecx, [ebp+var_1C]

loc_9FE4CC:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+287j
		test	eax, eax
		jnz	short loc_9FE4D4
		test	ecx, ecx
		jz	short loc_9FE508

loc_9FE4D4:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+2FCj
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+305j
		shl	eax, 10h
		xor	eax, [ebx+40h]
		and	eax, 10000h
		xor	[ebx+40h], eax
		push	[ebp+var_3C]
		push	[ebp+var_40]
		push	dword ptr [ebx+18h]
		push	dword ptr [ebx+10h]
		mov	edx, [ebx+14h]
		mov	ecx, [esi+8]
		call	_EtwpCovSampCalculateModuleId@24 ; EtwpCovSampCalculateModuleId(x,x,x,x,x,x)
		cmp	[ebp+var_1C], 0
		jnz	short loc_9FE505
		mov	ecx, [ebp+arg_0]
		xor	eax, [ecx+18h]

loc_9FE505:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+334j
		mov	[ebx+44h], eax

loc_9FE508:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+309j
		mov	ecx, [ebp+var_50]
		add	ecx, ecx
		mov	eax, [ebp+var_44]
		inc	eax
		cmp	eax, ecx
		jbe	short loc_9FE539
		mov	eax, ecx
		mov	[ebp+var_28], ecx
		test	eax, eax
		jnz	short loc_9FE526
		mov	eax, 80h
		mov	[ebp+var_28], eax

loc_9FE526:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+353j
		push	56777445h
		shl	eax, 3
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_2C], eax

loc_9FE539:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+34Aj
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		xor	edx, edx
		lea	ecx, [esi+290h]
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+294h], eax
		mov	edx, [ebp+var_2C]
		test	edx, edx
		jz	loc_9FE7D5
		mov	eax, [esi+29Ch]
		shr	eax, 5
		mov	ecx, [ebp+var_28]
		cmp	ecx, eax
		jbe	loc_9FE7D5
		lea	edx, [edx+ecx*4]
		mov	[ebp+arg_8], edx
		mov	esi, ecx
		mov	[ebp+arg_4], esi
		lea	eax, [ecx-1]
		and	eax, ecx
		mov	[ebp+var_54], eax
		jz	short loc_9FE5B8
		mov	edx, ecx
		or	eax, 0FFFFFFFFh
		mov	esi, eax
		test	ecx, ecx
		jmp	short loc_9FE5A3
; 

loc_9FE5A0:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+3DDj
		inc	esi
		shr	edx, 1

loc_9FE5A3:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+3D5j
		mov	[ebp+arg_4], esi
		jnz	short loc_9FE5A0
		xor	esi, esi
		inc	esi
		mov	ecx, [ebp+arg_4]
		shl	esi, cl
		mov	[ebp+arg_4], esi
		mov	edx, [ebp+arg_8]
		jmp	short loc_9FE5BB
; 

loc_9FE5B8:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+3CAj
		or	eax, 0FFFFFFFFh

loc_9FE5BB:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+3EDj
		mov	ecx, 4000000h
		cmp	esi, ecx
		jbe	short loc_9FE5C9
		mov	esi, ecx
		mov	[ebp+arg_4], esi

loc_9FE5C9:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+3F9j
		mov	ecx, [ebp+var_24]
		or	ecx, 1
		mov	[ebp+var_50], edx
		lea	edx, [edx+esi*4]
		mov	[ebp+var_38], edi
		lea	esi, ds:3[esi*4]
		shr	esi, 2
		cmp	edx, [ebp+arg_8]
		sbb	edx, edx
		not	edx
		and	edx, esi
		jbe	short loc_9FE5FD
		mov	esi, [ebp+var_50]

loc_9FE5F0:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+432j
		mov	[esi], ecx
		lea	esi, [esi+4]
		inc	[ebp+var_38]
		cmp	[ebp+var_38], edx
		jb	short loc_9FE5F0

loc_9FE5FD:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+422j
		mov	ecx, [ebp+var_24]
		mov	edx, [ecx+4]
		mov	ecx, edx
		and	ecx, 1Fh
		mov	esi, eax
		shl	esi, cl
		mov	[ebp+var_50], esi
		mov	esi, edi
		mov	[ebp+var_44], esi
		test	edx, 0FFFFFFE0h
		jbe	short loc_9FE694

loc_9FE61C:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+4C6j
		mov	ecx, [ebp+var_24]
		mov	ebx, [ecx+8]
		mov	[ebp+var_3C], ebx

loc_9FE625:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+4B5j
		mov	edx, [ebx+esi*4]
		mov	[ebp+var_4C], edx
		test	edx, 1
		jnz	short loc_9FE680
		mov	ecx, [edx]
		mov	[ebx+esi*4], ecx
		mov	ebx, [edx+4]
		and	ebx, [ebp+var_50]
		mov	[ebp+var_40], ebx
		movzx	ecx, bl
		add	ecx, offset unk_B15DCB
		imul	edx, ecx, 25h
		movzx	ecx, bh
		add	edx, ecx
		imul	edx, 25h
		movzx	ecx, byte ptr [ebp+var_40+2]
		add	edx, ecx
		imul	edx, 25h
		movzx	ecx, byte ptr [ebp+var_40+3]
		add	edx, ecx
		mov	esi, [ebp+arg_4]
		dec	esi
		and	esi, edx
		mov	ebx, [ebp+arg_8]
		mov	ecx, [ebx+esi*4]
		mov	edx, [ebp+var_4C]
		mov	[edx], ecx
		mov	[ebx+esi*4], edx
		mov	esi, [ebp+var_44]
		mov	ebx, [ebp+var_3C]
		jmp	short loc_9FE625
; 

loc_9FE680:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+468j
		inc	esi
		mov	[ebp+var_44], esi
		mov	ecx, [ebp+var_24]
		mov	ecx, [ecx+4]
		shr	ecx, 5
		cmp	esi, ecx
		jb	short loc_9FE61C
		mov	ebx, [ebp+var_48]

loc_9FE694:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+451j
		mov	ecx, [ebp+arg_8]
		mov	esi, [ebp+var_24]
		mov	[esi+8], ecx
		mov	ecx, [esi+4]
		and	ecx, 1Fh
		mov	edx, [ebp+arg_4]
		shl	edx, 5
		or	ecx, edx
		mov	[esi+4], ecx
		cmp	[ebp+var_54], 0
		jz	short loc_9FE6CE
		mov	edx, eax
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_9FE6C2

loc_9FE6BD:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+4F7j
		inc	edx
		shr	ecx, 1
		jnz	short loc_9FE6BD

loc_9FE6C2:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+4F2j
		xor	esi, esi
		inc	esi
		mov	ecx, edx
		shl	esi, cl
		mov	[ebp+var_28], esi
		jmp	short loc_9FE6D1
; 

loc_9FE6CE:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+4E9j
		mov	esi, [ebp+var_28]

loc_9FE6D1:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+503j
		mov	ecx, 4000000h
		cmp	esi, ecx
		jbe	short loc_9FE6DF
		mov	esi, ecx
		mov	[ebp+var_28], esi

loc_9FE6DF:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+50Fj
		mov	ecx, [ebp+var_20]
		or	ecx, 1
		mov	edx, [ebp+var_2C]
		mov	[ebp+arg_4], edx
		lea	edx, [edx+esi*4]
		mov	[ebp+arg_8], edi
		lea	esi, ds:3[esi*4]
		shr	esi, 2
		cmp	edx, [ebp+var_2C]
		sbb	edx, edx
		not	edx
		and	edx, esi
		jbe	short loc_9FE716
		mov	esi, [ebp+arg_4]

loc_9FE709:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+54Bj
		mov	[esi], ecx
		lea	esi, [esi+4]
		inc	[ebp+arg_8]
		cmp	[ebp+arg_8], edx
		jb	short loc_9FE709

loc_9FE716:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+53Bj
		mov	ecx, [ebp+var_20]
		mov	edx, [ecx+4]
		mov	ecx, edx
		and	ecx, 1Fh
		mov	esi, eax
		shl	esi, cl
		mov	[ebp+arg_4], esi
		mov	esi, edi
		mov	[ebp+arg_8], esi
		test	edx, 0FFFFFFE0h
		jbe	short loc_9FE7AD

loc_9FE735:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+5DFj
		mov	ecx, [ebp+var_20]
		mov	ebx, [ecx+8]
		mov	[ebp+var_50], ebx

loc_9FE73E:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+5CEj
		mov	edx, [ebx+esi*4]
		mov	[ebp+var_54], edx
		test	edx, 1
		jnz	short loc_9FE799
		mov	ecx, [edx]
		mov	[ebx+esi*4], ecx
		mov	ebx, [edx+4]
		and	ebx, [ebp+arg_4]
		mov	[ebp+var_3C], ebx
		movzx	ecx, bl
		add	ecx, offset unk_B15DCB
		imul	edx, ecx, 25h
		movzx	ecx, bh
		add	edx, ecx
		imul	edx, 25h
		movzx	ecx, byte ptr [ebp+var_3C+2]
		add	edx, ecx
		imul	edx, 25h
		movzx	ecx, byte ptr [ebp+var_3C+3]
		add	edx, ecx
		mov	esi, [ebp+var_28]
		dec	esi
		and	esi, edx
		mov	ebx, [ebp+var_2C]
		mov	ecx, [ebx+esi*4]
		mov	edx, [ebp+var_54]
		mov	[edx], ecx
		mov	[ebx+esi*4], edx
		mov	esi, [ebp+arg_8]
		mov	ebx, [ebp+var_50]
		jmp	short loc_9FE73E
; 

loc_9FE799:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+581j
		inc	esi
		mov	[ebp+arg_8], esi
		mov	ecx, [ebp+var_20]
		mov	ecx, [ecx+4]
		shr	ecx, 5
		cmp	esi, ecx
		jb	short loc_9FE735
		mov	ebx, [ebp+var_48]

loc_9FE7AD:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+56Aj
		mov	ecx, [ebp+var_20]
		mov	edx, [ecx+8]
		mov	esi, [ebp+var_2C]
		mov	[ecx+8], esi
		mov	ecx, [ecx+4]
		and	ecx, 1Fh
		mov	esi, [ebp+var_28]
		shl	esi, 5
		or	ecx, esi
		mov	esi, [ebp+var_20]
		mov	[esi+4], ecx
		mov	[ebp+var_2C], edx
		mov	esi, [ebp+var_34]
		jmp	short loc_9FE7D8
; 

loc_9FE7D5:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+39Dj
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+3B1j
		or	eax, 0FFFFFFFFh

loc_9FE7D8:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+60Aj
		cmp	dword ptr [esi+29Ch], 20h
		jnb	short loc_9FE7ED
		mov	[ebp+var_30], 0C000009Ah
		jmp	loc_9FEBFC
; 

loc_9FE7ED:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+616j
		push	[ebp+arg_C]
		lea	edx, [ebp+var_84]
		mov	ecx, esi
		call	_EtwpCovSampContextFastFindModule@12 ; EtwpCovSampContextFastFindModule(x,x,x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	loc_9FE93E
		mov	ecx, [ebp+arg_C]
		mov	ecx, [ecx]
		cmp	eax, ecx
		jnz	short loc_9FE824
		push	[ebp+var_1C]
		push	ecx
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_ProcessForExeModule@16	; ProcessForExeModule(x,x,x,x)
		jmp	loc_9FE319
; 

loc_9FE824:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+646j
		or	dword ptr [eax+40h], 40000h
		mov	ecx, [ebp+var_20]
		mov	edi, [ecx+4]
		mov	ecx, edi
		and	ecx, 1Fh
		or	esi, 0FFFFFFFFh
		mov	edx, esi
		shl	edx, cl
		and	edx, [eax+4]
		mov	[ebp+arg_8], edx
		shr	edi, 5
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [ebp+arg_8+2]
		add	ecx, eax
		imul	edx, ecx, 25h
		movzx	eax, byte ptr [ebp+arg_8+3]
		add	edx, eax
		lea	ecx, [edi-1]
		and	ecx, edx
		mov	eax, [ebp+var_20]
		mov	eax, [eax+8]
		lea	edi, [eax+ecx*4]
		mov	edx, [ebp+arg_4]
		mov	eax, [edx]
		mov	ecx, 80000002h
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_9FE88C
		xor	ecx, ecx
		mov	eax, [ecx]
		jmp	short loc_9FE88E
; 

loc_9FE88C:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+6BBj
		xor	ecx, ecx

loc_9FE88E:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+6C1j
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+6D1j
		mov	eax, [edi]
		test	al, 1
		jnz	short loc_9FE8A7
		cmp	eax, edx
		jz	short loc_9FE89C
		mov	edi, eax
		jmp	short loc_9FE88E
; 

loc_9FE89C:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+6CDj
		mov	eax, [edx]
		mov	[edi], eax
		mov	eax, [ebp+var_20]
		dec	dword ptr [eax]
		jmp	short loc_9FE8A9
; 

loc_9FE8A7:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+6C9j
		mov	eax, [ecx]

loc_9FE8A9:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+6DCj
		mov	[edx], ecx
		lea	eax, [edx+8]
		mov	[ebp+var_54], eax
		mov	ecx, [eax]
		mov	[ebp+arg_4], ecx
		test	ecx, ecx
		jz	loc_9FE941
		mov	ecx, [ebp+var_24]
		mov	edi, [ecx+4]
		mov	ecx, edi
		and	ecx, 1Fh
		mov	edx, esi
		shl	edx, cl
		and	edx, [eax+4]
		mov	[ebp+arg_8], edx
		shr	edi, 5
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [ebp+arg_8+2]
		add	ecx, eax
		imul	edx, ecx, 25h
		movzx	eax, byte ptr [ebp+arg_8+3]
		add	edx, eax
		lea	ecx, [edi-1]
		and	ecx, edx
		mov	eax, [ebp+var_24]
		mov	eax, [eax+8]
		lea	edi, [eax+ecx*4]
		mov	eax, [ebp+arg_4]
		mov	ecx, 80000002h
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_9FE91A
		xor	ecx, ecx
		mov	eax, [ecx]
		jmp	short loc_9FE91C
; 

loc_9FE91A:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+749j
		xor	ecx, ecx

loc_9FE91C:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+74Fj
		mov	edx, [ebp+var_54]

loc_9FE91F:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+762j
		mov	eax, [edi]
		test	al, 1
		jnz	short loc_9FE938
		cmp	eax, edx
		jz	short loc_9FE92D
		mov	edi, eax
		jmp	short loc_9FE91F
; 

loc_9FE92D:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+75Ej
		mov	eax, [edx]
		mov	[edi], eax
		mov	eax, [ebp+var_24]
		dec	dword ptr [eax]
		jmp	short loc_9FE93A
; 

loc_9FE938:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+75Aj
		mov	eax, [ecx]

loc_9FE93A:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+76Dj
		mov	[edx], ecx
		jmp	short loc_9FE941
; 

loc_9FE93E:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+639j
		or	esi, 0FFFFFFFFh

loc_9FE941:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+6EFj
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+773j
		mov	ecx, [ebx+40h]
		and	ecx, 0FFEFFFFFh
		mov	eax, [ebp+var_1C]
		shl	eax, 14h
		or	ecx, eax
		mov	[ebx+40h], ecx
		mov	ecx, [ebp+var_34]
		mov	eax, [ecx+38Ch]
		mov	[ebx+48h], eax
		inc	dword ptr [ecx+38Ch]
		mov	ecx, [ecx+29Ch]
		mov	edi, ecx
		shr	edi, 5
		and	ecx, 1Fh
		mov	edx, esi
		shl	edx, cl
		and	edx, [ebx+4]
		mov	[ebp+var_38], edx
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [ebp+var_38+2]
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [ebp+var_38+3]
		add	ecx, eax
		lea	edx, [edi-1]
		and	edx, ecx
		mov	edi, [ebp+var_20]
		mov	ecx, [edi+8]
		mov	eax, [ecx+edx*4]
		mov	[ebx], eax
		mov	[ecx+edx*4], ebx
		inc	dword ptr [edi]
		mov	edi, [ebp+var_34]
		lea	eax, [edi+2B0h]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jz	short loc_9FE9CB
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9FE9CB:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+7FBj
		lea	edx, [ebx+28h]
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	[ecx+4], edx
		mov	[eax], edx
		mov	eax, ds:_KeTickCount
		mov	[ebx+50h], eax
		inc	dword ptr [edi+2B8h]
		inc	dword ptr [edi+2BCh]
		mov	eax, [ebx+40h]
		mov	[ebp+var_4C], eax
		test	eax, 10000h
		jnz	short loc_9FEA03
		cmp	[ebp+var_1C], 0
		jz	loc_9FEB6D

loc_9FEA03:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+82Ej
		mov	eax, [ebx+44h]
		mov	[ebx+0Ch], eax
		mov	ecx, [edi+2A8h]
		mov	[ebp+arg_8], ecx
		and	ecx, 1Fh
		mov	edx, esi
		shl	edx, cl
		mov	[ebp+var_50], edx
		and	edx, eax
		mov	[ebp+var_54], edx
		mov	[ebp+arg_4], edx
		mov	eax, [ebp+arg_8]
		shr	eax, 5
		mov	[ebp+arg_8], eax
		test	eax, eax
		jz	loc_9FEAF1
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [ebp+arg_4+2]
		add	ecx, eax
		imul	edx, ecx, 25h
		movzx	eax, byte ptr [ebp+arg_4+3]
		add	edx, eax
		mov	ecx, [ebp+arg_8]
		dec	ecx
		and	ecx, edx
		mov	eax, [edi+2ACh]
		lea	ecx, [eax+ecx*4]
		mov	edx, [ebp+var_54]
		mov	edi, [ebp+var_50]

loc_9FEA6C:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+8B4j
		mov	ecx, [ecx]
		test	ecx, 1
		jnz	short loc_9FEA83
		mov	eax, [ecx+4]
		and	eax, edi
		cmp	edx, eax
		jnz	short loc_9FEA6C
		xor	edi, edi
		jmp	short loc_9FEA87
; 

loc_9FEA83:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+8ABj
		xor	edi, edi
		mov	ecx, edi

loc_9FEA87:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+8B8j
		test	ecx, ecx
		jz	short loc_9FEAF1
		mov	eax, [ecx+8]
		cmp	eax, [ebx+10h]
		jnz	short loc_9FEAB7
		mov	eax, [ecx+0Ch]
		cmp	eax, [ebx+14h]
		jnz	short loc_9FEAB7
		mov	eax, [ecx+10h]
		cmp	eax, [ebx+18h]
		jnz	short loc_9FEAB7
		mov	edx, [ebx+1Ch]
		mov	ecx, [ecx+14h]
		call	_EtwpCheckDebugInfoEqual@8 ; EtwpCheckDebugInfoEqual(x,x)
		test	eax, eax
		jz	short loc_9FEAB7
		mov	eax, [ebx+40h]
		jmp	short loc_9FEAC2
; 

loc_9FEAB7:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+8C8j
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+8D0j ...
		mov	[ebx+44h], edi
		mov	eax, [ebp+var_4C]
		and	eax, 0FFFEFFFFh

loc_9FEAC2:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+8ECj
		or	eax, 80000h
		mov	[ebx+40h], eax
		lea	ecx, [ebx+38h]
		call	_EtwpCovSampModuleNameInfoCleanup@4 ; EtwpCovSampModuleNameInfoCleanup(x)
		mov	[ebx+3Ch], edi
		xor	eax, eax
		mov	[ebx+40h], ax
		mov	eax, [ebx+1Ch]
		test	eax, eax
		jz	short loc_9FEAE9
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FEAE9:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+917j
		mov	[ebx+1Ch], edi
		mov	[ebx+20h], edi
		jmp	short loc_9FEB44
; 

loc_9FEAF1:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+866j
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+8C0j
		mov	eax, [ebp+var_24]
		mov	ecx, [eax+4]
		mov	edi, ecx
		shr	edi, 5
		and	ecx, 1Fh
		mov	edx, esi
		shl	edx, cl
		and	edx, [ebx+0Ch]
		mov	[ebp+var_4C], edx
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [ebp+var_4C+2]
		add	ecx, eax
		imul	ecx, 25h
		movzx	eax, byte ptr [ebp+var_4C+3]
		add	ecx, eax
		lea	edx, [edi-1]
		and	edx, ecx
		mov	edi, [ebp+var_24]
		mov	ecx, [edi+8]
		mov	eax, [ecx+edx*4]
		mov	[ebx+8], eax
		lea	eax, [ebx+8]
		mov	[ecx+edx*4], eax
		inc	dword ptr [edi]

loc_9FEB44:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+926j
		mov	edi, [ebp+var_34]
		test	dword ptr [edi+4], 400h
		jz	short loc_9FEB6D
		push	[ebp+var_1C]
		push	ebx
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_ProcessForExeModule@16	; ProcessForExeModule(x,x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx+18h]
		mov	[ebx+5Ch], eax
		mov	eax, [ecx+1Ch]
		mov	[ebx+60h], eax

loc_9FEB6D:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+834j
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+985j
		xor	eax, eax
		inc	eax
		lea	ecx, [ebx+24h]
		lock xadd [ecx], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_9FEB82
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9FEB82:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+9B2j
		mov	eax, [ebp+arg_C]
		mov	[eax], ebx
		xor	edi, edi
		mov	ebx, edi
		mov	ecx, [ebp+var_34]
		mov	[ecx+294h], edi
		mov	eax, esi
		lea	esi, [ecx+290h]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9FEBAD
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9FEBAD:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+9DBj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	esi, [ebp+var_34]
		mov	ecx, esi
		call	_EtwpCovSampContextPruneModules@4 ; EtwpCovSampContextPruneModules(x)
		jmp	loc_9FE319
; 

loc_9FEBCF:				; DATA XREF: .text:006AA03Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_58], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_9FEBDD:				; DATA XREF: .text:006AA040o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_58]
		mov	[ebp+var_30], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	edi, edi
		mov	ecx, edi
		mov	[ebp+var_2C], ecx
		mov	ebx, ecx
		mov	esi, [ebp+var_34]

loc_9FEBF9:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+5Dj
					; EtwpCovSampContextGetModule(x,x,x,x,x,x)+94j	...
		or	eax, 0FFFFFFFFh

loc_9FEBFC:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+61Fj
		mov	ecx, large fs:124h
		cmp	[esi+294h], ecx
		jnz	short loc_9FEC3B
		mov	[esi+294h], edi
		add	esi, 290h
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9FEC28
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9FEC28:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+A56j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9FEC3B:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+A40j
		test	ebx, ebx
		jz	short loc_9FEC54
		mov	[ebx+24h], edi
		mov	ecx, ebx
		call	_EtwpCovSampModuleCleanup@4 ; EtwpCovSampModuleCleanup(x)
		push	56777445h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FEC54:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+A74j
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jz	short loc_9FEC66
		push	56777445h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FEC66:				; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+A90j
		mov	eax, [ebp+var_30]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_EtwpCovSampContextGetModule@24	endp


;  S U B	R O U T	I N E 


; int __fastcall EtwpCovSampContextInitialize(void *)
_EtwpCovSampContextInitialize@4	proc near ; CODE XREF: EtwpCoverageSamplerInitialize(x)+1Fp
		mov	edi, edi
		push	esi
		push	edi
		push	39Ch		; size_t
		xor	edi, edi
		mov	esi, ecx
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	dword ptr [esi+38Ch], 1
		lea	eax, [esi+2B0h]
		mov	[eax+4], eax
		add	esp, 0Ch
		mov	[eax], eax
		mov	[esi+298h], edi
		mov	[esi+2A0h], edi
		mov	[esi+29Ch], edi
		mov	[esi+2A4h], edi
		mov	[esi+2ACh], edi
		mov	[esi+2A8h], edi
		mov	[esi+2C8h], edi
		mov	[esi+2CCh], edi
		mov	[esi+2D0h], edi
		mov	[esi+2D4h], edi
		mov	[esi+2D8h], edi
		mov	[esi+2DCh], edi
		mov	[esi+2E0h], edi
		mov	[esi+2C4h], edi
		pop	edi
		mov	[esi+2C0h], esi
		pop	esi
		retn
_EtwpCovSampContextInitialize@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampContextPruneModules(x)
_EtwpCovSampContextPruneModules@4 proc near
					; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+9FCp
					; EtwpCoverageSamplerQuery(x,x,x,x)+78Fp

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+80h+var_5C], ebx
		mov	eax, [ebx+0Ch]
		shr	eax, 1
		mov	[esp+80h+var_6C], edi
		mov	[esp+80h+var_68], edi
		mov	[esp+80h+var_74], edi
		mov	[esp+80h+var_70], edi
		cmp	[ebx+2BCh], eax
		ja	short loc_9FED4E
		cmp	[ebx+390h], eax
		jle	loc_9FF105

loc_9FED4E:				; CODE XREF: EtwpCovSampContextPruneModules(x)+3Cj
		call	_PsGetCurrentThreadId@0	; PsGetCurrentThreadId()
		mov	ecx, eax
		lea	edx, [ebx+394h]
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	loc_9FF105
		push	8
		lea	eax, [esp+84h+var_48]
		pop	ecx

loc_9FED70:				; CODE XREF: EtwpCovSampContextPruneModules(x)+77j
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		sub	ecx, 1
		jnz	short loc_9FED70
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	esi, [ebx+290h]
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockSharedEx
		lea	eax, [ebx+2B0h]
		mov	ecx, [eax]
		jmp	short loc_9FEDFF
; 

loc_9FEDA4:				; CODE XREF: EtwpCovSampContextPruneModules(x)+FDj
		cmp	dword ptr [ecx-4], 1
		jnz	short loc_9FEDFD
		cmp	[ecx+24h], edi
		jnz	short loc_9FEDFD
		mov	eax, ds:_KeTickCount
		sub	eax, [ecx+28h]
		cmp	eax, 100h
		jnb	short loc_9FEDC3
		shr	eax, 6
		jmp	short loc_9FEDCE
; 

loc_9FEDC3:				; CODE XREF: EtwpCovSampContextPruneModules(x)+B8j
		sub	eax, 100h
		shr	eax, 8
		add	eax, 4

loc_9FEDCE:				; CODE XREF: EtwpCovSampContextPruneModules(x)+BDj
		cmp	eax, 8
		jb	short loc_9FEDD6
		push	7
		pop	eax

loc_9FEDD6:				; CODE XREF: EtwpCovSampContextPruneModules(x)+CDj
		lea	edi, [esp+80h+var_48]
		lea	eax, [edi+eax*8]
		mov	edi, [eax+4]
		lea	edx, [ecx+8]
		cmp	[edi], eax
		jnz	loc_9FF0F6
		mov	[edx], eax
		mov	[edx+4], edi
		mov	[edi], edx
		xor	edi, edi
		mov	[eax+4], edx
		lea	eax, [ebx+2B0h]

loc_9FEDFD:				; CODE XREF: EtwpCovSampContextPruneModules(x)+A4j
					; EtwpCovSampContextPruneModules(x)+A9j
		mov	ecx, [ecx]

loc_9FEDFF:				; CODE XREF: EtwpCovSampContextPruneModules(x)+9Ej
		cmp	ecx, eax
		jnz	short loc_9FEDA4
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_9FEE18
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_9FEE18:				; CODE XREF: EtwpCovSampContextPruneModules(x)+10Bj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	eax, [esp+80h+var_6C]
		mov	ecx, eax
		mov	[esp+80h+var_68], eax
		push	8
		mov	[esp+84h+var_6C], ecx
		lea	edx, [esp+84h+var_48]
		pop	edi

loc_9FEE40:				; CODE XREF: EtwpCovSampContextPruneModules(x)+164j
		mov	ecx, [edx]
		cmp	ecx, edx
		jz	short loc_9FEE62
		mov	[eax], ecx
		mov	ecx, [edx]
		mov	eax, [esp+80h+var_68]
		mov	[ecx+4], eax
		lea	ecx, [esp+80h+var_6C]
		mov	eax, [edx+4]
		mov	[esp+80h+var_68], eax
		mov	[eax], ecx
		mov	eax, [esp+80h+var_68]

loc_9FEE62:				; CODE XREF: EtwpCovSampContextPruneModules(x)+140j
		add	edx, 8
		sub	edi, 1
		jnz	short loc_9FEE40
		xor	eax, eax
		mov	[esp+80h+var_60], eax
		lea	eax, [esp+80h+var_74]
		mov	[esp+80h+var_70], eax
		mov	[esp+80h+var_74], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		lea	ecx, [esp+80h+var_6C]
		mov	edi, [esp+80h+var_6C]
		mov	[ebx+294h], eax
		or	eax, 0FFFFFFFFh
		cmp	edi, ecx
		jz	loc_9FF07C

loc_9FEEB2:				; CODE XREF: EtwpCovSampContextPruneModules(x)+36Cj
		mov	ecx, edi
		lea	edx, [edi-30h]
		cmp	dword ptr [edx+24h], 1
		mov	edi, [edi]
		mov	[esp+80h+var_58], edx
		mov	[esp+80h+var_4C], edi
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		jnz	loc_9FF06A
		xor	ecx, ecx
		cmp	[edx+4Ch], ecx
		jnz	loc_9FF06A
		mov	ecx, [esp+80h+var_60]
		inc	ecx
		mov	[esp+80h+var_60], ecx
		cmp	ecx, [ebx+0Ch]
		jbe	loc_9FF06A
		test	dword ptr [edx+40h], 40000h
		jnz	loc_9FEF85
		mov	edi, [ebx+29Ch]
		mov	ecx, edi
		and	ecx, 1Fh
		shr	edi, 5
		mov	ebx, eax
		shl	ebx, cl
		and	ebx, [edx+4]
		movzx	ecx, bl
		add	ecx, offset unk_B15DCB
		mov	[esp+80h+var_64], ebx
		imul	edx, ecx, 25h
		movzx	ecx, bh
		mov	ebx, [esp+80h+var_5C]
		add	edx, ecx
		movzx	ecx, byte ptr [esp+80h+var_64+2]
		imul	edx, 25h
		add	edx, ecx
		movzx	ecx, byte ptr [esp+80h+var_64+3]
		imul	esi, edx, 25h
		lea	edx, [edi-1]
		mov	edi, 80000002h
		add	esi, ecx
		mov	ecx, [ebx+2A0h]
		and	edx, esi
		lea	esi, [ecx+edx*4]
		mov	edx, [esp+80h+var_58]
		mov	ecx, [edx]
		and	ecx, edi
		cmp	ecx, edi
		jnz	short loc_9FEF61
		xor	edi, edi
		mov	ecx, [edi]
		jmp	short loc_9FEF63
; 

loc_9FEF61:				; CODE XREF: EtwpCovSampContextPruneModules(x)+255j
		xor	edi, edi

loc_9FEF63:				; CODE XREF: EtwpCovSampContextPruneModules(x)+25Bj
					; EtwpCovSampContextPruneModules(x)+26Fj
		mov	ecx, [esi]
		test	ecx, 1
		jnz	short loc_9FEF81
		cmp	ecx, edx
		jz	short loc_9FEF75
		mov	esi, ecx
		jmp	short loc_9FEF63
; 

loc_9FEF75:				; CODE XREF: EtwpCovSampContextPruneModules(x)+26Bj
		mov	ecx, [edx]
		mov	[esi], ecx
		dec	dword ptr [ebx+298h]
		jmp	short loc_9FEF83
; 

loc_9FEF81:				; CODE XREF: EtwpCovSampContextPruneModules(x)+267j
		mov	ecx, [edi]

loc_9FEF83:				; CODE XREF: EtwpCovSampContextPruneModules(x)+27Bj
		mov	[edx], edi

loc_9FEF85:				; CODE XREF: EtwpCovSampContextPruneModules(x)+1F0j
		lea	esi, [edx+8]
		mov	ecx, [esi]
		mov	[esp+80h+var_50], esi
		mov	[esp+80h+var_54], ecx
		test	ecx, ecx
		jz	loc_9FF027
		mov	edi, [ebx+2A8h]
		mov	ecx, edi
		and	ecx, 1Fh
		shr	edi, 5
		mov	ebx, eax
		shl	ebx, cl
		and	ebx, [esi+4]
		movzx	ecx, bl
		add	ecx, offset unk_B15DCB
		mov	[esp+80h+var_64], ebx
		imul	edx, ecx, 25h
		movzx	ecx, bh
		mov	ebx, [esp+80h+var_5C]
		add	edx, ecx
		movzx	ecx, byte ptr [esp+80h+var_64+2]
		imul	edx, 25h
		add	edx, ecx
		movzx	ecx, byte ptr [esp+80h+var_64+3]
		imul	esi, edx, 25h
		lea	edx, [edi-1]
		xor	edi, edi
		add	esi, ecx
		mov	ecx, [ebx+2ACh]
		and	edx, esi
		lea	esi, [ecx+edx*4]
		mov	ecx, [esp+80h+var_54]
		mov	edx, 80000002h
		and	ecx, edx
		cmp	ecx, edx
		jnz	short loc_9FEFFD
		mov	ecx, [edi]

loc_9FEFFD:				; CODE XREF: EtwpCovSampContextPruneModules(x)+2F5j
		mov	edx, [esp+80h+var_50]

loc_9FF001:				; CODE XREF: EtwpCovSampContextPruneModules(x)+30Dj
		mov	ecx, [esi]
		test	ecx, 1
		jnz	short loc_9FF01F
		cmp	ecx, edx
		jz	short loc_9FF013
		mov	esi, ecx
		jmp	short loc_9FF001
; 

loc_9FF013:				; CODE XREF: EtwpCovSampContextPruneModules(x)+309j
		mov	ecx, [edx]
		mov	[esi], ecx
		dec	dword ptr [ebx+2A4h]
		jmp	short loc_9FF021
; 

loc_9FF01F:				; CODE XREF: EtwpCovSampContextPruneModules(x)+305j
		mov	ecx, [edi]

loc_9FF021:				; CODE XREF: EtwpCovSampContextPruneModules(x)+319j
		mov	[edx], edi
		mov	edx, [esp+80h+var_58]

loc_9FF027:				; CODE XREF: EtwpCovSampContextPruneModules(x)+290j
		lea	ecx, [edx+28h]
		mov	esi, [ecx]
		cmp	[esi+4], ecx
		jnz	loc_9FF0F6
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_9FF0F6
		mov	[edx], esi
		mov	[esi+4], edx
		lea	esi, [esp+80h+var_74]
		mov	edx, [esp+80h+var_70]
		dec	dword ptr [ebx+2B8h]
		cmp	[edx], esi
		jnz	loc_9FF0F6
		mov	edi, [esp+80h+var_4C]
		mov	[ecx], esi
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[esp+80h+var_70], ecx

loc_9FF06A:				; CODE XREF: EtwpCovSampContextPruneModules(x)+1C6j
					; EtwpCovSampContextPruneModules(x)+1D1j ...
		lea	ecx, [esp+80h+var_6C]
		cmp	edi, ecx
		jnz	loc_9FEEB2
		lea	esi, [ebx+290h]

loc_9FF07C:				; CODE XREF: EtwpCovSampContextPruneModules(x)+1A8j
		xor	edi, edi
		mov	[ebx+2BCh], edi
		mov	[ebx+390h], edi
		mov	[ebx+294h], edi
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9FF0A1
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9FF0A1:				; CODE XREF: EtwpCovSampContextPruneModules(x)+394j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9FF0B4:				; CODE XREF: EtwpCovSampContextPruneModules(x)+3F0j
		mov	eax, [esp+80h+var_74]
		lea	ecx, [esp+80h+var_74]
		cmp	eax, ecx
		jz	short loc_9FF0FB
		cmp	[eax+4], ecx
		jnz	short loc_9FF0F6
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_9FF0F6
		mov	[esp+80h+var_74], ecx
		lea	edx, [esp+80h+var_74]
		mov	[ecx+4], edx
		lea	esi, [eax-28h]
		mov	ecx, esi
		mov	[esi+24h], edi
		mov	[eax+4], eax
		mov	[eax], eax
		call	_EtwpCovSampModuleCleanup@4 ; EtwpCovSampModuleCleanup(x)
		push	56777445h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_9FF0B4
; 

loc_9FF0F6:				; CODE XREF: EtwpCovSampContextPruneModules(x)+E1j
					; EtwpCovSampContextPruneModules(x)+32Bj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9FF0FB:				; CODE XREF: EtwpCovSampContextPruneModules(x)+3BAj
		xor	eax, eax
		lea	ecx, [ebx+394h]
		xchg	eax, [ecx]

loc_9FF105:				; CODE XREF: EtwpCovSampContextPruneModules(x)+44j
					; EtwpCovSampContextPruneModules(x)+5Fj
		mov	ecx, [esp+80h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_EtwpCovSampContextPruneModules@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampContextRemoveAndFreeModule(x, x)
_EtwpCovSampContextRemoveAndFreeModule@8 proc near
					; CODE XREF: EtwpCovSampContextCleanup(x)+1A0p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		or	edx, 0FFFFFFFFh
		mov	ebx, ecx
		mov	eax, [edi]
		mov	[edi+24h], esi
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_9FF1AF
		mov	esi, [ebx+29Ch]
		mov	ecx, esi
		and	ecx, 1Fh
		shr	esi, 5
		shl	edx, cl
		and	edx, [edi+4]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_4], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	edx, ecx, 25h
		lea	ecx, [esi-1]
		xor	esi, esi
		add	edx, eax
		mov	eax, [ebx+2A0h]
		and	ecx, edx
		mov	edx, 80000002h
		lea	ecx, [eax+ecx*4]
		mov	eax, [ebp+var_8]
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_9FF18E
		mov	eax, [esi]

loc_9FF18E:				; CODE XREF: EtwpCovSampContextRemoveAndFreeModule(x,x)+73j
					; EtwpCovSampContextRemoveAndFreeModule(x,x)+83j
		mov	eax, [ecx]
		test	al, 1
		jnz	short loc_9FF1A8
		cmp	eax, edi
		jz	short loc_9FF19C
		mov	ecx, eax
		jmp	short loc_9FF18E
; 

loc_9FF19C:				; CODE XREF: EtwpCovSampContextRemoveAndFreeModule(x,x)+7Fj
		mov	eax, [edi]
		mov	[ecx], eax
		dec	dword ptr [ebx+298h]
		jmp	short loc_9FF1AA
; 

loc_9FF1A8:				; CODE XREF: EtwpCovSampContextRemoveAndFreeModule(x,x)+7Bj
		mov	eax, [esi]

loc_9FF1AA:				; CODE XREF: EtwpCovSampContextRemoveAndFreeModule(x,x)+8Fj
		mov	[edi], esi
		or	edx, 0FFFFFFFFh

loc_9FF1AF:				; CODE XREF: EtwpCovSampContextRemoveAndFreeModule(x,x)+1Dj
		mov	ecx, [edi+8]
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	short loc_9FF232
		mov	esi, [ebx+2A8h]
		mov	ecx, esi
		and	ecx, 1Fh
		shr	esi, 5
		shl	edx, cl
		and	edx, [edi+0Ch]
		movzx	eax, dl
		add	eax, offset unk_B15DCB
		mov	[ebp+var_4], edx
		imul	ecx, eax, 25h
		movzx	eax, dh
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+2]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		imul	edx, ecx, 25h
		lea	ecx, [esi-1]
		xor	esi, esi
		add	edx, eax
		mov	eax, [ebx+2ACh]
		and	ecx, edx
		lea	edx, [eax+ecx*4]
		mov	eax, [ebp+var_8]
		mov	ecx, 80000002h
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_9FF211
		mov	eax, [esi]

loc_9FF211:				; CODE XREF: EtwpCovSampContextRemoveAndFreeModule(x,x)+F6j
		lea	ecx, [edi+8]

loc_9FF214:				; CODE XREF: EtwpCovSampContextRemoveAndFreeModule(x,x)+109j
		mov	eax, [edx]
		test	al, 1
		jnz	short loc_9FF22E
		cmp	eax, ecx
		jz	short loc_9FF222
		mov	edx, eax
		jmp	short loc_9FF214
; 

loc_9FF222:				; CODE XREF: EtwpCovSampContextRemoveAndFreeModule(x,x)+105j
		mov	eax, [ecx]
		mov	[edx], eax
		dec	dword ptr [ebx+2A4h]
		jmp	short loc_9FF230
; 

loc_9FF22E:				; CODE XREF: EtwpCovSampContextRemoveAndFreeModule(x,x)+101j
		mov	eax, [esi]

loc_9FF230:				; CODE XREF: EtwpCovSampContextRemoveAndFreeModule(x,x)+115j
		mov	[ecx], esi

loc_9FF232:				; CODE XREF: EtwpCovSampContextRemoveAndFreeModule(x,x)+A0j
		lea	eax, [edi+28h]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_9FF26A
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_9FF26A
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	ecx, edi
		mov	[eax+4], eax
		mov	[eax], eax
		dec	dword ptr [ebx+2B8h]
		call	_EtwpCovSampModuleCleanup@4 ; EtwpCovSampModuleCleanup(x)
		push	56777445h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_9FF26A:				; CODE XREF: EtwpCovSampContextRemoveAndFreeModule(x,x)+123j
					; EtwpCovSampContextRemoveAndFreeModule(x,x)+12Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_EtwpCovSampContextRemoveAndFreeModule@8 endp ;	AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampEnumerateDriver(x, x)
_EtwpCovSampEnumerateDriver@8 proc near	; DATA XREF: EtwpCoverageSamplerStart(x)+192o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		mov	eax, edx
		mov	[ebp+var_10], edx
		or	eax, 500h
		mov	[ebp+var_8], edx
		mov	[ebp+var_18], eax
		mov	eax, [ecx+18h]
		mov	[ebp+var_14], eax
		mov	eax, [ecx+20h]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	edx
		lea	eax, [ecx+24h]
		mov	[ebp+var_4], edx
		push	eax
		mov	[ebp+var_1C], 1Ch
		call	_EtwpCovSampImageNotify@12 ; EtwpCovSampImageNotify(x,x,x)
		xor	eax, eax
		leave
		retn	8
_EtwpCovSampEnumerateDriver@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampEnumerateProcess(x, x)
_EtwpCovSampEnumerateProcess@8 proc near ; DATA	XREF: EtwpCoverageSamplerStart(x)+186o

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+58h+var_1C]
		xor	ebx, ebx
		rep stosd
		lea	edi, [esp+58h+var_38]
		mov	[esp+58h+var_44], ebx
		push	7
		pop	ecx
		rep stosd
		mov	edi, ebx
		mov	[esp+58h+var_40], ebx
		mov	[esp+58h+var_3C], ebx
		mov	[esp+58h+var_48], ebx
		cmp	esi, ds:_PsInitialSystemProcess
		jz	loc_9FF437
		mov	eax, large fs:124h
		cmp	esi, [eax+80h]
		jz	short loc_9FF33D
		lea	ecx, [esi+0F0h]
		call	@ExAcquireRundownProtection@4 ;	ExAcquireRundownProtection(x)
		test	al, al
		jz	loc_9FF3FD
		lea	eax, [esp+58h+var_1C]
		xor	edx, edx
		push	eax
		mov	ecx, esi
		call	KiStackAttachProcess
		mov	[esp+58h+var_44], 1

loc_9FF33D:				; CODE XREF: EtwpCovSampEnumerateProcess(x,x)+5Cj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	MmEnumerateAddressSpaceAndReferenceImages
		mov	edi, eax
		test	edi, edi
		jz	loc_9FF3FD
		mov	ecx, ebx
		mov	[esp+58h+var_30], ebx
		or	ecx, 400h
		mov	[esp+58h+var_2C], ebx
		mov	[esp+58h+var_28], ebx
		mov	[esp+58h+var_24], ebx
		mov	[esp+58h+var_20], ebx
		mov	ebx, edi
		mov	[esp+58h+var_38], 1Ch
		mov	[esp+58h+var_34], ecx
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_9FF3FD
		mov	eax, [esp+58h+var_48]

loc_9FF385:				; CODE XREF: EtwpCovSampEnumerateProcess(x,x)+143j
		test	cl, 3
		jnz	short loc_9FF3DF
		and	ecx, 0FFFFFFFCh
		mov	[ebx], ecx
		mov	[esp+58h+var_20], ecx
		mov	eax, [ebx+4]
		and	eax, 0FFFF0000h
		mov	[esp+58h+var_30], eax
		mov	eax, [ebx+0Ch]
		mov	[esp+58h+var_28], eax
		mov	eax, _FltMgrCallbacks
		test	eax, eax
		jz	short loc_9FF3DB
		lea	edx, [esp+58h+var_48]
		push	edx
		lea	edx, [esp+5Ch+var_40]
		push	edx
		push	400h
		push	ecx
		call	dword ptr [eax+0Ch]
		test	eax, eax
		js	short loc_9FF3DB
		lea	eax, [esp+68h+var_44]
		push	eax
		push	dword ptr [esi+0E4h]
		lea	eax, [esp+70h+var_50]
		push	eax
		call	_EtwpCovSampImageNotify@12 ; EtwpCovSampImageNotify(x,x,x)

loc_9FF3DB:				; CODE XREF: EtwpCovSampEnumerateProcess(x,x)+F7j
					; EtwpCovSampEnumerateProcess(x,x)+10Ej
		mov	eax, [esp+68h+var_58]

loc_9FF3DF:				; CODE XREF: EtwpCovSampEnumerateProcess(x,x)+D2j
		test	eax, eax
		jz	short loc_9FF3F2
		push	eax
		mov	eax, _FltMgrCallbacks
		call	dword ptr [eax+10h]
		xor	eax, eax
		mov	[esp+6Ch+var_5C], eax

loc_9FF3F2:				; CODE XREF: EtwpCovSampEnumerateProcess(x,x)+12Bj
		add	ebx, 20h
		mov	ecx, [ebx]
		test	ecx, ecx
		jnz	short loc_9FF385
		jmp	short loc_9FF401
; 

loc_9FF3FD:				; CODE XREF: EtwpCovSampEnumerateProcess(x,x)+6Bj
					; EtwpCovSampEnumerateProcess(x,x)+95j	...
		mov	eax, [esp+58h+var_48]

loc_9FF401:				; CODE XREF: EtwpCovSampEnumerateProcess(x,x)+145j
		test	eax, eax
		jz	short loc_9FF40E
		push	eax
		mov	eax, _FltMgrCallbacks
		call	dword ptr [eax+10h]

loc_9FF40E:				; CODE XREF: EtwpCovSampEnumerateProcess(x,x)+14Dj
		test	edi, edi
		jz	short loc_9FF41A
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FF41A:				; CODE XREF: EtwpCovSampEnumerateProcess(x,x)+15Aj
		cmp	[esp+5Ch+var_48], 0
		jz	short loc_9FF437
		xor	edx, edx
		lea	ecx, [esp+5Ch+var_20]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		lea	ecx, [esi+0F0h]
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)

loc_9FF437:				; CODE XREF: EtwpCovSampEnumerateProcess(x,x)+4Aj
					; EtwpCovSampEnumerateProcess(x,x)+169j
		mov	ecx, [esp+5Ch+var_8]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_EtwpCovSampEnumerateProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampHashLookupInTable(x, x, x)
_EtwpCovSampHashLookupInTable@12 proc near
					; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+136p
					; EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+19Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		movzx	eax, byte ptr [edx+1]
		push	ebx
		push	esi
		imul	esi, eax, 25h
		xor	ebx, ebx
		movzx	eax, byte ptr [edx+2]
		push	edi
		mov	edi, ecx
		add	esi, eax
		movzx	eax, byte ptr [edx+3]
		imul	esi, 25h
		add	esi, eax
		movzx	eax, byte ptr [edx+4]
		imul	ecx, esi, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+5]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+6]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx]
		imul	eax, 1A617D0Dh
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+7]
		add	eax, 0CBB8E24Fh
		add	ecx, eax
		mov	eax, [edi+0Ch]
		dec	eax
		mov	[ebp+var_8], ecx
		mov	esi, eax
		mov	[ebp+var_C], eax
		mov	eax, [edi+10h]
		and	esi, ecx
		mov	[ebp+var_10], eax
		lea	edi, [eax+esi*8]
		mov	eax, [edx]
		mov	edx, [edx+4]
		mov	[ebp+var_4], eax
		jmp	short loc_9FF4E7
; 

loc_9FF4C7:				; CODE XREF: EtwpCovSampHashLookupInTable(x,x,x)+A2j
					; EtwpCovSampHashLookupInTable(x,x,x)+A6j
		or	eax, ecx
		jz	short loc_9FF4FA
		test	ebx, ebx
		jnz	short loc_9FF4DC
		imul	ebx, [ebp+var_8], 9E3779B1h
		test	bl, 1
		jnz	short loc_9FF4DC
		inc	ebx

loc_9FF4DC:				; CODE XREF: EtwpCovSampHashLookupInTable(x,x,x)+80j
					; EtwpCovSampHashLookupInTable(x,x,x)+8Cj
		mov	eax, [ebp+var_10]
		add	esi, ebx
		and	esi, [ebp+var_C]
		lea	edi, [eax+esi*8]

loc_9FF4E7:				; CODE XREF: EtwpCovSampHashLookupInTable(x,x,x)+78j
		mov	eax, [edi]
		mov	ecx, [edi+4]
		cmp	eax, [ebp+var_4]
		jnz	short loc_9FF4C7
		cmp	ecx, edx
		jnz	short loc_9FF4C7
		xor	eax, eax
		inc	eax
		jmp	short loc_9FF4FC
; 

loc_9FF4FA:				; CODE XREF: EtwpCovSampHashLookupInTable(x,x,x)+7Cj
		xor	eax, eax

loc_9FF4FC:				; CODE XREF: EtwpCovSampHashLookupInTable(x,x,x)+ABj
		mov	ecx, [ebp+arg_0]
		mov	[ecx], edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpCovSampHashLookupInTable@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampHashMakeRoomAndAcquireLock(x, x,	x)
_EtwpCovSampHashMakeRoomAndAcquireLock@12 proc near
					; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+3Bp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, large fs:124h
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		mov	[ebp+var_10], ebx
		dec	word ptr [eax+13Ch]
		push	edi
		mov	[ebp+var_4], ecx
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		and	[ebp+var_C], 0
		mov	[esi+4], eax
		mov	eax, [esi+3A4h]
		mov	ecx, [eax+8]
		mov	edx, [eax+0Ch]
		add	ecx, ebx
		imul	eax, edx, 7
		shr	eax, 3
		cmp	ecx, eax
		jb	loc_9FF750

loc_9FF563:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+1DFj
		mov	ebx, [esi+1Ch]
		cmp	edx, ebx
		jb	short loc_9FF57B
		mov	eax, [esi+3B4h]
		cmp	eax, [esi+20h]
		jnb	loc_9FF744
		jmp	short loc_9FF597
; 

loc_9FF57B:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+60j
		lea	edi, [edx+edx]
		test	edx, edx
		jnz	short loc_9FF589
		mov	edi, [esi+18h]
		jmp	short loc_9FF589
; 

loc_9FF587:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+89j
		add	edi, edi

loc_9FF589:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+78j
					; EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+7Dj
		imul	eax, edi, 7
		shr	eax, 3
		cmp	eax, ecx
		jb	short loc_9FF587
		cmp	edi, ebx
		jb	short loc_9FF599

loc_9FF597:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+71j
		mov	edi, ebx

loc_9FF599:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+8Dj
		and	dword ptr [esi+4], 0
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9FF5B1
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9FF5B1:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+A0j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_9FF5D2
		mov	ecx, eax
		call	_EtwpCoverageSamplerFreeTable@4	; EtwpCoverageSamplerFreeTable(x)

loc_9FF5D2:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+C1j
		mov	ecx, edi
		call	_EtwpCoverageSamplerAllocateTable@4 ; EtwpCoverageSamplerAllocateTable(x)
		mov	[ebp+var_4], eax
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_9FF750
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ebx, [esi+3A4h]
		mov	[esi+4], eax
		mov	edx, [ebx+0Ch]
		mov	ecx, [ebx+8]
		add	ecx, [ebp+var_10]
		imul	eax, edx, 7
		shr	eax, 3
		cmp	ecx, eax
		jb	loc_9FF744
		cmp	edx, edi
		jnb	loc_9FF6EF
		mov	ecx, [ebp+var_4]
		mov	[esi+3A4h], ecx
		mov	ecx, [ebx]
		mov	[ebp+var_4], ebx
		cmp	[ecx+4], ebx
		jnz	loc_9FF71C
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	loc_9FF71C
		mov	[eax], ecx
		mov	[ecx+4], eax
		lea	eax, [esi+3ACh]
		mov	edx, [eax+4]
		mov	ecx, [esi+3A4h]
		cmp	[edx], eax
		jnz	loc_9FF71C
		mov	[ecx], eax
		xor	edi, edi
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		mov	ecx, [esi+3A4h]
		mov	eax, [ebx+8]
		mov	[ecx+8], eax
		cmp	[ebx+0Ch], edi
		jbe	short loc_9FF6C4

loc_9FF687:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+1BAj
		mov	eax, [ebx+10h]
		lea	ecx, [eax+edi*8]
		mov	eax, [ecx]
		or	eax, [ecx+4]
		mov	[ebp+var_14], ecx
		jz	short loc_9FF6BE
		lea	eax, [ebp+var_8]
		mov	edx, ecx
		mov	ecx, [esi+3A4h]
		push	eax
		call	_EtwpCovSampHashLookupInTable@12 ; EtwpCovSampHashLookupInTable(x,x,x)
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_8]
		mov	eax, [edx]
		mov	[ecx], eax
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		sub	dword ptr [ebx+8], 1
		jz	short loc_9FF6C4

loc_9FF6BE:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+18Dj
		inc	edi
		cmp	edi, [ebx+0Ch]
		jb	short loc_9FF687

loc_9FF6C4:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+17Dj
					; EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+1B4j
		mov	edi, [ebp+var_C]
		cmp	edi, 14h
		jnb	short loc_9FF744
		mov	eax, [esi+3A4h]
		inc	edi
		mov	[ebp+var_C], edi
		mov	ecx, [eax+8]
		mov	edx, [eax+0Ch]
		add	ecx, [ebp+var_10]
		imul	eax, edx, 7
		shr	eax, 3
		cmp	ecx, eax
		jnb	loc_9FF563
		jmp	short loc_9FF744
; 

loc_9FF6EF:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+11Ej
		mov	eax, [esi+3B4h]
		cmp	eax, [esi+20h]
		jnb	short loc_9FF744
		mov	ecx, [ebp+var_4]
		xor	ebx, ebx
		mov	[esi+3A4h], ecx
		inc	eax
		lea	ecx, [esi+3ACh]
		mov	[esi+3B4h], eax
		mov	edx, [ecx+4]
		mov	[ebp+var_4], ebx
		cmp	[edx], ecx
		jz	short loc_9FF721

loc_9FF71C:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+135j
					; EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+140j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9FF721:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+212j
		mov	eax, [ebp+var_14]
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		cmp	dword ptr [esi+3B4h], 2
		jnz	short loc_9FF750
		push	ebx
		push	ebx
		push	dword ptr [esi+3A8h]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_9FF744:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+6Bj
					; EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+116j ...
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_9FF750
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_9FF750:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+55j
					; EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+D9j ...
		mov	eax, large fs:124h
		cmp	[esi+4], eax
		jz	short loc_9FF77B
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+4], eax

loc_9FF77B:				; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+251j
		mov	eax, [esi+3A4h]
		pop	edi
		pop	esi
		pop	ebx
		imul	edx, [eax+0Ch],	7
		mov	eax, [eax+8]
		shr	edx, 3
		mov	ecx, edx
		sub	ecx, eax
		cmp	eax, edx
		sbb	eax, eax
		and	eax, ecx
		leave
		retn	4
_EtwpCovSampHashMakeRoomAndAcquireLock@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampImageNotify(x, x, x)
_EtwpCovSampImageNotify@12 proc	near	; CODE XREF: EtwpCovSampEnumerateDriver(x,x)+3Cp
					; EtwpCovSampEnumerateProcess(x,x)+120p
					; DATA XREF: ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		xor	esi, esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		test	dword ptr [edi], 400h
		jz	loc_9FF85D
		lea	ecx, [ebp+var_8]
		call	_EtwpCovSampAcquireSamplerRundown@4 ; EtwpCovSampAcquireSamplerRundown(x)
		test	eax, eax
		js	short loc_9FF83A
		mov	eax, large fs:124h
		mov	esi, dword_6BC08C
		add	esi, 8
		mov	ebx, [eax+80h]
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_9FF800
		cmp	eax, [ebx+0E4h]
		jnz	short loc_9FF83A
		mov	ecx, ebx
		call	_EtwpCovSampProcessEnsureContext@4 ; EtwpCovSampProcessEnsureContext(x)
		test	eax, eax
		js	short loc_9FF83A
		mov	eax, [ebx+4B0h]
		jmp	short loc_9FF80E
; 

loc_9FF800:				; CODE XREF: EtwpCovSampImageNotify(x,x,x)+47j
		test	dword ptr [edi], 100h
		jz	short loc_9FF83A
		lea	eax, [esi+2C0h]

loc_9FF80E:				; CODE XREF: EtwpCovSampImageNotify(x,x,x)+62j
		lea	ecx, [ebp+var_4]
		mov	[ebp+arg_8], eax
		push	ecx
		lea	ecx, [edi-4]
		mov	edx, ebx
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, esi
		push	eax
		call	_EtwpCovSampContextGetModule@24	; EtwpCovSampContextGetModule(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_9FF83A
		push	dword ptr [edi+4]
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		push	[ebp+var_4]
		call	_EtwpCovSampProcessAddModule@16	; EtwpCovSampProcessAddModule(x,x,x,x)

loc_9FF83A:				; CODE XREF: EtwpCovSampImageNotify(x,x,x)+2Bj
					; EtwpCovSampImageNotify(x,x,x)+4Fj ...
		mov	edx, [ebp+var_4]
		test	edx, edx
		jz	short loc_9FF848
		mov	ecx, esi
		call	_EtwpCovSampModuleDereference@8	; EtwpCovSampModuleDereference(x,x)

loc_9FF848:				; CODE XREF: EtwpCovSampImageNotify(x,x,x)+A3j
		cmp	[ebp+var_8], 0
		jz	short loc_9FF85D
		mov	ecx, offset unk_6BC090
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9FF85D:				; CODE XREF: EtwpCovSampImageNotify(x,x,x)+1Bj
					; EtwpCovSampImageNotify(x,x,x)+B0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_EtwpCovSampImageNotify@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall EtwpCovSampLookasideControlInitialize(int,void	*,int,int,int)
_EtwpCovSampLookasideControlInitialize@20 proc near
					; CODE XREF: EtwpCovSampCaptureContextStart(x)+11Ep
					; EtwpCovSampCaptureContextStart(x)+138p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	38h		; size_t
		mov	edi, edx
		mov	esi, ecx
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [esi+11Ch]
		lea	eax, [edi+8]
		add	esi, 118h
		add	esp, 0Ch
		cmp	[ecx], esi
		jz	short loc_9FF894
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9FF894:				; CODE XREF: EtwpCovSampLookasideControlInitialize(x,x,x,x,x)+29j
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[esi+4], eax
		lea	eax, [edi+10h]
		and	dword ptr [edi], 0
		and	dword ptr [edi+4], 0
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+18h], eax
		mov	eax, [ebp+arg_8]
		mov	[edi+20h], eax
		mov	eax, [ebp+arg_4]
		mov	[edi+1Ch], eax
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_EtwpCovSampLookasideControlInitialize@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampLookasideInitialize(x, x, x)
_EtwpCovSampLookasideInitialize@12 proc	near
					; CODE XREF: EtwpCovSampCaptureContextStart(x)+296p
					; EtwpCovSampCaptureContextStart(x)+2A4p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, ecx
		xor	eax, eax
		push	0Ah
		add	esi, 110h
		mov	edi, edx
		pop	ecx
		rep stosd
		mov	ecx, [esi+4]
		lea	eax, [edx+8]
		cmp	[ecx], esi
		jz	short loc_9FF8EC
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9FF8EC:				; CODE XREF: EtwpCovSampLookasideInitialize(x,x,x)+20j
		mov	[eax], esi
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	ecx, [ebp+arg_0]
		mov	[esi+4], eax
		and	dword ptr [edx], 0
		and	dword ptr [edx+4], 0
		mov	[edx+10h], ecx
		mov	eax, [ecx+20h]
		mov	[edx+24h], eax
		inc	dword ptr [ecx+24h]
		mov	eax, [ecx+20h]
		add	[ecx+28h], eax
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_EtwpCovSampLookasideInitialize@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampModuleCleanup(x)
_EtwpCovSampModuleCleanup@4 proc near	; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+A7Bp
					; EtwpCovSampContextPruneModules(x)+3E0p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		lea	ecx, [esi+38h]
		cmp	[ecx], edi
		jz	short loc_9FF935
		call	_EtwpCovSampModuleNameInfoCleanup@4 ; EtwpCovSampModuleNameInfoCleanup(x)
		xor	eax, eax
		mov	[esi+3Ch], edi
		mov	[esi+40h], ax

loc_9FF935:				; CODE XREF: EtwpCovSampModuleCleanup(x)+Dj
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_9FF949
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+1Ch], edi
		mov	[esi+20h], edi

loc_9FF949:				; CODE XREF: EtwpCovSampModuleCleanup(x)+22j
		pop	edi
		pop	esi
		retn
_EtwpCovSampModuleCleanup@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampModuleDereference(x, x)
_EtwpCovSampModuleDereference@8	proc near ; CODE XREF: EtwpCovSampImageNotify(x,x,x)+A7p
					; EtwpCovSampProcessCleanup(x,x)+20p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [edx+24h], eax
		dec	eax
		test	eax, eax
		jg	short loc_9FF965
		jz	short loc_9FF97B
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9FF965:				; CODE XREF: EtwpCovSampModuleDereference(x,x)+10j
		cmp	eax, 1
		jnz	short loc_9FF97B
		cmp	dword ptr [edx+4Ch], 0
		jnz	short loc_9FF97B
		test	esi, esi
		jz	short loc_9FF97B
		lock inc dword ptr [esi+390h]

loc_9FF97B:				; CODE XREF: EtwpCovSampModuleDereference(x,x)+12j
					; EtwpCovSampModuleDereference(x,x)+1Cj ...
		pop	esi
		retn
_EtwpCovSampModuleDereference@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampModuleGetName(x,	x, x)
_EtwpCovSampModuleGetName@12 proc near	; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+291p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], ebx
		mov	ecx, [edx+18h]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		test	ecx, ecx
		jz	short loc_9FF9E1
		mov	eax, _FltMgrCallbacks
		test	eax, eax
		jz	short loc_9FF9E1
		lea	edx, [ebp+var_4]
		push	edx
		lea	edx, [ebp+var_14]
		push	edx
		push	200h
		push	ecx
		call	dword ptr [eax+0Ch]
		test	eax, eax
		js	short loc_9FF9E1
		mov	eax, [ebp+var_10]
		mov	esi, ebx
		mov	[edi+3Ch], eax
		mov	ax, word ptr [ebp+var_14]
		shr	ax, 1
		mov	[edi+40h], ax
		mov	eax, [ebp+var_4]
		or	eax, 1
		mov	[ebp+var_4], ebx
		mov	[edi+38h], eax
		jmp	short loc_9FFA31
; 

loc_9FF9E1:				; CODE XREF: EtwpCovSampModuleGetName(x,x,x)+23j
					; EtwpCovSampModuleGetName(x,x,x)+2Cj ...
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_9FFA1C
		cmp	[eax], bx
		jz	short loc_9FFA1C
		lea	ecx, [ebp+var_C]
		push	ecx
		push	eax
		push	ebx
		call	RtlDuplicateUnicodeString
		mov	esi, eax
		test	esi, esi
		js	short loc_9FFA21
		mov	ax, word ptr [ebp+var_C]
		mov	esi, ebx
		mov	ecx, [ebp+var_8]
		shr	ax, 1
		mov	[edi+3Ch], ecx
		mov	[edi+40h], ax
		mov	[edi+38h], ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		jmp	short loc_9FFA21
; 

loc_9FFA1C:				; CODE XREF: EtwpCovSampModuleGetName(x,x,x)+69j
					; EtwpCovSampModuleGetName(x,x,x)+6Ej
		mov	esi, 0C0000225h

loc_9FFA21:				; CODE XREF: EtwpCovSampModuleGetName(x,x,x)+7Fj
					; EtwpCovSampModuleGetName(x,x,x)+9Dj
		cmp	[ebp+var_4], ebx
		jz	short loc_9FFA31
		mov	eax, _FltMgrCallbacks
		push	[ebp+var_4]
		call	dword ptr [eax+10h]

loc_9FFA31:				; CODE XREF: EtwpCovSampModuleGetName(x,x,x)+62j
					; EtwpCovSampModuleGetName(x,x,x)+A7j
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpCovSampModuleGetName@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampModuleNameInfoCleanup(x)
_EtwpCovSampModuleNameInfoCleanup@4 proc near
					; CODE XREF: EtwpCovSampContextGetModule(x,x,x,x,x,x)+904p
					; EtwpCovSampModuleCleanup(x)+Fp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, ecx
		mov	edx, [esi]
		test	edx, edx
		jz	short loc_9FFA82
		mov	eax, edx
		and	eax, 0FFFFFFFCh
		test	dl, 1
		jz	short loc_9FFA68
		push	eax
		mov	eax, _FltMgrCallbacks
		call	dword ptr [eax+10h]
		jmp	short loc_9FFA7F
; 

loc_9FFA68:				; CODE XREF: EtwpCovSampModuleNameInfoCleanup(x)+18j
		mov	[ebp+var_4], eax
		xor	eax, eax
		inc	eax
		mov	word ptr [ebp+var_8], ax
		mov	word ptr [ebp+var_8+2],	ax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_9FFA7F:				; CODE XREF: EtwpCovSampModuleNameInfoCleanup(x)+23j
		and	dword ptr [esi], 0

loc_9FFA82:				; CODE XREF: EtwpCovSampModuleNameInfoCleanup(x)+Ej
		pop	esi
		leave
		retn
_EtwpCovSampModuleNameInfoCleanup@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampModuleReference(x, x)
_EtwpCovSampModuleReference@8 proc near	; CODE XREF: ProcessForExeModule(x,x,x,x)+29p
					; EtwpCovSampProcessAddModule(x,x,x,x)+194p
		mov	edi, edi
		push	esi
		xor	eax, eax
		lea	esi, [edx+24h]
		push	edi
		mov	edi, ecx
		inc	eax
		lock xadd [esi], eax
		inc	eax
		cmp	eax, 1
		jg	short loc_9FFAA0
		push	0Eh
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_9FFAA0:				; CODE XREF: EtwpCovSampModuleReference(x,x)+14j
		cmp	dword ptr [esi], 2
		jnz	short loc_9FFAB2
		cmp	dword ptr [edx+4Ch], 0
		jnz	short loc_9FFAB2
		lock dec dword ptr [edi+390h]

loc_9FFAB2:				; CODE XREF: EtwpCovSampModuleReference(x,x)+1Ej
					; EtwpCovSampModuleReference(x,x)+24j
		pop	edi
		pop	esi
		retn
_EtwpCovSampModuleReference@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampProcessAddModule(x, x, x, x)
_EtwpCovSampProcessAddModule@16	proc near ; CODE XREF: EtwpCovSampImageNotify(x,x,x)+99p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		dec	word ptr [eax+13Ch]
		mov	esi, ecx
		push	edi
		nop
		lea	edi, [esi+4]
		xor	edx, edx
		mov	ecx, edi
		mov	[ebp+var_C], edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+8], eax
		cmp	[esi], ebx
		jnz	short loc_9FFB00
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebp+var_4]
		mov	[esi], eax

loc_9FFB00:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+3Aj
		mov	eax, [ebp+arg_0]
		test	dword ptr [eax+40h], 110000h
		jnz	short loc_9FFB1F
		mov	edx, [ebp+arg_4]
		push	ecx
		push	dword ptr [eax+18h]
		mov	ecx, esi
		call	_EtwpCovSampProcessRemoveModule@16 ; EtwpCovSampProcessRemoveModule(x,x,x,x)
		jmp	loc_9FFC51
; 

loc_9FFB1F:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+55j
		and	[ebp+var_8], ebx

loc_9FFB22:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+14Dj
		mov	edx, [ebp+arg_4]
		push	ecx
		push	dword ptr [eax+18h]
		mov	ecx, esi
		call	_EtwpCovSampProcessRemoveModule@16 ; EtwpCovSampProcessRemoveModule(x,x,x,x)
		mov	ecx, [esi+10h]
		mov	edx, eax
		mov	eax, [esi+14h]
		cmp	ecx, eax
		jb	loc_9FFC16
		test	eax, eax
		jz	short loc_9FFB4C
		lea	ecx, [eax+eax]
		mov	[ebp+var_4], ecx
		jmp	short loc_9FFB53
; 

loc_9FFB4C:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+8Dj
		mov	[ebp+var_4], 10h

loc_9FFB53:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+95j
		and	dword ptr [esi+8], 0
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9FFB6B
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9FFB6B:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+ADj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	ebx, ebx
		jz	short loc_9FFB8D
		push	56777445h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FFB8D:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+CBj
		mov	eax, [ebp+var_4]
		push	56777445h
		shl	eax, 3
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_9FFC0F
		mov	ecx, large fs:124h
		dec	word ptr [ecx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[esi+8], eax
		mov	eax, [ebp+var_4]
		cmp	eax, [esi+14h]
		jbe	short loc_9FFBF5
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_9FFBED
		mov	eax, [esi+10h]
		shl	eax, 3
		push	eax		; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memcpy
		mov	ecx, [esi+0Ch]
		add	esp, 0Ch
		mov	eax, [ebp+var_4]

loc_9FFBED:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+11Fj
		mov	[esi+0Ch], ebx
		mov	ebx, ecx
		mov	[esi+14h], eax

loc_9FFBF5:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+118j
		mov	eax, [ebp+var_8]
		inc	eax
		mov	[ebp+var_8], eax
		cmp	eax, 14h
		mov	eax, [ebp+arg_0]
		jb	loc_9FFB22
		mov	edi, 0C0000001h
		jmp	short loc_9FFC53
; 

loc_9FFC0F:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+EFj
		mov	edi, 0C000009Ah
		jmp	short loc_9FFC53
; 

loc_9FFC16:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+85j
		mov	eax, [esi+0Ch]
		lea	edi, [eax+edx*8]
		cmp	ecx, edx
		jbe	short loc_9FFC36
		sub	ecx, edx
		lea	eax, [edi+8]
		shl	ecx, 3
		push	ecx		; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memmove
		mov	ecx, [esi+10h]
		add	esp, 0Ch

loc_9FFC36:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+169j
		mov	edx, [ebp+arg_0]
		lea	eax, [ecx+1]
		mov	[esi+10h], eax
		mov	eax, [edx+18h]
		add	eax, [ebp+arg_4]
		mov	[edi], eax
		mov	ecx, [esi]
		call	_EtwpCovSampModuleReference@8 ;	EtwpCovSampModuleReference(x,x)
		mov	[edi+4], edx

loc_9FFC51:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+65j
		xor	edi, edi

loc_9FFC53:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+158j
					; EtwpCovSampProcessAddModule(x,x,x,x)+15Fj
		mov	eax, large fs:124h
		cmp	[esi+8], eax
		jnz	short loc_9FFC8C
		and	dword ptr [esi+8], 0
		or	eax, 0FFFFFFFFh
		mov	esi, [ebp+var_C]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9FFC79
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_9FFC79:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+1BBj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_9FFC8C:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+1A7j
		test	ebx, ebx
		jz	short loc_9FFC9B
		push	56777445h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FFC9B:				; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+1D9j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_EtwpCovSampProcessAddModule@16	endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampProcessCleanup(x, x)
_EtwpCovSampProcessCleanup@8 proc near	; CODE XREF: EtwExitProcess+17E2B6p
					; EtwpCovSampContextCleanup(x)+13p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	bl, dl
		push	edi
		xor	edi, edi
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_9FFCE8
		cmp	[esi+10h], edi
		jbe	short loc_9FFCD2

loc_9FFCBB:				; CODE XREF: EtwpCovSampProcessCleanup(x,x)+29j
		mov	edx, [esi+0Ch]
		mov	ecx, [esi]
		mov	edx, [edx+edi*8+4]
		call	_EtwpCovSampModuleDereference@8	; EtwpCovSampModuleDereference(x,x)
		inc	edi
		cmp	edi, [esi+10h]
		jb	short loc_9FFCBB
		mov	eax, [esi+0Ch]

loc_9FFCD2:				; CODE XREF: EtwpCovSampProcessCleanup(x,x)+15j
		push	56777445h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		mov	[esi+0Ch], edi
		mov	[esi+10h], edi
		mov	[esi+14h], edi

loc_9FFCE8:				; CODE XREF: EtwpCovSampProcessCleanup(x,x)+10j
		mov	edx, [esi+20h]
		test	edx, edx
		jz	short loc_9FFCF9
		mov	ecx, [esi]
		call	_EtwpCovSampModuleDereference@8	; EtwpCovSampModuleDereference(x,x)
		mov	[esi+20h], edi

loc_9FFCF9:				; CODE XREF: EtwpCovSampProcessCleanup(x,x)+49j
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_9FFD0C
		test	bl, bl
		jz	short loc_9FFD0A
		mov	ecx, [ecx]
		call	ObfDereferenceObject

loc_9FFD0A:				; CODE XREF: EtwpCovSampProcessCleanup(x,x)+5Dj
		mov	[esi], edi

loc_9FFD0C:				; CODE XREF: EtwpCovSampProcessCleanup(x,x)+59j
		pop	edi
		pop	esi
		pop	ebx
		retn
_EtwpCovSampProcessCleanup@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCovSampProcessEnsureContext(x)
_EtwpCovSampProcessEnsureContext@4 proc	near ; CODE XREF: EtwpCovSampImageNotify(x,x,x)+53p
		mov	edi, edi
		push	ebx
		push	esi
		lea	ebx, [ecx+4B0h]
		xor	esi, esi
		cmp	[ebx], esi
		jnz	short loc_9FFD7A
		test	byte ptr [ecx+3A8h], 1
		jz	short loc_9FFD30
		mov	esi, 0C00000BBh
		jmp	short loc_9FFD7A
; 

loc_9FFD30:				; CODE XREF: EtwpCovSampProcessEnsureContext(x)+17j
		push	56777445h
		push	24h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_9FFD4B
		mov	esi, 0C000009Ah
		jmp	short loc_9FFD7A
; 

loc_9FFD4B:				; CODE XREF: EtwpCovSampProcessEnsureContext(x)+32j
		push	edi
		push	9
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		mov	ecx, edx
		lock cmpxchg [ebx], ecx
		mov	edi, eax
		neg	edi
		sbb	edi, edi
		and	edi, edx
		jz	short loc_9FFD79
		mov	dl, 1
		mov	ecx, edi
		call	_EtwpCovSampProcessCleanup@8 ; EtwpCovSampProcessCleanup(x,x)
		push	56777445h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_9FFD79:				; CODE XREF: EtwpCovSampProcessEnsureContext(x)+53j
		pop	edi

loc_9FFD7A:				; CODE XREF: EtwpCovSampProcessEnsureContext(x)+Ej
					; EtwpCovSampProcessEnsureContext(x)+1Ej ...
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_EtwpCovSampProcessEnsureContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampProcessMapAddresses(x, x, x, x, x, x, x)
_EtwpCovSampProcessMapAddresses@28 proc	near
					; CODE XREF: EtwpCovSampCaptureBufferMapAddressesAndQueue(x,x)+9Fp
					; EtwpCovSampContextAddAddresses(x,x,x,x)+91p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, edx
		and	dword ptr [eax], 0
		mov	eax, ds:_KeTickCount
		mov	[ebp+var_14], eax
		mov	eax, large fs:124h
		push	edi
		mov	[ebp+var_18], ebx
		mov	edi, ecx
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [edi+4]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+8], eax
		cmp	ebx, [edi]
		jnz	loc_9FFE8B
		cmp	[ebp+arg_C], 0
		jz	loc_9FFE8B
		xor	ecx, ecx
		xor	eax, eax
		and	[ebp+var_10], ecx
		and	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], eax
		test	esi, esi
		jz	loc_9FFE86
		mov	ebx, [ebp+var_10]

loc_9FFDF0:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+FEj
		mov	ecx, [ebp+arg_0]
		mov	edx, [ecx+eax*4]
		xor	ecx, ecx
		mov	[ebp+var_10], edx
		test	ebx, ebx
		jz	short loc_9FFE13
		cmp	edx, [ebp+var_4]
		jb	short loc_9FFE0D
		cmp	edx, [ebx]
		jnb	short loc_9FFE0D
		mov	ecx, [ebx+4]
		jmp	short loc_9FFE0F
; 

loc_9FFE0D:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+83j
					; EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+87j
		xor	ebx, ebx

loc_9FFE0F:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+8Cj
		test	ecx, ecx
		jnz	short loc_9FFE3A

loc_9FFE13:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+7Ej
		mov	ecx, edi
		call	_EtwpCovSampProcessUpperBoundModule@8 ;	EtwpCovSampProcessUpperBoundModule(x,x)
		cmp	eax, [edi+10h]
		jnb	short loc_9FFE71
		mov	ecx, [edi+0Ch]
		lea	eax, [ecx+eax*8]
		mov	ecx, [eax+4]
		mov	edx, [eax]
		sub	edx, [ecx+18h]
		mov	[ebp+var_4], edx
		mov	edx, [ebp+var_10]
		cmp	edx, [ebp+var_4]
		jb	short loc_9FFE71
		mov	ebx, eax

loc_9FFE3A:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+92j
		cmp	dword ptr [ecx+4Ch], 0
		mov	eax, [ebp+var_14]
		mov	[ecx+50h], eax
		jnz	short loc_9FFE4E
		xor	eax, eax
		lea	esi, [ecx+4Ch]
		inc	eax
		xchg	eax, [esi]

loc_9FFE4E:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+C5j
		mov	eax, [ecx+44h]
		mov	ecx, [ebp+var_8]
		mov	esi, [ebp+arg_8]
		sub	edx, [ebp+var_4]
		mov	[esi+ecx*8], eax
		mov	eax, esi
		mov	esi, [ebp+arg_4]
		mov	[eax+ecx*8+4], edx
		inc	ecx
		mov	[ebp+var_8], ecx
		cmp	ecx, [ebp+arg_C]
		jnb	short loc_9FFE83
		jmp	short loc_9FFE74
; 

loc_9FFE71:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+9Ej
					; EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+B7j
		mov	ecx, [ebp+var_8]

loc_9FFE74:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+F0j
		mov	eax, [ebp+var_C]
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, esi
		jb	loc_9FFDF0

loc_9FFE83:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+EEj
		mov	ebx, [ebp+var_18]

loc_9FFE86:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+68j
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx

loc_9FFE8B:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+46j
					; EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+50j
		mov	eax, large fs:124h
		cmp	[edi+8], eax
		jnz	short loc_9FFEBC
		and	dword ptr [edi+8], 0
		lea	ecx, [edi+4]
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_9FFEB2
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [edi+4]

loc_9FFEB2:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+129j
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_9FFEBC:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+115j
		lea	eax, [ebx+2C0h]
		cmp	edi, eax
		jnz	short loc_9FFED3
		mov	eax, 26Ch
		lea	ecx, [ebx+268h]
		jmp	short loc_9FFEDE
; 

loc_9FFED3:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+145j
		mov	eax, 264h
		lea	ecx, [ebx+260h]

loc_9FFEDE:				; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+152j
		lock xadd [ecx], esi
		mov	ecx, [ebp+arg_10]
		add	eax, ebx
		mov	ecx, [ecx]
		lock xadd [eax], ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_EtwpCovSampProcessMapAddresses@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampProcessRemoveModule(x, x, x, x)
_EtwpCovSampProcessRemoveModule@16 proc	near
					; CODE XREF: EtwpCovSampProcessAddModule(x,x,x,x)+60p
					; EtwpCovSampProcessAddModule(x,x,x,x)+76p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		call	_EtwpCovSampProcessUpperBoundModule@8 ;	EtwpCovSampProcessUpperBoundModule(x,x)
		mov	esi, eax
		cmp	esi, [edi+10h]
		jnb	short loc_9FFF67
		mov	ecx, [ebp+arg_0]
		shl	eax, 3
		add	ecx, ebx
		mov	[ebp+arg_0], ecx

loc_9FFF17:				; CODE XREF: EtwpCovSampProcessRemoveModule(x,x,x,x)+71j
		mov	ebx, [edi+0Ch]
		add	ebx, eax
		mov	edx, [ebx+4]
		mov	eax, [ebx]
		sub	eax, [edx+18h]
		cmp	eax, ecx
		jnb	short loc_9FFF67
		mov	ecx, [edi]
		call	_EtwpCovSampModuleDereference@8	; EtwpCovSampModuleDereference(x,x)
		mov	ecx, [edi+10h]
		lea	eax, [esi+1]
		cmp	ecx, eax
		jbe	short loc_9FFF53
		sub	ecx, esi
		lea	eax, ds:0FFFFFFF8h[ecx*8]
		push	eax		; size_t
		lea	eax, [ebx+8]
		push	eax		; void *
		push	ebx		; void *
		call	_memmove
		mov	ecx, [edi+10h]
		add	esp, 0Ch

loc_9FFF53:				; CODE XREF: EtwpCovSampProcessRemoveModule(x,x,x,x)+43j
		lea	eax, [ecx-1]
		mov	ecx, [ebp+arg_0]
		mov	[edi+10h], eax
		cmp	esi, eax
		lea	eax, ds:0[esi*8]
		jb	short loc_9FFF17

loc_9FFF67:				; CODE XREF: EtwpCovSampProcessRemoveModule(x,x,x,x)+16j
					; EtwpCovSampProcessRemoveModule(x,x,x,x)+32j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_EtwpCovSampProcessRemoveModule@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampProcessUpperBoundModule(x, x)
_EtwpCovSampProcessUpperBoundModule@8 proc near
					; CODE XREF: EtwpCovSampProcessMapAddresses(x,x,x,x,x,x,x)+96p
					; EtwpCovSampProcessRemoveModule(x,x,x,x)+Cp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ecx+10h]
		push	edi
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_4], edx
		test	esi, esi
		jz	short loc_9FFFAA
		push	ebx
		mov	ebx, [ecx+0Ch]

loc_9FFF89:				; CODE XREF: EtwpCovSampProcessUpperBoundModule(x,x)+37j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		sub	eax, edi
		cdq
		sub	eax, edx
		sar	eax, 1
		add	eax, edi
		cmp	ecx, [ebx+eax*8]
		jnb	short loc_9FFFA0
		mov	esi, eax
		jmp	short loc_9FFFA2
; 

loc_9FFFA0:				; CODE XREF: EtwpCovSampProcessUpperBoundModule(x,x)+2Aj
		mov	edi, eax

loc_9FFFA2:				; CODE XREF: EtwpCovSampProcessUpperBoundModule(x,x)+2Ej
		lea	ecx, [edi+1]
		cmp	ecx, esi
		jnz	short loc_9FFF89
		pop	ebx

loc_9FFFAA:				; CODE XREF: EtwpCovSampProcessUpperBoundModule(x,x)+13j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_EtwpCovSampProcessUpperBoundModule@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampSampleBufferProcess(x, x)
_EtwpCovSampSampleBufferProcess@8 proc near
					; CODE XREF: EtwpCovSampCaptureWorkerThread(x)+75p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	[ebp+var_20], ecx
		xor	esi, esi
		push	edi
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_14], edx
		mov	[ebp+var_4], esi
		call	_EtwpCovSampAcquireSamplerRundown@4 ; EtwpCovSampAcquireSamplerRundown(x)
		test	eax, eax
		js	loc_A000B1
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_10], esi
		lea	ebx, [ecx+20h]
		cmp	[ecx+14h], esi
		jle	loc_A000B1
		mov	edi, [ebp+var_4]

loc_9FFFEB:				; CODE XREF: EtwpCovSampSampleBufferProcess(x,x)+F9j
		lea	eax, [esi+10h]
		cmp	eax, [ecx+1Ch]
		jg	loc_A000B4
		mov	eax, [ebx+4]
		mov	edx, eax
		mov	[ebp+var_8], eax

loc_9FFFFF:				; DATA XREF: EtwpStartLogger+68Eo
		xor	eax, eax
		shr	edx, 10h
		and	edx, 7FFFh
		cmp	[ebp+var_8], eax
		setl	al
		lea	eax, ds:4[eax*4]
		mov	[ebp+var_18], eax
		mov	eax, [ebx]
		mov	[ebp+var_1C], eax
		cmp	eax, esi
		jnz	loc_A000B4
		mov	eax, [ebp+var_8]
		movzx	eax, ax
		mov	[ebp+var_C], eax
		mov	eax, edx
		imul	eax, [ebp+var_18]
		cmp	[ebp+var_C], eax
		jb	short loc_A000B4
		mov	eax, [ebp+var_C]
		add	eax, [ebp+var_1C]
		mov	edi, [ebp+var_4]
		cmp	eax, [ecx+18h]
		ja	short loc_A000B4
		cmp	[ebp+var_8], 0
		lea	eax, [ebx+8]
		push	edx
		jge	short loc_A0005E
		mov	edx, eax
		mov	ecx, edi
		call	_EtwpCovSampContextAddSamples@12 ; EtwpCovSampContextAddSamples(x,x,x)
		jmp	short loc_A00090
; 

loc_A0005E:				; CODE XREF: EtwpCovSampSampleBufferProcess(x,x)+A1j
		mov	ecx, [ebp+var_20]
		push	eax
		call	_EtwpCovSampStackHashCheck@16 ;	EtwpCovSampStackHashCheck(x,x,x,x)
		test	eax, eax
		jnz	short loc_A00090
		movzx	eax, word ptr [ebx+6]
		mov	edx, large fs:124h
		and	eax, 7FFFh
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		push	eax
		lea	eax, [ebx+8]
		mov	edx, [edx+80h]
		push	eax
		call	_EtwpCovSampContextAddAddresses@16 ; EtwpCovSampContextAddAddresses(x,x,x,x)

loc_A00090:				; CODE XREF: EtwpCovSampSampleBufferProcess(x,x)+ACj
					; EtwpCovSampSampleBufferProcess(x,x)+B9j
		mov	eax, [ebx+4]
		mov	edx, [ebp+var_10]
		and	eax, 0FFFFh
		mov	ecx, [ebp+var_14]

loc_A0009E:				; DATA XREF: PAGE:_PspQuotaKeyNameso
		add	esi, eax
		add	ebx, eax
		inc	edx
		mov	[ebp+var_10], edx
		cmp	edx, [ecx+14h]
		jl	loc_9FFFEB
		jmp	short loc_A000B4
; 

loc_A000B1:				; CODE XREF: EtwpCovSampSampleBufferProcess(x,x)+20j
					; EtwpCovSampSampleBufferProcess(x,x)+32j
		mov	edi, [ebp+var_4]

loc_A000B4:				; CODE XREF: EtwpCovSampSampleBufferProcess(x,x)+41j
					; EtwpCovSampSampleBufferProcess(x,x)+71j ...
		test	edi, edi
		jz	short loc_A000C7
		mov	ecx, offset unk_6BC090
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_A000C7:				; CODE XREF: EtwpCovSampSampleBufferProcess(x,x)+106j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCovSampSampleBufferProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall EtwpCovSampSplitSegments(wchar_t *,int,int)
_EtwpCovSampSplitSegments@12 proc near	; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+422p
					; EtwpSetCoverageSamplerInformation(x,x,x)+437p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		push	esi		; wchar_t *
		call	__wcslwr
		xor	eax, eax
		mov	edi, eax
		mov	[ebp+var_4], eax
		pop	ecx
		cmp	[esi], ax
		jz	short loc_A00137

loc_A000EC:				; CODE XREF: EtwpCovSampSplitSegments(x,x,x)+69j
		push	3Ah		; wchar_t
		push	esi		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A00114
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_A000FF:				; CODE XREF: EtwpCovSampSplitSegments(x,x,x)+3Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_4]
		jnz	short loc_A000FF
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [esi+ecx*2]
		jmp	short loc_A0011D
; 

loc_A00114:				; CODE XREF: EtwpCovSampSplitSegments(x,x,x)+2Cj
		mov	ecx, eax
		sub	ecx, esi
		sar	ecx, 1
		add	eax, 2

loc_A0011D:				; CODE XREF: EtwpCovSampSplitSegments(x,x,x)+46j
		test	ecx, ecx
		jz	short loc_A0012E
		mov	[ebx+edi*8], esi
		mov	[ebx+edi*8+4], ecx
		inc	edi
		cmp	edi, 0Ah
		jnb	short loc_A00137

loc_A0012E:				; CODE XREF: EtwpCovSampSplitSegments(x,x,x)+53j
		xor	ecx, ecx
		mov	esi, eax
		cmp	[eax], cx
		jnz	short loc_A000EC

loc_A00137:				; CODE XREF: EtwpCovSampSplitSegments(x,x,x)+1Ej
					; EtwpCovSampSplitSegments(x,x,x)+60j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpCovSampSplitSegments@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampStackHashCheck(x, x, x, x)
_EtwpCovSampStackHashCheck@16 proc near	; CODE XREF: EtwpCovSampCaptureBufferMapAddressesAndQueue(x,x)+42p
					; EtwpCovSampCaptureBufferProcess(x,x)+3Cp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	edx, edx
		lea	eax, [ecx+1E4h]
		mov	[ebp+var_8], edx
		mov	[ebp+var_18], eax
		cmp	[eax], edx
		jnz	short loc_A00161
		xor	eax, eax
		jmp	locret_A00303
; 

loc_A00161:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+18j
		mov	eax, [eax]
		push	ebx
		mov	ebx, [ecx+1E8h]
		mov	[ebp+var_4], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], ebx
		push	esi
		push	edi
		cmp	eax, ebx
		jnz	short loc_A00185
		mov	ebx, [ecx+1ECh]
		mov	[ebp+var_C], ebx

loc_A00185:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+3Aj
		mov	edi, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	esi, [ecx+1F0h]
		shl	edi, 2
		cmp	edi, 8
		jl	short loc_A00200
		mov	eax, edi
		shr	eax, 3
		mov	[ebp+arg_0], eax
		mov	ebx, eax
		imul	eax, -8
		add	edi, eax

loc_A001A8:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+BBj
		movzx	eax, byte ptr [edx+1]
		imul	ecx, eax, 25h
		movzx	eax, byte ptr [edx+2]
		add	ecx, eax
		movzx	eax, byte ptr [edx+3]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+4]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+5]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx+6]
		imul	ecx, 25h
		add	ecx, eax
		movzx	eax, byte ptr [edx]
		imul	ecx, 25h
		imul	eax, 1A617D0Dh
		add	ecx, eax
		imul	eax, esi, 2FE8ED1Fh
		movzx	esi, byte ptr [edx+7]
		add	edx, 8
		sub	ecx, eax
		add	esi, ecx
		sub	ebx, 1
		jnz	short loc_A001A8
		mov	ebx, [ebp+var_C]

loc_A00200:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+57j
		sub	edi, 1
		jz	short loc_A00259
		sub	edi, 1
		jz	short loc_A00250
		sub	edi, 1
		jz	short loc_A00247
		sub	edi, 1
		jz	short loc_A0023E
		sub	edi, 1
		jz	short loc_A00235
		sub	edi, 1
		jz	short loc_A0022C
		sub	edi, 1
		jnz	short loc_A00261
		movzx	eax, byte ptr [edx]
		imul	esi, 25h
		add	esi, eax
		inc	edx

loc_A0022C:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+DCj
		movzx	eax, byte ptr [edx]
		imul	esi, 25h
		add	esi, eax
		inc	edx

loc_A00235:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+D7j
		movzx	eax, byte ptr [edx]
		imul	esi, 25h
		add	esi, eax
		inc	edx

loc_A0023E:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+D2j
		movzx	eax, byte ptr [edx]
		imul	esi, 25h
		add	esi, eax
		inc	edx

loc_A00247:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+CDj
		movzx	eax, byte ptr [edx]
		imul	esi, 25h
		add	esi, eax
		inc	edx

loc_A00250:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+C8j
		movzx	eax, byte ptr [edx]
		imul	esi, 25h
		add	esi, eax
		inc	edx

loc_A00259:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+C3j
		movzx	eax, byte ptr [edx]
		imul	esi, 25h
		add	esi, eax

loc_A00261:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+E1j
		mov	edi, [ebp+var_14]
		lea	eax, [ebp+var_8]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	_EtwpCovSampStackHashLookup@12 ; EtwpCovSampStackHashLookup(x,x,x)
		test	eax, eax
		jz	short loc_A0027D
		xor	eax, eax
		inc	eax
		jmp	loc_A00300
; 

loc_A0027D:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+133j
		imul	eax, [edi+4], 7
		shr	eax, 3
		cmp	[edi], eax
		ja	short loc_A002FD
		xor	edx, edx
		inc	edx
		mov	ecx, edx
		lock xadd [edi], ecx
		inc	ecx
		cmp	ecx, eax
		jnz	short loc_A00299
		mov	[ebp+var_10], edx

loc_A00299:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+154j
		imul	eax, [edi+4], 7
		shr	eax, 3
		cmp	ecx, eax
		jnb	short loc_A002D7
		jmp	short loc_A002B7
; 

loc_A002A6:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+184j
		lea	eax, [ebp+var_8]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	_EtwpCovSampStackHashLookup@12 ; EtwpCovSampStackHashLookup(x,x,x)
		test	eax, eax
		jnz	short loc_A00307

loc_A002B7:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+164j
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		mov	edx, esi
		lock cmpxchg [ecx], edx
		test	eax, eax
		jnz	short loc_A002A6
		lea	eax, [ebp+var_8]
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	_EtwpCovSampStackHashLookup@12 ; EtwpCovSampStackHashLookup(x,x,x)
		test	eax, eax
		jnz	short loc_A00307

loc_A002D7:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+162j
		mov	eax, [ebp+var_4]

loc_A002DA:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+1CDj
		cmp	[ebp+var_10], 0
		jz	short loc_A00300
		mov	eax, [ebx+4]
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [ebx+8]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_18]
		add	esp, 0Ch
		and	dword ptr [ebx], 0
		xchg	ebx, [eax]

loc_A002FD:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+146j
		mov	eax, [ebp+var_4]

loc_A00300:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+138j
					; EtwpCovSampStackHashCheck(x,x,x,x)+19Ej
		pop	edi
		pop	esi
		pop	ebx

locret_A00303:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+1Cj
		leave
		retn	8
; 

loc_A00307:				; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+175j
					; EtwpCovSampStackHashCheck(x,x,x,x)+195j
		xor	eax, eax
		inc	eax
		mov	[ebp+var_4], eax
		jmp	short loc_A002DA
_EtwpCovSampStackHashCheck@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampStackHashLookup(x, x, x)
_EtwpCovSampStackHashLookup@12 proc near
					; CODE XREF: EtwpCovSampStackHashCheck(x,x,x,x)+12Cp
					; EtwpCovSampStackHashCheck(x,x,x,x)+16Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		mov	edx, ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], edx
		push	edi
		mov	eax, [edx+4]
		mov	ecx, esi
		dec	eax
		mov	[ebp+var_4], eax
		and	eax, ebx
		jmp	short loc_A0034B
; 

loc_A0032F:				; CODE XREF: EtwpCovSampStackHashLookup(x,x,x)+46j
		test	edi, edi
		jz	short loc_A0035A
		test	ecx, ecx
		jnz	short loc_A00343
		imul	ecx, ebx, 9E3779B1h
		test	cl, 1
		jnz	short loc_A00343
		inc	ecx

loc_A00343:				; CODE XREF: EtwpCovSampStackHashLookup(x,x,x)+26j
					; EtwpCovSampStackHashLookup(x,x,x)+31j
		mov	edx, [ebp+var_8]
		add	eax, ecx
		and	eax, [ebp+var_4]

loc_A0034B:				; CODE XREF: EtwpCovSampStackHashLookup(x,x,x)+1Ej
		lea	edx, [edx+eax*4]
		add	edx, 8
		mov	edi, [edx]
		cmp	edi, ebx
		jnz	short loc_A0032F
		xor	esi, esi
		inc	esi

loc_A0035A:				; CODE XREF: EtwpCovSampStackHashLookup(x,x,x)+22j
		mov	ecx, [ebp+arg_0]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx], edx
		leave
		retn	4
_EtwpCovSampStackHashLookup@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampStackHashTableAlloc(x, x)
_EtwpCovSampStackHashTableAlloc@8 proc near
					; CODE XREF: EtwpCovSampCaptureContextStart(x)+14Cp
					; EtwpCovSampCaptureContextStart(x)+15Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		mov	eax, [ebx]
		mov	[ebp+var_8], edi
		test	eax, eax
		jz	short loc_A0038E
		push	56777445h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebx], esi

loc_A0038E:				; CODE XREF: EtwpCovSampStackHashTableAlloc(x,x)+17j
		lea	eax, ds:8[edi*4]
		push	56777445h
		push	eax
		push	1
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A003B2
		mov	esi, 0C000009Ah
		jmp	short loc_A003C7
; 

loc_A003B2:				; CODE XREF: EtwpCovSampStackHashTableAlloc(x,x)+41j
		push	[ebp+var_4]	; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	[edi+4], eax
		mov	[ebx], edi

loc_A003C7:				; CODE XREF: EtwpCovSampStackHashTableAlloc(x,x)+48j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCovSampStackHashTableAlloc@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCovSampStrideSamplerInitialize(x, x, x)
_EtwpCovSampStrideSamplerInitialize@12 proc near
					; CODE XREF: EtwpCovSampCaptureContextStart(x)+2B2p
					; EtwpCovSampCaptureContextStart(x)+2C3p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	ebx, edx
		push	0Ah
		pop	eax
		mov	ecx, eax
		mov	edi, esi
		xor	eax, eax
		rep stosd
		xor	ecx, ecx
		call	ExGenRandom
		mov	[esi+24h], eax
		xor	edx, edx
		imul	eax, ebx, 0Ah
		div	ds:_KeMaximumIncrement
		mov	[esi+8], eax
		mov	eax, ds:_KeTickCount
		mov	ecx, [esi+8]
		sub	eax, ecx
		dec	eax
		mov	[esi+4], eax
		test	ecx, ecx
		jnz	short loc_A00439
		test	ebx, ebx
		jz	short loc_A00439
		mov	eax, ds:_KeMaximumIncrement
		xor	edx, edx
		push	0Ah
		pop	ecx
		div	ecx
		xor	edx, edx
		mov	ecx, 10000000h
		div	ebx
		mul	[ebp+arg_0]
		test	edx, edx
		ja	short loc_A00435
		jb	short loc_A0043C
		cmp	eax, ecx
		jb	short loc_A0043C

loc_A00435:				; CODE XREF: EtwpCovSampStrideSamplerInitialize(x,x,x)+5Fj
		mov	eax, ecx
		jmp	short loc_A0043C
; 

loc_A00439:				; CODE XREF: EtwpCovSampStrideSamplerInitialize(x,x,x)+3Fj
					; EtwpCovSampStrideSamplerInitialize(x,x,x)+43j
		mov	eax, [ebp+arg_0]

loc_A0043C:				; CODE XREF: EtwpCovSampStrideSamplerInitialize(x,x,x)+61j
					; EtwpCovSampStrideSamplerInitialize(x,x,x)+65j ...
		mov	[esi], eax
		shl	eax, 2
		pop	edi
		mov	[esi+0Ch], eax
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_EtwpCovSampStrideSamplerInitialize@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCoverageSamplerAllocateTable(x)
_EtwpCoverageSamplerAllocateTable@4 proc near
					; CODE XREF: EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+CCp
					; EtwpCoverageSamplerStart(x)+2Ep
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	56777445h
		push	14h
		push	1
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A004A6
		xor	eax, eax
		mov	edi, esi
		push	56777445h
		stosd
		stosd
		stosd
		stosd
		stosd
		mov	edi, ebx
		shl	edi, 3
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+10h], eax
		test	eax, eax
		jnz	short loc_A00497
		push	56777445h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		jmp	short loc_A004A8
; 

loc_A00497:				; CODE XREF: EtwpCoverageSamplerAllocateTable(x)+3Bj
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+0Ch], ebx

loc_A004A6:				; CODE XREF: EtwpCoverageSamplerAllocateTable(x)+19j
		mov	eax, esi

loc_A004A8:				; CODE XREF: EtwpCoverageSamplerAllocateTable(x)+4Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
_EtwpCoverageSamplerAllocateTable@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCoverageSamplerCleanup(x)
_EtwpCoverageSamplerCleanup@4 proc near	; CODE XREF: EtwpCoverageSamplerDelete(x)+8p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		lea	ecx, [esi+8]
		call	_EtwpCovSampContextCleanup@4 ; EtwpCovSampContextCleanup(x)
		lea	edi, [esi+3ACh]
		xor	ebx, ebx

loc_A004C3:				; CODE XREF: EtwpCoverageSamplerCleanup(x)+41j
		mov	ecx, [edi]
		cmp	ecx, edi
		jz	short loc_A004F4
		cmp	[ecx+4], edi
		jnz	short loc_A004EF
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_A004EF
		mov	[edi], eax
		mov	[eax+4], edi
		cmp	ecx, [esi+3A4h]
		jnz	short loc_A004E8
		mov	[esi+3A4h], ebx

loc_A004E8:				; CODE XREF: EtwpCoverageSamplerCleanup(x)+34j
		call	_EtwpCoverageSamplerFreeTable@4	; EtwpCoverageSamplerFreeTable(x)
		jmp	short loc_A004C3
; 

loc_A004EF:				; CODE XREF: EtwpCoverageSamplerCleanup(x)+20j
					; EtwpCoverageSamplerCleanup(x)+27j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A004F4:				; CODE XREF: EtwpCoverageSamplerCleanup(x)+1Bj
		mov	eax, [esi+3B8h]
		mov	[esi+3B4h], ebx
		test	eax, eax
		jz	short loc_A00522
		push	eax
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		mov	[esi+3B8h], ebx
		mov	[esi+3C0h], ebx
		mov	[esi+3BCh], ebx
		mov	[esi+3C4h], ebx

loc_A00522:				; CODE XREF: EtwpCoverageSamplerCleanup(x)+56j
		mov	ecx, [esi+3A8h]
		test	ecx, ecx
		jz	short loc_A00537
		call	ObfDereferenceObject
		mov	[esi+3A8h], ebx

loc_A00537:				; CODE XREF: EtwpCoverageSamplerCleanup(x)+7Ej
		pop	edi
		pop	esi
		pop	ebx
		retn
_EtwpCoverageSamplerCleanup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageSamplerClose(x,	x, x, x)
_EtwpCoverageSamplerClose@16 proc near	; DATA XREF: EtwpInitializeCoverageSampler+83o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_C], 1
		jnz	loc_A005CA
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	bl, bl
		dec	word ptr [eax+13Ch]
		push	edi
		nop
		mov	edi, offset _EtwpCovSampGlobals
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebp+arg_4]
		mov	eax, large fs:124h
		mov	dword_6BC084, eax
		mov	eax, [esi+3CCh]
		test	al, 1
		jnz	short loc_A0058E
		or	eax, 1
		inc	bl
		mov	[esi+3CCh], eax

loc_A0058E:				; CODE XREF: EtwpCoverageSamplerClose(x,x,x,x)+46j
		and	dword_6BC084, 0
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A005A9
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A005A9:				; CODE XREF: EtwpCoverageSamplerClose(x,x,x,x)+65j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, bl
		jz	short loc_A005C7
		mov	ecx, esi
		call	_EtwpCoverageSamplerStop@4 ; EtwpCoverageSamplerStop(x)

loc_A005C7:				; CODE XREF: EtwpCoverageSamplerClose(x,x,x,x)+83j
		pop	edi
		pop	esi
		pop	ebx

loc_A005CA:				; CODE XREF: EtwpCoverageSamplerClose(x,x,x,x)+9j
		pop	ebp
		retn	10h
_EtwpCoverageSamplerClose@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageSamplerDelete(x)
_EtwpCoverageSamplerDelete@4 proc near	; DATA XREF: EtwpInitializeCoverageSampler+8Ao

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_EtwpCoverageSamplerCleanup@4 ;	EtwpCoverageSamplerCleanup(x)
		pop	ebp
		retn	4
_EtwpCoverageSamplerDelete@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCoverageSamplerFreeTable(x)
_EtwpCoverageSamplerFreeTable@4	proc near
					; CODE XREF: EtwpCovSampContextAddSamples(x,x,x)+1C2p
					; EtwpCovSampHashMakeRoomAndAcquireLock(x,x,x)+C5p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, 56777445h
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_A005FC
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+10h], 0

loc_A005FC:				; CODE XREF: EtwpCoverageSamplerFreeTable(x)+10j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		retn
_EtwpCoverageSamplerFreeTable@4	endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCoverageSamplerInitialize(x)
_EtwpCoverageSamplerInitialize@4 proc near
					; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+400p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		push	3CCh		; size_t
		push	0		; int
		lea	eax, [edi+4]
		push	eax		; void *
		call	_memset
		and	dword ptr [edi], 0
		lea	ecx, [edi+8]
		add	esp, 0Ch
		call	_EtwpCovSampContextInitialize@4	; EtwpCovSampContextInitialize(x)
		lea	eax, [edi+3ACh]
		mov	[edi+8], edi
		mov	dword ptr [edi+3C8h], 1
		pop	edi
		mov	[eax+4], eax
		mov	[eax], eax
		pop	esi
		retn
_EtwpCoverageSamplerInitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageSamplerQuery(x,	x, x, x)
_EtwpCoverageSamplerQuery@16 proc near	; CODE XREF: EtwpQueryCoverageSamplerInformation(x,x,x,x)+F1p

var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	0B8h
		push	offset dword_6AA048
		call	__SEH_prolog4_GS
		mov	[ebp+var_9C], edx
		mov	edi, ecx
		mov	[ebp+var_88], edi
		mov	[ebp+var_B0], edi
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_AC], eax
		xor	ebx, ebx
		mov	[ebp+var_90], ebx
		mov	eax, dword_6BC094
		mov	[ebp+var_74], eax
		lea	eax, [edi+8]
		mov	[ebp+var_64], eax
		mov	[ebp+var_48], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_68], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_84], ebx
		lea	ecx, [ebp+var_90]
		call	_EtwpCovSampAcquireSamplerRundown@4 ; EtwpCovSampAcquireSamplerRundown(x)
		mov	esi, eax
		mov	[ebp+var_40], esi
		test	esi, esi
		js	loc_A00E39
		cmp	[ebp+var_90], edi
		jz	short loc_A006CF
		mov	esi, 0C0000189h

loc_A006C7:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+2EFj
					; EtwpCoverageSamplerQuery(x,x,x,x)+319j ...
		mov	[ebp+var_40], esi
		jmp	loc_A00E39
; 

loc_A006CF:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+7Bj
		mov	ecx, [ebp+var_74]
		call	_EtwpCovSampCaptureFlush@4 ; EtwpCovSampCaptureFlush(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+4], eax
		mov	[ebp+var_4C], 2CCh
		mov	ecx, ebx
		lea	edx, [edi+3ACh]
		mov	[ebp+var_B4], edx
		mov	eax, [edx]

loc_A0070E:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+D2j
		cmp	eax, edx
		jz	short loc_A00719
		add	ecx, [eax+8]
		mov	eax, [eax]
		jmp	short loc_A0070E
; 

loc_A00719:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+CBj
		mov	[ebp+var_58], ecx
		mov	eax, ecx
		push	8
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_54]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		mov	[ebp+var_40], esi
		test	esi, esi
		js	loc_A00E39
		lea	eax, [ebp+var_4C]
		push	eax
		mov	edx, 2CCh
		mov	ecx, [ebp+var_54]
		call	RtlUIntAdd
		mov	esi, eax
		mov	[ebp+var_40], esi
		test	esi, esi
		js	loc_A00E39
		mov	eax, ebx
		mov	[ebp+var_5C], eax
		mov	[ebp+var_8C], eax
		mov	[ebp+var_60], ebx
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_50], ebx
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_68], eax
		mov	[ebp+var_6C], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+var_64]
		lea	eax, [esi+290h]
		mov	[ebp+var_98], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		mov	ecx, [esi+2B0h]

loc_A007A1:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+234j
		mov	eax, [ebp+var_68]
		mov	[ebp+var_44], eax

loc_A007A7:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+18Bj
					; EtwpCoverageSamplerQuery(x,x,x,x)+21Ej
		mov	eax, ecx
		mov	[ebp+var_78], eax
		lea	edx, [esi+2B0h]
		cmp	ecx, edx
		jz	loc_A0087E
		mov	ecx, [ecx]
		mov	[ebp+var_94], ecx
		lea	edx, [eax+24h]
		cmp	[edx], ebx
		jnz	short loc_A007D2
		test	dword ptr [eax+18h], 100000h
		jz	short loc_A007A7

loc_A007D2:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+182j
		cmp	[eax+10h], ebx
		jz	loc_A00868
		mov	ecx, [ebp+var_5C]
		inc	ecx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_8C], ecx
		inc	[ebp+var_60]
		lea	ecx, [ebp+var_7C]
		push	ecx
		movzx	eax, word ptr [eax+18h]
		lea	ecx, ds:2[eax*2]
		mov	edx, [ebp+var_7C]
		call	RtlUIntAdd
		mov	esi, eax
		mov	[ebp+var_40], esi
		test	esi, esi
		js	loc_A00E39
		mov	ecx, [ebp+var_78]
		mov	ecx, [ecx-8]
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ecx-1]
		and	eax, 3
		sub	ecx, eax
		add	ecx, 3
		mov	edx, [ebp+var_50]
		call	RtlUIntAdd
		mov	esi, eax
		mov	[ebp+var_40], esi
		test	esi, esi
		js	loc_A00E39
		mov	ecx, [ebp+var_78]
		add	ecx, 2Ch
		lea	edx, [ebp+var_6C]
		mov	eax, [ebp+var_44]
		cmp	[eax], edx
		jnz	loc_A00D91
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_68], ecx
		mov	esi, [ebp+var_64]
		mov	ecx, [ebp+var_94]
		jmp	loc_A007A7
; 

loc_A00868:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+190j
		cmp	dword ptr [eax-4], 1
		jnz	short loc_A00875
		lock inc dword ptr [esi+390h]

loc_A00875:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+227j
		xor	eax, eax
		xchg	eax, [edx]
		jmp	loc_A007A1
; 

loc_A0087E:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+16Fj
		xor	ecx, ecx
		push	11h
		pop	eax
		mov	esi, [ebp+var_98]
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_A00899
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A00899:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+24Bj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, [ebp+var_60]
		push	30h
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_54]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		mov	[ebp+var_40], esi
		test	esi, esi
		js	loc_A00E39
		lea	eax, [ebp+var_4C]
		push	eax
		mov	edx, [ebp+var_54]
		mov	ecx, [ebp+var_4C]
		call	RtlUIntAdd
		mov	esi, eax
		mov	[ebp+var_40], esi
		test	esi, esi
		js	loc_A00E39
		lea	eax, [ebp+var_4C]
		push	eax
		mov	edx, [ebp+var_7C]
		mov	ecx, [ebp+var_4C]
		call	RtlUIntAdd
		mov	esi, eax
		mov	[ebp+var_40], esi
		test	esi, esi
		js	loc_A00E39
		lea	eax, [ebp+var_4C]
		push	eax
		mov	edx, [ebp+var_50]
		mov	ecx, [ebp+var_4C]
		call	RtlUIntAdd
		mov	esi, eax
		mov	[ebp+var_40], eax
		test	esi, esi
		js	loc_A00E39
		mov	eax, [ebp+var_4C]
		cmp	[ebp+arg_0], eax
		jnb	short loc_A00939
		mov	ecx, [ebp+var_AC]
		mov	[ecx], eax
		mov	esi, 0C0000023h
		jmp	loc_A006C7
; 

loc_A00939:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+2E0j
		mov	eax, [ebp+var_5C]
		test	eax, eax
		jz	short loc_A0096E
		mov	esi, eax
		shl	esi, 2
		push	56777445h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_80], eax
		test	eax, eax
		jnz	short loc_A00963
		mov	esi, 0C000009Ah
		jmp	loc_A006C7
; 

loc_A00963:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+312j
		push	esi		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_A0096E:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+2F9j
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [ebp+var_9C]
		test	byte ptr [esi+10h], 1
		jz	short loc_A009BF
		mov	eax, [ebp+var_74]
		mov	ecx, [eax+1E8h]
		test	ecx, ecx
		jz	short loc_A009A1
		mov	eax, [ecx+4]
		shl	eax, 2
		push	eax		; size_t
		push	ebx		; int
		lea	eax, [ecx+8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp+var_74]

loc_A009A1:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+343j
		mov	ecx, [eax+1ECh]
		test	ecx, ecx
		jz	short loc_A009BF
		mov	eax, [ecx+4]
		shl	eax, 2
		push	eax		; size_t
		push	ebx		; int
		lea	eax, [ecx+8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_A009BF:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+336j
					; EtwpCoverageSamplerQuery(x,x,x,x)+364j
		mov	[ebp+var_48], esi
		lea	eax, [esi+14h]
		mov	[ebp+var_48], eax
		mov	esi, eax
		mov	[ebp+var_70], esi
		add	eax, 2Ch
		mov	[ebp+var_9C], eax
		mov	[ebp+var_48], eax
		push	2Ch		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		push	2Ch
		pop	ecx
		mov	[esi], ecx
		mov	eax, [edi+3C8h]
		mov	[esi+8], eax
		mov	eax, 250h
		mov	[esi+10h], eax
		mov	[esi+0Ch], ecx
		mov	edx, [ebp+var_9C]
		mov	edi, edx
		add	edx, eax
		mov	[ebp+var_48], edx
		mov	esi, [ebp+var_64]
		add	esi, 4
		add	ecx, 68h
		rep movsd
		push	3Ch
		pop	ecx
		mov	edi, [ebp+var_70]
		mov	[edi+18h], ecx
		mov	eax, edx
		sub	eax, edi
		mov	[edi+14h], eax
		mov	[ebp+var_84], edx
		add	edx, ecx
		mov	[ebp+var_48], edx
		mov	ecx, [ebp+var_58]
		mov	[edi+20h], ecx
		mov	eax, edx
		sub	eax, edi
		mov	[edi+1Ch], eax
		mov	[ebp+var_B8], edx
		lea	esi, [edx+ecx*8]
		mov	[ebp+var_48], esi
		mov	edi, [ebp+var_B4]
		mov	edi, [edi]
		mov	[ebp+var_54], edi
		mov	ecx, [ebp+var_88]

loc_A00A5B:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+474j
		lea	eax, [ecx+3ACh]
		cmp	edi, eax
		jz	short loc_A00ABB
		mov	edi, ebx

loc_A00A67:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+468j
		mov	[ebp+var_BC], edi
		mov	eax, [ebp+var_54]
		cmp	edi, [eax+0Ch]
		jnb	short loc_A00AB2
		mov	eax, [eax+10h]
		mov	[ebp+var_44], eax
		mov	eax, [eax+edi*8]
		mov	ecx, [ebp+var_44]
		or	eax, [ecx+edi*8+4]
		mov	ecx, [ebp+var_88]
		jz	short loc_A00AAC
		cmp	edx, esi
		jnb	short loc_A00AAF
		mov	eax, [ebp+var_44]
		mov	eax, [eax+edi*8]
		mov	[edx], eax
		mov	eax, [ebp+var_44]
		mov	eax, [eax+edi*8+4]
		mov	[edx+4], eax
		add	edx, 8
		mov	[ebp+var_B8], edx

loc_A00AAC:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+446j
		inc	edi
		jmp	short loc_A00A67
; 

loc_A00AAF:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+44Aj
		mov	eax, [ebp+var_54]

loc_A00AB2:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+42Ej
		mov	eax, [eax]
		mov	[ebp+var_54], eax
		mov	edi, eax
		jmp	short loc_A00A5B
; 

loc_A00ABB:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+41Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_70]
		mov	edx, [ebp+var_60]
		mov	[ecx+28h], edx
		mov	eax, esi
		sub	eax, ecx
		mov	[ecx+24h], eax
		mov	ecx, esi
		mov	[ebp+var_A4], ecx
		imul	eax, edx, 30h
		add	esi, eax
		mov	[ebp+var_48], esi
		push	eax		; size_t
		push	ebx		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi
		add	esi, [ebp+var_50]
		mov	[ebp+var_48], esi
		mov	[ebp+var_98], esi
		mov	[ebp+var_50], esi
		add	esi, [ebp+var_7C]
		mov	[ebp+var_58], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_78], esi
		mov	[ebp+var_A8], ebx
		mov	esi, [ebp+var_6C]
		mov	edi, [ebp+var_64]

loc_A00B1D:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+669j
		mov	[ebp+var_44], ecx
		lea	eax, [ebp+var_6C]
		cmp	esi, eax
		jz	loc_A00CB3
		mov	eax, [esi]
		mov	[ebp+var_C0], eax
		sub	ecx, [ebp+var_70]
		mov	edx, [ebp+var_A4]
		mov	[edx+8], ecx
		mov	eax, [esi-34h]
		mov	[edx+0Ch], eax
		mov	eax, [ebp+var_50]
		sub	eax, [ebp+var_70]
		mov	[edx], eax
		movzx	eax, word ptr [esi-14h]
		mov	[edx+4], eax
		mov	eax, [esi-40h]
		mov	[edx+10h], eax
		mov	eax, [esi-44h]
		mov	[edx+14h], eax
		mov	eax, [esi-3Ch]
		mov	[edx+18h], eax
		mov	eax, [esi-10h]
		mov	[edx+1Ch], eax
		mov	eax, [esi-0Ch]
		mov	[edx+20h], eax
		mov	eax, [esi+8]
		mov	[edx+24h], eax
		mov	eax, [esi+0Ch]
		mov	[edx+28h], eax
		mov	eax, [esi+10h]
		mov	[edx+2Ch], eax
		add	edx, 30h
		mov	[ebp+var_A4], edx
		push	dword ptr [esi-34h] ; size_t
		push	dword ptr [esi-38h] ; void *
		push	[ebp+var_44]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [esi-34h]
		mov	ecx, [ebp+var_44]
		add	ecx, 3
		add	eax, ecx
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_94], eax
		cmp	eax, [ebp+var_98]
		ja	loc_A00CB3
		movzx	eax, word ptr [esi-14h]
		push	eax
		push	dword ptr [esi-18h]
		mov	edx, [ebp+var_78]
		sub	edx, [ebp+var_50]
		sar	edx, 1
		mov	ecx, [ebp+var_50]
		call	RtlStringCchCopyNW
		movzx	eax, word ptr [esi-14h]
		mov	ecx, [ebp+var_50]
		add	ecx, 2
		lea	eax, [ecx+eax*2]
		mov	[ebp+var_A0], eax
		cmp	eax, [ebp+var_78]
		ja	loc_A00CB3
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [edi+290h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	[edi+294h], eax
		mov	eax, [esi-1Ch]
		mov	ecx, [ebp+var_A8]
		mov	edx, [ebp+var_80]
		mov	[edx+ecx*4], eax
		inc	ecx
		mov	[ebp+var_A8], ecx
		mov	[esi-1Ch], ebx
		mov	[esi-18h], ebx
		and	dword ptr [esi-14h], 0FFFF0000h
		mov	eax, [esi-14h]
		or	eax, 80000h
		mov	[esi-14h], eax
		mov	[edi+294h], ebx
		or	eax, 0FFFFFFFFh
		lea	ecx, [edi+290h]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A00C6B
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [edi+290h]

loc_A00C6B:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+619j
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		dec	[ebp+var_60]
		cmp	dword ptr [esi-30h], 1
		jnz	short loc_A00C8C
		lock inc dword ptr [edi+390h]

loc_A00C8C:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+63Ej
		xor	ecx, ecx
		lea	eax, [esi-8]
		xchg	ecx, [eax]
		mov	eax, [ebp+var_48]
		mov	[ebp+var_58], eax
		mov	ecx, [ebp+var_94]
		mov	esi, [ebp+var_C0]
		mov	eax, [ebp+var_A0]
		mov	[ebp+var_50], eax
		jmp	loc_A00B1D
; 

loc_A00CB3:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+4E0j
					; EtwpCoverageSamplerQuery(x,x,x,x)+573j ...
		lea	eax, [edi+254h]
		push	0Fh
		pop	ecx
		mov	esi, eax
		mov	edi, [ebp+var_84]
		rep movsd
		push	3Ch		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		rep stosd
		lea	edx, [ebp+var_3C]
		mov	ecx, [ebp+var_74]
		call	_EtwpCovSampCaptureFlushStats@8	; EtwpCovSampCaptureFlushStats(x,x)
		mov	eax, [ebp+var_3C]
		mov	ecx, [ebp+var_84]
		mov	[ecx+1Ch], eax
		mov	eax, [ebp+var_38]
		mov	[ecx+20h], eax
		mov	eax, [ebp+var_34]
		mov	[ecx+24h], eax
		mov	eax, [ebp+var_30]
		mov	[ecx+28h], eax
		mov	eax, [ebp+var_2C]
		mov	[ecx+2Ch], eax
		mov	eax, [ebp+var_28]
		mov	[ecx+30h], eax
		mov	eax, [ebp+var_24]
		mov	[ecx+34h], eax
		mov	eax, [ebp+var_20]
		mov	[ecx+38h], eax
		mov	eax, [ebp+var_58]
		mov	ecx, [ebp+var_70]
		sub	eax, ecx
		mov	[ecx+4], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_88]
		lea	ecx, [edi+3ACh]
		mov	eax, [ecx]

loc_A00D3D:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+74Aj
		cmp	eax, ecx
		jz	short loc_A00D96
		mov	esi, eax
		mov	eax, [eax]
		mov	[ebp+var_58], eax
		cmp	esi, [edi+3A4h]
		jnz	short loc_A00D68
		mov	eax, [esi+0Ch]
		shl	eax, 3
		push	eax		; size_t
		push	ebx		; int
		push	dword ptr [esi+10h] ; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+8], ebx
		jmp	short loc_A00D86
; 

loc_A00D68:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+709j
		mov	ecx, [esi+4]
		cmp	[eax+4], esi
		jnz	short loc_A00D91
		cmp	[ecx], esi
		jnz	short loc_A00D91
		mov	[ecx], eax
		mov	[eax+4], ecx
		dec	dword ptr [edi+3B4h]
		mov	ecx, esi
		call	_EtwpCoverageSamplerFreeTable@4	; EtwpCoverageSamplerFreeTable(x)

loc_A00D86:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+721j
		mov	eax, [ebp+var_58]
		lea	ecx, [edi+3ACh]
		jmp	short loc_A00D3D
; 

loc_A00D91:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+202j
					; EtwpCoverageSamplerQuery(x,x,x,x)+729j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A00D96:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+6FAj
		inc	dword ptr [edi+3C8h]
		push	ebx
		mov	edx, [ebp+var_74]
		mov	ecx, edi
		call	_EtwpCovSampCaptureContextSetPaused@12 ; EtwpCovSampCaptureContextSetPaused(x,x,x)
		mov	[edi+4], ebx
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A00DBE
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A00DBE:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+770j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_64]
		call	_EtwpCovSampContextPruneModules@4 ; EtwpCovSampContextPruneModules(x)
		mov	eax, [ebp+var_4C]
		mov	ecx, [ebp+var_AC]
		mov	[ecx], eax
		mov	esi, ebx
		jmp	loc_A006C7
; 

loc_A00DEB:				; DATA XREF: .text:006AA068o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_C4], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A00DFC:				; DATA XREF: .text:006AA06Co
		mov	esi, [ebp+var_C4]
		jmp	short loc_A00E1B
; 

loc_A00E04:				; DATA XREF: .text:006AA05Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_C8], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A00E15:				; DATA XREF: .text:006AA060o
		mov	esi, [ebp+var_C8]

loc_A00E1B:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+7BDj
		mov	[ebp+var_40], esi
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_8C]
		mov	edi, [ebp+var_B0]
		mov	[ebp+var_5C], ecx
		xor	ebx, ebx

loc_A00E39:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+6Fj
					; EtwpCoverageSamplerQuery(x,x,x,x)+85j ...
		or	eax, 0FFFFFFFFh
		mov	ecx, large fs:124h
		mov	edx, [ebp+var_64]
		cmp	[edx+294h], ecx
		jnz	short loc_A00E86
		mov	[edx+294h], ebx
		lea	ecx, [edx+290h]
		mov	[ebp+var_A0], ecx
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A00E75
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_A0]

loc_A00E75:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+823j
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_A00E86:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+807j
		mov	eax, large fs:124h
		cmp	[edi+4], eax
		jnz	short loc_A00EBB
		mov	[edi+4], ebx
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A00EA8
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A00EA8:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+85Aj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_A00EBB:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+84Aj
		mov	eax, [ebp+var_80]
		test	eax, eax
		jz	short loc_A00EE8
		mov	edi, eax
		mov	esi, [ebp+var_5C]

loc_A00EC7:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+891j
		cmp	ebx, esi
		jnb	short loc_A00ED8
		mov	ecx, edi
		call	_EtwpCovSampModuleNameInfoCleanup@4 ; EtwpCovSampModuleNameInfoCleanup(x)
		inc	ebx
		add	edi, 4
		jmp	short loc_A00EC7
; 

loc_A00ED8:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+884j
		push	56777445h
		push	[ebp+var_80]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_40]

loc_A00EE8:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+87Bj
		cmp	[ebp+var_90], 0
		jz	short loc_A00F00
		mov	ecx, offset unk_6BC090
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_A00F00:				; CODE XREF: EtwpCoverageSamplerQuery(x,x,x,x)+8AAj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_EtwpCoverageSamplerQuery@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageSamplerQueryStatusInformation(x)
_EtwpCoverageSamplerQueryStatusInformation@4 proc near
					; CODE XREF: EtwpQueryCoverageSamplerInformation(x,x,x,x)+A3p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6AA070
		call	__SEH_prolog4
		cmp	dword_6BC08C, 0
		setnz	dl
		xor	eax, eax
		mov	[ebp+ms_exc.disabled], eax
		mov	[ecx], dl
		jmp	short loc_A00F47
; 

loc_A00F33:				; DATA XREF: .text:006AA084o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A00F41:				; DATA XREF: .text:006AA088o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_1C]

loc_A00F47:				; CODE XREF: EtwpCoverageSamplerQueryStatusInformation(x)+1Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCoverageSamplerQueryStatusInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageSamplerSetBloomFilter(x, x, x)
_EtwpCoverageSamplerSetBloomFilter@12 proc near
					; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+10Cp
					; EtwpSetCoverageSamplerInformation(x,x,x)+452p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	edx, edx
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], edx
		mov	eax, [edi+0Ch]
		cmp	eax, [ebx+10h]
		jz	short loc_A00F87

loc_A00F7D:				; CODE XREF: EtwpCoverageSamplerSetBloomFilter(x,x,x)+35j
					; EtwpCoverageSamplerSetBloomFilter(x,x,x)+3Cj	...
		mov	esi, 0C000000Dh
		jmp	loc_A010B5
; 

loc_A00F87:				; CODE XREF: EtwpCoverageSamplerSetBloomFilter(x,x,x)+1Dj
		mov	eax, [edi]
		or	eax, [edi+4]
		mov	ecx, [edi+8]
		jz	short loc_A0100E
		test	ecx, ecx
		jz	short loc_A00F7D
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	short loc_A00F7D
		cmp	ecx, 8000000h
		ja	short loc_A00F7D
		mov	eax, [edi+10h]
		test	eax, eax
		jz	short loc_A00F7D
		cmp	eax, 0Ah
		ja	short loc_A00F7D
		mov	eax, ds:_MmSectionObjectType
		mov	ecx, [edi]
		push	edx
		mov	[ebp+var_C], edx
		lea	edx, [ebp+var_C]
		push	edx
		push	[ebp+arg_0]
		push	eax
		push	4
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [ebp+var_C]
		mov	esi, eax
		mov	[ebp+var_8], ecx
		test	esi, esi
		js	loc_A010AC
		mov	eax, [edi+8]
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+arg_0]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		call	_MmMapViewInSystemSpace@12 ; MmMapViewInSystemSpace(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A0109B
		mov	eax, [edi+8]
		cmp	[ebp+arg_0], eax
		jnz	loc_A01096
		lea	esi, ds:0FFFFFFFFh[eax*8]
		jmp	short loc_A0101D
; 

loc_A0100E:				; CODE XREF: EtwpCoverageSamplerSetBloomFilter(x,x,x)+31j
		test	ecx, ecx
		jnz	loc_A01096
		cmp	[edi+10h], edx
		jnz	short loc_A01096
		mov	esi, edx

loc_A0101D:				; CODE XREF: EtwpCoverageSamplerSetBloomFilter(x,x,x)+AEj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ecx, [ebx+3B8h]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_4]
		mov	[ebx+3B8h], eax
		mov	eax, [edi+8]
		mov	[ebx+3BCh], eax
		mov	[ebx+3C0h], esi
		mov	eax, [edi+10h]
		and	dword ptr [ebx+4], 0
		mov	[ebx+3C4h], eax
		or	eax, 0FFFFFFFFh
		mov	[ebp+var_4], ecx
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A0107F
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A0107F:				; CODE XREF: EtwpCoverageSamplerSetBloomFilter(x,x,x)+118j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	esi, esi
		jmp	short loc_A0109B
; 

loc_A01096:				; CODE XREF: EtwpCoverageSamplerSetBloomFilter(x,x,x)+A1j
					; EtwpCoverageSamplerSetBloomFilter(x,x,x)+B2j	...
		mov	esi, 0C000000Dh

loc_A0109B:				; CODE XREF: EtwpCoverageSamplerSetBloomFilter(x,x,x)+95j
					; EtwpCoverageSamplerSetBloomFilter(x,x,x)+136j
		cmp	[ebp+var_4], 0
		jz	short loc_A010A9
		push	[ebp+var_4]
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)

loc_A010A9:				; CODE XREF: EtwpCoverageSamplerSetBloomFilter(x,x,x)+141j
		mov	ecx, [ebp+var_8]

loc_A010AC:				; CODE XREF: EtwpCoverageSamplerSetBloomFilter(x,x,x)+77j
		test	ecx, ecx
		jz	short loc_A010B5
		call	ObfDereferenceObject

loc_A010B5:				; CODE XREF: EtwpCoverageSamplerSetBloomFilter(x,x,x)+24j
					; EtwpCoverageSamplerSetBloomFilter(x,x,x)+150j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpCoverageSamplerSetBloomFilter@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageSamplerStart(x)
_EtwpCoverageSamplerStart@4 proc near	; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+4A6p

var_2C		= dword	ptr -2Ch
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+30h+var_10]
		stosd
		mov	ebx, ecx
		mov	ecx, [ebx+18h]
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[esp+30h+var_20], eax
		lea	edi, [ebx+8]
		mov	dword ptr [esp+30h+var_1C], eax
		mov	[esp+30h+var_18], eax
		call	_EtwpCoverageSamplerAllocateTable@4 ; EtwpCoverageSamplerAllocateTable(x)
		mov	[ebx+3A4h], eax
		mov	ecx, offset _EtwpCovSampGlobals
		test	eax, eax
		jnz	short loc_A0110A
		mov	esi, 0C000009Ah
		jmp	loc_A012F0
; 

loc_A0110A:				; CODE XREF: EtwpCoverageSamplerStart(x)+40j
		inc	dword ptr [ebx+3B4h]
		lea	ecx, [ebx+3ACh]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jz	short loc_A01122
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A01122:				; CODE XREF: EtwpCoverageSamplerStart(x)+5Dj
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		mov	ecx, [ebx+38h]
		mov	esi, [ebx+34h]
		test	ecx, ecx
		jz	short loc_A0113E
		mov	eax, esi
		xor	edx, edx
		div	ecx
		mov	esi, eax

loc_A0113E:				; CODE XREF: EtwpCoverageSamplerStart(x)+76j
		mov	eax, [ebx+0Ch]
		test	al, 4
		jnz	short loc_A011B5
		test	al, 2
		jnz	short loc_A0119C
		lea	eax, [esp+30h+var_18]
		mov	[esp+30h+var_10], 2
		push	eax
		lea	eax, [esp+34h+var_10]
		push	eax
		push	10h
		push	1
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_A0118C
		cmp	byte ptr [esp+40h+var_1C], 0
		jz	short loc_A0118C
		mov	eax, _EtwCPUSpeedInMHz
		mul	esi
		push	0
		push	5
		push	edx
		push	eax
		mov	[esp+50h+var_2C], 2
		call	__aulldiv
		jmp	short loc_A011B1
; 

loc_A0118C:				; CODE XREF: EtwpCoverageSamplerStart(x)+A9j
					; EtwpCoverageSamplerStart(x)+B0j
		test	byte ptr [ebx+0Ch], 1
		jz	short loc_A0119C
		mov	esi, 0C00000BBh
		jmp	loc_A012EB
; 

loc_A0119C:				; CODE XREF: EtwpCoverageSamplerStart(x)+89j
					; EtwpCoverageSamplerStart(x)+D2j
		imul	esi, 0Ah
		test	ds:byte_70EFC4,	2
		mov	[esp+30h+var_20], esi
		jz	short loc_A011B5
		mov	eax, _EtwpProfileInterval

loc_A011B1:				; CODE XREF: EtwpCoverageSamplerStart(x)+CCj
		mov	[esp+30h+var_20], eax

loc_A011B5:				; CODE XREF: EtwpCoverageSamplerStart(x)+85j
					; EtwpCoverageSamplerStart(x)+ECj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _EtwpCovSampGlobals
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		cmp	dword_6BC08C, 0
		mov	dword_6BC084, eax
		jz	short loc_A011ED
		mov	esi, 0C0000718h
		jmp	loc_A012EB
; 

loc_A011ED:				; CODE XREF: EtwpCoverageSamplerStart(x)+123j
		lea	ecx, [edi+4]
		call	_EtwpCovSampCaptureContextStart@4 ; EtwpCovSampCaptureContextStart(x)
		mov	esi, eax
		test	esi, esi
		js	loc_A012EB
		mov	eax, dword_6BC094
		mov	ecx, ebx
		mov	[esp+30h+var_14], eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	dword_6BC08C, ebx
		xor	eax, eax
		mov	ecx, offset unk_6BC090
		xchg	eax, [ecx]
		or	dword ptr [edi+398h], 1
		push	0
		push	offset _EtwpCovSampImageNotify@12 ; EtwpCovSampImageNotify(x,x,x)
		call	PsSetLoadImageNotifyRoutineEx
		mov	esi, eax
		test	esi, esi
		js	loc_A012EB
		or	dword ptr [edi+398h], 2
		mov	edx, edi
		mov	ecx, offset _EtwpCovSampEnumerateProcess@8 ; EtwpCovSampEnumerateProcess(x,x)
		call	PsEnumProcesses
		mov	edx, edi
		mov	ecx, offset _EtwpCovSampEnumerateDriver@8 ; EtwpCovSampEnumerateDriver(x,x)
		call	MmEnumerateSystemImages
		mov	ecx, ds:_EtwpHostSiloState
		mov	edx, [ecx+0A68h]
		or	edx, 4
		mov	[ecx+0A68h], edx
		mov	eax, [ebx+0Ch]
		test	al, 8
		jnz	short loc_A01280
		or	dword ptr [ecx+0A6Ch], 4
		mov	eax, [ebx+0Ch]

loc_A01280:				; CODE XREF: EtwpCoverageSamplerStart(x)+1B6j
		test	al, 10h
		jnz	short loc_A01291
		or	dword ptr [ecx+0A6Ch], 200h
		mov	eax, [ebx+0Ch]

loc_A01291:				; CODE XREF: EtwpCoverageSamplerStart(x)+1C4j
		test	al, 20h
		jnz	short loc_A012A1
		or	edx, 1000h
		mov	[ecx+0A68h], edx

loc_A012A1:				; CODE XREF: EtwpCoverageSamplerStart(x)+1D5j
		push	9
		xor	edx, edx
		call	EtwpUpdateGlobalGroupMasks
		or	dword ptr [edi+398h], 4
		test	byte ptr [ebx+0Ch], 4
		jnz	short loc_A012E9
		mov	ebx, [esp+30h+var_14]
		mov	edx, offset @EtwpCovSampProfileInterrupt@8 ; int
		push	dword ptr [esp+30h+var_1C] ; __int16
		push	ebx		; int
		lea	ecx, [ebx+8]	; void *
		call	_KeInitializeProfileCallback@16	; KeInitializeProfileCallback(x,x,x,x)
		movsx	edx, word ptr [ebx+38h]
		mov	ecx, [esp+30h+var_20]
		call	_KeSetIntervalProfile@8	; KeSetIntervalProfile(x,x)
		lea	ecx, [ebx+8]
		call	_KeStartProfile@4 ; KeStartProfile(x)
		or	dword ptr [edi+398h], 8

loc_A012E9:				; CODE XREF: EtwpCoverageSamplerStart(x)+1F7j
		xor	esi, esi

loc_A012EB:				; CODE XREF: EtwpCoverageSamplerStart(x)+D9j
					; EtwpCoverageSamplerStart(x)+12Aj ...
		mov	ecx, offset _EtwpCovSampGlobals

loc_A012F0:				; CODE XREF: EtwpCoverageSamplerStart(x)+47j
		mov	eax, dword_6BC084
		cmp	eax, large fs:124h
		jnz	short loc_A0132D
		and	dword_6BC084, 0
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A0131C
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, offset _EtwpCovSampGlobals

loc_A0131C:				; CODE XREF: EtwpCoverageSamplerStart(x)+252j
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_A0132D:				; CODE XREF: EtwpCoverageSamplerStart(x)+23Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_EtwpCoverageSamplerStart@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageSamplerStop(x)
_EtwpCoverageSamplerStop@4 proc	near	; CODE XREF: EtwpCoverageSamplerClose(x,x,x,x)+87p
					; EtwpSetCoverageSamplerInformation(x,x,x)+5A1p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	ebx, ebx
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	edi, offset _EtwpCovSampGlobals
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	dword_6BC084, eax
		or	eax, 0FFFFFFFFh
		cmp	dword_6BC08C, esi
		jnz	loc_A014E2
		mov	ecx, [esi+3CCh]
		test	cl, 2
		jnz	loc_A014E2
		or	ecx, 2
		mov	[esi+3CCh], ecx
		and	dword_6BC084, ebx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A013A1
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A013A1:				; CODE XREF: EtwpCoverageSamplerStop(x)+62j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		mov	edi, offset unk_6BC090
		mov	ecx, edi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, edi
		call	@ExRundownCompleted@4 ;	ExRundownCompleted(x)
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		xor	edx, edx
		mov	ecx, offset _EtwpCovSampGlobals
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	ebx, dword_6BC08C
		and	dword_6BC08C, 0
		mov	ecx, dword_6BC094
		mov	dword_6BC084, eax
		mov	eax, [esi+3A0h]
		mov	[ebp+var_C], ecx
		test	al, 8
		jz	short loc_A01411
		add	ecx, 8
		call	_KeStopProfile@4 ; KeStopProfile(x)
		and	dword ptr [esi+3A0h], 0FFFFFFF7h
		mov	eax, [esi+3A0h]

loc_A01411:				; CODE XREF: EtwpCoverageSamplerStop(x)+C4j
		test	al, 2
		jz	short loc_A0142C
		push	offset _EtwpCovSampImageNotify@12 ; EtwpCovSampImageNotify(x,x,x)
		call	PsRemoveLoadImageNotifyRoutine
		and	dword ptr [esi+3A0h], 0FFFFFFFDh
		mov	eax, [esi+3A0h]

loc_A0142C:				; CODE XREF: EtwpCoverageSamplerStop(x)+DDj
		test	al, 4
		jz	short loc_A0145A
		mov	ecx, ds:_EtwpHostSiloState
		xor	edx, edx
		push	9
		and	dword ptr [ecx+0A6Ch], 0FFFFFDFBh
		and	dword ptr [ecx+0A68h], 0FFFFEFFBh
		call	EtwpUpdateGlobalGroupMasks
		and	dword ptr [esi+3A0h], 0FFFFFFFBh

loc_A0145A:				; CODE XREF: EtwpCoverageSamplerStop(x)+F8j
		xor	ecx, ecx
		jmp	short loc_A014C0
; 

loc_A0145E:				; CODE XREF: EtwpCoverageSamplerStop(x)+193j
		mov	eax, [edi+4B0h]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_A014BE
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	eax, [ebp+var_4]
		xor	edx, edx
		add	eax, 4
		mov	ecx, eax
		mov	[ebp+var_8], eax
		call	ExAcquirePushLockExclusiveEx
		mov	ecx, [ebp+var_4]
		mov	dl, 1
		mov	eax, large fs:124h
		mov	[ecx+8], eax
		call	_EtwpCovSampProcessCleanup@8 ; EtwpCovSampProcessCleanup(x,x)
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		and	dword ptr [eax+8], 0
		or	eax, 0FFFFFFFFh
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A014B4
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+var_8]

loc_A014B4:				; CODE XREF: EtwpCoverageSamplerStop(x)+174j
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_A014BE:				; CODE XREF: EtwpCoverageSamplerStop(x)+133j
		mov	ecx, edi

loc_A014C0:				; CODE XREF: EtwpCoverageSamplerStop(x)+126j
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A0145E
		mov	ecx, [ebp+var_C]
		call	_EtwpCovSampCaptureContextStop@4 ; EtwpCovSampCaptureContextStop(x)
		and	dword ptr [esi+3A0h], 0FFFFFFFEh
		mov	edi, offset _EtwpCovSampGlobals
		or	eax, 0FFFFFFFFh

loc_A014E2:				; CODE XREF: EtwpCoverageSamplerStop(x)+36j
					; EtwpCoverageSamplerStop(x)+45j
		mov	ecx, dword_6BC084
		cmp	ecx, large fs:124h
		jnz	short loc_A01515
		and	dword_6BC084, 0
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A01509
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A01509:				; CODE XREF: EtwpCoverageSamplerStop(x)+1CAj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_A01515:				; CODE XREF: EtwpCoverageSamplerStop(x)+1B9j
		test	ebx, ebx
		jz	short loc_A01520
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_A01520:				; CODE XREF: EtwpCoverageSamplerStop(x)+1E1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpCoverageSamplerStop@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpCoverageSamplerUnloadImage(x, x, x)
_EtwpCoverageSamplerUnloadImage@12 proc	near ; CODE XREF: PerfLogImageUnload+165DA5p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		lea	ecx, [ebp+var_4]
		call	_EtwpCovSampAcquireSamplerRundown@4 ; EtwpCovSampAcquireSamplerRundown(x)
		test	eax, eax
		js	short loc_A015B7
		cmp	ebx, ds:_MmSystemRangeStart
		jb	short loc_A01557
		mov	esi, dword_6BC08C
		add	esi, 2C8h
		jmp	short loc_A01561
; 

loc_A01557:				; CODE XREF: EtwpCoverageSamplerUnloadImage(x,x,x)+22j
		mov	esi, [esi+4B0h]
		test	esi, esi
		jz	short loc_A015B7

loc_A01561:				; CODE XREF: EtwpCoverageSamplerUnloadImage(x,x,x)+30j
		mov	eax, large fs:124h
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		lea	edi, [esi+4]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		mov	edx, ebx
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, esi
		mov	[esi+8], eax
		call	_EtwpCovSampProcessRemoveModule@16 ; EtwpCovSampProcessRemoveModule(x,x,x,x)
		and	dword ptr [esi+8], 0
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A015AA
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A015AA:				; CODE XREF: EtwpCoverageSamplerUnloadImage(x,x,x)+7Cj
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		pop	edi

loc_A015B7:				; CODE XREF: EtwpCoverageSamplerUnloadImage(x,x,x)+1Aj
					; EtwpCoverageSamplerUnloadImage(x,x,x)+3Aj
		cmp	[ebp+var_4], 0
		pop	esi
		pop	ebx
		jz	short locret_A015CE
		mov	ecx, offset unk_6BC090
		call	@ExReleaseRundownProtection@4 ;	ExReleaseRundownProtection(x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

locret_A015CE:				; CODE XREF: EtwpCoverageSamplerUnloadImage(x,x,x)+98j
		leave
		retn	4
_EtwpCoverageSamplerUnloadImage@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpQueryCoverageSamplerInformation(x, x, x, x)
_EtwpQueryCoverageSamplerInformation@16	proc near
					; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+751p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	28h
		push	offset dword_6AA090
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], ecx
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		cmp	eax, 10h
		jnb	short loc_A015FA
		mov	esi, 0C0000004h
		jmp	loc_A016F0
; 

loc_A015FA:				; CODE XREF: EtwpQueryCoverageSamplerInformation(x,x,x,x)+1Cj
		and	[ebp+ms_exc.disabled], ebx
		mov	esi, ecx
		lea	edi, [ebp+var_38]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_34]
		mov	eax, ecx
		shr	eax, 8
		cmp	al, 0CFh
		jz	short loc_A01623

loc_A01619:				; CODE XREF: EtwpQueryCoverageSamplerInformation(x,x,x,x)+5Dj
					; EtwpQueryCoverageSamplerInformation(x,x,x,x)+72j ...
		mov	esi, 0C00000BBh
		jmp	loc_A016F0
; 

loc_A01623:				; CODE XREF: EtwpQueryCoverageSamplerInformation(x,x,x,x)+45j
		movzx	eax, cl
		sub	eax, 1
		jz	short loc_A0167E
		dec	eax
		sub	eax, 1
		jz	short loc_A01619
		sub	eax, 1
		jz	short loc_A01640
		mov	esi, 0C0000003h
		jmp	loc_A016F0
; 

loc_A01640:				; CODE XREF: EtwpQueryCoverageSamplerInformation(x,x,x,x)+62j
		cmp	byte ptr [ebp+arg_0], 0
		jz	short loc_A01619
		mov	cl, byte ptr [ebp+arg_0]
		call	ExCheckFullProcessInformationAccess
		mov	esi, eax
		test	esi, esi
		js	loc_A016F0
		push	18h
		pop	ecx
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		cmp	[ebp+var_20], ecx
		jnb	short loc_A0166F
		mov	esi, 0C0000023h
		jmp	loc_A016F0
; 

loc_A0166F:				; CODE XREF: EtwpQueryCoverageSamplerInformation(x,x,x,x)+91j
		mov	ecx, [ebp+var_24]
		lea	ecx, [ecx+10h]
		call	_EtwpCoverageSamplerQueryStatusInformation@4 ; EtwpCoverageSamplerQueryStatusInformation(x)
		mov	esi, eax
		jmp	short loc_A016F0
; 

loc_A0167E:				; CODE XREF: EtwpQueryCoverageSamplerInformation(x,x,x,x)+57j
		cmp	byte ptr [ebp+arg_0], 0
		jz	short loc_A01619
		mov	cl, byte ptr [ebp+arg_0]
		call	ExCheckFullProcessInformationAccess
		mov	esi, eax
		test	esi, esi
		js	short loc_A016F0
		mov	eax, dword_6BC088
		and	[ebp+var_1C], 0
		push	0
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+arg_0]
		push	eax
		push	1
		push	[ebp+var_30]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	ebx, [ebp+var_1C]
		test	esi, esi
		js	short loc_A016F0
		push	[ebp+arg_4]
		push	[ebp+var_20]
		mov	edx, [ebp+var_24]
		mov	ecx, ebx
		call	_EtwpCoverageSamplerQuery@16 ; EtwpCoverageSamplerQuery(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A016F0
		xor	esi, esi
		jmp	short loc_A016F0
; 

loc_A016D2:				; DATA XREF: .text:006AA0A4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A016E0:				; DATA XREF: .text:006AA0A8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_28]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_1C]

loc_A016F0:				; CODE XREF: EtwpQueryCoverageSamplerInformation(x,x,x,x)+23j
					; EtwpQueryCoverageSamplerInformation(x,x,x,x)+4Cj ...
		test	ebx, ebx
		jz	short loc_A016FB
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_A016FB:				; CODE XREF: EtwpQueryCoverageSamplerInformation(x,x,x,x)+120j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_EtwpQueryCoverageSamplerInformation@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSetCoverageSamplerInformation(x, x, x)
_EtwpSetCoverageSamplerInformation@12 proc near
					; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+BB1p

var_30C		= dword	ptr -30Ch
var_2FC		= dword	ptr -2FCh
var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A5		= byte ptr -2A5h
var_2A4		= dword	ptr -2A4h
var_29E		= byte ptr -29Eh
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_28C		= dword	ptr -28Ch
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_146		= word ptr -146h
var_46		= word ptr -46h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

		push	2FCh
		push	offset dword_6AA0B0
		call	__SEH_prolog4_GS
		mov	eax, edx
		mov	[ebp+var_2B8], eax
		mov	[ebp+var_2B0], ecx
		xor	edx, edx
		mov	ebx, edx
		mov	[ebp+var_2AC], ebx
		mov	[ebp+var_2B4], edx
		mov	[ebp+var_2A5], dl
		cmp	eax, 10h
		jnb	short loc_A01751

loc_A01747:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+AAj
					; EtwpSetCoverageSamplerInformation(x,x,x)+165j
		mov	esi, 0C0000004h
		jmp	loc_A01C89
; 

loc_A01751:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+36j
		mov	[ebp+ms_exc.disabled], edx
		mov	esi, ecx
		lea	edi, [ebp+var_2DC]
		movsd
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_2D8]
		mov	eax, ecx
		shr	eax, 8
		cmp	al, 0CFh
		jz	short loc_A01780

loc_A01776:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+85j
					; EtwpSetCoverageSamplerInformation(x,x,x)+142j
		mov	esi, 0C00000BBh
		jmp	loc_A01C89
; 

loc_A01780:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+65j
		movzx	eax, cl
		sub	eax, edx
		jz	loc_A0184D
		dec	eax
		sub	eax, 1
		jz	short loc_A017A0
		sub	eax, 1
		jz	short loc_A01776
		mov	esi, 0C0000003h
		jmp	loc_A01C89
; 

loc_A017A0:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+80j
		mov	cl, [ebp+arg_0]
		call	ExCheckFullProcessInformationAccess
		mov	esi, eax
		test	esi, esi
		js	loc_A01C89
		cmp	[ebp+var_2B8], 28h
		jnz	short loc_A01747
		mov	[ebp+ms_exc.disabled], 3
		push	0Ah
		pop	ecx
		mov	esi, [ebp+var_2B0]
		lea	edi, [ebp+var_30C]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, dword_6BC088
		xor	edi, edi
		mov	[ebp+var_2B0], edi
		push	edi
		lea	ecx, [ebp+var_2B0]
		push	ecx
		push	dword ptr [ebp+arg_0]
		push	eax
		push	1
		push	[ebp+var_2D4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	ebx, [ebp+var_2B0]
		test	esi, esi
		js	loc_A01C89
		push	dword ptr [ebp+arg_0]
		lea	edx, [ebp+var_2FC]
		mov	ecx, ebx
		call	_EtwpCoverageSamplerSetBloomFilter@12 ;	EtwpCoverageSamplerSetBloomFilter(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A01C89
		mov	esi, edi
		jmp	loc_A01C89
; 

loc_A01831:				; DATA XREF: .text:006AA0E8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2BC], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A01842:				; DATA XREF: .text:006AA0ECo
		mov	esi, [ebp+var_2BC]
		jmp	loc_A01C79
; 

loc_A0184D:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+76j
		cmp	[ebp+arg_0], 0
		jz	loc_A01776
		mov	cl, [ebp+arg_0]
		call	ExCheckFullProcessInformationAccess
		mov	esi, eax
		test	esi, esi
		js	loc_A01C89
		mov	eax, [ebp+var_2B8]
		cmp	eax, 280h
		jb	loc_A01747
		mov	[ebp+ms_exc.disabled], 1
		push	4
		push	eax
		mov	ebx, [ebp+var_2B0]
		push	ebx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, 0A0h
		mov	esi, ebx
		lea	edi, [ebp+var_2A4]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	4000h
		push	10h
		mov	edx, 400h
		lea	ecx, [ebp+var_28C]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		push	edx
		push	10h
		mov	edx, 100h
		lea	ecx, [ebp+var_24C]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		push	10000h
		push	edx
		mov	edx, 800h
		lea	ecx, [ebp+var_248]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		mov	edx, [ebp+var_248]
		lea	eax, [edx-1]
		or	edi, 0FFFFFFFFh
		test	eax, edx
		jz	short loc_A0190A
		mov	ecx, edi
		test	edx, edx
		jz	short loc_A01901

loc_A018FC:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+1F0j
		inc	ecx
		shr	edx, 1
		jnz	short loc_A018FC

loc_A01901:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+1EBj
		xor	ebx, ebx
		inc	ebx
		mov	edx, ebx
		shl	edx, cl
		jmp	short loc_A0190D
; 

loc_A0190A:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+1E5j
		xor	ebx, ebx
		inc	ebx

loc_A0190D:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+1F9j
		mov	al, byte ptr [ebp+var_294]
		and	al, 40h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	eax, edx
		mov	[ebp+var_248], eax
		mov	esi, 6B49D200h
		push	esi
		push	ebx
		mov	edx, 3E8h
		lea	ecx, [ebp+var_26C]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		push	esi
		push	ebx
		mov	edx, ebx
		lea	ecx, [ebp+var_264]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		push	esi
		push	ebx
		lea	ecx, [ebp+var_25C]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		push	esi
		push	ebx
		lea	ecx, [ebp+var_254]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		push	esi
		xor	ebx, ebx
		push	ebx
		xor	edx, edx
		lea	ecx, [ebp+var_268]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		push	esi
		push	ebx
		lea	ecx, [ebp+var_260]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		push	esi
		push	ebx
		lea	ecx, [ebp+var_258]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		push	esi
		push	ebx
		lea	ecx, [ebp+var_250]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		push	80h
		push	1
		push	8
		pop	edx
		lea	ecx, [ebp+var_280]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		push	100000h
		push	4000h
		mov	edx, 20000h
		lea	ecx, [ebp+var_27C]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		mov	esi, 100h
		push	esi
		push	2
		push	4
		pop	edx
		lea	ecx, [ebp+var_278]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		mov	al, byte ptr [ebp+var_294]
		and	al, 80h
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		not	eax
		and	[ebp+var_278], eax
		push	esi
		push	2
		lea	ecx, [ebp+var_274]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		push	esi
		push	edx
		push	10h
		pop	edx
		lea	ecx, [ebp+var_270]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		mov	esi, 8000000h
		push	esi
		push	edx
		mov	edx, 400h
		lea	ecx, [ebp+var_288]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		push	esi
		push	10h
		mov	edx, 10000h
		lea	ecx, [ebp+var_284]
		call	_EtwpCovSampApplyBounds@16 ; EtwpCovSampApplyBounds(x,x,x,x)
		mov	eax, [ebp+var_24C]
		shl	eax, 2
		mov	edx, [ebp+var_288]
		cmp	edx, eax
		jnb	short loc_A01A57
		mov	edx, eax

loc_A01A57:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+344j
		lea	eax, [edx-1]
		test	eax, edx
		jz	short loc_A01A6E
		mov	ecx, edi
		test	edx, edx
		jz	short loc_A01A69

loc_A01A64:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+358j
		inc	ecx
		shr	edx, 1
		jnz	short loc_A01A64

loc_A01A69:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+353j
		xor	edx, edx
		inc	edx
		shl	edx, cl

loc_A01A6E:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+34Dj
		mov	[ebp+var_288], edx
		mov	esi, [ebp+var_284]
		lea	eax, [esi-1]
		test	eax, esi
		jz	short loc_A01A91
		test	esi, esi
		jz	short loc_A01A8A

loc_A01A85:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+379j
		inc	edi
		shr	esi, 1
		jnz	short loc_A01A85

loc_A01A8A:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+374j
		xor	esi, esi
		inc	esi
		mov	ecx, edi
		shl	esi, cl

loc_A01A91:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+370j
		mov	[ebp+var_284], esi
		cmp	esi, edx
		jnb	short loc_A01AA1
		mov	[ebp+var_284], edx

loc_A01AA1:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+38Aj
		xor	eax, eax
		mov	[ebp+var_46], ax
		mov	[ebp+var_146], ax
		mov	[ebp+var_2E4], 18h
		mov	[ebp+var_2E0], ebx
		mov	[ebp+var_2D8], ebx
		mov	[ebp+var_2DC], ebx
		mov	[ebp+var_2D4], ebx
		mov	[ebp+var_2D0], ebx
		mov	edx, dword_6BC088
		push	ebx
		lea	eax, [ebp+var_2AC]
		push	eax
		push	ebx
		push	ebx
		push	3D0h
		push	ecx
		push	dword ptr [ebp+arg_0]
		lea	eax, [ebp+var_2E4]
		push	eax
		xor	cl, cl
		call	ObCreateObjectEx
		mov	esi, eax
		mov	ebx, [ebp+var_2AC]
		test	esi, esi
		js	loc_A01C89
		mov	ecx, ebx
		call	_EtwpCoverageSamplerInitialize@4 ; EtwpCoverageSamplerInitialize(x)
		lea	edi, [ebx+0Ch]
		mov	ecx, 94h
		lea	esi, [ebp+var_294]
		rep movsd
		push	ecx		; int
		lea	edx, [ebx+33Ch]	; int
		lea	ecx, [ebx+15Ch]	; wchar_t *
		call	_EtwpCovSampSplitSegments@12 ; EtwpCovSampSplitSegments(x,x,x)
		mov	[ebx+390h], eax
		push	ecx		; int
		lea	edx, [ebx+2ECh]	; int
		lea	ecx, [ebx+5Ch]	; wchar_t *
		call	_EtwpCovSampSplitSegments@12 ; EtwpCovSampSplitSegments(x,x,x)
		mov	[ebx+38Ch], eax
		mov	eax, [ebp+var_44]
		or	eax, [ebp+var_40]
		jz	short loc_A01B70
		push	dword ptr [ebp+arg_0]
		lea	edx, [ebp+var_44]
		mov	ecx, ebx
		call	_EtwpCoverageSamplerSetBloomFilter@12 ;	EtwpCoverageSamplerSetBloomFilter(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A01C89

loc_A01B70:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+448j
		mov	eax, ds:_ExEventObjectType
		xor	edi, edi
		mov	[ebp+var_2B8], edi
		push	edi
		lea	ecx, [ebp+var_2B8]
		push	ecx
		push	dword ptr [ebp+arg_0]
		push	eax
		push	1F0003h
		push	[ebp+var_2C]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_2B8]
		mov	[ebx+3A8h], eax
		test	esi, esi
		js	loc_A01C89
		mov	[ebp+var_2A5], 1
		mov	ecx, ebx
		call	_EtwpCoverageSamplerStart@4 ; EtwpCoverageSamplerStart(x)
		mov	esi, eax
		test	esi, esi
		js	loc_A01C89
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		lea	eax, [ebp+var_2B4]
		push	eax
		push	edi
		push	edi
		push	edi
		push	1
		xor	edx, edx
		mov	ecx, ebx
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A01C89
		mov	eax, [ebp+var_2B4]
		cdq
		mov	[ebp+var_29C], eax
		mov	[ebp+var_298], edx
		mov	[ebp+var_29E], 0
		mov	[ebp+ms_exc.disabled], 2
		mov	ecx, 0A0h
		lea	esi, [ebp+var_2A4]
		mov	edi, [ebp+var_2B0]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		and	[ebp+var_2B4], 0
		xor	esi, esi
		jmp	short loc_A01C89
; 

loc_A01C30:				; DATA XREF: .text:006AA0DCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C0], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A01C41:				; DATA XREF: .text:006AA0E0o
		mov	esi, [ebp+var_2C0]
		jmp	short loc_A01C79
; 

loc_A01C49:				; DATA XREF: .text:006AA0D0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C4], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A01C5A:				; DATA XREF: .text:006AA0D4o
		mov	esi, [ebp+var_2C4]
		jmp	short loc_A01C79
; 

loc_A01C62:				; DATA XREF: .text:006AA0C4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C8], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A01C73:				; DATA XREF: .text:006AA0C8o
		mov	esi, [ebp+var_2C8]

loc_A01C79:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+139j
					; EtwpSetCoverageSamplerInformation(x,x,x)+538j ...
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_2AC]

loc_A01C89:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+3Dj
					; EtwpSetCoverageSamplerInformation(x,x,x)+6Cj	...
		cmp	[ebp+var_2B4], 0
		jz	short loc_A01C9D
		push	[ebp+var_2B4]
		call	NtClose

loc_A01C9D:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+581j
		test	ebx, ebx
		jz	short loc_A01CBC
		test	esi, esi
		jns	short loc_A01CB5
		cmp	[ebp+var_2A5], 0
		jz	short loc_A01CB5
		mov	ecx, ebx
		call	_EtwpCoverageSamplerStop@4 ; EtwpCoverageSamplerStop(x)

loc_A01CB5:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+594j
					; EtwpSetCoverageSamplerInformation(x,x,x)+59Dj
		mov	ecx, ebx
		call	ObfDereferenceObject

loc_A01CBC:				; CODE XREF: EtwpSetCoverageSamplerInformation(x,x,x)+590j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpSetCoverageSamplerInformation@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpAllocateLbrData(x)
_EtwpAllocateLbrData@4 proc near	; CODE XREF: EtwpUpdateLastBranchTracingConfiguration(x,x)+4Dp
					; EtwpUpdateLastBranchTracingEvents(x,x,x)+3Fp
		mov	edi, edi
		push	esi
		push	78777445h
		push	14h
		push	200h
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A01CF3
		mov	eax, 0C0000017h
		pop	esi
		retn
; 

loc_A01CF3:				; CODE XREF: EtwpAllocateLbrData(x)+1Aj
		push	edi
		xor	eax, eax
		mov	edi, edx
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		pop	edi
		mov	[esi+2C0h], edx
		pop	esi
		retn
_EtwpAllocateLbrData@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpFreeLbrData(x)
_EtwpFreeLbrData@4 proc	near		; CODE XREF: NtQueryPerformanceCounter+28Cp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	dword ptr [esi+258h], 8000h
		jz	short loc_A01D20
		lock dec dword_6BC458

loc_A01D20:				; CODE XREF: EtwpFreeLbrData(x)+Fj
		mov	eax, [esi+2C0h]
		test	eax, eax
		jz	short loc_A01D4C
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_A01D3D
		push	ecx
		call	off_6B1424	; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		mov	eax, [esi+2C0h]

loc_A01D3D:				; CODE XREF: EtwpFreeLbrData(x)+26j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+2C0h], 0

loc_A01D4C:				; CODE XREF: EtwpFreeLbrData(x)+20j
		pop	esi
		retn
_EtwpFreeLbrData@4 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpReferenceLastBranchLookasideList()
_EtwpReferenceLastBranchLookasideList@0	proc near
					; CODE XREF: EtwpUpdateLastBranchTracingConfiguration(x,x)+78p
		mov	eax, ds:_KeNumberProcessors
		push	esi
		push	edi
		imul	edi, ds:_EtwpLastBranchStackSize, 0Ch
		xor	esi, esi
		inc	esi
		add	edi, 4
		lock xadd dword_6BC458,	esi
		inc	esi
		imul	esi, eax
		add	esi, esi

loc_A01D70:				; CODE XREF: EtwpReferenceLastBranchLookasideList()+50j
		push	78777445h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_A01DA0
		mov	edx, eax
		mov	ecx, offset _EtwpLastBranchLookAsideList
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		xor	eax, eax
		inc	eax
		lock xadd dword_6BC45C,	eax
		inc	eax
		cmp	eax, esi
		jl	short loc_A01D70

loc_A01DA0:				; CODE XREF: EtwpReferenceLastBranchLookasideList()+34j
		pop	edi
		pop	esi
		retn
_EtwpReferenceLastBranchLookasideList@0	endp


;  S U B	R O U T	I N E 


; __stdcall EtwpUpdateLastBranchTracingConfiguration(x,	x)
_EtwpUpdateLastBranchTracingConfiguration@8 proc near
					; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+42Ap
		mov	eax, ds:_EtwpLastBranchSupportedOptions
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		test	eax, eax
		jnz	short loc_A01DB8
		mov	esi, 0C00000BBh
		jmp	short loc_A01E37
; 

loc_A01DB8:				; CODE XREF: EtwpUpdateLastBranchTracingConfiguration(x,x)+Cj
		mov	ebx, [edx+10h]
		not	eax
		test	eax, ebx
		jz	short loc_A01DC8

loc_A01DC1:				; CODE XREF: EtwpUpdateLastBranchTracingConfiguration(x,x)+2Cj
		mov	esi, 0C000000Dh
		jmp	short loc_A01E37
; 

loc_A01DC8:				; CODE XREF: EtwpUpdateLastBranchTracingConfiguration(x,x)+1Cj
		mov	eax, ebx
		and	eax, 3
		cmp	al, 3
		jz	short loc_A01DC1
		mov	ecx, 8000h
		test	[edi+258h], ecx
		jz	short loc_A01DE5
		mov	eax, 0C0000303h
		jmp	short loc_A01E39
; 

loc_A01DE5:				; CODE XREF: EtwpUpdateLastBranchTracingConfiguration(x,x)+39j
		cmp	dword ptr [edi+2C0h], 0
		jnz	short loc_A01DFB
		mov	ecx, edi
		call	_EtwpAllocateLbrData@4 ; EtwpAllocateLbrData(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A01E37

loc_A01DFB:				; CODE XREF: EtwpUpdateLastBranchTracingConfiguration(x,x)+49j
		mov	eax, [edi+2C0h]
		cmp	dword ptr [eax], 0
		jz	short loc_A01E0D
		mov	esi, 0C0000303h
		jmp	short loc_A01E37
; 

loc_A01E0D:				; CODE XREF: EtwpUpdateLastBranchTracingConfiguration(x,x)+61j
		push	eax
		push	ebx
		call	off_6B1420	; ext_ms_win_ntos_tm_l1_1_0_TmRollbackEnlistment(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A01E37
		call	_EtwpReferenceLastBranchLookasideList@0	; EtwpReferenceLastBranchLookasideList()
		mov	eax, [edi+2C0h]
		mov	ecx, 8000h
		mov	[eax+4], ebx
		lea	eax, [edi+258h]
		lock or	[eax], ecx

loc_A01E37:				; CODE XREF: EtwpUpdateLastBranchTracingConfiguration(x,x)+13j
					; EtwpUpdateLastBranchTracingConfiguration(x,x)+23j ...
		mov	eax, esi

loc_A01E39:				; CODE XREF: EtwpUpdateLastBranchTracingConfiguration(x,x)+40j
		pop	edi
		pop	esi
		pop	ebx
		retn
_EtwpUpdateLastBranchTracingConfiguration@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdateLastBranchTracingEvents(x, x, x)
_EtwpUpdateLastBranchTracingEvents@12 proc near
					; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+389p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	10h
		push	offset dword_6AA0F0
		call	__SEH_prolog4
		mov	ebx, edx
		mov	edi, ecx
		cmp	ds:_EtwpLastBranchSupportedOptions, 0
		jnz	short loc_A01E60
		mov	eax, 0C00000BBh
		jmp	loc_A01EE8
; 

loc_A01E60:				; CODE XREF: EtwpUpdateLastBranchTracingEvents(x,x,x)+17j
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_A01E6E

loc_A01E67:				; CODE XREF: EtwpUpdateLastBranchTracingEvents(x,x,x)+34j
		mov	eax, 0C000000Dh
		jmp	short loc_A01EE8
; 

loc_A01E6E:				; CODE XREF: EtwpUpdateLastBranchTracingEvents(x,x,x)+28j
		cmp	esi, 4
		ja	short loc_A01E67
		cmp	dword ptr [edi+2C0h], 0
		jnz	short loc_A01E85
		call	_EtwpAllocateLbrData@4 ; EtwpAllocateLbrData(x)
		test	eax, eax
		js	short loc_A01EE8

loc_A01E85:				; CODE XREF: EtwpUpdateLastBranchTracingEvents(x,x,x)+3Dj
		mov	eax, [edi+2C0h]
		mov	eax, [eax+8]
		and	[ebp+ms_exc.disabled], 0
		xor	edx, edx

loc_A01E94:				; CODE XREF: EtwpUpdateLastBranchTracingEvents(x,x,x)+6Ej
		mov	[ebp+var_1C], edx
		cmp	edx, esi
		jnb	short loc_A01EAD
		mov	cx, [ebx+edx*4]
		mov	eax, [edi+2C0h]
		mov	[eax+edx*2+0Ch], cx
		inc	edx
		jmp	short loc_A01E94
; 

loc_A01EAD:				; CODE XREF: EtwpUpdateLastBranchTracingEvents(x,x,x)+5Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		and	[ebp+arg_0], 0
		xor	ecx, ecx
		lea	eax, [ebp+arg_0]
		lock or	[eax], ecx
		mov	eax, [edi+2C0h]
		mov	[eax+8], esi
		xor	eax, eax
		jmp	short loc_A01EE8
; 

loc_A01ECD:				; DATA XREF: .text:006AA104o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A01EDB:				; DATA XREF: .text:006AA108o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_20]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A01EE8:				; CODE XREF: EtwpUpdateLastBranchTracingEvents(x,x,x)+1Ej
					; EtwpUpdateLastBranchTracingEvents(x,x,x)+2Fj	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpUpdateLastBranchTracingEvents@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpConstructIptData(x)
_EtwpConstructIptData@4	proc near	; CODE XREF: EtwpUpdateProcessorTraceConfiguration(x,x)+2Cp
		mov	edi, edi
		push	ebx
		push	offset off_6B3778
		mov	ebx, ecx
		call	_ZwLoadDriver@4	; ZwLoadDriver(x)
		test	eax, eax
		jns	short loc_A01F1B
		cmp	eax, 0C000010Eh
		jz	short loc_A01F1B
		mov	eax, 0C000026Ch
		pop	ebx
		retn
; 

loc_A01F1B:				; CODE XREF: EtwpConstructIptData(x)+11j
					; EtwpConstructIptData(x)+18j
		push	esi
		push	69777445h
		push	20h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A01F3A
		mov	eax, 0C0000017h
		jmp	short loc_A01F6D
; 

loc_A01F3A:				; CODE XREF: EtwpConstructIptData(x)+37j
		push	edi
		push	8
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		mov	ecx, _EtwpHwTraceExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		mov	[esi+10h], eax
		pop	edi
		test	eax, eax
		jnz	short loc_A01F65
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C000026Ch
		jmp	short loc_A01F6D
; 

loc_A01F65:				; CODE XREF: EtwpConstructIptData(x)+5Bj
		mov	[ebx+2C4h], esi
		xor	eax, eax

loc_A01F6D:				; CODE XREF: EtwpConstructIptData(x)+3Ej
					; EtwpConstructIptData(x)+69j
		pop	esi
		pop	ebx
		retn
_EtwpConstructIptData@4	endp


;  S U B	R O U T	I N E 


; __stdcall EtwpDestructIptData(x)
_EtwpDestructIptData@4 proc near	; CODE XREF: NtQueryPerformanceCounter+29Bp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+2C4h]
		test	esi, esi
		jz	short loc_A01FB7
		push	ebx
		xor	ebx, ebx
		cmp	[esi+10h], ebx
		jz	short loc_A01FA9
		cmp	[esi], ebx
		jz	short loc_A01F9E
		mov	eax, offset _KiCpuTracingFlags
		lock btr dword ptr [eax], 2
		mov	eax, [esi+10h]
		push	dword ptr [esi]
		call	dword ptr [eax+4]

loc_A01F9E:				; CODE XREF: EtwpDestructIptData(x)+1Aj
		mov	ecx, _EtwpHwTraceExtensionHost
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_A01FA9:				; CODE XREF: EtwpDestructIptData(x)+16j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[edi+2C4h], ebx
		pop	ebx

loc_A01FB7:				; CODE XREF: EtwpDestructIptData(x)+Ej
		pop	edi
		pop	esi
		retn
_EtwpDestructIptData@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdateProcessorTraceConfiguration(x, x)
_EtwpUpdateProcessorTraceConfiguration@8 proc near
					; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+704p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [edx+10h]
		mov	eax, 4000000h
		mov	edx, [edx+14h]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		lea	edi, [esi+258h]
		test	[edi], eax
		jnz	short loc_A0204B
		cmp	dword ptr [esi+2C4h], 0
		jnz	short loc_A01FF4
		call	_EtwpConstructIptData@4	; EtwpConstructIptData(x)
		test	eax, eax
		js	short loc_A02050
		mov	edx, [ebp+var_4]

loc_A01FF4:				; CODE XREF: EtwpUpdateProcessorTraceConfiguration(x,x)+2Aj
		mov	eax, [esi+2C4h]
		cmp	dword ptr [eax], 0
		jnz	short loc_A0204B
		mov	eax, offset _KiCpuTracingFlags
		lock bts dword ptr [eax], 2
		mov	eax, [esi+2C4h]
		push	eax
		push	edx
		push	ebx
		mov	ecx, [eax+10h]
		call	dword ptr [ecx]
		test	eax, eax
		jns	short loc_A02030
		mov	ecx, offset _KiCpuTracingFlags
		lock btr dword ptr [ecx], 2
		mov	ecx, [esi+2C4h]
		and	dword ptr [ecx], 0
		jmp	short loc_A02050
; 

loc_A02030:				; CODE XREF: EtwpUpdateProcessorTraceConfiguration(x,x)+5Dj
		mov	eax, [esi+2C4h]
		mov	ecx, [ebp+var_4]
		mov	[eax+8], ebx
		mov	[eax+0Ch], ecx
		mov	eax, 4000000h
		lock or	[edi], eax
		xor	eax, eax
		jmp	short loc_A02050
; 

loc_A0204B:				; CODE XREF: EtwpUpdateProcessorTraceConfiguration(x,x)+21j
					; EtwpUpdateProcessorTraceConfiguration(x,x)+41j
		mov	eax, 0C0000303h

loc_A02050:				; CODE XREF: EtwpUpdateProcessorTraceConfiguration(x,x)+33j
					; EtwpUpdateProcessorTraceConfiguration(x,x)+72j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpUpdateProcessorTraceConfiguration@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpUpdateProcessorTraceEvents(x, x, x)
_EtwpUpdateProcessorTraceEvents@12 proc	near
					; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x):loc_9F3D88p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	10h
		push	offset dword_6AA110
		call	__SEH_prolog4
		mov	ebx, edx
		mov	edi, ecx
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_A020DC
		cmp	esi, 4
		ja	short loc_A020DC
		mov	eax, [edi+2C4h]
		test	eax, eax
		jz	short loc_A020DC
		cmp	dword ptr [eax], 0
		jz	short loc_A020DC
		and	[ebp+ms_exc.disabled], 0
		xor	edx, edx

loc_A02086:				; CODE XREF: EtwpUpdateProcessorTraceEvents(x,x,x)+48j
		mov	[ebp+var_1C], edx
		cmp	edx, esi
		jnb	short loc_A0209F
		mov	cx, [ebx+edx*4]
		mov	eax, [edi+2C4h]
		mov	[eax+edx*2+18h], cx
		inc	edx
		jmp	short loc_A02086
; 

loc_A0209F:				; CODE XREF: EtwpUpdateProcessorTraceEvents(x,x,x)+36j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		and	[ebp+arg_0], 0
		xor	ecx, ecx
		lea	eax, [ebp+arg_0]
		lock or	[eax], ecx
		mov	eax, [edi+2C4h]
		mov	[eax+14h], esi
		xor	eax, eax
		jmp	short loc_A020E1
; 

loc_A020BF:				; DATA XREF: .text:006AA124o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A020CD:				; DATA XREF: .text:006AA128o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]
		jmp	short loc_A020E1
; 

loc_A020DC:				; CODE XREF: EtwpUpdateProcessorTraceEvents(x,x,x)+15j
					; EtwpUpdateProcessorTraceEvents(x,x,x)+1Aj ...
		mov	eax, 0C000000Dh

loc_A020E1:				; CODE XREF: EtwpUpdateProcessorTraceEvents(x,x,x)+68j
					; EtwpUpdateProcessorTraceEvents(x,x,x)+85j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpUpdateProcessorTraceEvents@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpBuildMdlForTraceBuffer(x, x, x)
_EtwpBuildMdlForTraceBuffer@12 proc near ; CODE	XREF: EtwpPreserveLogger(x)+F6p
					; EtwpPreserveLogger(x)+129p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_4], ecx
		push	esi
		mov	eax, edx
		push	esi
		push	esi
		mov	[ebp+var_8], eax
		mov	ebx, [eax]
		push	ebx
		push	eax
		call	IoAllocateMdl
		mov	edi, eax
		mov	[ebp+var_C], edi
		test	edi, edi
		jnz	short loc_A02124
		mov	esi, 0C000009Ah
		jmp	short loc_A0216E
; 

loc_A02124:				; CODE XREF: EtwpBuildMdlForTraceBuffer(x,x,x)+28j
		mov	eax, [ebp+var_4]
		test	dword ptr [eax+258h], 20000000h
		jnz	short loc_A0213B
		push	edi
		call	MmBuildMdlForNonPagedPool
		jmp	short loc_A02169
; 

loc_A0213B:				; CODE XREF: EtwpBuildMdlForTraceBuffer(x,x,x)+3Ej
		shr	ebx, 0Ch
		lea	eax, [edi+1Ch]
		test	ebx, ebx
		jz	short loc_A02169
		mov	esi, [ebp+var_8]
		mov	edi, eax

loc_A0214A:				; CODE XREF: EtwpBuildMdlForTraceBuffer(x,x,x)+6Fj
		push	esi
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		shrd	eax, edx, 0Ch
		add	esi, 1000h
		mov	[edi], eax
		lea	edi, [edi+4]
		sub	ebx, 1
		jnz	short loc_A0214A
		mov	edi, [ebp+var_C]
		xor	esi, esi

loc_A02169:				; CODE XREF: EtwpBuildMdlForTraceBuffer(x,x,x)+46j
					; EtwpBuildMdlForTraceBuffer(x,x,x)+50j
		mov	ecx, [ebp+arg_0]
		mov	[ecx], edi

loc_A0216E:				; CODE XREF: EtwpBuildMdlForTraceBuffer(x,x,x)+2Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpBuildMdlForTraceBuffer@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpCancelMemoryPreservation(x)
_EtwpCancelMemoryPreservation@4	proc near
					; CODE XREF: EtwpFreeSoftRestartContext:loc_8EFFAEp
					; EtwpKsrCallback(x,x,x)+9Cp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi+2E0h]
		cmp	byte ptr [esi+15h], 0
		jz	short loc_A021B7
		push	ebx
		xor	ebx, ebx
		push	ebx
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		push	offset _EtwpKsrGuid
		call	ds:__imp__KsrFreePersistedMemoryBlock@16 ; KsrFreePersistedMemoryBlock(x,x,x,x)
		mov	edx, [esi+8]
		mov	[esi], ebx
		mov	[esi+4], ebx
		test	edx, edx
		jz	short loc_A021B3
		mov	ecx, edi
		call	EtwpFreeTraceBuffer
		mov	[esi+8], ebx

loc_A021B3:				; CODE XREF: EtwpCancelMemoryPreservation(x)+30j
		mov	[esi+15h], bl
		pop	ebx

loc_A021B7:				; CODE XREF: EtwpCancelMemoryPreservation(x)+10j
		pop	edi
		pop	esi
		retn
_EtwpCancelMemoryPreservation@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpGetSoftRestartInformation(x, x,	x)
_EtwpGetSoftRestartInformation@12 proc near
					; CODE XREF: EtwQueryPerformanceTraceInformation(x,x,x,x)+731p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	24h
		push	offset dword_6AA130
		call	__SEH_prolog4
		mov	edi, edx
		mov	esi, ecx
		mov	[ebp+var_1C], esi
		xor	ebx, ebx
		cmp	ds:_EtwpKsrCallbackObject, ebx
		jz	loc_A022DB
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_A022DB
		push	18h
		pop	ecx
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		cmp	edi, ecx
		jnb	short loc_A021FE
		mov	eax, 0C0000004h
		jmp	loc_A022E0
; 

loc_A021FE:				; CODE XREF: EtwpGetSoftRestartInformation(x,x,x)+38j
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [esi+8]
		mov	[ebp+var_30], ecx
		mov	eax, [esi+0Ch]
		mov	[ebp+var_2C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		movzx	edx, cx
		cmp	edx, 0FFFFh
		jnz	short loc_A0222B
		mov	eax, ds:_EtwpHostSiloState
		movzx	edx, byte ptr [eax+914h]

loc_A0222B:				; CODE XREF: EtwpGetSoftRestartInformation(x,x,x)+63j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	ecx, ds:_EtwpHostSiloState
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jz	short loc_A02274
		mov	edx, edi
		xor	ecx, ecx
		inc	ecx
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A02269
		mov	eax, [edi+2E0h]
		test	eax, eax
		jz	short loc_A02269
		mov	bl, [eax+14h]

loc_A02269:				; CODE XREF: EtwpGetSoftRestartInformation(x,x,x)+A0j
					; EtwpGetSoftRestartInformation(x,x,x)+AAj
		mov	dl, 1
		mov	ecx, edi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		jmp	short loc_A02279
; 

loc_A02274:				; CODE XREF: EtwpGetSoftRestartInformation(x,x,x)+90j
		mov	esi, 0C0000296h

loc_A02279:				; CODE XREF: EtwpGetSoftRestartInformation(x,x,x)+B8j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		js	short loc_A0229D
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_1C]
		mov	[eax+10h], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A0229D:				; CODE XREF: EtwpGetSoftRestartInformation(x,x,x)+CDj
		mov	eax, esi
		jmp	short loc_A022E0
; 

loc_A022A1:				; DATA XREF: .text:006AA150o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A022AF:				; DATA XREF: .text:006AA154o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]
		jmp	short loc_A022E0
; 

loc_A022BE:				; DATA XREF: .text:006AA144o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A022CC:				; DATA XREF: .text:006AA148o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]
		jmp	short loc_A022E0
; 

loc_A022DB:				; CODE XREF: EtwpGetSoftRestartInformation(x,x,x)+1Bj
					; EtwpGetSoftRestartInformation(x,x,x)+28j
		mov	eax, 0C00000BBh

loc_A022E0:				; CODE XREF: EtwpGetSoftRestartInformation(x,x,x)+3Fj
					; EtwpGetSoftRestartInformation(x,x,x)+E5j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpGetSoftRestartInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpInitializeCompressedWriter(x, x, x)
_EtwpInitializeCompressedWriter@12 proc	near
					; CODE XREF: EtwpSavePersistedLogger(x,x,x)+1C4p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_8]
		xor	esi, esi
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], esi
		push	eax
		push	3
		mov	ebx, edx
		mov	[ebp+var_4], esi
		mov	edi, ecx
		call	_RtlGetCompressionWorkSpaceSize@12 ; RtlGetCompressionWorkSpaceSize(x,x,x)
		push	5A777445h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+1Ch], eax
		test	eax, eax
		jnz	short loc_A02334

loc_A0232D:				; CODE XREF: EtwpInitializeCompressedWriter(x,x,x)+5Cj
		mov	esi, 0C0000017h
		jmp	short loc_A02360
; 

loc_A02334:				; CODE XREF: EtwpInitializeCompressedWriter(x,x,x)+39j
		mov	[edi+10h], ebx
		add	ebx, ebx
		push	5A777445h
		push	ebx
		push	1
		mov	[edi+24h], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+20h], eax
		test	eax, eax
		jz	short loc_A0232D
		push	ebx		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		mov	[edi], ecx

loc_A02360:				; CODE XREF: EtwpInitializeCompressedWriter(x,x,x)+40j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpInitializeCompressedWriter@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpIsSoftRestartSupported()
_EtwpIsSoftRestartSupported@0 proc near	; CODE XREF: EtwpStartLogger:loc_911218p
		cmp	ds:_EtwpKsrCallbackObject, 0
		setnz	al
		retn
_EtwpIsSoftRestartSupported@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpKsrCallback(x, x, x)
_EtwpKsrCallback@12 proc near		; DATA XREF: EtwpInitialize+205FAo

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	eax, esi
		sub	eax, 0
		jz	short loc_A023A8
		sub	eax, 1
		jz	short loc_A023AD
		sub	eax, 1
		jz	short loc_A0239E
		sub	eax, 1
		jz	short loc_A023A8
		sub	eax, 1
		jz	short loc_A023AD
		jmp	loc_A0243E
; 

loc_A0239E:				; CODE XREF: EtwpKsrCallback(x,x,x)+19j
		call	_EtwpSavePersistedLoggers@0 ; EtwpSavePersistedLoggers()
		jmp	loc_A0243E
; 

loc_A023A8:				; CODE XREF: EtwpKsrCallback(x,x,x)+Fj
					; EtwpKsrCallback(x,x,x)+1Ej
		call	_EtwpSavePersistedLoggers@0 ; EtwpSavePersistedLoggers()

loc_A023AD:				; CODE XREF: EtwpKsrCallback(x,x,x)+14j
					; EtwpKsrCallback(x,x,x)+23j
		test	esi, esi
		jz	short loc_A023BA
		cmp	esi, 3
		jz	short loc_A023BA
		xor	al, al
		jmp	short loc_A023BC
; 

loc_A023BA:				; CODE XREF: EtwpKsrCallback(x,x,x)+3Bj
					; EtwpKsrCallback(x,x,x)+40j
		mov	al, 1

loc_A023BC:				; CODE XREF: EtwpKsrCallback(x,x,x)+44j
		mov	ds:_EtwpKsrPrepared, al
		mov	eax, ds:_EtwpHostSiloState
		push	ebx
		xor	ebx, ebx
		cmp	[eax+8], ebx
		jbe	short loc_A0243D
		push	edi

loc_A023CF:				; CODE XREF: EtwpKsrCallback(x,x,x)+C6j
		push	0
		mov	edx, ebx
		mov	ecx, eax
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		test	edi, edi
		jz	short loc_A02431
		mov	eax, [edi+2E0h]
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		mov	dl, cl
		test	eax, eax
		jz	short loc_A0242A
		push	ecx
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [edi+1D0h]
		mov	byte ptr [ebp+arg_4+3],	1
		push	eax
		call	KeWaitForSingleObject
		test	esi, esi
		jz	short loc_A02417
		cmp	esi, 3
		jz	short loc_A02417
		mov	ecx, edi
		call	_EtwpCancelMemoryPreservation@4	; EtwpCancelMemoryPreservation(x)
		jmp	short loc_A02427
; 

loc_A02417:				; CODE XREF: EtwpKsrCallback(x,x,x)+93j
					; EtwpKsrCallback(x,x,x)+98j
		mov	eax, [ebp+var_4]
		cmp	byte ptr [eax+14h], 0
		jz	short loc_A02427
		mov	ecx, edi
		call	_EtwpPreserveLogger@4 ;	EtwpPreserveLogger(x)

loc_A02427:				; CODE XREF: EtwpKsrCallback(x,x,x)+A1j
					; EtwpKsrCallback(x,x,x)+AAj
		mov	dl, byte ptr [ebp+arg_4+3]

loc_A0242A:				; CODE XREF: EtwpKsrCallback(x,x,x)+7Bj
		mov	ecx, edi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_A02431:				; CODE XREF: EtwpKsrCallback(x,x,x)+6Aj
		mov	eax, ds:_EtwpHostSiloState
		inc	ebx
		cmp	ebx, [eax+8]
		jb	short loc_A023CF
		pop	edi

loc_A0243D:				; CODE XREF: EtwpKsrCallback(x,x,x)+58j
		pop	ebx

loc_A0243E:				; CODE XREF: EtwpKsrCallback(x,x,x)+25j
					; EtwpKsrCallback(x,x,x)+2Fj
		pop	esi
		leave
		retn	0Ch
_EtwpKsrCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpKsrMemoryEnumCallback(x, x, x, x)
_EtwpKsrMemoryEnumCallback@16 proc near	; DATA XREF: EtwpSavePersistedLoggersWorker()+3Co

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_C]
		mov	eax, ds:_EtwpHostSiloState
		push	esi
		mov	esi, [edx]
		cmp	esi, [eax+8]
		jb	short loc_A0245F
		mov	eax, 0C0000023h
		jmp	short loc_A02473
; 

loc_A0245F:				; CODE XREF: EtwpKsrMemoryEnumCallback(x,x,x,x)+13j
		mov	ecx, [edx+4]
		mov	eax, [ebp+arg_4]
		mov	[ecx+esi*8], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+esi*8+4], eax
		inc	dword ptr [edx]
		xor	eax, eax

loc_A02473:				; CODE XREF: EtwpKsrMemoryEnumCallback(x,x,x,x)+1Aj
		pop	esi
		pop	ebp
		retn	10h
_EtwpKsrMemoryEnumCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpPreserveLogger(x)
_EtwpPreserveLogger@4 proc near		; CODE XREF: EtwpKsrCallback(x,x,x)+AEp
					; EtwpSetSoftRestartInformation(x,x)+189p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	eax, [ebx+2E0h]
		mov	[ebp+var_14], eax
		cmp	byte ptr [eax+15h], 0
		jz	short loc_A0249F
		xor	eax, eax
		jmp	loc_A02617
; 

loc_A0249F:				; CODE XREF: EtwpPreserveLogger(x)+1Ej
		mov	ecx, [eax+0Ch]
		mov	eax, [eax+10h]
		and	[ebp+var_C], 0
		mov	[ebp+var_10], eax
		mov	eax, [ebx+4]
		movzx	esi, cx
		mov	[ebp+var_8], eax
		add	esi, 2
		mov	eax, [ebx+0A0h]
		push	4B777445h
		mov	[ebp+var_1C], ecx
		lea	eax, [esi+10h]
		push	eax
		push	1
		mov	[ebp+var_20], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_18], edi
		test	edi, edi
		jnz	short loc_A024E7
		mov	esi, 0C000009Ah
		jmp	loc_A02615
; 

loc_A024E7:				; CODE XREF: EtwpPreserveLogger(x)+63j
		lea	eax, [esi+10h]
		push	eax		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebx+4]
		add	esp, 0Ch
		mov	[edi+8], eax
		lea	eax, [edi+10h]
		mov	dword ptr [edi+0Ch], 10h
		push	esi		; size_t
		push	[ebp+var_10]	; void *
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		mov	ecx, ebx
		call	EtwpAllocateTraceBuffer
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		jnz	short loc_A02530
		mov	esi, 0C0000017h
		jmp	loc_A0260D
; 

loc_A02530:				; CODE XREF: EtwpPreserveLogger(x)+ACj
		mov	edx, esi
		mov	ecx, ebx
		call	EtwpInitializeBufferHeader
		push	4
		pop	edx
		mov	ecx, esi
		call	@EtwpResetBufferHeader@8 ; EtwpResetBufferHeader(x,x)
		mov	esi, [ebx+64h]
		mov	ecx, ebx
		mov	eax, [ebp+var_1C]
		mov	edi, [ebx+68h]
		mov	edx, [ebp+var_8]
		mov	[ebx+64h], eax
		mov	eax, [ebp+var_10]
		mov	[ebx+68h], eax
		call	EtwpAddLogHeader
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, ebx
		mov	[ebx+64h], esi
		mov	[ebx+68h], edi
		call	_EtwpBuildMdlForTraceBuffer@12 ; EtwpBuildMdlForTraceBuffer(x,x,x)
		mov	edi, [ebp+var_18]
		mov	esi, eax
		test	esi, esi
		js	short loc_A025F4
		mov	eax, [ebp+var_4]
		mov	ecx, ebx
		inc	dword ptr [edi+4]
		mov	[ebp+var_C], eax
		call	_EtwpGetFirstBuffer@4 ;	EtwpGetFirstBuffer(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A025CC
		mov	eax, [ebp+var_C]
		mov	[ebp+var_10], eax

loc_A02598:				; CODE XREF: EtwpPreserveLogger(x)+152j
		mov	edx, [esi+8]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, ebx
		call	_EtwpBuildMdlForTraceBuffer@12 ; EtwpBuildMdlForTraceBuffer(x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	short loc_A025F1
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_4]
		mov	[ebp+var_10], eax
		mov	[ecx], eax
		lea	eax, [ebx+40h]
		inc	dword ptr [edi+4]
		mov	ecx, [esi]
		mov	esi, ecx
		sub	esi, eax
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		jnz	short loc_A02598

loc_A025CC:				; CODE XREF: EtwpPreserveLogger(x)+118j
		push	[ebp+var_14]
		mov	ecx, [ebp+var_C]
		mov	edx, edi
		push	[ebp+var_20]
		call	_EtwpPreserveMdlList@16	; EtwpPreserveMdlList(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A025F4
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_8]
		mov	[eax+8], ecx
		mov	byte ptr [eax+15h], 1
		jmp	short loc_A025FE
; 

loc_A025F1:				; CODE XREF: EtwpPreserveLogger(x)+133j
		mov	esi, [ebp+var_1C]

loc_A025F4:				; CODE XREF: EtwpPreserveLogger(x)+102j
					; EtwpPreserveLogger(x)+168j
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		call	EtwpFreeTraceBuffer

loc_A025FE:				; CODE XREF: EtwpPreserveLogger(x)+177j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_A0260D
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0260D:				; CODE XREF: EtwpPreserveLogger(x)+B3j
					; EtwpPreserveLogger(x)+18Bj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A02615:				; CODE XREF: EtwpPreserveLogger(x)+6Aj
		mov	eax, esi

loc_A02617:				; CODE XREF: EtwpPreserveLogger(x)+22j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpPreserveLogger@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpPreserveMdlList(x, x, x, x)
_EtwpPreserveMdlList@16	proc near	; CODE XREF: EtwpPreserveLogger(x)+15Fp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_18], edx
		push	edi
		xor	esi, esi
		mov	edi, ebx

loc_A02634:				; CODE XREF: EtwpPreserveMdlList(x,x,x,x)+2Ej
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	0
		push	edi
		call	ds:__imp__KsrMdlToMemoryRuns@16	; KsrMdlToMemoryRuns(x,x,x,x)
		add	esi, [ebp+var_4]
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_A02634
		push	4B777445h
		mov	eax, esi
		mov	[ebp+var_10], esi
		shl	eax, 3
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_14], edi
		test	edi, edi
		jnz	short loc_A02671
		mov	esi, 0C0000017h
		jmp	short loc_A026BC
; 

loc_A02671:				; CODE XREF: EtwpPreserveMdlList(x,x,x,x)+4Cj
		mov	[ebp+var_8], edi
		mov	[ebp+var_C], esi
		test	ebx, ebx
		jz	short loc_A0269C

loc_A0267B:				; CODE XREF: EtwpPreserveMdlList(x,x,x,x)+78j
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	edi
		push	ebx
		call	ds:__imp__KsrMdlToMemoryRuns@16	; KsrMdlToMemoryRuns(x,x,x,x)
		mov	eax, [ebp+var_4]
		sub	esi, eax
		mov	ebx, [ebx]
		lea	edi, [edi+eax*8]
		test	ebx, ebx
		jnz	short loc_A0267B
		mov	esi, [ebp+var_10]
		mov	edi, [ebp+var_14]

loc_A0269C:				; CODE XREF: EtwpPreserveMdlList(x,x,x,x)+5Dj
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	[ebp+var_18]
		push	esi
		push	edi
		push	offset _EtwpKsrGuid
		call	ds:__imp__KsrPersistMemoryWithMetadata@24 ; KsrPersistMemoryWithMetadata(x,x,x,x,x,x)
		mov	esi, eax
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A026BC:				; CODE XREF: EtwpPreserveMdlList(x,x,x,x)+53j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_EtwpPreserveMdlList@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpQueryPersistedMemory(x,	x, x, x, x)
_EtwpQueryPersistedMemory@20 proc near	; CODE XREF: EtwpSavePersistedLogger(x,x,x)+F4p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		xor	ecx, ecx
		mov	[ebp+var_8], edx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ecx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	offset _EtwpKsrGuid
		call	ds:__imp__KsrClaimPersistedMemory@28 ; KsrClaimPersistedMemory(x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_A02702
		test	esi, esi
		js	short loc_A0275F
		mov	esi, 0C0000001h
		jmp	short loc_A0275F
; 

loc_A02702:				; CODE XREF: EtwpQueryPersistedMemory(x,x,x,x,x)+30j
		mov	eax, [ebp+var_4]
		push	edi
		push	4B777445h
		shl	eax, 3
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A02726
		mov	esi, 0C000009Ah
		jmp	short loc_A0275E
; 

loc_A02726:				; CODE XREF: EtwpQueryPersistedMemory(x,x,x,x,x)+58j
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	[ebp+var_4]
		push	edi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	offset _EtwpKsrGuid
		call	ds:__imp__KsrClaimPersistedMemory@28 ; KsrClaimPersistedMemory(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A02756
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+arg_8]
		mov	[eax], edi
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		jmp	short loc_A0275E
; 

loc_A02756:				; CODE XREF: EtwpQueryPersistedMemory(x,x,x,x,x)+80j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0275E:				; CODE XREF: EtwpQueryPersistedMemory(x,x,x,x,x)+5Fj
					; EtwpQueryPersistedMemory(x,x,x,x,x)+8Fj
		pop	edi

loc_A0275F:				; CODE XREF: EtwpQueryPersistedMemory(x,x,x,x,x)+34j
					; EtwpQueryPersistedMemory(x,x,x,x,x)+3Bj
		mov	eax, esi
		pop	esi
		leave
		retn	0Ch
_EtwpQueryPersistedMemory@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSavePersistedLogger(x, x, x)
_EtwpSavePersistedLogger@12 proc near	; CODE XREF: EtwpSavePersistedLoggersWorker()+93p

var_C0		= dword	ptr -0C0h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_51		= dword	ptr -51h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	[ebp+var_60], ecx
		lea	edi, [ebp+var_30]
		xor	eax, eax
		pop	ecx
		rep stosd
		xor	ecx, ecx
		mov	[ebp+var_38], eax
		mov	[ebp+var_70], eax
		mov	ebx, ecx
		push	ecx
		lea	eax, [ebp+var_78]
		mov	[ebp+var_88], ecx
		mov	esi, ecx
		mov	[ebp+var_84], ecx
		push	eax
		mov	[ebp+var_78], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_44], esi
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], ecx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	38h		; size_t
		lea	eax, [ebp+var_C0]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	offset _ETW_EVENT_SAVE_PERSISTED_LOGGER_START
		push	dword_6BC30C
		push	_EtwpEventTracingProvRegHandle
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	eax, [ebp+var_60]
		mov	edi, [eax+8]
		mov	[ebp+var_4C], edi
		test	edi, edi
		jz	loc_A02B7B
		test	edi, 0FFFh
		jnz	loc_A02B7B
		push	ebx
		push	4B777445h
		push	edi
		call	MmAllocateMappingAddressEx
		mov	[ebp+var_6C], eax
		test	eax, eax
		jnz	short loc_A02835

loc_A0282B:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+E0j
		mov	edi, 0C000009Ah
		jmp	loc_A02B80
; 

loc_A02835:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+C3j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	edi
		push	eax
		call	IoAllocateMdl
		mov	[ebp+var_48], eax
		test	eax, eax
		jz	short loc_A0282B
		or	word ptr [eax+6], 2
		lea	edx, [ebp+var_68]
		lea	eax, [ebp+var_58]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_EtwpQueryPersistedMemory@20 ; EtwpQueryPersistedMemory(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A02B80
		mov	ecx, [ebp+var_60]
		mov	eax, [ecx+0Ch]
		add	eax, ecx
		push	eax
		lea	eax, [ebp+var_78]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		mov	ecx, eax
		mov	edi, eax
		mov	edx, eax
		cmp	[ebp+var_58], eax
		jbe	short loc_A028C1
		mov	eax, [ebp+var_68]

loc_A0288B:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+159j
		mov	esi, [eax+edx*8]
		mov	[ebp+var_3C], esi
		mov	esi, [eax+edx*8+4]
		cmp	esi, 100h
		mov	[ebp+var_51+1],	esi
		mov	esi, [ebp+var_44]
		jb	loc_A029A8
		ja	short loc_A028B2
		cmp	[ebp+var_3C], ebx
		jb	loc_A029A8

loc_A028B2:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+141j
		shr	[ebp+var_51+1],	8
		add	ecx, [ebp+var_51+1]
		adc	edi, ebx
		inc	edx
		cmp	edx, [ebp+var_58]
		jb	short loc_A0288B

loc_A028C1:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+120j
		mov	edx, [ebp+var_60]
		mov	eax, [ebp+var_4C]
		shld	edi, ecx, 0Ch
		mul	dword ptr [edx+4]
		shl	ecx, 0Ch
		cmp	ecx, eax
		jnz	loc_A029A8
		cmp	edi, edx
		jnz	loc_A029A8
		xor	eax, eax
		lea	edx, [ebp+var_78]
		push	1
		push	eax
		mov	byte ptr [ebp+var_51], al
		lea	ecx, [ebp+var_44]
		push	1
		lea	eax, [ebp+var_51]
		push	eax
		call	EtwpDelayCreate
		mov	esi, [ebp+var_44]
		mov	edi, eax
		test	edi, edi
		js	loc_A02B80
		push	4
		push	28h
		lea	eax, [ebp+var_30]
		mov	[ebp+var_10], 2000h
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		push	esi
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		mov	edx, [ebp+var_4C]
		lea	ecx, [ebp+var_C0]
		push	esi
		call	_EtwpInitializeCompressedWriter@12 ; EtwpInitializeCompressedWriter(x,x,x)
		mov	edi, eax
		mov	[ebp+var_51+1],	edi
		test	edi, edi
		js	loc_A02B80
		xor	eax, eax
		xor	esi, esi
		mov	edx, eax
		mov	[ebp+var_38], eax
		mov	ecx, eax
		mov	[ebp+var_64], edx
		mov	eax, [ebp+var_60]
		mov	[ebp+var_34], ecx
		cmp	[eax+4], esi
		jbe	loc_A02A97
		mov	eax, [ebp+var_4C]
		shr	eax, 0Ch
		mov	[ebp+var_3C], eax

loc_A02962:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+31Ej
		mov	[ebp+var_58], esi
		mov	esi, [ebp+var_48]
		test	eax, eax
		jz	short loc_A029C1
		mov	edi, [ebp+var_68]
		mov	ebx, [ebp+var_58]

loc_A02972:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+253j
		mov	eax, [edi+edx*8]
		add	eax, ecx
		inc	ecx
		mov	[esi+ebx*4+1Ch], eax
		mov	eax, [edi+edx*8]
		mov	edx, [edi+edx*8+4]
		mov	[ebp+var_34], ecx
		mov	cl, 28h
		call	__aullshr
		mov	ecx, [ebp+var_34]
		cmp	ecx, eax
		jnz	short loc_A029B2
		xor	eax, eax
		cmp	eax, edx
		mov	edx, [ebp+var_64]
		jnz	short loc_A029B5
		inc	edx
		mov	ecx, eax
		mov	[ebp+var_64], edx
		mov	[ebp+var_34], ecx
		jmp	short loc_A029B5
; 

loc_A029A8:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+13Bj
					; EtwpSavePersistedLogger(x,x,x)+146j ...
		mov	edi, 0C0190030h
		jmp	loc_A02B80
; 

loc_A029B2:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+22Cj
		mov	edx, [ebp+var_64]

loc_A029B5:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+235j
					; EtwpSavePersistedLogger(x,x,x)+240j
		inc	ebx
		cmp	ebx, [ebp+var_3C]
		jb	short loc_A02972
		mov	edi, [ebp+var_51+1]
		mov	ebx, [ebp+var_5C]

loc_A029C1:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+204j
		push	1
		push	esi
		push	4B777445h
		push	[ebp+var_6C]
		call	MmMapLockedPagesWithReservedMapping
		mov	ecx, [ebp+var_4C]
		mov	esi, eax
		cmp	[esi], ecx
		jz	short loc_A029E8

loc_A029DA:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+29Ej
		inc	ebx
		mov	edi, 0C0000206h
		mov	[ebp+var_40], ebx
		mov	[ebp+var_51+1],	edi
		jmp	short loc_A02A51
; 

loc_A029E8:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+272j
		mov	eax, [esi+8]
		cmp	eax, [esi]
		jbe	short loc_A029F7
		mov	eax, [esi+4]
		mov	[esi+30h], eax
		jmp	short loc_A029FD
; 

loc_A029F7:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+287j
		mov	eax, [esi+8]
		mov	[esi+30h], eax

loc_A029FD:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+28Fj
		cmp	eax, ecx
		jbe	short loc_A02A06
		mov	ebx, [ebp+var_40]
		jmp	short loc_A029DA
; 

loc_A02A06:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+299j
		cmp	eax, 48h
		jbe	short loc_A02A4E
		mov	edx, ecx
		sub	edx, eax
		jz	short loc_A02A25
		push	edx		; size_t
		add	eax, esi
		push	0FFh		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_4C]
		add	esp, 0Ch

loc_A02A25:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+2A9j
		cmp	[ebp+var_38], 0
		jnz	short loc_A02A3C
		add	[ebp+var_B8], ecx
		push	0
		pop	eax
		adc	[ebp+var_B4], eax
		jmp	short loc_A02A4E
; 

loc_A02A3C:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+2C3j
		mov	edx, esi
		lea	ecx, [ebp+var_C0]
		call	_EtwpWriteBufferCompressed@8 ; EtwpWriteBufferCompressed(x,x)
		mov	edi, eax
		mov	[ebp+var_51+1],	edi

loc_A02A4E:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+2A3j
					; EtwpSavePersistedLogger(x,x,x)+2D4j
		mov	ebx, [ebp+var_40]

loc_A02A51:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+280j
		mov	[ebp+var_5C], ebx
		push	[ebp+var_48]
		push	4B777445h
		push	esi
		call	_MmUnmapReservedMapping@12 ; MmUnmapReservedMapping(x,x,x)
		mov	eax, [ebp+var_38]
		test	edi, edi
		jns	short loc_A02A6D
		test	eax, eax
		jz	short loc_A02A89

loc_A02A6D:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+301j
		mov	ecx, [ebp+var_60]
		inc	eax
		xor	esi, esi
		mov	[ebp+var_38], eax
		cmp	eax, [ecx+4]
		jnb	short loc_A02A97
		mov	ecx, [ebp+var_34]
		mov	eax, [ebp+var_3C]
		mov	edx, [ebp+var_64]
		jmp	loc_A02962
; 

loc_A02A89:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+305j
		mov	eax, [ebp+var_70]
		mov	esi, [ebp+var_44]
		mov	[ebp+var_38], eax
		jmp	loc_A02B80
; 

loc_A02A97:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+1EDj
					; EtwpSavePersistedLogger(x,x,x)+313j
		lea	eax, [ebp+var_40]
		push	eax
		lea	edx, [ebp+var_70]
		lea	ecx, [ebp+var_C0]
		call	_EtwpWriteRemainingCompressedData@12 ; EtwpWriteRemainingCompressedData(x,x,x)
		mov	edi, [ebp+var_4C]
		mov	ecx, esi
		mov	eax, edi
		mov	[ebp+var_3C], ecx
		shr	eax, 0Ch
		test	eax, eax
		jz	short loc_A02B00
		mov	ebx, [ebp+var_68]
		mov	edi, eax
		mov	esi, [ebp+var_48]
		mov	edx, [ebp+var_34]

loc_A02AC5:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+395j
		mov	eax, [ebx]
		add	eax, edx
		inc	edx
		mov	[esi+ecx*4+1Ch], eax
		mov	cl, 28h
		mov	eax, [ebx]
		mov	[ebp+var_34], edx
		mov	edx, [ebx+4]
		call	__aullshr
		cmp	[ebp+var_34], eax
		jnz	short loc_A02AEF
		xor	eax, eax
		cmp	eax, edx
		jnz	short loc_A02AEF
		add	ebx, 8
		mov	edx, eax
		jmp	short loc_A02AF2
; 

loc_A02AEF:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+37Aj
					; EtwpSavePersistedLogger(x,x,x)+380j
		mov	edx, [ebp+var_34]

loc_A02AF2:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+387j
		mov	ecx, [ebp+var_3C]
		inc	ecx
		mov	[ebp+var_3C], ecx
		cmp	ecx, edi
		jb	short loc_A02AC5
		mov	edi, [ebp+var_4C]

loc_A02B00:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+352j
		push	1
		push	[ebp+var_48]
		push	4B777445h
		push	[ebp+var_6C]
		call	MmMapLockedPagesWithReservedMapping
		mov	esi, eax
		mov	ebx, [ebp+var_40]
		mov	eax, [ebp+var_70]
		xor	ecx, ecx
		push	ecx
		mov	[ebp+var_38], eax
		or	dword ptr [esi+88h], 4000000h
		inc	eax
		add	[esi+174h], ebx
		mov	[ebp+var_3C], eax
		mov	[esi+8Ch], eax
		lea	eax, [ebp+var_88]
		push	eax
		push	edi
		push	esi
		lea	eax, [ebp+var_80]
		mov	dword ptr [esi+2Ch], 3
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_44]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		push	[ebp+var_48]
		mov	edi, eax
		push	4B777445h
		push	esi
		call	_MmUnmapReservedMapping@12 ; MmUnmapReservedMapping(x,x,x)
		mov	esi, [ebp+var_44]
		test	edi, edi
		jns	short loc_A02B73
		inc	ebx
		jmp	short loc_A02B80
; 

loc_A02B73:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+408j
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_38], eax
		jmp	short loc_A02B80
; 

loc_A02B7B:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+A0j
					; EtwpSavePersistedLogger(x,x,x)+ACj
		mov	edi, 0C01A000Dh

loc_A02B80:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+CAj
					; EtwpSavePersistedLogger(x,x,x)+FDj ...
		xor	eax, eax
		cmp	[ebp+var_A4], eax
		jz	short loc_A02B9E
		push	eax
		push	[ebp+var_A4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebp+var_A4], eax

loc_A02B9E:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+422j
		cmp	[ebp+var_A0], 0
		jz	short loc_A02BBB
		push	eax
		push	[ebp+var_A0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	[ebp+var_A0], eax

loc_A02BBB:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+43Fj
		test	esi, esi
		jz	short loc_A02BC5
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_A02BC5:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+457j
		mov	eax, [ebp+var_6C]
		test	eax, eax
		jz	short loc_A02BD7
		push	4B777445h
		push	eax
		call	MmFreeMappingAddress

loc_A02BD7:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+464j
		mov	eax, [ebp+var_48]
		xor	esi, esi
		test	eax, eax
		jz	short loc_A02BE7
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A02BE7:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+478j
		mov	eax, [ebp+var_68]
		test	eax, eax
		jz	short loc_A02BF5
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A02BF5:				; CODE XREF: EtwpSavePersistedLogger(x,x,x)+486j
		push	1
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	offset _EtwpKsrGuid
		call	ds:__imp__KsrFreePersistedMemoryBlock@16 ; KsrFreePersistedMemoryBlock(x,x,x,x)
		mov	eax, [ebp+var_60]
		lea	ecx, [ebp+var_78]
		mov	edx, [ebp+var_4C]
		push	edi
		push	ebx
		push	[ebp+var_38]
		push	dword ptr [eax+4]
		call	_EtwpTraceSavePersistedLoggerStop@24 ; EtwpTraceSavePersistedLoggerStop(x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_EtwpSavePersistedLogger@12 endp


;  S U B	R O U T	I N E 


; __stdcall EtwpSavePersistedLoggers()
_EtwpSavePersistedLoggers@0 proc near	; CODE XREF: EtwpKsrCallback(x,x,x):loc_A0239Ep
					; EtwpKsrCallback(x,x,x):loc_A023A8p
		call	_ExIsSoftBoot@0	; ExIsSoftBoot()
		test	al, al
		jz	short locret_A02C50
		xor	ecx, ecx
		mov	edx, offset _EtwpLoggerSaveState
		inc	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	_EtwpSavePersistedLoggersWorker@0 ; EtwpSavePersistedLoggersWorker()

locret_A02C50:				; CODE XREF: EtwpSavePersistedLoggers()+7j
		retn
_EtwpSavePersistedLoggers@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSavePersistedLoggersWorker()
_EtwpSavePersistedLoggersWorker@0 proc near ; CODE XREF: EtwpSavePersistedLoggers()+19j

var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, ds:_EtwpHostSiloState
		and	[esp+4+var_4], 0
		push	ebx
		push	esi
		mov	eax, [eax+8]
		push	edi
		push	4B777445h
		lea	eax, ds:1008h[eax*8]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A02CFD
		and	dword ptr [esi], 0
		lea	ecx, [esi+1008h]
		push	esi
		push	offset _EtwpKsrMemoryEnumCallback@16 ; EtwpKsrMemoryEnumCallback(x,x,x,x)
		push	offset _EtwpKsrGuid
		mov	[esi+4], ecx
		call	ds:__imp__KsrEnumeratePersistedMemory@12 ; KsrEnumeratePersistedMemory(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A02CF1
		xor	edi, edi
		lea	eax, [esi+8]
		cmp	[esi], edi
		jbe	short loc_A02CF1

loc_A02CAF:				; CODE XREF: EtwpSavePersistedLoggersWorker()+9Ej
		lea	ecx, [esp+1Ch+var_10]
		push	ecx
		push	1000h
		push	eax
		mov	eax, [esi+4]
		push	dword ptr [eax+edi*8+4]
		push	dword ptr [eax+edi*8]
		push	offset _EtwpKsrGuid
		call	ds:__imp__KsrQueryMetadata@24 ;	KsrQueryMetadata(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_A02CD7
		mov	ebx, eax
		jmp	short loc_A02CE9
; 

loc_A02CD7:				; CODE XREF: EtwpSavePersistedLoggersWorker()+80j
		mov	eax, [esi+4]
		lea	ecx, [esi+8]
		push	dword ptr [eax+edi*8+4]
		push	dword ptr [eax+edi*8]
		call	_EtwpSavePersistedLogger@12 ; EtwpSavePersistedLogger(x,x,x)

loc_A02CE9:				; CODE XREF: EtwpSavePersistedLoggersWorker()+84j
		inc	edi
		lea	eax, [esi+8]
		cmp	edi, [esi]
		jb	short loc_A02CAF

loc_A02CF1:				; CODE XREF: EtwpSavePersistedLoggersWorker()+53j
					; EtwpSavePersistedLoggersWorker()+5Cj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jns	short loc_A02D0A

loc_A02CFD:				; CODE XREF: EtwpSavePersistedLoggersWorker()+30j
		push	1
		push	offset _EtwpKsrGuid
		call	ds:__imp__KsrFreePersistedMemory@8 ; KsrFreePersistedMemory(x,x)

loc_A02D0A:				; CODE XREF: EtwpSavePersistedLoggersWorker()+AAj
		push	2
		pop	eax
		mov	ecx, offset _EtwpLoggerSaveState
		xchg	eax, [ecx]
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_EtwpSavePersistedLoggersWorker@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpSetSoftRestartInformation(x, x)
_EtwpSetSoftRestartInformation@8 proc near
					; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+BA1p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

		push	28h
		push	offset dword_6AA158
		call	__SEH_prolog4
		mov	edi, edx
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		cmp	ds:_EtwpKsrCallbackObject, ebx
		jz	loc_A02F36
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jnz	loc_A02F36
		cmp	edi, 18h
		jnb	short loc_A02D61
		mov	eax, 0C000000Dh
		jmp	loc_A02F3B
; 

loc_A02D61:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+3Aj
		push	ebx
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esi+12h]
		mov	[ebp+var_20], eax
		lea	eax, [edi-12h]
		mov	word ptr [ebp+var_24], ax
		mov	word ptr [ebp+var_24+2], ax
		test	ax, ax
		jz	short loc_A02D94
		lea	edx, [ebp+var_30]
		lea	ecx, [ebp+var_24]
		call	EtwpCaptureString
		test	eax, eax
		js	loc_A02F3B

loc_A02D94:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+64j
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [esi+8]
		mov	[ebp+var_38], ecx
		mov	eax, [esi+0Ch]
		mov	[ebp+var_34], eax
		mov	al, [esi+10h]
		mov	[ebp+var_19], al
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		movzx	edx, cx
		cmp	edx, 0FFFFh
		jnz	short loc_A02DC7
		mov	eax, ds:_EtwpHostSiloState
		movzx	edx, byte ptr [eax+914h]

loc_A02DC7:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+9Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		mov	ecx, ds:_EtwpHostSiloState
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edi, eax
		mov	[ebp+var_20], edi
		test	edi, edi
		jz	loc_A02EEE
		mov	edx, edi
		mov	ecx, 80h
		call	_EtwpCheckLoggerControlAccess@8	; EtwpCheckLoggerControlAccess(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A02EF3
		mov	ebx, [edi+2E0h]
		cmp	[ebp+var_19], 0
		jz	loc_A02EC5
		test	ebx, ebx
		jnz	short loc_A02E49
		push	4B777445h
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A02E37
		mov	esi, 0C0000017h
		jmp	loc_A02EF3
; 

loc_A02E37:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+110j
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, ebx
		rep stosd
		mov	edi, [ebp+var_20]
		mov	[edi+2E0h], ebx

loc_A02E49:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+FCj
		cmp	byte ptr [ebx+14h], 0
		jz	short loc_A02E59
		mov	esi, 0C0000303h
		jmp	loc_A02EF3
; 

loc_A02E59:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+132j
		mov	eax, [ebp+var_30]
		test	ax, ax
		jnz	short loc_A02E6B
		mov	esi, 0C0000098h
		jmp	loc_A02EF3
; 

loc_A02E6B:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+144j
		test	dword ptr [edi+0Ch], 400h
		jz	short loc_A02EBE
		cmp	dword ptr [edi+0E0h], 1
		jz	short loc_A02EBE
		test	dword ptr [edi+4], 0FFFh
		jnz	short loc_A02EBE
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_2C]
		mov	[ebx+10h], eax
		and	[ebp+var_2C], 0
		mov	byte ptr [ebx+14h], 1
		xor	esi, esi
		cmp	ds:_EtwpKsrPrepared, 0
		jz	short loc_A02EF3
		mov	ecx, edi
		call	_EtwpPreserveLogger@4 ;	EtwpPreserveLogger(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A02EF3
		mov	byte ptr [ebx+14h], 0
		lea	eax, [ebx+0Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		jmp	short loc_A02EF3
; 

loc_A02EBE:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+157j
					; EtwpSetSoftRestartInformation(x,x)+160j ...
		mov	esi, 0C00000BBh
		jmp	short loc_A02EF3
; 

loc_A02EC5:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+F4j
		test	ebx, ebx
		jz	short loc_A02EE7
		cmp	byte ptr [ebx+14h], 0
		jz	short loc_A02EE7
		mov	ecx, edi
		call	_EtwpCancelMemoryPreservation@4	; EtwpCancelMemoryPreservation(x)
		lea	eax, [ebx+0Ch]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	byte ptr [ebx+14h], 0
		xor	esi, esi
		jmp	short loc_A02EF3
; 

loc_A02EE7:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+1ACj
					; EtwpSetSoftRestartInformation(x,x)+1B2j
		mov	esi, 0C0000302h
		jmp	short loc_A02EF3
; 

loc_A02EEE:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+CEj
		mov	esi, 0C0000296h

loc_A02EF3:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+E4j
					; EtwpSetSoftRestartInformation(x,x)+117j ...
		test	edi, edi
		jz	short loc_A02F00
		mov	dl, 1
		mov	ecx, edi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)

loc_A02F00:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+1DAj
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi
		jmp	short loc_A02F3B
; 

loc_A02F19:				; DATA XREF: .text:006AA16Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A02F27:				; DATA XREF: .text:006AA170o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_28]
		jmp	short loc_A02F3B
; 

loc_A02F36:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+24j
					; EtwpSetSoftRestartInformation(x,x)+31j
		mov	eax, 0C00000BBh

loc_A02F3B:				; CODE XREF: EtwpSetSoftRestartInformation(x,x)+41j
					; EtwpSetSoftRestartInformation(x,x)+73j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpSetSoftRestartInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpTraceSavePersistedLoggerStop(x,	x, x, x, x, x)
_EtwpTraceSavePersistedLoggerStop@24 proc near
					; CODE XREF: EtwpSavePersistedLogger(x,x,x)+4B3p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_C], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_7C], edx
		mov	esi, offset _ETW_EVENT_SAVE_PERSISTED_LOGGER_STOP
		mov	[ebp+var_78], ecx
		jge	short loc_A02F76
		mov	esi, offset _ETW_EVENT_SAVE_PERSISTED_LOGGER_ERROR

loc_A02F76:				; CODE XREF: EtwpTraceSavePersistedLoggerStop(x,x,x,x,x,x)+24j
		mov	edi, dword_6BC30C
		mov	ebx, _EtwpEventTracingProvRegHandle
		push	esi
		push	edi
		push	ebx
		call	EtwEventEnabled
		test	al, al
		jz	loc_A0301A
		mov	ecx, [ebp+var_78]
		xor	edx, edx
		push	4
		mov	[ebp+var_70], edx
		mov	[ebp+var_68], edx
		mov	eax, [ecx+4]
		mov	[ebp+var_74], eax
		movzx	eax, word ptr [ecx]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+arg_4]
		pop	ecx
		mov	[ebp+var_34], eax
		lea	eax, [ebp+arg_C]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	7
		push	edx
		push	esi
		push	edi
		push	ebx
		mov	[ebp+var_64], offset _EtwpNull
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], 2
		mov	[ebp+var_58], edx
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_48], edx
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], edx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_A0301A:				; CODE XREF: EtwpTraceSavePersistedLoggerStop(x,x,x,x,x,x)+41j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_EtwpTraceSavePersistedLoggerStop@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpWriteBufferCompressed(x, x)
_EtwpWriteBufferCompressed@8 proc near	; CODE XREF: EtwpSavePersistedLogger(x,x,x)+2DEp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], eax
		push	esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	esi, [ebx+28h]
		mov	eax, [ebx+24h]
		mov	ecx, [ebx+10h]
		sub	eax, esi
		push	edi
		mov	edi, edx
		sub	eax, 48h
		mov	edx, [ebx+20h]
		add	edx, 48h
		mov	[ebp+var_8], edi
		add	edx, esi
		cmp	eax, ecx
		jb	short loc_A03064
		mov	eax, ecx

loc_A03064:				; CODE XREF: EtwpWriteBufferCompressed(x,x)+35j
		push	dword ptr [ebx+1Ch]
		lea	ecx, [ebp+var_4]
		push	ecx
		push	0
		push	eax
		mov	eax, [edi+30h]
		push	edx
		sub	eax, 48h
		push	eax
		lea	eax, [edi+48h]
		push	eax
		push	3
		call	_RtlCompressBuffer@32 ;	RtlCompressBuffer(x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], esi
		cmp	esi, 0C0000023h
		jnz	short loc_A030AA
		mov	eax, [edi+30h]
		mov	ecx, [ebx+20h]
		add	ecx, [ebx+28h]
		push	eax		; size_t
		push	edi		; void *
		push	ecx		; void *
		mov	[ebp+var_8], eax
		call	_memcpy
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		jmp	short loc_A030D2
; 

loc_A030AA:				; CODE XREF: EtwpWriteBufferCompressed(x,x)+61j
		test	esi, esi
		jns	short loc_A030B6
		inc	dword ptr [ebx+18h]
		jmp	loc_A0317E
; 

loc_A030B6:				; CODE XREF: EtwpWriteBufferCompressed(x,x)+81j
		or	word ptr [edi+34h], 40h
		mov	edi, [ebx+20h]
		add	edi, [ebx+28h]
		mov	esi, [ebp+var_8]
		push	12h
		pop	ecx
		rep movsd
		mov	edx, [ebp+var_4]
		mov	esi, [ebp+var_C]
		add	edx, 48h

loc_A030D2:				; CODE XREF: EtwpWriteBufferCompressed(x,x)+7Dj
		mov	eax, [ebx+28h]
		mov	ecx, [ebx+20h]
		mov	[ecx+eax], edx
		mov	eax, [ebx+28h]
		inc	dword ptr [ebx+2Ch]
		add	eax, edx
		mov	ecx, [ebx+10h]
		mov	[ebx+28h], eax
		cmp	eax, ecx
		jb	loc_A0317E
		xor	edx, edx
		lea	edi, [ebx+8]
		push	edx
		push	edi
		push	ecx
		push	dword ptr [ebx+20h]
		lea	eax, [ebp+var_14]
		push	eax
		push	edx
		push	edx
		push	edx
		push	dword ptr [ebx]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebx+2Ch]
		mov	esi, eax
		mov	[ebp+var_C], ecx
		test	esi, esi
		jns	short loc_A03137
		mov	eax, [ebx+18h]
		mov	ecx, [ebx+30h]
		add	eax, [ebp+var_C]
		mov	[ebx+28h], ecx
		test	ecx, ecx
		jz	short loc_A03127
		dec	eax

loc_A03127:				; CODE XREF: EtwpWriteBufferCompressed(x,x)+F9j
		mov	[ebx+18h], eax
		xor	eax, eax
		cmp	eax, ecx
		sbb	eax, eax
		neg	eax
		mov	[ebx+2Ch], eax
		jmp	short loc_A0317E
; 

loc_A03137:				; CODE XREF: EtwpWriteBufferCompressed(x,x)+E9j
		mov	eax, [ebx+10h]
		add	[edi], eax
		mov	edx, [ebx+28h]
		adc	dword ptr [edi+4], 0
		sub	edx, eax
		mov	[ebp+var_C], eax
		mov	eax, [ebx+14h]
		add	eax, ecx
		mov	[ebx+28h], edx
		mov	[ebx+30h], edx
		test	edx, edx
		jz	short loc_A03177
		mov	ecx, [ebx+20h]
		dec	eax
		mov	[ebx+14h], eax
		mov	eax, [ebp+var_C]
		push	edx		; size_t
		add	eax, ecx
		mov	dword ptr [ebx+2Ch], 1
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_A0317E
; 

loc_A03177:				; CODE XREF: EtwpWriteBufferCompressed(x,x)+12Aj
		and	dword ptr [ebx+2Ch], 0
		mov	[ebx+14h], eax

loc_A0317E:				; CODE XREF: EtwpWriteBufferCompressed(x,x)+86j
					; EtwpWriteBufferCompressed(x,x)+C0j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpWriteBufferCompressed@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpWriteRemainingCompressedData(x,	x, x)
_EtwpWriteRemainingCompressedData@12 proc near
					; CODE XREF: EtwpSavePersistedLogger(x,x,x)+33Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		xor	edx, edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		mov	ecx, [esi+28h]
		test	ecx, ecx
		jz	short loc_A031EF
		mov	eax, [esi+10h]
		sub	eax, ecx
		push	edi
		push	eax		; size_t
		mov	eax, [esi+20h]
		push	edx		; int
		add	eax, ecx
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [esi+8]
		xor	ecx, ecx
		lea	eax, [ebp+var_8]
		push	ecx
		push	edi
		push	dword ptr [esi+10h]
		push	dword ptr [esi+20h]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	dword ptr [esi]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	ecx, [esi+2Ch]
		mov	edx, eax
		test	edx, edx
		jns	short loc_A031E0
		add	[esi+18h], ecx
		jmp	short loc_A031EE
; 

loc_A031E0:				; CODE XREF: EtwpWriteRemainingCompressedData(x,x,x)+54j
		mov	eax, [esi+28h]
		add	[edi], eax
		adc	dword ptr [edi+4], 0
		add	[esi+14h], ecx
		xor	edx, edx

loc_A031EE:				; CODE XREF: EtwpWriteRemainingCompressedData(x,x,x)+59j
		pop	edi

loc_A031EF:				; CODE XREF: EtwpWriteRemainingCompressedData(x,x,x)+1Aj
		mov	eax, [esi+14h]
		add	[ebx], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [esi+18h]
		pop	esi
		pop	ebx
		add	[eax], ecx
		mov	eax, edx
		leave
		retn	4
_EtwpWriteRemainingCompressedData@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpValidatePayloadFilter(x, x, x)
_EtwpValidatePayloadFilter@12 proc near	; CODE XREF: EtwpAllocatePayloadFilterData(x,x,x)+10p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_40], esi
		push	edi
		cmp	edx, 50h
		jb	loc_A036A2
		movzx	eax, word ptr [esi+2]
		cmp	eax, edx
		jnz	loc_A036A2
		mov	eax, 1000h
		cmp	edx, eax
		ja	loc_A036A2
		movzx	ecx, word ptr [esi]
		mov	edi, 0A66h
		mov	eax, ecx
		and	eax, 0FFFh
		cmp	ax, di
		jnz	loc_A036A2
		and	ecx, 0F000h
		mov	eax, 1000h
		cmp	cx, ax
		jnz	loc_A036A2
		movzx	edi, word ptr [esi+4]
		mov	eax, 0AAh
		cmp	di, ax
		ja	loc_A036A2
		xor	eax, eax
		cmp	[esi+6], ax
		jnz	loc_A036A2
		mov	ecx, eax

loc_A03287:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+94j
		mov	eax, [ebx+ecx*4]
		cmp	eax, [esi+ecx*4+10h]
		jnz	loc_A036A2
		inc	ecx
		cmp	ecx, 4
		jnz	short loc_A03287
		movzx	ebx, word ptr [esi+20h]
		mov	eax, edi
		imul	ecx, eax, 18h
		mov	[ebp+var_58], eax
		mov	eax, ebx
		mov	[ebp+var_24], eax
		add	ecx, 38h
		cmp	eax, ecx
		jnz	loc_A036A2
		movzx	edi, word ptr [esi+24h]
		movzx	eax, word ptr [esi+22h]
		mov	[ebp+var_34], edi
		add	ecx, eax
		movzx	edi, di
		mov	[ebp+var_20], edi
		cmp	edi, ecx
		jnz	loc_A036A2
		movzx	edi, word ptr [esi+26h]
		mov	[ebp+var_50], edi
		movzx	edi, di
		add	ecx, edi
		mov	[ebp+arg_0], edi
		movzx	edi, word ptr [esi+28h]
		mov	[ebp+var_30], edi
		movzx	edi, di
		mov	[ebp+var_18], edi
		cmp	edi, ecx
		jnz	loc_A036A2
		movzx	edi, word ptr [esi+2Ah]
		mov	[ebp+var_4C], edi
		movzx	edi, di
		add	ecx, edi
		mov	[ebp+var_1C], edi
		movzx	edi, word ptr [esi+2Ch]
		mov	[ebp+var_2C], edi
		movzx	edi, di
		mov	[ebp+var_38], edi
		cmp	edi, ecx
		jnz	loc_A036A2
		movzx	edi, word ptr [esi+2Eh]
		mov	[ebp+var_48], edi
		movzx	edi, di
		add	ecx, edi
		mov	[ebp+var_3C], edi
		movzx	edi, word ptr [esi+30h]
		mov	[ebp+var_44], edi
		cmp	edi, ecx
		jnz	loc_A036A2
		movzx	edi, word ptr [esi+32h]
		add	ecx, edi
		mov	[ebp+var_5C], edi
		cmp	edx, ecx
		jnz	loc_A036A2
		push	0Ch
		xor	edx, edx
		pop	ecx
		div	ecx
		mov	[ebp+var_54], eax
		test	edx, edx
		jnz	loc_A036A2
		push	3
		pop	eax
		test	byte ptr [ebp+var_50], al
		jnz	loc_A036A2
		test	byte ptr [ebp+var_4C], al
		jnz	loc_A036A2
		test	byte ptr [ebp+var_48], 1
		jnz	loc_A036A2
		test	bl, al
		jnz	loc_A036A2
		test	byte ptr [ebp+var_34], al
		jnz	loc_A036A2
		test	byte ptr [ebp+var_30], al
		jnz	loc_A036A2
		test	byte ptr [ebp+var_2C], al
		jnz	loc_A036A2
		xor	eax, eax
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_34], eax
		lea	ebx, [esi+38h]
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_3C]
		shr	eax, 1
		mov	edi, [ebp+var_24]
		shr	[ebp+var_1C], 2
		add	edi, esi
		mov	[ebp+var_6C], eax
		mov	eax, [ebp+var_20]
		add	eax, esi
		shr	ecx, 2
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_18]
		add	eax, esi
		mov	[ebp+var_28], edx
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_38]
		add	eax, esi
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_44]
		add	eax, esi
		mov	[ebp+var_24], edi
		mov	[ebp+var_14], eax
		xor	eax, eax
		and	[ebp+var_30], eax
		and	[ebp+var_50], eax
		mov	[ebp+var_2C], eax
		cmp	[ebp+var_54], eax
		jbe	loc_A0366F
		push	3Fh
		pop	ecx

loc_A03406:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+45Cj
		movzx	eax, word ptr [edi]
		xor	edx, edx
		div	ecx
		xor	eax, eax
		mov	ecx, edx
		inc	eax
		xor	edx, edx
		call	__allshl
		or	[ebp+var_2C], eax
		or	[ebp+var_30], edx
		movzx	eax, word ptr [edi+4]
		mov	edx, [ebp+var_34]
		cmp	eax, edx
		jnz	loc_A036A2
		movzx	eax, word ptr [edi+6]
		movzx	ecx, ax
		mov	[ebp+var_60], eax
		mov	eax, [ebp+arg_0]
		sub	eax, edx
		cmp	ecx, eax
		ja	loc_A036A2
		mov	eax, [ebp+var_20]
		add	edx, ecx
		mov	[ebp+var_34], edx
		xor	edx, edx
		mov	[ebp+var_64], eax
		test	ecx, ecx
		jz	short loc_A0348D

loc_A03456:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+287j
		cmp	word ptr [eax+2], 40h
		jnb	loc_A036A2
		cmp	byte ptr [eax+1], 40h
		jnb	loc_A036A2
		mov	al, [eax]
		cmp	al, 40h
		jnb	loc_A036A2
		and	al, 0Fh
		cmp	al, 9
		jnb	loc_A036A2
		mov	eax, [ebp+var_20]
		inc	edx
		add	eax, 4
		mov	[ebp+var_20], eax
		cmp	edx, ecx
		jb	short loc_A03456

loc_A0348D:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+250j
		movzx	eax, word ptr [edi+8]
		mov	edx, [ebp+var_28]
		cmp	eax, edx
		jnz	loc_A036A2
		mov	eax, [ebp+var_1C]
		movzx	ecx, word ptr [edi+0Ah]
		sub	eax, edx
		mov	[ebp+var_68], ecx
		cmp	ecx, eax
		ja	loc_A036A2
		add	edx, ecx
		xor	eax, eax
		mov	[ebp+var_28], edx
		mov	edx, eax
		mov	[ebp+var_4C], edx
		test	ecx, ecx
		jz	loc_A0364D
		mov	eax, [ebp+var_18]

loc_A034C7:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+440j
		movzx	edi, word ptr [eax]
		mov	eax, edi
		and	eax, 0FCh
		cmp	ax, 20h
		ja	loc_A036A2
		mov	eax, [ebp+var_18]
		movzx	eax, word ptr [eax+2]
		cmp	eax, [ebp+var_4]
		jnz	loc_A036A2
		mov	eax, [ebp+var_58]
		sub	eax, [ebp+var_4]
		shr	edi, 2
		and	edi, 3Fh
		cmp	edi, eax
		ja	loc_A036A2
		add	[ebp+var_4], edi
		xor	eax, eax
		mov	[ebp+var_48], eax
		test	edi, edi
		jz	loc_A03635

loc_A0350F:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+425j
		movzx	ecx, word ptr [ebx]
		mov	edx, ecx
		cmp	edx, [ebp+arg_0]
		jnb	loc_A036A2
		cmp	cx, word ptr [ebp+var_60]
		jnb	loc_A036A2
		mov	eax, [ebp+var_24]
		movzx	eax, byte ptr [eax+3]
		cmp	cx, ax
		ja	loc_A036A2
		mov	eax, [ebp+var_64]
		movzx	eax, byte ptr [eax+edx*4]
		and	eax, 0Fh
		sub	eax, 3
		jz	short loc_A035BF
		sub	eax, 1
		jnz	loc_A0361D
		mov	eax, [ebx+8]
		cmp	eax, [ebp+var_8]
		jnz	loc_A036A2
		xor	ecx, ecx
		cmp	[ebx+0Ch], ecx
		jnz	loc_A036A2
		mov	eax, [ebx+10h]
		or	eax, [ebx+14h]
		jnz	loc_A036A2
		mov	eax, [ebp+var_38]
		add	eax, [ebp+var_3C]
		mov	ecx, [ebp+var_10]
		add	eax, esi
		mov	edx, ecx
		xor	esi, esi
		cmp	[edx], si
		mov	esi, [ebp+var_40]
		mov	edx, [ebp+var_8]
		jz	short loc_A035A3
		lea	edx, [eax-2]
		xor	esi, esi

loc_A03591:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+397j
		cmp	ecx, edx
		jnb	short loc_A0359D
		add	ecx, 2
		cmp	[ecx], si
		jnz	short loc_A03591

loc_A0359D:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+38Fj
		mov	esi, [ebp+var_40]
		mov	edx, [ebp+var_8]

loc_A035A3:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+386j
		add	ecx, 2
		cmp	ecx, eax
		ja	loc_A036A2
		mov	eax, ecx
		sub	eax, [ebp+var_10]
		sar	eax, 1
		add	edx, eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], edx
		jmp	short loc_A0361D
; 

loc_A035BF:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+340j
		mov	eax, [ebx+8]
		cmp	eax, [ebp+var_C]
		jnz	loc_A036A2
		xor	ecx, ecx
		cmp	[ebx+0Ch], ecx
		jnz	loc_A036A2
		mov	eax, [ebx+10h]
		or	eax, [ebx+14h]
		jnz	loc_A036A2
		mov	ecx, [ebp+var_14]
		mov	edx, ecx
		mov	eax, [ebp+var_5C]
		add	eax, [ebp+var_44]
		add	eax, esi
		cmp	byte ptr [edx],	0
		mov	edx, [ebp+var_C]
		jz	short loc_A03607
		lea	edx, [eax-1]

loc_A035FA:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+3FEj
		cmp	ecx, edx
		jnb	short loc_A03604
		inc	ecx
		cmp	byte ptr [ecx],	0
		jnz	short loc_A035FA

loc_A03604:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+3F8j
		mov	edx, [ebp+var_C]

loc_A03607:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+3F1j
		inc	ecx
		cmp	ecx, eax
		ja	loc_A036A2
		mov	eax, ecx
		sub	eax, [ebp+var_14]
		add	edx, eax
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], edx

loc_A0361D:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+345j
					; EtwpValidatePayloadFilter(x,x,x)+3B9j
		mov	eax, [ebp+var_48]
		add	ebx, 18h
		inc	eax
		mov	[ebp+var_48], eax
		cmp	eax, edi
		jb	loc_A0350F
		mov	ecx, [ebp+var_68]
		mov	edx, [ebp+var_4C]

loc_A03635:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+305j
		mov	eax, [ebp+var_18]
		inc	edx
		add	eax, 4
		mov	[ebp+var_4C], edx
		mov	[ebp+var_18], eax
		cmp	edx, ecx
		jb	loc_A034C7
		mov	edi, [ebp+var_24]

loc_A0364D:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+2BAj
		mov	eax, [ebp+var_50]
		add	edi, 0Ch
		inc	eax
		mov	[ebp+var_24], edi
		push	3Fh
		mov	[ebp+var_50], eax
		pop	ecx
		cmp	eax, [ebp+var_54]
		jb	loc_A03406
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+var_28]
		mov	eax, [ebp+var_2C]

loc_A0366F:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+1F9j
		cmp	eax, [esi+8]
		jnz	short loc_A036A2
		mov	eax, [ebp+var_30]
		cmp	eax, [esi+0Ch]
		jnz	short loc_A036A2
		mov	eax, [ebp+var_58]
		cmp	[ebp+var_4], eax
		jnz	short loc_A036A2
		cmp	[ebp+var_34], ecx
		jnz	short loc_A036A2
		cmp	edx, [ebp+var_1C]
		jnz	short loc_A036A2
		mov	eax, [ebp+var_6C]
		cmp	[ebp+var_8], eax
		jnz	short loc_A036A2
		mov	eax, [ebp+var_5C]
		cmp	[ebp+var_C], eax
		jnz	short loc_A036A2
		xor	eax, eax
		jmp	short loc_A036A7
; 

loc_A036A2:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+18j
					; EtwpValidatePayloadFilter(x,x,x)+24j	...
		mov	eax, 0C000000Dh

loc_A036A7:				; CODE XREF: EtwpValidatePayloadFilter(x,x,x)+49Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_EtwpValidatePayloadFilter@12 endp

; 
		align 10h
		db 3 dup(0CCh)
; Exported entry 353. ExEnumerateSystemFirmwareTables

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExEnumerateSystemFirmwareTables(x, x, x, x)
		public _ExEnumerateSystemFirmwareTables@16
_ExEnumerateSystemFirmwareTables@16 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_8]
		test	ebx, ebx
		jnz	short loc_A036D7
		test	edi, edi
		jz	short loc_A036D7
		mov	eax, 0C000000Dh
		jmp	loc_A0375A
; 

loc_A036D7:				; CODE XREF: ExEnumerateSystemFirmwareTables(x,x,x,x)+14j
					; ExEnumerateSystemFirmwareTables(x,x,x,x)+18j
		push	esi
		push	54465241h
		lea	eax, [edi+10h]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A03752
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		and	dword ptr [esi+4], 0
		xor	dl, dl
		and	dword ptr [esi+8], 0
		push	eax
		lea	eax, [edi+10h]
		mov	[esi], ecx
		push	eax
		mov	ecx, esi
		mov	[esi+0Ch], edi
		call	ExpGetSystemFirmwareTableInformation
		mov	edi, eax
		test	edi, edi
		jns	short loc_A0371D
		cmp	edi, 0C0000023h
		jnz	short loc_A03729

loc_A0371D:				; CODE XREF: ExEnumerateSystemFirmwareTables(x,x,x,x)+60j
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_A03729
		mov	eax, [esi+0Ch]
		mov	[ecx], eax

loc_A03729:				; CODE XREF: ExEnumerateSystemFirmwareTables(x,x,x,x)+68j
					; ExEnumerateSystemFirmwareTables(x,x,x,x)+6Fj
		test	edi, edi
		js	short loc_A03745
		test	ebx, ebx
		jz	short loc_A03745
		mov	eax, [ebp+var_4]
		add	eax, 0FFFFFFF0h
		push	eax		; size_t
		lea	eax, [esi+10h]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_A03745:				; CODE XREF: ExEnumerateSystemFirmwareTables(x,x,x,x)+78j
					; ExEnumerateSystemFirmwareTables(x,x,x,x)+7Cj
		push	54465241h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A03757
; 

loc_A03752:				; CODE XREF: ExEnumerateSystemFirmwareTables(x,x,x,x)+39j
		mov	edi, 0C000009Ah

loc_A03757:				; CODE XREF: ExEnumerateSystemFirmwareTables(x,x,x,x)+9Dj
		mov	eax, edi
		pop	esi

loc_A0375A:				; CODE XREF: ExEnumerateSystemFirmwareTables(x,x,x,x)+1Fj
		pop	edi
		pop	ebx
		leave
		retn	10h
_ExEnumerateSystemFirmwareTables@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExGetSessionBigPoolInformation(x, x, x, x)
_ExGetSessionBigPoolInformation@16 proc	near ; CODE XREF: PAGE:0077F64Ep

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	esi, ecx
		mov	[esp+48h+var_20], ebx
		push	6
		pop	ecx
		lea	edi, [esp+48h+var_1C]
		mov	[esp+48h+var_24], edx
		rep stosd
		xor	ecx, ecx
		mov	[esp+48h+var_3C], eax
		mov	[ebx], ecx
		mov	edi, ecx
		mov	[esp+48h+var_28], ecx
		mov	ebx, ecx
		mov	[esp+48h+var_30], ecx
		mov	[esp+48h+var_2C], ecx
		inc	ecx
		mov	[esp+48h+var_38], ecx
		test	edx, edx
		jz	short loc_A037E0
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+48h+var_34], al
		lea	eax, [esp+48h+var_28]
		push	eax
		lea	eax, [esp+4Ch+var_3C]
		push	eax
		push	ecx
		push	[esp+54h+var_34]
		mov	ecx, esi
		call	ExLockUserBuffer
		test	eax, eax
		js	loc_A038F7

loc_A037E0:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+50j
		xor	ecx, ecx
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A038DF

loc_A037F1:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+156j
		mov	ecx, esi
		call	_MmGetSessionId@4 ; MmGetSessionId(x)
		mov	ecx, [ebp+arg_4]
		mov	[esp+48h+var_34], eax
		mov	ecx, [ecx]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_A0380E
		cmp	eax, ecx
		jnz	loc_A038AB

loc_A0380E:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+A4j
		lea	edx, [esp+48h+var_1C]
		mov	ecx, esi
		call	MmAttachSession
		test	eax, eax
		js	loc_A038A3
		lea	eax, [ebx+18h]
		cmp	eax, 18h
		jb	loc_A0390B
		mov	edx, [esp+48h+var_24]
		cmp	eax, edx
		ja	short loc_A03846
		cmp	[esp+48h+var_38], 0
		jz	short loc_A03846
		mov	eax, [esp+48h+var_3C]
		add	eax, ebx
		sub	edx, ebx
		jmp	short loc_A03854
; 

loc_A03846:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+D3j
					; ExGetSessionBigPoolInformation(x,x,x,x)+DAj
		and	[esp+48h+var_38], 0
		xor	eax, eax
		mov	edi, 0C0000004h
		xor	edx, edx

loc_A03854:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+E4j
		lea	ecx, [esp+48h+var_30]
		push	ecx
		push	0
		mov	ecx, eax
		call	_ExGetBigPoolInfo@16 ; ExGetBigPoolInfo(x,x,x,x)
		test	eax, eax
		jns	short loc_A0386F
		mov	edi, eax
		cmp	eax, 0C0000004h
		jnz	short loc_A038BE

loc_A0386F:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+104j
		cmp	[esp+48h+var_38], 1
		jnz	short loc_A03894
		test	eax, eax
		js	short loc_A03894
		mov	ecx, [esp+48h+var_3C]
		mov	edx, [esp+48h+var_34]
		add	ecx, ebx
		mov	[esp+48h+var_2C], ecx
		mov	eax, [ecx+8]
		inc	eax
		mov	[ecx+4], edx
		imul	eax, 0Ch
		mov	[ecx], eax

loc_A03894:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+114j
					; ExGetSessionBigPoolInformation(x,x,x,x)+118j
		add	ebx, [esp+48h+var_30]
		lea	edx, [esp+48h+var_1C]
		mov	ecx, esi
		call	MmDetachSession

loc_A038A3:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+BBj
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax], 0FFFFFFFFh
		jnz	short loc_A038C9

loc_A038AB:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+A8j
		mov	ecx, esi
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_A037F1
		jmp	short loc_A038D0
; 

loc_A038BE:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+10Dj
		lea	edx, [esp+48h+var_1C]
		mov	ecx, esi
		call	MmDetachSession

loc_A038C9:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+149j
		mov	ecx, esi
		call	ObfDereferenceObject

loc_A038D0:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+15Cj
		test	edi, edi
		js	short loc_A038DF
		mov	eax, [esp+48h+var_2C]
		test	eax, eax
		jz	short loc_A038DF
		and	dword ptr [eax], 0

loc_A038DF:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+8Bj
					; ExGetSessionBigPoolInformation(x,x,x,x)+172j	...
		cmp	[esp+48h+var_3C], 0
		jz	short loc_A038EF
		mov	ecx, [esp+48h+var_28]
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)

loc_A038EF:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+184j
		mov	eax, [esp+48h+var_20]
		mov	[eax], ebx
		mov	eax, edi

loc_A038F7:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+7Aj
		mov	ecx, [esp+48h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_A0390B:				; CODE XREF: ExGetSessionBigPoolInformation(x,x,x,x)+C7j
		lea	edx, [esp+48h+var_1C]
		mov	ecx, esi
		mov	edi, 0C0000095h
		call	MmDetachSession
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	short loc_A038DF
_ExGetSessionBigPoolInformation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetDeviceDataInformation(x, x, x)
_ExpGetDeviceDataInformation@12	proc near ; CODE XREF: PAGE:0077ECAAp

var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	44h
		push	offset dword_6AA358
		call	__SEH_prolog4
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], ecx
		push	7
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_54]
		rep stosd
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_28], ebx
		test	edx, edx
		jz	loc_A03AD3
		cmp	[ebp+arg_0], 1Ch
		jnz	loc_A03AD3
		mov	[ebp+ms_exc.disabled], ebx
		test	dl, 3
		jz	short loc_A0396A
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A0396A:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+3Fj
		lea	esi, [edx+1Ch]
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		ja	short loc_A0397A
		cmp	esi, edx
		jnb	short loc_A0397C

loc_A0397A:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+50j
		mov	[eax], bl

loc_A0397C:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+54j
		push	7
		pop	ecx
		mov	esi, edx
		lea	edi, [ebp+var_54]
		rep movsd
		lea	edx, [ebp+var_54]
		lea	ecx, [ebp+var_1C]
		call	_ExpStringCapture@8 ; ExpStringCapture(x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jns	short loc_A039A6

loc_A0399A:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+9Fj
					; ExpGetDeviceDataInformation(x,x,x)+B6j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_A03A9A
; 

loc_A039A6:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+74j
		mov	edi, [ebp+var_2C]
		cmp	edi, 88h
		jnz	short loc_A039C5
		lea	edx, [ebp+var_4C]
		lea	ecx, [ebp+var_24]
		call	_ExpStringCapture@8 ; ExpStringCapture(x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		js	short loc_A0399A

loc_A039C5:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+8Bj
		mov	esi, [ebp+var_40]
		test	esi, esi
		jz	short loc_A03A04
		cmp	[ebp+var_3C], 0
		jnz	short loc_A039DC
		mov	esi, 0C000000Dh

loc_A039D7:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+DEj
		mov	[ebp+var_20], esi
		jmp	short loc_A0399A
; 

loc_A039DC:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+ACj
		push	2
		push	esi
		push	[ebp+var_3C]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	4E494444h
		push	esi
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	ebx, eax
		mov	[ebp+var_28], ebx
		test	ebx, ebx
		jnz	short loc_A03A04
		mov	esi, 0C0000017h
		jmp	short loc_A039D7
; 

loc_A03A04:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+A6j
					; ExpGetDeviceDataInformation(x,x,x)+D7j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [ebp+var_40]
		cmp	edi, 88h
		jnz	short loc_A03A29
		push	ebx		; void *
		push	eax		; int
		lea	eax, [ebp+var_44]
		push	eax		; int
		push	[ebp+var_24]	; int
		push	[ebp+var_1C]	; int
		call	KseQueryDeviceData
		jmp	short loc_A03A34
; 

loc_A03A29:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+F0j
		push	eax
		push	esi
		push	ebx
		push	[ebp+var_1C]
		call	_KseQueryDeviceDataList@16 ; KseQueryDeviceDataList(x,x,x,x)

loc_A03A34:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+103j
		mov	esi, eax
		mov	[ebp+ms_exc.disabled], 1
		mov	edx, [ebp+var_40]
		mov	ecx, [ebp+var_30]
		mov	[ecx+14h], edx
		mov	eax, [ebp+var_44]
		mov	[ecx+10h], eax
		test	esi, esi
		js	loc_A0399A
		push	edx		; size_t
		push	ebx		; void *
		push	[ebp+var_3C]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_A0399A
; 

loc_A03A66:				; DATA XREF: .text:006AA378o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A03A74:				; DATA XREF: .text:006AA37Co
		mov	esi, [ebp+var_34]
		jmp	short loc_A03A8D
; 

loc_A03A79:				; DATA XREF: .text:006AA36Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_38], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A03A87:				; DATA XREF: .text:006AA370o
		mov	esi, [ebp+var_38]
		mov	[ebp+var_20], esi

loc_A03A8D:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+153j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_28]

loc_A03A9A:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+7Dj
		cmp	[ebp+var_1C], 0
		jz	short loc_A03AAD
		push	50535845h
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A03AAD:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+17Aj
		cmp	[ebp+var_24], 0
		jz	short loc_A03AC0
		push	50535845h
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A03AC0:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+18Dj
		test	ebx, ebx
		jz	short loc_A03ACF
		push	4E494444h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A03ACF:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+19Ej
		mov	eax, esi
		jmp	short loc_A03AD8
; 

loc_A03AD3:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+29j
					; ExpGetDeviceDataInformation(x,x,x)+33j
		mov	eax, 0C0000004h

loc_A03AD8:				; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+1ADj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpGetDeviceDataInformation@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetHandleInformation(x, x, x)
_ExpGetHandleInformation@12 proc near	; CODE XREF: PAGE:0077F0DFp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	esi, edx
		mov	[ebp+var_8], eax
		mov	[edi], eax
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_0], al
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	ExLockUserBuffer
		test	eax, eax
		js	short loc_A03B3F
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	edi
		call	_ObGetHandleInformation@12 ; ObGetHandleInformation(x,x,x)
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)
		mov	eax, esi

loc_A03B3F:				; CODE XREF: ExpGetHandleInformation(x,x,x)+3Cj
		pop	edi
		pop	esi
		leave
		retn	4
_ExpGetHandleInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetHandleInformationEx(x, x, x)
_ExpGetHandleInformationEx@12 proc near	; CODE XREF: PAGE:0077F16Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	esi, edx
		mov	[ebp+var_8], eax
		mov	[edi], eax
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_0], al
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	ExLockUserBuffer
		test	eax, eax
		js	short loc_A03B9A
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	edi
		call	_ObGetHandleInformationEx@12 ; ObGetHandleInformationEx(x,x,x)
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)
		mov	eax, esi

loc_A03B9A:				; CODE XREF: ExpGetHandleInformationEx(x,x,x)+3Cj
		pop	edi
		pop	esi
		leave
		retn	4
_ExpGetHandleInformationEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetInstemulInformation(x)
_ExpGetInstemulInformation@4 proc near	; CODE XREF: PAGE:0077F79Ep

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	98h
		push	offset dword_6AA2E8
		call	__SEH_prolog4
		mov	edi, ecx
		mov	eax, ds:dword_A93190
		mov	[ebp+var_A4], eax
		mov	eax, ds:dword_A93194
		mov	[ebp+var_A0], eax
		mov	eax, ds:dword_A93198
		mov	[ebp+var_9C], eax
		mov	eax, ds:dword_A9319C
		mov	[ebp+var_98], eax
		mov	eax, ds:dword_A931A0
		mov	[ebp+var_94], eax
		mov	eax, ds:dword_A931A4
		mov	[ebp+var_90], eax
		mov	eax, ds:dword_A931A8
		mov	[ebp+var_8C], eax
		mov	eax, ds:dword_A931AC
		mov	[ebp+var_88], eax
		mov	eax, ds:dword_A931B0
		mov	[ebp+var_84], eax
		mov	eax, ds:dword_A931B4
		mov	[ebp+var_80], eax
		mov	eax, ds:dword_A931B8
		mov	[ebp+var_7C], eax
		mov	eax, ds:dword_A931BC
		mov	[ebp+var_78], eax
		mov	eax, ds:dword_A931C0
		mov	[ebp+var_74], eax
		mov	eax, ds:dword_A931C4
		mov	[ebp+var_70], eax
		mov	eax, ds:dword_A931C8
		mov	[ebp+var_6C], eax
		mov	eax, ds:dword_A931CC
		mov	[ebp+var_68], eax
		mov	eax, ds:dword_A931D0
		mov	[ebp+var_64], eax
		mov	eax, ds:dword_A931D4
		mov	[ebp+var_60], eax
		mov	eax, ds:dword_A931DC
		mov	[ebp+var_5C], eax
		mov	eax, ds:dword_A931E0
		mov	[ebp+var_58], eax
		mov	eax, ds:dword_A931E4
		mov	[ebp+var_54], eax
		mov	eax, ds:dword_A931E8
		mov	[ebp+var_50], eax
		mov	eax, ds:dword_A931EC
		mov	[ebp+var_4C], eax
		mov	eax, ds:dword_A931F0
		mov	[ebp+var_48], eax
		mov	eax, ds:dword_A931F4
		mov	[ebp+var_44], eax
		mov	eax, ds:dword_A931F8
		mov	[ebp+var_40], eax
		mov	eax, ds:dword_A931FC
		mov	[ebp+var_3C], eax
		mov	eax, ds:dword_A93200
		mov	[ebp+var_38], eax
		mov	eax, ds:dword_A93204
		mov	[ebp+var_34], eax
		mov	eax, ds:dword_A93210
		mov	[ebp+var_30], eax
		mov	eax, ds:dword_A93208
		mov	[ebp+var_2C], eax
		mov	eax, ds:dword_A9320C
		mov	[ebp+var_28], eax
		mov	eax, _VdmBopCount
		mov	[ebp+var_24], eax
		mov	eax, ds:_ExVdmSegmentNotPresent
		mov	[ebp+var_A8], eax
		and	[ebp+ms_exc.disabled], 0
		push	22h
		pop	ecx
		lea	esi, [ebp+var_A8]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_A03D16
; 

loc_A03CF9:				; DATA XREF: .text:006AA2FCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A03D09:				; DATA XREF: .text:006AA300o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]

loc_A03D16:				; CODE XREF: ExpGetInstemulInformation(x)+157j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpGetInstemulInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetLockInformation(x, x,	x)
_ExpGetLockInformation@12 proc near	; CODE XREF: PAGE:0077EFCBp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	esi, edx
		mov	[ebp+var_8], eax
		mov	[edi], eax
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_0], al
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	ExLockUserBuffer
		test	eax, eax
		js	short loc_A03D7B
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	edi
		call	_ExQuerySystemLockInformation@12 ; ExQuerySystemLockInformation(x,x,x)
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)
		mov	eax, esi

loc_A03D7B:				; CODE XREF: ExpGetLockInformation(x,x,x)+3Cj
		pop	edi
		pop	esi
		leave
		retn	4
_ExpGetLockInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetObjectInformation(x, x, x)
_ExpGetObjectInformation@12 proc near	; CODE XREF: PAGE:0077F1EAp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		push	esi
		mov	[ebx], eax
		mov	esi, edx
		mov	eax, large fs:124h
		push	edi
		mov	edi, ecx
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_0], al
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	ExLockUserBuffer
		test	eax, eax
		js	short loc_A03DD9
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		push	ebx
		push	esi
		call	_ObGetObjectInformation@16 ; ObGetObjectInformation(x,x,x,x)
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)
		mov	eax, esi

loc_A03DD9:				; CODE XREF: ExpGetObjectInformation(x,x,x)+3Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpGetObjectInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetSystemProcessorFeaturesInformation(x)
_ExpGetSystemProcessorFeaturesInformation@4 proc near ;	CODE XREF: PAGE:0078191Cp

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6AA3A0
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+ms_exc.disabled], edx
		mov	eax, ds:_KeFeatureBits
		mov	[ecx], eax
		mov	eax, ds:dword_70E754
		mov	[ecx+4], eax
		mov	[ecx+8], edx
		mov	[ecx+0Ch], edx
		mov	[ecx+10h], edx
		mov	[ecx+14h], edx
		mov	[ecx+18h], edx
		mov	[ecx+1Ch], edx
		jmp	short loc_A03E2A
; 

loc_A03E14:				; DATA XREF: .text:006AA3B4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A03E24:				; DATA XREF: .text:006AA3B8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edx, [ebp+var_1C]

loc_A03E2A:				; CODE XREF: ExpGetSystemProcessorFeaturesInformation(x)+32j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpGetSystemProcessorFeaturesInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpQueryChannelInformation(x, x, x)
_ExpQueryChannelInformation@12 proc near ; CODE	XREF: PAGE:007808CBp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	1Ch
		push	offset dword_6AA330
		call	__SEH_prolog4	; struct _exception *
		mov	ebx, edx
		mov	edi, ecx
		and	[ebp+var_20], 0
		and	[ebp+var_1C], 0
		cmp	ebx, 4
		jnb	short loc_A03E6A
		mov	esi, 0C0000206h
		jmp	loc_A03EF9
; 

loc_A03E6A:				; CODE XREF: ExpQueryChannelInformation(x,x,x)+1Bj
		and	[ebp+ms_exc.disabled], 0
		mov	edx, [edi]
		mov	[ebp+var_2C], edx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		movzx	ecx, ax
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_MmGetChannelInformation@16 ; MmGetChannelInformation(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A03EF9
		mov	ecx, [ebp+var_20]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		cmp	ebx, ecx
		jnb	short loc_A03EA8
		mov	esi, 0C0000023h
		jmp	short loc_A03EF9
; 

loc_A03EA8:				; CODE XREF: ExpQueryChannelInformation(x,x,x)+5Cj
		mov	[ebp+ms_exc.disabled], 1
		push	ecx		; size_t
		push	[ebp+var_1C]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	esi, esi
		jmp	short loc_A03EF9
; 

loc_A03EC7:				; DATA XREF: .text:006AA350o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A03ED7:				; DATA XREF: .text:006AA354o
		mov	esi, [ebp+var_24]
		jmp	short loc_A03EEF
; 

loc_A03EDC:				; DATA XREF: .text:006AA344o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A03EEC:				; DATA XREF: .text:006AA348o
		mov	esi, [ebp+var_28]

loc_A03EEF:				; CODE XREF: ExpQueryChannelInformation(x,x,x)+97j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A03EF9:				; CODE XREF: ExpQueryChannelInformation(x,x,x)+22j
					; ExpQueryChannelInformation(x,x,x)+50j ...
		cmp	[ebp+var_1C], 0
		jz	short loc_A03F09
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A03F09:				; CODE XREF: ExpQueryChannelInformation(x,x,x)+BAj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpQueryChannelInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpQueryCodeIntegrityCertificateInfo(x, x)
_ExpQueryCodeIntegrityCertificateInfo@8	proc near ; CODE XREF: PAGE:00781F6Bp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [esp+4Ch+var_18]
		pop	ecx
		xor	eax, eax
		rep stosd
		xor	ecx, ecx
		mov	[esp+48h+var_20], ecx
		mov	ebx, ecx
		mov	[esp+48h+var_1C], ecx
		mov	edi, ecx
		mov	[esp+48h+var_24], ecx
		mov	[esp+48h+var_2C], ebx
		mov	[esp+48h+var_34], ecx
		mov	[esp+48h+var_38], ecx
		push	2
		pop	eax
		test	edx, edx
		jnz	short loc_A03F67
		mov	[esp+48h+var_30], 1
		jmp	short loc_A03F82
; 

loc_A03F67:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+3Ej
		cmp	edx, 1
		jnz	short loc_A03F72
		mov	[esp+48h+var_30], eax
		jmp	short loc_A03F82
; 

loc_A03F72:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+4Dj
		cmp	edx, eax
		jnz	loc_A040B0
		mov	[esp+48h+var_30], 3

loc_A03F82:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+48j
					; ExpQueryCodeIntegrityCertificateInfo(x,x)+53j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+48h+var_28], al
		lea	eax, [esp+48h+var_2C]
		push	eax
		push	ecx
		push	1
		push	[esp+54h+var_28]
		push	esi
		call	_IoConvertFileHandleToKernelHandle@20 ;	IoConvertFileHandleToKernelHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A03FB1
		xor	ebx, ebx
		jmp	loc_A040B5
; 

loc_A03FB1:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+8Bj
		mov	eax, ds:_IoFileObjectType
		lea	ecx, [esp+48h+var_28]
		mov	ebx, [esp+48h+var_2C]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		push	eax
		push	1
		push	ebx
		mov	[esp+60h+var_28], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [esp+48h+var_28]
		mov	esi, eax
		test	esi, esi
		jns	short loc_A03FE1
		xor	edi, edi
		jmp	loc_A040B5
; 

loc_A03FE1:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+BBj
		cmp	byte ptr [edi+2Ah], 0
		jnz	loc_A040A9
		cmp	byte ptr [edi+27h], 0
		jnz	loc_A040A9
		lea	eax, [esp+48h+var_20]
		push	eax
		push	edi
		call	FsRtlGetFileSize
		mov	esi, eax
		test	esi, esi
		js	loc_A040B5
		push	ebx
		xor	eax, eax
		mov	[esp+4Ch+var_18], 18h
		push	8000000h
		push	2
		push	eax
		mov	[esp+58h+var_14], eax
		mov	[esp+58h+var_10], eax
		mov	[esp+58h+var_8], eax
		mov	[esp+58h+var_4], eax
		lea	eax, [esp+58h+var_18]
		push	eax
		push	4
		lea	eax, [esp+60h+var_34]
		mov	[esp+60h+var_C], 240h
		push	eax
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A04053
		and	[esp+48h+var_34], 0
		jmp	short loc_A040B5
; 

loc_A04053:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+12Dj
		mov	eax, [esp+48h+var_20]
		xor	ecx, ecx
		push	2
		push	ecx
		push	1
		mov	[esp+54h+var_24], eax
		lea	eax, [esp+54h+var_24]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [esp+64h+var_38]
		push	eax
		push	0FFFFFFFFh
		push	[esp+6Ch+var_34]
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A04087
		and	[esp+48h+var_38], 0
		jmp	short loc_A040C7
; 

loc_A04087:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+161j
		mov	eax, dword_6BEA44
		test	eax, eax
		jnz	short loc_A04097
		mov	esi, 0C00000BBh
		jmp	short loc_A040B5
; 

loc_A04097:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+171j
		push	[esp+48h+var_20]
		push	[esp+4Ch+var_38]
		push	[esp+50h+var_30]
		call	eax
		mov	esi, eax
		jmp	short loc_A040B5
; 

loc_A040A9:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+C8j
					; ExpQueryCodeIntegrityCertificateInfo(x,x)+D2j
		mov	esi, 0C0000043h
		jmp	short loc_A040B5
; 

loc_A040B0:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+57j
		mov	esi, 0C000000Dh

loc_A040B5:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+8Fj
					; ExpQueryCodeIntegrityCertificateInfo(x,x)+BFj ...
		cmp	[esp+48h+var_38], 0
		jz	short loc_A040C7
		push	[esp+48h+var_38]
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)

loc_A040C7:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+168j
					; ExpQueryCodeIntegrityCertificateInfo(x,x)+19Dj
		cmp	[esp+48h+var_34], 0
		jz	short loc_A040D7
		push	[esp+48h+var_34]
		call	_ZwClose@4	; ZwClose(x)

loc_A040D7:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+1AFj
		test	edi, edi
		jz	short loc_A040E2
		mov	ecx, edi
		call	ObfDereferenceObject

loc_A040E2:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+1BCj
		test	ebx, ebx
		jz	short loc_A040EC
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_A040EC:				; CODE XREF: ExpQueryCodeIntegrityCertificateInfo(x,x)+1C7j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_ExpQueryCodeIntegrityCertificateInfo@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpQueryElamCertInfo(x)
_ExpQueryElamCertInfo@4	proc near	; CODE XREF: PAGE:007B4733p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	48h
		push	offset dword_6AA248
		call	__SEH_prolog4
		mov	edx, ecx
		and	[ebp+var_24], 0
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_58]
		rep stosd
		xor	edi, edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_20], edi
		mov	ebx, edi
		mov	[ebp+var_1C], edi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_30], al
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		push	1
		push	[ebp+var_30]
		push	edx
		call	_IoConvertFileHandleToKernelHandle@20 ;	IoConvertFileHandleToKernelHandle(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A04157
		mov	[ebp+var_2C], edi

loc_A0414F:				; CODE XREF: ExpQueryElamCertInfo(x)+1BEj
		mov	edi, [ebp+var_28]
		jmp	loc_A042BD
; 

loc_A04157:				; CODE XREF: ExpQueryElamCertInfo(x)+55j
		mov	eax, ds:_IoFileObjectType
		mov	[ebp+var_30], edi
		push	edi
		lea	ecx, [ebp+var_30]
		push	ecx
		push	edi
		push	eax
		push	1
		mov	eax, [ebp+var_24]
		mov	[ebp+var_2C], eax
		push	eax
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	edi, [ebp+var_30]
		mov	[ebp+var_28], edi
		test	esi, esi
		jns	short loc_A04187
		xor	edi, edi
		jmp	loc_A042BD
; 

loc_A04187:				; CODE XREF: ExpQueryElamCertInfo(x)+89j
		cmp	[edi+2Ah], bl
		jnz	loc_A042B8
		cmp	[edi+27h], bl
		jnz	loc_A042B8
		lea	eax, [ebp+var_40]
		push	eax
		push	edi
		call	FsRtlGetFileSize
		mov	esi, eax
		test	esi, esi
		js	loc_A042BD
		mov	[ebp+var_58], 18h
		xor	ecx, ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_4C], 240h
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], ecx
		mov	eax, [ebp+var_24]
		push	eax
		push	8000000h
		push	2
		push	ecx
		lea	eax, [ebp+var_58]
		push	eax
		push	4
		lea	eax, [ebp+var_20]
		push	eax
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A041F2
		and	[ebp+var_20], ebx
		jmp	loc_A042BD
; 

loc_A041F2:				; CODE XREF: ExpQueryElamCertInfo(x)+F3j
		mov	eax, [ebp+var_40]
		mov	[ebp+var_34], eax
		push	2
		xor	ecx, ecx
		push	ecx
		push	1
		lea	eax, [ebp+var_34]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_1C]
		push	eax
		push	0FFFFFFFFh
		push	[ebp+var_20]
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A04222
		and	[ebp+var_1C], ebx
		jmp	loc_A042BD
; 

loc_A04222:				; CODE XREF: ExpQueryElamCertInfo(x)+123j
		push	[ebp+var_40]
		mov	edx, [ebp+var_1C]
		xor	ecx, ecx
		call	_SeValidateFileAsImageType@12 ;	SeValidateFileAsImageType(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A042BD
		push	4D414C45h
		mov	esi, [ebp+var_40]
		push	esi
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	ebx, eax
		mov	[ebp+var_30], ebx
		test	ebx, ebx
		jnz	short loc_A04259
		mov	esi, 0C000009Ah
		jmp	short loc_A042BD
; 

loc_A04259:				; CODE XREF: ExpQueryElamCertInfo(x)+15Bj
		and	[ebp+ms_exc.disabled], 0
		push	esi		; size_t
		push	[ebp+var_1C]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	esi
		mov	edx, ebx
		xor	ecx, ecx
		call	_SeValidateFileAsImageType@12 ;	SeValidateFileAsImageType(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A042BD
		push	ecx
		push	1
		mov	ecx, ebx
		call	_SeRegisterElamCertResources@16	; SeRegisterElamCertResources(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A042BD
		xor	esi, esi
		jmp	short loc_A042BD
; 

loc_A04295:				; DATA XREF: .text:006AA25Co
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0429B:				; DATA XREF: .text:006AA260o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, 0C000000Dh
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_30]
		mov	eax, [ebp+var_24]
		mov	[ebp+var_2C], eax
		jmp	loc_A0414F
; 

loc_A042B8:				; CODE XREF: ExpQueryElamCertInfo(x)+95j
					; ExpQueryElamCertInfo(x)+9Ej
		mov	esi, 0C0000043h

loc_A042BD:				; CODE XREF: ExpQueryElamCertInfo(x)+5Dj
					; ExpQueryElamCertInfo(x)+8Dj ...
		test	ebx, ebx
		jz	short loc_A042CC
		push	4D414C45h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A042CC:				; CODE XREF: ExpQueryElamCertInfo(x)+1CAj
		cmp	[ebp+var_1C], 0
		jz	short loc_A042DC
		push	[ebp+var_1C]
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)

loc_A042DC:				; CODE XREF: ExpQueryElamCertInfo(x)+1DBj
		cmp	[ebp+var_20], 0
		jz	short loc_A042EA
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)

loc_A042EA:				; CODE XREF: ExpQueryElamCertInfo(x)+1EBj
		test	edi, edi
		jz	short loc_A042F5
		mov	ecx, edi
		call	ObfDereferenceObject

loc_A042F5:				; CODE XREF: ExpQueryElamCertInfo(x)+1F7j
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jz	short loc_A04302
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A04302:				; CODE XREF: ExpQueryElamCertInfo(x)+205j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpQueryElamCertInfo@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpQueryLegacyDriverInformation(x, x)
_ExpQueryLegacyDriverInformation@8 proc	near ; CODE XREF: PAGE:007802A8p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	28h
		push	offset dword_6AA2A8
		call	__SEH_prolog4
		mov	[ebp+var_24], edx
		mov	ebx, ecx
		xor	esi, esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], esi
		lea	edx, [ebp+var_20]
		lea	ecx, [ebp+var_1C]
		call	IoGetLegacyVetoList
		mov	edi, eax
		test	edi, edi
		js	loc_A043D3
		push	[ebp+var_1C]
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp+var_38]
		movzx	eax, dx
		mov	[ebp+var_28], eax
		lea	ecx, [eax+0Ch]
		mov	[ebp+var_30], ecx
		mov	eax, [ebp+var_24]
		cmp	ecx, [eax]
		jbe	short loc_A04371
		mov	edi, 80000005h
		jmp	short loc_A043BA
; 

loc_A04371:				; CODE XREF: ExpQueryLegacyDriverInformation(x,x)+54j
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [ebp+var_20]
		mov	[ebx], eax
		mov	[ebx+4], dx
		lea	eax, [ebx+0Ch]
		mov	[ebx+8], eax
		push	[ebp+var_28]	; size_t
		push	[ebp+var_34]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A043BA
; 

loc_A0439B:				; DATA XREF: .text:006AA2BCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A043AB:				; DATA XREF: .text:006AA2C0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_2C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	esi, esi

loc_A043BA:				; CODE XREF: ExpQueryLegacyDriverInformation(x,x)+5Bj
					; ExpQueryLegacyDriverInformation(x,x)+85j
		cmp	[ebp+var_1C], 0
		jz	short loc_A043C9
		push	esi
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A043C9:				; CODE XREF: ExpQueryLegacyDriverInformation(x,x)+AAj
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_30]
		mov	[ecx], eax
		mov	eax, edi

loc_A043D3:				; CODE XREF: ExpQueryLegacyDriverInformation(x,x)+2Ej
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpQueryLegacyDriverInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpQueryNumaAvailableMemory(x, x, x)
_ExpQueryNumaAvailableMemory@12	proc near ; CODE XREF: PAGE:0078036Cp

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	34h
		push	offset dword_6AA3C0
		call	__SEH_prolog4	; struct _exception *
		mov	esi, edx
		mov	edx, ecx
		mov	[ebp+var_34], edx
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_20], ecx
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		movzx	eax, ax
		mov	[ebp+var_2C], eax
		mov	[ebp+ms_exc.disabled], ecx
		push	4
		pop	ecx
		cmp	esi, ecx
		jnb	short loc_A0442D
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A0441C
		mov	[eax], ecx

loc_A0441C:				; CODE XREF: ExpQueryNumaAvailableMemory(x,x,x)+35j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000004h
		jmp	loc_A04570
; 

loc_A0442D:				; CODE XREF: ExpQueryNumaAvailableMemory(x,x,x)+2Ej
		mov	bx, ds:_KeNumberNodes
		movzx	ecx, bx
		lea	eax, [ecx-1]
		mov	[edx], eax
		lea	edi, [esi-8]
		shr	edi, 3
		mov	[ebp+var_24], edi
		cmp	edi, ecx
		jbe	short loc_A0444E
		mov	edi, ecx
		mov	[ebp+var_24], edi

loc_A0444E:				; CODE XREF: ExpQueryNumaAvailableMemory(x,x,x)+64j
		cmp	esi, 8
		jb	loc_A0453F
		test	edi, edi
		jz	loc_A0453F
		lea	ecx, ds:8[edi*8]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		cmp	bx, 1
		jbe	loc_A04526
		xor	esi, esi

loc_A04477:				; CODE XREF: ExpQueryNumaAvailableMemory(x,x,x)+13Ej
		mov	[ebp+var_38], esi
		cmp	esi, edi
		jnb	loc_A04548
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		mov	edx, esi
		mov	ecx, [ebp+var_2C]
		call	_MmGetChannelInformation@16 ; MmGetChannelInformation(x,x,x,x)
		test	eax, eax
		jns	short loc_A044A4
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_A04570
; 

loc_A044A4:				; CODE XREF: ExpQueryNumaAvailableMemory(x,x,x)+B3j
		xor	ebx, ebx
		mov	[ebp+var_44], ebx
		xor	eax, eax
		mov	[ebp+arg_0], eax
		mov	[ebp+var_40], eax
		mov	eax, [ebp+var_20]
		xor	edx, edx
		push	28h
		pop	ecx
		div	ecx
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		xor	eax, eax
		mov	[ebp+var_28], eax

loc_A044C5:				; CODE XREF: ExpQueryNumaAvailableMemory(x,x,x)+11Cj
		cmp	eax, ecx
		jnb	short loc_A04501
		imul	edx, eax, 28h
		mov	ecx, [ebp+var_1C]
		mov	eax, [edx+ecx+18h]
		add	eax, [edx+ecx+10h]
		mov	ecx, [edx+ecx+1Ch]
		mov	edi, [ebp+var_1C]
		adc	ecx, [edx+edi+14h]
		add	ebx, eax
		mov	[ebp+var_44], ebx
		mov	eax, [ebp+arg_0]
		adc	eax, ecx
		mov	[ebp+arg_0], eax
		mov	[ebp+var_40], eax
		mov	edi, [ebp+var_24]
		mov	eax, [ebp+var_28]
		inc	eax
		mov	[ebp+var_28], eax
		mov	ecx, [ebp+var_30]
		jmp	short loc_A044C5
; 

loc_A04501:				; CODE XREF: ExpQueryNumaAvailableMemory(x,x,x)+E4j
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_0]
		shld	eax, ebx, 0Ch
		shl	ebx, 0Ch
		mov	edx, [ebp+var_34]
		mov	[edx+esi*8+8], ebx
		mov	[edx+esi*8+0Ch], eax
		inc	esi
		jmp	loc_A04477
; 

loc_A04526:				; CODE XREF: ExpQueryNumaAvailableMemory(x,x,x)+8Cj
		mov	ecx, [ebp+var_2C]
		call	_MmGetAvailablePages@4 ; MmGetAvailablePages(x)
		xor	ecx, ecx
		shld	ecx, eax, 0Ch
		shl	eax, 0Ch
		mov	[edx+8], eax
		mov	[edx+0Ch], ecx
		jmp	short loc_A04548
; 

loc_A0453F:				; CODE XREF: ExpQueryNumaAvailableMemory(x,x,x)+6Ej
					; ExpQueryNumaAvailableMemory(x,x,x)+76j
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 4

loc_A04548:				; CODE XREF: ExpQueryNumaAvailableMemory(x,x,x)+99j
					; ExpQueryNumaAvailableMemory(x,x,x)+15Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_A04570
; 

loc_A04553:				; DATA XREF: .text:006AA3D4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A04563:				; DATA XREF: .text:006AA3D8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_3C]

loc_A04570:				; CODE XREF: ExpQueryNumaAvailableMemory(x,x,x)+45j
					; ExpQueryNumaAvailableMemory(x,x,x)+BCj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpQueryNumaAvailableMemory@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpQueryNumaProximityNode(x, x, x)
_ExpQueryNumaProximityNode@12 proc near	; CODE XREF: PAGE:0078033Ap

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	18h
		push	offset dword_6AA3E0
		call	__SEH_prolog4
		mov	edi, ecx
		cmp	edx, 8
		jnb	short loc_A0459F
		mov	ecx, 0C0000004h
		jmp	loc_A04656
; 

loc_A0459F:				; CODE XREF: ExpQueryNumaProximityNode(x,x,x)+11j
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [edi]
		mov	[ebp+var_28], eax
		push	0FFFFFFFEh
		pop	ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, esi
		mov	[ebp+var_1C], esi
		mov	edx, _PnpQueryProximityNode
		test	edx, edx
		jz	short loc_A0460C
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		call	edx
		mov	ecx, eax
		test	ecx, ecx
		js	loc_A04656
		xor	eax, eax
		mov	dx, ds:_KeNumberNodes
		cmp	ax, dx
		jnb	short loc_A04602

loc_A045DD:				; CODE XREF: ExpQueryNumaProximityNode(x,x,x)+76j
		movzx	eax, si
		mov	eax, ds:_KeNodeBlock[eax*4]
		mov	ax, [eax+8Ah]
		cmp	ax, word ptr [ebp+var_1C]
		jz	short loc_A045FC
		inc	esi
		cmp	si, dx
		jb	short loc_A045DD
		jmp	short loc_A04602
; 

loc_A045FC:				; CODE XREF: ExpQueryNumaProximityNode(x,x,x)+70j
		movzx	eax, si
		mov	[ebp+var_1C], eax

loc_A04602:				; CODE XREF: ExpQueryNumaProximityNode(x,x,x)+59j
					; ExpQueryNumaProximityNode(x,x,x)+78j
		cmp	si, dx
		jb	short loc_A0460C
		mov	ecx, 0C00000E5h

loc_A0460C:				; CODE XREF: ExpQueryNumaProximityNode(x,x,x)+3Aj
					; ExpQueryNumaProximityNode(x,x,x)+83j
		test	ecx, ecx
		js	short loc_A04656
		mov	[ebp+ms_exc.disabled], 1
		mov	ax, word ptr [ebp+var_1C]
		mov	[edi+4], ax
		mov	[ebp+ms_exc.disabled], ebx
		jmp	short loc_A04656
; 

loc_A04624:				; DATA XREF: .text:006AA400o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A04634:				; DATA XREF: .text:006AA404o
		mov	ecx, [ebp+var_20]
		jmp	short loc_A0464C
; 

loc_A04639:				; DATA XREF: .text:006AA3F4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A04649:				; DATA XREF: .text:006AA3F8o
		mov	ecx, [ebp+var_24]

loc_A0464C:				; CODE XREF: ExpQueryNumaProximityNode(x,x,x)+B5j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A04656:				; CODE XREF: ExpQueryNumaProximityNode(x,x,x)+18j
					; ExpQueryNumaProximityNode(x,x,x)+47j	...
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A04663
		mov	dword ptr [eax], 8

loc_A04663:				; CODE XREF: ExpQueryNumaProximityNode(x,x,x)+D9j
		mov	eax, ecx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpQueryNumaProximityNode@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpQueryPortableWorkspaceEfiLauncherInformation(x, x, x)
_ExpQueryPortableWorkspaceEfiLauncherInformation@12 proc near ;	CODE XREF: PAGE:007817BAp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	28h
		push	offset dword_6AA268
		call	__SEH_prolog4
		mov	[ebp+var_30], ecx
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_20], ecx
		mov	edi, ecx
		mov	[ebp+var_24], edi
		mov	ebx, ecx
		mov	[ebp+var_28], ebx
		cmp	dword_6BBFD0, 2
		jz	short loc_A046D8
		mov	esi, 0C0000003h

loc_A046A6:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+72j
					; ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+91j ...
		test	edi, edi
		jz	short loc_A046B5
		push	6F666E49h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A046B5:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+31j
		test	ebx, ebx
		jz	short loc_A046C4
		push	6F666E49h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A046C4:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+40j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_A046D8:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+28j
		xor	esi, esi
		inc	esi
		cmp	edx, esi
		jz	short loc_A046EB
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		mov	esi, 0C0000004h
		jmp	short loc_A046A6
; 

loc_A046EB:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+66j
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		call	_ZwEnumerateBootEntries@8 ; ZwEnumerateBootEntries(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A04702

loc_A046FB:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+D8j
					; ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+14Aj
		xor	al, al
		jmp	loc_A047CF
; 

loc_A04702:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+82j
		cmp	esi, 0C0000023h
		jnz	short loc_A046A6
		push	6F666E49h
		push	[ebp+var_1C]
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		jnz	short loc_A0472C

loc_A04722:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+100j
		mov	esi, 0C000009Ah
		jmp	loc_A046A6
; 

loc_A0472C:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+A9j
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		call	_ZwEnumerateBootEntries@8 ; ZwEnumerateBootEntries(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A046A6
		lea	eax, [ebp+var_20]
		push	eax
		push	0
		call	_ZwQueryBootEntryOrder@8 ; ZwQueryBootEntryOrder(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A046FB
		cmp	esi, 0C0000023h
		jnz	loc_A046A6
		push	6F666E49h
		mov	eax, [ebp+var_20]
		shl	eax, 2
		push	eax
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	ebx, eax
		mov	[ebp+var_28], ebx
		test	ebx, ebx
		jz	short loc_A04722
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		call	_ZwQueryBootEntryOrder@8 ; ZwQueryBootEntryOrder(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A046A6
		xor	eax, eax
		mov	[ebp+var_2C], eax
		mov	esi, edi

loc_A04794:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+1A8j
		cmp	dword ptr [esi+1Ch], 10h
		jnz	short loc_A047B9
		push	10h		; size_t
		push	offset _PORTABLE_WORKSPACE_LAUNCHER_EFI_ENTRY_ID ; void	*
		lea	eax, [esi+20h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A047B6
		lea	eax, [esi+4]
		jmp	short loc_A047BF
; 

loc_A047B6:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+138j
		mov	eax, [ebp+var_2C]

loc_A047B9:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+121j
		mov	ecx, [esi]
		test	ecx, ecx
		jnz	short loc_A0481D

loc_A047BF:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+13Dj
		test	eax, eax
		jz	loc_A046FB
		mov	eax, [eax+8]
		cmp	eax, [ebx]
		setz	al

loc_A047CF:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+86j
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+var_30]
		mov	[ecx], al
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 1
		xor	esi, esi
		mov	[ebp+var_38], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_A046A6
; 

loc_A047F2:				; DATA XREF: .text:006AA27Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A04802:				; DATA XREF: .text:006AA280o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_34]
		mov	[ebp+var_38], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_24]
		mov	ebx, [ebp+var_28]
		jmp	loc_A046A6
; 

loc_A0481D:				; CODE XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+146j
		add	esi, ecx
		jmp	loc_A04794
_ExpQueryPortableWorkspaceEfiLauncherInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpQuerySingleModuleInformation(x, x, x, x)
_ExpQuerySingleModuleInformation@16 proc near ;	CODE XREF: PAGE:0077EF50p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	esi, esi
		cmp	byte ptr [ebp+arg_0], 0
		mov	eax, ecx
		mov	[ebp+var_4], eax
		mov	[edi], esi
		jz	short loc_A04849
		mov	eax, 0C0000022h
		jmp	loc_A048EB
; 

loc_A04849:				; CODE XREF: ExpQuerySingleModuleInformation(x,x,x,x)+19j
		cmp	edx, 130h
		jb	loc_A048E6
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceExclusiveLite
		mov	ecx, _PsLoadedModuleList
		mov	edx, esi
		test	ecx, ecx
		jz	short loc_A048AA
		cmp	ecx, offset _PsLoadedModuleList
		jz	short loc_A048AA
		mov	eax, [ebp+arg_0]

loc_A0488B:				; CODE XREF: ExpQuerySingleModuleInformation(x,x,x,x)+84j
		mov	ebx, [ecx+18h]
		cmp	eax, ebx
		jb	short loc_A0489F
		mov	eax, [ecx+20h]
		add	eax, ebx
		cmp	[ebp+arg_0], eax
		jb	short loc_A048D3
		mov	eax, [ebp+arg_0]

loc_A0489F:				; CODE XREF: ExpQuerySingleModuleInformation(x,x,x,x)+6Cj
		mov	ecx, [ecx]
		inc	edx
		cmp	ecx, offset _PsLoadedModuleList
		jnz	short loc_A0488B

loc_A048AA:				; CODE XREF: ExpQuerySingleModuleInformation(x,x,x,x)+5Aj
					; ExpQuerySingleModuleInformation(x,x,x,x)+62j
		mov	esi, 0C0000225h

loc_A048AF:				; CODE XREF: ExpQuerySingleModuleInformation(x,x,x,x)+C0j
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	esi, esi
		js	short loc_A048CF
		mov	dword ptr [edi], 130h

loc_A048CF:				; CODE XREF: ExpQuerySingleModuleInformation(x,x,x,x)+A3j
		mov	eax, esi
		jmp	short loc_A048EB
; 

loc_A048D3:				; CODE XREF: ExpQuerySingleModuleInformation(x,x,x,x)+76j
		mov	eax, [ebp+var_4]
		xor	ebx, ebx
		add	eax, 4
		push	eax
		mov	[eax], bx
		call	_ExpConvertLdrEntryToModuleInfo@12 ; ExpConvertLdrEntryToModuleInfo(x,x,x)
		jmp	short loc_A048AF
; 

loc_A048E6:				; CODE XREF: ExpQuerySingleModuleInformation(x,x,x,x)+2Bj
		mov	eax, 0C0000004h

loc_A048EB:				; CODE XREF: ExpQuerySingleModuleInformation(x,x,x,x)+20j
					; ExpQuerySingleModuleInformation(x,x,x,x)+ADj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_ExpQuerySingleModuleInformation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpReadComPlusPackage()
_ExpReadComPlusPackage@0 proc near	; CODE XREF: PAGE:0078045Ep

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		and	[ebp+var_20], 0
		lea	edi, [ebp+var_18]
		and	[ebp+var_1C], 0
		xor	eax, eax
		stosd
		push	offset unk_6B3798
		push	1
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_1C]
		push	eax
		xor	edi, edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A04966
		lea	eax, [ebp+var_20]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		push	offset unk_6B37B0
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A0495E
		cmp	[ebp+var_14], 4
		jnz	short loc_A0495E
		cmp	[ebp+var_10], 4
		jnz	short loc_A0495E
		mov	edi, [ebp+var_C]

loc_A0495E:				; CODE XREF: ExpReadComPlusPackage()+5Bj
					; ExpReadComPlusPackage()+61j ...
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_A04966:				; CODE XREF: ExpReadComPlusPackage()+3Cj
		mov	ecx, 0FFDF02E0h
		or	eax, 0FFFFFFFFh
		lock cmpxchg [ecx], edi
		test	esi, esi
		jns	short loc_A0497E
		cmp	esi, 0C0000034h
		jnz	short loc_A04980

loc_A0497E:				; CODE XREF: ExpReadComPlusPackage()+82j
		xor	esi, esi

loc_A04980:				; CODE XREF: ExpReadComPlusPackage()+8Aj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_ExpReadComPlusPackage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSetProcessorMicrocodeUpdateInformation(x, x, x)
_ExpSetProcessorMicrocodeUpdateInformation@12 proc near	; CODE XREF: PAGE:007B42EAp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

		push	10h
		push	offset dword_6AA288
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_1C], esi
		cmp	edx, 4
		jnb	short loc_A049AD
		mov	esi, 0C0000004h
		jmp	short loc_A04A06
; 

loc_A049AD:				; CODE XREF: ExpSetProcessorMicrocodeUpdateInformation(x,x,x)+14j
		cmp	[ebp+arg_0], 0
		jz	short loc_A049DA
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [ecx]
		mov	[ebp+var_1C], eax

loc_A049BB:				; CODE XREF: ExpSetProcessorMicrocodeUpdateInformation(x,x,x)+48j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A049DF
; 

loc_A049C4:				; DATA XREF: .text:006AA29Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A049D2:				; DATA XREF: .text:006AA2A0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_20]
		jmp	short loc_A049BB
; 

loc_A049DA:				; CODE XREF: ExpSetProcessorMicrocodeUpdateInformation(x,x,x)+21j
		mov	eax, [ecx]
		mov	[ebp+var_1C], eax

loc_A049DF:				; CODE XREF: ExpSetProcessorMicrocodeUpdateInformation(x,x,x)+32j
		test	esi, esi
		js	short loc_A04A06
		cmp	[ebp+var_1C], 1
		jnz	short loc_A049F1
		call	ds:__imp__ExpMicrocodeInformationLoad@0	; ExpMicrocodeInformationLoad()
		jmp	short loc_A049FD
; 

loc_A049F1:				; CODE XREF: ExpSetProcessorMicrocodeUpdateInformation(x,x,x)+57j
		cmp	[ebp+var_1C], 2
		jnz	short loc_A04A01
		call	ds:__imp__ExpMicrocodeInformationUnload@0 ; ExpMicrocodeInformationUnload()

loc_A049FD:				; CODE XREF: ExpSetProcessorMicrocodeUpdateInformation(x,x,x)+5Fj
		mov	esi, eax
		jmp	short loc_A04A06
; 

loc_A04A01:				; CODE XREF: ExpSetProcessorMicrocodeUpdateInformation(x,x,x)+65j
		mov	esi, 0C000000Dh

loc_A04A06:				; CODE XREF: ExpSetProcessorMicrocodeUpdateInformation(x,x,x)+1Bj
					; ExpSetProcessorMicrocodeUpdateInformation(x,x,x)+51j	...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpSetProcessorMicrocodeUpdateInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSetTimeZoneInformation(x, x)
_ExpSetTimeZoneInformation@8 proc near	; CODE XREF: PAGE:007B3649p

var_390		= dword	ptr -390h
var_38C		= dword	ptr -38Ch
var_385		= byte ptr -385h
var_384		= dword	ptr -384h
var_1D4		= dword	ptr -1D4h
var_128		= dword	ptr -128h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	380h
		push	offset dword_6AA308
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	ebx, ecx
		mov	edi, 1B0h
		push	edi		; size_t
		push	0		; int
		lea	eax, [ebp+var_1D4]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	edx, edx
		mov	[ebp+var_385], dl
		cmp	esi, 0ACh
		jnz	short loc_A04AC0
		mov	[ebp+ms_exc.disabled], edx
		test	bl, 3
		jnz	loc_A04BD8
		lea	ecx, [ebx+0ACh]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_A04A73
		cmp	ecx, ebx
		jnb	short loc_A04A75

loc_A04A73:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+53j
		mov	[eax], dl

loc_A04A75:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+57j
		push	2Bh
		pop	ecx
		mov	esi, ebx
		lea	edi, [ebp+var_1D4]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	100h		; size_t
		push	edx		; int
		lea	eax, [ebp+var_128]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	byte ptr [ebp+var_28], 1
		jmp	short loc_A04B01
; 

loc_A04AA4:				; DATA XREF: .text:006AA31Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_38C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A04AB5:				; DATA XREF: .text:006AA320o
		mov	eax, [ebp+var_38C]
		jmp	loc_A04BB7
; 

loc_A04AC0:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+38j
		cmp	esi, edi
		jnz	loc_A04BC3
		mov	[ebp+ms_exc.disabled], 1
		test	bl, 3
		jnz	loc_A04BD8
		lea	ecx, [ebx+1B0h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_A04AEB
		cmp	ecx, ebx
		jnb	short loc_A04AED

loc_A04AEB:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+CBj
		mov	[eax], dl

loc_A04AED:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+CFj
		push	6Ch
		pop	ecx
		mov	esi, ebx
		lea	edi, [ebp+var_1D4]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A04B01:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+88j
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		push	6Ch
		pop	ecx
		mov	esi, [eax+268h]
		lea	edi, [ebp+var_384]
		rep movsd
		mov	ecx, offset _ExpTimeRefreshLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_A04B4E
		call	_ExpReadSiloTimeZoneMarker@0 ; ExpReadSiloTimeZoneMarker()
		mov	bl, al
		test	bl, bl
		jnz	short loc_A04B54
		mov	cl, 1
		call	_ExpWriteSiloTimeZoneMarker@4 ;	ExpWriteSiloTimeZoneMarker(x)
		test	eax, eax
		jns	short loc_A04B54
		jmp	short loc_A04BC8
; 

loc_A04B4E:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+11Aj
		mov	bl, [ebp+var_385]

loc_A04B54:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+125j
					; ExpSetTimeZoneInformation(x,x)+130j
		mov	edi, 1B0h
		mov	edx, edi
		lea	ecx, [ebp+var_1D4]
		call	_RtlpSetTimeZoneInformationWorker@8 ; RtlpSetTimeZoneInformationWorker(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A04B7B
		push	0
		push	0
		call	_NtSetSystemTime@8 ; NtSetSystemTime(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A04B9C

loc_A04B7B:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+150j
		mov	edx, edi
		lea	ecx, [ebp+var_384]
		call	_RtlpSetTimeZoneInformationWorker@8 ; RtlpSetTimeZoneInformationWorker(x,x)
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_A04B9C
		test	bl, bl
		jnz	short loc_A04B9C
		xor	cl, cl
		call	_ExpWriteSiloTimeZoneMarker@4 ;	ExpWriteSiloTimeZoneMarker(x)

loc_A04B9C:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+15Fj
					; ExpSetTimeZoneInformation(x,x)+175j ...
		mov	eax, esi
		jmp	short loc_A04BC8
; 

loc_A04BA0:				; DATA XREF: .text:006AA328o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_390], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A04BB1:				; DATA XREF: .text:006AA32Co
		mov	eax, [ebp+var_390]

loc_A04BB7:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+A1j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A04BC8
; 

loc_A04BC3:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+A8j
		mov	eax, 0C0000004h

loc_A04BC8:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+132j
					; ExpSetTimeZoneInformation(x,x)+184j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A04BD8:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+40j
					; ExpSetTimeZoneInformation(x,x)+B8j
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger

; __stdcall ExpStringCapture(x,	x)
_ExpStringCapture@8:			; CODE XREF: ExpGetDeviceDataInformation(x,x,x)+68p
					; ExpGetDeviceDataInformation(x,x,x)+93p
		push	18h
		push	offset dword_6AA380
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], ecx
		xor	ebx, ebx
		mov	esi, ebx
		movzx	eax, word ptr [eax]
		test	al, 1
		jnz	loc_A04C9F
		test	ax, ax
		jz	loc_A04C9F
		mov	edi, eax
		push	50535845h
		lea	eax, [edi+2]
		push	eax
		push	9
		call	ExAllocatePoolWithQuotaTag
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	esi, esi
		jnz	short loc_A04C2C
		mov	ebx, 0C0000017h
		jmp	short loc_A04CA4
; 

loc_A04C2C:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+209j
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [ebp+var_1C]
		test	edi, edi
		jz	short loc_A04C5A
		mov	eax, [ecx+4]
		test	al, 1
		jz	short loc_A04C42
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A04C42:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+221j
		lea	edx, [eax+edi]
		mov	[ebp+var_1C], edx
		mov	edx, ds:_MmUserProbeAddress
		cmp	[ebp+var_1C], edx
		ja	short loc_A04C58
		cmp	[ebp+var_1C], eax
		jnb	short loc_A04C5A

loc_A04C58:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+237j
		mov	[edx], bl

loc_A04C5A:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+21Aj
					; ExpSetTimeZoneInformation(x,x)+23Cj
		push	edi		; size_t
		push	dword ptr [ecx+4] ; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		shr	edi, 1
		xor	eax, eax
		mov	[esi+edi*2], ax
		mov	eax, [ebp+var_20]
		mov	[eax], esi
		mov	esi, ebx
		jmp	short loc_A04CA4
; 

loc_A04C7F:				; DATA XREF: .text:006AA394o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A04C8D:				; DATA XREF: .text:006AA398o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_24]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_28]
		jmp	short loc_A04CA4
; 

loc_A04C9F:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+1E1j
					; ExpSetTimeZoneInformation(x,x)+1EAj
		mov	ebx, 0C000000Dh

loc_A04CA4:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+210j
					; ExpSetTimeZoneInformation(x,x)+263j ...
		test	esi, esi
		jz	short loc_A04CB3
		push	50535845h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A04CB3:				; CODE XREF: ExpSetTimeZoneInformation(x,x)+28Cj
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpSetTimeZoneInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpUpdateComPlusPackage(x)
_ExpUpdateComPlusPackage@4 proc	near	; CODE XREF: PAGE:007B3EA3p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, offset unk_6B3780
		mov	[ebp+var_C], ecx
		push	ebx
		push	40000000h
		lea	eax, [ebp+var_4]
		xor	edi, edi
		push	eax
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_A04D11
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		push	edi
		push	edi
		push	ebx
		push	40000000h
		lea	eax, [ebp+var_4]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax

loc_A04D11:				; CODE XREF: ExpUpdateComPlusPackage(x)+32j
		test	esi, esi
		js	short loc_A04D35
		push	4
		lea	eax, [ebp+var_C]
		push	eax
		push	4
		push	edi
		push	offset unk_6B37B0
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_A04D35:				; CODE XREF: ExpUpdateComPlusPackage(x)+4Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_ExpUpdateComPlusPackage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExSetLeapSecondEnabled(x)
_ExSetLeapSecondEnabled@4 proc near	; CODE XREF: PAGE:007B340Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		mov	bl, cl
		lea	ecx, [ebp+var_4]
		push	edi
		call	_ExpGetLeapSecondDataRegistryKeyHandle@4 ; ExpGetLeapSecondDataRegistryKeyHandle(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A04D80
		xor	eax, eax
		test	bl, bl
		push	4
		setnz	al
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		push	0
		push	(offset	loc_403D2F+1)
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	edi, eax

loc_A04D80:				; CODE XREF: ExSetLeapSecondEnabled(x)+1Fj
		cmp	[ebp+var_4], 0
		jz	short loc_A04D8E
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A04D8E:				; CODE XREF: ExSetLeapSecondEnabled(x)+48j
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn
_ExSetLeapSecondEnabled@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpExpirationThread(x)
_ExpExpirationThread@4 proc near	; DATA XREF: ExpWatchProductTypeWork+11E754o
					; ExpWatchLicenseInfoWork+3BFo

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		cmp	[ebp+arg_0], ecx
		jz	short locret_A04DBB
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	1		; int
		push	ecx		; void *
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_0]	; int
		call	_ExRaiseHardError@24 ; ExRaiseHardError(x,x,x,x,x,x)
		push	eax
		call	PsTerminateSystemThread

locret_A04DBB:				; CODE XREF: ExpExpirationThread(x)+Ej
		leave
		retn	4
_ExpExpirationThread@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExpLeapSecondDataRegistryNotifyHandler(x)
_ExpLeapSecondDataRegistryNotifyHandler@4 proc near
					; DATA XREF: ExpReadLeapSecondData(x,x)+95o
		mov	ecx, _ExLeapSecondData
		mov	dl, 1
		call	_ExpReadLeapSecondData@8 ; ExpReadLeapSecondData(x,x)
		retn	4
_ExpLeapSecondDataRegistryNotifyHandler@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpLogRefreshTimeZoneInformationCutoverFail(x, x, x, x)
_ExpLogRefreshTimeZoneInformationCutoverFail@16	proc near
					; CODE XREF: ExpRefreshTimeZoneInformation(x)+32Ep
					; ExpRefreshTimeZoneInformation(x)+392p

var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= byte ptr -10Ch
var_10A		= dword	ptr -10Ah
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 134h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	bl, dl
		mov	esi, ecx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		cmp	dword_6B2A90, 5
		mov	ecx, [eax+268h]
		jbe	loc_A04FF3
		mov	al, [ebp+arg_4]
		xor	edx, edx
		mov	byte ptr [ebp+var_10A+1], al
		xor	edi, edi
		lea	eax, [ebp+var_10A+1]
		and	[ebp+var_CC], 0
		mov	[ebp+var_E8], eax
		inc	edi
		mov	eax, [ecx+310h]
		mov	[ebp+var_110], eax
		lea	eax, [ebp+var_110]
		mov	[ebp+var_D8], eax
		mov	eax, [ecx+1B4h]
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_114]
		and	[ebp+var_C4], 0
		and	[ebp+var_BC], 0
		mov	[ebp+var_C8], eax
		mov	eax, [ecx+1B0h]
		xor	ecx, ecx
		mov	[ebp+var_118], eax
		lea	eax, [ebp+var_118]
		mov	[ebp+var_B8], eax
		mov	al, byte ptr _ExpRealTimeIsUniversal
		mov	byte ptr [ebp+var_10A],	al
		lea	eax, [ebp+var_10A]
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_A8], eax
		lea	eax, [ebp-10Bh]
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_9C], ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_98], eax
		mov	[ebp+var_E4], edx
		mov	[ebp+var_DC], edx
		mov	eax, [ecx]
		mov	[ebp+var_D4], edx
		push	4
		pop	edx
		mov	[ebp+var_130], eax
		mov	eax, [ecx+4]
		lea	ecx, [ebp+var_78]
		mov	[ebp+var_12C], eax
		lea	eax, [ebp+var_130]
		mov	[ebp+var_D0], edx
		mov	[ebp+var_C0], edx
		mov	[ebp+var_B0], edx
		lea	edx, [esi+0ACh]
		mov	[ebp-10Bh], bl
		xor	ebx, ebx
		mov	[ebp+var_E0], edi
		mov	[ebp+var_A0], edi
		mov	[ebp+var_94], ebx
		mov	[ebp+var_90], edi
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_88], eax
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], 8
		mov	[ebp+var_7C], ebx
		call	_tlgCreate1Sz_wchar_t
		mov	al, [esi+1ACh]
		mov	[ebp+var_10C], al
		lea	eax, [ebp+var_10C]
		mov	[ebp+var_68], eax
		mov	eax, [esi]
		mov	[ebp+var_11C], eax
		lea	eax, [ebp+var_11C]
		mov	[ebp+var_58], eax
		mov	eax, [esi+54h]
		push	4
		mov	[ebp+var_120], eax
		lea	eax, [ebp+var_120]
		pop	ecx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], edi
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_48], eax
		mov	eax, [esi+0A8h]
		mov	[ebp+var_124], eax
		lea	eax, [ebp+var_124]
		mov	[ebp+var_38], eax
		lea	eax, [esi+44h]
		push	10h
		mov	[ebp+var_28], eax
		lea	eax, [esi+98h]
		mov	[ebp+var_40], ecx
		mov	[ebp+var_30], ecx
		pop	ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_10A+2]
		push	eax
		push	ecx
		push	ebx
		push	ebx
		push	offset loc_424747
		push	offset dword_6B2A90
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_A04FF3:				; CODE XREF: ExpLogRefreshTimeZoneInformationCutoverFail(x,x,x,x)+2Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_ExpLogRefreshTimeZoneInformationCutoverFail@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpLogRefreshTimeZoneInformationQueryFail(x, x)
_ExpLogRefreshTimeZoneInformationQueryFail@8 proc near
					; CODE XREF: ExpRefreshTimeZoneInformation(x)+1A9p

var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8A		= byte ptr -8Ah
var_89		= dword	ptr -89h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	bl, dl
		mov	edi, ecx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		cmp	dword_6B2A90, 5
		mov	esi, [eax+268h]
		jbe	loc_A05101
		lea	eax, [ebp+var_90]
		mov	[ebp+var_90], edi
		mov	[ebp+var_68], eax
		xor	edx, edx
		mov	eax, [esi+310h]
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_94]
		mov	[ebp+var_58], eax
		mov	eax, [esi+1B4h]
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_48], eax
		mov	eax, [esi+1B0h]
		mov	[ebp+var_9C], eax
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_38], eax
		mov	al, byte ptr _ExpRealTimeIsUniversal
		mov	byte ptr [ebp+var_89], al
		lea	eax, [ebp+var_89]
		push	4
		pop	ecx
		mov	[ebp+var_28], eax
		lea	eax, [ebp-8Ah]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_89+1]
		push	eax
		push	8
		push	edx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_30], ecx
		xor	ecx, ecx
		push	edx
		inc	ecx
		mov	[ebp+var_64], edx
		push	offset loc_4241C3
		push	offset dword_6B2A90
		mov	[ebp+var_5C], edx
		mov	[ebp+var_54], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_8A], bl
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_A05101:				; CODE XREF: ExpLogRefreshTimeZoneInformationQueryFail(x,x)+2Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_ExpLogRefreshTimeZoneInformationQueryFail@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTimeZoneWork(x)
_ExpTimeZoneWork@4 proc	near		; DATA XREF: ExpInitializeTimeChangeWorker(x,x,x,x,x)+22o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	edi
		push	[ebp+arg_0]
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	ecx, [ebp+arg_0]
		mov	edi, eax
		call	_PsGetServerSiloGlobals@4 ; PsGetServerSiloGlobals(x)
		mov	ebx, [eax+268h]
		add	ebx, 2C8h

loc_A05135:				; CODE XREF: ExpTimeZoneWork(x)+35j
		push	0
		push	0
		call	_ZwSetSystemTime@8 ; ZwSetSystemTime(x,x)
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		jnz	short loc_A05135
		push	edi
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		push	[ebp+arg_0]
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		pop	edi
		pop	ebx
		test	al, al
		jnz	short loc_A05168
		mov	ecx, [ebp+arg_0]
		mov	edx, 53707845h
		call	ObfDereferenceObjectWithTag

loc_A05168:				; CODE XREF: ExpTimeZoneWork(x)+49j
		pop	ebp
		retn	4
_ExpTimeZoneWork@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetSystemTime(x, x)
_NtSetSystemTime@8 proc	near		; CODE XREF: ExpSetTimeZoneInformation(x,x)+156p
					; DATA XREF: .text:00580C68o

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2E		= byte ptr -2Eh
var_2D		= dword	ptr -2Dh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	50h
		push	offset dword_6AA408
		call	__SEH_prolog4_GS
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_50], esi
		mov	ebx, [ebp+arg_4]
		xor	ecx, ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_44], ecx
		xor	eax, eax
		lea	edi, [ebp+var_2D+1]
		stosd
		stosd
		stosd
		stosd
		mov	byte ptr [ebp+var_2D], cl
		push	20h
		pop	eax
		mov	word ptr [ebp+var_60], ax
		push	22h
		pop	eax
		mov	word ptr [ebp+var_60+2], ax
		mov	[ebp+var_5C], offset ??_C@_1CC@KMIMNONK@?$AAs?$AAy?$AAs?$AAt?$AAe?$AAm?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAm?$AAe?$AAn@NNGAKEGL@
		test	esi, esi
		jz	loc_A0533F
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_2E], al
		mov	byte ptr [ebp+var_4C], al
		push	[ebp+var_4C]
		push	ds:dword_A94C94
		push	ds:_SeSystemtimePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0520A
		call	RtlIsMultiSessionSku
		test	al, al
		jnz	short loc_A05213
		lea	eax, [ebp+var_2D]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		push	0
		call	_RtlCapabilityCheck@12 ; RtlCapabilityCheck(x,x,x)
		test	eax, eax
		js	short loc_A05213
		cmp	byte ptr [ebp+var_2D], 0
		jz	short loc_A05213

loc_A0520A:				; CODE XREF: NtSetSystemTime(x,x)+7Aj
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		test	al, al
		jz	short loc_A0521D

loc_A05213:				; CODE XREF: NtSetSystemTime(x,x)+83j
					; NtSetSystemTime(x,x)+96j ...
		mov	eax, 0C0000061h
		jmp	loc_A05415
; 

loc_A0521D:				; CODE XREF: NtSetSystemTime(x,x)+A5j
		cmp	[ebp+var_2E], 0
		jz	short loc_A05291
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+var_50]
		mov	eax, ecx
		test	cl, 3
		jnz	loc_A05427
		mov	edx, ds:_MmUserProbeAddress
		cmp	ecx, edx
		jb	short loc_A05241
		mov	eax, edx

loc_A05241:				; CODE XREF: NtSetSystemTime(x,x)+D1j
		nop
		mov	al, [eax]
		test	ebx, ebx
		jz	short loc_A05267
		test	bl, 3
		jnz	loc_A05427
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_A0525D
		mov	byte ptr [eax],	0

loc_A0525D:				; CODE XREF: NtSetSystemTime(x,x)+ECj
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+4]
		mov	[ebx+4], al

loc_A05267:				; CODE XREF: NtSetSystemTime(x,x)+DAj
		mov	eax, [ecx]
		mov	[ebp+var_40], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_3C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A0529C
; 

loc_A0527B:				; DATA XREF: .text:006AA41Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_54], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A05289:				; DATA XREF: .text:006AA420o
		mov	eax, [ebp+var_54]
		jmp	loc_A05316
; 

loc_A05291:				; CODE XREF: NtSetSystemTime(x,x)+B5j
		mov	eax, [esi]
		mov	[ebp+var_40], eax
		mov	eax, [esi+4]
		mov	[ebp+var_3C], eax

loc_A0529C:				; CODE XREF: NtSetSystemTime(x,x)+10Dj
		cmp	eax, 20000000h
		ja	loc_A05335
		mov	cl, 1
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		push	[ebp+var_3C]
		push	[ebp+var_40]
		lea	eax, [ebp+var_38]
		push	eax
		push	1
		xor	dl, dl
		mov	cl, 1
		call	ExpSetSystemTime
		push	[ebp+var_3C]
		push	[ebp+var_40]
		push	[ebp+var_34]
		push	[ebp+var_38]
		call	_SeAuditSystemTimeChange@16 ; SeAuditSystemTimeChange(x,x,x,x)
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()
		test	ebx, ebx
		jz	loc_A05411
		cmp	[ebp+var_2E], 0
		jz	short loc_A05325
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_38]
		mov	[ebx], eax
		mov	eax, [ebp+var_34]
		mov	[ebx+4], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_A05411
; 

loc_A05305:				; DATA XREF: .text:006AA428o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_58], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A05313:				; DATA XREF: .text:006AA42Co
		mov	eax, [ebp+var_58]

loc_A05316:				; CODE XREF: NtSetSystemTime(x,x)+120j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_A05415
; 

loc_A05325:				; CODE XREF: NtSetSystemTime(x,x)+179j
		mov	eax, [ebp+var_38]
		mov	[ebx], eax
		mov	eax, [ebp+var_34]
		mov	[ebx+4], eax
		jmp	loc_A05411
; 

loc_A05335:				; CODE XREF: NtSetSystemTime(x,x)+135j
		mov	eax, 0C000000Dh
		jmp	loc_A05415
; 

loc_A0533F:				; CODE XREF: NtSetSystemTime(x,x)+4Cj
		call	_PsIsCurrentThreadInServerSilo@0 ; PsIsCurrentThreadInServerSilo()
		mov	cl, 1
		test	al, al
		jnz	loc_A05400
		mov	esi, 0C000000Dh
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		mov	bl, _ExpSystemIsInCmosMode
		lea	eax, [ebp+var_2D+1]
		push	eax
		call	ds:__imp__HalQueryRealTimeClock@4 ; HalQueryRealTimeClock(x)
		test	al, al
		jz	short loc_A053DD
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_2D+1]
		push	eax
		call	_RtlTimeFieldsToTime@8 ; RtlTimeFieldsToTime(x,x)
		test	al, al
		jz	short loc_A053DD
		xor	cl, cl
		call	_ExpRefreshTimeZoneInformation@4 ; ExpRefreshTimeZoneInformation(x)
		test	al, al
		jz	short loc_A053DD
		lea	eax, [ebp+var_38]
		push	eax
		call	KeQuerySystemTime
		cmp	_ExpRealTimeIsUniversal, 0
		jnz	short loc_A053C2
		test	bl, bl
		jnz	short loc_A053E4
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		call	_ExSystemTimeToLocalTime@8 ; ExSystemTimeToLocalTime(x,x)
		lea	eax, [ebp+var_2D+1]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		lea	eax, [ebp+var_2D+1]
		push	eax
		call	ds:__imp__HalSetRealTimeClock@4	; HalSetRealTimeClock(x)

loc_A053C2:				; CODE XREF: NtSetSystemTime(x,x)+22Cj
		mov	eax, [ebp+var_38]
		mov	[ebp+var_40], eax
		mov	eax, [ebp+var_34]
		mov	[ebp+var_3C], eax

loc_A053CE:				; CODE XREF: NtSetSystemTime(x,x)+292j
		push	3
		lea	edx, [ebp+var_38]
		lea	ecx, [ebp+var_40]
		call	_PoNotifySystemTimeSet@12 ; PoNotifySystemTimeSet(x,x,x)
		xor	esi, esi

loc_A053DD:				; CODE XREF: NtSetSystemTime(x,x)+1FEj
					; NtSetSystemTime(x,x)+20Fj ...
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()
		jmp	short loc_A05413
; 

loc_A053E4:				; CODE XREF: NtSetSystemTime(x,x)+230j
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		call	_ExLocalTimeToSystemTime@8 ; ExLocalTimeToSystemTime(x,x)
		push	0
		lea	edx, [ebp+var_38]
		lea	ecx, [ebp+var_40]
		call	_KeSetSystemTime@12 ; KeSetSystemTime(x,x,x)
		jmp	short loc_A053CE
; 

loc_A05400:				; CODE XREF: NtSetSystemTime(x,x)+1DCj
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		xor	cl, cl
		call	_ExpRefreshTimeZoneInformation@4 ; ExpRefreshTimeZoneInformation(x)
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()

loc_A05411:				; CODE XREF: NtSetSystemTime(x,x)+16Fj
					; NtSetSystemTime(x,x)+194j ...
		xor	esi, esi

loc_A05413:				; CODE XREF: NtSetSystemTime(x,x)+276j
		mov	eax, esi

loc_A05415:				; CODE XREF: NtSetSystemTime(x,x)+ACj
					; NtSetSystemTime(x,x)+1B4j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_A05427:				; CODE XREF: NtSetSystemTime(x,x)+C3j
					; NtSetSystemTime(x,x)+DFj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()
		int	3		; Trap to Debugger
_NtSetSystemTime@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWatchLicenseInfoWork	proc near	; DATA XREF: ExpWatchProductTypeInitialization+14BBDo

var_BC		= dword	ptr -0BCh
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9E		= byte ptr -9Eh
var_9D		= byte ptr -9Dh
var_9C		= dword	ptr -9Ch
var_98		= word ptr -98h
var_96		= word ptr -96h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7E		= byte ptr -7Eh
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+84h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [esp+90h+var_38]
		xor	esi, esi
		push	30h		; size_t
		push	esi		; int
		push	eax		; void *
		mov	[esp+9Ch+var_64], esi
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		mov	[esp+90h+var_68], eax
		mov	[esp+90h+var_78], eax
		mov	[esp+90h+var_74], eax
		mov	[esp+90h+var_6C], eax
		mov	[esp+90h+var_60], eax
		mov	[esp+90h+var_5C], eax
		mov	[esp+13h], al
		cmp	_ExpSetupModeDetected, al
		jnz	loc_A05779
		push	dword ptr [edi+8]
		lea	eax, [esp+94h+var_78]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	dword ptr [edi]
		lea	eax, [esp+94h+var_78]
		mov	[esp+94h+var_58], 18h
		mov	[esp+94h+var_54], esi
		mov	[esp+94h+var_4C], 240h
		mov	[esp+94h+var_50], eax
		mov	[esp+94h+var_48], esi
		mov	[esp+94h+var_44], esi
		call	NtClose
		push	esi
		push	esi
		lea	eax, [esp+98h+var_58]
		mov	edx, 2001Fh
		push	eax
		mov	ecx, edi
		call	CmOpenKey
		test	eax, eax
		jns	short loc_A054ED
		push	esi
		push	esi
		push	eax
		push	12h

loc_A054E3:				; CODE XREF: ExpWatchLicenseInfoWork+DEj
					; ExpWatchLicenseInfoWork+20Dj	...
		push	9Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_A054ED:				; CODE XREF: ExpWatchLicenseInfoWork+AFj
		lea	eax, [esp+0B0h+var_88]
		push	eax
		push	30h
		lea	eax, [esp+0B8h+var_58]
		push	eax
		push	2
		push	dword ptr [edi]
		call	NtQueryKey
		test	eax, eax
		jns	short loc_A0550D
		push	esi
		push	esi
		push	eax
		push	13h
		jmp	short loc_A054E3
; 

loc_A0550D:				; CODE XREF: ExpWatchLicenseInfoWork+D7j
		mov	eax, [esp+0B0h+var_40]
		lea	ebx, ds:38h[eax*2]
		cmp	ebx, eax
		jb	short loc_A05527
		lea	eax, ds:20h[eax*2]
		cmp	ebx, eax
		jnb	short loc_A0552C

loc_A05527:				; CODE XREF: ExpWatchLicenseInfoWork+EDj
		mov	[esp+0B0h+var_9D], 1

loc_A0552C:				; CODE XREF: ExpWatchLicenseInfoWork+F8j
		push	2079654Bh
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0B0h+var_90], eax
		test	eax, eax
		jz	loc_A057D1
		cmp	[esp+0B0h+var_9D], 0
		jnz	loc_A057D1
		mov	edx, [edi+8]
		add	edx, 20h
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[esp+0B0h+var_9C], eax

loc_A05562:				; CODE XREF: ExpWatchLicenseInfoWork+13Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A05562
		sub	ecx, [esp+0B0h+var_9C]
		mov	eax, [esp+0B0h+var_40]
		sar	ecx, 1
		add	eax, ecx
		add	eax, eax
		movzx	ecx, ax
		mov	[esp+0B0h+var_5C], eax
		mov	[esp+0B0h+var_98], ax
		mov	[esp+0B0h+var_9C], ecx
		cmp	ecx, [esp+0B0h+var_40]
		jb	short loc_A055D7
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[esp+0B0h+var_60], eax

loc_A0559A:				; CODE XREF: ExpWatchLicenseInfoWork+176j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A0559A
		sub	ecx, [esp+0B0h+var_60]
		sar	ecx, 1
		cmp	[esp+0B0h+var_9C], ecx
		jb	short loc_A055D3
		lea	ecx, [edx+2]

loc_A055B4:				; CODE XREF: ExpWatchLicenseInfoWork+190j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, si
		jnz	short loc_A055B4
		mov	eax, [esp+0B0h+var_40]
		sub	edx, ecx
		mov	ecx, [esp+0B0h+var_9C]
		sar	edx, 1
		add	eax, edx
		cmp	ecx, eax
		jnb	short loc_A055DC
		jmp	short loc_A055D7
; 

loc_A055D3:				; CODE XREF: ExpWatchLicenseInfoWork+182j
		mov	ecx, [esp+0B0h+var_9C]

loc_A055D7:				; CODE XREF: ExpWatchLicenseInfoWork+162j
					; ExpWatchLicenseInfoWork+1A4j
		mov	[esp+0B0h+var_9D], 1

loc_A055DC:				; CODE XREF: ExpWatchLicenseInfoWork+1A2j
		mov	eax, [esp+0B0h+var_5C]
		push	2079654Bh
		push	ecx
		push	200h
		mov	[esp+0BCh+var_96], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0B0h+var_94], eax
		test	eax, eax
		jz	loc_A057C1
		cmp	[esp+0B0h+var_9D], 0
		jnz	loc_A057C1
		push	ds:off_A414A0
		lea	eax, [esp+34h]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [edi+4]
		push	eax
		push	4
		push	esi
		lea	eax, [esp+40h]
		push	eax
		push	dword ptr [edi]
		call	NtSetValueKey
		test	eax, eax
		jns	short loc_A0563F
		push	esi
		push	esi
		push	eax
		push	15h
		jmp	loc_A054E3
; 

loc_A0563F:				; CODE XREF: ExpWatchLicenseInfoWork+206j
		lea	eax, [esp+0B0h+var_88]
		mov	[esp+0B0h+var_9C], esi
		push	eax
		mov	eax, [esp+0B4h+var_90]
		push	ebx
		push	eax
		push	esi
		push	esi
		jmp	loc_A05751
; 

loc_A05655:				; CODE XREF: ExpWatchLicenseInfoWork+330j
		test	eax, eax
		js	loc_A0573C
		mov	ecx, [esp+0C4h+var_A4]
		xor	edx, edx
		mov	eax, [ecx+0Ch]
		shr	eax, 1
		mov	[ecx+eax*2+10h], dx
		push	dword ptr [edi+8]
		movzx	eax, word ptr [esp+0C8h+var_AC+2]
		shr	eax, 1
		push	eax
		push	[esp+0CCh+var_A8]
		call	_wcscpy_s
		movzx	eax, word ptr [esp+0D0h+var_AC+2]
		add	esp, 0Ch
		shr	eax, 1
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		push	eax
		push	[esp+0CCh+var_A8]
		call	_wcscat_s
		mov	eax, [esp+0D0h+var_A4]
		add	esp, 0Ch
		add	eax, 10h
		push	eax
		movzx	eax, word ptr [esp+0C8h+var_AC+2]
		shr	eax, 1
		push	eax
		push	[esp+0CCh+var_A8]
		call	_wcscat_s
		mov	ecx, [esp+0D0h+var_A8]
		add	esp, 0Ch
		lea	edx, [ecx+2]

loc_A056C0:				; CODE XREF: ExpWatchLicenseInfoWork+29Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A056C0
		sub	ecx, edx
		mov	[esp+0C4h+var_8C], 18h
		sar	ecx, 1
		mov	edx, 2001Fh
		push	esi
		push	esi
		mov	[esp+0CCh+var_88], esi
		lea	eax, [ecx+ecx]
		mov	dword ptr [esp+4Ch], 240h
		mov	word ptr [esp+0CCh+var_AC], ax
		lea	ecx, [esp+2Ch]
		lea	eax, [esp+0CCh+var_AC]
		mov	[esp+0CCh+var_7C], esi
		mov	[esp+0CCh+var_84], eax
		lea	eax, [esp+0CCh+var_8C]
		push	eax
		mov	[esp+0D0h+var_78], esi
		call	CmOpenKey
		test	eax, eax
		js	loc_A057B7
		push	4
		lea	eax, [edi+4]
		push	eax
		push	4
		push	esi
		lea	eax, [esp+40h]
		push	eax
		push	[esp+0E4h+var_AC]
		call	NtSetValueKey
		test	eax, eax
		js	short loc_A057AD
		push	[esp+0D0h+var_AC]
		call	NtClose

loc_A0573C:				; CODE XREF: ExpWatchLicenseInfoWork+22Aj
		mov	eax, [esp+0D0h+var_BC]
		lea	ecx, [esp+0D0h+var_A8]
		push	ecx
		push	ebx
		push	[esp+0D8h+var_B0]
		inc	eax
		push	esi
		mov	[esp+0E0h+var_BC], eax
		push	eax

loc_A05751:				; CODE XREF: ExpWatchLicenseInfoWork+223j
		push	dword ptr [edi]
		call	NtEnumerateKey
		cmp	eax, 8000001Ah
		jnz	loc_A05655
		push	esi
		push	[esp+0D4h+var_B0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	[esp+0D4h+var_B4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax

loc_A05779:				; CODE XREF: ExpWatchLicenseInfoWork+5Cj
		mov	edx, [edi]
		lea	ecx, [edi+24h]
		push	1
		push	4
		push	ecx
		push	1
		push	10000005h
		lea	ecx, [edi+1Ch]
		push	ecx
		push	1
		lea	ecx, [edi+0Ch]
		push	ecx
		push	eax
		push	eax
		push	eax
		push	edx
		call	NtNotifyChangeMultipleKeys
		test	eax, eax
		jns	short loc_A057D6
		xor	esi, esi
		push	esi
		push	esi
		push	eax
		push	18h
		jmp	loc_A054E3
; 

loc_A057AD:				; CODE XREF: ExpWatchLicenseInfoWork+304j
		push	esi
		push	esi
		push	eax
		push	17h
		jmp	loc_A054E3
; 

loc_A057B7:				; CODE XREF: ExpWatchLicenseInfoWork+2E5j
		push	esi
		push	esi
		push	eax
		push	16h
		jmp	loc_A054E3
; 

loc_A057C1:				; CODE XREF: ExpWatchLicenseInfoWork+1CEj
					; ExpWatchLicenseInfoWork+1D9j
		movzx	eax, [esp+0B0h+var_98]
		push	esi
		push	1
		push	eax

loc_A057CA:				; CODE XREF: ExpWatchLicenseInfoWork+3A7j
		push	14h
		jmp	loc_A054E3
; 

loc_A057D1:				; CODE XREF: ExpWatchLicenseInfoWork+115j
					; ExpWatchLicenseInfoWork+120j
		push	esi
		push	esi
		push	ebx
		jmp	short loc_A057CA
; 

loc_A057D6:				; CODE XREF: ExpWatchLicenseInfoWork+372j
		cmp	_ExpSetupModeDetected, 0
		jnz	short loc_A0580C
		xor	esi, esi
		lea	eax, [esp+0D0h+var_A4]
		push	esi
		push	esi
		push	0C000026Ah
		push	offset _ExpExpirationThread@4 ;	ExpExpirationThread(x)
		push	esi
		push	esi
		push	esi
		push	1FFFFFh
		push	eax
		call	PsCreateSystemThreadEx
		test	eax, eax
		js	short loc_A0580C
		push	[esp+0D0h+var_A4]
		call	_ZwClose@4	; ZwClose(x)

loc_A0580C:				; CODE XREF: ExpWatchLicenseInfoWork+3B0j
					; ExpWatchLicenseInfoWork+3D4j
		mov	ecx, [esp+0D0h+var_44]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
ExpWatchLicenseInfoWork	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtDisplayString(x)
_NtDisplayString@4 proc	near		; DATA XREF: .text:00581090o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	18h
		push	offset dword_6AA458
		call	__SEH_prolog4
		xor	eax, eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_A05848
		mov	eax, 0C000000Dh
		jmp	loc_A058CD
; 

loc_A05848:				; CODE XREF: NtDisplayString(x)+19j
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+arg_0], bl
		push	[ebp+arg_0]
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A05876
		mov	eax, 0C0000061h
		jmp	short loc_A058CD
; 

loc_A05876:				; CODE XREF: NtDisplayString(x)+4Aj
		test	bl, bl
		jz	loc_A0596C
		xor	edx, edx
		mov	[ebp+ms_exc.disabled], edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_A0588E
		mov	esi, eax

loc_A0588E:				; CODE XREF: NtDisplayString(x)+67j
		nop
		mov	eax, [esi]
		mov	[ebp+arg_0], eax
		mov	[ebp+var_28], eax
		mov	esi, [esi+4]
		mov	[ebp+var_24], esi
		test	esi, esi
		jz	short loc_A058C4
		sar	eax, 10h
		test	ax, ax
		jz	short loc_A058C4
		movzx	ebx, word ptr [ebp+arg_0+2]
		lea	ecx, [ebx+esi]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_A058BD
		cmp	ecx, esi
		jnb	short loc_A058BF

loc_A058BD:				; CODE XREF: NtDisplayString(x)+94j
		mov	[eax], dl

loc_A058BF:				; CODE XREF: NtDisplayString(x)+98j
		cmp	[esi], dx
		jnz	short loc_A058DF

loc_A058C4:				; CODE XREF: NtDisplayString(x)+7Cj
					; NtDisplayString(x)+84j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A058CB:				; CODE XREF: NtDisplayString(x)+14Ej
					; NtDisplayString(x)+15Bj ...
		xor	eax, eax

loc_A058CD:				; CODE XREF: NtDisplayString(x)+20j
					; NtDisplayString(x)+51j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_A058DF:				; CODE XREF: NtDisplayString(x)+9Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	67727453h
		lea	eax, [ebx+2]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+arg_0], edi
		test	edi, edi
		jz	loc_A059A8
		mov	[ebp+ms_exc.disabled], 1
		push	ebx		; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		shr	ebx, 1
		xor	eax, eax
		mov	[edi+ebx*2], ax
		jmp	loc_A059CF
; 

loc_A0592C:				; DATA XREF: .text:006AA478o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0593A:				; DATA XREF: .text:006AA47Co
		mov	esp, [ebp+ms_exc.old_esp]
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_1C]
		jmp	short loc_A05960
; 

loc_A0594C:				; DATA XREF: .text:006AA46Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0595A:				; DATA XREF: .text:006AA470o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_20]

loc_A05960:				; CODE XREF: NtDisplayString(x)+127j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_A058CD
; 

loc_A0596C:				; CODE XREF: NtDisplayString(x)+55j
		mov	eax, [esi+4]
		test	eax, eax
		jz	loc_A058CB
		movzx	ecx, word ptr [esi+2]
		test	cx, cx
		jz	loc_A058CB
		xor	edx, edx
		cmp	[eax], dx
		jz	loc_A058CB
		push	67727453h
		add	ecx, 2
		push	ecx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A059B2

loc_A059A8:				; CODE XREF: NtDisplayString(x)+DDj
		mov	eax, 0C0000017h
		jmp	loc_A058CD
; 

loc_A059B2:				; CODE XREF: NtDisplayString(x)+183j
		movzx	eax, word ptr [esi+2]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		movzx	eax, word ptr [esi+2]
		shr	eax, 1
		xor	ecx, ecx
		mov	[edi+eax*2], cx

loc_A059CF:				; CODE XREF: NtDisplayString(x)+104j
		mov	ecx, edi
		call	_BgkDisplayStringEx@4 ;	BgkDisplayStringEx(x)
		mov	bl, al
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	bl, bl
		jnz	loc_A058CB
		mov	eax, 0C0000001h
		jmp	loc_A058CD
_NtDisplayString@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExCreateHandle(x, x)
_ExCreateHandle@8 proc near		; CODE XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+1A85p
					; NtCreateJobObject+1C4p
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		call	ExCreateHandleEx
		retn
_ExCreateHandle@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExDereferenceHandleDebugInfo(x, x)
_ExDereferenceHandleDebugInfo@8	proc near ; CODE XREF: ExDisableHandleTracing(x)+217p
					; ExpFreeHandleTable+92p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		or	eax, 0FFFFFFFFh
		lock xadd [edx], eax
		dec	eax
		jnz	short loc_A05A40
		mov	esi, [edx+4]
		push	6474624Fh
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [edi+0Ch]
		test	ecx, ecx
		jz	short loc_A05A35
		imul	eax, esi, 50h
		add	eax, 30h
		push	eax
		push	ecx
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)

loc_A05A35:				; CODE XREF: ExDereferenceHandleDebugInfo(x,x)+28j
		neg	esi
		mov	eax, offset _ExpTotalTraceBuffers
		lock xadd [eax], esi

loc_A05A40:				; CODE XREF: ExDereferenceHandleDebugInfo(x,x)+13j
		pop	edi
		pop	esi
		leave
		retn
_ExDereferenceHandleDebugInfo@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExEnableHandleTracing(x, x)
_ExEnableHandleTracing@8 proc near	; CODE XREF: PsSetProcessHandleTracingInformation(x,x)+1Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jnz	short loc_A05A5E
		mov	esi, dword ptr ds:_ExHandleTraceDbDefaultStacks
		jmp	short loc_A05A8D
; 

loc_A05A5E:				; CODE XREF: ExEnableHandleTracing(x,x)+10j
		cmp	esi, ds:_ExHandleTraceDbMinStacks
		jnb	short loc_A05A6E
		mov	esi, ds:_ExHandleTraceDbMinStacks
		jmp	short loc_A05A7C
; 

loc_A05A6E:				; CODE XREF: ExEnableHandleTracing(x,x)+20j
		cmp	esi, ds:_ExHandleTraceDbMaxStacks
		jbe	short loc_A05A7C
		mov	esi, ds:_ExHandleTraceDbMaxStacks

loc_A05A7C:				; CODE XREF: ExEnableHandleTracing(x,x)+28j
					; ExEnableHandleTracing(x,x)+30j
		lea	eax, [esi-1]
		jmp	short loc_A05A89
; 

loc_A05A81:				; CODE XREF: ExEnableHandleTracing(x,x)+47j
		lea	eax, [esi-1]
		or	eax, esi
		lea	esi, [eax+1]

loc_A05A89:				; CODE XREF: ExEnableHandleTracing(x,x)+3Bj
		test	eax, esi
		jnz	short loc_A05A81

loc_A05A8D:				; CODE XREF: ExEnableHandleTracing(x,x)+18j
		imul	ebx, esi, 50h
		mov	ecx, esi
		mov	eax, offset _ExpTotalTraceBuffers
		add	ebx, 30h
		mov	[ebp+var_4], ebx
		lock xadd [eax], ecx
		call	_MmGetMaximumNonPagedPoolInBytes@0 ; MmGetMaximumNonPagedPoolInBytes()
		imul	eax, 5
		push	50h
		shr	eax, 4
		mov	[ebp+var_8], eax
		mov	eax, ecx
		pop	ecx
		mul	ecx
		test	edx, edx
		jb	short loc_A05AC8
		ja	short loc_A05AC1
		cmp	eax, [ebp+var_8]
		jbe	short loc_A05AC8

loc_A05AC1:				; CODE XREF: ExEnableHandleTracing(x,x)+76j
		mov	eax, 0C000009Ah
		jmp	short loc_A05ADD
; 

loc_A05AC8:				; CODE XREF: ExEnableHandleTracing(x,x)+74j
					; ExEnableHandleTracing(x,x)+7Bj
		mov	eax, [edi+0Ch]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_A05AED
		push	ebx
		push	eax
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		test	eax, eax
		jns	short loc_A05AED

loc_A05ADD:				; CODE XREF: ExEnableHandleTracing(x,x)+82j
		neg	esi
		mov	ecx, offset _ExpTotalTraceBuffers
		lock xadd [ecx], esi
		jmp	loc_A05BD1
; 

loc_A05AED:				; CODE XREF: ExEnableHandleTracing(x,x)+8Cj
					; ExEnableHandleTracing(x,x)+97j
		push	6474624Fh
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A05B28
		neg	esi
		mov	ecx, offset _ExpTotalTraceBuffers
		lock xadd [ecx], esi
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_A05B1E
		push	[ebp+var_4]
		push	eax
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)

loc_A05B1E:				; CODE XREF: ExEnableHandleTracing(x,x)+CFj
		mov	eax, 0C000009Ah
		jmp	loc_A05BD1
; 

loc_A05B28:				; CODE XREF: ExEnableHandleTracing(x,x)+BDj
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebx+4], esi
		xor	eax, eax
		xor	ecx, ecx
		inc	eax
		mov	[ebx], eax
		push	ecx
		push	eax
		mov	[ebx+0Ch], eax
		lea	eax, [ebx+18h]
		push	eax
		mov	[ebx+10h], ecx
		mov	[ebx+14h], ecx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		cmp	[ebp+var_8], 0
		jz	short loc_A05B5E
		or	byte ptr [edi+1Ch], 1

loc_A05B5E:				; CODE XREF: ExEnableHandleTracing(x,x)+114j
		mov	eax, large fs:124h
		mov	[ebp+var_8], eax
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [edi+24h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [edi+54h]
		mov	[edi+54h], ebx
		test	esi, esi
		jz	short loc_A05B8B
		test	byte ptr [esi+8], 8
		jnz	short loc_A05B91
		jmp	short loc_A05B98
; 

loc_A05B8B:				; CODE XREF: ExEnableHandleTracing(x,x)+13Dj
		test	byte ptr [edi+1Ch], 2
		jz	short loc_A05B98

loc_A05B91:				; CODE XREF: ExEnableHandleTracing(x,x)+143j
		mov	dword ptr [ebx+8], 8

loc_A05B98:				; CODE XREF: ExEnableHandleTracing(x,x)+145j
					; ExEnableHandleTracing(x,x)+14Bj
		or	byte ptr [edi+1Ch], 2
		lea	ebx, [edi+24h]
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A05BB3
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A05BB3:				; CODE XREF: ExEnableHandleTracing(x,x)+166j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_8]
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		test	esi, esi
		jz	short loc_A05BCF
		mov	edx, esi
		mov	ecx, edi
		call	_ExDereferenceHandleDebugInfo@8	; ExDereferenceHandleDebugInfo(x,x)

loc_A05BCF:				; CODE XREF: ExEnableHandleTracing(x,x)+180j
		xor	eax, eax

loc_A05BD1:				; CODE XREF: ExEnableHandleTracing(x,x)+A4j
					; ExEnableHandleTracing(x,x)+DFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExEnableHandleTracing@8 endp


;  S U B	R O U T	I N E 


; __stdcall ExQueryHandleExceptions(x)
_ExQueryHandleExceptions@4 proc	near	; CODE XREF: PAGE:0083E56Cp
		mov	al, [ecx+1Ch]
		shr	al, 1
		and	al, 1
		retn
_ExQueryHandleExceptions@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExQueryRaiseUMExceptionOnInvalidHandleClose(x)
_ExQueryRaiseUMExceptionOnInvalidHandleClose@4 proc near ; CODE	XREF: PAGE:0083EC82p
		mov	al, [ecx+1Ch]
		shr	al, 4
		and	al, 1
		retn
_ExQueryRaiseUMExceptionOnInvalidHandleClose@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExUnlockHandleTableEntry(x,	x)
_ExUnlockHandleTableEntry@8 proc near	; CODE XREF: ExDupHandleTable+154047p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	eax, eax
		inc	eax
		lock xadd [edx], eax
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		add	ecx, 20h
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ecx], edx
		jz	short locret_A05C0C
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

locret_A05C0C:				; CODE XREF: ExUnlockHandleTableEntry(x,x)+1Ej
		leave
		retn
_ExUnlockHandleTableEntry@8 endp


;  S U B	R O U T	I N E 


; __stdcall ExpGetHandleExtraInfo(x, x)
_ExpGetHandleExtraInfo@8 proc near	; CODE XREF: PAGE:00810157p
					; ExDupHandleTable+1540C3p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		and	edx, 0FFFFF803h
		shr	esi, 2
		push	edx
		and	esi, 1FFh
		call	ExpLookupHandleTableEntry
		test	eax, eax
		jz	short loc_A05C37
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_A05C37
		lea	eax, [eax+esi*8]
		pop	esi
		retn
; 

loc_A05C37:				; CODE XREF: ExpGetHandleExtraInfo(x,x)+1Cj
					; ExpGetHandleExtraInfo(x,x)+22j
		xor	eax, eax
		pop	esi
		retn
_ExpGetHandleExtraInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSetHandleExtraInfo(x, x,	x)
_ExpSetHandleExtraInfo@12 proc near	; CODE XREF: PAGE:00817487p
					; ExDupHandleTable+1540E5p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, edx
		and	edx, 0FFFFF803h
		push	edi
		shr	ebx, 2
		mov	edi, ecx
		push	edx
		and	ebx, 1FFh
		call	ExpLookupHandleTableEntry
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A05C69
		mov	eax, 0C0000001h
		jmp	short loc_A05CCF
; 

loc_A05C69:				; CODE XREF: ExpSetHandleExtraInfo(x,x,x)+25j
		mov	edx, [esi]
		test	edx, edx
		jnz	short loc_A05CBE
		mov	ecx, [edi+0Ch]
		mov	edx, 1000h
		call	_ExpAllocateTablePagedPool@8 ; ExpAllocateTablePagedPool(x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_A05CB7
		mov	ecx, edx
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jnz	short loc_A05C94
		lock inc dword ptr [edi+4]
		jmp	short loc_A05CB3
; 

loc_A05C94:				; CODE XREF: ExpSetHandleExtraInfo(x,x,x)+51j
		mov	edi, [edi+0Ch]
		push	6274624Fh
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jz	short loc_A05CB1
		push	1000h
		push	edi
		call	_PsReturnProcessPagedPoolQuota@8 ; PsReturnProcessPagedPoolQuota(x,x)

loc_A05CB1:				; CODE XREF: ExpSetHandleExtraInfo(x,x,x)+69j
		mov	edx, [esi]

loc_A05CB3:				; CODE XREF: ExpSetHandleExtraInfo(x,x,x)+57j
		test	edx, edx
		jnz	short loc_A05CBE

loc_A05CB7:				; CODE XREF: ExpSetHandleExtraInfo(x,x,x)+45j
		mov	eax, 0C000009Ah
		jmp	short loc_A05CCF
; 

loc_A05CBE:				; CODE XREF: ExpSetHandleExtraInfo(x,x,x)+32j
					; ExpSetHandleExtraInfo(x,x,x)+7Aj
		mov	ecx, [ebp+arg_0]
		mov	eax, [ecx]
		mov	[edx+ebx*8], eax
		mov	eax, [ecx+4]
		mov	[edx+ebx*8+4], eax
		xor	eax, eax

loc_A05CCF:				; CODE XREF: ExpSetHandleExtraInfo(x,x,x)+2Cj
					; ExpSetHandleExtraInfo(x,x,x)+81j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_ExpSetHandleExtraInfo@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSnapShotHandleTables(x, x, x, x,	x)
_ExpSnapShotHandleTables@20 proc near	; CODE XREF: ObGetHandleInformation(x,x,x)+26p
					; ObGetHandleInformationEx(x,x,x)+27p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, large fs:124h
		mov	[ebp+var_10], ecx
		xor	ecx, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edx
		cmp	[ebp+arg_8], cl
		mov	[ebp+var_18], ebx
		setnz	cl
		lea	ecx, ds:4[ecx*4]
		lea	eax, [ecx+edx]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_4]
		mov	[eax], ecx
		and	[edx], edi
		dec	word ptr [ebx+13Ch]
		nop
		xor	edx, edx
		mov	ecx, offset _HandleTableListLock
		call	ExAcquirePushLockSharedEx
		mov	eax, ds:_HandleTableListHead

loc_A05D28:				; CODE XREF: ExpSnapShotHandleTables(x,x,x,x,x)+FAj
		mov	[ebp+var_4], eax
		test	edi, edi
		jns	short loc_A05D3B
		cmp	edi, 0C0000004h
		jnz	loc_A05DD5

loc_A05D3B:				; CODE XREF: ExpSnapShotHandleTables(x,x,x,x,x)+57j
		cmp	eax, offset _HandleTableListHead
		jz	loc_A05DD5
		add	eax, 0FFFFFFF0h
		xor	esi, esi
		mov	dword ptr [ebp+arg_8], eax

loc_A05D4E:				; CODE XREF: ExpSnapShotHandleTables(x,x,x,x,x)+F3j
		test	edi, edi
		jns	short loc_A05D5A
		cmp	edi, 0C0000004h
		jnz	short loc_A05DCB

loc_A05D5A:				; CODE XREF: ExpSnapShotHandleTables(x,x,x,x,x)+7Aj
		push	esi
		mov	ecx, eax
		call	ExpLookupHandleTableEntry
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A05DCB
		test	esi, 7FCh
		jz	short loc_A05DC3
		cmp	dword ptr [ebx], 0
		jz	short loc_A05DC3
		mov	ecx, dword ptr [ebp+arg_8]
		mov	edx, ebx
		call	_ExLockHandleTableEntry@8 ; ExLockHandleTableEntry(x,x)
		test	al, al
		jz	short loc_A05DC3
		push	[ebp+arg_4]
		mov	eax, [ebp+var_8]
		push	[ebp+arg_0]
		push	esi
		inc	dword ptr [eax]
		mov	eax, dword ptr [ebp+arg_8]
		push	ebx
		push	dword ptr [eax+18h]
		lea	eax, [ebp+var_C]
		push	eax
		call	[ebp+var_10]
		xor	ecx, ecx
		mov	edi, eax
		inc	ecx
		lock xadd [ebx], ecx
		mov	eax, dword ptr [ebp+arg_8]
		lea	edx, [ebp+var_14]
		and	[ebp+var_14], 0
		xor	ebx, ebx
		lea	ecx, [eax+20h]
		lock or	[edx], ebx
		cmp	[ecx], ebx
		jz	short loc_A05DC6
		xor	edx, edx
		call	@ExfUnblockPushLock@8 ;	ExfUnblockPushLock(x,x)

loc_A05DC3:				; CODE XREF: ExpSnapShotHandleTables(x,x,x,x,x)+98j
					; ExpSnapShotHandleTables(x,x,x,x,x)+9Dj ...
		mov	eax, dword ptr [ebp+arg_8]

loc_A05DC6:				; CODE XREF: ExpSnapShotHandleTables(x,x,x,x,x)+E4j
		add	esi, 4
		jmp	short loc_A05D4E
; 

loc_A05DCB:				; CODE XREF: ExpSnapShotHandleTables(x,x,x,x,x)+82j
					; ExpSnapShotHandleTables(x,x,x,x,x)+90j
		mov	eax, [ebp+var_4]
		mov	eax, [eax]
		jmp	loc_A05D28
; 

loc_A05DD5:				; CODE XREF: ExpSnapShotHandleTables(x,x,x,x,x)+5Fj
					; ExpSnapShotHandleTables(x,x,x,x,x)+6Aj
		push	11h
		xor	edx, edx
		mov	ebx, offset _HandleTableListLock
		pop	eax
		lock cmpxchg [ebx], edx
		cmp	eax, 11h
		jz	short loc_A05DEF
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A05DEF:				; CODE XREF: ExpSnapShotHandleTables(x,x,x,x,x)+110j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, [ebp+var_18]
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_ExpSnapShotHandleTables@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpUpdateDebugInfo(x, x, x,	x)
_ExpUpdateDebugInfo@16 proc near	; CODE XREF: ExHandleLogBadReference+95076p
					; PAGE:00810118p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	20h
		push	offset dword_6AA480
		call	__SEH_prolog4
		mov	[ebp+var_28], edx
		mov	[ebp+var_2C], ecx
		call	_ExReferenceHandleDebugInfo@4 ;	ExReferenceHandleDebugInfo(x)
		mov	ebx, eax
		mov	[ebp+var_20], ebx
		test	ebx, ebx
		jz	loc_A05FC5
		mov	[ebp+var_19], 0
		mov	eax, [ebx+8]
		test	al, 3
		jz	short loc_A05E45
		lea	ecx, [ebx+0Ch]
		call	ExAcquireFastMutex
		mov	[ebp+var_19], 1
		mov	eax, [ebx+8]

loc_A05E45:				; CODE XREF: ExpUpdateDebugInfo(x,x,x,x)+2Dj
		test	al, 1
		jz	short loc_A05E73
		and	eax, 0BFFFFFFEh
		or	eax, 80000000h
		mov	[ebx+8], eax
		and	dword ptr [ebx+2Ch], 0
		imul	eax, [ebx+4], 50h
		add	eax, 30h
		push	eax		; size_t
		push	0		; int
		lea	eax, [ebx+30h]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebx+8]

loc_A05E73:				; CODE XREF: ExpUpdateDebugInfo(x,x,x,x)+40j
		test	al, 2
		jz	short loc_A05EF4
		cmp	[ebp+arg_4], 2
		jnz	short loc_A05EF4
		mov	edi, [ebx+2Ch]
		mov	esi, edi
		test	eax, 40000000h
		jz	short loc_A05E8C
		mov	esi, [ebx+4]

loc_A05E8C:				; CODE XREF: ExpUpdateDebugInfo(x,x,x,x)+80j
		xor	ecx, ecx
		inc	ecx
		cmp	esi, ecx
		jb	loc_A05FAD
		mov	eax, [ebx+4]
		mov	[ebp+arg_4], eax

loc_A05E9D:				; CODE XREF: ExpUpdateDebugInfo(x,x,x,x)+B8j
		mov	eax, ecx
		xor	edx, edx
		div	[ebp+arg_4]
		mov	eax, edx
		mov	[ebp+var_20], eax
		imul	eax, 50h
		cmp	dword ptr [eax+ebx+3Ch], 1
		jnz	short loc_A05EBC
		mov	edx, [ebp+arg_0]
		cmp	[eax+ebx+38h], edx
		jz	short loc_A05EC6

loc_A05EBC:				; CODE XREF: ExpUpdateDebugInfo(x,x,x,x)+AAj
		inc	ecx
		cmp	ecx, esi
		jbe	short loc_A05E9D
		jmp	loc_A05FAD
; 

loc_A05EC6:				; CODE XREF: ExpUpdateDebugInfo(x,x,x,x)+B3j
		lea	eax, [edi-1]
		mov	[ebx+2Ch], eax
		xor	edx, edx
		div	[ebp+arg_4]
		test	edx, edx
		jz	loc_A05FAD
		imul	eax, edx, 50h
		lea	esi, [ebx+30h]
		add	esi, eax
		imul	edi, [ebp+var_20], 50h
		add	edi, 30h
		add	edi, ebx
		push	14h
		pop	ecx
		rep movsd
		jmp	loc_A05FAD
; 

loc_A05EF4:				; CODE XREF: ExpUpdateDebugInfo(x,x,x,x)+6Ej
					; ExpUpdateDebugInfo(x,x,x,x)+74j
		xor	eax, eax
		inc	eax
		lock xadd [ebx+2Ch], eax
		inc	eax
		xor	edx, edx
		div	dword ptr [ebx+4]
		mov	[ebp+var_24], edx
		test	edx, edx
		jnz	short loc_A05F36
		mov	eax, [ebx+8]
		or	eax, 40000000h
		mov	[ebx+8], eax
		test	al, 4
		jz	short loc_A05F36
		and	[ebp+ms_exc.disabled], edx
		int	3		; Trap to Debugger
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A05F36
; 

loc_A05F25:				; DATA XREF: .text:006AA494o
		xor	eax, eax
		inc	eax
		retn
; 

loc_A05F29:				; DATA XREF: .text:006AA498o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_20]

loc_A05F36:				; CODE XREF: ExpUpdateDebugInfo(x,x,x,x)+100j
					; ExpUpdateDebugInfo(x,x,x,x)+10Fj ...
		imul	edi, [ebp+var_24], 50h
		add	edi, 30h
		add	edi, ebx
		mov	ecx, [ebp+var_28]
		mov	eax, [ecx+2ACh]
		mov	[edi], eax
		mov	eax, [ecx+2B0h]
		mov	[edi+4], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+8], eax
		mov	eax, [ebp+arg_4]
		mov	[edi+0Ch], eax
		push	300h
		push	10h
		lea	eax, [edi+10h]
		push	eax
		call	RtlWalkFrameChain
		mov	esi, eax
		cmp	esi, 3
		jbe	short loc_A05F7B
		sub	esi, 3
		jmp	short loc_A05F7D
; 

loc_A05F7B:				; CODE XREF: ExpUpdateDebugInfo(x,x,x,x)+16Dj
		xor	esi, esi

loc_A05F7D:				; CODE XREF: ExpUpdateDebugInfo(x,x,x,x)+172j
		push	1
		push	10h
		pop	eax
		sub	eax, esi
		push	eax
		lea	eax, [esi+4]
		lea	eax, [edi+eax*4]
		push	eax
		call	RtlWalkFrameChain
		lea	ecx, [esi+eax]
		shl	ecx, 2
		push	40h
		pop	eax
		sub	eax, ecx
		push	eax		; size_t
		push	0		; int
		lea	eax, [ecx+10h]
		add	eax, edi
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_A05FAD:				; CODE XREF: ExpUpdateDebugInfo(x,x,x,x)+8Aj
					; ExpUpdateDebugInfo(x,x,x,x)+BAj ...
		cmp	[ebp+var_19], 0
		jz	short loc_A05FBB
		lea	ecx, [ebx+0Ch]
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_A05FBB:				; CODE XREF: ExpUpdateDebugInfo(x,x,x,x)+1AAj
		mov	edx, ebx
		mov	ecx, [ebp+var_2C]
		call	_ExDereferenceHandleDebugInfo@8	; ExDereferenceHandleDebugInfo(x,x)

loc_A05FC5:				; CODE XREF: ExpUpdateDebugInfo(x,x,x,x)+1Ej
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_ExpUpdateDebugInfo@16 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 356. ExFetchLicenseData

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExFetchLicenseData(void	*,int,int)
		public ExFetchLicenseData
ExFetchLicenseData proc	near

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	10h
		push	offset dword_6AA510
		call	__SEH_prolog4
		and	[ebp+var_1C], 0
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, [eax+204h]
		mov	[ebp+var_20], esi
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jnz	short loc_A0600B
		mov	eax, 0C000000Dh
		jmp	loc_A06093
; 

loc_A0600B:				; CODE XREF: ExFetchLicenseData+23j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+5B80h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		and	[ebp+ms_exc.disabled], 0
		cmp	byte ptr [esi+5C10h], 0
		jz	short loc_A0603C

loc_A06033:				; CODE XREF: ExFetchLicenseData+70j
		mov	[ebp+var_1C], 0C00000E5h
		jmp	short loc_A06084
; 

loc_A0603C:				; CODE XREF: ExFetchLicenseData+55j
		mov	ecx, [esi+5B7Ch]
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_A0604A
		mov	ecx, eax

loc_A0604A:				; CODE XREF: ExFetchLicenseData+6Aj
		test	ecx, ecx
		jz	short loc_A06033
		mov	eax, [ecx]
		mov	[edi], eax
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_A0607D
		cmp	[ebp+arg_4], 0
		jz	short loc_A0607D
		mov	eax, [ecx]
		cmp	[ebp+arg_4], eax
		jb	short loc_A0607D
		push	eax		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	[ebp+arg_4], 14h
		jb	short loc_A06084
		and	dword ptr [edi+0Ch], 0FFFFFFFEh
		jmp	short loc_A06084
; 

loc_A0607D:				; CODE XREF: ExFetchLicenseData+7Bj
					; ExFetchLicenseData+81j ...
		mov	[ebp+var_1C], 0C0000023h

loc_A06084:				; CODE XREF: ExFetchLicenseData+5Ej
					; ExFetchLicenseData+99j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_A060A8
		mov	eax, [ebp+var_1C]

loc_A06093:				; CODE XREF: ExFetchLicenseData+2Aj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
ExFetchLicenseData endp


;  S U B	R O U T	I N E 


sub_A060A5	proc near		; DATA XREF: .text:006AA528o
		mov	esi, [ebp-20h]
sub_A060A5	endp


;  S U B	R O U T	I N E 


sub_A060A8	proc near		; CODE XREF: ExFetchLicenseData+AFp
		add	esi, 5B80h
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_A060C3
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A060C3:				; CODE XREF: sub_A060A8+12j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		retn
sub_A060A8	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 369. ExGetLicenseTamperState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExGetLicenseTamperState(x)
		public _ExGetLicenseTamperState@4
_ExGetLicenseTamperState@4 proc	near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_4], ebx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, [eax+204h]
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	edi, [esi+5B80h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_ExpGetLicenseTamperState@8 ; ExpGetLicenseTamperState(x,x)
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_A06125
		mov	bl, 1

loc_A06125:				; CODE XREF: ExGetLicenseTamperState(x)+45j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A0612E
		mov	[eax], ecx

loc_A0612E:				; CODE XREF: ExGetLicenseTamperState(x)+4Ej
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_A06143
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A06143:				; CODE XREF: ExGetLicenseTamperState(x)+5Ej
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	4
_ExGetLicenseTamperState@4 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 431. ExSetLicenseTamperState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExSetLicenseTamperState(x)
		public _ExSetLicenseTamperState@4
_ExSetLicenseTamperState@4 proc	near

var_3A		= byte ptr -3Ah
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		and	[esp+3Ch+var_38], 0
		push	ebx
		push	esi
		push	edi
		mov	[esp+48h+var_39], 1
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	esi, [ebp+arg_0]
		mov	ebx, [eax+204h]
		mov	[esp+48h+var_34], ebx
		test	esi, esi
		jz	loc_A06232
		cmp	esi, 3
		jz	loc_A06232
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	edi, [ebx+5B80h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		lea	edx, [esp+48h+var_38]
		mov	ecx, ebx
		call	_ExpGetLicenseTamperState@8 ; ExpGetLicenseTamperState(x,x)
		cmp	[esp+48h+var_38], 0
		mov	edx, esi
		mov	esi, [esp+48h+var_34]
		mov	ecx, esi
		setnz	bl
		dec	bl
		and	bl, [esp+48h+var_39]
		call	_ExpSetLicenseTamperState@8 ; ExpSetLicenseTamperState(x,x)
		push	30h		; size_t
		lea	eax, [esp+4Ch+var_30]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+48h+var_30]
		push	0
		push	20h
		push	eax
		push	esi
		call	ExpSetKernelDataProtection
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A06216
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A06216:				; CODE XREF: ExSetLicenseTamperState(x)+A9j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, bl
		jz	short loc_A06232
		call	sub_A06A0E

loc_A06232:				; CODE XREF: ExSetLicenseTamperState(x)+2Cj
					; ExSetLicenseTamperState(x)+35j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_ExSetLicenseTamperState@4 endp

; 
		align 10h
; Exported entry  28.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExUpdateOsPfnInRegistry(x, x, x, x)
		public _ExUpdateOsPfnInRegistry@16
_ExUpdateOsPfnInRegistry@16 proc near	; DATA XREF: ClipInitHandles()+23o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, 0C0000002h
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+204h]
		mov	eax, ds:dword_A93F0C
		test	eax, eax
		jz	short loc_A06270
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ecx
		call	eax
		mov	esi, eax

loc_A06270:				; CODE XREF: ExUpdateOsPfnInRegistry(x,x,x,x)+1Dj
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
_ExUpdateOsPfnInRegistry@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A06277	proc near		; CODE XREF: sub_6860F0+1Dp
					; PAGE:00A0671Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		push	4
		pop	edi
		xor	esi, esi
		mov	[eax], edi
		cmp	[ebp+arg_0], edi
		jnb	short loc_A06294
		mov	esi, 0C0000023h
		jmp	short loc_A062A3
; 

loc_A06294:				; CODE XREF: sub_A06277+14j
		test	ecx, ecx
		jz	short loc_A0629A
		mov	[ecx], edi

loc_A0629A:				; CODE XREF: sub_A06277+1Fj
		test	edx, edx
		jz	short loc_A062A3
		mov	ecx, [ebp+arg_8]
		mov	[edx], ecx

loc_A062A3:				; CODE XREF: sub_A06277+1Bj
					; sub_A06277+25j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
sub_A06277	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCloudbookHardwareIDProvider(x, x, x, x, x, x)
_ExpCloudbookHardwareIDProvider@24 proc	near ; DATA XREF: PAGE:00A46618o

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	edx, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_14]
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		push	9
		pop	ecx
		push	ebx		; int
		mov	[ebp+var_2C], eax
		lea	edi, [ebp+var_28]
		push	esi		; int
		push	[ebp+arg_C]	; int
		xor	eax, eax
		mov	[ebp+var_30], edx
		rep stosd
		mov	edi, [ebp+var_2C]
		push	edi		; void *
		push	edx		; int
		mov	edx, offset dword_A418A4
		call	ExpOsProductCacheProviderHelper
		cmp	eax, 0C0000023h
		jz	short loc_A0634E
		test	eax, eax
		jns	short loc_A0634E
		push	0
		push	24h
		lea	eax, [ebp+var_28]
		mov	dword ptr [esi], 20h
		push	eax
		push	0BEh
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_A0634B
		test	byte ptr [ebp+var_28], 4
		jz	short loc_A06346
		cmp	[ebp+arg_C], 20h
		jb	short loc_A0633F
		mov	eax, [ebp+var_30]
		mov	dword ptr [eax], 3
		lea	eax, [ebp+var_24]
		push	dword ptr [esi]	; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		jmp	short loc_A0634B
; 

loc_A0633F:				; CODE XREF: ExpCloudbookHardwareIDProvider(x,x,x,x,x,x)+76j
		mov	eax, 0C0000023h
		jmp	short loc_A0634B
; 

loc_A06346:				; CODE XREF: ExpCloudbookHardwareIDProvider(x,x,x,x,x,x)+70j
		mov	eax, 0C0000034h

loc_A0634B:				; CODE XREF: ExpCloudbookHardwareIDProvider(x,x,x,x,x,x)+6Aj
					; ExpCloudbookHardwareIDProvider(x,x,x,x,x,x)+92j ...
		mov	byte ptr [ebx],	1

loc_A0634E:				; CODE XREF: ExpCloudbookHardwareIDProvider(x,x,x,x,x,x)+4Aj
					; ExpCloudbookHardwareIDProvider(x,x,x,x,x,x)+4Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_ExpCloudbookHardwareIDProvider@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpConsumeAddonPolicySetCacheProvider(int,int,void *,int,int,int)
_ExpConsumeAddonPolicySetCacheProvider@24 proc near ; DATA XREF: PAGE:00A46604o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]	; int
		mov	eax, [ebp+arg_14]
		mov	edx, offset dword_A418D0
		push	[ebp+arg_C]	; int
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_8]	; void *
		mov	byte ptr [eax],	1
		push	[ebp+arg_4]	; int
		call	ExpQueryLicenseValueFromBlobHelper
		pop	ebp
		retn	18h
_ExpConsumeAddonPolicySetCacheProvider@24 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry  24.

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public ntoskrnl_24
ntoskrnl_24	proc near		; CODE XREF: ExInitLicenseData+84F2Dp
					; ExpLoadAndSortLicensingCacheDescriptors+84AA9p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, _EtwKernelProvRegHandle
		mov	eax, ecx
		mov	edx, dword_6BC12C
		or	eax, edx
		jz	short loc_A063B2
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_A063B2:				; CODE XREF: ntoskrnl_24+15j
		pop	ebp
		retn	4
ntoskrnl_24	endp

; 
unk_A063B6	db  8Bh	; 		; DATA XREF: PAGE:00A46564o
		db 0FFh
; 
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A4h
		and	dword ptr [esp+0Ch], 0
		lea	eax, [esp+14h]
		push	ebx
		push	esi
		push	edi
		push	30h
		push	0
		push	eax
		call	_memset
		mov	ebx, [ebp+8]
		xor	eax, eax
		add	esp, 0Ch
		mov	[esp+10h], eax
		mov	[esp+14h], eax
		cmp	[ebx], eax
		jnz	loc_A0669D
		cmp	[ebx+5B7Ch], eax
		jz	loc_A06699
		lea	edi, [ebx+5C28h]
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockSharedEx
		mov	esi, [ebx+5C24h]
		test	esi, esi
		push	11h
		setz	byte ptr [esp+13h]
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [edi], ecx
		cmp	eax, 11h
		jz	short loc_A0642F
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A0642F:				; CODE XREF: PAGE:00A06426j
		mov	ecx, edi
		call	KeAbPostRelease
		test	esi, esi
		jz	loc_A064CB

loc_A0643E:				; DATA XREF: CmpCheckValueList(x,x,x,x,x,x,x,x,x,x)+3D5o
		lea	eax, [esp+20h]
		push	eax
		push	ebx
		call	ExpGetKernelDataProtection
		test	eax, eax
		js	loc_A064D7
		mov	eax, [esp+30h]
		mov	ecx, [esp+34h]
		test	eax, eax
		jnz	short loc_A06461
		test	ecx, ecx
		jz	short loc_A064D7

loc_A06461:				; CODE XREF: PAGE:00A0645Bj
		mov	edx, [ebx+5C2Ch]
		mov	esi, 0DBBA0h
		cmp	edx, esi
		jnb	short loc_A06472
		mov	esi, edx

loc_A06472:				; CODE XREF: PAGE:00A0646Ej
		xor	edx, edx
		add	esi, eax
		adc	edx, ecx
		mov	[esp+1Ch], edx
		cmp	edx, ecx
		jl	short loc_A064D7
		jg	short loc_A06486
		cmp	esi, eax
		jb	short loc_A064D7

loc_A06486:				; CODE XREF: PAGE:00A06480j
		lea	eax, [esp+10h]
		push	eax
		call	KeQueryTickCount
		mov	al, [esp+0Fh]
		mov	[esp+0Fh], al
		call	_KeQueryTimeIncrement@0	; KeQueryTimeIncrement()
		push	dword ptr [esp+14h]
		push	dword ptr [esp+14h]
		push	0
		push	eax
		call	__allmul
		push	0
		push	2710h
		push	edx
		push	eax
		call	__alldiv
		cmp	[esp+1Ch], edx
		jg	short loc_A064CB
		jl	short loc_A064C7
		cmp	esi, eax
		ja	short loc_A064CB

loc_A064C7:				; CODE XREF: PAGE:00A064C1j
		mov	al, 1
		jmp	short loc_A064CF
; 

loc_A064CB:				; CODE XREF: PAGE:00A06438j
					; PAGE:00A064BFj ...
		mov	al, [esp+0Fh]

loc_A064CF:				; CODE XREF: PAGE:00A064C9j
		test	al, al
		jz	loc_A06697

loc_A064D7:				; CODE XREF: PAGE:00A0644Bj
					; PAGE:00A0645Fj ...
		push	30h
		lea	eax, [esp+84h]
		push	0
		push	eax
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+50h]
		push	30h
		push	0
		push	eax
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		mov	[esp+10h], eax
		mov	[esp+14h], eax
		cmp	[ebx], eax
		jnz	loc_A0669D
		cmp	[ebx+5B7Ch], eax
		jz	loc_A06699
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	esi, [ebx+5C24h]
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A0653D
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A0653D:				; CODE XREF: PAGE:00A06534j
		mov	ecx, edi
		call	KeAbPostRelease
		test	esi, esi
		jnz	short loc_A06557
		push	5
		pop	edx
		mov	ecx, ebx
		call	_ExpSetLicenseTamperState@8 ; ExpSetLicenseTamperState(x,x)
		jmp	loc_A06697
; 

loc_A06557:				; CODE XREF: PAGE:00A06546j
		mov	ecx, [ebx+5B7Ch]
		lea	edi, [ebx+0Ch]
		and	dword ptr [esp+2Ch], 0
		xor	eax, eax
		and	dword ptr [esp+49h], 0
		mov	edx, [ebx+5B74h]
		mov	[esp+4Dh], ax
		mov	[esp+4Fh], al
		push	4
		pop	esi
		test	ecx, ecx
		jz	loc_A06618
		test	edx, edx
		jz	short loc_A06592
		test	edi, edi
		jz	loc_A06699

loc_A06592:				; CODE XREF: PAGE:00A06588j
		mov	[esp+20h], eax
		add	ecx, 14h
		mov	[esp+24h], eax
		mov	[esp+30h], eax
		mov	[esp+34h], eax
		mov	[esp+38h], eax
		mov	[esp+3Ch], eax
		mov	[esp+40h], eax
		mov	[esp+44h], eax
		lea	eax, [esp+20h]
		push	eax
		mov	[esp+2Ch], esi
		mov	byte ptr [esp+4Ch], 1
		call	_ExpLicUpdateChecksum@12 ; ExpLicUpdateChecksum(x,x,x)
		test	eax, eax
		jnz	short loc_A065F6
		test	edx, edx
		jz	short loc_A065F2
		push	8
		pop	ecx
		mov	eax, edx
		mul	ecx
		lea	ecx, [esp+1Ch]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		jnz	short loc_A065F6
		lea	eax, [esp+20h]
		mov	ecx, edi
		push	eax
		call	_ExpLicUpdateChecksum@12 ; ExpLicUpdateChecksum(x,x,x)

loc_A065F2:				; CODE XREF: PAGE:00A065CEj
		test	eax, eax
		jz	short loc_A06604

loc_A065F6:				; CODE XREF: PAGE:00A065CAj
					; PAGE:00A065E4j
		and	dword ptr [esp+20h], 0
		and	dword ptr [esp+24h], 0
		mov	[esp+28h], esi

loc_A06604:				; CODE XREF: PAGE:00A065F4j
		push	0Ch
		pop	ecx
		lea	esi, [esp+20h]
		xor	eax, eax
		lea	edi, [esp+50h]
		rep movsd
		push	4
		pop	esi
		jmp	short loc_A0661D
; 

loc_A06618:				; CODE XREF: PAGE:00A06580j
		mov	eax, 0C000000Dh

loc_A0661D:				; CODE XREF: PAGE:00A06616j
		test	eax, eax
		jnz	short loc_A06697
		lea	eax, [esp+80h]
		push	eax
		push	ebx
		call	ExpGetKernelDataProtection
		test	eax, eax
		js	short loc_A06697
		mov	eax, [esp+80h]
		cmp	eax, [esp+50h]
		jnz	short loc_A0664D
		mov	eax, [esp+84h]
		cmp	eax, [esp+54h]
		jz	short loc_A06654

loc_A0664D:				; CODE XREF: PAGE:00A0663Ej
		push	6
		mov	[esp+5Ch], esi
		pop	esi

loc_A06654:				; CODE XREF: PAGE:00A0664Bj
		lea	eax, [esp+10h]
		push	eax
		call	KeQueryTickCount
		call	_KeQueryTimeIncrement@0	; KeQueryTimeIncrement()
		push	dword ptr [esp+14h]
		push	dword ptr [esp+14h]
		push	0
		push	eax
		call	__allmul
		push	0
		push	2710h
		push	edx
		push	eax
		call	__alldiv
		push	0
		mov	[esp+64h], eax
		lea	eax, [esp+54h]
		push	esi
		push	eax
		push	ebx
		mov	[esp+74h], edx
		call	ExpSetKernelDataProtection

loc_A06697:				; CODE XREF: PAGE:00A064D1j
					; PAGE:00A06552j ...
		xor	eax, eax

loc_A06699:				; CODE XREF: PAGE:00A063F8j
					; PAGE:00A06514j ...
		cmp	[ebx], eax
		jz	short loc_A066EF

loc_A0669D:				; CODE XREF: PAGE:00A063ECj
					; PAGE:00A06508j
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		push	0
		push	989680h
		push	edx
		push	eax
		call	__aulldiv
		test	edx, edx
		jb	short loc_A066EF
		ja	short loc_A066BF
		cmp	eax, 2A30h
		jbe	short loc_A066EF

loc_A066BF:				; CODE XREF: PAGE:00A066B6j
		push	2
		pop	edx
		mov	ecx, ebx
		call	_ExpSetLicenseTamperState@8 ; ExpSetLicenseTamperState(x,x)
		push	30h
		lea	eax, [esp+84h]
		push	0
		push	eax
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+80h]
		push	0
		push	20h
		push	eax
		push	ebx
		call	ExpSetKernelDataProtection

loc_A066EF:				; CODE XREF: PAGE:00A0669Bj
					; PAGE:00A066B4j ...
		lea	edx, [esp+18h]
		mov	ecx, ebx
		call	_ExpGetLicenseTamperState@8 ; ExpGetLicenseTamperState(x,x)
		cmp	dword ptr [esp+18h], 0
		mov	eax, [ebp+1Ch]
		jnz	short loc_A0670E
		mov	ecx, 0C0000034h
		mov	byte ptr [eax],	0
		jmp	short loc_A06726
; 

loc_A0670E:				; CODE XREF: PAGE:00A06702j
		mov	ecx, [ebp+0Ch]
		mov	edx, [ebp+10h]
		push	0
		push	dword ptr [ebp+18h]
		mov	byte ptr [eax],	1
		push	dword ptr [ebp+14h]
		call	sub_A06277
		mov	ecx, eax

loc_A06726:				; CODE XREF: PAGE:00A0670Cj
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGenuinePolicyPostProcess(x, x, x, x, x, x)
_ExpGenuinePolicyPostProcess@24	proc near ; DATA XREF: PAGE:00A46568o

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_14]
		mov	edx, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	[ebp+var_28], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	byte ptr [ecx],	0
		stosd
		xor	esi, esi
		and	[ebp+var_24], esi
		and	[ebp+var_20], esi
		and	[ebp+var_1C], esi
		stosd
		mov	[ebp+var_34], edx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_30], 4
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		cmp	[eax], esi
		jz	short loc_A0679F
		mov	ecx, [ebp+var_28]
		push	2
		push	edx
		push	[ebp+arg_C]
		mov	edx, ebx
		call	sub_A06277
		mov	esi, eax
		mov	eax, [ebp+var_2C]
		mov	byte ptr [eax],	1
		jmp	loc_A068D8
; 

loc_A0679F:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+4Fj
		xor	ecx, ecx
		inc	ecx
		test	ebx, ebx
		jz	short loc_A067C8
		mov	eax, [ebp+arg_C]
		sub	eax, ecx
		jz	short loc_A067BF
		sub	eax, ecx
		jz	short loc_A067BA
		cmp	[ebx], ecx
		jnz	short loc_A067C8
		jmp	loc_A068D8
; 

loc_A067BA:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+7Ej
		cmp	[ebx], cx
		jmp	short loc_A067C2
; 

loc_A067BF:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+7Aj
		cmp	byte ptr [ebx],	1

loc_A067C2:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+8Cj
		jz	loc_A068D8

loc_A067C8:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+73j
					; ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+82j
		lea	eax, [ebp+var_30]
		push	eax
		push	4
		lea	eax, [ebp+var_20]
		push	eax
		push	0
		push	offset dword_A418B4
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A067EE
		cmp	[ebp+var_20], 1
		jz	loc_A068D8

loc_A067EE:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+B1j
		mov	eax, ds:dword_A93EA4
		test	eax, eax
		jz	short loc_A06801
		lea	ecx, [ebp+var_24]
		push	ecx
		call	eax
		mov	esi, eax
		jmp	short loc_A06806
; 

loc_A06801:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+C4j
		mov	esi, 0C00000BBh

loc_A06806:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+CEj
		test	esi, esi
		js	loc_A068D8
		cmp	ds:dword_A93E84, edi
		jz	loc_A068A3
		lea	eax, [ebp-15h]
		mov	edx, (offset loc_A419FB+1)
		push	eax		; int
		lea	eax, [ebp+var_1C]
		push	eax		; int
		xor	eax, eax
		push	eax		; int
		push	eax		; void *
		push	eax		; int
		call	ExpOsProductCacheProviderHelper
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_A06872
		push	20534C53h
		push	[ebp+var_1C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A06858
		add	esi, 0FFFFFFF4h
		jmp	loc_A068D8
; 

loc_A06858:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+11Dj
		lea	eax, [ebp-15h]
		mov	edx, (offset loc_A419FB+1)
		push	eax		; int
		lea	eax, [ebp+var_1C]
		push	eax		; int
		push	[ebp+var_1C]	; int
		push	edi		; void *
		push	0		; int
		call	ExpOsProductCacheProviderHelper
		mov	esi, eax

loc_A06872:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+108j
		test	esi, esi
		js	short loc_A068CC
		lea	eax, [ebp+var_14]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	edi
		push	3
		call	ds:dword_A93E84
		mov	esi, eax
		test	esi, esi
		js	short loc_A06899
		test	byte ptr [ebp+var_14], 40h
		jz	short loc_A06899

loc_A06895:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+170j
		xor	esi, esi
		jmp	short loc_A068AC
; 

loc_A06899:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+15Cj
					; ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+162j
		cmp	esi, 0C0000272h
		jnz	short loc_A068A8
		jmp	short loc_A06895
; 

loc_A068A3:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+E3j
		mov	esi, 0C00000BBh

loc_A068A8:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+16Ej
		test	esi, esi
		js	short loc_A068CC

loc_A068AC:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+166j
		cmp	[ebp+var_24], 0
		jnz	short loc_A068CC
		mov	ecx, [ebp+var_28]
		mov	edx, ebx
		push	2
		push	[ebp+var_34]
		push	[ebp+arg_C]
		call	sub_A06277
		mov	esi, eax
		mov	eax, [ebp+var_2C]
		mov	byte ptr [eax],	1

loc_A068CC:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+143j
					; ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+179j ...
		test	edi, edi
		jz	short loc_A068D8
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A068D8:				; CODE XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+69j
					; ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+84j	...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_ExpGenuinePolicyPostProcess@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpOsProductContentIdCacheProvider(int,int,void	*,int,int,int)
_ExpOsProductContentIdCacheProvider@24 proc near ; DATA	XREF: PAGE:00A465DCo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]	; int
		mov	edx, (offset loc_A419F3+1)
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_4]	; int
		call	ExpOsProductCacheProviderHelper
		pop	ebp
		retn	18h
_ExpOsProductContentIdCacheProvider@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpOsProductPfnCacheProvider(int,int,void *,int,int,int)
_ExpOsProductPfnCacheProvider@24 proc near ; DATA XREF:	PAGE:00A465C8o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_14]	; int
		mov	edx, (offset loc_A419FB+1)
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_4]	; int
		call	ExpOsProductCacheProviderHelper
		pop	ebp
		retn	18h
_ExpOsProductPfnCacheProvider@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A0692F	proc near		; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+91Cp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

		push	18h
		push	offset dword_6AA4F0
		call	__SEH_prolog4
		mov	esi, ecx
		mov	[ebp+var_28], esi
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_19], bl
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+5B80h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		cmp	[esi+5B7Ch], ebx
		jz	short loc_A069AF
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset dword_A415C8
		push	20006h
		lea	eax, [ebp+var_20]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		js	short loc_A069AF
		mov	[ebp+var_19], 1
		mov	eax, [esi+5B7Ch]
		push	dword ptr [eax]
		push	eax
		push	3
		push	ebx
		push	(offset	loc_A41A03+1)
		push	[ebp+var_20]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	[ebp+var_24], eax

loc_A069AF:				; CODE XREF: sub_A0692F+40j
					; sub_A0692F+5Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_A069DF
		cmp	[ebp+var_19], 1
		jnz	short loc_A069C9
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)

loc_A069C9:				; CODE XREF: sub_A0692F+90j
		mov	eax, [ebp+var_24]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
sub_A0692F	endp


;  S U B	R O U T	I N E 


sub_A069DC	proc near		; DATA XREF: .text:006AA508o
		mov	esi, [ebp-28h]
sub_A069DC	endp


;  S U B	R O U T	I N E 


sub_A069DF	proc near		; CODE XREF: sub_A0692F+87p
		add	esi, 5B80h
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_A069FA
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A069FA:				; CODE XREF: sub_A069DF+12j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		retn
sub_A069DF	endp


;  S U B	R O U T	I N E 


sub_A06A0E	proc near		; CODE XREF: ExSetLicenseTamperState(x)+C9p
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+204h]
		mov	eax, ds:dword_A93F14
		test	eax, eax
		jz	short locret_A06A25
		push	ecx
		call	eax

locret_A06A25:				; CODE XREF: sub_A06A0E+12j
		retn
sub_A06A0E	endp

; 
unk_A06A26	db  8Bh	; 		; DATA XREF: PAGE:00A46550o
		db 0FFh
; 
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+1Ch]
		xor	edx, edx
		push	10h
		pop	ecx
		mov	byte ptr [eax],	1
		mov	eax, [ebp+18h]
		mov	[eax], ecx
		cmp	[ebp+14h], ecx
		jnb	short loc_A06A47
		mov	edx, 0C0000023h
		jmp	short loc_A06A6C
; 

loc_A06A47:				; CODE XREF: PAGE:00A06A3Ej
		mov	eax, [ebp+0Ch]
		test	eax, eax
		jz	short loc_A06A54
		mov	dword ptr [eax], 3

loc_A06A54:				; CODE XREF: PAGE:00A06A4Cj
		push	edi
		mov	edi, [ebp+10h]
		test	edi, edi
		jz	short loc_A06A6B
		push	esi
		mov	esi, [ebp+8]
		lea	esi, [esi+5C11h]
		movsd
		movsd
		movsd
		movsd
		pop	esi

loc_A06A6B:				; CODE XREF: PAGE:00A06A5Aj
		pop	edi

loc_A06A6C:				; CODE XREF: PAGE:00A06A45j
		mov	eax, edx
		pop	ebp
		retn	18h
; 
unk_A06A72	db  8Bh	; 		; DATA XREF: PAGE:00A4658Co
		db 0FFh
; 
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+8]
		lea	edx, [ebp-4]
		and	dword ptr [ebp-4], 0
		call	_ExpGetLicenseTamperState@8 ; ExpGetLicenseTamperState(x,x)
		cmp	dword ptr [ebp-4], 0
		mov	eax, [ebp+1Ch]
		jnz	short loc_A06A9A
		mov	ecx, 0C0000034h
		mov	byte ptr [eax],	0
		jmp	short loc_A06AB2
; 

loc_A06A9A:				; CODE XREF: PAGE:00A06A8Ej
		mov	ecx, [ebp+0Ch]
		mov	edx, [ebp+10h]
		push	0
		push	dword ptr [ebp+18h]
		mov	byte ptr [eax],	1
		push	dword ptr [ebp+14h]
		call	sub_A06277
		mov	ecx, eax

loc_A06AB2:				; CODE XREF: PAGE:00A06A98j
		mov	eax, ecx
		leave
		retn	18h
; 

loc_A06AB8:				; DATA XREF: PAGE:00A46578o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+8]
		lea	edx, [ebp-4]
		and	dword ptr [ebp-4], 0
		call	_ExpGetLicenseTamperState@8 ; ExpGetLicenseTamperState(x,x)
		cmp	dword ptr [ebp-4], 0
		mov	eax, [ebp+1Ch]
		jnz	short loc_A06AE0
		mov	ecx, 0C0000034h
		mov	byte ptr [eax],	0
		jmp	short loc_A06AF8
; 

loc_A06AE0:				; CODE XREF: PAGE:00A06AD4j
		mov	ecx, [ebp+0Ch]
		mov	edx, [ebp+10h]
		push	4
		push	dword ptr [ebp+18h]
		mov	byte ptr [eax],	1
		push	dword ptr [ebp+14h]
		call	sub_A06277
		mov	ecx, eax

loc_A06AF8:				; CODE XREF: PAGE:00A06ADEj
		mov	eax, ecx
		leave
		retn	18h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SLGetSubscriptionPfn(x, x)
_SLGetSubscriptionPfn@8	proc near	; CODE XREF: SLQueryLicenseValueInternal+84DF7p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h

; FUNCTION CHUNK AT 00A06C53 SIZE 00000083 BYTES

		push	38h
		push	offset dword_6AA4A0
		call	__SEH_prolog4
		mov	[ebp+var_34], edx
		mov	esi, ecx
		mov	[ebp+var_30], esi
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ebx
		mov	edi, ebx
		mov	[ebp+var_28], ebx
		cmp	[esi+5B88h], bl
		jnz	loc_A06C53
		lea	eax, [ebp+var_28]
		push	eax		; int
		push	ebx		; int
		push	ebx		; void *
		push	ebx		; int
		mov	edx, offset dword_A418C0
		call	ExpQueryLicenseValueFromBlobHelper
		mov	[ebp+var_20], eax
		cmp	eax, 0C0000023h
		jnz	short loc_A06B8D
		push	20534C53h
		mov	eax, [ebp+var_28]
		mov	[ebp+var_2C], eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		jz	loc_A06C19
		mov	eax, [ebp+var_2C]
		cmp	eax, 82h
		ja	loc_A06C19
		lea	ecx, [ebp+var_28]
		push	ecx		; int
		push	eax		; int
		push	edi		; void *
		push	ebx		; int
		mov	edx, offset dword_A418C0
		mov	ecx, esi
		call	ExpQueryLicenseValueFromBlobHelper
		mov	[ebp+var_20], eax
		mov	edi, [ebp+var_2C]

loc_A06B8D:				; CODE XREF: SLGetSubscriptionPfn(x,x)+46j
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+5B80h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		cmp	byte ptr [esi+5B88h], 0
		jnz	short loc_A06BE3
		cmp	[ebp+var_20], 0
		jl	short loc_A06BD3
		push	edi		; size_t
		push	[ebp+var_24]	; void *
		lea	eax, [esi+5B8Ah]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	[ebp+var_20], 0
		jge	short loc_A06BDC

loc_A06BD3:				; CODE XREF: SLGetSubscriptionPfn(x,x)+BAj
		cmp	[ebp+var_20], 0C0000034h
		jnz	short loc_A06BE3

loc_A06BDC:				; CODE XREF: SLGetSubscriptionPfn(x,x)+D3j
		mov	byte ptr [esi+5B88h], 1

loc_A06BE3:				; CODE XREF: SLGetSubscriptionPfn(x,x)+B4j
					; SLGetSubscriptionPfn(x,x)+DCj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_A06C25

loc_A06BEF:				; CODE XREF: SLGetSubscriptionPfn(x,x)+1D3j
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+var_34]
		mov	[eax], ecx
		mov	edi, ebx
		mov	esi, [ebp+var_20]

loc_A06BFC:				; CODE XREF: SLGetSubscriptionPfn(x,x)+120j
					; SLGetSubscriptionPfn(x,x)+1B5j
		test	edi, edi
		jz	short loc_A06C07
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A06C07:				; CODE XREF: SLGetSubscriptionPfn(x,x)+100j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A06C19:				; CODE XREF: SLGetSubscriptionPfn(x,x)+62j
					; SLGetSubscriptionPfn(x,x)+70j
		mov	esi, 0C00000E5h
		jmp	short loc_A06BFC
_SLGetSubscriptionPfn@8	endp


;  S U B	R O U T	I N E 


sub_A06C20	proc near		; DATA XREF: .text:006AA4B8o
		xor	ebx, ebx
		mov	esi, [ebp-30h]
sub_A06C20	endp


;  S U B	R O U T	I N E 


sub_A06C25	proc near		; CODE XREF: SLGetSubscriptionPfn(x,x)+ECp
		add	esi, 5B80h
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A06C3F
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A06C3F:				; CODE XREF: sub_A06C25+11j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		retn
sub_A06C25	endp

; 
; START	OF FUNCTION CHUNK FOR _SLGetSubscriptionPfn@8

loc_A06C53:				; CODE XREF: SLGetSubscriptionPfn(x,x)+27j
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	ecx, [esi+5B80h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		cmp	byte ptr [esi+5B88h], 0
		jz	short loc_A06CC5
		push	20534C53h
		push	82h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		jnz	short loc_A06CB8
		mov	esi, 0C00000E5h
		mov	[ebp+var_20], esi
		push	0FFFFFFFEh
		lea	eax, [ebp+ms_exc.prev_er]
		push	eax
		push	offset ___security_cookie
		call	__local_unwind4
		add	esp, 0Ch
		jmp	loc_A06BFC
; 

loc_A06CB8:				; CODE XREF: SLGetSubscriptionPfn(x,x)+198j
		add	esi, 5B8Ah
		push	20h
		pop	ecx
		rep movsd
		movsw

loc_A06CC5:				; CODE XREF: SLGetSubscriptionPfn(x,x)+17Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_A06CD8
		jmp	loc_A06BEF
; END OF FUNCTION CHUNK	FOR _SLGetSubscriptionPfn@8

;  S U B	R O U T	I N E 


sub_A06CD6	proc near		; DATA XREF: .text:006AA4C4o
		xor	ebx, ebx
sub_A06CD6	endp


;  S U B	R O U T	I N E 


sub_A06CD8	proc near		; CODE XREF: SLGetSubscriptionPfn(x,x)+1CEp
		mov	esi, [ebp-30h]
		add	esi, 5B80h
		mov	[ebp-2Ch], esi
		push	11h
		pop	edx
		mov	[ebp-38h], edx
		mov	[ebp-3Ch], edx
		mov	[ebp-40h], ebx
		xor	ecx, ecx
		mov	eax, edx
		lock cmpxchg [esi], ecx
		mov	[ebp-44h], eax
		cmp	eax, edx
		jnz	short loc_A06D05
		mov	byte ptr [ebp-19h], 1
		jmp	short loc_A06D0F
; 

loc_A06D05:				; CODE XREF: sub_A06CD8+25j
		mov	[ebp-19h], bl
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A06D0F:				; CODE XREF: sub_A06CD8+2Bj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		mov	[ebp-48h], ecx
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		retn
sub_A06CD8	endp


;  S U B	R O U T	I N E 


; __stdcall SLSendPolicyChangeNotifications(x)
_SLSendPolicyChangeNotifications@4 proc	near
					; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+39Dp
					; SLUpdateLicenseDataInternal(x,x,x)+937p ...
		mov	edi, edi
		push	ecx
		mov	eax, [ecx+5B84h]
		test	eax, eax
		jz	short loc_A06D3D
		push	0
		push	0
		push	eax
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)

loc_A06D3D:				; CODE XREF: SLSendPolicyChangeNotifications(x)+Bj
		pop	ecx
		retn
_SLSendPolicyChangeNotifications@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SLUpdateLicenseDataInternal(x, x, x)
_SLUpdateLicenseDataInternal@12	proc near ; CODE XREF: ExUpdateLicenseData+15A0B6p
					; ExInitLicenseData+84F3Cp

var_104		= dword	ptr -104h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_A4		= dword	ptr -0A4h
Source2		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= byte ptr -74h
var_73		= dword	ptr -73h
var_6F		= word ptr -6Fh
var_6D		= byte ptr -6Dh
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
Length		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_23		= byte ptr -23h
var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= byte ptr -20h
var_1F		= byte ptr -1Fh
var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00A070A7 SIZE 00000430 BYTES
; FUNCTION CHUNK AT 00A07522 SIZE 000002D6 BYTES

		push	0F4h
		push	offset dword_6AA4C8
		call	__SEH_prolog4
		mov	[ebp+Length], edx
		mov	esi, ecx
		mov	[ebp+var_28], esi
		mov	[ebp+var_B8], esi
		xor	ebx, ebx
		mov	[ebp+var_23], bl
		mov	[ebp+var_1E], bl
		mov	[ebp+var_1D], bl
		mov	[ebp+var_1F], bl
		mov	al, bl
		mov	[ebp+var_20], al
		mov	[ebp+var_24], al
		mov	[ebp+var_21], al
		mov	[ebp+var_60], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_D0]
		rep stosd
		mov	[ebp+var_B4], ebx
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_30], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_48], ebx
		mov	[ebp+var_50], eax
		mov	[ebp+var_34], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_64], ebx
		push	30h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_104]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	loc_A07698
		mov	eax, [ebp+Length]
		add	eax, 0FFFFFFE7h
		cmp	eax, 13FE7h
		ja	loc_A07698
		test	cl, 3
		jnz	loc_A07698
		mov	edx, [ecx]
		mov	edi, 14000h
		cmp	edx, edi
		ja	loc_A07691
		mov	eax, [ecx+4]
		cmp	eax, edi
		ja	loc_A07691
		mov	edi, [ecx+8]
		cmp	edi, 14000h
		ja	loc_A07691
		lea	ebx, [ecx+14h]
		mov	[ebp+Source2], ebx
		lea	ebx, [ecx+14h]
		add	ebx, eax
		mov	[ebp+var_A4], ebx
		test	bl, 3
		push	0
		pop	ebx
		jnz	loc_A07698
		add	eax, 14h
		add	eax, edi
		cmp	eax, edx
		jnz	loc_A07698
		cmp	edx, [ebp+Length]
		jnz	loc_A07698
		cmp	dword ptr [ecx+10h], 1
		jnz	loc_A07698
		mov	edi, ebx
		mov	[ebp+var_5C], edi
		mov	[esi+5B88h], bl
		mov	[ebp+ms_exc.disabled], ebx
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	ecx, [esi+5B80h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		cmp	[esi], ebx
		jz	short loc_A06E76
		mov	[ebp+var_1D], 1
		jmp	short loc_A06E7E
; 

loc_A06E76:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+12Fj
		mov	al, 1
		mov	[ebp+var_20], al
		mov	[ebp+var_24], al

loc_A06E7E:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+135j
		call	_ExpReducedLicenseData@0 ; ExpReducedLicenseData()
		test	al, al
		mov	al, [ebp+var_1D]
		jz	short loc_A06E9B
		test	al, al
		jnz	short loc_A06EAF
		mov	edi, 0C0000001h

loc_A06E93:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+16Ej
		mov	[ebp+var_5C], edi
		jmp	loc_A06F37
; 

loc_A06E9B:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+149j
		test	al, al
		jnz	short loc_A06EAF
		mov	edx, [ebp+arg_0]
		test	byte ptr [edx+0Ch], 1
		jz	short loc_A06EB2
		mov	edi, 0C000000Dh
		jmp	short loc_A06E93
; 

loc_A06EAF:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+14Dj
					; SLUpdateLicenseDataInternal(x,x,x)+15Ej
		mov	edx, [ebp+arg_0]

loc_A06EB2:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+167j
		mov	[ebp+var_23], bl
		test	al, al
		jnz	short loc_A06F37
		mov	ecx, [esi+5B7Ch]
		test	ecx, ecx
		jz	short loc_A06F37
		cmp	[esi+5C10h], al
		jnz	short loc_A06F37
		mov	eax, [edx]
		cmp	eax, [ecx]
		jnz	short loc_A06F37
		mov	eax, [edx+4]
		mov	[ebp+Length], eax
		cmp	eax, [ecx+4]
		jnz	short loc_A06F37
		mov	eax, [edx+8]
		cmp	eax, [ecx+8]
		jnz	short loc_A06F37
		mov	eax, [edx+0Ch]
		cmp	eax, [ecx+0Ch]
		jnz	short loc_A06F37
		mov	eax, [edx+10h]
		cmp	eax, [ecx+10h]
		jnz	short loc_A06F37
		push	[ebp+Length]	; Length
		push	[ebp+Source2]	; Source2
		lea	eax, [ecx+14h]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		mov	edx, [ebp+arg_0]
		cmp	eax, [edx+4]
		jnz	short loc_A06F37
		mov	ecx, [esi+5B7Ch]
		push	dword ptr [edx+8] ; Length
		push	[ebp+var_A4]	; Source2
		mov	eax, [ecx+4]
		add	ecx, 14h
		add	eax, ecx
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		mov	ecx, [ebp+arg_0]
		cmp	eax, [ecx+8]
		jnz	short loc_A06F37
		mov	[ebp+var_23], 1

loc_A06F37:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+157j
					; SLUpdateLicenseDataInternal(x,x,x)+178j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_A0707D
		test	edi, edi
		js	loc_A0769D
		cmp	[ebp+var_23], 1
		jnz	loc_A070EB
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	ecx, [esi+5B80h]
		xor	edx, edx
		call	ExAcquirePushLockExclusiveEx
		lea	edx, [ebp+var_44]
		mov	ecx, esi
		call	_ExpGetLicenseTamperState@8 ; ExpGetLicenseTamperState(x,x)
		cmp	[ebp+var_44], 0
		setnz	[ebp+var_22]
		mov	edx, [esi+5B74h]
		add	esi, 0Ch
		mov	[ebp+var_90], ebx
		mov	[ebp+var_73], ebx
		xor	eax, eax
		mov	[ebp+var_6F], ax
		mov	[ebp+var_6D], bl
		test	edx, edx
		jz	short loc_A06FA0
		test	esi, esi
		jz	loc_A070A7

loc_A06FA0:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+257j
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_94], ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_7C], 2A30h
		mov	[ebp+var_78], ebx
		mov	[ebp+var_74], 1
		lea	eax, [ebp+var_9C]
		push	eax
		mov	ecx, [ebp+arg_0]
		lea	ecx, [ecx+14h]
		call	_ExpLicUpdateChecksum@12 ; ExpLicUpdateChecksum(x,x,x)
		test	eax, eax
		jnz	short loc_A07016
		test	edx, edx
		jz	short loc_A07012
		mov	eax, edx
		push	8
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+arg_0]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		jnz	short loc_A07016
		lea	eax, [ebp+var_9C]
		push	eax
		mov	ecx, esi
		call	_ExpLicUpdateChecksum@12 ; ExpLicUpdateChecksum(x,x,x)

loc_A07012:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+2AEj
		test	eax, eax
		jz	short loc_A0702C

loc_A07016:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+2AAj
					; SLUpdateLicenseDataInternal(x,x,x)+2C3j
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_94], 4

loc_A0702C:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+2D5j
		push	0Ch
		pop	ecx
		lea	esi, [ebp+var_9C]
		lea	edi, [ebp+var_104]
		rep movsd
		mov	edi, [ebp+var_28]
		test	ebx, ebx
		js	short loc_A070AA
		push	1
		push	7
		lea	eax, [ebp+var_104]
		push	eax
		push	edi
		call	ExpSetKernelDataProtection
		jmp	short loc_A070AA
_SLUpdateLicenseDataInternal@12	endp


;  S U B	R O U T	I N E 


sub_A07057	proc near		; DATA XREF: .text:006AA4E0o
		xor	ebx, ebx
		mov	edi, [ebp-5Ch]
		mov	al, bl
		mov	[ebp-1Eh], al
		mov	al, [ebp-24h]
		mov	[ebp-20h], al
		mov	al, bl
		mov	[ebp-21h], al
		mov	eax, [ebp-4Ch]
		mov	[ebp-30h], eax
		mov	eax, ebx
		mov	[ebp-54h], eax
		mov	[ebp-50h], eax
		mov	esi, [ebp-28h]
sub_A07057	endp


;  S U B	R O U T	I N E 


sub_A0707D	proc near		; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+1FFp
		lea	ecx, [esi+5B80h]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_A0709C
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		lea	ecx, [esi+5B80h]

loc_A0709C:				; CODE XREF: sub_A0707D+12j
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		retn
sub_A0707D	endp

; 
; START	OF FUNCTION CHUNK FOR _SLUpdateLicenseDataInternal@12

loc_A070A7:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+25Bj
		mov	edi, [ebp+var_28]

loc_A070AA:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+303j
					; SLUpdateLicenseDataInternal(x,x,x)+316j
		or	esi, 0FFFFFFFFh
		mov	eax, esi
		lea	ecx, [edi+5B80h]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A070CA
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [edi+5B80h]

loc_A070CA:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+37Ej
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[ebp+var_22], 0
		jz	short loc_A070E1
		mov	ecx, edi
		call	_SLSendPolicyChangeNotifications@4 ; SLSendPolicyChangeNotifications(x)

loc_A070E1:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+399j
		mov	edi, 40000000h
		jmp	loc_A076A0
; 

loc_A070EB:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+210j
		mov	[ebp+var_D0], 18h
		mov	[ebp+var_CC], ebx
		mov	[ebp+var_C4], 220h
		mov	[ebp+var_C8], ebx
		mov	[ebp+var_C0], ebx
		mov	[ebp+var_BC], ebx
		mov	esi, [ebp+arg_0]
		mov	eax, [esi]
		mov	[ebp+var_B4], eax
		mov	[ebp+var_B0], ebx
		push	ebx
		push	8000000h
		push	4
		lea	eax, [ebp+var_B4]
		push	eax
		lea	eax, [ebp+var_D0]
		push	eax
		push	0F0007h
		lea	eax, [ebp+var_60]
		push	eax
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A0769D
		mov	[ebp+Length], ebx
		push	ebx
		lea	eax, [ebp+Length]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_60]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		mov	eax, [ebp+Length]
		mov	[ebp+var_48], eax
		push	[ebp+var_60]
		call	_ZwClose@4	; ZwClose(x)
		test	edi, edi
		js	loc_A0769D
		mov	[ebp+Length], ebx
		lea	eax, [ebp+Length]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	[ebp+var_48]
		call	_MmMapViewInSystemSpace@12 ; MmMapViewInSystemSpace(x,x,x)
		mov	edi, eax
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_30], eax
		test	edi, edi
		js	loc_A0769D
		push	5
		pop	ecx
		mov	edi, eax
		rep movsd
		mov	esi, [ebp+arg_0]
		push	dword ptr [esi+4] ; size_t
		push	[ebp+Source2]	; void *
		mov	edi, eax
		lea	eax, [edi+14h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	dword ptr [esi+8] ; size_t
		push	[ebp+var_A4]	; void *
		mov	eax, [esi+4]
		add	eax, 14h
		add	eax, edi
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [edi+4]
		add	eax, 14h
		add	eax, edi
		cmp	dword ptr [edi+8], 4
		jnz	loc_A0768A
		test	eax, eax
		jz	loc_A0768A
		cmp	dword ptr [eax], 45h
		jnz	loc_A0768A
		lea	eax, [ebp+var_34]
		push	eax		; int
		push	ebx		; int
		push	ebx		; void *
		mov	dl, 1
		mov	ecx, edi
		call	sub_8835AA
		mov	edi, eax
		cmp	edi, 0C0000023h
		jnz	loc_A072C0
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	eax, [ebp+var_28]
		add	eax, 5B80h
		mov	[ebp+arg_0], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockSharedEx
		mov	eax, 0B6Dh
		mov	esi, [ebp+var_34]
		cmp	eax, esi
		sbb	edi, edi
		and	edi, 0C000000Dh
		xor	edx, edx
		push	11h
		pop	eax
		mov	ecx, [ebp+arg_0]
		lock cmpxchg [ecx], edx
		cmp	eax, 11h
		jz	short loc_A07263
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	ecx, [ebp+arg_0]

loc_A07263:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+51Aj
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		js	loc_A0769D
		push	20534C53h
		mov	eax, esi
		shl	eax, 3
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_3C], eax
		test	eax, eax
		jnz	short loc_A07298
		mov	edi, 0C0000017h
		jmp	loc_A0769D
; 

loc_A07298:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+54Dj
		push	ebx		; int
		push	esi		; int
		push	eax		; void *
		xor	dl, dl
		mov	ecx, [ebp+var_30]
		call	sub_8835AA
		mov	edi, eax
		test	edi, edi
		js	short loc_A072C7
		push	offset sub_8986CA ; int	__cdecl	(*)(const void *,const void *)
		push	8		; size_t
		push	esi		; size_t
		push	[ebp+var_3C]	; void *
		call	_qsort
		add	esp, 10h
		jmp	short loc_A072C3
; 

loc_A072C0:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+4DAj
		mov	esi, [ebp+var_34]

loc_A072C3:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+57Fj
		test	edi, edi
		jns	short loc_A072DE

loc_A072C7:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+56Aj
		or	esi, 0FFFFFFFFh
		cmp	edi, 0C000003Eh
		jnz	loc_A076A0
		add	edi, 0FFFFFFCFh
		jmp	loc_A076A0
; 

loc_A072DE:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+586j
		mov	[ebp+ms_exc.disabled], 1
		mov	[ebp+var_1F], bl
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	edi, [ebp+var_28]
		lea	ecx, [edi+5B80h]
		xor	edx, edx
		call	ExAcquirePushLockSharedEx
		cmp	[ebp+var_1D], 0
		jnz	short loc_A07357
		mov	ecx, ebx
		mov	[ebp+var_40], ecx
		mov	eax, ebx
		mov	[ebp+var_58], eax

loc_A0730D:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+720j
		cmp	ecx, esi
		jnb	short loc_A07357
		cmp	eax, [edi+5B74h]
		jnb	loc_A074B8
		mov	edx, [ebp+var_3C]
		lea	esi, [edx+ecx*8]
		lea	eax, ds:0Ch[eax*8]
		add	eax, edi
		push	eax		; void *
		push	esi		; void *
		call	sub_8986CA
		pop	ecx
		pop	ecx
		mov	edx, eax
		mov	ecx, [esi+4]
		mov	eax, [ebp+var_58]
		mov	esi, [edi+eax*8+10h]
		test	edx, edx
		jns	loc_A07464
		test	byte ptr [ecx+8], 2
		jz	loc_A07455

loc_A07353:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+73Ej
					; SLUpdateLicenseDataInternal(x,x,x)+763j ...
		mov	[ebp+var_1F], 1

loc_A07357:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+5C2j
					; SLUpdateLicenseDataInternal(x,x,x)+5D0j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_A074F7
		mov	ecx, [ebp+var_48]
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		lea	eax, [esi+5B80h]
		mov	[ebp+arg_0], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockExclusiveEx
		mov	[ebp+var_90], ebx
		mov	[ebp+var_73], ebx
		xor	eax, eax
		mov	[ebp+var_6F], ax
		mov	[ebp+var_6D], bl
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	loc_A07522
		mov	edx, [ebp+var_34]
		mov	edi, [ebp+var_3C]
		test	edx, edx
		jz	short loc_A073B1
		test	edi, edi
		jz	loc_A07522

loc_A073B1:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+668j
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_88], ebx
		mov	[ebp+var_94], ebx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], ebx
		mov	[ebp+var_7C], 2A30h
		mov	[ebp+var_78], ebx
		mov	[ebp+var_74], 1
		lea	ecx, [ebp+var_9C]
		push	ecx
		lea	ecx, [eax+14h]
		call	_ExpLicUpdateChecksum@12 ; ExpLicUpdateChecksum(x,x,x)
		test	eax, eax
		jnz	short loc_A07424
		test	edx, edx
		jz	short loc_A07420
		mov	eax, edx
		push	8
		pop	ecx
		mul	ecx
		push	edx
		push	eax
		lea	ecx, [ebp+var_68]
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		jnz	short loc_A07424
		lea	eax, [ebp+var_9C]
		push	eax
		mov	ecx, edi
		call	_ExpLicUpdateChecksum@12 ; ExpLicUpdateChecksum(x,x,x)

loc_A07420:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+6BCj
		test	eax, eax
		jz	short loc_A0743A

loc_A07424:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+6B8j
					; SLUpdateLicenseDataInternal(x,x,x)+6D1j
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_94], 4

loc_A0743A:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+6E3j
		push	0Ch
		pop	ecx
		lea	esi, [ebp+var_9C]
		lea	edi, [ebp+var_104]
		rep movsd
		mov	edi, ebx
		mov	esi, [ebp+var_28]
		jmp	loc_A07527
; 

loc_A07455:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+60Ej
		mov	ecx, [ebp+var_40]
		inc	ecx
		mov	[ebp+var_40], ecx

loc_A0745C:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+72Ej
					; SLUpdateLicenseDataInternal(x,x,x)+777j
		mov	esi, [ebp+var_34]
		jmp	loc_A0730D
; 

loc_A07464:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+604j
		jle	short loc_A0746F
		inc	eax
		mov	[ebp+var_58], eax
		mov	ecx, [ebp+var_40]
		jmp	short loc_A0745C
; 

loc_A0746F:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x):loc_A07464j
		test	byte ptr [ecx+8], 2
		jz	short loc_A074AB
		movzx	eax, word ptr [esi+6]
		cmp	[ecx+6], ax
		jnz	loc_A07353
		push	eax		; size_t
		movzx	eax, word ptr [esi+2]
		add	eax, 10h
		add	eax, esi
		push	eax		; void *
		movzx	eax, word ptr [ecx+2]
		add	ecx, 10h
		add	eax, ecx
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A07353
		mov	eax, [ebp+var_58]

loc_A074AB:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+734j
		mov	ecx, [ebp+var_40]
		inc	ecx
		mov	[ebp+var_40], ecx
		inc	eax
		mov	[ebp+var_58], eax
		jmp	short loc_A0745C
; 

loc_A074B8:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+5D8j
					; SLUpdateLicenseDataInternal(x,x,x)+796j
		cmp	ecx, esi
		jnb	loc_A07357
		mov	eax, [ebp+var_3C]
		mov	eax, [eax+ecx*8+4]
		test	byte ptr [eax+8], 2
		jnz	loc_A07353
		inc	ecx
		mov	[ebp+var_40], ecx
		jmp	short loc_A074B8
; END OF FUNCTION CHUNK	FOR _SLUpdateLicenseDataInternal@12

;  S U B	R O U T	I N E 


sub_A074D7	proc near		; DATA XREF: .text:006AA4ECo
		xor	ebx, ebx
		mov	al, bl
		mov	[ebp-1Eh], al
		mov	al, [ebp-24h]
		mov	[ebp-20h], al
		mov	al, bl
		mov	[ebp-21h], al
		mov	eax, [ebp-4Ch]
		mov	[ebp-30h], eax
		mov	eax, ebx
		mov	[ebp-54h], eax
		mov	[ebp-50h], eax
sub_A074D7	endp


;  S U B	R O U T	I N E 


sub_A074F7	proc near		; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+61Fp
		mov	esi, [ebp-28h]
		lea	edi, [esi+5B80h]
		xor	edx, edx
		push	11h
		pop	eax
		lock cmpxchg [edi], edx
		cmp	eax, 11h
		jz	short loc_A07515
		mov	ecx, edi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A07515:				; CODE XREF: sub_A074F7+15j
		mov	ecx, edi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		retn
sub_A074F7	endp

; 
; START	OF FUNCTION CHUNK FOR _SLUpdateLicenseDataInternal@12

loc_A07522:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+65Aj
					; SLUpdateLicenseDataInternal(x,x,x)+66Cj
		mov	edi, 0C000000Dh

loc_A07527:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+711j
		test	edi, edi
		js	loc_A07629
		push	1
		push	7
		lea	eax, [ebp+var_104]
		push	eax
		push	esi
		call	ExpSetKernelDataProtection
		mov	eax, [esi+8]
		mov	[ebp+var_50], eax
		mov	eax, [esi+5B7Ch]
		mov	[ebp+var_54], eax
		mov	eax, [ebp+var_48]
		mov	[esi+8], eax
		mov	eax, [ebp+var_30]
		mov	[esi+5B7Ch], eax
		mov	[ebp+var_30], ebx
		call	_PsGetCurrentServerSilo@0 ; PsGetCurrentServerSilo()
		push	eax
		call	_PsIsHostSilo@4	; PsIsHostSilo(x)
		test	al, al
		jnz	short loc_A07581
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_A07581
		push	69534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A07581:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+82Fj
					; SLUpdateLicenseDataInternal(x,x,x)+835j
		mov	[esi], ebx
		mov	al, [esi+5C10h]
		mov	[ebp+var_21], al
		mov	[esi+5C10h], bl
		lea	ecx, [esi+0Ch]
		mov	eax, [esi+5B74h]
		shl	eax, 3
		push	eax		; size_t
		push	ebx		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+5B74h], ebx
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_A075D3
		mov	eax, [ebp+var_34]
		shl	eax, 3
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [esi+0Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_34]
		mov	[esi+5B74h], eax

loc_A075D3:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+875j
		mov	byte ptr [esi+5B78h], 1
		lea	edx, [ebp+var_64]
		mov	ecx, esi
		call	_ExpGetLicenseTamperState@8 ; ExpGetLicenseTamperState(x,x)
		mov	eax, [esi+5B7Ch]
		mov	edx, [eax+0Ch]
		xor	eax, eax
		inc	eax
		and	edx, eax
		jz	short loc_A075F7
		mov	[ebp+var_20], al

loc_A075F7:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+8B3j
		add	edx, edx
		mov	ecx, [ebp+var_B8]
		call	_ExpSetLicenseTamperState@8 ; ExpSetLicenseTamperState(x,x)
		lea	edx, [ebp+var_44]
		mov	ecx, esi
		call	_ExpGetLicenseTamperState@8 ; ExpGetLicenseTamperState(x,x)
		mov	eax, [ebp+var_44]
		cmp	[ebp+var_64], eax
		jz	short loc_A07626
		cmp	[ebp+var_64], 0
		jz	short loc_A07620
		test	eax, eax
		jnz	short loc_A07626

loc_A07620:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+8DBj
		mov	[ebp+var_1E], 1
		jmp	short loc_A07629
; 

loc_A07626:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+8D5j
					; SLUpdateLicenseDataInternal(x,x,x)+8DFj
		mov	[ebp+var_1E], bl

loc_A07629:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+7EAj
					; SLUpdateLicenseDataInternal(x,x,x)+8E5j
		or	esi, 0FFFFFFFFh
		mov	eax, esi
		mov	ecx, [ebp+arg_0]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A07643
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	ecx, [ebp+arg_0]

loc_A07643:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+8FAj
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	edi, edi
		js	short loc_A076A0
		mov	al, [ebp+var_1D]
		test	al, al
		jnz	short loc_A07669
		mov	ecx, [ebp+var_28]
		call	sub_A0692F
		mov	edi, eax
		test	edi, edi
		js	short loc_A076A0
		mov	al, [ebp+var_1D]

loc_A07669:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+917j
		cmp	[ebp+var_1E], 0
		jnz	short loc_A07673
		test	al, al
		jnz	short loc_A0767B

loc_A07673:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+92Ej
		mov	ecx, [ebp+var_28]
		call	_SLSendPolicyChangeNotifications@4 ; SLSendPolicyChangeNotifications(x)

loc_A0767B:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+932j
		mov	edi, ebx
		cmp	[ebp+var_1F], 1
		jnz	short loc_A076A0
		mov	edi, 107h
		jmp	short loc_A076A0
; 

loc_A0768A:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+4ACj
					; SLUpdateLicenseDataInternal(x,x,x)+4B4j ...
		mov	edi, 0C000003Fh
		jmp	short loc_A0769D
; 

loc_A07691:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+ADj
					; SLUpdateLicenseDataInternal(x,x,x)+B8j ...
		mov	edi, 0C0000040h
		jmp	short loc_A0769D
; 

loc_A07698:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+84j
					; SLUpdateLicenseDataInternal(x,x,x)+95j ...
		mov	edi, 0C000000Dh

loc_A0769D:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+206j
					; SLUpdateLicenseDataInternal(x,x,x)+411j ...
		or	esi, 0FFFFFFFFh

loc_A076A0:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+3A7j
					; SLUpdateLicenseDataInternal(x,x,x)+591j ...
		cmp	[ebp+var_21], 0
		jz	short loc_A076BC
		mov	eax, [ebp+var_28]
		cmp	byte ptr [eax+5C10h], 0
		jnz	short loc_A076BC
		push	offset _KernelLicensingCacheCorruptionFixed
		call	ntoskrnl_24

loc_A076BC:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+965j
					; SLUpdateLicenseDataInternal(x,x,x)+971j
		cmp	[ebp+var_20], 0
		jz	short loc_A07721
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	eax, [ebp+var_28]
		add	eax, 5B80h
		mov	[ebp+arg_0], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockExclusiveEx
		push	30h		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_9C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	ebx
		push	20h
		lea	eax, [ebp+var_9C]
		push	eax
		push	[ebp+var_28]
		call	ExpSetKernelDataProtection
		mov	eax, esi
		mov	esi, [ebp+arg_0]
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A07715
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A07715:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+9CDj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_A07721:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+981j
		mov	eax, [ebp+var_48]
		test	eax, eax
		jz	short loc_A0772F
		mov	ecx, eax
		call	ObfDereferenceObject

loc_A0772F:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+9E7j
		mov	eax, [ebp+var_50]
		test	eax, eax
		jz	short loc_A0773D
		mov	ecx, eax
		call	ObfDereferenceObject

loc_A0773D:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+9F5j
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_A0774A
		push	eax
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)

loc_A0774A:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+A03j
		mov	eax, [ebp+var_54]
		test	eax, eax
		jz	short loc_A07757
		push	eax
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)

loc_A07757:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+A10j
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jz	short loc_A07765
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A07765:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+A1Dj
		cmp	edi, 0C000000Dh
		jz	short loc_A0777D
		cmp	edi, 0C0000040h
		jz	short loc_A0777D
		cmp	edi, 0C000003Fh
		jnz	short loc_A077E4

loc_A0777D:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+A2Cj
					; SLUpdateLicenseDataInternal(x,x,x)+A34j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	esi, [ebp+var_28]
		lea	eax, [esi+5B80h]
		mov	[ebp+arg_0], eax
		xor	edx, edx
		mov	ecx, eax
		call	ExAcquirePushLockExclusiveEx
		lea	edx, [ebp+var_44]
		mov	ecx, esi
		call	_ExpGetLicenseTamperState@8 ; ExpGetLicenseTamperState(x,x)
		cmp	[ebp+var_44], 0
		jnz	short loc_A077B4
		push	5
		pop	edx
		mov	ecx, esi
		call	_ExpSetLicenseTamperState@8 ; ExpSetLicenseTamperState(x,x)
		xor	ebx, ebx
		inc	ebx

loc_A077B4:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+A66j
		or	eax, 0FFFFFFFFh
		mov	ecx, [ebp+arg_0]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A077CF
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [esi+5B80h]

loc_A077CF:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+A83j
		call	KeAbPostRelease
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		test	bl, bl
		jz	short loc_A077E4
		mov	ecx, esi
		call	_SLSendPolicyChangeNotifications@4 ; SLSendPolicyChangeNotifications(x)

loc_A077E4:				; CODE XREF: SLUpdateLicenseDataInternal(x,x,x)+A3Cj
					; SLUpdateLicenseDataInternal(x,x,x)+A9Cj
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; END OF FUNCTION CHUNK	FOR _SLUpdateLicenseDataInternal@12

;  S U B	R O U T	I N E 


; __stdcall ExWaitForCallBacks(x)
_ExWaitForCallBacks@4 proc near		; CODE XREF: IoUnregisterPriorityCallback(x)+D3p
					; KeDeregisterBoundCallback(x)+7Cp ...
		jmp	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
_ExWaitForCallBacks@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExStartRecordingIRTimerExpiries()
_ExStartRecordingIRTimerExpiries@0 proc	near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+47Cp
		mov	edi, edi
		push	ebx
		push	esi
		xor	edx, edx
		xor	ecx, ecx
		push	edi

loc_A07806:				; CODE XREF: ExStartRecordingIRTimerExpiries()+1Bj
		movzx	eax, ds:byte_403D40[ecx]
		add	ecx, 0Ch
		add	edx, eax
		cmp	ecx, 0C0h
		jb	short loc_A07806
		mov	edi, edx
		mov	ebx, 69547845h
		push	ebx
		shl	edi, 2
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A07859
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, offset _ExpIRTimerExpiryCounts
		xchg	esi, [eax]
		call	KeQueryInterruptTime
		test	esi, esi
		jz	short loc_A07859
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A07859:				; CODE XREF: ExStartRecordingIRTimerExpiries()+37j
					; ExStartRecordingIRTimerExpiries()+53j
		pop	edi
		pop	esi
		pop	ebx
		retn
_ExStartRecordingIRTimerExpiries@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExStopRecordingIRTimerExpiries()
_ExStopRecordingIRTimerExpiries@0 proc near
					; CODE XREF: PopCaptureSleepStudyStatistics(x,x,x,x)+513p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	eax, offset _ExpIRTimerExpiryCounts
		xchg	esi, [eax]
		test	esi, esi
		jz	short loc_A078C7
		push	10h
		xor	eax, eax
		mov	edi, offset byte_403D40
		pop	ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx

loc_A07884:				; CODE XREF: ExStopRecordingIRTimerExpiries()+5Dj
		xor	ebx, ebx
		cmp	[edi], bl
		jbe	short loc_A078B1

loc_A0788A:				; CODE XREF: ExStopRecordingIRTimerExpiries()+4Fj
		mov	ecx, [esi+eax*4]
		test	ecx, ecx
		jz	short loc_A0789E
		push	dword ptr [edi-8]
		mov	edx, ebx
		call	_PoDiagTraceIRTimerSleepStudyRundown@12	; PoDiagTraceIRTimerSleepStudyRundown(x,x,x)
		mov	eax, [ebp+var_4]

loc_A0789E:				; CODE XREF: ExStopRecordingIRTimerExpiries()+32j
		inc	eax
		inc	ebx
		mov	[ebp+var_4], eax
		movzx	eax, byte ptr [edi]
		cmp	bx, ax
		mov	eax, [ebp+var_4]
		jb	short loc_A0788A
		mov	ecx, [ebp+var_8]

loc_A078B1:				; CODE XREF: ExStopRecordingIRTimerExpiries()+2Bj
		add	edi, 0Ch
		sub	ecx, 1
		mov	[ebp+var_8], ecx
		jnz	short loc_A07884
		push	69547845h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A078C7:				; CODE XREF: ExStopRecordingIRTimerExpiries()+15j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExStopRecordingIRTimerExpiries@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtOpenTimer(x, x, x)
_NtOpenTimer@12	proc near		; DATA XREF: .text:00580EF8o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	14h
		push	offset dword_6AA580
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+var_24], bl
		test	bl, bl
		jz	short loc_A0790C
		mov	[ebp+ms_exc.disabled], edi
		mov	ecx, [ebp+arg_0]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_A07901
		mov	ecx, eax

loc_A07901:				; CODE XREF: NtOpenTimer(x,x,x)+31j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A0790C:				; CODE XREF: NtOpenTimer(x,x,x)+22j
		mov	esi, ds:_ExTimerObjectType
		lea	eax, [ebp+var_1C]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	edi
		push	[ebp+arg_4]
		push	edi
		push	[ebp+var_24]
		push	esi
		push	[ebp+arg_8]
		call	ObOpenObjectByNameEx
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_A0797E
		test	bl, bl
		jz	short loc_A07976
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_A07947:				; CODE XREF: NtOpenTimer(x,x,x)+A8j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A0797E
; 

loc_A07950:				; DATA XREF: .text:006AA594o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0795E:				; DATA XREF: .text:006AA598o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]
		jmp	short loc_A07981
; 

loc_A0796D:				; DATA XREF: .text:006AA5A0o
		xor	eax, eax
		inc	eax
		retn
; 

loc_A07971:				; DATA XREF: .text:006AA5A4o
		mov	esp, [ebp+ms_exc.old_esp]
		jmp	short loc_A07947
; 

loc_A07976:				; CODE XREF: NtOpenTimer(x,x,x)+6Aj
		mov	ecx, [ebp+var_1C]
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_A0797E:				; CODE XREF: NtOpenTimer(x,x,x)+66j
					; NtOpenTimer(x,x,x)+82j
		mov	eax, [ebp+arg_4]

loc_A07981:				; CODE XREF: NtOpenTimer(x,x,x)+9Fj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_NtOpenTimer@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryTimer(x, x, x, x, x)
_NtQueryTimer@20 proc near		; DATA XREF: .text:00580DECo

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	1Ch
		push	offset dword_6AA558
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ecx
		cmp	[ebp+arg_4], ecx
		jz	short loc_A079B6
		mov	eax, 0C0000003h
		jmp	loc_A07AE4
; 

loc_A079B6:				; CODE XREF: NtQueryTimer(x,x,x,x,x)+17j
		cmp	[ebp+arg_C], 10h
		jz	short loc_A079C6
		mov	eax, 0C0000004h
		jmp	loc_A07AE4
; 

loc_A079C6:				; CODE XREF: NtQueryTimer(x,x,x,x,x)+27j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+arg_4+3],	al
		mov	byte ptr [ebp+var_20], al
		test	al, al
		jz	short loc_A07A44
		mov	[ebp+ms_exc.disabled], ecx
		mov	ebx, [ebp+arg_8]
		test	bl, 3
		jz	short loc_A079EC
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A079EC:				; CODE XREF: NtQueryTimer(x,x,x,x,x)+52j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_A079F7
		mov	[eax], cl

loc_A079F7:				; CODE XREF: NtQueryTimer(x,x,x,x,x)+60j
		mov	al, [ebx]
		mov	[ebx], al
		mov	al, [ebx+0Ch]
		mov	[ebx+0Ch], al
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jz	short loc_A07A1B
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_A07A15
		mov	ecx, eax

loc_A07A15:				; CODE XREF: NtQueryTimer(x,x,x,x,x)+7Ej
		mov	eax, [ecx]
		mov	[ecx], eax
		xor	ecx, ecx

loc_A07A1B:				; CODE XREF: NtQueryTimer(x,x,x,x,x)+73j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A07A4A
; 

loc_A07A24:				; DATA XREF: .text:006AA56Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A07A32:				; DATA XREF: .text:006AA570o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]
		jmp	loc_A07AE4
; 

loc_A07A44:				; CODE XREF: NtQueryTimer(x,x,x,x,x)+47j
		mov	esi, [ebp+arg_10]
		mov	ebx, [ebp+arg_8]

loc_A07A4A:				; CODE XREF: NtQueryTimer(x,x,x,x,x)+8Fj
		mov	eax, ds:_ExTimerObjectType
		mov	[ebp+arg_C], ecx
		push	ecx
		lea	ecx, [ebp+arg_C]
		push	ecx
		push	[ebp+var_20]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], eax
		test	eax, eax
		js	short loc_A07AE1
		mov	eax, [edi+4]
		mov	[ebp+arg_10], eax
		and	[ebp+var_28], 0

loc_A07A7C:				; CODE XREF: NtQueryTimer(x,x,x,x,x)+18Ej
		mov	eax, ds:0FFDF000Ch
		mov	[ebp+arg_0], eax
		mov	ecx, ds:0FFDF0008h
		mov	[ebp+arg_8], ecx
		cmp	eax, ds:0FFDF0010h
		jnz	loc_A07B19
		mov	ecx, edi
		call	_KeQueryTimerDueTime@4 ; KeQueryTimerDueTime(x)
		mov	edi, eax
		mov	eax, edx
		sub	edi, [ebp+arg_8]
		sbb	eax, [ebp+arg_0]
		mov	[ebp+arg_8], eax
		mov	ecx, [ebp+var_24]
		call	ObfDereferenceObject
		cmp	byte ptr [ebp+arg_4+3],	0
		jz	short loc_A07AFF
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+arg_10]
		mov	[ebx+8], al
		mov	[ebx], edi
		mov	eax, [ebp+arg_8]
		mov	[ebx+4], eax
		test	esi, esi
		jz	short loc_A07ADA
		mov	dword ptr [esi], 10h

loc_A07ADA:				; CODE XREF: NtQueryTimer(x,x,x,x,x)+13Fj
					; NtQueryTimer(x,x,x,x,x)+16Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A07AE1:				; CODE XREF: NtQueryTimer(x,x,x,x,x)+DDj
					; NtQueryTimer(x,x,x,x,x)+17Cj	...
		mov	eax, [ebp+var_20]

loc_A07AE4:				; CODE XREF: NtQueryTimer(x,x,x,x,x)+1Ej
					; NtQueryTimer(x,x,x,x,x)+2Ej ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_A07AF6:				; DATA XREF: .text:006AA578o
		xor	eax, eax
		inc	eax
		retn
; 

loc_A07AFA:				; DATA XREF: .text:006AA57Co
		mov	esp, [ebp+ms_exc.old_esp]
		jmp	short loc_A07ADA
; 

loc_A07AFF:				; CODE XREF: NtQueryTimer(x,x,x,x,x)+126j
		mov	eax, [ebp+arg_10]
		mov	[ebx+8], al
		mov	[ebx], edi
		mov	eax, [ebp+arg_8]
		mov	[ebx+4], eax
		test	esi, esi
		jz	short loc_A07AE1
		mov	dword ptr [esi], 10h
		jmp	short loc_A07AE1
; 

loc_A07B19:				; CODE XREF: NtQueryTimer(x,x,x,x,x)+100j
		lea	ecx, [ebp+var_28]
		call	KeYieldProcessorEx
		jmp	loc_A07A7C
_NtQueryTimer@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetEventBoostPriority(x)
_NtSetEventBoostPriority@4 proc	near	; DATA XREF: .text:00580CE4o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		lea	ecx, [ebp+var_4]
		and	[ebp+var_4], 0
		push	edi
		push	0
		mov	al, [eax+15Ah]
		push	ecx
		mov	byte ptr [ebp+var_8], al
		push	[ebp+var_8]
		mov	eax, ds:_ExEventObjectType
		push	eax
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A07B80
		push	esi
		mov	esi, [ebp+var_4]
		test	byte ptr [esi],	7Fh
		jnz	short loc_A07B70
		mov	edi, 0C0000024h
		jmp	short loc_A07B78
; 

loc_A07B70:				; CODE XREF: NtSetEventBoostPriority(x)+41j
		push	0
		push	esi
		call	_KeSetEventBoostPriority@8 ; KeSetEventBoostPriority(x,x)

loc_A07B78:				; CODE XREF: NtSetEventBoostPriority(x)+48j
		mov	ecx, esi
		call	ObfDereferenceObject
		pop	esi

loc_A07B80:				; CODE XREF: NtSetEventBoostPriority(x)+38j
		mov	eax, edi
		pop	edi
		leave
		retn	4
_NtSetEventBoostPriority@4 endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 430. ExSetFirmwareEnvironmentVariable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExSetFirmwareEnvironmentVariable(x,	x, x, x, x)
		public _ExSetFirmwareEnvironmentVariable@20
_ExSetFirmwareEnvironmentVariable@20 proc near
					; CODE XREF: PopCheckpointSystemSleepUnsafe(x)+25p
					; PopClearSystemSleepCheckpoint+A5C2Cp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	dword_6BBFD0, 2
		push	esi
		push	edi
		jz	short loc_A07BA4
		mov	eax, 0C0000002h
		jmp	short loc_A07BE2
; 

loc_A07BA4:				; CODE XREF: ExSetFirmwareEnvironmentVariable(x,x,x,x,x)+Fj
		mov	ecx, [ebp+arg_0]
		call	_ExpUnicodeStringToNonpagedWStr@4 ; ExpUnicodeStringToNonpagedWStr(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A07BB9
		mov	eax, 0C000009Ah
		jmp	short loc_A07BE2
; 

loc_A07BB9:				; CODE XREF: ExSetFirmwareEnvironmentVariable(x,x,x,x,x)+24j
		mov	eax, [ebp+arg_8]
		mov	ecx, edi
		mov	edx, [ebp+arg_4]
		neg	eax
		push	0
		push	[ebp+arg_10]
		sbb	eax, eax
		and	eax, [ebp+arg_C]
		push	eax
		push	[ebp+arg_8]
		call	_ExpSetFirmwareEnvironmentVariable@24 ;	ExpSetFirmwareEnvironmentVariable(x,x,x,x,x,x)
		push	0
		push	edi
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_A07BE2:				; CODE XREF: ExSetFirmwareEnvironmentVariable(x,x,x,x,x)+16j
					; ExSetFirmwareEnvironmentVariable(x,x,x,x,x)+2Bj
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	14h
_ExSetFirmwareEnvironmentVariable@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCapabilityCheck(x)
_ExpCapabilityCheck@4 proc near		; CODE XREF: PAGE:007B360Dp
					; PAGE:007B366Dp ...

var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		lea	eax, [ebp-1]
		mov	[ebp+var_1], 0
		push	eax
		push	ecx
		push	0
		call	_RtlCapabilityCheck@12 ; RtlCapabilityCheck(x,x,x)
		test	eax, eax
		js	short loc_A07C0D
		cmp	[ebp+var_1], 0
		jz	short loc_A07C0D
		mov	al, 1
		leave
		retn
; 

loc_A07C0D:				; CODE XREF: ExpCapabilityCheck(x)+18j
					; ExpCapabilityCheck(x)+1Ej
		xor	al, al
		leave
		retn
_ExpCapabilityCheck@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExpCheckTestsigningEnabled()
_ExpCheckTestsigningEnabled@0 proc near	; CODE XREF: .text:loc_5F28A8p
		mov	edi, edi
		push	ecx
		push	0
		push	0
		push	offset _ExpInitExpCheckTestSigningInfo@12 ; ExpInitExpCheckTestSigningInfo(x,x,x)
		push	offset _ExpCheckTestSigningInit
		call	RtlRunOnceExecuteOnce
		mov	al, _ExpTestSigningEnabled
		pop	ecx
		retn
_ExpCheckTestsigningEnabled@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpConvertArcName(x, x, x, x, x, x)
_ExpConvertArcName@24 proc near		; CODE XREF: ExpTranslateArcPath(x,x,x,x)+56p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		xor	eax, eax
		push	edi
		add	esi, 0Ah
		mov	[esp+20h+var_8], edx
		push	72766E45h
		mov	[esp+24h+var_4], ecx
		mov	[esp+24h+var_10], eax
		lea	ebx, [esi+esi]
		mov	[esp+24h+var_C], eax
		push	ebx
		push	200h
		mov	[esp+2Ch+var_14], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A07C7B

loc_A07C71:				; CODE XREF: ExpConvertArcName(x,x,x,x,x,x)+FAj
		mov	eax, 0C000009Ah
		jmp	loc_A07DAA
; 

loc_A07C7B:				; CODE XREF: ExpConvertArcName(x,x,x,x,x,x)+41j
		push	offset ??_C@_1BE@HOPMDIJK@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2@NNGAKEGL@
		push	esi
		push	edi
		call	_wcscpy_s
		add	esp, 0Ch
		push	[ebp+arg_C]
		push	[ebp+arg_4]
		push	esi
		push	edi
		call	_wcsncat_s
		xor	eax, eax
		add	esp, 10h
		cmp	[esp+20h+var_4], 3
		mov	[ebx+edi-2], ax
		jnz	short loc_A07CE6
		lea	edx, [esp+20h+var_10]
		mov	ecx, edi
		call	_ExpTranslateSymbolicLink@8 ; ExpTranslateSymbolicLink(x,x)
		xor	ebx, ebx
		mov	esi, eax
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	loc_A07DA8
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		lea	eax, [esp+24h+var_10]
		mov	ecx, [esp+24h+var_8]
		push	eax
		call	_ExpCreateOutputNT@16 ;	ExpCreateOutputNT(x,x,x,x)
		push	ebx
		push	[esp+24h+var_C]
		mov	esi, eax
		jmp	loc_A07DA3
; 

loc_A07CE6:				; CODE XREF: ExpConvertArcName(x,x,x,x,x,x)+78j
		lea	esi, [ebx+0Ch]
		cmp	[ebp+arg_8], eax
		jz	short loc_A07D08
		mov	ecx, [ebp+arg_8]
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_A07CF6:				; CODE XREF: ExpConvertArcName(x,x,x,x,x,x)+D1j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A07CF6
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [esi+ecx*2]

loc_A07D08:				; CODE XREF: ExpConvertArcName(x,x,x,x,x,x)+BEj
		push	72766E45h
		add	esi, 2
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A07D2D
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_A07C71
; 

loc_A07D2D:				; CODE XREF: ExpConvertArcName(x,x,x,x,x,x)+F1j
		lea	eax, [esi-0Ch]
		mov	dword ptr [ebx], 1
		push	edi
		shr	eax, 1
		lea	ecx, [ebx+0Ch]
		push	eax
		push	ecx
		mov	[ebx+4], esi
		mov	dword ptr [ebx+8], 3
		call	_wcscpy_s
		add	esp, 0Ch
		lea	eax, [ebx+0Ch]
		add	eax, [esp+20h+var_14]
		mov	[esp+20h+var_10], eax
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+arg_8], 0
		mov	eax, [esp+20h+var_10]
		jz	short loc_A07D86
		sub	esi, [esp+20h+var_14]
		push	[ebp+arg_8]
		sub	esi, 0Ch
		shr	esi, 1
		push	esi
		push	eax
		call	_wcscpy_s
		add	esp, 0Ch
		jmp	short loc_A07D8B
; 

loc_A07D86:				; CODE XREF: ExpConvertArcName(x,x,x,x,x,x)+13Ej
		xor	ecx, ecx
		mov	[eax], cx

loc_A07D8B:				; CODE XREF: ExpConvertArcName(x,x,x,x,x,x)+156j
		push	[ebp+arg_0]
		mov	edx, [esp+24h+var_4]
		mov	ecx, ebx
		push	[esp+24h+var_8]
		call	_ExpTranslateNtPath@16 ; ExpTranslateNtPath(x,x,x,x)
		mov	esi, eax
		xor	eax, eax
		push	eax
		push	ebx

loc_A07DA3:				; CODE XREF: ExpConvertArcName(x,x,x,x,x,x)+B3j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A07DA8:				; CODE XREF: ExpConvertArcName(x,x,x,x,x,x)+92j
		mov	eax, esi

loc_A07DAA:				; CODE XREF: ExpConvertArcName(x,x,x,x,x,x)+48j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_ExpConvertArcName@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpConvertSignatureName(x, x, x, x,	x, x)
_ExpConvertSignatureName@24 proc near	; CODE XREF: ExpTranslateArcPath(x,x,x,x)+7Ap

var_5E		= byte ptr -5Eh
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[esp+64h+var_50], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	[esp+68h+var_54], eax
		mov	ebx, ecx
		push	esi
		push	edi
		xor	eax, eax
		mov	ecx, [ebp+arg_4]
		lea	edi, [esp+70h+var_14]
		mov	esi, edx
		stosd
		mov	edx, [ebp+arg_C]
		mov	[esp+70h+var_3C], esi
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[esp+70h+var_4C], eax
		mov	[esp+70h+var_58], eax
		mov	[esp+70h+var_40], eax
		mov	[esp+70h+var_38], eax
		mov	[esp+70h+var_34], eax
		mov	[esp+70h+var_20], eax
		mov	[esp+70h+var_1C], eax
		mov	[esp+70h+var_30], eax
		mov	[esp+70h+var_2C], eax
		mov	[esp+70h+var_28], eax
		mov	[esp+70h+var_24], eax
		mov	byte ptr [esp+70h+var_5C], al
		mov	[esp+70h+var_5D], al
		mov	[esp+70h+var_48], eax
		mov	[esp+70h+var_44], eax
		lea	eax, [esp+13h]
		push	eax
		lea	eax, [esp+74h+var_5C]
		push	eax
		lea	eax, [esp+78h+var_30]
		push	eax
		lea	eax, [esp+7Ch+var_38]
		push	eax
		lea	eax, [esp+80h+var_4C]
		push	eax
		lea	eax, [esp+84h+var_14]
		push	eax
		call	_ExpParseSignatureName@32 ; ExpParseSignatureName(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_A07FCD
		cmp	[esp+70h+var_5D], 1
		jnz	short loc_A07E93
		cmp	ebx, 4
		jnz	short loc_A07E93
		push	[esp+70h+var_5C]
		lea	eax, [esp+74h+var_30]
		push	[esp+74h+var_54]
		push	eax
		lea	eax, [esp+7Ch+var_38]
		push	eax
		lea	eax, [esp+80h+var_4C]

loc_A07E7D:				; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+171j
		mov	edx, [esp+80h+var_50]
		mov	ecx, esi
		push	eax
		lea	eax, [esp+84h+var_14]
		push	eax
		call	_ExpCreateOutputEFI@32 ; ExpCreateOutputEFI(x,x,x,x,x,x,x,x)
		jmp	loc_A07FCD
; 

loc_A07E93:				; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+ADj
					; ExpConvertSignatureName(x,x,x,x,x,x)+B2j
		cmp	byte ptr [esp+70h+var_5C], 0
		mov	edi, [esp+70h+var_4C]
		jnz	short loc_A07EA2
		mov	[esp+70h+var_58], edi

loc_A07EA2:				; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+E9j
		push	[esp+70h+var_5C]
		lea	eax, [esp+74h+var_28]
		push	eax
		lea	eax, [esp+78h+var_20]
		push	eax
		lea	eax, [esp+7Ch+var_40]
		push	eax
		lea	edx, [esp+80h+var_58]
		lea	ecx, [esp+80h+var_14]
		call	_ExpFindDiskSignature@24 ; ExpFindDiskSignature(x,x,x,x,x,x)
		test	eax, eax
		js	loc_A07FCD
		cmp	[esp+70h+var_5D], 1
		jnz	short loc_A07F09
		cmp	edi, [esp+70h+var_58]
		jnz	short loc_A07EFF
		mov	eax, [esp+70h+var_38]
		cmp	eax, [esp+70h+var_20]
		jnz	short loc_A07EFF
		mov	eax, [esp+70h+var_34]
		cmp	eax, [esp+70h+var_1C]
		jnz	short loc_A07EFF
		mov	eax, [esp+70h+var_30]
		cmp	eax, [esp+70h+var_28]
		jnz	short loc_A07EFF
		mov	eax, [esp+70h+var_2C]
		cmp	eax, [esp+70h+var_24]
		jz	short loc_A07F09

loc_A07EFF:				; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+122j
					; ExpConvertSignatureName(x,x,x,x,x,x)+12Cj ...
		mov	eax, 0C000000Dh
		jmp	loc_A07FCD
; 

loc_A07F09:				; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+11Cj
					; ExpConvertSignatureName(x,x,x,x,x,x)+14Aj
		cmp	ebx, 4
		jnz	short loc_A07F29
		push	[esp+70h+var_5C]
		lea	eax, [esp+74h+var_28]
		push	[esp+74h+var_54]
		push	eax
		lea	eax, [esp+7Ch+var_20]
		push	eax
		lea	eax, [esp+80h+var_58]
		jmp	loc_A07E7D
; 

loc_A07F29:				; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+159j
		push	72766E45h
		push	5Eh
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A07F4A
		mov	eax, 0C000009Ah
		jmp	loc_A07FCD
; 

loc_A07F4A:				; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+18Bj
		push	[esp+70h+var_58]
		push	[esp+74h+var_40]
		push	offset ??_C@_1EC@CDJBOKNM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@NNGAKEGL@ ; "\\Device\\Harddisk%lu\\Partition%lu"
		push	2Fh
		push	esi
		call	_swprintf_s
		add	esp, 14h
		lea	edx, [esp+70h+var_48]
		mov	ecx, esi
		call	_ExpTranslateSymbolicLink@8 ; ExpTranslateSymbolicLink(x,x)
		push	0
		push	esi
		mov	edi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jns	short loc_A07F7F
		mov	eax, edi
		jmp	short loc_A07FCD
; 

loc_A07F7F:				; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+1C6j
		cmp	ebx, 3
		jnz	short loc_A07F9C
		push	[esp+70h+var_54]
		mov	edx, [esp+74h+var_50]
		lea	eax, [esp+74h+var_48]
		mov	ecx, [esp+74h+var_3C]
		push	eax
		call	_ExpCreateOutputNT@16 ;	ExpCreateOutputNT(x,x,x,x)
		jmp	short loc_A07FB7
; 

loc_A07F9C:				; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+1CFj
		cmp	ebx, 1
		jnz	short loc_A07FBB
		push	[esp+70h+var_54]
		mov	edx, [esp+74h+var_50]
		lea	eax, [esp+74h+var_48]
		mov	ecx, [esp+74h+var_3C]
		push	eax
		call	_ExpCreateOutputARC@16 ; ExpCreateOutputARC(x,x,x,x)

loc_A07FB7:				; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+1E7j
		mov	esi, eax
		jmp	short loc_A07FC0
; 

loc_A07FBB:				; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+1ECj
		mov	esi, 0C000000Dh

loc_A07FC0:				; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+206j
		push	0
		push	[esp+74h+var_44]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_A07FCD:				; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+A2j
					; ExpConvertSignatureName(x,x,x,x,x,x)+DBj ...
		mov	ecx, [esp+70h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_ExpConvertSignatureName@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCreateOutputARC(x, x, x,	x)
_ExpCreateOutputARC@16 proc near	; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+1FFp
					; ExpTranslateEfiPath(x,x,x,x)+354p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	[ebp+var_C], edx
		xor	ebx, ebx
		mov	[ebp+var_8], ecx
		lea	edx, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		push	edi
		mov	[ebp+var_4], ebx
		call	_ExpFindArcName@8 ; ExpFindArcName(x,x)
		test	eax, eax
		js	loc_A080AF
		mov	edi, [ebp+var_4]
		lea	ecx, [edi+2]

loc_A08010:				; CODE XREF: ExpCreateOutputARC(x,x,x,x)+38j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, bx
		jnz	short loc_A08010
		sub	edi, ecx
		sar	edi, 1
		lea	esi, ds:2[edi*2]
		cmp	[ebp+arg_4], ebx
		jz	short loc_A08043
		mov	ecx, [ebp+arg_4]
		lea	edx, [ecx+2]

loc_A08031:				; CODE XREF: ExpCreateOutputARC(x,x,x,x)+59j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A08031
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [esi+ecx*2]

loc_A08043:				; CODE XREF: ExpCreateOutputARC(x,x,x,x)+48j
		mov	eax, [ebp+var_C]
		mov	ebx, esi
		add	esi, 0Ch
		shr	ebx, 1
		cmp	[eax], esi
		jnb	short loc_A08064
		push	0
		push	[ebp+var_4]
		mov	[eax], esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C0000023h
		jmp	short loc_A080AF
; 

loc_A08064:				; CODE XREF: ExpCreateOutputARC(x,x,x,x)+6Ej
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		push	[ebp+var_4]
		inc	ecx
		push	ebx
		mov	[eax], ecx
		mov	[eax+4], esi
		mov	[eax+8], ecx
		add	eax, 0Ch
		push	eax
		call	_wcscpy_s
		add	esp, 0Ch
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+arg_4], 0
		jz	short loc_A080A8
		mov	eax, [ebp+var_8]
		push	[ebp+arg_4]
		add	eax, 0Ch
		push	ebx
		lea	eax, [eax+edi*2]
		push	eax
		call	_wcscpy_s
		add	esp, 0Ch

loc_A080A8:				; CODE XREF: ExpCreateOutputARC(x,x,x,x)+AFj
		mov	edx, [ebp+var_C]
		xor	eax, eax
		mov	[edx], esi

loc_A080AF:				; CODE XREF: ExpCreateOutputARC(x,x,x,x)+23j
					; ExpCreateOutputARC(x,x,x,x)+81j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_ExpCreateOutputARC@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCreateOutputEFI(x, x, x,	x, x, x, x, x)
_ExpCreateOutputEFI@32 proc near	; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+D6p
					; ExpTranslateNtPath(x,x,x,x)+258p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_40], edx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_3C], eax
		mov	[ebp+var_24], ebx
		mov	[ebp+var_28], ebx
		push	36h
		pop	esi
		test	eax, eax
		jz	short loc_A08111
		mov	ecx, eax
		lea	esi, [ecx+2]

loc_A080F1:				; CODE XREF: ExpCreateOutputEFI(x,x,x,x,x,x,x,x)+44j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A080F1
		sub	ecx, esi
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		mov	[ebp+var_24], eax
		lea	esi, ds:3Ch[ecx*2]

loc_A08111:				; CODE XREF: ExpCreateOutputEFI(x,x,x,x,x,x,x,x)+34j
		add	esi, 4
		mov	[ebp+var_38], esi
		cmp	[edx], esi
		jnb	short loc_A08125
		mov	eax, 0C0000023h
		jmp	loc_A08250
; 

loc_A08125:				; CODE XREF: ExpCreateOutputEFI(x,x,x,x,x,x,x,x)+63j
		push	6
		pop	ecx
		push	[ebp+arg_14]
		xor	eax, eax
		lea	edi, [ebp+var_20]
		rep stosd
		mov	eax, [ebp+var_2C]
		lea	edx, [ebp+var_30]
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		push	ebx
		push	ebx
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_28]
		push	eax
		call	_ExpFindDiskSignature@24 ; ExpFindDiskSignature(x,x,x,x,x,x)
		test	eax, eax
		js	loc_A08252
		mov	ecx, [ebp+var_28]
		lea	edx, [ebp+var_20]
		call	_ExpGetDriveGeometry@8 ; ExpGetDriveGeometry(x,x)
		test	eax, eax
		js	loc_A08252
		push	esi		; size_t
		push	ebx		; int
		mov	ebx, [ebp+var_34]
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+var_2C]
		add	esp, 0Ch
		mov	dword ptr [ebx], 1
		xor	ecx, ecx
		mov	[ebx+4], esi
		mov	dword ptr [ebx+8], 4
		add	ebx, 0Ch
		push	ecx
		push	[ebp+var_C]
		mov	dword ptr [ebx], 2A0104h
		mov	eax, [eax]
		mov	[ebx+4], eax
		mov	eax, [ebp+arg_8]
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		call	__aulldiv
		mov	[ebx+8], eax
		mov	eax, [ebp+arg_C]
		push	0
		push	[ebp+var_C]
		mov	[ebx+0Ch], edx
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		call	__aulldiv
		cmp	byte ptr [ebp+arg_14], 1
		mov	[ebx+10h], eax
		mov	[ebx+14h], edx
		jnz	short loc_A081DF
		mov	esi, edi
		lea	edi, [ebx+18h]
		push	2
		pop	eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_38]
		jmp	short loc_A081E6
; 

loc_A081DF:				; CODE XREF: ExpCreateOutputEFI(x,x,x,x,x,x,x,x)+116j
		mov	eax, [edi]
		mov	[ebx+18h], eax
		mov	al, 1

loc_A081E6:				; CODE XREF: ExpCreateOutputEFI(x,x,x,x,x,x,x,x)+127j
		mov	edx, [ebp+var_3C]
		mov	[ebx+28h], al
		mov	[ebx+29h], al
		test	edx, edx
		jz	short loc_A08236
		movzx	ecx, byte ptr [ebx+3]
		movzx	eax, byte ptr [ebx+2]
		shl	ecx, 8
		or	ecx, eax
		add	ebx, ecx
		mov	ecx, [ebp+var_24]
		lea	eax, [ecx+4]
		mov	word ptr [ebx],	404h
		mov	[ebx+2], al
		lea	eax, [ecx+4]
		shr	eax, 8
		mov	[ebx+3], al
		lea	eax, [ecx-2]
		push	eax		; size_t
		push	edx		; void *
		lea	eax, [ebx+4]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_24]
		add	esp, 0Ch
		shr	eax, 1
		xor	ecx, ecx
		mov	[ebx+eax*2+2], cx

loc_A08236:				; CODE XREF: ExpCreateOutputEFI(x,x,x,x,x,x,x,x)+13Bj
		movzx	ecx, byte ptr [ebx+3]
		movzx	eax, byte ptr [ebx+2]
		mov	edx, [ebp+var_40]
		shl	ecx, 8
		or	ecx, eax
		add	ebx, ecx
		xor	eax, eax
		mov	dword ptr [ebx], 4FF7Fh

loc_A08250:				; CODE XREF: ExpCreateOutputEFI(x,x,x,x,x,x,x,x)+6Aj
		mov	[edx], esi

loc_A08252:				; CODE XREF: ExpCreateOutputEFI(x,x,x,x,x,x,x,x)+99j
					; ExpCreateOutputEFI(x,x,x,x,x,x,x,x)+ACj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_ExpCreateOutputEFI@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCreateOutputNT(x, x, x, x)
_ExpCreateOutputNT@16 proc near		; CODE XREF: ExpConvertArcName(x,x,x,x,x,x)+A7p
					; ExpConvertSignatureName(x,x,x,x,x,x)+1E2p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, edx
		mov	ecx, [ebp+arg_0]
		push	edi
		mov	[ebp+var_4], eax
		movzx	edi, word ptr [ecx]
		add	edi, 2
		cmp	[ebp+arg_4], 0
		jz	short loc_A082A0
		mov	ecx, [ebp+arg_4]
		lea	edx, [ecx+2]

loc_A08288:				; CODE XREF: ExpCreateOutputNT(x,x,x,x)+2Ej
		mov	ax, [ecx]
		add	ecx, 2
		test	ax, ax
		jnz	short loc_A08288
		mov	eax, [ebp+var_4]
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		mov	ecx, [ebp+arg_0]

loc_A082A0:				; CODE XREF: ExpCreateOutputNT(x,x,x,x)+1Dj
		lea	ebx, [edi+2]
		add	edi, 0Eh
		shr	ebx, 1
		test	esi, esi
		jz	short loc_A082FE
		cmp	[eax], edi
		jb	short loc_A082FE
		mov	dword ptr [esi], 1
		mov	[esi+4], edi
		mov	dword ptr [esi+8], 3
		add	esi, 0Ch
		push	dword ptr [ecx+4]
		push	ebx
		push	esi
		call	_wcscpy_s
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		movzx	eax, word ptr [eax]
		add	eax, 2
		add	eax, esi
		cmp	[ebp+arg_4], 0
		jz	short loc_A082F0
		push	[ebp+arg_4]
		push	ebx
		push	eax
		call	_wcscpy_s
		add	esp, 0Ch
		jmp	short loc_A082F5
; 

loc_A082F0:				; CODE XREF: ExpCreateOutputNT(x,x,x,x)+7Cj
		xor	ecx, ecx
		mov	[eax], cx

loc_A082F5:				; CODE XREF: ExpCreateOutputNT(x,x,x,x)+8Bj
		mov	eax, [ebp+var_4]
		mov	[eax], edi
		xor	eax, eax
		jmp	short loc_A08305
; 

loc_A082FE:				; CODE XREF: ExpCreateOutputNT(x,x,x,x)+47j
					; ExpCreateOutputNT(x,x,x,x)+4Bj
		mov	[eax], edi
		mov	eax, 0C0000023h

loc_A08305:				; CODE XREF: ExpCreateOutputNT(x,x,x,x)+99j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_ExpCreateOutputNT@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCreateOutputSIGNATURE(x,	x, x, x, x, x, x, x)
_ExpCreateOutputSIGNATURE@32 proc near	; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+33Fp
					; ExpTranslateNtPath(x,x,x,x):loc_A0A946p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	ebx, ebx
		mov	eax, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_14], 1
		mov	esi, edx
		mov	[ebp+var_14], esi
		setz	bl
		mov	[ebp+var_1C], edi
		dec	ebx
		mov	[ebp+var_18], edi
		and	ebx, 0FFFFFFE2h
		add	ebx, 5Dh
		cmp	[ebp+arg_10], edi
		jz	short loc_A0835D
		mov	ecx, [ebp+arg_10]
		lea	edx, [ecx+2]

loc_A08344:				; CODE XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)+41j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_A08344
		mov	eax, [ebp+var_4]
		sub	ecx, edx
		sar	ecx, 1
		mov	[ebp+var_C], ecx
		add	ebx, ecx
		jmp	short loc_A08360
; 

loc_A0835D:				; CODE XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)+30j
		mov	[ebp+var_C], edi

loc_A08360:				; CODE XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)+4Fj
		lea	ecx, ds:0Ch[ebx*2]
		mov	[ebp+var_10], ecx
		cmp	[esi], ecx
		jnb	short loc_A08378
		mov	edi, 0C0000023h
		jmp	loc_A0849C
; 

loc_A08378:				; CODE XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)+60j
		push	offset ??_C@_1BG@LICCKJDG@?$AAs?$AAi?$AAg?$AAn?$AAa?$AAt?$AAu?$AAr?$AAe?$AA?$CI@NNGAKEGL@ ; "signature("
		lea	esi, [eax+0Ch]
		mov	dword ptr [eax], 1
		push	ebx
		push	esi
		mov	[eax+4], ecx
		mov	dword ptr [eax+8], 2
		call	_wcscpy_s
		add	esp, 0Ch
		lea	ecx, [esi+2]

loc_A0839D:				; CODE XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)+9Aj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, di
		jnz	short loc_A0839D
		sub	esi, ecx
		sar	esi, 1
		cmp	[ebp+arg_14], 1
		mov	[ebp+var_8], esi
		jnz	short loc_A083F5
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+var_1C]
		push	1
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		test	eax, eax
		js	loc_A084A0
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		push	[ebp+var_18]
		add	ecx, 0Ch
		sub	eax, esi
		push	eax
		lea	eax, [ecx+esi*2]
		push	eax
		call	_wcscat_s
		add	esp, 0Ch
		push	edi
		push	[ebp+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		movzx	esi, word ptr [ebp+var_1C]
		shr	esi, 1
		jmp	short loc_A08429
; 

loc_A083F5:				; CODE XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)+A7j
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		add	ecx, 0Ch
		push	dword ptr [eax]
		mov	eax, ebx
		sub	eax, [ebp+var_8]
		lea	esi, [ecx+esi*2]
		push	offset ??_C@_19HGGOABND@?$AA?$CF?$AA0?$AA8?$AAx@NNGAKEGL@ ; "%08x"
		push	eax
		push	esi
		call	_swprintf_s
		add	esp, 10h
		lea	ecx, [esi+2]

loc_A0841A:				; CODE XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)+117j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, di
		jnz	short loc_A0841A
		sub	esi, ecx
		sar	esi, 1

loc_A08429:				; CODE XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)+E7j
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+var_8]
		add	ecx, esi
		mov	esi, [ebp+var_4]
		add	esi, 0Ch
		mov	dword ptr [ebp+arg_14],	ecx
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		mov	eax, [ebp+arg_8]
		lea	esi, [esi+ecx*2]
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		mov	eax, [ebp+arg_4]
		push	dword ptr [eax]
		mov	eax, ebx
		push	offset ??_C@_1DC@LDEPDMGP@?$AA?9?$AA?$CF?$AA0?$AA8?$AAx?$AA?9?$AA?$CF?$AA0?$AA1?$AA6?$AAI?$AA6?$AA4?$AAx?$AA?9@NNGAKEGL@
		sub	eax, ecx
		push	eax
		push	esi
		call	_swprintf_s
		add	esp, 20h
		lea	ecx, [esi+2]

loc_A08465:				; CODE XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)+162j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, di
		jnz	short loc_A08465
		mov	eax, dword ptr [ebp+arg_14]
		sub	esi, ecx
		sar	esi, 1
		add	eax, esi
		cmp	[ebp+var_C], edi
		jz	short loc_A08496
		mov	ecx, [ebp+var_4]
		sub	ebx, eax
		push	[ebp+arg_10]
		push	ebx
		lea	ecx, [ecx+eax*2]
		add	ecx, 0Ch
		push	ecx
		call	_wcscpy_s
		add	esp, 0Ch

loc_A08496:				; CODE XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)+170j
		mov	ecx, [ebp+var_10]
		mov	esi, [ebp+var_14]

loc_A0849C:				; CODE XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)+67j
		mov	[esi], ecx
		mov	eax, edi

loc_A084A0:				; CODE XREF: ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)+B8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_ExpCreateOutputSIGNATURE@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpFindArcName(x, x)
_ExpFindArcName@8 proc near		; CODE XREF: ExpCreateOutputARC(x,x,x,x)+1Cp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_24], edx
		push	72766E45h
		push	12h
		push	200h
		mov	[ebp+var_20], ecx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_1], bl
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A084F3
		mov	eax, 0C000009Ah
		jmp	loc_A086F6
; 

loc_A084F3:				; CODE XREF: ExpFindArcName(x,x)+40j
		push	offset ??_C@_1BC@OAEIEHDI@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@
		push	9
		push	esi
		call	_wcscpy_s
		add	esp, 0Ch
		lea	eax, [ebp+var_2C]
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_4C], 18h
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	1
		lea	eax, [ebp+var_C]
		mov	[ebp+var_48], ebx
		push	eax
		mov	[ebp+var_40], 240h
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		call	_ZwOpenDirectoryObject@12 ; ZwOpenDirectoryObject(x,x,x)
		push	ebx
		push	esi
		mov	edi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jns	short loc_A0854D
		mov	eax, edi
		jmp	loc_A086F6
; 

loc_A0854D:				; CODE XREF: ExpFindArcName(x,x)+9Dj
		push	offset ??_C@_1BK@KDPOKCA@?$AAS?$AAy?$AAm?$AAb?$AAo?$AAl?$AAi?$AAc?$AAL?$AAi?$AAn?$AAk@NNGAKEGL@
		lea	eax, [ebp+var_34]
		mov	[ebp+var_18], ebx
		push	eax
		mov	edi, ebx
		mov	byte ptr [ebp+var_10], 1
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_A08564:				; CODE XREF: ExpFindArcName(x,x)+13Bj
					; ExpFindArcName(x,x)+1DBj
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_10]
		push	1
		push	ebx
		push	edi
		push	[ebp+var_C]
		call	_ZwQueryDirectoryObject@28 ; ZwQueryDirectoryObject(x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_A085C5
		mov	ebx, [ebp+var_8]
		mov	[ebp+var_18], ebx
		test	edi, edi
		jz	short loc_A08594
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A08594:				; CODE XREF: ExpFindArcName(x,x)+E3j
		push	72766E45h
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A08687
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_10]
		push	1
		push	ebx
		push	edi
		push	[ebp+var_C]
		call	_ZwQueryDirectoryObject@28 ; ZwQueryDirectoryObject(x,x,x,x,x,x,x)

loc_A085C5:				; CODE XREF: ExpFindArcName(x,x)+D9j
		mov	byte ptr [ebp+var_10], 0
		test	eax, eax
		js	loc_A086C5
		push	0
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [edi+8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A08564
		movzx	eax, word ptr [edi]
		add	eax, 12h
		mov	[ebp+var_8], eax
		add	eax, 2
		push	72766E45h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_A086BE
		mov	eax, [ebp+var_8]
		movzx	esi, word ptr [edi]
		shr	eax, 1
		shr	esi, 1
		inc	eax
		push	offset ??_C@_1BE@HOPMDIJK@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2@NNGAKEGL@
		push	eax
		push	ebx
		mov	[ebp+var_1C], esi
		call	_wcscpy_s
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		shr	eax, 1
		inc	eax
		push	esi
		push	dword ptr [edi+4]
		push	eax
		push	ebx
		call	_wcsncat_s
		mov	eax, [ebp+var_8]
		lea	edx, [ebp+var_2C]
		shr	eax, 1
		xor	ecx, ecx
		add	esp, 10h
		mov	[ebx+eax*2], cx
		mov	ecx, ebx
		call	_ExpTranslateSymbolicLink@8 ; ExpTranslateSymbolicLink(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A086B4
		push	1
		push	[ebp+var_20]
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		push	0
		push	[ebp+var_28]
		mov	[ebp+var_1], al
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+var_1], 1
		jz	short loc_A0868E
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_18]
		jmp	loc_A08564
; 

loc_A08687:				; CODE XREF: ExpFindArcName(x,x)+101j
		mov	esi, 0C000009Ah
		jmp	short loc_A086EC
; 

loc_A0868E:				; CODE XREF: ExpFindArcName(x,x)+1CEj
		push	[ebp+var_1C]
		mov	eax, [ebp+var_8]
		push	dword ptr [edi+4]
		shr	eax, 1
		inc	eax
		push	eax
		push	ebx
		call	_wcsncpy_s
		mov	eax, [ebp+var_1C]
		add	esp, 10h
		xor	ecx, ecx
		mov	[ebx+eax*2], cx
		mov	eax, [ebp+var_24]
		mov	[eax], ebx
		jmp	short loc_A086D1
; 

loc_A086B4:				; CODE XREF: ExpFindArcName(x,x)+1ADj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A086D1
; 

loc_A086BE:				; CODE XREF: ExpFindArcName(x,x)+15Dj
		mov	esi, 0C000009Ah
		jmp	short loc_A086E0
; 

loc_A086C5:				; CODE XREF: ExpFindArcName(x,x)+124j
		lea	esi, [eax+7FFFFFE6h]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_A086D1:				; CODE XREF: ExpFindArcName(x,x)+20Bj
					; ExpFindArcName(x,x)+215j
		test	esi, esi
		js	short loc_A086E0
		cmp	[ebp+var_1], 0
		jnz	short loc_A086E0
		mov	esi, 0C000003Ah

loc_A086E0:				; CODE XREF: ExpFindArcName(x,x)+21Cj
					; ExpFindArcName(x,x)+22Cj ...
		test	edi, edi
		jz	short loc_A086EC
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A086EC:				; CODE XREF: ExpFindArcName(x,x)+1E5j
					; ExpFindArcName(x,x)+23Bj
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi

loc_A086F6:				; CODE XREF: ExpFindArcName(x,x)+47j
					; ExpFindArcName(x,x)+A1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpFindArcName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpFindDiskSignature(x, x, x, x, x,	x)
_ExpFindDiskSignature@24 proc near	; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+10Ap
					; ExpCreateOutputEFI(x,x,x,x,x,x,x,x)+92p ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_48], eax
		lea	edi, [ebp+var_1C]
		mov	eax, [ebp+arg_4]
		xor	esi, esi
		push	6
		mov	[ebp+var_4C], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_34], ecx
		pop	ecx
		mov	[ebp+var_50], eax
		xor	eax, eax
		push	eax
		rep stosd
		mov	[ebp+var_1D], al
		lea	eax, [ebp+var_1C]
		push	18h
		push	eax
		push	7
		mov	[ebp+var_40], edx
		mov	[ebp+var_30], esi
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A08869
		push	72766E45h
		push	4Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_2C], eax
		test	eax, eax
		jnz	short loc_A08776
		mov	eax, 0C000009Ah
		jmp	loc_A08869
; 

loc_A08776:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+6Fj
		xor	ecx, ecx
		cmp	[ebp+arg_C], 1
		setz	cl
		mov	[ebp+var_44], ecx
		xor	ecx, ecx
		mov	[ebp+var_24], ecx
		cmp	[ebp+var_1C], ecx
		jbe	loc_A088DF

loc_A08790:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+1D0j
		push	ecx
		push	offset ??_C@_1DO@MBBMDLHJ@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@NNGAKEGL@
		push	26h
		push	eax
		call	_swprintf_s
		mov	ecx, [ebp+var_2C]
		lea	edx, [ebp+var_30]
		add	esp, 10h
		call	_ExpGetPartitionTableInfo@8 ; ExpGetPartitionTableInfo(x,x)
		mov	esi, [ebp+var_30]
		mov	edi, eax
		test	edi, edi
		js	loc_A088BC
		mov	eax, [ebp+var_44]
		cmp	[esi], eax
		jnz	loc_A088B4
		cmp	[ebp+arg_C], 1
		jz	short loc_A087D8
		mov	ecx, [ebp+var_34]
		mov	eax, [esi+8]
		cmp	eax, [ecx]
		jnz	loc_A088B4

loc_A087D8:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+CDj
		mov	eax, [esi+4]
		xor	ecx, ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_38], eax
		test	eax, eax
		jz	loc_A088A9
		mov	edx, [ebp+var_38]
		lea	eax, [esi+60h]
		mov	[ebp+var_3C], eax

loc_A087F4:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+1A8j
		cmp	[ebp+arg_C], 1
		lea	ebx, [eax-30h]
		jz	short loc_A0887A
		mov	ecx, [ebp+var_40]
		mov	eax, [eax-18h]
		cmp	eax, [ecx]
		mov	ecx, [ebp+var_28]
		jnz	loc_A08892
		mov	al, 1

loc_A08810:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+1B3j
		mov	ecx, [ebp+var_24]

loc_A08813:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+1DFj
					; ExpFindDiskSignature(x,x,x,x,x,x)+1E6j
		test	edi, edi
		js	short loc_A08820
		test	al, al
		jnz	short loc_A08820
		mov	edi, 0C000003Ah

loc_A08820:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+11Aj
					; ExpFindDiskSignature(x,x,x,x,x,x)+11Ej
		cmp	al, 1
		jnz	short loc_A0885D
		mov	edx, [ebp+var_40]
		mov	eax, [ebx+18h]
		mov	[edx], eax
		mov	eax, [ebp+var_48]
		mov	[eax], ecx
		mov	ecx, [ebp+var_4C]
		test	ecx, ecx
		jz	short loc_A08843
		mov	eax, [ebx+8]
		mov	[ecx], eax
		mov	eax, [ebx+0Ch]
		mov	[ecx+4], eax

loc_A08843:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+13Bj
		mov	ecx, [ebp+var_50]
		test	ecx, ecx
		jz	short loc_A08855
		mov	eax, [ebx+10h]
		mov	[ecx], eax
		mov	eax, [ebx+14h]
		mov	[ecx+4], eax

loc_A08855:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+14Dj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0885D:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+127j
		push	0
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi

loc_A08869:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+53j
					; ExpFindDiskSignature(x,x,x,x,x,x)+76j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_A0887A:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+100j
		push	10h		; size_t
		push	[ebp+var_34]	; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A088D0
		mov	ecx, [ebp+var_28]
		mov	edx, [ebp+var_38]

loc_A08892:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+10Dj
		mov	eax, [ebp+var_3C]
		inc	ecx
		add	eax, 90h
		mov	[ebp+var_28], ecx
		mov	[ebp+var_3C], eax
		cmp	ecx, edx
		jb	loc_A087F4

loc_A088A9:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+EAj
		mov	al, [ebp+var_1D]

loc_A088AC:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+1DAj
		cmp	al, 1
		jz	loc_A08810

loc_A088B4:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+C3j
					; ExpFindDiskSignature(x,x,x,x,x,x)+D7j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A088BC:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+B8j
		mov	ecx, [ebp+var_24]
		inc	ecx
		mov	[ebp+var_24], ecx
		cmp	ecx, [ebp+var_1C]
		jnb	short loc_A088D7
		mov	eax, [ebp+var_2C]
		jmp	loc_A08790
; 

loc_A088D0:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+18Fj
		mov	al, 1
		mov	[ebp+var_1D], al
		jmp	short loc_A088AC
; 

loc_A088D7:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+1CBj
		mov	al, [ebp+var_1D]
		jmp	loc_A08813
; 

loc_A088DF:				; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+8Fj
		mov	al, cl
		jmp	loc_A08813
_ExpFindDiskSignature@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpFirmwareAccessAppContainerCheck(x)
_ExpFirmwareAccessAppContainerCheck@4 proc near
					; CODE XREF: NtQuerySystemEnvironmentValueEx+1300E4p
					; ExpGetSystemFirmwareTableInformation+1301DDp	...

var_FA		= byte ptr -0FAh
var_F9		= byte ptr -0F9h
var_F8		= dword	ptr -0F8h
var_F4		= word ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_B8		= dword	ptr -0B8h
var_A8		= dword	ptr -0A8h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0FCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0FCh+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		xor	eax, eax
		mov	[esp+10Ch+var_F4], 500h
		mov	edx, ecx
		mov	[esp+10Ch+var_EC], eax
		pop	ecx
		lea	edi, [esp+108h+var_D0]
		mov	[esp+108h+var_F0], eax
		rep stosd
		mov	esi, offset ??_C@_1O@JECJKAGA@?$AAs?$AAm?$AAb?$AAi?$AAo?$AAs@NNGAKEGL@ ; "smbios"
		mov	[esp+108h+var_F8], eax
		push	0Ch
		pop	eax
		lea	edi, [esp+108h+var_B8]
		mov	word ptr [esp+108h+var_D8], ax
		movsd
		push	0Eh
		pop	eax
		push	12h
		movsd
		pop	ecx
		mov	word ptr [esp+108h+var_D8+2], ax
		lea	eax, [esp+108h+var_B8]
		push	48h
		movsd
		mov	[esp+10Ch+var_D4], eax
		pop	eax
		push	4Ah
		movsw
		mov	esi, offset ??_C@_1EK@PAILGCFE@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?4?$AAf?$AAi?$AAr?$AAm?$AAw@NNGAKEGL@
		mov	word ptr [esp+10Ch+var_E0], ax
		lea	edi, [esp+10Ch+var_A8]
		rep movsd
		pop	ebx
		push	13h
		pop	ecx
		lea	eax, [esp+108h+var_A8]
		movsw
		mov	[esp+108h+var_DC], eax
		lea	edi, [esp+108h+var_58]
		push	4Ch
		pop	eax
		mov	word ptr [esp+108h+var_E0+2], bx
		mov	esi, offset ??_C@_1EM@LIJBLPKM@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?4?$AAf?$AAi?$AAr?$AAm?$AAw@NNGAKEGL@ ;	"Microsoft.firmwareWrite_cw5n1h2txyewy"
		mov	word ptr [esp+108h+var_E8], bx
		xor	ebx, ebx
		mov	word ptr [esp+108h+var_E8+2], ax
		lea	eax, [esp+108h+var_58]
		mov	[esp+108h+var_E4], eax
		rep movsd
		sub	edx, ebx
		jz	loc_A08A8A
		sub	edx, 1
		jz	short loc_A089C4
		sub	edx, 1
		jnz	short loc_A089BD

loc_A089B0:				; CODE XREF: ExpFirmwareAccessAppContainerCheck(x)+E9j
		lea	ecx, [esp+108h+var_E8]
		call	_ExpCapabilityCheck@4 ;	ExpCapabilityCheck(x)
		test	al, al
		jnz	short loc_A089D1

loc_A089BD:				; CODE XREF: ExpFirmwareAccessAppContainerCheck(x)+C8j
					; ExpFirmwareAccessAppContainerCheck(x)+117j ...
		xor	al, al
		jmp	loc_A08A93
; 

loc_A089C4:				; CODE XREF: ExpFirmwareAccessAppContainerCheck(x)+C3j
		lea	ecx, [esp+108h+var_E0]
		call	_ExpCapabilityCheck@4 ;	ExpCapabilityCheck(x)
		test	al, al
		jz	short loc_A089B0

loc_A089D1:				; CODE XREF: ExpFirmwareAccessAppContainerCheck(x)+D5j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	byte ptr [eax+3A6h], 81h
		jz	short loc_A089FF
		push	ebx
		push	ebx
		push	offset _ExpInitExpCheckTestSigningInfo@12 ; ExpInitExpCheckTestSigningInfo(x,x,x)
		push	offset _ExpCheckTestSigningInit
		call	RtlRunOnceExecuteOnce
		cmp	_ExpTestSigningEnabled,	bl
		jz	short loc_A089BD

loc_A089FF:				; CODE XREF: ExpFirmwareAccessAppContainerCheck(x)+FEj
		push	2
		lea	eax, [esp+10Ch+var_F8]
		mov	[esp+10Ch+var_F9], bl
		push	eax
		lea	eax, [esp+110h+var_D0]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	ebx
		lea	eax, [esp+10Ch+var_D0]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	1
		mov	dword ptr [eax], 20h
		lea	eax, [esp+10Ch+var_D0]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 220h
		lea	eax, [esp+108h+var_F0]
		push	eax
		push	4
		lea	eax, [esp+110h+var_EC]
		push	eax
		push	13h
		push	0FFFFFFFAh
		call	_ZwQueryInformationToken@20 ; ZwQueryInformationToken(x,x,x,x,x)
		test	eax, eax
		js	loc_A089BD
		cmp	[esp+108h+var_F0], 4
		jnz	loc_A089BD
		lea	eax, [esp+0Fh]
		push	eax
		push	1
		lea	ecx, [esp+110h+var_D0]
		push	ecx
		push	[esp+114h+var_EC]
		call	_RtlCheckTokenMembershipEx@16 ;	RtlCheckTokenMembershipEx(x,x,x,x)
		test	eax, eax
		js	loc_A089BD
		cmp	[esp+108h+var_F9], bl
		jz	loc_A089BD
		mov	al, 1
		jmp	short loc_A08A93
; 

loc_A08A8A:				; CODE XREF: ExpFirmwareAccessAppContainerCheck(x)+BAj
		lea	ecx, [esp+108h+var_D8]
		call	_ExpCapabilityCheck@4 ;	ExpCapabilityCheck(x)

loc_A08A93:				; CODE XREF: ExpFirmwareAccessAppContainerCheck(x)+D9j
					; ExpFirmwareAccessAppContainerCheck(x)+1A2j
		mov	ecx, [esp+108h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_ExpFirmwareAccessAppContainerCheck@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetDriveGeometry(x, x)
_ExpGetDriveGeometry@8 proc near	; CODE XREF: ExpCreateOutputEFI(x,x,x,x,x,x,x,x)+A5p
					; ExpTranslateEfiPath(x,x,x,x)+1DDp ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		push	72766E45h
		xor	eax, eax
		mov	ebx, edx
		push	4Ch
		push	200h
		mov	esi, ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A08AE3
		mov	esi, 0C000009Ah
		jmp	loc_A08B82
; 

loc_A08AE3:				; CODE XREF: ExpGetDriveGeometry(x,x)+2Fj
		push	esi
		push	offset ??_C@_1DO@MBBMDLHJ@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@NNGAKEGL@
		push	26h
		push	edi
		call	_swprintf_s
		add	esp, 10h
		lea	eax, [ebp+var_C]
		push	edi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	60h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_24], eax
		xor	ecx, ecx
		push	3
		lea	eax, [ebp+var_14]
		mov	[ebp+var_28], ecx
		push	eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_20], 240h
		push	eax
		push	100080h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_1C], ecx
		push	eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A08B7A
		push	18h
		push	ebx
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		push	ecx
		push	ecx
		push	70000h
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_4]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_A08B7A
		cmp	dword ptr [ebx+14h], 200h
		jnb	short loc_A08B7A
		mov	esi, 0C0000001h

loc_A08B7A:				; CODE XREF: ExpGetDriveGeometry(x,x)+99j
					; ExpGetDriveGeometry(x,x)+C2j	...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A08B82:				; CODE XREF: ExpGetDriveGeometry(x,x)+36j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_ExpGetDriveGeometry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetFirmwareEnvironmentVariable(x, x, x, x, x, x)
_ExpGetFirmwareEnvironmentVariable@24 proc near
					; CODE XREF: NtQuerySystemEnvironmentValueEx+1300CDp
					; NtQuerySystemEnvironmentValueEx+13021Dp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	edx, [esi]
		test	edx, edx
		jz	short loc_A08BC2
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	[ebp+arg_C]
		call	ExLockUserBuffer
		test	eax, eax
		js	short loc_A08C10

loc_A08BC2:				; CODE XREF: ExpGetFirmwareEnvironmentVariable(x,x,x,x,x,x)+1Ej
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpEnvironmentLock
		call	ExAcquireFastMutexUnsafe
		push	[ebp+arg_8]
		mov	edx, edi
		mov	ecx, ebx
		push	esi
		push	[ebp+var_4]
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	ecx, offset _ExpEnvironmentLock
		mov	esi, eax
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_A08C0E
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)

loc_A08C0E:				; CODE XREF: ExpGetFirmwareEnvironmentVariable(x,x,x,x,x,x)+7Ej
		mov	eax, esi

loc_A08C10:				; CODE XREF: ExpGetFirmwareEnvironmentVariable(x,x,x,x,x,x)+37j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_ExpGetFirmwareEnvironmentVariable@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpGetPartitionTableInfo(x,	x)
_ExpGetPartitionTableInfo@8 proc near	; CODE XREF: ExpFindDiskSignature(x,x,x,x,x,x)+ACp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edx
		push	ecx
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], edi
		push	eax
		mov	[ebp+var_C], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_4], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	60h
		lea	eax, [ebp+var_10]
		mov	[ebp+var_30], 18h
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_18]
		push	3
		push	eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_2C], edi
		push	eax
		push	100080h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_24], 240h
		push	eax
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A08CE8
		push	72766E45h
		mov	ebx, 930h
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		jmp	short loc_A08CD5
; 

loc_A08C92:				; CODE XREF: ExpGetPartitionTableInfo(x,x)+C2j
		push	ebx
		push	esi
		push	edi
		push	edi
		push	70050h
		lea	eax, [ebp+var_18]
		push	eax
		push	edi
		push	edi
		push	edi
		push	[ebp+var_4]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_A08CED
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	edi, 0C0000023h
		jnz	short loc_A08CF2
		push	72766E45h
		add	ebx, ebx
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	0
		pop	edi

loc_A08CD5:				; CODE XREF: ExpGetPartitionTableInfo(x,x)+79j
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A08C92
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, 0C000009Ah

loc_A08CE8:				; CODE XREF: ExpGetPartitionTableInfo(x,x)+62j
					; ExpGetPartitionTableInfo(x,x)+E5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A08CED:				; CODE XREF: ExpGetPartitionTableInfo(x,x)+97j
		mov	eax, [ebp+var_8]
		mov	[eax], esi

loc_A08CF2:				; CODE XREF: ExpGetPartitionTableInfo(x,x)+A7j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, edi
		jmp	short loc_A08CE8
_ExpGetPartitionTableInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpIsBootEntry(void *,int)
_ExpIsBootEntry@8 proc near		; DATA XREF: NtEnumerateBootEntries(x,x)+181o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	10h		; size_t
		push	offset _EfiBootVariablesGuid ; void *
		push	[ebp+arg_0]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A08D2C
		mov	ecx, [ebp+arg_4]
		lea	edx, [ebp+arg_0]
		call	_ExpTranslateBootEntryNameToId@8 ; ExpTranslateBootEntryNameToId(x,x)
		test	eax, eax
		jz	short loc_A08D2C
		mov	al, 1
		jmp	short loc_A08D2E
; 

loc_A08D2C:				; CODE XREF: ExpIsBootEntry(x,x)+19j
					; ExpIsBootEntry(x,x)+28j
		xor	al, al

loc_A08D2E:				; CODE XREF: ExpIsBootEntry(x,x)+2Cj
		pop	ebp
		retn	8
_ExpIsBootEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpIsDriverEntry(void *,int)
_ExpIsDriverEntry@8 proc near		; DATA XREF: NtEnumerateDriverEntries(x,x)+124o
					; NtEnumerateDriverEntries(x,x)+16Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	10h		; size_t
		push	offset _EfiDriverVariablesGuid ; void *
		push	[ebp+arg_0]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A08D60
		mov	ecx, [ebp+arg_4]
		lea	edx, [ebp+arg_0]
		call	_ExpTranslateDriverEntryNameToId@8 ; ExpTranslateDriverEntryNameToId(x,x)
		test	eax, eax
		jz	short loc_A08D60
		mov	al, 1
		jmp	short loc_A08D62
; 

loc_A08D60:				; CODE XREF: ExpIsDriverEntry(x,x)+19j
					; ExpIsDriverEntry(x,x)+28j
		xor	al, al

loc_A08D62:				; CODE XREF: ExpIsDriverEntry(x,x)+2Cj
		pop	ebp
		retn	8
_ExpIsDriverEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpParseArcPathName(x, x, x, x, x)
_ExpParseArcPathName@20	proc near	; CODE XREF: ExpTranslateArcPath(x,x,x,x)+2Ep

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	[ebp+var_28], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_4]
		push	edi
		mov	edi, ecx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_24], edx
		mov	[ebp+var_30], eax
		mov	[ebp+var_1E], bl
		mov	[ebp+var_1D], 1
		test	edi, edi
		jz	loc_A08E4B
		push	offset ??_C@_1BG@LICCKJDG@?$AAs?$AAi?$AAg?$AAn?$AAa?$AAt?$AAu?$AAr?$AAe?$AA?$CI@NNGAKEGL@ ; "signature("
		lea	eax, [ebp+var_1C]
		push	0Bh
		push	eax
		call	_wcscpy_s
		add	esp, 0Ch
		mov	esi, ebx

loc_A08DB8:				; CODE XREF: ExpParseArcPathName(x,x,x,x,x)+68j
		movzx	eax, word ptr [edi+esi*2]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		cmp	ax, word ptr [ebp+esi*2+var_1C]
		jnz	short loc_A08DD5
		inc	esi
		cmp	esi, 0Ah
		jb	short loc_A08DB8
		mov	al, [ebp+var_1D]
		jmp	short loc_A08DDA
; 

loc_A08DD5:				; CODE XREF: ExpParseArcPathName(x,x,x,x,x)+62j
		mov	al, bl
		mov	[ebp+var_1D], al

loc_A08DDA:				; CODE XREF: ExpParseArcPathName(x,x,x,x,x)+6Dj
		cmp	al, 1
		jnz	short loc_A08DE1
		add	edi, 14h

loc_A08DE1:				; CODE XREF: ExpParseArcPathName(x,x,x,x,x)+76j
		movzx	ecx, word ptr [edi]
		mov	eax, ebx
		test	cx, cx
		jz	short loc_A08E26
		push	5Ch
		mov	edx, edi
		pop	esi

loc_A08DF0:				; CODE XREF: ExpParseArcPathName(x,x,x,x,x)+BAj
		cmp	cx, si
		jz	short loc_A08E24
		cmp	[ebp+var_1D], 1
		jnz	short loc_A08E16
		cmp	cx, 29h
		jnz	short loc_A08E16
		movzx	ecx, word ptr [edx+2]
		mov	[ebp+var_1E], 1
		mov	[ebp+var_1D], bl
		cmp	cx, si
		jz	short loc_A08E16
		test	cx, cx
		jnz	short loc_A08E4B

loc_A08E16:				; CODE XREF: ExpParseArcPathName(x,x,x,x,x)+93j
					; ExpParseArcPathName(x,x,x,x,x)+99j ...
		inc	eax
		lea	edx, [edi+eax*2]
		movzx	ecx, word ptr [edx]
		test	cx, cx
		jnz	short loc_A08DF0
		jmp	short loc_A08E26
; 

loc_A08E24:				; CODE XREF: ExpParseArcPathName(x,x,x,x,x)+8Dj
		mov	ebx, edx

loc_A08E26:				; CODE XREF: ExpParseArcPathName(x,x,x,x,x)+83j
					; ExpParseArcPathName(x,x,x,x,x)+BCj
		cmp	[ebp+var_1D], 1
		jz	short loc_A08E4B
		test	eax, eax
		jz	short loc_A08E4B
		mov	ecx, [ebp+var_24]
		mov	[ecx], edi
		mov	ecx, [ebp+var_28]
		mov	[ecx], ebx
		mov	ecx, [ebp+var_2C]
		mov	[ecx], eax
		mov	ecx, [ebp+var_30]
		mov	al, [ebp+var_1E]
		mov	[ecx], al
		xor	eax, eax
		jmp	short loc_A08E50
; 

loc_A08E4B:				; CODE XREF: ExpParseArcPathName(x,x,x,x,x)+37j
					; ExpParseArcPathName(x,x,x,x,x)+AEj ...
		mov	eax, 0C000000Dh

loc_A08E50:				; CODE XREF: ExpParseArcPathName(x,x,x,x,x)+E3j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_ExpParseArcPathName@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpParseEfiPath(x, x, x, x)
_ExpParseEfiPath@16 proc near		; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+77p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], edx
		xor	ecx, ecx
		and	[ebp+var_C], ecx
		and	[ebp+var_8], ecx
		push	edi
		mov	[ebp+var_4], ecx
		mov	edi, 0C000000Dh

loc_A08E81:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+45j
		mov	al, [esi]
		and	al, 7Fh
		cmp	al, 7Fh
		jz	loc_A09030
		cmp	al, 4
		jnz	short loc_A08E97
		cmp	byte ptr [esi+1], 1
		jz	short loc_A08EA8

loc_A08E97:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+2Ej
		movzx	ecx, byte ptr [esi+3]
		movzx	eax, byte ptr [esi+2]
		shl	ecx, 8
		or	ecx, eax
		add	esi, ecx
		jmp	short loc_A08E81
; 

loc_A08EA8:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+34j
		movzx	ebx, byte ptr [esi+3]
		xor	ecx, ecx
		movzx	eax, byte ptr [esi+2]
		shl	ebx, 8
		or	ebx, eax
		mov	[ebp+var_10], esi
		lea	eax, [ebp+var_8]
		mov	edx, ebx
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A09030
		add	esi, ebx
		mov	cl, [esi]
		mov	al, cl
		and	al, 7Fh
		cmp	al, 4
		jnz	short loc_A08F2E
		cmp	[esi+1], al
		jnz	short loc_A08F2E
		mov	[ebp+var_4], esi

loc_A08EE3:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+C7j
		movzx	ebx, byte ptr [esi+3]
		movzx	eax, byte ptr [esi+2]
		mov	ecx, [ebp+var_C]
		shl	ebx, 8
		or	ebx, eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	edx, [ebx-4]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A08F2C
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_8]
		push	eax
		mov	edx, ebx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A08F2C
		add	esi, ebx
		mov	cl, [esi]
		mov	al, cl
		and	al, 7Fh
		cmp	al, 4
		jnz	short loc_A08F2E
		cmp	[esi+1], al
		jz	short loc_A08EE3
		jmp	short loc_A08F2E
; 

loc_A08F2C:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+A2j
					; ExpParseEfiPath(x,x,x,x)+B6j
		mov	cl, [esi]

loc_A08F2E:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+78j
					; ExpParseEfiPath(x,x,x,x)+7Dj	...
		and	cl, 7Fh
		cmp	cl, 7Fh
		jz	short loc_A08F3B
		mov	edi, 0C000000Dh

loc_A08F3B:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+D3j
		test	edi, edi
		js	loc_A09030
		mov	ebx, [ebp+var_10]
		mov	al, [ebx+29h]
		cmp	al, 2
		jnz	short loc_A08F51
		mov	cl, 1
		jmp	short loc_A08F5B
; 

loc_A08F51:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+EAj
		cmp	al, 1
		jnz	loc_A09039
		xor	cl, cl

loc_A08F5B:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+EEj
		mov	eax, [ebp+arg_4]
		mov	[eax], cl
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	loc_A08FFB
		add	eax, 2
		push	72766E45h
		push	eax
		push	200h
		mov	[ebp+arg_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A08FE7
		mov	ebx, [ebp+var_4]
		xor	edx, edx

loc_A08F8C:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+17Cj
		mov	al, [ebx]
		and	al, 7Fh
		mov	[ebp+var_C], edx
		cmp	al, 7Fh
		jz	short loc_A08FEE
		mov	ecx, [ebp+var_4]
		movzx	ebx, byte ptr [ebx+3]
		shl	ebx, 8
		movzx	eax, byte ptr [ecx+2]
		or	ebx, eax
		sub	ebx, 4
		cmp	ebx, [ebp+arg_4]
		jnb	short loc_A08FDF
		lea	eax, [ecx+4]
		push	ebx		; size_t
		push	eax		; void *
		lea	eax, [esi+edx]
		push	eax		; void *
		call	_memcpy
		mov	edx, [ebp+var_C]
		add	esp, 0Ch
		sub	[ebp+arg_4], ebx
		add	edx, ebx
		mov	ebx, [ebp+var_4]
		movzx	ecx, byte ptr [ebx+3]
		movzx	eax, byte ptr [ebx+2]
		shl	ecx, 8
		or	ecx, eax
		add	ebx, ecx
		mov	[ebp+var_4], ebx
		jmp	short loc_A08F8C
; 

loc_A08FDF:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+14Cj
					; ExpParseEfiPath(x,x,x,x)+1BBj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A08FE7:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+124j
					; ExpParseEfiPath(x,x,x,x)+1B9j
		mov	eax, 0C000009Ah
		jmp	short loc_A09032
; 

loc_A08FEE:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+134j
		mov	ebx, [ebp+var_10]
		shr	edx, 1
		xor	eax, eax
		mov	[esi+edx*2], ax
		jmp	short loc_A08FFD
; 

loc_A08FFB:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+104j
		xor	esi, esi

loc_A08FFD:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+198j
		push	72766E45h
		push	[ebp+var_8]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_14]
		mov	[ecx], eax
		test	eax, eax
		jnz	short loc_A0901E
		test	esi, esi
		jz	short loc_A08FE7
		jmp	short loc_A08FDF
; 

loc_A0901E:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+1B5j
		push	[ebp+var_8]	; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[eax], esi

loc_A09030:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+26j
					; ExpParseEfiPath(x,x,x,x)+68j	...
		mov	eax, edi

loc_A09032:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+18Bj
					; ExpParseEfiPath(x,x,x,x)+1DDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_A09039:				; CODE XREF: ExpParseEfiPath(x,x,x,x)+F2j
		mov	eax, 0C000000Dh
		jmp	short loc_A09032
_ExpParseEfiPath@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpParseSignatureName(x, x,	x, x, x, x, x, x)
_ExpParseSignatureName@32 proc near	; CODE XREF: ExpConvertSignatureName(x,x,x,x,x,x)+9Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_8], edx
		mov	ebx, [ebp+var_8]
		mov	dl, al
		push	edi
		mov	edi, ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_2], al
		push	7Bh
		movzx	ecx, word ptr [edi]
		pop	eax
		cmp	cx, ax
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edi
		setz	al
		xor	esi, esi
		mov	[ebp+var_1], al
		test	ebx, ebx
		jz	short loc_A090A2

loc_A0907B:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+1BCj
		movzx	eax, word ptr [edi+esi*2]
		push	29h
		pop	ebx
		cmp	ax, bx
		mov	ebx, [ebp+var_8]
		jz	short loc_A0909F
		cmp	cx, word ptr [ebp+var_C]
		jnz	loc_A091EA
		cmp	eax, 7Dh
		jnz	loc_A091F9
		mov	dl, 1

loc_A0909F:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+48j
					; ExpParseSignatureName(x,x,x,x,x,x,x,x)+1B3j ...
		mov	al, [ebp+var_1]

loc_A090A2:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+39j
		cmp	cx, word ptr [ebp+var_C]
		jnz	short loc_A090B0
		test	dl, dl
		jz	loc_A0930B

loc_A090B0:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+66j
		cmp	esi, 8
		jbe	short loc_A090BA
		mov	al, 1
		mov	[ebp+var_1], al

loc_A090BA:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+73j
		cmp	al, 1
		jnz	loc_A09207
		cmp	dl, al
		jnz	loc_A09207
		push	[ebp+arg_0]
		inc	esi
		mov	[ebp+var_14], edi
		lea	eax, [esi+esi]
		mov	word ptr [ebp+var_18], ax
		mov	word ptr [ebp+var_18+2], ax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)

loc_A090E5:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+227j
		test	eax, eax
		js	loc_A09317
		cmp	esi, ebx
		jnb	loc_A0930B
		push	2Dh
		pop	eax
		cmp	[edi+esi*2], ax
		jnz	loc_A092D1
		inc	esi
		mov	[ebp+var_2], 1
		cmp	esi, ebx
		jnb	loc_A0930B
		push	72766E45h
		push	22h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+arg_0], ebx
		test	ebx, ebx
		jz	loc_A09312
		mov	eax, [ebp+var_8]
		lea	edx, [edi+esi*2]
		push	2Dh
		mov	ecx, esi
		pop	ebx

loc_A09138:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+101j
		cmp	[edi+esi*2], bx
		jz	short loc_A09143
		inc	esi
		cmp	esi, eax
		jb	short loc_A09138

loc_A09143:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+FCj
		mov	ebx, [ebp+arg_0]
		mov	edi, esi
		sub	edi, ecx
		jz	loc_A092FA
		cmp	edi, 8
		ja	loc_A092FA
		push	edi
		push	edx
		push	11h
		push	ebx
		call	_wcsncpy_s
		mov	edx, [ebp+arg_4]
		add	esp, 10h
		xor	eax, eax
		mov	ecx, ebx
		mov	[ebx+edi*2], ax
		call	_ExpTranslateHexStringToULONG@8	; ExpTranslateHexStringToULONG(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A092FF
		mov	eax, [ebp+var_8]
		inc	esi
		cmp	esi, eax
		jnb	loc_A092FA
		mov	edi, [ebp+var_10]
		mov	ecx, esi
		push	2Dh
		pop	ebx
		lea	edx, [edi+esi*2]

loc_A09197:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+160j
		cmp	[edi+esi*2], bx
		jz	short loc_A091A2
		inc	esi
		cmp	esi, eax
		jb	short loc_A09197

loc_A091A2:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+15Bj
		mov	ebx, [ebp+arg_0]
		mov	eax, esi
		sub	eax, ecx
		mov	[ebp+arg_4], eax
		jz	loc_A092FA
		cmp	eax, 10h
		ja	loc_A092FA
		push	eax
		push	edx
		push	11h
		push	ebx
		call	_wcsncpy_s
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	edx, [ebp+arg_8]
		add	esp, 10h
		mov	[ebx+eax*2], cx
		mov	ecx, ebx
		call	_ExpTranslateHexStringToULONGLONG@8 ; ExpTranslateHexStringToULONGLONG(x,x)
		test	eax, eax
		jns	loc_A0926C
		mov	edi, eax
		jmp	loc_A092FF
; 

loc_A091EA:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+4Ej
		push	2Dh
		pop	edi
		cmp	ax, di
		mov	edi, [ebp+var_10]
		jz	loc_A0909F

loc_A091F9:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+57j
		inc	esi
		cmp	esi, ebx
		jb	loc_A0907B
		jmp	loc_A0909F
; 

loc_A09207:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+7Cj
					; ExpParseSignatureName(x,x,x,x,x,x,x,x)+84j
		push	72766E45h
		lea	eax, ds:2[esi*2]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_A09312
		push	esi
		push	edi
		lea	ecx, [esi+1]
		push	ecx
		push	eax
		call	_wcsncpy_s
		mov	eax, [ebp+var_C]
		xor	ecx, ecx
		mov	edx, [ebp+arg_0]
		add	esp, 10h
		cmp	[ebp+var_1], cl
		mov	[eax+esi*2], cx
		mov	ecx, eax
		jnz	short loc_A09252
		call	_ExpTranslateHexStringToULONG@8	; ExpTranslateHexStringToULONG(x,x)
		jmp	short loc_A09257
; 

loc_A09252:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+209j
		call	_ExpTranslateHexStringToGUID@8 ; ExpTranslateHexStringToGUID(x,x)

loc_A09257:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+210j
		push	0
		push	[ebp+var_C]
		mov	[ebp+arg_0], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_0]
		jmp	loc_A090E5
; 

loc_A0926C:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+19Dj
		mov	eax, [ebp+var_8]
		inc	esi
		cmp	esi, eax
		jnb	loc_A092FA
		push	29h
		mov	ecx, esi
		lea	edx, [edi+esi*2]
		pop	ebx

loc_A09280:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+249j
		cmp	[edi+esi*2], bx
		jz	short loc_A0928B
		inc	esi
		cmp	esi, eax
		jb	short loc_A09280

loc_A0928B:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+244j
		mov	ebx, [ebp+arg_0]
		mov	eax, esi
		sub	eax, ecx
		mov	[ebp+arg_4], eax
		jz	short loc_A092FA
		cmp	eax, 10h
		ja	short loc_A092FA
		push	eax
		push	edx
		push	11h
		push	ebx
		call	_wcsncpy_s
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	edx, [ebp+arg_C]
		add	esp, 10h
		mov	[ebx+eax*2], cx
		mov	ecx, ebx
		call	_ExpTranslateHexStringToULONGLONG@8 ; ExpTranslateHexStringToULONGLONG(x,x)
		push	0
		push	ebx
		mov	[ebp+arg_0], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+arg_0]
		test	eax, eax
		js	short loc_A09317
		mov	ebx, [ebp+var_8]

loc_A092D1:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+BCj
		cmp	esi, ebx
		jnb	short loc_A0930B
		push	29h
		pop	eax
		cmp	[edi+esi*2], ax
		jnz	short loc_A0930B
		mov	cl, [ebp+var_1]
		mov	dl, [ebp+var_2]
		test	cl, cl
		jnz	short loc_A092EC
		test	dl, dl
		jz	short loc_A0930B

loc_A092EC:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+2A6j
		mov	eax, [ebp+arg_10]
		mov	[eax], cl
		mov	eax, [ebp+arg_14]
		mov	[eax], dl
		xor	eax, eax
		jmp	short loc_A09317
; 

loc_A092FA:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+10Aj
					; ExpParseSignatureName(x,x,x,x,x,x,x,x)+113j ...
		mov	edi, 0C000000Dh

loc_A092FF:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+13Aj
					; ExpParseSignatureName(x,x,x,x,x,x,x,x)+1A5j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	short loc_A09317
; 

loc_A0930B:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+6Aj
					; ExpParseSignatureName(x,x,x,x,x,x,x,x)+AFj ...
		mov	eax, 0C000000Dh
		jmp	short loc_A09317
; 

loc_A09312:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+E7j
					; ExpParseSignatureName(x,x,x,x,x,x,x,x)+1E3j
		mov	eax, 0C000009Ah

loc_A09317:				; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+A7j
					; ExpParseSignatureName(x,x,x,x,x,x,x,x)+28Cj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_ExpParseSignatureName@32 endp


;  S U B	R O U T	I N E 


; __stdcall ExpSafeWcslen(x, x)
_ExpSafeWcslen@8 proc near		; CODE XREF: ExpSetBootEntry(x,x,x)+1F3p
					; ExpSetDriverEntry(x,x,x)+15Cp ...
		mov	eax, ecx
		cmp	ecx, edx
		jnb	short loc_A0933A

loc_A09324:				; CODE XREF: ExpSafeWcslen(x,x)+11j
		cmp	word ptr [eax],	0
		jz	short loc_A09331
		add	eax, 2
		cmp	eax, edx
		jb	short loc_A09324

loc_A09331:				; CODE XREF: ExpSafeWcslen(x,x)+Aj
		cmp	eax, edx
		jnb	short loc_A0933A
		sub	eax, ecx
		sar	eax, 1
		retn
; 

loc_A0933A:				; CODE XREF: ExpSafeWcslen(x,x)+4j
					; ExpSafeWcslen(x,x)+15j
		or	eax, 0FFFFFFFFh
		retn
_ExpSafeWcslen@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSetBootEntry(x, x, x)
_ExpSetBootEntry@12 proc near		; CODE XREF: NtAddBootEntry(x,x)+1Ep
					; NtModifyBootEntry(x)+1Cp

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	70h
		push	offset dword_6AA5D0
		call	__SEH_prolog4_GS
		mov	ebx, edx
		mov	[ebp+var_64], ecx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_78], edx
		xor	eax, eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_4C], eax
		mov	[ebp+var_34], eax
		mov	[ebp+ms_exc.disabled], eax
		mov	eax, large fs:124h
		mov	[ebp+var_6C], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_40], al
		lea	esi, [ebx+4]
		test	al, al
		jz	short loc_A093A1
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_A09396
		mov	esi, eax

loc_A09396:				; CODE XREF: ExpSetBootEntry(x,x,x)+54j
		nop
		mov	esi, [esi]
		mov	[ebp+var_68], esi
		mov	al, byte ptr [ebp+var_40]
		jmp	short loc_A093A6
; 

loc_A093A1:				; CODE XREF: ExpSetBootEntry(x,x,x)+4Bj
		mov	esi, [esi]
		mov	[ebp+var_68], esi

loc_A093A6:				; CODE XREF: ExpSetBootEntry(x,x,x)+61j
		cmp	esi, 1Ch
		jnb	short loc_A093BC
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		jmp	loc_A09951
; 

loc_A093BC:				; CODE XREF: ExpSetBootEntry(x,x,x)+6Bj
		test	al, al
		jz	short loc_A0941F
		test	bl, 3
		jz	short loc_A093CA
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A093CA:				; CODE XREF: ExpSetBootEntry(x,x,x)+85j
		lea	eax, [ebx+esi]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_A093DB
		cmp	eax, ebx
		jnb	short loc_A093DE

loc_A093DB:				; CODE XREF: ExpSetBootEntry(x,x,x)+97j
		mov	byte ptr [ecx],	0

loc_A093DE:				; CODE XREF: ExpSetBootEntry(x,x,x)+9Bj
		test	edx, edx
		jz	short loc_A093F6
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_A093EF
		mov	ecx, eax

loc_A093EF:				; CODE XREF: ExpSetBootEntry(x,x,x)+ADj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	esi, [ebp+var_68]

loc_A093F6:				; CODE XREF: ExpSetBootEntry(x,x,x)+A2j
		push	[ebp+var_40]
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0941F
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000061h
		jmp	loc_A09951
; 

loc_A0941F:				; CODE XREF: ExpSetBootEntry(x,x,x)+80j
					; ExpSetBootEntry(x,x,x)+CEj
		push	72766E45h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_48], edi
		test	edi, edi
		jnz	short loc_A09449
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000009Ah
		jmp	loc_A09951
; 

loc_A09449:				; CODE XREF: ExpSetBootEntry(x,x,x)+F8j
		push	esi		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	ecx, [esi+edi]
		mov	[ebp+var_3C], ecx
		mov	eax, [edi]
		test	eax, eax
		jz	loc_A098AD
		cmp	eax, 1
		ja	loc_A098AD
		cmp	[ebp+var_64], 0
		jnz	short loc_A09487
		cmp	dword ptr [edi+8], 0FFFFh
		ja	loc_A098AD

loc_A09487:				; CODE XREF: ExpSetBootEntry(x,x,x)+13Aj
		and	dword ptr [edi+0Ch], 13h
		mov	eax, [edi+10h]
		mov	[ebp+var_60], eax
		test	al, 1
		jnz	loc_A098AD
		mov	eax, [edi+14h]
		mov	[ebp+var_70], eax
		test	al, 3
		jnz	loc_A098AD
		mov	edx, [edi+18h]
		cmp	edx, esi
		ja	loc_A098AD
		lea	eax, [edi+1Ch]
		add	eax, edx
		mov	[ebp+var_74], eax
		cmp	eax, ecx
		jnb	loc_A098AD
		lea	ebx, [edi+1Ch]
		mov	[ebp+var_6C], ebx
		cmp	edx, 8
		jb	short loc_A0951B
		mov	esi, offset ??_C@_07LHJOABLP@WINDOWS@NNGAKEGL@ ; "WINDOWS"
		xor	ecx, ecx

loc_A094D4:				; CODE XREF: ExpSetBootEntry(x,x,x)+1A3j
		movzx	eax, byte ptr [ebx+ecx]
		cmp	al, [esi+ecx]
		jnz	short loc_A094E7
		inc	ecx
		cmp	ecx, 8
		jnz	short loc_A094D4
		xor	eax, eax
		jmp	short loc_A094EC
; 

loc_A094E7:				; CODE XREF: ExpSetBootEntry(x,x,x)+19Dj
		sbb	eax, eax
		or	eax, 1

loc_A094EC:				; CODE XREF: ExpSetBootEntry(x,x,x)+1A7j
		test	eax, eax
		jnz	short loc_A0951B
		cmp	edx, 14h
		jbe	loc_A098AD
		mov	ecx, ebx
		call	_ExpVerifyWindowsOsOptions@8 ; ExpVerifyWindowsOsOptions(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A098B2
		mov	[ebp+var_40], 1
		mov	ebx, [ebx+10h]
		lea	ecx, [edi+1Ch]
		add	ebx, ecx
		jmp	short loc_A09521
; 

loc_A0951B:				; CODE XREF: ExpSetBootEntry(x,x,x)+18Dj
					; ExpSetBootEntry(x,x,x)+1B0j
		and	[ebp+var_40], 0
		xor	ebx, ebx

loc_A09521:				; CODE XREF: ExpSetBootEntry(x,x,x)+1DBj
		mov	[ebp+var_50], ebx
		mov	eax, [ebp+var_60]
		add	eax, edi
		mov	[ebp+var_60], eax
		mov	edx, [ebp+var_3C]
		mov	ecx, eax
		call	_ExpSafeWcslen@8 ; ExpSafeWcslen(x,x)
		cmp	eax, 0FFFFFFFFh
		jz	loc_A098AD
		lea	eax, ds:2[eax*2]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_70]
		add	eax, edi
		mov	[ebp+var_58], eax
		mov	ecx, eax
		call	_ExpVerifyFilePath@8 ; ExpVerifyFilePath(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A098B2
		mov	eax, [ebp+var_60]
		cmp	[ebp+var_74], eax
		ja	loc_A098AD
		add	eax, [ebp+var_3C]
		mov	ecx, [ebp+var_58]
		cmp	eax, ecx
		ja	loc_A098AD
		cmp	dword ptr [ecx+8], 4
		jz	short loc_A095F5
		lea	eax, [ebp+var_38]
		push	eax
		push	0
		push	4
		push	ecx
		call	_ZwTranslateFilePath@16	; ZwTranslateFilePath(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_A098B2
		push	72766E45h
		push	[ebp+var_38]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_54], esi
		test	esi, esi
		jnz	short loc_A095C3

loc_A095B9:				; CODE XREF: ExpSetBootEntry(x,x,x)+321j
		mov	esi, 0C000009Ah
		jmp	loc_A098B2
; 

loc_A095C3:				; CODE XREF: ExpSetBootEntry(x,x,x)+279j
		push	[ebp+var_38]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp+var_38]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	esi
		push	4
		push	[ebp+var_58]
		call	_ZwTranslateFilePath@16	; ZwTranslateFilePath(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A098B2
		mov	eax, [ebp+var_38]
		jmp	short loc_A095FB
; 

loc_A095F5:				; CODE XREF: ExpSetBootEntry(x,x,x)+242j
		mov	eax, [ecx+4]
		mov	[ebp+var_54], ecx

loc_A095FB:				; CODE XREF: ExpSetBootEntry(x,x,x)+2B5j
		sub	eax, 0Ch
		mov	[ebp+var_38], eax
		cmp	[ebp+var_40], 0
		jz	short loc_A0963A
		cmp	dword ptr [ebx+8], 4
		jz	short loc_A0963A
		lea	eax, [ebp+var_4C]
		push	eax
		push	0
		push	4
		push	ebx
		call	_ZwTranslateFilePath@16	; ZwTranslateFilePath(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_A098B2
		mov	ebx, [edi+18h]
		mov	eax, [ebp+var_50]
		sub	ebx, [eax+4]
		add	ebx, [ebp+var_4C]
		mov	eax, [ebp+var_38]
		jmp	short loc_A0963D
; 

loc_A0963A:				; CODE XREF: ExpSetBootEntry(x,x,x)+2C7j
					; ExpSetBootEntry(x,x,x)+2CDj
		mov	ebx, [edi+18h]

loc_A0963D:				; CODE XREF: ExpSetBootEntry(x,x,x)+2FAj
		add	eax, 6
		mov	esi, [ebp+var_3C]
		add	eax, ebx
		add	eax, esi
		mov	[ebp+var_3C], eax
		push	72766E45h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_44], eax
		test	eax, eax
		jz	loc_A095B9
		push	[ebp+var_3C]	; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, [ebp+var_44]
		and	dword ptr [edx], 0
		mov	ecx, [edi+0Ch]
		xor	eax, eax
		test	cl, 1
		jz	short loc_A09689
		inc	eax
		mov	[edx], eax
		mov	ecx, [edi+0Ch]

loc_A09689:				; CODE XREF: ExpSetBootEntry(x,x,x)+343j
		test	cl, 10h
		jz	short loc_A09693
		or	eax, 8
		mov	[edx], eax

loc_A09693:				; CODE XREF: ExpSetBootEntry(x,x,x)+34Ej
		mov	ax, word ptr [ebp+var_38]
		mov	[edx+4], ax
		push	esi		; size_t
		push	[ebp+var_60]	; void *
		lea	eax, [edx+6]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_44]
		add	eax, 6
		add	esi, eax
		push	[ebp+var_38]	; size_t
		mov	eax, [ebp+var_54]
		add	eax, 0Ch
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 18h
		add	esi, [ebp+var_38]
		cmp	[ebp+var_40], 0
		jz	short loc_A0970E
		mov	eax, [ebp+var_50]
		cmp	dword ptr [eax+8], 4
		jz	short loc_A0970E
		lea	eax, [edi+1Ch]
		push	dword ptr [eax+10h] ; size_t
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[esi+0Ch], ebx
		mov	ecx, [edi+2Ch]
		add	ecx, esi
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	ecx
		push	4
		push	[ebp+var_50]
		call	_ZwTranslateFilePath@16	; ZwTranslateFilePath(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_A098B2
		jmp	short loc_A0971B
; 

loc_A0970E:				; CODE XREF: ExpSetBootEntry(x,x,x)+38Cj
					; ExpSetBootEntry(x,x,x)+395j
		push	ebx		; size_t
		push	[ebp+var_6C]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_A0971B:				; CODE XREF: ExpSetBootEntry(x,x,x)+3CEj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpEnvironmentLock
		call	ExAcquireFastMutexUnsafe
		cmp	[ebp+var_64], 0
		jz	loc_A097F3
		xor	ebx, ebx
		mov	[ebp+var_5C], ebx
		mov	edi, offset _EfiBootVariablesGuid

loc_A09747:				; CODE XREF: ExpSetBootEntry(x,x,x)+499j
		push	ebx
		push	offset ??_C@_1BC@HAMKBGJJ@?$AAB?$AAo?$AAo?$AAt?$AA?$CF?$AA0?$AA4?$AAx@NNGAKEGL@	; "Boot%04x"
		push	9
		lea	eax, [ebp+var_30]
		push	eax
		call	_swprintf_s
		add	esp, 10h
		xor	ecx, ecx
		mov	[ebp+var_34], ecx
		push	ecx
		lea	eax, [ebp+var_34]
		push	eax
		push	ecx
		mov	edx, edi
		lea	ecx, [ebp+var_30]
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000100h
		jnz	short loc_A097BD
		lea	eax, [ebx+ebx]
		or	eax, ebx
		and	eax, 0C4444444h
		add	eax, eax
		test	eax, ebx
		jz	short loc_A097B5
		push	ebx
		push	offset ??_C@_1BC@NAPILJKH@?$AAB?$AAo?$AAo?$AAt?$AA?$CF?$AA0?$AA4?$AAX@NNGAKEGL@
		push	9
		lea	eax, [ebp+var_30]
		push	eax
		call	_swprintf_s
		add	esp, 10h
		xor	ecx, ecx
		mov	[ebp+var_34], ecx
		push	ecx
		lea	eax, [ebp+var_34]
		push	eax
		push	ecx
		mov	edx, edi
		lea	ecx, [ebp+var_30]
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax

loc_A097B5:				; CODE XREF: ExpSetBootEntry(x,x,x)+44Aj
		cmp	esi, 0C0000100h
		jz	short loc_A097DD

loc_A097BD:				; CODE XREF: ExpSetBootEntry(x,x,x)+43Aj
		test	esi, esi
		jz	short loc_A097CD
		cmp	esi, 0C0000023h
		jnz	loc_A09892

loc_A097CD:				; CODE XREF: ExpSetBootEntry(x,x,x)+481j
		inc	ebx
		mov	[ebp+var_5C], ebx
		cmp	ebx, 0FFFFh
		jbe	loc_A09747

loc_A097DD:				; CODE XREF: ExpSetBootEntry(x,x,x)+47Dj
		cmp	ebx, 0FFFFh
		jbe	loc_A0987E
		mov	esi, 0C000009Ah
		jmp	loc_A09892
; 

loc_A097F3:				; CODE XREF: ExpSetBootEntry(x,x,x)+3F9j
		mov	ebx, [ebp+var_48]
		mov	eax, [ebx+8]
		mov	[ebp+var_5C], eax
		push	eax
		push	offset ??_C@_1BC@NAPILJKH@?$AAB?$AAo?$AAo?$AAt?$AA?$CF?$AA0?$AA4?$AAX@NNGAKEGL@
		push	9
		lea	eax, [ebp+var_30]
		push	eax
		call	_swprintf_s
		add	esp, 10h
		xor	ecx, ecx
		mov	[ebp+var_34], ecx
		push	ecx
		lea	eax, [ebp+var_34]
		push	eax
		push	ecx
		mov	edi, offset _EfiBootVariablesGuid
		mov	edx, edi
		lea	ecx, [ebp+var_30]
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000100h
		jnz	short loc_A09872
		mov	ecx, [ebx+8]
		lea	eax, [ecx+ecx]
		or	eax, ecx
		and	eax, 0C4444444h
		add	eax, eax
		test	eax, ecx
		jz	short loc_A09872
		push	ecx
		push	offset ??_C@_1BC@HAMKBGJJ@?$AAB?$AAo?$AAo?$AAt?$AA?$CF?$AA0?$AA4?$AAx@NNGAKEGL@	; "Boot%04x"
		push	9
		lea	eax, [ebp+var_30]
		push	eax
		call	_swprintf_s
		add	esp, 10h
		xor	ecx, ecx
		mov	[ebp+var_34], ecx
		push	ecx
		lea	eax, [ebp+var_34]
		push	eax
		push	ecx
		mov	edx, edi
		lea	ecx, [ebp+var_30]
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax

loc_A09872:				; CODE XREF: ExpSetBootEntry(x,x,x)+4F4j
					; ExpSetBootEntry(x,x,x)+507j
		test	esi, esi
		jz	short loc_A0987E
		cmp	esi, 0C0000023h
		jnz	short loc_A09892

loc_A0987E:				; CODE XREF: ExpSetBootEntry(x,x,x)+4A5j
					; ExpSetBootEntry(x,x,x)+536j
		push	1
		push	[ebp+var_3C]
		push	[ebp+var_44]
		mov	edx, edi
		lea	ecx, [ebp+var_30]
		call	_IoSetEnvironmentVariableEx@20 ; IoSetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax

loc_A09892:				; CODE XREF: ExpSetBootEntry(x,x,x)+489j
					; ExpSetBootEntry(x,x,x)+4B0j ...
		mov	ecx, offset _ExpEnvironmentLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, [ebp+var_48]
		jmp	short loc_A098B2
; 

loc_A098AD:				; CODE XREF: ExpSetBootEntry(x,x,x)+127j
					; ExpSetBootEntry(x,x,x)+130j ...
		mov	esi, 0C000000Dh

loc_A098B2:				; CODE XREF: ExpSetBootEntry(x,x,x)+1C6j
					; ExpSetBootEntry(x,x,x)+21Ej ...
		mov	ebx, [ebp+var_44]
		test	ebx, ebx
		jz	short loc_A098C1
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A098C1:				; CODE XREF: ExpSetBootEntry(x,x,x)+579j
		mov	eax, [ebp+var_54]
		test	eax, eax
		jz	short loc_A098D5
		cmp	eax, [ebp+var_58]
		jz	short loc_A098D5
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A098D5:				; CODE XREF: ExpSetBootEntry(x,x,x)+588j
					; ExpSetBootEntry(x,x,x)+58Dj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 1
		cmp	[ebp+var_64], 0
		jz	short loc_A098FA
		mov	ecx, [ebp+var_78]
		test	ecx, ecx
		jz	short loc_A098FA
		test	esi, esi
		js	short loc_A098FA
		mov	eax, [ebp+var_5C]
		mov	[ecx], eax

loc_A098FA:				; CODE XREF: ExpSetBootEntry(x,x,x)+5AAj
					; ExpSetBootEntry(x,x,x)+5B1j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		jmp	short loc_A09951
; 

loc_A09905:				; DATA XREF: .text:006AA5F0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_7C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A09915:				; DATA XREF: .text:006AA5F4o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_7C]
		jmp	short loc_A09951
; 

loc_A09924:				; DATA XREF: .text:006AA5E4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_80], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A09934:				; DATA XREF: .text:006AA5E8o
		mov	esp, [ebp+ms_exc.old_esp]
		cmp	[ebp+var_48], 0
		jz	short loc_A09947
		push	0
		push	[ebp+var_48]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A09947:				; CODE XREF: ExpSetBootEntry(x,x,x)+5FDj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_80]

loc_A09951:				; CODE XREF: ExpSetBootEntry(x,x,x)+79j
					; ExpSetBootEntry(x,x,x)+DCj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpSetBootEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSetDriverEntry(x, x, x)
_ExpSetDriverEntry@12 proc near		; CODE XREF: NtAddDriverEntry(x,x)+1Ep
					; NtModifyDriverEntry(x)+1Cp

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	60h
		push	offset dword_6AA5A8
		call	__SEH_prolog4_GS
		mov	ebx, edx
		mov	[ebp+var_5C], ecx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_64], edx
		xor	ecx, ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+ms_exc.disabled], ecx
		mov	eax, large fs:124h
		mov	[ebp+var_70], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_4C], al
		lea	esi, [ebx+4]
		test	al, al
		jz	short loc_A099C3
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_A099B8
		mov	esi, eax

loc_A099B8:				; CODE XREF: ExpSetDriverEntry(x,x,x)+51j
		nop
		mov	esi, [esi]
		mov	[ebp+var_60], esi
		mov	al, byte ptr [ebp+var_4C]
		jmp	short loc_A099C8
; 

loc_A099C3:				; CODE XREF: ExpSetDriverEntry(x,x,x)+48j
		mov	esi, [esi]
		mov	[ebp+var_60], esi

loc_A099C8:				; CODE XREF: ExpSetDriverEntry(x,x,x)+5Ej
		cmp	esi, 14h
		jnb	short loc_A099DE
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		jmp	loc_A09E22
; 

loc_A099DE:				; CODE XREF: ExpSetDriverEntry(x,x,x)+68j
		test	al, al
		jz	short loc_A09A41
		test	bl, 3
		jz	short loc_A099EC
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A099EC:				; CODE XREF: ExpSetDriverEntry(x,x,x)+82j
		lea	eax, [ebx+esi]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_A099FD
		cmp	eax, ebx
		jnb	short loc_A09A00

loc_A099FD:				; CODE XREF: ExpSetDriverEntry(x,x,x)+94j
		mov	byte ptr [ecx],	0

loc_A09A00:				; CODE XREF: ExpSetDriverEntry(x,x,x)+98j
		test	edx, edx
		jz	short loc_A09A18
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_A09A11
		mov	ecx, eax

loc_A09A11:				; CODE XREF: ExpSetDriverEntry(x,x,x)+AAj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	esi, [ebp+var_60]

loc_A09A18:				; CODE XREF: ExpSetDriverEntry(x,x,x)+9Fj
		push	[ebp+var_4C]
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A09A41
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000061h
		jmp	loc_A09E22
; 

loc_A09A41:				; CODE XREF: ExpSetDriverEntry(x,x,x)+7Dj
					; ExpSetDriverEntry(x,x,x)+CBj
		push	72766E45h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_48], edi
		test	edi, edi
		jnz	short loc_A09A6B
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000009Ah
		jmp	loc_A09E22
; 

loc_A09A6B:				; CODE XREF: ExpSetDriverEntry(x,x,x)+F5j
		push	esi		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	edx, [esi+edi]
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_A09A9A
		cmp	eax, 1
		ja	short loc_A09A9A
		cmp	[ebp+var_5C], 0
		jnz	short loc_A09AA9
		cmp	dword ptr [edi+8], 0FFFFh
		jbe	short loc_A09AA9

loc_A09A9A:				; CODE XREF: ExpSetDriverEntry(x,x,x)+121j
					; ExpSetDriverEntry(x,x,x)+126j ...
		mov	esi, 0C000000Dh
		mov	ebx, [ebp+var_38]
		mov	eax, ebx
		jmp	loc_A09D87
; 

loc_A09AA9:				; CODE XREF: ExpSetDriverEntry(x,x,x)+12Cj
					; ExpSetDriverEntry(x,x,x)+135j
		mov	eax, [edi+0Ch]
		test	al, 1
		jnz	short loc_A09A9A
		mov	ebx, [edi+10h]
		test	bl, 3
		jnz	short loc_A09A9A
		add	eax, edi
		mov	[ebp+var_4C], eax
		mov	ecx, eax
		call	_ExpSafeWcslen@8 ; ExpSafeWcslen(x,x)
		mov	[ebp+var_58], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_A09A9A
		add	ebx, edi
		mov	[ebp+var_38], ebx
		mov	ecx, ebx
		call	_ExpVerifyFilePath@8 ; ExpVerifyFilePath(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A09D84
		mov	eax, [ebp+var_58]
		lea	ebx, ds:2[eax*2]
		mov	eax, [ebp+var_4C]
		add	eax, ebx
		mov	ecx, [ebp+var_38]
		cmp	eax, ecx
		jbe	short loc_A09B02
		mov	esi, 0C000000Dh
		jmp	loc_A09D81
; 

loc_A09B02:				; CODE XREF: ExpSetDriverEntry(x,x,x)+193j
		cmp	dword ptr [ecx+8], 4
		jz	short loc_A09B7F
		lea	eax, [ebp+var_44]
		push	eax
		push	0
		push	4
		push	ecx
		call	_ZwTranslateFilePath@16	; ZwTranslateFilePath(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_A09D81
		push	72766E45h
		push	[ebp+var_44]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_50], esi
		test	esi, esi
		jnz	short loc_A09B49
		mov	esi, 0C000009Ah
		jmp	loc_A09D81
; 

loc_A09B49:				; CODE XREF: ExpSetDriverEntry(x,x,x)+1DAj
		push	[ebp+var_44]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, [ebp+var_44]
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	esi
		push	4
		mov	eax, [ebp+var_38]
		push	eax
		call	_ZwTranslateFilePath@16	; ZwTranslateFilePath(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A09D81
		mov	eax, [ebp+var_44]
		mov	esi, [ebp+var_50]
		jmp	short loc_A09B87
; 

loc_A09B7F:				; CODE XREF: ExpSetDriverEntry(x,x,x)+1A3j
		mov	eax, [ecx+4]
		mov	esi, ecx
		mov	[ebp+var_50], ecx

loc_A09B87:				; CODE XREF: ExpSetDriverEntry(x,x,x)+21Aj
		sub	eax, 0Ch
		mov	[ebp+var_44], eax
		add	eax, 6
		add	eax, ebx
		mov	[ebp+var_58], eax
		push	72766E45h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_3C], eax
		test	eax, eax
		jnz	short loc_A09BB9
		mov	esi, 0C000009Ah
		mov	ebx, [ebp+var_38]
		jmp	loc_A09D87
; 

loc_A09BB9:				; CODE XREF: ExpSetDriverEntry(x,x,x)+247j
		push	[ebp+var_58]	; size_t
		push	0		; int
		mov	edi, [ebp+var_3C]
		push	edi		; void *
		call	_memset
		mov	ax, word ptr [ebp+var_44]
		mov	[edi+4], ax
		push	ebx		; size_t
		push	[ebp+var_4C]	; void *
		lea	eax, [edi+6]
		push	eax		; void *
		call	_memcpy
		lea	ecx, [edi+6]
		add	ecx, ebx
		push	[ebp+var_44]	; size_t
		lea	eax, [esi+0Ch]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 24h
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpEnvironmentLock
		call	ExAcquireFastMutexUnsafe
		cmp	[ebp+var_5C], 0
		jz	loc_A09CC9
		xor	ebx, ebx
		mov	[ebp+var_54], ebx
		mov	edi, offset _EfiDriverVariablesGuid

loc_A09C1D:				; CODE XREF: ExpSetDriverEntry(x,x,x)+34Aj
		push	ebx
		push	offset ??_C@_1BG@IKNMHBCC@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?$CF?$AA0?$AA4?$AAx@NNGAKEGL@
		push	0Bh
		lea	eax, [ebp+var_34]
		push	eax
		call	_swprintf_s
		add	esp, 10h
		xor	ecx, ecx
		mov	[ebp+var_40], ecx
		push	ecx
		lea	eax, [ebp+var_40]
		push	eax
		push	ecx
		mov	edx, edi
		lea	ecx, [ebp+var_34]
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000100h
		jnz	short loc_A09C93
		lea	eax, [ebx+ebx]
		or	eax, ebx
		and	eax, 0C4444444h
		add	eax, eax
		test	eax, ebx
		jz	short loc_A09C8B
		push	ebx
		push	offset ??_C@_1BG@CKOONOBM@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?$CF?$AA0?$AA4?$AAX@NNGAKEGL@
		push	0Bh
		lea	eax, [ebp+var_34]
		push	eax
		call	_swprintf_s
		add	esp, 10h
		xor	ecx, ecx
		mov	[ebp+var_40], ecx
		push	ecx
		lea	eax, [ebp+var_40]
		push	eax
		push	ecx
		mov	edx, edi
		lea	ecx, [ebp+var_34]
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax

loc_A09C8B:				; CODE XREF: ExpSetDriverEntry(x,x,x)+2FBj
		cmp	esi, 0C0000100h
		jz	short loc_A09CB3

loc_A09C93:				; CODE XREF: ExpSetDriverEntry(x,x,x)+2EBj
		test	esi, esi
		jz	short loc_A09CA3
		cmp	esi, 0C0000023h
		jnz	loc_A09D68

loc_A09CA3:				; CODE XREF: ExpSetDriverEntry(x,x,x)+332j
		inc	ebx
		mov	[ebp+var_54], ebx
		cmp	ebx, 0FFFFh
		jbe	loc_A09C1D

loc_A09CB3:				; CODE XREF: ExpSetDriverEntry(x,x,x)+32Ej
		cmp	ebx, 0FFFFh
		jbe	loc_A09D54
		mov	esi, 0C000009Ah
		jmp	loc_A09D68
; 

loc_A09CC9:				; CODE XREF: ExpSetDriverEntry(x,x,x)+2AAj
		mov	ebx, [ebp+var_48]
		mov	eax, [ebx+8]
		mov	[ebp+var_54], eax
		push	eax
		push	offset ??_C@_1BG@CKOONOBM@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?$CF?$AA0?$AA4?$AAX@NNGAKEGL@
		push	0Bh
		lea	eax, [ebp+var_34]
		push	eax
		call	_swprintf_s
		add	esp, 10h
		xor	ecx, ecx
		mov	[ebp+var_40], ecx
		push	ecx
		lea	eax, [ebp+var_40]
		push	eax
		push	ecx
		mov	edi, offset _EfiDriverVariablesGuid
		mov	edx, edi
		lea	ecx, [ebp+var_34]
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000100h
		jnz	short loc_A09D48
		mov	ecx, [ebx+8]
		lea	eax, [ecx+ecx]
		or	eax, ecx
		and	eax, 0C4444444h
		add	eax, eax
		test	eax, ecx
		jz	short loc_A09D48
		push	ecx
		push	offset ??_C@_1BG@IKNMHBCC@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?$CF?$AA0?$AA4?$AAx@NNGAKEGL@
		push	0Bh
		lea	eax, [ebp+var_34]
		push	eax
		call	_swprintf_s
		add	esp, 10h
		xor	ecx, ecx
		mov	[ebp+var_40], ecx
		push	ecx
		lea	eax, [ebp+var_40]
		push	eax
		push	ecx
		mov	edx, edi
		lea	ecx, [ebp+var_34]
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax

loc_A09D48:				; CODE XREF: ExpSetDriverEntry(x,x,x)+3A5j
					; ExpSetDriverEntry(x,x,x)+3B8j
		test	esi, esi
		jz	short loc_A09D54
		cmp	esi, 0C0000023h
		jnz	short loc_A09D68

loc_A09D54:				; CODE XREF: ExpSetDriverEntry(x,x,x)+356j
					; ExpSetDriverEntry(x,x,x)+3E7j
		push	1
		push	[ebp+var_58]
		push	[ebp+var_3C]
		mov	edx, edi
		lea	ecx, [ebp+var_34]
		call	_IoSetEnvironmentVariableEx@20 ; IoSetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax

loc_A09D68:				; CODE XREF: ExpSetDriverEntry(x,x,x)+33Aj
					; ExpSetDriverEntry(x,x,x)+361j ...
		mov	ecx, offset _ExpEnvironmentLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	edi, [ebp+var_48]

loc_A09D81:				; CODE XREF: ExpSetDriverEntry(x,x,x)+19Aj
					; ExpSetDriverEntry(x,x,x)+1BBj ...
		mov	ebx, [ebp+var_38]

loc_A09D84:				; CODE XREF: ExpSetDriverEntry(x,x,x)+179j
		mov	eax, [ebp+var_3C]

loc_A09D87:				; CODE XREF: ExpSetDriverEntry(x,x,x)+141j
					; ExpSetDriverEntry(x,x,x)+251j
		test	eax, eax
		jz	short loc_A09D93
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A09D93:				; CODE XREF: ExpSetDriverEntry(x,x,x)+426j
		mov	eax, [ebp+var_50]
		test	eax, eax
		jz	short loc_A09DA6
		cmp	eax, ebx
		jz	short loc_A09DA6
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A09DA6:				; CODE XREF: ExpSetDriverEntry(x,x,x)+435j
					; ExpSetDriverEntry(x,x,x)+439j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 1
		cmp	[ebp+var_5C], 0
		jz	short loc_A09DCB
		mov	ecx, [ebp+var_64]
		test	ecx, ecx
		jz	short loc_A09DCB
		test	esi, esi
		js	short loc_A09DCB
		mov	eax, [ebp+var_54]
		mov	[ecx], eax

loc_A09DCB:				; CODE XREF: ExpSetDriverEntry(x,x,x)+456j
					; ExpSetDriverEntry(x,x,x)+45Dj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		jmp	short loc_A09E22
; 

loc_A09DD6:				; DATA XREF: .text:006AA5C8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_68], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A09DE6:				; DATA XREF: .text:006AA5CCo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_68]
		jmp	short loc_A09E22
; 

loc_A09DF5:				; DATA XREF: .text:006AA5BCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_6C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A09E05:				; DATA XREF: .text:006AA5C0o
		mov	esp, [ebp+ms_exc.old_esp]
		cmp	[ebp+var_48], 0
		jz	short loc_A09E18
		push	0
		push	[ebp+var_48]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A09E18:				; CODE XREF: ExpSetDriverEntry(x,x,x)+4A9j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_6C]

loc_A09E22:				; CODE XREF: ExpSetDriverEntry(x,x,x)+76j
					; ExpSetDriverEntry(x,x,x)+D9j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpSetDriverEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSetFirmwareEnvironmentVariable(x, x, x, x, x, x)
_ExpSetFirmwareEnvironmentVariable@24 proc near
					; CODE XREF: ExSetFirmwareEnvironmentVariable(x,x,x,x,x)+45p
					; NtSetSystemEnvironmentValueEx(x,x,x,x,x)+1E0p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, ecx
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_A09E6C
		lea	eax, [ebp+var_8]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		call	ExLockUserBuffer
		test	eax, eax
		js	short loc_A09EBA

loc_A09E6C:				; CODE XREF: ExpSetFirmwareEnvironmentVariable(x,x,x,x,x,x)+1Cj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpEnvironmentLock
		call	ExAcquireFastMutexUnsafe
		push	[ebp+arg_8]
		mov	edx, edi
		mov	ecx, ebx
		push	esi
		push	[ebp+var_4]
		call	_IoSetEnvironmentVariableEx@20 ; IoSetEnvironmentVariableEx(x,x,x,x,x)
		mov	ecx, offset _ExpEnvironmentLock
		mov	esi, eax
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_A09EB8
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)

loc_A09EB8:				; CODE XREF: ExpSetFirmwareEnvironmentVariable(x,x,x,x,x,x)+7Dj
		mov	eax, esi

loc_A09EBA:				; CODE XREF: ExpSetFirmwareEnvironmentVariable(x,x,x,x,x,x)+36j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_ExpSetFirmwareEnvironmentVariable@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTranslateArcPath(x, x, x, x)
_ExpTranslateArcPath@16	proc near	; CODE XREF: NtTranslateFilePath(x,x,x,x)+266p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_10], eax
		mov	edi, ecx
		mov	[ebp+var_C], eax
		mov	esi, edx
		mov	[ebp+var_8], eax
		lea	edx, [ebp+var_10]
		mov	byte ptr [ebp+var_1], al
		lea	eax, [ebp+var_1]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	ecx, [edi+0Ch]
		call	_ExpParseArcPathName@20	; ExpParseArcPathName(x,x,x,x,x)
		test	eax, eax
		js	short loc_A09F40
		cmp	byte ptr [ebp+var_1], 0
		mov	eax, [edi+8]
		jnz	short loc_A09F1E
		cmp	eax, 1
		jnz	short loc_A09F23
		push	[ebp+var_8]
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	[ebp+var_C]
		push	[ebp+var_10]
		push	[ebp+arg_4]
		call	_ExpConvertArcName@24 ;	ExpConvertArcName(x,x,x,x,x,x)
		jmp	short loc_A09F40
; 

loc_A09F1E:				; CODE XREF: ExpTranslateArcPath(x,x,x,x)+3Ej
		cmp	eax, 2
		jz	short loc_A09F2A

loc_A09F23:				; CODE XREF: ExpTranslateArcPath(x,x,x,x)+43j
		mov	eax, 0C000000Dh
		jmp	short loc_A09F40
; 

loc_A09F2A:				; CODE XREF: ExpTranslateArcPath(x,x,x,x)+60j
		push	[ebp+var_8]
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	[ebp+var_C]
		push	[ebp+var_10]
		push	[ebp+arg_4]
		call	_ExpConvertSignatureName@24 ; ExpConvertSignatureName(x,x,x,x,x,x)

loc_A09F40:				; CODE XREF: ExpTranslateArcPath(x,x,x,x)+35j
					; ExpTranslateArcPath(x,x,x,x)+5Bj ...
		pop	edi
		pop	esi
		leave
		retn	8
_ExpTranslateArcPath@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTranslateBootEntryNameToId(x, x)
_ExpTranslateBootEntryNameToId@8 proc near ; CODE XREF:	ExpIsBootEntry(x,x)+21p
					; NtEnumerateBootEntries(x,x)+1F8p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		movzx	eax, word ptr [esi]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		cmp	ax, 62h
		jnz	loc_A09FED
		movzx	eax, word ptr [esi+2]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		push	6Fh
		pop	edi
		cmp	ax, di
		jnz	short loc_A09FED
		movzx	eax, word ptr [esi+4]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		cmp	ax, di
		jnz	short loc_A09FED
		movzx	eax, word ptr [esi+6]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		cmp	ax, 74h
		jnz	short loc_A09FED
		xor	eax, eax
		push	4
		mov	edi, eax
		pop	ebx

loc_A09FA3:				; CODE XREF: ExpTranslateBootEntryNameToId(x,x)+93j
		movzx	eax, word ptr [esi+ebx*2]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		movzx	ecx, ax
		lea	eax, [ecx-30h]
		cmp	ax, 9
		ja	short loc_A09FC2
		shl	edi, 4
		add	edi, 0FFFFFFD0h
		jmp	short loc_A09FD1
; 

loc_A09FC2:				; CODE XREF: ExpTranslateBootEntryNameToId(x,x)+72j
		lea	eax, [ecx-61h]
		cmp	ax, 5
		ja	short loc_A09FED
		shl	edi, 4
		add	edi, 0FFFFFFA9h

loc_A09FD1:				; CODE XREF: ExpTranslateBootEntryNameToId(x,x)+7Aj
		mov	eax, ecx
		add	edi, eax
		inc	ebx
		cmp	ebx, 8
		jb	short loc_A09FA3
		xor	eax, eax
		cmp	[esi+10h], ax
		jnz	short loc_A09FED
		mov	eax, [ebp+var_4]
		mov	[eax], edi
		xor	eax, eax
		inc	eax
		jmp	short loc_A09FEF
; 

loc_A09FED:				; CODE XREF: ExpTranslateBootEntryNameToId(x,x)+1Cj
					; ExpTranslateBootEntryNameToId(x,x)+33j ...
		xor	eax, eax

loc_A09FEF:				; CODE XREF: ExpTranslateBootEntryNameToId(x,x)+A5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpTranslateBootEntryNameToId@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTranslateDriverEntryNameToId(x, x)
_ExpTranslateDriverEntryNameToId@8 proc	near ; CODE XREF: ExpIsDriverEntry(x,x)+21p
					; NtEnumerateDriverEntries(x,x)+1D7p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		movzx	eax, word ptr [esi]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		cmp	ax, 64h
		jnz	loc_A0A0C5
		movzx	eax, word ptr [esi+2]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		push	72h
		pop	edi
		cmp	ax, di
		jnz	loc_A0A0C5
		movzx	eax, word ptr [esi+4]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		cmp	ax, 69h
		jnz	loc_A0A0C5
		movzx	eax, word ptr [esi+6]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		cmp	ax, 76h
		jnz	short loc_A0A0C5
		movzx	eax, word ptr [esi+8]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		cmp	ax, 65h
		jnz	short loc_A0A0C5
		movzx	eax, word ptr [esi+0Ah]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		cmp	ax, di
		jnz	short loc_A0A0C5
		xor	eax, eax
		push	6
		mov	edi, eax
		pop	ebx

loc_A0A07B:				; CODE XREF: ExpTranslateDriverEntryNameToId(x,x)+BDj
		movzx	eax, word ptr [esi+ebx*2]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		movzx	ecx, ax
		lea	eax, [ecx-30h]
		cmp	ax, 9
		ja	short loc_A0A09A
		shl	edi, 4
		add	edi, 0FFFFFFD0h
		jmp	short loc_A0A0A9
; 

loc_A0A09A:				; CODE XREF: ExpTranslateDriverEntryNameToId(x,x)+9Cj
		lea	eax, [ecx-61h]
		cmp	ax, 5
		ja	short loc_A0A0C5
		shl	edi, 4
		add	edi, 0FFFFFFA9h

loc_A0A0A9:				; CODE XREF: ExpTranslateDriverEntryNameToId(x,x)+A4j
		mov	eax, ecx
		add	edi, eax
		inc	ebx
		cmp	ebx, 0Ah
		jb	short loc_A0A07B
		xor	eax, eax
		cmp	[esi+14h], ax
		jnz	short loc_A0A0C5
		mov	eax, [ebp+var_4]
		mov	[eax], edi
		xor	eax, eax
		inc	eax
		jmp	short loc_A0A0C7
; 

loc_A0A0C5:				; CODE XREF: ExpTranslateDriverEntryNameToId(x,x)+1Cj
					; ExpTranslateDriverEntryNameToId(x,x)+33j ...
		xor	eax, eax

loc_A0A0C7:				; CODE XREF: ExpTranslateDriverEntryNameToId(x,x)+CFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpTranslateDriverEntryNameToId@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTranslateEfiPath(x, x, x, x)
_ExpTranslateEfiPath@16	proc near	; CODE XREF: NtTranslateFilePath(x,x,x,x)+24Ap

var_64		= dword	ptr -64h
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[esp+70h+var_38], eax
		lea	edi, [esp+70h+var_20]
		mov	eax, [ebp+arg_4]
		mov	esi, ecx
		push	6
		mov	[esp+74h+var_3C], eax
		xor	ebx, ebx
		pop	ecx
		xor	eax, eax
		mov	[esp+70h+var_24], edx
		rep stosd
		lea	eax, [esp+70h+var_54]
		mov	[esp+70h+var_5C], ebx
		push	eax
		lea	eax, [esp+74h+var_64]
		mov	[esp+74h+var_34], ebx
		push	eax
		lea	ecx, [esi+0Ch]
		mov	[esp+78h+var_30], ebx
		lea	edx, [esp+78h+var_5C]
		mov	[esp+78h+var_2C], ebx
		mov	[esp+78h+var_28], ebx
		mov	[esp+78h+var_64], ebx
		mov	byte ptr [esp+78h+var_54], bl
		mov	[esp+78h+var_48], ebx
		mov	[esp+78h+var_44], ebx
		mov	[esp+78h+var_50], ebx
		mov	[esp+78h+var_4C], ebx
		call	_ExpParseEfiPath@16 ; ExpParseEfiPath(x,x,x,x)
		test	eax, eax
		js	loc_A0A463
		push	ebx
		lea	eax, [esp+74h+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edi, [esp+70h+var_5C]
		mov	[esp+70h+var_58], ebx
		mov	[esp+70h+var_5D], bl
		inc	ebx
		cmp	byte ptr [esp+70h+var_54], 1
		jnz	loc_A0A229
		cmp	[esp+70h+var_24], 2
		jz	loc_A0A229
		lea	ecx, [edi+18h]
		push	ebx
		lea	edx, [esp+74h+var_34]
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A0A255
		movzx	esi, word ptr [esp+70h+var_34]
		push	72766E45h
		add	esi, 16h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A0A1D9
		push	eax
		push	[esp+74h+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0A1BD:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+24Fj
		cmp	[esp+70h+var_64], 0
		jz	short loc_A0A1CF
		push	0
		push	[esp+74h+var_64]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0A1CF:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+F6j
		mov	esi, 0C000009Ah
		jmp	loc_A0A459
; 

loc_A0A1D9:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+E5j
		push	offset ??_C@_1BG@KPDPFBJH@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAV?$AAo?$AAl?$AAu?$AAm?$AAe@NNGAKEGL@
		shr	esi, 1
		push	esi
		push	ebx
		call	_wcscpy_s
		movzx	eax, word ptr [esp+7Ch+var_34]
		add	esp, 0Ch
		push	eax
		push	[esp+74h+var_30]
		push	esi
		push	ebx
		call	_wcsncat_s
		add	esp, 10h
		push	0
		push	[esp+74h+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	edx, [esp+70h+var_2C]
		mov	ecx, ebx
		call	_ExpTranslateSymbolicLink@8 ; ExpTranslateSymbolicLink(x,x)
		push	0
		push	ebx
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jns	loc_A0A36B
		xor	ebx, ebx
		inc	ebx

loc_A0A229:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+A1j
					; ExpTranslateEfiPath(x,x,x,x)+ACj
		push	[esp+70h+var_54]
		mov	eax, [edi+4]
		lea	ecx, [esp+74h+var_50]
		push	ecx
		lea	ecx, [esp+78h+var_48]
		mov	[esp+78h+var_5C], eax
		push	ecx
		lea	ecx, [esp+7Ch+var_58]
		push	ecx
		lea	edx, [esp+80h+var_5C]
		lea	ecx, [edi+18h]
		call	_ExpFindDiskSignature@24 ; ExpFindDiskSignature(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A0A270

loc_A0A255:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+C3j
		cmp	[esp+70h+var_64], 0
		jz	loc_A0A459
		push	0
		push	[esp+74h+var_64]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_A0A459
; 

loc_A0A270:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+187j
		mov	eax, [esp+70h+var_5C]
		cmp	[edi+4], eax
		jnz	loc_A0A442
		mov	eax, [edi+8]
		cmp	eax, [esp+70h+var_48]
		jnz	short loc_A0A2A1
		mov	eax, [edi+0Ch]
		cmp	eax, [esp+70h+var_44]
		jnz	short loc_A0A2A1
		mov	eax, [edi+10h]
		cmp	eax, [esp+70h+var_50]
		jnz	short loc_A0A2A1
		mov	eax, [edi+14h]
		cmp	eax, [esp+70h+var_4C]
		jz	short loc_A0A306

loc_A0A2A1:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+1B8j
					; ExpTranslateEfiPath(x,x,x,x)+1C1j ...
		mov	ecx, [esp+70h+var_58]
		lea	edx, [esp+70h+var_20]
		call	_ExpGetDriveGeometry@8 ; ExpGetDriveGeometry(x,x)
		test	eax, eax
		jns	short loc_A0A2BA
		mov	esi, ebx
		mov	[esp+70h+var_C], esi
		jmp	short loc_A0A2BE
; 

loc_A0A2BA:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+1E4j
		mov	esi, [esp+70h+var_C]

loc_A0A2BE:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+1ECj
		push	0
		push	esi
		push	[esp+78h+var_44]
		push	[esp+7Ch+var_48]
		call	__aulldiv
		cmp	[edi+8], eax
		jnz	loc_A0A442
		cmp	[edi+0Ch], edx
		jnz	loc_A0A442
		push	0
		push	esi
		push	[esp+78h+var_4C]
		push	[esp+7Ch+var_50]
		call	__aulldiv
		cmp	[edi+10h], eax
		jnz	loc_A0A442
		cmp	[edi+14h], edx
		jnz	loc_A0A442
		mov	[esp+70h+var_5D], bl

loc_A0A306:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+1D3j
		push	72766E45h
		push	5Eh
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A0A1BD
		push	[esp+70h+var_5C]
		push	[esp+74h+var_58]
		push	offset ??_C@_1EC@CDJBOKNM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@NNGAKEGL@ ; "\\Device\\Harddisk%lu\\Partition%lu"
		push	2Fh
		push	esi
		call	_swprintf_s
		add	esp, 14h
		lea	edx, [esp+70h+var_2C]
		mov	ecx, esi
		call	_ExpTranslateSymbolicLink@8 ; ExpTranslateSymbolicLink(x,x)
		push	0
		push	esi
		mov	ebx, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	ebx, ebx
		jns	short loc_A0A36B
		cmp	[esp+70h+var_64], 0
		jz	short loc_A0A364
		push	0
		push	[esp+74h+var_64]

loc_A0A35F:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+371j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0A364:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+28Bj
					; ExpTranslateEfiPath(x,x,x,x)+368j
		mov	esi, ebx
		jmp	loc_A0A459
; 

loc_A0A36B:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+154j
					; ExpTranslateEfiPath(x,x,x,x)+284j
		mov	eax, [esp+70h+var_24]
		mov	esi, [esp+70h+var_64]
		cmp	eax, 3
		jnz	short loc_A0A390
		mov	edx, [esp+70h+var_3C]
		lea	eax, [esp+70h+var_2C]
		mov	ecx, [esp+70h+var_38]
		push	esi
		push	eax
		call	_ExpCreateOutputNT@16 ;	ExpCreateOutputNT(x,x,x,x)
		jmp	loc_A0A425
; 

loc_A0A390:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+2AAj
		cmp	eax, 2
		jnz	short loc_A0A412
		cmp	[esp+70h+var_5D], 1
		jnz	short loc_A0A3B5
		mov	ecx, [esp+70h+var_58]
		lea	edx, [esp+70h+var_20]
		call	_ExpGetDriveGeometry@8 ; ExpGetDriveGeometry(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A0A427
		mov	ebx, [esp+70h+var_C]
		jmp	short loc_A0A3B8
; 

loc_A0A3B5:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+2CEj
		xor	ebx, ebx
		inc	ebx

loc_A0A3B8:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+2E7j
		mov	eax, [edi+4]
		push	0
		push	ebx
		push	dword ptr [edi+0Ch]
		mov	[esp+7Ch+var_5C], eax
		push	dword ptr [edi+8]
		call	__allmul
		push	0
		push	ebx
		push	dword ptr [edi+14h]
		mov	[esp+7Ch+var_48], eax
		push	dword ptr [edi+10h]
		mov	[esp+80h+var_44], edx
		call	__allmul
		push	[esp+70h+var_54]
		mov	ecx, [esp+74h+var_38]
		mov	[esp+74h+var_50], eax
		lea	eax, [esp+74h+var_50]
		push	esi
		push	eax
		lea	eax, [esp+7Ch+var_48]
		mov	[esp+7Ch+var_4C], edx
		mov	edx, [esp+7Ch+var_3C]
		push	eax
		lea	eax, [esp+80h+var_5C]
		push	eax
		lea	eax, [edi+18h]
		push	eax
		call	_ExpCreateOutputSIGNATURE@32 ; ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)
		jmp	short loc_A0A425
; 

loc_A0A412:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+2C7j
		mov	edx, [esp+70h+var_3C]
		lea	eax, [esp+70h+var_2C]
		mov	ecx, [esp+70h+var_38]
		push	esi
		push	eax
		call	_ExpCreateOutputARC@16 ; ExpCreateOutputARC(x,x,x,x)

loc_A0A425:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+2BFj
					; ExpTranslateEfiPath(x,x,x,x)+344j
		mov	ebx, eax

loc_A0A427:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+2E1j
		push	0
		push	[esp+74h+var_28]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	loc_A0A364
		push	0
		push	esi
		jmp	loc_A0A35F
; 

loc_A0A442:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+1ABj
					; ExpTranslateEfiPath(x,x,x,x)+205j ...
		cmp	[esp+70h+var_64], 0
		jz	short loc_A0A454
		push	0
		push	[esp+74h+var_64]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0A454:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+37Bj
		mov	esi, 0C000000Dh

loc_A0A459:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+108j
					; ExpTranslateEfiPath(x,x,x,x)+18Ej ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_A0A463:				; CODE XREF: ExpTranslateEfiPath(x,x,x,x)+7Ej
		mov	ecx, [esp+70h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_ExpTranslateEfiPath@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTranslateHexStringToGUID(x, x)
_ExpTranslateHexStringToGUID@8 proc near
					; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x):loc_A09252p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= word ptr -10h
var_E		= word ptr -0Eh
var_C		= byte ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	eax, ecx
		mov	[ebp+var_24], edx
		push	edi
		mov	edx, eax
		mov	[ebp+var_20], eax
		push	2
		pop	ebx
		xor	ecx, ecx
		lea	esi, [edx+2]

loc_A0A49E:				; CODE XREF: ExpTranslateHexStringToGUID(x,x)+2Fj
		mov	ax, [edx]
		add	edx, ebx
		cmp	ax, cx
		jnz	short loc_A0A49E
		sub	edx, esi
		sar	edx, 1
		cmp	edx, 20h
		jnz	loc_A0A5AF
		xor	eax, eax
		mov	[ebp+var_1C], ecx
		lea	edi, [ebp+var_14]
		mov	[ebp+var_18], ecx
		stosd
		mov	ebx, ecx
		mov	esi, ecx
		stosd
		stosd
		stosd
		mov	edi, ecx

loc_A0A4CA:				; CODE XREF: ExpTranslateHexStringToGUID(x,x)+124j
		mov	eax, [ebp+var_20]
		movzx	eax, word ptr [eax+ecx*2]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		movzx	ecx, ax
		lea	eax, [ecx-30h]
		cmp	ax, 9
		ja	short loc_A0A4EC
		shl	ebx, 4
		add	ebx, 0FFFFFFD0h
		jmp	short loc_A0A4FF
; 

loc_A0A4EC:				; CODE XREF: ExpTranslateHexStringToGUID(x,x)+6Bj
		lea	eax, [ecx-61h]
		cmp	ax, 5
		ja	loc_A0A5AF
		shl	ebx, 4
		add	ebx, 0FFFFFFA9h

loc_A0A4FF:				; CODE XREF: ExpTranslateHexStringToGUID(x,x)+73j
		mov	eax, ecx
		mov	ecx, [ebp+var_18]
		add	ebx, eax
		test	cl, 1
		jz	loc_A0A594
		mov	edx, [ebp+var_1C]
		movzx	eax, dx
		sub	eax, 0
		jz	short loc_A0A574
		sub	eax, 1
		jz	short loc_A0A559
		sub	eax, 1
		jz	short loc_A0A53E
		sub	eax, 1
		jnz	loc_A0A5AF
		movzx	eax, si
		inc	esi
		mov	[ebp+eax+var_C], bl
		cmp	si, 8
		jnz	short loc_A0A592
		inc	edx
		jmp	short loc_A0A58F
; 

loc_A0A53E:				; CODE XREF: ExpTranslateHexStringToGUID(x,x)+ABj
		mov	ecx, esi
		shl	ecx, 3
		shl	ebx, cl
		mov	ecx, [ebp+var_18]
		add	edi, ebx
		push	2
		inc	esi
		pop	eax
		cmp	si, ax
		jnz	short loc_A0A592
		mov	[ebp+var_E], di
		jmp	short loc_A0A58A
; 

loc_A0A559:				; CODE XREF: ExpTranslateHexStringToGUID(x,x)+A6j
		mov	ecx, esi
		shl	ecx, 3
		shl	ebx, cl
		mov	ecx, [ebp+var_18]
		add	edi, ebx
		push	2
		inc	esi
		pop	eax
		cmp	si, ax
		jnz	short loc_A0A592
		mov	[ebp+var_10], di
		jmp	short loc_A0A58A
; 

loc_A0A574:				; CODE XREF: ExpTranslateHexStringToGUID(x,x)+A1j
		mov	ecx, esi
		shl	ecx, 3
		shl	ebx, cl
		mov	ecx, [ebp+var_18]
		add	edi, ebx
		inc	esi
		cmp	si, 4
		jnz	short loc_A0A592
		mov	[ebp+var_14], edi

loc_A0A58A:				; CODE XREF: ExpTranslateHexStringToGUID(x,x)+E0j
					; ExpTranslateHexStringToGUID(x,x)+FBj
		inc	edx
		xor	esi, esi
		xor	edi, edi

loc_A0A58F:				; CODE XREF: ExpTranslateHexStringToGUID(x,x)+C5j
		mov	[ebp+var_1C], edx

loc_A0A592:				; CODE XREF: ExpTranslateHexStringToGUID(x,x)+C2j
					; ExpTranslateHexStringToGUID(x,x)+DAj	...
		xor	ebx, ebx

loc_A0A594:				; CODE XREF: ExpTranslateHexStringToGUID(x,x)+92j
		inc	ecx
		mov	[ebp+var_18], ecx
		cmp	ecx, 20h
		jb	loc_A0A4CA
		mov	edi, [ebp+var_24]
		lea	esi, [ebp+var_14]
		xor	eax, eax
		movsd
		movsd
		movsd
		movsd
		jmp	short loc_A0A5B4
; 

loc_A0A5AF:				; CODE XREF: ExpTranslateHexStringToGUID(x,x)+38j
					; ExpTranslateHexStringToGUID(x,x)+7Cj	...
		mov	eax, 0C000000Dh

loc_A0A5B4:				; CODE XREF: ExpTranslateHexStringToGUID(x,x)+136j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_ExpTranslateHexStringToGUID@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTranslateHexStringToULONG(x, x)
_ExpTranslateHexStringToULONG@8	proc near
					; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+131p
					; ExpParseSignatureName(x,x,x,x,x,x,x,x)+20Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	[ebp+var_8], edx
		mov	edx, ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], edx
		push	edi
		xor	edi, edi
		lea	ecx, [esi+2]

loc_A0A5DC:				; CODE XREF: ExpTranslateHexStringToULONG(x,x)+22j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, di
		jnz	short loc_A0A5DC
		sub	esi, ecx
		sar	esi, 1
		cmp	esi, 8
		ja	short loc_A0A639
		mov	ebx, edi
		test	esi, esi
		jz	short loc_A0A630

loc_A0A5F6:				; CODE XREF: ExpTranslateHexStringToULONG(x,x)+6Bj
		movzx	eax, word ptr [edx+ebx*2]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		movzx	ecx, ax
		lea	eax, [ecx-30h]
		cmp	ax, 9
		ja	short loc_A0A615
		shl	edi, 4
		add	edi, 0FFFFFFD0h
		jmp	short loc_A0A624
; 

loc_A0A615:				; CODE XREF: ExpTranslateHexStringToULONG(x,x)+48j
		lea	eax, [ecx-61h]
		cmp	ax, 5
		ja	short loc_A0A639
		shl	edi, 4
		add	edi, 0FFFFFFA9h

loc_A0A624:				; CODE XREF: ExpTranslateHexStringToULONG(x,x)+50j
		mov	edx, [ebp+var_4]
		mov	eax, ecx
		add	edi, eax
		inc	ebx
		cmp	ebx, esi
		jb	short loc_A0A5F6

loc_A0A630:				; CODE XREF: ExpTranslateHexStringToULONG(x,x)+31j
		mov	eax, [ebp+var_8]
		mov	[eax], edi
		xor	eax, eax
		jmp	short loc_A0A63E
; 

loc_A0A639:				; CODE XREF: ExpTranslateHexStringToULONG(x,x)+2Bj
					; ExpTranslateHexStringToULONG(x,x)+59j
		mov	eax, 0C000000Dh

loc_A0A63E:				; CODE XREF: ExpTranslateHexStringToULONG(x,x)+74j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpTranslateHexStringToULONG@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTranslateHexStringToULONGLONG(x,	x)
_ExpTranslateHexStringToULONGLONG@8 proc near
					; CODE XREF: ExpParseSignatureName(x,x,x,x,x,x,x,x)+196p
					; ExpParseSignatureName(x,x,x,x,x,x,x,x)+277p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_C], edx
		push	esi
		mov	esi, eax
		mov	[ebp+var_8], eax
		push	edi
		xor	edi, edi
		lea	ecx, [esi+2]

loc_A0A65D:				; CODE XREF: ExpTranslateHexStringToULONGLONG(x,x)+23j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, di
		jnz	short loc_A0A65D
		sub	esi, ecx
		sar	esi, 1
		cmp	esi, 10h
		ja	short loc_A0A6DD
		mov	eax, edi
		mov	ebx, edi
		mov	[ebp+var_4], eax
		test	esi, esi
		jz	short loc_A0A6D4

loc_A0A67C:				; CODE XREF: ExpTranslateHexStringToULONGLONG(x,x)+8Cj
		mov	ecx, [ebp+var_8]
		movzx	eax, word ptr [ecx+eax*2]
		push	eax		; wchar_t
		call	_towlower
		pop	ecx
		movzx	ecx, ax
		lea	eax, [ecx-30h]
		cmp	ax, 9
		ja	short loc_A0A6A9
		shld	ebx, edi, 4
		mov	eax, ecx
		shl	edi, 4
		cdq
		add	edi, eax
		adc	ebx, edx
		add	edi, 0FFFFFFD0h
		jmp	short loc_A0A6C3
; 

loc_A0A6A9:				; CODE XREF: ExpTranslateHexStringToULONGLONG(x,x)+51j
		lea	eax, [ecx-61h]
		cmp	ax, 5
		ja	short loc_A0A6DD
		shld	ebx, edi, 4
		mov	eax, ecx
		shl	edi, 4
		cdq
		add	edi, eax
		adc	ebx, edx
		add	edi, 0FFFFFFA9h

loc_A0A6C3:				; CODE XREF: ExpTranslateHexStringToULONGLONG(x,x)+64j
		mov	eax, [ebp+var_4]
		adc	ebx, 0FFFFFFFFh
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, esi
		jb	short loc_A0A67C
		mov	edx, [ebp+var_C]

loc_A0A6D4:				; CODE XREF: ExpTranslateHexStringToULONGLONG(x,x)+37j
		mov	[edx], edi
		xor	eax, eax
		mov	[edx+4], ebx
		jmp	short loc_A0A6E2
; 

loc_A0A6DD:				; CODE XREF: ExpTranslateHexStringToULONGLONG(x,x)+2Cj
					; ExpTranslateHexStringToULONGLONG(x,x)+6Dj
		mov	eax, 0C000000Dh

loc_A0A6E2:				; CODE XREF: ExpTranslateHexStringToULONGLONG(x,x)+98j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpTranslateHexStringToULONGLONG@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTranslateNtPath(x, x, x,	x)
_ExpTranslateNtPath@16 proc near	; CODE XREF: ExpConvertArcName(x,x,x,x,x,x)+16Ap
					; NtTranslateFilePath(x,x,x,x)+258p

var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_88		= dword	ptr -88h
var_80		= dword	ptr -80h
var_78		= dword	ptr -78h
var_60		= dword	ptr -60h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0D4h
		push	ebx
		xor	ebx, ebx
		mov	[esp+0D8h+var_B4], edx
		push	esi
		push	edi
		push	90h		; size_t
		lea	eax, [esp+0E4h+var_90]
		mov	[esp+0E4h+var_D0], ebx
		push	ebx		; int
		push	eax		; void *
		mov	edi, ecx
		mov	[esp+0ECh+var_BC], ebx
		mov	[esp+0ECh+var_B8], ebx
		mov	[esp+0ECh+var_C4], ebx
		mov	[esp+0ECh+var_C0], ebx
		mov	[esp+0ECh+var_B0], ebx
		mov	[esp+0ECh+var_AC], ebx
		mov	[esp+0ECh+var_CC], ebx
		call	_memset
		add	esp, 0Ch
		mov	[esp+0E0h+var_C8], ebx
		add	edi, 0Ch
		lea	eax, [esp+0E0h+var_BC]
		inc	ebx
		push	edi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	ecx, word ptr [esp+0E0h+var_BC]
		add	ecx, 2
		add	ecx, edi
		mov	esi, ecx
		lea	edx, [esi+2]

loc_A0A755:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+79j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, word ptr [esp+0E0h+var_D0]
		jnz	short loc_A0A755
		sub	esi, edx
		sar	esi, 1
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		cmp	[esp+0E0h+var_B4], ebx
		jnz	short loc_A0A7DA
		lea	edx, [esp+0E0h+var_C4]
		mov	ecx, edi
		call	_ExpTranslateSymbolicLink@8 ; ExpTranslateSymbolicLink(x,x)
		test	eax, eax
		jns	short loc_A0A7AE
		cmp	eax, 0C0000024h
		jnz	loc_A0A8DE
		mov	ax, word ptr [esp+0E0h+var_BC]
		mov	edi, [esp+0E0h+var_B8]
		mov	word ptr [esp+0E0h+var_C4], ax
		mov	ax, word ptr [esp+0E0h+var_BC+2]
		mov	word ptr [esp+0E0h+var_C4+2], ax
		xor	eax, eax
		mov	[esp+0E0h+var_C0], edi
		mov	bl, al
		jmp	short loc_A0A7B2
; 

loc_A0A7AE:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+98j
		mov	edi, [esp+0E0h+var_C0]

loc_A0A7B2:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+C5j
		mov	edx, [ebp+arg_4]
		lea	eax, [esp+0E0h+var_C4]
		mov	ecx, [ebp+arg_0]
		push	esi
		push	eax
		call	_ExpCreateOutputARC@16 ; ExpCreateOutputARC(x,x,x,x)
		mov	esi, eax
		cmp	bl, 1
		jnz	short loc_A0A7D3
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0A7D3:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+E1j
		mov	eax, esi
		jmp	loc_A0A8DE
; 

loc_A0A7DA:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+89j
		push	60h
		lea	eax, [esp+0E4h+var_BC]
		mov	[esp+0E4h+var_A8], 18h
		mov	[esp+0E4h+var_A0], eax
		xor	ecx, ecx
		push	3
		lea	eax, [esp+0E8h+var_B0]
		mov	[esp+0E8h+var_A4], ecx
		push	eax
		lea	eax, [esp+0ECh+var_A8]
		mov	[esp+0ECh+var_9C], 240h
		push	eax
		push	100080h
		lea	eax, [esp+0F4h+var_CC]
		mov	[esp+0F4h+var_98], ecx
		push	eax
		mov	[esp+0F8h+var_94], ecx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	loc_A0A8DE
		push	90h
		xor	ecx, ecx
		lea	eax, [esp+0E4h+var_90]
		push	eax
		push	ecx
		push	ecx
		push	70048h
		lea	eax, [esp+0F4h+var_B0]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[esp+104h+var_CC]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A0A8D3
		cmp	[esp+0E0h+var_90], 0
		jz	short loc_A0A86B
		cmp	[esp+0E0h+var_90], ebx
		jz	loc_A0A8F7
		mov	edi, 0C0000014h
		jmp	short loc_A0A8D3
; 

loc_A0A86B:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+171j
		mov	eax, 930h
		jmp	short loc_A0A8B4
; 

loc_A0A872:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+1E5j
		push	[esp+0E0h+var_D0]
		xor	ecx, ecx
		lea	eax, [esp+0E4h+var_B0]
		push	edi
		push	ecx
		push	ecx
		push	70050h
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[esp+104h+var_CC]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	[esp+0E0h+var_C8], eax
		test	eax, eax
		jns	short loc_A0A8E7
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [esp+0E0h+var_C8]
		cmp	edi, 0C0000023h
		jnz	short loc_A0A8D3
		mov	eax, [esp+0E0h+var_D0]
		add	eax, eax

loc_A0A8B4:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+189j
		push	72766E45h
		push	eax
		push	200h
		mov	[esp+0ECh+var_D0], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A0A872
		mov	edi, 0C000009Ah

loc_A0A8D3:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+166j
					; ExpTranslateNtPath(x,x,x,x)+182j ...
		push	[esp+0E0h+var_CC]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, edi

loc_A0A8DE:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+9Fj
					; ExpTranslateNtPath(x,x,x,x)+EEj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_A0A8E7:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+1B0j
		mov	eax, [edi+8]
		mov	[esp+0E0h+var_C8], eax
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0A8F7:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+177j
		push	[esp+0E0h+var_CC]
		call	_ZwClose@4	; ZwClose(x)
		cmp	[esp+0E0h+var_90], ebx
		jnz	short loc_A0A913
		lea	eax, [esp+0E0h+var_60]
		mov	byte ptr [esp+0E0h+var_D0], bl
		jmp	short loc_A0A91D
; 

loc_A0A913:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+21Dj
		xor	ecx, ecx
		lea	eax, [esp+0E0h+var_C8]
		mov	byte ptr [esp+0E0h+var_D0], cl

loc_A0A91D:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+22Aj
		cmp	[esp+0E0h+var_B4], 4
		lea	ecx, [esp+0E0h+var_80]
		push	[esp+0E0h+var_D0]
		mov	edx, [ebp+arg_4]
		push	esi
		push	ecx
		lea	ecx, [esp+0ECh+var_88]
		push	ecx
		lea	ecx, [esp+0F0h+var_78]
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	eax
		jnz	short loc_A0A946
		call	_ExpCreateOutputEFI@32 ; ExpCreateOutputEFI(x,x,x,x,x,x,x,x)
		jmp	short loc_A0A8DE
; 

loc_A0A946:				; CODE XREF: ExpTranslateNtPath(x,x,x,x)+256j
		call	_ExpCreateOutputSIGNATURE@32 ; ExpCreateOutputSIGNATURE(x,x,x,x,x,x,x,x)
		jmp	short loc_A0A8DE
_ExpTranslateNtPath@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTranslateSymbolicLink(x,	x)
_ExpTranslateSymbolicLink@8 proc near	; CODE XREF: ExpConvertArcName(x,x,x,x,x,x)+80p
					; ExpConvertSignatureName(x,x,x,x,x,x)+1B5p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		push	2
		pop	ebx
		xor	edi, edi
		mov	[ebp+var_C], edx
		push	ecx
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_1C], edi
		push	eax
		mov	[ebp+var_18], edi
		mov	esi, edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_34], 18h
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	1
		lea	eax, [ebp+var_4]
		mov	[ebp+var_30], edi
		push	eax
		mov	[ebp+var_28], 240h
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], edi
		call	_ZwOpenSymbolicLinkObject@12 ; ZwOpenSymbolicLinkObject(x,x,x)
		test	eax, eax
		js	loc_A0AA9C

loc_A0A9AC:				; CODE XREF: ExpTranslateSymbolicLink(x,x)+11Aj
		xor	eax, eax
		mov	word ptr [ebp+var_14], ax
		lea	eax, [ebx-2]
		mov	word ptr [ebp+var_14+2], ax
		jmp	short loc_A0A9F4
; 

loc_A0A9BB:				; CODE XREF: ExpTranslateSymbolicLink(x,x)+C2j
		test	esi, esi
		jz	short loc_A0A9C7
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0A9C7:				; CODE XREF: ExpTranslateSymbolicLink(x,x)+70j
		mov	ebx, [ebp+var_8]
		push	72766E45h
		add	ebx, 2
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A0AA7F
		xor	eax, eax
		lea	ecx, [ebx-2]
		mov	word ptr [ebp+var_14], ax
		mov	word ptr [ebp+var_14+2], cx

loc_A0A9F4:				; CODE XREF: ExpTranslateSymbolicLink(x,x)+6Cj
		lea	eax, [ebp+var_8]
		mov	[ebp+var_10], esi
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_4]
		call	_ZwQuerySymbolicLinkObject@12 ;	ZwQuerySymbolicLinkObject(x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jz	short loc_A0A9BB
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		test	edi, edi
		js	short loc_A0AA8E
		movzx	eax, word ptr [ebp+var_14]
		xor	ecx, ecx
		shr	eax, 1
		push	esi
		mov	[esi+eax*2], cx
		lea	eax, [ebp+var_1C]
		push	eax
		mov	word ptr [ebp+var_14+2], bx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_34], 18h
		mov	[ebp+var_2C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_34]
		mov	[ebp+var_30], ecx
		push	eax
		push	1
		lea	eax, [ebp+var_4]
		mov	[ebp+var_28], 240h
		push	eax
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		call	_ZwOpenSymbolicLinkObject@12 ; ZwOpenSymbolicLinkObject(x,x,x)
		test	eax, eax
		jns	loc_A0A9AC
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_14]
		mov	[ecx], eax
		mov	eax, [ebp+var_10]
		mov	[ecx+4], eax
		xor	eax, eax
		jmp	short loc_A0AA9C
; 

loc_A0AA7F:				; CODE XREF: ExpTranslateSymbolicLink(x,x)+94j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, 0C000009Ah
		jmp	short loc_A0AA9C
; 

loc_A0AA8E:				; CODE XREF: ExpTranslateSymbolicLink(x,x)+CEj
		test	esi, esi
		jz	short loc_A0AA9A
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0AA9A:				; CODE XREF: ExpTranslateSymbolicLink(x,x)+143j
		mov	eax, edi

loc_A0AA9C:				; CODE XREF: ExpTranslateSymbolicLink(x,x)+59j
					; ExpTranslateSymbolicLink(x,x)+130j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpTranslateSymbolicLink@8 endp


;  S U B	R O U T	I N E 


; __stdcall ExpUnicodeStringToNonpagedWStr(x)
_ExpUnicodeStringToNonpagedWStr@4 proc near
					; CODE XREF: NtQuerySystemEnvironmentValueEx+1300A9p
					; ExGetFirmwareEnvironmentVariable+1301D2p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		push	72766E45h
		movzx	esi, word ptr [ebx]
		lea	eax, [esi+2]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A0AAD9
		push	esi		; size_t
		push	dword ptr [ebx+4] ; void *
		push	edi		; void *
		call	_memcpy
		shr	esi, 1
		add	esp, 0Ch
		xor	eax, eax
		mov	[edi+esi*2], ax

loc_A0AAD9:				; CODE XREF: ExpUnicodeStringToNonpagedWStr(x)+21j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_ExpUnicodeStringToNonpagedWStr@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExpVerifyFilePath(x, x)
_ExpVerifyFilePath@8 proc near		; CODE XREF: ExpSetBootEntry(x,x,x)+215p
					; ExpSetDriverEntry(x,x,x)+170p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		cmp	ecx, edi
		ja	short loc_A0AB33
		lea	esi, [ecx+0Ch]
		cmp	esi, edi
		ja	short loc_A0AB33
		mov	eax, [ecx+4]
		cmp	eax, 0Ch
		jb	short loc_A0AB33
		lea	edx, [eax+ecx]
		cmp	edx, ecx
		jb	short loc_A0AB33
		cmp	edx, edi
		ja	short loc_A0AB33
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_A0AB33
		cmp	eax, 1
		ja	short loc_A0AB33
		mov	ecx, [ecx+8]
		lea	eax, [ecx-1]
		cmp	eax, 4
		ja	short loc_A0AB33
		cmp	edx, edi
		jnb	short loc_A0AB20
		mov	edi, edx

loc_A0AB20:				; CODE XREF: ExpVerifyFilePath(x,x)+3Dj
		test	ecx, ecx
		jz	short loc_A0AB33
		cmp	ecx, 2
		jbe	short loc_A0AB9D
		cmp	ecx, 3
		jz	short loc_A0AB7B
		cmp	ecx, 4
		jz	short loc_A0AB72

loc_A0AB33:				; CODE XREF: ExpVerifyFilePath(x,x)+9j
					; ExpVerifyFilePath(x,x)+10j ...
		mov	eax, 0C000000Dh

loc_A0AB38:				; CODE XREF: ExpVerifyFilePath(x,x)+BCj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_A0AB3C:				; CODE XREF: ExpVerifyFilePath(x,x)+98j
		movzx	ebx, byte ptr [esi+3]
		movzx	eax, byte ptr [esi+2]
		shl	ebx, 8
		or	ebx, eax
		cmp	ebx, 4
		jb	short loc_A0AB33
		lea	edx, [ebx+esi]
		cmp	edx, edi
		ja	short loc_A0AB33
		mov	al, [esi]
		and	al, 7Fh
		cmp	al, 7Fh
		jz	short loc_A0AB99
		cmp	al, 4
		jnz	short loc_A0AB70
		cmp	[esi+1], al
		jnz	short loc_A0AB70
		call	_ExpSafeWcslen@8 ; ExpSafeWcslen(x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_A0AB33

loc_A0AB70:				; CODE XREF: ExpVerifyFilePath(x,x)+80j
					; ExpVerifyFilePath(x,x)+85j
		add	esi, ebx

loc_A0AB72:				; CODE XREF: ExpVerifyFilePath(x,x)+52j
		lea	ecx, [esi+4]
		cmp	ecx, edi
		jbe	short loc_A0AB3C
		jmp	short loc_A0AB33
; 

loc_A0AB7B:				; CODE XREF: ExpVerifyFilePath(x,x)+4Dj
		mov	edx, edi
		mov	ecx, esi
		call	_ExpSafeWcslen@8 ; ExpSafeWcslen(x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_A0AB33
		inc	eax
		lea	ecx, [esi+eax*2]

loc_A0AB8D:				; CODE XREF: ExpVerifyFilePath(x,x)+C0j
		mov	edx, edi
		call	_ExpSafeWcslen@8 ; ExpSafeWcslen(x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_A0AB33

loc_A0AB99:				; CODE XREF: ExpVerifyFilePath(x,x)+7Cj
		xor	eax, eax
		jmp	short loc_A0AB38
; 

loc_A0AB9D:				; CODE XREF: ExpVerifyFilePath(x,x)+48j
		mov	ecx, esi
		jmp	short loc_A0AB8D
_ExpVerifyFilePath@8 endp


;  S U B	R O U T	I N E 


; __stdcall ExpVerifyWindowsOsOptions(x, x)
_ExpVerifyWindowsOsOptions@8 proc near	; CODE XREF: ExpSetBootEntry(x,x,x)+1BDp
					; NtEnumerateBootEntries(x,x)+3F9p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		lea	ebx, [esi+edi]
		lea	ecx, [esi+14h]
		mov	edx, ebx
		call	_ExpSafeWcslen@8 ; ExpSafeWcslen(x,x)
		mov	edx, eax
		mov	eax, [esi+0Ch]
		cmp	eax, 14h
		jb	short loc_A0ABF8
		cmp	eax, edi
		ja	short loc_A0ABF8
		mov	ecx, [esi+8]
		test	ecx, ecx
		jz	short loc_A0ABF8
		cmp	ecx, 1
		ja	short loc_A0ABF8
		mov	eax, [esi+10h]
		test	al, 3
		jnz	short loc_A0ABF8
		cmp	eax, edi
		jnb	short loc_A0ABF8
		cmp	edx, 0FFFFFFFFh
		jz	short loc_A0ABF8
		lea	ecx, [eax+esi]
		lea	eax, [esi+16h]
		lea	eax, [eax+edx*2]
		cmp	eax, ecx
		ja	short loc_A0ABF8
		pop	edi
		pop	esi
		mov	edx, ebx
		pop	ebx
		jmp	_ExpVerifyFilePath@8 ; ExpVerifyFilePath(x,x)
; 

loc_A0ABF8:				; CODE XREF: ExpVerifyWindowsOsOptions(x,x)+1Ej
					; ExpVerifyWindowsOsOptions(x,x)+22j ...
		pop	edi
		pop	esi
		mov	eax, 0C000000Dh
		pop	ebx
		retn
_ExpVerifyWindowsOsOptions@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAddBootEntry(x, x)
_NtAddBootEntry@8 proc near		; DATA XREF: .text:00581284o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword_6BBFD0, 2
		jz	short loc_A0AC16
		mov	eax, 0C0000002h
		jmp	short loc_A0AC24
; 

loc_A0AC16:				; CODE XREF: NtAddBootEntry(x,x)+Cj
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		inc	ecx
		call	_ExpSetBootEntry@12 ; ExpSetBootEntry(x,x,x)

loc_A0AC24:				; CODE XREF: NtAddBootEntry(x,x)+13j
		pop	ebp
		retn	8
_NtAddBootEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAddDriverEntry(x,	x)
_NtAddDriverEntry@8 proc near		; DATA XREF: .text:00581280o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword_6BBFD0, 2
		jz	short loc_A0AC3D
		mov	eax, 0C0000002h
		jmp	short loc_A0AC4B
; 

loc_A0AC3D:				; CODE XREF: NtAddDriverEntry(x,x)+Cj
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		inc	ecx
		call	_ExpSetDriverEntry@12 ;	ExpSetDriverEntry(x,x,x)

loc_A0AC4B:				; CODE XREF: NtAddDriverEntry(x,x)+13j
		pop	ebp
		retn	8
_NtAddDriverEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtDeleteBootEntry(x)
_NtDeleteBootEntry@4 proc near		; DATA XREF: .text:005810BCo

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		cmp	dword_6BBFD0, 2
		push	ebx
		push	esi
		push	edi
		jz	short loc_A0AC7B
		mov	eax, 0C0000002h
		jmp	loc_A0AD92
; 

loc_A0AC7B:				; CODE XREF: NtDeleteBootEntry(x)+20j
		mov	esi, [ebp+arg_0]
		cmp	esi, 0FFFFh
		jbe	short loc_A0AC90
		mov	eax, 0C000000Dh
		jmp	loc_A0AD92
; 

loc_A0AC90:				; CODE XREF: NtDeleteBootEntry(x)+35j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+30h+var_1C], al
		test	al, al
		jz	short loc_A0ACC7
		push	[esp+30h+var_1C]
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0ACC7
		mov	eax, 0C0000061h
		jmp	loc_A0AD92
; 

loc_A0ACC7:				; CODE XREF: NtDeleteBootEntry(x)+53j
					; NtDeleteBootEntry(x)+6Cj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpEnvironmentLock
		call	ExAcquireFastMutexUnsafe
		push	esi
		push	offset ??_C@_1BC@NAPILJKH@?$AAB?$AAo?$AAo?$AAt?$AA?$CF?$AA0?$AA4?$AAX@NNGAKEGL@
		lea	eax, [esp+38h+var_18]
		push	9
		push	eax
		call	_swprintf_s
		add	esp, 10h
		lea	eax, [esp+30h+var_20]
		xor	ebx, ebx
		lea	ecx, [esp+30h+var_18]
		mov	edx, offset _EfiBootVariablesGuid
		mov	[esp+30h+var_20], ebx
		push	ebx
		push	eax
		push	ebx
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000100h
		jnz	short loc_A0AD5A
		lea	ecx, [esi+esi]
		or	ecx, esi
		and	ecx, 0C4444444h
		add	ecx, ecx
		test	ecx, esi
		jz	short loc_A0AD7A
		push	esi
		push	offset ??_C@_1BC@HAMKBGJJ@?$AAB?$AAo?$AAo?$AAt?$AA?$CF?$AA0?$AA4?$AAx@NNGAKEGL@	; "Boot%04x"
		lea	eax, [esp+38h+var_18]
		push	9
		push	eax
		call	_swprintf_s
		add	esp, 10h
		mov	[esp+30h+var_20], ebx
		lea	eax, [esp+30h+var_20]
		mov	edx, offset _EfiBootVariablesGuid
		lea	ecx, [esp+30h+var_18]
		push	ebx
		push	eax
		push	ebx
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	edi, eax

loc_A0AD5A:				; CODE XREF: NtDeleteBootEntry(x)+C8j
		test	edi, edi
		jz	short loc_A0AD66
		cmp	edi, 0C0000023h
		jnz	short loc_A0AD7A

loc_A0AD66:				; CODE XREF: NtDeleteBootEntry(x)+10Dj
		push	1
		push	ebx
		push	ebx
		mov	edx, offset _EfiBootVariablesGuid
		lea	ecx, [esp+3Ch+var_18]
		call	_IoSetEnvironmentVariableEx@20 ; IoSetEnvironmentVariableEx(x,x,x,x,x)
		mov	edi, eax

loc_A0AD7A:				; CODE XREF: NtDeleteBootEntry(x)+D9j
					; NtDeleteBootEntry(x)+115j
		mov	ecx, offset _ExpEnvironmentLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi

loc_A0AD92:				; CODE XREF: NtDeleteBootEntry(x)+27j
					; NtDeleteBootEntry(x)+3Cj ...
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_NtDeleteBootEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtDeleteDriverEntry(x)
_NtDeleteDriverEntry@4 proc near	; DATA XREF: .text:005810B8o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		cmp	dword_6BBFD0, 2
		push	ebx
		push	esi
		push	edi
		jz	short loc_A0ADD2
		mov	eax, 0C0000002h
		jmp	loc_A0AEE9
; 

loc_A0ADD2:				; CODE XREF: NtDeleteDriverEntry(x)+20j
		mov	esi, [ebp+arg_0]
		cmp	esi, 0FFFFh
		jbe	short loc_A0ADE7
		mov	eax, 0C000000Dh
		jmp	loc_A0AEE9
; 

loc_A0ADE7:				; CODE XREF: NtDeleteDriverEntry(x)+35j
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+30h+var_20], al
		test	al, al
		jz	short loc_A0AE1E
		push	[esp+30h+var_20]
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0AE1E
		mov	eax, 0C0000061h
		jmp	loc_A0AEE9
; 

loc_A0AE1E:				; CODE XREF: NtDeleteDriverEntry(x)+53j
					; NtDeleteDriverEntry(x)+6Cj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpEnvironmentLock
		call	ExAcquireFastMutexUnsafe
		push	esi
		push	offset ??_C@_1BG@CKOONOBM@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?$CF?$AA0?$AA4?$AAX@NNGAKEGL@
		lea	eax, [esp+38h+var_1C]
		push	0Bh
		push	eax
		call	_swprintf_s
		add	esp, 10h
		lea	eax, [esp+30h+var_24]
		xor	ebx, ebx
		lea	ecx, [esp+30h+var_1C]
		mov	edx, offset _EfiDriverVariablesGuid
		mov	[esp+30h+var_24], ebx
		push	ebx
		push	eax
		push	ebx
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000100h
		jnz	short loc_A0AEB1
		lea	ecx, [esi+esi]
		or	ecx, esi
		and	ecx, 0C4444444h
		add	ecx, ecx
		test	ecx, esi
		jz	short loc_A0AED1
		push	esi
		push	offset ??_C@_1BG@IKNMHBCC@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?$CF?$AA0?$AA4?$AAx@NNGAKEGL@
		lea	eax, [esp+38h+var_1C]
		push	0Bh
		push	eax
		call	_swprintf_s
		add	esp, 10h
		mov	[esp+30h+var_24], ebx
		lea	eax, [esp+30h+var_24]
		mov	edx, offset _EfiDriverVariablesGuid
		lea	ecx, [esp+30h+var_1C]
		push	ebx
		push	eax
		push	ebx
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	edi, eax

loc_A0AEB1:				; CODE XREF: NtDeleteDriverEntry(x)+C8j
		test	edi, edi
		jz	short loc_A0AEBD
		cmp	edi, 0C0000023h
		jnz	short loc_A0AED1

loc_A0AEBD:				; CODE XREF: NtDeleteDriverEntry(x)+10Dj
		push	1
		push	ebx
		push	ebx
		mov	edx, offset _EfiDriverVariablesGuid
		lea	ecx, [esp+3Ch+var_1C]
		call	_IoSetEnvironmentVariableEx@20 ; IoSetEnvironmentVariableEx(x,x,x,x,x)
		mov	edi, eax

loc_A0AED1:				; CODE XREF: NtDeleteDriverEntry(x)+D9j
					; NtDeleteDriverEntry(x)+115j
		mov	ecx, offset _ExpEnvironmentLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, edi

loc_A0AEE9:				; CODE XREF: NtDeleteDriverEntry(x)+27j
					; NtDeleteDriverEntry(x)+3Cj ...
		mov	ecx, [esp+30h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_NtDeleteDriverEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtEnumerateBootEntries(x, x)
_NtEnumerateBootEntries@8 proc near	; DATA XREF: .text:0058107Co

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	70h
		push	offset dword_6AA720
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_64], ecx
		cmp	dword_6BBFD0, 2
		jz	short loc_A0AF24
		mov	eax, 0C0000002h
		jmp	loc_A0B42D
; 

loc_A0AF24:				; CODE XREF: NtEnumerateBootEntries(x,x)+1Bj
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		and	eax, 0FFFFFFFCh
		cmp	eax, edi
		jz	short loc_A0AF3A
		mov	eax, 0C000000Dh
		jmp	loc_A0B42D
; 

loc_A0AF3A:				; CODE XREF: NtEnumerateBootEntries(x,x)+31j
		mov	[ebp+ms_exc.disabled], ecx
		mov	eax, large fs:124h
		mov	[ebp+arg_0], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_50], al
		test	al, al
		jz	short loc_A0AFAC
		mov	edx, [ebp+arg_4]
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_A0AF63
		mov	ecx, eax

loc_A0AF63:				; CODE XREF: NtEnumerateBootEntries(x,x)+62j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [edx]
		mov	[ebp+var_3C], eax
		mov	esi, edi
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	[ebp+var_3C], esi
		jz	short loc_A0AF82
		push	4
		push	esi
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_A0AF82:				; CODE XREF: NtEnumerateBootEntries(x,x)+7Aj
		mov	ebx, [ebp+var_50]
		push	ebx
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0AFC2
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000061h
		jmp	loc_A0B42D
; 

loc_A0AFAC:				; CODE XREF: NtEnumerateBootEntries(x,x)+54j
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		mov	[ebp+var_3C], eax
		mov	esi, edi
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	[ebp+var_3C], esi
		mov	ebx, [ebp+var_50]

loc_A0AFC2:				; CODE XREF: NtEnumerateBootEntries(x,x)+9Cj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		jz	short loc_A0AFE9
		lea	eax, [ebp+var_64]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	1
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	ExLockUserBuffer
		test	eax, eax
		js	loc_A0B42D

loc_A0AFE9:				; CODE XREF: NtEnumerateBootEntries(x,x)+CEj
		mov	edi, [ebp+var_4C]
		xor	eax, eax
		test	esi, esi
		setnz	al
		mov	[ebp+var_28], eax
		and	[ebp+var_38], 0
		xor	eax, eax
		mov	[ebp+var_48], eax
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpEnvironmentLock
		call	ExAcquireFastMutexUnsafe
		mov	eax, 2000h
		mov	[ebp+var_1C], eax
		push	72766E45h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_34], eax
		mov	ebx, eax
		neg	ebx
		sbb	ebx, ebx
		and	ebx, [ebp+var_1C]
		mov	[ebp+var_1C], ebx
		jmp	short loc_A0B077
; 

loc_A0B040:				; CODE XREF: NtEnumerateBootEntries(x,x)+194j
		mov	eax, [ebp+var_1C]
		cmp	ebx, eax
		jnb	short loc_A0B093
		mov	ecx, [ebp+var_34]
		test	ecx, ecx
		jz	short loc_A0B059
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_1C]

loc_A0B059:				; CODE XREF: NtEnumerateBootEntries(x,x)+14Fj
		push	72766E45h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_34], eax
		test	eax, eax
		jz	loc_A0B1B1
		mov	ebx, [ebp+var_1C]

loc_A0B077:				; CODE XREF: NtEnumerateBootEntries(x,x)+141j
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		push	2
		mov	edx, offset _ExpIsBootEntry@8 ;	ExpIsBootEntry(x,x)
		pop	ecx
		call	_IoEnumerateEnvironmentVariablesEx@16 ;	IoEnumerateEnvironmentVariablesEx(x,x,x,x)
		cmp	eax, 0C0000023h
		mov	[ebp+arg_0], eax
		jz	short loc_A0B040

loc_A0B093:				; CODE XREF: NtEnumerateBootEntries(x,x)+148j
		mov	ebx, [ebp+arg_0]

loc_A0B096:				; CODE XREF: NtEnumerateBootEntries(x,x)+2B9j
		mov	ecx, offset _ExpEnvironmentLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	ebx, ebx
		jnz	loc_A0B3A8
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	loc_A0B3A8
		mov	ecx, [ebp+var_34]
		mov	edx, ecx
		lea	eax, [ecx+eax*2]
		mov	[ebp+var_68], eax

loc_A0B0CA:				; CODE XREF: NtEnumerateBootEntries(x,x)+49Aj
		mov	[ebp+var_24], edx
		and	[ebp+var_54], 0
		push	10h		; size_t
		push	offset _EfiBootVariablesGuid ; void *
		lea	eax, [edx+10h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A0B389
		mov	ecx, [ebp+var_24]
		add	ecx, 20h
		lea	edx, [ebp+var_54]
		call	_ExpTranslateBootEntryNameToId@8 ; ExpTranslateBootEntryNameToId(x,x)
		test	eax, eax
		jz	loc_A0B389
		mov	eax, [ebp+var_24]
		mov	eax, [eax+8]
		mov	[ebp+var_20], eax
		cmp	eax, 8
		jb	loc_A0B389
		mov	eax, [ebp+var_24]
		mov	ecx, [eax+4]
		add	ecx, eax
		mov	[ebp+var_58], ecx
		movzx	eax, word ptr [ecx+4]
		mov	[ebp+var_30], eax
		lea	eax, [ecx+6]
		mov	[ebp+var_74], eax
		mov	edx, [ebp+var_68]
		mov	ecx, eax
		call	_ExpSafeWcslen@8 ; ExpSafeWcslen(x,x)
		mov	[ebp+var_2C], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_A0B148
		lea	eax, ds:2[eax*2]
		mov	[ebp+var_2C], eax

loc_A0B148:				; CODE XREF: NtEnumerateBootEntries(x,x)+23Fj
		mov	ecx, [ebp+var_30]
		lea	edx, [ecx+6]
		add	edx, eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_A0B389
		mov	eax, [ebp+var_20]
		cmp	ecx, eax
		jnb	loc_A0B389
		cmp	eax, edx
		jb	loc_A0B389
		mov	byte ptr [ebp+arg_0+3],	1
		mov	ecx, [ebp+var_58]
		mov	eax, [ebp+var_2C]
		add	eax, 6
		add	ecx, eax
		mov	[ebp+var_44], ecx
		mov	eax, [ebp+var_30]
		add	eax, ecx
		mov	[ebp+var_70], eax
		sub	[ebp+var_20], edx
		lea	ecx, [edi+3]
		mov	eax, ecx
		and	eax, 0FFFFFFFCh
		cmp	eax, edi
		jz	short loc_A0B1BD
		and	ecx, 0FFFFFFFCh
		mov	eax, ecx
		sub	eax, edi
		mov	edi, ecx
		cmp	esi, eax
		jnb	short loc_A0B1BB
		and	[ebp+var_28], 0
		xor	esi, esi
		mov	[ebp+var_38], 0C0000023h
		jmp	short loc_A0B1BD
; 

loc_A0B1B1:				; CODE XREF: NtEnumerateBootEntries(x,x)+171j
		mov	ebx, 0C000009Ah
		jmp	loc_A0B096
; 

loc_A0B1BB:				; CODE XREF: NtEnumerateBootEntries(x,x)+2A3j
		sub	esi, eax

loc_A0B1BD:				; CODE XREF: NtEnumerateBootEntries(x,x)+296j
					; NtEnumerateBootEntries(x,x)+2B2j
		mov	eax, [ebp+var_30]
		lea	ecx, [eax+0Ch]
		mov	[ebp+var_40], ecx
		cmp	esi, ecx
		jnb	short loc_A0B1D8
		xor	esi, esi
		and	[ebp+var_28], esi
		mov	[ebp+var_38], 0C0000023h
		jmp	short loc_A0B213
; 

loc_A0B1D8:				; CODE XREF: NtEnumerateBootEntries(x,x)+2CBj
		mov	dword ptr [edi], 1
		mov	[edi+4], ecx
		mov	dword ptr [edi+8], 4
		push	eax		; size_t
		push	[ebp+var_44]	; void *
		lea	eax, [edi+0Ch]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	edx, [edi+4]
		add	edx, edi
		mov	ecx, edi
		call	_ExpVerifyFilePath@8 ; ExpVerifyFilePath(x,x)
		test	eax, eax
		jns	short loc_A0B213
		mov	byte ptr [ebp+arg_0+3],	0
		mov	[ebp+var_40], 10h

loc_A0B213:				; CODE XREF: NtEnumerateBootEntries(x,x)+2D9j
					; NtEnumerateBootEntries(x,x)+309j
		mov	ecx, [ebp+var_20]
		add	ecx, 1Fh
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_5C], ecx
		mov	eax, [ebp+var_2C]
		add	eax, 3
		add	ecx, eax
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_60], ecx
		add	ecx, [ebp+var_40]
		mov	[ebp+var_6C], ecx
		add	ecx, 4
		mov	[ebp+var_78], ecx
		cmp	esi, ecx
		jnb	short loc_A0B244
		mov	[ebp+var_38], 0C0000023h

loc_A0B244:				; CODE XREF: NtEnumerateBootEntries(x,x)+33Ej
		sbb	eax, eax
		not	eax
		and	eax, [ebp+var_28]
		mov	edx, eax
		mov	[ebp+var_28], edx
		mov	eax, esi
		sub	eax, ecx
		cmp	esi, ecx
		sbb	esi, esi
		not	esi
		and	esi, eax
		test	edx, edx
		jz	loc_A0B387
		push	ecx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [edi+4], 1
		mov	eax, [ebp+var_6C]
		mov	[edi+8], eax
		mov	eax, [ebp+var_54]
		mov	[edi+0Ch], eax
		and	dword ptr [edi+10h], 0
		mov	eax, [ebp+var_58]
		mov	edx, [eax]
		xor	ecx, ecx
		test	dl, 1
		jz	short loc_A0B299
		inc	ecx
		mov	[edi+10h], ecx
		mov	edx, [eax]

loc_A0B299:				; CODE XREF: NtEnumerateBootEntries(x,x)+394j
		test	dl, 8
		jz	short loc_A0B2A4
		or	ecx, 10h
		mov	[edi+10h], ecx

loc_A0B2A4:				; CODE XREF: NtEnumerateBootEntries(x,x)+39Fj
		mov	eax, [ebp+var_5C]
		mov	[edi+14h], eax
		mov	eax, [ebp+var_60]
		mov	[edi+18h], eax
		mov	eax, [ebp+var_20]
		mov	[edi+1Ch], eax
		lea	ecx, [edi+20h]
		push	eax		; size_t
		push	[ebp+var_70]	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	[ebp+var_20], 14h
		jbe	short loc_A0B303
		xor	ecx, ecx

loc_A0B2CE:				; CODE XREF: NtEnumerateBootEntries(x,x)+3E7j
		movzx	eax, byte ptr [edi+ecx+20h]
		mov	edx, offset ??_C@_07LHJOABLP@WINDOWS@NNGAKEGL@ ; "WINDOWS"
		cmp	al, [edx+ecx]
		mov	edx, [ebp+var_20]
		jnz	short loc_A0B2EA
		inc	ecx
		cmp	ecx, 8
		jnz	short loc_A0B2CE
		xor	eax, eax
		jmp	short loc_A0B2EF
; 

loc_A0B2EA:				; CODE XREF: NtEnumerateBootEntries(x,x)+3E1j
		sbb	eax, eax
		or	eax, 1

loc_A0B2EF:				; CODE XREF: NtEnumerateBootEntries(x,x)+3EBj
		test	eax, eax
		jnz	short loc_A0B303
		lea	ecx, [edi+20h]
		call	_ExpVerifyWindowsOsOptions@8 ; ExpVerifyWindowsOsOptions(x,x)
		test	eax, eax
		js	short loc_A0B303
		or	dword ptr [edi+10h], 4

loc_A0B303:				; CODE XREF: NtEnumerateBootEntries(x,x)+3CDj
					; NtEnumerateBootEntries(x,x)+3F4j ...
		mov	eax, [ebp+var_5C]
		add	eax, 4
		add	eax, edi
		push	[ebp+var_2C]	; size_t
		push	[ebp+var_74]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_60]
		mov	dword ptr [edi+eax+4], 1
		mov	ecx, [ebp+var_40]
		mov	[edi+eax+8], ecx
		mov	dword ptr [edi+eax+0Ch], 4
		lea	edx, [eax+10h]
		add	edx, edi
		cmp	byte ptr [ebp+arg_0+3],	0
		jz	short loc_A0B361
		mov	eax, [ebp+var_30]
		push	eax		; size_t
		push	[ebp+var_44]	; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ecx, [ebp+var_44]
		call	_ExpIsDevicePathForRemovableMedia@4 ; ExpIsDevicePathForRemovableMedia(x)
		test	eax, eax
		jz	short loc_A0B374
		or	dword ptr [edi+10h], 8
		jmp	short loc_A0B374
; 

loc_A0B361:				; CODE XREF: NtEnumerateBootEntries(x,x)+440j
		or	dword ptr [edi+10h], 20h
		mov	byte ptr [edx],	7Fh
		mov	word ptr [edi+eax+11h],	4FFh
		mov	byte ptr [edi+eax+13h],	0

loc_A0B374:				; CODE XREF: NtEnumerateBootEntries(x,x)+45Cj
					; NtEnumerateBootEntries(x,x)+462j
		mov	ecx, [ebp+var_48]
		test	ecx, ecx
		jz	short loc_A0B381
		mov	eax, edi
		sub	eax, ecx
		mov	[ecx], eax

loc_A0B381:				; CODE XREF: NtEnumerateBootEntries(x,x)+47Cj
		mov	[ebp+var_48], edi
		mov	ecx, [ebp+var_78]

loc_A0B387:				; CODE XREF: NtEnumerateBootEntries(x,x)+361j
		add	edi, ecx

loc_A0B389:				; CODE XREF: NtEnumerateBootEntries(x,x)+1E9j
					; NtEnumerateBootEntries(x,x)+1FFj ...
		mov	eax, [ebp+var_24]
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_A0B39C
		mov	edx, [ebp+var_24]
		add	edx, eax
		jmp	loc_A0B0CA
; 

loc_A0B39C:				; CODE XREF: NtEnumerateBootEntries(x,x)+493j
		mov	eax, [ebp+var_48]
		test	eax, eax
		jz	short loc_A0B3B5
		and	dword ptr [eax], 0
		jmp	short loc_A0B3B5
; 

loc_A0B3A8:				; CODE XREF: NtEnumerateBootEntries(x,x)+1B1j
					; NtEnumerateBootEntries(x,x)+1BCj
		cmp	ebx, 0C0000023h
		jnz	short loc_A0B3B5
		mov	ebx, 0C0000206h

loc_A0B3B5:				; CODE XREF: NtEnumerateBootEntries(x,x)+4A4j
					; NtEnumerateBootEntries(x,x)+4A9j ...
		mov	eax, [ebp+var_34]
		test	eax, eax
		jz	short loc_A0B3C4
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0B3C4:				; CODE XREF: NtEnumerateBootEntries(x,x)+4BDj
		mov	ecx, [ebp+var_64]
		test	ecx, ecx
		jz	short loc_A0B3D0
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)

loc_A0B3D0:				; CODE XREF: NtEnumerateBootEntries(x,x)+4CCj
		test	ebx, ebx
		js	short loc_A0B3D7
		mov	ebx, [ebp+var_38]

loc_A0B3D7:				; CODE XREF: NtEnumerateBootEntries(x,x)+4D5j
		mov	[ebp+ms_exc.disabled], 1
		sub	edi, [ebp+var_4C]
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ebx
		jmp	short loc_A0B42D
; 

loc_A0B3F1:				; DATA XREF: .text:006AA740o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_7C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0B401:				; DATA XREF: .text:006AA744o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_7C]
		jmp	short loc_A0B42D
; 

loc_A0B410:				; DATA XREF: .text:006AA734o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_80], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0B420:				; DATA XREF: .text:006AA738o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_80]

loc_A0B42D:				; CODE XREF: NtEnumerateBootEntries(x,x)+22j
					; NtEnumerateBootEntries(x,x)+38j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtEnumerateBootEntries@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtEnumerateDriverEntries(x,	x)
_NtEnumerateDriverEntries@8 proc near	; DATA XREF: .text:00581078o

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	58h
		push	offset dword_6AA640
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_30], ecx
		cmp	dword_6BBFD0, 2
		jz	short loc_A0B469
		mov	eax, 0C0000002h
		jmp	loc_A0B80F
; 

loc_A0B469:				; CODE XREF: NtEnumerateDriverEntries(x,x)+1Ej
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		and	eax, 0FFFFFFFCh
		cmp	eax, edi
		jz	short loc_A0B47F
		mov	eax, 0C000000Dh
		jmp	loc_A0B80F
; 

loc_A0B47F:				; CODE XREF: NtEnumerateDriverEntries(x,x)+34j
		mov	[ebp+ms_exc.disabled], ecx
		mov	eax, large fs:124h
		mov	[ebp+var_60], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_3C], al
		test	al, al
		jz	short loc_A0B4F1
		mov	edx, [ebp+arg_4]
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_A0B4A8
		mov	ecx, eax

loc_A0B4A8:				; CODE XREF: NtEnumerateDriverEntries(x,x)+65j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [edx]
		mov	[ebp+var_20], eax
		mov	esi, edi
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	[ebp+var_20], esi
		jz	short loc_A0B4C7
		push	4
		push	esi
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_A0B4C7:				; CODE XREF: NtEnumerateDriverEntries(x,x)+7Dj
		mov	ebx, [ebp+var_3C]
		push	ebx
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0B507
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000061h
		jmp	loc_A0B80F
; 

loc_A0B4F1:				; CODE XREF: NtEnumerateDriverEntries(x,x)+57j
		mov	eax, [ebp+arg_4]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		mov	esi, edi
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	[ebp+var_20], esi
		mov	ebx, [ebp+var_3C]

loc_A0B507:				; CODE XREF: NtEnumerateDriverEntries(x,x)+9Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	esi, esi
		jz	short loc_A0B52E
		lea	eax, [ebp+var_4C]
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		push	1
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	ExLockUserBuffer
		test	eax, eax
		js	loc_A0B80F

loc_A0B52E:				; CODE XREF: NtEnumerateDriverEntries(x,x)+D1j
		mov	edi, [ebp+var_38]
		xor	ebx, ebx
		mov	[ebp+var_34], ebx
		xor	eax, eax
		test	esi, esi
		setnz	al
		mov	[ebp+var_24], eax
		mov	[ebp+var_2C], ebx
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpEnvironmentLock
		call	ExAcquireFastMutexUnsafe
		mov	[ebp+arg_0], ebx
		lea	eax, [ebp+arg_0]
		push	eax
		push	ebx
		mov	edx, offset _ExpIsDriverEntry@8	; ExpIsDriverEntry(x,x)
		push	2
		pop	ecx
		call	_IoEnumerateEnvironmentVariablesEx@16 ;	IoEnumerateEnvironmentVariablesEx(x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		cmp	ebx, 0C0000023h
		jz	short loc_A0B583
		and	[ebp+arg_0], 0
		jmp	short loc_A0B5BD
; 

loc_A0B583:				; CODE XREF: NtEnumerateDriverEntries(x,x)+13Cj
		push	72766E45h
		push	[ebp+arg_0]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_30], eax
		test	eax, eax
		jnz	short loc_A0B5A6
		mov	ebx, 0C000009Ah
		mov	[ebp+var_1C], ebx
		jmp	short loc_A0B5BD
; 

loc_A0B5A6:				; CODE XREF: NtEnumerateDriverEntries(x,x)+15Bj
		lea	ecx, [ebp+arg_0]
		push	ecx
		push	eax
		mov	edx, offset _ExpIsDriverEntry@8	; ExpIsDriverEntry(x,x)
		push	2
		pop	ecx
		call	_IoEnumerateEnvironmentVariablesEx@16 ;	IoEnumerateEnvironmentVariablesEx(x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_1C], eax

loc_A0B5BD:				; CODE XREF: NtEnumerateDriverEntries(x,x)+142j
					; NtEnumerateDriverEntries(x,x)+165j
		mov	ecx, offset _ExpEnvironmentLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	ebx, ebx
		jnz	loc_A0B797
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	loc_A0B797
		mov	eax, [ebp+var_30]
		mov	ebx, eax
		lea	eax, [eax+ecx*2]
		mov	[ebp+var_50], eax

loc_A0B5F1:				; CODE XREF: NtEnumerateDriverEntries(x,x)+346j
		and	[ebp+var_40], 0
		push	10h		; size_t
		push	offset _EfiDriverVariablesGuid ; void *
		lea	eax, [ebx+10h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A0B77D
		lea	ecx, [ebx+20h]
		lea	edx, [ebp+var_40]
		call	_ExpTranslateDriverEntryNameToId@8 ; ExpTranslateDriverEntryNameToId(x,x)
		test	eax, eax
		jz	loc_A0B77D
		mov	eax, [ebx+8]
		mov	[ebp+var_48], eax
		cmp	eax, 8
		jb	loc_A0B77D
		mov	eax, [ebx+4]
		add	eax, ebx
		mov	[ebp+var_58], eax
		movzx	ecx, word ptr [eax+4]
		mov	[ebp+var_28], ecx
		add	eax, 6
		mov	[ebp+var_5C], eax
		mov	edx, [ebp+var_50]
		mov	ecx, eax
		call	_ExpSafeWcslen@8 ; ExpSafeWcslen(x,x)
		mov	ecx, eax
		mov	[ebp+var_44], eax
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_A0B665
		lea	ecx, ds:2[ecx*2]
		mov	[ebp+var_44], ecx

loc_A0B665:				; CODE XREF: NtEnumerateDriverEntries(x,x)+21Aj
		mov	edx, [ebp+var_28]
		lea	eax, [edx+6]
		add	eax, ecx
		mov	[ebp+var_54], eax
		cmp	ecx, 0FFFFFFFFh
		jz	loc_A0B77D
		mov	eax, [ebp+var_48]
		cmp	edx, eax
		jnb	loc_A0B77D
		cmp	eax, [ebp+var_54]
		jb	loc_A0B77D
		mov	eax, [ebp+var_58]
		add	eax, 6
		add	eax, ecx
		mov	[ebp+var_54], eax
		lea	edx, [edi+3]
		mov	eax, edx
		and	eax, 0FFFFFFFCh
		cmp	eax, edi
		jz	short loc_A0B6C0
		and	edx, 0FFFFFFFCh
		mov	eax, edx
		sub	eax, edi
		mov	edi, edx
		cmp	esi, eax
		jnb	short loc_A0B6BE
		xor	edx, edx
		xor	esi, esi
		mov	[ebp+var_34], 0C0000023h
		jmp	short loc_A0B6C3
; 

loc_A0B6BE:				; CODE XREF: NtEnumerateDriverEntries(x,x)+270j
		sub	esi, eax

loc_A0B6C0:				; CODE XREF: NtEnumerateDriverEntries(x,x)+263j
		mov	edx, [ebp+var_24]

loc_A0B6C3:				; CODE XREF: NtEnumerateDriverEntries(x,x)+27Dj
		lea	eax, [ecx+17h]
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_48], eax
		mov	ecx, [ebp+var_28]
		add	ecx, 0Ch
		add	ecx, eax
		mov	[ebp+var_58], ecx
		add	ecx, 4
		mov	[ebp+var_60], ecx
		cmp	esi, ecx
		jnb	short loc_A0B6E8
		mov	[ebp+var_34], 0C0000023h

loc_A0B6E8:				; CODE XREF: NtEnumerateDriverEntries(x,x)+2A0j
		sbb	eax, eax
		not	eax
		and	edx, eax
		mov	[ebp+var_24], edx
		mov	eax, esi
		sub	eax, ecx
		cmp	esi, ecx
		sbb	esi, esi
		not	esi
		and	esi, eax
		test	edx, edx
		jz	short loc_A0B77B
		push	ecx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	dword ptr [edi+4], 1
		mov	eax, [ebp+var_58]
		mov	[edi+8], eax
		mov	eax, [ebp+var_40]
		mov	[edi+0Ch], eax
		mov	dword ptr [edi+10h], 14h
		mov	eax, [ebp+var_48]
		mov	[edi+14h], eax
		lea	eax, [edi+18h]
		push	[ebp+var_44]	; size_t
		push	[ebp+var_5C]	; void *
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_48]
		mov	dword ptr [edi+ecx+4], 1
		mov	edx, [ebp+var_28]
		lea	eax, [edx+0Ch]
		mov	[edi+ecx+8], eax
		mov	dword ptr [edi+ecx+0Ch], 4
		push	edx		; size_t
		push	[ebp+var_54]	; void *
		lea	eax, [ecx+10h]
		add	eax, edi
		push	eax		; void *
		call	_memcpy
		add	esp, 24h
		mov	ecx, [ebp+var_2C]
		test	ecx, ecx
		jz	short loc_A0B775
		mov	eax, edi
		sub	eax, ecx
		mov	[ecx], eax

loc_A0B775:				; CODE XREF: NtEnumerateDriverEntries(x,x)+32Ej
		mov	[ebp+var_2C], edi
		mov	ecx, [ebp+var_60]

loc_A0B77B:				; CODE XREF: NtEnumerateDriverEntries(x,x)+2C0j
		add	edi, ecx

loc_A0B77D:				; CODE XREF: NtEnumerateDriverEntries(x,x)+1CBj
					; NtEnumerateDriverEntries(x,x)+1DEj ...
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_A0B78A
		add	ebx, eax
		jmp	loc_A0B5F1
; 

loc_A0B78A:				; CODE XREF: NtEnumerateDriverEntries(x,x)+342j
		mov	eax, [ebp+var_2C]
		mov	ebx, [ebp+var_1C]
		test	eax, eax
		jz	short loc_A0B797
		and	dword ptr [eax], 0

loc_A0B797:				; CODE XREF: NtEnumerateDriverEntries(x,x)+196j
					; NtEnumerateDriverEntries(x,x)+1A1j ...
		mov	eax, [ebp+var_30]
		test	eax, eax
		jz	short loc_A0B7A6
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0B7A6:				; CODE XREF: NtEnumerateDriverEntries(x,x)+35Dj
		mov	ecx, [ebp+var_4C]
		test	ecx, ecx
		jz	short loc_A0B7B2
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)

loc_A0B7B2:				; CODE XREF: NtEnumerateDriverEntries(x,x)+36Cj
		test	ebx, ebx
		js	short loc_A0B7B9
		mov	ebx, [ebp+var_34]

loc_A0B7B9:				; CODE XREF: NtEnumerateDriverEntries(x,x)+375j
		mov	[ebp+ms_exc.disabled], 1
		sub	edi, [ebp+var_38]
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, ebx
		jmp	short loc_A0B80F
; 

loc_A0B7D3:				; DATA XREF: .text:006AA660o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_64], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0B7E3:				; DATA XREF: .text:006AA664o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_64]
		jmp	short loc_A0B80F
; 

loc_A0B7F2:				; DATA XREF: .text:006AA654o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_68], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0B802:				; DATA XREF: .text:006AA658o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_68]

loc_A0B80F:				; CODE XREF: NtEnumerateDriverEntries(x,x)+25j
					; NtEnumerateDriverEntries(x,x)+3Bj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtEnumerateDriverEntries@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtEnumerateSystemEnvironmentValuesEx(x, x, x)
_NtEnumerateSystemEnvironmentValuesEx@12 proc near ; DATA XREF:	.text:00581070o

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	24h
		push	offset dword_6AA748
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_28], edx
		cmp	dword_6BBFD0, 2
		jz	short loc_A0B84B
		mov	eax, 0C0000002h
		jmp	loc_A0B9A1
; 

loc_A0B84B:				; CODE XREF: NtEnumerateSystemEnvironmentValuesEx(x,x,x)+1Ej
		mov	[ebp+ms_exc.disabled], edx
		mov	eax, large fs:124h
		mov	[ebp+var_34], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_20], al
		mov	esi, [ebp+arg_8]
		test	al, al
		jz	short loc_A0B8C4
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_A0B874
		mov	ecx, eax

loc_A0B874:				; CODE XREF: NtEnumerateSystemEnvironmentValuesEx(x,x,x)+4Fj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [esi]
		mov	[ebp+var_1C], eax
		mov	ecx, eax
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_A0B88D
		mov	eax, edx
		mov	[ebp+var_1C], eax
		mov	ecx, edx

loc_A0B88D:				; CODE XREF: NtEnumerateSystemEnvironmentValuesEx(x,x,x)+63j
		test	ecx, ecx
		jz	short loc_A0B89A
		push	4
		push	eax
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_A0B89A:				; CODE XREF: NtEnumerateSystemEnvironmentValuesEx(x,x,x)+6Ej
		mov	ebx, [ebp+var_20]
		push	ebx
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0B8DA
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000061h
		jmp	loc_A0B9A1
; 

loc_A0B8C4:				; CODE XREF: NtEnumerateSystemEnvironmentValuesEx(x,x,x)+44j
		mov	ecx, [esi]
		mov	[ebp+var_1C], ecx
		mov	edi, [ebp+arg_4]
		mov	eax, edi
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_1C], eax
		mov	ebx, [ebp+var_20]

loc_A0B8DA:				; CODE XREF: NtEnumerateSystemEnvironmentValuesEx(x,x,x)+90j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+var_1C]
		test	edx, edx
		jz	short loc_A0B902
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	1
		push	ebx
		mov	ecx, edi
		call	ExLockUserBuffer
		test	eax, eax
		js	loc_A0B9A1

loc_A0B902:				; CODE XREF: NtEnumerateSystemEnvironmentValuesEx(x,x,x)+C5j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _ExpEnvironmentLock
		mov	ecx, ebx
		call	ExAcquireFastMutexUnsafe
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_24]
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		call	_IoEnumerateEnvironmentVariablesEx@16 ;	IoEnumerateEnvironmentVariablesEx(x,x,x,x)
		mov	edi, eax
		mov	ecx, ebx
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_A0B94E
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)

loc_A0B94E:				; CODE XREF: NtEnumerateSystemEnvironmentValuesEx(x,x,x)+126j
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_1C]
		mov	[esi], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edi
		jmp	short loc_A0B9A1
; 

loc_A0B965:				; DATA XREF: .text:006AA768o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0B975:				; DATA XREF: .text:006AA76Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_2C]
		jmp	short loc_A0B9A1
; 

loc_A0B984:				; DATA XREF: .text:006AA75Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0B994:				; DATA XREF: .text:006AA760o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_30]

loc_A0B9A1:				; CODE XREF: NtEnumerateSystemEnvironmentValuesEx(x,x,x)+25j
					; NtEnumerateSystemEnvironmentValuesEx(x,x,x)+9Ej ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_NtEnumerateSystemEnvironmentValuesEx@12 endp

; 
		align 8
; Exported entry 1528. NtGetEnvironmentVariableEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtGetEnvironmentVariableEx(x, x, x,	x, x)
		public _NtGetEnvironmentVariableEx@20
_NtGetEnvironmentVariableEx@20 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword_6BBFD0, 2
		jz	short loc_A0B9CD
		mov	eax, 0C0000002h
		jmp	short loc_A0BA2C
; 

loc_A0B9CD:				; CODE XREF: NtGetEnvironmentVariableEx(x,x,x,x,x)+Cj
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_A0B9E3
		mov	eax, 0C0000061h
		jmp	short loc_A0BA2C
; 

loc_A0B9E3:				; CODE XREF: NtGetEnvironmentVariableEx(x,x,x,x,x)+22j
		mov	eax, large fs:124h
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _ExpEnvironmentLock
		mov	ecx, edi
		call	ExAcquireFastMutexUnsafe
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_8]
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	ecx, edi
		mov	esi, eax
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi

loc_A0BA2C:				; CODE XREF: NtGetEnvironmentVariableEx(x,x,x,x,x)+13j
					; NtGetEnvironmentVariableEx(x,x,x,x,x)+29j
		pop	ebp
		retn	14h
_NtGetEnvironmentVariableEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtModifyBootEntry(x)
_NtModifyBootEntry@4 proc near		; DATA XREF: .text:00580F84o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword_6BBFD0, 2
		jz	short loc_A0BA45
		mov	eax, 0C0000002h
		jmp	short loc_A0BA51
; 

loc_A0BA45:				; CODE XREF: NtModifyBootEntry(x)+Cj
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		push	0
		call	_ExpSetBootEntry@12 ; ExpSetBootEntry(x,x,x)

loc_A0BA51:				; CODE XREF: NtModifyBootEntry(x)+13j
		pop	ebp
		retn	4
_NtModifyBootEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtModifyDriverEntry(x)
_NtModifyDriverEntry@4 proc near	; DATA XREF: .text:00580F80o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword_6BBFD0, 2
		jz	short loc_A0BA6A
		mov	eax, 0C0000002h
		jmp	short loc_A0BA76
; 

loc_A0BA6A:				; CODE XREF: NtModifyDriverEntry(x)+Cj
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		push	0
		call	_ExpSetDriverEntry@12 ;	ExpSetDriverEntry(x,x,x)

loc_A0BA76:				; CODE XREF: NtModifyDriverEntry(x)+13j
		pop	ebp
		retn	4
_NtModifyDriverEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryBootEntryOrder(x, x)
_NtQueryBootEntryOrder@8 proc near	; DATA XREF: .text:00580EB0o

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	24h
		push	offset dword_6AA6F8
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_28], edx
		cmp	dword_6BBFD0, 2
		jz	short loc_A0BAA4
		mov	eax, 0C0000002h
		jmp	loc_A0BC4F
; 

loc_A0BAA4:				; CODE XREF: NtQueryBootEntryOrder(x,x)+1Ej
		mov	[ebp+ms_exc.disabled], edx
		mov	eax, large fs:124h
		mov	[ebp+var_34], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		mov	esi, [ebp+arg_4]
		test	al, al
		jz	short loc_A0BB20
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_A0BACD
		mov	ecx, eax

loc_A0BACD:				; CODE XREF: NtQueryBootEntryOrder(x,x)+4Fj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [esi]
		shl	eax, 2
		mov	[ebp+var_1C], eax
		mov	ecx, eax
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_A0BAE9
		mov	eax, edx
		mov	[ebp+var_1C], eax
		mov	ecx, edx

loc_A0BAE9:				; CODE XREF: NtQueryBootEntryOrder(x,x)+66j
		test	ecx, ecx
		jz	short loc_A0BAF6
		push	4
		push	eax
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_A0BAF6:				; CODE XREF: NtQueryBootEntryOrder(x,x)+71j
		mov	ebx, [ebp+var_24]
		push	ebx
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0BB39
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000061h
		jmp	loc_A0BC4F
; 

loc_A0BB20:				; CODE XREF: NtQueryBootEntryOrder(x,x)+44j
		mov	ecx, [esi]
		shl	ecx, 2
		mov	[ebp+var_1C], ecx
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_1C], eax
		mov	ebx, [ebp+var_24]

loc_A0BB39:				; CODE XREF: NtQueryBootEntryOrder(x,x)+93j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+var_1C]
		test	edx, edx
		jz	short loc_A0BB61
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	1
		push	ebx
		mov	ecx, edi
		call	ExLockUserBuffer
		test	eax, eax
		js	loc_A0BC4F

loc_A0BB61:				; CODE XREF: NtQueryBootEntryOrder(x,x)+CBj
		shr	[ebp+var_1C], 1
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _ExpEnvironmentLock
		mov	ecx, ebx
		call	ExAcquireFastMutexUnsafe
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_20]
		mov	edx, offset _EfiBootVariablesGuid
		mov	ecx, offset ??_C@_1BE@CHCFCNKI@?$AAB?$AAo?$AAo?$AAt?$AAO?$AAr?$AAd?$AAe?$AAr@NNGAKEGL@ ; "BootOrder"
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	edi, eax
		mov	ecx, ebx
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	edi, edi
		js	short loc_A0BBD7
		mov	ecx, [ebp+var_1C]
		shr	ecx, 1
		mov	eax, [ebp+var_20]
		lea	edx, [eax-2]
		lea	edx, [edx+ecx*2]
		lea	ebx, [eax-4]
		lea	ebx, [ebx+ecx*4]
		jz	short loc_A0BBE5

loc_A0BBC5:				; CODE XREF: NtQueryBootEntryOrder(x,x)+159j
		movzx	eax, word ptr [edx]
		mov	[ebx], eax
		lea	ebx, [ebx-4]
		lea	edx, [edx-2]
		sub	ecx, 1
		jnz	short loc_A0BBC5
		jmp	short loc_A0BBE5
; 

loc_A0BBD7:				; CODE XREF: NtQueryBootEntryOrder(x,x)+133j
		cmp	edi, 0C0000100h
		jnz	short loc_A0BBE5
		and	[ebp+var_1C], 0
		xor	edi, edi

loc_A0BBE5:				; CODE XREF: NtQueryBootEntryOrder(x,x)+149j
					; NtQueryBootEntryOrder(x,x)+15Bj ...
		mov	eax, [ebp+var_1C]
		add	eax, eax
		mov	[ebp+var_1C], eax
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_A0BBFC
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)
		mov	eax, [ebp+var_1C]

loc_A0BBFC:				; CODE XREF: NtQueryBootEntryOrder(x,x)+178j
		mov	[ebp+ms_exc.disabled], 1
		shr	eax, 2
		mov	[esi], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edi
		jmp	short loc_A0BC4F
; 

loc_A0BC13:				; DATA XREF: .text:006AA718o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0BC23:				; DATA XREF: .text:006AA71Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_2C]
		jmp	short loc_A0BC4F
; 

loc_A0BC32:				; DATA XREF: .text:006AA70Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0BC42:				; DATA XREF: .text:006AA710o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_30]

loc_A0BC4F:				; CODE XREF: NtQueryBootEntryOrder(x,x)+25j
					; NtQueryBootEntryOrder(x,x)+A1j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtQueryBootEntryOrder@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryBootOptions(x, x)
_NtQueryBootOptions@8 proc near		; DATA XREF: .text:00580EACo

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	2Ch
		push	offset dword_6AA6B0
		call	__SEH_prolog4
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], eax
		cmp	dword_6BBFD0, 2
		jz	short loc_A0BC8B
		mov	eax, 0C0000002h
		jmp	loc_A0BED6
; 

loc_A0BC8B:				; CODE XREF: NtQueryBootOptions(x,x)+1Ej
		mov	[ebp+ms_exc.disabled], eax
		mov	eax, large fs:124h
		mov	[ebp+var_3C], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_30], al
		mov	ebx, [ebp+arg_4]
		test	al, al
		jz	short loc_A0BCFF
		mov	ecx, ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ebx, eax
		jb	short loc_A0BCB4
		mov	ecx, eax

loc_A0BCB4:				; CODE XREF: NtQueryBootOptions(x,x)+4Fj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [ebx]
		mov	[ebp+var_2C], eax
		mov	edi, [ebp+arg_0]
		mov	esi, edi
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	[ebp+var_2C], esi
		jz	short loc_A0BCD6
		push	4
		push	esi
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_A0BCD6:				; CODE XREF: NtQueryBootOptions(x,x)+6Aj
		push	[ebp+var_30]
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0BD12
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000061h
		jmp	loc_A0BED6
; 

loc_A0BCFF:				; CODE XREF: NtQueryBootOptions(x,x)+44j
		mov	eax, [ebx]
		mov	[ebp+var_2C], eax
		mov	edi, [ebp+arg_0]
		mov	esi, edi
		neg	esi
		sbb	esi, esi
		and	esi, eax
		mov	[ebp+var_2C], esi

loc_A0BD12:				; CODE XREF: NtQueryBootOptions(x,x)+8Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	16h
		pop	ecx
		cmp	esi, ecx
		jnb	short loc_A0BD2A
		mov	esi, 0C0000023h
		jmp	loc_A0BE62
; 

loc_A0BD2A:				; CODE XREF: NtQueryBootOptions(x,x)+BDj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpEnvironmentLock
		call	ExAcquireFastMutexUnsafe
		mov	[ebp+var_20], 4
		push	0
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		mov	edx, offset _EfiBootVariablesGuid
		mov	ecx, offset ??_C@_1BA@BKONPLFM@?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@NNGAKEGL@
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_A0BDA4
		cmp	esi, 0C0000100h
		jz	short loc_A0BD9E
		test	esi, esi
		jnz	loc_A0BE49
		cmp	[ebp+var_20], 2
		jbe	short loc_A0BD95
		cmp	[ebp+var_1C], 0FFFFFFFFh
		jz	short loc_A0BD9E
		mov	eax, 0FFFEh
		cmp	[ebp+var_1C], eax
		jbe	short loc_A0BD95
		mov	[ebp+var_1C], eax

loc_A0BD95:				; CODE XREF: NtQueryBootOptions(x,x)+11Fj
					; NtQueryBootOptions(x,x)+12Fj
		cmp	[ebp+var_1C], 0FFFFh
		jnz	short loc_A0BDAB

loc_A0BD9E:				; CODE XREF: NtQueryBootOptions(x,x)+111j
					; NtQueryBootOptions(x,x)+125j
		or	[ebp+var_1C], 0FFFFFFFFh
		jmp	short loc_A0BDAB
; 

loc_A0BDA4:				; CODE XREF: NtQueryBootOptions(x,x)+109j
		mov	[ebp+var_1C], 0FFFFFFFEh

loc_A0BDAB:				; CODE XREF: NtQueryBootOptions(x,x)+13Bj
					; NtQueryBootOptions(x,x)+141j
		mov	[ebp+var_20], 4
		push	0
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		mov	edx, offset _EfiBootVariablesGuid
		mov	ecx, offset ??_C@_1BI@LBNGELID@?$AAB?$AAo?$AAo?$AAt?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@NNGAKEGL@
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_A0BDF2
		cmp	esi, 0C0000100h
		jz	short loc_A0BDF2
		test	esi, esi
		jnz	short loc_A0BE49
		cmp	[ebp+var_20], 2
		jbe	short loc_A0BDF9
		mov	eax, [ebp+var_24]
		movzx	eax, ax
		mov	[ebp+var_24], eax
		jmp	short loc_A0BDF9
; 

loc_A0BDF2:				; CODE XREF: NtQueryBootOptions(x,x)+172j
					; NtQueryBootOptions(x,x)+17Aj
		mov	[ebp+var_24], 0FFFFFFFEh

loc_A0BDF9:				; CODE XREF: NtQueryBootOptions(x,x)+184j
					; NtQueryBootOptions(x,x)+18Fj
		mov	[ebp+var_20], 2
		push	0
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		mov	edx, offset _EfiBootVariablesGuid
		mov	ecx, offset ??_C@_1BC@HGEHGBBD@?$AAB?$AAo?$AAo?$AAt?$AAN?$AAe?$AAx?$AAt@NNGAKEGL@
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_A0BE40
		cmp	esi, 0C0000100h
		jz	short loc_A0BE40
		test	esi, esi
		jnz	short loc_A0BE49
		cmp	[ebp+var_20], 2
		jbe	short loc_A0BE49
		mov	eax, [ebp+var_28]
		movzx	eax, ax
		mov	[ebp+var_28], eax
		jmp	short loc_A0BE49
; 

loc_A0BE40:				; CODE XREF: NtQueryBootOptions(x,x)+1C0j
					; NtQueryBootOptions(x,x)+1C8j
		mov	[ebp+var_28], 0FFFFFFFEh
		xor	esi, esi

loc_A0BE49:				; CODE XREF: NtQueryBootOptions(x,x)+115j
					; NtQueryBootOptions(x,x)+17Ej	...
		mov	ecx, offset _ExpEnvironmentLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	16h
		pop	ecx

loc_A0BE62:				; CODE XREF: NtQueryBootOptions(x,x)+C4j
		xor	eax, eax
		inc	eax
		mov	[ebp+ms_exc.disabled], eax
		test	esi, esi
		jnz	short loc_A0BE8D
		test	edi, edi
		jz	short loc_A0BE8D
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	eax, [ebp+var_1C]
		mov	[edi+8], eax
		mov	eax, [ebp+var_24]
		mov	[edi+0Ch], eax
		mov	eax, [ebp+var_28]
		mov	[edi+10h], eax
		xor	eax, eax
		mov	[edi+14h], ax

loc_A0BE8D:				; CODE XREF: NtQueryBootOptions(x,x)+209j
					; NtQueryBootOptions(x,x)+20Dj
		mov	[ebx], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		jmp	short loc_A0BED6
; 

loc_A0BE9A:				; DATA XREF: .text:006AA6D0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0BEAA:				; DATA XREF: .text:006AA6D4o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_34]
		jmp	short loc_A0BED6
; 

loc_A0BEB9:				; DATA XREF: .text:006AA6C4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_38], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0BEC9:				; DATA XREF: .text:006AA6C8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_38]

loc_A0BED6:				; CODE XREF: NtQueryBootOptions(x,x)+25j
					; NtQueryBootOptions(x,x)+99j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtQueryBootOptions@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryDriverEntryOrder(x, x)
_NtQueryDriverEntryOrder@8 proc	near	; DATA XREF: .text:00580E90o

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	24h
		push	offset dword_6AA668
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_28], edx
		cmp	dword_6BBFD0, 2
		jz	short loc_A0BF12
		mov	eax, 0C0000002h
		jmp	loc_A0C0BE
; 

loc_A0BF12:				; CODE XREF: NtQueryDriverEntryOrder(x,x)+1Ej
		mov	[ebp+ms_exc.disabled], edx
		mov	eax, large fs:124h
		mov	[ebp+var_34], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		mov	esi, [ebp+arg_4]
		test	al, al
		jz	short loc_A0BF8E
		mov	ecx, esi
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_A0BF3B
		mov	ecx, eax

loc_A0BF3B:				; CODE XREF: NtQueryDriverEntryOrder(x,x)+4Fj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	eax, [esi]
		shl	eax, 2
		mov	[ebp+var_1C], eax
		mov	ecx, eax
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_A0BF57
		mov	eax, edx
		mov	[ebp+var_1C], eax
		mov	ecx, edx

loc_A0BF57:				; CODE XREF: NtQueryDriverEntryOrder(x,x)+66j
		test	ecx, ecx
		jz	short loc_A0BF64
		push	4
		push	eax
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_A0BF64:				; CODE XREF: NtQueryDriverEntryOrder(x,x)+71j
		mov	ebx, [ebp+var_24]
		push	ebx
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0BFA7
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000061h
		jmp	loc_A0C0BE
; 

loc_A0BF8E:				; CODE XREF: NtQueryDriverEntryOrder(x,x)+44j
		mov	ecx, [esi]
		shl	ecx, 2
		mov	[ebp+var_1C], ecx
		mov	edi, [ebp+arg_0]
		mov	eax, edi
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_1C], eax
		mov	ebx, [ebp+var_24]

loc_A0BFA7:				; CODE XREF: NtQueryDriverEntryOrder(x,x)+93j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+var_1C]
		test	edx, edx
		jz	short loc_A0BFCF
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		push	1
		push	ebx
		mov	ecx, edi
		call	ExLockUserBuffer
		test	eax, eax
		js	loc_A0C0BE

loc_A0BFCF:				; CODE XREF: NtQueryDriverEntryOrder(x,x)+CBj
		shr	[ebp+var_1C], 1
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _ExpEnvironmentLock
		mov	ecx, ebx
		call	ExAcquireFastMutexUnsafe
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_20]
		push	offset _EfiDriverVariablesGuid
		push	offset ??_C@_1BI@PDMCFEDG@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAO?$AAr?$AAd?$AAe?$AAr@NNGAKEGL@
		call	ds:__imp__HalGetEnvironmentVariableEx@20 ; HalGetEnvironmentVariableEx(x,x,x,x,x)
		mov	edi, eax
		mov	ecx, ebx
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	edi, edi
		js	short loc_A0C046
		mov	ecx, [ebp+var_1C]
		shr	ecx, 1
		mov	eax, [ebp+var_20]
		lea	edx, [eax-2]
		lea	edx, [edx+ecx*2]
		lea	ebx, [eax-4]
		lea	ebx, [ebx+ecx*4]
		jz	short loc_A0C054

loc_A0C034:				; CODE XREF: NtQueryDriverEntryOrder(x,x)+15Aj
		movzx	eax, word ptr [edx]
		mov	[ebx], eax
		lea	ebx, [ebx-4]
		lea	edx, [edx-2]
		sub	ecx, 1
		jnz	short loc_A0C034
		jmp	short loc_A0C054
; 

loc_A0C046:				; CODE XREF: NtQueryDriverEntryOrder(x,x)+134j
		cmp	edi, 0C0000100h
		jnz	short loc_A0C054
		and	[ebp+var_1C], 0
		xor	edi, edi

loc_A0C054:				; CODE XREF: NtQueryDriverEntryOrder(x,x)+14Aj
					; NtQueryDriverEntryOrder(x,x)+15Cj ...
		mov	eax, [ebp+var_1C]
		add	eax, eax
		mov	[ebp+var_1C], eax
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_A0C06B
		call	_ExUnlockUserBuffer@4 ;	ExUnlockUserBuffer(x)
		mov	eax, [ebp+var_1C]

loc_A0C06B:				; CODE XREF: NtQueryDriverEntryOrder(x,x)+179j
		mov	[ebp+ms_exc.disabled], 1
		shr	eax, 2
		mov	[esi], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edi
		jmp	short loc_A0C0BE
; 

loc_A0C082:				; DATA XREF: .text:006AA688o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0C092:				; DATA XREF: .text:006AA68Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_2C]
		jmp	short loc_A0C0BE
; 

loc_A0C0A1:				; DATA XREF: .text:006AA67Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0C0B1:				; DATA XREF: .text:006AA680o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_30]

loc_A0C0BE:				; CODE XREF: NtQueryDriverEntryOrder(x,x)+25j
					; NtQueryDriverEntryOrder(x,x)+A1j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtQueryDriverEntryOrder@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1557. NtQueryEnvironmentVariableInfoEx

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryEnvironmentVariableInfoEx(x,	x, x, x)
		public _NtQueryEnvironmentVariableInfoEx@16
_NtQueryEnvironmentVariableInfoEx@16 proc near
					; CODE XREF: PopEnableSystemSleepCheckpoint()+9Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword_6BBFD0, 2
		push	esi
		push	edi
		jz	short loc_A0C0EC
		mov	eax, 0C0000002h
		jmp	short loc_A0C144
; 

loc_A0C0EC:				; CODE XREF: NtQueryEnvironmentVariableInfoEx(x,x,x,x)+Ej
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 0
		jz	short loc_A0C102
		mov	eax, 0C0000061h
		jmp	short loc_A0C144
; 

loc_A0C102:				; CODE XREF: NtQueryEnvironmentVariableInfoEx(x,x,x,x)+24j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _ExpEnvironmentLock
		mov	ecx, edi
		call	ExAcquireFastMutexUnsafe
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	_IoQueryEnvironmentVariableInfoEx@16 ; IoQueryEnvironmentVariableInfoEx(x,x,x,x)
		mov	ecx, edi
		mov	esi, eax
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, esi

loc_A0C144:				; CODE XREF: NtQueryEnvironmentVariableInfoEx(x,x,x,x)+15j
					; NtQueryEnvironmentVariableInfoEx(x,x,x,x)+2Bj
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_NtQueryEnvironmentVariableInfoEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQuerySystemEnvironmentValue(x, x,	x, x)
_NtQuerySystemEnvironmentValue@16 proc near ; DATA XREF: .text:00580E00o

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= word ptr  10h
arg_C		= dword	ptr  14h

		push	2Ch
		push	offset dword_6AA7B0
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:124h
		mov	[ebp+var_2C], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_1C], al
		mov	ecx, [ebp+arg_0]
		test	al, al
		jz	loc_A0C231
		mov	edx, ecx
		test	cl, 3
		jz	short loc_A0C193

loc_A0C18E:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+7Cj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A0C193:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+42j
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_A0C19E
		mov	edx, eax

loc_A0C19E:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+50j
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	[ebp+var_34], eax
		mov	ecx, [ecx+4]
		mov	[ebp+var_30], ecx
		test	ax, ax
		jnz	short loc_A0C1C2
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000005h
		jmp	loc_A0C3CD
; 

loc_A0C1C2:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+65j
		test	byte ptr [ebp+var_30], 1
		jnz	short loc_A0C18E
		movzx	edx, ax
		add	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_A0C1DA
		cmp	edx, ecx
		jnb	short loc_A0C1DC

loc_A0C1DA:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+8Aj
		mov	[eax], bl

loc_A0C1DC:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+8Ej
		push	2
		movzx	eax, [ebp+arg_8]
		push	eax
		push	[ebp+arg_4]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jz	short loc_A0C208
		mov	ecx, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jb	short loc_A0C1FF
		mov	ecx, eax

loc_A0C1FF:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+B1j
		mov	ax, [ecx]
		movzx	eax, ax
		mov	[ecx], ax

loc_A0C208:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+A6j
		push	[ebp+var_1C]
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0C23F
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000061h
		jmp	loc_A0C3CD
; 

loc_A0C231:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+37j
		mov	eax, [ecx]
		mov	[ebp+var_34], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_30], eax
		mov	edi, [ebp+arg_C]

loc_A0C23F:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+D4j
		lea	eax, [ebp+var_34]
		push	eax
		call	_RtlxUnicodeStringToAnsiSize@4 ; RtlxUnicodeStringToAnsiSize(x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		push	72766E45h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		jnz	short loc_A0C275
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A0C26B:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+188j
		mov	eax, 0C000009Ah
		jmp	loc_A0C3CD
; 

loc_A0C275:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+118j
		mov	word ptr [ebp+var_3C+2], si
		push	ebx
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	RtlUnicodeStringToAnsiString
		mov	esi, eax
		test	esi, esi
		jns	short loc_A0C2A4
		push	ebx
		push	[ebp+var_38]

loc_A0C291:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+228j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		jmp	loc_A0C3CD
; 

loc_A0C2A4:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+141j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	72766E45h
		mov	esi, 400h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+arg_0], ebx
		test	ebx, ebx
		jnz	short loc_A0C2D4
		push	eax
		push	[ebp+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A0C26B
; 

loc_A0C2D4:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+17Dj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpEnvironmentLock
		call	ExAcquireFastMutexUnsafe
		push	ebx
		push	esi
		push	[ebp+var_38]
		call	ds:__imp__HalGetEnvironmentVariable@12 ; HalGetEnvironmentVariable(x,x,x)
		mov	esi, eax
		mov	ecx, offset _ExpEnvironmentLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	0
		push	[ebp+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jz	short loc_A0C32F
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0C0000001h
		jmp	loc_A0C3CD
; 

loc_A0C32F:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+1D1j
		mov	[ebp+ms_exc.disabled], 1
		push	ebx
		lea	eax, [ebp+var_3C]
		push	eax
		call	_RtlInitString@8 ; RtlInitString(x,x)
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_30], eax
		mov	ax, [ebp+arg_8]
		mov	word ptr [ebp+var_34+2], ax
		xor	eax, eax
		mov	word ptr [ebp+var_34], ax
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	esi, eax
		test	edi, edi
		jz	short loc_A0C36F
		mov	cx, word ptr [ebp+var_34]
		mov	[edi], cx

loc_A0C36F:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+21Cj
		push	0
		push	ebx
		jmp	loc_A0C291
; 

loc_A0C377:				; DATA XREF: .text:006AA7D0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0C387:				; DATA XREF: .text:006AA7D4o
		mov	esp, [ebp+ms_exc.old_esp]
		push	0
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]
		jmp	short loc_A0C3CD
; 

loc_A0C3A0:				; DATA XREF: .text:006AA7C4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0C3B0:				; DATA XREF: .text:006AA7C8o
		mov	esp, [ebp+ms_exc.old_esp]
		cmp	[ebp+var_38], 0
		jz	short loc_A0C3C3
		push	0
		push	[ebp+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0C3C3:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+26Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_28]

loc_A0C3CD:				; CODE XREF: NtQuerySystemEnvironmentValue(x,x,x,x)+73j
					; NtQuerySystemEnvironmentValue(x,x,x,x)+E2j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_NtQuerySystemEnvironmentValue@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetBootEntryOrder(x, x)
_NtSetBootEntryOrder@8 proc near	; DATA XREF: .text:00580D14o

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	10h
		push	offset dword_6AA6D8
		call	__SEH_prolog4
		xor	edi, edi
		cmp	dword_6BBFD0, 2
		jz	short loc_A0C400
		mov	eax, 0C0000002h
		jmp	loc_A0C544
; 

loc_A0C400:				; CODE XREF: NtSetBootEntryOrder(x,x)+15j
		mov	esi, [ebp+arg_4]
		cmp	esi, 3FFFFFFFh
		jbe	short loc_A0C415

loc_A0C40B:				; CODE XREF: NtSetBootEntryOrder(x,x)+EFj
		mov	eax, 0C000000Dh
		jmp	loc_A0C544
; 

loc_A0C415:				; CODE XREF: NtSetBootEntryOrder(x,x)+2Aj
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+arg_4], bl
		test	bl, bl
		jz	short loc_A0C44A
		push	[ebp+arg_4]
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0C44A
		mov	eax, 0C0000061h
		jmp	loc_A0C544
; 

loc_A0C44A:				; CODE XREF: NtSetBootEntryOrder(x,x)+47j
					; NtSetBootEntryOrder(x,x)+5Fj
		test	esi, esi
		jz	loc_A0C4E5
		push	72766E45h
		lea	eax, [esi+esi]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+arg_4], edi
		test	edi, edi
		jnz	short loc_A0C478
		mov	eax, 0C000009Ah
		jmp	loc_A0C544
; 

loc_A0C478:				; CODE XREF: NtSetBootEntryOrder(x,x)+8Dj
		and	[ebp+ms_exc.disabled], 0
		test	bl, bl
		jz	short loc_A0C4AA
		mov	eax, esi
		shl	eax, 2
		test	eax, eax
		jz	short loc_A0C4AA
		test	byte ptr [ebp+arg_0], 3
		jz	short loc_A0C494
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A0C494:				; CODE XREF: NtSetBootEntryOrder(x,x)+AEj
		mov	ecx, [ebp+arg_0]
		lea	edx, [eax+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_A0C4A7
		cmp	edx, ecx
		jnb	short loc_A0C4AA

loc_A0C4A7:				; CODE XREF: NtSetBootEntryOrder(x,x)+C2j
		mov	byte ptr [eax],	0

loc_A0C4AA:				; CODE XREF: NtSetBootEntryOrder(x,x)+9Fj
					; NtSetBootEntryOrder(x,x)+A8j	...
		xor	ecx, ecx

loc_A0C4AC:				; CODE XREF: NtSetBootEntryOrder(x,x)+FDj
		mov	[ebp+var_1C], ecx
		cmp	ecx, esi
		jnb	short loc_A0C4DE
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+ecx*4], 0FFFFh
		jbe	short loc_A0C4D3
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_A0C40B
; 

loc_A0C4D3:				; CODE XREF: NtSetBootEntryOrder(x,x)+DEj
		mov	ax, [eax+ecx*4]
		mov	[edi+ecx*2], ax
		inc	ecx
		jmp	short loc_A0C4AC
; 

loc_A0C4DE:				; CODE XREF: NtSetBootEntryOrder(x,x)+D2j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A0C4E5:				; CODE XREF: NtSetBootEntryOrder(x,x)+6Dj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _ExpEnvironmentLock
		mov	ecx, ebx
		call	ExAcquireFastMutexUnsafe
		push	1
		lea	eax, [esi+esi]
		push	eax
		push	edi
		mov	edx, offset _EfiBootVariablesGuid
		mov	ecx, offset ??_C@_1BE@CHCFCNKI@?$AAB?$AAo?$AAo?$AAt?$AAO?$AAr?$AAd?$AAe?$AAr@NNGAKEGL@ ; "BootOrder"
		call	_IoSetEnvironmentVariableEx@20 ; IoSetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax
		mov	ecx, ebx
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	ebx, [esi+3FFFFF00h]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, esi
		test	edi, edi
		jz	short loc_A0C542
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0C542:				; CODE XREF: NtSetBootEntryOrder(x,x)+159j
		mov	eax, ebx

loc_A0C544:				; CODE XREF: NtSetBootEntryOrder(x,x)+1Cj
					; NtSetBootEntryOrder(x,x)+31j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtSetBootEntryOrder@8 endp


;  S U B	R O U T	I N E 


sub_A0C556	proc near		; DATA XREF: .text:006AA6ECo
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_A0C556	endp


;  S U B	R O U T	I N E 


sub_A0C566	proc near		; DATA XREF: .text:006AA6F0o
		mov	esp, [ebp-18h]
		push	0
		push	dword ptr [ebp+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	short loc_A0C544
sub_A0C566	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetBootOptions(x,	x)
_NtSetBootOptions@8 proc near		; DATA XREF: .text:00580D10o

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	20h
		push	offset dword_6AA690
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_24], ebx
		cmp	dword_6BBFD0, 2
		jz	short loc_A0C5A6
		mov	eax, 0C0000002h
		jmp	loc_A0C71C
; 

loc_A0C5A6:				; CODE XREF: NtSetBootOptions(x,x)+1Bj
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:124h
		mov	[ebp+var_30], eax
		mov	dl, [eax+15Ah]
		mov	byte ptr [ebp+var_20], dl
		mov	ecx, [ebp+arg_0]
		lea	eax, [ecx+4]
		test	dl, dl
		jz	short loc_A0C5D9
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		jb	short loc_A0C5D1
		mov	eax, edx

loc_A0C5D1:				; CODE XREF: NtSetBootOptions(x,x)+4Ej
		nop
		mov	eax, [eax]
		mov	dl, byte ptr [ebp+var_20]
		jmp	short loc_A0C5DB
; 

loc_A0C5D9:				; CODE XREF: NtSetBootOptions(x,x)+44j
		mov	eax, [eax]

loc_A0C5DB:				; CODE XREF: NtSetBootOptions(x,x)+58j
		mov	[ebp+var_28], eax
		cmp	eax, 14h
		jnb	short loc_A0C5F4

loc_A0C5E3:				; CODE XREF: NtSetBootOptions(x,x)+C5j
					; NtSetBootOptions(x,x)+CAj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A0C5EA:				; CODE XREF: NtSetBootOptions(x,x)+ECj
		mov	eax, 0C000000Dh
		jmp	loc_A0C71C
; 

loc_A0C5F4:				; CODE XREF: NtSetBootOptions(x,x)+62j
		test	dl, dl
		jz	short loc_A0C640
		test	cl, 3
		jz	short loc_A0C602
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A0C602:				; CODE XREF: NtSetBootOptions(x,x)+7Cj
		lea	edx, [eax+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_A0C612
		cmp	edx, ecx
		jnb	short loc_A0C614

loc_A0C612:				; CODE XREF: NtSetBootOptions(x,x)+8Dj
		mov	[eax], bl

loc_A0C614:				; CODE XREF: NtSetBootOptions(x,x)+91j
		push	[ebp+var_20]
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0C63D
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000061h
		jmp	loc_A0C71C
; 

loc_A0C63D:				; CODE XREF: NtSetBootOptions(x,x)+ABj
		mov	ecx, [ebp+arg_0]

loc_A0C640:				; CODE XREF: NtSetBootOptions(x,x)+77j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_A0C5E3
		cmp	eax, 1
		ja	short loc_A0C5E3
		mov	eax, [ecx+8]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+10h]
		mov	[ebp+var_24], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+arg_4]
		and	esi, 2
		jz	short loc_A0C671
		cmp	eax, 0FFFFh
		ja	loc_A0C5EA

loc_A0C671:				; CODE XREF: NtSetBootOptions(x,x)+E5j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpEnvironmentLock
		call	ExAcquireFastMutexUnsafe
		test	byte ptr [ebp+arg_4], 1
		jz	short loc_A0C6C4
		cmp	[ebp+var_1C], 0FFFFFFFFh
		jnz	short loc_A0C69E
		mov	[ebp+var_1C], 0FFFFh
		jmp	short loc_A0C6AB
; 

loc_A0C69E:				; CODE XREF: NtSetBootOptions(x,x)+114j
		mov	eax, 0FFFEh
		cmp	[ebp+var_1C], eax
		jbe	short loc_A0C6AB
		mov	[ebp+var_1C], eax

loc_A0C6AB:				; CODE XREF: NtSetBootOptions(x,x)+11Dj
					; NtSetBootOptions(x,x)+127j
		push	1
		push	2
		lea	eax, [ebp+var_1C]
		push	eax
		mov	edx, offset _EfiBootVariablesGuid
		mov	ecx, offset ??_C@_1BA@BKONPLFM@?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@NNGAKEGL@
		call	_IoSetEnvironmentVariableEx@20 ; IoSetEnvironmentVariableEx(x,x,x,x,x)
		mov	ebx, eax

loc_A0C6C4:				; CODE XREF: NtSetBootOptions(x,x)+10Ej
		test	ebx, ebx
		js	short loc_A0C6E5
		test	esi, esi
		jz	short loc_A0C6E5
		push	1
		push	2
		lea	eax, [ebp+var_24]
		push	eax
		mov	edx, offset _EfiBootVariablesGuid
		mov	ecx, offset ??_C@_1BC@HGEHGBBD@?$AAB?$AAo?$AAo?$AAt?$AAN?$AAe?$AAx?$AAt@NNGAKEGL@
		call	_IoSetEnvironmentVariableEx@20 ; IoSetEnvironmentVariableEx(x,x,x,x,x)
		mov	ebx, eax

loc_A0C6E5:				; CODE XREF: NtSetBootOptions(x,x)+147j
					; NtSetBootOptions(x,x)+14Bj
		mov	ecx, offset _ExpEnvironmentLock
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	eax, ebx
		jmp	short loc_A0C71C
; 

loc_A0C6FF:				; DATA XREF: .text:006AA6A4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0C70F:				; DATA XREF: .text:006AA6A8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_2C]

loc_A0C71C:				; CODE XREF: NtSetBootOptions(x,x)+22j
					; NtSetBootOptions(x,x)+70j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtSetBootOptions@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetDriverEntryOrder(x, x)
_NtSetDriverEntryOrder@8 proc near	; DATA XREF: .text:00580CF0o

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	10h
		push	offset dword_6AA620
		call	__SEH_prolog4
		xor	edi, edi
		cmp	dword_6BBFD0, 2
		jz	short loc_A0C74F
		mov	eax, 0C0000002h
		jmp	loc_A0C893
; 

loc_A0C74F:				; CODE XREF: NtSetDriverEntryOrder(x,x)+15j
		mov	esi, [ebp+arg_4]
		cmp	esi, 3FFFFFFFh
		jbe	short loc_A0C764

loc_A0C75A:				; CODE XREF: NtSetDriverEntryOrder(x,x)+EFj
		mov	eax, 0C000000Dh
		jmp	loc_A0C893
; 

loc_A0C764:				; CODE XREF: NtSetDriverEntryOrder(x,x)+2Aj
		mov	eax, large fs:124h
		mov	bl, [eax+15Ah]
		mov	byte ptr [ebp+arg_4], bl
		test	bl, bl
		jz	short loc_A0C799
		push	[ebp+arg_4]
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0C799
		mov	eax, 0C0000061h
		jmp	loc_A0C893
; 

loc_A0C799:				; CODE XREF: NtSetDriverEntryOrder(x,x)+47j
					; NtSetDriverEntryOrder(x,x)+5Fj
		test	esi, esi
		jz	loc_A0C834
		push	72766E45h
		lea	eax, [esi+esi]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+arg_4], edi
		test	edi, edi
		jnz	short loc_A0C7C7
		mov	eax, 0C000009Ah
		jmp	loc_A0C893
; 

loc_A0C7C7:				; CODE XREF: NtSetDriverEntryOrder(x,x)+8Dj
		and	[ebp+ms_exc.disabled], 0
		test	bl, bl
		jz	short loc_A0C7F9
		mov	eax, esi
		shl	eax, 2
		test	eax, eax
		jz	short loc_A0C7F9
		test	byte ptr [ebp+arg_0], 3
		jz	short loc_A0C7E3
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A0C7E3:				; CODE XREF: NtSetDriverEntryOrder(x,x)+AEj
		mov	ecx, [ebp+arg_0]
		lea	edx, [eax+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_A0C7F6
		cmp	edx, ecx
		jnb	short loc_A0C7F9

loc_A0C7F6:				; CODE XREF: NtSetDriverEntryOrder(x,x)+C2j
		mov	byte ptr [eax],	0

loc_A0C7F9:				; CODE XREF: NtSetDriverEntryOrder(x,x)+9Fj
					; NtSetDriverEntryOrder(x,x)+A8j ...
		xor	ecx, ecx

loc_A0C7FB:				; CODE XREF: NtSetDriverEntryOrder(x,x)+FDj
		mov	[ebp+var_1C], ecx
		cmp	ecx, esi
		jnb	short loc_A0C82D
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+ecx*4], 0FFFFh
		jbe	short loc_A0C822
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_A0C75A
; 

loc_A0C822:				; CODE XREF: NtSetDriverEntryOrder(x,x)+DEj
		mov	ax, [eax+ecx*4]
		mov	[edi+ecx*2], ax
		inc	ecx
		jmp	short loc_A0C7FB
; 

loc_A0C82D:				; CODE XREF: NtSetDriverEntryOrder(x,x)+D2j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A0C834:				; CODE XREF: NtSetDriverEntryOrder(x,x)+6Dj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _ExpEnvironmentLock
		mov	ecx, ebx
		call	ExAcquireFastMutexUnsafe
		push	1
		lea	eax, [esi+esi]
		push	eax
		push	edi
		mov	edx, offset _EfiDriverVariablesGuid
		mov	ecx, offset ??_C@_1BI@PDMCFEDG@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAO?$AAr?$AAd?$AAe?$AAr@NNGAKEGL@
		call	_IoSetEnvironmentVariableEx@20 ; IoSetEnvironmentVariableEx(x,x,x,x,x)
		mov	esi, eax
		mov	ecx, ebx
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	ebx, [esi+3FFFFF00h]
		neg	ebx
		sbb	ebx, ebx
		and	ebx, esi
		test	edi, edi
		jz	short loc_A0C891
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0C891:				; CODE XREF: NtSetDriverEntryOrder(x,x)+159j
		mov	eax, ebx

loc_A0C893:				; CODE XREF: NtSetDriverEntryOrder(x,x)+1Cj
					; NtSetDriverEntryOrder(x,x)+31j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtSetDriverEntryOrder@8 endp


;  S U B	R O U T	I N E 


sub_A0C8A5	proc near		; DATA XREF: .text:006AA634o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-20h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_A0C8A5	endp


;  S U B	R O U T	I N E 


sub_A0C8B5	proc near		; DATA XREF: .text:006AA638o
		mov	esp, [ebp-18h]
		push	0
		push	dword ptr [ebp+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-20h]
		jmp	short loc_A0C893
sub_A0C8B5	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetSystemEnvironmentValue(x, x)
_NtSetSystemEnvironmentValue@8 proc near ; DATA	XREF: .text:00580C78o

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	3Ch
		push	offset dword_6AA790
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:124h
		mov	[ebp+var_2C], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_1C], al
		mov	ecx, [ebp+arg_0]
		test	al, al
		jz	loc_A0C9D2
		mov	edx, ecx
		test	cl, 3
		jnz	short loc_A0C94F
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_A0C926
		mov	edx, eax

loc_A0C926:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+54j
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	[ebp+var_4C], eax
		mov	ecx, [ecx+4]
		mov	[ebp+var_48], ecx
		test	ax, ax
		jnz	short loc_A0C94A

loc_A0C939:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+C0j
					; NtSetSystemEnvironmentValue(x,x)+141j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000009Ah
		jmp	loc_A0CB38
; 

loc_A0C94A:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+69j
		test	cl, 1
		jz	short loc_A0C954

loc_A0C94F:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+4Bj
					; NtSetSystemEnvironmentValue(x,x)+A2j	...
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A0C954:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+7Fj
		movzx	edx, ax
		add	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_A0C966
		cmp	edx, ecx
		jnb	short loc_A0C968

loc_A0C966:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+92j
		mov	[eax], bl

loc_A0C968:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+96j
		mov	ecx, [ebp+arg_4]
		mov	edx, ecx
		test	cl, 3
		jnz	short loc_A0C94F
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_A0C97D
		mov	edx, eax

loc_A0C97D:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+ABj
		nop
		mov	al, [edx]
		mov	eax, [ecx]
		mov	[ebp+var_44], eax
		mov	ecx, [ecx+4]
		mov	[ebp+var_40], ecx
		test	ax, ax
		jz	short loc_A0C939
		test	cl, 1
		jnz	short loc_A0C94F
		movzx	edx, ax
		add	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_A0C9A7
		cmp	edx, ecx
		jnb	short loc_A0C9A9

loc_A0C9A7:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+D3j
		mov	[eax], bl

loc_A0C9A9:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+D7j
		push	[ebp+var_1C]
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0C9EB
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000061h
		jmp	loc_A0CB38
; 

loc_A0C9D2:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+40j
		mov	eax, [ecx]
		mov	[ebp+var_4C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_48], eax
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx]
		mov	[ebp+var_44], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_40], eax

loc_A0C9EB:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+F1j
		lea	eax, [ebp+var_4C]
		push	eax
		call	_RtlxUnicodeStringToAnsiSize@4 ; RtlxUnicodeStringToAnsiSize(x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		mov	edi, 72766E45h
		push	edi
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	loc_A0C939
		mov	word ptr [ebp+var_34+2], si
		push	ebx
		lea	eax, [ebp+var_4C]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		call	RtlUnicodeStringToAnsiString
		mov	esi, eax
		test	esi, esi
		jns	short loc_A0CA44
		push	ebx
		push	[ebp+var_30]

loc_A0CA31:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+1C9j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A0CA3D:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+229j
		mov	eax, esi
		jmp	loc_A0CB38
; 

loc_A0CA44:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+15Dj
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlxUnicodeStringToAnsiSize@4 ; RtlxUnicodeStringToAnsiSize(x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		push	edi
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_38], eax
		push	ebx
		test	eax, eax
		jnz	short loc_A0CA73
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_A0C939
; 

loc_A0CA73:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+196j
		mov	word ptr [ebp+var_3C+2], si
		lea	eax, [ebp+var_44]
		push	eax
		lea	eax, [ebp+var_3C]
		push	eax
		call	RtlUnicodeStringToAnsiString
		mov	esi, eax
		test	esi, esi
		jns	short loc_A0CA99
		push	ebx
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	[ebp+var_38]
		jmp	short loc_A0CA31
; 

loc_A0CA99:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+1BAj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _ExpEnvironmentLock
		mov	ecx, edi
		call	ExAcquireFastMutexUnsafe
		push	[ebp+var_38]
		push	[ebp+var_30]
		call	ds:__imp__HalSetEnvironmentVariable@8 ;	HalSetEnvironmentVariable(x,x)
		mov	esi, eax
		mov	ecx, edi
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		push	ebx
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	[ebp+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		neg	esi
		sbb	esi, esi
		and	esi, 0C000009Ah
		jmp	loc_A0CA3D
; 

loc_A0CAFC:				; DATA XREF: .text:006AA7A4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0CB0C:				; DATA XREF: .text:006AA7A8o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	ebx, ebx
		cmp	[ebp+var_30], ebx
		jz	short loc_A0CB1F
		push	ebx
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0CB1F:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+246j
		cmp	[ebp+var_38], 0
		jz	short loc_A0CB2E
		push	ebx
		push	[ebp+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0CB2E:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+255j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_28]

loc_A0CB38:				; CODE XREF: NtSetSystemEnvironmentValue(x,x)+77j
					; NtSetSystemEnvironmentValue(x,x)+FFj	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_NtSetSystemEnvironmentValue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetSystemEnvironmentValueEx(x, x,	x, x, x)
_NtSetSystemEnvironmentValueEx@20 proc near ; DATA XREF: .text:00580C74o

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	38h
		push	offset dword_6AA770
		call	__SEH_prolog4_GS
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_38], edx
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_3C], esi
		and	[ebp+var_34], 0
		xor	eax, eax
		lea	edi, [ebp+var_2C]
		stosd
		stosd
		stosd
		stosd
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jnz	short loc_A0CB95
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	esi
		push	edx
		push	ecx
		call	_ExSetFirmwareEnvironmentVariable@20 ; ExSetFirmwareEnvironmentVariable(x,x,x,x,x)
		jmp	loc_A0CD6A
; 

loc_A0CB95:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+36j
		cmp	dword_6BBFD0, 2
		jz	short loc_A0CBA8
		mov	eax, 0C0000002h
		jmp	loc_A0CD6A
; 

loc_A0CBA8:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+52j
		and	[ebp+ms_exc.disabled], 0
		mov	edi, ecx
		test	cl, 3
		jnz	short loc_A0CBE6
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_A0CBBE
		mov	edi, eax

loc_A0CBBE:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+70j
		nop
		mov	al, [edi]
		mov	edi, [ecx]
		mov	[ebp+var_48], edi
		mov	eax, [ecx+4]
		mov	[ebp+var_44], eax
		test	di, di
		jnz	short loc_A0CBE2
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000005h
		jmp	loc_A0CD6A
; 

loc_A0CBE2:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+85j
		test	al, 1
		jz	short loc_A0CBEB

loc_A0CBE6:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+67j
					; NtSetSystemEnvironmentValueEx(x,x,x,x,x)+BDj
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A0CBEB:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+9Aj
		movzx	ebx, di
		lea	edi, [ebx+eax]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edi, ecx
		ja	short loc_A0CBFF
		cmp	edi, eax
		jnb	short loc_A0CC02

loc_A0CBFF:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+AFj
		mov	byte ptr [ecx],	0

loc_A0CC02:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+B3j
		mov	ecx, edx
		test	dl, 3
		jnz	short loc_A0CBE6
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_A0CC14
		mov	ecx, eax

loc_A0CC14:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+C6j
		nop
		mov	al, [ecx]
		mov	eax, esi
		neg	eax
		sbb	eax, eax
		and	eax, [ebp+arg_C]
		mov	[ebp+arg_C], eax
		jz	short loc_A0CC38
		lea	ecx, [esi+eax]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_A0CC35
		cmp	ecx, esi
		jnb	short loc_A0CC38

loc_A0CC35:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+E5j
		mov	byte ptr [eax],	0

loc_A0CC38:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+D9j
					; NtSetSystemEnvironmentValueEx(x,x,x,x,x)+E9j
		push	1
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		mov	[ebp+var_2D], al
		test	al, al
		jnz	short loc_A0CC8A
		mov	ecx, large fs:124h
		mov	ecx, [ecx+80h]
		call	_PsIsProcessAppContainer@4 ; PsIsProcessAppContainer(x)
		test	al, al
		jz	short loc_A0CC73
		push	2
		pop	ecx
		call	_ExpFirmwareAccessAppContainerCheck@4 ;	ExpFirmwareAccessAppContainerCheck(x)
		mov	[ebp+var_2D], al

loc_A0CC73:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+11Cj
		cmp	[ebp+var_2D], 0
		jnz	short loc_A0CC8A
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000061h
		jmp	loc_A0CD6A
; 

loc_A0CC8A:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+106j
					; NtSetSystemEnvironmentValueEx(x,x,x,x,x)+12Dj
		mov	esi, [ebp+var_38]
		lea	edi, [ebp+var_2C]
		movsd
		movsd
		movsd
		movsd
		push	72766E45h
		lea	eax, [ebx+2]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_34], edi
		test	edi, edi
		jnz	short loc_A0CCC1
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000009Ah
		jmp	loc_A0CD6A
; 

loc_A0CCC1:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+164j
		push	ebx		; size_t
		push	[ebp+var_44]	; void *
		push	edi		; void *
		call	_memcpy
		shr	ebx, 1
		xor	eax, eax
		mov	[edi+ebx*2], ax
		push	10h		; size_t
		push	offset _ExpSecureBootVendorGuid	; void *
		lea	eax, [ebp+var_2C]
		push	eax		; void *
		call	_memcmp
		add	esp, 18h
		test	eax, eax
		jnz	short loc_A0CD13
		push	7		; size_t
		push	offset ??_C@_1BA@BMJDNNAL@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA_@NNGAKEGL@	; wchar_t *
		push	edi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A0CD13
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000022h
		jmp	short loc_A0CD6A
; 

loc_A0CD13:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+19Ej
					; NtSetSystemEnvironmentValueEx(x,x,x,x,x)+1B2j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	1
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+var_3C]
		lea	edx, [ebp+var_2C]
		mov	ecx, edi
		call	_ExpSetFirmwareEnvironmentVariable@24 ;	ExpSetFirmwareEnvironmentVariable(x,x,x,x,x,x)
		mov	esi, eax
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	short loc_A0CD6A
; 

loc_A0CD3D:				; DATA XREF: .text:006AA784o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_40], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0CD4D:				; DATA XREF: .text:006AA788o
		mov	esp, [ebp+ms_exc.old_esp]
		cmp	[ebp+var_34], 0
		jz	short loc_A0CD60
		push	0
		push	[ebp+var_34]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0CD60:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+20Aj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_40]

loc_A0CD6A:				; CODE XREF: NtSetSystemEnvironmentValueEx(x,x,x,x,x)+46j
					; NtSetSystemEnvironmentValueEx(x,x,x,x,x)+59j	...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_NtSetSystemEnvironmentValueEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	NtTranslateFilePath(void *,int,void *,int)
_NtTranslateFilePath@16	proc near	; DATA XREF: .text:00580BF8o

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	28h
		push	offset dword_6AA5F8
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], ebx
		cmp	dword_6BBFD0, 2
		jz	short loc_A0CDA3
		mov	eax, 0C0000002h
		jmp	short loc_A0CDF7
; 

loc_A0CDA3:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+1Ej
		mov	eax, [ebp+arg_4]
		dec	eax
		cmp	eax, 4
		ja	short loc_A0CDF2
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, large fs:124h
		mov	[ebp+var_28], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_2C], al
		mov	ecx, [ebp+arg_0]
		lea	edi, [ecx+4]
		test	al, al
		jz	short loc_A0CDE1
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jb	short loc_A0CDD6
		mov	edi, eax

loc_A0CDD6:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+56j
		nop
		mov	edi, [edi]
		mov	[ebp+var_30], edi
		mov	al, byte ptr [ebp+var_2C]
		jmp	short loc_A0CDE6
; 

loc_A0CDE1:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+4Dj
		mov	edi, [edi]
		mov	[ebp+var_30], edi

loc_A0CDE6:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+63j
		cmp	edi, 0Ch
		jnb	short loc_A0CE09
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A0CDF2:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+2Ej
		mov	eax, 0C000000Dh

loc_A0CDF7:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+25j
					; NtTranslateFilePath(x,x,x,x)+111j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_A0CE09:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+6Dj
		test	al, al
		jz	loc_A0CE97
		test	cl, 3
		jz	short loc_A0CE1B
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A0CE1B:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+98j
		lea	edx, [edi+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_A0CE2B
		cmp	edx, ecx
		jnb	short loc_A0CE2D

loc_A0CE2B:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+A9j
		mov	[eax], bl

loc_A0CE2D:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+ADj
		mov	edx, [ebp+arg_C]
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_A0CE3D
		mov	ecx, eax

loc_A0CE3D:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+BDj
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	esi, [edx]
		mov	[ebp+var_1C], esi
		mov	eax, esi
		mov	[ebp+var_28], eax
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	short loc_A0CE5C
		mov	esi, ebx
		mov	[ebp+var_1C], esi
		mov	eax, ebx
		mov	[ebp+var_28], ebx

loc_A0CE5C:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+D4j
		test	eax, eax
		jz	short loc_A0CE69
		push	4
		push	esi
		push	ecx
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_A0CE69:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+E2j
		push	[ebp+var_2C]
		push	ds:dword_A94CA4
		push	ds:_SeSystemEnvironmentPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0CE92
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000061h
		jmp	loc_A0CDF7
; 

loc_A0CE92:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+103j
		mov	edi, [ebp+var_30]
		jmp	short loc_A0CEB0
; 

loc_A0CE97:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+8Fj
		mov	esi, [ebp+arg_C]
		mov	esi, [esi]
		mov	[ebp+var_1C], esi
		mov	[ebp+var_28], esi
		cmp	[ebp+arg_8], 0
		jnz	short loc_A0CEB0
		mov	esi, ebx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_28], ebx

loc_A0CEB0:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+119j
					; NtTranslateFilePath(x,x,x,x)+12Aj
		push	72766E45h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_20], ebx
		test	ebx, ebx
		jnz	short loc_A0CEDA

loc_A0CEC9:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+199j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000009Ah
		jmp	loc_A0CDF7
; 

loc_A0CEDA:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+14Bj
		push	edi		; size_t
		push	[ebp+arg_0]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebx+4], edi
		cmp	[ebp+var_28], 0
		jz	short loc_A0CF17
		push	72766E45h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_24], ebx
		test	ebx, ebx
		jnz	short loc_A0CF1C
		push	eax
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_20], ebx
		jmp	short loc_A0CEC9
; 

loc_A0CF17:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+172j
		xor	ebx, ebx
		mov	[ebp+var_24], ebx

loc_A0CF1C:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+18Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]
		mov	edx, [eax+4]
		add	edx, eax
		mov	ecx, eax
		call	_ExpVerifyFilePath@8 ; ExpVerifyFilePath(x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		js	short loc_A0CF60
		mov	eax, [ebp+var_20]
		mov	ecx, [eax+8]
		mov	edx, [ebp+arg_4]
		cmp	edx, ecx
		jnz	short loc_A0CFAC
		cmp	esi, edi
		jb	short loc_A0CF57
		push	edi		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_A0CF5E
; 

loc_A0CF57:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+1CCj
		mov	[ebp+arg_0], 0C0000023h

loc_A0CF5E:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+1D9j
		mov	esi, edi

loc_A0CF60:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+1BBj
		mov	edi, [ebp+arg_0]

loc_A0CF63:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+270j
					; NtTranslateFilePath(x,x,x,x)+27Aj
		push	0
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 1
		test	edi, edi
		js	short loc_A0CF89
		test	ebx, ebx
		jz	short loc_A0CF99
		push	esi		; size_t
		push	ebx		; void *
		push	[ebp+arg_8]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_A0CF89:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+1FAj
		test	ebx, ebx
		jz	short loc_A0CF99
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_24], 0

loc_A0CF99:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+1FEj
					; NtTranslateFilePath(x,x,x,x)+20Fj
		mov	eax, [ebp+arg_C]
		mov	[eax], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edi
		jmp	loc_A0CDF7
; 

loc_A0CFAC:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+1C8j
		test	ecx, ecx
		jz	short loc_A0CFF1
		cmp	ecx, 2
		jbe	short loc_A0CFDB
		cmp	ecx, 3
		jz	short loc_A0CFCD
		cmp	ecx, 4
		jnz	short loc_A0CFF1
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	ebx
		mov	ecx, eax
		call	_ExpTranslateEfiPath@16	; ExpTranslateEfiPath(x,x,x,x)
		jmp	short loc_A0CFE7
; 

loc_A0CFCD:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+23Cj
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	ebx
		mov	ecx, eax
		call	_ExpTranslateNtPath@16 ; ExpTranslateNtPath(x,x,x,x)
		jmp	short loc_A0CFE7
; 

loc_A0CFDB:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+237j
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	ebx
		mov	ecx, eax
		call	_ExpTranslateArcPath@16	; ExpTranslateArcPath(x,x,x,x)

loc_A0CFE7:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+24Fj
					; NtTranslateFilePath(x,x,x,x)+25Dj
		mov	edi, eax
		mov	esi, [ebp+var_1C]
		jmp	loc_A0CF63
; 

loc_A0CFF1:				; CODE XREF: NtTranslateFilePath(x,x,x,x)+232j
					; NtTranslateFilePath(x,x,x,x)+241j
		mov	edi, 0C000000Dh
		jmp	loc_A0CF63
_NtTranslateFilePath@16	endp


;  S U B	R O U T	I N E 


sub_A0CFFB	proc near		; DATA XREF: .text:006AA618o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-34h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
sub_A0CFFB	endp


;  S U B	R O U T	I N E 


sub_A0D00B	proc near		; DATA XREF: .text:006AA61Co
		mov	esp, [ebp-18h]
		cmp	dword ptr [ebp-24h], 0
		jz	short loc_A0D01E
		push	0
		push	dword ptr [ebp-24h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0D01E:				; CODE XREF: sub_A0D00B+7j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-34h]
		jmp	loc_A0CDF7
sub_A0D00B	endp

; 

loc_A0D02D:				; DATA XREF: .text:006AA60Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-38h], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0D03D:				; DATA XREF: .text:006AA610o
		mov	esp, [ebp-18h]
		cmp	dword ptr [ebp-20h], 0
		jz	short loc_A0D050
		push	0
		push	dword ptr [ebp-20h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0D050:				; CODE XREF: PAGE:00A0D044j
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [ebp-38h]
		jmp	loc_A0CDF7

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpIoPoolDeadlockWorker(x)
_ExpIoPoolDeadlockWorker@4 proc	near	; DATA XREF: ExpWorkQueueManagerThread+91F02o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		push	eax		; int
		push	eax		; int
		push	eax		; int
		push	eax		; int
		push	eax		; int
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+4] ; int
		push	dword ptr [eax]	; int
		push	1C5h		; int
		push	offset ??_C@_1BK@FCNHCKCD@?$AAI?$AAo?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd?$AAp?$AAo?$AAo?$AAl@NNGAKEGL@ ; "IoThreadpool"
		call	_DbgkWerCaptureLiveKernelDump@36 ; DbgkWerCaptureLiveKernelDump(x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	4
_ExpIoPoolDeadlockWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpNodeHotAddProcessorWorker(x)
_ExpNodeHotAddProcessorWorker@4	proc near ; DATA XREF: ExpNodeInitialize(x)+1Do

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		call	KeSynchronizeWithDynamicProcessors
		xor	ecx, ecx
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A0D0FA
		push	edi
		mov	edi, [ebp+arg_0]

loc_A0D0A4:				; CODE XREF: ExpNodeHotAddProcessorWorker(x)+42j
		mov	ecx, [esi+8]
		movzx	eax, word ptr [edi+8Ah]
		mov	ecx, [ecx+8]
		mov	ecx, [ecx+eax*4]
		call	_ExpWorkQueueManagerStart@4 ; ExpWorkQueueManagerStart(x)
		mov	ecx, esi
		test	eax, eax
		js	short loc_A0D0CC
		call	_PsGetNextPartition@4 ;	PsGetNextPartition(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A0D0A4
		jmp	short loc_A0D0F9
; 

loc_A0D0CC:				; CODE XREF: ExpNodeHotAddProcessorWorker(x)+37j
		call	_PsQuitNextPartition@4 ; PsQuitNextPartition(x)
		or	[ebp+var_4], 0FFFFFFFFh
		lea	eax, [ebp+var_8]
		push	eax
		xor	esi, esi
		mov	[ebp+var_8], 0FFF85EE0h
		push	esi
		push	esi
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		lea	eax, [edi+140h]
		push	1
		push	eax
		mov	[eax], esi
		call	ExQueueWorkItem

loc_A0D0F9:				; CODE XREF: ExpNodeHotAddProcessorWorker(x)+44j
		pop	edi

loc_A0D0FA:				; CODE XREF: ExpNodeHotAddProcessorWorker(x)+18j
		pop	esi
		leave
		retn	4
_ExpNodeHotAddProcessorWorker@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpPartitionCreatePoolDelayed(x, x,	x)
_ExpPartitionCreatePoolDelayed@12 proc near ; CODE XREF: ExpWorkQueueManagerThread+91F40p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		movzx	esi, word ptr [eax+8Ah]
		mov	eax, [edi+4]
		mov	esi, [eax+esi*4]
		mov	edx, [esi+ebx*4]
		shr	edx, 1
		and	edx, 7Fh
		mov	ecx, edx
		call	_KeIsNodeInitialized@4 ; KeIsNodeInitialized(x)
		test	al, al
		jnz	short loc_A0D137
		xor	edx, edx
		jmp	short loc_A0D13E
; 

loc_A0D137:				; CODE XREF: ExpPartitionCreatePoolDelayed(x,x,x)+32j
		mov	edx, ds:_KeNodeBlock[edx*4]

loc_A0D13E:				; CODE XREF: ExpPartitionCreatePoolDelayed(x,x,x)+36j
		push	ebx
		mov	ecx, edi
		call	_ExpPartitionGetQueue@12 ; ExpPartitionGetQueue(x,x,x)
		push	ebx
		push	[ebp+var_4]
		mov	ecx, edi
		mov	edx, [eax+1B0h]
		push	dword ptr [eax+1B4h]
		add	edx, edx
		sar	edx, 1
		call	ExpPartitionCreatePoolInternal
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpPartitionCreatePoolDelayed@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpPartitionDestroy(x)
_ExpPartitionDestroy@4 proc near	; CODE XREF: ExpPartitionInitialize+181p
					; PspTeardownPartition(x)+39p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_A0D1C0
		xor	edx, edx
		xor	edi, edi
		cmp	dx, ds:_KeNumberNodes
		jnb	short loc_A0D1B8

loc_A0D18C:				; CODE XREF: ExpPartitionDestroy(x)+4Ej
		mov	eax, [esi+8]
		movzx	ebx, di
		mov	ecx, [eax+ebx*4]
		test	ecx, ecx
		jz	short loc_A0D1AE
		call	_ExpWorkQueueManagerDestroy@4 ;	ExpWorkQueueManagerDestroy(x)
		mov	eax, [esi+8]
		push	0
		push	dword ptr [eax+ebx*4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi+8]

loc_A0D1AE:				; CODE XREF: ExpPartitionDestroy(x)+2Fj
		inc	edi
		cmp	di, ds:_KeNumberNodes
		jb	short loc_A0D18C

loc_A0D1B8:				; CODE XREF: ExpPartitionDestroy(x)+22j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0D1C0:				; CODE XREF: ExpPartitionDestroy(x)+15j
		mov	eax, [esi+4]
		test	eax, eax
		jz	loc_A0D26D
		xor	ecx, ecx
		xor	edi, edi
		cmp	cx, ds:_KeNumberNodes
		jnb	loc_A0D265

loc_A0D1DC:				; CODE XREF: ExpPartitionDestroy(x)+F4j
		mov	eax, [esi+4]
		movzx	edx, di
		mov	[esp+18h+var_4], edx
		cmp	dword ptr [eax+edx*4], 0
		jz	short loc_A0D254
		mov	ecx, edi
		call	_KeIsNodeInitialized@4 ; KeIsNodeInitialized(x)
		test	al, al
		jnz	short loc_A0D1FB
		xor	ecx, ecx
		jmp	short loc_A0D202
; 

loc_A0D1FB:				; CODE XREF: ExpPartitionDestroy(x)+8Dj
		mov	ecx, ds:_KeNodeBlock[edx*4]

loc_A0D202:				; CODE XREF: ExpPartitionDestroy(x)+91j
		xor	eax, eax
		mov	[esp+18h+var_8], ecx
		mov	[esp+18h+var_C], eax

loc_A0D20C:				; CODE XREF: ExpPartitionDestroy(x)+D9j
		mov	edx, ecx
		mov	ecx, esi
		push	eax
		call	_ExpPartitionGetQueue@12 ; ExpPartitionGetQueue(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A0D231
		cmp	dword ptr [ebx+4], 0
		jnz	short loc_A0D27C
		mov	ecx, ebx
		call	_ExpWorkQueueDestroy@4 ; ExpWorkQueueDestroy(x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0D231:				; CODE XREF: ExpPartitionDestroy(x)+B2j
		mov	eax, [esp+18h+var_C]
		mov	ecx, [esp+18h+var_8]
		inc	eax
		mov	[esp+18h+var_C], eax
		cmp	eax, 8
		jl	short loc_A0D20C
		mov	eax, [esi+4]
		mov	ecx, [esp+18h+var_4]
		push	0
		push	dword ptr [eax+ecx*4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0D254:				; CODE XREF: ExpPartitionDestroy(x)+82j
		inc	edi
		cmp	di, ds:_KeNumberNodes
		jb	loc_A0D1DC
		mov	eax, [esi+4]

loc_A0D265:				; CODE XREF: ExpPartitionDestroy(x)+6Ej
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0D26D:				; CODE XREF: ExpPartitionDestroy(x)+5Dj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A0D27C:				; CODE XREF: ExpPartitionDestroy(x)+B8j
		push	0
		push	ebx
		push	dword ptr [esi]
		push	2
		push	18Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_ExpPartitionDestroy@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWorkQueueDestroy(x)
_ExpWorkQueueDestroy@4 proc near	; CODE XREF: ExpPartitionCreatePoolInternal+89849p
					; ExpPartitionDestroy(x)+BCp

var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_10]
		xor	edi, edi
		push	edi
		push	edi
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_10]
		mov	esi, 8000h
		mov	[ebx+1BCh], eax
		lea	edx, [ebx+1ACh]
		mov	eax, [edx]

loc_A0D2C7:				; CODE XREF: ExpWorkQueueDestroy(x)+41j
		mov	ecx, eax
		or	ecx, esi
		lock cmpxchg [edx], ecx
		jnz	short loc_A0D2C7
		mov	esi, eax
		mov	ecx, ebx
		call	_KeRundownPriQueue@4 ; KeRundownPriQueue(x)
		test	esi, 3FFFh
		jbe	short loc_A0D2F1
		push	edi
		push	edi
		push	edi
		push	edi
		push	dword ptr [ebx+1BCh]
		call	KeWaitForSingleObject

loc_A0D2F1:				; CODE XREF: ExpWorkQueueDestroy(x)+52j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpWorkQueueDestroy@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExpWorkQueueManagerDestroy(x)
_ExpWorkQueueManagerDestroy@4 proc near	; CODE XREF: ExpPartitionDestroy(x)+31p
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		cmp	[esi+0A8h], edi
		jz	short loc_A0D334
		push	edi
		push	edi
		lea	eax, [esi+8]
		mov	dword ptr [esi+0ACh], 1
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		push	edi
		push	edi
		push	dword ptr [esi+0A8h]
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		push	dword ptr [esi+0A8h]
		call	_ZwClose@4	; ZwClose(x)

loc_A0D334:				; CODE XREF: ExpWorkQueueManagerDestroy(x)+Fj
		push	edi
		lea	eax, [esi+50h]
		push	eax
		call	KeCancelTimer2
		lea	eax, [esi+18h]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		call	KeFlushQueuedDpcs
		pop	edi
		pop	esi
		pop	ecx
		retn
_ExpWorkQueueManagerDestroy@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; 
; Exported entry 405. ExRaiseAccessViolation

; __stdcall ExRaiseAccessViolation()
		public _ExRaiseAccessViolation@0
_ExRaiseAccessViolation@0:		; CODE XREF: NtAlpcQueryInformation:loc_7AFC7Fp
					; PAGE:loc_807252p ...
		push	0C0000005h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
; 
		db 0CCh
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 408. ExRaiseHardError

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExRaiseHardError(int,int,int,void *,int,int)
		public _ExRaiseHardError@24
_ExRaiseHardError@24 proc near		; CODE XREF: PAGE:007C5218p
					; PAGE:00888BAEp ...

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_5C		= dword	ptr -5Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		push	80h
		push	offset dword_6AA818
		call	__SEH_prolog4_GS
		mov	edx, [ebp+arg_C]
		mov	[ebp+var_80], edx
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_90], eax
		xor	ebx, ebx
		mov	[ebp+var_74], ebx
		mov	eax, ebx
		mov	[ebp+var_8C], eax
		mov	[ebp+var_7C], ebx
		lea	edi, [ebp+var_70]
		stosd
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_5C]
		stosd
		stosd
		stosd
		stosd
		stosd
		push	0Ah
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_48]
		rep stosd
		cmp	_ExpTooLateForErrors, al
		jz	short loc_A0D3C1
		xor	ecx, ecx
		inc	ecx
		mov	esi, ebx
		jmp	loc_A0D541
; 

loc_A0D3C1:				; CODE XREF: ExRaiseHardError(x,x,x,x,x,x)+50j
		mov	edi, [ebp+arg_4]
		cmp	edi, 5
		jbe	short loc_A0D3D5
		mov	esi, 0C00000F0h

loc_A0D3CE:				; CODE XREF: ExRaiseHardError(x,x,x,x,x,x)+E7j
		mov	ecx, ebx
		jmp	loc_A0D541
; 

loc_A0D3D5:				; CODE XREF: ExRaiseHardError(x,x,x,x,x,x)+62j
		test	edx, edx
		jz	loc_A0D51A
		mov	esi, edi
		shl	esi, 2
		push	esi		; size_t
		push	edx		; void *
		lea	eax, [ebp+var_70]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	esi		; size_t
		mov	esi, [ebp+var_80]
		push	esi		; void *
		lea	eax, [ebp+var_5C]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	[ebp+arg_8], ebx
		jz	loc_A0D51A
		push	28h
		pop	edx
		mov	[ebp+var_74], edx
		mov	ecx, ebx
		test	edi, edi
		jz	short loc_A0D431

loc_A0D416:				; CODE XREF: ExRaiseHardError(x,x,x,x,x,x)+CAj
		xor	eax, eax
		inc	eax
		shl	eax, cl
		test	[ebp+arg_8], eax
		jz	short loc_A0D42C
		mov	eax, [esi+ecx*4]
		movzx	eax, word ptr [eax+2]
		add	edx, eax
		mov	[ebp+var_74], edx

loc_A0D42C:				; CODE XREF: ExRaiseHardError(x,x,x,x,x,x)+B9j
		inc	ecx
		cmp	ecx, edi
		jb	short loc_A0D416

loc_A0D431:				; CODE XREF: ExRaiseHardError(x,x,x,x,x,x)+AFj
		push	4
		push	1000h
		lea	eax, [ebp+var_74]
		push	eax
		push	ebx
		lea	eax, [ebp+var_7C]
		push	eax
		push	0FFFFFFFFh
		call	_ZwAllocateVirtualMemory@24 ; ZwAllocateVirtualMemory(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A0D3CE
		mov	eax, [ebp+var_7C]
		mov	[ebp+var_84], eax
		add	eax, 28h
		mov	[ebp+var_78], eax
		mov	esi, ebx
		mov	[ebp+var_88], ebx

loc_A0D465:				; CODE XREF: ExRaiseHardError(x,x,x,x,x,x)+1B0j
		cmp	esi, edi
		jnb	loc_A0D51A
		xor	eax, eax
		inc	eax
		mov	ecx, esi
		shl	eax, cl
		test	[ebp+arg_8], eax
		jz	loc_A0D50E
		mov	eax, [ebp+var_80]
		mov	ecx, [eax+esi*4]
		mov	eax, [ecx]
		mov	[ebp+esi*8+var_48], eax
		mov	eax, [ecx+4]
		mov	[ebp+esi*8+var_44], eax
		mov	[ebp+ms_exc.disabled], ebx
		mov	ecx, [ebp+var_84]
		mov	edx, [ebp+var_78]
		mov	[ecx+esi*8+4], edx
		mov	ax, word ptr [ebp+esi*8+var_48+2]
		mov	[ecx+esi*8+2], ax
		mov	ax, word ptr [ebp+esi*8+var_48]
		mov	[ecx+esi*8], ax
		movzx	eax, word ptr [ebp+esi*8+var_48+2]
		push	eax		; size_t
		push	[ebp+esi*8+var_44] ; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A0D4E8
; 

loc_A0D4CF:				; DATA XREF: .text:006AA82Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0D4D3:				; DATA XREF: .text:006AA830o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	ebx, ebx
		mov	edi, [ebp+arg_4]
		mov	esi, [ebp+var_88]

loc_A0D4E8:				; CODE XREF: ExRaiseHardError(x,x,x,x,x,x)+168j
		mov	edx, [ebp+var_78]
		mov	[ebp+esi*8+var_44], edx
		movzx	eax, word ptr [ebp+esi*8+var_48+2]
		add	[ebp+var_78], eax
		mov	eax, [ebp+var_84]
		lea	eax, [eax+esi*8]
		mov	[ebp+esi*4+var_70], eax
		lea	eax, [ebp+var_48]
		lea	eax, [eax+esi*8]
		mov	[ebp+esi*4+var_5C], eax

loc_A0D50E:				; CODE XREF: ExRaiseHardError(x,x,x,x,x,x)+112j
		inc	esi
		mov	[ebp+var_88], esi
		jmp	loc_A0D465
; 

loc_A0D51A:				; CODE XREF: ExRaiseHardError(x,x,x,x,x,x)+72j
					; ExRaiseHardError(x,x,x,x,x,x)+9Fj ...
		lea	eax, [ebp+var_8C]
		push	eax
		push	[ebp+arg_10]
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		push	[ebp+arg_8]
		mov	edx, edi
		mov	ecx, [ebp+arg_0]
		call	ExpRaiseHardError
		mov	esi, eax
		mov	ecx, [ebp+var_8C]

loc_A0D541:				; CODE XREF: ExRaiseHardError(x,x,x,x,x,x)+57j
					; ExRaiseHardError(x,x,x,x,x,x)+6Bj
		mov	eax, [ebp+var_90]
		mov	[eax], ecx
		cmp	[ebp+var_7C], 0
		jz	short loc_A0D566
		mov	[ebp+var_74], ebx
		push	8000h
		lea	eax, [ebp+var_74]
		push	eax
		lea	eax, [ebp+var_7C]
		push	eax
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)

loc_A0D566:				; CODE XREF: ExRaiseHardError(x,x,x,x,x,x)+1E8j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_ExRaiseHardError@24 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 452. ExUnregisterExtension

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExUnregisterExtension(x)
		public _ExUnregisterExtension@4
_ExUnregisterExtension@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		push	0
		lea	edi, [esi+28h]
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	ebx, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_A0D5B9
		push	edi
		mov	edx, ebx
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_A0D5B9:				; CODE XREF: ExUnregisterExtension(x)+2Ej
		test	ebx, ebx
		jz	short loc_A0D5C1
		or	byte ptr [ebx+0Eh], 1

loc_A0D5C1:				; CODE XREF: ExUnregisterExtension(x)+3Cj
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_A0D5CF
		push	dword ptr [esi+20h]
		push	2
		call	eax

loc_A0D5CF:				; CODE XREF: ExUnregisterExtension(x)+47j
		lea	ecx, [esi+24h]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		and	dword ptr [esi+2Ch], 0
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_A0D5E9
		push	dword ptr [esi+20h]
		push	3
		call	eax

loc_A0D5E9:				; CODE XREF: ExUnregisterExtension(x)+61j
		or	ebx, 0FFFFFFFFh
		mov	eax, ebx
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A0D5FF
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A0D5FF:				; CODE XREF: ExUnregisterExtension(x)+77j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lock xadd [esi+8], ebx
		dec	ebx
		jnz	short loc_A0D622
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0D622:				; CODE XREF: ExUnregisterExtension(x)+99j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_ExUnregisterExtension@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpAssignPasid(x, x)
_ExpAssignPasid@8 proc near		; CODE XREF: ExShareAddressSpaceWithDevice(x,x)+261p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_4], esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	edi, esi
		xor	eax, eax
		lea	esi, [ebx+3ACh]
		lock cmpxchg [esi], edi
		test	eax, eax
		jz	short loc_A0D664
		mov	ecx, [ebp+var_4]
		dec	ecx
		call	_ExpFreeAsid@4	; ExpFreeAsid(x)
		mov	ecx, ebx
		call	ObfDereferenceObject
		xor	eax, eax
		jmp	short loc_A0D667
; 

loc_A0D664:				; CODE XREF: ExpAssignPasid(x,x)+25j
		xor	eax, eax
		inc	eax

loc_A0D667:				; CODE XREF: ExpAssignPasid(x,x)+39j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpAssignPasid@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSetBorrowedTimeOnTimestamp(x, x)
_ExpSetBorrowedTimeOnTimestamp@8 proc near ; CODE XREF:	ExpAllocateUuids+11C537p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, ds:_ExpUuidTimeSequenceNumber
		mov	eax, ecx
		and	eax, 1
		shl	eax, 1Bh
		test	cl, 2
		jz	short loc_A0D68A
		or	eax, 4000000h

loc_A0D68A:				; CODE XREF: ExpSetBorrowedTimeOnTimestamp(x,x)+17j
		test	cl, 4
		jz	short loc_A0D694
		or	eax, 2000000h

loc_A0D694:				; CODE XREF: ExpSetBorrowedTimeOnTimestamp(x,x)+21j
		test	cl, 8
		jz	short loc_A0D69E
		or	eax, 1000000h

loc_A0D69E:				; CODE XREF: ExpSetBorrowedTimeOnTimestamp(x,x)+2Bj
		test	cl, 10h
		jz	short loc_A0D6A8
		or	eax, 800000h

loc_A0D6A8:				; CODE XREF: ExpSetBorrowedTimeOnTimestamp(x,x)+35j
		or	[edx], eax
		leave
		retn
_ExpSetBorrowedTimeOnTimestamp@8 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 1495. NtAddAtom

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtAddAtom(x, x, x)
		public _NtAddAtom@12
_NtAddAtom@12	proc near		; DATA XREF: .text:00581288o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	NtAddAtomEx
		pop	ebp
		retn	0Ch
_NtAddAtom@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpPcwDisabledStatus()
_ExpPcwDisabledStatus@0	proc near	; CODE XREF: PcwAddInstance(x,x,x,x,x):loc_7C9D01p
					; PcwCreateInstance+1282C4p ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ds:_ExpPcwEnableState
		xor	edx, edx
		mov	[ebp+var_4], edx
		push	edi
		test	eax, eax
		jnz	short loc_A0D74A
		or	[ebp+var_8], 0FFFFFFFFh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_34], eax
		lea	edi, [ebp+var_24]
		push	7
		pop	ecx
		lea	eax, [ebp+var_8]
		mov	[ebp+var_40], edx
		mov	[ebp+var_2C], eax
		xor	eax, eax
		mov	[ebp+var_3C], 120h
		mov	[ebp+var_38], offset ??_C@_1M@IOJLKPKK@?$AAS?$AAt?$AAa?$AAr?$AAt@NNGAKEGL@
		mov	[ebp+var_30], 4000004h
		mov	[ebp+var_28], 4
		rep stosd
		xor	ecx, ecx
		lea	eax, [ebp+var_40]
		inc	ecx
		push	ecx
		push	ecx
		push	edx
		push	eax
		mov	edx, offset ??_C@_17EOAFFENH@?$AAp?$AAc?$AAw@NNGAKEGL@
		call	RtlpQueryRegistryValues
		lea	ecx, [eax+3FFFFFCCh]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		jl	short loc_A0D757
		xor	eax, eax
		cmp	[ebp+var_4], eax
		setz	al
		inc	eax
		mov	ds:_ExpPcwEnableState, eax

loc_A0D74A:				; CODE XREF: ExpPcwDisabledStatus()+15j
		dec	eax
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000002h

loc_A0D754:				; CODE XREF: ExpPcwDisabledStatus()+8Fj
		pop	edi
		leave
		retn
; 

loc_A0D757:				; CODE XREF: ExpPcwDisabledStatus()+70j
		mov	eax, ecx
		jmp	short loc_A0D754
_ExpPcwDisabledStatus@0	endp

; 
		align 10h
; Exported entry 1656. PcwUnregister

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PcwUnregister(x)
		public _PcwUnregister@4
_PcwUnregister@4 proc near		; CODE XREF: ExpPcwHostCallback+96570p
					; ExpPcwHostCallback+96585p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, ds:_ExpPcwExtensionHost
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jz	short loc_A0D785
		push	[ebp+arg_0]
		call	dword ptr [eax+4]
		mov	ecx, ds:_ExpPcwExtensionHost
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_A0D785:				; CODE XREF: PcwUnregister(x)+12j
		pop	ebp
		retn	4
_PcwUnregister@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCovCreateUnloadedModuleEntry(x)
_ExpCovCreateUnloadedModuleEntry@4 proc	near ; CODE XREF: MiUnloadSystemImage+14B6C8p
					; MiUnloadSystemImage+14B8A9p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		xor	eax, eax
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_C], eax
		push	esi
		push	edi
		lea	eax, [ebp+var_C]
		mov	ecx, [ebx+48h]
		lea	esi, [ebx+24h]
		push	eax
		mov	edx, esi
		call	_ExpCovReadFriendlyName@12 ; ExpCovReadFriendlyName(x,x,x)
		test	eax, eax
		jns	short loc_A0D7CE
		lea	eax, [ebx+2Ch]
		push	eax		; char
		push	(offset	loc_8C19F1+5) ;	char *
		push	0		; int
		push	7Eh		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	loc_A0D989
; 

loc_A0D7CE:				; CODE XREF: ExpCovCreateUnloadedModuleEntry(x)+29j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, offset _ExpCovPushLock
		call	@ExfAcquirePushLockExclusive@4 ; ExfAcquirePushLockExclusive(x)
		mov	ecx, _ExpCovCurrentPagedPoolInUse
		lea	eax, [ecx+20h]
		cmp	eax, ecx
		jb	loc_A0D956
		movzx	edx, word ptr [ebp+var_C]
		add	eax, edx
		cmp	eax, ecx
		jb	loc_A0D956
		cmp	eax, 0FFFFFFFFh
		jz	loc_A0D956
		lea	ecx, [edx+eax]
		cmp	ecx, eax
		jb	loc_A0D953
		add	ecx, [ebx+44h]
		mov	[ebp+var_4], ecx
		cmp	ecx, eax
		jb	loc_A0D953
		cmp	ecx, 0FFFFFFFFh
		jz	loc_A0D953
		mov	eax, _ExCovMaxPagedPoolToUse
		cmp	ecx, eax
		jbe	short loc_A0D851
		push	esi
		push	eax		; char
		push	offset ??_C@_0DO@LNDAPJAM@COV?3?5Max?5paged?5pool?5size?5?$CI?$CFu?$CJ?5r@NNGAKEGL@ ; "COV: Max	paged pool size	(%u) reached, "...

loc_A0D840:				; CODE XREF: ExpCovCreateUnloadedModuleEntry(x)+1A7j
		push	2		; int
		push	7Eh		; int
		call	_DbgPrintEx
		add	esp, 14h
		jmp	loc_A0D96B
; 

loc_A0D851:				; CODE XREF: ExpCovCreateUnloadedModuleEntry(x)+AEj
		push	72766F43h
		push	20h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A0D935
		push	8
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		lea	ecx, [esi+10h]
		push	ecx
		lea	eax, [ebp+var_C]
		push	eax
		push	1
		call	RtlDuplicateUnicodeString
		test	eax, eax
		js	loc_A0D935
		cmp	[ebp+var_8], 0
		jz	short loc_A0D898
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_A0D898:				; CODE XREF: ExpCovCreateUnloadedModuleEntry(x)+104j
		mov	ecx, [ebx+48h]
		lea	eax, [ebp+var_C]
		push	eax
		lea	edx, [ebx+2Ch]
		call	_ExpCovReadFriendlyName@12 ; ExpCovReadFriendlyName(x,x,x)
		test	eax, eax
		js	loc_A0D935
		lea	eax, [esi+8]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	1
		call	RtlDuplicateUnicodeString
		test	eax, eax
		js	short loc_A0D935
		mov	eax, [ebx+44h]
		push	72766F43h
		mov	[esi+18h], eax
		push	dword ptr [ebx+44h]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+1Ch], eax
		test	eax, eax
		jz	short loc_A0D935
		push	dword ptr [ebx+44h] ; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	dword ptr [ebx+44h] ; size_t
		push	dword ptr [ebx+48h] ; void *
		push	dword ptr [esi+1Ch] ; void *
		call	_memcpy
		mov	eax, dword_6BB4EC
		mov	ecx, offset _ExpCovUnloadedModuleList
		add	esp, 0Ch
		cmp	[eax], ecx
		jz	short loc_A0D910
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A0D910:				; CODE XREF: ExpCovCreateUnloadedModuleEntry(x)+180j
		mov	[esi+4], eax
		mov	[esi], ecx
		mov	[eax], esi
		mov	eax, [ebp+var_4]
		mov	dword_6BB4EC, esi
		push	dword ptr [ebx+30h]
		mov	_ExpCovCurrentPagedPoolInUse, eax
		push	dword ptr [ebx+2Ch]
		push	offset ??_C@_0DI@BMJCJOBG@COV?3?5Entry?5created?5for?5?$CFwZ?5in?5E@NNGAKEGL@
		jmp	loc_A0D840
; 

loc_A0D935:				; CODE XREF: ExpCovCreateUnloadedModuleEntry(x)+DAj
					; ExpCovCreateUnloadedModuleEntry(x)+FAj ...
		lea	eax, [ebx+2Ch]
		push	eax		; char
		push	(offset	loc_8C19F1+5) ;	char *
		push	0		; int
		push	7Eh		; int
		call	_DbgPrintEx
		add	esp, 10h
		mov	ecx, esi
		call	_ExpCovFreeUnloadedModuleEntry@4 ; ExpCovFreeUnloadedModuleEntry(x)
		jmp	short loc_A0D96B
; 

loc_A0D953:				; CODE XREF: ExpCovCreateUnloadedModuleEntry(x)+8Aj
					; ExpCovCreateUnloadedModuleEntry(x)+98j ...
		push	esi
		jmp	short loc_A0D95A
; 

loc_A0D956:				; CODE XREF: ExpCovCreateUnloadedModuleEntry(x)+68j
					; ExpCovCreateUnloadedModuleEntry(x)+76j ...
		lea	eax, [ebx+2Ch]
		push	eax		; char

loc_A0D95A:				; CODE XREF: ExpCovCreateUnloadedModuleEntry(x)+1CBj
		push	offset ??_C@_0DI@KOLBMLLB@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@ ; char	*
		push	2		; int
		push	7Eh		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_A0D96B:				; CODE XREF: ExpCovCreateUnloadedModuleEntry(x)+C3j
					; ExpCovCreateUnloadedModuleEntry(x)+1C8j
		mov	ecx, offset _ExpCovPushLock
		call	@ExfReleasePushLock@4 ;	ExfReleasePushLock(x)
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		cmp	[ebp+var_8], 0
		jz	short loc_A0D989
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_A0D989:				; CODE XREF: ExpCovCreateUnloadedModuleEntry(x)+40j
					; ExpCovCreateUnloadedModuleEntry(x)+1F5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpCovCreateUnloadedModuleEntry@4 endp


;  S U B	R O U T	I N E 


; __stdcall ExpCovDeleteUnloadedModuleEntry(x)
_ExpCovDeleteUnloadedModuleEntry@4 proc	near ; CODE XREF: MiUnloadSystemImage+14B6A6p
					; MiUnloadSystemImage+14B887p ...
		test	ecx, ecx
		jnz	short loc_A0D998
		mov	eax, 0C000000Dh
		retn
; 

loc_A0D998:				; CODE XREF: ExpCovDeleteUnloadedModuleEntry(x)+2j
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_A0D9E2
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_A0D9E2
		mov	[edx], eax
		mov	[eax+4], edx
		movzx	edx, word ptr [ecx+8]
		push	esi
		add	edx, 20h
		or	esi, 0FFFFFFFFh
		cmp	edx, 20h
		jb	short loc_A0D9C6
		movzx	eax, word ptr [ecx+10h]
		add	edx, eax
		cmp	edx, 20h
		jnb	short loc_A0D9C8

loc_A0D9C6:				; CODE XREF: ExpCovDeleteUnloadedModuleEntry(x)+2Bj
		mov	edx, esi

loc_A0D9C8:				; CODE XREF: ExpCovDeleteUnloadedModuleEntry(x)+36j
		mov	eax, [ecx+18h]
		add	eax, edx
		cmp	eax, edx
		jb	short loc_A0D9D3
		mov	esi, eax

loc_A0D9D3:				; CODE XREF: ExpCovDeleteUnloadedModuleEntry(x)+41j
		call	_ExpCovFreeUnloadedModuleEntry@4 ; ExpCovFreeUnloadedModuleEntry(x)
		sub	_ExpCovCurrentPagedPoolInUse, esi
		xor	eax, eax
		pop	esi
		retn
; 

loc_A0D9E2:				; CODE XREF: ExpCovDeleteUnloadedModuleEntry(x)+Fj
					; ExpCovDeleteUnloadedModuleEntry(x)+16j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExpCovDeleteUnloadedModuleEntry@4 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall ExpCovFreeUnloadedModuleEntry(x)
_ExpCovFreeUnloadedModuleEntry@4 proc near
					; CODE XREF: ExpCovCreateUnloadedModuleEntry(x)+1C3p
					; ExpCovDeleteUnloadedModuleEntry(x):loc_A0D9D3p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_A0DA29
		push	edi
		xor	edi, edi
		cmp	[esi+0Ch], edi
		jz	short loc_A0DA01
		lea	eax, [esi+8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_A0DA01:				; CODE XREF: ExpCovFreeUnloadedModuleEntry(x)+Fj
		cmp	[esi+14h], edi
		jz	short loc_A0DA0F
		lea	eax, [esi+10h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_A0DA0F:				; CODE XREF: ExpCovFreeUnloadedModuleEntry(x)+1Dj
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_A0DA1D
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0DA1D:				; CODE XREF: ExpCovFreeUnloadedModuleEntry(x)+2Dj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		xor	eax, eax
		pop	esi
		retn
; 

loc_A0DA29:				; CODE XREF: ExpCovFreeUnloadedModuleEntry(x)+7j
		mov	eax, 0C000000Dh
		pop	esi
		retn
_ExpCovFreeUnloadedModuleEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpCovIsModulePresent(int,int,void *Source1)
_ExpCovIsModulePresent@20 proc near	; CODE XREF: ExpCovQueryInfoCallBack(x,x)+2Bp
					; ExpCovQueryInformation(x,x,x)+2F1p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
Source1		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		xor	eax, eax
		push	ebx
		mov	[esp+0Ch+var_8], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_0]
		mov	[esp+0Ch+var_4], ebx
		push	esi
		mov	esi, edx
		sub	eax, ebx
		jz	short loc_A0DA93
		sub	eax, 1
		jz	short loc_A0DA80
		sub	eax, 1
		jnz	short loc_A0DAA6
		lea	eax, [esp+10h+var_8]
		mov	edx, ecx
		push	eax
		mov	ecx, esi
		call	_ExpCovReadFriendlyName@12 ; ExpCovReadFriendlyName(x,x,x)
		test	eax, eax
		js	short loc_A0DA95
		push	1
		lea	eax, [esp+14h+var_8]
		push	eax
		push	[ebp+arg_4]
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jmp	short loc_A0DA91
; 

loc_A0DA80:				; CODE XREF: ExpCovIsModulePresent(x,x,x,x,x)+24j
		push	10h		; Length
		lea	eax, [esi+8]
		push	eax		; Source2
		push	[ebp+Source1]	; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h

loc_A0DA91:				; CODE XREF: ExpCovIsModulePresent(x,x,x,x,x)+4Ej
		jnz	short loc_A0DA95

loc_A0DA93:				; CODE XREF: ExpCovIsModulePresent(x,x,x,x,x)+1Fj
		mov	bl, 1

loc_A0DA95:				; CODE XREF: ExpCovIsModulePresent(x,x,x,x,x)+3Bj
					; ExpCovIsModulePresent(x,x,x,x,x):loc_A0DA91j
		cmp	[esp+10h+var_4], 0
		jz	short loc_A0DAA6
		lea	eax, [esp+10h+var_8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_A0DAA6:				; CODE XREF: ExpCovIsModulePresent(x,x,x,x,x)+29j
					; ExpCovIsModulePresent(x,x,x,x,x)+6Aj
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_ExpCovIsModulePresent@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCovQueryInfoCallBack(x, x)
_ExpCovQueryInfoCallBack@8 proc	near	; DATA XREF: ExpCovQueryInformation(x,x,x)+168o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	edx, [ebx+48h]
		test	edx, edx
		jz	short loc_A0DB18
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ecx, [esi+24h]
		lea	eax, [esi+14h]
		push	eax		; Source1
		lea	eax, [esi+0Ch]
		push	eax		; int
		push	ecx		; int
		lea	ecx, [ebx+2Ch]
		call	_ExpCovIsModulePresent@20 ; ExpCovIsModulePresent(x,x,x,x,x)
		cmp	al, 1
		jnz	short loc_A0DB17
		mov	dl, [esi+8]
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [esi+2Ch]
		mov	ecx, ebx
		push	eax
		push	dword ptr [esi]
		push	dword ptr [esi+4]
		call	_ExpCovQueryLoadedModule@24 ; ExpCovQueryLoadedModule(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A0DB09
		cmp	edi, 0C0000004h
		jnz	short loc_A0DB17

loc_A0DB09:				; CODE XREF: ExpCovQueryInfoCallBack(x,x)+4Fj
		inc	dword ptr [esi+28h]
		test	edi, edi
		jnz	short loc_A0DB15
		mov	eax, [ebp+var_4]
		add	[esi], eax

loc_A0DB15:				; CODE XREF: ExpCovQueryInfoCallBack(x,x)+5Ej
		xor	edi, edi

loc_A0DB17:				; CODE XREF: ExpCovQueryInfoCallBack(x,x)+32j
					; ExpCovQueryInfoCallBack(x,x)+57j
		pop	esi

loc_A0DB18:				; CODE XREF: ExpCovQueryInfoCallBack(x,x)+16j
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn	8
_ExpCovQueryInfoCallBack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCovQueryInformation(x, x, x)
_ExpCovQueryInformation@12 proc	near	; CODE XREF: PAGE:00780DA8p

var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= byte ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
Source1		= dword	ptr -30h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0CCh
		push	offset dword_6AA888
		call	__SEH_prolog4_GS
		mov	edi, edx
		mov	[ebp+var_C0], edi
		mov	[ebp+var_C8], ecx
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_C4], esi
		push	30h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		lea	eax, [ebp+var_94]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_BC], ebx
		mov	[ebp+var_B8], ebx
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_9C], ebx
		push	34h
		pop	eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_90], edi
		cmp	_ExCovMaxPagedPoolToUse, ebx
		jnz	short loc_A0DB96
		mov	eax, 0C0000022h
		jmp	loc_A0E033
; 

loc_A0DB96:				; CODE XREF: ExpCovQueryInformation(x,x,x)+6Aj
		test	esi, esi
		jz	short loc_A0DB9C
		mov	[esi], eax

loc_A0DB9C:				; CODE XREF: ExpCovQueryInformation(x,x,x)+78j
		cmp	edi, eax
		jnb	short loc_A0DBAA
		mov	eax, 0C0000004h
		jmp	loc_A0E033
; 

loc_A0DBAA:				; CODE XREF: ExpCovQueryInformation(x,x,x)+7Ej
		mov	ecx, [ebp+var_C8]
		lea	eax, [ecx+1Ch]
		mov	[ebp+var_98], eax
		and	[ebp+ms_exc.disabled], ebx
		mov	esi, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_A0DBC9
		mov	esi, eax

loc_A0DBC9:				; CODE XREF: ExpCovQueryInformation(x,x,x)+A5j
		push	0Dh
		pop	ecx
		lea	edi, [ebp+var_64]
		rep movsd
		nop
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_64], 1
		setz	[ebp+var_8C]
		lea	eax, [ebp+var_A8]
		push	eax
		lea	eax, [ebp+Source1]
		push	eax
		lea	edx, [ebp+var_BC]
		lea	ecx, [ebp+var_5C]
		call	_ExpCovReadRequestBuffer@16 ; ExpCovReadRequestBuffer(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A0DFF8
		mov	eax, [ebp+var_A8]
		mov	[ebp+var_70], eax
		lea	esi, [ebp+Source1]
		lea	edi, [ebp+var_80]
		movsd
		movsd
		movsd
		movsd
		cmp	[ebp+var_B8], 0
		jz	short loc_A0DC42
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_BC]
		push	eax
		push	1
		call	RtlDuplicateUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_A0DFF8

loc_A0DC42:				; CODE XREF: ExpCovQueryInformation(x,x,x)+101j
		push	72766F43h
		mov	edi, [ebp+var_C0]
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_94], ebx
		test	ebx, ebx
		jnz	short loc_A0DC74
		mov	esi, 0C000009Ah
		jmp	loc_A0DFF8
; 

loc_A0DC74:				; CODE XREF: ExpCovQueryInformation(x,x,x)+148j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	edx, [ebp+var_94]
		mov	ecx, offset _ExpCovQueryInfoCallBack@8 ; ExpCovQueryInfoCallBack(x,x)
		call	MmEnumerateSystemImages
		mov	esi, eax
		test	esi, esi
		jns	short loc_A0DCA9
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_A0DFF8
; 

loc_A0DCA9:				; CODE XREF: ExpCovQueryInformation(x,x,x)+176j
		mov	ecx, [ebp+var_68]
		mov	[ebp+var_B0], ecx
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_A4], eax
		mov	[ebp+var_AC], 18h
		cmp	edi, ecx
		jb	loc_A0DDB6
		mov	eax, [ebp+var_94]
		sub	eax, ebx
		cdq
		idiv	[ebp+var_AC]
		test	eax, eax
		jz	loc_A0DDB2
		mov	edi, ebx
		mov	eax, [ebp+var_A4]
		mov	ecx, [ebp+var_98]

loc_A0DCF2:				; CODE XREF: ExpCovQueryInformation(x,x,x)+262j
		test	eax, eax
		jz	loc_A0DDBB
		mov	eax, [edi+10h]
		add	eax, 18h
		add	eax, ecx
		mov	[ebp+var_A0], eax
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [edi]
		mov	[ecx], eax
		mov	eax, [edi+4]
		mov	[ecx+4], eax
		mov	eax, [edi+10h]
		mov	[ecx+10h], eax
		push	dword ptr [edi+10h] ; size_t
		lea	eax, [edi+14h]
		push	eax		; void *
		lea	eax, [ecx+14h]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ax, [edi+8]
		mov	ecx, [ebp+var_98]
		mov	[ecx+8], ax
		mov	ax, [edi+0Ah]
		mov	[ecx+0Ah], ax
		mov	edx, [ebp+var_A0]
		mov	[ecx+0Ch], edx
		movzx	eax, word ptr [edi+8]
		push	eax		; size_t
		push	dword ptr [edi+0Ch] ; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [edi]
		mov	ecx, [ebp+var_98]
		add	ecx, eax
		mov	[ebp+var_98], ecx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		add	edi, eax
		mov	eax, [ebp+var_6C]
		dec	eax
		mov	[ebp+var_6C], eax
		jmp	loc_A0DCF2
; 

loc_A0DD87:				; DATA XREF: .text:006AA8A8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_CC], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0DD98:				; DATA XREF: .text:006AA8ACo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_CC]

loc_A0DDA1:				; CODE XREF: ExpCovQueryInformation(x,x,x)+44Cj
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_A0DFEB
; 

loc_A0DDB2:				; CODE XREF: ExpCovQueryInformation(x,x,x)+1BEj
		cmp	edi, ecx
		jnb	short loc_A0DDBB

loc_A0DDB6:				; CODE XREF: ExpCovQueryInformation(x,x,x)+1A7j
		mov	esi, 0C0000004h

loc_A0DDBB:				; CODE XREF: ExpCovQueryInformation(x,x,x)+1D4j
					; ExpCovQueryInformation(x,x,x)+294j
		mov	ecx, offset _ExpCovPushLock
		cmp	[ebp+var_64], 1
		jnz	short loc_A0DDCD
		call	@ExfAcquirePushLockExclusive@4 ; ExfAcquirePushLockExclusive(x)
		jmp	short loc_A0DDD2
; 

loc_A0DDCD:				; CODE XREF: ExpCovQueryInformation(x,x,x)+2A4j
		call	@ExfAcquirePushLockShared@4 ; ExfAcquirePushLockShared(x)

loc_A0DDD2:				; CODE XREF: ExpCovQueryInformation(x,x,x)+2ABj
		mov	edi, _ExpCovUnloadedModuleList

loc_A0DDD8:				; CODE XREF: ExpCovQueryInformation(x,x,x)+2D9j
		cmp	edi, offset _ExpCovUnloadedModuleList
		jz	loc_A0DF71
		mov	[ebp+var_D0], edi
		mov	eax, [edi+1Ch]
		mov	[ebp+var_A0], eax
		test	eax, eax
		jnz	short loc_A0DDFB

loc_A0DDF7:				; CODE XREF: ExpCovQueryInformation(x,x,x)+2F8j
					; ExpCovQueryInformation(x,x,x)+360j ...
		mov	edi, [edi]
		jmp	short loc_A0DDD8
; 

loc_A0DDFB:				; CODE XREF: ExpCovQueryInformation(x,x,x)+2D5j
		lea	ecx, [ebp+Source1]
		push	ecx		; Source1
		lea	ecx, [ebp+var_BC]
		push	ecx		; int
		push	[ebp+var_A8]	; int
		lea	ecx, [edi+8]
		mov	edx, eax
		call	_ExpCovIsModulePresent@20 ; ExpCovIsModulePresent(x,x,x,x,x)
		test	al, al
		jz	short loc_A0DDF7
		mov	edx, [edi+18h]
		cmp	[ebp+var_64], 1
		jz	short loc_A0DE2C
		mov	eax, [ebp+var_A0]
		sub	edx, [eax+1Ch]

loc_A0DE2C:				; CODE XREF: ExpCovQueryInformation(x,x,x)+301j
		lea	ecx, [edx+18h]
		mov	ebx, [ebp+var_AC]
		cmp	ecx, ebx
		jb	short loc_A0DE49
		movzx	eax, word ptr [edi+10h]
		add	ecx, eax
		mov	[ebp+var_A0], ecx
		cmp	ecx, ebx
		jnb	short loc_A0DE52

loc_A0DE49:				; CODE XREF: ExpCovQueryInformation(x,x,x)+317j
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_A0], ecx

loc_A0DE52:				; CODE XREF: ExpCovQueryInformation(x,x,x)+327j
		mov	eax, [ebp+var_B0]
		lea	ebx, [ecx+eax]
		mov	[ebp+var_B4], ebx
		cmp	ebx, eax
		mov	ebx, [ebp+var_9C]
		jnb	short loc_A0DE85
		lea	eax, [edi+10h]
		push	eax		; char
		push	offset ??_C@_0DO@OMLOAAAP@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@ ; "COV: Overflow when calculating total re"...
		push	2		; int
		push	7Eh		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	loc_A0DDF7
; 

loc_A0DE85:				; CODE XREF: ExpCovQueryInformation(x,x,x)+349j
		mov	eax, [ebp+var_B4]
		mov	[ebp+var_B0], eax
		cmp	[ebp+var_C0], eax
		jnb	short loc_A0DEAF
		mov	ecx, [ebp+var_C4]
		test	ecx, ecx
		jz	short loc_A0DEA5
		mov	[ecx], eax

loc_A0DEA5:				; CODE XREF: ExpCovQueryInformation(x,x,x)+381j
		mov	esi, 0C0000004h
		jmp	loc_A0DF3D
; 

loc_A0DEAF:				; CODE XREF: ExpCovQueryInformation(x,x,x)+377j
		mov	eax, [ebp+var_98]
		lea	ebx, [eax+18h]
		add	ebx, edx
		mov	[ebp+var_B4], ebx
		mov	[ebp+ms_exc.disabled], 2
		mov	ebx, [ebp+var_9C]
		mov	[eax], ecx
		and	dword ptr [eax+4], 0
		mov	[eax+10h], edx
		push	edx		; size_t
		push	dword ptr [edi+1Ch] ; void *
		add	eax, 14h
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ax, [edi+10h]
		mov	ecx, [ebp+var_98]
		mov	[ecx+8], ax
		mov	ax, [edi+10h]
		mov	[ecx+0Ah], ax
		mov	edx, [ebp+var_B4]
		mov	[ecx+0Ch], edx
		movzx	eax, word ptr [edi+10h]
		push	eax		; size_t
		push	dword ptr [edi+14h] ; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [ebp+var_A0]
		add	[ebp+var_98], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		cmp	[ebp+var_64], 1
		jnz	short loc_A0DF3D
		mov	edi, [edi+4]
		mov	ecx, [ebp+var_D0]
		call	_ExpCovDeleteUnloadedModuleEntry@4 ; ExpCovDeleteUnloadedModuleEntry(x)

loc_A0DF3D:				; CODE XREF: ExpCovQueryInformation(x,x,x)+38Aj
					; ExpCovQueryInformation(x,x,x)+40Dj
		inc	[ebp+var_A4]
		jmp	loc_A0DDF7
; 

loc_A0DF48:				; DATA XREF: .text:006AA8B4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_D4], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0DF59:				; DATA XREF: .text:006AA8B8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_D4]
		mov	ecx, offset _ExpCovPushLock
		call	@ExfReleasePushLock@4 ;	ExfReleasePushLock(x)
		jmp	loc_A0DDA1
; 

loc_A0DF71:				; CODE XREF: ExpCovQueryInformation(x,x,x)+2BEj
		mov	ecx, offset _ExpCovPushLock
		call	@ExfReleasePushLock@4 ;	ExfReleasePushLock(x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		mov	ecx, [ebp+var_C4]
		test	ecx, ecx
		jz	short loc_A0DF99
		mov	eax, [ebp+var_B0]
		mov	[ecx], eax

loc_A0DF99:				; CODE XREF: ExpCovQueryInformation(x,x,x)+46Fj
		mov	[ebp+ms_exc.disabled], 3
		mov	ecx, [ebp+var_C8]
		mov	eax, [ebp+var_A4]
		mov	[ecx+4], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A0DFF8
; 

loc_A0DFB8:				; DATA XREF: .text:006AA8C0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_D8], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0DFC9:				; DATA XREF: .text:006AA8C4o
		mov	esi, [ebp+var_D8]
		jmp	short loc_A0DFE8
; 

loc_A0DFD1:				; DATA XREF: .text:006AA89Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_DC], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0DFE2:				; DATA XREF: .text:006AA8A0o
		mov	esi, [ebp+var_DC]

loc_A0DFE8:				; CODE XREF: ExpCovQueryInformation(x,x,x)+4AFj
		mov	esp, [ebp+ms_exc.old_esp]

loc_A0DFEB:				; CODE XREF: ExpCovQueryInformation(x,x,x)+28Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_9C]

loc_A0DFF8:				; CODE XREF: ExpCovQueryInformation(x,x,x)+E1j
					; ExpCovQueryInformation(x,x,x)+11Cj ...
		cmp	[ebp+var_B8], 0
		jz	short loc_A0E00D
		lea	eax, [ebp+var_BC]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_A0E00D:				; CODE XREF: ExpCovQueryInformation(x,x,x)+4DFj
		cmp	[ebp+var_84], 0
		jz	short loc_A0E022
		lea	eax, [ebp+var_88]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_A0E022:				; CODE XREF: ExpCovQueryInformation(x,x,x)+4F4j
		test	ebx, ebx
		jz	short loc_A0E031
		push	72766F43h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0E031:				; CODE XREF: ExpCovQueryInformation(x,x,x)+504j
		mov	eax, esi

loc_A0E033:				; CODE XREF: ExpCovQueryInformation(x,x,x)+71j
					; ExpCovQueryInformation(x,x,x)+85j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ExpCovQueryInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCovQueryLoadedModule(x, x, x, x,	x, x)
_ExpCovQueryLoadedModule@24 proc near	; CODE XREF: ExpCovQueryInfoCallBack(x,x)+46p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_10], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], dl
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_8], edi
		push	ecx
		mov	[ebp+var_14], eax
		mov	esi, [edi+48h]
		lea	edx, [edi+24h]
		mov	ecx, esi
		mov	[ebp+var_C], esi
		call	_ExpCovReadFriendlyName@12 ; ExpCovReadFriendlyName(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A0E158
		cmp	[ebp+var_1], 0
		mov	edi, [edi+44h]
		jnz	short loc_A0E08B
		sub	edi, [esi+1Ch]

loc_A0E08B:				; CODE XREF: ExpCovQueryLoadedModule(x,x,x,x,x,x)+41j
		lea	ecx, [edi+18h]
		cmp	ecx, 18h
		jb	short loc_A0E09E
		movzx	eax, word ptr [ebp+var_14]
		add	ecx, eax
		cmp	ecx, 18h
		jnb	short loc_A0E0A1

loc_A0E09E:				; CODE XREF: ExpCovQueryLoadedModule(x,x,x,x,x,x)+4Cj
		or	ecx, 0FFFFFFFFh

loc_A0E0A1:				; CODE XREF: ExpCovQueryLoadedModule(x,x,x,x,x,x)+57j
		mov	eax, [ebp+arg_C]
		mov	[eax], ecx
		cmp	ecx, 0FFFFFFFFh
		jnz	short loc_A0E0CD
		mov	eax, [ebp+var_8]
		add	eax, 24h
		push	eax		; char
		push	offset ??_C@_0EH@MPAFNILB@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@ ; "COV: Overflow when calculating Required"...

loc_A0E0B7:				; CODE XREF: ExpCovQueryLoadedModule(x,x,x,x,x,x)+A0j
		push	2		; int
		push	7Eh		; int
		call	_DbgPrintEx
		add	esp, 10h
		mov	ebx, 0C0000095h
		jmp	loc_A0E158
; 

loc_A0E0CD:				; CODE XREF: ExpCovQueryLoadedModule(x,x,x,x,x,x)+64j
		mov	esi, [ebp+arg_8]
		mov	eax, [esi]
		lea	edx, [eax+ecx]
		cmp	edx, eax
		jnb	short loc_A0E0E7
		mov	eax, [ebp+var_8]
		add	eax, 24h
		push	eax
		push	offset ??_C@_0DO@OMLOAAAP@COV?3?5Overflow?5when?5calculating?5@NNGAKEGL@ ; "COV: Overflow when calculating total re"...
		jmp	short loc_A0E0B7
; 

loc_A0E0E7:				; CODE XREF: ExpCovQueryLoadedModule(x,x,x,x,x,x)+92j
		mov	[esi], edx
		cmp	[ebp+arg_0], edx
		jnb	short loc_A0E0F5
		mov	ebx, 0C0000004h
		jmp	short loc_A0E158
; 

loc_A0E0F5:				; CODE XREF: ExpCovQueryLoadedModule(x,x,x,x,x,x)+A7j
		mov	esi, [ebp+arg_4]
		push	edi		; size_t
		mov	[esi], ecx
		lea	eax, [esi+14h]
		mov	ecx, [ebp+var_8]
		mov	dword ptr [esi+4], 1
		mov	[esi+10h], edi
		push	dword ptr [ecx+48h] ; void *
		push	eax		; void *
		call	_memcpy
		mov	ax, word ptr [ebp+var_14+2]
		lea	ecx, [esi+18h]
		mov	dx, word ptr [ebp+var_14]
		add	ecx, edi
		mov	[esi+0Ah], ax
		movzx	eax, dx
		push	eax		; size_t
		push	[ebp+var_10]	; void *
		mov	[esi+8], dx
		push	ecx		; void *
		mov	[esi+0Ch], ecx
		call	_memcpy
		add	esp, 18h
		cmp	[ebp+var_1], 0
		jz	short loc_A0E158
		mov	ecx, [ebp+var_C]
		push	dword ptr [ecx+1Ch] ; size_t
		mov	eax, [ecx+20h]
		add	eax, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_A0E158:				; CODE XREF: ExpCovQueryLoadedModule(x,x,x,x,x,x)+34j
					; ExpCovQueryLoadedModule(x,x,x,x,x,x)+83j ...
		cmp	[ebp+var_10], 0
		jz	short loc_A0E167
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_A0E167:				; CODE XREF: ExpCovQueryLoadedModule(x,x,x,x,x,x)+117j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
_ExpCovQueryLoadedModule@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCovReadFriendlyName(x, x, x)
_ExpCovReadFriendlyName@12 proc	near	; CODE XREF: MiUnloadSystemImage+14B5ACp
					; MiUnloadSystemImage+14B756p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+24h]
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		mov	edx, [eax+ecx]
		cmp	edx, 50000h
		jz	short loc_A0E1B0
		push	esi
		push	edx		; char
		push	(offset	loc_8C1AD1+1) ;	char *
		push	2		; int
		push	7Eh		; int
		call	_DbgPrintEx
		add	esp, 14h
		push	[ebp+arg_0]
		push	esi
		push	1
		call	RtlDuplicateUnicodeString
		jmp	short loc_A0E1D2
; 

loc_A0E1B0:				; CODE XREF: ExpCovReadFriendlyName(x,x,x)+1Ej
		mov	eax, [eax+ecx+0Ch]
		add	eax, ecx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitAnsiStringEx@8 ; RtlInitAnsiStringEx(x,x)
		test	eax, eax
		js	short loc_A0E1D2
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_0]
		call	RtlAnsiStringToUnicodeString

loc_A0E1D2:				; CODE XREF: ExpCovReadFriendlyName(x,x,x)+3Ej
					; ExpCovReadFriendlyName(x,x,x)+52j
		pop	esi
		leave
		retn	4
_ExpCovReadFriendlyName@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCovReadRequestBuffer(x, x, x, x)
_ExpCovReadRequestBuffer@16 proc near	; CODE XREF: ExpCovQueryInformation(x,x,x)+D8p
					; ExpCovResetInformation(x,x)+77p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	1Ch
		push	offset dword_6AA860
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		xor	edx, edx
		mov	ebx, edx
		mov	esi, [ecx]
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		sub	esi, edx
		jz	loc_A0E2FB
		sub	esi, 1
		jz	loc_A0E2F1
		sub	esi, 1
		jnz	loc_A0E2EA
		mov	eax, [ecx+4]
		mov	[ebp+var_2C], eax
		mov	ebx, [ecx+8]
		mov	[ebp+var_28], ebx
		test	ax, ax
		jz	loc_A0E2EA
		test	al, 1
		jnz	loc_A0E2EA
		mov	[ebp+ms_exc.disabled], edx
		test	bl, 1
		jz	short loc_A0E235
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A0E235:				; CODE XREF: ExpCovReadRequestBuffer(x,x,x,x)+57j
		movzx	edi, ax
		lea	ecx, [edi+ebx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_A0E248
		cmp	ecx, ebx
		jnb	short loc_A0E24A

loc_A0E248:				; CODE XREF: ExpCovReadRequestBuffer(x,x,x,x)+6Bj
		mov	[eax], dl

loc_A0E24A:				; CODE XREF: ExpCovReadRequestBuffer(x,x,x,x)+6Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	72766F43h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	esi, esi
		jz	short loc_A0E2C6
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 1
		push	edi		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	[ebp+var_1C]
		lea	eax, [ebp+var_2C]
		push	eax
		push	1
		call	RtlDuplicateUnicodeString
		mov	ebx, eax
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A0E2FB
; 

loc_A0E2A6:				; DATA XREF: .text:006AA880o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0E2B4:				; DATA XREF: .text:006AA884o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_20]
		push	0
		push	[ebp+var_28]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A0E2E1
; 

loc_A0E2C6:				; CODE XREF: ExpCovReadRequestBuffer(x,x,x,x)+8Ej
		mov	ebx, 0C000009Ah
		jmp	short loc_A0E2FB
; 

loc_A0E2CD:				; DATA XREF: .text:006AA874o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0E2DB:				; DATA XREF: .text:006AA878o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_24]

loc_A0E2E1:				; CODE XREF: ExpCovReadRequestBuffer(x,x,x,x)+EDj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A0E2FB
; 

loc_A0E2EA:				; CODE XREF: ExpCovReadRequestBuffer(x,x,x,x)+2Ej
					; ExpCovReadRequestBuffer(x,x,x,x)+43j	...
		mov	ebx, 0C000000Dh
		jmp	short loc_A0E2FB
; 

loc_A0E2F1:				; CODE XREF: ExpCovReadRequestBuffer(x,x,x,x)+25j
		lea	esi, [ecx+4]
		mov	edi, [ebp+arg_0]
		movsd
		movsd
		movsd
		movsd

loc_A0E2FB:				; CODE XREF: ExpCovReadRequestBuffer(x,x,x,x)+1Cj
					; ExpCovReadRequestBuffer(x,x,x,x)+CDj	...
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_ExpCovReadRequestBuffer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCovResetInfoCallBack(x, x)
_ExpCovResetInfoCallBack@8 proc	near	; DATA XREF: ExpCovResetInformation(x,x)+C6o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_0]
		mov	edx, [edi+48h]
		test	edx, edx
		jz	short loc_A0E352
		mov	ecx, [ebp+arg_4]
		push	esi
		mov	esi, [ecx+24h]
		lea	eax, [ecx+14h]
		push	eax		; Source1
		lea	eax, [ecx+0Ch]
		push	eax		; int
		push	esi		; int
		lea	ecx, [edi+2Ch]
		call	_ExpCovIsModulePresent@20 ; ExpCovIsModulePresent(x,x,x,x,x)
		pop	esi
		cmp	al, 1
		jnz	short loc_A0E352
		mov	ecx, [edi+48h]
		push	dword ptr [ecx+1Ch] ; size_t
		mov	eax, [ecx+20h]
		add	eax, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_A0E352:				; CODE XREF: ExpCovResetInfoCallBack(x,x)+Ej
					; ExpCovResetInfoCallBack(x,x)+2Bj
		xor	eax, eax
		pop	edi
		pop	ebp
		retn	8
_ExpCovResetInfoCallBack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCovResetInformation(x, x)
_ExpCovResetInformation@8 proc near	; CODE XREF: PAGE:007B4205p

var_80		= dword	ptr -80h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_38		= dword	ptr -38h
Source1		= dword	ptr -2Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	70h
		push	offset dword_6AA8C8
		call	__SEH_prolog4_GS
		mov	edi, edx
		mov	esi, ecx
		push	30h		; size_t
		xor	ebx, ebx
		push	ebx		; int
		lea	eax, [ebp+var_5C]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		cmp	_ExCovMaxPagedPoolToUse, ebx
		jnz	short loc_A0E395
		mov	eax, 0C0000022h
		jmp	loc_A0E4CA
; 

loc_A0E395:				; CODE XREF: ExpCovResetInformation(x,x)+30j
		cmp	edi, 14h
		jnb	short loc_A0E3A4
		mov	eax, 0C0000004h
		jmp	loc_A0E4CA
; 

loc_A0E3A4:				; CODE XREF: ExpCovResetInformation(x,x)+3Fj
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		jb	short loc_A0E3B2
		mov	esi, eax

loc_A0E3B2:				; CODE XREF: ExpCovResetInformation(x,x)+55j
		push	5
		pop	ecx
		lea	edi, [ebp+var_80]
		rep movsd
		nop
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+Source1]
		push	eax
		lea	edx, [ebp+var_68]
		lea	ecx, [ebp+var_80]
		call	_ExpCovReadRequestBuffer@16 ; ExpCovReadRequestBuffer(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A0E4AA
		mov	eax, [ebp+var_60]
		mov	[ebp+var_38], eax
		lea	esi, [ebp+Source1]
		lea	edi, [ebp+var_48]
		movsd
		movsd
		movsd
		movsd
		cmp	[ebp+var_64], 0
		jz	short loc_A0E40E
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		push	1
		call	RtlDuplicateUnicodeString
		mov	edi, eax
		test	edi, edi
		js	loc_A0E4AA

loc_A0E40E:				; CODE XREF: ExpCovResetInformation(x,x)+9Aj
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		lea	edx, [ebp+var_5C]
		mov	ecx, offset _ExpCovResetInfoCallBack@8 ; ExpCovResetInfoCallBack(x,x)
		call	MmEnumerateSystemImages
		mov	edi, eax
		test	edi, edi
		jns	short loc_A0E43D

loc_A0E42F:				; CODE XREF: ExpCovResetInformation(x,x)+134j
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	short loc_A0E4AA
; 

loc_A0E43D:				; CODE XREF: ExpCovResetInformation(x,x)+D4j
		mov	ecx, offset _ExpCovPushLock
		call	@ExfAcquirePushLockExclusive@4 ; ExfAcquirePushLockExclusive(x)
		mov	esi, _ExpCovUnloadedModuleList
		jmp	short loc_A0E47B
; 

loc_A0E44F:				; CODE XREF: ExpCovResetInformation(x,x)+128j
		mov	ebx, esi
		mov	edx, [esi+1Ch]
		test	edx, edx
		jz	short loc_A0E479
		lea	eax, [ebp+Source1]
		push	eax		; Source1
		lea	eax, [ebp+var_68]
		push	eax		; int
		push	[ebp+var_60]	; int
		lea	ecx, [esi+8]
		call	_ExpCovIsModulePresent@20 ; ExpCovIsModulePresent(x,x,x,x,x)
		cmp	al, 1
		jnz	short loc_A0E479
		mov	esi, [esi+4]
		mov	ecx, ebx
		call	_ExpCovDeleteUnloadedModuleEntry@4 ; ExpCovDeleteUnloadedModuleEntry(x)

loc_A0E479:				; CODE XREF: ExpCovResetInformation(x,x)+FDj
					; ExpCovResetInformation(x,x)+114j
		mov	esi, [esi]

loc_A0E47B:				; CODE XREF: ExpCovResetInformation(x,x)+F4j
		cmp	esi, offset _ExpCovUnloadedModuleList
		jnz	short loc_A0E44F
		mov	ecx, offset _ExpCovPushLock
		call	@ExfReleasePushLock@4 ;	ExfReleasePushLock(x)
		jmp	short loc_A0E42F
; 

loc_A0E48F:				; DATA XREF: .text:006AA8DCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_6C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0E49D:				; DATA XREF: .text:006AA8E0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_6C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A0E4AA:				; CODE XREF: ExpCovResetInformation(x,x)+80j
					; ExpCovResetInformation(x,x)+AFj ...
		cmp	[ebp+var_64], 0
		jz	short loc_A0E4B9
		lea	eax, [ebp+var_68]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_A0E4B9:				; CODE XREF: ExpCovResetInformation(x,x)+155j
		cmp	[ebp+var_4C], 0
		jz	short loc_A0E4C8
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_A0E4C8:				; CODE XREF: ExpCovResetInformation(x,x)+164j
		mov	eax, edi

loc_A0E4CA:				; CODE XREF: ExpCovResetInformation(x,x)+37j
					; ExpCovResetInformation(x,x)+46j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpCovResetInformation@8 endp


;  S U B	R O U T	I N E 


; __stdcall NtOpenEventPair(x, x, x)
_NtOpenEventPair@12 proc near		; DATA XREF: .text:00580F58o
					; .text:00581168o
		mov	eax, 0C0000002h
		retn	0Ch
_NtOpenEventPair@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtOpenKeyedEvent(x,	x, x)
_NtOpenKeyedEvent@12 proc near		; DATA XREF: .text:00580F44o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	18h
		push	offset dword_6AA928
		call	__SEH_prolog4
		xor	edi, edi
		mov	[ebp+var_1C], edi
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_20], al
		mov	[ebp+ms_exc.disabled], edi
		test	al, al
		jz	short loc_A0E525
		mov	ebx, [ebp+arg_0]
		test	bl, 3
		jz	short loc_A0E516
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A0E516:				; CODE XREF: NtOpenKeyedEvent(x,x,x)+2Dj
		mov	eax, ds:_MmUserProbeAddress
		cmp	[ebp+arg_0], eax
		jb	short loc_A0E522
		mov	ebx, eax

loc_A0E522:				; CODE XREF: NtOpenKeyedEvent(x,x,x)+3Cj
		nop
		mov	al, [ebx]

loc_A0E525:				; CODE XREF: NtOpenKeyedEvent(x,x,x)+25j
		mov	ebx, [ebp+arg_0]
		mov	[ebx], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, ds:_ExpKeyedEventObjectType
		lea	eax, [ebp+var_1C]
		push	eax
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		push	eax
		push	edi
		push	[ebp+arg_4]
		push	edi
		push	[ebp+var_20]
		push	esi
		push	[ebp+arg_8]
		call	ObOpenObjectByNameEx
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_A0E583
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_1C]
		mov	[ebx], eax
		jmp	short loc_A0E57C
; 

loc_A0E566:				; DATA XREF: .text:006AA948o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0E576:				; DATA XREF: .text:006AA94Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ecx, [ebp+var_24]

loc_A0E57C:				; CODE XREF: NtOpenKeyedEvent(x,x,x)+82j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A0E583:				; CODE XREF: NtOpenKeyedEvent(x,x,x)+74j
		mov	eax, ecx
		jmp	short loc_A0E5A4
; 

loc_A0E587:				; DATA XREF: .text:006AA93Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0E597:				; DATA XREF: .text:006AA940o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_28]

loc_A0E5A4:				; CODE XREF: NtOpenKeyedEvent(x,x,x)+A3j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_NtOpenKeyedEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtReleaseKeyedEvent(x, x, x, x)
_NtReleaseKeyedEvent@16	proc near	; DATA XREF: .text:00580D94o

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	2Ch
		push	offset dword_6AA908
		call	__SEH_prolog4
		xor	edx, edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_28], edx
		test	byte ptr [ebp+arg_4], 1
		jz	short loc_A0E5ED
		mov	eax, 0C00000EFh

loc_A0E5DB:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+AEj
					; NtReleaseKeyedEvent(x,x,x,x)+D9j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_A0E5ED:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+1Ej
		mov	esi, large fs:124h
		mov	al, [esi+15Ah]
		mov	byte ptr [ebp+var_24], al
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jz	short loc_A0E636
		mov	[ebp+ms_exc.disabled], edx
		test	al, al
		jz	short loc_A0E61E
		lea	eax, [ebx+8]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_A0E61C
		cmp	eax, ebx
		jnb	short loc_A0E61E

loc_A0E61C:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+60j
		mov	[ecx], dl

loc_A0E61E:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+53j
					; NtReleaseKeyedEvent(x,x,x,x)+64j
		mov	eax, [ebx]
		mov	[ebp+var_3C], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_38], eax
		lea	ebx, [ebp+var_3C]
		mov	[ebp+arg_C], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A0E636:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+4Cj
		cmp	[ebp+arg_0], 0
		jnz	short loc_A0E669
		mov	ecx, _ExpCritSecOutOfMemoryEvent
		mov	[ebp+var_2C], ecx
		jmp	short loc_A0E697
; 

loc_A0E647:				; DATA XREF: .text:006AA91Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0E657:				; DATA XREF: .text:006AA920o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_30]
		jmp	loc_A0E5DB
; 

loc_A0E669:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+84j
		mov	eax, ds:_ExpKeyedEventObjectType
		mov	[ebp+var_20], edx
		push	edx
		lea	ecx, [ebp+var_20]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	2
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+var_1C], eax
		mov	ecx, [ebp+var_20]
		mov	[ebp+var_2C], ecx
		test	eax, eax
		js	loc_A0E5DB
		xor	edx, edx

loc_A0E697:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+8Fj
		or	dword ptr [esi+300h], 20h
		mov	eax, [esi+80h]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_4]
		shr	eax, 5
		and	eax, 3Fh
		imul	edi, eax, 0Ch
		add	edi, ecx
		dec	word ptr [esi+13Ch]
		nop
		push	edx
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	[ebp+var_20], eax
		lock bts dword ptr [edi], 0
		jnb	short loc_A0E6DE
		push	edi
		mov	edx, eax
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_20]

loc_A0E6DE:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+119j
		test	eax, eax
		jz	short loc_A0E6E6
		or	byte ptr [eax+0Eh], 1

loc_A0E6E6:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+12Aj
		lea	edx, [edi+4]
		mov	eax, [edx]
		jmp	short loc_A0E714
; 

loc_A0E6ED:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+160j
		lea	ecx, [eax-288h]
		mov	[ebp+var_20], ecx
		mov	edx, [ebp+arg_4]
		cmp	[ecx+29Ch], edx
		lea	edx, [edi+4]
		jnz	short loc_A0E712
		mov	edx, [ebp+var_34]
		cmp	[ecx+150h], edx
		lea	edx, [edi+4]
		jz	short loc_A0E78C

loc_A0E712:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+14Cj
		mov	eax, [eax]

loc_A0E714:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+135j
		cmp	eax, edx
		jnz	short loc_A0E6ED
		mov	eax, [esi+29Ch]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_4]
		or	eax, 1
		mov	[esi+29Ch], eax
		lea	eax, [esi+288h]
		mov	ecx, [edx]
		cmp	[ecx+4], edx
		jnz	loc_A0E88E
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[ecx+4], eax
		mov	[edx], eax
		and	[ebp+var_20], 0

loc_A0E74C:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+1F6j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A0E760
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A0E760:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+1A1j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_A0E7AE
		push	0
		xor	ecx, ecx
		inc	ecx
		push	ecx
		push	ecx
		add	eax, 2B4h
		push	eax
		call	KeReleaseSemaphore
		mov	ecx, esi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		jmp	loc_A0E871
; 

loc_A0E78C:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+15Aj
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_A0E88E
		cmp	[ecx], eax
		jnz	loc_A0E88E
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		jmp	short loc_A0E74C
; 

loc_A0E7AE:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+1B6j
		mov	ecx, esi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		lea	eax, [esi+2B4h]
		push	ebx
		push	[ebp+arg_8]
		push	[ebp+var_24]
		push	15h
		push	eax
		call	KeWaitForSingleObject
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_A0E868
		dec	word ptr [esi+13Ch]
		nop
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	ebx, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_A0E7FB
		push	edi
		mov	edx, ebx
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_A0E7FB:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+239j
		test	ebx, ebx
		jz	short loc_A0E803
		or	byte ptr [ebx+0Eh], 1

loc_A0E803:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+247j
		lea	eax, [esi+288h]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_A0E829
		mov	edx, [eax+4]
		cmp	[ecx+4], eax
		jnz	short loc_A0E88E
		cmp	[edx], eax
		jnz	short loc_A0E88E
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	[eax+4], eax
		mov	[eax], eax
		xor	bl, bl
		jmp	short loc_A0E82C
; 

loc_A0E829:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+257j
		xor	ebx, ebx
		inc	ebx

loc_A0E82C:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+271j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A0E840
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A0E840:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+281j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
		test	bl, bl
		jz	short loc_A0E868
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	15h
		lea	eax, [esi+2B4h]
		push	eax
		call	KeWaitForSingleObject
		mov	[ebp+var_1C], eax

loc_A0E868:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+219j
					; NtReleaseKeyedEvent(x,x,x,x)+29Aj
		mov	eax, [ebp+var_28]
		mov	[esi+29Ch], eax

loc_A0E871:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+1D1j
		and	dword ptr [esi+300h], 0FFFFFFDFh
		cmp	[ebp+arg_0], 0
		jz	short loc_A0E886
		mov	ecx, [ebp+var_2C]
		call	ObfDereferenceObject

loc_A0E886:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+2C6j
		mov	eax, [ebp+var_1C]
		jmp	loc_A0E5DB
; 

loc_A0E88E:				; CODE XREF: NtReleaseKeyedEvent(x,x,x,x)+182j
					; NtReleaseKeyedEvent(x,x,x,x)+1DEj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_NtReleaseKeyedEvent@16	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtWaitForKeyedEvent(x, x, x, x)
_NtWaitForKeyedEvent@16	proc near	; DATA XREF: .text:00580BBCo

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	30h
		push	offset dword_6AA8E8
		call	__SEH_prolog4
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_28], eax
		xor	ecx, ecx
		inc	ecx
		mov	edx, [ebp+arg_4]
		test	dl, cl
		jz	short loc_A0E8CE
		mov	eax, 0C00000EFh

loc_A0E8BC:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+B4j
					; NtWaitForKeyedEvent(x,x,x,x)+E0j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_A0E8CE:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+22j
		mov	esi, large fs:124h
		mov	al, [esi+15Ah]
		mov	byte ptr [ebp+var_24], al
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jz	short loc_A0E919
		and	[ebp+ms_exc.disabled], 0
		test	al, al
		jz	short loc_A0E901
		lea	eax, [ebx+8]
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		ja	short loc_A0E8FE
		cmp	eax, ebx
		jnb	short loc_A0E901

loc_A0E8FE:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+65j
		mov	byte ptr [edx],	0

loc_A0E901:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+58j
					; NtWaitForKeyedEvent(x,x,x,x)+69j
		mov	eax, [ebx]
		mov	[ebp+var_40], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_3C], eax
		lea	ebx, [ebp+var_40]
		mov	[ebp+arg_C], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A0E919:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+50j
		cmp	[ebp+arg_0], 0
		jnz	short loc_A0E94C
		mov	ecx, _ExpCritSecOutOfMemoryEvent
		mov	[ebp+var_2C], ecx
		jmp	short loc_A0E979
; 

loc_A0E92A:				; DATA XREF: .text:006AA8FCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0E93A:				; DATA XREF: .text:006AA900o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_30]
		jmp	loc_A0E8BC
; 

loc_A0E94C:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+8Aj
		mov	eax, ds:_ExpKeyedEventObjectType
		and	[ebp+var_20], 0
		push	0
		lea	edx, [ebp+var_20]
		push	edx
		push	[ebp+var_24]
		push	eax
		push	ecx
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	[ebp+var_1C], eax
		mov	ecx, [ebp+var_20]
		mov	[ebp+var_2C], ecx
		test	eax, eax
		js	loc_A0E8BC

loc_A0E979:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+95j
		or	dword ptr [esi+300h], 20h
		mov	eax, [esi+80h]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+arg_4]
		shr	eax, 5
		and	eax, 3Fh
		imul	edi, eax, 0Ch
		add	edi, ecx
		dec	word ptr [esi+13Ch]
		nop
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	[ebp+var_20], eax
		lock bts dword ptr [edi], 0
		jnb	short loc_A0E9C1
		push	edi
		mov	edx, eax
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+var_20]

loc_A0E9C1:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+11Fj
		xor	edx, edx
		inc	edx
		test	eax, eax
		jz	short loc_A0E9CB
		or	[eax+0Eh], dl

loc_A0E9CB:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+133j
		lea	eax, [edi+4]
		mov	ecx, [eax]
		jmp	short loc_A0EA06
; 

loc_A0E9D2:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+175j
		lea	eax, [ecx-288h]
		mov	[ebp+var_20], eax
		mov	eax, [ecx+14h]
		mov	[ebp+var_34], eax
		test	al, dl
		lea	eax, [edi+4]
		jz	short loc_A0EA0A
		mov	eax, [ebp+arg_4]
		or	eax, edx
		cmp	[ebp+var_34], eax
		jnz	short loc_A0EA01
		mov	eax, [ebp+var_38]
		cmp	[ecx-138h], eax
		jz	loc_A0EB2F

loc_A0EA01:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+15Dj
		mov	ecx, [ecx]
		lea	eax, [edi+4]

loc_A0EA06:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+13Dj
		cmp	ecx, eax
		jnz	short loc_A0E9D2

loc_A0EA0A:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+153j
		mov	ecx, [esi+29Ch]
		mov	[ebp+var_28], ecx
		mov	edx, [ebp+arg_4]
		mov	[esi+29Ch], edx
		lea	ecx, [esi+288h]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	loc_A0EB82
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	[eax+4], ecx
		and	[ebp+var_20], 0

loc_A0EA3B:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+2B4j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A0EA4F
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A0EA4F:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+1B3j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	loc_A0EB4C
		mov	ecx, esi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		lea	eax, [esi+2B4h]
		push	ebx
		push	[ebp+arg_8]
		push	[ebp+var_24]
		push	15h
		push	eax
		call	KeWaitForSingleObject
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_A0EB24
		dec	word ptr [esi+13Ch]
		nop
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	[ebp+arg_4], eax
		lock bts dword ptr [edi], 0
		jnb	short loc_A0EAB2
		push	edi
		mov	edx, eax
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+arg_4]

loc_A0EAB2:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+210j
		xor	ebx, ebx
		inc	ebx
		test	eax, eax
		jz	short loc_A0EABC
		or	[eax+0Eh], bl

loc_A0EABC:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+224j
		lea	eax, [esi+288h]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_A0EAE8
		mov	edx, [eax+4]
		cmp	[ecx+4], eax
		jnz	loc_A0EB82
		cmp	[edx], eax
		jnz	loc_A0EB82
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	[eax+4], eax
		mov	[eax], eax
		xor	bl, bl

loc_A0EAE8:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+233j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A0EAFC
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A0EAFC:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+260j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, esi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	bl, bl
		jz	short loc_A0EB24
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	15h
		lea	eax, [esi+2B4h]
		push	eax
		call	KeWaitForSingleObject
		mov	[ebp+var_1C], eax

loc_A0EB24:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+1EFj
					; NtWaitForKeyedEvent(x,x,x,x)+279j
		mov	eax, [ebp+var_28]
		mov	[esi+29Ch], eax
		jmp	short loc_A0EB65
; 

loc_A0EB2F:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+168j
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jnz	short loc_A0EB82
		cmp	[eax], ecx
		jnz	short loc_A0EB82
		mov	[eax], edx
		mov	[edx+4], eax
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		jmp	loc_A0EA3B
; 

loc_A0EB4C:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+1C8j
		push	0
		xor	ebx, ebx
		inc	ebx
		push	ebx
		push	ebx
		add	eax, 2B4h
		push	eax
		call	KeReleaseSemaphore
		mov	ecx, esi
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_A0EB65:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+29Aj
		and	dword ptr [esi+300h], 0FFFFFFDFh
		cmp	[ebp+arg_0], 0
		jz	short loc_A0EB7A
		mov	ecx, [ebp+var_2C]
		call	ObfDereferenceObject

loc_A0EB7A:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+2DDj
		mov	eax, [ebp+var_1C]
		jmp	loc_A0E8BC
; 

loc_A0EB82:				; CODE XREF: NtWaitForKeyedEvent(x,x,x,x)+194j
					; NtWaitForKeyedEvent(x,x,x,x)+23Bj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_NtWaitForKeyedEvent@16	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpKdPullRemoteFileForUser(x)
_ExpKdPullRemoteFileForUser@4 proc near	; CODE XREF: NtSystemDebugControl+83120p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= byte ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
ms_exc		= CPPEH_RECORD ptr -18h

		push	58h
		push	offset dword_6AA950
		call	__SEH_prolog4_GS
		xor	ebx, ebx
		mov	dword ptr [ebp+var_50],	ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_58], ebx
		mov	[ebp+var_54], ebx
		mov	eax, large fs:124h
		mov	dl, [eax+15Ah]
		mov	[ebp+ms_exc.disabled], ebx
		mov	ebx, [ecx]
		mov	[ebp+var_60], ebx
		mov	eax, [ecx+4]
		mov	[ebp+var_40], eax
		mov	[ebp+var_5C], eax
		cmp	dl, 1
		jnz	short loc_A0EBE0
		test	al, dl
		jz	short loc_A0EBCC
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A0EBCC:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+3Ej
		lea	edx, [eax+2]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_A0EBDD
		cmp	edx, eax
		jnb	short loc_A0EBE0

loc_A0EBDD:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+50j
		mov	byte ptr [ecx],	0

loc_A0EBE0:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+3Aj
					; ExpKdPullRemoteFileForUser(x)+54j
		test	bx, bx
		jz	loc_A0EFD7
		test	bl, 1
		jnz	loc_A0EFD7
		test	byte ptr [ebp+var_60+2], 1
		jnz	loc_A0EFD7
		cmp	word ptr [ebp+var_60+2], bx
		jb	loc_A0EFD7
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		movzx	esi, bx
		push	46644B55h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4C], eax
		test	eax, eax
		jnz	short loc_A0EC30
		mov	eax, 0C000009Ah
		jmp	loc_A0F002
; 

loc_A0EC30:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+9Dj
		mov	word ptr [ebp+var_50], bx
		mov	[ebp-4Eh], bx
		mov	[ebp+ms_exc.disabled], 1
		push	esi		; size_t
		push	[ebp+var_40]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], edi
		push	46644B55h
		movzx	eax, word ptr [ebp+var_50]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_54], eax
		test	eax, eax
		jnz	short loc_A0EC74
		mov	esi, 0C000009Ah
		jmp	loc_A0ED81
; 

loc_A0EC74:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+E1j
		mov	ax, word ptr [ebp+var_50]
		mov	word ptr [ebp+var_58], ax
		mov	ax, [ebp-4Eh]
		mov	word ptr [ebp+var_58+2], ax
		xor	ebx, ebx
		push	ebx
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		call	RtlDowncaseUnicodeString
		lea	eax, [ebp+var_3C]
		push	eax
		movzx	edx, word ptr [ebp+var_58]
		mov	ecx, [ebp+var_54]
		call	_KeComputeSha256@12 ; KeComputeSha256(x,x,x)
		push	ebx
		push	[ebp+var_54]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	_ExpSysDbgPulledFileTable, ebx
		jz	loc_A0ED97
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ebx
		xor	edx, edx
		mov	ebx, offset _ExpSysDbgLock
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	esi, eax
		push	11h
		pop	ecx
		xor	eax, eax
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jz	short loc_A0ECEF
		push	ebx
		mov	edx, esi
		mov	ecx, ebx
		call	ExfAcquirePushLockSharedEx

loc_A0ECEF:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+15Cj
		test	esi, esi
		jz	short loc_A0ECF7
		or	byte ptr [esi+0Eh], 1

loc_A0ECF7:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+16Aj
		xor	edi, edi
		mov	[ebp+var_44], edi
		mov	eax, _ExpSysDbgPulledFileTable
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	short loc_A0ED50
		xor	ecx, ecx
		mov	[ebp+var_48], ecx
		mov	esi, [eax]
		sub	esi, 1
		js	short loc_A0ED50

loc_A0ED14:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+1C4j
		lea	edi, [ecx+esi]
		sar	edi, 1
		push	8		; size_t
		lea	eax, [eax+edi*8]
		add	eax, 8
		push	eax		; void *
		lea	eax, [ebp+var_3C]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jns	short loc_A0ED3E
		test	edi, edi
		jz	short loc_A0ED4D
		lea	esi, [edi-1]
		mov	ecx, [ebp+var_48]
		jmp	short loc_A0ED46
; 

loc_A0ED3E:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+1A9j
		jle	short loc_A0ED92
		lea	ecx, [edi+1]
		mov	[ebp+var_48], ecx

loc_A0ED46:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+1B5j
		cmp	esi, ecx
		mov	eax, [ebp+var_40]
		jge	short loc_A0ED14

loc_A0ED4D:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+1ADj
		mov	edi, [ebp+var_44]

loc_A0ED50:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+17Fj
					; ExpKdPullRemoteFileForUser(x)+18Bj ...
		xor	ecx, ecx
		push	11h
		pop	eax
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jz	short loc_A0ED65
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A0ED65:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+1D5j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	edi, edi
		jz	short loc_A0ED9C
		mov	esi, 0FFh

loc_A0ED81:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+E8j
					; ExpKdPullRemoteFileForUser(x)+368j
		push	0
		push	[ebp+var_4C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	loc_A0F002
; 

loc_A0ED92:				; CODE XREF: ExpKdPullRemoteFileForUser(x):loc_A0ED3Ej
		xor	edi, edi
		inc	edi
		jmp	short loc_A0ED50
; 

loc_A0ED97:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+12Cj
		mov	ebx, offset _ExpSysDbgLock

loc_A0ED9C:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+1F3j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [ebx], 0
		jnb	short loc_A0EDC8
		push	ebx
		mov	edx, esi
		mov	ecx, ebx
		call	ExfAcquirePushLockExclusiveEx

loc_A0EDC8:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+235j
		test	esi, esi
		jz	short loc_A0EDD0
		or	byte ptr [esi+0Eh], 1

loc_A0EDD0:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+243j
		or	esi, 0FFFFFFFFh
		mov	edi, esi
		mov	eax, _ExpSysDbgPulledFileTable
		test	eax, eax
		jnz	short loc_A0EDEA
		push	66644B55h
		push	4010h
		jmp	short loc_A0EE09
; 

loc_A0EDEA:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+255j
		mov	ecx, [eax]
		cmp	ecx, 1FFFFFFFh
		jge	loc_A0EFA4
		mov	eax, [eax+4]
		cmp	ecx, eax
		jnz	short loc_A0EE12
		push	66644B55h
		inc	eax
		shl	eax, 4
		push	eax

loc_A0EE09:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+261j
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax

loc_A0EE12:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+276j
		test	edi, edi
		jz	loc_A0EFA4
		cmp	edi, esi
		jz	short loc_A0EE5E
		and	dword ptr [edi], 0
		mov	dword ptr [edi+4], 800h
		mov	esi, _ExpSysDbgPulledFileTable
		test	esi, esi
		jz	short loc_A0EE56
		mov	eax, [esi]
		lea	eax, ds:10h[eax*8]
		push	eax		; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [esi+4]
		add	eax, eax
		mov	[edi+4], eax
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0EE56:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+2A9j
		mov	_ExpSysDbgPulledFileTable, edi
		jmp	short loc_A0EE64
; 

loc_A0EE5E:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+295j
		mov	edi, _ExpSysDbgPulledFileTable

loc_A0EE64:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+2D5j
		xor	ebx, ebx
		mov	ecx, [edi]
		mov	[ebp+var_44], ecx
		lea	edx, [ecx-1]
		mov	[ebp+var_48], edx
		mov	esi, edx
		xor	eax, eax
		mov	[ebp+var_40], eax
		test	esi, esi
		js	short loc_A0EEBA

loc_A0EE7C:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+328j
		lea	eax, [ebx+esi]
		sar	eax, 1
		mov	[ebp+var_5C], eax
		push	8		; size_t
		inc	eax
		lea	eax, [edi+eax*8]
		push	eax		; void *
		lea	eax, [ebp+var_3C]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jns	short loc_A0EEA7
		mov	eax, [ebp+var_5C]
		test	eax, eax
		jz	short loc_A0EEB1
		lea	esi, [eax-1]
		jmp	short loc_A0EEAD
; 

loc_A0EEA7:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+312j
		jle	short loc_A0EEF4
		mov	ebx, [ebp+var_5C]
		inc	ebx

loc_A0EEAD:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+31Ej
		cmp	esi, ebx
		jge	short loc_A0EE7C

loc_A0EEB1:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+319j
		mov	eax, [ebp+var_40]

loc_A0EEB4:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+370j
		mov	ecx, [ebp+var_44]
		mov	edx, [ebp+var_48]

loc_A0EEBA:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+2F3j
		test	eax, eax
		jz	short loc_A0EEF9
		mov	esi, 0FFh

loc_A0EEC3:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+3FDj
					; ExpKdPullRemoteFileForUser(x)+418j
		mov	ebx, offset _ExpSysDbgLock

loc_A0EEC8:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+422j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A0EEDC
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A0EEDC:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+34Cj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	loc_A0ED81
; 

loc_A0EEF4:				; CODE XREF: ExpKdPullRemoteFileForUser(x):loc_A0EEA7j
		xor	eax, eax
		inc	eax
		jmp	short loc_A0EEB4
; 

loc_A0EEF9:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+335j
		cmp	esi, ebx
		jge	short loc_A0EF15
		xor	ebx, ebx
		mov	esi, edx
		test	ecx, ecx
		jnz	short loc_A0EF15
		mov	eax, [ebp+var_3C]
		mov	[edi+8], eax
		mov	eax, [ebp+var_38]
		mov	[edi+0Ch], eax
		inc	dword ptr [edi]
		xor	edi, edi

loc_A0EF15:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+374j
					; ExpKdPullRemoteFileForUser(x)+37Cj
		test	edi, edi
		jz	short loc_A0EF76
		test	ebx, ebx
		jns	short loc_A0EF1F
		xor	ebx, ebx

loc_A0EF1F:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+394j
		lea	eax, [esi+1]
		mov	[ebp+var_40], eax
		cmp	ebx, eax
		jge	short loc_A0EF4B
		lea	esi, [ebx+1]
		lea	esi, [edi+esi*8]

loc_A0EF2F:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+3C2j
		push	8		; size_t
		push	esi		; void *
		lea	eax, [ebp+var_3C]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		js	short loc_A0EF4B
		inc	ebx
		add	esi, 8
		cmp	ebx, [ebp+var_40]
		jl	short loc_A0EF2F

loc_A0EF4B:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+3A0j
					; ExpKdPullRemoteFileForUser(x)+3B9j
		lea	esi, [ebx+1]
		lea	esi, [edi+esi*8]
		mov	eax, [edi]
		sub	eax, ebx
		shl	eax, 3
		push	eax		; size_t
		push	esi		; void *
		lea	eax, [ebx+2]
		lea	eax, [edi+eax*8]
		push	eax		; void *
		call	_memmove
		add	esp, 0Ch
		inc	dword ptr [edi]
		mov	eax, [ebp+var_3C]
		mov	[esi], eax
		mov	eax, [ebp+var_38]
		mov	[esi+4], eax

loc_A0EF76:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+390j
		push	ecx
		push	ecx
		lea	ecx, [ebp+var_50]
		call	_KdPullRemoteFile@16 ; KdPullRemoteFile(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A0EEC3
		lea	eax, [ebp+var_50]
		push	eax		; char
		push	offset ??_C@_0DA@CJCIDJGH@ExpKdPullRemoteFileForUser?3?5Pul@NNGAKEGL@ ;	char *
		push	2		; int
		push	66h		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	loc_A0EEC3
; 

loc_A0EFA4:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+26Bj
					; ExpKdPullRemoteFileForUser(x)+28Dj
		mov	esi, 0C000009Ah
		jmp	loc_A0EEC8
; 

loc_A0EFAE:				; DATA XREF: .text:006AA970o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_64], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0EFBE:				; DATA XREF: .text:006AA974o
		mov	esp, [ebp+ms_exc.old_esp]
		push	0
		push	[ebp+var_4C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_64]
		jmp	short loc_A0F002
; 

loc_A0EFD7:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+5Cj
					; ExpKdPullRemoteFileForUser(x)+65j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C000000Dh
		jmp	short loc_A0F002
; 

loc_A0EFE5:				; DATA XREF: .text:006AA964o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_68], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0EFF5:				; DATA XREF: .text:006AA968o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_68]

loc_A0F002:				; CODE XREF: ExpKdPullRemoteFileForUser(x)+A4j
					; ExpKdPullRemoteFileForUser(x)+206j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpKdPullRemoteFileForUser@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpProfileCreate(x,	x, x, x, x, x, x, x, x,	x, x)
_ExpProfileCreate@44 proc near		; CODE XREF: NtCreateProfile(x,x,x,x,x,x,x,x,x)+6Cp
					; NtCreateProfileEx(x,x,x,x,x,x,x,x,x,x)+25p

var_8C		= dword	ptr -8Ch
var_88		= byte ptr -88h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= byte ptr  28h

		push	7Ch
		push	offset dword_6AA9E8
		call	__SEH_prolog4_GS
		mov	[ebp+var_4C], edx
		mov	[ebp+var_40], ecx
		xor	eax, eax
		lea	edi, [ebp+var_64]
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_58]
		stosd
		stosd
		stosd
		xor	edx, edx
		mov	[ebp+var_3C], edx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_7C]
		rep stosd
		mov	[ebp+var_28], edx
		mov	[ebp+var_38], edx
		lea	edi, [ebp+var_8C]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_30], edx
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	loc_A0F3F0
		mov	ebx, [ebp+arg_8]
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_2C], edi
		test	ebx, ebx
		jnz	short loc_A0F0A7
		cmp	edi, 10000h
		jnb	short loc_A0F0A7
		cmp	eax, 4
		jb	loc_A0F3F0
		mov	[ebp+var_30], edi
		mov	edi, edx
		mov	[ebp+var_2C], edi
		mov	esi, edx
		mov	ecx, eax
		shr	ecx, 2
		mov	eax, [ebp+arg_4]
		div	ecx
		dec	eax
		jmp	short loc_A0F097
; 

loc_A0F096:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+87j
		inc	esi

loc_A0F097:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+82j
		shr	eax, 1
		jnz	short loc_A0F096
		movzx	ebx, si
		inc	ebx
		cmp	ebx, 2
		jnb	short loc_A0F0A7
		push	2
		pop	ebx

loc_A0F0A7:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+5Aj
					; ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+62j ...
		lea	eax, [ebx-2]
		cmp	eax, 1Dh
		ja	loc_A0F3E9
		mov	eax, [ebp+arg_4]
		mov	ecx, ebx
		shr	eax, cl
		mov	[ebp+var_24], eax
		xor	esi, esi
		inc	esi
		shl	esi, cl
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		div	esi
		mov	ecx, [ebp+var_24]
		test	edx, edx
		jz	short loc_A0F0D1
		inc	ecx

loc_A0F0D1:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+BCj
		mov	esi, [ebp+arg_10]
		mov	eax, esi
		shr	eax, 2
		cmp	ecx, eax
		jbe	short loc_A0F0E7
		mov	eax, 0C0000023h
		jmp	loc_A0F3F5
; 

loc_A0F0E7:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+C9j
		mov	edx, [ebp+arg_4]
		lea	eax, [edi+edx]
		cmp	eax, edx
		jnb	short loc_A0F0FB
		mov	eax, 80000005h
		jmp	loc_A0F3F5
; 

loc_A0F0FB:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+DDj
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_8C], eax
		and	[ebp+var_34], 0
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_8C]
		push	eax
		push	10h
		push	1
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	loc_A0F3E2
		cmp	[ebp+var_34], 10h
		jnz	loc_A0F3E2
		cmp	[ebp+var_88], 0
		jz	loc_A0F3E2
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	[ebp+var_1D], al
		mov	byte ptr [ebp+var_24], al
		test	al, al
		jz	short loc_A0F1AE
		and	[ebp+ms_exc.disabled], 0
		mov	edx, [ebp+var_40]
		mov	ecx, edx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_A0F166
		mov	ecx, eax

loc_A0F166:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+150j
		mov	eax, [ecx]
		mov	[ecx], eax
		push	4
		push	esi
		push	[ebp+arg_C]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		cmp	[ebp+arg_20], 0
		jnz	short loc_A0F1A7
		movzx	eax, word ptr [ebp+arg_18]
		imul	eax, 0Ch
		test	eax, eax
		jz	short loc_A0F1A7
		test	byte ptr [ebp+arg_1C], 3
		jz	short loc_A0F191
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A0F191:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+178j
		mov	ecx, [ebp+arg_1C]
		lea	edx, [eax+ecx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_A0F1A4
		cmp	edx, ecx
		jnb	short loc_A0F1A7

loc_A0F1A4:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+18Cj
		mov	byte ptr [eax],	0

loc_A0F1A7:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+167j
					; ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+172j	...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A0F1AE:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+13Ej
		lea	eax, [ebp+var_64]
		push	eax
		call	_KeInitializeAffinityEx@4 ; KeInitializeAffinityEx(x)

loc_A0F1B7:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+230j
		cmp	word ptr [ebp+arg_18], 0
		jbe	loc_A0F247
		cmp	[ebp+var_1D], 0
		jz	short loc_A0F213
		cmp	[ebp+arg_20], 0
		jnz	short loc_A0F213
		mov	[ebp+ms_exc.disabled], 1
		mov	esi, [ebp+arg_1C]
		lea	edi, [ebp+var_58]
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A0F21C
; 

loc_A0F1E7:				; DATA XREF: .text:006AA9FCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_44], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0F1F5:				; DATA XREF: .text:006AAA00o
		mov	eax, [ebp+var_44]
		jmp	short loc_A0F20B
; 

loc_A0F1FA:				; DATA XREF: .text:006AAA08o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_48], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0F208:				; DATA XREF: .text:006AAA0Co
		mov	eax, [ebp+var_48]

loc_A0F20B:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+1E6j
		mov	esp, [ebp+ms_exc.old_esp]
		jmp	loc_A0F3B8
; 

loc_A0F213:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+1B4j
					; ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+1BAj
		mov	esi, [ebp+arg_1C]
		lea	edi, [ebp+var_58]
		movsd
		movsd
		movsd

loc_A0F21C:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+1D3j
		xor	dl, dl
		lea	ecx, [ebp+var_58]
		call	_KeVerifyGroupAffinity@8 ; KeVerifyGroupAffinity(x,x)
		test	al, al
		jz	loc_A0F3E9
		mov	eax, [ebp+var_5C]
		or	eax, [ebp+var_58]
		mov	[ebp+var_5C], eax
		add	[ebp+arg_18], 0FFFFh
		add	[ebp+arg_1C], 0Ch
		jmp	loc_A0F1B7
; 

loc_A0F247:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+1AAj
		mov	eax, [ebp+var_4C]
		test	eax, eax
		jnz	short loc_A0F28F
		cmp	[ebp+var_30], eax
		jnz	loc_A0F3E9
		mov	edi, [ebp+var_2C]
		cmp	edi, ds:_MmHighestUserAddress
		ja	short loc_A0F289
		cmp	[ebp+var_1D], al
		jz	short loc_A0F289
		push	[ebp+var_24]
		push	ds:dword_A94C9C
		push	ds:_SeSystemProfilePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0F289
		mov	eax, 0C0000061h
		jmp	loc_A0F3F5
; 

loc_A0F289:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+24Ej
					; ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+253j	...
		and	[ebp+var_28], 0
		jmp	short loc_A0F2B9
; 

loc_A0F28F:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+23Aj
		push	0
		lea	ecx, [ebp+var_28]
		push	ecx
		push	66507845h
		push	[ebp+var_24]
		push	ds:_PsProcessType
		push	400h
		push	eax
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_A0F3F5
		mov	edi, [ebp+var_2C]

loc_A0F2B9:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+27Bj
		mov	cl, [ebp+var_1D]
		call	_ExIsRestrictedCaller@4	; ExIsRestrictedCaller(x)
		test	eax, eax
		jz	short loc_A0F2EE
		mov	[ebp+ms_exc.disabled], 2
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_A0F2E7
		lea	eax, [edi+edx]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_A0F2E4
		cmp	eax, edi
		jnb	short loc_A0F2E7

loc_A0F2E4:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+2CCj
		mov	byte ptr [ecx],	0

loc_A0F2E7:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+2BFj
					; ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+2D0j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A0F2EE:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+2B1j
		mov	[ebp+var_7C], 18h
		xor	ecx, ecx
		mov	[ebp+var_78], ecx
		mov	[ebp+var_70], 20h
		mov	[ebp+var_74], ecx
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_68], ecx
		mov	edx, ds:_ExProfileObjectType
		push	ecx
		lea	eax, [ebp+var_38]
		push	eax
		push	6Ch
		push	ecx
		push	38h
		push	ecx
		push	[ebp+var_24]
		lea	eax, [ebp+var_7C]
		push	eax
		xor	cl, cl
		call	ObCreateObjectEx
		mov	[ebp+var_24], eax
		test	eax, eax
		js	loc_A0F3CC
		mov	ecx, [ebp+var_38]
		mov	eax, [ebp+var_28]
		mov	[ecx], eax
		mov	[ecx+4], edi
		mov	eax, [ebp+arg_4]
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_C]
		mov	[ecx+0Ch], eax
		mov	esi, [ebp+arg_10]
		mov	[ecx+10h], esi
		mov	[ecx+14h], ebx
		xor	edx, edx
		mov	[ecx+1Ch], edx
		mov	eax, [ebp+var_30]
		mov	[ecx+24h], eax
		mov	eax, [ebp+arg_14]
		mov	[ecx+28h], eax
		lea	edi, [ecx+2Ch]
		lea	esi, [ebp+var_64]
		movsd
		movsd
		movsd
		lea	eax, [ebp+var_3C]
		push	eax
		push	edx
		push	edx
		push	edx
		push	1
		call	_ObInsertObjectEx@28 ; ObInsertObjectEx(x,x,x,x,x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		js	short loc_A0F3DD
		mov	[ebp+ms_exc.disabled], 3
		mov	eax, [ebp+var_3C]
		mov	edx, [ebp+var_40]
		mov	[edx], eax

loc_A0F392:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+3B8j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A0F3DD
; 

loc_A0F39B:				; DATA XREF: .text:006AAA14o
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0F39F:				; DATA XREF: .text:006AAA18o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_A0F3B3
		mov	edx, 66507845h
		call	ObfDereferenceObjectWithTag

loc_A0F3B3:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+395j
		mov	eax, 0C0000022h

loc_A0F3B8:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+1FCj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A0F3F5
; 

loc_A0F3C1:				; DATA XREF: .text:006AAA20o
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A0F3C7:				; DATA XREF: .text:006AAA24o
		mov	esp, [ebp+ms_exc.old_esp]
		jmp	short loc_A0F392
; 

loc_A0F3CC:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+31Cj
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_A0F3DD
		mov	edx, 66507845h
		call	ObfDereferenceObjectWithTag

loc_A0F3DD:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+36Fj
					; ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+387j	...
		mov	eax, [ebp+var_24]
		jmp	short loc_A0F3F5
; 

loc_A0F3E2:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+10Dj
					; ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+117j	...
		mov	eax, 0C00000BBh
		jmp	short loc_A0F3F5
; 

loc_A0F3E9:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+9Bj
					; ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+216j	...
		mov	eax, 0C000000Dh
		jmp	short loc_A0F3F5
; 

loc_A0F3F0:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+49j
					; ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+67j
		mov	eax, 0C00000F5h

loc_A0F3F5:				; CODE XREF: ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+D0j
					; ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)+E4j ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
_ExpProfileCreate@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpProfileDelete(x)
_ExpProfileDelete@4 proc near		; DATA XREF: ExpProfileInitialization()+6Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		cmp	dword ptr [esi+1Ch], 0
		jz	short loc_A0F43F
		mov	ecx, [esi+18h]
		call	_KeStopProfile@4 ; KeStopProfile(x)
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		call	MmUnmapLockedPages
		push	dword ptr [esi+20h]
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	0
		push	dword ptr [esi+18h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0F43F:				; CODE XREF: ExpProfileDelete(x)+11j
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_A0F44F
		mov	edx, 66507845h
		call	ObfDereferenceObjectWithTag

loc_A0F44F:				; CODE XREF: ExpProfileDelete(x)+3Cj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
_ExpProfileDelete@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x, x,	x, x)
_NtConvertBetweenAuxiliaryCounterAndPerformanceCounter@16 proc near
					; DATA XREF: .text:00581188o

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	28h
		push	offset dword_6AA978
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	loc_A0F560
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, [ebp+arg_4]
		test	al, 3
		jz	short loc_A0F493
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A0F493:				; CODE XREF: NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+36j
		lea	edx, [eax+8]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_A0F4A4
		cmp	edx, eax
		jnb	short loc_A0F4A6

loc_A0F4A4:				; CODE XREF: NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+48j
		mov	[ecx], bl

loc_A0F4A6:				; CODE XREF: NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+4Cj
		mov	ebx, [eax]
		mov	[ebp+var_38], ebx
		mov	eax, [eax+4]
		mov	[ebp+arg_4], eax
		mov	[ebp+var_34], eax
		push	4
		push	8
		mov	edi, [ebp+arg_8]
		push	edi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	short loc_A0F4D2
		push	4
		push	8
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)

loc_A0F4D2:				; CODE XREF: NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+70j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+arg_4]
		push	ebx
		cmp	[ebp+arg_0], 0
		jz	short loc_A0F4F3
		call	off_6B13DC	; xHalConvertPerformanceCounterToAuxiliaryCounter(x,x,x,x)
		jmp	short loc_A0F4F9
; 

loc_A0F4F3:				; CODE XREF: NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+93j
		call	off_6B13D8	; xHalConvertPerformanceCounterToAuxiliaryCounter(x,x,x,x)

loc_A0F4F9:				; CODE XREF: NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+9Bj
		mov	ecx, eax
		test	ecx, ecx
		js	loc_A0F585
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_28]
		mov	[edi], eax
		mov	eax, [ebp+var_24]
		mov	[edi+4], eax
		test	esi, esi
		jz	short loc_A0F524
		mov	eax, [ebp+var_30]
		mov	[esi], eax
		mov	eax, [ebp+var_2C]
		mov	[esi+4], eax

loc_A0F524:				; CODE XREF: NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+C1j
					; NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+EBj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A0F585
; 

loc_A0F52D:				; DATA XREF: .text:006AA998o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0F53B:				; DATA XREF: .text:006AA99Co
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ecx, [ebp+var_1C]
		jmp	short loc_A0F524
; 

loc_A0F543:				; DATA XREF: .text:006AA98Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0F551:				; DATA XREF: .text:006AA990o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]
		jmp	short loc_A0F587
; 

loc_A0F560:				; CODE XREF: NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+28j
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	eax, [eax+4]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	eax
		push	ecx
		cmp	[ebp+arg_0], bl
		jz	short loc_A0F57D
		call	off_6B13DC	; xHalConvertPerformanceCounterToAuxiliaryCounter(x,x,x,x)
		jmp	short loc_A0F583
; 

loc_A0F57D:				; CODE XREF: NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+11Dj
		call	off_6B13D8	; xHalConvertPerformanceCounterToAuxiliaryCounter(x,x,x,x)

loc_A0F583:				; CODE XREF: NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+125j
		mov	ecx, eax

loc_A0F585:				; CODE XREF: NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+A7j
					; NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+D5j
		mov	eax, ecx

loc_A0F587:				; CODE XREF: NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(x,x,x,x)+108j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_NtConvertBetweenAuxiliaryCounterAndPerformanceCounter@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateProfile(x, x, x, x,	x, x, x, x, x)
_NtCreateProfile@36 proc near		; DATA XREF: .text:00581120o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_14]
		and	[ebp+var_C], 0
		and	[ebp+var_8], 0
		mov	[ebp+var_14], eax
		mov	eax, large fs:20h
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		movzx	eax, byte ptr [eax+3C5h]
		mov	esi, [ebp+arg_0]
		mov	ecx, eax
		mov	word ptr [ebp+var_C], ax
		mov	eax, [ebp+arg_20]
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_A0F5E6
		push	ecx
		call	_KeQueryGroupAffinity@4	; KeQueryGroupAffinity(x)

loc_A0F5E6:				; CODE XREF: NtCreateProfile(x,x,x,x,x,x,x,x,x)+45j
		push	1
		mov	[ebp+var_10], eax
		mov	edx, edi
		lea	eax, [ebp+var_10]
		mov	ecx, esi
		push	eax
		push	1
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+var_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ebx
		call	_ExpProfileCreate@44 ; ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	24h
_NtCreateProfile@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateProfileEx(x, x, x, x, x, x,	x, x, x, x)
_NtCreateProfileEx@40 proc near		; DATA XREF: .text:0058111Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_24]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_20]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_ExpProfileCreate@44 ; ExpProfileCreate(x,x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	28h
_NtCreateProfileEx@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtQueryAuxiliaryCounterFrequency(x)
_NtQueryAuxiliaryCounterFrequency@4 proc near ;	DATA XREF: .text:00580DD0o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	18h
		push	offset dword_6AA9A0
		call	__SEH_prolog4
		xor	ecx, ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		test	al, al
		jz	short loc_A0F6E4
		mov	[ebp+ms_exc.disabled], ecx
		push	4
		push	8
		mov	esi, [ebp+arg_0]
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		lea	eax, [ebp+var_28]
		push	eax
		call	off_6B13E0	; xKdReleasePciDeviceForDebugging(x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_A0F6EF
		mov	[ebp+ms_exc.disabled], 1
		mov	eax, [ebp+var_28]
		mov	[esi], eax
		mov	eax, [ebp+var_24]
		mov	[esi+4], eax
		mov	[ebp+ms_exc.disabled], edi
		jmp	short loc_A0F6EF
; 

loc_A0F6AA:				; DATA XREF: .text:006AA9C0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0F6B8:				; DATA XREF: .text:006AA9C4o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ecx, [ebp+var_1C]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A0F6EF
; 

loc_A0F6C7:				; DATA XREF: .text:006AA9B4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0F6D5:				; DATA XREF: .text:006AA9B8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]
		jmp	short loc_A0F6F1
; 

loc_A0F6E4:				; CODE XREF: NtQueryAuxiliaryCounterFrequency(x)+22j
		push	[ebp+arg_0]
		call	off_6B13E0	; xKdReleasePciDeviceForDebugging(x)
		mov	ecx, eax

loc_A0F6EF:				; CODE XREF: NtQueryAuxiliaryCounterFrequency(x)+48j
					; NtQueryAuxiliaryCounterFrequency(x)+5Fj ...
		mov	eax, ecx

loc_A0F6F1:				; CODE XREF: NtQueryAuxiliaryCounterFrequency(x)+99j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_NtQueryAuxiliaryCounterFrequency@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtSetIntervalProfile(x, x)
_NtSetIntervalProfile@8	proc near	; CODE XREF: EtwSetPerformanceTraceInformation(x,x,x)+17Bp
					; DATA XREF: .text:00580CA4o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [esp+8+var_4],	al
		push	[esp+8+var_4]
		push	ds:dword_A94C9C
		push	ds:_SeSystemProfilePrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A0F73D
		mov	eax, 0C0000061h
		jmp	short loc_A0F74A
; 

loc_A0F73D:				; CODE XREF: NtSetIntervalProfile(x,x)+31j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_KeSetIntervalProfile@8	; KeSetIntervalProfile(x,x)
		xor	eax, eax

loc_A0F74A:				; CODE XREF: NtSetIntervalProfile(x,x)+38j
		mov	esp, ebp
		pop	ebp
		retn	8
_NtSetIntervalProfile@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtStartProfile(x)
_NtStartProfile@4 proc near		; DATA XREF: .text:00580C34o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	18h
		push	offset dword_6AA9C8
		call	__SEH_prolog4
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_24], al
		mov	eax, ds:_ExProfileObjectType
		xor	edi, edi
		mov	[ebp+var_1C], edi
		push	edi
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	[ebp+var_24]
		push	eax
		push	1
		push	[ebp+arg_0]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	loc_A0F934
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset _ExpProfileStateMutex
		call	KeWaitForSingleObject
		mov	ebx, [ebp+var_1C]
		cmp	[ebx+1Ch], edi
		jz	short loc_A0F7AD
		mov	esi, 0C00000B8h
		jmp	short loc_A0F7F3
; 

loc_A0F7AD:				; CODE XREF: NtStartProfile(x)+54j
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		shl	eax, 0Dh
		cmp	_ExpCurrentProfileUsage, eax
		jnz	short loc_A0F7C9
		mov	esi, 0C00000D3h
		jmp	short loc_A0F7F3
; 

loc_A0F7C9:				; CODE XREF: NtStartProfile(x)+70j
		push	666F7250h
		push	dword ptr [ebx+10h]
		push	dword ptr [ebx+0Ch]
		call	_MmSizeOfMdl@8	; MmSizeOfMdl(x,x)
		add	eax, 34h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	short loc_A0F803
		mov	esi, 0C000009Ah

loc_A0F7F3:				; CODE XREF: NtStartProfile(x)+5Bj
					; NtStartProfile(x)+77j
		push	edi
		push	offset _ExpProfileStateMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		jmp	loc_A0F8A5
; 

loc_A0F803:				; CODE XREF: NtStartProfile(x)+9Cj
		lea	ecx, [eax+34h]
		mov	[ebp+arg_0], ecx
		mov	[ebx+20h], ecx
		mov	[ebx+18h], eax
		mov	esi, [ebx+10h]
		mov	edx, [ebx+0Ch]
		mov	[ecx], edi
		mov	ecx, edx
		and	ecx, 0FFFh
		lea	eax, [esi+0FFFh]
		add	eax, ecx
		shr	eax, 0Ch
		lea	eax, ds:1Ch[eax*4]
		mov	ebx, [ebp+arg_0]
		mov	[ebx+4], ax
		xor	ebx, ebx
		mov	eax, [ebp+arg_0]
		mov	[eax+6], bx
		and	edx, 0FFFFF000h
		mov	[eax+10h], edx
		mov	[eax+18h], ecx
		mov	[eax+14h], esi
		mov	[ebp+ms_exc.disabled], edi
		mov	ebx, [ebp+var_1C]
		push	1
		push	[ebp+var_24]
		push	eax
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	40000010h
		push	edi
		push	edi
		push	1
		push	edi
		push	dword ptr [ebx+20h]
		call	MmMapLockedPagesSpecifyCache
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jnz	short loc_A0F8B3
		push	edi
		push	offset _ExpProfileStateMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		push	[ebp+arg_0]
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	edi
		mov	esi, [ebp+var_20]
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, 0C000009Ah

loc_A0F8A5:				; CODE XREF: NtStartProfile(x)+AEj
		mov	ecx, ebx
		call	ObfDereferenceObject
		mov	eax, esi
		jmp	loc_A0F934
; 

loc_A0F8B3:				; CODE XREF: NtStartProfile(x)+131j
		lea	eax, [ebx+2Ch]
		push	eax
		push	dword ptr [ebx+28h]
		push	dword ptr [ebx+24h]
		push	dword ptr [ebx+14h]
		push	dword ptr [ebx+8]
		push	dword ptr [ebx+4]
		push	ecx
		mov	edx, [ebx]
		mov	ecx, [ebp+var_20]
		call	_KeInitializeProfile@36	; KeInitializeProfile(x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_20]
		call	_KeStartProfile@4 ; KeStartProfile(x)
		mov	eax, [ebp+var_24]
		mov	[ebx+1Ch], eax
		inc	_ExpCurrentProfileUsage
		push	edi
		push	offset _ExpProfileStateMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	ecx, ebx
		call	ObfDereferenceObject
		xor	eax, eax
		jmp	short loc_A0F934
; 

loc_A0F8FB:				; DATA XREF: .text:006AA9DCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A0F909:				; DATA XREF: .text:006AA9E0o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	edi, edi
		push	edi
		push	offset _ExpProfileStateMutex
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		push	edi
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_1C]
		call	ObfDereferenceObject
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_28]

loc_A0F934:				; CODE XREF: NtStartProfile(x)+3Aj
					; NtStartProfile(x)+15Ej ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_NtStartProfile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtStopProfile(x)
_NtStopProfile@4 proc near		; DATA XREF: .text:00580C30o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, large fs:124h
		lea	ecx, [esp+0Ch+var_C]
		push	ebx
		push	esi
		push	edi
		mov	al, [eax+15Ah]
		xor	ebx, ebx
		push	ebx
		push	ecx
		mov	byte ptr [esp+20h+var_4], al
		push	[esp+20h+var_4]
		mov	eax, ds:_ExProfileObjectType
		push	eax
		push	1
		push	[ebp+arg_0]
		mov	[esp+30h+var_8], ebx
		mov	[esp+30h+var_C], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A0FA02
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		mov	esi, offset _ExpProfileStateMutex
		push	esi
		call	KeWaitForSingleObject
		mov	edi, [esp+18h+var_C]
		cmp	[edi+1Ch], ebx
		jnz	short loc_A0F9B4
		push	ebx
		push	esi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	[esp+18h+var_8], 0C00000B7h
		jmp	short loc_A0F9F7
; 

loc_A0F9B4:				; CODE XREF: NtStopProfile(x)+5Bj
		mov	ecx, [edi+18h]
		call	_KeStopProfile@4 ; KeStopProfile(x)
		mov	esi, [edi+1Ch]
		dec	_ExpCurrentProfileUsage
		mov	[edi+1Ch], ebx
		mov	ebx, [esp+18h+var_C]
		mov	edi, [edi+20h]
		push	0
		push	offset _ExpProfileStateMutex
		mov	ebx, [ebx+18h]
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		push	edi
		push	esi
		call	MmUnmapLockedPages
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [esp+1Ch+var_10]

loc_A0F9F7:				; CODE XREF: NtStopProfile(x)+6Cj
		mov	ecx, edi
		call	ObfDereferenceObject
		mov	eax, [esp+1Ch+var_C]

loc_A0FA02:				; CODE XREF: NtStopProfile(x)+43j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_NtStopProfile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CMFAllocFn(x, x)
_CMFAllocFn@8	proc near		; CODE XREF: XpressDecodeCreate(x,x)+4p

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	636D6650h
		push	[ebp+arg_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		pop	ebp
		retn	8
_CMFAllocFn@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CMFCheckAccess(x, x, x)
_CMFCheckAccess@12 proc	near		; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+143p
					; NtMapCMFModule(x,x,x,x,x,x)+60Dp

var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_151		= byte ptr -151h
var_150		= dword	ptr -150h
var_8C		= dword	ptr -8Ch
var_70		= dword	ptr -70h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 168h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	74h		; size_t
		xor	ebx, ebx
		mov	[ebp+var_164], edx
		lea	eax, [ebp+var_8C]
		mov	esi, ecx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		push	0C4h		; size_t
		lea	eax, [ebp+var_150]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 18h
		mov	[ebp+var_158], ebx
		test	esi, esi
		jnz	short loc_A0FA7C
		mov	esi, 0C000000Dh
		jmp	loc_A0FC32
; 

loc_A0FA7C:				; CODE XREF: CMFCheckAccess(x,x,x)+4Dj
		lea	eax, [esi-18h]
		shr	eax, 8
		movzx	edx, al
		movzx	eax, byte ptr [esi-0Ch]
		xor	edx, eax
		movzx	eax, byte ptr ds:_ObHeaderCookie
		xor	edx, eax
		lea	eax, [ebp+var_164]
		push	edi
		mov	edi, ds:_ObTypeIndexTable[edx*4]
		add	edi, 34h
		push	edi
		push	eax
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		cmp	_CMFSecurityDescriptor,	ebx
		jnz	short loc_A0FAFB
		mov	edx, edi
		mov	[ebp+var_15C], ebx
		lea	ecx, [ebp+var_15C]
		call	_CMFCreateSecurityDescriptor@8 ; CMFCreateSecurityDescriptor(x,x)
		mov	esi, eax
		mov	eax, 0C0000000h
		mov	ecx, esi
		and	ecx, eax
		cmp	ecx, eax
		jz	loc_A0FC31
		mov	ecx, [ebp+var_15C]
		mov	edx, offset _CMFSecurityDescriptor
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_A0FAFB
		push	ebx
		push	[ebp+var_15C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0FAFB:				; CODE XREF: CMFCheckAccess(x,x,x)+8Fj
					; CMFCheckAccess(x,x,x)+CAj
		mov	eax, large fs:124h
		lea	edx, [ebp+var_150]
		mov	ecx, large fs:124h
		mov	ebx, [ebp+var_164]
		push	edi		; int
		mov	eax, [eax+80h]
		push	ebx		; int
		push	edx		; void *
		lea	edx, [ebp+var_8C]
		push	edx		; void *
		push	eax		; int
		push	ecx		; int
		call	_SeCreateAccessStateEx@24 ; SeCreateAccessStateEx(x,x,x,x,x,x)
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_A0FC31
		lea	eax, [ebp+var_70]
		push	eax
		call	_SeLockSubjectContext@4	; SeLockSubjectContext(x)
		push	[ebp+arg_0]
		lea	eax, [ebp+var_70]
		mov	[ebp+var_18], 1
		push	eax
		xor	esi, esi
		mov	[ebp+var_10], 12h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], esi
		push	eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], esi
		call	_SePrivilegeCheck@12 ; SePrivilegeCheck(x,x,x)
		mov	[ebp+var_151], al
		mov	[ebp+var_168], esi
		mov	[ebp+var_160], esi
		test	al, al
		jnz	short loc_A0FBDD
		lea	eax, [ebp+var_168]
		push	eax
		lea	eax, [ebp+var_160]
		push	eax
		push	[ebp+arg_0]
		lea	eax, [ebp+var_158]
		push	edi
		push	eax
		push	esi
		push	ebx
		push	1
		lea	eax, [ebp+var_70]
		push	eax
		push	_CMFSecurityDescriptor
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_151], al
		cmp	[ebp+var_158], esi
		jz	short loc_A0FBE3
		push	[ebp+var_158]
		lea	eax, [ebp+var_8C]
		push	eax
		call	SeAppendPrivileges
		push	[ebp+var_158]
		call	_SeFreePrivileges@4 ; SeFreePrivileges(x)
		jmp	short loc_A0FBE3
; 

loc_A0FBDD:				; CODE XREF: CMFCheckAccess(x,x,x)+15Fj
		mov	[ebp+var_160], ebx

loc_A0FBE3:				; CODE XREF: CMFCheckAccess(x,x,x)+199j
					; CMFCheckAccess(x,x,x)+1B8j
		lea	eax, [ebp+var_70]
		push	eax
		call	_SeUnlockSubjectContext@4 ; SeUnlockSubjectContext(x)
		mov	esi, [ebp+var_168]
		mov	ecx, 0C0000000h
		mov	eax, esi
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_A0FC1D
		cmp	[ebp+var_151], 0
		jz	short loc_A0FC18
		mov	eax, [ebp+var_160]
		not	eax
		test	eax, ebx
		jnz	short loc_A0FC18
		xor	esi, esi
		jmp	short loc_A0FC1D
; 

loc_A0FC18:				; CODE XREF: CMFCheckAccess(x,x,x)+1E3j
					; CMFCheckAccess(x,x,x)+1EFj
		mov	esi, 0C0000022h

loc_A0FC1D:				; CODE XREF: CMFCheckAccess(x,x,x)+1DAj
					; CMFCheckAccess(x,x,x)+1F3j
		lea	ecx, [ebp+var_8C]
		call	SepDeleteAccessState
		lea	eax, [ebp+var_70]
		push	eax
		call	SeReleaseSubjectContext

loc_A0FC31:				; CODE XREF: CMFCheckAccess(x,x,x)+B1j
					; CMFCheckAccess(x,x,x)+113j
		pop	edi

loc_A0FC32:				; CODE XREF: CMFCheckAccess(x,x,x)+54j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CMFCheckAccess@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CMFCreateSecurityDescriptor(x, x)
_CMFCreateSecurityDescriptor@8 proc near ; CODE	XREF: CMFCheckAccess(x,x,x)+9Fp
					; CMFSystemThreadRoutine(x)+334p

var_44		= dword	ptr -44h
var_30		= dword	ptr -30h
var_2C		= word ptr -2Ch
var_28		= dword	ptr -28h
var_24		= word ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= word ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_2C], 500h
		push	esi
		push	edi
		lea	edi, [ebp+var_44]
		mov	[ebp+var_18], 100h
		stosd
		mov	ebx, edx
		mov	edx, ecx
		mov	[ebp+var_24], 0F00h
		xor	ecx, ecx
		mov	[ebp+var_4], edx
		and	[ebp+var_C], ecx
		stosd
		mov	[ebp+var_30], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_28], ecx
		stosd
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		stosd
		stosd
		xor	edi, edi
		test	edx, edx
		jnz	short loc_A0FC96
		mov	esi, 0C000000Dh
		jmp	loc_A10121
; 

loc_A0FC96:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+46j
		and	[edx], ecx
		lea	eax, [ebp+var_44]
		push	1
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_A10109
		push	636D6650h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	short loc_A0FCD6
		mov	ebx, [ebp+var_4]
		mov	esi, 0C0000017h
		jmp	loc_A10110
; 

loc_A0FCD6:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+83j
		push	1
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_A0FD1F
		mov	esi, [ebp+var_20]
		push	0
		push	esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	636D6650h
		push	20h
		push	1
		and	[eax], edi
		movzx	eax, byte ptr [esi+1]
		mov	[ebp+var_1C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], esi
		test	esi, esi
		jnz	short loc_A0FD6E

loc_A0FD1A:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+1A7j
					; CMFCreateSecurityDescriptor(x,x)+205j ...
		mov	esi, 0C0000017h

loc_A0FD1F:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+A9j
					; CMFCreateSecurityDescriptor(x,x)+1C4j ...
		mov	ebx, [ebp+var_4]

loc_A0FD22:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+429j
		push	0
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_A0FD3B
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0FD3B:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+EDj
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_A0FD4A
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0FD4A:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+FCj
		test	edi, edi
		jz	short loc_A0FD56
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A0FD56:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+108j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	loc_A1010C
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_A1010C
; 

loc_A0FD6E:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+D4j
		push	6
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	0
		push	esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	1
		push	esi
		mov	dword ptr [eax], 50h
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	2
		push	esi
		mov	dword ptr [eax], 38FB89B5h
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	3
		push	esi
		mov	dword ptr [eax], 0CBC28419h
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	4
		push	esi
		mov	dword ptr [eax], 6D236C5Ch
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	5
		push	esi
		mov	dword ptr [eax], 6E770057h
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	636D6650h
		push	10h
		push	1
		mov	dword ptr [eax], 876402C0h
		movzx	eax, byte ptr [esi+1]
		add	eax, [ebp+var_1C]
		mov	[ebp+var_1C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_A0FD1A
		push	2
		lea	ecx, [ebp+var_28]
		push	ecx
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_A0FD1F
		mov	esi, [ebp+var_10]
		push	0
		push	esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		xor	edi, edi
		inc	edi
		push	edi
		push	esi
		mov	dword ptr [eax], 2
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	636D6650h
		push	10h
		push	edi
		mov	[eax], edi
		movzx	eax, byte ptr [esi+1]
		add	eax, [ebp+var_1C]
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_1C], edi
		test	edi, edi
		jz	loc_A0FD1A
		push	2
		lea	eax, [ebp+var_28]
		push	eax
		push	edi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_A0FD1F
		push	0
		push	edi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	2
		pop	esi
		push	1
		push	edi
		mov	[eax], esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	636D6650h
		push	10h
		push	1
		mov	[eax], esi
		movzx	eax, byte ptr [edi+1]
		add	eax, [ebp+var_8]
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_A0FD1A
		push	esi
		lea	ecx, [ebp+var_30]
		push	ecx
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_A0FD1F
		mov	esi, [ebp+var_14]
		push	0
		push	esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	1
		push	esi
		mov	dword ptr [eax], 20h
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	636D6650h
		mov	dword ptr [eax], 220h
		movzx	eax, byte ptr [esi+1]
		add	eax, [ebp+var_8]
		lea	esi, ds:6Ch[eax*4]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A0FF0F
		mov	edi, [ebp+var_1C]
		mov	esi, 0C0000017h
		jmp	loc_A0FD1F
; 

loc_A0FF0F:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+2BCj
		push	2		; int
		push	esi		; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_A1005F
		mov	eax, 10000000h
		mov	[ebp+var_8], eax
		test	ebx, ebx
		jz	short loc_A0FF42
		push	ebx
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	eax, [ebp+var_8]

loc_A0FF42:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+2EFj
		push	0
		push	[ebp+var_C]
		mov	ecx, edi
		push	eax
		push	3
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_A1005F
		mov	eax, 10000000h
		mov	[ebp+var_8], eax
		test	ebx, ebx
		jz	short loc_A0FF7E
		push	ebx
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	eax, [ebp+var_8]

loc_A0FF7E:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+32Bj
		mov	ecx, [ebp+var_14]
		push	0
		push	ecx
		push	eax
		push	3
		push	2
		pop	edx
		mov	ecx, edi
		call	RtlpAddKnownAce
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_A1005F
		mov	eax, 80000000h
		mov	[ebp+var_8], eax
		test	ebx, ebx
		jz	short loc_A0FFBB
		push	ebx
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	eax, [ebp+var_8]

loc_A0FFBB:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+368j
		push	0
		push	[ebp+var_20]
		mov	ecx, edi
		push	eax
		push	3
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_A1005F
		mov	eax, 80000000h
		mov	[ebp+var_8], eax
		test	ebx, ebx
		jz	short loc_A0FFF7
		push	ebx
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	eax, [ebp+var_8]

loc_A0FFF7:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+3A4j
		mov	ecx, [ebp+var_10]
		push	0
		push	ecx
		push	eax
		push	3
		push	2
		pop	edx
		mov	ecx, edi
		call	RtlpAddKnownAce
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_A1005F
		mov	eax, 80000000h
		mov	[ebp+var_8], eax
		test	ebx, ebx
		jz	short loc_A10030
		push	ebx
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlMapGenericMask@8 ; RtlMapGenericMask(x,x)
		mov	eax, [ebp+var_8]

loc_A10030:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+3DDj
		xor	ebx, ebx
		mov	ecx, edi
		push	ebx
		push	[ebp+var_1C]
		push	eax
		push	3
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_A1005F
		push	edi
		call	RtlValidAcl
		test	al, al
		jnz	short loc_A10072
		mov	esi, 0C0000077h

loc_A1005F:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+2DFj
					; CMFCreateSecurityDescriptor(x,x)+31Bj ...
		mov	ebx, [ebp+var_4]

loc_A10062:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+4ABj
					; CMFCreateSecurityDescriptor(x,x)+4C0j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [ebp+var_1C]
		jmp	loc_A0FD22
; 

loc_A10072:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+414j
		push	ebx
		push	edi
		push	1
		lea	eax, [ebp+var_44]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_A1005F
		push	ebx
		push	[ebp+var_C]
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		mov	ecx, 0C0000000h
		mov	esi, eax
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_A1005F
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jnz	short loc_A100BA
		mov	esi, 0C0000079h
		jmp	short loc_A1005F
; 

loc_A100BA:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+46Dj
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	eax
		push	ebx
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		mov	esi, eax
		cmp	[ebp+var_8], ebx
		jz	short loc_A1005F
		push	636D6650h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, [ebp+var_4]
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_A100F4
		mov	esi, 0C0000017h
		jmp	loc_A10062
; 

loc_A100F4:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+4A4j
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		mov	esi, eax
		jmp	loc_A10062
; 

loc_A10109:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+6Aj
		mov	ebx, [ebp+var_4]

loc_A1010C:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+117j
					; CMFCreateSecurityDescriptor(x,x)+125j
		test	esi, esi
		jns	short loc_A10121

loc_A10110:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+8Dj
		mov	eax, [ebx]
		test	eax, eax
		jz	short loc_A10121
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [ebx], 0

loc_A10121:				; CODE XREF: CMFCreateSecurityDescriptor(x,x)+4Dj
					; CMFCreateSecurityDescriptor(x,x)+4CAj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CMFCreateSecurityDescriptor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CMFFlushHitsFile(x,	x)
_CMFFlushHitsFile@8 proc near		; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+6EBp

var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= word ptr -224h
ms_exc		= CPPEH_RECORD ptr -18h

		push	268h
		push	offset dword_6AAA60
		call	__SEH_prolog4_GS
		mov	[ebp+var_230], edx
		mov	[ebp+var_234], ecx
		xor	esi, esi
		mov	[ebp+var_228], esi
		mov	[ebp+var_23C], esi
		mov	[ebp+var_238], esi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_254]
		rep stosd
		mov	[ebp+var_268], esi
		mov	[ebp+var_264], esi
		mov	[ebp+var_22C], esi
		mov	[ebp+var_278], esi
		mov	[ebp+var_274], esi
		mov	ebx, esi
		mov	eax, [ebp+var_234]
		test	eax, eax
		jnz	short loc_A10198
		mov	eax, 0C000000Dh
		jmp	loc_A10400
; 

loc_A10198:				; CODE XREF: CMFFlushHitsFile(x,x)+64j
		test	_CMFFlagsCache,	8
		jnz	short loc_A101E0
		mov	[ebp+var_25C], eax
		mov	[ebp+var_258], edx
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		lea	eax, [ebp+var_23C]
		push	eax
		lea	eax, [ebp+var_258]
		push	eax
		lea	edx, [ebp+var_25C]
		call	MmFlushVirtualMemory
		cmp	eax, 0C0000088h
		jnz	loc_A10400

loc_A101E0:				; CODE XREF: CMFFlushHitsFile(x,x)+7Aj
		push	_CMFCacheIndex
		push	offset ??_C@_1CK@DHBGEEEI@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAR?$AAe?$AAs@NNGAKEGL@ ; "\\SystemRoot\\Rescache"
		push	offset ??_C@_1CO@FCIFCGHL@?$AA?$CF?$AAs?$AA?2?$AAr?$AAc?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AAr?$AAe?$AAs?$AAc?$AAa@NNGAKEGL@	; wchar_t *
		push	104h		; int
		lea	eax, [ebp+var_224]
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 14h
		mov	edi, eax
		test	edi, edi
		js	loc_A103CB
		lea	eax, [ebp+var_224]
		push	eax
		lea	eax, [ebp+var_268]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_254], 18h
		mov	[ebp+var_250], esi
		mov	[ebp+var_248], 240h
		lea	eax, [ebp+var_268]
		mov	[ebp+var_24C], eax
		mov	[ebp+var_244], esi
		mov	[ebp+var_240], esi
		push	esi
		push	7
		lea	eax, [ebp+var_23C]
		push	eax
		lea	eax, [ebp+var_254]
		push	eax
		push	0C0000000h
		lea	eax, [ebp+var_228]
		push	eax
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	edi, eax
		mov	ecx, 0C0000000h
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_A1028D
		mov	[ebp+var_228], esi
		jmp	loc_A103CB
; 

loc_A1028D:				; CODE XREF: CMFFlushHitsFile(x,x)+158j
		mov	[ebp+var_254], 18h
		mov	[ebp+var_250], esi
		mov	[ebp+var_248], 200h
		mov	[ebp+var_24C], esi
		mov	[ebp+var_244], esi
		mov	[ebp+var_240], esi
		push	esi
		push	1
		lea	eax, [ebp+var_254]
		push	eax
		push	1F0003h
		lea	eax, [ebp+var_22C]
		push	eax
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		mov	edi, eax
		mov	ecx, 0C0000000h
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_A103CB
		mov	[ebp+var_270], esi
		mov	[ebp+var_26C], esi
		lea	edx, [ebp+var_270]
		mov	ecx, [ebp+var_228]
		call	_CMFGetFileSizeEx@8 ; CMFGetFileSizeEx(x,x)
		mov	edi, eax
		mov	ecx, 0C0000000h
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_A103CB
		mov	edi, [ebp+var_270]
		mov	eax, [ebp+var_230]
		cmp	eax, edi
		jnb	short loc_A10325
		mov	edi, eax

loc_A10325:				; CODE XREF: CMFFlushHitsFile(x,x)+1F9j
		push	636D6650h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_230], ebx
		test	ebx, ebx
		jnz	short loc_A10348
		mov	edi, 0C0000017h
		jmp	loc_A103CB
; 

loc_A10348:				; CODE XREF: CMFFlushHitsFile(x,x)+214j
		mov	[ebp+ms_exc.disabled], esi
		push	edi		; size_t
		mov	ecx, [ebp+var_234]
		push	ecx		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		push	esi
		lea	eax, [ebp+var_278]
		push	eax
		push	edi
		push	ebx
		lea	eax, [ebp+var_23C]
		push	eax
		push	esi
		push	esi
		push	[ebp+var_22C]
		push	[ebp+var_228]
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 103h
		jnz	short loc_A103CB
		push	esi
		push	esi
		push	[ebp+var_22C]
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		mov	edi, eax
		jmp	short loc_A103CB
; 

loc_A103A2:				; DATA XREF: .text:006AAA74o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_260], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A103B3:				; DATA XREF: .text:006AAA78o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_260]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	esi, esi
		mov	ebx, [ebp+var_230]

loc_A103CB:				; CODE XREF: CMFFlushHitsFile(x,x)+E0j
					; CMFFlushHitsFile(x,x)+160j ...
		test	ebx, ebx
		jz	short loc_A103D6
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A103D6:				; CODE XREF: CMFFlushHitsFile(x,x)+2A5j
		cmp	[ebp+var_22C], 0
		jz	short loc_A103EA
		push	[ebp+var_22C]
		call	_ZwClose@4	; ZwClose(x)

loc_A103EA:				; CODE XREF: CMFFlushHitsFile(x,x)+2B5j
		cmp	[ebp+var_228], 0
		jz	short loc_A103FE
		push	[ebp+var_228]
		call	_ZwClose@4	; ZwClose(x)

loc_A103FE:				; CODE XREF: CMFFlushHitsFile(x,x)+2C9j
		mov	eax, edi

loc_A10400:				; CODE XREF: CMFFlushHitsFile(x,x)+6Bj
					; CMFFlushHitsFile(x,x)+B2j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CMFFlushHitsFile@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CMFGetFileSizeEx(x,	x)
_CMFGetFileSizeEx@8 proc near		; CODE XREF: CMFFlushHitsFile(x,x)+1D5p
					; CMFSystemThreadRoutine(x)+2D0p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	esi, ecx
		lea	edi, [ebp+var_20]
		pop	ecx
		xor	eax, eax
		mov	ebx, edx
		and	[ebp+var_28], eax
		and	[ebp+var_24], eax
		push	5
		rep stosd
		push	18h
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		mov	edx, 0C0000000h
		mov	ecx, eax
		and	ecx, edx
		cmp	ecx, edx
		jz	short loc_A10465
		mov	eax, [ebp+var_18]
		mov	[ebx], eax
		mov	eax, [ebp+var_14]
		mov	[ebx+4], eax
		xor	eax, eax

loc_A10465:				; CODE XREF: CMFGetFileSizeEx(x,x)+46j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CMFGetFileSizeEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CMFGetLargePageSectionSize(x, x)
_CMFGetLargePageSectionSize@8 proc near	; CODE XREF: CMFSystemThreadRoutine(x)+2F4p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ds:0FFDF0244h
		mov	eax, ecx
		push	esi
		shr	ebx, 0Ch
		mov	[ebp+var_14], eax
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jnz	short loc_A1049D
		mov	esi, 0C00000BBh
		jmp	loc_A10542
; 

loc_A1049D:				; CODE XREF: CMFGetLargePageSectionSize(x,x)+1Dj
		mov	ecx, [eax]
		xor	esi, esi
		mov	eax, [eax+4]
		mov	[ebp+var_4], eax
		mov	eax, ecx
		and	eax, 0FFFh
		mov	[ebp+var_8], ecx
		or	eax, esi
		jz	short loc_A104BA
		xor	edx, edx
		inc	edx
		jmp	short loc_A104BC
; 

loc_A104BA:				; CODE XREF: CMFGetLargePageSectionSize(x,x)+3Fj
		mov	edx, esi

loc_A104BC:				; CODE XREF: CMFGetLargePageSectionSize(x,x)+44j
		mov	eax, [ebp+var_4]
		shrd	ecx, eax, 0Ch
		shr	eax, 0Ch
		add	ecx, edx
		mov	[ebp+var_10], ecx
		adc	eax, esi
		xor	edx, edx
		mov	[ebp+var_C], eax
		mov	eax, ecx
		div	ebx
		test	edx, edx
		jnz	short loc_A104E7
		mov	eax, [ebp+var_8]
		mov	[edi], eax
		mov	eax, [ebp+var_4]
		mov	[edi+4], eax
		jmp	short loc_A10542
; 

loc_A104E7:				; CODE XREF: CMFGetLargePageSectionSize(x,x)+64j
		mov	esi, [ebp+var_10]
		xor	eax, eax
		mov	ecx, ebx
		sub	ecx, edx
		mov	edx, [ebp+var_C]
		shld	eax, ecx, 0Ch
		shld	edx, esi, 0Ch
		shl	ecx, 0Ch
		shl	esi, 0Ch
		add	ecx, esi
		push	0
		adc	eax, edx
		add	ecx, 0FFFFF001h
		mov	[edi], ecx
		adc	eax, 0FFFFFFFFh
		mov	[edi+4], eax
		shrd	ecx, eax, 0Ch
		pop	esi
		shr	eax, 0Ch
		add	ecx, 1
		push	esi
		push	ebx
		adc	eax, esi
		push	eax
		push	ecx
		call	__aullrem
		or	eax, edx
		jnz	short loc_A1053D
		cmp	[edi+4], esi
		jnz	short loc_A1053D
		mov	ecx, [ebp+var_14]
		mov	eax, [edi]
		cmp	eax, [ecx]
		jnb	short loc_A10542

loc_A1053D:				; CODE XREF: CMFGetLargePageSectionSize(x,x)+B9j
					; CMFGetLargePageSectionSize(x,x)+BEj
		mov	esi, 0C0000001h

loc_A10542:				; CODE XREF: CMFGetLargePageSectionSize(x,x)+24j
					; CMFGetLargePageSectionSize(x,x)+71j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CMFGetLargePageSectionSize@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CMFReadCompressedSegment(void *,int)
_CMFReadCompressedSegment@16 proc near	; CODE XREF: CMFSystemThreadRoutine(x)+4CEp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_20], edx
		mov	esi, ecx
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		lea	edi, [ebp+var_40]
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_4], eax
		push	6
		pop	ecx
		rep stosd
		mov	edi, eax
		test	esi, esi
		jz	loc_A10716
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	loc_A10716
		test	edx, edx
		jz	loc_A10716
		cmp	dword ptr [ebx+54h], 400h
		jbe	short loc_A105A2
		mov	esi, 0C000000Dh
		jmp	loc_A10745
; 

loc_A105A2:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+4Dj
		call	_XpressDecodeCreate@8 ;	XpressDecodeCreate(x,x)
		mov	edi, eax
		mov	[ebp+arg_4], edi
		test	edi, edi
		jnz	short loc_A105BA
		mov	esi, 0C0000017h
		jmp	loc_A1071B
; 

loc_A105BA:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+65j
		push	esi
		xor	eax, eax
		mov	[ebp+var_40], 18h
		push	8000000h
		push	2
		push	eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	4
		lea	eax, [ebp+var_C]
		mov	[ebp+var_34], 240h
		push	eax
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A1071B
		push	2
		push	400000h
		push	2
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	0
		push	0
		lea	eax, [ebp+var_4]
		push	eax
		push	0FFFFFFFFh
		push	[ebp+var_C]
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A1062A
		and	[ebp+var_4], 0
		jmp	loc_A1072B
; 

loc_A1062A:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+D6j
		mov	esi, [ebp+var_14]
		mov	eax, 1060h
		cmp	esi, eax
		jnb	short loc_A10640

loc_A10636:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+FAj
		mov	esi, 0C0000206h
		jmp	loc_A1071B
; 

loc_A10640:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+EBj
		cmp	[ebp+arg_0], eax
		jb	short loc_A10636
		mov	edi, [ebp+var_20]
		push	eax		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		mov	ecx, [ebp+arg_0]
		lea	eax, [esi-1060h]
		mov	[ebp+var_10], eax
		add	ecx, 0FFFFEFA0h
		mov	eax, [ebp+var_4]
		xor	esi, esi
		add	eax, 1060h
		mov	[ebp+var_18], ecx
		mov	[ebp+var_8], eax
		add	esp, 0Ch
		lea	eax, [edi+1060h]
		mov	[ebp+var_1C], esi
		mov	edi, [ebx+50h]
		mov	[ebp+arg_0], eax
		mov	eax, [ebx+54h]
		test	eax, eax
		jz	short loc_A10701
		lea	edx, [ebx+5Ch]
		mov	[ebp+var_20], edx

loc_A10691:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+1B6j
		dec	eax
		cmp	esi, eax
		jnz	short loc_A1069B
		mov	esi, [ebx+58h]
		jmp	short loc_A106A0
; 

loc_A1069B:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+14Bj
		mov	esi, [edx+4]
		sub	esi, [edx]

loc_A106A0:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+150j
		cmp	esi, [ebp+var_10]
		ja	short loc_A1070C
		test	ecx, ecx
		jz	short loc_A1070C
		cmp	edi, ecx
		jbe	short loc_A106AF
		mov	edi, ecx

loc_A106AF:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+162j
		cmp	esi, edi
		jnz	short loc_A106C4
		push	edi		; size_t
		push	[ebp+var_8]	; void *
		push	[ebp+arg_0]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_A106D9
; 

loc_A106C4:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+168j
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		push	esi
		push	[ebp+var_8]
		push	edi
		push	edi
		call	_XpressDecode@24 ; XpressDecode(x,x,x,x,x,x)
		cmp	eax, edi
		jnz	short loc_A10705

loc_A106D9:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+179j
		add	[ebp+var_8], esi
		sub	[ebp+var_10], esi
		mov	ecx, [ebp+var_18]
		mov	esi, [ebp+var_1C]
		sub	ecx, edi
		add	[ebp+arg_0], edi
		inc	esi
		mov	edx, [ebp+var_20]
		mov	eax, [ebx+54h]
		add	edx, 4
		mov	[ebp+var_18], ecx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_20], edx
		cmp	esi, eax
		jb	short loc_A10691

loc_A10701:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+140j
		xor	esi, esi
		jmp	short loc_A10711
; 

loc_A10705:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+18Ej
		mov	esi, 0C000025Fh
		jmp	short loc_A10711
; 

loc_A1070C:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+15Aj
					; CMFReadCompressedSegment(x,x,x,x)+15Ej
		mov	esi, 0C0000206h

loc_A10711:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+1BAj
					; CMFReadCompressedSegment(x,x,x,x)+1C1j
		mov	edi, [ebp+arg_4]
		jmp	short loc_A1071B
; 

loc_A10716:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+2Dj
					; CMFReadCompressedSegment(x,x,x,x)+38j ...
		mov	esi, 0C000000Dh

loc_A1071B:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+6Cj
					; CMFReadCompressedSegment(x,x,x,x)+A9j ...
		cmp	[ebp+var_4], 0
		jz	short loc_A1072B
		push	[ebp+var_4]
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)

loc_A1072B:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+DCj
					; CMFReadCompressedSegment(x,x,x,x)+1D6j
		cmp	[ebp+var_C], 0
		jz	short loc_A10739
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_A10739:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+1E6j
		test	edi, edi
		jz	short loc_A10745
		push	ecx
		mov	ecx, edi
		call	_XpressDecodeClose@12 ;	XpressDecodeClose(x,x,x)

loc_A10745:				; CODE XREF: CMFReadCompressedSegment(x,x,x,x)+54j
					; CMFReadCompressedSegment(x,x,x,x)+1F2j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_CMFReadCompressedSegment@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CMFRegisterEventTime(x)
_CMFRegisterEventTime@4	proc near	; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+211p
					; NtMapCMFModule(x,x,x,x,x,x)+33Ap ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+58h+var_4], eax
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [esp+60h+var_40]
		push	offset ??_C@_1HO@HPCDOJBK@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@NNGAKEGL@
		push	eax
		mov	si, cx
		mov	[esp+68h+var_40], edi
		mov	[esp+68h+var_3C], edi
		mov	[esp+68h+var_54], edi
		mov	[esp+68h+var_50], edi
		mov	[esp+68h+var_58], edi
		mov	[esp+68h+var_38], edi
		mov	[esp+68h+var_34], edi
		mov	[esp+68h+var_44], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	edi
		push	edi
		lea	eax, [esp+6Ch+var_40]
		mov	[esp+6Ch+var_30], 18h
		mov	[esp+6Ch+var_28], eax
		lea	eax, [esp+6Ch+var_30]
		push	edi
		push	eax
		push	2001Fh
		lea	eax, [esp+78h+var_58]
		mov	[esp+78h+var_2C], edi
		push	eax
		mov	[esp+7Ch+var_24], 240h
		mov	[esp+7Ch+var_20], edi
		mov	[esp+7Ch+var_1C], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_A1090D
		lea	eax, [esp+60h+var_38]
		push	eax
		call	KeQuerySystemTime
		movzx	eax, si
		push	0Bh
		pop	esi
		sub	eax, 1
		jz	short loc_A10823
		sub	eax, 1
		jz	short loc_A1080F
		dec	eax
		sub	eax, 1
		jz	short loc_A10808
		mov	eax, 0C000000Dh
		jmp	loc_A1090D
; 

loc_A10808:				; CODE XREF: CMFRegisterEventTime(x)+AEj
		push	offset ??_C@_1BI@OHJGJLDO@?$AAC?$AAM?$AAF?$AAS?$AAt?$AAo?$AAp?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@ ; "CMFStopTime"
		jmp	short loc_A10814
; 

loc_A1080F:				; CODE XREF: CMFRegisterEventTime(x)+A8j
		push	offset ??_C@_1BK@GCJNNPH@?$AAC?$AAM?$AAF?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@

loc_A10814:				; CODE XREF: CMFRegisterEventTime(x)+BFj
		lea	eax, [esp+64h+var_54]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_A108E9
; 

loc_A10823:				; CODE XREF: CMFRegisterEventTime(x)+A3j
		push	offset ??_C@_1BK@GCJNNPH@?$AAC?$AAM?$AAF?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@
		lea	eax, [esp+64h+var_54]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+60h+var_44]
		push	eax
		push	14h
		lea	eax, [esp+68h+var_18]
		push	eax
		push	2
		lea	eax, [esp+70h+var_54]
		push	eax
		push	[esp+74h+var_58]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A10886
		cmp	[esp+60h+var_14], esi
		jnz	short loc_A10886
		push	offset ??_C@_1CC@IEGFOIJJ@?$AAC?$AAM?$AAF?$AAL?$AAa?$AAs?$AAt?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT?$AAi?$AAm@NNGAKEGL@	; "CMFLastStartTime"
		lea	eax, [esp+64h+var_4C]
		mov	[esp+64h+var_4C], edi
		push	eax
		mov	[esp+68h+var_48], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		lea	eax, [esp+64h+var_C]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+70h+var_4C]
		push	eax
		push	[esp+74h+var_58]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_A10886:				; CODE XREF: CMFRegisterEventTime(x)+102j
					; CMFRegisterEventTime(x)+108j
		push	offset ??_C@_1CA@HHFNNGD@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT?$AAi?$AAm?$AAe@NNGAKEGL@
		lea	eax, [esp+64h+var_54]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+60h+var_44]
		push	eax
		push	14h
		lea	eax, [esp+68h+var_18]
		push	eax
		push	2
		lea	eax, [esp+70h+var_54]
		push	eax
		push	[esp+74h+var_58]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A108E9
		cmp	[esp+60h+var_14], esi
		jnz	short loc_A108E9
		push	offset ??_C@_1CI@GJIDLDKO@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAL?$AAa?$AAs?$AAt?$AAS?$AAt?$AAa?$AAr?$AAt@NNGAKEGL@
		lea	eax, [esp+64h+var_4C]
		mov	[esp+64h+var_4C], edi
		push	eax
		mov	[esp+68h+var_48], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	8
		lea	eax, [esp+64h+var_C]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+70h+var_4C]
		push	eax
		push	[esp+74h+var_58]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_A108E9:				; CODE XREF: CMFRegisterEventTime(x)+D0j
					; CMFRegisterEventTime(x)+165j	...
		push	8
		lea	eax, [esp+64h+var_38]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+70h+var_54]
		push	eax
		push	[esp+74h+var_58]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[esp+60h+var_58]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi

loc_A1090D:				; CODE XREF: CMFRegisterEventTime(x)+8Aj
					; CMFRegisterEventTime(x)+B5j
		mov	ecx, [esp+60h+var_4]
		pop	edi
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_CMFRegisterEventTime@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CMFSystemThreadRoutine(x)
_CMFSystemThreadRoutine@4 proc near	; DATA XREF: NtMapCMFModule(x,x,x,x,x,x)+550o

var_290		= dword	ptr -290h
var_28A		= byte ptr -28Ah
var_288		= dword	ptr -288h
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27A		= byte ptr -27Ah
var_279		= byte ptr -279h
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= word ptr -210h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 284h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+284h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edx, edx
		xor	eax, eax
		mov	ebx, [ebp+arg_0]
		mov	[esp+290h+var_228], edx
		mov	[esp+290h+var_224], edx
		mov	[esp+290h+var_230], edx
		mov	[esp+290h+var_22C], edx
		mov	[esp+290h+var_268], edx
		mov	[esp+290h+var_264], edx
		mov	[esp+290h+var_220], edx
		mov	[esp+290h+var_21C], edx
		mov	[esp+290h+var_250], edx
		mov	[esp+290h+var_218], edx
		mov	[esp+290h+var_214], edx
		mov	[esp+290h+var_279], dl
		mov	[esp+290h+var_260], edx
		mov	[esp+290h+var_26C], edx
		mov	[esp+290h+var_254], edx
		mov	[esp+290h+var_24C], edx
		mov	[esp+290h+var_25C], edx
		mov	[esp+290h+var_270], edx
		lea	edi, [esp+290h+var_248]
		push	6
		pop	ecx
		rep stosd
		mov	edi, edx
		mov	[esp+290h+var_280], edi
		test	ebx, ebx
		jz	loc_A10EE4
		mov	eax, [ebx+28h]
		cmp	eax, 10h
		jnz	short loc_A109C5
		push	dword ptr [ebx+4]
		mov	[esp+294h+var_274], offset aRescdir ; "RESCDIR"
		push	offset ??_C@_1CK@DHBGEEEI@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAR?$AAe?$AAs@NNGAKEGL@ ; "\\SystemRoot\\Rescache"
		push	offset ??_C@_1CO@CAEBGMOI@?$AA?$CF?$AAs?$AA?2?$AAr?$AAc?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AAr?$AAe?$AAs?$AAc?$AAa@NNGAKEGL@
		jmp	loc_A10A47
; 

loc_A109C5:				; CODE XREF: CMFSystemThreadRoutine(x)+8Bj
		cmp	eax, 20h
		jnz	short loc_A10A27
		push	636D6650h
		mov	eax, 1060h
		push	eax
		push	1
		mov	[esp+29Ch+var_258], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+290h+var_280], edi
		test	edi, edi
		jnz	short loc_A109F4
		mov	esi, 0C0000017h
		jmp	loc_A10E63
; 

loc_A109F4:				; CODE XREF: CMFSystemThreadRoutine(x)+CAj
		push	dword ptr [ebx+18h]
		lea	eax, [esp+294h+var_210]
		mov	[esp+294h+var_274], offset aRescseg ; "RESCSEG"
		push	dword ptr [ebx+4]
		mov	[esp+298h+var_278], edi
		push	offset ??_C@_1CK@DHBGEEEI@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAR?$AAe?$AAs@NNGAKEGL@ ; "\\SystemRoot\\Rescache"
		push	offset ??_C@_1DA@KEPEHAO@?$AA?$CF?$AAs?$AA?2?$AAr?$AAc?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AAs?$AAe?$AAg?$AAm?$AAe@NNGAKEGL@ ; wchar_t *
		push	104h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 18h
		jmp	short loc_A10A6F
; 

loc_A10A27:				; CODE XREF: CMFSystemThreadRoutine(x)+AAj
		cmp	eax, 100h
		jnz	loc_A10E5E
		push	dword ptr [ebx+4]
		mov	[esp+294h+var_274], offset aReschit ; "RESCHIT"
		push	offset ??_C@_1CK@DHBGEEEI@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAR?$AAe?$AAs@NNGAKEGL@ ; "\\SystemRoot\\Rescache"
		push	offset ??_C@_1CO@FCIFCGHL@?$AA?$CF?$AAs?$AA?2?$AAr?$AAc?$AA?$CF?$AA0?$AA4?$AAu?$AA?2?$AAr?$AAe?$AAs?$AAc?$AAa@NNGAKEGL@	; wchar_t *

loc_A10A47:				; CODE XREF: CMFSystemThreadRoutine(x)+A2j
		lea	eax, [esp+29Ch+var_218]
		mov	[esp+29Ch+var_258], 8
		mov	[esp+29Ch+var_278], eax
		lea	eax, [esp+29Ch+var_210]
		push	104h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 14h

loc_A10A6F:				; CODE XREF: CMFSystemThreadRoutine(x)+107j
		mov	edi, 0C0000000h
		mov	esi, eax
		and	eax, edi
		cmp	eax, edi
		jz	short loc_A10AD9
		lea	eax, [esp+290h+var_210]
		push	eax
		lea	eax, [esp+294h+var_220]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ecx, ecx
		mov	[esp+290h+var_248], 18h
		push	ecx
		lea	eax, [esp+294h+var_220]
		mov	[esp+294h+var_244], ecx
		mov	[esp+294h+var_240], eax
		lea	eax, [esp+294h+var_228]
		push	7
		push	eax
		lea	eax, [esp+29Ch+var_248]
		mov	[esp+29Ch+var_23C], 240h
		push	eax
		push	edi
		lea	eax, [esp+2A4h+var_26C]
		mov	[esp+2A4h+var_238], ecx
		push	eax
		mov	[esp+2A8h+var_234], ecx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		and	eax, edi
		cmp	eax, edi
		jnz	short loc_A10AE2
		and	[esp+290h+var_26C], 0

loc_A10AD9:				; CODE XREF: CMFSystemThreadRoutine(x)+15Cj
					; CMFSystemThreadRoutine(x)+203j ...
		mov	edi, [esp+290h+var_280]
		jmp	loc_A10E63
; 

loc_A10AE2:				; CODE XREF: CMFSystemThreadRoutine(x)+1B4j
		xor	eax, eax
		mov	[esp+290h+var_248], 18h
		push	eax
		mov	[esp+294h+var_244], eax
		mov	[esp+294h+var_240], eax
		mov	[esp+294h+var_238], eax
		mov	[esp+294h+var_234], eax
		lea	eax, [esp+294h+var_248]
		push	1
		push	eax
		push	1F0003h
		lea	eax, [esp+2A0h+var_260]
		mov	[esp+2A0h+var_23C], 200h
		push	eax
		call	_ZwCreateEvent@20 ; ZwCreateEvent(x,x,x,x,x)
		mov	esi, eax
		and	eax, edi
		cmp	eax, edi
		jz	short loc_A10AD9
		xor	ecx, ecx
		lea	eax, [esp+290h+var_268]
		push	ecx
		push	eax
		push	[esp+298h+var_258]
		lea	eax, [esp+29Ch+var_228]
		push	[esp+29Ch+var_278]
		push	eax
		push	ecx
		push	ecx
		push	[esp+2ACh+var_260]
		push	[esp+2B0h+var_26C]
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A10AD9
		push	0
		push	0
		push	[esp+298h+var_260]
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A10B74

loc_A10B60:				; CODE XREF: CMFSystemThreadRoutine(x)+4B4j
		mov	edi, [esp+290h+var_280]
		js	loc_A10E63
		mov	esi, 0C0000001h
		jmp	loc_A10E63
; 

loc_A10B74:				; CODE XREF: CMFSystemThreadRoutine(x)+240j
		mov	ecx, [esp+290h+var_278]
		mov	edx, [esp+290h+var_274]
		mov	eax, [ecx]
		cmp	eax, [edx]
		jnz	loc_A10E54
		mov	eax, [ecx+4]
		cmp	eax, [edx+4]
		jnz	loc_A10E54
		mov	esi, [ebx+28h]
		xor	edx, edx
		mov	eax, [esp+290h+var_280]
		cmp	esi, 20h
		jnz	short loc_A10BB2
		cmp	[eax+4Ch], edx
		jz	short loc_A10BB2
		or	dword ptr [ebx+14h], 4
		mov	[esp+290h+var_279], 1
		mov	byte ptr [ebx+0Ch], 1

loc_A10BB2:				; CODE XREF: CMFSystemThreadRoutine(x)+280j
					; CMFSystemThreadRoutine(x)+285j
		cmp	byte ptr [ebx+0Ch], 0
		mov	ecx, [esp+290h+var_26C]
		mov	[esp+290h+var_278], edx
		mov	[esp+290h+var_274], edx
		mov	[esp+290h+var_258], ecx
		jz	short loc_A10C44
		mov	[esp+290h+var_258], edx
		mov	[esp+290h+var_268], edx
		mov	[esp+290h+var_264], edx
		cmp	esi, 10h
		jz	short loc_A10BEA
		cmp	esi, 100h
		jz	short loc_A10BEA
		mov	eax, [eax+20h]
		mov	[esp+290h+var_268], eax
		jmp	short loc_A10C06
; 

loc_A10BEA:				; CODE XREF: CMFSystemThreadRoutine(x)+2B9j
					; CMFSystemThreadRoutine(x)+2C1j
		lea	edx, [esp+290h+var_268]
		call	_CMFGetFileSizeEx@8 ; CMFGetFileSizeEx(x,x)
		mov	esi, eax
		and	eax, edi
		cmp	eax, edi
		jz	loc_A10AD9
		mov	eax, [esp+290h+var_268]
		mov	esi, [ebx+28h]

loc_A10C06:				; CODE XREF: CMFSystemThreadRoutine(x)+2CAj
		lea	edx, [esp+290h+var_230]
		mov	[esp+290h+var_278], eax
		lea	ecx, [esp+290h+var_268]
		call	_CMFGetLargePageSectionSize@8 ;	CMFGetLargePageSectionSize(x,x)
		test	eax, eax
		js	short loc_A10C2E
		cmp	dword ptr [ebx], 0
		jge	short loc_A10C2E
		mov	eax, [esp+290h+var_230]
		lea	ecx, [esp+290h+var_230]
		mov	[esp+290h+var_274], ecx
		jmp	short loc_A10C40
; 

loc_A10C2E:				; CODE XREF: CMFSystemThreadRoutine(x)+2FBj
					; CMFSystemThreadRoutine(x)+300j
		and	dword ptr [ebx], 7FFFFFFFh
		lea	eax, [esp+290h+var_268]
		mov	[esp+290h+var_274], eax
		mov	eax, [esp+290h+var_278]

loc_A10C40:				; CODE XREF: CMFSystemThreadRoutine(x)+30Ej
		mov	[esp+290h+var_250], eax

loc_A10C44:				; CODE XREF: CMFSystemThreadRoutine(x)+2A8j
		cmp	esi, 100h
		jz	short loc_A10C63
		xor	edx, edx
		lea	ecx, [esp+290h+var_24C]
		call	_CMFCreateSecurityDescriptor@8 ; CMFCreateSecurityDescriptor(x,x)
		mov	esi, eax
		and	eax, edi
		cmp	eax, edi
		jz	loc_A10AD9

loc_A10C63:				; CODE XREF: CMFSystemThreadRoutine(x)+32Cj
		push	[esp+290h+var_258]
		mov	eax, [esp+294h+var_24C]
		xor	ecx, ecx
		push	dword ptr [ebx]
		mov	[esp+298h+var_244], ecx
		push	4
		push	[esp+29Ch+var_274]
		mov	[esp+2A0h+var_240], ecx
		mov	[esp+2A0h+var_238], eax
		mov	[esp+2A0h+var_234], ecx
		jmp	short loc_A10CCD
; 

loc_A10C87:				; CODE XREF: CMFSystemThreadRoutine(x)+3D4j
		cmp	byte ptr [ebx+0Ch], 0
		jz	loc_A10D2F
		mov	ecx, [ebx]
		test	ecx, ecx
		jns	loc_A10D2F
		push	[esp+2A0h+var_268]
		mov	eax, [esp+2A4h+var_288]
		and	ecx, 7FFFFFFFh
		mov	[esp+2A4h+var_260], eax
		xor	edx, edx
		mov	eax, [esp+2A4h+var_25C]
		push	ecx
		mov	[esp+2A8h+var_248], eax
		lea	eax, [esp+2A8h+var_278]
		push	4
		mov	[ebx], ecx
		mov	[esp+2ACh+var_254], edx
		mov	[esp+2ACh+var_250], edx
		mov	[esp+2ACh+var_244], edx
		push	eax

loc_A10CCD:				; CODE XREF: CMFSystemThreadRoutine(x)+367j
		lea	eax, [esp+2B0h+var_258]
		mov	[esp+2B0h+var_258], 18h
		push	eax
		push	6
		lea	eax, [esp+2B8h+var_26C]
		mov	[esp+2B8h+var_24C], 240h
		push	eax
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A10C87
		mov	eax, ds:_MmSectionObjectType
		lea	ecx, [esp+2A0h+var_284]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		push	eax
		push	0F001Fh
		push	[esp+2B4h+var_26C]
		mov	[esp+2B8h+var_284], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [esp+2A0h+var_284]
		mov	esi, eax
		and	eax, edi
		mov	[esp+2A0h+var_264], ecx
		cmp	eax, edi
		jnz	short loc_A10D39
		and	[esp+2A0h+var_264], 0
		jmp	loc_A10AD9
; 

loc_A10D2F:				; CODE XREF: CMFSystemThreadRoutine(x)+36Dj
					; CMFSystemThreadRoutine(x)+377j
		and	[esp+2A0h+var_26C], 0
		jmp	loc_A10AD9
; 

loc_A10D39:				; CODE XREF: CMFSystemThreadRoutine(x)+405j
		cmp	byte ptr [ebx+0Ch], 0
		jz	loc_A10E0E
		push	4
		push	400000h
		push	2
		lea	eax, [esp+2ACh+var_260]
		xor	ecx, ecx
		push	eax
		lea	eax, [esp+2B0h+var_278]
		mov	[esp+2B0h+var_278], ecx
		push	eax
		push	ecx
		push	ecx
		lea	eax, [esp+2BCh+var_280]
		mov	[esp+2BCh+var_274], ecx
		push	eax
		push	0FFFFFFFFh
		push	[esp+2C4h+var_26C]
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		and	eax, edi
		cmp	eax, edi
		jnz	short loc_A10D84
		and	[esp+2A0h+var_280], 0
		jmp	loc_A10AD9
; 

loc_A10D84:				; CODE XREF: CMFSystemThreadRoutine(x)+45Aj
		cmp	byte ptr [esp+17h], 0
		jnz	short loc_A10DD7
		xor	edi, edi
		lea	eax, [esp+2A0h+var_278]
		push	edi
		push	eax
		push	[esp+2A8h+var_288]
		lea	eax, [esp+2ACh+var_238]
		mov	[esp+2ACh+var_278], edi
		push	[esp+2ACh+var_280]
		mov	[esp+2B0h+var_274], edi
		push	eax
		push	edi
		push	edi
		push	[esp+2BCh+var_270]
		push	dword ptr [esp+44h]
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A10AD9
		push	edi
		push	edi
		push	[esp+2A8h+var_270]
		call	_ZwWaitForSingleObject@12 ; ZwWaitForSingleObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A10DF7
		jmp	loc_A10B60
; 

loc_A10DD7:				; CODE XREF: CMFSystemThreadRoutine(x)+46Bj
		mov	edi, [esp+2A0h+var_290]
		push	edi		; int
		push	[esp+2A4h+var_288] ; void *
		and	dword ptr [edi+4Ch], 0
		mov	edx, [esp+2A8h+var_280]
		mov	ecx, [esp+2Ch]
		call	_CMFReadCompressedSegment@16 ; CMFReadCompressedSegment(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A10E63

loc_A10DF7:				; CODE XREF: CMFSystemThreadRoutine(x)+4B2j
		push	[esp+2A0h+var_280]
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)
		mov	ecx, [esp+2A0h+var_264]
		xor	edx, edx
		mov	[esp+2A0h+var_280], edx
		jmp	short loc_A10E10
; 

loc_A10E0E:				; CODE XREF: CMFSystemThreadRoutine(x)+41Fj
		xor	edx, edx

loc_A10E10:				; CODE XREF: CMFSystemThreadRoutine(x)+4EEj
		mov	eax, [ebx+24h]
		test	eax, eax
		jz	loc_A10AD9
		mov	[eax], ecx
		cmp	dword ptr [ebx+28h], 10h
		mov	[esp+2A0h+var_264], edx
		jnz	loc_A10AD9
		cmp	_CMFCacheIndex,	2710h
		jnz	loc_A10AD9
		mov	eax, [ebx+14h]
		and	eax, 0Fh
		or	_CMFFlagsCache,	eax
		mov	eax, [ebx+4]
		mov	_CMFCacheIndex,	eax
		jmp	loc_A10AD9
; 

loc_A10E54:				; CODE XREF: CMFSystemThreadRoutine(x)+262j
					; CMFSystemThreadRoutine(x)+26Ej
		mov	esi, 0C000A000h
		jmp	loc_A10AD9
; 

loc_A10E5E:				; CODE XREF: CMFSystemThreadRoutine(x)+10Ej
		mov	esi, 0C000000Dh

loc_A10E63:				; CODE XREF: CMFSystemThreadRoutine(x)+D1j
					; CMFSystemThreadRoutine(x)+1BFj ...
		cmp	[esp+290h+var_260], 0
		jz	short loc_A10E73
		push	[esp+290h+var_260]
		call	_ZwClose@4	; ZwClose(x)

loc_A10E73:				; CODE XREF: CMFSystemThreadRoutine(x)+54Aj
		cmp	[esp+290h+var_270], 0
		jz	short loc_A10E85
		push	[esp+290h+var_270]
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)

loc_A10E85:				; CODE XREF: CMFSystemThreadRoutine(x)+55Aj
		cmp	[esp+290h+var_25C], 0
		jz	short loc_A10E95
		push	[esp+290h+var_25C]
		call	_ZwClose@4	; ZwClose(x)

loc_A10E95:				; CODE XREF: CMFSystemThreadRoutine(x)+56Cj
		cmp	[esp+290h+var_26C], 0
		jz	short loc_A10EA5
		push	[esp+290h+var_26C]
		call	_ZwClose@4	; ZwClose(x)

loc_A10EA5:				; CODE XREF: CMFSystemThreadRoutine(x)+57Cj
		mov	eax, [esp+290h+var_24C]
		test	eax, eax
		jz	short loc_A10EB5
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A10EB5:				; CODE XREF: CMFSystemThreadRoutine(x)+58Dj
		mov	eax, [esp+290h+var_254]
		test	eax, eax
		jz	short loc_A10EC4
		mov	ecx, eax
		call	ObfDereferenceObject

loc_A10EC4:				; CODE XREF: CMFSystemThreadRoutine(x)+59Dj
		test	edi, edi
		jz	short loc_A10ED0
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A10ED0:				; CODE XREF: CMFSystemThreadRoutine(x)+5A8j
		mov	eax, [ebx+10h]
		mov	[ebx+20h], esi
		test	eax, eax
		jz	short loc_A10EE4
		push	0
		push	1
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_A10EE4:				; CODE XREF: CMFSystemThreadRoutine(x)+7Fj
					; CMFSystemThreadRoutine(x)+5BAj
		mov	ecx, [esp+290h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_CMFSystemThreadRoutine@4 endp


;  S U B	R O U T	I N E 


; __stdcall CMFUnmapModules(x)
_CMFUnmapModules@4 proc	near		; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+209p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		test	bl, 20h
		jz	short loc_A10F3B
		push	edi
		mov	edi, _CMFSegmentSectionPointer
		xor	eax, eax
		mov	ecx, offset _CMFSegmentSectionPointer
		xchg	eax, [ecx]
		test	edi, edi
		jz	short loc_A10F3A
		xor	esi, esi

loc_A10F1C:				; CODE XREF: CMFUnmapModules(x)+35j
		mov	ecx, [edi+esi*4]
		test	ecx, ecx
		jz	short loc_A10F2C
		call	ObfDereferenceObject
		and	dword ptr [edi+esi*4], 0

loc_A10F2C:				; CODE XREF: CMFUnmapModules(x)+26j
		inc	esi
		cmp	esi, 1Eh
		jb	short loc_A10F1C
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A10F3A:				; CODE XREF: CMFUnmapModules(x)+1Dj
		pop	edi

loc_A10F3B:				; CODE XREF: CMFUnmapModules(x)+9j
		test	bl, 10h
		jz	short loc_A10F60
		mov	ecx, _CMFDirectorySectionPointer
		test	ecx, ecx
		jz	short loc_A10F60
		xor	edx, edx
		mov	esi, offset _CMFDirectorySectionPointer
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	ecx, eax
		jnz	short loc_A10F60
		call	ObfDereferenceObject

loc_A10F60:				; CODE XREF: CMFUnmapModules(x)+43j
					; CMFUnmapModules(x)+4Dj ...
		test	ebx, 100h
		jz	short loc_A10F88
		mov	ecx, _CMFHitsSectionPointer
		test	ecx, ecx
		jz	short loc_A10F88
		xor	edx, edx
		mov	esi, offset _CMFHitsSectionPointer
		mov	eax, ecx
		lock cmpxchg [esi], edx
		cmp	ecx, eax
		jnz	short loc_A10F88
		call	ObfDereferenceObject

loc_A10F88:				; CODE XREF: CMFUnmapModules(x)+6Bj
					; CMFUnmapModules(x)+75j ...
		pop	esi
		xor	eax, eax
		pop	ebx
		retn
_CMFUnmapModules@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtMapCMFModule(x, x, x, x, x, x)
_NtMapCMFModule@24 proc	near		; DATA XREF: .text:00580F94o

var_C8		= dword	ptr -0C8h
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= byte ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

; FUNCTION CHUNK AT 00A111CD SIZE 0000056F BYTES
; FUNCTION CHUNK AT 00A11770 SIZE 00000031 BYTES

		push	0B8h
		push	offset dword_6AAA28
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_3C], ebx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_B0]
		rep stosd
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		lea	edi, [ebp+var_C8]
		stosd
		stosd
		stosd
		stosd
		mov	[ebp+var_58], ebx
		push	2Ch		; size_t
		push	ebx		; int
		lea	eax, [ebp+var_98]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_24], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_3C], ebx
		mov	eax, large fs:124h
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_5C], al
		test	al, al
		jnz	short loc_A11002

loc_A10FF5:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+7Bj
		mov	esi, 0C0000001h

loc_A10FFA:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+8Dj
					; NtMapCMFModule(x,x,x,x,x,x)+EAj
		mov	[ebp+var_1C], esi
		jmp	loc_A11770
; 

loc_A11002:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+66j
		cmp	_InitSafeBootMode, ebx
		jnz	short loc_A10FF5
		mov	edi, [ebp+arg_0]
		test	edi, 0FFE0FE81h
		jz	short loc_A1101C

loc_A11015:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+D0j
					; NtMapCMFModule(x,x,x,x,x,x)+D4j
		mov	esi, 0C000000Dh
		jmp	short loc_A10FFA
; 

loc_A1101C:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+86j
		mov	ecx, offset _CMFLock
		call	MUIInitializeResourceLock
		mov	esi, eax
		mov	[ebp+var_1C], esi
		mov	ecx, esi
		mov	eax, 0C0000000h
		and	ecx, eax
		cmp	ecx, eax
		jz	loc_A11770
		test	edi, 20000h
		jz	loc_A111CD
		mov	edx, edi
		mov	esi, 180000h
		and	edx, esi
		setnz	cl
		bt	edi, 12h
		setb	al
		test	cl, al
		jnz	short loc_A11015
		cmp	edx, esi
		jz	short loc_A11015
		mov	esi, 1C0000h
		and	edi, esi
		mov	eax, _CMFFlagsCache
		and	eax, esi
		cmp	edi, eax
		jnz	short loc_A11079

loc_A11075:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+7AAj
		mov	esi, ebx
		jmp	short loc_A10FFA
; 

loc_A11079:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+E6j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	_CMFLock
		call	ExAcquireResourceExclusiveLite
		mov	[ebp+ms_exc.disabled], ebx
		mov	eax, _CMFFlagsCache
		and	eax, esi
		cmp	edi, eax
		jz	loc_A111A3
		mov	ecx, _CMFDirectorySectionPointer
		test	ecx, ecx
		jz	short loc_A110E9
		test	edi, edi
		jnz	short loc_A110B5
		mov	esi, 0C00000BBh
		jmp	loc_A111A5
; 

loc_A110B5:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+11Cj
		test	ecx, ecx
		jz	short loc_A110E9
		mov	edx, 80000000h
		mov	[ebp+var_68], edx
		test	eax, eax
		jz	short loc_A110CD
		mov	edx, 0C0000000h
		mov	[ebp+var_68], edx

loc_A110CD:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+136j
		push	[ebp+var_5C]
		call	_CMFCheckAccess@12 ; CMFCheckAccess(x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		mov	ecx, 0C0000000h
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_A111A8

loc_A110E9:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+118j
					; NtMapCMFModule(x,x,x,x,x,x)+12Aj
		mov	eax, _CMFFlagsCache
		and	eax, 0FFE3FFFFh
		mov	_CMFFlagsCache,	eax
		or	eax, edi
		mov	_CMFFlagsCache,	eax
		mov	ecx, _CMFDirectorySectionPointer
		test	ecx, ecx
		jz	loc_A111A3
		test	eax, 180000h
		jz	loc_A111A3
		mov	[ebp+var_24], ebx
		push	68h
		pop	esi
		mov	[ebp+var_2C], esi
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	ecx
		call	_MmMapViewInSystemSpace@12 ; MmMapViewInSystemSpace(x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		js	short loc_A1117D
		mov	edx, [ebp+var_24]
		test	edx, edx
		jz	short loc_A1117D
		cmp	[ebp+var_2C], esi
		jb	short loc_A11174
		and	dword ptr [edx+30h], 0FFE3FFFFh
		mov	ecx, _CMFFlagsCache
		and	ecx, 80000h
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 0FFF80000h
		add	ecx, 100000h
		or	ecx, [edx+30h]
		mov	[edx+30h], ecx
		mov	edx, [ebp+var_24]

loc_A11174:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+1B9j
		push	edx
		call	_MmUnmapViewInSystemSpace@4 ; MmUnmapViewInSystemSpace(x)
		mov	[ebp+var_24], ebx

loc_A1117D:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+1ADj
					; NtMapCMFModule(x,x,x,x,x,x)+1B4j
		mov	ecx, _CMFFlagsCache
		and	ecx, 100000h
		neg	ecx
		sbb	ecx, ecx
		and	ecx, 110h
		add	ecx, 20h
		call	_CMFUnmapModules@4 ; CMFUnmapModules(x)
		push	4
		pop	ecx
		call	_CMFRegisterEventTime@4	; CMFRegisterEventTime(x)

loc_A111A3:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+10Aj
					; NtMapCMFModule(x,x,x,x,x,x)+17Aj ...
		mov	esi, ebx

loc_A111A5:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+123j
		mov	[ebp+var_1C], esi

loc_A111A8:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+156j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_A111BC
		jmp	loc_A11770
_NtMapCMFModule@24 endp


;  S U B	R O U T	I N E 


sub_A111B9	proc near		; DATA XREF: .text:006AAA40o
		mov	esi, [ebp-1Ch]
sub_A111B9	endp


;  S U B	R O U T	I N E 


sub_A111BC	proc near		; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+222p
		mov	ecx, _CMFLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		retn
sub_A111BC	endp

; 
; START	OF FUNCTION CHUNK FOR _NtMapCMFModule@24

loc_A111CD:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+B5j
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		push	1
		push	_CMFLock
		call	ExAcquireResourceSharedLite
		xor	edx, edx
		inc	edx
		mov	[ebp+ms_exc.disabled], edx
		mov	eax, _CMFFlagsCache
		test	eax, eax
		jz	short loc_A11254
		mov	ecx, eax
		and	ecx, 0Fh
		jz	short loc_A111FF
		and	edi, 0FFFFFFF0h
		mov	[ebp+arg_0], edi
		or	edi, ecx
		jmp	short loc_A11201
; 

loc_A111FF:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+266j
		or	edi, edx

loc_A11201:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+270j
		mov	[ebp+arg_0], edi
		test	eax, 100000h
		jz	short loc_A11228
		test	edi, 10000h
		jnz	short loc_A11220

loc_A11213:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+2B6j
		mov	esi, 0C0000098h

loc_A11218:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+34Aj
					; NtMapCMFModule(x,x,x,x,x,x)+3B7j ...
		mov	[ebp+var_1C], esi
		jmp	loc_A11693
; 

loc_A11220:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+284j
		or	edi, 100000h
		jmp	short loc_A11256
; 

loc_A11228:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+27Cj
		mov	ecx, 80000h
		test	eax, ecx
		jz	short loc_A11249
		mov	eax, edi
		and	eax, 130h
		cmp	eax, 20h
		jnz	short loc_A11245
		test	edi, 10000h
		jz	short loc_A11213

loc_A11245:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+2AEj
					; NtMapCMFModule(x,x,x,x,x,x)+2C5j
		or	edi, ecx
		jmp	short loc_A11256
; 

loc_A11249:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+2A2j
		mov	ecx, 40000h
		test	eax, ecx
		jz	short loc_A11259
		jmp	short loc_A11245
; 

loc_A11254:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+25Fj
		or	edi, edx

loc_A11256:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+299j
					; NtMapCMFModule(x,x,x,x,x,x)+2BAj
		mov	[ebp+arg_0], edi

loc_A11259:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+2C3j
		mov	ecx, edi
		and	ecx, 0FFFFFECFh
		mov	[ebp+var_54], ecx
		mov	[ebp+var_3C], ecx
		and	edi, 130h
		mov	[ebp+arg_0], edi
		mov	eax, ecx
		and	eax, 40h
		push	0
		pop	edx
		setnz	dl
		lea	edx, ds:2[edx*2]
		mov	[ebp+var_34], edx
		neg	eax
		sbb	eax, eax
		and	eax, 40000000h
		add	eax, 80000000h
		mov	[ebp+var_40], eax
		mov	edx, 2710h
		mov	[ebp+var_30], edx
		mov	[ebp+var_1D], bl
		cmp	edi, 10h
		jnz	loc_A11349
		mov	eax, _CMFCacheIndex
		mov	[ebp+var_38], eax
		cmp	eax, edx
		jb	short loc_A112E2
		cmp	[ebp+arg_4], edx
		jb	short loc_A112DC
		cmp	_CMFFirstAccess, 0
		jz	short loc_A112D2
		xor	ecx, ecx
		inc	ecx
		call	_CMFRegisterEventTime@4	; CMFRegisterEventTime(x)
		mov	_CMFFirstAccess, bl

loc_A112D2:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+335j
					; NtMapCMFModule(x,x,x,x,x,x)+3C9j ...
		mov	esi, 0C000000Dh
		jmp	loc_A11218
; 

loc_A112DC:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+32Cj
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_38], eax

loc_A112E2:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+327j
		mov	[ebp+var_30], eax
		test	cl, 2
		jz	short loc_A112EE
		mov	[ebp+var_1D], 1

loc_A112EE:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+35Bj
		mov	eax, offset _CMFDirectorySectionPointer

loc_A112F3:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+452j
		mov	[ebp+var_28], eax
		mov	eax, [eax]

loc_A112F8:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+485j
		mov	ecx, [ebp+var_28]

loc_A112FB:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+4AFj
		test	eax, eax
		jnz	loc_A11574
		mov	ecx, _CMFLock
		call	ExReleaseResourceLite
		push	1
		push	_CMFLock
		call	ExAcquireResourceExclusiveLite
		mov	ecx, _CMFFlagsCache
		mov	eax, ecx
		mov	edx, [ebp+var_54]
		xor	eax, edx
		test	eax, 1C0000h
		jz	loc_A11441
		test	ecx, 180000h
		jz	loc_A11441

loc_A1133F:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+5A7j
		mov	esi, 0C0000001h
		jmp	loc_A11218
; 

loc_A11349:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+317j
		cmp	edi, 20h
		jnz	loc_A113E4
		cmp	[ebp+arg_4], 1Eh
		jnb	loc_A112D2
		mov	eax, _CMFCacheIndex
		mov	[ebp+var_38], eax
		cmp	eax, edx
		jz	loc_A112D2
		mov	[ebp+var_30], eax
		cmp	_CMFSegmentSectionPointer, 0
		jnz	short loc_A113CA
		push	636D6650h
		push	78h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_A11397
		mov	esi, 0C0000017h
		jmp	loc_A11218
; 

loc_A11397:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+3FEj
		push	78h		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, [ebp+var_24]
		mov	edx, offset _CMFSegmentSectionPointer
		xor	eax, eax
		lock cmpxchg [edx], ecx
		mov	[ebp+var_B4], eax
		test	eax, eax
		jz	short loc_A113C4
		push	ebx
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A113C4:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+42Cj
		mov	[ebp+var_24], ebx
		mov	ecx, [ebp+var_54]

loc_A113CA:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+3E9j
		test	cl, 4
		jz	short loc_A113D3
		mov	[ebp+var_1D], 1

loc_A113D3:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+440j
		mov	ecx, _CMFSegmentSectionPointer
		mov	eax, [ebp+arg_4]
		lea	eax, [ecx+eax*4]
		jmp	loc_A112F3
; 

loc_A113E4:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+3BFj
		cmp	edi, 100h
		jnz	loc_A112D2
		mov	eax, _CMFCacheIndex
		mov	[ebp+var_38], eax
		mov	[ebp+var_30], eax
		test	cl, 8
		jz	short loc_A11404
		mov	[ebp+var_1D], 1

loc_A11404:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+471j
		mov	[ebp+var_28], offset _CMFHitsSectionPointer
		mov	eax, _CMFHitsSectionPointer
		test	eax, eax
		jnz	loc_A112F8
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		lea	eax, [ebp+var_64]
		push	eax
		call	KeQuerySystemTime
		mov	eax, [ebp+var_64]
		mov	_CMFHitsLastFlushTime, eax
		mov	eax, [ebp+var_60]
		mov	dword_701314, eax
		mov	ecx, [ebp+var_28]
		mov	eax, [ecx]
		jmp	loc_A112FB
; 

loc_A11441:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+3A0j
					; NtMapCMFModule(x,x,x,x,x,x)+3ACj
		mov	ecx, [ebp+var_28]
		cmp	[ecx], ebx
		jnz	loc_A11566
		mov	[ebp+var_98], 8000000h
		mov	eax, [ebp+var_38]
		mov	[ebp+var_94], eax
		mov	eax, [ebp+var_40]
		mov	[ebp+var_90], eax
		mov	al, [ebp+var_1D]
		mov	[ebp+var_8C], al
		mov	[ebp+var_88], ebx
		mov	[ebp+var_84], edx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_80], eax
		mov	eax, [ebp+var_34]
		mov	[ebp+var_7C], eax
		mov	[ebp+var_74], ecx
		mov	[ebp+var_70], edi
		push	ebx
		push	1
		lea	eax, [ebp+var_C8]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_88], eax
		mov	[ebp+var_B0], 18h
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_A4], 200h
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_9C], ebx
		lea	eax, [ebp+var_98]
		push	eax
		push	offset _CMFSystemThreadRoutine@4 ; CMFSystemThreadRoutine(x)
		push	ebx
		push	ebx
		lea	eax, [ebp+var_B0]
		push	eax
		push	1FFFFFh
		lea	eax, [ebp+var_58]
		push	eax
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		mov	ecx, 0C0000000h
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_A11693
		push	[ebp+var_58]
		call	_ZwClose@4	; ZwClose(x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_C8]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jz	short loc_A11539
		js	loc_A11693
		jmp	loc_A1133F
; 

loc_A11539:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+59Fj
		mov	eax, [ebp+var_84]
		mov	[ebp+var_3C], eax
		mov	esi, [ebp+var_78]
		mov	[ebp+var_1C], esi
		mov	eax, esi
		mov	ecx, 0C0000000h
		and	eax, ecx
		cmp	eax, ecx
		jz	loc_A11693
		cmp	edi, 10h
		jnz	short loc_A11566
		push	2
		pop	ecx
		call	_CMFRegisterEventTime@4	; CMFRegisterEventTime(x)

loc_A11566:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+4B9j
					; NtMapCMFModule(x,x,x,x,x,x)+5CFj
		push	_CMFLock
		call	ExConvertExclusiveToSharedLite
		mov	ecx, [ebp+var_28]

loc_A11574:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+370j
		mov	[ebp+var_24], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_4C], ebx
		cmp	[ebp+arg_14], 0
		jz	loc_A11693
		cmp	edi, 100h
		jz	short loc_A115B4
		push	[ebp+var_5C]
		mov	edx, [ebp+var_40]
		mov	ecx, [ecx]
		call	_CMFCheckAccess@12 ; CMFCheckAccess(x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		and	eax, 0C0000000h
		cmp	eax, 0C0000000h
		jz	loc_A11693

loc_A115B4:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+603j
		mov	eax, large fs:124h
		mov	[ebp+var_B8], eax
		mov	eax, [eax+80h]
		push	[ebp+var_34]
		push	400000h
		push	1
		lea	ecx, [ebp+var_2C]
		push	ecx
		lea	ecx, [ebp+var_50]
		push	ecx
		push	ebx
		push	ebx
		lea	ecx, [ebp+var_24]
		push	ecx
		push	eax
		mov	eax, [ebp+var_28]
		push	dword ptr [eax]
		call	MmMapViewOfSection
		mov	esi, eax
		mov	[ebp+var_1C], esi
		and	eax, 0C0000000h
		cmp	eax, 0C0000000h
		jnz	short loc_A11602
		mov	[ebp+var_24], ebx
		jmp	loc_A11693
; 

loc_A11602:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+66Bj
		cmp	[ebp+arg_0], 100h
		jnz	loc_A11693
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	eax, _CMFHitsLastFlushTime
		mov	[ebp+arg_4], eax
		mov	edi, dword_701314
		mov	[ebp+var_40], edi
		lea	eax, [ebp+var_48]
		push	eax
		call	KeQuerySystemTime
		mov	edx, [ebp+arg_4]
		mov	ecx, edx
		add	ecx, 61C46800h
		mov	eax, edi
		adc	eax, 8
		cmp	[ebp+var_44], eax
		jl	short loc_A11693
		jg	short loc_A1164B
		cmp	[ebp+var_48], ecx
		jbe	short loc_A11693

loc_A1164B:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+6B7j
		mov	eax, edx
		mov	edx, edi
		mov	[ebp+var_34], offset _CMFHitsLastFlushTime
		nop
		mov	ebx, [ebp+var_48]
		mov	ecx, [ebp+var_44]
		mov	edi, [ebp+var_34]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [ebp+arg_4]
		cmp	ebx, eax
		mov	edi, [ebp+var_40]
		jnz	short loc_A11691
		cmp	edi, edx
		jnz	short loc_A11691
		mov	edx, [ebp+var_2C]
		mov	ecx, [ebp+var_24]
		call	_CMFFlushHitsFile@8 ; CMFFlushHitsFile(x,x)
		test	eax, eax
		jns	short loc_A11691
		mov	eax, [ebp+var_48]
		mov	edx, [ebp+var_44]
		nop
		mov	ecx, edi
		mov	edi, [ebp+var_34]
		lock cmpxchg8b qword ptr [edi]

loc_A11691:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+6DFj
					; NtMapCMFModule(x,x,x,x,x,x)+6E3j ...
		xor	ebx, ebx

loc_A11693:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+28Ej
					; NtMapCMFModule(x,x,x,x,x,x)+57Aj ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		call	sub_A11741
		mov	eax, esi
		and	eax, 0C0000000h
		cmp	eax, 0C0000000h
		jz	loc_A11770
		mov	[ebp+ms_exc.disabled], 2
		mov	ecx, [ebp+arg_14]
		test	ecx, ecx
		jz	short loc_A116D9
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_A116CA
		mov	ecx, eax

loc_A116CA:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+739j
		mov	eax, [ecx]
		mov	[ecx], eax
		mov	ecx, [ebp+var_24]
		mov	eax, [ebp+arg_14]
		mov	[eax], ecx
		mov	[ebp+var_24], ebx

loc_A116D9:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+730j
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_A116F6
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_A116ED
		mov	edx, eax

loc_A116ED:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+75Cj
		mov	eax, [edx]
		mov	[edx], eax
		mov	eax, [ebp+var_2C]
		mov	[ecx], eax

loc_A116F6:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+751j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_A11713
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_A1170A
		mov	edx, eax

loc_A1170A:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+779j
		mov	eax, [edx]
		mov	[edx], eax
		mov	eax, [ebp+var_30]
		mov	[ecx], eax

loc_A11713:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+76Ej
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_A11730
		mov	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_A11727
		mov	edx, eax

loc_A11727:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+796j
		mov	eax, [edx]
		mov	[edx], eax
		mov	eax, [ebp+var_3C]
		mov	[ecx], eax

loc_A11730:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+78Bj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_A11075
; END OF FUNCTION CHUNK	FOR _NtMapCMFModule@24

;  S U B	R O U T	I N E 


sub_A1173C	proc near		; DATA XREF: .text:006AAA4Co
		xor	ebx, ebx
		mov	esi, [ebp-1Ch]
sub_A1173C	endp


;  S U B	R O U T	I N E 


sub_A11741	proc near		; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+70Dp
		mov	ecx, _CMFLock
		call	ExReleaseResourceLite
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		retn
sub_A11741	endp


;  S U B	R O U T	I N E 


sub_A11752	proc near		; DATA XREF: .text:006AAA54o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-6Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_A11752	endp


;  S U B	R O U T	I N E 


sub_A11760	proc near		; DATA XREF: .text:006AAA58o
		mov	esp, [ebp-18h]
		mov	esi, [ebp-6Ch]
		mov	[ebp-1Ch], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
sub_A11760	endp

; START	OF FUNCTION CHUNK FOR _NtMapCMFModule@24

loc_A11770:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+70j
					; NtMapCMFModule(x,x,x,x,x,x)+A9j ...
		cmp	[ebp+var_24], 0
		jz	short loc_A1178D
		push	[ebp+var_24]
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_MmUnmapViewOfSection@8	; MmUnmapViewOfSection(x,x)
		mov	esi, [ebp+var_1C]

loc_A1178D:				; CODE XREF: NtMapCMFModule(x,x,x,x,x,x)+7E7j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
; END OF FUNCTION CHUNK	FOR _NtMapCMFModule@24

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtPssCaptureVaSpaceBulk(x, x, x, x,	x)
_NtPssCaptureVaSpaceBulk@20 proc near	; DATA XREF: .text:005812D8o

var_80		= dword	ptr -80h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	70h
		push	offset dword_6AAA80
		call	__SEH_prolog4_GS
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_50], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_54], eax
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_44], esi
		mov	[ebp+var_6C], esi
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_64], eax
		xor	edx, edx
		mov	[ebp+var_58], edx
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_34]
		rep stosd
		mov	[ebp+var_5C], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_40], edx
		mov	ebx, edx
		mov	[ebp+var_38], ebx
		mov	ecx, [ebp+var_3C]
		cmp	ecx, 0Ch
		jnb	short loc_A11800
		mov	eax, 0C0000004h
		jmp	loc_A11AD8
; 

loc_A11800:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+53j
		mov	eax, large fs:124h
		mov	[ebp+var_74], eax
		mov	al, [eax+15Ah]
		mov	byte ptr [ebp+var_48], al
		lea	edi, [ebp+var_80]
		test	al, al
		jz	short loc_A11884
		xor	eax, eax
		stosd
		stosd
		stosd
		mov	[ebp+ms_exc.disabled], edx
		push	4
		push	ecx
		push	esi
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	ecx, [ebp+var_64]
		test	ecx, ecx
		jz	short loc_A11840
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		jb	short loc_A1183C
		mov	ecx, eax

loc_A1183C:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+97j
		mov	eax, [ecx]
		mov	[ecx], eax

loc_A11840:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+8Ej
		lea	edi, [ebp+var_80]
		movsd
		movsd
		movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_44]
		jmp	short loc_A11876
; 

loc_A11852:				; DATA XREF: .text:006AAA94o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_68], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A11860:				; DATA XREF: .text:006AAA98o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_68]
		mov	[ebp+var_38], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_6C]
		mov	[ebp+var_44], edi

loc_A11876:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+AFj
		mov	ecx, [ebp+var_3C]
		xor	edx, edx
		test	ebx, ebx
		jns	short loc_A1188A
		jmp	loc_A11AD6
; 

loc_A11884:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+76j
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_44]

loc_A1188A:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+DCj
		cmp	[ebp+var_80], 0
		jnz	short loc_A1189D
		mov	ebx, 0C000000Dh

loc_A11895:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+10Aj
					; NtPssCaptureVaSpaceBulk(x,x,x,x,x)+11Cj ...
		mov	esi, [ebp+var_40]
		jmp	loc_A11A6F
; 

loc_A1189D:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+EDj
		test	[ebp+var_80], 0FFFFFFFCh
		jz	short loc_A118AD
		mov	ebx, 0C00000BBh
		jmp	short loc_A11895
; 

loc_A118AD:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+103j
		mov	eax, [ebp+var_54]
		cmp	eax, ds:_MmHighestUserAddress
		jbe	short loc_A118BF
		mov	ebx, 0C0000141h
		jmp	short loc_A11895
; 

loc_A118BF:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+115j
		cmp	byte ptr [ebp+var_48], 0
		jz	loc_A1195A
		push	edx
		push	edx
		push	edx
		push	ecx
		push	edi
		call	IoAllocateMdl
		mov	esi, eax
		mov	[ebp+var_40], esi
		test	esi, esi
		jnz	short loc_A118E3
		mov	ebx, 0C000009Ah
		jmp	short loc_A11895
; 

loc_A118E3:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+139j
		xor	eax, eax
		inc	eax
		mov	[ebp+ms_exc.disabled], eax
		push	eax
		xor	edi, edi
		push	edi
		push	esi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		test	byte ptr [esi+6], 5
		jz	short loc_A11908
		mov	edi, [esi+0Ch]
		mov	[ebp+var_44], edi
		jmp	short loc_A1191D
; 

loc_A11908:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+15Dj
		push	40000010h
		push	edi
		push	edi
		push	1
		push	edi
		push	esi
		call	MmMapLockedPagesSpecifyCache
		mov	edi, eax
		mov	[ebp+var_44], eax

loc_A1191D:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+165j
		mov	esi, [ebp+var_40]
		test	edi, edi
		jnz	short loc_A1195E
		mov	ebx, 0C000009Ah
		jmp	loc_A11A6F
; 

loc_A1192E:				; DATA XREF: .text:006AAAA0o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_70], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A1193C:				; DATA XREF: .text:006AAAA4o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_40]
		push	esi
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	ebx, [ebp+var_70]
		mov	[ebp+var_38], ebx
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_A11A72
; 

loc_A1195A:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+122j
		mov	esi, edx
		jmp	short loc_A11960
; 

loc_A1195E:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+181j
		xor	edx, edx

loc_A11960:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+1BBj
		cmp	[ebp+var_50], 0FFFFFFFFh
		jz	short loc_A119C8
		push	edx
		lea	eax, [ebp+var_58]
		push	eax
		push	41737350h
		push	[ebp+var_48]
		push	ds:_PsProcessType
		push	1000h
		push	[ebp+var_50]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		mov	ebx, eax
		mov	[ebp+var_38], ebx
		test	ebx, ebx
		js	loc_A11A72
		mov	ecx, [ebp+var_58]
		test	dword ptr [ecx+3A8h], 1000h
		jz	short loc_A119B6
		mov	edx, 41737350h
		call	ObfDereferenceObjectWithTag
		mov	ebx, 0C0000022h
		jmp	loc_A11A6F
; 

loc_A119B6:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+1FFj
		lea	eax, [ebp+var_34]
		push	eax
		xor	edx, edx
		call	KiStackAttachProcess
		mov	[ebp+var_60], 1

loc_A119C8:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+1C3j
		cmp	byte ptr [ebp+var_48], 0
		jz	short loc_A119E8
		lea	eax, [ebp+var_4C]
		push	eax
		mov	eax, [ebp+var_3C]
		push	eax
		push	edi
		push	[ebp+var_54]
		push	0FFFFFFFFh
		call	_ZwPssCaptureVaSpaceBulk@20 ; ZwPssCaptureVaSpaceBulk(x,x,x,x,x)
		mov	ebx, eax
		jmp	loc_A11A6F
; 

loc_A119E8:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+22Bj
		xor	edi, edi
		mov	ecx, [ebp+var_44]
		mov	[ecx+4], edi
		mov	[ebp+var_4C], 0Ch
		add	[ebp+var_3C], 0FFFFFFF4h
		lea	edx, [ecx+0Ch]
		mov	eax, [ebp+var_54]
		jmp	short loc_A11A4F
; 

loc_A11A03:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+2B8j
		mov	eax, [ebp+var_74]
		mov	eax, [eax+2FCh]
		test	al, 1
		jnz	loc_A11ABE
		push	2
		lea	eax, [ebp+var_5C]
		push	eax
		push	1Ch
		push	edx
		push	edi
		mov	edx, [ebp+var_50]
		or	ecx, 0FFFFFFFFh
		call	MmQueryVirtualMemory
		mov	ebx, eax
		mov	[ebp+var_38], ebx
		mov	ecx, [ebp+var_44]
		test	ebx, ebx
		js	short loc_A11AAE
		mov	eax, [ebp+var_5C]
		sub	[ebp+var_3C], eax
		add	[ebp+var_4C], eax
		mov	edx, [ebp+var_48]
		mov	eax, [edx+0Ch]
		add	eax, [edx]
		add	edx, 1Ch
		inc	dword ptr [ecx+4]
		mov	[ecx+8], eax

loc_A11A4F:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+260j
		cmp	[ebp+var_3C], 1Ch
		mov	[ebp+var_50], eax
		mov	[ebp+var_48], edx
		jnb	short loc_A11A03

loc_A11A5B:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+31Bj
		test	ebx, ebx
		js	short loc_A11A72
		mov	eax, ds:_MmHighestUserAddress
		inc	eax
		cmp	[ecx+8], eax
		jz	short loc_A11A72
		mov	ebx, 105h

loc_A11A6F:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+F7j
					; NtPssCaptureVaSpaceBulk(x,x,x,x,x)+188j ...
		mov	[ebp+var_38], ebx

loc_A11A72:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+1B4j
					; NtPssCaptureVaSpaceBulk(x,x,x,x,x)+1ECj ...
		cmp	[ebp+var_60], 0
		jz	short loc_A11A82
		xor	edx, edx
		lea	ecx, [ebp+var_34]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_A11A82:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+2D5j
		test	esi, esi
		jz	short loc_A11A92
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	esi
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_A11A92:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+2E3j
		mov	ecx, [ebp+var_64]
		test	ecx, ecx
		jz	short loc_A11AD6
		mov	[ebp+ms_exc.disabled], 2
		mov	eax, [ebp+var_4C]
		mov	[ecx], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A11AD6
; 

loc_A11AAE:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+292j
		xor	eax, eax
		cmp	eax, [ecx+4]
		sbb	eax, eax
		not	eax
		and	ebx, eax
		mov	[ebp+var_38], ebx
		jmp	short loc_A11A5B
; 

loc_A11ABE:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+26Dj
		mov	ebx, 0C000004Bh
		jmp	short loc_A11A6F
; 

loc_A11AC5:				; DATA XREF: .text:006AAAACo
		xor	eax, eax
		inc	eax
		retn
; 

loc_A11AC9:				; DATA XREF: .text:006AAAB0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_38]

loc_A11AD6:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+DEj
					; NtPssCaptureVaSpaceBulk(x,x,x,x,x)+2F6j ...
		mov	eax, ebx

loc_A11AD8:				; CODE XREF: NtPssCaptureVaSpaceBulk(x,x,x,x,x)+5Aj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_NtPssCaptureVaSpaceBulk@20 endp


;  S U B	R O U T	I N E 


; __stdcall NtDirectGraphicsCall(x, x, x, x, x)
_NtDirectGraphicsCall@20 proc near	; DATA XREF: .text:005812DCo
		mov	eax, 0C0000002h
		retn	14h
_NtDirectGraphicsCall@20 endp


;  S U B	R O U T	I N E 


; __stdcall ExWnfCleanupServerSiloState(x)
_ExWnfCleanupServerSiloState@4 proc near ; CODE	XREF: PspDeleteServerSiloGlobals(x)+2Ap
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi], 0
		jz	short loc_A11B35
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	ecx, [esi]
		push	2
		pop	edx
		call	_ExpWnfDeleteScopeInstances@8 ;	ExpWnfDeleteScopeInstances(x,x)
		mov	ecx, [esi]
		xor	edx, edx
		call	_ExpWnfDeleteScopeInstances@8 ;	ExpWnfDeleteScopeInstances(x,x)
		push	20666E57h
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_A11B35:				; CODE XREF: ExWnfCleanupServerSiloState(x)+8j
		cmp	dword ptr [esi+4], 0
		jz	short loc_A11B43
		push	dword ptr [esi+4]
		call	_ZwClose@4	; ZwClose(x)

loc_A11B43:				; CODE XREF: ExWnfCleanupServerSiloState(x)+47j
		cmp	dword ptr [esi+8], 0
		jz	short loc_A11B51
		push	dword ptr [esi+8]
		call	_ZwClose@4	; ZwClose(x)

loc_A11B51:				; CODE XREF: ExWnfCleanupServerSiloState(x)+55j
		pop	esi
		retn
_ExWnfCleanupServerSiloState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfAllocateNextPersistentNameSequence(x,	x)
_ExpWnfAllocateNextPersistentNameSequence@8 proc near
					; CODE XREF: ExpWnfGenerateStateName+149AF5p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		and	[esp+5Ch+var_30], 0
		xor	eax, eax
		and	[esp+5Ch+var_34], eax
		and	[esp+5Ch+var_40], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[esp+68h+var_28], edx
		push	6
		pop	ecx
		lea	edi, [esp+68h+var_20]
		rep stosd
		xor	edi, edi
		push	esi
		mov	[esp+6Ch+var_50], edi
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		mov	[esp+68h+var_24], eax
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		add	eax, 208h
		mov	[esp+68h+var_44], eax
		lea	ecx, [eax+20h]
		mov	eax, [ecx]
		mov	[esp+68h+var_58], eax
		mov	eax, [ecx+4]
		mov	[esp+68h+var_3C], ecx
		mov	[esp+68h+var_54], eax
		cmp	[esp+68h+var_58], edi
		jnz	loc_A11D04
		test	eax, eax
		jnz	loc_A11D04
		xor	ecx, ecx
		lea	edx, [esp+68h+var_40]
		inc	ecx
		call	ExpWnfGetNameStoreRegistryRoot
		mov	edi, eax
		mov	[esp+68h+var_50], edi
		test	edi, edi
		js	loc_A11EBB
		mov	ebx, [esp+68h+var_44]
		xor	edx, edx
		add	ebx, 18h
		push	0
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [ebx], 0
		jnb	short loc_A11C0D
		push	ebx
		mov	edx, esi
		mov	ecx, ebx
		call	ExfAcquirePushLockExclusiveEx

loc_A11C0D:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+AEj
		test	esi, esi
		jz	short loc_A11C15
		or	byte ptr [esi+0Eh], 1

loc_A11C15:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+BCj
		mov	ecx, [esp+68h+var_3C]
		mov	[esp+68h+var_34], 1
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		test	eax, eax
		jnz	loc_A11D04
		test	ecx, ecx
		jnz	loc_A11D04
		lea	eax, [esp+68h+var_30]
		push	eax
		push	18h
		lea	eax, [esp+70h+var_20]
		push	eax
		push	2
		push	offset _ExpWnfPermanentNameSequenceNumberValueName
		push	[esp+7Ch+var_40]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		mov	[esp+68h+var_50], edi
		test	edi, edi
		js	loc_A11CF8
		cmp	[esp+68h+var_18], 8
		jz	short loc_A11C71
		mov	edi, 0C0000001h
		jmp	loc_A11E99
; 

loc_A11C71:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+112j
		mov	eax, [esp+68h+var_10]
		mov	ebx, [esp+68h+var_14]
		mov	[esp+68h+var_38], eax
		mov	[esp+68h+var_54], eax
		mov	eax, [esp+68h+var_44]
		add	eax, 10h
		mov	[esp+68h+var_5C], ebx
		mov	[esp+68h+var_58], ebx
		mov	[esp+68h+var_4C], eax

loc_A11C94:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+163j
					; ExpWnfAllocateNextPersistentNameSequence(x,x)+169j
		mov	esi, [eax]
		mov	ecx, [eax+4]
		mov	eax, esi
		mov	[esp+68h+var_48], ecx
		mov	edx, ecx
		nop
		mov	ecx, [esp+68h+var_38]
		mov	edi, [esp+68h+var_4C]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [esp+68h+var_5C]
		cmp	eax, esi
		mov	eax, edi
		jnz	short loc_A11C94
		cmp	edx, [esp+68h+var_48]
		jnz	short loc_A11C94
		mov	ebx, [esp+68h+var_58]
		mov	eax, [esp+68h+var_54]
		mov	edi, [esp+68h+var_3C]
		mov	[esp+68h+var_5C], ebx
		mov	[esp+68h+var_48], eax

loc_A11CD2:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+19Bj
					; ExpWnfAllocateNextPersistentNameSequence(x,x)+1A1j
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[esp+68h+var_38], ecx
		nop
		mov	ecx, [esp+68h+var_48]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [esp+68h+var_5C]
		cmp	eax, esi
		jnz	short loc_A11CD2
		cmp	edx, [esp+68h+var_38]
		jnz	short loc_A11CD2
		jmp	short loc_A11D04
; 

loc_A11CF8:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+107j
		cmp	edi, 0C0000034h
		jnz	loc_A11E99

loc_A11D04:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+6Dj
					; ExpWnfAllocateNextPersistentNameSequence(x,x)+75j ...
		mov	edi, [esp+68h+var_44]
		add	edi, 10h

loc_A11D0B:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+1D8j
					; ExpWnfAllocateNextPersistentNameSequence(x,x)+1DCj ...
		mov	eax, [edi]
		mov	ebx, eax
		mov	esi, [edi+4]
		add	ebx, 1
		mov	ecx, esi
		mov	[esp+68h+var_4C], eax
		adc	ecx, 0
		mov	edx, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [esp+68h+var_4C]
		cmp	eax, ebx
		jnz	short loc_A11D0B
		cmp	edx, esi
		jnz	short loc_A11D0B
		add	ebx, 1
		mov	[esp+68h+var_4C], ebx
		adc	esi, 0
		mov	[esp+68h+var_2C], esi
		test	ebx, ebx
		jnz	short loc_A11D47
		test	esi, esi
		jz	short loc_A11D0B

loc_A11D47:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+1EEj
		mov	ecx, [esp+68h+var_3C]
		mov	edi, [esp+68h+var_50]
		mov	eax, [ecx]
		mov	[esp+68h+var_58], eax
		mov	eax, [ecx+4]
		mov	[esp+68h+var_54], eax
		cmp	esi, eax
		jb	loc_A11E89
		ja	short loc_A11D70
		cmp	ebx, [esp+68h+var_58]
		jbe	loc_A11E89

loc_A11D70:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+211j
		cmp	[esp+68h+var_40], 0
		jnz	short loc_A11D8D
		xor	ecx, ecx
		lea	edx, [esp+68h+var_40]
		inc	ecx
		call	ExpWnfGetNameStoreRegistryRoot
		mov	edi, eax
		test	edi, edi
		js	loc_A11E92

loc_A11D8D:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+222j
		cmp	[esp+68h+var_34], 0
		jnz	short loc_A11DD2
		mov	ecx, [esp+68h+var_44]
		xor	edx, edx
		add	ecx, 18h
		push	0
		call	KeAbPreAcquire
		mov	ecx, [esp+68h+var_44]
		mov	[esp+68h+var_48], eax
		add	ecx, 18h
		lock bts dword ptr [ecx], 0
		jnb	short loc_A11DC2
		push	ecx
		mov	edx, eax
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [esp+68h+var_48]

loc_A11DC2:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+261j
		test	eax, eax
		jz	short loc_A11DCA
		or	byte ptr [eax+0Eh], 1

loc_A11DCA:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+271j
		mov	[esp+68h+var_34], 1

loc_A11DD2:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+23Fj
		mov	ecx, [esp+68h+var_3C]
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		cmp	esi, eax
		jb	loc_A11E89
		ja	short loc_A11DED
		cmp	ebx, edx
		jbe	loc_A11E89

loc_A11DED:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+290j
		mov	eax, [ecx]
		mov	ecx, [ecx+4]
		add	eax, 64h
		mov	[esp+68h+var_58], eax
		adc	ecx, 0
		mov	[esp+68h+var_54], ecx
		cmp	ecx, esi
		ja	short loc_A11E22
		jb	short loc_A11E0A
		cmp	eax, ebx
		jnb	short loc_A11E22

loc_A11E0A:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+2B1j
					; ExpWnfAllocateNextPersistentNameSequence(x,x)+2BFj ...
		add	eax, 64h
		adc	ecx, 0
		cmp	ecx, esi
		jb	short loc_A11E0A
		ja	short loc_A11E1A
		cmp	eax, ebx
		jb	short loc_A11E0A

loc_A11E1A:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+2C1j
		mov	[esp+68h+var_58], eax
		mov	[esp+68h+var_54], ecx

loc_A11E22:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+2AFj
					; ExpWnfAllocateNextPersistentNameSequence(x,x)+2B5j
		push	8
		lea	eax, [esp+6Ch+var_58]
		push	eax
		push	3
		push	0
		push	offset _ExpWnfPermanentNameSequenceNumberValueName
		push	[esp+7Ch+var_40]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	edi, eax
		mov	[esp+68h+var_50], edi
		test	edi, edi
		js	short loc_A11E92
		mov	ebx, [esp+68h+var_58]
		mov	eax, [esp+68h+var_54]
		mov	edi, [esp+68h+var_3C]
		mov	[esp+68h+var_5C], ebx
		mov	[esp+68h+var_48], eax

loc_A11E59:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+322j
					; ExpWnfAllocateNextPersistentNameSequence(x,x)+328j
		mov	esi, [edi]
		mov	eax, esi
		mov	ecx, [edi+4]
		mov	edx, ecx
		mov	[esp+68h+var_38], ecx
		nop
		mov	ecx, [esp+68h+var_48]
		lock cmpxchg8b qword ptr [edi]
		mov	ebx, [esp+68h+var_5C]
		cmp	eax, esi
		jnz	short loc_A11E59
		cmp	edx, [esp+68h+var_38]
		jnz	short loc_A11E59
		mov	edi, [esp+68h+var_50]
		mov	esi, [esp+68h+var_2C]
		mov	ebx, [esp+68h+var_4C]

loc_A11E89:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+20Bj
					; ExpWnfAllocateNextPersistentNameSequence(x,x)+217j ...
		mov	eax, [esp+68h+var_28]
		mov	[eax], ebx
		mov	[eax+4], esi

loc_A11E92:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+234j
					; ExpWnfAllocateNextPersistentNameSequence(x,x)+2F0j
		cmp	[esp+68h+var_34], 0
		jz	short loc_A11EBB

loc_A11E99:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+119j
					; ExpWnfAllocateNextPersistentNameSequence(x,x)+1ABj
		mov	esi, [esp+68h+var_44]
		or	eax, 0FFFFFFFFh
		add	esi, 18h
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A11EB4
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A11EB4:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+358j
		mov	ecx, esi
		call	KeAbPostRelease

loc_A11EBB:				; CODE XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+8Fj
					; ExpWnfAllocateNextPersistentNameSequence(x,x)+344j
		push	[esp+68h+var_24]
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		mov	ecx, [esp+68h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_ExpWnfAllocateNextPersistentNameSequence@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfDeletePermanentStateData(x, x, x)
_ExpWnfDeletePermanentStateData@12 proc	near ; CODE XREF: NtDeleteWnfStateName+14A27Cp
					; ExpNtDeleteWnfStateData+848A8p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		mov	edi, [ebp+arg_0]
		shrd	esi, eax, 4
		push	22h
		shrd	edi, eax, 6
		pop	eax
		push	[ebp+arg_4]
		mov	[esp+4Ch+var_30], ebx
		and	esi, 3
		push	[ebp+arg_0]
		mov	word ptr [esp+50h+var_30+2], ax
		and	edi, 0Fh
		mov	[esp+50h+var_34], ecx
		lea	eax, [esp+50h+var_28]
		lea	ecx, [esp+50h+var_30]
		mov	[esp+50h+var_38], ebx
		mov	[esp+50h+var_2C], eax
		call	_ExpWnfComposeValueName@12 ; ExpWnfComposeValueName(x,x,x)
		mov	eax, [esp+48h+var_34]
		mov	edx, esi
		test	eax, eax
		jz	short loc_A11F98
		lea	ecx, [esp+48h+var_38]
		push	ecx
		push	ebx
		mov	ecx, eax
		call	ExpWnfGetPermanentDataStoreHandle

loc_A11F4C:				; CODE XREF: ExpWnfDeletePermanentStateData(x,x,x)+CEj
		test	eax, eax
		js	short loc_A11F84

loc_A11F50:				; CODE XREF: ExpWnfDeletePermanentStateData(x,x,x)+A8j
		lea	eax, [esp+48h+var_30]
		push	eax
		push	[esp+4Ch+var_38]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		cmp	[esp+48h+var_34], 0
		jnz	short loc_A11F84
		push	[esp+48h+var_38]
		call	_ZwClose@4	; ZwClose(x)
		lea	eax, [esp+48h+var_38]
		inc	ebx
		push	eax
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_ExpWnfEnumeratePermanentDataStores@16 ; ExpWnfEnumeratePermanentDataStores(x,x,x,x)
		test	eax, eax
		jns	short loc_A11F50
		xor	eax, eax

loc_A11F84:				; CODE XREF: ExpWnfDeletePermanentStateData(x,x,x)+76j
					; ExpWnfDeletePermanentStateData(x,x,x)+8Bj
		mov	ecx, [esp+50h+var_C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_A11F98:				; CODE XREF: ExpWnfDeletePermanentStateData(x,x,x)+65j
		lea	eax, [esp+48h+var_38]
		mov	ecx, edi
		push	eax
		push	0
		call	_ExpWnfEnumeratePermanentDataStores@16 ; ExpWnfEnumeratePermanentDataStores(x,x,x,x)
		jmp	short loc_A11F4C
_ExpWnfDeletePermanentStateData@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfDeleteScopeInstances(x, x)
_ExpWnfDeleteScopeInstances@8 proc near	; CODE XREF: ExWnfCleanupServerSiloState(x)+1Dp
					; ExWnfCleanupServerSiloState(x)+26p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, edx
		mov	[ebp+var_4], ecx
		push	ebx
		push	esi
		mov	[ebp+var_8], eax
		lea	esi, [ecx+14h]
		imul	eax, 0Ch
		xor	edx, edx
		push	edi
		lea	edi, [ecx+10h]
		push	0
		add	edi, eax
		add	esi, eax
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	ebx, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_A11FE6
		push	edi
		mov	edx, ebx
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_A11FE6:				; CODE XREF: ExpWnfDeleteScopeInstances(x,x)+32j
		test	ebx, ebx
		jz	short loc_A11FEE
		or	byte ptr [ebx+0Eh], 1

loc_A11FEE:				; CODE XREF: ExpWnfDeleteScopeInstances(x,x)+40j
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_A12056
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_A12056
		mov	[esi], ecx
		mov	[ecx+4], esi
		cmp	eax, esi
		jz	short loc_A12036
		mov	ebx, [ebp+var_4]

loc_A12008:				; CODE XREF: ExpWnfDeleteScopeInstances(x,x)+8Cj
		and	dword ptr [eax], 0
		lea	ecx, [eax-14h]
		cmp	[ebp+var_8], 0
		jnz	short loc_A12018
		and	dword ptr [ebx+4], 0

loc_A12018:				; CODE XREF: ExpWnfDeleteScopeInstances(x,x)+6Aj
		mov	dl, 1
		call	_ExpWnfFreeScopeInstance@8 ; ExpWnfFreeScopeInstance(x,x)
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_A12056
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_A12056
		mov	[esi], ecx
		mov	[ecx+4], esi
		cmp	eax, esi
		jnz	short loc_A12008

loc_A12036:				; CODE XREF: ExpWnfDeleteScopeInstances(x,x)+5Bj
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1204A
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1204A:				; CODE XREF: ExpWnfDeleteScopeInstances(x,x)+99j
		mov	ecx, edi
		call	KeAbPostRelease
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A12056:				; CODE XREF: ExpWnfDeleteScopeInstances(x,x)+4Bj
					; ExpWnfDeleteScopeInstances(x,x)+52j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall ExpWnfEnumeratePermanentDataStores(x, x, x,	x)
_ExpWnfEnumeratePermanentDataStores@16:	; CODE XREF: ExpWnfDeletePermanentStateData(x,x,x)+A1p
					; ExpWnfDeletePermanentStateData(x,x,x)+C9p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ecx
		sub	eax, 0
		jz	short loc_A1206D
		dec	eax
		sub	eax, 1
		jz	short loc_A12073

loc_A1206D:				; CODE XREF: ExpWnfDeleteScopeInstances(x,x)+BDj
		cmp	[ebp+arg_0], 0
		jz	short loc_A1207A

loc_A12073:				; CODE XREF: ExpWnfDeleteScopeInstances(x,x)+C3j
		mov	eax, 0C0000034h
		jmp	short loc_A12099
; 

loc_A1207A:				; CODE XREF: ExpWnfDeleteScopeInstances(x,x)+C9j
		cmp	edx, 3
		jz	short loc_A12088
		cmp	edx, 2
		jz	short loc_A12088
		xor	eax, eax
		jmp	short loc_A1208B
; 

loc_A12088:				; CODE XREF: ExpWnfDeleteScopeInstances(x,x)+D5j
					; ExpWnfDeleteScopeInstances(x,x)+DAj
		xor	eax, eax
		inc	eax

loc_A1208B:				; CODE XREF: ExpWnfDeleteScopeInstances(x,x)+DEj
		push	[ebp+arg_4]
		push	0
		push	eax
		push	ecx
		push	0
		call	ExpWnfGetPermanentDataStoreHandleByScopeId

loc_A12099:				; CODE XREF: ExpWnfDeleteScopeInstances(x,x)+D0j
		pop	ebp
		retn	8
_ExpWnfDeleteScopeInstances@8 endp ; sp	= -1Ch


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWnfGetPermanentPerUserDataStoreHandle(x,	x)
_ExpWnfGetPermanentPerUserDataStoreHandle@8 proc near
					; CODE XREF: ExpWnfGetPermanentDataStoreHandleByScopeId+878AAp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		push	6
		xor	eax, eax
		mov	[ebp+var_C], ebx
		and	[ebp+var_4], eax
		lea	edi, [ebp+var_30]
		pop	ecx
		rep stosd
		lea	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_RtlLengthSidAsUnicodeString@8 ; RtlLengthSidAsUnicodeString(x,x)
		test	eax, eax
		js	loc_A12190
		mov	edi, [ebp+var_4]
		push	20666E57h
		lea	ebx, [edi+52h]
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A120F2
		mov	eax, 0C000009Ah
		jmp	loc_A12190
; 

loc_A120F2:				; CODE XREF: ExpWnfGetPermanentPerUserDataStoreHandle(x,x)+49j
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		push	offset ??_C@_1CA@DOEFBOAB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAU?$AAs?$AAe?$AAr?$AA?2@NNGAKEGL@ ; "\\Registry\\User\\"
		push	eax		; int
		mov	word ptr [ebp+var_8+2],	bx
		mov	[ebp+var_4], esi
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		movzx	ecx, word ptr [ebp+var_8]
		xor	ebx, ebx
		mov	eax, [ebp+var_4]
		shr	ecx, 1
		push	ebx
		push	[ebp+var_C]
		mov	word ptr [ebp+var_18+2], di
		lea	eax, [eax+ecx*2]
		mov	[ebp+var_14], eax
		xor	eax, eax
		mov	word ptr [ebp+var_18], ax
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlConvertSidToUnicodeString
		mov	edi, eax
		test	edi, edi
		js	short loc_A12183
		mov	ax, word ptr [ebp+var_18]
		add	word ptr [ebp+var_8], ax
		lea	eax, [ebp+var_8]
		push	offset ??_C@_1DE@CEBLELHA@?$AA_?$AAC?$AAl?$AAa?$AAs?$AAs?$AAe?$AAs?$AA?2?$AAN?$AAo?$AAt?$AAi?$AAf?$AAi@NNGAKEGL@ ; void	*
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_8]
		mov	[ebp+var_30], 18h
		push	ebx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	0F003Fh
		push	[ebp+var_10]
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], 240h
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	edi, eax

loc_A12183:				; CODE XREF: ExpWnfGetPermanentPerUserDataStoreHandle(x,x)+9Aj
		push	20666E57h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi

loc_A12190:				; CODE XREF: ExpWnfGetPermanentPerUserDataStoreHandle(x,x)+2Cj
					; ExpWnfGetPermanentPerUserDataStoreHandle(x,x)+50j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ExpWnfGetPermanentPerUserDataStoreHandle@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ExpWnfPopulateStateDataRemoteCallback(int,int,int,int,void *,int)
_ExpWnfPopulateStateDataRemoteCallback@24 proc near
					; DATA XREF: ExpWnfPopulateStateData+1478B7o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jnz	short loc_A121A6
		xor	eax, eax
		jmp	short loc_A1221E
; 

loc_A121A6:				; CODE XREF: ExpWnfPopulateStateDataRemoteCallback(x,x,x,x,x,x)+Bj
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_14]
		test	ebx, ebx
		jnz	short loc_A121BF
		mov	dword ptr [eax+34h], 1
		mov	[eax+38h], edi
		xor	eax, eax
		jmp	short loc_A1221D
; 

loc_A121BF:				; CODE XREF: ExpWnfPopulateStateDataRemoteCallback(x,x,x,x,x,x)+1Aj
		mov	eax, [eax+24h]
		push	esi
		mov	[ebp+arg_C], eax
		add	eax, 10h
		push	20666E57h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A121E3
		mov	eax, 0C000009Ah
		jmp	short loc_A1221C
; 

loc_A121E3:				; CODE XREF: ExpWnfPopulateStateDataRemoteCallback(x,x,x,x,x,x)+45j
		push	10h
		mov	eax, 904h
		mov	[esi], ax
		pop	eax
		mov	[esi+2], ax
		mov	eax, [ebp+arg_C]
		push	ebx		; size_t
		push	[ebp+arg_10]	; void *
		mov	[esi+4], eax
		lea	eax, [esi+10h]
		push	eax		; void *
		mov	[esi+8], ebx
		mov	[esi+0Ch], edi
		call	_memcpy
		mov	ecx, [ebp+arg_4]
		add	esp, 0Ch
		mov	eax, [esi+0Ch]
		mov	[ecx+38h], eax
		xor	eax, eax
		mov	[ecx+34h], esi

loc_A1221C:				; CODE XREF: ExpWnfPopulateStateDataRemoteCallback(x,x,x,x,x,x)+4Cj
		pop	esi

loc_A1221D:				; CODE XREF: ExpWnfPopulateStateDataRemoteCallback(x,x,x,x,x,x)+28j
		pop	ebx

loc_A1221E:				; CODE XREF: ExpWnfPopulateStateDataRemoteCallback(x,x,x,x,x,x)+Fj
		pop	edi
		pop	ebp
		retn	18h
_ExpWnfPopulateStateDataRemoteCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpCrossVmWnfPush(x, x, x, x, x, x)
_ExpCrossVmWnfPush@24 proc near		; CODE XREF: ExpNtUpdateWnfStateData+149629p
					; ExpNtUpdateWnfStateData+1496DBp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, _ExpCrossVmIntExtensionHostGuest
		push	edi
		mov	edi, edx
		test	edi, edi
		jnz	short loc_A1223C
		mov	esi, _ExpCrossVmIntExtensionHostRoot

loc_A1223C:				; CODE XREF: ExpCrossVmWnfPush(x,x,x,x,x,x)+11j
		mov	ecx, esi
		call	_ExGetExtensionTable@4 ; ExGetExtensionTable(x)
		test	eax, eax
		jnz	short loc_A1224E
		mov	edi, 0C0000002h
		jmp	short loc_A12269
; 

loc_A1224E:				; CODE XREF: ExpCrossVmWnfPush(x,x,x,x,x,x)+22j
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	0
		call	dword ptr [eax+38h]
		mov	edi, eax
		mov	ecx, esi
		call	_ExReleaseExtensionTable@4 ; ExReleaseExtensionTable(x)

loc_A12269:				; CODE XREF: ExpCrossVmWnfPush(x,x,x,x,x,x)+29j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_ExpCrossVmWnfPush@24 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2626. WheaRemoveErrorSource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaRemoveErrorSource(x)
		public _WheaRemoveErrorSource@4
_WheaRemoveErrorSource@4 proc near	; CODE XREF: WheaRemoveErrorSourceDeviceDriver(x)+EFp

var_408		= dword	ptr -408h
var_404		= dword	ptr -404h
var_400		= dword	ptr -400h
var_3FC		= dword	ptr -3FCh
var_3F8		= dword	ptr -3F8h
var_3F4		= dword	ptr -3F4h
var_3F0		= dword	ptr -3F0h
var_3EC		= dword	ptr -3ECh
var_3E8		= dword	ptr -3E8h
var_3E4		= dword	ptr -3E4h
var_3E0		= dword	ptr -3E0h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 40Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+40Ch+var_4], eax
		mov	edx, [ebp+arg_0]
		mov	ecx, offset _WheapErrorSourceTable
		push	ebx
		push	esi
		push	edi
		call	_WheapGetErrorSource@8 ; WheapGetErrorSource(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_A12394
		mov	ecx, [ebx+58h]
		call	WheapIsNonHestErrorSource
		test	al, al
		jz	loc_A12394
		mov	eax, [ebx+5Ch]
		cmp	eax, 3
		jz	loc_A12394
		push	4
		pop	edx
		cmp	eax, edx
		jz	loc_A12394
		or	[esp+418h+var_404], 0FFFFFFFFh
		lea	esi, [ebx+50h]
		mov	ecx, 0F3h
		mov	[esp+418h+var_408], 0FFFFFC18h
		lea	edi, [esp+418h+var_3E0]
		xor	eax, eax
		rep movsd
		mov	[ebx+5Ch], edx
		lea	esi, [ebx+4Ch]
		or	ecx, 0FFFFFFFFh
		lock cmpxchg [esi], ecx
		xor	edi, edi
		jmp	short loc_A12316
; 

loc_A12301:				; CODE XREF: WheaRemoveErrorSource(x)+A2j
		lea	eax, [esp+418h+var_408]
		push	eax
		push	edi
		push	edi
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		or	ecx, 0FFFFFFFFh
		xor	eax, eax
		lock cmpxchg [esi], ecx

loc_A12316:				; CODE XREF: WheaRemoveErrorSource(x)+89j
		test	eax, eax
		jg	short loc_A12301
		mov	ecx, ebx
		call	_WheapCallErrorSourceUninitialize@4 ; WheapCallErrorSourceUninitialize(x)
		mov	ecx, [ebx+24h]
		mov	esi, eax
		mov	dword ptr [ebx+5Ch], 3
		test	ecx, ecx
		jz	short loc_A1233F
		push	61656857h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebx+24h], edi

loc_A1233F:				; CODE XREF: WheaRemoveErrorSource(x)+B9j
		lea	eax, [esp+418h+var_400]
		mov	[esp+418h+var_400], 674C6857h
		push	eax
		mov	[esp+41Ch+var_3FC], 1
		mov	[esp+41Ch+var_3F8], 3F1h
		mov	[esp+41Ch+var_3F4], edi
		mov	[esp+41Ch+var_3EC], 8000000Ch
		mov	[esp+41Ch+var_3F0], 4C4E524Bh
		mov	[esp+41Ch+var_3E8], 2
		mov	[esp+41Ch+var_3E4], 3D1h
		mov	[esp+41Ch+var_14], esi
		mov	[esp+41Ch+var_10], 1
		call	WheaLogInternalEvent

loc_A12394:				; CODE XREF: WheaRemoveErrorSource(x)+30j
					; WheaRemoveErrorSource(x)+40j	...
		mov	ecx, [esp+418h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_WheaRemoveErrorSource@4 endp

; 
		align 10h
; Exported entry 2627. WheaRemoveErrorSourceDeviceDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaRemoveErrorSourceDeviceDriver(x)
		public _WheaRemoveErrorSourceDeviceDriver@4
_WheaRemoveErrorSourceDeviceDriver@4 proc near

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		push	edi
		push	ebx
		mov	[esp+5Ch+var_28], esi
		mov	[esp+5Ch+var_24], esi
		mov	[esp+5Ch+var_20], esi
		mov	[esp+5Ch+var_1C], esi
		mov	[esp+5Ch+var_18], esi
		mov	[esp+5Ch+var_14], esi
		mov	[esp+5Ch+var_10], esi
		mov	[esp+5Ch+var_C], esi
		call	_WheaGetErrorSource@4 ;	WheaGetErrorSource(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A124B2
		or	edx, 0FFFFFFFFh
		lea	ecx, [edi+84h]
		xor	eax, eax
		lock cmpxchg [ecx], edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_A124B2
		test	eax, eax
		jz	short loc_A12473
		push	20h
		xor	eax, eax
		mov	[esp+5Ch+var_48], 674C6857h
		pop	edx
		inc	eax
		mov	[esp+58h+var_40], 40h
		push	offset ??_C@_0BO@GODKNNIN@RemoveErrorSourceDeviceDriver@NNGAKEGL@ ; "RemoveErrorSourceDeviceDriver"
		lea	ecx, [esp+5Ch+var_28]
		mov	[esp+5Ch+var_44], eax
		mov	[esp+5Ch+var_3C], eax
		mov	[esp+5Ch+var_34], 8000002Ch
		mov	[esp+5Ch+var_38], 4C4E524Bh
		mov	[esp+5Ch+var_30], 2
		mov	[esp+5Ch+var_2C], edx
		call	_RtlStringCchCopyA@12 ;	RtlStringCchCopyA(x,x,x)
		lea	eax, [esp+58h+var_48]
		push	eax
		call	WheaLogInternalEvent
		mov	esi, 0C0000708h
		jmp	short loc_A124B2
; 

loc_A12473:				; CODE XREF: WheaRemoveErrorSourceDeviceDriver(x)+68j
		mov	eax, [edi+48h]
		test	eax, eax
		jz	short loc_A1249E
		push	41454857h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	41454857h
		push	dword ptr [edi+80h]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[edi+48h], esi
		mov	[edi+80h], esi

loc_A1249E:				; CODE XREF: WheaRemoveErrorSourceDeviceDriver(x)+C8j
		push	ebx
		call	_WheaRemoveErrorSource@4 ; WheaRemoveErrorSource(x)
		mov	dword ptr [edi+4Ch], offset _xKdGetAcpiTablePhase0@8 ; xKdGetAcpiTablePhase0(x,x)
		mov	dword ptr [edi+50h], offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)

loc_A124B2:				; CODE XREF: WheaRemoveErrorSourceDeviceDriver(x)+48j
					; WheaRemoveErrorSourceDeviceDriver(x)+60j ...
		mov	ecx, [esp+58h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_WheaRemoveErrorSourceDeviceDriver@4 endp

; 
		dd 0CCCCCCCCh
		db 0CCh
; Exported entry 2630. WheaReportHwErrorDeviceDriver

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	WheaReportHwErrorDeviceDriver(int,int,void *,size_t,int,int,int)
		public _WheaReportHwErrorDeviceDriver@28
_WheaReportHwErrorDeviceDriver@28 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_18]	; int
		xor	eax, eax
		push	[ebp+arg_14]	; int
		push	eax		; int
		push	[ebp+arg_10]	; int
		push	eax		; size_t
		push	eax		; void *
		push	[ebp+arg_C]	; size_t
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		call	_WheaReportHwErrorDeviceDriverEx@40 ; WheaReportHwErrorDeviceDriverEx(x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	1Ch
_WheaReportHwErrorDeviceDriver@28 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2610. WheaAttemptClearPoison

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaAttemptClearPoison(x, x, x)
		public _WheaAttemptClearPoison@12
_WheaAttemptClearPoison@12 proc	near

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_1B		= word ptr -1Bh
var_19		= dword	ptr -19h
var_14		= dword	ptr -14h
var_D		= dword	ptr -0Dh
var_9		= dword	ptr -9
var_5		= dword	ptr -5
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 38h
		mov	edx, [ebp+arg_0]
		mov	ecx, edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		mov	eax, esi
		mov	[esp+40h+var_34], ebx
		shrd	ecx, eax, 0Ch
		mov	eax, large fs:124h
		cmp	byte ptr [eax+15Ah], 1
		jnz	short loc_A125A0
		mov	al, [ebp+arg_8]
		push	ebx
		mov	[esp+44h+var_1C], al
		lea	eax, [esp+44h+var_14]
		push	ebx
		push	eax
		mov	[esp+4Ch+var_19], ebx
		mov	[esp+37h], ebx
		mov	[esp+4Ch+var_14+3], ebx
		mov	[esp+4Ch+var_D], ebx
		mov	[esp+4Ch+var_9], ebx
		mov	[esp+4Ch+var_5], ebx
		mov	[esp+4Ch+var_1], bl
		mov	[esp+4Ch+var_28], edx
		mov	[esp+4Ch+var_24], esi
		mov	[esp+4Ch+var_20], ecx
		mov	[esp+4Ch+var_1B], 101h
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+40h+var_28]
		mov	[esp+40h+var_30], offset _WheapAttemptPhysicalPageOfflineWorker@4 ; WheapAttemptPhysicalPageOfflineWorker(x)
		mov	[esp+40h+var_2C], eax
		lea	eax, [esp+40h+var_38]
		push	1
		push	eax
		mov	[esp+48h+var_38], ebx
		call	ExQueueWorkItem
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+50h+var_14]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+40h+var_19+1]
		jmp	short loc_A125AD
; 

loc_A125A0:				; CODE XREF: WheaAttemptClearPoison(x,x,x)+2Ej
		push	esi
		push	edx
		mov	dl, [ebp+arg_8]
		push	ecx
		push	1
		call	_WheapAttemptPhysicalPageOffline@24 ; WheapAttemptPhysicalPageOffline(x,x,x,x,x,x)

loc_A125AD:				; CODE XREF: WheaAttemptClearPoison(x,x,x)+A4j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_WheaAttemptClearPoison@12 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 2611. WheaAttemptPhysicalPageOffline

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaAttemptPhysicalPageOffline(x, x, x)
		public _WheaAttemptPhysicalPageOffline@12
_WheaAttemptPhysicalPageOffline@12 proc	near ; CODE XREF: WheapPfaMemoryCheck(x,x)+145p
					; WheapPfaRetireExpiredMemoryEntries(x,x)+A8p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_1B		= byte ptr -1Bh
var_1A		= dword	ptr -1Ah
var_15		= dword	ptr -15h
var_11		= dword	ptr -11h
var_D		= dword	ptr -0Dh
var_9		= dword	ptr -9
var_5		= dword	ptr -5
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 40h
		mov	eax, large fs:124h
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	edx, ebx
		mov	ecx, esi
		mov	[esp+48h+var_1A+1], ebx
		shld	edx, ecx, 0Ch
		mov	[esp+48h+var_15], ebx
		mov	[esp+48h+var_11], ebx
		mov	[esp+48h+var_D], ebx
		mov	[esp+48h+var_9], ebx
		mov	[esp+48h+var_5], ebx
		mov	[esp+48h+var_1], bl
		mov	[esp+48h+var_34], ebx
		shl	ecx, 0Ch
		cmp	byte ptr [eax+15Ah], 1
		jnz	short loc_A12680
		mov	al, [ebp+arg_4]
		mov	[esp+48h+var_1C], al
		mov	al, [ebp+arg_8]
		push	ebx
		mov	[esp+4Ch+var_1B], al
		lea	eax, [esp+4Ch+var_15+1]
		push	ebx
		push	eax
		mov	[esp+54h+var_1A+1], ebx
		mov	[esp+54h+var_15], ebx
		mov	[esp+54h+var_11], ebx
		mov	[esp+54h+var_D], ebx
		mov	[esp+54h+var_9], ebx
		mov	[esp+54h+var_5], ebx
		mov	[esp+54h+var_1], bl
		mov	[esp+54h+var_28], ecx
		mov	[esp+54h+var_24], edx
		mov	[esp+54h+var_20], esi
		mov	byte ptr [esp+54h+var_1A], bl
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+48h+var_28]
		mov	[esp+48h+var_30], offset _WheapAttemptPhysicalPageOfflineWorker@4 ; WheapAttemptPhysicalPageOfflineWorker(x)
		mov	[esp+48h+var_2C], eax
		lea	eax, [esp+48h+var_38]
		push	1
		push	eax
		mov	[esp+50h+var_38], ebx
		call	ExQueueWorkItem
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+58h+var_15+1]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+48h+var_1A+2]
		jmp	short loc_A12690
; 

loc_A12680:				; CODE XREF: WheaAttemptPhysicalPageOffline(x,x,x)+4Aj
		push	edx
		mov	dl, [ebp+arg_4]
		push	ecx
		push	ecx
		push	dword ptr [ebp+arg_8]
		mov	ecx, esi
		call	_WheapAttemptPhysicalPageOffline@24 ; WheapAttemptPhysicalPageOffline(x,x,x,x,x,x)

loc_A12690:				; CODE XREF: WheaAttemptPhysicalPageOffline(x,x,x)+C4j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_WheaAttemptPhysicalPageOffline@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapAttemptPhysicalPageOffline(x, x, x, x,	x, x)
_WheapAttemptPhysicalPageOffline@24 proc near ;	CODE XREF: WheaAttemptClearPoison(x,x,x)+AEp
					; WheaAttemptPhysicalPageOffline(x,x,x)+D1p ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_B		= dword	ptr -0Bh
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+54h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	29h		; size_t
		lea	eax, [esp+64h+var_30]
		mov	[esp+64h+var_40], edx
		mov	ebx, ecx
		push	0		; int
		push	eax		; void *
		mov	[esp+6Ch+var_50], ebx
		call	_memset
		and	[esp+6Ch+var_34], 0
		mov	esi, ebx
		mov	bh, [ebp+arg_0]
		xor	ecx, ecx
		shld	ecx, esi, 0Ch
		xor	edx, edx
		mov	byte ptr [esp+6Ch+var_4C], 0
		shl	esi, 0Ch
		add	esp, 0Ch
		inc	edx
		mov	[esp+60h+var_3C], ecx
		mov	[esp+60h+var_48], esi
		mov	[esp+60h+var_44], ecx
		mov	[esp+60h+var_38], 1000h
		test	bh, bh
		jnz	short loc_A12711
		mov	eax, esi
		mov	[esp+60h+var_44], ecx
		or	eax, edx
		mov	[esp+60h+var_54], edx
		mov	[esp+60h+var_48], eax
		jmp	short loc_A12719
; 

loc_A12711:				; CODE XREF: WheapAttemptPhysicalPageOffline(x,x,x,x,x,x)+65j
		mov	[esp+60h+var_54], 2

loc_A12719:				; CODE XREF: WheapAttemptPhysicalPageOffline(x,x,x,x,x,x)+77j
		lea	eax, [esp+60h+var_38]
		or	bl, 0FFh
		push	eax
		lea	eax, [esp+64h+var_48]
		push	eax
		call	_MmMarkPhysicalMemoryAsBad@8 ; MmMarkPhysicalMemoryAsBad(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A12799
		setz	bl
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	short loc_A12799
		mov	eax, [esp+60h+var_54]
		and	[esp+60h+var_24], 0
		mov	[esp+60h+var_10], eax
		mov	eax, [esp+60h+var_50]
		mov	[esp+60h+var_B], eax
		lea	eax, [esp+60h+var_30]
		push	eax
		mov	[esp+64h+var_30], 674C6857h
		mov	[esp+64h+var_2C], 1
		mov	[esp+64h+var_28], 29h
		mov	[esp+64h+var_1C], 80000006h
		mov	[esp+64h+var_20], 4C4E524Bh
		mov	[esp+64h+var_18], 2
		mov	[esp+64h+var_14], 9
		mov	[esp+64h+var_C], bl
		call	WheaLogInternalEvent

loc_A12799:				; CODE XREF: WheapAttemptPhysicalPageOffline(x,x,x,x,x,x)+97j
					; WheapAttemptPhysicalPageOffline(x,x,x,x,x,x)+A4j
		cmp	_WheapPolicyMemPersistOffline, 0
		jz	short loc_A127B8
		mov	ecx, [esp+60h+var_50]
		call	_WheaPersistBadPageToBcd@4 ; WheaPersistBadPageToBcd(x)
		test	eax, eax
		jns	short loc_A127B3
		mov	edi, eax
		jmp	short loc_A127B8
; 

loc_A127B3:				; CODE XREF: WheapAttemptPhysicalPageOffline(x,x,x,x,x,x)+115j
		mov	byte ptr [esp+60h+var_4C], 1

loc_A127B8:				; CODE XREF: WheapAttemptPhysicalPageOffline(x,x,x,x,x,x)+108j
					; WheapAttemptPhysicalPageOffline(x,x,x,x,x,x)+119j
		mov	eax, 0FFh
		cmp	bl, al
		jz	short loc_A127C6
		test	bl, bl
		setz	al

loc_A127C6:				; CODE XREF: WheapAttemptPhysicalPageOffline(x,x,x,x,x,x)+127j
		push	[esp+60h+var_40]
		mov	dl, bh
		mov	cl, al
		push	[esp+64h+var_4C]
		push	[esp+68h+var_3C]
		push	esi
		call	_WheapLogPageOfflineAttemptEvent@24 ; WheapLogPageOfflineAttemptEvent(x,x,x,x,x,x)
		mov	ecx, [esp+60h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
_WheapAttemptPhysicalPageOffline@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapAttemptPhysicalPageOfflineWorker(x)
_WheapAttemptPhysicalPageOfflineWorker@4 proc near
					; DATA XREF: WheaAttemptClearPoison(x,x,x)+76o
					; WheaAttemptPhysicalPageOffline(x,x,x)+96o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	dword ptr [esi+4]
		movzx	eax, byte ptr [esi+0Dh]
		push	dword ptr [esi]
		mov	dl, [esi+0Ch]
		push	ecx
		mov	ecx, [esi+8]
		push	eax
		call	_WheapAttemptPhysicalPageOffline@24 ; WheapAttemptPhysicalPageOffline(x,x,x,x,x,x)
		push	0
		mov	[esi+10h], eax
		lea	eax, [esi+14h]
		push	0
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	esi
		pop	ebp
		retn	4
_WheapAttemptPhysicalPageOfflineWorker@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapCountBadPageExtents(x,	x)
_WheapCountBadPageExtents@8 proc near	; CODE XREF: WheaPersistBadPageToBcd(x)+14Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_8], edx
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	short loc_A12878
		xor	ecx, ecx
		inc	eax
		push	ebx
		mov	ebx, [esi+4]
		inc	ecx
		push	edi
		mov	edi, [esi]
		cmp	edx, ecx
		jbe	short loc_A12876

loc_A12849:				; CODE XREF: WheapCountBadPageExtents(x,x)+4Ej
		mov	edx, [esi+ecx*8]
		add	edi, 1
		mov	[ebp+var_4], edx
		mov	edx, [esi+ecx*8+4]
		adc	ebx, 0
		mov	[ebp+var_C], edx
		cmp	edx, ebx
		mov	edx, [ebp+var_8]
		jb	short loc_A1286B
		ja	short loc_A1286A
		cmp	[ebp+var_4], edi
		jbe	short loc_A1286B

loc_A1286A:				; CODE XREF: WheapCountBadPageExtents(x,x)+3Dj
		inc	eax

loc_A1286B:				; CODE XREF: WheapCountBadPageExtents(x,x)+3Bj
					; WheapCountBadPageExtents(x,x)+42j
		mov	edi, [ebp+var_4]
		inc	ecx
		mov	ebx, [ebp+var_C]
		cmp	ecx, edx
		jb	short loc_A12849

loc_A12876:				; CODE XREF: WheapCountBadPageExtents(x,x)+21j
		pop	edi
		pop	ebx

loc_A12878:				; CODE XREF: WheapCountBadPageExtents(x,x)+12j
		pop	esi
		leave
		retn
_WheapCountBadPageExtents@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapIsPageInList(x, x, x)
_WheapIsPageInList@12 proc near		; CODE XREF: WheaPersistBadPageToBcd(x)+11Dp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		mov	esi, ecx
		test	edx, edx
		jz	short loc_A128A3

loc_A1288C:				; CODE XREF: WheapIsPageInList(x,x,x)+22j
		mov	eax, [edi+esi*8]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_A1289A
		cmp	[edi+esi*8+4], ecx
		jz	short loc_A128A1

loc_A1289A:				; CODE XREF: WheapIsPageInList(x,x,x)+17j
		inc	esi
		cmp	esi, edx
		jb	short loc_A1288C
		jmp	short loc_A128A3
; 

loc_A128A1:				; CODE XREF: WheapIsPageInList(x,x,x)+1Dj
		mov	cl, 1

loc_A128A3:				; CODE XREF: WheapIsPageInList(x,x,x)+Fj
					; WheapIsPageInList(x,x,x)+24j
		pop	edi
		mov	al, cl
		pop	esi
		pop	ebp
		retn	4
_WheapIsPageInList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapSortBadPages(x, x)
_WheapSortBadPages@8 proc near		; CODE XREF: WheaPersistBadPageToBcd(x)+142p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		cmp	edx, 2
		jb	short locret_A1291F
		push	esi
		xor	esi, esi
		sub	edx, 1
		mov	[ebp+var_10], edx
		jz	short loc_A1291E
		push	ebx
		push	edi

loc_A128C5:				; CODE XREF: WheapSortBadPages(x,x)+6Fj
		mov	eax, edx
		xor	bl, bl
		cmp	eax, esi
		jbe	short loc_A1291C

loc_A128CD:				; CODE XREF: WheapSortBadPages(x,x)+63j
		mov	edx, [ecx+eax*8-4]
		mov	edi, [ecx+eax*8-8]
		mov	[ebp+var_8], edx
		mov	edx, [ecx+eax*8+4]
		mov	[ebp+var_4], edi
		mov	edi, [ecx+eax*8]
		mov	[ebp+var_C], edx
		cmp	[ebp+var_8], edx
		jb	short loc_A1290B
		ja	short loc_A128F1
		cmp	[ebp+var_4], edi
		jbe	short loc_A1290B

loc_A128F1:				; CODE XREF: WheapSortBadPages(x,x)+3Fj
		mov	ebx, [ebp+var_C]
		mov	edx, [ebp+var_8]
		mov	[ecx+eax*8-4], ebx
		mov	ebx, [ebp+var_4]
		mov	[ecx+eax*8], ebx
		mov	bl, 1
		mov	[ecx+eax*8-8], edi
		mov	[ecx+eax*8+4], edx

loc_A1290B:				; CODE XREF: WheapSortBadPages(x,x)+3Dj
					; WheapSortBadPages(x,x)+44j
		dec	eax
		cmp	eax, esi
		ja	short loc_A128CD
		mov	edx, [ebp+var_10]
		test	bl, bl
		jz	short loc_A1291C
		inc	esi
		cmp	esi, edx
		jb	short loc_A128C5

loc_A1291C:				; CODE XREF: WheapSortBadPages(x,x)+20j
					; WheapSortBadPages(x,x)+6Aj
		pop	edi
		pop	ebx

loc_A1291E:				; CODE XREF: WheapSortBadPages(x,x)+16j
		pop	esi

locret_A1291F:				; CODE XREF: WheapSortBadPages(x,x)+Bj
		leave
		retn
_WheapSortBadPages@8 endp

; 

; __stdcall WheapApplyPolicyChanges()
_WheapApplyPolicyChanges@0:		; CODE XREF: WheapPfaReset():loc_A131E1p
		mov	edi, edi
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		mov	edi, ds:__imp__HalWheaUpdateCmciPolicy@8 ; HalWheaUpdateCmciPolicy(x,x)
		mov	esi, ebx

loc_A12930:				; CODE XREF: PAGE:00A12A8Bj
		cmp	ds:_WheaRegPolicyTableChanged[esi], bl
		jz	loc_A12A87
		cmp	esi, 0Dh
		jnb	loc_A12A95
		mov	eax, esi
		mov	ds:_WheaRegPolicyTableChanged[esi], bl
		shl	eax, 4
		mov	ecx, ds:off_A41B9C[eax]
		jmp	ds:off_A12A9D[esi*4]

loc_A1295D:				; DATA XREF: PAGE:off_A12A9Do
		cmp	[ecx], ebx
		setnz	_WheapPolicyDisableOffline
		or	_WheaRegistryKeysPresent, 1
		jmp	loc_A12A87
; 

loc_A12972:				; CODE XREF: PAGE:00A12956j
					; DATA XREF: PAGE:00A12AA1o
		cmp	[ecx], ebx
		setnz	_WheapPolicyMemPersistOffline
		or	_WheaRegistryKeysPresent, 2
		jmp	loc_A12A87
; 

loc_A12987:				; CODE XREF: PAGE:00A12956j
					; DATA XREF: PAGE:00A12AA5o
		cmp	[ecx], ebx
		setnz	_WheapPolicyMemPfaDisable
		or	_WheaRegistryKeysPresent, 4
		jmp	loc_A12A87
; 

loc_A1299C:				; CODE XREF: PAGE:00A12956j
					; DATA XREF: PAGE:00A12AA9o
		mov	eax, [ecx]
		or	_WheaRegistryKeysPresent, 8
		mov	_WheapPolicyMemPfaPageCount, eax
		jmp	loc_A12A87
; 

loc_A129AF:				; CODE XREF: PAGE:00A12956j
					; DATA XREF: PAGE:00A12AADo
		mov	eax, [ecx]
		or	_WheaRegistryKeysPresent, 10h
		mov	_WheapPolicyMemPfaThreshold, eax
		jmp	loc_A12A87
; 

loc_A129C2:				; CODE XREF: PAGE:00A12956j
					; DATA XREF: PAGE:00A12AB1o
		mov	eax, [ecx]
		mov	ecx, (offset loc_98967E+2)
		mul	ecx
		or	_WheaRegistryKeysPresent, 20h
		mov	_WheapPolicyMemPfaTimeout, eax
		mov	dword_6B68EC, edx
		jmp	loc_A12A87
; 

loc_A129E2:				; CODE XREF: PAGE:00A12956j
					; DATA XREF: PAGE:00A12AB5o
		xor	eax, eax
		cmp	[ecx], ebx
		setnz	al
		or	_WheaRegistryKeysPresent, 100h
		mov	_WheaRegPolicyIgnoreDummyWrite,	eax
		jmp	loc_A12A87
; 

loc_A129FD:				; CODE XREF: PAGE:00A12956j
					; DATA XREF: PAGE:00A12AB9o
		cmp	[ecx], ebx
		setnz	al
		or	_WheaRegistryKeysPresent, 200h
		mov	_WheapPolicyRestoreCmciEnabled,	al
		movzx	eax, al
		push	eax
		push	7
		jmp	short loc_A12A85
; 

loc_A12A19:				; CODE XREF: PAGE:00A12956j
					; DATA XREF: PAGE:00A12ABDo
		mov	eax, [ecx]
		or	_WheaRegistryKeysPresent, 400h
		push	eax
		mov	_WheapPolicyRestoreCmciMaxAttempts, eax
		push	8
		jmp	short loc_A12A85
; 

loc_A12A2F:				; CODE XREF: PAGE:00A12956j
					; DATA XREF: PAGE:00A12AC1o
		mov	eax, [ecx]
		or	_WheaRegistryKeysPresent, 800h
		push	eax
		mov	_WheapPolicyRestoreCmciErrorLimit, eax
		push	9
		jmp	short loc_A12A85
; 

loc_A12A45:				; CODE XREF: PAGE:00A12956j
					; DATA XREF: PAGE:00A12AC5o
		mov	eax, [ecx]
		or	_WheaRegistryKeysPresent, 1000h
		push	eax
		mov	_WheapPolicyCmciThresholdCount,	eax
		push	0Ah
		jmp	short loc_A12A85
; 

loc_A12A5B:				; CODE XREF: PAGE:00A12956j
					; DATA XREF: PAGE:00A12AC9o
		mov	eax, [ecx]
		or	_WheaRegistryKeysPresent, 2000h
		push	eax
		mov	_WheapPolicyCmciThresholdTime, eax
		push	0Bh
		jmp	short loc_A12A85
; 

loc_A12A71:				; CODE XREF: PAGE:00A12956j
					; DATA XREF: PAGE:00A12ACDo
		mov	eax, [ecx]
		or	_WheaRegistryKeysPresent, 4000h
		push	eax
		mov	_WheapPolicyCmciThresholdPollCount, eax
		push	0Ch

loc_A12A85:				; CODE XREF: PAGE:00A12A17j
					; PAGE:00A12A2Dj ...
		call	edi

loc_A12A87:				; CODE XREF: PAGE:00A12936j
					; PAGE:00A1296Dj ...
		inc	esi
		cmp	esi, 0Dh
		jb	loc_A12930
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_A12A95:				; CODE XREF: PAGE:00A1293Fj
		call	___report_rangecheckfailure
		lea	ecx, [ecx+0]
; 
off_A12A9D	dd offset loc_A1295D	; DATA XREF: PAGE:00A12956r
		dd offset loc_A12972
		dd offset loc_A12987
		dd offset loc_A1299C
		dd offset loc_A129AF
		dd offset loc_A129C2
		dd offset loc_A129E2
		dd offset loc_A129FD
		dd offset loc_A12A19
		dd offset loc_A12A2F
		dd offset loc_A12A45
		dd offset loc_A12A5B
		dd offset loc_A12A71

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapCommitPolicy()
_WheapCommitPolicy@0 proc near		; CODE XREF: WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+3Cp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@FNODOBFM@
		push	edi
		push	2
		call	_RtlCheckRegistryKey@8 ; RtlCheckRegistryKey(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A12B0C
		push	offset ??_C@_19MBPIHHGH@?$AAW?$AAH?$AAE?$AAA@FNODOBFM@
		push	2
		call	_RtlCreateRegistryKey@8	; RtlCreateRegistryKey(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A12B5F
		push	edi
		push	2
		call	_RtlCreateRegistryKey@8	; RtlCreateRegistryKey(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A12B5F

loc_A12B0C:				; CODE XREF: WheapCommitPolicy()+19j
		xor	eax, eax
		push	ebx
		mov	[ebp+var_4], eax
		mov	edi, eax
		mov	ebx, offset _WheaRegPolicyTable

loc_A12B19:				; CODE XREF: WheapCommitPolicy()+77j
		cmp	ds:_WheaRegPolicyTableChanged[edi], 0
		jz	short loc_A12B41
		push	4
		push	dword ptr [ebx+4]
		mov	byte ptr [ebp+var_4], 1
		push	4
		push	dword ptr [ebx]
		push	offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@NNGAKEGL@
		push	2
		call	_RtlWriteRegistryValue@24 ; RtlWriteRegistryValue(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A12B59

loc_A12B41:				; CODE XREF: WheapCommitPolicy()+4Fj
		inc	edi
		add	ebx, 10h
		cmp	edi, 0Dh
		jb	short loc_A12B19
		test	esi, esi
		js	short loc_A12B59
		cmp	byte ptr [ebp+var_4], 0
		jz	short loc_A12B59
		call	_WheapPfaReset@0 ; WheapPfaReset()

loc_A12B59:				; CODE XREF: WheapCommitPolicy()+6Ej
					; WheapCommitPolicy()+7Bj ...
		call	_WheapLogPolicyTelemetry@0 ; WheapLogPolicyTelemetry()
		pop	ebx

loc_A12B5F:				; CODE XREF: WheapCommitPolicy()+2Bj
					; WheapCommitPolicy()+39j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_WheapCommitPolicy@0 endp


;  S U B	R O U T	I N E 


; __stdcall WheapGetAllPolicyBufferSize()
_WheapGetAllPolicyBufferSize@0 proc near
					; CODE XREF: WheapWmiExecutePolicyManagementMethod(x,x,x,x,x):loc_6922E3p
		push	34h
		pop	eax
		retn
_WheapGetAllPolicyBufferSize@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapGetAllPolicyValues(x, x, x)
_WheapGetAllPolicyValues@12 proc near	; CODE XREF: WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+CDp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	edx, 34h
		jnb	short loc_A12B7A
		mov	eax, 0C0000023h
		jmp	short loc_A12B9F
; 

loc_A12B7A:				; CODE XREF: WheapGetAllPolicyValues(x,x,x)+8j
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		mov	dword ptr [ecx], 0Dh

loc_A12B87:				; CODE XREF: WheapGetAllPolicyValues(x,x,x)+32j
		mov	edx, edi
		mov	ecx, esi
		call	_WheapGetPolicyValue@8 ; WheapGetPolicyValue(x,x)
		test	eax, eax
		js	short loc_A12B9D
		inc	esi
		add	edi, 4
		cmp	esi, 0Dh
		jb	short loc_A12B87

loc_A12B9D:				; CODE XREF: WheapGetAllPolicyValues(x,x,x)+29j
		pop	edi
		pop	esi

loc_A12B9F:				; CODE XREF: WheapGetAllPolicyValues(x,x,x)+Fj
		pop	ebp
		retn	4
_WheapGetAllPolicyValues@12 endp


;  S U B	R O U T	I N E 


; __stdcall WheapGetPolicyValue(x, x)
_WheapGetPolicyValue@8 proc near	; CODE XREF: WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+8Fp
					; WheapGetAllPolicyValues(x,x,x)+22p
		mov	edi, edi
		push	esi
		mov	esi, edx
		cmp	ecx, 0Dh
		jb	short loc_A12BB4
		mov	eax, 0C000000Dh
		pop	esi
		retn
; 

loc_A12BB4:				; CODE XREF: WheapGetPolicyValue(x,x)+8j
		jmp	ds:off_A12C3F[ecx*4]

loc_A12BBB:				; DATA XREF: PAGE:off_A12C3Fo
		xor	eax, eax
		cmp	_WheapPolicyDisableOffline, al

loc_A12BC3:				; CODE XREF: WheapGetPolicyValue(x,x)+2Dj
					; WheapGetPolicyValue(x,x)+37j	...
		setnz	al
		jmp	short loc_A12C39
; 

loc_A12BC8:				; CODE XREF: WheapGetPolicyValue(x,x):loc_A12BB4j
					; DATA XREF: PAGE:00A12C43o
		xor	eax, eax
		cmp	_WheapPolicyMemPersistOffline, al
		jmp	short loc_A12BC3
; 

loc_A12BD2:				; CODE XREF: WheapGetPolicyValue(x,x):loc_A12BB4j
					; DATA XREF: PAGE:00A12C47o
		xor	eax, eax
		cmp	_WheapPolicyMemPfaDisable, al
		jmp	short loc_A12BC3
; 

loc_A12BDC:				; CODE XREF: WheapGetPolicyValue(x,x):loc_A12BB4j
					; DATA XREF: PAGE:00A12C4Bo
		mov	eax, _WheapPolicyMemPfaPageCount
		jmp	short loc_A12C39
; 

loc_A12BE3:				; CODE XREF: WheapGetPolicyValue(x,x):loc_A12BB4j
					; DATA XREF: PAGE:00A12C4Fo
		mov	eax, _WheapPolicyMemPfaThreshold
		jmp	short loc_A12C39
; 

loc_A12BEA:				; CODE XREF: WheapGetPolicyValue(x,x):loc_A12BB4j
					; DATA XREF: PAGE:00A12C53o
		push	0
		push	(offset	loc_98967E+2)
		push	dword_6B68EC
		push	_WheapPolicyMemPfaTimeout
		call	__aulldiv
		jmp	short loc_A12C39
; 

loc_A12C04:				; CODE XREF: WheapGetPolicyValue(x,x):loc_A12BB4j
					; DATA XREF: PAGE:00A12C57o
		xor	eax, eax
		cmp	_WheaRegPolicyIgnoreDummyWrite,	eax
		jmp	short loc_A12BC3
; 

loc_A12C0E:				; CODE XREF: WheapGetPolicyValue(x,x):loc_A12BB4j
					; DATA XREF: PAGE:00A12C5Bo
		xor	eax, eax
		cmp	_WheapPolicyRestoreCmciEnabled,	al
		jmp	short loc_A12BC3
; 

loc_A12C18:				; CODE XREF: WheapGetPolicyValue(x,x):loc_A12BB4j
					; DATA XREF: PAGE:00A12C5Fo
		mov	eax, _WheapPolicyRestoreCmciMaxAttempts
		jmp	short loc_A12C39
; 

loc_A12C1F:				; CODE XREF: WheapGetPolicyValue(x,x):loc_A12BB4j
					; DATA XREF: PAGE:00A12C63o
		mov	eax, _WheapPolicyRestoreCmciErrorLimit
		jmp	short loc_A12C39
; 

loc_A12C26:				; CODE XREF: WheapGetPolicyValue(x,x):loc_A12BB4j
					; DATA XREF: PAGE:00A12C67o
		mov	eax, _WheapPolicyCmciThresholdCount
		jmp	short loc_A12C39
; 

loc_A12C2D:				; CODE XREF: WheapGetPolicyValue(x,x):loc_A12BB4j
					; DATA XREF: PAGE:00A12C6Bo
		mov	eax, _WheapPolicyCmciThresholdTime
		jmp	short loc_A12C39
; 

loc_A12C34:				; CODE XREF: WheapGetPolicyValue(x,x):loc_A12BB4j
					; DATA XREF: PAGE:00A12C6Fo
		mov	eax, _WheapPolicyCmciThresholdPollCount

loc_A12C39:				; CODE XREF: WheapGetPolicyValue(x,x)+23j
					; WheapGetPolicyValue(x,x)+3Ej	...
		mov	[esi], eax
		xor	eax, eax
		pop	esi
		retn
_WheapGetPolicyValue@8 endp

; 
off_A12C3F	dd offset loc_A12BBB	; DATA XREF: WheapGetPolicyValue(x,x):loc_A12BB4r
		dd offset loc_A12BC8
		dd offset loc_A12BD2
		dd offset loc_A12BDC
		dd offset loc_A12BE3
		dd offset loc_A12BEA
		dd offset loc_A12C04
		dd offset loc_A12C0E
		dd offset loc_A12C18
		dd offset loc_A12C1F
		dd offset loc_A12C26
		dd offset loc_A12C2D
		dd offset loc_A12C34

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapLogPolicyTelemetry()
_WheapLogPolicyTelemetry@0 proc	near	; CODE XREF: WheapCommitPolicy():loc_A12B59p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= byte ptr -14h
var_13		= byte ptr -13h
var_12		= byte ptr -12h
var_11		= dword	ptr -11h
var_D		= dword	ptr -0Dh
var_9		= dword	ptr -9
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, _WheaRegistryKeysPresent
		and	[ebp+var_2C], 0
		mov	[ebp+var_18], eax
		mov	al, _WheapPolicyDisableOffline
		mov	[ebp+var_14], al
		mov	al, _WheapPolicyMemPersistOffline
		push	0
		mov	[ebp+var_13], al
		mov	al, _WheapPolicyMemPfaDisable
		push	989680h
		push	dword_6B68EC
		mov	[ebp+var_12], al
		mov	eax, _WheapPolicyMemPfaPageCount
		push	_WheapPolicyMemPfaTimeout
		mov	[ebp+var_11], eax
		mov	eax, _WheapPolicyMemPfaThreshold
		mov	[ebp+var_38], 674C6857h
		mov	[ebp+var_34], 1
		mov	[ebp+var_30], 33h
		mov	[ebp+var_24], 80000008h
		mov	[ebp+var_28], 4C4E524Bh
		mov	[ebp+var_20], 2
		mov	[ebp+var_1C], 13h
		mov	[ebp+var_D], eax
		call	__aulldiv
		mov	[ebp+var_9], eax
		lea	eax, [ebp+var_38]
		push	eax
		call	WheaLogInternalEvent
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_WheapLogPolicyTelemetry@0 endp


;  S U B	R O U T	I N E 


; __stdcall WheapSetPolicyValue(x, x)
_WheapSetPolicyValue@8 proc near	; CODE XREF: WheapWmiExecutePolicyManagementMethod(x,x,x,x,x)+68p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		cmp	edi, 0Dh
		jnb	loc_A12E09
		mov	esi, [edx]
		mov	eax, edi
		shl	eax, 4
		cmp	esi, ds:dword_A41BA0[eax]
		jb	loc_A12E09
		cmp	esi, ds:dword_A41BA4[eax]
		ja	loc_A12E09
		lfence	eax
		mov	ebx, ds:off_A41B9C[eax]
		cmp	dword ptr [ebx], 0FFFFFFFFh
		jnz	loc_A12DED
		jmp	ds:off_A12E12[edi*4]

loc_A12D62:				; DATA XREF: PAGE:off_A12E12o
		movzx	eax, _WheapPolicyDisableOffline

loc_A12D69:				; CODE XREF: WheapSetPolicyValue(x,x)+64j
					; WheapSetPolicyValue(x,x)+6Dj
		xor	ecx, ecx
		test	esi, esi
		setnz	cl
		cmp	ecx, eax
		jmp	loc_A12DF8
; 

loc_A12D77:				; CODE XREF: WheapSetPolicyValue(x,x)+41j
					; DATA XREF: PAGE:00A12E16o
		movzx	eax, _WheapPolicyMemPersistOffline
		jmp	short loc_A12D69
; 

loc_A12D80:				; CODE XREF: WheapSetPolicyValue(x,x)+41j
					; DATA XREF: PAGE:00A12E1Ao
		movzx	eax, _WheapPolicyMemPfaDisable
		jmp	short loc_A12D69
; 

loc_A12D89:				; CODE XREF: WheapSetPolicyValue(x,x)+41j
					; DATA XREF: PAGE:00A12E1Eo
		cmp	esi, _WheapPolicyMemPfaPageCount
		jmp	short loc_A12DF8
; 

loc_A12D91:				; CODE XREF: WheapSetPolicyValue(x,x)+41j
					; DATA XREF: PAGE:00A12E22o
		cmp	esi, _WheapPolicyMemPfaThreshold
		jmp	short loc_A12DF8
; 

loc_A12D99:				; CODE XREF: WheapSetPolicyValue(x,x)+41j
					; DATA XREF: PAGE:00A12E26o
		push	0
		push	(offset	loc_98967E+2)
		push	dword_6B68EC
		push	_WheapPolicyMemPfaTimeout
		call	__aulldiv
		cmp	esi, eax
		jmp	short loc_A12DF8
; 

loc_A12DB5:				; CODE XREF: WheapSetPolicyValue(x,x)+41j
					; DATA XREF: PAGE:00A12E2Ao
		cmp	esi, _WheaRegPolicyIgnoreDummyWrite
		jmp	short loc_A12DF8
; 

loc_A12DBD:				; CODE XREF: WheapSetPolicyValue(x,x)+41j
					; DATA XREF: PAGE:00A12E2Eo
		cmp	esi, _WheapRegPolicyRestoreCmciEnabled
		jmp	short loc_A12DF8
; 

loc_A12DC5:				; CODE XREF: WheapSetPolicyValue(x,x)+41j
					; DATA XREF: PAGE:00A12E32o
		cmp	esi, _WheapRegPolicyRestoreCmciMaxAttempts
		jmp	short loc_A12DF8
; 

loc_A12DCD:				; CODE XREF: WheapSetPolicyValue(x,x)+41j
					; DATA XREF: PAGE:00A12E36o
		cmp	esi, _WheapRegPolicyRestoreCmciErrorLimit
		jmp	short loc_A12DF8
; 

loc_A12DD5:				; CODE XREF: WheapSetPolicyValue(x,x)+41j
					; DATA XREF: PAGE:00A12E3Ao
		cmp	esi, _WheapRegPolicyCmciThresholdCount
		jmp	short loc_A12DF8
; 

loc_A12DDD:				; CODE XREF: WheapSetPolicyValue(x,x)+41j
					; DATA XREF: PAGE:00A12E3Eo
		cmp	esi, _WheapRegPolicyCmciThresholdTime
		jmp	short loc_A12DF8
; 

loc_A12DE5:				; CODE XREF: WheapSetPolicyValue(x,x)+41j
					; DATA XREF: PAGE:00A12E42o
		cmp	esi, _WheapRegPolicyCmciThresholdPollCount
		jmp	short loc_A12DF8
; 

loc_A12DED:				; CODE XREF: WheapSetPolicyValue(x,x)+3Bj
		lfence	eax
		mov	ebx, ds:off_A41B9C[eax]
		cmp	[ebx], esi

loc_A12DF8:				; CODE XREF: WheapSetPolicyValue(x,x)+58j
					; WheapSetPolicyValue(x,x)+75j	...
		jnz	short loc_A12DFE

loc_A12DFA:				; CODE XREF: WheapSetPolicyValue(x,x)+EDj
		xor	eax, eax
		jmp	short loc_A12E0E
; 

loc_A12DFE:				; CODE XREF: WheapSetPolicyValue(x,x):loc_A12DF8j
		mov	[ebx], esi
		mov	ds:_WheaRegPolicyTableChanged[edi], 1
		jmp	short loc_A12DFA
; 

loc_A12E09:				; CODE XREF: WheapSetPolicyValue(x,x)+Aj
					; WheapSetPolicyValue(x,x)+1Dj	...
		mov	eax, 0C000000Dh

loc_A12E0E:				; CODE XREF: WheapSetPolicyValue(x,x)+E2j
		pop	edi
		pop	esi
		pop	ebx
		retn
_WheapSetPolicyValue@8 endp

; 
off_A12E12	dd offset loc_A12D62	; DATA XREF: WheapSetPolicyValue(x,x)+41r
		dd offset loc_A12D77
		dd offset loc_A12D80
		dd offset loc_A12D89
		dd offset loc_A12D91
		dd offset loc_A12D99
		dd offset loc_A12DB5
		dd offset loc_A12DBD
		dd offset loc_A12DC5
		dd offset loc_A12DCD
		dd offset loc_A12DD5
		dd offset loc_A12DDD
		dd offset loc_A12DE5

;  S U B	R O U T	I N E 


; __stdcall WheapReportDeferredLiveDumps()
_WheapReportDeferredLiveDumps@0	proc near
					; CODE XREF: WheaCrashDumpInitializationComplete():loc_8B5C55p
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, offset _WheapLiveDumpLock
		xor	esi, esi
		push	edi
		mov	ecx, ebx
		call	ExAcquireFastMutex
		mov	eax, _WheapLiveDumpRecordList
		mov	ecx, offset _WheapLiveDumpRecordList
		cmp	eax, ecx
		jz	short loc_A12E81
		mov	esi, eax
		cmp	[esi+4], ecx
		jnz	loc_A12EF5
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_A12EF5
		mov	_WheapLiveDumpRecordList, eax
		mov	[eax+4], ecx

loc_A12E81:				; CODE XREF: WheapReportDeferredLiveDumps()+1Fj
		mov	ecx, ebx
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)
		xor	bl, bl
		xor	edi, edi
		jmp	short loc_A12EEB
; 

loc_A12E8E:				; CODE XREF: WheapReportDeferredLiveDumps()+A7j
		test	bl, bl
		jnz	short loc_A12E9B
		mov	ecx, esi
		call	_WheapReportLiveDump@4 ; WheapReportLiveDump(x)
		mov	edi, eax

loc_A12E9B:				; CODE XREF: WheapReportDeferredLiveDumps()+4Aj
		push	61656857h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	bl, bl
		jnz	short loc_A12EB0
		test	edi, edi
		jz	short loc_A12EB0
		inc	bl

loc_A12EB0:				; CODE XREF: WheapReportDeferredLiveDumps()+62j
					; WheapReportDeferredLiveDumps()+66j
		mov	ecx, offset _WheapLiveDumpLock
		call	ExAcquireFastMutex
		mov	esi, _WheapLiveDumpRecordList
		mov	ecx, offset _WheapLiveDumpRecordList
		cmp	esi, ecx
		jz	short loc_A12EDF
		cmp	[esi+4], ecx
		jnz	short loc_A12EF5
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_A12EF5
		mov	_WheapLiveDumpRecordList, eax
		mov	[eax+4], ecx
		jmp	short loc_A12EE1
; 

loc_A12EDF:				; CODE XREF: WheapReportDeferredLiveDumps()+81j
		xor	esi, esi

loc_A12EE1:				; CODE XREF: WheapReportDeferredLiveDumps()+97j
		mov	ecx, offset _WheapLiveDumpLock
		call	@ExReleaseFastMutex@4 ;	ExReleaseFastMutex(x)

loc_A12EEB:				; CODE XREF: WheapReportDeferredLiveDumps()+46j
		test	esi, esi
		jnz	short loc_A12E8E
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_A12EF5:				; CODE XREF: WheapReportDeferredLiveDumps()+26j
					; WheapReportDeferredLiveDumps()+31j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_WheapReportDeferredLiveDumps@0	endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapReportLiveDump(x)
_WheapReportLiveDump@4 proc near	; CODE XREF: WheapCreateLiveDumpFromPreviousSession(x)+60p
					; WheapReportDeferredLiveDumps()+4Ep

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ecx+8]
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+0Ch]
		xor	ebx, ebx
		mov	[ebp+var_10], eax
		movzx	eax, word ptr [edi+0Ah]
		lea	esi, [edi+80h]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_A12F49

loc_A12F29:				; CODE XREF: WheapReportLiveDump(x)+4Dj
		push	10h		; size_t
		lea	eax, [esi+10h]
		push	(offset	loc_42E096+2) ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A12F67
		add	esi, 48h
		inc	ebx
		cmp	ebx, [ebp+var_C]
		jb	short loc_A12F29

loc_A12F49:				; CODE XREF: WheapReportLiveDump(x)+2Dj
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]

loc_A12F4F:				; CODE XREF: WheapReportLiveDump(x)+82j
		push	ecx
		push	eax
		push	edi
		push	[ebp+var_10]
		call	_LkmdTelCreateReport@24	; LkmdTelCreateReport(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A12F7E
		mov	edi, 0C000009Ah
		jmp	short loc_A12FBC
; 

loc_A12F67:				; CODE XREF: WheapReportLiveDump(x)+44j
		mov	esi, [esi]
		mov	cl, 20h
		mov	eax, [esi+edi+28h]
		mov	edx, [esi+edi+2Ch]
		call	__aullshr
		mov	ecx, [esi+edi+28h]
		jmp	short loc_A12F4F
; 

loc_A12F7E:				; CODE XREF: WheapReportLiveDump(x)+64j
		push	dword ptr [edi+14h] ; size_t
		mov	edx, edi
		mov	ecx, esi
		call	_LkmdTelInsertTriageDataBlock@12 ; LkmdTelInsertTriageDataBlock(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A12F99
		mov	ecx, esi
		call	_LkmdTelSubmitReport@4 ; LkmdTelSubmitReport(x)
		mov	edi, eax

loc_A12F99:				; CODE XREF: WheapReportLiveDump(x)+94j
		cmp	dword ptr [esi+4], 0
		mov	ebx, 74614454h
		jbe	short loc_A12FB5
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_A12FB1
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A12FB1:				; CODE XREF: WheapReportLiveDump(x)+AEj
		and	dword ptr [esi+4], 0

loc_A12FB5:				; CODE XREF: WheapReportLiveDump(x)+A8j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A12FBC:				; CODE XREF: WheapReportLiveDump(x)+6Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_WheapReportLiveDump@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapPfaLogPageMonitorRemoval(x, x,	x, x)
_WheapPfaLogPageMonitorRemoval@16 proc near ; CODE XREF: WheapPfaMemoryCheck(x,x)+D4p
					; WheapPfaMemoryCheck(x,x)+13Bp ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_28], 0
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_34], 674C6857h
		mov	ecx, [ebp+arg_0]
		push	0
		push	(offset	loc_98967E+2)
		sub	ecx, [esi+10h]
		mov	[ebp+var_30], 1
		sbb	eax, [esi+14h]
		push	eax
		push	ecx
		mov	[ebp+var_2C], 30h
		mov	[ebp+var_20], 80000007h
		mov	[ebp+var_24], 4C4E524Bh
		mov	[ebp+var_1C], 2
		mov	[ebp+var_18], 10h
		mov	[ebp+var_14], edx
		call	__aulldiv
		mov	[ebp+var_10], eax
		movzx	eax, word ptr [esi+8]
		mov	[ebp+var_C], eax
		mov	eax, [esi+20h]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_34]
		push	eax
		call	WheaLogInternalEvent
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_WheapPfaLogPageMonitorRemoval@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapPfaMemoryCheck(x, x)
_WheapPfaMemoryCheck@8 proc near	; CODE XREF: WheapPredictiveFailureAnalysis(x)+D2p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	_WheapPolicyMemPfaDisable, 0
		push	ebx
		push	esi
		push	edi
		jnz	short loc_A130D9
		mov	eax, [edx]
		and	eax, 2
		or	eax, 0
		jz	short loc_A130D9
		mov	edi, [edx+10h]
		lea	eax, [ebp+var_8]
		mov	esi, [edx+14h]
		push	eax
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], esi
		call	_MmGetPageBadStatus@4 ;	MmGetPageBadStatus(x)
		test	eax, eax
		jnz	short loc_A130D9
		shrd	edi, esi, 0Ch
		call	KeQueryInterruptTime
		mov	ebx, eax
		mov	eax, edx
		push	eax
		push	ebx
		mov	[ebp+var_4], eax
		call	_WheapPfaRetireExpiredMemoryEntries@8 ;	WheapPfaRetireExpiredMemoryEntries(x,x)
		mov	esi, _WheapPfaList
		xor	ecx, ecx
		mov	edx, offset _WheapPfaList
		jmp	short loc_A130B9
; 

loc_A130AF:				; CODE XREF: WheapPfaMemoryCheck(x,x)+69j
		mov	eax, [esi]
		cmp	[esi+20h], edi
		jz	short loc_A130DE
		inc	ecx
		mov	esi, eax

loc_A130B9:				; CODE XREF: WheapPfaMemoryCheck(x,x)+5Bj
		cmp	esi, edx
		jnz	short loc_A130AF
		cmp	ecx, _WheapPolicyMemPfaPageCount
		jnb	short loc_A130FC
		push	61656857h
		push	28h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A1312B

loc_A130D9:				; CODE XREF: WheapPfaMemoryCheck(x,x)+12j
					; WheapPfaMemoryCheck(x,x)+1Cj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A130DE:				; CODE XREF: WheapPfaMemoryCheck(x,x)+62j
		cmp	[eax+4], esi
		jnz	loc_A131AC
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_A131AC
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, [ebp+var_4]
		jmp	short loc_A13153
; 

loc_A130FC:				; CODE XREF: WheapPfaMemoryCheck(x,x)+71j
		mov	esi, dword_6FD8CC
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_A131AC
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_A131AC
		push	[ebp+var_4]
		mov	[ecx], eax
		push	ebx
		push	3
		mov	[eax+4], ecx
		mov	ecx, esi
		pop	edx
		call	_WheapPfaLogPageMonitorRemoval@16 ; WheapPfaLogPageMonitorRemoval(x,x,x,x)

loc_A1312B:				; CODE XREF: WheapPfaMemoryCheck(x,x)+85j
		xor	ecx, ecx
		mov	edx, offset _WheapPfaList
		mov	[esi], ecx
		xor	eax, eax
		mov	[esi+4], ecx
		mov	[esi+0Ah], ecx
		mov	[esi+0Eh], ax
		mov	[esi+24h], ecx
		mov	ecx, [ebp+var_4]
		mov	[esi+8], ax
		mov	[esi+10h], ebx
		mov	[esi+14h], ecx
		mov	[esi+20h], edi

loc_A13153:				; CODE XREF: WheapPfaMemoryCheck(x,x)+A8j
		inc	word ptr [esi+8]
		movzx	eax, word ptr [esi+8]
		mov	[esi+18h], ebx
		mov	[esi+1Ch], ecx
		cmp	eax, _WheapPolicyMemPfaThreshold
		jnb	short loc_A13186
		mov	eax, _WheapPfaList
		cmp	[eax+4], edx
		jnz	short loc_A131AC
		mov	[esi], eax
		mov	[esi+4], edx
		mov	[eax+4], esi
		mov	_WheapPfaList, esi
		jmp	loc_A130D9
; 

loc_A13186:				; CODE XREF: WheapPfaMemoryCheck(x,x)+115j
		push	ecx
		xor	edx, edx
		mov	ecx, esi
		push	ebx
		inc	edx
		call	_WheapPfaLogPageMonitorRemoval@16 ; WheapPfaLogPageMonitorRemoval(x,x,x,x)
		push	0
		push	0
		push	edi
		call	_WheaAttemptPhysicalPageOffline@12 ; WheaAttemptPhysicalPageOffline(x,x,x)
		push	61656857h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_A130D9
; 

loc_A131AC:				; CODE XREF: WheapPfaMemoryCheck(x,x)+8Fj
					; WheapPfaMemoryCheck(x,x)+9Aj	...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_WheapPfaMemoryCheck@8 endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall WheapPfaReset()
_WheapPfaReset@0 proc near		; CODE XREF: WheapCommitPolicy()+83p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, offset _WheapPfaLock
		xor	edx, edx
		push	0
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_A131D9
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_A131D9:				; CODE XREF: WheapPfaReset()+1Cj
		test	esi, esi
		jz	short loc_A131E1
		or	byte ptr [esi+0Eh], 1

loc_A131E1:				; CODE XREF: WheapPfaReset()+2Aj
		call	_WheapApplyPolicyChanges@0 ; WheapApplyPolicyChanges()
		mov	esi, _WheapPfaList
		mov	ebx, offset _WheapPfaList
		jmp	short loc_A13215
; 

loc_A131F3:				; CODE XREF: WheapPfaReset()+66j
		mov	ecx, [esi]
		mov	eax, esi
		mov	esi, ecx
		cmp	[ecx+4], eax
		jnz	short loc_A13237
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_A13237
		push	61656857h
		mov	[edx], ecx
		push	eax
		mov	[ecx+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A13215:				; CODE XREF: WheapPfaReset()+40j
		cmp	esi, ebx
		jnz	short loc_A131F3
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1322D
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1322D:				; CODE XREF: WheapPfaReset()+73j
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	KeAbPostRelease
; 

loc_A13237:				; CODE XREF: WheapPfaReset()+4Bj
					; WheapPfaReset()+52j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_WheapPfaReset@0 endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapPfaRetireExpiredMemoryEntries(x, x)
_WheapPfaRetireExpiredMemoryEntries@8 proc near	; CODE XREF: WheapPfaMemoryCheck(x,x)+49p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, _WheapPolicyMemPfaTimeout
		mov	eax, edx
		mov	ecx, dword_6B68EC
		or	eax, ecx
		push	ebx
		push	esi
		push	edi
		jz	short loc_A132BF
		cmp	[ebp+arg_4], ecx
		jb	short loc_A132BF
		ja	short loc_A13263
		cmp	[ebp+arg_0], edx
		jb	short loc_A132BF

loc_A13263:				; CODE XREF: WheapPfaRetireExpiredMemoryEntries(x,x)+20j
		mov	ebx, [ebp+arg_0]
		mov	esi, _WheapPfaList
		sub	ebx, edx
		mov	edx, [ebp+arg_4]
		sbb	edx, ecx
		mov	[ebp+var_4], edx
		jmp	short loc_A132B7
; 

loc_A13278:				; CODE XREF: WheapPfaRetireExpiredMemoryEntries(x,x)+81j
		mov	edi, esi
		mov	esi, [esi]
		cmp	[edi+1Ch], edx
		ja	short loc_A132B7
		jb	short loc_A13288
		cmp	[edi+18h], ebx
		ja	short loc_A132B7

loc_A13288:				; CODE XREF: WheapPfaRetireExpiredMemoryEntries(x,x)+45j
		cmp	[esi+4], edi
		jnz	short loc_A132C6
		mov	eax, [edi+4]
		cmp	[eax], edi
		jnz	short loc_A132C6
		push	[ebp+arg_4]
		mov	[eax], esi
		mov	ecx, edi
		push	[ebp+arg_0]
		mov	[esi+4], eax
		push	2
		pop	edx
		call	_WheapPfaLogPageMonitorRemoval@16 ; WheapPfaLogPageMonitorRemoval(x,x,x,x)
		push	61656857h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [ebp+var_4]

loc_A132B7:				; CODE XREF: WheapPfaRetireExpiredMemoryEntries(x,x)+3Aj
					; WheapPfaRetireExpiredMemoryEntries(x,x)+43j ...
		cmp	esi, offset _WheapPfaList
		jnz	short loc_A13278

loc_A132BF:				; CODE XREF: WheapPfaRetireExpiredMemoryEntries(x,x)+19j
					; WheapPfaRetireExpiredMemoryEntries(x,x)+1Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_A132C6:				; CODE XREF: WheapPfaRetireExpiredMemoryEntries(x,x)+4Fj
					; WheapPfaRetireExpiredMemoryEntries(x,x)+56j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall WheapPlatformDirectedMemoryOffline(x, x)
_WheapPlatformDirectedMemoryOffline@8:	; CODE XREF: WheapPredictiveFailureAnalysis(x)+A0j
		mov	eax, [edx]
		and	eax, 2
		or	eax, 0
		jz	short locret_A132E9
		mov	ecx, [edx+10h]
		mov	eax, [edx+14h]
		push	0
		shrd	ecx, eax, 0Ch
		push	1
		push	ecx
		call	_WheaAttemptPhysicalPageOffline@12 ; WheaAttemptPhysicalPageOffline(x,x,x)

locret_A132E9:				; CODE XREF: WheapPfaRetireExpiredMemoryEntries(x,x)+97j
		retn
_WheapPfaRetireExpiredMemoryEntries@8 endp ; sp	= -14h


;  S U B	R O U T	I N E 


; __stdcall WheapPredictiveFailureAnalysis(x)
_WheapPredictiveFailureAnalysis@4 proc near ; CODE XREF: WheapProcessWorkQueueItem(x,x)+61p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	esi, [ebx+1Ch]
		push	esi
		call	ds:__imp__PshedDoPfa@4 ; PshedDoPfa(x)
		cmp	eax, 1
		jz	loc_A133DF
		cmp	_WheapPolicyDisableOffline, 0
		jnz	loc_A133DF
		cmp	_WheapPfaInitialized, 0
		jz	loc_A133DF
		movzx	eax, word ptr [esi+0Ah]
		test	ax, ax
		jz	loc_A133DF
		cmp	dword ptr [esi+0Ch], 2
		jnz	loc_A133DF
		test	byte ptr [esi+68h], 1
		jnz	loc_A133DF
		xor	ecx, ecx
		test	eax, eax
		jz	short loc_A13359
		lea	edi, [esi+80h]

loc_A1334B:				; CODE XREF: WheapPredictiveFailureAnalysis(x)+6Dj
		test	byte ptr [edi+0Ch], 1
		jnz	short loc_A1335F
		inc	ecx
		add	edi, 48h
		cmp	ecx, eax
		jb	short loc_A1334B

loc_A13359:				; CODE XREF: WheapPredictiveFailureAnalysis(x)+59j
		lea	edi, [esi+80h]

loc_A1335F:				; CODE XREF: WheapPredictiveFailureAnalysis(x)+65j
		push	10h		; size_t
		lea	eax, [edi+10h]
		push	offset _MEMORY_ERROR_SECTION_GUID ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A133DF
		mov	edi, [edi]
		mov	eax, [ebx+10h]
		add	edi, esi
		test	al, 4
		jz	short loc_A1338F
		test	al, 8
		jz	short loc_A133DF
		mov	edx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_WheapPlatformDirectedMemoryOffline@8 ;	WheapPlatformDirectedMemoryOffline(x,x)
; 

loc_A1338F:				; CODE XREF: WheapPredictiveFailureAnalysis(x)+95j
		mov	ebx, offset _WheapPfaLock
		xor	edx, edx
		push	0
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [ebx], 0
		jnb	short loc_A133B2
		push	ebx
		mov	edx, esi
		mov	ecx, ebx
		call	ExfAcquirePushLockExclusiveEx

loc_A133B2:				; CODE XREF: WheapPredictiveFailureAnalysis(x)+BCj
		test	esi, esi
		jz	short loc_A133BA
		or	byte ptr [esi+0Eh], 1

loc_A133BA:				; CODE XREF: WheapPredictiveFailureAnalysis(x)+CAj
		mov	edx, edi
		call	_WheapPfaMemoryCheck@8 ; WheapPfaMemoryCheck(x,x)
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A133D5
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A133D5:				; CODE XREF: WheapPredictiveFailureAnalysis(x)+E2j
		mov	ecx, ebx
		pop	edi
		pop	esi
		pop	ebx
		jmp	KeAbPostRelease
; 

loc_A133DF:				; CODE XREF: WheapPredictiveFailureAnalysis(x)+14j
					; WheapPredictiveFailureAnalysis(x)+21j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
_WheapPredictiveFailureAnalysis@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ApiSetLoadSchemaEx(x, x, x)
_ApiSetLoadSchemaEx@12 proc near	; CODE XREF: ApiSetLoadSchemaWithExtensions(x,x,x)+1Fp
					; ApiSetpLoadSchemaExtension+B4p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], edx
		push	eax
		mov	edx, ecx
		call	ApiSetpLoadSchemaImage
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_A13464
		push	ecx
		mov	ecx, edi
		call	ApiSetpFindImageSection
		test	eax, eax
		jnz	short loc_A13424
		mov	esi, 0C000007Bh
		jmp	short loc_A13464
; 

loc_A13424:				; CODE XREF: ApiSetLoadSchemaEx(x,x,x)+38j
		mov	ecx, [eax+14h]
		mov	ebx, [eax+10h]
		add	ecx, edi
		push	68635341h
		push	ebx
		push	1
		mov	[ebp+var_8], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_A1344A
		mov	esi, 0C0000017h
		jmp	short loc_A13464
; 

loc_A1344A:				; CODE XREF: ApiSetLoadSchemaEx(x,x,x)+5Ej
		push	ebx		; size_t
		push	[ebp+var_8]	; void *
		push	eax		; void *
		call	_memcpy
		mov	ecx, [ebp+var_C]
		add	esp, 0Ch
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx

loc_A13464:				; CODE XREF: ApiSetLoadSchemaEx(x,x,x)+2Cj
					; ApiSetLoadSchemaEx(x,x,x)+3Fj ...
		test	edi, edi
		jz	short loc_A13470
		push	edi
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)

loc_A13470:				; CODE XREF: ApiSetLoadSchemaEx(x,x,x)+83j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_ApiSetLoadSchemaEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ApiSetLoadSchemaWithExtensions(x, x, x)
_ApiSetLoadSchemaWithExtensions@12 proc	near ; CODE XREF: PspSiloLoadApiSets(x)+47p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		lea	eax, [ebp+var_C]
		or	[ebp+var_8], 0FFFFFFFFh
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, edx
		lea	edx, [ebp+var_4]
		push	eax
		call	_ApiSetLoadSchemaEx@12 ; ApiSetLoadSchemaEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A134EF
		mov	ecx, [ebp+var_4]
		call	_ApiSetIsSchemaSealed@4	; ApiSetIsSchemaSealed(x)
		test	al, al
		jnz	short loc_A134DA
		lea	ecx, [ebp+var_8]
		call	ApiSetpOpenSchemaExtensionsRootNode
		mov	esi, eax
		test	esi, esi
		jns	short loc_A134C9
		cmp	esi, 0C0000034h
		jnz	short loc_A134DA
		xor	esi, esi
		jmp	short loc_A134DA
; 

loc_A134C9:				; CODE XREF: ApiSetLoadSchemaWithExtensions(x,x,x)+42j
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		push	eax
		lea	edx, [ebp+var_4]
		call	ApiSetpLoadSchemaExtensions
		mov	esi, eax

loc_A134DA:				; CODE XREF: ApiSetLoadSchemaWithExtensions(x,x,x)+34j
					; ApiSetLoadSchemaWithExtensions(x,x,x)+4Aj ...
		test	esi, esi
		js	short loc_A134EF
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_4], 0
		mov	[edi], eax
		mov	eax, [ebp+var_C]
		mov	[ecx], eax

loc_A134EF:				; CODE XREF: ApiSetLoadSchemaWithExtensions(x,x,x)+28j
					; ApiSetLoadSchemaWithExtensions(x,x,x)+63j
		cmp	[ebp+var_8], 0FFFFFFFFh
		jz	short loc_A134FD
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_A134FD:				; CODE XREF: ApiSetLoadSchemaWithExtensions(x,x,x)+7Aj
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_A13509
		call	_ApiSetReleaseSchema@4 ; ApiSetReleaseSchema(x)

loc_A13509:				; CODE XREF: ApiSetLoadSchemaWithExtensions(x,x,x)+89j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
_ApiSetLoadSchemaWithExtensions@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ApiSetpConstructPathToExtension	proc near ; CODE XREF: ApiSetpLoadSchemaExtension+96p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [edx+2Ch]
		push	esi
		push	edi
		mov	word ptr [ebp+var_8+2],	ax
		mov	edi, ecx
		push	68635341h
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_A13545
		mov	esi, 0C0000017h
		jmp	short loc_A1358A
; 

loc_A13545:				; CODE XREF: ApiSetpConstructPathToExtension+2Bj
		push	offset ??_C@_1CM@JIIAJDGD@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@NNGAKEGL@ ; void *
		lea	eax, [ebp+var_8]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A1357B
		push	edi		; void *
		lea	eax, [ebp+var_8]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A1357B
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_8]
		mov	[ecx], eax
		mov	eax, [ebp+var_4]
		mov	[ecx+4], eax
		xor	eax, eax
		jmp	short loc_A1357E
; 

loc_A1357B:				; CODE XREF: ApiSetpConstructPathToExtension+46j
					; ApiSetpConstructPathToExtension+56j
		mov	eax, [ebp+var_4]

loc_A1357E:				; CODE XREF: ApiSetpConstructPathToExtension+68j
		test	eax, eax
		jz	short loc_A1358A
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1358A:				; CODE XREF: ApiSetpConstructPathToExtension+32j
					; ApiSetpConstructPathToExtension+6Fj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
ApiSetpConstructPathToExtension	endp


;  S U B	R O U T	I N E 


ApiSetpFindImageSection	proc near	; CODE XREF: ApiSetLoadSchemaEx(x,x,x)+31p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	ecx
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A135D6
		movzx	ecx, word ptr [edi+14h]
		lea	esi, [edi+18h]
		xor	eax, eax
		add	esi, ecx
		xor	ebx, ebx
		cmp	ax, [edi+6]
		jnb	short loc_A135D6

loc_A135B6:				; CODE XREF: ApiSetpFindImageSection+42j
		push	8		; size_t
		push	offset ??_C@_07LICFLFBF@?4apiset@NNGAKEGL@ ; char *
		push	esi		; char *
		call	_strncmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A135DE
		movzx	eax, word ptr [edi+6]
		add	esi, 28h
		inc	ebx
		cmp	ebx, eax
		jb	short loc_A135B6

loc_A135D6:				; CODE XREF: ApiSetpFindImageSection+Fj
					; ApiSetpFindImageSection+22j
		xor	eax, eax

loc_A135D8:				; CODE XREF: ApiSetpFindImageSection+4Ej
		pop	edi
		pop	esi
		pop	ebx
		retn	4
; 

loc_A135DE:				; CODE XREF: ApiSetpFindImageSection+36j
		mov	eax, esi
		jmp	short loc_A135D8
ApiSetpFindImageSection	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ApiSetpLoadSchemaExtension proc	near	; CODE XREF: ApiSetpLoadSchemaExtensions+6Dp

var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 140h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, [ebp+arg_0]
		mov	edi, edx
		push	10h
		pop	eax
		push	12h
		mov	word ptr [ebp+var_13C],	ax
		xor	edx, edx
		pop	eax
		mov	word ptr [ebp+var_13C+2], ax
		lea	eax, [ebp+var_134]
		push	eax
		push	114h
		lea	eax, [ebp+var_120]
		mov	[ebp+var_128], edx
		push	eax
		push	2
		lea	eax, [ebp+var_13C]
		mov	[ebp+var_124], edx
		push	eax
		push	ecx
		mov	[ebp+var_130], edx
		mov	[ebp+var_12C], edx
		mov	[ebp+var_138], offset ??_C@_1BC@PKFGPGJB@?$AAF?$AAi?$AAl?$AAe?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@ ; "FileName"
		mov	[ebp+var_134], edx
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A136B8
		mov	edx, [ebp+var_118]
		lea	eax, [ebp+var_130]
		push	eax
		lea	ecx, [ebp+var_114]
		call	ApiSetpConstructPathToExtension
		mov	esi, eax
		test	esi, esi
		js	short loc_A136B8
		lea	eax, [ebp+var_124]
		push	eax
		lea	edx, [ebp+var_128]
		lea	ecx, [ebp+var_130]
		call	_ApiSetLoadSchemaEx@12 ; ApiSetLoadSchemaEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A136B8
		push	[ebp+var_124]
		mov	edx, ebx
		mov	ecx, edi
		push	[ebp+var_128]
		call	_ApiSetComposeSchema@16	; ApiSetComposeSchema(x,x,x,x)
		mov	esi, eax

loc_A136B8:				; CODE XREF: ApiSetpLoadSchemaExtension+81j
					; ApiSetpLoadSchemaExtension+9Fj ...
		cmp	[ebp+var_12C], 0
		jz	short loc_A136CE
		push	0
		push	[ebp+var_12C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A136CE:				; CODE XREF: ApiSetpLoadSchemaExtension+DDj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
ApiSetpLoadSchemaExtension endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ApiSetpLoadSchemaExtensions proc near	; CODE XREF: ApiSetLoadSchemaWithExtensions(x,x,x)+5Ap

var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 234h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+234h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[esp+240h+var_228], eax
		mov	ebx, ecx
		lea	eax, [esp+240h+var_22C]
		mov	[esp+240h+var_224], edx
		push	eax
		xor	ecx, ecx
		lea	eax, [esp+244h+var_220]
		push	218h
		push	eax
		push	ecx
		mov	[esp+250h+var_230], ecx
		mov	edi, ecx
		mov	[esp+250h+var_22C], ecx
		push	ecx
		jmp	short loc_A13775
; 

loc_A1372C:				; CODE XREF: ApiSetpLoadSchemaExtensions+9Cj
		lea	eax, [esp+254h+var_244]
		mov	edx, ebx
		push	eax
		lea	ecx, [esp+258h+var_234]
		call	ApiSetpOpenSchemaExtensionNode
		mov	esi, eax
		test	esi, esi
		js	short loc_A1378B
		push	[esp+254h+var_23C]
		mov	edx, [esp+258h+var_238]
		mov	ecx, [esp+258h+var_244]
		call	ApiSetpLoadSchemaExtension
		push	[esp+254h+var_244]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_A1378B
		lea	eax, [esp+254h+var_240]
		inc	edi
		push	eax
		push	218h
		lea	eax, [esp+25Ch+var_234]
		push	eax
		push	0
		push	edi

loc_A13775:				; CODE XREF: ApiSetpLoadSchemaExtensions+49j
		push	ebx
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_A1372C
		lea	esi, [eax+7FFFFFE6h]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_A1378B:				; CODE XREF: ApiSetpLoadSchemaExtensions+5Fj
					; ApiSetpLoadSchemaExtensions+7Fj
		mov	ecx, [esp+254h+var_18]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
ApiSetpLoadSchemaExtensions endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ApiSetpLoadSchemaImage proc near	; CODE XREF: ApiSetLoadSchemaEx(x,x,x)+20p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		push	6
		xor	ebx, ebx
		mov	[ebp+var_48], 18h
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_C], ebx
		push	ebx
		push	1
		lea	edi, [ebp+var_30]
		mov	[ebp+var_10], ebx
		rep stosd
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], ebx
		push	eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_14], ebx
		push	eax
		push	80000000h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_44], ebx
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_3C], 240h
		push	eax
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_40], edx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A13872
		push	[ebp+var_8]
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], 18h
		push	8000000h
		push	2
		push	ebx
		push	eax
		push	4
		lea	eax, [ebp+var_4]
		mov	[ebp+var_2C], ebx
		push	eax
		mov	[ebp+var_24], 240h
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A13872
		push	2
		push	ebx
		push	2
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_C]
		push	eax
		push	edi
		push	[ebp+var_4]
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A13872
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_C]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_10]
		mov	[ecx], eax

loc_A13872:				; CODE XREF: ApiSetpLoadSchemaImage+63j
					; ApiSetpLoadSchemaImage+9Dj ...
		cmp	[ebp+var_4], edi
		jz	short loc_A1387F
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A1387F:				; CODE XREF: ApiSetpLoadSchemaImage+D1j
		cmp	[ebp+var_8], edi
		jz	short loc_A1388C
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_A1388C:				; CODE XREF: ApiSetpLoadSchemaImage+DEj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
ApiSetpLoadSchemaImage endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ApiSetpOpenSchemaExtensionNode proc near ; CODE	XREF: ApiSetpLoadSchemaExtensions+56p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		lea	eax, [ecx+10h]
		mov	[ebp+var_24], 18h
		xor	esi, esi
		mov	[ebp+var_8], eax
		mov	ax, [ecx+0Ch]
		mov	[ebp+var_C], esi
		mov	word ptr [ebp+var_C], ax
		mov	word ptr [ebp+var_C+2],	ax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	20019h
		push	[ebp+arg_0]
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], 240h
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		pop	esi
		leave
		retn	4
ApiSetpOpenSchemaExtensionNode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ApiSetpOpenSchemaExtensionsRootNode proc near
					; CODE XREF: ApiSetLoadSchemaWithExtensions(x,x,x)+39p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], 0B400B2h
		mov	[ebp+var_18], eax
		xor	edx, edx
		lea	eax, [ebp+var_20]
		mov	[ebp+var_4], offset ??_C@_1LE@LDGAKFIO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		push	eax
		push	8
		push	ecx
		mov	[ebp+var_20], 18h
		mov	[ebp+var_1C], edx
		mov	[ebp+var_14], 240h
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		leave
		retn
ApiSetpOpenSchemaExtensionsRootNode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KIsSideloadingEnabled(x)
_KIsSideloadingEnabled@4 proc near	; CODE XREF: SepIsLockedDown(x,x)+25p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	74h
		pop	eax
		push	76h
		mov	word ptr [ebp+var_1C], ax
		mov	edi, ecx
		pop	eax
		push	26h
		mov	word ptr [ebp+var_1C+2], ax
		xor	ecx, ecx
		pop	eax
		push	28h
		mov	word ptr [ebp+var_C], ax
		mov	edx, offset ??_C@_1HG@FBAFABN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		pop	eax
		mov	word ptr [ebp+var_C+2],	ax
		mov	ebx, 0FFFFh
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	[edi], cl
		mov	ecx, offset ??_C@_1BK@IJBLJGGE@?$AAA?$AAp?$AAp?$AAx?$AAP?$AAo?$AAl?$AAi?$AAc?$AAi?$AAe?$AAs@NNGAKEGL@ ;	"AppxPolicies"
		push	eax
		mov	[ebp+var_18], edx
		mov	[ebp+var_8], (offset loc_8C2059+1)
		mov	[ebp+var_4], ebx
		call	KGetAppModelStateSeparatedRegKeyPath
		mov	esi, eax
		test	esi, esi
		js	short loc_A139CA
		lea	eax, [ebp+var_4]
		push	eax
		lea	edx, [ebp+var_C]
		lea	ecx, [ebp+var_14]
		call	KGetUnlockSetting
		mov	esi, eax
		test	esi, esi
		js	short loc_A139CA
		call	_CmIsStateSeparationEnabled@0 ;	CmIsStateSeparationEnabled()
		test	al, al
		jz	short loc_A139BD
		cmp	[ebp+var_4], ebx
		jnz	short loc_A139BD
		lea	eax, [ebp+var_4]
		push	eax
		lea	edx, [ebp+var_C]
		lea	ecx, [ebp+var_1C]
		call	KGetUnlockSetting
		mov	esi, eax

loc_A139BD:				; CODE XREF: KIsSideloadingEnabled(x)+7Aj
					; KIsSideloadingEnabled(x)+7Fj
		test	esi, esi
		js	short loc_A139CA
		cmp	[ebp+var_4], 0
		jz	short loc_A139CA
		mov	byte ptr [edi],	1

loc_A139CA:				; CODE XREF: KIsSideloadingEnabled(x)+5Cj
					; KIsSideloadingEnabled(x)+71j	...
		lea	ecx, [ebp+var_14]
		call	_AppModelFreeUnicodeString@4 ; AppModelFreeUnicodeString(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_KIsSideloadingEnabled@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A139D9	proc near		; CODE XREF: sub_785212+206Bp

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	eax, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_38], edx
		mov	[ebp+var_44], eax
		mov	[ebp+var_60], edi
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_58], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_50], edi
		test	eax, eax
		jnz	short loc_A13A21

loc_A13A17:				; CODE XREF: sub_A139D9+4Aj
					; sub_A139D9+105j ...
		mov	edx, 0C000000Dh
		jmp	loc_A13F4F
; 

loc_A13A21:				; CODE XREF: sub_A139D9+3Cj
		test	edx, edx
		jz	short loc_A13A17
		mov	edx, 0C000000Dh
		test	ebx, ebx
		jz	loc_A13F4F
		mov	ecx, [eax+8]
		mov	esi, edi
		mov	[ebp+var_2C], ecx
		test	ecx, ecx
		jz	loc_A13AD4
		cmp	dword ptr [eax], 3
		jbe	loc_A13AD4
		mov	eax, ecx

loc_A13A4D:				; CODE XREF: sub_A139D9+ACj
		mov	ecx, [eax]
		mov	[ebp+var_40], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A13A5D
		xor	edx, edx
		jmp	short loc_A13A65
; 

loc_A13A5D:				; CODE XREF: sub_A139D9+7Ej
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A13A65:				; CODE XREF: sub_A139D9+82j
		mov	[ebp+var_28], ecx
		test	edx, edx
		js	short loc_A13AAC
		mov	edx, [ebp+var_40]
		lea	eax, [ebp+var_28]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A13AAC
		mov	eax, [ebp+var_28]
		inc	edi
		cmp	edi, 3
		jb	short loc_A13A4D
		mov	edi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A13A94
		xor	edx, edx
		jmp	short loc_A13A9C
; 

loc_A13A94:				; CODE XREF: sub_A139D9+B5j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A13A9C:				; CODE XREF: sub_A139D9+B9j
		test	edx, edx
		js	short loc_A13AAC
		mov	esi, edi
		mov	eax, edi
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		jmp	short loc_A13AAE
; 

loc_A13AAC:				; CODE XREF: sub_A139D9+91j
					; sub_A139D9+A3j ...
		mov	eax, esi

loc_A13AAE:				; CODE XREF: sub_A139D9+D1j
		test	edx, edx
		js	short loc_A13ACC
		cmp	eax, 8
		jz	short loc_A13AC1

loc_A13AB7:				; CODE XREF: sub_A139D9+425j
					; sub_A139D9+4B4j ...
		mov	edx, 0C0000023h
		jmp	loc_A13F4F
; 

loc_A13AC1:				; CODE XREF: sub_A139D9+DCj
		mov	eax, [esi]
		mov	[ebp+var_60], eax
		mov	eax, [esi+4]
		mov	[ebp+var_4C], eax

loc_A13ACC:				; CODE XREF: sub_A139D9+D7j
		mov	ecx, [ebp+var_2C]
		xor	edi, edi
		mov	eax, [ebp+var_44]

loc_A13AD4:				; CODE XREF: sub_A139D9+63j
					; sub_A139D9+6Cj
		test	edx, edx
		js	loc_A13F4F
		test	ecx, ecx
		jz	loc_A13A17
		mov	eax, [eax]
		mov	[ebp+var_44], eax
		cmp	eax, 4
		jbe	loc_A13A17
		mov	eax, ecx
		mov	esi, edi

loc_A13AF6:				; CODE XREF: sub_A139D9+159j
		mov	edi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A13B03
		xor	edx, edx
		jmp	short loc_A13B0B
; 

loc_A13B03:				; CODE XREF: sub_A139D9+124j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A13B0B:				; CODE XREF: sub_A139D9+128j
		mov	[ebp+var_30], ecx
		test	edx, edx
		js	loc_A13F4F
		lea	eax, [ebp+var_30]
		mov	edx, edi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A13F4F
		mov	eax, [ebp+var_30]
		inc	esi
		cmp	esi, 4
		jb	short loc_A13AF6
		mov	esi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A13B41
		xor	edx, edx
		jmp	short loc_A13B49
; 

loc_A13B41:				; CODE XREF: sub_A139D9+162j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A13B49:				; CODE XREF: sub_A139D9+166j
		test	edx, edx
		js	loc_A13F4F
		mov	eax, esi
		mov	[ebp+var_58], esi
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_48], eax
		test	edx, edx
		js	loc_A13F4F
		cmp	[ebp+var_44], 5
		jbe	loc_A13A17
		mov	eax, [ebp+var_2C]
		xor	esi, esi

loc_A13B76:				; CODE XREF: sub_A139D9+1D1j
		mov	edi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A13B83
		xor	edx, edx
		jmp	short loc_A13B8B
; 

loc_A13B83:				; CODE XREF: sub_A139D9+1A4j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A13B8B:				; CODE XREF: sub_A139D9+1A8j
		mov	[ebp+var_30], ecx
		test	edx, edx
		js	short loc_A13BD2
		lea	eax, [ebp+var_30]
		mov	edx, edi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A13BD2
		mov	eax, [ebp+var_30]
		inc	esi
		cmp	esi, 5
		jb	short loc_A13B76
		mov	esi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A13BB9
		xor	edx, edx
		jmp	short loc_A13BC1
; 

loc_A13BB9:				; CODE XREF: sub_A139D9+1DAj
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A13BC1:				; CODE XREF: sub_A139D9+1DEj
		test	edx, edx
		js	short loc_A13BD2
		mov	edi, esi
		mov	[ebp+var_54], esi
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A13BD5
; 

loc_A13BD2:				; CODE XREF: sub_A139D9+1B7j
					; sub_A139D9+1C8j ...
		mov	edi, [ebp+var_3C]

loc_A13BD5:				; CODE XREF: sub_A139D9+1F7j
		test	edx, edx
		js	loc_A13F4F
		cmp	[ebp+var_44], 6
		jbe	loc_A13A17
		mov	edx, [ebp+var_2C]
		xor	esi, esi

loc_A13BEC:				; CODE XREF: sub_A139D9+249j
		mov	eax, [edx]
		lea	ecx, [edx+4]
		cmp	ecx, edx
		jb	short loc_A13BF9
		xor	edx, edx
		jmp	short loc_A13C01
; 

loc_A13BF9:				; CODE XREF: sub_A139D9+21Aj
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A13C01:				; CODE XREF: sub_A139D9+21Ej
		mov	[ebp+var_3C], ecx
		test	edx, edx
		js	short loc_A13C4D
		lea	edx, [ebp+var_3C]
		push	edx
		mov	edx, eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A13C4D
		inc	esi
		cmp	esi, 6
		jnb	short loc_A13C24
		mov	edx, [ebp+var_3C]
		jmp	short loc_A13BEC
; 

loc_A13C24:				; CODE XREF: sub_A139D9+244j
		mov	eax, [ebp+var_3C]
		mov	esi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A13C34
		xor	edx, edx
		jmp	short loc_A13C3C
; 

loc_A13C34:				; CODE XREF: sub_A139D9+255j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A13C3C:				; CODE XREF: sub_A139D9+259j
		test	edx, edx
		js	short loc_A13C4D
		mov	eax, esi
		mov	[ebp+var_50], esi
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		jmp	short loc_A13C50
; 

loc_A13C4D:				; CODE XREF: sub_A139D9+22Dj
					; sub_A139D9+23Ej ...
		mov	eax, [ebp+var_34]

loc_A13C50:				; CODE XREF: sub_A139D9+272j
		test	edx, edx
		js	loc_A13F4F
		cmp	ds:dword_A93EA0, 0
		jz	short loc_A13C7F
		push	20h
		lea	ecx, [ebp+var_24]
		push	ecx
		push	[ebp+var_50]
		push	eax
		push	[ebp+var_54]
		push	edi
		push	[ebp+var_58]
		push	[ebp+var_48]
		call	ds:dword_A93EDC
		mov	esi, eax
		jmp	short loc_A13C84
; 

loc_A13C7F:				; CODE XREF: sub_A139D9+286j
		mov	esi, 0C00000BBh

loc_A13C84:				; CODE XREF: sub_A139D9+2A4j
		mov	edx, esi
		test	esi, esi
		js	loc_A13F4F
		and	[ebp+var_28], 0
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A13F4F
		mov	ecx, [ebp+var_28]
		lea	eax, [ebp+var_28]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A13F4F
		mov	ecx, [ebp+var_28]
		lea	eax, [ebp+var_28]
		push	eax
		push	24h
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A13F4F
		push	8
		pop	ecx
		xor	edi, edi
		mov	[ebp+var_5C], ecx
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_5C]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A13F4F
		mov	eax, [ebp+var_5C]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A13D0E
		mov	edx, 0C0000095h
		jmp	short loc_A13D1B
; 

loc_A13D0E:				; CODE XREF: sub_A139D9+32Cj
		lea	edi, [ecx+8]
		cmp	edi, ecx
		jb	loc_A13D9E
		xor	edx, edx

loc_A13D1B:				; CODE XREF: sub_A139D9+333j
		test	edx, edx
		js	loc_A13F4F
		mov	ecx, [ebp+var_38]
		mov	edx, edi
		push	4
		mov	eax, [ecx+10h]
		mov	[ebp+var_40], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_2C]
		pop	ecx
		push	eax
		mov	[ebp+var_2C], ecx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A13F4F
		mov	eax, [ebp+var_2C]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A13D5B
		xor	edx, edx
		jmp	short loc_A13D63
; 

loc_A13D5B:				; CODE XREF: sub_A139D9+37Cj
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A13D63:				; CODE XREF: sub_A139D9+380j
		mov	[ebp+var_2C], ecx
		test	edx, edx
		js	loc_A13F4F
		mov	edx, [ebp+var_38]
		lea	eax, [ebp+var_2C]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A13F4F
		mov	eax, [ebp+var_2C]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A13D9E
		mov	edx, [ebp+var_40]
		lea	eax, [ebp+var_2C]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		jmp	short loc_A13DA3
; 

loc_A13D9E:				; CODE XREF: sub_A139D9+33Aj
					; sub_A139D9+3B3j
		mov	edx, 0C0000095h

loc_A13DA3:				; CODE XREF: sub_A139D9+3C3j
		test	edx, edx
		js	loc_A13F4F
		mov	eax, [ebp+var_28]
		lea	edi, [ebx+4]
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_A13DC1
		mov	edx, 0C000003Eh
		jmp	loc_A13F4F
; 

loc_A13DC1:				; CODE XREF: sub_A139D9+3DCj
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A13DDE
		mov	edx, 0C0000017h
		jmp	loc_A13F4F
; 

loc_A13DDE:				; CODE XREF: sub_A139D9+3F9j
		mov	[ebx+8], edx
		and	dword ptr [ebx], 0
		or	esi, 10000000h
		lea	eax, [edx+4]
		cmp	eax, edx
		jb	loc_A13F4A
		mov	ecx, [edi]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		ja	loc_A13AB7
		mov	dword ptr [edx], 4
		mov	[edx+4], esi
		inc	dword ptr [ebx]
		mov	ecx, [ebx]
		mov	[ebp+var_38], ecx
		mov	eax, [ebx+8]
		mov	[ebp+var_40], eax
		test	eax, eax
		jnz	short loc_A13E37
		mov	ecx, [edi]
		push	edi
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A13F4F
		inc	dword ptr [ebx]
		jmp	short loc_A13EAF
; 

loc_A13E37:				; CODE XREF: sub_A139D9+443j
		and	[ebp+var_48], 0
		mov	esi, eax
		mov	[ebp+var_34], esi
		test	ecx, ecx
		jz	short loc_A13E76

loc_A13E44:				; CODE XREF: sub_A139D9+49Bj
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	loc_A13ED4
		lea	eax, [ebp+var_34]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A13F4F
		mov	ecx, [ebp+var_48]
		mov	esi, [ebp+var_34]
		inc	ecx
		mov	[ebp+var_48], ecx
		cmp	ecx, [ebp+var_38]
		jb	short loc_A13E44

loc_A13E76:				; CODE XREF: sub_A139D9+469j
		lea	eax, [esi+4]
		cmp	eax, esi
		jb	loc_A13F4A
		mov	ecx, [edi]
		lea	eax, [esi+0Ch]
		add	ecx, [ebp+var_40]
		xor	edx, edx
		cmp	eax, ecx
		ja	loc_A13AB7
		mov	eax, [ebp+var_60]
		mov	dword ptr [esi], 8
		mov	[esi+4], eax
		mov	eax, [ebp+var_4C]
		mov	[esi+8], eax
		inc	dword ptr [ebx]

loc_A13EA7:				; CODE XREF: sub_A139D9+500j
		test	edx, edx
		js	loc_A13F4F

loc_A13EAF:				; CODE XREF: sub_A139D9+45Cj
		mov	eax, [ebx+8]
		mov	[ebp+var_40], eax
		test	eax, eax
		jnz	short loc_A13EDB
		mov	ecx, [edi]
		push	edi
		push	24h
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A13F4F
		inc	dword ptr [ebx]
		xor	edx, edx
		jmp	short loc_A13F4F
; 

loc_A13ED4:				; CODE XREF: sub_A139D9+473j
		mov	edx, 0C0000095h
		jmp	short loc_A13EA7
; 

loc_A13EDB:				; CODE XREF: sub_A139D9+4DEj
		mov	ecx, [ebx]
		mov	esi, eax
		and	[ebp+var_4C], 0
		mov	[ebp+var_34], esi
		mov	[ebp+var_38], ecx
		test	ecx, ecx
		jz	short loc_A13F1A

loc_A13EED:				; CODE XREF: sub_A139D9+53Cj
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A13F4A
		lea	eax, [ebp+var_34]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A13F4F
		mov	ecx, [ebp+var_4C]
		mov	esi, [ebp+var_34]
		inc	ecx
		mov	[ebp+var_4C], ecx
		cmp	ecx, [ebp+var_38]
		jb	short loc_A13EED
		mov	eax, [ebp+var_40]

loc_A13F1A:				; CODE XREF: sub_A139D9+512j
		lea	ecx, [esi+4]
		mov	[ebp+var_38], ecx
		cmp	ecx, esi
		jb	short loc_A13F4A
		mov	ecx, [edi]
		xor	edx, edx
		add	ecx, eax
		lea	eax, [esi+24h]
		cmp	eax, ecx
		ja	loc_A13AB7
		mov	edi, [ebp+var_38]
		mov	dword ptr [esi], 20h
		lea	esi, [ebp+var_24]
		push	8
		pop	ecx
		rep movsd
		inc	dword ptr [ebx]
		jmp	short loc_A13F4F
; 

loc_A13F4A:				; CODE XREF: sub_A139D9+416j
					; sub_A139D9+4A2j ...
		mov	edx, 0C0000095h

loc_A13F4F:				; CODE XREF: sub_A139D9+43j
					; sub_A139D9+53j ...
		mov	ecx, [ebp+var_4]
		mov	eax, edx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
sub_A139D9	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A13F62	proc near		; CODE XREF: sub_785212+2081p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		and	[ebp+var_8], 0
		and	[ebp+var_1C], 0
		and	[ebp+var_20], 0
		and	[ebp+var_10], 0
		mov	eax, [ecx+8]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_28], edx
		and	[ebp+var_4], esi
		mov	[ebp+var_14], ecx
		push	edi
		test	eax, eax
		jnz	short loc_A13F99

loc_A13F8F:				; CODE XREF: sub_A13F62+3Aj
		mov	ebx, 0C000000Dh
		jmp	loc_A1401D
; 

loc_A13F99:				; CODE XREF: sub_A13F62+2Bj
		cmp	dword ptr [ecx], 3
		jbe	short loc_A13F8F
		xor	edi, edi

loc_A13FA0:				; CODE XREF: sub_A13F62+70j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A13FAD
		xor	ebx, ebx
		jmp	short loc_A13FB5
; 

loc_A13FAD:				; CODE XREF: sub_A13F62+45j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A13FB5:				; CODE XREF: sub_A13F62+49j
		mov	[ebp+var_C], ecx
		test	ebx, ebx
		js	short loc_A13FF9
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A13FF9
		mov	eax, [ebp+var_C]
		inc	edi
		cmp	edi, 3
		jb	short loc_A13FA0
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A13FE1
		xor	ebx, ebx
		jmp	short loc_A13FE9
; 

loc_A13FE1:				; CODE XREF: sub_A13F62+79j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A13FE9:				; CODE XREF: sub_A13F62+7Dj
		test	ebx, ebx
		js	short loc_A13FF9
		mov	esi, edx
		mov	eax, edx
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		jmp	short loc_A13FFC
; 

loc_A13FF9:				; CODE XREF: sub_A13F62+58j
					; sub_A13F62+67j ...
		mov	eax, [ebp+var_4]

loc_A13FFC:				; CODE XREF: sub_A13F62+95j
		test	ebx, ebx
		js	short loc_A1401A
		cmp	eax, 8
		jz	short loc_A1400F

loc_A14005:				; CODE XREF: sub_A13F62+164j
		mov	ebx, 0C0000023h
		jmp	loc_A1453E
; 

loc_A1400F:				; CODE XREF: sub_A13F62+A1j
		mov	eax, [esi]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+4]
		mov	[ebp+var_20], eax

loc_A1401A:				; CODE XREF: sub_A13F62+9Cj
		mov	ecx, [ebp+var_14]

loc_A1401D:				; CODE XREF: sub_A13F62+32j
		test	ebx, ebx
		js	loc_A1453E
		mov	eax, [ecx+8]
		xor	esi, esi
		and	[ebp+var_4], esi
		test	eax, eax
		jnz	short loc_A14058

loc_A14031:				; CODE XREF: sub_A13F62+F9j
		mov	ebx, 0C000000Dh

loc_A14036:				; CODE XREF: sub_A13F62+15Bj
		mov	eax, [ebp+var_10]

loc_A14039:				; CODE XREF: sub_A13F62+16Cj
		test	ebx, ebx
		js	loc_A1453E
		mov	ecx, 800h
		cmp	eax, ecx
		jz	loc_A140D3
		mov	ebx, 0C000003Eh
		jmp	loc_A1453E
; 

loc_A14058:				; CODE XREF: sub_A13F62+CDj
		cmp	dword ptr [ecx], 4
		jbe	short loc_A14031
		xor	edi, edi

loc_A1405F:				; CODE XREF: sub_A13F62+12Fj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1406C
		xor	ebx, ebx
		jmp	short loc_A14074
; 

loc_A1406C:				; CODE XREF: sub_A13F62+104j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A14074:				; CODE XREF: sub_A13F62+108j
		mov	[ebp+var_C], ecx
		test	ebx, ebx
		js	short loc_A140B8
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A140B8
		mov	eax, [ebp+var_C]
		inc	edi
		cmp	edi, 4
		jb	short loc_A1405F
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A140A0
		xor	ebx, ebx
		jmp	short loc_A140A8
; 

loc_A140A0:				; CODE XREF: sub_A13F62+138j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A140A8:				; CODE XREF: sub_A13F62+13Cj
		test	ebx, ebx
		js	short loc_A140B8
		mov	esi, edx
		mov	eax, edx
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		jmp	short loc_A140BB
; 

loc_A140B8:				; CODE XREF: sub_A13F62+117j
					; sub_A13F62+126j ...
		mov	eax, [ebp+var_4]

loc_A140BB:				; CODE XREF: sub_A13F62+154j
		test	ebx, ebx
		js	loc_A14036
		cmp	eax, 4
		jnz	loc_A14005
		mov	eax, [esi]
		jmp	loc_A14039
; 

loc_A140D3:				; CODE XREF: sub_A13F62+E6j
		push	20534C53h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jnz	short loc_A140F3
		mov	ebx, 0C0000017h
		jmp	loc_A1453E
; 

loc_A140F3:				; CODE XREF: sub_A13F62+185j
		mov	eax, ds:dword_A93ED8
		test	eax, eax
		jz	short loc_A14101
		push	ecx
		call	eax
		jmp	short loc_A14106
; 

loc_A14101:				; CODE XREF: sub_A13F62+198j
		mov	eax, 0C00000BBh

loc_A14106:				; CODE XREF: sub_A13F62+19Dj
		mov	[ebp+var_C], eax
		mov	ebx, eax
		test	eax, eax
		js	loc_A14531
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	eax
		push	8
		pop	edi
		mov	edx, edi
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A14175
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A14175
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, 804h
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A14175
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, edi
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A14175
		mov	eax, [ebp+var_4]
		mov	[ebp+var_8], eax
		jmp	short loc_A14178
; 

loc_A14175:				; CODE XREF: sub_A13F62+1C9j
					; sub_A13F62+1DEj ...
		mov	eax, [ebp+var_8]

loc_A14178:				; CODE XREF: sub_A13F62+211j
		test	ebx, ebx
		js	loc_A14531
		xor	esi, esi
		mov	[ebp+var_18], edi
		lea	ecx, [ebp+var_18]
		mov	edx, eax
		push	ecx
		mov	ecx, edi
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A14531
		mov	eax, [ebp+var_18]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A141B0
		mov	ebx, 0C0000095h
		jmp	short loc_A141BD
; 

loc_A141B0:				; CODE XREF: sub_A13F62+245j
		lea	esi, [ecx+8]
		cmp	esi, ecx
		jb	loc_A1423C
		xor	ebx, ebx

loc_A141BD:				; CODE XREF: sub_A13F62+24Cj
		test	ebx, ebx
		js	loc_A14531
		mov	edi, [ebp+var_28]
		mov	edx, esi
		push	4
		pop	ecx
		mov	[ebp+var_4], ecx
		mov	eax, [edi+10h]
		mov	edi, [edi+8]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A14531
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A141FA
		xor	ebx, ebx
		jmp	short loc_A14202
; 

loc_A141FA:				; CODE XREF: sub_A13F62+292j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A14202:				; CODE XREF: sub_A13F62+296j
		mov	[ebp+var_4], ecx
		test	ebx, ebx
		js	loc_A14531
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A14531
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1423C
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		jmp	short loc_A14241
; 

loc_A1423C:				; CODE XREF: sub_A13F62+253j
					; sub_A13F62+2C8j
		mov	ebx, 0C0000095h

loc_A14241:				; CODE XREF: sub_A13F62+2D8j
		test	ebx, ebx
		js	loc_A14531
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jnz	short loc_A1425A
		mov	ebx, 0C000000Dh
		jmp	loc_A14531
; 

loc_A1425A:				; CODE XREF: sub_A13F62+2ECj
		mov	eax, [ebp+var_8]
		lea	edi, [esi+4]
		xor	ebx, ebx
		mov	[ebp+var_4], edi
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_A14272
		mov	ebx, 0C000003Eh
		jmp	short loc_A1428F
; 

loc_A14272:				; CODE XREF: sub_A13F62+307j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_A1428A
		mov	ebx, 0C0000017h
		jmp	short loc_A1428F
; 

loc_A1428A:				; CODE XREF: sub_A13F62+31Fj
		mov	[esi+8], eax
		and	[esi], ebx

loc_A1428F:				; CODE XREF: sub_A13F62+30Ej
					; sub_A13F62+326j
		test	ebx, ebx
		js	loc_A14531
		mov	eax, [esi+8]
		or	[ebp+var_C], 10000000h
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_A142C4
		mov	ecx, [edi]
		push	edi
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A14531
		inc	dword ptr [esi]
		jmp	loc_A14345
; 

loc_A142C4:				; CODE XREF: sub_A13F62+344j
		mov	ecx, [esi]
		mov	edi, eax
		and	[ebp+var_14], 0
		mov	[ebp+var_10], edi
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	short loc_A14303

loc_A142D6:				; CODE XREF: sub_A13F62+39Cj
		mov	edx, [edi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A14326
		lea	eax, [ebp+var_10]
		mov	ecx, edi
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A1433A
		mov	ecx, [ebp+var_14]
		mov	edi, [ebp+var_10]
		inc	ecx
		mov	[ebp+var_14], ecx
		cmp	ecx, [ebp+var_28]
		jb	short loc_A142D6
		mov	eax, [ebp+var_8]

loc_A14303:				; CODE XREF: sub_A13F62+372j
		lea	edx, [edi+4]
		cmp	edx, edi
		jb	loc_A1452C
		mov	ecx, [esi+4]
		xor	ebx, ebx
		add	ecx, eax
		lea	eax, [edi+8]
		cmp	eax, ecx
		jbe	short loc_A1432D

loc_A1431C:				; CODE XREF: sub_A13F62+460j
					; sub_A13F62+512j ...
		mov	ebx, 0C0000023h
		jmp	loc_A14531
; 

loc_A14326:				; CODE XREF: sub_A13F62+37Cj
		mov	ebx, 0C0000095h
		jmp	short loc_A1433A
; 

loc_A1432D:				; CODE XREF: sub_A13F62+3B8j
		mov	eax, [ebp+var_C]
		mov	dword ptr [edi], 4
		mov	[edx], eax
		inc	dword ptr [esi]

loc_A1433A:				; CODE XREF: sub_A13F62+38Dj
					; sub_A13F62+3C9j
		lea	edi, [esi+4]
		test	ebx, ebx
		js	loc_A14531

loc_A14345:				; CODE XREF: sub_A13F62+35Dj
		mov	eax, [esi+8]
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_A14368
		mov	ecx, [edi]
		push	edi
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A14531
		inc	dword ptr [esi]
		jmp	short loc_A143E6
; 

loc_A14368:				; CODE XREF: sub_A13F62+3EBj
		mov	ecx, [esi]
		mov	edi, eax
		and	[ebp+var_14], 0
		mov	[ebp+var_10], edi
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	short loc_A143AB

loc_A1437A:				; CODE XREF: sub_A13F62+444j
		mov	edx, [edi]
		add	edx, 4
		cmp	edx, 4
		jb	loc_A1440E
		lea	eax, [ebp+var_10]
		mov	ecx, edi
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A143DB
		mov	ecx, [ebp+var_14]
		mov	edi, [ebp+var_10]
		inc	ecx
		mov	[ebp+var_14], ecx
		cmp	ecx, [ebp+var_28]
		jb	short loc_A1437A
		mov	eax, [ebp+var_C]

loc_A143AB:				; CODE XREF: sub_A13F62+416j
		lea	edx, [edi+4]
		cmp	edx, edi
		jb	loc_A1452C
		mov	ecx, [esi+4]
		xor	ebx, ebx
		add	ecx, eax
		lea	eax, [edi+0Ch]
		cmp	eax, ecx
		ja	loc_A1431C
		mov	eax, [ebp+var_1C]
		mov	dword ptr [edi], 8
		mov	[edx], eax
		mov	eax, [ebp+var_20]
		mov	[edx+4], eax
		inc	dword ptr [esi]

loc_A143DB:				; CODE XREF: sub_A13F62+435j
					; sub_A13F62+4B1j
		lea	edi, [esi+4]
		test	ebx, ebx
		js	loc_A14531

loc_A143E6:				; CODE XREF: sub_A13F62+404j
		mov	eax, [esi+8]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_A14415
		mov	ecx, [edi]
		mov	edx, 804h
		push	edi
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A14531
		inc	dword ptr [esi]
		jmp	loc_A1449C
; 

loc_A1440E:				; CODE XREF: sub_A13F62+420j
		mov	ebx, 0C0000095h
		jmp	short loc_A143DB
; 

loc_A14415:				; CODE XREF: sub_A13F62+48Cj
		mov	ecx, [esi]
		mov	edi, eax
		and	[ebp+var_20], 0
		mov	[ebp+var_10], edi
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	short loc_A14458

loc_A14427:				; CODE XREF: sub_A13F62+4F1j
		mov	edx, [edi]
		add	edx, 4
		cmp	edx, 4
		jb	loc_A144BD
		lea	eax, [ebp+var_10]
		mov	ecx, edi
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A14491
		mov	ecx, [ebp+var_20]
		mov	edi, [ebp+var_10]
		inc	ecx
		mov	[ebp+var_20], ecx
		cmp	ecx, [ebp+var_28]
		jb	short loc_A14427
		mov	eax, [ebp+var_1C]

loc_A14458:				; CODE XREF: sub_A13F62+4C3j
		lea	edx, [edi+4]
		cmp	edx, edi
		jb	loc_A1452C
		mov	ecx, [ebp+var_4]
		xor	ebx, ebx
		mov	ecx, [ecx]
		add	ecx, eax
		lea	eax, [edi+804h]
		cmp	eax, ecx
		ja	loc_A1431C
		mov	esi, [ebp+var_24]
		mov	ecx, 200h
		mov	dword ptr [edi], 800h
		mov	edi, edx
		rep movsd
		mov	esi, [ebp+arg_4]
		inc	dword ptr [esi]

loc_A14491:				; CODE XREF: sub_A13F62+4E2j
					; sub_A13F62+560j
		lea	edi, [esi+4]
		test	ebx, ebx
		js	loc_A14531

loc_A1449C:				; CODE XREF: sub_A13F62+4A7j
		mov	eax, [esi+8]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_A144C4
		mov	ecx, [edi]
		push	edi
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A14531
		inc	dword ptr [esi]
		xor	ebx, ebx
		jmp	short loc_A14531
; 

loc_A144BD:				; CODE XREF: sub_A13F62+4CDj
		mov	ebx, 0C0000095h
		jmp	short loc_A14491
; 

loc_A144C4:				; CODE XREF: sub_A13F62+542j
		mov	ecx, [esi]
		mov	edi, eax
		and	[ebp+var_20], 0
		mov	[ebp+arg_4], edi
		mov	[ebp+var_28], ecx
		test	ecx, ecx
		jz	short loc_A14503

loc_A144D6:				; CODE XREF: sub_A13F62+59Cj
		mov	edx, [edi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A1452C
		lea	eax, [ebp+arg_4]
		mov	ecx, edi
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A14531
		mov	ecx, [ebp+var_20]
		mov	edi, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_20], ecx
		cmp	ecx, [ebp+var_28]
		jb	short loc_A144D6
		mov	eax, [ebp+var_1C]

loc_A14503:				; CODE XREF: sub_A13F62+572j
		lea	edx, [edi+4]
		cmp	edx, edi
		jb	short loc_A1452C
		mov	ecx, [esi+4]
		xor	ebx, ebx
		add	ecx, eax
		lea	eax, [edi+8]
		cmp	eax, ecx
		ja	loc_A1431C
		mov	dword ptr [edi], 4
		mov	dword ptr [edx], 800h
		inc	dword ptr [esi]
		jmp	short loc_A14531
; 

loc_A1452C:				; CODE XREF: sub_A13F62+3A6j
					; sub_A13F62+44Ej ...
		mov	ebx, 0C0000095h

loc_A14531:				; CODE XREF: sub_A13F62+1ABj
					; sub_A13F62+218j ...
		push	20534C53h
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1453E:				; CODE XREF: sub_A13F62+A8j
					; sub_A13F62+BDj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
sub_A13F62	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A14547	proc near		; CODE XREF: sub_785212+1074p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_4		= dword	ptr  0Ch

		push	48h
		push	offset dword_6AAAB8
		call	__SEH_prolog4
		mov	[ebp+var_3C], edx
		xor	edi, edi
		mov	[ebp+var_58], edi
		mov	[ebp+var_54], edi
		mov	edx, edi
		mov	[ebp+var_28], edx
		mov	[ebp+var_48], edx
		test	ecx, ecx
		jnz	short loc_A14574

loc_A1456A:				; CODE XREF: sub_A14547+30j
					; sub_A14547+35j
		mov	esi, 0C000000Dh
		jmp	loc_A14984
; 

loc_A14574:				; CODE XREF: sub_A14547+21j
		cmp	[ebp+var_3C], edx
		jz	short loc_A1456A
		cmp	[ebp+arg_4], edx
		jz	short loc_A1456A
		mov	ebx, edi
		mov	[ebp+var_44], ebx
		mov	eax, edi
		mov	[ebp+var_40], eax
		mov	[ebp+var_1C], edi
		mov	edx, [ecx+8]
		test	edx, edx
		jnz	short loc_A14599

loc_A14592:				; CODE XREF: sub_A14547+55j
		mov	esi, 0C000000Dh
		jmp	short loc_A14614
; 

loc_A14599:				; CODE XREF: sub_A14547+49j
		cmp	dword ptr [ecx], 3
		jbe	short loc_A14592
		mov	[ebp+var_1C], edx
		mov	[ebp+var_24], edi

loc_A145A4:				; CODE XREF: sub_A14547+95j
		mov	eax, [ebp+var_1C]
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A145B4
		mov	esi, edi
		jmp	short loc_A145BC
; 

loc_A145B4:				; CODE XREF: sub_A14547+67j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A145BC:				; CODE XREF: sub_A14547+6Bj
		mov	[ebp+var_1C], ecx
		test	esi, esi
		js	short loc_A14612
		lea	eax, [ebp+var_1C]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A14612
		mov	edx, [ebp+var_24]
		inc	edx
		mov	[ebp+var_24], edx
		cmp	edx, 3
		jb	short loc_A145A4
		mov	eax, [ebp+var_1C]
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A145EE
		mov	esi, edi
		jmp	short loc_A145F6
; 

loc_A145EE:				; CODE XREF: sub_A14547+A1j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A145F6:				; CODE XREF: sub_A14547+A5j
		mov	[ebp+var_1C], ecx
		test	esi, esi
		js	short loc_A14612
		mov	eax, edx
		mov	[ebp+var_40], eax
		mov	ebx, edx
		neg	ebx
		sbb	ebx, ebx
		and	ebx, ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_44], ebx
		jmp	short loc_A14614
; 

loc_A14612:				; CODE XREF: sub_A14547+7Aj
					; sub_A14547+89j ...
		mov	eax, edi

loc_A14614:				; CODE XREF: sub_A14547+50j
					; sub_A14547+C9j
		test	esi, esi
		js	loc_A14984
		cmp	eax, 8
		jz	short loc_A14628
		mov	esi, 0C0000023h
		jmp	short loc_A14633
; 

loc_A14628:				; CODE XREF: sub_A14547+D8j
		mov	eax, [ebx]
		mov	[ebp+var_58], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_54], eax

loc_A14633:				; CODE XREF: sub_A14547+DFj
		test	esi, esi
		js	loc_A14984
		mov	[ebp+ms_exc.disabled], edi
		push	edi
		push	offset unk_6B72E0
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A14697
; 

loc_A14652:				; DATA XREF: .text:006AAACCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_4C], eax
		mov	[ebp+var_2C], eax
		cmp	[ebp+var_2C], 80h
		jz	short loc_A1467A
		cmp	[ebp+var_2C], 0C0000046h
		jz	short loc_A1467A
		mov	[ebp+var_30], 0
		jmp	short loc_A14681
; 

loc_A1467A:				; CODE XREF: sub_A14547+11Fj
					; sub_A14547+128j
		mov	[ebp+var_30], 1

loc_A14681:				; CODE XREF: sub_A14547+131j
		mov	eax, [ebp+var_30]
		retn
; 

loc_A14685:				; DATA XREF: .text:006AAAD0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	edi, edi
		mov	edx, [ebp+var_48]
		mov	[ebp+var_28], edx

loc_A14697:				; CODE XREF: sub_A14547+109j
		mov	ebx, 0C0000095h
		mov	[ebp+var_34], 8
		lea	eax, [ebp+var_34]
		push	eax
		push	0Ch
		pop	edx
		push	8
		pop	ecx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A146C0
		mov	eax, [ebp+var_34]
		mov	[ebp+var_28], eax
		jmp	short loc_A146C3
; 

loc_A146C0:				; CODE XREF: sub_A14547+16Fj
		mov	eax, [ebp+var_28]

loc_A146C3:				; CODE XREF: sub_A14547+177j
		test	esi, esi
		js	loc_A14984
		push	8
		pop	ecx
		mov	[ebp+var_38], ecx
		lea	edx, [ebp+var_38]
		push	edx
		mov	edx, eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A14984
		mov	esi, edi
		mov	eax, [ebp+var_38]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A146F9
		mov	esi, ebx
		mov	ecx, edi

loc_A146F9:				; CODE XREF: sub_A14547+1ACj
		test	esi, esi
		js	short loc_A14717
		lea	eax, [ecx+8]
		cmp	eax, ecx
		jb	short loc_A14708
		mov	edx, eax
		jmp	short loc_A1470B
; 

loc_A14708:				; CODE XREF: sub_A14547+1BBj
		or	edx, 0FFFFFFFFh

loc_A1470B:				; CODE XREF: sub_A14547+1BFj
		cmp	eax, ecx
		sbb	esi, esi
		and	esi, ebx
		cmp	eax, ecx
		mov	ecx, edx
		jnb	short loc_A14719

loc_A14717:				; CODE XREF: sub_A14547+1B4j
		mov	ecx, edi

loc_A14719:				; CODE XREF: sub_A14547+1CEj
		test	esi, esi
		js	loc_A14984
		mov	eax, [ebp+var_3C]
		mov	edx, [eax+10h]
		mov	[ebp+var_3C], edx
		mov	eax, [eax+8]
		mov	[ebp+var_48], eax
		push	4
		pop	eax
		mov	[ebp+var_20], eax
		lea	edx, [ebp+var_20]
		push	edx
		mov	edx, ecx
		mov	ecx, eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A14984
		mov	eax, [ebp+var_20]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1475B
		mov	esi, edi
		jmp	short loc_A14760
; 

loc_A1475B:				; CODE XREF: sub_A14547+20Ej
		mov	esi, ebx
		or	ecx, 0FFFFFFFFh

loc_A14760:				; CODE XREF: sub_A14547+212j
		mov	[ebp+var_20], ecx
		test	esi, esi
		js	loc_A14984
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, [ebp+var_48]
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A14984
		mov	eax, [ebp+var_20]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1478F
		mov	esi, edi
		jmp	short loc_A14794
; 

loc_A1478F:				; CODE XREF: sub_A14547+242j
		mov	esi, ebx
		or	ecx, 0FFFFFFFFh

loc_A14794:				; CODE XREF: sub_A14547+246j
		test	esi, esi
		js	loc_A14984
		lea	eax, [ebp+var_20]
		push	eax
		mov	edx, [ebp+var_3C]
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A14984
		mov	ebx, [ebp+arg_4]
		lea	eax, [ebx+4]
		mov	edx, [ebp+var_28]
		mov	[eax], edx
		mov	esi, edi
		test	edx, edx
		jnz	short loc_A147CA
		mov	esi, 0C000003Eh
		jmp	short loc_A147EA
; 

loc_A147CA:				; CODE XREF: sub_A14547+27Aj
		push	20534C53h
		push	edx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_A147E2
		mov	esi, 0C0000017h
		jmp	short loc_A147E7
; 

loc_A147E2:				; CODE XREF: sub_A14547+292j
		mov	[ebx+8], eax
		mov	[ebx], edi

loc_A147E7:				; CODE XREF: sub_A14547+299j
		lea	eax, [ebx+4]

loc_A147EA:				; CODE XREF: sub_A14547+281j
		test	esi, esi
		js	loc_A14984
		mov	edx, edi
		mov	[ebp+var_3C], edx
		mov	ecx, [ebx+8]
		mov	[ebp+var_34], ecx
		test	ecx, ecx
		jnz	short loc_A1481D
		push	eax
		push	8
		pop	edx
		mov	ecx, [eax]
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A14984
		mov	esi, edi
		jmp	loc_A148B4
; 

loc_A1481D:				; CODE XREF: sub_A14547+2B8j
		mov	[ebp+var_24], ecx
		mov	[ebp+arg_4], edi
		mov	eax, [ebx]
		mov	[ebp+var_48], eax
		test	eax, eax
		jz	short loc_A14874

loc_A1482C:				; CODE XREF: sub_A14547+32Bj
		mov	eax, [ebp+var_24]
		mov	eax, [eax]
		add	eax, 4
		cmp	eax, 4
		jb	short loc_A14842
		mov	edx, eax
		mov	[ebp+var_3C], edx
		mov	esi, edi
		jmp	short loc_A14847
; 

loc_A14842:				; CODE XREF: sub_A14547+2F0j
		mov	esi, 0C0000095h

loc_A14847:				; CODE XREF: sub_A14547+2F9j
		test	esi, esi
		js	loc_A14984
		lea	eax, [ebp+var_24]
		push	eax
		mov	ecx, [ebp+var_24]
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A14984
		mov	ecx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+arg_4], ecx
		cmp	ecx, [ebp+var_48]
		mov	edx, [ebp+var_3C]
		jb	short loc_A1482C

loc_A14874:				; CODE XREF: sub_A14547+2E3j
		mov	eax, [ebp+var_24]
		lea	edx, [eax+4]
		cmp	edx, eax
		jb	short loc_A14882
		mov	esi, edi
		jmp	short loc_A1488A
; 

loc_A14882:				; CODE XREF: sub_A14547+335j
		or	edx, 0FFFFFFFFh
		mov	esi, 0C0000095h

loc_A1488A:				; CODE XREF: sub_A14547+339j
		test	esi, esi
		js	loc_A14984
		mov	ecx, [ebx+4]
		add	ecx, [ebp+var_34]
		mov	eax, [ebp+var_24]
		add	eax, 8
		cmp	eax, ecx
		jbe	short loc_A148A9
		mov	esi, 0C0000023h
		jmp	short loc_A148B6
; 

loc_A148A9:				; CODE XREF: sub_A14547+359j
		mov	eax, [ebp+var_24]
		mov	dword ptr [eax], 4
		mov	[edx], edi

loc_A148B4:				; CODE XREF: sub_A14547+2D1j
		inc	dword ptr [ebx]

loc_A148B6:				; CODE XREF: sub_A14547+360j
		test	esi, esi
		js	loc_A14984
		mov	ecx, edi
		mov	[ebp+var_3C], ecx
		mov	eax, [ebx+8]
		mov	[ebp+var_34], eax
		test	eax, eax
		jnz	short loc_A148EC
		lea	eax, [ebx+4]
		push	eax
		push	0Ch
		pop	edx
		mov	ecx, [eax]
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A14984
		mov	esi, edi
		jmp	loc_A14982
; 

loc_A148EC:				; CODE XREF: sub_A14547+384j
		mov	[ebp+var_28], eax
		mov	[ebp+arg_4], edi
		mov	eax, [ebx]
		mov	[ebp+var_48], eax
		test	eax, eax
		jz	short loc_A1493D

loc_A148FB:				; CODE XREF: sub_A14547+3F4j
		mov	eax, [ebp+var_28]
		mov	eax, [eax]
		add	eax, 4
		cmp	eax, 4
		jb	short loc_A14911
		mov	ecx, eax
		mov	[ebp+var_3C], ecx
		mov	esi, edi
		jmp	short loc_A14916
; 

loc_A14911:				; CODE XREF: sub_A14547+3BFj
		mov	esi, 0C0000095h

loc_A14916:				; CODE XREF: sub_A14547+3C8j
		test	esi, esi
		js	short loc_A14984
		lea	eax, [ebp+var_28]
		push	eax
		mov	edx, ecx
		mov	ecx, [ebp+var_28]
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A14984
		mov	ecx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+arg_4], ecx
		cmp	ecx, [ebp+var_48]
		mov	ecx, [ebp+var_3C]
		jb	short loc_A148FB

loc_A1493D:				; CODE XREF: sub_A14547+3B2j
		mov	eax, [ebp+var_28]
		lea	edx, [eax+4]
		cmp	edx, eax
		jb	short loc_A1494B
		mov	esi, edi
		jmp	short loc_A14953
; 

loc_A1494B:				; CODE XREF: sub_A14547+3FEj
		or	edx, 0FFFFFFFFh
		mov	esi, 0C0000095h

loc_A14953:				; CODE XREF: sub_A14547+402j
		test	esi, esi
		js	short loc_A14984
		mov	ecx, [ebx+4]
		add	ecx, [ebp+var_34]
		mov	eax, [ebp+var_28]
		add	eax, 0Ch
		cmp	eax, ecx
		jbe	short loc_A1496E
		mov	esi, 0C0000023h
		jmp	short loc_A14984
; 

loc_A1496E:				; CODE XREF: sub_A14547+41Ej
		mov	eax, [ebp+var_28]
		mov	dword ptr [eax], 8
		mov	ecx, [ebp+var_58]
		mov	[edx], ecx
		mov	ecx, [ebp+var_54]
		mov	[edx+4], ecx

loc_A14982:				; CODE XREF: sub_A14547+3A0j
		inc	dword ptr [ebx]

loc_A14984:				; CODE XREF: sub_A14547+28j
					; sub_A14547+CFj ...
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A14547	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A14998	proc near		; CODE XREF: sub_785212+1B4Fp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		mov	eax, edx
		mov	[ebp+var_10], ecx
		xor	edx, edx
		mov	[ebp+var_28], eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], edx
		push	esi
		push	edi
		mov	edi, edx
		test	eax, eax
		jnz	short loc_A149C9

loc_A149BF:				; CODE XREF: sub_A14998+36j
					; sub_A14998+EEj ...
		mov	edx, 0C000000Dh
		jmp	loc_A14D0E
; 

loc_A149C9:				; CODE XREF: sub_A14998+25j
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_A149BF
		mov	eax, [ecx+8]
		mov	esi, edx
		mov	[ebp+var_C], edx
		test	eax, eax
		jnz	short loc_A149E6

loc_A149DC:				; CODE XREF: sub_A14998+51j
		mov	edx, 0C000000Dh
		jmp	loc_A14A79
; 

loc_A149E6:				; CODE XREF: sub_A14998+42j
		cmp	dword ptr [ecx], 3
		jbe	short loc_A149DC
		mov	[ebp+var_4], edx

loc_A149EE:				; CODE XREF: sub_A14998+94j
		mov	ecx, [eax]
		mov	[ebp+var_24], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jnb	short loc_A14A02
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A14A02:				; CODE XREF: sub_A14998+60j
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	short loc_A14A76
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A14A76
		mov	edx, [ebp+var_4]
		mov	eax, [ebp+arg_4]
		inc	edx
		mov	[ebp+var_4], edx
		cmp	edx, 3
		jnb	short loc_A14A2E
		xor	edx, edx
		jmp	short loc_A149EE
; 

loc_A14A2E:				; CODE XREF: sub_A14998+90j
		mov	ecx, [eax]
		mov	[ebp+arg_4], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A14A3E
		xor	edx, edx
		jmp	short loc_A14A46
; 

loc_A14A3E:				; CODE XREF: sub_A14998+A0j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A14A46:				; CODE XREF: sub_A14998+A4j
		test	edx, edx
		js	short loc_A14A76
		mov	eax, [ebp+arg_4]
		mov	esi, eax
		neg	esi
		mov	[ebp+var_C], eax
		sbb	esi, esi
		and	esi, ecx
		test	edx, edx
		js	short loc_A14A76
		cmp	eax, 8
		jz	short loc_A14A6B

loc_A14A61:				; CODE XREF: sub_A14998+2D2j
					; sub_A14998+355j
		mov	edx, 0C0000023h
		jmp	loc_A14D0E
; 

loc_A14A6B:				; CODE XREF: sub_A14998+C7j
		mov	eax, [esi]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+4]
		mov	[ebp+var_20], eax

loc_A14A76:				; CODE XREF: sub_A14998+6Fj
					; sub_A14998+81j ...
		mov	ecx, [ebp+var_10]

loc_A14A79:				; CODE XREF: sub_A14998+49j
		test	edx, edx
		js	loc_A14D0E
		mov	eax, [ecx+8]
		test	eax, eax
		jz	loc_A149BF
		cmp	dword ptr [ecx], 4
		jbe	loc_A149BF
		xor	esi, esi

loc_A14A97:				; CODE XREF: sub_A14998+13Fj
		mov	ecx, [eax]
		mov	[ebp+var_24], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A14AA7
		xor	edx, edx
		jmp	short loc_A14AAF
; 

loc_A14AA7:				; CODE XREF: sub_A14998+109j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A14AAF:				; CODE XREF: sub_A14998+10Dj
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	loc_A14D0E
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A14D0E
		mov	eax, [ebp+arg_4]
		inc	esi
		cmp	esi, 4
		jb	short loc_A14A97
		mov	esi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A14AE6
		xor	edx, edx
		jmp	short loc_A14AEE
; 

loc_A14AE6:				; CODE XREF: sub_A14998+148j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A14AEE:				; CODE XREF: sub_A14998+14Cj
		test	edx, edx
		js	loc_A14D0E
		mov	edi, esi
		mov	[ebp+var_14], esi
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		test	edx, edx
		js	loc_A14D0E
		mov	eax, ds:dword_A93EBC
		test	eax, eax
		jz	short loc_A14B18
		push	esi
		push	edi
		call	eax
		jmp	short loc_A14B1D
; 

loc_A14B18:				; CODE XREF: sub_A14998+178j
		mov	eax, 0C00000BBh

loc_A14B1D:				; CODE XREF: sub_A14998+17Ej
		mov	[ebp+var_4], eax
		push	8
		pop	edi
		mov	[ebp+arg_4], edi
		lea	eax, [ebp+arg_4]
		mov	ecx, edi
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A14B42
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], eax
		jmp	short loc_A14B45
; 

loc_A14B42:				; CODE XREF: sub_A14998+1A0j
		mov	eax, [ebp+var_8]

loc_A14B45:				; CODE XREF: sub_A14998+1A8j
		test	edx, edx
		js	loc_A14D0E
		xor	esi, esi
		mov	[ebp+var_18], edi
		lea	ecx, [ebp+var_18]
		mov	edx, eax
		push	ecx
		mov	ecx, edi
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A14D0E
		mov	eax, [ebp+var_18]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A14B7D
		mov	edx, 0C0000095h
		jmp	short loc_A14B8A
; 

loc_A14B7D:				; CODE XREF: sub_A14998+1DCj
		lea	esi, [ecx+8]
		cmp	esi, ecx
		jb	loc_A14C09
		xor	edx, edx

loc_A14B8A:				; CODE XREF: sub_A14998+1E3j
		test	edx, edx
		js	loc_A14D0E
		mov	edi, [ebp+var_28]
		mov	edx, esi
		push	4
		pop	ecx
		mov	[ebp+arg_4], ecx
		mov	eax, [edi+10h]
		mov	edi, [edi+8]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A14D0E
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A14BC7
		xor	edx, edx
		jmp	short loc_A14BCF
; 

loc_A14BC7:				; CODE XREF: sub_A14998+229j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A14BCF:				; CODE XREF: sub_A14998+22Dj
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	loc_A14D0E
		lea	eax, [ebp+arg_4]
		mov	edx, edi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A14D0E
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A14C09
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		jmp	short loc_A14C0E
; 

loc_A14C09:				; CODE XREF: sub_A14998+1EAj
					; sub_A14998+25Fj
		mov	edx, 0C0000095h

loc_A14C0E:				; CODE XREF: sub_A14998+26Fj
		test	edx, edx
		js	loc_A14D0E
		mov	eax, [ebp+var_8]
		lea	edi, [ebx+4]
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_A14C2C
		mov	edx, 0C000003Eh
		jmp	loc_A14D0E
; 

loc_A14C2C:				; CODE XREF: sub_A14998+288j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A14C49
		mov	edx, 0C0000017h
		jmp	loc_A14D0E
; 

loc_A14C49:				; CODE XREF: sub_A14998+2A5j
		mov	[ebx+8], edx
		and	dword ptr [ebx], 0
		or	[ebp+var_4], 10000000h
		lea	esi, [edx+4]
		cmp	esi, edx
		jb	loc_A14D09
		mov	ecx, [edi]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		ja	loc_A14A61
		mov	eax, [ebp+var_4]
		mov	dword ptr [edx], 4
		mov	[esi], eax
		inc	dword ptr [ebx]
		mov	ecx, [ebx]
		mov	[ebp+var_28], ecx
		mov	eax, [ebx+8]
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_A14CA3
		mov	ecx, [edi]
		push	edi
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A14D0E
		inc	dword ptr [ebx]
		xor	edx, edx
		jmp	short loc_A14D0E
; 

loc_A14CA3:				; CODE XREF: sub_A14998+2F2j
		and	[ebp+var_14], 0
		mov	esi, eax
		mov	[ebp+arg_4], esi
		test	ecx, ecx
		jz	short loc_A14CDA

loc_A14CB0:				; CODE XREF: sub_A14998+340j
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A14D09
		lea	eax, [ebp+arg_4]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A14D0E
		mov	ecx, [ebp+var_14]
		mov	esi, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_14], ecx
		cmp	ecx, [ebp+var_28]
		jb	short loc_A14CB0

loc_A14CDA:				; CODE XREF: sub_A14998+316j
		lea	eax, [esi+4]
		cmp	eax, esi
		jb	short loc_A14D09
		mov	ecx, [edi]
		lea	eax, [esi+0Ch]
		add	ecx, [ebp+var_24]
		xor	edx, edx
		cmp	eax, ecx
		ja	loc_A14A61
		mov	eax, [ebp+var_1C]
		mov	dword ptr [esi], 8
		mov	[esi+4], eax
		mov	eax, [ebp+var_20]
		mov	[esi+8], eax
		inc	dword ptr [ebx]
		jmp	short loc_A14D0E
; 

loc_A14D09:				; CODE XREF: sub_A14998+2C3j
					; sub_A14998+320j ...
		mov	edx, 0C0000095h

loc_A14D0E:				; CODE XREF: sub_A14998+2Cj
					; sub_A14998+CEj ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	8
sub_A14998	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A14D17	proc near		; CODE XREF: sub_785212+1AF7p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ecx+8]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_1C], edx
		and	[ebp+var_14], ebx
		mov	edx, 0C000000Dh
		and	[ebp+var_18], ebx
		and	[ebp+var_4], ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], ebx
		test	eax, eax
		jnz	short loc_A14D48

loc_A14D41:				; CODE XREF: sub_A14D17+34j
		mov	esi, edx
		jmp	loc_A14DCC
; 

loc_A14D48:				; CODE XREF: sub_A14D17+28j
		cmp	dword ptr [ecx], 3
		jbe	short loc_A14D41
		xor	ebx, ebx

loc_A14D4F:				; CODE XREF: sub_A14D17+6Aj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A14D5C
		xor	esi, esi
		jmp	short loc_A14D64
; 

loc_A14D5C:				; CODE XREF: sub_A14D17+3Fj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A14D64:				; CODE XREF: sub_A14D17+43j
		mov	[ebp+var_C], ecx
		test	esi, esi
		js	short loc_A14DA8
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A14DA8
		mov	eax, [ebp+var_C]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_A14D4F
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A14D90
		xor	esi, esi
		jmp	short loc_A14D98
; 

loc_A14D90:				; CODE XREF: sub_A14D17+73j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A14D98:				; CODE XREF: sub_A14D17+77j
		test	esi, esi
		js	short loc_A14DA8
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A14DAB
; 

loc_A14DA8:				; CODE XREF: sub_A14D17+52j
					; sub_A14D17+61j ...
		mov	eax, [ebp+var_4]

loc_A14DAB:				; CODE XREF: sub_A14D17+8Fj
		test	esi, esi
		js	short loc_A14DC9
		cmp	eax, 8
		jz	short loc_A14DBE

loc_A14DB4:				; CODE XREF: sub_A14D17+297j
					; sub_A14D17+32Fj
		mov	esi, 0C0000023h
		jmp	loc_A15066
; 

loc_A14DBE:				; CODE XREF: sub_A14D17+9Bj
		mov	eax, [edi]
		mov	[ebp+var_14], eax
		mov	eax, [edi+4]
		mov	[ebp+var_18], eax

loc_A14DC9:				; CODE XREF: sub_A14D17+96j
		mov	ebx, [ebp+var_8]

loc_A14DCC:				; CODE XREF: sub_A14D17+2Cj
		test	esi, esi
		js	loc_A15066
		mov	eax, ds:dword_A93E68
		test	eax, eax
		jz	short loc_A14DE1
		call	eax
		jmp	short loc_A14DE6
; 

loc_A14DE1:				; CODE XREF: sub_A14D17+C4j
		mov	eax, 0C00000BBh

loc_A14DE6:				; CODE XREF: sub_A14D17+C8j
		mov	[ebp+var_C], eax
		mov	esi, eax
		test	eax, eax
		js	loc_A15066
		push	8
		pop	ecx
		mov	[ebp+var_4], ecx
		lea	eax, [ebp+var_4]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15066
		mov	ebx, [ebp+var_4]
		mov	[ebp+var_8], ebx
		push	8
		pop	ecx
		xor	edi, edi
		mov	[ebp+var_10], ecx
		lea	eax, [ebp+var_10]
		mov	edx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15066
		mov	eax, [ebp+var_10]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A14E46
		mov	esi, 0C0000095h
		jmp	short loc_A14E53
; 

loc_A14E46:				; CODE XREF: sub_A14D17+126j
		lea	edi, [ecx+8]
		cmp	edi, ecx
		jb	loc_A14ED6
		xor	esi, esi

loc_A14E53:				; CODE XREF: sub_A14D17+12Dj
		test	esi, esi
		js	loc_A15066
		mov	ebx, [ebp+var_1C]
		mov	edx, edi
		mov	[ebp+var_4], 4
		mov	eax, [ebx+10h]
		mov	ebx, [ebx+8]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		pop	ecx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15066
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A14E94
		xor	esi, esi
		jmp	short loc_A14E9C
; 

loc_A14E94:				; CODE XREF: sub_A14D17+177j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A14E9C:				; CODE XREF: sub_A14D17+17Bj
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	loc_A15066
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15066
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A14ED6
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		jmp	short loc_A14EDB
; 

loc_A14ED6:				; CODE XREF: sub_A14D17+134j
					; sub_A14D17+1ADj
		mov	esi, 0C0000095h

loc_A14EDB:				; CODE XREF: sub_A14D17+1BDj
		test	esi, esi
		js	loc_A15066
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_A14EF4
		mov	esi, 0C000000Dh
		jmp	loc_A15066
; 

loc_A14EF4:				; CODE XREF: sub_A14D17+1D1j
		mov	eax, [ebp+var_8]
		lea	ebx, [edi+4]
		xor	esi, esi
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_A14F09
		mov	esi, 0C000003Eh
		jmp	short loc_A14F26
; 

loc_A14F09:				; CODE XREF: sub_A14D17+1E9j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_A14F21
		mov	esi, 0C0000017h
		jmp	short loc_A14F26
; 

loc_A14F21:				; CODE XREF: sub_A14D17+201j
		mov	[edi+8], eax
		and	[edi], esi

loc_A14F26:				; CODE XREF: sub_A14D17+1F0j
					; sub_A14D17+208j
		test	esi, esi
		js	loc_A15066
		mov	eax, [edi+8]
		or	[ebp+var_C], 10000000h
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_A14F58
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15066
		inc	dword ptr [edi]
		jmp	short loc_A14FCC
; 

loc_A14F58:				; CODE XREF: sub_A14D17+226j
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+var_8], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jz	short loc_A14F97

loc_A14F6A:				; CODE XREF: sub_A14D17+27Bj
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A14FED
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A14FC1
		mov	ecx, [ebp+var_8]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_8], ecx
		cmp	ecx, [ebp+var_1C]
		jb	short loc_A14F6A
		mov	eax, [ebp+var_4]

loc_A14F97:				; CODE XREF: sub_A14D17+251j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_A15061
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+8]
		cmp	eax, ecx
		ja	loc_A14DB4
		mov	eax, [ebp+var_C]
		mov	dword ptr [ebx], 4
		mov	[edx], eax
		inc	dword ptr [edi]

loc_A14FC1:				; CODE XREF: sub_A14D17+26Cj
					; sub_A14D17+2DBj
		lea	ebx, [edi+4]
		test	esi, esi
		js	loc_A15066

loc_A14FCC:				; CODE XREF: sub_A14D17+23Fj
		mov	eax, [edi+8]
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_A14FF4
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A15066
		inc	dword ptr [edi]
		xor	esi, esi
		jmp	short loc_A15066
; 

loc_A14FED:				; CODE XREF: sub_A14D17+25Bj
		mov	esi, 0C0000095h
		jmp	short loc_A14FC1
; 

loc_A14FF4:				; CODE XREF: sub_A14D17+2BDj
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+var_C], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jz	short loc_A15033

loc_A15006:				; CODE XREF: sub_A14D17+317j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A15061
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A15066
		mov	ecx, [ebp+var_C]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_C], ecx
		cmp	ecx, [ebp+var_1C]
		jb	short loc_A15006
		mov	eax, [ebp+var_8]

loc_A15033:				; CODE XREF: sub_A14D17+2EDj
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	short loc_A15061
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+0Ch]
		cmp	eax, ecx
		ja	loc_A14DB4
		mov	eax, [ebp+var_14]
		mov	dword ptr [ebx], 8
		mov	[edx], eax
		mov	eax, [ebp+var_18]
		mov	[edx+4], eax
		inc	dword ptr [edi]
		jmp	short loc_A15066
; 

loc_A15061:				; CODE XREF: sub_A14D17+285j
					; sub_A14D17+2F7j ...
		mov	esi, 0C0000095h

loc_A15066:				; CODE XREF: sub_A14D17+A2j
					; sub_A14D17+B7j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A14D17	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1506F	proc near		; CODE XREF: sub_785212+1AE1p

var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 134h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_134], 0
		mov	eax, ecx
		and	[ebp+var_124], 0
		and	[ebp+var_110], 0
		and	[ebp+var_114], 0
		mov	[ebp+var_11C], edx
		mov	[ebp+var_120], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		test	eax, eax
		jnz	short loc_A150C2

loc_A150B8:				; CODE XREF: sub_A1506F+55j
					; sub_A1506F+59j ...
		mov	edx, 0C000000Dh
		jmp	loc_A155C9
; 

loc_A150C2:				; CODE XREF: sub_A1506F+47j
		test	edx, edx
		jz	short loc_A150B8
		test	ebx, ebx
		jz	short loc_A150B8
		mov	esi, [eax+8]
		xor	edi, edi
		and	[ebp+var_12C], edi
		test	esi, esi
		jnz	short loc_A150E3

loc_A150D9:				; CODE XREF: sub_A1506F+77j
		mov	edx, 0C000000Dh
		jmp	loc_A151A6
; 

loc_A150E3:				; CODE XREF: sub_A1506F+68j
		cmp	dword ptr [eax], 3
		jbe	short loc_A150D9
		and	[ebp+var_128], edi
		mov	eax, esi

loc_A150F0:				; CODE XREF: sub_A1506F+D8j
		mov	ecx, [eax]
		mov	[ebp+var_118], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15103
		xor	edx, edx
		jmp	short loc_A1510B
; 

loc_A15103:				; CODE XREF: sub_A1506F+8Ej
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1510B:				; CODE XREF: sub_A1506F+92j
		mov	[ebp+var_10C], ecx
		test	edx, edx
		js	loc_A151A0
		mov	edx, [ebp+var_118]
		lea	eax, [ebp+var_10C]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A151A0
		mov	edx, [ebp+var_128]
		mov	eax, [ebp+var_10C]
		inc	edx
		mov	[ebp+var_128], edx
		cmp	edx, 3
		jb	short loc_A150F0
		mov	ecx, [eax]
		mov	[ebp+var_118], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1515C
		xor	edx, edx
		jmp	short loc_A15164
; 

loc_A1515C:				; CODE XREF: sub_A1506F+E7j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15164:				; CODE XREF: sub_A1506F+EBj
		test	edx, edx
		js	short loc_A151A0
		mov	eax, [ebp+var_118]
		mov	edi, eax
		neg	edi
		mov	[ebp+var_12C], eax
		sbb	edi, edi
		and	edi, ecx
		test	edx, edx
		js	short loc_A151A0
		cmp	eax, 8
		jz	short loc_A1518F

loc_A15185:				; CODE XREF: sub_A1506F+3B3j
					; sub_A1506F+463j ...
		mov	edx, 0C0000023h
		jmp	loc_A155C9
; 

loc_A1518F:				; CODE XREF: sub_A1506F+114j
		mov	eax, [edi]
		mov	[ebp+var_134], eax
		mov	eax, [edi+4]
		mov	[ebp+var_124], eax

loc_A151A0:				; CODE XREF: sub_A1506F+A4j
					; sub_A1506F+C0j ...
		mov	eax, [ebp+var_120]

loc_A151A6:				; CODE XREF: sub_A1506F+6Fj
		test	edx, edx
		js	loc_A155C9
		test	esi, esi
		jz	loc_A150B8
		cmp	dword ptr [eax], 4
		jbe	loc_A150B8
		xor	edi, edi

loc_A151C1:				; CODE XREF: sub_A1506F+191j
		mov	eax, [esi]
		lea	ecx, [esi+4]
		cmp	ecx, esi
		jb	short loc_A151CE
		xor	edx, edx
		jmp	short loc_A151D6
; 

loc_A151CE:				; CODE XREF: sub_A1506F+159j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A151D6:				; CODE XREF: sub_A1506F+15Dj
		mov	[ebp+var_10C], ecx
		test	edx, edx
		js	short loc_A1522B
		lea	edx, [ebp+var_10C]
		push	edx
		mov	edx, eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A1522B
		inc	edi
		cmp	edi, 4
		jnb	short loc_A15202
		mov	esi, [ebp+var_10C]
		jmp	short loc_A151C1
; 

loc_A15202:				; CODE XREF: sub_A1506F+189j
		mov	eax, [ebp+var_10C]
		mov	esi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15215
		xor	edx, edx
		jmp	short loc_A1521D
; 

loc_A15215:				; CODE XREF: sub_A1506F+1A0j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1521D:				; CODE XREF: sub_A1506F+1A4j
		test	edx, edx
		js	short loc_A1522B
		mov	edi, esi
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		jmp	short loc_A15237
; 

loc_A1522B:				; CODE XREF: sub_A1506F+16Fj
					; sub_A1506F+183j ...
		mov	esi, [ebp+var_110]
		mov	edi, [ebp+var_114]

loc_A15237:				; CODE XREF: sub_A1506F+1BAj
		test	edx, edx
		js	loc_A155C9
		mov	eax, ds:dword_A93E9C
		test	eax, eax
		jz	short loc_A1525C
		push	100h
		lea	ecx, [ebp+var_108]
		push	ecx
		push	edi
		push	esi
		call	eax
		mov	esi, eax
		jmp	short loc_A15261
; 

loc_A1525C:				; CODE XREF: sub_A1506F+1D7j
		mov	esi, 0C00000BBh

loc_A15261:				; CODE XREF: sub_A1506F+1EBj
		mov	edx, esi
		test	esi, esi
		js	loc_A155C9
		and	[ebp+var_110], 0
		lea	eax, [ebp+var_110]
		xor	ecx, ecx
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A155C9
		mov	ecx, [ebp+var_110]
		lea	eax, [ebp+var_110]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A155C9
		mov	ecx, [ebp+var_110]
		lea	eax, [ebp+var_110]
		push	eax
		mov	edx, 104h
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A155C9
		push	8
		pop	ecx
		xor	edi, edi
		mov	[ebp+var_130], ecx
		mov	edx, [ebp+var_110]
		lea	eax, [ebp+var_130]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A155C9
		mov	eax, [ebp+var_130]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A1530B
		mov	edx, 0C0000095h
		jmp	short loc_A15318
; 

loc_A1530B:				; CODE XREF: sub_A1506F+293j
		lea	edi, [ecx+8]
		cmp	edi, ecx
		jb	loc_A153BF
		xor	edx, edx

loc_A15318:				; CODE XREF: sub_A1506F+29Aj
		test	edx, edx
		js	loc_A155C9
		mov	ecx, [ebp+var_11C]
		mov	edx, edi
		push	4
		mov	eax, [ecx+10h]
		mov	[ebp+var_118], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_11C], eax
		lea	eax, [ebp+var_10C]
		pop	ecx
		push	eax
		mov	[ebp+var_10C], ecx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A155C9
		mov	eax, [ebp+var_10C]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1536A
		xor	edx, edx
		jmp	short loc_A15372
; 

loc_A1536A:				; CODE XREF: sub_A1506F+2F5j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15372:				; CODE XREF: sub_A1506F+2F9j
		mov	[ebp+var_10C], ecx
		test	edx, edx
		js	loc_A155C9
		mov	edx, [ebp+var_11C]
		lea	eax, [ebp+var_10C]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A155C9
		mov	eax, [ebp+var_10C]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A153BF
		mov	edx, [ebp+var_118]
		lea	eax, [ebp+var_10C]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		jmp	short loc_A153C4
; 

loc_A153BF:				; CODE XREF: sub_A1506F+2A1j
					; sub_A1506F+338j
		mov	edx, 0C0000095h

loc_A153C4:				; CODE XREF: sub_A1506F+34Ej
		test	edx, edx
		js	loc_A155C9
		mov	eax, [ebp+var_110]
		lea	edi, [ebx+4]
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_A153E5
		mov	edx, 0C000003Eh
		jmp	loc_A155C9
; 

loc_A153E5:				; CODE XREF: sub_A1506F+36Aj
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A15402
		mov	edx, 0C0000017h
		jmp	loc_A155C9
; 

loc_A15402:				; CODE XREF: sub_A1506F+387j
		mov	[ebx+8], edx
		and	dword ptr [ebx], 0
		or	esi, 10000000h
		lea	eax, [edx+4]
		cmp	eax, edx
		jb	loc_A155C4
		mov	ecx, [edi]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		ja	loc_A15185
		mov	dword ptr [edx], 4
		mov	[edx+4], esi
		inc	dword ptr [ebx]
		mov	ecx, [ebx]
		mov	[ebp+var_11C], ecx
		mov	eax, [ebx+8]
		mov	[ebp+var_118], eax
		test	eax, eax
		jnz	short loc_A15464
		mov	ecx, [edi]
		push	edi
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A155C9
		inc	dword ptr [ebx]
		jmp	loc_A154FA
; 

loc_A15464:				; CODE XREF: sub_A1506F+3D7j
		and	[ebp+var_120], 0
		mov	esi, eax
		mov	[ebp+var_114], esi
		test	ecx, ecx
		jz	short loc_A154B8

loc_A15477:				; CODE XREF: sub_A1506F+447j
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	loc_A15527
		lea	eax, [ebp+var_114]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A155C9
		mov	ecx, [ebp+var_120]
		mov	esi, [ebp+var_114]
		inc	ecx
		mov	[ebp+var_120], ecx
		cmp	ecx, [ebp+var_11C]
		jb	short loc_A15477

loc_A154B8:				; CODE XREF: sub_A1506F+406j
		lea	eax, [esi+4]
		cmp	eax, esi
		jb	loc_A155C4
		mov	ecx, [edi]
		lea	eax, [esi+0Ch]
		add	ecx, [ebp+var_118]
		xor	edx, edx
		cmp	eax, ecx
		ja	loc_A15185
		mov	eax, [ebp+var_134]
		mov	dword ptr [esi], 8
		mov	[esi+4], eax
		mov	eax, [ebp+var_124]
		mov	[esi+8], eax
		inc	dword ptr [ebx]

loc_A154F2:				; CODE XREF: sub_A1506F+4BDj
		test	edx, edx
		js	loc_A155C9

loc_A154FA:				; CODE XREF: sub_A1506F+3F0j
		mov	eax, [ebx+8]
		mov	[ebp+var_118], eax
		test	eax, eax
		jnz	short loc_A1552E
		mov	ecx, [edi]
		mov	edx, 104h
		push	edi
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A155C9
		inc	dword ptr [ebx]
		xor	edx, edx
		jmp	loc_A155C9
; 

loc_A15527:				; CODE XREF: sub_A1506F+410j
		mov	edx, 0C0000095h
		jmp	short loc_A154F2
; 

loc_A1552E:				; CODE XREF: sub_A1506F+496j
		mov	ecx, [ebx]
		mov	esi, eax
		and	[ebp+var_124], 0
		mov	[ebp+var_114], esi
		mov	[ebp+var_11C], ecx
		test	ecx, ecx
		jz	short loc_A15588

loc_A15549:				; CODE XREF: sub_A1506F+511j
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A155C4
		lea	eax, [ebp+var_114]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A155C9
		mov	ecx, [ebp+var_124]
		mov	esi, [ebp+var_114]
		inc	ecx
		mov	[ebp+var_124], ecx
		cmp	ecx, [ebp+var_11C]
		jb	short loc_A15549
		mov	eax, [ebp+var_118]

loc_A15588:				; CODE XREF: sub_A1506F+4D8j
		lea	ecx, [esi+4]
		mov	[ebp+var_11C], ecx
		cmp	ecx, esi
		jb	short loc_A155C4
		mov	ecx, [edi]
		xor	edx, edx
		add	ecx, eax
		lea	eax, [esi+104h]
		cmp	eax, ecx
		ja	loc_A15185
		mov	edi, [ebp+var_11C]
		mov	dword ptr [esi], 100h
		lea	esi, [ebp+var_108]
		push	40h
		pop	ecx
		rep movsd
		inc	dword ptr [ebx]
		jmp	short loc_A155C9
; 

loc_A155C4:				; CODE XREF: sub_A1506F+3A4j
					; sub_A1506F+44Ej ...
		mov	edx, 0C0000095h

loc_A155C9:				; CODE XREF: sub_A1506F+4Ej
					; sub_A1506F+11Bj ...
		mov	ecx, [ebp+var_4]
		mov	eax, edx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
sub_A1506F	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A155DC	proc near		; CODE XREF: sub_785212+19FAp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_3C], edx
		xor	ecx, ecx
		mov	[ebp+var_18], ebx
		push	esi
		push	edi
		mov	eax, [ebx+8]
		mov	edi, ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_38], ecx
		test	eax, eax
		jnz	short loc_A15622

loc_A15618:				; CODE XREF: sub_A155DC+49j
		mov	esi, 0C000000Dh
		jmp	loc_A156A7
; 

loc_A15622:				; CODE XREF: sub_A155DC+3Aj
		cmp	dword ptr [ebx], 3
		jbe	short loc_A15618
		mov	ebx, ecx

loc_A15629:				; CODE XREF: sub_A155DC+7Fj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15636
		xor	esi, esi
		jmp	short loc_A1563E
; 

loc_A15636:				; CODE XREF: sub_A155DC+54j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1563E:				; CODE XREF: sub_A155DC+58j
		mov	[ebp+var_14], ecx
		test	esi, esi
		js	short loc_A15682
		lea	eax, [ebp+var_14]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A15682
		mov	eax, [ebp+var_14]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_A15629
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1566A
		xor	esi, esi
		jmp	short loc_A15672
; 

loc_A1566A:				; CODE XREF: sub_A155DC+88j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15672:				; CODE XREF: sub_A155DC+8Cj
		test	esi, esi
		js	short loc_A15682
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A15684
; 

loc_A15682:				; CODE XREF: sub_A155DC+67j
					; sub_A155DC+76j ...
		mov	eax, edi

loc_A15684:				; CODE XREF: sub_A155DC+A4j
		test	esi, esi
		js	short loc_A156A2
		cmp	eax, 8
		jz	short loc_A15697

loc_A1568D:				; CODE XREF: sub_A155DC+25Ej
		mov	esi, 0C0000023h
		jmp	loc_A15D1F
; 

loc_A15697:				; CODE XREF: sub_A155DC+AFj
		mov	eax, [edi]
		mov	[ebp+var_30], eax
		mov	eax, [edi+4]
		mov	[ebp+var_34], eax

loc_A156A2:				; CODE XREF: sub_A155DC+AAj
		mov	ebx, [ebp+var_18]
		xor	ecx, ecx

loc_A156A7:				; CODE XREF: sub_A155DC+41j
		test	esi, esi
		js	loc_A15D1F
		mov	eax, [ebx+8]
		test	eax, eax
		jnz	short loc_A156C0

loc_A156B6:				; CODE XREF: sub_A155DC+E7j
					; sub_A155DC+15Fj ...
		mov	esi, 0C000000Dh
		jmp	loc_A15D1F
; 

loc_A156C0:				; CODE XREF: sub_A155DC+D8j
		cmp	dword ptr [ebx], 4
		jbe	short loc_A156B6
		mov	edi, ecx

loc_A156C7:				; CODE XREF: sub_A155DC+125j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A156D4
		xor	esi, esi
		jmp	short loc_A156DC
; 

loc_A156D4:				; CODE XREF: sub_A155DC+F2j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A156DC:				; CODE XREF: sub_A155DC+F6j
		mov	[ebp+var_14], ecx
		test	esi, esi
		js	loc_A15D1F
		lea	eax, [ebp+var_14]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15D1F
		mov	eax, [ebp+var_14]
		inc	edi
		cmp	edi, 4
		jb	short loc_A156C7
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15710
		xor	esi, esi
		jmp	short loc_A15718
; 

loc_A15710:				; CODE XREF: sub_A155DC+12Ej
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15718:				; CODE XREF: sub_A155DC+132j
		test	esi, esi
		js	loc_A15D1F
		mov	eax, edx
		mov	[ebp+var_24], edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_28], eax
		test	esi, esi
		js	loc_A15D1F
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_A156B6
		cmp	dword ptr [ebx], 5
		jbe	loc_A156B6
		xor	edi, edi

loc_A1574C:				; CODE XREF: sub_A155DC+1AAj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15759
		xor	esi, esi
		jmp	short loc_A15761
; 

loc_A15759:				; CODE XREF: sub_A155DC+177j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15761:				; CODE XREF: sub_A155DC+17Bj
		mov	[ebp+var_14], ecx
		test	esi, esi
		js	loc_A15D1F
		lea	eax, [ebp+var_14]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15D1F
		mov	eax, [ebp+var_14]
		inc	edi
		cmp	edi, 5
		jb	short loc_A1574C
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15795
		xor	esi, esi
		jmp	short loc_A1579D
; 

loc_A15795:				; CODE XREF: sub_A155DC+1B3j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1579D:				; CODE XREF: sub_A155DC+1B7j
		test	esi, esi
		js	loc_A15D1F
		mov	eax, edx
		mov	[ebp+var_1C], edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_20], eax
		test	esi, esi
		js	loc_A15D1F
		mov	eax, [ebx+8]
		xor	edi, edi
		and	[ebp+var_4], edi
		test	eax, eax
		jnz	short loc_A157D0

loc_A157C7:				; CODE XREF: sub_A155DC+1F7j
		mov	esi, 0C000000Dh
		mov	ebx, edi
		jmp	short loc_A1584A
; 

loc_A157D0:				; CODE XREF: sub_A155DC+1E9j
		cmp	dword ptr [ebx], 6
		jbe	short loc_A157C7
		xor	ebx, ebx

loc_A157D7:				; CODE XREF: sub_A155DC+22Dj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A157E4
		xor	esi, esi
		jmp	short loc_A157EC
; 

loc_A157E4:				; CODE XREF: sub_A155DC+202j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A157EC:				; CODE XREF: sub_A155DC+206j
		mov	[ebp+var_14], ecx
		test	esi, esi
		js	short loc_A15830
		lea	eax, [ebp+var_14]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A15830
		mov	eax, [ebp+var_14]
		inc	ebx
		cmp	ebx, 6
		jb	short loc_A157D7
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15818
		xor	esi, esi
		jmp	short loc_A15820
; 

loc_A15818:				; CODE XREF: sub_A155DC+236j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15820:				; CODE XREF: sub_A155DC+23Aj
		test	esi, esi
		js	short loc_A15830
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A15833
; 

loc_A15830:				; CODE XREF: sub_A155DC+215j
					; sub_A155DC+224j ...
		mov	eax, [ebp+var_4]

loc_A15833:				; CODE XREF: sub_A155DC+252j
		test	esi, esi
		js	short loc_A15847
		cmp	eax, 4
		jnz	loc_A1568D
		mov	ebx, [edi]
		mov	[ebp+var_8], ebx
		jmp	short loc_A1584A
; 

loc_A15847:				; CODE XREF: sub_A155DC+259j
		mov	ebx, [ebp+var_8]

loc_A1584A:				; CODE XREF: sub_A155DC+1F2j
					; sub_A155DC+269j
		test	esi, esi
		js	loc_A15D1F
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_A15886
		push	20534C53h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_10], edi
		test	edi, edi
		jnz	short loc_A15878
		mov	esi, 0C0000017h
		jmp	loc_A15D1F
; 

loc_A15878:				; CODE XREF: sub_A155DC+290j
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_A1588A
; 

loc_A15886:				; CODE XREF: sub_A155DC+27Aj
		mov	edi, [ebp+var_10]
		inc	esi

loc_A1588A:				; CODE XREF: sub_A155DC+2A8j
		mov	eax, ds:dword_A93EAC
		test	eax, eax
		jz	short loc_A158B1
		neg	esi
		lea	ecx, [ebp+var_38]
		push	ecx
		sbb	esi, esi
		push	ebx
		not	esi
		and	esi, edi
		push	esi
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		push	[ebp+var_28]
		call	eax
		jmp	short loc_A158B6
; 

loc_A158B1:				; CODE XREF: sub_A155DC+2B5j
		mov	eax, 0C00000BBh

loc_A158B6:				; CODE XREF: sub_A155DC+2D3j
		and	[ebp+var_4], 0
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A15922
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A15922
		lea	edx, [ebx+4]
		cmp	edx, 4
		jb	short loc_A1591D
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A15922
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A15922
		mov	eax, [ebp+var_4]
		mov	[ebp+var_C], eax
		jmp	short loc_A15925
; 

loc_A1591D:				; CODE XREF: sub_A155DC+310j
		mov	esi, 0C0000095h

loc_A15922:				; CODE XREF: sub_A155DC+2F3j
					; sub_A155DC+308j ...
		mov	eax, [ebp+var_C]

loc_A15925:				; CODE XREF: sub_A155DC+33Fj
		test	esi, esi
		js	loc_A15D0D
		xor	edi, edi
		mov	[ebp+var_2C], 8
		lea	ecx, [ebp+var_2C]
		mov	edx, eax
		push	ecx
		push	8
		pop	ecx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15D0D
		mov	eax, [ebp+var_2C]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A15962
		mov	esi, 0C0000095h
		jmp	short loc_A1596F
; 

loc_A15962:				; CODE XREF: sub_A155DC+37Dj
		lea	edi, [ecx+8]
		cmp	edi, ecx
		jb	loc_A159EE
		xor	esi, esi

loc_A1596F:				; CODE XREF: sub_A155DC+384j
		test	esi, esi
		js	loc_A15D0D
		mov	ebx, [ebp+var_3C]
		mov	edx, edi
		push	4
		pop	ecx
		mov	[ebp+var_4], ecx
		mov	eax, [ebx+10h]
		mov	ebx, [ebx+8]
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15D0D
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A159AC
		xor	esi, esi
		jmp	short loc_A159B4
; 

loc_A159AC:				; CODE XREF: sub_A155DC+3CAj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A159B4:				; CODE XREF: sub_A155DC+3CEj
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	loc_A15D0D
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15D0D
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A159EE
		mov	edx, [ebp+var_3C]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		jmp	short loc_A159F3
; 

loc_A159EE:				; CODE XREF: sub_A155DC+38Bj
					; sub_A155DC+400j
		mov	esi, 0C0000095h

loc_A159F3:				; CODE XREF: sub_A155DC+410j
		test	esi, esi
		js	loc_A15D0D
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_A15A0C
		mov	esi, 0C000000Dh
		jmp	loc_A15D0D
; 

loc_A15A0C:				; CODE XREF: sub_A155DC+424j
		mov	eax, [ebp+var_C]
		lea	ebx, [edi+4]
		xor	esi, esi
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_A15A21
		mov	esi, 0C000003Eh
		jmp	short loc_A15A3E
; 

loc_A15A21:				; CODE XREF: sub_A155DC+43Cj
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_A15A39
		mov	esi, 0C0000017h
		jmp	short loc_A15A3E
; 

loc_A15A39:				; CODE XREF: sub_A155DC+454j
		mov	[edi+8], eax
		and	[edi], esi

loc_A15A3E:				; CODE XREF: sub_A155DC+443j
					; sub_A155DC+45Bj
		test	esi, esi
		js	loc_A15D0D
		mov	eax, [edi+8]
		or	[ebp+var_14], 10000000h
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_A15A73
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15D0D
		inc	dword ptr [edi]
		jmp	loc_A15AF4
; 

loc_A15A73:				; CODE XREF: sub_A155DC+479j
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+var_28], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_3C], ecx
		test	ecx, ecx
		jz	short loc_A15AB2

loc_A15A85:				; CODE XREF: sub_A155DC+4D1j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A15AD5
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A15AE9
		mov	ecx, [ebp+var_28]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_28], ecx
		cmp	ecx, [ebp+var_3C]
		jb	short loc_A15A85
		mov	eax, [ebp+var_24]

loc_A15AB2:				; CODE XREF: sub_A155DC+4A7j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_A15D08
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+8]
		cmp	eax, ecx
		jbe	short loc_A15ADC

loc_A15ACB:				; CODE XREF: sub_A155DC+595j
					; sub_A155DC+6A1j ...
		mov	esi, 0C0000023h
		jmp	loc_A15D0D
; 

loc_A15AD5:				; CODE XREF: sub_A155DC+4B1j
		mov	esi, 0C0000095h
		jmp	short loc_A15AE9
; 

loc_A15ADC:				; CODE XREF: sub_A155DC+4EDj
		mov	eax, [ebp+var_14]
		mov	dword ptr [ebx], 4
		mov	[edx], eax
		inc	dword ptr [edi]

loc_A15AE9:				; CODE XREF: sub_A155DC+4C2j
					; sub_A155DC+4FEj
		lea	ebx, [edi+4]
		test	esi, esi
		js	loc_A15D0D

loc_A15AF4:				; CODE XREF: sub_A155DC+492j
		mov	eax, [edi+8]
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_A15B17
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15D0D
		inc	dword ptr [edi]
		jmp	short loc_A15B95
; 

loc_A15B17:				; CODE XREF: sub_A155DC+520j
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+var_28], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_3C], ecx
		test	ecx, ecx
		jz	short loc_A15B5A

loc_A15B29:				; CODE XREF: sub_A155DC+579j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	loc_A15BE4
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A15B8A
		mov	ecx, [ebp+var_28]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_28], ecx
		cmp	ecx, [ebp+var_3C]
		jb	short loc_A15B29
		mov	eax, [ebp+var_24]

loc_A15B5A:				; CODE XREF: sub_A155DC+54Bj
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_A15D08
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+0Ch]
		cmp	eax, ecx
		ja	loc_A15ACB
		mov	eax, [ebp+var_30]
		mov	dword ptr [ebx], 8
		mov	[edx], eax
		mov	eax, [ebp+var_34]
		mov	[edx+4], eax
		inc	dword ptr [edi]

loc_A15B8A:				; CODE XREF: sub_A155DC+56Aj
					; sub_A155DC+60Dj
		lea	ebx, [edi+4]
		test	esi, esi
		js	loc_A15D0D

loc_A15B95:				; CODE XREF: sub_A155DC+539j
		cmp	[ebp+var_10], 0
		mov	ecx, [ebp+var_8]
		jnz	short loc_A15BEB
		test	ecx, ecx
		jz	short loc_A15BEF

loc_A15BA2:				; CODE XREF: sub_A155DC+611j
		mov	esi, 0C000000Dh

loc_A15BA7:				; CODE XREF: sub_A155DC+640j
					; sub_A155DC+6C0j
		test	esi, esi
		js	loc_A15D0D
		lea	ebx, [edi+4]

loc_A15BB2:				; CODE XREF: sub_A155DC+639j
		mov	eax, [ebp+var_38]
		mov	[ebp+var_28], eax
		mov	eax, [edi+8]
		mov	[ebp+var_30], eax
		test	eax, eax
		jnz	loc_A15CA1
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15D0D
		inc	dword ptr [edi]
		xor	esi, esi
		jmp	loc_A15D0D
; 

loc_A15BE4:				; CODE XREF: sub_A155DC+555j
		mov	esi, 0C0000095h
		jmp	short loc_A15B8A
; 

loc_A15BEB:				; CODE XREF: sub_A155DC+5C0j
		test	ecx, ecx
		jz	short loc_A15BA2

loc_A15BEF:				; CODE XREF: sub_A155DC+5C4j
		mov	eax, [edi+8]
		mov	[ebp+var_30], eax
		test	eax, eax
		jnz	short loc_A15C1E
		lea	edx, [ecx+4]
		cmp	edx, 4
		jb	short loc_A15C17
		mov	ecx, [ebx]
		push	ebx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15D0D
		inc	dword ptr [edi]
		jmp	short loc_A15BB2
; 

loc_A15C17:				; CODE XREF: sub_A155DC+623j
					; sub_A155DC+65Cj
		mov	esi, 0C0000095h
		jmp	short loc_A15BA7
; 

loc_A15C1E:				; CODE XREF: sub_A155DC+61Bj
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+var_34], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_3C], ecx
		test	ecx, ecx
		jz	short loc_A15C61

loc_A15C30:				; CODE XREF: sub_A155DC+680j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A15C17
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A15D0D
		mov	ecx, [ebp+var_34]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_34], ecx
		cmp	ecx, [ebp+var_3C]
		jb	short loc_A15C30
		mov	eax, [ebp+var_30]

loc_A15C61:				; CODE XREF: sub_A155DC+652j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_A15D08
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		mov	eax, [ebp+var_8]
		add	eax, 4
		add	eax, ebx
		cmp	eax, ecx
		ja	loc_A15ACB
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_8]
		mov	[ebx], eax
		test	ecx, ecx
		jz	short loc_A15C9A
		push	eax		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_A15C9A:				; CODE XREF: sub_A155DC+6B1j
		inc	dword ptr [edi]
		jmp	loc_A15BA7
; 

loc_A15CA1:				; CODE XREF: sub_A155DC+5E4j
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+var_34], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_3C], ecx
		test	ecx, ecx
		jz	short loc_A15CE0

loc_A15CB3:				; CODE XREF: sub_A155DC+6FFj
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A15D08
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A15D0D
		mov	ecx, [ebp+var_34]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_34], ecx
		cmp	ecx, [ebp+var_3C]
		jb	short loc_A15CB3
		mov	eax, [ebp+var_30]

loc_A15CE0:				; CODE XREF: sub_A155DC+6D5j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	short loc_A15D08
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+8]
		cmp	eax, ecx
		ja	loc_A15ACB
		mov	eax, [ebp+var_28]
		mov	dword ptr [ebx], 4
		mov	[edx], eax
		inc	dword ptr [edi]
		jmp	short loc_A15D0D
; 

loc_A15D08:				; CODE XREF: sub_A155DC+4DBj
					; sub_A155DC+583j ...
		mov	esi, 0C0000095h

loc_A15D0D:				; CODE XREF: sub_A155DC+34Bj
					; sub_A155DC+36Cj ...
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_A15D1F
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A15D1F:				; CODE XREF: sub_A155DC+B6j
					; sub_A155DC+CDj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A155DC	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A15D28	proc near		; CODE XREF: sub_785212+20C3p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, [ecx+8]
		push	ebx
		push	esi
		mov	[ebp+var_40], edx
		xor	edx, edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_38], edx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_3C], edx
		push	edi
		mov	edi, edx
		test	eax, eax
		jnz	short loc_A15D6F

loc_A15D65:				; CODE XREF: sub_A15D28+4Aj
		mov	esi, 0C000000Dh
		jmp	loc_A15DF4
; 

loc_A15D6F:				; CODE XREF: sub_A15D28+3Bj
		cmp	dword ptr [ecx], 3
		jbe	short loc_A15D65
		mov	ebx, edx

loc_A15D76:				; CODE XREF: sub_A15D28+80j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15D83
		xor	esi, esi
		jmp	short loc_A15D8B
; 

loc_A15D83:				; CODE XREF: sub_A15D28+55j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15D8B:				; CODE XREF: sub_A15D28+59j
		mov	[ebp+var_14], ecx
		test	esi, esi
		js	short loc_A15DCF
		lea	eax, [ebp+var_14]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A15DCF
		mov	eax, [ebp+var_14]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_A15D76
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15DB7
		xor	esi, esi
		jmp	short loc_A15DBF
; 

loc_A15DB7:				; CODE XREF: sub_A15D28+89j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15DBF:				; CODE XREF: sub_A15D28+8Dj
		test	esi, esi
		js	short loc_A15DCF
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A15DD1
; 

loc_A15DCF:				; CODE XREF: sub_A15D28+68j
					; sub_A15D28+77j ...
		mov	eax, edi

loc_A15DD1:				; CODE XREF: sub_A15D28+A5j
		test	esi, esi
		js	short loc_A15DEF
		cmp	eax, 8
		jz	short loc_A15DE4

loc_A15DDA:				; CODE XREF: sub_A15D28+151j
					; sub_A15D28+2F7j
		mov	esi, 0C0000023h
		jmp	loc_A16504
; 

loc_A15DE4:				; CODE XREF: sub_A15D28+B0j
		mov	eax, [edi]
		mov	[ebp+var_34], eax
		mov	eax, [edi+4]
		mov	[ebp+var_38], eax

loc_A15DEF:				; CODE XREF: sub_A15D28+ABj
		mov	ecx, [ebp+var_4]
		xor	edx, edx

loc_A15DF4:				; CODE XREF: sub_A15D28+42j
		test	esi, esi
		js	loc_A16504
		mov	eax, [ecx+8]
		mov	ebx, edx
		mov	[ebp+var_14], edx
		test	eax, eax
		jnz	short loc_A15E0F

loc_A15E08:				; CODE XREF: sub_A15D28+EAj
		mov	esi, 0C000000Dh
		jmp	short loc_A15E89
; 

loc_A15E0F:				; CODE XREF: sub_A15D28+DEj
		cmp	dword ptr [ecx], 4
		jbe	short loc_A15E08
		mov	edi, edx

loc_A15E16:				; CODE XREF: sub_A15D28+120j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15E23
		xor	esi, esi
		jmp	short loc_A15E2B
; 

loc_A15E23:				; CODE XREF: sub_A15D28+F5j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15E2B:				; CODE XREF: sub_A15D28+F9j
		mov	[ebp+var_18], ecx
		test	esi, esi
		js	short loc_A15E6F
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A15E6F
		mov	eax, [ebp+var_18]
		inc	edi
		cmp	edi, 4
		jb	short loc_A15E16
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15E57
		xor	esi, esi
		jmp	short loc_A15E5F
; 

loc_A15E57:				; CODE XREF: sub_A15D28+129j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15E5F:				; CODE XREF: sub_A15D28+12Dj
		test	esi, esi
		js	short loc_A15E6F
		mov	ebx, edx
		mov	eax, edx
		neg	ebx
		sbb	ebx, ebx
		and	ebx, ecx
		jmp	short loc_A15E72
; 

loc_A15E6F:				; CODE XREF: sub_A15D28+108j
					; sub_A15D28+117j ...
		mov	eax, [ebp+var_14]

loc_A15E72:				; CODE XREF: sub_A15D28+145j
		test	esi, esi
		js	short loc_A15E84
		cmp	eax, 4
		jnz	loc_A15DDA
		mov	eax, [ebx]
		mov	[ebp+var_2C], eax

loc_A15E84:				; CODE XREF: sub_A15D28+14Cj
		mov	ecx, [ebp+var_4]
		xor	edx, edx

loc_A15E89:				; CODE XREF: sub_A15D28+E5j
		test	esi, esi
		js	loc_A16504
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	short loc_A15EA2

loc_A15E98:				; CODE XREF: sub_A15D28+17Dj
					; sub_A15D28+1F8j ...
		mov	esi, 0C000000Dh
		jmp	loc_A16504
; 

loc_A15EA2:				; CODE XREF: sub_A15D28+16Ej
		cmp	dword ptr [ecx], 5
		jbe	short loc_A15E98
		mov	edi, edx

loc_A15EA9:				; CODE XREF: sub_A15D28+1BBj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15EB6
		xor	esi, esi
		jmp	short loc_A15EBE
; 

loc_A15EB6:				; CODE XREF: sub_A15D28+188j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15EBE:				; CODE XREF: sub_A15D28+18Cj
		mov	[ebp+var_18], ecx
		test	esi, esi
		js	loc_A16504
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A16504
		mov	eax, [ebp+var_18]
		inc	edi
		cmp	edi, 5
		jb	short loc_A15EA9
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15EF2
		xor	esi, esi
		jmp	short loc_A15EFA
; 

loc_A15EF2:				; CODE XREF: sub_A15D28+1C4j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15EFA:				; CODE XREF: sub_A15D28+1C8j
		test	esi, esi
		js	loc_A16504
		mov	eax, edx
		mov	[ebp+var_24], edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_28], eax
		test	esi, esi
		js	loc_A16504
		mov	ebx, [ebp+var_4]
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_A15E98
		cmp	dword ptr [ebx], 6
		jbe	loc_A15E98
		xor	edi, edi

loc_A15F31:				; CODE XREF: sub_A15D28+243j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15F3E
		xor	esi, esi
		jmp	short loc_A15F46
; 

loc_A15F3E:				; CODE XREF: sub_A15D28+210j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15F46:				; CODE XREF: sub_A15D28+214j
		mov	[ebp+var_18], ecx
		test	esi, esi
		js	loc_A16504
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A16504
		mov	eax, [ebp+var_18]
		inc	edi
		cmp	edi, 6
		jb	short loc_A15F31
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15F7A
		xor	esi, esi
		jmp	short loc_A15F82
; 

loc_A15F7A:				; CODE XREF: sub_A15D28+24Cj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15F82:				; CODE XREF: sub_A15D28+250j
		test	esi, esi
		js	loc_A16504
		mov	eax, edx
		mov	[ebp+var_1C], edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_20], eax
		test	esi, esi
		js	loc_A16504
		mov	eax, [ebx+8]
		xor	edi, edi
		and	[ebp+var_14], edi
		test	eax, eax
		jnz	short loc_A15FB5

loc_A15FAC:				; CODE XREF: sub_A15D28+290j
		mov	esi, 0C000000Dh
		mov	ebx, edi
		jmp	short loc_A1602F
; 

loc_A15FB5:				; CODE XREF: sub_A15D28+282j
		cmp	dword ptr [ebx], 7
		jbe	short loc_A15FAC
		xor	ebx, ebx

loc_A15FBC:				; CODE XREF: sub_A15D28+2C6j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15FC9
		xor	esi, esi
		jmp	short loc_A15FD1
; 

loc_A15FC9:				; CODE XREF: sub_A15D28+29Bj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A15FD1:				; CODE XREF: sub_A15D28+29Fj
		mov	[ebp+var_18], ecx
		test	esi, esi
		js	short loc_A16015
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A16015
		mov	eax, [ebp+var_18]
		inc	ebx
		cmp	ebx, 7
		jb	short loc_A15FBC
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A15FFD
		xor	esi, esi
		jmp	short loc_A16005
; 

loc_A15FFD:				; CODE XREF: sub_A15D28+2CFj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A16005:				; CODE XREF: sub_A15D28+2D3j
		test	esi, esi
		js	short loc_A16015
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A16018
; 

loc_A16015:				; CODE XREF: sub_A15D28+2AEj
					; sub_A15D28+2BDj ...
		mov	eax, [ebp+var_14]

loc_A16018:				; CODE XREF: sub_A15D28+2EBj
		test	esi, esi
		js	short loc_A1602C
		cmp	eax, 4
		jnz	loc_A15DDA
		mov	ebx, [edi]
		mov	[ebp+var_8], ebx
		jmp	short loc_A1602F
; 

loc_A1602C:				; CODE XREF: sub_A15D28+2F2j
		mov	ebx, [ebp+var_8]

loc_A1602F:				; CODE XREF: sub_A15D28+28Bj
					; sub_A15D28+302j
		test	esi, esi
		js	loc_A16504
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_A1606B
		push	20534C53h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_10], edi
		test	edi, edi
		jnz	short loc_A1605D
		mov	esi, 0C0000017h
		jmp	loc_A16504
; 

loc_A1605D:				; CODE XREF: sub_A15D28+329j
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_A1606F
; 

loc_A1606B:				; CODE XREF: sub_A15D28+313j
		mov	edi, [ebp+var_10]
		inc	esi

loc_A1606F:				; CODE XREF: sub_A15D28+341j
		mov	eax, ds:dword_A93EB0
		test	eax, eax
		jz	short loc_A16099
		neg	esi
		lea	ecx, [ebp+var_3C]
		push	ecx
		push	ebx
		sbb	esi, esi
		not	esi
		and	esi, edi
		push	esi
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		push	[ebp+var_28]
		push	[ebp+var_2C]
		call	eax
		jmp	short loc_A1609E
; 

loc_A16099:				; CODE XREF: sub_A15D28+34Ej
		mov	eax, 0C00000BBh

loc_A1609E:				; CODE XREF: sub_A15D28+36Fj
		and	[ebp+var_4], 0
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1610A
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1610A
		lea	edx, [ebx+4]
		cmp	edx, 4
		jb	short loc_A16105
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1610A
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1610A
		mov	eax, [ebp+var_4]
		mov	[ebp+var_C], eax
		jmp	short loc_A1610D
; 

loc_A16105:				; CODE XREF: sub_A15D28+3ACj
		mov	esi, 0C0000095h

loc_A1610A:				; CODE XREF: sub_A15D28+38Fj
					; sub_A15D28+3A4j ...
		mov	eax, [ebp+var_C]

loc_A1610D:				; CODE XREF: sub_A15D28+3DBj
		test	esi, esi
		js	loc_A164F2
		xor	edi, edi
		mov	[ebp+var_30], 8
		lea	ecx, [ebp+var_30]
		mov	edx, eax
		push	ecx
		push	8
		pop	ecx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A164F2
		mov	eax, [ebp+var_30]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A1614A
		mov	esi, 0C0000095h
		jmp	short loc_A16157
; 

loc_A1614A:				; CODE XREF: sub_A15D28+419j
		lea	edi, [ecx+8]
		cmp	edi, ecx
		jb	loc_A161D6
		xor	esi, esi

loc_A16157:				; CODE XREF: sub_A15D28+420j
		test	esi, esi
		js	loc_A164F2
		mov	ebx, [ebp+var_40]
		mov	edx, edi
		push	4
		pop	ecx
		mov	[ebp+var_4], ecx
		mov	eax, [ebx+10h]
		mov	ebx, [ebx+8]
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A164F2
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A16194
		xor	esi, esi
		jmp	short loc_A1619C
; 

loc_A16194:				; CODE XREF: sub_A15D28+466j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1619C:				; CODE XREF: sub_A15D28+46Aj
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	loc_A164F2
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A164F2
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A161D6
		mov	edx, [ebp+var_40]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		jmp	short loc_A161DB
; 

loc_A161D6:				; CODE XREF: sub_A15D28+427j
					; sub_A15D28+49Cj
		mov	esi, 0C0000095h

loc_A161DB:				; CODE XREF: sub_A15D28+4ACj
		test	esi, esi
		js	loc_A164F2
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_A161F4
		mov	esi, 0C000000Dh
		jmp	loc_A164F2
; 

loc_A161F4:				; CODE XREF: sub_A15D28+4C0j
		mov	eax, [ebp+var_C]
		lea	ebx, [edi+4]
		xor	esi, esi
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_A16209
		mov	esi, 0C000003Eh
		jmp	short loc_A16226
; 

loc_A16209:				; CODE XREF: sub_A15D28+4D8j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_A16221
		mov	esi, 0C0000017h
		jmp	short loc_A16226
; 

loc_A16221:				; CODE XREF: sub_A15D28+4F0j
		mov	[edi+8], eax
		and	[edi], esi

loc_A16226:				; CODE XREF: sub_A15D28+4DFj
					; sub_A15D28+4F7j
		test	esi, esi
		js	loc_A164F2
		mov	eax, [edi+8]
		or	[ebp+var_14], 10000000h
		mov	[ebp+var_28], eax
		test	eax, eax
		jnz	short loc_A16258
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A164F2
		inc	dword ptr [edi]
		jmp	short loc_A162D7
; 

loc_A16258:				; CODE XREF: sub_A15D28+515j
		and	[ebp+var_2C], 0
		mov	ebx, eax
		mov	eax, [edi]
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	short loc_A16294

loc_A1626A:				; CODE XREF: sub_A15D28+56Aj
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A162B8
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A162CC
		mov	ecx, [ebp+var_2C]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_2C], ecx
		cmp	ecx, [ebp+var_40]
		jb	short loc_A1626A

loc_A16294:				; CODE XREF: sub_A15D28+540j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_A164ED
		mov	ecx, [edi+4]
		lea	eax, [ebx+8]
		add	ecx, [ebp+var_28]
		xor	esi, esi
		cmp	eax, ecx
		jbe	short loc_A162BF

loc_A162AE:				; CODE XREF: sub_A15D28+62Aj
					; sub_A15D28+736j ...
		mov	esi, 0C0000023h
		jmp	loc_A164F2
; 

loc_A162B8:				; CODE XREF: sub_A15D28+54Aj
		mov	esi, 0C0000095h
		jmp	short loc_A162CC
; 

loc_A162BF:				; CODE XREF: sub_A15D28+584j
		mov	eax, [ebp+var_14]
		mov	dword ptr [ebx], 4
		mov	[edx], eax
		inc	dword ptr [edi]

loc_A162CC:				; CODE XREF: sub_A15D28+55Bj
					; sub_A15D28+595j
		lea	ebx, [edi+4]
		test	esi, esi
		js	loc_A164F2

loc_A162D7:				; CODE XREF: sub_A15D28+52Ej
		mov	eax, [edi+8]
		mov	[ebp+var_28], eax
		test	eax, eax
		jnz	short loc_A162FA
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A164F2
		inc	dword ptr [edi]
		jmp	short loc_A16376
; 

loc_A162FA:				; CODE XREF: sub_A15D28+5B7j
		and	[ebp+var_2C], 0
		mov	ebx, eax
		mov	eax, [edi]
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	short loc_A1633A

loc_A1630C:				; CODE XREF: sub_A15D28+610j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	loc_A163C5
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1636B
		mov	ecx, [ebp+var_2C]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_2C], ecx
		cmp	ecx, [ebp+var_40]
		jb	short loc_A1630C

loc_A1633A:				; CODE XREF: sub_A15D28+5E2j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_A164ED
		mov	ecx, [edi+4]
		lea	eax, [ebx+0Ch]
		add	ecx, [ebp+var_28]
		xor	esi, esi
		cmp	eax, ecx
		ja	loc_A162AE
		mov	eax, [ebp+var_34]
		mov	dword ptr [ebx], 8
		mov	[edx], eax
		mov	eax, [ebp+var_38]
		mov	[edx+4], eax
		inc	dword ptr [edi]

loc_A1636B:				; CODE XREF: sub_A15D28+601j
					; sub_A15D28+6A2j
		lea	ebx, [edi+4]
		test	esi, esi
		js	loc_A164F2

loc_A16376:				; CODE XREF: sub_A15D28+5D0j
		cmp	[ebp+var_10], 0
		mov	eax, [ebp+var_8]
		jnz	short loc_A163CC
		test	eax, eax
		jz	short loc_A163D0

loc_A16383:				; CODE XREF: sub_A15D28+6A6j
		mov	esi, 0C000000Dh

loc_A16388:				; CODE XREF: sub_A15D28+6D5j
					; sub_A15D28+758j
		test	esi, esi
		js	loc_A164F2
		lea	ebx, [edi+4]

loc_A16393:				; CODE XREF: sub_A15D28+6CEj
		mov	edx, [edi+8]
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_2C], eax
		mov	[ebp+var_34], edx
		test	edx, edx
		jnz	loc_A16485
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A164F2
		inc	dword ptr [edi]
		xor	esi, esi
		jmp	loc_A164F2
; 

loc_A163C5:				; CODE XREF: sub_A15D28+5ECj
		mov	esi, 0C0000095h
		jmp	short loc_A1636B
; 

loc_A163CC:				; CODE XREF: sub_A15D28+655j
		test	eax, eax
		jz	short loc_A16383

loc_A163D0:				; CODE XREF: sub_A15D28+659j
		mov	edx, [edi+8]
		mov	[ebp+var_34], edx
		test	edx, edx
		jnz	short loc_A163FF
		lea	edx, [eax+4]
		cmp	edx, 4
		jb	short loc_A163F8
		mov	ecx, [ebx]
		push	ebx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A164F2
		inc	dword ptr [edi]
		jmp	short loc_A16393
; 

loc_A163F8:				; CODE XREF: sub_A15D28+6B8j
					; sub_A15D28+6F1j
		mov	esi, 0C0000095h
		jmp	short loc_A16388
; 

loc_A163FF:				; CODE XREF: sub_A15D28+6B0j
		mov	eax, [edi]
		mov	ebx, edx
		and	[ebp+var_38], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	short loc_A16442

loc_A16411:				; CODE XREF: sub_A15D28+715j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A163F8
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A164F2
		mov	ecx, [ebp+var_38]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_38], ecx
		cmp	ecx, [ebp+var_40]
		jb	short loc_A16411
		mov	edx, [ebp+var_34]

loc_A16442:				; CODE XREF: sub_A15D28+6E7j
		lea	eax, [ebx+4]
		cmp	eax, ebx
		jb	loc_A164ED
		mov	ecx, [ebp+var_8]
		xor	esi, esi
		mov	eax, [edi+4]
		add	ecx, 4
		add	ecx, ebx
		add	eax, edx
		cmp	ecx, eax
		ja	loc_A162AE
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_8]
		mov	[ebx], eax
		test	ecx, ecx
		jz	short loc_A1647E
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [ebx+4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_A1647E:				; CODE XREF: sub_A15D28+746j
		inc	dword ptr [edi]
		jmp	loc_A16388
; 

loc_A16485:				; CODE XREF: sub_A15D28+679j
		mov	eax, [edi]
		mov	ebx, edx
		and	[ebp+var_38], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	short loc_A164C4

loc_A16497:				; CODE XREF: sub_A15D28+797j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A164ED
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A164F2
		mov	ecx, [ebp+var_38]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_38], ecx
		cmp	ecx, [ebp+var_40]
		jb	short loc_A16497
		mov	edx, [ebp+var_34]

loc_A164C4:				; CODE XREF: sub_A15D28+76Dj
		lea	eax, [ebx+4]
		cmp	eax, ebx
		jb	short loc_A164ED
		mov	ecx, [edi+4]
		lea	eax, [ebx+8]
		add	ecx, edx
		xor	esi, esi
		cmp	eax, ecx
		ja	loc_A162AE
		mov	eax, [ebp+var_2C]
		mov	dword ptr [ebx], 4
		mov	[ebx+4], eax
		inc	dword ptr [edi]
		jmp	short loc_A164F2
; 

loc_A164ED:				; CODE XREF: sub_A15D28+571j
					; sub_A15D28+617j ...
		mov	esi, 0C0000095h

loc_A164F2:				; CODE XREF: sub_A15D28+3E7j
					; sub_A15D28+408j ...
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_A16504
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A16504:				; CODE XREF: sub_A15D28+B7j
					; sub_A15D28+CEj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A15D28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1650D	proc near		; CODE XREF: sub_785212+1B0Dp

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		xor	ebx, ebx
		mov	eax, edx
		mov	[ebp+var_40], eax
		mov	edx, ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_10], ebx
		push	esi
		push	edi
		test	eax, eax
		jnz	short loc_A16547

loc_A1653D:				; CODE XREF: sub_A1650D+3Dj
		mov	esi, 0C000000Dh
		jmp	loc_A16A4F
; 

loc_A16547:				; CODE XREF: sub_A1650D+2Ej
		cmp	[ebp+arg_4], ebx
		jz	short loc_A1653D
		mov	eax, [edx+8]
		mov	edi, ebx
		mov	ecx, 0C000000Dh
		test	eax, eax
		jnz	short loc_A16561

loc_A1655A:				; CODE XREF: sub_A1650D+57j
		mov	esi, ecx
		jmp	loc_A165E4
; 

loc_A16561:				; CODE XREF: sub_A1650D+4Bj
		cmp	dword ptr [edx], 3
		jbe	short loc_A1655A

loc_A16566:				; CODE XREF: sub_A1650D+8Bj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A16573
		xor	esi, esi
		jmp	short loc_A1657B
; 

loc_A16573:				; CODE XREF: sub_A1650D+60j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1657B:				; CODE XREF: sub_A1650D+64j
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	short loc_A165BF
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A165BF
		mov	eax, [ebp+var_4]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_A16566
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A165A7
		xor	esi, esi
		jmp	short loc_A165AF
; 

loc_A165A7:				; CODE XREF: sub_A1650D+94j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A165AF:				; CODE XREF: sub_A1650D+98j
		test	esi, esi
		js	short loc_A165BF
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A165C1
; 

loc_A165BF:				; CODE XREF: sub_A1650D+73j
					; sub_A1650D+82j ...
		mov	eax, edi

loc_A165C1:				; CODE XREF: sub_A1650D+B0j
		test	esi, esi
		js	short loc_A165DF
		cmp	eax, 8
		jz	short loc_A165D4
		mov	esi, 0C0000023h
		jmp	loc_A16A4F
; 

loc_A165D4:				; CODE XREF: sub_A1650D+BBj
		mov	eax, [edi]
		mov	[ebp+var_34], eax
		mov	eax, [edi+4]
		mov	[ebp+var_38], eax

loc_A165DF:				; CODE XREF: sub_A1650D+B6j
		mov	edx, [ebp+var_C]
		xor	ebx, ebx

loc_A165E4:				; CODE XREF: sub_A1650D+4Fj
		test	esi, esi
		js	loc_A16A4F
		mov	eax, [edx+8]
		xor	edi, edi
		and	[ebp+var_24], edi
		mov	ecx, ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_3C], ecx
		test	eax, eax
		jnz	short loc_A1660A

loc_A16600:				; CODE XREF: sub_A1650D+100j
		mov	esi, 0C000000Dh
		jmp	loc_A166DB
; 

loc_A1660A:				; CODE XREF: sub_A1650D+F1j
		cmp	dword ptr [edx], 4
		jbe	short loc_A16600
		and	[ebp+var_20], edi

loc_A16612:				; CODE XREF: sub_A1650D+145j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1661F
		xor	esi, esi
		jmp	short loc_A16627
; 

loc_A1661F:				; CODE XREF: sub_A1650D+10Cj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A16627:				; CODE XREF: sub_A1650D+110j
		mov	[ebp+var_8], ecx
		test	esi, esi
		js	loc_A166D8
		lea	eax, [ebp+var_8]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A166D8
		mov	edx, [ebp+var_20]
		mov	eax, [ebp+var_8]
		inc	edx
		mov	[ebp+var_20], edx
		cmp	edx, 4
		jb	short loc_A16612
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A16661
		xor	esi, esi
		jmp	short loc_A16669
; 

loc_A16661:				; CODE XREF: sub_A1650D+14Ej
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A16669:				; CODE XREF: sub_A1650D+152j
		test	esi, esi
		js	short loc_A166D8
		mov	ebx, edx
		mov	edi, edx
		neg	ebx
		sbb	ebx, ebx
		and	ebx, ecx
		test	esi, esi
		js	short loc_A166D8
		test	edi, edi
		jnz	short loc_A166A4

loc_A1667F:				; CODE XREF: sub_A1650D+19Dj
					; sub_A1650D+1AAj ...
		mov	esi, 0C000003Eh

loc_A16684:				; CODE XREF: sub_A1650D+1FCj
		test	esi, esi
		js	loc_A16A4F

loc_A1668C:				; CODE XREF: sub_A1650D+20Fj
		mov	ebx, [ebp+var_C]
		mov	eax, [ebx+8]
		test	eax, eax
		jnz	loc_A16721

loc_A1669A:				; CODE XREF: sub_A1650D+217j
					; sub_A1650D+293j ...
		mov	esi, 0C000000Dh
		jmp	loc_A16A3D
; 

loc_A166A4:				; CODE XREF: sub_A1650D+170j
		test	edi, 1
		jnz	short loc_A1667F
		mov	eax, edi
		xor	ecx, ecx
		shr	eax, 1
		cmp	cx, [ebx+eax*2-2]
		jnz	short loc_A1667F
		lea	eax, [ebp+var_24]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_StringCbLengthW@12 ; StringCbLengthW(x,x,x)
		test	eax, eax
		js	short loc_A1667F
		mov	ecx, [ebp+var_24]
		lea	eax, [ecx+2]
		cmp	eax, edi
		jnz	short loc_A1667F
		shr	ecx, 1
		jmp	short loc_A166DE
; 

loc_A166D8:				; CODE XREF: sub_A1650D+11Fj
					; sub_A1650D+132j ...
		mov	ecx, [ebp+var_3C]

loc_A166DB:				; CODE XREF: sub_A1650D+F8j
		mov	ebx, [ebp+var_4]

loc_A166DE:				; CODE XREF: sub_A1650D+1C9j
		test	esi, esi
		js	loc_A16A4F
		lea	edi, ds:2[ecx*2]
		test	edi, edi
		jz	short loc_A1667F
		push	20534C53h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A1670E
		mov	esi, 0C0000017h
		jmp	loc_A16684
; 

loc_A1670E:				; CODE XREF: sub_A1650D+1F5j
		push	edi		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_1C], esi
		jmp	loc_A1668C
; 

loc_A16721:				; CODE XREF: sub_A1650D+187j
		cmp	dword ptr [ebx], 5
		jbe	loc_A1669A
		xor	edi, edi

loc_A1672C:				; CODE XREF: sub_A1650D+259j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A16739
		xor	esi, esi
		jmp	short loc_A16741
; 

loc_A16739:				; CODE XREF: sub_A1650D+226j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A16741:				; CODE XREF: sub_A1650D+22Aj
		mov	[ebp+var_C], ecx
		test	esi, esi
		js	loc_A16A3D
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A16A3D
		mov	eax, [ebp+var_C]
		inc	edi
		cmp	edi, 5
		jb	short loc_A1672C
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A16775
		xor	esi, esi
		jmp	short loc_A1677D
; 

loc_A16775:				; CODE XREF: sub_A1650D+262j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1677D:				; CODE XREF: sub_A1650D+266j
		test	esi, esi
		js	loc_A16A3D
		mov	eax, edx
		mov	[ebp+var_28], edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_2C], eax
		test	esi, esi
		js	loc_A16A3D
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_A1669A
		cmp	dword ptr [ebx], 6
		jbe	loc_A1669A
		xor	edi, edi

loc_A167B1:				; CODE XREF: sub_A1650D+2D6j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A167BE
		xor	esi, esi
		jmp	short loc_A167C6
; 

loc_A167BE:				; CODE XREF: sub_A1650D+2ABj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A167C6:				; CODE XREF: sub_A1650D+2AFj
		mov	[ebp+var_C], ecx
		test	esi, esi
		js	short loc_A16808
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A16808
		mov	eax, [ebp+var_C]
		inc	edi
		cmp	edi, 6
		jb	short loc_A167B1
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A167F2
		xor	esi, esi
		jmp	short loc_A167FA
; 

loc_A167F2:				; CODE XREF: sub_A1650D+2DFj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A167FA:				; CODE XREF: sub_A1650D+2E3j
		test	esi, esi
		js	short loc_A16808
		mov	ebx, edx
		neg	edx
		sbb	edx, edx
		and	edx, ecx
		jmp	short loc_A1680D
; 

loc_A16808:				; CODE XREF: sub_A1650D+2BEj
					; sub_A1650D+2CDj ...
		mov	edx, [ebp+var_10]
		mov	ebx, edx

loc_A1680D:				; CODE XREF: sub_A1650D+2F9j
		test	esi, esi
		js	loc_A16A3D
		mov	eax, ds:dword_A93E98
		test	eax, eax
		jz	short loc_A1682F
		push	ebx
		push	edx
		push	[ebp+var_28]
		push	[ebp+var_2C]
		push	[ebp+var_1C]
		call	eax
		mov	edi, eax
		jmp	short loc_A16834
; 

loc_A1682F:				; CODE XREF: sub_A1650D+30Fj
		mov	edi, 0C00000BBh

loc_A16834:				; CODE XREF: sub_A1650D+320j
		mov	esi, edi
		test	edi, edi
		js	loc_A16A3D
		push	8
		pop	ecx
		mov	[ebp+var_2C], ecx
		lea	eax, [ebp+var_2C]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1685E
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_18], eax
		jmp	short loc_A16861
; 

loc_A1685E:				; CODE XREF: sub_A1650D+347j
		mov	eax, [ebp+var_18]

loc_A16861:				; CODE XREF: sub_A1650D+34Fj
		test	esi, esi
		js	loc_A16A3D
		push	8
		pop	esi
		xor	ebx, ebx
		mov	[ebp+var_30], esi
		lea	ecx, [ebp+var_30]
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A16A3D
		mov	eax, [ebp+var_30]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A1689C
		mov	esi, 0C0000095h
		jmp	short loc_A168A9
; 

loc_A1689C:				; CODE XREF: sub_A1650D+386j
		lea	ebx, [ecx+8]
		cmp	ebx, ecx
		jb	loc_A1692C
		xor	esi, esi

loc_A168A9:				; CODE XREF: sub_A1650D+38Dj
		test	esi, esi
		js	loc_A16A3D
		mov	ecx, [ebp+var_40]
		mov	edx, ebx
		push	4
		mov	eax, [ecx+10h]
		mov	[ebp+var_3C], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_4]
		pop	ecx
		push	eax
		mov	[ebp+var_4], ecx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A16A3D
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A168E9
		xor	esi, esi
		jmp	short loc_A168F1
; 

loc_A168E9:				; CODE XREF: sub_A1650D+3D6j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A168F1:				; CODE XREF: sub_A1650D+3DAj
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	loc_A16A3D
		mov	edx, [ebp+var_40]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A16A3D
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1692C
		mov	edx, [ebp+var_3C]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		jmp	short loc_A16931
; 

loc_A1692C:				; CODE XREF: sub_A1650D+394j
					; sub_A1650D+40Dj
		mov	esi, 0C0000095h

loc_A16931:				; CODE XREF: sub_A1650D+41Dj
		test	esi, esi
		js	loc_A16A3D
		mov	esi, [ebp+arg_4]
		mov	eax, [ebp+var_18]
		lea	ebx, [esi+4]
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_A16952
		mov	esi, 0C000003Eh
		jmp	loc_A16A3D
; 

loc_A16952:				; CODE XREF: sub_A1650D+439j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A1696F
		mov	esi, 0C0000017h
		jmp	loc_A16A3D
; 

loc_A1696F:				; CODE XREF: sub_A1650D+456j
		mov	[esi+8], edx
		and	dword ptr [esi], 0
		or	edi, 10000000h
		lea	esi, [edx+4]
		cmp	esi, edx
		jb	loc_A16A38
		mov	ecx, [ebx]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		jbe	short loc_A1699B

loc_A16991:				; CODE XREF: sub_A1650D+50Dj
		mov	esi, 0C0000023h
		jmp	loc_A16A3D
; 

loc_A1699B:				; CODE XREF: sub_A1650D+482j
		mov	dword ptr [edx], 4
		mov	[esi], edi
		mov	edi, [ebp+arg_4]
		inc	dword ptr [edi]
		mov	ecx, [edi]
		mov	[ebp+var_40], ecx
		mov	eax, [edi+8]
		mov	[ebp+var_3C], eax
		test	eax, eax
		jnz	short loc_A169CE
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A16A3D
		inc	dword ptr [edi]
		xor	esi, esi
		jmp	short loc_A16A3D
; 

loc_A169CE:				; CODE XREF: sub_A1650D+4A8j
		and	[ebp+var_2C], 0
		mov	edi, eax
		mov	[ebp+var_18], edi
		test	ecx, ecx
		jz	short loc_A16A08

loc_A169DB:				; CODE XREF: sub_A1650D+4F6j
		mov	edx, [edi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A16A38
		lea	eax, [ebp+var_18]
		mov	ecx, edi
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A16A3D
		mov	ecx, [ebp+var_2C]
		mov	edi, [ebp+var_18]
		inc	ecx
		mov	[ebp+var_2C], ecx
		cmp	ecx, [ebp+var_40]
		jb	short loc_A169DB
		mov	eax, [ebp+var_3C]

loc_A16A08:				; CODE XREF: sub_A1650D+4CCj
		lea	edx, [edi+4]
		cmp	edx, edi
		jb	short loc_A16A38
		mov	ecx, [ebx]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [edi+0Ch]
		cmp	eax, ecx
		ja	loc_A16991
		mov	eax, [ebp+var_34]
		mov	dword ptr [edi], 8
		mov	[edx], eax
		mov	eax, [ebp+var_38]
		mov	[edx+4], eax
		mov	eax, [ebp+arg_4]
		inc	dword ptr [eax]
		jmp	short loc_A16A3D
; 

loc_A16A38:				; CODE XREF: sub_A1650D+473j
					; sub_A1650D+4D6j ...
		mov	esi, 0C0000095h

loc_A16A3D:				; CODE XREF: sub_A1650D+192j
					; sub_A1650D+239j ...
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_A16A4F
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A16A4F:				; CODE XREF: sub_A1650D+35j
					; sub_A1650D+C2j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A1650D	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A16A58	proc near		; CODE XREF: sub_785212+1A46p

Source2		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		xor	edx, edx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_2C], edx
		mov	[ebp+var_30], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_4], edx
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jnz	short loc_A16A82

loc_A16A78:				; CODE XREF: sub_A16A58+1A7j
		mov	esi, 0C000000Dh
		jmp	loc_A16F73
; 

loc_A16A82:				; CODE XREF: sub_A16A58+1Ej
		mov	ebx, [ebp+arg_4]
		mov	esi, 0C000000Dh
		test	ebx, ebx
		jz	loc_A16F73
		mov	eax, [ecx+8]
		mov	edi, edx
		test	eax, eax
		jz	loc_A16B2F
		cmp	dword ptr [ecx], 3
		jbe	loc_A16B2F
		mov	[ebp+var_14], edx

loc_A16AAB:				; CODE XREF: sub_A16A58+8Bj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A16AB8
		xor	esi, esi
		jmp	short loc_A16AC0
; 

loc_A16AB8:				; CODE XREF: sub_A16A58+5Aj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A16AC0:				; CODE XREF: sub_A16A58+5Ej
		mov	[ebp+arg_4], ecx
		test	esi, esi
		js	short loc_A16B0A
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A16B0A
		mov	edx, [ebp+var_14]
		mov	eax, [ebp+arg_4]
		inc	edx
		mov	[ebp+var_14], edx
		cmp	edx, 3
		jb	short loc_A16AAB
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A16AF2
		xor	esi, esi
		jmp	short loc_A16AFA
; 

loc_A16AF2:				; CODE XREF: sub_A16A58+94j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A16AFA:				; CODE XREF: sub_A16A58+98j
		test	esi, esi
		js	short loc_A16B0A
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A16B0C
; 

loc_A16B0A:				; CODE XREF: sub_A16A58+6Dj
					; sub_A16A58+7Cj ...
		mov	eax, edi

loc_A16B0C:				; CODE XREF: sub_A16A58+B0j
		test	esi, esi
		js	short loc_A16B2A
		cmp	eax, 8
		jz	short loc_A16B1F

loc_A16B15:				; CODE XREF: sub_A16A58+475j
					; sub_A16A58+501j
		mov	esi, 0C0000023h
		jmp	loc_A16F73
; 

loc_A16B1F:				; CODE XREF: sub_A16A58+BBj
		mov	eax, [edi]
		mov	[ebp+var_2C], eax
		mov	eax, [edi+4]
		mov	[ebp+var_30], eax

loc_A16B2A:				; CODE XREF: sub_A16A58+B6j
		mov	ecx, [ebp+var_8]
		xor	edx, edx

loc_A16B2F:				; CODE XREF: sub_A16A58+41j
					; sub_A16A58+4Aj
		test	esi, esi
		js	loc_A16F73
		mov	eax, [ecx+8]
		mov	edi, edx
		mov	[ebp+var_10], edx
		test	eax, eax
		jnz	short loc_A16B4D

loc_A16B43:				; CODE XREF: sub_A16A58+F8j
		mov	esi, 0C000000Dh
		jmp	loc_A16BD8
; 

loc_A16B4D:				; CODE XREF: sub_A16A58+E9j
		cmp	dword ptr [ecx], 4
		jbe	short loc_A16B43
		mov	[ebp+var_14], edx

loc_A16B55:				; CODE XREF: sub_A16A58+135j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A16B62
		xor	esi, esi
		jmp	short loc_A16B6A
; 

loc_A16B62:				; CODE XREF: sub_A16A58+104j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A16B6A:				; CODE XREF: sub_A16A58+108j
		mov	[ebp+arg_4], ecx
		test	esi, esi
		js	short loc_A16BB4
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A16BB4
		mov	edx, [ebp+var_14]
		mov	eax, [ebp+arg_4]
		inc	edx
		mov	[ebp+var_14], edx
		cmp	edx, 4
		jb	short loc_A16B55
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A16B9C
		xor	esi, esi
		jmp	short loc_A16BA4
; 

loc_A16B9C:				; CODE XREF: sub_A16A58+13Ej
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A16BA4:				; CODE XREF: sub_A16A58+142j
		test	esi, esi
		js	short loc_A16BB4
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A16BB7
; 

loc_A16BB4:				; CODE XREF: sub_A16A58+117j
					; sub_A16A58+126j ...
		mov	eax, [ebp+var_10]

loc_A16BB7:				; CODE XREF: sub_A16A58+15Aj
		test	esi, esi
		js	short loc_A16BD6
		cmp	eax, 8
		jz	short loc_A16BCA

loc_A16BC0:				; CODE XREF: sub_A16A58+438j
		mov	esi, 0C000003Eh
		jmp	loc_A16F73
; 

loc_A16BCA:				; CODE XREF: sub_A16A58+166j
		mov	eax, [edi+4]
		xor	edx, edx
		mov	ecx, [edi]
		mov	[ebp+var_3C], eax
		jmp	short loc_A16BDB
; 

loc_A16BD6:				; CODE XREF: sub_A16A58+161j
		xor	edx, edx

loc_A16BD8:				; CODE XREF: sub_A16A58+F0j
		mov	ecx, [ebp+var_C]

loc_A16BDB:				; CODE XREF: sub_A16A58+17Cj
		test	esi, esi
		js	loc_A16F73
		mov	[ebp+var_10], edx
		mov	edi, edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_24], edx
		mov	[ebp+var_28], edx
		mov	[ebp+Source2], edx
		mov	[ebp+var_3C], edx
		test	ecx, ecx
		jz	loc_A16A78
		mov	eax, ds:_IoFileObjectType
		push	edx
		mov	[ebp+arg_4], edx
		lea	edx, [ebp+arg_4]
		push	edx
		push	1
		push	eax
		push	0
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_4], eax
		test	esi, esi
		js	loc_A16E1D
		push	20534C53h
		push	1Fh
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_14], edi
		test	edi, edi
		jnz	short loc_A16C4E
		mov	esi, 0C0000017h
		jmp	loc_A16E1A
; 

loc_A16C4E:				; CODE XREF: sub_A16A58+1EAj
		xor	ecx, ecx
		xor	eax, eax
		mov	[edi+5], ecx
		mov	[edi+9], ecx
		mov	[edi+0Dh], ecx
		mov	[edi+11h], ecx
		mov	[edi+15h], ecx
		mov	[edi+19h], ecx
		mov	[edi+1Dh], ax
		mov	[edi], ecx
		push	6
		mov	byte ptr [edi+4], 19h
		add	edi, 5
		mov	esi, ds:off_A42124
		pop	ecx
		rep movsd
		push	20534C53h
		push	3Ah
		push	1
		movsb
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_10], esi
		test	esi, esi
		jnz	short loc_A16C9E
		mov	esi, 0C0000017h
		jmp	loc_A16E17
; 

loc_A16C9E:				; CODE XREF: sub_A16A58+23Aj
		push	3Ah		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edi, [ebp+var_14]
		lea	eax, [ebp+var_C]
		add	esp, 0Ch
		push	eax
		push	1
		push	0
		push	1Fh
		push	edi
		push	1
		push	3Ah
		push	esi
		push	[ebp+arg_4]
		call	FsRtlQueryKernelEaFile
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	short loc_A16CDB
		and	[ebp+var_4], 0

loc_A16CD4:				; CODE XREF: sub_A16A58+2C7j
		xor	esi, esi
		jmp	loc_A16E1A
; 

loc_A16CDB:				; CODE XREF: sub_A16A58+276j
		test	esi, esi
		js	loc_A16E1A
		mov	ecx, [ebp+var_10]
		movzx	eax, byte ptr [ecx+5]
		lea	edx, [ecx+9]
		add	edx, eax
		movzx	eax, word ptr [ecx+6]
		movzx	ecx, ax
		mov	[ebp+var_8], eax
		add	ecx, edx
		mov	eax, [ebp+var_C]
		add	eax, [ebp+var_10]
		mov	[ebp+var_18], edx
		cmp	ecx, eax
		jbe	short loc_A16D12

loc_A16D08:				; CODE XREF: sub_A16A58+2CDj
					; sub_A16A58+2E1j
		mov	esi, 0C000003Eh
		jmp	loc_A16E1A
; 

loc_A16D12:				; CODE XREF: sub_A16A58+2AEj
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		cmp	cx, ax
		jnz	short loc_A16D21
		and	[ebp+var_4], ecx
		jmp	short loc_A16CD4
; 

loc_A16D21:				; CODE XREF: sub_A16A58+2C2j
		cmp	ax, 18h
		jnz	short loc_A16D08
		push	8		; Length
		lea	eax, [ebp+Source2]
		push	eax		; Source2
		lea	eax, [edx+10h]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 8
		jnz	short loc_A16D08
		and	[ebp+var_8], 0
		push	20534C53h
		push	248h
		push	1
		mov	[ebp+var_4], 2
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A16E17
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	248h		; int
		push	edi		; void *
		push	0		; size_t
		push	0		; void *
		push	900F4h		; int
		push	[ebp+arg_4]	; int
		call	FsRtlKernelFsControlFile
		mov	[ebp+var_C], eax
		test	eax, eax
		js	short loc_A16DDD
		cmp	[ebp+var_8], 40h
		jnb	short loc_A16D92

loc_A16D89:				; CODE XREF: sub_A16A58+36Bj
		mov	[ebp+var_C], 0C000003Eh
		jmp	short loc_A16DDD
; 

loc_A16D92:				; CODE XREF: sub_A16A58+32Fj
		mov	eax, [edi]
		mov	[ebp+var_34], eax
		mov	eax, [edi+4]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	248h		; int
		push	edi		; void *
		push	0		; size_t
		push	0		; void *
		push	900EBh		; int
		push	[ebp+arg_4]	; int
		call	FsRtlKernelFsControlFile
		mov	[ebp+var_C], eax
		test	eax, eax
		js	short loc_A16DDD
		cmp	[ebp+var_8], 40h
		jb	short loc_A16D89
		mov	eax, [edi+18h]
		mov	[ebp+var_24], eax
		mov	eax, [edi+1Ch]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_34]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_38]
		mov	[ebp+var_20], eax

loc_A16DDD:				; CODE XREF: sub_A16A58+329j
					; sub_A16A58+338j ...
		push	20534C53h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+var_C], 0
		jl	short loc_A16E17
		mov	eax, [ebp+var_18]
		mov	ecx, [ebp+var_1C]
		cmp	ecx, [eax]
		jnz	short loc_A16E17
		mov	ecx, [ebp+var_20]
		cmp	ecx, [eax+4]
		jnz	short loc_A16E17
		mov	ecx, [ebp+var_24]
		cmp	ecx, [eax+8]
		jnz	short loc_A16E17
		mov	ecx, [ebp+var_28]
		cmp	ecx, [eax+0Ch]
		jnz	short loc_A16E17
		mov	[ebp+var_4], 3

loc_A16E17:				; CODE XREF: sub_A16A58+241j
					; sub_A16A58+303j ...
		mov	edi, [ebp+var_14]

loc_A16E1A:				; CODE XREF: sub_A16A58+1F1j
					; sub_A16A58+27Ej ...
		mov	eax, [ebp+arg_4]

loc_A16E1D:				; CODE XREF: sub_A16A58+1CFj
		test	eax, eax
		jz	short loc_A16E28
		mov	ecx, eax
		call	ObfDereferenceObject

loc_A16E28:				; CODE XREF: sub_A16A58+3C7j
		test	edi, edi
		jz	short loc_A16E37
		push	20534C53h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A16E37:				; CODE XREF: sub_A16A58+3D2j
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_A16E49
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A16E49:				; CODE XREF: sub_A16A58+3E4j
		test	esi, esi
		js	loc_A16F73
		and	[ebp+arg_4], 0
		lea	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A16F73
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+arg_4]
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A16F73
		mov	eax, [ebp+arg_4]
		lea	esi, [ebx+4]
		mov	[esi], eax
		test	eax, eax
		jz	loc_A16BC0
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A16EB3
		mov	esi, 0C0000017h
		jmp	loc_A16F73
; 

loc_A16EB3:				; CODE XREF: sub_A16A58+44Fj
		mov	[ebx+8], edx
		and	dword ptr [ebx], 0
		lea	edi, [edx+4]
		cmp	edi, edx
		jb	loc_A16F6E
		mov	ecx, [esi]
		lea	eax, [edx+0Ch]
		add	ecx, edx
		cmp	eax, ecx
		ja	loc_A16B15
		mov	eax, [ebp+var_2C]
		mov	dword ptr [edx], 8
		mov	[edi], eax
		mov	eax, [ebp+var_30]
		mov	[edi+4], eax
		inc	dword ptr [ebx]
		mov	ecx, [ebx]
		mov	[ebp+var_38], ecx
		mov	eax, [ebx+8]
		mov	[ebp+var_34], eax
		test	eax, eax
		jnz	short loc_A16F0C
		mov	ecx, [esi]
		push	esi
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A16F73
		inc	dword ptr [ebx]
		xor	esi, esi
		jmp	short loc_A16F73
; 

loc_A16F0C:				; CODE XREF: sub_A16A58+49Bj
		and	[ebp+var_30], 0
		mov	edi, eax
		mov	[ebp+arg_4], edi
		test	ecx, ecx
		jz	short loc_A16F46

loc_A16F19:				; CODE XREF: sub_A16A58+4E9j
		mov	edx, [edi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A16F6E
		lea	eax, [ebp+arg_4]
		mov	ecx, edi
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A16F73
		mov	ecx, [ebp+var_30]
		mov	edi, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_30], ecx
		cmp	ecx, [ebp+var_38]
		jb	short loc_A16F19
		mov	eax, [ebp+var_34]

loc_A16F46:				; CODE XREF: sub_A16A58+4BFj
		lea	edx, [edi+4]
		cmp	edx, edi
		jb	short loc_A16F6E
		mov	ecx, [ebx+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [edi+8]
		cmp	eax, ecx
		ja	loc_A16B15
		mov	eax, [ebp+var_4]
		mov	dword ptr [edi], 4
		mov	[edx], eax
		inc	dword ptr [ebx]
		jmp	short loc_A16F73
; 

loc_A16F6E:				; CODE XREF: sub_A16A58+466j
					; sub_A16A58+4C9j ...
		mov	esi, 0C0000095h

loc_A16F73:				; CODE XREF: sub_A16A58+25j
					; sub_A16A58+34j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A16A58	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A16F7C	proc near		; CODE XREF: sub_785212+156Cp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		xor	eax, eax
		mov	[ebp+var_4], ecx
		and	[ebp+var_C], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jnz	short loc_A16FA9

loc_A16F9F:				; CODE XREF: sub_A16F7C+32j
					; sub_A16F7C+210j ...
		mov	esi, 0C000000Dh
		jmp	loc_A175D2
; 

loc_A16FA9:				; CODE XREF: sub_A16F7C+21j
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_A16F9F
		and	[ebp+var_10], eax
		xor	edi, edi
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	short loc_A16FC6

loc_A16FBC:				; CODE XREF: sub_A16F7C+4Dj
		mov	esi, 0C000000Dh
		jmp	loc_A1704B
; 

loc_A16FC6:				; CODE XREF: sub_A16F7C+3Ej
		cmp	dword ptr [ecx], 3
		jbe	short loc_A16FBC
		and	[ebp+var_14], edi

loc_A16FCE:				; CODE XREF: sub_A16F7C+8Aj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A16FDB
		xor	esi, esi
		jmp	short loc_A16FE3
; 

loc_A16FDB:				; CODE XREF: sub_A16F7C+59j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A16FE3:				; CODE XREF: sub_A16F7C+5Dj
		mov	[ebp+arg_4], ecx
		test	esi, esi
		js	short loc_A1702D
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1702D
		mov	edx, [ebp+var_14]
		mov	eax, [ebp+arg_4]
		inc	edx
		mov	[ebp+var_14], edx
		cmp	edx, 3
		jb	short loc_A16FCE
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17015
		xor	esi, esi
		jmp	short loc_A1701D
; 

loc_A17015:				; CODE XREF: sub_A16F7C+93j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1701D:				; CODE XREF: sub_A16F7C+97j
		test	esi, esi
		js	short loc_A1702D
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A17030
; 

loc_A1702D:				; CODE XREF: sub_A16F7C+6Cj
					; sub_A16F7C+7Bj ...
		mov	eax, [ebp+var_10]

loc_A17030:				; CODE XREF: sub_A16F7C+AFj
		test	esi, esi
		js	short loc_A17048
		cmp	eax, 8
		jnz	loc_A17585
		mov	eax, [edi]
		mov	[ebp+var_1C], eax
		mov	eax, [edi+4]
		mov	[ebp+var_14], eax

loc_A17048:				; CODE XREF: sub_A16F7C+B6j
		mov	ecx, [ebp+var_4]

loc_A1704B:				; CODE XREF: sub_A16F7C+45j
		test	esi, esi
		js	loc_A175D2
		mov	eax, [ecx+8]
		xor	edi, edi
		and	[ebp+var_10], edi
		test	eax, eax
		jnz	short loc_A17066

loc_A1705F:				; CODE XREF: sub_A16F7C+EDj
		mov	esi, 0C000000Dh
		jmp	short loc_A170E5
; 

loc_A17066:				; CODE XREF: sub_A16F7C+E1j
		cmp	dword ptr [ecx], 4
		jbe	short loc_A1705F
		and	[ebp+var_14], edi

loc_A1706E:				; CODE XREF: sub_A16F7C+12Aj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1707B
		xor	esi, esi
		jmp	short loc_A17083
; 

loc_A1707B:				; CODE XREF: sub_A16F7C+F9j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17083:				; CODE XREF: sub_A16F7C+FDj
		mov	[ebp+arg_4], ecx
		test	esi, esi
		js	short loc_A170CD
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A170CD
		mov	edx, [ebp+var_14]
		mov	eax, [ebp+arg_4]
		inc	edx
		mov	[ebp+var_14], edx
		cmp	edx, 4
		jb	short loc_A1706E
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A170B5
		xor	esi, esi
		jmp	short loc_A170BD
; 

loc_A170B5:				; CODE XREF: sub_A16F7C+133j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A170BD:				; CODE XREF: sub_A16F7C+137j
		test	esi, esi
		js	short loc_A170CD
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A170D0
; 

loc_A170CD:				; CODE XREF: sub_A16F7C+10Cj
					; sub_A16F7C+11Bj ...
		mov	eax, [ebp+var_10]

loc_A170D0:				; CODE XREF: sub_A16F7C+14Fj
		test	esi, esi
		js	short loc_A170E2
		cmp	eax, 4
		jnz	loc_A17562
		mov	eax, [edi]
		mov	[ebp+var_20], eax

loc_A170E2:				; CODE XREF: sub_A16F7C+156j
		mov	ecx, [ebp+var_4]

loc_A170E5:				; CODE XREF: sub_A16F7C+E8j
		test	esi, esi
		js	loc_A175D2
		mov	eax, [ecx+8]
		xor	edi, edi
		and	[ebp+var_10], edi
		test	eax, eax
		jnz	short loc_A17100

loc_A170F9:				; CODE XREF: sub_A16F7C+187j
		mov	esi, 0C000000Dh
		jmp	short loc_A1717F
; 

loc_A17100:				; CODE XREF: sub_A16F7C+17Bj
		cmp	dword ptr [ecx], 5
		jbe	short loc_A170F9
		and	[ebp+var_14], edi

loc_A17108:				; CODE XREF: sub_A16F7C+1C4j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17115
		xor	esi, esi
		jmp	short loc_A1711D
; 

loc_A17115:				; CODE XREF: sub_A16F7C+193j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1711D:				; CODE XREF: sub_A16F7C+197j
		mov	[ebp+arg_4], ecx
		test	esi, esi
		js	short loc_A17167
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A17167
		mov	edx, [ebp+var_14]
		mov	eax, [ebp+arg_4]
		inc	edx
		mov	[ebp+var_14], edx
		cmp	edx, 5
		jb	short loc_A17108
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1714F
		xor	esi, esi
		jmp	short loc_A17157
; 

loc_A1714F:				; CODE XREF: sub_A16F7C+1CDj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17157:				; CODE XREF: sub_A16F7C+1D1j
		test	esi, esi
		js	short loc_A17167
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A1716A
; 

loc_A17167:				; CODE XREF: sub_A16F7C+1A6j
					; sub_A16F7C+1B5j ...
		mov	eax, [ebp+var_10]

loc_A1716A:				; CODE XREF: sub_A16F7C+1E9j
		test	esi, esi
		js	short loc_A1717C
		cmp	eax, 4
		jnz	loc_A17562
		mov	eax, [edi]
		mov	[ebp+var_24], eax

loc_A1717C:				; CODE XREF: sub_A16F7C+1F0j
		mov	ecx, [ebp+var_4]

loc_A1717F:				; CODE XREF: sub_A16F7C+182j
		test	esi, esi
		js	loc_A175D2
		mov	eax, [ecx+8]
		test	eax, eax
		jz	loc_A16F9F
		cmp	dword ptr [ecx], 6
		jbe	loc_A16F9F
		xor	edi, edi

loc_A1719D:				; CODE XREF: sub_A16F7C+253j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A171AA
		xor	esi, esi
		jmp	short loc_A171B2
; 

loc_A171AA:				; CODE XREF: sub_A16F7C+228j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A171B2:				; CODE XREF: sub_A16F7C+22Cj
		mov	[ebp+arg_4], ecx
		test	esi, esi
		js	short loc_A171F7
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A171F7
		mov	eax, [ebp+arg_4]
		inc	edi
		cmp	edi, 6
		jb	short loc_A1719D
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A171DE
		xor	esi, esi
		jmp	short loc_A171E6
; 

loc_A171DE:				; CODE XREF: sub_A16F7C+25Cj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A171E6:				; CODE XREF: sub_A16F7C+260j
		test	esi, esi
		js	short loc_A171F7
		mov	eax, edx
		neg	edx
		sbb	edx, edx
		and	edx, ecx
		mov	[ebp+var_8], edx
		jmp	short loc_A171FD
; 

loc_A171F7:				; CODE XREF: sub_A16F7C+23Bj
					; sub_A16F7C+24Aj ...
		mov	edx, [ebp+var_8]
		mov	eax, [ebp+var_C]

loc_A171FD:				; CODE XREF: sub_A16F7C+279j
		test	esi, esi
		js	loc_A175D2
		cmp	eax, 10h
		jnz	loc_A16F9F
		mov	ecx, [ebp+var_1C]
		lea	edi, [ebp+var_38]
		xor	eax, eax
		xor	esi, esi
		stosd
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], esi
		stosd
		stosd
		stosd
		test	ecx, ecx
		jz	loc_A16F9F
		test	edx, edx
		jz	loc_A16F9F
		mov	eax, ds:_IoFileObjectType
		lea	edx, [ebp+arg_4]
		push	esi
		push	edx
		push	1
		push	eax
		push	esi
		push	ecx
		mov	[ebp+arg_4], esi
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A174AE
		push	20534C53h
		push	248h
		xor	esi, esi
		push	1
		mov	[ebp+var_10], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A17279

loc_A1726F:				; CODE XREF: sub_A16F7C+421j
					; sub_A16F7C+4DDj
		mov	esi, 0C0000017h
		jmp	loc_A174AE
; 

loc_A17279:				; CODE XREF: sub_A16F7C+2F1j
		lea	eax, [ebp+var_10]
		push	eax		; int
		push	248h		; int
		push	edi		; void *
		push	esi		; size_t
		push	esi		; void *
		push	900F4h		; int
		push	[ebp+arg_4]	; int
		call	FsRtlKernelFsControlFile
		mov	esi, eax
		test	esi, esi
		js	short loc_A172EF
		cmp	[ebp+var_10], 40h
		jnb	short loc_A172A5

loc_A1729E:				; CODE XREF: sub_A16F7C+359j
		mov	esi, 0C000003Eh
		jmp	short loc_A172EF
; 

loc_A172A5:				; CODE XREF: sub_A16F7C+320j
		mov	eax, [edi]
		mov	[ebp+var_1C], eax
		mov	eax, [edi+4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_10]
		push	eax		; int
		push	248h		; int
		push	edi		; void *
		push	0		; size_t
		push	0		; void *
		push	900EBh		; int
		push	[ebp+arg_4]	; int
		call	FsRtlKernelFsControlFile
		mov	esi, eax
		test	esi, esi
		js	short loc_A172EF
		cmp	[ebp+var_10], 40h
		jb	short loc_A1729E
		mov	edx, [ebp+var_1C]
		mov	eax, [edi+18h]
		mov	ecx, [edi+1Ch]
		mov	[ebp+var_38], edx
		mov	edx, [ebp+var_14]
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], ecx

loc_A172EF:				; CODE XREF: sub_A16F7C+31Aj
					; sub_A16F7C+327j ...
		push	20534C53h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	loc_A174AE
		mov	edx, [ebp+var_8]
		mov	eax, [ebp+var_38]
		cmp	eax, [edx]
		jnz	loc_A174A9
		mov	eax, [ebp+var_34]
		cmp	eax, [edx+4]
		jnz	loc_A174A9
		mov	eax, [ebp+var_30]
		cmp	eax, [edx+8]
		jnz	loc_A174A9
		mov	eax, [ebp+var_2C]
		cmp	eax, [edx+0Ch]
		jnz	loc_A174A9
		cmp	[ebp+var_20], 0
		push	18h
		pop	edi
		jnz	loc_A17431
		lea	eax, [ebp+var_C]
		xor	esi, esi
		push	eax
		push	esi
		push	ds:_IoFileObjectType
		push	edi
		push	esi
		push	200h
		push	[ebp+arg_4]
		call	ObOpenObjectByPointer
		test	eax, eax
		js	short loc_A17385
		push	[ebp+var_C]
		lea	eax, [ebp+var_C]
		push	1
		push	eax
		mov	eax, [ebp+var_24]
		add	eax, 0FFFFFFFEh
		cmp	eax, 1
		setnbe	al
		dec	al
		and	al, 6
		movzx	eax, al
		push	eax
		push	2
		call	_ZwSetCachedSigningLevel@20 ; ZwSetCachedSigningLevel(x,x,x,x,x)

loc_A17385:				; CODE XREF: sub_A16F7C+3E3j
		push	20534C53h
		push	248h
		push	1
		mov	[ebp+var_10], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A1726F
		lea	eax, [ebp+var_10]
		push	eax		; int
		push	248h		; int
		push	edi		; void *
		push	esi		; size_t
		push	esi		; void *
		push	900F4h		; int
		push	[ebp+arg_4]	; int
		call	FsRtlKernelFsControlFile
		mov	esi, eax
		test	esi, esi
		js	short loc_A17419
		cmp	[ebp+var_10], 40h
		jnb	short loc_A173CF

loc_A173C8:				; CODE XREF: sub_A16F7C+483j
		mov	esi, 0C000003Eh
		jmp	short loc_A17419
; 

loc_A173CF:				; CODE XREF: sub_A16F7C+44Aj
		mov	eax, [edi]
		mov	[ebp+var_24], eax
		mov	eax, [edi+4]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_10]
		push	eax		; int
		push	248h		; int
		push	edi		; void *
		push	0		; size_t
		push	0		; void *
		push	900EBh		; int
		push	[ebp+arg_4]	; int
		call	FsRtlKernelFsControlFile
		mov	esi, eax
		test	esi, esi
		js	short loc_A17419
		cmp	[ebp+var_10], 40h
		jb	short loc_A173C8
		mov	edx, [ebp+var_24]
		mov	eax, [edi+18h]
		mov	ecx, [edi+1Ch]
		mov	[ebp+var_38], edx
		mov	edx, [ebp+var_20]
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], ecx

loc_A17419:				; CODE XREF: sub_A16F7C+444j
					; sub_A16F7C+451j ...
		push	20534C53h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	loc_A174AE
		push	18h
		pop	edi
		jmp	short loc_A17444
; 

loc_A17431:				; CODE XREF: sub_A16F7C+3BFj
		or	[ebp+var_38], 0FFFFFFFFh
		or	[ebp+var_34], 0FFFFFFFFh
		or	[ebp+var_30], 0FFFFFFFFh
		mov	[ebp+var_2C], 7FFFFFFFh

loc_A17444:				; CODE XREF: sub_A16F7C+4B3j
		push	20534C53h
		push	3Ah
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		jz	loc_A1726F
		push	3Ah		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	[esi+6], di
		add	esp, 0Ch
		mov	byte ptr [esi+5], 19h
		lea	edi, [esi+8]
		mov	esi, ds:off_A42124
		push	6
		pop	ecx
		rep movsd
		mov	ecx, [ebp+var_24]
		movsb
		lea	esi, [ebp+var_38]
		lea	edi, [ecx+22h]
		movsd
		movsd
		movsd
		movsd
		and	dword ptr [ecx+32h], 0
		and	dword ptr [ecx+36h], 0
		mov	edi, ecx
		push	3Ah
		push	ecx
		push	[ebp+arg_4]
		call	FsRtlSetKernelEaFile
		mov	esi, eax
		jmp	short loc_A174B1
; 

loc_A174A9:				; CODE XREF: sub_A16F7C+38Ej
					; sub_A16F7C+39Aj ...
		mov	esi, 0C000003Eh

loc_A174AE:				; CODE XREF: sub_A16F7C+2D1j
					; sub_A16F7C+2F8j ...
		mov	edi, [ebp+var_4]

loc_A174B1:				; CODE XREF: sub_A16F7C+52Bj
		cmp	[ebp+var_C], 0
		jz	short loc_A174BF
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_A174BF:				; CODE XREF: sub_A16F7C+539j
		cmp	[ebp+arg_4], 0
		jz	short loc_A174CD
		mov	ecx, [ebp+arg_4]
		call	ObfDereferenceObject

loc_A174CD:				; CODE XREF: sub_A16F7C+547j
		test	edi, edi
		jz	short loc_A174DC
		push	20534C53h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A174DC:				; CODE XREF: sub_A16F7C+553j
		test	esi, esi
		js	loc_A175D2
		mov	eax, [ebx+8]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_A1750A
		lea	ecx, [ebx+4]
		push	ecx
		mov	ecx, [ecx]
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A175D2
		inc	dword ptr [ebx]
		jmp	short loc_A1757E
; 

loc_A1750A:				; CODE XREF: sub_A16F7C+570j
		mov	ecx, [ebx]
		mov	edi, eax
		and	[ebp+var_24], 0
		mov	[ebp+arg_4], edi
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	short loc_A1754D

loc_A1751C:				; CODE XREF: sub_A16F7C+5CCj
		mov	edx, [edi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A17569
		lea	eax, [ebp+arg_4]
		mov	ecx, edi
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A175D2
		mov	ecx, [ebp+var_24]
		mov	edi, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_24], ecx
		cmp	ecx, [ebp+var_20]
		jb	short loc_A1751C
		mov	eax, [ebp+var_1C]

loc_A1754D:				; CODE XREF: sub_A16F7C+59Ej
		lea	edx, [edi+4]
		cmp	edx, edi
		jb	short loc_A175CD
		mov	ecx, [ebx+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [edi+8]
		cmp	eax, ecx
		jbe	short loc_A17570

loc_A17562:				; CODE XREF: sub_A16F7C+15Bj
					; sub_A16F7C+1F5j ...
		mov	esi, 0C0000023h
		jmp	short loc_A175D2
; 

loc_A17569:				; CODE XREF: sub_A16F7C+5A8j
		mov	esi, 0C0000095h
		jmp	short loc_A1757A
; 

loc_A17570:				; CODE XREF: sub_A16F7C+5E4j
		mov	dword ptr [edi], 4
		and	[edx], esi
		inc	dword ptr [ebx]

loc_A1757A:				; CODE XREF: sub_A16F7C+5F2j
		test	esi, esi
		js	short loc_A175D2

loc_A1757E:				; CODE XREF: sub_A16F7C+58Cj
		mov	eax, [ebx+4]
		test	eax, eax
		jnz	short loc_A1758C

loc_A17585:				; CODE XREF: sub_A16F7C+BBj
		mov	esi, 0C000003Eh
		jmp	short loc_A175D2
; 

loc_A1758C:				; CODE XREF: sub_A16F7C+607j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A175A6
		mov	esi, 0C0000017h
		jmp	short loc_A175D2
; 

loc_A175A6:				; CODE XREF: sub_A16F7C+621j
		mov	[ebx+8], edx
		and	dword ptr [ebx], 0
		lea	edi, [edx+4]
		cmp	edi, edx
		jb	short loc_A175CD
		mov	ecx, [ebx+4]
		lea	eax, [edx+8]
		add	ecx, edx
		xor	esi, esi
		cmp	eax, ecx
		ja	short loc_A17562
		mov	dword ptr [edx], 4
		and	[edi], esi
		inc	dword ptr [ebx]
		jmp	short loc_A175D2
; 

loc_A175CD:				; CODE XREF: sub_A16F7C+5D6j
					; sub_A16F7C+635j
		mov	esi, 0C0000095h

loc_A175D2:				; CODE XREF: sub_A16F7C+28j
					; sub_A16F7C+D1j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A16F7C	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A175DB	proc near		; CODE XREF: sub_785212+149Fp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		and	[ebp+var_1C], 0
		xor	eax, eax
		and	[ebp+var_20], 0
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0
		mov	[ebp+var_4], ecx
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		stosd
		test	ecx, ecx
		jnz	short loc_A17610

loc_A17606:				; CODE XREF: sub_A175DB+39j
					; sub_A175DB+221j
		mov	ebx, 0C000000Dh
		jmp	loc_A17A2F
; 

loc_A17610:				; CODE XREF: sub_A175DB+29j
		cmp	[ebp+arg_4], 0
		jz	short loc_A17606
		mov	eax, [ecx+8]
		xor	esi, esi
		and	[ebp+var_C], esi
		test	eax, eax
		jnz	short loc_A1762C

loc_A17622:				; CODE XREF: sub_A175DB+54j
		mov	ebx, 0C000000Dh
		jmp	loc_A176B0
; 

loc_A1762C:				; CODE XREF: sub_A175DB+45j
		cmp	dword ptr [ecx], 3
		jbe	short loc_A17622
		xor	edi, edi

loc_A17633:				; CODE XREF: sub_A175DB+8Aj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17640
		xor	ebx, ebx
		jmp	short loc_A17648
; 

loc_A17640:				; CODE XREF: sub_A175DB+5Fj
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17648:				; CODE XREF: sub_A175DB+63j
		mov	[ebp+var_8], ecx
		test	ebx, ebx
		js	short loc_A1768C
		lea	eax, [ebp+var_8]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A1768C
		mov	eax, [ebp+var_8]
		inc	edi
		cmp	edi, 3
		jb	short loc_A17633
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17674
		xor	ebx, ebx
		jmp	short loc_A1767C
; 

loc_A17674:				; CODE XREF: sub_A175DB+93j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1767C:				; CODE XREF: sub_A175DB+97j
		test	ebx, ebx
		js	short loc_A1768C
		mov	esi, edx
		mov	eax, edx
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		jmp	short loc_A1768F
; 

loc_A1768C:				; CODE XREF: sub_A175DB+72j
					; sub_A175DB+81j ...
		mov	eax, [ebp+var_C]

loc_A1768F:				; CODE XREF: sub_A175DB+AFj
		test	ebx, ebx
		js	short loc_A176AD
		cmp	eax, 8
		jz	short loc_A176A2

loc_A17698:				; CODE XREF: sub_A175DB+20Fj
					; sub_A175DB+3A5j ...
		mov	ebx, 0C0000023h
		jmp	loc_A17A2F
; 

loc_A176A2:				; CODE XREF: sub_A175DB+BBj
		mov	eax, [esi]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+4]
		mov	[ebp+var_20], eax

loc_A176AD:				; CODE XREF: sub_A175DB+B6j
		mov	ecx, [ebp+var_4]

loc_A176B0:				; CODE XREF: sub_A175DB+4Cj
		test	ebx, ebx
		js	loc_A17A2F
		mov	eax, [ecx+8]
		xor	esi, esi
		and	[ebp+var_8], esi
		test	eax, eax
		jnz	short loc_A176CB

loc_A176C4:				; CODE XREF: sub_A175DB+F3j
		mov	ebx, 0C000000Dh
		jmp	short loc_A17745
; 

loc_A176CB:				; CODE XREF: sub_A175DB+E7j
		cmp	dword ptr [ecx], 4
		jbe	short loc_A176C4
		xor	edi, edi

loc_A176D2:				; CODE XREF: sub_A175DB+129j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A176DF
		xor	ebx, ebx
		jmp	short loc_A176E7
; 

loc_A176DF:				; CODE XREF: sub_A175DB+FEj
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A176E7:				; CODE XREF: sub_A175DB+102j
		mov	[ebp+var_C], ecx
		test	ebx, ebx
		js	short loc_A1772B
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A1772B
		mov	eax, [ebp+var_C]
		inc	edi
		cmp	edi, 4
		jb	short loc_A176D2
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17713
		xor	ebx, ebx
		jmp	short loc_A1771B
; 

loc_A17713:				; CODE XREF: sub_A175DB+132j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1771B:				; CODE XREF: sub_A175DB+136j
		test	ebx, ebx
		js	short loc_A1772B
		mov	esi, edx
		mov	eax, edx
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		jmp	short loc_A1772E
; 

loc_A1772B:				; CODE XREF: sub_A175DB+111j
					; sub_A175DB+120j ...
		mov	eax, [ebp+var_8]

loc_A1772E:				; CODE XREF: sub_A175DB+14Ej
		test	ebx, ebx
		js	short loc_A17742
		cmp	eax, 8
		jnz	short loc_A17772
		mov	eax, [esi]
		mov	[ebp+var_18], eax
		mov	eax, [esi+4]
		mov	[ebp+var_C], eax

loc_A17742:				; CODE XREF: sub_A175DB+155j
		mov	ecx, [ebp+var_4]

loc_A17745:				; CODE XREF: sub_A175DB+EEj
		test	ebx, ebx
		js	loc_A17A2F
		mov	eax, [ecx+8]
		xor	esi, esi
		and	[ebp+var_8], esi
		test	eax, eax
		jnz	short loc_A1777C

loc_A17759:				; CODE XREF: sub_A175DB+1A4j
		mov	ebx, 0C000000Dh

loc_A1775E:				; CODE XREF: sub_A175DB+206j
		mov	eax, [ebp+var_14]

loc_A17761:				; CODE XREF: sub_A175DB+217j
		test	ebx, ebx
		js	loc_A17A2F
		cmp	eax, 10h
		jz	loc_A177F7

loc_A17772:				; CODE XREF: sub_A175DB+15Aj
					; sub_A175DB+368j
		mov	ebx, 0C000003Eh
		jmp	loc_A17A2F
; 

loc_A1777C:				; CODE XREF: sub_A175DB+17Cj
		cmp	dword ptr [ecx], 5
		jbe	short loc_A17759
		xor	edi, edi

loc_A17783:				; CODE XREF: sub_A175DB+1DAj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17790
		xor	ebx, ebx
		jmp	short loc_A17798
; 

loc_A17790:				; CODE XREF: sub_A175DB+1AFj
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17798:				; CODE XREF: sub_A175DB+1B3j
		mov	[ebp+var_C], ecx
		test	ebx, ebx
		js	short loc_A177DC
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A177DC
		mov	eax, [ebp+var_C]
		inc	edi
		cmp	edi, 5
		jb	short loc_A17783
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A177C4
		xor	ebx, ebx
		jmp	short loc_A177CC
; 

loc_A177C4:				; CODE XREF: sub_A175DB+1E3j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A177CC:				; CODE XREF: sub_A175DB+1E7j
		test	ebx, ebx
		js	short loc_A177DC
		mov	esi, edx
		mov	eax, edx
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		jmp	short loc_A177DF
; 

loc_A177DC:				; CODE XREF: sub_A175DB+1C2j
					; sub_A175DB+1D1j ...
		mov	eax, [ebp+var_8]

loc_A177DF:				; CODE XREF: sub_A175DB+1FFj
		test	ebx, ebx
		js	loc_A1775E
		cmp	eax, 4
		jnz	loc_A17698
		mov	eax, [esi]
		jmp	loc_A17761
; 

loc_A177F7:				; CODE XREF: sub_A175DB+191j
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jz	loc_A17606
		mov	eax, ds:_IoFileObjectType
		lea	edx, [ebp+var_18]
		and	[ebp+var_18], 0
		push	0
		push	edx
		push	1
		push	eax
		push	0
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, [ebp+var_18]
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A178EE
		and	[ebp+var_4], 0
		mov	ebx, 248h
		push	20534C53h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A1784F
		mov	ebx, 0C0000017h
		jmp	loc_A178EE
; 

loc_A1784F:				; CODE XREF: sub_A175DB+268j
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	ebx		; int
		push	esi		; void *
		push	0		; size_t
		push	0		; void *
		push	900F4h		; int
		push	edi		; int
		call	FsRtlKernelFsControlFile
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A178E3
		cmp	[ebp+var_4], 40h
		jnb	short loc_A17877

loc_A17870:				; CODE XREF: sub_A175DB+2D0j
					; sub_A175DB+2EEj
		mov	ebx, 0C000003Eh
		jmp	short loc_A178E3
; 

loc_A17877:				; CODE XREF: sub_A175DB+293j
		cmp	byte ptr [edi+27h], 0
		mov	eax, [esi]
		mov	[ebp+var_18], eax
		mov	eax, [esi+4]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	248h		; int
		push	esi		; void *
		push	0		; size_t
		push	0		; void *
		jz	short loc_A178B4
		push	900EFh		; int
		push	edi		; int
		call	FsRtlKernelFsControlFile
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A178E3
		cmp	[ebp+var_4], 8
		jb	short loc_A17870
		mov	eax, [esi]
		mov	ecx, [esi+4]
		jmp	short loc_A178D1 ; void	*
; 

loc_A178B4:				; CODE XREF: sub_A175DB+2B9j
		push	900EBh		; int
		push	edi		; int
		call	FsRtlKernelFsControlFile
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A178E3
		cmp	[ebp+var_4], 40h
		jb	short loc_A17870
		mov	eax, [esi+18h]
		mov	ecx, [esi+1Ch]

loc_A178D1:				; CODE XREF: sub_A175DB+2D7j
		mov	edx, [ebp+var_18]
		mov	[ebp+var_30], edx
		mov	edx, [ebp+var_14]
		mov	[ebp+var_2C], edx
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], ecx

loc_A178E3:				; CODE XREF: sub_A175DB+28Dj
					; sub_A175DB+29Aj ...
		push	20534C53h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A178EE:				; CODE XREF: sub_A175DB+248j
					; sub_A175DB+26Fj
		test	edi, edi
		jz	short loc_A178F9
		mov	ecx, edi
		call	ObfDereferenceObject

loc_A178F9:				; CODE XREF: sub_A175DB+315j
		test	ebx, ebx
		js	loc_A17A2F
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A17A2F
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	14h
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A17A2F
		mov	ebx, [ebp+arg_4]
		mov	eax, [ebp+var_4]
		lea	edi, [ebx+4]
		mov	[edi], eax
		test	eax, eax
		jz	loc_A17772
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A17966
		mov	ebx, 0C0000017h
		jmp	loc_A17A2F
; 

loc_A17966:				; CODE XREF: sub_A175DB+37Fj
		mov	[ebx+8], edx
		and	dword ptr [ebx], 0
		lea	esi, [edx+4]
		cmp	esi, edx
		jb	loc_A17A2A
		mov	ecx, [edi]
		lea	eax, [edx+0Ch]
		add	ecx, edx
		cmp	eax, ecx
		ja	loc_A17698
		mov	eax, [ebp+var_1C]
		mov	dword ptr [edx], 8
		mov	[esi], eax
		mov	eax, [ebp+var_20]
		mov	[esi+4], eax
		inc	dword ptr [ebx]
		mov	ecx, [ebx]
		mov	[ebp+var_1C], ecx
		mov	eax, [ebx+8]
		mov	[ebp+var_18], eax
		test	eax, eax
		jnz	short loc_A179C2
		mov	ecx, [edi]
		push	edi
		push	14h
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A17A2F
		mov	eax, [ebp+arg_4]
		inc	dword ptr [eax]
		xor	ebx, ebx
		jmp	short loc_A17A2F
; 

loc_A179C2:				; CODE XREF: sub_A175DB+3CBj
		and	[ebp+var_20], 0
		mov	esi, eax
		mov	[ebp+var_14], esi
		test	ecx, ecx
		jz	short loc_A179FC

loc_A179CF:				; CODE XREF: sub_A175DB+41Cj
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A17A2A
		lea	eax, [ebp+var_14]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A17A2F
		mov	ecx, [ebp+var_20]
		mov	esi, [ebp+var_14]
		inc	ecx
		mov	[ebp+var_20], ecx
		cmp	ecx, [ebp+var_1C]
		jb	short loc_A179CF
		mov	eax, [ebp+var_18]

loc_A179FC:				; CODE XREF: sub_A175DB+3F2j
		lea	edx, [esi+4]
		cmp	edx, esi
		jb	short loc_A17A2A
		mov	ecx, [edi]
		xor	ebx, ebx
		add	ecx, eax
		lea	eax, [esi+14h]
		cmp	eax, ecx
		ja	loc_A17698
		mov	eax, [ebp+arg_4]
		mov	edi, edx
		mov	dword ptr [esi], 10h
		lea	esi, [ebp+var_30]
		movsd
		movsd
		movsd
		movsd
		inc	dword ptr [eax]
		jmp	short loc_A17A2F
; 

loc_A17A2A:				; CODE XREF: sub_A175DB+396j
					; sub_A175DB+3FCj ...
		mov	ebx, 0C0000095h

loc_A17A2F:				; CODE XREF: sub_A175DB+30j
					; sub_A175DB+C2j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
sub_A175DB	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A17A38	proc near		; CODE XREF: sub_785212+1A5Cp

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	[ebp+var_50], edx
		mov	edx, ecx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		push	esi
		mov	eax, [edx+8]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_48], ebx
		push	edi
		mov	edi, ebx
		test	eax, eax
		jnz	short loc_A17A84

loc_A17A7A:				; CODE XREF: sub_A17A38+4Fj
		mov	esi, 0C000000Dh
		jmp	loc_A17B07
; 

loc_A17A84:				; CODE XREF: sub_A17A38+40j
		cmp	dword ptr [edx], 3
		jbe	short loc_A17A7A

loc_A17A89:				; CODE XREF: sub_A17A38+83j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17A96
		xor	esi, esi
		jmp	short loc_A17A9E
; 

loc_A17A96:				; CODE XREF: sub_A17A38+58j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17A9E:				; CODE XREF: sub_A17A38+5Cj
		mov	[ebp+var_14], ecx
		test	esi, esi
		js	short loc_A17AE2
		lea	eax, [ebp+var_14]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A17AE2
		mov	eax, [ebp+var_14]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_A17A89
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17ACA
		xor	esi, esi
		jmp	short loc_A17AD2
; 

loc_A17ACA:				; CODE XREF: sub_A17A38+8Cj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17AD2:				; CODE XREF: sub_A17A38+90j
		test	esi, esi
		js	short loc_A17AE2
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A17AE4
; 

loc_A17AE2:				; CODE XREF: sub_A17A38+6Bj
					; sub_A17A38+7Aj ...
		mov	eax, edi

loc_A17AE4:				; CODE XREF: sub_A17A38+A8j
		test	esi, esi
		js	short loc_A17B02
		cmp	eax, 8
		jz	short loc_A17AF7

loc_A17AED:				; CODE XREF: sub_A17A38+152j
		mov	esi, 0C0000023h
		jmp	loc_A18359
; 

loc_A17AF7:				; CODE XREF: sub_A17A38+B3j
		mov	eax, [edi]
		mov	[ebp+var_40], eax
		mov	eax, [edi+4]
		mov	[ebp+var_44], eax

loc_A17B02:				; CODE XREF: sub_A17A38+AEj
		mov	edx, [ebp+var_4]
		xor	ebx, ebx

loc_A17B07:				; CODE XREF: sub_A17A38+47j
		test	esi, esi
		js	loc_A18359
		mov	eax, [edx+8]
		mov	edi, ebx
		mov	[ebp+var_14], ebx
		test	eax, eax
		jnz	short loc_A17B22

loc_A17B1B:				; CODE XREF: sub_A17A38+EDj
		mov	esi, 0C000000Dh
		jmp	short loc_A17B9A
; 

loc_A17B22:				; CODE XREF: sub_A17A38+E1j
		cmp	dword ptr [edx], 4
		jbe	short loc_A17B1B

loc_A17B27:				; CODE XREF: sub_A17A38+121j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17B34
		xor	esi, esi
		jmp	short loc_A17B3C
; 

loc_A17B34:				; CODE XREF: sub_A17A38+F6j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17B3C:				; CODE XREF: sub_A17A38+FAj
		mov	[ebp+var_18], ecx
		test	esi, esi
		js	short loc_A17B80
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A17B80
		mov	eax, [ebp+var_18]
		inc	ebx
		cmp	ebx, 4
		jb	short loc_A17B27
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17B68
		xor	esi, esi
		jmp	short loc_A17B70
; 

loc_A17B68:				; CODE XREF: sub_A17A38+12Aj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17B70:				; CODE XREF: sub_A17A38+12Ej
		test	esi, esi
		js	short loc_A17B80
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A17B83
; 

loc_A17B80:				; CODE XREF: sub_A17A38+109j
					; sub_A17A38+118j ...
		mov	eax, [ebp+var_14]

loc_A17B83:				; CODE XREF: sub_A17A38+146j
		test	esi, esi
		js	short loc_A17B95
		cmp	eax, 4
		jnz	loc_A17AED
		mov	eax, [edi]
		mov	[ebp+var_38], eax

loc_A17B95:				; CODE XREF: sub_A17A38+14Dj
		mov	edx, [ebp+var_4]
		xor	ebx, ebx

loc_A17B9A:				; CODE XREF: sub_A17A38+E8j
		test	esi, esi
		js	loc_A18359
		and	[ebp+var_24], 0
		mov	ecx, ebx
		mov	eax, [edx+8]
		mov	edi, ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_4C], ecx
		test	eax, eax
		jnz	short loc_A17BC1

loc_A17BB7:				; CODE XREF: sub_A17A38+18Cj
		mov	esi, 0C000000Dh
		jmp	loc_A17C95
; 

loc_A17BC1:				; CODE XREF: sub_A17A38+17Dj
		cmp	dword ptr [edx], 5
		jbe	short loc_A17BB7
		and	[ebp+var_20], 0

loc_A17BCA:				; CODE XREF: sub_A17A38+1D2j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17BD7
		xor	esi, esi
		jmp	short loc_A17BDF
; 

loc_A17BD7:				; CODE XREF: sub_A17A38+199j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17BDF:				; CODE XREF: sub_A17A38+19Dj
		mov	[ebp+var_18], ecx
		test	esi, esi
		js	loc_A17C92
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A17C92
		mov	edx, [ebp+var_20]
		mov	eax, [ebp+var_18]
		inc	edx
		mov	[ebp+var_20], edx
		cmp	edx, 5
		jb	short loc_A17BCA
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17C19
		xor	esi, esi
		jmp	short loc_A17C21
; 

loc_A17C19:				; CODE XREF: sub_A17A38+1DBj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17C21:				; CODE XREF: sub_A17A38+1DFj
		test	esi, esi
		js	short loc_A17C92
		mov	edi, edx
		mov	ebx, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		test	esi, esi
		js	short loc_A17C92
		test	ebx, ebx
		jnz	short loc_A17C5C

loc_A17C37:				; CODE XREF: sub_A17A38+22Aj
					; sub_A17A38+237j ...
		mov	esi, 0C000003Eh

loc_A17C3C:				; CODE XREF: sub_A17A38+28Bj
		test	esi, esi
		js	loc_A18359

loc_A17C44:				; CODE XREF: sub_A17A38+29Ej
		mov	ebx, [ebp+var_4]
		mov	eax, [ebx+8]
		test	eax, eax
		jnz	loc_A17CDB

loc_A17C52:				; CODE XREF: sub_A17A38+2A6j
					; sub_A17A38+322j ...
		mov	esi, 0C000000Dh
		jmp	loc_A18335
; 

loc_A17C5C:				; CODE XREF: sub_A17A38+1FDj
		test	ebx, 1
		jnz	short loc_A17C37
		mov	eax, ebx
		xor	ecx, ecx
		shr	eax, 1
		cmp	cx, [edi+eax*2-2]
		jnz	short loc_A17C37
		lea	eax, [ebp+var_24]
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	_StringCbLengthW@12 ; StringCbLengthW(x,x,x)
		test	eax, eax
		js	short loc_A17C37
		mov	ecx, [ebp+var_24]
		lea	eax, [ecx+2]
		cmp	eax, ebx
		jnz	short loc_A17C37
		mov	ebx, edi
		shr	ecx, 1
		jmp	short loc_A17C98
; 

loc_A17C92:				; CODE XREF: sub_A17A38+1ACj
					; sub_A17A38+1BFj ...
		mov	ecx, [ebp+var_4C]

loc_A17C95:				; CODE XREF: sub_A17A38+184j
		mov	ebx, [ebp+var_14]

loc_A17C98:				; CODE XREF: sub_A17A38+258j
		test	esi, esi
		js	loc_A18359
		lea	edi, ds:2[ecx*2]
		test	edi, edi
		jz	short loc_A17C37
		push	20534C53h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A17CC8
		mov	esi, 0C0000017h
		jmp	loc_A17C3C
; 

loc_A17CC8:				; CODE XREF: sub_A17A38+284j
		push	edi		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_1C], esi
		jmp	loc_A17C44
; 

loc_A17CDB:				; CODE XREF: sub_A17A38+214j
		cmp	dword ptr [ebx], 6
		jbe	loc_A17C52
		xor	edi, edi

loc_A17CE6:				; CODE XREF: sub_A17A38+2E8j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17CF3
		xor	esi, esi
		jmp	short loc_A17CFB
; 

loc_A17CF3:				; CODE XREF: sub_A17A38+2B5j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17CFB:				; CODE XREF: sub_A17A38+2B9j
		mov	[ebp+var_18], ecx
		test	esi, esi
		js	loc_A18335
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A18335
		mov	eax, [ebp+var_18]
		inc	edi
		cmp	edi, 6
		jb	short loc_A17CE6
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17D2F
		xor	esi, esi
		jmp	short loc_A17D37
; 

loc_A17D2F:				; CODE XREF: sub_A17A38+2F1j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17D37:				; CODE XREF: sub_A17A38+2F5j
		test	esi, esi
		js	loc_A18335
		mov	eax, edx
		mov	[ebp+var_30], edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_34], eax
		test	esi, esi
		js	loc_A18335
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_A17C52
		cmp	dword ptr [ebx], 7
		jbe	loc_A17C52
		xor	edi, edi

loc_A17D6B:				; CODE XREF: sub_A17A38+36Dj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17D78
		xor	esi, esi
		jmp	short loc_A17D80
; 

loc_A17D78:				; CODE XREF: sub_A17A38+33Aj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17D80:				; CODE XREF: sub_A17A38+33Ej
		mov	[ebp+var_18], ecx
		test	esi, esi
		js	loc_A18335
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A18335
		mov	eax, [ebp+var_18]
		inc	edi
		cmp	edi, 7
		jb	short loc_A17D6B
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17DB4
		xor	esi, esi
		jmp	short loc_A17DBC
; 

loc_A17DB4:				; CODE XREF: sub_A17A38+376j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17DBC:				; CODE XREF: sub_A17A38+37Aj
		test	esi, esi
		js	loc_A18335
		mov	eax, edx
		mov	[ebp+var_28], edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_2C], eax
		test	esi, esi
		js	loc_A18335
		mov	eax, [ebx+8]
		xor	edi, edi
		and	[ebp+var_14], edi
		test	eax, eax
		jnz	short loc_A17DF2

loc_A17DE6:				; CODE XREF: sub_A17A38+3BDj
		mov	esi, 0C000000Dh
		mov	ebx, edi
		jmp	loc_A17E72
; 

loc_A17DF2:				; CODE XREF: sub_A17A38+3ACj
		cmp	dword ptr [ebx], 8
		jbe	short loc_A17DE6
		xor	ebx, ebx

loc_A17DF9:				; CODE XREF: sub_A17A38+3F3j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17E06
		xor	esi, esi
		jmp	short loc_A17E0E
; 

loc_A17E06:				; CODE XREF: sub_A17A38+3C8j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17E0E:				; CODE XREF: sub_A17A38+3CCj
		mov	[ebp+var_18], ecx
		test	esi, esi
		js	short loc_A17E52
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A17E52
		mov	eax, [ebp+var_18]
		inc	ebx
		cmp	ebx, 8
		jb	short loc_A17DF9
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17E3A
		xor	esi, esi
		jmp	short loc_A17E42
; 

loc_A17E3A:				; CODE XREF: sub_A17A38+3FCj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17E42:				; CODE XREF: sub_A17A38+400j
		test	esi, esi
		js	short loc_A17E52
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A17E55
; 

loc_A17E52:				; CODE XREF: sub_A17A38+3DBj
					; sub_A17A38+3EAj ...
		mov	eax, [ebp+var_14]

loc_A17E55:				; CODE XREF: sub_A17A38+418j
		test	esi, esi
		js	short loc_A17E6F
		cmp	eax, 4
		jz	short loc_A17E68

loc_A17E5E:				; CODE XREF: sub_A17A38+6BCj
					; sub_A17A38+75Dj ...
		mov	esi, 0C0000023h
		jmp	loc_A18335
; 

loc_A17E68:				; CODE XREF: sub_A17A38+424j
		mov	ebx, [edi]
		mov	[ebp+var_8], ebx
		jmp	short loc_A17E72
; 

loc_A17E6F:				; CODE XREF: sub_A17A38+41Fj
		mov	ebx, [ebp+var_8]

loc_A17E72:				; CODE XREF: sub_A17A38+3B5j
					; sub_A17A38+435j
		test	esi, esi
		js	loc_A18335
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_A17EAE
		push	20534C53h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jnz	short loc_A17EA0
		mov	esi, 0C0000017h
		jmp	loc_A18335
; 

loc_A17EA0:				; CODE XREF: sub_A17A38+45Cj
		push	ebx		; size_t
		push	0		; int
		push	ecx		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_A17EAF
; 

loc_A17EAE:				; CODE XREF: sub_A17A38+446j
		inc	esi

loc_A17EAF:				; CODE XREF: sub_A17A38+474j
		mov	eax, ds:dword_A93E88
		test	eax, eax
		jz	short loc_A17EDD
		neg	esi
		lea	ecx, [ebp+var_48]
		push	ecx
		push	ebx
		sbb	esi, esi
		not	esi
		and	esi, [ebp+var_10]
		push	esi
		push	[ebp+var_28]
		push	[ebp+var_2C]
		push	[ebp+var_30]
		push	[ebp+var_34]
		push	[ebp+var_1C]
		push	[ebp+var_38]
		call	eax
		jmp	short loc_A17EE2
; 

loc_A17EDD:				; CODE XREF: sub_A17A38+47Ej
		mov	eax, 0C00000BBh

loc_A17EE2:				; CODE XREF: sub_A17A38+4A3j
		and	[ebp+var_4], 0
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A17F4E
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A17F4E
		lea	edx, [ebx+4]
		cmp	edx, 4
		jb	short loc_A17F49
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A17F4E
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A17F4E
		mov	eax, [ebp+var_4]
		mov	[ebp+var_C], eax
		jmp	short loc_A17F51
; 

loc_A17F49:				; CODE XREF: sub_A17A38+4E0j
		mov	esi, 0C0000095h

loc_A17F4E:				; CODE XREF: sub_A17A38+4C3j
					; sub_A17A38+4D8j ...
		mov	eax, [ebp+var_C]

loc_A17F51:				; CODE XREF: sub_A17A38+50Fj
		test	esi, esi
		js	loc_A18335
		xor	edi, edi
		mov	[ebp+var_3C], 8
		lea	ecx, [ebp+var_3C]
		mov	edx, eax
		push	ecx
		push	8
		pop	ecx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A18335
		mov	eax, [ebp+var_3C]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A17F8E
		mov	esi, 0C0000095h
		jmp	short loc_A17F9B
; 

loc_A17F8E:				; CODE XREF: sub_A17A38+54Dj
		lea	edi, [ecx+8]
		cmp	edi, ecx
		jb	loc_A1801A
		xor	esi, esi

loc_A17F9B:				; CODE XREF: sub_A17A38+554j
		test	esi, esi
		js	loc_A18335
		mov	ebx, [ebp+var_50]
		mov	edx, edi
		push	4
		pop	ecx
		mov	[ebp+var_4], ecx
		mov	eax, [ebx+10h]
		mov	ebx, [ebx+8]
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A18335
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A17FD8
		xor	esi, esi
		jmp	short loc_A17FE0
; 

loc_A17FD8:				; CODE XREF: sub_A17A38+59Aj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A17FE0:				; CODE XREF: sub_A17A38+59Ej
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	loc_A18335
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A18335
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1801A
		mov	edx, [ebp+var_50]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		jmp	short loc_A1801F
; 

loc_A1801A:				; CODE XREF: sub_A17A38+55Bj
					; sub_A17A38+5D0j
		mov	esi, 0C0000095h

loc_A1801F:				; CODE XREF: sub_A17A38+5E0j
		test	esi, esi
		js	loc_A18335
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_A17C52
		mov	eax, [ebp+var_C]
		lea	ebx, [edi+4]
		xor	esi, esi
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_A18047
		mov	esi, 0C000003Eh
		jmp	short loc_A18064
; 

loc_A18047:				; CODE XREF: sub_A17A38+606j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_A1805F
		mov	esi, 0C0000017h
		jmp	short loc_A18064
; 

loc_A1805F:				; CODE XREF: sub_A17A38+61Ej
		mov	[edi+8], eax
		and	[edi], esi

loc_A18064:				; CODE XREF: sub_A17A38+60Dj
					; sub_A17A38+625j
		test	esi, esi
		js	loc_A18335
		mov	eax, [edi+8]
		or	[ebp+var_14], 10000000h
		mov	[ebp+var_4C], eax
		test	eax, eax
		jnz	short loc_A18096
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A18335
		inc	dword ptr [edi]
		jmp	short loc_A18110
; 

loc_A18096:				; CODE XREF: sub_A17A38+643j
		mov	ecx, [edi]
		mov	edx, eax
		and	[ebp+var_38], 0
		mov	[ebp+arg_4], edx
		mov	[ebp+var_50], ecx
		test	ecx, ecx
		jz	short loc_A180DE

loc_A180A8:				; CODE XREF: sub_A17A38+6A1j
		mov	edx, [edx]
		add	edx, 4
		cmp	edx, 4
		jb	loc_A18136
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A18335
		mov	ecx, [ebp+var_38]
		mov	edx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_38], ecx
		cmp	ecx, [ebp+var_50]
		jb	short loc_A180A8
		mov	eax, [ebp+var_4C]

loc_A180DE:				; CODE XREF: sub_A17A38+66Ej
		lea	ecx, [edx+4]
		cmp	ecx, edx
		jb	loc_A18330
		mov	ecx, [ebx]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [edx+8]
		cmp	eax, ecx
		ja	loc_A17E5E
		mov	eax, [ebp+var_14]
		mov	dword ptr [edx], 4
		mov	[edx+4], eax
		inc	dword ptr [edi]

loc_A18108:				; CODE XREF: sub_A17A38+703j
		test	esi, esi
		js	loc_A18335

loc_A18110:				; CODE XREF: sub_A17A38+65Cj
		mov	eax, [edi+8]
		mov	[ebp+var_4C], eax
		test	eax, eax
		jnz	short loc_A1813D
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A18335
		inc	dword ptr [edi]
		jmp	loc_A181B9
; 

loc_A18136:				; CODE XREF: sub_A17A38+678j
		mov	esi, 0C0000095h
		jmp	short loc_A18108
; 

loc_A1813D:				; CODE XREF: sub_A17A38+6E0j
		and	[ebp+var_38], 0
		mov	ebx, eax
		mov	eax, [edi]
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_50], eax
		test	eax, eax
		jz	short loc_A1817D

loc_A1814F:				; CODE XREF: sub_A17A38+743j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	loc_A18208
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A181AE
		mov	ecx, [ebp+var_38]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_38], ecx
		cmp	ecx, [ebp+var_50]
		jb	short loc_A1814F

loc_A1817D:				; CODE XREF: sub_A17A38+715j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_A18330
		mov	ecx, [edi+4]
		lea	eax, [ebx+0Ch]
		add	ecx, [ebp+var_4C]
		xor	esi, esi
		cmp	eax, ecx
		ja	loc_A17E5E
		mov	eax, [ebp+var_40]
		mov	dword ptr [ebx], 8
		mov	[edx], eax
		mov	eax, [ebp+var_44]
		mov	[edx+4], eax
		inc	dword ptr [edi]

loc_A181AE:				; CODE XREF: sub_A17A38+734j
					; sub_A17A38+7D5j
		lea	ebx, [edi+4]
		test	esi, esi
		js	loc_A18335

loc_A181B9:				; CODE XREF: sub_A17A38+6F9j
		cmp	[ebp+var_10], 0
		mov	eax, [ebp+var_8]
		jnz	short loc_A1820F
		test	eax, eax
		jz	short loc_A18213

loc_A181C6:				; CODE XREF: sub_A17A38+7D9j
		mov	esi, 0C000000Dh

loc_A181CB:				; CODE XREF: sub_A17A38+808j
					; sub_A17A38+88Bj
		test	esi, esi
		js	loc_A18335
		lea	ebx, [edi+4]

loc_A181D6:				; CODE XREF: sub_A17A38+801j
		mov	edx, [edi+8]
		mov	eax, [ebp+var_48]
		mov	[ebp+var_40], eax
		mov	[ebp+var_4C], edx
		test	edx, edx
		jnz	loc_A182C8
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A18335
		inc	dword ptr [edi]
		xor	esi, esi
		jmp	loc_A18335
; 

loc_A18208:				; CODE XREF: sub_A17A38+71Fj
		mov	esi, 0C0000095h
		jmp	short loc_A181AE
; 

loc_A1820F:				; CODE XREF: sub_A17A38+788j
		test	eax, eax
		jz	short loc_A181C6

loc_A18213:				; CODE XREF: sub_A17A38+78Cj
		mov	edx, [edi+8]
		mov	[ebp+var_4C], edx
		test	edx, edx
		jnz	short loc_A18242
		lea	edx, [eax+4]
		cmp	edx, 4
		jb	short loc_A1823B
		mov	ecx, [ebx]
		push	ebx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A18335
		inc	dword ptr [edi]
		jmp	short loc_A181D6
; 

loc_A1823B:				; CODE XREF: sub_A17A38+7EBj
					; sub_A17A38+824j
		mov	esi, 0C0000095h
		jmp	short loc_A181CB
; 

loc_A18242:				; CODE XREF: sub_A17A38+7E3j
		mov	eax, [edi]
		mov	ebx, edx
		and	[ebp+var_44], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_50], eax
		test	eax, eax
		jz	short loc_A18285

loc_A18254:				; CODE XREF: sub_A17A38+848j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A1823B
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A18335
		mov	ecx, [ebp+var_44]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_44], ecx
		cmp	ecx, [ebp+var_50]
		jb	short loc_A18254
		mov	edx, [ebp+var_4C]

loc_A18285:				; CODE XREF: sub_A17A38+81Aj
		lea	eax, [ebx+4]
		cmp	eax, ebx
		jb	loc_A18330
		mov	ecx, [ebp+var_8]
		xor	esi, esi
		mov	eax, [edi+4]
		add	ecx, 4
		add	ecx, ebx
		add	eax, edx
		cmp	ecx, eax
		ja	loc_A17E5E
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_8]
		mov	[ebx], eax
		test	ecx, ecx
		jz	short loc_A182C1
		push	eax		; size_t
		push	ecx		; void *
		lea	eax, [ebx+4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_A182C1:				; CODE XREF: sub_A17A38+879j
		inc	dword ptr [edi]
		jmp	loc_A181CB
; 

loc_A182C8:				; CODE XREF: sub_A17A38+7ACj
		mov	eax, [edi]
		mov	ebx, edx
		and	[ebp+var_44], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_50], eax
		test	eax, eax
		jz	short loc_A18307

loc_A182DA:				; CODE XREF: sub_A17A38+8CAj
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A18330
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A18335
		mov	ecx, [ebp+var_44]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_44], ecx
		cmp	ecx, [ebp+var_50]
		jb	short loc_A182DA
		mov	edx, [ebp+var_4C]

loc_A18307:				; CODE XREF: sub_A17A38+8A0j
		lea	eax, [ebx+4]
		cmp	eax, ebx
		jb	short loc_A18330
		mov	ecx, [edi+4]
		lea	eax, [ebx+8]
		add	ecx, edx
		xor	esi, esi
		cmp	eax, ecx
		ja	loc_A17E5E
		mov	eax, [ebp+var_40]
		mov	dword ptr [ebx], 4
		mov	[ebx+4], eax
		inc	dword ptr [edi]
		jmp	short loc_A18335
; 

loc_A18330:				; CODE XREF: sub_A17A38+6ABj
					; sub_A17A38+74Aj ...
		mov	esi, 0C0000095h

loc_A18335:				; CODE XREF: sub_A17A38+21Fj
					; sub_A17A38+2C8j ...
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_A18347
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A18347:				; CODE XREF: sub_A17A38+902j
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_A18359
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A18359:				; CODE XREF: sub_A17A38+BAj
					; sub_A17A38+D1j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A17A38	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A18362	proc near		; CODE XREF: sub_785212+19CDp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_8], 0
		and	[ebp+var_1C], 0
		and	[ebp+var_20], 0
		and	[ebp+var_10], 0
		mov	eax, [ecx+8]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_24], edx
		and	[ebp+var_4], edi
		mov	[ebp+var_14], ecx
		test	eax, eax
		jnz	short loc_A18399

loc_A1838F:				; CODE XREF: sub_A18362+3Aj
		mov	esi, 0C000000Dh
		jmp	loc_A1841D
; 

loc_A18399:				; CODE XREF: sub_A18362+2Bj
		cmp	dword ptr [ecx], 3
		jbe	short loc_A1838F
		xor	ebx, ebx

loc_A183A0:				; CODE XREF: sub_A18362+70j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A183AD
		xor	esi, esi
		jmp	short loc_A183B5
; 

loc_A183AD:				; CODE XREF: sub_A18362+45j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A183B5:				; CODE XREF: sub_A18362+49j
		mov	[ebp+var_C], ecx
		test	esi, esi
		js	short loc_A183F9
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A183F9
		mov	eax, [ebp+var_C]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_A183A0
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A183E1
		xor	esi, esi
		jmp	short loc_A183E9
; 

loc_A183E1:				; CODE XREF: sub_A18362+79j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A183E9:				; CODE XREF: sub_A18362+7Dj
		test	esi, esi
		js	short loc_A183F9
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A183FC
; 

loc_A183F9:				; CODE XREF: sub_A18362+58j
					; sub_A18362+67j ...
		mov	eax, [ebp+var_4]

loc_A183FC:				; CODE XREF: sub_A18362+95j
		test	esi, esi
		js	short loc_A1841A
		cmp	eax, 8
		jz	short loc_A1840F

loc_A18405:				; CODE XREF: sub_A18362+164j
		mov	esi, 0C0000023h
		jmp	loc_A18938
; 

loc_A1840F:				; CODE XREF: sub_A18362+A1j
		mov	eax, [edi]
		mov	[ebp+var_1C], eax
		mov	eax, [edi+4]
		mov	[ebp+var_20], eax

loc_A1841A:				; CODE XREF: sub_A18362+9Cj
		mov	ecx, [ebp+var_14]

loc_A1841D:				; CODE XREF: sub_A18362+32j
		test	esi, esi
		js	loc_A18938
		mov	eax, [ecx+8]
		xor	edi, edi
		and	[ebp+var_4], edi
		test	eax, eax
		jnz	short loc_A18458

loc_A18431:				; CODE XREF: sub_A18362+F9j
		mov	esi, 0C000000Dh

loc_A18436:				; CODE XREF: sub_A18362+15Bj
		mov	eax, [ebp+var_10]

loc_A18439:				; CODE XREF: sub_A18362+16Cj
		test	esi, esi
		js	loc_A18938
		mov	ecx, 1008h
		cmp	eax, ecx
		jz	loc_A184D3
		mov	esi, 0C000003Eh
		jmp	loc_A18938
; 

loc_A18458:				; CODE XREF: sub_A18362+CDj
		cmp	dword ptr [ecx], 4
		jbe	short loc_A18431
		xor	ebx, ebx

loc_A1845F:				; CODE XREF: sub_A18362+12Fj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1846C
		xor	esi, esi
		jmp	short loc_A18474
; 

loc_A1846C:				; CODE XREF: sub_A18362+104j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A18474:				; CODE XREF: sub_A18362+108j
		mov	[ebp+var_C], ecx
		test	esi, esi
		js	short loc_A184B8
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A184B8
		mov	eax, [ebp+var_C]
		inc	ebx
		cmp	ebx, 4
		jb	short loc_A1845F
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A184A0
		xor	esi, esi
		jmp	short loc_A184A8
; 

loc_A184A0:				; CODE XREF: sub_A18362+138j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A184A8:				; CODE XREF: sub_A18362+13Cj
		test	esi, esi
		js	short loc_A184B8
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A184BB
; 

loc_A184B8:				; CODE XREF: sub_A18362+117j
					; sub_A18362+126j ...
		mov	eax, [ebp+var_4]

loc_A184BB:				; CODE XREF: sub_A18362+154j
		test	esi, esi
		js	loc_A18436
		cmp	eax, 4
		jnz	loc_A18405
		mov	eax, [edi]
		jmp	loc_A18439
; 

loc_A184D3:				; CODE XREF: sub_A18362+E6j
		push	20534C53h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jnz	short loc_A184F3
		mov	esi, 0C0000017h
		jmp	loc_A18938
; 

loc_A184F3:				; CODE XREF: sub_A18362+185j
		mov	eax, ds:dword_A93E5C
		test	eax, eax
		jz	short loc_A18501
		push	ecx
		call	eax
		jmp	short loc_A18506
; 

loc_A18501:				; CODE XREF: sub_A18362+198j
		mov	eax, 0C00000BBh

loc_A18506:				; CODE XREF: sub_A18362+19Dj
		mov	[ebp+var_C], eax
		mov	esi, eax
		test	eax, eax
		js	loc_A1892B
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	eax
		push	8
		pop	ebx
		mov	edx, ebx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A18575
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A18575
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, 100Ch
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A18575
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, ebx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A18575
		mov	eax, [ebp+var_4]
		mov	[ebp+var_8], eax
		jmp	short loc_A18578
; 

loc_A18575:				; CODE XREF: sub_A18362+1C9j
					; sub_A18362+1DEj ...
		mov	eax, [ebp+var_8]

loc_A18578:				; CODE XREF: sub_A18362+211j
		test	esi, esi
		js	loc_A1892B
		xor	edi, edi
		mov	[ebp+var_18], ebx
		lea	ecx, [ebp+var_18]
		mov	edx, eax
		push	ecx
		mov	ecx, ebx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1892B
		mov	eax, [ebp+var_18]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A185B0
		mov	esi, 0C0000095h
		jmp	short loc_A185BD
; 

loc_A185B0:				; CODE XREF: sub_A18362+245j
		lea	edi, [ecx+8]
		cmp	edi, ecx
		jb	loc_A1863C
		xor	esi, esi

loc_A185BD:				; CODE XREF: sub_A18362+24Cj
		test	esi, esi
		js	loc_A1892B
		mov	ebx, [ebp+var_24]
		mov	edx, edi
		push	4
		pop	ecx
		mov	[ebp+var_4], ecx
		mov	eax, [ebx+10h]
		mov	ebx, [ebx+8]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1892B
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A185FA
		xor	esi, esi
		jmp	short loc_A18602
; 

loc_A185FA:				; CODE XREF: sub_A18362+292j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A18602:				; CODE XREF: sub_A18362+296j
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	loc_A1892B
		lea	eax, [ebp+var_4]
		mov	edx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1892B
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1863C
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		jmp	short loc_A18641
; 

loc_A1863C:				; CODE XREF: sub_A18362+253j
					; sub_A18362+2C8j
		mov	esi, 0C0000095h

loc_A18641:				; CODE XREF: sub_A18362+2D8j
		test	esi, esi
		js	loc_A1892B
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_A1865A
		mov	esi, 0C000000Dh
		jmp	loc_A1892B
; 

loc_A1865A:				; CODE XREF: sub_A18362+2ECj
		mov	eax, [ebp+var_8]
		lea	ebx, [edi+4]
		xor	esi, esi
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_A1866F
		mov	esi, 0C000003Eh
		jmp	short loc_A1868C
; 

loc_A1866F:				; CODE XREF: sub_A18362+304j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_A18687
		mov	esi, 0C0000017h
		jmp	short loc_A1868C
; 

loc_A18687:				; CODE XREF: sub_A18362+31Cj
		mov	[edi+8], eax
		and	[edi], esi

loc_A1868C:				; CODE XREF: sub_A18362+30Bj
					; sub_A18362+323j
		test	esi, esi
		js	loc_A1892B
		mov	eax, [edi+8]
		or	[ebp+var_C], 10000000h
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_A186C1
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1892B
		inc	dword ptr [edi]
		jmp	loc_A18742
; 

loc_A186C1:				; CODE XREF: sub_A18362+341j
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+var_14], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	short loc_A18700

loc_A186D3:				; CODE XREF: sub_A18362+399j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A18723
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A18737
		mov	ecx, [ebp+var_14]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_14], ecx
		cmp	ecx, [ebp+var_24]
		jb	short loc_A186D3
		mov	eax, [ebp+var_8]

loc_A18700:				; CODE XREF: sub_A18362+36Fj
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_A18926
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+8]
		cmp	eax, ecx
		jbe	short loc_A1872A

loc_A18719:				; CODE XREF: sub_A18362+45Dj
					; sub_A18362+50Dj ...
		mov	esi, 0C0000023h
		jmp	loc_A1892B
; 

loc_A18723:				; CODE XREF: sub_A18362+379j
		mov	esi, 0C0000095h
		jmp	short loc_A18737
; 

loc_A1872A:				; CODE XREF: sub_A18362+3B5j
		mov	eax, [ebp+var_C]
		mov	dword ptr [ebx], 4
		mov	[edx], eax
		inc	dword ptr [edi]

loc_A18737:				; CODE XREF: sub_A18362+38Aj
					; sub_A18362+3C6j
		lea	ebx, [edi+4]
		test	esi, esi
		js	loc_A1892B

loc_A18742:				; CODE XREF: sub_A18362+35Aj
		mov	eax, [edi+8]
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_A18765
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1892B
		inc	dword ptr [edi]
		jmp	short loc_A187E3
; 

loc_A18765:				; CODE XREF: sub_A18362+3E8j
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+var_14], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	short loc_A187A8

loc_A18777:				; CODE XREF: sub_A18362+441j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	loc_A1880B
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A187D8
		mov	ecx, [ebp+var_14]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_14], ecx
		cmp	ecx, [ebp+var_24]
		jb	short loc_A18777
		mov	eax, [ebp+var_C]

loc_A187A8:				; CODE XREF: sub_A18362+413j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_A18926
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+0Ch]
		cmp	eax, ecx
		ja	loc_A18719
		mov	eax, [ebp+var_1C]
		mov	dword ptr [ebx], 8
		mov	[edx], eax
		mov	eax, [ebp+var_20]
		mov	[edx+4], eax
		inc	dword ptr [edi]

loc_A187D8:				; CODE XREF: sub_A18362+432j
					; sub_A18362+4AEj
		lea	ebx, [edi+4]
		test	esi, esi
		js	loc_A1892B

loc_A187E3:				; CODE XREF: sub_A18362+401j
		mov	eax, [edi+8]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_A18812
		mov	ecx, [ebx]
		mov	edx, 100Ch
		push	ebx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1892B
		inc	dword ptr [edi]
		jmp	loc_A18896
; 

loc_A1880B:				; CODE XREF: sub_A18362+41Dj
		mov	esi, 0C0000095h
		jmp	short loc_A187D8
; 

loc_A18812:				; CODE XREF: sub_A18362+489j
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+var_20], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	short loc_A18855

loc_A18824:				; CODE XREF: sub_A18362+4EEj
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	loc_A188B7
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1888B
		mov	ecx, [ebp+var_20]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_20], ecx
		cmp	ecx, [ebp+var_24]
		jb	short loc_A18824
		mov	eax, [ebp+var_1C]

loc_A18855:				; CODE XREF: sub_A18362+4C0j
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	loc_A18926
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+100Ch]
		cmp	eax, ecx
		ja	loc_A18719
		mov	eax, 1008h
		push	eax		; size_t
		push	[ebp+var_10]	; void *
		mov	[ebx], eax
		push	edx		; void *
		call	_memcpy
		add	esp, 0Ch
		inc	dword ptr [edi]

loc_A1888B:				; CODE XREF: sub_A18362+4DFj
					; sub_A18362+55Aj
		lea	ebx, [edi+4]
		test	esi, esi
		js	loc_A1892B

loc_A18896:				; CODE XREF: sub_A18362+4A4j
		mov	eax, [edi+8]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_A188BE
		mov	ecx, [ebx]
		push	ebx
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1892B
		inc	dword ptr [edi]
		xor	esi, esi
		jmp	short loc_A1892B
; 

loc_A188B7:				; CODE XREF: sub_A18362+4CAj
		mov	esi, 0C0000095h
		jmp	short loc_A1888B
; 

loc_A188BE:				; CODE XREF: sub_A18362+53Cj
		mov	ecx, [edi]
		mov	ebx, eax
		and	[ebp+var_20], 0
		mov	[ebp+arg_4], ebx
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	short loc_A188FD

loc_A188D0:				; CODE XREF: sub_A18362+596j
		mov	edx, [ebx]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A18926
		lea	eax, [ebp+arg_4]
		mov	ecx, ebx
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1892B
		mov	ecx, [ebp+var_20]
		mov	ebx, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_20], ecx
		cmp	ecx, [ebp+var_24]
		jb	short loc_A188D0
		mov	eax, [ebp+var_1C]

loc_A188FD:				; CODE XREF: sub_A18362+56Cj
		lea	edx, [ebx+4]
		cmp	edx, ebx
		jb	short loc_A18926
		mov	ecx, [edi+4]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [ebx+8]
		cmp	eax, ecx
		ja	loc_A18719
		mov	dword ptr [ebx], 4
		mov	dword ptr [edx], 1008h
		inc	dword ptr [edi]
		jmp	short loc_A1892B
; 

loc_A18926:				; CODE XREF: sub_A18362+3A3j
					; sub_A18362+44Bj ...
		mov	esi, 0C0000095h

loc_A1892B:				; CODE XREF: sub_A18362+1ABj
					; sub_A18362+218j ...
		push	20534C53h
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A18938:				; CODE XREF: sub_A18362+A8j
					; sub_A18362+BDj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A18362	endp


;  S U B	R O U T	I N E 


sub_A18941	proc near		; CODE XREF: sub_785212+1A06p
		mov	edi, edi
		mov	eax, 0C0000002h
		retn	8
sub_A18941	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1894B	proc near		; CODE XREF: sub_785212+14B5p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_10], 0
		mov	eax, edx
		and	[ebp+var_14], 0
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_24], eax
		mov	[ebp+var_4], ebx
		push	esi
		push	edi
		test	ecx, ecx
		jnz	short loc_A18976

loc_A1896C:				; CODE XREF: sub_A1894B+2Dj
					; sub_A1894B+34j
		mov	edx, 0C000000Dh
		jmp	loc_A18C9F
; 

loc_A18976:				; CODE XREF: sub_A1894B+1Fj
		test	eax, eax
		jz	short loc_A1896C
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_A1896C
		and	[ebp+var_8], ebx
		xor	esi, esi
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	short loc_A18997

loc_A1898D:				; CODE XREF: sub_A1894B+4Fj
		mov	edx, 0C000000Dh
		jmp	loc_A18A21
; 

loc_A18997:				; CODE XREF: sub_A1894B+40j
		cmp	dword ptr [ecx], 3
		jbe	short loc_A1898D
		xor	ebx, ebx

loc_A1899E:				; CODE XREF: sub_A1894B+8Bj
		mov	ecx, [eax]
		mov	[ebp+var_1C], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A189AE
		xor	edx, edx
		jmp	short loc_A189B6
; 

loc_A189AE:				; CODE XREF: sub_A1894B+5Dj
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A189B6:				; CODE XREF: sub_A1894B+61j
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	short loc_A189FD
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A189FD
		mov	eax, [ebp+arg_4]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_A1899E
		mov	ebx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A189E5
		xor	edx, edx
		jmp	short loc_A189ED
; 

loc_A189E5:				; CODE XREF: sub_A1894B+94j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A189ED:				; CODE XREF: sub_A1894B+98j
		test	edx, edx
		js	short loc_A189FD
		mov	esi, ebx
		mov	eax, ebx
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		jmp	short loc_A18A00
; 

loc_A189FD:				; CODE XREF: sub_A1894B+70j
					; sub_A1894B+82j ...
		mov	eax, [ebp+var_8]

loc_A18A00:				; CODE XREF: sub_A1894B+B0j
		test	edx, edx
		js	short loc_A18A1E
		cmp	eax, 8
		jz	short loc_A18A13

loc_A18A09:				; CODE XREF: sub_A1894B+2AFj
					; sub_A1894B+333j
		mov	edx, 0C0000023h
		jmp	loc_A18C9F
; 

loc_A18A13:				; CODE XREF: sub_A1894B+BCj
		mov	eax, [esi]
		mov	[ebp+var_10], eax
		mov	eax, [esi+4]
		mov	[ebp+var_14], eax

loc_A18A1E:				; CODE XREF: sub_A1894B+B7j
		mov	ebx, [ebp+var_4]

loc_A18A21:				; CODE XREF: sub_A1894B+47j
		test	edx, edx
		js	loc_A18C9F
		or	[ebp+var_1C], 0FFFFFFFFh
		lea	eax, [ebp+var_20]
		push	eax
		xor	esi, esi
		mov	[ebp+var_20], 0EFE82080h
		push	esi
		push	1
		push	6
		push	offset unk_6B72E0
		call	KeWaitForSingleObject
		test	eax, eax
		js	short loc_A18AC3
		cmp	eax, 0C0h
		jz	short loc_A18AC3
		cmp	eax, 102h
		jz	short loc_A18AC3
		cmp	dword_6B72C4, esi
		jnz	short loc_A18A6B
		cmp	ds:dword_A93F64, esi
		jnz	short loc_A18AB8

loc_A18A6B:				; CODE XREF: sub_A1894B+116j
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20], esi
		push	eax
		mov	[ebp+var_1C], esi
		call	KeQueryTickCount
		call	_KeQueryTimeIncrement@0	; KeQueryTimeIncrement()
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	esi
		push	eax
		call	__allmul
		push	esi
		push	2710h
		push	edx
		push	eax
		call	__alldiv
		push	offset unk_6B72C0
		mov	ds:dword_A93F20, eax
		mov	ds:dword_A93F24, edx
		mov	ds:dword_A93F64, 1
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_A18AB8:				; CODE XREF: sub_A1894B+11Ej
		push	esi
		push	offset unk_6B72E0
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_A18AC3:				; CODE XREF: sub_A1894B+100j
					; sub_A1894B+107j ...
		push	8
		pop	ecx
		mov	[ebp+arg_4], ecx
		lea	eax, [ebp+arg_4]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A18C9F
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_4], ebx
		push	8
		pop	ecx
		mov	[ebp+var_C], ecx
		lea	eax, [ebp+var_C]
		mov	edx, ebx
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A18C9F
		mov	eax, [ebp+var_C]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A18B14
		mov	edx, 0C0000095h
		jmp	short loc_A18B21
; 

loc_A18B14:				; CODE XREF: sub_A1894B+1C0j
		lea	esi, [ecx+8]
		cmp	esi, ecx
		jb	loc_A18BA0
		xor	edx, edx

loc_A18B21:				; CODE XREF: sub_A1894B+1C7j
		test	edx, edx
		js	loc_A18C9F
		mov	ebx, [ebp+var_24]
		mov	edx, esi
		push	4
		pop	ecx
		mov	[ebp+arg_4], ecx
		mov	eax, [ebx+10h]
		mov	ebx, [ebx+8]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A18C9F
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A18B5E
		xor	edx, edx
		jmp	short loc_A18B66
; 

loc_A18B5E:				; CODE XREF: sub_A1894B+20Dj
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A18B66:				; CODE XREF: sub_A1894B+211j
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	loc_A18C9F
		lea	eax, [ebp+arg_4]
		mov	edx, ebx
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A18C9F
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A18BA0
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		jmp	short loc_A18BA5
; 

loc_A18BA0:				; CODE XREF: sub_A1894B+1CEj
					; sub_A1894B+243j
		mov	edx, 0C0000095h

loc_A18BA5:				; CODE XREF: sub_A1894B+253j
		test	edx, edx
		js	loc_A18C9F
		mov	eax, [ebp+var_4]
		lea	ebx, [edi+4]
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_A18BC3
		mov	edx, 0C000003Eh
		jmp	loc_A18C9F
; 

loc_A18BC3:				; CODE XREF: sub_A1894B+26Cj
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A18BE0
		mov	edx, 0C0000017h
		jmp	loc_A18C9F
; 

loc_A18BE0:				; CODE XREF: sub_A1894B+289j
		mov	[edi+8], edx
		and	dword ptr [edi], 0
		lea	esi, [edx+4]
		cmp	esi, edx
		jb	loc_A18C9A
		mov	ecx, [ebx]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		ja	loc_A18A09
		mov	dword ptr [edx], 4
		mov	dword ptr [esi], 10000000h
		inc	dword ptr [edi]
		mov	ecx, [edi]
		mov	[ebp+var_24], ecx
		mov	eax, [edi+8]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_A18C34
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A18C9F
		inc	dword ptr [edi]
		xor	edx, edx
		jmp	short loc_A18C9F
; 

loc_A18C34:				; CODE XREF: sub_A1894B+2D0j
		and	[ebp+var_8], 0
		mov	esi, eax
		mov	[ebp+arg_4], esi
		test	ecx, ecx
		jz	short loc_A18C6B

loc_A18C41:				; CODE XREF: sub_A1894B+31Ej
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A18C9A
		lea	eax, [ebp+arg_4]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A18C9F
		mov	ecx, [ebp+var_8]
		mov	esi, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_8], ecx
		cmp	ecx, [ebp+var_24]
		jb	short loc_A18C41

loc_A18C6B:				; CODE XREF: sub_A1894B+2F4j
		lea	eax, [esi+4]
		cmp	eax, esi
		jb	short loc_A18C9A
		mov	ecx, [ebx]
		lea	eax, [esi+0Ch]
		add	ecx, [ebp+var_1C]
		xor	edx, edx
		cmp	eax, ecx
		ja	loc_A18A09
		mov	eax, [ebp+var_10]
		mov	dword ptr [esi], 8
		mov	[esi+4], eax
		mov	eax, [ebp+var_14]
		mov	[esi+8], eax
		inc	dword ptr [edi]
		jmp	short loc_A18C9F
; 

loc_A18C9A:				; CODE XREF: sub_A1894B+2A0j
					; sub_A1894B+2FEj ...
		mov	edx, 0C0000095h

loc_A18C9F:				; CODE XREF: sub_A1894B+26j
					; sub_A1894B+C3j ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	8
sub_A1894B	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A18CA8	proc near		; CODE XREF: sub_785212+19E0p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		push	ebx
		xor	ebx, ebx
		mov	eax, edx
		mov	[ebp+var_50], eax
		mov	edx, ecx
		mov	[ebp+var_4], edx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_3C], ebx
		push	esi
		push	edi
		test	eax, eax
		jnz	short loc_A18CEE

loc_A18CE4:				; CODE XREF: sub_A18CA8+49j
		mov	esi, 0C000000Dh
		jmp	loc_A1945F
; 

loc_A18CEE:				; CODE XREF: sub_A18CA8+3Aj
		cmp	[ebp+arg_4], ebx
		jz	short loc_A18CE4
		mov	eax, [edx+8]
		mov	edi, ebx
		test	eax, eax
		jnz	short loc_A18D06

loc_A18CFC:				; CODE XREF: sub_A18CA8+61j
		mov	esi, 0C000000Dh
		jmp	loc_A18D89
; 

loc_A18D06:				; CODE XREF: sub_A18CA8+52j
		cmp	dword ptr [edx], 3
		jbe	short loc_A18CFC

loc_A18D0B:				; CODE XREF: sub_A18CA8+95j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A18D18
		xor	esi, esi
		jmp	short loc_A18D20
; 

loc_A18D18:				; CODE XREF: sub_A18CA8+6Aj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A18D20:				; CODE XREF: sub_A18CA8+6Ej
		mov	[ebp+var_8], ecx
		test	esi, esi
		js	short loc_A18D64
		lea	eax, [ebp+var_8]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A18D64
		mov	eax, [ebp+var_8]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_A18D0B
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A18D4C
		xor	esi, esi
		jmp	short loc_A18D54
; 

loc_A18D4C:				; CODE XREF: sub_A18CA8+9Ej
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A18D54:				; CODE XREF: sub_A18CA8+A2j
		test	esi, esi
		js	short loc_A18D64
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A18D66
; 

loc_A18D64:				; CODE XREF: sub_A18CA8+7Dj
					; sub_A18CA8+8Cj ...
		mov	eax, edi

loc_A18D66:				; CODE XREF: sub_A18CA8+BAj
		test	esi, esi
		js	short loc_A18D84
		cmp	eax, 8
		jz	short loc_A18D79

loc_A18D6F:				; CODE XREF: sub_A18CA8+164j
		mov	esi, 0C0000023h
		jmp	loc_A1945F
; 

loc_A18D79:				; CODE XREF: sub_A18CA8+C5j
		mov	eax, [edi]
		mov	[ebp+var_44], eax
		mov	eax, [edi+4]
		mov	[ebp+var_48], eax

loc_A18D84:				; CODE XREF: sub_A18CA8+C0j
		mov	edx, [ebp+var_4]
		xor	ebx, ebx

loc_A18D89:				; CODE XREF: sub_A18CA8+59j
		test	esi, esi
		js	loc_A1945F
		mov	eax, [edx+8]
		mov	edi, ebx
		mov	[ebp+var_8], ebx
		test	eax, eax
		jnz	short loc_A18DA4

loc_A18D9D:				; CODE XREF: sub_A18CA8+FFj
		mov	esi, 0C000000Dh
		jmp	short loc_A18E1C
; 

loc_A18DA4:				; CODE XREF: sub_A18CA8+F3j
		cmp	dword ptr [edx], 4
		jbe	short loc_A18D9D

loc_A18DA9:				; CODE XREF: sub_A18CA8+133j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A18DB6
		xor	esi, esi
		jmp	short loc_A18DBE
; 

loc_A18DB6:				; CODE XREF: sub_A18CA8+108j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A18DBE:				; CODE XREF: sub_A18CA8+10Cj
		mov	[ebp+var_C], ecx
		test	esi, esi
		js	short loc_A18E02
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A18E02
		mov	eax, [ebp+var_C]
		inc	ebx
		cmp	ebx, 4
		jb	short loc_A18DA9
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A18DEA
		xor	esi, esi
		jmp	short loc_A18DF2
; 

loc_A18DEA:				; CODE XREF: sub_A18CA8+13Cj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A18DF2:				; CODE XREF: sub_A18CA8+140j
		test	esi, esi
		js	short loc_A18E02
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A18E05
; 

loc_A18E02:				; CODE XREF: sub_A18CA8+11Bj
					; sub_A18CA8+12Aj ...
		mov	eax, [ebp+var_8]

loc_A18E05:				; CODE XREF: sub_A18CA8+158j
		test	esi, esi
		js	short loc_A18E17
		cmp	eax, 4
		jnz	loc_A18D6F
		mov	eax, [edi]
		mov	[ebp+var_3C], eax

loc_A18E17:				; CODE XREF: sub_A18CA8+15Fj
		mov	edx, [ebp+var_4]
		xor	ebx, ebx

loc_A18E1C:				; CODE XREF: sub_A18CA8+FAj
		test	esi, esi
		js	loc_A1945F
		and	[ebp+var_28], 0
		mov	ecx, ebx
		mov	eax, [edx+8]
		mov	edi, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4C], ecx
		test	eax, eax
		jnz	short loc_A18E43

loc_A18E39:				; CODE XREF: sub_A18CA8+19Ej
		mov	esi, 0C000000Dh
		jmp	loc_A18F27
; 

loc_A18E43:				; CODE XREF: sub_A18CA8+18Fj
		cmp	dword ptr [edx], 5
		jbe	short loc_A18E39
		and	[ebp+var_24], 0

loc_A18E4C:				; CODE XREF: sub_A18CA8+1E4j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A18E59
		xor	esi, esi
		jmp	short loc_A18E61
; 

loc_A18E59:				; CODE XREF: sub_A18CA8+1ABj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A18E61:				; CODE XREF: sub_A18CA8+1AFj
		mov	[ebp+var_C], ecx
		test	esi, esi
		js	loc_A18F24
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A18F24
		mov	edx, [ebp+var_24]
		mov	eax, [ebp+var_C]
		inc	edx
		mov	[ebp+var_24], edx
		cmp	edx, 5
		jb	short loc_A18E4C
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A18E9B
		xor	esi, esi
		jmp	short loc_A18EA3
; 

loc_A18E9B:				; CODE XREF: sub_A18CA8+1EDj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A18EA3:				; CODE XREF: sub_A18CA8+1F1j
		test	esi, esi
		js	short loc_A18F24
		mov	edi, edx
		mov	ebx, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		test	esi, esi
		js	short loc_A18F24
		test	ebx, ebx
		jnz	short loc_A18EEE

loc_A18EB9:				; CODE XREF: sub_A18CA8+24Cj
					; sub_A18CA8+259j ...
		mov	esi, 0C000003Eh

loc_A18EBE:				; CODE XREF: sub_A18CA8+2B1j
		test	esi, esi
		js	loc_A1945F

loc_A18EC6:				; CODE XREF: sub_A18CA8+2C4j
		mov	edx, [ebp+var_4]
		xor	ecx, ecx
		and	[ebp+var_8], 0
		xor	edi, edi
		and	[ebp+var_24], ecx
		xor	ebx, ebx
		mov	[ebp+var_4C], ecx
		mov	eax, [edx+8]
		test	eax, eax
		jnz	loc_A18F71

loc_A18EE4:				; CODE XREF: sub_A18CA8+2CCj
		mov	esi, 0C000000Dh
		jmp	loc_A19048
; 

loc_A18EEE:				; CODE XREF: sub_A18CA8+20Fj
		test	ebx, 1
		jnz	short loc_A18EB9
		mov	eax, ebx
		xor	ecx, ecx
		shr	eax, 1
		cmp	cx, [edi+eax*2-2]
		jnz	short loc_A18EB9
		lea	eax, [ebp+var_28]
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	_StringCbLengthW@12 ; StringCbLengthW(x,x,x)
		test	eax, eax
		js	short loc_A18EB9
		mov	ecx, [ebp+var_28]
		lea	eax, [ecx+2]
		cmp	eax, ebx
		jnz	short loc_A18EB9
		mov	ebx, edi
		shr	ecx, 1
		jmp	short loc_A18F2A
; 

loc_A18F24:				; CODE XREF: sub_A18CA8+1BEj
					; sub_A18CA8+1D1j ...
		mov	ecx, [ebp+var_4C]

loc_A18F27:				; CODE XREF: sub_A18CA8+196j
		mov	ebx, [ebp+var_8]

loc_A18F2A:				; CODE XREF: sub_A18CA8+27Aj
		test	esi, esi
		js	loc_A1945F
		lea	edi, ds:2[ecx*2]
		test	edi, edi
		jz	loc_A18EB9
		push	20534C53h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A18F5E
		mov	esi, 0C0000017h
		jmp	loc_A18EBE
; 

loc_A18F5E:				; CODE XREF: sub_A18CA8+2AAj
		push	edi		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_1C], esi
		jmp	loc_A18EC6
; 

loc_A18F71:				; CODE XREF: sub_A18CA8+236j
		cmp	dword ptr [edx], 6
		jbe	loc_A18EE4
		and	[ebp+var_28], ecx

loc_A18F7D:				; CODE XREF: sub_A18CA8+315j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A18F8A
		xor	esi, esi
		jmp	short loc_A18F92
; 

loc_A18F8A:				; CODE XREF: sub_A18CA8+2DCj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A18F92:				; CODE XREF: sub_A18CA8+2E0j
		mov	[ebp+var_C], ecx
		test	esi, esi
		js	loc_A19045
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A19045
		mov	edx, [ebp+var_28]
		mov	eax, [ebp+var_C]
		inc	edx
		mov	[ebp+var_28], edx
		cmp	edx, 6
		jb	short loc_A18F7D
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A18FCC
		xor	esi, esi
		jmp	short loc_A18FD4
; 

loc_A18FCC:				; CODE XREF: sub_A18CA8+31Ej
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A18FD4:				; CODE XREF: sub_A18CA8+322j
		test	esi, esi
		js	short loc_A19045
		mov	edi, edx
		mov	ebx, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		test	esi, esi
		js	short loc_A19045
		test	ebx, ebx
		jnz	short loc_A1900F

loc_A18FEA:				; CODE XREF: sub_A18CA8+36Dj
					; sub_A18CA8+37Aj ...
		mov	esi, 0C000003Eh

loc_A18FEF:				; CODE XREF: sub_A18CA8+3CEj
		test	esi, esi
		js	loc_A1943B

loc_A18FF7:				; CODE XREF: sub_A18CA8+3E1j
		mov	ebx, [ebp+var_4]
		mov	eax, [ebx+8]
		test	eax, eax
		jnz	loc_A1908E

loc_A19005:				; CODE XREF: sub_A18CA8+3E9j
					; sub_A18CA8+465j ...
		mov	esi, 0C000000Dh
		jmp	loc_A1943B
; 

loc_A1900F:				; CODE XREF: sub_A18CA8+340j
		test	ebx, 1
		jnz	short loc_A18FEA
		mov	eax, ebx
		xor	ecx, ecx
		shr	eax, 1
		cmp	cx, [edi+eax*2-2]
		jnz	short loc_A18FEA
		lea	eax, [ebp+var_24]
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	_StringCbLengthW@12 ; StringCbLengthW(x,x,x)
		test	eax, eax
		js	short loc_A18FEA
		mov	ecx, [ebp+var_24]
		lea	eax, [ecx+2]
		cmp	eax, ebx
		jnz	short loc_A18FEA
		mov	ebx, edi
		shr	ecx, 1
		jmp	short loc_A1904B
; 

loc_A19045:				; CODE XREF: sub_A18CA8+2EFj
					; sub_A18CA8+302j ...
		mov	ecx, [ebp+var_4C]

loc_A19048:				; CODE XREF: sub_A18CA8+241j
		mov	ebx, [ebp+var_8]

loc_A1904B:				; CODE XREF: sub_A18CA8+39Bj
		test	esi, esi
		js	loc_A1943B
		lea	edi, ds:2[ecx*2]
		test	edi, edi
		jz	short loc_A18FEA
		push	20534C53h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A1907B
		mov	esi, 0C0000017h
		jmp	loc_A18FEF
; 

loc_A1907B:				; CODE XREF: sub_A18CA8+3C7j
		push	edi		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_20], esi
		jmp	loc_A18FF7
; 

loc_A1908E:				; CODE XREF: sub_A18CA8+357j
		cmp	dword ptr [ebx], 7
		jbe	loc_A19005
		xor	edi, edi

loc_A19099:				; CODE XREF: sub_A18CA8+42Bj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A190A6
		xor	esi, esi
		jmp	short loc_A190AE
; 

loc_A190A6:				; CODE XREF: sub_A18CA8+3F8j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A190AE:				; CODE XREF: sub_A18CA8+3FCj
		mov	[ebp+var_C], ecx
		test	esi, esi
		js	loc_A1943B
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1943B
		mov	eax, [ebp+var_C]
		inc	edi
		cmp	edi, 7
		jb	short loc_A19099
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A190E2
		xor	esi, esi
		jmp	short loc_A190EA
; 

loc_A190E2:				; CODE XREF: sub_A18CA8+434j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A190EA:				; CODE XREF: sub_A18CA8+438j
		test	esi, esi
		js	loc_A1943B
		mov	eax, edx
		mov	[ebp+var_34], edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_38], eax
		test	esi, esi
		js	loc_A1943B
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_A19005
		cmp	dword ptr [ebx], 8
		jbe	loc_A19005
		xor	edi, edi

loc_A1911E:				; CODE XREF: sub_A18CA8+4B0j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1912B
		xor	esi, esi
		jmp	short loc_A19133
; 

loc_A1912B:				; CODE XREF: sub_A18CA8+47Dj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A19133:				; CODE XREF: sub_A18CA8+481j
		mov	[ebp+var_C], ecx
		test	esi, esi
		js	loc_A1943B
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1943B
		mov	eax, [ebp+var_C]
		inc	edi
		cmp	edi, 8
		jb	short loc_A1911E
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A19167
		xor	esi, esi
		jmp	short loc_A1916F
; 

loc_A19167:				; CODE XREF: sub_A18CA8+4B9j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1916F:				; CODE XREF: sub_A18CA8+4BDj
		test	esi, esi
		js	loc_A1943B
		mov	eax, edx
		mov	[ebp+var_2C], edx
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		mov	[ebp+var_30], eax
		test	esi, esi
		js	loc_A1943B
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_A19005
		cmp	dword ptr [ebx], 9
		jbe	loc_A19005
		xor	edi, edi

loc_A191A3:				; CODE XREF: sub_A18CA8+52Dj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A191B0
		xor	esi, esi
		jmp	short loc_A191B8
; 

loc_A191B0:				; CODE XREF: sub_A18CA8+502j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A191B8:				; CODE XREF: sub_A18CA8+506j
		mov	[ebp+var_C], ecx
		test	esi, esi
		js	short loc_A191FA
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A191FA
		mov	eax, [ebp+var_C]
		inc	edi
		cmp	edi, 9
		jb	short loc_A191A3
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A191E4
		xor	esi, esi
		jmp	short loc_A191EC
; 

loc_A191E4:				; CODE XREF: sub_A18CA8+536j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A191EC:				; CODE XREF: sub_A18CA8+53Aj
		test	esi, esi
		js	short loc_A191FA
		mov	ebx, edx
		neg	edx
		sbb	edx, edx
		and	edx, ecx
		jmp	short loc_A191FF
; 

loc_A191FA:				; CODE XREF: sub_A18CA8+515j
					; sub_A18CA8+524j ...
		mov	edx, [ebp+var_10]
		mov	ebx, edx

loc_A191FF:				; CODE XREF: sub_A18CA8+550j
		test	esi, esi
		js	loc_A1943B
		mov	eax, ds:dword_A93EB4
		test	eax, eax
		jz	short loc_A1922D
		push	ebx
		push	edx
		push	[ebp+var_2C]
		push	[ebp+var_30]
		push	[ebp+var_34]
		push	[ebp+var_38]
		push	[ebp+var_20]
		push	[ebp+var_1C]
		push	[ebp+var_3C]
		call	eax
		mov	edi, eax
		jmp	short loc_A19232
; 

loc_A1922D:				; CODE XREF: sub_A18CA8+566j
		mov	edi, 0C00000BBh

loc_A19232:				; CODE XREF: sub_A18CA8+583j
		mov	esi, edi
		test	edi, edi
		js	loc_A1943B
		push	8
		pop	ecx
		mov	[ebp+var_3C], ecx
		lea	eax, [ebp+var_3C]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1925C
		mov	eax, [ebp+var_3C]
		mov	[ebp+var_18], eax
		jmp	short loc_A1925F
; 

loc_A1925C:				; CODE XREF: sub_A18CA8+5AAj
		mov	eax, [ebp+var_18]

loc_A1925F:				; CODE XREF: sub_A18CA8+5B2j
		test	esi, esi
		js	loc_A1943B
		push	8
		pop	esi
		xor	ebx, ebx
		mov	[ebp+var_40], esi
		lea	ecx, [ebp+var_40]
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1943B
		mov	eax, [ebp+var_40]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A1929A
		mov	esi, 0C0000095h
		jmp	short loc_A192A7
; 

loc_A1929A:				; CODE XREF: sub_A18CA8+5E9j
		lea	ebx, [ecx+8]
		cmp	ebx, ecx
		jb	loc_A1932A
		xor	esi, esi

loc_A192A7:				; CODE XREF: sub_A18CA8+5F0j
		test	esi, esi
		js	loc_A1943B
		mov	ecx, [ebp+var_50]
		mov	edx, ebx
		push	4
		mov	eax, [ecx+10h]
		mov	[ebp+var_4C], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_4]
		pop	ecx
		push	eax
		mov	[ebp+var_4], ecx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1943B
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A192E7
		xor	esi, esi
		jmp	short loc_A192EF
; 

loc_A192E7:				; CODE XREF: sub_A18CA8+639j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A192EF:				; CODE XREF: sub_A18CA8+63Dj
		mov	[ebp+var_4], ecx
		test	esi, esi
		js	loc_A1943B
		mov	edx, [ebp+var_50]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1943B
		mov	eax, [ebp+var_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1932A
		mov	edx, [ebp+var_4C]
		lea	eax, [ebp+var_4]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		jmp	short loc_A1932F
; 

loc_A1932A:				; CODE XREF: sub_A18CA8+5F7j
					; sub_A18CA8+670j
		mov	esi, 0C0000095h

loc_A1932F:				; CODE XREF: sub_A18CA8+680j
		test	esi, esi
		js	loc_A1943B
		mov	esi, [ebp+arg_4]
		mov	eax, [ebp+var_18]
		lea	ebx, [esi+4]
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_A19350
		mov	esi, 0C000003Eh
		jmp	loc_A1943B
; 

loc_A19350:				; CODE XREF: sub_A18CA8+69Cj
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A1936D
		mov	esi, 0C0000017h
		jmp	loc_A1943B
; 

loc_A1936D:				; CODE XREF: sub_A18CA8+6B9j
		mov	[esi+8], edx
		and	dword ptr [esi], 0
		or	edi, 10000000h
		lea	esi, [edx+4]
		cmp	esi, edx
		jb	loc_A19436
		mov	ecx, [ebx]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		jbe	short loc_A19399

loc_A1938F:				; CODE XREF: sub_A18CA8+770j
		mov	esi, 0C0000023h
		jmp	loc_A1943B
; 

loc_A19399:				; CODE XREF: sub_A18CA8+6E5j
		mov	dword ptr [edx], 4
		mov	[esi], edi
		mov	edi, [ebp+arg_4]
		inc	dword ptr [edi]
		mov	ecx, [edi]
		mov	[ebp+var_50], ecx
		mov	eax, [edi+8]
		mov	[ebp+var_4C], eax
		test	eax, eax
		jnz	short loc_A193CC
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1943B
		inc	dword ptr [edi]
		xor	esi, esi
		jmp	short loc_A1943B
; 

loc_A193CC:				; CODE XREF: sub_A18CA8+70Bj
		and	[ebp+var_3C], 0
		mov	edi, eax
		mov	[ebp+var_18], edi
		test	ecx, ecx
		jz	short loc_A19406

loc_A193D9:				; CODE XREF: sub_A18CA8+759j
		mov	edx, [edi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A19436
		lea	eax, [ebp+var_18]
		mov	ecx, edi
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1943B
		mov	ecx, [ebp+var_3C]
		mov	edi, [ebp+var_18]
		inc	ecx
		mov	[ebp+var_3C], ecx
		cmp	ecx, [ebp+var_50]
		jb	short loc_A193D9
		mov	eax, [ebp+var_4C]

loc_A19406:				; CODE XREF: sub_A18CA8+72Fj
		lea	edx, [edi+4]
		cmp	edx, edi
		jb	short loc_A19436
		mov	ecx, [ebx]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [edi+0Ch]
		cmp	eax, ecx
		ja	loc_A1938F
		mov	eax, [ebp+var_44]
		mov	dword ptr [edi], 8
		mov	[edx], eax
		mov	eax, [ebp+var_48]
		mov	[edx+4], eax
		mov	eax, [ebp+arg_4]
		inc	dword ptr [eax]
		jmp	short loc_A1943B
; 

loc_A19436:				; CODE XREF: sub_A18CA8+6D6j
					; sub_A18CA8+739j ...
		mov	esi, 0C0000095h

loc_A1943B:				; CODE XREF: sub_A18CA8+349j
					; sub_A18CA8+362j ...
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_A1944D
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1944D:				; CODE XREF: sub_A18CA8+798j
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_A1945F
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1945F:				; CODE XREF: sub_A18CA8+41j
					; sub_A18CA8+CCj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A18CA8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A19468	proc near		; CODE XREF: sub_785212+2097p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_14]
		mov	[ebp+var_24], edx
		stosd
		xor	ebx, ebx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], ebx
		stosd
		mov	[ebp+var_54], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_48], ebx
		stosd
		mov	[ebp+var_44], ebx
		stosd
		test	edx, edx
		jnz	short loc_A194B1

loc_A194A7:				; CODE XREF: sub_A19468+4Bj
		mov	ebx, 0C000000Dh
		jmp	loc_A199F6
; 

loc_A194B1:				; CODE XREF: sub_A19468+3Dj
		test	esi, esi
		jz	short loc_A194A7
		mov	eax, [ecx+8]
		mov	edi, ebx
		mov	[ebp+var_2C], eax
		mov	edx, 0C000000Dh
		test	eax, eax
		jnz	short loc_A194CD

loc_A194C6:				; CODE XREF: sub_A19468+68j
		mov	ebx, edx
		jmp	loc_A19557
; 

loc_A194CD:				; CODE XREF: sub_A19468+5Cj
		cmp	dword ptr [ecx], 3
		jbe	short loc_A194C6
		mov	[ebp+var_3C], ebx

loc_A194D5:				; CODE XREF: sub_A19468+A5j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jnb	short loc_A194E6
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A194E6:				; CODE XREF: sub_A19468+74j
		mov	[ebp+var_1C], ecx
		test	ebx, ebx
		js	short loc_A19534
		lea	eax, [ebp+var_1C]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A19534
		mov	edx, [ebp+var_3C]
		mov	eax, [ebp+var_1C]
		inc	edx
		mov	[ebp+var_3C], edx
		cmp	edx, 3
		jnb	short loc_A1950F
		xor	ebx, ebx
		jmp	short loc_A194D5
; 

loc_A1950F:				; CODE XREF: sub_A19468+A1j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1951C
		xor	ebx, ebx
		jmp	short loc_A19524
; 

loc_A1951C:				; CODE XREF: sub_A19468+AEj
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A19524:				; CODE XREF: sub_A19468+B2j
		test	ebx, ebx
		js	short loc_A19534
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A19536
; 

loc_A19534:				; CODE XREF: sub_A19468+83j
					; sub_A19468+92j ...
		mov	eax, edi

loc_A19536:				; CODE XREF: sub_A19468+CAj
		test	ebx, ebx
		js	short loc_A19554
		cmp	eax, 8
		jz	short loc_A19549
		mov	ebx, 0C0000023h
		jmp	loc_A199F6
; 

loc_A19549:				; CODE XREF: sub_A19468+D5j
		mov	eax, [edi]
		mov	[ebp+var_54], eax
		mov	eax, [edi+4]
		mov	[ebp+var_40], eax

loc_A19554:				; CODE XREF: sub_A19468+D0j
		mov	eax, [ebp+var_2C]

loc_A19557:				; CODE XREF: sub_A19468+60j
		test	ebx, ebx
		js	loc_A199F6
		and	[ebp+var_4C], 0
		xor	ecx, ecx
		and	[ebp+var_3C], ecx
		xor	edx, edx
		xor	edi, edi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_18], edx
		test	eax, eax
		jnz	short loc_A19580

loc_A19576:				; CODE XREF: sub_A19468+11Ej
		mov	ebx, 0C000000Dh
		jmp	loc_A19653
; 

loc_A19580:				; CODE XREF: sub_A19468+10Cj
		mov	edx, [ebp+var_28]
		cmp	dword ptr [edx], 4
		jbe	short loc_A19576
		and	[ebp+var_2C], ecx

loc_A1958B:				; CODE XREF: sub_A19468+15Bj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A19598
		xor	ebx, ebx
		jmp	short loc_A195A0
; 

loc_A19598:				; CODE XREF: sub_A19468+12Aj
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A195A0:				; CODE XREF: sub_A19468+12Ej
		mov	[ebp+var_1C], ecx
		test	ebx, ebx
		js	short loc_A195EB
		lea	eax, [ebp+var_1C]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A195EB
		mov	edx, [ebp+var_2C]
		mov	eax, [ebp+var_1C]
		inc	edx
		mov	[ebp+var_2C], edx
		cmp	edx, 4
		jb	short loc_A1958B
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A195D2
		xor	ebx, ebx
		jmp	short loc_A195DA
; 

loc_A195D2:				; CODE XREF: sub_A19468+164j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A195DA:				; CODE XREF: sub_A19468+168j
		test	ebx, ebx
		js	short loc_A195EB
		mov	edi, edx
		mov	[ebp+var_18], edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A195ED
; 

loc_A195EB:				; CODE XREF: sub_A19468+13Dj
					; sub_A19468+14Cj ...
		mov	edx, edi

loc_A195ED:				; CODE XREF: sub_A19468+181j
		test	ebx, ebx
		js	short loc_A19650
		test	edx, edx
		jnz	short loc_A1961A

loc_A195F5:				; CODE XREF: sub_A19468+1B8j
					; sub_A19468+1C5j ...
		mov	ebx, 0C000003Eh

loc_A195FA:				; CODE XREF: sub_A19468+216j
		test	ebx, ebx
		js	loc_A199F6

loc_A19602:				; CODE XREF: sub_A19468+22Bj
		mov	ecx, [ebp+var_28]
		mov	eax, [ecx+8]
		test	eax, eax
		jnz	loc_A19698

loc_A19610:				; CODE XREF: sub_A19468+233j
		mov	ebx, 0C000000Dh
		jmp	loc_A199E4
; 

loc_A1961A:				; CODE XREF: sub_A19468+18Bj
		test	edx, 1
		jnz	short loc_A195F5
		mov	eax, edx
		xor	ecx, ecx
		shr	eax, 1
		cmp	cx, [edi+eax*2-2]
		jnz	short loc_A195F5
		lea	eax, [ebp+var_3C]
		mov	ecx, edi
		push	eax
		call	_StringCbLengthW@12 ; StringCbLengthW(x,x,x)
		test	eax, eax
		js	short loc_A195F5
		mov	ecx, [ebp+var_3C]
		lea	eax, [ecx+2]
		cmp	eax, [ebp+var_18]
		jnz	short loc_A195F5
		mov	[ebp+var_4C], edi
		shr	ecx, 1
		jmp	short loc_A19653
; 

loc_A19650:				; CODE XREF: sub_A19468+187j
		mov	ecx, [ebp+var_30]

loc_A19653:				; CODE XREF: sub_A19468+113j
					; sub_A19468+1E6j
		test	ebx, ebx
		js	loc_A199F6
		lea	ebx, ds:2[ecx*2]
		test	ebx, ebx
		jz	short loc_A195F5
		push	20534C53h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A19683
		mov	ebx, 0C0000017h
		jmp	loc_A195FA
; 

loc_A19683:				; CODE XREF: sub_A19468+20Fj
		push	ebx		; size_t
		push	[ebp+var_4C]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+var_48], edi
		jmp	loc_A19602
; 

loc_A19698:				; CODE XREF: sub_A19468+1A2j
		cmp	dword ptr [ecx], 5
		jbe	loc_A19610
		xor	edi, edi

loc_A196A3:				; CODE XREF: sub_A19468+26Dj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A196B0
		xor	ebx, ebx
		jmp	short loc_A196B8
; 

loc_A196B0:				; CODE XREF: sub_A19468+242j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A196B8:				; CODE XREF: sub_A19468+246j
		mov	[ebp+var_1C], ecx
		test	ebx, ebx
		js	short loc_A196FA
		lea	eax, [ebp+var_1C]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A196FA
		mov	eax, [ebp+var_1C]
		inc	edi
		cmp	edi, 5
		jb	short loc_A196A3
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A196E4
		xor	ebx, ebx
		jmp	short loc_A196EC
; 

loc_A196E4:				; CODE XREF: sub_A19468+276j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A196EC:				; CODE XREF: sub_A19468+27Aj
		test	ebx, ebx
		js	short loc_A196FA
		mov	edi, edx
		neg	edx
		sbb	edx, edx
		and	edx, ecx
		jmp	short loc_A196FF
; 

loc_A196FA:				; CODE XREF: sub_A19468+255j
					; sub_A19468+264j ...
		mov	edx, [ebp+var_44]
		mov	edi, edx

loc_A196FF:				; CODE XREF: sub_A19468+290j
		test	ebx, ebx
		js	loc_A199E4
		mov	eax, ds:dword_A93E90
		test	eax, eax
		jz	short loc_A1971D
		lea	ecx, [ebp+var_14]
		push	ecx
		push	edi
		push	edx
		push	[ebp+var_48]
		call	eax
		jmp	short loc_A19722
; 

loc_A1971D:				; CODE XREF: sub_A19468+2A6j
		mov	eax, 0C000A281h

loc_A19722:				; CODE XREF: sub_A19468+2B3j
		mov	[ebp+var_1C], eax
		push	8
		pop	ecx
		mov	[ebp+var_28], ecx
		lea	eax, [ebp+var_28]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A19745
		mov	eax, [ebp+var_28]
		mov	[ebp+var_34], eax
		jmp	short loc_A19748
; 

loc_A19745:				; CODE XREF: sub_A19468+2D3j
		mov	eax, [ebp+var_34]

loc_A19748:				; CODE XREF: sub_A19468+2DBj
		test	ebx, ebx
		js	loc_A199E4
		lea	ecx, [ebp+var_34]
		push	ecx
		push	14h
		pop	edx
		mov	ecx, eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A199E4
		push	8
		pop	ecx
		xor	edi, edi
		mov	[ebp+var_50], ecx
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_50]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A199E4
		mov	eax, [ebp+var_50]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A1979A
		mov	ebx, 0C0000095h
		jmp	short loc_A197A7
; 

loc_A1979A:				; CODE XREF: sub_A19468+329j
		lea	edi, [ecx+8]
		cmp	edi, ecx
		jb	loc_A1982A
		xor	ebx, ebx

loc_A197A7:				; CODE XREF: sub_A19468+330j
		test	ebx, ebx
		js	loc_A199E4
		mov	ecx, [ebp+var_24]
		mov	edx, edi
		push	4
		mov	eax, [ecx+10h]
		mov	[ebp+var_30], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_18]
		pop	ecx
		push	eax
		mov	[ebp+var_18], ecx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A199E4
		mov	eax, [ebp+var_18]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A197E7
		xor	ebx, ebx
		jmp	short loc_A197EF
; 

loc_A197E7:				; CODE XREF: sub_A19468+379j
		mov	ebx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A197EF:				; CODE XREF: sub_A19468+37Dj
		mov	[ebp+var_18], ecx
		test	ebx, ebx
		js	loc_A199E4
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A199E4
		mov	eax, [ebp+var_18]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1982A
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		jmp	short loc_A1982F
; 

loc_A1982A:				; CODE XREF: sub_A19468+337j
					; sub_A19468+3B0j
		mov	ebx, 0C0000095h

loc_A1982F:				; CODE XREF: sub_A19468+3C0j
		test	ebx, ebx
		js	loc_A199E4
		mov	eax, [ebp+var_34]
		lea	edi, [esi+4]
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_A1984D
		mov	ebx, 0C000003Eh
		jmp	loc_A199E4
; 

loc_A1984D:				; CODE XREF: sub_A19468+3D9j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A1986A
		mov	ebx, 0C0000017h
		jmp	loc_A199E4
; 

loc_A1986A:				; CODE XREF: sub_A19468+3F6j
		mov	[esi+8], edx
		and	dword ptr [esi], 0
		or	[ebp+var_1C], 10000000h
		lea	ebx, [edx+4]
		cmp	ebx, edx
		jb	loc_A199DF
		mov	ecx, [edi]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		jbe	short loc_A19897

loc_A1988D:				; CODE XREF: sub_A19468+4B4j
					; sub_A19468+55Dj
		mov	ebx, 0C0000023h
		jmp	loc_A199E4
; 

loc_A19897:				; CODE XREF: sub_A19468+423j
		mov	eax, [ebp+var_1C]
		mov	dword ptr [edx], 4
		mov	[ebx], eax
		inc	dword ptr [esi]
		mov	ecx, [esi]
		mov	[ebp+var_24], ecx
		mov	eax, [esi+8]
		mov	[ebp+var_30], eax
		test	eax, eax
		jnz	short loc_A198CC
		mov	ecx, [edi]
		push	edi
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A199E4
		inc	dword ptr [esi]
		jmp	short loc_A1994A
; 

loc_A198CC:				; CODE XREF: sub_A19468+449j
		and	[ebp+var_28], 0
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	ecx, ecx
		jz	short loc_A19906

loc_A198D9:				; CODE XREF: sub_A19468+499j
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A1993A
		lea	eax, [ebp+var_20]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A1993F
		mov	ecx, [ebp+var_28]
		mov	esi, [ebp+var_20]
		inc	ecx
		mov	[ebp+var_28], ecx
		cmp	ecx, [ebp+var_24]
		jb	short loc_A198D9
		mov	eax, [ebp+var_30]

loc_A19906:				; CODE XREF: sub_A19468+46Fj
		lea	edx, [esi+4]
		cmp	edx, esi
		jb	loc_A199DF
		mov	ecx, [edi]
		xor	ebx, ebx
		add	ecx, eax
		lea	eax, [esi+0Ch]
		cmp	eax, ecx
		ja	loc_A1988D
		mov	eax, [ebp+var_54]
		mov	dword ptr [esi], 8
		mov	esi, [ebp+var_38]
		mov	[edx], eax
		mov	eax, [ebp+var_40]
		mov	[edx+4], eax
		inc	dword ptr [esi]
		jmp	short loc_A19942
; 

loc_A1993A:				; CODE XREF: sub_A19468+479j
		mov	ebx, 0C0000095h

loc_A1993F:				; CODE XREF: sub_A19468+48Aj
		mov	esi, [ebp+var_38]

loc_A19942:				; CODE XREF: sub_A19468+4D0j
		test	ebx, ebx
		js	loc_A199E4

loc_A1994A:				; CODE XREF: sub_A19468+462j
		mov	eax, [esi+8]
		mov	[ebp+var_30], eax
		test	eax, eax
		jnz	short loc_A1996B
		mov	ecx, [edi]
		push	edi
		push	14h
		pop	edx
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A199E4
		inc	dword ptr [esi]
		xor	ebx, ebx
		jmp	short loc_A199E4
; 

loc_A1996B:				; CODE XREF: sub_A19468+4EAj
		mov	edx, [ebp+var_38]
		mov	esi, eax
		and	[ebp+var_40], 0
		mov	[ebp+var_20], esi
		mov	ecx, [edx]
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	short loc_A199B0

loc_A19980:				; CODE XREF: sub_A19468+540j
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A199DF
		lea	eax, [ebp+var_20]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A199E4
		mov	ecx, [ebp+var_40]
		mov	esi, [ebp+var_20]
		inc	ecx
		mov	[ebp+var_40], ecx
		cmp	ecx, [ebp+var_24]
		jb	short loc_A19980
		mov	edx, [ebp+var_38]
		mov	eax, [ebp+var_30]

loc_A199B0:				; CODE XREF: sub_A19468+516j
		lea	ecx, [esi+4]
		mov	[ebp+var_24], ecx
		cmp	ecx, esi
		jb	short loc_A199DF
		mov	ecx, [edi]
		xor	ebx, ebx
		add	ecx, eax
		lea	eax, [esi+14h]
		cmp	eax, ecx
		ja	loc_A1988D
		mov	edi, [ebp+var_24]
		mov	dword ptr [esi], 10h
		lea	esi, [ebp+var_14]
		movsd
		movsd
		movsd
		movsd
		inc	dword ptr [edx]
		jmp	short loc_A199E4
; 

loc_A199DF:				; CODE XREF: sub_A19468+414j
					; sub_A19468+4A3j ...
		mov	ebx, 0C0000095h

loc_A199E4:				; CODE XREF: sub_A19468+1ADj
					; sub_A19468+299j ...
		mov	eax, [ebp+var_48]
		test	eax, eax
		jz	short loc_A199F6
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A199F6:				; CODE XREF: sub_A19468+44j
					; sub_A19468+DCj ...
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
sub_A19468	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A19A09	proc near		; CODE XREF: sub_785212+1A1Cp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		mov	eax, edx
		mov	[ebp+var_10], ecx
		xor	edx, edx
		mov	[ebp+var_28], eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], edx
		push	esi
		push	edi
		mov	edi, edx
		test	eax, eax
		jnz	short loc_A19A3A

loc_A19A30:				; CODE XREF: sub_A19A09+36j
					; sub_A19A09+EEj ...
		mov	edx, 0C000000Dh
		jmp	loc_A19D7F
; 

loc_A19A3A:				; CODE XREF: sub_A19A09+25j
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_A19A30
		mov	eax, [ecx+8]
		mov	esi, edx
		mov	[ebp+var_C], edx
		test	eax, eax
		jnz	short loc_A19A57

loc_A19A4D:				; CODE XREF: sub_A19A09+51j
		mov	edx, 0C000000Dh
		jmp	loc_A19AEA
; 

loc_A19A57:				; CODE XREF: sub_A19A09+42j
		cmp	dword ptr [ecx], 3
		jbe	short loc_A19A4D
		mov	[ebp+var_4], edx

loc_A19A5F:				; CODE XREF: sub_A19A09+94j
		mov	ecx, [eax]
		mov	[ebp+var_24], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jnb	short loc_A19A73
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A19A73:				; CODE XREF: sub_A19A09+60j
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	short loc_A19AE7
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A19AE7
		mov	edx, [ebp+var_4]
		mov	eax, [ebp+arg_4]
		inc	edx
		mov	[ebp+var_4], edx
		cmp	edx, 3
		jnb	short loc_A19A9F
		xor	edx, edx
		jmp	short loc_A19A5F
; 

loc_A19A9F:				; CODE XREF: sub_A19A09+90j
		mov	ecx, [eax]
		mov	[ebp+arg_4], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A19AAF
		xor	edx, edx
		jmp	short loc_A19AB7
; 

loc_A19AAF:				; CODE XREF: sub_A19A09+A0j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A19AB7:				; CODE XREF: sub_A19A09+A4j
		test	edx, edx
		js	short loc_A19AE7
		mov	eax, [ebp+arg_4]
		mov	esi, eax
		neg	esi
		mov	[ebp+var_C], eax
		sbb	esi, esi
		and	esi, ecx
		test	edx, edx
		js	short loc_A19AE7
		cmp	eax, 8
		jz	short loc_A19ADC

loc_A19AD2:				; CODE XREF: sub_A19A09+2D2j
					; sub_A19A09+355j
		mov	edx, 0C0000023h
		jmp	loc_A19D7F
; 

loc_A19ADC:				; CODE XREF: sub_A19A09+C7j
		mov	eax, [esi]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+4]
		mov	[ebp+var_20], eax

loc_A19AE7:				; CODE XREF: sub_A19A09+6Fj
					; sub_A19A09+81j ...
		mov	ecx, [ebp+var_10]

loc_A19AEA:				; CODE XREF: sub_A19A09+49j
		test	edx, edx
		js	loc_A19D7F
		mov	eax, [ecx+8]
		test	eax, eax
		jz	loc_A19A30
		cmp	dword ptr [ecx], 4
		jbe	loc_A19A30
		xor	esi, esi

loc_A19B08:				; CODE XREF: sub_A19A09+13Fj
		mov	ecx, [eax]
		mov	[ebp+var_24], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A19B18
		xor	edx, edx
		jmp	short loc_A19B20
; 

loc_A19B18:				; CODE XREF: sub_A19A09+109j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A19B20:				; CODE XREF: sub_A19A09+10Dj
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	loc_A19D7F
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A19D7F
		mov	eax, [ebp+arg_4]
		inc	esi
		cmp	esi, 4
		jb	short loc_A19B08
		mov	esi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A19B57
		xor	edx, edx
		jmp	short loc_A19B5F
; 

loc_A19B57:				; CODE XREF: sub_A19A09+148j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A19B5F:				; CODE XREF: sub_A19A09+14Cj
		test	edx, edx
		js	loc_A19D7F
		mov	edi, esi
		mov	[ebp+var_14], esi
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		test	edx, edx
		js	loc_A19D7F
		mov	eax, ds:dword_A93E60
		test	eax, eax
		jz	short loc_A19B89
		push	esi
		push	edi
		call	eax
		jmp	short loc_A19B8E
; 

loc_A19B89:				; CODE XREF: sub_A19A09+178j
		mov	eax, 0C00000BBh

loc_A19B8E:				; CODE XREF: sub_A19A09+17Ej
		mov	[ebp+var_4], eax
		push	8
		pop	edi
		mov	[ebp+arg_4], edi
		lea	eax, [ebp+arg_4]
		mov	ecx, edi
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A19BB3
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], eax
		jmp	short loc_A19BB6
; 

loc_A19BB3:				; CODE XREF: sub_A19A09+1A0j
		mov	eax, [ebp+var_8]

loc_A19BB6:				; CODE XREF: sub_A19A09+1A8j
		test	edx, edx
		js	loc_A19D7F
		xor	esi, esi
		mov	[ebp+var_18], edi
		lea	ecx, [ebp+var_18]
		mov	edx, eax
		push	ecx
		mov	ecx, edi
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A19D7F
		mov	eax, [ebp+var_18]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A19BEE
		mov	edx, 0C0000095h
		jmp	short loc_A19BFB
; 

loc_A19BEE:				; CODE XREF: sub_A19A09+1DCj
		lea	esi, [ecx+8]
		cmp	esi, ecx
		jb	loc_A19C7A
		xor	edx, edx

loc_A19BFB:				; CODE XREF: sub_A19A09+1E3j
		test	edx, edx
		js	loc_A19D7F
		mov	edi, [ebp+var_28]
		mov	edx, esi
		push	4
		pop	ecx
		mov	[ebp+arg_4], ecx
		mov	eax, [edi+10h]
		mov	edi, [edi+8]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A19D7F
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A19C38
		xor	edx, edx
		jmp	short loc_A19C40
; 

loc_A19C38:				; CODE XREF: sub_A19A09+229j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A19C40:				; CODE XREF: sub_A19A09+22Dj
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	loc_A19D7F
		lea	eax, [ebp+arg_4]
		mov	edx, edi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A19D7F
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A19C7A
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		jmp	short loc_A19C7F
; 

loc_A19C7A:				; CODE XREF: sub_A19A09+1EAj
					; sub_A19A09+25Fj
		mov	edx, 0C0000095h

loc_A19C7F:				; CODE XREF: sub_A19A09+26Fj
		test	edx, edx
		js	loc_A19D7F
		mov	eax, [ebp+var_8]
		lea	edi, [ebx+4]
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_A19C9D
		mov	edx, 0C000003Eh
		jmp	loc_A19D7F
; 

loc_A19C9D:				; CODE XREF: sub_A19A09+288j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A19CBA
		mov	edx, 0C0000017h
		jmp	loc_A19D7F
; 

loc_A19CBA:				; CODE XREF: sub_A19A09+2A5j
		mov	[ebx+8], edx
		and	dword ptr [ebx], 0
		or	[ebp+var_4], 10000000h
		lea	esi, [edx+4]
		cmp	esi, edx
		jb	loc_A19D7A
		mov	ecx, [edi]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		ja	loc_A19AD2
		mov	eax, [ebp+var_4]
		mov	dword ptr [edx], 4
		mov	[esi], eax
		inc	dword ptr [ebx]
		mov	ecx, [ebx]
		mov	[ebp+var_28], ecx
		mov	eax, [ebx+8]
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_A19D14
		mov	ecx, [edi]
		push	edi
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A19D7F
		inc	dword ptr [ebx]
		xor	edx, edx
		jmp	short loc_A19D7F
; 

loc_A19D14:				; CODE XREF: sub_A19A09+2F2j
		and	[ebp+var_14], 0
		mov	esi, eax
		mov	[ebp+arg_4], esi
		test	ecx, ecx
		jz	short loc_A19D4B

loc_A19D21:				; CODE XREF: sub_A19A09+340j
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A19D7A
		lea	eax, [ebp+arg_4]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A19D7F
		mov	ecx, [ebp+var_14]
		mov	esi, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_14], ecx
		cmp	ecx, [ebp+var_28]
		jb	short loc_A19D21

loc_A19D4B:				; CODE XREF: sub_A19A09+316j
		lea	eax, [esi+4]
		cmp	eax, esi
		jb	short loc_A19D7A
		mov	ecx, [edi]
		lea	eax, [esi+0Ch]
		add	ecx, [ebp+var_24]
		xor	edx, edx
		cmp	eax, ecx
		ja	loc_A19AD2
		mov	eax, [ebp+var_1C]
		mov	dword ptr [esi], 8
		mov	[esi+4], eax
		mov	eax, [ebp+var_20]
		mov	[esi+8], eax
		inc	dword ptr [ebx]
		jmp	short loc_A19D7F
; 

loc_A19D7A:				; CODE XREF: sub_A19A09+2C3j
					; sub_A19A09+320j ...
		mov	edx, 0C0000095h

loc_A19D7F:				; CODE XREF: sub_A19A09+2Cj
					; sub_A19A09+CEj ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	8
sub_A19A09	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A19D88	proc near		; CODE XREF: sub_785212+1B9Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		test	esi, esi
		jnz	short loc_A19DA3
		mov	edx, 0C000000Dh
		jmp	loc_A19E95
; 

loc_A19DA3:				; CODE XREF: sub_A19D88+Fj
		mov	eax, [esi+8]
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_A19DC9
		lea	ecx, [esi+4]
		push	ecx
		mov	ecx, [ecx]
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A19E95
		inc	dword ptr [esi]
		jmp	short loc_A19E3D
; 

loc_A19DC9:				; CODE XREF: sub_A19D88+23j
		mov	ecx, [esi]
		mov	edi, eax
		xor	ebx, ebx
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	short loc_A19E04

loc_A19DD9:				; CODE XREF: sub_A19D88+77j
		mov	edx, [edi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A19E24
		lea	eax, [ebp+var_4]
		mov	ecx, edi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A19E95
		mov	edi, [ebp+var_4]
		inc	ebx
		cmp	ebx, [ebp+var_8]
		jb	short loc_A19DD9
		mov	eax, [ebp+var_C]

loc_A19E04:				; CODE XREF: sub_A19D88+4Fj
		lea	ebx, [edi+4]
		cmp	ebx, edi
		jb	loc_A19E90
		mov	ecx, [esi+4]
		xor	edx, edx
		add	ecx, eax
		lea	eax, [edi+8]
		cmp	eax, ecx
		jbe	short loc_A19E2B

loc_A19E1D:				; CODE XREF: sub_A19D88+F6j
		mov	edx, 0C0000023h
		jmp	short loc_A19E95
; 

loc_A19E24:				; CODE XREF: sub_A19D88+59j
		mov	edx, 0C0000095h
		jmp	short loc_A19E39
; 

loc_A19E2B:				; CODE XREF: sub_A19D88+93j
		mov	dword ptr [edi], 4
		mov	dword ptr [ebx], 80004001h
		inc	dword ptr [esi]

loc_A19E39:				; CODE XREF: sub_A19D88+A1j
		test	edx, edx
		js	short loc_A19E95

loc_A19E3D:				; CODE XREF: sub_A19D88+3Fj
		mov	eax, [esi+4]
		test	eax, eax
		jnz	short loc_A19E4B
		mov	edx, 0C000003Eh
		jmp	short loc_A19E95
; 

loc_A19E4B:				; CODE XREF: sub_A19D88+BAj
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A19E65
		mov	edx, 0C0000017h
		jmp	short loc_A19E95
; 

loc_A19E65:				; CODE XREF: sub_A19D88+D4j
		mov	[esi+8], edi
		and	dword ptr [esi], 0
		lea	ebx, [edi+4]
		cmp	ebx, edi
		jb	short loc_A19E90
		mov	ecx, [esi+4]
		lea	eax, [edi+8]
		add	ecx, edi
		xor	edx, edx
		cmp	eax, ecx
		ja	short loc_A19E1D
		mov	dword ptr [edi], 4
		mov	dword ptr [ebx], 80004001h
		inc	dword ptr [esi]
		jmp	short loc_A19E95
; 

loc_A19E90:				; CODE XREF: sub_A19D88+81j
					; sub_A19D88+E8j
		mov	edx, 0C0000095h

loc_A19E95:				; CODE XREF: sub_A19D88+16j
					; sub_A19D88+37j ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn
sub_A19D88	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A19E9C	proc near		; CODE XREF: sub_785212+1A32p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		mov	eax, edx
		mov	[ebp+var_10], ecx
		xor	edx, edx
		mov	[ebp+var_28], eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], edx
		push	esi
		push	edi
		mov	edi, edx
		test	eax, eax
		jnz	short loc_A19ECD

loc_A19EC3:				; CODE XREF: sub_A19E9C+36j
					; sub_A19E9C+EEj ...
		mov	edx, 0C000000Dh
		jmp	loc_A1A212
; 

loc_A19ECD:				; CODE XREF: sub_A19E9C+25j
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_A19EC3
		mov	eax, [ecx+8]
		mov	esi, edx
		mov	[ebp+var_C], edx
		test	eax, eax
		jnz	short loc_A19EEA

loc_A19EE0:				; CODE XREF: sub_A19E9C+51j
		mov	edx, 0C000000Dh
		jmp	loc_A19F7D
; 

loc_A19EEA:				; CODE XREF: sub_A19E9C+42j
		cmp	dword ptr [ecx], 3
		jbe	short loc_A19EE0
		mov	[ebp+var_4], edx

loc_A19EF2:				; CODE XREF: sub_A19E9C+94j
		mov	ecx, [eax]
		mov	[ebp+var_24], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jnb	short loc_A19F06
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A19F06:				; CODE XREF: sub_A19E9C+60j
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	short loc_A19F7A
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A19F7A
		mov	edx, [ebp+var_4]
		mov	eax, [ebp+arg_4]
		inc	edx
		mov	[ebp+var_4], edx
		cmp	edx, 3
		jnb	short loc_A19F32
		xor	edx, edx
		jmp	short loc_A19EF2
; 

loc_A19F32:				; CODE XREF: sub_A19E9C+90j
		mov	ecx, [eax]
		mov	[ebp+arg_4], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A19F42
		xor	edx, edx
		jmp	short loc_A19F4A
; 

loc_A19F42:				; CODE XREF: sub_A19E9C+A0j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A19F4A:				; CODE XREF: sub_A19E9C+A4j
		test	edx, edx
		js	short loc_A19F7A
		mov	eax, [ebp+arg_4]
		mov	esi, eax
		neg	esi
		mov	[ebp+var_C], eax
		sbb	esi, esi
		and	esi, ecx
		test	edx, edx
		js	short loc_A19F7A
		cmp	eax, 8
		jz	short loc_A19F6F

loc_A19F65:				; CODE XREF: sub_A19E9C+2D2j
					; sub_A19E9C+355j
		mov	edx, 0C0000023h
		jmp	loc_A1A212
; 

loc_A19F6F:				; CODE XREF: sub_A19E9C+C7j
		mov	eax, [esi]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+4]
		mov	[ebp+var_20], eax

loc_A19F7A:				; CODE XREF: sub_A19E9C+6Fj
					; sub_A19E9C+81j ...
		mov	ecx, [ebp+var_10]

loc_A19F7D:				; CODE XREF: sub_A19E9C+49j
		test	edx, edx
		js	loc_A1A212
		mov	eax, [ecx+8]
		test	eax, eax
		jz	loc_A19EC3
		cmp	dword ptr [ecx], 4
		jbe	loc_A19EC3
		xor	esi, esi

loc_A19F9B:				; CODE XREF: sub_A19E9C+13Fj
		mov	ecx, [eax]
		mov	[ebp+var_24], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A19FAB
		xor	edx, edx
		jmp	short loc_A19FB3
; 

loc_A19FAB:				; CODE XREF: sub_A19E9C+109j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A19FB3:				; CODE XREF: sub_A19E9C+10Dj
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	loc_A1A212
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A1A212
		mov	eax, [ebp+arg_4]
		inc	esi
		cmp	esi, 4
		jb	short loc_A19F9B
		mov	esi, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A19FEA
		xor	edx, edx
		jmp	short loc_A19FF2
; 

loc_A19FEA:				; CODE XREF: sub_A19E9C+148j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A19FF2:				; CODE XREF: sub_A19E9C+14Cj
		test	edx, edx
		js	loc_A1A212
		mov	edi, esi
		mov	[ebp+var_14], esi
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		test	edx, edx
		js	loc_A1A212
		mov	eax, ds:dword_A93E64
		test	eax, eax
		jz	short loc_A1A01C
		push	esi
		push	edi
		call	eax
		jmp	short loc_A1A021
; 

loc_A1A01C:				; CODE XREF: sub_A19E9C+178j
		mov	eax, 0C00000BBh

loc_A1A021:				; CODE XREF: sub_A19E9C+17Ej
		mov	[ebp+var_4], eax
		push	8
		pop	edi
		mov	[ebp+arg_4], edi
		lea	eax, [ebp+arg_4]
		mov	ecx, edi
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A1A046
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], eax
		jmp	short loc_A1A049
; 

loc_A1A046:				; CODE XREF: sub_A19E9C+1A0j
		mov	eax, [ebp+var_8]

loc_A1A049:				; CODE XREF: sub_A19E9C+1A8j
		test	edx, edx
		js	loc_A1A212
		xor	esi, esi
		mov	[ebp+var_18], edi
		lea	ecx, [ebp+var_18]
		mov	edx, eax
		push	ecx
		mov	ecx, edi
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A1A212
		mov	eax, [ebp+var_18]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A1A081
		mov	edx, 0C0000095h
		jmp	short loc_A1A08E
; 

loc_A1A081:				; CODE XREF: sub_A19E9C+1DCj
		lea	esi, [ecx+8]
		cmp	esi, ecx
		jb	loc_A1A10D
		xor	edx, edx

loc_A1A08E:				; CODE XREF: sub_A19E9C+1E3j
		test	edx, edx
		js	loc_A1A212
		mov	edi, [ebp+var_28]
		mov	edx, esi
		push	4
		pop	ecx
		mov	[ebp+arg_4], ecx
		mov	eax, [edi+10h]
		mov	edi, [edi+8]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A1A212
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1A0CB
		xor	edx, edx
		jmp	short loc_A1A0D3
; 

loc_A1A0CB:				; CODE XREF: sub_A19E9C+229j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1A0D3:				; CODE XREF: sub_A19E9C+22Dj
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	loc_A1A212
		lea	eax, [ebp+arg_4]
		mov	edx, edi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A1A212
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1A10D
		mov	edx, [ebp+var_28]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		jmp	short loc_A1A112
; 

loc_A1A10D:				; CODE XREF: sub_A19E9C+1EAj
					; sub_A19E9C+25Fj
		mov	edx, 0C0000095h

loc_A1A112:				; CODE XREF: sub_A19E9C+26Fj
		test	edx, edx
		js	loc_A1A212
		mov	eax, [ebp+var_8]
		lea	edi, [ebx+4]
		mov	[edi], eax
		test	eax, eax
		jnz	short loc_A1A130
		mov	edx, 0C000003Eh
		jmp	loc_A1A212
; 

loc_A1A130:				; CODE XREF: sub_A19E9C+288j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A1A14D
		mov	edx, 0C0000017h
		jmp	loc_A1A212
; 

loc_A1A14D:				; CODE XREF: sub_A19E9C+2A5j
		mov	[ebx+8], edx
		and	dword ptr [ebx], 0
		or	[ebp+var_4], 10000000h
		lea	esi, [edx+4]
		cmp	esi, edx
		jb	loc_A1A20D
		mov	ecx, [edi]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		ja	loc_A19F65
		mov	eax, [ebp+var_4]
		mov	dword ptr [edx], 4
		mov	[esi], eax
		inc	dword ptr [ebx]
		mov	ecx, [ebx]
		mov	[ebp+var_28], ecx
		mov	eax, [ebx+8]
		mov	[ebp+var_24], eax
		test	eax, eax
		jnz	short loc_A1A1A7
		mov	ecx, [edi]
		push	edi
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A1A212
		inc	dword ptr [ebx]
		xor	edx, edx
		jmp	short loc_A1A212
; 

loc_A1A1A7:				; CODE XREF: sub_A19E9C+2F2j
		and	[ebp+var_14], 0
		mov	esi, eax
		mov	[ebp+arg_4], esi
		test	ecx, ecx
		jz	short loc_A1A1DE

loc_A1A1B4:				; CODE XREF: sub_A19E9C+340j
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A1A20D
		lea	eax, [ebp+arg_4]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A1A212
		mov	ecx, [ebp+var_14]
		mov	esi, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_14], ecx
		cmp	ecx, [ebp+var_28]
		jb	short loc_A1A1B4

loc_A1A1DE:				; CODE XREF: sub_A19E9C+316j
		lea	eax, [esi+4]
		cmp	eax, esi
		jb	short loc_A1A20D
		mov	ecx, [edi]
		lea	eax, [esi+0Ch]
		add	ecx, [ebp+var_24]
		xor	edx, edx
		cmp	eax, ecx
		ja	loc_A19F65
		mov	eax, [ebp+var_1C]
		mov	dword ptr [esi], 8
		mov	[esi+4], eax
		mov	eax, [ebp+var_20]
		mov	[esi+8], eax
		inc	dword ptr [ebx]
		jmp	short loc_A1A212
; 

loc_A1A20D:				; CODE XREF: sub_A19E9C+2C3j
					; sub_A19E9C+320j ...
		mov	edx, 0C0000095h

loc_A1A212:				; CODE XREF: sub_A19E9C+2Cj
					; sub_A19E9C+CEj ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	8
sub_A19E9C	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1A21B	proc near		; CODE XREF: sub_785212+1AB5p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_4], ebx
		push	esi
		push	edi
		test	ecx, ecx
		jnz	short loc_A1A248

loc_A1A23E:				; CODE XREF: sub_A1A21B+2Fj
					; sub_A1A21B+34j
		mov	esi, 0C000000Dh
		jmp	loc_A1A714
; 

loc_A1A248:				; CODE XREF: sub_A1A21B+21j
		test	edx, edx
		jz	short loc_A1A23E
		cmp	[ebp+arg_4], ebx
		jz	short loc_A1A23E
		mov	eax, [ecx+8]
		mov	edi, ebx
		mov	edx, 0C000000Dh
		test	eax, eax
		jnz	short loc_A1A266

loc_A1A25F:				; CODE XREF: sub_A1A21B+4Ej
		mov	esi, edx
		jmp	loc_A1A2E6
; 

loc_A1A266:				; CODE XREF: sub_A1A21B+42j
		cmp	dword ptr [ecx], 3
		jbe	short loc_A1A25F

loc_A1A26B:				; CODE XREF: sub_A1A21B+82j
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1A278
		xor	esi, esi
		jmp	short loc_A1A280
; 

loc_A1A278:				; CODE XREF: sub_A1A21B+57j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1A280:				; CODE XREF: sub_A1A21B+5Bj
		mov	[ebp+var_8], ecx
		test	esi, esi
		js	short loc_A1A2C4
		lea	eax, [ebp+var_8]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1A2C4
		mov	eax, [ebp+var_8]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_A1A26B
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1A2AC
		xor	esi, esi
		jmp	short loc_A1A2B4
; 

loc_A1A2AC:				; CODE XREF: sub_A1A21B+8Bj
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1A2B4:				; CODE XREF: sub_A1A21B+8Fj
		test	esi, esi
		js	short loc_A1A2C4
		mov	edi, edx
		mov	eax, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		jmp	short loc_A1A2C6
; 

loc_A1A2C4:				; CODE XREF: sub_A1A21B+6Aj
					; sub_A1A21B+79j ...
		mov	eax, edi

loc_A1A2C6:				; CODE XREF: sub_A1A21B+A7j
		test	esi, esi
		js	short loc_A1A2E4
		cmp	eax, 8
		jz	short loc_A1A2D9
		mov	esi, 0C0000023h
		jmp	loc_A1A714
; 

loc_A1A2D9:				; CODE XREF: sub_A1A21B+B2j
		mov	eax, [edi]
		mov	[ebp+var_28], eax
		mov	eax, [edi+4]
		mov	[ebp+var_2C], eax

loc_A1A2E4:				; CODE XREF: sub_A1A21B+ADj
		xor	ebx, ebx

loc_A1A2E6:				; CODE XREF: sub_A1A21B+46j
		test	esi, esi
		js	loc_A1A714
		mov	edx, [ebp+var_20]
		mov	ecx, ebx
		and	[ebp+var_1C], 0
		mov	edi, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_10], ecx
		mov	eax, [edx+8]
		test	eax, eax
		jnz	short loc_A1A310

loc_A1A306:				; CODE XREF: sub_A1A21B+F8j
		mov	esi, 0C000000Dh
		jmp	loc_A1A3FB
; 

loc_A1A310:				; CODE XREF: sub_A1A21B+E9j
		cmp	dword ptr [edx], 4
		jbe	short loc_A1A306
		and	[ebp+var_18], 0

loc_A1A319:				; CODE XREF: sub_A1A21B+13Ej
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1A326
		xor	esi, esi
		jmp	short loc_A1A32E
; 

loc_A1A326:				; CODE XREF: sub_A1A21B+105j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1A32E:				; CODE XREF: sub_A1A21B+109j
		mov	[ebp+var_C], ecx
		test	esi, esi
		js	loc_A1A3F8
		lea	eax, [ebp+var_C]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1A3F8
		mov	edx, [ebp+var_18]
		mov	eax, [ebp+var_C]
		inc	edx
		mov	[ebp+var_18], edx
		cmp	edx, 4
		jb	short loc_A1A319
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1A368
		xor	esi, esi
		jmp	short loc_A1A370
; 

loc_A1A368:				; CODE XREF: sub_A1A21B+147j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1A370:				; CODE XREF: sub_A1A21B+14Bj
		test	esi, esi
		js	loc_A1A3F8
		mov	edi, edx
		mov	ebx, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		test	esi, esi
		js	short loc_A1A3F8
		test	ebx, ebx
		jnz	short loc_A1A3BF

loc_A1A38A:				; CODE XREF: sub_A1A21B+1AAj
					; sub_A1A21B+1B7j ...
		mov	esi, 0C000003Eh

loc_A1A38F:				; CODE XREF: sub_A1A21B+212j
		test	esi, esi
		js	loc_A1A714

loc_A1A397:				; CODE XREF: sub_A1A21B+22Bj
		mov	edx, [ebp+var_20]
		xor	ecx, ecx
		and	[ebp+var_C], 0
		xor	edi, edi
		and	[ebp+var_1C], ecx
		xor	ebx, ebx
		mov	[ebp+var_8], ecx
		mov	eax, [edx+8]
		test	eax, eax
		jnz	loc_A1A44B

loc_A1A3B5:				; CODE XREF: sub_A1A21B+233j
		mov	esi, 0C000000Dh
		jmp	loc_A1A557
; 

loc_A1A3BF:				; CODE XREF: sub_A1A21B+16Dj
		test	ebx, 1
		jnz	short loc_A1A38A
		mov	eax, ebx
		xor	ecx, ecx
		shr	eax, 1
		cmp	cx, [edi+eax*2-2]
		jnz	short loc_A1A38A
		lea	eax, [ebp+var_1C]
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	_StringCbLengthW@12 ; StringCbLengthW(x,x,x)
		test	eax, eax
		js	short loc_A1A38A
		mov	ecx, [ebp+var_1C]
		lea	eax, [ecx+2]
		cmp	eax, ebx
		jnz	short loc_A1A38A
		shr	ecx, 1
		mov	ebx, edi
		mov	[ebp+var_10], ecx
		jmp	short loc_A1A3FE
; 

loc_A1A3F8:				; CODE XREF: sub_A1A21B+118j
					; sub_A1A21B+12Bj ...
		mov	ecx, [ebp+var_10]

loc_A1A3FB:				; CODE XREF: sub_A1A21B+F0j
		mov	ebx, [ebp+var_8]

loc_A1A3FE:				; CODE XREF: sub_A1A21B+1DBj
		test	esi, esi
		js	loc_A1A714
		lea	esi, ds:2[ecx*2]
		test	esi, esi
		jz	loc_A1A38A
		push	20534C53h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A1A432
		mov	esi, 0C0000017h
		jmp	loc_A1A38F
; 

loc_A1A432:				; CODE XREF: sub_A1A21B+20Bj
		push	esi		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		mov	[ebp+var_14], edi
		mov	[ebp+var_24], eax
		jmp	loc_A1A397
; 

loc_A1A44B:				; CODE XREF: sub_A1A21B+194j
		cmp	dword ptr [edx], 5
		jbe	loc_A1A3B5
		and	[ebp+var_20], ecx

loc_A1A457:				; CODE XREF: sub_A1A21B+27Cj
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1A464
		xor	esi, esi
		jmp	short loc_A1A46C
; 

loc_A1A464:				; CODE XREF: sub_A1A21B+243j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1A46C:				; CODE XREF: sub_A1A21B+247j
		mov	[ebp+var_10], ecx
		test	esi, esi
		js	loc_A1A554
		lea	eax, [ebp+var_10]
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1A554
		mov	edx, [ebp+var_20]
		mov	eax, [ebp+var_10]
		inc	edx
		mov	[ebp+var_20], edx
		cmp	edx, 5
		jb	short loc_A1A457
		mov	edx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1A4A6
		xor	esi, esi
		jmp	short loc_A1A4AE
; 

loc_A1A4A6:				; CODE XREF: sub_A1A21B+285j
		mov	esi, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1A4AE:				; CODE XREF: sub_A1A21B+289j
		test	esi, esi
		js	loc_A1A554
		mov	edi, edx
		mov	ebx, edx
		neg	edi
		sbb	edi, edi
		and	edi, ecx
		test	esi, esi
		js	loc_A1A554
		test	ebx, ebx
		jnz	short loc_A1A51B

loc_A1A4CC:				; CODE XREF: sub_A1A21B+306j
					; sub_A1A21B+313j ...
		mov	esi, 0C000003Eh

loc_A1A4D1:				; CODE XREF: sub_A1A21B+36Ej
		test	esi, esi
		js	loc_A1A6F0
		mov	ebx, [ebp+var_4]
		mov	eax, ebx

loc_A1A4DE:				; CODE XREF: sub_A1A21B+386j
		mov	esi, [ebp+var_14]
		lea	eax, ds:2[eax*2]
		push	ebx
		push	eax
		mov	eax, [ebp+var_24]
		push	esi
		lea	eax, ds:2[eax*2]
		push	eax
		call	ds:dword_A93EE8
		mov	edi, eax
		test	edi, edi
		js	loc_A1A5B7
		mov	eax, ds:dword_A93EB8
		test	eax, eax
		jz	loc_A1A5A6
		push	esi
		call	eax
		jmp	loc_A1A5AB
; 

loc_A1A51B:				; CODE XREF: sub_A1A21B+2AFj
		test	ebx, 1
		jnz	short loc_A1A4CC
		mov	eax, ebx
		xor	ecx, ecx
		shr	eax, 1
		cmp	cx, [edi+eax*2-2]
		jnz	short loc_A1A4CC
		lea	eax, [ebp+var_1C]
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	_StringCbLengthW@12 ; StringCbLengthW(x,x,x)
		test	eax, eax
		js	short loc_A1A4CC
		mov	ecx, [ebp+var_1C]
		lea	eax, [ecx+2]
		cmp	eax, ebx
		jnz	short loc_A1A4CC
		shr	ecx, 1
		mov	ebx, edi
		mov	[ebp+var_8], ecx
		jmp	short loc_A1A55A
; 

loc_A1A554:				; CODE XREF: sub_A1A21B+256j
					; sub_A1A21B+269j ...
		mov	ecx, [ebp+var_8]

loc_A1A557:				; CODE XREF: sub_A1A21B+19Fj
		mov	ebx, [ebp+var_C]

loc_A1A55A:				; CODE XREF: sub_A1A21B+337j
		test	esi, esi
		js	loc_A1A6F0
		lea	esi, ds:2[ecx*2]
		test	esi, esi
		jz	loc_A1A4CC
		push	20534C53h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A1A58E
		mov	esi, 0C0000017h
		jmp	loc_A1A4D1
; 

loc_A1A58E:				; CODE XREF: sub_A1A21B+367j
		push	esi		; size_t
		push	ebx		; void *
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		mov	ebx, edi
		mov	[ebp+var_4], edi
		jmp	loc_A1A4DE
; 

loc_A1A5A6:				; CODE XREF: sub_A1A21B+2F2j
		mov	eax, 0C00000BBh

loc_A1A5AB:				; CODE XREF: sub_A1A21B+2FBj
		lea	edi, [eax+3FFFFD8Eh]
		neg	edi
		sbb	edi, edi
		and	edi, eax

loc_A1A5B7:				; CODE XREF: sub_A1A21B+2E5j
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		push	eax
		push	8
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1A6F3
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_8]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	loc_A1A6F3
		mov	esi, [ebp+arg_4]
		mov	eax, [ebp+var_8]
		lea	ebx, [esi+4]
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_A1A605
		mov	esi, 0C000003Eh
		jmp	loc_A1A6F0
; 

loc_A1A605:				; CODE XREF: sub_A1A21B+3DEj
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A1A622
		mov	esi, 0C0000017h
		jmp	loc_A1A6F0
; 

loc_A1A622:				; CODE XREF: sub_A1A21B+3FBj
		mov	[esi+8], edx
		and	dword ptr [esi], 0
		or	edi, 10000000h
		lea	esi, [edx+4]
		cmp	esi, edx
		jb	loc_A1A6EB
		mov	ecx, [ebx]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		jbe	short loc_A1A64E

loc_A1A644:				; CODE XREF: sub_A1A21B+4B2j
		mov	esi, 0C0000023h
		jmp	loc_A1A6F0
; 

loc_A1A64E:				; CODE XREF: sub_A1A21B+427j
		mov	dword ptr [edx], 4
		mov	[esi], edi
		mov	edi, [ebp+arg_4]
		inc	dword ptr [edi]
		mov	ecx, [edi]
		mov	[ebp+var_30], ecx
		mov	eax, [edi+8]
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	short loc_A1A681
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1A6F0
		inc	dword ptr [edi]
		xor	esi, esi
		jmp	short loc_A1A6F0
; 

loc_A1A681:				; CODE XREF: sub_A1A21B+44Dj
		and	[ebp+var_24], 0
		mov	edi, eax
		mov	[ebp+var_10], edi
		test	ecx, ecx
		jz	short loc_A1A6BB

loc_A1A68E:				; CODE XREF: sub_A1A21B+49Bj
		mov	edx, [edi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A1A6EB
		lea	eax, [ebp+var_10]
		mov	ecx, edi
		push	eax
		call	RtlUIntAdd
		mov	esi, eax
		test	esi, esi
		js	short loc_A1A6F0
		mov	ecx, [ebp+var_24]
		mov	edi, [ebp+var_10]
		inc	ecx
		mov	[ebp+var_24], ecx
		cmp	ecx, [ebp+var_30]
		jb	short loc_A1A68E
		mov	eax, [ebp+var_20]

loc_A1A6BB:				; CODE XREF: sub_A1A21B+471j
		lea	edx, [edi+4]
		cmp	edx, edi
		jb	short loc_A1A6EB
		mov	ecx, [ebx]
		xor	esi, esi
		add	ecx, eax
		lea	eax, [edi+0Ch]
		cmp	eax, ecx
		ja	loc_A1A644
		mov	eax, [ebp+var_28]
		mov	dword ptr [edi], 8
		mov	[edx], eax
		mov	eax, [ebp+var_2C]
		mov	[edx+4], eax
		mov	eax, [ebp+arg_4]
		inc	dword ptr [eax]
		jmp	short loc_A1A6F0
; 

loc_A1A6EB:				; CODE XREF: sub_A1A21B+418j
					; sub_A1A21B+47Bj ...
		mov	esi, 0C0000095h

loc_A1A6F0:				; CODE XREF: sub_A1A21B+2B8j
					; sub_A1A21B+341j ...
		mov	ebx, [ebp+var_4]

loc_A1A6F3:				; CODE XREF: sub_A1A21B+3B2j
					; sub_A1A21B+3CBj
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_A1A705
		push	20534C53h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1A705:				; CODE XREF: sub_A1A21B+4DDj
		test	ebx, ebx
		jz	short loc_A1A714
		push	20534C53h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1A714:				; CODE XREF: sub_A1A21B+28j
					; sub_A1A21B+B9j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A1A21B	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1A71D	proc near		; CODE XREF: sub_785212+14CBp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_10], 0
		mov	eax, edx
		and	[ebp+var_14], 0
		and	[ebp+var_8], 0
		mov	[ebp+var_24], eax
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jnz	short loc_A1A747

loc_A1A73D:				; CODE XREF: sub_A1A71D+2Cj
					; sub_A1A71D+33j
		mov	edx, 0C000000Dh
		jmp	loc_A1AA61
; 

loc_A1A747:				; CODE XREF: sub_A1A71D+1Ej
		test	eax, eax
		jz	short loc_A1A73D
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	short loc_A1A73D
		mov	eax, [ecx+8]
		xor	esi, esi
		and	[ebp+var_4], esi
		test	eax, eax
		jnz	short loc_A1A768

loc_A1A75E:				; CODE XREF: sub_A1A71D+4Ej
		mov	edx, 0C000000Dh
		jmp	loc_A1A7F3
; 

loc_A1A768:				; CODE XREF: sub_A1A71D+3Fj
		cmp	dword ptr [ecx], 3
		jbe	short loc_A1A75E
		xor	ebx, ebx

loc_A1A76F:				; CODE XREF: sub_A1A71D+8Aj
		mov	ecx, [eax]
		mov	[ebp+var_1C], ecx
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1A77F
		xor	edx, edx
		jmp	short loc_A1A787
; 

loc_A1A77F:				; CODE XREF: sub_A1A71D+5Cj
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1A787:				; CODE XREF: sub_A1A71D+60j
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	short loc_A1A7CE
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A1A7CE
		mov	eax, [ebp+arg_4]
		inc	ebx
		cmp	ebx, 3
		jb	short loc_A1A76F
		mov	ebx, [eax]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1A7B6
		xor	edx, edx
		jmp	short loc_A1A7BE
; 

loc_A1A7B6:				; CODE XREF: sub_A1A71D+93j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1A7BE:				; CODE XREF: sub_A1A71D+97j
		test	edx, edx
		js	short loc_A1A7CE
		mov	esi, ebx
		mov	eax, ebx
		neg	esi
		sbb	esi, esi
		and	esi, ecx
		jmp	short loc_A1A7D1
; 

loc_A1A7CE:				; CODE XREF: sub_A1A71D+6Fj
					; sub_A1A71D+81j ...
		mov	eax, [ebp+var_4]

loc_A1A7D1:				; CODE XREF: sub_A1A71D+AFj
		test	edx, edx
		js	loc_A1AA61
		cmp	eax, 8
		jz	short loc_A1A7E8

loc_A1A7DE:				; CODE XREF: sub_A1A71D+2A2j
					; sub_A1A71D+323j
		mov	edx, 0C0000023h
		jmp	loc_A1AA61
; 

loc_A1A7E8:				; CODE XREF: sub_A1A71D+BFj
		mov	eax, [esi]
		mov	[ebp+var_10], eax
		mov	eax, [esi+4]
		mov	[ebp+var_14], eax

loc_A1A7F3:				; CODE XREF: sub_A1A71D+46j
		test	edx, edx
		js	loc_A1AA61
		or	[ebp+var_1C], 0FFFFFFFFh
		mov	[ebp+var_20], 0FDE9F140h

loc_A1A806:				; CODE XREF: sub_A1A71D+FEj
		lea	eax, [ebp+var_20]
		push	eax
		push	1
		push	1
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		mov	esi, eax
		cmp	esi, 101h
		jz	short loc_A1A806
		test	esi, esi
		js	short loc_A1A86F
		mov	ebx, 0C0h
		cmp	esi, ebx
		jz	short loc_A1A86F
		or	[ebp+var_1C], 0FFFFFFFFh
		mov	[ebp+var_20], 0EFE82080h

loc_A1A835:				; CODE XREF: sub_A1A71D+134j
		lea	eax, [ebp+var_20]
		push	eax
		push	1
		push	1
		push	6
		push	offset unk_6B72E0
		call	KeWaitForSingleObject
		mov	esi, eax
		cmp	esi, 101h
		jz	short loc_A1A835
		test	esi, esi
		js	short loc_A1A86F
		cmp	esi, ebx
		jz	short loc_A1A86F
		cmp	esi, 102h
		jz	short loc_A1A86F
		push	0
		push	offset unk_6B72E0
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_A1A86F:				; CODE XREF: sub_A1A71D+102j
					; sub_A1A71D+10Bj ...
		push	8
		pop	ecx
		mov	[ebp+arg_4], ecx
		lea	eax, [ebp+arg_4]
		push	eax
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A1A88F
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], eax
		jmp	short loc_A1A892
; 

loc_A1A88F:				; CODE XREF: sub_A1A71D+168j
		mov	eax, [ebp+var_8]

loc_A1A892:				; CODE XREF: sub_A1A71D+170j
		test	edx, edx
		js	loc_A1AA61
		xor	ebx, ebx
		mov	[ebp+var_C], 8
		lea	ecx, [ebp+var_C]
		mov	edx, eax
		push	ecx
		push	8
		pop	ecx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A1AA61
		mov	eax, [ebp+var_C]
		lea	ecx, [eax+7]
		and	ecx, 0FFFFFFF8h
		cmp	ecx, eax
		jnb	short loc_A1A8CF
		mov	edx, 0C0000095h
		jmp	short loc_A1A8DC
; 

loc_A1A8CF:				; CODE XREF: sub_A1A71D+1A9j
		lea	ebx, [ecx+8]
		cmp	ebx, ecx
		jb	loc_A1A95F
		xor	edx, edx

loc_A1A8DC:				; CODE XREF: sub_A1A71D+1B0j
		test	edx, edx
		js	loc_A1AA61
		mov	ecx, [ebp+var_24]
		mov	edx, ebx
		push	4
		mov	eax, [ecx+10h]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+arg_4]
		pop	ecx
		push	eax
		mov	[ebp+arg_4], ecx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A1AA61
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1A91C
		xor	edx, edx
		jmp	short loc_A1A924
; 

loc_A1A91C:				; CODE XREF: sub_A1A71D+1F9j
		mov	edx, 0C0000095h
		or	ecx, 0FFFFFFFFh

loc_A1A924:				; CODE XREF: sub_A1A71D+1FDj
		mov	[ebp+arg_4], ecx
		test	edx, edx
		js	loc_A1AA61
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	loc_A1AA61
		mov	eax, [ebp+arg_4]
		lea	ecx, [eax+4]
		cmp	ecx, eax
		jb	short loc_A1A95F
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+arg_4]
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		jmp	short loc_A1A964
; 

loc_A1A95F:				; CODE XREF: sub_A1A71D+1B7j
					; sub_A1A71D+230j
		mov	edx, 0C0000095h

loc_A1A964:				; CODE XREF: sub_A1A71D+240j
		test	edx, edx
		js	loc_A1AA61
		mov	eax, [ebp+var_8]
		lea	ebx, [edi+4]
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_A1A982
		mov	edx, 0C000003Eh
		jmp	loc_A1AA61
; 

loc_A1A982:				; CODE XREF: sub_A1A71D+259j
		push	20534C53h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A1A99F
		mov	edx, 0C0000017h
		jmp	loc_A1AA61
; 

loc_A1A99F:				; CODE XREF: sub_A1A71D+276j
		mov	[edi+8], edx
		and	dword ptr [edi], 0
		or	esi, 10000000h
		lea	eax, [edx+4]
		cmp	eax, edx
		jb	loc_A1AA5C
		mov	ecx, [ebx]
		lea	eax, [edx+8]
		add	ecx, edx
		cmp	eax, ecx
		ja	loc_A1A7DE
		mov	dword ptr [edx], 4
		mov	[edx+4], esi
		inc	dword ptr [edi]
		mov	ecx, [edi]
		mov	[ebp+var_24], ecx
		mov	eax, [edi+8]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_A1A9F6
		mov	ecx, [ebx]
		push	ebx
		push	0Ch
		pop	edx
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A1AA61
		inc	dword ptr [edi]
		xor	edx, edx
		jmp	short loc_A1AA61
; 

loc_A1A9F6:				; CODE XREF: sub_A1A71D+2C0j
		and	[ebp+var_8], 0
		mov	esi, eax
		mov	[ebp+arg_4], esi
		test	ecx, ecx
		jz	short loc_A1AA2D

loc_A1AA03:				; CODE XREF: sub_A1A71D+30Ej
		mov	edx, [esi]
		add	edx, 4
		cmp	edx, 4
		jb	short loc_A1AA5C
		lea	eax, [ebp+arg_4]
		mov	ecx, esi
		push	eax
		call	RtlUIntAdd
		mov	edx, eax
		test	edx, edx
		js	short loc_A1AA61
		mov	ecx, [ebp+var_8]
		mov	esi, [ebp+arg_4]
		inc	ecx
		mov	[ebp+var_8], ecx
		cmp	ecx, [ebp+var_24]
		jb	short loc_A1AA03

loc_A1AA2D:				; CODE XREF: sub_A1A71D+2E4j
		lea	eax, [esi+4]
		cmp	eax, esi
		jb	short loc_A1AA5C
		mov	ecx, [ebx]
		lea	eax, [esi+0Ch]
		add	ecx, [ebp+var_1C]
		xor	edx, edx
		cmp	eax, ecx
		ja	loc_A1A7DE
		mov	eax, [ebp+var_10]
		mov	dword ptr [esi], 8
		mov	[esi+4], eax
		mov	eax, [ebp+var_14]
		mov	[esi+8], eax
		inc	dword ptr [edi]
		jmp	short loc_A1AA61
; 

loc_A1AA5C:				; CODE XREF: sub_A1A71D+293j
					; sub_A1A71D+2EEj ...
		mov	edx, 0C0000095h

loc_A1AA61:				; CODE XREF: sub_A1A71D+25j
					; sub_A1A71D+B6j ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	8
sub_A1A71D	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1AA6A	proc near		; CODE XREF: WarbirdKmDecryptPointer+EEp
					; WarbirdKmDecryptPointer+11Bp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	3
		pop	ebx
		push	0Fh
		pop	ecx
		div	ecx
		mov	eax, [ebp+arg_4]
		mov	edi, [ebp+arg_0]
		mov	esi, [ebp+arg_18]
		and	edi, ebx
		lea	ecx, [edx+1]
		xor	edx, edx
		div	ebx
		lea	eax, [edi+1]
		ror	esi, cl
		mov	ecx, [ebp+arg_14]
		add	eax, edx
		and	eax, ebx
		movzx	eax, word ptr [ecx+eax*2]
		xor	eax, [ebp+arg_18]
		movzx	ecx, word ptr [ecx+edi*2]
		imul	eax, ecx
		pop	edi
		sub	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
sub_A1AA6A	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1AAB4	proc near		; CODE XREF: PAGE:007812CAp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	20h
		push	offset dword_6AAAD8
		call	__SEH_prolog4
		mov	edi, edx
		mov	ebx, ecx
		mov	[ebp+var_24], ebx
		xor	edx, edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], edx
		test	ebx, ebx
		jz	short loc_A1AB48
		mov	[ebp+ms_exc.disabled], edx
		cmp	edi, 8
		jnb	short loc_A1AAEF
		mov	esi, 0C000000Dh

loc_A1AAE0:				; CODE XREF: sub_A1AAB4+92j
		mov	[ebp+var_28], esi

loc_A1AAE3:				; CODE XREF: sub_A1AAB4+5Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_A1AC11
; 

loc_A1AAEF:				; CODE XREF: sub_A1AAB4+25j
		lea	ecx, [ebx+edi]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_A1AAFF
		cmp	ecx, ebx
		jnb	short loc_A1AB01

loc_A1AAFF:				; CODE XREF: sub_A1AAB4+45j
		mov	[eax], dl

loc_A1AB01:				; CODE XREF: sub_A1AAB4+49j
		lea	edx, [ebp+var_20]
		mov	ecx, edi
		call	sub_A1ACD8
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	esi, esi
		js	short loc_A1AAE3
		push	edi		; size_t
		push	ebx		; void *
		mov	esi, [ebp+var_20]
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, [esi]
		mov	[ebp+var_2C], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A1AB4E
; 

loc_A1AB30:				; DATA XREF: .text:006AAAECo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A1AB40:				; DATA XREF: .text:006AAAF0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_30]
		jmp	short loc_A1AAE0
; 

loc_A1AB48:				; CODE XREF: sub_A1AAB4+1Dj
		push	4
		pop	eax
		mov	[ebp+var_2C], eax

loc_A1AB4E:				; CODE XREF: sub_A1AAB4+7Aj
		xor	ebx, ebx
		cmp	eax, 7
		setnz	bl
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		call	_PsGetProcessId@4 ; PsGetProcessId(x)
		mov	edx, ebx
		mov	ecx, eax
		call	sub_A1B500
		mov	esi, eax
		test	esi, esi
		js	loc_A1AC11
		mov	eax, [ebp+var_2C]
		dec	eax
		cmp	eax, 8		; switch 9 cases
		ja	loc_A1AC0C	; default
		jmp	ds:off_A1AC34[eax*4] ; switch jump

loc_A1AB93:				; DATA XREF: PAGE:off_A1AC34o
		push	edi		; case 0x7
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		call	sub_A1B731

loc_A1AB9F:				; CODE XREF: sub_A1AAB4+FBj
					; sub_A1AAB4+109j ...
		mov	esi, eax
		jmp	short loc_A1AC11
; 

loc_A1ABA3:				; CODE XREF: sub_A1AAB4+D8j
					; DATA XREF: PAGE:off_A1AC34o
		push	edi		; case 0x8
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		call	sub_A1B649
		jmp	short loc_A1AB9F
; 

loc_A1ABB1:				; CODE XREF: sub_A1AAB4+D8j
					; DATA XREF: PAGE:off_A1AC34o
		push	edi		; case 0x0
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		call	sub_A1BA08
		jmp	short loc_A1AB9F
; 

loc_A1ABBF:				; CODE XREF: sub_A1AAB4+D8j
					; DATA XREF: PAGE:off_A1AC34o
		push	edi		; case 0x1
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		call	sub_A1C4CE
		jmp	short loc_A1AB9F
; 

loc_A1ABCD:				; CODE XREF: sub_A1AAB4+D8j
					; DATA XREF: PAGE:off_A1AC34o
		push	edi		; case 0x2
		push	[ebp+var_24]	; int
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		call	sub_A1D36F
		jmp	short loc_A1AB9F
; 

loc_A1ABDE:				; CODE XREF: sub_A1AAB4+D8j
					; DATA XREF: PAGE:off_A1AC34o
		cmp	[ebp+var_20], 0	; case 0x3
		jnz	short loc_A1AC0C ; default
		mov	ecx, [ebp+var_1C]
		call	sub_A1D4C6
		jmp	short loc_A1AB9F
; 

loc_A1ABEE:				; CODE XREF: sub_A1AAB4+D8j
					; DATA XREF: PAGE:off_A1AC34o
		mov	esi, [ebp+var_24] ; case 0x4
		neg	esi
		sbb	esi, esi
		and	esi, 0FFFFFFF5h
		add	esi, 0C000000Dh
		jmp	short loc_A1AC11
; 

loc_A1AC00:				; CODE XREF: sub_A1AAB4+D8j
					; DATA XREF: PAGE:off_A1AC34o
		mov	ecx, [ebp+var_1C] ; case 0x6
		mov	ecx, [ecx]
		call	WbRemoveWarbirdProcess
		jmp	short loc_A1AB9F
; 

loc_A1AC0C:				; CODE XREF: sub_A1AAB4+D2j
					; sub_A1AAB4+12Ej
		mov	esi, 0C000000Dh	; default

loc_A1AC11:				; CODE XREF: sub_A1AAB4+36j
					; sub_A1AAB4+C5j ...
		mov	ecx, [ebp+var_1C]
		call	sub_A1B39D
		mov	ecx, [ebp+var_20]
		call	sub_A1AD19
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
sub_A1AAB4	endp

; 
		align 4
off_A1AC34	dd offset loc_A1ABB1	; DATA XREF: sub_A1AAB4+D8r
		dd offset loc_A1ABBF	; jump table for switch	statement
		dd offset loc_A1ABCD
		dd offset loc_A1ABDE
		dd offset loc_A1ABEE
		dd offset loc_A1ABEE
		dd offset loc_A1AC00
		dd offset loc_A1AB93
		dd offset loc_A1ABA3

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall sub_A1AC58(int,void *,void *,int,int,int,int,int,int)
sub_A1AC58	proc near		; CODE XREF: sub_A1BBB6+E8p
					; sub_A1BD0C+121p ...

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0B4h+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_10]
		mov	eax, ecx
		mov	ecx, [ebp+arg_18]
		test	eax, eax
		mov	eax, [ebp+arg_8]
		mov	ebx, [ebp+arg_0]
		push	edi
		push	28h
		mov	[esp+0C4h+var_B4], ecx
		lea	edi, [esp+0C4h+var_AC]
		pop	ecx
		push	[esp+0C0h+var_B4] ; int
		mov	[esp+0C4h+var_B0], (offset loc_404E87+1)
		push	[ebp+arg_C]	; int
		rep movsd
		push	dword ptr [eax+4] ; int
		lea	ecx, [esp+0CCh+var_B0]
		push	dword ptr [eax]	; int
		push	[ebp+arg_4]	; int
		push	ebx		; void *
		push	edx		; void *
		jz	short loc_A1ACBA
		call	sub_694E72
		jmp	short loc_A1ACBF ; void	*
; 

loc_A1ACBA:				; CODE XREF: sub_A1AC58+59j
		call	sub_694B86

loc_A1ACBF:				; CODE XREF: sub_A1AC58+60j
		mov	ecx, [esp+0C0h+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
sub_A1AC58	endp


;  S U B	R O U T	I N E 


sub_A1ACD8	proc near		; CODE XREF: sub_A1AAB4+52p
					; sub_A1AD6F+6Ep ...
		mov	edi, edi
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, 42524157h
		mov	eax, esi
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jz	short loc_A1AD00
		push	ebx
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jnz	short loc_A1AD00
		mov	esi, 0C0000017h
		jmp	short loc_A1AD13
; 

loc_A1AD00:				; CODE XREF: sub_A1ACD8+12j
					; sub_A1ACD8+1Fj
		test	edi, edi
		jz	short loc_A1AD08
		mov	[edi], eax
		mov	eax, esi

loc_A1AD08:				; CODE XREF: sub_A1ACD8+2Aj
		test	eax, eax
		jz	short loc_A1AD13
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1AD13:				; CODE XREF: sub_A1ACD8+26j
					; sub_A1ACD8+32j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
sub_A1ACD8	endp


;  S U B	R O U T	I N E 


sub_A1AD19	proc near		; CODE XREF: sub_A1AAB4+168p
		test	ecx, ecx
		jz	short locret_A1AD28
		push	42524157h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_A1AD28:				; CODE XREF: sub_A1AD19+2j
		retn
sub_A1AD19	endp


;  S U B	R O U T	I N E 


sub_A1AD29	proc near		; CODE XREF: sub_A1D36F+A9p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, edx
		mov	ecx, large fs:124h
		push	1
		push	1
		lea	edx, [esi+20h]
		push	0
		mov	dword ptr [edx], 10001h
		call	PspGetContextThreadInternal
		test	eax, eax
		js	short loc_A1AD6B
		mov	ecx, [esi+0D8h]
		mov	[edi+4], ecx
		mov	ecx, [esi+0E4h]
		mov	[edi], ecx
		mov	ecx, [esi+0E0h]
		mov	[edi+8], ecx

loc_A1AD6B:				; CODE XREF: sub_A1AD29+26j
		pop	edi
		pop	esi
		pop	ecx
		retn
sub_A1AD29	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1AD6F	proc near		; CODE XREF: sub_A1B127+31p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		mov	ecx, dword_6D6BE0
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], eax
		push	esi
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jnz	short loc_A1ADA0
		mov	esi, 0C000000Dh
		jmp	loc_A1AE48
; 

loc_A1ADA0:				; CODE XREF: sub_A1AD6F+25j
		sub	esp, 0Ch
		lea	edx, [ebp+var_8]
		push	eax
		push	eax
		call	_BCryptCreateHash@28 ; BCryptCreateHash(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A1AE3C
		push	ecx
		lea	eax, [ebp+var_10]
		mov	edx, (offset loc_8C215F+1)
		push	eax
		push	ecx
		mov	ecx, dword_6D6BE0
		lea	eax, [ebp+var_4]
		push	eax
		call	_BCryptGetProperty@24 ;	BCryptGetProperty(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A1AE3C
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_C]
		call	sub_A1ACD8
		mov	esi, eax
		test	esi, esi
		js	short loc_A1AE2A
		push	ecx
		mov	ecx, [ebp+var_8]
		mov	edx, ebx
		push	edi
		call	_BCryptHashData@16 ; BCryptHashData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A1AE2A
		mov	edi, [ebp+var_C]
		mov	edx, edi
		push	ecx
		push	[ebp+var_4]
		mov	ecx, [ebp+var_8]
		call	_BCryptFinishHash@16 ; BCryptFinishHash(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A1AE2D
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A1AE1C
		mov	[eax], edi
		xor	edi, edi

loc_A1AE1C:				; CODE XREF: sub_A1AD6F+A7j
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_A1AE2D
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		jmp	short loc_A1AE2D
; 

loc_A1AE2A:				; CODE XREF: sub_A1AD6F+77j
					; sub_A1AD6F+89j
		mov	edi, [ebp+var_C]

loc_A1AE2D:				; CODE XREF: sub_A1AD6F+A0j
					; sub_A1AD6F+B2j ...
		test	edi, edi
		jz	short loc_A1AE3C
		push	42524157h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1AE3C:				; CODE XREF: sub_A1AD6F+42j
					; sub_A1AD6F+66j ...
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_A1AE48
		call	_BCryptDestroyHash@4 ; BCryptDestroyHash(x)

loc_A1AE48:				; CODE XREF: sub_A1AD6F+2Cj
					; sub_A1AD6F+D2j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A1AD6F	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1AE51	proc near		; CODE XREF: sub_A1BBB6:loc_A1BC30p
					; sub_A1BD0C:loc_A1BD86p ...

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	30h
		push	offset dword_6AAB18
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_34], eax
		mov	[ebp+var_38], ecx
		xor	esi, esi
		mov	[ebp+var_20], esi
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		and	[ebp+var_28], ebx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	4
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		push	0FFFFFFFFh
		call	_ZwProtectVirtualMemory@20 ; ZwProtectVirtualMemory(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A1AF39
		xor	eax, eax
		mov	[ebp+ms_exc.disabled], eax
		push	eax
		push	eax
		push	eax
		push	[ebp+var_34]
		push	[ebp+var_38]
		call	IoAllocateMdl
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jnz	short loc_A1AEC4

loc_A1AEB3:				; CODE XREF: sub_A1AE51+A3j
		mov	edi, 0C0000017h
		mov	[ebp+var_1C], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A1AF39
; 

loc_A1AEC4:				; CODE XREF: sub_A1AE51+60j
		push	2
		xor	ebx, ebx
		inc	ebx
		push	ebx
		push	esi
		call	_MmProbeAndLockPages@12	; MmProbeAndLockPages(x,x,x)
		mov	[ebp+var_24], ebx
		test	byte ptr [esi+6], 5
		jz	short loc_A1AEDE
		mov	eax, [esi+0Ch]
		jmp	short loc_A1AEEF
; 

loc_A1AEDE:				; CODE XREF: sub_A1AE51+86j
		push	40000020h
		xor	eax, eax
		push	eax
		push	eax
		push	ebx
		push	eax
		push	esi
		call	MmMapLockedPagesSpecifyCache

loc_A1AEEF:				; CODE XREF: sub_A1AE51+8Bj
		mov	[ebp+var_3C], eax
		test	eax, eax
		jz	short loc_A1AEB3
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_A1AF06
		mov	[ecx], eax

loc_A1AF06:				; CODE XREF: sub_A1AE51+B1j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A1AF39
		mov	[eax], esi
		xor	esi, esi
		jmp	short loc_A1AF39
; 

loc_A1AF13:				; DATA XREF: .text:006AAB2Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_40], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A1AF23:				; DATA XREF: .text:006AAB30o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_40]
		mov	[ebp+var_1C], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_20]
		mov	ebx, [ebp+var_24]

loc_A1AF39:				; CODE XREF: sub_A1AE51+40j
					; sub_A1AE51+71j ...
		test	esi, esi
		jz	short loc_A1AF4D
		test	ebx, ebx
		jz	short loc_A1AF47
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_A1AF47:				; CODE XREF: sub_A1AE51+EEj
		push	esi
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_A1AF4D:				; CODE XREF: sub_A1AE51+EAj
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A1AE51	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1AF61	proc near		; CODE XREF: sub_A1BBB6+73p
					; sub_A1BD0C+73p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	20h
		push	offset dword_6AAAF8
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+var_20], esi
		mov	ebx, esi
		mov	[ebp+var_24], ebx
		mov	[ebp+ms_exc.disabled], esi
		push	esi
		push	esi
		push	esi
		push	edx
		push	ecx
		call	IoAllocateMdl
		mov	edi, eax
		mov	[ebp+var_20], edi
		test	edi, edi
		jnz	short loc_A1AF9E

loc_A1AF8D:				; CODE XREF: sub_A1AF61+69j
		mov	esi, 0C0000017h
		mov	[ebp+var_1C], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A1B00F
; 

loc_A1AF9E:				; CODE XREF: sub_A1AF61+2Aj
		mov	ecx, edi
		call	_MmProbeAndLockPagesPrivate@8 ;	MmProbeAndLockPagesPrivate(x,x)
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_24], ebx
		test	byte ptr [edi+6], 5
		jz	short loc_A1AFB6
		mov	eax, [edi+0Ch]
		jmp	short loc_A1AFC5
; 

loc_A1AFB6:				; CODE XREF: sub_A1AF61+4Ej
		push	40000020h
		push	esi
		push	esi
		push	ebx
		push	esi
		push	edi
		call	MmMapLockedPagesSpecifyCache

loc_A1AFC5:				; CODE XREF: sub_A1AF61+53j
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	short loc_A1AF8D
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_A1AFDC
		mov	[ecx], eax

loc_A1AFDC:				; CODE XREF: sub_A1AF61+77j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A1B00F
		mov	[eax], edi
		mov	edi, esi
		jmp	short loc_A1B00F
; 

loc_A1AFE9:				; DATA XREF: .text:006AAB0Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A1AFF9:				; DATA XREF: .text:006AAB10o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_2C]
		mov	[ebp+var_1C], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_20]
		mov	ebx, [ebp+var_24]

loc_A1B00F:				; CODE XREF: sub_A1AF61+3Bj
					; sub_A1AF61+80j ...
		test	edi, edi
		jz	short loc_A1B023
		test	ebx, ebx
		jz	short loc_A1B01D
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_A1B01D:				; CODE XREF: sub_A1AF61+B4j
		push	edi
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_A1B023:				; CODE XREF: sub_A1AF61+B0j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A1AF61	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B037	proc near		; CODE XREF: sub_A1CAF1+6Ap
					; sub_A1DBB6+83p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		mov	ecx, edi
		lea	edx, [ebp+var_4]
		call	sub_A1ACD8
		mov	esi, [ebp+var_4]
		mov	[ebp+arg_0], eax
		test	eax, eax
		js	short loc_A1B094
		test	ebx, ebx
		jz	short loc_A1B089
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_A1B07E
		cmp	edi, eax
		jb	short loc_A1B073
		mov	edi, eax

loc_A1B073:				; CODE XREF: sub_A1B037+38j
		push	edi		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_A1B07E:				; CODE XREF: sub_A1B037+34j
		push	42524157h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1B089:				; CODE XREF: sub_A1B037+2Dj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_A1B094
		mov	[eax], esi
		xor	esi, esi

loc_A1B094:				; CODE XREF: sub_A1B037+29j
					; sub_A1B037+57j
		test	esi, esi
		jz	short loc_A1B0A3
		push	42524157h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1B0A3:				; CODE XREF: sub_A1B037+5Fj
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A1B037	endp


;  S U B	R O U T	I N E 


sub_A1B0AD	proc near		; CODE XREF: sub_A1D36F+109p
					; sub_A1D4C6+4Fp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Eh]
		mov	ebx, edx
		mov	edi, ecx
		nop
		mov	ecx, large fs:124h
		lea	edx, [edi+20h]
		push	1
		push	1
		push	0
		mov	dword ptr [edi+20h], 10001h
		call	PspGetContextThreadInternal
		mov	esi, eax
		test	esi, esi
		js	short loc_A1B115
		mov	eax, [ebx+4]
		lea	edx, [edi+20h]
		mov	ecx, large fs:124h
		push	3
		mov	[edi+0D8h], eax
		mov	eax, [ebx]
		push	1
		mov	[edi+0E4h], eax
		mov	eax, [ebx+8]
		push	0
		mov	[edi+0E0h], eax
		call	PspSetContextThreadInternal
		mov	esi, eax

loc_A1B115:				; CODE XREF: sub_A1B0AD+35j
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
sub_A1B0AD	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B127	proc near		; CODE XREF: sub_A1C264+10Bp
					; sub_A1CBC6+8Dp ...

var_8		= dword	ptr -8
Source2		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+Source2], 0
		and	[ebp+var_8], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		test	ebx, ebx
		jnz	short loc_A1B145

loc_A1B13E:				; CODE XREF: sub_A1B127+21j
		mov	esi, 0C000000Dh
		jmp	short loc_A1B198
; 

loc_A1B145:				; CODE XREF: sub_A1B127+15j
		cmp	edx, 20h
		jbe	short loc_A1B13E
		lea	eax, [ebp+var_8]
		add	edx, 0FFFFFFE0h
		push	eax
		lea	eax, [ebp+Source2]
		push	eax
		lea	ecx, [ebx+20h]
		call	sub_A1AD6F
		mov	esi, eax
		test	esi, esi
		js	short loc_A1B185
		cmp	[ebp+var_8], 20h
		jz	short loc_A1B170
		mov	esi, 0C000000Dh
		jmp	short loc_A1B185
; 

loc_A1B170:				; CODE XREF: sub_A1B127+40j
		push	20h		; Length
		push	[ebp+Source2]	; Source2
		push	ebx		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 20h
		jz	short loc_A1B185
		mov	esi, 0C0000428h

loc_A1B185:				; CODE XREF: sub_A1B127+3Aj
					; sub_A1B127+47j ...
		cmp	[ebp+Source2], 0
		jz	short loc_A1B198
		push	42524157h
		push	[ebp+Source2]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1B198:				; CODE XREF: sub_A1B127+1Cj
					; sub_A1B127+62j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
sub_A1B127	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B19E	proc near		; CODE XREF: sub_A1BBB6+4Cp
					; sub_A1BD0C+4Cp ...

var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		push	7
		xor	eax, eax
		lea	edi, [ebp+var_34]
		mov	esi, ecx
		mov	ebx, edx
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_18]
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_4]
		push	eax
		push	0Ch
		lea	eax, [ebp+var_18]
		xor	edi, edi
		push	eax
		push	6
		push	esi
		push	0FFFFFFFFh
		mov	[ebp+var_C], edi
		mov	[ebp+var_4], edi
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_A1B241
		mov	eax, [ebp+var_10]
		shr	eax, 2
		and	al, 0Fh
		mov	byte ptr [ebp+var_8], al
		mov	eax, dword_6BEA40
		test	eax, eax
		jz	short loc_A1B23C
		push	0Ch
		push	[ebp+var_8]
		call	eax
		test	eax, eax
		jz	short loc_A1B23C
		mov	edx, edi
		cmp	[ebp+arg_0], edx
		jz	short loc_A1B241
		lea	eax, [ebp+var_C]
		push	eax
		push	1Ch
		lea	eax, [ebp+var_34]
		push	eax
		push	edi
		push	esi
		push	0FFFFFFFFh
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_A1B241
		mov	ecx, [ebp+var_34]
		cmp	esi, ecx
		jb	short loc_A1B235
		add	ecx, [ebp+var_28]
		lea	eax, [esi+ebx]
		cmp	eax, ecx
		ja	short loc_A1B235
		cmp	[ebp+var_20], 20h
		jz	short loc_A1B241

loc_A1B235:				; CODE XREF: sub_A1B19E+85j
					; sub_A1B19E+8Fj
		mov	edx, 0C000000Dh
		jmp	short loc_A1B241
; 

loc_A1B23C:				; CODE XREF: sub_A1B19E+53j
					; sub_A1B19E+5Ej
		mov	edx, 0C0000428h

loc_A1B241:				; CODE XREF: sub_A1B19E+3Fj
					; sub_A1B19E+65j ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	4
sub_A1B19E	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B24A	proc near		; CODE XREF: sub_A1B500+F6p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		push	0FFFFFFFFh
		push	4
		mov	edx, esi
		push	dword ptr [esi]
		push	ecx
		mov	ecx, offset unk_6D6BC0
		call	sub_A1DB7E
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	edi, edi
		js	short loc_A1B29E
		lea	edi, [esi+88h]

loc_A1B279:				; CODE XREF: sub_A1B24A+4Aj
					; sub_A1B24A+4Fj
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_4], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_A1B279
		cmp	edx, [ebp+var_4]
		jnz	short loc_A1B279
		mov	edi, [ebp+var_8]

loc_A1B29E:				; CODE XREF: sub_A1B24A+27j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
sub_A1B24A	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B2A5	proc near		; DATA XREF: sub_8820B8+11o
					; sub_A1B2D2+8Fo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_A1B2BD
		xor	eax, eax
		cmp	[ebp+arg_4], eax
		jz	short loc_A1B2C7
		inc	eax
		xor	edx, edx
		jmp	short loc_A1B2CE
; 

loc_A1B2BD:				; CODE XREF: sub_A1B2A5+Aj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_A1B2CB
		or	eax, 0FFFFFFFFh

loc_A1B2C7:				; CODE XREF: sub_A1B2A5+11j
		mov	edx, eax
		jmp	short loc_A1B2CE
; 

loc_A1B2CB:				; CODE XREF: sub_A1B2A5+1Dj
		sub	eax, [ecx]
		cdq

loc_A1B2CE:				; CODE XREF: sub_A1B2A5+16j
					; sub_A1B2A5+24j
		pop	ebp
		retn	0Ch
sub_A1B2A5	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B2D2	proc near		; CODE XREF: sub_A1B500+B0p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		mov	esi, 90h
		lea	edx, [ebp+var_4]
		push	edi
		mov	ecx, esi
		call	sub_A1ACD8
		mov	edi, eax
		test	edi, edi
		js	loc_A1B38C
		push	esi		; size_t
		mov	esi, [ebp+var_4]
		push	0		; int
		push	esi		; void *
		call	_memset
		add	dword ptr [esi+88h], 1
		lea	ecx, [esi+4]
		mov	eax, [ebp+var_8]
		mov	edx, offset sub_A1CB98
		adc	dword ptr [esi+8Ch], 0
		add	esp, 4
		mov	[esi], eax
		mov	dword ptr [esi+20h], 3Ch
		call	sub_88247E
		mov	edi, eax
		test	edi, edi
		js	short loc_A1B38F
		and	dword ptr [esi+2Ch], 0
		lea	eax, [esi+24h]
		push	ecx
		push	ecx
		lea	ecx, [esi+68h]
		mov	[eax+4], eax
		mov	edx, offset sub_A1E19C
		mov	[eax], eax
		call	sub_88247E
		mov	edi, eax
		test	edi, edi
		js	short loc_A1B38F
		push	ecx
		push	ecx
		lea	ecx, [esi+30h]
		mov	edx, offset sub_A1B2A5
		call	sub_88247E
		mov	edi, eax
		test	edi, edi
		js	short loc_A1B38F
		push	ecx
		push	ecx
		lea	ecx, [esi+4Ch]
		mov	edx, offset sub_A1B90A
		call	sub_88247E
		mov	edi, eax
		test	edi, edi
		js	short loc_A1B38F
		mov	[ebx], esi
		xor	esi, esi
		jmp	short loc_A1B38F
; 

loc_A1B38C:				; CODE XREF: sub_A1B2D2+27j
		mov	esi, [ebp+var_4]

loc_A1B38F:				; CODE XREF: sub_A1B2D2+67j
					; sub_A1B2D2+88j ...
		mov	ecx, esi
		call	sub_A1B39D
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
sub_A1B2D2	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B39D	proc near		; CODE XREF: WbRemoveWarbirdProcess+17E394p
					; sub_A1AAB4+160p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	eax, ecx
		xor	esi, esi
		mov	[ebp+var_C], eax
		push	edi
		mov	edi, esi
		test	eax, eax
		jz	short loc_A1B401
		add	eax, 88h
		mov	[ebp+var_4], eax

loc_A1B3BD:				; CODE XREF: sub_A1B39D+48j
					; sub_A1B39D+4Cj
		mov	edx, [eax]
		mov	ebx, edx
		mov	edi, [eax+4]
		sub	ebx, 1
		mov	ecx, edi
		mov	[ebp+var_8], edx
		mov	eax, edx
		sbb	ecx, esi
		mov	edx, edi
		nop
		mov	esi, [ebp+var_4]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+var_8]
		cmp	eax, ecx
		mov	eax, [ebp+var_4]
		push	0
		pop	esi
		jnz	short loc_A1B3BD
		cmp	edx, edi
		jnz	short loc_A1B3BD
		mov	esi, ecx
		add	esi, 0FFFFFFFFh
		mov	ecx, esi
		adc	edi, 0FFFFFFFFh
		or	ecx, edi
		jnz	short loc_A1B401
		mov	ecx, [ebp+var_C]
		call	sub_A1B40A

loc_A1B401:				; CODE XREF: sub_A1B39D+16j
					; sub_A1B39D+5Aj
		mov	edx, edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
sub_A1B39D	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B40A	proc near		; CODE XREF: sub_A1B39D+5Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	loc_A1B4F4
		xor	edi, edi
		lea	ecx, [esi+30h]
		mov	ebx, edi
		cmp	[esi+34h], edi
		jbe	short loc_A1B447

loc_A1B429:				; CODE XREF: sub_A1B40A+36j
		mov	eax, [esi+30h]
		mov	ecx, esi
		mov	edx, [esi+3Ch]
		imul	eax, ebx
		mov	edx, [eax+edx]
		call	sub_A1E4FB
		inc	ebx
		cmp	ebx, [esi+34h]
		jb	short loc_A1B429
		xor	edi, edi
		lea	ecx, [esi+30h]

loc_A1B447:				; CODE XREF: sub_A1B40A+1Dj
		call	sub_A1DCA3
		mov	[ebp+var_4], edi
		cmp	[esi+8], edi
		jbe	short loc_A1B46F

loc_A1B454:				; CODE XREF: sub_A1B40A+61j
		mov	eax, [esi+4]
		mov	ecx, esi
		mov	edx, [esi+10h]
		imul	eax, edi
		mov	edx, [eax+edx]
		call	sub_A1D14F
		inc	edi
		cmp	edi, [esi+8]
		jb	short loc_A1B454
		xor	edi, edi

loc_A1B46F:				; CODE XREF: sub_A1B40A+48j
		lea	ecx, [esi+4]
		call	sub_A1DCA3
		lea	ebx, [esi+24h]

loc_A1B47A:				; CODE XREF: sub_A1B40A+8Ej
		mov	edx, [ebx]
		cmp	[edx+4], ebx
		jnz	short loc_A1B4FB
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_A1B4FB
		mov	[ebx], eax
		mov	[eax+4], ebx
		cmp	edx, ebx
		jz	short loc_A1B49A
		mov	ecx, esi
		call	sub_A1D14F
		jmp	short loc_A1B47A
; 

loc_A1B49A:				; CODE XREF: sub_A1B40A+85j
		lea	ecx, [esi+4Ch]
		mov	ebx, edi
		cmp	[esi+50h], edi
		jbe	short loc_A1B4C0

loc_A1B4A4:				; CODE XREF: sub_A1B40A+AFj
		mov	eax, [esi+4Ch]
		mov	ecx, [esi+58h]
		imul	eax, ebx
		mov	ecx, [eax+ecx]
		call	sub_A1BED9
		inc	ebx
		cmp	ebx, [esi+50h]
		jb	short loc_A1B4A4
		xor	edi, edi
		lea	ecx, [esi+4Ch]

loc_A1B4C0:				; CODE XREF: sub_A1B40A+98j
		call	sub_A1DCA3
		cmp	[esi+6Ch], edi
		jbe	short loc_A1B4E1

loc_A1B4CA:				; CODE XREF: sub_A1B40A+D5j
		mov	eax, [esi+68h]
		mov	ecx, [esi+74h]
		imul	eax, edi
		mov	ecx, [eax+ecx]
		call	sub_A1E255
		inc	edi
		cmp	edi, [esi+6Ch]
		jb	short loc_A1B4CA

loc_A1B4E1:				; CODE XREF: sub_A1B40A+BEj
		lea	ecx, [esi+68h]
		call	sub_A1DCA3
		push	42524157h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1B4F4:				; CODE XREF: sub_A1B40A+Dj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
; 

loc_A1B4FB:				; CODE XREF: sub_A1B40A+75j
					; sub_A1B40A+7Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
sub_A1B40A	endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B500	proc near		; CODE XREF: sub_A1AAB4+BCp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], edx
		dec	word ptr [eax+13Eh]
		mov	ebx, ecx
		mov	[ebp+var_4], edi
		nop
		push	edi
		xor	edx, edx
		mov	ecx, offset unk_6D6BD8
		call	KeAbPreAcquire
		push	11h
		mov	esi, eax
		mov	edx, offset unk_6D6BD8
		pop	ecx
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_A1B54F
		mov	eax, edx
		mov	edx, esi
		push	eax
		mov	ecx, eax
		call	ExfAcquirePushLockSharedEx

loc_A1B54F:				; CODE XREF: sub_A1B500+41j
		test	esi, esi
		jz	short loc_A1B557
		or	byte ptr [esi+0Eh], 1

loc_A1B557:				; CODE XREF: sub_A1B500+51j
		push	ecx
		lea	edx, [ebp+var_4]
		mov	ecx, ebx
		call	WbFindWarbirdProcess
		push	11h
		mov	esi, eax
		xor	ecx, ecx
		pop	eax
		mov	edx, offset unk_6D6BD8
		lock cmpxchg [edx], ecx
		cmp	eax, 11h
		jz	short loc_A1B583
		mov	ecx, edx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
		mov	edx, offset unk_6D6BD8

loc_A1B583:				; CODE XREF: sub_A1B500+75j
		mov	ecx, edx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	esi, 0C0000272h
		jnz	loc_A1B624
		cmp	[ebp+var_8], edi
		jz	loc_A1B636
		lea	edx, [ebp+var_4]
		mov	ecx, ebx
		call	sub_A1B2D2
		mov	esi, eax
		test	esi, esi
		js	short loc_A1B636
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	ebx, offset unk_6D6BD8
		xor	edx, edx
		push	edi
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [ebx], 0
		jnb	short loc_A1B5EB
		push	ebx
		mov	edx, esi
		mov	ecx, ebx
		call	ExfAcquirePushLockExclusiveEx

loc_A1B5EB:				; CODE XREF: sub_A1B500+DFj
		test	esi, esi
		jz	short loc_A1B5F3
		or	byte ptr [esi+0Eh], 1

loc_A1B5F3:				; CODE XREF: sub_A1B500+EDj
		mov	ecx, [ebp+var_4]
		call	sub_A1B24A
		mov	esi, eax
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1B611
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1B611:				; CODE XREF: sub_A1B500+108j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_A1B624:				; CODE XREF: sub_A1B500+9Cj
		test	esi, esi
		js	short loc_A1B636
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_A1B636
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		jmp	short loc_A1B639
; 

loc_A1B636:				; CODE XREF: sub_A1B500+A5j
					; sub_A1B500+B9j ...
		mov	edi, [ebp+var_4]

loc_A1B639:				; CODE XREF: sub_A1B500+134j
		mov	ecx, edi
		call	sub_A1B39D
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
sub_A1B500	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B649	proc near		; CODE XREF: sub_A1AAB4+F6p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	14h
		push	offset dword_6AAB58
		call	__SEH_prolog4
		mov	esi, edx
		mov	ebx, ecx
		and	[ebp+var_1C], 0
		cmp	[ebp+arg_0], 10h
		jb	loc_A1B706
		cmp	dword ptr [esi], 9
		jnz	loc_A1B706
		cmp	dword ptr [esi+4], 0
		jnz	loc_A1B706
		lea	edx, [ebp+var_1C]
		push	8
		pop	ecx
		call	sub_A1ACD8
		mov	edi, eax
		mov	[ebp+var_20], edi
		test	edi, edi
		js	short loc_A1B70B
		and	[ebp+ms_exc.disabled], 0
		mov	edx, [esi+8]
		lea	ecx, [edx+8]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_A1B6A5
		cmp	ecx, edx
		jnb	short loc_A1B6AB

loc_A1B6A5:				; CODE XREF: sub_A1B649+56j
		mov	byte ptr [eax],	0
		mov	edx, [esi+8]

loc_A1B6AB:				; CODE XREF: sub_A1B649+5Aj
		mov	eax, [edx]
		mov	ecx, [ebp+var_1C]
		mov	[ecx], eax
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		cmp	dword ptr [ecx], 0
		jz	short loc_A1B6CE
		mov	edi, 0C000000Dh

loc_A1B6C2:				; CODE XREF: sub_A1B649+BBj
		mov	[ebp+var_20], edi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A1B70B
; 

loc_A1B6CE:				; CODE XREF: sub_A1B649+72j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_1C]
		mov	edx, [esi+4]
		mov	ecx, ebx
		call	_WbHeapExecutionUnloadModule@8 ; WbHeapExecutionUnloadModule(x,x)
		mov	edx, [esi+4]
		mov	ecx, ebx
		call	sub_A1C136
		jmp	short loc_A1B70B
; 

loc_A1B6EE:				; DATA XREF: .text:006AAB6Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A1B6FE:				; DATA XREF: .text:006AAB70o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_24]
		jmp	short loc_A1B6C2
; 

loc_A1B706:				; CODE XREF: sub_A1B649+18j
					; sub_A1B649+21j ...
		mov	edi, 0C000000Dh

loc_A1B70B:				; CODE XREF: sub_A1B649+43j
					; sub_A1B649+83j ...
		mov	ecx, [ebp+var_1C]
		test	ecx, ecx
		jz	short loc_A1B71D
		push	42524157h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1B71D:				; CODE XREF: sub_A1B649+C7j
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
sub_A1B649	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B731	proc near		; CODE XREF: sub_A1AAB4+E6p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	1Ch
		push	offset dword_6AAB38
		call	__SEH_prolog4
		mov	esi, edx
		mov	[ebp+var_24], ecx
		and	[ebp+var_1C], 0
		push	10h
		pop	ecx
		cmp	[ebp+arg_0], ecx
		jb	loc_A1B7E9
		cmp	dword ptr [esi], 8
		jnz	loc_A1B7E9
		cmp	dword ptr [esi+4], 0
		jnz	loc_A1B7E9
		lea	edx, [ebp+var_1C]
		call	sub_A1ACD8
		mov	ebx, eax
		mov	[ebp+var_20], ebx
		test	ebx, ebx
		js	short loc_A1B7EE
		and	[ebp+ms_exc.disabled], 0
		mov	eax, [esi+8]
		lea	edx, [eax+10h]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_A1B78E
		cmp	edx, eax
		jnb	short loc_A1B794

loc_A1B78E:				; CODE XREF: sub_A1B731+57j
		mov	byte ptr [ecx],	0
		mov	eax, [esi+8]

loc_A1B794:				; CODE XREF: sub_A1B731+5Bj
		mov	esi, eax
		mov	eax, [ebp+var_1C]
		mov	edi, eax
		movsd
		movsd
		movsd
		movsd
		cmp	dword ptr [eax], 0
		jz	short loc_A1B7B5
		mov	ebx, 0C000000Dh

loc_A1B7A9:				; CODE XREF: sub_A1B731+B6j
		mov	[ebp+var_20], ebx

loc_A1B7AC:				; CODE XREF: sub_A1B731+8Bj
					; sub_A1B731+9Ej
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A1B7EE
; 

loc_A1B7B5:				; CODE XREF: sub_A1B731+71j
		mov	ecx, [ebp+var_24]
		cmp	dword ptr [ecx+20h], 0
		jz	short loc_A1B7AC
		mov	eax, [ebp+var_1C]
		mov	eax, [eax+4]
		cmp	eax, 3Ch
		jb	short loc_A1B7CC
		push	3Ch
		pop	eax

loc_A1B7CC:				; CODE XREF: sub_A1B731+96j
		mov	[ecx+20h], eax
		jmp	short loc_A1B7AC
; 

loc_A1B7D1:				; DATA XREF: .text:006AAB4Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A1B7E1:				; DATA XREF: .text:006AAB50o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_28]
		jmp	short loc_A1B7A9
; 

loc_A1B7E9:				; CODE XREF: sub_A1B731+1Bj
					; sub_A1B731+24j ...
		mov	ebx, 0C000000Dh

loc_A1B7EE:				; CODE XREF: sub_A1B731+43j
					; sub_A1B731+82j
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_A1B800
		push	42524157h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1B800:				; CODE XREF: sub_A1B731+C2j
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
sub_A1B731	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B814	proc near		; CODE XREF: sub_A1C03B+B4p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [edx+14h]
		mov	[ebp+var_14], eax
		mov	eax, [edx+18h]
		push	ebx
		mov	[ebp+var_18], eax
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edx
		xor	ecx, ecx
		mov	[ebp+var_C], edi
		dec	word ptr [eax+13Eh]
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		nop
		lea	ebx, [edi+64h]
		xor	edx, edx
		push	ecx
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [ebx], 0
		jnb	short loc_A1B869
		push	ebx
		mov	edx, esi
		mov	ecx, ebx
		call	ExfAcquirePushLockExclusiveEx

loc_A1B869:				; CODE XREF: sub_A1B814+49j
		test	esi, esi
		jz	short loc_A1B871
		or	byte ptr [esi+0Eh], 1

loc_A1B871:				; CODE XREF: sub_A1B814+57j
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	edx, [ebp+var_18]
		call	sub_A1BE9B
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A1B8A1
		cmp	[ebp+arg_0], eax
		jz	short loc_A1B8D2
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	sub_A1C206
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	[eax], esi
		jmp	short loc_A1B8D5
; 

loc_A1B8A1:				; CODE XREF: sub_A1B814+73j
		cmp	edi, 0C0000272h
		jnz	short loc_A1B8D2
		push	[ebp+var_8]
		mov	esi, [ebp+var_10]
		lea	eax, [ebp+var_18]
		push	8
		push	eax
		push	ecx
		mov	ecx, [ebp+var_C]
		mov	edx, esi
		add	ecx, 4Ch
		call	sub_A1DB7E
		mov	edi, eax
		test	edi, edi
		js	short loc_A1B8D2
		mov	ecx, esi
		call	sub_A1C206
		mov	edi, eax

loc_A1B8D2:				; CODE XREF: sub_A1B814+78j
					; sub_A1B814+93j ...
		mov	ecx, [ebp+var_4]

loc_A1B8D5:				; CODE XREF: sub_A1B814+8Bj
		call	sub_A1B9A1
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1B8EE
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1B8EE:				; CODE XREF: sub_A1B814+D1j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
sub_A1B814	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B90A	proc near		; DATA XREF: sub_A1B2D2+A4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [esi]
		sub	eax, [edi+18h]
		cdq
		mov	ecx, eax
		or	ecx, edx
		jnz	short loc_A1B92A
		mov	eax, [esi+4]
		sub	eax, [edi+14h]
		cdq

loc_A1B92A:				; CODE XREF: sub_A1B90A+17j
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
sub_A1B90A	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B930	proc near		; CODE XREF: sub_A1C03B+9Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	40h
		mov	[ebp+var_C], edx
		xor	edi, edi
		mov	[ebp+var_8], ecx
		lea	edx, [ebp+var_4]
		pop	ecx
		mov	[ebp+var_4], edi
		call	sub_A1ACD8
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A1B990
		mov	esi, [ebp+var_4]
		push	40h		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+var_8]
		add	esp, 0Ch
		mov	dword ptr [esi], 1
		mov	[esi+4], edi
		mov	[esi+8], edi
		mov	[esi+10h], edi
		mov	[esi+0Ch], edi
		mov	eax, [ecx+4]
		mov	[esi+14h], eax
		mov	eax, [ecx]
		mov	[esi+18h], eax
		mov	eax, [ebp+var_C]
		mov	[esi+1Ch], edi
		mov	[eax], esi
		jmp	short loc_A1B993
; 

loc_A1B990:				; CODE XREF: sub_A1B930+25j
		mov	edi, [ebp+var_4]

loc_A1B993:				; CODE XREF: sub_A1B930+5Ej
		mov	ecx, edi
		call	sub_A1B9A1
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
sub_A1B930	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1B9A1	proc near		; CODE XREF: sub_A1B814:loc_A1B8D5p
					; sub_A1B930+65p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	eax, ecx
		xor	esi, esi
		mov	[ebp+var_4], eax
		push	edi
		mov	edi, esi
		test	eax, eax
		jz	short loc_A1B9FF
		jmp	short loc_A1B9BE
; 

loc_A1B9BB:				; CODE XREF: sub_A1B9A1+42j
					; sub_A1B9A1+46j
		mov	eax, [ebp+var_4]

loc_A1B9BE:				; CODE XREF: sub_A1B9A1+18j
		mov	edx, [eax]
		mov	ebx, edx
		mov	edi, [eax+4]
		sub	ebx, 1
		mov	ecx, edi
		mov	[ebp+var_8], edx
		mov	eax, edx
		sbb	ecx, esi
		mov	edx, edi
		nop
		mov	esi, [ebp+var_4]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+var_8]
		push	0
		pop	esi
		cmp	eax, ecx
		jnz	short loc_A1B9BB
		cmp	edx, edi
		jnz	short loc_A1B9BB
		mov	esi, ecx
		add	esi, 0FFFFFFFFh
		mov	ecx, esi
		adc	edi, 0FFFFFFFFh
		or	ecx, edi
		jnz	short loc_A1B9FF
		mov	ecx, [ebp+var_4]
		call	sub_A1BED9

loc_A1B9FF:				; CODE XREF: sub_A1B9A1+16j
					; sub_A1B9A1+54j
		mov	edx, edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
sub_A1B9A1	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1BA08	proc near		; CODE XREF: sub_A1AAB4+104p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		cmp	[ebp+arg_0], 10h
		push	ebx
		push	esi
		push	edi
		jnb	short loc_A1BA23
		mov	edi, 0C000000Dh
		jmp	short loc_A1BA9F
; 

loc_A1BA23:				; CODE XREF: sub_A1BA08+12j
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_0]
		call	sub_A1BF12
		mov	edi, eax
		test	edi, edi
		js	short loc_A1BA9F
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	ebx, [ebp+var_4]
		xor	edx, edx
		push	0
		lea	esi, [ebx+8]
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edi, eax
		lock bts dword ptr [esi], 0
		jnb	short loc_A1BA67
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx

loc_A1BA67:				; CODE XREF: sub_A1BA08+53j
		test	edi, edi
		jz	short loc_A1BA6F
		or	byte ptr [edi+0Eh], 1

loc_A1BA6F:				; CODE XREF: sub_A1BA08+61j
		mov	ecx, ebx
		call	sub_A1BAB0
		mov	edi, eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1BA8C
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1BA8C:				; CODE XREF: sub_A1BA08+7Bj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_A1BA9F:				; CODE XREF: sub_A1BA08+19j
					; sub_A1BA08+2Bj
		mov	ecx, [ebp+var_4]
		call	sub_A1B9A1
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
sub_A1BA08	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1BAB0	proc near		; CODE XREF: sub_A1BA08+69p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	edx, [esi+30h]
		mov	eax, edx
		mov	ecx, [esi+34h]
		and	eax, ecx
		cmp	eax, 0FFFFFFFFh
		jz	loc_A1BBAB
		add	edx, 1
		mov	[esi+30h], edx
		adc	ecx, edi
		mov	[esi+34h], ecx
		cmp	edx, 1
		jnz	loc_A1BBAB
		test	ecx, ecx
		jnz	loc_A1BBAB
		cmp	[esi+24h], edx
		jz	short loc_A1BB04
		call	sub_597FFE
		cmp	[esi+24h], edi
		jnz	loc_A1BBA4

loc_A1BB04:				; CODE XREF: sub_A1BAB0+44j
		mov	eax, [esi+2Ch]
		mov	ebx, [esi+38h]
		mov	eax, [eax+0F0h]
		mov	[esp+20h+var_8], eax
		cmp	ebx, eax
		jnb	loc_A1BBAD
		mov	eax, [esi+3Ch]
		imul	ecx, ebx, 0Ch
		mov	[esp+20h+var_10], ecx
		mov	ecx, ebx
		shl	ecx, 4
		mov	[esp+20h+var_C], ecx

loc_A1BB2F:				; CODE XREF: sub_A1BAB0+F0j
		cmp	ebx, eax
		sbb	edi, edi
		inc	edi
		cmp	dword ptr [esi+24h], 1
		mov	[esp+20h+var_4], edi
		jnz	short loc_A1BB54
		mov	eax, [esi+2Ch]
		mov	edx, edi
		add	eax, 0F8h
		add	eax, ecx
		mov	ecx, esi
		push	eax
		call	sub_A1BD0C
		jmp	short loc_A1BB78
; 

loc_A1BB54:				; CODE XREF: sub_A1BAB0+8Cj
		call	sub_597FFE
		cmp	dword ptr [esi+24h], 0
		jnz	short loc_A1BBA4
		mov	ecx, [esp+20h+var_10]
		mov	edx, edi
		mov	eax, [esi+2Ch]
		add	ecx, 0F4h
		add	eax, ecx
		mov	ecx, esi
		push	eax
		call	sub_A1BBB6

loc_A1BB78:				; CODE XREF: sub_A1BAB0+A2j
		mov	edi, eax
		test	edi, edi
		js	short loc_A1BBAD
		mov	eax, [esp+20h+var_4]
		add	[esi+3Ch], eax
		inc	dword ptr [esi+38h]
		inc	ebx
		mov	ecx, [esp+20h+var_C]
		add	[esp+20h+var_10], 0Ch
		add	ecx, 10h
		mov	eax, [esi+3Ch]
		mov	[esp+20h+var_C], ecx
		cmp	ebx, [esp+20h+var_8]
		jb	short loc_A1BB2F
		jmp	short loc_A1BBAD
; 

loc_A1BBA4:				; CODE XREF: sub_A1BAB0+4Ej
					; sub_A1BAB0+ADj
		mov	edi, 0C000000Dh
		jmp	short loc_A1BBAD
; 

loc_A1BBAB:				; CODE XREF: sub_A1BAB0+1Fj
					; sub_A1BAB0+33j ...
		xor	edi, edi

loc_A1BBAD:				; CODE XREF: sub_A1BAB0+66j
					; sub_A1BAB0+CCj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
sub_A1BAB0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1BBB6	proc near		; CODE XREF: sub_A1BAB0+C3p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], ebx
		mov	eax, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ebx
		mov	byte ptr [ebp+var_1], bl
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	edx, edx
		jz	short loc_A1BBE4
		test	byte ptr [esi],	1
		jnz	loc_A1BD03

loc_A1BBE4:				; CODE XREF: sub_A1BBB6+23j
		mov	edi, [esi+4]
		mov	ecx, 0FFFFFFFh
		mov	edx, [esi+8]
		and	edi, ecx
		add	edi, [eax+18h]
		and	edx, ecx
		mov	eax, [esi]
		mov	ecx, edi
		shr	eax, 1
		not	eax
		and	eax, 1
		push	eax
		call	sub_A1B19E
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A1BD03
		mov	edx, [esi+8]
		lea	eax, [ebp+var_8]
		push	eax
		and	edx, 0FFFFFFFh
		lea	eax, [ebp+var_10]
		test	byte ptr [esi],	2
		mov	ecx, edi
		push	eax
		jnz	short loc_A1BC30
		call	sub_A1AF61
		jmp	short loc_A1BC35
; 

loc_A1BC30:				; CODE XREF: sub_A1BBB6+71j
		call	sub_A1AE51

loc_A1BC35:				; CODE XREF: sub_A1BBB6+78j
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A1BCF0
		cmp	[ebp+var_14], 0
		jz	short loc_A1BC73
		mov	ebx, [ebp+var_C]
		mov	eax, [esi+8]
		and	eax, 0FFFFFFFh
		push	eax
		mov	edx, [ebx+2Ch]
		push	[ebp+var_8]
		mov	ecx, [ebx+18h]
		push	edi
		mov	eax, [edx+38h]
		mov	edx, [edx+30h]
		sub	eax, ecx
		push	eax
		push	ecx
		mov	ecx, [ebx+20h]
		call	sub_695200
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A1BCF0

loc_A1BC73:				; CODE XREF: sub_A1BBB6+8Dj
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_1]
		push	eax		; int
		mov	edx, 0FFFFFFFh
		mov	ecx, [ecx+2Ch]
		push	ecx		; int
		lea	eax, [ecx+50h]
		push	eax		; int
		mov	eax, [esi+4]
		and	eax, edx
		push	eax		; int
		lea	eax, [ecx+48h]
		xor	ecx, ecx	; int
		push	eax		; int
		mov	eax, [esi+8]
		and	eax, edx
		mov	edx, edi	; void *
		push	eax		; int
		push	[ebp+var_8]	; void *
		call	sub_A1AC58
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A1BCF0
		cmp	[ebp+var_14], 0
		jz	short loc_A1BCDD
		mov	ebx, [ebp+var_C]
		mov	eax, [esi+8]
		and	eax, 0FFFFFFFh
		push	eax
		mov	edx, [ebx+2Ch]
		mov	ecx, [ebx+18h]
		mov	eax, ecx
		push	[ebp+var_8]
		sub	eax, [edx+38h]
		mov	edx, [edx+30h]
		push	edi
		push	eax
		push	ecx
		mov	ecx, [ebx+20h]
		call	sub_695200
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A1BCF0

loc_A1BCDD:				; CODE XREF: sub_A1BBB6+F7j
		mov	eax, [esi+8]
		and	eax, 0FFFFFFFh
		push	eax
		push	edi
		push	0FFFFFFFFh
		call	_ZwFlushInstructionCache@12 ; ZwFlushInstructionCache(x,x,x)
		mov	ebx, eax

loc_A1BCF0:				; CODE XREF: sub_A1BBB6+83j
					; sub_A1BBB6+BBj ...
		mov	esi, [ebp+var_10]
		test	esi, esi
		jz	short loc_A1BD03
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	esi
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_A1BD03:				; CODE XREF: sub_A1BBB6+28j
					; sub_A1BBB6+55j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
sub_A1BBB6	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1BD0C	proc near		; CODE XREF: sub_A1BAB0+9Dp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], ebx
		mov	eax, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ebx
		mov	byte ptr [ebp+var_1], bl
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	edx, edx
		jz	short loc_A1BD3A
		test	byte ptr [esi],	1
		jnz	loc_A1BE92

loc_A1BD3A:				; CODE XREF: sub_A1BD0C+23j
		mov	edi, [esi+4]
		mov	ecx, 0FFFFFFFh
		mov	edx, [esi+8]
		and	edi, ecx
		add	edi, [eax+18h]
		and	edx, ecx
		mov	eax, [esi]
		mov	ecx, edi
		shr	eax, 1
		not	eax
		and	eax, 1
		push	eax
		call	sub_A1B19E
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A1BE92
		mov	edx, [esi+8]
		lea	eax, [ebp+var_8]
		push	eax
		and	edx, 0FFFFFFFh
		lea	eax, [ebp+var_10]
		test	byte ptr [esi],	2
		mov	ecx, edi
		push	eax
		jnz	short loc_A1BD86
		call	sub_A1AF61
		jmp	short loc_A1BD8B
; 

loc_A1BD86:				; CODE XREF: sub_A1BD0C+71j
		call	sub_A1AE51

loc_A1BD8B:				; CODE XREF: sub_A1BD0C+78j
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A1BE7F
		cmp	[ebp+var_14], 0
		jz	short loc_A1BDCD
		mov	ebx, [ebp+var_C]
		mov	eax, [esi+8]
		and	eax, 0FFFFFFFh
		push	eax
		mov	edx, [ebx+2Ch]
		push	[ebp+var_8]
		mov	ecx, [ebx+18h]
		push	edi
		mov	eax, [edx+38h]
		mov	edx, [edx+30h]
		sub	eax, ecx
		push	eax
		push	ecx
		mov	ecx, [ebx+20h]
		call	sub_695200
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A1BE7F

loc_A1BDCD:				; CODE XREF: sub_A1BD0C+8Dj
		mov	eax, [esi+8]
		mov	ebx, [ebp+var_8]
		and	eax, 0FFFFFFFh
		push	eax		; size_t
		push	edi		; void *
		push	ebx		; void *
		call	_memcpy
		mov	ecx, [esi]
		add	esp, 0Ch
		mov	edx, 0FFFFFFFh
		and	ecx, 2
		jnz	short loc_A1BE00
		mov	eax, [esi+8]
		and	eax, edx
		cmp	eax, 4
		jnb	short loc_A1BE00
		mov	ebx, 0C000000Dh
		jmp	short loc_A1BE7F
; 

loc_A1BE00:				; CODE XREF: sub_A1BD0C+E1j
					; sub_A1BD0C+EBj
		test	ecx, ecx
		jnz	short loc_A1BE09
		mov	eax, [esi+0Ch]
		mov	[ebx], eax

loc_A1BE09:				; CODE XREF: sub_A1BD0C+F6j
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_1]
		push	eax		; int
		mov	ecx, [ecx+2Ch]
		push	ecx		; int
		lea	eax, [ecx+50h]
		push	eax		; int
		mov	eax, [esi+4]
		and	eax, edx
		push	eax		; int
		lea	eax, [ecx+48h]
		xor	ecx, ecx	; int
		push	eax		; int
		mov	eax, [esi+8]
		and	eax, edx
		mov	edx, ebx	; void *
		push	eax		; int
		push	ebx		; void *
		call	sub_A1AC58
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A1BE7F
		cmp	[ebp+var_14], 0
		jz	short loc_A1BE6C
		mov	ebx, [ebp+var_C]
		mov	eax, [esi+8]
		and	eax, 0FFFFFFFh
		push	eax
		mov	edx, [ebx+2Ch]
		mov	ecx, [ebx+18h]
		mov	eax, ecx
		push	[ebp+var_8]
		sub	eax, [edx+38h]
		mov	edx, [edx+30h]
		push	edi
		push	eax
		push	ecx
		mov	ecx, [ebx+20h]
		call	sub_695200
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A1BE7F

loc_A1BE6C:				; CODE XREF: sub_A1BD0C+130j
		mov	eax, [esi+8]
		and	eax, 0FFFFFFFh
		push	eax
		push	edi
		push	0FFFFFFFFh
		call	_ZwFlushInstructionCache@12 ; ZwFlushInstructionCache(x,x,x)
		mov	ebx, eax

loc_A1BE7F:				; CODE XREF: sub_A1BD0C+83j
					; sub_A1BD0C+BBj ...
		mov	esi, [ebp+var_10]
		test	esi, esi
		jz	short loc_A1BE92
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	esi
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_A1BE92:				; CODE XREF: sub_A1BD0C+28j
					; sub_A1BD0C+55j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
sub_A1BD0C	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1BE9B	proc near		; CODE XREF: sub_A1B814+6Ap
					; sub_A1C03B+61p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_4]
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		add	ecx, 4Ch
		call	WbFindLookupEntry
		test	eax, eax
		js	short locret_A1BED5
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_A1BED4
		push	edi
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		call	sub_A1C206
		test	eax, eax
		js	short loc_A1BED3
		mov	[esi], edi

loc_A1BED3:				; CODE XREF: sub_A1BE9B+34j
		pop	edi

loc_A1BED4:				; CODE XREF: sub_A1BE9B+25j
		pop	esi

locret_A1BED5:				; CODE XREF: sub_A1BE9B+1Dj
		leave
		retn	8
sub_A1BE9B	endp


;  S U B	R O U T	I N E 


sub_A1BED9	proc near		; CODE XREF: sub_A1B40A+A6p
					; sub_A1B9A1+59p
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	short loc_A1BF0C
		mov	eax, [esi+20h]
		mov	edi, 42524157h
		test	eax, eax
		jz	short loc_A1BEF7
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1BEF7:				; CODE XREF: sub_A1BED9+15j
		mov	eax, [esi+2Ch]
		test	eax, eax
		jz	short loc_A1BF05
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1BF05:				; CODE XREF: sub_A1BED9+23j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1BF0C:				; CODE XREF: sub_A1BED9+9j
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ecx
		retn
sub_A1BED9	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1BF12	proc near		; CODE XREF: sub_A1BA08+22p
					; sub_A1C4CE+22p

var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], edx
		mov	edx, [ebp+arg_0]
		lea	edi, [ebp+var_1C]
		stosd
		xor	esi, esi
		and	[ebp+var_10], esi
		mov	ebx, ecx
		mov	ecx, [ebp+var_8]
		and	[ebp+var_C], esi
		stosd
		mov	[ebp+var_4], esi
		stosd
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	sub_A1C7EF
		mov	edi, eax
		test	edi, edi
		js	loc_A1C018
		lea	eax, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_10]
		call	sub_A1C03B
		mov	edi, eax
		test	edi, edi
		js	loc_A1C015
		mov	esi, [ebp+var_4]
		cmp	dword ptr [esi+0Ch], 0
		jnz	loc_A1C001
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	ebx, [ebp+var_4]
		xor	edx, edx
		add	ebx, 8
		push	0
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	[ebp+arg_0], eax
		lock bts dword ptr [ebx], 0
		jnb	short loc_A1BFAD
		push	ebx
		mov	edx, eax
		mov	ecx, ebx
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+arg_0]

loc_A1BFAD:				; CODE XREF: sub_A1BF12+8Cj
		test	eax, eax
		jz	short loc_A1BFB5
		or	byte ptr [eax+0Eh], 1

loc_A1BFB5:				; CODE XREF: sub_A1BF12+9Dj
		cmp	dword ptr [esi+0Ch], 0
		jnz	short loc_A1BFD3
		mov	edx, [ebp+var_4]
		lea	esi, [ebp+var_1C]
		mov	ecx, [ebp+var_8]
		sub	esp, 0Ch	; int
		mov	edi, esp
		movsd
		movsd
		movsd
		call	sub_A1C264
		mov	edi, eax

loc_A1BFD3:				; CODE XREF: sub_A1BF12+A7j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1BFE7
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1BFE7:				; CODE XREF: sub_A1BF12+CCj
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	edi, edi
		js	short loc_A1C015
		mov	esi, [ebp+var_4]

loc_A1C001:				; CODE XREF: sub_A1BF12+5Fj
		mov	edi, [esi+10h]
		test	edi, edi
		js	short loc_A1C018
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_A1C018
		mov	[eax], esi
		xor	esi, esi
		jmp	short loc_A1C018
; 

loc_A1C015:				; CODE XREF: sub_A1BF12+52j
					; sub_A1BF12+EAj
		mov	esi, [ebp+var_4]

loc_A1C018:				; CODE XREF: sub_A1BF12+3Aj
					; sub_A1BF12+F4j ...
		mov	ecx, esi
		call	sub_A1B9A1
		cmp	[ebp+var_14], 0
		jz	short loc_A1C032
		push	42524157h
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1C032:				; CODE XREF: sub_A1BF12+111j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A1BF12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1C03B	proc near		; CODE XREF: sub_A1BF12+49p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:124h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_C], edx
		xor	ecx, ecx
		dec	word ptr [eax+13Eh]
		push	esi
		push	edi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		nop
		lea	esi, [ebx+64h]
		xor	edx, edx
		push	ecx
		mov	ecx, esi
		call	KeAbPreAcquire
		push	11h
		mov	edi, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_A1C087
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockSharedEx

loc_A1C087:				; CODE XREF: sub_A1C03B+40j
		test	edi, edi
		jz	short loc_A1C08F
		or	byte ptr [edi+0Eh], 1

loc_A1C08F:				; CODE XREF: sub_A1C03B+4Ej
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		call	sub_A1BE9B
		push	11h
		mov	edi, eax
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_A1C0B8
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A1C0B8:				; CODE XREF: sub_A1C03B+74j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	edi, 0C0000272h
		jnz	short loc_A1C10C
		mov	ecx, [ebp+var_C]
		lea	edx, [ebp+var_4]
		call	sub_A1B930
		mov	esi, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_A1C11E
		lea	eax, [ebp+var_8]
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	sub_A1B814
		mov	edi, eax
		test	edi, edi
		js	short loc_A1C11E
		cmp	[ebp+var_8], 0
		jz	short loc_A1C113
		mov	ecx, esi
		call	sub_A1B9A1
		mov	esi, [ebp+var_8]
		jmp	short loc_A1C113
; 

loc_A1C10C:				; CODE XREF: sub_A1C03B+96j
		mov	esi, [ebp+var_4]
		test	edi, edi
		js	short loc_A1C11E

loc_A1C113:				; CODE XREF: sub_A1C03B+C3j
					; sub_A1C03B+CFj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A1C11E
		mov	[eax], esi
		xor	esi, esi

loc_A1C11E:				; CODE XREF: sub_A1C03B+AAj
					; sub_A1C03B+BDj ...
		mov	ecx, esi
		call	sub_A1B9A1
		mov	ecx, [ebp+var_8]
		call	sub_A1B9A1
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
sub_A1C03B	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1C136	proc near		; CODE XREF: sub_A1B649+9Ep

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		dec	word ptr [eax+13Eh]
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_C], edx
		nop
		lea	edi, [ebx+64h]
		xor	edx, edx
		push	0
		mov	ecx, edi
		mov	[ebp+var_10], edi
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_A1C17C
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_A1C17C:				; CODE XREF: sub_A1C136+3Aj
		test	esi, esi
		jz	short loc_A1C184
		or	byte ptr [esi+0Eh], 1

loc_A1C184:				; CODE XREF: sub_A1C136+48j
		xor	esi, esi
		cmp	[ebx+50h], esi
		jbe	short loc_A1C1D7
		lea	eax, [ebx+4Ch]
		mov	edi, ebx

loc_A1C190:				; CODE XREF: sub_A1C136+9Cj
		mov	ecx, [eax]
		mov	eax, [eax+0Ch]
		imul	ecx, esi
		mov	ebx, [ecx+eax]
		test	ebx, ebx
		jz	short loc_A1C1CB
		mov	eax, [ebx+18h]
		cmp	eax, [ebp+var_C]
		jnz	short loc_A1C1CB
		cmp	dword ptr [ebx+1Ch], 0
		jnz	short loc_A1C1CB
		push	0
		push	esi
		push	0
		xor	edx, edx
		lea	ecx, [edi+4Ch]
		call	sub_A1DCCB
		mov	[ebp+var_4], eax
		test	eax, eax
		js	short loc_A1C1CB
		mov	ecx, ebx
		call	sub_A1B9A1
		dec	esi

loc_A1C1CB:				; CODE XREF: sub_A1C136+67j
					; sub_A1C136+6Fj ...
		inc	esi
		lea	eax, [edi+4Ch]
		cmp	esi, [edi+50h]
		jb	short loc_A1C190
		mov	edi, [ebp+var_10]

loc_A1C1D7:				; CODE XREF: sub_A1C136+53j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1C1EB
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1C1EB:				; CODE XREF: sub_A1C136+ACj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
sub_A1C136	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1C206	proc near		; CODE XREF: sub_A1B814+7Fp
					; sub_A1B814+B7p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], edx
		test	edx, edx
		jz	short loc_A1C25F
		push	ebx
		push	edi

loc_A1C21B:				; CODE XREF: sub_A1C206+3Dj
					; sub_A1C206+41j
		mov	eax, [edx]
		mov	ebx, eax
		mov	edi, [edx+4]
		add	ebx, 1
		mov	ecx, edi
		mov	[ebp+var_8], eax
		adc	ecx, esi
		mov	edx, edi
		nop
		mov	esi, [ebp+var_4]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+var_8]
		mov	ebx, edx
		mov	edx, [ebp+var_4]
		push	0
		pop	esi
		cmp	eax, ecx
		jnz	short loc_A1C21B
		cmp	ebx, edi
		jnz	short loc_A1C21B
		add	ecx, 1
		adc	edi, esi
		cmp	edi, esi
		pop	edi
		pop	ebx
		ja	short loc_A1C25F
		jb	short loc_A1C25A
		cmp	ecx, esi
		ja	short loc_A1C25F

loc_A1C25A:				; CODE XREF: sub_A1C206+4Ej
		mov	esi, 0C00000E5h

loc_A1C25F:				; CODE XREF: sub_A1C206+11j
					; sub_A1C206+4Cj ...
		mov	eax, esi
		pop	esi
		leave
		retn
sub_A1C206	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	sub_A1C264(int,int,void	*Source1)
sub_A1C264	proc near		; CODE XREF: sub_A1BF12+BAp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
Length		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
Source1		= dword	ptr  10h

		push	3Ch
		push	offset dword_6AAB78
		call	__SEH_prolog4
		mov	edi, edx
		mov	[ebp+var_48], edi
		mov	[ebp+var_20], ecx
		and	[ebp+var_28], 0
		mov	ebx, [ebp+arg_0]
		cmp	ebx, 1
		jnz	short loc_A1C2A9
		mov	ecx, 0F8h
		push	10h

loc_A1C28B:				; CODE XREF: sub_A1C264+59j
		mov	eax, [ebp+Source1]
		mov	eax, [eax+0F0h]
		mov	[ebp+Length], ecx
		pop	edx
		mul	edx
		test	edx, edx
		ja	short loc_A1C2BF
		jb	short loc_A1C2A5
		cmp	eax, 0FFFFFFFFh
		ja	short loc_A1C2BF

loc_A1C2A5:				; CODE XREF: sub_A1C264+3Aj
		xor	esi, esi
		jmp	short loc_A1C2C7
; 

loc_A1C2A9:				; CODE XREF: sub_A1C264+1Ej
		call	sub_597FFE
		test	ebx, ebx
		jnz	loc_A1C4B2
		mov	ecx, 0F4h
		push	0Ch
		jmp	short loc_A1C28B
; 

loc_A1C2BF:				; CODE XREF: sub_A1C264+38j
					; sub_A1C264+3Fj
		mov	esi, 0C0000095h
		or	eax, 0FFFFFFFFh

loc_A1C2C7:				; CODE XREF: sub_A1C264+43j
		mov	[ebp+var_24], eax
		test	esi, esi
		js	loc_A1C4B7
		lea	edx, [ebp+var_28]
		push	edx
		mov	edx, ecx
		mov	ecx, eax
		call	?RtlULongAdd@@YGJKKPAK@Z ; RtlULongAdd(ulong,ulong,ulong *)
		mov	esi, eax
		test	esi, esi
		js	loc_A1C4B7
		mov	[edi+24h], ebx
		mov	eax, [ebp+arg_4]
		mov	[edi+28h], eax
		lea	ebx, [edi+2Ch]
		mov	edx, ebx
		mov	eax, [ebp+var_28]
		mov	[ebp+var_30], eax
		mov	ecx, eax
		call	sub_A1ACD8
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_A1C4B7
		and	[ebp+ms_exc.disabled], 0
		mov	esi, [ebp+var_30]
		test	esi, esi
		jz	short loc_A1C335
		mov	ecx, [ebp+var_20]
		mov	ecx, [ecx+8]
		lea	edx, [ecx+esi]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_A1C332
		cmp	edx, ecx
		jnb	short loc_A1C335

loc_A1C332:				; CODE XREF: sub_A1C264+C8j
		mov	byte ptr [eax],	0

loc_A1C335:				; CODE XREF: sub_A1C264+B6j
					; sub_A1C264+CCj
		push	esi		; size_t
		mov	eax, [ebp+var_20]
		push	dword ptr [eax+8] ; void *
		push	dword ptr [ebx]	; void *
		call	_memcpy
		add	esp, 0Ch
		push	1
		mov	edx, esi
		mov	eax, [ebp+var_20]
		mov	ecx, [eax+8]
		call	sub_A1B19E
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jns	short loc_A1C36A

loc_A1C35E:				; CODE XREF: sub_A1C264+117j
					; sub_A1C264+133j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	loc_A1C4B7
; 

loc_A1C36A:				; CODE XREF: sub_A1C264+F8j
		mov	edx, [ebp+var_30]
		mov	ecx, [ebx]
		call	sub_A1B127
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	short loc_A1C35E
		push	[ebp+Length]	; Length
		push	dword ptr [ebx]	; Source2
		push	[ebp+Source1]	; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, [ebp+Length]
		jz	short loc_A1C399

loc_A1C38F:				; CODE XREF: sub_A1C264+166j
					; sub_A1C264+18Bj
		mov	esi, 0C000000Dh
		mov	[ebp+var_1C], esi
		jmp	short loc_A1C35E
; 

loc_A1C399:				; CODE XREF: sub_A1C264+129j
		cmp	dword ptr [edi+24h], 1
		jnz	short loc_A1C3C1
		mov	edx, [ebx]
		mov	ecx, [edx+28h]
		and	ecx, 0FFFFFFFh
		mov	eax, [ebp+var_20]
		mov	eax, [eax+8]
		sub	eax, ecx
		mov	[edi+18h], eax
		and	dword ptr [edi+1Ch], 0
		mov	ebx, [edx+30h]
		mov	eax, [edx+2Ch]
		jmp	short loc_A1C3F9
; 

loc_A1C3C1:				; CODE XREF: sub_A1C264+139j
		call	sub_597FFE
		cmp	dword ptr [edi+24h], 0
		jnz	short loc_A1C38F
		mov	eax, [ebx]
		mov	ecx, [eax+28h]
		and	ecx, 0FFFFFFFh
		mov	eax, [ebp+var_20]
		mov	eax, [eax+8]
		sub	eax, ecx
		mov	[edi+18h], eax
		and	dword ptr [edi+1Ch], 0
		call	sub_597FFE
		cmp	dword ptr [edi+24h], 0
		jnz	short loc_A1C38F
		mov	eax, [ebx]
		mov	ebx, [eax+30h]
		mov	eax, [eax+2Ch]

loc_A1C3F9:				; CODE XREF: sub_A1C264+15Bj
		mov	[ebp+var_34], ebx
		and	eax, 0FFFFFFFh
		test	ebx, ebx
		jz	short loc_A1C481
		mov	ecx, [edi+18h]
		add	ecx, eax
		mov	[ebp+Source1], ecx
		mov	[ebp+var_4C], ecx
		mov	eax, ebx
		push	4
		pop	edx
		mul	edx
		mov	ebx, eax
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], edx
		test	edx, edx
		ja	short loc_A1C42E
		jb	short loc_A1C42A
		cmp	ebx, 0FFFFFFFFh
		ja	short loc_A1C42E

loc_A1C42A:				; CODE XREF: sub_A1C264+1BFj
		xor	esi, esi
		jmp	short loc_A1C436
; 

loc_A1C42E:				; CODE XREF: sub_A1C264+1BDj
					; sub_A1C264+1C4j
		or	ebx, 0FFFFFFFFh
		mov	esi, 0C0000095h

loc_A1C436:				; CODE XREF: sub_A1C264+1C8j
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_A1C35E
		test	ebx, ebx
		jz	short loc_A1C45B
		lea	edx, [ecx+ebx]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_A1C458
		cmp	edx, ecx
		jnb	short loc_A1C45B

loc_A1C458:				; CODE XREF: sub_A1C264+1EEj
		mov	byte ptr [eax],	0

loc_A1C45B:				; CODE XREF: sub_A1C264+1E2j
					; sub_A1C264+1F2j
		lea	edx, [edi+20h]
		mov	ecx, ebx
		call	sub_A1ACD8
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		js	loc_A1C35E
		push	ebx		; size_t
		push	[ebp+Source1]	; void *
		push	dword ptr [edi+20h] ; void *
		call	_memcpy
		add	esp, 0Ch

loc_A1C481:				; CODE XREF: sub_A1C264+19Fj
		mov	dword ptr [edi+0Ch], 1
		jmp	loc_A1C35E
; 

loc_A1C48D:				; DATA XREF: .text:006AAB8Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_44], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A1C49D:				; DATA XREF: .text:006AAB90o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_44]
		mov	[ebp+var_1C], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_48]
		jmp	short loc_A1C4B7
; 

loc_A1C4B2:				; CODE XREF: sub_A1C264+4Cj
		mov	esi, 0C000000Dh

loc_A1C4B7:				; CODE XREF: sub_A1C264+68j
					; sub_A1C264+7Fj ...
		mov	[edi+10h], esi
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
sub_A1C264	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1C4CE	proc near		; CODE XREF: sub_A1AAB4+112p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		cmp	[ebp+arg_0], 10h
		push	ebx
		push	esi
		push	edi
		jnb	short loc_A1C4E9
		mov	edi, 0C000000Dh
		jmp	short loc_A1C565
; 

loc_A1C4E9:				; CODE XREF: sub_A1C4CE+12j
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_0]
		call	sub_A1BF12
		mov	edi, eax
		test	edi, edi
		js	short loc_A1C565
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	ebx, [ebp+var_4]
		xor	edx, edx
		push	0
		lea	esi, [ebx+8]
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edi, eax
		lock bts dword ptr [esi], 0
		jnb	short loc_A1C52D
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx

loc_A1C52D:				; CODE XREF: sub_A1C4CE+53j
		test	edi, edi
		jz	short loc_A1C535
		or	byte ptr [edi+0Eh], 1

loc_A1C535:				; CODE XREF: sub_A1C4CE+61j
		mov	ecx, ebx
		call	sub_A1C576
		mov	edi, eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1C552
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1C552:				; CODE XREF: sub_A1C4CE+7Bj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_A1C565:				; CODE XREF: sub_A1C4CE+19j
					; sub_A1C4CE+2Bj
		mov	ecx, [ebp+var_4]
		call	sub_A1B9A1
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
sub_A1C4CE	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1C576	proc near		; CODE XREF: sub_A1C4CE+69p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		mov	edx, [esi+30h]
		mov	eax, edx
		mov	edi, [esi+34h]
		or	eax, edi
		jnz	short loc_A1C593

loc_A1C58F:				; CODE XREF: sub_A1C576+2Bj
		xor	ecx, ecx
		jmp	short loc_A1C60A
; 

loc_A1C593:				; CODE XREF: sub_A1C576+17j
		add	edx, 0FFFFFFFFh
		mov	[esi+30h], edx
		adc	edi, 0FFFFFFFFh
		or	edx, edi
		mov	[esi+34h], edi
		jnz	short loc_A1C58F
		mov	edi, [esi+38h]
		sub	edi, 1
		js	short loc_A1C60A
		imul	eax, edi, 0Ch
		mov	ebx, edi
		shl	ebx, 4
		mov	[ebp+var_4], eax

loc_A1C5B6:				; CODE XREF: sub_A1C576+8Bj
		cmp	dword ptr [esi+24h], 1
		jnz	short loc_A1C5D0
		mov	edx, [esi+2Ch]
		mov	ecx, esi
		add	edx, 0F8h
		add	edx, ebx
		call	sub_A1C6ED
		jmp	short loc_A1C5EE
; 

loc_A1C5D0:				; CODE XREF: sub_A1C576+44j
		call	sub_597FFE
		cmp	dword ptr [esi+24h], 0
		jnz	short loc_A1C605
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		add	edx, 0F4h
		add	edx, [esi+2Ch]
		call	sub_A1C611

loc_A1C5EE:				; CODE XREF: sub_A1C576+58j
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_A1C60A
		dec	dword ptr [esi+38h]
		sub	ebx, 10h
		sub	[ebp+var_4], 0Ch
		sub	edi, 1
		jns	short loc_A1C5B6
		jmp	short loc_A1C60A
; 

loc_A1C605:				; CODE XREF: sub_A1C576+63j
		mov	ecx, 0C000000Dh

loc_A1C60A:				; CODE XREF: sub_A1C576+1Bj
					; sub_A1C576+33j ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn
sub_A1C576	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1C611	proc near		; CODE XREF: sub_A1C576+73p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		mov	eax, ecx
		and	[ebp+var_C], 0
		mov	ecx, 0FFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], eax
		mov	esi, [edi+4]
		mov	edx, [edi+8]
		and	esi, ecx
		add	esi, [eax+18h]
		and	edx, ecx
		mov	eax, [edi]
		mov	ecx, esi
		shr	eax, 1
		not	eax
		mov	[ebp+var_14], esi
		and	eax, 1
		push	eax
		call	sub_A1B19E
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A1C6E6
		mov	edx, [edi+8]
		lea	eax, [ebp+var_8]
		push	eax
		and	edx, 0FFFFFFFh
		lea	eax, [ebp+var_C]
		test	byte ptr [edi],	2
		mov	ecx, esi
		push	eax
		jnz	short loc_A1C67A
		call	sub_A1AF61
		jmp	short loc_A1C67F
; 

loc_A1C67A:				; CODE XREF: sub_A1C611+60j
		call	sub_A1AE51

loc_A1C67F:				; CODE XREF: sub_A1C611+67j
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A1C6D3
		mov	esi, [ebp+var_10]
		lea	eax, [ebp-1]
		push	eax		; int
		mov	edx, [ebp+var_14] ; void *
		push	ecx		; int
		mov	esi, [esi+2Ch]
		mov	ecx, 0FFFFFFFh
		mov	[ebp+var_1], 0
		lea	eax, [esi+50h]
		push	eax		; int
		mov	eax, [edi+4]
		and	eax, ecx
		push	eax		; int
		lea	eax, [esi+48h]
		push	eax		; int
		mov	eax, [edi+8]
		and	eax, ecx
		xor	ecx, ecx
		push	eax		; int
		push	[ebp+var_8]	; void *
		inc	ecx		; int
		call	sub_A1AC58
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A1C6D3
		mov	eax, [edi]
		movzx	ecx, [ebp+var_1]
		and	eax, 0FFFFFC03h
		shl	ecx, 2
		or	ecx, eax
		mov	[edi], ecx

loc_A1C6D3:				; CODE XREF: sub_A1C611+72j
					; sub_A1C611+AEj
		mov	esi, [ebp+var_C]
		test	esi, esi
		jz	short loc_A1C6E6
		push	esi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	esi
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_A1C6E6:				; CODE XREF: sub_A1C611+44j
					; sub_A1C611+C7j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
sub_A1C611	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1C6ED	proc near		; CODE XREF: sub_A1C576+53p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		mov	eax, ecx
		and	[ebp+var_C], 0
		mov	ecx, 0FFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], eax
		mov	ebx, [edi+4]
		mov	edx, [edi+8]
		and	ebx, ecx
		add	ebx, [eax+18h]
		and	edx, ecx
		mov	eax, [edi]
		mov	ecx, ebx
		shr	eax, 1
		not	eax
		and	eax, 1
		push	eax
		call	sub_A1B19E
		mov	esi, eax
		test	esi, esi
		js	loc_A1C7E8
		mov	edx, [edi+8]
		lea	eax, [ebp+var_8]
		push	eax
		and	edx, 0FFFFFFFh
		lea	eax, [ebp+var_C]
		test	byte ptr [edi],	2
		mov	ecx, ebx
		push	eax
		jnz	short loc_A1C753
		call	sub_A1AF61
		jmp	short loc_A1C758
; 

loc_A1C753:				; CODE XREF: sub_A1C6ED+5Dj
		call	sub_A1AE51

loc_A1C758:				; CODE XREF: sub_A1C6ED+64j
		mov	esi, eax
		test	esi, esi
		js	short loc_A1C7D5
		mov	esi, [ebp+var_10]
		lea	eax, [ebp-1]
		push	eax		; int
		push	ecx		; int
		mov	ecx, 0FFFFFFFh
		mov	[ebp+var_1], 0
		mov	esi, [esi+2Ch]
		mov	edx, ebx	; void *
		lea	eax, [esi+50h]
		push	eax		; int
		mov	eax, [edi+4]
		and	eax, ecx
		push	eax		; int
		lea	eax, [esi+48h]
		push	eax		; int
		mov	eax, [edi+8]
		and	eax, ecx
		xor	ecx, ecx
		push	eax		; int
		push	[ebp+var_8]	; void *
		inc	ecx		; int
		call	sub_A1AC58
		mov	esi, eax
		test	esi, esi
		js	short loc_A1C7D5
		mov	eax, [edi]
		movzx	ecx, [ebp+var_1]
		and	eax, 0FFFFFC03h
		shl	ecx, 2
		or	ecx, eax
		mov	[edi], ecx
		test	cl, 2
		jnz	short loc_A1C7D5
		mov	eax, [edi+8]
		and	eax, 0FFFFFFFh
		cmp	eax, 4
		jnb	short loc_A1C7C4
		mov	esi, 0C000000Dh
		jmp	short loc_A1C7D5
; 

loc_A1C7C4:				; CODE XREF: sub_A1C6ED+CEj
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_8]
		mov	eax, [eax+2Ch]
		mov	eax, [eax+0F4h]
		mov	[ecx], eax

loc_A1C7D5:				; CODE XREF: sub_A1C6ED+6Fj
					; sub_A1C6ED+AAj ...
		mov	edi, [ebp+var_C]
		test	edi, edi
		jz	short loc_A1C7E8
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	edi
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_A1C7E8:				; CODE XREF: sub_A1C6ED+41j
					; sub_A1C6ED+EDj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
sub_A1C6ED	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1C7EF	proc near		; CODE XREF: sub_A1BF12+31p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	20h
		push	offset dword_6AAB98
		call	__SEH_prolog4
		mov	esi, ecx
		mov	[ebp+var_1C], esi
		xor	eax, eax
		lea	edi, [ebp+var_30]
		stosd
		stosd
		stosd
		cmp	edx, 10h
		jnb	short loc_A1C817

loc_A1C80D:				; CODE XREF: sub_A1C7EF+106j
		mov	ebx, 0C000000Dh
		jmp	loc_A1C949
; 

loc_A1C817:				; CODE XREF: sub_A1C7EF+1Cj
		lea	edx, [ebp+var_28]
		mov	ecx, 0F4h
		call	sub_A1ACD8
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A1C949
		and	[ebp+ms_exc.disabled], 0
		mov	esi, [esi+8]
		lea	ecx, [esi+0F4h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_A1C848
		cmp	ecx, esi
		jnb	short loc_A1C851

loc_A1C848:				; CODE XREF: sub_A1C7EF+53j
		mov	byte ptr [eax],	0
		mov	eax, [ebp+var_1C]
		mov	esi, [eax+8]

loc_A1C851:				; CODE XREF: sub_A1C7EF+57j
		push	3Dh
		pop	ecx
		mov	edx, [ebp+var_28]
		mov	edi, edx
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [edx+24h]
		mov	esi, eax
		and	esi, 0Fh
		mov	[ebp+var_30], esi
		shr	eax, 4
		and	eax, 0Fh
		mov	[ebp+var_2C], eax
		xor	edi, edi
		inc	edi
		cmp	esi, edi
		jnz	short loc_A1C8EE
		push	42524157h
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_28], 0
		lea	edx, [ebp+var_28]
		mov	ecx, 0F8h
		call	sub_A1ACD8
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A1C949
		mov	[ebp+ms_exc.disabled], edi
		mov	eax, [ebp+var_1C]
		mov	esi, [eax+8]
		lea	edx, [esi+0F8h]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edx, ecx
		ja	short loc_A1C8C0
		cmp	edx, esi
		jnb	short loc_A1C8C6

loc_A1C8C0:				; CODE XREF: sub_A1C7EF+CBj
		mov	byte ptr [ecx],	0
		mov	esi, [eax+8]

loc_A1C8C6:				; CODE XREF: sub_A1C7EF+CFj
		push	3Eh
		pop	ecx
		mov	edx, [ebp+var_28]
		mov	edi, edx
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A1C8FE
; 

loc_A1C8D9:				; DATA XREF: .text:006AABB8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A1C8E9:				; DATA XREF: .text:006AABBCo
		mov	ebx, [ebp+var_20]
		jmp	short loc_A1C93F
; 

loc_A1C8EE:				; CODE XREF: sub_A1C7EF+8Cj
		call	sub_597FFE
		test	esi, esi
		jnz	loc_A1C80D
		mov	edx, [ebp+var_28]

loc_A1C8FE:				; CODE XREF: sub_A1C7EF+E8j
		mov	esi, [ebp+arg_4]
		mov	eax, [edx+40h]
		mov	[esi+4], eax
		mov	eax, [edx+28h]
		mov	ecx, [ebp+var_1C]
		and	eax, 0FFFFFFFh
		mov	ecx, [ecx+8]
		sub	ecx, eax
		mov	[esi], ecx
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_A1C949
		lea	esi, [ebp+var_30]
		movsd
		movsd
		movsd
		and	[ebp+var_28], 0
		jmp	short loc_A1C949
; 

loc_A1C92C:				; DATA XREF: .text:006AABACo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A1C93C:				; DATA XREF: .text:006AABB0o
		mov	ebx, [ebp+var_24]

loc_A1C93F:				; CODE XREF: sub_A1C7EF+FDj
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A1C949:				; CODE XREF: sub_A1C7EF+23j
					; sub_A1C7EF+39j ...
		mov	edx, [ebp+var_28]
		test	edx, edx
		jz	short loc_A1C95B
		push	42524157h
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1C95B:				; CODE XREF: sub_A1C7EF+15Fj
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A1C7EF	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1C96F	proc near		; CODE XREF: sub_A1D230+BBp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, large fs:124h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		xor	edx, edx
		dec	word ptr [eax+13Eh]
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		nop
		lea	edi, [ecx+1Ch]
		push	edx
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_A1C9B3
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_A1C9B3:				; CODE XREF: sub_A1C96F+38j
		test	esi, esi
		jz	short loc_A1C9BB
		or	byte ptr [esi+0Eh], 1

loc_A1C9BB:				; CODE XREF: sub_A1C96F+46j
		mov	edx, [ebx+18h]
		lea	eax, [ebp+var_C]
		mov	ecx, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	sub_A1D1C0
		mov	esi, eax
		test	esi, esi
		js	short loc_A1C9E2
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A1CA29
		mov	ecx, [ebp+var_8]
		mov	[eax], ecx
		jmp	short loc_A1CA29
; 

loc_A1C9E2:				; CODE XREF: sub_A1C96F+63j
		cmp	esi, 0C0000272h
		jnz	short loc_A1CA29
		push	[ebp+var_C]
		mov	edx, ebx
		push	4
		push	dword ptr [ebx+18h]
		push	ecx
		mov	ecx, [ebp+var_4]
		lea	ecx, [ecx+4]
		call	sub_A1DB7E
		mov	esi, eax
		test	esi, esi
		js	short loc_A1CA29
		mov	ecx, ebx
		call	sub_A1D601
		mov	esi, eax
		test	esi, esi
		js	short loc_A1CA29
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A1CA1D
		and	dword ptr [eax], 0

loc_A1CA1D:				; CODE XREF: sub_A1C96F+A9j
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		call	sub_A1CA59
		mov	esi, eax

loc_A1CA29:				; CODE XREF: sub_A1C96F+6Aj
					; sub_A1C96F+71j ...
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1CA3D
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1CA3D:				; CODE XREF: sub_A1C96F+C5j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
sub_A1C96F	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1CA59	proc near		; CODE XREF: sub_A1C96F+B3p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Eh]
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		nop
		lea	esi, [ecx+2Ch]
		xor	edx, edx
		push	0
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edi, eax
		lock bts dword ptr [esi], 0
		jnb	short loc_A1CA96
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx

loc_A1CA96:				; CODE XREF: sub_A1CA59+31j
		test	edi, edi
		jz	short loc_A1CA9E
		or	byte ptr [edi+0Eh], 1

loc_A1CA9E:				; CODE XREF: sub_A1CA59+3Fj
		mov	eax, [ebp+var_4]
		add	eax, 24h
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jz	short loc_A1CAB0
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A1CAB0:				; CODE XREF: sub_A1CA59+50j
		mov	[ebx], eax
		mov	[ebx+4], ecx
		mov	[ecx], ebx
		mov	[eax+4], ebx
		or	eax, 0FFFFFFFFh
		or	dword ptr [ebx+8], 1
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1CAD2
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1CAD2:				; CODE XREF: sub_A1CA59+70j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	ecx, ebx
		call	sub_A1D601
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
sub_A1CA59	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1CAF1	proc near		; CODE XREF: sub_A1D36F+C8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	edi
		mov	[ebp+var_C], eax
		mov	ebx, edx
		mov	[ebp+var_8], eax
		mov	edi, [esi+14h]
		mov	ecx, edi
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	10h
		pop	edx
		call	?RtlULongMult@@YGJKKPAK@Z ; RtlULongMult(ulong,ulong,ulong *)
		test	eax, eax
		js	short loc_A1CB91
		mov	edx, [esi+1Ch]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, edi
		call	?RtlULongAdd@@YGJKKPAK@Z ; RtlULongAdd(ulong,ulong,ulong *)
		test	eax, eax
		js	short loc_A1CB91
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	10h
		pop	edx
		call	?RtlULongMult@@YGJKKPAK@Z ; RtlULongMult(ulong,ulong,ulong *)
		test	eax, eax
		js	short loc_A1CB91
		mov	ecx, [esi+10h]
		lea	eax, [ecx+1]
		cmp	eax, edi
		jb	short loc_A1CB6D
		mov	edx, [ebp+var_C]
		lea	ecx, [esi+18h]
		push	ecx
		push	[ebp+var_8]
		mov	ecx, [ecx]
		call	sub_A1B037
		test	eax, eax
		js	short loc_A1CB91
		mov	eax, [esi+1Ch]
		add	[esi+14h], eax
		mov	ecx, [esi+10h]

loc_A1CB6D:				; CODE XREF: sub_A1CAF1+5Cj
		mov	eax, [ebp+arg_0]
		shl	ecx, 4
		add	ecx, [esi+18h]
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx], ebx
		mov	[ecx+0Ch], eax
		mov	ecx, ebx
		inc	dword ptr [esi+10h]
		call	sub_A1D601

loc_A1CB91:				; CODE XREF: sub_A1CAF1+2Dj
					; sub_A1CAF1+3Fj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
sub_A1CAF1	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1CB98	proc near		; DATA XREF: sub_A1B2D2+46o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_A1CBB0
		xor	eax, eax
		cmp	[ebp+arg_4], eax
		jz	short loc_A1CBBA
		inc	eax
		xor	edx, edx
		jmp	short loc_A1CBC2
; 

loc_A1CBB0:				; CODE XREF: sub_A1CB98+Aj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_A1CBBE
		or	eax, 0FFFFFFFFh

loc_A1CBBA:				; CODE XREF: sub_A1CB98+11j
		mov	edx, eax
		jmp	short loc_A1CBC2
; 

loc_A1CBBE:				; CODE XREF: sub_A1CB98+1Dj
		sub	eax, [ecx+18h]
		cdq

loc_A1CBC2:				; CODE XREF: sub_A1CB98+16j
					; sub_A1CB98+24j
		pop	ebp
		retn	0Ch
sub_A1CB98	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1CBC6	proc near		; CODE XREF: sub_A1D230+A5p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_19		= dword	ptr -19h
arg_0		= dword	ptr  8

		push	64h
		push	offset dword_6AABE0
		call	__SEH_prolog4
		mov	edi, edx
		mov	[ebp+var_5C], ecx
		xor	ebx, ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_50], ebx
		mov	byte ptr [ebp+var_19], bl
		mov	eax, ebx
		mov	[ebp+var_28], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_38], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_48], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_58], ebx
		mov	eax, dword_6D6BDC
		mov	[ebp+var_68], eax
		lea	edx, [ebp+var_30]
		push	38h
		pop	ecx
		call	sub_A1ACD8
		mov	esi, eax
		test	esi, esi
		js	loc_A1D0D1
		push	38h		; size_t
		push	ebx		; int
		mov	ebx, [ebp+var_30]
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		and	dword ptr [ebx+8], 0FFFFFFFEh
		xor	eax, eax
		inc	eax
		mov	[ebx+30h], eax
		and	dword ptr [ebx+34h], 0
		cmp	[edi+8], eax
		jnz	loc_A1CCF5
		lea	ecx, [edi+10h]
		mov	edx, 0F8h
		call	sub_A1B127
		mov	esi, eax
		test	esi, esi
		js	loc_A1D0D4
		xor	eax, eax
		mov	[ebp-4], eax
		push	eax
		push	eax
		push	eax
		push	0F8h
		push	dword ptr [edi+140h]
		call	IoAllocateMdl
		mov	esi, eax
		mov	[ebp+var_20], esi
		mov	[ebp+var_34], esi
		test	esi, esi
		jnz	short loc_A1CC9A

loc_A1CC86:				; CODE XREF: sub_A1CBC6+17Bj
					; sub_A1CBC6+28Ej ...
		mov	esi, 0C0000017h

loc_A1CC8B:				; CODE XREF: sub_A1CBC6+24Ej
		mov	[ebp+var_24], esi

loc_A1CC8E:				; CODE XREF: sub_A1CBC6+2D2j
					; sub_A1CBC6+2F2j ...
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		jmp	loc_A1D0D4
; 

loc_A1CC9A:				; CODE XREF: sub_A1CBC6+BEj
		mov	ecx, esi
		call	_MmProbeAndLockPagesPrivate@8 ;	MmProbeAndLockPagesPrivate(x,x)
		xor	eax, eax
		inc	eax
		mov	[ebp+var_48], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 0F8h
		jmp	loc_A1CD60
; 

loc_A1CCB8:				; DATA XREF: .text:006AABF4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_60], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A1CCC8:				; DATA XREF: .text:006AABF8o
		mov	esi, [ebp+var_60]

loc_A1CCCB:				; CODE XREF: sub_A1CBC6+4DFj
					; sub_A1CBC6+4FFj
		mov	esp, [ebp+var_19+1]
		mov	[ebp+var_24], esi
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	ebx, [ebp+var_30]
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_28], eax
		mov	edi, [ebp+var_34]
		mov	eax, [ebp+var_40]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_44]
		mov	[ebp+var_3C], eax
		jmp	loc_A1D0D7
; 

loc_A1CCF5:				; CODE XREF: sub_A1CBC6+7Fj
		call	sub_597FFE
		cmp	dword ptr [edi+8], 0
		jnz	loc_A1D0CA
		lea	ecx, [edi+10h]
		mov	edx, 0F0h
		call	sub_A1B127
		mov	esi, eax
		test	esi, esi
		js	loc_A1D0D4
		mov	dword ptr [ebp-4], 1
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	0F0h
		push	dword ptr [edi+140h]
		call	IoAllocateMdl
		mov	esi, eax
		mov	[ebp+var_20], esi
		mov	[ebp+var_34], esi
		test	esi, esi
		jz	loc_A1CC86
		mov	ecx, esi
		call	_MmProbeAndLockPagesPrivate@8 ;	MmProbeAndLockPagesPrivate(x,x)
		xor	eax, eax
		inc	eax
		mov	[ebp+var_48], eax
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	edx, 0F0h

loc_A1CD60:				; CODE XREF: sub_A1CBC6+EDj
		push	eax
		mov	ecx, [edi+140h]
		call	sub_A1B19E
		mov	esi, eax
		test	esi, esi
		js	loc_A1D0D4
		lea	eax, [ebp+var_50]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		mov	edx, [edi+138h]
		mov	ecx, [ebp+var_5C]
		call	sub_A1DFF5
		mov	esi, eax
		test	esi, esi
		js	loc_A1D0D4
		lea	edx, [ebp+var_2C]
		mov	ecx, [edi+138h]
		call	sub_A1ACD8
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_A1D0AA
		mov	dword ptr [ebp-4], 2
		mov	eax, [edi+118h]
		test	eax, eax
		jz	short loc_A1CDE2
		mov	edx, [edi+110h]
		lea	esi, [edx+eax]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	esi, ecx
		ja	short loc_A1CDD9
		cmp	esi, edx
		jnb	short loc_A1CDE2

loc_A1CDD9:				; CODE XREF: sub_A1CBC6+20Dj
		mov	byte ptr [ecx],	0
		mov	eax, [edi+118h]

loc_A1CDE2:				; CODE XREF: sub_A1CBC6+1FAj
					; sub_A1CBC6+211j
		push	eax		; size_t
		push	dword ptr [edi+110h] ; void *
		mov	eax, [edi+11Ch]
		mov	esi, [ebp+var_2C]
		mov	[ebp+var_28], esi
		add	eax, esi
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	dword ptr [edi+8], 1
		jnz	short loc_A1CE2A
		cmp	dword ptr [edi+118h], 4
		jnb	short loc_A1CE19

loc_A1CE0F:				; CODE XREF: sub_A1CBC6+26Dj
					; sub_A1CBC6+35Dj ...
		mov	esi, 0C000000Dh
		jmp	loc_A1CC8B
; 

loc_A1CE19:				; CODE XREF: sub_A1CBC6+247j
		mov	ecx, [edi+11Ch]
		mov	eax, [edi+120h]
		mov	[esi+ecx], eax
		jmp	short loc_A1CE35
; 

loc_A1CE2A:				; CODE XREF: sub_A1CBC6+23Ej
		call	sub_597FFE
		cmp	dword ptr [edi+8], 0
		jnz	short loc_A1CE0F

loc_A1CE35:				; CODE XREF: sub_A1CBC6+262j
		push	0
		push	0
		push	0
		push	dword ptr [edi+118h]
		push	dword ptr [edi+110h]
		call	IoAllocateMdl
		mov	[ebp+var_38], eax
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	loc_A1CC86
		mov	ecx, eax
		call	_MmProbeAndLockPagesPrivate@8 ;	MmProbeAndLockPagesPrivate(x,x)
		mov	[ebp+var_54], 1
		lea	ecx, [edi+60h]
		mov	edx, [edi+11Ch]
		add	edx, esi	; void *
		lea	eax, [ebp+var_19]
		push	eax		; int
		push	ecx		; int
		push	ecx		; int
		push	dword ptr [edi+114h] ; int
		lea	eax, [edi+58h]
		push	eax		; int
		push	dword ptr [edi+118h] ; int
		push	edx		; void *
		xor	ecx, ecx	; int
		call	sub_A1AC58
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_A1CC8E
		push	1
		mov	edx, [edi+118h]
		mov	ecx, [edi+110h]
		call	sub_A1B19E
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_A1CC8E
		mov	eax, [edi+124h]
		test	eax, eax
		jz	loc_A1CFD2
		mov	ecx, [edi+12Ch]
		mov	edx, eax
		test	ecx, ecx
		jz	short loc_A1CF00
		lea	esi, [ecx+eax]
		mov	edx, ds:_MmUserProbeAddress
		mov	[ebp+var_64], edx
		cmp	esi, edx
		ja	short loc_A1CEF1
		mov	edx, eax
		cmp	esi, eax
		jnb	short loc_A1CF00
		mov	edx, [ebp+var_64]

loc_A1CEF1:				; CODE XREF: sub_A1CBC6+320j
		mov	byte ptr [edx],	0
		mov	ecx, [edi+12Ch]
		mov	edx, [edi+124h]

loc_A1CF00:				; CODE XREF: sub_A1CBC6+310j
					; sub_A1CBC6+326j
		push	ecx		; size_t
		push	edx		; void *
		mov	eax, [edi+130h]
		mov	esi, [ebp+var_28]
		add	eax, esi
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		cmp	dword ptr [edi+8], 1
		jnz	short loc_A1CF3A
		cmp	dword ptr [edi+12Ch], 4
		jb	loc_A1CE0F
		mov	ecx, [edi+130h]
		mov	eax, [edi+134h]
		mov	[esi+ecx], eax
		jmp	short loc_A1CF49
; 

loc_A1CF3A:				; CODE XREF: sub_A1CBC6+354j
		call	sub_597FFE
		cmp	dword ptr [edi+8], 0
		jnz	loc_A1CE0F

loc_A1CF49:				; CODE XREF: sub_A1CBC6+372j
		push	0
		push	0
		push	0
		push	dword ptr [edi+12Ch]
		push	dword ptr [edi+124h]
		call	IoAllocateMdl
		mov	[ebp+var_3C], eax
		mov	[ebp+var_44], eax
		test	eax, eax
		jz	loc_A1CC86
		mov	ecx, eax
		call	_MmProbeAndLockPagesPrivate@8 ;	MmProbeAndLockPagesPrivate(x,x)
		mov	[ebp+var_58], 1
		mov	edx, [edi+130h]
		add	edx, esi	; void *
		lea	eax, [ebp+var_19]
		push	eax		; int
		push	ecx		; int
		lea	eax, [edi+60h]
		push	eax		; int
		push	dword ptr [edi+128h] ; int
		lea	eax, [edi+58h]
		push	eax		; int
		push	dword ptr [edi+12Ch] ; int
		push	edx		; void *
		xor	ecx, ecx	; int
		call	sub_A1AC58
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_A1CC8E
		push	1
		mov	edx, [edi+12Ch]
		mov	ecx, [edi+124h]
		call	sub_A1B19E
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		js	loc_A1CC8E

loc_A1CFD2:				; CODE XREF: sub_A1CBC6+300j
		push	dword ptr [edi+138h] ; size_t
		mov	eax, [ebp+var_28]
		push	eax		; void *
		mov	esi, [ebp+var_4C]
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [ebp-4], 0FFFFFFFEh
		mov	eax, [edi]
		mov	[ebx+28h], eax
		mov	[ebx+14h], esi
		mov	eax, [edi+11Ch]
		mov	ecx, [ebp+var_50]
		add	eax, ecx
		mov	[ebx+0Ch], eax
		mov	eax, [edi+130h]
		test	eax, eax
		jz	short loc_A1D016
		add	eax, ecx
		mov	[ebx+10h], eax
		jmp	short loc_A1D01A
; 

loc_A1D016:				; CODE XREF: sub_A1CBC6+447j
		and	dword ptr [ebx+10h], 0

loc_A1D01A:				; CODE XREF: sub_A1CBC6+44Ej
		mov	eax, [edi+138h]
		mov	[ebx+2Ch], eax
		mov	eax, [edi+110h]
		mov	[ebx+18h], eax
		mov	eax, [edi+110h]
		sub	eax, [ebx+0Ch]
		mov	[ebx+20h], eax
		and	dword ptr [ebx+24h], 0
		mov	ecx, esi
		mov	eax, [ebx+28h]
		mov	[ecx], eax
		mov	eax, [ebx+14h]
		mov	ecx, [ebp+var_68]
		mov	[eax+8], ecx
		and	dword ptr [eax+0Ch], 0
		push	dword ptr [edi+118h]
		push	dword ptr [ebx+0Ch]
		push	0FFFFFFFFh
		call	_ZwFlushInstructionCache@12 ; ZwFlushInstructionCache(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A1D0D4
		cmp	dword ptr [edi+124h], 0
		jz	short loc_A1D085
		push	dword ptr [edi+12Ch]
		push	dword ptr [ebx+10h]
		push	0FFFFFFFFh
		call	_ZwFlushInstructionCache@12 ; ZwFlushInstructionCache(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A1D0D4

loc_A1D085:				; CODE XREF: sub_A1CBC6+4A7j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A1D0D4
		mov	[eax], ebx
		xor	ebx, ebx
		jmp	short loc_A1D0D4
; 

loc_A1D092:				; DATA XREF: .text:006AAC0Co
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_6C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A1D0A2:				; DATA XREF: .text:006AAC10o
		mov	esi, [ebp+var_6C]
		jmp	loc_A1CCCB
; 

loc_A1D0AA:				; CODE XREF: sub_A1CBC6+1E5j
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_28], eax
		jmp	short loc_A1D0D4
; 

loc_A1D0B2:				; DATA XREF: .text:006AAC00o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_70], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A1D0C2:				; DATA XREF: .text:006AAC04o
		mov	esi, [ebp+var_70]
		jmp	loc_A1CCCB
; 

loc_A1D0CA:				; CODE XREF: sub_A1CBC6+138j
		mov	esi, 0C000000Dh
		jmp	short loc_A1D0D4
; 

loc_A1D0D1:				; CODE XREF: sub_A1CBC6+59j
		mov	ebx, [ebp+var_30]

loc_A1D0D4:				; CODE XREF: sub_A1CBC6+96j
					; sub_A1CBC6+CFj ...
		mov	edi, [ebp+var_20]

loc_A1D0D7:				; CODE XREF: sub_A1CBC6+12Aj
		test	edi, edi
		jz	short loc_A1D0ED
		cmp	[ebp+var_48], 0
		jz	short loc_A1D0E7
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_A1D0E7:				; CODE XREF: sub_A1CBC6+519j
		push	edi
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_A1D0ED:				; CODE XREF: sub_A1CBC6+513j
		mov	edi, [ebp+var_38]
		test	edi, edi
		jz	short loc_A1D106
		cmp	[ebp+var_54], 0
		jz	short loc_A1D100
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_A1D100:				; CODE XREF: sub_A1CBC6+532j
		push	edi
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_A1D106:				; CODE XREF: sub_A1CBC6+52Cj
		mov	edi, [ebp+var_3C]
		test	edi, edi
		jz	short loc_A1D11F
		cmp	[ebp+var_58], 0
		jz	short loc_A1D119
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)

loc_A1D119:				; CODE XREF: sub_A1CBC6+54Bj
		push	edi
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_A1D11F:				; CODE XREF: sub_A1CBC6+545j
		mov	edx, ebx
		mov	ecx, [ebp+var_5C]
		call	sub_A1D14F
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_A1D13B
		push	42524157h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1D13B:				; CODE XREF: sub_A1CBC6+568j
		mov	eax, esi
		mov	ecx, [ebp-10h]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
sub_A1CBC6	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1D14F	proc near		; CODE XREF: sub_A1B40A+58p
					; sub_A1B40A+89p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	eax, edx
		mov	[ebp+var_10], ecx
		xor	esi, esi
		mov	[ebp+var_C], eax
		push	edi
		mov	edi, esi
		test	eax, eax
		jz	short loc_A1D1B7
		add	eax, 30h
		mov	[ebp+var_4], eax

loc_A1D170:				; CODE XREF: sub_A1D14F+49j
					; sub_A1D14F+4Dj
		mov	edx, [eax]
		mov	ebx, edx
		mov	edi, [eax+4]
		sub	ebx, 1
		mov	ecx, edi
		mov	[ebp+var_8], edx
		mov	eax, edx
		sbb	ecx, esi
		mov	edx, edi
		nop
		mov	esi, [ebp+var_4]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+var_8]
		cmp	eax, ecx
		mov	eax, [ebp+var_4]
		push	0
		pop	esi
		jnz	short loc_A1D170
		cmp	edx, edi
		jnz	short loc_A1D170
		mov	esi, ecx
		add	esi, 0FFFFFFFFh
		mov	ecx, esi
		adc	edi, 0FFFFFFFFh
		or	ecx, edi
		jnz	short loc_A1D1B7
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		call	sub_A1D1FE

loc_A1D1B7:				; CODE XREF: sub_A1D14F+19j
					; sub_A1D14F+5Bj
		mov	edx, edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
sub_A1D14F	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1D1C0	proc near		; CODE XREF: sub_A1C96F+5Ap
					; sub_A1D230+6Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_4]
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		add	ecx, 4
		call	WbFindLookupEntry
		test	eax, eax
		js	short locret_A1D1FA
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_A1D1F9
		push	edi
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		call	sub_A1D601
		test	eax, eax
		js	short loc_A1D1F8
		mov	[esi], edi

loc_A1D1F8:				; CODE XREF: sub_A1D1C0+34j
		pop	edi

loc_A1D1F9:				; CODE XREF: sub_A1D1C0+25j
		pop	esi

locret_A1D1FA:				; CODE XREF: sub_A1D1C0+1Dj
		leave
		retn	8
sub_A1D1C0	endp


;  S U B	R O U T	I N E 


sub_A1D1FE	proc near		; CODE XREF: sub_A1D14F+63p
		mov	edi, edi
		push	esi
		mov	esi, edx
		test	esi, esi
		jz	short loc_A1D22C
		mov	edx, [esi+14h]
		test	edx, edx
		jz	short loc_A1D221
		call	sub_A1E37F
		xor	eax, eax
		mov	[esi+14h], eax
		mov	[esi+0Ch], eax
		mov	[esi+10h], eax
		mov	[esi+2Ch], eax

loc_A1D221:				; CODE XREF: sub_A1D1FE+Ej
		push	42524157h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1D22C:				; CODE XREF: sub_A1D1FE+7j
		xor	eax, eax
		pop	esi
		retn
sub_A1D1FE	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1D230	proc near		; CODE XREF: sub_A1D36F+7Ep

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		xor	eax, eax
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_10], edx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	edx, [ebx+8]
		sub	edx, [ebx+20h]
		mov	[ebp+var_C], eax
		call	sub_A1D767
		call	_KeEnterGuardedRegion@0	; KeEnterGuardedRegion()
		lea	esi, [ebx+1Ch]
		xor	edx, edx
		push	0
		mov	ecx, esi
		call	KeAbPreAcquire
		push	11h
		mov	edi, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_A1D283
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockSharedEx

loc_A1D283:				; CODE XREF: sub_A1D230+47j
		test	edi, edi
		jz	short loc_A1D28B
		or	byte ptr [edi+0Eh], 1

loc_A1D28B:				; CODE XREF: sub_A1D230+55j
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_4]
		push	0
		push	eax
		mov	ecx, ebx
		mov	edx, [edx+110h]
		call	sub_A1D1C0
		push	11h
		mov	edi, eax
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_A1D2B8
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A1D2B8:				; CODE XREF: sub_A1D230+7Fj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveGuardedRegion@0	; KeLeaveGuardedRegion()
		cmp	edi, 0C0000272h
		jnz	short loc_A1D312
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, ebx
		call	sub_A1CBC6
		mov	esi, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_A1D32D
		lea	eax, [ebp+var_C]
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	sub_A1C96F
		mov	edi, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_8], eax
		test	edi, edi
		js	short loc_A1D32D
		test	eax, eax
		jz	short loc_A1D319
		mov	edx, esi
		mov	ecx, ebx
		call	sub_A1D14F
		mov	esi, [ebp+var_8]
		and	[ebp+var_8], 0
		jmp	short loc_A1D319
; 

loc_A1D312:				; CODE XREF: sub_A1D230+9Aj
		mov	esi, [ebp+var_4]
		test	edi, edi
		js	short loc_A1D32D

loc_A1D319:				; CODE XREF: sub_A1D230+CEj
					; sub_A1D230+E0j
		mov	edx, esi
		mov	ecx, ebx
		call	sub_A1D660
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A1D32D
		mov	[eax], esi
		xor	esi, esi

loc_A1D32D:				; CODE XREF: sub_A1D230+B1j
					; sub_A1D230+CAj ...
		mov	edx, esi
		mov	ecx, ebx
		call	sub_A1D14F
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		call	sub_A1D14F
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
sub_A1D230	endp


;  S U B	R O U T	I N E 


sub_A1D349	proc near		; CODE XREF: sub_A1D4C6+29p
		mov	edi, edi
		push	esi
		mov	esi, [ecx+10h]
		xor	eax, eax
		test	esi, esi
		jnz	short loc_A1D35C
		mov	eax, 0C000000Dh
		pop	esi
		retn
; 

loc_A1D35C:				; CODE XREF: sub_A1D349+Aj
		test	edx, edx
		jz	short loc_A1D36D
		mov	ecx, [ecx+18h]
		shl	esi, 4
		add	ecx, 0FFFFFFF0h
		add	ecx, esi
		mov	[edx], ecx

loc_A1D36D:				; CODE XREF: sub_A1D349+15j
		pop	esi
		retn
sub_A1D349	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	sub_A1D36F(int,size_t)
sub_A1D36F	proc near		; CODE XREF: sub_A1AAB4+123p

var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 174h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+174h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[esp+180h+var_158], eax
		lea	edi, [esp+180h+var_168]
		xor	eax, eax
		mov	[esp+180h+var_15C], ecx
		stosd
		xor	ebx, ebx
		push	148h		; size_t
		mov	esi, edx
		mov	[esp+184h+var_170], ebx
		push	ebx		; int
		stosd
		mov	[esp+188h+var_154], esi
		mov	[esp+188h+var_16C], ebx
		stosd
		lea	eax, [esp+188h+var_150]
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+arg_4]
		lea	eax, [esp+18Ch+var_150]
		add	esp, 0Ch
		mov	ecx, esi
		push	eax		; void *
		call	sub_A1D969
		mov	esi, eax
		test	esi, esi
		js	loc_A1D493
		mov	ebx, [esp+180h+var_15C]
		lea	eax, [esp+180h+var_170]
		push	eax
		lea	edx, [esp+184h+var_150]
		mov	ecx, ebx
		call	sub_A1D230
		mov	esi, eax
		test	esi, esi
		js	loc_A1D48F
		lea	eax, [esp+180h+var_16C]
		mov	ecx, ebx
		push	eax
		call	sub_A1E613
		mov	edi, [esp+180h+var_16C]
		mov	esi, eax
		test	esi, esi
		js	short loc_A1D489
		lea	edx, [esp+180h+var_168]
		mov	ecx, edi
		call	sub_A1AD29
		mov	ebx, [esp+180h+var_170]
		mov	esi, eax
		test	esi, esi
		js	short loc_A1D497
		push	[esp+180h+var_160]
		mov	edx, ebx
		mov	ecx, edi
		push	[esp+184h+var_168]
		push	[esp+188h+var_164]
		call	sub_A1CAF1
		mov	esi, eax
		test	esi, esi
		js	short loc_A1D497
		push	[ebp+arg_4]	; size_t
		lea	eax, [esp+184h+var_168]
		mov	edx, ebx
		push	[esp+184h+var_158] ; void *
		lea	ecx, [esp+188h+var_150]
		push	[esp+188h+var_154] ; void *
		push	eax		; int
		call	sub_A1D8A2
		mov	esi, eax
		test	esi, esi
		js	short loc_A1D497
		and	[esp+180h+var_160], 0FFFFFEFFh
		mov	eax, [ebx+0Ch]
		lea	edx, [esp+180h+var_168]
		mov	ecx, edi
		mov	[esp+180h+var_164], eax
		call	sub_A1B0AD
		mov	esi, eax
		test	esi, esi
		js	short loc_A1D497
		mov	esi, [esp+180h+var_164]
		jmp	short loc_A1D497
; 

loc_A1D489:				; CODE XREF: sub_A1D36F+A1j
		mov	ebx, [esp+180h+var_170]
		jmp	short loc_A1D497
; 

loc_A1D48F:				; CODE XREF: sub_A1D36F+87j
		mov	ebx, [esp+180h+var_170]

loc_A1D493:				; CODE XREF: sub_A1D36F+69j
		mov	edi, [esp+180h+var_16C]

loc_A1D497:				; CODE XREF: sub_A1D36F+B6j
					; sub_A1D36F+D1j ...
		mov	ecx, [esp+180h+var_15C]
		mov	edx, edi
		call	sub_A1E4FB
		mov	ecx, [esp+180h+var_15C]
		mov	edx, ebx
		call	sub_A1D14F
		mov	ecx, [esp+180h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
sub_A1D36F	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1D4C6	proc near		; CODE XREF: sub_A1AAB4+133p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	eax
		mov	ebx, ecx
		call	sub_A1E613
		mov	esi, eax
		test	esi, esi
		js	short loc_A1D52E
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_8]
		call	sub_A1D349
		mov	esi, eax
		test	esi, esi
		js	short loc_A1D52E
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_14]
		mov	eax, [ecx+4]
		mov	[ebp+var_10], eax
		mov	eax, [ecx+8]
		mov	[ebp+var_14], eax
		mov	eax, [ecx+0Ch]
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_C], eax
		call	sub_A1B0AD
		mov	esi, eax
		test	esi, esi
		js	short loc_A1D52E
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	1
		call	sub_A1D706
		mov	esi, eax

loc_A1D52E:				; CODE XREF: sub_A1D4C6+21j
					; sub_A1D4C6+32j ...
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		call	sub_A1E4FB
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
sub_A1D4C6	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WbHeapExecutionUnloadModule(x, x)
_WbHeapExecutionUnloadModule@8 proc near ; CODE	XREF: sub_A1B649+94p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		dec	word ptr [eax+13Eh]
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_8], edx
		nop
		lea	edi, [ebx+1Ch]
		xor	edx, edx
		push	0
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_A1D581
		push	edi
		mov	edx, esi
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_A1D581:				; CODE XREF: WbHeapExecutionUnloadModule(x,x)+37j
		test	esi, esi
		jz	short loc_A1D589
		or	byte ptr [esi+0Eh], 1

loc_A1D589:				; CODE XREF: WbHeapExecutionUnloadModule(x,x)+45j
		xor	esi, esi
		cmp	[ebx+8], esi
		jbe	short loc_A1D5D2

loc_A1D590:				; CODE XREF: WbHeapExecutionUnloadModule(x,x)+92j
		mov	ecx, [ebx+4]
		mov	eax, [ebx+10h]
		imul	ecx, esi
		mov	eax, [ecx+eax]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_A1D5CC
		mov	ecx, [ebp+var_8]
		cmp	[eax+28h], ecx
		jnz	short loc_A1D5CC
		push	0
		push	esi
		push	0
		xor	edx, edx
		lea	ecx, [ebx+4]
		call	sub_A1DCCB
		mov	[ebp+var_4], eax
		test	eax, eax
		js	short loc_A1D5CC
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		call	sub_A1D14F
		dec	esi

loc_A1D5CC:				; CODE XREF: WbHeapExecutionUnloadModule(x,x)+63j
					; WbHeapExecutionUnloadModule(x,x)+6Bj	...
		inc	esi
		cmp	esi, [ebx+8]
		jb	short loc_A1D590

loc_A1D5D2:				; CODE XREF: WbHeapExecutionUnloadModule(x,x)+50j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1D5E6
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1D5E6:				; CODE XREF: WbHeapExecutionUnloadModule(x,x)+9Fj
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_WbHeapExecutionUnloadModule@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1D601	proc near		; CODE XREF: sub_A1C96F+99p
					; sub_A1CA59+8Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		xor	esi, esi
		test	ecx, ecx
		jz	short loc_A1D65B
		lea	edx, [ecx+30h]
		push	ebx
		mov	[ebp+var_4], edx
		push	edi

loc_A1D617:				; CODE XREF: sub_A1D601+3Ej
					; sub_A1D601+42j
		mov	eax, [edx]
		mov	ebx, eax
		mov	edi, [edx+4]
		add	ebx, 1
		mov	ecx, edi
		mov	[ebp+var_8], eax
		adc	ecx, esi
		mov	edx, edi
		nop
		mov	esi, [ebp+var_4]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+var_8]
		mov	ebx, edx
		mov	edx, [ebp+var_4]
		push	0
		pop	esi
		cmp	eax, ecx
		jnz	short loc_A1D617
		cmp	ebx, edi
		jnz	short loc_A1D617
		add	ecx, 1
		adc	edi, esi
		cmp	edi, esi
		pop	edi
		pop	ebx
		ja	short loc_A1D65B
		jb	short loc_A1D656
		cmp	ecx, esi
		ja	short loc_A1D65B

loc_A1D656:				; CODE XREF: sub_A1D601+4Fj
		mov	esi, 0C00000E5h

loc_A1D65B:				; CODE XREF: sub_A1D601+Cj
					; sub_A1D601+4Dj ...
		mov	eax, esi
		pop	esi
		leave
		retn
sub_A1D601	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1D660	proc near		; CODE XREF: sub_A1D230+EDp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Eh]
		mov	esi, edx
		mov	[ebp+var_4], ecx
		nop
		lea	edi, [ecx+2Ch]
		xor	edx, edx
		push	0
		mov	ecx, edi
		call	KeAbPreAcquire
		mov	ebx, eax
		lock bts dword ptr [edi], 0
		jnb	short loc_A1D69D
		push	edi
		mov	edx, ebx
		mov	ecx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_A1D69D:				; CODE XREF: sub_A1D660+31j
		test	ebx, ebx
		jz	short loc_A1D6A5
		or	byte ptr [ebx+0Eh], 1

loc_A1D6A5:				; CODE XREF: sub_A1D660+3Fj
		test	byte ptr [esi+8], 1
		jz	short loc_A1D6D5
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_A1D701
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_A1D701
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	eax, [ebp+var_4]
		add	eax, 24h
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_A1D701
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[ecx], esi
		mov	[eax+4], esi

loc_A1D6D5:				; CODE XREF: sub_A1D660+49j
		or	eax, 0FFFFFFFFh
		lock xadd [edi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1D6E9
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1D6E9:				; CODE XREF: sub_A1D660+80j
		mov	ecx, edi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A1D701:				; CODE XREF: sub_A1D660+50j
					; sub_A1D660+57j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
sub_A1D660	endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1D706	proc near		; CODE XREF: sub_A1D4C6+61p
					; sub_A1E5D7+11p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		mov	[ebp+var_4], ecx
		mov	ebx, edx
		push	edi
		cmp	esi, 0FFFFFFFFh
		jg	short loc_A1D726
		mov	esi, [ebx+10h]
		mov	ecx, esi
		jmp	short loc_A1D729
; 

loc_A1D726:				; CODE XREF: sub_A1D706+17j
		mov	ecx, [ebx+10h]

loc_A1D729:				; CODE XREF: sub_A1D706+1Ej
		cmp	esi, ecx
		jbe	short loc_A1D734
		mov	eax, 0C000000Dh
		jmp	short loc_A1D760
; 

loc_A1D734:				; CODE XREF: sub_A1D706+25j
		test	esi, esi
		jle	short loc_A1D760

loc_A1D738:				; CODE XREF: sub_A1D706+56j
		mov	ecx, [ebx+10h]
		mov	edi, [ebx+18h]
		shl	ecx, 4
		add	edi, 0FFFFFFF0h
		add	edi, ecx
		mov	ecx, [ebp+var_4]
		mov	edx, [edi]
		call	sub_A1D14F
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		dec	dword ptr [ebx+10h]
		sub	esi, 1
		jnz	short loc_A1D738
		xor	eax, eax

loc_A1D760:				; CODE XREF: sub_A1D706+2Cj
					; sub_A1D706+30j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
sub_A1D706	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1D767	proc near		; CODE XREF: sub_A1D230+22p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		test	edx, edx
		jle	loc_A1D898
		lea	ebx, [edi+2Ch]

loc_A1D77F:				; CODE XREF: sub_A1D767+12Bj
		mov	eax, large fs:124h
		lea	ecx, [edi+1Ch]
		dec	edx
		mov	[ebp+var_8], edx
		dec	word ptr [eax+13Eh]
		nop
		push	0
		xor	edx, edx
		call	KeAbPreAcquire
		mov	esi, eax
		lea	eax, [edi+1Ch]
		lock bts dword ptr [eax], 0
		jnb	short loc_A1D7B3
		push	eax
		mov	edx, esi
		mov	ecx, eax
		call	ExfAcquirePushLockExclusiveEx

loc_A1D7B3:				; CODE XREF: sub_A1D767+40j
		test	esi, esi
		jz	short loc_A1D7BB
		or	byte ptr [esi+0Eh], 1

loc_A1D7BB:				; CODE XREF: sub_A1D767+4Ej
		push	0
		xor	edx, edx
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	esi, eax
		lock bts dword ptr [ebx], 0
		jnb	short loc_A1D7D9
		push	ebx
		mov	edx, esi
		mov	ecx, ebx
		call	ExfAcquirePushLockExclusiveEx

loc_A1D7D9:				; CODE XREF: sub_A1D767+66j
		test	esi, esi
		jz	short loc_A1D7E1
		or	byte ptr [esi+0Eh], 1

loc_A1D7E1:				; CODE XREF: sub_A1D767+74j
		lea	edx, [edi+24h]
		mov	eax, [edx]
		cmp	eax, edx
		jz	short loc_A1D805
		cmp	[eax+4], edx
		jnz	loc_A1D89D
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_A1D89D
		mov	[edx], ecx
		mov	[ecx+4], edx
		jmp	short loc_A1D807
; 

loc_A1D805:				; CODE XREF: sub_A1D767+81j
		xor	eax, eax

loc_A1D807:				; CODE XREF: sub_A1D767+9Cj
		xor	esi, esi
		test	eax, eax
		jz	short loc_A1D813
		and	dword ptr [eax+8], 0FFFFFFFEh
		mov	esi, eax

loc_A1D813:				; CODE XREF: sub_A1D767+A4j
		or	eax, 0FFFFFFFFh
		lock xadd [ebx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1D827
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1D827:				; CODE XREF: sub_A1D767+B7j
		mov	ecx, ebx
		call	KeAbPostRelease
		test	esi, esi
		jz	short loc_A1D857
		mov	edx, [esi+18h]
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		lea	ecx, [edi+4]
		push	eax
		push	0FFFFFFFFh
		push	4
		call	sub_A1DCCB
		test	eax, eax
		js	short loc_A1D857
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		call	sub_A1D14F

loc_A1D857:				; CODE XREF: sub_A1D767+C9j
					; sub_A1D767+E4j
		or	eax, 0FFFFFFFFh
		lea	ecx, [edi+1Ch]
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1D86F
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		lea	ecx, [edi+1Ch]

loc_A1D86F:				; CODE XREF: sub_A1D767+FEj
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	esi, esi
		jz	short loc_A1D898
		mov	edx, esi
		mov	ecx, edi
		call	sub_A1D14F
		mov	edx, [ebp+var_8]
		test	edx, edx
		jg	loc_A1D77F

loc_A1D898:				; CODE XREF: sub_A1D767+Fj
					; sub_A1D767+11Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A1D89D:				; CODE XREF: sub_A1D767+86j
					; sub_A1D767+91j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
sub_A1D767	endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	sub_A1D8A2(int,void *,void *,size_t)
sub_A1D8A2	proc near		; CODE XREF: sub_A1D36F+E9p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	18h
		push	offset dword_6AABC0
		call	__SEH_prolog4
		mov	eax, ecx
		mov	[ebp+var_1C], eax
		xor	esi, esi
		cmp	[eax+124h], esi
		jz	short loc_A1D8DD
		cmp	[ebp+arg_C], 20h
		jnb	short loc_A1D8CD
		mov	esi, 80000005h
		jmp	loc_A1D955
; 

loc_A1D8CD:				; CODE XREF: sub_A1D8A2+1Fj
		mov	eax, [edx+10h]
		cdq
		mov	ecx, [ebp+arg_4]
		mov	[ecx+18h], eax
		mov	[ecx+1Ch], edx
		mov	eax, [ebp+var_1C]

loc_A1D8DD:				; CODE XREF: sub_A1D8A2+19j
		mov	[ebp+ms_exc.disabled], esi
		mov	edi, esi
		mov	ebx, [ebp+arg_0]

loc_A1D8E5:				; CODE XREF: sub_A1D8A2+6Bj
		mov	[ebp+var_20], edi
		mov	eax, [eax+13Ch]
		shr	eax, 0Ah
		inc	eax
		cmp	edi, eax
		jnb	short loc_A1D90F
		push	1
		push	4
		mov	ecx, edi
		shl	ecx, 0Ah
		mov	eax, [ebx]
		sub	eax, ecx
		push	eax
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		inc	edi
		mov	eax, [ebp+var_1C]
		jmp	short loc_A1D8E5
; 

loc_A1D90F:				; CODE XREF: sub_A1D8A2+52j
		add	dword ptr [ebx], 0FFFFFFF0h
		mov	edx, [ebx]
		add	edx, 0FFFFFFF0h
		mov	[ebx], edx
		mov	[ebp+var_28], esi
		mov	ecx, [ebp+arg_8]
		lea	eax, [ecx+10h]
		mov	[edx], eax
		push	[ebp+arg_C]	; size_t
		push	[ebp+arg_4]	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_A1D94E
; 

loc_A1D935:				; DATA XREF: .text:006AABD4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A1D945:				; DATA XREF: .text:006AABD8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_24]
		mov	[ebp+var_28], esi

loc_A1D94E:				; CODE XREF: sub_A1D8A2+91j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A1D955:				; CODE XREF: sub_A1D8A2+26j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
sub_A1D8A2	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	sub_A1D969(void	*)
sub_A1D969	proc near		; CODE XREF: sub_A1D36F+60p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	1Ch
		push	offset dword_6AAC18
		call	__SEH_prolog4
		mov	esi, edx
		mov	edi, ecx
		mov	[ebp+var_1C], edi
		mov	ebx, [ebp+arg_0]
		push	148h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		cmp	esi, 18h
		jnb	short loc_A1D99E

loc_A1D994:				; CODE XREF: sub_A1D969+38j
					; sub_A1D969+CDj ...
		mov	edx, 0C000000Dh
		jmp	loc_A1DB6A
; 

loc_A1D99E:				; CODE XREF: sub_A1D969+29j
		cmp	dword ptr [edi], 3
		jnz	short loc_A1D994
		xor	edx, edx
		mov	[ebp+ms_exc.disabled], edx
		mov	esi, [edi+8]
		lea	ecx, [esi+0F0h]
		mov	eax, ds:_MmUserProbeAddress
		cmp	ecx, eax
		ja	short loc_A1D9BE
		cmp	ecx, esi
		jnb	short loc_A1D9C3

loc_A1D9BE:				; CODE XREF: sub_A1D969+4Fj
		mov	[eax], dl
		mov	esi, [edi+8]

loc_A1D9C3:				; CODE XREF: sub_A1D969+53j
		lea	edi, [ebx+10h]
		push	3Ch
		pop	ecx
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_1C]
		mov	eax, [esi+8]
		mov	[ebx+140h], eax
		mov	eax, [ebx+34h]
		mov	ecx, eax
		and	ecx, 0Fh
		mov	[ebx+8], ecx
		shr	eax, 4
		and	eax, 0Fh
		mov	[ebx+0Ch], eax
		xor	eax, eax
		inc	eax
		cmp	ecx, eax
		jnz	loc_A1DAC9
		mov	[ebp+ms_exc.disabled], eax
		mov	eax, [esi+8]
		lea	edi, [eax+0F8h]
		mov	ecx, ds:_MmUserProbeAddress
		cmp	edi, ecx
		ja	short loc_A1DA17
		cmp	edi, eax
		jnb	short loc_A1DA1C

loc_A1DA17:				; CODE XREF: sub_A1D969+A8j
		mov	[ecx], dl
		mov	eax, [esi+8]

loc_A1DA1C:				; CODE XREF: sub_A1D969+ACj
		push	3Eh
		pop	ecx
		mov	esi, eax
		lea	edi, [ebx+10h]
		rep movsd
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebx+48h]
		and	edi, 0FFFFFFFh
		jbe	loc_A1D994
		mov	esi, [ebp+var_1C]

loc_A1DA3F:				; CODE XREF: sub_A1D969+179j
		mov	eax, [esi+8]
		mov	ecx, [eax+28h]
		mov	esi, 0FFFFFFFh
		and	ecx, esi
		mov	eax, [ebx+140h]
		sub	eax, ecx
		mov	[ebx], eax
		mov	[ebx+4], edx
		mov	eax, [ebx+3Ch]
		mov	ecx, 1000h
		cmp	eax, ecx
		ja	short loc_A1DA67
		mov	eax, ecx

loc_A1DA67:				; CODE XREF: sub_A1D969+FAj
		mov	[ebx+13Ch], eax
		mov	ecx, [ebx+4Ch]
		mov	eax, [ebx]
		mov	[ebp+var_1C], eax
		mov	eax, [ebx+44h]
		and	eax, esi
		mov	[ebp+var_24], eax
		and	ecx, esi
		jz	short loc_A1DAED
		mov	eax, [ebx+50h]
		and	eax, esi
		mov	[ebp+var_28], eax
		add	eax, 10h
		mov	[ebx+130h], eax
		mov	[ebx+12Ch], edi
		mov	eax, [ebp+var_24]
		mov	[ebx+128h], eax
		add	eax, [ebp+var_1C]
		mov	[ebx+124h], eax
		mov	eax, ecx
		mov	edi, [ebp+var_28]
		jmp	short loc_A1DAEF
; 

loc_A1DAB1:				; DATA XREF: .text:006AAC38o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A1DAC1:				; DATA XREF: .text:006AAC3Co
		mov	edx, [ebp+var_20]
		jmp	loc_A1DB60
; 

loc_A1DAC9:				; CODE XREF: sub_A1D969+8Ej
		call	sub_597FFE
		xor	edx, edx
		cmp	[ebx+8], edx
		jnz	loc_A1D994
		mov	edi, [ebx+48h]
		and	edi, 0FFFFFFFh
		ja	loc_A1DA3F
		jmp	loc_A1D994
; 

loc_A1DAED:				; CODE XREF: sub_A1D969+116j
		mov	ecx, eax

loc_A1DAEF:				; CODE XREF: sub_A1D969+146j
		add	eax, [ebp+var_1C]
		mov	ebx, [ebp+arg_0]
		mov	dword ptr [ebx+11Ch], 10h
		mov	[ebx+118h], edi
		mov	[ebx+114h], ecx
		mov	[ebx+110h], eax
		cmp	dword ptr [ebx+8], 1
		jnz	short loc_A1DB3C
		mov	ecx, [ebx+100h]
		test	[ebx+4Ch], esi
		jz	short loc_A1DB36
		mov	eax, [ebx+104h]
		mov	[ebx+120h], eax
		mov	[ebx+134h], ecx
		jmp	short loc_A1DB3C
; 

loc_A1DB36:				; CODE XREF: sub_A1D969+1B7j
		mov	[ebx+120h], ecx

loc_A1DB3C:				; CODE XREF: sub_A1D969+1ACj
					; sub_A1D969+1CBj
		lea	eax, [edi+10h]
		add	eax, [ebx+12Ch]
		mov	[ebx+138h], eax
		jmp	short loc_A1DB6A
; 

loc_A1DB4D:				; DATA XREF: .text:006AAC2Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		call	_ExSystemExceptionFilter@0 ; ExSystemExceptionFilter()
		retn
; 

loc_A1DB5D:				; DATA XREF: .text:006AAC30o
		mov	edx, [ebp+var_2C]

loc_A1DB60:				; CODE XREF: sub_A1D969+15Bj
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A1DB6A:				; CODE XREF: sub_A1D969+30j
					; sub_A1D969+1E2j
		mov	eax, edx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
sub_A1D969	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1DB7E	proc near		; CODE XREF: sub_A1B24A+1Bp
					; sub_A1B814+AAp ...

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_C]
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_A1DBA5
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+arg_C]
		push	eax
		push	0
		push	[ebp+arg_8]
		call	WbFindLookupEntry
		mov	eax, [ebp+arg_C]

loc_A1DBA5:				; CODE XREF: sub_A1DB7E+11j
		push	eax
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	sub_A1DBB6
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
sub_A1DB7E	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1DBB6	proc near		; CODE XREF: sub_A1DB7E+2Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_18], edx
		xor	eax, eax
		lea	ecx, [ebp+var_C]
		push	edi
		mov	[ebp+var_C], eax
		mov	ebx, [esi+8]
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	eax, [esi]
		mov	edx, eax
		push	ecx
		mov	ecx, ebx
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], ebx
		call	?RtlULongMult@@YGJKKPAK@Z ; RtlULongMult(ulong,ulong,ulong *)
		mov	edi, eax
		test	edi, edi
		js	loc_A1DC9A
		mov	edx, [esi+10h]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, ebx
		call	?RtlULongAdd@@YGJKKPAK@Z ; RtlULongAdd(ulong,ulong,ulong *)
		mov	edi, eax
		test	edi, edi
		js	loc_A1DC9A
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	eax
		call	?RtlULongMult@@YGJKKPAK@Z ; RtlULongMult(ulong,ulong,ulong *)
		mov	edi, eax
		test	edi, edi
		js	short loc_A1DC9A
		mov	ebx, [esi+4]
		mov	ecx, [ebp+var_14]
		lea	eax, [ebx+1]
		cmp	eax, ecx
		jb	short loc_A1DC50
		mov	edx, [ebp+var_C]
		lea	ecx, [esi+0Ch]
		push	ecx
		push	[ebp+var_8]
		mov	ecx, [ecx]
		call	sub_A1B037
		mov	edi, eax
		test	edi, edi
		js	short loc_A1DC9A
		mov	eax, [esi+10h]
		add	[esi+8], eax
		mov	ecx, [esi+8]
		mov	ebx, [esi+4]

loc_A1DC50:				; CODE XREF: sub_A1DBB6+75j
		mov	eax, [ebp+arg_4]
		cmp	eax, ebx
		ja	short loc_A1DC95
		test	ecx, ecx
		jz	short loc_A1DC95
		mov	edx, [esi]
		sub	ebx, eax
		mov	ecx, [esi+0Ch]
		mov	eax, edx
		imul	ebx, edx
		push	ebx		; size_t
		mov	ebx, [ebp+arg_4]
		imul	eax, ebx
		add	eax, ecx
		push	eax		; void *
		lea	eax, [ebx+1]
		imul	eax, edx
		add	eax, ecx
		push	eax		; void *
		call	_memmove
		mov	ecx, [esi]
		add	esp, 0Ch
		inc	dword ptr [esi+4]
		mov	eax, [esi+0Ch]
		mov	edx, [ebp+var_18]
		imul	ecx, ebx
		mov	[ecx+eax], edx
		jmp	short loc_A1DC9A
; 

loc_A1DC95:				; CODE XREF: sub_A1DBB6+9Fj
					; sub_A1DBB6+A3j
		mov	edi, 0C000000Dh

loc_A1DC9A:				; CODE XREF: sub_A1DBB6+37j
					; sub_A1DBB6+4Fj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A1DBB6	endp


;  S U B	R O U T	I N E 


sub_A1DCA3	proc near		; CODE XREF: sub_A1B40A:loc_A1B447p
					; sub_A1B40A+68p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_A1DCC9
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_A1DCBE
		push	42524157h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1DCBE:				; CODE XREF: sub_A1DCA3+Ej
		xor	eax, eax
		mov	[esi+0Ch], eax
		mov	[esi+4], eax
		mov	[esi+8], eax

loc_A1DCC9:				; CODE XREF: sub_A1DCA3+7j
		pop	esi
		retn
sub_A1DCA3	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1DCCB	proc near		; CODE XREF: WbRemoveWarbirdProcess+17E363p
					; sub_A1C136+81p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_A1DCF7
		lea	eax, [ebp+arg_4]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		call	WbFindLookupEntry
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A1DD20
		mov	esi, [ebp+arg_4]

loc_A1DCF7:				; CODE XREF: sub_A1DCCB+12j
		mov	eax, [edi+4]
		mov	edx, [edi]
		sub	eax, esi
		mov	ecx, [edi+0Ch]
		dec	eax
		imul	eax, edx
		push	eax		; size_t
		lea	eax, [esi+1]
		imul	eax, edx
		imul	edx, esi
		add	eax, ecx
		push	eax		; void *
		add	edx, ecx
		push	edx		; void *
		call	_memmove
		add	esp, 0Ch
		dec	dword ptr [edi+4]

loc_A1DD20:				; CODE XREF: sub_A1DCCB+27j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
sub_A1DCCB	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1DD29	proc near		; CODE XREF: sub_A1DFF5+E2p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	ebx, edx
		xor	esi, esi
		push	edi
		lea	edx, [ebp+var_4]
		mov	[ebp+var_4], esi
		mov	ecx, 420h
		call	sub_A1ACD8
		mov	edi, eax
		test	edi, edi
		js	loc_A1DE02
		mov	eax, [ebp+var_4]
		push	400h		; size_t
		push	0		; int
		mov	[eax], esi
		lea	ecx, [eax+4]
		mov	dword ptr [ecx], 10000h
		lea	edi, [eax+41Ch]
		mov	[ebp+var_8], ecx
		lea	ecx, [eax+0Ch]
		mov	[ecx], esi
		mov	[ebp+var_14], ecx
		lea	ecx, [eax+10h]
		mov	eax, large fs:124h
		mov	[ecx], esi
		mov	[edi], esi
		mov	esi, [ebp+var_4]
		mov	eax, [eax+80h]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		mov	[esi+8], eax
		lea	eax, [esi+18h]
		and	dword ptr [esi+418h], 0
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		mov	edx, esi
		or	ecx, 0FFFFFFFFh
		push	edi
		push	2
		push	20000000h
		push	eax
		push	eax
		push	eax
		push	20h
		push	1000h
		push	[ebp+var_8]
		call	MmAllocateVirtualMemory
		mov	edi, eax
		test	edi, edi
		js	short loc_A1DE05
		mov	eax, [ebp+var_C]
		cmp	dword ptr [eax], 0
		jnz	short loc_A1DDE0
		mov	edi, 0C00000E5h
		jmp	short loc_A1DE05
; 

loc_A1DDE0:				; CODE XREF: sub_A1DD29+AEj
		mov	eax, [ebp+var_8]
		mov	ecx, [esi]
		mov	edx, [eax]
		push	[ebp+var_10]
		push	[ebp+var_14]
		call	sub_A1AF61
		mov	edi, eax
		test	edi, edi
		js	short loc_A1DE05
		test	ebx, ebx
		jz	short loc_A1DE05
		mov	[ebx], esi
		xor	esi, esi
		jmp	short loc_A1DE05
; 

loc_A1DE02:				; CODE XREF: sub_A1DD29+23j
		mov	esi, [ebp+var_4]

loc_A1DE05:				; CODE XREF: sub_A1DD29+A6j
					; sub_A1DD29+B5j ...
		mov	ecx, esi
		call	sub_A1E255
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
sub_A1DD29	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1DE13	proc near		; CODE XREF: sub_A1DFF5+90p
					; sub_A1DFF5+FDp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		test	edx, edx
		jz	short loc_A1DE69
		lea	ebx, [edx+3Fh]
		xor	ecx, ecx
		shr	ebx, 6
		mov	esi, 3FFh
		inc	ecx
		sub	esi, ebx
		call	ExGenRandom
		and	eax, 7FFFFFFFh
		lea	ecx, [esi+1]
		xor	edx, edx
		div	ecx
		push	ebx
		mov	eax, edx
		mov	ecx, edi
		push	esi
		mov	[ebp+var_4], eax
		call	sub_A1DE7B
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A1DE69
		push	ebx
		push	[ebp+var_4]
		xor	edx, edx
		mov	ecx, edi
		call	sub_A1DE7B
		mov	esi, eax

loc_A1DE69:				; CODE XREF: sub_A1DE13+10j
					; sub_A1DE13+45j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A1DE72
		mov	[eax], esi

loc_A1DE72:				; CODE XREF: sub_A1DE13+5Bj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	4
sub_A1DE13	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1DE7B	proc near		; CODE XREF: sub_A1DE13+3Cp
					; sub_A1DE13+4Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Eh]
		mov	edi, edx
		mov	[ebp+var_4], ecx
		nop
		lea	ebx, [ecx+418h]
		xor	edx, edx
		push	0
		mov	ecx, ebx
		mov	[ebp+var_8], ebx
		call	KeAbPreAcquire
		push	11h
		mov	esi, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [ebx], ecx
		test	eax, eax
		jz	short loc_A1DEC6
		push	ebx
		mov	edx, esi
		mov	ecx, ebx
		call	ExfAcquirePushLockSharedEx

loc_A1DEC6:				; CODE XREF: sub_A1DE7B+3Fj
		test	esi, esi
		jz	short loc_A1DECE
		or	byte ptr [esi+0Eh], 1

loc_A1DECE:				; CODE XREF: sub_A1DE7B+4Dj
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_4]
		inc	eax
		mov	ebx, [ebp+arg_4]
		or	esi, 0FFFFFFFFh
		mov	[ebp+arg_0], eax
		jmp	short loc_A1DEE8
; 

loc_A1DEE0:				; CODE XREF: sub_A1DE7B+6Fj
		cmp	byte ptr [ecx+edi+18h],	0
		jz	short loc_A1DEEE
		inc	edi

loc_A1DEE8:				; CODE XREF: sub_A1DE7B+63j
					; sub_A1DE7B+8Dj
		cmp	edi, eax
		jb	short loc_A1DEE0
		mov	edi, esi

loc_A1DEEE:				; CODE XREF: sub_A1DE7B+6Aj
		cmp	edi, esi
		jz	short loc_A1DF0A
		lea	eax, [ebx-1]
		push	eax
		lea	edx, [edi+1]
		call	sub_A1E232
		cmp	eax, esi
		jz	short loc_A1DF0A
		lea	edi, [eax+1]
		mov	eax, [ebp+arg_0]
		jmp	short loc_A1DEE8
; 

loc_A1DF0A:				; CODE XREF: sub_A1DE7B+75j
					; sub_A1DE7B+85j
		mov	ebx, [ebp+var_8]
		xor	ecx, ecx
		push	11h
		pop	eax
		lock cmpxchg [ebx], ecx
		cmp	eax, 11h
		jz	short loc_A1DF22
		mov	ecx, ebx
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A1DF22:				; CODE XREF: sub_A1DE7B+9Ej
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	edi, esi
		jz	loc_A1DFEA
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		xor	esi, esi
		xor	edx, edx
		push	esi
		mov	ecx, ebx
		call	KeAbPreAcquire
		mov	[ebp+arg_0], eax
		lock bts dword ptr [ebx], 0
		jnb	short loc_A1DF6E
		push	ebx
		mov	edx, eax
		mov	ecx, ebx
		call	ExfAcquirePushLockExclusiveEx
		mov	eax, [ebp+arg_0]

loc_A1DF6E:				; CODE XREF: sub_A1DE7B+E4j
		test	eax, eax
		jz	short loc_A1DF76
		or	byte ptr [eax+0Eh], 1

loc_A1DF76:				; CODE XREF: sub_A1DE7B+F5j
		push	[ebp+arg_4]
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	sub_A1E232
		or	ecx, 0FFFFFFFFh
		cmp	eax, ecx
		jnz	short loc_A1DFC2
		mov	esi, [ebp+var_4]
		mov	eax, edi
		shl	eax, 6
		add	eax, [esi+10h]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_A1DFB4
		dec	eax
		push	eax		; size_t
		lea	eax, [esi+18h]
		add	eax, edi
		push	2		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		or	ecx, 0FFFFFFFFh

loc_A1DFB4:				; CODE XREF: sub_A1DE7B+122j
		mov	edx, [ebp+arg_4]
		lea	eax, [edi+esi]
		mov	esi, [ebp+arg_0]
		mov	byte ptr [eax+edx+17h],	1

loc_A1DFC2:				; CODE XREF: sub_A1DE7B+10Dj
		lock xadd [ebx], ecx
		and	cl, 6
		cmp	cl, 2
		jnz	short loc_A1DFD5
		mov	ecx, ebx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1DFD5:				; CODE XREF: sub_A1DE7B+151j
		mov	ecx, ebx
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	short loc_A1DFEC
; 

loc_A1DFEA:				; CODE XREF: sub_A1DE7B+BCj
		xor	esi, esi

loc_A1DFEC:				; CODE XREF: sub_A1DE7B+16Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A1DE7B	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1DFF5	proc near		; CODE XREF: sub_A1CBC6+1C1p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, edx
		xor	ecx, ecx
		mov	[ebp+var_14], eax
		and	[ebp+var_4], ecx
		xor	ebx, ebx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_18], ecx
		mov	[ebp+var_C], ebx
		cmp	eax, 10000h
		jbe	short loc_A1E02A
		mov	edi, 0C000000Dh
		jmp	loc_A1E18C
; 

loc_A1E02A:				; CODE XREF: sub_A1DFF5+29j
		call	_KeEnterGuardedRegion@0	; KeEnterGuardedRegion()
		sub	esi, 0FFFFFF80h
		xor	edx, edx
		push	0
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edx, eax
		xor	eax, eax
		push	11h
		mov	[ebp+var_10], edx
		pop	ecx
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_A1E05A
		push	esi
		mov	ecx, esi
		call	ExfAcquirePushLockSharedEx
		mov	edx, [ebp+var_10]

loc_A1E05A:				; CODE XREF: sub_A1DFF5+58j
		test	edx, edx
		jz	short loc_A1E062
		or	byte ptr [edx+0Eh], 1

loc_A1E062:				; CODE XREF: sub_A1DFF5+67j
		mov	edx, [ebp+var_8]
		xor	eax, eax
		mov	[ebp+var_10], eax
		cmp	[edx+6Ch], eax
		jbe	short loc_A1E0A8

loc_A1E06F:				; CODE XREF: sub_A1DFF5+B1j
		mov	ecx, [edx+68h]
		imul	ecx, eax
		mov	eax, [edx+74h]
		mov	edx, [ebp+var_14]
		mov	ecx, [ecx+eax]
		lea	eax, [ebp+var_4]
		push	eax
		mov	[ebp+var_18], ecx
		call	sub_A1DE13
		mov	edi, eax
		test	edi, edi
		js	loc_A1E18C
		cmp	[ebp+var_4], ebx
		jnz	short loc_A1E0A8
		mov	eax, [ebp+var_10]
		mov	edx, [ebp+var_8]
		inc	eax
		mov	[ebp+var_10], eax
		cmp	eax, [edx+6Ch]
		jb	short loc_A1E06F

loc_A1E0A8:				; CODE XREF: sub_A1DFF5+78j
					; sub_A1DFF5+A2j
		push	11h
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_A1E0BD
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A1E0BD:				; CODE XREF: sub_A1DFF5+BFj
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveGuardedRegion@0	; KeLeaveGuardedRegion()
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jnz	loc_A1E170
		lea	edx, [ebp+var_C]
		call	sub_A1DD29
		mov	ebx, [ebp+var_C]
		mov	edi, eax
		test	edi, edi
		js	loc_A1E18C
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, ebx
		call	sub_A1DE13
		mov	edi, eax
		test	edi, edi
		js	loc_A1E18C
		call	_KeEnterGuardedRegion@0	; KeEnterGuardedRegion()
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edi, eax
		lock bts dword ptr [esi], 0
		jnb	short loc_A1E124
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx

loc_A1E124:				; CODE XREF: sub_A1DFF5+123j
		test	edi, edi
		jz	short loc_A1E12C
		or	byte ptr [edi+0Eh], 1

loc_A1E12C:				; CODE XREF: sub_A1DFF5+131j
		push	0FFFFFFFFh
		push	4
		push	dword ptr [ebx+10h]
		mov	edx, ebx
		push	ecx
		mov	ecx, [ebp+var_8]
		add	ecx, 68h
		call	sub_A1DB7E
		mov	edi, eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1E157
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1E157:				; CODE XREF: sub_A1DFF5+159j
		mov	ecx, esi
		call	KeAbPostRelease
		call	_KeLeaveGuardedRegion@0	; KeLeaveGuardedRegion()
		test	edi, edi
		js	short loc_A1E18C
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		xor	ebx, ebx
		jmp	short loc_A1E173
; 

loc_A1E170:				; CODE XREF: sub_A1DFF5+D9j
		mov	edx, [ebp+var_18]

loc_A1E173:				; CODE XREF: sub_A1DFF5+179j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A1E17C
		mov	[eax], ecx

loc_A1E17C:				; CODE XREF: sub_A1DFF5+183j
		mov	esi, [ebp+arg_4]
		test	esi, esi
		jz	short loc_A1E18C
		mov	eax, [edx]
		sub	eax, [edx+10h]
		add	eax, ecx
		mov	[esi], eax

loc_A1E18C:				; CODE XREF: sub_A1DFF5+30j
					; sub_A1DFF5+99j ...
		mov	ecx, ebx
		call	sub_A1E255
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
sub_A1DFF5	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1E19C	proc near		; DATA XREF: sub_A1B2D2+78o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_A1E1B2
		cmp	[ebp+arg_4], eax
		jz	short loc_A1E1D0
		inc	eax
		xor	edx, edx
		jmp	short loc_A1E1DB
; 

loc_A1E1B2:				; CODE XREF: sub_A1E19C+Aj
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_A1E1C0
		or	eax, 0FFFFFFFFh
		mov	edx, eax
		jmp	short loc_A1E1DB
; 

loc_A1E1C0:				; CODE XREF: sub_A1E19C+1Bj
		mov	edx, [eax+10h]
		cmp	ecx, edx
		jb	short loc_A1E1D6
		mov	eax, [eax+4]
		add	eax, edx
		cmp	ecx, eax
		jnb	short loc_A1E1D6

loc_A1E1D0:				; CODE XREF: sub_A1E19C+Fj
		xor	edx, edx
		mov	eax, edx
		jmp	short loc_A1E1DB
; 

loc_A1E1D6:				; CODE XREF: sub_A1E19C+29j
					; sub_A1E19C+32j
		sub	ecx, edx
		mov	eax, ecx
		cdq

loc_A1E1DB:				; CODE XREF: sub_A1E19C+14j
					; sub_A1E19C+22j ...
		pop	ebp
		retn	0Ch
sub_A1E19C	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1E1DF	proc near		; CODE XREF: sub_A1E2D0+5Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_0]
		sub	edx, [esi+10h]
		shr	edx, 6
		test	edx, edx
		jz	short loc_A1E212
		lea	eax, [edx-1]
		test	eax, eax
		js	short loc_A1E20F
		push	edi
		mov	edi, eax

loc_A1E1FE:				; CODE XREF: sub_A1E1DF+2Dj
		cmp	byte ptr [esi+edi+18h],	2
		jnz	short loc_A1E20E
		lea	eax, [edi-1]
		mov	edi, eax
		test	eax, eax
		jns	short loc_A1E1FE

loc_A1E20E:				; CODE XREF: sub_A1E1DF+24j
		pop	edi

loc_A1E20F:				; CODE XREF: sub_A1E1DF+1Aj
		inc	eax
		jmp	short loc_A1E214
; 

loc_A1E212:				; CODE XREF: sub_A1E1DF+13j
		mov	eax, edx

loc_A1E214:				; CODE XREF: sub_A1E1DF+31j
		mov	[ecx], eax
		cmp	byte ptr [edx+esi+18h],	2
		mov	ecx, [ebp+arg_4]
		mov	[ecx], edx
		jnz	short loc_A1E22D

loc_A1E222:				; CODE XREF: sub_A1E1DF+4Cj
		inc	dword ptr [ecx]
		mov	eax, [ecx]
		cmp	byte ptr [eax+esi+18h],	2
		jz	short loc_A1E222

loc_A1E22D:				; CODE XREF: sub_A1E1DF+41j
		pop	esi
		pop	ebp
		retn	8
sub_A1E1DF	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1E232	proc near		; CODE XREF: sub_A1DE7B+7Ep
					; sub_A1DE7B+103p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		add	eax, edx
		jmp	short loc_A1E246
; 

loc_A1E23E:				; CODE XREF: sub_A1E232+16j
		cmp	byte ptr [ecx+edx+18h],	0
		jnz	short loc_A1E251
		inc	edx

loc_A1E246:				; CODE XREF: sub_A1E232+Aj
		cmp	edx, eax
		jb	short loc_A1E23E
		or	eax, 0FFFFFFFFh

loc_A1E24D:				; CODE XREF: sub_A1E232+21j
		pop	ebp
		retn	4
; 

loc_A1E251:				; CODE XREF: sub_A1E232+11j
		mov	eax, edx
		jmp	short loc_A1E24D
sub_A1E232	endp


;  S U B	R O U T	I N E 


sub_A1E255	proc near		; CODE XREF: sub_A1B40A+CCp
					; sub_A1DD29+DEp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	short loc_A1E2CC
		mov	edx, large fs:124h
		xor	ebx, ebx
		mov	eax, [esi+8]
		cmp	eax, [edx+80h]
		jnz	short loc_A1E285
		mov	eax, [esi+41Ch]
		inc	ebx
		test	eax, eax
		jz	short loc_A1E285
		push	eax
		call	_MmUnsecureVirtualMemory@4 ; MmUnsecureVirtualMemory(x)

loc_A1E285:				; CODE XREF: sub_A1E255+1Dj
					; sub_A1E255+28j
		mov	edi, [esi+0Ch]
		test	edi, edi
		jz	short loc_A1E29C
		push	edi
		call	_MmUnlockPages@4 ; MmUnlockPages(x)
		push	edi
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		and	dword ptr [esi+0Ch], 0

loc_A1E29C:				; CODE XREF: sub_A1E255+35j
		and	dword ptr [esi+10h], 0
		cmp	dword ptr [esi], 0
		jz	short loc_A1E2C1
		test	ebx, ebx
		jz	short loc_A1E2BA
		push	8000h
		lea	eax, [esi+4]
		push	eax
		push	esi
		push	0FFFFFFFFh
		call	_ZwFreeVirtualMemory@16	; ZwFreeVirtualMemory(x,x,x,x)

loc_A1E2BA:				; CODE XREF: sub_A1E255+52j
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0

loc_A1E2C1:				; CODE XREF: sub_A1E255+4Ej
		push	42524157h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1E2CC:				; CODE XREF: sub_A1E255+9j
		pop	edi
		pop	esi
		pop	ebx
		retn
sub_A1E255	endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1E2D0	proc near		; CODE XREF: sub_A1E37F+A7p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Eh]
		mov	ebx, ecx
		mov	[ebp+var_C], edx
		nop
		lea	esi, [ebx+418h]
		xor	edx, edx
		push	0
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edi, eax
		lock bts dword ptr [esi], 0
		jnb	short loc_A1E312
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx

loc_A1E312:				; CODE XREF: sub_A1E2D0+36j
		test	edi, edi
		jz	short loc_A1E31A
		or	byte ptr [edi+0Eh], 1

loc_A1E31A:				; CODE XREF: sub_A1E2D0+44j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		xor	edi, edi
		push	eax
		mov	ecx, ebx
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edi
		call	sub_A1E1DF
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_8]
		cmp	ecx, eax
		jg	short loc_A1E351
		sub	eax, ecx
		inc	eax
		push	eax		; size_t
		lea	eax, [ecx+18h]
		add	eax, ebx
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_A1E351:				; CODE XREF: sub_A1E2D0+6Cj
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1E365
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1E365:				; CODE XREF: sub_A1E2D0+8Cj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
sub_A1E2D0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1E37F	proc near		; CODE XREF: sub_A1D1FE+10p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_8], edx
		dec	word ptr [eax+13Eh]
		push	edi
		mov	[ebp+var_C], ecx
		nop
		lea	esi, [ecx+80h]
		xor	edx, edx
		push	ebx
		mov	ecx, esi
		call	KeAbPreAcquire
		push	11h
		mov	edi, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_A1E3C9
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockSharedEx

loc_A1E3C9:				; CODE XREF: sub_A1E37F+3Ej
		test	edi, edi
		jz	short loc_A1E3D1
		or	byte ptr [edi+0Eh], 1

loc_A1E3D1:				; CODE XREF: sub_A1E37F+4Cj
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		mov	edx, [ebp+var_8]
		add	ecx, 68h
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ebx
		push	eax
		push	4
		call	WbFindLookupEntry
		mov	edi, eax
		test	edi, edi
		js	short loc_A1E3F5
		mov	ebx, [ebp+var_4]

loc_A1E3F5:				; CODE XREF: sub_A1E37F+71j
		push	11h
		xor	edx, edx
		pop	eax
		lock cmpxchg [esi], edx
		cmp	eax, 11h
		jz	short loc_A1E40A
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A1E40A:				; CODE XREF: sub_A1E37F+82j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		test	edi, edi
		js	short loc_A1E42D
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		call	sub_A1E2D0
		mov	edi, eax

loc_A1E42D:				; CODE XREF: sub_A1E37F+A0j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
sub_A1E37F	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1E434	proc near		; CODE XREF: sub_A1E613+E5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	0FFFFFFFFh
		mov	esi, edx
		push	4
		push	dword ptr [esi]
		push	ecx
		add	ecx, 30h
		call	sub_A1DB7E
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	edi, edi
		js	short loc_A1E480
		lea	edi, [esi+8]

loc_A1E45B:				; CODE XREF: sub_A1E434+42j
					; sub_A1E434+47j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_4], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_A1E45B
		cmp	edx, [ebp+var_4]
		jnz	short loc_A1E45B
		mov	edi, [ebp+var_8]

loc_A1E480:				; CODE XREF: sub_A1E434+22j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
sub_A1E434	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1E489	proc near		; CODE XREF: sub_A1E613+A0p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	esi, 2F0h
		mov	[ebp+var_C], ecx
		lea	edx, [ebp+var_4]
		xor	edi, edi
		mov	ecx, esi
		mov	[ebp+var_4], edi
		call	sub_A1ACD8
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A1E4E5
		push	esi		; size_t
		mov	esi, [ebp+var_4]
		push	edi		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		add	dword ptr [esi+8], 1
		adc	[esi+0Ch], edi
		mov	[esi], eax
		mov	eax, [ebp+arg_0]
		mov	[esi+10h], edi
		mov	[esi+14h], edi
		mov	[esi+18h], edi
		mov	dword ptr [esi+1Ch], 0Ah
		mov	[eax], esi
		jmp	short loc_A1E4E8
; 

loc_A1E4E5:				; CODE XREF: sub_A1E489+29j
		mov	edi, [ebp+var_4]

loc_A1E4E8:				; CODE XREF: sub_A1E489+5Aj
		mov	ecx, [ebp+var_C]
		mov	edx, edi
		call	sub_A1E4FB
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
sub_A1E489	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1E4FB	proc near		; CODE XREF: sub_A1B40A+2Dp
					; sub_A1D36F+12Ep ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	eax, edx
		mov	[ebp+var_10], ecx
		xor	esi, esi
		mov	[ebp+var_C], eax
		push	edi
		mov	edi, esi
		test	eax, eax
		jz	short loc_A1E563
		add	eax, 8
		mov	[ebp+var_4], eax

loc_A1E51C:				; CODE XREF: sub_A1E4FB+49j
					; sub_A1E4FB+4Dj
		mov	edx, [eax]
		mov	ebx, edx
		mov	edi, [eax+4]
		sub	ebx, 1
		mov	ecx, edi
		mov	[ebp+var_8], edx
		mov	eax, edx
		sbb	ecx, esi
		mov	edx, edi
		nop
		mov	esi, [ebp+var_4]
		lock cmpxchg8b qword ptr [esi]
		mov	ecx, [ebp+var_8]
		cmp	eax, ecx
		mov	eax, [ebp+var_4]
		push	0
		pop	esi
		jnz	short loc_A1E51C
		cmp	edx, edi
		jnz	short loc_A1E51C
		mov	esi, ecx
		add	esi, 0FFFFFFFFh
		mov	ecx, esi
		adc	edi, 0FFFFFFFFh
		or	ecx, edi
		jnz	short loc_A1E563
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		call	sub_A1E5D7

loc_A1E563:				; CODE XREF: sub_A1E4FB+19j
					; sub_A1E4FB+5Bj
		mov	edx, edi
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
sub_A1E4FB	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1E56C	proc near		; CODE XREF: sub_A1E613+60p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	0
		push	eax
		push	4
		add	ecx, 30h
		call	WbFindLookupEntry
		mov	[ebp+var_C], eax
		test	eax, eax
		js	short locret_A1E5D3
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_A1E5D2
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_A1E5D0
		push	ebx
		lea	edi, [ecx+8]
		push	esi

loc_A1E5A3:				; CODE XREF: sub_A1E56C+52j
					; sub_A1E56C+57j
		mov	esi, [edi]
		mov	ebx, esi
		mov	edx, [edi+4]
		add	ebx, 1
		mov	ecx, edx
		mov	[ebp+var_8], edx
		adc	ecx, 0
		mov	eax, esi
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_A1E5A3
		cmp	edx, [ebp+var_8]
		jnz	short loc_A1E5A3
		mov	ecx, [ebp+var_4]
		mov	edi, [ebp+arg_0]
		mov	eax, [ebp+var_C]
		pop	esi
		pop	ebx

loc_A1E5D0:				; CODE XREF: sub_A1E56C+30j
		mov	[edi], ecx

loc_A1E5D2:				; CODE XREF: sub_A1E56C+29j
		pop	edi

locret_A1E5D3:				; CODE XREF: sub_A1E56C+21j
		leave
		retn	8
sub_A1E56C	endp


;  S U B	R O U T	I N E 


sub_A1E5D7	proc near		; CODE XREF: sub_A1E4FB+63p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		test	esi, esi
		jnz	short loc_A1E5E6
		xor	edi, edi
		jmp	short loc_A1E60D
; 

loc_A1E5E6:				; CODE XREF: sub_A1E5D7+9j
		push	0FFFFFFFFh
		call	sub_A1D706
		mov	edi, eax
		test	edi, edi
		js	short loc_A1E60D
		mov	eax, [esi+18h]
		mov	ebx, 42524157h
		test	eax, eax
		jz	short loc_A1E606
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1E606:				; CODE XREF: sub_A1E5D7+26j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1E60D:				; CODE XREF: sub_A1E5D7+Dj
					; sub_A1E5D7+1Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
sub_A1E5D7	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_A1E613	proc near		; CODE XREF: sub_A1D36F+94p
					; sub_A1D4C6+18p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	ebx
		mov	[ebp+var_8], eax
		mov	ebx, ecx
		mov	eax, large fs:124h
		xor	ecx, ecx
		push	esi
		push	edi
		mov	[ebp+var_4], ecx
		dec	word ptr [eax+13Eh]
		nop
		lea	esi, [ebx+48h]
		xor	edx, edx
		push	ecx
		mov	ecx, esi
		call	KeAbPreAcquire
		push	11h
		mov	edi, eax
		xor	eax, eax
		pop	ecx
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_A1E661
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockSharedEx

loc_A1E661:				; CODE XREF: sub_A1E613+42j
		test	edi, edi
		jz	short loc_A1E669
		or	byte ptr [edi+0Eh], 1

loc_A1E669:				; CODE XREF: sub_A1E613+50j
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	ecx
		push	eax
		mov	ecx, ebx
		call	sub_A1E56C
		push	11h
		mov	edi, eax
		xor	ecx, ecx
		pop	eax
		lock cmpxchg [esi], ecx
		cmp	eax, 11h
		jz	short loc_A1E68F
		mov	ecx, esi
		call	@ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)

loc_A1E68F:				; CODE XREF: sub_A1E613+73j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		cmp	edi, 0C0000272h
		jnz	short loc_A1E726
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		mov	ecx, ebx
		call	sub_A1E489
		mov	edi, eax
		test	edi, edi
		js	short loc_A1E73A
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	KeAbPreAcquire
		mov	edi, eax
		lock bts dword ptr [esi], 0
		jnb	short loc_A1E6EA
		push	esi
		mov	edx, edi
		mov	ecx, esi
		call	ExfAcquirePushLockExclusiveEx

loc_A1E6EA:				; CODE XREF: sub_A1E613+CBj
		test	edi, edi
		jz	short loc_A1E6F2
		or	byte ptr [edi+0Eh], 1

loc_A1E6F2:				; CODE XREF: sub_A1E613+D9j
		mov	edx, [ebp+var_4]
		push	ecx
		mov	ecx, ebx
		call	sub_A1E434
		mov	edi, eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_A1E713
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)

loc_A1E713:				; CODE XREF: sub_A1E613+F7j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)

loc_A1E726:				; CODE XREF: sub_A1E613+95j
		test	edi, edi
		js	short loc_A1E73A
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_A1E73A
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		xor	eax, eax
		jmp	short loc_A1E73D
; 

loc_A1E73A:				; CODE XREF: sub_A1E613+A9j
					; sub_A1E613+115j ...
		mov	eax, [ebp+var_4]

loc_A1E73D:				; CODE XREF: sub_A1E613+125j
		mov	edx, eax
		mov	ecx, ebx
		call	sub_A1E4FB
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
sub_A1E613	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbOpenDatabaseEx(x, x, x, x)
_SdbOpenDatabaseEx@16 proc near		; CODE XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+F2p

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		mov	eax, ebx
		test	ebx, ebx
		jnz	short loc_A1E76F
		mov	eax, offset ??_C@_11LOCGONAA@@NNGAKEGL@

loc_A1E76F:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+19j
		push	eax
		xor	edi, edi
		push	edi
		push	(offset	loc_8C2487+1)
		push	382h
		push	offset ??_C@_0BC@OLOFFDGE@SdbOpenDatabaseEx@NNGAKEGL@
		push	3
		call	AslLogCallPrintf
		add	esp, 14h
		mov	edx, 0A58h
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	esi, eax
		mov	[ebp+var_4], esi
		test	esi, esi
		jnz	short loc_A1E7BD
		push	offset ??_C@_0CA@IINJBIKG@Failed?5to?5allocate?5DB?5structure@NNGAKEGL@
		push	38Ah
		push	offset ??_C@_0BC@OLOFFDGE@SdbOpenDatabaseEx@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_A1E900
; 

loc_A1E7BD:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+4Ej
		push	0A58h		; size_t
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, ebx
		mov	ecx, esi
		push	edi
		push	edi
		push	edi
		call	AslFileMappingCreate
		test	eax, eax
		jns	short loc_A1E7FB
		push	eax
		push	(offset	loc_8C23D9+7)
		push	395h

loc_A1E7E7:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+EBj
					; SdbOpenDatabaseEx(x,x,x,x)+13Dj
		push	offset ??_C@_0BC@OLOFFDGE@SdbOpenDatabaseEx@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A1E8EA
; 

loc_A1E7FB:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+8Bj
		mov	ecx, [esi]
		mov	eax, [ecx+14h]
		mov	ebx, [ecx+10h]
		cmp	eax, edi
		ja	loc_A1E8D1
		jb	short loc_A1E81D
		cmp	ebx, 7FFFFFFFh
		ja	loc_A1E8D1
		cmp	eax, edi
		ja	short loc_A1E826

loc_A1E81D:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+BCj
		cmp	ebx, 2Ah
		jb	loc_A1E8D1

loc_A1E826:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+CCj
		call	_AslFileMappingEnsureMappedAs@8	; AslFileMappingEnsureMappedAs(x,x)
		test	eax, eax
		jns	short loc_A1E83C
		push	eax
		push	offset ??_C@_0BH@KGGJNBJB@Failed?5to?5map?5SDB?5?$FL?$CFx?$FN@NNGAKEGL@
		push	3A4h
		jmp	short loc_A1E7E7
; 

loc_A1E83C:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+DEj
		mov	[esi+8], edi
		mov	[esi+0Ch], ebx
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_A1E84B
		mov	edi, [eax+18h]

loc_A1E84B:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+F7j
		push	0Ch		; size_t
		lea	eax, [ebp+var_10]
		mov	[esi+4], edi
		push	eax		; void *
		xor	edx, edx
		mov	ecx, esi
		call	SdbpReadMappedData
		test	eax, eax
		jnz	short loc_A1E86D
		push	offset ??_C@_0BP@DEIGBGOF@Failed?5to?5read?5database?5header@NNGAKEGL@
		push	3B1h
		jmp	short loc_A1E8DB
; 

loc_A1E86D:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+110j
		cmp	[ebp+var_8], 66626473h
		jz	short loc_A1E8BE
		cmp	[ebp+var_8], 6662647Ah
		jz	short loc_A1E891
		push	[ebp+var_8]
		push	(offset	loc_8C256B+1)
		push	3BEh
		jmp	loc_A1E7E7
; 

loc_A1E891:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+12Ej
		push	ecx
		lea	ecx, [ebp+var_4]
		call	_SdbpOpenCompressedDatabase@12 ; SdbpOpenCompressedDatabase(x,x,x)
		test	eax, eax
		jnz	short loc_A1E8B9
		push	offset ??_C@_0DP@MOGONKPB@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@
		push	3C4h
		push	offset ??_C@_0BC@OLOFFDGE@SdbOpenDatabaseEx@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		mov	esi, [ebp+var_4]
		jmp	short loc_A1E8E7
; 

loc_A1E8B9:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+14Dj
		mov	esi, [ebp+var_4]
		jmp	short loc_A1E8CD
; 

loc_A1E8BE:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+125j
		push	ecx
		lea	edx, [ebp+var_10]
		mov	ecx, esi
		call	SdbpValidateAndApplyCompatFlags
		test	eax, eax
		jz	short loc_A1E8EA

loc_A1E8CD:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+16Dj
		mov	eax, esi
		jmp	short loc_A1E902
; 

loc_A1E8D1:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+B6j
					; SdbOpenDatabaseEx(x,x,x,x)+C4j ...
		push	offset ??_C@_0DD@LMDIBKL@Failed?5to?5open?5SDB?5?9?5File?5size?5@NNGAKEGL@
		push	39Eh

loc_A1E8DB:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+11Cj
		push	offset ??_C@_0BC@OLOFFDGE@SdbOpenDatabaseEx@NNGAKEGL@
		push	1
		call	AslLogCallPrintf

loc_A1E8E7:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+168j
		add	esp, 10h

loc_A1E8EA:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+A7j
					; SdbOpenDatabaseEx(x,x,x,x)+17Cj
		test	esi, esi
		jz	short loc_A1E900
		mov	ecx, [esi]
		call	AslFileMappingDelete
		push	74705041h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1E900:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+69j
					; SdbOpenDatabaseEx(x,x,x,x)+19Dj
		xor	eax, eax

loc_A1E902:				; CODE XREF: SdbOpenDatabaseEx(x,x,x,x)+180j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_SdbOpenDatabaseEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbGetKShimTagRef(x, x)
_SdbGetKShimTagRef@8 proc near		; CODE XREF: KsepDbGetShimInfo(x,x)+7Fp

var_30		= dword	ptr -30h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		and	[ebp+var_4], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	ebx, ecx
		lea	edi, [ebp+var_30]
		pop	ecx
		rep stosd
		mov	esi, [ebx+4]
		lea	eax, [ebp+var_30]
		push	eax
		push	edx
		push	6001h
		mov	edx, 7025h
		mov	ecx, esi
		call	SdbFindFirstStringIndexedTag
		lea	ecx, [ebp+var_4]
		mov	edx, esi
		push	ecx
		push	eax
		mov	ecx, ebx
		call	SdbTagIDToTagRef
		neg	eax
		pop	edi
		sbb	eax, eax
		and	eax, [ebp+var_4]
		pop	esi
		pop	ebx
		leave
		retn
_SdbGetKShimTagRef@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbQueryDataEx(x, x, x, x, x, x, x)
_SdbQueryDataEx@28 proc	near		; CODE XREF: PiIsDriverBlocked+AFE7Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	esi
		mov	[ebp+var_8], eax
		mov	esi, edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	SdbTagRefToTagID
		test	eax, eax
		jnz	short loc_A1E99D
		push	esi
		push	offset ??_C@_0CH@KHIGAPEJ@Failed?5to?5convert?5tagref?50x?$CFx?5t@NNGAKEGL@
		push	1AB1h
		push	(offset	loc_8C34A8+2)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		push	57h
		pop	eax
		jmp	short loc_A1E9B6
; 

loc_A1E99D:				; CODE XREF: SdbQueryDataEx(x,x,x,x,x,x,x)+25j
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; void *
		push	[ebp+arg_4]	; int
		push	ecx		; int
		mov	ecx, [ebp+var_8]
		call	_SdbQueryDataExTagID@28	; SdbQueryDataExTagID(x,x,x,x,x,x,x)

loc_A1E9B6:				; CODE XREF: SdbQueryDataEx(x,x,x,x,x,x,x)+44j
		pop	esi
		leave
		retn	14h
_SdbQueryDataEx@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SdbQueryDataExTagID(int,int,void *,int,int)
_SdbQueryDataExTagID@28	proc near	; CODE XREF: SdbQueryDataEx(x,x,x,x,x,x,x)+5Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], ecx
		mov	ebx, edx
		mov	[ebp+var_14], esi
		push	edi
		mov	edi, offset ??_C@_1O@MPKBHDFA@?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@NNGAKEGL@
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		cmp	[ebp+arg_8], esi
		jnz	short loc_A1EA06
		cmp	[ebp+arg_C], esi
		jnz	short loc_A1EA06
		push	offset ??_C@_0DF@DOHFJIJC@One?5of?5lpBuffer?5or?5lpcbBufferSi@NNGAKEGL@
		push	19CAh
		push	offset ??_C@_0BE@BDIMHFPA@SdbQueryDataExTagID@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		push	57h

loc_A1EA00:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+91j
		pop	esi
		jmp	loc_A1ECD9
; 

loc_A1EA06:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+23j
					; SdbQueryDataExTagID(x,x,x,x,x,x,x)+28j
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_A1EA0B:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+59j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A1EA0B
		sub	ecx, edx
		sar	ecx, 1
		push	ecx
		lea	eax, [ecx+1]
		lea	edx, [eax+eax]
		mov	[ebp+var_10], eax
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_A1EA4E
		push	edi
		push	offset ??_C@_0DM@EFDBMOEF@Cannot?5allocate?5temporary?5buffe@NNGAKEGL@
		push	19D6h
		push	offset ??_C@_0BE@BDIMHFPA@SdbQueryDataExTagID@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		push	8
		jmp	short loc_A1EA00
; 

loc_A1EA4E:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+73j
					; SdbQueryDataExTagID(x,x,x,x,x,x,x)+10Aj
		push	5Ch		; wchar_t
		push	edi		; wchar_t *
		call	_wcschr
		mov	edx, [ebp+var_10]
		mov	[ebp+var_18], eax
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A1EA77
		mov	ecx, [ebp+var_C]
		push	edi
		call	RtlStringCchCopyW
		test	eax, eax
		js	loc_A1ECC9
		mov	edi, esi
		jmp	short loc_A1EAA1
; 

loc_A1EA77:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+A5j
		sub	eax, edi
		sar	eax, 1
		push	eax
		push	edi
		mov	edi, [ebp+var_C]
		mov	ecx, edi
		mov	[ebp+var_8], eax
		call	RtlStringCchCopyNW
		test	eax, eax
		js	loc_A1ECC9
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		mov	[edi+eax*2], cx
		mov	edi, [ebp+var_18]
		add	edi, 2

loc_A1EAA1:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+BAj
		push	[ebp+var_C]	; wchar_t *
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		push	6001h		; int
		push	700Fh		; __int16
		call	_SdbFindFirstNamedTag@20 ; SdbFindFirstNamedTag(x,x,x,x,x)
		mov	ebx, eax
		test	edi, edi
		jz	short loc_A1EAC9
		cmp	[edi], si
		jz	short loc_A1EAC9
		test	ebx, ebx
		jnz	short loc_A1EA4E
		jmp	short loc_A1EACD
; 

loc_A1EAC9:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+101j
					; SdbQueryDataExTagID(x,x,x,x,x,x,x)+106j
		test	ebx, ebx
		jnz	short loc_A1EAD7

loc_A1EACD:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+10Cj
					; SdbQueryDataExTagID(x,x,x,x,x,x,x)+1EEj ...
		mov	esi, 490h
		jmp	loc_A1ECCC
; 

loc_A1EAD7:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+110j
		mov	edi, [ebp+var_4]
		mov	edx, ebx
		push	4018h
		mov	ecx, edi
		mov	[ebp+var_8], esi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	short loc_A1EB0D
		push	ebx
		push	offset ??_C@_0DD@OJKICILA@The?5entry?50x?$CFx?5does?5not?5have?5va@NNGAKEGL@
		push	1A07h
		push	offset ??_C@_0BE@BDIMHFPA@SdbQueryDataExTagID@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		mov	ecx, esi
		jmp	short loc_A1EB1C
; 

loc_A1EB0D:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+132j
		push	esi
		mov	edx, eax
		mov	ecx, edi
		call	SdbReadDWORDTag
		mov	ecx, eax
		mov	[ebp+var_8], ecx

loc_A1EB1C:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+150j
		mov	edi, esi
		mov	edx, esi
		test	ecx, ecx
		jz	loc_A1EC81
		mov	eax, ecx
		sub	eax, 1
		jz	short loc_A1EB79
		dec	eax
		sub	eax, 1
		jz	short loc_A1EB72
		sub	eax, 1
		jz	short loc_A1EB6B
		sub	eax, 7
		jz	short loc_A1EB64
		push	ecx
		push	ebx
		push	offset ??_C@_0DH@CJPEJPEJ@The?5entry?50x?$CFx?5contains?5bad?5val@NNGAKEGL@
		push	1A2Ch
		push	offset ??_C@_0BE@BDIMHFPA@SdbQueryDataExTagID@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		mov	esi, 54Eh
		jmp	loc_A1ECCC
; 

loc_A1EB64:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+182j
		mov	eax, 5007h
		jmp	short loc_A1EB7E
; 

loc_A1EB6B:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+17Dj
		mov	eax, 4019h
		jmp	short loc_A1EB7E
; 

loc_A1EB72:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+178j
		mov	eax, 9005h
		jmp	short loc_A1EB7E
; 

loc_A1EB79:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+172j
		mov	eax, 601Eh

loc_A1EB7E:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+1AEj
					; SdbQueryDataExTagID(x,x,x,x,x,x,x)+1B5j ...
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		push	eax
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A1EBAE
		push	ebx
		push	offset ??_C@_0CB@GDMDDNIA@The?5entry?50x?$CFx?5contains?5no?5valu@NNGAKEGL@
		push	1A38h
		push	offset ??_C@_0BE@BDIMHFPA@SdbQueryDataExTagID@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A1EACD
; 

loc_A1EBAE:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+1D2j
		mov	eax, [ebp+var_8]
		sub	eax, 1
		jz	short loc_A1EC2B
		dec	eax
		sub	eax, 1
		jz	short loc_A1EC00
		sub	eax, 1
		jz	short loc_A1EBE7
		sub	eax, 7
		jnz	loc_A1EC78
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	esi
		push	esi
		call	SdbReadQWORDTag
		push	8
		mov	[ebp+var_1C], edx
		lea	edx, [ebp+var_20]
		mov	[ebp+var_20], eax
		pop	edi
		jmp	loc_A1EC81
; 

loc_A1EBE7:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+204j
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	esi
		call	SdbReadDWORDTag
		push	4
		mov	[ebp+var_14], eax
		lea	edx, [ebp+var_14]
		pop	edi
		jmp	loc_A1EC85
; 

loc_A1EC00:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+1FFj
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	SdbGetTagDataSize
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		mov	[ebp+var_10], eax
		call	SdbpGetMappedTagData
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A1EC7E
		push	edi
		push	ebx
		push	(offset	loc_8C34D1+1)
		push	1A56h
		jmp	short loc_A1EC47
; 

loc_A1EC2B:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+1F9j
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		call	SdbGetStringTagPtr
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A1EC5B
		push	edi
		push	ebx
		push	offset ??_C@_0CO@JGKJJPEB@The?5entry?50x?$CFx?5contains?5bad?5str@NNGAKEGL@
		push	1A48h

loc_A1EC47:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+26Ej
		push	offset ??_C@_0BE@BDIMHFPA@SdbQueryDataExTagID@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	loc_A1EACD
; 

loc_A1EC5B:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+27Ej
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_A1EC60:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+2AEj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A1EC60
		sub	ecx, edi
		sar	ecx, 1
		lea	edi, ds:2[ecx*2]
		jmp	short loc_A1EC81
; 

loc_A1EC78:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+209j
		mov	edi, esi
		mov	edx, esi
		jmp	short loc_A1EC81
; 

loc_A1EC7E:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+260j
		mov	edi, [ebp+var_10]

loc_A1EC81:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+167j
					; SdbQueryDataExTagID(x,x,x,x,x,x,x)+227j ...
		test	edi, edi
		jz	short loc_A1ECA9

loc_A1EC85:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+240j
		cmp	[ebp+arg_8], esi
		jz	short loc_A1ECA6
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_A1ECA6
		mov	eax, [eax]
		cmp	eax, edi
		jb	short loc_A1ECA6
		push	eax		; size_t
		push	edx		; void *
		push	[ebp+arg_8]	; void *
		call	_memmove
		add	esp, 0Ch
		jmp	short loc_A1ECA9
; 

loc_A1ECA6:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+2CDj
					; SdbQueryDataExTagID(x,x,x,x,x,x,x)+2D4j ...
		push	7Ah
		pop	esi

loc_A1ECA9:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+2C8j
					; SdbQueryDataExTagID(x,x,x,x,x,x,x)+2E9j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_A1ECB2
		mov	[eax], edi

loc_A1ECB2:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+2F3j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_A1ECBE
		mov	ecx, [ebp+var_8]
		mov	[eax], ecx

loc_A1ECBE:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+2FCj
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_A1ECCC
		mov	[eax], ebx
		jmp	short loc_A1ECCC
; 

loc_A1ECC9:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+B2j
					; SdbQueryDataExTagID(x,x,x,x,x,x,x)+D1j
		push	7Ah
		pop	esi

loc_A1ECCC:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+117j
					; SdbQueryDataExTagID(x,x,x,x,x,x,x)+1A4j ...
		push	74705041h
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1ECD9:				; CODE XREF: SdbQueryDataExTagID(x,x,x,x,x,x,x)+46j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
_SdbQueryDataExTagID@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbReadEntryInformation(x, x, x)
_SdbReadEntryInformation@12 proc near	; CODE XREF: PiIsDriverBlocked+AFEF6p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_34], 0
		and	[ebp+var_38], 0
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	esi, ecx
		mov	[ebp+var_3C], eax
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_30]
		rep stosd
		lea	eax, [ebp+var_34]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_38]
		mov	ebx, edx
		push	eax
		call	SdbTagRefToTagID
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A1ED47
		push	ebx
		push	offset ??_C@_0CH@KHIGAPEJ@Failed?5to?5convert?5tagref?50x?$CFx?5t@NNGAKEGL@
		push	1AE9h

loc_A1ED33:				; CODE XREF: SdbReadEntryInformation(x,x,x)+C0j
		push	offset ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A1EE05
; 

loc_A1ED47:				; CODE XREF: SdbReadEntryInformation(x,x,x)+44j
		mov	edi, [ebp+var_38]
		mov	ecx, edi
		mov	edx, [ebp+var_34]
		push	9004h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A1ED82
		push	[ebp+var_34]
		push	offset ??_C@_0CJ@GFAHPFCA@Failed?5to?5read?5TAG_EXE_ID?5for?5t@NNGAKEGL@
		push	1AF3h
		push	offset ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A1ED7B:				; CODE XREF: SdbReadEntryInformation(x,x,x)+E9j
		xor	esi, esi
		jmp	loc_A1EE05
; 

loc_A1ED82:				; CODE XREF: SdbReadEntryInformation(x,x,x)+7Bj
		push	10h		; int
		lea	eax, [ebp+var_30]
		mov	edx, ebx
		push	eax		; void *
		mov	ecx, edi
		call	SdbReadBinaryTag
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A1EDA4
		push	ebx
		push	offset ??_C@_0CH@LFOAJKPD@Failed?5to?5read?5GUID?5referenced?5@NNGAKEGL@
		push	1AFDh
		jmp	short loc_A1ED33
; 

loc_A1EDA4:				; CODE XREF: SdbReadEntryInformation(x,x,x)+B3j
		lea	edx, [ebp+var_18]
		mov	ecx, edi
		call	SdbGetDatabaseID
		test	eax, eax
		jnz	short loc_A1EDCD
		push	offset ??_C@_0CE@IBKPPHLF@Failed?5to?5read?5GUID?5of?5the?5data@NNGAKEGL@
		push	1B05h
		push	offset ??_C@_0BI@PGDCLLBH@SdbReadEntryInformation@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_A1ED7B
; 

loc_A1EDCD:				; CODE XREF: SdbReadEntryInformation(x,x,x)+CEj
		lea	edx, [ebp+var_20]
		lea	ecx, [ebp+var_30] ; int
		call	SdbGetEntryFlags
		mov	edx, [ebp+var_34]
		neg	eax
		push	700Fh
		sbb	eax, eax
		mov	ecx, edi
		and	[ebp+var_20], eax
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jz	short loc_A1EE02
		push	0Ah
		pop	ecx
		lea	esi, [ebp+var_30]
		mov	edi, eax
		rep movsd

loc_A1EE02:				; CODE XREF: SdbReadEntryInformation(x,x,x)+114j
		xor	esi, esi
		inc	esi

loc_A1EE05:				; CODE XREF: SdbReadEntryInformation(x,x,x)+60j
					; SdbReadEntryInformation(x,x,x)+9Bj
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_SdbReadEntryInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SdbpCheckExe(int,int,int,int,int,void *)
_SdbpCheckExe@32 proc near		; CODE XREF: SdbpSearchDB+AF6FAp
					; SdbpSearchDB+AF79Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	2
		pop	edi
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], edi
		push	eax
		lea	eax, [ebp+var_4]
		xor	esi, esi
		push	eax
		push	[ebp+arg_8]
		mov	[ebp+var_8], esi
		push	[ebp+arg_0]
		call	SdbpCheckForMatch
		test	eax, eax
		jz	short loc_A1EE97
		cmp	[ebp+arg_C], 1
		mov	ebx, [ebp+var_4]
		jnz	short loc_A1EE52
		cmp	ebx, edi
		jnz	short loc_A1EE97

loc_A1EE52:				; CODE XREF: SdbpCheckExe(x,x,x,x,x,x,x,x)+34j
		cmp	[ebp+arg_C], edi
		jnz	short loc_A1EE5B
		cmp	ebx, edi
		jz	short loc_A1EE97

loc_A1EE5B:				; CODE XREF: SdbpCheckExe(x,x,x,x,x,x,x,x)+3Dj
		mov	edi, [ebp+arg_4]
		cmp	ebx, 1
		jnz	short loc_A1EEA0
		push	80h		; size_t
		push	esi		; int
		push	[ebp+arg_14]	; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi

loc_A1EE76:				; CODE XREF: SdbpCheckExe(x,x,x,x,x,x,x,x)+8Dj
		mov	edx, [ebp+arg_14]
		xor	esi, esi
		mov	eax, [ebp+arg_0]
		inc	esi
		mov	[edx+ecx*8], eax
		mov	eax, [ebp+var_8]
		mov	[edx+ecx*8+4], eax
		lea	eax, [ecx+1]
		mov	[edi], eax
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_A1EE97
		mov	[eax], ebx

loc_A1EE97:				; CODE XREF: SdbpCheckExe(x,x,x,x,x,x,x,x)+2Bj
					; SdbpCheckExe(x,x,x,x,x,x,x,x)+38j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_A1EEA0:				; CODE XREF: SdbpCheckExe(x,x,x,x,x,x,x,x)+49j
		mov	ecx, [edi]
		cmp	ecx, 10h
		jb	short loc_A1EE76
		push	(offset	loc_8C30BD+5)
		push	0FE8h
		push	offset ??_C@_0N@CCNBMNPH@SdbpCheckExe@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		inc	dword ptr [edi]
		jmp	short loc_A1EE97
_SdbpCheckExe@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckMatchingDevice(x, x, x, x,	x, x, x)
_SdbpCheckMatchingDevice@28 proc near	; DATA XREF: .text:00404614o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [eax+3ECh]
		xor	esi, esi
		mov	[ebx], esi
		test	edi, edi
		jnz	short loc_A1EEFB
		push	offset ??_C@_0CD@LALAIDGB@No?5device?5query?5callback?5specif@NNGAKEGL@
		push	89Bh

loc_A1EEEA:				; CODE XREF: SdbpCheckMatchingDevice(x,x,x,x,x,x,x)+55j
					; SdbpCheckMatchingDevice(x,x,x,x,x,x,x)+6Fj
		push	offset ??_C@_0BI@KHBGCKAO@SdbpCheckMatchingDevice@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_A1EF47
; 

loc_A1EEFB:				; CODE XREF: SdbpCheckMatchingDevice(x,x,x,x,x,x,x)+1Aj
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_8]
		push	6001h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	short loc_A1EF1B
		push	offset ??_C@_0BO@FMBINIHJ@Failed?5to?5read?5HWID?5attribute@NNGAKEGL@
		push	8A1h
		jmp	short loc_A1EEEA
; 

loc_A1EF1B:				; CODE XREF: SdbpCheckMatchingDevice(x,x,x,x,x,x,x)+49j
		mov	ecx, [ebp+arg_8]
		mov	edx, eax
		call	SdbGetStringTagPtr
		test	eax, eax
		jnz	short loc_A1EF35
		push	(offset	loc_8C2F8B+5)
		push	8A7h
		jmp	short loc_A1EEEA
; 

loc_A1EF35:				; CODE XREF: SdbpCheckMatchingDevice(x,x,x,x,x,x,x)+63j
		push	eax
		call	edi
		mov	ecx, [ebp+arg_14]
		xor	esi, esi
		inc	esi
		mov	[ebx], eax
		test	ecx, ecx
		jz	short loc_A1EF47
		mov	[ecx+28h], esi

loc_A1EF47:				; CODE XREF: SdbpCheckMatchingDevice(x,x,x,x,x,x,x)+35j
					; SdbpCheckMatchingDevice(x,x,x,x,x,x,x)+7Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	1Ch
_SdbpCheckMatchingDevice@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckMatchingDir(x, x, x, x, x,	x, x)
_SdbpCheckMatchingDir@28 proc near	; DATA XREF: .text:004046A4o

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		push	6001h
		mov	[esp+2Ch+var_C], edi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_A1F082
		mov	ecx, [ebp+arg_8]
		mov	edx, eax
		call	SdbGetStringTagPtr
		mov	ecx, eax
		mov	[esp+28h+var_10], ecx
		test	ecx, ecx
		jnz	short loc_A1EFAE
		push	offset ??_C@_0CL@CODINPLA@Failed?5to?5get?5the?5string?5from?5t@NNGAKEGL@
		push	0AE2h

loc_A1EF9A:				; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+8Fj
					; SdbpCheckMatchingDir(x,x,x,x,x,x,x)+168j
		push	offset ??_C@_0BF@OIHNIAP@SdbpCheckMatchingDir@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_A1F082
; 

loc_A1EFAE:				; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+3Ej
		mov	esi, ecx
		lea	edx, [esi+2]

loc_A1EFB3:				; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+6Cj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, di
		jnz	short loc_A1EFB3
		mov	ebx, [ebp+arg_14]
		sub	esi, edx
		sar	esi, 1
		test	byte ptr [ebx],	1
		jnz	short loc_A1EFE5
		mov	ecx, ebx
		call	SdbpInitializeSearchDBContext
		test	eax, eax
		jnz	short loc_A1EFE1
		push	offset ??_C@_0CF@DDPIMIDA@Failed?5to?5initialize?5SEARCHDBCO@NNGAKEGL@
		push	0AEFh
		jmp	short loc_A1EF9A
; 

loc_A1EFE1:				; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+83j
		mov	ecx, [esp+28h+var_10]

loc_A1EFE5:				; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+78j
		mov	edx, [ebx+24h]
		mov	[esp+28h+var_4], edx
		mov	[esp+28h+var_14], edi
		cmp	[edx], edi
		jle	short loc_A1F062
		add	edx, 4
		mov	[esp+28h+var_8], edx

loc_A1EFFB:				; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+110j
		lea	eax, [esp+28h+var_18]
		mov	[esp+28h+var_18], edi
		push	eax		; int
		push	edx		; int
		push	esi		; int
		push	ecx		; void *
		mov	ecx, [ebp+arg_4]
		mov	edx, ebx
		call	SdbpResolveMatchingFile
		test	eax, eax
		jz	loc_A1F0AE
		mov	ecx, [esp+28h+var_18]
		call	_AslDoesDirectoryExistNtPath@4 ; AslDoesDirectoryExistNtPath(x)
		mov	[esp+28h+var_C], eax
		cmp	[esp+28h+var_18], edi
		jz	short loc_A1F03E
		push	74705041h
		push	[esp+2Ch+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+28h+var_C]

loc_A1F03E:				; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+DAj
		test	eax, eax
		mov	eax, [esp+28h+var_14]
		jnz	short loc_A1F0A1
		mov	ecx, [esp+28h+var_4]
		inc	eax
		mov	edx, [esp+28h+var_8]
		add	edx, 18h
		mov	[esp+28h+var_14], eax
		mov	[esp+28h+var_8], edx
		cmp	eax, [ecx]
		mov	ecx, [esp+28h+var_10]
		jl	short loc_A1EFFB

loc_A1F062:				; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+A2j
					; SdbpCheckMatchingDir(x,x,x,x,x,x,x)+153j ...
		mov	eax, [esp+28h+var_10]
		movzx	eax, word ptr [eax]
		cmp	eax, 25h
		jz	short loc_A1F078
		cmp	eax, 5Ch
		jz	short loc_A1F078
		cmp	eax, 2Eh
		jnz	short loc_A1F07F

loc_A1F078:				; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+11Cj
					; SdbpCheckMatchingDir(x,x,x,x,x,x,x)+121j
		mov	dword ptr [ebx+28h], 1

loc_A1F07F:				; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+126j
		xor	edi, edi
		inc	edi

loc_A1F082:				; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+26j
					; SdbpCheckMatchingDir(x,x,x,x,x,x,x)+59j
		mov	ecx, [ebp+arg_0]
		mov	esi, [esp+28h+var_C]
		mov	[ecx], esi
		call	_Feature_CompatBuildInVb__private_IsEnabledDeviceUsage@0 ; Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()
		test	eax, eax
		mov	eax, edi
		jnz	short loc_A1F098
		mov	eax, esi

loc_A1F098:				; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+144j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_A1F0A1:				; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+F4j
		test	eax, eax
		jle	short loc_A1F062
		mov	dword ptr [ebx+28h], 1
		jmp	short loc_A1F062
; 

loc_A1F0AE:				; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+C3j
		push	(offset	loc_8C309E+4)
		push	0B07h
		jmp	loc_A1EF9A
_SdbpCheckMatchingDir@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckMatchingRegistry(x, x, x, x, x, x,	x)
_SdbpCheckMatchingRegistry@28 proc near	; DATA XREF: .text:004045F4o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, [ebp+arg_10]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+arg_8]
		xor	esi, esi
		push	eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_20], esi
		push	eax
		lea	eax, [ebp+var_C]
		mov	dword ptr [ebp+var_1C],	esi
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_18], esi
		push	eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], esi
		push	eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], esi
		push	eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_C], esi
		push	eax
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	[edi], esi
		call	_SdbpGetRegistryMatchingAttributes@40 ;	SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_A1F136
		push	offset ??_C@_0CC@POBNGMOF@Failed?5to?5read?5MATCHING_REG?5ent@NNGAKEGL@
		push	678h

loc_A1F125:				; CODE XREF: SdbpCheckMatchingRegistry(x,x,x,x,x,x,x)+ABj
		push	offset ??_C@_0BK@HKIGDGDG@SdbpCheckMatchingRegistry@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_A1F178
; 

loc_A1F136:				; CODE XREF: SdbpCheckMatchingRegistry(x,x,x,x,x,x,x)+5Cj
		mov	edx, [ebp+var_18] ; int
		lea	eax, [ebp+var_20]
		mov	ecx, dword ptr [ebp+var_1C] ; char
		push	eax		; int
		push	[ebp+var_4]	; int
		push	[ebp+var_8]	; int
		push	[ebp+var_24]	; int
		push	[ebp+var_28]	; int
		push	[ebp+var_C]	; int
		push	[ebp+var_10]	; int
		push	[ebp+var_14]	; int
		call	_SdbpCheckMatchingRegistryEntry@40 ; SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_A1F16A
		push	offset ??_C@_0CD@CMJHNGOF@Failed?5to?5check?5MATCHING_REG?5en@NNGAKEGL@
		push	689h
		jmp	short loc_A1F125
; 

loc_A1F16A:				; CODE XREF: SdbpCheckMatchingRegistry(x,x,x,x,x,x,x)+9Fj
		mov	ecx, [ebp+arg_14]
		xor	esi, esi
		inc	esi
		mov	[ecx+28h], esi
		mov	ecx, [ebp+var_20]
		mov	[edi], ecx

loc_A1F178:				; CODE XREF: SdbpCheckMatchingRegistry(x,x,x,x,x,x,x)+77j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	1Ch
_SdbpCheckMatchingRegistry@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall SdbpCheckMatchingRegistryEntry(char,int,int,int,int,int,int,int,int,int)
_SdbpCheckMatchingRegistryEntry@40 proc	near
					; CODE XREF: SdbpCheckMatchingRegistry(x,x,x,x,x,x,x)+98p

var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_20C		= word ptr -20Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 244h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_1C]
		push	esi
		push	edi
		push	6
		mov	[ebp+var_220], eax
		lea	edi, [ebp+var_244]
		xor	eax, eax
		mov	[ebp+var_224], edx
		mov	edx, ecx
		mov	[ebp+var_20C], ax
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_218]
		xor	esi, esi
		stosd
		push	edx		; char
		push	(offset	loc_8C2B93+1) ;	wchar_t	*
		push	104h		; int
		stosd
		mov	[ebx], esi
		mov	[ebp+var_22C], esi
		mov	[ebp+var_228], esi
		stosd
		lea	eax, [ebp+var_20C]
		push	eax		; wchar_t *
		mov	[ebp+var_21C], esi
		call	RtlStringCchPrintfW
		add	esp, 10h
		test	eax, eax
		jns	short loc_A1F21B
		push	(offset	loc_8C2BBD+1)
		push	591h
		push	(offset	loc_8C2B49+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_A1F304
; 

loc_A1F21B:				; CODE XREF: SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)+7Bj
		lea	eax, [ebp+var_20C]
		push	eax
		lea	eax, [ebp+var_22C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_22C]
		mov	[ebp+var_244], 18h
		mov	[ebp+var_23C], eax
		lea	eax, [ebp+var_244]
		push	eax
		push	20019h
		lea	eax, [ebp+var_21C]
		mov	[ebp+var_240], esi
		push	eax
		mov	[ebp+var_238], 240h
		mov	[ebp+var_234], esi
		mov	[ebp+var_230], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	short loc_A1F2D8
		push	esi
		push	0Ch
		lea	eax, [ebp+var_218]
		xor	edi, edi
		push	eax
		inc	edi
		push	edi
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		jns	short loc_A1F2AE
		push	eax
		push	offset ??_C@_0CK@OOILAFO@Failed?5to?5get?5processor?5archite@NNGAKEGL@
		push	5B4h
		push	(offset	loc_8C2B49+1)
		push	edi
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A1F304
; 

loc_A1F2AE:				; CODE XREF: SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)+111j
		cmp	word ptr [ebp+var_218],	9
		jz	short loc_A1F2BC

loc_A1F2B8:				; CODE XREF: SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)+156j
		mov	esi, edi
		jmp	short loc_A1F304
; 

loc_A1F2BC:				; CODE XREF: SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)+136j
		lea	eax, [ebp+var_244]
		push	eax
		push	20119h
		lea	eax, [ebp+var_21C]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_A1F2B8

loc_A1F2D8:				; CODE XREF: SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)+FAj
		mov	edx, [ebp+var_224] ; wchar_t *
		mov	ecx, [ebp+var_21C] ; int
		push	ebx		; int
		push	[ebp+arg_18]	; size_t
		push	[ebp+arg_14]	; void *
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+var_220]	; int
		push	[ebp+arg_0]	; void *
		call	_SdbpCheckMatchingRegistryValue@40 ; SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_A1F304:				; CODE XREF: SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)+96j
					; SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)+12Cj ...
		cmp	[ebp+var_21C], 0
		jz	short loc_A1F318
		push	[ebp+var_21C]
		call	_ZwClose@4	; ZwClose(x)

loc_A1F318:				; CODE XREF: SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)+18Bj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	20h
_SdbpCheckMatchingRegistryEntry@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall SdbpCheckMatchingRegistryValue(int,wchar_t *,void *,int,int,int,int,void *,size_t,int)
_SdbpCheckMatchingRegistryValue@40 proc	near
					; CODE XREF: SdbpCheckMatchingRegistryEntry(x,x,x,x,x,x,x,x,x,x)+17Dp
					; SdbpCheckMatchingWildcardRegistryEntry(x,x,x,x,x,x,x,x,x,x)+4Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], ecx
		mov	eax, edx
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], eax
		mov	ebx, esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_4], esi
		push	edi
		mov	edi, esi
		test	eax, eax
		jz	loc_A1F514
		cmp	[eax], si
		jz	loc_A1F514
		push	(offset	loc_8C2A4C+2) ;	wchar_t	*
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A1F375
		push	esi
		jmp	short loc_A1F38B
; 

loc_A1F375:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+45j
		mov	edx, [ebp+var_10]
		lea	ecx, [ebp+var_8]
		call	AslStringDuplicate
		test	eax, eax
		js	loc_A1F53A
		push	[ebp+var_8]

loc_A1F38B:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+48j
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	esi
		push	1
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_A1F3C2
		cmp	eax, 80000005h
		jz	short loc_A1F3C2
		cmp	eax, 0C0000023h
		jz	short loc_A1F3C2
		xor	esi, esi
		inc	esi
		jmp	loc_A1F53A
; 

loc_A1F3C2:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+7Fj
					; SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+86j ...
		mov	edx, [ebp+var_4]
		push	ecx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A1F3EF
		push	offset ??_C@_0BK@JNHKJALB@Failed?5to?5allocate?5memory@NNGAKEGL@ ; "Failed to allocate memory"
		push	475h
		push	offset ??_C@_0BP@IOIMNEOA@SdbpCheckMatchingRegistryValue@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_A1F53A
; 

loc_A1F3EF:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+A4j
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_4]
		lea	eax, [ebp+var_18]
		push	edi
		push	1
		push	eax
		push	[ebp+var_C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_A1F427
		push	offset ??_C@_0BF@JLNLEIIN@Failed?5to?5read?5value@NNGAKEGL@ ; "Failed to read value"
		push	480h

loc_A1F413:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+184j
					; SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+263j ...
		push	offset ??_C@_0BP@IOIMNEOA@SdbpCheckMatchingRegistryValue@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_A1F51C
; 

loc_A1F427:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+DCj
		mov	eax, [edi+4]
		cmp	[ebp+arg_0], ebx
		jnz	short loc_A1F43E
		mov	eax, [ebp+arg_1C]
		xor	ecx, ecx
		inc	ecx
		mov	esi, ecx
		mov	[eax], ecx
		jmp	loc_A1F51C
; 

loc_A1F43E:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+102j
		cmp	eax, [ebp+arg_0]
		jz	short loc_A1F44B

loc_A1F443:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+15Ej
					; SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x):loc_A1F50Ej ...
		xor	esi, esi
		inc	esi
		jmp	loc_A1F51C
; 

loc_A1F44B:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+116j
		mov	ecx, [edi+8]
		add	ecx, edi
		mov	[ebp+arg_0], ecx
		test	eax, eax
		jz	loc_A1F5C4
		cmp	eax, 2
		jbe	loc_A1F572
		cmp	eax, 3
		jz	loc_A1F555
		cmp	eax, 4
		jz	loc_A1F509
		cmp	eax, 7
		jz	short loc_A1F493
		cmp	eax, 0Bh
		jnz	loc_A1F5C4
		mov	eax, [ebp+arg_C]
		cmp	eax, [ecx]
		jnz	short loc_A1F443
		mov	eax, [ebp+arg_10]
		cmp	eax, [ecx+4]
		jmp	short loc_A1F50E
; 

loc_A1F493:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+14Ej
		mov	edx, [edi+0Ch]
		push	ecx
		add	edx, 2
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A1F4B4
		push	offset ??_C@_0BK@JNHKJALB@Failed?5to?5allocate?5memory@NNGAKEGL@ ; "Failed to allocate memory"
		push	4BCh
		jmp	loc_A1F413
; 

loc_A1F4B4:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+178j
		push	dword ptr [edi+0Ch] ; size_t
		push	[ebp+arg_0]	; void *
		push	ebx		; void *
		call	_memmove
		mov	eax, [edi+0Ch]
		xor	ecx, ecx
		shr	eax, 1
		add	esp, 0Ch
		mov	[ebx+eax*2], cx
		mov	ecx, ebx
		mov	eax, [edi+0Ch]
		and	eax, 0FFFFFFFEh
		add	eax, ebx
		cmp	ebx, eax
		jnb	loc_A1F5AD

loc_A1F4E0:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+1D7j
		cmp	[ecx], si
		jnz	short loc_A1F4F5
		cmp	[ecx+2], si
		jz	loc_A1F5AD
		push	3Bh
		pop	eax
		mov	[ecx], ax

loc_A1F4F5:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+1B8j
		mov	eax, [edi+0Ch]
		add	ecx, 2
		and	eax, 0FFFFFFFEh
		add	eax, ebx
		cmp	ecx, eax
		jb	short loc_A1F4E0
		jmp	loc_A1F5AD
; 

loc_A1F509:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+145j
		mov	eax, [ebp+arg_8]
		cmp	eax, [ecx]

loc_A1F50E:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+166j
					; SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+245j
		jnz	loc_A1F443

loc_A1F514:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+27j
					; SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+30j ...
		mov	eax, [ebp+arg_1C]
		xor	esi, esi
		inc	esi
		mov	[eax], esi

loc_A1F51C:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+F7j
					; SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+10Ej ...
		test	edi, edi
		jz	short loc_A1F52B
		push	74705041h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1F52B:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+1F3j
		test	ebx, ebx
		jz	short loc_A1F53A
		push	74705041h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1F53A:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+57j
					; SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+92j ...
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_A1F54C
		push	74705041h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1F54C:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+214j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_A1F555:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+13Cj
		mov	eax, [ebp+arg_18]
		cmp	eax, [edi+0Ch]
		jnz	loc_A1F443
		push	eax		; size_t
		push	ecx		; void *
		push	[ebp+arg_14]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jmp	short loc_A1F50E
; 

loc_A1F572:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+133j
		mov	edx, [edi+0Ch]
		push	ecx
		add	edx, 2
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A1F593
		push	offset ??_C@_0BK@JNHKJALB@Failed?5to?5allocate?5memory@NNGAKEGL@ ; "Failed to allocate memory"
		push	4A5h
		jmp	loc_A1F413
; 

loc_A1F593:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+257j
		push	dword ptr [edi+0Ch] ; size_t
		push	[ebp+arg_0]	; void *
		push	ebx		; void *
		call	_memmove
		mov	eax, [edi+0Ch]
		add	esp, 0Ch
		shr	eax, 1
		xor	ecx, ecx
		mov	[ebx+eax*2], cx

loc_A1F5AD:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+1AFj
					; SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+1BEj ...
		mov	ecx, [ebp+arg_4]
		mov	edx, ebx
		call	AslStringPatternMatchW
		test	eax, eax
		jnz	loc_A1F514
		jmp	loc_A1F443
; 

loc_A1F5C4:				; CODE XREF: SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+12Aj
					; SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)+153j
		push	offset ??_C@_0CB@NOENIKHC@Unknown?5registry?5value?5data?5typ@NNGAKEGL@
		push	507h
		jmp	loc_A1F413
_SdbpCheckMatchingRegistryValue@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckMatchingText(x, x,	x, x, x, x, x)
_SdbpCheckMatchingText@28 proc near	; DATA XREF: .text:00404604o

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_8]
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], 2000h
		mov	[eax], esi
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_1C], esi
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_18], esi
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_14], esi
		push	eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_4], esi
		push	eax
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		call	_SdbpGetMatchingTextAttributes@28 ; SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_A1F63A
		push	(offset	loc_8C2E8B+3)
		push	846h
		push	offset ??_C@_0BG@PMEDILFH@SdbpCheckMatchingText@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_A1F690
; 

loc_A1F63A:				; CODE XREF: SdbpCheckMatchingText(x,x,x,x,x,x,x)+4Aj
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+var_18]
		push	ebx
		mov	ebx, [ebp+arg_14]
		mov	edx, ebx
		push	eax		; int
		lea	eax, [ebp+var_1C]
		push	eax		; int
		push	[ebp+var_8]	; int
		push	[ebp+var_C]	; int
		push	[ebp+var_10]	; int
		push	[ebp+var_4]	; int
		push	[ebp+var_14]	; void *
		call	_SdbpCheckMatchingTextEntry@36 ; SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_A1F67E
		push	(offset	loc_8C3000+6)
		push	857h
		push	offset ??_C@_0BG@PMEDILFH@SdbpCheckMatchingText@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_A1F68F
; 

loc_A1F67E:				; CODE XREF: SdbpCheckMatchingText(x,x,x,x,x,x,x)+8Ej
		mov	ecx, [ebp+arg_0]
		xor	esi, esi
		mov	eax, [ebp+var_18]
		inc	esi
		or	[ebx+28h], eax
		mov	eax, [ebp+var_1C]
		mov	[ecx], eax

loc_A1F68F:				; CODE XREF: SdbpCheckMatchingText(x,x,x,x,x,x,x)+A9j
		pop	ebx

loc_A1F690:				; CODE XREF: SdbpCheckMatchingText(x,x,x,x,x,x,x)+65j
		cmp	[ebp+var_4], 0
		jz	short loc_A1F6A3
		push	74705041h
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1F6A3:				; CODE XREF: SdbpCheckMatchingText(x,x,x,x,x,x,x)+C1j
		mov	eax, esi
		pop	esi
		leave
		retn	1Ch
_SdbpCheckMatchingText@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SdbpCheckMatchingTextEntry(void	*,int,int,int,int,int,int)
_SdbpCheckMatchingTextEntry@36 proc near
					; CODE XREF: SdbpCheckMatchingText(x,x,x,x,x,x,x)+87p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, [ebp+arg_14]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+34h+var_14], edx
		test	byte ptr [edx],	1
		mov	ebx, esi
		mov	[eax], esi
		mov	eax, [ebp+arg_18]
		push	edi
		mov	[esp+38h+var_8], ecx
		mov	[esp+38h+var_18], esi
		mov	[esp+38h+var_1C], ebx
		mov	[esp+38h+var_10], esi
		mov	[esp+38h+var_28], esi
		mov	[eax], esi
		jnz	short loc_A1F712
		mov	ecx, edx
		call	SdbpInitializeSearchDBContext
		test	eax, eax
		jnz	short loc_A1F70E
		push	offset ??_C@_0CF@DDPIMIDA@Failed?5to?5initialize?5SEARCHDBCO@NNGAKEGL@
		xor	edi, edi
		push	741h
		inc	edi

loc_A1F6FB:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+301j
					; SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+310j ...
		push	offset ??_C@_0BL@EOPMKEHA@SdbpCheckMatchingTextEntry@NNGAKEGL@
		push	edi
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_A1F7E2
; 

loc_A1F70E:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+42j
		mov	edx, [esp+38h+var_14]

loc_A1F712:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+37j
		mov	ecx, [edx+24h]
		xor	edi, edi
		inc	edi
		mov	[esp+38h+var_4], ecx
		mov	[esp+38h+var_24], esi
		cmp	[ecx], esi
		jle	loc_A1F7DB
		lea	ebx, [ecx+4]
		mov	[esp+38h+var_20], ebx
		jmp	short loc_A1F735
; 

loc_A1F731:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+12Bj
		mov	ebx, [esp+38h+var_20]

loc_A1F735:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+85j
		mov	ecx, [ebp+arg_0]
		lea	eax, [ecx+2]
		mov	[esp+38h+var_C], eax

loc_A1F73F:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+9Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A1F73F
		sub	ecx, [esp+38h+var_C]
		lea	eax, [esp+38h+var_1C]
		push	eax		; int
		sar	ecx, 1
		push	ebx		; int
		push	ecx		; int
		push	[ebp+arg_0]	; void *
		mov	ecx, [esp+48h+var_8]
		call	SdbpResolveMatchingFile
		test	eax, eax
		jz	loc_A1F9CE
		mov	ebx, [esp+38h+var_1C]
		lea	ecx, [esp+38h+var_28]
		push	esi
		push	esi
		push	esi
		mov	edx, ebx
		call	AslFileMappingCreate
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_A1F78E
		mov	ecx, [esp+38h+var_28]
		call	_AslFileMappingEnsureMappedAs@8	; AslFileMappingEnsureMappedAs(x,x)
		mov	ecx, eax

loc_A1F78E:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+D7j
		call	AslFileNotFound
		test	eax, eax
		jz	loc_A1F825
		mov	ecx, [esp+38h+var_28]
		call	AslFileMappingDelete
		mov	[esp+38h+var_28], esi
		test	ebx, ebx
		jz	short loc_A1F7B7
		push	74705041h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1F7B7:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+100j
		mov	eax, [esp+38h+var_24]
		mov	ebx, esi
		mov	ecx, [esp+38h+var_4]
		inc	eax
		add	[esp+38h+var_20], 18h
		mov	edx, [esp+38h+var_14]
		mov	[esp+38h+var_1C], ebx
		mov	[esp+38h+var_24], eax
		cmp	eax, [ecx]
		jl	loc_A1F731

loc_A1F7DB:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+78j
					; SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+1B0j ...
		mov	eax, [ebp+arg_14]
		mov	[eax], esi

loc_A1F7E0:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+2F2j
		mov	esi, edi

loc_A1F7E2:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+5Fj
					; SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+19Bj ...
		mov	eax, [ebp+arg_0]
		movzx	eax, word ptr [eax]
		cmp	eax, 25h
		jz	short loc_A1F7F7
		cmp	eax, 5Ch
		jz	short loc_A1F7F7
		cmp	eax, 2Eh
		jnz	short loc_A1F7FC

loc_A1F7F7:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+141j
					; SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+146j
		mov	eax, [ebp+arg_18]
		mov	[eax], edi

loc_A1F7FC:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+14Bj
		test	ebx, ebx
		jz	short loc_A1F80B
		push	74705041h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1F80B:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+154j
		mov	eax, [esp+38h+var_28]
		test	eax, eax
		jz	short loc_A1F81A
		mov	ecx, eax
		call	AslFileMappingDelete

loc_A1F81A:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+167j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_A1F825:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+EBj
		test	ecx, ecx
		jns	short loc_A1F847
		push	ecx
		push	(offset	loc_8C2EFA+4)
		push	779h
		xor	edi, edi
		push	offset ??_C@_0BL@EOPMKEHA@SdbpCheckMatchingTextEntry@NNGAKEGL@
		inc	edi
		push	edi
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A1F7E2
; 

loc_A1F847:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+17Dj
		mov	eax, [esp+38h+var_24]
		test	eax, eax
		jle	short loc_A1F854
		mov	eax, [ebp+arg_18]
		mov	[eax], edi

loc_A1F854:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+1A3j
		mov	ecx, [esp+38h+var_28]
		test	ecx, ecx
		jz	loc_A1F7DB
		mov	eax, [ecx+10h]
		mov	edx, esi
		mov	[esp+38h+var_14], eax
		mov	eax, [ecx+14h]
		mov	ecx, [ecx+18h]
		mov	[esp+38h+var_8], ecx
		mov	[esp+38h+var_20], edx
		cmp	esi, eax
		jb	short loc_A1F88F
		mov	eax, [esp+38h+var_14]
		ja	short loc_A1F888
		mov	ecx, [ebp+arg_10]
		cmp	ecx, eax
		jb	short loc_A1F892

loc_A1F888:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+1D5j
		mov	ecx, eax
		mov	[ebp+arg_10], ecx
		jmp	short loc_A1F892
; 

loc_A1F88F:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+1CFj
		mov	ecx, [ebp+arg_10]

loc_A1F892:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+1DCj
					; SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+1E3j
		cmp	[ebp+arg_8], ecx
		ja	loc_A1F7DB
		xor	eax, eax
		cmp	[ebp+arg_C], 3
		setz	al
		inc	eax
		mov	[esp+38h+var_C], eax
		test	ecx, ecx
		jz	loc_A1F993
		mov	[esp+38h+var_4], 1000h

loc_A1F8B9:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+2E3j
		cmp	edx, [ebp+arg_8]
		jbe	short loc_A1F8C7
		sub	eax, [ebp+arg_8]
		add	edx, eax
		mov	[esp+38h+var_20], edx

loc_A1F8C7:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+212j
		mov	eax, ecx
		mov	ecx, [esp+38h+var_4]
		sub	eax, edx
		mov	[esp+38h+var_24], eax
		cmp	eax, ecx
		jbe	short loc_A1F8DD
		mov	eax, ecx
		mov	[esp+38h+var_24], ecx

loc_A1F8DD:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+22Bj
		push	ecx
		lea	edx, [eax+2]
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	[esp+38h+var_1C], eax
		test	eax, eax
		jz	loc_A1F9BF
		mov	edx, [esp+38h+var_20]
		lea	eax, [esp+38h+var_10]
		mov	ecx, [esp+38h+var_8]
		push	eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_A1F9B0
		push	[esp+38h+var_24] ; size_t
		push	[esp+3Ch+var_10] ; void	*
		push	[esp+40h+var_1C] ; void	*
		call	_memcpy
		mov	eax, [ebp+arg_C]
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A1F9A1
		cmp	eax, 2
		jbe	short loc_A1F94B
		cmp	eax, 3
		jnz	short loc_A1F9A1
		mov	eax, [ebp+arg_8]
		mov	edx, [esp+38h+var_24]
		mov	ecx, [esp+38h+var_1C]
		shr	eax, 1
		push	eax
		push	[ebp+arg_4]
		shr	edx, 1
		call	_AslStringSearchW@16 ; AslStringSearchW(x,x,x,x)
		jmp	short loc_A1F95E
; 

loc_A1F94B:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+280j
		push	[ebp+arg_8]
		mov	ecx, [esp+3Ch+var_1C]
		push	[ebp+arg_4]
		mov	edx, [esp+40h+var_24]
		call	_AslStringSearchA@16 ; AslStringSearchA(x,x,x,x)

loc_A1F95E:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+29Fj
		test	eax, eax
		jz	short loc_A1F966
		mov	[esp+38h+var_18], edi

loc_A1F966:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+2B6j
		mov	eax, [esp+38h+var_20]
		add	eax, [esp+38h+var_24]
		push	74705041h
		push	[esp+3Ch+var_1C]
		mov	[esp+40h+var_20], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, [esp+38h+var_20]
		mov	eax, [esp+38h+var_C]
		cmp	edx, ecx
		jb	loc_A1F8B9

loc_A1F993:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+201j
		mov	eax, [ebp+arg_14]
		mov	ecx, [esp+38h+var_18]
		mov	[eax], ecx
		jmp	loc_A1F7E0
; 

loc_A1F9A1:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+27Bj
					; SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+285j
		push	(offset	loc_8C2EE0+8)
		push	7E9h
		jmp	loc_A1F6FB
; 

loc_A1F9B0:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+25Cj
		push	(offset	loc_8C2EC7+1)
		push	7C7h
		jmp	loc_A1F6FB
; 

loc_A1F9BF:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+242j
		push	offset ??_C@_0BP@JNLJBLGM@Failed?5to?5allocate?5temp?5buffer@NNGAKEGL@
		push	7C0h
		jmp	loc_A1F6FB
; 

loc_A1F9CE:				; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+BBj
		push	offset ??_C@_0CF@OMCJMENO@Failed?5to?5resolve?5matching?5text@NNGAKEGL@
		push	759h
		xor	edi, edi
		push	offset ??_C@_0BL@EOPMKEHA@SdbpCheckMatchingTextEntry@NNGAKEGL@
		inc	edi
		push	edi
		call	AslLogCallPrintf
		mov	ebx, [esp+48h+var_1C]
		add	esp, 10h
		jmp	loc_A1F7E2
_SdbpCheckMatchingTextEntry@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckMatchingWildcardFiles(x, x, x, x, x, x, x)
_SdbpCheckMatchingWildcardFiles@28 proc	near ; DATA XREF: .text:00404684o

var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 244h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+244h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_14]
		push	esi
		xor	esi, esi
		mov	[esp+24Ch+var_214], eax
		mov	eax, [ebp+arg_4]
		push	edi
		mov	[esp+250h+var_228], eax
		mov	edi, esi
		mov	eax, [ebp+arg_8]
		mov	[esp+250h+var_22C], eax
		mov	[esp+250h+var_240], ebx
		mov	[esp+250h+var_230], esi
		mov	[esp+250h+var_238], edi
		mov	[esp+250h+var_23C], esi
		mov	[esp+250h+var_234], esi
		call	_Feature_CompatBuildInVb__private_IsEnabledDeviceUsage@0 ; Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()
		test	eax, eax
		jnz	short loc_A1FA59
		cmp	[ebx+2Ch], esi
		jz	short loc_A1FA59
		inc	esi
		mov	[esp+250h+var_230], esi
		jmp	loc_A1FBFC
; 

loc_A1FA59:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+56j
					; SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+5Bj
		mov	ebx, [esp+250h+var_22C]
		mov	ecx, ebx
		mov	edx, [ebp+arg_10]
		push	6001h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_A1FBFC
		mov	edx, eax
		mov	ecx, ebx
		call	SdbGetStringTagPtr
		mov	[esp+250h+var_21C], eax
		test	eax, eax
		jnz	short loc_A1FAA3
		push	offset ??_C@_0CL@CODINPLA@Failed?5to?5get?5the?5string?5from?5t@NNGAKEGL@
		push	0C5Dh

loc_A1FA8F:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+E3j
		push	(offset	loc_8C314D+5)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_A1FBFC
; 

loc_A1FAA3:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+91j
		mov	ebx, eax
		lea	ecx, [ebx+2]

loc_A1FAA8:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+BFj
		mov	ax, [ebx]
		add	ebx, 2
		cmp	ax, si
		jnz	short loc_A1FAA8
		mov	eax, [esp+250h+var_240]
		sub	ebx, ecx
		sar	ebx, 1
		test	byte ptr [eax],	1
		jnz	short loc_A1FADB
		mov	ecx, eax
		call	SdbpInitializeSearchDBContext
		test	eax, eax
		jnz	short loc_A1FAD7
		push	offset ??_C@_0CF@DDPIMIDA@Failed?5to?5initialize?5SEARCHDBCO@NNGAKEGL@
		push	0C6Bh
		jmp	short loc_A1FA8F
; 

loc_A1FAD7:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+D7j
		mov	eax, [esp+250h+var_240]

loc_A1FADB:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+CCj
		mov	ecx, [eax+24h]
		mov	[esp+250h+var_218], ecx
		mov	[esp+250h+var_224], esi
		cmp	[ecx], esi
		jle	loc_A1FBF6
		lea	edx, [ecx+4]
		mov	[esp+250h+var_220], edx

loc_A1FAF5:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+1FEj
		lea	ecx, [esp+250h+var_238]
		push	ecx		; int
		mov	ecx, [esp+254h+var_228]
		push	edx		; int
		push	ebx		; int
		push	[esp+25Ch+var_21C] ; void *
		mov	edx, eax
		call	SdbpResolveMatchingFile
		test	eax, eax
		jz	loc_A1FC46
		lea	ecx, [esp+250h+var_234]
		call	_AslPathWildcardFindClose@4 ; AslPathWildcardFindClose(x)
		push	208h		; size_t
		lea	eax, [esp+254h+var_210]
		push	esi		; int
		push	eax		; void *
		call	_memset
		mov	edi, [esp+25Ch+var_238]
		lea	eax, [esp+25Ch+var_234]
		add	esp, 0Ch
		lea	ecx, [esp+250h+var_210]
		push	eax		; int
		push	edi		; void *
		call	_AslPathWildcardFindFirst@16 ; AslPathWildcardFindFirst(x,x,x,x)
		jmp	short loc_A1FB98
; 

loc_A1FB44:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+1A8j
		mov	eax, [esp+250h+var_23C]
		test	eax, eax
		jz	short loc_A1FB57
		mov	ecx, eax
		call	AslFileMappingDelete
		mov	[esp+250h+var_23C], esi

loc_A1FB57:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+158j
		push	esi
		push	esi
		push	esi
		lea	edx, [esp+25Ch+var_210]
		lea	ecx, [esp+25Ch+var_23C]
		call	AslFileMappingCreate
		test	eax, eax
		js	short loc_A1FB9C
		push	[esp+250h+var_23C]
		mov	edx, [esp+254h+var_228]
		lea	ecx, [esp+254h+var_230]
		push	[ebp+arg_10]
		push	[esp+258h+var_22C]
		call	_SdbpCheckAllAttributes@20 ; SdbpCheckAllAttributes(x,x,x,x,x)
		test	eax, eax
		jns	loc_A1FC40
		push	[esp+250h+var_234]
		lea	ecx, [esp+254h+var_210]
		call	_AslPathWildcardFindNext@12 ; AslPathWildcardFindNext(x,x,x)

loc_A1FB98:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+150j
		test	eax, eax
		jns	short loc_A1FB44

loc_A1FB9C:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+177j
		cmp	eax, 80000006h
		jz	short loc_A1FBBD
		push	eax
		push	offset ??_C@_0DJ@BEFCHLOA@AslPathWildcardFindFirst?1Next?5f@NNGAKEGL@
		push	0CB9h
		push	(offset	loc_8C314D+5)
		push	3
		call	AslLogCallPrintf
		add	esp, 14h

loc_A1FBBD:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+1AFj
		test	edi, edi
		jz	short loc_A1FBD2
		push	74705041h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, esi
		mov	[esp+250h+var_238], edi

loc_A1FBD2:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+1CDj
		mov	eax, [esp+250h+var_218]
		mov	ecx, [esp+250h+var_224]
		mov	edx, [esp+250h+var_220]
		inc	ecx
		add	edx, 18h
		mov	[esp+250h+var_224], ecx
		cmp	ecx, [eax]
		mov	eax, [esp+250h+var_240]
		mov	[esp+250h+var_220], edx
		jl	loc_A1FAF5

loc_A1FBF6:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+F6j
					; SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+252j
		xor	esi, esi
		inc	esi
		mov	[eax+28h], esi

loc_A1FBFC:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+62j
					; SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+7Cj ...
		lea	ecx, [esp+250h+var_234]
		call	_AslPathWildcardFindClose@4 ; AslPathWildcardFindClose(x)
		mov	ecx, [esp+250h+var_23C]
		call	AslFileMappingDelete
		test	edi, edi
		jz	short loc_A1FC1D
		push	74705041h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A1FC1D:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+21Ej
		mov	eax, [esp+250h+var_214]
		mov	ecx, [esp+250h+var_230]
		pop	edi
		mov	[eax], ecx
		mov	eax, esi
		mov	ecx, [esp+24Ch+var_4]
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	1Ch
; 

loc_A1FC40:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+193j
		mov	eax, [esp+250h+var_240]
		jmp	short loc_A1FBF6
; 

loc_A1FC46:				; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+11Bj
		push	offset ??_C@_0CA@GEALLKGN@Failed?5to?5resolve?5matching?5file@NNGAKEGL@
		push	0C83h
		push	(offset	loc_8C314D+5)
		push	1
		call	AslLogCallPrintf
		mov	edi, [esp+260h+var_238]
		add	esp, 10h
		jmp	short loc_A1FBFC
_SdbpCheckMatchingWildcardFiles@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckMatchingWildcardRegistry(x, x, x, x, x, x,	x)
_SdbpCheckMatchingWildcardRegistry@28 proc near	; DATA XREF: .text:00404694o

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, [ebp+arg_10]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+arg_8]
		xor	esi, esi
		push	eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_20], esi
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_1C], esi
		push	eax
		lea	eax, [ebp+var_10]
		mov	[ebp+var_18], esi
		push	eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], esi
		push	eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], esi
		push	eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_C], esi
		push	eax
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	[edi], esi
		call	_SdbpGetRegistryMatchingAttributes@40 ;	SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_A1FCDE
		push	offset ??_C@_0DA@IPBPJHH@Failed?5to?5read?5MATCHING_WILDCAR@NNGAKEGL@
		push	621h

loc_A1FCCD:				; CODE XREF: SdbpCheckMatchingWildcardRegistry(x,x,x,x,x,x,x)+ABj
		push	offset ??_C@_0CC@GNBGCCDF@SdbpCheckMatchingWildcardRegist@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_A1FD20
; 

loc_A1FCDE:				; CODE XREF: SdbpCheckMatchingWildcardRegistry(x,x,x,x,x,x,x)+5Cj
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_20]
		mov	ecx, [ebp+var_1C]
		push	eax		; int
		push	[ebp+var_4]	; size_t
		push	[ebp+var_8]	; void *
		push	[ebp+var_24]	; int
		push	[ebp+var_28]	; int
		push	[ebp+var_C]	; int
		push	[ebp+var_10]	; int
		push	[ebp+var_14]	; void *
		call	_SdbpCheckMatchingWildcardRegistryEntry@40 ; SdbpCheckMatchingWildcardRegistryEntry(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_A1FD12
		push	offset ??_C@_0DB@EIHOIBJC@Failed?5to?5check?5MATCHING_WILDCA@NNGAKEGL@
		push	632h
		jmp	short loc_A1FCCD
; 

loc_A1FD12:				; CODE XREF: SdbpCheckMatchingWildcardRegistry(x,x,x,x,x,x,x)+9Fj
		mov	ecx, [ebp+arg_14]
		xor	esi, esi
		inc	esi
		mov	[ecx+28h], esi
		mov	ecx, [ebp+var_20]
		mov	[edi], ecx

loc_A1FD20:				; CODE XREF: SdbpCheckMatchingWildcardRegistry(x,x,x,x,x,x,x)+77j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	1Ch
_SdbpCheckMatchingWildcardRegistry@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SdbpCheckMatchingWildcardRegistryEntry(void *,int,int,int,int,void *,size_t,int)
_SdbpCheckMatchingWildcardRegistryEntry@40 proc	near
					; CODE XREF: SdbpCheckMatchingWildcardRegistry(x,x,x,x,x,x,x)+98p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_1C]
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		mov	[esp+18h+var_4], ebx
		push	ecx
		lea	edx, [esp+1Ch+var_4]
		mov	[esp+1Ch+var_8], ebx
		lea	ecx, [esp+1Ch+var_8]
		mov	[esi], ebx
		call	_AslRegWildcardFindFirst@12 ; AslRegWildcardFindFirst(x,x,x)
		jmp	short loc_A1FD8D
; 

loc_A1FD57:				; CODE XREF: SdbpCheckMatchingWildcardRegistryEntry(x,x,x,x,x,x,x,x,x,x)+67j
		mov	ecx, [esp+18h+var_8] ; int
		mov	edx, edi	; wchar_t *
		push	esi		; int
		push	[ebp+arg_18]	; size_t
		push	[ebp+arg_14]	; void *
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; void *
		call	_SdbpCheckMatchingRegistryValue@40 ; SdbpCheckMatchingRegistryValue(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_A1FD80
		cmp	[esi], ebx
		jnz	short loc_A1FD91

loc_A1FD80:				; CODE XREF: SdbpCheckMatchingWildcardRegistryEntry(x,x,x,x,x,x,x,x,x,x)+52j
		mov	edx, [esp+18h+var_4]
		lea	ecx, [esp+18h+var_8]
		call	_AslRegWildcardFindNext@8 ; AslRegWildcardFindNext(x,x)

loc_A1FD8D:				; CODE XREF: SdbpCheckMatchingWildcardRegistryEntry(x,x,x,x,x,x,x,x,x,x)+2Dj
		test	eax, eax
		jns	short loc_A1FD57

loc_A1FD91:				; CODE XREF: SdbpCheckMatchingWildcardRegistryEntry(x,x,x,x,x,x,x,x,x,x)+56j
		mov	ecx, [esp+18h+var_4]
		call	_AslRegWildcardFindClose@4 ; AslRegWildcardFindClose(x)
		pop	edi
		xor	eax, eax
		pop	esi
		inc	eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	20h
_SdbpCheckMatchingWildcardRegistryEntry@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckOSKind(x, x, x, x,	x, x, x)
_SdbpCheckOSKind@28 proc near		; DATA XREF: .text:00404644o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_8]
		push	0
		call	SdbReadDWORDTag
		mov	ecx, [ebp+arg_4]
		mov	ecx, [ecx+1A0h]
		and	ecx, eax
		mov	eax, [ebp+arg_0]
		neg	ecx
		sbb	ecx, ecx
		neg	ecx
		mov	[eax], ecx
		xor	eax, eax
		inc	eax
		pop	ebp
		retn	1Ch
_SdbpCheckOSKind@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckPackageAttributes(x, x, x,	x, x, x, x)
_SdbpCheckPackageAttributes@28 proc near ; DATA	XREF: .text:00404654o
					; .text:00404664o ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_14]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		mov	eax, [eax+2Ch]
		inc	ebx
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], ebx
		mov	[eax], edi
		mov	eax, edi
		mov	[ebp+var_4], eax

loc_A1FDFE:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+1F8j
		movzx	eax, word_6B68F4[eax]
		mov	edx, [ebp+arg_10]
		mov	ecx, [esi+4]
		push	eax
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	[ebp+arg_14], eax
		test	eax, eax
		jz	loc_A1FFC1
		mov	edx, [ebp+var_8]
		mov	ebx, edi
		mov	eax, [edx+8]
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_A1FFE4
		mov	ecx, [ebp+var_4]
		movzx	esi, word_6B68F6[ecx]
		mov	[ebp+var_C], esi
		mov	ecx, esi

loc_A1FE3E:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+A6j
		mov	esi, edi
		cmp	ebx, eax
		jnb	short loc_A1FE71
		mov	eax, [edx+4]
		lea	ecx, [ebp+var_14]
		mul	ebx
		mov	[ebp+var_14], edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		mov	edx, [ebp+var_8]
		test	eax, eax
		js	short loc_A1FE69
		mov	ecx, [edx+14h]
		mov	esi, [ebp+var_14]
		add	esi, ecx
		cmp	esi, ecx
		jnb	short loc_A1FE6B

loc_A1FE69:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+86j
		mov	esi, edi

loc_A1FE6B:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+92j
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_18]

loc_A1FE71:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+6Dj
		cmp	[esi], cx
		jz	short loc_A1FE7D
		inc	ebx
		mov	esi, edi
		cmp	ebx, eax
		jb	short loc_A1FE3E

loc_A1FE7D:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+9Fj
		test	esi, esi
		jz	loc_A1FFE4
		mov	eax, [ebp+var_4]
		mov	ecx, 5017h
		movzx	eax, word_6B68F4[eax]
		cmp	eax, ecx
		ja	loc_A1FF45
		jz	short loc_A1FF17
		sub	eax, 4045h
		jz	short loc_A1FEEF
		sub	eax, 0FCFh
		jz	short loc_A1FF17
		sub	eax, 1
		jz	loc_A1FF83
		sub	eax, 1
		jnz	loc_A1FFDB

loc_A1FEBE:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+17Cj
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_14]
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		mov	ecx, [eax+4]
		call	SdbReadQWORDTag
		mov	ecx, eax
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_A1FFDB
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	edx
		push	ecx
		call	_SdbpCheckUptoVersion@16 ; SdbpCheckUptoVersion(x,x,x,x)
		jmp	loc_A1FFAB
; 

loc_A1FEEF:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+CEj
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_14]
		push	0FFFFFFFFh
		mov	ecx, [eax+4]
		call	SdbReadDWORDTag
		mov	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	loc_A1FFDB
		xor	eax, eax
		cmp	ecx, [esi+8]
		setz	al
		jmp	loc_A1FFAB
; 

loc_A1FF17:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+C7j
					; SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+D5j
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_14]
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		mov	ecx, [eax+4]
		call	SdbReadQWORDTag
		mov	ecx, eax
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_A1FFDB
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	edx
		push	ecx
		call	_SdbpCheckVersion@16 ; SdbpCheckVersion(x,x,x,x)
		jmp	short loc_A1FFAB
; 

loc_A1FF45:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+C1j
		cmp	eax, 5018h
		jz	short loc_A1FF83
		cmp	eax, 5019h
		jz	loc_A1FEBE
		cmp	eax, 6028h
		jbe	short loc_A1FFDB
		cmp	eax, 602Bh
		ja	short loc_A1FFDB
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_14]
		mov	ecx, [eax+4]
		call	SdbGetStringTagPtr
		test	eax, eax
		jz	short loc_A1FFDB
		mov	edx, [esi+8]
		mov	ecx, eax
		call	AslStringPatternMatchW
		jmp	short loc_A1FFAB
; 

loc_A1FF83:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+DAj
					; SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+175j
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_14]
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		mov	ecx, [eax+4]
		call	SdbReadQWORDTag
		mov	ecx, eax
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_A1FFDB
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	edx
		push	ecx
		call	_SdbpCheckFromVersion@16 ; SdbpCheckFromVersion(x,x,x,x)

loc_A1FFAB:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+115j
					; SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+13Dj ...
		cmp	[ebp+var_10], edi
		jz	short loc_A1FFB9
		test	eax, eax
		jz	short loc_A1FFB9
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_A1FFBB
; 

loc_A1FFB9:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+1D9j
					; SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+1DDj
		mov	ebx, edi

loc_A1FFBB:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+1E2j
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_10], ebx

loc_A1FFC1:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+41j
		mov	eax, [ebp+var_4]
		add	eax, 4
		mov	[ebp+var_4], eax
		cmp	eax, 28h
		jb	loc_A1FDFE
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		inc	edi
		mov	[eax], ebx

loc_A1FFDB:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+E3j
					; SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+102j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
; 

loc_A1FFE4:				; CODE XREF: SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+54j
					; SdbpCheckPackageAttributes(x,x,x,x,x,x,x)+AAj
		push	offset ??_C@_0CM@KNENAJOM@Failed?5to?5find?5Attribute?5to?5use@NNGAKEGL@
		push	13E2h
		push	offset ??_C@_0BL@IBJIFFMD@SdbpCheckPackageAttributes@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_A1FFDB
_SdbpCheckPackageAttributes@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckRuntimePlatform(x,	x, x, x, x, x, x)
_SdbpCheckRuntimePlatform@28 proc near	; DATA XREF: .text:00404634o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_10]
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ecx, esi
		push	edi
		mov	edi, [eax+194h]
		push	0FFh
		call	SdbReadDWORDTag
		mov	edx, [esi+0A28h]
		mov	ecx, [ebp+arg_0]
		push	eax
		push	edi
		call	_SdbpCheckRuntimePlatformImpl@16 ; SdbpCheckRuntimePlatformImpl(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	1Ch
_SdbpCheckRuntimePlatform@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckRuntimePlatformImpl(x, x, x, x)
_SdbpCheckRuntimePlatformImpl@16 proc near
					; CODE XREF: SdbpCheckRuntimePlatform(x,x,x,x,x,x,x)+2Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	dl, 2
		jz	short loc_A2004E
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		call	_SdbpCheckRuntimePlatformV2Impl@12 ; SdbpCheckRuntimePlatformV2Impl(x,x,x)
		jmp	short loc_A2005F
; 

loc_A2004E:				; CODE XREF: SdbpCheckRuntimePlatformImpl(x,x,x,x)+8j
		mov	eax, [ebp+arg_0]
		and	eax, [ebp+arg_4]
		neg	eax
		sbb	eax, eax
		neg	eax
		mov	[ecx], eax
		xor	eax, eax
		inc	eax

loc_A2005F:				; CODE XREF: SdbpCheckRuntimePlatformImpl(x,x,x,x)+15j
		pop	ebp
		retn	8
_SdbpCheckRuntimePlatformImpl@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckRuntimePlatformV2Impl(x, x, x)
_SdbpCheckRuntimePlatformV2Impl@12 proc	near
					; CODE XREF: SdbpCheckRuntimePlatformImpl(x,x,x,x)+10p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	eax, eax
		xor	esi, esi
		cmp	[ebp+arg_0], 0C0000000h
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		jnz	short loc_A2008A
		inc	esi

loc_A2007D:				; CODE XREF: SdbpCheckRuntimePlatformV2Impl(x,x,x)+72j
		mov	eax, esi

loc_A2007F:				; CODE XREF: SdbpCheckRuntimePlatformV2Impl(x,x,x)+2Cj
					; SdbpCheckRuntimePlatformV2Impl(x,x,x)+78j ...
		mov	[edi], eax
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_A2008A:				; CODE XREF: SdbpCheckRuntimePlatformV2Impl(x,x,x)+17j
		xor	ecx, ecx
		inc	esi

loc_A2008D:				; CODE XREF: SdbpCheckRuntimePlatformV2Impl(x,x,x)+80j
		test	eax, eax
		jnz	short loc_A2007F
		mov	edx, [ebp+arg_0]
		shr	edx, cl
		test	dl, 40h
		jz	short loc_A200DD
		and	edx, 3Fh
		sub	edx, eax
		jz	short loc_A200D2
		sub	edx, 5
		jz	short loc_A200CB
		sub	edx, 4
		jz	short loc_A200BC
		dec	edx
		sub	edx, 1
		jz	short loc_A200C4
		sub	edx, 1
		jz	short loc_A200C4
		sub	edx, 1
		jnz	short loc_A200D7

loc_A200BC:				; CODE XREF: SdbpCheckRuntimePlatformV2Impl(x,x,x)+47j
		mov	eax, ebx
		shr	eax, 1

loc_A200C0:				; CODE XREF: SdbpCheckRuntimePlatformV2Impl(x,x,x)+66j
					; SdbpCheckRuntimePlatformV2Impl(x,x,x)+6Dj
		and	eax, esi
		jmp	short loc_A200D9
; 

loc_A200C4:				; CODE XREF: SdbpCheckRuntimePlatformV2Impl(x,x,x)+4Dj
					; SdbpCheckRuntimePlatformV2Impl(x,x,x)+52j
		mov	eax, ebx
		shr	eax, 2
		jmp	short loc_A200C0
; 

loc_A200CB:				; CODE XREF: SdbpCheckRuntimePlatformV2Impl(x,x,x)+42j
		mov	eax, ebx
		shr	eax, 3
		jmp	short loc_A200C0
; 

loc_A200D2:				; CODE XREF: SdbpCheckRuntimePlatformV2Impl(x,x,x)+3Dj
		test	bl, 1
		jnz	short loc_A2007D

loc_A200D7:				; CODE XREF: SdbpCheckRuntimePlatformV2Impl(x,x,x)+57j
		xor	eax, eax

loc_A200D9:				; CODE XREF: SdbpCheckRuntimePlatformV2Impl(x,x,x)+5Fj
		test	eax, eax
		jnz	short loc_A2007F

loc_A200DD:				; CODE XREF: SdbpCheckRuntimePlatformV2Impl(x,x,x)+36j
		add	ecx, 8
		cmp	ecx, 18h
		jl	short loc_A2008D
		jmp	short loc_A2007F
_SdbpCheckRuntimePlatformV2Impl@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpGetDeviceDWORD(x, x, x)
_SdbpGetDeviceDWORD@12 proc near	; CODE XREF: SdbpMatchDeviceDWORD(x,x,x,x,x,x)+14p
					; SdbpMatchDeviceDWORD(x,x,x,x,x,x)+2Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	ebx
		mov	edi, ecx
		or	esi, 0FFFFFFFFh
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_A20110
		movzx	eax, bx
		mov	ecx, edi
		push	eax
		call	SdbReadDWORDTag
		mov	esi, eax

loc_A20110:				; CODE XREF: SdbpGetDeviceDWORD(x,x,x)+1Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_SdbpGetDeviceDWORD@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpGetMatchingTextAttributes(x, x,	x, x, x, x, x)
_SdbpGetMatchingTextAttributes@28 proc near
					; CODE XREF: SdbpCheckMatchingText(x,x,x,x,x,x,x)+43p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		mov	eax, edx
		mov	ecx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], eax
		push	edi
		mov	[ecx], esi
		mov	edi, esi
		mov	ecx, [ebp+arg_4]
		push	6001h
		mov	[ecx], esi
		mov	ecx, [ebp+arg_8]
		mov	[ecx], esi
		mov	ecx, [ebp+arg_C]
		mov	[ecx], esi
		mov	ecx, [ebp+arg_10]
		mov	dword ptr [ecx], 2000h
		mov	ecx, ebx
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	short loc_A2017A
		push	offset ??_C@_0CG@JELBPBFJ@Failed?5to?5get?5MATCHING_TEXT?5fil@NNGAKEGL@	; "Failed to get MATCHING_TEXT file path"
		push	6C7h

loc_A20166:				; CODE XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+9Ej
					; SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+BAj ...
		push	offset ??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_A202C5
; 

loc_A2017A:				; CODE XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+41j
		mov	edx, eax
		mov	ecx, ebx
		call	SdbGetStringTagPtr
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_A2029B
		cmp	[eax], si
		jz	loc_A2029B
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	9013h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_A201B9
		push	offset ??_C@_0BN@IOMIMCFC@Failed?5to?5read?5text?5to?5match@NNGAKEGL@
		push	6D6h
		jmp	short loc_A20166
; 

loc_A201B9:				; CODE XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+92j
		mov	edx, eax
		mov	ecx, ebx
		call	SdbGetTagDataSize
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_A201D5
		push	(offset	loc_8C2DF9+5)
		push	6DCh
		jmp	short loc_A20166
; 

loc_A201D5:				; CODE XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+AEj
		push	ecx
		lea	edx, [eax+2]
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A201F3
		push	offset ??_C@_0CI@OJKHAKHB@Failed?5to?5allocate?5memory?5for?5t@NNGAKEGL@
		push	6E2h
		jmp	loc_A20166
; 

loc_A201F3:				; CODE XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+C9j
		push	[ebp+var_8]	; int
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		push	edi		; void *
		call	SdbReadBinaryTag
		test	eax, eax
		jnz	short loc_A20214
		mov	eax, 6E7h
		mov	ecx, offset ??_C@_0CC@MGLCBEGO@Failed?5to?5read?5matching?5text?5bl@NNGAKEGL@
		jmp	loc_A202A5
; 

loc_A20214:				; CODE XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+EAj
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	4053h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	short loc_A20233
		mov	eax, 6F0h
		mov	ecx, offset ??_C@_0BN@CECBNFLP@Failed?5to?5read?5text?5encoding@NNGAKEGL@
		jmp	short loc_A202A5
; 

loc_A20233:				; CODE XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+10Cj
		push	esi
		mov	edx, eax
		mov	ecx, ebx
		call	SdbReadDWORDTag
		mov	[ebp+var_C], eax
		test	eax, eax
		jnz	short loc_A20250
		mov	eax, 6F6h
		mov	ecx, (offset loc_8C2D72+8)
		jmp	short loc_A202A5
; 

loc_A20250:				; CODE XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+129j
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		push	4001h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	ecx, 2000h
		test	eax, eax
		jz	short loc_A20274
		push	ecx
		mov	edx, eax
		mov	ecx, ebx
		call	SdbReadDWORDTag
		mov	ecx, eax

loc_A20274:				; CODE XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+14Dj
		mov	edx, [ebp+arg_0]
		xor	esi, esi
		mov	eax, [ebp+var_10]
		inc	esi
		mov	[edx], eax
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_8]
		mov	[eax], edi
		mov	eax, [ebp+var_8]
		mov	[edx], eax
		mov	edx, [ebp+arg_C]
		mov	eax, [ebp+var_C]
		mov	[edx], eax
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		jmp	short loc_A202C5
; 

loc_A2029B:				; CODE XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+6Fj
					; SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+78j
		mov	eax, 6CDh
		mov	ecx, offset ??_C@_0CH@DKPEDAPC@Failed?5to?5read?5MATCHING_TEXT?5fi@NNGAKEGL@

loc_A202A5:				; CODE XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+F6j
					; SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+118j ...
		push	ecx
		push	eax
		push	offset ??_C@_0BO@OFDLBECN@SdbpGetMatchingTextAttributes@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		test	edi, edi
		jz	short loc_A202C5
		push	74705041h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A202C5:				; CODE XREF: SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+5Cj
					; SdbpGetMatchingTextAttributes(x,x,x,x,x,x,x)+180j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
_SdbpGetMatchingTextAttributes@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpGetRegistryMatchingAttributes(x, x, x, x, x, x,	x, x, x, x)
_SdbpGetRegistryMatchingAttributes@40 proc near
					; CODE XREF: SdbpCheckMatchingRegistry(x,x,x,x,x,x,x)+55p
					; SdbpCheckMatchingWildcardRegistry(x,x,x,x,x,x,x)+55p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		xor	esi, esi
		mov	eax, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], eax
		mov	ecx, [ebp+arg_0]
		mov	ebx, esi
		push	6001h
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], esi
		mov	[ecx], esi
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_14], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_1C], esi
		mov	[ecx], esi
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_20], esi
		mov	[ebp+var_4], esi
		mov	[ecx], esi
		mov	ecx, [ebp+arg_C]
		mov	[ecx], esi
		mov	ecx, [ebp+arg_10]
		mov	[ecx], esi
		mov	ecx, [ebp+arg_14]
		mov	[ecx], esi
		mov	[ecx+4], esi
		mov	ecx, [ebp+arg_18]
		mov	[ecx], esi
		mov	ecx, [ebp+arg_1C]
		mov	[ecx], esi
		mov	ecx, edi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	short loc_A20343
		push	offset ??_C@_0BL@MDKIPEHO@Failed?5to?5get?5key?5path?5tag@NNGAKEGL@
		push	3C5h
		jmp	loc_A20558
; 

loc_A20343:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+64j
		mov	edx, eax
		mov	ecx, edi
		call	SdbGetStringTagPtr
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_A2054E
		cmp	[eax], si
		jz	loc_A2054E
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		push	6030h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_A2037F
		mov	edx, eax
		mov	ecx, edi
		call	SdbGetStringTagPtr
		mov	[ebp+var_C], eax

loc_A2037F:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+A3j
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		push	4051h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_A20420
		push	esi
		mov	edx, eax
		mov	ecx, edi
		call	SdbReadDWORDTag
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A203C3
		push	offset ??_C@_0BK@FFANNGGM@Failed?5to?5read?5value?5type@NNGAKEGL@
		push	3DEh

loc_A203B0:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+13Fj
					; SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+1B7j ...
		push	offset ??_C@_0CC@CENPHDLK@SdbpGetRegistryMatchingAttribut@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		mov	eax, esi
		jmp	loc_A20566
; 

loc_A203C3:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+D6j
		cmp	ebx, 2
		jbe	loc_A204EF
		cmp	ebx, 3
		jz	loc_A20499
		cmp	ebx, 4
		jz	loc_A20468
		cmp	ebx, 7
		jz	loc_A204EF
		cmp	ebx, 0Bh
		jnz	loc_A2053F
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		push	501Bh
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	short loc_A2040F
		push	offset ??_C@_0CH@ENLBMAPM@Failed?5to?5get?5TAG_REG_VALUE_DAT@NNGAKEGL@ ; "Failed to get	TAG_REG_VALUE_DATA_QWORD"
		push	403h
		jmp	short loc_A203B0
; 

loc_A2040F:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+133j
		push	esi
		push	esi
		mov	edx, eax
		mov	ecx, edi
		call	SdbReadQWORDTag
		mov	[ebp+var_14], eax
		mov	[ebp+var_18], edx

loc_A20420:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+C2j
					; SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+1C9j ...
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		mov	ecx, [ebp+var_24]
		inc	eax
		mov	[edx], ecx
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_C]
		mov	[edx], ecx
		mov	ecx, [ebp+arg_8]
		mov	edx, [ebp+arg_10]
		mov	[ecx], ebx
		mov	ecx, [ebp+arg_C]
		mov	[ecx], esi
		mov	ecx, [ebp+var_10]
		mov	[edx], ecx
		mov	ecx, [ebp+arg_14]
		mov	edx, [ebp+var_14]
		mov	[ecx], edx
		mov	edx, [ebp+var_18]
		mov	[ecx+4], edx
		mov	edx, [ebp+arg_18]
		mov	ecx, [ebp+var_1C]
		mov	[edx], ecx
		mov	edx, [ebp+arg_1C]
		mov	ecx, [ebp+var_20]
		mov	[edx], ecx
		jmp	loc_A20569
; 

loc_A20468:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+10Aj
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		push	4052h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	short loc_A2048A
		push	(offset	loc_8C2AE3+1)
		push	3F9h
		jmp	loc_A203B0
; 

loc_A2048A:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+1ABj
		push	esi
		mov	edx, eax
		mov	ecx, edi
		call	SdbReadDWORDTag
		mov	[ebp+var_10], eax
		jmp	short loc_A20420
; 

loc_A20499:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+101j
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		push	9012h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jnz	short loc_A204BE
		push	offset ??_C@_0CI@NHLCACFB@Failed?5to?5get?5TAG_REG_VALUE_DAT@NNGAKEGL@
		push	40Dh
		jmp	loc_A203B0
; 

loc_A204BE:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+1DFj
		mov	edx, eax
		mov	ecx, edi
		call	_SdbGetBinaryTagData@8 ; SdbGetBinaryTagData(x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		jnz	short loc_A204DD
		push	(offset	loc_8C2AC9+1)
		push	413h
		jmp	loc_A203B0
; 

loc_A204DD:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+1FEj
		mov	edx, [ebp+var_20]
		mov	ecx, edi
		call	SdbGetTagDataSize
		mov	[ebp+var_20], eax
		jmp	loc_A20420
; 

loc_A204EF:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+F8j
					; SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+113j
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		push	6031h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jnz	short loc_A20511
		push	(offset	loc_8C2B24+2)
		push	3EBh
		jmp	loc_A203B0
; 

loc_A20511:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+232j
		mov	edx, eax
		mov	ecx, edi
		call	SdbGetStringTagPtr
		mov	esi, eax
		test	esi, esi
		jnz	loc_A20420
		push	(offset	loc_8C2AC9+1)
		push	3F1h
		push	offset ??_C@_0CC@CENPHDLK@SdbpGetRegistryMatchingAttribut@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		mov	eax, [ebp+var_4]
		jmp	short loc_A20566
; 

loc_A2053F:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+11Cj
		push	(offset	loc_8C2A31+1)
		push	41Ah
		jmp	loc_A203B0
; 

loc_A2054E:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+83j
					; SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+8Cj
		push	offset ??_C@_0BI@KFGKGOFP@Failed?5to?5read?5key?5path@NNGAKEGL@
		push	3CBh

loc_A20558:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+70j
		push	offset ??_C@_0CC@CENPHDLK@SdbpGetRegistryMatchingAttribut@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		mov	eax, ebx

loc_A20566:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+F0j
					; SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+26Fj
		add	esp, 10h

loc_A20569:				; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+195j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
_SdbpGetRegistryMatchingAttributes@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpMatchDeviceDWORD(x, x, x, x, x,	x)
_SdbpMatchDeviceDWORD@24 proc near	; CODE XREF: SdbpCheckKObject+8A606p
					; SdbpCheckKObject+8A629p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_4]
		mov	edi, edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_0]
		xor	esi, esi
		call	_SdbpGetDeviceDWORD@12 ; SdbpGetDeviceDWORD(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_A20594
		cmp	eax, edi
		jnz	short loc_A205C3
		jmp	short loc_A205C0
; 

loc_A20594:				; CODE XREF: SdbpMatchDeviceDWORD(x,x,x,x,x,x)+1Cj
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_SdbpGetDeviceDWORD@12 ; SdbpGetDeviceDWORD(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_A205AA
		cmp	eax, edi
		jb	short loc_A205C3

loc_A205AA:				; CODE XREF: SdbpMatchDeviceDWORD(x,x,x,x,x,x)+34j
		push	[ebp+arg_C]
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_SdbpGetDeviceDWORD@12 ; SdbpGetDeviceDWORD(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_A205C0
		cmp	eax, edi
		ja	short loc_A205C3

loc_A205C0:				; CODE XREF: SdbpMatchDeviceDWORD(x,x,x,x,x,x)+22j
					; SdbpMatchDeviceDWORD(x,x,x,x,x,x)+4Aj
		xor	esi, esi
		inc	esi

loc_A205C3:				; CODE XREF: SdbpMatchDeviceDWORD(x,x,x,x,x,x)+20j
					; SdbpMatchDeviceDWORD(x,x,x,x,x,x)+38j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_SdbpMatchDeviceDWORD@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpMatchDeviceString(x, x,	x, x)
_SdbpMatchDeviceString@16 proc near	; CODE XREF: SdbpCheckKObject+8A5CAp
					; SdbpCheckKObject+8A5E3p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_4]
		mov	edi, edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_0]
		xor	esi, esi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_A20608
		mov	edx, eax
		mov	ecx, ebx
		call	SdbGetStringTagPtr
		test	eax, eax
		jz	short loc_A2060B
		test	edi, edi
		jz	short loc_A2060B
		push	edi		; wchar_t *
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A2060B

loc_A20608:				; CODE XREF: SdbpMatchDeviceString(x,x,x,x)+1Cj
		xor	esi, esi
		inc	esi

loc_A2060B:				; CODE XREF: SdbpMatchDeviceString(x,x,x,x)+29j
					; SdbpMatchDeviceString(x,x,x,x)+2Dj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8
_SdbpMatchDeviceString@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpMatchOne(x, x, x, x, x,	x, x)
_SdbpMatchOne@28 proc near		; DATA XREF: .text:00404624o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	esi
		call	_Feature_CompatBuildInVb__private_IsEnabledDeviceUsage@0 ; Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()
		lea	edx, [esp+10h+var_8]
		push	ecx
		push	1
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		test	eax, eax
		jz	short loc_A20683
		and	[esp+28h+var_4], 0
		lea	ecx, [esp+28h+var_4]
		and	[esp+28h+var_8], 0
		call	_SdbpMatchList@32 ; SdbpMatchList(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A20676
		cmp	[esp+10h+var_8], 0
		jnz	short loc_A20676
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_8]
		push	1003h
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	ecx, eax
		neg	ecx
		sbb	ecx, ecx
		inc	ecx
		jmp	short loc_A2067A
; 

loc_A20676:				; CODE XREF: SdbpMatchOne(x,x,x,x,x,x,x)+3Fj
					; SdbpMatchOne(x,x,x,x,x,x,x)+46j
		mov	ecx, [esp+10h+var_4]

loc_A2067A:				; CODE XREF: SdbpMatchOne(x,x,x,x,x,x,x)+5Fj
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	eax, esi
		jmp	short loc_A2068B
; 

loc_A20683:				; CODE XREF: SdbpMatchOne(x,x,x,x,x,x,x)+26j
		mov	ecx, [ebp+arg_0]
		call	_SdbpMatchList@32 ; SdbpMatchList(x,x,x,x,x,x,x,x)

loc_A2068B:				; CODE XREF: SdbpMatchOne(x,x,x,x,x,x,x)+6Cj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	1Ch
_SdbpMatchOne@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SdbFindFirstNamedTag(__int16,int,wchar_t *)
_SdbFindFirstNamedTag@20 proc near	; CODE XREF: SdbpSearchDB+AF77Fp
					; SdbpSearchDB+AF856p ...

var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_4], eax
		mov	edi, ecx
		call	_SdbGetFirstChild@8 ; SdbGetFirstChild(x,x)
		jmp	short loc_A206F2
; 

loc_A206AC:				; CODE XREF: SdbFindFirstNamedTag(x,x,x,x,x)+64j
		mov	edx, esi
		mov	ecx, edi
		call	SdbGetTagFromTagID
		cmp	ax, [ebp+arg_0]
		jnz	short loc_A206E7
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	short loc_A206E7
		mov	edx, eax
		mov	ecx, edi
		call	SdbGetStringTagPtr
		test	eax, eax
		jz	short loc_A206FE
		push	eax		; wchar_t *
		push	[ebp+arg_8]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A206FA

loc_A206E7:				; CODE XREF: SdbFindFirstNamedTag(x,x,x,x,x)+27j
					; SdbFindFirstNamedTag(x,x,x,x,x)+37j
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		push	esi
		call	SdbGetNextChild

loc_A206F2:				; CODE XREF: SdbFindFirstNamedTag(x,x,x,x,x)+18j
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A206AC
		jmp	short loc_A20717
; 

loc_A206FA:				; CODE XREF: SdbFindFirstNamedTag(x,x,x,x,x)+53j
		mov	ebx, esi
		jmp	short loc_A20717
; 

loc_A206FE:				; CODE XREF: SdbFindFirstNamedTag(x,x,x,x,x)+44j
		push	offset ??_C@_0BK@BHKCJLNO@Can?8t?5get?5the?5name?5string@NNGAKEGL@
		push	98h
		push	(offset	loc_8C360A+2)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h

loc_A20717:				; CODE XREF: SdbFindFirstNamedTag(x,x,x,x,x)+66j
					; SdbFindFirstNamedTag(x,x,x,x,x)+6Aj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
_SdbFindFirstNamedTag@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SdbpFindNextNamedTag(int,int,wchar_t *)
_SdbpFindNextNamedTag@20 proc near	; CODE XREF: SdbpSearchDB+AF7E1p
					; SdbpSearchDB+AF8B5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	edx, [ebp+arg_0]
		push	edi
		mov	[ebp+var_8], esi
		mov	edi, ecx
		call	SdbGetTagFromTagID
		push	[ebp+arg_0]
		movzx	ebx, ax
		mov	[ebp+var_4], ebx
		test	bx, bx
		jnz	short loc_A20764
		push	(offset	loc_8C3524+4)
		push	0C6h
		push	offset ??_C@_0BF@FGMJDGGO@SdbpFindNextNamedTag@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		xor	eax, eax
		jmp	short loc_A207D8
; 

loc_A20764:				; CODE XREF: SdbpFindNextNamedTag(x,x,x,x,x)+25j
		mov	edx, esi
		jmp	short loc_A207AB
; 

loc_A20768:				; CODE XREF: SdbpFindNextNamedTag(x,x,x,x,x)+96j
		mov	edx, esi
		mov	ecx, edi
		call	SdbGetTagFromTagID
		cmp	ax, bx
		jnz	short loc_A207A7
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, edi
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A207A4
		mov	edx, ebx
		mov	ecx, edi
		call	SdbGetStringTagPtr
		test	eax, eax
		jz	short loc_A207BA
		push	eax		; wchar_t *
		push	[ebp+arg_8]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A207D6

loc_A207A4:				; CODE XREF: SdbpFindNextNamedTag(x,x,x,x,x)+66j
		mov	ebx, [ebp+var_4]

loc_A207A7:				; CODE XREF: SdbpFindNextNamedTag(x,x,x,x,x)+54j
		mov	edx, [ebp+var_8]
		push	esi

loc_A207AB:				; CODE XREF: SdbpFindNextNamedTag(x,x,x,x,x)+46j
		mov	ecx, edi
		call	SdbGetNextChild
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A20768
		jmp	short loc_A207D4
; 

loc_A207BA:				; CODE XREF: SdbpFindNextNamedTag(x,x,x,x,x)+73j
		push	ebx
		push	offset ??_C@_0CG@ILCHFAAO@Can?8t?5get?5the?5name?5string?5tagid@NNGAKEGL@
		push	0D7h
		push	offset ??_C@_0BF@FGMJDGGO@SdbpFindNextNamedTag@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A207D4:				; CODE XREF: SdbpFindNextNamedTag(x,x,x,x,x)+98j
		xor	esi, esi

loc_A207D6:				; CODE XREF: SdbpFindNextNamedTag(x,x,x,x,x)+82j
		mov	eax, esi

loc_A207D8:				; CODE XREF: SdbpFindNextNamedTag(x,x,x,x,x)+42j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_SdbpFindNextNamedTag@20 endp


;  S U B	R O U T	I N E 


; __stdcall SdbGetBinaryTagData(x, x)
_SdbGetBinaryTagData@8 proc near	; CODE XREF: SdbpGetRegistryMatchingAttributes(x,x,x,x,x,x,x,x,x,x)+1F4p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	SdbGetTagFromTagID
		mov	ecx, 0F000h
		mov	edx, esi
		and	ax, cx
		mov	ecx, 9000h
		cmp	ax, cx
		mov	ecx, edi
		jz	short loc_A2082A
		call	SdbGetTagFromTagID
		movzx	eax, ax
		push	eax
		push	esi
		push	(offset	loc_8C39D7+1)
		push	3B4h
		push	offset ??_C@_0BE@GHDFKEEC@SdbGetBinaryTagData@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		xor	eax, eax
		pop	edi
		pop	esi
		retn
; 

loc_A2082A:				; CODE XREF: SdbGetBinaryTagData(x,x)+21j
		pop	edi
		pop	esi
		jmp	SdbpGetMappedTagData
_SdbGetBinaryTagData@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SdbReadGUIDTag(void *,int,int,int,int)
_SdbReadGUIDTag@24 proc	near		; CODE XREF: KsepDbGetDriverShimsInternal+AFCD8p
					; KsepDbGetShimInfo(x,x)+D3p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		push	10h		; int
		push	[ebp+arg_0]	; void *
		stosd
		stosd
		stosd
		stosd
		call	SdbReadBinaryTag
		test	eax, eax
		jnz	short loc_A20873
		push	esi
		push	(offset	loc_8C3675+1)
		push	0A7h
		push	(offset	loc_8C3689+1)
		push	1
		call	AslLogCallPrintf
		mov	edi, [ebp+arg_0]
		lea	esi, [ebp+arg_4]
		add	esp, 10h
		movsd
		movsd
		movsd
		movsd
		pop	esi

loc_A20873:				; CODE XREF: SdbReadGUIDTag(x,x,x,x,x,x)+1Bj
		mov	eax, [ebp+arg_0]
		pop	edi
		pop	ebp
		retn	14h
_SdbReadGUIDTag@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	SdbpGetProcessHistory(void *)
_SdbpGetProcessHistory@12 proc near	; CODE XREF: SdbpInitializeSearchDBContext+91F50p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	eax, edx
		mov	[ebp+var_8], ecx
		push	esi
		mov	esi, eax
		mov	[ebp+var_14], eax
		xor	edx, edx
		push	edi
		mov	[ebp+var_4], edx
		lea	edi, [esi+2]

loc_A20898:				; CODE XREF: SdbpGetProcessHistory(x,x,x)+26j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_A20898
		mov	ebx, [ebp+arg_0]
		sub	esi, edi
		sar	esi, 1
		lea	ecx, [ebx+2]

loc_A208AD:				; CODE XREF: SdbpGetProcessHistory(x,x,x)+3Bj
		mov	ax, [ebx]
		add	ebx, 2
		cmp	ax, dx
		jnz	short loc_A208AD
		lea	eax, [ebp+var_4]
		sub	ebx, ecx
		mov	ecx, [ebp+var_8]
		push	eax		; int
		push	edx		; int
		push	edx		; void *
		push	11h		; int
		mov	edx, offset ??_C@_1CE@DAGHINBE@?$AA_?$AA_?$AAP?$AAR?$AAO?$AAC?$AAE?$AAS?$AAS?$AA_?$AAH?$AAI?$AAS?$AAT?$AAO@NNGAKEGL@
		sar	ebx, 1
		call	AslEnvVarQuery
		mov	[ebp+var_10], eax
		cmp	eax, 0C0000023h
		jnz	short loc_A208EB
		mov	ecx, [ebp+var_4]
		add	ecx, ebx
		add	ecx, esi
		lea	edx, ds:4[ecx*2]
		jmp	short loc_A208F5
; 

loc_A208EB:				; CODE XREF: SdbpGetProcessHistory(x,x,x)+5Ej
		lea	eax, [ebx+esi]
		lea	edx, ds:2[eax*2]

loc_A208F5:				; CODE XREF: SdbpGetProcessHistory(x,x,x)+6Ej
		push	ecx
		mov	[ebp+var_4], edx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	[ebp+var_C], eax
		mov	edi, eax
		test	eax, eax
		jnz	short loc_A20924
		push	offset ??_C@_0CK@DJJDHFIA@Unable?5to?5allocate?5process?5hist@NNGAKEGL@
		push	8CCh
		push	offset ??_C@_0BG@JPAHFGJG@SdbpGetProcessHistory@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		xor	eax, eax
		jmp	short loc_A20996
; 

loc_A20924:				; CODE XREF: SdbpGetProcessHistory(x,x,x)+8Aj
		xor	ecx, ecx
		cmp	[ebp+var_10], 0C0000023h
		mov	[eax], cx
		jnz	short loc_A2096F
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_4]
		push	edx		; int
		mov	[ebp+var_4], ecx
		mov	edx, offset ??_C@_1CE@DAGHINBE@?$AA_?$AA_?$AAP?$AAR?$AAO?$AAC?$AAE?$AAS?$AAS?$AA_?$AAH?$AAI?$AAS?$AAT?$AAO@NNGAKEGL@
		shr	ecx, 1
		push	ecx		; int
		mov	ecx, [ebp+var_8]
		push	eax		; void *
		push	11h		; int
		call	AslEnvVarQuery
		test	eax, eax
		js	short loc_A2096F
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_4]
		push	3Bh
		lea	eax, [ecx+eax*2]
		lea	edi, [eax-2]
		pop	ecx
		cmp	[edi], cx
		jz	short loc_A2096C
		mov	edi, eax
		mov	[edi], cx

loc_A2096C:				; CODE XREF: SdbpGetProcessHistory(x,x,x)+EAj
		add	edi, 2

loc_A2096F:				; CODE XREF: SdbpGetProcessHistory(x,x,x)+B5j
					; SdbpGetProcessHistory(x,x,x)+D6j
		add	esi, esi
		push	esi		; size_t
		push	[ebp+var_14]	; void *
		push	edi		; void *
		call	_memmove
		add	edi, esi
		lea	esi, [ebx+ebx]
		push	esi		; size_t
		push	[ebp+arg_0]	; void *
		push	edi		; void *
		call	_memmove
		add	esp, 18h
		xor	eax, eax
		mov	[esi+edi], ax
		mov	eax, [ebp+var_C]

loc_A20996:				; CODE XREF: SdbpGetProcessHistory(x,x,x)+A7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SdbpGetProcessHistory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbGuestHostArchsToRuntimePlatformFlag(x, x)
_SdbGuestHostArchsToRuntimePlatformFlag@8 proc near
					; CODE XREF: SdbGuestTargetPlatformFlagsToRuntimePlatformFlags(x)+62p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	si, cx
		mov	ecx, 0FFFFh
		cmp	si, cx
		jz	short loc_A209F0
		mov	[ebp+var_4], ecx
		test	edx, edx
		jz	short loc_A209C5
		movzx	eax, word ptr [edx]
		mov	edx, eax
		mov	[ebp+var_4], edx
		cmp	ax, cx
		jnz	short loc_A209F8

loc_A209C5:				; CODE XREF: SdbGuestHostArchsToRuntimePlatformFlag(x,x)+19j
		sub	esp, 0Ch
		lea	ecx, [ebp+var_4]
		xor	edx, edx
		call	AslEnvGetProcessWowInfo
		test	eax, eax
		jns	short loc_A209F5
		push	eax
		push	offset ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@
		push	0F9h
		push	offset ??_C@_0CH@COPFLLI@SdbGuestHostArchsToRuntimePlatf@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A209F0:				; CODE XREF: SdbGuestHostArchsToRuntimePlatformFlag(x,x)+12j
					; SdbGuestHostArchsToRuntimePlatformFlag(x,x)+76j
		xor	eax, eax

loc_A209F2:				; CODE XREF: SdbGuestHostArchsToRuntimePlatformFlag(x,x)+81j
		pop	esi
		leave
		retn
; 

loc_A209F5:				; CODE XREF: SdbGuestHostArchsToRuntimePlatformFlag(x,x)+37j
		mov	edx, [ebp+var_4]

loc_A209F8:				; CODE XREF: SdbGuestHostArchsToRuntimePlatformFlag(x,x)+26j
		xor	eax, eax
		mov	ecx, offset word_42E9E6

loc_A209FF:				; CODE XREF: SdbGuestHostArchsToRuntimePlatformFlag(x,x)+74j
		cmp	si, [ecx-2]
		jnz	short loc_A20A0A
		cmp	dx, [ecx]
		jz	short loc_A20A15

loc_A20A0A:				; CODE XREF: SdbGuestHostArchsToRuntimePlatformFlag(x,x)+66j
		inc	eax
		add	ecx, 10h
		cmp	eax, 8
		jb	short loc_A209FF
		jmp	short loc_A209F0
; 

loc_A20A15:				; CODE XREF: SdbGuestHostArchsToRuntimePlatformFlag(x,x)+6Bj
		shl	eax, 4
		mov	eax, ds:dword_42E9E8[eax]
		jmp	short loc_A209F2
_SdbGuestHostArchsToRuntimePlatformFlag@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbGuestTargetPlatformFlagsToRuntimePlatformFlags(x)
_SdbGuestTargetPlatformFlagsToRuntimePlatformFlags@4 proc near
					; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+116p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		sub	esp, 0Ch
		lea	ecx, [ebp+var_4]
		xor	edi, edi
		xor	edx, edx
		mov	[ebp+var_4], edi
		call	AslEnvGetProcessWowInfo
		test	eax, eax
		jns	short loc_A20A59
		push	eax
		push	offset ??_C@_0EA@NDEIOECD@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@
		push	146h
		push	offset ??_C@_0DC@EODMJGNB@SdbGuestTargetPlatformFlagsToRu@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A20A92
; 

loc_A20A59:				; CODE XREF: SdbGuestTargetPlatformFlagsToRuntimePlatformFlags(x)+1Bj
		push	esi
		mov	esi, edi

loc_A20A5C:				; CODE XREF: SdbGuestTargetPlatformFlagsToRuntimePlatformFlags(x)+6Fj
		test	ds:byte_42EA68[esi], 1Fh
		jz	short loc_A20A89
		mov	dx, ds:word_42EA64[esi]
		lea	ecx, [ebp+var_4]
		call	_AslEnvVerifyGuestProcessorSupport@8 ; AslEnvVerifyGuestProcessorSupport(x,x)
		test	eax, eax
		js	short loc_A20A89
		mov	cx, ds:word_42EA64[esi]
		lea	edx, [ebp+var_4]
		call	_SdbGuestHostArchsToRuntimePlatformFlag@8 ; SdbGuestHostArchsToRuntimePlatformFlag(x,x)
		or	edi, eax

loc_A20A89:				; CODE XREF: SdbGuestTargetPlatformFlagsToRuntimePlatformFlags(x)+43j
					; SdbGuestTargetPlatformFlagsToRuntimePlatformFlags(x)+56j
		add	esi, 0Ch
		cmp	esi, 3Ch
		jb	short loc_A20A5C
		pop	esi

loc_A20A92:				; CODE XREF: SdbGuestTargetPlatformFlagsToRuntimePlatformFlags(x)+37j
		mov	eax, edi
		pop	edi
		leave
		retn
_SdbGuestTargetPlatformFlagsToRuntimePlatformFlags@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCloseLocalDatabaseEx(x,	x, x)
_SdbpCloseLocalDatabaseEx@12 proc near	; CODE XREF: SdbpCleanupLocalDatabaseSupport+AF369p
					; SdbpCleanupLocalDatabaseSupport+AF37Dp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		push	edi
		cmp	ebx, 10h
		jnb	short loc_A20AEC
		xor	eax, eax
		mov	ecx, ebx
		inc	eax
		shl	eax, cl
		test	[esi+10h], eax
		jz	short loc_A20AEC
		imul	eax, ebx, 18h
		lea	edi, [esi+14h]
		add	edi, eax
		test	byte ptr [edi+14h], 2
		jz	short loc_A20ACF
		mov	ecx, [edi+10h]
		test	ecx, ecx
		jz	short loc_A20ACF
		call	SdbCloseDatabaseRead

loc_A20ACF:				; CODE XREF: SdbpCloseLocalDatabaseEx(x,x,x)+2Aj
					; SdbpCloseLocalDatabaseEx(x,x,x)+31j
		push	6
		xor	eax, eax
		pop	ecx
		rep stosd
		mov	ecx, [esi+10h]
		btr	ecx, ebx
		mov	[esi+10h], ecx
		cmp	ebx, 1
		jnz	short loc_A20AE7
		and	[esi+8], eax

loc_A20AE7:				; CODE XREF: SdbpCloseLocalDatabaseEx(x,x,x)+4Bj
		xor	eax, eax
		inc	eax
		jmp	short loc_A20AEE
; 

loc_A20AEC:				; CODE XREF: SdbpCloseLocalDatabaseEx(x,x,x)+10j
					; SdbpCloseLocalDatabaseEx(x,x,x)+1Cj
		xor	eax, eax

loc_A20AEE:				; CODE XREF: SdbpCloseLocalDatabaseEx(x,x,x)+53j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_SdbpCloseLocalDatabaseEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpOpenLocalDatabaseEx(x, x, x, x,	x)
_SdbpOpenLocalDatabaseEx@20 proc near	; CODE XREF: SdbTagRefToTagID+8453Bp

var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_214		= dword	ptr -214h
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 240h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[ebp+var_23C], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_224]
		mov	[ebp+var_230], edx
		stosd
		mov	esi, ecx
		mov	ecx, [ebp+arg_8]
		mov	[ebp+var_234], esi
		mov	[ebp+var_238], ecx
		stosd
		mov	ebx, [ecx]
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_228], eax
		mov	[ebp+var_22C], eax
		test	ebx, 0F0000000h
		jz	short loc_A20B54
		shr	ebx, 1Ch

loc_A20B54:				; CODE XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+5Aj
		push	ebx
		cmp	ebx, 10h
		jb	short loc_A20B69
		push	offset ??_C@_0BA@FCOGLIBF@Bad?5index?50x?$CFlx@NNGAKEGL@
		push	3FBh
		jmp	loc_A20C89
; 

loc_A20B69:				; CODE XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+63j
		mov	ecx, esi
		call	_SdbpCloseLocalDatabaseEx@12 ; SdbpCloseLocalDatabaseEx(x,x,x)
		mov	edx, [ebp+var_230] ; void *
		lea	eax, [ebp+var_214]
		push	ecx		; int
		push	eax		; int
		lea	eax, [ebp+var_22C]
		mov	ecx, esi	; int
		push	eax		; int
		lea	eax, [ebp+var_228]
		push	eax		; int
		call	_SdbResolveDatabaseEx@24 ; SdbResolveDatabaseEx(x,x,x,x,x,x)
		test	eax, eax
		jz	loc_A20C7E
		cmp	eax, 104h
		jnb	loc_A20C7E
		mov	eax, 7FFFh
		cmp	[esi+1A8h], ax
		jz	short loc_A20BDF
		mov	eax, [esi+194h]
		test	[ebp+var_22C], eax
		jnz	short loc_A20BDF
		lea	eax, [ebp+var_214]
		push	eax
		push	(offset	loc_8C3B47+1)
		push	432h
		push	offset ??_C@_0BI@JKJMGENA@SdbpOpenLocalDatabaseEx@NNGAKEGL@
		push	3
		jmp	loc_A20C90
; 

loc_A20BDF:				; CODE XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+BDj
					; SdbpOpenLocalDatabaseEx(x,x,x,x,x)+CBj
		push	ecx
		push	ecx
		lea	ecx, [ebp+var_214]
		call	_SdbOpenDatabaseEx@16 ;	SdbOpenDatabaseEx(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_A20C10
		push	offset ??_C@_0BI@GIECIBFC@Failed?5to?5open?5database@NNGAKEGL@
		push	442h
		push	offset ??_C@_0BI@JKJMGENA@SdbpOpenLocalDatabaseEx@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_A20C98
; 

loc_A20C10:				; CODE XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+FBj
		imul	edx, ebx, 18h
		lea	edi, [esi+14h]
		add	edi, edx
		mov	[ebp+var_228], edx
		mov	[edx+esi+24h], ecx
		mov	dword ptr [edx+esi+28h], 2
		xor	edx, edx
		mov	eax, [esi+10h]
		inc	edx
		bts	eax, ebx
		mov	[esi+10h], eax
		mov	eax, [ebp+var_230]
		test	eax, eax
		jz	short loc_A20C58
		mov	esi, eax
		mov	eax, [ebp+var_228]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_234]
		or	[eax+esi+28h], edx
		jmp	short loc_A20C5E
; 

loc_A20C58:				; CODE XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+149j
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd

loc_A20C5E:				; CODE XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+161j
		cmp	ebx, edx
		jnz	short loc_A20C65
		mov	[esi+8], ecx

loc_A20C65:				; CODE XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+16Bj
		mov	eax, [ebp+var_238]
		shl	ebx, 1Ch
		mov	[eax], ebx
		mov	eax, [ebp+var_23C]
		test	eax, eax
		jz	short loc_A20C9A
		mov	[eax], ecx
		jmp	short loc_A20C9A
; 

loc_A20C7E:				; CODE XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+A0j
					; SdbpOpenLocalDatabaseEx(x,x,x,x,x)+ABj
		push	eax
		push	offset ??_C@_0DC@EIBCFMBP@Cannot?5resolve?5database?0?5the?5pa@NNGAKEGL@
		push	41Dh

loc_A20C89:				; CODE XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+6Fj
		push	offset ??_C@_0BI@JKJMGENA@SdbpOpenLocalDatabaseEx@NNGAKEGL@
		push	1

loc_A20C90:				; CODE XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+E5j
		call	AslLogCallPrintf
		add	esp, 14h

loc_A20C98:				; CODE XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+116j
		xor	edx, edx

loc_A20C9A:				; CODE XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+183j
					; SdbpOpenLocalDatabaseEx(x,x,x,x,x)+187j
		mov	ecx, [ebp+var_8]
		mov	eax, edx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_SdbpOpenLocalDatabaseEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbGetPathCustomSdb(x, x, x, x)
_SdbGetPathCustomSdb@16	proc near	; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+261p

var_5C		= dword	ptr -5Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		lea	eax, [ebp+var_5C]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	56h		; size_t
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	short loc_A20D09
		push	esi
		lea	ecx, [ebp+var_5C]
		call	_SdbpGetCustomSdbFileName@12 ; SdbpGetCustomSdbFileName(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A20D09
		push	esi
		push	(offset	loc_8C3F1F+3)
		push	5F8h

loc_A20CF8:				; CODE XREF: SdbGetPathCustomSdb(x,x,x,x)+7Cj
		push	offset ??_C@_0BE@MNHDHJED@SdbGetPathCustomSdb@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A20D2D
; 

loc_A20D09:				; CODE XREF: SdbGetPathCustomSdb(x,x,x,x)+2Fj
					; SdbGetPathCustomSdb(x,x,x,x)+3Ej
		push	ebx
		lea	eax, [ebp+var_5C]
		push	eax
		push	ecx
		push	7
		mov	ecx, edi
		call	_SdbpGetSystemSdbFilePath@24 ; SdbpGetSystemSdbFilePath(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A20D2B
		push	esi
		push	(offset	loc_8C3E63+1)
		push	604h
		jmp	short loc_A20CF8
; 

loc_A20D2B:				; CODE XREF: SdbGetPathCustomSdb(x,x,x,x)+6Fj
		xor	esi, esi

loc_A20D2D:				; CODE XREF: SdbGetPathCustomSdb(x,x,x,x)+5Aj
		mov	ecx, [ebp+var_4]
		not	esi
		shr	esi, 1Fh
		xor	ecx, ebp
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_SdbGetPathCustomSdb@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall SdbResolveDatabaseEx(int,void *,int,int,int,int)
_SdbResolveDatabaseEx@24 proc near	; CODE XREF: SdbpOpenLocalDatabaseEx(x,x,x,x,x)+99p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], edx
		push	edi
		mov	edi, [ebp+arg_8]
		xor	eax, eax
		mov	[ebp+var_14], ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		test	edi, edi
		jz	loc_A2100E
		mov	[edi], ax
		mov	ebx, esi
		mov	eax, offset off_6B37B8
		mov	[ebp+arg_8], eax

loc_A20D8A:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+66j
		push	10h		; size_t
		push	edx		; void *
		push	dword ptr [eax]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A20DDF
		mov	eax, [ebp+arg_8]
		inc	ebx
		mov	edx, [ebp+var_C]
		add	eax, 10h
		mov	[ebp+arg_8], eax
		cmp	ebx, 3
		jb	short loc_A20D8A

loc_A20DAD:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+B7j
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_28]
		call	_AslGuidToString_UStr@8	; AslGuidToString_UStr(x,x)
		test	eax, eax
		jns	loc_A20E74
		push	eax
		push	offset ??_C@_0CG@CEIAABEP@Failed?5to?5convert?5guid?5to?5strin@NNGAKEGL@
		push	7D4h

loc_A20DCB:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+153j
		push	(offset	loc_8C40DC+6)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A20FDE
; 

loc_A20DDF:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+54j
		shl	ebx, 4
		mov	eax, dword_6B37BC[ebx]
		mov	ecx, dword_6B37C4[ebx]
		mov	ebx, dword_6B37C0[ebx]
		mov	[ebp+arg_8], eax
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jz	short loc_A20DAD
		mov	eax, [ebp+var_14]
		add	eax, 1A8h
		push	eax
		push	esi
		push	ecx
		push	ecx
		mov	ecx, edi
		call	_SdbpGetSystemSdbFilePath@24 ; SdbpGetSystemSdbFilePath(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A20E2B
		lea	ecx, [edi+2]

loc_A20E18:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+DCj
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, si
		jnz	short loc_A20E18
		mov	esi, edi
		sub	esi, ecx
		sar	esi, 1
		jmp	short loc_A20E44
; 

loc_A20E2B:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+CEj
		push	(offset	loc_8C40C5+1)
		push	7BDh
		push	(offset	loc_8C40DC+6)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h

loc_A20E44:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+E4j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A20E50
		mov	ecx, [ebp+arg_8]
		mov	[eax], ecx

loc_A20E50:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+104j
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_A2100C
		call	_SdbGuestTargetPlatformFlagsToRuntimePlatformFlags@4 ; SdbGuestTargetPlatformFlagsToRuntimePlatformFlags(x)
		mov	[edi], eax
		test	ebx, ebx
		jz	loc_A2100C
		and	eax, 1Bh
		mov	[edi], eax
		jmp	loc_A2100C
; 

loc_A20E74:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+75j
		movzx	ebx, word ptr [ebp+var_28]
		add	ebx, 0B8h
		push	ecx
		mov	edx, ebx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jnz	short loc_A20E9D
		push	ebx
		push	(offset	loc_8C409B+1)
		push	7E9h
		jmp	loc_A20DCB
; 

loc_A20E9D:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+146j
		mov	[ebp+var_1C], eax
		xor	eax, eax
		mov	word ptr [ebp+var_20], ax
		lea	eax, [ebp+var_20]
		push	(offset	loc_8C3FA1+1) ;	void *
		push	eax		; int
		mov	word ptr [ebp+var_20+2], bx
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@ ; void	*
		lea	eax, [ebp+var_20]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		lea	eax, [ebp+var_20]
		mov	[ebp+var_40], 18h
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_40]
		push	eax
		push	80000100h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_3C], esi
		push	eax
		mov	[ebp+var_34], 240h
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	short loc_A20F28
		push	eax
		push	[ebp+var_1C]
		push	offset ??_C@_0BO@OHGFJCDI@Failed?5to?5open?5Key?5?$CC?$CFws?$CC?5?$FL?$CFx?$FN@NNGAKEGL@ ; "Failed to open Key \"%ws\" [%x]"
		push	7F9h
		push	(offset	loc_8C40DC+6)
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	loc_A20FDE
; 

loc_A20F28:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+1BFj
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	short loc_A20F6B
		mov	edx, [ebp+var_4]
		lea	ecx, [ebp+var_8]
		push	offset _g_ustrDatabaseType
		call	_AslRegistryGetUInt32_UStr@12 ;	AslRegistryGetUInt32_UStr(x,x,x)
		test	eax, eax
		jns	short loc_A20F61
		push	eax
		push	offset ??_C@_0CB@HAJBCKAO@Failed?5to?5get?5database?5type?5?$FL?$CFx@NNGAKEGL@
		push	805h

loc_A20F4E:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+24Cj
		push	(offset	loc_8C40DC+6)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		mov	[ebx], esi
		jmp	short loc_A20FDE
; 

loc_A20F61:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+1FCj
		mov	eax, [ebp+var_8]
		and	eax, 7FFFFFFFh
		mov	[ebx], eax

loc_A20F6B:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+1E8j
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_A20F98
		mov	edx, [ebp+var_4]
		lea	ecx, [ebp+var_10]
		push	offset _g_ustrRuntimePlatform
		call	_AslRegistryGetUInt32_UStr@12 ;	AslRegistryGetUInt32_UStr(x,x,x)
		test	eax, eax
		jns	short loc_A20F93
		push	eax
		push	offset ??_C@_0CE@HLHNCJNF@Failed?5to?5get?5runtime?5platform?5@NNGAKEGL@
		push	815h
		jmp	short loc_A20F4E
; 

loc_A20F93:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+23Fj
		mov	eax, [ebp+var_10]
		mov	[ebx], eax

loc_A20F98:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+22Bj
		mov	eax, [ebp+var_14]
		mov	ecx, edi
		add	eax, 1A8h
		push	eax
		push	[ebp+var_C]
		call	_SdbGetPathCustomSdb@16	; SdbGetPathCustomSdb(x,x,x,x)
		test	eax, eax
		jnz	short loc_A20FCA
		push	offset ??_C@_0DF@OGEFBPKL@SdbGetPathCustomSdb?5failed?5to?5g@NNGAKEGL@
		push	81Eh
		push	(offset	loc_8C40DC+6)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_A20FDE
; 

loc_A20FCA:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+268j
		lea	ecx, [edi+2]

loc_A20FCD:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+291j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, si
		jnz	short loc_A20FCD
		mov	esi, edi
		sub	esi, ecx
		sar	esi, 1

loc_A20FDE:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+95j
					; SdbResolveDatabaseEx(x,x,x,x,x,x)+1DEj ...
		cmp	[ebp+var_4], 0
		jz	short loc_A20FEC
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A20FEC:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+29Dj
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_A20FFE
		push	74705041h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A20FFE:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+2ACj
		cmp	[ebp+var_24], 0
		jz	short loc_A2100C
		lea	ecx, [ebp+var_28]
		call	_AslUnicodeStringFree@4	; AslUnicodeStringFree(x)

loc_A2100C:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+110j
					; SdbResolveDatabaseEx(x,x,x,x,x,x)+11Fj ...
		mov	eax, esi

loc_A2100E:				; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+32j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_SdbResolveDatabaseEx@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpGetCustomSdbFileName(x,	x, x)
_SdbpGetCustomSdbFileName@12 proc near	; CODE XREF: SdbGetPathCustomSdb(x,x,x,x)+35p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	[ebp+arg_0]	; int
		mov	edi, ecx
		xor	eax, eax
		push	2Bh
		pop	edx
		mov	[edi], ax
		call	AslGuidToString
		mov	esi, eax
		test	esi, esi
		jns	short loc_A21050
		push	esi
		push	offset ??_C@_0BM@KAMLNOAN@AslGuidToString?5failed?5?$FL?$CFx?$FN@NNGAKEGL@ ; "AslGuidToString failed [%x]"
		push	32Bh

loc_A2103F:				; CODE XREF: SdbpGetCustomSdbFileName(x,x,x)+5Bj
		push	offset ??_C@_0BJ@GFHGNMMI@SdbpGetCustomSdbFileName@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A21074
; 

loc_A21050:				; CODE XREF: SdbpGetCustomSdbFileName(x,x,x)+1Dj
		push	offset ??_C@_19GNHEEAFN@?$AA?4?$AAs?$AAd?$AAb@NNGAKEGL@
		push	2Bh
		pop	edx
		mov	ecx, edi
		call	_RtlStringCchCatW@12 ; RtlStringCchCatW(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A21072
		push	esi
		push	offset ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	331h
		jmp	short loc_A2103F
; 

loc_A21072:				; CODE XREF: SdbpGetCustomSdbFileName(x,x,x)+4Ej
		xor	esi, esi

loc_A21074:				; CODE XREF: SdbpGetCustomSdbFileName(x,x,x)+39j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_SdbpGetCustomSdbFileName@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpGetPathAppPatch(x, x, x, x)
_SdbpGetPathAppPatch@16	proc near	; CODE XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+129p
					; SdbpGetPathCustomSdbPreRS3(x,x,x,x)+109p ...

var_220		= dword	ptr -220h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 220h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_4], 0Ah
		mov	edx, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	5
		pop	ecx
		mov	esi, offset ??_C@_1BE@MMECJMEH@?$AA?2?$AAA?$AAp?$AAp?$AAP?$AAa?$AAt?$AAc?$AAh@NNGAKEGL@
		lea	edi, [ebp+var_18]
		rep movsd
		jnb	short loc_A210B4
		mov	eax, 0C0000023h
		jmp	short loc_A21123
; 

loc_A210B4:				; CODE XREF: SdbpGetPathAppPatch(x,x,x,x)+2Fj
		xor	eax, eax
		mov	word ptr [ebp+var_220],	ax
		mov	[ebx], ax
		test	edx, edx
		jnz	short loc_A210C9
		mov	edx, offset ??_C@_11LOCGONAA@@NNGAKEGL@

loc_A210C9:				; CODE XREF: SdbpGetPathAppPatch(x,x,x,x)+46j
		push	104h
		lea	eax, [ebp+var_220]
		push	eax
		lea	ecx, [ebp+var_18]
		call	_AslPathCombine@16 ; AslPathCombine(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A210F0
		push	esi
		push	offset ??_C@_0BL@IPDIPDIN@AslPathCombine?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	3ABh
		jmp	short loc_A21112
; 

loc_A210F0:				; CODE XREF: SdbpGetPathAppPatch(x,x,x,x)+65j
		mov	edx, [ebp+arg_4] ; int
		lea	eax, [ebp+var_220]
		push	eax		; int
		mov	ecx, ebx	; void *
		call	_AslPathToSystemPathBuf@12 ; AslPathToSystemPathBuf(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A21121
		push	esi
		push	offset ??_C@_0CD@JEFPKOCA@AslPathToSystemPathBuf?5failed?5?$FL@NNGAKEGL@
		push	3B1h

loc_A21112:				; CODE XREF: SdbpGetPathAppPatch(x,x,x,x)+72j
		push	offset ??_C@_0BE@MLFMMAEH@SdbpGetPathAppPatch@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A21121:				; CODE XREF: SdbpGetPathAppPatch(x,x,x,x)+89j
		mov	eax, esi

loc_A21123:				; CODE XREF: SdbpGetPathAppPatch(x,x,x,x)+36j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_SdbpGetPathAppPatch@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpGetPathAppraiser(x, x, x, x)
_SdbpGetPathAppraiser@16 proc near	; DATA XREF: .text:00404EF8o
					; .text:00404EFCo

var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 230h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_4], 0Bh
		push	ebx
		push	esi
		push	edi
		mov	eax, [ebp+arg_C]
		lea	edi, [ebp+var_1C]
		push	5
		mov	ebx, [ebp+arg_0]
		mov	esi, offset ??_C@_1BG@KDDEGGCL@?$AA?2?$AAa?$AAp?$AAp?$AAr?$AAa?$AAi?$AAs?$AAe?$AAr@NNGAKEGL@
		mov	edx, [ebp+arg_8]
		pop	ecx
		rep movsd
		mov	[ebp+var_230], eax
		movsw
		jnb	short loc_A2117A
		mov	eax, 0C0000023h
		jmp	loc_A21222
; 

loc_A2117A:				; CODE XREF: SdbpGetPathAppraiser(x,x,x,x)+3Aj
		xor	eax, eax
		mov	[ebx], ax
		mov	word ptr [ebp+var_224],	ax
		mov	eax, 0FFFFh
		mov	[ebp+var_22C], eax
		mov	[ebp+var_228], eax
		test	edx, edx
		jnz	short loc_A211A0
		mov	edx, offset ??_C@_11LOCGONAA@@NNGAKEGL@

loc_A211A0:				; CODE XREF: SdbpGetPathAppraiser(x,x,x,x)+65j
		push	104h
		lea	eax, [ebp+var_224]
		push	eax
		lea	ecx, [ebp+var_1C]
		call	_AslPathCombine@16 ; AslPathCombine(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A211D6
		push	esi
		push	offset ??_C@_0BL@IPDIPDIN@AslPathCombine?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	4BBh

loc_A211C5:				; CODE XREF: SdbpGetPathAppraiser(x,x,x,x)+CAj
		push	(offset	loc_8C3ED4+2)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A21220
; 

loc_A211D6:				; CODE XREF: SdbpGetPathAppraiser(x,x,x,x)+84j
		push	[ebp+var_230]
		lea	edx, [ebp+var_228]
		lea	ecx, [ebp+var_22C]
		call	_SdbpGetProcessHostGuestArchitectures@12 ; SdbpGetProcessHostGuestArchitectures(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A21200
		push	esi
		push	offset ??_C@_0DB@LPCMCBIC@SdbpGetProcessHostGuestArchitec@NNGAKEGL@
		push	4C1h
		jmp	short loc_A211C5
; 

loc_A21200:				; CODE XREF: SdbpGetPathAppraiser(x,x,x,x)+BDj
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_228]
		push	eax
		push	[ebp+var_22C]
		lea	eax, [ebp+var_224]
		mov	ecx, ebx
		push	eax
		call	_AslEnvGetSysNativeDirPathForGuestBuf@20 ; AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)
		mov	esi, eax

loc_A21220:				; CODE XREF: SdbpGetPathAppraiser(x,x,x,x)+A0j
		mov	eax, esi

loc_A21222:				; CODE XREF: SdbpGetPathAppraiser(x,x,x,x)+41j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_SdbpGetPathAppraiser@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpGetPathCustomSdb(x, x, x, x)
_SdbpGetPathCustomSdb@16 proc near	; DATA XREF: .text:00404F08o

var_224		= dword	ptr -224h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 224h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	[ebp+arg_4], 0Bh
		push	ebx
		push	esi
		push	edi
		push	5
		mov	ebx, [ebp+arg_0]
		lea	edi, [ebp+var_1C]
		mov	edx, [ebp+arg_8]
		mov	esi, offset ??_C@_1BG@GDIBOBAP@?$AA?2?$AAC?$AAu?$AAs?$AAt?$AAo?$AAm?$AAS?$AAD?$AAB@NNGAKEGL@
		pop	ecx
		rep movsd
		movsw
		jnb	short loc_A2126D
		mov	eax, 0C0000023h
		jmp	short loc_A212CE
; 

loc_A2126D:				; CODE XREF: SdbpGetPathCustomSdb(x,x,x,x)+31j
		xor	eax, eax
		mov	word ptr [ebp+var_224],	ax
		mov	[ebx], ax
		test	edx, edx
		jnz	short loc_A21282
		mov	edx, offset ??_C@_11LOCGONAA@@NNGAKEGL@

loc_A21282:				; CODE XREF: SdbpGetPathCustomSdb(x,x,x,x)+48j
		push	104h
		lea	eax, [ebp+var_224]
		push	eax
		lea	ecx, [ebp+var_1C]
		call	_AslPathCombine@16 ; AslPathCombine(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A212B8
		push	esi
		push	offset ??_C@_0BL@IPDIPDIN@AslPathCombine?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	44Ah
		push	offset ??_C@_0BF@OKGMJLIO@SdbpGetPathCustomSdb@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A212CC
; 

loc_A212B8:				; CODE XREF: SdbpGetPathCustomSdb(x,x,x,x)+67j
		push	0
		lea	eax, [ebp+var_224]
		push	eax
		push	[ebp+arg_4]
		push	ebx
		call	_SdbpGetPathAppPatch@16	; SdbpGetPathAppPatch(x,x,x,x)
		mov	esi, eax

loc_A212CC:				; CODE XREF: SdbpGetPathCustomSdb(x,x,x,x)+83j
		mov	eax, esi

loc_A212CE:				; CODE XREF: SdbpGetPathCustomSdb(x,x,x,x)+38j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_SdbpGetPathCustomSdb@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpGetPathSystem(x, x, x, x)
_SdbpGetPathSystem@16 proc near		; DATA XREF: .text:00404F28o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	edx, [ebp+var_4]
		and	[ebp+var_4], 0
		lea	ecx, [ebp+var_8]
		push	esi
		push	[ebp+arg_C]
		call	_SdbpGetProcessHostGuestArchitectures@12 ; SdbpGetProcessHostGuestArchitectures(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A21310
		push	esi
		push	offset ??_C@_0DB@LPCMCBIC@SdbpGetProcessHostGuestArchitec@NNGAKEGL@
		push	410h
		jmp	short loc_A21336
; 

loc_A21310:				; CODE XREF: SdbpGetPathSystem(x,x,x,x)+22j
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		push	eax
		push	[ebp+var_8]
		push	[ebp+arg_8]
		call	_AslEnvGetSystem32DirPathBuf@20	; AslEnvGetSystem32DirPathBuf(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A21345
		push	esi
		push	(offset	loc_8C3DDD+1)
		push	416h

loc_A21336:				; CODE XREF: SdbpGetPathSystem(x,x,x,x)+2Fj
		push	offset ??_C@_0BC@FMFCMILN@SdbpGetPathSystem@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A21345:				; CODE XREF: SdbpGetPathSystem(x,x,x,x)+4Aj
		mov	eax, esi
		pop	esi
		leave
		retn	10h
_SdbpGetPathSystem@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpGetProcessHostGuestArchitectures(x, x, x)
_SdbpGetProcessHostGuestArchitectures@12 proc near
					; CODE XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+73p
					; SdbpGetPathCustomSdbPreRS3(x,x,x,x)+84p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, 0FFFFh
		sub	esp, 0Ch
		mov	edi, edx
		mov	[ebp+var_4], eax
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		lea	edx, [ebp+var_4]
		lea	ecx, [ebp+var_8]
		call	AslEnvGetProcessWowInfo
		mov	esi, eax
		test	esi, esi
		jns	short loc_A21395
		push	esi
		push	offset ??_C@_0CE@JCOOOONA@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@
		push	369h
		push	offset ??_C@_0CF@OLEHGKON@SdbpGetProcessHostGuestArchitec@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A213C1
; 

loc_A21395:				; CODE XREF: SdbpGetProcessHostGuestArchitectures(x,x,x)+2Bj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A213B1
		mov	cx, [eax]
		call	AslImageFileToArchitecture
		movzx	ecx, ax
		mov	eax, 0FFFFh
		cmp	cx, ax
		jnz	short loc_A213B5

loc_A213B1:				; CODE XREF: SdbpGetProcessHostGuestArchitectures(x,x,x)+4Ej
		movzx	ecx, word ptr [ebp+var_4]

loc_A213B5:				; CODE XREF: SdbpGetProcessHostGuestArchitectures(x,x,x)+63j
		mov	ax, word ptr [ebp+var_8]
		xor	esi, esi
		mov	[ebx], ax
		mov	[edi], cx

loc_A213C1:				; CODE XREF: SdbpGetProcessHostGuestArchitectures(x,x,x)+47j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_SdbpGetProcessHostGuestArchitectures@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpGetSystemSdbFilePath(x,	x, x, x, x, x)
_SdbpGetSystemSdbFilePath@24 proc near	; CODE XREF: SdbGetPathCustomSdb(x,x,x,x)+66p
					; SdbResolveDatabaseEx(x,x,x,x,x,x)+C7p

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[esi], ax
		test	edi, edi
		jz	loc_A21492
		cmp	edi, 0Ah
		jge	loc_A21492
		inc	eax
		mov	ecx, offset dword_404EA0

loc_A213F2:				; CODE XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+33j
		cmp	[ecx], edi
		jz	short loc_A21401
		inc	eax
		add	ecx, 10h
		cmp	eax, 0Ah
		jb	short loc_A213F2
		jmp	short loc_A2140B
; 

loc_A21401:				; CODE XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+2Aj
		shl	eax, 4
		add	eax, offset dword_404E90
		jnz	short loc_A2142C

loc_A2140B:				; CODE XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+35j
		push	edi
		push	(offset	loc_8C3EE6+6)
		push	501h
		push	offset ??_C@_0BJ@HFHDPNEL@SdbpGetSystemSdbFilePath@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		mov	esi, 0C0000225h
		jmp	short loc_A21497
; 

loc_A2142C:				; CODE XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+3Fj
		mov	edx, [eax+8]
		test	edx, edx
		jnz	short loc_A21453
		push	offset ??_C@_0DC@PFAPBPOE@SdbFileDetails?5missing?5function@NNGAKEGL@
		push	50Fh
		push	offset ??_C@_0BJ@HFHDPNEL@SdbpGetSystemSdbFilePath@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		mov	esi, 0C00000E5h
		jmp	short loc_A21497
; 

loc_A21453:				; CODE XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+67j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jnz	short loc_A2145D
		mov	ecx, [eax+4]

loc_A2145D:				; CODE XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+8Ej
		push	[ebp+arg_C]
		push	ecx
		push	104h
		push	esi
		call	edx
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2148E
		push	esi
		push	0
		push	edi
		push	offset ??_C@_0DO@KLLBMCFK@GetPathFunction?5?$CIfor?5SdbFileTyp@NNGAKEGL@
		push	519h
		push	offset ??_C@_0BJ@HFHDPNEL@SdbpGetSystemSdbFilePath@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 1Ch
		jmp	short loc_A21497
; 

loc_A2148E:				; CODE XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+A3j
		xor	esi, esi
		jmp	short loc_A21497
; 

loc_A21492:				; CODE XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+13j
					; SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+1Cj
		mov	esi, 0C00000F1h

loc_A21497:				; CODE XREF: SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+60j
					; SdbpGetSystemSdbFilePath(x,x,x,x,x,x)+87j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	10h
_SdbpGetSystemSdbFilePath@24 endp


;  S U B	R O U T	I N E 


; __stdcall SdbpRemoveSDBLookupEntry(x,	x)
_SdbpRemoveSDBLookupEntry@8 proc near	; CODE XREF: SdbReleaseDatabase+8Fp
		mov	edi, edi
		push	esi
		mov	esi, [edx+4]
		cmp	esi, edx
		jnz	short loc_A214B2
		and	dword ptr [ecx+1A4h], 0
		jmp	short loc_A214D1
; 

loc_A214B2:				; CODE XREF: SdbpRemoveSDBLookupEntry(x,x)+8j
		cmp	[ecx+1A4h], edx
		jnz	short loc_A214C5
		mov	eax, [edx]
		mov	[ecx+1A4h], eax
		mov	esi, [edx+4]

loc_A214C5:				; CODE XREF: SdbpRemoveSDBLookupEntry(x,x)+19j
		mov	eax, [edx]
		mov	[esi], eax
		mov	ecx, [edx]
		mov	eax, [edx+4]
		mov	[ecx+4], eax

loc_A214D1:				; CODE XREF: SdbpRemoveSDBLookupEntry(x,x)+11j
		push	74705041h
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
_SdbpRemoveSDBLookupEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpOpenCompressedDatabase(x, x, x)
_SdbpOpenCompressedDatabase@12 proc near ; CODE	XREF: SdbOpenDatabaseEx(x,x,x,x)+146p

var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_4], 0
		mov	eax, ecx
		and	[ebp+var_8], 0
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_10], eax
		mov	eax, [eax]
		push	esi
		push	edi
		mov	[ebp+var_C], eax
		cmp	_g_ExpandCallback, ebx
		jnz	short loc_A21526
		push	(offset	loc_8C4161+3)
		push	93h

loc_A2150F:				; CODE XREF: SdbpOpenCompressedDatabase(x,x,x)+58j
					; SdbpOpenCompressedDatabase(x,x,x)+78j ...
		push	offset ??_C@_0BL@JHLABFDA@SdbpOpenCompressedDatabase@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		mov	esi, [ebp+var_4]
		add	esp, 10h
		jmp	loc_A21634
; 

loc_A21526:				; CODE XREF: SdbpOpenCompressedDatabase(x,x,x)+25j
		cmp	dword ptr [eax+0Ch], 14h
		jnb	short loc_A21538
		push	offset ??_C@_0BP@FEFPKLNB@SDB?5file?5too?5small?5to?5be?5valid@NNGAKEGL@
		push	98h
		jmp	short loc_A2150F
; 

loc_A21538:				; CODE XREF: SdbpOpenCompressedDatabase(x,x,x)+4Cj
		mov	esi, [eax+4]
		lea	edi, [ebp+var_24]
		push	5
		pop	ecx
		rep movsd
		cmp	[ebp+var_1C], 6662647Ah
		jz	short loc_A21558
		push	(offset	loc_8C414A+4)
		push	9Fh
		jmp	short loc_A2150F
; 

loc_A21558:				; CODE XREF: SdbpOpenCompressedDatabase(x,x,x)+6Cj
		mov	eax, [ebp+var_18]
		cmp	eax, _g_ExpectedAlgorithm
		jz	short loc_A2156F
		push	offset ??_C@_0DN@KMAJDPML@SDB?5compression?5algorithm?5does?5@NNGAKEGL@
		push	0A4h
		jmp	short loc_A2150F
; 

loc_A2156F:				; CODE XREF: SdbpOpenCompressedDatabase(x,x,x)+83j
		mov	edx, [ebp+var_14]
		mov	[ebp+var_8], edx
		cmp	edx, 7FFFFFFFh
		jbe	short loc_A2158E
		cmp	edx, 2Ah
		jnb	short loc_A2158E
		push	offset ??_C@_0DG@DAKFPAHP@Expanded?5SDB?5file?5too?5small?5or?5@NNGAKEGL@
		push	0ADh
		jmp	short loc_A2150F
; 

loc_A2158E:				; CODE XREF: SdbpOpenCompressedDatabase(x,x,x)+9Dj
					; SdbpOpenCompressedDatabase(x,x,x)+A2j
		push	ecx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A215A9
		push	offset ??_C@_0EO@JMMLLMHM@SdbpOpenCompressedDatabase?5fail@NNGAKEGL@
		push	0B7h
		jmp	loc_A2150F
; 

loc_A215A9:				; CODE XREF: SdbpOpenCompressedDatabase(x,x,x)+BAj
		mov	eax, [ebp+var_C]
		mov	ecx, [eax+4]
		mov	eax, [eax+0Ch]
		add	ecx, 14h
		sub	eax, 14h
		push	eax
		push	ecx
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_g_ExpandCallback
		test	eax, eax
		jnz	short loc_A215E4
		push	(offset	loc_8C4205+1)
		push	0C1h
		push	offset ??_C@_0BL@JHLABFDA@SdbpOpenCompressedDatabase@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_A21605
; 

loc_A215E4:				; CODE XREF: SdbpOpenCompressedDatabase(x,x,x)+E9j
		mov	edx, [ebp+var_8]
		push	ecx
		mov	ecx, esi
		call	SdbpOpenDatabaseInMemory
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A21605
		or	dword ptr [ebx+10h], 0Ch
		xor	esi, esi
		and	[ebp+var_8], esi
		mov	[ebp+var_4], 1

loc_A21605:				; CODE XREF: SdbpOpenCompressedDatabase(x,x,x)+104j
					; SdbpOpenCompressedDatabase(x,x,x)+115j
		test	esi, esi
		jz	short loc_A21620
		push	74705041h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	[ebp+var_8], 0
		test	ebx, ebx
		jz	short loc_A21620
		and	dword ptr [ebx+4], 0

loc_A21620:				; CODE XREF: SdbpOpenCompressedDatabase(x,x,x)+129j
					; SdbpOpenCompressedDatabase(x,x,x)+13Cj
		mov	esi, [ebp+var_4]
		test	esi, esi
		jnz	short loc_A21634
		test	ebx, ebx
		jz	short loc_A21634
		mov	ecx, ebx
		call	SdbCloseDatabaseRead
		xor	ebx, ebx

loc_A21634:				; CODE XREF: SdbpOpenCompressedDatabase(x,x,x)+43j
					; SdbpOpenCompressedDatabase(x,x,x)+147j ...
		mov	edi, [ebp+var_10]
		mov	ecx, [edi]
		call	SdbCloseDatabaseRead
		mov	[edi], ebx
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_SdbpOpenCompressedDatabase@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckAllAttributes(x, x, x, x, x)
_SdbpCheckAllAttributes@20 proc	near	; CODE XREF: SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+A3p
					; SdbpCheckMatchingFiles(x,x,x,x,x,x,x)+1ADp ...

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, ecx
		push	esi
		push	edi
		xor	ecx, ecx
		mov	[ebp+var_20], edx
		xor	edi, edi
		mov	[ebp+var_24], eax
		inc	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		mov	[eax], ecx
		mov	[ebp+var_14], edi
		test	ebx, ebx
		jz	loc_A21857
		cmp	[ebx+30h], ecx
		jz	short loc_A21689
		xor	eax, eax
		cmp	[ebx+18h], ecx
		setnz	al
		jmp	short loc_A21690
; 

loc_A21689:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+34j
		cmp	[ebx+8], ecx
		jnz	short loc_A21698
		mov	eax, ecx

loc_A21690:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+3Ej
		test	eax, eax
		jz	loc_A21857

loc_A21698:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+43j
		push	ecx
		mov	edx, 348h
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jnz	short loc_A216B6
		mov	esi, 0C0000017h
		jmp	loc_A21859
; 

loc_A216B6:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+61j
		mov	eax, offset unk_6B6924
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_18], ecx

loc_A216C3:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+1A4j
		movzx	eax, word ptr [eax-4]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	eax
		mov	[ebp+var_C], eax
		call	_SdbFindFirstTag@12 ; SdbFindFirstTag(x,x,x)
		test	eax, eax
		jz	loc_A217D5
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		and	ecx, 0F000h
		mov	[ebp+arg_8], edx
		mov	edi, edx
		mov	[ebp+var_4], edi
		cmp	ecx, 4000h
		jz	short loc_A2174C
		cmp	ecx, 5000h
		jz	short loc_A21733
		cmp	ecx, 6000h
		jnz	short loc_A21766
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		call	SdbGetStringTagPtr
		mov	edx, eax
		mov	[ebp+arg_8], eax
		lea	eax, [edx+2]

loc_A2171B:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+DBj
		mov	cx, [edx]
		add	edx, 2
		cmp	cx, di
		jnz	short loc_A2171B
		sub	edx, eax
		sar	edx, 1
		lea	edi, ds:2[edx*2]
		jmp	short loc_A21763
; 

loc_A21733:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+B6j
		mov	ecx, [ebp+arg_0]
		push	edx
		push	edx
		mov	edx, eax
		call	SdbReadQWORDTag
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_2C], edx
		push	8
		jmp	short loc_A2175F
; 

loc_A2174C:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+AEj
		mov	ecx, [ebp+arg_0]
		push	edx
		mov	edx, eax
		call	SdbReadDWORDTag
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_10]
		push	4

loc_A2175F:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+101j
		pop	edi
		mov	[ebp+arg_8], eax

loc_A21763:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+E8j
		mov	[ebp+var_4], edi

loc_A21766:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+BEj
		mov	ecx, [ebp+var_8]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		mov	ecx, [ecx]
		call	__allshl
		push	edx
		push	eax
		mov	edx, ebx
		mov	ecx, esi
		call	_AslFileAllocAndGetAttributes@16 ; AslFileAllocAndGetAttributes(x,x,x,x)
		mov	esi, eax
		mov	eax, [ebp+var_8]
		mov	eax, [eax]
		test	esi, esi
		js	loc_A2183A
		mov	esi, [ebp+var_1C]
		imul	eax, 18h
		add	eax, esi
		test	byte ptr [eax+10h], 1
		jz	loc_A21834
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_14]
		push	eax
		push	edi
		push	[ebp+arg_8]
		call	_SdbpCheckAttribute@20 ; SdbpCheckAttribute(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A21813
		mov	eax, [ebp+var_20]
		mov	edi, [ebp+var_14]
		mov	eax, [eax+3F0h]
		test	eax, eax
		jz	short loc_A217D1
		push	edi
		push	[ebp+var_4]
		push	[ebp+arg_8]
		push	[ebp+var_C]
		call	eax

loc_A217D1:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+17Aj
		test	edi, edi
		jz	short loc_A217F3

loc_A217D5:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+8Fj
		mov	ecx, [ebp+var_18]
		mov	eax, [ebp+var_8]
		add	ecx, 8
		add	eax, 8
		mov	[ebp+var_18], ecx
		mov	[ebp+var_8], eax
		cmp	ecx, 130h
		jb	loc_A216C3

loc_A217F3:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+18Aj
		xor	eax, eax
		mov	esi, eax
		mov	eax, [ebp+var_24]
		mov	[eax], edi

loc_A217FC:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+1E9j
					; SdbpCheckAllAttributes(x,x,x,x,x)+1EFj ...
		mov	edi, [ebp+var_1C]
		mov	ecx, edi
		call	_AslFileFreeAttributes@4 ; AslFileFreeAttributes(x)
		push	74705041h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A21859
; 

loc_A21813:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+16Aj
		mov	esi, 0C00000E5h
		push	esi
		push	offset ??_C@_0BP@NLPCOOD@SdbpCheckAttribute?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	359h
		push	offset ??_C@_0BH@LGBLGPBK@SdbpCheckAllAttributes@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A217FC
; 

loc_A21834:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+152j
		xor	eax, eax
		mov	esi, eax
		jmp	short loc_A217FC
; 

loc_A2183A:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+140j
		push	esi
		push	eax
		push	offset ??_C@_0CA@NOHMNGME@Failed?5to?5get?5attribute?5?$CFd?5?$FL?$CFx?$FN@NNGAKEGL@
		push	342h
		push	offset ??_C@_0BH@LGBLGPBK@SdbpCheckAllAttributes@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	short loc_A217FC
; 

loc_A21857:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+2Bj
					; SdbpCheckAllAttributes(x,x,x,x,x)+49j
		mov	esi, ecx

loc_A21859:				; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+68j
					; SdbpCheckAllAttributes(x,x,x,x,x)+1C8j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_SdbpCheckAllAttributes@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckAttribute(x, x, x,	x, x)
_SdbpCheckAttribute@20 proc near	; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+163p

var_6		= word ptr -6
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+14h+var_4], ecx
		push	edi
		mov	ax, dx
		mov	[ecx], esi
		xor	edi, edi
		movzx	ebx, ax
		mov	ecx, 5006h
		mov	[esp+18h+var_6], ax
		inc	edi
		cmp	ebx, ecx
		ja	loc_A21940
		jz	loc_A21AC0
		cmp	ebx, 401Eh
		jz	short loc_A2191E
		cmp	ebx, 4033h
		jz	short loc_A218F7
		lea	eax, [ebx-5002h]
		cmp	eax, edi
		ja	loc_A21A21
		cmp	[ebp+arg_4], 8
		jnb	short loc_A218DC
		push	offset ??_C@_0BN@MAJDMDHG@Attribute?5size?5doesn?8t?5match@NNGAKEGL@ ; "Attribute size doesn't match"
		push	238h

loc_A218C7:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+1F1j
					; SdbpCheckAttribute(x,x,x,x,x)+219j ...
		push	offset ??_C@_0BD@EDJAJPBP@SdbpCheckAttribute@NNGAKEGL@
		push	edi

loc_A218CD:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+19Fj
		call	AslLogCallPrintf
		add	esp, 10h
		mov	edi, esi
		jmp	loc_A21AF3
; 

loc_A218DC:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+59j
		mov	eax, [ebp+arg_8]
		push	dword ptr [eax+0Ch]
		push	dword ptr [eax+8]
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		call	_SdbpCheckVersion@16 ; SdbpCheckVersion(x,x,x,x)
		jmp	loc_A21AEB
; 

loc_A218F7:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+45j
		cmp	[ebp+arg_4], 4
		jnb	short loc_A2190C
		push	offset ??_C@_0BN@MAJDMDHG@Attribute?5size?5doesn?8t?5match@NNGAKEGL@ ; "Attribute size doesn't match"
		push	261h
		jmp	loc_A219FA
; 

loc_A2190C:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+99j
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		mov	eax, [ebp+arg_8]
		cmp	[eax+8], ecx

loc_A21917:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+DCj
		sbb	esi, esi
		jmp	loc_A21ABD
; 

loc_A2191E:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+3Dj
		cmp	[ebp+arg_4], 4
		jnb	short loc_A21933
		push	offset ??_C@_0BN@MAJDMDHG@Attribute?5size?5doesn?8t?5match@NNGAKEGL@ ; "Attribute size doesn't match"
		push	26Eh
		jmp	loc_A219FA
; 

loc_A21933:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+C0j
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		mov	eax, [ebp+arg_8]
		cmp	ecx, [eax+8]
		jmp	short loc_A21917
; 

loc_A21940:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+2Bj
		cmp	ebx, 500Dh
		jz	loc_A21AC0
		cmp	ebx, 5011h
		jbe	loc_A21A21
		cmp	ebx, 5013h
		jbe	loc_A219EA
		cmp	ebx, 6043h
		jbe	loc_A21A21
		mov	ecx, 6047h
		cmp	ax, cx
		ja	loc_A21A21
		call	_Feature_CompatBuildInVb__private_IsEnabledDeviceUsage@0 ; Feature_CompatBuildInVb__private_IsEnabledDeviceUsage()
		test	eax, eax
		jz	loc_A21A21
		mov	ax, [esp+18h+var_6]
		mov	ecx, 6046h
		cmp	ax, cx
		jz	short loc_A219C5
		inc	ecx
		cmp	ax, cx
		jz	short loc_A219C5
		cmp	[ebp+arg_4], 2
		jnb	short loc_A219B2
		push	offset ??_C@_0BN@MAJDMDHG@Attribute?5size?5doesn?8t?5match@NNGAKEGL@ ; "Attribute size doesn't match"
		push	28Fh
		jmp	short loc_A219FA
; 

loc_A219B2:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+142j
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		mov	edx, [edx+8]
		call	_SdbpCheckUptoStringVersion@8 ;	SdbpCheckUptoStringVersion(x,x)
		jmp	loc_A21AEB
; 

loc_A219C5:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+136j
					; SdbpCheckAttribute(x,x,x,x,x)+13Cj
		cmp	[ebp+arg_4], 2
		jnb	short loc_A219D7
		push	offset ??_C@_0BN@MAJDMDHG@Attribute?5size?5doesn?8t?5match@NNGAKEGL@ ; "Attribute size doesn't match"
		push	281h
		jmp	short loc_A219FA
; 

loc_A219D7:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+167j
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		mov	edx, [edx+8]
		call	_SdbpCheckFromStringVersion@8 ;	SdbpCheckFromStringVersion(x,x)
		jmp	loc_A21AEB
; 

loc_A219EA:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+FCj
		cmp	[ebp+arg_4], 8
		jnb	short loc_A21A06
		push	offset ??_C@_0BN@MAJDMDHG@Attribute?5size?5doesn?8t?5match@NNGAKEGL@ ; "Attribute size doesn't match"
		push	246h

loc_A219FA:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+A5j
					; SdbpCheckAttribute(x,x,x,x,x)+CCj ...
		push	offset ??_C@_0BD@EDJAJPBP@SdbpCheckAttribute@NNGAKEGL@
		push	1
		jmp	loc_A218CD
; 

loc_A21A06:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+18Cj
		mov	eax, [ebp+arg_8]
		push	dword ptr [eax+0Ch]
		push	dword ptr [eax+8]
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+4]
		push	dword ptr [eax]
		call	_SdbpCheckFromVersion@16 ; SdbpCheckFromVersion(x,x,x,x)
		jmp	loc_A21AEB
; 

loc_A21A21:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+4Fj
					; SdbpCheckAttribute(x,x,x,x,x)+F0j ...
		and	ebx, 0F000h
		cmp	ebx, 4000h
		jz	short loc_A21A99
		cmp	ebx, 5000h
		jz	short loc_A21A6B
		cmp	ebx, 6000h
		jnz	loc_A21AED
		cmp	[ebp+arg_4], 2
		jnb	short loc_A21A58
		push	offset ??_C@_0BN@MAJDMDHG@Attribute?5size?5doesn?8t?5match@NNGAKEGL@ ; "Attribute size doesn't match"
		push	2B6h
		jmp	loc_A218C7
; 

loc_A21A58:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+1E5j
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		mov	edx, [edx+8]
		call	AslStringPatternMatchW
		jmp	loc_A21AEB
; 

loc_A21A6B:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+1D3j
		cmp	[ebp+arg_4], 8
		jnb	short loc_A21A80
		push	offset ??_C@_0BN@MAJDMDHG@Attribute?5size?5doesn?8t?5match@NNGAKEGL@ ; "Attribute size doesn't match"
		push	2C4h
		jmp	loc_A218C7
; 

loc_A21A80:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+20Dj
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+arg_8]
		mov	eax, [ecx]
		cmp	eax, [edx+8]
		jnz	short loc_A21AED
		mov	eax, [ecx+4]
		cmp	eax, [edx+0Ch]
		jnz	short loc_A21AED
		mov	esi, edi
		jmp	short loc_A21AED
; 

loc_A21A99:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+1CBj
		cmp	[ebp+arg_4], 4
		jnb	short loc_A21AAE
		push	offset ??_C@_0BN@MAJDMDHG@Attribute?5size?5doesn?8t?5match@NNGAKEGL@ ; "Attribute size doesn't match"
		push	2A6h
		jmp	loc_A218C7
; 

loc_A21AAE:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+23Bj
		mov	eax, [ebp+arg_0]
		mov	esi, [eax]
		mov	eax, [ebp+arg_8]
		sub	esi, [eax+8]
		neg	esi
		sbb	esi, esi

loc_A21ABD:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+B7j
		inc	esi
		jmp	short loc_A21AED
; 

loc_A21AC0:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+31j
					; SdbpCheckAttribute(x,x,x,x,x)+E4j
		cmp	[ebp+arg_4], 8
		jnb	short loc_A21AD5
		push	offset ??_C@_0BN@MAJDMDHG@Attribute?5size?5doesn?8t?5match@NNGAKEGL@ ; "Attribute size doesn't match"
		push	254h
		jmp	loc_A219FA
; 

loc_A21AD5:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+262j
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		push	dword ptr [eax+0Ch]
		push	dword ptr [eax+8]
		push	dword ptr [ecx+4]
		push	dword ptr [ecx]
		call	_SdbpCheckUptoVersion@16 ; SdbpCheckUptoVersion(x,x,x,x)

loc_A21AEB:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+90j
					; SdbpCheckAttribute(x,x,x,x,x)+15Ej ...
		mov	esi, eax

loc_A21AED:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+1DBj
					; SdbpCheckAttribute(x,x,x,x,x)+229j ...
		mov	eax, [esp+18h+var_4]
		mov	[eax], esi

loc_A21AF3:				; CODE XREF: SdbpCheckAttribute(x,x,x,x,x)+75j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_SdbpCheckAttribute@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckFromVersion(x, x, x, x)
_SdbpCheckFromVersion@16 proc near	; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+162p
					; SdbpMatchOsVersion+8A5CFp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		push	30h
		inc	esi
		pop	edi

loc_A21B0C:				; CODE XREF: SdbpCheckFromVersion(x,x,x,x)+40j
		mov	eax, [ebp+arg_0]
		mov	ecx, edi
		mov	edx, [ebp+arg_4]
		call	__aullshr
		mov	edx, [ebp+arg_C]
		mov	ecx, edi
		movzx	ebx, ax
		mov	eax, [ebp+arg_8]
		call	__aullshr
		movzx	eax, ax
		cmp	bx, ax
		jz	short loc_A21B3B
		mov	ecx, 0FFFFh
		cmp	bx, cx
		jnz	short loc_A21B42

loc_A21B3B:				; CODE XREF: SdbpCheckFromVersion(x,x,x,x)+31j
		sub	edi, 10h
		jns	short loc_A21B0C
		jmp	short loc_A21B49
; 

loc_A21B42:				; CODE XREF: SdbpCheckFromVersion(x,x,x,x)+3Bj
		cmp	bx, ax
		sbb	esi, esi
		neg	esi

loc_A21B49:				; CODE XREF: SdbpCheckFromVersion(x,x,x,x)+42j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_SdbpCheckFromVersion@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckUptoVersion(x, x, x, x)
_SdbpCheckUptoVersion@16 proc near	; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+130p
					; SdbpMatchOsVersion+8A600p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		push	30h
		inc	esi
		pop	edi

loc_A21B60:				; CODE XREF: SdbpCheckUptoVersion(x,x,x,x)+40j
		mov	eax, [ebp+arg_0]
		mov	ecx, edi
		mov	edx, [ebp+arg_4]
		call	__aullshr
		mov	edx, [ebp+arg_C]
		mov	ecx, edi
		movzx	ebx, ax
		mov	eax, [ebp+arg_8]
		call	__aullshr
		movzx	eax, ax
		cmp	bx, ax
		jz	short loc_A21B8F
		mov	ecx, 0FFFFh
		cmp	bx, cx
		jnz	short loc_A21B96

loc_A21B8F:				; CODE XREF: SdbpCheckUptoVersion(x,x,x,x)+31j
		sub	edi, 10h
		jns	short loc_A21B60
		jmp	short loc_A21B9D
; 

loc_A21B96:				; CODE XREF: SdbpCheckUptoVersion(x,x,x,x)+3Bj
		cmp	ax, bx
		sbb	esi, esi
		neg	esi

loc_A21B9D:				; CODE XREF: SdbpCheckUptoVersion(x,x,x,x)+42j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_SdbpCheckUptoVersion@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SdbpCheckVersion(x,	x, x, x)
_SdbpCheckVersion@16 proc near		; CODE XREF: SdbpCheckApplicationTypeAttributes(x,x,x,x)+194p
					; SdbpMatchOsVersion+8A5A4p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	30h
		pop	esi

loc_A21BB0:				; CODE XREF: SdbpCheckVersion(x,x,x,x)+39j
		mov	eax, [ebp+arg_0]
		mov	ecx, esi
		mov	edx, [ebp+arg_4]
		call	__aullshr
		mov	edx, [ebp+arg_C]
		mov	ecx, esi
		movzx	edi, ax
		mov	eax, [ebp+arg_8]
		call	__aullshr
		cmp	di, ax
		jz	short loc_A21BDC
		mov	eax, 0FFFFh
		cmp	di, ax
		jnz	short loc_A21BEA

loc_A21BDC:				; CODE XREF: SdbpCheckVersion(x,x,x,x)+2Aj
		sub	esi, 10h
		jns	short loc_A21BB0
		xor	eax, eax
		inc	eax

loc_A21BE4:				; CODE XREF: SdbpCheckVersion(x,x,x,x)+46j
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
; 

loc_A21BEA:				; CODE XREF: SdbpCheckVersion(x,x,x,x)+34j
		xor	eax, eax
		jmp	short loc_A21BE4
_SdbpCheckVersion@16 endp


;  S U B	R O U T	I N E 


; __stdcall SdbFindNextStringIndexedTag(x, x)
_SdbFindNextStringIndexedTag@8 proc near ; CODE	XREF: SdbGetDatabaseMatchEx+AFC55p
					; SdbpSearchDB+AF7C9p ...
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, edx
		push	edi
		push	esi
		mov	edi, ecx
		mov	edx, [esi]
		call	SdbpGetNextIndexedRecord
		test	eax, eax
		jz	short loc_A21C0D
		push	esi
		mov	edx, eax
		mov	ecx, edi
		call	SdbpFindMatchingName

loc_A21C0D:				; CODE XREF: SdbFindNextStringIndexedTag(x,x)+13j
		pop	edi
		pop	esi
		pop	ecx
		retn
_SdbFindNextStringIndexedTag@8 endp


;  S U B	R O U T	I N E 


; __stdcall AslGuidToString_UStr(x, x)
_AslGuidToString_UStr@8	proc near	; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+6Ep
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	4Ch
		pop	eax
		mov	ebx, ecx
		mov	edi, edx
		push	4Eh
		pop	edx
		push	ecx
		mov	[ebx], ax
		mov	[ebx+2], dx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A21C56
		push	offset ??_C@_0O@NALGGDJF@Out?5of?5memory@NNGAKEGL@
		push	0F1h
		push	(offset	loc_8C4836+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		mov	edi, 0C0000017h
		jmp	loc_A21CD7
; 

loc_A21C56:				; CODE XREF: AslGuidToString_UStr(x,x)+20j
		movzx	eax, byte ptr [edi+0Fh]
		push	eax
		movzx	eax, byte ptr [edi+0Eh]
		push	eax
		movzx	eax, byte ptr [edi+0Dh]
		push	eax
		movzx	eax, byte ptr [edi+0Ch]
		push	eax
		movzx	eax, byte ptr [edi+0Bh]
		push	eax
		movzx	eax, byte ptr [edi+0Ah]
		push	eax
		movzx	eax, byte ptr [edi+9]
		push	eax
		movzx	eax, byte ptr [edi+8]
		push	eax
		movzx	eax, word ptr [edi+6]
		push	eax
		movzx	eax, word ptr [edi+4]
		push	eax
		push	dword ptr [edi]	; char
		movzx	eax, word ptr [ebx+2]
		push	offset ??_C@_1HM@GHDLPNLE@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAh?$AAx?$AA?9?$AA?$CF?$AA0@NNGAKEGL@ ;	"{%08lx-%04hx-%04hx-%02hx%02hx-%02hx%02h"...
		shr	eax, 1
		push	eax		; int
		push	esi		; wchar_t *
		call	RtlStringCchPrintfW
		mov	edi, eax
		add	esp, 38h
		test	edi, edi
		jns	short loc_A21CC1
		push	edi
		push	offset ??_C@_0CA@FFNDHPE@RtlStringCchPrintfW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	105h
		push	(offset	loc_8C4836+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A21CC8
; 

loc_A21CC1:				; CODE XREF: AslGuidToString_UStr(x,x)+92j
		mov	[ebx+4], esi
		xor	esi, esi
		mov	edi, esi

loc_A21CC8:				; CODE XREF: AslGuidToString_UStr(x,x)+AEj
		test	esi, esi
		jz	short loc_A21CD7
		push	74705041h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A21CD7:				; CODE XREF: AslGuidToString_UStr(x,x)+40j
					; AslGuidToString_UStr(x,x)+B9j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_AslGuidToString_UStr@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslStringAnsiToUnicode(x, x)
_AslStringAnsiToUnicode@8 proc near	; CODE XREF: AslpFileGet16BitDescription(x,x)+69p
					; AslpFileGet16BitModuleName(x,x)+69p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		push	edx
		lea	eax, [ebp+var_10]
		xor	esi, esi
		push	eax
		mov	ebx, ecx
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		call	_RtlInitString@8 ; RtlInitString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlxAnsiStringToUnicodeSize@4 ; RtlxAnsiStringToUnicodeSize(x)
		mov	edi, eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	[ebx], esi
		cmp	edi, 0FFFFh
		jbe	short loc_A21D38
		push	edi
		push	offset ??_C@_0CJ@FKBOKAKO@Ansi?5string?5is?5too?5long?5to?5conv@NNGAKEGL@
		mov	esi, 0C000000Dh
		push	188h

loc_A21D27:				; CODE XREF: AslStringAnsiToUnicode(x,x)+B3j
		push	(offset	loc_8C47ED+5)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A21D9D
; 

loc_A21D38:				; CODE XREF: AslStringAnsiToUnicode(x,x)+38j
		push	ecx
		mov	edx, edi
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jnz	short loc_A21D67
		push	offset ??_C@_0O@NALGGDJF@Out?5of?5memory@NNGAKEGL@
		push	18Fh
		push	(offset	loc_8C47ED+5)
		push	1
		mov	esi, 0C0000017h
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_A21D9D
; 

loc_A21D67:				; CODE XREF: AslStringAnsiToUnicode(x,x)+68j
		xor	eax, eax
		mov	word ptr [ebp+var_8+2],	di
		mov	word ptr [ebp+var_8], ax
		lea	eax, [ebp+var_10]
		push	esi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	esi, eax
		test	esi, esi
		jns	short loc_A21D92
		push	esi
		push	offset ??_C@_0CJ@JMPLFPEH@RtlAnsiStringToUnicodeString?5fa@NNGAKEGL@
		push	198h
		jmp	short loc_A21D27
; 

loc_A21D92:				; CODE XREF: AslStringAnsiToUnicode(x,x)+A6j
		mov	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		xor	esi, esi
		mov	[ebx], eax

loc_A21D9D:				; CODE XREF: AslStringAnsiToUnicode(x,x)+59j
					; AslStringAnsiToUnicode(x,x)+88j
		cmp	[ebp+var_4], 0
		jz	short loc_A21DB0
		push	74705041h
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A21DB0:				; CODE XREF: AslStringAnsiToUnicode(x,x)+C4j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_AslStringAnsiToUnicode@8 endp


;  S U B	R O U T	I N E 


; __stdcall AslStringHasWildcard(x)
_AslStringHasWildcard@4	proc near	; CODE XREF: AslpPathWildcardMakeLeaves(x)+136p
		mov	edi, edi
		push	esi
		xor	esi, esi
		test	ecx, ecx
		jz	short loc_A21DE8
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_A21DE8
		mov	edx, eax

loc_A21DCA:				; CODE XREF: AslStringHasWildcard(x)+2Aj
		cmp	dx, 2Ah
		jz	short loc_A21DE5
		cmp	dx, 3Fh
		jz	short loc_A21DE5
		add	ecx, 2
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		test	ax, ax
		jnz	short loc_A21DCA
		jmp	short loc_A21DE8
; 

loc_A21DE5:				; CODE XREF: AslStringHasWildcard(x)+17j
					; AslStringHasWildcard(x)+1Dj
		xor	esi, esi
		inc	esi

loc_A21DE8:				; CODE XREF: AslStringHasWildcard(x)+7j
					; AslStringHasWildcard(x)+Fj ...
		mov	eax, esi
		pop	esi
		retn
_AslStringHasWildcard@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslStringSearchA(x,	x, x, x)
_AslStringSearchA@16 proc near		; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+2AFp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], ecx
		test	edx, edx
		jz	short loc_A21E5A
		push	esi
		mov	esi, [ebp+arg_4]
		cmp	esi, edx
		ja	short loc_A21E59
		push	ebx
		mov	ebx, edi

loc_A21E08:				; CODE XREF: AslStringSearchA(x,x,x,x)+63j
		mov	eax, edi
		mov	ecx, ebx
		mov	[ebp+var_4], eax
		test	esi, esi
		jz	short loc_A21E45

loc_A21E13:				; CODE XREF: AslStringSearchA(x,x,x,x)+57j
		cmp	ecx, edx
		jnb	short loc_A21E45
		mov	eax, [ebp+var_8]
		cmp	byte ptr [ecx+eax], 0
		jnz	short loc_A21E25
		inc	ecx
		cmp	ecx, edx
		jnb	short loc_A21E58

loc_A21E25:				; CODE XREF: AslStringSearchA(x,x,x,x)+32j
		mov	esi, [ebp+var_4]
		mov	edi, [ebp+arg_0]
		mov	al, [ecx+eax]
		push	0
		cmp	al, [esi+edi]
		mov	esi, [ebp+arg_4]
		mov	eax, [ebp+var_4]
		pop	edi
		jnz	short loc_A21E45
		inc	eax
		inc	ecx
		mov	[ebp+var_4], eax
		cmp	eax, esi
		jb	short loc_A21E13

loc_A21E45:				; CODE XREF: AslStringSearchA(x,x,x,x)+25j
					; AslStringSearchA(x,x,x,x)+29j ...
		cmp	eax, esi
		jz	short loc_A21E53
		inc	ebx
		lea	eax, [ebx+esi]
		cmp	eax, edx
		jbe	short loc_A21E08
		jmp	short loc_A21E58
; 

loc_A21E53:				; CODE XREF: AslStringSearchA(x,x,x,x)+5Bj
		mov	edi, [ebp+var_8]
		add	edi, ebx

loc_A21E58:				; CODE XREF: AslStringSearchA(x,x,x,x)+37j
					; AslStringSearchA(x,x,x,x)+65j
		pop	ebx

loc_A21E59:				; CODE XREF: AslStringSearchA(x,x,x,x)+17j
		pop	esi

loc_A21E5A:				; CODE XREF: AslStringSearchA(x,x,x,x)+Fj
		mov	eax, edi
		pop	edi
		leave
		retn	8
_AslStringSearchA@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslStringSearchW(x,	x, x, x)
_AslStringSearchW@16 proc near		; CODE XREF: SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+29Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ecx
		test	edx, edx
		jz	short loc_A21ED2
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	edi, edx
		ja	short loc_A21ED1
		push	ebx
		mov	ebx, esi

loc_A21E7D:				; CODE XREF: AslStringSearchW(x,x,x,x)+65j
		mov	eax, esi
		mov	ecx, ebx
		mov	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_A21EBC

loc_A21E88:				; CODE XREF: AslStringSearchW(x,x,x,x)+59j
		cmp	ecx, edx
		jnb	short loc_A21EBC
		mov	eax, [ebp+var_8]
		cmp	[eax+ecx*2], si
		jnz	short loc_A21E9A
		inc	ecx
		cmp	ecx, edx
		jnb	short loc_A21ED0

loc_A21E9A:				; CODE XREF: AslStringSearchW(x,x,x,x)+32j
		mov	edi, [ebp+var_4]
		mov	esi, [ebp+arg_0]
		mov	ax, [eax+ecx*2]
		push	0
		cmp	ax, [esi+edi*2]
		mov	edi, [ebp+arg_4]
		mov	eax, [ebp+var_4]
		pop	esi
		jnz	short loc_A21EBC
		inc	eax
		inc	ecx
		mov	[ebp+var_4], eax
		cmp	eax, edi
		jb	short loc_A21E88

loc_A21EBC:				; CODE XREF: AslStringSearchW(x,x,x,x)+25j
					; AslStringSearchW(x,x,x,x)+29j ...
		cmp	eax, edi
		jz	short loc_A21ECA
		inc	ebx
		lea	eax, [ebx+edi]
		cmp	eax, edx
		jbe	short loc_A21E7D
		jmp	short loc_A21ED0
; 

loc_A21ECA:				; CODE XREF: AslStringSearchW(x,x,x,x)+5Dj
		mov	ecx, [ebp+var_8]
		lea	esi, [ecx+ebx*2]

loc_A21ED0:				; CODE XREF: AslStringSearchW(x,x,x,x)+37j
					; AslStringSearchW(x,x,x,x)+67j
		pop	ebx

loc_A21ED1:				; CODE XREF: AslStringSearchW(x,x,x,x)+17j
		pop	edi

loc_A21ED2:				; CODE XREF: AslStringSearchW(x,x,x,x)+Fj
		mov	eax, esi
		pop	esi
		leave
		retn	8
_AslStringSearchW@16 endp


;  S U B	R O U T	I N E 


; __stdcall AslStringXmlSanitize(x)
_AslStringXmlSanitize@4	proc near	; CODE XREF: AslpFileGetClrVersionAttribute(x,x)+108p
					; AslpFileGetHeaderAttributesNE(x,x)+ADp ...
		mov	edx, ecx
		test	edx, edx
		jnz	short loc_A21EE5
		mov	eax, 0C000000Dh
		retn
; 

loc_A21EE5:				; CODE XREF: AslStringXmlSanitize(x)+4j
		push	ebx
		xor	ebx, ebx
		cmp	[edx], bx
		jz	short loc_A21F33
		push	esi
		lea	esi, [ecx+2]

loc_A21EF1:				; CODE XREF: AslStringXmlSanitize(x)+21j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A21EF1
		sub	ecx, esi
		mov	eax, ebx
		sar	ecx, 1
		jz	short loc_A21F32
		push	edi

loc_A21F05:				; CODE XREF: AslStringXmlSanitize(x)+56j
		movzx	edi, word ptr [edx+eax*2]
		mov	esi, ebx

loc_A21F0B:				; CODE XREF: AslStringXmlSanitize(x)+4Aj
		cmp	di, ds:word_42EAE8[esi]
		jb	short loc_A21F1D
		cmp	di, ds:word_42EAEA[esi]
		jbe	short loc_A21F2C

loc_A21F1D:				; CODE XREF: AslStringXmlSanitize(x)+39j
		add	esi, 4
		cmp	esi, 14h
		jb	short loc_A21F0B
		push	40h
		pop	esi
		mov	[edx+eax*2], si

loc_A21F2C:				; CODE XREF: AslStringXmlSanitize(x)+42j
		inc	eax
		cmp	eax, ecx
		jb	short loc_A21F05
		pop	edi

loc_A21F32:				; CODE XREF: AslStringXmlSanitize(x)+29j
		pop	esi

loc_A21F33:				; CODE XREF: AslStringXmlSanitize(x)+12j
		xor	eax, eax
		pop	ebx
		retn
_AslStringXmlSanitize@4	endp


;  S U B	R O U T	I N E 


; __stdcall AslUnicodeStringFree(x)
_AslUnicodeStringFree@4	proc near	; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+2C2p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_A21F70
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_A21F69
		movzx	eax, word ptr [esi+2]
		push	eax		; size_t
		push	42h		; int
		push	ecx		; void *
		call	_memset
		mov	eax, [esi+4]
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A21F69
		push	74705041h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A21F69:				; CODE XREF: AslUnicodeStringFree(x)+Ej
					; AslUnicodeStringFree(x)+25j
		and	dword ptr [esi], 0
		and	dword ptr [esi+4], 0

loc_A21F70:				; CODE XREF: AslUnicodeStringFree(x)+7j
		pop	esi
		retn
_AslUnicodeStringFree@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslComputeCrc32(x, x, x)
_AslComputeCrc32@12 proc near		; CODE XREF: AslpFileGetCrcChecksum(x,x)+3Ep
					; AslpFileGetCrcChecksum(x,x):loc_A24CF9p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		not	ecx
		cmp	[ebp+arg_0], esi
		jbe	short loc_A21F9A

loc_A21F81:				; CODE XREF: AslComputeCrc32(x,x,x)+26j
		movzx	eax, byte ptr [esi+edx]
		xor	eax, ecx
		shr	ecx, 8
		movzx	eax, al
		xor	ecx, ds:_AslpCrc32Table[eax*4]
		inc	esi
		cmp	esi, [ebp+arg_0]
		jb	short loc_A21F81

loc_A21F9A:				; CODE XREF: AslComputeCrc32(x,x,x)+Dj
		not	ecx
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	4
_AslComputeCrc32@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslDoesDirectoryExistNtPath(x)
_AslDoesDirectoryExistNtPath@4 proc near
					; CODE XREF: SdbpCheckMatchingDir(x,x,x,x,x,x,x)+CDp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	esi
		xor	esi, esi
		lea	eax, [ebp+var_C]
		push	ecx
		push	eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	eax, [ebp+var_C]
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_14]
		push	3
		push	eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_28], esi
		push	eax
		push	100080h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_20], 240h
		push	eax
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A2200C
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_A2201A
; 

loc_A2200C:				; CODE XREF: AslDoesDirectoryExistNtPath(x)+5Dj
		cmp	eax, 0C0000022h
		jz	short loc_A2201A
		cmp	eax, 0C0000043h
		jnz	short loc_A2201D

loc_A2201A:				; CODE XREF: AslDoesDirectoryExistNtPath(x)+67j
					; AslDoesDirectoryExistNtPath(x)+6Ej
		xor	esi, esi
		inc	esi

loc_A2201D:				; CODE XREF: AslDoesDirectoryExistNtPath(x)+75j
		mov	eax, esi
		pop	esi
		leave
		retn
_AslDoesDirectoryExistNtPath@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslDoesFileExistNtPath(x)
_AslDoesFileExistNtPath@4 proc near	; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+159p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	esi
		xor	esi, esi
		lea	eax, [ebp+var_C]
		push	ecx
		push	eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_C]
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_14]
		push	1
		push	eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_28], esi
		push	eax
		push	100080h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_20], 240h
		push	eax
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_A22093
		cmp	eax, 0C0000043h
		jz	short loc_A2208E
		cmp	eax, 0C0000022h
		jnz	short loc_A2209E

loc_A2208E:				; CODE XREF: AslDoesFileExistNtPath(x)+63j
		xor	esi, esi
		inc	esi
		jmp	short loc_A2209E
; 

loc_A22093:				; CODE XREF: AslDoesFileExistNtPath(x)+5Cj
		push	[ebp+var_4]
		xor	esi, esi
		inc	esi
		call	_ZwClose@4	; ZwClose(x)

loc_A2209E:				; CODE XREF: AslDoesFileExistNtPath(x)+6Aj
					; AslDoesFileExistNtPath(x)+6Fj
		mov	eax, esi
		pop	esi
		leave
		retn
_AslDoesFileExistNtPath@4 endp


;  S U B	R O U T	I N E 


; __stdcall AslFileResourceNotFound(x)
_AslFileResourceNotFound@4 proc	near	; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+18Cp
					; AslpFileGetVersionAttributes(x,x)+2Cp ...
		cmp	ecx, 0C0000089h
		jz	short loc_A220BE
		cmp	ecx, 0C000008Ah
		jz	short loc_A220BE
		cmp	ecx, 0C000008Bh
		jz	short loc_A220BE
		xor	eax, eax
		retn
; 

loc_A220BE:				; CODE XREF: AslFileResourceNotFound(x)+6j
					; AslFileResourceNotFound(x)+Ej ...
		xor	eax, eax
		inc	eax
		retn
_AslFileResourceNotFound@4 endp


;  S U B	R O U T	I N E 


; __stdcall AslFree(x, x)
_AslFree@8	proc near		; CODE XREF: SdbpCreateSearchDBContext(x,x,x,x,x,x)+151p
					; SdbpCreateSearchDBContext(x,x,x,x,x,x)+15Cp ...
		test	edx, edx
		jz	short locret_A220D1
		push	74705041h
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_A220D1:				; CODE XREF: AslFree(x,x)+2j
		retn
_AslFree@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslRegistryEnumKey(x, x, x,	x)
_AslRegistryEnumKey@16 proc near	; CODE XREF: AslpProcessMatchRegNode(x,x)+91p

var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 214h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_214], 0
		push	ebx
		push	edi
		mov	ebx, ecx
		lea	ecx, [ebp+var_214]
		push	ecx
		push	20Ch
		lea	ecx, [ebp+var_210]
		push	ecx
		push	0
		push	[ebp+arg_4]
		push	eax
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A22151
		push	esi
		mov	esi, [ebp+var_204]
		shr	esi, 1
		lea	ecx, [esi+1]
		cmp	ecx, 104h
		jb	short loc_A22134
		mov	edi, 0C0000023h
		jmp	short loc_A22150
; 

loc_A22134:				; CODE XREF: AslRegistryEnumKey(x,x,x,x)+59j
		push	[ebp+var_204]	; size_t
		lea	eax, [ebp+var_200]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebx+esi*2], ax

loc_A22150:				; CODE XREF: AslRegistryEnumKey(x,x,x,x)+60j
		pop	esi

loc_A22151:				; CODE XREF: AslRegistryEnumKey(x,x,x,x)+45j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_AslRegistryEnumKey@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslRegistryGetUInt32(x, x, x)
_AslRegistryGetUInt32@12 proc near	; CODE XREF: SdbpQueryAppCompatFlagsByExeID+8A4BDp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	edi, edx
		mov	ebx, ecx
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A221A7
		push	esi
		push	offset ??_C@_0CD@LDGCFCIP@RtlInitUnicodeStringEx?5failed?5?$FL@NNGAKEGL@
		push	3DAh
		push	offset ??_C@_0BF@GLMGGLJH@AslRegistryGetUInt32@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A221B6
; 

loc_A221A7:				; CODE XREF: AslRegistryGetUInt32(x,x,x)+26j
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_AslRegistryGetUInt32_UStr@12 ;	AslRegistryGetUInt32_UStr(x,x,x)
		mov	esi, eax

loc_A221B6:				; CODE XREF: AslRegistryGetUInt32(x,x,x)+42j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_AslRegistryGetUInt32@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslRegistryGetUInt32_UStr(x, x, x)
_AslRegistryGetUInt32_UStr@12 proc near	; CODE XREF: SdbResolveDatabaseEx(x,x,x,x,x,x)+1F5p
					; SdbResolveDatabaseEx(x,x,x,x,x,x)+238p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	esi, [ebp+arg_0]
		lea	edi, [ebp+var_18]
		and	[ebp+var_1C], 0
		stosd
		mov	ebx, ecx
		stosd
		and	dword ptr [ebx], 0
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_1C]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		push	esi
		push	edx
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A22227
		cmp	esi, 0C0000034h
		jz	short loc_A2225A
		push	esi
		push	offset ??_C@_0BP@PMIDEKOL@Failed?5to?5query?5key?5value?5?$FL?$CFx?$FN@NNGAKEGL@ ; "Failed to query key	value [%x]"
		push	3A1h
		push	offset ??_C@_0BK@GEIFCLB@AslRegistryGetUInt32_UStr@NNGAKEGL@ ; "AslRegistryGetUInt32_UStr"
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A2225A
; 

loc_A22227:				; CODE XREF: AslRegistryGetUInt32_UStr(x,x,x)+42j
		cmp	[ebp+var_14], 4
		jnz	short loc_A2223C
		cmp	[ebp+var_10], 4
		jnz	short loc_A2223C
		mov	eax, [ebp+var_C]
		xor	esi, esi
		mov	[ebx], eax
		jmp	short loc_A2225A
; 

loc_A2223C:				; CODE XREF: AslRegistryGetUInt32_UStr(x,x,x)+6Cj
					; AslRegistryGetUInt32_UStr(x,x,x)+72j
		push	offset ??_C@_0BD@BBKBCNOK@Invalid?5value?5type@NNGAKEGL@ ; "Invalid value type"
		push	3A8h
		push	offset ??_C@_0BK@GEIFCLB@AslRegistryGetUInt32_UStr@NNGAKEGL@ ; "AslRegistryGetUInt32_UStr"
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		mov	esi, 0C0000024h

loc_A2225A:				; CODE XREF: AslRegistryGetUInt32_UStr(x,x,x)+4Aj
					; AslRegistryGetUInt32_UStr(x,x,x)+66j	...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_AslRegistryGetUInt32_UStr@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslRegistryOpenSubKey(x, x,	x, x)
_AslRegistryOpenSubKey@16 proc near	; CODE XREF: AslpProcessMatchRegNode(x,x)+105p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	edi, ecx
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	ebx, edx
		mov	[ebp+var_4], eax
		mov	[edi], eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A222B6
		push	esi
		push	offset ??_C@_0CL@KEPLONEJ@AslRegistryOpenSubKey?5passed?5ba@NNGAKEGL@ ;	"AslRegistryOpenSubKey passed bad Path ["...
		push	31Ch
		push	offset ??_C@_0BG@KMCFDHP@AslRegistryOpenSubKey@NNGAKEGL@ ; "AslRegistryOpenSubKey"
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		mov	eax, esi
		jmp	short loc_A222E4
; 

loc_A222B6:				; CODE XREF: AslRegistryOpenSubKey(x,x,x,x)+29j
		and	[ebp+var_10], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_C], 0
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_20]
		push	eax
		push	20019h
		push	edi
		mov	[ebp+var_20], 18h
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], 240h
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)

loc_A222E4:				; CODE XREF: AslRegistryOpenSubKey(x,x,x,x)+47j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_AslRegistryOpenSubKey@16 endp


;  S U B	R O U T	I N E 


; __stdcall AslFileMappingEnsure(x)
_AslFileMappingEnsure@4	proc near	; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+30p
					; AslFileMappingGetImageTypeEx(x,x,x,x,x)+3Ap ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		cmp	[esi+30h], edi
		jz	short loc_A22312
		cmp	dword ptr [esi+28h], 1
		jz	short loc_A2231F
		mov	eax, [esi+18h]
		neg	eax
		sbb	eax, eax
		and	eax, 3FFFFB93h
		add	eax, 0C000046Dh
		jmp	short loc_A22378
; 

loc_A22312:				; CODE XREF: AslFileMappingEnsure(x)+Cj
		cmp	[esi+18h], edi
		jnz	short loc_A22376
		lea	ebx, [esi+28h]
		cmp	dword ptr [ebx], 1
		jnz	short loc_A22326

loc_A2231F:				; CODE XREF: AslFileMappingEnsure(x)+12j
		mov	eax, 0C000011Eh
		jmp	short loc_A22378
; 

loc_A22326:				; CODE XREF: AslFileMappingEnsure(x)+32j
		lea	ecx, [esi+8]
		xor	dl, dl
		call	_RtlFileMapMapView@8 ; RtlFileMapMapView(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A22376
		cmp	byte ptr [esi+27h], 0
		jz	short loc_A22344
		mov	dword ptr [ebx], 6
		jmp	short loc_A22376
; 

loc_A22344:				; CODE XREF: AslFileMappingEnsure(x)+4Fj
		mov	edx, ebx
		lea	ecx, [esi+8]
		call	AslpFileMappingGetFileKind
		mov	edi, eax
		test	edi, edi
		jns	short loc_A22376
		push	edi
		push	dword ptr [esi]
		push	offset ??_C@_0CK@IADOKJDF@AslpFileMappingGetFileKind?5fail@NNGAKEGL@
		push	24Fh
		push	offset ??_C@_0BF@GCAEIEGC@AslFileMappingEnsure@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		mov	dword ptr [ebx], 3

loc_A22376:				; CODE XREF: AslFileMappingEnsure(x)+2Aj
					; AslFileMappingEnsure(x)+49j ...
		mov	eax, edi

loc_A22378:				; CODE XREF: AslFileMappingEnsure(x)+25j
					; AslFileMappingEnsure(x)+39j
		pop	edi
		pop	esi
		pop	ebx
		retn
_AslFileMappingEnsure@4	endp


;  S U B	R O U T	I N E 


; __stdcall AslFileMappingEnsureMappedAs(x, x)
_AslFileMappingEnsureMappedAs@8	proc near
					; CODE XREF: SdbOpenDatabaseEx(x,x,x,x):loc_A1E826p
					; SdbpCheckMatchingTextEntry(x,x,x,x,x,x,x,x,x)+DDp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		cmp	dword ptr [edi+30h], 0
		lea	ebx, [edi+28h]
		mov	eax, [ebx]
		jz	short loc_A2239A
		cmp	eax, 1
		jz	short loc_A2239F
		mov	eax, 0C000046Dh
		jmp	short loc_A2240A
; 

loc_A2239A:				; CODE XREF: AslFileMappingEnsureMappedAs(x,x)+10j
		cmp	eax, 1
		jnz	short loc_A223A6

loc_A2239F:				; CODE XREF: AslFileMappingEnsureMappedAs(x,x)+15j
		mov	eax, 0C000011Eh
		jmp	short loc_A2240A
; 

loc_A223A6:				; CODE XREF: AslFileMappingEnsureMappedAs(x,x)+21j
		lea	ecx, [edi+8]
		xor	dl, dl
		call	_RtlFileMapMapView@8 ; RtlFileMapMapView(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A223C8
		cmp	esi, 0C000010Eh
		jnz	short loc_A22408
		cmp	byte ptr [edi+27h], 0
		jnz	short loc_A22408
		xor	esi, esi
		jmp	short loc_A22408
; 

loc_A223C8:				; CODE XREF: AslFileMappingEnsureMappedAs(x,x)+38j
		cmp	byte ptr [edi+27h], 0
		jz	short loc_A223D6
		mov	dword ptr [ebx], 6
		jmp	short loc_A22408
; 

loc_A223D6:				; CODE XREF: AslFileMappingEnsureMappedAs(x,x)+50j
		mov	edx, ebx
		lea	ecx, [edi+8]
		call	AslpFileMappingGetFileKind
		mov	esi, eax
		test	esi, esi
		jns	short loc_A22408
		push	esi
		push	dword ptr [edi]
		push	offset ??_C@_0CK@IADOKJDF@AslpFileMappingGetFileKind?5fail@NNGAKEGL@
		push	1F7h
		push	(offset	loc_8C4C8A+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		mov	dword ptr [ebx], 3

loc_A22408:				; CODE XREF: AslFileMappingEnsureMappedAs(x,x)+40j
					; AslFileMappingEnsureMappedAs(x,x)+46j ...
		mov	eax, esi

loc_A2240A:				; CODE XREF: AslFileMappingEnsureMappedAs(x,x)+1Cj
					; AslFileMappingEnsureMappedAs(x,x)+28j
		pop	edi
		pop	esi
		pop	ebx
		retn
_AslFileMappingEnsureMappedAs@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslFileMappingGetFileKindDetail(x, x)
_AslFileMappingGetFileKindDetail@8 proc	near
					; CODE XREF: AslpFileGetFileKindDetailAttribute(x,x)+12p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_14], ecx
		mov	edi, edx
		mov	[ebp+var_8], eax
		mov	ebx, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		cmp	dword ptr [edi+28h], 1
		jnz	short loc_A2243C
		inc	ebx
		mov	esi, eax
		jmp	loc_A2255D
; 

loc_A2243C:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+24j
		mov	ecx, edi
		call	_AslFileMappingEnsure@4	; AslFileMappingEnsure(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A22468
		push	esi
		push	offset ??_C@_0CB@GHEHFDAF@AslFileMappingEnsure?5failed?5?$FL?$CFx@NNGAKEGL@
		push	550h

loc_A22454:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+91j
					; AslFileMappingGetFileKindDetail(x,x)+B8j
		push	offset ??_C@_0CA@FHIHKCPF@AslFileMappingGetFileKindDetail@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A2255D
; 

loc_A22468:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+39j
		mov	ecx, [edi+28h]
		mov	eax, ecx
		sub	eax, 3
		jz	loc_A22558
		sub	eax, 1
		jz	loc_A22554
		sub	eax, 1
		jz	loc_A22550
		sub	eax, 1
		jz	short loc_A224A1
		push	ecx
		push	offset ??_C@_0BM@LFKGHHKF@Unhandled?5ASL_FILE_KIND?3?5?$CFd@NNGAKEGL@
		xor	ebx, ebx
		mov	esi, 0C0000001h
		push	573h
		jmp	short loc_A22454
; 

loc_A224A1:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+7Dj
		push	edi
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	edx, [ebp+var_4]
		lea	ecx, [ebp+var_8]
		call	_AslFileMappingGetImageTypeEx@20 ; AslFileMappingGetImageTypeEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A224C8
		push	esi
		push	(offset	loc_8C4DF9+3)
		push	57Dh
		jmp	short loc_A22454
; 

loc_A224C8:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+ABj
		mov	eax, 20Bh
		cmp	[ebp+var_C], ebx
		jz	short loc_A22500
		cmp	word ptr [ebp+var_4], ax
		jnz	short loc_A224DC
		push	0Fh
		jmp	short loc_A2255A
; 

loc_A224DC:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+C8j
		mov	ebx, [ebp+var_10]
		mov	ecx, 20002h
		mov	eax, ebx
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_A224F0
		push	0Eh
		jmp	short loc_A2255A
; 

loc_A224F0:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+DCj
		and	ebx, 20003h
		dec	ebx
		neg	ebx
		sbb	ebx, ebx
		add	ebx, 0Dh
		jmp	short loc_A2255B
; 

loc_A22500:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+C2j
		cmp	word ptr [ebp+var_4], ax
		movzx	eax, word ptr [ebp+var_8]
		jnz	short loc_A22533
		cmp	eax, 200h
		jz	short loc_A2252F
		cmp	eax, 8664h
		jz	short loc_A2252B
		xor	ebx, ebx
		cmp	eax, 0AA64h
		setz	bl
		lea	ebx, ds:8[ebx*2]
		jmp	short loc_A2255B
; 

loc_A2252B:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+108j
		push	9
		jmp	short loc_A2255A
; 

loc_A2252F:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+101j
		push	0Bh
		jmp	short loc_A2255A
; 

loc_A22533:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+FAj
		sub	eax, 14Ch
		jz	short loc_A2254C
		sub	eax, 74h
		jz	short loc_A22548
		sub	eax, 4
		jz	short loc_A22548
		push	5
		jmp	short loc_A2255A
; 

loc_A22548:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+12Fj
					; AslFileMappingGetFileKindDetail(x,x)+134j
		push	7
		jmp	short loc_A2255A
; 

loc_A2254C:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+12Aj
		push	6
		jmp	short loc_A2255A
; 

loc_A22550:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+74j
		push	4
		jmp	short loc_A2255A
; 

loc_A22554:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+6Bj
		push	3
		jmp	short loc_A2255A
; 

loc_A22558:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+62j
		push	2

loc_A2255A:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+CCj
					; AslFileMappingGetFileKindDetail(x,x)+E0j ...
		pop	ebx

loc_A2255B:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+F0j
					; AslFileMappingGetFileKindDetail(x,x)+11Bj
		xor	esi, esi

loc_A2255D:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+29j
					; AslFileMappingGetFileKindDetail(x,x)+55j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_A22566
		mov	[eax], ebx

loc_A22566:				; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+154j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_AslFileMappingGetFileKindDetail@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslFileMappingGetImageTypeEx(x, x, x, x, x)
_AslFileMappingGetImageTypeEx@20 proc near
					; CODE XREF: AslFileMappingGetFileKindDetail(x,x)+A2p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	2Ch
		push	offset dword_6AAC40
		call	__SEH_prolog4
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], ecx
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	ebx, eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_30], eax
		mov	edi, [ebp+arg_8]
		cmp	dword ptr [edi+28h], 1
		jnz	short loc_A225A5

loc_A2259B:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+68j
		mov	esi, 0C000007Bh
		jmp	loc_A226BB
; 

loc_A225A5:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+2Cj
		mov	ecx, edi
		call	_AslFileMappingEnsure@4	; AslFileMappingEnsure(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A225D1
		push	esi
		push	offset ??_C@_0CB@GHEHFDAF@AslFileMappingEnsure?5failed?5?$FL?$CFx@NNGAKEGL@
		push	44Eh

loc_A225BD:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+85j
		push	offset ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A226BB
; 

loc_A225D1:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+43j
		cmp	dword ptr [edi+28h], 6
		jnz	short loc_A2259B
		mov	edx, edi
		lea	ecx, [ebp+var_1C]
		call	_AslpFileGetImageNtHeader@8 ; AslpFileGetImageNtHeader(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A225F4
		push	esi
		push	offset ??_C@_0CF@GGCNCAGG@AslpFileGetImageNtHeader?5failed@NNGAKEGL@
		push	462h
		jmp	short loc_A225BD
; 

loc_A225F4:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+78j
		mov	ecx, [ebp+var_1C]
		movzx	eax, word ptr [ecx+4]
		mov	[ebp+var_24], eax
		movzx	edx, word ptr [ecx+18h]
		mov	eax, edx
		mov	[ebp+var_28], eax
		cmp	[edi+30h], ebx
		jz	short loc_A22613

loc_A2260C:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+AEj
					; AslFileMappingGetImageTypeEx(x,x,x,x,x)+D4j
		xor	esi, esi
		jmp	loc_A226BB
; 

loc_A22613:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+9Dj
		cmp	[ebp+arg_0], ebx
		jnz	short loc_A2261D
		cmp	[ebp+arg_4], ebx
		jz	short loc_A2260C

loc_A2261D:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+A9j
		mov	eax, 10Bh
		cmp	dx, ax
		jnz	short loc_A2262F
		mov	ebx, [ecx+0E8h]
		jmp	short loc_A2263F
; 

loc_A2262F:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+B8j
		mov	eax, 20Bh
		cmp	dx, ax
		jnz	short loc_A2263F
		mov	ebx, [ecx+0F8h]

loc_A2263F:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+C0j
					; AslFileMappingGetImageTypeEx(x,x,x,x,x)+CAj
		test	ebx, ebx
		jz	short loc_A2260C
		and	[ebp+ms_exc.disabled], 0
		push	ebx
		lea	edx, [edi+8]
		call	_AslpImageRvaToVa@12 ; AslpImageRvaToVa(x,x,x)
		test	eax, eax
		jnz	short loc_A2266F
		push	offset ??_C@_0BP@GNNEOEPF@Failed?5to?5find?5the?5Cor20Header@NNGAKEGL@
		push	498h
		push	offset ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@
		push	2
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_A2267C
; 

loc_A2266F:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+E5j
		mov	[ebp+var_2C], 1
		mov	eax, [eax+10h]
		mov	[ebp+var_30], eax

loc_A2267C:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+100j
		xor	esi, esi
		mov	[ebp+var_20], esi
		jmp	short loc_A226B4
; 

loc_A22683:				; DATA XREF: .text:006AAC54o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A22691:				; DATA XREF: .text:006AAC58o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_34]
		mov	[ebp+var_20], esi
		push	esi
		push	(offset	loc_8C4D43+3)
		push	4A5h
		push	offset ??_C@_0BN@BGNMOAPO@AslFileMappingGetImageTypeEx@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A226B4:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+114j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A226BB:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+33j
					; AslFileMappingGetImageTypeEx(x,x,x,x,x)+5Fj ...
		mov	ecx, [ebp+var_38]
		test	ecx, ecx
		jz	short loc_A226C9
		mov	ax, word ptr [ebp+var_24]
		mov	[ecx], ax

loc_A226C9:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+153j
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_A226D7
		mov	ax, word ptr [ebp+var_28]
		mov	[ecx], ax

loc_A226D7:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+161j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_A226E3
		mov	eax, [ebp+var_2C]
		mov	[ecx], eax

loc_A226E3:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+16Fj
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_A226EF
		mov	eax, [ebp+var_30]
		mov	[ecx], eax

loc_A226EF:				; CODE XREF: AslFileMappingGetImageTypeEx(x,x,x,x,x)+17Bj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_AslFileMappingGetImageTypeEx@20 endp


;  S U B	R O U T	I N E 


; __stdcall AslHashFree(x)
_AslHashFree@4	proc near		; CODE XREF: SdbpReleaseSearchDBContext(x)+5Ep
					; SdbpReleaseSearchDBContext(x)+6Ep ...
		mov	edi, edi
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	short loc_A22760
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_A22755
		push	ebx
		xor	ebx, ebx
		cmp	[edi], ebx
		jle	short loc_A22745
		push	esi

loc_A2271B:				; CODE XREF: AslHashFree(x)+3Dj
		mov	ecx, [eax+ebx*4]
		mov	edx, eax
		test	ecx, ecx
		jz	short loc_A2273D

loc_A22724:				; CODE XREF: AslHashFree(x)+33j
		mov	esi, [ecx+8]
		push	74705041h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, esi
		test	esi, esi
		jnz	short loc_A22724
		mov	eax, [edi+4]
		mov	edx, eax

loc_A2273D:				; CODE XREF: AslHashFree(x)+1Fj
		inc	ebx
		cmp	ebx, [edi]
		jl	short loc_A2271B
		mov	eax, edx
		pop	esi

loc_A22745:				; CODE XREF: AslHashFree(x)+15j
		pop	ebx
		test	eax, eax
		jz	short loc_A22755
		push	74705041h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A22755:				; CODE XREF: AslHashFree(x)+Ej
					; AslHashFree(x)+45j
		push	74705041h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A22760:				; CODE XREF: AslHashFree(x)+7j
		pop	edi
		retn
_AslHashFree@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslPathCleanUstr(x)
_AslPathCleanUstr@4 proc near		; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+A2p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		push	2
		movzx	eax, word ptr [ebx]
		mov	cx, ax
		shr	cx, 1
		movzx	edx, cx
		mov	[ebp+var_8], edx
		pop	edx
		cmp	ax, dx
		jb	loc_A22A15
		mov	eax, [ebx+4]
		xor	edx, edx
		cmp	[eax], dx
		jz	loc_A22A15
		movzx	edi, cx
		push	8
		pop	ecx
		cmp	di, cx
		jb	short loc_A227BA
		push	ecx		; size_t
		push	(offset	loc_5A7307+1) ;	wchar_t	*
		push	eax		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A227BA
		push	5
		jmp	short loc_A227D9
; 

loc_A227BA:				; CODE XREF: AslPathCleanUstr(x)+3Fj
					; AslPathCleanUstr(x)+52j
		push	4
		pop	esi
		cmp	di, si
		jb	short loc_A22806
		push	esi		; size_t
		push	offset ??_C@_19JHEHLFPM@?$AA?2?$AA?$DP?$AA?$DP?$AA?2@FNODOBFM@ ; wchar_t *
		push	dword ptr [ebx+4] ; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A227DC
		push	3

loc_A227D9:				; CODE XREF: AslPathCleanUstr(x)+56j
		pop	esi
		jmp	short loc_A22826
; 

loc_A227DC:				; CODE XREF: AslPathCleanUstr(x)+73j
		push	esi		; size_t
		push	(offset	loc_5A72FD+1) ;	wchar_t	*
		push	dword ptr [ebx+4] ; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A22826
		push	esi		; size_t
		push	(offset	loc_5A7319+1) ;	wchar_t	*
		push	dword ptr [ebx+4] ; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A22826

loc_A22806:				; CODE XREF: AslPathCleanUstr(x)+5Ej
		push	2
		pop	eax
		cmp	di, ax
		jbe	short loc_A22823
		push	eax		; size_t
		push	(offset	loc_5A7323+1) ;	wchar_t	*
		push	dword ptr [ebx+4] ; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A22826

loc_A22823:				; CODE XREF: AslPathCleanUstr(x)+AAj
		xor	esi, esi
		inc	esi

loc_A22826:				; CODE XREF: AslPathCleanUstr(x)+78j
					; AslPathCleanUstr(x)+8Dj ...
		movzx	edx, word ptr [ebx]
		xor	eax, eax
		push	5Ch
		mov	[ebp+var_4], eax
		pop	edi
		mov	[ebp+var_14], 2Fh

loc_A22838:				; CODE XREF: AslPathCleanUstr(x)+FDj
		movzx	ecx, ax
		add	ecx, ecx
		cmp	ecx, edx
		jnb	short loc_A22861
		mov	eax, [ebx+4]
		movzx	eax, word ptr [ecx+eax]
		cmp	ax, di
		jz	short loc_A22855
		push	2Fh
		pop	ecx
		cmp	ax, cx
		jnz	short loc_A22856

loc_A22855:				; CODE XREF: AslPathCleanUstr(x)+E9j
		dec	esi

loc_A22856:				; CODE XREF: AslPathCleanUstr(x)+F1j
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax
		test	esi, esi
		jg	short loc_A22838

loc_A22861:				; CODE XREF: AslPathCleanUstr(x)+DDj
		movzx	edi, ax
		movzx	esi, ax
		mov	[ebp+var_10], edi
		cmp	ax, word ptr [ebp+var_8]
		jnb	loc_A229DF
		mov	[ebp+var_18], 2Eh

loc_A2287B:				; CODE XREF: AslPathCleanUstr(x)+277j
		cmp	di, si
		jb	loc_A229F5
		mov	edx, [ebx+4]
		movzx	eax, di
		push	5Ch
		mov	[ebp+var_C], eax
		pop	ecx
		movzx	eax, word ptr [edx+eax*2]
		cmp	ax, cx
		jz	loc_A229B3
		cmp	ax, word ptr [ebp+var_14]
		jz	loc_A229B3
		cmp	ax, word ptr [ebp+var_18]
		jnz	loc_A229A5
		mov	eax, [ebp+var_8]
		movzx	eax, ax
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_C]
		inc	eax
		cmp	eax, [ebp+var_1C]
		jz	loc_A229DF
		mov	eax, [ebp+var_C]
		movzx	eax, word ptr [edx+eax*2+2]
		cmp	ax, cx
		mov	ecx, [ebp+var_4]
		jz	loc_A22974
		cmp	ax, word ptr [ebp+var_14]
		jz	loc_A22974
		cmp	ax, word ptr [ebp+var_18]
		jnz	loc_A229D1
		mov	eax, [ebp+var_C]
		add	eax, 2
		cmp	eax, [ebp+var_1C]
		jz	short loc_A22912
		movzx	eax, word ptr [edx+eax*2]
		push	5Ch
		pop	edx
		cmp	ax, dx
		jz	short loc_A22912
		push	2Fh
		pop	edx
		cmp	ax, dx
		jnz	loc_A229D1

loc_A22912:				; CODE XREF: AslPathCleanUstr(x)+196j
					; AslPathCleanUstr(x)+1A2j
		cmp	si, cx
		jb	short loc_A22973

loc_A22917:				; CODE XREF: AslPathCleanUstr(x)+1D9j
		mov	ecx, [ebx+4]
		xor	edi, edi
		movzx	edx, si
		push	5Ch
		movzx	eax, word ptr [ecx+edx*2]
		mov	[ecx+edx*2], di
		mov	edi, [ebp+var_4]
		pop	ecx
		cmp	ax, cx
		jz	short loc_A2293D
		add	esi, 0FFFFh
		cmp	si, di
		jnb	short loc_A22917

loc_A2293D:				; CODE XREF: AslPathCleanUstr(x)+1CEj
		cmp	si, di
		mov	edi, [ebp+var_10]
		jb	short loc_A22973

loc_A22945:				; CODE XREF: AslPathCleanUstr(x)+207j
		mov	ecx, [ebx+4]
		xor	edi, edi
		movzx	edx, si
		push	5Ch
		movzx	eax, word ptr [ecx+edx*2]
		mov	[ecx+edx*2], di
		mov	edi, [ebp+var_4]
		pop	ecx
		cmp	ax, cx
		jz	short loc_A2296B
		add	esi, 0FFFFh
		cmp	si, di
		jnb	short loc_A22945

loc_A2296B:				; CODE XREF: AslPathCleanUstr(x)+1FCj
		cmp	si, di
		mov	edi, [ebp+var_10]
		jnb	short loc_A22974

loc_A22973:				; CODE XREF: AslPathCleanUstr(x)+1B3j
					; AslPathCleanUstr(x)+1E1j
		inc	esi

loc_A22974:				; CODE XREF: AslPathCleanUstr(x)+173j
					; AslPathCleanUstr(x)+17Dj ...
		inc	edi
		jmp	short loc_A229D1
; 

loc_A22977:				; CODE XREF: AslPathCleanUstr(x)+247j
		mov	edx, [ebx+4]
		movzx	eax, di
		mov	[ebp+var_1C], edx
		push	5Ch
		movzx	edx, word ptr [edx+eax*2]
		pop	eax
		cmp	dx, ax
		jz	short loc_A229AB
		push	2Fh
		pop	eax
		cmp	dx, ax
		jz	short loc_A229AB
		cmp	di, si
		jz	short loc_A229A3
		mov	ecx, [ebp+var_1C]
		movzx	eax, si
		mov	[ecx+eax*2], dx

loc_A229A3:				; CODE XREF: AslPathCleanUstr(x)+235j
		inc	esi
		inc	edi

loc_A229A5:				; CODE XREF: AslPathCleanUstr(x)+149j
		cmp	di, word ptr [ebp+var_8]
		jb	short loc_A22977

loc_A229AB:				; CODE XREF: AslPathCleanUstr(x)+228j
					; AslPathCleanUstr(x)+230j
		add	edi, 0FFFFh
		jmp	short loc_A229D1
; 

loc_A229B3:				; CODE XREF: AslPathCleanUstr(x)+135j
					; AslPathCleanUstr(x)+13Fj
		test	si, si
		jz	short loc_A229C7
		movzx	eax, si
		push	5Ch
		pop	ecx
		cmp	[edx+eax*2-2], cx
		jz	short loc_A229D1
		jmp	short loc_A229C9
; 

loc_A229C7:				; CODE XREF: AslPathCleanUstr(x)+254j
		xor	eax, eax

loc_A229C9:				; CODE XREF: AslPathCleanUstr(x)+263j
		push	5Ch
		pop	ecx
		mov	[edx+eax*2], cx
		inc	esi

loc_A229D1:				; CODE XREF: AslPathCleanUstr(x)+187j
					; AslPathCleanUstr(x)+1AAj ...
		inc	edi
		mov	[ebp+var_10], edi
		cmp	di, word ptr [ebp+var_8]
		jb	loc_A2287B

loc_A229DF:				; CODE XREF: AslPathCleanUstr(x)+10Cj
					; AslPathCleanUstr(x)+15Fj
		mov	eax, [ebx+4]
		xor	edx, edx
		movzx	ecx, si
		mov	[eax+ecx*2], dx
		lea	eax, [esi+esi]
		mov	[ebx], ax
		xor	eax, eax
		jmp	short loc_A22A38
; 

loc_A229F5:				; CODE XREF: AslPathCleanUstr(x)+11Cj
		push	(offset	loc_8C4E7A+4)
		push	2E9h
		push	(offset	loc_8C4EED+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		mov	eax, 0C00000E5h
		jmp	short loc_A22A38
; 

loc_A22A15:				; CODE XREF: AslPathCleanUstr(x)+22j
					; AslPathCleanUstr(x)+30j
		push	0C00000F2h
		push	(offset	loc_8C4ECB+1)
		push	2DDh
		push	(offset	loc_8C4EED+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		mov	eax, 0C00000F2h

loc_A22A38:				; CODE XREF: AslPathCleanUstr(x)+291j
					; AslPathCleanUstr(x)+2B1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslPathCleanUstr@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslPathCombine(x, x, x, x)
_AslPathCombine@16 proc	near		; CODE XREF: SdbpGetPathAppPatchPreRS3(x,x,x,x)+F8p
					; SdbpGetPathCustomSdbPreRS3(x,x,x,x)+DBp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		mov	eax, ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_C], eax
		push	edi
		mov	edi, edx
		test	ebx, ebx
		jnz	short loc_A22A67
		mov	eax, 0C0000023h
		jmp	loc_A22B4D
; 

loc_A22A67:				; CODE XREF: AslPathCombine(x,x,x,x)+1Ej
		push	esi
		lea	ecx, [ebp+var_8]
		mov	edx, 7FFFFFFFh
		push	ecx
		mov	ecx, eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A22B30
		lea	eax, [ebp+var_4]
		mov	edx, 7FFFFFFFh
		push	eax
		mov	ecx, edi
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A22B30
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jnz	short loc_A22AC4
		cmp	[ebp+var_4], ecx
		jnz	short loc_A22AB5
		mov	eax, [ebp+arg_0]
		xor	esi, esi
		mov	[eax], cx
		jmp	loc_A22B4A
; 

loc_A22AB5:				; CODE XREF: AslPathCombine(x,x,x,x)+69j
		push	edi

loc_A22AB6:				; CODE XREF: AslPathCombine(x,x,x,x)+91j
		mov	ecx, [ebp+arg_0]
		mov	edx, ebx
		call	RtlStringCchCopyW
		mov	esi, eax
		jmp	short loc_A22B2C
; 

loc_A22AC4:				; CODE XREF: AslPathCombine(x,x,x,x)+64j
		cmp	[ebp+var_4], 0
		mov	eax, [ebp+var_C]
		jnz	short loc_A22AD0
		push	eax
		jmp	short loc_A22AB6
; 

loc_A22AD0:				; CODE XREF: AslPathCombine(x,x,x,x)+8Ej
		push	5Ch
		xor	ebx, ebx
		pop	edx
		cmp	[eax+ecx*2-2], dx
		setz	bl
		cmp	[edi], dx
		jnz	short loc_A22AE3
		inc	ebx

loc_A22AE3:				; CODE XREF: AslPathCombine(x,x,x,x)+A3j
		cmp	ebx, 1
		jbe	short loc_A22AEC
		add	edi, 2
		dec	ebx

loc_A22AEC:				; CODE XREF: AslPathCombine(x,x,x,x)+A9j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	eax
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		js	short loc_A22B30
		test	ebx, ebx
		jnz	short loc_A22B18
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		call	_RtlStringCchCatW@12 ; RtlStringCchCatW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A22B30

loc_A22B18:				; CODE XREF: AslPathCombine(x,x,x,x)+C3j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	edi
		call	_RtlStringCchCatW@12 ; RtlStringCchCatW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A22B30
		xor	esi, esi

loc_A22B2C:				; CODE XREF: AslPathCombine(x,x,x,x)+85j
		test	esi, esi
		jns	short loc_A22B4A

loc_A22B30:				; CODE XREF: AslPathCombine(x,x,x,x)+3Fj
					; AslPathCombine(x,x,x,x)+59j ...
		push	esi
		push	offset ??_C@_0BN@EJJJFBGC@An?5RtlString?5API?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	593h
		push	offset ??_C@_0P@HNMKLMPG@AslPathCombine@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A22B4A:				; CODE XREF: AslPathCombine(x,x,x,x)+73j
					; AslPathCombine(x,x,x,x)+F1j
		mov	eax, esi
		pop	esi

loc_A22B4D:				; CODE XREF: AslPathCombine(x,x,x,x)+25j
		pop	edi
		pop	ebx
		leave
		retn	8
_AslPathCombine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall AslPathToSystemPathBuf(void *,int,int)
_AslPathToSystemPathBuf@12 proc	near	; CODE XREF: SdbpGetPathAppPatch(x,x,x,x)+80p
					; AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)+66p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		lea	eax, [edi+edi]
		push	eax		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, edi
		mov	ecx, ebx
		push	offset ??_C@_1BI@OMNCDEIM@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt@NNGAKEGL@
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		jns	short loc_A22B9B
		push	esi
		push	(offset	loc_8C4F19+1)
		push	5C6h
		push	offset ??_C@_0BH@FBHBCBNC@AslPathToSystemPathBuf@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		jmp	short loc_A22BC9
; 

loc_A22B9B:				; CODE XREF: AslPathToSystemPathBuf(x,x,x)+2Dj
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, ebx
		call	_RtlStringCchCatW@12 ; RtlStringCchCatW(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A22BCC
		push	esi
		push	offset ??_C@_0BK@PABECCHN@Failed?5to?5cat?5string?5?$FL?$CFx?$FN@NNGAKEGL@
		push	5D7h
		push	offset ??_C@_0BH@FBHBCBNC@AslPathToSystemPathBuf@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		mov	esi, 0C000000Dh

loc_A22BC9:				; CODE XREF: AslPathToSystemPathBuf(x,x,x)+46j
		add	esp, 14h

loc_A22BCC:				; CODE XREF: AslPathToSystemPathBuf(x,x,x)+58j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_AslPathToSystemPathBuf@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslPathWildcardFindClose(x)
_AslPathWildcardFindClose@4 proc near	; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+125p
					; SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+20Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_A22BFB
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_A22BFB
		cmp	eax, 0FFFFFFFFh
		jz	short loc_A22BF8
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], eax
		call	_AslpPathWildcardFreeFindContext@4 ; AslpPathWildcardFreeFindContext(x)

loc_A22BF8:				; CODE XREF: AslPathWildcardFindClose(x)+16j
		and	dword ptr [esi], 0

loc_A22BFB:				; CODE XREF: AslPathWildcardFindClose(x)+Bj
					; AslPathWildcardFindClose(x)+11j
		pop	esi
		leave
		retn
_AslPathWildcardFindClose@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	AslPathWildcardFindFirst(void *,int)
_AslPathWildcardFindFirst@16 proc near	; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+14Bp

var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		mov	edx, ecx
		mov	[ebp+var_10], edx
		push	esi
		push	edi
		test	edx, edx
		jnz	short loc_A22C1C
		mov	eax, 0C00000EFh
		jmp	loc_A2310F
; 

loc_A22C1C:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+12j
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jz	loc_A2310A
		xor	eax, eax
		cmp	[ebx], ax
		jz	loc_A2310A
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jnz	short loc_A22C43
		mov	eax, 0C00000F2h
		jmp	loc_A2310F
; 

loc_A22C43:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+39j
		and	dword ptr [ecx], 0
		lea	edi, [ebp+var_3C]
		mov	[ebp+var_14], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		xor	eax, eax
		stosd
		push	ebx		; void *
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[edx], ax
		lea	eax, [ebp+var_24]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jnz	short loc_A22C9D
		push	offset ??_C@_0BO@PAMJCGGK@RtlCreateUnicodeString?5failed@NNGAKEGL@
		mov	esi, 0C0000017h
		push	8C3h

loc_A22C86:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+146j
		push	(offset	loc_8C4FB3+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h

loc_A22C95:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+C7j
					; AslPathWildcardFindFirst(x,x,x,x)+105j
		mov	edi, [ebp+arg_4]
		jmp	loc_A230D4
; 

loc_A22C9D:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+77j
		lea	ecx, [ebp+var_24]
		call	_AslPathCleanUstr@4 ; AslPathCleanUstr(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A22CC7
		push	esi
		push	offset ??_C@_0BN@CGGIFPNM@AslPathCleanUstr?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	8D8h

loc_A22CB6:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+E9j
					; AslPathWildcardFindFirst(x,x,x,x)+127j ...
		push	(offset	loc_8C4FB3+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A22C95
; 

loc_A22CC7:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+ABj
		mov	ecx, [ebp+var_24]
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		pop	edx
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A22CE9
		push	esi
		push	offset ??_C@_0BJ@MDGLKPJG@RtlUShortAdd?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	8DEh
		jmp	short loc_A22CB6
; 

loc_A22CE9:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+DCj
		movzx	esi, word ptr [ebp+var_8]
		push	ecx
		mov	edx, esi
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jnz	short loc_A22D05

loc_A22CFE:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+1B6j
		mov	esi, 0C0000017h
		jmp	short loc_A22C95
; 

loc_A22D05:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+FEj
		movzx	eax, word ptr [ebp+var_24]
		mov	edx, esi
		push	eax
		push	[ebp+var_20]
		call	_RtlStringCbCopyNW@16 ;	RtlStringCbCopyNW(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A22D27
		push	esi
		push	offset ??_C@_0BO@EGIGDNGO@RtlStringCbCopyNW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	8EAh
		jmp	short loc_A22CB6
; 

loc_A22D27:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+11Aj
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	_AslpPathWildcardMakeLeaves@4 ;	AslpPathWildcardMakeLeaves(x)
		test	eax, eax
		jnz	short loc_A22D49
		push	offset ??_C@_0CC@NDNNDPAJ@Failed?5to?5split?5the?5wildcard?5pa@NNGAKEGL@
		mov	esi, 0C0000039h
		push	8FCh
		jmp	loc_A22C86
; 

loc_A22D49:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+135j
		cmp	eax, 1
		jnz	short loc_A22DA4
		mov	edi, [ebp+arg_4]
		mov	ecx, [ebp+var_20]
		or	dword ptr [edi], 0FFFFFFFFh
		call	_AslDoesFileExistNtPath@4 ; AslDoesFileExistNtPath(x)
		test	eax, eax
		jnz	short loc_A22D6A
		mov	esi, 80000006h
		jmp	loc_A230D4
; 

loc_A22D6A:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+160j
		mov	ecx, [ebp+var_10]
		mov	edx, 104h
		push	ebx
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		jns	short loc_A22D9D
		push	esi
		push	offset ??_C@_0BO@EGIGDNGO@RtlStringCbCopyNW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	90Eh
		push	(offset	loc_8C4FB3+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A230D4
; 

loc_A22D9D:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+17Ej
		xor	esi, esi
		jmp	loc_A230D4
; 

loc_A22DA4:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+14Ej
		push	ecx
		push	20h
		pop	edx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_14], ebx
		test	ebx, ebx
		jz	loc_A22CFE
		push	4		; size_t
		push	offset ??_C@_19JHEHLFPM@?$AA?2?$AA?$DP?$AA?$DP?$AA?2@NNGAKEGL@ ; "\\??\\"
		push	[ebp+arg_0]	; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		lea	edi, [ebx+8]
		neg	eax
		sbb	eax, eax
		neg	eax
		mov	[ebx], eax
		xor	eax, eax
		mov	[ebx+4], esi
		xor	esi, esi
		push	6
		pop	ecx
		rep stosd
		lea	edi, [ebx+8]
		mov	[ebp+var_4], esi
		and	[edi], eax
		and	[edi+0Ch], esi
		and	[edi+8], esi
		and	[edi+14h], esi
		push	10h
		pop	eax
		mov	[edi+10h], eax
		mov	[edi+4], eax
		mov	eax, [edi+0Ch]
		cmp	eax, 8
		jb	short loc_A22E0F
		mov	esi, 80070057h
		jmp	loc_A22EF2
; 

loc_A22E0F:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+205j
		mov	esi, [edi+10h]
		lea	ecx, [esi+7]
		cmp	ecx, 8
		jb	loc_A22EED
		and	[ebp+var_8], 0
		neg	esi
		and	[ebp+arg_0], 0
		and	esi, ecx
		mov	ecx, [edi+4]
		mul	ecx
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		mov	[ebp+var_18], esi
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		jns	short loc_A22E4D

loc_A22E43:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+260j
		mov	esi, 8000000Bh
		jmp	loc_A22EE7
; 

loc_A22E4D:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+243j
		mov	eax, [ebp+var_C]
		lea	ecx, [ebp+arg_0]
		mul	esi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_A22E43
		mov	eax, [edi+14h]
		mov	[ebp+var_C], eax
		push	72615452h
		push	[ebp+arg_0]
		push	1
		test	eax, eax
		jnz	short loc_A22E8F
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A22EE2
		push	[ebp+arg_0]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_A22ED1
; 

loc_A22E8F:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+274j
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A22EE2
		push	[ebp+arg_0]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	short loc_A22EE2
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+arg_0]
		jb	short loc_A22EB7
		mov	eax, [ebp+arg_0]

loc_A22EB7:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+2B4j
		push	eax		; size_t
		push	[ebp+var_C]	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	72615452h
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A22ED1:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+28Fj
		test	esi, esi
		jz	short loc_A22EE2
		mov	eax, [ebp+var_18]
		mov	[edi+14h], esi
		xor	esi, esi
		mov	[edi+0Ch], eax
		jmp	short loc_A22EE7
; 

loc_A22EE2:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+27Fj
					; AslPathWildcardFindFirst(x,x,x,x)+29Aj ...
		mov	esi, 8007000Eh

loc_A22EE7:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+24Aj
					; AslPathWildcardFindFirst(x,x,x,x)+2E2j
		test	esi, esi
		jnz	short loc_A22EF2
		jmp	short loc_A22F29
; 

loc_A22EED:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+21Aj
		mov	esi, 8000000Bh

loc_A22EF2:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+20Cj
					; AslPathWildcardFindFirst(x,x,x,x)+2EBj
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_A22F04
		push	72615452h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A22F04:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+2F9j
		push	6
		xor	eax, eax
		pop	ecx
		rep stosd
		test	esi, esi
		jns	short loc_A22F3D
		push	esi
		push	offset ??_C@_0BP@JCGJLENG@RtlArrayInitialize?5failed?5?$FL?$CFx?$FN@FNODOBFM@
		push	86Bh
		push	(offset	loc_5A738F+3)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A22F29:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+2EDj
		test	esi, esi
		jns	short loc_A22F3D
		push	esi
		push	(offset	loc_8C512D+1)
		push	934h
		jmp	loc_A22CB6
; 

loc_A22F3D:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+30Fj
					; AslPathWildcardFindFirst(x,x,x,x)+32Dj
		push	dword ptr [ebx+4]
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	0
		push	0
		push	1
		push	dword ptr [ebx+4]
		lea	edx, [ebp+var_2C]
		lea	ecx, [ebp+var_3C]
		call	_AslpPathWildcardAllocMatchNode@24 ; AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A22F73
		push	esi
		push	(offset	loc_8C50A3+1)
		push	941h
		jmp	loc_A22CB6
; 

loc_A22F73:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+363j
		mov	eax, [ebx+10h]
		mov	edx, [ebx+14h]
		mov	[ebp+var_1C], eax
		cmp	eax, edx
		jb	loc_A23070
		lea	ecx, [eax+1]
		cmp	ecx, edx
		ja	short loc_A22F95
		mov	esi, 80070057h
		jmp	loc_A230A7
; 

loc_A22F95:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+38Bj
		mov	edi, [ebx+18h]
		dec	edi
		lea	eax, [edi+ecx]
		cmp	eax, ecx
		jb	loc_A230A2
		mov	esi, [ebx+0Ch]
		lea	ecx, [ebp+var_C]
		and	[ebp+var_C], 0
		not	edi
		and	[ebp+arg_0], 0
		and	edi, eax
		mov	eax, edx
		mov	[ebp+var_8], edi
		mul	esi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		jns	short loc_A22FD2

loc_A22FC8:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+3E4j
		mov	esi, 8000000Bh
		jmp	loc_A2306C
; 

loc_A22FD2:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+3C8j
		mov	eax, esi
		lea	ecx, [ebp+arg_0]
		mul	edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_A22FC8
		mov	eax, [ebx+1Ch]
		mov	[ebp+var_18], eax
		push	72615452h
		test	eax, eax
		jnz	short loc_A23013
		push	[ebp+arg_0]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A23067
		push	[ebp+arg_0]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_A23059
; 

loc_A23013:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+3F3j
		mov	edi, [ebp+arg_0]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A23067
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	short loc_A23067
		mov	eax, [ebp+var_C]
		cmp	eax, edi
		jb	short loc_A2303D
		mov	eax, edi

loc_A2303D:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+43Bj
		mov	edi, [ebp+var_18]
		push	eax		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	72615452h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [ebp+var_8]

loc_A23059:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+413j
		test	esi, esi
		jz	short loc_A23067
		mov	[ebx+1Ch], esi
		xor	esi, esi
		mov	[ebx+14h], edi
		jmp	short loc_A2306C
; 

loc_A23067:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+403j
					; AslPathWildcardFindFirst(x,x,x,x)+424j ...
		mov	esi, 8007000Eh

loc_A2306C:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+3CFj
					; AslPathWildcardFindFirst(x,x,x,x)+467j
		test	esi, esi
		jnz	short loc_A230A9

loc_A23070:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+380j
		mov	eax, [ebx+0Ch]
		lea	ecx, [ebp+arg_0]
		mul	[ebp+var_1C]
		and	[ebp+arg_0], 0
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_A230A2
		mov	ecx, [ebx+1Ch]
		mov	edi, [ebp+arg_0]
		add	edi, ecx
		cmp	edi, ecx
		jb	short loc_A230A2
		lea	esi, [ebp+var_3C]
		movsd
		movsd
		movsd
		movsd
		inc	dword ptr [ebx+10h]
		xor	esi, esi
		jmp	short loc_A230A7
; 

loc_A230A2:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+3A0j
					; AslPathWildcardFindFirst(x,x,x,x)+488j ...
		mov	esi, 8000000Bh

loc_A230A7:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+392j
					; AslPathWildcardFindFirst(x,x,x,x)+4A2j
		test	esi, esi

loc_A230A9:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+470j
		jns	short loc_A230BB
		push	esi
		push	(offset	loc_8C50E5+1)
		push	947h
		jmp	loc_A22CB6
; 

loc_A230BB:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x):loc_A230A9j
		mov	ecx, [ebp+var_10]
		lea	edi, [ebp+var_3C]
		xor	eax, eax
		stosd
		push	ebx
		stosd
		stosd
		stosd
		mov	edi, [ebp+arg_4]
		mov	[edi], ebx
		call	_AslPathWildcardFindNext@12 ; AslPathWildcardFindNext(x,x,x)
		mov	esi, eax

loc_A230D4:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+9Aj
					; AslPathWildcardFindFirst(x,x,x,x)+167j ...
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_A230EF
		push	74705041h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A230EF:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+4E4j
		test	esi, esi
		jns	short loc_A23106
		lea	ecx, [ebp+var_14]
		call	_AslpPathWildcardFreeFindContext@4 ; AslpPathWildcardFreeFindContext(x)
		lea	ecx, [ebp+var_3C]
		call	_AslpPathWildcardFreeMatchNode@4 ; AslpPathWildcardFreeMatchNode(x)
		and	dword ptr [edi], 0

loc_A23106:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+4F3j
		mov	eax, esi
		jmp	short loc_A2310F
; 

loc_A2310A:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+23j
					; AslPathWildcardFindFirst(x,x,x,x)+2Ej
		mov	eax, 0C00000F1h

loc_A2310F:				; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+19j
					; AslPathWildcardFindFirst(x,x,x,x)+40j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_AslPathWildcardFindFirst@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslPathWildcardFindNext(x, x, x)
_AslPathWildcardFindNext@12 proc near	; CODE XREF: SdbpCheckMatchingWildcardFiles(x,x,x,x,x,x,x)+1A1p
					; AslPathWildcardFindFirst(x,x,x,x)+4CFp

var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, ecx
		mov	[ebp+var_1C], eax
		push	esi
		push	edi
		cmp	ebx, 0FFFFFFFFh
		jnz	short loc_A23138
		mov	eax, 80000006h
		jmp	loc_A23294
; 

loc_A23138:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+16j
		test	eax, eax
		jnz	short loc_A23146
		mov	eax, 0C00000EFh
		jmp	loc_A23294
; 

loc_A23146:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+24j
		test	ebx, ebx
		jnz	short loc_A23154
		mov	eax, 0C00000F1h
		jmp	loc_A23294
; 

loc_A23154:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+32j
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		mov	[ebp+var_2C], eax
		mov	edx, 268h
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		stosd
		push	ecx
		stosd
		stosd
		stosd
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	esi, eax
		mov	[ebp+arg_0], esi
		test	esi, esi
		jnz	short loc_A23187
		mov	esi, 0C0000017h
		jmp	loc_A23292
; 

loc_A23187:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+65j
		mov	eax, [ebx+10h]
		cmp	eax, 1
		jb	loc_A2327F
		mov	edx, eax

loc_A23195:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+163j
		lea	ecx, [eax-1]
		xor	eax, eax
		mov	edi, eax
		cmp	ecx, edx
		jnb	short loc_A231CA
		mov	[ebp+var_8], eax
		mov	eax, [ebx+0Ch]
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_A231C6
		mov	ecx, [ebx+1Ch]
		mov	edi, [ebp+var_8]
		add	edi, ecx
		cmp	edi, ecx
		jb	short loc_A231C6
		xor	eax, eax
		jmp	short loc_A231CA
; 

loc_A231C6:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+9Ej
					; AslPathWildcardFindNext(x,x,x)+AAj
		xor	eax, eax
		mov	edi, eax

loc_A231CA:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+88j
					; AslPathWildcardFindNext(x,x,x)+AEj
		test	edi, edi
		jz	loc_A23852
		cmp	[edi+0Ch], eax
		jnz	loc_A233DC
		push	(offset	loc_8C5005+5)
		push	9CEh
		push	offset ??_C@_0BI@KNFLDNF@AslPathWildcardFindNext@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		mov	ecx, [ebx+10h]
		add	esp, 10h
		cmp	ecx, 1
		jnb	short loc_A23203

loc_A231FC:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+347j
		mov	esi, 8000001Ah
		jmp	short loc_A23254
; 

loc_A23203:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+E4j
		lea	edx, [ecx-1]
		xor	edi, edi
		mov	eax, edi
		cmp	edx, ecx
		jnb	short loc_A23232
		mov	eax, [ebx+0Ch]
		lea	ecx, [ebp+var_8]
		mul	edx
		mov	[ebp+var_8], edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_A23230
		mov	ecx, [ebx+1Ch]
		mov	eax, [ebp+var_8]
		add	eax, ecx
		cmp	eax, ecx
		jnb	short loc_A23232

loc_A23230:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+10Cj
		mov	eax, edi

loc_A23232:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+F6j
					; AslPathWildcardFindNext(x,x,x)+118j
		test	eax, eax
		jnz	short loc_A2329B

loc_A23236:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+37Ej
		push	offset ??_C@_0CI@FJNDACIF@RtlArrayGet?5failed?5to?5get?5the?5n@FNODOBFM@
		push	826h
		push	offset ??_C@_0BJ@GPOAMCLL@AslpPathWildcardPeekNode@FNODOBFM@
		push	1
		mov	esi, 0C00000E5h
		call	AslLogCallPrintf
		add	esp, 10h

loc_A23254:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+EBj
		push	esi
		push	offset ??_C@_0CF@FHOJMFII@AslpPathWildcardPeekNode?5failed@FNODOBFM@
		push	841h
		push	offset ??_C@_0BI@JOOHLFOI@AslpPathWildcardPopNode@FNODOBFM@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A2326E:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+1ACj
					; AslPathWildcardFindNext(x,x,x)+1B8j ...
		mov	esi, [ebp+arg_0]

loc_A23271:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+194j
					; AslPathWildcardFindNext(x,x,x)+393j ...
		mov	eax, [ebx+10h]
		mov	edx, eax
		cmp	eax, 1
		jnb	loc_A23195

loc_A2327F:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+77j
		mov	esi, 80000006h

loc_A23284:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+67Dj
		mov	edi, [ebp+arg_0]

loc_A23287:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+72Ej
					; AslPathWildcardFindNext(x,x,x)+737j
		push	74705041h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A23292:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+6Cj
		mov	eax, esi

loc_A23294:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+1Dj
					; AslPathWildcardFindNext(x,x,x)+2Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_A2329B:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+11Ej
		mov	ecx, eax
		call	_AslpPathWildcardFreeMatchNode@4 ; AslpPathWildcardFreeMatchNode(x)
		mov	eax, [ebx+10h]
		lea	ecx, [eax-1]
		cmp	ecx, eax
		jnb	short loc_A23271
		mov	esi, [ebx+0Ch]
		mov	eax, esi
		mul	ecx
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_A2326E
		mov	ecx, [ebx+1Ch]
		mov	eax, [ebp+var_8]
		add	eax, ecx
		cmp	eax, ecx
		jb	short loc_A2326E
		push	esi		; size_t
		add	eax, edi
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		dec	dword ptr [ebx+10h]
		mov	edi, [ebx+10h]
		cmp	edi, 10h
		jbe	short loc_A2326E
		mov	edx, [ebx+14h]
		mov	eax, edx
		mov	esi, [ebx+0Ch]
		imul	eax, esi
		cmp	eax, 400h
		jb	loc_A2326E
		mov	ecx, edx
		shr	ecx, 2
		cmp	edi, ecx
		jnb	loc_A2326E
		xor	eax, eax
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_C], eax
		mov	edi, edx
		mov	[ebp+var_8], eax
		mov	eax, edx
		mul	esi
		shr	edi, 1
		push	edx
		push	eax
		mov	[ebp+var_14], edi
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	loc_A2326E
		mov	eax, esi
		lea	ecx, [ebp+var_8]
		mul	edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	loc_A2326E
		mov	eax, [ebx+1Ch]
		mov	[ebp+var_10], eax
		push	72615452h
		test	eax, eax
		jnz	short loc_A2337A

loc_A23355:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+44Cj
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A2326E
		push	[ebp+var_8]	; size_t
		xor	eax, eax
		push	eax		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_A233C9
; 

loc_A2337A:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+23Dj
		mov	edi, [ebp+var_8]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A2326E
		push	edi		; size_t
		xor	eax, eax
		push	eax		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	loc_A2326E
		mov	eax, [ebp+var_C]
		cmp	eax, edi
		jb	short loc_A233AD
		mov	eax, edi

loc_A233AD:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+293j
		mov	edi, [ebp+var_10]
		push	eax		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	72615452h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [ebp+var_14]

loc_A233C9:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+262j
					; AslPathWildcardFindNext(x,x,x)+4A1j
		test	esi, esi
		jz	loc_A2326E
		mov	[ebx+1Ch], esi
		mov	[ebx+14h], edi
		jmp	loc_A2326E
; 

loc_A233DC:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+BFj
		push	dword ptr [edi+8]
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ecx, ecx
		lea	eax, [ebp+var_24]
		push	ecx
		push	eax
		push	1
		push	3
		push	268h
		push	esi
		lea	eax, [ebp+var_2C]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	dword ptr [edi+0Ch]
		call	_ZwQueryDirectoryFile@44 ; ZwQueryDirectoryFile(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	loc_A235BC
		cmp	eax, 80000006h
		jz	short loc_A23457
		cmp	eax, 0C000000Fh
		jz	short loc_A23457
		push	eax
		push	offset ??_C@_0DE@OOMHCHCG@NtQueryDirectoryFile?5failed?5to?5@NNGAKEGL@
		push	9E6h
		push	offset ??_C@_0BI@KNFLDNF@AslPathWildcardFindNext@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		push	[ebp+var_20]
		push	dword ptr [edi+4]
		push	offset ??_C@_0CA@NNDPHLIO@FilePath?3?5?8?$CFws?8?5?5Pattern?3?5?8?$CFws?8@NNGAKEGL@
		push	9E7h
		push	offset ??_C@_0BI@KNFLDNF@AslPathWildcardFindNext@NNGAKEGL@
		push	2
		call	AslLogCallPrintf
		add	esp, 18h

loc_A23457:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+2FFj
					; AslPathWildcardFindNext(x,x,x)+306j
		mov	ecx, [ebx+10h]
		cmp	ecx, 1
		jb	loc_A231FC
		lea	edx, [ecx-1]
		xor	edi, edi
		mov	eax, edi
		cmp	edx, ecx
		jnb	short loc_A23492
		mov	eax, [ebx+0Ch]
		lea	ecx, [ebp+var_C]
		mul	edx
		mov	[ebp+var_C], edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_A23490
		mov	ecx, [ebx+1Ch]
		mov	eax, [ebp+var_C]
		add	eax, ecx
		cmp	eax, ecx
		jnb	short loc_A23492

loc_A23490:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+36Cj
		mov	eax, edi

loc_A23492:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+356j
					; AslPathWildcardFindNext(x,x,x)+378j
		test	eax, eax
		jz	loc_A23236
		mov	ecx, eax
		call	_AslpPathWildcardFreeMatchNode@4 ; AslpPathWildcardFreeMatchNode(x)
		mov	eax, [ebx+10h]
		lea	ecx, [eax-1]
		cmp	ecx, eax
		jnb	loc_A23271
		mov	esi, [ebx+0Ch]
		mov	eax, esi
		mul	ecx
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_C], edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	loc_A2326E
		mov	ecx, [ebx+1Ch]
		mov	eax, [ebp+var_C]
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_A2326E
		push	esi		; size_t
		add	eax, edi
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		dec	dword ptr [ebx+10h]
		mov	edi, [ebx+10h]
		cmp	edi, 10h
		jbe	loc_A2326E
		mov	edx, [ebx+14h]
		mov	eax, edx
		mov	esi, [ebx+0Ch]
		imul	eax, esi
		cmp	eax, 400h
		jb	loc_A2326E
		mov	ecx, edx
		shr	ecx, 2
		cmp	edi, ecx
		jnb	loc_A2326E
		xor	eax, eax
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_C], eax
		mov	edi, edx
		mov	[ebp+var_8], eax
		mov	eax, edx
		mul	esi
		shr	edi, 1
		push	edx
		push	eax
		mov	[ebp+var_10], edi
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	loc_A2326E
		mov	eax, esi
		lea	ecx, [ebp+var_8]
		mul	edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	loc_A2326E
		mov	eax, [ebx+1Ch]
		mov	[ebp+var_14], eax
		push	72615452h
		test	eax, eax
		jz	loc_A23355
		mov	edi, [ebp+var_8]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A2326E
		push	edi		; size_t
		xor	eax, eax
		push	eax		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	loc_A2326E
		mov	eax, [ebp+var_C]
		cmp	eax, edi
		jb	short loc_A2359B
		mov	eax, edi

loc_A2359B:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+481j
		mov	edi, [ebp+var_14]
		push	eax		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	72615452h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [ebp+var_10]
		jmp	loc_A233C9
; 

loc_A235BC:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+2F4j
		mov	eax, [esi+3Ch]
		push	2Eh
		pop	edx
		cmp	eax, 4
		jnz	short loc_A235D9
		lea	ecx, [esi+5Eh]
		cmp	[ecx], dx
		jnz	short loc_A235EE
		cmp	[esi+60h], dx
		jz	loc_A23271

loc_A235D9:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+4AFj
		lea	ecx, [esi+5Eh]
		mov	[ebp+var_C], ecx
		cmp	eax, 2
		jnz	short loc_A235EE
		cmp	[ecx], dx
		jnz	short loc_A235F1
		jmp	loc_A23271
; 

loc_A235EE:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+4B7j
					; AslPathWildcardFindNext(x,x,x)+4CCj
		mov	[ebp+var_C], ecx

loc_A235F1:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+4D1j
		movzx	eax, ax
		mov	edx, edi
		push	eax
		mov	eax, [esi+38h]
		push	ecx
		shr	eax, 4
		lea	ecx, [ebp+var_3C]
		and	eax, 1
		push	eax
		push	dword ptr [edi+8]
		call	_AslpPathWildcardAllocMatchNode@24 ; AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)
		cmp	eax, 0C0000273h
		jz	loc_A237B7
		cmp	eax, 0C0000103h
		jz	loc_A23271
		cmp	eax, 0C00000BAh
		jz	loc_A23271
		test	eax, eax
		js	loc_A23798
		mov	eax, [ebx+10h]
		mov	edx, [ebx+14h]
		mov	[ebp+var_18], eax
		cmp	eax, edx
		jb	loc_A23737
		lea	ecx, [eax+1]
		cmp	ecx, edx
		ja	short loc_A23658
		mov	esi, 80070057h
		jmp	loc_A23771
; 

loc_A23658:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+536j
		mov	edi, [ebx+18h]
		dec	edi
		lea	eax, [edi+ecx]
		cmp	eax, ecx
		jb	loc_A2376C
		mov	esi, [ebx+0Ch]
		lea	ecx, [ebp+var_C]
		not	edi
		and	edi, eax
		xor	eax, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	eax, edx
		mul	esi
		mov	[ebp+var_10], edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		jns	short loc_A23695

loc_A2368B:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+58Fj
		mov	esi, 8000000Bh
		jmp	loc_A23733
; 

loc_A23695:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+573j
		mov	eax, esi
		lea	ecx, [ebp+var_8]
		mul	edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_A2368B
		mov	eax, [ebx+1Ch]
		mov	[ebp+var_14], eax
		push	72615452h
		test	eax, eax
		jnz	short loc_A236D7
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A2372E
		push	[ebp+var_8]	; size_t
		xor	eax, eax
		push	eax		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_A2371E
; 

loc_A236D7:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+59Ej
		mov	edi, [ebp+var_8]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A2372E
		push	edi		; size_t
		xor	eax, eax
		push	eax		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	short loc_A2372E
		mov	eax, [ebp+var_C]
		cmp	eax, edi
		jb	short loc_A23702
		mov	eax, edi

loc_A23702:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+5E8j
		mov	edi, [ebp+var_14]
		push	eax		; size_t
		push	edi		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	72615452h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edi, [ebp+var_10]

loc_A2371E:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+5BFj
		test	esi, esi
		jz	short loc_A2372E
		xor	eax, eax
		mov	[ebx+1Ch], esi
		mov	[ebx+14h], edi
		mov	esi, eax
		jmp	short loc_A23733
; 

loc_A2372E:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+5AEj
					; AslPathWildcardFindNext(x,x,x)+5D0j ...
		mov	esi, 8007000Eh

loc_A23733:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+57Aj
					; AslPathWildcardFindNext(x,x,x)+616j
		test	esi, esi
		jnz	short loc_A23773

loc_A23737:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+52Bj
		xor	eax, eax
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_C], eax
		mov	eax, [ebx+0Ch]
		mul	[ebp+var_18]
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_A2376C
		mov	ecx, [ebx+1Ch]
		mov	edi, [ebp+var_C]
		add	edi, ecx
		cmp	edi, ecx
		jb	short loc_A2376C
		lea	esi, [ebp+var_3C]
		movsd
		movsd
		movsd
		movsd
		inc	dword ptr [ebx+10h]
		xor	eax, eax
		mov	esi, eax
		jmp	short loc_A23771
; 

loc_A2376C:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+54Bj
					; AslPathWildcardFindNext(x,x,x)+638j ...
		mov	esi, 8000000Bh

loc_A23771:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+53Dj
					; AslPathWildcardFindNext(x,x,x)+654j
		test	esi, esi

loc_A23773:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+61Fj
		jns	loc_A2326E
		push	esi
		push	(offset	loc_8C50E5+1)
		push	0A18h

loc_A23784:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+6C8j
					; AslPathWildcardFindNext(x,x,x)+6F9j ...
		push	offset ??_C@_0BI@KNFLDNF@AslPathWildcardFindNext@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A23284
; 

loc_A23798:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+51Aj
		push	eax
		push	offset ??_C@_0CL@HJAMGFDB@AslpPathWildcardAllocMatchNode?5@NNGAKEGL@
		push	0A20h
		push	offset ??_C@_0BI@KNFLDNF@AslPathWildcardFindNext@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A23271
; 

loc_A237B7:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+4FCj
		movzx	eax, word ptr [edi]
		mov	edx, 208h
		mov	ebx, [ebp+var_1C]
		mov	ecx, ebx
		push	eax
		push	dword ptr [edi+4]
		call	_RtlStringCbCopyNW@16 ;	RtlStringCbCopyNW(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A237E0
		push	esi
		push	offset ??_C@_0BO@EGIGDNGO@RtlStringCbCopyNW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	0A30h
		jmp	short loc_A23784
; 

loc_A237E0:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+6BBj
		movzx	ecx, word ptr [edi]
		mov	eax, [edi+4]
		shr	ecx, 1
		cmp	word ptr [eax+ecx*2-2],	5Ch
		jz	short loc_A23814
		push	2
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		mov	ecx, ebx
		call	_RtlStringCbCatNW@16 ; RtlStringCbCatNW(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A23814
		push	esi
		push	(offset	loc_8C51DD+1)
		push	0A37h
		jmp	loc_A23784
; 

loc_A23814:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+6D8j
					; AslPathWildcardFindNext(x,x,x)+6ECj
		mov	edi, [ebp+arg_0]
		mov	ecx, ebx
		push	dword ptr [edi+3Ch]
		push	[ebp+var_C]
		call	_RtlStringCbCatNW@16 ; RtlStringCbCatNW(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A23849
		push	esi
		push	(offset	loc_8C51DD+1)
		push	0A3Eh
		push	offset ??_C@_0BI@KNFLDNF@AslPathWildcardFindNext@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A23287
; 

loc_A23849:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+712j
		xor	eax, eax
		mov	esi, eax
		jmp	loc_A23287
; 

loc_A23852:				; CODE XREF: AslPathWildcardFindNext(x,x,x)+B6j
		push	offset ??_C@_0CI@FJNDACIF@RtlArrayGet?5failed?5to?5get?5the?5n@FNODOBFM@
		push	826h
		push	offset ??_C@_0BJ@GPOAMCLL@AslpPathWildcardPeekNode@FNODOBFM@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		mov	esi, 0C00000E5h
		push	esi
		push	(offset	loc_8C5065+1)
		push	9C9h
		jmp	loc_A23784
_AslPathWildcardFindNext@12 endp


;  S U B	R O U T	I N E 


; __stdcall AslRegWildcardFindClose(x)
_AslRegWildcardFindClose@4 proc	near	; CODE XREF: SdbpCheckMatchingWildcardRegistryEntry(x,x,x,x,x,x,x,x,x,x)+6Dp
					; AslRegWildcardFindFirst(x,x,x)+74p
		mov	edi, edi
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	short loc_A238D4
		push	ebx
		mov	ebx, [edi]
		cmp	ebx, edi
		jz	short loc_A238B6
		push	esi

loc_A23891:				; CODE XREF: AslRegWildcardFindClose(x)+33j
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	short loc_A238A2
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [ebx+10h], 0

loc_A238A2:				; CODE XREF: AslRegWildcardFindClose(x)+16j
		mov	esi, [ebx]
		push	74705041h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, esi
		cmp	esi, edi
		jnz	short loc_A23891
		pop	esi

loc_A238B6:				; CODE XREF: AslRegWildcardFindClose(x)+Ej
		mov	eax, [edi+0Ch]
		pop	ebx
		test	eax, eax
		jz	short loc_A238C9
		push	74705041h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A238C9:				; CODE XREF: AslRegWildcardFindClose(x)+3Cj
		push	74705041h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A238D4:				; CODE XREF: AslRegWildcardFindClose(x)+7j
		pop	edi
		retn
_AslRegWildcardFindClose@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslRegWildcardFindFirst(x, x, x)
_AslRegWildcardFindFirst@12 proc near	; CODE XREF: SdbpCheckMatchingWildcardRegistryEntry(x,x,x,x,x,x,x,x,x,x)+28p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		push	ecx
		push	10h
		xor	edi, edi
		pop	edx
		mov	[ebx], edi
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A238FF
		mov	eax, 0C0000017h
		jmp	short loc_A23951
; 

loc_A238FF:				; CODE XREF: AslRegWildcardFindFirst(x,x,x)+20j
		mov	edx, [ebp+arg_0]
		lea	ecx, [esi+0Ch]
		mov	[esi+8], edi
		mov	[esi+0Ch], edi
		mov	[esi+4], esi
		mov	[esi], esi
		call	AslStringDuplicate
		mov	edi, eax
		test	edi, edi
		js	short loc_A23944
		mov	ecx, [esi+0Ch]
		mov	edx, esi
		call	_AslpParsePattern@8 ; AslpParsePattern(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A23944
		mov	eax, [esi]
		mov	edx, esi
		mov	ecx, [ebp+var_4]
		mov	[esi+8], eax
		call	_AslRegWildcardFindNext@8 ; AslRegWildcardFindNext(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A23944
		mov	[ebx], esi
		xor	esi, esi

loc_A23944:				; CODE XREF: AslRegWildcardFindFirst(x,x,x)+43j
					; AslRegWildcardFindFirst(x,x,x)+53j ...
		test	esi, esi
		jz	short loc_A2394F
		mov	ecx, esi
		call	_AslRegWildcardFindClose@4 ; AslRegWildcardFindClose(x)

loc_A2394F:				; CODE XREF: AslRegWildcardFindFirst(x,x,x)+70j
		mov	eax, edi

loc_A23951:				; CODE XREF: AslRegWildcardFindFirst(x,x,x)+27j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_AslRegWildcardFindFirst@12 endp


;  S U B	R O U T	I N E 


; __stdcall AslRegWildcardFindNext(x, x)
_AslRegWildcardFindNext@8 proc near	; CODE XREF: SdbpCheckMatchingWildcardRegistryEntry(x,x,x,x,x,x,x,x,x,x)+60p
					; AslRegWildcardFindFirst(x,x,x)+5Fp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		mov	esi, [edi+8]
		test	esi, esi
		jnz	short loc_A2398D
		mov	eax, 8000001Ah

loc_A2396D:				; CODE XREF: AslRegWildcardFindNext(x,x)+45j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_A23971:				; CODE XREF: AslRegWildcardFindNext(x,x)+37j
		mov	edx, edi
		mov	ecx, esi
		call	_AslpProcessMatchRegNode@8 ; AslpProcessMatchRegNode(x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_A2398A
		mov	eax, [esi]
		cmp	eax, edi
		jz	short loc_A2399F
		mov	esi, eax
		jmp	short loc_A2398D
; 

loc_A2398A:				; CODE XREF: AslRegWildcardFindNext(x,x)+26j
		mov	esi, [esi+4]

loc_A2398D:				; CODE XREF: AslRegWildcardFindNext(x,x)+Ej
					; AslRegWildcardFindNext(x,x)+30j
		cmp	esi, edi
		jnz	short loc_A23971
		mov	ecx, 8000001Ah
		xor	esi, esi

loc_A23998:				; CODE XREF: AslRegWildcardFindNext(x,x)+4Cj
		mov	[edi+8], esi
		mov	eax, ecx
		jmp	short loc_A2396D
; 

loc_A2399F:				; CODE XREF: AslRegWildcardFindNext(x,x)+2Cj
		mov	eax, [esi+10h]
		mov	[ebx], eax
		jmp	short loc_A23998
_AslRegWildcardFindNext@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpAllocMatchNode(x, x, x)
_AslpAllocMatchNode@12 proc near	; CODE XREF: AslpParsePattern(x,x)+43p
					; AslpParsePattern(x,x)+74p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	ecx
		push	18h
		mov	esi, edx
		mov	edi, ecx
		pop	edx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		test	eax, eax
		jnz	short loc_A239C5
		mov	ecx, 0C0000017h
		jmp	short loc_A239F1
; 

loc_A239C5:				; CODE XREF: AslpAllocMatchNode(x,x,x)+16j
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[eax+14h], ecx
		mov	[eax+10h], ecx
		mov	[eax+0Ch], esi
		mov	[eax+8], edi
		mov	esi, [edx]
		cmp	[esi+4], edx
		jz	short loc_A239E7
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A239E7:				; CODE XREF: AslpAllocMatchNode(x,x,x)+3Aj
		mov	[eax], esi
		mov	[eax+4], edx
		mov	[esi+4], eax
		mov	[edx], eax

loc_A239F1:				; CODE XREF: AslpAllocMatchNode(x,x,x)+1Dj
		pop	edi
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	4
_AslpAllocMatchNode@12 endp


;  S U B	R O U T	I N E 


; __stdcall AslpParsePattern(x,	x)
_AslpParsePattern@8 proc near		; CODE XREF: AslRegWildcardFindFirst(x,x,x)+4Ap
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	esi, edi
		xor	edx, edx
		lea	ecx, [esi+2]

loc_A23A09:				; CODE XREF: AslpParsePattern(x,x)+19j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_A23A09
		sub	esi, ecx
		sar	esi, 1
		xor	al, al
		lea	edx, [edi+esi*2]
		lea	esi, [edx-2]
		jmp	short loc_A23A59
; 

loc_A23A22:				; CODE XREF: AslpParsePattern(x,x)+62j
		movzx	ecx, word ptr [esi]
		cmp	ecx, 2Ah
		jz	short loc_A23A54
		cmp	ecx, 3Fh
		jz	short loc_A23A54
		cmp	ecx, 5Ch
		jnz	short loc_A23A56
		test	al, al
		jz	short loc_A23A50
		push	ebx
		lea	ecx, [esi+2]
		call	_AslpAllocMatchNode@12 ; AslpAllocMatchNode(x,x,x)
		test	eax, eax
		js	short loc_A23A72
		xor	eax, eax
		mov	edx, esi
		mov	[esi], ax
		xor	al, al
		jmp	short loc_A23A56
; 

loc_A23A50:				; CODE XREF: AslpParsePattern(x,x)+3Dj
		mov	edx, esi
		jmp	short loc_A23A56
; 

loc_A23A54:				; CODE XREF: AslpParsePattern(x,x)+2Fj
					; AslpParsePattern(x,x)+34j
		mov	al, 1

loc_A23A56:				; CODE XREF: AslpParsePattern(x,x)+39j
					; AslpParsePattern(x,x)+55j ...
		sub	esi, 2

loc_A23A59:				; CODE XREF: AslpParsePattern(x,x)+27j
		cmp	esi, edi
		ja	short loc_A23A22
		test	al, al
		jnz	short loc_A23A63
		mov	edx, esi

loc_A23A63:				; CODE XREF: AslpParsePattern(x,x)+66j
		movzx	ecx, al
		neg	ecx
		push	ebx
		sbb	ecx, ecx
		and	ecx, esi
		call	_AslpAllocMatchNode@12 ; AslpAllocMatchNode(x,x,x)

loc_A23A72:				; CODE XREF: AslpParsePattern(x,x)+4Aj
		pop	edi
		pop	esi
		pop	ebx
		retn
_AslpParsePattern@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpPathWildcardAllocMatchNode(x, x, x, x, x, x)
_AslpPathWildcardAllocMatchNode@24 proc	near
					; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+35Ap
					; AslPathWildcardFindNext(x,x,x)+4F2p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], edx
		mov	ebx, ecx
		lea	edi, [ebp+var_24]
		push	6
		pop	ecx
		rep stosd
		mov	edi, ebx
		xor	ecx, ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		jmp	short loc_A23AA6
; 

loc_A23AA3:				; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+36j
		add	eax, 2

loc_A23AA6:				; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+2Bj
		mov	[ebx+8], eax
		cmp	[eax], cx
		jnz	short loc_A23AA3
		add	eax, 2
		mov	[ebx+8], eax
		cmp	[eax], cx
		jnz	short loc_A23AD1
		mov	esi, [ebp+arg_4]
		neg	esi
		sbb	esi, esi
		and	esi, 0FFFFFE47h
		add	esi, 0C0000273h
		jmp	loc_A23C24
; 

loc_A23AD1:				; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+41j
		cmp	[ebp+arg_4], ecx
		jnz	short loc_A23AE0
		mov	esi, 0C0000103h
		jmp	loc_A23C28
; 

loc_A23AE0:				; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+5Ej
		movzx	ecx, word ptr [edx]
		lea	eax, [ebp+arg_4]
		mov	edi, [ebp+arg_C]
		mov	edx, edi
		push	eax
		mov	[ebp+arg_4], ecx
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A23B0A
		push	esi
		push	offset ??_C@_0BJ@MDGLKPJG@RtlUShortAdd?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	0B4Dh
		jmp	loc_A23C15
; 

loc_A23B0A:				; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+82j
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+arg_4]
		push	eax
		push	4
		pop	edx
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A23B2F
		push	esi
		push	offset ??_C@_0BJ@MDGLKPJG@RtlUShortAdd?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	0B53h
		jmp	loc_A23C15
; 

loc_A23B2F:				; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+A7j
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	ecx
		movzx	edx, ax
		mov	[ebx+2], ax
		mov	[ebx], cx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	[ebx+4], eax
		test	eax, eax
		jnz	short loc_A23B55
		mov	esi, 0C0000017h
		jmp	loc_A23C28
; 

loc_A23B55:				; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+D3j
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_RtlUnicodeStringCopy@8	; RtlUnicodeStringCopy(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A23B75
		push	esi
		push	(offset	loc_8C5195+1)
		push	0B62h
		jmp	loc_A23C15
; 

loc_A23B75:				; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+EDj
		movzx	ecx, word ptr [ebx]
		mov	eax, [ebx+4]
		shr	ecx, 1
		cmp	word ptr [eax+ecx*2-2],	5Ch
		jz	short loc_A23BA4
		mov	edx, offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		mov	ecx, ebx
		call	_RtlUnicodeStringCatString@8 ; RtlUnicodeStringCatString(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A23BA4
		push	esi
		push	offset ??_C@_0CG@LPADCGAM@RtlUnicodeStringCatString?5faile@NNGAKEGL@
		push	0B72h
		jmp	short loc_A23C15
; 

loc_A23BA4:				; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+10Dj
					; AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+11Fj
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jz	short loc_A23BCE
		test	di, di
		jz	short loc_A23BCE
		movzx	eax, di
		mov	ecx, ebx
		push	eax
		call	_RtlUnicodeStringCbCatStringN@12 ; RtlUnicodeStringCbCatStringN(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A23BCE
		push	esi
		push	(offset	loc_8C5153+1)
		push	0B7Ah
		jmp	short loc_A23C15
; 

loc_A23BCE:				; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+133j
					; AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+138j ...
		xor	eax, eax
		mov	[ebp+var_24], 18h
		push	21h
		mov	[ebp+var_20], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_C]
		push	1
		push	eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_18], 240h
		push	eax
		push	100001h
		lea	eax, [ebx+0Ch]
		mov	[ebp+var_1C], ebx
		push	eax
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A23C2F
		push	esi
		push	offset ??_C@_0BI@LPPODAJD@Failed?5to?5open?5dir?5?$FL?$CFx?$FN@NNGAKEGL@
		push	0B88h

loc_A23C15:				; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+8Fj
					; AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+B4j ...
		push	offset ??_C@_0BP@NAHNFMLD@AslpPathWildcardAllocMatchNode@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A23C24:				; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+56j
		test	esi, esi
		jns	short loc_A23C2F

loc_A23C28:				; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+65j
					; AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+DAj
		mov	ecx, ebx
		call	_AslpPathWildcardFreeMatchNode@4 ; AslpPathWildcardFreeMatchNode(x)

loc_A23C2F:				; CODE XREF: AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+192j
					; AslpPathWildcardAllocMatchNode(x,x,x,x,x,x)+1B0j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_AslpPathWildcardAllocMatchNode@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpPathWildcardFreeFindContext(x)
_AslpPathWildcardFreeFindContext@4 proc	near ; CODE XREF: AslPathWildcardFindClose(x)+1Ep
					; AslPathWildcardFindFirst(x,x,x,x)+4F8p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		test	ebx, ebx
		jz	loc_A23CD6
		push	esi
		mov	esi, [ebx]
		test	esi, esi
		jz	loc_A23CD5
		mov	ecx, [esi+10h]
		push	edi
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_A23C97

loc_A23C5E:				; CODE XREF: AslpPathWildcardFreeFindContext(x)+5Dj
		xor	eax, eax
		cmp	edi, ecx
		jnb	short loc_A23C88
		and	[ebp+var_4], eax
		lea	ecx, [ebp+var_4]
		mov	eax, [esi+0Ch]
		mul	edi
		push	edx
		push	eax
		call	_ULongLongToULong@12 ; ULongLongToULong(x,x,x)
		test	eax, eax
		js	short loc_A23C86
		mov	ecx, [esi+1Ch]
		mov	eax, [ebp+var_4]
		add	eax, ecx
		cmp	eax, ecx
		jnb	short loc_A23C88

loc_A23C86:				; CODE XREF: AslpPathWildcardFreeFindContext(x)+40j
		xor	eax, eax

loc_A23C88:				; CODE XREF: AslpPathWildcardFreeFindContext(x)+2Aj
					; AslpPathWildcardFreeFindContext(x)+4Cj
		mov	ecx, eax
		call	_AslpPathWildcardFreeMatchNode@4 ; AslpPathWildcardFreeMatchNode(x)
		mov	ecx, [esi+10h]
		inc	edi
		cmp	edi, ecx
		jb	short loc_A23C5E

loc_A23C97:				; CODE XREF: AslpPathWildcardFreeFindContext(x)+24j
		lea	edi, [esi+8]
		mov	eax, [edi+14h]
		test	eax, eax
		jz	short loc_A23CAC
		push	72615452h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A23CAC:				; CODE XREF: AslpPathWildcardFreeFindContext(x)+67j
		push	6
		xor	eax, eax
		pop	ecx
		rep stosd
		mov	eax, [esi+4]
		mov	edi, 74705041h
		test	eax, eax
		jz	short loc_A23CCA
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+4], 0

loc_A23CCA:				; CODE XREF: AslpPathWildcardFreeFindContext(x)+85j
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [ebx], 0
		pop	edi

loc_A23CD5:				; CODE XREF: AslpPathWildcardFreeFindContext(x)+16j
		pop	esi

loc_A23CD6:				; CODE XREF: AslpPathWildcardFreeFindContext(x)+Bj
		pop	ebx
		leave
		retn
_AslpPathWildcardFreeFindContext@4 endp


;  S U B	R O U T	I N E 


; __stdcall AslpPathWildcardFreeMatchNode(x)
_AslpPathWildcardFreeMatchNode@4 proc near
					; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+500p
					; AslPathWildcardFindNext(x,x,x)+187p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_A23D0D
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_A23CF3
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [esi+0Ch], 0

loc_A23CF3:				; CODE XREF: AslpPathWildcardFreeMatchNode(x)+Ej
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_A23D09
		push	74705041h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+4], 0

loc_A23D09:				; CODE XREF: AslpPathWildcardFreeMatchNode(x)+1Fj
		and	dword ptr [esi+8], 0

loc_A23D0D:				; CODE XREF: AslpPathWildcardFreeMatchNode(x)+7j
		pop	esi
		retn
_AslpPathWildcardFreeMatchNode@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpPathWildcardMakeLeaves(x)
_AslpPathWildcardMakeLeaves@4 proc near	; CODE XREF: AslPathWildcardFindFirst(x,x,x,x)+12Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	loc_A23E87
		xor	ebx, ebx
		cmp	[edi], bx
		jz	loc_A23E87
		push	edi
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	eax
		mov	[ebp+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+var_8]
		push	2
		pop	eax
		cmp	cx, ax
		jb	loc_A23E69
		mov	eax, [ebp+var_4]
		cmp	[eax], bx
		jz	loc_A23E69
		shr	cx, 1
		movzx	esi, cx
		push	8
		pop	ecx
		cmp	si, cx
		jb	short loc_A23D81
		push	ecx		; size_t
		push	(offset	loc_5A7307+1) ;	wchar_t	*
		push	eax		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A23D7E
		push	0FFFFFFFCh
		jmp	short loc_A23DEC
; 

loc_A23D7E:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+69j
		mov	eax, [ebp+var_4]

loc_A23D81:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+56j
		push	4
		pop	ecx
		cmp	si, cx
		jb	short loc_A23DCF
		push	ecx		; size_t
		push	offset ??_C@_19JHEHLFPM@?$AA?2?$AA?$DP?$AA?$DP?$AA?2@FNODOBFM@ ; wchar_t *
		push	eax		; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A23DA0
		push	0FFFFFFFEh
		jmp	short loc_A23DEC
; 

loc_A23DA0:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+8Bj
		push	4		; size_t
		push	(offset	loc_5A72FD+1) ;	wchar_t	*
		push	[ebp+var_4]	; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A23DEA
		push	4		; size_t
		push	(offset	loc_5A7319+1) ;	wchar_t	*
		push	[ebp+var_4]	; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A23DEA
		mov	eax, [ebp+var_4]

loc_A23DCF:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+78j
		push	2
		pop	ecx
		cmp	si, cx
		jbe	short loc_A23DEF
		push	ecx		; size_t
		push	(offset	loc_5A7323+1) ;	wchar_t	*
		push	eax		; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A23DEF

loc_A23DEA:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+A5j
					; AslpPathWildcardMakeLeaves(x)+BBj
		push	0FFFFFFFDh

loc_A23DEC:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+6Dj
					; AslpPathWildcardMakeLeaves(x)+8Fj
		pop	esi
		jmp	short loc_A23DF1
; 

loc_A23DEF:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+C6j
					; AslpPathWildcardMakeLeaves(x)+D9j
		mov	esi, ebx

loc_A23DF1:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+DEj
		movzx	eax, word ptr [edi]
		mov	ecx, edi
		test	ax, ax
		jz	short loc_A23E1E
		push	5Ch
		mov	edx, eax
		pop	ebx

loc_A23E00:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+10Bj
		cmp	dx, bx
		jnz	short loc_A23E0F
		test	esi, esi
		js	short loc_A23E0E
		xor	eax, eax
		mov	[ecx], ax

loc_A23E0E:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+F8j
		inc	esi

loc_A23E0F:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+F4j
		add	ecx, 2
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		test	ax, ax
		jnz	short loc_A23E00
		xor	ebx, ebx

loc_A23E1E:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+EAj
		xor	eax, eax
		mov	[ecx+2], ax
		movzx	eax, word ptr [edi]
		test	ax, ax
		jz	short loc_A23E60

loc_A23E2C:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+14Fj
		test	ax, ax
		jz	short loc_A23E39

loc_A23E31:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+128j
		add	edi, 2
		cmp	[edi], bx
		jnz	short loc_A23E31

loc_A23E39:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+120j
		lea	ebx, [edi+2]
		xor	eax, eax
		cmp	[ebx], ax
		jz	short loc_A23E60
		mov	ecx, ebx
		call	_AslStringHasWildcard@4	; AslStringHasWildcard(x)
		test	eax, eax
		jnz	short loc_A23E60
		push	5Ch
		pop	edx
		xor	ecx, ecx
		mov	[edi], dx
		dec	esi
		mov	eax, edx
		cmp	[ebx], cx
		push	ecx
		pop	ebx
		jnz	short loc_A23E2C

loc_A23E60:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+11Bj
					; AslpPathWildcardMakeLeaves(x)+132j ...
		add	esi, 1
		js	short loc_A23E87
		mov	eax, esi
		jmp	short loc_A23E89
; 

loc_A23E69:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+38j
					; AslpPathWildcardMakeLeaves(x)+44j
		push	0C00000F2h
		push	(offset	loc_8C4ECB+1)
		push	0BE5h
		push	offset ??_C@_0BL@DFNMDNKJ@AslpPathWildcardMakeLeaves@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A23E87:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+Ej
					; AslpPathWildcardMakeLeaves(x)+19j ...
		xor	eax, eax

loc_A23E89:				; CODE XREF: AslpPathWildcardMakeLeaves(x)+158j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpPathWildcardMakeLeaves@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpProcessMatchRegNode(x, x)
_AslpProcessMatchRegNode@8 proc	near	; CODE XREF: AslRegWildcardFindNext(x,x)+1Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		cmp	[ebx+4], edx
		jnz	short loc_A23ED5
		lea	esi, [ebx+10h]
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_A23EC2
		mov	edx, [ebx+0Ch]
		push	ecx
		push	1
		push	20019h
		mov	ecx, esi
		call	AslRegistryGetKey
		mov	esi, eax
		jmp	loc_A23FBA
; 

loc_A23EC2:				; CODE XREF: AslpProcessMatchRegNode(x,x)+19j
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [esi], 0
		mov	esi, 8000001Ah
		jmp	loc_A23FBA
; 

loc_A23ED5:				; CODE XREF: AslpProcessMatchRegNode(x,x)+10j
		mov	ecx, [ebx+0Ch]
		xor	eax, eax
		mov	word ptr [ebp+var_C], ax
		xor	esi, esi
		lea	edx, [ecx+2]

loc_A23EE3:				; CODE XREF: AslpProcessMatchRegNode(x,x)+5Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A23EE3
		sub	ecx, edx
		sar	ecx, 1
		push	ecx
		lea	eax, ds:20Ah[ecx*2]
		movzx	edx, ax
		mov	word ptr [ebp+var_C+2],	ax
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	ecx, [ebx+4]
		mov	edi, eax
		mov	[ebp+var_8], edi
		mov	eax, [ecx+10h]
		mov	[ebp+var_4], eax

loc_A23F14:				; CODE XREF: AslpProcessMatchRegNode(x,x)+BFj
					; AslpProcessMatchRegNode(x,x)+113j
		xor	ecx, ecx
		mov	[edi], cx
		mov	ecx, edi
		push	dword ptr [ebx+14h]
		push	eax
		call	_AslRegistryEnumKey@16 ; AslRegistryEnumKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A23FA6
		mov	eax, [ebx+0Ch]
		xor	ecx, ecx
		inc	dword ptr [ebx+14h]
		mov	edx, edi
		movzx	esi, word ptr [eax]
		mov	[eax], cx
		mov	ecx, [ebx+8]
		call	AslStringPatternMatchW
		mov	ecx, [ebx+0Ch]
		test	eax, eax
		mov	eax, [ebp+var_4]
		mov	[ecx], si
		jz	short loc_A23F14
		lea	ecx, [edi+2]
		xor	edx, edx

loc_A23F54:				; CODE XREF: AslpProcessMatchRegNode(x,x)+CFj
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, dx
		jnz	short loc_A23F54
		push	dword ptr [ebx+0Ch] ; void *
		sub	edi, ecx
		sar	edi, 1
		lea	eax, [edi+edi]
		mov	word ptr [ebp+var_C], ax
		lea	eax, [ebp+var_C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	esi, [ebx+10h]
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_A23F89
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		xor	eax, eax
		mov	[esi], eax

loc_A23F89:				; CODE XREF: AslpProcessMatchRegNode(x,x)+EFj
		mov	edi, [ebp+var_8]
		mov	edx, [ebp+var_4]
		push	ecx
		push	edi
		mov	ecx, esi
		call	_AslRegistryOpenSubKey@16 ; AslRegistryOpenSubKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A23FAB
		mov	eax, [ebp+var_4]
		jmp	loc_A23F14
; 

loc_A23FA6:				; CODE XREF: AslpProcessMatchRegNode(x,x)+9Aj
		xor	eax, eax
		mov	[ebx+14h], eax

loc_A23FAB:				; CODE XREF: AslpProcessMatchRegNode(x,x)+10Ej
		test	edi, edi
		jz	short loc_A23FBA
		push	74705041h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A23FBA:				; CODE XREF: AslpProcessMatchRegNode(x,x)+2Fj
					; AslpProcessMatchRegNode(x,x)+42j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_AslpProcessMatchRegNode@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslEnvGetSysNativeDirPathForGuestBuf(x, x, x, x, x)
_AslEnvGetSysNativeDirPathForGuestBuf@20 proc near
					; CODE XREF: SdbpGetPathAppraiser(x,x,x,x)+E5p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	eax, eax
		push	80h		; size_t
		push	eax		; int
		lea	eax, [ebp+var_84]
		mov	esi, edx
		push	eax		; void *
		mov	[ebp+var_88], esi
		mov	ebx, ecx
		call	_memset
		mov	ecx, [ebp+arg_4]
		xor	eax, eax
		mov	[ebx], ax
		add	esp, 0Ch
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	loc_A240A9
		cmp	[eax], cx
		jz	loc_A240A9
		push	offset ??_C@_1BG@LEIPKKKH@?$AA?2?$AAS?$AAy?$AAs?$AAN?$AAa?$AAt?$AAi?$AAv?$AAe@NNGAKEGL@	; int
		push	40h
		pop	edx
		lea	ecx, [ebp+var_84] ; void *
		call	_AslPathToSystemPathBuf@12 ; AslPathToSystemPathBuf(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2403F
		push	esi
		push	offset ??_C@_0CD@JEFPKOCA@AslPathToSystemPathBuf?5failed?5?$FL@NNGAKEGL@
		push	696h
		jmp	short loc_A24096
; 

loc_A2403F:				; CODE XREF: AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)+6Fj
		test	edi, edi
		jz	short loc_A24071
		xor	eax, eax
		cmp	[edi], ax
		jz	short loc_A24071
		push	[ebp+var_88]
		mov	edx, edi
		lea	ecx, [ebp+var_84]
		push	ebx
		call	_AslPathCombine@16 ; AslPathCombine(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A240A5
		push	esi
		push	offset ??_C@_0BL@IPDIPDIN@AslPathCombine?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	6A0h
		jmp	short loc_A24096
; 

loc_A24071:				; CODE XREF: AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)+80j
					; AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)+87j
		mov	edx, [ebp+var_88]
		lea	eax, [ebp+var_84]
		push	eax
		mov	ecx, ebx
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		jns	short loc_A240A5
		push	esi
		push	offset ??_C@_0BO@LFCDCAJH@RtlStringCchCopyW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	6A8h

loc_A24096:				; CODE XREF: AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)+7Cj
					; AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)+AEj
		push	(offset	loc_8C54C4+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A240A5:				; CODE XREF: AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)+A1j
					; AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)+C8j
		mov	eax, esi
		jmp	short loc_A240B5
; 

loc_A240A9:				; CODE XREF: AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)+49j
					; AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)+52j
		push	eax
		push	ecx
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_AslEnvGetSystem32DirPathBuf@20	; AslEnvGetSystem32DirPathBuf(x,x,x,x,x)

loc_A240B5:				; CODE XREF: AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)+E6j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_AslEnvGetSysNativeDirPathForGuestBuf@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslEnvGetSystem32DirPathBuf(x, x, x, x, x)
_AslEnvGetSystem32DirPathBuf@20	proc near ; CODE XREF: SdbpGetPathSystem(x,x,x,x)+41p
					; AslEnvGetSysNativeDirPathForGuestBuf(x,x,x,x,x)+EFp

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= word ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_84]
		push	80h		; size_t
		xor	esi, esi
		mov	[ebp+var_88], edx
		push	esi		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		mov	dx, [ebp+arg_4]
		xor	eax, eax
		mov	[ebx], ax
		add	esp, 0Ch
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_A24115
		movzx	ecx, word ptr [eax]
		jmp	short loc_A24118
; 

loc_A24115:				; CODE XREF: AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+48j
		movzx	ecx, dx

loc_A24118:				; CODE XREF: AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+4Dj
		mov	eax, esi

loc_A2411A:				; CODE XREF: AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+6Cj
		cmp	word_6B3470[eax*8], dx
		jnz	short loc_A2412E
		cmp	word_6B3472[eax*8], cx
		jz	short loc_A2414C

loc_A2412E:				; CODE XREF: AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+5Cj
		inc	eax
		cmp	eax, 7
		jb	short loc_A2411A
		mov	esi, 0C00000BBh

loc_A24139:				; CODE XREF: AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+BBj
					; AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+11Aj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_A2414C:				; CODE XREF: AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+66j
		push	off_6B3474[eax*8] ; int
		lea	ecx, [ebp+var_84] ; void *
		push	40h
		pop	edx
		call	_AslPathToSystemPathBuf@12 ; AslPathToSystemPathBuf(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24183
		push	esi
		push	offset ??_C@_0CD@JEFPKOCA@AslPathToSystemPathBuf?5failed?5?$FL@NNGAKEGL@
		push	586h

loc_A24172:				; CODE XREF: AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+EDj
					; AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+114j
		push	offset ??_C@_0BM@NMMIKIII@AslEnvGetSystem32DirPathBuf@NNGAKEGL@	; "AslEnvGetSystem32DirPathBuf"
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A24139
; 

loc_A24183:				; CODE XREF: AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+9Fj
		test	edi, edi
		jz	short loc_A241B5
		xor	eax, eax
		cmp	[edi], ax
		jz	short loc_A241B5
		push	[ebp+var_88]
		mov	edx, edi
		lea	ecx, [ebp+var_84]
		push	ebx
		call	_AslPathCombine@16 ; AslPathCombine(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A241DC
		push	esi
		push	offset ??_C@_0BL@IPDIPDIN@AslPathCombine?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	590h
		jmp	short loc_A24172
; 

loc_A241B5:				; CODE XREF: AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+BFj
					; AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+C6j
		mov	edx, [ebp+var_88]
		lea	eax, [ebp+var_84]
		push	eax
		mov	ecx, ebx
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		jns	short loc_A241DC
		push	esi
		push	offset ??_C@_0BO@LFCDCAJH@RtlStringCchCopyW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	598h
		jmp	short loc_A24172
; 

loc_A241DC:				; CODE XREF: AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+E0j
					; AslEnvGetSystem32DirPathBuf(x,x,x,x,x)+107j
		xor	eax, eax
		mov	esi, eax
		jmp	loc_A24139
_AslEnvGetSystem32DirPathBuf@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslEnvVerifyGuestProcessorSupport(x, x)
_AslEnvVerifyGuestProcessorSupport@8 proc near
					; CODE XREF: SdbGuestTargetPlatformFlagsToRuntimePlatformFlags(x)+4Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	di, dx
		test	ecx, ecx
		jz	short loc_A241FD
		movzx	ecx, word ptr [ecx]
		jmp	short loc_A2422F
; 

loc_A241FD:				; CODE XREF: AslEnvVerifyGuestProcessorSupport(x,x)+11j
		sub	esp, 0Ch
		lea	ecx, [ebp+var_4]
		xor	edx, edx
		call	AslEnvGetProcessWowInfo
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2422C
		push	esi
		push	offset ??_C@_0CE@JCOOOONA@AslEnvGetProcessWowInfo?5failed?5@NNGAKEGL@
		push	74Bh
		push	offset ??_C@_0CC@BMJNLKJB@AslEnvVerifyGuestProcessorSuppo@NNGAKEGL@ ; "AslEnvVerifyGuestProcessorSupport"
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A24250
; 

loc_A2422C:				; CODE XREF: AslEnvVerifyGuestProcessorSupport(x,x)+29j
		mov	ecx, [ebp+var_4]

loc_A2422F:				; CODE XREF: AslEnvVerifyGuestProcessorSupport(x,x)+16j
		xor	eax, eax

loc_A24231:				; CODE XREF: AslEnvVerifyGuestProcessorSupport(x,x)+64j
		cmp	word_6B3470[eax], cx
		jnz	short loc_A24243
		cmp	word_6B3472[eax], di
		jz	short loc_A24256

loc_A24243:				; CODE XREF: AslEnvVerifyGuestProcessorSupport(x,x)+53j
		add	eax, 8
		cmp	eax, 38h
		jb	short loc_A24231
		mov	esi, 0C00000BBh

loc_A24250:				; CODE XREF: AslEnvVerifyGuestProcessorSupport(x,x)+45j
					; AslEnvVerifyGuestProcessorSupport(x,x)+73j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_A24256:				; CODE XREF: AslEnvVerifyGuestProcessorSupport(x,x)+5Cj
		xor	esi, esi
		jmp	short loc_A24250
_AslEnvVerifyGuestProcessorSupport@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslFileAllocAndGetAttributes(x, x, x, x)
_AslFileAllocAndGetAttributes@16 proc near
					; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+132p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		and	[ebp+var_8], 0
		or	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		jz	short loc_A242DF
		xor	esi, esi
		inc	esi
		cmp	[ebx+28h], esi
		jnz	short loc_A242EA
		push	2
		pop	edx
		push	4
		xor	ecx, ecx
		pop	ebx

loc_A24285:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+83j
		imul	eax, ecx, 18h
		test	ecx, ecx
		jz	short loc_A242C7
		cmp	ecx, 11h
		jz	short loc_A242B1
		cmp	ecx, 1Ch
		jz	short loc_A2429C
		or	[eax+edi+10h], edx
		jmp	short loc_A242D9
; 

loc_A2429C:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+3Aj
		and	dword ptr [edi+2ACh], 0
		or	[edi+2B0h], esi
		mov	[edi+2A8h], esi
		jmp	short loc_A242D2
; 

loc_A242B1:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+35j
		and	dword ptr [edi+1A0h], 0
		and	dword ptr [edi+1A4h], 0
		or	[edi+1A8h], esi
		jmp	short loc_A242D2
; 

loc_A242C7:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+30j
		and	dword ptr [edi+8], 0
		and	dword ptr [edi+0Ch], 0
		or	[edi+10h], esi

loc_A242D2:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+55j
					; AslFileAllocAndGetAttributes(x,x,x,x)+6Bj
		mov	[eax+edi], edx
		mov	[eax+edi+4], ebx

loc_A242D9:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+40j
		inc	ecx
		cmp	ecx, 23h
		jl	short loc_A24285

loc_A242DF:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+19j
					; AslFileAllocAndGetAttributes(x,x,x,x)+2D7j
		xor	esi, esi

loc_A242E1:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+FEj
					; AslFileAllocAndGetAttributes(x,x,x,x)+309j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_A242EA:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+21j
		cmp	dword ptr [ebx+30h], 0
		jz	short loc_A24318
		push	23h
		or	edx, 0FFFFFFFFh
		lea	ecx, [edi+10h]
		pop	esi

loc_A242F9:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+BCj
		cmp	edx, 21h
		ja	short loc_A2430C
		movzx	eax, ds:byte_A24576[edx]
		jmp	ds:off_A2456A[eax*4]

loc_A2430C:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+A2j
					; DATA XREF: PAGE:00A2456Eo ...
		or	dword ptr [ecx], 2

loc_A2430F:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+ABj
					; DATA XREF: PAGE:off_A2456Ao
		inc	edx
		add	ecx, 18h
		sub	esi, 1
		jnz	short loc_A242F9

loc_A24318:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+94j
		mov	ecx, ebx
		call	_AslFileMappingEnsure@4	; AslFileMappingEnsure(x)
		mov	esi, eax
		cmp	esi, 0C0000017h
		jnz	short loc_A2435A
		cmp	dword ptr [ebx+30h], 0
		jnz	short loc_A2435E
		mov	edx, ebx
		mov	ecx, edi
		call	_AslpFileLargeEnsureLargeFileMapping@8 ; AslpFileLargeEnsureLargeFileMapping(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2436B
		push	esi
		push	offset ??_C@_0DA@KDDLGLDA@AslpFileLargeEnsureLargeFileMap@NNGAKEGL@
		push	2A2h

loc_A24349:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+10Fj
					; AslFileAllocAndGetAttributes(x,x,x,x)+174j ...
		push	(offset	loc_8C5651+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A242E1
; 

loc_A2435A:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+CDj
		test	esi, esi
		jns	short loc_A2436B

loc_A2435E:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+D3j
		push	esi
		push	offset ??_C@_0CB@GHEHFDAF@AslFileMappingEnsure?5failed?5?$FL?$CFx@NNGAKEGL@
		push	2A6h
		jmp	short loc_A24349
; 

loc_A2436B:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+E2j
					; AslFileAllocAndGetAttributes(x,x,x,x)+102j
		xor	esi, esi
		mov	[ebp+var_4], esi

loc_A24370:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+2DFj
		mov	eax, [ebp+arg_0]
		mov	ecx, esi
		mov	edx, [ebp+arg_4]
		call	__aullshr
		and	eax, 1
		xor	edx, edx
		or	eax, edx
		jz	loc_A24527
		imul	eax, esi, 18h
		test	byte ptr [eax+edi+10h],	3
		jnz	loc_A24527
		cmp	esi, 21h
		ja	loc_A2455E
		movzx	eax, ds:byte_A245C2[esi]
		jmp	ds:off_A2459A[eax*4]

loc_A243AF:				; DATA XREF: PAGE:off_A2459Ao
		lea	edx, [ebx+8]
		mov	ecx, edi
		call	_AslpFileGetSizeAttributes@8 ; AslpFileGetSizeAttributes(x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_A24527
		push	esi
		push	offset ??_C@_0CG@NCLAMMOD@AslpFileGetSizeAttributes?5faile@NNGAKEGL@
		push	2CDh
		jmp	loc_A24349
; 

loc_A243D3:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+14Ej
					; DATA XREF: PAGE:00A245A6o
		mov	edx, ebx
		mov	ecx, edi
		call	_AslpFileGetVersionAttributes@8	; AslpFileGetVersionAttributes(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jns	loc_A24527
		call	_AslFileResourceNotFound@4 ; AslFileResourceNotFound(x)
		test	eax, eax
		jnz	loc_A24527
		push	ecx
		push	(offset	loc_8C55F7+1)
		push	2E5h
		push	(offset	loc_8C5651+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A24527
; 

loc_A24412:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+14Ej
					; DATA XREF: PAGE:00A245AAo
		mov	edx, ebx
		lea	ecx, [ebp+var_8]
		call	_AslpFileGetModuleType@8 ; AslpFileGetModuleType(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2453E
		mov	eax, [ebp+var_8]
		and	dword ptr [edi+1A4h], 0
		or	dword ptr [edi+1A8h], 1
		mov	dword ptr [edi+198h], 2
		mov	dword ptr [edi+19Ch], 4
		mov	[edi+1A0h], eax
		jmp	loc_A24527
; 

loc_A24456:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+14Ej
					; DATA XREF: PAGE:00A245BEo
		mov	edx, ebx
		mov	ecx, edi
		call	_AslpFileGetFileKindDetailAttribute@8 ;	AslpFileGetFileKindDetailAttribute(x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_A24527
		push	esi
		push	offset ??_C@_0CP@DAOJOCEB@AslpFileGetFileKindDetailAttrib@NNGAKEGL@
		push	301h
		jmp	loc_A24349
; 

loc_A24479:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+14Ej
					; DATA XREF: PAGE:00A2459Eo
		mov	edx, ebx
		mov	ecx, edi
		call	_AslpFileGetHeaderAttributesPE@8 ; AslpFileGetHeaderAttributesPE(x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_A24527
		push	esi
		push	(offset	loc_8C56EF+1)
		push	311h
		jmp	loc_A24349
; 

loc_A2449C:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+14Ej
					; DATA XREF: PAGE:00A245B2o
		mov	edx, ebx
		mov	ecx, edi
		call	_AslpFileGetPeExportNameExeWrapper@8 ; AslpFileGetPeExportNameExeWrapper(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24527
		push	esi
		push	(offset	loc_8C5719+1)
		push	326h
		jmp	loc_A24349
; 

loc_A244BB:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+14Ej
					; DATA XREF: PAGE:00A245B6o
		mov	edx, ebx
		mov	ecx, edi
		call	_AslpFileGetPeExportNameExeWrapper@8 ; AslpFileGetPeExportNameExeWrapper(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24527
		push	esi
		push	(offset	loc_8C5719+1)
		push	33Ch
		jmp	loc_A24349
; 

loc_A244DA:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+14Ej
					; DATA XREF: PAGE:00A245BAo
		mov	edx, ebx
		mov	ecx, edi
		call	_AslpFileGetClrVersionAttribute@8 ; AslpFileGetClrVersionAttribute(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24527
		push	esi
		push	(offset	loc_8C5699+1)
		push	346h
		jmp	loc_A24349
; 

loc_A244F9:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+14Ej
					; DATA XREF: PAGE:00A245AEo
		mov	edx, ebx
		mov	ecx, edi
		call	_AslpFileGetHeaderAttributesNE@8 ; AslpFileGetHeaderAttributesNE(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24527
		push	esi
		push	offset ??_C@_0CK@JGKPMHMO@AslpFileGetHeaderAttributesNE?5f@NNGAKEGL@
		push	350h
		jmp	loc_A24349
; 

loc_A24518:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+14Ej
					; DATA XREF: PAGE:00A245A2o
		mov	edx, ebx
		mov	ecx, edi
		call	_AslpFileGetChecksumAttributes@8 ; AslpFileGetChecksumAttributes(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2454E

loc_A24527:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+12Aj
					; AslFileAllocAndGetAttributes(x,x,x,x)+138j ...
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, 23h
		jge	loc_A242DF
		mov	esi, eax
		jmp	loc_A24370
; 

loc_A2453E:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+1C6j
		push	esi
		push	offset ??_C@_0CC@BEMDKDC@AslpFileGetModuleType?5failed?5?$FL?$CF@NNGAKEGL@ ; "AslpFileGetModuleType failed [%x]"
		push	2F2h
		jmp	loc_A24349
; 

loc_A2454E:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+2CBj
		push	esi
		push	offset ??_C@_0CK@CHCIOBLK@AslpFileGetChecksumAttributes?5f@NNGAKEGL@
		push	35Ah
		jmp	loc_A24349
; 

loc_A2455E:				; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+141j
		mov	esi, 0C00000E5h
		jmp	loc_A242E1
_AslFileAllocAndGetAttributes@16 endp

; 
		db 8Bh,	0FFh
off_A2456A	dd offset loc_A2430F	; DATA XREF: AslFileAllocAndGetAttributes(x,x,x,x)+ABr
		dd offset loc_A2430C
		dd offset loc_A2430C
byte_A24576	db 0			; DATA XREF: AslFileAllocAndGetAttributes(x,x,x,x)+A4r
		db 2
		dd 3 dup(1010101h), 101h, 20200h, 2020101h, 2, 1010200h
		db 8Bh,	0FFh
off_A2459A	dd offset loc_A243AF	; DATA XREF: AslFileAllocAndGetAttributes(x,x,x,x)+14Er
		dd offset loc_A24479
		dd offset loc_A24518
		dd offset loc_A243D3
		dd offset loc_A24412
		dd offset loc_A244F9
		dd offset loc_A2449C
		dd offset loc_A244BB
		dd offset loc_A244DA
		dd offset loc_A24456
byte_A245C2	db 0			; DATA XREF: AslFileAllocAndGetAttributes(x,x,x,x)+147r
; 
		add	[edx], eax
		add	eax, [ebx]
		add	eax, [ebx]
		add	eax, [ebx]
		add	eax, [ebx]
		add	eax, [ebx]
		add	eax, [ebx]
		add	eax, [ebx]
		add	al, 1
		add	ds:3060105h, eax
		pop	es
		add	cl, [eax]
		or	[ecx], eax
		add	[ecx], eax
		add	[ecx], al

;  S U B	R O U T	I N E 


; __stdcall AslFileFreeAttributes(x)
_AslFileFreeAttributes@4 proc near	; CODE XREF: SdbpCheckAllAttributes(x,x,x,x,x)+1B8p
		mov	edi, edi
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	short loc_A24630
		push	ebx
		push	esi
		push	23h
		lea	esi, [edi+8]
		pop	ebx

loc_A245F5:				; CODE XREF: AslFileFreeAttributes(x)+39j
		mov	eax, [esi+8]
		test	al, 1
		jz	short loc_A24617
		cmp	dword ptr [esi-8], 4
		jnz	short loc_A24617
		test	al, 4
		jz	short loc_A24617
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_A24617
		push	74705041h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A24617:				; CODE XREF: AslFileFreeAttributes(x)+16j
					; AslFileFreeAttributes(x)+1Cj	...
		add	esi, 18h
		sub	ebx, 1
		jnz	short loc_A245F5
		push	348h		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		pop	esi
		pop	ebx

loc_A24630:				; CODE XREF: AslFileFreeAttributes(x)+7j
		pop	edi
		retn
_AslFileFreeAttributes@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGet16BitDescription(x, x)
_AslpFileGet16BitDescription@8 proc near ; CODE	XREF: AslpFileGetHeaderAttributesNE(x,x)+A1p

var_104		= dword	ptr -104h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 104h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		cmp	dword ptr [esi+28h], 5
		jz	short loc_A2465D
		and	dword ptr [edi], 0
		mov	eax, 0C00000BBh
		jmp	short loc_A246C2
; 

loc_A2465D:				; CODE XREF: AslpFileGet16BitDescription(x,x)+1Fj
		push	100h		; size_t
		lea	eax, [ebp+var_104]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_104]
		mov	edx, esi
		call	_AslpFileQuery16BitDescription@8 ; AslpFileQuery16BitDescription(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24693
		push	esi
		push	offset ??_C@_0CK@NDCMLJOK@AslpFileQuery16BitDescription?5f@NNGAKEGL@
		push	11C9h
		jmp	short loc_A246B1
; 

loc_A24693:				; CODE XREF: AslpFileGet16BitDescription(x,x)+52j
		lea	edx, [ebp+var_104]
		mov	ecx, edi
		call	_AslStringAnsiToUnicode@8 ; AslStringAnsiToUnicode(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A246C0
		push	esi
		push	offset ??_C@_0CD@HDIACEIF@AslStringAnsiToUnicode?5failed?5?$FL@NNGAKEGL@
		push	11CFh

loc_A246B1:				; CODE XREF: AslpFileGet16BitDescription(x,x)+5Fj
		push	(offset	loc_8C609F+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A246C0:				; CODE XREF: AslpFileGet16BitDescription(x,x)+72j
		mov	eax, esi

loc_A246C2:				; CODE XREF: AslpFileGet16BitDescription(x,x)+29j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AslpFileGet16BitDescription@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGet16BitModuleName(x, x)
_AslpFileGet16BitModuleName@8 proc near	; CODE XREF: AslpFileGetHeaderAttributesNE(x,x)+115p

var_104		= dword	ptr -104h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 104h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		cmp	dword ptr [esi+28h], 5
		jz	short loc_A246FB
		and	dword ptr [edi], 0
		mov	eax, 0C00000BBh
		jmp	short loc_A24760
; 

loc_A246FB:				; CODE XREF: AslpFileGet16BitModuleName(x,x)+1Fj
		push	100h		; size_t
		lea	eax, [ebp+var_104]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_104]
		mov	edx, esi
		call	_AslpFileQuery16BitModuleName@8	; AslpFileQuery16BitModuleName(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24731
		push	esi
		push	(offset	loc_8C602C+4)
		push	11F7h
		jmp	short loc_A2474F
; 

loc_A24731:				; CODE XREF: AslpFileGet16BitModuleName(x,x)+52j
		lea	edx, [ebp+var_104]
		mov	ecx, edi
		call	_AslStringAnsiToUnicode@8 ; AslStringAnsiToUnicode(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2475E
		push	esi
		push	offset ??_C@_0CD@HDIACEIF@AslStringAnsiToUnicode?5failed?5?$FL@NNGAKEGL@
		push	11FDh

loc_A2474F:				; CODE XREF: AslpFileGet16BitModuleName(x,x)+5Fj
		push	offset ??_C@_0BL@EJPFEEEP@AslpFileGet16BitModuleName@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A2475E:				; CODE XREF: AslpFileGet16BitModuleName(x,x)+72j
		mov	eax, esi

loc_A24760:				; CODE XREF: AslpFileGet16BitModuleName(x,x)+29j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AslpFileGet16BitModuleName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetChecksum(x, x)
_AslpFileGetChecksum@8 proc near	; CODE XREF: AslpFileGetChecksumAttributes(x,x)+C7p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	24h
		push	offset dword_6AACA0
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_24], eax
		mov	[ebp+var_2C], ecx
		mov	ebx, 1000h
		mov	edx, 200h
		xor	edi, edi
		mov	esi, edi
		mov	eax, [eax+8]
		cmp	eax, ebx
		jnb	short loc_A2479D
		mov	edx, edi
		mov	ebx, eax
		jmp	short loc_A247AA
; 

loc_A2479D:				; CODE XREF: AslpFileGetChecksum(x,x)+27j
		cmp	eax, 1200h
		jnb	short loc_A247AA
		lea	edx, [eax-1000h]

loc_A247AA:				; CODE XREF: AslpFileGetChecksum(x,x)+2Dj
					; AslpFileGetChecksum(x,x)+34j
		mov	[ebp+ms_exc.disabled], edi
		cmp	ebx, 4
		jb	short loc_A247F1
		mov	ecx, [ebp+var_24]
		mov	ecx, [ecx+10h]
		add	ecx, edx
		mov	[ebp+var_20], ecx
		mov	edx, edi

loc_A247BF:				; CODE XREF: AslpFileGetChecksum(x,x)+7Ej
		mov	[ebp+var_28], edx
		mov	eax, ebx
		shr	eax, 2
		cmp	edx, eax
		jnb	short loc_A247EE
		add	esi, [ecx]
		mov	[ebp+var_1C], esi
		add	ecx, 4
		mov	[ebp+var_20], ecx
		mov	eax, esi
		shr	esi, 1
		mov	[ebp+var_1C], esi
		and	eax, 1
		jz	short loc_A247EB
		or	esi, 80000000h
		mov	[ebp+var_1C], esi

loc_A247EB:				; CODE XREF: AslpFileGetChecksum(x,x)+72j
		inc	edx
		jmp	short loc_A247BF
; 

loc_A247EE:				; CODE XREF: AslpFileGetChecksum(x,x)+5Bj
		mov	ecx, [ebp+var_2C]

loc_A247F1:				; CODE XREF: AslpFileGetChecksum(x,x)+42j
		mov	[ecx], esi
		mov	[ebp+var_34], edi
		jmp	short loc_A24829
; 

loc_A247F8:				; DATA XREF: .text:006AACB4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A24806:				; DATA XREF: .text:006AACB8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_30]
		mov	[ebp+var_34], edi
		push	edi
		push	(offset	loc_8C4D43+3)
		push	1390h
		push	(offset	loc_8C60FD+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A24829:				; CODE XREF: AslpFileGetChecksum(x,x)+88j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileGetChecksum@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetChecksumAttributes(x, x)
_AslpFileGetChecksumAttributes@8 proc near
					; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+2C2p

var_28		= dword	ptr -28h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	8
		xor	eax, eax
		lea	edi, [ebp+var_28]
		pop	ecx
		rep stosd
		cmp	[edx+34h], eax
		jz	short loc_A24896
		push	offset ??_C@_0FA@BMENCCAD@AslpFileGetChecksumAttributes?5c@NNGAKEGL@
		push	12B7h
		push	offset ??_C@_0BO@PDLAAKIB@AslpFileGetChecksumAttributes@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		mov	esi, 0C0000001h
		push	2
		pop	edi
		or	[ebx+40h], edi
		or	[ebx+280h], edi
		or	[ebx+340h], edi
		jmp	loc_A24990
; 

loc_A24896:				; CODE XREF: AslpFileGetChecksumAttributes(x,x)+1Dj
		mov	ecx, edx
		call	_AslFileMappingEnsureMappedAs@8	; AslFileMappingEnsureMappedAs(x,x)
		mov	esi, eax
		mov	ecx, 0C000010Eh
		test	esi, esi
		jns	short loc_A248CB
		cmp	esi, ecx
		jz	short loc_A248CB
		push	esi
		push	offset ??_C@_0CJ@NGKNMDF@AslFileMappingEnsureMappedAs?5fa@NNGAKEGL@
		push	1300h

loc_A248B7:				; CODE XREF: AslpFileGetChecksumAttributes(x,x)+B6j
					; AslpFileGetChecksumAttributes(x,x)+DDj ...
		push	offset ??_C@_0BO@PDLAAKIB@AslpFileGetChecksumAttributes@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A24990
; 

loc_A248CB:				; CODE XREF: AslpFileGetChecksumAttributes(x,x)+64j
					; AslpFileGetChecksumAttributes(x,x)+68j
		mov	eax, [ebp+var_8]
		add	eax, 8
		mov	[ebp+var_8], eax
		cmp	esi, ecx
		jnz	short loc_A24900
		mov	eax, [eax]
		lea	ecx, [ebp+var_28]
		xor	dl, dl
		mov	[ebp+var_28], eax
		call	_RtlFileMapMapView@8 ; RtlFileMapMapView(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A248FA
		push	esi
		push	(offset	loc_8C58AE+2)
		push	1312h
		jmp	short loc_A248B7
; 

loc_A248FA:				; CODE XREF: AslpFileGetChecksumAttributes(x,x)+A9j
		lea	eax, [ebp+var_28]
		mov	[ebp+var_8], eax

loc_A24900:				; CODE XREF: AslpFileGetChecksumAttributes(x,x)+94j
		and	[ebp+var_4], 0
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		call	_AslpFileGetChecksum@8 ; AslpFileGetChecksum(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24921
		push	esi
		push	offset ??_C@_0CA@ECIAAMCP@AslpFileGetChecksum?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	1324h
		jmp	short loc_A248B7
; 

loc_A24921:				; CODE XREF: AslpFileGetChecksumAttributes(x,x)+D0j
		mov	eax, [ebp+var_4]
		lea	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]
		and	dword ptr [ebx+3Ch], 0
		or	dword ptr [ebx+40h], 1
		and	[ebp+var_4], 0
		push	2
		pop	edi
		mov	[ebx+30h], edi
		mov	dword ptr [ebx+34h], 4
		mov	[ebx+38h], eax
		call	_AslpFileGetCrcChecksum@8 ; AslpFileGetCrcChecksum(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24961
		push	esi
		push	(offset	loc_8C6149+1)
		push	1335h
		jmp	loc_A248B7
; 

loc_A24961:				; CODE XREF: AslpFileGetChecksumAttributes(x,x)+10Dj
		mov	eax, [ebp+var_4]
		and	dword ptr [ebx+27Ch], 0
		or	dword ptr [ebx+280h], 1
		or	[ebx+340h], edi
		xor	esi, esi
		mov	[ebx+270h], edi
		mov	dword ptr [ebx+274h], 4
		mov	[ebx+278h], eax

loc_A24990:				; CODE XREF: AslpFileGetChecksumAttributes(x,x)+4Fj
					; AslpFileGetChecksumAttributes(x,x)+84j
		lea	ecx, [ebp+var_28]
		call	RtlFileMapFree
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileGetChecksumAttributes@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetClrVersion(x, x)
_AslpFileGetClrVersion@8 proc near	; CODE XREF: AslpFileGetClrVersionAttribute(x,x)+C0p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	18h
		push	offset dword_6AAC60
		call	__SEH_prolog4
		mov	eax, edx
		mov	[ebp+var_24], eax
		mov	ebx, ecx
		and	[ebp+var_20], 0
		xor	edi, edi
		mov	byte ptr [ebx],	0
		lea	ecx, [ebp+var_20]
		call	_AslpFileGetImageNtHeader@8 ; AslpFileGetImageNtHeader(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A249E8
		push	esi
		push	offset ??_C@_0CF@GGCNCAGG@AslpFileGetImageNtHeader?5failed@NNGAKEGL@
		push	156Bh
		push	offset ??_C@_0BG@BCKDAEDA@AslpFileGetClrVersion@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A24B22
; 

loc_A249E8:				; CODE XREF: AslpFileGetClrVersion(x,x)+28j
		and	[ebp+ms_exc.disabled], edi
		mov	esi, [ebp+var_20]
		movzx	eax, word ptr [esi+18h]
		mov	ecx, 10Bh
		cmp	ax, cx
		jnz	short loc_A24A04
		lea	edi, [esi+0E8h]
		jmp	short loc_A24A14
; 

loc_A24A04:				; CODE XREF: AslpFileGetClrVersion(x,x)+5Bj
		mov	ecx, 20Bh
		cmp	ax, cx
		jnz	short loc_A24A14
		lea	edi, [esi+0F8h]

loc_A24A14:				; CODE XREF: AslpFileGetClrVersion(x,x)+63j
					; AslpFileGetClrVersion(x,x)+6Dj
		test	edi, edi
		jz	loc_A24AE0
		mov	eax, [edi]
		test	eax, eax
		jz	loc_A24AE0
		cmp	dword ptr [edi+4], 48h
		jb	loc_A24AE0
		mov	edi, [ebp+var_24]
		push	eax
		lea	edx, [edi+8]
		mov	ecx, esi
		call	_AslpImageRvaToVa@12 ; AslpImageRvaToVa(x,x,x)
		test	eax, eax
		jnz	short loc_A24A68
		push	(offset	loc_8C62A0+4)
		push	1588h

loc_A24A4C:				; CODE XREF: AslpFileGetClrVersion(x,x)+F4j
					; AslpFileGetClrVersion(x,x)+13Cj
		mov	esi, 0C000007Bh

loc_A24A51:				; CODE XREF: AslpFileGetClrVersion(x,x)+10Dj
		mov	[ebp+var_1C], esi
		push	offset ??_C@_0BG@BCKDAEDA@AslpFileGetClrVersion@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_A24B1B
; 

loc_A24A68:				; CODE XREF: AslpFileGetClrVersion(x,x)+A1j
		cmp	word ptr [eax+4], 2
		jz	short loc_A24A76
		mov	esi, 0C00000BBh
		jmp	short loc_A24AE5
; 

loc_A24A76:				; CODE XREF: AslpFileGetClrVersion(x,x)+CEj
		push	dword ptr [eax+8]
		lea	edx, [edi+8]
		mov	ecx, esi
		call	_AslpImageRvaToVa@12 ; AslpImageRvaToVa(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_A24A95
		push	offset ??_C@_0DD@FHOOCCGJ@Invalid?5COR20?5Metadata?5virtual?5@NNGAKEGL@
		push	159Ch
		jmp	short loc_A24A4C
; 

loc_A24A95:				; CODE XREF: AslpFileGetClrVersion(x,x)+E8j
		cmp	dword ptr [ecx], 424A5342h
		jz	short loc_A24AAE
		mov	esi, 0C00000BBh
		push	offset ??_C@_0CN@DHBHKMFP@Invalid?5COR20?5Metadata?5signatur@NNGAKEGL@
		push	15A6h
		jmp	short loc_A24A51
; 

loc_A24AAE:				; CODE XREF: AslpFileGetClrVersion(x,x)+FCj
		mov	esi, [ecx+0Ch]
		lea	eax, [esi-1]
		cmp	eax, 0FEh
		ja	short loc_A24AD1
		push	esi		; size_t
		lea	eax, [ecx+10h]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	byte ptr [esi+ebx], 0
		xor	esi, esi
		jmp	short loc_A24AE5
; 

loc_A24AD1:				; CODE XREF: AslpFileGetClrVersion(x,x)+11Aj
		push	offset ??_C@_0CE@HKAOIBJK@CLR?5version?5string?5null?5or?5too?5@NNGAKEGL@
		push	15B2h
		jmp	loc_A24A4C
; 

loc_A24AE0:				; CODE XREF: AslpFileGetClrVersion(x,x)+77j
					; AslpFileGetClrVersion(x,x)+81j ...
		mov	esi, 0C000007Bh

loc_A24AE5:				; CODE XREF: AslpFileGetClrVersion(x,x)+D5j
					; AslpFileGetClrVersion(x,x)+130j
		mov	[ebp+var_1C], esi
		jmp	short loc_A24B1B
; 

loc_A24AEA:				; DATA XREF: .text:006AAC74o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A24AF8:				; DATA XREF: .text:006AAC78o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_28]
		mov	[ebp+var_1C], esi
		push	esi
		push	(offset	loc_8C4D43+3)
		push	15C9h
		push	offset ??_C@_0BG@BCKDAEDA@AslpFileGetClrVersion@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A24B1B:				; CODE XREF: AslpFileGetClrVersion(x,x)+C4j
					; AslpFileGetClrVersion(x,x)+149j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A24B22:				; CODE XREF: AslpFileGetClrVersion(x,x)+44j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileGetClrVersion@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetClrVersionAttribute(x, x)
_AslpFileGetClrVersionAttribute@8 proc near
					; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+284p

var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	100h		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_108]
		push	esi		; int
		push	eax		; void *
		mov	ebx, edx
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_10C], esi
		mov	ecx, ebx
		call	_AslFileMappingEnsure@4	; AslFileMappingEnsure(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24B99
		push	esi
		push	offset ??_C@_0CB@GHEHFDAF@AslFileMappingEnsure?5failed?5?$FL?$CFx@NNGAKEGL@
		push	150Dh

loc_A24B85:				; CODE XREF: AslpFileGetClrVersionAttribute(x,x)+9Cj
					; AslpFileGetClrVersionAttribute(x,x)+D6j ...
		push	(offset	loc_8C60B8+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A24C9B
; 

loc_A24B99:				; CODE XREF: AslpFileGetClrVersionAttribute(x,x)+44j
		cmp	dword ptr [ebx+28h], 6
		jz	short loc_A24BAD

loc_A24B9F:				; CODE XREF: AslpFileGetClrVersionAttribute(x,x)+B6j
		or	dword ptr [edi+298h], 2
		xor	esi, esi
		jmp	loc_A24C9B
; 

loc_A24BAD:				; CODE XREF: AslpFileGetClrVersionAttribute(x,x)+69j
		test	byte ptr [edi+2B0h], 1
		jnz	short loc_A24BD2
		mov	edx, ebx
		mov	ecx, edi
		call	_AslpFileGetFileKindDetailAttribute@8 ;	AslpFileGetFileKindDetailAttribute(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24BD2
		push	esi
		push	offset ??_C@_0CP@DAOJOCEB@AslpFileGetFileKindDetailAttrib@NNGAKEGL@
		push	151Eh
		jmp	short loc_A24B85
; 

loc_A24BD2:				; CODE XREF: AslpFileGetClrVersionAttribute(x,x)+80j
					; AslpFileGetClrVersionAttribute(x,x)+8Fj
		mov	eax, [edi+2A8h]
		cmp	eax, 0Ch
		jz	short loc_A24BEC
		cmp	eax, 0Dh
		jz	short loc_A24BEC
		cmp	eax, 0Eh
		jz	short loc_A24BEC
		cmp	eax, 0Fh
		jnz	short loc_A24B9F

loc_A24BEC:				; CODE XREF: AslpFileGetClrVersionAttribute(x,x)+A7j
					; AslpFileGetClrVersionAttribute(x,x)+ACj ...
		mov	edx, ebx
		lea	ecx, [ebp+var_108]
		call	_AslpFileGetClrVersion@8 ; AslpFileGetClrVersion(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24C0F
		push	esi
		push	offset ??_C@_0CC@HLMBHAHE@AslpFileGetClrVersion?5failed?5?$FL?$CF@NNGAKEGL@
		push	1531h
		jmp	loc_A24B85
; 

loc_A24C0F:				; CODE XREF: AslpFileGetClrVersionAttribute(x,x)+C9j
		lea	edx, [ebp+var_108]
		lea	ecx, [ebp+var_10C]
		call	_AslStringAnsiToUnicode@8 ; AslStringAnsiToUnicode(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24C36
		push	esi
		push	offset ??_C@_0CD@HDIACEIF@AslStringAnsiToUnicode?5failed?5?$FL@NNGAKEGL@
		push	1537h
		jmp	loc_A24B85
; 

loc_A24C36:				; CODE XREF: AslpFileGetClrVersionAttribute(x,x)+F0j
		mov	ecx, [ebp+var_10C]
		call	_AslStringXmlSanitize@4	; AslStringXmlSanitize(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24C57
		push	esi
		push	offset ??_C@_0CB@KOMIGNHG@AslStringXmlSanitize?5failed?5?$FL?$CFx@NNGAKEGL@
		push	153Dh
		jmp	loc_A24B85
; 

loc_A24C57:				; CODE XREF: AslpFileGetClrVersionAttribute(x,x)+111j
		mov	edx, [ebp+var_10C]
		xor	esi, esi
		mov	dword ptr [edi+288h], 4
		lea	eax, [edx+2]

loc_A24C6C:				; CODE XREF: AslpFileGetClrVersionAttribute(x,x)+141j
		mov	cx, [edx]
		add	edx, 2
		cmp	cx, si
		jnz	short loc_A24C6C
		sub	edx, eax
		mov	eax, [ebp+var_10C]
		sar	edx, 1
		or	dword ptr [edi+298h], 5
		mov	[edi+28Ch], edx
		cdq
		mov	[edi+290h], eax
		mov	[edi+294h], edx

loc_A24C9B:				; CODE XREF: AslpFileGetClrVersionAttribute(x,x)+60j
					; AslpFileGetClrVersionAttribute(x,x)+74j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AslpFileGetClrVersionAttribute@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetCrcChecksum(x, x)
_AslpFileGetCrcChecksum@8 proc near	; CODE XREF: AslpFileGetChecksumAttributes(x,x)+104p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	10h
		push	offset dword_6AAC80
		call	__SEH_prolog4
		mov	eax, edx
		mov	ebx, ecx
		xor	edi, edi
		mov	[ebp+ms_exc.disabled], edi
		cmp	[eax+0Ch], edi
		ja	short loc_A24CDB
		jb	short loc_A24CD1
		cmp	dword ptr [eax+8], 2000h
		jnb	short loc_A24CDB

loc_A24CD1:				; CODE XREF: AslpFileGetCrcChecksum(x,x)+1Aj
		push	dword ptr [eax+14h]
		mov	edx, [eax+10h]
		xor	ecx, ecx
		jmp	short loc_A24CF9
; 

loc_A24CDB:				; CODE XREF: AslpFileGetCrcChecksum(x,x)+18j
					; AslpFileGetCrcChecksum(x,x)+23j
		mov	edx, [eax+10h]
		mov	ecx, 1000h
		push	ecx
		mov	esi, [eax+8]
		push	ecx
		xor	ecx, ecx
		call	_AslComputeCrc32@12 ; AslComputeCrc32(x,x,x)
		add	edx, 0FFFFF000h
		add	edx, esi
		mov	ecx, eax

loc_A24CF9:				; CODE XREF: AslpFileGetCrcChecksum(x,x)+2Dj
		call	_AslComputeCrc32@12 ; AslComputeCrc32(x,x,x)
		mov	[ebx], eax
		mov	[ebp+var_1C], edi
		jmp	short loc_A24D36
; 

loc_A24D05:				; DATA XREF: .text:006AAC94o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A24D13:				; DATA XREF: .text:006AAC98o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_20]
		mov	[ebp+var_1C], edi
		push	edi
		push	(offset	loc_8C4D43+3)
		push	13F6h
		push	(offset	loc_8C6111+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A24D36:				; CODE XREF: AslpFileGetCrcChecksum(x,x)+57j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileGetCrcChecksum@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetExeWrapper(x, x)
_AslpFileGetExeWrapper@8 proc near	; CODE XREF: AslpFileGetPeExportNameExeWrapper(x,x)+63p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	18h
		push	offset dword_6AAD40
		call	__SEH_prolog4
		mov	ebx, edx
		mov	edi, ecx
		xor	eax, eax
		mov	[ebp+var_20], eax
		mov	[edi], eax
		mov	[ebp+var_1C], eax
		cmp	dword ptr [ebx+14h], 1
		jb	short loc_A24D7D
		ja	short loc_A24D76
		cmp	[ebx+10h], eax
		jb	short loc_A24D7D

loc_A24D76:				; CODE XREF: AslpFileGetExeWrapper(x,x)+20j
		xor	eax, eax
		jmp	loc_A24E87
; 

loc_A24D7D:				; CODE XREF: AslpFileGetExeWrapper(x,x)+1Ej
					; AslpFileGetExeWrapper(x,x)+25j
		lea	ecx, [ebp+var_1C]
		call	_AslpFileGetImageNtHeader@8 ; AslpFileGetImageNtHeader(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24DAA
		push	esi
		push	offset ??_C@_0CF@GGCNCAGG@AslpFileGetImageNtHeader?5failed@NNGAKEGL@
		push	0F90h
		push	offset ??_C@_0BG@HGDCKIPM@AslpFileGetExeWrapper@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A24E85
; 

loc_A24DAA:				; CODE XREF: AslpFileGetExeWrapper(x,x)+3Aj
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [ebp+var_1C]
		call	_AslpFileHasSecuromWrapper@4 ; AslpFileHasSecuromWrapper(x)
		test	eax, eax
		jz	short loc_A24DC5
		mov	dword ptr [edi], 1
		jmp	loc_A24E46
; 

loc_A24DC5:				; CODE XREF: AslpFileGetExeWrapper(x,x)+69j
		push	ebx
		mov	edx, [ebp+var_1C]
		lea	ecx, [ebp+var_20]
		call	_AslpFileHasActiveMarkWrapper@12 ; AslpFileHasActiveMarkWrapper(x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		jns	short loc_A24E12
		mov	eax, 0C0000225h
		cmp	esi, eax
		jnz	short loc_A24E05
		push	eax
		push	dword ptr [ebx+14h]
		push	dword ptr [ebx+10h]
		push	offset ??_C@_0DL@MCGFOHLO@AslpFileHasActiveMarkWrapper?5fa@NNGAKEGL@
		push	0FA9h
		push	offset ??_C@_0BG@HGDCKIPM@AslpFileGetExeWrapper@NNGAKEGL@
		push	2
		call	AslLogCallPrintf
		add	esp, 1Ch
		jmp	short loc_A24E7E
; 

loc_A24E05:				; CODE XREF: AslpFileGetExeWrapper(x,x)+92j
		push	esi
		push	offset ??_C@_0CJ@OLKHAPFK@AslpFileHasActiveMarkWrapper?5fa@NNGAKEGL@ ; "AslpFileHasActiveMarkWrapper failed [%x"...
		push	0FABh
		jmp	short loc_A24E6F
; 

loc_A24E12:				; CODE XREF: AslpFileGetExeWrapper(x,x)+89j
		cmp	[ebp+var_20], 0
		jz	short loc_A24E20
		mov	dword ptr [edi], 2
		jmp	short loc_A24E46
; 

loc_A24E20:				; CODE XREF: AslpFileGetExeWrapper(x,x)+C7j
		mov	ecx, [ebp+var_1C]
		call	_AslpFileHasArmadilloWrapper@4 ; AslpFileHasArmadilloWrapper(x)
		test	eax, eax
		jz	short loc_A24E34
		mov	dword ptr [edi], 3
		jmp	short loc_A24E46
; 

loc_A24E34:				; CODE XREF: AslpFileGetExeWrapper(x,x)+DBj
		mov	ecx, [ebp+var_1C]
		call	_AslpHasStarForceWrapper@4 ; AslpHasStarForceWrapper(x)
		test	eax, eax
		jz	short loc_A24E46
		mov	dword ptr [edi], 4

loc_A24E46:				; CODE XREF: AslpFileGetExeWrapper(x,x)+71j
					; AslpFileGetExeWrapper(x,x)+CFj ...
		xor	esi, esi
		mov	[ebp+var_24], esi
		jmp	short loc_A24E7E
; 

loc_A24E4D:				; DATA XREF: .text:006AAD54o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A24E5B:				; DATA XREF: .text:006AAD58o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_28]
		mov	[ebp+var_24], esi
		push	esi
		push	(offset	loc_8C4D43+3)
		push	0FBFh

loc_A24E6F:				; CODE XREF: AslpFileGetExeWrapper(x,x)+C1j
		push	offset ??_C@_0BG@HGDCKIPM@AslpFileGetExeWrapper@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A24E7E:				; CODE XREF: AslpFileGetExeWrapper(x,x)+B4j
					; AslpFileGetExeWrapper(x,x)+FCj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A24E85:				; CODE XREF: AslpFileGetExeWrapper(x,x)+56j
		mov	eax, esi

loc_A24E87:				; CODE XREF: AslpFileGetExeWrapper(x,x)+29j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileGetExeWrapper@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetExportName(x, x)
_AslpFileGetExportName@8 proc near	; CODE XREF: AslpFileGetPeExportNameExeWrapper(x,x)+A4p

var_104		= dword	ptr -104h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 104h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	100h		; size_t
		lea	eax, [ebp+var_104]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		lea	ecx, [ebp+var_104]
		mov	edx, esi
		call	_AslpFileQueryExportName_Vb@8 ;	AslpFileQueryExportName_Vb(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24F07
		cmp	esi, 0C0000225h
		jz	short loc_A24F29
		cmp	esi, 0C000007Bh
		jz	short loc_A24F29
		push	esi
		push	offset ??_C@_0CE@GHMPLADB@AslpFileQueryExportName?5failed?5@NNGAKEGL@
		push	10C6h

loc_A24EF6:				; CODE XREF: AslpFileGetExportName(x,x)+8Ej
		push	(offset	loc_8C5F77+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A24F29
; 

loc_A24F07:				; CODE XREF: AslpFileGetExportName(x,x)+42j
		lea	edx, [ebp+var_104]
		mov	ecx, edi
		call	_AslStringAnsiToUnicode@8 ; AslStringAnsiToUnicode(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A24F27
		push	esi
		push	offset ??_C@_0CD@HDIACEIF@AslStringAnsiToUnicode?5failed?5?$FL@NNGAKEGL@
		push	10CDh
		jmp	short loc_A24EF6
; 

loc_A24F27:				; CODE XREF: AslpFileGetExportName(x,x)+81j
		xor	esi, esi

loc_A24F29:				; CODE XREF: AslpFileGetExportName(x,x)+4Aj
					; AslpFileGetExportName(x,x)+52j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AslpFileGetExportName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetFileKindDetailAttribute(x, x)
_AslpFileGetFileKindDetailAttribute@8 proc near
					; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+200p
					; AslpFileGetClrVersionAttribute(x,x)+86p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		lea	ecx, [ebp+var_4]
		push	edi
		call	_AslFileMappingGetFileKindDetail@8 ; AslFileMappingGetFileKindDetail(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_A24F72
		push	edi
		push	(offset	loc_8C61FC+2)
		push	15ECh
		push	offset ??_C@_0CD@IEAEKNMD@AslpFileGetFileKindDetailAttrib@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A24F9F
; 

loc_A24F72:				; CODE XREF: AslpFileGetFileKindDetailAttribute(x,x)+1Bj
		mov	eax, [ebp+var_4]
		or	dword ptr [esi+2B0h], 1
		xor	edi, edi
		cdq
		mov	dword ptr [esi+2A0h], 2
		mov	dword ptr [esi+2A4h], 4
		mov	[esi+2A8h], eax
		mov	[esi+2ACh], edx

loc_A24F9F:				; CODE XREF: AslpFileGetFileKindDetailAttribute(x,x)+37j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
_AslpFileGetFileKindDetailAttribute@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetHeaderAttributesNE(x, x)
_AslpFileGetHeaderAttributesNE@8 proc near
					; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+2A3p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, edx
		xor	eax, eax
		mov	esi, ecx
		mov	[ebp+var_C], ebx
		push	edi
		mov	ecx, ebx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		call	_AslFileMappingEnsure@4	; AslFileMappingEnsure(x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_A24FEB
		push	edi
		push	offset ??_C@_0CB@GHEHFDAF@AslFileMappingEnsure?5failed?5?$FL?$CFx@NNGAKEGL@
		push	0E58h

loc_A24FD7:				; CODE XREF: AslpFileGetHeaderAttributesNE(x,x)+C3j
					; AslpFileGetHeaderAttributesNE(x,x)+137j
		push	offset ??_C@_0BO@ECMFKLEM@AslpFileGetHeaderAttributesNE@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A25126
; 

loc_A24FEB:				; CODE XREF: AslpFileGetHeaderAttributesNE(x,x)+25j
		cmp	dword ptr [ebx+28h], 5
		push	2
		pop	ebx
		jz	short loc_A25007
		or	[esi+1F0h], ebx
		or	[esi+208h], ebx
		xor	edi, edi
		jmp	loc_A25126
; 

loc_A25007:				; CODE XREF: AslpFileGetHeaderAttributesNE(x,x)+4Dj
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_4]
		or	[esi+1C0h], ebx
		or	[esi+1D8h], ebx
		or	[esi+220h], ebx
		or	[esi+28h], ebx
		or	[esi+268h], ebx
		or	[esi+238h], ebx
		or	[esi+2C8h], ebx
		or	[esi+2E0h], ebx
		or	[esi+2F8h], ebx
		or	[esi+328h], ebx
		call	_AslpFileGet16BitDescription@8 ; AslpFileGet16BitDescription(x,x)
		test	eax, eax
		js	short loc_A250AC
		mov	ecx, [ebp+var_4]
		call	_AslStringXmlSanitize@4	; AslStringXmlSanitize(x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_A2506D
		push	edi
		push	offset ??_C@_0CB@KOMIGNHG@AslStringXmlSanitize?5failed?5?$FL?$CFx@NNGAKEGL@
		push	0E7Ch
		jmp	loc_A24FD7
; 

loc_A2506D:				; CODE XREF: AslpFileGetHeaderAttributesNE(x,x)+B6j
		mov	edx, [ebp+var_4]
		xor	edi, edi
		mov	dword ptr [esi+1E0h], 4
		lea	eax, [edx+2]

loc_A2507F:				; CODE XREF: AslpFileGetHeaderAttributesNE(x,x)+E2j
		mov	cx, [edx]
		add	edx, ebx
		cmp	cx, di
		jnz	short loc_A2507F
		sub	edx, eax
		mov	eax, [ebp+var_4]
		sar	edx, 1
		or	dword ptr [esi+1F0h], 5
		mov	[esi+1E4h], edx
		cdq
		mov	[esi+1E8h], eax
		mov	[esi+1ECh], edx
		jmp	short loc_A250B4
; 

loc_A250AC:				; CODE XREF: AslpFileGetHeaderAttributesNE(x,x)+A8j
		or	[esi+1F0h], ebx
		xor	edi, edi

loc_A250B4:				; CODE XREF: AslpFileGetHeaderAttributesNE(x,x)+105j
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_8]
		call	_AslpFileGet16BitModuleName@8 ;	AslpFileGet16BitModuleName(x,x)
		test	eax, eax
		js	short loc_A25120
		mov	ecx, [ebp+var_8]
		call	_AslStringXmlSanitize@4	; AslStringXmlSanitize(x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_A250E1
		push	edi
		push	offset ??_C@_0CB@KOMIGNHG@AslStringXmlSanitize?5failed?5?$FL?$CFx@NNGAKEGL@
		push	0E91h
		jmp	loc_A24FD7
; 

loc_A250E1:				; CODE XREF: AslpFileGetHeaderAttributesNE(x,x)+12Aj
		mov	edx, [ebp+var_8]
		xor	edi, edi
		mov	dword ptr [esi+1F8h], 4
		lea	eax, [edx+2]

loc_A250F3:				; CODE XREF: AslpFileGetHeaderAttributesNE(x,x)+156j
		mov	cx, [edx]
		add	edx, ebx
		cmp	cx, di
		jnz	short loc_A250F3
		sub	edx, eax
		mov	eax, [ebp+var_8]
		sar	edx, 1
		or	dword ptr [esi+208h], 5
		mov	[esi+1FCh], edx
		cdq
		mov	[esi+200h], eax
		mov	[esi+204h], edx
		jmp	short loc_A25126
; 

loc_A25120:				; CODE XREF: AslpFileGetHeaderAttributesNE(x,x)+11Cj
		or	[esi+208h], ebx

loc_A25126:				; CODE XREF: AslpFileGetHeaderAttributesNE(x,x)+41j
					; AslpFileGetHeaderAttributesNE(x,x)+5Dj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileGetHeaderAttributesNE@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetHeaderAttributesPE(x, x)
_AslpFileGetHeaderAttributesPE@8 proc near
					; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+223p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		xor	eax, eax
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_14], eax
		mov	esi, ecx
		mov	[ebp+var_18], eax
		push	edi
		mov	ecx, ebx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], eax
		call	_AslFileMappingEnsure@4	; AslFileMappingEnsure(x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_A2517F
		push	edi
		push	offset ??_C@_0CB@GHEHFDAF@AslFileMappingEnsure?5failed?5?$FL?$CFx@NNGAKEGL@
		push	0DCFh
		push	offset ??_C@_0BO@FEHNCFDG@AslpFileGetHeaderAttributesPE@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A25376
; 

loc_A2517F:				; CODE XREF: AslpFileGetHeaderAttributesPE(x,x)+31j
		cmp	dword ptr [ebx+28h], 6
		push	2
		pop	edi
		jz	short loc_A251BA
		or	[esi+1C0h], edi
		or	[esi+1D8h], edi
		or	[esi+220h], edi
		or	[esi+28h], edi
		or	[esi+2F8h], edi
		or	[esi+2C8h], edi
		or	[esi+2E0h], edi
		or	[esi+328h], edi
		jmp	loc_A25374
; 

loc_A251BA:				; CODE XREF: AslpFileGetHeaderAttributesPE(x,x)+59j
		or	[esi+1F0h], edi
		lea	eax, [ebp+var_1C]
		or	[esi+208h], edi
		lea	edx, [ebp+var_8]
		push	ebx
		push	ecx
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	ecx, [ebp+var_4]
		call	_AslpFileGetNtHeaderAttributes@36 ; AslpFileGetNtHeaderAttributes(x,x,x,x,x,x,x,x,x)
		mov	ecx, [esi+1C0h]
		mov	edx, [esi+2F8h]
		mov	[ebp+var_20], ecx
		mov	ecx, [esi+1D8h]
		mov	[ebp+var_24], ecx
		mov	ecx, [esi+220h]
		mov	[ebp+var_28], ecx
		mov	ecx, [esi+28h]
		mov	[ebp+var_2C], ecx
		mov	ecx, [esi+2C8h]
		mov	[ebp+var_30], ecx
		mov	ecx, [esi+328h]
		mov	[ebp+var_34], edx
		mov	[ebp+var_38], ecx
		test	eax, eax
		js	loc_A25325
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		mov	[esi+1B8h], eax
		inc	ecx
		mov	eax, [ebp+var_20]
		or	eax, ecx
		and	dword ptr [esi+1BCh], 0
		mov	[esi+1C0h], eax
		mov	eax, [ebp+var_8]
		mov	[esi+1D0h], eax
		mov	eax, [ebp+var_24]
		or	eax, ecx
		and	dword ptr [esi+1D4h], 0
		mov	[esi+1D8h], eax
		mov	eax, [ebp+var_C]
		and	dword ptr [esi+21Ch], 0
		and	dword ptr [esi+24h], 0
		mov	[esi+218h], eax
		mov	eax, [ebp+var_28]
		or	eax, ecx
		mov	[esi+1B0h], edi
		mov	[esi+220h], eax
		mov	eax, [ebp+var_10]
		mov	[esi+20h], eax
		mov	eax, [ebp+var_2C]
		or	eax, ecx
		mov	[esi+1C8h], edi
		mov	[esi+28h], eax
		movzx	eax, word ptr [ebp+var_14]
		push	4
		pop	edx
		mov	[esi+1B4h], edx
		mov	[esi+1CCh], edx
		mov	[esi+214h], edx
		mov	[esi+1Ch], edx
		cdq
		mov	[esi+2C0h], eax
		mov	eax, [ebp+var_30]
		or	eax, ecx
		mov	[esi+2C4h], edx
		mov	[esi+2C8h], eax
		movzx	eax, word ptr [ebp+var_18]
		cdq
		mov	[esi+2D8h], eax
		movzx	eax, word ptr [ebp+var_1C]
		mov	[esi+2DCh], edx
		cdq
		mov	[esi+2F4h], edx
		mov	edx, [ebp+var_34]
		mov	[esi+210h], edi
		mov	[esi+18h], edi
		mov	[esi+2B8h], ecx
		mov	[esi+2BCh], edi
		mov	[esi+2D0h], ecx
		mov	[esi+2D4h], edi
		mov	[esi+2E8h], ecx
		mov	[esi+2ECh], edi
		mov	[esi+2F0h], eax
		jmp	short loc_A2535B
; 

loc_A25325:				; CODE XREF: AslpFileGetHeaderAttributesPE(x,x)+F8j
		mov	eax, [ebp+var_20]
		mov	ecx, edi
		or	eax, edi
		mov	[esi+1C0h], eax
		mov	eax, [ebp+var_24]
		or	eax, edi
		mov	[esi+1D8h], eax
		mov	eax, [ebp+var_28]
		or	eax, edi
		mov	[esi+220h], eax
		mov	eax, [ebp+var_2C]
		or	eax, edi
		mov	[esi+28h], eax
		mov	eax, [ebp+var_30]
		or	eax, edi
		mov	[esi+2C8h], eax

loc_A2535B:				; CODE XREF: AslpFileGetHeaderAttributesPE(x,x)+1F6j
		mov	eax, [ebp+var_38]
		or	edx, ecx
		or	[esi+2E0h], ecx
		or	eax, edi
		mov	[esi+2F8h], edx
		mov	[esi+328h], eax

loc_A25374:				; CODE XREF: AslpFileGetHeaderAttributesPE(x,x)+88j
		xor	edi, edi

loc_A25376:				; CODE XREF: AslpFileGetHeaderAttributesPE(x,x)+4Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileGetHeaderAttributesPE@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetImageNtHeader(x,	x)
_AslpFileGetImageNtHeader@8 proc near	; CODE XREF: AslpFileGetNtHeaderAttributes(x,x,x,x,x,x,x,x,x)+1Ap
					; AslpFileQueryExportName_Vb(x,x)+20p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	10h
		push	offset dword_6AADA0
		call	__SEH_prolog4
		mov	edi, ecx
		cmp	dword ptr [edx+28h], 6
		jz	short loc_A253B2
		mov	esi, 0C00000BBh
		push	esi
		push	offset ??_C@_0BL@MMANKHCP@File?5mapping?5not?5a?5PE?5?$FL?$CFx?$FN@NNGAKEGL@
		push	0F50h
		push	offset ??_C@_0BJ@PNILLELB@AslpFileGetImageNtHeader@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A25428
; 

loc_A253B2:				; CODE XREF: AslpFileGetImageNtHeader(x,x)+12j
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [edx+18h]
		mov	ecx, [eax+3Ch]
		lea	ebx, [ecx+eax]
		add	ecx, 0F8h
		cmp	[edx+14h], esi
		jb	short loc_A253DE
		ja	short loc_A253D2
		cmp	[edx+10h], ecx
		jb	short loc_A253DE

loc_A253D2:				; CODE XREF: AslpFileGetImageNtHeader(x,x)+4Ej
		cmp	[edx+1Ch], ecx
		jb	short loc_A253DE
		mov	[edi], ebx
		mov	[ebp+var_1C], esi
		jmp	short loc_A25421
; 

loc_A253DE:				; CODE XREF: AslpFileGetImageNtHeader(x,x)+4Cj
					; AslpFileGetImageNtHeader(x,x)+53j ...
		mov	esi, 0C000007Bh
		push	esi
		push	offset ??_C@_0BK@JBDFECNJ@File?5mapping?5invalid?5?$FL?$CFx?$FN@NNGAKEGL@
		push	0F5Ch
		jmp	short loc_A2540F
; 

loc_A253F0:				; DATA XREF: .text:006AADB4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A253FE:				; DATA XREF: .text:006AADB8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_20]
		push	esi
		push	(offset	loc_8C4D43+3)
		push	0F65h

loc_A2540F:				; CODE XREF: AslpFileGetImageNtHeader(x,x)+71j
		push	offset ??_C@_0BJ@PNILLELB@AslpFileGetImageNtHeader@NNGAKEGL@
		push	1
		mov	[ebp+var_1C], esi
		call	AslLogCallPrintf
		add	esp, 14h

loc_A25421:				; CODE XREF: AslpFileGetImageNtHeader(x,x)+5Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A25428:				; CODE XREF: AslpFileGetImageNtHeader(x,x)+33j
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileGetImageNtHeader@8 endp


;  S U B	R O U T	I N E 


; __stdcall AslpFileGetModuleType(x, x)
_AslpFileGetModuleType@8 proc near	; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+1BDp
		mov	eax, [edx+28h]
		sub	eax, 4
		jz	short loc_A25461
		sub	eax, 1
		jz	short loc_A25459
		sub	eax, 1
		jz	short loc_A25451
		and	dword ptr [ecx], 0
		jmp	short loc_A25467
; 

loc_A25451:				; CODE XREF: AslpFileGetModuleType(x,x)+10j
		mov	dword ptr [ecx], 3
		jmp	short loc_A25467
; 

loc_A25459:				; CODE XREF: AslpFileGetModuleType(x,x)+Bj
		mov	dword ptr [ecx], 2
		jmp	short loc_A25467
; 

loc_A25461:				; CODE XREF: AslpFileGetModuleType(x,x)+6j
		mov	dword ptr [ecx], 1

loc_A25467:				; CODE XREF: AslpFileGetModuleType(x,x)+15j
					; AslpFileGetModuleType(x,x)+1Dj ...
		xor	eax, eax
		retn
_AslpFileGetModuleType@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetPeExportNameExeWrapper(x, x)
_AslpFileGetPeExportNameExeWrapper@8 proc near
					; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+246p
					; AslFileAllocAndGetAttributes(x,x,x,x)+265p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	ebx, edx
		xor	eax, eax
		mov	esi, ecx
		mov	[ebp+var_8], eax
		push	edi
		mov	ecx, ebx
		mov	[ebp+var_4], eax
		call	_AslFileMappingEnsure@4	; AslFileMappingEnsure(x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_A254AD
		push	edi
		push	offset ??_C@_0CB@GHEHFDAF@AslFileMappingEnsure?5failed?5?$FL?$CFx@NNGAKEGL@
		push	0CE6h

loc_A25499:				; CODE XREF: AslpFileGetPeExportNameExeWrapper(x,x)+C6j
		push	offset ??_C@_0CC@HPCEKKIJ@AslpFileGetPeExportNameExeWrapp@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A2557C
; 

loc_A254AD:				; CODE XREF: AslpFileGetPeExportNameExeWrapper(x,x)+22j
		cmp	dword ptr [ebx+28h], 6
		jz	short loc_A254C8
		or	dword ptr [esi+268h], 2
		or	dword ptr [esi+238h], 2
		xor	edi, edi
		jmp	loc_A2557C
; 

loc_A254C8:				; CODE XREF: AslpFileGetPeExportNameExeWrapper(x,x)+47j
		mov	edx, ebx
		lea	ecx, [ebp+var_8]
		call	_AslpFileGetExeWrapper@8 ; AslpFileGetExeWrapper(x,x)
		xor	edi, edi
		test	eax, eax
		js	short loc_A25500
		mov	eax, [ebp+var_8]
		mov	[esi+260h], eax
		xor	eax, eax
		mov	dword ptr [esi+258h], 2
		inc	eax
		mov	dword ptr [esi+25Ch], 4
		mov	[esi+264h], edi
		jmp	short loc_A25503
; 

loc_A25500:				; CODE XREF: AslpFileGetPeExportNameExeWrapper(x,x)+6Cj
		push	2
		pop	eax

loc_A25503:				; CODE XREF: AslpFileGetPeExportNameExeWrapper(x,x)+94j
		or	[esi+268h], eax
		lea	ecx, [ebp+var_4]
		mov	edx, ebx
		call	_AslpFileGetExportName@8 ; AslpFileGetExportName(x,x)
		test	eax, eax
		js	short loc_A25575
		mov	ecx, [ebp+var_4]
		call	_AslStringXmlSanitize@4	; AslStringXmlSanitize(x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_A25535
		push	edi
		push	offset ??_C@_0CB@KOMIGNHG@AslStringXmlSanitize?5failed?5?$FL?$CFx@NNGAKEGL@
		push	0D09h
		jmp	loc_A25499
; 

loc_A25535:				; CODE XREF: AslpFileGetPeExportNameExeWrapper(x,x)+B9j
		mov	edx, [ebp+var_4]
		xor	edi, edi
		mov	dword ptr [esi+228h], 4
		lea	eax, [edx+2]

loc_A25547:				; CODE XREF: AslpFileGetPeExportNameExeWrapper(x,x)+E6j
		mov	cx, [edx]
		add	edx, 2
		cmp	cx, di
		jnz	short loc_A25547
		sub	edx, eax
		mov	eax, [ebp+var_4]
		sar	edx, 1
		or	dword ptr [esi+238h], 5
		mov	[esi+22Ch], edx
		cdq
		mov	[esi+230h], eax
		mov	[esi+234h], edx
		jmp	short loc_A2557C
; 

loc_A25575:				; CODE XREF: AslpFileGetPeExportNameExeWrapper(x,x)+ABj
		or	dword ptr [esi+238h], 2

loc_A2557C:				; CODE XREF: AslpFileGetPeExportNameExeWrapper(x,x)+3Ej
					; AslpFileGetPeExportNameExeWrapper(x,x)+59j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileGetPeExportNameExeWrapper@8 endp


;  S U B	R O U T	I N E 


; __stdcall AslpFileGetSizeAttributes(x, x)
_AslpFileGetSizeAttributes@8 proc near	; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+15Ap
		mov	eax, [edx+0Ch]
		push	esi
		mov	esi, [edx+8]
		or	dword ptr [ecx+310h], 1
		and	dword ptr [ecx+0Ch], 0
		or	dword ptr [ecx+10h], 1
		mov	[ecx+308h], esi
		mov	[ecx+30Ch], eax
		xor	eax, eax
		mov	[ecx+8], esi
		mov	dword ptr [ecx+300h], 3
		mov	dword ptr [ecx+304h], 8
		mov	dword ptr [ecx], 2
		mov	dword ptr [ecx+4], 4
		pop	esi
		retn
_AslpFileGetSizeAttributes@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetVersionAttributes(x, x)
_AslpFileGetVersionAttributes@8	proc near
					; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+17Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	ecx, [ebp+var_4]
		push	edx
		lea	edx, [ebp+var_8]
		call	_AslpFileGetVersionBlock@12 ; AslpFileGetVersionBlock(x,x,x)
		mov	ecx, eax
		mov	ebx, (offset loc_8C5747+1)
		test	ecx, ecx
		jns	short loc_A2561E
		call	_AslFileResourceNotFound@4 ; AslFileResourceNotFound(x)
		test	eax, eax
		jnz	short loc_A25618
		push	ecx
		push	(offset	loc_8C5795+1)
		push	604h
		push	ebx
		push	3
		call	AslLogCallPrintf
		add	esp, 14h

loc_A25618:				; CODE XREF: AslpFileGetVersionAttributes(x,x)+33j
		xor	esi, esi
		xor	edx, edx
		jmp	short loc_A25624
; 

loc_A2561E:				; CODE XREF: AslpFileGetVersionAttributes(x,x)+2Aj
		mov	esi, [ebp+var_4]
		mov	edx, [ebp+var_8]

loc_A25624:				; CODE XREF: AslpFileGetVersionAttributes(x,x)+4Fj
		mov	ecx, edi
		call	_AslpFileMakeBinVersionAttributes@8 ; AslpFileMakeBinVersionAttributes(x,x)
		mov	edx, esi
		mov	ecx, edi
		call	_AslpFileMakeStringVersionAttributes@8 ; AslpFileMakeStringVersionAttributes(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A25652
		push	esi
		push	offset ??_C@_0DA@JAHKPBMF@AslpFileMakeStringVersionAttrib@NNGAKEGL@
		push	61Ch
		push	ebx
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A25654
; 

loc_A25652:				; CODE XREF: AslpFileGetVersionAttributes(x,x)+6Bj
		xor	esi, esi

loc_A25654:				; CODE XREF: AslpFileGetVersionAttributes(x,x)+83j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileGetVersionAttributes@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileGetVersionBlock(x, x, x)
_AslpFileGetVersionBlock@12 proc near	; CODE XREF: AslpFileGetVersionAttributes(x,x)+1Cp

var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= byte ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	184h
		push	offset dword_6AAD80
		call	__SEH_prolog4
		mov	[ebp+var_3C], edx
		mov	esi, ecx
		mov	[ebp+var_40], esi
		xor	eax, eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	ebx, eax
		mov	[ebp+var_30], ebx
		mov	[ebp+var_24], eax
		push	8
		pop	ecx
		lea	edi, [ebp+var_74]
		rep stosd
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+2Ch]
		test	eax, eax
		jz	short loc_A256B2
		lea	ecx, [eax+28h]
		cmp	word ptr [eax+2], 34h
		sbb	eax, eax
		not	eax
		and	eax, ecx
		mov	[edx], eax
		mov	eax, [edi+2Ch]
		mov	[esi], eax
		xor	edx, edx
		mov	esi, edx
		jmp	loc_A25A4F
; 

loc_A256B2:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+37j
		mov	ecx, edi
		call	_AslFileMappingEnsure@4	; AslFileMappingEnsure(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A256DE
		push	esi
		push	offset ??_C@_0CB@GHEHFDAF@AslFileMappingEnsure?5failed?5?$FL?$CFx@NNGAKEGL@
		push	66Ah
		push	(offset	loc_8C5897+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A25A4F
; 

loc_A256DE:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+62j
		cmp	dword ptr [edi+28h], 6
		jz	short loc_A256EE
		mov	esi, 0C0000089h
		jmp	loc_A25A4F
; 

loc_A256EE:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+87j
		xor	edx, edx
		mov	[ebp+ms_exc.disabled], edx
		mov	[ebp+var_50], 10h
		mov	[ebp+var_4C], 1
		mov	[ebp+var_48], edx
		mov	eax, [edi+18h]
		mov	[ebp+var_34], eax
		mov	ecx, [edi+1Ch]
		mov	[ebp+var_38], ecx
		cmp	[edi+27h], dl
		mov	ecx, edx
		jnz	short loc_A2571C
		mov	ecx, 200h

loc_A2571C:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+BAj
		push	edx
		push	edx
		lea	edx, [ebp+var_24]
		push	edx
		lea	edx, [ebp+var_28]
		push	edx
		push	ecx
		push	3
		lea	ecx, [ebp+var_50]
		push	ecx
		push	eax
		call	_LdrResSearchResource@32 ; LdrResSearchResource(x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jns	loc_A2589B
		mov	ecx, esi
		call	_AslFileResourceNotFound@4 ; AslFileResourceNotFound(x)
		test	eax, eax
		jnz	loc_A25A06
		cmp	esi, 0C000007Bh
		jnz	loc_A258C0
		cmp	[edi+27h], al
		jnz	loc_A258C0
		xor	edx, edx
		cmp	[edi+34h], edx
		jnz	loc_A258C0
		mov	esi, 11Ch
		push	esi		; size_t
		push	edx		; int
		lea	eax, [ebp+var_194]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_194], esi
		mov	[ebp+var_190], 6
		push	2
		pop	eax
		mov	[ebp+var_18C], eax
		push	3
		push	1
		push	3
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		call	_VerSetConditionMask@16	; VerSetConditionMask(x,x,x,x)
		push	edx
		push	eax
		call	_VerSetConditionMask@16	; VerSetConditionMask(x,x,x,x)
		push	edx
		push	eax
		push	3
		lea	eax, [ebp+var_194]
		push	eax
		call	RtlVerifyVersionInfo
		mov	[ebp+var_20], eax
		test	eax, eax
		jns	short loc_A257D9

loc_A257CC:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+260j
		mov	esi, 0C0000089h

loc_A257D1:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+374j
		mov	[ebp+var_20], esi
		jmp	loc_A25A06
; 

loc_A257D9:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+16Fj
		mov	eax, [edi+8]
		xor	edx, edx
		mov	[ebp+var_58], dl
		mov	[ebp+var_74], eax
		mov	[ebp+var_20], edx
		mov	dl, 1
		lea	ecx, [ebp+var_74]
		call	_RtlFileMapMapView@8 ; RtlFileMapMapView(x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jns	short loc_A25819
		push	esi
		push	(offset	loc_8C58AE+2)
		push	6C6h

loc_A25805:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+235j
		push	(offset	loc_8C5897+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A25A06
; 

loc_A25819:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+19Dj
		push	dword ptr [edi]
		push	offset ??_C@_0DC@DPKBOOEO@Re?9mapped?5file?5as?5image?5to?5get?5@NNGAKEGL@
		push	6CFh
		push	(offset	loc_8C5897+1)
		push	3
		call	AslLogCallPrintf
		add	esp, 14h
		xor	ecx, ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		push	ecx
		push	3
		lea	eax, [ebp+var_50]
		push	eax
		mov	eax, [ebp+var_64]
		mov	[ebp+var_34], eax
		push	eax
		call	_LdrResSearchResource@32 ; LdrResSearchResource(x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		mov	eax, (offset loc_8C5887+5)
		jns	short loc_A25866
		mov	eax, offset ??_C@_1BK@GKLIJHC@?$AAD?$AAi?$AAd?$AA?5?$AAn?$AAo?$AAt?$AA?5?$AAf?$AAi?$AAn?$AAd@NNGAKEGL@

loc_A25866:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+204j
		push	esi
		push	eax
		push	offset ??_C@_0DB@HCBHNBKL@?$CFls?5version?5block?5after?5re?9mapp@NNGAKEGL@ ; "%ls version block after re-mapping as i"...
		push	6DCh
		push	(offset	loc_8C5897+1)
		push	2
		call	AslLogCallPrintf
		add	esp, 18h
		test	esi, esi
		jns	short loc_A25895
		push	esi
		push	offset ??_C@_0BP@PMJGBMEO@LdrResFindResource?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	6DFh
		jmp	loc_A25805
; 

loc_A25895:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+228j
		mov	eax, [ebp+var_60]
		mov	[ebp+var_38], eax

loc_A2589B:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+DFj
		cmp	[ebp+var_28], 0
		jnz	short loc_A258E1
		push	esi
		push	offset ??_C@_0EB@PANFBJOL@LdrResFindResource?5returned?5nul@NNGAKEGL@
		push	6EEh
		push	(offset	loc_8C5897+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A257CC
; 

loc_A258C0:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+FAj
					; AslpFileGetVersionBlock(x,x,x)+103j ...
		push	esi
		push	dword ptr [edi]
		push	offset ??_C@_0CD@MLDHNGPC@LdrResFindResource?5failed?5?$CFls?5?$FL@NNGAKEGL@
		push	6E7h
		push	(offset	loc_8C5897+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		jmp	loc_A25A06
; 

loc_A258E1:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+244j
		lea	eax, [ebp+var_2C]
		push	eax
		mov	edx, [ebp+var_24]
		mov	esi, [ebp+var_28]
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jns	short loc_A25908
		push	offset ??_C@_0BL@MHNFPBOP@Version?5block?5has?5bad?5size@NNGAKEGL@
		push	6FCh
		jmp	loc_A259EF
; 

loc_A25908:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+29Cj
		mov	ecx, [ebp+var_34]
		cmp	esi, ecx
		jb	loc_A259E5
		mov	eax, [ebp+var_38]
		add	eax, ecx
		cmp	[ebp+var_2C], eax
		ja	loc_A259E5
		cmp	byte ptr [edi+27h], 0
		jnz	short loc_A25951
		cmp	[ebp+var_70], 0
		jnz	short loc_A25951
		xor	eax, eax
		add	ecx, [edi+10h]
		adc	eax, [edi+14h]
		xor	edx, edx
		cmp	edx, eax
		jb	short loc_A25951
		ja	short loc_A25942
		cmp	[ebp+var_2C], ecx
		jbe	short loc_A25951

loc_A25942:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+2E0j
		push	offset ??_C@_0BL@FACOOBH@Version?5block?5out?5of?5range@NNGAKEGL@
		push	71Ah
		jmp	loc_A259EF
; 

loc_A25951:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+2CAj
					; AslpFileGetVersionBlock(x,x,x)+2D0j ...
		cmp	[ebp+var_24], 26h
		jb	short loc_A259D4
		push	offset ??_C@_1CA@FOECMPGO@?$AAV?$AAS?$AA_?$AAV?$AAE?$AAR?$AAS?$AAI?$AAO?$AAN?$AA_?$AAI?$AAN?$AAF?$AAO@NNGAKEGL@	; wchar_t *
		lea	eax, [esi+6]
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A259D4
		push	ecx
		mov	edx, [ebp+var_24]
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_30], ebx
		test	ebx, ebx
		jnz	short loc_A2598E
		mov	esi, 0C0000017h
		push	offset ??_C@_0O@NALGGDJF@Out?5of?5memory@NNGAKEGL@
		push	730h
		jmp	short loc_A259F4
; 

loc_A2598E:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+320j
		push	[ebp+var_24]	; size_t
		push	[ebp+var_28]	; void *
		push	ebx		; void *
		call	_memmove
		add	esp, 0Ch
		movzx	eax, word ptr [ebx]
		mov	ecx, [ebp+var_24]
		cmp	ecx, eax
		jnb	short loc_A259AA
		mov	[ebx], cx

loc_A259AA:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+34Aj
		mov	[edi+2Ch], ebx
		xor	eax, eax
		mov	ebx, eax
		mov	[ebp+var_30], ebx
		mov	ecx, [edi+2Ch]
		mov	edx, [ebp+var_3C]
		cmp	word ptr [ecx+2], 34h
		jb	short loc_A259C4
		lea	eax, [ecx+28h]

loc_A259C4:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+364j
		mov	[edx], eax
		mov	eax, [ebp+var_40]
		mov	[eax], ecx
		xor	edx, edx
		mov	esi, edx
		jmp	loc_A257D1
; 

loc_A259D4:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+2FAj
					; AslpFileGetVersionBlock(x,x,x)+30Ej
		mov	esi, 0C00000E5h
		push	offset ??_C@_0BG@NGDGBFBB@Version?5block?5invalid@NNGAKEGL@ ; "Version block invalid"
		push	725h
		jmp	short loc_A259F4
; 

loc_A259E5:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+2B2j
					; AslpFileGetVersionBlock(x,x,x)+2C0j
		push	offset ??_C@_0BL@FACOOBH@Version?5block?5out?5of?5range@NNGAKEGL@
		push	708h

loc_A259EF:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+2A8j
					; AslpFileGetVersionBlock(x,x,x)+2F1j
		mov	esi, 0C0000089h

loc_A259F4:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+331j
					; AslpFileGetVersionBlock(x,x,x)+388j
		push	(offset	loc_8C5897+1)
		push	1
		mov	[ebp+var_20], esi
		call	AslLogCallPrintf
		add	esp, 10h

loc_A25A06:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+EEj
					; AslpFileGetVersionBlock(x,x,x)+179j ...
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A25A4F
; 

loc_A25A0F:				; DATA XREF: .text:006AAD94o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_44], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A25A1D:				; DATA XREF: .text:006AAD98o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_44]
		mov	[ebp+var_20], esi
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax]
		push	esi
		push	offset ??_C@_0DC@KHINOBN@Exception?5retrieving?5version?5bl@NNGAKEGL@
		push	756h
		push	(offset	loc_8C5897+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 18h
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ebx, [ebp+var_30]

loc_A25A4F:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+52j
					; AslpFileGetVersionBlock(x,x,x)+7Ej ...
		test	ebx, ebx
		jz	short loc_A25A5E
		push	74705041h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A25A5E:				; CODE XREF: AslpFileGetVersionBlock(x,x,x)+3F6j
		lea	ecx, [ebp+var_74]
		call	RtlFileMapFree
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_AslpFileGetVersionBlock@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileHasActiveMarkWrapper(x, x, x)
_AslpFileHasActiveMarkWrapper@12 proc near ; CODE XREF:	AslpFileGetExeWrapper(x,x)+7Dp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	1Ch
		push	offset dword_6AAD20
		call	__SEH_prolog4
		mov	[ebp+var_1C], edx
		mov	eax, ecx
		mov	[ebp+var_24], eax
		xor	esi, esi
		mov	edi, esi
		mov	[eax], esi
		mov	ebx, [ebp+arg_0]
		mov	ecx, [ebx+1Ch]
		mov	edx, [ebx+10h]
		mov	eax, [ebx+14h]
		cmp	eax, esi
		ja	short loc_A25AAA
		jb	short loc_A25AB2
		cmp	edx, ecx
		jb	short loc_A25AAE

loc_A25AAA:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+28j
		mov	edx, ecx
		mov	eax, esi

loc_A25AAE:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+2Ej
		cmp	eax, esi
		ja	short loc_A25ABE

loc_A25AB2:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+2Aj
		cmp	edx, 400h
		jbe	loc_A25BDB

loc_A25ABE:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+36j
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		ja	loc_A25BDB
		jb	short loc_A25AD3
		cmp	edx, esi
		jnb	loc_A25BDB

loc_A25AD3:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+4Fj
		cmp	[ebx+34h], esi
		jnz	loc_A25BDB
		cmp	[ebx+30h], esi
		jnz	loc_A25BDB
		mov	[ebp+ms_exc.disabled], esi
		mov	ecx, [ebp+var_1C]
		movzx	ecx, word ptr [ecx+18h]
		mov	[ebp+arg_0], 10Bh
		cmp	cx, word ptr [ebp+arg_0]
		jnz	short loc_A25B07
		mov	edi, [ebp+var_1C]
		add	edi, 98h
		jmp	short loc_A25B1D
; 

loc_A25B07:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+80j
		mov	[ebp+arg_0], 20Bh
		cmp	cx, word ptr [ebp+arg_0]
		jnz	short loc_A25B1D
		mov	edi, [ebp+var_1C]
		add	edi, 0A8h

loc_A25B1D:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+8Bj
					; AslpFileHasActiveMarkWrapper(x,x,x)+98j
		test	edi, edi
		jz	short loc_A25B97
		mov	ecx, [edi+4]
		lea	edi, [ecx+400h]
		cmp	eax, esi
		jb	short loc_A25B97
		ja	short loc_A25B34
		cmp	edx, edi
		jbe	short loc_A25B97

loc_A25B34:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+B4j
		mov	eax, [ebx+18h]
		sub	eax, ecx
		lea	ebx, [edx-400h]
		add	ebx, eax
		lea	edi, [ebx+3E6h]

loc_A25B47:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+11Bj
		mov	[ebp+var_28], edi
		cmp	edi, ebx
		jb	short loc_A25B9C
		push	8		; size_t
		push	offset aTmsamvof ; "TMSAMVOF"
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A25B94
		inc	eax
		cmp	ax, [edi+8]
		jnz	short loc_A25B94
		mov	ecx, [edi+12h]
		xor	edx, edx
		add	ecx, [edi+0Eh]
		adc	edx, esi
		add	ecx, [edi+0Ah]
		adc	edx, esi
		add	ecx, 26Eh
		adc	edx, esi
		cmp	ecx, [edi+16h]
		jnz	short loc_A25B94
		cmp	edx, esi
		jnz	short loc_A25B94
		mov	eax, [ebp+var_24]
		mov	dword ptr [eax], 1
		jmp	short loc_A25B9C
; 

loc_A25B94:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+E6j
					; AslpFileHasActiveMarkWrapper(x,x,x)+EDj ...
		dec	edi
		jmp	short loc_A25B47
; 

loc_A25B97:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+A5j
					; AslpFileHasActiveMarkWrapper(x,x,x)+B2j ...
		mov	esi, 0C0000225h

loc_A25B9C:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+D2j
					; AslpFileHasActiveMarkWrapper(x,x,x)+118j
		mov	[ebp+var_20], esi

loc_A25B9F:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+15Fj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A25BE0
; 

loc_A25BA8:				; DATA XREF: .text:006AAD34o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A25BB6:				; DATA XREF: .text:006AAD38o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, [ebp+var_2C]
		mov	[ebp+var_20], esi
		push	esi
		push	(offset	loc_8C4D43+3)
		push	106Dh
		push	offset ??_C@_0BN@JELEGGGH@AslpFileHasActiveMarkWrapper@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A25B9F
; 

loc_A25BDB:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+3Ej
					; AslpFileHasActiveMarkWrapper(x,x,x)+49j ...
		mov	esi, 0C0000225h

loc_A25BE0:				; CODE XREF: AslpFileHasActiveMarkWrapper(x,x,x)+12Cj
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_AslpFileHasActiveMarkWrapper@12 endp


;  S U B	R O U T	I N E 


; __stdcall AslpFileHasArmadilloWrapper(x)
_AslpFileHasArmadilloWrapper@4 proc near ; CODE	XREF: AslpFileGetExeWrapper(x,x)+D4p
		cmp	dword ptr [ecx], 4550h
		jnz	short loc_A25C0C
		cmp	byte ptr [ecx+1Ah], 53h
		jnz	short loc_A25C0C
		cmp	byte ptr [ecx+1Bh], 52h
		jnz	short loc_A25C0C
		xor	eax, eax
		inc	eax
		retn
; 

loc_A25C0C:				; CODE XREF: AslpFileHasArmadilloWrapper(x)+6j
					; AslpFileHasArmadilloWrapper(x)+Cj ...
		xor	eax, eax
		retn
_AslpFileHasArmadilloWrapper@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileHasSecuromWrapper(x)
_AslpFileHasSecuromWrapper@4 proc near	; CODE XREF: AslpFileGetExeWrapper(x,x)+62p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	eax, word ptr [ecx+14h]
		push	ebx
		push	esi
		push	edi
		lea	edi, [ecx+18h]
		mov	[ebp+var_4], ecx
		add	edi, eax
		xor	esi, esi
		xor	eax, eax
		mov	ebx, esi
		cmp	ax, [ecx+6]
		jnb	short loc_A25C62

loc_A25C30:				; CODE XREF: AslpFileHasSecuromWrapper(x)+4Cj
		cmp	[edi+0Ch], esi
		jz	short loc_A25C51
		cmp	[edi+8], esi
		jz	short loc_A25C51
		push	8		; size_t
		push	offset ??_C@_08EFCIKEPK@?4securom@NNGAKEGL@ ; char *
		push	edi		; char *
		call	_strncmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A25C5F
		mov	ecx, [ebp+var_4]

loc_A25C51:				; CODE XREF: AslpFileHasSecuromWrapper(x)+24j
					; AslpFileHasSecuromWrapper(x)+29j
		movzx	eax, word ptr [ecx+6]
		inc	ebx
		add	edi, 28h
		cmp	ebx, eax
		jb	short loc_A25C30
		jmp	short loc_A25C62
; 

loc_A25C5F:				; CODE XREF: AslpFileHasSecuromWrapper(x)+3Dj
		xor	esi, esi
		inc	esi

loc_A25C62:				; CODE XREF: AslpFileHasSecuromWrapper(x)+1Fj
					; AslpFileHasSecuromWrapper(x)+4Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileHasSecuromWrapper@4 endp


;  S U B	R O U T	I N E 


; __stdcall AslpFileMakeBinVersionAttributes(x,	x)
_AslpFileMakeBinVersionAttributes@8 proc near
					; CODE XREF: AslpFileGetVersionAttributes(x,x)+59p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	edx, edx
		jnz	short loc_A25C95
		push	2
		pop	ecx
		or	[esi+148h], ecx
		or	[esi+160h], ecx
		or	[esi+178h], ecx
		or	[esi+190h], ecx
		or	[esi+70h], ecx
		or	[esi+58h], ecx
		pop	esi
		retn
; 

loc_A25C95:				; CODE XREF: AslpFileMakeBinVersionAttributes(x,x)+7j
		push	ebx
		push	edi
		push	2
		pop	ecx
		push	4
		pop	ebx
		mov	[esi+13Ch], ebx
		xor	edi, edi
		mov	[esi+138h], ecx
		mov	eax, [edx+2Ch]
		or	dword ptr [esi+148h], 1
		mov	[esi+144h], edi
		mov	[esi+154h], ebx
		mov	[esi+140h], eax
		mov	[esi+150h], ecx
		mov	eax, [edx+30h]
		or	dword ptr [esi+160h], 1
		mov	[esi+15Ch], edi
		mov	[esi+16Ch], ebx
		mov	[esi+158h], eax
		mov	[esi+168h], ecx
		mov	eax, [edx+20h]
		or	dword ptr [esi+178h], 1
		mov	[esi+184h], ebx
		push	3
		mov	[esi+174h], edi
		pop	ebx
		mov	[esi+170h], eax
		mov	[esi+180h], ecx
		mov	eax, [edx+24h]
		or	dword ptr [esi+190h], 1
		mov	[esi+18Ch], edi
		push	8
		mov	[esi+188h], eax
		mov	eax, [edx+14h]
		mov	ecx, [edx+10h]
		or	dword ptr [esi+70h], 1
		pop	edi
		mov	[esi+60h], ebx
		mov	[esi+64h], edi
		mov	[esi+68h], eax
		mov	[esi+6Ch], ecx
		mov	eax, [edx+0Ch]
		mov	ecx, [edx+8]
		or	dword ptr [esi+58h], 1
		mov	[esi+4Ch], edi
		pop	edi
		mov	[esi+48h], ebx
		pop	ebx
		mov	[esi+50h], eax
		mov	[esi+54h], ecx
		pop	esi
		retn
_AslpFileMakeBinVersionAttributes@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileMakeStringVersionAttributes(x, x)
_AslpFileMakeStringVersionAttributes@8 proc near
					; CODE XREF: AslpFileGetVersionAttributes(x,x)+62p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	ebx, ebx
		mov	eax, edx
		mov	[ebp+var_18], eax
		mov	[ebp+var_20], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_14], ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	eax, eax
		jnz	short loc_A25DC9
		push	2
		pop	ebx
		or	[esi+88h], ebx
		or	[esi+0A0h], ebx
		or	[esi+0B8h], ebx
		or	[esi+0D0h], ebx
		or	[esi+0E8h], ebx
		or	[esi+100h], ebx
		or	[esi+118h], ebx
		or	[esi+130h], ebx

loc_A25DBA:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+189j
					; AslpFileMakeStringVersionAttributes(x,x)+193j
		or	[esi+250h], ebx

loc_A25DC0:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+1C0j
		xor	eax, eax
		mov	edi, eax
		jmp	loc_A25F3C
; 

loc_A25DC9:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+28j
		lea	ecx, [ebp+var_8]
		mov	edx, offset ??_C@_1DC@HCLBMGIA@?$AA?2?$AAV?$AAa?$AAr?$AAF?$AAi?$AAl?$AAe?$AAI?$AAn?$AAf?$AAo?$AA?2?$AAT?$AAr@NNGAKEGL@
		push	ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		mov	ecx, eax
		call	_AslpFileVerQueryBlock@16 ; AslpFileVerQueryBlock(x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000225h
		jnz	short loc_A25DF0
		mov	eax, ebx
		mov	edi, ebx
		mov	[ebp+var_4], eax
		jmp	short loc_A25E36
; 

loc_A25DF0:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+88j
		test	edi, edi
		jns	short loc_A25E04
		push	edi
		push	offset ??_C@_0CC@NIKDGGIJ@AslpFileVerQueryBlock?5failed?5?$FL?$CF@NNGAKEGL@
		push	0A51h
		jmp	loc_A25F2D
; 

loc_A25E04:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+95j
		push	[ebp+var_8]
		mov	[ebp+var_4], ebx
		lea	ecx, [ebp+var_14]
		mov	edi, ebx
		mov	ebx, [ebp+var_10]
		mov	edx, ebx
		call	_AslpFileVerBlockGetValueOffset@12 ; AslpFileVerBlockGetValueOffset(x,x,x)
		test	eax, eax
		js	short loc_A25E32
		mov	ecx, [ebp+var_14]
		cmp	[ebp+var_8], ecx
		jbe	short loc_A25E32
		mov	edi, [ebp+var_8]
		lea	eax, [ecx+ebx]
		mov	[ebp+var_4], eax
		sub	edi, ecx
		jmp	short loc_A25E34
; 

loc_A25E32:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+BEj
					; AslpFileMakeStringVersionAttributes(x,x)+C6j
		mov	eax, edi

loc_A25E34:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+D3j
		xor	ebx, ebx

loc_A25E36:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+91j
		mov	ecx, ebx
		shr	edi, 2
		push	2
		mov	[ebp+var_8], edi
		mov	[ebp+var_10], ecx
		pop	ebx

loc_A25E44:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+175j
		push	ds:off_404204[ecx]
		mov	edx, ds:dword_404200[ecx]
		lea	ecx, [ebp+var_C]
		push	edi
		push	eax
		push	[ebp+var_18]
		mov	[ebp+var_14], edx
		lea	edx, [ebp+var_1C]
		call	_AslpFileQueryVersionString@24 ; AslpFileQueryVersionString(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A25EAE
		mov	ecx, [ebp+var_C]
		call	_AslStringXmlSanitize@4	; AslStringXmlSanitize(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A25ED7
		imul	edi, [ebp+var_14], 18h
		mov	edx, [ebp+var_C]
		lea	eax, [edx+2]
		mov	dword ptr [edi+esi], 4

loc_A25E88:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+134j
		mov	cx, [edx]
		add	edx, ebx
		cmp	cx, word ptr [ebp+var_20]
		jnz	short loc_A25E88
		sub	edx, eax
		mov	eax, [ebp+var_C]
		sar	edx, 1
		or	dword ptr [edi+esi+10h], 1
		mov	[edi+esi+4], edx
		cdq
		mov	[edi+esi+8], eax
		mov	[edi+esi+0Ch], edx
		jmp	short loc_A25EBE
; 

loc_A25EAE:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+10Aj
		cmp	edi, 0C0000225h
		jnz	short loc_A25F22
		imul	eax, [ebp+var_14], 18h
		or	[eax+esi+10h], ebx

loc_A25EBE:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+14Fj
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_4]
		add	ecx, 8
		mov	[ebp+var_10], ecx
		cmp	ecx, 40h
		jnb	short loc_A25EE4
		mov	edi, [ebp+var_8]
		jmp	loc_A25E44
; 

loc_A25ED7:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+118j
		push	edi
		push	offset ??_C@_0CB@KOMIGNHG@AslStringXmlSanitize?5failed?5?$FL?$CFx@NNGAKEGL@
		push	0A7Bh
		jmp	short loc_A25F2D
; 

loc_A25EE4:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+170j
		test	eax, eax
		jz	loc_A25DBA
		cmp	[ebp+var_8], 1
		jnz	loc_A25DBA
		mov	[esi+240h], ebx
		mov	dword ptr [esi+244h], 4
		movzx	eax, word ptr [eax]
		or	dword ptr [esi+250h], 1
		cdq
		mov	[esi+248h], eax
		mov	[esi+24Ch], edx
		jmp	loc_A25DC0
; 

loc_A25F22:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+157j
		push	edi
		push	(offset	loc_8C5B81+3)
		push	0A88h

loc_A25F2D:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+A2j
					; AslpFileMakeStringVersionAttributes(x,x)+185j
		push	offset ??_C@_0CE@OAAMAOIJ@AslpFileMakeStringVersionAttrib@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A25F3C:				; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+67j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileMakeStringVersionAttributes@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileQuery16BitDescription(x, x)
_AslpFileQuery16BitDescription@8 proc near ; CODE XREF:	AslpFileGet16BitDescription(x,x)+49p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	20h
		push	offset dword_6AACE0
		call	__SEH_prolog4
		mov	edi, ecx
		xor	ebx, ebx
		mov	[edi], bl
		cmp	dword ptr [edx+28h], 5
		jz	short loc_A25F65
		mov	ebx, 0C00000BBh
		jmp	loc_A26051
; 

loc_A25F65:				; CODE XREF: AslpFileQuery16BitDescription(x,x)+16j
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [edx+18h]
		mov	[ebp+var_24], esi
		mov	eax, [esi+3Ch]
		mov	[ebp+var_28], eax
		mov	eax, [edx+10h]
		mov	[ebp+var_2C], eax
		mov	ecx, [edx+14h]
		mov	[ebp+var_20], ecx
		mov	edx, [ebp+var_28]
		cmp	ecx, ebx
		jb	short loc_A25FF6
		ja	short loc_A25F90
		lea	ecx, [edx+40h]
		cmp	eax, ecx
		jb	short loc_A25FF6

loc_A25F90:				; CODE XREF: AslpFileQuery16BitDescription(x,x)+44j
		mov	ecx, [edx+esi+2Ch]
		lea	edx, [ecx+1]
		cmp	[ebp+var_20], ebx
		jb	short loc_A25FF6
		ja	short loc_A25FA2
		cmp	eax, edx
		jb	short loc_A25FF6

loc_A25FA2:				; CODE XREF: AslpFileQuery16BitDescription(x,x)+59j
		movzx	esi, byte ptr [ecx+esi]
		test	esi, esi
		jz	short loc_A25FEA
		lea	eax, [esi+1]
		cmp	eax, 100h
		ja	short loc_A25FEA
		lea	eax, [ecx+1]
		add	eax, esi
		cmp	[ebp+var_20], ebx
		ja	short loc_A25FD1
		jb	short loc_A25FC5
		cmp	[ebp+var_2C], eax
		jnb	short loc_A25FD1

loc_A25FC5:				; CODE XREF: AslpFileQuery16BitDescription(x,x)+7Bj
		push	(offset	loc_8C5FF9+3)
		push	123Ch
		jmp	short loc_A26000
; 

loc_A25FD1:				; CODE XREF: AslpFileQuery16BitDescription(x,x)+79j
					; AslpFileQuery16BitDescription(x,x)+80j
		push	esi		; size_t
		mov	eax, [ebp+var_24]
		inc	eax
		add	eax, ecx
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[esi+edi], bl
		mov	[ebp+var_1C], ebx
		jmp	short loc_A2604A
; 

loc_A25FEA:				; CODE XREF: AslpFileQuery16BitDescription(x,x)+65j
					; AslpFileQuery16BitDescription(x,x)+6Fj
		push	(offset	loc_8C5FF9+3)
		push	1236h
		jmp	short loc_A26000
; 

loc_A25FF6:				; CODE XREF: AslpFileQuery16BitDescription(x,x)+42j
					; AslpFileQuery16BitDescription(x,x)+4Bj ...
		push	(offset	loc_8C5FF9+3)
		push	122Dh

loc_A26000:				; CODE XREF: AslpFileQuery16BitDescription(x,x)+8Cj
					; AslpFileQuery16BitDescription(x,x)+B1j
		push	(offset	loc_8C600E+4)
		mov	ebx, 0C000007Bh
		push	1
		mov	[ebp+var_1C], ebx
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_A2604A
; 

loc_A26019:				; DATA XREF: .text:006AACF4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A26027:				; DATA XREF: .text:006AACF8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_30]
		mov	[ebp+var_1C], ebx
		push	ebx
		push	(offset	loc_8C4D43+3)
		push	1247h
		push	(offset	loc_8C600E+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A2604A:				; CODE XREF: AslpFileQuery16BitDescription(x,x)+A5j
					; AslpFileQuery16BitDescription(x,x)+D4j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A26051:				; CODE XREF: AslpFileQuery16BitDescription(x,x)+1Dj
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileQuery16BitDescription@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileQuery16BitModuleName(x, x)
_AslpFileQuery16BitModuleName@8	proc near ; CODE XREF: AslpFileGet16BitModuleName(x,x)+49p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	20h
		push	offset dword_6AACC0
		call	__SEH_prolog4
		mov	edi, ecx
		xor	ebx, ebx
		mov	[edi], bl
		cmp	dword ptr [edx+28h], 5
		jz	short loc_A26085
		mov	ebx, 0C00000BBh
		jmp	loc_A2616D
; 

loc_A26085:				; CODE XREF: AslpFileQuery16BitModuleName(x,x)+16j
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, [edx+18h]
		mov	[ebp+var_20], esi
		mov	eax, [esi+3Ch]
		mov	[ebp+var_28], eax
		mov	ecx, [edx+10h]
		mov	edx, [edx+14h]
		mov	[ebp+var_2C], edx
		lea	esi, [eax+40h]
		mov	[ebp+var_24], esi
		cmp	edx, ebx
		mov	esi, [ebp+var_20]
		jb	short loc_A26112
		ja	short loc_A260B1
		cmp	ecx, [ebp+var_24]
		jb	short loc_A26112

loc_A260B1:				; CODE XREF: AslpFileQuery16BitModuleName(x,x)+47j
		movzx	eax, word ptr [eax+esi+26h]
		cmp	edx, ebx
		mov	esi, [ebp+var_20]
		jb	short loc_A26112
		ja	short loc_A260C6
		lea	edx, [eax+1]
		cmp	ecx, edx
		jb	short loc_A26112

loc_A260C6:				; CODE XREF: AslpFileQuery16BitModuleName(x,x)+5Aj
		add	eax, [ebp+var_28]
		movzx	esi, byte ptr [eax+esi]
		test	esi, esi
		jz	short loc_A26106
		lea	edx, [eax+1]
		add	edx, esi
		cmp	[ebp+var_2C], ebx
		ja	short loc_A260ED
		jb	short loc_A260E1
		cmp	ecx, edx
		jnb	short loc_A260ED

loc_A260E1:				; CODE XREF: AslpFileQuery16BitModuleName(x,x)+78j
		push	(offset	loc_8C5FF9+3)
		push	128Ah
		jmp	short loc_A2611C
; 

loc_A260ED:				; CODE XREF: AslpFileQuery16BitModuleName(x,x)+76j
					; AslpFileQuery16BitModuleName(x,x)+7Cj
		push	esi		; size_t
		mov	ecx, [ebp+var_20]
		inc	ecx
		add	eax, ecx
		push	eax		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[esi+edi], bl
		mov	[ebp+var_1C], ebx
		jmp	short loc_A26166
; 

loc_A26106:				; CODE XREF: AslpFileQuery16BitModuleName(x,x)+6Cj
		push	(offset	loc_8C5FF9+3)
		push	1283h
		jmp	short loc_A2611C
; 

loc_A26112:				; CODE XREF: AslpFileQuery16BitModuleName(x,x)+45j
					; AslpFileQuery16BitModuleName(x,x)+4Cj ...
		push	(offset	loc_8C5FF9+3)
		push	127Ah

loc_A2611C:				; CODE XREF: AslpFileQuery16BitModuleName(x,x)+88j
					; AslpFileQuery16BitModuleName(x,x)+ADj
		push	(offset	loc_8C5F8C+2)
		mov	ebx, 0C000007Bh
		push	1
		mov	[ebp+var_1C], ebx
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	short loc_A26166
; 

loc_A26135:				; DATA XREF: .text:006AACD4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A26143:				; DATA XREF: .text:006AACD8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_30]
		mov	[ebp+var_1C], ebx
		push	ebx
		push	(offset	loc_8C4D43+3)
		push	1295h
		push	(offset	loc_8C5F8C+2)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A26166:				; CODE XREF: AslpFileQuery16BitModuleName(x,x)+A1j
					; AslpFileQuery16BitModuleName(x,x)+D0j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A2616D:				; CODE XREF: AslpFileQuery16BitModuleName(x,x)+1Dj
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileQuery16BitModuleName@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileQueryVersionString(x, x, x,	x, x, x)
_AslpFileQueryVersionString@24 proc near
					; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+101p

var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= word ptr -104h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 128h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_11C], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[ebp+var_120], eax
		mov	eax, [ebp+arg_C]
		push	esi
		mov	[ebp+var_118], eax
		xor	eax, eax
		push	edi
		xor	edi, edi
		mov	[ebp+var_124], edx
		mov	[ecx], edi
		mov	ebx, edi
		mov	[ebp+var_128], ecx
		mov	[ebp+var_104], ax
		mov	[ebp+var_114], edi
		mov	[ebp+var_110], edi
		mov	[ebp+var_10C], edi
		mov	[ebp+var_108], edi
		mov	[edx], edi

loc_A261E7:				; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+DBj
		push	dword ptr ds:(loc_404F3B+5)[ebx]
		mov	edx, 80h
		lea	ecx, [ebp+var_104]
		call	RtlStringCchCopyW
		mov	esi, eax
		test	esi, esi
		js	loc_A2637C
		push	[ebp+var_118]
		mov	edx, 80h
		lea	ecx, [ebp+var_104]
		call	_RtlStringCchCatW@12 ; RtlStringCchCatW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2636F
		mov	ecx, [ebp+var_11C]
		lea	eax, [ebp+var_108]
		push	eax
		lea	eax, [ebp+var_10C]
		push	eax
		lea	edx, [ebp+var_104]
		call	_AslpFileVerQueryBlock@16 ; AslpFileVerQueryBlock(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2626E
		cmp	esi, 0C0000225h
		jnz	short loc_A2625E
		add	ebx, 4
		cmp	ebx, 10h
		jb	short loc_A261E7
		jmp	short loc_A26293
; 

loc_A2625E:				; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+D3j
		push	esi
		push	offset ??_C@_0CC@NIKDGGIJ@AslpFileVerQueryBlock?5failed?5?$FL?$CF@NNGAKEGL@
		push	0C94h
		jmp	loc_A26387
; 

loc_A2626E:				; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+CBj
		push	[ebp+var_108]
		lea	edx, [ebp+var_110]
		push	[ebp+var_10C]
		lea	ecx, [ebp+var_114]
		call	_AslpFileVerStringBlockGetValue@16 ; AslpFileVerStringBlockGetValue(x,x,x,x)
		test	eax, eax
		jns	loc_A26342

loc_A26293:				; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+DDj
		mov	ebx, [ebp+var_120]
		test	ebx, ebx
		jz	short loc_A2630A
		cmp	[ebp+arg_8], edi
		jbe	short loc_A2630A

loc_A262A2:				; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+189j
		push	[ebp+var_118]
		movzx	eax, word ptr [ebx+2]
		push	eax
		movzx	eax, word ptr [ebx]
		push	eax		; char
		push	offset ??_C@_1DI@IKFJEGJK@?$AA?2?$AAS?$AAt?$AAr?$AAi?$AAn?$AAg?$AAF?$AAi?$AAl?$AAe?$AAI?$AAn?$AAf?$AAo@NNGAKEGL@ ; wchar_t *
		lea	eax, [ebp+var_104]
		push	80h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 18h
		test	esi, esi
		js	loc_A26362
		mov	ecx, [ebp+var_11C]
		lea	eax, [ebp+var_108]
		push	eax
		lea	eax, [ebp+var_10C]
		push	eax
		lea	edx, [ebp+var_104]
		call	_AslpFileVerQueryBlock@16 ; AslpFileVerQueryBlock(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A26321
		cmp	esi, 0C0000225h
		jnz	short loc_A26314
		inc	edi
		add	ebx, 4
		cmp	edi, [ebp+arg_8]
		jb	short loc_A262A2

loc_A2630A:				; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+11Cj
					; AslpFileQueryVersionString(x,x,x,x,x,x)+121j	...
		mov	eax, 0C0000225h
		jmp	loc_A26398
; 

loc_A26314:				; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+180j
		push	esi
		push	offset ??_C@_0CC@NIKDGGIJ@AslpFileVerQueryBlock?5failed?5?$FL?$CF@NNGAKEGL@
		push	0CC4h
		jmp	short loc_A26387
; 

loc_A26321:				; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+178j
		push	[ebp+var_108]
		lea	edx, [ebp+var_110]
		push	[ebp+var_10C]
		lea	ecx, [ebp+var_114]
		call	_AslpFileVerStringBlockGetValue@16 ; AslpFileVerStringBlockGetValue(x,x,x,x)
		test	eax, eax
		js	short loc_A2630A

loc_A26342:				; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+10Ej
		mov	ecx, [ebp+var_124]
		mov	eax, [ebp+var_110]
		mov	[ecx], eax
		mov	ecx, [ebp+var_128]
		mov	eax, [ebp+var_114]
		mov	[ecx], eax
		xor	eax, eax
		jmp	short loc_A26398
; 

loc_A26362:				; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+14Fj
		push	esi
		push	offset ??_C@_0CA@FFNDHPE@RtlStringCchPrintfW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	0CA6h
		jmp	short loc_A26387
; 

loc_A2636F:				; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+A2j
		push	esi
		push	offset ??_C@_0BN@IGBCHOAA@RtlStringCchCatW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	0C76h
		jmp	short loc_A26387
; 

loc_A2637C:				; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+82j
		push	esi
		push	offset ??_C@_0BO@LFCDCAJH@RtlStringCchCopyW?5failed?5?$FL?$CFx?$FN@NNGAKEGL@
		push	0C70h

loc_A26387:				; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+EAj
					; AslpFileQueryVersionString(x,x,x,x,x,x)+1A0j	...
		push	(offset	loc_8C5C83+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		mov	eax, esi

loc_A26398:				; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+190j
					; AslpFileQueryVersionString(x,x,x,x,x,x)+1E1j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_AslpFileQueryVersionString@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileVerQueryBlock(x, x,	x, x)
_AslpFileVerQueryBlock@16 proc near	; CODE XREF: AslpFileMakeStringVersionAttributes(x,x)+7Bp
					; AslpFileQueryVersionString(x,x,x,x,x,x)+C2p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		push	edi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	[eax], ecx
		cmp	[esi+4], cx
		jz	short loc_A263EE
		push	offset ??_C@_0BG@NGDGBFBB@Version?5block?5invalid@NNGAKEGL@ ; "Version block invalid"
		push	0B33h
		push	offset ??_C@_0BG@IJCNELEP@AslpFileVerQueryBlock@NNGAKEGL@
		push	1
		mov	edi, 0C000000Dh
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_A2652C
; 

loc_A263EE:				; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+20j
		lea	ecx, [ebp+var_4]
		call	AslStringDuplicate
		mov	edi, eax
		test	edi, edi
		jns	short loc_A2641B
		push	edi
		push	(offset	loc_8C3E05+1)
		push	0B39h
		push	offset ??_C@_0BG@IJCNELEP@AslpFileVerQueryBlock@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A26519
; 

loc_A2641B:				; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+51j
		movzx	eax, word ptr [esi]
		mov	ecx, 7FFFh
		cmp	ax, cx
		jbe	short loc_A2644B
		push	offset ??_C@_0BJ@DLBDCGBP@VersionBlock?5is?5too?5long@NNGAKEGL@
		push	0B45h

loc_A26432:				; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+B4j
		push	offset ??_C@_0BG@IJCNELEP@AslpFileVerQueryBlock@NNGAKEGL@
		push	1
		mov	edi, 0C000000Dh
		call	AslLogCallPrintf
		add	esp, 10h
		jmp	loc_A26519
; 

loc_A2644B:				; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+7Dj
		push	8
		pop	ecx
		cmp	ax, cx
		jnb	short loc_A2645F
		push	offset ??_C@_0BN@OIJGCAOH@VersionBlock?5not?5long?5enough@NNGAKEGL@
		push	0B4Ah
		jmp	short loc_A26432
; 

loc_A2645F:				; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+A8j
		mov	ecx, [ebp+var_4]
		push	ebx
		lea	ebx, [esi+eax]
		movzx	eax, word ptr [ebx-2]
		mov	edi, ebx
		mov	[ebp+var_14], eax
		xor	eax, eax
		mov	[ebx-2], ax
		jmp	short loc_A264EF
; 

loc_A26477:				; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+154j
		mov	ecx, ebx
		push	8
		sub	ecx, esi
		pop	eax
		cmp	ecx, eax
		jb	short loc_A264E6
		movzx	edi, word ptr [esi]
		cmp	edi, ecx
		ja	short loc_A264E6
		push	ecx
		mov	edx, esi
		lea	ecx, [ebp+var_8]
		call	_AslpFileVerBlockGetValueOffset@12 ; AslpFileVerBlockGetValueOffset(x,x,x)
		test	eax, eax
		js	short loc_A264E6
		movzx	ecx, word ptr [esi+2]
		mov	eax, [ebp+var_8]
		add	ecx, 3
		and	ecx, 0FFFFFFFCh
		add	eax, ecx
		mov	[ebp+var_8], eax
		cmp	eax, edi
		ja	short loc_A264E6
		add	edi, esi
		jmp	short loc_A264E0
; 

loc_A264B2:				; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+13Bj
		movzx	eax, word ptr [esi]
		push	8
		pop	ecx
		cmp	ax, cx
		jbe	short loc_A264E6
		mov	ecx, edi
		sub	ecx, esi
		cmp	eax, ecx
		ja	short loc_A264E6
		lea	eax, [esi+6]
		push	eax		; wchar_t *
		push	[ebp+var_10]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A264ED
		movzx	eax, word ptr [esi]
		add	eax, 3
		and	eax, 0FFFFFFFCh

loc_A264E0:				; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+107j
		add	esi, eax
		cmp	esi, edi
		jb	short loc_A264B2

loc_A264E6:				; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+D7j
					; AslpFileVerQueryBlock(x,x,x,x)+DEj ...
		mov	edi, 0C0000225h
		jmp	short loc_A26511
; 

loc_A264ED:				; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+12Cj
		xor	ecx, ecx

loc_A264EF:				; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+CCj
		lea	eax, [ebp+var_C]
		push	eax
		call	_AslpFileStringTokenize@12 ; AslpFileStringTokenize(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	loc_A26477
		mov	eax, [ebp+arg_4]
		sub	edi, esi
		mov	[eax], edi
		xor	edi, edi
		mov	eax, [ebp+arg_0]
		mov	[eax], esi

loc_A26511:				; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+142j
		mov	eax, [ebp+var_14]
		mov	[ebx-2], ax
		pop	ebx

loc_A26519:				; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+6Dj
					; AslpFileVerQueryBlock(x,x,x,x)+9Dj
		cmp	[ebp+var_4], 0
		jz	short loc_A2652C
		push	74705041h
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2652C:				; CODE XREF: AslpFileVerQueryBlock(x,x,x,x)+40j
					; AslpFileVerQueryBlock(x,x,x,x)+174j
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn	8
_AslpFileVerQueryBlock@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileVerStringBlockGetValue(x, x, x, x)
_AslpFileVerStringBlockGetValue@16 proc	near
					; CODE XREF: AslpFileQueryVersionString(x,x,x,x,x,x)+107p
					; AslpFileQueryVersionString(x,x,x,x,x,x)+1BAp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, edx
		xor	edx, edx
		mov	[ebp+var_10], ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, edx
		mov	[ecx], edx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], edx
		mov	[eax], edx
		mov	edx, ebx
		push	edi
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], esi
		call	_AslpFileVerBlockGetValueOffset@12 ; AslpFileVerBlockGetValueOffset(x,x,x)
		test	eax, eax
		js	short loc_A265B6
		mov	eax, [ebp+var_4]
		cmp	eax, edi
		jbe	short loc_A26578
		mov	eax, 0C000000Dh
		jmp	short loc_A265B6
; 

loc_A26578:				; CODE XREF: AslpFileVerStringBlockGetValue(x,x,x,x)+3Bj
		jnz	short loc_A26581
		add	ebx, 0FFFFFFFEh
		add	ebx, eax
		jmp	short loc_A265A8
; 

loc_A26581:				; CODE XREF: AslpFileVerStringBlockGetValue(x,x,x,x):loc_A26578j
		add	ebx, eax
		sub	edi, eax
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_RtlStringCbLengthW@12 ; RtlStringCbLengthW(x,x,x)
		test	eax, eax
		jns	short loc_A265A5
		lea	esi, [edi-2]
		mov	eax, esi
		shr	eax, 1
		xor	ecx, ecx
		mov	[ebx+eax*2], cx
		jmp	short loc_A265A8
; 

loc_A265A5:				; CODE XREF: AslpFileVerStringBlockGetValue(x,x,x,x)+60j
		mov	esi, [ebp+var_8]

loc_A265A8:				; CODE XREF: AslpFileVerStringBlockGetValue(x,x,x,x)+4Bj
					; AslpFileVerStringBlockGetValue(x,x,x,x)+6Fj
		mov	ecx, [ebp+var_C]
		xor	eax, eax
		shr	esi, 1
		mov	[ecx], esi
		mov	ecx, [ebp+var_10]
		mov	[ecx], ebx

loc_A265B6:				; CODE XREF: AslpFileVerStringBlockGetValue(x,x,x,x)+34j
					; AslpFileVerStringBlockGetValue(x,x,x,x)+42j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_AslpFileVerStringBlockGetValue@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpHasStarForceWrapper(x)
_AslpHasStarForceWrapper@4 proc	near	; CODE XREF: AslpFileGetExeWrapper(x,x)+E8p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	eax, word ptr [ecx+14h]
		push	ebx
		push	esi
		push	edi
		lea	edi, [ecx+18h]
		mov	[ebp+var_4], ecx
		add	edi, eax
		xor	esi, esi
		xor	eax, eax
		mov	ebx, esi
		cmp	ax, [ecx+6]
		jnb	short loc_A26610

loc_A265DE:				; CODE XREF: AslpHasStarForceWrapper(x)+4Cj
		cmp	[edi+0Ch], esi
		jz	short loc_A265FF
		cmp	[edi+8], esi
		jz	short loc_A265FF
		push	8		; size_t
		push	offset ??_C@_04MBIOBMOF@?4ps4@NNGAKEGL@	; char *
		push	edi		; char *
		call	_strncmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A2660D
		mov	ecx, [ebp+var_4]

loc_A265FF:				; CODE XREF: AslpHasStarForceWrapper(x)+24j
					; AslpHasStarForceWrapper(x)+29j
		movzx	eax, word ptr [ecx+6]
		inc	ebx
		add	edi, 28h
		cmp	ebx, eax
		jb	short loc_A265DE
		jmp	short loc_A26610
; 

loc_A2660D:				; CODE XREF: AslpHasStarForceWrapper(x)+3Dj
		xor	esi, esi
		inc	esi

loc_A26610:				; CODE XREF: AslpHasStarForceWrapper(x)+1Fj
					; AslpHasStarForceWrapper(x)+4Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_AslpHasStarForceWrapper@4 endp


;  S U B	R O U T	I N E 


; __stdcall AslpImageRvaToSection(x, x)
_AslpImageRvaToSection@8 proc near	; CODE XREF: AslpImageRvaToVa(x,x,x)+20p
		mov	ax, [ecx+14h]
		push	ebx
		movzx	ebx, word ptr [ecx+6]
		push	esi
		push	edi
		movzx	eax, ax
		lea	esi, [ecx+18h]
		mov	edi, edx
		add	esi, eax
		xor	edx, edx
		test	ebx, ebx
		jz	short loc_A2664A

loc_A26632:				; CODE XREF: AslpImageRvaToSection(x,x)+31j
		mov	ecx, [esi+0Ch]
		cmp	edi, ecx
		jb	short loc_A26642
		mov	eax, [esi+10h]
		add	eax, ecx
		cmp	edi, eax
		jb	short loc_A26650

loc_A26642:				; CODE XREF: AslpImageRvaToSection(x,x)+20j
		add	esi, 28h
		inc	edx
		cmp	edx, ebx
		jb	short loc_A26632

loc_A2664A:				; CODE XREF: AslpImageRvaToSection(x,x)+19j
		xor	eax, eax

loc_A2664C:				; CODE XREF: AslpImageRvaToSection(x,x)+3Bj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_A26650:				; CODE XREF: AslpImageRvaToSection(x,x)+29j
		mov	eax, esi
		jmp	short loc_A2664C
_AslpImageRvaToSection@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpImageRvaToVa(x,	x, x)
_AslpImageRvaToVa@12 proc near		; CODE XREF: AslpFileQueryExportName_Vb(x,x)+81p
					; AslFileMappingGetImageTypeEx(x,x,x,x,x)+DEp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		cmp	byte ptr [esi+1Fh], 0
		jz	short loc_A26671
		mov	ecx, [ebp+arg_0]
		cmp	ecx, [esi+14h]

loc_A26668:				; CODE XREF: AslpImageRvaToVa(x,x,x)+3Ej
		jnb	short loc_A26694

loc_A2666A:				; CODE XREF: AslpImageRvaToVa(x,x,x)+39j
		mov	eax, [esi+10h]
		add	eax, ecx
		jmp	short loc_A26696
; 

loc_A26671:				; CODE XREF: AslpImageRvaToVa(x,x,x)+Cj
		mov	edx, [ebp+arg_0]
		call	_AslpImageRvaToSection@8 ; AslpImageRvaToSection(x,x)
		test	eax, eax
		jz	short loc_A26694
		mov	ecx, [eax+14h]
		sub	ecx, [eax+0Ch]
		xor	eax, eax
		add	ecx, [ebp+arg_0]
		cmp	eax, [esi+0Ch]
		ja	short loc_A26694
		jb	short loc_A2666A
		cmp	ecx, [esi+8]
		jmp	short loc_A26668
; 

loc_A26694:				; CODE XREF: AslpImageRvaToVa(x,x,x):loc_A26668j
					; AslpImageRvaToVa(x,x,x)+27j ...
		xor	eax, eax

loc_A26696:				; CODE XREF: AslpImageRvaToVa(x,x,x)+1Bj
		pop	esi
		pop	ebp
		retn	4
_AslpImageRvaToVa@12 endp


;  S U B	R O U T	I N E 


; __stdcall AslpFileLargeAssignViewAndDelete(x,	x)
_AslpFileLargeAssignViewAndDelete@8 proc near
					; CODE XREF: AslpFileLargeEnsureLargeFileMapping(x,x)+91p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		test	edx, edx
		jz	short loc_A266F7
		mov	esi, [edx]
		test	esi, esi
		jz	short loc_A266F7
		mov	eax, [esi+4]
		xor	ecx, ecx
		mov	[edi+0Ch], eax
		mov	byte ptr [edi+25h], 1
		mov	eax, [esi+18h]
		mov	[esi+4], ecx
		mov	[edi+20h], eax
		mov	eax, [esi+8]
		mov	[esi+18h], ecx
		mov	[edi+18h], eax
		mov	eax, [esi+0Ch]
		mov	[edi+1Ch], eax
		mov	word ptr [edi+26h], 1
		mov	dword ptr [edi+34h], 1
		mov	[esi+8], ecx
		mov	[esi+0Ch], ecx
		mov	ecx, edx
		call	_AslpFileLargeMapDelete@4 ; AslpFileLargeMapDelete(x)
		lea	edx, [edi+28h]
		lea	ecx, [edi+8]
		call	AslpFileMappingGetFileKind
		jmp	short loc_A266FC
; 

loc_A266F7:				; CODE XREF: AslpFileLargeAssignViewAndDelete(x,x)+9j
					; AslpFileLargeAssignViewAndDelete(x,x)+Fj
		mov	eax, 0C00000F0h

loc_A266FC:				; CODE XREF: AslpFileLargeAssignViewAndDelete(x,x)+5Aj
		pop	edi
		pop	esi
		pop	ecx
		retn
_AslpFileLargeAssignViewAndDelete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileLargeEnsureLargeFileMapping(x, x)
_AslpFileLargeEnsureLargeFileMapping@8 proc near
					; CODE XREF: AslFileAllocAndGetAttributes(x,x,x,x)+D9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		mov	ebx, ecx
		cmp	[edi+14h], esi
		ja	short loc_A26726
		jb	short loc_A2671F
		cmp	dword ptr [edi+10h], 100000h
		jnb	short loc_A26726

loc_A2671F:				; CODE XREF: AslpFileLargeEnsureLargeFileMapping(x,x)+14j
		mov	eax, 0C00000F0h
		jmp	short loc_A267A2
; 

loc_A26726:				; CODE XREF: AslpFileLargeEnsureLargeFileMapping(x,x)+12j
					; AslpFileLargeEnsureLargeFileMapping(x,x)+1Dj
		mov	[ebp+var_4], esi
		lea	ecx, [ebx+10h]

loc_A2672C:				; CODE XREF: AslpFileLargeEnsureLargeFileMapping(x,x)+51j
		test	esi, esi
		js	short loc_A26747
		cmp	esi, 13h
		jle	short loc_A2674A
		cmp	esi, 16h
		jz	short loc_A2674A
		cmp	esi, 18h
		jz	short loc_A2674A
		lea	eax, [esi-1Ah]
		cmp	eax, 5
		jbe	short loc_A2674A

loc_A26747:				; CODE XREF: AslpFileLargeEnsureLargeFileMapping(x,x)+2Ej
		or	dword ptr [ecx], 2

loc_A2674A:				; CODE XREF: AslpFileLargeEnsureLargeFileMapping(x,x)+33j
					; AslpFileLargeEnsureLargeFileMapping(x,x)+38j	...
		inc	esi
		add	ecx, 18h
		cmp	esi, 23h
		jl	short loc_A2672C
		lea	edx, [edi+8]
		lea	ecx, [ebp+var_4]
		call	_AslpFileLargeMapCreate@8 ; AslpFileLargeMapCreate(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A26798
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_AslpFileLargeGetChecksumAttributes@8 ;	AslpFileLargeGetChecksumAttributes(x,x)
		test	eax, eax
		jns	short loc_A2678C
		push	eax
		push	(offset	loc_8C6399+1)
		push	105h
		push	(offset	loc_8C63E0+4)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A2678C:				; CODE XREF: AslpFileLargeEnsureLargeFileMapping(x,x)+70j
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_AslpFileLargeAssignViewAndDelete@8 ; AslpFileLargeAssignViewAndDelete(x,x)
		mov	esi, eax

loc_A26798:				; CODE XREF: AslpFileLargeEnsureLargeFileMapping(x,x)+62j
		lea	ecx, [ebp+var_4]
		call	_AslpFileLargeMapDelete@4 ; AslpFileLargeMapDelete(x)
		mov	eax, esi

loc_A267A2:				; CODE XREF: AslpFileLargeEnsureLargeFileMapping(x,x)+24j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileLargeEnsureLargeFileMapping@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileLargeGetChecksum(x,	x)
_AslpFileLargeGetChecksum@8 proc near	; CODE XREF: AslpFileLargeGetChecksumAttributes(x,x)+18p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	1Ch
		push	offset dword_6AADE0
		call	__SEH_prolog4
		mov	ebx, ecx
		xor	edi, edi
		mov	esi, edi
		mov	eax, [edx]
		cmp	[eax+0Ch], edi
		ja	short loc_A267CD
		cmp	dword ptr [eax+8], 100000h
		jb	loc_A2686C

loc_A267CD:				; CODE XREF: AslpFileLargeGetChecksum(x,x)+17j
		mov	ecx, [edx+8]
		test	ecx, ecx
		jz	loc_A2686C
		cmp	dword ptr [edx+0Ch], 1200h
		jb	loc_A2686C
		mov	eax, [edx+10h]
		or	eax, [edx+14h]
		jnz	short loc_A2686C
		mov	[ebp+ms_exc.disabled], edi
		add	ecx, 200h
		mov	[ebp+var_20], ecx
		mov	edx, edi

loc_A267FB:				; CODE XREF: AslpFileLargeGetChecksum(x,x)+80j
		mov	[ebp+var_24], edx
		cmp	edx, 400h
		jnb	short loc_A26829
		add	esi, [ecx]
		mov	[ebp+var_1C], esi
		add	ecx, 4
		mov	[ebp+var_20], ecx
		mov	eax, esi
		shr	esi, 1
		mov	[ebp+var_1C], esi
		and	eax, 1
		jz	short loc_A26826
		or	esi, 80000000h
		mov	[ebp+var_1C], esi

loc_A26826:				; CODE XREF: AslpFileLargeGetChecksum(x,x)+74j
		inc	edx
		jmp	short loc_A267FB
; 

loc_A26829:				; CODE XREF: AslpFileLargeGetChecksum(x,x)+5Dj
		mov	[ebx], esi
		mov	[ebp+var_2C], edi
		jmp	short loc_A26861
; 

loc_A26830:				; DATA XREF: .text:006AADF4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A2683E:				; DATA XREF: .text:006AADF8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_28]
		mov	[ebp+var_2C], edi
		push	edi
		push	(offset	loc_8C4D43+3)
		push	339h
		push	offset ??_C@_0BJ@HBFAEJPP@AslpFileLargeGetChecksum@NNGAKEGL@
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A26861:				; CODE XREF: AslpFileLargeGetChecksum(x,x)+87j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edi
		jmp	short loc_A26871
; 

loc_A2686C:				; CODE XREF: AslpFileLargeGetChecksum(x,x)+20j
					; AslpFileLargeGetChecksum(x,x)+2Bj ...
		mov	eax, 0C000000Dh

loc_A26871:				; CODE XREF: AslpFileLargeGetChecksum(x,x)+C3j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileLargeGetChecksum@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileLargeGetChecksumAttributes(x, x)
_AslpFileLargeGetChecksumAttributes@8 proc near
					; CODE XREF: AslpFileLargeEnsureLargeFileMapping(x,x)+69p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		mov	eax, edx
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_8], eax
		push	edi
		lea	ecx, [ebp+var_4]
		call	_AslpFileLargeGetChecksum@8 ; AslpFileLargeGetChecksum(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_A268CC
		push	edi
		push	offset ??_C@_0CF@NKLIOJAG@AslpFileLargeGetChecksum?5failed@NNGAKEGL@
		push	2B7h
		push	(offset	loc_8C6465+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		push	2
		pop	ebx
		or	[esi+40h], ebx

loc_A268C4:				; CODE XREF: AslpFileLargeGetChecksumAttributes(x,x)+95j
		or	[esi+280h], ebx
		jmp	short loc_A26941
; 

loc_A268CC:				; CODE XREF: AslpFileLargeGetChecksumAttributes(x,x)+21j
		mov	eax, [ebp+var_4]
		lea	ecx, [ebp+var_4]
		mov	edx, [ebp+var_8]
		and	dword ptr [esi+3Ch], 0
		or	dword ptr [esi+40h], 1
		and	[ebp+var_4], 0
		push	2
		pop	ebx
		mov	[esi+30h], ebx
		mov	dword ptr [esi+34h], 4
		mov	[esi+38h], eax
		call	_AslpFileLargeGetCrcChecksum@8 ; AslpFileLargeGetCrcChecksum(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_A26918
		push	edi
		push	(offset	loc_8C6149+1)
		push	2CCh
		push	(offset	loc_8C6465+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	short loc_A268C4
; 

loc_A26918:				; CODE XREF: AslpFileLargeGetChecksumAttributes(x,x)+79j
		mov	eax, [ebp+var_4]
		and	dword ptr [esi+27Ch], 0
		or	dword ptr [esi+280h], 1
		xor	edi, edi
		mov	[esi+270h], ebx
		mov	dword ptr [esi+274h], 4
		mov	[esi+278h], eax

loc_A26941:				; CODE XREF: AslpFileLargeGetChecksumAttributes(x,x)+49j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileLargeGetChecksumAttributes@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileLargeGetCrcChecksum(x, x)
_AslpFileLargeGetCrcChecksum@8 proc near
					; CODE XREF: AslpFileLargeGetChecksumAttributes(x,x)+70p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	28h
		push	offset dword_6AADC0
		call	__SEH_prolog4
		mov	esi, edx
		mov	eax, ecx
		mov	[ebp+var_30], eax
		xor	edi, edi
		mov	[eax], edi
		mov	eax, [esi]
		mov	edx, [eax+8]
		mov	eax, [eax+0Ch]
		mov	[ebp+var_20], eax
		cmp	eax, edi
		ja	short loc_A2697A
		cmp	edx, 100000h
		jb	loc_A26B03

loc_A2697A:				; CODE XREF: AslpFileLargeGetCrcChecksum(x,x)+24j
		mov	ecx, [esi+20h]
		test	ecx, ecx
		jz	loc_A26B03
		mov	eax, [esi+24h]
		mov	[ebp+var_24], eax
		mov	ebx, 1000h
		cmp	eax, ebx
		jb	loc_A26B03
		mov	eax, [esi+8]
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_A26B03
		cmp	[esi+0Ch], ebx
		jb	loc_A26B03
		mov	eax, [esi+10h]
		or	eax, [esi+14h]
		jnz	loc_A26B03
		mov	ebx, edx
		sub	ebx, [esi+28h]
		mov	eax, [ebp+var_20]
		sbb	eax, [esi+2Ch]
		add	ebx, 0FFFFF000h
		adc	eax, 0FFFFFFFFh
		mov	[ebp+var_28], eax
		mov	[ebp+var_1C], ebx
		add	[ebp+var_1C], 1000h
		adc	eax, edi
		cmp	eax, edi
		jb	loc_A26A9D
		ja	short loc_A269F4
		mov	eax, [ebp+var_1C]
		cmp	eax, [ebp+var_24]
		jbe	loc_A26A9D

loc_A269F4:				; CODE XREF: AslpFileLargeGetCrcChecksum(x,x)+9Ej
		push	[ebp+var_20]
		push	edx
		push	(offset	loc_8C6433+1)
		push	38Ch
		push	(offset	loc_8C6449+1)
		push	edi
		call	AslLogCallPrintf
		mov	eax, [esi]
		mov	ecx, [eax+8]
		add	ecx, 0FFFFF000h
		mov	eax, [eax+0Ch]
		adc	eax, 0FFFFFFFFh
		push	eax
		push	ecx
		push	(offset	loc_8C6406+2)
		push	38Dh
		push	(offset	loc_8C6449+1)
		push	edi
		call	AslLogCallPrintf
		push	dword ptr [esi+2Ch]
		push	dword ptr [esi+28h]
		push	(offset	loc_8C641D+1)
		push	38Eh
		push	(offset	loc_8C6449+1)
		push	edi
		call	AslLogCallPrintf
		add	esp, 48h
		push	dword ptr [esi+24h]
		push	offset ??_C@_0BD@GMBLCEKJ@ViewFileSize?5?5?3?5?$CFu@NNGAKEGL@
		push	38Fh
		mov	esi, (offset loc_8C6449+1)
		push	esi
		push	edi
		call	AslLogCallPrintf
		push	[ebp+var_28]
		push	ebx
		push	(offset	loc_8C654A+4)
		push	390h
		push	esi
		push	edi
		call	AslLogCallPrintf
		push	offset ??_C@_0DJ@GHPJJPKH@Alignment?5error?5in?5the?5end?5of?5f@NNGAKEGL@
		push	394h
		push	esi
		push	1
		call	AslLogCallPrintf
		add	esp, 3Ch
		mov	eax, 0C0000220h
		jmp	short loc_A26B08
; 

loc_A26A9D:				; CODE XREF: AslpFileLargeGetCrcChecksum(x,x)+98j
					; AslpFileLargeGetCrcChecksum(x,x)+A6j
		mov	[ebp+ms_exc.disabled], edi
		mov	eax, 1000h
		push	eax
		lea	esi, [ecx+ebx]
		push	eax
		mov	edx, [ebp+var_2C]
		xor	ecx, ecx
		call	_AslComputeCrc32@12 ; AslComputeCrc32(x,x,x)
		mov	edx, esi
		mov	ecx, eax
		call	_AslComputeCrc32@12 ; AslComputeCrc32(x,x,x)
		mov	ecx, [ebp+var_30]
		mov	[ecx], eax
		mov	[ebp+var_38], edi
		jmp	short loc_A26AF8
; 

loc_A26AC7:				; DATA XREF: .text:006AADD4o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A26AD5:				; DATA XREF: .text:006AADD8o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	edi, [ebp+var_34]
		mov	[ebp+var_38], edi
		push	edi
		push	(offset	loc_8C4D43+3)
		push	3A6h
		push	(offset	loc_8C6449+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h

loc_A26AF8:				; CODE XREF: AslpFileLargeGetCrcChecksum(x,x)+17Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, edi
		jmp	short loc_A26B08
; 

loc_A26B03:				; CODE XREF: AslpFileLargeGetCrcChecksum(x,x)+2Cj
					; AslpFileLargeGetCrcChecksum(x,x)+37j	...
		mov	eax, 0C000000Dh

loc_A26B08:				; CODE XREF: AslpFileLargeGetCrcChecksum(x,x)+153j
					; AslpFileLargeGetCrcChecksum(x,x)+1B9j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileLargeGetCrcChecksum@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AslpFileLargeMapCreate(x, x)
_AslpFileLargeMapCreate@8 proc near	; CODE XREF: AslpFileLargeEnsureLargeFileMapping(x,x)+59p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		push	ecx
		mov	ebx, edx
		mov	[ebp+var_C], ecx
		push	38h
		pop	edx
		mov	[ebp+var_8], ebx
		call	_AslAlloc@12	; AslAlloc(x,x,x)
		mov	edi, eax
		mov	[ebp+var_4], edi
		test	edi, edi
		jnz	short loc_A26B47
		mov	esi, 0C0000017h
		jmp	loc_A26CCB
; 

loc_A26B47:				; CODE XREF: AslpFileLargeMapCreate(x,x)+23j
		push	dword ptr [ebx]
		xor	ecx, ecx
		mov	[ebp+var_24], 18h
		push	8000000h
		push	2
		push	ecx
		mov	[ebp+var_20], ecx
		lea	eax, [edi+4]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		lea	ecx, [ebp+var_24]
		push	ecx
		push	0F0005h
		push	eax
		mov	[ebp+var_18], 200h
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A26BA4
		push	esi
		push	(offset	loc_8C4BAF+1)
		push	166h

loc_A26B90:				; CODE XREF: AslpFileLargeMapCreate(x,x)+DAj
					; AslpFileLargeMapCreate(x,x)+171j
		push	(offset	loc_8C6347+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 14h
		jmp	loc_A26CBF
; 

loc_A26BA4:				; CODE XREF: AslpFileLargeMapCreate(x,x)+6Bj
		mov	ecx, [ebx+8]
		lea	edx, [edi+28h]
		mov	eax, [ebx+0Ch]
		sub	ecx, 1000h
		push	2
		push	offset loc_500000
		sbb	eax, 0
		and	ecx, 0FFFF0000h
		push	2
		mov	[edx], ecx
		lea	ecx, [edi+20h]
		mov	[edx+4], eax
		lea	eax, [edi+24h]
		push	eax
		push	edx
		push	0
		push	0
		push	ecx
		push	0FFFFFFFFh
		push	dword ptr [edi+4]
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A26BF4
		push	esi
		push	offset ??_C@_0DK@GKAIOMFA@ZwMapViewOfSection?5failed?5to?5ma@NNGAKEGL@
		push	182h
		jmp	short loc_A26B90
; 

loc_A26BF4:				; CODE XREF: AslpFileLargeMapCreate(x,x)+CDj
		push	2
		push	dword ptr [edi+24h]
		push	dword ptr [edi+20h]
		call	_MmSecureVirtualMemory@12 ; MmSecureVirtualMemory(x,x,x)
		mov	[edi+30h], eax
		test	eax, eax
		jnz	short loc_A26C2B
		push	offset ??_C@_0DE@CHEICMFI@MmSecureVirtualMemory?5failed?5to@NNGAKEGL@
		push	189h

loc_A26C12:				; CODE XREF: AslpFileLargeMapCreate(x,x)+194j
		push	(offset	loc_8C6347+1)
		push	1
		call	AslLogCallPrintf
		add	esp, 10h
		mov	esi, 0C0000001h
		jmp	loc_A26CBF
; 

loc_A26C2B:				; CODE XREF: AslpFileLargeMapCreate(x,x)+EEj
		mov	ebx, 20000000h
		lea	eax, [edi+0Ch]
		lea	edx, [edi+10h]
		lea	ecx, [edi+8]

loc_A26C39:				; CODE XREF: AslpFileLargeMapCreate(x,x)+15Dj
		push	2
		push	offset loc_500000
		push	2
		push	eax
		push	edx
		xor	esi, esi
		mov	[eax], ebx
		push	esi
		push	esi
		push	ecx
		mov	[edx], esi
		push	0FFFFFFFFh
		mov	[edx+4], esi
		push	dword ptr [edi+4]
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		shr	ebx, 1
		cmp	esi, 0C0000017h
		jnz	short loc_A26C77
		lea	eax, [edi+0Ch]
		lea	ecx, [edi+8]
		lea	edx, [edi+10h]
		cmp	ebx, 100000h
		jnb	short loc_A26C39

loc_A26C77:				; CODE XREF: AslpFileLargeMapCreate(x,x)+14Cj
		mov	ebx, [ebp+var_8]
		test	esi, esi
		jns	short loc_A26C8E
		push	esi
		push	offset ??_C@_0DM@DNPNPCFE@ZwMapViewOfSection?5failed?5to?5ma@NNGAKEGL@
		push	1B5h
		jmp	loc_A26B90
; 

loc_A26C8E:				; CODE XREF: AslpFileLargeMapCreate(x,x)+164j
		push	2
		push	dword ptr [edi+0Ch]
		push	dword ptr [edi+8]
		call	_MmSecureVirtualMemory@12 ; MmSecureVirtualMemory(x,x,x)
		mov	[edi+18h], eax
		test	eax, eax
		jnz	short loc_A26CB1
		push	offset ??_C@_0DG@GNMNFDCD@MmSecureVirtualMemory?5failed?5to@NNGAKEGL@
		push	1BCh
		jmp	loc_A26C12
; 

loc_A26CB1:				; CODE XREF: AslpFileLargeMapCreate(x,x)+188j
		mov	eax, [ebp+var_C]
		mov	[edi], ebx
		mov	[eax], edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		xor	esi, esi

loc_A26CBF:				; CODE XREF: AslpFileLargeMapCreate(x,x)+87j
					; AslpFileLargeMapCreate(x,x)+10Ej
		test	edi, edi
		jz	short loc_A26CCB
		lea	ecx, [ebp+var_4]
		call	_AslpFileLargeMapDelete@4 ; AslpFileLargeMapDelete(x)

loc_A26CCB:				; CODE XREF: AslpFileLargeMapCreate(x,x)+2Aj
					; AslpFileLargeMapCreate(x,x)+1A9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_AslpFileLargeMapCreate@8 endp


;  S U B	R O U T	I N E 


; __stdcall AslpFileLargeMapDelete(x)
_AslpFileLargeMapDelete@4 proc near	; CODE XREF: AslpFileLargeAssignViewAndDelete(x,x)+4Ap
					; AslpFileLargeEnsureLargeFileMapping(x,x)+9Bp	...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	short loc_A26D0E
		mov	esi, [edi]
		test	esi, esi
		jz	short loc_A26D0E
		lea	ecx, [esi+20h]
		call	_AslpFilePartialViewFree@4 ; AslpFilePartialViewFree(x)
		lea	ecx, [esi+8]
		call	_AslpFilePartialViewFree@4 ; AslpFilePartialViewFree(x)
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_A26D00
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A26D00:				; CODE XREF: AslpFileLargeMapDelete(x)+26j
		push	74705041h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [edi], 0

loc_A26D0E:				; CODE XREF: AslpFileLargeMapDelete(x)+9j
					; AslpFileLargeMapDelete(x)+Fj
		pop	edi
		pop	esi
		pop	ecx
		retn
_AslpFileLargeMapDelete@4 endp


;  S U B	R O U T	I N E 


; __stdcall AslpFilePartialViewFree(x)
_AslpFilePartialViewFree@4 proc	near	; CODE XREF: AslpFileLargeMapDelete(x)+14p
					; AslpFileLargeMapDelete(x)+1Cp
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	short loc_A26D48
		mov	eax, [esi+10h]
		xor	edi, edi
		test	eax, eax
		jz	short loc_A26D2F
		push	eax
		call	_MmUnsecureVirtualMemory@4 ; MmUnsecureVirtualMemory(x)
		mov	[esi+10h], edi

loc_A26D2F:				; CODE XREF: AslpFilePartialViewFree(x)+12j
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_A26D48
		push	eax
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)
		mov	[esi], edi
		mov	[esi+4], edi
		mov	[esi+8], edi
		mov	[esi+0Ch], edi

loc_A26D48:				; CODE XREF: AslpFilePartialViewFree(x)+9j
					; AslpFilePartialViewFree(x)+21j
		pop	edi
		pop	esi
		pop	ecx
		retn
_AslpFilePartialViewFree@4 endp


;  S U B	R O U T	I N E 


; __stdcall AuthzBasepAllocateClaimCollectionNoLists()
_AuthzBasepAllocateClaimCollectionNoLists@0 proc near
					; CODE XREF: SepCreateClaimAttributes:loc_8F8865p
					; SepDuplicateClaimAttributes(x,x):loc_9E00FAp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, 130h
		push	74416553h
		mov	ecx, edi
		call	_AuthzBasepMemAlloc@12 ; AuthzBasepMemAlloc(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A26D75
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, esi

loc_A26D75:				; CODE XREF: AuthzBasepAllocateClaimCollectionNoLists()+19j
		pop	edi
		pop	esi
		retn
_AuthzBasepAllocateClaimCollectionNoLists@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepCompareSecurityAttributesInformation(x, x)
_AuthzBasepCompareSecurityAttributesInformation@8 proc near
					; CODE XREF: SepCompareClaimAttributes+127486p
					; SepCompareClaimAttributes+12749Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx]
		push	ebx
		push	esi
		xor	bl, bl
		mov	[ebp+var_4], edx
		push	edi
		cmp	eax, [edx]
		jnz	short loc_A26DBB
		test	eax, eax
		jz	short loc_A26DB9
		lea	edi, [ecx+4]
		mov	esi, [edi]
		jmp	short loc_A26DB5
; 

loc_A26D97:				; CODE XREF: AuthzBasepCompareSecurityAttributesInformation(x,x)+3Fj
		mov	ecx, [ebp+var_4]
		lea	edx, [esi+10h]
		call	_AuthzBasepFindSecurityAttribute@8 ; AuthzBasepFindSecurityAttribute(x,x)
		test	eax, eax
		jz	short loc_A26DBB
		mov	edx, eax
		mov	ecx, esi
		call	AuthzBasepCompareSecurityAttribute
		test	al, al
		jz	short loc_A26DBB
		mov	esi, [esi]

loc_A26DB5:				; CODE XREF: AuthzBasepCompareSecurityAttributesInformation(x,x)+1Dj
		cmp	esi, edi
		jnz	short loc_A26D97

loc_A26DB9:				; CODE XREF: AuthzBasepCompareSecurityAttributesInformation(x,x)+16j
		mov	bl, 1

loc_A26DBB:				; CODE XREF: AuthzBasepCompareSecurityAttributesInformation(x,x)+12j
					; AuthzBasepCompareSecurityAttributesInformation(x,x)+2Cj ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_AuthzBasepCompareSecurityAttributesInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepCopyoutClaimAttributeValues(x, x,	x, x, x)
_AuthzBasepCopyoutClaimAttributeValues@20 proc near
					; CODE XREF: AuthzBasepCopyoutClaimAttributes(x,x,x)+11Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	ecx, [ebp+arg_0]
		xor	esi, esi
		add	ebx, ecx
		cmp	ebx, ecx
		jnb	short loc_A26DEA

loc_A26DE0:				; CODE XREF: AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+80j
					; AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+AEj	...
		mov	esi, 80000005h
		jmp	loc_A26FDE
; 

loc_A26DEA:				; CODE XREF: AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+1Cj
		mov	eax, [ebp+arg_8]
		movzx	edx, word ptr [edi+18h]
		mov	[eax], esi
		mov	eax, edx
		test	ax, ax
		jz	loc_A26FD9
		cmp	eax, 2
		jbe	loc_A26F89
		cmp	eax, 3
		jz	loc_A26F22
		cmp	eax, 4
		jz	loc_A26E9B
		cmp	eax, 5
		jz	short loc_A26E30
		cmp	eax, 6
		jz	loc_A26F89
		cmp	edx, 10h
		jnz	loc_A26FD9

loc_A26E30:				; CODE XREF: AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+5Aj
		mov	edx, [edi+24h]
		add	ecx, 3
		mov	eax, ecx
		shl	edx, 3
		and	eax, 0FFFFFFFCh
		add	eax, edx
		cmp	eax, ebx
		ja	short loc_A26DE0
		mov	eax, [ebp+var_4]
		and	ecx, 0FFFFFFFCh
		mov	[ebp+arg_4], ecx
		mov	[eax+10h], ecx
		lea	eax, [edi+2Ch]
		mov	edi, [eax]
		add	ecx, edx
		mov	[ebp+var_8], eax
		cmp	edi, eax
		jz	loc_A26FCF

loc_A26E62:				; CODE XREF: AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+D2j
		mov	edx, [edi+1Ch]
		lea	eax, [ecx+edx]
		mov	[ebp+var_4], eax
		cmp	eax, ebx
		mov	eax, [ebp+arg_4]
		ja	loc_A26DE0
		push	edx		; size_t
		mov	[eax], ecx
		mov	[eax+4], edx
		push	dword ptr [edi+18h] ; void *
		push	ecx		; void *
		call	_memcpy
		add	[ebp+arg_4], 8
		add	esp, 0Ch
		mov	edi, [edi]
		mov	ecx, [ebp+var_4]
		cmp	edi, [ebp+var_8]
		jnz	short loc_A26E62
		jmp	loc_A26FCF
; 

loc_A26E9B:				; CODE XREF: AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+51j
		mov	edx, [edi+24h]
		add	ecx, 7
		mov	eax, ecx
		shl	edx, 4
		and	eax, 0FFFFFFF8h
		add	eax, edx
		cmp	eax, ebx
		ja	loc_A26DE0
		mov	eax, [ebp+var_4]
		and	ecx, 0FFFFFFF8h
		mov	[ebp+arg_4], ecx
		mov	[eax+10h], ecx
		lea	eax, [edi+2Ch]
		mov	edi, [eax]
		add	ecx, edx
		mov	[ebp+var_10], eax
		cmp	edi, eax
		jz	loc_A26FCF
		mov	edx, [ebp+arg_4]

loc_A26ED4:				; CODE XREF: AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+159j
		movzx	eax, word ptr [edi+20h]
		mov	[ebp+var_8], eax
		add	eax, 2
		mov	[ebp+var_4], eax
		add	eax, ecx
		mov	[ebp+var_C], eax
		cmp	eax, ebx
		ja	loc_A26DE0
		mov	eax, [edi+18h]
		push	[ebp+var_8]
		mov	[edx], eax
		mov	eax, [edi+1Ch]
		mov	[edx+4], eax
		mov	[edx+8], ecx
		push	dword ptr [edi+24h]
		mov	edx, [ebp+var_4]
		call	_RtlStringCbCopyNW@16 ;	RtlStringCbCopyNW(x,x,x,x)
		mov	edx, [ebp+arg_4]
		mov	edi, [edi]
		add	edx, 10h
		mov	ecx, [ebp+var_C]
		mov	[ebp+arg_4], edx
		cmp	edi, [ebp+var_10]
		jnz	short loc_A26ED4
		jmp	loc_A26FCF
; 

loc_A26F22:				; CODE XREF: AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+48j
		mov	edx, [edi+24h]
		add	ecx, 3
		mov	eax, ecx
		shl	edx, 2
		and	eax, 0FFFFFFFCh
		add	eax, edx
		cmp	eax, ebx
		ja	loc_A26DE0
		mov	eax, [ebp+var_4]
		and	ecx, 0FFFFFFFCh
		mov	[ebp+arg_4], ecx
		mov	[eax+10h], ecx
		lea	eax, [edi+2Ch]
		mov	edi, [eax]
		add	ecx, edx
		mov	[ebp+var_C], eax
		cmp	edi, eax
		jz	short loc_A26FCF

loc_A26F54:				; CODE XREF: AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+1C3j
		movzx	edx, word ptr [edi+18h]
		lea	eax, [edx+2]
		add	eax, ecx
		mov	[ebp+var_10], eax
		cmp	eax, ebx
		mov	eax, [ebp+arg_4]
		ja	loc_A26DE0
		push	edx
		mov	[eax], ecx
		lea	edx, [edx+2]
		push	dword ptr [edi+1Ch]
		call	_RtlStringCbCopyNW@16 ;	RtlStringCbCopyNW(x,x,x,x)
		add	[ebp+arg_4], 4
		mov	edi, [edi]
		mov	ecx, [ebp+var_10]
		cmp	edi, [ebp+var_C]
		jnz	short loc_A26F54
		jmp	short loc_A26FCF
; 

loc_A26F89:				; CODE XREF: AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+3Fj
					; AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+5Fj
		mov	edx, [edi+24h]
		add	ecx, 7
		shl	edx, 3
		mov	eax, ecx
		and	eax, 0FFFFFFF8h
		mov	[ebp+arg_4], edx
		add	eax, edx
		cmp	eax, ebx
		ja	loc_A26DE0
		mov	eax, [ebp+var_4]
		lea	ebx, [edi+2Ch]
		and	ecx, 0FFFFFFF8h
		mov	[eax+10h], ecx
		mov	edx, [ebx]
		cmp	edx, ebx
		jz	short loc_A26FCC
		mov	edi, ecx

loc_A26FB8:				; CODE XREF: AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+208j
		mov	eax, [edx+18h]
		mov	[edi], eax
		lea	edi, [edi+8]
		mov	eax, [edx+1Ch]
		mov	[edi-4], eax
		mov	edx, [edx]
		cmp	edx, ebx
		jnz	short loc_A26FB8

loc_A26FCC:				; CODE XREF: AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+1F2j
		add	ecx, [ebp+arg_4]

loc_A26FCF:				; CODE XREF: AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+9Aj
					; AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+D4j	...
		mov	eax, [ebp+arg_8]
		sub	ecx, [ebp+arg_0]
		mov	[eax], ecx
		jmp	short loc_A26FDE
; 

loc_A26FD9:				; CODE XREF: AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+36j
					; AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+68j
		mov	esi, 0C000000Dh

loc_A26FDE:				; CODE XREF: AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+23j
					; AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)+215j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_AuthzBasepCopyoutClaimAttributeValues@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall AuthzBasepCopyoutClaimAttributes(int,void *,int)
_AuthzBasepCopyoutClaimAttributes@12 proc near
					; CODE XREF: AuthzBasepQueryClaimAttributesToken+12A5EFp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_10], ecx
		test	edi, edi
		jz	loc_A27131
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jz	loc_A27131
		lea	ebx, [edi+edx]
		mov	[ebp+var_8], ebx
		cmp	ebx, edi
		jnb	short loc_A2701E
		mov	edx, 0C000000Dh
		jmp	loc_A2713A
; 

loc_A2701E:				; CODE XREF: AuthzBasepCopyoutClaimAttributes(x,x,x)+2Bj
		push	edx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		lea	esi, [edi+0Ch]
		mov	[ebp+var_4], 0Ch
		add	esp, 0Ch
		cmp	esi, ebx
		jbe	short loc_A27042
		mov	edx, 0C0000023h
		jmp	loc_A2713A
; 

loc_A27042:				; CODE XREF: AuthzBasepCopyoutClaimAttributes(x,x,x)+4Fj
		mov	eax, [ebp+var_10]
		push	14h
		pop	ecx
		mov	eax, [eax]
		mov	[ebp+var_18], eax
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_A2713A
		mov	ebx, [ebp+var_4]
		add	ebx, esi
		cmp	ebx, [ebp+var_8]
		jbe	short loc_A27077

loc_A2706D:				; CODE XREF: AuthzBasepCopyoutClaimAttributes(x,x,x)+EFj
		mov	edx, 80000005h
		jmp	loc_A2713A
; 

loc_A27077:				; CODE XREF: AuthzBasepCopyoutClaimAttributes(x,x,x)+84j
		xor	eax, eax
		mov	[edi+8], esi
		inc	eax
		mov	[edi], ax
		xor	eax, eax
		mov	[edi+2], ax
		mov	eax, [ebp+var_18]
		mov	[edi+4], eax
		mov	eax, [ebp+var_10]
		add	eax, 4
		mov	ecx, [eax]
		mov	[ebp+var_C], ecx
		cmp	ecx, eax
		jz	loc_A27136
		add	esi, 0Ch
		mov	[ebp+var_14], esi

loc_A270A5:				; CODE XREF: AuthzBasepCopyoutClaimAttributes(x,x,x)+142j
		mov	ax, [ecx+18h]
		mov	[esi-8], ax
		mov	eax, [ecx+24h]
		mov	[esi], eax
		xor	eax, eax
		mov	[esi-6], ax
		inc	ebx
		mov	eax, [ecx+1Ch]
		mov	[esi-4], eax
		movzx	eax, word ptr [ecx+10h]
		mov	[ebp+var_18], eax
		lea	edx, [eax+2]
		mov	eax, ebx
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_4], edx
		add	eax, edx
		cmp	eax, [ebp+var_8]
		ja	short loc_A2706D
		push	[ebp+var_18]
		and	ebx, 0FFFFFFFEh
		mov	[esi-0Ch], ebx
		push	dword ptr [ecx+14h]
		mov	ecx, ebx
		call	_RtlStringCbCopyNW@16 ;	RtlStringCbCopyNW(x,x,x,x)
		mov	eax, [ebp+var_18]
		lea	edx, [esi-0Ch]
		mov	ecx, [ebp+var_C]
		add	eax, 2
		add	ebx, eax
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, [ebp+var_8]
		sub	eax, ebx
		push	eax
		push	ebx
		call	_AuthzBasepCopyoutClaimAttributeValues@20 ; AuthzBasepCopyoutClaimAttributeValues(x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_A2713A
		mov	ecx, [ebp+var_C]
		mov	eax, [ebp+var_10]
		add	[ebp+var_14], 14h
		add	eax, 4
		add	ebx, [ebp+var_4]
		mov	ecx, [ecx]
		mov	esi, [ebp+var_14]
		mov	[ebp+var_C], ecx
		cmp	ecx, eax
		jnz	loc_A270A5
		jmp	short loc_A27136
; 

loc_A27131:				; CODE XREF: AuthzBasepCopyoutClaimAttributes(x,x,x)+12j
					; AuthzBasepCopyoutClaimAttributes(x,x,x)+1Dj
		mov	edx, 0C000000Dh

loc_A27136:				; CODE XREF: AuthzBasepCopyoutClaimAttributes(x,x,x)+B2j
					; AuthzBasepCopyoutClaimAttributes(x,x,x)+148j
		test	edx, edx
		jns	short loc_A27145

loc_A2713A:				; CODE XREF: AuthzBasepCopyoutClaimAttributes(x,x,x)+32j
					; AuthzBasepCopyoutClaimAttributes(x,x,x)+56j ...
		cmp	[ebp+arg_0], 0Ch
		jb	short loc_A27145
		xor	eax, eax
		stosd
		stosd
		stosd

loc_A27145:				; CODE XREF: AuthzBasepCopyoutClaimAttributes(x,x,x)+151j
					; AuthzBasepCopyoutClaimAttributes(x,x,x)+157j
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	4
_AuthzBasepCopyoutClaimAttributes@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x, x)
_AuthzBasepGetClaimAttributeValueCopyoutBufferSize@8 proc near
					; CODE XREF: AuthzBasepGetClaimAttributesCopyoutBufferSize(x,x)+62p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		movzx	ecx, word ptr [edi+18h]
		mov	eax, [ebx]
		mov	esi, ecx
		test	si, si
		jz	loc_A272DA
		cmp	esi, 2
		jbe	loc_A272A3
		cmp	esi, 3
		jz	loc_A2724A
		cmp	esi, 4
		jz	short loc_A271F2
		cmp	esi, 5
		jz	short loc_A2719E
		cmp	esi, 6
		jz	loc_A272A3
		cmp	ecx, 10h
		jnz	loc_A272DA

loc_A2719E:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+3Cj
		lea	esi, [eax+3]
		and	esi, 0FFFFFFFCh
		cmp	esi, eax
		jnb	short loc_A271B2

loc_A271A8:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+85j
					; AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+95j ...
		mov	eax, 0C0000095h
		jmp	loc_A272DF
; 

loc_A271B2:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+58j
		mov	eax, [edi+24h]
		push	8
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_A272DF
		mov	ecx, [ebp+var_4]
		add	ecx, esi
		cmp	ecx, esi
		jb	short loc_A271A8
		add	edi, 2Ch
		mov	edx, [edi]
		jmp	short loc_A271E9
; 

loc_A271DC:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+9Dj
		mov	eax, [edx+1Ch]
		add	eax, ecx
		cmp	eax, ecx
		jb	short loc_A271A8
		mov	edx, [edx]
		mov	ecx, eax

loc_A271E9:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+8Cj
		cmp	edx, edi
		jnz	short loc_A271DC
		jmp	loc_A272D4
; 

loc_A271F2:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+37j
		lea	esi, [eax+7]
		and	esi, 0FFFFFFF8h
		cmp	esi, eax
		jb	short loc_A271A8
		mov	eax, [edi+24h]
		push	10h
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_A272DF
		mov	ecx, [ebp+var_4]
		add	ecx, esi
		cmp	ecx, esi
		jb	short loc_A271A8
		add	edi, 2Ch
		mov	edx, [edi]
		jmp	short loc_A27241
; 

loc_A27226:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+F5j
		movzx	eax, word ptr [edx+20h]
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_A271A8
		lea	ecx, [eax+2]
		cmp	ecx, eax
		jb	loc_A271A8
		mov	edx, [edx]

loc_A27241:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+D6j
		cmp	edx, edi
		jnz	short loc_A27226
		jmp	loc_A272D4
; 

loc_A2724A:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+2Ej
		lea	esi, [eax+3]
		and	esi, 0FFFFFFFCh
		cmp	esi, eax
		jb	loc_A271A8
		mov	eax, [edi+24h]
		push	4
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_A272DF
		mov	ecx, [ebp+var_4]
		add	ecx, esi
		cmp	ecx, esi
		jb	loc_A271A8
		add	edi, 2Ch
		mov	edx, [edi]
		jmp	short loc_A2729D
; 

loc_A27282:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+151j
		movzx	eax, word ptr [edx+18h]
		add	eax, ecx
		cmp	eax, ecx
		jb	loc_A271A8
		lea	ecx, [eax+2]
		cmp	ecx, eax
		jb	loc_A271A8
		mov	edx, [edx]

loc_A2729D:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+132j
		cmp	edx, edi
		jnz	short loc_A27282
		jmp	short loc_A272D4
; 

loc_A272A3:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+25j
					; AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+41j
		lea	esi, [eax+7]
		and	esi, 0FFFFFFF8h
		cmp	esi, eax
		jb	loc_A271A8
		mov	eax, [edi+24h]
		push	8
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_A272DF
		mov	ecx, [ebp+var_4]
		add	ecx, esi
		cmp	ecx, esi
		jb	loc_A271A8

loc_A272D4:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+9Fj
					; AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+F7j ...
		mov	[ebx], ecx
		xor	eax, eax
		jmp	short loc_A272DF
; 

loc_A272DA:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+1Cj
					; AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+4Aj
		mov	eax, 0C000000Dh

loc_A272DF:				; CODE XREF: AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+5Fj
					; AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)+78j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AuthzBasepGetClaimAttributeValueCopyoutBufferSize@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AuthzBasepGetClaimAttributesCopyoutBufferSize(x, x)
_AuthzBasepGetClaimAttributesCopyoutBufferSize@8 proc near
					; CODE XREF: AuthzBasepQueryClaimAttributesToken+12A5B0p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		push	14h
		pop	ecx
		mov	eax, [edi]
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_A2735B
		mov	ecx, [ebp+var_4]
		add	ecx, 0Ch
		cmp	ecx, 0Ch
		jnb	short loc_A2731B
		mov	eax, 0C0000095h
		jmp	short loc_A2735B
; 

loc_A2731B:				; CODE XREF: AuthzBasepGetClaimAttributesCopyoutBufferSize(x,x)+2Ej
		add	edi, 4
		push	esi
		mov	esi, [edi]
		jmp	short loc_A27354
; 

loc_A27323:				; CODE XREF: AuthzBasepGetClaimAttributesCopyoutBufferSize(x,x)+72j
		lea	edx, [ecx+1]
		and	edx, 0FFFFFFFEh
		cmp	edx, ecx
		jb	short loc_A2735F
		movzx	eax, word ptr [esi+10h]
		add	eax, edx
		cmp	eax, edx
		jb	short loc_A2735F
		lea	ecx, [eax+2]
		cmp	ecx, eax
		jb	short loc_A2735F
		mov	[ebp+var_4], ecx
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		call	_AuthzBasepGetClaimAttributeValueCopyoutBufferSize@8 ; AuthzBasepGetClaimAttributeValueCopyoutBufferSize(x,x)
		test	eax, eax
		js	short loc_A2735A
		mov	esi, [esi]
		mov	ecx, [ebp+var_4]

loc_A27354:				; CODE XREF: AuthzBasepGetClaimAttributesCopyoutBufferSize(x,x)+3Dj
		cmp	esi, edi
		jnz	short loc_A27323
		mov	[ebx], ecx

loc_A2735A:				; CODE XREF: AuthzBasepGetClaimAttributesCopyoutBufferSize(x,x)+69j
					; AuthzBasepGetClaimAttributesCopyoutBufferSize(x,x)+80j
		pop	esi

loc_A2735B:				; CODE XREF: AuthzBasepGetClaimAttributesCopyoutBufferSize(x,x)+23j
					; AuthzBasepGetClaimAttributesCopyoutBufferSize(x,x)+35j
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_A2735F:				; CODE XREF: AuthzBasepGetClaimAttributesCopyoutBufferSize(x,x)+47j
					; AuthzBasepGetClaimAttributesCopyoutBufferSize(x,x)+51j ...
		mov	eax, 0C0000095h
		jmp	short loc_A2735A
_AuthzBasepGetClaimAttributesCopyoutBufferSize@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildGuidString(x, x, x, x, x, x)
_AdtpBuildGuidString@24	proc near	; CODE XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+121p

arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		test	esi, esi
		jz	short loc_A273F4
		push	6B416553h
		push	4Eh
		pop	eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A27393
		mov	eax, 0C0000017h
		jmp	short loc_A273F9
; 

loc_A27393:				; CODE XREF: AdtpBuildGuidString(x,x,x,x,x,x)+24j
		mov	eax, [ebp+arg_C]
		mov	byte ptr [eax],	1
		movzx	eax, byte ptr [ebx+0Fh]
		push	eax
		movzx	eax, byte ptr [ebx+0Eh]
		push	eax
		movzx	eax, byte ptr [ebx+0Dh]
		push	eax
		movzx	eax, byte ptr [ebx+0Ch]
		push	eax
		movzx	eax, byte ptr [ebx+0Bh]
		push	eax
		movzx	eax, byte ptr [ebx+0Ah]
		push	eax
		movzx	eax, byte ptr [ebx+9]
		push	eax
		movzx	eax, byte ptr [ebx+8]
		push	eax
		movzx	eax, word ptr [ebx+6]
		push	eax
		movzx	eax, word ptr [ebx+4]
		push	eax
		push	dword ptr [ebx]	; char
		push	offset ??_C@_1GI@JHCBPFLC@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4@NNGAKEGL@ ;	wchar_t	*
		push	27h		; int
		push	edi		; wchar_t *
		call	StringCchPrintfW
		add	esp, 38h
		test	eax, eax
		jns	short loc_A27400
		mov	esi, [ebp+arg_C]
		cmp	byte ptr [esi],	1
		jnz	short loc_A273F4
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	byte ptr [esi],	0

loc_A273F4:				; CODE XREF: AdtpBuildGuidString(x,x,x,x,x,x)+Ej
					; AdtpBuildGuidString(x,x,x,x,x,x)+81j
		mov	eax, 0C000000Dh

loc_A273F9:				; CODE XREF: AdtpBuildGuidString(x,x,x,x,x,x)+2Bj
					; AdtpBuildGuidString(x,x,x,x,x,x)+ACj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_A27400:				; CODE XREF: AdtpBuildGuidString(x,x,x,x,x,x)+79j
		push	4Ch
		pop	eax
		mov	[esi], ax
		push	4Eh
		pop	eax
		mov	[esi+2], ax
		xor	eax, eax
		mov	[esi+4], edi
		jmp	short loc_A273F9
_AdtpBuildGuidString@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildHexInt64String(x, x, x, x,	x, x)
_AdtpBuildHexInt64String@24 proc near	; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+71p

var_4		= dword	ptr -4
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	6B416553h
		push	26h
		pop	eax
		push	eax
		push	1
		mov	[ebp+var_4], edx
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A2743F
		mov	eax, 0C0000017h
		jmp	short loc_A274A0
; 

loc_A2743F:				; CODE XREF: AdtpBuildHexInt64String(x,x,x,x,x,x)+22j
		mov	edi, [ebp+arg_C]
		mov	byte ptr [edi],	1
		push	dword ptr [ebx+4]
		push	dword ptr [ebx]	; char
		push	(offset	loc_8C57B9+1) ;	wchar_t	*
		push	13h		; int
		push	esi		; wchar_t *
		call	StringCchPrintfW
		add	esp, 14h
		test	eax, eax
		jns	short loc_A27475
		cmp	byte ptr [edi],	1
		jnz	short loc_A2746E
		xor	ebx, ebx
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[edi], bl

loc_A2746E:				; CODE XREF: AdtpBuildHexInt64String(x,x,x,x,x,x)+4Dj
		mov	eax, 0C000000Dh
		jmp	short loc_A274A0
; 

loc_A27475:				; CODE XREF: AdtpBuildHexInt64String(x,x,x,x,x,x)+48j
		mov	ecx, esi
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_A2747C:				; CODE XREF: AdtpBuildHexInt64String(x,x,x,x,x,x)+71j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A2747C
		sub	ecx, edx
		sar	ecx, 1
		push	26h
		lea	eax, [ecx+ecx]
		mov	ecx, [ebp+var_4]
		mov	[ecx], ax
		pop	eax
		mov	[ecx+2], ax
		xor	eax, eax
		mov	[ecx+4], esi

loc_A274A0:				; CODE XREF: AdtpBuildHexInt64String(x,x,x,x,x,x)+29j
					; AdtpBuildHexInt64String(x,x,x,x,x,x)+5Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_AdtpBuildHexInt64String@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildIPv4Strings(x, x, x, x, x)
_AdtpBuildIPv4Strings@20 proc near	; CODE XREF: AdtpBuildSockAddrString(x,x,x,x,x)+29p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	eax, ecx
		push	2
		pop	ecx
		mov	ebx, edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ebx
		cmp	[eax], cx
		jz	short loc_A274D0
		mov	esi, 0C0000141h
		jmp	loc_A27575
; 

loc_A274D0:				; CODE XREF: AdtpBuildIPv4Strings(x,x,x,x,x)+1Dj
		test	ebx, ebx
		jz	short loc_A27518
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_A27518
		push	20h
		pop	eax
		push	6B416553h
		push	eax
		push	1
		mov	[ebx+2], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+4], eax
		test	eax, eax
		jnz	short loc_A274FD

loc_A274F6:				; CODE XREF: AdtpBuildIPv4Strings(x,x,x,x,x)+9Fj
		mov	esi, 0C0000017h
		jmp	short loc_A27575
; 

loc_A274FD:				; CODE XREF: AdtpBuildIPv4Strings(x,x,x,x,x)+4Dj
		mov	eax, [ebp+var_4]
		mov	byte ptr [esi],	1
		add	eax, 4
		push	dword ptr [ebx+4]
		push	eax
		call	_RtlIpv4AddressToStringW@8 ; RtlIpv4AddressToStringW(x,x)
		sub	eax, [ebx+4]
		and	eax, 0FFFFFFFEh
		mov	[ebx], ax

loc_A27518:				; CODE XREF: AdtpBuildIPv4Strings(x,x,x,x,x)+2Bj
					; AdtpBuildIPv4Strings(x,x,x,x,x)+32j
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		test	esi, esi
		jz	loc_A275C3
		test	edi, edi
		jz	loc_A275C3
		push	10h
		pop	eax
		push	6B416553h
		push	eax
		push	1
		mov	[esi+2], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+4], eax
		test	eax, eax
		jz	short loc_A274F6
		mov	eax, [ebp+var_4]
		mov	byte ptr [edi],	1
		mov	ax, [eax+2]
		rol	ax, 8
		movzx	eax, ax
		push	eax		; char
		push	offset ??_C@_15KNBIKKIN@?$AA?$CF?$AAd@NNGAKEGL@	; wchar_t *
		push	8		; int
		push	dword ptr [esi+4] ; wchar_t *
		call	StringCchPrintfW
		add	esp, 10h
		test	eax, eax
		jns	short loc_A275A8
		mov	esi, 0C000000Dh

loc_A27575:				; CODE XREF: AdtpBuildIPv4Strings(x,x,x,x,x)+24j
					; AdtpBuildIPv4Strings(x,x,x,x,x)+54j
		mov	eax, [ebp+arg_0]
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_A27590
		cmp	[eax], bl
		jz	short loc_A27590
		mov	[eax], bl
		mov	eax, [ebp+var_8]
		push	ebx
		push	dword ptr [eax+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A27590:				; CODE XREF: AdtpBuildIPv4Strings(x,x,x,x,x)+D5j
					; AdtpBuildIPv4Strings(x,x,x,x,x)+D9j
		test	edi, edi
		jz	short loc_A275C5
		cmp	[edi], bl
		jz	short loc_A275C5
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[edi], bl
		push	dword ptr [eax+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A275C5
; 

loc_A275A8:				; CODE XREF: AdtpBuildIPv4Strings(x,x,x,x,x)+C7j
		mov	ecx, [esi+4]
		lea	edx, [ecx+2]

loc_A275AE:				; CODE XREF: AdtpBuildIPv4Strings(x,x,x,x,x)+110j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A275AE
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ecx+ecx]
		mov	[esi], ax

loc_A275C3:				; CODE XREF: AdtpBuildIPv4Strings(x,x,x,x,x)+78j
					; AdtpBuildIPv4Strings(x,x,x,x,x)+80j
		mov	esi, ebx

loc_A275C5:				; CODE XREF: AdtpBuildIPv4Strings(x,x,x,x,x)+EBj
					; AdtpBuildIPv4Strings(x,x,x,x,x)+EFj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_AdtpBuildIPv4Strings@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildIPv6Strings(x, x, x, x, x)
_AdtpBuildIPv6Strings@20 proc near	; CODE XREF: AdtpBuildSockAddrString(x,x,x,x,x)+3Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	eax, ecx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		cmp	word ptr [eax],	17h
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], eax
		jz	short loc_A275F5
		mov	esi, 0C0000141h
		jmp	loc_A2769A
; 

loc_A275F5:				; CODE XREF: AdtpBuildIPv6Strings(x,x,x,x,x)+1Bj
		test	ebx, ebx
		jz	short loc_A2763D
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_A2763D
		push	6Eh
		pop	eax
		push	6B416553h
		push	eax
		push	1
		mov	[ebx+2], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+4], eax
		test	eax, eax
		jnz	short loc_A27622

loc_A2761B:				; CODE XREF: AdtpBuildIPv6Strings(x,x,x,x,x)+9Dj
		mov	esi, 0C0000017h
		jmp	short loc_A2769A
; 

loc_A27622:				; CODE XREF: AdtpBuildIPv6Strings(x,x,x,x,x)+4Bj
		mov	eax, [ebp+var_4]
		mov	byte ptr [esi],	1
		add	eax, 8
		push	dword ptr [ebx+4]
		push	eax
		call	RtlIpv6AddressToStringW
		sub	eax, [ebx+4]
		and	eax, 0FFFFFFFEh
		mov	[ebx], ax

loc_A2763D:				; CODE XREF: AdtpBuildIPv6Strings(x,x,x,x,x)+29j
					; AdtpBuildIPv6Strings(x,x,x,x,x)+30j
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		test	esi, esi
		jz	loc_A276E8
		test	edi, edi
		jz	loc_A276E8
		push	10h
		pop	eax
		push	6B416553h
		push	eax
		push	1
		mov	[esi+2], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+4], eax
		test	eax, eax
		jz	short loc_A2761B
		mov	eax, [ebp+var_4]
		mov	byte ptr [edi],	1
		mov	ax, [eax+2]
		rol	ax, 8
		movzx	eax, ax
		push	eax		; char
		push	offset ??_C@_15KNBIKKIN@?$AA?$CF?$AAd@NNGAKEGL@	; wchar_t *
		push	8		; int
		push	dword ptr [esi+4] ; wchar_t *
		call	StringCchPrintfW
		add	esp, 10h
		test	eax, eax
		jns	short loc_A276CD
		mov	esi, 0C000000Dh

loc_A2769A:				; CODE XREF: AdtpBuildIPv6Strings(x,x,x,x,x)+22j
					; AdtpBuildIPv6Strings(x,x,x,x,x)+52j
		mov	eax, [ebp+arg_0]
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_A276B5
		cmp	[eax], bl
		jz	short loc_A276B5
		mov	[eax], bl
		mov	eax, [ebp+var_8]
		push	ebx
		push	dword ptr [eax+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A276B5:				; CODE XREF: AdtpBuildIPv6Strings(x,x,x,x,x)+D3j
					; AdtpBuildIPv6Strings(x,x,x,x,x)+D7j
		test	edi, edi
		jz	short loc_A276EA
		cmp	[edi], bl
		jz	short loc_A276EA
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[edi], bl
		push	dword ptr [eax+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A276EA
; 

loc_A276CD:				; CODE XREF: AdtpBuildIPv6Strings(x,x,x,x,x)+C5j
		mov	ecx, [esi+4]
		lea	edx, [ecx+2]

loc_A276D3:				; CODE XREF: AdtpBuildIPv6Strings(x,x,x,x,x)+10Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A276D3
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ecx+ecx]
		mov	[esi], ax

loc_A276E8:				; CODE XREF: AdtpBuildIPv6Strings(x,x,x,x,x)+76j
					; AdtpBuildIPv6Strings(x,x,x,x,x)+7Ej
		mov	esi, ebx

loc_A276EA:				; CODE XREF: AdtpBuildIPv6Strings(x,x,x,x,x)+E9j
					; AdtpBuildIPv6Strings(x,x,x,x,x)+EDj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_AdtpBuildIPv6Strings@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildMacStrings(x, x, x)
_AdtpBuildMacStrings@12	proc near	; CODE XREF: AdtpBuildSockAddrString(x,x,x,x,x)+47p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		cmp	word ptr [ebx],	21h
		mov	edi, edx
		jz	short loc_A2770F
		mov	ebx, 0C0000141h
		jmp	short loc_A27737
; 

loc_A2770F:				; CODE XREF: AdtpBuildMacStrings(x,x,x)+13j
		test	edi, edi
		jz	short loc_A27767
		test	esi, esi
		jz	short loc_A27767
		push	24h
		pop	eax
		push	6B416553h
		push	eax
		push	1
		mov	[edi+2], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+4], eax
		test	eax, eax
		jnz	short loc_A2774F
		mov	ebx, 0C0000017h

loc_A27737:				; CODE XREF: AdtpBuildMacStrings(x,x,x)+1Aj
		test	esi, esi
		jz	short loc_A27769
		cmp	byte ptr [esi],	0
		jz	short loc_A27769
		push	0
		mov	byte ptr [esi],	0
		push	dword ptr [edi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A27769
; 

loc_A2774F:				; CODE XREF: AdtpBuildMacStrings(x,x,x)+3Dj
		mov	byte ptr [esi],	1
		lea	eax, [ebx+2]
		push	dword ptr [edi+4]
		push	eax
		call	_RtlEthernetAddressToStringW@8 ; RtlEthernetAddressToStringW(x,x)
		sub	eax, [edi+4]
		and	eax, 0FFFFFFFEh
		mov	[edi], ax

loc_A27767:				; CODE XREF: AdtpBuildMacStrings(x,x,x)+1Ej
					; AdtpBuildMacStrings(x,x,x)+22j
		xor	ebx, ebx

loc_A27769:				; CODE XREF: AdtpBuildMacStrings(x,x,x)+46j
					; AdtpBuildMacStrings(x,x,x)+4Bj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	4
_AdtpBuildMacStrings@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildPrivilegeAuditString(x, x,	x, x, x, x)
_AdtpBuildPrivilegeAuditString@24 proc near ; CODE XREF: AdtpPackageParameters+8420Ep
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+60Cp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		mov	ebx, ecx
		xor	ecx, ecx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], ebx
		push	edi
		mov	eax, [ebx]
		mov	[ebp+var_10], esi
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		test	eax, eax
		jnz	short loc_A277D8
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A277C0
		mov	dword ptr [eax], offset	dword_40A908
		mov	[eax+4], ecx
		mov	dword ptr [eax+8], 4
		mov	[eax+0Ch], ecx
		jmp	loc_A27935
; 

loc_A277C0:				; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+34j
		test	esi, esi
		jz	loc_A27935
		push	offset ??_C@_13IMODFHAA@?$AA?9@NNGAKEGL@
		push	esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_A27935
; 

loc_A277D8:				; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+2Dj
		cmp	eax, 42h
		ja	loc_A27939
		push	(offset	loc_8C65A5+1)
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_13HGPDMIBE@?$AA?$DP@NNGAKEGL@
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	cx, _AdtpWellKnownPrivilegeMaxLen
		add	cx, word ptr [ebp+var_18]
		movzx	eax, word ptr [ebx]
		mov	ebx, [ebp+arg_4]
		movzx	ecx, cx
		imul	ecx, eax
		push	2
		pop	eax
		sub	cx, word ptr [ebp+var_18]
		add	cx, ax
		shr	cx, 1
		movzx	eax, cx
		mov	[ebp+var_8], eax
		movzx	edi, ax
		test	ebx, ebx
		jz	short loc_A27848
		mov	eax, [ebp+arg_8]
		mov	ecx, [eax]
		lea	edx, [ecx+edi]
		cmp	edx, 400h
		jnb	short loc_A27848
		lea	ebx, [ebx+ecx*2]
		mov	[eax], edx
		mov	[ebp+arg_8], ebx
		jmp	short loc_A27871
; 

loc_A27848:				; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+BAj
					; AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+CAj
		push	6B416553h
		lea	eax, [edi+edi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+arg_8], ebx
		test	ebx, ebx
		jnz	short loc_A2786B
		mov	eax, 0C0000017h
		jmp	loc_A2793E
; 

loc_A2786B:				; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+EDj
		mov	eax, [ebp+arg_C]
		mov	byte ptr [eax],	1

loc_A27871:				; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+D4j
		mov	eax, [ebp+var_8]
		mov	edi, ebx
		and	[ebp+arg_C], 0
		add	eax, eax
		mov	word ptr [ebp+var_C+2],	ax
		mov	eax, [ebp+var_4]
		cmp	dword ptr [eax], 0
		jbe	short loc_A27907
		mov	esi, [ebp+var_4]
		add	eax, 8
		mov	ebx, [ebp+arg_C]
		mov	[ebp+arg_4], eax

loc_A27894:				; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+18Dj
		lea	edx, [ebp+var_28]
		mov	ecx, eax
		call	_AdtpLookupKnownPrivilegeNameQuickly@8 ; AdtpLookupKnownPrivilegeNameQuickly(x,x)
		test	eax, eax
		jnz	short loc_A278BA
		movzx	esi, word ptr [ebp+var_28]
		push	esi		; size_t
		push	[ebp+var_24]	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, esi
		mov	esi, [ebp+var_4]
		jmp	short loc_A278D1
; 

loc_A278BA:				; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+12Ej
		movzx	eax, word ptr [ebp+var_20]
		push	eax		; size_t
		push	[ebp+var_1C]	; void *
		push	edi		; void *
		call	_memcpy
		movzx	eax, word ptr [ebp+var_20]
		add	esp, 0Ch
		add	edi, eax

loc_A278D1:				; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+146j
		mov	ecx, [esi]
		lea	eax, [ecx-1]
		cmp	ebx, eax
		jnb	short loc_A278F3
		movzx	eax, word ptr [ebp+var_18]
		push	eax		; size_t
		push	[ebp+var_14]	; void *
		push	edi		; void *
		call	_memcpy
		movzx	eax, word ptr [ebp+var_18]
		add	esp, 0Ch
		mov	ecx, [esi]
		add	edi, eax

loc_A278F3:				; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+166j
		mov	eax, [ebp+arg_4]
		inc	ebx
		add	eax, 0Ch
		mov	[ebp+arg_4], eax
		cmp	ebx, ecx
		jb	short loc_A27894
		mov	ebx, [ebp+arg_8]
		mov	esi, [ebp+var_10]

loc_A27907:				; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+114j
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	[edi], ax
		sub	edi, ebx
		mov	word ptr [ebp+var_C], di
		test	ecx, ecx
		jz	short loc_A2792D
		and	[ecx+4], eax
		movzx	eax, di
		add	eax, 2
		mov	[ecx], ebx
		and	dword ptr [ecx+0Ch], 0
		mov	[ecx+8], eax
		jmp	short loc_A27935
; 

loc_A2792D:				; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+1A5j
		mov	eax, [ebp+var_C]
		mov	[esi], eax
		mov	[esi+4], ebx

loc_A27935:				; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+49j
					; AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+50j ...
		xor	eax, eax
		jmp	short loc_A2793E
; 

loc_A27939:				; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+69j
		mov	eax, 0C000000Dh

loc_A2793E:				; CODE XREF: AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+F4j
					; AdtpBuildPrivilegeAuditString(x,x,x,x,x,x)+1C5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_AdtpBuildPrivilegeAuditString@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	AdtpBuildRegistryValueString(void *,int,int)
_AdtpBuildRegistryValueString@20 proc near
					; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+239p
					; SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+332p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, edx
		xor	ebx, ebx
		mov	edx, [ebp+arg_8]
		xor	eax, eax
		inc	eax
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], eax
		mov	[edx], bl
		push	edi
		mov	edi, [ebp+arg_4]
		cmp	ecx, 4
		jnz	short loc_A2797D
		cmp	esi, 4
		jb	loc_A27ABC
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx]
		jmp	short loc_A27992
; 

loc_A2797D:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+26j
		cmp	ecx, 5
		jnz	short loc_A2799F
		cmp	esi, 4
		jb	loc_A27ABC
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax]
		bswap	ecx

loc_A27992:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+36j
		push	edx
		push	ebx
		push	ebx
		mov	edx, edi
		push	ebx
		call	_AdtpBuildUlongString@24 ; AdtpBuildUlongString(x,x,x,x,x,x)
		jmp	short loc_A279BB
; 

loc_A2799F:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+3Bj
		cmp	ecx, 0Bh
		jnz	short loc_A279C5
		cmp	esi, 8
		jb	loc_A27ABC
		mov	ecx, [ebp+arg_0]
		push	edx
		sub	esp, 0Ch
		mov	edx, edi
		call	_AdtpBuildHexInt64String@24 ; AdtpBuildHexInt64String(x,x,x,x,x,x)

loc_A279BB:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+58j
					; AdtpBuildRegistryValueString(x,x,x,x,x)+1AEj
		mov	esi, eax
		mov	[ebp+var_4], esi
		jmp	loc_A27B87
; 

loc_A279C5:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+5Dj
		cmp	ecx, eax
		jz	loc_A27AF8
		cmp	ecx, 2
		jz	loc_A27AF8
		cmp	ecx, 7
		jnz	loc_A27ABC
		shr	esi, 1
		mov	ecx, ebx
		jz	short loc_A27A01
		mov	edx, [ebp+arg_0]
		lea	edx, [edx+esi*2]
		add	edx, 0FFFFFFFEh

loc_A279EE:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+BAj
		cmp	[edx], bx
		jnz	short loc_A27A01
		cmp	ecx, 2
		jnb	short loc_A27A01
		sub	edx, 2
		inc	ecx
		sub	esi, 1
		jnz	short loc_A279EE

loc_A27A01:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+9Ej
					; AdtpBuildRegistryValueString(x,x,x,x,x)+ACj ...
		cmp	esi, eax
		jb	loc_A27A9A
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		mov	[ebp+var_C], 2Ah
		mov	edi, ebx

loc_A27A17:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+E2j
		movzx	eax, word ptr [ecx]
		lea	ecx, [ecx+2]
		cmp	ax, word ptr [ebp+var_C]
		jnz	short loc_A27A24
		inc	edi

loc_A27A24:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+DCj
		sub	edx, 1
		jnz	short loc_A27A17
		lea	eax, [edi+esi]
		mov	[ebp+var_10], eax
		lea	eax, ds:2[eax*2]
		push	6B416553h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, [ebp+arg_4]
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jnz	short loc_A27A5B

loc_A27A4F:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+18Bj
					; AdtpBuildRegistryValueString(x,x,x,x,x)+1E1j
		mov	[ebp+var_4], 0C0000017h
		jmp	loc_A27B8B
; 

loc_A27A5B:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+108j
		mov	edi, [ebp+var_10]
		mov	eax, ebx

loc_A27A60:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+136j
		cmp	eax, edi
		jnb	short loc_A27A7D
		mov	edx, [ebp+arg_0]
		movzx	edx, word ptr [edx+ebx*2]
		test	dx, dx
		jnz	short loc_A27A85
		push	2Ah
		pop	edx

loc_A27A73:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+144j
		mov	[ecx+eax*2], dx

loc_A27A77:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+153j
		inc	ebx
		inc	eax
		cmp	ebx, esi
		jb	short loc_A27A60

loc_A27A7D:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+11Dj
		xor	edx, edx
		mov	[ecx+eax*2], dx
		jmp	short loc_A27A9C
; 

loc_A27A85:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+129j
		cmp	dx, word ptr [ebp+var_C]
		jnz	short loc_A27A73
		push	2Ah
		pop	edx
		mov	[ecx+eax*2], dx
		mov	[ecx+eax*2+2], dx
		inc	eax
		jmp	short loc_A27A77
; 

loc_A27A9A:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+BEj
		mov	ecx, ebx

loc_A27A9C:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+13Ej
		push	ecx
		push	[ebp+arg_4]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		cmp	[ebp+var_8], 0
		jz	loc_A27BA2
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		inc	ecx
		mov	[eax], cl
		jmp	loc_A27BA2
; 

loc_A27ABC:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+2Bj
					; AdtpBuildRegistryValueString(x,x,x,x,x)+40j ...
		push	6B416553h
		push	1Ah
		pop	esi
		push	esi
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+4], eax
		test	eax, eax
		jz	loc_A27A4F
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		inc	ecx
		mov	edx, edi
		mov	[eax], cl
		xor	eax, eax
		mov	ecx, 708h
		mov	[edi], ax
		mov	[edi+2], si
		call	_AdtpBuildReplacementString@8 ;	AdtpBuildReplacementString(x,x)
		jmp	loc_A279BB
; 

loc_A27AF8:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+82j
					; AdtpBuildRegistryValueString(x,x,x,x,x)+8Bj
		mov	ecx, [ebp+arg_0]
		cmp	esi, 2
		jb	short loc_A27B47
		mov	eax, esi
		xor	edx, edx
		and	eax, 0FFFFFFFEh
		mov	[ebp+var_10], eax
		cmp	dx, [eax+ecx-2]
		jz	short loc_A27B47
		push	6B416553h
		lea	eax, [esi+2]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		jz	loc_A27A4F
		push	esi		; size_t
		push	[ebp+arg_0]	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		mov	[ecx+eax], dx
		jmp	short loc_A27B53
; 

loc_A27B47:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+1B9j
					; AdtpBuildRegistryValueString(x,x,x,x,x)+1CAj
		cmp	esi, 2
		mov	byte ptr [ebp+var_C], bl
		sbb	eax, eax
		not	eax
		and	eax, ecx

loc_A27B53:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+200j
		push	eax
		push	edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_C]
		mov	[eax], cl
		movzx	eax, word ptr [edi]
		movzx	ecx, si
		mov	esi, ecx
		cmp	ax, cx
		jb	short loc_A27B71
		mov	eax, ecx

loc_A27B71:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+228j
		mov	[edi], ax
		movzx	eax, word ptr [edi+2]
		mov	edx, eax
		cmp	ax, cx
		jb	short loc_A27B81
		mov	eax, esi

loc_A27B81:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+238j
		mov	[edi+2], ax
		mov	esi, ebx

loc_A27B87:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+7Bj
		test	esi, esi
		jns	short loc_A27BA2

loc_A27B8B:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+111j
		mov	esi, [ebp+arg_8]
		cmp	[esi], bl
		jz	short loc_A27BA0
		mov	eax, [edi+4]
		test	eax, eax
		jz	short loc_A27BA0
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A27BA0:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+24Bj
					; AdtpBuildRegistryValueString(x,x,x,x,x)+252j
		mov	[esi], bl

loc_A27BA2:				; CODE XREF: AdtpBuildRegistryValueString(x,x,x,x,x)+164j
					; AdtpBuildRegistryValueString(x,x,x,x,x)+172j	...
		mov	eax, [ebp+var_4]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_AdtpBuildRegistryValueString@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildSecurityDescriptorChangeString(x, x, x, x,	x, x, x, x, x, x, x)
_AdtpBuildSecurityDescriptorChangeString@44 proc near
					; CODE XREF: AdtpPackageParameters+8424Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		push	edi
		push	[ebp+arg_20]
		mov	[ebp+var_4], eax
		push	[ebp+arg_1C]
		push	ebx
		push	0
		call	_AdtpBuildSecurityDescriptorUnicodeString@28 ; AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A27C06
		push	[ebp+arg_18]
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_20]
		mov	ecx, [ebp+var_4]
		push	[ebp+arg_1C]
		push	[ebp+arg_14]
		push	0
		call	_AdtpBuildSecurityDescriptorUnicodeString@28 ; AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A27C06
		cmp	byte ptr [edi],	0
		jz	short loc_A27C06
		push	0
		mov	byte ptr [edi],	0
		push	dword ptr [ebx]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A27C06:				; CODE XREF: AdtpBuildSecurityDescriptorChangeString(x,x,x,x,x,x,x,x,x,x,x)+28j
					; AdtpBuildSecurityDescriptorChangeString(x,x,x,x,x,x,x,x,x,x,x)+47j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	24h
_AdtpBuildSecurityDescriptorChangeString@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildSecurityDescriptorUnicodeString(x,	x, x, x, x, x, x)
_AdtpBuildSecurityDescriptorUnicodeString@28 proc near
					; CODE XREF: AdtpPackageParameters+8429Ep
					; AdtpBuildSecurityDescriptorChangeString(x,x,x,x,x,x,x,x,x,x,x)+1Fp ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= word ptr -28h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_40], esi
		xor	esi, esi
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_48], eax
		mov	[ebp+var_38], esi
		mov	[ebp+var_2C], esi
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_44], edi
		test	ebx, ebx
		jnz	short loc_A27C59
		test	eax, eax
		jnz	short loc_A27C59
		mov	eax, 0C000000Dh
		jmp	loc_A27DA6
; 

loc_A27C59:				; CODE XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+3Aj
					; AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+3Ej
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	ecx
		push	1
		push	edx
		call	SeConvertSecurityDescriptorToStringSecurityDescriptor
		mov	edx, [ebp+var_2C]
		mov	esi, eax
		mov	[ebp+var_3C], edx
		test	esi, esi
		jns	short loc_A27CA6
		cmp	esi, 0C0000017h
		jz	loc_A27D94
		push	esi		; char
		push	offset ??_C@_1BC@JBLGCGBA@?$AA?$DM?$AA0?$AAx?$AA?$CF?$AA0?$AA8?$AAX?$AA?$DO@NNGAKEGL@ ;	wchar_t	*
		lea	eax, [ebp+var_28]
		push	10h		; int
		push	eax		; wchar_t *
		call	StringCchPrintfW
		add	esp, 10h
		lea	edx, [ebp+var_28]
		test	eax, eax
		jns	short loc_A27CA2
		mov	edx, offset ??_C@_13IMODFHAA@?$AA?9@NNGAKEGL@

loc_A27CA2:				; CODE XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+8Cj
		xor	eax, eax
		mov	esi, eax

loc_A27CA6:				; CODE XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+65j
		mov	ecx, edx
		mov	[ebp+var_30], edx
		lea	edx, [ecx+2]

loc_A27CAE:				; CODE XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+A9j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_38]
		jnz	short loc_A27CAE
		sub	ecx, edx
		sar	ecx, 1
		inc	ecx
		mov	[ebp+var_2C], ecx
		lea	eax, [ecx+ecx]
		cmp	eax, 0FFFFh
		jbe	short loc_A27D0D
		push	725h		; char
		push	offset ??_C@_1O@PEHDFMOI@?$AA?$CF?$AA?$CF?$AA?$CF?$AA?$CF?$AA?$CF?$AAu@NNGAKEGL@ ; "%%%%%u"
		lea	eax, [ebp+var_28]
		push	10h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	loc_A27D94
		lea	eax, [ebp+var_28]
		mov	ecx, eax
		mov	[ebp+var_30], eax
		lea	edx, [ecx+2]

loc_A27CF9:				; CODE XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+F4j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_38]
		jnz	short loc_A27CF9
		sub	ecx, edx
		sar	ecx, 1
		inc	ecx
		mov	[ebp+var_2C], ecx

loc_A27D0D:				; CODE XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+BBj
		mov	eax, [edi]
		lea	edx, [eax+ecx]
		cmp	edx, 400h
		jnb	short loc_A27D29
		mov	edi, [ebp+var_40]
		lea	edi, [edi+eax*2]
		mov	eax, [ebp+var_44]
		mov	[eax], edx
		xor	eax, eax
		jmp	short loc_A27D4C
; 

loc_A27D29:				; CODE XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+109j
		push	6B416553h
		lea	eax, [ecx+ecx]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A27D46
		mov	esi, 0C0000017h
		jmp	short loc_A27D94
; 

loc_A27D46:				; CODE XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+12Ej
		mov	ecx, [ebp+var_2C]
		xor	eax, eax
		inc	eax

loc_A27D4C:				; CODE XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+118j
		mov	edx, [ebp+var_34]
		mov	[edx], al
		lea	eax, [ecx+ecx]
		push	eax		; size_t
		push	[ebp+var_30]	; void *
		mov	[ebp+var_34], eax
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		test	ebx, ebx
		jz	short loc_A27D7A
		mov	eax, [ebp+var_34]
		xor	ecx, ecx
		mov	[ebx], edi
		mov	[ebx+4], ecx
		mov	[ebx+8], eax
		mov	[ebx+0Ch], ecx
		jmp	short loc_A27D96
; 

loc_A27D7A:				; CODE XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+157j
		mov	eax, [ebp+var_2C]
		mov	ecx, [ebp+var_48]
		lea	eax, ds:0FFFFFFFEh[eax*2]
		mov	[ecx], ax
		add	eax, 2
		mov	[ecx+2], ax
		mov	[ecx+4], edi

loc_A27D94:				; CODE XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+6Dj
					; AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+D9j ...
		xor	ecx, ecx

loc_A27D96:				; CODE XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+169j
		mov	ebx, [ebp+var_3C]
		test	ebx, ebx
		jz	short loc_A27DA4
		push	ecx
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A27DA4:				; CODE XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+18Cj
		mov	eax, esi

loc_A27DA6:				; CODE XREF: AdtpBuildSecurityDescriptorUnicodeString(x,x,x,x,x,x,x)+45j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_AdtpBuildSecurityDescriptorUnicodeString@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildSidListString(x, x, x, x, x, x)
_AdtpBuildSidListString@24 proc	near	; CODE XREF: AdtpPackageParameters+84017p

var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_209		= byte ptr -209h
var_208		= dword	ptr -208h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 244h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		mov	[ebp+var_238], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_218], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_240], eax
		mov	eax, edx
		mov	[ebp+var_23C], ecx
		mov	[ebp+var_230], edx
		mov	[ebp+var_22C], edx
		mov	[ebp+var_220], edx
		mov	[ebp+var_21C], edx
		mov	[ebp+var_209], dl
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jz	loc_A28021
		mov	edx, [ecx]
		mov	[ebp+var_234], edx
		test	edx, edx
		jz	loc_A2801F
		and	[ebp+var_228], eax
		xor	ebx, ebx
		mov	ecx, [ecx+4]
		inc	ebx
		mov	[ebp+var_210], ebx
		test	edx, edx
		jz	loc_A27EDD
		add	ecx, 4
		mov	[ebp+var_214], ecx

loc_A27E52:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+F6j
		mov	ecx, [ecx]
		lea	edx, [ebp+var_224]
		and	[ebp+var_224], 0
		call	_RtlLengthSidAsUnicodeString@8 ; RtlLengthSidAsUnicodeString(x,x)
		mov	edx, [ebp+var_224]
		lea	eax, [ebp+var_210]
		shr	edx, 1
		mov	ecx, ebx
		push	eax
		add	edx, 7
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A27EBC
		mov	eax, [ebp+var_228]
		mov	ecx, [ebp+var_214]
		inc	eax
		mov	ebx, [ebp+var_210]
		add	ecx, 8
		mov	[ebp+var_228], eax
		mov	[ebp+var_214], ecx
		cmp	eax, [ebp+var_234]
		jb	short loc_A27E52
		cmp	ebx, 7FFFh
		jbe	short loc_A27EDD
		mov	edi, 0C000000Dh

loc_A27EBC:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+CCj
					; AdtpBuildSidListString(x,x,x,x,x,x)+173j ...
		mov	cl, [ebp+var_209]

loc_A27EC2:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+293j
					; AdtpBuildSidListString(x,x,x,x,x,x)+2A3j
		mov	eax, [ebp+var_240]
		mov	[eax], cl
		mov	eax, edi
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_A27EDD:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+8Cj
					; AdtpBuildSidListString(x,x,x,x,x,x)+FEj
		mov	eax, [ebp+var_218]
		mov	eax, [eax]
		lea	edx, [eax+ebx]
		cmp	edx, 400h
		jnb	short loc_A27F09
		mov	ecx, [ebp+var_238]
		lea	ecx, [ecx+eax*2]
		mov	eax, [ebp+var_218]
		mov	[ebp+var_210], ecx
		mov	[eax], edx
		jmp	short loc_A27F33
; 

loc_A27F09:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+137j
		push	6B416553h
		lea	eax, [ebx+ebx]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_210], ecx
		test	ecx, ecx
		jnz	short loc_A27F2C
		mov	edi, 0C0000017h
		jmp	short loc_A27EBC
; 

loc_A27F2C:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+16Cj
		mov	[ebp+var_209], 1

loc_A27F33:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+150j
		lea	eax, [ebx+ebx]
		mov	[ebp+var_21C], ecx
		mov	ebx, [ebp+var_23C]
		xor	edx, edx
		mov	word ptr [ebp+var_220+2], ax
		mov	eax, 200h
		mov	word ptr [ebp+var_230+2], ax
		lea	eax, [ebp+var_208]
		mov	[ebp+var_22C], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_218], edx
		cmp	[ebx], edx
		jbe	loc_A27FF6
		add	eax, 4
		mov	[ebp+var_214], eax

loc_A27F7D:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+237j
		push	edx
		push	dword ptr [eax]
		lea	eax, [ebp+var_230]
		push	eax
		call	RtlConvertSidToUnicodeString
		mov	edi, eax
		test	edi, edi
		js	loc_A2803C
		push	offset ??_C@_1O@HLIMJNPL@?$AA?$AN?$AA?6?$AA?7?$AA?7?$AA?$CF?$AA?$HL@NNGAKEGL@ ;	void *
		lea	eax, [ebp+var_220]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_230]
		push	eax
		lea	eax, [ebp+var_220]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	offset ??_C@_13EHOOFIKC@?$AA?$HN@NNGAKEGL@ ; void *
		lea	eax, [ebp+var_220]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	ecx, [ebp+var_218]
		mov	edi, eax
		mov	eax, [ebp+var_214]
		inc	ecx
		add	eax, 8
		mov	[ebp+var_218], ecx
		push	0
		mov	[ebp+var_214], eax
		pop	edx
		cmp	ecx, [ebx]
		jb	short loc_A27F7D
		mov	ecx, [ebp+var_210]

loc_A27FF6:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+1B7j
		test	esi, esi
		jz	short loc_A2800F
		movzx	eax, word ptr [ebp+var_220]
		add	eax, 2
		mov	[esi], ecx
		mov	[esi+4], edx
		mov	[esi+8], eax
		mov	[esi+0Ch], edx

loc_A2800F:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+241j
		mov	eax, [ebp+var_210]

loc_A28015:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+283j
		test	edi, edi
		jns	loc_A27EBC
		jmp	short loc_A28042
; 

loc_A2801F:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+72j
		xor	edx, edx

loc_A28021:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+62j
		test	esi, esi
		jz	short loc_A28038
		mov	dword ptr [esi], offset	dword_40A908
		mov	[esi+4], edx
		mov	dword ptr [esi+8], 4
		mov	[esi+0Ch], edx

loc_A28038:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+26Cj
		mov	edi, edx
		jmp	short loc_A28015
; 

loc_A2803C:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+1D9j
		mov	eax, [ebp+var_210]

loc_A28042:				; CODE XREF: AdtpBuildSidListString(x,x,x,x,x,x)+266j
		mov	cl, [ebp+var_209]
		test	cl, cl
		jz	loc_A27EC2
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	cl, cl
		jmp	loc_A27EC2
_AdtpBuildSidListString@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildSockAddrString(x, x, x, x,	x)
_AdtpBuildSockAddrString@20 proc near	; CODE XREF: AdtpPackageParameters+84136p
					; AdtpPackageParameters+84174p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	ebx, ebx
		push	edi
		test	esi, esi
		jz	short loc_A28072
		mov	[esi], bl

loc_A28072:				; CODE XREF: AdtpBuildSockAddrString(x,x,x,x,x)+Fj
		mov	edi, [ebp+arg_8]
		test	edi, edi
		jz	short loc_A2807B
		mov	[edi], bl

loc_A2807B:				; CODE XREF: AdtpBuildSockAddrString(x,x,x,x,x)+18j
		movzx	eax, word ptr [ecx]
		cmp	eax, 2
		jnz	short loc_A2808F
		push	edi
		push	[ebp+arg_4]
		push	esi
		call	_AdtpBuildIPv4Strings@20 ; AdtpBuildIPv4Strings(x,x,x,x,x)
		jmp	short loc_A280AB
; 

loc_A2808F:				; CODE XREF: AdtpBuildSockAddrString(x,x,x,x,x)+22j
		cmp	eax, 17h
		jnz	short loc_A280A0
		push	edi
		push	[ebp+arg_4]
		push	esi
		call	_AdtpBuildIPv6Strings@20 ; AdtpBuildIPv6Strings(x,x,x,x,x)
		jmp	short loc_A280AB
; 

loc_A280A0:				; CODE XREF: AdtpBuildSockAddrString(x,x,x,x,x)+33j
		cmp	eax, 21h
		jnz	short loc_A280AF
		push	esi
		call	_AdtpBuildMacStrings@12	; AdtpBuildMacStrings(x,x,x)

loc_A280AB:				; CODE XREF: AdtpBuildSockAddrString(x,x,x,x,x)+2Ej
					; AdtpBuildSockAddrString(x,x,x,x,x)+3Fj
		mov	ebx, eax
		jmp	short loc_A280DC
; 

loc_A280AF:				; CODE XREF: AdtpBuildSockAddrString(x,x,x,x,x)+44j
		test	edx, edx
		jz	short loc_A280C4
		test	esi, esi
		jz	short loc_A280C4
		push	offset ??_C@_13IMODFHAA@?$AA?9@NNGAKEGL@
		push	edx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[esi], bl

loc_A280C4:				; CODE XREF: AdtpBuildSockAddrString(x,x,x,x,x)+52j
					; AdtpBuildSockAddrString(x,x,x,x,x)+56j
		cmp	[ebp+arg_4], ebx
		jz	short loc_A280DC
		test	edi, edi
		jz	short loc_A280DC
		push	offset ??_C@_13IMODFHAA@?$AA?9@NNGAKEGL@
		push	[ebp+arg_4]
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[edi], bl

loc_A280DC:				; CODE XREF: AdtpBuildSockAddrString(x,x,x,x,x)+4Ej
					; AdtpBuildSockAddrString(x,x,x,x,x)+68j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	0Ch
_AdtpBuildSockAddrString@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildStringListString(x, x, x, x, x, x)
_AdtpBuildStringListString@24 proc near	; CODE XREF: AdtpPackageParameters+83FF1p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ecx, ecx
		push	2
		pop	esi
		test	edi, edi
		jz	loc_A281F4
		mov	edx, [edi]
		test	edx, edx
		jz	loc_A281F4
		mov	ecx, [edi+4]
		add	ecx, 4

loc_A2810E:				; CODE XREF: AdtpBuildStringListString(x,x,x,x,x,x)+37j
		movzx	eax, word ptr [ecx]
		add	esi, 8
		add	esi, eax
		lea	ecx, [ecx+0Ch]
		sub	edx, 1
		jnz	short loc_A2810E
		cmp	esi, 0FFFFh
		jbe	short loc_A28130
		mov	eax, 0C000000Dh
		jmp	loc_A28210
; 

loc_A28130:				; CODE XREF: AdtpBuildStringListString(x,x,x,x,x,x)+3Fj
		mov	ecx, [ebp+arg_8]
		shr	esi, 1
		mov	edx, [ecx]
		lea	eax, [edx+esi]
		cmp	eax, 400h
		jnb	short loc_A28153
		mov	eax, [ebp+arg_4]
		lea	ebx, [eax+edx*2]
		lea	eax, [edx+esi]
		mov	[ebp+arg_8], ebx
		mov	[ecx], eax
		xor	cl, cl
		jmp	short loc_A28179
; 

loc_A28153:				; CODE XREF: AdtpBuildStringListString(x,x,x,x,x,x)+5Aj
		push	6B416553h
		lea	eax, [esi+esi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+arg_8], ebx
		test	ebx, ebx
		jnz	short loc_A28176
		mov	eax, 0C0000017h
		jmp	loc_A28210
; 

loc_A28176:				; CODE XREF: AdtpBuildStringListString(x,x,x,x,x,x)+85j
		xor	ecx, ecx
		inc	ecx

loc_A28179:				; CODE XREF: AdtpBuildStringListString(x,x,x,x,x,x)+6Cj
		mov	eax, [ebp+arg_C]
		mov	edx, ebx
		mov	[eax], cl
		xor	eax, eax
		mov	word ptr [ebp+var_8], ax
		lea	eax, [esi+esi]
		mov	esi, [edi+4]
		mov	word ptr [ebp+var_8+2],	ax
		xor	eax, eax
		mov	[ebp+var_4], edx
		cmp	[edi], eax
		jbe	short loc_A281CA
		add	esi, 4
		mov	ebx, eax

loc_A2819E:				; CODE XREF: AdtpBuildStringListString(x,x,x,x,x,x)+D7j
		push	offset ??_C@_19CCEMBOLD@?$AA?$AN?$AA?6?$AA?7?$AA?7@NNGAKEGL@ ; "\r"
		lea	eax, [ebp+var_8]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	esi
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		inc	ebx
		add	esi, 0Ch
		cmp	ebx, [edi]
		jb	short loc_A2819E
		mov	edx, [ebp+var_4]
		mov	ax, word ptr [ebp+var_8]
		mov	ebx, [ebp+arg_8]
		jmp	short loc_A281CC
; 

loc_A281CA:				; CODE XREF: AdtpBuildStringListString(x,x,x,x,x,x)+B2j
		xor	eax, eax

loc_A281CC:				; CODE XREF: AdtpBuildStringListString(x,x,x,x,x,x)+E3j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_A281E8
		and	dword ptr [ecx+4], 0
		movzx	eax, ax
		add	eax, 2
		mov	[ecx], ebx
		and	dword ptr [ecx+0Ch], 0
		mov	[ecx+8], eax
		jmp	short loc_A2820E
; 

loc_A281E8:				; CODE XREF: AdtpBuildStringListString(x,x,x,x,x,x)+ECj
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		mov	[ecx], eax
		mov	[ecx+4], edx
		jmp	short loc_A2820E
; 

loc_A281F4:				; CODE XREF: AdtpBuildStringListString(x,x,x,x,x,x)+13j
					; AdtpBuildStringListString(x,x,x,x,x,x)+1Dj
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A2820E
		mov	dword ptr [eax], offset	dword_40A908
		mov	[eax+4], ecx
		mov	dword ptr [eax+8], 4
		mov	[eax+0Ch], ecx

loc_A2820E:				; CODE XREF: AdtpBuildStringListString(x,x,x,x,x,x)+101j
					; AdtpBuildStringListString(x,x,x,x,x,x)+10Dj ...
		xor	eax, eax

loc_A28210:				; CODE XREF: AdtpBuildStringListString(x,x,x,x,x,x)+46j
					; AdtpBuildStringListString(x,x,x,x,x,x)+8Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_AdtpBuildStringListString@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildUlongString(x, x, x, x, x,	x)
_AdtpBuildUlongString@24 proc near	; CODE XREF: AdtpPackageParameters+83E43p
					; AdtpBuildRegistryValueString(x,x,x,x,x)+53p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		test	esi, esi
		jnz	short loc_A28239
		test	ebx, ebx
		jnz	short loc_A28239
		mov	eax, 0C000000Dh
		jmp	loc_A282DA
; 

loc_A28239:				; CODE XREF: AdtpBuildUlongString(x,x,x,x,x,x)+12j
					; AdtpBuildUlongString(x,x,x,x,x,x)+16j
		and	[ebp+arg_0], 0
		mov	ecx, [ebp+arg_4]
		push	edi
		test	ecx, ecx
		jz	short loc_A28267
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_A28267
		mov	edx, [eax]
		lea	edi, [edx+0Bh]
		cmp	edi, 400h
		jnb	short loc_A28267
		lea	edi, [ecx+edx*2]
		lea	ecx, [edx+0Bh]
		mov	[eax], ecx
		xor	eax, eax
		mov	cl, al
		jmp	short loc_A28285
; 

loc_A28267:				; CODE XREF: AdtpBuildUlongString(x,x,x,x,x,x)+2Cj
					; AdtpBuildUlongString(x,x,x,x,x,x)+33j ...
		push	6B416553h
		push	16h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A28282
		mov	eax, 0C0000017h
		jmp	short loc_A282D9
; 

loc_A28282:				; CODE XREF: AdtpBuildUlongString(x,x,x,x,x,x)+62j
		xor	ecx, ecx
		inc	ecx

loc_A28285:				; CODE XREF: AdtpBuildUlongString(x,x,x,x,x,x)+4Ej
		mov	eax, [ebp+arg_C]
		push	0Ah		; int
		push	edi		; wchar_t *
		push	[ebp+var_4]	; unsigned __int32
		mov	[eax], cl
		call	__ultow
		mov	ecx, edi
		add	esp, 0Ch
		lea	edx, [ecx+2]

loc_A2829D:				; CODE XREF: AdtpBuildUlongString(x,x,x,x,x,x)+90j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+arg_0]
		jnz	short loc_A2829D
		sub	ecx, edx
		sar	ecx, 1
		test	esi, esi
		jz	short loc_A282C7
		xor	edx, edx
		mov	[esi], edi
		lea	eax, ds:2[ecx*2]
		mov	[esi+4], edx
		mov	[esi+8], eax
		mov	[esi+0Ch], edx
		jmp	short loc_A282D7
; 

loc_A282C7:				; CODE XREF: AdtpBuildUlongString(x,x,x,x,x,x)+98j
		lea	eax, [ecx+ecx]
		mov	[ebx+4], edi
		push	16h
		mov	[ebx], ax
		pop	eax
		mov	[ebx+2], ax

loc_A282D7:				; CODE XREF: AdtpBuildUlongString(x,x,x,x,x,x)+AEj
		xor	eax, eax

loc_A282D9:				; CODE XREF: AdtpBuildUlongString(x,x,x,x,x,x)+69j
		pop	edi

loc_A282DA:				; CODE XREF: AdtpBuildUlongString(x,x,x,x,x,x)+1Dj
		pop	esi
		pop	ebx
		leave
		retn	10h
_AdtpBuildUlongString@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpAppendString(x,	x, x, x)
_AdtpAppendString@16 proc near		; CODE XREF: AdtpAppendZString(x,x,x,x)+2Cp
					; AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+C7p ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ebp+var_C], edx
		mov	[ebp+var_4], ecx
		mov	eax, [esi]
		mov	ebx, [esi+4]
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_1C], eax
		mov	[ebp+arg_0], ebx
		mov	esi, [esi]
		mov	[ebp+var_10], esi
		cmp	esi, 1
		jb	short loc_A28313
		xor	eax, eax
		jmp	loc_A2845D
; 

loc_A28313:				; CODE XREF: AdtpAppendString(x,x,x,x)+2Aj
		mov	di, word ptr [ebp+var_1C]
		xor	edx, edx
		test	di, di
		jz	loc_A28456
		mov	eax, [ebp+var_C]
		mov	[ebp+var_8], 0FFFEh
		mov	al, [esi+eax]

loc_A2832F:				; CODE XREF: AdtpAppendString(x,x,x,x)+16Cj
		test	al, al
		jz	short loc_A28398
		lea	ebx, [ecx+esi*8]
		movzx	eax, word ptr [ebx]
		mov	[ebp+var_14], eax
		cmp	ax, word ptr [ebp+var_8]
		jz	short loc_A28395
		mov	ecx, [ebp+arg_0]
		mov	ax, [ebx+2]
		sub	ax, word ptr [ebp+var_14]
		push	25h
		pop	esi
		cmp	[ecx], si
		mov	esi, [ebp+var_10]
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], edx
		movzx	eax, ax
		jnz	short loc_A28369
		cmp	ax, di
		jb	short loc_A28395

loc_A28369:				; CODE XREF: AdtpAppendString(x,x,x,x)+82j
		cmp	ax, di
		jb	short loc_A28371
		mov	ax, di

loc_A28371:				; CODE XREF: AdtpAppendString(x,x,x,x)+8Cj
		mov	ecx, [ebp+arg_0]
		sub	di, ax
		mov	word ptr [ebp+var_1C], ax
		movzx	eax, ax
		mov	[ebp+var_18], ecx
		add	ecx, eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+arg_0], ecx
		push	eax
		push	ebx
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	ecx, [ebp+var_4]
		xor	edx, edx

loc_A28395:				; CODE XREF: AdtpAppendString(x,x,x,x)+60j
					; AdtpAppendString(x,x,x,x)+87j
		mov	ebx, [ebp+arg_0]

loc_A28398:				; CODE XREF: AdtpAppendString(x,x,x,x)+51j
		test	di, di
		jz	loc_A28456
		movzx	eax, word ptr [ecx+esi*8]
		cmp	ax, word ptr [ebp+var_8]
		jnb	loc_A28456
		push	25h
		pop	esi
		cmp	[ebx], si
		mov	esi, [ebp+var_10]
		jnz	short loc_A283CD
		mov	ecx, eax
		movzx	eax, di
		add	ecx, eax
		cmp	ecx, [ebp+var_8]
		jnb	loc_A28456
		mov	ecx, [ebp+var_4]

loc_A283CD:				; CODE XREF: AdtpAppendString(x,x,x,x)+D8j
		movzx	ebx, word ptr [ecx+esi*8+2]
		add	ebx, 400h
		movzx	eax, di
		cmp	ebx, eax
		ja	short loc_A283E1
		mov	ebx, eax

loc_A283E1:				; CODE XREF: AdtpAppendString(x,x,x,x)+FDj
		mov	eax, [ebp+var_8]
		cmp	ebx, eax
		jb	short loc_A283EA
		mov	ebx, eax

loc_A283EA:				; CODE XREF: AdtpAppendString(x,x,x,x)+106j
		push	6B416553h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_A28451
		mov	ecx, [ebp+var_4]
		mov	edx, [ecx+esi*8+4]
		test	edx, edx
		jz	short loc_A28435
		movzx	ecx, word ptr [ecx+esi*8]
		push	ecx		; size_t
		push	edx		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		cmp	byte ptr [esi+eax], 0
		jz	short loc_A2842F
		mov	eax, [ebp+var_4]
		push	0
		push	dword ptr [eax+esi*8+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2842F:				; CODE XREF: AdtpAppendString(x,x,x,x)+13Fj
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_4]

loc_A28435:				; CODE XREF: AdtpAppendString(x,x,x,x)+127j
		mov	[ecx+esi*8+4], eax
		xor	edx, edx
		mov	eax, [ebp+var_C]
		mov	[ecx+esi*8+2], bx
		mov	ebx, [ebp+arg_0]
		mov	byte ptr [esi+eax], 1
		mov	al, 1
		jmp	loc_A2832F
; 

loc_A28451:				; CODE XREF: AdtpAppendString(x,x,x,x)+11Cj
		mov	edx, 0C0000017h

loc_A28456:				; CODE XREF: AdtpAppendString(x,x,x,x)+3Cj
					; AdtpAppendString(x,x,x,x)+BBj ...
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		mov	eax, edx

loc_A2845D:				; CODE XREF: AdtpAppendString(x,x,x,x)+2Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_AdtpAppendString@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpAppendZString(x, x, x, x)
_AdtpAppendZString@16 proc near		; CODE XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+105p
					; AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+15Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	esi, edx
		mov	edi, ecx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+arg_4]
		lea	eax, [ebp+var_8]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	_AdtpAppendString@16 ; AdtpAppendString(x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn	8
_AdtpAppendZString@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildAccessesString(x, x, x, x,	x, x, x, x, x)
_AdtpBuildAccessesString@36 proc near	; CODE XREF: AdtpPackageParameters+83EB0p
					; AdtpBuildAccessReasonAuditStringInternal(x,x,x,x,x,x,x,x,x,x,x,x)+25Bp ...

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_48], eax
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	[ebp+var_50], edx
		mov	edx, eax
		push	esi
		mov	esi, [ebp+arg_C]
		mov	[ebp+var_38], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_6C], eax
		mov	[ebp+var_68], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_3C], esi
		push	edi
		test	eax, eax
		jnz	short loc_A28523
		test	esi, esi
		jz	short loc_A2850D
		and	[esi+4], edx
		and	[esi+0Ch], edx
		mov	dword ptr [esi], offset	dword_40A908
		mov	dword ptr [esi+8], 4
		jmp	short loc_A2851C
; 

loc_A2850D:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+5Bj
		test	ebx, ebx
		jz	short loc_A2851C
		push	offset ??_C@_13IMODFHAA@?$AA?9@NNGAKEGL@
		push	ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)

loc_A2851C:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+70j
					; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+74j
		xor	eax, eax
		jmp	loc_A28886
; 

loc_A28523:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+57j
		mov	ecx, eax

loc_A28525:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+90j
		lea	eax, [ecx-1]
		inc	edx
		and	ecx, eax
		jnz	short loc_A28525
		mov	eax, [ebp+arg_4]
		sub	eax, ecx
		jz	short loc_A28550
		sub	eax, 1
		jz	short loc_A28547
		sub	eax, 1
		jnz	short loc_A28550
		mov	[ebp+var_30], offset ??_C@_15JGNEDFBN@?$AA?3?$AA?7@NNGAKEGL@
		jmp	short loc_A28557
; 

loc_A28547:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+9Cj
		mov	[ebp+var_30], offset ??_C@_15JNBOKNOG@?$AA?$AN?$AA?6@NNGAKEGL@
		jmp	short loc_A28557
; 

loc_A28550:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+97j
					; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+A1j
		mov	[ebp+var_30], offset ??_C@_1O@MKNEDAKB@?$AA?$AN?$AA?6?$AA?7?$AA?7?$AA?7?$AA?7@NNGAKEGL@	; "\r\n\t\t\t\t"

loc_A28557:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+AAj
					; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+B3j
		imul	edi, edx, 18h
		xor	ebx, ebx
		inc	ebx
		inc	edi
		cmp	[ebp+var_34], 0
		jz	short loc_A28585
		mov	edx, [ebp+var_20]
		test	edx, edx
		jz	short loc_A28585
		mov	eax, [edx]
		lea	ecx, [eax+edi]
		cmp	ecx, 400h
		jnb	short loc_A28585
		mov	esi, [ebp+var_34]
		mov	[edx], ecx
		lea	eax, [esi+eax*2]
		mov	[ebp+var_34], eax
		jmp	short loc_A285AA
; 

loc_A28585:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+C7j
					; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+CEj ...
		push	6B416553h
		lea	eax, [edi+edi]
		push	eax
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_34], eax
		test	eax, eax
		jnz	short loc_A285A5
		mov	eax, 0C0000017h
		jmp	loc_A28886
; 

loc_A285A5:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+FEj
		mov	eax, [ebp+var_48]
		mov	[eax], bl

loc_A285AA:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+E8j
		mov	ecx, [ebp+arg_0]
		xor	eax, eax
		mov	word ptr [ebp+var_2C], ax
		lea	eax, [edi+edi]
		mov	word ptr [ebp+var_2C+2], ax
		mov	eax, [ebp+var_34]
		mov	[ebp+var_28], eax
		push	14h
		pop	edx
		test	ecx, 1F0000h
		jz	short loc_A2861D
		mov	esi, [ebp+var_30]
		mov	eax, offset _AdtpEventIdStringStandard
		mov	[ebp+var_20], eax
		xor	edi, edi

loc_A285D8:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+180j
		test	ds:_AdtpStandardAccessTypes[edi], ecx
		jz	short loc_A28610
		push	offset ??_C@_15IOLAJFNF@?$AA?$CF?$AA?$CF@NNGAKEGL@ ; "%%"
		lea	eax, [ebp+var_2C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	[ebp+var_20]
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	esi		; void *
		lea	eax, [ebp+var_2C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	ecx, [ebp+arg_0]
		push	14h
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_20]
		pop	edx

loc_A28610:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+143j
		add	edi, 4
		add	eax, 8
		mov	[ebp+var_20], eax
		cmp	edi, edx
		jb	short loc_A285D8

loc_A2861D:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+12Ej
		mov	esi, [ebp+var_30]
		mov	eax, offset unk_6B6FC8
		mov	[ebp+var_20], eax
		mov	edi, edx

loc_A2862A:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+1D0j
		test	ds:_AdtpStandardAccessTypes[edi], ecx
		jz	short loc_A2865F
		push	offset ??_C@_15IOLAJFNF@?$AA?$CF?$AA?$CF@NNGAKEGL@ ; "%%"
		lea	eax, [ebp+var_2C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	[ebp+var_20]
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	esi		; void *
		lea	eax, [ebp+var_2C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_20]

loc_A2865F:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+195j
		add	edi, 4
		add	eax, 8
		mov	[ebp+var_20], eax
		cmp	edi, 1Ch
		jb	short loc_A2862A
		mov	esi, [ebp+var_3C]
		test	cx, cx
		jz	loc_A28852
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		push	ebx
		push	offset _AdtpSourceModuleLock
		call	ExAcquireResourceExclusiveLite
		xor	cl, cl
		mov	edi, offset _AdtpSourceModules
		cmp	_AdtpSourceModules, 0
		mov	[ebp+var_19], cl
		jz	loc_A287BF

loc_A286A9:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+24Fj
		test	cl, cl
		jnz	short loc_A286EC
		mov	eax, [edi]
		push	ebx
		push	[ebp+var_4C]
		mov	[ebp+var_20], eax
		add	eax, 4
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A286E1
		mov	esi, [ebp+var_20]
		mov	cl, bl
		mov	[ebp+var_19], cl
		mov	[ebp+var_40], esi
		mov	eax, [esi]
		mov	[edi], eax
		mov	eax, _AdtpSourceModules
		mov	[esi], eax
		mov	_AdtpSourceModules, esi
		jmp	short loc_A286E7
; 

loc_A286E1:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+226j
		mov	edi, [ebp+var_20]
		mov	cl, [ebp+var_19]

loc_A286E7:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+244j
		cmp	dword ptr [edi], 0
		jnz	short loc_A286A9

loc_A286EC:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+210j
		cmp	cl, bl
		jnz	loc_A287BF
		mov	edi, [ebp+var_40]
		lea	eax, [ebp+var_64]
		push	offset ??_C@_15DEMLGGK@?$AAD?$AAS@NNGAKEGL@ ; "D"
		add	edi, 0Ch
		mov	[ebp+var_19], 0
		push	eax
		mov	[ebp+var_48], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [ebp+var_64]
		push	eax
		push	[ebp+var_4C]
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A2874B
		mov	eax, [ebp+var_50]
		push	4Eh
		pop	ecx
		cmp	cx, [eax]
		jnz	short loc_A2874B
		mov	eax, [eax+4]
		push	25h
		pop	ecx
		cmp	cx, [eax]
		jnz	short loc_A2874B
		push	7Bh
		pop	ecx
		cmp	cx, [eax+2]
		jnz	short loc_A2874B
		push	7Dh
		pop	ecx
		mov	[ebp+var_21], bl
		cmp	cx, [eax+4Ch]
		jz	short loc_A2874F

loc_A2874B:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+283j
					; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+28Ej ...
		mov	[ebp+var_21], 0

loc_A2874F:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+2AEj
		push	offset ??_C@_1DC@MPDDGCGD@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAo?$AAr?$AAy?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAi@NNGAKEGL@ ; "Directory Service Object"
		lea	eax, [ebp+var_6C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		cmp	dword ptr [edi], 0
		jz	short loc_A287BF
		mov	esi, [ebp+var_48]

loc_A28765:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+322j
		cmp	[ebp+var_19], 0
		jnz	short loc_A287BF
		cmp	[ebp+var_21], 0
		jz	short loc_A2878C
		mov	edi, [esi]
		lea	eax, [ebp+var_6C]
		push	ebx
		push	eax
		lea	eax, [edi+4]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A2878C
		mov	edx, edi
		mov	[ebp+var_44], edx
		jmp	short loc_A287A4
; 

loc_A2878C:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+2D4j
					; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+2E8j
		mov	edi, [esi]
		push	ebx
		push	[ebp+var_50]
		lea	eax, [edi+4]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A287B8
		mov	edx, edi
		mov	[ebp+var_44], edi

loc_A287A4:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+2EFj
		mov	ecx, [ebp+var_40]
		mov	eax, [edx]
		mov	[esi], eax
		mov	[ebp+var_19], bl
		mov	eax, [ecx+0Ch]
		mov	[edx], eax
		mov	[ecx+0Ch], edx
		jmp	short loc_A287BA
; 

loc_A287B8:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+302j
		mov	esi, edi

loc_A287BA:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+31Bj
		cmp	dword ptr [esi], 0
		jnz	short loc_A28765

loc_A287BF:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+208j
					; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+253j ...
		mov	ecx, offset _AdtpSourceModuleLock
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		cmp	[ebp+var_19], 0
		jz	short loc_A287E3
		mov	esi, [ebp+var_44]
		mov	esi, [esi+0Ch]
		jmp	short loc_A287E8
; 

loc_A287E3:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+33Ej
		mov	esi, 610h

loc_A287E8:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+346j
		lea	eax, [ebp+var_18]
		mov	[ebp+var_54], eax
		push	14h
		pop	eax
		mov	word ptr [ebp+var_58+2], ax
		xor	eax, eax
		mov	word ptr [ebp+var_58], ax
		xor	edi, edi
		mov	eax, [ebp+arg_0]

loc_A28800:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+3B2j
		test	ebx, eax
		jz	short loc_A28847
		lea	eax, [ebp+var_58]
		push	eax
		push	0Ah
		lea	eax, [edi+esi]
		push	eax
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		js	short loc_A28844
		push	offset ??_C@_15IOLAJFNF@?$AA?$CF?$AA?$CF@NNGAKEGL@ ; "%%"
		lea	eax, [ebp+var_2C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	[ebp+var_30]	; void *
		lea	eax, [ebp+var_2C]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	[ebp+var_38], eax

loc_A28844:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+37Dj
		mov	eax, [ebp+arg_0]

loc_A28847:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+367j
		inc	edi
		add	ebx, ebx
		cmp	edi, 10h
		jb	short loc_A28800
		mov	esi, [ebp+var_3C]

loc_A28852:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+1D8j
		mov	ecx, [ebp+var_38]
		test	ecx, ecx
		js	short loc_A28884
		test	esi, esi
		jz	short loc_A28876
		mov	eax, [ebp+var_34]
		and	dword ptr [esi+4], 0
		mov	[esi], eax
		movzx	eax, word ptr [ebp+var_2C]
		add	eax, 2
		and	dword ptr [esi+0Ch], 0
		mov	[esi+8], eax
		jmp	short loc_A28884
; 

loc_A28876:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+3C0j
		mov	edx, [ebp+var_5C]
		mov	eax, [ebp+var_2C]
		mov	[edx], eax
		mov	eax, [ebp+var_28]
		mov	[edx+4], eax

loc_A28884:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+3BCj
					; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+3D9j
		mov	eax, ecx

loc_A28886:				; CODE XREF: AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+83j
					; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)+105j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	1Ch
_AdtpBuildAccessesString@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	AdtpBuildObjectTypeStrings(void	*,size_t,int,int)
_AdtpBuildObjectTypeStrings@24 proc near ; CODE	XREF: AdtpPackageParameters+83F1Ep

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_14], edx
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		push	[ebp+arg_8]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], eax
		mov	byte ptr [ebp+var_1], al
		mov	[ebp+var_8], eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		cmp	[ebp+arg_4], 0
		mov	ebx, [ebp+arg_C]
		mov	byte ptr [ebx],	0
		jnz	short loc_A288D6
		xor	eax, eax
		jmp	loc_A28A18
; 

loc_A288D6:				; CODE XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+36j
		mov	esi, [ebp+arg_0]
		push	offset _CompareObjectTypes ; int __cdecl (*)(const void	*,const	void *)
		push	18h		; size_t
		push	[ebp+arg_4]	; size_t
		push	esi		; void *
		call	_qsort
		mov	ecx, [esi+14h]
		add	esp, 10h
		and	[ebp+var_C], 0
		dec	ecx
		cmp	[ebp+arg_4], 0
		mov	[ebp+var_10], ecx
		jbe	loc_A28A14
		lea	edi, [esi+12h]

loc_A28904:				; CODE XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+177j
		mov	eax, [edi+2]
		cmp	eax, ecx
		jz	short loc_A2897E
		mov	[ebp+var_10], eax
		test	eax, eax
		jnz	short loc_A28927
		push	offset ??_C@_1M@JEHOPNL@?$AA?9?$AA?9?$AA?9?$AA?$AN?$AA?6@NNGAKEGL@
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	bl, bl
		mov	byte ptr [ebp+var_1], bl
		jmp	short loc_A28950
; 

loc_A28927:				; CODE XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+79j
		mov	edx, [ebp+var_14]
		lea	ecx, [ebp+var_1]
		push	ecx
		push	0
		push	0
		push	0
		lea	ecx, [ebp+var_20]
		push	ecx
		mov	ecx, [ebp+var_18]
		push	1
		push	eax
		call	_AdtpBuildAccessesString@36 ; AdtpBuildAccessesString(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A28A16
		mov	bl, byte ptr [ebp+var_1]

loc_A28950:				; CODE XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+8Ej
		mov	edx, [ebp+arg_C]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+arg_8]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_AdtpAppendString@16 ; AdtpAppendString(x,x,x,x)
		mov	esi, eax
		test	bl, bl
		jz	short loc_A28973
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A28973:				; CODE XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+D0j
		test	esi, esi
		js	loc_A28A16
		mov	ebx, [ebp+arg_C]

loc_A2897E:				; CODE XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+72j
		movzx	eax, word ptr [edi]
		cmp	eax, 4
		jb	short loc_A28989
		push	3
		pop	eax

loc_A28989:				; CODE XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+EDj
		movzx	eax, ax
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, [ebp+arg_8]
		mov	edx, ebx
		push	dword ptr ds:(loc_404F6F+1)[eax*4]
		call	_AdtpAppendZString@16 ;	AdtpAppendZString(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A28A16
		lea	eax, [ebp+arg_0+3]
		mov	byte ptr [ebp+arg_0+3],	0
		push	eax
		sub	esp, 0Ch
		lea	ecx, [edi-12h]
		lea	edx, [ebp+var_20]
		call	_AdtpBuildGuidString@24	; AdtpBuildGuidString(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A28A16
		mov	ecx, [ebp+arg_8]
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_20]
		mov	edx, ebx
		push	eax
		call	_AdtpAppendString@16 ; AdtpAppendString(x,x,x,x)
		push	0
		push	[ebp+var_1C]
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	short loc_A28A16
		mov	ecx, [ebp+arg_8]
		lea	eax, [ebp+var_8]
		push	eax
		push	offset ??_C@_15JNBOKNOG@?$AA?$AN?$AA?6@NNGAKEGL@
		mov	edx, ebx
		call	_AdtpAppendZString@16 ;	AdtpAppendZString(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A28A16
		mov	edx, [ebp+var_C]
		add	edi, 18h
		mov	ecx, [ebp+var_10]
		inc	edx
		mov	[ebp+var_C], edx
		cmp	edx, [ebp+arg_4]
		jb	loc_A28904

loc_A28A14:				; CODE XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+64j
		xor	esi, esi

loc_A28A16:				; CODE XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+B0j
					; AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+DEj ...
		mov	eax, esi

loc_A28A18:				; CODE XREF: AdtpBuildObjectTypeStrings(x,x,x,x,x,x)+3Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_AdtpBuildObjectTypeStrings@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildReplacementString(x, x)
_AdtpBuildReplacementString@8 proc near	; CODE XREF: SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+263p
					; SeAdtRegistryValueChangedAuditAlarm(x,x,x,x,x,x,x,x)+361p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	14h
		lea	eax, [ebp+var_18]
		mov	esi, edx
		mov	[ebp+var_1C], eax
		pop	eax
		mov	word ptr [ebp+var_20+2], ax
		xor	eax, eax
		mov	word ptr [ebp+var_20], ax
		lea	eax, [ebp+var_20]
		push	eax
		push	0Ah
		push	ecx
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A28A80
		cmp	word ptr [esi],	0
		jz	short loc_A28A6B
		push	offset ??_C@_15JOGBDECP@?$AA?0?$AA?5@NNGAKEGL@ ; void *
		push	esi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)

loc_A28A6B:				; CODE XREF: AdtpBuildReplacementString(x,x)+3Fj
		push	offset ??_C@_15IOLAJFNF@?$AA?$CF?$AA?$CF@NNGAKEGL@ ; "%%"
		push	esi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)

loc_A28A80:				; CODE XREF: AdtpBuildReplacementString(x,x)+39j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_AdtpBuildReplacementString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AdtpBuildUserAccountControlString(x, x, x, x, x, x,	x, x)
_AdtpBuildUserAccountControlString@32 proc near	; CODE XREF: AdtpPackageParameters+8404Ep

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_30], edx
		mov	[ebp+var_20], ecx
		mov	eax, [ebp+arg_8]
		mov	ebx, [ebp+arg_14]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_C]
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_34], ebx
		xor	ebx, ebx
		mov	[edx], bl
		mov	esi, ebx
		mov	[eax], bl
		mov	eax, [ebp+var_34]
		mov	edi, [ebp+arg_10]
		push	14h
		mov	[eax], bl
		lea	eax, [ebp+var_18]
		mov	[ebp+var_24], eax
		pop	eax
		mov	ecx, [ebp+arg_0]
		mov	word ptr [ebp+var_28+2], ax
		xor	eax, eax
		push	16h
		mov	word ptr [ebp+var_28], ax
		mov	[ecx], ax
		pop	eax
		push	6B416553h
		push	eax
		push	1
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_38], edx
		mov	[ecx+2], ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_2C]
		mov	[ecx+4], eax
		test	eax, eax
		jnz	short loc_A28B17

loc_A28B0D:				; CODE XREF: AdtpBuildUserAccountControlString(x,x,x,x,x,x,x,x)+B2j
					; AdtpBuildUserAccountControlString(x,x,x,x,x,x,x,x)+152j
		mov	ebx, 0C0000017h
		jmp	loc_A28C3E
; 

loc_A28B17:				; CODE XREF: AdtpBuildUserAccountControlString(x,x,x,x,x,x,x,x)+7Bj
		mov	ecx, [ebp+var_38]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		push	16h
		mov	[ecx], al
		mov	ecx, [ebp+var_1C]
		mov	[ecx], dx
		pop	edx
		push	6B416553h
		push	edx
		push	eax
		mov	[ecx+2], dx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_1C]
		mov	[ecx+4], eax
		test	eax, eax
		jz	short loc_A28B0D
		mov	eax, [ebp+var_3C]
		push	offset ??_C@_15OEMMNBIC@?$AA0?$AAx@NNGAKEGL@ ; void *
		push	[ebp+var_2C]	; int
		mov	byte ptr [eax],	1
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_28]
		push	eax
		push	10h
		push	[ebp+var_20]
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_2C]
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		push	offset ??_C@_15OEMMNBIC@?$AA0?$AAx@NNGAKEGL@ ; void *
		push	[ebp+var_1C]	; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_28]
		push	eax
		push	10h
		push	[ebp+var_30]
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_1C]
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	edx, [ebp+var_20]
		xor	edx, [ebp+var_30]
		mov	[ebp+var_20], edx
		jnz	short loc_A28BB3
		push	offset ??_C@_13IMODFHAA@?$AA?9@NNGAKEGL@
		push	edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_A28C3E
; 

loc_A28BB3:				; CODE XREF: AdtpBuildUserAccountControlString(x,x,x,x,x,x,x,x)+111j
		xor	ecx, ecx
		inc	ecx
		mov	eax, ecx

loc_A28BB8:				; CODE XREF: AdtpBuildUserAccountControlString(x,x,x,x,x,x,x,x)+12Fj
		test	eax, edx
		jz	short loc_A28BBD
		inc	esi

loc_A28BBD:				; CODE XREF: AdtpBuildUserAccountControlString(x,x,x,x,x,x,x,x)+12Aj
		add	eax, eax
		jnz	short loc_A28BB8
		shl	esi, 5
		mov	[edi], ax
		push	6B416553h
		lea	eax, [esi+2]
		mov	[edi+2], ax
		movzx	eax, ax
		push	eax
		push	ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[edi+4], eax
		test	eax, eax
		jz	loc_A28B0D
		mov	eax, [ebp+var_34]
		mov	esi, ebx
		xor	ebx, ebx
		inc	ebx
		mov	byte ptr [eax],	1

loc_A28BF3:				; CODE XREF: AdtpBuildUserAccountControlString(x,x,x,x,x,x,x,x)+1AAj
		test	ebx, ebx
		jz	short loc_A28C3C
		test	[ebp+var_20], ebx
		jz	short loc_A28C34
		lea	eax, [ebp+var_28]
		push	eax
		mov	eax, ebx
		and	eax, [ebp+var_30]
		neg	eax
		push	0Ah
		sbb	eax, eax
		and	eax, 20h
		add	eax, 800h
		add	eax, esi
		push	eax
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		test	eax, eax
		js	short loc_A28C34
		push	offset ??_C@_1O@FAFOOFGK@?$AA?$AN?$AA?6?$AA?7?$AA?7?$AA?$CF?$AA?$CF@NNGAKEGL@ ;	void *
		push	edi		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_28]
		push	eax
		push	edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)

loc_A28C34:				; CODE XREF: AdtpBuildUserAccountControlString(x,x,x,x,x,x,x,x)+16Aj
					; AdtpBuildUserAccountControlString(x,x,x,x,x,x,x,x)+18Dj
		inc	esi
		add	ebx, ebx
		cmp	esi, 20h
		jb	short loc_A28BF3

loc_A28C3C:				; CODE XREF: AdtpBuildUserAccountControlString(x,x,x,x,x,x,x,x)+165j
		xor	ebx, ebx

loc_A28C3E:				; CODE XREF: AdtpBuildUserAccountControlString(x,x,x,x,x,x,x,x)+82j
					; AdtpBuildUserAccountControlString(x,x,x,x,x,x,x,x)+11Ej
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_AdtpBuildUserAccountControlString@32 endp


;  S U B	R O U T	I N E 


; __stdcall BcdOpenSystemStore(x)
_BcdOpenSystemStore@4 proc near		; CODE XREF: SepSecureBootCorrectBcd()+24p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	cl, cl
		call	BiAcquireBcdSyncMutant
		mov	edx, eax
		test	edx, edx
		jns	short loc_A28C77
		push	edx
		push	offset ??_C@_1IC@GNJOCBBO@?$AAB?$AAc?$AAd?$AAO?$AAp?$AAe?$AAn?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAt@NNGAKEGL@	; "B"
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		mov	eax, edx
		pop	esi
		retn
; 

loc_A28C77:				; CODE XREF: BcdOpenSystemStore(x)+10j
		xor	edx, edx
		mov	ecx, esi
		call	BiOpenSystemStore
		xor	cl, cl
		mov	esi, eax
		call	_BiReleaseBcdSyncMutant@4 ; BiReleaseBcdSyncMutant(x)
		mov	eax, esi
		pop	esi
		retn
_BcdOpenSystemStore@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcdCreateObject(x, x, x, x)
_BcdCreateObject@16 proc near		; CODE XREF: WheaPersistBadPageToBcd(x)+6Cp
					; PopBcdRegenerateResumeObject(x,x,x)+5Dp ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_BiIsOfflineHandle@4 ; BiIsOfflineHandle(x)
		mov	cl, al
		mov	[ebp+var_1], al
		call	BiAcquireBcdSyncMutant
		test	eax, eax
		js	short loc_A28CE5
		mov	ebx, [ebp+arg_4]
		mov	edx, edi
		push	ebx
		push	0
		push	[ebp+arg_0]
		mov	ecx, esi
		call	_BiCreateObject@20 ; BiCreateObject(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A28CDB
		mov	ecx, [ebx]
		xor	edx, edx
		call	BiIsLinkedToFirmwareVariable
		test	al, al
		jz	short loc_A28CDB
		mov	dl, 1
		mov	ecx, esi
		call	BiSetFirmwareModified

loc_A28CDB:				; CODE XREF: BcdCreateObject(x,x,x,x)+36j
					; BcdCreateObject(x,x,x,x)+43j
		mov	cl, [ebp+var_1]
		call	_BiReleaseBcdSyncMutant@4 ; BiReleaseBcdSyncMutant(x)
		mov	eax, edi

loc_A28CE5:				; CODE XREF: BcdCreateObject(x,x,x,x)+1Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_BcdCreateObject@16 endp


;  S U B	R O U T	I N E 


; __stdcall BcdDeleteObject(x)
_BcdDeleteObject@4 proc	near		; CODE XREF: PopBcdRegenerateResumeObject(x,x,x):loc_9BA31Cp
					; BiBindEfiBootManager(x,x)+55p ...
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		call	_BiIsOfflineHandle@4 ; BiIsOfflineHandle(x)
		mov	bl, al
		mov	cl, al
		call	BiAcquireBcdSyncMutant
		test	eax, eax
		js	short loc_A28D2B
		xor	edx, edx
		mov	ecx, esi
		call	BiIsLinkedToFirmwareVariable
		test	al, al
		jz	short loc_A28D19
		mov	ecx, esi
		call	_BiSetFirmwareModifiedFromObject@8 ; BiSetFirmwareModifiedFromObject(x,x)

loc_A28D19:				; CODE XREF: BcdDeleteObject(x)+24j
		mov	ecx, esi
		call	BiDeleteKey
		mov	cl, bl
		mov	esi, eax
		call	_BiReleaseBcdSyncMutant@4 ; BiReleaseBcdSyncMutant(x)
		mov	eax, esi

loc_A28D2B:				; CODE XREF: BcdDeleteObject(x)+17j
		pop	esi
		pop	ebx
		pop	ecx
		retn
_BcdDeleteObject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcdEnumerateObjects(x, x, x, x, x)
_BcdEnumerateObjects@20	proc near	; CODE XREF: SepSecureBootCorrectBcd()+54p
					; SepSecureBootCorrectBcd()+A0p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	eax, edx
		mov	esi, ecx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_30], edi
		mov	[ebp+var_2C], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_18], edi
		cmp	[ebp+arg_0], edi
		jnz	short loc_A28D6A
		mov	eax, [ebp+arg_4]
		cmp	[eax], edi
		jnz	loc_A28FA8
		mov	eax, edx

loc_A28D6A:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+2Cj
		cmp	[ebp+arg_8], edi
		jz	loc_A28FA8
		cmp	[eax], edi
		jz	loc_A28FA8
		call	_BiIsOfflineHandle@4 ; BiIsOfflineHandle(x)
		mov	bl, al
		mov	cl, al
		mov	[ebp+var_1], bl
		call	BiAcquireBcdSyncMutant
		test	eax, eax
		js	loc_A28FAD
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], edi
		push	eax
		push	20019h
		mov	edx, (offset loc_8C6F2D+1)
		mov	[ebp+var_10], edi
		mov	ecx, esi
		mov	[ebp+var_20], edi
		call	BiOpenKey
		mov	esi, eax
		test	esi, esi
		js	loc_A28EAA
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		push	eax
		lea	edx, [ebp+var_20]
		call	BiEnumerateSubKeys
		mov	esi, eax
		test	esi, esi
		js	loc_A28FA0
		and	[ebp+var_C], edi
		xor	ebx, ebx
		mov	edi, [ebp+var_20]
		cmp	[ebp+var_18], ebx
		jbe	short loc_A28E2E

loc_A28DE2:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+FDj
		mov	edx, [edi+ebx*4]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_14]
		push	eax
		push	20019h
		call	BiOpenKey
		test	eax, eax
		js	short loc_A28E28
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_30]
		call	_BiGetObjectDescription@8 ; BiGetObjectDescription(x,x)
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		call	_BiCloseKey@4	; BiCloseKey(x)
		test	esi, esi
		js	short loc_A28E28
		mov	eax, [ebp+var_1C]
		mov	edx, [ebp+var_2C]
		mov	ecx, [eax+4]
		call	_BiIsEnumerateMatch@8 ;	BiIsEnumerateMatch(x,x)
		test	al, al
		jz	short loc_A28E28
		inc	[ebp+var_C]

loc_A28E28:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+C9j
					; BcdEnumerateObjects(x,x,x,x,x)+E2j ...
		inc	ebx
		cmp	ebx, [ebp+var_18]
		jb	short loc_A28DE2

loc_A28E2E:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+B1j
		mov	ebx, [ebp+var_C]
		mov	eax, ebx
		push	14h
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_10]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A28EA7
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+arg_0]
		add	ecx, 3
		and	ecx, 0FFFFFFFCh
		add	eax, ecx
		mov	[ebp+var_20], ecx
		push	8
		mov	[ebp+var_28], eax
		mov	eax, ebx
		mov	[ebp+var_10], ecx
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_24]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A28EA7
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_20]
		add	edx, 3
		push	eax
		and	edx, 0FFFFFFFCh
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A28EA7
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_10]
		cmp	eax, [ecx]
		jbe	short loc_A28ED5
		mov	[ecx], eax
		mov	esi, 0C0000023h
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx

loc_A28EA7:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+117j
					; BcdEnumerateObjects(x,x,x,x,x)+145j ...
		mov	bl, [ebp+var_1]

loc_A28EAA:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+87j
					; BcdEnumerateObjects(x,x,x,x,x)+274j
		cmp	[ebp+var_14], 0
		jz	short loc_A28EB8
		mov	ecx, [ebp+var_14]
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_A28EB8:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+17Fj
		test	edi, edi
		jz	short loc_A28EC7
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A28EC7:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+18Bj
		mov	cl, bl
		call	_BiReleaseBcdSyncMutant@4 ; BiReleaseBcdSyncMutant(x)
		mov	eax, esi
		jmp	loc_A28FAD
; 

loc_A28ED5:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+16Aj
		xor	eax, eax
		xor	edx, edx
		mov	[ebp+var_20], eax
		mov	[ebp+var_C], edx
		cmp	[ebp+var_18], eax
		jbe	loc_A28F8F

loc_A28EE8:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+257j
		cmp	edx, ebx
		jnb	loc_A28F8C
		mov	edx, [edi+eax*4]
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, [ebp+var_14]
		push	20019h
		call	BiOpenKey
		test	eax, eax
		js	short loc_A28F79
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_30]
		call	_BiGetObjectDescription@8 ; BiGetObjectDescription(x,x)
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		call	_BiCloseKey@4	; BiCloseKey(x)
		test	esi, esi
		js	short loc_A28F79
		mov	eax, [ebp+var_1C]
		mov	edx, [ebp+var_2C]
		mov	ecx, [eax+4]
		call	_BiIsEnumerateMatch@8 ;	BiIsEnumerateMatch(x,x)
		test	al, al
		jz	short loc_A28F79
		mov	eax, [ebp+var_20]
		push	dword ptr [edi+eax*4]
		lea	eax, [ebp+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_38]
		push	esi
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	edx, [ebp+var_C]
		test	eax, eax
		js	short loc_A28F7C
		mov	ecx, [ebp+var_28]
		mov	eax, [ebp+var_30]
		mov	[esi+10h], ecx
		add	esi, 14h
		mov	[ebp+arg_0], esi
		mov	[ecx], eax
		mov	eax, [ebp+var_2C]
		mov	[ecx+4], eax
		add	ecx, 8
		inc	edx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_C], edx
		jmp	short loc_A28F7C
; 

loc_A28F79:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+1D7j
					; BcdEnumerateObjects(x,x,x,x,x)+1F0j ...
		mov	edx, [ebp+var_C]

loc_A28F7C:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+225j
					; BcdEnumerateObjects(x,x,x,x,x)+248j
		mov	eax, [ebp+var_20]
		inc	eax
		mov	[ebp+var_20], eax
		cmp	eax, [ebp+var_18]
		jb	loc_A28EE8

loc_A28F8C:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+1BBj
		mov	ecx, [ebp+arg_4]

loc_A28F8F:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+1B3j
		mov	eax, [ebp+var_10]
		xor	esi, esi
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		mov	[eax], edx
		jmp	loc_A28EA7
; 

loc_A28FA0:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+A0j
		mov	edi, [ebp+var_20]
		jmp	loc_A28EAA
; 

loc_A28FA8:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+33j
					; BcdEnumerateObjects(x,x,x,x,x)+3Ej ...
		mov	eax, 0C000000Dh

loc_A28FAD:				; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+5Fj
					; BcdEnumerateObjects(x,x,x,x,x)+1A1j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_BcdEnumerateObjects@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiCreateObject(x, x, x, x, x)
_BiCreateObject@20 proc	near		; CODE XREF: BcdCreateObject(x,x,x,x)+2Dp
					; BiBindEfiEntryToBcdObject(x,x)+50p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+48h+var_24], ecx
		mov	ecx, [ebp+arg_0] ; int
		lea	edi, [esp+48h+var_14]
		stosd
		mov	esi, edx
		mov	edx, [ebp+arg_8]
		mov	[esp+48h+var_20], ecx
		mov	[esp+48h+var_1C], edx
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[edx], eax
		mov	ebx, eax
		push	dword ptr [ecx+4]
		mov	edi, eax
		mov	[esp+4Ch+var_30], eax
		push	dword ptr [ecx]
		mov	[esp+50h+var_2C], eax
		push	offset ??_C@_1FG@FFBPIKFN@?$AAC?$AAr?$AAe?$AAa?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAo?$AAb?$AAj?$AAe?$AAc?$AAt@NNGAKEGL@ ; "Creating object. Version: %d. Type:	0x%"...
		push	2
		mov	[esp+58h+var_34], ebx
		mov	[esp+58h+var_38], edi
		mov	[esp+58h+var_28], eax
		call	_BiLogMessage
		add	esp, 10h
		mov	edx, esi	; void *
		push	dword ptr [ebp+arg_4] ;	char
		call	_BiIsValidObject@12 ; BiIsValidObject(x,x,x)
		test	al, al
		jnz	short loc_A29033
		mov	esi, 0C00000BBh
		jmp	loc_A29158
; 

loc_A29033:				; CODE XREF: BiCreateObject(x,x,x,x,x)+73j
		test	esi, esi
		jz	short loc_A29050
		lea	edx, [esp+48h+var_18]
		mov	ecx, esi	; void *
		call	BiIsObjectAliased
		test	al, al
		jz	short loc_A29075
		mov	eax, 0C0000033h
		jmp	loc_A2915A
; 

loc_A29050:				; CODE XREF: BiCreateObject(x,x,x,x,x)+81j
		push	offset ??_C@_1DA@COAMFJPD@?$AAG?$AAe?$AAn?$AAe?$AAr?$AAa?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAo?$AAb?$AAj?$AAe@NNGAKEGL@ ; "Generating object GUID."
		push	2
		call	_BiLogMessage
		add	esp, 8
		lea	eax, [esp+48h+var_14]
		push	eax
		call	ExUuidCreate
		test	eax, eax
		js	loc_A2915A
		lea	esi, [esp+48h+var_14]

loc_A29075:				; CODE XREF: BiCreateObject(x,x,x,x,x)+90j
		push	1
		lea	edx, [esp+4Ch+var_30]
		mov	ecx, esi
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2912D
		push	[esp+48h+var_2C]
		push	offset ??_C@_1CA@CKEBPLDC@?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AA?5?$AAG?$AAU?$AAI?$AAD?$AA?3?$AA?5?$AA?$CF?$AAs@NNGAKEGL@ ;	"Object	GUID: %s"
		push	2
		call	_BiLogMessage
		mov	ecx, [esp+54h+var_24]
		lea	eax, [esp+54h+var_34]
		add	esp, 0Ch
		mov	edx, (offset loc_8C6F2D+1)
		push	eax
		push	4
		call	BiOpenKey
		mov	ebx, [esp+48h+var_34]
		mov	esi, eax
		test	esi, esi
		js	short loc_A2912D
		mov	edx, [esp+48h+var_2C]
		lea	eax, [esp+0Fh]
		push	eax
		lea	eax, [esp+4Ch+var_38]
		mov	ecx, ebx
		push	eax
		push	0
		push	0F003Fh
		call	BiCreateKey
		mov	edi, [esp+48h+var_38]
		mov	esi, eax
		test	esi, esi
		js	short loc_A2912D
		mov	edx, [esp+48h+var_20]
		mov	ecx, edi
		call	_BiSetObjectDescription@8 ; BiSetObjectDescription(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2912D
		lea	eax, [esp+0Fh]
		mov	edx, (offset loc_8C7715+1)
		push	eax
		lea	eax, [esp+4Ch+var_28]
		mov	ecx, edi
		push	eax
		push	0
		push	20019h
		call	BiCreateKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A29120
		mov	eax, [esp+48h+var_1C]
		xor	esi, esi
		mov	[eax], edi

loc_A29120:				; CODE XREF: BiCreateObject(x,x,x,x,x)+162j
		mov	ecx, [esp+48h+var_28]
		test	ecx, ecx
		jz	short loc_A2912D
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_A2912D:				; CODE XREF: BiCreateObject(x,x,x,x,x)+D2j
					; BiCreateObject(x,x,x,x,x)+108j ...
		cmp	[esp+48h+var_2C], 0
		jz	short loc_A2913E
		lea	eax, [esp+48h+var_30]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_A2913E:				; CODE XREF: BiCreateObject(x,x,x,x,x)+17Ej
		test	esi, esi
		jns	short loc_A2914D
		test	edi, edi
		jz	short loc_A2914D
		mov	ecx, edi
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_A2914D:				; CODE XREF: BiCreateObject(x,x,x,x,x)+18Cj
					; BiCreateObject(x,x,x,x,x)+190j
		test	ebx, ebx
		jz	short loc_A29158
		mov	ecx, ebx
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_A29158:				; CODE XREF: BiCreateObject(x,x,x,x,x)+7Aj
					; BiCreateObject(x,x,x,x,x)+19Bj
		mov	eax, esi

loc_A2915A:				; CODE XREF: BiCreateObject(x,x,x,x,x)+97j
					; BiCreateObject(x,x,x,x,x)+B7j
		mov	ecx, [esp+48h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_BiCreateObject@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiGetDefaultBootEntryIdentifier(x, x)
_BiGetDefaultBootEntryIdentifier@8 proc	near ; CODE XREF: BcdOpenObject+A231Fp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		and	[esp+24h+var_20], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [esp+30h+var_14]
		mov	[esp+30h+var_18], edx
		stosd
		mov	edx, offset _GUID_WINDOWS_BOOTMGR
		stosd
		stosd
		stosd
		lea	eax, [esp+30h+var_20]
		push	eax
		call	BcdOpenObject
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A291E2
		lea	eax, [esp+30h+var_1C]
		mov	[esp+30h+var_1C], 10h
		push	eax
		lea	eax, [esp+34h+var_14]
		mov	edx, 23000003h
		push	eax
		push	ecx
		mov	ecx, [esp+3Ch+var_20]
		call	BcdGetElementDataWithFlags
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A291E2
		mov	edi, [esp+30h+var_18]
		lea	esi, [esp+30h+var_14]
		movsd
		movsd
		movsd
		movsd

loc_A291E2:				; CODE XREF: BiGetDefaultBootEntryIdentifier(x,x)+3Fj
					; BiGetDefaultBootEntryIdentifier(x,x)+66j
		mov	ecx, [esp+30h+var_20]
		test	ecx, ecx
		jz	short loc_A291EF
		call	_BcdCloseObject@4 ; BcdCloseObject(x)

loc_A291EF:				; CODE XREF: BiGetDefaultBootEntryIdentifier(x,x)+7Aj
		mov	ecx, [esp+30h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_BiGetDefaultBootEntryIdentifier@8 endp


;  S U B	R O U T	I N E 


; __stdcall BiIsEnumerateMatch(x, x)
_BiIsEnumerateMatch@8 proc near		; CODE XREF: BcdEnumerateObjects(x,x,x,x,x)+EDp
					; BcdEnumerateObjects(x,x,x,x,x)+1FBp
		test	ecx, ecx
		jnz	short loc_A2920E
		mov	cl, 1
		jmp	loc_A29292
; 

loc_A2920E:				; CODE XREF: BiIsEnumerateMatch(x,x)+2j
		push	esi
		mov	esi, ecx
		mov	eax, edx
		shr	esi, 1Ch
		shr	eax, 1Ch
		cmp	esi, eax
		jz	short loc_A29221
		xor	cl, cl
		jmp	short loc_A29291
; 

loc_A29221:				; CODE XREF: BiIsEnumerateMatch(x,x)+18j
		push	ebx
		push	edi
		sub	esi, 1
		jz	short loc_A2924F
		sub	esi, 1
		jz	short loc_A2924F
		sub	esi, 1
		jz	short loc_A29242
		xor	ecx, edx
		and	ecx, 0FFFFFFFh
		neg	ecx
		sbb	cl, cl
		inc	cl
		jmp	short loc_A2928F
; 

loc_A29242:				; CODE XREF: BiIsEnumerateMatch(x,x)+2Dj
		mov	eax, 0FFFFFFFh
		and	ecx, eax
		jz	short loc_A2928D
		and	edx, eax
		jmp	short loc_A29285
; 

loc_A2924F:				; CODE XREF: BiIsEnumerateMatch(x,x)+23j
					; BiIsEnumerateMatch(x,x)+28j
		push	0Fh
		mov	edi, ecx
		pop	esi
		shr	edi, 14h
		and	edi, esi
		jz	short loc_A29266
		mov	eax, edx
		shr	eax, 14h
		and	eax, esi
		cmp	edi, eax
		jnz	short loc_A29289

loc_A29266:				; CODE XREF: BiIsEnumerateMatch(x,x)+56j
		mov	edi, 0FFFFFh
		mov	ebx, ecx
		and	ebx, edi
		jz	short loc_A29279
		mov	eax, edx
		and	eax, edi
		cmp	ebx, eax
		jnz	short loc_A29289

loc_A29279:				; CODE XREF: BiIsEnumerateMatch(x,x)+6Cj
		shr	ecx, 18h
		and	ecx, esi
		jz	short loc_A2928D
		shr	edx, 18h
		and	edx, esi

loc_A29285:				; CODE XREF: BiIsEnumerateMatch(x,x)+4Aj
		cmp	ecx, edx
		jz	short loc_A2928D

loc_A29289:				; CODE XREF: BiIsEnumerateMatch(x,x)+61j
					; BiIsEnumerateMatch(x,x)+74j
		xor	cl, cl
		jmp	short loc_A2928F
; 

loc_A2928D:				; CODE XREF: BiIsEnumerateMatch(x,x)+46j
					; BiIsEnumerateMatch(x,x)+7Bj ...
		mov	cl, 1

loc_A2928F:				; CODE XREF: BiIsEnumerateMatch(x,x)+3Dj
					; BiIsEnumerateMatch(x,x)+88j
		pop	edi
		pop	ebx

loc_A29291:				; CODE XREF: BiIsEnumerateMatch(x,x)+1Cj
		pop	esi

loc_A29292:				; CODE XREF: BiIsEnumerateMatch(x,x)+6j
		mov	al, cl
		retn
_BiIsEnumerateMatch@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall BiIsValidObject(int,void *,char)
_BiIsValidObject@12 proc near		; CODE XREF: BiCreateObject(x,x,x,x,x)+6Cp

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	ecx, ecx
		jz	short loc_A292D8
		cmp	dword ptr [ecx], 0
		jz	short loc_A292D8
		mov	eax, [ecx+4]
		mov	ecx, eax
		shr	ecx, 1Ch
		sub	ecx, 0
		jz	short loc_A292D8
		sub	ecx, 1
		jz	short loc_A292DE
		sub	ecx, 1
		jz	short loc_A292BF
		sub	ecx, 1
		jmp	short loc_A29322
; 

loc_A292BF:				; CODE XREF: BiIsValidObject(x,x,x)+23j
		mov	ecx, eax
		and	ecx, 0F00000h
		jz	short loc_A292D8
		cmp	ecx, 200000h
		jnz	short loc_A29322
		test	eax, 0FFFFFh
		jnz	short loc_A29322

loc_A292D8:				; CODE XREF: BiIsValidObject(x,x,x)+7j
					; BiIsValidObject(x,x,x)+Cj ...
		xor	al, al

loc_A292DA:				; CODE XREF: BiIsValidObject(x,x,x)+8Fj
		pop	ebp
		retn	4
; 

loc_A292DE:				; CODE XREF: BiIsValidObject(x,x,x)+1Ej
		mov	ecx, eax
		and	ecx, 0FFFFFh
		jz	short loc_A292D8
		shr	eax, 14h
		and	eax, 0Fh
		jz	short loc_A292D8
		sub	eax, 1
		jnz	short loc_A29322
		sub	ecx, 1
		jz	short loc_A2930A
		sub	ecx, 0FFFFEh
		jnz	short loc_A29322
		test	[ebp+arg_0], 1
		jz	short loc_A292D8
		jmp	short loc_A29322
; 

loc_A2930A:				; CODE XREF: BiIsValidObject(x,x,x)+63j
		test	edx, edx
		jz	short loc_A292D8
		push	10h		; size_t
		push	(offset	loc_428CA1+3) ;	void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A292D8

loc_A29322:				; CODE XREF: BiIsValidObject(x,x,x)+28j
					; BiIsValidObject(x,x,x)+3Aj ...
		mov	al, 1
		jmp	short loc_A292DA
_BiIsValidObject@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiSetObjectDescription(x, x)
_BiSetObjectDescription@8 proc near	; CODE XREF: BiCreateObject(x,x,x,x,x)+136p

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		lea	eax, [ebp-1]
		push	ebx
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	edi, edx
		push	eax
		push	1
		mov	ebx, offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		mov	esi, ecx
		push	20019h
		mov	edx, ebx
		call	BiCreateKey
		test	eax, eax
		js	short loc_A29375
		mov	ecx, [ebp+var_8]
		call	_BiCloseKey@4	; BiCloseKey(x)
		push	4
		lea	eax, [edi+4]
		mov	edx, offset ??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@NNGAKEGL@
		push	eax
		push	4
		push	ebx
		mov	ecx, esi
		call	BiSetRegistryValue

loc_A29375:				; CODE XREF: BiSetObjectDescription(x,x)+30j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_BiSetObjectDescription@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcdGetElementData(x, x, x, x)
_BcdGetElementData@16 proc near		; CODE XREF: WheaPersistBadPageToBcd(x)+95p
					; WheaPersistBadPageToBcd(x)+103p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ecx
		call	BcdGetElementDataWithFlags
		mov	esp, ebp
		pop	ebp
		retn	8
_BcdGetElementData@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcdSetElementData(x, x, x, x)
_BcdSetElementData@16 proc near		; CODE XREF: WheaPersistBadPageToBcd(x)+167p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	ecx
		call	BcdSetElementDataWithFlags
		pop	ebp
		retn	8
_BcdSetElementData@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiConvertQualifiedPartitionToBootEnvironment(x, x, x)
_BiConvertQualifiedPartitionToBootEnvironment@12 proc near
					; CODE XREF: BiConvertElementToRegistryData+A1B0Cp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edi
		cmp	edx, 3Ch
		jnb	short loc_A293C6
		mov	esi, 0C000000Dh
		jmp	loc_A29456
; 

loc_A293C6:				; CODE XREF: BiConvertQualifiedPartitionToBootEnvironment(x,x,x)+11j
		push	4B444342h
		push	48h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A293E1
		mov	esi, 0C000009Ah
		jmp	short loc_A29456
; 

loc_A293E1:				; CODE XREF: BiConvertQualifiedPartitionToBootEnvironment(x,x,x)+2Fj
		push	48h		; size_t
		xor	esi, esi
		push	esi		; int
		push	ebx		; void *
		call	_memset
		mov	dword ptr [ebx], 6
		add	esp, 0Ch
		mov	dword ptr [ebx+8], 48h
		mov	eax, [edi+14h]
		test	eax, eax
		jnz	short loc_A2941E
		mov	dword ptr [ebx+24h], 1
		mov	eax, [edi+1Ch]
		mov	[ebx+28h], eax
		mov	eax, [edi+20h]
		mov	[ebx+10h], eax
		mov	eax, [edi+24h]
		mov	[ebx+14h], eax
		jmp	short loc_A2943F
; 

loc_A2941E:				; CODE XREF: BiConvertQualifiedPartitionToBootEnvironment(x,x,x)+58j
		cmp	eax, 1
		jnz	short loc_A29446
		mov	[ebx+24h], esi
		lea	esi, [edi+1Ch]
		lea	edi, [ebx+28h]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_4]
		lea	edi, [ebx+10h]
		lea	esi, [esi+2Ch]
		movsd
		movsd
		movsd
		movsd
		xor	esi, esi

loc_A2943F:				; CODE XREF: BiConvertQualifiedPartitionToBootEnvironment(x,x,x)+73j
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx
		jmp	short loc_A29456
; 

loc_A29446:				; CODE XREF: BiConvertQualifiedPartitionToBootEnvironment(x,x,x)+78j
		mov	esi, 0C000000Dh
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A29456:				; CODE XREF: BiConvertQualifiedPartitionToBootEnvironment(x,x,x)+18j
					; BiConvertQualifiedPartitionToBootEnvironment(x,x,x)+36j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_BiConvertQualifiedPartitionToBootEnvironment@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiGetElement(x, x, x, x)
_BiGetElement@16 proc near		; CODE XREF: BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)+41p
					; BiCreateBootEntry(x,x)+49p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		xor	esi, esi
		mov	[esp+14h+var_8], edx
		push	edi
		mov	[eax], esi
		lea	eax, [esp+18h+var_C]
		push	eax
		push	esi
		push	ecx
		mov	[esp+24h+var_4], ecx
		mov	[ebx], esi
		mov	[esp+24h+var_C], esi
		call	BcdGetElementDataWithFlags
		mov	edi, eax
		cmp	edi, 0C0000023h
		jnz	short loc_A294DB
		push	4B444342h
		push	[esp+1Ch+var_C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A294B6
		add	edi, 77h
		jmp	short loc_A294EE
; 

loc_A294B6:				; CODE XREF: BiGetElement(x,x,x,x)+50j
		mov	edx, [esp+18h+var_8]
		lea	eax, [esp+18h+var_C]
		push	eax
		push	esi
		push	ecx
		mov	ecx, [esp+24h+var_4]
		call	BcdGetElementDataWithFlags
		mov	edi, eax
		test	edi, edi
		js	short loc_A294DF
		mov	ecx, [ebp+arg_4]
		mov	eax, [esp+18h+var_C]
		mov	[ebx], esi
		mov	[ecx], eax

loc_A294DB:				; CODE XREF: BiGetElement(x,x,x,x)+3Aj
		test	edi, edi
		jns	short loc_A294EE

loc_A294DF:				; CODE XREF: BiGetElement(x,x,x,x)+6Fj
		test	esi, esi
		jz	short loc_A294EE
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A294EE:				; CODE XREF: BiGetElement(x,x,x,x)+55j
					; BiGetElement(x,x,x,x)+7Ej ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_BiGetElement@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiResolveLocateDevice(x, x)
_BiResolveLocateDevice@8 proc near	; CODE XREF: BiConvertRegistryDataToElement+A1A39p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_30]
		push	0Ah
		xor	eax, eax
		mov	[ebp+var_48], esi
		pop	ecx
		rep stosd
		mov	ebx, edx
		lea	edi, [ebp+var_60]
		push	6
		pop	ecx
		rep stosd
		mov	eax, [ebx+18h]
		xor	edx, edx
		add	eax, ebx
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], edx
		mov	edi, edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_44], edx
		cmp	dword ptr [eax], 2
		mov	[ebp+var_40], eax
		jz	short loc_A2954E

loc_A29544:				; CODE XREF: BiResolveLocateDevice(x,x)+6Bj
		mov	esi, 0C00000BBh
		jmp	loc_A2968A
; 

loc_A2954E:				; CODE XREF: BiResolveLocateDevice(x,x)+49j
		mov	eax, [ebx+14h]
		test	eax, eax
		jnz	short loc_A295B3
		mov	edx, [ebx+1Ch]
		mov	eax, edx
		and	eax, 0F000000h
		cmp	eax, 2000000h
		jnz	short loc_A29544
		lea	eax, [ebp+var_3C]
		mov	ecx, esi
		push	eax
		xor	eax, eax
		push	eax
		call	_BcdGetElementData@16 ;	BcdGetElementData(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_A29668
		push	4B444342h
		push	[ebp+var_3C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A2959F
		add	esi, 77h
		jmp	loc_A29668
; 

loc_A2959F:				; CODE XREF: BiResolveLocateDevice(x,x)+9Cj
		mov	edx, [ebx+1Ch]
		lea	eax, [ebp+var_3C]
		mov	ecx, [ebp+var_48]
		push	eax
		push	edi
		call	_BcdGetElementData@16 ;	BcdGetElementData(x,x,x,x)
		mov	ebx, edi
		jmp	short loc_A295BF
; 

loc_A295B3:				; CODE XREF: BiResolveLocateDevice(x,x)+5Aj
		cmp	eax, 1
		jnz	loc_A29663
		add	ebx, 20h

loc_A295BF:				; CODE XREF: BiResolveLocateDevice(x,x)+B8j
		mov	esi, [ebp+var_40]
		add	esi, 14h
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_A295CA:				; CODE XREF: BiResolveLocateDevice(x,x)+DBj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_44]
		jnz	short loc_A295CA
		sub	ecx, edx
		mov	edx, ebx
		sar	ecx, 1
		lea	eax, [edx+2]
		mov	[ebp+var_40], eax

loc_A295E2:				; CODE XREF: BiResolveLocateDevice(x,x)+F3j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_44]
		jnz	short loc_A295E2
		sub	edx, [ebp+var_40]
		sar	edx, 1
		push	4B444342h
		lea	eax, [ecx+edx]
		lea	eax, ds:2[eax*2]
		mov	word ptr [ebp+var_38+2], ax
		movzx	eax, ax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_34], eax
		test	eax, eax
		jnz	short loc_A2961F
		mov	esi, 0C000009Ah
		jmp	short loc_A2967B
; 

loc_A2961F:				; CODE XREF: BiResolveLocateDevice(x,x)+11Dj
		push	esi		; void *
		lea	eax, [ebp+var_38]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	ebx		; void *
		lea	eax, [ebp+var_38]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_38]
		mov	[ebp+var_60], 18h
		mov	[ebp+var_58], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_30]
		mov	[ebp+var_5C], ecx
		push	eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_54], 240h
		push	eax
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], ecx
		call	_ZwQueryAttributesFile@8 ; ZwQueryAttributesFile(x,x)
		mov	esi, eax
		jmp	short loc_A29668
; 

loc_A29663:				; CODE XREF: BiResolveLocateDevice(x,x)+BDj
		mov	esi, 0C00000BBh

loc_A29668:				; CODE XREF: BiResolveLocateDevice(x,x)+83j
					; BiResolveLocateDevice(x,x)+A1j ...
		cmp	[ebp+var_34], 0
		jz	short loc_A2967B
		push	4B444342h
		push	[ebp+var_34]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2967B:				; CODE XREF: BiResolveLocateDevice(x,x)+124j
					; BiResolveLocateDevice(x,x)+173j
		test	edi, edi
		jz	short loc_A2968A
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2968A:				; CODE XREF: BiResolveLocateDevice(x,x)+50j
					; BiResolveLocateDevice(x,x)+184j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_BiResolveLocateDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall BiDoesHiveKeyExist(wchar_t *)
_BiDoesHiveKeyExist@4 proc near		; CODE XREF: BiAddStoreFromFile+A2F5Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		push	5Ch		; wchar_t
		push	edi		; wchar_t *
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_1], bl
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A2970F
		lea	eax, [ebp+var_8]
		mov	edx, offset ??_C@_1CE@NMBJJGCH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@ ; "\\"
		push	eax
		push	20019h
		xor	ecx, ecx
		call	BiOpenKeyNonBcd
		test	eax, eax
		js	short loc_A296F7
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		push	eax
		push	20019h
		mov	edx, edi
		call	BiOpenKeyNonBcd
		mov	ebx, [ebp+var_C]
		test	eax, eax
		js	short loc_A296F7
		mov	[ebp+var_1], 1

loc_A296F7:				; CODE XREF: BiDoesHiveKeyExist(x)+3Cj
					; BiDoesHiveKeyExist(x)+56j
		cmp	[ebp+var_8], 0
		jz	short loc_A29705
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_A29705:				; CODE XREF: BiDoesHiveKeyExist(x)+60j
		test	ebx, ebx
		jz	short loc_A2970F
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_A2970F:				; CODE XREF: BiDoesHiveKeyExist(x)+23j
					; BiDoesHiveKeyExist(x)+6Cj
		mov	al, [ebp+var_1]
		pop	edi
		pop	ebx
		leave
		retn
_BiDoesHiveKeyExist@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiIsPortableWorkspaceBoot()
_BiIsPortableWorkspaceBoot@0 proc near	; CODE XREF: BiBindEfiEntries(x,x):loc_A2A2CCp
					; BiBindEfiEntries(x,x)+BEp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		push	eax
		push	20019h
		mov	edx, (offset loc_8C7F41+1)
		mov	[ebp+var_8], ebx
		xor	ecx, ecx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], ebx
		call	BiOpenKey
		test	eax, eax
		js	short loc_A2974E
		mov	ecx, [ebp+var_4]
		call	_BiCloseKey@4	; BiCloseKey(x)
		jmp	short loc_A29782
; 

loc_A2974E:				; CODE XREF: BiIsPortableWorkspaceBoot()+2Cj
		lea	eax, [ebp+var_C]
		mov	edx, offset ??_C@_1DA@IFMDNCPF@?$AAP?$AAo?$AAr?$AAt?$AAa?$AAb?$AAl?$AAe?$AAO?$AAp?$AAe?$AAr?$AAa?$AAt?$AAi@NNGAKEGL@
		push	eax
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		push	eax
		push	4
		push	(offset	loc_8C7FB5+1)
		call	BiGetRegistryValue
		test	eax, eax
		js	short loc_A29782
		mov	eax, [ebp+var_8]
		push	4B444342h
		push	eax
		mov	esi, [eax]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		setnz	bl

loc_A29782:				; CODE XREF: BiIsPortableWorkspaceBoot()+36j
					; BiIsPortableWorkspaceBoot()+55j
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_BiIsPortableWorkspaceBoot@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiConvertBootEnvironmentDeviceToQualifiedPartition(x, x, x)
_BiConvertBootEnvironmentDeviceToQualifiedPartition@12 proc near
					; CODE XREF: BiConvertRegistryDataToElement+A1A1Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edi
		cmp	dword ptr [edi], 6
		jz	short loc_A297A9
		mov	esi, 0C000000Dh
		jmp	loc_A29842
; 

loc_A297A9:				; CODE XREF: BiConvertBootEnvironmentDeviceToQualifiedPartition(x,x,x)+15j
		push	4B444342h
		push	3Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A297C4
		mov	esi, 0C000009Ah
		jmp	short loc_A29842
; 

loc_A297C4:				; CODE XREF: BiConvertBootEnvironmentDeviceToQualifiedPartition(x,x,x)+33j
		push	3Ch		; size_t
		xor	esi, esi
		push	esi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebx], 6
		cmp	[edi+20h], esi
		jz	short loc_A297E4
		mov	esi, 0C00000BBh
		jmp	short loc_A29837
; 

loc_A297E4:				; CODE XREF: BiConvertBootEnvironmentDeviceToQualifiedPartition(x,x,x)+53j
		mov	eax, [edi+24h]
		xor	ecx, ecx
		inc	ecx
		cmp	eax, ecx
		jnz	short loc_A29802
		mov	eax, [edi+28h]
		mov	[ebx+1Ch], eax
		mov	eax, [edi+10h]
		mov	[ebx+20h], eax
		mov	eax, [edi+14h]
		mov	[ebx+24h], eax
		jmp	short loc_A29822
; 

loc_A29802:				; CODE XREF: BiConvertBootEnvironmentDeviceToQualifiedPartition(x,x,x)+64j
		test	eax, eax
		jnz	short loc_A29832
		lea	esi, [edi+28h]
		mov	[ebx+14h], ecx
		lea	edi, [ebx+1Ch]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_4]
		lea	edi, [ebx+2Ch]
		lea	esi, [esi+10h]
		movsd
		movsd
		movsd
		movsd
		xor	esi, esi

loc_A29822:				; CODE XREF: BiConvertBootEnvironmentDeviceToQualifiedPartition(x,x,x)+78j
		mov	eax, [ebp+var_8]
		mov	[eax], ebx
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 3Ch
		jmp	short loc_A29842
; 

loc_A29832:				; CODE XREF: BiConvertBootEnvironmentDeviceToQualifiedPartition(x,x,x)+7Cj
		mov	esi, 0C000000Dh

loc_A29837:				; CODE XREF: BiConvertBootEnvironmentDeviceToQualifiedPartition(x,x,x)+5Aj
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A29842:				; CODE XREF: BiConvertBootEnvironmentDeviceToQualifiedPartition(x,x,x)+1Cj
					; BiConvertBootEnvironmentDeviceToQualifiedPartition(x,x,x)+3Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_BiConvertBootEnvironmentDeviceToQualifiedPartition@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiConvertBootEnvironmentDeviceToUnknown(x, x, x)
_BiConvertBootEnvironmentDeviceToUnknown@12 proc near
					; CODE XREF: BiConvertBootEnvironmentDeviceToNt+A2EA8p
					; BiConvertRegistryDataToElement+A1A2Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	eax
		push	14h
		pop	ecx
		mov	edx, [ebx+8]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A298BB
		push	esi
		push	edi
		mov	edi, [ebp+var_4]
		push	4B444342h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A2988E
		mov	eax, 0C000009Ah
		jmp	short loc_A298B9
; 

loc_A2988E:				; CODE XREF: BiConvertBootEnvironmentDeviceToUnknown(x,x,x)+3Aj
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	dword ptr [esi], 5
		lea	eax, [esi+14h]
		push	dword ptr [ebx+8] ; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 18h
		mov	[eax], esi
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		xor	eax, eax

loc_A298B9:				; CODE XREF: BiConvertBootEnvironmentDeviceToUnknown(x,x,x)+41j
		pop	edi
		pop	esi

loc_A298BB:				; CODE XREF: BiConvertBootEnvironmentDeviceToUnknown(x,x,x)+22j
		pop	ebx
		leave
		retn	4
_BiConvertBootEnvironmentDeviceToUnknown@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	BiConvertNtFilePathToBootEnvironment(void *,int,int)
_BiConvertNtFilePathToBootEnvironment@20 proc near
					; CODE XREF: BiConvertNtDeviceToBootEnvironment+A1AD1p
					; BiConvertNtDeviceToBootEnvironment+A1B8Dp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		push	eax
		push	[ebp+arg_4]
		mov	[ebp+var_4], ebx
		call	BiConvertNtDeviceToBootEnvironment
		mov	esi, eax
		test	esi, esi
		js	loc_A29964
		mov	ecx, [ebp+arg_0]
		lea	edx, [ecx+2]

loc_A298EA:				; CODE XREF: BiConvertNtFilePathToBootEnvironment(x,x,x,x,x)+33j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A298EA
		mov	eax, [ebp+var_4]
		sub	ecx, edx
		sar	ecx, 1
		push	4B444342h
		mov	ebx, [eax+8]
		lea	edi, ds:2[ecx*2]
		add	ebx, 0Ch
		add	ebx, edi
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A29925
		mov	esi, 0C000009Ah
		jmp	short loc_A29964
; 

loc_A29925:				; CODE XREF: BiConvertNtFilePathToBootEnvironment(x,x,x,x,x)+5Cj
		mov	dword ptr [esi], 1
		mov	dword ptr [esi+8], 5
		mov	[esi+4], ebx
		mov	eax, [ebp+var_4]
		push	dword ptr [eax+8] ; size_t
		push	eax		; void *
		lea	eax, [esi+0Ch]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		push	edi		; size_t
		push	[ebp+arg_0]	; void *
		mov	eax, [eax+8]
		add	eax, 0Ch
		add	eax, esi
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_8]
		add	esp, 18h
		mov	[eax], esi
		xor	esi, esi

loc_A29964:				; CODE XREF: BiConvertNtFilePathToBootEnvironment(x,x,x,x,x)+1Ej
					; BiConvertNtFilePathToBootEnvironment(x,x,x,x,x)+63j
		cmp	[ebp+var_4], 0
		jz	short loc_A29977
		push	4B444342h
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A29977:				; CODE XREF: BiConvertNtFilePathToBootEnvironment(x,x,x,x,x)+A8j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_BiConvertNtFilePathToBootEnvironment@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall BiCreateFileDeviceElement(wchar_t *,int,int)
_BiCreateFileDeviceElement@12 proc near	; CODE XREF: BiCreatePartitionDevice+A1CA8p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		push	16h		; size_t
		mov	edi, ecx
		mov	[ebp+var_10], edx
		push	offset ??_C@_1CO@JFDIPJLA@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@NNGAKEGL@ ; "\\Device\\HarddiskVolume"
		push	edi		; wchar_t *
		xor	esi, esi
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A29B01
		lea	eax, [edi+2Ch]
		push	5Ch		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		mov	[ebp+var_8], eax
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_A29B01
		sub	eax, edi
		sar	eax, 1
		add	eax, eax
		mov	[ebp+var_4], eax
		add	eax, 2
		push	4B444342h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A299EB
		mov	esi, 0C000009Ah
		jmp	loc_A29B06
; 

loc_A299EB:				; CODE XREF: BiCreateFileDeviceElement(x,x,x)+5Fj
		push	[ebp+var_4]	; size_t
		push	edi		; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[eax+ebx], cx
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_A29A06:				; CODE XREF: BiCreateFileDeviceElement(x,x,x)+8Fj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A29A06
		sub	ecx, edx
		mov	edx, [ebp+var_8]
		sar	ecx, 1
		lea	edi, [edx+2]

loc_A29A1B:				; CODE XREF: BiCreateFileDeviceElement(x,x,x)+A4j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, si
		jnz	short loc_A29A1B
		sub	edx, edi
		sar	edx, 1
		push	4B444342h
		lea	eax, ds:2Eh[edx*2]
		mov	[ebp+var_4], eax
		lea	eax, [eax+ecx*2]
		add	eax, 16h
		push	eax
		push	1
		mov	[ebp+var_C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A29A5A
		mov	esi, 0C000009Ah
		jmp	loc_A29AE1
; 

loc_A29A5A:				; CODE XREF: BiCreateFileDeviceElement(x,x,x)+CEj
		push	[ebp+var_C]	; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		mov	eax, [ebp+var_4]
		mov	ecx, edx
		mov	[edi+14h], eax
		mov	dword ptr [edi], 3
		lea	eax, [ecx+2]
		mov	[ebp+var_8], eax

loc_A29A7E:				; CODE XREF: BiCreateFileDeviceElement(x,x,x)+107j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A29A7E
		sub	ecx, [ebp+var_8]
		sar	ecx, 1
		push	edx
		lea	eax, [ecx+1]
		push	eax
		lea	eax, [edi+18h]
		push	eax
		call	_wcscpy_s
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		add	esp, 0Ch
		lea	eax, [ecx+2]
		mov	dword ptr [edx+edi], 2
		mov	[ebp+var_8], eax

loc_A29AB1:				; CODE XREF: BiCreateFileDeviceElement(x,x,x)+13Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A29AB1
		sub	ecx, [ebp+var_8]
		sar	ecx, 1
		push	ebx
		lea	eax, [ecx+1]
		push	eax
		lea	eax, [edx+14h]
		add	eax, edi
		push	eax
		call	_wcscpy_s
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		mov	ecx, [ebp+var_C]
		mov	[eax], edi
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_A29AE1:				; CODE XREF: BiCreateFileDeviceElement(x,x,x)+D5j
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jns	short loc_A29B06
		test	edi, edi
		jz	short loc_A29B06
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A29B06
; 

loc_A29B01:				; CODE XREF: BiCreateFileDeviceElement(x,x,x)+24j
					; BiCreateFileDeviceElement(x,x,x)+3Cj
		mov	esi, 0C000000Dh

loc_A29B06:				; CODE XREF: BiCreateFileDeviceElement(x,x,x)+66j
					; BiCreateFileDeviceElement(x,x,x)+16Ej ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_BiCreateFileDeviceElement@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiGetPhysicalDriveName(x, x)
_BiGetPhysicalDriveName@8 proc near	; CODE XREF: BiGetDriveLayoutBlock+A2B60p
					; BiCreatePartitionDevice+A1C25p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_C], edx
		push	ecx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], esi
		push	eax
		mov	[ebp+var_10], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	20h
		lea	eax, [ebp+var_14]
		mov	[ebp+var_34], 18h
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_1C]
		push	3
		push	eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_30], esi
		push	eax
		push	80100000h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_28], 240h
		push	eax
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A29BED
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_8]
		call	_BiGetVolumeDiskExtentsInformation@8 ; BiGetVolumeDiskExtentsInformation(x,x)
		mov	edi, [ebp+var_8]
		mov	esi, eax
		test	esi, esi
		js	short loc_A29BDE
		cmp	dword ptr [edi], 1
		jz	short loc_A29B98
		mov	esi, 0C00000BBh
		jmp	short loc_A29BDE
; 

loc_A29B98:				; CODE XREF: BiGetPhysicalDriveName(x,x)+80j
		push	4B444342h
		push	3Eh
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A29BB3
		mov	esi, 0C000009Ah
		jmp	short loc_A29BDE
; 

loc_A29BB3:				; CODE XREF: BiGetPhysicalDriveName(x,x)+9Bj
		push	dword ptr [edi+8] ; char
		push	offset ??_C@_1CK@HJDFLMHG@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAP?$AAh?$AAy?$AAs?$AAi?$AAc?$AAa?$AAl?$AAD?$AAr?$AAi@NNGAKEGL@	; wchar_t *
		push	3Eh		; int
		push	ebx		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	short loc_A29BD3
		mov	eax, [ebp+var_C]
		mov	[eax], ebx
		jmp	short loc_A29BDE
; 

loc_A29BD3:				; CODE XREF: BiGetPhysicalDriveName(x,x)+BBj
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A29BDE:				; CODE XREF: BiGetPhysicalDriveName(x,x)+7Bj
					; BiGetPhysicalDriveName(x,x)+87j ...
		test	edi, edi
		jz	short loc_A29BED
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A29BED:				; CODE XREF: BiGetPhysicalDriveName(x,x)+67j
					; BiGetPhysicalDriveName(x,x)+D1j
		cmp	[ebp+var_4], 0
		jz	short loc_A29BFB
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A29BFB:				; CODE XREF: BiGetPhysicalDriveName(x,x)+E2j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_BiGetPhysicalDriveName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiGetVolumeDiskExtentsInformation(x, x)
_BiGetVolumeDiskExtentsInformation@8 proc near ; CODE XREF: BiGetPhysicalDriveName(x,x)+6Fp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_C], edx
		mov	edi, ecx
		mov	[ebp+var_14], eax
		push	20h
		mov	[ebp+var_8], edi
		mov	[ebp+var_10], eax
		pop	ebx
		mov	[ebp+var_4], eax
		jmp	short loc_A29C28
; 

loc_A29C25:				; CODE XREF: BiGetVolumeDiskExtentsInformation(x,x)+7Fj
		mov	edi, [ebp+var_8]

loc_A29C28:				; CODE XREF: BiGetVolumeDiskExtentsInformation(x,x)+21j
		push	4B444342h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A29C85
		push	ebx
		push	esi
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		push	ecx
		push	ecx
		push	560000h
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	edi
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jz	short loc_A29C65
		cmp	edi, 80000005h
		jnz	short loc_A29C8A

loc_A29C65:				; CODE XREF: BiGetVolumeDiskExtentsInformation(x,x)+59j
		imul	ecx, [esi], 18h
		push	4B444342h
		push	esi
		add	ebx, ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		xor	esi, esi
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, 2
		jb	short loc_A29C25
		jmp	short loc_A29C8A
; 

loc_A29C85:				; CODE XREF: BiGetVolumeDiskExtentsInformation(x,x)+37j
		mov	edi, 0C000009Ah

loc_A29C8A:				; CODE XREF: BiGetVolumeDiskExtentsInformation(x,x)+61j
					; BiGetVolumeDiskExtentsInformation(x,x)+81j
		test	edi, edi
		js	short loc_A29C95
		mov	eax, [ebp+var_C]
		mov	[eax], esi
		jmp	short loc_A29CA4
; 

loc_A29C95:				; CODE XREF: BiGetVolumeDiskExtentsInformation(x,x)+8Aj
		test	esi, esi
		jz	short loc_A29CA4
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A29CA4:				; CODE XREF: BiGetVolumeDiskExtentsInformation(x,x)+91j
					; BiGetVolumeDiskExtentsInformation(x,x)+95j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_BiGetVolumeDiskExtentsInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall BiTranslateSymbolicLinkFile(wchar_t *)
_BiTranslateSymbolicLinkFile@8 proc near
					; CODE XREF: BiGetPartitionVhdFilePathFromUnicodeString+A1B49p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_20], ecx
		mov	eax, edx
		mov	[ebp+var_14], eax
		push	esi
		mov	esi, ebx
		mov	[ebp+var_10], esi
		push	edi
		test	ecx, ecx
		jz	loc_A29DE9
		test	eax, eax
		jz	loc_A29DE9
		mov	[eax], ebx
		mov	eax, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_1], bl

loc_A29CE2:				; CODE XREF: BiTranslateSymbolicLinkFile(x,x)+126j
		push	5Ch
		pop	ecx
		push	ecx		; wchar_t
		push	eax		; wchar_t *
		call	_wcsrchr
		mov	edi, eax
		mov	eax, [ebp+var_C]
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A29CFD
		push	5Ch
		pop	ecx
		mov	[eax], cx

loc_A29CFD:				; CODE XREF: BiTranslateSymbolicLinkFile(x,x)+4Aj
		test	edi, edi
		jz	loc_A29DDD
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_10]
		xor	eax, eax
		mov	[edi], ax
		call	BiTranslateSymbolicLink
		mov	esi, [ebp+var_10]
		test	eax, eax
		js	loc_A29DCB
		mov	ecx, esi
		mov	[ebp+var_1], 1
		push	5Ch
		pop	eax
		mov	[edi], ax
		lea	edx, [ecx+2]

loc_A29D2F:				; CODE XREF: BiTranslateSymbolicLinkFile(x,x)+8Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A29D2F
		sub	ecx, edx
		sar	ecx, 1
		lea	edx, [ecx+ecx]
		mov	ecx, edi
		mov	[ebp+var_C], edx
		lea	eax, [ecx+2]
		mov	[ebp+var_18], eax

loc_A29D4C:				; CODE XREF: BiTranslateSymbolicLinkFile(x,x)+AAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A29D4C
		sub	ecx, [ebp+var_18]
		sar	ecx, 1
		push	4B444342h
		lea	eax, ds:2[ecx*2]
		mov	[ebp+var_18], eax
		add	eax, edx
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_1C], eax
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_A29DD6
		mov	ecx, [ebp+var_C]
		push	ecx		; size_t
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		push	[ebp+var_18]	; size_t
		push	edi		; void *
		mov	edi, [ebp+var_1C]
		add	eax, edi
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 0Ch
		cmp	eax, [ebp+var_20]
		jz	short loc_A29DBC
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_14]
		mov	edi, [eax]

loc_A29DBC:				; CODE XREF: BiTranslateSymbolicLinkFile(x,x)+FFj
		mov	eax, edi
		add	edi, [ebp+var_C]
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		mov	[edi], cx
		jmp	short loc_A29DCE
; 

loc_A29DCB:				; CODE XREF: BiTranslateSymbolicLinkFile(x,x)+6Fj
		mov	eax, [ebp+var_8]

loc_A29DCE:				; CODE XREF: BiTranslateSymbolicLinkFile(x,x)+11Ej
		mov	[ebp+var_C], edi
		jmp	loc_A29CE2
; 

loc_A29DD6:				; CODE XREF: BiTranslateSymbolicLinkFile(x,x)+D4j
		mov	ebx, 0C0000017h
		jmp	short loc_A29DEE
; 

loc_A29DDD:				; CODE XREF: BiTranslateSymbolicLinkFile(x,x)+54j
		cmp	[ebp+var_1], bl
		jnz	short loc_A29DEE
		mov	ebx, 0C0000001h
		jmp	short loc_A29DEE
; 

loc_A29DE9:				; CODE XREF: BiTranslateSymbolicLinkFile(x,x)+1Cj
					; BiTranslateSymbolicLinkFile(x,x)+24j
		mov	ebx, 0C000000Dh

loc_A29DEE:				; CODE XREF: BiTranslateSymbolicLinkFile(x,x)+130j
					; BiTranslateSymbolicLinkFile(x,x)+135j ...
		test	esi, esi
		jz	short loc_A29DFD
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A29DFD:				; CODE XREF: BiTranslateSymbolicLinkFile(x,x)+145j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_BiTranslateSymbolicLinkFile@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiAddBootEntry(x, x)
_BiAddBootEntry@8 proc near		; CODE XREF: BiCreateEfiEntry(x,x)+7Ap
					; BiCreateEfiEntry(x,x)+EEp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	16h
		mov	edi, edx
		mov	ebx, ecx
		lea	edx, [ebp+var_8]
		pop	ecx
		call	BiAcquirePrivilege
		mov	esi, eax
		test	esi, esi
		js	short loc_A29E51
		push	edi
		push	ebx
		call	_ZwAddBootEntry@8 ; ZwAddBootEntry(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A29E49
		push	esi
		push	offset ??_C@_1EK@DADMEGIB@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAa?$AAd?$AAd?$AA?5?$AAb@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 0Ch

loc_A29E49:				; CODE XREF: BiAddBootEntry(x,x)+33j
		lea	ecx, [ebp+var_8]
		call	_BiReleasePrivilege@4 ;	BiReleasePrivilege(x)

loc_A29E51:				; CODE XREF: BiAddBootEntry(x,x)+26j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_BiAddBootEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiAddBootEntryToEfiBootManagerDisplayOrder(x, x)
_BiAddBootEntryToEfiBootManagerDisplayOrder@8 proc near
					; CODE XREF: BiExportBcdObjects(x,x)+A8p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], edx
		lea	eax, [ebp+var_8]
		mov	[ebp+var_C], edi
		push	eax
		mov	edx, (offset loc_428CA1+3)
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edi
		call	BcdOpenObject
		mov	esi, eax
		test	esi, esi
		js	loc_A29F66
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_4]
		mov	edx, 24000001h
		push	eax
		call	_BiGetElement@16 ; BiGetElement(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	short loc_A29EAC
		mov	ebx, edi
		jmp	short loc_A29EB7
; 

loc_A29EAC:				; CODE XREF: BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)+4Ej
		test	esi, esi
		js	loc_A29F53
		mov	ebx, [ebp+var_C]

loc_A29EB7:				; CODE XREF: BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)+52j
		mov	eax, [ebp+var_4]
		mov	esi, ebx
		shr	esi, 4
		mov	[ebp+var_C], eax
		test	esi, esi
		jz	short loc_A29EF6
		mov	ecx, [ebp+var_10]
		add	ecx, 8
		mov	[ebp+var_14], ecx

loc_A29ECF:				; CODE XREF: BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)+98j
		push	10h		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A29EF2
		mov	eax, [ebp+var_C]
		add	eax, 10h
		inc	edi
		mov	[ebp+var_C], eax
		cmp	edi, esi
		jnb	short loc_A29EF6
		mov	ecx, [ebp+var_14]
		jmp	short loc_A29ECF
; 

loc_A29EF2:				; CODE XREF: BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)+85j
		xor	esi, esi
		jmp	short loc_A29F53
; 

loc_A29EF6:				; CODE XREF: BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)+6Cj
					; BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)+93j
		push	4B444342h
		lea	eax, [ebx+10h]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jnz	short loc_A29F14
		mov	esi, 0C0000017h
		jmp	short loc_A29F53
; 

loc_A29F14:				; CODE XREF: BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)+B3j
		mov	ecx, [ebp+var_10]
		mov	edi, eax
		push	ebx		; size_t
		push	[ebp+var_4]	; void *
		add	eax, 10h
		lea	esi, [ecx+8]
		movsd
		push	eax		; void *
		movsd
		movsd
		movsd
		call	_memcpy
		mov	edi, [ebp+var_14]
		lea	eax, [ebx+10h]
		add	esp, 0Ch
		mov	edx, 24000001h
		push	eax
		push	edi
		push	ecx
		mov	ecx, [ebp+var_8]
		call	BcdSetElementDataWithFlags
		mov	esi, eax
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A29F53:				; CODE XREF: BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)+56j
					; BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)+9Cj ...
		cmp	[ebp+var_4], 0
		jz	short loc_A29F66
		push	4B444342h
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A29F66:				; CODE XREF: BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)+2Bj
					; BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)+FFj
		cmp	[ebp+var_8], 0
		jz	short loc_A29F74
		mov	ecx, [ebp+var_8]
		call	_BcdCloseObject@4 ; BcdCloseObject(x)

loc_A29F74:				; CODE XREF: BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)+112j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_BiAddBootEntryToEfiBootManagerDisplayOrder@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiAddBootEntryToNvramDisplayOrder(x)
_BiAddBootEntryToNvramDisplayOrder@4 proc near ; CODE XREF: BiBindEfiEntries(x,x)+B1p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	[ebp+var_C], ecx
		lea	edx, [ebp+var_4]
		xor	esi, esi
		lea	ecx, [ebp+var_8]
		push	edi
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		call	_BiQueryBootEntryOrder@8 ; BiQueryBootEntryOrder(x,x)
		mov	ebx, [ebp+var_8]
		mov	edi, eax
		mov	[ebp+var_10], edi
		test	edi, edi
		js	short loc_A2A018
		mov	edi, esi
		cmp	[ebp+var_4], esi
		jbe	short loc_A29FC3
		mov	eax, [ebp+var_C]
		mov	eax, [eax+1Ch]
		mov	eax, [eax+8]

loc_A29FB8:				; CODE XREF: BiAddBootEntryToNvramDisplayOrder(x)+46j
		cmp	[ebx+edi*4], eax
		jz	short loc_A2A015
		inc	edi
		cmp	edi, [ebp+var_4]
		jb	short loc_A29FB8

loc_A29FC3:				; CODE XREF: BiAddBootEntryToNvramDisplayOrder(x)+32j
		mov	eax, edi
		shl	eax, 2
		push	4B444342h
		add	eax, 4
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A29FE5
		mov	edi, 0C0000017h
		jmp	short loc_A2A018
; 

loc_A29FE5:				; CODE XREF: BiAddBootEntryToNvramDisplayOrder(x)+61j
		test	edi, edi
		jz	short loc_A29FFC
		mov	eax, edi
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [esi+4]
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_A29FFC:				; CODE XREF: BiAddBootEntryToNvramDisplayOrder(x)+6Cj
		mov	eax, [ebp+var_C]
		lea	edx, [edi+1]
		mov	ecx, esi
		mov	eax, [eax+1Ch]
		mov	eax, [eax+8]
		mov	[esi], eax
		call	_BiSetBootEntryOrder@8 ; BiSetBootEntryOrder(x,x)
		mov	edi, eax
		jmp	short loc_A2A018
; 

loc_A2A015:				; CODE XREF: BiAddBootEntryToNvramDisplayOrder(x)+40j
		mov	edi, [ebp+var_10]

loc_A2A018:				; CODE XREF: BiAddBootEntryToNvramDisplayOrder(x)+2Bj
					; BiAddBootEntryToNvramDisplayOrder(x)+68j ...
		test	ebx, ebx
		jz	short loc_A2A027
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2A027:				; CODE XREF: BiAddBootEntryToNvramDisplayOrder(x)+9Fj
		test	esi, esi
		jz	short loc_A2A036
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2A036:				; CODE XREF: BiAddBootEntryToNvramDisplayOrder(x)+AEj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_BiAddBootEntryToNvramDisplayOrder@4 endp


;  S U B	R O U T	I N E 


; int __fastcall BiAreBootEntriesEqual(void *,void *)
_BiAreBootEntriesEqual@8 proc near	; CODE XREF: BiUpdateEfiEntry(x,x)+D5p
		mov	eax, [ecx+4]
		cmp	eax, [edx+4]
		jnz	short loc_A2A057
		push	eax		; size_t
		push	edx		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A2A057
		mov	al, 1
		retn
; 

loc_A2A057:				; CODE XREF: BiAreBootEntriesEqual(x,x)+6j
					; BiAreBootEntriesEqual(x,x)+15j
		xor	al, al
		retn
_BiAreBootEntriesEqual@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiBindEfiBootManager(x, x)
_BiBindEfiBootManager@8	proc near	; CODE XREF: BiBindEfiNamespaceObjects(x)+44p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_28], edx
		lea	edi, [ebp+var_14]
		mov	esi, ecx
		stosd
		xor	ecx, ecx
		mov	[ebp+var_34], ecx
		mov	ebx, ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_30], ecx
		stosd
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		stosd
		mov	[ebp+var_18], ecx
		mov	ecx, esi
		stosd
		lea	eax, [ebp+var_18]
		mov	edi, (offset loc_428CA1+3)
		push	eax
		mov	edx, edi
		call	BcdOpenObject
		test	eax, eax
		js	short loc_A2A0B7
		mov	ecx, [ebp+var_18]
		call	_BcdDeleteObject@4 ; BcdDeleteObject(x)
		and	[ebp+var_18], ebx

loc_A2A0B7:				; CODE XREF: BiBindEfiBootManager(x,x)+50j
		lea	eax, [ebp+var_18]
		mov	[ebp+var_3C], 1
		push	eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_38], 10100001h
		push	eax
		mov	edx, edi
		mov	ecx, esi
		call	_BcdCreateObject@16 ; BcdCreateObject(x,x,x,x)
		mov	edi, [ebp+var_18]
		mov	esi, eax
		test	esi, esi
		js	loc_A2A1F8
		lea	edx, [ebp+var_1C]
		lea	ecx, [ebp+var_24]
		call	_BiQueryBootEntryOrder@8 ; BiQueryBootEntryOrder(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2A1D6
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_A2A152
		push	4B444342h
		shl	eax, 4
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A2A11F
		mov	esi, 0C000009Ah
		jmp	loc_A2A1D6
; 

loc_A2A11F:				; CODE XREF: BiBindEfiBootManager(x,x)+B9j
		mov	edx, [ebp+var_24]
		lea	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_28]
		push	eax
		push	ebx
		call	_BiTranslateBootOrder@16 ; BiTranslateBootOrder(x,x,x,x)
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_A2A152
		shl	eax, 4
		mov	edx, 24000001h
		push	eax
		push	ebx
		push	ecx
		mov	ecx, edi
		call	BcdSetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	loc_A2A1D6

loc_A2A152:				; CODE XREF: BiBindEfiBootManager(x,x)+A3j
					; BiBindEfiBootManager(x,x)+DAj
		lea	edx, [ebp+var_34]
		lea	ecx, [ebp+var_20]
		call	_BiQueryBootOptions@8 ;	BiQueryBootOptions(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2A1C4
		mov	eax, [ebp+var_20]
		mov	ecx, [eax+8]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_A2A191
		and	[ebp+var_2C], 0
		lea	eax, [ebp+var_30]
		push	8
		push	eax
		mov	[ebp+var_30], ecx
		mov	edx, 25000004h
		push	ecx
		mov	ecx, edi
		call	BcdSetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	short loc_A2A1C4
		mov	eax, [ebp+var_20]

loc_A2A191:				; CODE XREF: BiBindEfiBootManager(x,x)+112j
		mov	edx, [eax+10h]
		cmp	edx, 0FFFFFFFEh
		jz	short loc_A2A1C2
		mov	ecx, [ebp+var_28]
		lea	eax, [ebp+var_14]
		push	eax
		call	_BiTranslateBootEntryId@12 ; BiTranslateBootEntryId(x,x,x)
		test	eax, eax
		js	short loc_A2A1C2
		push	10h
		lea	eax, [ebp+var_14]
		mov	edx, 24000002h
		push	eax
		push	ecx
		mov	ecx, edi
		call	BcdSetElementDataWithFlags
		mov	esi, eax
		test	esi, esi
		js	short loc_A2A1C4

loc_A2A1C2:				; CODE XREF: BiBindEfiBootManager(x,x)+13Dj
					; BiBindEfiBootManager(x,x)+14Dj
		xor	esi, esi

loc_A2A1C4:				; CODE XREF: BiBindEfiBootManager(x,x)+107j
					; BiBindEfiBootManager(x,x)+132j ...
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_A2A1D6
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2A1D6:				; CODE XREF: BiBindEfiBootManager(x,x)+98j
					; BiBindEfiBootManager(x,x)+C0j ...
		cmp	[ebp+var_24], 0
		jz	short loc_A2A1E9
		push	4B444342h
		push	[ebp+var_24]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2A1E9:				; CODE XREF: BiBindEfiBootManager(x,x)+180j
		test	ebx, ebx
		jz	short loc_A2A1F8
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2A1F8:				; CODE XREF: BiBindEfiBootManager(x,x)+83j
					; BiBindEfiBootManager(x,x)+191j
		test	edi, edi
		jz	short loc_A2A20E
		mov	ecx, edi
		test	esi, esi
		jns	short loc_A2A209
		call	_BcdDeleteObject@4 ; BcdDeleteObject(x)
		jmp	short loc_A2A20E
; 

loc_A2A209:				; CODE XREF: BiBindEfiBootManager(x,x)+1A6j
		call	_BcdCloseObject@4 ; BcdCloseObject(x)

loc_A2A20E:				; CODE XREF: BiBindEfiBootManager(x,x)+1A0j
					; BiBindEfiBootManager(x,x)+1ADj
		test	esi, esi
		jns	short loc_A2A222
		push	esi
		push	offset ??_C@_1DO@EJCDHKOL@?$AAB?$AAi?$AAB?$AAi?$AAn?$AAd?$AAE?$AAf?$AAi?$AAB?$AAo?$AAo?$AAt?$AAM?$AAa@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 0Ch

loc_A2A222:				; CODE XREF: BiBindEfiBootManager(x,x)+1B6j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_BiBindEfiBootManager@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiBindEfiEntries(x,	x)
_BiBindEfiEntries@8 proc near		; CODE XREF: BiBindEfiNamespaceObjects(x)+34p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], eax
		mov	esi, [eax]
		mov	[ebp+var_4], edi
		cmp	esi, eax
		jz	loc_A2A345

loc_A2A254:				; CODE XREF: BiBindEfiEntries(x,x)+F8j
		mov	eax, [esi+20h]
		mov	ecx, eax
		and	ecx, 1
		test	al, 10h
		jz	short loc_A2A29A
		test	ecx, ecx
		jz	loc_A2A326
		push	dword ptr [esi+18h]
		push	(offset	loc_8C81FF+1)
		push	3
		call	_BiLogMessage
		mov	ecx, [esi+18h]
		add	esp, 0Ch
		call	_BiDeleteBootEntry@4 ; BiDeleteBootEntry(x)
		test	eax, eax
		js	loc_A2A326
		and	dword ptr [esi+20h], 0FFFFFFFEh

loc_A2A28E:				; CODE XREF: BiBindEfiEntries(x,x)+D3j
		mov	ecx, esi
		call	_BiRemoveBootEntryFromNvramDisplayOrder@4 ; BiRemoveBootEntryFromNvramDisplayOrder(x)
		jmp	loc_A2A326
; 

loc_A2A29A:				; CODE XREF: BiBindEfiEntries(x,x)+2Bj
		test	ecx, ecx
		jnz	short loc_A2A2EB
		test	al, 4
		jz	loc_A2A326
		test	al, 8
		jz	short loc_A2A2CC
		lea	eax, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		lea	edx, [esi+8]
		call	BcdOpenObject
		mov	edi, eax
		test	edi, edi
		js	short loc_A2A335
		mov	ecx, [ebp+var_4]
		call	_BcdDeleteObject@4 ; BcdDeleteObject(x)
		and	dword ptr [esi+20h], 0FFFFFFF9h
		jmp	short loc_A2A326
; 

loc_A2A2CC:				; CODE XREF: BiBindEfiEntries(x,x)+75j
		call	_BiIsPortableWorkspaceBoot@0 ; BiIsPortableWorkspaceBoot()
		test	al, al
		jnz	short loc_A2A326
		mov	edx, esi
		mov	ecx, ebx
		call	_BiCreateEfiEntry@8 ; BiCreateEfiEntry(x,x)
		test	eax, eax
		js	short loc_A2A326
		mov	ecx, esi
		call	_BiAddBootEntryToNvramDisplayOrder@4 ; BiAddBootEntryToNvramDisplayOrder(x)
		jmp	short loc_A2A326
; 

loc_A2A2EB:				; CODE XREF: BiBindEfiEntries(x,x)+69j
		and	al, 24h
		cmp	al, 20h
		jnz	short loc_A2A308
		call	_BiIsPortableWorkspaceBoot@0 ; BiIsPortableWorkspaceBoot()
		test	al, al
		jnz	short loc_A2A308
		mov	ecx, [esi+18h]
		call	_BiDeleteBootEntry@4 ; BiDeleteBootEntry(x)
		test	eax, eax
		js	short loc_A2A326
		jmp	short loc_A2A28E
; 

loc_A2A308:				; CODE XREF: BiBindEfiEntries(x,x)+BCj
					; BiBindEfiEntries(x,x)+C5j
		mov	edx, esi
		mov	ecx, ebx
		call	_BiBindEfiEntryToBcdObject@8 ; BiBindEfiEntryToBcdObject(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A2A335
		mov	edx, esi
		mov	ecx, ebx
		call	_BiUpdateBcdObject@8 ; BiUpdateBcdObject(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A2A335

loc_A2A326:				; CODE XREF: BiBindEfiEntries(x,x)+2Fj
					; BiBindEfiEntries(x,x)+51j ...
		mov	esi, [esi]
		cmp	esi, [ebp+var_8]
		jnz	loc_A2A254
		test	edi, edi
		jns	short loc_A2A345

loc_A2A335:				; CODE XREF: BiBindEfiEntries(x,x)+89j
					; BiBindEfiEntries(x,x)+E2j ...
		push	edi
		push	offset ??_C@_1DG@JDHODPKM@?$AAB?$AAi?$AAB?$AAi?$AAn?$AAd?$AAE?$AAf?$AAi?$AAE?$AAn?$AAt?$AAr?$AAi?$AAe@NNGAKEGL@	; "B"
		push	4
		call	_BiLogMessage
		add	esp, 0Ch

loc_A2A345:				; CODE XREF: BiBindEfiEntries(x,x)+1Bj
					; BiBindEfiEntries(x,x)+100j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_BiBindEfiEntries@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiBindEfiEntryToBcdObject(x, x)
_BiBindEfiEntryToBcdObject@8 proc near	; CODE XREF: BiBindEfiEntries(x,x)+D9p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	esi, edx
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		test	byte ptr [esi+20h], 4
		stosd
		mov	[ebp+var_18], ebx
		mov	[ebp+var_1C], ebx
		stosd
		stosd
		jnz	loc_A2A406
		xor	edx, edx
		mov	[ebp+var_28], 101FFFFFh
		inc	edx
		lea	eax, [ebp+var_1C]
		push	eax
		push	edx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_2C], edx
		push	eax
		xor	edx, edx
		call	_BiCreateObject@20 ; BiCreateObject(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A2A3F8
		mov	ecx, [ebp+var_1C]
		lea	edx, [ebp+var_18]
		call	BiGetKeyName
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A2A3E5
		push	[ebp+var_18]
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A2A3E5
		or	dword ptr [esi+20h], 4
		lea	edi, [esi+8]
		lea	esi, [ebp+var_14]
		movsd
		movsd
		movsd
		movsd

loc_A2A3E5:				; CODE XREF: BiBindEfiEntryToBcdObject(x,x)+6Aj
					; BiBindEfiEntryToBcdObject(x,x)+89j
		cmp	[ebp+var_18], 0
		jz	short loc_A2A3F8
		push	4B444342h
		push	[ebp+var_18]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2A3F8:				; CODE XREF: BiBindEfiEntryToBcdObject(x,x)+59j
					; BiBindEfiEntryToBcdObject(x,x)+9Dj
		cmp	[ebp+var_1C], 0
		jz	short loc_A2A406
		mov	ecx, [ebp+var_1C]
		call	_BcdCloseObject@4 ; BcdCloseObject(x)

loc_A2A406:				; CODE XREF: BiBindEfiEntryToBcdObject(x,x)+32j
					; BiBindEfiEntryToBcdObject(x,x)+B0j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_BiBindEfiEntryToBcdObject@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiBindEfiNamespaceObjects(x)
_BiBindEfiNamespaceObjects@4 proc near	; CODE XREF: BiOpenSystemStore+A24B1p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		push	offset ??_C@_1DM@JCLOENPL@?$AAB?$AAi?$AAn?$AAd?$AAi?$AAn?$AAg?$AA?5?$AAE?$AAF?$AAI?$AA?5?$AAn?$AAa?$AAm@NNGAKEGL@
		push	2
		mov	edi, ecx
		call	_BiLogMessage
		add	esp, 8
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		push	eax
		call	_BiBuildIdentifierList@12 ; BiBuildIdentifierList(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2A466
		lea	edx, [ebp+var_8]
		mov	ecx, edi
		call	_BiBindEfiEntries@8 ; BiBindEfiEntries(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2A466
		lea	edx, [ebp+var_8]
		mov	ecx, edi
		call	_BiBindEfiBootManager@8	; BiBindEfiBootManager(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2A476

loc_A2A466:				; CODE XREF: BiBindEfiNamespaceObjects(x)+2Dj
					; BiBindEfiNamespaceObjects(x)+3Dj
		push	esi
		push	offset ??_C@_1EI@CKKEMGAG@?$AAB?$AAi?$AAB?$AAi?$AAn?$AAd?$AAE?$AAf?$AAi?$AAN?$AAa?$AAm?$AAe?$AAs?$AAp@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 0Ch

loc_A2A476:				; CODE XREF: BiBindEfiNamespaceObjects(x)+4Dj
		lea	ecx, [ebp+var_8]
		call	_BiFreeIdentifierList@4	; BiFreeIdentifierList(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_BiBindEfiNamespaceObjects@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiBuildIdentifierList(x, x,	x)
_BiBuildIdentifierList@12 proc near	; CODE XREF: BiBindEfiNamespaceObjects(x)+24p
					; BiExportStoreAlterationsToEfi(x)+24p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		push	ebx
		xor	eax, eax
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		lea	edi, [esp+80h+var_14]
		mov	[esp+80h+var_2C], ecx
		stosd
		xor	edx, edx
		mov	[esp+80h+var_3C], edx
		mov	[esp+80h+var_30], edx
		mov	[esp+80h+var_18], edx
		stosd
		mov	[esp+80h+var_28], edx
		mov	[esp+80h+var_44], edx
		mov	[esp+80h+var_70], edx
		stosd
		mov	[esp+80h+var_24], edx
		mov	[esp+80h+var_20], edx
		mov	[esp+80h+var_40], edx
		stosd
		xor	eax, eax
		mov	word ptr [esp+80h+var_48], ax
		mov	edi, edx
		lea	eax, [esp+80h+var_50]
		mov	[esp+80h+var_38], edx
		mov	[esp+80h+var_4C], eax
		mov	edx, (offset loc_8C6F2D+1)
		mov	[esp+80h+var_50], eax
		lea	eax, [esp+80h+var_58]
		mov	[esp+80h+var_54], eax
		mov	[esp+80h+var_58], eax
		lea	eax, [esp+80h+var_64]
		mov	[esp+80h+var_60], eax
		mov	[esp+80h+var_64], eax
		lea	eax, [esp+80h+var_38]
		push	eax
		push	20019h
		mov	[esp+88h+var_5C], edi
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		call	BiOpenKey
		mov	esi, eax
		test	esi, esi
		js	loc_A2A983
		mov	ecx, [esp+80h+var_38]
		lea	eax, [esp+80h+var_70]
		push	eax
		lea	edx, [esp+84h+var_5C]
		call	BiEnumerateSubKeys
		mov	esi, eax
		test	esi, esi
		js	loc_A2A97F
		xor	eax, eax
		mov	[esp+80h+var_6C], eax
		cmp	[esp+80h+var_70], eax
		jbe	loc_A2A6EB
		mov	edi, [esp+80h+var_5C]

loc_A2A55C:				; CODE XREF: BiBuildIdentifierList(x,x,x)+261j
		push	dword ptr [edi+eax*4]
		lea	eax, [esp+84h+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+80h+var_14]
		push	eax
		lea	eax, [esp+84h+var_24]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	loc_A2A6D8
		mov	ecx, [esp+80h+var_2C]
		lea	eax, [esp+80h+var_44]
		push	eax
		lea	edx, [esp+84h+var_14]
		call	BcdOpenObject
		test	eax, eax
		js	loc_A2A6D8
		mov	esi, [esp+80h+var_44]
		lea	edx, [esp+80h+var_1C]
		mov	ecx, esi
		call	_BiGetObjectDescription@8 ; BiGetObjectDescription(x,x)
		test	eax, eax
		js	loc_A2A6D1
		mov	ecx, [esp+80h+var_18]
		mov	eax, ecx
		and	eax, 0F0000000h
		cmp	eax, 10000000h
		jnz	loc_A2A6D1
		mov	eax, ecx
		and	eax, 0F00000h
		cmp	eax, 100000h
		jnz	loc_A2A6D1
		and	ecx, 0FFFFFh
		mov	[esp+80h+var_68], ecx
		cmp	ecx, 1
		jz	loc_A2A6D1
		push	4B444342h
		push	24h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[esp+80h+var_34], edx
		test	edx, edx
		jz	loc_A2A74D
		push	9
		xor	eax, eax
		lea	esi, [esp+84h+var_14]
		pop	ecx
		mov	edi, edx
		rep stosd
		lea	edi, [edx+8]
		movsd
		movsd
		movsd
		movsd
		or	dword ptr [edx+20h], 4
		cmp	[esp+80h+var_68], 0FFFFFh
		jnz	short loc_A2A64B
		or	dword ptr [edx+20h], 8
		lea	ecx, [esp+80h+var_58]
		mov	eax, [esp+80h+var_54]
		cmp	[eax], ecx
		jnz	loc_A2A9EE
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	[eax], edx
		mov	[esp+80h+var_54], edx
		jmp	short loc_A2A666
; 

loc_A2A64B:				; CODE XREF: BiBuildIdentifierList(x,x,x)+1A4j
		mov	eax, [esp+80h+var_4C]
		lea	ecx, [esp+80h+var_50]
		cmp	[eax], ecx
		jnz	loc_A2A9EE
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	[eax], edx
		mov	[esp+80h+var_4C], edx

loc_A2A666:				; CODE XREF: BiBuildIdentifierList(x,x,x)+1C5j
		push	2
		pop	edi
		lea	eax, [esp+80h+var_68]
		mov	[esp+80h+var_68], edi
		push	eax
		lea	eax, [esp+84h+var_48]
		mov	edx, 16000082h
		push	eax
		push	ecx
		mov	ecx, [esp+8Ch+var_44]
		call	BcdGetElementDataWithFlags
		mov	esi, [esp+80h+var_34]
		test	eax, eax
		js	short loc_A2A699
		cmp	byte ptr [esp+80h+var_48], 0
		jz	short loc_A2A699
		or	dword ptr [esi+20h], 10h

loc_A2A699:				; CODE XREF: BiBuildIdentifierList(x,x,x)+208j
					; BiBuildIdentifierList(x,x,x)+20Fj
		mov	ecx, [esp+80h+var_44]
		lea	edx, [esp+80h+var_3C]
		call	_BiGetSavedBootEntry@8 ; BiGetSavedBootEntry(x,x)
		test	eax, eax
		js	short loc_A2A6C2
		mov	ecx, [esp+80h+var_3C]
		push	4B444342h
		push	ecx
		mov	eax, [ecx+8]
		mov	[esi+18h], eax
		or	[esi+20h], edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2A6C2:				; CODE XREF: BiBuildIdentifierList(x,x,x)+224j
		mov	ecx, [esp+80h+var_44]
		call	_BcdCloseObject@4 ; BcdCloseObject(x)
		mov	edi, [esp+80h+var_5C]
		jmp	short loc_A2A6D8
; 

loc_A2A6D1:				; CODE XREF: BiBuildIdentifierList(x,x,x)+127j
					; BiBuildIdentifierList(x,x,x)+13Dj ...
		mov	ecx, esi
		call	_BcdCloseObject@4 ; BcdCloseObject(x)

loc_A2A6D8:				; CODE XREF: BiBuildIdentifierList(x,x,x)+F6j
					; BiBuildIdentifierList(x,x,x)+110j ...
		mov	eax, [esp+80h+var_6C]
		inc	eax
		mov	[esp+80h+var_6C], eax
		cmp	eax, [esp+80h+var_70]
		jb	loc_A2A55C

loc_A2A6EB:				; CODE XREF: BiBuildIdentifierList(x,x,x)+CEj
		lea	edx, [esp+80h+var_30]
		lea	ecx, [esp+80h+var_40]
		call	_BiEnumerateBootEntries@8 ; BiEnumerateBootEntries(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2A96A
		mov	edi, [esp+80h+var_40]
		xor	esi, esi
		mov	[esp+80h+var_70], esi
		mov	[esp+80h+var_3C], edi
		cmp	[esp+80h+var_30], esi
		jbe	loc_A2A841

loc_A2A71A:				; CODE XREF: BiBuildIdentifierList(x,x,x)+3B7j
		lea	ecx, [edi+4]
		lea	edx, [esp+80h+var_14]
		call	_BiGetObjectReferenceFromEfiEntry@8 ; BiGetObjectReferenceFromEfiEntry(x,x)
		test	eax, eax
		js	short loc_A2A75E
		lea	eax, [esp+80h+var_70]
		push	eax		; int
		push	dword ptr [edi+0Ch] ; int
		lea	edx, [esp+88h+var_14] ;	void *
		lea	ecx, [esp+88h+var_50] ;	int
		call	_BiLookupObjectByIdentifierAndBootEntry@16 ; BiLookupObjectByIdentifierAndBootEntry(x,x,x,x)
		mov	esi, [esp+80h+var_70]
		mov	[esp+80h+var_6C], 20h
		jmp	short loc_A2A763
; 

loc_A2A74D:				; CODE XREF: BiBuildIdentifierList(x,x,x)+17Ej
		mov	ecx, esi
		call	_BcdCloseObject@4 ; BcdCloseObject(x)
		mov	esi, 0C000009Ah
		jmp	loc_A2A983
; 

loc_A2A75E:				; CODE XREF: BiBuildIdentifierList(x,x,x)+2A4j
		and	[esp+80h+var_6C], 0

loc_A2A763:				; CODE XREF: BiBuildIdentifierList(x,x,x)+2C7j
		test	eax, eax
		js	short loc_A2A799
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_A2A9EE
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_A2A9EE
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	eax, [ebx+4]
		cmp	[eax], ebx
		jnz	loc_A2A9EE
		mov	[esi], ebx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ebx+4], esi
		jmp	short loc_A2A7E1
; 

loc_A2A799:				; CODE XREF: BiBuildIdentifierList(x,x,x)+2E1j
		push	4B444342h
		push	24h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[esp+80h+var_70], esi
		test	esi, esi
		jz	loc_A2A84A
		push	9
		xor	eax, eax
		mov	edi, esi
		pop	ecx
		rep stosd
		or	dword ptr [esi+20h], 8
		lea	ecx, [esp+80h+var_64]
		mov	eax, [esp+80h+var_60]
		cmp	[eax], ecx
		jnz	loc_A2A9EE
		mov	edi, [esp+80h+var_3C]
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[esp+80h+var_60], esi

loc_A2A7E1:				; CODE XREF: BiBuildIdentifierList(x,x,x)+313j
		push	4B444342h
		push	dword ptr [edi+8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+80h+var_68], eax
		test	eax, eax
		jz	short loc_A2A84A
		push	dword ptr [edi+8] ; size_t
		lea	ecx, [edi+4]
		push	ecx		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [esp+8Ch+var_68]
		add	esp, 0Ch
		mov	[esi+1Ch], eax
		mov	eax, [eax+8]
		mov	[esi+18h], eax
		mov	eax, [esi+20h]
		and	eax, 0FFFFFFDFh
		or	eax, [esp+80h+var_6C]
		or	eax, 1
		mov	[esi+20h], eax
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_A2A841
		add	edi, eax
		mov	eax, edi
		mov	[esp+80h+var_3C], edi
		sub	eax, [esp+80h+var_40]
		cmp	eax, [esp+80h+var_30]
		jb	loc_A2A71A

loc_A2A841:				; CODE XREF: BiBuildIdentifierList(x,x,x)+290j
					; BiBuildIdentifierList(x,x,x)+3A5j
		mov	eax, [esp+80h+var_64]
		jmp	loc_A2A8F9
; 

loc_A2A84A:				; CODE XREF: BiBuildIdentifierList(x,x,x)+32Bj
					; BiBuildIdentifierList(x,x,x)+372j
		mov	esi, 0C000009Ah
		jmp	loc_A2A96A
; 

loc_A2A854:				; CODE XREF: BiBuildIdentifierList(x,x,x)+47Bj
		mov	edi, eax
		mov	[esp+80h+var_2C], eax
		mov	eax, [eax]
		lea	ecx, [esp+80h+var_58]
		mov	[esp+80h+var_6C], eax
		lea	eax, [esp+80h+var_28]
		push	eax
		mov	edx, [edi+18h]
		mov	[esp+84h+var_68], edi
		call	_BiLookupObjectByBootEntry@12 ;	BiLookupObjectByBootEntry(x,x,x)
		test	eax, eax
		js	short loc_A2A8F5
		mov	ecx, [esp+80h+var_28]
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	loc_A2A9EE
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	loc_A2A9EE
		mov	[edx], eax
		lea	esi, [ecx+8]
		mov	[eax+4], edx
		add	edi, 8
		push	4B444342h
		push	ecx
		movsd
		movsd
		movsd
		movsd
		mov	esi, [esp+88h+var_68]
		mov	eax, [ecx+20h]
		xor	eax, [esi+20h]
		and	eax, 2
		xor	[esi+20h], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+80h+var_2C]
		or	dword ptr [esi+20h], 4
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	loc_A2A9EE
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	loc_A2A9EE
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, [ebx+4]
		cmp	[ecx], ebx
		jnz	loc_A2A9EE
		mov	[eax], ebx
		mov	[eax+4], ecx
		mov	[ecx], eax
		mov	[ebx+4], eax

loc_A2A8F5:				; CODE XREF: BiBuildIdentifierList(x,x,x)+3F3j
		mov	eax, [esp+80h+var_6C]

loc_A2A8F9:				; CODE XREF: BiBuildIdentifierList(x,x,x)+3C1j
		lea	ecx, [esp+80h+var_64]
		cmp	eax, ecx
		jnz	loc_A2A854
		mov	eax, [esp+80h+var_50]
		lea	ecx, [esp+80h+var_50]
		cmp	eax, ecx
		jz	short loc_A2A926
		mov	ecx, [ebx+4]
		mov	[ecx], eax
		mov	eax, [esp+80h+var_4C]
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	eax, [esp+80h+var_50]
		mov	[eax+4], ecx

loc_A2A926:				; CODE XREF: BiBuildIdentifierList(x,x,x)+48Bj
		mov	eax, [esp+80h+var_58]
		lea	ecx, [esp+80h+var_58]
		cmp	eax, ecx
		jz	short loc_A2A947
		mov	ecx, [ebx+4]
		mov	[ecx], eax
		mov	eax, [esp+80h+var_54]
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	eax, [esp+80h+var_58]
		mov	[eax+4], ecx

loc_A2A947:				; CODE XREF: BiBuildIdentifierList(x,x,x)+4ACj
		mov	eax, [esp+80h+var_64]
		lea	ecx, [esp+80h+var_64]
		cmp	eax, ecx
		jz	short loc_A2A968
		mov	ecx, [ebx+4]
		mov	[ecx], eax
		mov	eax, [esp+80h+var_60]
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	eax, [esp+80h+var_64]
		mov	[eax+4], ecx

loc_A2A968:				; CODE XREF: BiBuildIdentifierList(x,x,x)+4CDj
		xor	esi, esi

loc_A2A96A:				; CODE XREF: BiBuildIdentifierList(x,x,x)+278j
					; BiBuildIdentifierList(x,x,x)+3CBj
		cmp	[esp+80h+var_40], 0
		jz	short loc_A2A97F
		push	4B444342h
		push	[esp+84h+var_40]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2A97F:				; CODE XREF: BiBuildIdentifierList(x,x,x)+BEj
					; BiBuildIdentifierList(x,x,x)+4EBj
		mov	edi, [esp+80h+var_5C]

loc_A2A983:				; CODE XREF: BiBuildIdentifierList(x,x,x)+A2j
					; BiBuildIdentifierList(x,x,x)+2D5j
		cmp	[esp+80h+var_38], 0
		jz	short loc_A2A993
		mov	ecx, [esp+80h+var_38]
		call	_BiCloseKey@4	; BiCloseKey(x)

loc_A2A993:				; CODE XREF: BiBuildIdentifierList(x,x,x)+504j
		test	edi, edi
		jz	short loc_A2A9A2
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2A9A2:				; CODE XREF: BiBuildIdentifierList(x,x,x)+511j
		test	esi, esi
		jns	short loc_A2A9D8
		lea	ecx, [esp+80h+var_64]
		call	_BiFreeIdentifierList@4	; BiFreeIdentifierList(x)
		lea	ecx, [esp+80h+var_58]
		call	_BiFreeIdentifierList@4	; BiFreeIdentifierList(x)
		lea	ecx, [esp+80h+var_50]
		call	_BiFreeIdentifierList@4	; BiFreeIdentifierList(x)
		mov	ecx, ebx
		call	_BiFreeIdentifierList@4	; BiFreeIdentifierList(x)
		push	esi
		push	(offset	loc_8C8287+1)
		push	4
		call	_BiLogMessage
		add	esp, 0Ch

loc_A2A9D8:				; CODE XREF: BiBuildIdentifierList(x,x,x)+520j
		mov	ecx, [esp+80h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_A2A9EE:				; CODE XREF: BiBuildIdentifierList(x,x,x)+1B4j
					; BiBuildIdentifierList(x,x,x)+1D1j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_BiBuildIdentifierList@12 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiCreateBootEntry(x, x)
_BiCreateBootEntry@8 proc near		; CODE XREF: BiCreateEfiEntry(x,x):loc_A2AE56p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_34], edx
		xor	ecx, ecx
		mov	[ebp+var_20], eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_30], ecx
		mov	ebx, ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_28], ecx
		mov	edx, 12000004h
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_8], edi
		push	ecx
		mov	ecx, eax
		mov	[ebp+var_C], ebx
		call	_BiGetElement@16 ; BiGetElement(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2AA5C
		push	esi
		push	offset ??_C@_1KK@IILAFCHP@?$AAB?$AAi?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAB?$AAo?$AAo?$AAt?$AAE?$AAn?$AAt@NNGAKEGL@	; "BiCreateBootEntry: Could not	retrieve B"...
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		jmp	loc_A2AD18
; 

loc_A2AA5C:				; CODE XREF: BiCreateBootEntry(x,x)+52j
		mov	edi, [ebp+var_20]
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_8]
		mov	edx, 11000001h
		push	eax
		mov	ecx, edi
		call	_BiGetElement@16 ; BiGetElement(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2AA91
		push	esi
		push	offset ??_C@_1KA@IBHAJMFM@?$AAB?$AAi?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAB?$AAo?$AAo?$AAt?$AAE?$AAn?$AAt@NNGAKEGL@	; "BiCreateBootEntry: Could not	retrieve B"...
		push	4
		call	_BiLogMessage
		mov	edi, [ebp+var_8]
		add	esp, 0Ch
		jmp	loc_A2AD18
; 

loc_A2AA91:				; CODE XREF: BiCreateBootEntry(x,x)+84j
		lea	eax, [ebp+var_2C]
		mov	edx, 12000002h
		push	eax
		lea	eax, [ebp+var_C]
		mov	ecx, edi
		push	eax
		call	_BiGetElement@16 ; BiGetElement(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2AAC6
		push	esi
		push	offset ??_C@_1JM@LOPNJMKF@?$AAB?$AAi?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAB?$AAo?$AAo?$AAt?$AAE?$AAn?$AAt@NNGAKEGL@	; "BiCreateBootEntry: Could not	retrieve B"...
		push	4
		call	_BiLogMessage
		mov	edi, [ebp+var_8]
		add	esp, 0Ch
		mov	ebx, [ebp+var_C]
		jmp	loc_A2AD18
; 

loc_A2AAC6:				; CODE XREF: BiCreateBootEntry(x,x)+B6j
		mov	edi, [ebp+var_8]
		mov	ebx, [ebp+var_C]
		cmp	dword ptr [edi], 2
		jz	short loc_A2AADB
		mov	esi, 0C00000BBh
		jmp	loc_A2AD18
; 

loc_A2AADB:				; CODE XREF: BiCreateBootEntry(x,x)+DCj
		mov	ecx, ebx
		xor	esi, esi
		lea	edx, [ecx+2]

loc_A2AAE2:				; CODE XREF: BiCreateBootEntry(x,x)+F8j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A2AAE2
		sub	ecx, edx
		sar	ecx, 1
		lea	edx, ds:2[ecx*2]
		lea	ecx, [edi+14h]
		mov	[ebp+var_2C], edx
		lea	esi, [ecx+2]

loc_A2AB01:				; CODE XREF: BiCreateBootEntry(x,x)+118j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_30]
		jnz	short loc_A2AB01
		sub	ecx, esi
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_C], eax
		push	ecx
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2AD18
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	0Ch
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2AD18
		push	4B444342h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_24], esi
		test	esi, esi
		jnz	short loc_A2AB6B

loc_A2AB61:				; CODE XREF: BiCreateBootEntry(x,x)+265j
		mov	esi, 0C000009Ah
		jmp	loc_A2AD18
; 

loc_A2AB6B:				; CODE XREF: BiCreateBootEntry(x,x)+16Cj
		mov	eax, [ebp+var_4]
		push	[ebp+var_C]	; size_t
		mov	[esi+4], eax
		lea	eax, [edi+14h]
		push	eax		; void *
		lea	eax, [esi+0Ch]
		mov	dword ptr [esi], 1
		push	eax		; void *
		mov	dword ptr [esi+8], 3
		call	_memcpy
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		add	eax, 0Ch
		add	eax, esi
		push	[ebp+var_2C]	; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_18]
		mov	ecx, esi
		push	eax
		push	4
		pop	edx
		call	_BiTranslateFilePath@12	; BiTranslateFilePath(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2AD18
		mov	ecx, [ebp+var_20]
		lea	edx, [ebp+var_1C]
		call	BiGetKeyName
		mov	esi, eax
		test	esi, esi
		js	loc_A2AD18
		mov	ecx, [ebp+var_1C]
		xor	esi, esi
		lea	edx, [ecx+2]

loc_A2ABDB:				; CODE XREF: BiCreateBootEntry(x,x)+1F1j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A2ABDB
		sub	ecx, edx
		lea	edx, [ebp+var_C]
		sar	ecx, 1
		mov	[ebp+var_28], ecx
		push	edx
		lea	eax, ds:2Dh[ecx*2]
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_2C], eax
		add	eax, 10h
		mov	[ebp+var_8], eax
		lea	ecx, [eax+1Fh]
		mov	eax, [ebp+var_18]
		and	ecx, 0FFFFFFFCh
		mov	[ebp+var_20], ecx
		mov	eax, [eax+4]
		mov	[ebp+var_30], eax
		lea	edx, [eax+4]
		add	edx, ecx
		mov	ecx, [ebp+var_10]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2AD18
		mov	ecx, [ebp+var_10]
		mov	eax, [ebp+var_20]
		add	ecx, 3
		add	eax, ecx
		and	eax, 0FFFFFFFCh
		mov	[ebp+var_C], eax
		add	eax, [ebp+var_30]
		push	4B444342h
		push	eax
		push	1
		mov	[ebp+var_30], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_4], esi
		test	esi, esi
		jz	loc_A2AB61
		mov	eax, [ebp+var_30]
		xor	ecx, ecx
		push	[ebp+var_10]	; size_t
		or	dword ptr [esi+8], 0FFFFFFFFh
		inc	ecx
		push	[ebp+var_14]	; void *
		mov	[esi+4], eax
		mov	eax, [ebp+var_C]
		mov	[esi], ecx
		mov	[esi+0Ch], ecx
		mov	ecx, [ebp+var_20]
		mov	[esi+14h], eax
		mov	eax, [ebp+var_8]
		mov	[esi+18h], eax
		lea	eax, [ecx+esi]
		mov	[esi+10h], ecx
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_18]
		add	esp, 0Ch
		push	dword ptr [eax+4] ; size_t
		push	eax		; void *
		mov	eax, [ebp+var_C]
		add	eax, esi
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esi, 1Ch
		add	esp, 0Ch
		mov	[esi+0Ch], eax
		push	[ebp+var_1C]
		mov	eax, [ebp+var_2C]
		mov	[esi+10h], eax
		mov	eax, [ebp+var_28]
		push	offset ??_C@_1BG@IHEHAJI@?$AAB?$AAC?$AAD?$AAO?$AAB?$AAJ?$AAE?$AAC?$AAT?$AA?$DN@NNGAKEGL@ ; "BCDOBJECT="
		add	eax, 0Bh
		mov	dword ptr [esi], 444E4957h
		push	offset ??_C@_19LJDFFCJJ@?$AA?$CF?$AAs?$AA?$CF?$AAs@NNGAKEGL@ ; "%s%s"
		push	eax
		lea	eax, [esi+14h]
		mov	dword ptr [esi+4], 53574Fh
		push	eax
		mov	dword ptr [esi+8], 1
		call	_swprintf_s
		mov	eax, [esi+10h]
		add	esp, 14h
		mov	ecx, [ebp+var_34]
		add	eax, esi
		xor	edx, edx
		mov	esi, edx
		mov	dword ptr [eax], 1
		mov	dword ptr [eax+4], 10h
		mov	dword ptr [eax+8], 4
		mov	dword ptr [eax+0Ch], 4FF7Fh
		mov	eax, [ebp+var_4]
		mov	[ecx], eax

loc_A2AD18:				; CODE XREF: BiCreateBootEntry(x,x)+64j
					; BiCreateBootEntry(x,x)+99j ...
		cmp	[ebp+var_14], 0
		jz	short loc_A2AD2B
		push	4B444342h
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2AD2B:				; CODE XREF: BiCreateBootEntry(x,x)+329j
		test	edi, edi
		jz	short loc_A2AD3A
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2AD3A:				; CODE XREF: BiCreateBootEntry(x,x)+33Aj
		mov	edi, 4B444342h
		test	ebx, ebx
		jz	short loc_A2AD4A
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2AD4A:				; CODE XREF: BiCreateBootEntry(x,x)+34Ej
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_A2AD58
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2AD58:				; CODE XREF: BiCreateBootEntry(x,x)+35Cj
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_A2AD66
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2AD66:				; CODE XREF: BiCreateBootEntry(x,x)+36Aj
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_A2AD74
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2AD74:				; CODE XREF: BiCreateBootEntry(x,x)+378j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_BiCreateBootEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiCreateEfiEntry(x,	x)
_BiCreateEfiEntry@8 proc near		; CODE XREF: BiBindEfiEntries(x,x)+A6p
					; BiExportBcdObjects(x,x)+89p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	ebx, edx
		push	edi
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_10], eax
		xor	edi, edi
		push	ecx
		lea	edx, [ebx+8]
		mov	[ebp+var_4], edi
		mov	ecx, eax
		mov	[ebp+var_8], edi
		mov	[ebp+var_C], edi
		call	BcdOpenObject
		mov	esi, eax
		test	esi, esi
		js	loc_A2AEC5
		test	byte ptr [ebx+20h], 2
		lea	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		jz	loc_A2AE56
		call	_BiGetSavedBootEntry@8 ; BiGetSavedBootEntry(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2AEC2
		test	byte ptr [ebx+20h], 8
		mov	edi, [ebp+var_C]
		jnz	short loc_A2ADF0
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	_BiUpdateObjectReferenceInEfiEntry@8 ; BiUpdateObjectReferenceInEfiEntry(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2AEC5
		or	dword ptr [ebx+20h], 20h

loc_A2ADF0:				; CODE XREF: BiCreateEfiEntry(x,x)+5Bj
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_BiAddBootEntry@8 ; BiAddBootEntry(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2AEC5
		push	[ebp+var_4]
		push	offset ??_C@_1FM@ILDKKABF@?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAd?$AA?5?$AAb?$AAo?$AAo?$AAt?$AA?5?$AAe?$AAn@NNGAKEGL@
		push	2
		call	_BiLogMessage
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	ecx, [ebp+var_8]
		mov	edx, offset ??_C@_1CC@MDJGBMLK@?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr?$AAe?$AAV?$AAa?$AAr?$AAi?$AAa?$AAb?$AAl@NNGAKEGL@ ; "FirmwareVariable"
		mov	[edi+8], eax
		mov	eax, [ebp+var_4]
		or	dword ptr [ebx+20h], 1
		mov	[ebx+1Ch], edi
		mov	[ebx+18h], eax
		mov	eax, [edi+4]
		push	eax
		push	edi
		push	3
		push	offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		call	BiSetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	short loc_A2AEC5
		mov	ecx, [ebp+var_10]
		mov	edx, ebx
		call	_BiUpdateEfiEntry@8 ; BiUpdateEfiEntry(x,x)
		mov	esi, eax
		jmp	short loc_A2AEBC
; 

loc_A2AE56:				; CODE XREF: BiCreateEfiEntry(x,x)+3Fj
		call	_BiCreateBootEntry@8 ; BiCreateBootEntry(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2AEC2
		mov	edi, [ebp+var_C]
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_BiAddBootEntry@8 ; BiAddBootEntry(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2AEC5
		push	[ebp+var_4]
		push	offset ??_C@_1DI@CDFHKDHD@?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAd?$AA?5?$AAn?$AAe?$AAw?$AA?5?$AAb?$AAo?$AAo@NNGAKEGL@ ; "Created new boot entry 0x%x"
		push	2
		call	_BiLogMessage
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	ecx, [ebp+var_8]
		mov	edx, offset ??_C@_1CC@MDJGBMLK@?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr?$AAe?$AAV?$AAa?$AAr?$AAi?$AAa?$AAb?$AAl@NNGAKEGL@ ; "FirmwareVariable"
		mov	[edi+8], eax
		mov	eax, [ebp+var_4]
		or	dword ptr [ebx+20h], 21h
		mov	[ebx+1Ch], edi
		mov	[ebx+18h], eax
		mov	eax, [edi+4]
		push	eax
		push	edi
		push	3
		push	offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		call	BiSetRegistryValue
		mov	esi, eax
		test	esi, esi
		js	short loc_A2AEC5
		or	dword ptr [ebx+20h], 2

loc_A2AEBC:				; CODE XREF: BiCreateEfiEntry(x,x)+D9j
		test	esi, esi
		jns	short loc_A2AED5
		jmp	short loc_A2AEC5
; 

loc_A2AEC2:				; CODE XREF: BiCreateEfiEntry(x,x)+4Ej
					; BiCreateEfiEntry(x,x)+E4j
		mov	edi, [ebp+var_C]

loc_A2AEC5:				; CODE XREF: BiCreateEfiEntry(x,x)+2Fj
					; BiCreateEfiEntry(x,x)+6Bj ...
		push	esi
		push	offset ??_C@_1DG@CHHIIJIE@?$AAB?$AAi?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAE?$AAf?$AAi?$AAE?$AAn?$AAt?$AAr@NNGAKEGL@	; "BiCreateEfiEntry failed %x"
		push	4
		call	_BiLogMessage
		add	esp, 0Ch

loc_A2AED5:				; CODE XREF: BiCreateEfiEntry(x,x)+143j
		cmp	[ebp+var_8], 0
		jz	short loc_A2AEE3
		mov	ecx, [ebp+var_8]
		call	_BcdCloseObject@4 ; BcdCloseObject(x)

loc_A2AEE3:				; CODE XREF: BiCreateEfiEntry(x,x)+15Ej
		test	byte ptr [ebx+20h], 1
		jnz	short loc_A2AEF8
		test	edi, edi
		jz	short loc_A2AEF8
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2AEF8:				; CODE XREF: BiCreateEfiEntry(x,x)+16Cj
					; BiCreateEfiEntry(x,x)+170j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_BiCreateEfiEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	BiCreateMergedBootEntry(size_t,size_t,int)
_BiCreateMergedBootEntry@20 proc near	; CODE XREF: BiUpdateEfiEntry(x,x)+B6p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_18], edx
		xor	ecx, ecx
		mov	eax, ecx
		mov	[ebp+var_24], ecx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	edi, ecx
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_10], edi
		mov	[ebp+var_1], cl
		mov	[ebp+var_2], cl
		mov	[ebp+var_28], ecx
		test	eax, eax
		jz	short loc_A2AF60
		mov	ecx, [eax]
		cmp	ecx, 5
		jnz	short loc_A2AF51
		mov	eax, 0C000000Eh
		jmp	loc_A2B098
; 

loc_A2AF51:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+46j
		cmp	ecx, 2
		jz	short loc_A2AF8D
		mov	eax, 0C000000Dh
		jmp	loc_A2B098
; 

loc_A2AF60:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+3Fj
		mov	edi, [ebx+14h]
		add	edi, ebx
		cmp	[ebp+arg_4], ecx
		jz	loc_A2B0FB
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_10], edi
		push	eax
		lea	ecx, [edi+0Ch]
		lea	edx, [ebp+var_20]
		call	_BiGetDeviceFromEfiPath@12 ; BiGetDeviceFromEfiPath(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2B04D
		mov	eax, [ebp+var_20]

loc_A2AF8D:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+55j
		add	eax, 14h
		cmp	[ebp+arg_4], 0
		mov	[ebp+arg_0], eax
		jz	short loc_A2AF9E
		mov	edx, [ebp+arg_4]
		jmp	short loc_A2AFC6
; 

loc_A2AF9E:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+98j
		mov	edi, [ebx+14h]
		lea	eax, [ebp+var_30]
		add	edi, ebx
		lea	edx, [ebp+var_1C]
		push	eax
		mov	[ebp+var_10], edi
		lea	ecx, [edi+0Ch]
		call	_BiGetFilePathFromEfiPath@12 ; BiGetFilePathFromEfiPath(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2B218
		mov	edx, [ebp+var_1C]
		mov	[ebp+var_2], 1

loc_A2AFC6:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+9Dj
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_8], edx
		lea	esi, [ecx+2]

loc_A2AFCF:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+DAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_24]
		jnz	short loc_A2AFCF
		sub	ecx, esi
		sar	ecx, 1
		lea	esi, ds:2[ecx*2]
		mov	ecx, edx
		mov	[ebp+arg_4], esi
		lea	edx, [ecx+2]

loc_A2AFEE:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+F9j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_24]
		jnz	short loc_A2AFEE
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_30], eax
		push	ecx
		mov	edx, eax
		mov	ecx, esi
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2B04D
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_C]
		push	eax
		push	0Ch
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2B04D
		push	4B444342h
		push	[ebp+var_C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	esi, esi
		jnz	short loc_A2B09F

loc_A2B048:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+295j
		mov	esi, 0C000009Ah

loc_A2B04D:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+85j
					; BiCreateMergedBootEntry(x,x,x,x,x)+11Aj ...
		mov	ebx, [ebp+var_8]

loc_A2B050:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+31Cj
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	short loc_A2B062
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2B062:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+156j
		cmp	[ebp+var_1], 0
		jz	short loc_A2B073
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2B073:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+167j
		cmp	[ebp+var_2], 0
		jz	short loc_A2B084
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2B084:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+178j
		mov	eax, [ebp+var_28]
		test	eax, eax
		jz	short loc_A2B096
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2B096:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+18Aj
		mov	eax, esi

loc_A2B098:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+4Dj
					; BiCreateMergedBootEntry(x,x,x,x,x)+5Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_A2B09F:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+147j
		mov	edi, [ebp+arg_4]
		mov	eax, [ebp+var_C]
		push	edi		; size_t
		push	[ebp+arg_0]	; void *
		mov	[esi+4], eax
		lea	eax, [esi+0Ch]
		push	eax		; void *
		mov	dword ptr [esi], 1
		mov	dword ptr [esi+8], 3
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [edi+0Ch]
		add	eax, esi
		push	[ebp+var_30]	; size_t
		push	[ebp+var_8]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_10]
		mov	ecx, esi
		push	eax
		push	4
		pop	edx
		call	_BiTranslateFilePath@12	; BiTranslateFilePath(x,x,x)
		mov	edi, [ebp+var_10]
		mov	esi, eax
		test	esi, esi
		js	loc_A2B04D
		mov	edx, [ebp+var_18]
		mov	[ebp+var_1], 1

loc_A2B0FB:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+69j
		test	edx, edx
		jnz	short loc_A2B107
		mov	edx, [ebx+10h]
		add	edx, ebx
		mov	[ebp+var_18], edx

loc_A2B107:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+1FEj
		mov	ecx, edx
		xor	esi, esi
		lea	edx, [ecx+2]

loc_A2B10E:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+218j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A2B10E
		sub	ecx, edx
		lea	edx, [ebp+var_14]
		sar	ecx, 1
		push	edx
		lea	eax, ds:2[ecx*2]
		mov	ecx, [ebx+18h]
		mov	edx, eax
		mov	[ebp+arg_0], eax
		mov	[ebp+arg_4], ecx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2B04D
		mov	eax, [edi+4]
		lea	ecx, [ebp+var_14]
		push	ecx
		mov	ecx, [ebp+var_14]
		mov	[ebp+var_30], eax
		lea	edx, [eax+24h]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2B04D
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		add	eax, 1Fh
		and	eax, 0FFFFFFFCh
		add	ecx, 3
		add	ecx, eax
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_30]
		and	ecx, 0FFFFFFFCh
		add	eax, ecx
		mov	[ebp+var_24], ecx
		push	4B444342h
		push	eax
		push	1
		mov	[ebp+arg_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A2B048
		push	[ebp+arg_4]	; size_t
		xor	eax, eax
		push	eax		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	ecx, [ebp+var_2C]
		mov	[esi+4], eax
		mov	dword ptr [esi], 1
		mov	eax, [ebx+8]
		push	[ebp+arg_0]	; size_t
		mov	[esi+8], eax
		mov	eax, [ebx+0Ch]
		push	[ebp+var_18]	; void *
		mov	[esi+0Ch], eax
		mov	eax, [ebp+var_24]
		mov	[esi+14h], eax
		mov	[esi+10h], ecx
		mov	eax, [ebx+18h]
		mov	[esi+18h], eax
		lea	eax, [ecx+esi]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_24]
		add	esp, 0Ch
		add	eax, esi
		push	dword ptr [edi+4] ; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebx+1Ch]
		push	dword ptr [ebx+18h] ; size_t
		push	eax		; void *
		lea	eax, [esi+1Ch]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_8]
		add	esp, 0Ch
		mov	[eax], esi
		xor	eax, eax
		mov	esi, eax
		jmp	loc_A2B04D
; 

loc_A2B218:				; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+BAj
		mov	ebx, [ebp+var_1C]
		jmp	loc_A2B050
_BiCreateMergedBootEntry@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiDeleteBootEntry(x)
_BiDeleteBootEntry@4 proc near		; CODE XREF: BiBindEfiEntries(x,x)+4Ap
					; BiBindEfiEntries(x,x)+CAp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, ecx
		push	edi
		push	offset ??_C@_1DC@NCCLAKLN@?$AAD?$AAe?$AAl?$AAe?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAb?$AAo?$AAo?$AAt?$AA?5?$AAe@NNGAKEGL@
		push	2
		call	_BiLogMessage
		add	esp, 0Ch
		lea	edx, [ebp+var_8]
		push	16h
		pop	ecx
		call	BiAcquirePrivilege
		mov	esi, eax
		test	esi, esi
		js	short loc_A2B279
		push	edi
		call	_ZwDeleteBootEntry@4 ; ZwDeleteBootEntry(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2B271
		push	esi
		push	edi
		push	offset ??_C@_1FK@DFNGLIPH@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAd?$AAe?$AAl?$AAe?$AAt@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 10h

loc_A2B271:				; CODE XREF: BiDeleteBootEntry(x)+3Ej
		lea	ecx, [ebp+var_8]
		call	_BiReleasePrivilege@4 ;	BiReleasePrivilege(x)

loc_A2B279:				; CODE XREF: BiDeleteBootEntry(x)+32j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_BiDeleteBootEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiDeleteEfiVariable(x)
_BiDeleteEfiVariable@4 proc near	; CODE XREF: BiExportEfiBootManager(x,x,x)+1A4p
					; BiExportEfiBootManager(x,x,x)+203p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_14], 8BE4DF61h
		push	16h
		mov	edi, ecx
		mov	[ebp+var_10], 11D293CAh
		lea	edx, [ebp+var_28]
		mov	[ebp+var_C], 0E0000DAAh
		pop	ecx
		mov	[ebp+var_8], 8C2B0398h
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	BiAcquirePrivilege
		mov	esi, eax
		test	esi, esi
		js	short loc_A2B340
		push	edi
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_20], ebx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		lea	eax, [ebp+var_20]
		push	eax
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_ZwQuerySystemEnvironmentValueEx@20 ; ZwQuerySystemEnvironmentValueEx(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_A2B310
		cmp	esi, 0C0000100h
		jnz	short loc_A2B307
		mov	esi, ebx
		jmp	short loc_A2B338
; 

loc_A2B307:				; CODE XREF: BiDeleteEfiVariable(x)+82j
		push	esi
		push	edi
		push	(offset	loc_8C8B41+1)
		jmp	short loc_A2B32E
; 

loc_A2B310:				; CODE XREF: BiDeleteEfiVariable(x)+7Aj
		push	1
		push	ebx
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_ZwSetSystemEnvironmentValueEx@20 ; ZwSetSystemEnvironmentValueEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2B338
		push	esi
		push	edi
		push	offset ??_C@_1FI@CPKADNBM@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAd?$AAe?$AAl?$AAe?$AAt@NNGAKEGL@

loc_A2B32E:				; CODE XREF: BiDeleteEfiVariable(x)+8Fj
		push	4
		call	_BiLogMessage
		add	esp, 10h

loc_A2B338:				; CODE XREF: BiDeleteEfiVariable(x)+86j
					; BiDeleteEfiVariable(x)+A6j
		lea	ecx, [ebp+var_28]
		call	_BiReleasePrivilege@4 ;	BiReleasePrivilege(x)

loc_A2B340:				; CODE XREF: BiDeleteEfiVariable(x)+50j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_BiDeleteEfiVariable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiEnumerateBootEntries(x, x)
_BiEnumerateBootEntries@8 proc near	; CODE XREF: BiBuildIdentifierList(x,x,x)+26Fp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		push	edi
		push	16h
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		lea	edx, [ebp+var_10]
		pop	ecx
		call	BiAcquirePrivilege
		mov	edi, eax
		test	edi, edi
		js	loc_A2B416
		mov	eax, 2000h
		push	4B444342h
		push	eax
		push	1
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	ecx, esi
		neg	ecx
		sbb	ecx, ecx
		and	[ebp+var_4], ecx
		jmp	short loc_A2B3C4
; 

loc_A2B3A0:				; CODE XREF: BiEnumerateBootEntries(x,x)+85j
		test	esi, esi
		jz	short loc_A2B3AF
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2B3AF:				; CODE XREF: BiEnumerateBootEntries(x,x)+51j
		push	4B444342h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A2B3FD

loc_A2B3C4:				; CODE XREF: BiEnumerateBootEntries(x,x)+4Dj
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		call	_ZwEnumerateBootEntries@8 ; ZwEnumerateBootEntries(x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jz	short loc_A2B3A0
		test	edi, edi
		jns	short loc_A2B404
		push	edi
		push	(offset	loc_8C861F+1)
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		test	esi, esi
		jz	short loc_A2B40E
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A2B40E
; 

loc_A2B3FD:				; CODE XREF: BiEnumerateBootEntries(x,x)+71j
		mov	edi, 0C000009Ah
		jmp	short loc_A2B40E
; 

loc_A2B404:				; CODE XREF: BiEnumerateBootEntries(x,x)+89j
		mov	eax, [ebp+var_8]
		mov	[eax], esi
		mov	eax, [ebp+var_4]
		mov	[ebx], eax

loc_A2B40E:				; CODE XREF: BiEnumerateBootEntries(x,x)+9Dj
					; BiEnumerateBootEntries(x,x)+AAj ...
		lea	ecx, [ebp+var_10]
		call	_BiReleasePrivilege@4 ;	BiReleasePrivilege(x)

loc_A2B416:				; CODE XREF: BiEnumerateBootEntries(x,x)+27j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_BiEnumerateBootEntries@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiExportBcdObjects(x, x)
_BiExportBcdObjects@8 proc near		; CODE XREF: BiExportStoreAlterationsToEfi(x)+34p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_C], eax
		mov	esi, [eax]
		mov	[ebp+var_8], ebx
		cmp	esi, eax
		jz	loc_A2B515

loc_A2B43E:				; CODE XREF: BiExportBcdObjects(x,x)+DEj
		mov	ecx, [esi+20h]
		mov	eax, ecx
		and	eax, 5
		jz	loc_A2B4F6
		test	cl, 10h
		jz	short loc_A2B473
		test	cl, 1
		jz	loc_A2B4F6
		mov	ecx, [esi+18h]
		call	_BiDeleteBootEntry@4 ; BiDeleteBootEntry(x)
		test	eax, eax
		js	loc_A2B4F4
		and	dword ptr [esi+20h], 0FFFFFFFEh
		jmp	loc_A2B4F6
; 

loc_A2B473:				; CODE XREF: BiExportBcdObjects(x,x)+32j
		cmp	eax, 1
		jnz	short loc_A2B486
		mov	ecx, [esi+18h]
		call	_BiDeleteBootEntry@4 ; BiDeleteBootEntry(x)
		test	eax, eax
		jns	short loc_A2B4F6
		jmp	short loc_A2B4F4
; 

loc_A2B486:				; CODE XREF: BiExportBcdObjects(x,x)+59j
		cmp	eax, 4
		jnz	short loc_A2B4DC
		xor	ebx, ebx
		call	_BiIsPortableWorkspaceBoot@0 ; BiIsPortableWorkspaceBoot()
		mov	ecx, [esi+20h]
		mov	[ebp+var_1], al
		test	cl, 8
		jnz	short loc_A2B4A1
		test	al, al
		jnz	short loc_A2B4B3

loc_A2B4A1:				; CODE XREF: BiExportBcdObjects(x,x)+7Ej
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_BiCreateEfiEntry@8 ; BiCreateEfiEntry(x,x)
		mov	ecx, [esi+20h]
		mov	ebx, eax
		mov	al, [ebp+var_1]

loc_A2B4B3:				; CODE XREF: BiExportBcdObjects(x,x)+82j
		test	cl, 8
		jnz	short loc_A2B4CE
		test	al, al
		jnz	short loc_A2B4CE
		test	ebx, ebx
		js	short loc_A2B4CC
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		call	_BiAddBootEntryToEfiBootManagerDisplayOrder@8 ;	BiAddBootEntryToEfiBootManagerDisplayOrder(x,x)
		jmp	short loc_A2B4CE
; 

loc_A2B4CC:				; CODE XREF: BiExportBcdObjects(x,x)+A1j
		xor	ebx, ebx

loc_A2B4CE:				; CODE XREF: BiExportBcdObjects(x,x)+99j
					; BiExportBcdObjects(x,x)+9Dj ...
		test	ebx, ebx
		mov	ebx, [ebp+var_8]
		jns	short loc_A2B4F6
		mov	edi, 80390001h
		jmp	short loc_A2B4F6
; 

loc_A2B4DC:				; CODE XREF: BiExportBcdObjects(x,x)+6Cj
		mov	edx, esi
		mov	ecx, ebx
		call	_BiUpdateEfiEntry@8 ; BiUpdateEfiEntry(x,x)
		test	eax, eax
		jns	short loc_A2B4F6
		test	byte ptr [esi+20h], 8
		mov	edi, 80390003h
		jnz	short loc_A2B4F6

loc_A2B4F4:				; CODE XREF: BiExportBcdObjects(x,x)+47j
					; BiExportBcdObjects(x,x)+67j
		mov	edi, eax

loc_A2B4F6:				; CODE XREF: BiExportBcdObjects(x,x)+29j
					; BiExportBcdObjects(x,x)+37j ...
		mov	esi, [esi]
		cmp	esi, [ebp+var_C]
		jnz	loc_A2B43E
		test	edi, edi
		jns	short loc_A2B515
		push	edi
		push	offset ??_C@_1DK@EFCNLFKL@?$AAB?$AAi?$AAE?$AAx?$AAp?$AAo?$AAr?$AAt?$AAB?$AAc?$AAd?$AAO?$AAb?$AAj?$AAe@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 0Ch

loc_A2B515:				; CODE XREF: BiExportBcdObjects(x,x)+1Bj
					; BiExportBcdObjects(x,x)+E6j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_BiExportBcdObjects@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiExportEfiBootManager(x, x, x)
_BiExportEfiBootManager@12 proc	near	; CODE XREF: BiExportStoreAlterationsToEfi(x)+45p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_3C], edx
		mov	esi, ecx
		mov	[ebp+var_50], ebx
		push	6
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_48], ebx
		lea	edi, [ebp+var_20]
		mov	[ebp+var_2C], ebx
		rep stosd
		lea	eax, [ebp+var_28]
		mov	[ebp+var_4C], ebx
		mov	edi, ebx
		mov	[ebp+var_5C], ebx
		push	eax
		mov	edx, (offset loc_428CA1+3)
		mov	[ebp+var_30], ebx
		mov	ecx, esi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], edi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_54], ebx
		call	BcdOpenObject
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2B594
		cmp	esi, 0C0000034h
		jnz	loc_A2B7B9
		mov	esi, ebx
		jmp	loc_A2B7B9
; 

loc_A2B594:				; CODE XREF: BiExportEfiBootManager(x,x,x)+63j
		mov	ecx, [ebp+var_28]
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_38]
		mov	edx, 24000001h
		push	eax
		call	_BiGetElement@16 ; BiGetElement(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2B5ED
		mov	eax, [ebp+var_2C]
		shr	eax, 4
		mov	[ebp+var_2C], eax
		push	4B444342h
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_30], eax
		test	eax, eax
		jnz	short loc_A2B5D9
		mov	esi, 0C000009Ah
		jmp	loc_A2B7A6
; 

loc_A2B5D9:				; CODE XREF: BiExportEfiBootManager(x,x,x)+B1j
		mov	esi, [ebp+var_3C]
		lea	ecx, [ebp+var_2C]
		mov	edx, [ebp+var_38]
		push	ecx
		push	eax
		mov	ecx, esi
		call	_BiTranslateDisplayOrder@16 ; BiTranslateDisplayOrder(x,x,x,x)
		jmp	short loc_A2B5FF
; 

loc_A2B5ED:				; CODE XREF: BiExportEfiBootManager(x,x,x)+91j
		cmp	esi, 0C0000225h
		jnz	loc_A2B7A6
		mov	esi, [ebp+var_3C]
		mov	[ebp+var_2C], ebx

loc_A2B5FF:				; CODE XREF: BiExportEfiBootManager(x,x,x)+CFj
		lea	edx, [ebp+var_4C]
		lea	ecx, [ebp+var_44]
		call	_BiQueryBootEntryOrder@8 ; BiQueryBootEntryOrder(x,x)
		mov	edx, [ebp+var_28]
		mov	ecx, esi
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_2C]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		call	_BiHandleFirmwareDefaultEntry@16 ; BiHandleFirmwareDefaultEntry(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2B781
		mov	esi, [ebp+var_2C]
		cmp	[ebp+var_58], ebx
		jl	short loc_A2B652
		test	esi, esi
		jz	short loc_A2B652
		cmp	[ebp+var_4C], esi
		jnz	short loc_A2B652
		mov	eax, esi
		shl	eax, 2
		push	eax		; size_t
		push	[ebp+var_44]	; void *
		push	[ebp+var_30]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A2B666

loc_A2B652:				; CODE XREF: BiExportEfiBootManager(x,x,x)+113j
					; BiExportEfiBootManager(x,x,x)+117j ...
		mov	ecx, [ebp+var_30]
		mov	edx, esi
		call	_BiSetBootEntryOrder@8 ; BiSetBootEntryOrder(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2B781

loc_A2B666:				; CODE XREF: BiExportEfiBootManager(x,x,x)+134j
		mov	ecx, [ebp+var_28]
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_1C], 18h
		push	eax
		mov	edx, 25000004h
		mov	[ebp+var_20], 1
		call	_BiGetElement@16 ; BiGetElement(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2B6AF
		mov	eax, [ebp+var_40]
		xor	edi, edi
		inc	edi
		mov	[ebp+var_34], edi
		cmp	[eax+4], ebx
		ja	short loc_A2B6A9
		cmp	dword ptr [eax], 0FFFFFFFFh
		ja	short loc_A2B6A9
		mov	eax, [eax]
		mov	[ebp+var_18], eax
		jmp	short loc_A2B6D2
; 

loc_A2B6A9:				; CODE XREF: BiExportEfiBootManager(x,x,x)+17Fj
					; BiExportEfiBootManager(x,x,x)+184j
		or	[ebp+var_18], 0FFFFFFFFh
		jmp	short loc_A2B6D2
; 

loc_A2B6AF:				; CODE XREF: BiExportEfiBootManager(x,x,x)+171j
		cmp	esi, 0C0000225h
		jnz	loc_A2B781
		mov	ecx, offset ??_C@_1BA@BKONPLFM@?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@NNGAKEGL@
		call	_BiDeleteEfiVariable@4 ; BiDeleteEfiVariable(x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2B781
		mov	[ebp+var_18], ebx

loc_A2B6D2:				; CODE XREF: BiExportEfiBootManager(x,x,x)+18Bj
					; BiExportEfiBootManager(x,x,x)+191j
		mov	ecx, [ebp+var_28]
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_24]
		mov	edx, 24000002h
		push	eax
		call	_BiGetElement@16 ; BiGetElement(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2B712
		mov	ecx, [ebp+var_3C]
		lea	eax, [ebp+var_50]
		or	edi, 2
		mov	[ebp+var_34], edi
		mov	edi, [ebp+var_24]
		mov	edx, edi
		push	eax
		call	_BiTranslateObjectIdentifier@12	; BiTranslateObjectIdentifier(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2B784
		mov	eax, [ebp+var_50]
		mov	[ebp+var_10], eax
		jmp	short loc_A2B730
; 

loc_A2B712:				; CODE XREF: BiExportEfiBootManager(x,x,x)+1CFj
		cmp	esi, 0C0000225h
		jnz	short loc_A2B781
		mov	ecx, offset ??_C@_1BC@HGEHGBBD@?$AAB?$AAo?$AAo?$AAt?$AAN?$AAe?$AAx?$AAt@NNGAKEGL@
		call	_BiDeleteEfiVariable@4 ; BiDeleteEfiVariable(x)
		mov	edi, [ebp+var_24]
		mov	esi, eax
		test	esi, esi
		js	short loc_A2B784
		mov	[ebp+var_10], ebx

loc_A2B730:				; CODE XREF: BiExportEfiBootManager(x,x,x)+1F4j
		lea	edx, [ebp+var_48]
		mov	[ebp+var_48], ebx
		lea	ecx, [ebp+var_54]
		call	_BiQueryBootOptions@8 ;	BiQueryBootOptions(x,x)
		mov	ebx, [ebp+var_54]
		mov	ecx, [ebp+var_34]
		test	eax, eax
		js	short loc_A2B76F
		mov	eax, [ebx]
		cmp	eax, [ebp+var_20]
		jnz	short loc_A2B76F
		test	cl, 1
		jz	short loc_A2B75F
		mov	eax, [ebx+8]
		cmp	eax, [ebp+var_18]
		jnz	short loc_A2B75F
		and	ecx, 0FFFFFFFEh

loc_A2B75F:				; CODE XREF: BiExportEfiBootManager(x,x,x)+236j
					; BiExportEfiBootManager(x,x,x)+23Ej
		test	cl, 2
		jz	short loc_A2B76F
		mov	eax, [ebx+10h]
		cmp	eax, [ebp+var_10]
		jnz	short loc_A2B76F
		and	ecx, 0FFFFFFFDh

loc_A2B76F:				; CODE XREF: BiExportEfiBootManager(x,x,x)+22Aj
					; BiExportEfiBootManager(x,x,x)+231j ...
		test	ecx, ecx
		jz	short loc_A2B784
		mov	edx, ecx
		lea	ecx, [ebp+var_20]
		call	_BiSetBootOptions@8 ; BiSetBootOptions(x,x)
		mov	esi, eax
		jmp	short loc_A2B784
; 

loc_A2B781:				; CODE XREF: BiExportEfiBootManager(x,x,x)+107j
					; BiExportEfiBootManager(x,x,x)+144j ...
		mov	edi, [ebp+var_24]

loc_A2B784:				; CODE XREF: BiExportEfiBootManager(x,x,x)+1ECj
					; BiExportEfiBootManager(x,x,x)+20Fj ...
		cmp	[ebp+var_30], 0
		jz	short loc_A2B797
		push	4B444342h
		push	[ebp+var_30]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2B797:				; CODE XREF: BiExportEfiBootManager(x,x,x)+26Cj
		test	edi, edi
		jz	short loc_A2B7A6
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2B7A6:				; CODE XREF: BiExportEfiBootManager(x,x,x)+B8j
					; BiExportEfiBootManager(x,x,x)+D7j ...
		cmp	[ebp+var_38], 0
		jz	short loc_A2B7B9
		push	4B444342h
		push	[ebp+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2B7B9:				; CODE XREF: BiExportEfiBootManager(x,x,x)+6Bj
					; BiExportEfiBootManager(x,x,x)+73j ...
		cmp	[ebp+var_28], 0
		jz	short loc_A2B7C7
		mov	ecx, [ebp+var_28]
		call	_BcdCloseObject@4 ; BcdCloseObject(x)

loc_A2B7C7:				; CODE XREF: BiExportEfiBootManager(x,x,x)+2A1j
		mov	eax, [ebp+var_40]
		test	eax, eax
		jz	short loc_A2B7D9
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2B7D9:				; CODE XREF: BiExportEfiBootManager(x,x,x)+2B0j
		mov	eax, [ebp+var_44]
		test	eax, eax
		jz	short loc_A2B7EB
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2B7EB:				; CODE XREF: BiExportEfiBootManager(x,x,x)+2C2j
		test	ebx, ebx
		jz	short loc_A2B7FA
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2B7FA:				; CODE XREF: BiExportEfiBootManager(x,x,x)+2D1j
		test	esi, esi
		jns	short loc_A2B80E
		push	esi
		push	offset ??_C@_1EE@FJNEFEPL@?$AAB?$AAi?$AAE?$AAx?$AAp?$AAo?$AAr?$AAt?$AAE?$AAf?$AAi?$AAB?$AAo?$AAo?$AAt@NNGAKEGL@	; "BiExportEfiBootManager failed: %x"
		push	4
		call	_BiLogMessage
		add	esp, 0Ch

loc_A2B80E:				; CODE XREF: BiExportEfiBootManager(x,x,x)+2E0j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_BiExportEfiBootManager@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiExportStoreAlterationsToEfi(x)
_BiExportStoreAlterationsToEfi@4 proc near
					; CODE XREF: BiExportStoreAlterationsToFirmware+A633Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		push	(offset	loc_8C82C7+1)
		push	2
		mov	edi, ecx
		call	_BiLogMessage
		add	esp, 8
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		push	eax
		call	_BiBuildIdentifierList@12 ; BiBuildIdentifierList(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2B875
		lea	edx, [ebp+var_8]
		mov	ecx, edi
		call	_BiExportBcdObjects@8 ;	BiExportBcdObjects(x,x)
		test	eax, eax
		jns	short loc_A2B860
		mov	esi, eax

loc_A2B860:				; CODE XREF: BiExportStoreAlterationsToEfi(x)+3Bj
		push	ecx
		lea	edx, [ebp+var_8]
		mov	ecx, edi
		call	_BiExportEfiBootManager@12 ; BiExportEfiBootManager(x,x,x)
		test	eax, eax
		jns	short loc_A2B871
		mov	esi, eax

loc_A2B871:				; CODE XREF: BiExportStoreAlterationsToEfi(x)+4Cj
		test	esi, esi
		jns	short loc_A2B885

loc_A2B875:				; CODE XREF: BiExportStoreAlterationsToEfi(x)+2Dj
		push	esi
		push	offset ??_C@_1FA@COMALIMP@?$AAB?$AAi?$AAE?$AAx?$AAp?$AAo?$AAr?$AAt?$AAS?$AAt?$AAo?$AAr?$AAe?$AAA?$AAl@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 0Ch

loc_A2B885:				; CODE XREF: BiExportStoreAlterationsToEfi(x)+52j
		lea	ecx, [ebp+var_8]
		call	_BiFreeIdentifierList@4	; BiFreeIdentifierList(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_BiExportStoreAlterationsToEfi@4 endp


;  S U B	R O U T	I N E 


; __stdcall BiFreeIdentifierList(x)
_BiFreeIdentifierList@4	proc near	; CODE XREF: BiBindEfiNamespaceObjects(x)+62p
					; BiBuildIdentifierList(x,x,x)+526p ...
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, [ebx]
		jmp	short loc_A2B8D8
; 

loc_A2B89E:				; CODE XREF: BiFreeIdentifierList(x)+47j
		mov	eax, [edi]
		mov	esi, edi
		mov	edi, eax
		cmp	[eax+4], esi
		jnz	short loc_A2B8E0
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_A2B8E0
		mov	[ecx], eax
		mov	[eax+4], ecx
		test	byte ptr [esi+20h], 1
		jz	short loc_A2B8CD
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_A2B8CD
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2B8CD:				; CODE XREF: BiFreeIdentifierList(x)+26j
					; BiFreeIdentifierList(x)+2Dj
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2B8D8:				; CODE XREF: BiFreeIdentifierList(x)+9j
		cmp	edi, ebx
		jnz	short loc_A2B89E
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_A2B8E0:				; CODE XREF: BiFreeIdentifierList(x)+14j
					; BiFreeIdentifierList(x)+1Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_BiFreeIdentifierList@4	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiGetDeviceFromEfiPath(x, x, x)
_BiGetDeviceFromEfiPath@12 proc	near	; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+7Cp
					; BiUpdateBcdObject(x,x)+198p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], edx
		push	7Fh
		pop	edx
		mov	al, [edi]
		and	al, dl
		cmp	al, dl
		jnz	short loc_A2B90E
		mov	esi, 0C000003Ah
		jmp	loc_A2BA21
; 

loc_A2B90E:				; CODE XREF: BiGetDeviceFromEfiPath(x,x,x)+1Dj
		movzx	esi, byte ptr [edi+3]
		movzx	eax, byte ptr [edi+2]
		shl	esi, 8
		or	esi, eax
		add	esi, edi

loc_A2B91D:				; CODE XREF: BiGetDeviceFromEfiPath(x,x,x)+5Bj
		mov	cl, [esi]
		mov	al, cl
		and	al, dl
		cmp	al, dl
		jz	short loc_A2B942
		cmp	cl, 4
		jnz	short loc_A2B931
		cmp	[esi+1], cl
		jz	short loc_A2B942

loc_A2B931:				; CODE XREF: BiGetDeviceFromEfiPath(x,x,x)+45j
		movzx	ecx, byte ptr [esi+3]
		movzx	eax, byte ptr [esi+2]
		shl	ecx, 8
		or	ecx, eax
		add	esi, ecx
		jmp	short loc_A2B91D
; 

loc_A2B942:				; CODE XREF: BiGetDeviceFromEfiPath(x,x,x)+40j
					; BiGetDeviceFromEfiPath(x,x,x)+4Aj
		sub	esi, edi
		push	4B444342h
		lea	eax, [esi+10h]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A2B964
		mov	esi, 0C000009Ah
		jmp	loc_A2BA21
; 

loc_A2B964:				; CODE XREF: BiGetDeviceFromEfiPath(x,x,x)+73j
		lea	eax, [esi+10h]
		mov	dword ptr [ebx], 1
		push	esi		; size_t
		mov	[ebx+4], eax
		lea	eax, [ebx+0Ch]
		push	edi		; void *
		push	eax		; void *
		mov	dword ptr [ebx+8], 4
		call	_memcpy
		add	esp, 0Ch
		mov	dword ptr [esi+ebx+0Ch], 4FF7Fh
		lea	eax, [ebp+var_4]
		mov	ecx, ebx
		push	eax
		push	3
		pop	edx
		call	_BiTranslateFilePath@12	; BiTranslateFilePath(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2BA04
		mov	eax, [ebp+var_4]
		push	4B444342h
		mov	eax, [eax+4]
		sub	eax, 0Ch
		mov	[ebp+var_C], eax
		add	eax, 14h
		push	eax
		push	1
		mov	[ebp+var_8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A2B9CD
		mov	esi, 0C000009Ah
		jmp	short loc_A2BA04
; 

loc_A2B9CD:				; CODE XREF: BiGetDeviceFromEfiPath(x,x,x)+DFj
		push	[ebp+var_8]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		add	eax, 0Ch
		mov	dword ptr [edi], 2
		push	[ebp+var_C]	; size_t
		push	eax		; void *
		lea	eax, [edi+14h]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		mov	ecx, [ebp+var_8]
		mov	[eax], edi
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx

loc_A2BA04:				; CODE XREF: BiGetDeviceFromEfiPath(x,x,x)+BAj
					; BiGetDeviceFromEfiPath(x,x,x)+E6j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_A2BA16
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2BA16:				; CODE XREF: BiGetDeviceFromEfiPath(x,x,x)+124j
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2BA21:				; CODE XREF: BiGetDeviceFromEfiPath(x,x,x)+24j
					; BiGetDeviceFromEfiPath(x,x,x)+7Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_BiGetDeviceFromEfiPath@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiGetFilePathFromEfiPath(x,	x, x)
_BiGetFilePathFromEfiPath@12 proc near	; CODE XREF: BiCreateMergedBootEntry(x,x,x,x,x)+B1p
					; BiUpdateBcdObject(x,x)+1E1p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edx
		xor	ebx, ebx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], ebx
		mov	al, [edi]
		and	al, 7Fh
		cmp	al, 7Fh
		jnz	short loc_A2BA53
		mov	eax, 0C000003Ah
		jmp	loc_A2BB4C
; 

loc_A2BA53:				; CODE XREF: BiGetFilePathFromEfiPath(x,x,x)+1Dj
		movzx	eax, byte ptr [edi+2]
		push	esi
		movzx	esi, byte ptr [edi+3]
		shl	esi, 8
		or	esi, eax
		add	esi, edi

loc_A2BA63:				; CODE XREF: BiGetFilePathFromEfiPath(x,x,x)+80j
		mov	cl, [esi]
		mov	al, cl
		and	al, 7Fh
		cmp	al, 7Fh
		jz	short loc_A2BAAC
		cmp	cl, 4
		jnz	short loc_A2BA9B
		cmp	[esi+1], cl
		jnz	short loc_A2BA9B
		movzx	ecx, byte ptr [esi+3]
		lea	eax, [ebp+var_4]
		push	eax
		movzx	eax, byte ptr [esi+2]
		shl	ecx, 8
		push	4
		or	ecx, eax
		pop	edx
		call	_RtlULongPtrSub@12 ; RtlULongPtrSub(x,x,x)
		test	eax, eax
		js	loc_A2BB4B
		add	ebx, [ebp+var_4]

loc_A2BA9B:				; CODE XREF: BiGetFilePathFromEfiPath(x,x,x)+46j
					; BiGetFilePathFromEfiPath(x,x,x)+4Bj
		movzx	ecx, byte ptr [esi+3]
		movzx	eax, byte ptr [esi+2]
		shl	ecx, 8
		or	ecx, eax
		add	esi, ecx
		jmp	short loc_A2BA63
; 

loc_A2BAAC:				; CODE XREF: BiGetFilePathFromEfiPath(x,x,x)+41j
		test	ebx, ebx
		jnz	short loc_A2BABA
		mov	eax, 0C0000225h
		jmp	loc_A2BB4B
; 

loc_A2BABA:				; CODE XREF: BiGetFilePathFromEfiPath(x,x,x)+84j
		push	4B444342h
		add	ebx, 2
		push	ebx
		push	1
		mov	[ebp+var_10], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		jnz	short loc_A2BADD
		mov	eax, 0C000009Ah
		jmp	short loc_A2BB4B
; 

loc_A2BADD:				; CODE XREF: BiGetFilePathFromEfiPath(x,x,x)+AAj
		mov	ecx, [ebp+var_8]
		mov	ebx, edx
		movzx	edi, byte ptr [edi+3]
		shl	edi, 8
		movzx	eax, byte ptr [ecx+2]
		or	edi, eax

loc_A2BAEF:				; CODE XREF: BiGetFilePathFromEfiPath(x,x,x)+108j
		add	edi, ecx
		mov	cl, [edi]
		mov	al, cl
		and	al, 7Fh
		cmp	al, 7Fh
		jz	short loc_A2BB34
		cmp	cl, 4
		jnz	short loc_A2BB25
		cmp	[edi+1], cl
		jnz	short loc_A2BB25
		movzx	esi, byte ptr [edi+3]
		movzx	eax, byte ptr [edi+2]
		shl	esi, 8
		or	esi, eax
		lea	eax, [edi+4]
		add	esi, 0FFFFFFFCh
		push	esi		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		add	ebx, esi

loc_A2BB25:				; CODE XREF: BiGetFilePathFromEfiPath(x,x,x)+D4j
					; BiGetFilePathFromEfiPath(x,x,x)+D9j
		movzx	ecx, byte ptr [edi+3]
		movzx	eax, byte ptr [edi+2]
		shl	ecx, 8
		or	ecx, eax
		jmp	short loc_A2BAEF
; 

loc_A2BB34:				; CODE XREF: BiGetFilePathFromEfiPath(x,x,x)+CFj
		mov	ecx, [ebp+var_C]
		xor	eax, eax
		mov	[ebx], ax
		mov	eax, [ebp+var_4]
		mov	ebx, [ebp+var_10]
		mov	[ecx], eax
		mov	eax, [ebp+arg_0]
		mov	[eax], ebx
		xor	eax, eax

loc_A2BB4B:				; CODE XREF: BiGetFilePathFromEfiPath(x,x,x)+68j
					; BiGetFilePathFromEfiPath(x,x,x)+8Bj ...
		pop	esi

loc_A2BB4C:				; CODE XREF: BiGetFilePathFromEfiPath(x,x,x)+24j
		pop	edi
		pop	ebx
		leave
		retn	4
_BiGetFilePathFromEfiPath@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiGetObjectReferenceFromEfiEntry(x,	x)
_BiGetObjectReferenceFromEfiEntry@8 proc near ;	CODE XREF: BiBuildIdentifierList(x,x,x)+29Dp
					; BiUpdateObjectReferenceInEfiEntry(x,x)+39p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_C		= word ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_64], 0
		and	[ebp+var_60], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_5C], edx
		mov	edi, ecx
		call	_BiIsWindowsEfiEntry@4 ; BiIsWindowsEfiEntry(x)
		test	al, al
		jnz	short loc_A2BB87
		mov	esi, 0C000000Dh
		jmp	loc_A2BC15
; 

loc_A2BB87:				; CODE XREF: BiGetObjectReferenceFromEfiEntry(x,x)+29j
		mov	esi, [edi+28h]
		push	4B444342h
		sub	esi, 14h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A2BBA7
		mov	esi, 0C000009Ah
		jmp	short loc_A2BC15
; 

loc_A2BBA7:				; CODE XREF: BiGetObjectReferenceFromEfiEntry(x,x)+4Cj
		push	esi		; size_t
		lea	eax, [edi+30h]
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		push	ebx		; wchar_t *
		call	__wcsupr
		push	offset ??_C@_1BG@IHEHAJI@?$AAB?$AAC?$AAD?$AAO?$AAB?$AAJ?$AAE?$AAC?$AAT?$AA?$DN@NNGAKEGL@ ; "BCDOBJECT="
		push	ebx		; wchar_t *
		call	_wcsstr
		add	esp, 18h
		test	eax, eax
		jnz	short loc_A2BBD1

loc_A2BBCA:				; CODE XREF: BiGetObjectReferenceFromEfiEntry(x,x)+89j
		mov	esi, 0C0000225h
		jmp	short loc_A2BC0A
; 

loc_A2BBD1:				; CODE XREF: BiGetObjectReferenceFromEfiEntry(x,x)+76j
		add	eax, 14h
		sub	esi, eax
		add	esi, ebx
		cmp	esi, 4Eh
		jb	short loc_A2BBCA
		push	13h
		mov	esi, eax
		lea	edi, [ebp+var_58]
		pop	ecx
		rep movsd
		xor	eax, eax
		movsw
		mov	[ebp+var_C], ax
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_64]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+var_5C]
		lea	eax, [ebp+var_64]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	esi, eax

loc_A2BC0A:				; CODE XREF: BiGetObjectReferenceFromEfiEntry(x,x)+7Dj
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2BC15:				; CODE XREF: BiGetObjectReferenceFromEfiEntry(x,x)+30j
					; BiGetObjectReferenceFromEfiEntry(x,x)+53j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_BiGetObjectReferenceFromEfiEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiGetSavedBootEntry(x, x)
_BiGetSavedBootEntry@8 proc near	; CODE XREF: BiBuildIdentifierList(x,x,x)+21Dp
					; BiCreateEfiEntry(x,x)+45p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_4]
		mov	edi, edx
		push	eax
		push	3
		push	offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		mov	edx, offset ??_C@_1CC@MDJGBMLK@?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr?$AAe?$AAV?$AAa?$AAr?$AAi?$AAa?$AAb?$AAl@NNGAKEGL@ ; "FirmwareVariable"
		call	BiGetRegistryValue
		mov	ecx, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_A2BC79
		cmp	[ebp+var_8], 1Ch
		jb	short loc_A2BC70
		cmp	dword ptr [ecx+4], 1Ch
		jb	short loc_A2BC70
		cmp	dword ptr [ecx], 0
		jz	short loc_A2BC70
		mov	[edi], ecx
		jmp	short loc_A2BC75
; 

loc_A2BC70:				; CODE XREF: BiGetSavedBootEntry(x,x)+39j
					; BiGetSavedBootEntry(x,x)+3Fj	...
		mov	esi, 0C000000Dh

loc_A2BC75:				; CODE XREF: BiGetSavedBootEntry(x,x)+48j
		test	esi, esi
		jns	short loc_A2BC88

loc_A2BC79:				; CODE XREF: BiGetSavedBootEntry(x,x)+33j
		test	ecx, ecx
		jz	short loc_A2BC88
		push	4B444342h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2BC88:				; CODE XREF: BiGetSavedBootEntry(x,x)+51j
					; BiGetSavedBootEntry(x,x)+55j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_BiGetSavedBootEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiHandleFirmwareDefaultEntry(x, x, x, x)
_BiHandleFirmwareDefaultEntry@16 proc near ; CODE XREF:	BiExportEfiBootManager(x,x,x)+FEp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	edi, edx
		mov	[ebp+var_C], eax
		mov	edx, 23000003h
		mov	[ebp+var_4], eax
		mov	ecx, edi
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_BiGetElement@16 ; BiGetElement(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jz	loc_A2BDAC
		test	esi, esi
		js	loc_A2BDAE
		push	ecx
		mov	edx, 23000003h
		mov	ecx, edi
		call	BiDeleteElement
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		mov	ecx, ebx
		call	_BiTranslateObjectIdentifier@12	; BiTranslateObjectIdentifier(x,x,x)
		xor	esi, esi
		test	eax, eax
		js	loc_A2BDAE
		mov	edi, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		mov	edi, [edi]
		mov	eax, [eax]
		mov	[ebp+var_C], eax
		test	edi, edi
		jz	short loc_A2BD27
		mov	ecx, [ebp+var_8]

loc_A2BD0B:				; CODE XREF: BiHandleFirmwareDefaultEntry(x,x,x,x)+85j
		cmp	[eax+esi*4], ecx
		jz	short loc_A2BD15
		inc	esi
		cmp	esi, edi
		jb	short loc_A2BD0B

loc_A2BD15:				; CODE XREF: BiHandleFirmwareDefaultEntry(x,x,x,x)+80j
		test	esi, esi
		jz	short loc_A2BD1F
		cmp	esi, edi
		jz	short loc_A2BD27
		jmp	short loc_A2BD28
; 

loc_A2BD1F:				; CODE XREF: BiHandleFirmwareDefaultEntry(x,x,x,x)+89j
		test	edi, edi
		jnz	loc_A2BDAC

loc_A2BD27:				; CODE XREF: BiHandleFirmwareDefaultEntry(x,x,x,x)+78j
					; BiHandleFirmwareDefaultEntry(x,x,x,x)+8Dj
		inc	edi

loc_A2BD28:				; CODE XREF: BiHandleFirmwareDefaultEntry(x,x,x,x)+8Fj
		push	4B444342h
		mov	eax, edi
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A2BD47
		mov	esi, 0C000009Ah
		jmp	short loc_A2BDAE
; 

loc_A2BD47:				; CODE XREF: BiHandleFirmwareDefaultEntry(x,x,x,x)+B0j
		mov	eax, [ebp+var_8]
		mov	[ebx], eax
		test	esi, esi
		jz	short loc_A2BD65
		mov	eax, esi
		shl	eax, 2
		push	eax		; size_t
		push	[ebp+var_C]	; void *
		lea	eax, [ebx+4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_A2BD65:				; CODE XREF: BiHandleFirmwareDefaultEntry(x,x,x,x)+C0j
		lea	eax, [edi-1]
		cmp	esi, eax
		jnb	short loc_A2BD91
		mov	eax, edi
		sub	eax, esi
		lea	eax, ds:0FFFFFFFCh[eax*4]
		push	eax		; size_t
		mov	eax, [ebp+var_C]
		lea	eax, [eax+esi*4]
		add	eax, 4
		push	eax		; void *
		lea	eax, [esi+1]
		lea	eax, [ebx+eax*4]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_A2BD91:				; CODE XREF: BiHandleFirmwareDefaultEntry(x,x,x,x)+DCj
		mov	esi, [ebp+arg_0]
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_A2BDA5
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2BDA5:				; CODE XREF: BiHandleFirmwareDefaultEntry(x,x,x,x)+10Aj
		mov	eax, [ebp+arg_4]
		mov	[esi], ebx
		mov	[eax], edi

loc_A2BDAC:				; CODE XREF: BiHandleFirmwareDefaultEntry(x,x,x,x)+36j
					; BiHandleFirmwareDefaultEntry(x,x,x,x)+93j
		xor	esi, esi

loc_A2BDAE:				; CODE XREF: BiHandleFirmwareDefaultEntry(x,x,x,x)+3Ej
					; BiHandleFirmwareDefaultEntry(x,x,x,x)+63j ...
		cmp	[ebp+var_4], 0
		jz	short loc_A2BDC1
		push	4B444342h
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2BDC1:				; CODE XREF: BiHandleFirmwareDefaultEntry(x,x,x,x)+124j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_BiHandleFirmwareDefaultEntry@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiIsLinkedToEfiVariable(x, x)
_BiIsLinkedToEfiVariable@8 proc	near	; CODE XREF: BiIsLinkedToFirmwareVariable+A1A9Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, edx
		lea	edx, [ebp+var_8]
		call	_BiGetObjectDescription@8 ; BiGetObjectDescription(x,x)
		test	eax, eax
		js	short loc_A2BE34
		mov	ecx, [ebp+var_4]
		mov	eax, ecx
		and	eax, 0F0000000h
		cmp	eax, 10000000h
		jnz	short loc_A2BE34
		mov	eax, ecx
		and	eax, 0F00000h
		cmp	eax, 100000h
		jnz	short loc_A2BE34
		and	ecx, 0FFFFFh
		cmp	ecx, 2
		jnz	short loc_A2BE30
		test	esi, esi
		jz	short loc_A2BE30
		mov	eax, [esi]
		cmp	eax, 11000001h
		jz	short loc_A2BE30
		cmp	eax, 12000002h
		jz	short loc_A2BE30
		cmp	eax, 12000004h
		jz	short loc_A2BE30
		cmp	eax, 16000082h
		jnz	short loc_A2BE34

loc_A2BE30:				; CODE XREF: BiIsLinkedToEfiVariable(x,x)+42j
					; BiIsLinkedToEfiVariable(x,x)+46j ...
		mov	al, 1
		jmp	short loc_A2BE36
; 

loc_A2BE34:				; CODE XREF: BiIsLinkedToEfiVariable(x,x)+18j
					; BiIsLinkedToEfiVariable(x,x)+29j ...
		xor	al, al

loc_A2BE36:				; CODE XREF: BiIsLinkedToEfiVariable(x,x)+68j
		pop	esi
		leave
		retn
_BiIsLinkedToEfiVariable@8 endp


;  S U B	R O U T	I N E 


; __stdcall BiIsWindowsEfiEntry(x)
_BiIsWindowsEfiEntry@4 proc near	; CODE XREF: BiGetObjectReferenceFromEfiEntry(x,x)+22p
		cmp	dword ptr [ecx+4], 1Ch
		push	esi
		push	edi
		jb	short loc_A2BE82
		cmp	dword ptr [ecx+18h], 14h
		jb	short loc_A2BE82
		push	7		; size_t
		lea	edi, [ecx+1Ch]
		push	offset ??_C@_07LHJOABLP@WINDOWS@NNGAKEGL@ ; "WINDOWS"
		push	edi		; char *
		call	_strncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A2BE82
		mov	esi, [edi+0Ch]
		cmp	esi, 14h
		jb	short loc_A2BE82
		cmp	[edi+8], eax
		jz	short loc_A2BE82
		add	esi, 0FFFFFFECh
		lea	eax, [edi+14h]
		push	esi
		push	eax
		call	_wcsnlen
		pop	ecx
		pop	ecx
		cmp	eax, esi
		jz	short loc_A2BE82
		mov	al, 1
		jmp	short loc_A2BE84
; 

loc_A2BE82:				; CODE XREF: BiIsWindowsEfiEntry(x)+6j
					; BiIsWindowsEfiEntry(x)+Cj ...
		xor	al, al

loc_A2BE84:				; CODE XREF: BiIsWindowsEfiEntry(x)+47j
		pop	edi
		pop	esi
		retn
_BiIsWindowsEfiEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiLookupObjectByBootEntry(x, x, x)
_BiLookupObjectByBootEntry@12 proc near	; CODE XREF: BiBuildIdentifierList(x,x,x)+3ECp
					; BiTranslateBootEntryId(x,x,x)+Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ecx]
		jmp	short loc_A2BE9E
; 

loc_A2BE91:				; CODE XREF: BiLookupObjectByBootEntry(x,x,x)+19j
		test	byte ptr [esi+20h], 3
		jz	short loc_A2BE9C
		cmp	[esi+18h], edx
		jz	short loc_A2BEAC

loc_A2BE9C:				; CODE XREF: BiLookupObjectByBootEntry(x,x,x)+Ej
		mov	esi, [esi]

loc_A2BE9E:				; CODE XREF: BiLookupObjectByBootEntry(x,x,x)+8j
		cmp	esi, ecx
		jnz	short loc_A2BE91
		mov	eax, 0C0000225h

loc_A2BEA7:				; CODE XREF: BiLookupObjectByBootEntry(x,x,x)+2Cj
		pop	esi
		pop	ebp
		retn	4
; 

loc_A2BEAC:				; CODE XREF: BiLookupObjectByBootEntry(x,x,x)+13j
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	eax, eax
		jmp	short loc_A2BEA7
_BiLookupObjectByBootEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall BiLookupObjectByIdentifier(int,void *,int)
_BiLookupObjectByIdentifier@12 proc near ; CODE	XREF: BiTranslateObjectIdentifier(x,x,x)+Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	esi, [edi]
		jmp	short loc_A2BEE0
; 

loc_A2BEC5:				; CODE XREF: BiLookupObjectByIdentifier(x,x,x)+2Dj
		test	byte ptr [esi+20h], 4
		jz	short loc_A2BEDE
		push	10h		; size_t
		lea	eax, [esi+8]
		push	eax		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A2BEF0

loc_A2BEDE:				; CODE XREF: BiLookupObjectByIdentifier(x,x,x)+14j
		mov	esi, [esi]

loc_A2BEE0:				; CODE XREF: BiLookupObjectByIdentifier(x,x,x)+Ej
		cmp	esi, edi
		jnz	short loc_A2BEC5
		mov	eax, 0C0000225h

loc_A2BEE9:				; CODE XREF: BiLookupObjectByIdentifier(x,x,x)+42j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_A2BEF0:				; CODE XREF: BiLookupObjectByIdentifier(x,x,x)+27j
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	eax, eax
		jmp	short loc_A2BEE9
_BiLookupObjectByIdentifier@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall BiLookupObjectByIdentifierAndBootEntry(int,void *,int,int)
_BiLookupObjectByIdentifierAndBootEntry@16 proc	near
					; CODE XREF: BiBuildIdentifierList(x,x,x)+2B6p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	esi, [edi]
		jmp	short loc_A2BF38
; 

loc_A2BF0B:				; CODE XREF: BiLookupObjectByIdentifierAndBootEntry(x,x,x,x)+41j
		mov	ebx, [esi+20h]
		test	bl, 4
		jz	short loc_A2BF36
		push	10h		; size_t
		lea	eax, [esi+8]
		push	eax		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A2BF33
		test	bl, 3
		jz	short loc_A2BF33
		mov	eax, [ebp+arg_0]
		cmp	[esi+18h], eax
		jz	short loc_A2BF48

loc_A2BF33:				; CODE XREF: BiLookupObjectByIdentifierAndBootEntry(x,x,x,x)+2Bj
					; BiLookupObjectByIdentifierAndBootEntry(x,x,x,x)+30j
		mov	edx, [ebp+var_4]

loc_A2BF36:				; CODE XREF: BiLookupObjectByIdentifierAndBootEntry(x,x,x,x)+18j
		mov	esi, [esi]

loc_A2BF38:				; CODE XREF: BiLookupObjectByIdentifierAndBootEntry(x,x,x,x)+10j
		cmp	esi, edi
		jnz	short loc_A2BF0B
		mov	eax, 0C0000225h

loc_A2BF41:				; CODE XREF: BiLookupObjectByIdentifierAndBootEntry(x,x,x,x)+56j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_A2BF48:				; CODE XREF: BiLookupObjectByIdentifierAndBootEntry(x,x,x,x)+38j
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		xor	eax, eax
		jmp	short loc_A2BF41
_BiLookupObjectByIdentifierAndBootEntry@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiModifyBootEntry(x)
_BiModifyBootEntry@4 proc near		; CODE XREF: BiUpdateEfiEntry(x,x)+E0p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	edx, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	16h
		mov	edi, ecx
		pop	ecx
		call	BiAcquirePrivilege
		mov	esi, eax
		test	esi, esi
		js	short loc_A2BF9C
		push	edi
		call	_ZwModifyBootEntry@4 ; ZwModifyBootEntry(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2BF94
		push	esi
		push	dword ptr [edi+8]
		push	(offset	loc_8C8A8D+1)
		push	4
		call	_BiLogMessage
		add	esp, 10h

loc_A2BF94:				; CODE XREF: BiModifyBootEntry(x)+2Ej
		lea	ecx, [ebp+var_8]
		call	_BiReleasePrivilege@4 ;	BiReleasePrivilege(x)

loc_A2BF9C:				; CODE XREF: BiModifyBootEntry(x)+22j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_BiModifyBootEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiQueryBootEntryOrder(x, x)
_BiQueryBootEntryOrder@8 proc near	; CODE XREF: BiAddBootEntryToNvramDisplayOrder(x)+1Cp
					; BiBindEfiBootManager(x,x)+8Fp ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], ecx
		push	16h
		mov	ebx, edx
		mov	[ebp+var_10], edi
		lea	edx, [ebp+var_10]
		mov	[ebp+var_C], edi
		pop	ecx
		mov	[ebp+var_4], edi
		call	BiAcquirePrivilege
		mov	esi, eax
		test	esi, esi
		js	short loc_A2C047
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		call	_ZwQueryBootEntryOrder@8 ; ZwQueryBootEntryOrder(x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_A2C010
		mov	eax, [ebp+var_4]
		push	4B444342h
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A2C000
		add	esi, 77h
		jmp	short loc_A2C03F
; 

loc_A2C000:				; CODE XREF: BiQueryBootEntryOrder(x,x)+57j
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		call	_ZwQueryBootEntryOrder@8 ; ZwQueryBootEntryOrder(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2C024

loc_A2C010:				; CODE XREF: BiQueryBootEntryOrder(x,x)+3Ej
		push	esi
		push	offset ??_C@_1FK@GDCDCJIK@?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo?$AA?5?$AAq?$AAu?$AAe?$AAr?$AAy@NNGAKEGL@
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		test	esi, esi
		js	short loc_A2C030

loc_A2C024:				; CODE XREF: BiQueryBootEntryOrder(x,x)+6Cj
		mov	eax, [ebp+var_8]
		mov	[eax], edi
		mov	eax, [ebp+var_4]
		mov	[ebx], eax
		jmp	short loc_A2C03F
; 

loc_A2C030:				; CODE XREF: BiQueryBootEntryOrder(x,x)+80j
		test	edi, edi
		jz	short loc_A2C03F
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2C03F:				; CODE XREF: BiQueryBootEntryOrder(x,x)+5Cj
					; BiQueryBootEntryOrder(x,x)+8Cj ...
		lea	ecx, [ebp+var_10]
		call	_BiReleasePrivilege@4 ;	BiReleasePrivilege(x)

loc_A2C047:				; CODE XREF: BiQueryBootEntryOrder(x,x)+2Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_BiQueryBootEntryOrder@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiQueryBootOptions(x, x)
_BiQueryBootOptions@8 proc near		; CODE XREF: BiBindEfiBootManager(x,x)+FEp
					; BiExportEfiBootManager(x,x,x)+21Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	eax, ecx
		mov	ebx, edx
		push	edi
		xor	esi, esi
		mov	[ebp+var_8], eax
		push	16h
		lea	edx, [ebp+var_10]
		mov	[ebp+var_10], esi
		pop	ecx
		mov	[ebp+var_C], esi
		mov	[eax], esi
		mov	[ebx], esi
		mov	[ebp+var_4], esi
		call	BiAcquirePrivilege
		mov	edi, eax
		test	edi, edi
		js	short loc_A2C0F5
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		call	_ZwQueryBootOptions@8 ;	ZwQueryBootOptions(x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jnz	short loc_A2C0BE
		push	4B444342h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A2C0AE
		add	edi, 77h
		jmp	short loc_A2C0ED
; 

loc_A2C0AE:				; CODE XREF: BiQueryBootOptions(x,x)+59j
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		call	_ZwQueryBootOptions@8 ;	ZwQueryBootOptions(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_A2C0D2

loc_A2C0BE:				; CODE XREF: BiQueryBootOptions(x,x)+44j
		push	edi
		push	(offset	loc_8C893F+1)
		push	4
		call	_BiLogMessage
		add	esp, 0Ch
		test	edi, edi
		js	short loc_A2C0DE

loc_A2C0D2:				; CODE XREF: BiQueryBootOptions(x,x)+6Ej
		mov	eax, [ebp+var_8]
		mov	[eax], esi
		mov	eax, [ebp+var_4]
		mov	[ebx], eax
		jmp	short loc_A2C0ED
; 

loc_A2C0DE:				; CODE XREF: BiQueryBootOptions(x,x)+82j
		test	esi, esi
		jz	short loc_A2C0ED
		push	4B444342h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2C0ED:				; CODE XREF: BiQueryBootOptions(x,x)+5Ej
					; BiQueryBootOptions(x,x)+8Ej ...
		lea	ecx, [ebp+var_10]
		call	_BiReleasePrivilege@4 ;	BiReleasePrivilege(x)

loc_A2C0F5:				; CODE XREF: BiQueryBootOptions(x,x)+30j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_BiQueryBootOptions@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiRemoveBootEntryFromNvramDisplayOrder(x)
_BiRemoveBootEntryFromNvramDisplayOrder@4 proc near ; CODE XREF: BiBindEfiEntries(x,x)+5Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		lea	edx, [ebp+var_8]
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	[ebp+var_C], ecx
		lea	ecx, [ebp+var_4]
		push	edi
		call	_BiQueryBootEntryOrder@8 ; BiQueryBootEntryOrder(x,x)
		mov	edi, [ebp+var_4]
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A2C14F
		mov	ecx, [ebp+var_C]
		lea	edx, [ebp+var_8]
		mov	esi, [ebp+var_8]
		mov	[ebp+var_8], esi
		mov	ecx, [ecx+1Ch]
		push	dword ptr [ecx+8]
		mov	ecx, edi
		call	_BiRemoveEntryFromBootOrder@12 ; BiRemoveEntryFromBootOrder(x,x,x)
		mov	edx, [ebp+var_8]
		cmp	esi, edx
		jz	short loc_A2C14F
		mov	ecx, edi
		call	_BiSetBootEntryOrder@8 ; BiSetBootEntryOrder(x,x)
		mov	ebx, eax

loc_A2C14F:				; CODE XREF: BiRemoveBootEntryFromNvramDisplayOrder(x)+28j
					; BiRemoveBootEntryFromNvramDisplayOrder(x)+48j
		test	edi, edi
		jz	short loc_A2C15E
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2C15E:				; CODE XREF: BiRemoveBootEntryFromNvramDisplayOrder(x)+55j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_BiRemoveBootEntryFromNvramDisplayOrder@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiRemoveEntryFromBootOrder(x, x, x)
_BiRemoveEntryFromBootOrder@12 proc near
					; CODE XREF: BiRemoveBootEntryFromNvramDisplayOrder(x)+3Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [edx]
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		test	eax, eax
		jz	short loc_A2C183
		mov	ecx, [ebp+arg_0]

loc_A2C179:				; CODE XREF: BiRemoveEntryFromBootOrder(x,x,x)+1Cj
		cmp	[edi+esi*4], ecx
		jz	short loc_A2C183
		inc	esi
		cmp	esi, eax
		jb	short loc_A2C179

loc_A2C183:				; CODE XREF: BiRemoveEntryFromBootOrder(x,x,x)+Fj
					; BiRemoveEntryFromBootOrder(x,x,x)+17j
		cmp	esi, eax
		jz	short loc_A2C19A
		lea	ecx, [eax-1]
		mov	[edx], ecx
		jmp	short loc_A2C196
; 

loc_A2C18E:				; CODE XREF: BiRemoveEntryFromBootOrder(x,x,x)+33j
		mov	eax, [edi+esi*4+4]
		mov	[edi+esi*4], eax
		inc	esi

loc_A2C196:				; CODE XREF: BiRemoveEntryFromBootOrder(x,x,x)+27j
		cmp	esi, ecx
		jb	short loc_A2C18E

loc_A2C19A:				; CODE XREF: BiRemoveEntryFromBootOrder(x,x,x)+20j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_BiRemoveEntryFromBootOrder@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiSetBootEntryOrder(x, x)
_BiSetBootEntryOrder@8 proc near	; CODE XREF: BiAddBootEntryToNvramDisplayOrder(x)+91p
					; BiExportEfiBootManager(x,x,x)+13Bp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	16h
		mov	edi, edx
		mov	ebx, ecx
		lea	edx, [ebp+var_8]
		pop	ecx
		call	BiAcquirePrivilege
		mov	esi, eax
		test	esi, esi
		js	short loc_A2C1ED
		push	edi
		push	ebx
		call	_ZwSetBootEntryOrder@8 ; ZwSetBootEntryOrder(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2C1E5
		push	esi
		push	(offset	loc_8C8991+1)
		push	4
		call	_BiLogMessage
		add	esp, 0Ch

loc_A2C1E5:				; CODE XREF: BiSetBootEntryOrder(x,x)+33j
		lea	ecx, [ebp+var_8]
		call	_BiReleasePrivilege@4 ;	BiReleasePrivilege(x)

loc_A2C1ED:				; CODE XREF: BiSetBootEntryOrder(x,x)+26j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_BiSetBootEntryOrder@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiSetBootOptions(x,	x)
_BiSetBootOptions@8 proc near		; CODE XREF: BiExportEfiBootManager(x,x,x)+25Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		push	16h
		mov	edi, edx
		mov	ebx, ecx
		lea	edx, [ebp+var_8]
		pop	ecx
		call	BiAcquirePrivilege
		mov	esi, eax
		test	esi, esi
		js	short loc_A2C241
		push	edi
		push	ebx
		call	_ZwSetBootOptions@8 ; ZwSetBootOptions(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2C239
		push	esi
		push	(offset	loc_8C89E7+1)
		push	4
		call	_BiLogMessage
		add	esp, 0Ch

loc_A2C239:				; CODE XREF: BiSetBootOptions(x,x)+33j
		lea	ecx, [ebp+var_8]
		call	_BiReleasePrivilege@4 ;	BiReleasePrivilege(x)

loc_A2C241:				; CODE XREF: BiSetBootOptions(x,x)+26j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_BiSetBootOptions@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiTranslateBootEntryId(x, x, x)
_BiTranslateBootEntryId@12 proc	near	; CODE XREF: BiBindEfiBootManager(x,x)+146p
					; BiTranslateBootOrder(x,x,x,x)+30p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		call	_BiLookupObjectByBootEntry@12 ;	BiLookupObjectByBootEntry(x,x,x)
		test	eax, eax
		js	short locret_A2C29D
		push	esi
		mov	esi, [ebp+var_4]
		mov	ecx, [esi+20h]
		test	cl, 4
		jnz	short loc_A2C272
		mov	eax, 0C0000225h
		jmp	short loc_A2C29C
; 

loc_A2C272:				; CODE XREF: BiTranslateBootEntryId(x,x,x)+21j
		test	cl, 10h
		jz	short loc_A2C290
		push	dword ptr [esi+18h]
		push	offset ??_C@_1FC@IKHACEFF@?$AAT?$AAr?$AAa?$AAn?$AAs?$AAl?$AAa?$AAt?$AAe?$AAd?$AA?5?$AAa?$AA?5?$AAD?$AAo@NNGAKEGL@ ; "Translated	a DontSync entry with ID 0x%"...
		push	3
		call	_BiLogMessage
		add	esp, 0Ch
		mov	eax, 0C0000024h
		jmp	short loc_A2C29C
; 

loc_A2C290:				; CODE XREF: BiTranslateBootEntryId(x,x,x)+2Dj
		push	edi
		mov	edi, [ebp+arg_0]
		add	esi, 8
		movsd
		movsd
		movsd
		movsd
		pop	edi

loc_A2C29C:				; CODE XREF: BiTranslateBootEntryId(x,x,x)+28j
					; BiTranslateBootEntryId(x,x,x)+46j
		pop	esi

locret_A2C29D:				; CODE XREF: BiTranslateBootEntryId(x,x,x)+15j
		leave
		retn	4
_BiTranslateBootEntryId@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiTranslateBootOrder(x, x, x, x)
_BiTranslateBootOrder@16 proc near	; CODE XREF: BiBindEfiBootManager(x,x)+D0p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_4]
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ecx
		push	edi
		mov	ecx, [eax]
		mov	edi, esi
		mov	[ebp+var_10], edx
		mov	eax, esi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], eax
		test	ecx, ecx
		jz	short loc_A2C2F5
		push	ebx
		mov	ebx, [ebp+arg_0]

loc_A2C2CA:				; CODE XREF: BiTranslateBootOrder(x,x,x,x)+51j
		mov	ecx, [ebp+var_8]
		mov	edx, [edx+edi*4]
		push	ebx
		call	_BiTranslateBootEntryId@12 ; BiTranslateBootEntryId(x,x,x)
		test	eax, eax
		jns	short loc_A2C2E4
		mov	eax, 8000000Dh
		mov	[ebp+var_4], eax
		jmp	short loc_A2C2EB
; 

loc_A2C2E4:				; CODE XREF: BiTranslateBootOrder(x,x,x,x)+37j
		mov	eax, [ebp+var_4]
		inc	esi
		add	ebx, 10h

loc_A2C2EB:				; CODE XREF: BiTranslateBootOrder(x,x,x,x)+41j
		mov	edx, [ebp+var_10]
		inc	edi
		cmp	edi, [ebp+var_C]
		jb	short loc_A2C2CA
		pop	ebx

loc_A2C2F5:				; CODE XREF: BiTranslateBootOrder(x,x,x,x)+23j
		mov	ecx, [ebp+arg_4]
		pop	edi
		mov	[ecx], esi
		pop	esi
		leave
		retn	8
_BiTranslateBootOrder@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiTranslateDisplayOrder(x, x, x, x)
_BiTranslateDisplayOrder@16 proc near	; CODE XREF: BiExportEfiBootManager(x,x,x)+CAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], ecx
		mov	eax, [eax]
		mov	ecx, esi
		mov	[ebp+var_8], eax
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		test	eax, eax
		jz	short loc_A2C350
		push	edi
		mov	edi, [ebp+arg_0]

loc_A2C326:				; CODE XREF: BiTranslateDisplayOrder(x,x,x,x)+4Dj
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		push	edi
		call	_BiTranslateObjectIdentifier@12	; BiTranslateObjectIdentifier(x,x,x)
		test	eax, eax
		jns	short loc_A2C33F
		mov	ecx, 8000000Dh
		mov	[ebp+var_4], ecx
		jmp	short loc_A2C346
; 

loc_A2C33F:				; CODE XREF: BiTranslateDisplayOrder(x,x,x,x)+33j
		mov	ecx, [ebp+var_4]
		inc	esi
		add	edi, 4

loc_A2C346:				; CODE XREF: BiTranslateDisplayOrder(x,x,x,x)+3Dj
		add	ebx, 10h
		sub	[ebp+var_8], 1
		jnz	short loc_A2C326
		pop	edi

loc_A2C350:				; CODE XREF: BiTranslateDisplayOrder(x,x,x,x)+20j
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		mov	eax, ecx
		pop	esi
		pop	ebx
		leave
		retn	8
_BiTranslateDisplayOrder@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiTranslateFilePath(x, x, x)
_BiTranslateFilePath@12	proc near	; CODE XREF: BiCreateBootEntry(x,x)+1BCp
					; BiCreateMergedBootEntry(x,x,x,x,x)+1E3p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		push	16h
		mov	ebx, edx
		mov	[ebp+var_8], ecx
		xor	edi, edi
		lea	edx, [ebp+var_10]
		pop	ecx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		call	BiAcquirePrivilege
		mov	esi, eax
		test	esi, esi
		js	short loc_A2C3FA
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], edi
		push	eax
		push	edi
		push	ebx
		push	[ebp+var_8]
		call	_ZwTranslateFilePath@16	; ZwTranslateFilePath(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_A2C3AC
		test	esi, esi
		js	short loc_A2C3D8
		mov	esi, 0C000000Dh
		jmp	short loc_A2C3D8
; 

loc_A2C3AC:				; CODE XREF: BiTranslateFilePath(x,x,x)+42j
		push	4B444342h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A2C3C8
		mov	esi, 0C000009Ah
		jmp	short loc_A2C3D8
; 

loc_A2C3C8:				; CODE XREF: BiTranslateFilePath(x,x,x)+62j
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		push	ebx
		push	[ebp+var_8]
		call	_ZwTranslateFilePath@16	; ZwTranslateFilePath(x,x,x,x)
		mov	esi, eax

loc_A2C3D8:				; CODE XREF: BiTranslateFilePath(x,x,x)+46j
					; BiTranslateFilePath(x,x,x)+4Dj ...
		lea	ecx, [ebp+var_10]
		call	_BiReleasePrivilege@4 ;	BiReleasePrivilege(x)
		test	esi, esi
		js	short loc_A2C3EB
		mov	eax, [ebp+arg_0]
		mov	[eax], edi
		jmp	short loc_A2C3FA
; 

loc_A2C3EB:				; CODE XREF: BiTranslateFilePath(x,x,x)+85j
		test	edi, edi
		jz	short loc_A2C3FA
		push	4B444342h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2C3FA:				; CODE XREF: BiTranslateFilePath(x,x,x)+27j
					; BiTranslateFilePath(x,x,x)+8Cj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_BiTranslateFilePath@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiTranslateObjectIdentifier(x, x, x)
_BiTranslateObjectIdentifier@12	proc near ; CODE XREF: BiExportEfiBootManager(x,x,x)+1E3p
					; BiHandleFirmwareDefaultEntry(x,x,x,x)+5Ap ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax		; int
		call	_BiLookupObjectByIdentifier@12 ; BiLookupObjectByIdentifier(x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_A2C452
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx+20h]
		test	al, 3
		jnz	short loc_A2C42D
		mov	edx, 0C0000225h
		jmp	short loc_A2C452
; 

loc_A2C42D:				; CODE XREF: BiTranslateObjectIdentifier(x,x,x)+21j
		test	al, 10h
		jz	short loc_A2C44A
		push	dword ptr [ecx+18h]
		push	offset ??_C@_1FA@HPKMDCCM@?$AAT?$AAr?$AAa?$AAn?$AAs?$AAl?$AAa?$AAt?$AAe?$AAd?$AA?5?$AAa?$AA?5?$AAD?$AAo@NNGAKEGL@
		push	3
		call	_BiLogMessage
		add	esp, 0Ch
		mov	edx, 0C0000024h
		jmp	short loc_A2C452
; 

loc_A2C44A:				; CODE XREF: BiTranslateObjectIdentifier(x,x,x)+2Cj
		mov	eax, [ebp+arg_0]
		mov	ecx, [ecx+18h]
		mov	[eax], ecx

loc_A2C452:				; CODE XREF: BiTranslateObjectIdentifier(x,x,x)+17j
					; BiTranslateObjectIdentifier(x,x,x)+28j ...
		mov	eax, edx
		leave
		retn	4
_BiTranslateObjectIdentifier@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiUpdateBcdObject(x, x)
_BiUpdateBcdObject@8 proc near		; CODE XREF: BiBindEfiEntries(x,x)+E8p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
Length		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
Source2		= dword	ptr -14h
var_10		= dword	ptr -10h
Source1		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, edx
		xor	edx, edx
		push	ebx
		push	esi
		mov	[esp+34h+var_4], edx
		mov	ebx, edx
		mov	[esp+34h+var_1C], edx
		mov	[esp+34h+var_8], edx
		mov	[esp+34h+var_28], edx
		mov	[esp+34h+var_18], edx
		mov	[esp+34h+Source2], edx
		mov	[esp+34h+Source1], edx
		mov	[esp+34h+var_10], edx
		mov	[esp+34h+var_2C], edx
		lea	edx, [esp+34h+var_10]
		push	edi
		mov	edi, [eax+1Ch]
		push	edx
		lea	edx, [eax+8]
		mov	[esp+3Ch+var_20], eax
		call	BcdOpenObject
		mov	esi, [esp+38h+var_10]
		test	eax, eax
		js	loc_A2C6A8
		mov	eax, [esp+38h+var_20]
		test	byte ptr [eax+20h], 2
		jz	short loc_A2C4F4
		lea	eax, [esp+38h+Source1]
		mov	edx, offset ??_C@_1CC@MDJGBMLK@?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr?$AAe?$AAV?$AAa?$AAr?$AAi?$AAa?$AAb?$AAl@NNGAKEGL@ ; "FirmwareVariable"
		push	eax
		lea	eax, [esp+3Ch+Source2]
		mov	ecx, esi
		push	eax
		push	3
		push	offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		call	BiGetRegistryValue
		test	eax, eax
		js	short loc_A2C4F4
		mov	eax, [edi+4]
		cmp	eax, [esp+38h+Source1]
		jnz	short loc_A2C4F4
		push	eax		; Length
		push	[esp+3Ch+Source2] ; Source2
		push	edi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, [edi+4]
		jz	short loc_A2C520

loc_A2C4F4:				; CODE XREF: BiUpdateBcdObject(x,x)+60j
					; BiUpdateBcdObject(x,x)+81j ...
		mov	eax, [edi+4]
		mov	edx, offset ??_C@_1CC@MDJGBMLK@?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr?$AAe?$AAV?$AAa?$AAr?$AAi?$AAa?$AAb?$AAl@NNGAKEGL@ ; "FirmwareVariable"
		push	eax
		push	edi
		push	3
		push	offset ??_C@_1BI@DLMANABL@?$AAD?$AAe?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		mov	ecx, esi
		call	BiSetRegistryValue
		mov	[esp+38h+Length], eax
		test	eax, eax
		js	loc_A2C68F
		mov	eax, [esp+38h+var_20]
		or	dword ptr [eax+20h], 2

loc_A2C520:				; CODE XREF: BiUpdateBcdObject(x,x)+9Aj
		mov	eax, [edi+10h]
		add	eax, edi
		mov	ecx, eax
		mov	[esp+38h+Source1], eax
		lea	edx, [ecx+2]

loc_A2C52E:				; CODE XREF: BiUpdateBcdObject(x,x)+E1j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+38h+var_4]
		jnz	short loc_A2C52E
		sub	ecx, edx
		mov	edx, 12000004h
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		mov	[esp+38h+Length], eax
		lea	eax, [esp+38h+var_2C]
		push	eax
		xor	eax, eax
		push	eax
		push	ecx
		mov	ecx, esi
		call	BcdGetElementDataWithFlags
		cmp	eax, 0C0000023h
		jnz	short loc_A2C58F
		push	4B444342h
		push	[esp+3Ch+var_2C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A2C5B2
		lea	eax, [esp+38h+var_2C]
		mov	edx, 12000004h
		push	eax
		push	ebx
		push	ecx
		mov	ecx, esi
		call	BcdGetElementDataWithFlags

loc_A2C58F:				; CODE XREF: BiUpdateBcdObject(x,x)+10Cj
		test	eax, eax
		js	short loc_A2C5B2
		test	ebx, ebx
		jz	short loc_A2C5B2
		mov	eax, [esp+38h+Length]
		cmp	[esp+38h+var_2C], eax
		jnz	short loc_A2C5B2
		push	eax		; Length
		push	ebx		; Source2
		push	[esp+40h+Source1] ; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, [esp+38h+Length]
		jz	short loc_A2C5D4

loc_A2C5B2:				; CODE XREF: BiUpdateBcdObject(x,x)+122j
					; BiUpdateBcdObject(x,x)+139j ...
		push	ecx
		mov	edx, 12000004h
		mov	ecx, esi
		call	BiDeleteElement
		push	[esp+38h+Length]
		mov	edx, 12000004h
		push	[esp+3Ch+Source1]
		push	ecx
		mov	ecx, esi
		call	BcdSetElementDataWithFlags

loc_A2C5D4:				; CODE XREF: BiUpdateBcdObject(x,x)+158j
		mov	eax, [edi+14h]
		cmp	dword ptr [eax+edi+8], 4
		jnz	loc_A2C663
		add	edi, eax
		lea	edx, [esp+38h+var_28]
		lea	eax, [esp+38h+var_1C]
		push	eax
		lea	ecx, [edi+0Ch]
		call	_BiGetDeviceFromEfiPath@12 ; BiGetDeviceFromEfiPath(x,x,x)
		test	eax, eax
		js	short loc_A2C62D
		push	ecx
		mov	edx, 11000001h
		mov	ecx, esi
		call	BiDeleteElement
		mov	ecx, [esp+38h+var_20]
		lea	eax, [esp+38h+var_1C]
		push	eax
		lea	edx, [esp+3Ch+var_28]
		call	_BiMapEfiDeviceForSpaces@12 ; BiMapEfiDeviceForSpaces(x,x,x)
		push	[esp+38h+var_1C]
		mov	edx, 11000001h
		push	[esp+3Ch+var_28]
		push	ecx
		mov	ecx, esi
		call	BcdSetElementDataWithFlags

loc_A2C62D:				; CODE XREF: BiUpdateBcdObject(x,x)+19Fj
		lea	eax, [esp+38h+var_8]
		push	eax
		lea	edx, [esp+3Ch+var_18]
		lea	ecx, [edi+0Ch]
		call	_BiGetFilePathFromEfiPath@12 ; BiGetFilePathFromEfiPath(x,x,x)
		test	eax, eax
		js	short loc_A2C663
		push	ecx
		mov	edi, 12000002h
		mov	ecx, esi
		mov	edx, edi
		call	BiDeleteElement
		push	[esp+38h+var_8]
		mov	edx, edi
		push	[esp+3Ch+var_18]
		push	ecx
		mov	ecx, esi
		call	BcdSetElementDataWithFlags

loc_A2C663:				; CODE XREF: BiUpdateBcdObject(x,x)+184j
					; BiUpdateBcdObject(x,x)+1E8j
		xor	eax, eax
		mov	edi, eax
		mov	eax, [esp+38h+var_28]
		test	eax, eax
		jz	short loc_A2C67A
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2C67A:				; CODE XREF: BiUpdateBcdObject(x,x)+215j
		mov	eax, [esp+38h+var_18]
		test	eax, eax
		jz	short loc_A2C693
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A2C693
; 

loc_A2C68F:				; CODE XREF: BiUpdateBcdObject(x,x)+BAj
		mov	edi, [esp+38h+Length]

loc_A2C693:				; CODE XREF: BiUpdateBcdObject(x,x)+228j
					; BiUpdateBcdObject(x,x)+235j
		mov	eax, [esp+38h+Source2]
		test	eax, eax
		jz	short loc_A2C6AA
		push	4B444342h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A2C6AA
; 

loc_A2C6A8:				; CODE XREF: BiUpdateBcdObject(x,x)+52j
		mov	edi, eax

loc_A2C6AA:				; CODE XREF: BiUpdateBcdObject(x,x)+241j
					; BiUpdateBcdObject(x,x)+24Ej
		test	esi, esi
		jz	short loc_A2C6B5
		mov	ecx, esi
		call	_BcdCloseObject@4 ; BcdCloseObject(x)

loc_A2C6B5:				; CODE XREF: BiUpdateBcdObject(x,x)+254j
		test	ebx, ebx
		jz	short loc_A2C6C4
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2C6C4:				; CODE XREF: BiUpdateBcdObject(x,x)+25Fj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_BiUpdateBcdObject@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiUpdateEfiEntry(x,	x)
_BiUpdateEfiEntry@8 proc near		; CODE XREF: BiCreateEfiEntry(x,x)+D2p
					; BiExportBcdObjects(x,x)+C3p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_18], eax
		push	esi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_8], eax
		lea	edx, [ebx+8]
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_10]
		push	edi
		push	eax
		mov	[ebp+var_24], ebx
		call	BcdOpenObject
		mov	edi, [ebp+var_10]
		mov	esi, eax
		test	esi, esi
		js	loc_A2C7DC
		lea	eax, [ebp+var_18]
		mov	edx, 12000004h
		push	eax
		lea	eax, [ebp+var_8]
		mov	ecx, edi
		push	eax
		call	_BiGetElement@16 ; BiGetElement(x,x,x,x)
		test	byte ptr [ebx+20h], 8
		jnz	short loc_A2C76E
		lea	eax, [ebp+var_1C]
		mov	edx, 11000001h
		push	eax
		lea	eax, [ebp+var_4]
		mov	ecx, edi
		push	eax
		call	_BiGetElement@16 ; BiGetElement(x,x,x,x)
		lea	ecx, [ebp+var_4]
		call	_BiSpacesUpdatePhysicalDevicePath@4 ; BiSpacesUpdatePhysicalDevicePath(x)
		test	eax, eax
		jns	short loc_A2C75A
		push	eax
		push	offset ??_C@_1FG@BBCBCAPA@?$AAB?$AAi?$AAS?$AAp?$AAa?$AAc?$AAe?$AAs?$AAU?$AAp?$AAd?$AAa?$AAt?$AAe?$AAP@NNGAKEGL@
		push	3
		call	_BiLogMessage
		add	esp, 0Ch

loc_A2C75A:				; CODE XREF: BiUpdateEfiEntry(x,x)+7Bj
		lea	eax, [ebp+var_20]
		mov	edx, 12000002h
		push	eax
		lea	eax, [ebp+var_C]
		mov	ecx, edi
		push	eax
		call	_BiGetElement@16 ; BiGetElement(x,x,x,x)

loc_A2C76E:				; CODE XREF: BiUpdateEfiEntry(x,x)+5Bj
		mov	eax, [ebx+1Ch]
		lea	ecx, [ebp+var_14]
		mov	edx, [ebp+var_8]
		push	ecx		; int
		push	[ebp+var_C]	; size_t
		mov	ecx, eax
		mov	[ebp+var_10], eax
		push	[ebp+var_4]	; size_t
		call	_BiCreateMergedBootEntry@20 ; BiCreateMergedBootEntry(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C000003Ah
		jnz	short loc_A2C796
		xor	esi, esi
		jmp	short loc_A2C7EC
; 

loc_A2C796:				; CODE XREF: BiUpdateEfiEntry(x,x)+C3j
		test	esi, esi
		js	short loc_A2C7DC
		mov	ebx, [ebp+var_14]
		mov	edx, ebx	; void *
		mov	ecx, [ebp+var_10] ; void *
		call	_BiAreBootEntriesEqual@8 ; BiAreBootEntriesEqual(x,x)
		test	al, al
		jnz	short loc_A2C7C5
		mov	ecx, ebx
		call	_BiModifyBootEntry@4 ; BiModifyBootEntry(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2C7C5
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A2C7D8
; 

loc_A2C7C5:				; CODE XREF: BiUpdateEfiEntry(x,x)+DCj
					; BiUpdateEfiEntry(x,x)+E9j
		push	4B444342h
		push	[ebp+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_24]
		mov	[eax+1Ch], ebx

loc_A2C7D8:				; CODE XREF: BiUpdateEfiEntry(x,x)+F6j
		test	esi, esi
		jns	short loc_A2C7EC

loc_A2C7DC:				; CODE XREF: BiUpdateEfiEntry(x,x)+3Dj
					; BiUpdateEfiEntry(x,x)+CBj
		push	esi
		push	(offset	loc_8C857D+1)
		push	4
		call	_BiLogMessage
		add	esp, 0Ch

loc_A2C7EC:				; CODE XREF: BiUpdateEfiEntry(x,x)+C7j
					; BiUpdateEfiEntry(x,x)+10Dj
		mov	eax, [ebp+var_8]
		mov	ebx, 4B444342h
		test	eax, eax
		jz	short loc_A2C7FF
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2C7FF:				; CODE XREF: BiUpdateEfiEntry(x,x)+129j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	short loc_A2C80D
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2C80D:				; CODE XREF: BiUpdateEfiEntry(x,x)+137j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_A2C81B
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2C81B:				; CODE XREF: BiUpdateEfiEntry(x,x)+145j
		test	edi, edi
		jz	short loc_A2C826
		mov	ecx, edi
		call	_BcdCloseObject@4 ; BcdCloseObject(x)

loc_A2C826:				; CODE XREF: BiUpdateEfiEntry(x,x)+150j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_BiUpdateEfiEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BiUpdateObjectReferenceInEfiEntry(x, x)
_BiUpdateObjectReferenceInEfiEntry@8 proc near ; CODE XREF: BiCreateEfiEntry(x,x)+62p

var_44		= dword	ptr -44h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		and	[ebp+var_2C], 0
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		and	[ebp+var_28], 0
		stosd
		mov	esi, edx
		mov	ebx, ecx
		lea	edx, [ebp+var_24]
		mov	[ebp+var_30], ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_24]
		stosd
		stosd
		stosd
		stosd
		call	_BiGetObjectReferenceFromEfiEntry@8 ; BiGetObjectReferenceFromEfiEntry(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A2C950
		lea	eax, [ebp+var_14]
		xor	edx, edx
		push	eax
		push	0
		mov	ecx, esi
		call	_BcdQueryObject@16 ; BcdQueryObject(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A2C950
		push	10h		; size_t
		lea	eax, [ebp+var_14]
		push	eax		; void *
		lea	eax, [ebp+var_24]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_A2C950
		mov	esi, [ebx+28h]
		push	4B444342h
		sub	esi, 14h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A2C8CB
		mov	edi, 0C000009Ah
		jmp	loc_A2C950
; 

loc_A2C8CB:				; CODE XREF: BiUpdateObjectReferenceInEfiEntry(x,x)+92j
		mov	eax, [ebp+var_30]
		push	esi		; size_t
		add	eax, 30h
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	ebx		; wchar_t *
		call	__wcsupr
		mov	[esp+44h+var_44], offset ??_C@_1BG@IHEHAJI@?$AAB?$AAC?$AAD?$AAO?$AAB?$AAJ?$AAE?$AAC?$AAT?$AA?$DN@NNGAKEGL@ ; "BCDOBJECT="
		push	ebx		; wchar_t *
		call	_wcsstr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jnz	short loc_A2C8FE
		mov	edi, 0C0000225h
		jmp	short loc_A2C945
; 

loc_A2C8FE:				; CODE XREF: BiUpdateObjectReferenceInEfiEntry(x,x)+C8j
		push	0
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	edx, [ebp+var_2C]
		lea	ecx, [ebp+var_14]
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A2C945
		movzx	eax, word ptr [ebp+var_2C]
		sub	esi, ebx
		push	eax		; size_t
		mov	eax, [ebp+var_30]
		push	[ebp+var_28]	; void *
		sar	esi, 1
		shr	esi, 1
		lea	eax, [eax+esi*2]
		add	eax, 44h
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_A2C945:				; CODE XREF: BiUpdateObjectReferenceInEfiEntry(x,x)+CFj
					; BiUpdateObjectReferenceInEfiEntry(x,x)+EDj
		push	4B444342h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2C950:				; CODE XREF: BiUpdateObjectReferenceInEfiEntry(x,x)+42j
					; BiUpdateObjectReferenceInEfiEntry(x,x)+5Bj ...
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_BiUpdateObjectReferenceInEfiEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiGetSystemDisk(x, x)
_SiGetSystemDisk@8 proc	near		; DATA XREF: IopFindSystemDevice(x,x)+12o
					; IopFindSystemDevice(x,x)+5Bo	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], 1
		push	edi
		mov	[ebp+var_4], esi
		call	_SiIsWinPEBoot@0 ; SiIsWinPEBoot()
		mov	edi, [ebp+arg_4]
		mov	edx, offset ??_C@_1CK@LADPALDF@?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AAS?$AAy?$AAs?$AAP?$AAa?$AAr?$AAt?$AAD@NNGAKEGL@ ; "WindowsSysPartDevice"
		push	edi
		push	esi
		push	esi
		push	esi
		xor	ecx, ecx
		mov	bl, al
		call	SiGetBootDeviceName
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2C9F1
		test	bl, bl
		jnz	short loc_A2C9B4
		push	edi
		push	0
		push	0
		push	1
		mov	edx, offset ??_C@_1CG@EEKKLGPP@?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr?$AAe?$AAB?$AAo?$AAo?$AAt?$AAD?$AAe?$AAv@NNGAKEGL@
		xor	ecx, ecx
		call	SiGetBootDeviceName
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2C9F1

loc_A2C9B4:				; CODE XREF: SiGetSystemDisk(x,x)+38j
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		call	_SiGetDefaultSystemDisk@8 ; SiGetDefaultSystemDisk(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2C9FA
		cmp	esi, 0C0000451h
		jnz	short loc_A2C9F1
		test	bl, bl
		jz	short loc_A2C9F1
		cmp	[ebp+arg_0], 2
		jnz	short loc_A2C9F1
		push	edi
		push	1
		lea	eax, [ebp+var_8]
		mov	edx, offset ??_C@_1CG@EEKKLGPP@?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr?$AAe?$AAB?$AAo?$AAo?$AAt?$AAD?$AAe?$AAv@NNGAKEGL@
		push	eax
		push	1
		xor	ecx, ecx
		call	SiGetBootDeviceName
		test	eax, eax
		js	short loc_A2C9F1

loc_A2C9EF:				; CODE XREF: SiGetSystemDisk(x,x)+A7j
		xor	esi, esi

loc_A2C9F1:				; CODE XREF: SiGetSystemDisk(x,x)+34j
					; SiGetSystemDisk(x,x)+51j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_A2C9FA:				; CODE XREF: SiGetSystemDisk(x,x)+61j
		mov	ecx, [edi]
		lea	edx, [ebp+var_4]
		call	SiTranslateSymbolicLink
		mov	esi, eax
		test	esi, esi
		js	short loc_A2C9EF
		push	0
		push	dword ptr [edi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		mov	[edi], eax
		jmp	short loc_A2C9F1
_SiGetSystemDisk@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SyspartDirectGetSystemDisk(x, x, x)
_SyspartDirectGetSystemDisk@12 proc near ; DATA	XREF: IoQuerySystemDeviceName:loc_7C8168o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_0]
		mov	ecx, offset _SiGetSystemDisk@8 ; SiGetSystemDisk(x,x)
		push	[ebp+arg_4]
		call	SiGetSystemDeviceName
		pop	ebp
		retn	0Ch
_SyspartDirectGetSystemDisk@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SyspartGetPhysicalPartitions(x, x, x)
_SyspartGetPhysicalPartitions@12 proc near
					; CODE XREF: BiSpacesUpdatePhysicalDevicePath(x)+148p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	0Ch
		xor	edi, edi
		mov	esi, edx
		pop	ebx
		mov	[ebp+var_14], esi
		mov	[ebp+var_4], edi
		cmp	eax, ebx
		jnb	short loc_A2CA5F
		mov	ebx, 0C0000023h
		jmp	loc_A2CB09
; 

loc_A2CA5F:				; CODE XREF: SyspartGetPhysicalPartitions(x,x,x)+1Dj
		push	18h
		pop	edx
		add	eax, 0FFFFFFF4h
		mov	[esi], edx
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	edx
		push	15h
		pop	edx
		mov	[esi+4], ebx
		mov	[esi+8], edi
		call	_SiQueryProperty@16 ; SiQueryProperty(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A2CAFA
		mov	[ebp+var_C], edi
		mov	edi, [ebp+var_4]
		cmp	dword ptr [edi+8], 0
		jbe	short loc_A2CAEB
		lea	ecx, [edi+0Ch]
		mov	[ebp+var_10], ecx

loc_A2CA95:				; CODE XREF: SyspartGetPhysicalPartitions(x,x,x)+B3j
		call	_SiFindSystemPartition@4 ; SiFindSystemPartition(x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A2CAFD
		mov	ecx, [ebp+var_10]
		cmp	dword ptr [ecx+8], 0FFFFFFFFh
		jz	short loc_A2CAD9
		add	dword ptr [esi+4], 0Ch
		mov	edx, [ebp+var_8]
		cmp	edx, 0Ch
		jnb	short loc_A2CABC
		xor	eax, eax
		mov	[ebp+var_8], eax
		jmp	short loc_A2CAD9
; 

loc_A2CABC:				; CODE XREF: SyspartGetPhysicalPartitions(x,x,x)+7Dj
		mov	eax, [esi+8]
		inc	eax
		imul	edi, eax, 0Ch
		add	edi, esi
		mov	esi, ecx
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_14]
		mov	edi, [ebp+var_4]
		inc	dword ptr [esi+8]
		sub	edx, 0Ch
		mov	[ebp+var_8], edx

loc_A2CAD9:				; CODE XREF: SyspartGetPhysicalPartitions(x,x,x)+71j
					; SyspartGetPhysicalPartitions(x,x,x)+84j
		mov	eax, [ebp+var_C]
		add	ecx, 0Ch
		inc	eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], eax
		cmp	eax, [edi+8]
		jb	short loc_A2CA95

loc_A2CAEB:				; CODE XREF: SyspartGetPhysicalPartitions(x,x,x)+57j
		mov	eax, [ebp+arg_0]
		cmp	eax, [esi+4]
		jnb	short loc_A2CAFD
		mov	ebx, 80000005h
		jmp	short loc_A2CAFD
; 

loc_A2CAFA:				; CODE XREF: SyspartGetPhysicalPartitions(x,x,x)+4Bj
		mov	edi, [ebp+var_4]

loc_A2CAFD:				; CODE XREF: SyspartGetPhysicalPartitions(x,x,x)+68j
					; SyspartGetPhysicalPartitions(x,x,x)+BBj ...
		test	edi, edi
		jz	short loc_A2CB09
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2CB09:				; CODE XREF: SyspartGetPhysicalPartitions(x,x,x)+24j
					; SyspartGetPhysicalPartitions(x,x,x)+C9j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_SyspartGetPhysicalPartitions@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SyspartGetSystemPartition(x, x, x)
_SyspartGetSystemPartition@12 proc near	; CODE XREF: BiMapEfiDeviceForSpaces(x,x,x)+31p
					; BiMapEfiDeviceForSpaces(x,x,x)+8Ep ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		push	[ebp+arg_0]
		mov	esi, edx
		mov	edi, ecx
		push	esi
		push	62h
		mov	edx, edi
		pop	ecx
		call	SiQuerySystemInformationString
		test	eax, eax
		jns	short loc_A2CB47
		cmp	eax, 0C0000023h
		jz	short loc_A2CB47
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, offset _SiGetSystemPartition@8 ; SiGetSystemPartition(x,x)
		push	esi
		call	SiGetSystemDeviceName

loc_A2CB47:				; CODE XREF: SyspartGetSystemPartition(x,x,x)+1Cj
					; SyspartGetSystemPartition(x,x,x)+23j
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
_SyspartGetSystemPartition@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SyspartIsSpace(x, x)
_SyspartIsSpace@8 proc near		; CODE XREF: BiMapEfiDeviceForSpaces(x,x,x)+A3p
					; BiSpacesUpdatePhysicalDevicePath(x)+39p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, edx
		xor	edx, edx
		push	eax
		push	8
		mov	byte ptr [edi],	0
		call	_SiQueryProperty@16 ; SiQueryProperty(x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_A2CB7F
		cmp	dword ptr [ecx+1Ch], 10h
		jnz	short loc_A2CB7F
		mov	byte ptr [edi],	1

loc_A2CB7F:				; CODE XREF: SyspartIsSpace(x,x)+26j
					; SyspartIsSpace(x,x)+2Cj
		test	ecx, ecx
		jz	short loc_A2CB8B
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2CB8B:				; CODE XREF: SyspartIsSpace(x,x)+33j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_SyspartIsSpace@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiFindSystemPartition(x)
_SiFindSystemPartition@4 proc near	; CODE XREF: SyspartGetPhysicalPartitions(x,x,x):loc_A2CA95p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_4C], 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		push	dword ptr [eax+4]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_48]
		push	offset ??_C@_1CI@PAILJJFK@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAP?$AAh?$AAy?$AAs?$AAi?$AAc?$AAa?$AAl?$AAD?$AAr?$AAi@NNGAKEGL@	; "\\??\\PhysicalDrive%d"
		push	20h
		push	eax
		call	_swprintf_s
		add	esp, 10h
		lea	edx, [ebp+var_4C]
		lea	ecx, [ebp+var_48]
		call	_SiGetDriveLayoutInformation@8 ; SiGetDriveLayoutInformation(x,x)
		mov	esi, [ebp+var_4C]
		mov	ebx, eax
		mov	[ebp+var_50], ebx
		test	ebx, ebx
		js	short loc_A2CC1C
		mov	ecx, [esi]
		sub	ecx, 0
		jz	short loc_A2CC39
		sub	ecx, 1
		jnz	short loc_A2CC17
		mov	eax, [esi+4]
		xor	edi, edi
		mov	[ebp+var_4C], eax
		test	eax, eax
		jz	short loc_A2CC17
		lea	ebx, [esi+50h]

loc_A2CBF7:				; CODE XREF: SiFindSystemPartition(x)+84j
		push	10h		; size_t
		push	offset _PARTITION_SYSTEM_GUID ;	void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A2CC56
		inc	edi
		add	ebx, 90h
		cmp	edi, [ebp+var_4C]
		jb	short loc_A2CBF7

loc_A2CC17:				; CODE XREF: SiFindSystemPartition(x)+55j
					; SiFindSystemPartition(x)+61j	...
		mov	ebx, 0C0000225h

loc_A2CC1C:				; CODE XREF: SiFindSystemPartition(x)+49j
					; SiFindSystemPartition(x)+D8j
		test	esi, esi
		jz	short loc_A2CC28
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2CC28:				; CODE XREF: SiFindSystemPartition(x)+8Dj
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_A2CC39:				; CODE XREF: SiFindSystemPartition(x)+50j
		mov	ecx, [esi+4]
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_A2CC17
		lea	eax, [esi+51h]

loc_A2CC45:				; CODE XREF: SiFindSystemPartition(x)+C1j
		cmp	byte ptr [eax],	0
		jnz	short loc_A2CC59
		inc	edi
		add	eax, 90h
		cmp	edi, ecx
		jb	short loc_A2CC45
		jmp	short loc_A2CC17
; 

loc_A2CC56:				; CODE XREF: SiFindSystemPartition(x)+78j
		mov	ebx, [ebp+var_50]

loc_A2CC59:				; CODE XREF: SiFindSystemPartition(x)+B7j
		mov	ecx, [ebp+var_54]
		imul	eax, edi, 90h
		mov	eax, [eax+esi+48h]
		mov	[ecx+8], eax
		jmp	short loc_A2CC1C
_SiFindSystemPartition@4 endp


;  S U B	R O U T	I N E 


; __stdcall SiGetDefaultSystemDisk(x, x)
_SiGetDefaultSystemDisk@8 proc near	; CODE XREF: SiGetSystemDisk(x,x)+58p
		sub	ecx, 1
		jz	short loc_A2CC84
		sub	ecx, 1
		jz	short loc_A2CC7B
		mov	eax, 0C00000BBh
		retn
; 

loc_A2CC7B:				; CODE XREF: SiGetDefaultSystemDisk(x,x)+8j
		push	edx
		xor	ecx, ecx
		call	_SiGetEfiSystemDevice@12 ; SiGetEfiSystemDevice(x,x,x)
		retn
; 

loc_A2CC84:				; CODE XREF: SiGetDefaultSystemDisk(x,x)+3j
		mov	ecx, edx
		jmp	_SiGetBiosSystemDisk@4 ; SiGetBiosSystemDisk(x)
_SiGetDefaultSystemDisk@8 endp


;  S U B	R O U T	I N E 


; __stdcall SiGetDefaultSystemPartition(x, x)
_SiGetDefaultSystemPartition@8 proc near ; CODE	XREF: SiGetFirmwareSystemPartition+129375p
		mov	edi, edi
		push	ecx
		sub	ecx, 1
		jz	short loc_A2CCAA
		sub	ecx, 1
		jz	short loc_A2CC9F
		mov	eax, 0C00000BBh
		pop	ecx
		retn
; 

loc_A2CC9F:				; CODE XREF: SiGetDefaultSystemPartition(x,x)+Bj
		xor	ecx, ecx
		push	edx
		inc	ecx
		call	_SiGetEfiSystemDevice@12 ; SiGetEfiSystemDevice(x,x,x)
		pop	ecx
		retn
; 

loc_A2CCAA:				; CODE XREF: SiGetDefaultSystemPartition(x,x)+6j
		mov	ecx, edx
		call	_SiGetBiosSystemPartition@4 ; SiGetBiosSystemPartition(x)
		pop	ecx
		retn
_SiGetDefaultSystemPartition@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiGetDeviceNumberInformation(x, x, x)
_SiGetDeviceNumberInformation@12 proc near ; CODE XREF:	SiDisambiguateSystemDevice(x,x)+52p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_20], 0
		and	[ebp+var_1C], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_18], eax
		lea	edi, [ebp+var_10]
		xor	eax, eax
		mov	ebx, edx
		stosd
		lea	edx, [ebp+var_14]
		stosd
		stosd
		xor	edi, edi
		mov	[ebp+var_14], edi
		call	_SiOpenDevice@8	; SiOpenDevice(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2CD2F
		push	0Ch
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		push	edi
		push	2D1080h
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		push	edi
		push	edi
		push	[ebp+var_14]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2CD2F
		cmp	[ebp+var_10], 7
		jz	short loc_A2CD22
		mov	esi, 0C00000BBh
		jmp	short loc_A2CD2F
; 

loc_A2CD22:				; CODE XREF: SiGetDeviceNumberInformation(x,x,x)+66j
		mov	ecx, [ebp+var_18]
		mov	eax, [ebp+var_C]
		mov	[ebx], eax
		mov	eax, [ebp+var_8]
		mov	[ecx], eax

loc_A2CD2F:				; CODE XREF: SiGetDeviceNumberInformation(x,x,x)+3Ej
					; SiGetDeviceNumberInformation(x,x,x)+60j ...
		cmp	[ebp+var_14], edi
		jz	short loc_A2CD3C
		push	[ebp+var_14]
		call	_ZwClose@4	; ZwClose(x)

loc_A2CD3C:				; CODE XREF: SiGetDeviceNumberInformation(x,x,x)+7Fj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_SiGetDeviceNumberInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiGetDriveLayoutInformation(x, x)
_SiGetDriveLayoutInformation@8 proc near ; CODE	XREF: SiFindSystemPartition(x)+3Ap
					; SiGetEfiSystemDevice(x,x,x)+21Ep ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_8], edx
		push	esi
		push	edi
		lea	edx, [ebp+var_4]
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		call	_SiOpenDevice@8	; SiOpenDevice(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2CE0A
		push	4B505953h
		mov	ebx, 4830h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A2CD99
		mov	esi, 0C000009Ah
		jmp	short loc_A2CE0A
; 

loc_A2CD99:				; CODE XREF: SiGetDriveLayoutInformation(x,x)+41j
		push	ebx
		push	edi
		xor	ecx, ecx
		lea	eax, [ebp+var_10]
		push	ecx
		push	ecx
		push	70050h
		push	eax
		push	ecx
		push	ecx
		push	ecx
		jmp	short loc_A2CDDF
; 

loc_A2CDAD:				; CODE XREF: SiGetDriveLayoutInformation(x,x)+A0j
		xor	esi, esi
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	4B505953h
		add	ebx, 2400h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A2CE1F
		push	ebx
		push	edi
		push	esi
		push	esi
		push	70050h
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		push	esi
		push	esi

loc_A2CDDF:				; CODE XREF: SiGetDriveLayoutInformation(x,x)+5Cj
		push	[ebp+var_4]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_A2CDAD
		test	esi, esi
		js	short loc_A2CDFE
		mov	eax, [ebp+var_8]
		mov	[eax], edi

loc_A2CDFA:				; CODE XREF: SiGetDriveLayoutInformation(x,x)+D5j
		test	esi, esi
		jns	short loc_A2CE0A

loc_A2CDFE:				; CODE XREF: SiGetDriveLayoutInformation(x,x)+A4j
		test	edi, edi
		jz	short loc_A2CE0A
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2CE0A:				; CODE XREF: SiGetDriveLayoutInformation(x,x)+25j
					; SiGetDriveLayoutInformation(x,x)+48j	...
		cmp	[ebp+var_4], 0
		jz	short loc_A2CE18
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A2CE18:				; CODE XREF: SiGetDriveLayoutInformation(x,x)+BFj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A2CE1F:				; CODE XREF: SiGetDriveLayoutInformation(x,x)+7Ej
		mov	esi, 0C000009Ah
		jmp	short loc_A2CDFA
_SiGetDriveLayoutInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiIssueSynchronousIoctl(x, x, x, x,	x, x)
_SiIssueSynchronousIoctl@24 proc near	; CODE XREF: SiValidateSystemPartition+D76DCp
					; SiGetEfiSystemDevice(x,x,x)+1E2p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		xor	edi, edi
		lea	edx, [ebp+var_4]
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		call	_SiOpenDevice@8	; SiOpenDevice(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2CE6A
		push	[ebp+arg_C]
		lea	eax, [ebp+var_C]
		push	[ebp+arg_8]
		push	0Ch
		push	[ebp+arg_0]
		push	2D1400h
		push	eax
		push	edi
		push	edi
		push	edi
		push	[ebp+var_4]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_A2CE6A:				; CODE XREF: SiIssueSynchronousIoctl(x,x,x,x,x,x)+21j
		cmp	[ebp+var_4], edi
		jz	short loc_A2CE77
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A2CE77:				; CODE XREF: SiIssueSynchronousIoctl(x,x,x,x,x,x)+47j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	10h
_SiIssueSynchronousIoctl@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiQueryProperty(x, x, x, x)
_SiQueryProperty@16 proc near		; CODE XREF: SyspartGetPhysicalPartitions(x,x,x)+42p
					; SyspartIsSpace(x,x)+1Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		xor	ebx, ebx
		mov	esi, edx
		mov	[ebp+var_20], ebx
		mov	edx, [ebp+arg_4]
		mov	[ebp+var_1C], ebx
		stosd
		mov	[ebp+var_14], ebx
		mov	[edx], ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_18], edx
		stosd
		cmp	ebx, 8
		jnb	short loc_A2CEBC
		push	8
		pop	ebx

loc_A2CEBC:				; CODE XREF: SiQueryProperty(x,x,x,x)+38j
		lea	edx, [ebp+var_14]
		call	_SiOpenDevice@8	; SiOpenDevice(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A2CF36
		and	[ebp+var_C], 0
		mov	[ebp+var_10], esi
		jmp	short loc_A2CF12
; 

loc_A2CED3:				; CODE XREF: SiQueryProperty(x,x,x,x)+A4j
		push	ebx
		push	esi
		push	0Ch
		lea	eax, [ebp+var_10]
		push	eax
		push	2D1400h
		lea	eax, [ebp+var_20]
		push	eax
		push	0
		push	0
		push	0
		push	[ebp+var_14]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_A2CF00
		cmp	edi, 80000005h
		jnz	short loc_A2CF2A

loc_A2CF00:				; CODE XREF: SiQueryProperty(x,x,x,x)+77j
		mov	eax, [esi+4]
		xor	edi, edi
		cmp	eax, ebx
		jbe	short loc_A2CF57
		push	edi
		push	esi
		mov	ebx, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2CF12:				; CODE XREF: SiQueryProperty(x,x,x,x)+52j
		push	4B505953h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A2CED3
		mov	edi, 0C000009Ah

loc_A2CF2A:				; CODE XREF: SiQueryProperty(x,x,x,x)+7Fj
					; SiQueryProperty(x,x,x,x)+E2j
		test	esi, esi
		jz	short loc_A2CF36
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2CF36:				; CODE XREF: SiQueryProperty(x,x,x,x)+49j
					; SiQueryProperty(x,x,x,x)+ADj
		cmp	[ebp+var_14], 0
		jz	short loc_A2CF44
		push	[ebp+var_14]
		call	_ZwClose@4	; ZwClose(x)

loc_A2CF44:				; CODE XREF: SiQueryProperty(x,x,x,x)+BBj
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_A2CF57:				; CODE XREF: SiQueryProperty(x,x,x,x)+88j
		mov	eax, [ebp+var_18]
		mov	[esi+4], ebx
		mov	[eax], esi
		xor	esi, esi
		jmp	short loc_A2CF2A
_SiQueryProperty@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiBootEntryGetNtFilePath(x,	x)
_SiBootEntryGetNtFilePath@8 proc near	; CODE XREF: SiGetEspFromFirmware(x,x)+13Ep
					; SiGetEspFromFirmware(x,x)+203p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+14h]
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, edx
		push	edi
		test	eax, eax
		jnz	short loc_A2CF7F
		mov	edi, 0C0000225h
		jmp	short loc_A2CFDE
; 

loc_A2CF7F:				; CODE XREF: SiBootEntryGetNtFilePath(x,x)+13j
		and	[ebp+var_4], esi
		add	eax, ecx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_8], eax
		push	ecx
		push	0
		push	3
		push	eax
		call	_ZwTranslateFilePath@16	; ZwTranslateFilePath(x,x,x,x)
		mov	edi, eax
		cmp	edi, 0C0000023h
		jnz	short loc_A2CFCA
		push	4B505953h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A2CFB9
		add	edi, 0FFFFFFF4h
		jmp	short loc_A2CFDE
; 

loc_A2CFB9:				; CODE XREF: SiBootEntryGetNtFilePath(x,x)+4Fj
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	3
		push	[ebp+var_8]
		call	_ZwTranslateFilePath@16	; ZwTranslateFilePath(x,x,x,x)
		mov	edi, eax

loc_A2CFCA:				; CODE XREF: SiBootEntryGetNtFilePath(x,x)+3Aj
		test	edi, edi
		js	short loc_A2CFD2
		mov	[ebx], esi
		xor	esi, esi

loc_A2CFD2:				; CODE XREF: SiBootEntryGetNtFilePath(x,x)+69j
		test	esi, esi
		jz	short loc_A2CFDE
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2CFDE:				; CODE XREF: SiBootEntryGetNtFilePath(x,x)+1Aj
					; SiBootEntryGetNtFilePath(x,x)+54j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SiBootEntryGetNtFilePath@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiDisambiguateSystemDevice(x, x)
_SiDisambiguateSystemDevice@8 proc near	; CODE XREF: SiGetEfiSystemDevice(x,x,x)+9Dp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		mov	[ebp+var_14], ecx
		push	ebx
		push	esi
		mov	[ebp+var_C], eax
		mov	ebx, edx
		mov	[ebp+var_10], eax
		mov	edx, offset ??_C@_1CA@BCILKFEE@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAP?$AAa?$AAr?$AAt?$AAi?$AAt?$AAi?$AAo?$AAn@NNGAKEGL@
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	offset ??_C@_1HG@BDMNOANN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		call	_SiGetRegistryValue@24 ; SiGetRegistryValue(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2D052
		cmp	[ebp+var_8], 4
		jnb	short loc_A2D030
		mov	esi, 0C0000001h
		jmp	short loc_A2D052
; 

loc_A2D030:				; CODE XREF: SiDisambiguateSystemDevice(x,x)+3Fj
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_10]
		push	eax
		lea	edx, [ebp+var_C]
		call	_SiGetDeviceNumberInformation@12 ; SiGetDeviceNumberInformation(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2D052
		mov	ecx, [ebp+var_14]
		mov	eax, [ebp+var_C]
		mov	[ecx], eax
		mov	eax, [ebp+var_10]
		mov	[ebx], eax

loc_A2D052:				; CODE XREF: SiDisambiguateSystemDevice(x,x)+39j
					; SiDisambiguateSystemDevice(x,x)+46j ...
		cmp	[ebp+var_4], 0
		jz	short loc_A2D062
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2D062:				; CODE XREF: SiDisambiguateSystemDevice(x,x)+6Ej
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SiDisambiguateSystemDevice@8 endp


;  S U B	R O U T	I N E 


; __stdcall SiGetEfiBootEntryById(x, x)
_SiGetEfiBootEntryById@8 proc near	; CODE XREF: SiGetEspFromFirmware(x,x)+12Dp
					; SiGetEspFromFirmware(x,x)+1F2p
		jmp	short loc_A2D072
; 

loc_A2D06A:				; CODE XREF: SiGetEfiBootEntryById(x,x)+10j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_A2D07B
		add	ecx, eax

loc_A2D072:				; CODE XREF: SiGetEfiBootEntryById(x,x)j
		lea	eax, [ecx+4]
		cmp	[eax+8], edx
		jnz	short loc_A2D06A
		retn
; 

loc_A2D07B:				; CODE XREF: SiGetEfiBootEntryById(x,x)+6j
		xor	eax, eax
		retn
_SiGetEfiBootEntryById@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiGetEfiSystemDevice(x, x, x)
_SiGetEfiSystemDevice@12 proc near	; CODE XREF: SiGetDefaultSystemDisk(x,x)+13p
					; SiGetDefaultSystemPartition(x,x)+18p

var_8E		= byte ptr -8Eh
var_8D		= byte ptr -8Dh
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= byte ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_14		= byte ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+8Ch+var_4], eax
		mov	eax, [ebp+arg_0]
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		push	8
		mov	esi, ecx
		mov	[esp+9Ch+var_5C], eax
		pop	ecx
		xor	eax, eax
		mov	[esp+98h+var_54], esi
		push	6
		lea	edi, [esp+9Ch+var_24]
		mov	[esp+9Ch+var_50], edx
		rep stosd
		pop	ecx
		lea	edi, [esp+98h+var_48]
		mov	[esp+98h+var_4C], edx
		rep stosd
		lea	edi, [esp+98h+var_30]
		mov	dword ptr [esp+98h+var_68], edx
		stosd
		push	4B505953h
		push	6Ah
		push	1
		stosd
		mov	[esp+0A4h+var_78], edx
		mov	[esp+0A4h+var_80], edx
		mov	[esp+0A4h+var_70], edx
		stosd
		mov	edi, edx
		mov	[esp+0A4h+var_64], edx
		mov	[esp+0A4h+var_60], edx
		mov	[esp+0A4h+var_6C], edx
		mov	[esp+0A4h+var_7C], edx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+98h+var_58], ebx
		test	ebx, ebx
		jnz	short loc_A2D113
		mov	esi, 0C0000017h
		jmp	loc_A2D3CA
; 

loc_A2D113:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+89j
		lea	edx, [esp+98h+var_6C]
		lea	ecx, [esp+98h+var_60]
		call	_SiDisambiguateSystemDevice@8 ;	SiDisambiguateSystemDevice(x,x)
		test	eax, eax
		jns	loc_A2D360
		push	offset ??_C@_1BA@CCLAPIHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@NNGAKEGL@
		lea	eax, [esp+9Ch+var_50]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+98h+var_50]
		mov	[esp+98h+var_48], 18h
		mov	[esp+98h+var_40], eax
		xor	ecx, ecx
		lea	eax, [esp+98h+var_48]
		mov	[esp+98h+var_44], ecx
		push	eax
		push	1
		lea	eax, [esp+0A0h+var_78]
		mov	[esp+0A0h+var_3C], 240h
		push	eax
		mov	[esp+0A4h+var_38], ecx
		mov	[esp+0A4h+var_34], ecx
		call	_ZwOpenDirectoryObject@12 ; ZwOpenDirectoryObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2D39D
		mov	eax, 1000h
		push	4B505953h
		mov	esi, eax
		mov	[esp+9Ch+var_74], eax
		push	eax
		jmp	short loc_A2D1CC
; 

loc_A2D18B:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+15Dj
		xor	ecx, ecx
		lea	eax, [esp+0A0h+var_70]
		push	ecx
		push	eax
		push	1
		push	ecx
		push	esi
		push	edi
		push	[esp+0B8h+var_80]
		mov	[esp+0BCh+var_70], ecx
		call	_ZwQueryDirectoryObject@28 ; ZwQueryDirectoryObject(x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 105h
		jnz	short loc_A2D1EB
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [esp+0A0h+var_7C]
		add	esi, 1000h
		push	4B505953h
		mov	[esp+0A4h+var_7C], esi
		push	esi

loc_A2D1CC:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+10Bj
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+0A0h+var_8C], edi
		test	edi, edi
		jnz	short loc_A2D18B
		mov	esi, 0C0000017h

loc_A2D1E2:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+300j
		mov	edi, [esp+0A0h+var_8C]
		jmp	loc_A2D39D
; 

loc_A2D1EB:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+12Fj
		test	esi, esi
		jns	short loc_A2D1FB
		cmp	esi, 8000001Ah
		jnz	loc_A2D354

loc_A2D1FB:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+16Fj
		xor	ecx, ecx
		cmp	[edi], cx
		jz	loc_A2D379
		lea	esi, [edi+4]

loc_A2D209:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+2A2j
		mov	edx, [esi+8]
		mov	ecx, [esi]
		call	_SiIsValidDiskDevice@8 ; SiIsValidDiskDevice(x,x)
		test	al, al
		jz	loc_A2D317
		xor	eax, eax
		push	eax
		push	dword ptr [esi]	; char
		push	offset ??_C@_1DA@FBMBGMIJ@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AA?$CF?$AAs?$AA?2?$AAP?$AAa?$AAr?$AAt@NNGAKEGL@ ;	"\\"
		push	6Ah		; int
		push	ebx		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 14h
		mov	[esp+0A0h+var_38], 1
		xor	eax, eax
		lea	edi, [esp+0A0h+var_2C]
		xor	edx, edx
		mov	[esp+0A0h+var_30], edx
		push	8
		pop	ecx
		rep stosd
		push	20h
		lea	eax, [esp+0A4h+var_2C]
		mov	[esp+0A4h+var_34], edx
		push	eax
		push	ecx
		lea	eax, [esp+0ACh+var_38]
		mov	[esp+0ACh+var_8D], dl
		push	eax
		mov	ecx, ebx
		call	_SiIssueSynchronousIoctl@24 ; SiIssueSynchronousIoctl(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A2D281
		mov	al, [esp+0A0h+var_14]
		cmp	al, 0Fh
		jz	loc_A2D317
		cmp	al, 10h
		jnz	short loc_A2D281
		mov	[esp+0A0h+var_8D], 1

loc_A2D281:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+1E9j
					; SiGetEfiSystemDevice(x,x,x)+1FCj
		mov	eax, [esp+0A0h+var_88]
		test	eax, eax
		jz	short loc_A2D296
		xor	edi, edi
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esp+0A0h+var_88], edi

loc_A2D296:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+209j
		lea	edx, [esp+0A0h+var_88]
		mov	ecx, ebx
		call	_SiGetDriveLayoutInformation@8 ; SiGetDriveLayoutInformation(x,x)
		test	eax, eax
		js	short loc_A2D317
		mov	eax, [esp+0A0h+var_88]
		cmp	dword ptr [eax], 1
		jnz	short loc_A2D317
		mov	ecx, [eax+4]
		test	ecx, ecx
		jz	short loc_A2D317
		lea	edi, [eax+48h]
		mov	ebx, ecx

loc_A2D2BA:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+293j
		push	10h		; size_t
		lea	eax, [edi+8]
		push	offset _PARTITION_SYSTEM_GUID ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A2D308
		mov	ecx, [esp+0A0h+var_78]
		test	ecx, ecx
		jz	short loc_A2D2E7
		mov	eax, [esp+0A0h+var_84]
		test	eax, eax
		jnz	short loc_A2D2F7
		cmp	[esp+0A0h+var_8D], al
		jz	short loc_A2D2F7

loc_A2D2E7:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+259j
		mov	eax, [esi]
		mov	[esp+0A0h+var_6C], eax
		mov	eax, [edi]
		mov	[esp+0A0h+var_74], eax
		mov	eax, [esp+0A0h+var_84]

loc_A2D2F7:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+261j
					; SiGetEfiSystemDevice(x,x,x)+267j
		inc	ecx
		cmp	[esp+0A0h+var_8D], 0
		mov	[esp+0A0h+var_78], ecx
		jz	short loc_A2D308
		inc	eax
		mov	[esp+0A0h+var_84], eax

loc_A2D308:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+251j
					; SiGetEfiSystemDevice(x,x,x)+283j
		add	edi, 90h
		sub	ebx, 1
		jnz	short loc_A2D2BA
		mov	ebx, [esp+0A0h+var_60]

loc_A2D317:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+197j
					; SiGetEfiSystemDevice(x,x,x)+1F4j ...
		add	esi, 10h
		xor	ecx, ecx
		cmp	[esi-4], cx
		jnz	loc_A2D209
		mov	eax, [esp+0A0h+var_78]
		test	eax, eax
		jz	short loc_A2D379
		cmp	eax, 1
		jbe	short loc_A2D352
		cmp	[esp+0A0h+var_84], 1
		jz	short loc_A2D352
		mov	ecx, ebx
		call	_SiGetEspFromFirmware@8	; SiGetEspFromFirmware(x,x)
		mov	edi, [esp+0A0h+var_8C]
		mov	esi, eax
		test	esi, esi
		jns	short loc_A2D3A8
		mov	esi, 0C0000451h
		jmp	short loc_A2D39D
; 

loc_A2D352:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+2B3j
					; SiGetEfiSystemDevice(x,x,x)+2BAj
		mov	esi, ecx

loc_A2D354:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+177j
		mov	edi, [esp+0A0h+var_8C]
		test	esi, esi
		js	short loc_A2D39D
		mov	esi, [esp+0A0h+var_5C]

loc_A2D360:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+A4j
		mov	eax, [esp+0A0h+var_6C]
		neg	esi
		sbb	esi, esi
		and	esi, [esp+0A0h+var_74]
		push	esi
		test	eax, eax
		jz	short loc_A2D383
		push	eax
		push	offset ??_C@_1DA@FBMBGMIJ@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AA?$CF?$AAs?$AA?2?$AAP?$AAa?$AAr?$AAt@NNGAKEGL@ ;	"\\"
		jmp	short loc_A2D38C
; 

loc_A2D379:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+182j
					; SiGetEfiSystemDevice(x,x,x)+2AEj
		mov	esi, 0C0000452h
		jmp	loc_A2D1E2
; 

loc_A2D383:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+2F1j
		push	dword ptr [esp+0A4h+var_68] ; char
		push	offset ??_C@_1EC@CDJBOKNM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@NNGAKEGL@ ; "\\Device\\Harddisk%lu\\Partition%lu"

loc_A2D38C:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+2F9j
		push	6Ah		; int
		push	ebx		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	esi, eax
		add	esp, 14h
		test	esi, esi
		jns	short loc_A2D3A8

loc_A2D39D:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+F4j
					; SiGetEfiSystemDevice(x,x,x)+168j ...
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A2D3AE
; 

loc_A2D3A8:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+2CBj
					; SiGetEfiSystemDevice(x,x,x)+31Dj
		mov	eax, [esp+0A0h+var_64]
		mov	[eax], ebx

loc_A2D3AE:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+328j
		mov	eax, [esp+0A0h+var_88]
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_A2D3BF
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2D3BF:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+338j
		test	edi, edi
		jz	short loc_A2D3CA
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2D3CA:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+90j
					; SiGetEfiSystemDevice(x,x,x)+343j
		cmp	[esp+0A0h+var_80], 0
		jz	short loc_A2D3DA
		push	[esp+0A0h+var_80]
		call	_ZwClose@4	; ZwClose(x)

loc_A2D3DA:				; CODE XREF: SiGetEfiSystemDevice(x,x,x)+351j
		mov	ecx, [esp+0A0h+var_C]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_SiGetEfiSystemDevice@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiGetEspFromFirmware(x, x)
_SiGetEspFromFirmware@8	proc near	; CODE XREF: SiGetEfiSystemDevice(x,x,x)+2BEp

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_28], ecx
		push	edi
		push	16h
		mov	ebx, esi
		mov	[ebp+var_24], esi
		mov	edi, esi
		mov	[ebp+var_8], esi
		lea	edx, [ebp+var_30]
		mov	[ebp+var_30], esi
		pop	ecx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_C], edi
		call	BiAcquirePrivilege
		test	eax, eax
		js	loc_A2D70E
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], esi
		push	eax
		push	esi
		call	_ZwEnumerateBootEntries@8 ; ZwEnumerateBootEntries(x,x)
		mov	esi, eax
		xor	ecx, ecx
		cmp	esi, 0C0000023h
		jnz	short loc_A2D49D
		mov	eax, ecx

loc_A2D450:				; CODE XREF: SiGetEspFromFirmware(x,x)+A8j
		cmp	eax, [ebp+var_4]
		jnb	short loc_A2D49D
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_A2D463
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2D463:				; CODE XREF: SiGetEspFromFirmware(x,x)+67j
		push	4B505953h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_A2D667
		mov	ecx, [ebp+var_4]
		mov	[ebp+var_20], ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	eax
		call	_ZwEnumerateBootEntries@8 ; ZwEnumerateBootEntries(x,x)
		mov	esi, eax
		mov	eax, [ebp+var_20]
		push	0
		pop	ecx
		cmp	esi, 0C0000023h
		jz	short loc_A2D450

loc_A2D49D:				; CODE XREF: SiGetEspFromFirmware(x,x)+59j
					; SiGetEspFromFirmware(x,x)+60j
		test	esi, esi
		js	loc_A2D66C
		cmp	[ebp+var_4], ebx
		jnz	short loc_A2D4B4

loc_A2D4AA:				; CODE XREF: SiGetEspFromFirmware(x,x)+1DFj
		mov	esi, 0C0000225h
		jmp	loc_A2D66C
; 

loc_A2D4B4:				; CODE XREF: SiGetEspFromFirmware(x,x)+B5j
		push	18h
		pop	eax
		mov	[ebp+var_4], eax

loc_A2D4BA:				; CODE XREF: SiGetEspFromFirmware(x,x)+11Aj
		mov	edx, [ebp+var_18]
		test	edx, edx
		jz	short loc_A2D4CB
		push	ecx
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]

loc_A2D4CB:				; CODE XREF: SiGetEspFromFirmware(x,x)+CCj
		push	4B505953h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jz	loc_A2D667
		mov	eax, [ebp+var_4]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		call	_ZwQueryBootOptions@8 ;	ZwQueryBootOptions(x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_A2D50F
		mov	eax, [ebp+var_4]
		cmp	[ebp+var_20], eax
		jnb	loc_A2D66C
		xor	ecx, ecx
		jmp	short loc_A2D4BA
; 

loc_A2D50F:				; CODE XREF: SiGetEspFromFirmware(x,x)+10Aj
		test	esi, esi
		js	loc_A2D66C
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_10]
		mov	edx, [edx+0Ch]
		call	_SiGetEfiBootEntryById@8 ; SiGetEfiBootEntryById(x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	short loc_A2D55C
		lea	edx, [ebp+var_1C]
		mov	ecx, eax
		call	_SiBootEntryGetNtFilePath@8 ; SiBootEntryGetNtFilePath(x,x)
		mov	ebx, [ebp+var_1C]
		mov	esi, eax
		test	esi, esi
		js	short loc_A2D55C
		mov	ecx, [ebp+var_20]
		mov	edx, ebx
		call	_SiIsValidWindowsBootEntry@8 ; SiIsValidWindowsBootEntry(x,x)
		test	al, al
		jnz	loc_A2D66C
		xor	esi, esi
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, esi

loc_A2D55C:				; CODE XREF: SiGetEspFromFirmware(x,x)+137j
					; SiGetEspFromFirmware(x,x)+14Aj
		lea	eax, [ebp+var_8]
		push	eax
		xor	eax, eax
		push	eax
		call	_ZwQueryBootEntryOrder@8 ; ZwQueryBootEntryOrder(x,x)
		mov	esi, eax
		xor	ecx, ecx
		cmp	esi, 0C0000023h
		jnz	short loc_A2D5C7
		mov	eax, ecx

loc_A2D576:				; CODE XREF: SiGetEspFromFirmware(x,x)+1D2j
		cmp	eax, [ebp+var_8]
		jnb	short loc_A2D5C7
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_A2D589
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2D589:				; CODE XREF: SiGetEspFromFirmware(x,x)+18Dj
		mov	eax, [ebp+var_8]
		push	4B505953h
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_A2D667
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_20], ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		call	_ZwQueryBootEntryOrder@8 ; ZwQueryBootEntryOrder(x,x)
		mov	esi, eax
		mov	eax, [ebp+var_20]
		push	0
		pop	ecx
		cmp	esi, 0C0000023h
		jz	short loc_A2D576

loc_A2D5C7:				; CODE XREF: SiGetEspFromFirmware(x,x)+17Fj
					; SiGetEspFromFirmware(x,x)+186j
		test	esi, esi
		jnz	loc_A2D66C
		cmp	[ebp+var_8], edi
		jz	loc_A2D4AA
		mov	esi, ecx
		jbe	short loc_A2D641

loc_A2D5DC:				; CODE XREF: SiGetEspFromFirmware(x,x)+24Cj
		mov	eax, [ebp+var_14]
		mov	ecx, [ebp+var_10]
		mov	edx, [eax+esi*4]
		call	_SiGetEfiBootEntryById@8 ; SiGetEfiBootEntryById(x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	short loc_A2D63B
		lea	edx, [ebp+var_C]
		mov	ecx, eax
		call	_SiBootEntryGetNtFilePath@8 ; SiBootEntryGetNtFilePath(x,x)
		mov	edi, [ebp+var_C]
		test	eax, eax
		js	short loc_A2D627
		mov	ecx, [ebp+var_20]
		mov	edx, edi
		call	_SiIsValidWindowsBootEntry@8 ; SiIsValidWindowsBootEntry(x,x)
		test	al, al
		jz	short loc_A2D627
		test	ebx, ebx
		jz	short loc_A2D655
		lea	eax, [edi+0Ch]
		push	eax		; wchar_t *
		lea	eax, [ebx+0Ch]
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A2D660

loc_A2D627:				; CODE XREF: SiGetEspFromFirmware(x,x)+20Dj
					; SiGetEspFromFirmware(x,x)+21Bj
		xor	eax, eax

loc_A2D629:				; CODE XREF: SiGetEspFromFirmware(x,x)+26Bj
		test	edi, edi
		jz	short loc_A2D63B
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		mov	edi, eax
		mov	[ebp+var_C], edi

loc_A2D63B:				; CODE XREF: SiGetEspFromFirmware(x,x)+1FCj
					; SiGetEspFromFirmware(x,x)+238j
		inc	esi
		cmp	esi, [ebp+var_8]
		jb	short loc_A2D5DC

loc_A2D641:				; CODE XREF: SiGetEspFromFirmware(x,x)+1E7j
		mov	esi, ebx
		neg	esi
		sbb	esi, esi
		and	esi, 3FFFFDDBh
		add	esi, 0C0000225h
		jmp	short loc_A2D66C
; 

loc_A2D655:				; CODE XREF: SiGetEspFromFirmware(x,x)+21Fj
		xor	eax, eax
		mov	ebx, edi
		mov	edi, eax
		mov	[ebp+var_C], edi
		jmp	short loc_A2D629
; 

loc_A2D660:				; CODE XREF: SiGetEspFromFirmware(x,x)+232j
		mov	esi, 0C0000451h
		jmp	short loc_A2D66C
; 

loc_A2D667:				; CODE XREF: SiGetEspFromFirmware(x,x)+84j
					; SiGetEspFromFirmware(x,x)+ECj ...
		mov	esi, 0C0000017h

loc_A2D66C:				; CODE XREF: SiGetEspFromFirmware(x,x)+ACj
					; SiGetEspFromFirmware(x,x)+BCj ...
		lea	ecx, [ebp+var_30]
		call	_BiReleasePrivilege@4 ;	BiReleasePrivilege(x)
		test	esi, esi
		js	short loc_A2D6C2
		test	ebx, ebx
		jnz	short loc_A2D683
		mov	esi, 0C0000001h
		jmp	short loc_A2D6C2
; 

loc_A2D683:				; CODE XREF: SiGetEspFromFirmware(x,x)+287j
		lea	edx, [ebx+0Ch]
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[ebp+var_20], eax

loc_A2D68E:				; CODE XREF: SiGetEspFromFirmware(x,x)+2A5j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_24]
		jnz	short loc_A2D68E
		sub	ecx, [ebp+var_20]
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]
		mov	[ebp+var_4], ecx
		cmp	ecx, 6Ah
		jbe	short loc_A2D6B5
		mov	esi, 0C0000023h
		jmp	short loc_A2D6C2
; 

loc_A2D6B5:				; CODE XREF: SiGetEspFromFirmware(x,x)+2B9j
		push	ecx		; size_t
		push	edx		; void *
		push	[ebp+var_28]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_A2D6C2:				; CODE XREF: SiGetEspFromFirmware(x,x)+283j
					; SiGetEspFromFirmware(x,x)+28Ej ...
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_A2D6D2
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2D6D2:				; CODE XREF: SiGetEspFromFirmware(x,x)+2D4j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_A2D6E2
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2D6E2:				; CODE XREF: SiGetEspFromFirmware(x,x)+2E4j
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_A2D6F2
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2D6F2:				; CODE XREF: SiGetEspFromFirmware(x,x)+2F4j
		test	ebx, ebx
		jz	short loc_A2D6FF
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2D6FF:				; CODE XREF: SiGetEspFromFirmware(x,x)+301j
		test	edi, edi
		jz	short loc_A2D70C
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2D70C:				; CODE XREF: SiGetEspFromFirmware(x,x)+30Ej
		mov	eax, esi

loc_A2D70E:				; CODE XREF: SiGetEspFromFirmware(x,x)+3Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SiGetEspFromFirmware@8	endp


;  S U B	R O U T	I N E 


; __stdcall SiIsValidDiskDevice(x, x)
_SiIsValidDiskDevice@8 proc near	; CODE XREF: SiGetEfiSystemDevice(x,x,x)+190p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		push	offset ??_C@_1BE@DNDHOCGP@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAo?$AAr?$AAy@NNGAKEGL@ ; "Directory"
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A2D73D
		push	offset ??_C@_1BK@KDPOKCA@?$AAS?$AAy?$AAm?$AAb?$AAo?$AAl?$AAi?$AAc?$AAL?$AAi?$AAn?$AAk@NNGAKEGL@	; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A2D76B

loc_A2D73D:				; CODE XREF: SiIsValidDiskDevice(x,x)+17j
		push	8		; size_t
		push	offset ??_C@_1BC@PEHNMCKA@?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs?$AAk@NNGAKEGL@ ; "Harddisk"
		push	esi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A2D76B
		lea	ecx, [esi+10h]
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_A2D76B
		push	30h
		pop	edi
		cmp	ax, di
		jnz	short loc_A2D770
		cmp	word ptr [ecx+2], 0
		jz	short loc_A2D792

loc_A2D76B:				; CODE XREF: SiIsValidDiskDevice(x,x)+28j
					; SiIsValidDiskDevice(x,x)+3Cj	...
		xor	al, al

loc_A2D76D:				; CODE XREF: SiIsValidDiskDevice(x,x)+81j
		pop	edi
		pop	esi
		retn
; 

loc_A2D770:				; CODE XREF: SiIsValidDiskDevice(x,x)+4Fj
		xor	edx, edx
		mov	esi, eax

loc_A2D774:				; CODE XREF: SiIsValidDiskDevice(x,x)+7Dj
		cmp	si, di
		jb	short loc_A2D76B
		cmp	si, 39h
		ja	short loc_A2D76B
		inc	edx
		cmp	edx, 0Ah
		ja	short loc_A2D76B
		add	ecx, 2
		movzx	eax, word ptr [ecx]
		mov	esi, eax
		test	ax, ax
		jnz	short loc_A2D774

loc_A2D792:				; CODE XREF: SiIsValidDiskDevice(x,x)+56j
		mov	al, 1
		jmp	short loc_A2D76D
_SiIsValidDiskDevice@8 endp


;  S U B	R O U T	I N E 


; __stdcall SiIsValidWindowsBootEntry(x, x)
_SiIsValidWindowsBootEntry@8 proc near	; CODE XREF: SiGetEspFromFirmware(x,x)+151p
					; SiGetEspFromFirmware(x,x)+214p
		cmp	dword ptr [ecx+14h], 0
		push	edi
		mov	edi, edx
		jz	short loc_A2D7E5
		test	byte ptr [ecx+0Ch], 4
		jz	short loc_A2D7AB
		cmp	dword ptr [ecx+18h], 18h
		jnb	short loc_A2D7E1

loc_A2D7AB:				; CODE XREF: SiIsValidWindowsBootEntry(x,x)+Dj
		mov	eax, [edi+4]
		push	esi
		shr	eax, 1
		lea	esi, [edi+0Ch]
		push	eax
		push	esi
		call	_wcsnlen
		add	esi, 2
		pop	ecx
		pop	ecx
		lea	ecx, [esi+eax*2]
		mov	eax, [edi+4]
		add	eax, 0Ch
		add	eax, edi
		pop	esi
		cmp	ecx, eax
		jnb	short loc_A2D7E5
		push	offset ??_C@_1EC@LNDFLFLH@?$AA?2?$AAE?$AAF?$AAI?$AA?2?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?2@NNGAKEGL@ ; wchar_t *
		push	ecx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A2D7E5

loc_A2D7E1:				; CODE XREF: SiIsValidWindowsBootEntry(x,x)+13j
		mov	al, 1
		pop	edi
		retn
; 

loc_A2D7E5:				; CODE XREF: SiIsValidWindowsBootEntry(x,x)+7j
					; SiIsValidWindowsBootEntry(x,x)+38j ...
		xor	al, al
		pop	edi
		retn
_SiIsValidWindowsBootEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiGetBiosSystemDisk(x)
_SiGetBiosSystemDisk@4 proc near	; CODE XREF: SiGetDefaultSystemDisk(x,x)+1Bj
					; SiGetBiosSystemPartition(x)+22p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		mov	[esp+18h+var_C], ecx
		push	esi
		push	edi
		mov	[esp+20h+var_10], eax
		mov	edi, eax
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_4], eax
		mov	[esp+20h+var_14], eax
		call	_SiIsWinPeHardDiskZeroUfdBoot@0	; SiIsWinPeHardDiskZeroUfdBoot()
		lea	edx, [esp+20h+var_14]
		test	al, al
		jz	short loc_A2D834
		mov	ecx, offset ??_C@_1EC@DDFPLGMM@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2?$AAm?$AAu?$AAl?$AAt?$AAi?$AA?$CI@NNGAKEGL@ ; "\\ArcName\\multi(0)disk(0)rdisk(1)"
		call	_SiOpenArcNameObject@8 ; SiOpenArcNameObject(x,x)
		mov	esi, eax
		cmp	esi, 0C0000452h
		jnz	short loc_A2D840
		lea	edx, [esp+20h+var_14]

loc_A2D834:				; CODE XREF: SiGetBiosSystemDisk(x)+31j
		mov	ecx, offset ??_C@_1EC@PIADGFGJ@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2?$AAm?$AAu?$AAl?$AAt?$AAi?$AA?$CI@NNGAKEGL@ ; "\\ArcName\\multi(0)disk(0)rdisk(0)"
		call	_SiOpenArcNameObject@8 ; SiOpenArcNameObject(x,x)
		mov	esi, eax

loc_A2D840:				; CODE XREF: SiGetBiosSystemDisk(x)+45j
		mov	ebx, [esp+20h+var_14]
		test	esi, esi
		js	loc_A2D8D2
		push	0
		lea	eax, [esp+24h+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+20h+var_10]
		push	eax
		lea	eax, [esp+24h+var_8]
		push	eax
		push	ebx
		call	_ZwQuerySymbolicLinkObject@12 ;	ZwQuerySymbolicLinkObject(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_A2D87D
		test	esi, esi
		js	short loc_A2D8D2
		mov	esi, 0C0000001h
		jmp	short loc_A2D8D2
; 

loc_A2D87D:				; CODE XREF: SiGetBiosSystemDisk(x)+87j
		mov	eax, [esp+20h+var_10]
		push	4B505953h
		add	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A2D89E
		mov	esi, 0C000009Ah
		jmp	short loc_A2D8D2
; 

loc_A2D89E:				; CODE XREF: SiGetBiosSystemDisk(x)+ACj
		mov	ax, word ptr [esp+20h+var_10]
		mov	word ptr [esp+20h+var_8+2], ax
		lea	eax, [esp+20h+var_8]
		push	0
		push	eax
		push	ebx
		mov	[esp+2Ch+var_4], edi
		call	_ZwQuerySymbolicLinkObject@12 ;	ZwQuerySymbolicLinkObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2D8D2
		movzx	eax, word ptr [esp+20h+var_8]
		shr	eax, 1
		xor	ecx, ecx
		mov	[edi+eax*2], cx
		mov	eax, [esp+20h+var_C]
		mov	[eax], edi

loc_A2D8D2:				; CODE XREF: SiGetBiosSystemDisk(x)+5Dj
					; SiGetBiosSystemDisk(x)+8Bj ...
		test	ebx, ebx
		jz	short loc_A2D8DC
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_A2D8DC:				; CODE XREF: SiGetBiosSystemDisk(x)+EBj
		test	esi, esi
		jns	short loc_A2D8EC
		test	edi, edi
		jz	short loc_A2D8EC
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2D8EC:				; CODE XREF: SiGetBiosSystemDisk(x)+F5j
					; SiGetBiosSystemDisk(x)+F9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_SiGetBiosSystemDisk@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiGetBiosSystemPartition(x)
_SiGetBiosSystemPartition@4 proc near	; CODE XREF: SiGetDefaultSystemPartition(x,x)+21p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		xor	eax, eax
		mov	[esp+10h+var_4], ecx
		push	esi
		push	edi
		lea	ecx, [esp+18h+var_8]
		mov	[esp+18h+var_C], eax
		mov	ebx, eax
		mov	[esp+18h+var_8], eax
		call	_SiGetBiosSystemDisk@4 ; SiGetBiosSystemDisk(x)
		mov	edi, [esp+18h+var_8]
		mov	esi, eax
		test	esi, esi
		js	loc_A2D9D9
		lea	edx, [esp+18h+var_C]
		mov	ecx, edi
		call	_SiGetDriveLayoutInformation@8 ; SiGetDriveLayoutInformation(x,x)
		mov	esi, eax
		xor	ecx, ecx
		test	esi, esi
		js	short loc_A2D9B9
		mov	esi, [esp+18h+var_C]
		cmp	[esi], ecx
		jnz	short loc_A2D9B4
		push	offset ??_C@_1BI@LDJIHBPK@?$AA?2?$AAP?$AAa?$AAr?$AAt?$AAi?$AAt?$AAi?$AAo?$AAn?$AA0@NNGAKEGL@ ; "\\Partition0"
		push	edi		; wchar_t *
		call	_wcsstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A2D95B
		xor	ecx, ecx
		mov	[eax], cx

loc_A2D95B:				; CODE XREF: SiGetBiosSystemPartition(x)+5Fj
		mov	ecx, edi
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_A2D962:				; CODE XREF: SiGetBiosSystemPartition(x)+76j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A2D962
		sub	ecx, edx
		sar	ecx, 1
		push	4B505953h
		lea	ecx, ds:2Ah[ecx*2]
		push	ecx
		push	1
		mov	[esp+24h+var_8], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		xor	ecx, ecx
		test	ebx, ebx
		jnz	short loc_A2D998
		mov	esi, 0C000009Ah
		jmp	short loc_A2D9B9
; 

loc_A2D998:				; CODE XREF: SiGetBiosSystemPartition(x)+9Aj
		mov	edx, [esi+4]
		lea	eax, [esi+30h]
		test	edx, edx
		jz	short loc_A2D9B2

loc_A2D9A2:				; CODE XREF: SiGetBiosSystemPartition(x)+BBj
		cmp	byte ptr [eax+21h], 0
		jnz	short loc_A2D9EF
		inc	ecx
		add	eax, 90h
		cmp	ecx, edx
		jb	short loc_A2D9A2

loc_A2D9B2:				; CODE XREF: SiGetBiosSystemPartition(x)+ABj
		xor	ecx, ecx

loc_A2D9B4:				; CODE XREF: SiGetBiosSystemPartition(x)+4Ej
		mov	esi, 0C0000452h

loc_A2D9B9:				; CODE XREF: SiGetBiosSystemPartition(x)+46j
					; SiGetBiosSystemPartition(x)+A1j ...
		mov	eax, [esp+18h+var_C]
		test	eax, eax
		jz	short loc_A2D9C8
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2D9C8:				; CODE XREF: SiGetBiosSystemPartition(x)+CAj
		test	esi, esi
		jns	short loc_A2D9D9
		test	ebx, ebx
		jz	short loc_A2D9D9
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2D9D9:				; CODE XREF: SiGetBiosSystemPartition(x)+2Fj
					; SiGetBiosSystemPartition(x)+D5j ...
		test	edi, edi
		jz	short loc_A2D9E6
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2D9E6:				; CODE XREF: SiGetBiosSystemPartition(x)+E6j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A2D9EF:				; CODE XREF: SiGetBiosSystemPartition(x)+B1j
		push	dword ptr [eax+18h]
		mov	eax, [esp+1Ch+var_8]
		push	edi
		push	offset ??_C@_1CA@KOFIMBAB@?$AA?$CF?$AAs?$AA?2?$AAP?$AAa?$AAr?$AAt?$AAi?$AAt?$AAi?$AAo?$AAn?$AA?$CF?$AAl?$AAu@NNGAKEGL@ ; "%s\\Partition%lu"
		shr	eax, 1
		push	eax
		push	ebx
		call	_swprintf_s
		mov	eax, [esp+2Ch+var_4]
		add	esp, 14h
		xor	ecx, ecx
		mov	esi, ecx
		mov	[eax], ebx
		jmp	short loc_A2D9B9
_SiGetBiosSystemPartition@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiIsWinPeHardDiskZeroUfdBoot()
_SiIsWinPeHardDiskZeroUfdBoot@0	proc near ; CODE XREF: SiGetBiosSystemDisk(x)+26p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	edi
		push	0Ah
		xor	eax, eax
		lea	edi, [ebp+var_38]
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_10]
		xor	ebx, ebx
		stosd
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		stosd
		mov	[ebp+var_40], ebx
		mov	[ebp+var_48], ebx
		stosd
		call	_SiIsWinPEBoot@0 ; SiIsWinPEBoot()
		test	al, al
		jz	loc_A2DAF9
		lea	edx, [ebp+var_3C]
		mov	ecx, offset ??_C@_1CG@EEKKLGPP@?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr?$AAe?$AAB?$AAo?$AAo?$AAt?$AAD?$AAe?$AAv@NNGAKEGL@
		call	_SiGetBootDeviceNameFromRegistry@8 ; SiGetBootDeviceNameFromRegistry(x,x)
		test	eax, eax
		js	loc_A2DAF7
		mov	ecx, [ebp+var_3C]
		lea	edx, [ecx+2]

loc_A2DA71:				; CODE XREF: SiIsWinPeHardDiskZeroUfdBoot()+66j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A2DA71
		lea	eax, [ebp+var_48]
		sub	ecx, edx
		push	eax
		lea	eax, [ebp+var_44]
		sar	ecx, 1
		push	eax
		lea	eax, [ebp+var_40]
		push	eax
		push	offset ??_C@_1DG@NPLCAPOH@?$AAm?$AAu?$AAl?$AAt?$AAi?$AA?$CI?$AA?$CF?$AAd?$AA?$CJ?$AAd?$AAi?$AAs?$AAk?$AA?$CI?$AA?$CF@NNGAKEGL@
		lea	eax, [ecx+1]
		push	eax
		push	[ebp+var_3C]
		call	__snwscanf_s
		add	esp, 18h
		cmp	eax, 3
		jnz	short loc_A2DAF7
		cmp	[ebp+var_40], ebx
		jnz	short loc_A2DAF7
		cmp	[ebp+var_44], ebx
		jnz	short loc_A2DAF7
		cmp	[ebp+var_48], ebx
		jnz	short loc_A2DAF7
		lea	edx, [ebp+var_4C]
		mov	ecx, offset ??_C@_1EC@PIADGFGJ@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2?$AAm?$AAu?$AAl?$AAt?$AAi?$AA?$CI@NNGAKEGL@ ; "\\ArcName\\multi(0)disk(0)rdisk(0)"
		call	SiTranslateSymbolicLink
		test	eax, eax
		js	short loc_A2DAF7
		push	ebx
		push	[ebp+var_3C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	28h
		lea	eax, [ebp+var_38]
		mov	[ebp+var_8], ebx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_4C]
		lea	eax, [ebp+var_10]
		push	eax
		call	_SiIssueSynchronousIoctl@24 ; SiIssueSynchronousIoctl(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_A2DAEF
		cmp	eax, 0C000003Ah
		jmp	short loc_A2DAF3
; 

loc_A2DAEF:				; CODE XREF: SiIsWinPeHardDiskZeroUfdBoot()+D2j
		cmp	[ebp+var_1C], 7

loc_A2DAF3:				; CODE XREF: SiIsWinPeHardDiskZeroUfdBoot()+D9j
		jnz	short loc_A2DAF7
		mov	bl, 1

loc_A2DAF7:				; CODE XREF: SiIsWinPeHardDiskZeroUfdBoot()+51j
					; SiIsWinPeHardDiskZeroUfdBoot()+8Fj ...
		mov	al, bl

loc_A2DAF9:				; CODE XREF: SiIsWinPeHardDiskZeroUfdBoot()+3Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SiIsWinPeHardDiskZeroUfdBoot@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SiOpenArcNameObject(x, x)
_SiOpenArcNameObject@8 proc near	; CODE XREF: SiGetBiosSystemDisk(x)+38p
					; SiGetBiosSystemDisk(x)+50p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_C]
		push	ecx
		push	eax
		mov	esi, edx
		mov	[ebp+var_4], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		mov	[ebp+var_24], 18h
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	20001h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_20], edi
		push	eax
		mov	[ebp+var_18], 240h
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		call	_ZwOpenSymbolicLinkObject@12 ; ZwOpenSymbolicLinkObject(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jns	short loc_A2DB74
		cmp	ecx, 0C0000017h
		jz	short loc_A2DB79
		cmp	ecx, 0C000009Ah
		jz	short loc_A2DB79
		mov	ecx, 0C0000452h
		jmp	short loc_A2DB79
; 

loc_A2DB74:				; CODE XREF: SiOpenArcNameObject(x,x)+54j
		mov	eax, [ebp+var_4]
		mov	[esi], eax

loc_A2DB79:				; CODE XREF: SiOpenArcNameObject(x,x)+5Cj
					; SiOpenArcNameObject(x,x)+64j	...
		pop	edi
		mov	eax, ecx
		pop	esi
		leave
		retn
_SiOpenArcNameObject@8 endp


;  S U B	R O U T	I N E 


; __stdcall _PnpCtxCloseMachine(x)
__PnpCtxCloseMachine@4 proc near	; CODE XREF: PiDevCfgInitDriverDatabaseCallback(x,x,x)+1A9p
					; PipMigratePnpState+146E9p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, ecx
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	dword ptr [edi+7Ch]
		call	ExAcquireResourceExclusiveLite
		lea	esi, [edi+8]

loc_A2DBA1:				; CODE XREF: _PnpCtxCloseMachine(x)+45j
		cmp	[esi], esi
		jz	short loc_A2DBC6
		mov	ecx, [edi+0Ch]
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_A2DBFD
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_A2DBFD
		mov	[edx], eax
		mov	[eax+4], edx
		call	__PnpCtxDestroyNode@4 ;	_PnpCtxDestroyNode(x)
		mov	ebx, eax
		test	ebx, ebx
		jns	short loc_A2DBA1

loc_A2DBC6:				; CODE XREF: _PnpCtxCloseMachine(x)+24j
		mov	ecx, [edi+7Ch]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		test	ebx, ebx
		js	short loc_A2DBF7
		mov	esi, [edi+7Ch]
		push	esi
		call	ExDeleteResourceLite
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2DBF7:				; CODE XREF: _PnpCtxCloseMachine(x)+5Dj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
; 

loc_A2DBFD:				; CODE XREF: _PnpCtxCloseMachine(x)+2Ej
					; _PnpCtxCloseMachine(x)+35j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
__PnpCtxCloseMachine@4 endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall _PnpCtxDestroyNode(x)
__PnpCtxDestroyNode@4 proc near		; CODE XREF: _PnpCtxOpenMachine+1CEp
					; _PnpCtxCloseMachine(x)+3Cp ...
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, ecx
		push	edi
		lea	eax, [esi+10h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [esi+20h]
		or	edi, 0FFFFFFFFh
		test	eax, eax
		jz	short loc_A2DC26
		cmp	eax, edi
		jz	short loc_A2DC26
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A2DC26:				; CODE XREF: _PnpCtxDestroyNode(x)+18j
					; _PnpCtxDestroyNode(x)+1Cj
		mov	eax, [esi+24h]
		test	eax, eax
		jz	short loc_A2DC37
		cmp	eax, edi
		jz	short loc_A2DC37
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A2DC37:				; CODE XREF: _PnpCtxDestroyNode(x)+29j
					; _PnpCtxDestroyNode(x)+2Dj
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_A2DC48
		cmp	eax, edi
		jz	short loc_A2DC48
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A2DC48:				; CODE XREF: _PnpCtxDestroyNode(x)+3Aj
					; _PnpCtxDestroyNode(x)+3Ej
		mov	eax, [esi+2Ch]
		test	eax, eax
		jz	short loc_A2DC59
		cmp	eax, edi
		jz	short loc_A2DC59
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A2DC59:				; CODE XREF: _PnpCtxDestroyNode(x)+4Bj
					; _PnpCtxDestroyNode(x)+4Fj
		mov	eax, [esi+30h]
		test	eax, eax
		jz	short loc_A2DC6A
		cmp	eax, edi
		jz	short loc_A2DC6A
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A2DC6A:				; CODE XREF: _PnpCtxDestroyNode(x)+5Cj
					; _PnpCtxDestroyNode(x)+60j
		mov	eax, [esi+34h]
		test	eax, eax
		jz	short loc_A2DC7B
		cmp	eax, edi
		jz	short loc_A2DC7B
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A2DC7B:				; CODE XREF: _PnpCtxDestroyNode(x)+6Dj
					; _PnpCtxDestroyNode(x)+71j
		mov	eax, [esi+38h]
		test	eax, eax
		jz	short loc_A2DC8C
		cmp	eax, edi
		jz	short loc_A2DC8C
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A2DC8C:				; CODE XREF: _PnpCtxDestroyNode(x)+7Ej
					; _PnpCtxDestroyNode(x)+82j
		mov	eax, [esi+40h]
		test	eax, eax
		jz	short loc_A2DC9D
		cmp	eax, edi
		jz	short loc_A2DC9D
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A2DC9D:				; CODE XREF: _PnpCtxDestroyNode(x)+8Fj
					; _PnpCtxDestroyNode(x)+93j
		mov	eax, [esi+44h]
		test	eax, eax
		jz	short loc_A2DCAE
		cmp	eax, edi
		jz	short loc_A2DCAE
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A2DCAE:				; CODE XREF: _PnpCtxDestroyNode(x)+A0j
					; _PnpCtxDestroyNode(x)+A4j
		mov	eax, [esi+48h]
		test	eax, eax
		jz	short loc_A2DCBF
		cmp	eax, edi
		jz	short loc_A2DCBF
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A2DCBF:				; CODE XREF: _PnpCtxDestroyNode(x)+B1j
					; _PnpCtxDestroyNode(x)+B5j
		mov	ecx, [esi+1Ch]
		test	ecx, ecx
		jz	short loc_A2DCCB
		call	__SysCtxCloseMachine@4 ; _SysCtxCloseMachine(x)

loc_A2DCCB:				; CODE XREF: _PnpCtxDestroyNode(x)+C2j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ecx
		retn
__PnpCtxDestroyNode@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxFindNode(x, x, x, x)
__PnpCtxFindNode@16 proc near		; CODE XREF: _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)+3Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		mov	[ebp+var_8], eax
		mov	ebx, ecx
		mov	[ebp+var_4], eax
		push	edx
		mov	[edi], eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A2DD35
		lea	ebx, [ebx+eax*8]
		add	ebx, 10h
		mov	esi, [ebx]
		jmp	short loc_A2DD28
; 

loc_A2DD0D:				; CODE XREF: _PnpCtxFindNode(x,x,x,x)+51j
		lea	eax, [esi-8]
		push	1
		lea	ecx, [ebp+var_8]
		mov	[ebp+arg_4], eax
		push	ecx
		add	eax, 10h
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_A2DD2E
		mov	esi, [esi]

loc_A2DD28:				; CODE XREF: _PnpCtxFindNode(x,x,x,x)+32j
		cmp	esi, ebx
		jnz	short loc_A2DD0D
		jmp	short loc_A2DD59
; 

loc_A2DD2E:				; CODE XREF: _PnpCtxFindNode(x,x,x,x)+4Bj
		mov	eax, [ebp+arg_4]
		mov	[edi], eax
		jmp	short loc_A2DD59
; 

loc_A2DD35:				; CODE XREF: _PnpCtxFindNode(x,x,x,x)+28j
		add	ebx, 8
		mov	esi, [ebx]
		jmp	short loc_A2DD51
; 

loc_A2DD3C:				; CODE XREF: _PnpCtxFindNode(x,x,x,x)+7Aj
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [esi+10h]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_A2DD57
		mov	esi, [esi]

loc_A2DD51:				; CODE XREF: _PnpCtxFindNode(x,x,x,x)+61j
		cmp	esi, ebx
		jnz	short loc_A2DD3C
		jmp	short loc_A2DD59
; 

loc_A2DD57:				; CODE XREF: _PnpCtxFindNode(x,x,x,x)+74j
		mov	[edi], esi

loc_A2DD59:				; CODE XREF: _PnpCtxFindNode(x,x,x,x)+53j
					; _PnpCtxFindNode(x,x,x,x)+5Aj	...
		mov	eax, [edi]
		neg	eax
		pop	edi
		sbb	eax, eax
		and	eax, 3FFFFFCCh
		pop	esi
		add	eax, 0C0000034h
		pop	ebx
		leave
		retn	8
__PnpCtxFindNode@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxOpenContextBaseKey(x, x, x, x, x)
__PnpCtxOpenContextBaseKey@20 proc near	; CODE XREF: PiCMOpenClassKey+12AA6Fp
					; PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x):loc_974A72p ...

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		mov	edi, _PiPnpRtlCtx
		mov	ecx, edi
		push	eax
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2DDC7
		test	edi, edi
		jnz	short loc_A2DD9B
		xor	ecx, ecx
		jmp	short loc_A2DD9E
; 

loc_A2DD9B:				; CODE XREF: _PnpCtxOpenContextBaseKey(x,x,x,x,x)+25j
		mov	ecx, [edi+74h]

loc_A2DD9E:				; CODE XREF: _PnpCtxOpenContextBaseKey(x,x,x,x,x)+29j
		push	[ebp+arg_8]
		mov	edx, [ebp+var_4]
		push	[ebp+arg_4]
		push	0
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jnz	short loc_A2DDC1
		mov	esi, 0C00000E5h
		jmp	short loc_A2DDC7
; 

loc_A2DDC1:				; CODE XREF: _PnpCtxOpenContextBaseKey(x,x,x,x,x)+48j
		test	eax, eax
		jns	short loc_A2DDC7
		mov	esi, eax

loc_A2DDC7:				; CODE XREF: _PnpCtxOpenContextBaseKey(x,x,x,x,x)+21j
					; _PnpCtxOpenContextBaseKey(x,x,x,x,x)+4Fj ...
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	0Ch
__PnpCtxOpenContextBaseKey@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxOpenContextNodeBaseKey(x, x,	x, x, x, x, x)
__PnpCtxOpenContextNodeBaseKey@28 proc near
					; CODE XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+127p

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, _PiPnpRtlCtx
		lea	eax, [edi+20h]
		mov	edx, [eax]
		cmp	edx, eax
		jnz	short loc_A2DDF1
		mov	esi, 0C0000034h
		jmp	short loc_A2DE3E
; 

loc_A2DDF1:				; CODE XREF: _PnpCtxOpenContextNodeBaseKey(x,x,x,x,x,x,x)+19j
		lea	eax, [ebp+var_4]
		add	edx, 0FFFFFFF8h
		push	eax
		push	[ebp+arg_4]
		mov	ecx, edi
		call	_PnpCtxGetCachedNodeBaseKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A2DE3E
		test	edi, edi
		jnz	short loc_A2DE10
		xor	ecx, ecx
		jmp	short loc_A2DE13
; 

loc_A2DE10:				; CODE XREF: _PnpCtxOpenContextNodeBaseKey(x,x,x,x,x,x,x)+3Bj
		mov	ecx, [edi+74h]

loc_A2DE13:				; CODE XREF: _PnpCtxOpenContextNodeBaseKey(x,x,x,x,x,x,x)+3Fj
		push	[ebp+arg_10]
		mov	edx, [ebp+var_4]
		push	0F003Fh
		push	0
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jnz	short loc_A2DE38
		mov	esi, 0C00000E5h
		jmp	short loc_A2DE3E
; 

loc_A2DE38:				; CODE XREF: _PnpCtxOpenContextNodeBaseKey(x,x,x,x,x,x,x)+60j
		test	eax, eax
		jns	short loc_A2DE3E
		mov	esi, eax

loc_A2DE3E:				; CODE XREF: _PnpCtxOpenContextNodeBaseKey(x,x,x,x,x,x,x)+20j
					; _PnpCtxOpenContextNodeBaseKey(x,x,x,x,x,x,x)+37j ...
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	14h
__PnpCtxOpenContextNodeBaseKey@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxRegCopyTree(x, x, x,	x, x)
__PnpCtxRegCopyTree@20 proc near	; CODE XREF: PipMigratePnpState+14625p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, edx
		push	ecx
		mov	eax, _PiPnpRtlCtx
		test	eax, eax
		jz	short loc_A2DE63
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_A2DE63
		mov	eax, [eax+4]
		jmp	short loc_A2DE65
; 

loc_A2DE63:				; CODE XREF: _PnpCtxRegCopyTree(x,x,x,x,x)+Fj
					; _PnpCtxRegCopyTree(x,x,x,x,x)+16j
		xor	eax, eax

loc_A2DE65:				; CODE XREF: _PnpCtxRegCopyTree(x,x,x,x,x)+1Bj
		mov	edx, [ebp+arg_0]
		push	0
		push	eax
		push	0
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	__RegRtlCopyTreeInternal@28 ; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)
		pop	ecx
		pop	ebp
		retn	0Ch
__PnpCtxRegCopyTree@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxRegDeleteKey(x, x, x)
__PnpCtxRegDeleteKey@12	proc near	; CODE XREF: PipCommitPendingOsExtensionResource(x,x,x,x)+12Ep
					; PipCommitPendingService(x,x,x,x)+21Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		test	ecx, ecx
		jz	short loc_A2DE95
		mov	eax, [ecx+74h]
		test	eax, eax
		jz	short loc_A2DE95
		mov	eax, [eax+4]
		jmp	short loc_A2DE97
; 

loc_A2DE95:				; CODE XREF: _PnpCtxRegDeleteKey(x,x,x)+Aj
					; _PnpCtxRegDeleteKey(x,x,x)+11j
		xor	eax, eax

loc_A2DE97:				; CODE XREF: _PnpCtxRegDeleteKey(x,x,x)+16j
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	eax
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)
		pop	esi
		pop	ebp
		retn	4
__PnpCtxRegDeleteKey@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxRegDeleteValue(x, x,	x)
__PnpCtxRegDeleteValue@12 proc near	; CODE XREF: PipUpdateDeviceProducts+81C98p
					; PiCMCreateDevice(x,x,x,x,x,x)+48Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		push	[ebp+arg_0]
		mov	esi, edx
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A2DED3
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_A2DED3:				; CODE XREF: _PnpCtxRegDeleteValue(x,x,x)+20j
		pop	esi
		leave
		retn	4
__PnpCtxRegDeleteValue@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxRegSetValue(x, x, x,	x, x, x)
__PnpCtxRegSetValue@24 proc near	; CODE XREF: PipUpdateDeviceProducts+81C74p
					; PipUpdateDeviceProducts+81C8Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		mov	ecx, edx
		mov	edx, [ebp+arg_0]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		pop	ebp
		retn	10h
__PnpCtxRegSetValue@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCtxRegisterMachineNode(x, x, x,	x, x, x, x)
__PnpCtxRegisterMachineNode@28 proc near ; CODE	XREF: PiPnpRtlInit+9E4CDp
					; PiPnpRtlRegisterDriverMachineNodeCallback+9C698p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	ecx, edx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], esi
		push	edi
		mov	edi, _PiPnpRtlCtx
		test	ebx, ebx
		jle	loc_A2DFDD
		cmp	ebx, 2
		jle	short loc_A2DF41
		cmp	ebx, 3
		jnz	loc_A2DFDD

loc_A2DF27:				; CODE XREF: _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)+55j
		lea	eax, [ebp+var_4]
		mov	ecx, edi
		push	eax
		push	esi
		call	__PnpCtxFindNode@16 ; _PnpCtxFindNode(x,x,x,x)
		test	eax, eax
		js	short loc_A2DF55
		mov	ebx, 0C0000035h
		jmp	loc_A2DFE2
; 

loc_A2DF41:				; CODE XREF: _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)+28j
		lea	eax, [ebx+2]
		lea	eax, [edi+eax*8]
		cmp	[eax], eax
		jz	short loc_A2DF27
		mov	ebx, 0C000020Eh
		jmp	loc_A2DFE2
; 

loc_A2DF55:				; CODE XREF: _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)+41j
		mov	eax, [edi+74h]
		mov	eax, [eax+4]
		mov	edx, [ebp+var_8]
		lea	ecx, [ebp+var_4]
		push	ecx
		push	eax
		push	0FFFFFFFFh
		push	ecx
		push	[ebp+arg_8]
		push	ecx
		push	ebx
		mov	ecx, edi
		call	_PnpCtxCreateNode
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A2DFCD
		lea	ecx, [edi+8]
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_A2DFC8
		mov	eax, [ebp+var_4]
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[edx], eax
		mov	[ecx+4], eax
		lea	ecx, [eax+8]
		mov	eax, [ebp+arg_0]
		add	eax, 2
		lea	eax, [edi+eax*8]
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_A2DFC8
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[edx], ecx
		push	40h		; size_t
		mov	[eax+4], ecx
		lea	eax, [edi+34h]
		push	esi		; int
		push	eax		; void *
		call	_memset
		lea	eax, [edi+20h]
		add	esp, 0Ch
		cmp	[eax], eax
		setnz	al
		mov	[edi+4], al
		jmp	short loc_A2DFD0
; 

loc_A2DFC8:				; CODE XREF: _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)+8Cj
					; _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)+ACj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A2DFCD:				; CODE XREF: _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)+82j
		mov	esi, [ebp+var_4]

loc_A2DFD0:				; CODE XREF: _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)+D2j
		test	esi, esi
		jz	short loc_A2DFE2
		mov	ecx, esi
		call	__PnpCtxDestroyNode@4 ;	_PnpCtxDestroyNode(x)
		jmp	short loc_A2DFE2
; 

loc_A2DFDD:				; CODE XREF: _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)+1Fj
					; _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)+2Dj
		mov	ebx, 0C000000Dh

loc_A2DFE2:				; CODE XREF: _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)+48j
					; _PnpCtxRegisterMachineNode(x,x,x,x,x,x,x)+5Cj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	14h
__PnpCtxRegisterMachineNode@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmCreateDeviceInterface(x,	x, x, x, x, x)
__CmCreateDeviceInterface@24 proc near	; CODE XREF: _PnpDispatchDeviceInterface+11A8B7p
					; IopRegisterDeviceInterface+9917Ep

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, ecx
		push	2Ch		; size_t
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_30]
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], edx
		mov	[ebp+var_38], esi
		call	_memset
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	ebx, [esi+100h]
		add	esp, 0Ch
		inc	ecx
		test	eax, eax
		jnz	short loc_A2E038
		mov	[ebp+var_28], ecx
		test	edi, edi
		jz	short loc_A2E03B

loc_A2E038:				; CODE XREF: _CmCreateDeviceInterface(x,x,x,x,x,x)+44j
		mov	[ebp+var_28], eax

loc_A2E03B:				; CODE XREF: _CmCreateDeviceInterface(x,x,x,x,x,x)+4Bj
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1C], eax
		test	ebx, ebx
		jz	short loc_A2E05D
		lea	eax, [ebp+var_30]
		push	eax
		push	ecx
		push	2
		push	3
		push	[ebp+var_34]
		push	esi
		call	ebx
		cmp	eax, 0C0000002h
		jnz	short loc_A2E0B6
		xor	ebx, ebx

loc_A2E05D:				; CODE XREF: _CmCreateDeviceInterface(x,x,x,x,x,x)+58j
					; _CmCreateDeviceInterface(x,x,x,x,x,x)+D9j
		push	[ebp+var_1C]
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_24]
		mov	ecx, esi
		push	eax
		push	[ebp+var_28]
		call	__CmCreateDeviceInterfaceWorker@24 ; _CmCreateDeviceInterfaceWorker(x,x,x,x,x,x)
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_A2E0A7
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	2
		push	3
		push	[ebp+var_34]
		push	[ebp+var_38]
		call	ebx
		cmp	eax, 0C0000002h
		jz	short loc_A2E0A7
		cmp	eax, 0C0000120h
		jz	short loc_A2E0BD
		test	eax, eax
		jz	short loc_A2E0A7
		mov	esi, 0C00000E5h

loc_A2E0A7:				; CODE XREF: _CmCreateDeviceInterface(x,x,x,x,x,x)+8Ej
					; _CmCreateDeviceInterface(x,x,x,x,x,x)+AAj ...
		test	esi, esi
		js	short loc_A2E0CB
		test	edi, edi
		jz	short loc_A2E0CB
		mov	eax, [ebp+var_24]
		mov	[edi], eax
		jmp	short loc_A2E0D9
; 

loc_A2E0B6:				; CODE XREF: _CmCreateDeviceInterface(x,x,x,x,x,x)+6Ej
		cmp	eax, 0C0000120h
		jnz	short loc_A2E0C2

loc_A2E0BD:				; CODE XREF: _CmCreateDeviceInterface(x,x,x,x,x,x)+B1j
		mov	esi, [ebp+var_30]
		jmp	short loc_A2E0A7
; 

loc_A2E0C2:				; CODE XREF: _CmCreateDeviceInterface(x,x,x,x,x,x)+D0j
		test	eax, eax
		jz	short loc_A2E05D
		mov	esi, 0C00000E5h

loc_A2E0CB:				; CODE XREF: _CmCreateDeviceInterface(x,x,x,x,x,x)+BEj
					; _CmCreateDeviceInterface(x,x,x,x,x,x)+C2j
		cmp	[ebp+var_24], 0
		jz	short loc_A2E0D9
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)

loc_A2E0D9:				; CODE XREF: _CmCreateDeviceInterface(x,x,x,x,x,x)+C9j
					; _CmCreateDeviceInterface(x,x,x,x,x,x)+E4j
		test	esi, esi
		js	short loc_A2E0E9
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_A2E0E9
		mov	al, byte ptr [ebp+var_20]
		mov	[ecx], al

loc_A2E0E9:				; CODE XREF: _CmCreateDeviceInterface(x,x,x,x,x,x)+F0j
					; _CmCreateDeviceInterface(x,x,x,x,x,x)+F7j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
__CmCreateDeviceInterface@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmCreateDeviceInterfaceWorker(x, x, x, x, x, x)
__CmCreateDeviceInterfaceWorker@24 proc	near
					; CODE XREF: _CmCreateDeviceInterface(x,x,x,x,x,x)+85p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= word ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		and	[ebp+var_5C], 0
		push	ebx
		mov	[ebp+var_64], eax
		mov	ebx, ecx
		movzx	eax, [ebp+arg_C]
		mov	[ebp+var_60], edx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		test	eax, eax
		jz	short loc_A2E152
		mov	esi, 0C000000Dh

loc_A2E130:				; CODE XREF: _CmCreateDeviceInterfaceWorker(x,x,x,x,x,x)+64j
					; _CmCreateDeviceInterfaceWorker(x,x,x,x,x,x)+7Aj ...
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_A2E13F
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [edi], 0

loc_A2E13F:				; CODE XREF: _CmCreateDeviceInterfaceWorker(x,x,x,x,x,x)+38j
					; _CmCreateDeviceInterfaceWorker(x,x,x,x,x,x)+A7j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
; 

loc_A2E152:				; CODE XREF: _CmCreateDeviceInterfaceWorker(x,x,x,x,x,x)+2Dj
		push	ecx
		lea	eax, [ebp+var_58]
		push	eax
		call	__CmGetDeviceInterfaceClassGuidString@16 ; _CmGetDeviceInterfaceClassGuidString(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2E130
		xor	eax, eax
		lea	edx, [ebp+var_58]
		push	eax
		push	eax
		push	eax
		push	eax
		mov	ecx, ebx
		call	__CmCreateInterfaceClass@24 ; _CmCreateInterfaceClass(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2E130
		mov	edx, [ebp+var_60]
		lea	eax, [ebp+var_5C]
		push	eax
		push	edi
		push	1
		push	[ebp+arg_0]
		push	ecx
		push	30h
		mov	ecx, ebx
		call	_CmOpenDeviceInterfaceRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A2E130
		cmp	[ebp+var_5C], 1
		mov	ecx, [ebp+var_64]
		setz	al
		mov	[ecx], al
		test	al, al
		jz	short loc_A2E13F
		push	dword ptr [edi]
		mov	edx, [ebp+var_60]
		mov	ecx, ebx
		push	3
		call	__CmRaiseCreateEvent@16	; _CmRaiseCreateEvent(x,x,x,x)
		jmp	short loc_A2E13F
__CmCreateDeviceInterfaceWorker@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmCreateInstallerClass(x, x, x, x,	x, x)
__CmCreateInstallerClass@24 proc near	; CODE XREF: PiCMOpenClassKey+12AA54p
					; _PnpDispatchInstallerClass+ADCA5p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		push	2Ch		; size_t
		mov	[ebp+var_3C], eax
		mov	esi, ecx
		lea	eax, [ebp+var_30]
		mov	[ebp+var_34], edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_38], esi
		call	_memset
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	edi, [esi+100h]
		add	esp, 0Ch
		inc	ecx
		test	eax, eax
		jnz	short loc_A2E202
		mov	[ebp+var_28], ecx
		test	ebx, ebx
		jz	short loc_A2E205

loc_A2E202:				; CODE XREF: _CmCreateInstallerClass(x,x,x,x,x,x)+44j
		mov	[ebp+var_28], eax

loc_A2E205:				; CODE XREF: _CmCreateInstallerClass(x,x,x,x,x,x)+4Bj
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1C], eax
		test	edi, edi
		jz	short loc_A2E227
		lea	eax, [ebp+var_30]
		push	eax
		push	ecx
		push	2
		push	2
		push	[ebp+var_34]
		push	esi
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A2E280
		xor	edi, edi

loc_A2E227:				; CODE XREF: _CmCreateInstallerClass(x,x,x,x,x,x)+58j
					; _CmCreateInstallerClass(x,x,x,x,x,x)+D9j
		push	[ebp+var_1C]
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_24]
		mov	ecx, esi
		push	eax
		push	[ebp+var_28]
		call	__CmCreateInstallerClassWorker@24 ; _CmCreateInstallerClassWorker(x,x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A2E271
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	2
		push	2
		push	[ebp+var_34]
		push	[ebp+var_38]
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A2E271
		cmp	eax, 0C0000120h
		jz	short loc_A2E287
		test	eax, eax
		jz	short loc_A2E271
		mov	esi, 0C00000E5h

loc_A2E271:				; CODE XREF: _CmCreateInstallerClass(x,x,x,x,x,x)+8Ej
					; _CmCreateInstallerClass(x,x,x,x,x,x)+AAj ...
		test	esi, esi
		js	short loc_A2E295
		test	ebx, ebx
		jz	short loc_A2E295
		mov	eax, [ebp+var_24]
		mov	[ebx], eax
		jmp	short loc_A2E2A3
; 

loc_A2E280:				; CODE XREF: _CmCreateInstallerClass(x,x,x,x,x,x)+6Ej
		cmp	eax, 0C0000120h
		jnz	short loc_A2E28C

loc_A2E287:				; CODE XREF: _CmCreateInstallerClass(x,x,x,x,x,x)+B1j
		mov	esi, [ebp+var_30]
		jmp	short loc_A2E271
; 

loc_A2E28C:				; CODE XREF: _CmCreateInstallerClass(x,x,x,x,x,x)+D0j
		test	eax, eax
		jz	short loc_A2E227
		mov	esi, 0C00000E5h

loc_A2E295:				; CODE XREF: _CmCreateInstallerClass(x,x,x,x,x,x)+BEj
					; _CmCreateInstallerClass(x,x,x,x,x,x)+C2j
		cmp	[ebp+var_24], 0
		jz	short loc_A2E2A3
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)

loc_A2E2A3:				; CODE XREF: _CmCreateInstallerClass(x,x,x,x,x,x)+C9j
					; _CmCreateInstallerClass(x,x,x,x,x,x)+E4j
		test	esi, esi
		js	short loc_A2E2B3
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_A2E2B3
		mov	al, byte ptr [ebp+var_20]
		mov	[ecx], al

loc_A2E2B3:				; CODE XREF: _CmCreateInstallerClass(x,x,x,x,x,x)+F0j
					; _CmCreateInstallerClass(x,x,x,x,x,x)+F7j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
__CmCreateInstallerClass@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmCreateInstallerClassWorker(x, x,	x, x, x, x)
__CmCreateInstallerClassWorker@24 proc near
					; CODE XREF: _CmCreateInstallerClass(x,x,x,x,x,x)+85p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= word ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	eax, [ebp+arg_C]
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		test	eax, eax
		jz	short loc_A2E2E6
		mov	esi, 0C000000Dh
		jmp	short loc_A2E321
; 

loc_A2E2E6:				; CODE XREF: _CmCreateInstallerClassWorker(x,x,x,x,x,x)+17j
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	1
		push	[ebp+arg_0]
		push	0
		push	20h
		call	_CmOpenCommonClassRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A2E321
		cmp	[ebp+var_4], 1
		mov	eax, [ebp+arg_8]
		setz	cl
		mov	[eax], cl
		test	cl, cl
		jz	short loc_A2E321
		mov	eax, [ebp+arg_4]
		mov	edx, edi
		mov	ecx, ebx
		push	dword ptr [eax]
		push	2
		call	__CmRaiseCreateEvent@16	; _CmRaiseCreateEvent(x,x,x,x)

loc_A2E321:				; CODE XREF: _CmCreateInstallerClassWorker(x,x,x,x,x,x)+1Ej
					; _CmCreateInstallerClassWorker(x,x,x,x,x,x)+39j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
__CmCreateInstallerClassWorker@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmCreateInterfaceClass(x, x, x, x,	x, x)
__CmCreateInterfaceClass@24 proc near	; CODE XREF: PiCMOpenClassKey+12AA1Dp
					; _PnpDispatchInterfaceClass+11853Fp ...

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, ecx
		push	2Ch		; size_t
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_30]
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], edx
		mov	[ebp+var_38], esi
		call	_memset
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	ebx, [esi+100h]
		add	esp, 0Ch
		inc	ecx
		test	eax, eax
		jnz	short loc_A2E377
		mov	[ebp+var_28], ecx
		test	edi, edi
		jz	short loc_A2E37A

loc_A2E377:				; CODE XREF: _CmCreateInterfaceClass(x,x,x,x,x,x)+44j
		mov	[ebp+var_28], eax

loc_A2E37A:				; CODE XREF: _CmCreateInterfaceClass(x,x,x,x,x,x)+4Bj
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_1C], eax
		test	ebx, ebx
		jz	short loc_A2E39C
		lea	eax, [ebp+var_30]
		push	eax
		push	ecx
		push	2
		push	4
		push	[ebp+var_34]
		push	esi
		call	ebx
		cmp	eax, 0C0000002h
		jnz	short loc_A2E3F5
		xor	ebx, ebx

loc_A2E39C:				; CODE XREF: _CmCreateInterfaceClass(x,x,x,x,x,x)+58j
					; _CmCreateInterfaceClass(x,x,x,x,x,x)+D9j
		push	[ebp+var_1C]
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_24]
		mov	ecx, esi
		push	eax
		push	[ebp+var_28]
		call	__CmCreateInterfaceClassWorker@24 ; _CmCreateInterfaceClassWorker(x,x,x,x,x,x)
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_A2E3E6
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	2
		push	4
		push	[ebp+var_34]
		push	[ebp+var_38]
		call	ebx
		cmp	eax, 0C0000002h
		jz	short loc_A2E3E6
		cmp	eax, 0C0000120h
		jz	short loc_A2E3FC
		test	eax, eax
		jz	short loc_A2E3E6
		mov	esi, 0C00000E5h

loc_A2E3E6:				; CODE XREF: _CmCreateInterfaceClass(x,x,x,x,x,x)+8Ej
					; _CmCreateInterfaceClass(x,x,x,x,x,x)+AAj ...
		test	esi, esi
		js	short loc_A2E40A
		test	edi, edi
		jz	short loc_A2E40A
		mov	eax, [ebp+var_24]
		mov	[edi], eax
		jmp	short loc_A2E418
; 

loc_A2E3F5:				; CODE XREF: _CmCreateInterfaceClass(x,x,x,x,x,x)+6Ej
		cmp	eax, 0C0000120h
		jnz	short loc_A2E401

loc_A2E3FC:				; CODE XREF: _CmCreateInterfaceClass(x,x,x,x,x,x)+B1j
		mov	esi, [ebp+var_30]
		jmp	short loc_A2E3E6
; 

loc_A2E401:				; CODE XREF: _CmCreateInterfaceClass(x,x,x,x,x,x)+D0j
		test	eax, eax
		jz	short loc_A2E39C
		mov	esi, 0C00000E5h

loc_A2E40A:				; CODE XREF: _CmCreateInterfaceClass(x,x,x,x,x,x)+BEj
					; _CmCreateInterfaceClass(x,x,x,x,x,x)+C2j
		cmp	[ebp+var_24], 0
		jz	short loc_A2E418
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)

loc_A2E418:				; CODE XREF: _CmCreateInterfaceClass(x,x,x,x,x,x)+C9j
					; _CmCreateInterfaceClass(x,x,x,x,x,x)+E4j
		test	esi, esi
		js	short loc_A2E428
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_A2E428
		mov	al, byte ptr [ebp+var_20]
		mov	[ecx], al

loc_A2E428:				; CODE XREF: _CmCreateInterfaceClass(x,x,x,x,x,x)+F0j
					; _CmCreateInterfaceClass(x,x,x,x,x,x)+F7j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
__CmCreateInterfaceClass@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmCreateInterfaceClassWorker(x, x,	x, x, x, x)
__CmCreateInterfaceClassWorker@24 proc near
					; CODE XREF: _CmCreateInterfaceClass(x,x,x,x,x,x)+85p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= word ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	eax, [ebp+arg_C]
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		test	eax, eax
		jz	short loc_A2E45B
		mov	esi, 0C000000Dh
		jmp	short loc_A2E496
; 

loc_A2E45B:				; CODE XREF: _CmCreateInterfaceClassWorker(x,x,x,x,x,x)+17j
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	1
		push	[ebp+arg_0]
		push	0
		push	40h
		call	_CmOpenCommonClassRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A2E496
		cmp	[ebp+var_4], 1
		mov	eax, [ebp+arg_8]
		setz	cl
		mov	[eax], cl
		test	cl, cl
		jz	short loc_A2E496
		mov	eax, [ebp+arg_4]
		mov	edx, edi
		mov	ecx, ebx
		push	dword ptr [eax]
		push	4
		call	__CmRaiseCreateEvent@16	; _CmRaiseCreateEvent(x,x,x,x)

loc_A2E496:				; CODE XREF: _CmCreateInterfaceClassWorker(x,x,x,x,x,x)+1Ej
					; _CmCreateInterfaceClassWorker(x,x,x,x,x,x)+39j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
__CmCreateInterfaceClassWorker@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmCreateOrdinalInstanceKey(x, x, x, x, x, x)
__CmCreateOrdinalInstanceKey@24	proc near ; CODE XREF: _CmGetDeviceSoftwareKey+1261D3p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_14], edx
		push	24h		; int
		push	esi		; wchar_t **
		push	offset ??_C@_19BCMMBPBA@?$AA9?$AA9?$AA9?$AAA@NNGAKEGL@ ; wchar_t *
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	_wcstoul
		add	esp, 0Ch
		mov	[ebp+var_C], eax
		push	24h		; int
		push	esi		; wchar_t **
		push	offset ??_C@_19HPAAKKFB@?$AAZ?$AAZ?$AAZ?$AAZ@NNGAKEGL@ ; wchar_t *
		call	_wcstoul
		mov	ecx, eax
		add	esp, 0Ch
		mov	eax, [ebp+var_C]
		mov	[ebp+var_18], ecx
		test	eax, eax
		jz	short loc_A2E517
		cmp	eax, 0FFFFFFFFh
		jz	short loc_A2E517
		test	ecx, ecx
		jz	short loc_A2E517
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_A2E517
		mov	ebx, [ebp+arg_0]
		mov	edi, esi

loc_A2E4FA:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+8Cj
					; _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+12Ej
		cmp	edi, 270Fh
		ja	short loc_A2E525
		push	edi
		push	offset ??_C@_19PDMGBJHF@?$AA?$CF?$AA0?$AA4?$AAu@NNGAKEGL@
		push	5
		push	ebx
		call	_swprintf_s
		add	esp, 10h
		test	eax, eax
		jns	short loc_A2E547

loc_A2E517:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+46j
					; _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+4Bj	...
		mov	esi, 0C00000E5h

loc_A2E51C:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+156j
					; _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+164j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_A2E525:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+61j
		cmp	edi, eax
		jnb	short loc_A2E52D
		mov	edi, eax
		jmp	short loc_A2E4FA
; 

loc_A2E52D:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+88j
		cmp	edi, ecx
		ja	loc_A2E5EE
		push	24h
		push	5
		push	ebx
		push	edi
		call	__ultow_s
		add	esp, 10h
		test	eax, eax
		jnz	short loc_A2E517

loc_A2E547:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+76j
		movzx	eax, word ptr [ebx]
		mov	ecx, ebx
		mov	[ebp+arg_0], 1
		test	ax, ax
		jz	short loc_A2E580
		mov	edx, eax

loc_A2E55A:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+DFj
		movzx	eax, dx
		add	eax, 0FFFFFFBFh
		cmp	eax, 38h
		ja	short loc_A2E573
		movzx	eax, ds:byte_A2E613[eax]
		jmp	ds:off_A2E60B[eax*4]

loc_A2E573:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+C4j
					; DATA XREF: PAGE:00A2E60Fo
		add	ecx, 2
		movzx	eax, word ptr [ecx]
		mov	edx, eax
		test	ax, ax
		jnz	short loc_A2E55A

loc_A2E580:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+B7j
		mov	eax, [ebp+var_10]
		mov	ecx, esi
		test	eax, eax
		jz	short loc_A2E58C
		mov	ecx, [eax+74h]

loc_A2E58C:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+E8j
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	esi
		push	1
		push	esi
		push	ebx
		call	__SysCtxRegCreateKey@36	; _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jz	loc_A2E517
		test	eax, eax
		js	short loc_A2E5EA
		cmp	[ebp+var_8], 1
		jz	short loc_A2E5FB
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_4], esi

loc_A2E5C5:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+13Fj
					; _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+149j
		mov	eax, [ebp+var_C]
		add	edi, ecx
		mov	ecx, [ebp+var_18]
		jmp	loc_A2E4FA
; 

loc_A2E5D2:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+CDj
					; DATA XREF: PAGE:off_A2E60Bo
		sub	ecx, ebx
		push	3
		sar	ecx, 1
		pop	eax
		sub	eax, ecx
		mov	ecx, [ebp+arg_0]
		jz	short loc_A2E5C5

loc_A2E5E0:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+147j
		imul	ecx, 24h
		sub	eax, 1
		jnz	short loc_A2E5E0
		jmp	short loc_A2E5C5
; 

loc_A2E5EA:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+110j
		mov	esi, eax
		jmp	short loc_A2E5F3
; 

loc_A2E5EE:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+90j
		mov	esi, 8000001Ah

loc_A2E5F3:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+14Dj
		test	esi, esi
		js	loc_A2E51C

loc_A2E5FB:				; CODE XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+116j
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+var_4]
		mov	[ecx], eax
		jmp	loc_A2E51C
__CmCreateOrdinalInstanceKey@24	endp

; 
		db 8Dh,	49h, 0
off_A2E60B	dd offset loc_A2E5D2	; DATA XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+CDr
		dd offset loc_A2E573
byte_A2E613	db 0			; DATA XREF: _CmCreateOrdinalInstanceKey(x,x,x,x,x,x)+C6r
; 
		add	[ecx], eax
		add	[eax], eax
		add	[ecx], eax
		add	[eax], eax
		add	[ecx], eax
		add	[ecx], eax
		add	[eax], eax
		add	[ecx], eax
		add	[ecx], eax
		add	[eax], eax
		add	[ecx], al
		add	[eax], eax
		add	[ecx], eax
		add	[ecx], eax
		add	[ecx], eax
		add	[eax], eax
		add	[ecx], eax
		add	[eax], eax
		add	[ecx], eax
		add	[eax], eax
		add	[ecx], eax
		add	[ecx], eax
		add	[eax], eax
		add	[ecx], eax
		add	[ecx], eax
		add	[eax], eax
		add	[ecx], al
		add	[eax], eax

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteCommonClassRegKey(x, x, x,	x, x)
__CmDeleteCommonClassRegKey@20 proc near
					; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+93p
					; _CmDeleteInstallerClassWorker(x,x,x)+1C6p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		lea	eax, [ebp+var_30]
		mov	[ebp+var_34], edx
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_38], esi
		call	_memset
		mov	ecx, [ebp+arg_0]
		add	esp, 0Ch
		movzx	eax, cl
		cmp	eax, 20h
		jnz	short loc_A2E688
		push	2
		jmp	short loc_A2E693
; 

loc_A2E688:				; CODE XREF: _CmDeleteCommonClassRegKey(x,x,x,x,x)+36j
		cmp	eax, 40h
		jnz	loc_A2E721
		push	4

loc_A2E693:				; CODE XREF: _CmDeleteCommonClassRegKey(x,x,x,x,x)+3Aj
		mov	eax, [ebp+arg_4]
		mov	edi, [esi+100h]
		and	[ebp+var_1C], 0
		mov	[ebp+var_24], eax
		mov	al, [ebp+arg_8]
		mov	[ebp+var_28], ecx
		mov	byte ptr [ebp+var_20], al
		pop	ebx
		test	edi, edi
		jz	short loc_A2E6C9
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	0Ch
		push	ebx
		push	[ebp+var_34]
		push	esi
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A2E70A
		xor	edi, edi

loc_A2E6C9:				; CODE XREF: _CmDeleteCommonClassRegKey(x,x,x,x,x)+63j
					; _CmDeleteCommonClassRegKey(x,x,x,x,x)+CCj
		push	[ebp+var_20]
		mov	edx, [ebp+var_34]
		mov	ecx, esi
		push	[ebp+var_24]
		push	[ebp+var_28]
		call	__CmDeleteCommonClassRegKeyWorker@20 ; _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A2E726
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	0Ch
		push	ebx
		push	[ebp+var_34]
		push	[ebp+var_38]
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A2E726
		cmp	eax, 0C0000120h
		jz	short loc_A2E711
		test	eax, eax
		jz	short loc_A2E726
		jmp	short loc_A2E71A
; 

loc_A2E70A:				; CODE XREF: _CmDeleteCommonClassRegKey(x,x,x,x,x)+79j
		cmp	eax, 0C0000120h
		jnz	short loc_A2E716

loc_A2E711:				; CODE XREF: _CmDeleteCommonClassRegKey(x,x,x,x,x)+B6j
		mov	esi, [ebp+var_30]
		jmp	short loc_A2E726
; 

loc_A2E716:				; CODE XREF: _CmDeleteCommonClassRegKey(x,x,x,x,x)+C3j
		test	eax, eax
		jz	short loc_A2E6C9

loc_A2E71A:				; CODE XREF: _CmDeleteCommonClassRegKey(x,x,x,x,x)+BCj
		mov	esi, 0C00000E5h
		jmp	short loc_A2E726
; 

loc_A2E721:				; CODE XREF: _CmDeleteCommonClassRegKey(x,x,x,x,x)+3Fj
		mov	esi, 0C000000Dh

loc_A2E726:				; CODE XREF: _CmDeleteCommonClassRegKey(x,x,x,x,x)+94j
					; _CmDeleteCommonClassRegKey(x,x,x,x,x)+AFj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
__CmDeleteCommonClassRegKey@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteCommonClassRegKeyWorker(x,	x, x, x, x)
__CmDeleteCommonClassRegKeyWorker@20 proc near
					; CODE XREF: _CmDeleteCommonClassRegKey(x,x,x,x,x)+8Bp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		xor	eax, eax
		mov	[esp+30h+var_20], 4
		test	[ebp+arg_0], 200h
		mov	ebx, ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	[esp+38h+var_10], ebx
		mov	edi, 0C8h
		mov	[esp+38h+var_C], esi
		mov	[esp+38h+var_14], eax
		mov	[esp+38h+var_24], eax
		mov	[esp+38h+var_1C], eax
		mov	[esp+38h+var_8], eax
		mov	[esp+38h+var_4], eax
		mov	[esp+38h+var_18], edi
		jz	short loc_A2E78A
		add	edi, 78h
		mov	[esp+38h+var_18], edi

loc_A2E78A:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+48j
		push	52504E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		jmp	short loc_A2E7FD
; 

loc_A2E799:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+CCj
		lea	eax, [esp+38h+var_14]
		mov	edx, esi
		push	eax		; int
		mov	eax, edi
		shr	eax, 1
		push	eax		; int
		push	ecx		; void *
		push	ecx		; int
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		call	_CmGetCommonClassRegKeyPath
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_A2E80E
		mov	edi, [esp+38h+var_28]
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+38h+var_14]
		xor	edi, edi
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [esp+38h+var_18]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2EA22
		mov	edi, [esp+38h+var_18]
		push	52504E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, [esp+38h+var_C]

loc_A2E7FD:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+5Ej
		mov	ecx, eax
		mov	[esp+38h+var_28], ecx
		test	ecx, ecx
		jnz	short loc_A2E799
		mov	esi, 0C0000017h
		jmp	short loc_A2E812
; 

loc_A2E80E:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+81j
		mov	ecx, [esp+38h+var_28]

loc_A2E812:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+D3j
		test	esi, esi
		js	loc_A2EA1E
		test	[ebp+arg_0], 100h
		jnz	loc_A2E920
		push	ecx
		lea	eax, [esp+3Ch+var_8]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2EA1E
		mov	si, word ptr [esp+38h+var_8]
		movzx	eax, si
		cmp	eax, edi
		jnb	loc_A2E916
		cmp	si, 32h
		jbe	loc_A2E916
		push	1
		lea	eax, [esp+3Ch+var_8]
		push	eax
		push	(offset	loc_404F8D+3)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		mov	edi, [esp+38h+var_28]
		test	al, al
		jnz	short loc_A2E879
		mov	esi, 0C000000Dh
		jmp	loc_A2EA22
; 

loc_A2E879:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+134j
		mov	eax, 0FFCEh
		add	edi, 32h
		add	word ptr [esp+38h+var_8+2], ax
		add	si, ax
		push	1
		lea	eax, [esp+3Ch+var_8]
		mov	[esp+3Ch+var_4], edi
		push	eax
		push	offset ?ClassKeyPrefix@?1??_CmDeleteCommonClassRegKeyWorker@@9@9 ; `_CmDeleteCommonClassRegKeyWorker'::`2'::ClassKeyPrefix
		mov	word ptr [esp+44h+var_8], si
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A2E8B3
		push	7
		pop	eax
		mov	[esp+38h+var_20], eax
		add	edi, 1Ch
		jmp	short loc_A2E8F8
; 

loc_A2E8B3:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+16Cj
		push	1
		lea	eax, [esp+3Ch+var_8]
		push	eax
		push	(offset	loc_404F97+1)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A2E8D4
		push	8
		pop	eax
		mov	[esp+38h+var_20], eax
		add	edi, 2Ch
		jmp	short loc_A2E8F8
; 

loc_A2E8D4:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+18Dj
		push	1
		lea	eax, [esp+3Ch+var_8]
		push	eax
		push	(offset	loc_404F87+1)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A2E8F5
		push	0Eh
		pop	eax
		mov	[esp+38h+var_20], eax
		add	edi, 24h
		jmp	short loc_A2E8F8
; 

loc_A2E8F5:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+1AEj
		push	4
		pop	eax

loc_A2E8F8:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+178j
					; _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+199j ...
		lea	ecx, [esp+38h+var_24]
		mov	edx, eax
		push	ecx
		mov	ecx, ebx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2EA1E
		mov	ecx, [esp+38h+var_24]
		jmp	short loc_A2E950
; 

loc_A2E916:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+10Dj
					; _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+117j
		mov	esi, 0C000000Dh
		jmp	loc_A2EA1E
; 

loc_A2E920:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+E8j
		mov	edi, ecx
		test	ebx, ebx
		jnz	short loc_A2E92A
		xor	ecx, ecx
		jmp	short loc_A2E92D
; 

loc_A2E92A:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+1EBj
		mov	ecx, [ebx+74h]

loc_A2E92D:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+1EFj
		lea	eax, [esp+38h+var_1C]
		xor	edx, edx
		push	eax
		push	2000000h
		call	__SysCtxRegOpenCurrentUserKey@16 ; _SysCtxRegOpenCurrentUserKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2EA1E
		mov	ecx, [esp+38h+var_1C]
		mov	[esp+38h+var_24], ecx

loc_A2E950:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+1DBj
		cmp	[ebp+arg_8], 0
		jz	short loc_A2E974
		test	ebx, ebx
		jz	short loc_A2E966
		mov	eax, [ebx+74h]
		test	eax, eax
		jz	short loc_A2E966
		mov	eax, [eax+4]
		jmp	short loc_A2E968
; 

loc_A2E966:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+21Fj
					; _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+226j
		xor	eax, eax

loc_A2E968:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+22Bj
		push	0
		push	eax
		mov	edx, edi
		call	_RegRtlDeleteTreeInternal
		jmp	short loc_A2E98E
; 

loc_A2E974:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+21Bj
		test	ebx, ebx
		jz	short loc_A2E984
		mov	eax, [ebx+74h]
		test	eax, eax
		jz	short loc_A2E984
		mov	eax, [eax+4]
		jmp	short loc_A2E986
; 

loc_A2E984:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+23Dj
					; _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+244j
		xor	eax, eax

loc_A2E986:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+249j
		push	eax
		mov	edx, edi
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)

loc_A2E98E:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+239j
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A2E9A4
		cmp	ebx, 0C000017Ch
		jz	short loc_A2E9A4
		cmp	ebx, 0C0000034h
		jnz	short loc_A2EA10

loc_A2E9A4:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+259j
					; _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+261j
		cmp	[esp+38h+var_20], 8
		jnz	short loc_A2EA10
		mov	eax, [esp+38h+var_10]
		cmp	byte ptr [eax+4], 0
		jz	short loc_A2EA10
		lea	ecx, [esp+38h+var_24]
		push	ecx
		push	9
		pop	edx
		mov	ecx, eax
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2EA1E
		cmp	[ebp+arg_8], 0
		mov	eax, [esp+38h+var_10]
		mov	eax, [eax+74h]
		jz	short loc_A2E9EE
		test	eax, eax
		jz	short loc_A2E9DE
		mov	eax, [eax+4]

loc_A2E9DE:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+2A0j
		mov	ecx, [esp+38h+var_24]
		mov	edx, edi
		push	0
		push	eax
		call	_RegRtlDeleteTreeInternal
		jmp	short loc_A2EA01
; 

loc_A2E9EE:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+29Cj
		test	eax, eax
		jz	short loc_A2E9F5
		mov	eax, [eax+4]

loc_A2E9F5:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+2B7j
		mov	ecx, [esp+38h+var_24]
		mov	edx, edi
		push	eax
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)

loc_A2EA01:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+2B3j
		mov	ecx, 0C0000034h
		cmp	ebx, ecx
		jz	short loc_A2EA0E
		cmp	eax, ecx
		jz	short loc_A2EA10

loc_A2EA0E:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+2CFj
		mov	ebx, eax

loc_A2EA10:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+269j
					; _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+270j ...
		cmp	ebx, 0C000017Ch
		jz	short loc_A2EA1E
		test	ebx, ebx
		jns	short loc_A2EA1E
		mov	esi, ebx

loc_A2EA1E:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+DBj
					; _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+FDj ...
		mov	edi, [esp+38h+var_28]

loc_A2EA22:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+A9j
					; _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+13Bj
		cmp	[esp+38h+var_1C], 0
		jz	short loc_A2EA32
		push	[esp+38h+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_A2EA32:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+2EEj
		test	edi, edi
		jz	short loc_A2EA3E
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2EA3E:				; CODE XREF: _CmDeleteCommonClassRegKeyWorker(x,x,x,x,x)+2FBj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
__CmDeleteCommonClassRegKeyWorker@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDevice(x, x, x)
__CmDeleteDevice@12 proc near		; CODE XREF: _PnpDispatchDevice+117DD7p
					; PpDevCfgProcessDevices+A1CA6p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		lea	eax, [ebp+var_30]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], esi
		mov	ebx, ecx
		call	_memset
		mov	edi, [ebx+100h]
		add	esp, 0Ch
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_28], eax
		test	edi, edi
		jz	short loc_A2EAAE
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	3
		push	1
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A2EA9E
		xor	edi, edi
		jmp	short loc_A2EAAE
; 

loc_A2EA9E:				; CODE XREF: _CmDeleteDevice(x,x,x)+4Fj
		cmp	eax, 0C0000120h
		jnz	short loc_A2EAAA

loc_A2EAA5:				; CODE XREF: _CmDeleteDevice(x,x,x)+96j
		mov	esi, [ebp+var_30]
		jmp	short loc_A2EAEA
; 

loc_A2EAAA:				; CODE XREF: _CmDeleteDevice(x,x,x)+5Aj
		test	eax, eax
		jnz	short loc_A2EAE5

loc_A2EAAE:				; CODE XREF: _CmDeleteDevice(x,x,x)+3Aj
					; _CmDeleteDevice(x,x,x)+53j
		push	[ebp+var_28]
		mov	edx, esi
		mov	ecx, ebx
		call	__CmDeleteDeviceWorker@12 ; _CmDeleteDeviceWorker(x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A2EAEA
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	3
		push	1
		push	[ebp+var_34]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A2EAEA
		cmp	eax, 0C0000120h
		jz	short loc_A2EAA5
		test	eax, eax
		jz	short loc_A2EAEA

loc_A2EAE5:				; CODE XREF: _CmDeleteDevice(x,x,x)+63j
		mov	esi, 0C00000E5h

loc_A2EAEA:				; CODE XREF: _CmDeleteDevice(x,x,x)+5Fj
					; _CmDeleteDevice(x,x,x)+75j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
__CmDeleteDevice@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDeviceInterface(x,	x, x)
__CmDeleteDeviceInterface@12 proc near	; CODE XREF: _PnpDispatchDeviceInterface+11A8D2p
					; IopRegisterDeviceInterface+991CAp ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		lea	eax, [ebp+var_30]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], esi
		mov	ebx, ecx
		call	_memset
		mov	edi, [ebx+100h]
		add	esp, 0Ch
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_28], eax
		test	edi, edi
		jz	short loc_A2EB62
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	3
		push	3
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A2EB52
		xor	edi, edi
		jmp	short loc_A2EB62
; 

loc_A2EB52:				; CODE XREF: _CmDeleteDeviceInterface(x,x,x)+4Fj
		cmp	eax, 0C0000120h
		jnz	short loc_A2EB5E

loc_A2EB59:				; CODE XREF: _CmDeleteDeviceInterface(x,x,x)+96j
		mov	esi, [ebp+var_30]
		jmp	short loc_A2EB9E
; 

loc_A2EB5E:				; CODE XREF: _CmDeleteDeviceInterface(x,x,x)+5Aj
		test	eax, eax
		jnz	short loc_A2EB99

loc_A2EB62:				; CODE XREF: _CmDeleteDeviceInterface(x,x,x)+3Aj
					; _CmDeleteDeviceInterface(x,x,x)+53j
		push	[ebp+var_28]
		mov	edx, esi
		mov	ecx, ebx
		call	__CmDeleteDeviceInterfaceWorker@12 ; _CmDeleteDeviceInterfaceWorker(x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A2EB9E
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	3
		push	3
		push	[ebp+var_34]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A2EB9E
		cmp	eax, 0C0000120h
		jz	short loc_A2EB59
		test	eax, eax
		jz	short loc_A2EB9E

loc_A2EB99:				; CODE XREF: _CmDeleteDeviceInterface(x,x,x)+63j
		mov	esi, 0C00000E5h

loc_A2EB9E:				; CODE XREF: _CmDeleteDeviceInterface(x,x,x)+5Fj
					; _CmDeleteDeviceInterface(x,x,x)+75j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
__CmDeleteDeviceInterface@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDeviceInterfaceRegKey(x, x, x, x, x)
__CmDeleteDeviceInterfaceRegKey@20 proc	near
					; CODE XREF: PiCMDeleteDeviceInterfaceKey(x,x,x,x,x,x)+73p
					; _CmDeleteDeviceInterfaceWorker(x,x,x)+5Cp ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		lea	eax, [ebp+var_30]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], esi
		mov	ebx, ecx
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	edi, [ebx+100h]
		and	[ebp+var_24], 0
		and	[ebp+var_1C], 0
		mov	[ebp+var_28], eax
		mov	al, [ebp+arg_8]
		mov	byte ptr [ebp+var_20], al
		test	edi, edi
		jz	short loc_A2EC24
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	0Ch
		push	3
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A2EC14
		xor	edi, edi
		jmp	short loc_A2EC24
; 

loc_A2EC14:				; CODE XREF: _CmDeleteDeviceInterfaceRegKey(x,x,x,x,x)+5Dj
		cmp	eax, 0C0000120h
		jnz	short loc_A2EC20

loc_A2EC1B:				; CODE XREF: _CmDeleteDeviceInterfaceRegKey(x,x,x,x,x)+AAj
		mov	esi, [ebp+var_30]
		jmp	short loc_A2EC66
; 

loc_A2EC20:				; CODE XREF: _CmDeleteDeviceInterfaceRegKey(x,x,x,x,x)+68j
		test	eax, eax
		jnz	short loc_A2EC61

loc_A2EC24:				; CODE XREF: _CmDeleteDeviceInterfaceRegKey(x,x,x,x,x)+48j
					; _CmDeleteDeviceInterfaceRegKey(x,x,x,x,x)+61j
		push	[ebp+var_20]
		mov	edx, esi
		mov	ecx, ebx
		push	[ebp+var_24]
		push	[ebp+var_28]
		call	__CmDeleteDeviceInterfaceRegKeyWorker@20 ; _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A2EC66
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	0Ch
		push	3
		push	[ebp+var_34]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A2EC66
		cmp	eax, 0C0000120h
		jz	short loc_A2EC1B
		test	eax, eax
		jz	short loc_A2EC66

loc_A2EC61:				; CODE XREF: _CmDeleteDeviceInterfaceRegKey(x,x,x,x,x)+71j
		mov	esi, 0C00000E5h

loc_A2EC66:				; CODE XREF: _CmDeleteDeviceInterfaceRegKey(x,x,x,x,x)+6Dj
					; _CmDeleteDeviceInterfaceRegKey(x,x,x,x,x)+89j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
__CmDeleteDeviceInterfaceRegKey@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDeviceInterfaceRegKeyWorker(x, x, x, x, x)
__CmDeleteDeviceInterfaceRegKeyWorker@20 proc near
					; CODE XREF: _CmDeleteDeviceInterfaceRegKey(x,x,x,x,x)+80p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_18], ecx
		and	[ebp+var_10], ebx
		and	[ebp+var_14], ebx
		and	[ebp+var_4], ebx
		and	[ebp+var_C], ebx
		and	[ebp+var_24], ebx
		and	[ebp+var_20], ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	[ebp+var_1C], esi
		cmp	[ebp+arg_0], ebx
		jz	loc_A2EEBA
		test	[ebp+arg_0], 0FFFFFCCCh
		jnz	loc_A2EEBA
		test	[ebp+arg_0], 200h
		mov	edi, 1E0h
		mov	[ebp+var_8], edi
		jz	short loc_A2ECCD
		add	edi, 78h
		mov	[ebp+var_8], edi

loc_A2ECCD:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+4Cj
		push	52504E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		jmp	short loc_A2ED37
; 

loc_A2ECDC:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+C2j
		lea	eax, [ebp+var_10]
		mov	edx, esi
		push	eax
		mov	eax, edi
		shr	eax, 1
		push	eax
		push	ebx
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_CmGetDeviceInterfaceRegKeyPath
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_A2ED42
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_10]
		xor	ebx, ebx
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2EEBF
		mov	edi, [ebp+var_8]
		push	52504E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, [ebp+var_1C]

loc_A2ED37:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+61j
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A2ECDC
		mov	esi, 0C0000017h

loc_A2ED42:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+83j
		test	esi, esi
		js	loc_A2EEBF
		test	[ebp+arg_0], 100h
		jnz	loc_A2EE11
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2EEBF
		movzx	eax, word ptr [ebp+var_24]
		cmp	eax, edi
		jnb	loc_A2EEBA
		mov	di, word ptr [ebp+var_24]
		cmp	di, 32h
		jbe	loc_A2EEBA
		push	1
		lea	eax, [ebp+var_24]
		push	eax
		push	(offset	loc_404F8D+3)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_A2EEBA
		mov	eax, 0FFCEh
		lea	esi, [ebx+32h]
		add	word ptr [ebp+var_24+2], ax
		add	di, ax
		push	1
		lea	eax, [ebp+var_24]
		mov	[ebp+arg_4], esi
		push	eax
		push	(offset	loc_404F97+1)
		mov	[ebp+var_20], esi
		mov	word ptr [ebp+var_24], di
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A2EDD4
		push	9
		add	esi, 2Ch

loc_A2EDCF:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+174j
		mov	[ebp+arg_4], esi
		jmp	short loc_A2EDF1
; 

loc_A2EDD4:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+14Fj
		push	1
		lea	eax, [ebp+var_24]
		push	eax
		push	(offset	loc_404F87+1)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A2EDEF
		push	0Eh
		add	esi, 24h
		jmp	short loc_A2EDCF
; 

loc_A2EDEF:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+16Dj
		push	4

loc_A2EDF1:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+159j
		mov	edi, [ebp+var_18]
		lea	ecx, [ebp+var_14]
		pop	eax
		push	ecx
		mov	edx, eax
		mov	ecx, edi
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2EEBF
		mov	eax, [ebp+var_14]
		jmp	short loc_A2EE3F
; 

loc_A2EE11:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+D8j
		mov	edi, [ebp+var_18]
		mov	[ebp+arg_4], ebx
		test	edi, edi
		jnz	short loc_A2EE1F
		xor	ecx, ecx
		jmp	short loc_A2EE22
; 

loc_A2EE1F:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+1A0j
		mov	ecx, [edi+74h]

loc_A2EE22:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+1A4j
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		push	2000000h
		call	__SysCtxRegOpenCurrentUserKey@16 ; _SysCtxRegOpenCurrentUserKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2EEBF
		mov	eax, [ebp+var_4]

loc_A2EE3F:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+196j
		cmp	[ebp+arg_0], 31h
		mov	[ebp+var_8], eax
		jz	short loc_A2EE65
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_C]
		push	0
		push	eax
		push	0
		push	1
		push	ecx
		push	30h
		mov	ecx, edi
		call	_CmOpenDeviceInterfaceRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A2EEBF

loc_A2EE65:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+1CDj
		cmp	[ebp+arg_8], 0
		jz	short loc_A2EE8D
		test	edi, edi
		jz	short loc_A2EE7B
		mov	eax, [edi+74h]
		test	eax, eax
		jz	short loc_A2EE7B
		mov	eax, [eax+4]
		jmp	short loc_A2EE7D
; 

loc_A2EE7B:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+1F4j
					; _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+1FBj
		xor	eax, eax

loc_A2EE7D:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+200j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_8]
		push	0
		push	eax
		call	_RegRtlDeleteTreeInternal
		jmp	short loc_A2EEAB
; 

loc_A2EE8D:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+1F0j
		test	edi, edi
		jz	short loc_A2EE9D
		mov	eax, [edi+74h]
		test	eax, eax
		jz	short loc_A2EE9D
		mov	eax, [eax+4]
		jmp	short loc_A2EE9F
; 

loc_A2EE9D:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+216j
					; _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+21Dj
		xor	eax, eax

loc_A2EE9F:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+222j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+var_8]
		push	eax
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)

loc_A2EEAB:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+212j
		cmp	eax, 0C000017Ch
		jz	short loc_A2EEBF
		test	eax, eax
		jns	short loc_A2EEBF
		mov	esi, eax
		jmp	short loc_A2EEBF
; 

loc_A2EEBA:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+2Aj
					; _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+37j ...
		mov	esi, 0C000000Dh

loc_A2EEBF:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+A5j
					; _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+CBj ...
		cmp	[ebp+var_C], 0
		jz	short loc_A2EECD
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_A2EECD:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+24Aj
		cmp	[ebp+var_4], 0
		jz	short loc_A2EEDB
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A2EEDB:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+258j
		test	ebx, ebx
		jz	short loc_A2EEE7
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2EEE7:				; CODE XREF: _CmDeleteDeviceInterfaceRegKeyWorker(x,x,x,x,x)+264j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
__CmDeleteDeviceInterfaceRegKeyWorker@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDeviceInterfaceWorker(x, x, x)
__CmDeleteDeviceInterfaceWorker@12 proc	near
					; CODE XREF: _CmDeleteDeviceInterface(x,x,x)+6Cp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+24h+var_4], eax
		movzx	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+2Ch+var_20], edx
		mov	[esp+2Ch+var_1C], ecx
		push	edi
		test	eax, eax
		jz	short loc_A2EF25
		mov	esi, 0C000000Dh
		jmp	loc_A2F112
; 

loc_A2EF25:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+29j
		mov	[esp+30h+var_10], 300h
		xor	edi, edi
		mov	[esp+30h+var_C], 200h
		mov	[esp+30h+var_8], 100h

loc_A2EF3F:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+BCj
		mov	ebx, [esp+edi*4+30h+var_10]
		mov	eax, ebx
		push	1
		push	ecx
		or	eax, 30h
		push	eax
		call	__CmDeleteDeviceInterfaceRegKey@20 ; _CmDeleteDeviceInterfaceRegKey(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A2EF6A
		cmp	eax, 0C0000034h
		jz	short loc_A2EF6A
		cmp	eax, 0C000000Dh
		jz	short loc_A2EF6A
		cmp	eax, 0C00000BBh
		jnz	short loc_A2EFAE

loc_A2EF6A:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+63j
					; _CmDeleteDeviceInterfaceWorker(x,x,x)+6Aj ...
		mov	edx, [esp+30h+var_20]
		or	ebx, 31h
		push	0
		push	ecx
		mov	ecx, [esp+38h+var_1C]
		push	ebx
		call	__CmDeleteDeviceInterfaceRegKey@20 ; _CmDeleteDeviceInterfaceRegKey(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A2EF9E
		cmp	eax, 0C0000034h
		jz	short loc_A2EF9E
		cmp	eax, 0C000000Dh
		jz	short loc_A2EF9E
		cmp	eax, 0C00000BBh
		jz	short loc_A2EF9E
		cmp	eax, 0C0000121h
		jnz	short loc_A2EFAE

loc_A2EF9E:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+90j
					; _CmDeleteDeviceInterfaceWorker(x,x,x)+97j ...
		inc	edi
		cmp	edi, 3
		jnb	short loc_A2EFB8
		mov	ecx, [esp+30h+var_1C]
		mov	edx, [esp+30h+var_20]
		jmp	short loc_A2EF3F
; 

loc_A2EFAE:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+78j
					; _CmDeleteDeviceInterfaceWorker(x,x,x)+ACj
		mov	esi, eax
		test	esi, esi
		js	loc_A2F112

loc_A2EFB8:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+B2j
		xor	ebx, ebx
		xor	edi, edi
		and	[esp+30h+var_14], ebx
		mov	[esp+30h+var_18], ebx

loc_A2EFC4:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+12Dj
		mov	edx, [esp+30h+var_20]
		lea	eax, [esp+30h+var_18]
		mov	ecx, [esp+30h+var_1C]
		push	eax
		push	ebx
		push	edi
		push	1
		push	0
		call	__CmGetDeviceInterfaceMappedPropertyKeys@28 ; _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)
		mov	ebx, [esp+30h+var_18]
		cmp	eax, 0C0000023h
		jnz	short loc_A2F024
		push	14h
		pop	ecx
		mov	eax, ebx
		mul	ecx
		lea	ecx, [esp+30h+var_14]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_A2F036
		test	edi, edi
		jz	short loc_A2F009
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2F009:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+10Fj
		push	52504E50h
		push	[esp+34h+var_14]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A2EFC4
		mov	eax, 0C0000017h

loc_A2F024:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+F5j
		test	eax, eax
		jz	short loc_A2F03D
		cmp	eax, 0C0000225h
		jz	short loc_A2F03D

loc_A2F02F:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+14Bj
					; _CmDeleteDeviceInterfaceWorker(x,x,x)+1D6j ...
		mov	esi, eax
		jmp	loc_A2F106
; 

loc_A2F036:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+10Bj
		mov	eax, 0C000000Dh
		jmp	short loc_A2F02F
; 

loc_A2F03D:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+136j
					; _CmDeleteDeviceInterfaceWorker(x,x,x)+13Dj
		xor	eax, eax
		mov	[esp+30h+var_14], eax
		test	ebx, ebx
		jz	short loc_A2F09E
		mov	ecx, edi
		mov	[esp+30h+var_18], edi

loc_A2F04D:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+1AAj
		mov	edx, [esp+30h+var_20]
		push	eax
		push	eax
		push	eax
		push	ecx
		mov	ecx, [esp+40h+var_1C]
		push	eax
		push	eax
		call	_CmSetDeviceInterfaceMappedProperty
		test	eax, eax
		jz	short loc_A2F080
		cmp	eax, 0C0000225h
		jz	short loc_A2F080
		cmp	eax, 0C0000022h
		jz	short loc_A2F080
		cmp	eax, 0C0000016h
		jz	short loc_A2F080
		cmp	eax, 0C00000BBh
		jnz	short loc_A2F09C

loc_A2F080:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+172j
					; _CmDeleteDeviceInterfaceWorker(x,x,x)+179j ...
		mov	eax, [esp+30h+var_14]
		mov	ecx, [esp+30h+var_18]
		inc	eax
		add	ecx, 14h
		mov	[esp+30h+var_14], eax
		mov	[esp+30h+var_18], ecx
		cmp	eax, ebx
		jnb	short loc_A2F09E
		xor	eax, eax
		jmp	short loc_A2F04D
; 

loc_A2F09C:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+18Ej
		mov	esi, eax

loc_A2F09E:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+155j
					; _CmDeleteDeviceInterfaceWorker(x,x,x)+1A6j
		test	esi, esi
		js	short loc_A2F106
		mov	ebx, [esp+30h+var_1C]
		mov	edx, [esp+30h+var_20]
		push	1
		push	ecx
		push	30h
		mov	ecx, ebx
		call	__CmDeleteDeviceInterfaceRegKey@20 ; _CmDeleteDeviceInterfaceRegKey(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A2F0CC
		cmp	eax, 0C0000034h
		jz	short loc_A2F0CC
		cmp	eax, 0C000000Dh
		jnz	loc_A2F02F

loc_A2F0CC:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+1C8j
					; _CmDeleteDeviceInterfaceWorker(x,x,x)+1CFj
		mov	edx, [esp+30h+var_20]
		push	0
		push	ecx
		push	31h
		mov	ecx, ebx
		call	__CmDeleteDeviceInterfaceRegKey@20 ; _CmDeleteDeviceInterfaceRegKey(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A2F0F9
		cmp	eax, 0C0000034h
		jz	short loc_A2F0F9
		cmp	eax, 0C000000Dh
		jz	short loc_A2F0F9
		cmp	eax, 0C0000121h
		jnz	loc_A2F02F

loc_A2F0F9:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+1EEj
					; _CmDeleteDeviceInterfaceWorker(x,x,x)+1F5j ...
		mov	edx, [esp+30h+var_20]
		mov	ecx, ebx
		push	3
		call	__CmRaiseDeleteEvent@12	; _CmRaiseDeleteEvent(x,x,x)

loc_A2F106:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+141j
					; _CmDeleteDeviceInterfaceWorker(x,x,x)+1B0j
		test	edi, edi
		jz	short loc_A2F112
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2F112:				; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+30j
					; _CmDeleteDeviceInterfaceWorker(x,x,x)+C2j ...
		mov	ecx, [esp+30h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
__CmDeleteDeviceInterfaceWorker@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDeviceRegKey(x, x,	x, x, x)
__CmDeleteDeviceRegKey@20 proc near	; CODE XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+BFBp
					; PiDevCfgConfigureDevice(x,x,x,x,x)+C45p ...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		lea	eax, [esp+44h+var_30]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[esp+4Ch+var_34], esi
		mov	ebx, ecx
		call	_memset
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	edi, [ebx+100h]
		and	[esp+40h+var_1C], 0
		mov	[esp+40h+var_28], eax
		mov	eax, [ebp+arg_4]
		mov	[esp+40h+var_24], eax
		mov	[esp+40h+var_20], 1
		test	edi, edi
		jz	short loc_A2F1A7
		lea	eax, [esp+40h+var_30]
		push	eax
		push	1
		push	0Ch
		push	1
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A2F196
		xor	edi, edi
		jmp	short loc_A2F1A7
; 

loc_A2F196:				; CODE XREF: _CmDeleteDeviceRegKey(x,x,x,x,x)+68j
		cmp	eax, 0C0000120h
		jnz	short loc_A2F1A3

loc_A2F19D:				; CODE XREF: _CmDeleteDeviceRegKey(x,x,x,x,x)+BCj
		mov	esi, [esp+58h+var_48]
		jmp	short loc_A2F1EF
; 

loc_A2F1A3:				; CODE XREF: _CmDeleteDeviceRegKey(x,x,x,x,x)+73j
		test	eax, eax
		jnz	short loc_A2F1EA

loc_A2F1A7:				; CODE XREF: _CmDeleteDeviceRegKey(x,x,x,x,x)+52j
					; _CmDeleteDeviceRegKey(x,x,x,x,x)+6Cj
		push	[esp+58h+var_38]
		mov	edx, esi
		mov	ecx, ebx
		push	[esp+5Ch+var_3C]
		push	[esp+60h+var_40]
		call	__CmDeleteDeviceRegKeyWorker@20	; _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A2F1EF
		lea	eax, [esp+58h+var_48]
		mov	[esp+58h+var_48], esi
		push	eax
		push	2
		push	0Ch
		push	1
		push	[esp+68h+var_4C]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A2F1EF
		cmp	eax, 0C0000120h
		jz	short loc_A2F19D
		test	eax, eax
		jz	short loc_A2F1EF

loc_A2F1EA:				; CODE XREF: _CmDeleteDeviceRegKey(x,x,x,x,x)+7Dj
		mov	esi, 0C00000E5h

loc_A2F1EF:				; CODE XREF: _CmDeleteDeviceRegKey(x,x,x,x,x)+79j
					; _CmDeleteDeviceRegKey(x,x,x,x,x)+98j	...
		mov	ecx, [esp+70h+var_34]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
__CmDeleteDeviceRegKey@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDeviceRegKeyWorker(x, x, x, x, x)
__CmDeleteDeviceRegKeyWorker@20	proc near ; CODE XREF: _CmDeleteDeviceRegKey(x,x,x,x,x)+8Fp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	edi, eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_1C], eax
		mov	esi, edx
		mov	[ebp+var_24], eax
		mov	ebx, ecx
		mov	[ebp+var_2C], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_20], esi
		test	eax, eax
		jz	loc_A2F3AC
		test	eax, 0FFFFFCE8h
		jnz	loc_A2F3AC
		mov	edi, 0F0h
		mov	[ebp+var_18], edi
		test	eax, 200h
		jz	short loc_A2F262
		add	edi, 78h
		mov	[ebp+var_18], edi

loc_A2F262:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+55j
		push	52504E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		jmp	short loc_A2F2D2
; 

loc_A2F271:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+D4j
		lea	eax, [ebp+var_28]
		mov	edx, esi
		push	eax		; int
		mov	eax, edi
		shr	eax, 1
		push	eax		; int
		push	ecx		; void *
		push	0		; int
		push	[ebp+arg_4]	; int
		mov	ecx, ebx
		push	[ebp+arg_0]	; int
		call	_CmGetDeviceRegKeyPath
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_A2F2E2
		mov	edi, [ebp+var_14]
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_28]
		xor	edi, edi
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_18]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2F3B1
		mov	edi, [ebp+var_18]
		push	52504E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, [ebp+var_20]

loc_A2F2D2:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+6Aj
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jnz	short loc_A2F271
		mov	esi, 0C0000017h
		jmp	short loc_A2F2E5
; 

loc_A2F2E2:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+8Fj
		mov	ecx, [ebp+var_14]

loc_A2F2E5:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+DBj
		test	esi, esi
		js	loc_A2F4E2
		test	[ebp+arg_0], 100h
		jnz	loc_A2F3EC
		push	ecx
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2F4E2
		mov	si, word ptr [ebp+var_C]
		movzx	eax, si
		cmp	eax, edi
		jnb	loc_A2F3A9
		cmp	si, 32h
		jbe	loc_A2F3A9
		push	1
		lea	eax, [ebp+var_C]
		push	eax
		push	(offset	loc_404F8D+3)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		mov	edi, [ebp+var_14]
		test	al, al
		jz	short loc_A2F3AC
		mov	eax, 0FFCEh
		add	edi, 32h
		add	word ptr [ebp+var_C+2],	ax
		add	si, ax
		push	1
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], edi
		push	eax
		push	offset ?EnumKeyPrefix@?1??_CmDeleteDeviceRegKeyWorker@@9@9 ; `_CmDeleteDeviceRegKeyWorker'::`2'::EnumKeyPrefix
		mov	word ptr [ebp+var_C], si
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A2F36F
		push	5
		add	edi, 0Ah
		jmp	short loc_A2F38C
; 

loc_A2F36F:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+161j
		push	1
		lea	eax, [ebp+var_C]
		push	eax
		push	(offset	loc_404F87+1)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A2F38A
		push	0Eh
		add	edi, 24h
		jmp	short loc_A2F38C
; 

loc_A2F38A:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+17Cj
		push	4

loc_A2F38C:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+168j
					; _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+183j
		pop	eax
		lea	ecx, [ebp+var_1C]
		mov	edx, eax
		push	ecx
		mov	ecx, ebx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2F4E2
		mov	eax, [ebp+var_1C]
		jmp	short loc_A2F416
; 

loc_A2F3A9:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+112j
					; _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+11Cj
		mov	edi, [ebp+var_14]

loc_A2F3AC:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+37j
					; _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+42j ...
		mov	esi, 0C000000Dh

loc_A2F3B1:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+B4j
					; _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+2E0j ...
		cmp	[ebp+var_2C], 0
		jz	short loc_A2F3BF
		push	[ebp+var_2C]
		call	_ZwClose@4	; ZwClose(x)

loc_A2F3BF:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+1B0j
		cmp	[ebp+var_24], 0
		jz	short loc_A2F3CD
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)

loc_A2F3CD:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+1BEj
		test	edi, edi
		jz	short loc_A2F3D9
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2F3D9:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+1CAj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_A2F3EC:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+EFj
		mov	edi, ecx
		test	ebx, ebx
		jnz	short loc_A2F3F6
		xor	ecx, ecx
		jmp	short loc_A2F3F9
; 

loc_A2F3F6:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+1EBj
		mov	ecx, [ebx+74h]

loc_A2F3F9:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+1EFj
		lea	eax, [ebp+var_24]
		xor	edx, edx
		push	eax
		push	2000000h
		call	__SysCtxRegOpenCurrentUserKey@16 ; _SysCtxRegOpenCurrentUserKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A2F4E2
		mov	eax, [ebp+var_24]

loc_A2F416:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+1A2j
		mov	edx, [ebp+var_20]
		xor	ecx, ecx
		push	ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	ecx
		push	1
		push	ecx
		push	10h
		mov	ecx, ebx
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_A2F4E2
		mov	eax, [ebp+arg_0]
		movzx	ecx, al
		mov	[ebp+var_28], ecx
		cmp	ecx, 12h
		jnz	loc_A2F4EA
		test	eax, 0F00h
		jnz	loc_A2F4EA
		xor	eax, eax
		mov	[ebp+var_10], 312h
		mov	[ebp+var_C], 212h
		mov	[ebp+var_8], 112h
		mov	[ebp+var_1C], eax

loc_A2F471:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+2A1j
		mov	edx, [ebp+var_20]
		mov	ecx, ebx
		push	1
		push	0
		push	[ebp+eax*4+var_10]
		call	__CmDeleteDeviceRegKey@20 ; _CmDeleteDeviceRegKey(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A2F49C
		cmp	eax, 0C0000034h
		jz	short loc_A2F49C
		cmp	eax, 0C000000Dh
		jz	short loc_A2F49C
		cmp	eax, 0C00000BBh
		jnz	short loc_A2F4AA

loc_A2F49C:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+280j
					; _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+287j ...
		mov	eax, [ebp+var_1C]
		inc	eax
		mov	[ebp+var_1C], eax
		cmp	eax, 3
		jb	short loc_A2F471
		jmp	short loc_A2F4AC
; 

loc_A2F4AA:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+295j
		mov	esi, eax

loc_A2F4AC:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+2A3j
		test	esi, esi
		js	short loc_A2F4E2
		mov	edx, [ebp+var_20]
		mov	ecx, ebx
		call	__CmDeleteDeviceMappedPropertyForAllDriverKeyRegValues@8 ; _CmDeleteDeviceMappedPropertyForAllDriverKeyRegValues(x,x)
		mov	edx, [ebp+var_20]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	1
		push	0Ah
		push	eax
		mov	ecx, ebx
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_A2F4EA
		cmp	eax, 0C0000225h
		jz	short loc_A2F4EA
		cmp	eax, 0C000000Eh
		jz	short loc_A2F4EA

loc_A2F4E0:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+332j
					; _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+3A2j
		mov	esi, eax

loc_A2F4E2:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+E2j
					; _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+103j ...
		mov	edi, [ebp+var_14]
		jmp	loc_A2F3B1
; 

loc_A2F4EA:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+241j
					; _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+24Cj ...
		cmp	[ebp+arg_8], 0
		jz	short loc_A2F511
		test	ebx, ebx
		jz	short loc_A2F500
		mov	eax, [ebx+74h]
		test	eax, eax
		jz	short loc_A2F500
		mov	eax, [eax+4]
		jmp	short loc_A2F502
; 

loc_A2F500:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+2EDj
					; _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+2F4j
		xor	eax, eax

loc_A2F502:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+2F9j
		mov	ecx, [ebp+var_18]
		mov	edx, edi
		push	0
		push	eax
		call	_RegRtlDeleteTreeInternal
		jmp	short loc_A2F52E
; 

loc_A2F511:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+2E9j
		test	ebx, ebx
		jz	short loc_A2F521
		mov	eax, [ebx+74h]
		test	eax, eax
		jz	short loc_A2F521
		mov	eax, [eax+4]
		jmp	short loc_A2F523
; 

loc_A2F521:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+30Ej
					; _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+315j
		xor	eax, eax

loc_A2F523:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+31Aj
		mov	ecx, [ebp+var_18]
		mov	edx, edi
		push	eax
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)

loc_A2F52E:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+30Aj
		cmp	eax, 0C000017Ch
		jz	short loc_A2F4E2
		test	eax, eax
		js	short loc_A2F4E0
		mov	eax, [ebp+var_28]
		cmp	eax, 12h
		jz	short loc_A2F4E2
		cmp	eax, 11h
		jnz	short loc_A2F54F
		test	[ebp+arg_0], 0F00h
		jz	short loc_A2F4E2

loc_A2F54F:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+33Fj
		push	5Ch		; wchar_t
		push	edi		; wchar_t *
		call	_wcsrchr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A2F567

loc_A2F55D:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+376j
		mov	esi, 0C00000E5h
		jmp	loc_A2F4E2
; 

loc_A2F567:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+356j
		xor	ecx, ecx
		push	5Ch		; wchar_t
		push	edi		; wchar_t *
		mov	[eax], cx
		call	_wcsrchr
		mov	[ebp+var_1C], eax
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A2F55D
		test	ebx, ebx
		jz	short loc_A2F58D
		mov	eax, [ebx+74h]
		test	eax, eax
		jz	short loc_A2F58D
		mov	eax, [eax+4]
		jmp	short loc_A2F58F
; 

loc_A2F58D:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+37Aj
					; _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+381j
		xor	eax, eax

loc_A2F58F:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+386j
		mov	ecx, [ebp+var_18]
		mov	edx, edi
		push	eax
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)
		cmp	eax, 0C0000121h
		jz	loc_A2F4E2
		test	eax, eax
		js	loc_A2F4E0
		mov	eax, [ebp+var_1C]
		xor	ecx, ecx
		mov	[eax], cx
		test	ebx, ebx
		jz	short loc_A2F5C5
		mov	eax, [ebx+74h]
		test	eax, eax
		jz	short loc_A2F5C5
		mov	eax, [eax+4]
		jmp	short loc_A2F5C7
; 

loc_A2F5C5:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+3B2j
					; _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+3B9j
		xor	eax, eax

loc_A2F5C7:				; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+3BEj
		mov	ecx, [ebp+var_18]
		mov	edx, edi
		push	eax
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)
		cmp	eax, 0C0000121h
		jz	loc_A2F4E2
		mov	edi, [ebp+var_14]
		test	eax, eax
		jns	loc_A2F3B1
		mov	esi, eax
		jmp	loc_A2F3B1
__CmDeleteDeviceRegKeyWorker@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDeviceWorker(x, x,	x)
__CmDeleteDeviceWorker@12 proc near	; CODE XREF: _CmDeleteDevice(x,x,x)+6Cp

var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 104h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+104h+var_4], eax
		movzx	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+10Ch+var_100], edx
		mov	[esp+10Ch+var_F4], ecx
		mov	ebx, esi
		mov	[esp+10Ch+var_F0], esi
		mov	[esp+10Ch+var_F8], esi
		mov	[esp+10Ch+var_E0], esi
		mov	[esp+10Ch+var_E4], esi
		mov	[esp+10Ch+var_D8], esi
		mov	[esp+10Ch+var_D4], esi
		mov	[esp+10Ch+var_CC], esi
		mov	[esp+10Ch+var_E8], esi
		mov	[esp+10Ch+var_D0], esi
		mov	[esp+10Ch+var_EC], esi
		mov	[esp+10Ch+var_DC], esi
		push	edi
		mov	edi, esi
		test	eax, eax
		jz	short loc_A2F65A
		mov	esi, 0C000000Dh
		jmp	loc_A2F87B
; 

loc_A2F65A:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+5Fj
		push	esi
		lea	eax, [esp+114h+var_F0]
		push	eax
		push	esi
		push	2010002h
		push	esi
		push	10h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		mov	[esp+110h+var_FC], esi
		test	esi, esi
		js	loc_A2F86B
		mov	edx, [esp+110h+var_100]
		xor	eax, eax
		mov	ecx, [esp+110h+var_F4]
		push	eax
		lea	eax, [esp+114h+var_E8]
		mov	[esp+114h+var_E8], 4Eh
		push	eax
		lea	eax, [esp+118h+var_A8]
		push	eax
		lea	eax, [esp+11Ch+var_CC]
		push	eax
		push	25h
		push	[esp+124h+var_F0]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A2F6F3
		mov	edx, [esp+110h+var_100]
		lea	eax, [esp+110h+var_58]
		push	ecx
		mov	ecx, [esp+114h+var_F4]
		push	eax
		lea	eax, [esp+118h+var_A8]
		push	eax
		call	_CmGetDeviceContainerIdFromBase
		test	eax, eax
		jns	short loc_A2F6D3

loc_A2F6CC:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+102j
					; _CmDeleteDeviceWorker(x,x,x)+109j
		mov	esi, eax
		jmp	loc_A2F86B
; 

loc_A2F6D3:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+DBj
		push	ecx
		push	[esp+114h+var_100]
		mov	ecx, [esp+118h+var_F4]
		lea	eax, [esp+118h+var_A8]
		push	eax
		lea	edx, [esp+11Ch+var_58]
		call	__CmRemoveDeviceFromContainer@20 ; _CmRemoveDeviceFromContainer(x,x,x,x,x)
		test	eax, eax
		jns	short loc_A2F6FA
		jmp	short loc_A2F6CC
; 

loc_A2F6F3:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+BCj
		cmp	eax, 0C0000225h
		jnz	short loc_A2F6CC

loc_A2F6FA:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+100j
		mov	ecx, ebx

loc_A2F6FC:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+168j
		xor	edx, edx
		lea	eax, [esp+110h+var_E8]
		push	edx
		push	eax
		push	edi
		mov	edi, [esp+11Ch+var_F4]
		lea	eax, [esp+11Ch+var_D0]
		push	ecx
		push	eax
		push	offset _DEVPKEY_Device_PanelId
		push	edx
		push	[esp+12Ch+var_F0]
		mov	edx, [esp+130h+var_100]
		mov	ecx, edi
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_A2F764
		mov	eax, [esp+110h+var_DC]
		test	eax, eax
		jz	short loc_A2F73E
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2F73E:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+144j
		mov	edi, [esp+110h+var_E8]
		push	52504E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+110h+var_DC], ecx
		test	ecx, ecx
		jnz	short loc_A2F6FC
		mov	edi, [esp+110h+var_F4]
		mov	eax, 0C0000017h
		jmp	short loc_A2F768
; 

loc_A2F764:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+13Cj
		mov	ecx, [esp+110h+var_DC]

loc_A2F768:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+173j
		push	2
		pop	edx
		test	eax, eax
		js	short loc_A2F7AC
		cmp	[esp+110h+var_D0], 12h
		jnz	short loc_A2F7A2
		mov	eax, [esp+110h+var_E8]
		cmp	eax, edx
		jb	short loc_A2F7A2
		shr	eax, 1
		xor	edx, edx
		cmp	[ecx+eax*2-2], dx
		jnz	short loc_A2F7A2
		push	ecx
		push	[esp+114h+var_100]
		mov	edx, ecx
		mov	ecx, edi
		call	__CmRemovePanelDevice@16 ; _CmRemovePanelDevice(x,x,x,x)
		test	eax, eax
		jns	short loc_A2F7B3

loc_A2F79B:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+1C2j
		mov	esi, eax
		jmp	loc_A2F85A
; 

loc_A2F7A2:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+185j
					; _CmDeleteDeviceWorker(x,x,x)+18Dj ...
		mov	esi, 0C0000001h
		jmp	loc_A2F85A
; 

loc_A2F7AC:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+17Ej
		cmp	eax, 0C0000225h
		jnz	short loc_A2F79B

loc_A2F7B3:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+1AAj
		mov	edi, [esp+110h+var_100]
		mov	ecx, ebx

loc_A2F7B9:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+231j
		xor	edx, edx
		lea	eax, [esp+110h+var_D8]
		push	edx
		push	eax
		push	ebx
		mov	ebx, [esp+11Ch+var_F4]
		push	ecx
		push	edx
		push	edx
		push	edx
		push	edi
		mov	ecx, ebx
		call	_CmGetMatchingFilteredDeviceInterfaceList
		cmp	eax, 0C0000023h
		jnz	short loc_A2F830
		mov	eax, [esp+110h+var_D8]
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [esp+110h+var_F8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_A2F829
		mov	eax, [esp+110h+var_E0]
		test	eax, eax
		jz	short loc_A2F802
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2F802:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+208j
		push	52504E50h
		push	[esp+114h+var_F8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+110h+var_E0], ecx
		test	ecx, ecx
		jz	short loc_A2F822
		mov	ebx, [esp+110h+var_D8]
		jmp	short loc_A2F7B9
; 

loc_A2F822:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+22Bj
		mov	eax, 0C0000017h
		jmp	short loc_A2F834
; 

loc_A2F829:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+200j
		mov	eax, 0C000000Dh
		jmp	short loc_A2F838
; 

loc_A2F830:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+1E8j
		mov	ecx, [esp+110h+var_E0]

loc_A2F834:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+238j
		test	eax, eax
		jz	short loc_A2F894

loc_A2F838:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+23Fj
		mov	esi, eax

loc_A2F83A:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+56Dj
		xor	ebx, ebx

loc_A2F83C:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+57Cj
		mov	eax, [esp+110h+var_E0]
		test	eax, eax
		jz	short loc_A2F84B
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2F84B:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+253j
		mov	eax, [esp+110h+var_EC]
		test	eax, eax
		jz	short loc_A2F85A
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2F85A:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+1AEj
					; _CmDeleteDeviceWorker(x,x,x)+1B8j ...
		mov	eax, [esp+110h+var_DC]
		test	eax, eax
		jz	short loc_A2F86B
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2F86B:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+87j
					; _CmDeleteDeviceWorker(x,x,x)+DFj ...
		cmp	[esp+110h+var_F0], 0
		jz	short loc_A2F87B
		push	[esp+110h+var_F0]
		call	_ZwClose@4	; ZwClose(x)

loc_A2F87B:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+66j
					; _CmDeleteDeviceWorker(x,x,x)+281j
		mov	ecx, [esp+110h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_A2F894:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+247j
		cmp	[esp+110h+var_D8], 0
		jbe	short loc_A2F8D7
		xor	eax, eax
		mov	edi, ecx
		cmp	[ecx], ax
		jz	short loc_A2F8D3
		xor	esi, esi

loc_A2F8A6:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+2DEj
		push	esi
		mov	edx, edi
		mov	ecx, ebx
		call	__CmDeleteDeviceInterface@12 ; _CmDeleteDeviceInterface(x,x,x)
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_A2F8B5:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+2CFj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A2F8B5
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], si
		jnz	short loc_A2F8A6
		mov	esi, [esp+110h+var_FC]

loc_A2F8D3:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+2B3j
		mov	edi, [esp+110h+var_100]

loc_A2F8D7:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+2AAj
		xor	ecx, ecx
		mov	eax, ecx
		mov	[esp+110h+var_F8], ecx

loc_A2F8DF:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+355j
		xor	edx, edx
		push	edx
		lea	edx, [esp+114h+var_D4]
		push	edx
		push	eax
		push	ecx
		push	edi
		mov	edx, offset __CmMatchLastKnownParentCallback@16	; _CmMatchLastKnownParentCallback(x,x,x,x)
		mov	ecx, ebx
		call	_CmGetMatchingDeviceList
		cmp	eax, 0C0000023h
		jnz	short loc_A2F954
		mov	eax, [esp+110h+var_D4]
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [esp+110h+var_F8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_A2F94D
		mov	eax, [esp+110h+var_E4]
		test	eax, eax
		jz	short loc_A2F926
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2F926:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+32Cj
		push	52504E50h
		push	[esp+114h+var_F8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+110h+var_E4], ecx
		test	ecx, ecx
		jz	short loc_A2F946
		mov	eax, [esp+110h+var_D4]
		jmp	short loc_A2F8DF
; 

loc_A2F946:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+34Fj
		mov	eax, 0C0000017h
		jmp	short loc_A2F958
; 

loc_A2F94D:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+324j
					; _CmDeleteDeviceWorker(x,x,x)+46Cj
		mov	eax, 0C000000Dh
		jmp	short loc_A2F95C
; 

loc_A2F954:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+30Cj
		mov	ecx, [esp+110h+var_E4]

loc_A2F958:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+35Cj
		test	eax, eax
		jz	short loc_A2F963

loc_A2F95C:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+363j
					; _CmDeleteDeviceWorker(x,x,x)+4D4j
		mov	esi, eax
		jmp	loc_A2FB56
; 

loc_A2F963:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+36Bj
		cmp	[esp+110h+var_D4], 0
		jbe	short loc_A2F9AE
		xor	eax, eax
		mov	edi, ecx
		cmp	[ecx], ax
		jz	short loc_A2F9AE
		xor	esi, esi

loc_A2F975:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+3B9j
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset _DEVPKEY_Device_LastKnownParent ; "&cڃ@S?W;)\n"
		push	esi
		push	esi
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_A2F990:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+3AAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A2F990
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], si
		jnz	short loc_A2F975
		mov	esi, [esp+110h+var_FC]

loc_A2F9AE:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+379j
					; _CmDeleteDeviceWorker(x,x,x)+382j
		xor	ecx, ecx
		mov	[esp+110h+var_C8], 312h
		mov	[esp+110h+var_C4], 212h
		mov	edi, ecx
		mov	[esp+110h+var_C0], 112h
		mov	[esp+110h+var_BC], 12h
		mov	[esp+110h+var_B8], 311h
		mov	[esp+110h+var_B4], 211h
		mov	[esp+110h+var_B0], 111h
		mov	[esp+110h+var_AC], 11h

loc_A2F9F2:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+435j
		mov	edx, [esp+110h+var_100]
		push	ecx
		push	ecx
		push	[esp+edi*4+118h+var_C8]
		mov	ecx, ebx
		call	__CmDeleteDeviceRegKey@20 ; _CmDeleteDeviceRegKey(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A2FA1C
		cmp	eax, 0C0000034h
		jz	short loc_A2FA1C
		cmp	eax, 0C000000Dh
		jz	short loc_A2FA1C
		cmp	eax, 0C00000BBh
		jnz	short loc_A2FA26

loc_A2FA1C:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+416j
					; _CmDeleteDeviceWorker(x,x,x)+41Dj ...
		inc	edi
		cmp	edi, 8
		jnb	short loc_A2FA28
		xor	ecx, ecx
		jmp	short loc_A2F9F2
; 

loc_A2FA26:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+42Bj
		mov	esi, eax

loc_A2FA28:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+431j
		test	esi, esi
		js	loc_A2FB56
		xor	ecx, ecx
		lea	eax, [esp+110h+var_FC]
		push	eax
		mov	[esp+114h+var_EC], ecx
		mov	[esp+114h+var_FC], ecx
		mov	[esp+114h+var_F8], ecx
		push	ecx
		jmp	short loc_A2FA96
; 

loc_A2FA46:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+4C1j
		mov	edi, [esp+118h+var_104]
		mov	eax, edi
		mul	ecx
		lea	ecx, [esp+118h+var_100]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	loc_A2F94D
		mov	eax, [esp+118h+var_F4]
		test	eax, eax
		jz	short loc_A2FA72
		xor	ecx, ecx
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2FA72:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+478j
		push	52504E50h
		push	[esp+11Ch+var_100]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esp+118h+var_F4], ecx
		test	ecx, ecx
		jz	loc_A2FB21
		lea	eax, [esp+118h+var_104]
		push	eax
		push	edi

loc_A2FA96:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+455j
		mov	edx, [esp+120h+var_108]
		push	ecx
		push	1
		push	[esp+128h+var_F8]
		mov	ecx, ebx
		call	__CmGetDeviceMappedPropertyKeys@28 ; _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)
		push	14h
		pop	ecx
		cmp	eax, 0C0000023h
		jz	short loc_A2FA46
		mov	ecx, [esp+118h+var_F4]
		mov	edi, [esp+118h+var_104]

loc_A2FABA:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+537j
		test	eax, eax
		jz	short loc_A2FAC9
		cmp	eax, 0C0000225h
		jnz	loc_A2F95C

loc_A2FAC9:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+4CDj
		xor	edx, edx
		mov	ebx, edx
		test	edi, edi
		jz	short loc_A2FB2C
		mov	eax, ecx
		mov	[esp+118h+var_104], ecx

loc_A2FAD7:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+530j
		mov	ecx, [esp+118h+var_FC]
		push	edx		; int
		push	edx		; int
		push	edx		; int
		push	eax		; void *
		push	edx		; void *
		push	[esp+12Ch+var_F8] ; void *
		mov	edx, [esp+130h+var_108]
		call	_CmSetDeviceMappedProperty
		test	eax, eax
		jz	short loc_A2FB0D
		cmp	eax, 0C0000225h
		jz	short loc_A2FB0D
		cmp	eax, 0C0000022h
		jz	short loc_A2FB0D
		cmp	eax, 0C0000016h
		jz	short loc_A2FB0D
		cmp	eax, 0C00000BBh
		jnz	short loc_A2FB28

loc_A2FB0D:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+500j
					; _CmDeleteDeviceWorker(x,x,x)+507j ...
		mov	eax, [esp+118h+var_104]
		inc	ebx
		add	eax, 14h
		xor	edx, edx
		mov	[esp+118h+var_104], eax
		cmp	ebx, edi
		jnb	short loc_A2FB2C
		jmp	short loc_A2FAD7
; 

loc_A2FB21:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+49Bj
		mov	eax, 0C0000017h
		jmp	short loc_A2FABA
; 

loc_A2FB28:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+51Cj
		mov	esi, eax
		xor	edx, edx

loc_A2FB2C:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+4E0j
					; _CmDeleteDeviceWorker(x,x,x)+52Ej
		test	esi, esi
		js	short loc_A2FB56
		mov	edi, [esp+118h+var_108]
		mov	ebx, [esp+118h+var_FC]
		push	ecx
		push	edx
		push	10h
		mov	edx, edi
		mov	ecx, ebx
		call	__CmDeleteDeviceRegKey@20 ; _CmDeleteDeviceRegKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A2FB56
		push	1
		mov	edx, edi
		mov	ecx, ebx
		call	__CmRaiseDeleteEvent@12	; _CmRaiseDeleteEvent(x,x,x)

loc_A2FB56:				; CODE XREF: _CmDeleteDeviceWorker(x,x,x)+36Fj
					; _CmDeleteDeviceWorker(x,x,x)+43Bj ...
		mov	eax, [esp+118h+var_EC]
		test	eax, eax
		jz	loc_A2F83A
		xor	ebx, ebx
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_A2F83C
__CmDeleteDeviceWorker@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteInstallerClass(x, x, x)
__CmDeleteInstallerClass@12 proc near	; CODE XREF: _PnpDispatchInstallerClass+ADCC0p
					; PiCMDeleteClassKey(x,x,x,x,x,x):loc_983E55p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		lea	eax, [ebp+var_30]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], esi
		mov	ebx, ecx
		call	_memset
		mov	edi, [ebx+100h]
		add	esp, 0Ch
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_28], eax
		test	edi, edi
		jz	short loc_A2FBD5
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	3
		push	2
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A2FBC5
		xor	edi, edi
		jmp	short loc_A2FBD5
; 

loc_A2FBC5:				; CODE XREF: _CmDeleteInstallerClass(x,x,x)+4Fj
		cmp	eax, 0C0000120h
		jnz	short loc_A2FBD1

loc_A2FBCC:				; CODE XREF: _CmDeleteInstallerClass(x,x,x)+96j
		mov	esi, [ebp+var_30]
		jmp	short loc_A2FC11
; 

loc_A2FBD1:				; CODE XREF: _CmDeleteInstallerClass(x,x,x)+5Aj
		test	eax, eax
		jnz	short loc_A2FC0C

loc_A2FBD5:				; CODE XREF: _CmDeleteInstallerClass(x,x,x)+3Aj
					; _CmDeleteInstallerClass(x,x,x)+53j
		push	[ebp+var_28]
		mov	edx, esi
		mov	ecx, ebx
		call	__CmDeleteInstallerClassWorker@12 ; _CmDeleteInstallerClassWorker(x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A2FC11
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	3
		push	2
		push	[ebp+var_34]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A2FC11
		cmp	eax, 0C0000120h
		jz	short loc_A2FBCC
		test	eax, eax
		jz	short loc_A2FC11

loc_A2FC0C:				; CODE XREF: _CmDeleteInstallerClass(x,x,x)+63j
		mov	esi, 0C00000E5h

loc_A2FC11:				; CODE XREF: _CmDeleteInstallerClass(x,x,x)+5Fj
					; _CmDeleteInstallerClass(x,x,x)+75j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
__CmDeleteInstallerClass@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteInstallerClassWorker(x, x,	x)
__CmDeleteInstallerClassWorker@12 proc near ; CODE XREF: _CmDeleteInstallerClass(x,x,x)+6Cp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		movzx	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_18], edx
		mov	[ebp+var_24], edi
		mov	ebx, ecx
		mov	[ebp+var_20], ebx
		mov	esi, edi
		test	eax, eax
		jz	short loc_A2FC5A
		mov	esi, 0C000000Dh
		jmp	loc_A2FE1D
; 

loc_A2FC5A:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+2Aj
		push	ecx
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		push	edi
		push	edi
		push	edi
		push	80h
		call	_CmGetMatchingFilteredDeviceList
		cmp	eax, 0C0000023h
		jnz	short loc_A2FC7E
		mov	esi, 0C0000121h
		jmp	loc_A2FE1D
; 

loc_A2FC7E:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+4Ej
		test	eax, eax
		jz	short loc_A2FC89
		mov	esi, eax
		jmp	loc_A2FE1D
; 

loc_A2FC89:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+5Cj
		mov	[ebp+var_10], 320h
		mov	[ebp+var_C], 220h
		mov	[ebp+var_8], 120h

loc_A2FC9E:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+BCj
		mov	eax, [ebp+edi*4+var_10]
		test	eax, eax
		jz	short loc_A2FCBE
		test	eax, 0FFFFFCDFh
		jnz	short loc_A2FCBE
		mov	edx, [ebp+var_18]
		mov	ecx, ebx
		push	1
		push	0
		push	eax
		call	__CmDeleteCommonClassRegKey@20 ; _CmDeleteCommonClassRegKey(x,x,x,x,x)
		jmp	short loc_A2FCC3
; 

loc_A2FCBE:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+80j
					; _CmDeleteInstallerClassWorker(x,x,x)+87j
		mov	eax, 0C000000Dh

loc_A2FCC3:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+98j
		test	eax, eax
		jz	short loc_A2FCDC
		cmp	eax, 0C0000034h
		jz	short loc_A2FCDC
		cmp	eax, 0C000000Dh
		jz	short loc_A2FCDC
		cmp	eax, 0C00000BBh
		jnz	short loc_A2FCE4

loc_A2FCDC:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+A1j
					; _CmDeleteInstallerClassWorker(x,x,x)+A8j ...
		inc	edi
		cmp	edi, 3
		jb	short loc_A2FC9E
		jmp	short loc_A2FCEE
; 

loc_A2FCE4:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+B6j
		mov	esi, eax
		test	eax, eax
		js	loc_A2FE1D

loc_A2FCEE:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+BEj
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		push	eax
		push	ecx
		push	ecx
		push	1
		mov	edi, ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_1C], ecx
		push	ecx
		mov	ecx, ebx
		jmp	short loc_A2FD48
; 

loc_A2FD05:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+134j
		mov	ebx, [ebp+var_14]
		mov	eax, ebx
		mul	ecx
		lea	ecx, [ebp+var_1C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_A2FD76
		test	edi, edi
		jz	short loc_A2FD26
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2FD26:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+F8j
		push	52504E50h
		push	[ebp+var_1C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A2FD6F
		mov	ecx, [ebp+var_20]
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		push	edi
		push	1
		push	0

loc_A2FD48:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+DFj
		mov	edx, [ebp+var_18]
		call	__CmGetInstallerClassMappedPropertyKeys@28 ; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)
		push	14h
		pop	ecx
		cmp	eax, 0C0000023h
		jz	short loc_A2FD05
		mov	ebx, [ebp+var_14]

loc_A2FD5D:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+150j
		test	eax, eax
		jz	short loc_A2FD7D
		cmp	eax, 0C0000225h
		jz	short loc_A2FD7D

loc_A2FD68:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+157j
					; _CmDeleteInstallerClassWorker(x,x,x)+1DBj
		mov	esi, eax
		jmp	loc_A2FE11
; 

loc_A2FD6F:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+115j
		mov	eax, 0C0000017h
		jmp	short loc_A2FD5D
; 

loc_A2FD76:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+F4j
		mov	eax, 0C000000Dh
		jmp	short loc_A2FD68
; 

loc_A2FD7D:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+13Bj
					; _CmDeleteInstallerClassWorker(x,x,x)+142j
		and	[ebp+var_1C], 0
		test	ebx, ebx
		jz	short loc_A2FDD8
		mov	ecx, edi
		mov	[ebp+var_14], edi

loc_A2FD8A:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+1AEj
		mov	edx, [ebp+var_18]
		push	0		; int
		push	0		; int
		push	0		; int
		push	ecx		; void *
		mov	ecx, [ebp+var_20]
		push	0		; int
		push	0		; int
		call	__CmSetInstallerClassMappedProperty@32 ; _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_A2FDC0
		cmp	eax, 0C0000225h
		jz	short loc_A2FDC0
		cmp	eax, 0C0000022h
		jz	short loc_A2FDC0
		cmp	eax, 0C0000016h
		jz	short loc_A2FDC0
		cmp	eax, 0C00000BBh
		jnz	short loc_A2FDD6

loc_A2FDC0:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+17Ej
					; _CmDeleteInstallerClassWorker(x,x,x)+185j ...
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_14]
		inc	eax
		add	ecx, 14h
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], ecx
		cmp	eax, ebx
		jb	short loc_A2FD8A
		jmp	short loc_A2FDD8
; 

loc_A2FDD6:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+19Aj
		mov	esi, eax

loc_A2FDD8:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+15Fj
					; _CmDeleteInstallerClassWorker(x,x,x)+1B0j
		test	esi, esi
		js	short loc_A2FE11
		mov	ebx, [ebp+var_20]
		mov	ecx, ebx
		mov	edx, [ebp+var_18]
		push	1
		push	0
		push	20h
		call	__CmDeleteCommonClassRegKey@20 ; _CmDeleteCommonClassRegKey(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A2FE05
		cmp	eax, 0C0000034h
		jz	short loc_A2FE05
		cmp	eax, 0C000000Dh
		jnz	loc_A2FD68

loc_A2FE05:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+1CDj
					; _CmDeleteInstallerClassWorker(x,x,x)+1D4j
		mov	edx, [ebp+var_18]
		mov	ecx, ebx
		push	2
		call	__CmRaiseDeleteEvent@12	; _CmRaiseDeleteEvent(x,x,x)

loc_A2FE11:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+146j
					; _CmDeleteInstallerClassWorker(x,x,x)+1B6j
		test	edi, edi
		jz	short loc_A2FE1D
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2FE1D:				; CODE XREF: _CmDeleteInstallerClassWorker(x,x,x)+31j
					; _CmDeleteInstallerClassWorker(x,x,x)+55j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
__CmDeleteInstallerClassWorker@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteInterfaceClass(x, x, x)
__CmDeleteInterfaceClass@12 proc near	; CODE XREF: _PnpDispatchInterfaceClass+11855Ap
					; PiCMDeleteClassKey(x,x,x,x,x,x)+92p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		lea	eax, [ebp+var_30]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], esi
		mov	ebx, ecx
		call	_memset
		mov	edi, [ebx+100h]
		add	esp, 0Ch
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_28], eax
		test	edi, edi
		jz	short loc_A2FE95
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	3
		push	4
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A2FE85
		xor	edi, edi
		jmp	short loc_A2FE95
; 

loc_A2FE85:				; CODE XREF: _CmDeleteInterfaceClass(x,x,x)+4Fj
		cmp	eax, 0C0000120h
		jnz	short loc_A2FE91

loc_A2FE8C:				; CODE XREF: _CmDeleteInterfaceClass(x,x,x)+96j
		mov	esi, [ebp+var_30]
		jmp	short loc_A2FED1
; 

loc_A2FE91:				; CODE XREF: _CmDeleteInterfaceClass(x,x,x)+5Aj
		test	eax, eax
		jnz	short loc_A2FECC

loc_A2FE95:				; CODE XREF: _CmDeleteInterfaceClass(x,x,x)+3Aj
					; _CmDeleteInterfaceClass(x,x,x)+53j
		push	[ebp+var_28]
		mov	edx, esi
		mov	ecx, ebx
		call	__CmDeleteInterfaceClassWorker@12 ; _CmDeleteInterfaceClassWorker(x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A2FED1
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	3
		push	4
		push	[ebp+var_34]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A2FED1
		cmp	eax, 0C0000120h
		jz	short loc_A2FE8C
		test	eax, eax
		jz	short loc_A2FED1

loc_A2FECC:				; CODE XREF: _CmDeleteInterfaceClass(x,x,x)+63j
		mov	esi, 0C00000E5h

loc_A2FED1:				; CODE XREF: _CmDeleteInterfaceClass(x,x,x)+5Fj
					; _CmDeleteInterfaceClass(x,x,x)+75j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
__CmDeleteInterfaceClass@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteInterfaceClassWorker(x, x,	x)
__CmDeleteInterfaceClassWorker@12 proc near ; CODE XREF: _CmDeleteInterfaceClass(x,x,x)+6Cp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		movzx	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], edx
		mov	[ebp+var_24], edi
		mov	ebx, ecx
		mov	[ebp+var_20], ebx
		mov	esi, edi
		test	eax, eax
		jz	short loc_A2FF1A
		mov	esi, 0C000000Dh
		jmp	loc_A300C8
; 

loc_A2FF1A:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+2Aj
		push	edi
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		call	_CmGetMatchingFilteredDeviceInterfaceList
		cmp	eax, 0C0000023h
		jnz	short loc_A2FF3B
		mov	esi, 0C0000121h
		jmp	loc_A300C8
; 

loc_A2FF3B:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+4Bj
		test	eax, eax
		jz	short loc_A2FF46
		mov	esi, eax
		jmp	loc_A300C8
; 

loc_A2FF46:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+59j
		mov	[ebp+var_10], 340h
		mov	[ebp+var_C], 240h
		mov	[ebp+var_8], 140h

loc_A2FF5B:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+B9j
		mov	eax, [ebp+edi*4+var_10]
		test	eax, eax
		jz	short loc_A2FF7B
		test	eax, 0FFFFFCBFh
		jnz	short loc_A2FF7B
		mov	edx, [ebp+var_14]
		mov	ecx, ebx
		push	1
		push	0
		push	eax
		call	__CmDeleteCommonClassRegKey@20 ; _CmDeleteCommonClassRegKey(x,x,x,x,x)
		jmp	short loc_A2FF80
; 

loc_A2FF7B:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+7Dj
					; _CmDeleteInterfaceClassWorker(x,x,x)+84j
		mov	eax, 0C000000Dh

loc_A2FF80:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+95j
		test	eax, eax
		jz	short loc_A2FF99
		cmp	eax, 0C0000034h
		jz	short loc_A2FF99
		cmp	eax, 0C000000Dh
		jz	short loc_A2FF99
		cmp	eax, 0C00000BBh
		jnz	short loc_A2FFA1

loc_A2FF99:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+9Ej
					; _CmDeleteInterfaceClassWorker(x,x,x)+A5j ...
		inc	edi
		cmp	edi, 3
		jb	short loc_A2FF5B
		jmp	short loc_A2FFAB
; 

loc_A2FFA1:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+B3j
		mov	esi, eax
		test	eax, eax
		js	loc_A300C8

loc_A2FFAB:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+BBj
		xor	ebx, ebx
		xor	edi, edi
		and	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx

loc_A2FFB5:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+124j
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		mov	ecx, [ebp+var_20]
		push	eax
		push	ebx
		push	edi
		push	1
		push	0
		call	__CmGetInterfaceClassMappedPropertyKeys@28 ; _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)
		mov	ebx, [ebp+var_18]
		cmp	eax, 0C0000023h
		jnz	short loc_A3000F
		push	14h
		pop	ecx
		mov	eax, ebx
		mul	ecx
		lea	ecx, [ebp+var_1C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_A30021
		test	edi, edi
		jz	short loc_A2FFF5
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A2FFF5:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+107j
		push	52504E50h
		push	[ebp+var_1C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A2FFB5
		mov	eax, 0C0000017h

loc_A3000F:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+EEj
		test	eax, eax
		jz	short loc_A30028
		cmp	eax, 0C0000225h
		jz	short loc_A30028

loc_A3001A:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+142j
					; _CmDeleteInterfaceClassWorker(x,x,x)+1C6j
		mov	esi, eax
		jmp	loc_A300BC
; 

loc_A30021:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+103j
		mov	eax, 0C000000Dh
		jmp	short loc_A3001A
; 

loc_A30028:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+12Dj
					; _CmDeleteInterfaceClassWorker(x,x,x)+134j
		and	[ebp+var_1C], 0
		test	ebx, ebx
		jz	short loc_A30083
		mov	ecx, edi
		mov	[ebp+var_18], edi

loc_A30035:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+199j
		mov	edx, [ebp+var_14]
		push	0		; int
		push	0		; int
		push	0		; int
		push	ecx		; void *
		mov	ecx, [ebp+var_20]
		push	0		; int
		push	0		; int
		call	__CmSetInterfaceClassMappedProperty@32 ; _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_A3006B
		cmp	eax, 0C0000225h
		jz	short loc_A3006B
		cmp	eax, 0C0000022h
		jz	short loc_A3006B
		cmp	eax, 0C0000016h
		jz	short loc_A3006B
		cmp	eax, 0C00000BBh
		jnz	short loc_A30081

loc_A3006B:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+169j
					; _CmDeleteInterfaceClassWorker(x,x,x)+170j ...
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_18]
		inc	eax
		add	ecx, 14h
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], ecx
		cmp	eax, ebx
		jb	short loc_A30035
		jmp	short loc_A30083
; 

loc_A30081:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+185j
		mov	esi, eax

loc_A30083:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+14Aj
					; _CmDeleteInterfaceClassWorker(x,x,x)+19Bj
		test	esi, esi
		js	short loc_A300BC
		mov	ebx, [ebp+var_20]
		mov	ecx, ebx
		mov	edx, [ebp+var_14]
		push	1
		push	0
		push	40h
		call	__CmDeleteCommonClassRegKey@20 ; _CmDeleteCommonClassRegKey(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A300B0
		cmp	eax, 0C0000034h
		jz	short loc_A300B0
		cmp	eax, 0C000000Dh
		jnz	loc_A3001A

loc_A300B0:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+1B8j
					; _CmDeleteInterfaceClassWorker(x,x,x)+1BFj
		mov	edx, [ebp+var_14]
		mov	ecx, ebx
		push	4
		call	__CmRaiseDeleteEvent@12	; _CmRaiseDeleteEvent(x,x,x)

loc_A300BC:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+138j
					; _CmDeleteInterfaceClassWorker(x,x,x)+1A1j
		test	edi, edi
		jz	short loc_A300C8
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A300C8:				; CODE XREF: _CmDeleteInterfaceClassWorker(x,x,x)+31j
					; _CmDeleteInterfaceClassWorker(x,x,x)+52j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
__CmDeleteInterfaceClassWorker@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDeviceInterfaceRegKeySecurityDescriptor(x, x,	x)
__CmGetDeviceInterfaceRegKeySecurityDescriptor@12 proc near
					; CODE XREF: _CmOpenDeviceInterfaceRegKeyWorker+11ADDCp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	eax, eax
		xor	esi, esi
		xor	bl, bl
		mov	[ebp+var_4], eax
		push	edi
		test	edx, edx
		jz	short loc_A30137
		test	edx, 0FFFFFCCCh
		jnz	short loc_A30137
		mov	edi, [ebp+arg_0]
		and	[edi], eax
		test	edx, 0F00h
		jnz	short loc_A30148
		cmp	dl, 32h
		jnz	short loc_A30148
		cmp	[ecx+4], al
		jz	short loc_A30148
		cmp	dword ptr [ecx], 0A000000h
		jb	short loc_A3011B
		inc	bl

loc_A3011B:				; CODE XREF: _CmGetDeviceInterfaceRegKeySecurityDescriptor(x,x,x)+3Cj
		lea	edx, [ebp+var_4]
		mov	cl, bl
		call	_CmGetRegKeySecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_A30132
		mov	ecx, [ebp+var_4]
		mov	[edi], ecx
		jmp	short loc_A30148
; 

loc_A30132:				; CODE XREF: _CmGetDeviceInterfaceRegKeySecurityDescriptor(x,x,x)+4Ej
		mov	eax, [ebp+var_4]
		jmp	short loc_A3013C
; 

loc_A30137:				; CODE XREF: _CmGetDeviceInterfaceRegKeySecurityDescriptor(x,x,x)+15j
					; _CmGetDeviceInterfaceRegKeySecurityDescriptor(x,x,x)+1Dj
		mov	esi, 0C000000Dh

loc_A3013C:				; CODE XREF: _CmGetDeviceInterfaceRegKeySecurityDescriptor(x,x,x)+5Aj
		test	eax, eax
		jz	short loc_A30148
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A30148:				; CODE XREF: _CmGetDeviceInterfaceRegKeySecurityDescriptor(x,x,x)+2Aj
					; _CmGetDeviceInterfaceRegKeySecurityDescriptor(x,x,x)+2Fj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
__CmGetDeviceInterfaceRegKeySecurityDescriptor@12 endp


;  S U B	R O U T	I N E 


; __stdcall _CmIsInstallerClassRegPropWritable(x, x)
__CmIsInstallerClassRegPropWritable@8 proc near
					; CODE XREF: PiPnpRtlCmActionCallback+115874p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		lea	eax, [esi-1]
		cmp	eax, 24h
		ja	short loc_A3018B
		cmp	esi, 25h
		ja	short loc_A3018B
		movzx	eax, ds:byte_A3019D[esi]
		jmp	ds:off_A30195[eax*4]

loc_A30173:				; DATA XREF: PAGE:00A30199o
		movzx	eax, ds:byte_A301CD[esi]
		jmp	ds:off_A301C5[eax*4]

loc_A30181:				; DATA XREF: PAGE:00A301C9o
		mov	al, 1
		jmp	short loc_A30187
; 

loc_A30185:				; CODE XREF: _CmIsInstallerClassRegPropWritable(x,x)+29j
					; DATA XREF: PAGE:off_A301C5o
		mov	al, cl

loc_A30187:				; CODE XREF: _CmIsInstallerClassRegPropWritable(x,x)+32j
		mov	[edx], al
		jmp	short loc_A30190
; 

loc_A3018B:				; CODE XREF: _CmIsInstallerClassRegPropWritable(x,x)+Dj
					; _CmIsInstallerClassRegPropWritable(x,x)+12j ...
		mov	ecx, 0C0000230h

loc_A30190:				; CODE XREF: _CmIsInstallerClassRegPropWritable(x,x)+38j
		mov	eax, ecx
		pop	esi
		retn
__CmIsInstallerClassRegPropWritable@8 endp

; 
		db 90h
off_A30195	dd offset loc_A3018B	; DATA XREF: _CmIsInstallerClassRegPropWritable(x,x)+1Br
		dd offset loc_A30173
byte_A3019D	db 0			; DATA XREF: _CmIsInstallerClassRegPropWritable(x,x)+14r
		align 10h
		dd 0
		dd 100h, 10000h, 1000000h, 1, 1000100h,	101h, 0
		dd 8B000000h
		db 0FFh
off_A301C5	dd offset loc_A30185	; DATA XREF: _CmIsInstallerClassRegPropWritable(x,x)+29r
		dd offset loc_A30181
byte_A301CD	db 0			; DATA XREF: _CmIsInstallerClassRegPropWritable(x,x):loc_A30173r
		align 10h
		dd 0
		dd 100h, 10000h, 1000000h, 1, 1000100h,	101h, 0
		db 3 dup(0)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmMatchLastKnownParentCallback(x, x, x, x)
__CmMatchLastKnownParentCallback@16 proc near ;	DATA XREF: _CmDeleteDeviceWorker(x,x,x)+2FBo

var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= word ptr -194h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 19Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_19C]
		mov	edx, [ebp+arg_4]
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+arg_C]
		push	ebx
		push	eax
		push	190h
		lea	eax, [ebp+var_194]
		mov	[ebp+var_198], ebx
		push	eax
		lea	eax, [ebp+var_198]
		mov	[ebp+var_19C], ebx
		push	eax
		push	offset _DEVPKEY_Device_LastKnownParent ; "&cڃ@S?W;)\n"
		push	ebx
		push	ebx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A3026D
		cmp	[ebp+var_198], 12h
		jnz	short loc_A3026D
		lea	eax, [ebp+var_194]
		push	eax		; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		neg	eax
		pop	ecx
		sbb	al, al
		pop	ecx
		lea	ebx, [eax+1]

loc_A3026D:				; CODE XREF: _CmMatchLastKnownParentCallback(x,x,x,x)+59j
					; _CmMatchLastKnownParentCallback(x,x,x,x)+62j
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
__CmMatchLastKnownParentCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmSetInstallerClassRegProp(x, x, x, x, x, x, x, x)
__CmSetInstallerClassRegProp@32	proc near
					; CODE XREF: PiCMSetRegistryProperty(x,x,x,x,x,x)+FFp
					; _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+BEp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	esi
		mov	esi, [ebp+arg_C]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		push	edi
		mov	edi, [ebx+100h]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_1C], esi
		mov	esi, edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], ecx
		test	edi, edi
		jz	short loc_A30300
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	0Ah
		push	2
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A302F0
		xor	edi, edi
		jmp	short loc_A30300
; 

loc_A302F0:				; CODE XREF: _CmSetInstallerClassRegProp(x,x,x,x,x,x,x,x)+6Bj
		cmp	eax, 0C0000120h
		jnz	short loc_A302FC

loc_A302F7:				; CODE XREF: _CmSetInstallerClassRegProp(x,x,x,x,x,x,x,x)+C1j
		mov	esi, [ebp+var_30]
		jmp	short loc_A3034B
; 

loc_A302FC:				; CODE XREF: _CmSetInstallerClassRegProp(x,x,x,x,x,x,x,x)+76j
		test	eax, eax
		jnz	short loc_A30346

loc_A30300:				; CODE XREF: _CmSetInstallerClassRegProp(x,x,x,x,x,x,x,x)+56j
					; _CmSetInstallerClassRegProp(x,x,x,x,x,x,x,x)+6Fj
		push	[ebp+var_14]
		mov	edx, esi
		mov	ecx, ebx
		push	[ebp+var_18]
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		push	[ebp+var_28]
		call	__CmSetInstallerClassRegPropWorker@32 ;	_CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A3034B
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	0Ah
		push	2
		push	[ebp+var_34]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A3034B
		cmp	eax, 0C0000120h
		jz	short loc_A302F7
		test	eax, eax
		jz	short loc_A3034B

loc_A30346:				; CODE XREF: _CmSetInstallerClassRegProp(x,x,x,x,x,x,x,x)+7Fj
		mov	esi, 0C00000E5h

loc_A3034B:				; CODE XREF: _CmSetInstallerClassRegProp(x,x,x,x,x,x,x,x)+7Bj
					; _CmSetInstallerClassRegProp(x,x,x,x,x,x,x,x)+A0j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
__CmSetInstallerClassRegProp@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmSetInstallerClassRegPropWorker(x, x, x, x, x, x,	x, x)
__CmSetInstallerClassRegPropWorker@32 proc near
					; CODE XREF: _CmSetInstallerClassRegProp(x,x,x,x,x,x,x,x)+97p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= word ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		movzx	eax, [ebp+arg_14]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], edx
		and	[ebp+var_4], esi
		and	[ebp+var_8], esi
		mov	[ebp+var_C], ecx
		push	edi
		test	eax, eax
		jz	short loc_A30389

loc_A3037F:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+41j
					; _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+99j ...
		mov	esi, 0C000000Dh
		jmp	loc_A3056A
; 

loc_A30389:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+1Fj
		mov	ebx, [ebp+arg_10]
		test	ebx, ebx
		jnz	short loc_A30397
		xor	edx, edx
		mov	[ebp+arg_C], edx
		jmp	short loc_A303A1
; 

loc_A30397:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+30j
		mov	edx, [ebp+arg_C]
		mov	[ebp+arg_C], edx
		test	edx, edx
		jz	short loc_A3037F

loc_A303A1:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+37j
		mov	edi, [ebp+arg_4]
		lea	eax, [edi-1]
		cmp	eax, 24h
		ja	loc_A30549
		cmp	edi, 25h
		ja	loc_A30549
		movzx	eax, ds:byte_A3057E[edi]
		jmp	ds:off_A30576[eax*4]

loc_A303C7:				; DATA XREF: PAGE:00A3057Ao
		movzx	eax, ds:byte_A305AE[edi]
		jmp	ds:off_A305A6[eax*4]

loc_A303D5:				; DATA XREF: PAGE:off_A305A6o
		mov	esi, 0C0000022h
		jmp	loc_A3056A
; 

loc_A303DF:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+70j
					; DATA XREF: PAGE:00A305AAo
		mov	ecx, edi
		call	__MapCmClassPropertyToRegType@4	; _MapCmClassPropertyToRegType(x)
		test	eax, eax
		jnz	short loc_A303F4
		mov	esi, 0C0000230h
		jmp	loc_A3056A
; 

loc_A303F4:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+8Aj
		cmp	[ebp+arg_8], eax
		jnz	short loc_A3037F
		cmp	edi, 8
		jz	short loc_A3042A
		cmp	edi, 18h
		jnz	short loc_A30433
		test	ebx, ebx
		jz	short loc_A30433
		push	0
		push	ebx
		push	edx
		call	_RtlValidRelativeSecurityDescriptor@12 ; RtlValidRelativeSecurityDescriptor(x,x,x)
		test	al, al
		jz	short loc_A30420
		push	[ebp+arg_C]
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		cmp	eax, ebx
		jz	short loc_A30433

loc_A30420:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+B4j
		mov	esi, 0C000000Dh
		jmp	loc_A3054E
; 

loc_A3042A:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+9Ej
		cmp	ebx, 40h
		ja	loc_A3037F

loc_A30433:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+A3j
					; _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+A7j ...
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jnz	short loc_A3045F
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	2000006h
		push	ecx
		mov	ecx, [ebp+var_C]
		push	20h
		call	_CmOpenCommonClassRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_A3054E

loc_A3045F:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+DAj
		cmp	edi, 8
		jz	short loc_A3049E
		cmp	edi, 0Dh
		jz	short loc_A3049E
		cmp	edi, 11h
		jle	short loc_A30473
		cmp	edi, 13h
		jle	short loc_A3049E

loc_A30473:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+10Ej
		mov	edx, ebx
		test	ebx, ebx
		jnz	short loc_A3047C
		mov	edx, [ebp+var_4]

loc_A3047C:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+119j
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_C]
		push	1
		push	2
		push	0
		call	_PnpOpenPropertiesKey
		mov	esi, eax
		test	esi, esi
		js	loc_A3054E
		mov	ecx, [ebp+var_8]
		jmp	short loc_A304A5
; 

loc_A3049E:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+104j
					; _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+109j ...
		test	ebx, ebx
		jnz	short loc_A304AA
		mov	ecx, [ebp+var_4]

loc_A304A5:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+13Ej
		mov	dword ptr [ebp+arg_14],	ecx
		jmp	short loc_A304AF
; 

loc_A304AA:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+142j
		mov	ecx, ebx
		mov	dword ptr [ebp+arg_14],	ebx

loc_A304AF:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+14Aj
		test	esi, esi
		js	loc_A3054E
		mov	edx, edi
		call	__MapCmClassPropertyToRegValue@8 ; _MapCmClassPropertyToRegValue(x,x)
		test	eax, eax
		jz	loc_A30549
		cmp	[ebp+arg_10], 0
		jnz	short loc_A30509
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A304F2
		lea	eax, [ebp+var_18]
		push	eax
		push	dword ptr [ebp+arg_14]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		mov	esi, eax

loc_A304F2:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+184j
		cmp	esi, 0C0000034h
		jz	short loc_A30502
		cmp	esi, 0C000017Ch
		jnz	short loc_A3052D

loc_A30502:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+19Aj
		mov	esi, 0C0000225h
		jmp	short loc_A3052D
; 

loc_A30509:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+16Cj
		push	[ebp+arg_10]
		mov	edx, eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jnz	short loc_A30527
		mov	esi, 0C0000034h
		jmp	short loc_A3054E
; 

loc_A30527:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+1C0j
		test	eax, eax
		jns	short loc_A3052D
		mov	esi, eax

loc_A3052D:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+1A2j
					; _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+1A9j ...
		test	esi, esi
		js	short loc_A3054E
		test	ebx, ebx
		jnz	short loc_A30538
		mov	ebx, [ebp+var_4]

loc_A30538:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+1D5j
		mov	edx, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		push	edi
		push	ebx
		push	2
		call	_CmRaisePropertyChangeEvent
		jmp	short loc_A3054E
; 

loc_A30549:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+4Cj
					; _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+55j ...
		mov	esi, 0C0000230h

loc_A3054E:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+C7j
					; _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+FBj ...
		cmp	[ebp+var_8], 0
		jz	short loc_A3055C
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_A3055C:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+1F4j
		cmp	[ebp+var_4], 0
		jz	short loc_A3056A
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A3056A:				; CODE XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+26j
					; _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+7Cj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
__CmSetInstallerClassRegPropWorker@32 endp

; 
		db 8Dh
		db 49h,	0
off_A30576	dd offset loc_A30549	; DATA XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+62r
		dd offset loc_A303C7
byte_A3057E	db 0			; DATA XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+5Br
		align 10h
		dd 0
		dd 10000h, 1000000h, 0
		dd 101h, 10000h, 10101h, 2 dup(0)
		db 8Bh,	0FFh
off_A305A6	dd offset loc_A303D5	; DATA XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x)+70r
		dd offset loc_A303DF
byte_A305AE	db 0			; DATA XREF: _CmSetInstallerClassRegPropWorker(x,x,x,x,x,x,x,x):loc_A303C7r
		align 10h
		dd 0
		dd 10000h, 1000000h, 0
		dd 101h, 10000h, 10101h, 2 dup(0)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDeviceContainer(x,	x, x)
__CmDeleteDeviceContainer@12 proc near	; CODE XREF: _CmAddDeviceToContainerWorker+6E83Dp
					; _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+13Bp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		lea	eax, [ebp+var_30]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], esi
		mov	ebx, ecx
		call	_memset
		mov	edi, [ebx+100h]
		add	esp, 0Ch
		test	edi, edi
		jz	short loc_A30633
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	3
		push	5
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A30623
		xor	edi, edi
		jmp	short loc_A30633
; 

loc_A30623:				; CODE XREF: _CmDeleteDeviceContainer(x,x,x)+49j
		cmp	eax, 0C0000120h
		jnz	short loc_A3062F

loc_A3062A:				; CODE XREF: _CmDeleteDeviceContainer(x,x,x)+90j
		mov	esi, [ebp+var_30]
		jmp	short loc_A3066F
; 

loc_A3062F:				; CODE XREF: _CmDeleteDeviceContainer(x,x,x)+54j
		test	eax, eax
		jnz	short loc_A3066A

loc_A30633:				; CODE XREF: _CmDeleteDeviceContainer(x,x,x)+34j
					; _CmDeleteDeviceContainer(x,x,x)+4Dj
		push	[ebp+var_28]
		mov	edx, esi
		mov	ecx, ebx
		call	__CmDeleteDeviceContainerWorker@12 ; _CmDeleteDeviceContainerWorker(x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A3066F
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	3
		push	5
		push	[ebp+var_34]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A3066F
		cmp	eax, 0C0000120h
		jz	short loc_A3062A
		test	eax, eax
		jz	short loc_A3066F

loc_A3066A:				; CODE XREF: _CmDeleteDeviceContainer(x,x,x)+5Dj
		mov	esi, 0C00000E5h

loc_A3066F:				; CODE XREF: _CmDeleteDeviceContainer(x,x,x)+59j
					; _CmDeleteDeviceContainer(x,x,x)+6Fj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
__CmDeleteDeviceContainer@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDeviceContainerRegKey(x, x, x, x, x)
__CmDeleteDeviceContainerRegKey@20 proc	near
					; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+34p
					; _CmDeleteDeviceContainerWorker(x,x,x)+140p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		lea	eax, [ebp+var_30]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], esi
		mov	ebx, ecx
		call	_memset
		mov	edi, [ebx+100h]
		add	esp, 0Ch
		and	[ebp+var_24], 0
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_28], eax
		mov	byte ptr [ebp+var_20], 1
		test	edi, edi
		jz	short loc_A306EF
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	0Ch
		push	5
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A306DF
		xor	edi, edi
		jmp	short loc_A306EF
; 

loc_A306DF:				; CODE XREF: _CmDeleteDeviceContainerRegKey(x,x,x,x,x)+57j
		cmp	eax, 0C0000120h
		jnz	short loc_A306EB

loc_A306E6:				; CODE XREF: _CmDeleteDeviceContainerRegKey(x,x,x,x,x)+A2j
		mov	esi, [ebp+var_30]
		jmp	short loc_A3072F
; 

loc_A306EB:				; CODE XREF: _CmDeleteDeviceContainerRegKey(x,x,x,x,x)+62j
		test	eax, eax
		jnz	short loc_A3072A

loc_A306EF:				; CODE XREF: _CmDeleteDeviceContainerRegKey(x,x,x,x,x)+42j
					; _CmDeleteDeviceContainerRegKey(x,x,x,x,x)+5Bj
		push	[ebp+var_20]
		mov	edx, esi
		push	ecx
		push	[ebp+var_28]
		mov	ecx, ebx
		call	__CmDeleteDeviceContainerRegKeyWorker@20 ; _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A3072F
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	0Ch
		push	5
		push	[ebp+var_34]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A3072F
		cmp	eax, 0C0000120h
		jz	short loc_A306E6
		test	eax, eax
		jz	short loc_A3072F

loc_A3072A:				; CODE XREF: _CmDeleteDeviceContainerRegKey(x,x,x,x,x)+6Bj
		mov	esi, 0C00000E5h

loc_A3072F:				; CODE XREF: _CmDeleteDeviceContainerRegKey(x,x,x,x,x)+67j
					; _CmDeleteDeviceContainerRegKey(x,x,x,x,x)+81j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
__CmDeleteDeviceContainerRegKey@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDeviceContainerRegKeyWorker(x, x, x, x, x)
__CmDeleteDeviceContainerRegKeyWorker@20 proc near
					; CODE XREF: _CmDeleteDeviceContainerRegKey(x,x,x,x,x)+78p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		mov	[ebp+var_14], edx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_C], eax
		push	esi
		push	edi
		mov	edi, eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		cmp	[ebp+arg_0], eax
		jz	loc_A30912
		test	[ebp+arg_0], 0FFFFFEAFh
		jnz	loc_A30912
		mov	esi, 104h
		mov	[ebp+var_8], esi
		jmp	short loc_A307CF
; 

loc_A30785:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+9Ej
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_C]
		push	eax		; int
		mov	ecx, esi
		shr	ecx, 1
		push	ecx		; int
		push	edi		; void *
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_0]	; int
		call	__CmGetDeviceContainerRegKeyPath@32 ; _CmGetDeviceContainerRegKeyPath(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_A307E7
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_C]
		xor	edi, edi
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A30917
		mov	esi, [ebp+var_8]

loc_A307CF:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+41j
		push	52504E50h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A30785
		mov	esi, 0C0000017h

loc_A307E7:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+62j
		test	esi, esi
		js	loc_A30917
		test	[ebp+arg_0], 100h
		jnz	loc_A3089C
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A30917
		mov	cx, word ptr [ebp+var_1C]
		movzx	eax, cx
		cmp	eax, [ebp+var_8]
		jnb	loc_A30912
		push	32h
		pop	eax
		cmp	cx, ax
		jbe	loc_A30912
		push	1
		lea	eax, [ebp+var_1C]
		push	eax
		push	(offset	loc_404F8D+3)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_A30912
		mov	eax, 0FFCEh
		lea	esi, [edi+32h]
		add	word ptr [ebp+var_1C], ax
		add	word ptr [ebp+var_1C+2], ax
		lea	eax, [ebp+var_1C]
		push	1
		push	eax
		push	(offset	loc_404FAF+1)
		mov	[ebp+arg_0], esi
		mov	[ebp+var_18], esi
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A30874
		add	esi, 32h
		mov	[ebp+arg_0], esi

loc_A30874:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+12Aj
		xor	edx, edx
		lea	ecx, [ebp+var_10]
		test	al, al
		push	ecx
		setnz	dl
		mov	ecx, ebx
		dec	edx
		and	edx, 0FFFFFFFAh
		add	edx, 0Ah
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A30917
		mov	ecx, [ebp+var_10]
		jmp	short loc_A308C3
; 

loc_A3089C:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+B4j
		mov	[ebp+arg_0], edi
		test	ebx, ebx
		jnz	short loc_A308A7
		xor	ecx, ecx
		jmp	short loc_A308AA
; 

loc_A308A7:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+15Fj
		mov	ecx, [ebx+74h]

loc_A308AA:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+163j
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		push	2000000h
		call	__SysCtxRegOpenCurrentUserKey@16 ; _SysCtxRegOpenCurrentUserKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A30917
		mov	ecx, [ebp+var_4]

loc_A308C3:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+158j
		cmp	[ebp+arg_8], 0
		jz	short loc_A308E8
		test	ebx, ebx
		jz	short loc_A308D9
		mov	eax, [ebx+74h]
		test	eax, eax
		jz	short loc_A308D9
		mov	eax, [eax+4]
		jmp	short loc_A308DB
; 

loc_A308D9:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+189j
					; _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+190j
		xor	eax, eax

loc_A308DB:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+195j
		mov	edx, [ebp+arg_0]
		push	0
		push	eax
		call	_RegRtlDeleteTreeInternal
		jmp	short loc_A30903
; 

loc_A308E8:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+185j
		test	ebx, ebx
		jz	short loc_A308F8
		mov	eax, [ebx+74h]
		test	eax, eax
		jz	short loc_A308F8
		mov	eax, [eax+4]
		jmp	short loc_A308FA
; 

loc_A308F8:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+1A8j
					; _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+1AFj
		xor	eax, eax

loc_A308FA:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+1B4j
		mov	edx, [ebp+arg_0]
		push	eax
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)

loc_A30903:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+1A4j
		cmp	eax, 0C000017Ch
		jz	short loc_A30917
		test	eax, eax
		jns	short loc_A30917
		mov	esi, eax
		jmp	short loc_A30917
; 

loc_A30912:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+26j
					; _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+33j ...
		mov	esi, 0C000000Dh

loc_A30917:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+84j
					; _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+A7j ...
		cmp	[ebp+var_4], 0
		jz	short loc_A30925
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A30925:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+1D9j
		test	edi, edi
		jz	short loc_A30931
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A30931:				; CODE XREF: _CmDeleteDeviceContainerRegKeyWorker(x,x,x,x,x)+1E5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
__CmDeleteDeviceContainerRegKeyWorker@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDeviceContainerWorker(x, x, x)
__CmDeleteDeviceContainerWorker@12 proc	near
					; CODE XREF: _CmDeleteDeviceContainer(x,x,x)+66p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		movzx	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_4], ecx
		push	edi
		test	eax, eax
		jz	short loc_A3095F
		mov	esi, 0C000000Dh
		jmp	loc_A30AAD
; 

loc_A3095F:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+19j
		mov	dword ptr [ebp+arg_0], 150h
		xor	edi, edi

loc_A30968:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+5Ej
		push	ecx
		push	ecx
		push	dword ptr [ebp+edi*4+arg_0]
		call	__CmDeleteDeviceContainerRegKey@20 ; _CmDeleteDeviceContainerRegKey(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A3098C
		cmp	eax, 0C0000034h
		jz	short loc_A3098C
		cmp	eax, 0C000000Dh
		jz	short loc_A3098C
		cmp	eax, 0C00000BBh
		jnz	short loc_A3099A

loc_A3098C:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+3Bj
					; _CmDeleteDeviceContainerWorker(x,x,x)+42j ...
		inc	edi
		cmp	edi, 1
		jnb	short loc_A309A4
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_4]
		jmp	short loc_A30968
; 

loc_A3099A:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+50j
		mov	esi, eax
		test	eax, eax
		js	loc_A30AAD

loc_A309A4:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+56j
		xor	ebx, ebx
		xor	edi, edi
		and	[ebp+var_8], ebx
		mov	dword ptr [ebp+arg_0], ebx

loc_A309AE:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+BFj
		lea	eax, [ebp+arg_0]
		push	eax
		push	ebx
		push	edi
		push	ecx
		push	ecx
		call	__CmGetDeviceContainerMappedPropertyKeys@28 ; _CmGetDeviceContainerMappedPropertyKeys(x,x,x,x,x,x,x)
		mov	ebx, dword ptr [ebp+arg_0]
		cmp	eax, 0C0000023h
		jnz	short loc_A30A00
		push	14h
		pop	ecx
		mov	eax, ebx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_A30A12
		test	edi, edi
		jz	short loc_A309E6
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A309E6:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+A2j
		push	52504E50h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A309AE
		mov	eax, 0C0000017h

loc_A30A00:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+89j
		test	eax, eax
		jz	short loc_A30A19
		cmp	eax, 0C0000225h
		jz	short loc_A30A19

loc_A30A0B:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+DDj
					; _CmDeleteDeviceContainerWorker(x,x,x)+155j
		mov	esi, eax
		jmp	loc_A30AA1
; 

loc_A30A12:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+9Ej
		mov	eax, 0C000000Dh
		jmp	short loc_A30A0B
; 

loc_A30A19:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+C8j
					; _CmDeleteDeviceContainerWorker(x,x,x)+CFj
		and	dword ptr [ebp+arg_0], 0
		test	ebx, ebx
		jz	short loc_A30A6A
		mov	eax, edi
		mov	[ebp+var_8], edi

loc_A30A26:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+12Aj
		sub	esp, 0Ch
		push	eax
		push	0
		push	ecx
		call	_CmSetDeviceContainerMappedProperty
		test	eax, eax
		jz	short loc_A30A52
		cmp	eax, 0C0000225h
		jz	short loc_A30A52
		cmp	eax, 0C0000022h
		jz	short loc_A30A52
		cmp	eax, 0C0000016h
		jz	short loc_A30A52
		cmp	eax, 0C00000BBh
		jnz	short loc_A30A68

loc_A30A52:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+FAj
					; _CmDeleteDeviceContainerWorker(x,x,x)+101j ...
		mov	ecx, dword ptr [ebp+arg_0]
		mov	eax, [ebp+var_8]
		inc	ecx
		add	eax, 14h
		mov	dword ptr [ebp+arg_0], ecx
		mov	[ebp+var_8], eax
		cmp	ecx, ebx
		jb	short loc_A30A26
		jmp	short loc_A30A6A
; 

loc_A30A68:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+116j
		mov	esi, eax

loc_A30A6A:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+E5j
					; _CmDeleteDeviceContainerWorker(x,x,x)+12Cj
		test	esi, esi
		js	short loc_A30AA1
		mov	ebx, [ebp+var_C]
		mov	edx, ebx
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_4]
		push	50h
		call	__CmDeleteDeviceContainerRegKey@20 ; _CmDeleteDeviceContainerRegKey(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A30A95
		cmp	eax, 0C0000034h
		jz	short loc_A30A95
		cmp	eax, 0C000000Dh
		jnz	loc_A30A0B

loc_A30A95:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+147j
					; _CmDeleteDeviceContainerWorker(x,x,x)+14Ej
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		push	5
		call	__CmRaiseDeleteEvent@12	; _CmRaiseDeleteEvent(x,x,x)

loc_A30AA1:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+D3j
					; _CmDeleteDeviceContainerWorker(x,x,x)+132j
		test	edi, edi
		jz	short loc_A30AAD
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A30AAD:				; CODE XREF: _CmDeleteDeviceContainerWorker(x,x,x)+20j
					; _CmDeleteDeviceContainerWorker(x,x,x)+64j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
__CmDeleteDeviceContainerWorker@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmEnumDevicesInContainerWithCallback(x, x,	x, x, x, x)
__CmEnumDevicesInContainerWithCallback@24 proc near
					; CODE XREF: PiDcResetChildDeviceContainers(x,x)+58p
					; _CmGetContainerBooleanProperty(x,x,x,x,x,x,x,x)+45p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_34], edx
		mov	edx, ecx
		xor	ecx, ecx
		mov	[ebp+var_38], edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, [edx+100h]
		mov	[ebp+var_28], esi
		mov	esi, [ebp+var_34]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_20], eax
		mov	[ebp+var_1C], ecx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_24], edi
		test	ebx, ebx
		jz	short loc_A30B35
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	0Fh
		push	5
		push	esi
		push	edx
		call	ebx
		cmp	eax, 0C0000002h
		jnz	short loc_A30B25
		xor	ebx, ebx
		jmp	short loc_A30B35
; 

loc_A30B25:				; CODE XREF: _CmEnumDevicesInContainerWithCallback(x,x,x,x,x,x)+69j
		cmp	eax, 0C0000120h
		jnz	short loc_A30B31

loc_A30B2C:				; CODE XREF: _CmEnumDevicesInContainerWithCallback(x,x,x,x,x,x)+BCj
		mov	esi, [ebp+var_30]
		jmp	short loc_A30B7D
; 

loc_A30B31:				; CODE XREF: _CmEnumDevicesInContainerWithCallback(x,x,x,x,x,x)+74j
		test	eax, eax
		jnz	short loc_A30B78

loc_A30B35:				; CODE XREF: _CmEnumDevicesInContainerWithCallback(x,x,x,x,x,x)+54j
					; _CmEnumDevicesInContainerWithCallback(x,x,x,x,x,x)+6Dj
		push	[ebp+var_1C]
		mov	edi, [ebp+var_38]
		mov	edx, esi
		push	[ebp+var_20]
		mov	ecx, edi
		push	[ebp+var_24]
		push	[ebp+var_28]
		call	__CmEnumDevicesInContainerWithCallbackWorker@24	; _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_A30B7D
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	0Fh
		push	5
		push	[ebp+var_34]
		push	edi
		call	ebx
		cmp	eax, 0C0000002h
		jz	short loc_A30B7D
		cmp	eax, 0C0000120h
		jz	short loc_A30B2C
		test	eax, eax
		jz	short loc_A30B7D

loc_A30B78:				; CODE XREF: _CmEnumDevicesInContainerWithCallback(x,x,x,x,x,x)+7Dj
		mov	esi, 0C00000E5h

loc_A30B7D:				; CODE XREF: _CmEnumDevicesInContainerWithCallback(x,x,x,x,x,x)+79j
					; _CmEnumDevicesInContainerWithCallback(x,x,x,x,x,x)+9Bj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
__CmEnumDevicesInContainerWithCallback@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmEnumDevicesInContainerWithCallbackWorker(x, x, x, x, x, x)
__CmEnumDevicesInContainerWithCallbackWorker@24	proc near
					; CODE XREF: _CmEnumDevicesInContainerWithCallback(x,x,x,x,x,x)+92p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		movzx	eax, word ptr [ebp+arg_C]
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_14], esi
		push	edi
		mov	edi, esi
		test	eax, eax
		jz	short loc_A30BBC
		mov	esi, 0C000000Dh
		jmp	loc_A30D67
; 

loc_A30BBC:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+20j
		cmp	[ebp+arg_0], esi
		jnz	short loc_A30BE2
		push	esi
		push	esi
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		push	1
		push	5
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_A30D32
		mov	edx, [ebp+var_8]
		test	edx, edx
		jnz	short loc_A30BE5

loc_A30BE2:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+2Fj
		mov	edx, [ebp+arg_0]

loc_A30BE5:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+50j
		test	ebx, ebx
		jnz	short loc_A30BED
		xor	ecx, ecx
		jmp	short loc_A30BF0
; 

loc_A30BED:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+57j
		mov	ecx, [ebx+74h]

loc_A30BF0:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+5Bj
		lea	eax, [ebp+var_4]
		push	eax
		push	8
		push	0
		push	offset ??_C@_1BO@HPNNFMNF@?$AAB?$AAa?$AAs?$AAe?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAs@NNGAKEGL@ ; "BaseContainers"
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A30D32
		push	52504E50h
		push	190h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A30C2D
		mov	esi, 0C0000017h
		jmp	loc_A30D3F
; 

loc_A30C2D:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+91j
		xor	eax, eax

loc_A30C2F:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+19Bj
		mov	[ebp+var_10], eax

loc_A30C32:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+D3j
		and	[ebp+arg_0], 0
		lea	ecx, [ebp+arg_C]
		push	ecx
		mov	ecx, [ebp+var_4]
		mov	edx, eax
		push	edi
		mov	[ebp+arg_C], 0C8h
		call	_RegRtlEnumKey
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	loc_A30D30
		mov	eax, [ebp+var_10]
		cmp	esi, 0C0000023h
		jz	short loc_A30C32
		test	esi, esi
		js	loc_A30D32
		test	ebx, ebx
		jnz	short loc_A30C75
		xor	ecx, ecx
		jmp	short loc_A30C78
; 

loc_A30C75:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+DFj
		mov	ecx, [ebx+74h]

loc_A30C78:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+E3j
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+arg_0]
		push	eax
		push	1
		push	0
		push	edi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A30D32
		xor	eax, eax

loc_A30C95:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+155j
		mov	[ebp+var_C], eax

loc_A30C98:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+139j
		push	0		; int
		push	0		; void *
		lea	ecx, [ebp+var_18]
		mov	[ebp+arg_C], 0C8h
		push	ecx		; int
		lea	ecx, [ebp+arg_C]
		mov	edx, eax
		push	ecx		; int
		mov	ecx, [ebp+arg_0]
		push	edi		; void *
		call	_RegRtlEnumValue
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	short loc_A30D04
		mov	eax, [ebp+var_C]
		cmp	esi, 0C0000023h
		jz	short loc_A30C98
		test	esi, esi
		js	short loc_A30D06
		push	[ebp+arg_8]
		push	edi
		push	ebx
		call	[ebp+arg_4]
		mov	ecx, eax
		mov	[ebp+var_14], eax
		sub	ecx, 0
		jnz	short loc_A30CE7
		mov	eax, [ebp+var_C]
		inc	eax
		jmp	short loc_A30C95
; 

loc_A30CE7:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+14Fj
		sub	ecx, 1
		jz	short loc_A30D06
		sub	ecx, 1
		jz	short loc_A30D06
		sub	ecx, 1
		jz	short loc_A30CFD
		mov	esi, 0C00000E5h
		jmp	short loc_A30D06
; 

loc_A30CFD:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+164j
		mov	esi, 0C0000240h
		jmp	short loc_A30D06
; 

loc_A30D04:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+12Ej
		xor	esi, esi

loc_A30D06:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+13Dj
					; _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+15Aj ...
		cmp	[ebp+arg_0], 0
		jz	short loc_A30D14
		push	[ebp+arg_0]
		call	_ZwClose@4	; ZwClose(x)

loc_A30D14:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+17Aj
		test	esi, esi
		js	short loc_A30D32
		mov	ecx, [ebp+var_14]
		cmp	ecx, 2
		jz	short loc_A30D32
		mov	eax, [ebp+var_10]
		inc	eax
		dec	ecx
		neg	ecx
		sbb	ecx, ecx
		and	eax, ecx
		jmp	loc_A30C2F
; 

loc_A30D30:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+C4j
		xor	esi, esi

loc_A30D32:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+45j
					; _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+76j	...
		cmp	esi, 0C000017Ch
		jnz	short loc_A30D3F
		mov	esi, 0C0000034h

loc_A30D3F:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+98j
					; _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+1A8j
		cmp	[ebp+var_4], 0
		jz	short loc_A30D4D
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A30D4D:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+1B3j
		test	edi, edi
		jz	short loc_A30D59
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A30D59:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+1BFj
		cmp	[ebp+var_8], 0
		jz	short loc_A30D67
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_A30D67:				; CODE XREF: _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+27j
					; _CmEnumDevicesInContainerWithCallbackWorker(x,x,x,x,x,x)+1CDj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
__CmEnumDevicesInContainerWithCallbackWorker@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetContainerBooleanProperty(x, x, x, x, x, x, x,	x)
__CmGetContainerBooleanProperty@32 proc	near
					; CODE XREF: _CmGetDeviceContainerMappedProperty+13367Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_14]
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		cmp	[ebp+arg_10], 1
		mov	dword ptr [eax], 1
		mov	eax, [ebp+arg_8]
		mov	dword ptr [eax], 11h
		jnb	short loc_A30D9E
		mov	eax, 0C0000023h
		jmp	short locret_A30DC2
; 

loc_A30D9E:				; CODE XREF: _CmGetContainerBooleanProperty(x,x,x,x,x,x,x,x)+25j
		mov	eax, [ebp+arg_4]
		push	ecx
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	offset __CmGetContainerBooleanPropertyCallback@12 ; _CmGetContainerBooleanPropertyCallback(x,x,x)
		push	[ebp+arg_0]
		mov	byte ptr [ebp+var_4], 0
		call	__CmEnumDevicesInContainerWithCallback@24 ; _CmEnumDevicesInContainerWithCallback(x,x,x,x,x,x)
		mov	edx, [ebp+arg_C]
		mov	cl, byte ptr [ebp+var_4]
		mov	[edx], cl

locret_A30DC2:				; CODE XREF: _CmGetContainerBooleanProperty(x,x,x,x,x,x,x,x)+2Cj
		leave
		retn	18h
__CmGetContainerBooleanProperty@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetContainerBooleanPropertyCallback(x, x, x)
__CmGetContainerBooleanPropertyCallback@12 proc	near
					; DATA XREF: _CmGetContainerBooleanProperty(x,x,x,x,x,x,x,x)+39o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	byte ptr [ebp+var_1], bl
		test	esi, esi
		jz	short loc_A30E13
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	eax
		push	1
		lea	eax, [ebp+var_1]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	dword ptr [esi]
		push	ebx
		push	ebx
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A30E13
		cmp	byte ptr [ebp+var_1], 0FFh
		jnz	short loc_A30E13
		push	2
		mov	byte ptr [esi+4], 0FFh
		pop	ebx

loc_A30E13:				; CODE XREF: _CmGetContainerBooleanPropertyCallback(x,x,x)+1Aj
					; _CmGetContainerBooleanPropertyCallback(x,x,x)+3Ej ...
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	0Ch
__CmGetContainerBooleanPropertyCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDeviceContainerMappedPropertyKeys(x, x, x, x,	x, x, x)
__CmGetDeviceContainerMappedPropertyKeys@28 proc near
					; CODE XREF: _PnpDispatchDeviceContainer+1336B6p
					; _CmDeleteDeviceContainerWorker(x,x,x)+7Cp

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_10]
		xor	eax, eax
		push	esi
		push	edi
		and	[ebx], eax
		xor	esi, esi
		mov	[ebp+arg_10], esi

loc_A30E2F:				; CODE XREF: _CmGetDeviceContainerMappedPropertyKeys(x,x,x,x,x,x,x)+53j
		mov	edx, ds:off_404C40[esi]
		test	edx, edx
		jz	short loc_A30E65
		cmp	[ebp+arg_8], 0
		jz	short loc_A30E56
		mov	eax, [ebx]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_A30E56
		imul	edi, eax, 14h
		mov	esi, edx
		push	5
		pop	ecx
		add	edi, [ebp+arg_8]
		rep movsd
		mov	esi, [ebp+arg_10]

loc_A30E56:				; CODE XREF: _CmGetDeviceContainerMappedPropertyKeys(x,x,x,x,x,x,x)+22j
					; _CmGetDeviceContainerMappedPropertyKeys(x,x,x,x,x,x,x)+29j
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A30E72

loc_A30E65:				; CODE XREF: _CmGetDeviceContainerMappedPropertyKeys(x,x,x,x,x,x,x)+1Cj
		add	esi, 8
		mov	[ebp+arg_10], esi
		cmp	esi, 20h
		jb	short loc_A30E2F
		jmp	short loc_A30E75
; 

loc_A30E72:				; CODE XREF: _CmGetDeviceContainerMappedPropertyKeys(x,x,x,x,x,x,x)+48j
		and	dword ptr [ebx], 0

loc_A30E75:				; CODE XREF: _CmGetDeviceContainerMappedPropertyKeys(x,x,x,x,x,x,x)+55j
		pop	edi
		test	eax, eax
		js	short loc_A30E86
		mov	eax, [ebp+arg_C]
		cmp	eax, [ebx]
		sbb	eax, eax
		and	eax, 0C0000023h

loc_A30E86:				; CODE XREF: _CmGetDeviceContainerMappedPropertyKeys(x,x,x,x,x,x,x)+5Dj
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
__CmGetDeviceContainerMappedPropertyKeys@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetDeviceContainerMappedPropertyLocales(int,void *,int,int,int)
__CmGetDeviceContainerMappedPropertyLocales@28 proc near
					; CODE XREF: _PnpDispatchDeviceContainer+1336D0p

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		push	edi
		mov	esi, 0C0000016h
		and	dword ptr [ebx], 0
		xor	edi, edi
		mov	edx, [ecx+10h]
		mov	[ebp+arg_10], edx

loc_A30EAA:				; CODE XREF: _CmGetDeviceContainerMappedPropertyLocales(x,x,x,x,x,x,x)+45j
		mov	eax, ds:off_404C40[edi]
		cmp	edx, [eax+10h]
		jnz	short loc_A30ECB
		push	10h		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A30ED5
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_10]

loc_A30ECB:				; CODE XREF: _CmGetDeviceContainerMappedPropertyLocales(x,x,x,x,x,x,x)+27j
		add	edi, 8
		cmp	edi, 20h
		jb	short loc_A30EAA
		jmp	short loc_A30EF0
; 

loc_A30ED5:				; CODE XREF: _CmGetDeviceContainerMappedPropertyLocales(x,x,x,x,x,x,x)+37j
		xor	eax, eax
		inc	eax
		mov	[ebx], eax
		cmp	[ebp+arg_C], eax
		jb	short loc_A30EEB
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		xor	esi, esi
		mov	[eax], cx
		jmp	short loc_A30EF0
; 

loc_A30EEB:				; CODE XREF: _CmGetDeviceContainerMappedPropertyLocales(x,x,x,x,x,x,x)+51j
		mov	esi, 0C0000023h

loc_A30EF0:				; CODE XREF: _CmGetDeviceContainerMappedPropertyLocales(x,x,x,x,x,x,x)+47j
					; _CmGetDeviceContainerMappedPropertyLocales(x,x,x,x,x,x,x)+5Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
__CmGetDeviceContainerMappedPropertyLocales@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDevicesInBaseContainerList(x,	x, x, x)
__CmGetDevicesInBaseContainerList@16 proc near
					; CODE XREF: _CmMoveBaseContainer(x,x,x,x)+29p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_14], eax
		mov	edi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebx], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	0Ah
		mov	[ebp+var_20], edx
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3103E
		test	edi, edi
		jnz	short loc_A30F43
		xor	ecx, ecx
		jmp	short loc_A30F46
; 

loc_A30F43:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+44j
		mov	ecx, [edi+74h]

loc_A30F46:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+48j
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_10]
		push	eax
		push	1
		push	0
		push	[ebp+var_20]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3103E
		test	edi, edi
		jnz	short loc_A30F6B
		xor	ecx, ecx
		jmp	short loc_A30F6E
; 

loc_A30F6B:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+6Cj
		mov	ecx, [edi+74h]

loc_A30F6E:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+70j
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_C]
		push	eax
		push	1
		push	0
		push	offset ??_C@_1BO@HPNNFMNF@?$AAB?$AAa?$AAs?$AAe?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAs@NNGAKEGL@ ; "BaseContainers"
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3103E
		test	edi, edi
		jnz	short loc_A30F95
		xor	ecx, ecx
		jmp	short loc_A30F98
; 

loc_A30F95:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+96j
		mov	ecx, [edi+74h]

loc_A30F98:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+9Aj
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		push	eax
		push	3
		push	0
		push	[ebp+arg_0]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3103E
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_18]
		push	0
		push	eax
		lea	eax, [ebp+var_1C]
		xor	edx, edx
		push	eax
		push	0
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A3103E
		mov	edi, [ebp+var_18]
		inc	edi
		imul	edi, [ebp+var_1C]
		push	52504E50h
		inc	edi
		lea	eax, [edi+edi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_A30FF7
		mov	esi, 0C0000017h
		jmp	short loc_A31050
; 

loc_A30FF7:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+F5j
		mov	edx, eax
		xor	ecx, ecx

loc_A30FFB:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+141j
		push	0		; int
		push	0		; void *
		lea	eax, [edi-1]
		mov	[ebp+var_8], edx
		mov	[ebp+arg_4], eax
		lea	eax, [ebp+arg_4]
		push	0		; int
		push	eax		; int
		push	edx		; void *
		mov	[ebp+arg_0], ecx
		mov	edx, ecx
		mov	ecx, [ebp+var_4]
		call	_RegRtlEnumValue
		mov	esi, eax
		cmp	esi, 8000001Ah
		jz	short loc_A3103C
		test	esi, esi
		js	short loc_A3103E
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_8]
		inc	eax
		mov	ecx, [ebp+arg_0]
		sub	edi, eax
		inc	ecx
		lea	edx, [edx+eax*2]
		jmp	short loc_A30FFB
; 

loc_A3103C:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+12Bj
		xor	esi, esi

loc_A3103E:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+3Cj
					; _CmGetDevicesInBaseContainerList(x,x,x,x)+64j ...
		cmp	esi, 0C0000034h
		jz	short loc_A3104E
		cmp	esi, 0C000017Ch
		jnz	short loc_A31050

loc_A3104E:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+14Bj
		xor	esi, esi

loc_A31050:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+FCj
					; _CmGetDevicesInBaseContainerList(x,x,x,x)+153j
		mov	eax, [ebx]
		test	esi, esi
		js	short loc_A3107F
		test	eax, eax
		jz	short loc_A31064
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		mov	[eax], cx
		jmp	short loc_A3108E
; 

loc_A31064:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+15Fj
		push	52504E50h
		push	2
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jnz	short loc_A3108B
		mov	esi, 0C0000017h
		jmp	short loc_A3108E
; 

loc_A3107F:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+15Bj
		test	eax, eax
		jz	short loc_A3108E
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3108B:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+17Dj
		and	dword ptr [ebx], 0

loc_A3108E:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+169j
					; _CmGetDevicesInBaseContainerList(x,x,x,x)+184j ...
		cmp	[ebp+var_4], 0
		jz	short loc_A3109C
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A3109C:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+199j
		cmp	[ebp+var_C], 0
		jz	short loc_A310AA
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_A310AA:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+1A7j
		cmp	[ebp+var_10], 0
		jz	short loc_A310B8
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)

loc_A310B8:				; CODE XREF: _CmGetDevicesInBaseContainerList(x,x,x,x)+1B5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
__CmGetDevicesInBaseContainerList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmMoveBaseContainer(x, x, x, x)
__CmMoveBaseContainer@16 proc near	; CODE XREF: PiDcHandleCustomDeviceEvent+11BCF7p
					; PiDcHandleCustomDeviceEvent+11BD68p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	ecx, _PiPnpRtlCtx
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		lea	edx, [ebp+var_4]
		mov	[ebp+var_C], eax
		push	edx
		mov	edx, [ebp+arg_0]
		xor	ebx, ebx
		push	eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_4], ebx
		call	__CmGetDevicesInBaseContainerList@16 ; _CmGetDevicesInBaseContainerList(x,x,x,x)
		mov	esi, [ebp+var_4]
		mov	edi, eax
		test	edi, edi
		js	short loc_A31155
		xor	eax, eax
		mov	ebx, esi
		cmp	[esi], ax
		jz	short loc_A31153
		mov	esi, [ebp+var_C]

loc_A31104:				; CODE XREF: _CmMoveBaseContainer(x,x,x,x)+8Dj
		mov	edx, [ebp+arg_0]
		push	ecx
		mov	ecx, [ebp+var_8]
		push	ebx
		push	esi
		call	__CmRemoveDeviceFromContainer@20 ; _CmRemoveDeviceFromContainer(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A31150
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		mov	ecx, [ebp+var_8]
		push	eax
		push	ebx
		push	esi
		call	_CmAddDeviceToContainer
		mov	edi, eax
		test	edi, edi
		js	short loc_A31150
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_A31133:				; CODE XREF: _CmMoveBaseContainer(x,x,x,x)+7Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_10]
		jnz	short loc_A31133
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]
		add	ebx, 2
		cmp	[ebx], ax
		jnz	short loc_A31104

loc_A31150:				; CODE XREF: _CmMoveBaseContainer(x,x,x,x)+55j
					; _CmMoveBaseContainer(x,x,x,x)+6Bj
		mov	esi, [ebp+var_4]

loc_A31153:				; CODE XREF: _CmMoveBaseContainer(x,x,x,x)+3Ej
		xor	ebx, ebx

loc_A31155:				; CODE XREF: _CmMoveBaseContainer(x,x,x,x)+35j
		test	esi, esi
		jz	short loc_A31160
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A31160:				; CODE XREF: _CmMoveBaseContainer(x,x,x,x)+96j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
__CmMoveBaseContainer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmRemoveDeviceFromContainer(x, x, x, x, x)
__CmRemoveDeviceFromContainer@20 proc near
					; CODE XREF: PiDcUpdateDeviceContainerMembership+6E9A0p
					; PiDcResetChildDeviceContainers(x,x)+BDp ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_30]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, ecx
		push	2Ch		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], edx
		mov	[ebp+var_38], ebx
		call	_memset
		mov	ebx, [ebx+100h]
		add	esp, 0Ch
		mov	[ebp+var_28], esi
		mov	esi, [ebp+var_34]
		mov	[ebp+var_24], edi
		mov	edi, [ebp+var_38]
		test	ebx, ebx
		jz	short loc_A311C9
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	0Eh
		push	5
		push	esi
		push	edi
		call	ebx
		cmp	eax, 0C0000002h
		jnz	short loc_A3122C
		xor	ebx, ebx

loc_A311C9:				; CODE XREF: _CmRemoveDeviceFromContainer(x,x,x,x,x)+47j
					; _CmRemoveDeviceFromContainer(x,x,x,x,x)+D1j
		lea	eax, [ebp+var_20]
		mov	edx, esi
		push	eax
		push	[ebp+var_24]
		mov	ecx, edi
		push	[ebp+var_28]
		call	__CmRemoveDeviceFromContainerWorker@20 ; _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_A31207
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	0Eh
		push	5
		push	[ebp+var_34]
		push	edi
		call	ebx
		cmp	eax, 0C0000002h
		jz	short loc_A31207
		cmp	eax, 0C0000120h
		jz	short loc_A31233
		test	eax, eax
		jnz	short loc_A3123C

loc_A31207:				; CODE XREF: _CmRemoveDeviceFromContainer(x,x,x,x,x)+77j
					; _CmRemoveDeviceFromContainer(x,x,x,x,x)+91j
		cmp	byte ptr [ebp+var_20], 0
		jnz	short loc_A31219
		mov	edx, [ebp+var_34]
		mov	ecx, edi
		push	5
		call	__PnpObjectRaiseDevicesChangeEvent@12 ;	_PnpObjectRaiseDevicesChangeEvent(x,x,x)

loc_A31219:				; CODE XREF: _CmRemoveDeviceFromContainer(x,x,x,x,x)+A2j
					; _CmRemoveDeviceFromContainer(x,x,x,x,x)+CDj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_A3122C:				; CODE XREF: _CmRemoveDeviceFromContainer(x,x,x,x,x)+5Cj
		cmp	eax, 0C0000120h
		jnz	short loc_A31238

loc_A31233:				; CODE XREF: _CmRemoveDeviceFromContainer(x,x,x,x,x)+98j
		mov	esi, [ebp+var_30]
		jmp	short loc_A31219
; 

loc_A31238:				; CODE XREF: _CmRemoveDeviceFromContainer(x,x,x,x,x)+C8j
		test	eax, eax
		jz	short loc_A311C9

loc_A3123C:				; CODE XREF: _CmRemoveDeviceFromContainer(x,x,x,x,x)+9Cj
		mov	esi, 0C00000E5h
		jmp	short loc_A31219
__CmRemoveDeviceFromContainer@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmRemoveDeviceFromContainerWorker(x, x, x,	x, x)
__CmRemoveDeviceFromContainerWorker@20 proc near
					; CODE XREF: _CmRemoveDeviceFromContainer(x,x,x,x,x)+6Ep

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	ebx, [ebp+arg_8]
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_14], eax
		mov	edi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		mov	[ebx], al
		lea	eax, [ebp+var_14]
		push	eax
		push	0Ah
		mov	[ebp+var_1C], edx
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A313A1
		test	edi, edi
		jnz	short loc_A31287
		xor	ecx, ecx
		jmp	short loc_A3128A
; 

loc_A31287:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+3Ej
		mov	ecx, [edi+74h]

loc_A3128A:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+42j
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_10]
		push	eax
		push	1
		push	0
		push	[ebp+var_1C]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A313A1
		test	edi, edi
		jnz	short loc_A312AF
		xor	ecx, ecx
		jmp	short loc_A312B2
; 

loc_A312AF:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+66j
		mov	ecx, [edi+74h]

loc_A312B2:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+6Aj
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		push	0
		push	offset ??_C@_1BO@HPNNFMNF@?$AAB?$AAa?$AAs?$AAe?$AAC?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAe?$AAr?$AAs@NNGAKEGL@ ; "BaseContainers"
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A313A1
		test	edi, edi
		jnz	short loc_A312D9
		xor	ecx, ecx
		jmp	short loc_A312DC
; 

loc_A312D9:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+90j
		mov	ecx, [edi+74h]

loc_A312DC:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+94j
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	3
		push	0
		push	[ebp+arg_0]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A313A1
		push	[ebp+arg_4]
		lea	eax, [ebp+var_18]
		xor	esi, esi
		push	eax
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A3131D
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_A3131D:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+CCj
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		push	esi
		push	esi
		push	eax
		push	esi
		xor	edx, edx
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A313A1
		cmp	[ebp+var_C], 0
		jnz	short loc_A3135B
		test	edi, edi
		jz	short loc_A3134D
		mov	eax, [edi+74h]
		test	eax, eax
		jz	short loc_A3134D
		mov	ecx, [eax+4]
		push	0
		push	ecx
		jmp	short loc_A31351
; 

loc_A3134D:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+F9j
					; _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+100j
		push	0
		push	0

loc_A31351:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+108j
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		call	_RegRtlDeleteTreeInternal

loc_A3135B:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+F5j
		mov	ecx, [ebp+var_8]
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A313A1
		cmp	[ebp+var_C], 0
		jnz	short loc_A3138C
		mov	edx, [ebp+var_1C]
		push	ecx
		mov	ecx, edi
		call	__CmDeleteDeviceContainer@12 ; _CmDeleteDeviceContainer(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A3138C
		mov	byte ptr [ebx],	1

loc_A3138C:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+133j
					; _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+144j
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	offset _DEVPKEY_Device_ContainerId
		push	0
		push	0
		push	1
		call	_PnpObjectRaisePropertyChangeEvent

loc_A313A1:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+36j
					; _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+5Ej ...
		cmp	esi, 0C0000034h
		jz	short loc_A313B1
		cmp	esi, 0C000017Ch
		jnz	short loc_A313B3

loc_A313B1:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+164j
		xor	esi, esi

loc_A313B3:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+16Cj
		cmp	[ebp+var_4], 0
		jz	short loc_A313C1
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A313C1:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+174j
		cmp	[ebp+var_8], 0
		jz	short loc_A313CF
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_A313CF:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+182j
		cmp	[ebp+var_10], 0
		jz	short loc_A313DD
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)

loc_A313DD:				; CODE XREF: _CmRemoveDeviceFromContainerWorker(x,x,x,x,x)+190j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
__CmRemoveDeviceFromContainerWorker@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCreateObject(x,	x, x, x, x, x, x)
__PnpCreateObject@28 proc near		; CODE XREF: PiCMOpenObjectKey+12A8C5p
					; PiCMCreateObject(x,x,x,x,x,x)+113p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	ebx
		push	esi
		mov	esi, _PiPnpRtlCtx
		mov	[ebp+var_8], edx
		xor	edx, edx
		inc	edx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	ebx, [esi+0F8h]
		mov	[ebp+var_C], esi
		push	edi
		mov	edi, [ebp+arg_8]
		test	eax, eax
		jnz	short loc_A31431
		mov	[ebp+var_2C], edx
		test	edi, edi
		jz	short loc_A31434

loc_A31431:				; CODE XREF: _PnpCreateObject(x,x,x,x,x,x,x)+42j
		mov	[ebp+var_2C], eax

loc_A31434:				; CODE XREF: _PnpCreateObject(x,x,x,x,x,x,x)+49j
		mov	[ebp+var_20], ecx
		test	ebx, ebx
		jz	short loc_A31454
		lea	eax, [ebp+var_34]
		push	eax
		push	edx
		push	3
		push	[ebp+arg_0]
		push	[ebp+var_8]
		push	esi
		call	ebx
		cmp	eax, 0C0000002h
		jnz	short loc_A314B1
		xor	ebx, ebx

loc_A31454:				; CODE XREF: _PnpCreateObject(x,x,x,x,x,x,x)+53j
					; _PnpCreateObject(x,x,x,x,x,x,x)+D9j
		push	[ebp+var_20]
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_28]
		mov	ecx, esi
		push	eax
		push	[ebp+var_2C]
		push	[ebp+arg_0]
		call	__PnpCreateObjectDispatch@28 ; _PnpCreateObjectDispatch(x,x,x,x,x,x,x)
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_A314A2
		lea	eax, [ebp+var_34]
		mov	[ebp+var_34], esi
		push	eax
		push	2
		push	3
		push	[ebp+arg_0]
		push	[ebp+var_8]
		push	[ebp+var_C]
		call	ebx
		cmp	eax, 0C0000002h
		jz	short loc_A314A2
		cmp	eax, 0C0000120h
		jz	short loc_A314B8
		test	eax, eax
		jz	short loc_A314A2
		mov	esi, 0C00000E5h

loc_A314A2:				; CODE XREF: _PnpCreateObject(x,x,x,x,x,x,x)+8Dj
					; _PnpCreateObject(x,x,x,x,x,x,x)+AAj ...
		test	esi, esi
		js	short loc_A314C6
		test	edi, edi
		jz	short loc_A314C6
		mov	eax, [ebp+var_28]
		mov	[edi], eax
		jmp	short loc_A314D4
; 

loc_A314B1:				; CODE XREF: _PnpCreateObject(x,x,x,x,x,x,x)+6Aj
		cmp	eax, 0C0000120h
		jnz	short loc_A314BD

loc_A314B8:				; CODE XREF: _PnpCreateObject(x,x,x,x,x,x,x)+B1j
		mov	esi, [ebp+var_34]
		jmp	short loc_A314A2
; 

loc_A314BD:				; CODE XREF: _PnpCreateObject(x,x,x,x,x,x,x)+D0j
		test	eax, eax
		jz	short loc_A31454
		mov	esi, 0C00000E5h

loc_A314C6:				; CODE XREF: _PnpCreateObject(x,x,x,x,x,x,x)+BEj
					; _PnpCreateObject(x,x,x,x,x,x,x)+C2j
		cmp	[ebp+var_28], 0
		jz	short loc_A314D4
		push	[ebp+var_28]
		call	_ZwClose@4	; ZwClose(x)

loc_A314D4:				; CODE XREF: _PnpCreateObject(x,x,x,x,x,x,x)+C9j
					; _PnpCreateObject(x,x,x,x,x,x,x)+E4j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
__PnpCreateObject@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCreateObjectDispatch(x,	x, x, x, x, x, x)
__PnpCreateObjectDispatch@28 proc near	; CODE XREF: _PnpCreateObject(x,x,x,x,x,x,x)+84p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		xor	eax, eax
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_10]
		push	ebx
		movzx	eax, ax
		mov	ebx, ecx
		push	esi
		test	eax, eax
		jz	short loc_A31514
		mov	esi, 0C000000Dh
		jmp	short loc_A3157C
; 

loc_A31514:				; CODE XREF: _PnpCreateObjectDispatch(x,x,x,x,x,x,x)+2Ej
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_8]
		push	eax
		call	__PnpCtxGetObjectDispatchCallback@12 ; _PnpCtxGetObjectDispatchCallback(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A3157C
		cmp	[ebp+var_8], 0
		jnz	short loc_A31533
		mov	esi, 0C0000002h
		jmp	short loc_A3157C
; 

loc_A31533:				; CODE XREF: _PnpCreateObjectDispatch(x,x,x,x,x,x,x)+4Dj
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	3
		push	edx
		push	[ebp+var_C]
		push	ebx
		call	[ebp+var_8]
		mov	esi, eax
		test	esi, esi
		js	short loc_A3157C
		mov	edx, [ebp+arg_8]
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+var_24]
		mov	[edx], eax
		mov	eax, [ebp+arg_C]
		mov	[eax], cl
		test	cl, cl
		jz	short loc_A3157C
		cmp	[ebp+arg_0], 7
		jl	short loc_A3157C
		push	dword ptr [edx]
		mov	edx, [ebp+var_C]
		mov	ecx, ebx
		push	[ebp+arg_0]
		call	__PnpObjectRaiseCreateEvent@16 ; _PnpObjectRaiseCreateEvent(x,x,x,x)

loc_A3157C:				; CODE XREF: _PnpCreateObjectDispatch(x,x,x,x,x,x,x)+35j
					; _PnpCreateObjectDispatch(x,x,x,x,x,x,x)+47j ...
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
__PnpCreateObjectDispatch@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpDeleteObject(x,	x, x, x)
__PnpDeleteObject@16 proc near		; CODE XREF: PiCMDeleteObject(x,x,x,x,x,x)+122p

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	ebx, _PiPnpRtlCtx
		xor	eax, eax
		push	esi
		push	edi
		push	0Ah
		pop	ecx
		lea	edi, [ebp+var_30]
		mov	esi, edx
		rep stosd
		mov	edi, [ebx+0F8h]
		mov	[ebp+var_4], esi
		test	edi, edi
		jz	short loc_A315D8
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	4
		push	[ebp+arg_0]
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A315C8
		xor	edi, edi
		jmp	short loc_A315D8
; 

loc_A315C8:				; CODE XREF: _PnpDeleteObject(x,x,x,x)+3Ej
		cmp	eax, 0C0000120h
		jnz	short loc_A315D4

loc_A315CF:				; CODE XREF: _PnpDeleteObject(x,x,x,x)+89j
		mov	esi, [ebp+var_30]
		jmp	short loc_A31618
; 

loc_A315D4:				; CODE XREF: _PnpDeleteObject(x,x,x,x)+49j
		test	eax, eax
		jnz	short loc_A31613

loc_A315D8:				; CODE XREF: _PnpDeleteObject(x,x,x,x)+28j
					; _PnpDeleteObject(x,x,x,x)+42j
		push	[ebp+var_28]
		mov	edx, esi
		mov	ecx, ebx
		push	[ebp+arg_0]
		call	__PnpDeleteObjectDispatch@16 ; _PnpDeleteObjectDispatch(x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A31618
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	4
		push	[ebp+arg_0]
		push	[ebp+var_4]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A31618
		cmp	eax, 0C0000120h
		jz	short loc_A315CF
		test	eax, eax
		jz	short loc_A31618

loc_A31613:				; CODE XREF: _PnpDeleteObject(x,x,x,x)+52j
		mov	esi, 0C00000E5h

loc_A31618:				; CODE XREF: _PnpDeleteObject(x,x,x,x)+4Ej
					; _PnpDeleteObject(x,x,x,x)+67j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
__PnpDeleteObject@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpDeleteObjectDispatch(x,	x, x, x)
__PnpDeleteObjectDispatch@16 proc near	; CODE XREF: _PnpDeleteObject(x,x,x,x)+5Ep

var_28		= dword	ptr -28h
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		and	[ebp+var_4], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		push	8
		pop	ecx
		lea	edi, [ebp+var_28]
		rep stosd
		mov	eax, [ebp+arg_4]
		movzx	eax, ax
		test	eax, eax
		jz	short loc_A31650
		mov	esi, 0C000000Dh
		jmp	short loc_A3169D
; 

loc_A31650:				; CODE XREF: _PnpDeleteObjectDispatch(x,x,x,x)+26j
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, edi
		mov	ecx, ebx
		call	__PnpCtxGetObjectDispatchCallback@12 ; _PnpCtxGetObjectDispatchCallback(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A3169D
		cmp	[ebp+var_4], 0
		jnz	short loc_A31673
		mov	esi, 0C0000002h
		jmp	short loc_A3169D
; 

loc_A31673:				; CODE XREF: _PnpDeleteObjectDispatch(x,x,x,x)+49j
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	4
		push	edi
		push	[ebp+var_8]
		push	ebx
		call	[ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_A3169D
		cmp	edi, 7
		jl	short loc_A3169D
		mov	edx, [ebp+var_8]
		mov	ecx, ebx
		push	edi
		call	__PnpObjectRaiseDeleteEvent@12 ; _PnpObjectRaiseDeleteEvent(x,x,x)

loc_A3169D:				; CODE XREF: _PnpDeleteObjectDispatch(x,x,x,x)+2Dj
					; _PnpDeleteObjectDispatch(x,x,x,x)+43j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
__PnpDeleteObjectDispatch@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpGetMappedPropertyKeysDispatch(x, x, x, x, x, x,	x, x, x, x)
__PnpGetMappedPropertyKeysDispatch@40 proc near
					; CODE XREF: _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)+73p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_1B		= word ptr -1Bh
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		xor	eax, eax
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_1B], ax
		mov	edi, edx
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	eax
		mov	esi, ecx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_19], bl
		mov	[ebp+var_8], ebx
		call	__PnpCtxGetObjectDispatchCallback@12 ; _PnpCtxGetObjectDispatchCallback(x,x,x)
		test	eax, eax
		js	short loc_A31715
		cmp	[ebp+var_4], ebx
		jnz	short loc_A316E2
		mov	eax, 0C0000002h
		jmp	short loc_A31715
; 

loc_A316E2:				; CODE XREF: _PnpGetMappedPropertyKeysDispatch(x,x,x,x,x,x,x,x,x,x)+33j
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_20], eax
		mov	al, [ebp+arg_C]
		mov	[ebp+var_1C], al
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	6
		push	edx
		push	edi
		push	esi
		mov	[ebp+var_C], ebx
		call	[ebp+var_4]

loc_A31715:				; CODE XREF: _PnpGetMappedPropertyKeysDispatch(x,x,x,x,x,x,x,x,x,x)+2Ej
					; _PnpGetMappedPropertyKeysDispatch(x,x,x,x,x,x,x,x,x,x)+3Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
__PnpGetMappedPropertyKeysDispatch@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpGetMappedPropertyLocalesDispatch(x, x, x, x, x,	x, x, x, x)
__PnpGetMappedPropertyLocalesDispatch@36 proc near
					; CODE XREF: _PnpGetObjectPropertyLocalesWorker(x,x,x,x,x,x,x,x,x)+50p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		mov	edi, edx
		mov	edx, [ebp+arg_0]
		mov	esi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_8]
		push	eax
		call	__PnpCtxGetObjectDispatchCallback@12 ; _PnpCtxGetObjectDispatchCallback(x,x,x)
		test	eax, eax
		js	short loc_A31782
		cmp	[ebp+var_8], 0
		jnz	short loc_A31752
		mov	eax, 0C0000002h
		jmp	short loc_A31782
; 

loc_A31752:				; CODE XREF: _PnpGetMappedPropertyLocalesDispatch(x,x,x,x,x,x,x,x,x)+2Dj
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	7
		push	edx
		push	edi
		push	esi
		call	[ebp+var_8]

loc_A31782:				; CODE XREF: _PnpGetMappedPropertyLocalesDispatch(x,x,x,x,x,x,x,x,x)+27j
					; _PnpGetMappedPropertyLocalesDispatch(x,x,x,x,x,x,x,x,x)+34j
		pop	edi
		pop	esi
		leave
		retn	1Ch
__PnpGetMappedPropertyLocalesDispatch@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpGetObjectPropertyKeys(x, x, x, x, x, x,	x, x, x, x)
__PnpGetObjectPropertyKeys@40 proc near	; CODE XREF: PiDqPnPGetObjectPropertyKeys(x,x,x,x,x,x)+6Fp
					; PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+B7p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		xor	eax, eax
		mov	[ebp-1Bh], ax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_24], eax
		mov	al, [ebp+arg_C]
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1C], al
		mov	eax, [ebp+arg_10]
		xor	ecx, ecx
		push	esi
		mov	[ebp+var_18], eax
		mov	esi, edx
		mov	eax, [ebp+arg_14]
		push	edi
		mov	edi, [ebx+0F8h]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_4], esi
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_19], cl
		mov	[ebp+var_8], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], ecx
		test	edi, edi
		jz	short loc_A31806
		lea	eax, [ebp+var_2C]
		push	eax
		push	1
		push	6
		push	[ebp+arg_0]
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A317F6
		xor	edi, edi
		jmp	short loc_A31806
; 

loc_A317F6:				; CODE XREF: _PnpGetObjectPropertyKeys(x,x,x,x,x,x,x,x,x,x)+68j
		cmp	eax, 0C0000120h
		jnz	short loc_A31802

loc_A317FD:				; CODE XREF: _PnpGetObjectPropertyKeys(x,x,x,x,x,x,x,x,x,x)+C5j
		mov	esi, [ebp+var_2C]
		jmp	short loc_A31858
; 

loc_A31802:				; CODE XREF: _PnpGetObjectPropertyKeys(x,x,x,x,x,x,x,x,x,x)+73j
		test	eax, eax
		jnz	short loc_A31853

loc_A31806:				; CODE XREF: _PnpGetObjectPropertyKeys(x,x,x,x,x,x,x,x,x,x)+52j
					; _PnpGetObjectPropertyKeys(x,x,x,x,x,x,x,x,x,x)+6Cj
		push	[ebp+var_C]
		mov	edx, esi
		mov	ecx, ebx
		push	[ebp+var_10]
		push	[ebp+var_14]
		push	[ebp+var_18]
		push	dword ptr [ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		push	[ebp+arg_0]
		call	__PnpGetObjectPropertyKeysWorker@40 ; _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A31858
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_2C], esi
		push	eax
		push	2
		push	6
		push	[ebp+arg_0]
		push	[ebp+var_4]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A31858
		cmp	eax, 0C0000120h
		jz	short loc_A317FD
		test	eax, eax
		jz	short loc_A31858

loc_A31853:				; CODE XREF: _PnpGetObjectPropertyKeys(x,x,x,x,x,x,x,x,x,x)+7Cj
		mov	esi, 0C00000E5h

loc_A31858:				; CODE XREF: _PnpGetObjectPropertyKeys(x,x,x,x,x,x,x,x,x,x)+78j
					; _PnpGetObjectPropertyKeys(x,x,x,x,x,x,x,x,x,x)+A3j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	20h
__PnpGetObjectPropertyKeys@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpGetObjectPropertyKeysWorker(x, x, x, x,	x, x, x, x, x, x)
__PnpGetObjectPropertyKeysWorker@40 proc near
					; CODE XREF: _PnpGetObjectPropertyKeys(x,x,x,x,x,x,x,x,x,x)+9Ap

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= word ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		movzx	eax, [ebp+arg_1C]
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], edx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_10], edi
		test	eax, eax
		jz	short loc_A3188F
		mov	esi, 0C000000Dh
		jmp	loc_A3195E
; 

loc_A3188F:				; CODE XREF: _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)+22j
		mov	eax, [ebp+arg_18]
		mov	ebx, [ebp+arg_4]
		mov	[eax], edi
		test	ebx, ebx
		jnz	short loc_A318BF
		push	edi
		push	edi
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		push	2000001h
		push	[ebp+arg_0]
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_A31950
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_C]

loc_A318BF:				; CODE XREF: _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)+38j
		push	ecx
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ebx
		push	[ebp+arg_0]
		call	__PnpGetMappedPropertyKeysDispatch@40 ;	_PnpGetMappedPropertyKeysDispatch(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A318EF
		cmp	esi, 0C0000023h
		jz	short loc_A318EF
		cmp	esi, 0C0000022h
		jnz	short loc_A31950

loc_A318EF:				; CODE XREF: _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)+7Cj
					; _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)+84j
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+arg_14]
		jnb	short loc_A31904
		mov	ecx, [ebp+arg_14]
		imul	edi, eax, 14h
		add	edi, [ebp+arg_10]
		sub	ecx, eax
		jmp	short loc_A31906
; 

loc_A31904:				; CODE XREF: _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)+94j
		mov	ecx, edi

loc_A31906:				; CODE XREF: _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)+A1j
		test	ebx, ebx
		jnz	short loc_A3190D
		mov	ebx, [ebp+var_4]

loc_A3190D:				; CODE XREF: _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)+A7j
		push	ecx
		lea	eax, [ebp+var_10]
		mov	edx, ebx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_C]
		push	edi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	__PnpGetGenericStorePropertyKeys@32 ; _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A3193A
		cmp	esi, 0C0000023h
		jz	short loc_A3193A
		cmp	esi, 0C0000022h
		jnz	short loc_A31950

loc_A3193A:				; CODE XREF: _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)+C7j
					; _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)+CFj
		mov	eax, [ebp+var_10]
		add	eax, [ebp+var_8]
		cmp	[ebp+arg_14], eax
		mov	ecx, [ebp+arg_18]
		sbb	esi, esi
		and	esi, 0C0000023h
		mov	[ecx], eax

loc_A31950:				; CODE XREF: _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)+52j
					; _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)+8Cj ...
		cmp	[ebp+var_4], 0
		jz	short loc_A3195E
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A3195E:				; CODE XREF: _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)+29j
					; _PnpGetObjectPropertyKeysWorker(x,x,x,x,x,x,x,x,x,x)+F3j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	20h
__PnpGetObjectPropertyKeysWorker@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpGetObjectPropertyLocales(x, x, x, x, x,	x, x, x, x)
__PnpGetObjectPropertyLocales@36 proc near
					; CODE XREF: PiDqPnPGetObjectPropertyLocales(x,x,x,x,x)+5Dp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	ebx
		mov	ebx, _PiPnpRtlCtx
		push	esi
		push	edi
		mov	[ebp+var_34], ecx
		mov	esi, edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		mov	edi, [ebx+0F8h]
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_8], esi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], ecx
		test	edi, edi
		jz	short loc_A319E0
		lea	eax, [ebp+var_34]
		push	eax
		push	1
		push	7
		push	[ebp+arg_0]
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A319D0
		xor	edi, edi
		jmp	short loc_A319E0
; 

loc_A319D0:				; CODE XREF: _PnpGetObjectPropertyLocales(x,x,x,x,x,x,x,x,x)+63j
		cmp	eax, 0C0000120h
		jnz	short loc_A319DC

loc_A319D7:				; CODE XREF: _PnpGetObjectPropertyLocales(x,x,x,x,x,x,x,x,x)+BDj
		mov	esi, [ebp+var_34]
		jmp	short loc_A31A2F
; 

loc_A319DC:				; CODE XREF: _PnpGetObjectPropertyLocales(x,x,x,x,x,x,x,x,x)+6Ej
		test	eax, eax
		jnz	short loc_A31A2A

loc_A319E0:				; CODE XREF: _PnpGetObjectPropertyLocales(x,x,x,x,x,x,x,x,x)+4Dj
					; _PnpGetObjectPropertyLocales(x,x,x,x,x,x,x,x,x)+67j
		push	[ebp+var_18]
		mov	edx, esi
		mov	ecx, ebx
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	[ebp+var_24]
		push	[ebp+var_28]
		push	[ebp+var_2C]
		push	[ebp+arg_0]
		call	__PnpGetObjectPropertyLocalesWorker@36 ; _PnpGetObjectPropertyLocalesWorker(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A31A2F
		lea	eax, [ebp+var_34]
		mov	[ebp+var_34], esi
		push	eax
		push	2
		push	7
		push	[ebp+arg_0]
		push	[ebp+var_8]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A31A2F
		cmp	eax, 0C0000120h
		jz	short loc_A319D7
		test	eax, eax
		jz	short loc_A31A2F

loc_A31A2A:				; CODE XREF: _PnpGetObjectPropertyLocales(x,x,x,x,x,x,x,x,x)+77j
		mov	esi, 0C00000E5h

loc_A31A2F:				; CODE XREF: _PnpGetObjectPropertyLocales(x,x,x,x,x,x,x,x,x)+73j
					; _PnpGetObjectPropertyLocales(x,x,x,x,x,x,x,x,x)+9Bj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
__PnpGetObjectPropertyLocales@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpGetObjectPropertyLocalesWorker(x, x, x,	x, x, x, x, x, x)
__PnpGetObjectPropertyLocalesWorker@36 proc near
					; CODE XREF: _PnpGetObjectPropertyLocales(x,x,x,x,x,x,x,x,x)+92p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_18]
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		push	edi
		test	si, si
		jz	short loc_A31A5F
		mov	esi, 0C000000Dh
		jmp	loc_A31AE6
; 

loc_A31A5F:				; CODE XREF: _PnpGetObjectPropertyLocalesWorker(x,x,x,x,x,x,x,x,x)+1Bj
		mov	edi, [ebp+arg_C]
		test	edi, edi
		jnz	short loc_A31A6A
		xor	ebx, ebx
		jmp	short loc_A31A75
; 

loc_A31A6A:				; CODE XREF: _PnpGetObjectPropertyLocalesWorker(x,x,x,x,x,x,x,x,x)+2Cj
		mov	ebx, [ebp+arg_10]
		mov	eax, ebx
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_A31A75:				; CODE XREF: _PnpGetObjectPropertyLocalesWorker(x,x,x,x,x,x,x,x,x)+30j
		mov	eax, [ebp+arg_14]
		push	esi
		push	eax
		push	ebx
		and	dword ptr [eax], 0
		push	edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	__PnpGetMappedPropertyLocalesDispatch@36 ; _PnpGetMappedPropertyLocalesDispatch(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000016h
		jnz	short loc_A31AD8
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jnz	short loc_A31AC3
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_8]
		push	2000001h
		push	[ebp+arg_0]
		call	_PnpOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A31AD8
		mov	eax, [ebp+var_4]

loc_A31AC3:				; CODE XREF: _PnpGetObjectPropertyLocalesWorker(x,x,x,x,x,x,x,x,x)+64j
		push	ecx
		push	[ebp+arg_14]
		mov	ecx, [ebp+var_8]
		mov	edx, eax
		push	ebx
		push	edi
		push	[ebp+arg_8]
		call	__PnpGetGenericStorePropertyLocales@28 ; _PnpGetGenericStorePropertyLocales(x,x,x,x,x,x,x)
		mov	esi, eax

loc_A31AD8:				; CODE XREF: _PnpGetObjectPropertyLocalesWorker(x,x,x,x,x,x,x,x,x)+5Dj
					; _PnpGetObjectPropertyLocalesWorker(x,x,x,x,x,x,x,x,x)+86j
		cmp	[ebp+var_4], 0
		jz	short loc_A31AE6
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A31AE6:				; CODE XREF: _PnpGetObjectPropertyLocalesWorker(x,x,x,x,x,x,x,x,x)+22j
					; _PnpGetObjectPropertyLocalesWorker(x,x,x,x,x,x,x,x,x)+A4j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
__PnpGetObjectPropertyLocalesWorker@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmClassFilterCallback(x, x, x, x)
__CmClassFilterCallback@16 proc	near	; DATA XREF: _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+BBo

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_14		= dword	ptr -14h
var_C		= word ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		mov	ecx, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		mov	[esp+78h+var_6C], ecx
		push	esi
		mov	esi, [ebp+arg_C]
		mov	[esp+7Ch+var_74], ebx
		mov	[esp+7Ch+var_70], ebx
		mov	[esp+7Ch+var_60], ebx
		mov	[esp+7Ch+var_5C], ebx
		mov	[esp+7Ch+var_68], ebx
		mov	[esp+7Ch+var_64], ebx
		push	edi
		mov	edi, [ebp+arg_0]
		test	esi, esi
		jz	loc_A31BD9
		mov	eax, [esi]
		test	eax, eax
		jz	loc_A31BC4
		cmp	[eax], bx
		jz	short loc_A31BC4
		push	eax
		lea	eax, [esp+84h+var_60]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_A31BD9
		mov	edx, [esp+80h+var_6C]
		lea	eax, [esp+80h+var_74]
		push	ebx
		push	eax
		lea	eax, [esp+88h+var_58]
		mov	[esp+88h+var_74], 4Eh
		push	eax
		lea	eax, [esp+8Ch+var_70]
		mov	ecx, edi
		push	eax
		push	9
		push	ebx
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A31BD9
		cmp	[esp+80h+var_70], 1
		jnz	short loc_A31BD9
		cmp	[esp+80h+var_74], 2
		jb	short loc_A31BD9
		xor	eax, eax
		mov	[esp+80h+var_C], ax
		lea	eax, [esp+80h+var_58]
		push	eax
		lea	eax, [esp+84h+var_68]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A31BD9
		push	1
		lea	eax, [esp+84h+var_68]
		push	eax
		lea	eax, [esp+88h+var_60]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A31BD9
		mov	ecx, [esp+80h+var_6C]

loc_A31BC4:				; CODE XREF: _CmClassFilterCallback(x,x,x,x)+4Cj
					; _CmClassFilterCallback(x,x,x,x)+55j
		mov	eax, [esi+4]
		mov	bl, 1
		test	eax, eax
		jz	short loc_A31BD9
		push	dword ptr [esi+8]
		push	[ebp+arg_8]
		push	ecx
		push	edi
		call	eax
		mov	bl, al

loc_A31BD9:				; CODE XREF: _CmClassFilterCallback(x,x,x,x)+42j
					; _CmClassFilterCallback(x,x,x,x)+64j ...
		mov	ecx, [esp+90h+var_14]
		mov	al, bl
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
__CmClassFilterCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDeviceRelationsList(x, x, x, x, x, x,	x)
__CmGetDeviceRelationsList@28 proc near	; CODE XREF: PiCMGetDeviceIdList(x,x,x,x,x,x)+281p
					; _CmGetDeviceMappedPropertyFromComposite+119E41p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, [ebp+arg_0]
		call	__MapCmRelationTypeToNtRelationType@4 ;	_MapCmRelationTypeToNtRelationType(x)
		mov	esi, eax
		cmp	esi, 0FFFFFFFFh
		jnz	short loc_A31C18
		mov	eax, 0C000000Dh
		jmp	short loc_A31C3B
; 

loc_A31C18:				; CODE XREF: _CmGetDeviceRelationsList(x,x,x,x,x,x,x)+20j
		push	edx
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A31C3B
		push	ecx
		push	[ebp+arg_C]
		lea	edx, [ebp+var_8]
		mov	ecx, edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	__NtPlugPlayGetDeviceRelationsList@28 ;	_NtPlugPlayGetDeviceRelationsList(x,x,x,x,x,x,x)

loc_A31C3B:				; CODE XREF: _CmGetDeviceRelationsList(x,x,x,x,x,x,x)+27j
					; _CmGetDeviceRelationsList(x,x,x,x,x,x,x)+35j
		pop	edi
		pop	esi
		leave
		retn	14h
__CmGetDeviceRelationsList@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetMatchingFilteredDeviceListWorker(x, x, x, x, x, x, x,	x, x)
__CmGetMatchingFilteredDeviceListWorker@36 proc	near
					; CODE XREF: _CmGetMatchingFilteredDeviceList+12280Bp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= word ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		mov	edi, [ebp+arg_14]
		mov	[ebp+var_4], ecx
		and	dword ptr [edi], 0
		test	ebx, ebx
		jz	short loc_A31C64
		xor	eax, eax
		mov	[esi], ax

loc_A31C64:				; CODE XREF: _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+1Cj
		mov	ecx, [ebp+arg_0]
		test	ecx, 0FFFFFE00h
		jz	short loc_A31C79

loc_A31C6F:				; CODE XREF: _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+3Ej
					; _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+5Aj ...
		mov	esi, 0C000000Dh
		jmp	loc_A31D4F
; 

loc_A31C79:				; CODE XREF: _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+2Cj
		movzx	eax, [ebp+arg_18]
		test	eax, eax
		jnz	short loc_A31C6F
		mov	eax, ecx
		shr	eax, 8
		and	al, 1
		mov	[ebp+arg_14], eax
		test	cl, 7Ch
		jnz	loc_A31D38
		test	cl, 2
		jz	short loc_A31CE1
		test	edx, edx
		jz	short loc_A31C6F
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+var_4]
		and	[ebp+var_20], 0
		and	[ebp+var_1C], 0
		push	edi
		push	ebx
		mov	[ebp+var_18], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	offset __CmServiceFilterCallback@16 ; _CmServiceFilterCallback(x,x,x,x)
		push	[ebp+arg_14]
		mov	[ebp+var_24], edx
		xor	edx, edx
		call	_CmGetMatchingDeviceListForSubkey
		cmp	[ebp+var_20], 0
		mov	esi, eax
		jz	short loc_A31D4F
		push	0
		push	[ebp+var_20]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A31D4F
; 

loc_A31CE1:				; CODE XREF: _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+56j
		test	cl, cl
		jns	short loc_A31D13
		test	edx, edx
		jz	short loc_A31C6F
		mov	eax, [ebp+arg_4]
		push	edi
		push	ebx
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_8]
		push	esi
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	offset __CmClassFilterCallback@16 ; _CmClassFilterCallback(x,x,x,x)
		push	[ebp+arg_14]
		mov	[ebp+var_10], edx

loc_A31D07:				; CODE XREF: _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+F5j
		xor	edx, edx

loc_A31D09:				; CODE XREF: _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+E9j
		mov	ecx, [ebp+var_4]
		call	_CmGetMatchingDeviceListForSubkey
		jmp	short loc_A31D4D
; 

loc_A31D13:				; CODE XREF: _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+A2j
		test	cl, 1
		jz	short loc_A31D2C
		test	edx, edx
		jz	loc_A31C6F
		push	edi
		push	ebx
		push	esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	eax
		jmp	short loc_A31D09
; 

loc_A31D2C:				; CODE XREF: _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+D5j
		push	edi
		push	ebx
		push	esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	eax
		jmp	short loc_A31D07
; 

loc_A31D38:				; CODE XREF: _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+4Dj
		test	edx, edx
		jz	loc_A31C6F
		push	ecx
		push	edi
		push	ebx
		push	esi
		push	ecx
		mov	ecx, [ebp+var_4]
		call	__CmGetDeviceRelationsList@28 ;	_CmGetDeviceRelationsList(x,x,x,x,x,x,x)

loc_A31D4D:				; CODE XREF: _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+D0j
		mov	esi, eax

loc_A31D4F:				; CODE XREF: _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+33j
					; _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+92j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
__CmGetMatchingFilteredDeviceListWorker@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmServiceFilterCallback(x,	x, x, x)
__CmServiceFilterCallback@16 proc near	; DATA XREF: _CmGetMatchingFilteredDeviceListWorker(x,x,x,x,x,x,x,x,x)+7Ao

var_9A		= byte ptr -9Ah
var_99		= byte ptr -99h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_14		= dword	ptr -14h
var_C		= word ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+9Ch+var_4], eax
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		mov	bl, dl
		mov	[esp+0A4h+var_8C], ecx
		mov	[esp+0A4h+var_6C], edx
		mov	[esp+0A4h+var_99], bl
		mov	[esp+0A4h+var_98], edx
		mov	[esp+0A4h+var_90], edx
		mov	[esp+0A4h+var_74], edx
		mov	[esp+0A4h+var_70], edx
		mov	[esp+0A4h+var_7C], edx
		mov	[esp+0A4h+var_78], edx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[esp+0A8h+var_94], edi
		test	esi, esi
		jz	loc_A31F97
		mov	eax, [esi]
		test	eax, eax
		jz	loc_A32116
		cmp	[eax], dx
		jz	loc_A32116
		push	eax
		lea	eax, [esp+0ACh+var_74]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_A31F97
		mov	ecx, [esi+4]

loc_A31DDD:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+106j
		mov	eax, [esi+8]
		xor	edx, edx
		push	edx
		mov	[esp+0ACh+var_98], eax
		lea	eax, [esp+0ACh+var_98]
		push	eax
		push	ecx
		lea	eax, [esp+0B4h+var_90]
		mov	ecx, edi
		push	eax
		push	5
		push	edx
		mov	edx, [esp+0C0h+var_8C]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	edi, eax
		mov	ecx, 0C000000Dh
		mov	eax, [esp+0A8h+var_98]
		test	edi, edi
		jnz	short loc_A31E14
		cmp	eax, 2
		jb	short loc_A31E63

loc_A31E14:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+B5j
		cmp	edi, 0C0000023h
		jnz	loc_A31F35
		cmp	eax, 2
		jb	short loc_A31E63
		mov	ecx, [esi+4]
		xor	edi, edi
		test	ecx, ecx
		jz	short loc_A31E39
		push	edi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+0A8h+var_98]

loc_A31E39:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+D4j
		push	52504E50h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[esi+4], ecx
		test	ecx, ecx
		jz	loc_A31F2D
		mov	eax, [esp+0A8h+var_98]
		mov	edi, [esp+0A8h+var_94]
		mov	[esi+8], eax
		jmp	loc_A31DDD
; 

loc_A31E63:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+BAj
					; _CmServiceFilterCallback(x,x,x,x)+CBj
		mov	edi, ecx

loc_A31E65:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+1DFj
					; _CmServiceFilterCallback(x,x,x,x)+203j ...
		xor	ecx, ecx
		mov	[esp+0A8h+var_60], 1
		mov	eax, ecx
		mov	[esp+0A8h+var_5C], 2
		mov	[esp+0A8h+var_80], eax
		mov	[esp+0A8h+var_68], 12h
		mov	[esp+0A8h+var_64], 13h

loc_A31E8D:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+3ABj
		mov	edx, [esp+eax*4+0A8h+var_60]
		mov	[esp+0A8h+var_84], edx
		cmp	edx, 2
		jnz	short loc_A31EF2
		mov	edx, [esp+0A8h+var_8C]
		lea	eax, [esp+0A8h+var_98]
		push	ecx
		push	eax
		lea	eax, [esp+0B0h+var_58]
		mov	[esp+0B0h+var_98], 4Eh
		push	eax
		lea	eax, [esp+0B4h+var_90]
		push	eax
		push	9
		push	ecx
		mov	ecx, [esp+0C0h+var_94]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A31F97
		cmp	[esp+0A8h+var_90], 1
		jnz	loc_A31F97
		cmp	[esp+0A8h+var_98], 2
		jb	loc_A31F97
		mov	edx, [esp+0A8h+var_84]
		xor	eax, eax
		mov	[esp+0A8h+var_C], ax
		xor	ecx, ecx

loc_A31EF2:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+140j
		mov	[esp+0A8h+var_88], ecx

loc_A31EF6:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+2DCj
					; _CmServiceFilterCallback(x,x,x,x)+38Ej
		mov	eax, [esi+8]
		mov	[esp+0A8h+var_98], eax
		cmp	edx, 1
		jnz	loc_A31FB0
		xor	edx, edx
		lea	eax, [esp+0A8h+var_98]
		push	edx
		push	eax
		push	dword ptr [esi+4]
		lea	eax, [esp+0B4h+var_90]
		push	eax
		push	[esp+ecx*4+0B8h+var_68]
		mov	ecx, [esp+0BCh+var_94]
		push	edx
		mov	edx, [esp+0C0h+var_8C]
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		jmp	loc_A31FD7
; 

loc_A31F2D:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+F5j
		mov	[esi+8], edi
		mov	edi, 0C0000017h

loc_A31F35:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+C2j
		test	edi, edi
		jnz	loc_A31E65
		mov	ecx, [esi+8]
		xor	edx, edx
		mov	eax, [esi+4]
		shr	ecx, 1
		mov	[eax+ecx*2-2], dx
		lea	eax, [esp+0A8h+var_7C]
		push	dword ptr [esi+4]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_A31E65
		push	1
		lea	eax, [esp+0ACh+var_7C]
		push	eax
		lea	eax, [esp+0B0h+var_74]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	loc_A31E65
		mov	bl, 1

loc_A31F7C:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+378j
					; _CmServiceFilterCallback(x,x,x,x)+396j
		mov	edi, [esp+0A8h+var_94]
		mov	ecx, [esp+0A8h+var_8C]

loc_A31F84:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+3C0j
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_A31F97
		push	dword ptr [esi+10h]
		push	[ebp+arg_8]
		push	ecx
		push	edi
		call	eax
		mov	bl, al

loc_A31F97:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+56j
					; _CmServiceFilterCallback(x,x,x,x)+7Cj ...
		mov	ecx, [esp+0B8h+var_14]
		mov	al, bl
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_A31FB0:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+1A8j
		cmp	edx, 2
		jnz	short loc_A31FDD
		push	ecx
		lea	eax, [esp+0ACh+var_98]
		push	eax
		push	dword ptr [esi+4]
		lea	eax, [esp+0B4h+var_90]
		push	eax
		push	[esp+ecx*4+0B8h+var_68]
		mov	ecx, [esp+0BCh+var_94]
		lea	edx, [esp+0BCh+var_58]
		xor	eax, eax
		push	eax
		call	__CmGetInstallerClassRegProp@32	; _CmGetInstallerClassRegProp(x,x,x,x,x,x,x,x)

loc_A31FD7:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+1D0j
		mov	edi, eax
		mov	eax, [esp+0A8h+var_98]

loc_A31FDD:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+25Bj
		test	edi, edi
		jnz	short loc_A31FF0
		cmp	eax, 2
		jnb	short loc_A31FF0

loc_A31FE6:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+2A3j
		mov	edi, 0C000000Dh
		jmp	loc_A320D6
; 

loc_A31FF0:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+287j
					; _CmServiceFilterCallback(x,x,x,x)+28Cj
		cmp	edi, 0C0000023h
		jnz	short loc_A32043
		cmp	eax, 2
		jb	short loc_A31FE6
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_A32011
		xor	eax, eax
		push	eax
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+0A8h+var_98]

loc_A32011:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+2AAj
		push	52504E50h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+4], eax
		test	eax, eax
		jz	short loc_A32039
		mov	eax, [esp+0A8h+var_98]
		mov	ecx, [esp+0A8h+var_88]
		mov	edx, [esp+0A8h+var_84]
		mov	[esi+8], eax
		jmp	loc_A31EF6
; 

loc_A32039:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+2CBj
		xor	eax, eax
		mov	edi, 0C0000017h
		mov	[esi+8], eax

loc_A32043:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+29Ej
		test	edi, edi
		js	loc_A320D6
		cmp	[esp+0A8h+var_90], 7
		jnz	loc_A320D6
		mov	ecx, [esi+8]
		cmp	ecx, 2
		jbe	short loc_A3206D
		mov	eax, [esi+4]
		shr	ecx, 1
		xor	edx, edx
		mov	[eax+ecx*2-2], dx
		mov	ecx, [esi+8]

loc_A3206D:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+304j
		cmp	ecx, 4
		jbe	short loc_A3207E
		mov	eax, [esi+4]
		shr	ecx, 1
		xor	edx, edx
		mov	[eax+ecx*2-4], dx

loc_A3207E:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+318j
		mov	ebx, [esi+4]
		jmp	short loc_A320C3
; 

loc_A32083:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+370j
		push	ebx
		lea	eax, [esp+0ACh+var_7C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A320A7
		push	1
		lea	eax, [esp+0ACh+var_7C]
		push	eax
		lea	eax, [esp+0B0h+var_74]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_A3210E

loc_A320A7:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+338j
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_A320AC:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+35Fj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+0A8h+var_6C]
		jnz	short loc_A320AC
		sub	ecx, edx
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]
		add	ebx, 2

loc_A320C3:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+329j
		xor	eax, eax
		cmp	[ebx], ax
		jnz	short loc_A32083
		mov	bl, [esp+0A8h+var_99]

loc_A320CE:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+3BCj
		test	bl, bl
		jnz	loc_A31F7C

loc_A320D6:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+293j
					; _CmServiceFilterCallback(x,x,x,x)+2EDj ...
		mov	ecx, [esp+0A8h+var_88]
		mov	edx, [esp+0A8h+var_84]
		inc	ecx
		mov	[esp+0A8h+var_88], ecx
		cmp	ecx, 2
		jb	loc_A31EF6
		test	bl, bl
		jnz	loc_A31F7C
		mov	eax, [esp+0A8h+var_80]
		inc	eax
		mov	[esp+0A8h+var_80], eax
		push	0
		pop	ecx
		cmp	eax, 2
		jb	loc_A31E8D
		jmp	loc_A31F97
; 

loc_A3210E:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+34Dj
		mov	bl, 1
		mov	[esp+0A8h+var_99], bl
		jmp	short loc_A320CE
; 

loc_A32116:				; CODE XREF: _CmServiceFilterCallback(x,x,x,x)+60j
					; _CmServiceFilterCallback(x,x,x,x)+69j
		mov	bl, 1
		jmp	loc_A31F84
__CmServiceFilterCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmRaiseCreateEvent(x, x, x, x)
__CmRaiseCreateEvent@16	proc near	; CODE XREF: _CmCreateDeviceWorker+6E128p
					; _CmCreateDeviceContainerWorker+6E655p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, edx
		mov	ecx, [ebp+arg_0]
		push	ebx
		call	_CmMapCmObjectTypeToPnpObjectType
		push	eax
		mov	ecx, esi
		call	__PnpObjectRaiseCreateEvent@16 ; _PnpObjectRaiseCreateEvent(x,x,x,x)
		mov	eax, [esi+104h]
		test	eax, eax
		jz	short loc_A32161
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	ecx
		push	2
		push	[ebp+arg_0]
		push	edi
		push	esi
		call	eax

loc_A32161:				; CODE XREF: _CmRaiseCreateEvent(x,x,x,x)+32j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
__CmRaiseCreateEvent@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmRaiseDeleteEvent(x, x, x)
__CmRaiseDeleteEvent@12	proc near	; CODE XREF: _CmDeleteDeviceInterfaceWorker(x,x,x)+211p
					; _CmDeleteDeviceWorker(x,x,x)+562p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_0]
		push	edi
		mov	edi, edx
		call	_CmMapCmObjectTypeToPnpObjectType
		push	eax
		mov	ecx, esi
		call	__PnpObjectRaiseDeleteEvent@12 ; _PnpObjectRaiseDeleteEvent(x,x,x)
		mov	eax, [esi+104h]
		test	eax, eax
		jz	short loc_A321A4
		lea	ecx, [ebp+var_8]
		push	ecx
		push	3
		push	[ebp+arg_0]
		push	edi
		push	esi
		call	eax

loc_A321A4:				; CODE XREF: _CmRaiseDeleteEvent(x,x,x)+2Dj
		pop	edi
		pop	esi
		leave
		retn	4
__CmRaiseDeleteEvent@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpContainerRaiseDevicesChangeEvent(x, x, x)
__PnpContainerRaiseDevicesChangeEvent@12 proc near
					; CODE XREF: _PnpObjectRaiseDevicesChangeEvent(x,x,x)+53p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_C]
		mov	edi, edx
		push	eax
		push	5
		push	5
		xor	esi, esi
		mov	ebx, ecx
		push	edi
		push	ebx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], esi
		call	[ebp+arg_0]
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi

loc_A321D7:				; CODE XREF: _PnpContainerRaiseDevicesChangeEvent(x,x,x)+49j
		mov	eax, dword ptr ds:(loc_404FE7+1)[esi]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	4
		push	5
		push	edi
		push	ebx
		call	[ebp+arg_0]
		add	esi, 4
		cmp	esi, 0Ch
		jb	short loc_A321D7
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
__PnpContainerRaiseDevicesChangeEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpInstallerClassRaisePropertyChangeEventWorker(x,	x, x, x, x, x)
__PnpInstallerClassRaisePropertyChangeEventWorker@24 proc near
					; CODE XREF: _PnpObjectRaisePropertyChangeEvent+CD96Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_C], eax
		mov	edi, edx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	4
		push	2
		push	edi
		push	ebx
		mov	[ebp+var_4], esi
		call	[ebp+arg_C]
		push	[ebp+arg_C]
		lea	eax, [ebp+var_C]
		mov	edx, edi
		push	eax
		push	3
		push	(offset	loc_404FB7+1)
		push	esi
		push	2
		mov	ecx, ebx
		call	__PnpNotifyDerivedKeys@32 ; _PnpNotifyDerivedKeys(x,x,x,x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
__PnpInstallerClassRaisePropertyChangeEventWorker@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpInterfaceClassRaisePropertyChangeEventWorker(x,	x, x, x, x, x)
__PnpInterfaceClassRaisePropertyChangeEventWorker@24 proc near
					; CODE XREF: _PnpObjectRaisePropertyChangeEvent+CD95Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_C], eax
		mov	edi, edx
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	4
		push	4
		push	edi
		push	ebx
		mov	[ebp+var_4], esi
		call	[ebp+arg_C]
		push	[ebp+arg_C]
		lea	eax, [ebp+var_C]
		mov	edx, edi
		push	eax
		push	1
		push	offset off_404FDC
		push	esi
		push	4
		mov	ecx, ebx
		call	__PnpNotifyDerivedKeys@32 ; _PnpNotifyDerivedKeys(x,x,x,x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
__PnpInterfaceClassRaisePropertyChangeEventWorker@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpObjectRaiseCreateEvent(x, x, x,	x)
__PnpObjectRaiseCreateEvent@16 proc near
					; CODE XREF: _PnpCreateObjectDispatch(x,x,x,x,x,x,x)+9Ap
					; _CmRaiseCreateEvent(x,x,x,x)+25p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, [ecx+0FCh]
		test	esi, esi
		jz	short loc_A322C8
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	2
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	esi

loc_A322C8:				; CODE XREF: _PnpObjectRaiseCreateEvent(x,x,x,x)+19j
		pop	esi
		leave
		retn	8
__PnpObjectRaiseCreateEvent@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpObjectRaiseDeleteEvent(x, x, x)
__PnpObjectRaiseDeleteEvent@12 proc near ; CODE	XREF: _PnpDeleteObjectDispatch(x,x,x,x)+77p
					; _CmRaiseDeleteEvent(x,x,x)+20p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ecx+0FCh]
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		test	eax, eax
		jz	short loc_A322F8
		mov	[ebp+var_C], esi
		lea	esi, [ebp+var_C]
		push	esi
		push	3
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	eax

loc_A322F8:				; CODE XREF: _PnpObjectRaiseDeleteEvent(x,x,x)+19j
		pop	esi
		leave
		retn	4
__PnpObjectRaiseDeleteEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpObjectRaiseDevicesChangeEvent(x, x, x)
__PnpObjectRaiseDevicesChangeEvent@12 proc near	; CODE XREF: _CmAddDeviceToContainer+6E86Fp
					; _CmRemoveDeviceFromContainer(x,x,x,x,x)+ABp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ecx+0FCh]
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		test	eax, eax
		jz	short loc_A32355
		mov	edx, [ebp+arg_0]
		sub	edx, 5
		jz	short loc_A3234D
		sub	edx, 1
		jz	short loc_A32336
		lea	edx, [ebp+var_C]
		mov	[ebp+var_C], edi
		push	edx
		push	5
		push	[ebp+arg_0]
		jmp	short loc_A32347
; 

loc_A32336:				; CODE XREF: _PnpObjectRaiseDevicesChangeEvent(x,x,x)+29j
		lea	edx, [ebp+var_18]
		mov	[ebp+var_14], edi
		push	edx
		push	5
		mov	[ebp+var_10], edi
		mov	[ebp+var_18], edi
		push	6

loc_A32347:				; CODE XREF: _PnpObjectRaiseDevicesChangeEvent(x,x,x)+37j
		push	esi
		push	ecx
		call	eax
		jmp	short loc_A32355
; 

loc_A3234D:				; CODE XREF: _PnpObjectRaiseDevicesChangeEvent(x,x,x)+24j
		push	eax
		mov	edx, esi
		call	__PnpContainerRaiseDevicesChangeEvent@12 ; _PnpContainerRaiseDevicesChangeEvent(x,x,x)

loc_A32355:				; CODE XREF: _PnpObjectRaiseDevicesChangeEvent(x,x,x)+1Cj
					; _PnpObjectRaiseDevicesChangeEvent(x,x,x)+4Ej
		pop	edi
		pop	esi
		leave
		retn	4
__PnpObjectRaiseDevicesChangeEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmAddPanelDevice(x, x, x, x)
__CmAddPanelDevice@16 proc near		; CODE XREF: _CmUpdateDevicePanel+6E3BFp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_30]
		push	edi
		push	2Ch		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], edx
		mov	ebx, ecx
		call	_memset
		mov	edi, [ebx+100h]
		add	esp, 0Ch
		mov	eax, [ebp+var_34]
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], esi
		test	edi, edi
		jz	short loc_A323B5
		lea	ecx, [ebp+var_30]
		push	ecx
		push	1
		push	0Dh
		push	6
		push	eax
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A32415
		xor	edi, edi

loc_A323B2:				; CODE XREF: _CmAddPanelDevice(x,x,x,x)+C8j
		mov	eax, [ebp+var_34]

loc_A323B5:				; CODE XREF: _CmAddPanelDevice(x,x,x,x)+3Ej
		lea	ecx, [ebp+var_20]
		mov	edx, eax
		push	ecx
		push	[ebp+var_24]
		mov	ecx, ebx
		call	__CmAddPanelDeviceWorker@16 ; _CmAddPanelDeviceWorker(x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A323F0
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	0Dh
		push	6
		push	[ebp+var_34]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A323F0
		cmp	eax, 0C0000120h
		jz	short loc_A3241C
		test	eax, eax
		jnz	short loc_A32425

loc_A323F0:				; CODE XREF: _CmAddPanelDevice(x,x,x,x)+6Ej
					; _CmAddPanelDevice(x,x,x,x)+88j
		cmp	byte ptr [ebp+var_20], 0
		jnz	short loc_A32402
		mov	edx, [ebp+var_34]
		mov	ecx, ebx
		push	6
		call	__PnpObjectRaiseDevicesChangeEvent@12 ;	_PnpObjectRaiseDevicesChangeEvent(x,x,x)

loc_A32402:				; CODE XREF: _CmAddPanelDevice(x,x,x,x)+99j
					; _CmAddPanelDevice(x,x,x,x)+C4j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_A32415:				; CODE XREF: _CmAddPanelDevice(x,x,x,x)+53j
		cmp	eax, 0C0000120h
		jnz	short loc_A32421

loc_A3241C:				; CODE XREF: _CmAddPanelDevice(x,x,x,x)+8Fj
		mov	esi, [ebp+var_30]
		jmp	short loc_A32402
; 

loc_A32421:				; CODE XREF: _CmAddPanelDevice(x,x,x,x)+BFj
		test	eax, eax
		jz	short loc_A323B2

loc_A32425:				; CODE XREF: _CmAddPanelDevice(x,x,x,x)+93j
		mov	esi, 0C00000E5h
		jmp	short loc_A32402
__CmAddPanelDevice@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmAddPanelDeviceWorker(x, x, x, x)
__CmAddPanelDeviceWorker@16 proc near	; CODE XREF: _CmAddPanelDevice(x,x,x,x)+65p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	eax, edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_14], eax
		xor	ecx, ecx
		push	ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	byte ptr [ebp+var_1], cl
		mov	[ebp+var_10], ecx
		mov	[ebx], cl
		lea	ecx, [ebp+var_1]
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	ecx
		mov	ecx, edi
		call	__CmCreateDevicePanel@24 ; _CmCreateDevicePanel(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A32507
		test	edi, edi
		jnz	short loc_A32474
		xor	ecx, ecx
		jmp	short loc_A32477
; 

loc_A32474:				; CODE XREF: _CmAddPanelDeviceWorker(x,x,x,x)+42j
		mov	ecx, [edi+74h]

loc_A32477:				; CODE XREF: _CmAddPanelDeviceWorker(x,x,x,x)+46j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		push	0
		push	7
		push	0
		push	offset ??_C@_1BA@HICHNCPO@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@NNGAKEGL@	; "Devices"
		call	__SysCtxRegCreateKey@36	; _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A32507
		cmp	[ebp+var_10], 2
		jnz	short loc_A324D2
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	eax
		push	ecx
		mov	[ebp+arg_4], ecx
		push	ecx
		mov	ecx, [ebp+var_8]
		call	_RegRtlQueryValue
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_A324D0
		cmp	esi, 0C000017Ch
		jz	short loc_A324D0
		test	esi, esi
		jnz	short loc_A324D4
		mov	byte ptr [ebx],	1
		jmp	short loc_A3254C
; 

loc_A324D0:				; CODE XREF: _CmAddPanelDeviceWorker(x,x,x,x)+91j
					; _CmAddPanelDeviceWorker(x,x,x,x)+99j
		xor	esi, esi

loc_A324D2:				; CODE XREF: _CmAddPanelDeviceWorker(x,x,x,x)+71j
		test	esi, esi

loc_A324D4:				; CODE XREF: _CmAddPanelDeviceWorker(x,x,x,x)+9Dj
		js	short loc_A32507
		cmp	byte ptr [ebx],	0
		jnz	short loc_A32507
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_8]
		push	0
		push	0
		push	0
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A32507
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	offset _DEVPKEY_Device_PanelId
		push	0
		push	0
		push	1
		call	_PnpObjectRaisePropertyChangeEvent

loc_A32507:				; CODE XREF: _CmAddPanelDeviceWorker(x,x,x,x)+3Aj
					; _CmAddPanelDeviceWorker(x,x,x,x)+6Bj	...
		cmp	esi, 0C000017Ch
		jnz	short loc_A32514
		mov	esi, 0C0000034h

loc_A32514:				; CODE XREF: _CmAddPanelDeviceWorker(x,x,x,x)+E1j
		test	esi, esi
		jns	short loc_A3254C
		cmp	[ebp+var_10], 1
		jnz	short loc_A3253B
		test	edi, edi
		jz	short loc_A3252F
		mov	eax, [edi+74h]
		test	eax, eax
		jz	short loc_A3252F
		mov	ecx, [eax+4]
		push	ecx
		jmp	short loc_A32531
; 

loc_A3252F:				; CODE XREF: _CmAddPanelDeviceWorker(x,x,x,x)+F4j
					; _CmAddPanelDeviceWorker(x,x,x,x)+FBj
		push	0

loc_A32531:				; CODE XREF: _CmAddPanelDeviceWorker(x,x,x,x)+101j
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)

loc_A3253B:				; CODE XREF: _CmAddPanelDeviceWorker(x,x,x,x)+F0j
		cmp	byte ptr [ebp+var_1], 1
		jnz	short loc_A3254C
		mov	edx, [ebp+var_14]
		push	ecx
		mov	ecx, edi
		call	__CmDeleteDevicePanel@12 ; _CmDeleteDevicePanel(x,x,x)

loc_A3254C:				; CODE XREF: _CmAddPanelDeviceWorker(x,x,x,x)+A2j
					; _CmAddPanelDeviceWorker(x,x,x,x)+EAj	...
		cmp	[ebp+var_8], 0
		jz	short loc_A3255A
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_A3255A:				; CODE XREF: _CmAddPanelDeviceWorker(x,x,x,x)+124j
		cmp	[ebp+var_C], 0
		jz	short loc_A32568
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_A32568:				; CODE XREF: _CmAddPanelDeviceWorker(x,x,x,x)+132j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
__CmAddPanelDeviceWorker@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall _CmBuildDevicePanelId(int,int,int,int,int)
__CmBuildDevicePanelId@20 proc near	; CODE XREF: _CmUpdateDevicePanel+6DB58p
					; _CmUpdateDevicePanel+6E453p ...

var_54		= byte ptr -54h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, edx
		push	ecx		; int
		lea	edx, [ebp+var_54] ; void *
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		test	eax, eax
		js	short loc_A325B8
		push	[ebp+arg_0]
		lea	eax, [ebp+var_54]
		push	esi
		push	eax		; char
		push	offset ??_C@_1BI@FONNLNOC@?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF?$AA0?$AA4?$AAX?$AA?2?$AA?$CF?$AAu@NNGAKEGL@ ; wchar_t *
		push	800h		; int
		push	0		; int
		push	0		; int
		push	39h		; int
		push	edi		; void *
		call	RtlStringCchPrintfExW
		add	esp, 24h

loc_A325B8:				; CODE XREF: _CmBuildDevicePanelId(x,x,x,x,x)+24j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
__CmBuildDevicePanelId@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmCreateDevicePanel(x, x, x, x, x,	x)
__CmCreateDevicePanel@24 proc near	; CODE XREF: _CmUpdateDevicePanel+6E471p
					; _CmAddPanelDeviceWorker(x,x,x,x)+31p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		push	2Ch		; size_t
		mov	[ebp+var_3C], eax
		mov	esi, ecx
		lea	eax, [ebp+var_30]
		mov	[ebp+var_34], edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_38], esi
		call	_memset
		mov	edi, [esi+100h]
		add	esp, 0Ch
		and	[ebp+var_1C], 0
		mov	[ebp+var_28], 4
		test	edi, edi
		jz	short loc_A3262C
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	2
		push	6
		push	[ebp+var_34]
		push	esi
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A32685
		xor	edi, edi

loc_A3262C:				; CODE XREF: _CmCreateDevicePanel(x,x,x,x,x,x)+49j
					; _CmCreateDevicePanel(x,x,x,x,x,x)+CBj
		push	[ebp+var_1C]
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_24]
		mov	ecx, esi
		push	eax
		push	[ebp+var_28]
		call	__CmCreateDevicePanelWorker@24 ; _CmCreateDevicePanelWorker(x,x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A32676
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	2
		push	6
		push	[ebp+var_34]
		push	[ebp+var_38]
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A32676
		cmp	eax, 0C0000120h
		jz	short loc_A3268C
		test	eax, eax
		jz	short loc_A32676
		mov	esi, 0C00000E5h

loc_A32676:				; CODE XREF: _CmCreateDevicePanel(x,x,x,x,x,x)+80j
					; _CmCreateDevicePanel(x,x,x,x,x,x)+9Cj ...
		test	esi, esi
		js	short loc_A3269A
		test	ebx, ebx
		jz	short loc_A3269A
		mov	eax, [ebp+var_24]
		mov	[ebx], eax
		jmp	short loc_A326A8
; 

loc_A32685:				; CODE XREF: _CmCreateDevicePanel(x,x,x,x,x,x)+60j
		cmp	eax, 0C0000120h
		jnz	short loc_A32691

loc_A3268C:				; CODE XREF: _CmCreateDevicePanel(x,x,x,x,x,x)+A3j
		mov	esi, [ebp+var_30]
		jmp	short loc_A32676
; 

loc_A32691:				; CODE XREF: _CmCreateDevicePanel(x,x,x,x,x,x)+C2j
		test	eax, eax
		jz	short loc_A3262C
		mov	esi, 0C00000E5h

loc_A3269A:				; CODE XREF: _CmCreateDevicePanel(x,x,x,x,x,x)+B0j
					; _CmCreateDevicePanel(x,x,x,x,x,x)+B4j
		cmp	[ebp+var_24], 0
		jz	short loc_A326A8
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)

loc_A326A8:				; CODE XREF: _CmCreateDevicePanel(x,x,x,x,x,x)+BBj
					; _CmCreateDevicePanel(x,x,x,x,x,x)+D6j
		test	esi, esi
		js	short loc_A326B8
		mov	ecx, [ebp+var_3C]
		test	ecx, ecx
		jz	short loc_A326B8
		mov	al, byte ptr [ebp+var_20]
		mov	[ecx], al

loc_A326B8:				; CODE XREF: _CmCreateDevicePanel(x,x,x,x,x,x)+E2j
					; _CmCreateDevicePanel(x,x,x,x,x,x)+E9j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
__CmCreateDevicePanel@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmCreateDevicePanelWorker(x, x, x,	x, x, x)
__CmCreateDevicePanelWorker@24 proc near ; CODE	XREF: _CmCreateDevicePanel(x,x,x,x,x,x)+77p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= word ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	eax, [ebp+arg_C]
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		test	eax, eax
		jz	short loc_A326EB
		mov	esi, 0C000000Dh
		jmp	short loc_A32724
; 

loc_A326EB:				; CODE XREF: _CmCreateDevicePanelWorker(x,x,x,x,x,x)+17j
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	1
		push	[ebp+arg_0]
		push	ecx
		push	ecx
		call	__CmOpenDevicePanelRegKey@32 ; _CmOpenDevicePanelRegKey(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A32724
		cmp	[ebp+var_4], 1
		mov	ecx, [ebp+arg_8]
		setz	dl
		mov	[ecx], dl
		test	dl, dl
		jz	short loc_A32724
		mov	eax, [ebp+arg_4]
		mov	edx, edi
		mov	ecx, ebx
		push	dword ptr [eax]
		push	6
		call	__CmRaiseCreateEvent@16	; _CmRaiseCreateEvent(x,x,x,x)

loc_A32724:				; CODE XREF: _CmCreateDevicePanelWorker(x,x,x,x,x,x)+1Ej
					; _CmCreateDevicePanelWorker(x,x,x,x,x,x)+37j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
__CmCreateDevicePanelWorker@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDevicePanel(x, x, x)
__CmDeleteDevicePanel@12 proc near	; CODE XREF: _CmAddPanelDeviceWorker(x,x,x,x)+11Bp

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		lea	eax, [ebp+var_30]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], esi
		mov	ebx, ecx
		call	_memset
		mov	edi, [ebx+100h]
		add	esp, 0Ch
		test	edi, edi
		jz	short loc_A3278C
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	3
		push	6
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A3277C
		xor	edi, edi
		jmp	short loc_A3278C
; 

loc_A3277C:				; CODE XREF: _CmDeleteDevicePanel(x,x,x)+49j
		cmp	eax, 0C0000120h
		jnz	short loc_A32788

loc_A32783:				; CODE XREF: _CmDeleteDevicePanel(x,x,x)+90j
		mov	esi, [ebp+var_30]
		jmp	short loc_A327C8
; 

loc_A32788:				; CODE XREF: _CmDeleteDevicePanel(x,x,x)+54j
		test	eax, eax
		jnz	short loc_A327C3

loc_A3278C:				; CODE XREF: _CmDeleteDevicePanel(x,x,x)+34j
					; _CmDeleteDevicePanel(x,x,x)+4Dj
		push	[ebp+var_28]
		mov	edx, esi
		mov	ecx, ebx
		call	__CmDeleteDevicePanelWorker@12 ; _CmDeleteDevicePanelWorker(x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A327C8
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	3
		push	6
		push	[ebp+var_34]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A327C8
		cmp	eax, 0C0000120h
		jz	short loc_A32783
		test	eax, eax
		jz	short loc_A327C8

loc_A327C3:				; CODE XREF: _CmDeleteDevicePanel(x,x,x)+5Dj
		mov	esi, 0C00000E5h

loc_A327C8:				; CODE XREF: _CmDeleteDevicePanel(x,x,x)+59j
					; _CmDeleteDevicePanel(x,x,x)+6Fj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
__CmDeleteDevicePanel@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDevicePanelRegKey(x, x, x,	x, x)
__CmDeleteDevicePanelRegKey@20 proc near ; CODE	XREF: _CmDeleteDevicePanelWorker(x,x,x)+34p
					; _CmDeleteDevicePanelWorker(x,x,x)+140p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2Ch		; size_t
		lea	eax, [ebp+var_30]
		mov	esi, edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], esi
		mov	ebx, ecx
		call	_memset
		mov	edi, [ebx+100h]
		add	esp, 0Ch
		and	[ebp+var_24], 0
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_28], eax
		mov	[ebp+var_20], 1
		test	edi, edi
		jz	short loc_A32848
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	0Ch
		push	6
		push	esi
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A32838
		xor	edi, edi
		jmp	short loc_A32848
; 

loc_A32838:				; CODE XREF: _CmDeleteDevicePanelRegKey(x,x,x,x,x)+57j
		cmp	eax, 0C0000120h
		jnz	short loc_A32844

loc_A3283F:				; CODE XREF: _CmDeleteDevicePanelRegKey(x,x,x,x,x)+A2j
		mov	esi, [ebp+var_30]
		jmp	short loc_A32888
; 

loc_A32844:				; CODE XREF: _CmDeleteDevicePanelRegKey(x,x,x,x,x)+62j
		test	eax, eax
		jnz	short loc_A32883

loc_A32848:				; CODE XREF: _CmDeleteDevicePanelRegKey(x,x,x,x,x)+42j
					; _CmDeleteDevicePanelRegKey(x,x,x,x,x)+5Bj
		push	dword ptr [ebp+var_20] ; char
		mov	edx, esi
		push	ecx		; int
		push	[ebp+var_28]	; wchar_t *
		mov	ecx, ebx
		call	__CmDeleteDevicePanelRegKeyWorker@20 ; _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A32888
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	0Ch
		push	6
		push	[ebp+var_34]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A32888
		cmp	eax, 0C0000120h
		jz	short loc_A3283F
		test	eax, eax
		jz	short loc_A32888

loc_A32883:				; CODE XREF: _CmDeleteDevicePanelRegKey(x,x,x,x,x)+6Bj
		mov	esi, 0C00000E5h

loc_A32888:				; CODE XREF: _CmDeleteDevicePanelRegKey(x,x,x,x,x)+67j
					; _CmDeleteDevicePanelRegKey(x,x,x,x,x)+81j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
__CmDeleteDevicePanelRegKey@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmDeleteDevicePanelRegKeyWorker(wchar_t *,int,char)
__CmDeleteDevicePanelRegKeyWorker@20 proc near
					; CODE XREF: _CmDeleteDevicePanelRegKey(x,x,x,x,x)+78p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		mov	[ebp+var_14], edx
		push	ebx
		mov	ebx, eax
		mov	[ebp+var_C], eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		cmp	[ebp+arg_0], eax
		jz	loc_A32B03
		test	[ebp+arg_0], 0FFFFFE9Fh
		jnz	loc_A32B03
		mov	esi, 13Dh
		mov	[ebp+var_8], esi
		jmp	short loc_A32928
; 

loc_A328DE:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+9Ej
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_C]
		push	eax		; int
		mov	ecx, esi
		shr	ecx, 1
		push	ecx		; int
		push	ebx		; void *
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_0]	; int
		call	__CmGetDevicePanelRegKeyPath@32	; _CmGetDevicePanelRegKeyPath(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_A32940
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_C]
		xor	ebx, ebx
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A32B08
		mov	esi, [ebp+var_8]

loc_A32928:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+41j
		push	52504E50h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A328DE
		mov	esi, 0C0000017h

loc_A32940:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+62j
		test	esi, esi
		js	loc_A32B08
		test	[ebp+arg_0], 100h
		jnz	loc_A329F3
		push	ebx
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A32B08
		mov	cx, word ptr [ebp+var_1C]
		movzx	eax, cx
		cmp	eax, [ebp+var_8]
		jnb	loc_A32B03
		cmp	cx, 32h
		jbe	loc_A32B03
		push	1
		lea	eax, [ebp+var_1C]
		push	eax
		push	(offset	loc_404F8D+3)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_A32B03
		mov	eax, 0FFCEh
		lea	esi, [ebx+32h]
		add	word ptr [ebp+var_1C], ax
		add	word ptr [ebp+var_1C+2], ax
		lea	eax, [ebp+var_1C]
		push	1
		push	eax
		push	(offset	loc_404FF3+1)
		mov	[ebp+arg_0], esi
		mov	[ebp+var_18], esi
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A329CB
		add	esi, 2Ah
		mov	[ebp+arg_0], esi

loc_A329CB:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+128j
		xor	edx, edx
		lea	ecx, [ebp+var_10]
		test	al, al
		push	ecx
		setnz	dl
		mov	ecx, edi
		dec	edx
		and	edx, 0FFFFFFF9h
		add	edx, 0Bh
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A32B08
		mov	eax, [ebp+var_10]
		jmp	short loc_A32A1E
; 

loc_A329F3:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+B4j
		mov	[ebp+arg_0], ebx
		test	edi, edi
		jnz	short loc_A329FE
		xor	ecx, ecx
		jmp	short loc_A32A01
; 

loc_A329FE:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+15Dj
		mov	ecx, [edi+74h]

loc_A32A01:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+161j
		lea	eax, [ebp+var_4]
		xor	edx, edx
		push	eax
		push	2000000h
		call	__SysCtxRegOpenCurrentUserKey@16 ; _SysCtxRegOpenCurrentUserKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A32B08
		mov	eax, [ebp+var_4]

loc_A32A1E:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+156j
		cmp	[ebp+arg_8], 0
		mov	[ebp+var_8], eax
		jz	short loc_A32A48
		test	edi, edi
		jz	short loc_A32A37
		mov	ecx, [edi+74h]
		test	ecx, ecx
		jz	short loc_A32A37
		mov	ecx, [ecx+4]
		jmp	short loc_A32A39
; 

loc_A32A37:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+18Ej
					; _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+195j
		xor	ecx, ecx

loc_A32A39:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+19Aj
		mov	edx, [ebp+arg_0]
		push	0
		push	ecx
		mov	ecx, eax
		call	_RegRtlDeleteTreeInternal
		jmp	short loc_A32A65
; 

loc_A32A48:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+18Aj
		test	edi, edi
		jz	short loc_A32A58
		mov	ecx, [edi+74h]
		test	ecx, ecx
		jz	short loc_A32A58
		mov	ecx, [ecx+4]
		jmp	short loc_A32A5A
; 

loc_A32A58:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+1AFj
					; _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+1B6j
		xor	ecx, ecx

loc_A32A5A:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+1BBj
		mov	edx, [ebp+arg_0]
		push	ecx
		mov	ecx, eax
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)

loc_A32A65:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+1ABj
		cmp	eax, 0C000017Ch
		jz	loc_A32B08
		test	eax, eax
		jns	short loc_A32A7B

loc_A32A74:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+223j
					; _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+263j
		mov	esi, eax
		jmp	loc_A32B08
; 

loc_A32A7B:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+1D7j
		push	5Ch		; wchar_t
		push	[ebp+arg_0]	; wchar_t *
		call	_wcsrchr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A32A92

loc_A32A8B:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+233j
		mov	esi, 0C00000E5h
		jmp	short loc_A32B08
; 

loc_A32A92:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+1EEj
		xor	ecx, ecx
		mov	[eax], cx
		test	edi, edi
		jz	short loc_A32AA7
		mov	eax, [edi+74h]
		test	eax, eax
		jz	short loc_A32AA7
		mov	eax, [eax+4]
		jmp	short loc_A32AA9
; 

loc_A32AA7:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+1FEj
					; _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+205j
		xor	eax, eax

loc_A32AA9:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+20Aj
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_8]
		push	eax
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)
		cmp	eax, 0C0000121h
		jz	short loc_A32B08
		test	eax, eax
		js	short loc_A32A74
		push	5Ch		; wchar_t
		push	[ebp+arg_0]	; wchar_t *
		call	_wcsrchr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A32A8B
		xor	ecx, ecx
		mov	[eax], cx
		test	edi, edi
		jz	short loc_A32AE5
		mov	eax, [edi+74h]
		test	eax, eax
		jz	short loc_A32AE5
		mov	eax, [eax+4]
		jmp	short loc_A32AE7
; 

loc_A32AE5:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+23Cj
					; _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+243j
		xor	eax, eax

loc_A32AE7:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+248j
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_8]
		push	eax
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)
		cmp	eax, 0C0000121h
		jz	short loc_A32B08
		test	eax, eax
		jns	short loc_A32B08
		jmp	loc_A32A74
; 

loc_A32B03:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+26j
					; _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+33j ...
		mov	esi, 0C000000Dh

loc_A32B08:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+84j
					; _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+A7j ...
		cmp	[ebp+var_4], 0
		jz	short loc_A32B16
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A32B16:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+271j
		test	ebx, ebx
		jz	short loc_A32B22
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A32B22:				; CODE XREF: _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+27Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
__CmDeleteDevicePanelRegKeyWorker@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteDevicePanelWorker(x, x, x)
__CmDeleteDevicePanelWorker@12 proc near ; CODE	XREF: _CmDeleteDevicePanel(x,x,x)+66p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		movzx	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_4], ecx
		push	edi
		test	eax, eax
		jz	short loc_A32B50
		mov	esi, 0C000000Dh
		jmp	loc_A32C9E
; 

loc_A32B50:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+19j
		mov	dword ptr [ebp+arg_0], 160h
		xor	edi, edi

loc_A32B59:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+5Ej
		push	ecx
		push	ecx
		push	dword ptr [ebp+edi*4+arg_0]
		call	__CmDeleteDevicePanelRegKey@20 ; _CmDeleteDevicePanelRegKey(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A32B7D
		cmp	eax, 0C0000034h
		jz	short loc_A32B7D
		cmp	eax, 0C000000Dh
		jz	short loc_A32B7D
		cmp	eax, 0C00000BBh
		jnz	short loc_A32B8B

loc_A32B7D:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+3Bj
					; _CmDeleteDevicePanelWorker(x,x,x)+42j ...
		inc	edi
		cmp	edi, 1
		jnb	short loc_A32B95
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_4]
		jmp	short loc_A32B59
; 

loc_A32B8B:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+50j
		mov	esi, eax
		test	eax, eax
		js	loc_A32C9E

loc_A32B95:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+56j
		xor	ebx, ebx
		xor	edi, edi
		and	[ebp+var_8], ebx
		mov	dword ptr [ebp+arg_0], ebx

loc_A32B9F:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+BFj
		lea	eax, [ebp+arg_0]
		push	eax
		push	ebx
		push	edi
		push	ecx
		push	ecx
		call	__CmGetDevicePanelMappedPropertyKeys@28	; _CmGetDevicePanelMappedPropertyKeys(x,x,x,x,x,x,x)
		mov	ebx, dword ptr [ebp+arg_0]
		cmp	eax, 0C0000023h
		jnz	short loc_A32BF1
		push	14h
		pop	ecx
		mov	eax, ebx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_A32C03
		test	edi, edi
		jz	short loc_A32BD7
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A32BD7:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+A2j
		push	52504E50h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A32B9F
		mov	eax, 0C0000017h

loc_A32BF1:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+89j
		test	eax, eax
		jz	short loc_A32C0A
		cmp	eax, 0C0000225h
		jz	short loc_A32C0A

loc_A32BFC:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+DDj
					; _CmDeleteDevicePanelWorker(x,x,x)+155j
		mov	esi, eax
		jmp	loc_A32C92
; 

loc_A32C03:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+9Ej
		mov	eax, 0C000000Dh
		jmp	short loc_A32BFC
; 

loc_A32C0A:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+C8j
					; _CmDeleteDevicePanelWorker(x,x,x)+CFj
		and	dword ptr [ebp+arg_0], 0
		test	ebx, ebx
		jz	short loc_A32C5B
		mov	eax, edi
		mov	[ebp+var_8], edi

loc_A32C17:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+12Aj
		sub	esp, 0Ch	; int
		push	eax		; void *
		push	0		; int
		push	ecx		; int
		call	__CmSetDevicePanelMappedProperty@32 ; _CmSetDevicePanelMappedProperty(x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_A32C43
		cmp	eax, 0C0000225h
		jz	short loc_A32C43
		cmp	eax, 0C0000022h
		jz	short loc_A32C43
		cmp	eax, 0C0000016h
		jz	short loc_A32C43
		cmp	eax, 0C00000BBh
		jnz	short loc_A32C59

loc_A32C43:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+FAj
					; _CmDeleteDevicePanelWorker(x,x,x)+101j ...
		mov	ecx, dword ptr [ebp+arg_0]
		mov	eax, [ebp+var_8]
		inc	ecx
		add	eax, 14h
		mov	dword ptr [ebp+arg_0], ecx
		mov	[ebp+var_8], eax
		cmp	ecx, ebx
		jb	short loc_A32C17
		jmp	short loc_A32C5B
; 

loc_A32C59:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+116j
		mov	esi, eax

loc_A32C5B:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+E5j
					; _CmDeleteDevicePanelWorker(x,x,x)+12Cj
		test	esi, esi
		js	short loc_A32C92
		mov	ebx, [ebp+var_C]
		mov	edx, ebx
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_4]
		push	60h
		call	__CmDeleteDevicePanelRegKey@20 ; _CmDeleteDevicePanelRegKey(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A32C86
		cmp	eax, 0C0000034h
		jz	short loc_A32C86
		cmp	eax, 0C000000Dh
		jnz	loc_A32BFC

loc_A32C86:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+147j
					; _CmDeleteDevicePanelWorker(x,x,x)+14Ej
		mov	ecx, [ebp+var_4]
		mov	edx, ebx
		push	6
		call	__CmRaiseDeleteEvent@12	; _CmRaiseDeleteEvent(x,x,x)

loc_A32C92:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+D3j
					; _CmDeleteDevicePanelWorker(x,x,x)+132j
		test	edi, edi
		jz	short loc_A32C9E
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A32C9E:				; CODE XREF: _CmDeleteDevicePanelWorker(x,x,x)+20j
					; _CmDeleteDevicePanelWorker(x,x,x)+64j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
__CmDeleteDevicePanelWorker@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmDevicePanelEnumSubkeyCallback(int,int,wchar_t *,int)
__CmDevicePanelEnumSubkeyCallback@16 proc near
					; DATA XREF: _CmGetMatchingDevicePanelListWorker+92o
					; _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+1FBo

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	[ebp+var_30], eax
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		lea	edi, [ebp+var_14]
		mov	[ebp+var_34], ecx
		stosd
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_18], ecx
		stosd
		mov	[ebp+var_24], ecx
		mov	[ebp+var_1C], ecx
		stosd
		stosd
		mov	eax, [esi]
		sub	eax, 1
		jz	short loc_A32D45
		sub	eax, 1
		jz	short loc_A32D2F
		sub	eax, 1
		jnz	loc_A32F57
		push	10h		; int
		lea	eax, [ebp+var_18]
		push	eax		; wchar_t **
		push	ebx		; wchar_t *
		call	_wcstoul
		add	esp, 0Ch
		cmp	eax, 7

loc_A32D12:				; CODE XREF: _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+9Cj
		ja	loc_A32F49
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	loc_A32F49
		xor	ecx, ecx
		cmp	[eax], cx
		jz	short loc_A32D64
		jmp	loc_A32F49
; 

loc_A32D2F:				; CODE XREF: _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+4Ej
		push	10h		; int
		lea	eax, [ebp+var_18]
		push	eax		; wchar_t **
		push	ebx		; wchar_t *
		call	_wcstoul
		add	esp, 0Ch
		cmp	eax, 0FFFFh
		jmp	short loc_A32D12
; 

loc_A32D45:				; CODE XREF: _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+49j
		push	ebx
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	loc_A32F49

loc_A32D64:				; CODE XREF: _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+81j
		push	52504E50h
		push	72h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A32F49
		lea	eax, [esi+4]
		xor	ecx, ecx
		cmp	[eax], cx
		jz	short loc_A32DD1
		push	900h
		lea	ecx, [ebp+var_24]
		push	ecx
		lea	ecx, [ebp+var_18]
		push	ecx
		push	eax
		push	39h
		pop	edx
		mov	ecx, edi
		call	RtlStringCchCopyExW
		test	eax, eax
		js	loc_A32F40
		mov	ecx, [ebp+var_24]
		cmp	ecx, 2
		jb	loc_A32F40
		mov	eax, [ebp+var_18]
		push	5Ch
		pop	edx
		mov	[eax], dx
		mov	eax, [ebp+var_18]
		add	eax, 2
		xor	edx, edx
		mov	[ebp+var_18], eax
		mov	[eax], dx
		lea	edx, [ecx-2]
		mov	ecx, [ebp+var_18]
		jmp	short loc_A32DD9
; 

loc_A32DD1:				; CODE XREF: _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+DDj
		mov	ecx, edi
		push	39h
		mov	[ebp+var_18], ecx
		pop	edx

loc_A32DD9:				; CODE XREF: _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+128j
		push	ebx
		call	RtlStringCchCopyW
		test	eax, eax
		js	loc_A32F40
		cmp	dword ptr [esi], 3
		jnb	loc_A32ED2
		mov	eax, [ebp+var_20]
		test	eax, eax
		jnz	short loc_A32DFB
		mov	ecx, eax
		jmp	short loc_A32DFE
; 

loc_A32DFB:				; CODE XREF: _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+14Ej
		mov	ecx, [eax+74h]

loc_A32DFE:				; CODE XREF: _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+152j
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_1C]
		push	eax
		push	20019h
		push	8
		push	ebx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jz	loc_A32F40
		test	eax, eax
		js	loc_A32F40
		push	52504E50h
		push	90h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_A32F40
		push	90h		; size_t
		xor	eax, eax
		push	eax		; int
		push	ebx		; void *
		call	_memset
		mov	ecx, [esi]
		add	esp, 0Ch
		xor	eax, eax
		inc	ecx
		mov	[ebx], ecx
		lea	ecx, [ebx+4]
		push	900h
		push	eax
		push	eax
		push	edi
		push	39h
		pop	edx
		call	RtlStringCchCopyExW
		mov	eax, [esi+78h]
		mov	ecx, [ebp+var_20]
		mov	[ebx+78h], eax
		mov	eax, [esi+7Ch]
		mov	[ebx+7Ch], eax
		mov	eax, [esi+80h]
		mov	[ebx+80h], eax
		mov	eax, [esi+84h]
		mov	[ebx+84h], eax
		mov	eax, [esi+88h]
		push	ebx
		mov	[ebx+88h], eax
		mov	edx, [ebp+var_1C]
		push	offset __CmDevicePanelEnumSubkeyCallback@16 ; _CmDevicePanelEnumSubkeyCallback(x,x,x,x)
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		mov	eax, [ebx+88h]
		mov	[esi+88h], eax
		mov	eax, [ebx+80h]
		mov	[esi+80h], eax
		mov	eax, [ebx+84h]
		mov	[esi+84h], eax
		jmp	short loc_A32F33
; 

loc_A32ED2:				; CODE XREF: _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+143j
		push	edi
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A32F40
		movzx	ebx, word ptr [ebp+var_2C+2]
		mov	eax, [esi+78h]
		shr	ebx, 1
		test	eax, eax
		jz	short loc_A32EFC
		push	dword ptr [esi+7Ch]
		push	6
		push	edi
		push	[ebp+var_20]
		call	eax
		test	al, al
		jz	short loc_A32F40

loc_A32EFC:				; CODE XREF: _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+244j
		add	[esi+88h], ebx
		mov	edx, [esi+84h]
		cmp	edx, ebx
		jbe	short loc_A32F40
		mov	ecx, [esi+80h]
		xor	eax, eax
		push	900h
		push	eax
		push	eax
		push	edi
		call	RtlStringCchCopyExW
		lea	eax, [ebx+ebx]
		add	[esi+80h], eax
		sub	[esi+84h], ebx
		mov	ebx, [ebp+var_34]

loc_A32F33:				; CODE XREF: _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+229j
		test	ebx, ebx
		jz	short loc_A32F40
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A32F40:				; CODE XREF: _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+F9j
					; _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+105j ...
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A32F49:				; CODE XREF: _CmDevicePanelEnumSubkeyCallback(x,x,x,x):loc_A32D12j
					; _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+76j ...
		cmp	[ebp+var_1C], 0
		jz	short loc_A32F57
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_A32F57:				; CODE XREF: _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+53j
					; _CmDevicePanelEnumSubkeyCallback(x,x,x,x)+2A6j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
__CmDevicePanelEnumSubkeyCallback@16 endp


;  S U B	R O U T	I N E 


; __stdcall _CmGetDevicePanelGroup(x)
__CmGetDevicePanelGroup@4 proc near	; CODE XREF: _CmUpdateDevicePanel+6DB0Cp
					; _CmUpdateDevicePanel+6E3FFp ...
		mov	eax, [ecx]
		xor	edx, edx
		and	al, 7Fh
		cmp	al, 2
		jb	short loc_A32F7F
		mov	eax, [ecx+0Ch]
		shr	eax, 2
		movzx	edx, al
		jmp	short loc_A32F96
; 

loc_A32F7F:				; CODE XREF: _CmGetDevicePanelGroup(x)+8j
		mov	eax, [ecx+8]
		test	al, 4
		jz	short loc_A32F8D
		mov	edx, 100h
		jmp	short loc_A32F96
; 

loc_A32F8D:				; CODE XREF: _CmGetDevicePanelGroup(x)+1Aj
		test	al, 2
		jz	short loc_A32F96
		mov	edx, 101h

loc_A32F96:				; CODE XREF: _CmGetDevicePanelGroup(x)+13j
					; _CmGetDevicePanelGroup(x)+21j ...
		mov	eax, edx
		retn
__CmGetDevicePanelGroup@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetDevicePanelMappedProperty(int,int,void *,void *,int,int,int)
__CmGetDevicePanelMappedProperty@36 proc near ;	CODE XREF: _PnpDispatchDevicePanel+9809Ep

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_18]
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, 0C0000016h
		and	dword ptr [ebx], 0
		cmp	[ebp+arg_4], 0
		mov	[ebp+var_4], edi
		jnz	loc_A33077
		mov	eax, [ebp+arg_8]
		mov	ecx, [eax+10h]
		cmp	ecx, 2
		jnz	short loc_A33003
		push	10h		; size_t
		push	offset _DEVPKEY_DevicePanel_ContainerId	; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A33077
		mov	eax, [ebp+arg_C]
		push	10h
		mov	dword ptr [eax], 0Dh
		pop	eax
		mov	[ebx], eax
		cmp	[ebp+arg_14], eax
		jnb	short loc_A32FFA

loc_A32FF3:				; CODE XREF: _CmGetDevicePanelMappedProperty(x,x,x,x,x,x,x,x,x)+94j
					; _CmGetDevicePanelMappedProperty(x,x,x,x,x,x,x,x,x)+CBj
		mov	esi, 0C0000023h
		jmp	short loc_A33077
; 

loc_A32FFA:				; CODE XREF: _CmGetDevicePanelMappedProperty(x,x,x,x,x,x,x,x,x)+58j
		mov	edx, [ebp+arg_10]
		mov	ecx, edi
		push	0
		jmp	short loc_A3306E
; 

loc_A33003:				; CODE XREF: _CmGetDevicePanelMappedProperty(x,x,x,x,x,x,x,x,x)+2Dj
		cmp	ecx, 3
		jnz	short loc_A3303B
		push	10h		; size_t
		push	(offset	loc_427D7B+1) ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A33077
		mov	eax, [ebp+arg_C]
		push	4
		pop	edi
		mov	dword ptr [eax], 7
		mov	[ebx], edi
		cmp	[ebp+arg_14], edi
		jb	short loc_A32FF3
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		push	0
		push	[ebp+arg_10]
		jmp	short loc_A33070
; 

loc_A3303B:				; CODE XREF: _CmGetDevicePanelMappedProperty(x,x,x,x,x,x,x,x,x)+6Dj
		push	4
		pop	edi
		cmp	ecx, edi
		jnz	short loc_A33077
		push	10h		; size_t
		push	offset _DEVPKEY_DevicePanel_Side ; void	*
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A33077
		mov	eax, [ebp+arg_C]
		mov	dword ptr [eax], 7
		mov	[ebx], edi
		cmp	[ebp+arg_14], edi
		jb	short loc_A32FF3
		push	[ebp+arg_10]
		mov	ecx, [ebp+var_4]
		xor	edx, edx

loc_A3306E:				; CODE XREF: _CmGetDevicePanelMappedProperty(x,x,x,x,x,x,x,x,x)+68j
		push	0

loc_A33070:				; CODE XREF: _CmGetDevicePanelMappedProperty(x,x,x,x,x,x,x,x,x)+A0j
		call	__CmSplitDevicePanelId@16 ; _CmSplitDevicePanelId(x,x,x,x)
		mov	esi, eax

loc_A33077:				; CODE XREF: _CmGetDevicePanelMappedProperty(x,x,x,x,x,x,x,x,x)+1Ej
					; _CmGetDevicePanelMappedProperty(x,x,x,x,x,x,x,x,x)+41j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
__CmGetDevicePanelMappedProperty@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDevicePanelMappedPropertyKeys(x, x, x, x, x, x, x)
__CmGetDevicePanelMappedPropertyKeys@28	proc near
					; CODE XREF: _PnpDispatchDevicePanel+98061p
					; _CmDeleteDevicePanelWorker(x,x,x)+7Cp

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		push	edi
		and	dword ptr [ebx], 0
		xor	esi, esi
		mov	[ebp+arg_10], esi

loc_A33093:				; CODE XREF: _CmGetDevicePanelMappedPropertyKeys(x,x,x,x,x,x,x)+51j
		cmp	[ebp+arg_8], 0
		mov	edi, [ebp+arg_C]
		jz	short loc_A330B9
		mov	eax, [ebx]
		cmp	eax, edi
		jnb	short loc_A330B9
		mov	esi, ds:off_404FFC[esi]
		imul	edi, eax, 14h
		push	5
		pop	ecx
		add	edi, [ebp+arg_8]
		rep movsd
		mov	esi, [ebp+arg_10]
		mov	edi, [ebp+arg_C]

loc_A330B9:				; CODE XREF: _CmGetDevicePanelMappedPropertyKeys(x,x,x,x,x,x,x)+1Aj
					; _CmGetDevicePanelMappedPropertyKeys(x,x,x,x,x,x,x)+20j
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A330D5
		add	esi, 8
		mov	[ebp+arg_10], esi
		cmp	esi, 18h
		jb	short loc_A33093
		jmp	short loc_A330D8
; 

loc_A330D5:				; CODE XREF: _CmGetDevicePanelMappedPropertyKeys(x,x,x,x,x,x,x)+46j
		and	dword ptr [ebx], 0

loc_A330D8:				; CODE XREF: _CmGetDevicePanelMappedPropertyKeys(x,x,x,x,x,x,x)+53j
		test	eax, eax
		js	short loc_A330E5
		cmp	edi, [ebx]
		sbb	eax, eax
		and	eax, 0C0000023h

loc_A330E5:				; CODE XREF: _CmGetDevicePanelMappedPropertyKeys(x,x,x,x,x,x,x)+5Aj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
__CmGetDevicePanelMappedPropertyKeys@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetDevicePanelMappedPropertyLocales(int,void	*,int,int,int)
__CmGetDevicePanelMappedPropertyLocales@28 proc	near
					; CODE XREF: _PnpDispatchDevicePanel+9807Bp

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	esi
		push	edi
		mov	esi, 0C0000016h
		and	dword ptr [ebx], 0
		xor	edi, edi
		mov	edx, [ecx+10h]
		mov	[ebp+arg_10], edx

loc_A3310A:				; CODE XREF: _CmGetDevicePanelMappedPropertyLocales(x,x,x,x,x,x,x)+45j
		mov	eax, ds:off_404FFC[edi]
		cmp	edx, [eax+10h]
		jnz	short loc_A3312B
		push	10h		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A33135
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_10]

loc_A3312B:				; CODE XREF: _CmGetDevicePanelMappedPropertyLocales(x,x,x,x,x,x,x)+27j
		add	edi, 8
		cmp	edi, 18h
		jb	short loc_A3310A
		jmp	short loc_A33150
; 

loc_A33135:				; CODE XREF: _CmGetDevicePanelMappedPropertyLocales(x,x,x,x,x,x,x)+37j
		xor	eax, eax
		inc	eax
		mov	[ebx], eax
		cmp	[ebp+arg_C], eax
		jb	short loc_A3314B
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		xor	esi, esi
		mov	[eax], cx
		jmp	short loc_A33150
; 

loc_A3314B:				; CODE XREF: _CmGetDevicePanelMappedPropertyLocales(x,x,x,x,x,x,x)+51j
		mov	esi, 0C0000023h

loc_A33150:				; CODE XREF: _CmGetDevicePanelMappedPropertyLocales(x,x,x,x,x,x,x)+47j
					; _CmGetDevicePanelMappedPropertyLocales(x,x,x,x,x,x,x)+5Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
__CmGetDevicePanelMappedPropertyLocales@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetDevicePanelRegKeyPath(int,int,int,void *,int,int)
__CmGetDevicePanelRegKeyPath@32	proc near ; CODE XREF: PiDqGetRelativeObjectRegPath+133830p
					; _CmDeleteDevicePanelRegKeyWorker(x,x,x,x,x)+55p ...

arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		push	edi
		mov	esi, edx
		jz	short loc_A331C5
		test	[ebp+arg_0], 0FFFFFE9Fh
		jnz	short loc_A331C5
		call	__CmValidateDevicePanelName@8 ;	_CmValidateDevicePanelName(x,x)
		test	eax, eax
		js	short loc_A331CA
		mov	ecx, esi
		xor	edi, edi
		lea	edx, [ecx+2]

loc_A33181:				; CODE XREF: _CmGetDevicePanelRegKeyPath(x,x,x,x,x,x,x,x)+31j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_A33181
		mov	eax, [ebp+arg_14]
		sub	ecx, edx
		sar	ecx, 1
		add	ecx, 2Fh
		test	eax, eax
		jz	short loc_A3319C
		mov	[eax], ecx

loc_A3319C:				; CODE XREF: _CmGetDevicePanelRegKeyPath(x,x,x,x,x,x,x,x)+3Fj
		cmp	ecx, [ebp+arg_10]
		jbe	short loc_A331A8
		mov	eax, 0C0000023h
		jmp	short loc_A331CA
; 

loc_A331A8:				; CODE XREF: _CmGetDevicePanelRegKeyPath(x,x,x,x,x,x,x,x)+46j
		push	esi		; char
		push	offset ??_C@_1GC@DIEKECLA@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@NNGAKEGL@ ; wchar_t *
		push	800h		; int
		push	edi		; int
		push	edi		; int
		push	[ebp+arg_10]	; int
		push	[ebp+arg_C]	; void *
		call	RtlStringCchPrintfExW
		add	esp, 1Ch
		jmp	short loc_A331CA
; 

loc_A331C5:				; CODE XREF: _CmGetDevicePanelRegKeyPath(x,x,x,x,x,x,x,x)+Dj
					; _CmGetDevicePanelRegKeyPath(x,x,x,x,x,x,x,x)+16j
		mov	eax, 0C000000Dh

loc_A331CA:				; CODE XREF: _CmGetDevicePanelRegKeyPath(x,x,x,x,x,x,x,x)+1Fj
					; _CmGetDevicePanelRegKeyPath(x,x,x,x,x,x,x,x)+4Dj ...
		pop	edi
		pop	esi
		pop	ebp
		retn	18h
__CmGetDevicePanelRegKeyPath@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetParentDeviceContainerId(x, x,	x)
__CmGetParentDeviceContainerId@12 proc near ; CODE XREF: _CmUpdateDevicePanel+6DAF6p
					; _CmUpdateDevicePanel+6E3E9p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		push	52504E50h
		push	190h
		push	1
		mov	esi, edx
		mov	[ebp+var_C], 0C8h
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A3320C
		mov	esi, 0C0000017h
		jmp	short loc_A33261
; 

loc_A3320C:				; CODE XREF: _CmGetParentDeviceContainerId(x,x,x)+33j
		lea	eax, [ebp+var_C]
		mov	edx, esi
		push	eax
		push	edi
		mov	ecx, ebx
		call	_CmGetDeviceParent
		mov	esi, eax
		test	esi, esi
		js	short loc_A33259
		xor	ecx, ecx
		lea	eax, [ebp+var_8]
		push	ecx
		push	eax
		push	10h
		push	[ebp+arg_0]
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		push	offset _DEVPKEY_Device_ContainerId
		push	ecx
		push	ecx
		push	1
		mov	ecx, ebx
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A33259
		cmp	[ebp+var_4], 0Dh
		jnz	short loc_A33254
		cmp	[ebp+var_8], 10h
		jz	short loc_A33259

loc_A33254:				; CODE XREF: _CmGetParentDeviceContainerId(x,x,x)+7Cj
		mov	esi, 0C0000001h

loc_A33259:				; CODE XREF: _CmGetParentDeviceContainerId(x,x,x)+4Ej
					; _CmGetParentDeviceContainerId(x,x,x)+76j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A33261:				; CODE XREF: _CmGetParentDeviceContainerId(x,x,x)+3Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
__CmGetParentDeviceContainerId@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmOpenDevicePanelRegKey(x,	x, x, x, x, x, x, x)
__CmOpenDevicePanelRegKey@32 proc near	; CODE XREF: _PnpDispatchDevicePanel+98029p
					; _CmCreateDevicePanelWorker(x,x,x,x,x,x)+2Ep

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_14]
		lea	eax, [ebp+var_30]
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		push	2Ch		; size_t
		mov	edi, ecx
		mov	[ebp+var_34], edx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_38], edi
		call	_memset
		mov	eax, [ebp+arg_8]
		add	esp, 0Ch
		mov	edi, [edi+100h]
		and	[ebp+var_24], 0
		mov	[ebp+var_20], eax
		mov	al, [ebp+arg_C]
		mov	[ebp+var_18], esi
		mov	esi, [ebp+var_38]
		mov	[ebp+var_28], 60h
		mov	byte ptr [ebp+var_1C], al
		test	edi, edi
		jz	short loc_A332DD
		lea	eax, [ebp+var_30]
		push	eax
		push	1
		push	0Bh
		push	6
		push	[ebp+var_34]
		push	esi
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A3334A
		xor	edi, edi

loc_A332DD:				; CODE XREF: _CmOpenDevicePanelRegKey(x,x,x,x,x,x,x,x)+58j
					; _CmOpenDevicePanelRegKey(x,x,x,x,x,x,x,x)+EEj
		mov	edx, [ebp+var_34]
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_18]
		push	[ebp+var_1C]
		push	[ebp+var_20]
		push	ecx
		push	[ebp+var_28]
		mov	ecx, esi
		call	__CmOpenDevicePanelRegKeyWorker@32 ; _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A3332A
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	0Bh
		push	6
		push	[ebp+var_34]
		push	[ebp+var_38]
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A3332A
		cmp	eax, 0C0000120h
		jz	short loc_A33351
		test	eax, eax
		jz	short loc_A3332A
		mov	esi, 0C00000E5h

loc_A3332A:				; CODE XREF: _CmOpenDevicePanelRegKey(x,x,x,x,x,x,x,x)+92j
					; _CmOpenDevicePanelRegKey(x,x,x,x,x,x,x,x)+AEj ...
		test	esi, esi
		js	short loc_A33337
		test	ebx, ebx
		jz	short loc_A33337
		mov	eax, [ebp+var_14]
		mov	[ebx], eax

loc_A33337:				; CODE XREF: _CmOpenDevicePanelRegKey(x,x,x,x,x,x,x,x)+C2j
					; _CmOpenDevicePanelRegKey(x,x,x,x,x,x,x,x)+C6j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
; 

loc_A3334A:				; CODE XREF: _CmOpenDevicePanelRegKey(x,x,x,x,x,x,x,x)+6Fj
		cmp	eax, 0C0000120h
		jnz	short loc_A33356

loc_A33351:				; CODE XREF: _CmOpenDevicePanelRegKey(x,x,x,x,x,x,x,x)+B5j
		mov	esi, [ebp+var_30]
		jmp	short loc_A3332A
; 

loc_A33356:				; CODE XREF: _CmOpenDevicePanelRegKey(x,x,x,x,x,x,x,x)+E5j
		test	eax, eax
		jz	short loc_A332DD
		mov	esi, 0C00000E5h
		jmp	short loc_A33337
__CmOpenDevicePanelRegKey@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmOpenDevicePanelRegKeyWorker(x, x, x, x, x, x, x,	x)
__CmOpenDevicePanelRegKeyWorker@32 proc	near
					; CODE XREF: _CmOpenDevicePanelRegKey(x,x,x,x,x,x,x,x)+89p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		xor	eax, eax
		mov	[esp+1Ch+var_C], edx
		push	ebx
		mov	ebx, ecx
		mov	[esp+20h+var_14], eax
		push	esi
		push	edi
		mov	edi, eax
		mov	[esp+28h+var_10], eax
		mov	[esp+28h+var_18], eax
		mov	[esp+28h+var_8], eax
		mov	[esp+28h+var_4], eax
		cmp	[ebp+arg_0], eax
		jz	loc_A3356C
		test	[ebp+arg_0], 0FFFFFE9Fh
		jnz	loc_A3356C
		mov	esi, 13Dh
		mov	[esp+28h+var_1C], esi
		jmp	short loc_A333FD
; 

loc_A333AE:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+ADj
		mov	edx, [esp+28h+var_C]
		lea	eax, [esp+28h+var_14]
		push	eax		; int
		mov	ecx, esi
		shr	ecx, 1
		push	ecx		; int
		push	edi		; void *
		push	ecx		; int
		push	ecx		; int
		push	[ebp+arg_0]	; int
		call	__CmGetDevicePanelRegKeyPath@32	; _CmGetDevicePanelRegKeyPath(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_A33415
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+28h+var_14]
		xor	edi, edi
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [esp+28h+var_1C]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A33571
		mov	esi, [esp+28h+var_1C]

loc_A333FD:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+4Bj
		push	52504E50h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A333AE
		mov	esi, 0C0000017h

loc_A33415:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+6Ej
		test	esi, esi
		js	loc_A33571
		test	[ebp+arg_0], 100h
		jnz	loc_A334D4
		push	edi
		lea	eax, [esp+2Ch+var_8]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A33571
		mov	cx, word ptr [esp+28h+var_8]
		movzx	eax, cx
		cmp	eax, [esp+28h+var_1C]
		jnb	loc_A3356C
		cmp	cx, 32h
		jbe	loc_A3356C
		push	1
		lea	eax, [esp+2Ch+var_8]
		push	eax
		push	(offset	loc_404F8D+3)
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	loc_A3356C
		mov	eax, 0FFCEh
		lea	esi, [edi+32h]
		add	word ptr [esp+28h+var_8], ax
		add	word ptr [esp+28h+var_8+2], ax
		lea	eax, [esp+28h+var_8]
		push	1
		push	eax
		push	(offset	loc_404FF3+1)
		mov	[esp+34h+var_1C], esi
		mov	[esp+34h+var_4], esi
		call	_RtlPrefixUnicodeString@12 ; RtlPrefixUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A334AA
		add	esi, 2Ah
		mov	[esp+28h+var_1C], esi

loc_A334AA:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+140j
		xor	edx, edx
		lea	ecx, [esp+28h+var_10]
		test	al, al
		push	ecx
		setnz	dl
		mov	ecx, ebx
		dec	edx
		and	edx, 0FFFFFFF9h
		add	edx, 0Bh
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A33571
		mov	edx, [esp+28h+var_10]
		jmp	short loc_A334FE
; 

loc_A334D4:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+C3j
		mov	[esp+28h+var_1C], edi
		test	ebx, ebx
		jnz	short loc_A334E0
		xor	ecx, ecx
		jmp	short loc_A334E3
; 

loc_A334E0:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+179j
		mov	ecx, [ebx+74h]

loc_A334E3:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+17Dj
		lea	eax, [esp+28h+var_18]
		xor	edx, edx
		push	eax
		push	2000000h
		call	__SysCtxRegOpenCurrentUserKey@16 ; _SysCtxRegOpenCurrentUserKey(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A33571
		mov	edx, [esp+28h+var_18]

loc_A334FE:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+171j
		cmp	[ebp+arg_C], 0
		jz	short loc_A3352A
		test	ebx, ebx
		jnz	short loc_A3350C
		xor	ecx, ecx
		jmp	short loc_A3350F
; 

loc_A3350C:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+1A5j
		mov	ecx, [ebx+74h]

loc_A3350F:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+1A9j
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	ecx
		push	0
		push	[ebp+arg_8]
		push	0
		push	[esp+40h+var_1C]
		call	__SysCtxRegCreateTree@36 ; _SysCtxRegCreateTree(x,x,x,x,x,x,x,x,x)
		mov	ecx, eax
		jmp	short loc_A33555
; 

loc_A3352A:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+1A1j
		test	ebx, ebx
		jnz	short loc_A33532
		xor	ecx, ecx
		jmp	short loc_A33535
; 

loc_A33532:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+1CBj
		mov	ecx, [ebx+74h]

loc_A33535:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+1CFj
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		push	0
		push	[esp+34h+var_1C]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_A33555
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 2

loc_A33555:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+1C7j
					; _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+1E9j
		cmp	ecx, 0C000017Ch
		jnz	short loc_A33564
		mov	esi, 0C00000E5h
		jmp	short loc_A33571
; 

loc_A33564:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+1FAj
		test	ecx, ecx
		jns	short loc_A33571
		mov	esi, ecx
		jmp	short loc_A33571
; 

loc_A3356C:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+2Fj
					; _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+3Cj ...
		mov	esi, 0C000000Dh

loc_A33571:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+92j
					; _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+B6j ...
		cmp	[esp+28h+var_18], 0
		jz	short loc_A33581
		push	[esp+28h+var_18]
		call	_ZwClose@4	; ZwClose(x)

loc_A33581:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+215j
		test	edi, edi
		jz	short loc_A3358D
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3358D:				; CODE XREF: _CmOpenDevicePanelRegKeyWorker(x,x,x,x,x,x,x,x)+222j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
__CmOpenDevicePanelRegKeyWorker@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmRemovePanelDevice(x, x, x, x)
__CmRemovePanelDevice@16 proc near	; CODE XREF: _CmUpdateDevicePanel+6DC74p
					; _CmDeleteDeviceWorker(x,x,x)+1A3p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_30]
		push	edi
		push	2Ch		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_34], edx
		mov	ebx, ecx
		call	_memset
		mov	edi, [ebx+100h]
		add	esp, 0Ch
		mov	eax, [ebp+var_34]
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], esi
		test	edi, edi
		jz	short loc_A335F2
		lea	ecx, [ebp+var_30]
		push	ecx
		push	1
		push	0Eh
		push	6
		push	eax
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jnz	short loc_A33652
		xor	edi, edi

loc_A335EF:				; CODE XREF: _CmRemovePanelDevice(x,x,x,x)+C8j
		mov	eax, [ebp+var_34]

loc_A335F2:				; CODE XREF: _CmRemovePanelDevice(x,x,x,x)+3Ej
		lea	ecx, [ebp+var_20]
		mov	edx, eax
		push	ecx
		push	[ebp+var_24]
		mov	ecx, ebx
		call	__CmRemovePanelDeviceWorker@16 ; _CmRemovePanelDeviceWorker(x,x,x,x)
		mov	esi, eax
		test	edi, edi
		jz	short loc_A3362D
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		push	2
		push	0Eh
		push	6
		push	[ebp+var_34]
		push	ebx
		call	edi
		cmp	eax, 0C0000002h
		jz	short loc_A3362D
		cmp	eax, 0C0000120h
		jz	short loc_A33659
		test	eax, eax
		jnz	short loc_A33662

loc_A3362D:				; CODE XREF: _CmRemovePanelDevice(x,x,x,x)+6Ej
					; _CmRemovePanelDevice(x,x,x,x)+88j
		cmp	byte ptr [ebp+var_20], 0
		jnz	short loc_A3363F
		mov	edx, [ebp+var_34]
		mov	ecx, ebx
		push	6
		call	__PnpObjectRaiseDevicesChangeEvent@12 ;	_PnpObjectRaiseDevicesChangeEvent(x,x,x)

loc_A3363F:				; CODE XREF: _CmRemovePanelDevice(x,x,x,x)+99j
					; _CmRemovePanelDevice(x,x,x,x)+C4j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_A33652:				; CODE XREF: _CmRemovePanelDevice(x,x,x,x)+53j
		cmp	eax, 0C0000120h
		jnz	short loc_A3365E

loc_A33659:				; CODE XREF: _CmRemovePanelDevice(x,x,x,x)+8Fj
		mov	esi, [ebp+var_30]
		jmp	short loc_A3363F
; 

loc_A3365E:				; CODE XREF: _CmRemovePanelDevice(x,x,x,x)+BFj
		test	eax, eax
		jz	short loc_A335EF

loc_A33662:				; CODE XREF: _CmRemovePanelDevice(x,x,x,x)+93j
		mov	esi, 0C00000E5h
		jmp	short loc_A3363F
__CmRemovePanelDevice@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmRemovePanelDeviceWorker(x, x, x,	x)
__CmRemovePanelDeviceWorker@16 proc near ; CODE	XREF: _CmRemovePanelDevice(x,x,x,x)+65p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	ecx, ecx
		mov	[eax], cl
		lea	eax, [ebp+var_C]
		push	eax
		push	0Bh
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_14], ecx
		mov	ecx, edi
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A33782
		test	edi, edi
		jnz	short loc_A336AB
		xor	ecx, ecx
		jmp	short loc_A336AE
; 

loc_A336AB:				; CODE XREF: _CmRemovePanelDeviceWorker(x,x,x,x)+3Cj
		mov	ecx, [edi+74h]

loc_A336AE:				; CODE XREF: _CmRemovePanelDeviceWorker(x,x,x,x)+40j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		push	0
		push	ebx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		xor	ebx, ebx
		test	esi, esi
		js	loc_A33784
		mov	ecx, ebx
		test	edi, edi
		jz	short loc_A336D4
		mov	ecx, [edi+74h]

loc_A336D4:				; CODE XREF: _CmRemovePanelDeviceWorker(x,x,x,x)+66j
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	3
		push	ebx
		push	offset ??_C@_1BA@HICHNCPO@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@NNGAKEGL@	; "Devices"
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A33784
		push	[ebp+arg_0]
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], ebx
		push	eax
		mov	[ebp+var_C], ebx
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A33718
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		mov	esi, eax

loc_A33718:				; CODE XREF: _CmRemovePanelDeviceWorker(x,x,x,x)+9Fj
		cmp	esi, 0C0000034h
		jz	short loc_A3372C
		cmp	esi, 0C000017Ch
		jz	short loc_A3372C
		test	esi, esi
		js	short loc_A33784

loc_A3372C:				; CODE XREF: _CmRemovePanelDeviceWorker(x,x,x,x)+B5j
					; _CmRemovePanelDeviceWorker(x,x,x,x)+BDj
		mov	eax, [ebp+arg_4]
		xor	edx, edx
		mov	ecx, [ebp+var_4]
		push	ebx
		push	ebx
		mov	byte ptr [eax],	1
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A33784
		cmp	[ebp+var_14], 0
		jnz	short loc_A3376D
		test	edi, edi
		jz	short loc_A33761
		mov	eax, [edi+74h]
		test	eax, eax
		jz	short loc_A33761
		mov	ecx, [eax+4]
		push	ebx
		push	ecx
		jmp	short loc_A33763
; 

loc_A33761:				; CODE XREF: _CmRemovePanelDeviceWorker(x,x,x,x)+E8j
					; _CmRemovePanelDeviceWorker(x,x,x,x)+EFj
		push	ebx
		push	ebx

loc_A33763:				; CODE XREF: _CmRemovePanelDeviceWorker(x,x,x,x)+F6j
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		call	_RegRtlDeleteTreeInternal

loc_A3376D:				; CODE XREF: _CmRemovePanelDeviceWorker(x,x,x,x)+E4j
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	offset _DEVPKEY_Device_PanelId
		push	ebx
		push	ebx
		push	1
		call	_PnpObjectRaisePropertyChangeEvent
		jmp	short loc_A33784
; 

loc_A33782:				; CODE XREF: _CmRemovePanelDeviceWorker(x,x,x,x)+34j
		xor	ebx, ebx

loc_A33784:				; CODE XREF: _CmRemovePanelDeviceWorker(x,x,x,x)+5Cj
					; _CmRemovePanelDeviceWorker(x,x,x,x)+83j ...
		cmp	esi, 0C0000034h
		jz	short loc_A33794
		cmp	esi, 0C000017Ch
		jnz	short loc_A33796

loc_A33794:				; CODE XREF: _CmRemovePanelDeviceWorker(x,x,x,x)+121j
		mov	esi, ebx

loc_A33796:				; CODE XREF: _CmRemovePanelDeviceWorker(x,x,x,x)+129j
		cmp	[ebp+var_4], 0
		jz	short loc_A337A4
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A337A4:				; CODE XREF: _CmRemovePanelDeviceWorker(x,x,x,x)+131j
		cmp	[ebp+var_8], 0
		jz	short loc_A337B2
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_A337B2:				; CODE XREF: _CmRemovePanelDeviceWorker(x,x,x,x)+13Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
__CmRemovePanelDeviceWorker@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmSetDevicePanelMappedProperty(int,int,void *,int,int,int)
__CmSetDevicePanelMappedProperty@32 proc near ;	CODE XREF: _PnpDispatchDevicePanel+980B5p
					; _CmDeleteDevicePanelWorker(x,x,x)+F3p

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_4], 0
		push	edi
		mov	edi, 0C0000016h
		jnz	short loc_A33808
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		xor	esi, esi
		mov	ecx, [ebx+10h]
		mov	[ebp+arg_4], ecx

loc_A337D9:				; CODE XREF: _CmSetDevicePanelMappedProperty(x,x,x,x,x,x,x,x)+42j
		mov	eax, ds:off_404FFC[esi]
		cmp	ecx, [eax+10h]
		jnz	short loc_A337F7
		push	10h		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A33801
		mov	ecx, [ebp+arg_4]

loc_A337F7:				; CODE XREF: _CmSetDevicePanelMappedProperty(x,x,x,x,x,x,x,x)+27j
		add	esi, 8
		cmp	esi, 18h
		jb	short loc_A337D9
		jmp	short loc_A33806
; 

loc_A33801:				; CODE XREF: _CmSetDevicePanelMappedProperty(x,x,x,x,x,x,x,x)+37j
		mov	edi, 0C0000022h

loc_A33806:				; CODE XREF: _CmSetDevicePanelMappedProperty(x,x,x,x,x,x,x,x)+44j
		pop	esi
		pop	ebx

loc_A33808:				; CODE XREF: _CmSetDevicePanelMappedProperty(x,x,x,x,x,x,x,x)+Fj
		mov	eax, edi
		pop	edi
		pop	ebp
		retn	18h
__CmSetDevicePanelMappedProperty@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmSplitDevicePanelId(x, x,	x, x)
__CmSplitDevicePanelId@16 proc near	; CODE XREF: PiPnpRtlSetObjectProperty+A15FDp
					; _CmGetDevicePanelMappedProperty(x,x,x,x,x,x,x,x,x):loc_A33070p ...

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_18		= word ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_70], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_4]
		push	esi
		mov	[ebp+var_7C], eax
		xor	eax, eax
		push	edi
		mov	[ebp+var_78], eax
		mov	edi, edx
		mov	[ebp+var_74], eax
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_78]
		push	ebx
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A33957
		mov	eax, [ebp+var_78+2]
		and	eax, 0FFFEh
		cmp	ax, 52h
		jb	loc_A33957
		push	5Ch
		pop	eax
		cmp	[ebx+4Ch], ax
		jnz	loc_A33957
		test	edi, edi
		jz	short loc_A338B8
		push	800h
		xor	eax, eax
		lea	ecx, [ebp+var_68]
		push	eax
		push	eax
		push	26h
		push	ebx
		push	27h
		pop	edx
		call	RtlStringCchCopyNExW
		mov	esi, eax
		test	esi, esi
		js	loc_A3395C
		lea	eax, [ebp+var_68]
		push	eax
		lea	eax, [ebp+var_78]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		lea	eax, [ebp+var_78]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A33957

loc_A338B8:				; CODE XREF: _CmSplitDevicePanelId(x,x,x,x)+65j
		lea	eax, [ebx+4Eh]
		push	5Ch		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		mov	edi, eax
		pop	ecx
		pop	ecx
		test	edi, edi
		jz	loc_A33957
		add	edi, 2
		cmp	[ebp+var_70], 0
		jz	short loc_A3392C
		xor	eax, eax
		lea	ecx, [ebp+var_18]
		push	800h
		push	eax
		push	eax
		mov	eax, edi
		sub	eax, ebx
		sub	eax, 50h
		sar	eax, 1
		push	eax
		lea	eax, [ebx+4Eh]
		push	eax
		push	9
		pop	edx
		call	RtlStringCchCopyNExW
		mov	esi, eax
		test	esi, esi
		js	short loc_A3395C
		push	10h		; int
		lea	eax, [ebp+var_6C]
		push	eax		; wchar_t **
		lea	eax, [ebp+var_18]
		push	eax		; wchar_t *
		call	_wcstoul
		mov	ecx, [ebp+var_70]
		add	esp, 0Ch
		mov	[ecx], eax
		cmp	eax, 0FFFFh
		ja	short loc_A33957
		mov	eax, [ebp+var_6C]
		test	eax, eax
		jz	short loc_A33957
		xor	ecx, ecx
		cmp	[eax], cx
		jnz	short loc_A33957

loc_A3392C:				; CODE XREF: _CmSplitDevicePanelId(x,x,x,x)+C7j
		mov	ebx, [ebp+var_7C]
		test	ebx, ebx
		jz	short loc_A3395C
		push	10h		; int
		lea	eax, [ebp+var_6C]
		push	eax		; wchar_t **
		push	edi		; wchar_t *
		call	_wcstoul
		add	esp, 0Ch
		mov	[ebx], eax
		cmp	eax, 7
		ja	short loc_A33957
		mov	eax, [ebp+var_6C]
		test	eax, eax
		jz	short loc_A33957
		xor	ecx, ecx
		cmp	[eax], cx
		jz	short loc_A3395C

loc_A33957:				; CODE XREF: _CmSplitDevicePanelId(x,x,x,x)+3Ej
					; _CmSplitDevicePanelId(x,x,x,x)+50j ...
		mov	esi, 0C0000033h

loc_A3395C:				; CODE XREF: _CmSplitDevicePanelId(x,x,x,x)+82j
					; _CmSplitDevicePanelId(x,x,x,x)+EFj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
__CmSplitDevicePanelId@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmUpdateDevicePanelInterface(x, x,	x)
__CmUpdateDevicePanelInterface@12 proc near ; CODE XREF: PiPnpRtlSetObjectProperty+A178Ep

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1C], edx
		lea	edi, [ebp+var_18]
		xor	esi, esi
		stosd
		mov	ebx, ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_3C], esi
		stosd
		mov	[ebp+var_44], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_40], esi
		stosd
		mov	[ebp+var_38], esi
		mov	[ebp+var_28], esi
		mov	[ebp+var_2C], esi
		stosd
		lea	eax, [ebp+var_40]
		push	eax
		lea	eax, [ebp+var_24]
		mov	[ebp+var_34], esi
		push	eax
		lea	eax, [ebp+var_44]
		mov	[ebp+var_30], esi
		push	eax
		lea	eax, [ebp+var_3C]
		mov	edi, esi
		push	eax
		push	offset _DEVPKEY_Device_PhysicalDeviceLocation ;	"~\vT@Ej\vL\t"
		push	ecx
		push	3
		mov	ecx, ebx
		call	_CmQueryDevicePanelPldProperty
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	short loc_A339E9
		xor	ecx, ecx
		mov	esi, ecx
		jmp	loc_A33B6A
; 

loc_A339E9:				; CODE XREF: _CmUpdateDevicePanelInterface(x,x,x)+6Fj
		test	esi, esi
		js	loc_A33BF7
		cmp	[ebp+var_24], edi
		jz	loc_A33B68
		push	52504E50h
		mov	esi, 190h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		jnz	short loc_A33A1D
		mov	esi, 0C0000017h
		jmp	loc_A33BF7
; 

loc_A33A1D:				; CODE XREF: _CmUpdateDevicePanelInterface(x,x,x)+A2j
		xor	edx, edx
		lea	ecx, [ebp+var_30]
		push	edx
		push	ecx
		push	esi
		push	eax
		lea	eax, [ebp+var_34]
		mov	ecx, ebx
		push	eax
		push	offset _DEVPKEY_Device_InstanceId
		push	edx
		push	[ebp+var_20]
		mov	edx, [ebp+var_1C]
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A33BDC
		cmp	[ebp+var_34], 12h
		jnz	loc_A33B61
		cmp	[ebp+var_30], 2
		jb	loc_A33B61
		mov	edx, [ebp+var_38]
		lea	eax, [ebp+var_18]
		push	eax
		mov	ecx, ebx
		call	__CmGetParentDeviceContainerId@12 ; _CmGetParentDeviceContainerId(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A33BDC
		mov	ecx, [ebp+var_24]
		call	__CmGetDevicePanelGroup@4 ; _CmGetDevicePanelGroup(x)
		mov	[ebp+var_28], eax
		mov	eax, [ecx+8]
		xor	ecx, ecx
		shr	eax, 3
		and	eax, 7
		cmp	eax, 7
		jnb	short loc_A33A97
		mov	ecx, ds:dword_40F8EC[eax*4]

loc_A33A97:				; CODE XREF: _CmUpdateDevicePanelInterface(x,x,x)+11Fj
		push	52504E50h
		push	72h
		push	1
		mov	[ebp+var_2C], ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A33AB8
		mov	esi, 0C0000017h
		jmp	loc_A33BDC
; 

loc_A33AB8:				; CODE XREF: _CmUpdateDevicePanelInterface(x,x,x)+13Dj
		mov	edx, [ebp+var_28] ; int
		push	ecx		; int
		push	edi		; int
		push	[ebp+var_2C]	; int
		lea	ecx, [ebp+var_18] ; int
		call	__CmBuildDevicePanelId@20 ; _CmBuildDevicePanelId(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A33BDC
		mov	ecx, edi
		xor	esi, esi
		lea	edx, [ecx+2]

loc_A33AD9:				; CODE XREF: _CmUpdateDevicePanelInterface(x,x,x)+173j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A33AD9
		sub	ecx, edx
		mov	edx, [ebp+var_1C]
		sar	ecx, 1
		push	esi
		lea	eax, ds:2[ecx*2]
		mov	ecx, ebx
		push	eax
		push	edi
		push	12h
		push	offset _DEVPKEY_Device_PanelId
		push	esi
		push	[ebp+var_20]
		push	3
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A33BDC
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		push	ecx
		push	4
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelGroup
		push	ecx
		push	[ebp+var_20]
		mov	ecx, ebx
		push	3
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A33BDC
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_2C]
		xor	ecx, ecx
		push	ecx
		push	4
		push	eax
		push	7
		push	offset _DEVPKEY_Device_PanelSide
		push	ecx
		push	[ebp+var_20]
		mov	ecx, ebx
		push	3
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_A33BDC
; 

loc_A33B61:				; CODE XREF: _CmUpdateDevicePanelInterface(x,x,x)+DEj
					; _CmUpdateDevicePanelInterface(x,x,x)+E8j
		mov	esi, 0C0000001h
		jmp	short loc_A33BDC
; 

loc_A33B68:				; CODE XREF: _CmUpdateDevicePanelInterface(x,x,x)+85j
		xor	ecx, ecx

loc_A33B6A:				; CODE XREF: _CmUpdateDevicePanelInterface(x,x,x)+75j
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_30]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_34]
		push	eax
		push	offset _DEVPKEY_Device_PanelId
		push	ecx
		push	[ebp+var_20]
		mov	ecx, ebx
		push	3
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_A33BF7
		mov	edx, [ebp+var_1C]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelId
		push	eax
		push	eax
		push	3
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	edx, [ebp+var_1C]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelGroup
		push	eax
		push	eax
		push	3
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	edx, [ebp+var_1C]
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _DEVPKEY_Device_PanelSide
		push	eax
		push	eax
		push	3
		mov	ecx, ebx
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_A33BDC:				; CODE XREF: _CmUpdateDevicePanelInterface(x,x,x)+D4j
					; _CmUpdateDevicePanelInterface(x,x,x)+100j ...
		mov	eax, [ebp+var_38]
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_A33BEC
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A33BEC:				; CODE XREF: _CmUpdateDevicePanelInterface(x,x,x)+274j
		test	edi, edi
		jz	short loc_A33BF7
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A33BF7:				; CODE XREF: _CmUpdateDevicePanelInterface(x,x,x)+7Cj
					; _CmUpdateDevicePanelInterface(x,x,x)+A9j ...
		cmp	[ebp+var_3C], 0
		jz	short loc_A33C08
		xor	ecx, ecx
		push	ecx
		push	[ebp+var_3C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A33C08:				; CODE XREF: _CmUpdateDevicePanelInterface(x,x,x)+28Cj
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
__CmUpdateDevicePanelInterface@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmValidateDevicePanelName(x, x)
__CmValidateDevicePanelName@8 proc near	; CODE XREF: _PnpDispatchDevicePanel+98006p
					; _CmGetDevicePanelRegKeyPath(x,x,x,x,x,x,x,x)+18p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		and	[ebp+var_1C], 0
		lea	edi, [ebp+var_14]
		and	[ebp+var_18], 0
		xor	eax, eax
		stosd
		mov	ecx, edx
		lea	edx, [ebp+var_14]
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	__CmSplitDevicePanelId@16 ; _CmSplitDevicePanelId(x,x,x,x)
		test	eax, eax
		jns	short loc_A33C5A
		mov	eax, 0C0000033h

loc_A33C5A:				; CODE XREF: _CmValidateDevicePanelName(x,x)+38j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
__CmValidateDevicePanelName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpGetGenericStorePropertyKeys(x, x, x, x,	x, x, x, x)
__PnpGetGenericStorePropertyKeys@32 proc near
					; CODE XREF: PiDqPnPGetObjectPropertyKeys(x,x,x,x,x,x)+81p
					; PiDevCfgCopyObjectProperties(x,x,x,x,x,x,x,x,x,x,x)+D0p ...

var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_118		= dword	ptr -118h
var_68		= dword	ptr -68h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 164h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	[ebp+var_160], eax
		mov	ebx, ecx
		mov	ecx, [ebp+arg_10]
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_138], eax
		lea	edi, [ebp+var_128]
		mov	[ebp+var_134], eax
		mov	esi, edx
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_130], eax
		mov	[ebp+var_144], eax
		stosd
		mov	[ebp+var_14C], ebx
		mov	[ebp+var_140], edx
		mov	[ebp+var_150], ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_148], eax
		mov	[ebp+var_15C], eax
		mov	[ebp+var_158], eax
		mov	[ecx], eax
		test	edx, edx
		jz	short loc_A33D03
		mov	edi, [ebp+var_140]
		lea	eax, [ebp+var_154]
		push	eax
		push	55h
		pop	edx
		mov	ecx, edi
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		test	eax, eax
		js	loc_A33F6B
		jmp	short loc_A33D05
; 

loc_A33D03:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+79j
		mov	edi, edx

loc_A33D05:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+9Aj
		lea	eax, [ebp+var_138]
		mov	edx, esi
		push	eax
		push	ecx
		push	0
		push	9
		push	0
		mov	ecx, ebx
		call	_PnpOpenPropertiesKey
		cmp	eax, 0C0000034h
		jnz	short loc_A33D2A
		xor	eax, eax
		jmp	loc_A33F6B
; 

loc_A33D2A:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+BAj
		test	eax, eax
		js	loc_A33F6B
		xor	esi, esi

loc_A33D34:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+FBj
					; _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+117j ...
		mov	ecx, [ebp+var_138]
		lea	eax, [ebp+var_12C]
		push	eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_12C], 27h
		push	eax
		mov	edx, esi
		call	_RegRtlEnumKey
		inc	esi
		mov	[ebp+var_154], esi
		cmp	eax, 0C0000023h
		jz	short loc_A33D34
		test	eax, eax
		jnz	loc_A33F4E
		lea	eax, [ebp+var_68]
		push	eax
		lea	eax, [ebp+var_15C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A33D34
		lea	eax, [ebp+var_128]
		push	eax
		lea	eax, [ebp+var_15C]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		js	short loc_A33D34
		test	ebx, ebx
		jnz	short loc_A33D9F
		xor	ecx, ecx
		jmp	short loc_A33DA2
; 

loc_A33D9F:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+132j
		mov	ecx, [ebx+74h]

loc_A33DA2:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+136j
		mov	edx, [ebp+var_138]
		lea	eax, [ebp+var_134]
		push	eax
		push	9
		push	0
		lea	eax, [ebp+var_68]
		push	eax
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_A33D34
		xor	esi, esi

loc_A33DC6:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+18Dj
					; _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+1A9j ...
		mov	ecx, [ebp+var_134]
		lea	eax, [ebp+var_12C]
		push	eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_12C], 9
		push	eax
		mov	edx, esi
		call	_RegRtlEnumKey
		inc	esi
		mov	[ebp+var_13C], esi
		cmp	eax, 0C0000023h
		jz	short loc_A33DC6
		test	eax, eax
		jnz	loc_A33F38
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_15C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A33DC6
		lea	eax, [ebp+var_148]
		push	eax
		push	10h
		lea	eax, [ebp+var_15C]
		push	eax
		call	RtlUnicodeStringToInteger
		test	eax, eax
		js	short loc_A33DC6
		test	ebx, ebx
		jnz	short loc_A33E33
		xor	ecx, ecx
		jmp	short loc_A33E36
; 

loc_A33E33:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+1C6j
		mov	ecx, [ebx+74h]

loc_A33E36:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+1CAj
		mov	edx, [ebp+var_134]
		lea	eax, [ebp+var_130]
		push	eax
		push	1
		push	0
		lea	eax, [ebp+var_18]
		push	eax
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_A33DC6
		xor	bl, bl
		cmp	[ebp+arg_4], bl
		jz	short loc_A33EA3
		xor	esi, esi

loc_A33E61:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+230j
		mov	ecx, [ebp+var_130]
		lea	eax, [ebp+var_144]
		push	0		; int
		push	0		; void *
		push	eax		; int
		lea	eax, [ebp+var_12C]
		mov	[ebp+var_12C], 55h
		push	eax		; int
		lea	eax, [ebp+var_118]
		mov	edx, esi
		push	eax		; void *
		call	_RegRtlEnumValue
		inc	esi
		cmp	eax, 0C0000023h
		jz	short loc_A33E61
		mov	esi, [ebp+var_13C]
		test	eax, eax
		jmp	short loc_A33ED0
; 

loc_A33EA3:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+1F6j
		mov	ecx, [ebp+var_130]
		lea	eax, [ebp+var_12C]
		and	[ebp+var_12C], 0
		mov	edx, edi
		push	eax
		push	0
		lea	eax, [ebp+var_144]
		push	eax
		call	_RegRtlQueryValue
		test	eax, eax
		jz	short loc_A33ED2
		cmp	eax, 0C0000023h

loc_A33ED0:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+23Aj
		jnz	short loc_A33ED4

loc_A33ED2:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+262j
		mov	bl, 1

loc_A33ED4:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x):loc_A33ED0j
		push	[ebp+var_130]
		call	_ZwClose@4	; ZwClose(x)
		test	bl, bl
		mov	ebx, [ebp+var_14C]
		jz	loc_A33DC6
		mov	edx, [ebp+var_150]
		mov	eax, [edx]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_A33F1E
		mov	ebx, [ebp+var_160]
		lea	esi, [ebp+var_128]
		imul	edi, eax, 14h
		mov	eax, [ebp+var_148]
		add	edi, ebx
		movsd
		movsd
		movsd
		movsd
		imul	ecx, [edx], 14h
		mov	[ecx+ebx+10h], eax
		mov	eax, [edx]

loc_A33F1E:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+291j
		mov	ebx, [ebp+var_14C]
		inc	eax
		mov	esi, [ebp+var_13C]
		mov	edi, [ebp+var_140]
		mov	[edx], eax
		jmp	loc_A33DC6
; 

loc_A33F38:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+191j
		push	[ebp+var_134]
		call	_ZwClose@4	; ZwClose(x)
		mov	esi, [ebp+var_154]
		jmp	loc_A33D34
; 

loc_A33F4E:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+FFj
		push	[ebp+var_138]
		call	_ZwClose@4	; ZwClose(x)
		mov	ecx, [ebp+var_150]
		mov	eax, [ebp+arg_C]
		cmp	eax, [ecx]
		sbb	eax, eax
		and	eax, 0C0000023h

loc_A33F6B:				; CODE XREF: _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+94j
					; _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)+BEj	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
__PnpGetGenericStorePropertyKeys@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpGetGenericStorePropertyLocales(x, x, x,	x, x, x, x)
__PnpGetGenericStorePropertyLocales@28 proc near
					; CODE XREF: PiDqPnPGetObjectPropertyLocales(x,x,x,x,x)+6Dp
					; _PnpGetObjectPropertyLocalesWorker(x,x,x,x,x,x,x,x,x)+99p

var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_6C		= dword	ptr -6Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 130h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	[ebp+var_124], edx
		xor	edx, edx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_120], ecx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_128], edx
		mov	[ebx], edx
		cmp	[ebp+arg_8], edx
		jbe	short loc_A33FBD
		xor	eax, eax
		mov	[edi], ax

loc_A33FBD:				; CODE XREF: _PnpGetGenericStorePropertyLocales(x,x,x,x,x,x,x)+3Aj
		push	dword ptr [ecx+10h]
		movzx	eax, byte ptr [ecx+0Fh]
		push	eax
		movzx	eax, byte ptr [ecx+0Eh]
		push	eax
		movzx	eax, byte ptr [ecx+0Dh]
		push	eax
		movzx	eax, byte ptr [ecx+0Ch]
		push	eax
		movzx	eax, byte ptr [ecx+0Bh]
		push	eax
		movzx	eax, byte ptr [ecx+0Ah]
		push	eax
		movzx	eax, byte ptr [ecx+9]
		push	eax
		movzx	eax, byte ptr [ecx+8]
		push	eax
		movzx	eax, word ptr [ecx+6]
		push	eax
		movzx	eax, word ptr [ecx+4]
		push	eax
		push	dword ptr [ecx]	; char
		lea	eax, [ebp+var_6C]
		push	offset ??_C@_1HE@PLLNIKMH@?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAl?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4@NNGAKEGL@ ;	"{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%"...
		push	800h		; int
		push	edx		; int
		push	edx		; int
		push	30h		; int
		push	eax		; void *
		call	RtlStringCchPrintfExW
		mov	esi, eax
		add	esp, 48h
		test	esi, esi
		js	loc_A3412B
		mov	edx, [ebp+var_124]
		lea	eax, [ebp+var_128]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_120]
		lea	eax, [ebp+var_6C]
		push	0
		push	1
		push	eax
		call	_PnpOpenPropertiesKey
		mov	esi, eax
		mov	[ebp+var_12C], esi
		cmp	esi, 0C0000034h
		jnz	short loc_A34050
		xor	esi, esi
		jmp	loc_A3412B
; 

loc_A34050:				; CODE XREF: _PnpGetGenericStorePropertyLocales(x,x,x,x,x,x,x)+CBj
		test	esi, esi
		js	loc_A3412B
		mov	esi, [ebp+arg_8]
		xor	eax, eax
		mov	[ebp+var_120], eax

loc_A34063:				; CODE XREF: _PnpGetGenericStorePropertyLocales(x,x,x,x,x,x,x)+127j
					; _PnpGetGenericStorePropertyLocales(x,x,x,x,x,x,x)+140j ...
		push	0		; int
		push	0		; void *
		push	0		; int
		lea	ecx, [ebp+var_124]
		mov	[ebp+var_124], 55h
		push	ecx		; int
		lea	ecx, [ebp+var_11C]
		mov	edx, eax
		push	ecx		; void *
		mov	ecx, [ebp+var_128]
		call	_RegRtlEnumValue
		mov	ecx, eax
		mov	eax, [ebp+var_120]
		inc	eax
		mov	[ebp+var_120], eax
		cmp	ecx, 0C0000023h
		jz	short loc_A34063
		test	ecx, ecx
		jnz	short loc_A34100
		lea	ecx, [ebp+var_11C]
		call	__IsNeutralLocale@4 ; _IsNeutralLocale(x)
		test	al, al
		mov	eax, [ebp+var_120]
		jnz	short loc_A34063
		mov	eax, [ebp+var_124]
		inc	eax
		mov	[ebp+var_124], eax
		cmp	eax, esi
		jnb	short loc_A340F3
		push	900h
		push	0
		push	0
		lea	eax, [ebp+var_11C]
		mov	edx, esi
		push	eax
		mov	ecx, edi
		call	RtlStringCchCopyExW
		mov	eax, [ebp+var_124]
		sub	esi, eax
		lea	edi, [edi+eax*2]

loc_A340F3:				; CODE XREF: _PnpGetGenericStorePropertyLocales(x,x,x,x,x,x,x)+151j
		add	[ebx], eax
		mov	eax, [ebp+var_120]
		jmp	loc_A34063
; 

loc_A34100:				; CODE XREF: _PnpGetGenericStorePropertyLocales(x,x,x,x,x,x,x)+12Bj
		push	[ebp+var_128]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebx]
		mov	esi, [ebp+var_12C]
		inc	eax
		mov	[ebx], eax
		test	edi, edi
		jz	short loc_A34126
		cmp	[ebp+arg_8], eax
		jb	short loc_A34126
		xor	eax, eax
		mov	[edi], ax
		jmp	short loc_A3412B
; 

loc_A34126:				; CODE XREF: _PnpGetGenericStorePropertyLocales(x,x,x,x,x,x,x)+19Cj
					; _PnpGetGenericStorePropertyLocales(x,x,x,x,x,x,x)+1A1j
		mov	esi, 0C0000023h

loc_A3412B:				; CODE XREF: _PnpGetGenericStorePropertyLocales(x,x,x,x,x,x,x)+96j
					; _PnpGetGenericStorePropertyLocales(x,x,x,x,x,x,x)+CFj ...
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
__PnpGetGenericStorePropertyLocales@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmAppendDeclarativeDefaultFilters(x, x, x,	x, x, x, x)
__CmAppendDeclarativeDefaultFilters@28 proc near
					; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+4Dp
					; _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+90p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, [ebp+arg_C]
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		xor	esi, esi
		mov	[ebp+var_8], edx
		lea	edx, [ecx+2]
		mov	[ebp+var_4], edi
		mov	[ebp+arg_8], esi

loc_A34163:				; CODE XREF: _CmAppendDeclarativeDefaultFilters(x,x,x,x,x,x,x)+2Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A34163
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		mov	[ebp+arg_C], eax
		test	edi, edi
		jz	short loc_A341A1
		lea	eax, [ebp+var_4]
		mov	[ebp+arg_8], ebx
		push	eax
		push	[ebp+arg_0]
		lea	edx, [ebp+arg_8]
		mov	ecx, edi
		call	__PnpMultiSzAppend@16 ;	_PnpMultiSzAppend(x,x,x,x)
		movzx	edi, al
		neg	edi
		sbb	edi, edi
		and	edi, [ebp+var_4]
		sub	ebx, [ebp+arg_C]

loc_A341A1:				; CODE XREF: _CmAppendDeclarativeDefaultFilters(x,x,x,x,x,x,x)+40j
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+arg_8]
		mov	ecx, [ebp+var_C]
		push	eax
		push	ebx
		push	edi
		push	[ebp+arg_0]
		call	__CmAppendDeclarativeFilterLevel@24 ; _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)
		mov	edx, eax
		cmp	edx, 0C0000034h
		jnz	short loc_A341C3
		mov	edx, esi
		jmp	short loc_A341D2
; 

loc_A341C3:				; CODE XREF: _CmAppendDeclarativeDefaultFilters(x,x,x,x,x,x,x)+7Fj
		cmp	edx, 0C0000023h
		jz	short loc_A341CF
		test	edx, edx
		js	short loc_A341DC

loc_A341CF:				; CODE XREF: _CmAppendDeclarativeDefaultFilters(x,x,x,x,x,x,x)+8Bj
		mov	esi, [ebp+arg_8]

loc_A341D2:				; CODE XREF: _CmAppendDeclarativeDefaultFilters(x,x,x,x,x,x,x)+83j
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		add	ecx, esi
		mov	[eax], ecx

loc_A341DC:				; CODE XREF: _CmAppendDeclarativeDefaultFilters(x,x,x,x,x,x,x)+8Fj
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	14h
__CmAppendDeclarativeDefaultFilters@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmAppendDeclarativeFilterLevel(x, x, x, x,	x, x)
__CmAppendDeclarativeFilterLevel@24 proc near
					; CODE XREF: _CmAppendDeclarativeDefaultFilters(x,x,x,x,x,x,x)+72p
					; _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+CCp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		mov	esi, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], eax
		mov	edi, eax
		mov	[ebp+arg_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_C], ebx
		and	[eax], esi
		test	ecx, ecx
		jz	short loc_A34217
		mov	ecx, [ecx+74h]

loc_A34217:				; CODE XREF: _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+2Dj
		lea	eax, [ebp+var_4]
		push	eax
		push	80000000h
		push	0
		push	[ebp+arg_0]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_A34235

loc_A3422E:				; CODE XREF: _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+68j
		mov	esi, eax
		jmp	loc_A3430B
; 

loc_A34235:				; CODE XREF: _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+47j
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+arg_4]
		push	0
		push	eax
		lea	eax, [ebp+var_10]
		xor	edx, edx
		push	eax
		push	0
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A3422E
		test	ebx, ebx
		jz	short loc_A34279
		mov	eax, [ebp+arg_4]
		inc	eax
		mov	[ebp+var_14], eax
		add	eax, eax
		push	52504E50h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A34279
		mov	esi, 0C0000017h
		jmp	loc_A3430B
; 

loc_A34279:				; CODE XREF: _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+6Cj
					; _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+88j
		xor	eax, eax
		mov	[ebp+arg_0], eax
		cmp	[ebp+var_10], eax
		jbe	short loc_A342F5

loc_A34283:				; CODE XREF: _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+10Aj
		mov	ecx, [ebp+var_14]
		mov	edx, eax
		push	0		; int
		push	0		; void *
		mov	[ebp+arg_4], ecx
		lea	ecx, [ebp+arg_4]
		push	0		; int
		push	ecx		; int
		mov	ecx, [ebp+var_4]
		push	edi		; void *
		call	_RegRtlEnumValue
		mov	ecx, 0C0000023h
		cmp	eax, ecx
		jnz	short loc_A342AB
		mov	esi, ecx
		jmp	short loc_A342AF
; 

loc_A342AB:				; CODE XREF: _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+C0j
		test	eax, eax
		js	short loc_A342F3

loc_A342AF:				; CODE XREF: _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+C4j
		mov	ecx, [ebp+var_8]
		add	ecx, [ebp+arg_4]
		mov	[ebp+var_8], ecx
		test	eax, eax
		js	short loc_A342E5
		test	ebx, ebx
		jz	short loc_A342E5
		mov	eax, [ebp+arg_8]
		lea	edx, [ebp+arg_4]
		mov	[ebp+arg_4], eax
		inc	ecx
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], ecx
		push	eax
		push	edi
		mov	ecx, ebx
		call	__PnpMultiSzAppend@16 ;	_PnpMultiSzAppend(x,x,x,x)
		mov	ebx, [ebp+var_C]
		test	al, al
		jnz	short loc_A342E5
		mov	esi, 0C0000023h

loc_A342E5:				; CODE XREF: _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+D5j
					; _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+D9j ...
		mov	eax, [ebp+arg_0]
		inc	eax
		mov	[ebp+arg_0], eax
		cmp	eax, [ebp+var_10]
		jb	short loc_A34283
		jmp	short loc_A342F5
; 

loc_A342F3:				; CODE XREF: _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+C8j
		mov	esi, eax

loc_A342F5:				; CODE XREF: _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+9Cj
					; _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+10Cj
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+var_8]
		add	eax, eax
		mov	[ecx], eax
		test	edi, edi
		jz	short loc_A3430B
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3430B:				; CODE XREF: _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+4Bj
					; _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+8Fj ...
		cmp	[ebp+var_4], 0
		jz	short loc_A34319
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A34319:				; CODE XREF: _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+12Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
__CmAppendDeclarativeFilterLevel@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmDeleteDeviceInterfaceMappedPropertyFromRegValue(int,void *)
__CmDeleteDeviceInterfaceMappedPropertyFromRegValue@16 proc near
					; CODE XREF: _CmSetDeviceInterfaceMappedProperty+9E3BEp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	esi, esi
		and	[ebp+var_8], esi
		and	[ebp+var_4], esi
		mov	[ebp+var_18], edx
		mov	eax, [edi+10h]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], eax
		cmp	eax, 2
		jnb	short loc_A34353

loc_A34349:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+7Ej
		mov	esi, 0C0000230h
		jmp	loc_A344E3
; 

loc_A34353:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+25j
		mov	ebx, [ebp+var_14]
		mov	eax, offset off_A42DD8
		xor	ecx, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+arg_4], ecx

loc_A34363:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+72j
		mov	edx, [eax]
		mov	[ebp+var_14], eax
		cmp	ebx, [edx+10h]
		jnz	short loc_A34383
		push	10h		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A34398
		mov	eax, [ebp+var_C]
		mov	ecx, [ebp+arg_4]

loc_A34383:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+49j
		add	ecx, 8
		add	eax, 8
		xor	edx, edx
		mov	[ebp+arg_4], ecx
		mov	[ebp+var_C], eax
		cmp	ecx, 18h
		jb	short loc_A34363
		jmp	short loc_A3439B
; 

loc_A34398:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+59j
		mov	edx, [ebp+var_14]

loc_A3439B:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+74j
		mov	ebx, [ebp+var_10]
		test	edx, edx
		jz	short loc_A34349
		cmp	[ebp+arg_0], esi
		jnz	short loc_A343C8
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_8]
		push	0
		push	eax
		push	0
		push	1
		push	ecx
		push	30h
		mov	ecx, ebx
		call	_CmOpenDeviceInterfaceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_A344C7

loc_A343C8:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+83j
		mov	ebx, [edi+10h]
		cmp	ebx, 2
		jnz	loc_A3446D
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceInterface_FriendlyName ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A344C2
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_A343F6
		mov	eax, [ebp+var_8]

loc_A343F6:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+CFj
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jz	short loc_A34400
		mov	ecx, [ecx+74h]

loc_A34400:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+D9j
		lea	edx, [ebp+var_4]
		push	edx
		push	2
		push	0
		push	offset ??_C@_1CE@JDBBMLAG@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?5?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe@NNGAKEGL@ ; "Device Parameters"
		mov	edx, eax
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	ebx, 0C0000034h
		cmp	eax, ebx
		jz	loc_A344C7
		mov	edi, 0C000017Ch
		cmp	eax, edi
		jz	loc_A344C7
		test	eax, eax
		jns	short loc_A34439

loc_A34432:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+149j
		mov	esi, eax
		jmp	loc_A344C7
; 

loc_A34439:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+10Ej
		and	[ebp+var_1C], 0
		lea	eax, [ebp+var_1C]
		and	[ebp+var_18], 0
		push	offset ??_C@_1BK@BFIEKNFP@?$AAF?$AAr?$AAi?$AAe?$AAn?$AAd?$AAl?$AAy?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@ ; "FriendlyName"
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A3445F
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_A3445F:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+12Fj
		cmp	eax, ebx
		jz	short loc_A344C7
		cmp	eax, edi
		jz	short loc_A344C7
		test	eax, eax
		jns	short loc_A344C7
		jmp	short loc_A34432
; 

loc_A3446D:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+ACj
		cmp	ebx, 3
		jnz	short loc_A34486
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceInterface_Enabled	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A344BB

loc_A34486:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+14Ej
		cmp	ebx, 4
		jnz	short loc_A3449F
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceInterface_ClassGuid ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A344BB

loc_A3449F:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+167j
		cmp	ebx, 100h
		jnz	short loc_A344C2
		push	10h		; size_t
		push	offset _DEVPKEY_Device_InstanceId ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A344C2

loc_A344BB:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+162j
					; _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+17Bj
		mov	esi, 0C0000022h
		jmp	short loc_A344C7
; 

loc_A344C2:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+C4j
					; _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+183j ...
		mov	esi, 0C0000230h

loc_A344C7:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+A0j
					; _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+F9j ...
		cmp	[ebp+var_4], 0
		jz	short loc_A344D5
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A344D5:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+1A9j
		cmp	[ebp+var_8], 0
		jz	short loc_A344E3
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_A344E3:				; CODE XREF: _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+2Cj
					; _CmDeleteDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x)+1B7j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
__CmDeleteDeviceInterfaceMappedPropertyFromRegValue@16 endp


;  S U B	R O U T	I N E 


; __stdcall _CmDeleteDeviceMappedPropertyForAllDriverKeyRegValues(x, x)
__CmDeleteDeviceMappedPropertyForAllDriverKeyRegValues@8 proc near
					; CODE XREF: _CmDeleteDeviceRegKeyWorker(x,x,x,x,x)+2B0p
		mov	edi, edi
		push	ebx
		push	esi
		xor	eax, eax
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		mov	esi, eax

loc_A344F9:				; CODE XREF: _CmDeleteDeviceMappedPropertyForAllDriverKeyRegValues(x,x)+30j
		push	eax
		push	eax
		push	eax
		push	eax
		push	ds:off_A42D08[esi]
		mov	edx, edi
		mov	ecx, ebx
		push	eax
		push	eax
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		add	esi, 10h
		push	0
		pop	eax
		cmp	esi, 0D0h
		jb	short loc_A344F9
		pop	edi
		pop	esi
		pop	ebx
		retn
__CmDeleteDeviceMappedPropertyForAllDriverKeyRegValues@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(void	*)
__CmDeleteDeviceMappedPropertyFromDriverKeyRegValue@12 proc near
					; CODE XREF: _CmSetDeviceMappedProperty+A0C32p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, offset off_A42D08
		mov	[ebp+var_10], ecx
		xor	ebx, ebx
		mov	[ebp+var_C], edx
		mov	ecx, [edi+10h]
		mov	[ebp+var_8], ecx

loc_A34547:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)+53j
		mov	eax, [esi]
		mov	[ebp+arg_0], esi
		cmp	ecx, [eax+10h]
		jnz	short loc_A34564
		push	10h		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A34579
		mov	ecx, [ebp+var_8]

loc_A34564:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)+2Dj
		xor	eax, eax
		add	ebx, 10h
		add	esi, 10h
		mov	[ebp+arg_0], eax
		cmp	ebx, 0D0h
		jb	short loc_A34547
		jmp	short loc_A3457C
; 

loc_A34579:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)+3Dj
		mov	eax, [ebp+arg_0]

loc_A3457C:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)+55j
		test	eax, eax
		jnz	short loc_A3458A
		mov	esi, 0C0000016h
		jmp	loc_A34643
; 

loc_A3458A:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)+5Cj
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_10]
		push	0
		push	eax
		push	0
		push	2
		push	0
		push	12h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_A345B4
		xor	esi, esi
		jmp	loc_A34635
; 

loc_A345B4:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)+89j
		test	esi, esi
		js	short loc_A34635
		mov	eax, [ebp+arg_0]
		mov	ebx, [ebp+var_4]
		and	[ebp+var_14], 0
		and	[ebp+var_10], 0
		mov	eax, [eax+8]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A345E1
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_A345E1:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)+B3j
		cmp	eax, 0C0000034h
		jz	short loc_A345F7
		cmp	eax, 0C000017Ch
		jz	short loc_A34635
		test	eax, eax
		jns	short loc_A345F7
		mov	esi, eax
		jmp	short loc_A34635
; 

loc_A345F7:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)+C4j
					; _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)+CFj
		cmp	dword ptr [edi+10h], 2
		jnz	short loc_A34635
		push	10h		; size_t
		push	offset _DEVPKEY_Device_DriverDate ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A34635
		and	[ebp+var_14], eax
		and	[ebp+var_10], eax
		lea	eax, [ebp+var_14]
		push	offset ??_C@_1BG@IAFOGIBK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAe@NNGAKEGL@ ; "DriverDate"
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A34635
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_A34635:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)+8Dj
					; _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)+94j ...
		cmp	[ebp+var_4], 0
		jz	short loc_A34643
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A34643:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)+63j
					; _CmDeleteDeviceMappedPropertyFromDriverKeyRegValue(x,x,x)+117j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
__CmDeleteDeviceMappedPropertyFromDriverKeyRegValue@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue(int,void *)
__CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue@16 proc near
					; CODE XREF: _CmSetDeviceMappedProperty+A0C6Fp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], edx
		and	[ebp+var_4], esi
		xor	eax, eax
		mov	[ebp+var_C], esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	[ebp+var_14], ecx
		mov	edi, offset off_A42DF0
		mov	[ebp+arg_4], eax
		mov	edx, [esi+10h]
		mov	[ebp+var_8], edx

loc_A34678:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x)+59j
		mov	ecx, [edi]
		mov	ebx, edi
		cmp	edx, [ecx+10h]
		jnz	short loc_A34697
		push	10h		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A346A7
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_8]

loc_A34697:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x)+33j
		add	eax, 10h
		xor	ebx, ebx
		add	edi, 10h
		mov	[ebp+arg_4], eax
		cmp	eax, 20h
		jb	short loc_A34678

loc_A346A7:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x)+43j
		mov	esi, [ebp+var_C]
		test	ebx, ebx
		jnz	short loc_A346B5
		mov	esi, 0C0000230h
		jmp	short loc_A34724
; 

loc_A346B5:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x)+60j
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_A346D8
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_14]
		push	edi
		push	eax
		push	edi
		push	2
		push	edi
		push	10h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A34716

loc_A346D8:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x)+6Ej
		mov	eax, [ebx+8]
		test	edi, edi
		jnz	short loc_A346E2
		mov	edi, [ebp+var_4]

loc_A346E2:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x)+91j
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A34702
		lea	eax, [ebp+var_18]
		push	eax
		push	edi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_A34702:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x)+AAj
		cmp	eax, 0C0000034h
		jz	short loc_A34716
		cmp	eax, 0C000017Ch
		jz	short loc_A34716
		test	eax, eax
		jns	short loc_A34716
		mov	esi, eax

loc_A34716:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x)+8Aj
					; _CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x)+BBj ...
		cmp	[ebp+var_4], 0
		jz	short loc_A34724
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A34724:				; CODE XREF: _CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x)+67j
					; _CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x)+CEj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
__CmDeleteDeviceMappedPropertyFromInstanceKeyRegValue@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmDeleteInstallerClassMappedPropertyFromCoInstallers(x, x,	x)
__CmDeleteInstallerClassMappedPropertyFromCoInstallers@12 proc near
					; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+159p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		mov	edi, edx
		push	eax
		push	0Dh
		xor	esi, esi
		pop	edx
		mov	[ebp+var_4], esi
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		test	eax, eax
		js	short loc_A34780
		push	edi
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], esi
		push	eax
		mov	[ebp+var_8], esi
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A3476E
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+var_4]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_A3476E:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromCoInstallers(x,x,x)+33j
		cmp	eax, 0C0000034h
		jz	short loc_A34782
		cmp	eax, 0C000017Ch
		jz	short loc_A34782
		test	eax, eax
		jns	short loc_A34782

loc_A34780:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromCoInstallers(x,x,x)+1Fj
		mov	esi, eax

loc_A34782:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromCoInstallers(x,x,x)+46j
					; _CmDeleteInstallerClassMappedPropertyFromCoInstallers(x,x,x)+4Dj ...
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	4
__CmDeleteInstallerClassMappedPropertyFromCoInstallers@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmDeleteInstallerClassMappedPropertyFromRegValue(int,void *)
__CmDeleteInstallerClassMappedPropertyFromRegValue@16 proc near
					; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+EEp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	ebx, ebx
		and	[ebp+var_4], ebx
		mov	esi, offset off_A42C38
		mov	[ebp+var_14], ecx
		xor	ecx, ecx
		mov	[ebp+var_20], edx
		mov	edx, [edi+10h]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], ecx

loc_A347B6:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+60j
		mov	eax, [esi]
		mov	[ebp+var_C], esi
		cmp	edx, [eax+10h]
		jnz	short loc_A347D6
		push	10h		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A347EE
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+var_18]

loc_A347D6:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+34j
		add	ecx, 10h
		xor	eax, eax
		add	esi, 10h
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], ecx
		cmp	ecx, 0D0h
		jb	short loc_A347B6
		jmp	short loc_A347F1
; 

loc_A347EE:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+44j
		mov	eax, [ebp+var_C]

loc_A347F1:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+62j
		mov	edi, ebx
		test	eax, eax
		jnz	short loc_A34801
		mov	edi, 0C0000016h
		jmp	loc_A34901
; 

loc_A34801:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+6Bj
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jnz	short loc_A34830
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	2
		push	ecx
		mov	ecx, [ebp+var_14]
		push	20h
		call	_CmOpenCommonClassRegKey
		mov	edi, eax
		test	edi, edi
		js	loc_A348E5
		mov	ebx, [ebp+var_8]
		mov	eax, [ebp+var_C]

loc_A34830:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+7Cj
		mov	eax, [eax+8]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax+10h], 2
		jnz	short loc_A34885
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_DHPRebalanceOptOut ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A34885
		test	esi, esi
		jnz	short loc_A34859
		mov	esi, ebx

loc_A34859:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+CBj
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_14]
		mov	edx, esi
		push	ebx
		push	2
		push	ebx
		call	_PnpOpenPropertiesKey
		mov	edi, eax
		cmp	edi, 0C0000034h
		jnz	short loc_A3487C
		mov	edi, ebx
		jmp	short loc_A348E5
; 

loc_A3487C:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+ECj
		test	edi, edi
		js	short loc_A348E5
		mov	esi, [ebp+var_4]
		jmp	short loc_A3488D
; 

loc_A34885:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+B3j
					; _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+C7j
		test	esi, esi
		jnz	short loc_A3488B
		mov	esi, ebx

loc_A3488B:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+FDj
		xor	ebx, ebx

loc_A3488D:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+F9j
		push	[ebp+arg_0]
		lea	eax, [ebp+var_24]
		mov	[ebp+var_24], ebx
		push	eax
		mov	[ebp+var_20], ebx
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A348AD
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_A348AD:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+117j
		cmp	eax, 0C0000034h
		jz	short loc_A348C3
		cmp	eax, 0C000017Ch
		jz	short loc_A348E5
		test	eax, eax
		jns	short loc_A348C3
		mov	edi, eax
		jmp	short loc_A348E5
; 

loc_A348C3:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+128j
					; _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+133j
		push	offset ??_C@_11LOCGONAA@@NNGAKEGL@
		lea	eax, [ebp+var_24]
		mov	[ebp+var_24], ebx
		push	eax
		mov	[ebp+var_20], ebx
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A348E5
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_A348E5:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+9Aj
					; _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+F0j ...
		cmp	[ebp+var_4], 0
		jz	short loc_A348F3
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A348F3:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+15Fj
		cmp	[ebp+var_8], 0
		jz	short loc_A34901
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_A34901:				; CODE XREF: _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+72j
					; _CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)+16Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
__CmDeleteInstallerClassMappedPropertyFromRegValue@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmDeleteInterfaceClassMappedPropertyFromRegValue(int,void *)
__CmDeleteInterfaceClassMappedPropertyFromRegValue@16 proc near
					; CODE XREF: _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+8Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_1C], edx
		and	[ebp+var_4], esi
		and	[ebp+var_8], esi
		mov	ebx, [eax+10h]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_18], esi
		push	edi
		cmp	ebx, 2
		jnb	short loc_A3493B

loc_A34931:				; CODE XREF: _CmDeleteInterfaceClassMappedPropertyFromRegValue(x,x,x,x)+75j
		mov	esi, 0C0000230h
		jmp	loc_A34A48
; 

loc_A3493B:				; CODE XREF: _CmDeleteInterfaceClassMappedPropertyFromRegValue(x,x,x,x)+25j
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		mov	edi, offset off_A42EE8
		mov	[ebp+var_C], eax

loc_A34948:				; CODE XREF: _CmDeleteInterfaceClassMappedPropertyFromRegValue(x,x,x,x)+69j
		mov	ecx, [edi]
		mov	[ebp+var_14], edi
		cmp	ebx, [ecx+10h]
		jnz	short loc_A34965
		push	10h		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A34977
		mov	eax, [ebp+var_C]

loc_A34965:				; CODE XREF: _CmDeleteInterfaceClassMappedPropertyFromRegValue(x,x,x,x)+46j
		add	eax, 8
		xor	ecx, ecx
		add	edi, 8
		mov	[ebp+var_C], eax
		cmp	eax, 8
		jb	short loc_A34948
		jmp	short loc_A3497A
; 

loc_A34977:				; CODE XREF: _CmDeleteInterfaceClassMappedPropertyFromRegValue(x,x,x,x)+56j
		mov	ecx, [ebp+var_14]

loc_A3497A:				; CODE XREF: _CmDeleteInterfaceClassMappedPropertyFromRegValue(x,x,x,x)+6Bj
		mov	esi, [ebp+var_18]
		test	ecx, ecx
		jz	short loc_A34931
		cmp	ebx, 2
		jnz	loc_A34A48
		mov	eax, [ebp+arg_4]
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceInterfaceClass_DefaultInterface ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A34A48
		mov	edx, [ebp+arg_0]
		xor	ebx, ebx
		mov	edi, [ebp+var_10]
		test	edx, edx
		jnz	short loc_A349CF
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_4]
		push	ebx
		push	eax
		push	ebx
		push	1
		push	ebx
		push	40h
		mov	ecx, edi
		call	_CmOpenCommonClassRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A34A3A
		mov	edx, [ebp+var_4]

loc_A349CF:				; CODE XREF: _CmDeleteInterfaceClassMappedPropertyFromRegValue(x,x,x,x)+A5j
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		push	ebx
		push	2
		push	ebx
		mov	ecx, edi
		call	_PnpOpenPropertiesKey
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_A349F0
		mov	esi, 0C0000225h
		jmp	short loc_A34A3A
; 

loc_A349F0:				; CODE XREF: _CmDeleteInterfaceClassMappedPropertyFromRegValue(x,x,x,x)+DDj
		test	esi, esi
		js	short loc_A34A3A
		push	offset ??_C@_1BA@GHOECOCL@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt@NNGAKEGL@	; "D"
		lea	eax, [ebp+var_20]
		mov	[ebp+var_20], ebx
		push	eax
		mov	[ebp+var_1C], ebx
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A34A1C
		lea	eax, [ebp+var_20]
		push	eax
		push	[ebp+var_8]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		mov	edi, eax

loc_A34A1C:				; CODE XREF: _CmDeleteInterfaceClassMappedPropertyFromRegValue(x,x,x,x)+102j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		cmp	edi, 0C0000034h
		jz	short loc_A34A3A
		cmp	edi, 0C000017Ch
		jz	short loc_A34A3A
		test	edi, edi
		jns	short loc_A34A3A
		mov	esi, edi

loc_A34A3A:				; CODE XREF: _CmDeleteInterfaceClassMappedPropertyFromRegValue(x,x,x,x)+C0j
					; _CmDeleteInterfaceClassMappedPropertyFromRegValue(x,x,x,x)+E4j ...
		cmp	[ebp+var_4], 0
		jz	short loc_A34A48
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A34A48:				; CODE XREF: _CmDeleteInterfaceClassMappedPropertyFromRegValue(x,x,x,x)+2Cj
					; _CmDeleteInterfaceClassMappedPropertyFromRegValue(x,x,x,x)+7Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
__CmDeleteInterfaceClassMappedPropertyFromRegValue@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall _CmFindFilterListInflectionPoint(int,wchar_t *,wchar_t	*)
__CmFindFilterListInflectionPoint@12 proc near
					; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+45p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		mov	esi, ecx
		xor	ecx, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ecx
		mov	ebx, ecx
		push	edi
		mov	edi, ecx
		test	eax, eax
		jz	short loc_A34AC5
		cmp	[eax], cx
		jz	short loc_A34AC5
		cmp	[esi], cx
		jz	short loc_A34AC5

loc_A34A79:				; CODE XREF: _CmFindFilterListInflectionPoint(x,x,x)+6Cj
		push	ecx		; int
		mov	edx, esi	; int
		mov	ecx, eax	; wchar_t *
		call	__PnpMultiSzFind@12 ; _PnpMultiSzFind(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A34AC5
		push	[ebp+arg_0]	; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A34A9A
		mov	ebx, esi

loc_A34A9A:				; CODE XREF: _CmFindFilterListInflectionPoint(x,x,x)+45j
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_A34A9F:				; CODE XREF: _CmFindFilterListInflectionPoint(x,x,x)+58j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_4]
		jnz	short loc_A34A9F
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		cmp	[esi], ax
		mov	eax, [ebp+var_8]
		jnz	short loc_A34A79
		test	ebx, ebx
		jz	short loc_A34AC5
		mov	edi, ebx

loc_A34AC5:				; CODE XREF: _CmFindFilterListInflectionPoint(x,x,x)+1Cj
					; _CmFindFilterListInflectionPoint(x,x,x)+21j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
__CmFindFilterListInflectionPoint@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetDeclarativeFilterList(int,wchar_t	*,int,int,int,int)
__CmGetDeclarativeFilterList@32	proc near
					; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+26Ap
					; _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+2B0p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		mov	[ebp+var_C], edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_14], eax
		mov	esi, eax
		mov	edi, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	ebx, eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_10], ecx
		test	eax, eax
		jz	short loc_A34B07
		cmp	[ebp+arg_10], 2
		jb	short loc_A34B2A
		mov	ebx, [ebp+arg_10]
		xor	edx, edx
		mov	[eax], dx
		mov	edi, eax

loc_A34B07:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+27j
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_A34B34
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	edi
		push	ecx
		push	[ebp+arg_8]
		call	__CmAppendDeclarativeDefaultFilters@28 ; _CmAppendDeclarativeDefaultFilters(x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		mov	esi, eax
		jmp	loc_A34BFD
; 

loc_A34B2A:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+2Dj
		mov	esi, 0C000000Dh
		jmp	loc_A34C13
; 

loc_A34B34:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+3Ej
		xor	eax, eax
		cmp	[edx], ax
		jz	loc_A34C20

loc_A34B3F:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+126j
		push	[ebp+arg_4]	; wchar_t *
		push	edx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A34B8B
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	edi
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, [ebp+var_10]
		call	__CmAppendDeclarativeDefaultFilters@28 ; _CmAppendDeclarativeDefaultFilters(x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_A34B72
		mov	esi, eax
		xor	eax, eax
		mov	edi, eax
		jmp	short loc_A34B7A
; 

loc_A34B72:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+9Aj
		test	eax, eax
		js	loc_A34C1C

loc_A34B7A:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+A2j
		mov	eax, [ebp+var_8]
		add	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_A34B8B
		sub	ebx, eax
		shr	eax, 1
		lea	edi, [edi+eax*2]

loc_A34B8B:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+7Ej
					; _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+B4j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		push	eax
		push	ebx
		push	edi
		push	[ebp+arg_0]
		call	__CmAppendDeclarativeFilterLevel@24 ; _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_A34BAE
		mov	esi, eax
		xor	eax, eax
		mov	edi, eax
		jmp	short loc_A34BB9
; 

loc_A34BAE:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+D6j
		cmp	eax, 0C0000034h
		jz	short loc_A34BB9
		test	eax, eax
		js	short loc_A34C1C

loc_A34BB9:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+DEj
					; _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+E5j
		mov	eax, [ebp+var_8]
		add	[ebp+var_4], eax
		test	edi, edi
		jz	short loc_A34BCA
		sub	ebx, eax
		shr	eax, 1
		lea	edi, [edi+eax*2]

loc_A34BCA:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+F3j
		mov	edx, [ebp+arg_0]
		mov	ecx, edx
		lea	eax, [ecx+2]
		mov	[ebp+arg_0], eax

loc_A34BD5:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+111j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_14]
		jnz	short loc_A34BD5
		sub	ecx, [ebp+arg_0]
		xor	eax, eax
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2
		mov	[ebp+arg_0], edx
		cmp	[edx], ax
		jnz	loc_A34B3F

loc_A34BFA:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+150j
		mov	ecx, [ebp+var_4]

loc_A34BFD:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+57j
					; _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+154j
		mov	eax, [ebp+arg_14]
		add	ecx, 2
		mov	[eax], ecx
		test	esi, esi
		js	short loc_A34C13
		cmp	ecx, [ebp+arg_10]
		jbe	short loc_A34C13
		mov	esi, 0C0000023h

loc_A34C13:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+61j
					; _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+139j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
; 

loc_A34C1C:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+A6j
					; _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+E9j
		mov	esi, eax
		jmp	short loc_A34BFA
; 

loc_A34C20:				; CODE XREF: _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)+6Bj
		mov	ecx, eax
		jmp	short loc_A34BFD
__CmGetDeclarativeFilterList@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDeviceChildren(x, x, x, x)
__CmGetDeviceChildren@16 proc near	; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119F1Bp
					; _CmGetDeviceSiblings(x,x,x,x)+A5p

var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_198		= dword	ptr -198h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 344h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_340], eax
		xor	ecx, ecx
		mov	[ebp+var_33C], ebx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_32C], ecx
		mov	[ebp+var_338], ecx
		mov	[ebp+var_334], ecx
		test	edi, edi
		jz	short loc_A34C6E
		cmp	[eax], ecx
		jnz	short loc_A34C72
		mov	edi, ecx

loc_A34C6E:				; CODE XREF: _CmGetDeviceChildren(x,x,x,x)+42j
		mov	esi, ecx
		jmp	short loc_A34C79
; 

loc_A34C72:				; CODE XREF: _CmGetDeviceChildren(x,x,x,x)+46j
		xor	ecx, ecx
		mov	[edi], cx
		mov	esi, [eax]

loc_A34C79:				; CODE XREF: _CmGetDeviceChildren(x,x,x,x)+4Cj
		mov	[eax], ecx
		lea	eax, [ebp+var_338]
		push	edx
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_A34E34
		push	ecx
		lea	eax, [ebp+var_32C]
		push	eax
		push	ecx
		lea	eax, [ebp+var_198]
		mov	ecx, ebx
		push	eax
		push	2
		lea	edx, [ebp+var_338]
		call	__NtPlugPlayGetDeviceRelatedDevice@28 ;	_NtPlugPlayGetDeviceRelatedDevice(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_A34E34
		mov	eax, [ebp+var_32C]
		test	eax, eax
		jnz	short loc_A34CCB
		mov	eax, 0C0000225h
		jmp	loc_A34E34
; 

loc_A34CCB:				; CODE XREF: _CmGetDeviceChildren(x,x,x,x)+9Bj
		lea	ebx, [eax+1]
		test	esi, esi
		jz	short loc_A34CF9
		lea	eax, [esi+esi]
		mov	ecx, edi
		mov	[ebp+var_330], eax
		lea	edx, [ebp+var_330]
		push	0
		lea	eax, [ebp+var_198]
		push	eax
		call	__PnpMultiSzAppend@16 ;	_PnpMultiSzAppend(x,x,x,x)
		test	al, al
		jnz	short loc_A34CF9
		xor	edi, edi
		xor	esi, esi

loc_A34CF9:				; CODE XREF: _CmGetDeviceChildren(x,x,x,x)+ACj
					; _CmGetDeviceChildren(x,x,x,x)+CFj
		push	800h
		push	0
		push	0
		lea	eax, [ebp+var_198]
		mov	edx, 0C8h
		push	eax
		lea	ecx, [ebp+var_328]
		call	RtlStringCchCopyExW
		test	eax, eax
		js	loc_A34E34
		lea	eax, [ebp+var_328]
		push	eax
		lea	eax, [ebp+var_338]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_A34E34

loc_A34D3C:				; CODE XREF: _CmGetDeviceChildren(x,x,x,x)+1E5j
		push	ecx
		lea	eax, [ebp+var_32C]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_33C]
		lea	eax, [ebp+var_198]
		push	eax
		push	3
		lea	edx, [ebp+var_338]
		call	__NtPlugPlayGetDeviceRelatedDevice@28 ;	_NtPlugPlayGetDeviceRelatedDevice(x,x,x,x,x,x,x)
		cmp	eax, 0C000000Eh
		jz	loc_A34E1D
		mov	ecx, [ebp+var_32C]
		test	ecx, ecx
		jz	loc_A34E1D
		test	eax, eax
		js	loc_A34E34
		cmp	ecx, 0C8h
		ja	loc_A34E16
		lea	eax, ds:0FFFFFFFEh[ecx*2]
		cmp	eax, 190h
		jnb	short loc_A34E11
		xor	edx, edx
		add	ebx, ecx
		mov	word ptr [ebp+eax+var_198], dx
		test	esi, esi
		jz	short loc_A34DD0
		lea	eax, [esi+esi]
		mov	ecx, edi
		mov	[ebp+var_330], eax
		lea	eax, [ebp+var_198]
		push	edx
		push	eax
		lea	edx, [ebp+var_330]
		call	__PnpMultiSzAppend@16 ;	_PnpMultiSzAppend(x,x,x,x)
		test	al, al
		jnz	short loc_A34DD0
		xor	edi, edi
		xor	esi, esi

loc_A34DD0:				; CODE XREF: _CmGetDeviceChildren(x,x,x,x)+184j
					; _CmGetDeviceChildren(x,x,x,x)+1A6j
		push	800h
		push	0
		push	0
		lea	eax, [ebp+var_198]
		mov	edx, 0C8h
		push	eax
		lea	ecx, [ebp+var_328]
		call	RtlStringCchCopyExW
		test	eax, eax
		js	short loc_A34E34
		lea	eax, [ebp+var_328]
		push	eax
		lea	eax, [ebp+var_338]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		jns	loc_A34D3C
		jmp	short loc_A34E1F
; 

loc_A34E11:				; CODE XREF: _CmGetDeviceChildren(x,x,x,x)+174j
		call	___report_rangecheckfailure

loc_A34E16:				; CODE XREF: _CmGetDeviceChildren(x,x,x,x)+162j
		mov	eax, 0C000000Dh
		jmp	short loc_A34E34
; 

loc_A34E1D:				; CODE XREF: _CmGetDeviceChildren(x,x,x,x)+140j
					; _CmGetDeviceChildren(x,x,x,x)+14Ej
		xor	eax, eax

loc_A34E1F:				; CODE XREF: _CmGetDeviceChildren(x,x,x,x)+1EBj
		test	eax, eax
		js	short loc_A34E34
		mov	ecx, [ebp+var_340]
		mov	[ecx], ebx
		cmp	esi, ebx
		jnb	short loc_A34E34
		mov	eax, 0C0000023h

loc_A34E34:				; CODE XREF: _CmGetDeviceChildren(x,x,x,x)+66j
					; _CmGetDeviceChildren(x,x,x,x)+8Dj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
__CmGetDeviceChildren@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetDeviceCompoundFiltersWorker(int,int,void *,void *,int,int,int,int)
__CmGetDeviceCompoundFiltersWorker@40 proc near
					; CODE XREF: _CmGetDeviceCompoundFilters+B9C57p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		xor	eax, eax
		mov	[ebp+var_C], edx
		push	ebx
		push	esi
		push	edi
		push	eax
		push	eax
		mov	esi, ecx
		mov	[ebp+var_8], eax
		mov	ecx, [ebp+arg_4]
		lea	edx, [ebp+var_20]
		push	eax
		push	eax
		mov	[ebp+var_10], esi
		mov	ebx, eax
		mov	[ebp+var_20], eax
		mov	edi, eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_4], eax
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_A351DA
		cmp	[ebp+var_20], ebx
		jz	loc_A351DA
		mov	eax, [ebp+arg_8]
		cmp	dword ptr [eax+10h], 16h
		jnz	short loc_A34EC9
		push	10h		; size_t
		push	offset _DEVPKEY_Device_CompoundUpperFilters ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A34EC9
		mov	eax, offset _DEVPKEY_Device_UpperFilterCache
		mov	[ebp+var_1C], (offset loc_427ECF+1)
		mov	[ebp+arg_8], (offset loc_427EF4+4)
		mov	[ebp+var_14], offset ??_C@_1O@FGNJOLJB@?$AA?$CK?$AAU?$AAp?$AAp?$AAe?$AAr@NNGAKEGL@
		jmp	short loc_A34EE3
; 

loc_A34EC9:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+52j
					; _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+66j
		mov	eax, offset _DEVPKEY_Device_LowerFilterCache
		mov	[ebp+var_1C], offset _DEVPKEY_Device_LowerFilterLevels
		mov	[ebp+arg_8], offset _DEVPKEY_Device_LowerFilterDefaultLevel
		mov	[ebp+var_14], (offset loc_8C9419+1)

loc_A34EE3:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+82j
		xor	edx, edx
		mov	[ebp+var_20], eax
		push	edx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	edx
		push	edx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		push	edx
		push	[ebp+arg_0]
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	loc_A34F9C
		cmp	[ebp+var_8], 2012h
		jnz	loc_A34F9C
		push	52504E50h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A34F3B

loc_A34F31:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+1A7j
		mov	esi, 0C0000017h
		jmp	loc_A3521A
; 

loc_A34F3B:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+EAj
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		push	0
		push	eax
		push	[ebp+var_4]
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	edi
		push	eax
		push	[ebp+var_20]
		push	0
		push	[ebp+arg_0]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A351F0
		xor	esi, esi

loc_A34F69:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+2DFj
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_10]
		push	esi		; int
		push	eax		; int
		push	esi		; int
		push	esi		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	[ebp+arg_C]	; void *
		push	[ebp+arg_0]	; int
		call	_CmGetDeviceMappedPropertyFromRegProp
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	loc_A3513B
		and	[ebp+var_4], 0
		jmp	loc_A35192
; 

loc_A34F9C:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+C4j
					; _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+D1j
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_8]
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, esi
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, 0C0000225h
		cmp	esi, 0C0000023h
		jnz	loc_A35129
		cmp	[ebp+var_8], 12h
		jnz	loc_A351C1
		push	52504E50h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_A34F31
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_10]
		push	0
		push	eax
		push	[ebp+var_4]
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		push	[ebp+arg_8]
		push	0
		push	[ebp+arg_0]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A351DF
		mov	esi, [ebp+var_10]
		lea	eax, [ebp+var_4]
		mov	edx, [ebp+var_C]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_1C]
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, esi
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	loc_A351DA
		push	52504E50h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jnz	short loc_A3506D

loc_A35063:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+299j
					; _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+322j
		mov	esi, 0C0000017h
		jmp	loc_A351DF
; 

loc_A3506D:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+21Cj
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_4]
		push	0
		push	ecx
		push	[ebp+var_4]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_1C]
		push	0
		push	[ebp+arg_0]
		push	1
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A351DF
		mov	eax, [ebp+var_14]

loc_A3509C:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+2F1j
		mov	edx, [ebp+arg_4]
		lea	ecx, [ebp+var_4]
		push	ecx		; int
		mov	ecx, [ebp+var_10]
		push	0		; int
		push	0		; int
		push	eax		; int
		push	ebx		; wchar_t *
		push	[ebp+var_18]	; int
		call	__CmGetDeclarativeFilterList@32	; _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A350BF
		mov	esi, 0C000003Eh

loc_A350BF:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+273j
		cmp	esi, 0C0000023h
		jnz	loc_A351DF
		push	52504E50h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A35063
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_10]
		push	eax		; int
		push	[ebp+var_4]	; int
		push	edi		; int
		push	[ebp+var_14]	; int
		push	ebx		; wchar_t *
		push	[ebp+var_18]	; int
		call	__CmGetDeclarativeFilterList@32	; _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A351DF
		mov	edx, [ebp+var_C]
		xor	esi, esi
		mov	ecx, [ebp+var_10]
		push	esi
		push	[ebp+var_4]
		push	edi
		push	2012h
		push	[ebp+var_20]
		push	esi
		push	[ebp+arg_0]
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		jmp	loc_A34F69
; 

loc_A35129:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+184j
		cmp	esi, eax
		jnz	loc_A351C1
		mov	eax, [ebp+var_14]
		mov	ebx, eax
		jmp	loc_A3509C
; 

loc_A3513B:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+148j
		cmp	esi, 0C0000023h
		jnz	loc_A351DF
		cmp	[ebp+var_4], 0
		jbe	short loc_A35192
		cmp	[ebp+arg_18], 0
		jbe	short loc_A35192
		push	52504E50h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_A35063
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_4]
		push	0		; int
		push	ecx		; int
		push	[ebp+var_4]	; int
		mov	ecx, [ebp+var_10]
		push	eax		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	[ebp+arg_C]	; void *
		push	[ebp+arg_0]	; int
		call	_CmGetDeviceMappedPropertyFromRegProp
		mov	esi, eax
		test	esi, esi
		js	short loc_A351DF

loc_A35192:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+152j
					; _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+306j ...
		push	[ebp+arg_1C]	; int
		mov	edx, [ebp+var_24] ; wchar_t *
		mov	ecx, edi	; int
		push	[ebp+arg_18]	; int
		push	[ebp+arg_14]	; int
		push	[ebp+var_14]	; wchar_t *
		call	__CmMergeFilterLists@24	; _CmMergeFilterLists(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_A351B6
		test	esi, esi
		js	short loc_A351DF

loc_A351B6:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+36Bj
		mov	eax, [ebp+arg_10]
		mov	dword ptr [eax], 2012h
		jmp	short loc_A351DF
; 

loc_A351C1:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+18Ej
					; _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+2E6j
		cmp	[ebp+var_8], 2012h
		jnz	short loc_A351D6
		cmp	esi, 0C000090Bh
		jz	short loc_A351D6
		test	esi, esi
		jnz	short loc_A3521A

loc_A351D6:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+383j
					; _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+38Bj
		mov	esi, eax
		jmp	short loc_A3521A
; 

loc_A351DA:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+3Cj
					; _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+45j ...
		mov	esi, 0C0000225h

loc_A351DF:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+1D4j
					; _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+223j ...
		test	ebx, ebx
		jz	short loc_A351F0
		cmp	ebx, [ebp+var_14]
		jz	short loc_A351F0
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A351F0:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+11Cj
					; _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+39Cj ...
		test	edi, edi
		jz	short loc_A351FC
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A351FC:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+3ADj
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_A3520B
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3520B:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+3BCj
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_A3521A
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3521A:				; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+F1j
					; _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+38Fj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	20h
__CmGetDeviceCompoundFiltersWorker@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDeviceInterfaceMappedPropertyKeys(x, x, x, x,	x, x, x)
__CmGetDeviceInterfaceMappedPropertyKeys@28 proc near
					; CODE XREF: _PnpDispatchDeviceInterface+11A907p
					; _CmDeleteDeviceInterfaceWorker(x,x,x)+E7p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, [ebp+arg_10]
		xor	eax, eax
		and	[ebp+var_C], eax
		push	esi
		push	edi
		and	[ebx], eax
		mov	edi, edx
		xor	esi, esi
		mov	[ebp+var_10], edi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], esi

loc_A35245:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+150j
		mov	edx, ds:off_A42DD8[esi]
		mov	byte ptr [ebp+arg_10+3], 0
		mov	[ebp+var_14], edx
		test	edx, edx
		jz	loc_A3536A
		cmp	[ebp+arg_4], 0
		jnz	loc_A35334
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	0		; int
		push	0		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	edx		; void *
		push	[ebp+arg_0]	; int
		mov	edx, edi
		call	_CmGetDeviceInterfaceMappedPropertyFromRegValue
		cmp	eax, 0C0000023h
		jz	loc_A35326
		test	eax, eax
		jz	loc_A35326
		cmp	eax, 0C000000Dh
		jz	short loc_A352A7
		cmp	eax, 0C000003Ah
		jz	short loc_A352A7
		cmp	eax, 0C0000039h
		jnz	loc_A3532A

loc_A352A7:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+70j
					; _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+77j ...
		and	dword ptr [ebx], 0

loc_A352AA:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+156j
		test	eax, eax
		js	short loc_A3531F
		xor	esi, esi
		mov	[ebp+var_8], esi

loc_A352B3:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+1A5j
		cmp	[ebp+arg_4], 0
		mov	edx, ds:off_A42EF0[esi]
		mov	byte ptr [ebp+arg_10+3], 0
		mov	[ebp+var_14], edx
		jnz	loc_A3538C
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_18]
		push	eax		; void *
		push	0		; int
		push	0		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	edx		; void *
		push	[ebp+arg_0]	; int
		mov	edx, edi
		call	_CmGetDeviceInterfaceMappedPropertyFromComposite
		cmp	eax, 0C0000023h
		jz	loc_A3537E
		test	eax, eax
		jz	loc_A3537E
		cmp	eax, 0C000000Dh
		jz	short loc_A3530C
		cmp	eax, 0C000003Ah
		jz	short loc_A3530C
		cmp	eax, 0C0000039h
		jnz	short loc_A35382

loc_A3530C:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+D9j
					; _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+E0j ...
		and	dword ptr [ebx], 0

loc_A3530F:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+1ABj
		test	eax, eax
		js	short loc_A3531F
		mov	eax, [ebp+arg_C]
		cmp	eax, [ebx]
		sbb	eax, eax
		and	eax, 0C0000023h

loc_A3531F:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+89j
					; _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+EEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_A35326:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+5Dj
					; _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+65j
		mov	byte ptr [ebp+arg_10+3], 1

loc_A3532A:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+7Ej
		xor	eax, eax
		cmp	byte ptr [ebp+arg_10+3], al
		jz	short loc_A35367
		mov	edx, [ebp+var_14]

loc_A35334:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+3Bj
		cmp	[ebp+arg_8], 0
		jz	short loc_A35354
		mov	eax, [ebx]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_A35354
		imul	edi, eax, 14h
		mov	esi, edx
		push	5
		pop	ecx
		add	edi, [ebp+arg_8]
		rep movsd
		mov	esi, [ebp+var_8]
		mov	edi, [ebp+var_10]

loc_A35354:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+115j
					; _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+11Cj
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_A352A7

loc_A35367:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+10Cj
		mov	ecx, [ebp+var_4]

loc_A3536A:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+31j
		add	esi, 8
		mov	[ebp+var_8], esi
		cmp	esi, 18h
		jb	loc_A35245
		jmp	loc_A352AA
; 

loc_A3537E:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+C6j
					; _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+CEj
		mov	byte ptr [ebp+arg_10+3], 1

loc_A35382:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+E7j
		xor	eax, eax
		cmp	byte ptr [ebp+arg_10+3], al
		jz	short loc_A353BF
		mov	edx, [ebp+var_14]

loc_A3538C:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+A1j
		cmp	[ebp+arg_8], 0
		jz	short loc_A353A9
		mov	eax, [ebx]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_A353A9
		imul	edi, eax, 14h
		mov	esi, edx
		push	5
		pop	ecx
		add	edi, [ebp+arg_8]
		rep movsd
		mov	esi, [ebp+var_8]

loc_A353A9:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+16Dj
					; _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+174j
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_A3530C
		mov	edi, [ebp+var_10]

loc_A353BF:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyKeys(x,x,x,x,x,x,x)+164j
		add	esi, 8
		mov	[ebp+var_8], esi
		cmp	esi, 20h
		jb	loc_A352B3
		jmp	loc_A3530F
__CmGetDeviceInterfaceMappedPropertyKeys@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetDeviceInterfaceMappedPropertyLocales(int,void *,int,int,int)
__CmGetDeviceInterfaceMappedPropertyLocales@28 proc near
					; CODE XREF: _PnpDispatchDeviceInterface+11A921p

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		and	dword ptr [eax], 0
		mov	esi, 0C0000016h
		push	edi
		xor	edi, edi

loc_A353EB:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyLocales(x,x,x,x,x,x,x)+40j
		mov	ecx, ds:off_A42DD8[edi]
		test	ecx, ecx
		jz	short loc_A3540D
		mov	eax, [ebx+10h]
		cmp	eax, [ecx+10h]
		jnz	short loc_A3540D
		push	10h		; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A35445

loc_A3540D:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyLocales(x,x,x,x,x,x,x)+20j
					; _CmGetDeviceInterfaceMappedPropertyLocales(x,x,x,x,x,x,x)+28j
		add	edi, 8
		cmp	edi, 18h
		jb	short loc_A353EB
		mov	ecx, [ebx+10h]
		xor	edi, edi
		mov	[ebp+arg_4], ecx

loc_A3541D:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyLocales(x,x,x,x,x,x,x)+6Ej
		mov	eax, ds:off_A42EF0[edi]
		cmp	ecx, [eax+10h]
		jnz	short loc_A3543B
		push	10h		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A35445
		mov	ecx, [ebp+arg_4]

loc_A3543B:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyLocales(x,x,x,x,x,x,x)+53j
		add	edi, 8
		cmp	edi, 20h
		jb	short loc_A3541D
		jmp	short loc_A35463
; 

loc_A35445:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyLocales(x,x,x,x,x,x,x)+38j
					; _CmGetDeviceInterfaceMappedPropertyLocales(x,x,x,x,x,x,x)+63j
		mov	eax, [ebp+arg_10]
		xor	ecx, ecx
		inc	ecx
		mov	[eax], ecx
		cmp	[ebp+arg_C], ecx
		jb	short loc_A3545E
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		xor	esi, esi
		mov	[eax], cx
		jmp	short loc_A35463
; 

loc_A3545E:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyLocales(x,x,x,x,x,x,x)+7Dj
		mov	esi, 0C0000023h

loc_A35463:				; CODE XREF: _CmGetDeviceInterfaceMappedPropertyLocales(x,x,x,x,x,x,x)+70j
					; _CmGetDeviceInterfaceMappedPropertyLocales(x,x,x,x,x,x,x)+89j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
__CmGetDeviceInterfaceMappedPropertyLocales@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDeviceMappedPropertyKeys(x, x, x, x, x, x, x)
__CmGetDeviceMappedPropertyKeys@28 proc	near ; CODE XREF: _PnpDispatchDevice+117E0Cp
					; _CmDeleteDeviceWorker(x,x,x)+4B4p

var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		mov	ebx, [ebp+arg_10]
		xor	eax, eax
		and	[esp+20h+var_10], eax
		and	[esp+20h+var_14], eax
		push	esi
		and	[ebx], eax
		xor	esi, esi
		push	edi
		mov	edi, edx
		mov	[esp+28h+var_18], ecx
		mov	[esp+28h+var_C], edi
		mov	[esp+28h+var_8], esi

loc_A35499:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+D2j
		mov	edx, ds:__CmDeviceRegPropMap[esi]
		mov	[esp+28h+var_19], 0
		mov	[esp+28h+var_4], edx
		test	edx, edx
		jz	loc_A35531
		cmp	[ebp+arg_4], 0
		jnz	short loc_A354FC
		push	0		; int
		lea	eax, [esp+2Ch+var_14]
		push	eax		; int
		push	0		; int
		push	0		; int
		lea	eax, [esp+38h+var_10]
		push	eax		; int
		push	edx		; void *
		push	[ebp+arg_0]	; int
		mov	edx, edi
		call	_CmGetDeviceMappedPropertyFromRegProp
		cmp	eax, 0C0000023h
		jz	short loc_A354EB
		test	eax, eax
		jz	short loc_A354EB
		cmp	eax, 0C00000C0h
		jnz	short loc_A354F0

loc_A354E3:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+131j
		and	dword ptr [ebx], 0
		jmp	loc_A356BA
; 

loc_A354EB:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+6Aj
					; _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+6Ej
		mov	[esp+28h+var_19], 1

loc_A354F0:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+75j
		xor	eax, eax
		cmp	[esp+28h+var_19], al
		jz	short loc_A3552D
		mov	edx, [esp+28h+var_4]

loc_A354FC:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+48j
		cmp	[ebp+arg_8], 0
		jz	short loc_A3551E
		mov	eax, [ebx]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_A3551E
		imul	edi, eax, 14h
		mov	esi, edx
		push	5
		pop	ecx
		add	edi, [ebp+arg_8]
		rep movsd
		mov	esi, [esp+28h+var_8]
		mov	edi, [esp+28h+var_C]

loc_A3551E:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+94j
					; _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+9Bj
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A35546

loc_A3552D:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+8Aj
		mov	ecx, [esp+28h+var_18]

loc_A35531:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+3Ej
		add	esi, 10h
		mov	[esp+28h+var_8], esi
		cmp	esi, 210h
		jb	loc_A35499
		jmp	short loc_A35549
; 

loc_A35546:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+BFj
		and	dword ptr [ebx], 0

loc_A35549:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+D8j
		test	eax, eax
		js	loc_A356BA
		xor	esi, esi
		mov	[esp+28h+var_8], esi

loc_A35557:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+187j
		mov	edx, ds:off_A42DF0[esi]
		mov	[esp+28h+var_19], 0
		mov	[esp+28h+var_4], edx
		test	edx, edx
		jz	short loc_A355E3
		cmp	[ebp+arg_4], 0
		jnz	short loc_A355B6
		mov	ecx, [esp+28h+var_18]
		lea	eax, [esp+28h+var_14]
		push	eax		; int
		push	0		; int
		push	0		; int
		lea	eax, [esp+34h+var_10]
		push	eax		; int
		push	edx		; void *
		push	[ebp+arg_0]	; int
		mov	edx, edi
		call	_CmGetDeviceMappedPropertyFromInstanceKeyRegValue
		cmp	eax, 0C0000023h
		jz	short loc_A355A5
		test	eax, eax
		jz	short loc_A355A5
		cmp	eax, 0C00000C0h
		jz	loc_A354E3
		jmp	short loc_A355AA
; 

loc_A355A5:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+126j
					; _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+12Aj
		mov	[esp+28h+var_19], 1

loc_A355AA:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+137j
		xor	eax, eax
		cmp	[esp+28h+var_19], al
		jz	short loc_A355E3
		mov	edx, [esp+28h+var_4]

loc_A355B6:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+102j
		cmp	[ebp+arg_8], 0
		jz	short loc_A355D4
		mov	eax, [ebx]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_A355D4
		imul	edi, eax, 14h
		mov	esi, edx
		push	5
		pop	ecx
		add	edi, [ebp+arg_8]
		rep movsd
		mov	esi, [esp+28h+var_8]

loc_A355D4:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+14Ej
					; _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+155j
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A355F8

loc_A355E3:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+FCj
					; _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+144j
		add	esi, 10h
		mov	[esp+28h+var_8], esi
		cmp	esi, 20h
		jnb	short loc_A355FB
		mov	edi, [esp+28h+var_C]
		jmp	loc_A35557
; 

loc_A355F8:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+175j
		and	dword ptr [ebx], 0

loc_A355FB:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+181j
		test	eax, eax
		js	loc_A356BA
		xor	esi, esi
		mov	[esp+28h+var_8], esi

loc_A35609:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+233j
		cmp	[ebp+arg_4], 0
		mov	edx, ds:off_A42E10[esi]
		mov	[esp+28h+var_19], 0
		mov	[esp+28h+var_4], edx
		jnz	short loc_A35665
		mov	ecx, [esp+28h+var_18]
		lea	eax, [esp+28h+var_14]
		xor	edi, edi
		push	edi		; int
		push	eax		; int
		push	edi		; int
		push	edi		; int
		lea	eax, [esp+38h+var_10]
		push	eax		; int
		push	edx		; void *
		push	[ebp+arg_0]	; int
		mov	edx, [esp+44h+var_C]
		call	_CmGetDeviceMappedPropertyFromComposite
		cmp	eax, 0C0000023h
		jz	short loc_A35654
		test	eax, eax
		jz	short loc_A35654
		cmp	eax, 0C00000C0h
		jnz	short loc_A35659
		mov	[ebx], edi
		jmp	short loc_A356BA
; 

loc_A35654:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+1D7j
					; _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+1DBj
		mov	[esp+28h+var_19], 1

loc_A35659:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+1E2j
		xor	eax, eax
		cmp	[esp+28h+var_19], al
		jz	short loc_A35692
		mov	edx, [esp+28h+var_4]

loc_A35665:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+1B0j
		cmp	[ebp+arg_8], 0
		jz	short loc_A35683
		mov	eax, [ebx]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_A35683
		imul	edi, eax, 14h
		mov	esi, edx
		push	5
		pop	ecx
		add	edi, [ebp+arg_8]
		rep movsd
		mov	esi, [esp+28h+var_8]

loc_A35683:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+1FDj
					; _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+204j
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A356A7

loc_A35692:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+1F3j
		add	esi, 8
		mov	[esp+28h+var_8], esi
		cmp	esi, 0D8h
		jb	loc_A35609
		jmp	short loc_A356AA
; 

loc_A356A7:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+224j
		and	dword ptr [ebx], 0

loc_A356AA:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+239j
		test	eax, eax
		js	short loc_A356BA
		mov	eax, [ebp+arg_C]
		cmp	eax, [ebx]
		sbb	eax, eax
		and	eax, 0C0000023h

loc_A356BA:				; CODE XREF: _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+7Aj
					; _CmGetDeviceMappedPropertyKeys(x,x,x,x,x,x,x)+DFj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
__CmGetDeviceMappedPropertyKeys@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetDeviceMappedPropertyLocales(int,void *,int,int,int)
__CmGetDeviceMappedPropertyLocales@28 proc near	; CODE XREF: _PnpDispatchDevice+117E26p

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		and	dword ptr [eax], 0
		xor	esi, esi
		push	edi
		mov	edi, 0C0000016h

loc_A356DB:				; CODE XREF: _CmGetDeviceMappedPropertyLocales(x,x,x,x,x,x,x)+43j
		mov	ecx, ds:__CmDeviceRegPropMap[esi]
		test	ecx, ecx
		jz	short loc_A356FD
		mov	eax, [ebx+10h]
		cmp	eax, [ecx+10h]
		jnz	short loc_A356FD
		push	10h		; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A35767

loc_A356FD:				; CODE XREF: _CmGetDeviceMappedPropertyLocales(x,x,x,x,x,x,x)+20j
					; _CmGetDeviceMappedPropertyLocales(x,x,x,x,x,x,x)+28j
		add	esi, 10h
		cmp	esi, 210h
		jb	short loc_A356DB
		xor	esi, esi

loc_A3570A:				; CODE XREF: _CmGetDeviceMappedPropertyLocales(x,x,x,x,x,x,x)+6Fj
		mov	ecx, ds:off_A42DF0[esi]
		test	ecx, ecx
		jz	short loc_A3572C
		mov	eax, [ebx+10h]
		cmp	eax, [ecx+10h]
		jnz	short loc_A3572C
		push	10h		; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A35767

loc_A3572C:				; CODE XREF: _CmGetDeviceMappedPropertyLocales(x,x,x,x,x,x,x)+4Fj
					; _CmGetDeviceMappedPropertyLocales(x,x,x,x,x,x,x)+57j
		add	esi, 10h
		cmp	esi, 20h
		jb	short loc_A3570A
		mov	ecx, [ebx+10h]
		xor	esi, esi
		mov	[ebp+arg_4], ecx

loc_A3573C:				; CODE XREF: _CmGetDeviceMappedPropertyLocales(x,x,x,x,x,x,x)+A0j
		mov	eax, ds:off_A42E10[esi]
		cmp	ecx, [eax+10h]
		jnz	short loc_A3575A
		push	10h		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A35767
		mov	ecx, [ebp+arg_4]

loc_A3575A:				; CODE XREF: _CmGetDeviceMappedPropertyLocales(x,x,x,x,x,x,x)+82j
		add	esi, 8
		cmp	esi, 0D8h
		jb	short loc_A3573C
		jmp	short loc_A35785
; 

loc_A35767:				; CODE XREF: _CmGetDeviceMappedPropertyLocales(x,x,x,x,x,x,x)+38j
					; _CmGetDeviceMappedPropertyLocales(x,x,x,x,x,x,x)+67j	...
		mov	eax, [ebp+arg_10]
		xor	ecx, ecx
		inc	ecx
		mov	[eax], ecx
		cmp	[ebp+arg_C], ecx
		jb	short loc_A35780
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		xor	edi, edi
		mov	[eax], cx
		jmp	short loc_A35785
; 

loc_A35780:				; CODE XREF: _CmGetDeviceMappedPropertyLocales(x,x,x,x,x,x,x)+AFj
		mov	edi, 0C0000023h

loc_A35785:				; CODE XREF: _CmGetDeviceMappedPropertyLocales(x,x,x,x,x,x,x)+A2j
					; _CmGetDeviceMappedPropertyLocales(x,x,x,x,x,x,x)+BBj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
__CmGetDeviceMappedPropertyLocales@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetDeviceSiblings(x, x, x, x)
__CmGetDeviceSiblings@16 proc near	; CODE XREF: _CmGetDeviceMappedPropertyFromComposite+119CCBp

var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1B0h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_1AC], edx
		mov	[ebp+var_1A4], ebx
		mov	[ebp+var_1B0], eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1A8], esi
		test	ebx, ebx
		jz	short loc_A357D5
		cmp	dword ptr [eax], 0
		jnz	short loc_A357DE
		and	[ebp+var_1A4], 0

loc_A357D5:				; CODE XREF: _CmGetDeviceSiblings(x,x,x,x)+39j
		and	[ebp+var_1A0], 0
		jmp	short loc_A357EB
; 

loc_A357DE:				; CODE XREF: _CmGetDeviceSiblings(x,x,x,x)+3Ej
		xor	ecx, ecx
		mov	[ebx], cx
		mov	ecx, [eax]
		mov	[ebp+var_1A0], ecx

loc_A357EB:				; CODE XREF: _CmGetDeviceSiblings(x,x,x,x)+4Ej
		and	dword ptr [eax], 0
		mov	ecx, esi
		lea	eax, [ebp+var_19C]
		mov	[ebp+var_19C], 0C8h
		push	eax
		lea	eax, [ebp+var_198]
		push	eax
		call	_CmGetDeviceParent
		mov	esi, eax
		test	esi, esi
		js	loc_A358E1
		xor	ebx, ebx
		and	[ebp+var_19C], ebx

loc_A3581F:				; CODE XREF: _CmGetDeviceSiblings(x,x,x,x)+DDj
		mov	ecx, [ebp+var_1A8]
		lea	eax, [ebp+var_19C]
		push	eax
		push	ebx
		lea	edx, [ebp+var_198]
		call	__CmGetDeviceChildren@16 ; _CmGetDeviceChildren(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A35876
		cmp	esi, 0C0000023h
		jnz	short loc_A35872
		test	ebx, ebx
		jz	short loc_A35852
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A35852:				; CODE XREF: _CmGetDeviceSiblings(x,x,x,x)+BAj
		mov	eax, [ebp+var_19C]
		push	52504E50h
		add	eax, eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A3581F
		mov	esi, 0C0000017h

loc_A35872:				; CODE XREF: _CmGetDeviceSiblings(x,x,x,x)+B6j
		test	esi, esi
		js	short loc_A358D5

loc_A35876:				; CODE XREF: _CmGetDeviceSiblings(x,x,x,x)+AEj
		test	ebx, ebx
		jnz	short loc_A35881
		mov	esi, 0C0000225h
		jmp	short loc_A358E1
; 

loc_A35881:				; CODE XREF: _CmGetDeviceSiblings(x,x,x,x)+EAj
		mov	edx, [ebp+var_1AC] ; wchar_t *
		mov	ecx, ebx	; wchar_t *
		call	__PnpMultiSzDeleteString@8 ; _PnpMultiSzDeleteString(x,x)
		test	al, al
		jnz	short loc_A35899
		mov	esi, 0C00000E5h
		jmp	short loc_A358D5
; 

loc_A35899:				; CODE XREF: _CmGetDeviceSiblings(x,x,x,x)+102j
		mov	ecx, ebx
		call	__PnpMultiSzGetLen@4 ; _PnpMultiSzGetLen(x)
		cmp	eax, 1
		ja	short loc_A358AC
		mov	esi, 0C0000225h
		jmp	short loc_A358D5
; 

loc_A358AC:				; CODE XREF: _CmGetDeviceSiblings(x,x,x,x)+115j
		mov	ecx, [ebp+var_1B0]
		mov	[ecx], eax
		cmp	[ebp+var_1A0], eax
		jnb	short loc_A358C3
		mov	esi, 0C0000023h
		jmp	short loc_A358D5
; 

loc_A358C3:				; CODE XREF: _CmGetDeviceSiblings(x,x,x,x)+12Cj
		add	eax, eax
		push	eax		; size_t
		push	ebx		; void *
		push	[ebp+var_1A4]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_A358D5:				; CODE XREF: _CmGetDeviceSiblings(x,x,x,x)+E6j
					; _CmGetDeviceSiblings(x,x,x,x)+109j ...
		test	ebx, ebx
		jz	short loc_A358E1
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A358E1:				; CODE XREF: _CmGetDeviceSiblings(x,x,x,x)+83j
					; _CmGetDeviceSiblings(x,x,x,x)+F1j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
__CmGetDeviceSiblings@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetInstallerClassCompoundFiltersWorker(int,int,int,void *,int,int,int,int)
__CmGetInstallerClassCompoundFiltersWorker@40 proc near
					; CODE XREF: _CmGetInstallerClassCompoundFilters+ADC3Cp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		mov	ecx, [ebp+arg_4]
		push	esi
		push	edi
		push	eax
		push	eax
		mov	esi, edx
		mov	[ebp+var_8], eax
		push	eax
		push	eax
		lea	edx, [ebp+var_20]
		mov	[ebp+var_C], esi
		mov	[ebp+var_20], eax
		mov	edi, eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_14], eax
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_A35C67
		cmp	[ebp+var_20], edi
		jz	loc_A35C67
		mov	eax, [ebp+arg_8]
		cmp	dword ptr [eax+10h], 14h
		jnz	short loc_A35974
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_CompoundUpperFilters ; void	*
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A35974
		mov	eax, offset _DEVPKEY_DeviceClass_UpperFilterCache
		mov	[ebp+var_1C], offset _DEVPKEY_DeviceClass_UpperFilterLevels
		mov	[ebp+var_18], offset _DEVPKEY_DeviceClass_UpperFilterDefaultLevel
		mov	[ebp+arg_8], offset ??_C@_1O@FGNJOLJB@?$AA?$CK?$AAU?$AAp?$AAp?$AAe?$AAr@NNGAKEGL@
		jmp	short loc_A3598E
; 

loc_A35974:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+4Fj
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+63j
		mov	eax, offset _DEVPKEY_DeviceClass_LowerFilterCache
		mov	[ebp+var_1C], offset _DEVPKEY_DeviceClass_LowerFilterLevels
		mov	[ebp+var_18], offset _DEVPKEY_DeviceClass_LowerFilterDefaultLevel
		mov	[ebp+arg_8], (offset loc_8C9419+1)

loc_A3598E:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+7Fj
		xor	edx, edx
		mov	[ebp+var_20], eax
		push	edx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	edx
		push	edx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		push	edx
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	loc_A35A41
		cmp	[ebp+var_8], 2012h
		jnz	short loc_A35A41
		push	52504E50h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A359E1

loc_A359D7:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+199j
		mov	esi, 0C0000017h
		jmp	loc_A35CA5
; 

loc_A359E1:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+E2j
		push	0
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax
		push	[ebp+var_4]
		lea	eax, [ebp+var_8]
		mov	ecx, ebx
		push	edi
		push	eax
		push	[ebp+var_20]
		push	0
		push	[ebp+arg_0]
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A35C7B
		mov	esi, [ebp+var_C]

loc_A35A0F:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+2D0j
		lea	eax, [ebp+var_4]
		mov	edx, esi
		push	eax		; int
		push	0		; int
		push	0		; int
		lea	eax, [ebp+var_8]
		mov	ecx, ebx
		push	eax		; int
		push	[ebp+arg_C]	; void *
		push	[ebp+arg_0]	; int
		call	_CmGetInstallerClassMappedPropertyFromRegProp
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	loc_A35BC8
		and	[ebp+var_4], 0
		jmp	loc_A35C1C
; 

loc_A35A41:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+C0j
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+CDj
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_8]
		mov	edx, esi
		push	eax
		push	[ebp+var_18]
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, ebx
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_A35C4B
		cmp	[ebp+var_8], 12h
		jnz	loc_A35C4B
		push	52504E50h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_A359D7
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_4]
		push	0
		push	ecx
		push	[ebp+var_4]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_18]
		push	0
		push	[ebp+arg_0]
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A35C6C
		mov	esi, [ebp+var_C]
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		mov	edx, esi
		push	ecx
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_1C]
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, ebx
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	loc_A35C67
		push	52504E50h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jnz	short loc_A35B0B

loc_A35B01:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+288j
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+301j
		mov	esi, 0C0000017h
		jmp	loc_A35C6C
; 

loc_A35B0B:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+20Cj
		push	0
		lea	ecx, [ebp+var_4]
		mov	edx, esi
		push	ecx
		push	[ebp+var_4]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_1C]
		push	0
		push	[ebp+arg_0]
		push	2
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A35C6C
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	0		; int
		push	0		; int
		push	[ebp+arg_8]	; int
		mov	ecx, ebx
		push	[ebp+var_10]	; wchar_t *
		push	[ebp+var_14]	; int
		call	__CmGetDeclarativeFilterList@32	; _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A35B5C
		mov	esi, 0C000003Eh

loc_A35B5C:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+262j
		cmp	esi, 0C0000023h
		jnz	loc_A35C6C
		push	52504E50h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A35B01
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	[ebp+var_4]	; int
		mov	ecx, ebx
		push	edi		; int
		push	[ebp+arg_8]	; int
		push	[ebp+var_10]	; wchar_t *
		push	[ebp+var_14]	; int
		call	__CmGetDeclarativeFilterList@32	; _CmGetDeclarativeFilterList(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A35C6C
		mov	esi, [ebp+var_C]
		mov	ecx, ebx
		push	0
		push	[ebp+var_4]
		mov	edx, esi
		push	edi
		push	2012h
		push	[ebp+var_20]
		push	0
		push	[ebp+arg_0]
		push	2
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		jmp	loc_A35A0F
; 

loc_A35BC8:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+13Fj
		cmp	esi, 0C0000023h
		jnz	loc_A35C6C
		cmp	[ebp+var_4], 0
		jbe	short loc_A35C1C
		cmp	[ebp+arg_18], 0
		jbe	short loc_A35C1C
		push	52504E50h
		push	[ebp+var_4]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_A35B01
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_4]
		push	ecx		; int
		push	[ebp+var_4]	; int
		mov	ecx, ebx
		push	eax		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	[ebp+arg_C]	; void *
		push	[ebp+arg_0]	; int
		call	_CmGetInstallerClassMappedPropertyFromRegProp
		mov	esi, eax
		test	esi, esi
		js	short loc_A35C6C

loc_A35C1C:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+149j
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+2E5j ...
		push	[ebp+arg_1C]	; int
		mov	edx, [ebp+var_24] ; wchar_t *
		mov	ecx, edi	; int
		push	[ebp+arg_18]	; int
		push	[ebp+arg_14]	; int
		push	[ebp+arg_8]	; wchar_t *
		call	__CmMergeFilterLists@24	; _CmMergeFilterLists(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_A35C40
		test	esi, esi
		js	short loc_A35C6C

loc_A35C40:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+347j
		mov	eax, [ebp+arg_10]
		mov	dword ptr [eax], 2012h
		jmp	short loc_A35C6C
; 

loc_A35C4B:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+175j
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+17Fj
		cmp	[ebp+var_8], 2012h
		jnz	short loc_A35C60
		cmp	esi, 0C000090Bh
		jz	short loc_A35C60
		test	esi, esi
		jnz	short loc_A35CA5

loc_A35C60:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+35Fj
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+367j
		mov	esi, 0C0000225h
		jmp	short loc_A35CA5
; 

loc_A35C67:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+39j
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+42j ...
		mov	esi, 0C0000225h

loc_A35C6C:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+1C5j
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+213j ...
		mov	eax, [ebp+var_10]
		test	eax, eax
		jz	short loc_A35C7B
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A35C7B:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+113j
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+37Ej
		test	edi, edi
		jz	short loc_A35C87
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A35C87:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+38Aj
		mov	eax, [ebp+var_24]
		test	eax, eax
		jz	short loc_A35C96
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A35C96:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+399j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_A35CA5
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A35CA5:				; CODE XREF: _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+E9j
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+36Bj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	20h
__CmGetInstallerClassCompoundFiltersWorker@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetInstallerClassMappedPropertyKeys(x, x, x, x, x, x, x)
__CmGetInstallerClassMappedPropertyKeys@28 proc	near
					; CODE XREF: _PnpDispatchInstallerClass+ADCF5p
					; _CmDeleteInstallerClassWorker(x,x,x)+127p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, [ebp+arg_10]
		xor	eax, eax
		and	[ebp+var_C], eax
		and	[ebp+var_8], eax
		push	esi
		and	[ebx], eax
		xor	esi, esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], edi
		mov	[ebp+var_14], esi

loc_A35CD3:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+B7j
		mov	edx, ds:__CmClassRegPropMap[esi]
		mov	byte ptr [ebp+arg_10+3], 0
		mov	[ebp+var_18], edx
		test	edx, edx
		jz	short loc_A35D59
		cmp	[ebp+arg_4], 0
		jnz	short loc_A35D27
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	0		; int
		push	0		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	edx		; void *
		push	[ebp+arg_0]	; int
		mov	edx, edi
		call	_CmGetInstallerClassMappedPropertyFromRegProp
		cmp	eax, 0C0000023h
		jz	short loc_A35D19
		test	eax, eax
		jz	short loc_A35D19
		cmp	eax, 0C0000034h
		jz	loc_A35F14
		jmp	short loc_A35D1D
; 

loc_A35D19:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+58j
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+5Cj
		mov	byte ptr [ebp+arg_10+3], 1

loc_A35D1D:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+69j
		xor	eax, eax
		cmp	byte ptr [ebp+arg_10+3], al
		jz	short loc_A35D56
		mov	edx, [ebp+var_18]

loc_A35D27:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+3Aj
		cmp	[ebp+arg_8], 0
		jz	short loc_A35D47
		mov	eax, [ebx]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_A35D47
		imul	edi, eax, 14h
		mov	esi, edx
		push	5
		pop	ecx
		add	edi, [ebp+arg_8]
		rep movsd
		mov	esi, [ebp+var_14]
		mov	edi, [ebp+var_10]

loc_A35D47:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+7Dj
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+84j
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A35D6D

loc_A35D56:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+74j
		mov	ecx, [ebp+var_4]

loc_A35D59:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+34j
		add	esi, 10h
		mov	[ebp+var_14], esi
		cmp	esi, 90h
		jb	loc_A35CD3
		jmp	short loc_A35D70
; 

loc_A35D6D:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+A6j
		and	dword ptr [ebx], 0

loc_A35D70:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+BDj
		test	eax, eax
		js	loc_A35F25
		xor	esi, esi
		mov	[ebp+var_14], esi

loc_A35D7D:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+163j
		mov	edx, ds:off_A42C38[esi]
		mov	byte ptr [ebp+arg_10+3], 0
		mov	[ebp+var_18], edx
		test	edx, edx
		jz	short loc_A35E00
		cmp	[ebp+arg_4], 0
		jnz	short loc_A35DD4
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	0		; int
		push	0		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	edx		; void *
		push	[ebp+arg_0]	; int
		mov	edx, edi
		call	_CmGetInstallerClassMappedPropertyFromRegValue
		cmp	eax, 0C0000023h
		jz	short loc_A35DC6
		test	eax, eax
		jz	short loc_A35DC6
		cmp	eax, 0C0000034h
		jz	loc_A35F14
		jmp	short loc_A35DCA
; 

loc_A35DC6:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+105j
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+109j
		mov	byte ptr [ebp+arg_10+3], 1

loc_A35DCA:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+116j
		xor	eax, eax
		cmp	byte ptr [ebp+arg_10+3], al
		jz	short loc_A35E00
		mov	edx, [ebp+var_18]

loc_A35DD4:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+E4j
		cmp	[ebp+arg_8], 0
		jz	short loc_A35DF1
		mov	eax, [ebx]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_A35DF1
		imul	edi, eax, 14h
		mov	esi, edx
		push	5
		pop	ecx
		add	edi, [ebp+arg_8]
		rep movsd
		mov	esi, [ebp+var_14]

loc_A35DF1:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+12Aj
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+131j
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A35E16

loc_A35E00:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+DEj
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+121j
		add	esi, 10h
		mov	[ebp+var_14], esi
		cmp	esi, 0D0h
		jnb	short loc_A35E19
		mov	edi, [ebp+var_10]
		jmp	loc_A35D7D
; 

loc_A35E16:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+150j
		and	dword ptr [ebx], 0

loc_A35E19:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+15Ej
		test	eax, eax
		js	loc_A35F25
		xor	esi, esi
		mov	[ebp+var_14], esi

loc_A35E26:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+202j
		cmp	[ebp+arg_4], 0
		mov	edx, ds:off_A42F10[esi]
		mov	byte ptr [ebp+arg_10+3], 0
		mov	[ebp+var_18], edx
		jnz	short loc_A35E7B
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax		; int
		xor	edi, edi
		lea	eax, [ebp+var_C]
		push	edi		; int
		push	edi		; int
		push	eax		; int
		push	edx		; void *
		push	[ebp+arg_0]	; int
		mov	edx, [ebp+var_10]
		call	_CmGetInstallerClassMappedPropertyFromComposite
		cmp	eax, 0C0000023h
		jz	short loc_A35E6D
		test	eax, eax
		jz	short loc_A35E6D
		cmp	eax, 0C0000034h
		jnz	short loc_A35E71
		mov	[ebx], edi
		jmp	loc_A35F25
; 

loc_A35E6D:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+1ABj
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+1AFj
		mov	byte ptr [ebp+arg_10+3], 1

loc_A35E71:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+1B6j
		xor	eax, eax
		cmp	byte ptr [ebp+arg_10+3], al
		jz	short loc_A35EA7
		mov	edx, [ebp+var_18]

loc_A35E7B:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+189j
		cmp	[ebp+arg_8], 0
		jz	short loc_A35E98
		mov	eax, [ebx]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_A35E98
		imul	edi, eax, 14h
		mov	esi, edx
		push	5
		pop	ecx
		add	edi, [ebp+arg_8]
		rep movsd
		mov	esi, [ebp+var_14]

loc_A35E98:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+1D1j
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+1D8j
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A35EB8

loc_A35EA7:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+1C8j
		add	esi, 8
		mov	[ebp+var_14], esi
		cmp	esi, 20h
		jb	loc_A35E26
		jmp	short loc_A35EBB
; 

loc_A35EB8:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+1F7j
		and	dword ptr [ebx], 0

loc_A35EBB:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+208j
		test	eax, eax
		js	short loc_A35F25
		cmp	[ebp+arg_4], 0
		jnz	short loc_A35EE8
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_8]
		push	eax
		push	0
		push	0
		lea	eax, [ebp+var_C]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_4]
		call	_CmGetInstallerClassMappedPropertyFromCoInstallers
		cmp	eax, 0C0000023h
		jz	short loc_A35EE8
		test	eax, eax
		jnz	short loc_A35F19

loc_A35EE8:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+215j
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+234j
		cmp	[ebp+arg_8], 0
		jz	short loc_A35F05
		mov	eax, [ebx]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_A35F05
		imul	edi, eax, 14h
		mov	esi, offset _DEVPKEY_DeviceClass_ClassCoInstallers
		push	5
		pop	ecx
		add	edi, [ebp+arg_8]
		rep movsd

loc_A35F05:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+23Ej
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+245j
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		jns	short loc_A35F19

loc_A35F14:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+63j
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+110j
		and	dword ptr [ebx], 0
		jmp	short loc_A35F25
; 

loc_A35F19:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+238j
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+264j
		mov	eax, [ebp+arg_C]
		cmp	eax, [ebx]
		sbb	eax, eax
		and	eax, 0C0000023h

loc_A35F25:				; CODE XREF: _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+C4j
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+16Dj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
__CmGetInstallerClassMappedPropertyKeys@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetInstallerClassMappedPropertyLocales(int,void *,int,int,int)
__CmGetInstallerClassMappedPropertyLocales@28 proc near
					; CODE XREF: _PnpDispatchInstallerClass+ADD0Fp

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_10]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	ebx, 0C0000016h
		and	dword ptr [eax], 0
		push	edi
		xor	edi, edi

loc_A35F44:				; CODE XREF: _CmGetInstallerClassMappedPropertyLocales(x,x,x,x,x,x,x)+47j
		mov	ecx, ds:__CmClassRegPropMap[edi]
		test	ecx, ecx
		jz	short loc_A35F6A
		mov	eax, [esi+10h]
		cmp	eax, [ecx+10h]
		jnz	short loc_A35F6A
		push	10h		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_A35FEB

loc_A35F6A:				; CODE XREF: _CmGetInstallerClassMappedPropertyLocales(x,x,x,x,x,x,x)+20j
					; _CmGetInstallerClassMappedPropertyLocales(x,x,x,x,x,x,x)+28j
		add	edi, 10h
		cmp	edi, 90h
		jb	short loc_A35F44
		xor	edi, edi

loc_A35F77:				; CODE XREF: _CmGetInstallerClassMappedPropertyLocales(x,x,x,x,x,x,x)+76j
		mov	ecx, ds:off_A42C38[edi]
		test	ecx, ecx
		jz	short loc_A35F99
		mov	eax, [esi+10h]
		cmp	eax, [ecx+10h]
		jnz	short loc_A35F99
		push	10h		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A35FEB

loc_A35F99:				; CODE XREF: _CmGetInstallerClassMappedPropertyLocales(x,x,x,x,x,x,x)+53j
					; _CmGetInstallerClassMappedPropertyLocales(x,x,x,x,x,x,x)+5Bj
		add	edi, 10h
		cmp	edi, 0D0h
		jb	short loc_A35F77
		mov	eax, [esi+10h]
		xor	edi, edi
		mov	[ebp+arg_4], eax

loc_A35FAC:				; CODE XREF: _CmGetInstallerClassMappedPropertyLocales(x,x,x,x,x,x,x)+A4j
		mov	ecx, ds:off_A42F10[edi]
		cmp	eax, [ecx+10h]
		jnz	short loc_A35FCA
		push	10h		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A35FEB
		mov	eax, [ebp+arg_4]

loc_A35FCA:				; CODE XREF: _CmGetInstallerClassMappedPropertyLocales(x,x,x,x,x,x,x)+89j
		add	edi, 8
		cmp	edi, 20h
		jb	short loc_A35FAC
		cmp	eax, 2
		jnz	short loc_A36009
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_ClassCoInstallers ;	void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A36009

loc_A35FEB:				; CODE XREF: _CmGetInstallerClassMappedPropertyLocales(x,x,x,x,x,x,x)+38j
					; _CmGetInstallerClassMappedPropertyLocales(x,x,x,x,x,x,x)+6Bj	...
		mov	eax, [ebp+arg_10]
		xor	ecx, ecx
		inc	ecx
		mov	[eax], ecx
		cmp	[ebp+arg_C], ecx
		jb	short loc_A36004
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		xor	ebx, ebx
		mov	[eax], cx
		jmp	short loc_A36009
; 

loc_A36004:				; CODE XREF: _CmGetInstallerClassMappedPropertyLocales(x,x,x,x,x,x,x)+CAj
		mov	ebx, 0C0000023h

loc_A36009:				; CODE XREF: _CmGetInstallerClassMappedPropertyLocales(x,x,x,x,x,x,x)+A9j
					; _CmGetInstallerClassMappedPropertyLocales(x,x,x,x,x,x,x)+BDj	...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	14h
__CmGetInstallerClassMappedPropertyLocales@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetInterfaceClassMappedPropertyFromComposite(int,void *,int,int,int,int)
__CmGetInterfaceClassMappedPropertyFromComposite@32 proc near
					; CODE XREF: _CmGetInterfaceClassMappedProperty+118573p
					; _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+F3p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_8]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_8], edx
		mov	[eax], esi
		mov	eax, [ebp+arg_14]
		push	edi
		mov	edi, [ebp+arg_C]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], esi
		mov	[eax], esi
		test	edi, edi
		jnz	short loc_A3603D
		mov	ebx, esi
		jmp	short loc_A36048
; 

loc_A3603D:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromComposite(x,x,x,x,x,x,x,x)+25j
		mov	ebx, [ebp+arg_10]
		mov	eax, ebx
		neg	eax
		sbb	eax, eax
		and	edi, eax

loc_A36048:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromComposite(x,x,x,x,x,x,x,x)+29j
		mov	ecx, [ebp+arg_4]
		mov	eax, [ecx+10h]
		cmp	eax, 2
		jnb	short loc_A3605A
		mov	esi, 0C0000230h
		jmp	short loc_A360A9
; 

loc_A3605A:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromComposite(x,x,x,x,x,x,x,x)+3Fj
		cmp	eax, 0Ah
		jnz	short loc_A360A9
		push	10h		; size_t
		push	offset _DEVPKEY_NAME ; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A360A9
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_C]
		push	esi
		push	eax
		push	ebx
		push	edi
		push	[ebp+arg_8]
		push	offset _DEVPKEY_DeviceInterfaceClass_Name
		push	esi
		push	[ebp+arg_0]
		push	4
		call	__PnpGetObjectProperty@44 ; _PnpGetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A360A1
		cmp	esi, 0C0000023h
		jnz	short loc_A360A9

loc_A360A1:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromComposite(x,x,x,x,x,x,x,x)+85j
		mov	eax, [ebp+arg_14]
		mov	ecx, [ebp+var_4]
		mov	[eax], ecx

loc_A360A9:				; CODE XREF: _CmGetInterfaceClassMappedPropertyFromComposite(x,x,x,x,x,x,x,x)+46j
					; _CmGetInterfaceClassMappedPropertyFromComposite(x,x,x,x,x,x,x,x)+4Bj	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
__CmGetInterfaceClassMappedPropertyFromComposite@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmGetInterfaceClassMappedPropertyKeys(x, x, x, x, x, x, x)
__CmGetInterfaceClassMappedPropertyKeys@28 proc	near
					; CODE XREF: _PnpDispatchInterfaceClass+11858Fp
					; _CmDeleteInterfaceClassWorker(x,x,x)+E1p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, [ebp+arg_10]
		xor	eax, eax
		and	[ebp+var_C], eax
		push	esi
		push	edi
		and	[ebx], eax
		mov	edi, edx
		xor	esi, esi
		mov	[ebp+var_10], edi
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], esi

loc_A360D4:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+B3j
		mov	edx, ds:off_A42EE8[esi]
		mov	byte ptr [ebp+arg_10+3], 0
		mov	[ebp+var_14], edx
		test	edx, edx
		jz	short loc_A3615C
		cmp	[ebp+arg_4], 0
		jnz	short loc_A3612A
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	0		; int
		push	0		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	edx		; void *
		push	[ebp+arg_0]	; int
		mov	edx, edi
		call	_CmGetInterfaceClassMappedPropertyFromRegValue
		cmp	eax, 0C0000023h
		jz	short loc_A3611C
		test	eax, eax
		jz	short loc_A3611C
		cmp	eax, 0C0000034h
		jnz	short loc_A36120

loc_A36114:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+108j
		and	dword ptr [ebx], 0
		jmp	loc_A36223
; 

loc_A3611C:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+55j
					; _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+59j
		mov	byte ptr [ebp+arg_10+3], 1

loc_A36120:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+60j
		xor	eax, eax
		cmp	byte ptr [ebp+arg_10+3], al
		jz	short loc_A36159
		mov	edx, [ebp+var_14]

loc_A3612A:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+37j
		cmp	[ebp+arg_8], 0
		jz	short loc_A3614A
		mov	eax, [ebx]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_A3614A
		imul	edi, eax, 14h
		mov	esi, edx
		push	5
		pop	ecx
		add	edi, [ebp+arg_8]
		rep movsd
		mov	esi, [ebp+var_8]
		mov	edi, [ebp+var_10]

loc_A3614A:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+7Cj
					; _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+83j
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A3616D

loc_A36159:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+73j
		mov	ecx, [ebp+var_4]

loc_A3615C:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+31j
		add	esi, 8
		mov	[ebp+var_8], esi
		cmp	esi, 8
		jb	loc_A360D4
		jmp	short loc_A36170
; 

loc_A3616D:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+A5j
		and	dword ptr [ebx], 0

loc_A36170:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+B9j
		test	eax, eax
		js	loc_A36223
		xor	esi, esi
		mov	[ebp+var_8], esi

loc_A3617D:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+156j
		cmp	[ebp+arg_4], 0
		mov	edx, ds:off_A42F30[esi]
		mov	byte ptr [ebp+arg_10+3], 0
		mov	[ebp+var_14], edx
		jnz	short loc_A361D0
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	0		; int
		push	0		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		push	edx		; void *
		push	[ebp+arg_0]	; int
		mov	edx, edi
		call	__CmGetInterfaceClassMappedPropertyFromComposite@32 ; _CmGetInterfaceClassMappedPropertyFromComposite(x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	short loc_A361C2
		test	eax, eax
		jz	short loc_A361C2
		cmp	eax, 0C0000034h
		jz	loc_A36114
		jmp	short loc_A361C6
; 

loc_A361C2:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+FDj
					; _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+101j
		mov	byte ptr [ebp+arg_10+3], 1

loc_A361C6:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+10Ej
		xor	eax, eax
		cmp	byte ptr [ebp+arg_10+3], al
		jz	short loc_A361FF
		mov	edx, [ebp+var_14]

loc_A361D0:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+DCj
		cmp	[ebp+arg_8], 0
		jz	short loc_A361ED
		mov	eax, [ebx]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_A361ED
		imul	edi, eax, 14h
		mov	esi, edx
		push	5
		pop	ecx
		add	edi, [ebp+arg_8]
		rep movsd
		mov	esi, [ebp+var_8]

loc_A361ED:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+122j
					; _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+129j
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A36210
		mov	edi, [ebp+var_10]

loc_A361FF:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+119j
		add	esi, 8
		mov	[ebp+var_8], esi
		cmp	esi, 8
		jb	loc_A3617D
		jmp	short loc_A36213
; 

loc_A36210:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+148j
		and	dword ptr [ebx], 0

loc_A36213:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+15Cj
		test	eax, eax
		js	short loc_A36223
		mov	eax, [ebp+arg_C]
		cmp	eax, [ebx]
		sbb	eax, eax
		and	eax, 0C0000023h

loc_A36223:				; CODE XREF: _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+65j
					; _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+C0j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
__CmGetInterfaceClassMappedPropertyKeys@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmGetInterfaceClassMappedPropertyLocales(int,void *,int,int,int)
__CmGetInterfaceClassMappedPropertyLocales@28 proc near
					; CODE XREF: _PnpDispatchInterfaceClass+1185A9p

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_10]
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		and	dword ptr [eax], 0
		mov	esi, 0C0000016h
		push	edi
		xor	edi, edi

loc_A36242:				; CODE XREF: _CmGetInterfaceClassMappedPropertyLocales(x,x,x,x,x,x,x)+40j
		mov	ecx, ds:off_A42EE8[edi]
		test	ecx, ecx
		jz	short loc_A36264
		mov	eax, [ebx+10h]
		cmp	eax, [ecx+10h]
		jnz	short loc_A36264
		push	10h		; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A3629C

loc_A36264:				; CODE XREF: _CmGetInterfaceClassMappedPropertyLocales(x,x,x,x,x,x,x)+20j
					; _CmGetInterfaceClassMappedPropertyLocales(x,x,x,x,x,x,x)+28j
		add	edi, 8
		cmp	edi, 8
		jb	short loc_A36242
		mov	ecx, [ebx+10h]
		xor	edi, edi
		mov	[ebp+arg_4], ecx

loc_A36274:				; CODE XREF: _CmGetInterfaceClassMappedPropertyLocales(x,x,x,x,x,x,x)+6Ej
		mov	eax, ds:off_A42F30[edi]
		cmp	ecx, [eax+10h]
		jnz	short loc_A36292
		push	10h		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A3629C
		mov	ecx, [ebp+arg_4]

loc_A36292:				; CODE XREF: _CmGetInterfaceClassMappedPropertyLocales(x,x,x,x,x,x,x)+53j
		add	edi, 8
		cmp	edi, 8
		jb	short loc_A36274
		jmp	short loc_A362BA
; 

loc_A3629C:				; CODE XREF: _CmGetInterfaceClassMappedPropertyLocales(x,x,x,x,x,x,x)+38j
					; _CmGetInterfaceClassMappedPropertyLocales(x,x,x,x,x,x,x)+63j
		mov	eax, [ebp+arg_10]
		xor	ecx, ecx
		inc	ecx
		mov	[eax], ecx
		cmp	[ebp+arg_C], ecx
		jb	short loc_A362B5
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		xor	esi, esi
		mov	[eax], cx
		jmp	short loc_A362BA
; 

loc_A362B5:				; CODE XREF: _CmGetInterfaceClassMappedPropertyLocales(x,x,x,x,x,x,x)+7Dj
		mov	esi, 0C0000023h

loc_A362BA:				; CODE XREF: _CmGetInterfaceClassMappedPropertyLocales(x,x,x,x,x,x,x)+70j
					; _CmGetInterfaceClassMappedPropertyLocales(x,x,x,x,x,x,x)+89j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
__CmGetInterfaceClassMappedPropertyLocales@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall _CmMergeFilterLists(int,wchar_t *,wchar_t *,int,int,int)
__CmMergeFilterLists@24	proc near	; CODE XREF: _CmGetDeviceCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+35Ep
					; _CmGetInstallerClassCompoundFiltersWorker(x,x,x,x,x,x,x,x,x,x)+33Ap

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_10], ecx
		xor	edx, edx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_20], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		push	esi
		mov	esi, edx
		mov	[ebp+var_4], esi
		push	edi
		test	eax, eax
		jz	short loc_A36303
		mov	edx, [ebp+arg_8]
		cmp	edx, 2
		jb	short loc_A36303
		mov	[eax], si
		mov	esi, eax
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], edx

loc_A36303:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+2Bj
					; _CmMergeFilterLists(x,x,x,x,x,x)+33j	...
		push	[ebp+arg_0]	; wchar_t *
		mov	edx, ebx	; wchar_t *
		call	__CmFindFilterListInflectionPoint@12 ; _CmFindFilterListInflectionPoint(x,x,x)
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		mov	[ebp+var_14], eax
		mov	edi, ecx
		cmp	[ecx], dx
		jz	loc_A363C2
		xor	ebx, ebx

loc_A36322:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+F6j
		test	eax, eax
		jz	short loc_A36337
		push	eax		; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_A363BF

loc_A36337:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+61j
		push	[ebp+arg_0]	; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A36397
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_A3634B:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+91j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A3634B
		sub	ecx, edx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		add	[ebp+var_C], ebx
		test	esi, esi
		jz	short loc_A36397
		mov	eax, [ebp+var_8]
		lea	edx, [ebp+arg_4]
		mov	[ebp+arg_4], eax
		mov	ecx, esi
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		call	__PnpMultiSzAppend@16 ;	_PnpMultiSzAppend(x,x,x,x)
		test	al, al
		jnz	short loc_A36391
		xor	eax, eax
		mov	[ebp+var_18], 0C0000023h
		mov	esi, eax
		mov	[ebp+var_4], esi
		jmp	short loc_A36394
; 

loc_A36391:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+BCj
		mov	esi, [ebp+var_4]

loc_A36394:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+CCj
		sub	[ebp+var_8], ebx

loc_A36397:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+81j
					; _CmMergeFilterLists(x,x,x,x,x,x)+A3j
		mov	ecx, edi
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_A3639E:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+E4j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A3639E
		mov	eax, [ebp+var_14]
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], bx
		jnz	loc_A36322

loc_A363BF:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+6Ej
		mov	ebx, [ebp+var_1C]

loc_A363C2:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+57j
		xor	eax, eax
		mov	[ebp+var_10], edi
		cmp	[edi], ax
		jz	short loc_A363EA
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_A363D1:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+118j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_20]
		jnz	short loc_A363D1
		sub	ecx, edx
		sar	ecx, 1
		inc	ecx
		xor	eax, eax
		lea	ecx, [edi+ecx*2]
		mov	[ebp+var_10], ecx

loc_A363EA:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+107j
		test	ebx, ebx
		jz	loc_A364B8
		mov	edi, ebx
		cmp	[ebx], ax
		jz	loc_A3648F

loc_A363FD:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+1C2j
		mov	eax, [ebp+var_14]
		test	eax, eax
		jz	short loc_A36411
		push	eax		; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A3648D

loc_A36411:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+13Fj
		mov	ecx, edi
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_A36418:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+15Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A36418
		sub	ecx, edx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		add	[ebp+var_C], ebx
		test	esi, esi
		jz	short loc_A36464
		mov	eax, [ebp+var_8]
		lea	edx, [ebp+arg_4]
		mov	[ebp+arg_4], eax
		mov	ecx, esi
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		call	__PnpMultiSzAppend@16 ;	_PnpMultiSzAppend(x,x,x,x)
		test	al, al
		jnz	short loc_A3645E
		xor	eax, eax
		mov	[ebp+var_18], 0C0000023h
		mov	esi, eax
		mov	[ebp+var_4], esi
		jmp	short loc_A36461
; 

loc_A3645E:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+189j
		mov	esi, [ebp+var_4]

loc_A36461:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+199j
		sub	[ebp+var_8], ebx

loc_A36464:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+170j
		mov	ecx, edi
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_A3646B:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+1B1j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A3646B
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], ax
		jnz	loc_A363FD
		jmp	short loc_A3648F
; 

loc_A3648D:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+14Cj
		xor	eax, eax

loc_A3648F:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+134j
					; _CmMergeFilterLists(x,x,x,x,x,x)+1C8j
		mov	ebx, edi
		mov	[ebp+var_1C], ebx
		cmp	[edi], ax
		jz	short loc_A364B8
		mov	ecx, edi
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_A364A0:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+1E6j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A364A0
		sub	ecx, edx
		sar	ecx, 1
		lea	ebx, [ecx+1]
		lea	ebx, [edi+ebx*2]
		mov	[ebp+var_1C], ebx

loc_A364B8:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+129j
					; _CmMergeFilterLists(x,x,x,x,x,x)+1D4j
		mov	edi, [ebp+var_14]
		test	edi, edi
		jz	short loc_A36539
		push	[ebp+arg_0]	; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_10]
		test	eax, eax
		jz	loc_A36303
		mov	ecx, edi
		xor	edi, edi
		lea	edx, [ecx+2]

loc_A364DC:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+222j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_A364DC
		sub	ecx, edx
		sar	ecx, 1
		lea	edi, ds:2[ecx*2]
		mov	ecx, [ebp+var_10]
		add	[ebp+var_C], edi
		test	esi, esi
		jz	loc_A36303
		mov	eax, [ebp+var_8]
		lea	edx, [ebp+arg_4]
		mov	[ebp+arg_4], eax
		mov	ecx, esi
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_14]
		call	__PnpMultiSzAppend@16 ;	_PnpMultiSzAppend(x,x,x,x)
		test	al, al
		jnz	short loc_A3652B
		xor	eax, eax
		mov	[ebp+var_18], 0C0000023h
		mov	esi, eax
		mov	[ebp+var_4], esi
		jmp	short loc_A3652E
; 

loc_A3652B:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+256j
		mov	esi, [ebp+var_4]

loc_A3652E:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+266j
		sub	[ebp+var_8], edi
		mov	ecx, [ebp+var_10]
		jmp	loc_A36303
; 

loc_A36539:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+1FAj
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jnz	short loc_A36547
		mov	eax, 0C0000225h
		jmp	short loc_A36562
; 

loc_A36547:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+27Bj
		mov	eax, [ebp+arg_C]
		add	ecx, 2
		mov	[eax], ecx
		test	esi, esi
		jz	short loc_A36558
		cmp	[ebp+arg_8], ecx
		jnb	short loc_A3655F

loc_A36558:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+28Ej
		mov	eax, 0C0000023h
		jmp	short loc_A36562
; 

loc_A3655F:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+293j
		mov	eax, [ebp+var_18]

loc_A36562:				; CODE XREF: _CmMergeFilterLists(x,x,x,x,x,x)+282j
					; _CmMergeFilterLists(x,x,x,x,x,x)+29Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
__CmMergeFilterLists@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmSetDeviceInterfaceMappedPropertyFromRegValue(int,void *,int,int,int)
__CmSetDeviceInterfaceMappedPropertyFromRegValue@28 proc near
					; CODE XREF: _CmSetDeviceInterfaceMappedProperty+9E3ADp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		mov	[ebp+var_14], edx
		mov	esi, eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], eax
		mov	edx, [edi+10h]
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_18], edx
		cmp	edx, 2
		jnb	short loc_A3659F

loc_A36595:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+77j
		mov	esi, 0C0000230h
		jmp	loc_A36784
; 

loc_A3659F:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+2Aj
		mov	ebx, offset off_A42DD8
		mov	[ebp+arg_4], eax
		mov	ecx, eax

loc_A365A9:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+6Ej
		mov	eax, [ebx]
		mov	[ebp+var_1C], ebx
		cmp	edx, [eax+10h]
		jnz	short loc_A365C9
		push	10h		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A365DB
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+var_18]

loc_A365C9:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+48j
		add	ecx, 8
		xor	eax, eax
		add	ebx, 8
		mov	[ebp+arg_4], ecx
		cmp	ecx, 18h
		jb	short loc_A365A9
		jmp	short loc_A365DE
; 

loc_A365DB:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+58j
		mov	eax, [ebp+var_1C]

loc_A365DE:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+70j
		test	eax, eax
		jz	short loc_A36595
		mov	ecx, [eax+4]
		mov	eax, [ebp+arg_8]
		cmp	eax, ecx
		jz	short loc_A36609
		cmp	eax, 19h
		jnz	short loc_A36600
		cmp	ecx, 12h

loc_A365F4:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+9Ej
		jz	short loc_A36609
		mov	esi, 0C000000Dh
		jmp	loc_A36784
; 

loc_A36600:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+86j
		test	eax, eax
		jz	short loc_A36609
		cmp	eax, 1
		jmp	short loc_A365F4
; 

loc_A36609:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+81j
					; _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x):loc_A365F4j ...
		cmp	[ebp+arg_0], esi
		jnz	short loc_A36630
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_C]
		push	0
		push	eax
		push	0
		push	1
		push	ecx
		mov	ecx, [ebp+var_10]
		push	30h
		call	_CmOpenDeviceInterfaceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_A3675A

loc_A36630:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+A3j
		mov	ebx, [edi+10h]
		cmp	ebx, 2
		jnz	loc_A366C2
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceInterface_FriendlyName ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A36755
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_A3665E
		mov	eax, [ebp+var_C]

loc_A3665E:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+F0j
		mov	ecx, [ebp+var_10]
		test	ecx, ecx
		jz	short loc_A36668
		mov	ecx, [ecx+74h]

loc_A36668:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+FAj
		push	0
		lea	edx, [ebp+var_8]
		push	edx
		push	ecx
		push	0
		push	2
		push	0
		push	offset ??_C@_1CE@JDBBMLAG@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?5?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe@NNGAKEGL@ ; "Device Parameters"
		mov	edx, eax
		call	__SysCtxRegCreateKey@36	; _SysCtxRegCreateKey(x,x,x,x,x,x,x,x,x)
		mov	edi, 0C000017Ch
		cmp	eax, edi
		jnz	short loc_A36694

loc_A3668A:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+14Dj
					; _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+1AEj
		mov	esi, 0C0000034h
		jmp	loc_A3675A
; 

loc_A36694:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+11Fj
		test	eax, eax
		jns	short loc_A3669F

loc_A36698:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+157j
		mov	esi, eax
		jmp	loc_A3675A
; 

loc_A3669F:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+12Dj
		push	[ebp+arg_10]
		mov	ecx, [ebp+var_8]
		mov	edx, offset ??_C@_1BK@BFIEKNFP@?$AAF?$AAr?$AAi?$AAe?$AAn?$AAd?$AAl?$AAy?$AAN?$AAa?$AAm?$AAe@NNGAKEGL@ ;	"FriendlyName"
		push	[ebp+arg_C]
		push	1
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		cmp	eax, edi
		jz	short loc_A3668A

loc_A366B8:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+1ACj
		test	eax, eax
		jns	loc_A3675A
		jmp	short loc_A36698
; 

loc_A366C2:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+CDj
		cmp	ebx, 100h
		jnz	short loc_A3671C
		push	10h		; size_t
		push	offset _DEVPKEY_Device_InstanceId ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A36755
		mov	edx, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		push	2
		push	ecx
		mov	ecx, [ebp+var_10]
		push	31h
		call	_CmOpenDeviceInterfaceRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A3675A
		push	[ebp+arg_10]
		mov	ecx, [ebp+var_4]
		mov	edx, offset ??_C@_1BO@PDEOPOFH@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@NNGAKEGL@	; "DeviceInstance"
		push	[ebp+arg_C]
		push	1
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jnz	short loc_A366B8
		jmp	loc_A3668A
; 

loc_A3671C:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+15Fj
		cmp	ebx, 3
		jnz	short loc_A36735
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceInterface_Enabled	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A3674E

loc_A36735:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+1B6j
		cmp	ebx, 4
		jnz	short loc_A36755
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceInterface_ClassGuid ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A36755

loc_A3674E:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+1CAj
		mov	esi, 0C0000022h
		jmp	short loc_A3675A
; 

loc_A36755:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+E5j
					; _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+173j ...
		mov	esi, 0C0000230h

loc_A3675A:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+C1j
					; _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+126j ...
		cmp	[ebp+var_4], 0
		jz	short loc_A36768
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A36768:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+1F5j
		cmp	[ebp+var_8], 0
		jz	short loc_A36776
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_A36776:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+203j
		cmp	[ebp+var_C], 0
		jz	short loc_A36784
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_A36784:				; CODE XREF: _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+31j
					; _CmSetDeviceInterfaceMappedPropertyFromRegValue(x,x,x,x,x,x,x)+92j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
__CmSetDeviceInterfaceMappedPropertyFromRegValue@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmSetDeviceMappedPropertyFromDriverKeyRegValue(void *,int,int,int)
__CmSetDeviceMappedPropertyFromDriverKeyRegValue@24 proc near
					; CODE XREF: _CmSetDeviceMappedProperty+A0C24p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= word ptr -28h
var_1C		= word ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		mov	eax, [ebp+arg_8]
		and	[esp+44h+var_44], 0
		and	[esp+44h+var_40], 0
		push	ebx
		mov	[esp+48h+var_30], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [esp+50h+var_2C]
		mov	[esp+50h+var_38], edx
		stosd
		mov	esi, offset off_A42D08
		mov	[esp+50h+var_34], ecx
		xor	ebx, ebx
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_0]
		mov	edx, [eax+10h]
		mov	[esp+50h+var_3C], edx

loc_A367D9:				; CODE XREF: _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)+7Aj
		mov	ecx, [esi]
		mov	edi, esi
		cmp	edx, [ecx+10h]
		jnz	short loc_A367F9
		push	10h		; size_t
		push	ecx		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A36809
		mov	eax, [ebp+arg_0]
		mov	edx, [esp+50h+var_3C]

loc_A367F9:				; CODE XREF: _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)+53j
		add	ebx, 10h
		xor	edi, edi
		add	esi, 10h
		cmp	ebx, 0D0h
		jb	short loc_A367D9

loc_A36809:				; CODE XREF: _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)+63j
		test	edi, edi
		jnz	short loc_A36817
		mov	esi, 0C0000016h
		jmp	loc_A36930
; 

loc_A36817:				; CODE XREF: _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)+7Ej
		mov	ecx, [edi+4]
		mov	eax, [ebp+arg_4]
		cmp	eax, ecx
		jz	short loc_A3683E
		cmp	eax, 19h
		jnz	short loc_A36835
		cmp	ecx, 12h

loc_A36829:				; CODE XREF: _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)+AFj
		jz	short loc_A3683E
		mov	esi, 0C000000Dh
		jmp	loc_A36930
; 

loc_A36835:				; CODE XREF: _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)+97j
		test	eax, eax
		jz	short loc_A3683E
		cmp	eax, 1
		jmp	short loc_A36829
; 

loc_A3683E:				; CODE XREF: _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)+92j
					; _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x):loc_A36829j ...
		mov	edx, [esp+50h+var_38]
		lea	eax, [esp+50h+var_44]
		mov	ecx, [esp+50h+var_34]
		push	0
		push	eax
		push	1
		push	2
		push	0
		push	12h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_A36920
		mov	ecx, [edi+0Ch]
		push	[ebp+arg_C]
		mov	edx, [edi+8]
		mov	edi, [esp+54h+var_30]
		push	edi
		push	ecx
		mov	ecx, [esp+5Ch+var_44]
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jnz	short loc_A3688D
		mov	esi, 0C0000034h
		jmp	loc_A36920
; 

loc_A3688D:				; CODE XREF: _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)+F4j
		test	eax, eax
		jns	short loc_A36898
		mov	esi, eax
		jmp	loc_A36920
; 

loc_A36898:				; CODE XREF: _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)+102j
		mov	eax, [ebp+arg_0]
		cmp	dword ptr [eax+10h], 2
		jnz	short loc_A36920
		push	10h		; size_t
		push	offset _DEVPKEY_Device_DriverDate ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A36920
		lea	eax, [esp+50h+var_2C]
		push	eax
		push	edi
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		movsx	eax, word ptr [esp+50h+var_2C]
		push	eax
		movsx	eax, [esp+54h+var_28]
		push	eax
		movsx	eax, word ptr [esp+58h+var_2C+2]
		push	eax		; char
		push	offset ??_C@_1BC@GPHOKLFC@?$AA?$CF?$AAd?$AA?9?$AA?$CF?$AAd?$AA?9?$AA?$CF?$AAd@NNGAKEGL@	; wchar_t *
		lea	eax, [esp+60h+var_1C]
		push	0Bh		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 18h
		test	eax, eax
		js	short loc_A36920
		lea	eax, [esp+50h+var_40]
		push	eax
		push	0Bh
		pop	edx
		lea	ecx, [esp+54h+var_1C]
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		test	eax, eax
		js	short loc_A36920
		mov	eax, [esp+50h+var_40]
		mov	edx, offset ??_C@_1BG@IAFOGIBK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAe@NNGAKEGL@ ; "DriverDate"
		mov	ecx, [esp+50h+var_44]
		lea	eax, ds:2[eax*2]
		push	eax
		lea	eax, [esp+54h+var_1C]
		push	eax
		push	1
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)

loc_A36920:				; CODE XREF: _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)+D1j
					; _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)+FBj ...
		cmp	[esp+50h+var_44], 0
		jz	short loc_A36930
		push	[esp+50h+var_44]
		call	_ZwClose@4	; ZwClose(x)

loc_A36930:				; CODE XREF: _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)+85j
					; _CmSetDeviceMappedPropertyFromDriverKeyRegValue(x,x,x,x,x,x)+A3j ...
		mov	ecx, [esp+50h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	10h
__CmSetDeviceMappedPropertyFromDriverKeyRegValue@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmSetDeviceMappedPropertyFromInstanceKeyRegValue(int,void *,int,int,int)
__CmSetDeviceMappedPropertyFromInstanceKeyRegValue@28 proc near
					; CODE XREF: _CmSetDeviceMappedProperty+A0C5Ep

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_18], ecx
		mov	ecx, [eax+10h]
		push	edi
		mov	[ebp+var_10], ecx
		mov	edi, offset off_A42DF0
		mov	[ebp+var_14], edx
		mov	ecx, esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi

loc_A36972:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+5Cj
		mov	edx, [edi]
		mov	ebx, edi
		mov	eax, [ebp+var_10]
		cmp	eax, [edx+10h]
		mov	eax, [ebp+arg_4]
		jnz	short loc_A36994
		push	10h		; size_t
		push	edx		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A369A4
		mov	ecx, [ebp+var_8]

loc_A36994:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+39j
		add	ecx, 10h
		add	edi, 10h
		mov	[ebp+var_8], ecx
		mov	ebx, esi
		cmp	ecx, 20h
		jb	short loc_A36972

loc_A369A4:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+49j
		test	ebx, ebx
		jnz	short loc_A369B2
		mov	esi, 0C0000230h
		jmp	loc_A36A6A
; 

loc_A369B2:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+60j
		mov	eax, [ebp+arg_8]
		cmp	eax, [ebx+4]
		jz	short loc_A369C4
		mov	esi, 0C000000Dh
		jmp	loc_A36A6A
; 

loc_A369C4:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+72j
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_A369E7
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+var_18]
		push	esi
		push	eax
		push	esi
		push	2
		push	esi
		push	10h
		call	_CmOpenDeviceRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A36A5C

loc_A369E7:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+83j
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebx+8]
		mov	ebx, [ebx+0Ch]
		mov	[ebp+arg_8], ecx
		cmp	dword ptr [eax+10h], 2
		jnz	short loc_A36A31
		push	10h		; size_t
		push	offset _DEVPKEY_Device_Reported	; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A36A2E
		mov	eax, [ebp+arg_C]
		cmp	byte ptr [eax],	0FFh
		jnz	short loc_A36A1C
		mov	[ebp+var_C], 1

loc_A36A1C:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+CDj
		test	edi, edi
		jnz	short loc_A36A23
		mov	edi, [ebp+var_4]

loc_A36A23:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+D8j
		mov	edx, [ebp+arg_8]
		lea	eax, [ebp+var_C]
		push	4
		push	eax
		jmp	short loc_A36A40
; 

loc_A36A2E:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+C5j
		mov	ecx, [ebp+arg_8]

loc_A36A31:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+B1j
		test	edi, edi
		jnz	short loc_A36A38
		mov	edi, [ebp+var_4]

loc_A36A38:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+EDj
		push	[ebp+arg_10]
		mov	edx, ecx
		push	[ebp+arg_C]

loc_A36A40:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+E6j
		push	ebx
		mov	ecx, edi
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jnz	short loc_A36A56
		mov	esi, 0C000000Eh
		jmp	short loc_A36A5C
; 

loc_A36A56:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+107j
		test	eax, eax
		jns	short loc_A36A5C
		mov	esi, eax

loc_A36A5C:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+9Fj
					; _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+10Ej ...
		cmp	[ebp+var_4], 0
		jz	short loc_A36A6A
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A36A6A:				; CODE XREF: _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+67j
					; _CmSetDeviceMappedPropertyFromInstanceKeyRegValue(x,x,x,x,x,x,x)+79j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
__CmSetDeviceMappedPropertyFromInstanceKeyRegValue@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmSetDeviceMappedPropertyFromRegProp(int,void *,int,int,int)
__CmSetDeviceMappedPropertyFromRegProp@28 proc near
					; CODE XREF: _CmSetDeviceMappedProperty+A0BF2p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		and	[ebp+var_6C], 0
		push	ebx
		push	esi
		mov	esi, [ebp+arg_C]
		mov	ebx, offset __CmDeviceRegPropMap
		mov	[ebp+var_74], esi
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_5C], eax
		xor	eax, eax
		mov	[ebp+var_60], edx
		push	edi
		mov	edx, [esi+10h]
		mov	[ebp+var_64], ecx
		mov	[ebp+var_70], edx
		mov	[ebp+var_68], eax

loc_A36AB1:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+6Dj
		mov	ecx, [ebx]
		mov	edi, ebx
		cmp	edx, [ecx+10h]
		jnz	short loc_A36AD0
		push	10h		; size_t
		push	ecx		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A36AE2
		mov	eax, [ebp+var_68]
		mov	edx, [ebp+var_70]

loc_A36AD0:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+45j
		add	eax, 10h
		xor	edi, edi
		add	ebx, 10h
		mov	[ebp+var_68], eax
		cmp	eax, 210h
		jb	short loc_A36AB1

loc_A36AE2:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+55j
		mov	esi, [ebp+var_74]
		test	edi, edi
		jnz	short loc_A36AF3
		mov	eax, 0C0000230h
		jmp	loc_A36BBC
; 

loc_A36AF3:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+74j
		mov	edx, [edi+4]
		xor	ecx, ecx
		mov	eax, [ebp+arg_8]
		inc	ecx
		mov	ebx, [edi+8]
		cmp	eax, edx
		jz	short loc_A36B1F
		cmp	eax, 19h
		jnz	short loc_A36B17
		cmp	edx, 12h

loc_A36B0B:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+AAj
		jz	short loc_A36B1F

loc_A36B0D:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+E3j
					; _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+EDj ...
		mov	eax, 0C000000Dh
		jmp	loc_A36BBC
; 

loc_A36B17:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+93j
		test	eax, eax
		jz	short loc_A36B1F
		cmp	eax, ecx
		jmp	short loc_A36B0B
; 

loc_A36B1F:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+8Ej
					; _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x):loc_A36B0Bj ...
		mov	edi, [edi+0Ch]
		mov	eax, ebx
		sub	eax, 9
		jz	short loc_A36B83
		sub	eax, 10h
		jz	short loc_A36B7C
		dec	eax
		sub	eax, 1
		jz	short loc_A36B4F
		sub	eax, 0Ah
		jz	short loc_A36B83
		mov	eax, esi
		neg	eax
		push	0
		sbb	eax, eax
		and	eax, [ebp+arg_10]
		push	eax
		mov	eax, esi
		neg	eax
		sbb	eax, eax
		and	eax, esi
		jmp	short loc_A36BAB
; 

loc_A36B4F:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+BFj
		test	esi, esi
		jz	short loc_A36B6F
		cmp	[ebp+arg_10], ecx
		jb	short loc_A36B0D
		mov	al, [esi]
		cmp	al, 0FFh
		jz	short loc_A36B64
		test	al, al
		jnz	short loc_A36B0D
		xor	ecx, ecx

loc_A36B64:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+E9j
		push	4
		mov	[ebp+var_6C], ecx
		lea	eax, [ebp+var_6C]
		pop	ecx
		jmp	short loc_A36B73
; 

loc_A36B6F:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+DEj
		xor	eax, eax
		xor	ecx, ecx

loc_A36B73:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+FAj
		push	0
		push	ecx
		push	eax
		push	edi
		push	1Bh
		jmp	short loc_A36BAE
; 

loc_A36B7C:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+B9j
		mov	eax, 0C00000BBh
		jmp	short loc_A36BBC
; 

loc_A36B83:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+B4j
					; _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+C4j
		test	esi, esi
		jz	short loc_A36BA4
		cmp	[ebp+arg_10], 10h
		jb	short loc_A36B0D
		push	ecx		; int
		lea	edx, [ebp+var_58] ; void *
		mov	ecx, esi	; int
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		test	eax, eax
		js	short loc_A36BBC
		push	4Eh
		lea	eax, [ebp+var_58]
		pop	ecx
		jmp	short loc_A36BA8
; 

loc_A36BA4:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+112j
		xor	eax, eax
		xor	ecx, ecx

loc_A36BA8:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+12Fj
		push	0
		push	ecx

loc_A36BAB:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+DAj
		push	eax
		push	edi
		push	ebx

loc_A36BAE:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+107j
		push	[ebp+var_5C]
		mov	edx, [ebp+var_60]
		mov	ecx, [ebp+var_64]
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)

loc_A36BBC:				; CODE XREF: _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+7Bj
					; _CmSetDeviceMappedPropertyFromRegProp(x,x,x,x,x,x,x)+9Fj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
__CmSetDeviceMappedPropertyFromRegProp@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmSetInstallerClassMappedProperty(int,int,void	*,int,int,int)
__CmSetInstallerClassMappedProperty@32 proc near
					; CODE XREF: _PnpDispatchInstallerClass+ADD33p
					; _CmDeleteInstallerClassWorker(x,x,x)+177p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	[ebp+arg_4], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	esi, 0C0000016h
		mov	[ebp+var_8], ecx
		jnz	loc_A36D7E
		mov	edi, [ebp+arg_8]
		xor	ebx, ebx
		mov	ecx, ebx
		mov	[ebp+arg_4], ebx

loc_A36BF7:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+5Bj
		mov	edx, ds:__CmClassRegPropMap[ecx]
		test	edx, edx
		jz	short loc_A36C1C
		mov	eax, [edi+10h]
		cmp	eax, [edx+10h]
		jnz	short loc_A36C1C
		push	10h		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A36C2C
		mov	ecx, [ebp+arg_4]

loc_A36C1C:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+32j
					; _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+3Aj
		add	ecx, 10h
		mov	[ebp+arg_4], ecx
		cmp	ecx, 90h
		jb	short loc_A36BF7
		jmp	short loc_A36C52
; 

loc_A36C2C:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+4Aj
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+var_4]
		push	[ebp+arg_10]	; int
		mov	ecx, [ebp+var_8]
		push	[ebp+arg_C]	; int
		push	edi		; void *
		push	[ebp+arg_0]	; int
		call	__CmSetInstallerClassMappedPropertyFromRegProp@28 ; _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000016h
		jnz	loc_A36D7E

loc_A36C52:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+5Dj
		mov	edx, [edi+10h]
		mov	eax, ebx
		mov	[ebp+arg_8], edx
		mov	[ebp+arg_4], ebx

loc_A36C5D:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+BCj
		mov	ecx, ds:off_A42C38[eax]
		cmp	edx, [ecx+10h]
		jnz	short loc_A36C7E
		push	10h		; size_t
		push	ecx		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A36C8D
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_8]

loc_A36C7E:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+99j
		add	eax, 10h
		mov	[ebp+arg_4], eax
		cmp	eax, 0D0h
		jb	short loc_A36C5D
		jmp	short loc_A36CE4
; 

loc_A36C8D:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+A9j
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_A36CB1
		cmp	eax, 1
		jz	short loc_A36CB1
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+var_4]
		push	[ebp+arg_10]	; int
		mov	ecx, [ebp+var_8]
		push	eax		; int
		push	edi		; void *
		push	[ebp+arg_0]	; int
		call	__CmSetInstallerClassMappedPropertyFromRegValue@28 ; _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)
		jmp	short loc_A36CC0
; 

loc_A36CB1:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+C5j
					; _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+CAj
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	edi		; void *
		push	[ebp+arg_0]	; int
		call	__CmDeleteInstallerClassMappedPropertyFromRegValue@16 ;	_CmDeleteInstallerClassMappedPropertyFromRegValue(x,x,x,x)

loc_A36CC0:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+E2j
		mov	esi, eax
		test	esi, esi
		js	short loc_A36CD8
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	edi
		push	ebx
		push	[ebp+arg_0]
		push	2
		call	_PnpObjectRaisePropertyChangeEvent

loc_A36CD8:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+F7j
		cmp	esi, 0C0000016h
		jnz	loc_A36D7E

loc_A36CE4:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+BEj
		cmp	dword ptr [edi+10h], 2
		jnz	short loc_A36D4B
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_ClassCoInstallers ;	void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A36D4B
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_A36D1F
		cmp	eax, 1
		jz	short loc_A36D1F
		push	[ebp+arg_14]
		mov	edx, [ebp+var_4]
		push	[ebp+arg_10]
		push	eax
		push	ecx
		mov	ecx, [ebp+var_8]
		call	__CmSetInstallerClassMappedPropertyFromCoInstallers@24 ; _CmSetInstallerClassMappedPropertyFromCoInstallers(x,x,x,x,x,x)
		jmp	short loc_A36D2B
; 

loc_A36D1F:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+136j
					; _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+13Bj
		mov	edx, [ebp+var_4]
		push	ecx
		mov	ecx, [ebp+var_8]
		call	__CmDeleteInstallerClassMappedPropertyFromCoInstallers@12 ; _CmDeleteInstallerClassMappedPropertyFromCoInstallers(x,x,x)

loc_A36D2B:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+150j
		mov	esi, eax
		test	esi, esi
		js	short loc_A36D43
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	edi
		push	ebx
		push	[ebp+arg_0]
		push	2
		call	_PnpObjectRaisePropertyChangeEvent

loc_A36D43:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+162j
		cmp	esi, 0C0000016h
		jnz	short loc_A36D7E

loc_A36D4B:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+11Bj
					; _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+12Fj
		mov	ecx, [edi+10h]
		mov	[ebp+arg_0], ecx

loc_A36D51:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+1A8j
		mov	eax, ds:off_A42F10[ebx]
		cmp	ecx, [eax+10h]
		jnz	short loc_A36D6F
		push	10h		; size_t
		push	eax		; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A36D79
		mov	ecx, [ebp+arg_0]

loc_A36D6F:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+18Dj
		add	ebx, 8
		cmp	ebx, 20h
		jb	short loc_A36D51
		jmp	short loc_A36D7E
; 

loc_A36D79:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+19Dj
		mov	esi, 0C0000022h

loc_A36D7E:				; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+1Aj
					; _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+7Fj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
__CmSetInstallerClassMappedProperty@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _CmSetInstallerClassMappedPropertyFromCoInstallers(x, x, x,	x, x, x)
__CmSetInstallerClassMappedPropertyFromCoInstallers@24 proc near
					; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+14Bp

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		xor	esi, esi
		cmp	[ebp+arg_4], 2012h
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], esi
		jz	short loc_A36DA7
		mov	esi, 0C000000Dh
		jmp	short loc_A36DDD
; 

loc_A36DA7:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromCoInstallers(x,x,x,x,x,x)+17j
		lea	eax, [ebp+var_4]
		push	eax
		push	0Dh
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		test	eax, eax
		js	short loc_A36DDB
		push	[ebp+arg_C]
		mov	ecx, [ebp+var_4]
		mov	edx, edi
		push	[ebp+arg_8]
		push	7
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jnz	short loc_A36DD7
		mov	esi, 0C00000E5h
		jmp	short loc_A36DDD
; 

loc_A36DD7:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromCoInstallers(x,x,x,x,x,x)+47j
		test	eax, eax
		jns	short loc_A36DDD

loc_A36DDB:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromCoInstallers(x,x,x,x,x,x)+2Ej
		mov	esi, eax

loc_A36DDD:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromCoInstallers(x,x,x,x,x,x)+1Ej
					; _CmSetInstallerClassMappedPropertyFromCoInstallers(x,x,x,x,x,x)+4Ej ...
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	10h
__CmSetInstallerClassMappedPropertyFromCoInstallers@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmSetInstallerClassMappedPropertyFromRegProp(int,void *,int,int,int)
__CmSetInstallerClassMappedPropertyFromRegProp@28 proc near
					; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+72p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	[ebp+var_C], edx
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], ecx
		mov	eax, [edx+10h]
		mov	ebx, offset __CmClassRegPropMap
		mov	[ebp+var_14], eax
		mov	eax, esi
		push	edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi

loc_A36E0E:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+5Bj
		mov	ecx, [ebx]
		mov	edi, ebx
		mov	edx, [ebp+var_14]
		cmp	edx, [ecx+10h]
		mov	edx, [ebp+arg_4]
		jnz	short loc_A36E30
		push	10h		; size_t
		push	ecx		; void *
		push	edx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A36E42
		mov	eax, [ebp+var_4]

loc_A36E30:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+36j
		add	eax, 10h
		add	ebx, 10h
		mov	[ebp+var_4], eax
		mov	edi, esi
		cmp	eax, 90h
		jb	short loc_A36E0E

loc_A36E42:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+46j
		test	edi, edi
		jnz	short loc_A36E50
		mov	eax, 0C0000230h
		jmp	loc_A36ED9
; 

loc_A36E50:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+5Fj
		mov	edx, [edi+4]
		xor	ecx, ecx
		mov	eax, [ebp+arg_8]
		inc	ecx
		mov	ebx, [edi+8]
		cmp	eax, edx
		jz	short loc_A36E79
		cmp	eax, 19h
		jnz	short loc_A36E71
		cmp	edx, 12h

loc_A36E68:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+92j
		jz	short loc_A36E79

loc_A36E6A:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+CCj
					; _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+D6j
		mov	eax, 0C000000Dh
		jmp	short loc_A36ED9
; 

loc_A36E71:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+7Ej
		test	eax, eax
		jz	short loc_A36E79
		cmp	eax, ecx
		jmp	short loc_A36E68
; 

loc_A36E79:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+79j
					; _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x):loc_A36E68j ...
		mov	edx, [edi+0Ch]
		mov	eax, ebx
		sub	eax, 19h
		jz	short loc_A36ED4
		dec	eax
		sub	eax, 1
		mov	eax, [ebp+arg_C]
		jz	short loc_A36EAA
		neg	eax
		push	ecx
		sbb	eax, eax
		and	eax, [ebp+arg_10]
		push	eax
		push	[ebp+arg_C]
		push	edx
		push	ebx

loc_A36E9A:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+EDj
		push	[ebp+arg_0]
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		call	__CmSetInstallerClassRegProp@32	; _CmSetInstallerClassRegProp(x,x,x,x,x,x,x,x)
		jmp	short loc_A36ED9
; 

loc_A36EAA:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+A5j
		test	eax, eax
		jz	short loc_A36ECA
		cmp	[ebp+arg_10], ecx
		jb	short loc_A36E6A
		mov	al, [eax]
		cmp	al, 0FFh
		jz	short loc_A36EBF
		test	al, al
		jnz	short loc_A36E6A
		mov	ecx, esi

loc_A36EBF:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+D2j
		push	4
		mov	[ebp+var_8], ecx
		lea	esi, [ebp+var_8]
		pop	eax
		jmp	short loc_A36ECC
; 

loc_A36ECA:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+C7j
		mov	eax, esi

loc_A36ECC:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+E3j
		push	ecx
		push	eax
		push	esi
		push	edx
		push	1Bh
		jmp	short loc_A36E9A
; 

loc_A36ED4:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+9Cj
		mov	eax, 0C00000BBh

loc_A36ED9:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+66j
					; _CmSetInstallerClassMappedPropertyFromRegProp(x,x,x,x,x,x,x)+8Aj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
__CmSetInstallerClassMappedPropertyFromRegProp@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmSetInstallerClassMappedPropertyFromRegValue(int,void	*,int,int,int)
__CmSetInstallerClassMappedPropertyFromRegValue@28 proc	near
					; CODE XREF: _CmSetInstallerClassMappedProperty(x,x,x,x,x,x,x,x)+DDp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		mov	ebx, [ebp+arg_4]
		xor	eax, eax
		push	esi
		mov	[ebp+var_1C], edx
		mov	esi, eax
		push	edi
		mov	edx, [ebx+10h]
		mov	edi, offset off_A42C38
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_18], edx
		mov	[ebp+var_C], eax

loc_A36F0F:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+62j
		mov	ecx, [edi]
		mov	[ebp+arg_4], edi
		cmp	edx, [ecx+10h]
		jnz	short loc_A36F2F
		push	10h		; size_t
		push	ecx		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A36F46
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_18]

loc_A36F2F:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+37j
		add	eax, 10h
		xor	ecx, ecx
		add	edi, 10h
		mov	[ebp+arg_4], ecx
		mov	[ebp+var_C], eax
		cmp	eax, 0D0h
		jb	short loc_A36F0F
		jmp	short loc_A36F49
; 

loc_A36F46:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+47j
		mov	ecx, [ebp+arg_4]

loc_A36F49:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+64j
		test	ecx, ecx
		jnz	short loc_A36F57
		mov	esi, 0C0000016h
		jmp	loc_A37160
; 

loc_A36F57:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+6Bj
		mov	edx, [ecx+4]
		mov	eax, [ebp+arg_8]
		cmp	eax, edx
		jz	short loc_A36F7E
		cmp	eax, 19h
		jnz	short loc_A36F75
		cmp	edx, 12h

loc_A36F69:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+9Cj
		jz	short loc_A36F7E
		mov	esi, 0C000000Dh
		jmp	loc_A37160
; 

loc_A36F75:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+84j
		test	eax, eax
		jz	short loc_A36F7E
		cmp	eax, 1
		jmp	short loc_A36F69
; 

loc_A36F7E:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+7Fj
					; _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x):loc_A36F69j ...
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_A36FAA
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	3
		push	ecx
		mov	ecx, [ebp+var_10]
		push	20h
		call	_CmOpenCommonClassRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_A37144
		mov	ecx, [ebp+arg_4]

loc_A36FAA:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+A3j
		mov	eax, [ecx+8]
		mov	[ebp+arg_0], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+arg_8], eax
		mov	eax, [ebx+10h]
		mov	[ebp+arg_4], eax
		cmp	eax, 7
		jnz	short loc_A36FD8
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_NoInstallClass ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A37049
		mov	eax, [ebp+arg_4]

loc_A36FD8:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+DFj
		cmp	eax, 8
		jnz	short loc_A36FF4
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_NoDisplayClass ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A37049
		mov	eax, [ebp+arg_4]

loc_A36FF4:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+FBj
		cmp	eax, 9
		jnz	short loc_A37010
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_SilentInstall ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A37049
		mov	eax, [ebp+arg_4]

loc_A37010:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+117j
		cmp	eax, 0Ah
		jnz	short loc_A3702C
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_NoUseClass ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A37049
		mov	eax, [ebp+arg_4]

loc_A3702C:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+133j
		cmp	eax, 0Fh
		jnz	short loc_A3709E
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_FSFilterClass ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A37124

loc_A37049:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+F3j
					; _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+10Fj ...
		cmp	[ebp+arg_10], 1
		jnb	short loc_A37059

loc_A3704F:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+18Bj
					; _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+1DBj ...
		mov	esi, 0C000000Dh
		jmp	loc_A37144
; 

loc_A37059:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+16Dj
		mov	eax, [ebp+arg_C]
		mov	al, [eax]
		cmp	al, 0FFh
		jnz	short loc_A37069
		mov	eax, offset ??_C@_13JGCMLPCH@?$AA1@NNGAKEGL@
		jmp	short loc_A37072
; 

loc_A37069:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+180j
		test	al, al
		jnz	short loc_A3704F
		mov	eax, offset ??_C@_13COJANIEC@?$AA0@NNGAKEGL@

loc_A37072:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+187j
		test	edi, edi
		jnz	short loc_A37079
		mov	edi, [ebp+var_4]

loc_A37079:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+194j
		mov	ecx, edi

loc_A3707B:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+21Cj
		mov	edx, [ebp+arg_0]
		push	4
		push	eax
		push	[ebp+arg_8]
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		cmp	eax, 0C000017Ch
		jnz	loc_A3713E
		mov	esi, 0C0000034h
		jmp	loc_A37144
; 

loc_A3709E:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+14Fj
		cmp	eax, 2
		jnz	short loc_A37101
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_DHPRebalanceOptOut ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A37124
		cmp	[ebp+arg_10], 1
		jb	short loc_A3704F
		mov	eax, [ebp+arg_C]
		mov	al, [eax]
		cmp	al, 0FFh
		jnz	short loc_A370CB
		xor	eax, eax
		inc	eax
		jmp	short loc_A370D1
; 

loc_A370CB:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+1E4j
		test	al, al
		jnz	short loc_A3704F
		xor	eax, eax

loc_A370D1:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+1E9j
		mov	[ebp+var_14], eax
		test	edi, edi
		jnz	short loc_A370DB
		mov	edi, [ebp+var_4]

loc_A370DB:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+1F6j
		lea	eax, [ebp+var_8]
		mov	edx, edi
		push	eax
		push	ecx
		mov	ecx, [ebp+var_10]
		push	1
		push	2
		push	0
		call	_PnpOpenPropertiesKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A37144
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_14]
		jmp	loc_A3707B
; 

loc_A37101:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+1C1j
		cmp	eax, 3
		jnz	short loc_A37124
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceClass_ClassName ;	void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A37124
		cmp	[ebp+arg_10], 40h
		ja	loc_A3704F

loc_A37124:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+163j
					; _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+1D5j ...
		test	edi, edi
		jnz	short loc_A3712B
		mov	edi, [ebp+var_4]

loc_A3712B:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+246j
		push	[ebp+arg_10]
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)

loc_A3713E:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+1AEj
		test	eax, eax
		jns	short loc_A37144
		mov	esi, eax

loc_A37144:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+C1j
					; _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+174j ...
		cmp	[ebp+var_8], 0
		jz	short loc_A37152
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_A37152:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+268j
		cmp	[ebp+var_4], 0
		jz	short loc_A37160
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A37160:				; CODE XREF: _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+72j
					; _CmSetInstallerClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+90j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
__CmSetInstallerClassMappedPropertyFromRegValue@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmSetInterfaceClassMappedProperty(int,int,void	*,int,int,int)
__CmSetInterfaceClassMappedProperty@32 proc near
					; CODE XREF: _PnpDispatchInterfaceClass+1185CDp
					; _CmDeleteInterfaceClassWorker(x,x,x)+162p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	[ebp+arg_4], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	esi, 0C0000016h
		mov	[ebp+var_8], ecx
		jnz	loc_A3724B
		mov	ebx, [ebp+arg_8]
		xor	edi, edi
		mov	ecx, edi
		mov	[ebp+arg_4], edi

loc_A37193:				; CODE XREF: _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+58j
		mov	edx, ds:off_A42EE8[ecx]
		test	edx, edx
		jz	short loc_A371B8
		mov	eax, [ebx+10h]
		cmp	eax, [edx+10h]
		jnz	short loc_A371B8
		push	10h		; size_t
		push	edx		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A371C5
		mov	ecx, [ebp+arg_4]

loc_A371B8:				; CODE XREF: _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+32j
					; _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+3Aj
		add	ecx, 8
		mov	[ebp+arg_4], ecx
		cmp	ecx, 8
		jb	short loc_A37193
		jmp	short loc_A37218
; 

loc_A371C5:				; CODE XREF: _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+4Aj
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_A371E9
		cmp	eax, 1
		jz	short loc_A371E9
		push	[ebp+arg_14]	; int
		mov	edx, [ebp+var_4]
		push	[ebp+arg_10]	; int
		mov	ecx, [ebp+var_8]
		push	eax		; int
		push	ebx		; void *
		push	[ebp+arg_0]	; int
		call	__CmSetInterfaceClassMappedPropertyFromRegValue@28 ; _CmSetInterfaceClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)
		jmp	short loc_A371F8
; 

loc_A371E9:				; CODE XREF: _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+61j
					; _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+66j
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	ebx		; void *
		push	[ebp+arg_0]	; int
		call	__CmDeleteInterfaceClassMappedPropertyFromRegValue@16 ;	_CmDeleteInterfaceClassMappedPropertyFromRegValue(x,x,x,x)

loc_A371F8:				; CODE XREF: _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+7Ej
		mov	esi, eax
		test	esi, esi
		js	short loc_A37210
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	ebx
		push	edi
		push	[ebp+arg_0]
		push	4
		call	_PnpObjectRaisePropertyChangeEvent

loc_A37210:				; CODE XREF: _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+93j
		cmp	esi, 0C0000016h
		jnz	short loc_A3724B

loc_A37218:				; CODE XREF: _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+5Aj
		mov	ecx, [ebx+10h]
		mov	[ebp+arg_0], ecx

loc_A3721E:				; CODE XREF: _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+D9j
		mov	eax, ds:off_A42F30[edi]
		cmp	ecx, [eax+10h]
		jnz	short loc_A3723C
		push	10h		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A37246
		mov	ecx, [ebp+arg_0]

loc_A3723C:				; CODE XREF: _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+BEj
		add	edi, 8
		cmp	edi, 8
		jb	short loc_A3721E
		jmp	short loc_A3724B
; 

loc_A37246:				; CODE XREF: _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+CEj
		mov	esi, 0C0000022h

loc_A3724B:				; CODE XREF: _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+1Aj
					; _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+ADj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
__CmSetInterfaceClassMappedProperty@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	_CmSetInterfaceClassMappedPropertyFromRegValue(int,void	*,int,int,int)
__CmSetInterfaceClassMappedPropertyFromRegValue@28 proc	near
					; CODE XREF: _CmSetInterfaceClassMappedProperty(x,x,x,x,x,x,x,x)+79p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_1C], edx
		mov	eax, [eax+10h]
		and	[ebp+var_4], esi
		and	[ebp+var_8], esi
		mov	[ebp+var_14], ecx
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], eax
		push	edi
		cmp	eax, 2
		jnb	short loc_A37288

loc_A3727E:				; CODE XREF: _CmSetInterfaceClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+75j
		mov	esi, 0C0000230h
		jmp	loc_A37386
; 

loc_A37288:				; CODE XREF: _CmSetInterfaceClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+28j
		mov	esi, [ebp+arg_4]
		xor	ecx, ecx
		mov	edi, offset off_A42EE8
		mov	[ebp+var_C], ecx

loc_A37295:				; CODE XREF: _CmSetInterfaceClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+6Ej
		mov	edx, [edi]
		mov	ebx, edi
		cmp	eax, [edx+10h]
		jnz	short loc_A372B4
		push	10h		; size_t
		push	edx		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A372C4
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_C]

loc_A372B4:				; CODE XREF: _CmSetInterfaceClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+48j
		add	ecx, 8
		xor	ebx, ebx
		add	edi, 8
		mov	[ebp+var_C], ecx
		cmp	ecx, 8
		jb	short loc_A37295

loc_A372C4:				; CODE XREF: _CmSetInterfaceClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+58j
		mov	esi, [ebp+var_18]
		test	ebx, ebx
		jz	short loc_A3727E
		mov	eax, [ebp+arg_8]
		cmp	eax, [ebx+4]
		jz	short loc_A372DD
		mov	esi, 0C000000Dh
		jmp	loc_A37386
; 

loc_A372DD:				; CODE XREF: _CmSetInterfaceClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+7Dj
		cmp	[ebp+var_10], 2
		jnz	loc_A37386
		mov	eax, [ebp+arg_4]
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceInterfaceClass_DefaultInterface ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A37386
		mov	edx, [ebp+arg_0]
		mov	edi, [ebp+var_14]
		test	edx, edx
		jnz	short loc_A3732C
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	1
		push	ecx
		push	40h
		mov	ecx, edi
		call	_CmOpenCommonClassRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A37378
		mov	edx, [ebp+var_4]

loc_A3732C:				; CODE XREF: _CmSetInterfaceClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+B6j
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		push	1
		push	2
		push	0
		mov	ecx, edi
		call	_PnpOpenPropertiesKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A37378
		push	[ebp+arg_10]
		mov	ecx, [ebp+var_8]
		mov	edx, offset ??_C@_1BA@GHOECOCL@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt@NNGAKEGL@ ; "D"
		push	[ebp+arg_C]
		push	1
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		push	[ebp+var_8]
		mov	edi, eax
		call	_ZwClose@4	; ZwClose(x)
		cmp	edi, 0C000017Ch
		jnz	short loc_A37372
		mov	esi, 0C0000034h
		jmp	short loc_A37378
; 

loc_A37372:				; CODE XREF: _CmSetInterfaceClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+115j
		test	edi, edi
		jns	short loc_A37378
		mov	esi, edi

loc_A37378:				; CODE XREF: _CmSetInterfaceClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+D3j
					; _CmSetInterfaceClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+EEj ...
		cmp	[ebp+var_4], 0
		jz	short loc_A37386
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A37386:				; CODE XREF: _CmSetInterfaceClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+2Fj
					; _CmSetInterfaceClassMappedPropertyFromRegValue(x,x,x,x,x,x,x)+84j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
__CmSetInterfaceClassMappedPropertyFromRegValue@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpCmMatchCallbackRoutine(x, x, x,	x)
__PnpCmMatchCallbackRoutine@16 proc near ; DATA	XREF: _PnpDispatchDeviceContainer+13369Bo
					; _PnpDispatchInstallerClass+ADCD3o ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_8]
		call	_CmMapCmObjectTypeToPnpObjectType
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_A373A6
		xor	al, al
		jmp	short loc_A373B5
; 

loc_A373A6:				; CODE XREF: _PnpCmMatchCallbackRoutine(x,x,x,x)+11j
		mov	eax, [ebp+arg_C]
		push	dword ptr [eax+4]
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	dword ptr [eax]

loc_A373B5:				; CODE XREF: _PnpCmMatchCallbackRoutine(x,x,x,x)+15j
		pop	ebp
		retn	10h
__PnpCmMatchCallbackRoutine@16 endp


;  S U B	R O U T	I N E 


; __stdcall _SysCtxCloseMachine(x)
__SysCtxCloseMachine@4 proc near	; CODE XREF: _PnpCtxCreateNode+DDp
					; _PnpCtxDestroyNode(x)+C4p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_A373CB
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A373CB:				; CODE XREF: _SysCtxCloseMachine(x)+Aj
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_A373D8
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A373D8:				; CODE XREF: _SysCtxCloseMachine(x)+17j
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_A373E5
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A373E5:				; CODE XREF: _SysCtxCloseMachine(x)+24j
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_A373F2
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A373F2:				; CODE XREF: _SysCtxCloseMachine(x)+31j
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_A373FF
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A373FF:				; CODE XREF: _SysCtxCloseMachine(x)+3Ej
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		pop	esi
		retn
__SysCtxCloseMachine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _SysCtxRegOpenCurrentUserKey(x, x, x, x)
__SysCtxRegOpenCurrentUserKey@16 proc near
					; CODE XREF: _CmOpenDeviceContainerRegKeyWorker+1335D1p
					; _CmOpenCommonClassRegKeyWorker+117EA1p ...

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebx+0Ch]
		push	esi
		push	edi
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	200h
		mov	[ebp+var_84], ecx
		xor	ecx, ecx
		push	ecx
		push	8
		push	0FFFFFFFEh
		mov	[ebp+var_98], edx
		mov	edi, ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_74], ecx
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_78], ecx
		mov	[ebp+var_6C], ecx
		mov	word ptr [ebp+var_68], 500h
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_88], ecx
		mov	[ebp+var_80], ecx
		mov	[ebp+var_70], ecx
		call	_ZwOpenThreadTokenEx@20	; ZwOpenThreadTokenEx(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C000007Ch
		jnz	short loc_A374A5
		lea	eax, [ebp+var_64]
		push	eax
		push	200h
		push	8
		push	0FFFFFFFFh
		call	_ZwOpenProcessTokenEx@16 ; ZwOpenProcessTokenEx(x,x,x,x)
		mov	esi, eax

loc_A374A5:				; CODE XREF: _SysCtxRegOpenCurrentUserKey(x,x,x,x)+84j
		test	esi, esi
		js	loc_A37657
		lea	eax, [ebp+var_78]
		push	eax
		push	4
		lea	eax, [ebp+var_74]
		push	eax
		push	8
		push	[ebp+var_64]
		call	_ZwQueryInformationToken@20 ; ZwQueryInformationToken(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A37657
		cmp	[ebp+var_74], 2
		jnz	short loc_A374FF
		lea	eax, [ebp+var_78]
		push	eax
		push	4
		lea	eax, [ebp+var_7C]
		push	eax
		push	9
		push	[ebp+var_64]
		call	_ZwQueryInformationToken@20 ; ZwQueryInformationToken(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A37657
		cmp	[ebp+var_7C], 2
		jge	short loc_A3750F
		mov	esi, 0C0000022h
		jmp	loc_A37657
; 

loc_A374FF:				; CODE XREF: _SysCtxRegOpenCurrentUserKey(x,x,x,x)+C4j
		cmp	[ebp+var_74], 1
		jz	short loc_A3750F

loc_A37505:				; CODE XREF: _SysCtxRegOpenCurrentUserKey(x,x,x,x)+167j
		mov	esi, 0C00000BBh
		jmp	loc_A37657
; 

loc_A3750F:				; CODE XREF: _SysCtxRegOpenCurrentUserKey(x,x,x,x)+E8j
					; _SysCtxRegOpenCurrentUserKey(x,x,x,x)+F8j
		lea	eax, [ebp+var_78]
		push	eax
		push	4Ch
		lea	eax, [ebp+var_60]
		push	eax
		push	1
		push	[ebp+var_64]
		call	_ZwQueryInformationToken@20 ; ZwQueryInformationToken(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A37657
		mov	eax, [ebp+var_60]
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_6C]
		push	1
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A37657
		push	0
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	esi, [ebp+var_90]
		push	esi
		mov	dword ptr [eax], 12h
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlEqualSid@8	; RtlEqualSid(x,x)
		test	al, al
		jnz	short loc_A37505
		push	1
		push	esi
		lea	eax, [ebp+var_8C]
		push	eax
		call	RtlConvertSidToUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_A37657
		mov	ecx, [ebp+var_8C]
		lea	eax, [ebp+var_70]
		push	eax
		push	1Eh
		pop	edx
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A37657
		mov	ecx, [ebp+var_70]
		lea	eax, [ebp+var_70]
		push	eax
		push	2
		pop	edx
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A37657
		mov	esi, [ebp+var_70]
		push	53504E50h
		movzx	eax, si
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A375E2
		mov	esi, 0C0000017h
		jmp	short loc_A37657
; 

loc_A375E2:				; CODE XREF: _SysCtxRegOpenCurrentUserKey(x,x,x,x)+1CEj
		xor	eax, eax
		mov	word ptr [ebp+var_6C+2], si
		mov	word ptr [ebp+var_6C], ax
		lea	eax, [ebp+var_6C]
		push	offset dword_405014
		push	eax
		mov	[ebp+var_68], edi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A37657
		lea	eax, [ebp+var_8C]
		push	eax
		lea	eax, [ebp+var_6C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A37657
		mov	ecx, [ebp+var_84]
		lea	eax, [ebp+var_80]
		push	eax
		push	3
		pop	edx
		call	__SysCtxGetCachedContextBaseKey@12 ; _SysCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A37657
		push	[ebp+var_94]
		mov	eax, [ebp+var_68]
		push	dword ptr [ebx+8]
		mov	edx, [ebp+var_80]
		add	eax, 1Eh
		push	[ebp+var_98]
		mov	ecx, [ebp+var_84]
		push	eax
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax

loc_A37657:				; CODE XREF: _SysCtxRegOpenCurrentUserKey(x,x,x,x)+9Cj
					; _SysCtxRegOpenCurrentUserKey(x,x,x,x)+BAj ...
		cmp	[ebp+var_64], 0
		jz	short loc_A37665
		push	[ebp+var_64]
		call	_ZwClose@4	; ZwClose(x)

loc_A37665:				; CODE XREF: _SysCtxRegOpenCurrentUserKey(x,x,x,x)+250j
		lea	eax, [ebp+var_8C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	edi, edi
		jz	short loc_A3767D
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3767D:				; CODE XREF: _SysCtxRegOpenCurrentUserKey(x,x,x,x)+268j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	8
__SysCtxRegOpenCurrentUserKey@16 endp ;	sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpGetPropertiesSecurityDescriptor(x)
__PnpGetPropertiesSecurityDescriptor@4 proc near
					; CODE XREF: _PnpOpenPropertiesKey:loc_91A063p

var_30		= dword	ptr -30h
var_2C		= word ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[esp+38h+var_2C], 500h
		push	esi
		push	edi
		mov	ebx, eax
		mov	[esp+40h+var_30], eax
		lea	edi, [esp+40h+var_24]
		mov	[esp+40h+var_28], ebx
		stosd
		push	1
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+44h+var_30]
		push	eax
		lea	eax, [esp+48h+var_10]
		push	eax
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_A37833
		push	ebx
		lea	eax, [esp+44h+var_10]
		push	eax
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		mov	dword ptr [eax], 12h
		lea	eax, [esp+40h+var_10]
		push	eax
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_A37833
		lea	eax, [esp+40h+var_10]
		push	eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	52504E50h
		lea	esi, [eax+10h]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A37833
		push	2		; int
		push	esi		; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		test	eax, eax
		js	loc_A3782B
		push	ebx
		lea	eax, [esp+44h+var_10]
		mov	ecx, edi
		push	eax
		push	0F003Fh
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_A3782B
		xor	esi, esi
		lea	eax, [esp+40h+var_24]
		inc	esi
		push	esi
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		js	loc_A3782B
		push	ebx
		push	edi
		push	esi
		lea	eax, [esp+4Ch+var_24]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		test	eax, eax
		js	loc_A3782B
		push	esi
		lea	eax, [esp+44h+var_10]
		push	eax
		lea	eax, [esp+48h+var_24]
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		test	eax, eax
		js	loc_A3782B
		push	esi
		lea	eax, [esp+44h+var_10]
		push	eax
		lea	eax, [esp+48h+var_24]
		push	eax
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		test	eax, eax
		js	short loc_A3782B
		mov	eax, 1400h
		or	word ptr [esp+40h+var_24+2], ax
		lea	eax, [esp+40h+var_24]
		push	eax
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jz	short loc_A3782B
		lea	eax, [esp+40h+var_24]
		push	eax
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	ebx, eax
		mov	[esp+40h+var_30], ebx
		cmp	ebx, 14h
		jb	short loc_A37827
		push	52504E50h
		push	ebx
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A37827
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+40h+var_30]
		push	eax
		push	esi
		lea	eax, [esp+48h+var_24]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		test	eax, eax
		js	short loc_A37815
		mov	ebx, esi
		xor	esi, esi
		jmp	short loc_A37819
; 

loc_A37815:				; CODE XREF: _PnpGetPropertiesSecurityDescriptor(x)+179j
		mov	ebx, [esp+40h+var_28]

loc_A37819:				; CODE XREF: _PnpGetPropertiesSecurityDescriptor(x)+17Fj
		test	esi, esi
		jz	short loc_A3782B
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A3782B
; 

loc_A37827:				; CODE XREF: _PnpGetPropertiesSecurityDescriptor(x)+147j
					; _PnpGetPropertiesSecurityDescriptor(x)+159j
		mov	ebx, [esp+40h+var_28]

loc_A3782B:				; CODE XREF: _PnpGetPropertiesSecurityDescriptor(x)+A0j
					; _PnpGetPropertiesSecurityDescriptor(x)+BFj ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A37833:				; CODE XREF: _PnpGetPropertiesSecurityDescriptor(x)+48j
					; _PnpGetPropertiesSecurityDescriptor(x)+6Bj ...
		mov	ecx, [esp+40h+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
__PnpGetPropertiesSecurityDescriptor@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _NtPlugPlayGetDeviceRelationsList(x, x, x, x, x, x,	x)
__NtPlugPlayGetDeviceRelationsList@28 proc near
					; CODE XREF: _CmGetDeviceRelationsList(x,x,x,x,x,x,x)+47p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	edi
		push	eax
		push	4
		mov	edi, edx
		mov	esi, ecx
		pop	edx
		call	__PnpCtxGetNtPlugPlayRoutine@12	; _PnpCtxGetNtPlugPlayRoutine(x,x,x)
		test	eax, eax
		js	short loc_A37893
		cmp	[ebp+var_4], 0
		jnz	short loc_A37874
		mov	eax, 0C0000002h
		jmp	short loc_A37893
; 

loc_A37874:				; CODE XREF: _NtPlugPlayGetDeviceRelationsList(x,x,x,x,x,x,x)+24j
		push	0
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	esi
		call	[ebp+var_4]
		cmp	eax, 80000005h
		jnz	short loc_A37893
		mov	eax, 0C0000023h

loc_A37893:				; CODE XREF: _NtPlugPlayGetDeviceRelationsList(x,x,x,x,x,x,x)+1Ej
					; _NtPlugPlayGetDeviceRelationsList(x,x,x,x,x,x,x)+2Bj	...
		pop	edi
		pop	esi
		leave
		retn	14h
__NtPlugPlayGetDeviceRelationsList@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _PnpMultiSzAppend(x, x, x, x)
__PnpMultiSzAppend@16 proc near		; CODE XREF: _CmAppendDeclarativeDefaultFilters(x,x,x,x,x,x,x)+51p
					; _CmAppendDeclarativeFilterLevel(x,x,x,x,x,x)+EFp ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	ecx, [edx]
		xor	ebx, ebx
		mov	[ebp+var_4], edi
		mov	[ebp+var_C], ecx
		movzx	eax, word ptr [edi]
		test	ax, ax
		jnz	short loc_A3792E
		mov	edx, [ebp+arg_0]
		lea	esi, [edx+2]

loc_A378C1:				; CODE XREF: _PnpMultiSzAppend(x,x,x,x)+31j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, bx
		jnz	short loc_A378C1
		sub	edx, esi
		sar	edx, 1
		lea	esi, ds:4[edx*2]
		cmp	esi, ecx
		ja	loc_A379D9
		push	900h
		push	ebx
		push	ebx
		push	[ebp+arg_0]
		mov	edx, ecx
		mov	ecx, edi
		call	RtlStringCbCopyExW
		test	eax, eax
		js	loc_A379D9
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_A378FF:				; CODE XREF: _PnpMultiSzAppend(x,x,x,x)+6Fj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A378FF
		sub	ecx, edx
		mov	edx, [ebp+var_8]
		sar	ecx, 1
		inc	ecx
		mov	[edx], esi
		lea	eax, [edi+ecx*2]
		xor	ecx, ecx
		mov	[eax], cx
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	loc_A379D5
		mov	[ecx], eax
		jmp	loc_A379D5
; 

loc_A3792E:				; CODE XREF: _PnpMultiSzAppend(x,x,x,x)+20j
		mov	esi, edi
		test	ecx, ecx
		jz	short loc_A3795B
		mov	edx, eax

loc_A37936:				; CODE XREF: _PnpMultiSzAppend(x,x,x,x)+C0j
		test	dx, dx
		jz	short loc_A37943

loc_A3793B:				; CODE XREF: _PnpMultiSzAppend(x,x,x,x)+A8j
		add	esi, 2
		cmp	[esi], bx
		jnz	short loc_A3793B

loc_A37943:				; CODE XREF: _PnpMultiSzAppend(x,x,x,x)+A0j
		add	esi, 2
		movzx	eax, word ptr [esi]
		test	ax, ax
		jz	short loc_A3795B
		mov	edx, eax
		mov	eax, esi
		sub	eax, edi
		and	eax, 0FFFFFFFEh
		cmp	eax, ecx
		jb	short loc_A37936

loc_A3795B:				; CODE XREF: _PnpMultiSzAppend(x,x,x,x)+99j
					; _PnpMultiSzAppend(x,x,x,x)+B3j
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_A37963:				; CODE XREF: _PnpMultiSzAppend(x,x,x,x)+D3j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A37963
		sub	ecx, edx
		mov	eax, esi
		sub	eax, [ebp+var_4]
		mov	edx, [ebp+var_C]
		sar	eax, 1
		sar	ecx, 1
		add	eax, ecx
		lea	eax, ds:4[eax*2]
		cmp	eax, edx
		ja	short loc_A379D9
		push	900h
		push	ebx
		push	ebx
		push	edi
		mov	ecx, esi
		call	RtlStringCbCopyExW
		test	eax, eax
		js	short loc_A379D9
		lea	ecx, [edi+2]

loc_A3799F:				; CODE XREF: _PnpMultiSzAppend(x,x,x,x)+10Fj
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, bx
		jnz	short loc_A3799F
		mov	edx, [ebp+var_8]
		sub	edi, ecx
		sar	edi, 1
		xor	eax, eax
		lea	ecx, [edi+1]
		lea	ecx, [esi+ecx*2]
		mov	[ecx], ax
		mov	eax, ecx
		sub	eax, [ebp+var_4]
		sar	eax, 1
		lea	eax, ds:2[eax*2]
		mov	[edx], eax
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_A379D5
		mov	[eax], ecx

loc_A379D5:				; CODE XREF: _PnpMultiSzAppend(x,x,x,x)+88j
					; _PnpMultiSzAppend(x,x,x,x)+90j ...
		mov	al, 1
		jmp	short loc_A379DB
; 

loc_A379D9:				; CODE XREF: _PnpMultiSzAppend(x,x,x,x)+40j
					; _PnpMultiSzAppend(x,x,x,x)+5Bj ...
		xor	al, al

loc_A379DB:				; CODE XREF: _PnpMultiSzAppend(x,x,x,x)+13Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
__PnpMultiSzAppend@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall _PnpMultiSzDeleteString(wchar_t *,wchar_t *)
__PnpMultiSzDeleteString@8 proc	near	; CODE XREF: _CmGetDeviceSiblings(x,x,x,x)+FBp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	loc_A37A8F
		test	edi, edi
		jz	loc_A37A8F
		xor	eax, eax
		mov	[ebp+var_4], eax
		jmp	short loc_A37A30
; 

loc_A37A06:				; CODE XREF: _PnpMultiSzDeleteString(x,x)+51j
		push	edi		; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		mov	edx, esi
		pop	ecx
		pop	ecx
		lea	ebx, [edx+2]

loc_A37A14:				; CODE XREF: _PnpMultiSzDeleteString(x,x)+3Cj
		mov	cx, [edx]
		add	edx, 2
		cmp	cx, word ptr [ebp+var_4]
		jnz	short loc_A37A14
		sub	edx, ebx
		sar	edx, 1
		test	eax, eax
		jz	short loc_A37A37
		lea	esi, [esi+edx*2]
		add	esi, 2
		xor	eax, eax

loc_A37A30:				; CODE XREF: _PnpMultiSzDeleteString(x,x)+22j
		cmp	[esi], ax
		jnz	short loc_A37A06
		jmp	short loc_A37A4B
; 

loc_A37A37:				; CODE XREF: _PnpMultiSzDeleteString(x,x)+44j
		lea	eax, [edx+1]
		xor	ecx, ecx
		lea	eax, [esi+eax*2]
		mov	[ebp+var_4], eax
		cmp	[eax], cx
		jnz	short loc_A37A4F
		xor	eax, eax
		mov	[esi], eax

loc_A37A4B:				; CODE XREF: _PnpMultiSzDeleteString(x,x)+53j
					; _PnpMultiSzDeleteString(x,x)+ABj
		mov	al, 1
		jmp	short loc_A37A91
; 

loc_A37A4F:				; CODE XREF: _PnpMultiSzDeleteString(x,x)+63j
		mov	ecx, eax
		call	__PnpMultiSzGetLen@4 ; _PnpMultiSzGetLen(x)
		mov	edi, eax
		add	edi, edi
		jz	short loc_A37A8F
		push	52504E50h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A37A8F
		push	edi		; size_t
		push	[ebp+var_4]	; void *
		push	ebx		; void *
		call	_memcpy
		push	edi		; size_t
		push	ebx		; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 18h
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A37A4B
; 

loc_A37A8F:				; CODE XREF: _PnpMultiSzDeleteString(x,x)+Fj
					; _PnpMultiSzDeleteString(x,x)+17j ...
		xor	al, al

loc_A37A91:				; CODE XREF: _PnpMultiSzDeleteString(x,x)+6Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
__PnpMultiSzDeleteString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall _PnpMultiSzFind(wchar_t *,int,int)
__PnpMultiSzFind@12 proc near		; CODE XREF: _CmFindFilterListInflectionPoint(x,x,x)+2Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	eax, edx
		xor	ebx, ebx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		mov	ecx, eax
		lea	esi, [ecx+2]

loc_A37AAE:				; CODE XREF: _PnpMultiSzFind(x,x,x)+21j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A37AAE
		sub	ecx, esi
		sar	ecx, 1
		mov	[ebp+var_8], ecx
		jmp	short loc_A37AF2
; 

loc_A37AC2:				; CODE XREF: _PnpMultiSzFind(x,x,x)+5Fj
		mov	esi, edi
		lea	edx, [esi+2]

loc_A37AC7:				; CODE XREF: _PnpMultiSzFind(x,x,x)+3Aj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, bx
		jnz	short loc_A37AC7
		sub	esi, edx
		sar	esi, 1
		cmp	esi, ecx
		jnz	short loc_A37AEC
		push	[ebp+var_4]	; wchar_t *
		push	edi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A37AF9
		mov	ecx, [ebp+var_8]

loc_A37AEC:				; CODE XREF: _PnpMultiSzFind(x,x,x)+42j
		lea	edi, [edi+esi*2]
		add	edi, 2

loc_A37AF2:				; CODE XREF: _PnpMultiSzFind(x,x,x)+2Aj
		cmp	[edi], bx
		jnz	short loc_A37AC2
		jmp	short loc_A37AFB
; 

loc_A37AF9:				; CODE XREF: _PnpMultiSzFind(x,x,x)+51j
		mov	ebx, edi

loc_A37AFB:				; CODE XREF: _PnpMultiSzFind(x,x,x)+61j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
__PnpMultiSzFind@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _RegRtlCopyTreeInternal(x, x, x, x,	x, x, x)
__RegRtlCopyTreeInternal@28 proc near	; CODE XREF: PiDevCfgConfigureDeviceFilters(x,x)+8Dp
					; PiDevCfgConfigureSoftwareDevices(x,x)+132p ...

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_58], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+arg_C]
		push	esi
		push	edi
		mov	[ebp+var_38], eax
		lea	edi, [ebp+var_10]
		xor	eax, eax
		mov	[ebp+var_50], ecx
		stosd
		xor	ecx, ecx
		mov	ebx, ecx
		mov	[ebp+var_1C], ecx
		mov	esi, edx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_54], ecx
		stosd
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_44], ecx
		stosd
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_40], ecx
		push	eax
		mov	[ebp+var_18], ecx
		mov	edi, ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_3C], ecx
		call	IoGetStackLimits
		lea	eax, [ebp+var_28]
		sub	eax, [ebp+var_3C]
		cmp	eax, 400h
		jnb	short loc_A37B8F
		mov	esi, 0C000009Ah
		jmp	loc_A37F06
; 

loc_A37B8F:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+7Fj
		push	[ebp+var_38]
		mov	ecx, [ebp+var_50]
		lea	eax, [ebp+var_1C]
		push	eax
		push	20019h
		push	8
		mov	edx, esi
		call	_RegRtlOpenKeyTransacted
		mov	esi, eax
		test	esi, esi
		js	loc_A37F06
		lea	eax, [ebp+var_54]
		push	eax
		push	0Ch
		lea	eax, [ebp+var_10]
		push	eax
		push	5
		push	[ebp+var_1C]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_A37BE6
		test	[ebp+var_C], 2
		jz	short loc_A37BD9
		mov	esi, 8000002Dh
		jmp	loc_A37F06
; 

loc_A37BD9:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+C9j
		test	[ebp+var_C], 1
		jz	short loc_A37BE6
		mov	[ebp+var_40], 1

loc_A37BE6:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+C3j
					; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+D9j
		mov	eax, [ebp+arg_8]
		test	al, al
		jz	short loc_A37C3A

loc_A37BED:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+124j
		lea	eax, [ebp+var_34]
		push	eax
		push	[ebp+var_34]
		push	ebx
		push	4
		push	[ebp+var_1C]
		call	_ZwQuerySecurityObject@20 ; ZwQuerySecurityObject(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_A37C2F
		test	ebx, ebx
		jz	short loc_A37C12
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A37C12:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+104j
		push	4C474552h
		push	[ebp+var_34]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_4C], ebx
		test	ebx, ebx
		jnz	short loc_A37BED
		mov	esi, 0C0000017h

loc_A37C2F:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+100j
		test	esi, esi
		js	loc_A37F06
		mov	eax, [ebp+arg_8]

loc_A37C3A:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+E7j
		push	[ebp+var_38]
		mov	edx, [ebp+var_58]
		lea	ecx, [ebp+var_44]
		push	ecx
		movzx	eax, al
		lea	ecx, [ebp+var_30]
		neg	eax
		push	ecx
		mov	ecx, [ebp+var_5C]
		sbb	eax, eax
		push	0
		and	eax, ebx
		push	eax
		push	6001Fh
		push	[ebp+var_40]
		call	_RegRtlCreateKeyTransacted
		mov	esi, eax
		test	esi, esi
		js	loc_A37F06
		cmp	byte ptr [ebp+arg_8], 0
		push	2
		pop	eax
		jz	short loc_A37C8B
		test	ebx, ebx
		jz	short loc_A37C8B
		cmp	[ebp+var_44], eax
		jnz	short loc_A37C8B
		push	ebx
		push	4
		push	[ebp+var_30]
		call	_ZwSetSecurityObject@12	; ZwSetSecurityObject(x,x,x)

loc_A37C8B:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+171j
					; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+175j ...
		mov	ecx, [ebp+var_1C]
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_14]
		xor	edx, edx
		push	eax
		push	0
		lea	eax, [ebp+var_18]
		push	eax
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_A37CF2
		mov	eax, [ebp+var_18]
		cmp	eax, [ebp+var_14]
		ja	short loc_A37CB5
		mov	eax, [ebp+var_14]
		mov	[ebp+var_18], eax

loc_A37CB5:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+1A9j
		test	eax, eax
		jz	short loc_A37CD4
		lea	ecx, [ebp+var_18]
		xor	edx, edx
		push	ecx
		inc	edx
		mov	ecx, eax
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A37F06
		mov	eax, [ebp+var_18]

loc_A37CD4:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+1B3j
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_20]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A37F06
		mov	ebx, [ebp+var_24]
		jmp	short loc_A37CF4
; 

loc_A37CF2:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+1A1j
		xor	ebx, ebx

loc_A37CF4:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+1ECj
		mov	eax, [ebp+var_20]
		mov	[ebp+var_28], ebx
		test	eax, eax
		jz	short loc_A37D1B
		push	4C474552h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A37D1B
		mov	esi, 0C0000017h
		jmp	loc_A37F06
; 

loc_A37D1B:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+1F8j
					; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+20Bj
		test	ebx, ebx
		jz	short loc_A37D3D
		push	4C474552h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_2C], eax
		test	eax, eax
		jnz	short loc_A37D3D

loc_A37D33:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+3A7j
		mov	esi, 0C0000017h
		jmp	loc_A37EFA
; 

loc_A37D3D:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+219j
					; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+22Dj
		xor	eax, eax

loc_A37D3F:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+2DCj
		mov	[ebp+var_14], eax

loc_A37D42:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+2ABj
		mov	ebx, [ebp+var_20]
		lea	ecx, [ebp+var_24]
		push	ecx
		mov	ecx, [ebp+var_1C]
		mov	edx, eax
		shr	ebx, 1
		push	edi
		mov	[ebp+var_24], ebx
		call	_RegRtlEnumKey
		cmp	eax, 8000001Ah
		jz	loc_A37DE7
		cmp	eax, 0C0000023h
		jnz	short loc_A37DB1
		mov	eax, [ebp+var_24]
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_20]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A37EEB
		test	edi, edi
		jz	short loc_A37D93
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A37D93:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+285j
		push	4C474552h
		push	[ebp+var_20]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A37EE2
		mov	eax, [ebp+var_14]
		jmp	short loc_A37D42
; 

loc_A37DB1:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+265j
		test	eax, eax
		jnz	short loc_A37DE5
		push	[ebp+arg_10]
		mov	[edi+ebx*2-2], ax
		mov	edx, edi
		push	[ebp+var_38]
		mov	ecx, [ebp+var_1C]
		push	[ebp+arg_8]
		push	edi
		push	[ebp+var_30]
		call	__RegRtlCopyTreeInternal@28 ; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_A37DDC
		cmp	eax, 8000002Dh
		jnz	short loc_A37DE5

loc_A37DDC:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+2CFj
		mov	eax, [ebp+var_14]
		inc	eax
		jmp	loc_A37D3F
; 

loc_A37DE5:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+2AFj
					; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+2D6j
		mov	esi, eax

loc_A37DE7:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+25Aj
		test	esi, esi
		js	loc_A37EEB
		xor	eax, eax

loc_A37DF1:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+3D9j
		mov	[ebp+var_14], eax

loc_A37DF4:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+378j
					; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+3B0j
		mov	ecx, [ebp+var_28]
		mov	edx, eax
		mov	ebx, [ebp+var_20]
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_18]
		push	ecx		; int
		push	[ebp+var_2C]	; void *
		lea	ecx, [ebp+var_48]
		shr	ebx, 1
		push	ecx		; int
		lea	ecx, [ebp+var_24]
		mov	[ebp+var_24], ebx
		push	ecx		; int
		mov	ecx, [ebp+var_1C]
		push	edi		; void *
		call	_RegRtlEnumValue
		cmp	eax, 8000001Ah
		jz	loc_A37EEB
		cmp	eax, 0C0000023h
		jnz	loc_A37EB9
		mov	eax, [ebp+var_24]
		cmp	eax, ebx
		jbe	short loc_A37E73
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_20]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A37EEB
		test	edi, edi
		jz	short loc_A37E5E
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A37E5E:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+350j
		push	4C474552h
		push	[ebp+var_20]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A37EE2

loc_A37E73:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+333j
		mov	eax, [ebp+var_28]
		cmp	[ebp+var_18], eax
		mov	eax, [ebp+var_14]
		jbe	loc_A37DF4
		mov	eax, [ebp+var_18]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jz	short loc_A37E97
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A37E97:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+389j
		push	4C474552h
		push	[ebp+var_18]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_A37D33
		mov	eax, [ebp+var_14]
		jmp	loc_A37DF4
; 

loc_A37EB9:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+328j
		test	eax, eax
		jnz	short loc_A37EE9
		push	[ebp+var_18]
		mov	[edi+ebx*2-2], ax
		mov	edx, edi
		push	[ebp+var_2C]
		mov	ecx, [ebp+var_30]
		push	[ebp+var_48]
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_A37EE9
		mov	eax, [ebp+var_14]
		inc	eax
		jmp	loc_A37DF1
; 

loc_A37EE2:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+2A2j
					; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+36Dj
		mov	esi, 0C0000017h
		jmp	short loc_A37EEB
; 

loc_A37EE9:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+3B7j
					; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+3D3j
		mov	esi, eax

loc_A37EEB:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+27Dj
					; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+2E5j ...
		mov	eax, [ebp+var_2C]
		test	eax, eax
		jz	short loc_A37EFA
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A37EFA:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+234j
					; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+3ECj
		test	edi, edi
		jz	short loc_A37F06
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A37F06:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+86j
					; _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+A7j ...
		cmp	[ebp+var_1C], 0
		jz	short loc_A37F14
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_A37F14:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+406j
		cmp	[ebp+var_30], 0
		jz	short loc_A37F22
		push	[ebp+var_30]
		call	_ZwClose@4	; ZwClose(x)

loc_A37F22:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+414j
		mov	eax, [ebp+var_4C]
		test	eax, eax
		jz	short loc_A37F31
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A37F31:				; CODE XREF: _RegRtlCopyTreeInternal(x,x,x,x,x,x,x)+423j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
__RegRtlCopyTreeInternal@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _RegRtlDeletePathInternal(x, x, x, x, x)
__RegRtlDeletePathInternal@20 proc near	; CODE XREF: PiDevCfgClearDeviceMigrationNode(x,x)+19Ap
					; PiDevCfgClearDeviceMigrationNode(x,x)+26Ap ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_14], ecx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		mov	edx, 7FFFh
		mov	[ebp+var_C], eax
		mov	ecx, ebx
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_8]
		push	edi
		push	eax
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A38099
		mov	esi, [ebp+var_8]
		inc	esi
		push	4C474552h
		lea	eax, [esi+esi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A37FA0
		mov	esi, 0C0000017h
		jmp	loc_A38099
; 

loc_A37FA0:				; CODE XREF: _RegRtlDeletePathInternal(x,x,x,x,x)+50j
		push	100h
		push	0
		push	0
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	RtlStringCchCopyExW
		mov	esi, eax
		test	esi, esi
		jnz	loc_A38091
		mov	ebx, [ebp+var_14]
		mov	al, 1

loc_A37FC2:				; CODE XREF: _RegRtlDeletePathInternal(x,x,x,x,x)+13Cj
		test	al, al
		jz	short loc_A37FDC
		cmp	[ebp+arg_0], 0
		jz	short loc_A37FDC
		push	0
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, ebx
		call	_RegRtlDeleteTreeInternal
		jmp	short loc_A38043
; 

loc_A37FDC:				; CODE XREF: _RegRtlDeletePathInternal(x,x,x,x,x)+80j
					; _RegRtlDeletePathInternal(x,x,x,x,x)+86j
		push	[ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		push	1
		push	0
		mov	ecx, ebx
		call	_RegRtlOpenKeyTransacted
		test	eax, eax
		jnz	short loc_A38031
		xor	ecx, ecx
		lea	eax, [ebp+var_10]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_C]
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		cmp	esi, 0C000017Ch
		jz	short loc_A3801E
		test	esi, esi
		jnz	short loc_A38091

loc_A3801E:				; CODE XREF: _RegRtlDeletePathInternal(x,x,x,x,x)+D4j
		cmp	[ebp+var_C], 0
		jnz	short loc_A3802A
		cmp	[ebp+var_10], 0
		jz	short loc_A38038

loc_A3802A:				; CODE XREF: _RegRtlDeletePathInternal(x,x,x,x,x)+DEj
		mov	esi, 0C0000121h
		jmp	short loc_A38091
; 

loc_A38031:				; CODE XREF: _RegRtlDeletePathInternal(x,x,x,x,x)+AEj
		cmp	eax, 0C0000034h
		jnz	short loc_A38085

loc_A38038:				; CODE XREF: _RegRtlDeletePathInternal(x,x,x,x,x)+E4j
		push	0
		mov	edx, edi
		mov	ecx, ebx
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)

loc_A38043:				; CODE XREF: _RegRtlDeletePathInternal(x,x,x,x,x)+96j
		mov	esi, eax
		test	esi, esi
		jz	short loc_A38051
		cmp	esi, 0C0000034h
		jnz	short loc_A38091

loc_A38051:				; CODE XREF: _RegRtlDeletePathInternal(x,x,x,x,x)+103j
		push	5Ch
		pop	eax
		push	eax		; wchar_t
		push	edi		; wchar_t *
		call	_wcsrchr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A38091
		xor	ecx, ecx
		mov	[eax], cx
		cmp	eax, edi
		jz	short loc_A3807E
		push	5Ch
		pop	edx

loc_A3806D:				; CODE XREF: _RegRtlDeletePathInternal(x,x,x,x,x)+138j
		sub	eax, 2
		cmp	[eax], dx
		jnz	short loc_A3807E
		xor	ecx, ecx
		mov	[eax], cx
		cmp	eax, edi
		jnz	short loc_A3806D

loc_A3807E:				; CODE XREF: _RegRtlDeletePathInternal(x,x,x,x,x)+124j
					; _RegRtlDeletePathInternal(x,x,x,x,x)+12Fj
		xor	al, al
		jmp	loc_A37FC2
; 

loc_A38085:				; CODE XREF: _RegRtlDeletePathInternal(x,x,x,x,x)+F2j
		lea	esi, [eax+3FFFFE84h]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_A38091:				; CODE XREF: _RegRtlDeletePathInternal(x,x,x,x,x)+73j
					; _RegRtlDeletePathInternal(x,x,x,x,x)+D8j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A38099:				; CODE XREF: _RegRtlDeletePathInternal(x,x,x,x,x)+32j
					; _RegRtlDeletePathInternal(x,x,x,x,x)+57j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
__RegRtlDeletePathInternal@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtCreateKeyTransacted_Stub(x, x, x,	x, x, x, x, x)
_NtCreateKeyTransacted_Stub@32 proc near ; CODE	XREF: _RegRtlCreateKeyTransacted+117F1Cp

arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte ptr dword_70136C, 0
		jnz	short loc_A380C3
		mov	eax, offset _ZwCreateKeyTransacted@32 ;	ZwCreateKeyTransacted(x,x,x,x,x,x,x,x)
		mov	byte ptr dword_70136C, 1
		mov	dword_701370, eax
		jmp	short loc_A380C8
; 

loc_A380C3:				; CODE XREF: NtCreateKeyTransacted_Stub(x,x,x,x,x,x,x,x)+Cj
		mov	eax, dword_701370

loc_A380C8:				; CODE XREF: NtCreateKeyTransacted_Stub(x,x,x,x,x,x,x,x)+1Fj
		test	eax, eax
		jnz	short loc_A380D3
		mov	eax, 0C000007Ah
		jmp	short loc_A380E7
; 

loc_A380D3:				; CODE XREF: NtCreateKeyTransacted_Stub(x,x,x,x,x,x,x,x)+28j
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	0
		push	0
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	eax

loc_A380E7:				; CODE XREF: NtCreateKeyTransacted_Stub(x,x,x,x,x,x,x,x)+2Fj
		pop	ebp
		retn	18h
_NtCreateKeyTransacted_Stub@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtOpenKeyTransactedEx_Stub(x, x, x,	x, x)
_NtOpenKeyTransactedEx_Stub@20 proc near ; CODE	XREF: _RegRtlOpenKeyTransacted+11787Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte_701364, 0
		jnz	short loc_A3810C
		mov	eax, offset _ZwOpenKeyTransactedEx@20 ;	ZwOpenKeyTransactedEx(x,x,x,x,x)
		mov	byte_701364, 1
		mov	dword_701368, eax
		jmp	short loc_A38111
; 

loc_A3810C:				; CODE XREF: NtOpenKeyTransactedEx_Stub(x,x,x,x,x)+Cj
		mov	eax, dword_701368

loc_A38111:				; CODE XREF: NtOpenKeyTransactedEx_Stub(x,x,x,x,x)+1Fj
		test	eax, eax
		jnz	short loc_A3811C
		mov	eax, 0C000007Ah
		jmp	short loc_A38129
; 

loc_A3811C:				; CODE XREF: NtOpenKeyTransactedEx_Stub(x,x,x,x,x)+28j
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	eax

loc_A38129:				; CODE XREF: NtOpenKeyTransactedEx_Stub(x,x,x,x,x)+2Fj
		pop	ebp
		retn	0Ch
_NtOpenKeyTransactedEx_Stub@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtOpenKeyTransacted_Stub(x,	x, x, x)
_NtOpenKeyTransacted_Stub@16 proc near	; CODE XREF: _RegRtlOpenKeyTransacted+11789Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	byte_70135C, 0
		jnz	short loc_A3814E
		mov	eax, offset _ZwOpenKeyTransacted@16 ; ZwOpenKeyTransacted(x,x,x,x)
		mov	byte_70135C, 1
		mov	dword_701360, eax
		jmp	short loc_A38153
; 

loc_A3814E:				; CODE XREF: NtOpenKeyTransacted_Stub(x,x,x,x)+Cj
		mov	eax, dword_701360

loc_A38153:				; CODE XREF: NtOpenKeyTransacted_Stub(x,x,x,x)+1Fj
		test	eax, eax
		jnz	short loc_A3815E
		mov	eax, 0C000007Ah
		jmp	short loc_A38168
; 

loc_A3815E:				; CODE XREF: NtOpenKeyTransacted_Stub(x,x,x,x)+28j
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	eax

loc_A38168:				; CODE XREF: NtOpenKeyTransacted_Stub(x,x,x,x)+2Fj
		pop	ebp
		retn	8
_NtOpenKeyTransacted_Stub@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PlugPlayGetDeviceRelations(x, x, x,	x, x, x)
_PlugPlayGetDeviceRelations@24 proc near
					; CODE XREF: PiPnpRtlGetDeviceRelationsList(x,x,x,x,x,x,x)+17p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		test	ecx, ecx
		jz	short loc_A381E1
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	short loc_A381E1
		cmp	[ebp+arg_C], 0
		jnz	short loc_A381E1
		mov	eax, [ecx]
		mov	[ebp+var_14], eax
		mov	eax, [ecx+4]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_14]
		push	14h
		push	eax
		push	10h
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edi
		call	_ZwPlugPlayControl@12 ;	ZwPlugPlayControl(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_A381C8
		mov	eax, [ebp+var_8]
		mov	[esi], eax
		test	eax, eax
		jz	short loc_A381D7
		cmp	eax, edi
		jbe	short loc_A381DC
		mov	ecx, 0C0000023h
		jmp	short loc_A381DC
; 

loc_A381C8:				; CODE XREF: PlugPlayGetDeviceRelations(x,x,x,x,x,x)+46j
		cmp	ecx, 0C0000023h
		jnz	short loc_A381D7
		mov	eax, [ebp+var_8]
		mov	[esi], eax
		jmp	short loc_A381DC
; 

loc_A381D7:				; CODE XREF: PlugPlayGetDeviceRelations(x,x,x,x,x,x)+4Fj
					; PlugPlayGetDeviceRelations(x,x,x,x,x,x)+62j
		mov	ecx, 0C0000034h

loc_A381DC:				; CODE XREF: PlugPlayGetDeviceRelations(x,x,x,x,x,x)+53j
					; PlugPlayGetDeviceRelations(x,x,x,x,x,x)+5Aj ...
		mov	eax, ecx
		pop	edi
		jmp	short loc_A381E6
; 

loc_A381E1:				; CODE XREF: PlugPlayGetDeviceRelations(x,x,x,x,x,x)+Bj
					; PlugPlayGetDeviceRelations(x,x,x,x,x,x)+12j ...
		mov	eax, 0C000000Dh

loc_A381E6:				; CODE XREF: PlugPlayGetDeviceRelations(x,x,x,x,x,x)+73j
		pop	esi
		leave
		retn	10h
_PlugPlayGetDeviceRelations@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbCreateDeviceId(x, x, x, x, x)
_DrvDbCreateDeviceId@20	proc near	; CODE XREF: DrvDbDispatchDeviceId+AE8A8p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	0
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	1
		push	[ebp+arg_0]
		push	edx
		push	5
		xor	edx, edx
		call	DrvDbOpenObjectRegKey
		test	eax, eax
		js	short locret_A3821D
		cmp	[ebp+var_4], 1
		mov	ecx, [ebp+arg_8]
		setz	dl
		mov	[ecx], dl

locret_A3821D:				; CODE XREF: DrvDbCreateDeviceId(x,x,x,x,x)+24j
		leave
		retn	0Ch
_DrvDbCreateDeviceId@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbCreateDriverDatabase(x, x, x, x, x)
_DrvDbCreateDriverDatabase@20 proc near	; CODE XREF: DrvDbDispatchDriverDatabase+11B01Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	[ebp+arg_4]	; int
		push	1		; char
		push	[ebp+arg_0]	; int
		call	DrvDbOpenDriverDatabaseRegKey
		test	eax, eax
		js	short locret_A3824C
		cmp	[ebp+var_4], 1
		mov	ecx, [ebp+arg_8]
		setz	dl
		mov	[ecx], dl

locret_A3824C:				; CODE XREF: DrvDbCreateDriverDatabase(x,x,x,x,x)+1Dj
		leave
		retn	0Ch
_DrvDbCreateDriverDatabase@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbCreateDriverFile(x, x,	x, x, x)
_DrvDbCreateDriverFile@20 proc near	; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+D4p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	0
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	1
		push	[ebp+arg_0]
		push	edx
		push	4
		xor	edx, edx
		call	DrvDbOpenObjectRegKey
		test	eax, eax
		js	short locret_A38282
		cmp	[ebp+var_4], 1
		mov	ecx, [ebp+arg_8]
		setz	dl
		mov	[ecx], dl

locret_A38282:				; CODE XREF: DrvDbCreateDriverFile(x,x,x,x,x)+24j
		leave
		retn	0Ch
_DrvDbCreateDriverFile@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbCreateDriverInfFile(x,	x, x, x, x)
_DrvDbCreateDriverInfFile@20 proc near	; CODE XREF: DrvDbDispatchDriverInfFile+1185C9p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	0
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	1
		push	[ebp+arg_0]
		push	edx
		push	3
		xor	edx, edx
		call	DrvDbOpenObjectRegKey
		test	eax, eax
		js	short locret_A382B8
		cmp	[ebp+var_4], 1
		mov	ecx, [ebp+arg_8]
		setz	dl
		mov	[ecx], dl

locret_A382B8:				; CODE XREF: DrvDbCreateDriverInfFile(x,x,x,x,x)+24j
		leave
		retn	0Ch
_DrvDbCreateDriverInfFile@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbCreateDriverPackage(x,	x, x, x, x)
_DrvDbCreateDriverPackage@20 proc near	; CODE XREF: DrvDbDispatchDriverPackage+11AA6Fp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	0
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_4]
		push	1
		push	[ebp+arg_0]
		push	edx
		push	2
		xor	edx, edx
		call	DrvDbOpenObjectRegKey
		test	eax, eax
		js	short locret_A382EE
		cmp	[ebp+var_4], 1
		mov	ecx, [ebp+arg_8]
		setz	dl
		mov	[ecx], dl

locret_A382EE:				; CODE XREF: DrvDbCreateDriverPackage(x,x,x,x,x)+24j
		leave
		retn	0Ch
_DrvDbCreateDriverPackage@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbDeleteDriverDatabase(x, x)
_DrvDbDeleteDriverDatabase@8 proc near	; CODE XREF: DrvDbDispatchDriverDatabase+11B02Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		mov	esi, ecx
		call	_DrvDbFindDatabaseNode@12 ; DrvDbFindDatabaseNode(x,x,x)
		test	eax, eax
		js	short loc_A38323
		mov	edx, [ebp+var_4]
		test	byte ptr [edx+1Ch], 10h
		jnz	short loc_A3831C
		mov	eax, 0C0000022h
		jmp	short loc_A38323
; 

loc_A3831C:				; CODE XREF: DrvDbDeleteDriverDatabase(x,x)+21j
		mov	ecx, esi
		call	_DrvDbDestroyDatabaseNode@8 ; DrvDbDestroyDatabaseNode(x,x)

loc_A38323:				; CODE XREF: DrvDbDeleteDriverDatabase(x,x)+18j
					; DrvDbDeleteDriverDatabase(x,x)+28j
		pop	esi
		leave
		retn
_DrvDbDeleteDriverDatabase@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbDeleteObjectRegKey(x, x, x, x)
_DrvDbDeleteObjectRegKey@16 proc near	; CODE XREF: DrvDbDispatchDeviceId+AE8BCp
					; DrvDbDispatchDriverInfFile+1185DDp ...

var_E		= byte ptr -0Eh
var_D		= byte ptr -0Dh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		xor	eax, eax
		mov	[esp+18h+var_4], edx
		mov	edx, [ebp+arg_0]
		push	esi
		push	edi
		mov	[esp+20h+var_C], eax
		mov	edi, ecx
		mov	[esp+20h+var_8], eax
		mov	[esp+20h+var_D], al
		lea	eax, [esp+20h+var_8]
		push	eax
		lea	eax, [ebp+arg_0]
		push	eax
		call	DrvDbGetObjectDatabaseNode
		mov	ebx, [esp+20h+var_8]
		mov	esi, eax
		test	esi, esi
		js	loc_A38446
		test	ebx, ebx
		jz	short loc_A383B1
		lea	eax, [esp+20h+var_C]
		mov	edx, ebx
		push	eax
		push	[esp+24h+var_4]
		mov	ecx, edi
		call	DrvDbAcquireDatabaseNodeBaseKey
		mov	esi, eax
		test	esi, esi
		jns	short loc_A38399
		cmp	esi, 0C0000467h
		jnz	loc_A38446
		mov	esi, 0C00000A2h
		jmp	loc_A38446
; 

loc_A38399:				; CODE XREF: DrvDbDeleteObjectRegKey(x,x,x,x)+5Bj
		push	[ebp+arg_4]
		mov	edx, [esp+24h+var_C]
		mov	ecx, edi
		push	[ebp+arg_0]
		call	_DrvDbDeleteObjectSubKey@16 ; DrvDbDeleteObjectSubKey(x,x,x,x)
		mov	esi, eax
		jmp	loc_A38446
; 

loc_A383B1:				; CODE XREF: DrvDbDeleteObjectRegKey(x,x,x,x)+43j
		lea	ecx, [edi+0Ch]
		mov	eax, [ecx]
		jmp	short loc_A38425
; 

loc_A383B8:				; CODE XREF: DrvDbDeleteObjectRegKey(x,x,x,x)+105j
		lea	ecx, [esp+20h+var_C]
		mov	edx, eax
		push	ecx
		push	[esp+24h+var_4]
		mov	ecx, edi
		mov	ebx, eax
		call	DrvDbAcquireDatabaseNodeBaseKey
		mov	esi, eax
		cmp	esi, 0C0000467h
		jnz	short loc_A383DD
		mov	esi, 0C00000A2h
		jmp	short loc_A3841C
; 

loc_A383DD:				; CODE XREF: DrvDbDeleteObjectRegKey(x,x,x,x)+AEj
		test	esi, esi
		js	short loc_A3842D
		push	[ebp+arg_4]
		mov	edx, [esp+24h+var_C]
		mov	ecx, edi
		push	[ebp+arg_0]
		call	_DrvDbDeleteObjectSubKey@16 ; DrvDbDeleteObjectSubKey(x,x,x,x)
		push	[esp+20h+var_C]
		mov	edx, [esp+24h+var_8]
		mov	esi, eax
		push	ecx
		mov	ecx, edi
		call	_DrvDbReleaseDatabaseNodeBaseKey@16 ; DrvDbReleaseDatabaseNodeBaseKey(x,x,x,x)
		and	[esp+20h+var_C], 0
		test	esi, esi
		js	short loc_A38414
		mov	[esp+20h+var_D], 1
		jmp	short loc_A3841C
; 

loc_A38414:				; CODE XREF: DrvDbDeleteObjectRegKey(x,x,x,x)+E5j
		cmp	esi, 0C0000034h
		jnz	short loc_A38435

loc_A3841C:				; CODE XREF: DrvDbDeleteObjectRegKey(x,x,x,x)+B5j
					; DrvDbDeleteObjectRegKey(x,x,x,x)+ECj
		mov	eax, [esp+20h+var_8]
		lea	ecx, [edi+0Ch]
		mov	eax, [eax]

loc_A38425:				; CODE XREF: DrvDbDeleteObjectRegKey(x,x,x,x)+90j
		mov	[esp+20h+var_8], eax
		cmp	eax, ecx
		jnz	short loc_A383B8

loc_A3842D:				; CODE XREF: DrvDbDeleteObjectRegKey(x,x,x,x)+B9j
		cmp	esi, 0C0000034h
		jz	short loc_A3843D

loc_A38435:				; CODE XREF: DrvDbDeleteObjectRegKey(x,x,x,x)+F4j
		cmp	esi, 0C00000A2h
		jnz	short loc_A38446

loc_A3843D:				; CODE XREF: DrvDbDeleteObjectRegKey(x,x,x,x)+10Dj
		cmp	[esp+20h+var_D], 0
		jz	short loc_A38446
		xor	esi, esi

loc_A38446:				; CODE XREF: DrvDbDeleteObjectRegKey(x,x,x,x)+3Bj
					; DrvDbDeleteObjectRegKey(x,x,x,x)+63j	...
		cmp	[esp+20h+var_C], 0
		jz	short loc_A3845B
		push	[esp+20h+var_C]
		mov	edx, ebx
		push	ecx
		mov	ecx, edi
		call	_DrvDbReleaseDatabaseNodeBaseKey@16 ; DrvDbReleaseDatabaseNodeBaseKey(x,x,x,x)

loc_A3845B:				; CODE XREF: DrvDbDeleteObjectRegKey(x,x,x,x)+125j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_DrvDbDeleteObjectRegKey@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbDeleteObjectSubKey(x, x, x, x)
_DrvDbDeleteObjectSubKey@16 proc near	; CODE XREF: DrvDbDeleteObjectRegKey(x,x,x,x)+7Fp
					; DrvDbDeleteObjectRegKey(x,x,x,x)+C7p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		xor	edx, edx
		mov	[ebp+var_20], esi
		cmp	[ebp+arg_4], 1
		mov	ebx, edx
		mov	[ebp+var_10], edi
		mov	eax, [edi]
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_1C], edx
		ja	short loc_A384D1
		test	eax, eax
		jz	short loc_A384AC
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_A384AC
		mov	eax, [eax+4]
		jmp	short loc_A384AE
; 

loc_A384AC:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+38j
					; DrvDbDeleteObjectSubKey(x,x,x,x)+3Fj
		mov	eax, edx

loc_A384AE:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+44j
		push	edx
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	eax
		call	_RegRtlDeleteTreeInternal
		mov	esi, eax

loc_A384BC:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+8Cj
		cmp	esi, 0C000017Ch
		jnz	loc_A387C2
		xor	eax, eax
		mov	esi, eax
		jmp	loc_A387C2
; 

loc_A384D1:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+34j
		mov	ecx, edx
		test	eax, eax
		jz	short loc_A384DA
		mov	ecx, [eax+74h]

loc_A384DA:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+6Fj
		lea	eax, [ebp+var_4]
		push	eax
		push	3001Fh
		push	edx
		push	[ebp+arg_0]
		mov	edx, esi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A384BC
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		push	ecx
		mov	ecx, [edi]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		call	__PnpGetGenericStorePropertyKeys@32 ; _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_A38574

loc_A38513:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+F9j
		cmp	[ebp+var_C], ebx
		jbe	short loc_A3856D
		mov	eax, [ebp+var_8]
		xor	esi, esi
		test	eax, eax
		jz	short loc_A38528
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A38528:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+B9j
		mov	ebx, [ebp+var_C]
		imul	eax, ebx, 14h
		push	42444450h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_8], ecx
		test	ecx, ecx
		jz	short loc_A38566
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		push	ecx
		push	eax
		push	ebx
		push	ecx
		mov	ecx, [edi]
		push	esi
		push	esi
		call	__PnpGetGenericStorePropertyKeys@32 ; _PnpGetGenericStorePropertyKeys(x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jz	short loc_A38513

loc_A38561:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+10Cj
		mov	ecx, [ebp+var_8]
		jmp	short loc_A38576
; 

loc_A38566:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+DCj
		mov	esi, 0C0000017h
		jmp	short loc_A38576
; 

loc_A3856D:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+B0j
		mov	esi, 0C00000E5h
		jmp	short loc_A38561
; 

loc_A38574:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+ABj
		mov	ecx, ebx

loc_A38576:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+FEj
					; DrvDbDeleteObjectSubKey(x,x,x,x)+105j
		mov	eax, 0C0000225h
		cmp	esi, eax
		jz	short loc_A38587
		test	esi, esi
		js	loc_A387B2

loc_A38587:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+117j
		mov	edi, esi
		sub	edi, eax
		lea	eax, [esi+3FFFFDDBh]
		neg	edi
		sbb	edi, edi
		xor	edx, edx
		neg	eax
		mov	[ebp+arg_4], edx
		sbb	eax, eax
		and	esi, eax
		and	edi, ebx
		jz	short loc_A385E9
		mov	ebx, ecx

loc_A385A6:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+181j
		mov	eax, [ebp+var_10]
		mov	ecx, [eax]
		push	ecx
		push	edx
		push	ecx
		push	edx
		push	ebx
		push	edx
		mov	edx, [ebp+var_4]
		call	_PnpDeletePropertyWorker
		mov	esi, eax
		cmp	esi, 0C0000225h
		jz	short loc_A385D7
		cmp	esi, 0C0000022h
		jz	short loc_A385D7
		test	esi, esi
		js	loc_A387B2
		xor	edx, edx
		jmp	short loc_A385DB
; 

loc_A385D7:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+15Bj
					; DrvDbDeleteObjectSubKey(x,x,x,x)+163j
		xor	edx, edx
		mov	esi, edx

loc_A385DB:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+16Fj
		mov	eax, [ebp+arg_4]
		add	ebx, 14h
		inc	eax
		mov	[ebp+arg_4], eax
		cmp	eax, edi
		jb	short loc_A385A6

loc_A385E9:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+13Cj
		test	esi, esi
		js	loc_A387B2
		push	5Ch		; wchar_t
		push	[ebp+arg_0]	; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_A38737
		mov	ecx, [ebp+arg_0]
		xor	edi, edi
		lea	edx, [ecx+2]

loc_A3860D:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+1B0j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_A3860D
		sub	ecx, edx
		sar	ecx, 1
		push	42444450h
		lea	esi, [ecx+1]
		lea	eax, [esi+esi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A3863F
		mov	esi, 0C0000017h
		jmp	loc_A387B4
; 

loc_A3863F:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+1CDj
		push	900h
		push	edi
		push	edi
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		call	RtlStringCchCopyExW
		mov	eax, [ebp+var_4]
		mov	edi, [ebp+var_10]

loc_A38658:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+2AFj
		test	eax, eax
		jnz	short loc_A386BF
		mov	eax, [ebp+var_10]
		xor	edi, edi
		mov	ecx, edi
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_A3866C
		mov	ecx, [eax+74h]

loc_A3866C:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+201j
		mov	edx, [ebp+var_20]
		lea	eax, [ebp+var_4]
		push	eax
		push	3001Fh
		push	edi
		push	ebx
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3871A
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_14]
		push	edi
		push	edi
		push	eax
		push	edi
		lea	edx, [ebp+var_18]
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A38846
		cmp	[ebp+var_18], 0
		ja	loc_A38846
		cmp	[ebp+var_14], 0
		ja	loc_A38846
		mov	eax, [ebp+var_4]
		mov	edi, [ebp+var_10]

loc_A386BF:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+1F4j
		mov	ecx, [edi]
		test	ecx, ecx
		jz	short loc_A386D1
		mov	ecx, [ecx+74h]
		test	ecx, ecx
		jz	short loc_A386D1
		mov	ecx, [ecx+4]
		jmp	short loc_A386D3
; 

loc_A386D1:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+25Dj
					; DrvDbDeleteObjectSubKey(x,x,x,x)+264j
		xor	ecx, ecx

loc_A386D3:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+269j
		push	ecx
		xor	edx, edx
		mov	ecx, eax
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)
		mov	esi, eax
		cmp	esi, 0C000017Ch
		jnz	short loc_A386ED
		xor	eax, eax
		mov	esi, eax
		jmp	short loc_A386F1
; 

loc_A386ED:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+27Fj
		test	esi, esi
		js	short loc_A3872D

loc_A386F1:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+285j
		push	5Ch		; wchar_t
		push	ebx		; wchar_t *
		call	_wcsrchr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_A38844
		xor	ecx, ecx
		mov	[eax], cx
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		xor	eax, eax
		mov	[ebp+var_4], eax
		jmp	loc_A38658
; 

loc_A3871A:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+21Dj
		cmp	esi, 0C000017Ch

loc_A38720:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+2CFj
		jnz	loc_A38846
		mov	esi, edi
		jmp	loc_A38846
; 

loc_A3872D:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+289j
		xor	edi, edi
		cmp	esi, 0C0000121h
		jmp	short loc_A38720
; 

loc_A38737:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+199j
		mov	eax, [ebp+var_10]
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_A3874E
		mov	eax, [eax+74h]
		test	eax, eax
		jz	short loc_A3874E
		mov	eax, [eax+4]
		xor	edi, edi
		jmp	short loc_A38752
; 

loc_A3874E:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+2D8j
					; DrvDbDeleteObjectSubKey(x,x,x,x)+2DFj
		xor	edi, edi
		mov	eax, edi

loc_A38752:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+2E6j
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		push	eax
		call	__RegRtlDeleteKeyTransacted@12 ; _RegRtlDeleteKeyTransacted(x,x,x)
		mov	esi, eax
		cmp	esi, 0C000017Ch
		jnz	short loc_A3876B
		mov	esi, edi
		jmp	short loc_A387B4
; 

loc_A3876B:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+2FFj
		cmp	esi, 0C0000121h
		jnz	short loc_A387B4
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_1C]
		push	edi
		push	eax
		lea	eax, [ebp+var_14]
		xor	edx, edx
		push	eax
		push	edi
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A387B4
		mov	ebx, [ebp+var_1C]
		inc	ebx
		cmp	[ebp+var_14], 0
		jbe	short loc_A387B4
		push	42444450h
		lea	eax, [ebx+ebx]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A387D9
		mov	esi, 0C0000017h

loc_A387B2:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+11Bj
					; DrvDbDeleteObjectSubKey(x,x,x,x)+167j ...
		xor	edi, edi

loc_A387B4:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+1D4j
					; DrvDbDeleteObjectSubKey(x,x,x,x)+303j ...
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_A387C2
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A387C2:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+5Cj
					; DrvDbDeleteObjectSubKey(x,x,x,x)+66j	...
		cmp	[ebp+var_4], 0
		jz	short loc_A387D0
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A387D0:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+360j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_A387D9:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+345j
					; DrvDbDeleteObjectSubKey(x,x,x,x)+3BEj ...
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+arg_0]
		xor	esi, esi
		mov	[ebp+arg_0], ebx
		push	esi		; int
		push	esi		; void *
		push	esi		; int
		push	eax		; int
		push	edi		; void *
		xor	edx, edx
		call	_RegRtlEnumValue
		test	eax, eax
		js	short loc_A3882C
		mov	eax, [ebp+var_4]
		mov	[ebp+arg_0], eax
		lea	eax, [ebp+var_24]
		push	edi
		push	eax
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A3881E
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+arg_0]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		mov	esi, eax

loc_A3881E:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+3A8j
		cmp	esi, 0C0000034h
		jz	short loc_A387D9
		test	esi, esi
		jns	short loc_A387D9
		jmp	short loc_A38838
; 

loc_A3882C:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+38Cj
		lea	esi, [eax+7FFFFFE6h]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_A38838:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+3C4j
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_28]

loc_A38844:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+297j
		xor	edi, edi

loc_A38846:				; CODE XREF: DrvDbDeleteObjectSubKey(x,x,x,x)+239j
					; DrvDbDeleteObjectSubKey(x,x,x,x)+243j ...
		test	ebx, ebx
		jz	loc_A387B4
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_A387B4
_DrvDbDeleteObjectSubKey@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbGetCompositeMappedPropertyKeys(x, x, x, x, x, x)
_DrvDbGetCompositeMappedPropertyKeys@24	proc near
					; CODE XREF: DrvDbGetDeviceIdMappedPropertyKeys(x,x,x,x,x,x)+65p
					; DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+34p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	edi
		mov	edi, edx
		xor	eax, eax
		xor	edx, edx
		mov	[ebp+var_C], edi
		xor	ebx, ebx
		mov	[ebp+var_8], edx
		cmp	[ebp+arg_0], eax
		jbe	short loc_A388C9
		mov	eax, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_C]
		mov	[ebp+var_4], eax
		jmp	short loc_A38886
; 

loc_A38883:				; CODE XREF: DrvDbGetCompositeMappedPropertyKeys(x,x,x,x,x,x)+67j
		mov	eax, [ebp+var_4]

loc_A38886:				; CODE XREF: DrvDbGetCompositeMappedPropertyKeys(x,x,x,x,x,x)+27j
		cmp	[ebp+arg_4], 0
		jz	short loc_A388AB
		cmp	edx, [ebp+arg_8]
		jnb	short loc_A388AB
		mov	esi, [edi+ebx*4]
		inc	edx
		push	5
		mov	edi, eax
		mov	[ebp+var_8], edx
		pop	ecx
		rep movsd
		mov	esi, [ebp+arg_C]
		add	eax, 14h
		mov	edi, [ebp+var_C]
		mov	[ebp+var_4], eax

loc_A388AB:				; CODE XREF: DrvDbGetCompositeMappedPropertyKeys(x,x,x,x,x,x)+30j
					; DrvDbGetCompositeMappedPropertyKeys(x,x,x,x,x,x)+35j
		mov	ecx, [esi]
		xor	edx, edx
		push	esi
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A388C5
		mov	edx, [ebp+var_8]
		inc	ebx
		cmp	ebx, [ebp+arg_0]
		jb	short loc_A38883
		jmp	short loc_A388C8
; 

loc_A388C5:				; CODE XREF: DrvDbGetCompositeMappedPropertyKeys(x,x,x,x,x,x)+5Ej
		and	dword ptr [esi], 0

loc_A388C8:				; CODE XREF: DrvDbGetCompositeMappedPropertyKeys(x,x,x,x,x,x)+69j
		pop	esi

loc_A388C9:				; CODE XREF: DrvDbGetCompositeMappedPropertyKeys(x,x,x,x,x,x)+1Bj
		pop	edi
		pop	ebx
		leave
		retn	10h
_DrvDbGetCompositeMappedPropertyKeys@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbGetDeviceIdMappedPropertyKeys(x, x, x,	x, x, x)
_DrvDbGetDeviceIdMappedPropertyKeys@24 proc near ; CODE	XREF: DrvDbDispatchDeviceId+AE8FAp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		xor	ebx, ebx
		mov	eax, ecx
		mov	[ebp+var_4], ebx
		mov	ecx, [ebp+arg_0]
		mov	[ebp+var_8], ebx
		mov	[edi], ebx
		test	ecx, ecx
		jnz	short loc_A3890D
		push	ebx
		push	ebx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	ebx
		push	1
		push	edx
		push	5
		xor	edx, edx
		mov	ecx, eax
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A3893B
		mov	ecx, [ebp+var_4]

loc_A3890D:				; CODE XREF: DrvDbGetDeviceIdMappedPropertyKeys(x,x,x,x,x,x)+1Ej
		push	ebx
		push	ebx
		lea	eax, [ebp+var_8]
		xor	edx, edx
		push	eax
		push	ebx
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A3893B
		cmp	[ebp+var_8], ebx
		jbe	short loc_A3893B
		push	edi
		push	[ebp+arg_8]
		mov	edx, offset off_6B3834
		push	[ebp+arg_4]
		push	3
		call	_DrvDbGetCompositeMappedPropertyKeys@24	; DrvDbGetCompositeMappedPropertyKeys(x,x,x,x,x,x)
		mov	esi, eax

loc_A3893B:				; CODE XREF: DrvDbGetDeviceIdMappedPropertyKeys(x,x,x,x,x,x)+39j
					; DrvDbGetDeviceIdMappedPropertyKeys(x,x,x,x,x,x)+50j ...
		cmp	[ebp+var_4], ebx
		jz	short loc_A38948
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A38948:				; CODE XREF: DrvDbGetDeviceIdMappedPropertyKeys(x,x,x,x,x,x)+6Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_DrvDbGetDeviceIdMappedPropertyKeys@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbGetDriverDatabaseMappedPropertyKeys(x,	x, x, x, x, x)
_DrvDbGetDriverDatabaseMappedPropertyKeys@24 proc near
					; CODE XREF: DrvDbDispatchDriverDatabase+11B048p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		push	eax
		push	ebx
		mov	[ebp+var_14], ecx
		xor	ecx, ecx
		push	edi
		mov	[ebp+var_10], edx
		mov	edx, offset off_6B2AC4
		push	7
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_18], ecx
		mov	[eax], ecx
		call	_DrvDbGetCompositeMappedPropertyKeys@24	; DrvDbGetCompositeMappedPropertyKeys(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A38A79
		mov	ecx, [ebp+arg_C]
		mov	ecx, [ecx]
		test	ecx, ecx
		jz	short loc_A389A8
		test	edi, edi
		jz	short loc_A389A6
		imul	eax, ecx, 14h
		add	edi, eax

loc_A389A6:				; CODE XREF: DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+4Ej
		sub	ebx, ecx

loc_A389A8:				; CODE XREF: DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+4Aj
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_C]
		mov	ecx, [ebp+var_14]
		push	eax
		call	_DrvDbFindDatabaseNode@12 ; DrvDbFindDatabaseNode(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A38A79
		mov	eax, [ebp+var_C]
		test	byte ptr [eax+1Ch], 10h
		jz	short loc_A38A27
		xor	ecx, ecx
		lea	eax, [ebp+var_8]
		push	ecx
		push	ecx
		push	eax
		mov	eax, [ebp+var_14]
		push	ecx
		push	1
		push	[ebp+var_10]
		mov	edx, [eax+14h]
		mov	ecx, eax
		push	1
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A38A5D
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_18]
		push	eax
		push	ebx
		push	edi
		push	4
		push	offset off_405080
		call	_DrvDbGetRegValueMappedPropertyKeys@28 ; DrvDbGetRegValueMappedPropertyKeys(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A38A5D
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jz	short loc_A38A1A
		test	edi, edi
		jz	short loc_A38A18
		imul	eax, ecx, 14h
		add	edi, eax

loc_A38A18:				; CODE XREF: DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+C0j
		sub	ebx, ecx

loc_A38A1A:				; CODE XREF: DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+BCj
		mov	eax, [ebp+var_C]
		test	byte ptr [eax+1Ch], 4
		jz	short loc_A38A27
		xor	esi, esi
		jmp	short loc_A38A5D
; 

loc_A38A27:				; CODE XREF: DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+77j
					; DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+D0j
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_A38A4A
		mov	ecx, [ebp+var_14] ; int
		lea	eax, [ebp+var_4]
		push	edx		; int
		push	eax		; int
		push	edx		; char
		mov	edx, [ebp+var_10] ; wchar_t *
		push	1		; int
		call	DrvDbOpenDriverDatabaseRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A38A5D
		mov	edx, [ebp+var_4]

loc_A38A4A:				; CODE XREF: DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+DBj
		push	[ebp+arg_C]
		push	ebx
		push	edi
		push	0Ch
		push	offset off_4037F8
		call	_DrvDbGetRegValueMappedPropertyKeys@28 ; DrvDbGetRegValueMappedPropertyKeys(x,x,x,x,x,x,x)
		mov	esi, eax

loc_A38A5D:				; CODE XREF: DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+9Aj
					; DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+B5j ...
		cmp	[ebp+var_4], 0
		jz	short loc_A38A6B
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A38A6B:				; CODE XREF: DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+110j
		cmp	[ebp+var_8], 0
		jz	short loc_A38A79
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_A38A79:				; CODE XREF: DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+3Dj
					; DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+6Aj ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_DrvDbGetDriverDatabaseMappedPropertyKeys@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	DrvDbGetDriverFileMappedProperty(int,void *,int,int,int,int)
_DrvDbGetDriverFileMappedProperty@32 proc near
					; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+13Dp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_14]
		mov	esi, edx
		and	dword ptr [ebx], 0
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], ecx
		and	dword ptr [edi], 0
		mov	edx, [eax+10h]
		mov	[ebp+arg_14], edx
		cmp	edx, 2
		jnz	short loc_A38AFB
		push	10h		; size_t
		push	offset _DEVPKEY_NODE ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A38AF5
		mov	eax, [ebp+arg_10]
		mov	ecx, [ebp+var_8]
		push	edi		; int
		shr	eax, 1
		push	eax		; int
		push	[ebp+arg_C]	; void *
		mov	dword ptr [ebx], 12h
		push	esi		; int
		push	4
		pop	edx
		call	_DrvDbGetObjectDatabaseNodeName@24 ; DrvDbGetObjectDatabaseNodeName(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A38AF1
		cmp	esi, 0C0000023h
		jnz	short loc_A38B70

loc_A38AF1:				; CODE XREF: DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)+65j
		shl	dword ptr [edi], 1
		jmp	short loc_A38B70
; 

loc_A38AF5:				; CODE XREF: DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)+43j
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+arg_14]

loc_A38AFB:				; CODE XREF: DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)+2Fj
		xor	ebx, ebx
		xor	esi, esi

loc_A38AFF:				; CODE XREF: DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)+A7j
		mov	ecx, ds:off_405034[esi]
		cmp	[ecx+10h], edx
		jnz	short loc_A38B1D
		push	10h		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A38B2B
		mov	edx, [ebp+arg_14]

loc_A38B1D:				; CODE XREF: DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)+86j
		add	esi, 18h
		inc	ebx
		cmp	esi, 30h
		jnb	short loc_A38B80
		mov	eax, [ebp+arg_4]
		jmp	short loc_A38AFF
; 

loc_A38B2B:				; CODE XREF: DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)+96j
		imul	ebx, 18h
		add	ebx, offset off_405034
		jz	short loc_A38B80
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_A38B5E
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_8]
		push	1
		push	[ebp+var_C]
		push	4
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A38B70
		mov	edx, [ebp+var_4]

loc_A38B5E:				; CODE XREF: DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)+B9j
		push	edi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	ebx
		call	DrvDbGetRegValueMappedProperty
		mov	esi, eax

loc_A38B70:				; CODE XREF: DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)+6Dj
					; DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)+71j ...
		cmp	[ebp+var_4], 0
		jz	short loc_A38B85
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_A38B85
; 

loc_A38B80:				; CODE XREF: DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)+A2j
					; DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)+B2j
		mov	esi, 0C0000016h

loc_A38B85:				; CODE XREF: DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)+F2j
					; DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)+FCj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
_DrvDbGetDriverFileMappedProperty@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbGetDriverFileMappedPropertyKeys(x, x, x, x, x,	x)
_DrvDbGetDriverFileMappedPropertyKeys@24 proc near
					; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+120p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_C]
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_8]
		and	dword ptr [eax], 0
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		push	eax
		push	ebx
		push	edi
		mov	[ebp+var_8], edx
		mov	edx, offset off_6B387C
		push	1
		mov	[ebp+var_C], ecx
		call	_DrvDbGetCompositeMappedPropertyKeys@24	; DrvDbGetCompositeMappedPropertyKeys(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A38C21
		mov	ecx, [ebp+arg_C]
		mov	ecx, [ecx]
		test	ecx, ecx
		jz	short loc_A38BD8
		test	edi, edi
		jz	short loc_A38BD6
		imul	eax, ecx, 14h
		add	edi, eax

loc_A38BD6:				; CODE XREF: DrvDbGetDriverFileMappedPropertyKeys(x,x,x,x,x,x)+41j
		sub	ebx, ecx

loc_A38BD8:				; CODE XREF: DrvDbGetDriverFileMappedPropertyKeys(x,x,x,x,x,x)+3Dj
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_A38C00
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_C]
		push	1
		push	[ebp+var_8]
		push	4
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A38C13
		mov	edx, [ebp+var_4]

loc_A38C00:				; CODE XREF: DrvDbGetDriverFileMappedPropertyKeys(x,x,x,x,x,x)+4Fj
		push	[ebp+arg_C]
		push	ebx
		push	edi
		push	2
		push	offset off_405034
		call	_DrvDbGetRegValueMappedPropertyKeys@28 ; DrvDbGetRegValueMappedPropertyKeys(x,x,x,x,x,x,x)
		mov	esi, eax

loc_A38C13:				; CODE XREF: DrvDbGetDriverFileMappedPropertyKeys(x,x,x,x,x,x)+6Dj
		cmp	[ebp+var_4], 0
		jz	short loc_A38C21
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A38C21:				; CODE XREF: DrvDbGetDriverFileMappedPropertyKeys(x,x,x,x,x,x)+34j
					; DrvDbGetDriverFileMappedPropertyKeys(x,x,x,x,x,x)+89j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_DrvDbGetDriverFileMappedPropertyKeys@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbGetDriverInfFileMappedPropertyKeys(x, x, x, x,	x, x)
_DrvDbGetDriverInfFileMappedPropertyKeys@24 proc near
					; CODE XREF: DrvDbDispatchDriverInfFile+11861Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_C]
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_8]
		and	dword ptr [eax], 0
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		push	eax
		push	ebx
		push	edi
		mov	[ebp+var_8], edx
		mov	edx, offset off_6B3878
		push	1
		mov	[ebp+var_C], ecx
		call	_DrvDbGetCompositeMappedPropertyKeys@24	; DrvDbGetCompositeMappedPropertyKeys(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A38CBD
		mov	ecx, [ebp+arg_C]
		mov	ecx, [ecx]
		test	ecx, ecx
		jz	short loc_A38C74
		test	edi, edi
		jz	short loc_A38C72
		imul	eax, ecx, 14h
		add	edi, eax

loc_A38C72:				; CODE XREF: DrvDbGetDriverInfFileMappedPropertyKeys(x,x,x,x,x,x)+41j
		sub	ebx, ecx

loc_A38C74:				; CODE XREF: DrvDbGetDriverInfFileMappedPropertyKeys(x,x,x,x,x,x)+3Dj
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_A38C9C
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_C]
		push	1
		push	[ebp+var_8]
		push	3
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A38CAF
		mov	edx, [ebp+var_4]

loc_A38C9C:				; CODE XREF: DrvDbGetDriverInfFileMappedPropertyKeys(x,x,x,x,x,x)+4Fj
		push	[ebp+arg_C]
		push	ebx
		push	edi
		push	4
		push	(offset	loc_40166B+5)
		call	_DrvDbGetRegValueMappedPropertyKeys@28 ; DrvDbGetRegValueMappedPropertyKeys(x,x,x,x,x,x,x)
		mov	esi, eax

loc_A38CAF:				; CODE XREF: DrvDbGetDriverInfFileMappedPropertyKeys(x,x,x,x,x,x)+6Dj
		cmp	[ebp+var_4], 0
		jz	short loc_A38CBD
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A38CBD:				; CODE XREF: DrvDbGetDriverInfFileMappedPropertyKeys(x,x,x,x,x,x)+34j
					; DrvDbGetDriverInfFileMappedPropertyKeys(x,x,x,x,x,x)+89j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_DrvDbGetDriverInfFileMappedPropertyKeys@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbGetDriverPackageMappedPropertyKeys(x, x, x, x,	x, x)
_DrvDbGetDriverPackageMappedPropertyKeys@24 proc near
					; CODE XREF: DrvDbDispatchDriverPackage+11AAC1p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		push	ebx
		push	[ebp+arg_8]
		mov	[ebp+var_10], ecx
		xor	ecx, ecx
		push	edi
		mov	[ebp+var_C], edx
		mov	edx, offset off_6B3840
		push	0Eh
		mov	[ebp+var_4], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_18], ecx
		mov	[ebx], ecx
		call	_DrvDbGetCompositeMappedPropertyKeys@24	; DrvDbGetCompositeMappedPropertyKeys(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A38ED7
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	short loc_A38D20
		test	edi, edi
		jz	short loc_A38D1D
		imul	eax, ecx, 14h
		add	edi, eax
		mov	[ebp+arg_4], edi

loc_A38D1D:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+4Dj
		sub	[ebp+arg_8], ecx

loc_A38D20:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+49j
		cmp	[ebp+arg_0], 0
		jnz	short loc_A38D4A
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_10]
		xor	edx, edx
		push	1
		push	[ebp+var_C]
		push	2
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_A38EC9

loc_A38D4A:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+5Ej
		xor	esi, esi
		mov	[ebp+arg_C], edi
		mov	[ebp+var_14], esi

loc_A38D52:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+10Cj
		cmp	[ebp+arg_0], 0
		mov	eax, [ebp+arg_0]
		jnz	short loc_A38D5E
		mov	eax, [ebp+var_4]

loc_A38D5E:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+93j
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_1C]
		push	ecx		; int
		push	0		; int
		push	0		; void *
		lea	ecx, [ebp+var_20]
		push	ecx		; int
		push	ds:off_40502C[esi] ; void *
		mov	ecx, [ebp+var_10]
		push	eax		; int
		call	DrvDbGetDriverPackageMappedProperty
		cmp	eax, 0C0000225h
		jz	short loc_A38DC9
		test	eax, eax
		jz	short loc_A38D8E
		cmp	eax, 0C0000023h
		jnz	short loc_A38DDD

loc_A38D8E:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+BFj
		test	edi, edi
		jz	short loc_A38DBA
		mov	eax, [ebp+var_8]
		cmp	eax, [ebp+arg_8]
		jnb	short loc_A38DBA
		mov	edx, [ebp+arg_C]
		inc	eax
		mov	esi, ds:off_40502C[esi]
		mov	edi, edx
		push	5
		pop	ecx
		rep movsd
		mov	edi, [ebp+arg_4]
		add	edx, 14h
		mov	esi, [ebp+var_14]
		mov	[ebp+var_8], eax
		mov	[ebp+arg_C], edx

loc_A38DBA:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+CAj
					; DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+D2j
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A38DDA

loc_A38DC9:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+BBj
		add	esi, 4
		mov	[ebp+var_14], esi
		cmp	esi, 8
		jb	loc_A38D52
		jmp	short loc_A38DDD
; 

loc_A38DDA:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+101j
		and	dword ptr [ebx], 0

loc_A38DDD:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+C6j
					; DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+112j
		imul	eax, [ebp+var_8], arg_C
		add	eax, edi
		mov	[ebp+var_14], eax
		xor	eax, eax
		mov	[ebp+arg_C], eax

loc_A38DEB:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+1F8j
		and	[ebp+var_24], 0
		cmp	[ebp+arg_0], 0
		mov	ecx, [ebp+arg_0]
		jnz	short loc_A38DFB
		mov	ecx, [ebp+var_4]

loc_A38DFB:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+130j
		mov	edx, ds:off_401738[eax]
		lea	eax, [ebp+var_24]
		push	eax
		push	0
		push	0
		call	_RegRtlQueryValue
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_A38E67
		mov	esi, [ebp+arg_C]
		mov	eax, ds:off_401730[esi]
		cmp	dword ptr [eax+10h], 7
		jnz	short loc_A38E63
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_SignerName ; void	*
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A38E63
		cmp	[ebp+arg_0], eax
		mov	eax, [ebp+arg_0]
		jnz	short loc_A38E46
		mov	eax, [ebp+var_4]

loc_A38E46:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+17Bj
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_18]
		push	ecx		; void *
		mov	ecx, [ebp+var_10]
		push	eax		; int
		call	_DrvDbGetDriverPackageSignerScore@16 ; DrvDbGetDriverPackageSignerScore(x,x,x,x)
		test	eax, eax
		js	short loc_A38E63
		cmp	[ebp+var_18], 0D000003h
		jz	short loc_A38E76

loc_A38E63:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+15Fj
					; DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+173j ...
		xor	esi, esi
		jmp	short loc_A38EB0
; 

loc_A38E67:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+150j
		test	esi, esi
		jz	short loc_A38E73
		cmp	esi, 0C0000023h
		jnz	short loc_A38EC9

loc_A38E73:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+1A3j
		mov	esi, [ebp+arg_C]

loc_A38E76:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+19Bj
		test	edi, edi
		jz	short loc_A38E9F
		mov	edx, [ebp+var_8]
		cmp	edx, [ebp+arg_8]
		jnb	short loc_A38E9F
		mov	eax, [ebp+var_14]
		inc	edx
		mov	esi, ds:off_401730[esi]
		mov	edi, eax
		push	5
		pop	ecx
		rep movsd
		mov	edi, [ebp+arg_4]
		add	eax, 14h
		mov	[ebp+var_8], edx
		mov	[ebp+var_14], eax

loc_A38E9F:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+1B2j
					; DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+1BAj
		mov	ecx, [ebx]
		xor	edx, edx
		push	ebx
		inc	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A38EC6

loc_A38EB0:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+19Fj
		mov	eax, [ebp+arg_C]
		add	eax, 18h
		mov	[ebp+arg_C], eax
		cmp	eax, 300h
		jb	loc_A38DEB
		jmp	short loc_A38EC9
; 

loc_A38EC6:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+1E8j
		and	dword ptr [ebx], 0

loc_A38EC9:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+7Ej
					; DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+1ABj ...
		cmp	[ebp+var_4], 0
		jz	short loc_A38ED7
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A38ED7:				; CODE XREF: DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+3Fj
					; DrvDbGetDriverPackageMappedPropertyKeys(x,x,x,x,x,x)+207j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_DrvDbGetDriverPackageMappedPropertyKeys@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbGetDriverPackageSignerName(x, x, x, x,	x, x)
_DrvDbGetDriverPackageSignerName@24 proc near
					; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+38Bp
					; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+3D1p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		xor	esi, esi
		push	edi
		mov	[ebp+var_4], esi
		mov	edi, esi
		mov	[ebx], esi

loc_A38EF5:				; CODE XREF: DrvDbGetDriverPackageSignerName(x,x,x,x,x,x)+3Fj
		mov	eax, ds:off_401730[edi]
		cmp	dword ptr [eax+10h], 7
		jnz	short loc_A38F15
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_SignerName ; void	*
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A38F2D

loc_A38F15:				; CODE XREF: DrvDbGetDriverPackageSignerName(x,x,x,x,x,x)+1Fj
		add	edi, 18h
		inc	esi
		cmp	edi, 300h
		jb	short loc_A38EF5

loc_A38F21:				; CODE XREF: DrvDbGetDriverPackageSignerName(x,x,x,x,x,x)+56j
		mov	eax, 0C00000E5h

loc_A38F26:				; CODE XREF: DrvDbGetDriverPackageSignerName(x,x,x,x,x,x)+7Bj
					; DrvDbGetDriverPackageSignerName(x,x,x,x,x,x)+84j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_A38F2D:				; CODE XREF: DrvDbGetDriverPackageSignerName(x,x,x,x,x,x)+33j
		imul	ecx, esi, 18h
		add	ecx, offset off_401730
		jz	short loc_A38F21
		mov	edx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, [ebp+arg_8]
		add	eax, eax
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ebp+arg_C]
		push	eax
		push	ecx
		call	DrvDbGetRegValueMappedProperty
		test	eax, eax
		jns	short loc_A38F5D
		cmp	eax, 0C0000023h
		jnz	short loc_A38F26

loc_A38F5D:				; CODE XREF: DrvDbGetDriverPackageSignerName(x,x,x,x,x,x)+74j
		mov	ecx, [ebp+var_4]
		shr	ecx, 1
		mov	[ebx], ecx
		jmp	short loc_A38F26
_DrvDbGetDriverPackageSignerName@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	DrvDbGetObjectDatabaseNodeName(int,void	*,int,int)
_DrvDbGetObjectDatabaseNodeName@24 proc	near
					; CODE XREF: DrvDbGetDeviceIdMappedProperty+AE8BBp
					; DrvDbGetDriverInfFileMappedProperty+11863Cp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		lea	eax, [ebp+var_8]
		push	eax
		xor	esi, esi
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		push	esi
		push	1
		push	[ebp+arg_0]
		mov	[ebp+var_4], esi
		push	edx
		xor	edx, edx
		mov	[ebp+var_8], esi
		mov	[edi], esi
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A38FC6
		mov	eax, [ebp+var_8]
		movzx	ecx, word ptr [eax+8]
		add	ecx, 2
		cmp	[ebp+arg_4], 0
		mov	[edi], ecx
		jz	short loc_A38FC1
		cmp	[ebp+arg_8], ecx
		jb	short loc_A38FC1
		push	ecx		; size_t
		push	dword ptr [eax+0Ch] ; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_A38FC6
; 

loc_A38FC1:				; CODE XREF: DrvDbGetObjectDatabaseNodeName(x,x,x,x,x,x)+43j
					; DrvDbGetObjectDatabaseNodeName(x,x,x,x,x,x)+48j
		mov	esi, 0C0000023h

loc_A38FC6:				; CODE XREF: DrvDbGetObjectDatabaseNodeName(x,x,x,x,x,x)+31j
					; DrvDbGetObjectDatabaseNodeName(x,x,x,x,x,x)+59j
		cmp	[ebp+var_4], 0
		jz	short loc_A38FD4
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A38FD4:				; CODE XREF: DrvDbGetObjectDatabaseNodeName(x,x,x,x,x,x)+64j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	10h
_DrvDbGetObjectDatabaseNodeName@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbGetObjectList(x, x, x,	x, x, x, x, x)
_DrvDbGetObjectList@32 proc near	; CODE XREF: DrvDbDispatchDeviceId+AE8E0p
					; DrvDbDispatchDriverInfFile+118601p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_10]
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		mov	esi, eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	[ebx], eax
		mov	eax, [edi+18h]
		mov	[ebp+var_14], edx
		test	eax, eax
		jz	short loc_A39056
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_10], eax
		push	ecx
		push	edx
		mov	edx, eax
		mov	ecx, edi
		call	DrvDbAcquireDatabaseNodeBaseKey
		mov	esi, eax
		test	esi, esi
		jns	short loc_A39035
		cmp	esi, 0C0000467h
		jnz	loc_A39123
		mov	esi, 0C000003Ah
		jmp	loc_A39123
; 

loc_A39035:				; CODE XREF: DrvDbGetObjectList(x,x,x,x,x,x,x,x)+41j
		push	[ebp+arg_14]
		mov	edx, [ebp+var_4]
		mov	ecx, [edi]
		push	ebx
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_DrvDbGetObjectSubKeyList@32 ; DrvDbGetObjectSubKeyList(x,x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_A39123
; 

loc_A39056:				; CODE XREF: DrvDbGetObjectList(x,x,x,x,x,x,x,x)+2Aj
		lea	ecx, [edi+0Ch]
		mov	eax, [ecx]
		jmp	loc_A390F5
; 

loc_A39060:				; CODE XREF: DrvDbGetObjectList(x,x,x,x,x,x,x,x)+11Ej
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_10], eax
		push	ecx
		push	edx
		mov	edx, eax
		mov	ecx, edi
		call	DrvDbAcquireDatabaseNodeBaseKey
		mov	esi, eax
		cmp	esi, 0C0000467h
		jnz	short loc_A3907F
		xor	esi, esi
		jmp	short loc_A390EA
; 

loc_A3907F:				; CODE XREF: DrvDbGetObjectList(x,x,x,x,x,x,x,x)+9Dj
		test	esi, esi
		js	short loc_A39100
		push	[ebp+arg_14]
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		mov	edx, [ebp+var_4]
		push	eax
		mov	eax, [ebp+arg_C]
		sub	eax, ecx
		push	eax
		mov	eax, [ebp+arg_8]
		lea	eax, [eax+ecx*2]
		mov	ecx, [edi]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_DrvDbGetObjectSubKeyList@32 ; DrvDbGetObjectSubKeyList(x,x,x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	edx, [ebp+arg_10]
		mov	esi, eax
		push	ecx
		mov	ecx, edi
		call	_DrvDbReleaseDatabaseNodeBaseKey@16 ; DrvDbReleaseDatabaseNodeBaseKey(x,x,x,x)
		and	[ebp+var_4], 0
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_A390C9
		dec	eax
		mov	[ebp+var_8], eax

loc_A390C9:				; CODE XREF: DrvDbGetObjectList(x,x,x,x,x,x,x,x)+E7j
		cmp	[ebp+arg_8], 0
		jz	short loc_A390DC
		mov	ecx, [ebp+var_C]
		add	ecx, eax
		cmp	ecx, [ebp+arg_C]
		jnb	short loc_A390DC
		mov	[ebp+var_C], ecx

loc_A390DC:				; CODE XREF: DrvDbGetObjectList(x,x,x,x,x,x,x,x)+F1j
					; DrvDbGetObjectList(x,x,x,x,x,x,x,x)+FBj
		add	[ebx], eax
		cmp	esi, 0C0000023h
		jz	short loc_A390EA
		test	esi, esi
		js	short loc_A39100

loc_A390EA:				; CODE XREF: DrvDbGetObjectList(x,x,x,x,x,x,x,x)+A1j
					; DrvDbGetObjectList(x,x,x,x,x,x,x,x)+108j
		mov	eax, [ebp+arg_10]
		lea	ecx, [edi+0Ch]
		mov	edx, [ebp+var_14]
		mov	eax, [eax]

loc_A390F5:				; CODE XREF: DrvDbGetObjectList(x,x,x,x,x,x,x,x)+7Fj
		mov	[ebp+arg_10], eax
		cmp	eax, ecx
		jnz	loc_A39060

loc_A39100:				; CODE XREF: DrvDbGetObjectList(x,x,x,x,x,x,x,x)+A5j
					; DrvDbGetObjectList(x,x,x,x,x,x,x,x)+10Cj
		mov	eax, [ebx]
		inc	eax
		mov	[ebx], eax
		test	esi, esi
		js	short loc_A39123
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_A3911E
		cmp	eax, [ebp+arg_C]
		ja	short loc_A3911E
		xor	edx, edx
		mov	[ecx+eax*2-2], dx
		jmp	short loc_A39123
; 

loc_A3911E:				; CODE XREF: DrvDbGetObjectList(x,x,x,x,x,x,x,x)+132j
					; DrvDbGetObjectList(x,x,x,x,x,x,x,x)+137j
		mov	esi, 0C0000023h

loc_A39123:				; CODE XREF: DrvDbGetObjectList(x,x,x,x,x,x,x,x)+49j
					; DrvDbGetObjectList(x,x,x,x,x,x,x,x)+54j ...
		cmp	[ebp+var_4], 0
		jz	short loc_A39137
		push	[ebp+var_4]
		mov	edx, [ebp+var_10]
		push	ecx
		mov	ecx, edi
		call	_DrvDbReleaseDatabaseNodeBaseKey@16 ; DrvDbReleaseDatabaseNodeBaseKey(x,x,x,x)

loc_A39137:				; CODE XREF: DrvDbGetObjectList(x,x,x,x,x,x,x,x)+14Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	18h
_DrvDbGetObjectList@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	DrvDbGetObjectSubKeyCallback(int,int,wchar_t *,int)
_DrvDbGetObjectSubKeyCallback@16 proc near
					; DATA XREF: DrvDbGetObjectSubKeyCallback(x,x,x,x)+178o
					; DrvDbGetObjectSubKeyList(x,x,x,x,x,x,x,x)+97o

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_C], eax
		mov	edi, eax
		mov	[ebp+var_8], eax
		mov	esi, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax

loc_A39166:				; CODE XREF: DrvDbGetObjectSubKeyCallback(x,x,x,x)+44j
		push	ds:off_404240[esi] ; wchar_t *
		push	[ebp+arg_8]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_A3936D
		add	esi, 4
		cmp	esi, 4
		jb	short loc_A39166
		push	42444450h
		push	200h
		push	1
		mov	[ebp+var_18], 100h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jz	loc_A3936D
		mov	ebx, [ebp+arg_C]
		xor	ecx, ecx
		lea	eax, [ebx+8]
		cmp	[eax], cx
		jnz	short loc_A391BF
		mov	eax, [ebp+var_18]
		mov	ecx, esi
		jmp	short loc_A39201
; 

loc_A391BF:				; CODE XREF: DrvDbGetObjectSubKeyCallback(x,x,x,x)+76j
		push	900h
		lea	ecx, [ebp+var_8]
		mov	edx, 100h
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	eax
		mov	ecx, esi
		call	RtlStringCchCopyExW
		test	eax, eax
		js	loc_A39364
		mov	eax, [ebp+var_8]
		cmp	eax, 2
		jb	loc_A39364
		mov	ecx, [ebp+var_C]
		push	5Ch
		pop	edx
		mov	[ecx], dx
		add	ecx, 2
		xor	edx, edx
		add	eax, 0FFFFFFFEh
		mov	[ecx], dx

loc_A39201:				; CODE XREF: DrvDbGetObjectSubKeyCallback(x,x,x,x)+7Dj
		push	[ebp+arg_8]
		mov	edx, eax
		call	RtlStringCchCopyW
		test	eax, eax
		js	loc_A39364
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_A3921E
		mov	ecx, eax
		jmp	short loc_A39221
; 

loc_A3921E:				; CODE XREF: DrvDbGetObjectSubKeyCallback(x,x,x,x)+D8j
		mov	ecx, [eax+74h]

loc_A39221:				; CODE XREF: DrvDbGetObjectSubKeyCallback(x,x,x,x)+DCj
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		push	eax
		push	20019h
		push	8
		push	[ebp+arg_8]
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_A39364
		xor	ecx, ecx
		lea	eax, [ebp+var_14]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_10]
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_A39364
		cmp	[ebp+var_10], edi
		jbe	loc_A392E6
		mov	eax, [ebx+4]
		cmp	eax, [ebx]
		jnb	short loc_A392E6
		push	42444450h
		push	21Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+arg_8], eax
		test	eax, eax
		jz	loc_A39364
		mov	edi, eax
		mov	ecx, 87h
		mov	esi, ebx
		mov	edx, 100h
		rep movsd
		mov	esi, [ebp+var_1C]
		mov	edi, eax
		push	900h
		xor	eax, eax
		push	eax
		inc	dword ptr [edi+4]
		lea	ecx, [edi+8]
		push	eax
		push	esi
		call	RtlStringCchCopyExW
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		push	edi
		push	offset _DrvDbGetObjectSubKeyCallback@16	; DrvDbGetObjectSubKeyCallback(x,x,x,x)
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		mov	eax, [edi+210h]
		mov	[ebx+210h], eax
		mov	eax, [edi+214h]
		mov	[ebx+214h], eax
		mov	eax, [edi+218h]
		mov	[ebx+218h], eax

loc_A392E6:				; CODE XREF: DrvDbGetObjectSubKeyCallback(x,x,x,x)+11Ej
					; DrvDbGetObjectSubKeyCallback(x,x,x,x)+129j
		cmp	[ebp+var_14], 0
		jbe	short loc_A39357
		mov	eax, [ebx+208h]
		test	eax, eax
		jz	short loc_A39309
		push	dword ptr [ebx+20Ch]
		xor	ecx, ecx
		push	ecx
		push	esi
		push	[ebp+arg_0]
		call	eax
		test	al, al
		jz	short loc_A39357

loc_A39309:				; CODE XREF: DrvDbGetObjectSubKeyCallback(x,x,x,x)+1B4j
		push	esi
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A39357
		movzx	eax, word ptr [ebp+var_24+2]
		mov	edx, [ebx+214h]
		shr	eax, 1
		add	[ebx+218h], eax
		mov	[ebp+arg_8], eax
		cmp	edx, eax
		jbe	short loc_A39357
		mov	ecx, [ebx+210h]
		xor	eax, eax
		push	900h
		push	eax
		push	eax
		push	esi
		call	RtlStringCchCopyExW
		mov	ecx, [ebp+arg_8]
		lea	eax, [ecx+ecx]
		add	[ebx+210h], eax
		sub	[ebx+214h], ecx

loc_A39357:				; CODE XREF: DrvDbGetObjectSubKeyCallback(x,x,x,x)+1AAj
					; DrvDbGetObjectSubKeyCallback(x,x,x,x)+1C7j ...
		test	edi, edi
		jz	short loc_A39364
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A39364:				; CODE XREF: DrvDbGetObjectSubKeyCallback(x,x,x,x)+9Bj
					; DrvDbGetObjectSubKeyCallback(x,x,x,x)+A7j ...
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3936D:				; CODE XREF: DrvDbGetObjectSubKeyCallback(x,x,x,x)+38j
					; DrvDbGetObjectSubKeyCallback(x,x,x,x)+65j
		cmp	[ebp+var_4], 0
		jz	short loc_A3937B
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A3937B:				; CODE XREF: DrvDbGetObjectSubKeyCallback(x,x,x,x)+231j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	10h
_DrvDbGetObjectSubKeyCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbGetObjectSubKeyList(x,	x, x, x, x, x, x, x)
_DrvDbGetObjectSubKeyList@32 proc near	; CODE XREF: DrvDbGetObjectList(x,x,x,x,x,x,x,x)+6Ep
					; DrvDbGetObjectList(x,x,x,x,x,x,x,x)+C9p

var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 230h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_10]
		mov	[ebp+var_224], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_22C], edx
		and	dword ptr [edi], 0
		mov	[ebp+var_230], ecx
		mov	[ebp+var_228], eax
		test	esi, esi
		jz	short loc_A393D3
		test	ebx, ebx
		jz	short loc_A393D3
		xor	eax, eax
		mov	[esi], ax

loc_A393D3:				; CODE XREF: DrvDbGetObjectSubKeyList(x,x,x,x,x,x,x,x)+44j
					; DrvDbGetObjectSubKeyList(x,x,x,x,x,x,x,x)+48j
		push	204h		; size_t
		lea	eax, [ebp+var_21C]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+arg_14]
		add	esp, 0Ch
		mov	edx, [ebp+var_22C]
		mov	ecx, [ebp+var_230]
		and	[ebp+var_8], 0
		mov	[ebp+var_220], eax
		mov	eax, [ebp+var_224]
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_228]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_220]
		push	eax
		push	offset _DrvDbGetObjectSubKeyCallback@16	; DrvDbGetObjectSubKeyCallback(x,x,x,x)
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], ebx
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		test	eax, eax
		js	short loc_A39455
		mov	ecx, [ebp+var_8]
		mov	[edi], ecx
		test	ecx, ecx
		jnz	short loc_A3943C
		xor	eax, eax
		jmp	short loc_A39455
; 

loc_A3943C:				; CODE XREF: DrvDbGetObjectSubKeyList(x,x,x,x,x,x,x,x)+B2j
		inc	ecx
		mov	[edi], ecx
		test	esi, esi
		jz	short loc_A39450
		cmp	ecx, ebx
		ja	short loc_A39450
		xor	edx, edx
		mov	[esi+ecx*2-2], dx
		jmp	short loc_A39455
; 

loc_A39450:				; CODE XREF: DrvDbGetObjectSubKeyList(x,x,x,x,x,x,x,x)+BDj
					; DrvDbGetObjectSubKeyList(x,x,x,x,x,x,x,x)+C1j
		mov	eax, 0C0000023h

loc_A39455:				; CODE XREF: DrvDbGetObjectSubKeyList(x,x,x,x,x,x,x,x)+A9j
					; DrvDbGetObjectSubKeyList(x,x,x,x,x,x,x,x)+B6j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_DrvDbGetObjectSubKeyList@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbGetRegValueMappedPropertyKeys(x, x, x,	x, x, x, x)
_DrvDbGetRegValueMappedPropertyKeys@28 proc near
					; CODE XREF: DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+ACp
					; DrvDbGetDriverDatabaseMappedPropertyKeys(x,x,x,x,x,x)+105p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	eax, eax
		mov	ecx, edx
		and	[ebp+var_4], eax
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], edi
		cmp	[ebp+arg_4], eax
		jbe	loc_A3950A
		mov	esi, [ebp+arg_8]
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_8], esi

loc_A39492:				; CODE XREF: DrvDbGetRegValueMappedPropertyKeys(x,x,x,x,x,x,x)+9Dj
		mov	edx, [ebx+8]
		lea	eax, [ebp+arg_0]
		and	[ebp+arg_0], 0
		push	eax
		push	0
		push	0
		call	_RegRtlQueryValue
		cmp	eax, 0C0000034h
		jnz	short loc_A394B1
		xor	eax, eax
		jmp	short loc_A394F6
; 

loc_A394B1:				; CODE XREF: DrvDbGetRegValueMappedPropertyKeys(x,x,x,x,x,x,x)+45j
		test	eax, eax
		jz	short loc_A394BC
		cmp	eax, 0C0000023h
		jnz	short loc_A3950A

loc_A394BC:				; CODE XREF: DrvDbGetRegValueMappedPropertyKeys(x,x,x,x,x,x,x)+4Dj
		test	esi, esi
		jz	short loc_A394E1
		mov	eax, [ebp+var_4]
		cmp	eax, [ebp+arg_C]
		jnb	short loc_A394E1
		mov	edx, [ebp+var_8]
		inc	eax
		mov	esi, [ebx]
		mov	edi, edx
		push	5
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_C]
		add	edx, 14h
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], edx

loc_A394E1:				; CODE XREF: DrvDbGetRegValueMappedPropertyKeys(x,x,x,x,x,x,x)+58j
					; DrvDbGetRegValueMappedPropertyKeys(x,x,x,x,x,x,x)+60j
		mov	esi, [ebp+arg_10]
		xor	edx, edx
		push	esi
		inc	edx
		mov	ecx, [esi]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A39507
		mov	esi, [ebp+arg_8]

loc_A394F6:				; CODE XREF: DrvDbGetRegValueMappedPropertyKeys(x,x,x,x,x,x,x)+49j
		mov	ecx, [ebp+var_10]
		inc	edi
		add	ebx, 18h
		mov	[ebp+var_C], edi
		cmp	edi, [ebp+arg_4]
		jb	short loc_A39492
		jmp	short loc_A3950A
; 

loc_A39507:				; CODE XREF: DrvDbGetRegValueMappedPropertyKeys(x,x,x,x,x,x,x)+8Bj
		and	dword ptr [esi], 0

loc_A3950A:				; CODE XREF: DrvDbGetRegValueMappedPropertyKeys(x,x,x,x,x,x,x)+1Dj
					; DrvDbGetRegValueMappedPropertyKeys(x,x,x,x,x,x,x)+54j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_DrvDbGetRegValueMappedPropertyKeys@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	DrvDbSetDeviceIdDriverInfMatches(wchar_t *,int)
_DrvDbSetDeviceIdDriverInfMatches@16 proc near
					; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+121p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= word ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	esi
		push	edi
		xor	edi, edi
		lea	ecx, [ebp+var_1C]
		push	edi
		push	ecx
		mov	eax, edx
		mov	[ebp+var_28], edi
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_C], eax
		push	ecx
		push	edi
		xor	edx, edx
		mov	[ebp+var_8], edi
		mov	ecx, eax
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], edi
		mov	dword ptr [ebp+var_20],	edi
		call	__RegRtlQueryInfoKey@24	; _RegRtlQueryInfoKey(x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_18], esi
		test	esi, esi
		js	loc_A3981B
		mov	eax, [ebp+var_1C]
		push	ebx
		mov	ebx, [ebp+arg_0]
		inc	eax
		mov	[ebp+var_4], eax
		test	ebx, ebx
		jz	loc_A39773
		xor	ecx, ecx
		mov	edi, ebx
		push	5Ch
		pop	edx
		cmp	[ebx], cx
		jz	short loc_A395D0
		mov	ebx, eax
		xor	esi, esi

loc_A39574:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+B1j
		push	edx		; wchar_t
		push	edi		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_A39587
		sub	ecx, edi
		jmp	short loc_A39599
; 

loc_A39587:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+70j
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_A3958C:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+84j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A3958C
		sub	ecx, edx

loc_A39599:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+74j
		sar	ecx, 1
		inc	ecx
		cmp	ecx, ebx
		jbe	short loc_A395A2
		mov	ebx, ecx

loc_A395A2:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+8Dj
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_A395A7:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+9Fj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A395A7
		sub	ecx, edx
		sar	ecx, 1
		push	5Ch
		pop	edx
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], si
		jnz	short loc_A39574
		mov	esi, [ebp+var_18]
		mov	[ebp+var_4], ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, [ebp+var_4]

loc_A395D0:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+5Dj
		push	42444450h
		add	eax, eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A39794
		xor	edx, edx
		mov	eax, edx
		mov	[ebp+var_24], edx
		cmp	[ebp+var_8], eax
		jbe	loc_A396F3

loc_A395F9:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+1CCj
		mov	ecx, [ebp+var_4]
		push	edx		; int
		mov	[ebp+var_10], ecx
		lea	ecx, [ebp+var_14]
		push	edx		; void *
		push	ecx		; int
		lea	ecx, [ebp+var_10]
		mov	edx, eax
		push	ecx		; int
		mov	ecx, [ebp+var_C]
		push	edi		; void *
		call	_RegRtlEnumValue
		mov	esi, eax
		mov	[ebp+var_18], esi
		test	esi, esi
		js	loc_A396E5
		cmp	[ebp+var_14], 3
		jz	short loc_A39631
		cmp	[ebp+var_14], 0
		jnz	loc_A396D1

loc_A39631:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+114j
		xor	edx, edx
		mov	eax, ebx
		mov	[ebp+var_1C], eax
		cmp	[ebx], dx
		jz	short loc_A39692
		mov	esi, [ebp+var_10]

loc_A39640:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+16Fj
		push	esi		; size_t
		push	edi		; wchar_t *
		push	ebx		; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A39660
		movzx	eax, word ptr [ebx+esi*2]
		push	5Ch
		pop	ecx
		cmp	ax, cx
		jz	short loc_A39684
		test	ax, ax
		jz	short loc_A39684

loc_A39660:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+13Cj
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_A39665:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+15Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_28]
		jnz	short loc_A39665
		sub	ecx, edx
		xor	edx, edx
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]
		add	ebx, 2
		cmp	[ebx], dx
		jnz	short loc_A39640
		jmp	short loc_A39686
; 

loc_A39684:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+148j
					; DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+14Dj
		xor	edx, edx

loc_A39686:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+171j
		mov	esi, [ebp+var_18]
		mov	[ebp+var_1C], ebx
		mov	ebx, [ebp+arg_0]
		mov	eax, [ebp+var_1C]

loc_A39692:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+12Aj
		cmp	[eax], dx
		jnz	short loc_A396D3
		push	edi
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], edx
		push	eax
		mov	[ebp+var_2C], edx
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A396BB
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_C]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		mov	esi, eax

loc_A396BB:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+19Aj
		cmp	esi, 0C0000034h
		jnz	short loc_A396C9
		xor	edx, edx
		mov	esi, edx
		jmp	short loc_A396D3
; 

loc_A396C9:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+1B0j
		test	esi, esi
		js	loc_A39811

loc_A396D1:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+11Aj
		xor	edx, edx

loc_A396D3:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+184j
					; DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+1B6j
		mov	eax, [ebp+var_24]
		inc	eax
		mov	[ebp+var_24], eax
		cmp	eax, [ebp+var_8]
		jb	loc_A395F9
		jmp	short loc_A396F3
; 

loc_A396E5:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+10Aj
		lea	eax, [esi+7FFFFFE6h]
		neg	eax
		sbb	eax, eax
		and	esi, eax
		xor	edx, edx

loc_A396F3:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+E2j
					; DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+1D2j
		test	esi, esi
		js	loc_A39811
		cmp	[ebx], dx
		jz	loc_A39811

loc_A39704:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+25Bj
		lea	eax, [ebp+var_20]
		mov	edx, edi	; int
		push	eax		; wchar_t *
		push	[ebp+var_4]	; int
		mov	ecx, ebx	; wchar_t *
		call	_DrvDbSplitDeviceIdDriverInfMatch@16 ; DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A39811
		cmp	byte ptr [ebp+var_20], 0
		jnz	short loc_A3972C
		xor	edx, edx
		mov	eax, edx
		mov	ecx, edx
		jmp	short loc_A39735
; 

loc_A3972C:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+211j
		push	3
		pop	eax
		push	4
		lea	ecx, [ebp+var_20]
		pop	edx

loc_A39735:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+219j
		push	edx
		push	ecx
		mov	ecx, [ebp+var_C]
		mov	edx, edi
		push	eax
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A39811
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_A39751:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+24Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_28]
		jnz	short loc_A39751
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		lea	ebx, [ebx+ecx*2]
		add	ebx, 2
		cmp	[ebx], ax
		jnz	short loc_A39704
		jmp	loc_A39811
; 

loc_A39773:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+4Dj
		cmp	[ebp+var_8], edi
		jnz	short loc_A3977F
		mov	esi, edi
		jmp	loc_A3981A
; 

loc_A3977F:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+265j
		push	42444450h
		add	eax, eax
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A3979B

loc_A39794:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+D2j
		mov	esi, 0C0000017h
		jmp	short loc_A3981A
; 

loc_A3979B:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+281j
		xor	eax, eax
		mov	ebx, eax
		cmp	[ebp+var_8], eax
		jbe	short loc_A39811

loc_A397A4:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+2F0j
		mov	eax, [ebp+var_4]
		xor	esi, esi
		mov	ecx, [ebp+var_C]
		mov	edx, ebx
		push	esi		; int
		push	esi		; void *
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_10]
		push	esi		; int
		push	eax		; int
		push	edi		; void *
		call	_RegRtlEnumValue
		test	eax, eax
		js	short loc_A39805
		push	edi
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], esi
		push	eax
		mov	[ebp+var_2C], esi
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A397E6
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_C]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		mov	esi, eax

loc_A397E6:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+2C5j
		mov	ecx, 0C0000034h
		cmp	esi, ecx
		jz	short loc_A397F3
		test	esi, esi
		js	short loc_A39811

loc_A397F3:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+2DCj
		mov	eax, esi
		sub	eax, ecx
		neg	eax
		sbb	eax, eax
		and	esi, eax
		inc	ebx
		cmp	ebx, [ebp+var_8]
		jb	short loc_A397A4
		jmp	short loc_A39811
; 

loc_A39805:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+2AFj
		lea	esi, [eax+7FFFFFE6h]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_A39811:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+1BAj
					; DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+1E4j ...
		xor	ebx, ebx
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3981A:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+269j
					; DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+288j
		pop	ebx

loc_A3981B:				; CODE XREF: DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+3Aj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	8
_DrvDbSetDeviceIdDriverInfMatches@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	DrvDbSetDeviceIdMappedProperty(int,void	*,int,wchar_t *,int)
_DrvDbSetDeviceIdMappedProperty@28 proc	near ; CODE XREF: DrvDbDispatchDeviceId+AE917p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		xor	edi, edi
		mov	edx, [eax+10h]
		mov	[ebp+var_10], ecx
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edx
		cmp	edx, 2
		jnz	short loc_A3986A
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceId_DriverInfNames	; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A39864
		mov	esi, 0C0000022h
		jmp	loc_A39979
; 

loc_A39864:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+35j
		mov	eax, [ebp+arg_4]
		mov	edx, [ebp+var_8]

loc_A3986A:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+21j
		push	ebx
		mov	ebx, edi
		mov	esi, edi

loc_A3986F:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+7Aj
		mov	ecx, ds:off_405064[esi]
		cmp	[ecx+10h], edx
		jnz	short loc_A3988D
		push	10h		; size_t
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A3989F
		mov	edx, [ebp+var_8]

loc_A3988D:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+55j
		add	esi, 18h
		inc	ebx
		cmp	esi, 18h
		jnb	loc_A39973
		mov	eax, [ebp+arg_4]
		jmp	short loc_A3986F
; 

loc_A3989F:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+65j
		imul	eax, ebx, 18h
		add	eax, offset off_405064
		mov	[ebp+var_8], eax
		jz	loc_A39973
		mov	esi, [ebp+arg_8]
		cmp	esi, [eax+4]
		jz	short loc_A398C6
		test	esi, esi
		jz	short loc_A398C6
		mov	esi, 0C000000Dh
		jmp	loc_A39978
; 

loc_A398C6:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+93j
					; DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+97j
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jnz	short loc_A398F1
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_4]
		push	edi
		push	edi
		push	eax
		push	edi
		push	3
		push	[ebp+var_C]
		xor	edx, edx
		push	5
		call	DrvDbOpenObjectRegKey
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_A39967
		mov	esi, [ebp+arg_8]

loc_A398F1:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+A8j
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax+10h], 3
		jnz	short loc_A3994B
		push	10h		; size_t
		push	offset _DEVPKEY_DeviceId_DriverInfMatches ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A3994B
		cmp	esi, 2012h
		jnz	short loc_A3992A
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_A39923
		cmp	[ebp+arg_10], 0
		jnz	short loc_A3993A

loc_A39923:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+F8j
					; DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+109j ...
		mov	esi, 0C000000Dh
		jmp	short loc_A39967
; 

loc_A3992A:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+F1j
		test	esi, esi
		jnz	short loc_A39923
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jnz	short loc_A39923
		cmp	[ebp+arg_10], eax
		jnz	short loc_A39923

loc_A3993A:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+FEj
		test	ebx, ebx
		jnz	short loc_A39940
		mov	ebx, edi

loc_A39940:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+119j
		push	ecx		; int
		push	eax		; wchar_t *
		mov	edx, ebx
		call	_DrvDbSetDeviceIdDriverInfMatches@16 ; DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)
		jmp	short loc_A39962
; 

loc_A3994B:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+D5j
					; DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+E9j
		test	ebx, ebx
		jnz	short loc_A39951
		mov	ebx, edi

loc_A39951:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+12Aj
		push	[ebp+arg_10]
		mov	edx, ebx
		push	[ebp+arg_C]
		push	esi
		push	[ebp+var_8]
		call	_DrvDbSetRegValueMappedProperty@24 ; DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)

loc_A39962:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+126j
		mov	edi, [ebp+var_4]
		mov	esi, eax

loc_A39967:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+C9j
					; DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+105j
		test	edi, edi
		jz	short loc_A39978
		push	edi
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_A39978
; 

loc_A39973:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+71j
					; DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+87j
		mov	esi, 0C0000016h

loc_A39978:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+9Ej
					; DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+146j ...
		pop	ebx

loc_A39979:				; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+3Cj
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	14h
_DrvDbSetDeviceIdMappedProperty@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall DrvDbSetDriverDatabaseMappedProperty(int,wchar_t *,int,void *,int,void	*,int)
_DrvDbSetDriverDatabaseMappedProperty@28 proc near
					; CODE XREF: DrvDbDispatchDriverDatabase+11B069p
					; DrvDbCreateDatabaseNode+9C7F4p ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[esp+38h+var_18], edx
		xor	ecx, ecx
		mov	eax, ecx
		mov	[esp+38h+var_1C], ecx
		push	offset ??_C@_13BBDEGPLJ@?$AA?$CK@NNGAKEGL@ ; wchar_t *
		push	edx		; wchar_t *
		mov	ebx, ecx
		mov	[esp+40h+var_28], eax
		mov	[esp+40h+var_8], ecx
		mov	[esp+40h+var_4], ecx
		call	__wcsicmp
		mov	edi, [ebp+arg_4]
		pop	ecx
		pop	ecx
		mov	ecx, [edi+10h]
		mov	[esp+38h+var_20], ecx
		test	eax, eax
		jnz	loc_A39A7A
		cmp	ecx, 6
		jnz	short loc_A39A19
		push	10h		; size_t
		push	offset _DEVPKEY_DriverDatabase_Selected	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A39A70
		cmp	[ebp+arg_8], 11h
		jnz	loc_A39EDA
		cmp	[ebp+arg_10], 1
		jnz	loc_A39EDA
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	loc_A39EDA
		cmp	byte ptr [eax],	0FFh
		jnz	loc_A39EDF
		xor	edx, edx
		mov	[esi+18h], edx
		jmp	loc_A39EDF
; 

loc_A39A19:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+4Cj
		cmp	ecx, 0Bh
		jnz	short loc_A39A70
		push	10h		; size_t
		push	offset _DEVPKEY_DriverDatabase_AccessMask ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A39A70
		cmp	[ebp+arg_8], 7
		jnz	loc_A39EDA
		cmp	[ebp+arg_10], 4
		jnz	loc_A39EDA
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	loc_A39EDA
		mov	eax, [eax]

loc_A39A53:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+34Aj
		mov	ecx, 0D0000000h
		and	eax, ecx
		mov	[esi+8], eax
		cmp	eax, 10000000h
		jnz	loc_A39EDF
		mov	[esi+8], ecx
		jmp	loc_A39EDF
; 

loc_A39A70:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+60j
					; DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+9Bj ...
		mov	ebx, 0C00000BBh
		jmp	loc_A39EDF
; 

loc_A39A7A:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+43j
		cmp	ecx, 2
		jnz	short loc_A39AA1
		push	10h		; size_t
		push	offset _DEVPKEY_NODE ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A39A9D

loc_A39A93:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+208j
					; DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+342j ...
		mov	ebx, 0C0000022h
		jmp	loc_A39EDF
; 

loc_A39A9D:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+110j
		mov	ecx, [esp+38h+var_20]

loc_A39AA1:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+FCj
		xor	edx, edx

loc_A39AA3:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+147j
		mov	eax, off_6B2AC4[ebx]
		cmp	[eax+10h], ecx
		jnz	short loc_A39AC2
		push	10h		; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A39B28
		mov	ecx, [esp+38h+var_20]

loc_A39AC2:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+12Bj
		add	ebx, 4
		cmp	ebx, 1Ch
		jb	short loc_A39AA3
		xor	eax, eax
		mov	edx, eax
		mov	[esp+38h+var_24], eax
		mov	[esp+38h+var_14], edx
		mov	[esp+38h+var_10], eax

loc_A39ADA:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+1A0j
		mov	ebx, ds:off_4037F8[eax]
		mov	[esp+38h+var_C], ebx
		cmp	[ebx+10h], ecx
		mov	ebx, [esp+38h+var_24]
		jnz	short loc_A39B10
		push	10h		; size_t
		push	edi		; void *
		push	[esp+40h+var_C]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_A39CD0
		mov	ecx, [esp+38h+var_20]
		mov	eax, [esp+38h+var_10]
		mov	edx, [esp+38h+var_14]

loc_A39B10:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+16Aj
		add	eax, 18h
		inc	edx
		mov	[esp+38h+var_14], edx
		mov	[esp+38h+var_10], eax
		cmp	eax, 120h
		jb	short loc_A39ADA
		jmp	loc_A39CDF
; 

loc_A39B28:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+13Bj
		mov	edx, [esp+38h+var_18]
		lea	eax, [esp+38h+var_28]
		push	eax
		mov	ecx, esi
		call	_DrvDbFindDatabaseNode@12 ; DrvDbFindDatabaseNode(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A39EDF
		mov	eax, [edi+10h]
		cmp	eax, 5
		jnz	short loc_A39BC7
		push	10h		; size_t
		push	offset _DEVPKEY_DriverDatabase_Loaded ;	void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A39EDF
		cmp	[ebp+arg_8], 11h
		jnz	loc_A39EDA
		cmp	[ebp+arg_10], 1
		jnz	loc_A39EDA
		mov	ebx, [ebp+arg_C]
		test	ebx, ebx
		jz	loc_A39EDA
		mov	eax, [esp+38h+var_28]
		test	byte ptr [eax+1Ch], 1
		jnz	loc_A39A93
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [esp+38h+var_28]
		push	1
		push	dword ptr [edi+4Ch]
		call	ExAcquireResourceExclusiveLite
		cmp	byte ptr [ebx],	0FFh
		mov	edx, edi
		mov	ecx, esi
		jnz	short loc_A39BBB
		call	DrvDbLoadDatabaseNode
		jmp	short loc_A39BC0
; 

loc_A39BBB:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+231j
		call	DrvDbUnloadDatabaseNode

loc_A39BC0:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+238j
		mov	ebx, eax
		jmp	loc_A39EC4
; 

loc_A39BC7:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+1C7j
		cmp	eax, 6
		jnz	short loc_A39C25
		push	10h		; size_t
		push	offset _DEVPKEY_DriverDatabase_Selected	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A39EDF
		cmp	[ebp+arg_8], 11h
		jnz	loc_A39EDA
		cmp	[ebp+arg_10], 1
		jnz	loc_A39EDA
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	loc_A39EDA
		cmp	byte ptr [eax],	0FFh
		mov	eax, [esp+38h+var_28]
		jnz	short loc_A39C14

loc_A39C0C:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+2A2j
		mov	[esi+18h], eax
		jmp	loc_A39EDF
; 

loc_A39C14:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+289j
		cmp	eax, [esi+18h]
		jz	short loc_A39C21
		test	eax, eax
		jnz	loc_A39EDF

loc_A39C21:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+296j
		xor	eax, eax
		jmp	short loc_A39C0C
; 

loc_A39C25:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+249j
		cmp	eax, 7
		jnz	short loc_A39C7C
		push	10h		; size_t
		push	offset _DEVPKEY_DriverDatabase_Disabled	; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A39EDF
		cmp	[ebp+arg_8], 11h
		jnz	loc_A39EDA
		cmp	[ebp+arg_10], 1
		jnz	loc_A39EDA
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	loc_A39EDA
		cmp	byte ptr [eax],	0FFh
		mov	eax, [esp+38h+var_28]
		jnz	short loc_A39C73
		or	dword ptr [eax+1Ch], 4
		jmp	loc_A39EDF
; 

loc_A39C73:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+2E7j
		and	dword ptr [eax+1Ch], 0FFFFFFFBh
		jmp	loc_A39EDF
; 

loc_A39C7C:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+2A7j
		cmp	eax, 0Bh
		jnz	loc_A39EDF
		push	10h		; size_t
		push	offset _DEVPKEY_DriverDatabase_AccessMask ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A39EDF
		cmp	[ebp+arg_8], 7
		jnz	loc_A39EDA
		cmp	[ebp+arg_10], 4
		jnz	loc_A39EDA
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	loc_A39EDA
		mov	eax, [esp+38h+var_28]
		cmp	eax, [esi+14h]
		jnz	loc_A39A93
		mov	eax, [ecx]
		jmp	loc_A39A53
; 

loc_A39CD0:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+17Dj
		imul	ebx, [esp+38h+var_14], arg_10
		add	ebx, offset off_4037F8
		mov	[esp+38h+var_24], ebx

loc_A39CDF:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+1A2j
		test	ebx, ebx
		jnz	loc_A39D8D
		xor	eax, eax
		mov	edx, eax
		mov	[esp+38h+var_24], eax
		mov	ecx, eax
		mov	[esp+38h+var_14], edx
		mov	eax, [esp+38h+var_20]
		mov	[esp+38h+var_10], ecx

loc_A39CFD:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+3BDj
		mov	ebx, ds:off_405080[ecx]
		mov	[esp+38h+var_C], ebx
		cmp	[ebx+10h], eax
		mov	ebx, [esp+38h+var_24]
		jnz	short loc_A39D2F
		push	10h		; size_t
		push	edi		; void *
		push	[esp+40h+var_C]	; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A39D42
		mov	eax, [esp+38h+var_20]
		mov	ecx, [esp+38h+var_10]
		mov	edx, [esp+38h+var_14]

loc_A39D2F:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+38Dj
		add	ecx, 18h
		inc	edx
		mov	[esp+38h+var_14], edx
		mov	[esp+38h+var_10], ecx
		cmp	ecx, 60h
		jb	short loc_A39CFD
		jmp	short loc_A39D51
; 

loc_A39D42:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+3A0j
		imul	ebx, [esp+38h+var_14], arg_10
		add	ebx, offset off_405080
		mov	[esp+38h+var_24], ebx

loc_A39D51:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+3BFj
		test	ebx, ebx
		jnz	short loc_A39D5F
		mov	ebx, 0C0000016h
		jmp	loc_A39EDF
; 

loc_A39D5F:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+3D2j
		mov	edx, [esp+38h+var_18]
		lea	eax, [esp+38h+var_28]
		push	eax
		mov	ecx, esi
		call	_DrvDbFindDatabaseNode@12 ; DrvDbFindDatabaseNode(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A39EDF
		mov	eax, [esp+38h+var_28]
		test	byte ptr [eax+1Ch], 10h
		jz	loc_A39A93
		mov	ebx, [esp+38h+var_24]
		jmp	short loc_A39D91
; 

loc_A39D8D:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+360j
		mov	eax, [esp+38h+var_28]

loc_A39D91:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+40Aj
		mov	ecx, [ebp+arg_8]
		cmp	ecx, [ebx+4]
		jz	short loc_A39DA1
		test	ecx, ecx
		jnz	loc_A39EDA

loc_A39DA1:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+416j
		cmp	[ebp+arg_0], 0
		jz	short loc_A39DB1
		test	eax, eax
		jz	short loc_A39E00
		test	byte ptr [eax+1Ch], 10h
		jz	short loc_A39E00

loc_A39DB1:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+424j
		test	eax, eax
		jz	short loc_A39DD9
		test	byte ptr [eax+1Ch], 10h
		jz	short loc_A39DD9
		mov	edx, [esi+14h]
		lea	eax, [esp+38h+var_1C]
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	ecx
		push	2
		push	[esp+4Ch+var_18]
		mov	ecx, esi
		push	1
		call	DrvDbOpenObjectRegKey
		jmp	short loc_A39DEF
; 

loc_A39DD9:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+432j
					; DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+438j
		mov	edx, [esp+38h+var_18] ;	wchar_t	*
		lea	eax, [esp+38h+var_1C]
		xor	ecx, ecx
		push	ecx		; int
		push	eax		; int
		push	ecx		; char
		push	2		; int
		mov	ecx, esi	; int
		call	DrvDbOpenDriverDatabaseRegKey

loc_A39DEF:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+456j
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A39EDF
		mov	ecx, [ebp+arg_8]
		mov	ebx, [esp+38h+var_24]

loc_A39E00:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+428j
					; DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+42Ej
		mov	edx, [esp+38h+var_1C]
		test	edx, edx
		jnz	short loc_A39E0B
		mov	edx, [ebp+arg_0]

loc_A39E0B:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+485j
		mov	esi, [ebp+arg_10]
		push	esi
		push	[ebp+arg_C]
		push	ecx
		push	ebx
		call	_DrvDbSetRegValueMappedProperty@24 ; DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A39EDF
		mov	eax, [esp+38h+var_28]
		test	eax, eax
		jz	loc_A39EDF
		test	byte ptr [eax+1Ch], 10h
		jz	loc_A39EDF
		cmp	dword ptr [edi+10h], 0Eh
		jnz	loc_A39EDF
		push	10h		; size_t
		push	offset _DEVPKEY_DriverDatabase_RegistryPath ; void *
		push	edi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A39EDF
		cmp	[ebp+arg_8], eax
		jz	short loc_A39EDF
		cmp	esi, 2
		jb	short loc_A39EDA
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_A39EDA
		shr	esi, 1
		xor	edx, edx
		cmp	[eax+esi*2-2], dx
		jnz	short loc_A39EDA
		push	eax		; void *
		lea	eax, [esp+3Ch+var_8]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jnz	short loc_A39E8D
		mov	ebx, 0C000009Ah
		jmp	short loc_A39EDF
; 

loc_A39E8D:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+503j
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, [esp+38h+var_28]
		push	1
		push	dword ptr [edi+4Ch]
		call	ExAcquireResourceExclusiveLite
		lea	esi, [edi+14h]
		push	esi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		xor	eax, eax
		mov	[edi+10h], eax
		mov	eax, [esp+38h+var_8]
		mov	[esi], eax
		mov	eax, [esp+38h+var_4]
		mov	[esi+4], eax

loc_A39EC4:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+241j
		mov	ecx, [edi+4Ch]
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		jmp	short loc_A39EDF
; 

loc_A39EDA:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+6Aj
					; DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+74j ...
		mov	ebx, 0C000000Dh

loc_A39EDF:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+88j
					; DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+93j ...
		cmp	[esp+38h+var_1C], 0
		jz	short loc_A39EEF
		push	[esp+38h+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_A39EEF:				; CODE XREF: DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+563j
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_DrvDbSetDriverDatabaseMappedProperty@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	DrvDbSetDriverFileMappedProperty(int,void *,int,int,int)
_DrvDbSetDriverFileMappedProperty@28 proc near
					; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+157p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_C], ecx
		push	esi
		mov	[ebp+var_8], edx
		mov	ecx, [ebx+10h]
		mov	[ebp+arg_4], ecx
		cmp	ecx, 2
		jnz	short loc_A39F3A
		push	10h		; size_t
		push	offset _DEVPKEY_NODE ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A39F37
		mov	esi, 0C0000022h
		jmp	short loc_A39F6C
; 

loc_A39F37:				; CODE XREF: DrvDbSetDriverFileMappedProperty(x,x,x,x,x,x,x)+34j
		mov	ecx, [ebp+arg_4]

loc_A39F3A:				; CODE XREF: DrvDbSetDriverFileMappedProperty(x,x,x,x,x,x,x)+20j
		push	edi
		xor	edi, edi
		xor	esi, esi

loc_A39F3F:				; CODE XREF: DrvDbSetDriverFileMappedProperty(x,x,x,x,x,x,x)+6Aj
		mov	eax, ds:off_405034[esi]
		cmp	[eax+10h], ecx
		jnz	short loc_A39F5D
		push	10h		; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A39F74
		mov	ecx, [ebp+arg_4]

loc_A39F5D:				; CODE XREF: DrvDbSetDriverFileMappedProperty(x,x,x,x,x,x,x)+4Ej
		add	esi, 18h
		inc	edi
		cmp	esi, 30h
		jb	short loc_A39F3F

loc_A39F66:				; CODE XREF: DrvDbSetDriverFileMappedProperty(x,x,x,x,x,x,x)+83j
		mov	esi, 0C0000016h

loc_A39F6B:				; CODE XREF: DrvDbSetDriverFileMappedProperty(x,x,x,x,x,x,x)+96j
					; DrvDbSetDriverFileMappedProperty(x,x,x,x,x,x,x)+D3j ...
		pop	edi

loc_A39F6C:				; CODE XREF: DrvDbSetDriverFileMappedProperty(x,x,x,x,x,x,x)+3Bj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_A39F74:				; CODE XREF: DrvDbSetDriverFileMappedProperty(x,x,x,x,x,x,x)+5Ej
		imul	edi, 18h
		add	edi, offset off_405034
		jz	short loc_A39F66
		mov	ebx, [ebp+arg_8]
		cmp	ebx, [edi+4]
		jz	short loc_A39F92
		test	ebx, ebx
		jz	short loc_A39F92
		mov	esi, 0C000000Dh
		jmp	short loc_A39F6B
; 

loc_A39F92:				; CODE XREF: DrvDbSetDriverFileMappedProperty(x,x,x,x,x,x,x)+8Bj
					; DrvDbSetDriverFileMappedProperty(x,x,x,x,x,x,x)+8Fj
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_A39FBA
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_C]
		push	2
		push	[ebp+var_8]
		push	4
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A39FC9
		mov	edx, [ebp+var_4]

loc_A39FBA:				; CODE XREF: DrvDbSetDriverFileMappedProperty(x,x,x,x,x,x,x)+9Dj
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ebx
		push	edi
		call	_DrvDbSetRegValueMappedProperty@24 ; DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)
		mov	esi, eax

loc_A39FC9:				; CODE XREF: DrvDbSetDriverFileMappedProperty(x,x,x,x,x,x,x)+BBj
		cmp	[ebp+var_4], 0
		jz	short loc_A39F6B
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_A39F6B
_DrvDbSetDriverFileMappedProperty@28 endp

; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	DrvDbSetDriverInfFileMappedProperty(int,void *,int,int,int)
_DrvDbSetDriverInfFileMappedProperty@28	proc near
					; CODE XREF: DrvDbDispatchDriverInfFile+118638p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_C], ecx
		push	esi
		mov	[ebp+var_8], edx
		mov	ecx, [ebx+10h]
		mov	[ebp+arg_4], ecx
		cmp	ecx, 2
		jnz	short loc_A3A01B
		push	10h		; size_t
		push	offset _DEVPKEY_NODE ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A3A018
		mov	esi, 0C0000022h
		jmp	short loc_A3A04D
; 

loc_A3A018:				; CODE XREF: DrvDbSetDriverInfFileMappedProperty(x,x,x,x,x,x,x)+34j
		mov	ecx, [ebp+arg_4]

loc_A3A01B:				; CODE XREF: DrvDbSetDriverInfFileMappedProperty(x,x,x,x,x,x,x)+20j
		push	edi
		xor	edi, edi
		xor	esi, esi

loc_A3A020:				; CODE XREF: DrvDbSetDriverInfFileMappedProperty(x,x,x,x,x,x,x)+6Aj
		mov	eax, dword ptr ds:(loc_40166B+5)[esi]
		cmp	[eax+10h], ecx
		jnz	short loc_A3A03E
		push	10h		; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A3A055
		mov	ecx, [ebp+arg_4]

loc_A3A03E:				; CODE XREF: DrvDbSetDriverInfFileMappedProperty(x,x,x,x,x,x,x)+4Ej
		add	esi, 18h
		inc	edi
		cmp	esi, 60h
		jb	short loc_A3A020

loc_A3A047:				; CODE XREF: DrvDbSetDriverInfFileMappedProperty(x,x,x,x,x,x,x)+83j
		mov	esi, 0C0000016h

loc_A3A04C:				; CODE XREF: DrvDbSetDriverInfFileMappedProperty(x,x,x,x,x,x,x)+96j
					; DrvDbSetDriverInfFileMappedProperty(x,x,x,x,x,x,x)+D3j ...
		pop	edi

loc_A3A04D:				; CODE XREF: DrvDbSetDriverInfFileMappedProperty(x,x,x,x,x,x,x)+3Bj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_A3A055:				; CODE XREF: DrvDbSetDriverInfFileMappedProperty(x,x,x,x,x,x,x)+5Ej
		imul	edi, 18h
		add	edi, (offset loc_40166B+5)
		jz	short loc_A3A047
		mov	ebx, [ebp+arg_8]
		cmp	ebx, [edi+4]
		jz	short loc_A3A073
		test	ebx, ebx
		jz	short loc_A3A073
		mov	esi, 0C000000Dh
		jmp	short loc_A3A04C
; 

loc_A3A073:				; CODE XREF: DrvDbSetDriverInfFileMappedProperty(x,x,x,x,x,x,x)+8Bj
					; DrvDbSetDriverInfFileMappedProperty(x,x,x,x,x,x,x)+8Fj
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jnz	short loc_A3A09B
		xor	ecx, ecx
		lea	eax, [ebp+var_4]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_C]
		push	2
		push	[ebp+var_8]
		push	3
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	short loc_A3A0AA
		mov	edx, [ebp+var_4]

loc_A3A09B:				; CODE XREF: DrvDbSetDriverInfFileMappedProperty(x,x,x,x,x,x,x)+9Dj
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	ebx
		push	edi
		call	_DrvDbSetRegValueMappedProperty@24 ; DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)
		mov	esi, eax

loc_A3A0AA:				; CODE XREF: DrvDbSetDriverInfFileMappedProperty(x,x,x,x,x,x,x)+BBj
		cmp	[ebp+var_4], 0
		jz	short loc_A3A04C
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_A3A04C
_DrvDbSetDriverInfFileMappedProperty@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	DrvDbSetDriverPackageMappedProperty(int,void *,int,wchar_t *,int)
_DrvDbSetDriverPackageMappedProperty@28	proc near
					; CODE XREF: DrvDbDispatchDriverPackage+11AADEp
					; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+419p ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+30h+var_14], edx
		mov	esi, [ebx+10h]
		mov	[esp+30h+var_1C], ecx
		mov	[esp+30h+var_24], edi
		mov	[esp+30h+var_4], edi
		mov	[esp+30h+var_C], edi
		mov	[esp+30h+var_10], edi
		mov	[esp+30h+var_8], edi
		mov	[esp+30h+var_20], edi
		cmp	esi, 2
		jnz	short loc_A3A109
		push	10h		; size_t
		push	offset _DEVPKEY_NODE ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A3A186

loc_A3A109:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+39j
		cmp	esi, 12h
		jnz	short loc_A3A122
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_Configurable ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A3A186

loc_A3A122:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+52j
		cmp	esi, 1Dh
		jnz	short loc_A3A13B
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_Configurations ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A3A186

loc_A3A13B:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+6Bj
		cmp	esi, 1Eh
		jnz	short loc_A3A154
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_ConfigurationScopes ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A3A186

loc_A3A154:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+84j
		cmp	esi, 21h
		jnz	short loc_A3A16D
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_FamilyId ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A3A186

loc_A3A16D:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+9Dj
		cmp	esi, 28h
		jnz	short loc_A3A18D
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_Primitive	; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A3A18D

loc_A3A186:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+4Dj
					; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+66j ...
		mov	esi, 0C0000022h
		jmp	short loc_A3A1C7
; 

loc_A3A18D:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+B6j
					; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+CAj
		mov	eax, edi
		mov	[esp+30h+var_18], edi

loc_A3A193:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+106j
		mov	ecx, ds:off_401730[edi]
		cmp	[ecx+10h], esi
		jnz	short loc_A3A1B2
		push	10h		; size_t
		push	ebx		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_A3A1D2
		mov	eax, [esp+30h+var_18]

loc_A3A1B2:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+E2j
		inc	eax
		add	edi, 18h
		mov	[esp+30h+var_18], eax
		cmp	edi, 300h
		jb	short loc_A3A193

loc_A3A1C2:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+126j
		mov	esi, 0C0000016h

loc_A3A1C7:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+D1j
					; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+139j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
; 

loc_A3A1D2:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+F2j
		imul	eax, [esp+30h+var_18], arg_10
		add	eax, offset off_401730
		mov	[esp+30h+var_18], eax
		jz	short loc_A3A1C2
		mov	esi, [ebp+arg_8]
		cmp	esi, [eax+4]
		jz	short loc_A3A1F5
		test	esi, esi
		jz	short loc_A3A1F5
		mov	esi, 0C000000Dh
		jmp	short loc_A3A1C7
; 

loc_A3A1F5:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+12Ej
					; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+132j
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_A3A22A
		xor	ecx, ecx
		lea	eax, [esp+30h+var_24]
		push	ecx
		push	ecx
		push	eax
		push	ecx
		mov	ecx, [esp+40h+var_1C]
		xor	edx, edx
		push	3
		push	[esp+44h+var_14]
		push	2
		call	DrvDbOpenObjectRegKey
		mov	esi, eax
		test	esi, esi
		js	loc_A3A516
		mov	esi, [ebp+arg_8]
		mov	eax, [esp+30h+var_18]

loc_A3A22A:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+140j
		mov	eax, [eax+14h]
		test	eax, eax
		jz	loc_A3A325
		test	esi, esi
		jz	short loc_A3A248
		cmp	[ebp+arg_10], eax

loc_A3A23C:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+192j
		jz	short loc_A3A24E
		mov	esi, 0C0000001h
		jmp	loc_A3A516
; 

loc_A3A248:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+17Dj
		cmp	[ebp+arg_10], 0
		jmp	short loc_A3A23C
; 

loc_A3A24E:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x):loc_A3A23Cj
		push	30h
		pop	eax
		push	42444450h
		push	eax
		push	1
		mov	[esp+3Ch+var_14], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A3A272

loc_A3A268:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+3B8j
		mov	esi, 0C0000017h
		jmp	loc_A3A516
; 

loc_A3A272:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+1ACj
		mov	ecx, edi
		test	edi, edi
		jnz	short loc_A3A27C
		mov	ecx, [esp+30h+var_24]

loc_A3A27C:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+1BCj
		lea	eax, [esp+30h+var_14]
		mov	edx, offset ??_C@_1BA@LIACFDLB@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@NNGAKEGL@ ; "Version"
		push	eax
		push	ebx
		lea	eax, [esp+38h+var_C]
		push	eax
		call	_RegRtlQueryValue
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_A3A2AB
		push	30h		; size_t
		xor	esi, esi
		push	esi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_A3A2D5
; 

loc_A3A2AB:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+1DFj
		cmp	esi, 0C0000023h
		jnz	short loc_A3A2BD
		mov	esi, 0C00000E5h
		jmp	loc_A3A4FA
; 

loc_A3A2BD:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+1F7j
		test	esi, esi
		js	loc_A3A4FA
		cmp	[esp+30h+var_C], 3
		jnz	short loc_A3A31B
		cmp	[esp+30h+var_14], 30h
		jnz	short loc_A3A31B
		xor	esi, esi

loc_A3A2D5:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+1EFj
		mov	eax, [esp+30h+var_18]
		mov	ecx, [eax+14h]
		mov	eax, [eax+10h]
		add	eax, ebx
		cmp	[ebp+arg_8], 0
		push	ecx		; size_t
		jz	short loc_A3A2F3
		push	[ebp+arg_C]	; void *
		push	eax		; void *
		call	_memcpy
		jmp	short loc_A3A2FA
; 

loc_A3A2F3:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+22Cj
		push	esi		; int
		push	eax		; void *
		call	_memset

loc_A3A2FA:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+237j
		add	esp, 0Ch
		test	edi, edi
		jnz	short loc_A3A305
		mov	edi, [esp+30h+var_24]

loc_A3A305:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+245j
		push	30h
		push	ebx
		push	3
		mov	edx, offset ??_C@_1BA@LIACFDLB@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@NNGAKEGL@ ; "Version"
		mov	ecx, edi
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		jmp	loc_A3A4F8
; 

loc_A3A31B:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+210j
					; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+217j
		mov	esi, 0C0000001h
		jmp	loc_A3A4FA
; 

loc_A3A325:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+175j
		cmp	dword ptr [ebx+10h], 7
		jnz	loc_A3A3E5
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_SignerName ; void	*
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A3A3E5
		cmp	esi, 12h
		jnz	loc_A3A3E5
		cmp	[ebp+arg_10], 2
		jbe	loc_A3A3E5
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	loc_A3A3E5
		mov	eax, [ebp+arg_10]
		xor	edx, edx
		shr	eax, 1
		cmp	[ecx+eax*2-2], dx
		jnz	short loc_A3A3E5
		push	offset ??_C@_1CE@PEJPMNIN@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo@NNGAKEGL@ ; "Microsoft Windows"
		push	ecx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A3A3E5
		mov	eax, edi
		test	edi, edi
		jnz	short loc_A3A38E
		mov	eax, [esp+30h+var_24]

loc_A3A38E:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+2CEj
		mov	edx, [esp+30h+var_14]
		lea	ecx, [esp+30h+var_10]
		push	ecx		; void *
		mov	ecx, [esp+34h+var_1C]
		push	eax		; int
		call	_DrvDbGetDriverPackageSignerScore@16 ; DrvDbGetDriverPackageSignerScore(x,x,x,x)
		test	eax, eax
		js	loc_A3A4D8
		cmp	[esp+30h+var_10], 0D000003h
		jnz	loc_A3A4D8
		test	edi, edi
		jnz	short loc_A3A3BF
		mov	edi, [esp+30h+var_24]

loc_A3A3BF:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+2FFj
		mov	eax, [esp+30h+var_18]
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	ebx
		push	eax
		mov	edx, edi
		call	_DrvDbSetRegValueMappedProperty@24 ; DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000225h
		jnz	loc_A3A516
		mov	esi, ebx
		jmp	loc_A3A516
; 

loc_A3A3E5:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+26Fj
					; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+287j ...
		cmp	dword ptr [ebx+10h], 8
		jnz	loc_A3A4D8
		push	10h		; size_t
		push	offset _DEVPKEY_DriverPackage_SignerScore ; void *
		push	ebx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A3A4D8
		cmp	esi, 7
		jnz	loc_A3A52F
		cmp	[ebp+arg_10], 4
		mov	eax, [ebp+arg_C]
		jnz	loc_A3A4DB
		test	eax, eax
		jz	loc_A3A4DB
		cmp	dword ptr [eax], 0D000003h
		jnz	loc_A3A533
		mov	eax, edi
		test	edi, edi
		jnz	short loc_A3A43B
		mov	eax, [esp+30h+var_24]

loc_A3A43B:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+37Bj
		lea	ecx, [esp+30h+var_20]
		push	ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		call	_DrvDbGetDriverPackageSignerName@24 ; DrvDbGetDriverPackageSignerName(x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	loc_A3A4D8
		cmp	[esp+30h+var_20], 12h
		jnz	short loc_A3A4D8
		push	42444450h
		push	24h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[esp+30h+var_8], ebx
		test	ebx, ebx
		jz	loc_A3A268
		mov	eax, edi
		test	edi, edi
		jnz	short loc_A3A482
		mov	eax, [esp+30h+var_24]

loc_A3A482:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+3C2j
		lea	ecx, [esp+30h+var_20]
		push	ecx
		push	12h
		push	ebx
		push	eax
		call	_DrvDbGetDriverPackageSignerName@24 ; DrvDbGetDriverPackageSignerName(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A3A4D8
		mov	eax, [esp+30h+var_20]
		test	eax, eax
		jz	short loc_A3A4D8
		xor	edx, edx
		cmp	[ebx+eax*2-2], dx
		jnz	short loc_A3A4D8
		push	offset ??_C@_1CE@PEJPMNIN@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo@NNGAKEGL@ ; "Microsoft Windows"
		push	ebx		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A3A4D8
		mov	eax, edi
		test	edi, edi
		jnz	short loc_A3A4C0
		mov	eax, [esp+30h+var_24]

loc_A3A4C0:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+400j
		mov	edx, [esp+30h+var_14]
		xor	ebx, ebx
		mov	ecx, [esp+30h+var_1C]
		push	ebx		; int
		push	ebx		; wchar_t *
		push	ebx		; int
		push	offset _DEVPKEY_DriverPackage_SignerName ; void	*
		push	eax		; int
		call	_DrvDbSetDriverPackageMappedProperty@28	; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)

loc_A3A4D8:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+2E9j
					; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+2F7j ...
		mov	eax, [ebp+arg_C]

loc_A3A4DB:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+35Dj
					; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+365j
		test	edi, edi
		jnz	short loc_A3A4E3
		mov	edi, [esp+30h+var_24]

loc_A3A4E3:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+423j
		push	[ebp+arg_10]
		mov	edx, edi
		push	eax
		mov	eax, [esp+38h+var_18]
		push	esi
		push	eax
		call	_DrvDbSetRegValueMappedProperty@24 ; DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)
		mov	ebx, [esp+30h+var_4]

loc_A3A4F8:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+25Cj
		mov	esi, eax

loc_A3A4FA:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+1FEj
					; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+205j ...
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_A3A507
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3A507:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+444j
		mov	eax, [esp+30h+var_8]
		test	eax, eax
		jz	short loc_A3A516
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3A516:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+163j
					; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+189j ...
		cmp	[esp+30h+var_24], 0
		jz	loc_A3A1C7
		push	[esp+30h+var_24]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_A3A1C7
; 

loc_A3A52F:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+350j
		test	esi, esi
		jnz	short loc_A3A4D8

loc_A3A533:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+371j
		mov	eax, edi
		test	edi, edi
		jnz	short loc_A3A53D
		mov	eax, [esp+30h+var_24]

loc_A3A53D:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+47Dj
		mov	ebx, [esp+30h+var_14]
		lea	ecx, [esp+30h+var_10]
		push	ecx		; void *
		mov	ecx, [esp+34h+var_1C]
		mov	edx, ebx
		push	eax		; int
		call	_DrvDbGetDriverPackageSignerScore@16 ; DrvDbGetDriverPackageSignerScore(x,x,x,x)
		test	eax, eax
		js	short loc_A3A4D8
		cmp	[esp+30h+var_10], 0D000003h
		jnz	loc_A3A4D8
		mov	eax, edi
		test	edi, edi
		jnz	short loc_A3A56E
		mov	eax, [esp+30h+var_24]

loc_A3A56E:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+4AEj
		lea	ecx, [esp+30h+var_20]
		push	ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		call	_DrvDbGetDriverPackageSignerName@24 ; DrvDbGetDriverPackageSignerName(x,x,x,x,x,x)
		cmp	eax, 0C0000225h
		jnz	loc_A3A4D8
		mov	edx, edi
		test	edi, edi
		jnz	short loc_A3A592
		mov	edx, [esp+30h+var_24]

loc_A3A592:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+4D2j
		push	[ebp+arg_10]
		mov	eax, [esp+34h+var_18]
		push	[ebp+arg_C]
		push	esi
		push	eax
		call	_DrvDbSetRegValueMappedProperty@24 ; DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3A516
		test	edi, edi
		jnz	short loc_A3A5B5
		mov	edi, [esp+30h+var_24]

loc_A3A5B5:				; CODE XREF: DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)+4F5j
		mov	ecx, [esp+30h+var_1C]
		mov	edx, ebx
		push	24h		; int
		push	offset ??_C@_1CE@PEJPMNIN@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo@NNGAKEGL@ ; "Microsoft Windows"
		push	12h		; int
		push	offset _DEVPKEY_DriverPackage_SignerName ; void	*
		push	edi		; int
		call	_DrvDbSetDriverPackageMappedProperty@28	; DrvDbSetDriverPackageMappedProperty(x,x,x,x,x,x,x)
		xor	edx, edx
		mov	esi, edx
		jmp	loc_A3A516
_DrvDbSetDriverPackageMappedProperty@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbSetRegValueMappedProperty(x, x, x, x, x, x)
_DrvDbSetRegValueMappedProperty@24 proc	near
					; CODE XREF: DrvDbSetDeviceIdMappedProperty(x,x,x,x,x,x,x)+13Ap
					; DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)+493p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		test	eax, eax
		jz	short loc_A3A64A
		cmp	eax, 5
		jz	short loc_A3A620
		cmp	eax, 11h
		jz	short loc_A3A603
		mov	esi, [ebp+arg_8]
		mov	edi, [ebp+arg_C]
		jmp	short loc_A3A635
; 

loc_A3A603:				; CODE XREF: DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)+21j
		cmp	[ebp+arg_C], 1
		jz	short loc_A3A610

loc_A3A609:				; CODE XREF: DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)+4Cj
		mov	eax, 0C000000Dh
		jmp	short loc_A3A67A
; 

loc_A3A610:				; CODE XREF: DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)+2Fj
		mov	eax, [ebp+arg_8]
		xor	ecx, ecx
		cmp	byte ptr [eax],	0FFh
		setz	cl
		mov	[ebp+var_4], ecx
		jmp	short loc_A3A62F
; 

loc_A3A620:				; CODE XREF: DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)+1Cj
		cmp	[ebp+arg_C], 2
		jnz	short loc_A3A609
		mov	eax, [ebp+arg_8]
		movzx	eax, word ptr [eax]
		mov	[ebp+var_4], eax

loc_A3A62F:				; CODE XREF: DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)+46j
		push	4
		pop	edi
		lea	esi, [ebp+var_4]

loc_A3A635:				; CODE XREF: DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)+29j
		mov	eax, [ebp+arg_0]
		push	edi
		push	esi
		mov	ecx, [eax+0Ch]
		mov	edx, [eax+8]
		push	ecx
		mov	ecx, ebx
		call	__RegRtlSetValue@20 ; _RegRtlSetValue(x,x,x,x,x)
		jmp	short loc_A3A67A
; 

loc_A3A64A:				; CODE XREF: DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)+17j
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], ecx
		mov	eax, [eax+8]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_A3A66E
		lea	eax, [ebp+var_C]
		push	eax
		push	ebx
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_A3A66E:				; CODE XREF: DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)+8Aj
		cmp	eax, 0C0000034h
		jnz	short loc_A3A67A
		mov	eax, 0C0000225h

loc_A3A67A:				; CODE XREF: DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)+36j
					; DrvDbSetRegValueMappedProperty(x,x,x,x,x,x)+70j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_DrvDbSetRegValueMappedProperty@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall DrvDbSplitDeviceIdDriverInfMatch(wchar_t *,int,int,wchar_t *)
_DrvDbSplitDeviceIdDriverInfMatch@16 proc near
					; CODE XREF: PiDevCfgFindDeviceDriver(x,x,x)+210p
					; DrvDbSetDeviceIdDriverInfMatches(x,x,x,x)+1FEp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		push	5Ch
		pop	eax
		mov	edi, ecx
		mov	[ebp+var_C], edx
		push	eax		; wchar_t
		push	edi		; wchar_t *
		mov	[ebp+var_10], edi
		xor	ebx, ebx
		mov	[ebp+var_4], 0FFh
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_A3A748
		mov	esi, eax
		sub	esi, edi
		mov	edi, [ebp+arg_4]
		sar	esi, 1
		test	edi, edi
		jz	loc_A3A76B
		add	eax, 2
		push	5Ch		; wchar_t
		push	eax		; wchar_t *
		mov	[ebp+arg_4], eax
		call	_wcschr
		mov	[ebp+var_8], eax
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A3A6FE
		xor	ecx, ecx
		push	10h		; int
		mov	[eax], cx
		add	eax, 2
		push	ebx		; wchar_t **
		push	eax		; wchar_t *
		call	_wcstol
		mov	ecx, eax
		add	esp, 0Ch
		mov	eax, 0FFh
		mov	[ebp+var_4], ecx
		cmp	ecx, eax
		jbe	short loc_A3A6FE
		mov	[ebp+var_4], eax

loc_A3A6FE:				; CODE XREF: DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)+56j
					; DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)+78j
		mov	eax, [ebp+arg_4]
		cmp	word ptr [eax],	2Ah
		jnz	short loc_A3A70C
		mov	byte ptr [edi],	3
		jmp	short loc_A3A71F
; 

loc_A3A70C:				; CODE XREF: DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)+84j
		push	10h		; int
		push	ebx		; wchar_t **
		push	eax		; wchar_t *
		call	_wcstol
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A3A723
		mov	byte ptr [edi],	1

loc_A3A71F:				; CODE XREF: DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)+89j
		mov	eax, ebx
		jmp	short loc_A3A735
; 

loc_A3A723:				; CODE XREF: DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)+99j
		dec	eax
		mov	byte ptr [edi],	2
		mov	ecx, 0FFFFh
		cmp	eax, ecx
		jbe	short loc_A3A732
		mov	eax, ecx

loc_A3A732:				; CODE XREF: DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)+ADj
		movzx	eax, ax

loc_A3A735:				; CODE XREF: DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)+A0j
		mov	[edi+2], ax
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_A3A76B
		push	5Ch
		pop	ecx
		mov	[eax], cx
		jmp	short loc_A3A76B
; 

loc_A3A748:				; CODE XREF: DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)+2Aj
		mov	esi, edi
		lea	ecx, [esi+2]

loc_A3A74D:				; CODE XREF: DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)+D5j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, bx
		jnz	short loc_A3A74D
		mov	edi, [ebp+arg_4]
		sub	esi, ecx
		sar	esi, 1
		test	edi, edi
		jz	short loc_A3A76B
		xor	eax, eax
		mov	[edi], bl
		mov	[edi+2], ax

loc_A3A76B:				; CODE XREF: DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)+3Bj
					; DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)+BDj ...
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_A3A78D
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		push	900h
		push	ebx
		push	ebx
		push	esi
		push	[ebp+var_10]
		call	RtlStringCchCopyNExW
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A3A797

loc_A3A78D:				; CODE XREF: DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)+EFj
		test	edi, edi
		jz	short loc_A3A797
		mov	eax, [ebp+var_4]
		mov	[edi+1], al

loc_A3A797:				; CODE XREF: DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)+10Aj
					; DrvDbSplitDeviceIdDriverInfMatch(x,x,x,x)+10Ej
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_DrvDbSplitDeviceIdDriverInfMatch@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbValidateDeviceIdName(x, x)
_DrvDbValidateDeviceIdName@8 proc near	; CODE XREF: DrvDbDispatchDeviceId+AE866p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, 0C8h
		mov	ecx, edi
		call	_RtlStringCchLengthW@12	; RtlStringCchLengthW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A3A7EB
		push	5Ch		; wchar_t
		push	edi		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A3A7F0
		mov	ecx, eax
		add	eax, 2
		cmp	ecx, edi
		jz	short loc_A3A7EB
		cmp	word ptr [eax],	0
		jz	short loc_A3A7EB
		push	5Ch		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A3A7F0

loc_A3A7EB:				; CODE XREF: DrvDbValidateDeviceIdName(x,x)+1Ej
					; DrvDbValidateDeviceIdName(x,x)+35j ...
		mov	esi, 0C0000033h

loc_A3A7F0:				; CODE XREF: DrvDbValidateDeviceIdName(x,x)+2Cj
					; DrvDbValidateDeviceIdName(x,x)+49j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_DrvDbValidateDeviceIdName@8 endp


;  S U B	R O U T	I N E 


; __stdcall DrvDbValidateDriverDatabaseName(x, x)
_DrvDbValidateDriverDatabaseName@8 proc	near
					; CODE XREF: DrvDbDispatchDriverDatabase+11AFFDp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		xor	edi, edi
		push	40h
		pop	ebx
		cmp	[esi], bx
		jnz	short loc_A3A81E
		lea	eax, [esi+2]
		push	3Ah		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A3A81E
		inc	eax
		add	eax, 1
		jnz	short loc_A3A820

loc_A3A81E:				; CODE XREF: DrvDbValidateDriverDatabaseName(x,x)+Fj
					; DrvDbValidateDriverDatabaseName(x,x)+20j
		mov	eax, esi

loc_A3A820:				; CODE XREF: DrvDbValidateDriverDatabaseName(x,x)+26j
		cmp	eax, esi
		jnz	short loc_A3A837
		push	5Ch		; wchar_t
		push	esi		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A3A837
		cmp	[esi], bx
		jnz	short loc_A3A83C

loc_A3A837:				; CODE XREF: DrvDbValidateDriverDatabaseName(x,x)+2Cj
					; DrvDbValidateDriverDatabaseName(x,x)+3Aj
		mov	edi, 0C0000033h

loc_A3A83C:				; CODE XREF: DrvDbValidateDriverDatabaseName(x,x)+3Fj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_DrvDbValidateDriverDatabaseName@8 endp


;  S U B	R O U T	I N E 


; __stdcall DrvDbValidateDriverInfFileName(x, x)
_DrvDbValidateDriverInfFileName@8 proc near ; CODE XREF: DrvDbDispatchDriverInfFile+1185B0p
					; DrvDbDispatchDriverPackage+11AA56p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		xor	edi, edi
		cmp	word ptr [esi],	40h
		jnz	short loc_A3A867
		lea	eax, [esi+2]
		push	3Ah		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A3A867
		inc	eax
		add	eax, 1
		jnz	short loc_A3A869

loc_A3A867:				; CODE XREF: DrvDbValidateDriverInfFileName(x,x)+Cj
					; DrvDbValidateDriverInfFileName(x,x)+1Dj
		mov	eax, esi

loc_A3A869:				; CODE XREF: DrvDbValidateDriverInfFileName(x,x)+23j
		push	5Ch		; wchar_t
		push	eax		; wchar_t *
		call	_wcschr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A3A87C
		mov	edi, 0C0000033h

loc_A3A87C:				; CODE XREF: DrvDbValidateDriverInfFileName(x,x)+33j
		mov	eax, edi
		pop	edi
		pop	esi
		retn
_DrvDbValidateDriverInfFileName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbUnregisterDatabase(x, x)
_DrvDbUnregisterDatabase@8 proc	near	; CODE XREF: PiDrvDbRegisterNode+9E306p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		mov	esi, _PiDrvDbCtx
		mov	ecx, esi
		push	eax
		call	_DrvDbFindDatabaseNode@12 ; DrvDbFindDatabaseNode(x,x,x)
		test	eax, eax
		js	short loc_A3A8C1
		mov	edx, [ebp+var_4]
		test	byte ptr [edx+1Ch], 1
		jz	short loc_A3A8B1
		mov	eax, 0C000000Dh
		jmp	short loc_A3A8C1
; 

loc_A3A8B1:				; CODE XREF: DrvDbUnregisterDatabase(x,x)+27j
		cmp	[esi+18h], edx
		jnz	short loc_A3A8BA
		and	dword ptr [esi+18h], 0

loc_A3A8BA:				; CODE XREF: DrvDbUnregisterDatabase(x,x)+33j
		mov	ecx, esi
		call	_DrvDbDestroyDatabaseNode@8 ; DrvDbDestroyDatabaseNode(x,x)

loc_A3A8C1:				; CODE XREF: DrvDbUnregisterDatabase(x,x)+1Ej
					; DrvDbUnregisterDatabase(x,x)+2Ej
		pop	esi
		leave
		retn
_DrvDbUnregisterDatabase@8 endp


;  S U B	R O U T	I N E 


; __stdcall DrvDbDestroyDatabaseNode(x,	x)
_DrvDbDestroyDatabaseNode@8 proc near	; CODE XREF: DrvDbOpenContext+9C887p
					; DrvDbOpenDriverDatabaseRegKey+8A9BDp	...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		call	DrvDbUnloadDatabaseNode
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A3A919
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_A3A91E
		mov	edx, [esi+4]
		cmp	[edx], esi
		jnz	short loc_A3A91E
		mov	[edx], ecx
		push	edi
		mov	[ecx+4], edx
		mov	edi, [esi+4Ch]
		test	edi, edi
		jz	short loc_A3A8FE
		push	edi
		call	ExDeleteResourceLite
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3A8FE:				; CODE XREF: DrvDbDestroyDatabaseNode(x,x)+2Aj
		lea	eax, [esi+8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+14h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi

loc_A3A919:				; CODE XREF: DrvDbDestroyDatabaseNode(x,x)+Fj
		pop	esi
		mov	eax, ebx
		pop	ebx
		retn
; 

loc_A3A91E:				; CODE XREF: DrvDbDestroyDatabaseNode(x,x)+16j
					; DrvDbDestroyDatabaseNode(x,x)+1Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall DrvDbGetSecurityDescriptor()
_DrvDbGetSecurityDescriptor@0:		; CODE XREF: DrvDbLoadDatabaseNode:loc_8F13F0p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		xor	eax, eax
		mov	word ptr [ebp-18h], 500h
		push	esi
		push	edi
		mov	esi, eax
		mov	[ebp-1Ch], eax
		mov	[ebp-0Ch], eax
		lea	edi, [ebp-38h]
		mov	[ebp-24h], eax
		stosd
		push	42444450h
		push	0Ch
		push	1
		stosd
		mov	[ebp-14h], esi
		mov	word ptr [ebp-8], 300h
		mov	word ptr [ebp-20h], 100h
		stosd
		stosd
		stosd
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp-10h], ebx
		test	ebx, ebx
		jz	loc_A3AC1D
		xor	edi, edi
		lea	eax, [ebp-1Ch]
		inc	edi
		push	edi
		push	eax
		push	ebx
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_A3AC15
		push	esi
		push	ebx
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	ebx
		mov	dword ptr [eax], 12h
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_A3AC15
		push	42444450h
		push	0Ch
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp-4], esi
		test	esi, esi
		jz	loc_A3AC12
		push	edi
		lea	eax, [ebp-0Ch]
		push	eax
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_A3AC0A
		push	0
		push	esi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	esi
		mov	dword ptr [eax], 4
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_A3AC0A
		push	42444450h
		push	0Ch
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_A3AC07
		push	edi
		lea	eax, [ebp-24h]
		push	eax
		push	ebx
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_A3ABFF
		push	0
		push	ebx
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	ebx
		and	dword ptr [eax], 0
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_A3ABFF
		push	42444450h
		push	10h
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A3ABFF
		push	2
		lea	eax, [ebp-1Ch]
		push	eax
		push	edi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		test	eax, eax
		js	loc_A3ABF7
		push	0
		push	edi
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	1
		push	edi
		mov	dword ptr [eax], 20h
		call	_RtlSubAuthoritySid@8 ;	RtlSubAuthoritySid(x,x)
		push	edi
		mov	dword ptr [eax], 220h
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_A3ABF7
		push	ebx
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	dword ptr [ebp-4]
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	dword ptr [ebp-10h]
		add	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	esi, 20h
		add	eax, esi
		push	42444450h
		push	eax
		push	1
		mov	[ebp-1Ch], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp-0Ch], esi
		test	esi, esi
		jz	loc_A3ABF4
		push	2		; int
		push	dword ptr [ebp-1Ch] ; size_t
		push	esi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		test	eax, eax
		js	loc_A3ABE5
		push	0
		push	dword ptr [ebp-10h]
		mov	ecx, esi
		push	0F003Fh
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, [ebp-4]
		test	eax, eax
		js	loc_A3ABE8
		mov	ecx, [ebp-0Ch]
		push	0
		push	esi
		push	20000h
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_A3ABE8
		mov	ecx, [ebp-0Ch]
		push	0
		push	ebx
		push	20019h
		push	2
		push	2
		pop	edx
		call	RtlpAddKnownAce
		test	eax, eax
		js	loc_A3ABE8
		push	1
		lea	eax, [ebp-38h]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		js	loc_A3ABE8
		push	0
		push	dword ptr [ebp-0Ch]
		lea	eax, [ebp-38h]
		push	1
		push	eax
		call	RtlSetDaclSecurityDescriptor
		test	eax, eax
		js	loc_A3ABE8
		push	1
		push	edi
		lea	eax, [ebp-38h]
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		test	eax, eax
		js	short loc_A3ABE8
		push	1
		push	edi
		lea	eax, [ebp-38h]
		push	eax
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		test	eax, eax
		js	short loc_A3ABE8
		mov	eax, 1400h
		or	[ebp-36h], ax
		lea	eax, [ebp-38h]
		push	eax
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jz	short loc_A3ABE8
		lea	eax, [ebp-38h]
		push	eax
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	[ebp-1Ch], eax
		cmp	eax, 14h
		jb	short loc_A3ABE8
		push	42444450h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A3ABE5
		push	dword ptr [ebp-1Ch] ; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp-1Ch]
		push	eax
		push	esi
		lea	eax, [ebp-38h]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		test	eax, eax
		js	short loc_A3ABD9
		mov	[ebp-14h], esi
		xor	esi, esi

loc_A3ABD9:				; CODE XREF: DrvDbDestroyDatabaseNode(x,x)+30Ej
		test	esi, esi
		jz	short loc_A3ABE5
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3ABE5:				; CODE XREF: DrvDbDestroyDatabaseNode(x,x)+20Aj
					; DrvDbDestroyDatabaseNode(x,x)+2EEj ...
		mov	esi, [ebp-4]

loc_A3ABE8:				; CODE XREF: DrvDbDestroyDatabaseNode(x,x)+22Bj
					; DrvDbDestroyDatabaseNode(x,x)+248j ...
		push	0
		push	dword ptr [ebp-0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A3ABF7
; 

loc_A3ABF4:				; CODE XREF: DrvDbDestroyDatabaseNode(x,x)+1F7j
		mov	esi, [ebp-4]

loc_A3ABF7:				; CODE XREF: DrvDbDestroyDatabaseNode(x,x)+191j
					; DrvDbDestroyDatabaseNode(x,x)+1BBj ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3ABFF:				; CODE XREF: DrvDbDestroyDatabaseNode(x,x)+14Dj
					; DrvDbDestroyDatabaseNode(x,x)+166j ...
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3AC07:				; CODE XREF: DrvDbDestroyDatabaseNode(x,x)+13Aj
		mov	ebx, [ebp-10h]

loc_A3AC0A:				; CODE XREF: DrvDbDestroyDatabaseNode(x,x)+107j
					; DrvDbDestroyDatabaseNode(x,x)+123j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3AC12:				; CODE XREF: DrvDbDestroyDatabaseNode(x,x)+F4j
		mov	esi, [ebp-14h]

loc_A3AC15:				; CODE XREF: DrvDbDestroyDatabaseNode(x,x)+BFj
					; DrvDbDestroyDatabaseNode(x,x)+DAj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3AC1D:				; CODE XREF: DrvDbDestroyDatabaseNode(x,x)+A9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_DrvDbDestroyDatabaseNode@8 endp ; sp =	-4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbInitializeDatabaseNodeVersion(x, x)
_DrvDbInitializeDatabaseNodeVersion@8 proc near	; CODE XREF: DrvDbLoadDatabaseNode+1298C6p
					; DrvDbLoadDatabaseNode+129941p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	esi, esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], esi
		mov	ecx, esi
		mov	eax, [ebx]
		mov	edx, [edi+30h]
		test	eax, eax
		jz	short loc_A3AC44
		mov	ecx, [eax+74h]

loc_A3AC44:				; CODE XREF: DrvDbInitializeDatabaseNodeVersion(x,x)+1Bj
		lea	eax, [ebp+var_4]
		push	eax
		push	2
		push	esi
		push	esi
		call	__SysCtxRegOpenKey@24 ;	_SysCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A3AC93
		mov	edx, [edi+0Ch]	; wchar_t *
		lea	eax, [edi+20h]
		push	4		; int
		push	eax		; void *
		push	7		; int
		push	offset _DEVPKEY_DriverDatabase_Version ; void *
		push	[ebp+var_4]	; int
		mov	ecx, ebx	; int
		call	_DrvDbSetDriverDatabaseMappedProperty@28 ; DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A3AC93
		mov	edx, [edi+0Ch]	; wchar_t *
		lea	eax, [edi+24h]
		push	4		; int
		push	eax		; void *
		push	7		; int
		push	offset _DEVPKEY_DriverDatabase_SchemaVersion ; void *
		push	[ebp+var_4]	; int
		mov	ecx, ebx	; int
		call	_DrvDbSetDriverDatabaseMappedProperty@28 ; DrvDbSetDriverDatabaseMappedProperty(x,x,x,x,x,x,x)
		mov	esi, eax

loc_A3AC93:				; CODE XREF: DrvDbInitializeDatabaseNodeVersion(x,x)+31j
					; DrvDbInitializeDatabaseNodeVersion(x,x)+51j
		cmp	[ebp+var_4], 0
		jz	short loc_A3ACA1
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_A3ACA1:				; CODE XREF: DrvDbInitializeDatabaseNodeVersion(x,x)+73j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_DrvDbInitializeDatabaseNodeVersion@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DrvDbDispatchDriverFile(x, x, x, x,	x)
_DrvDbDispatchDriverFile@20 proc near	; DATA XREF: .text:00404C7Co

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		lea	eax, [ebp+var_4]
		and	[ebp+var_4], 0
		mov	edx, [ebp+arg_8]
		push	esi
		push	eax
		call	__PnpCtxGetObjectContext@12 ; _PnpCtxGetObjectContext(x,x,x)
		test	eax, eax
		js	loc_A3AE0D
		mov	ecx, [ebp+arg_C]
		push	ebx
		mov	ebx, [ebp+var_4]
		push	edi
		mov	edi, [ebp+arg_10]
		mov	eax, [ebx+8]
		test	eax, 10000000h
		jnz	short loc_A3AD08
		test	eax, eax
		jnz	short loc_A3ACED
		mov	eax, 0C0000467h
		jmp	loc_A3AE0B
; 

loc_A3ACED:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+39j
		cmp	ecx, 2
		jz	short loc_A3AD19
		jle	short loc_A3AD08
		cmp	ecx, 4
		jle	short loc_A3AD1F
		cmp	ecx, 6
		jle	short loc_A3AD26
		cmp	ecx, 8
		jz	short loc_A3AD26
		cmp	ecx, 9
		jz	short loc_A3AD1F

loc_A3AD08:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+35j
					; DrvDbDispatchDriverFile(x,x,x,x,x)+4Aj ...
		dec	ecx
		cmp	ecx, 8		; switch 9 cases
		ja	loc_A3AE06	; default
		jmp	ds:off_A3AE14[ecx*4] ; switch jump
; 

loc_A3AD19:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+48j
		cmp	byte ptr [edi+4], 0
		jz	short loc_A3AD26

loc_A3AD1F:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+4Fj
					; DrvDbDispatchDriverFile(x,x,x,x,x)+5Ej
		shr	eax, 1Eh
		and	al, 1
		jmp	short loc_A3AD29
; 

loc_A3AD26:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+54j
					; DrvDbDispatchDriverFile(x,x,x,x,x)+59j ...
		shr	eax, 1Fh

loc_A3AD29:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+7Cj
		test	al, al
		jnz	short loc_A3AD08
		mov	eax, 0C0000022h
		jmp	loc_A3AE0B
; 

loc_A3AD37:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_A3AE14o
		mov	edx, [ebp+arg_4] ; case	0x0
		call	_DrvDbValidateDriverInfFileName@8 ; DrvDbValidateDriverInfFileName(x,x)
		jmp	loc_A3AE0B
; 

loc_A3AD44:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_A3AE14o
		mov	al, [edi+4]	; case 0x1
		mov	esi, [edi+8]
		mov	edx, [edi]
		mov	byte ptr [ebp+arg_8], al
		push	0
		lea	eax, [edi+0Ch]
		mov	ecx, ebx
		push	eax
		push	esi
		push	[ebp+arg_8]
		push	edx
		push	[ebp+arg_4]
		xor	edx, edx
		push	4
		call	DrvDbOpenObjectRegKey
		jmp	loc_A3AE0B
; 

loc_A3AD6D:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_A3AE14o
		mov	edx, [ebp+arg_4] ; case	0x2
		lea	eax, [edi+8]
		push	eax
		lea	eax, [edi+4]
		mov	ecx, ebx
		push	eax
		push	dword ptr [edi]
		call	_DrvDbCreateDriverFile@20 ; DrvDbCreateDriverFile(x,x,x,x,x)
		jmp	loc_A3AE0B
; 

loc_A3AD86:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_A3AE14o
		push	0		; case 0x3
		push	[ebp+arg_4]
		mov	ecx, ebx
		push	4
		pop	edx
		call	_DrvDbDeleteObjectRegKey@16 ; DrvDbDeleteObjectRegKey(x,x,x,x)
		jmp	short loc_A3AE0B
; 

loc_A3AD97:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_A3AE14o
		mov	eax, [edi+10h]	; case 0x4
		mov	ecx, [edi+0Ch]
		mov	edx, [edi+8]
		mov	esi, [edi+4]
		mov	edi, [edi]
		push	0
		push	eax
		push	ecx
		push	edx
		push	esi
		push	edi
		push	4
		pop	edx
		mov	ecx, ebx
		call	_DrvDbGetObjectList@32 ; DrvDbGetObjectList(x,x,x,x,x,x,x,x)
		jmp	short loc_A3AE0B
; 

loc_A3ADB8:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_A3AE14o
		push	dword ptr [edi+14h] ; case 0x5
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		push	dword ptr [edi+10h]
		push	dword ptr [edi+0Ch]
		push	dword ptr [edi]
		call	_DrvDbGetDriverFileMappedPropertyKeys@24 ; DrvDbGetDriverFileMappedPropertyKeys(x,x,x,x,x,x)
		jmp	short loc_A3AE0B
; 

loc_A3ADCF:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_A3AE14o
		push	dword ptr [edi+18h] ; case 0x7
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		push	dword ptr [edi+14h] ; int
		push	dword ptr [edi+10h] ; int
		push	dword ptr [edi+0Ch] ; int
		push	dword ptr [edi+8] ; void *
		push	dword ptr [edi]	; int
		call	_DrvDbGetDriverFileMappedProperty@32 ; DrvDbGetDriverFileMappedProperty(x,x,x,x,x,x,x,x)
		jmp	short loc_A3AE0B
; 

loc_A3ADEC:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+6Aj
					; DATA XREF: PAGE:off_A3AE14o
		push	dword ptr [edi+14h] ; case 0x8
		mov	edx, [ebp+arg_4]
		mov	ecx, ebx
		push	dword ptr [edi+10h] ; int
		push	dword ptr [edi+0Ch] ; int
		push	dword ptr [edi+8] ; void *
		push	dword ptr [edi]	; int
		call	_DrvDbSetDriverFileMappedProperty@28 ; DrvDbSetDriverFileMappedProperty(x,x,x,x,x,x,x)
		jmp	short loc_A3AE0B
; 

loc_A3AE06:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+64j
					; DrvDbDispatchDriverFile(x,x,x,x,x)+6Aj
					; DATA XREF: ...
		mov	eax, 0C000000Dh	; default

loc_A3AE0B:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+40j
					; DrvDbDispatchDriverFile(x,x,x,x,x)+8Aj ...
		pop	edi
		pop	ebx

loc_A3AE0D:				; CODE XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+1Cj
		pop	esi
		leave
		retn	14h
_DrvDbDispatchDriverFile@20 endp

; 
		align 4
off_A3AE14	dd offset loc_A3AD37	; DATA XREF: DrvDbDispatchDriverFile(x,x,x,x,x)+6Ar
		dd offset loc_A3AD44	; jump table for switch	statement
		dd offset loc_A3AD6D
		dd offset loc_A3AD86
		dd offset loc_A3AD97
		dd offset loc_A3ADB8
		dd offset loc_A3AE06
		dd offset loc_A3ADCF
		dd offset loc_A3ADEC

;  S U B	R O U T	I N E 


; __stdcall CompareFileTimeType(x, x)
_CompareFileTimeType@8 proc near	; CODE XREF: PropertyEval+11AF8Cp
					; PropertyEval+11AF9Ep	...
		mov	eax, [ecx]
		push	esi
		mov	esi, [ecx+4]
		mov	ecx, [edx]
		mov	edx, [edx+4]
		cmp	esi, edx
		ja	short loc_A3AE5C
		jb	short loc_A3AE4D
		cmp	eax, ecx
		jnb	short loc_A3AE52

loc_A3AE4D:				; CODE XREF: CompareFileTimeType(x,x)+Fj
		or	eax, 0FFFFFFFFh
		pop	esi
		retn
; 

loc_A3AE52:				; CODE XREF: CompareFileTimeType(x,x)+13j
		cmp	esi, edx
		jb	short loc_A3AE61
		ja	short loc_A3AE5C
		cmp	eax, ecx
		jbe	short loc_A3AE61

loc_A3AE5C:				; CODE XREF: CompareFileTimeType(x,x)+Dj
					; CompareFileTimeType(x,x)+1Ej
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_A3AE61:				; CODE XREF: CompareFileTimeType(x,x)+1Cj
					; CompareFileTimeType(x,x)+22j
		xor	eax, eax
		pop	esi
		retn
_CompareFileTimeType@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ConvertDevpropcompkeyToString(size_t,int)
_ConvertDevpropcompkeyToString@16 proc near
					; CODE XREF: PnpConvertDevpropcompkeyArrayToString(x,x,x,x,x)+41p
					; ConvertDevpropertyToString(x,x,x,x)+38p

var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, edx
		xor	ecx, ecx
		mov	[ebp+var_C], eax
		cmp	[ebp+arg_0], 2
		mov	[ebp+var_4], ecx
		mov	[ebp+var_14], ecx
		mov	dword ptr [ebp+var_10],	ecx
		jb	short loc_A3AE8A
		mov	[eax], cx

loc_A3AE8A:				; CODE XREF: ConvertDevpropcompkeyToString(x,x,x,x)+20j
		push	1
		lea	edx, [ebp+var_14]
		mov	ecx, edi
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3AF45
		mov	esi, [edi+14h]
		movzx	eax, word ptr [ebp+var_14]
		push	ebx
		test	esi, esi
		jnz	short loc_A3AEB0
		push	30h
		jmp	short loc_A3AEBB
; 

loc_A3AEB0:				; CODE XREF: ConvertDevpropcompkeyToString(x,x,x,x)+45j
		cmp	esi, 1
		jnz	loc_A3AF3F
		push	2Ch

loc_A3AEBB:				; CODE XREF: ConvertDevpropcompkeyToString(x,x,x,x)+49j
		mov	ecx, [edi+18h]
		pop	ebx
		test	ecx, ecx
		jz	short loc_A3AEE4
		mov	edx, ecx
		lea	eax, [edx+2]
		mov	[ebp+var_8], eax

loc_A3AECB:				; CODE XREF: ConvertDevpropcompkeyToString(x,x,x,x)+70j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_4]
		jnz	short loc_A3AECB
		sub	edx, [ebp+var_8]
		movzx	eax, word ptr [ebp+var_14]
		sar	edx, 1
		add	edx, edx
		jmp	short loc_A3AEE7
; 

loc_A3AEE4:				; CODE XREF: ConvertDevpropcompkeyToString(x,x,x,x)+5Cj
		push	0Ch
		pop	edx

loc_A3AEE7:				; CODE XREF: ConvertDevpropcompkeyToString(x,x,x,x)+7Dj
		add	eax, ebx
		add	eax, edx
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_A3AEF4
		mov	[edx], eax

loc_A3AEF4:				; CODE XREF: ConvertDevpropcompkeyToString(x,x,x,x)+8Bj
		cmp	eax, [ebp+arg_0]
		ja	short loc_A3AF38
		test	ecx, ecx
		jnz	short loc_A3AF02
		mov	ecx, offset ??_C@_1O@INIEDEDF@?$AA?$CI?$AAN?$AAU?$AAL?$AAL?$AA?$CJ@NNGAKEGL@

loc_A3AF02:				; CODE XREF: ConvertDevpropcompkeyToString(x,x,x,x)+96j
		mov	eax, offset ??_C@_1O@GINMMDNN@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm@NNGAKEGL@
		test	esi, esi
		jz	short loc_A3AF10
		mov	eax, offset ??_C@_19PIJILKAI@?$AAU?$AAs?$AAe?$AAr@NNGAKEGL@

loc_A3AF10:				; CODE XREF: ConvertDevpropcompkeyToString(x,x,x,x)+A4j
		push	ecx
		push	eax
		push	dword ptr [edi+10h]
		xor	eax, eax
		push	dword ptr [ebp+var_10] ; char
		push	offset ??_C@_1CC@CKHDNODK@?$AA?$FL?$AA?$CI?$AA?$CF?$AAs?$AA?5?$AA?$CF?$AA3?$AAd?$AA?$CJ?$AA?5?$AA?$CF?$AAs?$AA?5?$AA?$CF?$AAs@NNGAKEGL@	; wchar_t *
		push	800h		; int
		push	eax		; int
		push	eax		; int
		push	[ebp+arg_0]	; size_t
		push	[ebp+var_C]	; int
		call	RtlStringCbPrintfExW
		add	esp, 28h
		mov	esi, eax
		jmp	short loc_A3AF44
; 

loc_A3AF38:				; CODE XREF: ConvertDevpropcompkeyToString(x,x,x,x)+92j
		mov	esi, 0C0000023h
		jmp	short loc_A3AF44
; 

loc_A3AF3F:				; CODE XREF: ConvertDevpropcompkeyToString(x,x,x,x)+4Ej
		mov	esi, 0C000000Dh

loc_A3AF44:				; CODE XREF: ConvertDevpropcompkeyToString(x,x,x,x)+D1j
					; ConvertDevpropcompkeyToString(x,x,x,x)+D8j
		pop	ebx

loc_A3AF45:				; CODE XREF: ConvertDevpropcompkeyToString(x,x,x,x)+35j
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn	8
_ConvertDevpropcompkeyToString@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ConvertDevpropertyToString(int,size_t,int,int)
_ConvertDevpropertyToString@16 proc near
					; CODE XREF: ExpressionConvertToString(x,x,x,x)+2C2p

var_48		= qword	ptr -48h
var_34		= byte ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_14], ecx
		xor	eax, eax
		mov	[ebp+var_4], ebx
		mov	[ebp+var_10], eax
		mov	[ebp+var_18], eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		cmp	ebx, 2
		jb	short loc_A3AF7C
		mov	[esi], ax

loc_A3AF7C:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+21j
		lea	eax, [ebp+var_18]
		mov	[ebp+var_8], esi
		push	eax		; int
		mov	edi, ebx
		mov	edx, esi
		push	ebx		; size_t
		mov	[ebp+var_1C], edi
		mov	[ebp+var_C], edi
		call	_ConvertDevpropcompkeyToString@16 ; ConvertDevpropcompkeyToString(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jns	short loc_A3AFA5
		cmp	edx, 0C0000023h
		jnz	loc_A3B1E1

loc_A3AFA5:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+41j
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		lea	eax, [ecx-2]
		cmp	ebx, eax
		jb	short loc_A3AFC7
		sub	edi, ecx
		add	edi, 2
		shr	eax, 1
		mov	[ebp+var_1C], edi
		mov	[ebp+var_C], edi
		lea	esi, [esi+eax*2]
		mov	[ebp+arg_0], esi
		mov	[ebp+var_8], esi

loc_A3AFC7:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+59j
		mov	eax, [ebp+var_14]
		mov	ecx, 1003h
		mov	eax, [eax+1Ch]
		cmp	eax, ecx
		ja	loc_A3B0D4
		jz	loc_A3B0CD
		cmp	eax, 19h	; switch 26 cases
		ja	loc_A3B0E2	; default
		jmp	ds:off_A3B466[eax*4] ; switch jump

loc_A3AFF0:				; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1M@DDJCIMGP@?$AAE?$AAM?$AAP?$AAT?$AAY@NNGAKEGL@ ; case 0x0
		jmp	loc_A3B0F8
; 

loc_A3AFFA:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_19CIJIHAKK@?$AAN?$AAU?$AAL?$AAL@NNGAKEGL@ ; case 0x1
		jmp	loc_A3B0F8
; 

loc_A3B004:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1M@CEDMGMPC@?$AAS?$AAB?$AAY?$AAT?$AAE@NNGAKEGL@ ; case 0x2
		jmp	loc_A3B0F8
; 

loc_A3B00E:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_19PHIGEKBH@?$AAB?$AAY?$AAT?$AAE@NNGAKEGL@ ; case 0x3
		jmp	loc_A3B0F8
; 

loc_A3B018:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1M@GCJJANKL@?$AAI?$AAN?$AAT?$AA1?$AA6@NNGAKEGL@ ; case 0x4
		jmp	loc_A3B0F8
; 

loc_A3B022:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1O@GLFPBHPD@?$AAU?$AAI?$AAN?$AAT?$AA1?$AA6@NNGAKEGL@ ; case 0x5
		jmp	loc_A3B0F8
; 

loc_A3B02C:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1M@KADDDLPH@?$AAI?$AAN?$AAT?$AA3?$AA2@NNGAKEGL@ ; case 0x6
		jmp	loc_A3B0F8
; 

loc_A3B036:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1O@KJPFCBKP@?$AAU?$AAI?$AAN?$AAT?$AA3?$AA2@NNGAKEGL@ ; case 0x7
		jmp	loc_A3B0F8
; 

loc_A3B040:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1M@NFJFPFJI@?$AAI?$AAN?$AAT?$AA6?$AA4@NNGAKEGL@ ; case 0x8
		jmp	loc_A3B0F8
; 

loc_A3B04A:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1O@NMFDOPMA@?$AAU?$AAI?$AAN?$AAT?$AA6?$AA4@NNGAKEGL@ ; case 0x9
		jmp	loc_A3B0F8
; 

loc_A3B054:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1M@KPCEFNND@?$AAF?$AAL?$AAO?$AAA?$AAT@NNGAKEGL@ ; case 0xA
		jmp	loc_A3B0F8
; 

loc_A3B05E:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1O@NEHDDMNH@?$AAD?$AAO?$AAU?$AAB?$AAL?$AAE@NNGAKEGL@ ; case 0xB
		jmp	loc_A3B0F8
; 

loc_A3B068:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1BA@KOBNDHFB@?$AAD?$AAE?$AAC?$AAI?$AAM?$AAA?$AAL@NNGAKEGL@ ; case 0xC
		jmp	loc_A3B0F8
; 

loc_A3B072:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_19EBPEOCDM@?$AAG?$AAU?$AAI?$AAD@NNGAKEGL@ ; case 0xD
		jmp	short loc_A3B0F8
; 

loc_A3B079:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1BC@BHIHGHLA@?$AAC?$AAU?$AAR?$AAR?$AAE?$AAN?$AAC?$AAY@NNGAKEGL@ ; case 0xE
		jmp	short loc_A3B0F8
; 

loc_A3B080:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_19FFMGBAMO@?$AAD?$AAA?$AAT?$AAE@NNGAKEGL@ ; case 0xF
		jmp	short loc_A3B0F8
; 

loc_A3B087:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1BC@IFLNOMAG@?$AAF?$AAI?$AAL?$AAE?$AAT?$AAI?$AAM?$AAE@NNGAKEGL@ ; case 0x10
		jmp	short loc_A3B0F8
; 

loc_A3B08E:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1BA@LFHENBNF@?$AAB?$AAO?$AAO?$AAL?$AAE?$AAA?$AAN@NNGAKEGL@ ; case 0x11
		jmp	short loc_A3B0F8
; 

loc_A3B095:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1O@PCPBINCG@?$AAS?$AAT?$AAR?$AAI?$AAN?$AAG@NNGAKEGL@ ; case 0x12
		jmp	short loc_A3B0F8
; 

loc_A3B09C:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1CI@KFCNFMPF@?$AAS?$AAE?$AAC?$AAU?$AAR?$AAI?$AAT?$AAY?$AA_?$AAD?$AAE?$AAS?$AAC?$AAR?$AAI@NNGAKEGL@ ; case 0x13
		jmp	short loc_A3B0F8
; 

loc_A3B0A3:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1DG@OCDNNEBM@?$AAS?$AAE?$AAC?$AAU?$AAR?$AAI?$AAT?$AAY?$AA_?$AAD?$AAE?$AAS?$AAC?$AAR?$AAI@NNGAKEGL@ ; case 0x14
		jmp	short loc_A3B0F8
; 

loc_A3B0AA:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1BG@CNKBHCPN@?$AAD?$AAE?$AAV?$AAP?$AAR?$AAO?$AAP?$AAK?$AAE?$AAY@NNGAKEGL@ ; case 0x15
		jmp	short loc_A3B0F8
; 

loc_A3B0B1:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1BI@GJGNKFIH@?$AAD?$AAE?$AAV?$AAP?$AAR?$AAO?$AAP?$AAT?$AAY?$AAP?$AAE@NNGAKEGL@ ; case	0x16
		jmp	short loc_A3B0F8
; 

loc_A3B0B8:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1M@BJACCECO@?$AAE?$AAR?$AAR?$AAO?$AAR@NNGAKEGL@ ; case 0x17
		jmp	short loc_A3B0F8
; 

loc_A3B0BF:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1BC@GGNEPBCH@?$AAN?$AAT?$AAS?$AAT?$AAA?$AAT?$AAU?$AAS@NNGAKEGL@ ; case 0x18
		jmp	short loc_A3B0F8
; 

loc_A3B0C6:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+93j
					; DATA XREF: PAGE:off_A3B466o
		mov	ecx, offset ??_C@_1CA@DHJFKEDL@?$AAS?$AAT?$AAR?$AAI?$AAN?$AAG?$AA_?$AAI?$AAN?$AAD?$AAI?$AAR?$AAE?$AAC?$AAT@NNGAKEGL@ ; case 0x19
		jmp	short loc_A3B0F8
; 

loc_A3B0CD:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+84j
		mov	ecx, offset ??_C@_1O@LBFOCELB@?$AAB?$AAI?$AAN?$AAA?$AAR?$AAY@NNGAKEGL@
		jmp	short loc_A3B0F8
; 

loc_A3B0D4:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+7Ej
		cmp	eax, 100Dh
		jz	short loc_A3B0F3
		cmp	eax, 2012h
		jz	short loc_A3B0EC

loc_A3B0E2:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+8Dj
					; ConvertDevpropertyToString(x,x,x,x)+23Fj
					; DATA XREF: ...
		mov	edx, 0C000000Dh	; default
		jmp	loc_A3B1E1
; 

loc_A3B0EC:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+18Aj
		mov	ecx, offset ??_C@_1BI@CHLHLCJC@?$AAS?$AAT?$AAR?$AAI?$AAN?$AAG?$AA_?$AAL?$AAI?$AAS?$AAT@NNGAKEGL@
		jmp	short loc_A3B0F8
; 

loc_A3B0F3:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+183j
		mov	ecx, offset ??_C@_1BG@LMIOOFJP@?$AAG?$AAU?$AAI?$AAD?$AA_?$AAA?$AAR?$AAR?$AAA?$AAY@NNGAKEGL@ ; "GUID_ARRAY"

loc_A3B0F8:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+9Fj
					; ConvertDevpropertyToString(x,x,x,x)+A9j ...
		mov	esi, ecx
		xor	ebx, ebx
		lea	eax, [esi+2]
		mov	[ebp+var_24], eax

loc_A3B102:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+1B5j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, bx
		jnz	short loc_A3B102
		mov	eax, esi
		mov	[ebp+var_20], esi
		sub	eax, [ebp+var_24]
		mov	esi, [ebp+var_18]
		sar	eax, 1
		lea	ebx, [esi+eax*2]
		mov	esi, [ebp+arg_0]
		cmp	ebx, [ebp+var_4]
		ja	short loc_A3B152
		push	400h
		lea	eax, [ebp+var_C]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		mov	ecx, esi
		call	RtlStringCbCopyExW
		mov	edx, eax
		test	edx, edx
		js	loc_A3B1E1
		mov	ecx, [ebp+var_8]
		mov	edi, [ebp+var_C]
		mov	[ebp+arg_0], ecx
		mov	[ebp+var_1C], edi

loc_A3B152:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+1CDj
		mov	esi, [ebp+var_14]
		xor	eax, eax
		cmp	[esi+20h], eax
		jbe	short loc_A3B1CC
		mov	esi, [esi+24h]
		test	esi, esi
		jz	short loc_A3B1CC
		mov	ecx, [ebp+var_14]
		mov	ecx, [ecx+1Ch]
		cmp	ecx, 1003h
		mov	[ebp+var_18], ecx
		mov	ecx, [ebp+arg_0]
		ja	loc_A3B2F0
		mov	eax, [ebp+var_18]
		cmp	eax, 1003h
		jz	short loc_A3B1CC
		cmp	eax, 19h
		ja	loc_A3B30A
		movzx	eax, ds:byte_A3B4F6[eax]
		jmp	ds:off_A3B4CE[eax*4] ; default

loc_A3B19C:				; DATA XREF: PAGE:00A3B4D2o
		mov	eax, [ebp+var_4]
		add	ebx, 0Ch
		cmp	ebx, eax
		ja	short loc_A3B1CF
		movzx	eax, byte ptr [esi]
		push	eax		; char
		push	offset ??_C@_1BC@NGHIGKIN@?$AA?$CI?$AA0?$AAx?$AA?$CF?$AA?4?$AA2?$AAx?$AA?$CJ@NNGAKEGL@ ; wchar_t *

loc_A3B1AF:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+2A7j
					; ConvertDevpropertyToString(x,x,x,x)+2BAj ...
		push	400h		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	edi		; size_t
		push	ecx		; int
		call	RtlStringCbPrintfExW
		add	esp, 1Ch

loc_A3B1C6:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+2E7j
					; ConvertDevpropertyToString(x,x,x,x)+35Bj
		mov	edx, eax
		test	edx, edx
		js	short loc_A3B1E1

loc_A3B1CC:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+204j
					; ConvertDevpropertyToString(x,x,x,x)+20Bj ...
		mov	eax, [ebp+var_4]

loc_A3B1CF:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+24Ej
					; ConvertDevpropertyToString(x,x,x,x)+29Cj ...
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_A3B1D8
		mov	[ecx], ebx

loc_A3B1D8:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+27Ej
		cmp	ebx, eax
		jbe	short loc_A3B1E1
		mov	edx, 0C0000023h

loc_A3B1E1:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+49j
					; ConvertDevpropertyToString(x,x,x,x)+191j ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	8
; 

loc_A3B1EA:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+23Fj
					; DATA XREF: PAGE:00A3B4D6o
		mov	eax, [ebp+var_4]
		add	ebx, 10h
		cmp	ebx, eax
		ja	short loc_A3B1CF
		movsx	eax, word ptr [esi]
		push	eax
		push	offset ??_C@_1BC@BABHGDAK@?$AA?$CI?$AA0?$AAx?$AA?$CF?$AA?4?$AA4?$AAx?$AA?$CJ@NNGAKEGL@
		jmp	short loc_A3B1AF
; 

loc_A3B1FF:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+23Fj
					; DATA XREF: PAGE:00A3B4DAo
		mov	eax, [ebp+var_4]
		add	ebx, 18h
		cmp	ebx, eax
		ja	short loc_A3B1CF
		push	dword ptr [esi]
		push	offset ??_C@_1BC@EHLIHGEF@?$AA?$CI?$AA0?$AAx?$AA?$CF?$AA?4?$AA8?$AAx?$AA?$CJ@NNGAKEGL@
		jmp	short loc_A3B1AF
; 

loc_A3B212:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+23Fj
					; DATA XREF: PAGE:00A3B4DEo
		mov	eax, [ebp+var_4]
		add	ebx, 28h
		cmp	ebx, eax
		ja	short loc_A3B1CF
		push	dword ptr [esi+4]
		push	dword ptr [esi]	; char
		push	offset ??_C@_1BK@NDKFDMJO@?$AA?$CI?$AA0?$AAx?$AA?$CF?$AA?4?$AA1?$AA6?$AAI?$AA6?$AA4?$AAx?$AA?$CJ@NNGAKEGL@ ; "(0x%.16I64x)"

loc_A3B226:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+309j
		push	400h		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	edi		; size_t
		push	ecx		; int
		call	RtlStringCbPrintfExW
		add	esp, 20h
		jmp	short loc_A3B1C6
; 

loc_A3B23F:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+23Fj
					; DATA XREF: PAGE:00A3B4E2o
		mov	eax, [ebp+var_4]
		add	ebx, 20h
		cmp	ebx, eax
		ja	short loc_A3B1CF
		cmp	[ebp+var_18], 0Ah
		jnz	short loc_A3B253
		fld	dword ptr [esi]
		jmp	short loc_A3B255
; 

loc_A3B253:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+2F7j
		fld	qword ptr [esi]

loc_A3B255:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+2FBj
		push	ecx
		push	ecx
		fstp	[esp+48h+var_48]
		push	offset ??_C@_1O@MHNOFLPK@?$AA?$CI?$AA?$CF?$AA?4?$AA6?$AAe?$AA?$CJ@NNGAKEGL@
		jmp	short loc_A3B226
; 

loc_A3B261:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+23Fj
					; DATA XREF: PAGE:00A3B4EEo
		cmp	byte ptr [esi],	0FFh
		mov	eax, offset ??_C@_1O@MNIMFBBJ@?$AA?$CI?$AAT?$AAR?$AAU?$AAE?$AA?$CJ@NNGAKEGL@
		jz	short loc_A3B270
		mov	eax, offset ??_C@_1BA@LIFFHPCA@?$AA?$CI?$AAF?$AAA?$AAL?$AAS?$AAE?$AA?$CJ@NNGAKEGL@

loc_A3B270:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+313j
		mov	esi, eax
		mov	[ebp+arg_0], eax
		lea	eax, [esi+2]
		mov	[ebp+var_24], eax

loc_A3B27B:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+32Fj
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, word ptr [ebp+var_10]
		jnz	short loc_A3B27B
		sub	esi, [ebp+var_24]
		mov	eax, [ebp+var_4]
		sar	esi, 1
		lea	ebx, [ebx+esi*2]
		cmp	ebx, eax
		ja	loc_A3B1CF
		push	400h
		lea	eax, [ebp+var_C]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+arg_0]
		call	RtlStringCbCopyExW
		jmp	loc_A3B1C6
; 

loc_A3B2B6:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+23Fj
					; DATA XREF: PAGE:00A3B4F2o
		mov	ecx, esi
		lea	eax, [ecx+2]
		mov	[ebp+var_20], eax

loc_A3B2BE:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+372j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_10]
		jnz	short loc_A3B2BE
		mov	eax, ecx
		mov	[ebp+var_24], ecx
		sub	eax, [ebp+var_20]
		mov	ecx, [ebp+arg_0]
		sar	eax, 1
		lea	ebx, [ebx+eax*2]
		mov	eax, [ebp+var_4]
		cmp	ebx, eax
		ja	loc_A3B1CF
		push	esi
		push	offset ??_C@_19KBOFCHEE@?$AA?$CI?$AA?$CF?$AAs?$AA?$CJ@NNGAKEGL@	; "(%s)"
		jmp	loc_A3B1AF
; 

loc_A3B2F0:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+21Fj
		cmp	[ebp+var_18], 100Dh
		jz	loc_A3B3A4
		cmp	[ebp+var_18], 2012h
		jz	loc_A3B396

loc_A3B30A:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+232j
		mov	edx, 0C000000Dh
		jmp	loc_A3B1CC
; 

loc_A3B314:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+443j
		mov	ecx, esi
		lea	eax, [ecx+2]
		mov	[ebp+var_20], eax

loc_A3B31C:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+3D0j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_10]
		jnz	short loc_A3B31C
		mov	[ebp+var_24], ecx
		mov	eax, ecx
		sub	eax, [ebp+var_20]
		mov	ecx, [ebp+arg_0]
		sar	eax, 1
		lea	ebx, [ebx+eax*2]
		add	ebx, 4
		cmp	ebx, [ebp+var_4]
		ja	short loc_A3B370
		push	esi		; char
		push	offset ??_C@_19FIMGCOBE@?$AA?$FL?$AA?$CF?$AAs?$AA?$FN@NNGAKEGL@	; "["
		push	400h		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	edi		; size_t
		push	ecx		; int
		call	RtlStringCbPrintfExW
		mov	edx, eax
		add	esp, 1Ch
		test	edx, edx
		js	loc_A3B1E1
		mov	ecx, [ebp+var_8]
		mov	edi, [ebp+var_C]
		mov	[ebp+arg_0], ecx

loc_A3B370:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+3E8j
		mov	ecx, esi
		lea	eax, [ecx+2]
		mov	[ebp+var_20], eax

loc_A3B378:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+42Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_10]
		jnz	short loc_A3B378
		mov	eax, ecx
		mov	[ebp+var_24], ecx
		sub	eax, [ebp+var_20]
		sar	eax, 1
		lea	esi, [esi+eax*2]
		add	esi, 2
		xor	eax, eax

loc_A3B396:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+3AEj
		cmp	[esi], ax
		jnz	loc_A3B314
		jmp	loc_A3B1CC
; 

loc_A3B3A4:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+23Fj
					; ConvertDevpropertyToString(x,x,x,x)+3A1j
					; DATA XREF: ...
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		mov	esi, [ebp+var_14]

loc_A3B3AC:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+503j
		mov	esi, [esi+24h]
		lea	edi, [ebp+var_34]
		add	esi, ecx
		add	ebx, 50h
		movsd
		movsd
		movsd
		movsd
		cmp	ebx, eax
		ja	loc_A3B44D
		mov	ecx, [ebp+var_28]
		mov	eax, ecx
		shr	eax, 18h
		push	eax
		mov	eax, ecx
		shr	eax, 10h
		movzx	eax, al
		push	eax
		mov	eax, ecx
		shr	eax, 8
		movzx	eax, al
		push	eax
		movzx	eax, cl
		mov	ecx, [ebp+var_2C]
		push	eax
		mov	eax, ecx
		shr	eax, 18h
		push	eax
		mov	eax, ecx
		shr	eax, 10h
		movzx	eax, al
		push	eax
		mov	eax, ecx
		shr	eax, 8
		movzx	eax, al
		push	eax
		movzx	eax, cl
		mov	ecx, [ebp+var_30]
		push	eax
		mov	eax, ecx
		shr	eax, 10h
		push	eax
		movzx	eax, cx
		push	eax
		push	dword ptr [ebp+var_34] ; char
		lea	eax, [ebp+var_C]
		push	offset ??_C@_1GK@MCFCFGIP@?$AA?$CI?$AA?$HL?$AA?$CF?$AA0?$AA8?$AAx?$AA?9?$AA?$CF?$AA0?$AA4?$AAx?$AA?9?$AA?$CF?$AA0?$AA4@NNGAKEGL@ ; wchar_t *
		push	400h		; int
		push	eax		; int
		lea	eax, [ebp+var_8]
		push	eax		; int
		push	[ebp+var_1C]	; size_t
		push	[ebp+arg_0]	; int
		call	RtlStringCbPrintfExW
		mov	edx, eax
		add	esp, 44h
		test	edx, edx
		js	loc_A3B1E1
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_10]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_4]

loc_A3B44D:				; CODE XREF: ConvertDevpropertyToString(x,x,x,x)+467j
		mov	esi, [ebp+var_14]
		add	ecx, 10h
		mov	[ebp+var_10], ecx
		cmp	ecx, [esi+20h]
		jb	loc_A3B3AC
		jmp	loc_A3B1CF
_ConvertDevpropertyToString@16 endp

; 
		db 8Bh,	0FFh
off_A3B466	dd offset loc_A3AFF0	; DATA XREF: ConvertDevpropertyToString(x,x,x,x)+93r
		dd offset loc_A3AFFA	; jump table for switch	statement
		dd offset loc_A3B004
		dd offset loc_A3B00E
		dd offset loc_A3B018
		dd offset loc_A3B022
		dd offset loc_A3B02C
		dd offset loc_A3B036
		dd offset loc_A3B040
		dd offset loc_A3B04A
		dd offset loc_A3B054
		dd offset loc_A3B05E
		dd offset loc_A3B068
		dd offset loc_A3B072
		dd offset loc_A3B079
		dd offset loc_A3B080
		dd offset loc_A3B087
		dd offset loc_A3B08E
		dd offset loc_A3B095
		dd offset loc_A3B09C
		dd offset loc_A3B0A3
		dd offset loc_A3B0AA
		dd offset loc_A3B0B1
		dd offset loc_A3B0B8
		dd offset loc_A3B0BF
		dd offset loc_A3B0C6
off_A3B4CE	dd offset loc_A3B0E2	; DATA XREF: ConvertDevpropertyToString(x,x,x,x)+23Fr
					; default
		dd offset loc_A3B19C
		dd offset loc_A3B1EA
		dd offset loc_A3B1FF
		dd offset loc_A3B212
		dd offset loc_A3B23F
		dd offset loc_A3B1CC
		dd offset loc_A3B3A4
		dd offset loc_A3B261
		dd offset loc_A3B2B6
byte_A3B4F6	db 0			; DATA XREF: ConvertDevpropertyToString(x,x,x,x)+238r
		align 4
		add	[ecx], eax
		add	al, [edx]
		add	eax, [ebx]
		add	al, 4
		add	eax, 6070605h
		push	es
		push	es
		or	[ecx], cl
		push	es
		or	[esi], eax
		add	eax, [ebx]
		add	ecx, [ecx]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpressionConvertToString(x, x, x, x)
_ExpressionConvertToString@16 proc near	; CODE XREF: FilterConvertToString(x,x,x,x,x)+45p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_C], edx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_14], esi
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_18], eax
		push	edi
		mov	edi, eax
		mov	[ebp+var_4], edi
		test	esi, esi
		jnz	short loc_A3B543

loc_A3B539:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+7Aj
					; ExpressionConvertToString(x,x,x,x)+1A8j ...
		mov	eax, 0C000000Dh	; default
		jmp	loc_A3B83C
; 

loc_A3B543:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+27j
		mov	ecx, [ebp+arg_0]
		push	2
		pop	eax
		mov	[ebp+var_10], eax
		cmp	edx, eax
		jb	short loc_A3B555
		xor	eax, eax
		mov	[ecx], ax

loc_A3B555:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+3Ej
		mov	eax, [esi]
		and	eax, 0FF00000h
		jz	loc_A3B5E9
		cmp	eax, 100000h
		jz	short loc_A3B5A1
		cmp	eax, 200000h
		jz	short loc_A3B58C
		cmp	eax, 300000h
		jz	short loc_A3B59A
		cmp	eax, 400000h
		jz	short loc_A3B58C
		cmp	eax, offset loc_500000
		jz	short loc_A3B593
		cmp	eax, 600000h
		jnz	short loc_A3B539 ; default

loc_A3B58C:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+5Ej
					; ExpressionConvertToString(x,x,x,x)+6Cj
		mov	edx, offset ??_C@_13DIBMAFH@?$AA?$CJ@NNGAKEGL@
		jmp	short loc_A3B5A6
; 

loc_A3B593:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+73j
		mov	edx, offset ??_C@_19JOCCLNOL@?$AAN?$AAO?$AAT?$AA?$CI@NNGAKEGL@
		jmp	short loc_A3B5A6
; 

loc_A3B59A:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+65j
		mov	edx, offset ??_C@_17EOKANOPK@?$AAO?$AAR?$AA?$CI@NNGAKEGL@
		jmp	short loc_A3B5A6
; 

loc_A3B5A1:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+57j
		mov	edx, offset ??_C@_19KAFFOEGD@?$AAA?$AAN?$AAD?$AA?$CI@NNGAKEGL@ ; "AND("

loc_A3B5A6:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+81j
					; ExpressionConvertToString(x,x,x,x)+88j ...
		mov	ebx, [ebp+var_10]
		mov	ecx, edx
		xor	edi, edi
		lea	esi, [ecx+2]

loc_A3B5B0:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+A8j
		mov	ax, [ecx]
		add	ecx, ebx
		cmp	ax, di
		jnz	short loc_A3B5B0
		mov	eax, [ebp+arg_4]
		sub	ecx, esi
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]
		test	eax, eax
		jz	short loc_A3B5CE
		mov	[eax], ecx

loc_A3B5CE:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+BAj
		mov	esi, [ebp+var_C]
		cmp	ecx, esi
		ja	loc_A3B837
		mov	ecx, [ebp+arg_0]
		push	edx
		mov	edx, esi
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		jmp	loc_A3B83C
; 

loc_A3B5E9:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+4Cj
		push	6
		pop	esi
		mov	[ebp+arg_0], esi
		cmp	edx, esi
		jb	short loc_A3B61B
		push	400h
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	offset ??_C@_15JEEKIBPF@?$AA?$FL?$AA?$HL@NNGAKEGL@
		call	RtlStringCbCopyExW
		test	eax, eax
		js	loc_A3B83C
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+var_8]
		mov	edx, [ebp+var_C]

loc_A3B61B:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+E1j
		mov	esi, [ebp+var_14]
		mov	esi, [esi]
		and	esi, 0F0000h
		test	esi, 10000h
		jz	short loc_A3B66C
		push	10h
		pop	eax
		and	esi, 0FFFEFFFFh
		mov	[ebp+arg_0], eax
		cmp	edx, eax
		jb	short loc_A3B66F
		push	400h
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	ecx, ebx
		push	eax
		push	offset ??_C@_1M@KAPMNJJB@?$AA?$CI?$AAN?$AAO?$AAT?$AA?$CJ@NNGAKEGL@
		call	RtlStringCbCopyExW
		test	eax, eax
		js	loc_A3B83C
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+var_8]
		mov	eax, [ebp+arg_0]
		jmp	short loc_A3B66F
; 

loc_A3B66C:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+11Cj
		push	6
		pop	eax

loc_A3B66F:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+12Cj
					; ExpressionConvertToString(x,x,x,x)+15Aj
		mov	edx, [ebp+var_C]
		test	esi, 20000h
		jz	short loc_A3B6B6
		add	eax, 1Ah
		and	esi, 0FFFDFFFFh
		mov	[ebp+arg_0], eax
		cmp	eax, edx
		ja	short loc_A3B6B6
		push	400h
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	ecx, ebx
		push	eax
		push	offset ??_C@_1BM@LGOPPIEI@?$AA?$CI?$AAI?$AAG?$AAN?$AAO?$AAR?$AAE?$AA_?$AAC?$AAA?$AAS?$AAE?$AA?$CJ@NNGAKEGL@ ; "(IGNORE_CASE)"
		call	RtlStringCbCopyExW
		test	eax, eax
		js	loc_A3B83C
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+var_8]
		mov	edx, [ebp+var_C]

loc_A3B6B6:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+168j
					; ExpressionConvertToString(x,x,x,x)+178j
		test	esi, esi
		jnz	loc_A3B539	; default
		mov	esi, [ebp+arg_0]
		add	esi, [ebp+var_10]
		cmp	esi, edx
		ja	short loc_A3B6F1
		push	400h
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	ecx, ebx
		push	eax
		push	offset ??_C@_13EHOOFIKC@?$AA?$HN@NNGAKEGL@
		call	RtlStringCbCopyExW
		test	eax, eax
		js	loc_A3B83C
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+var_8]

loc_A3B6F1:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+1B6j
		mov	eax, [ebp+var_14]
		mov	ecx, 1000h
		mov	eax, [eax]
		and	eax, 0F000FFFFh
		cmp	eax, ecx
		jg	short loc_A3B76B
		jz	short loc_A3B764
		dec	eax
		cmp	eax, 0Ah	; switch 11 cases
		ja	loc_A3B539	; default
		jmp	ds:off_A3B844[eax*4] ; switch jump

loc_A3B717:				; DATA XREF: PAGE:off_A3B844o
		mov	ecx, offset ??_C@_1BC@IPPBMIKC@?$AA?$CI?$AAE?$AAx?$AAi?$AAs?$AAt?$AAs?$AA?$CJ@NNGAKEGL@	; case 0x0
		jmp	short loc_A3B77B
; 

loc_A3B71E:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+200j
					; DATA XREF: PAGE:off_A3B844o
		mov	ecx, offset ??_C@_19DLOJGGMG@?$AA?$CI?$AA?$DN?$AA?$DN?$AA?$CJ@NNGAKEGL@	; case 0x1
		jmp	short loc_A3B77B
; 

loc_A3B725:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+200j
					; DATA XREF: PAGE:off_A3B844o
		mov	ecx, offset ??_C@_17FDAENPBM@?$AA?$CI?$AA?$DO?$AA?$CJ@NNGAKEGL@	; case 0x2
		jmp	short loc_A3B77B
; 

loc_A3B72C:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+200j
					; DATA XREF: PAGE:off_A3B844o
		mov	ecx, (offset loc_8C999D+1) ; case 0x3
		jmp	short loc_A3B77B
; 

loc_A3B733:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+200j
					; DATA XREF: PAGE:off_A3B844o
		mov	ecx, (offset loc_8C9993+1) ; case 0x4
		jmp	short loc_A3B77B
; 

loc_A3B73A:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+200j
					; DATA XREF: PAGE:off_A3B844o
		mov	ecx, offset ??_C@_19PHEDGGFI@?$AA?$CI?$AA?$DM?$AA?$DN?$AA?$CJ@NNGAKEGL@	; case 0x5
		jmp	short loc_A3B77B
; 

loc_A3B741:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+200j
					; DATA XREF: PAGE:off_A3B844o
		mov	ecx, offset ??_C@_17LMIBFPOK@?$AA?$CI?$AA?$CG?$AA?$CJ@NNGAKEGL@	; case 0x6
		jmp	short loc_A3B77B
; 

loc_A3B748:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+200j
					; DATA XREF: PAGE:off_A3B844o
		mov	ecx, offset ??_C@_17BBJEHEHL@?$AA?$CI?$AA?$HM?$AA?$CJ@NNGAKEGL@	; case 0x7
		jmp	short loc_A3B77B
; 

loc_A3B74F:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+200j
					; DATA XREF: PAGE:off_A3B844o
		mov	ecx, offset ??_C@_1BM@MPDDCFMI@?$AA?$CI?$AAb?$AAe?$AAg?$AAi?$AAn?$AAs?$AA_?$AAw?$AAi?$AAt?$AAh?$AA?$CJ@NNGAKEGL@ ; case	0x8
		jmp	short loc_A3B77B
; 

loc_A3B756:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+200j
					; DATA XREF: PAGE:off_A3B844o
		mov	ecx, offset ??_C@_1BI@EILENIFL@?$AA?$CI?$AAe?$AAn?$AAd?$AAs?$AA_?$AAw?$AAi?$AAt?$AAh?$AA?$CJ@NNGAKEGL@ ; case 0x9
		jmp	short loc_A3B77B
; 

loc_A3B75D:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+200j
					; DATA XREF: PAGE:off_A3B844o
		mov	ecx, offset ??_C@_1BG@BGPLEOMO@?$AA?$CI?$AAc?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAs?$AA?$CJ@NNGAKEGL@ ; case 0xA
		jmp	short loc_A3B77B
; 

loc_A3B764:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+1F4j
		mov	ecx, offset ??_C@_1CA@EKNKOPMG@?$AA?$CI?$AAl?$AAi?$AAs?$AAt?$AA_?$AAc?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAs?$AA?$CJ@NNGAKEGL@
		jmp	short loc_A3B77B
; 

loc_A3B76B:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+1F2j
		cmp	eax, 10000000h
		jnz	loc_A3B539	; default
		mov	ecx, offset ??_C@_1CC@JBMFGBFB@?$AA?$CI?$AAa?$AAr?$AAr?$AAa?$AAy?$AA_?$AAc?$AAo?$AAn?$AAt?$AAa?$AAi?$AAn?$AAs@NNGAKEGL@

loc_A3B77B:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+20Cj
					; ExpressionConvertToString(x,x,x,x)+213j ...
		mov	edx, ecx
		lea	eax, [edx+2]
		mov	[ebp+var_20], eax

loc_A3B783:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+27Dj
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, word ptr [ebp+var_1C]
		jnz	short loc_A3B783
		mov	eax, edx
		mov	[ebp+arg_0], edx
		sub	eax, [ebp+var_20]
		sar	eax, 1
		lea	eax, [esi+eax*2]
		mov	[ebp+arg_0], eax
		cmp	eax, [ebp+var_C]
		ja	short loc_A3B7C5
		push	400h
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		mov	ecx, ebx
		call	RtlStringCbCopyExW
		test	eax, eax
		js	short loc_A3B83C
		mov	edi, [ebp+var_4]
		mov	ebx, [ebp+var_8]

loc_A3B7C5:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+292j
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	ebx		; int
		mov	edx, edi	; size_t
		lea	ecx, [ecx+4]	; int
		call	_ConvertDevpropertyToString@16 ; ConvertDevpropertyToString(x,x,x,x)
		test	eax, eax
		jns	short loc_A3B7E2
		cmp	eax, 0C0000023h
		jnz	short loc_A3B83C

loc_A3B7E2:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+2C9j
		mov	esi, [ebp+var_18]
		xor	eax, eax
		mov	ecx, [ebp+arg_0]
		add	ecx, esi
		mov	[ebp+arg_0], ecx
		lea	edx, [esi-2]
		cmp	edi, edx
		jb	short loc_A3B801
		sub	[ebp+var_10], esi
		add	edi, [ebp+var_10]
		shr	edx, 1
		lea	ebx, [ebx+edx*2]

loc_A3B801:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+2E4j
		mov	esi, [ebp+var_C]
		cmp	ecx, esi
		ja	short loc_A3B82A
		push	400h
		lea	eax, [ebp+var_4]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	ecx, ebx
		push	eax
		push	offset ??_C@_13OHNMPHJM@?$AA?$FN@NNGAKEGL@
		call	RtlStringCbCopyExW
		test	eax, eax
		js	short loc_A3B83C
		mov	ecx, [ebp+arg_0]

loc_A3B82A:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+2F6j
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	short loc_A3B833
		mov	[edx], ecx

loc_A3B833:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+31Fj
		cmp	ecx, esi
		jbe	short loc_A3B83C

loc_A3B837:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+C3j
		mov	eax, 0C0000023h

loc_A3B83C:				; CODE XREF: ExpressionConvertToString(x,x,x,x)+2Ej
					; ExpressionConvertToString(x,x,x,x)+D4j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_ExpressionConvertToString@16 endp

; 
		align 4
off_A3B844	dd offset loc_A3B717	; DATA XREF: ExpressionConvertToString(x,x,x,x)+200r
		dd offset loc_A3B71E	; jump table for switch	statement
		dd offset loc_A3B725
		dd offset loc_A3B72C
		dd offset loc_A3B733
		dd offset loc_A3B73A
		dd offset loc_A3B741
		dd offset loc_A3B748
		dd offset loc_A3B74F
		dd offset loc_A3B756
		dd offset loc_A3B75D

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FilterConvertToString(x, x,	x, x, x)
_FilterConvertToString@20 proc near	; CODE XREF: PiDqIrpQueryCreate+118A6Dp
					; PiDqIrpQueryCreate+118AA6p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		push	2
		pop	esi
		mov	[ebp+var_4], ebx
		mov	edx, edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], edx
		mov	[ebp+arg_0], esi
		cmp	edi, esi
		jb	short loc_A3B8A4
		xor	ebx, ebx
		mov	[eax], bx
		mov	ebx, [ebp+var_4]

loc_A3B8A4:				; CODE XREF: FilterConvertToString(x,x,x,x,x)+2Aj
		and	[ebp+var_C], 0
		test	ecx, ecx
		jz	short loc_A3B913

loc_A3B8AC:				; CODE XREF: FilterConvertToString(x,x,x,x,x)+9Ej
		lea	ecx, [ebp+var_8]
		mov	edx, edi
		push	ecx
		push	eax
		mov	ecx, ebx
		call	_ExpressionConvertToString@16 ;	ExpressionConvertToString(x,x,x,x)
		test	eax, eax
		jns	short loc_A3B8C5
		cmp	eax, 0C0000023h
		jnz	short loc_A3B927

loc_A3B8C5:				; CODE XREF: FilterConvertToString(x,x,x,x,x)+4Cj
		mov	ebx, [ebp+var_8]
		lea	eax, [ebp+arg_0]
		add	ebx, 0FFFFFFFEh
		mov	ecx, esi
		push	eax
		mov	edx, ebx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	short loc_A3B927
		cmp	edi, ebx
		jb	short loc_A3B8F5
		push	2
		pop	eax
		sub	eax, [ebp+var_8]
		add	edi, eax
		mov	eax, [ebp+arg_4]
		shr	ebx, 1
		lea	eax, [eax+ebx*2]
		mov	[ebp+arg_4], eax
		jmp	short loc_A3B8F8
; 

loc_A3B8F5:				; CODE XREF: FilterConvertToString(x,x,x,x,x)+6Ej
		mov	eax, [ebp+arg_4]

loc_A3B8F8:				; CODE XREF: FilterConvertToString(x,x,x,x,x)+83j
		mov	ebx, [ebp+var_C]
		add	[ebp+var_4], 2Ch
		inc	ebx
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_C], ebx
		cmp	ebx, [ebp+var_10]
		jnb	short loc_A3B910
		mov	ebx, [ebp+var_4]
		jmp	short loc_A3B8AC
; 

loc_A3B910:				; CODE XREF: FilterConvertToString(x,x,x,x,x)+99j
		mov	edx, [ebp+var_14]

loc_A3B913:				; CODE XREF: FilterConvertToString(x,x,x,x,x)+3Aj
		mov	ecx, [ebp+arg_8]
		xor	eax, eax
		test	ecx, ecx
		jz	short loc_A3B91E
		mov	[ecx], esi

loc_A3B91E:				; CODE XREF: FilterConvertToString(x,x,x,x,x)+AAj
		cmp	esi, edx
		jbe	short loc_A3B927
		mov	eax, 0C0000023h

loc_A3B927:				; CODE XREF: FilterConvertToString(x,x,x,x,x)+53j
					; FilterConvertToString(x,x,x,x,x)+6Aj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_FilterConvertToString@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall StringListElementSubstringMatch(wchar_t *,int,wchar_t *,int,int)
_StringListElementSubstringMatch@20 proc near ;	CODE XREF: PropertyEval+11B103p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edx
		cmp	[ebp+arg_8], 2000h
		mov	edx, edi
		mov	[ebp+var_10], ecx
		mov	ebx, edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edx
		jz	short loc_A3B96E
		cmp	[ebp+arg_8], 3000h
		jz	short loc_A3B96A
		cmp	[ebp+arg_8], 4000h
		jnz	short loc_A3B971
		push	0Bh
		jmp	short loc_A3B970
; 

loc_A3B96A:				; CODE XREF: StringListElementSubstringMatch(x,x,x,x,x)+2Dj
		push	0Ah
		jmp	short loc_A3B970
; 

loc_A3B96E:				; CODE XREF: StringListElementSubstringMatch(x,x,x,x,x)+24j
		push	9

loc_A3B970:				; CODE XREF: StringListElementSubstringMatch(x,x,x,x,x)+3Aj
					; StringListElementSubstringMatch(x,x,x,x,x)+3Ej
		pop	ebx

loc_A3B971:				; CODE XREF: StringListElementSubstringMatch(x,x,x,x,x)+36j
		mov	esi, [ebp+arg_0]
		cmp	[esi], di
		jz	loc_A3BA03

loc_A3B97D:				; CODE XREF: StringListElementSubstringMatch(x,x,x,x,x)+CFj
		xor	eax, eax
		mov	edi, ecx
		cmp	[ecx], ax
		mov	eax, [ebp+var_4]
		jz	short loc_A3B9CA

loc_A3B989:				; CODE XREF: StringListElementSubstringMatch(x,x,x,x,x)+8Cj
		push	ebx		; int
		push	[ebp+arg_4]	; int
		mov	edx, esi	; wchar_t *
		mov	ecx, edi	; wchar_t *
		call	_SubstringMatch@16 ; SubstringMatch(x,x,x,x)
		test	eax, eax
		jnz	short loc_A3B9C1
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_A3B99F:				; CODE XREF: StringListElementSubstringMatch(x,x,x,x,x)+7Bj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_C]
		jnz	short loc_A3B99F
		sub	ecx, edx
		xor	eax, eax
		sar	ecx, 1
		lea	edi, [edi+ecx*2]
		add	edi, 2
		cmp	[edi], ax
		jnz	short loc_A3B989
		mov	edx, [ebp+var_8]
		jmp	short loc_A3B9C7
; 

loc_A3B9C1:				; CODE XREF: StringListElementSubstringMatch(x,x,x,x,x)+6Aj
		xor	edx, edx
		inc	edx
		mov	[ebp+var_8], edx

loc_A3B9C7:				; CODE XREF: StringListElementSubstringMatch(x,x,x,x,x)+91j
		mov	eax, [ebp+var_4]

loc_A3B9CA:				; CODE XREF: StringListElementSubstringMatch(x,x,x,x,x)+59j
		cmp	eax, 12h
		jz	short loc_A3BA03
		cmp	eax, 2012h
		jnz	short loc_A3B9DA
		test	edx, edx
		jnz	short loc_A3BA03

loc_A3B9DA:				; CODE XREF: StringListElementSubstringMatch(x,x,x,x,x)+A6j
		mov	ecx, esi
		lea	edi, [ecx+2]

loc_A3B9DF:				; CODE XREF: StringListElementSubstringMatch(x,x,x,x,x)+BBj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_C]
		jnz	short loc_A3B9DF
		sub	ecx, edi
		xor	eax, eax
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		mov	ecx, [ebp+var_10]
		add	esi, 2
		cmp	[esi], ax
		jnz	loc_A3B97D

loc_A3BA03:				; CODE XREF: StringListElementSubstringMatch(x,x,x,x,x)+49j
					; StringListElementSubstringMatch(x,x,x,x,x)+9Fj ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn	0Ch
_StringListElementSubstringMatch@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall SubstringMatch(wchar_t	*,wchar_t *,int,int)
_SubstringMatch@16 proc	near		; CODE XREF: PropertyEval+11B019p
					; StringListElementSubstringMatch(x,x,x,x,x)+63p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jnz	short loc_A3BA28
		push	esi		; wchar_t *
		push	edi		; wchar_t *
		call	_wcsstr
		pop	ecx
		pop	ecx
		jmp	short loc_A3BA2D
; 

loc_A3BA28:				; CODE XREF: SubstringMatch(x,x,x,x)+Fj
		call	__wcsistr

loc_A3BA2D:				; CODE XREF: SubstringMatch(x,x,x,x)+1Aj
		mov	edx, eax
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_A3BA76
		cmp	[ebp+arg_4], 9
		jnz	short loc_A3BA3F
		cmp	edx, edi
		jmp	short loc_A3BA71
; 

loc_A3BA3F:				; CODE XREF: SubstringMatch(x,x,x,x)+2Dj
		cmp	[ebp+arg_4], 0Ah
		jnz	short loc_A3BA6D
		lea	edi, [edx+2]

loc_A3BA48:				; CODE XREF: SubstringMatch(x,x,x,x)+45j
		mov	ax, [edx]
		add	edx, 2
		cmp	ax, cx
		jnz	short loc_A3BA48
		sub	edx, edi
		lea	edi, [esi+2]
		sar	edx, 1

loc_A3BA5A:				; CODE XREF: SubstringMatch(x,x,x,x)+57j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, cx
		jnz	short loc_A3BA5A
		sub	esi, edi
		sar	esi, 1
		cmp	edx, esi
		jmp	short loc_A3BA71
; 

loc_A3BA6D:				; CODE XREF: SubstringMatch(x,x,x,x)+37j
		cmp	[ebp+arg_4], 0Bh

loc_A3BA71:				; CODE XREF: SubstringMatch(x,x,x,x)+31j
					; SubstringMatch(x,x,x,x)+5Fj
		jnz	short loc_A3BA76
		xor	ecx, ecx
		inc	ecx

loc_A3BA76:				; CODE XREF: SubstringMatch(x,x,x,x)+27j
					; SubstringMatch(x,x,x,x):loc_A3BA71j
		pop	edi
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	8
_SubstringMatch@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

__wcsistr	proc near		; CODE XREF: SubstringMatch(x,x,x,x):loc_A3BA28p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		xor	eax, eax
		mov	[ebp+var_8], edx
		cmp	[edx], ax
		jnz	short loc_A3BA93
		mov	eax, ecx
		leave
		retn
; 

loc_A3BA93:				; CODE XREF: __wcsistr+Fj
		movzx	eax, word ptr [ecx]
		push	ebx
		push	esi
		push	edi
		test	ax, ax
		jz	short loc_A3BB04
		mov	esi, ecx
		mov	[ebp+var_4], 19h
		sub	esi, edx
		test	ax, ax
		jz	short loc_A3BAEC

loc_A3BAAE:				; CODE XREF: __wcsistr+6Aj
					; __wcsistr+84j
		movzx	eax, word ptr [edx]
		test	ax, ax
		jz	short loc_A3BB0B
		movzx	ebx, word ptr [esi+edx]
		mov	edi, eax
		lea	eax, [ebx-61h]
		cmp	ax, word ptr [ebp+var_4]
		ja	short loc_A3BACB
		add	ebx, 0FFE0h

loc_A3BACB:				; CODE XREF: __wcsistr+45j
		lea	eax, [edi-61h]
		cmp	ax, word ptr [ebp+var_4]
		ja	short loc_A3BADA
		add	edi, 0FFE0h

loc_A3BADA:				; CODE XREF: __wcsistr+54j
		xor	eax, eax
		cmp	bx, di
		jnz	short loc_A3BAEE
		add	edx, 2
		cmp	[esi+edx], ax
		jnz	short loc_A3BAAE
		jmp	short loc_A3BAEE
; 

loc_A3BAEC:				; CODE XREF: __wcsistr+2Ej
		xor	eax, eax

loc_A3BAEE:				; CODE XREF: __wcsistr+61j
					; __wcsistr+6Cj
		cmp	[edx], ax
		jz	short loc_A3BB0B
		mov	edx, [ebp+var_8]
		add	ecx, 2
		add	esi, 2
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jnz	short loc_A3BAAE

loc_A3BB04:				; CODE XREF: __wcsistr+1Ej
		xor	eax, eax

loc_A3BB06:				; CODE XREF: __wcsistr+8Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A3BB0B:				; CODE XREF: __wcsistr+36j
					; __wcsistr+73j
		mov	eax, ecx
		jmp	short loc_A3BB06
__wcsistr	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WdtpBarkWorkerThread(x)
_WdtpBarkWorkerThread@4	proc near	; DATA XREF: PnpWatchdogTimerAllocate+46o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	dword ptr [esi+4]
		call	dword ptr [esi+0Ch]
		push	0
		push	0
		lea	eax, [esi+38h]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		pop	esi
		pop	ebp
		retn	4
_WdtpBarkWorkerThread@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CancelTimerCallbacksAndDeleteTimer proc	near ; CODE XREF: DestroyAggregateSession+9p

var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		cmp	[esi+0D0h], ebx
		jz	short loc_A3BB97
		mov	eax, [esi+88h]
		push	2
		pop	edx
		add	eax, 20h
		xchg	dx, [eax]
		xor	ecx, ecx
		movzx	eax, dx
		inc	ecx
		cmp	ax, cx
		jnz	short loc_A3BB77
		mov	eax, [esi+88h]
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		add	eax, 10h
		push	eax
		call	KeWaitForSingleObject
		xor	ecx, ecx
		inc	ecx

loc_A3BB77:				; CODE XREF: CancelTimerCallbacksAndDeleteTimer+2Fj
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_10]
		push	eax
		push	ecx
		push	ecx
		push	dword ptr [esi+0D0h]
		call	ExDeleteTimer
		mov	[esi+0D0h], ebx

loc_A3BB97:				; CODE XREF: CancelTimerCallbacksAndDeleteTimer+15j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CancelTimerCallbacksAndDeleteTimer endp


;  S U B	R O U T	I N E 


DestroyAggregateSession	proc near	; CODE XREF: CreateTlgAggregateSession+D5p
					; TlgRegisterAggregateProviderEx+65FB5p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_A3BBC4
		call	CancelTimerCallbacksAndDeleteTimer
		mov	eax, [esi+88h]
		test	eax, eax
		jz	short loc_A3BBBC
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3BBBC:				; CODE XREF: DestroyAggregateSession+16j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3BBC4:				; CODE XREF: DestroyAggregateSession+7j
		pop	esi
		retn
DestroyAggregateSession	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FlushEventEntry	proc near		; CODE XREF: FlushEventEntryList+15p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		movzx	eax, byte ptr [ecx+21h]
		push	esi
		push	2
		pop	esi
		add	eax, esi
		cmp	eax, esi
		jbe	short loc_A3BBF3
		push	20h
		pop	edx

loc_A3BBDC:				; CODE XREF: FlushEventEntry+2Bj
		mov	eax, [ecx+10h]
		lea	edx, [edx+10h]
		inc	esi
		mov	byte ptr [eax+edx-3], 0
		movzx	eax, byte ptr [ecx+21h]
		add	eax, 2
		cmp	esi, eax
		jl	short loc_A3BBDC

loc_A3BBF3:				; CODE XREF: FlushEventEntry+11j
		push	dword ptr [ecx+10h]
		movzx	eax, byte ptr [ecx+20h]
		push	eax
		push	0
		push	0
		push	ecx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_EtwWriteTransfer@28 ; EtwWriteTransfer(x,x,x,x,x,x,x)
		pop	esi
		pop	ebp
		retn	8
FlushEventEntry	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FlushEventEntryList proc near		; CODE XREF: FlushLookUpTableBucket+3ABp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	short loc_A3BC3B
		push	esi

loc_A3BC1D:				; CODE XREF: FlushEventEntryList+28j
		push	[ebp+arg_4]
		mov	ecx, edi
		push	[ebp+arg_0]
		call	FlushEventEntry
		mov	esi, [edi+14h]
		mov	ecx, edi
		call	DestroyEventEntry
		mov	edi, esi
		test	esi, esi
		jnz	short loc_A3BC1D
		pop	esi

loc_A3BC3B:				; CODE XREF: FlushEventEntryList+Aj
		pop	edi
		pop	ebp
		retn	8
FlushEventEntryList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LookUpTableFlushPartial	proc near	; CODE XREF: TlgAggregateInternalRegisteredProviderEtwCallback+84DF1p
					; TlgAggregateFlushTimerCallback:loc_A3BCB8p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		cmp	[edi+80h], ebx
		jz	short loc_A3BC90
		mov	eax, [edi+84h]
		mov	esi, eax
		mov	[ebp+var_4], eax

loc_A3BC60:				; CODE XREF: LookUpTableFlushPartial+3Fj
		cmp	dword ptr [edi+esi*4], 0
		jz	short loc_A3BC74
		mov	edx, esi
		mov	ecx, edi
		call	FlushLookUpTableBucket
		add	ebx, eax
		mov	eax, [ebp+var_4]

loc_A3BC74:				; CODE XREF: LookUpTableFlushPartial+24j
		inc	esi
		and	esi, 1Fh
		cmp	esi, eax
		jz	short loc_A3BC81
		cmp	ebx, 10h
		jb	short loc_A3BC60

loc_A3BC81:				; CODE XREF: LookUpTableFlushPartial+3Aj
		mov	edx, ebx
		mov	[edi+84h], esi
		mov	ecx, edi
		call	UpdateInternalStatsOnFlush

loc_A3BC90:				; CODE XREF: LookUpTableFlushPartial+13j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
LookUpTableFlushPartial	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

TlgAggregateFlushTimerCallback proc near
					; CODE XREF: TlgAggregateInternalFlushWorkItemRoutineKernelMode(void *)+Bp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, ecx
		cmp	byte ptr [esi+0D8h], 0
		jz	short loc_A3BCB8
		mov	byte ptr [esi+0D8h], 0
		call	LookUpTableFlushComplete
		jmp	short loc_A3BCBD
; 

loc_A3BCB8:				; CODE XREF: TlgAggregateFlushTimerCallback+13j
		call	LookUpTableFlushPartial

loc_A3BCBD:				; CODE XREF: TlgAggregateFlushTimerCallback+21j
		cmp	dword ptr [esi+80h], 0
		jz	short loc_A3BCD7
		mov	edx, [esi+0D4h]
		mov	ecx, [esi+0D0h]
		call	EnableFlushTimer

loc_A3BCD7:				; CODE XREF: TlgAggregateFlushTimerCallback+2Fj
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
TlgAggregateFlushTimerCallback endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void __stdcall TlgAggregateInternalFlushWorkItemRoutineKernelMode(void *)
?TlgAggregateInternalFlushWorkItemRoutineKernelMode@@YGXPAX@Z proc near
					; DATA XREF: CreateTlgAggregateSession+97o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	TlgAggregateFlushTimerCallback
		mov	ecx, [esi+88h]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		add	ecx, 20h
		lock cmpxchg [ecx], dx
		cmp	ax, 2
		jnz	short loc_A3BD18
		mov	eax, [esi+88h]
		push	0
		push	0
		add	eax, 10h
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_A3BD18:				; CODE XREF: TlgAggregateInternalFlushWorkItemRoutineKernelMode(void *)+27j
		pop	esi
		pop	ebp
		retn	4
?TlgAggregateInternalFlushWorkItemRoutineKernelMode@@YGXPAX@Z endp


;  S U B	R O U T	I N E 


UpdateInternalStatsOnFlush proc	near	; CODE XREF: LookUpTableFlushComplete:loc_93698Bp
					; LookUpTableFlushPartial+4Bp
		test	edx, edx
		jz	short locret_A3BD72
		push	esi
		mov	esi, [ecx+0A0h]
		push	edi
		mov	edi, [ecx+0A4h]
		cmp	[ecx+0B0h], edx
		ja	short loc_A3BD3D
		mov	eax, esi
		or	eax, edi
		jnz	short loc_A3BD43

loc_A3BD3D:				; CODE XREF: UpdateInternalStatsOnFlush+18j
		mov	[ecx+0B0h], edx

loc_A3BD43:				; CODE XREF: UpdateInternalStatsOnFlush+1Ej
		cmp	[ecx+0ACh], edx
		jnb	short loc_A3BD51
		mov	[ecx+0ACh], edx

loc_A3BD51:				; CODE XREF: UpdateInternalStatsOnFlush+2Cj
		add	esi, 1
		mov	[ecx+0A0h], esi
		adc	edi, 0
		add	[ecx+98h], edx
		mov	[ecx+0A4h], edi
		adc	dword ptr [ecx+9Ch], 0
		pop	edi
		pop	esi

locret_A3BD72:				; CODE XREF: UpdateInternalStatsOnFlush+2j
		retn
UpdateInternalStatsOnFlush endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AhcCacheQueryHwId(x)
_AhcCacheQueryHwId@4 proc near		; CODE XREF: NtApphelpCacheControl+EBB14p

var_100		= dword	ptr -100h
var_5A		= dword	ptr -5Ah
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	0F0h
		push	offset dword_6AAE40
		call	__SEH_prolog4
		mov	edi, ecx
		mov	[ebp+var_28], edi
		xor	ebx, ebx
		mov	[ebp+var_20], ebx
		mov	esi, ebx
		mov	[ebp+var_24], esi
		mov	[ebp+var_1C], esi
		call	_PsGetCurrentThreadPreviousMode@0 ; PsGetCurrentThreadPreviousMode()
		cmp	al, 1
		jz	short loc_A3BDA7
		mov	ebx, 0C0000002h
		jmp	loc_A3BF16
; 

loc_A3BDA7:				; CODE XREF: AhcCacheQueryHwId(x)+28j
		mov	[ebp+ms_exc.disabled], ebx
		mov	esi, edi
		mov	eax, ds:_MmUserProbeAddress
		cmp	edi, eax
		jb	short loc_A3BDB7
		mov	esi, eax

loc_A3BDB7:				; CODE XREF: AhcCacheQueryHwId(x)+40j
		push	31h
		pop	ecx
		lea	edi, [ebp+var_100]
		rep movsd
		nop
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_5A]
		test	cx, cx
		jz	loc_A3BEEE
		mov	edi, [ebp-5Ch]
		test	di, di
		jz	loc_A3BEEE
		cmp	[ebp+var_5A+2],	0
		jz	loc_A3BEEE
		mov	eax, edi
		or	eax, ecx
		xor	edx, edx
		bt	ax, dx
		jb	loc_A3BEEE
		cmp	di, cx
		ja	loc_A3BEEE
		mov	eax, 0FFFCh
		cmp	di, ax
		ja	loc_A3BEEE
		push	6F637061h
		movzx	eax, di
		add	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_1C], esi
		test	esi, esi
		jnz	short loc_A3BE39
		mov	ebx, 0C000009Ah
		jmp	loc_A3BF16
; 

loc_A3BE39:				; CODE XREF: AhcCacheQueryHwId(x)+BAj
		lea	eax, [edi+2]
		mov	word ptr [ebp+var_20+2], ax
		xor	ecx, ecx
		mov	word ptr [ebp+var_20], cx
		movzx	eax, ax
		push	eax		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 1
		mov	ecx, [ebp+var_5A+2]
		test	cl, 1
		jz	short loc_A3BE68
		call	_ExRaiseDatatypeMisalignment@0 ; ExRaiseDatatypeMisalignment()

loc_A3BE68:				; CODE XREF: AhcCacheQueryHwId(x)+EEj
		mov	eax, [ebp+var_5A]
		movzx	edx, ax
		add	edx, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_A3BE7D
		cmp	edx, ecx
		jnb	short loc_A3BE7F

loc_A3BE7D:				; CODE XREF: AhcCacheQueryHwId(x)+104j
		mov	[eax], bl

loc_A3BE7F:				; CODE XREF: AhcCacheQueryHwId(x)+108j
		lea	eax, [ebp-5Ch]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		push	0FFFFFFFEh
		pop	edi
		mov	[ebp+ms_exc.disabled], edi
		mov	esi, [ebp+var_1C]
		mov	ecx, esi
		call	_KseLookupHardwareId@4 ; KseLookupHardwareId(x)
		mov	[ebp+ms_exc.disabled], 2
		xor	ecx, ecx
		test	eax, eax
		setz	cl
		mov	[ebp+var_24], ecx
		mov	eax, [ebp+var_28]
		add	eax, 0A0h
		mov	edx, ds:_MmUserProbeAddress
		cmp	eax, edx
		jb	short loc_A3BEC1
		mov	eax, edx

loc_A3BEC1:				; CODE XREF: AhcCacheQueryHwId(x)+14Aj
		mov	[eax], cl
		mov	[ebp+ms_exc.disabled], edi
		jmp	short loc_A3BF16
; 

loc_A3BEC8:				; DATA XREF: .text:006AAE6Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_2C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A3BED6:				; DATA XREF: .text:006AAE70o
		mov	ebx, [ebp+var_2C]
		jmp	short loc_A3BF09
; 

loc_A3BEDB:				; DATA XREF: .text:006AAE60o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_30], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A3BEE9:				; DATA XREF: .text:006AAE64o
		mov	ebx, [ebp+var_30]
		jmp	short loc_A3BF09
; 

loc_A3BEEE:				; CODE XREF: AhcCacheQueryHwId(x)+5Dj
					; AhcCacheQueryHwId(x)+69j ...
		mov	ebx, 0C000000Dh
		mov	esi, [ebp+var_24]
		jmp	short loc_A3BF16
; 

loc_A3BEF8:				; DATA XREF: .text:006AAE54o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_34], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A3BF06:				; DATA XREF: .text:006AAE58o
		mov	ebx, [ebp+var_34]

loc_A3BF09:				; CODE XREF: AhcCacheQueryHwId(x)+166j
					; AhcCacheQueryHwId(x)+179j
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_1C]

loc_A3BF16:				; CODE XREF: AhcCacheQueryHwId(x)+2Fj
					; AhcCacheQueryHwId(x)+C1j ...
		test	esi, esi
		jz	short loc_A3BF25
		push	6F637061h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3BF25:				; CODE XREF: AhcCacheQueryHwId(x)+1A5j
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_AhcCacheQueryHwId@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ArbInitializeRangeList(x, x, x, x)
_ArbInitializeRangeList@16 proc	near	; DATA XREF: ArbInitializeArbiterInstance+1CEo

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		mov	ebx, [ebp+arg_4]
		lea	eax, [ebp+var_24]
		xor	ecx, ecx
		shl	ebx, 4
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		add	ebx, edi
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_20], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		cmp	edi, ebx
		jnb	short loc_A3BFE0
		mov	esi, [ebp+arg_0]

loc_A3BF74:				; CODE XREF: ArbInitializeRangeList(x,x,x,x)+A5j
		mov	cl, [edi]
		mov	edx, [esi+10h]
		movzx	eax, cl
		cmp	eax, edx
		jz	short loc_A3BF8A
		cmp	cl, 7
		jnz	short loc_A3BFD7
		cmp	edx, 3
		jnz	short loc_A3BFD7

loc_A3BF8A:				; CODE XREF: ArbInitializeRangeList(x,x,x,x)+47j
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	dword ptr [esi+44h]
		mov	esi, eax
		test	esi, esi
		js	short loc_A3BFF7
		mov	ecx, [ebp+var_C]
		xor	edx, edx
		mov	eax, [ebp+var_10]
		cmp	ecx, edx
		ja	short loc_A3BFAC
		cmp	eax, edx
		jbe	short loc_A3BFD0

loc_A3BFAC:				; CODE XREF: ArbInitializeRangeList(x,x,x,x)+6Fj
		add	eax, [ebp+var_8]
		push	edx
		adc	ecx, [ebp+var_4]
		add	eax, 0FFFFFFFFh
		push	edx
		push	3
		push	edx
		adc	ecx, 0FFFFFFFFh
		push	ecx
		push	eax
		push	[ebp+var_4]
		lea	eax, [ebp+var_24]
		push	[ebp+var_8]
		push	eax
		call	_RtlAddRange@36	; RtlAddRange(x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_A3BFD0:				; CODE XREF: ArbInitializeRangeList(x,x,x,x)+73j
		test	esi, esi
		js	short loc_A3BFF7
		mov	esi, [ebp+arg_0]

loc_A3BFD7:				; CODE XREF: ArbInitializeRangeList(x,x,x,x)+4Cj
					; ArbInitializeRangeList(x,x,x,x)+51j
		add	edi, 10h
		cmp	edi, ebx
		jb	short loc_A3BF74
		xor	ecx, ecx

loc_A3BFE0:				; CODE XREF: ArbInitializeRangeList(x,x,x,x)+38j
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+arg_C]
		call	_RtlInvertRangeListEx@20 ; RtlInvertRangeListEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A3BFF7
		xor	esi, esi

loc_A3BFF7:				; CODE XREF: ArbInitializeRangeList(x,x,x,x)+63j
					; ArbInitializeRangeList(x,x,x,x)+9Bj ...
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlFreeRangeList@4 ; RtlFreeRangeList(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_ArbInitializeRangeList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ArbIsConflictWithMmConfigRange(x, x, x, x)
_ArbIsConflictWithMmConfigRange@16 proc	near ; CODE XREF: IopMemQueryConflict(x,x)+5Bp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, _ArbMmConfigRange
		push	ebx
		xor	bl, bl
		test	edx, edx
		jnz	short loc_A3C01F
		xor	al, al
		jmp	short loc_A3C089
; 

loc_A3C01F:				; CODE XREF: ArbIsConflictWithMmConfigRange(x,x,x,x)+10j
		mov	eax, [edx+4]
		lea	ecx, [edx+8]
		push	edi
		shl	eax, 5
		lea	edi, [edx+8]
		add	edi, eax
		cmp	ecx, edi
		jnb	short loc_A3C086
		push	esi

loc_A3C033:				; CODE XREF: ArbIsConflictWithMmConfigRange(x,x,x,x)+76j
		mov	al, [ecx+1]
		cmp	al, 3
		jz	short loc_A3C03E
		cmp	al, 7
		jnz	short loc_A3C07A

loc_A3C03E:				; CODE XREF: ArbIsConflictWithMmConfigRange(x,x,x,x)+2Fj
		mov	esi, [ecx+14h]
		mov	edx, [ecx+10h]
		cmp	esi, [ebp+arg_4]
		ja	short loc_A3C062
		jb	short loc_A3C050
		cmp	edx, [ebp+arg_0]
		jnb	short loc_A3C062

loc_A3C050:				; CODE XREF: ArbIsConflictWithMmConfigRange(x,x,x,x)+40j
		mov	eax, [ecx+1Ch]
		cmp	eax, [ebp+arg_4]
		jb	short loc_A3C07A
		ja	short loc_A3C062
		mov	eax, [ecx+18h]
		cmp	eax, [ebp+arg_0]
		jb	short loc_A3C07A

loc_A3C062:				; CODE XREF: ArbIsConflictWithMmConfigRange(x,x,x,x)+3Ej
					; ArbIsConflictWithMmConfigRange(x,x,x,x)+45j ...
		cmp	[ebp+arg_4], esi
		ja	short loc_A3C083
		jb	short loc_A3C06E
		cmp	[ebp+arg_0], edx
		jnb	short loc_A3C083

loc_A3C06E:				; CODE XREF: ArbIsConflictWithMmConfigRange(x,x,x,x)+5Ej
		cmp	[ebp+arg_C], esi
		ja	short loc_A3C083
		jb	short loc_A3C07A
		cmp	[ebp+arg_8], edx
		jnb	short loc_A3C083

loc_A3C07A:				; CODE XREF: ArbIsConflictWithMmConfigRange(x,x,x,x)+33j
					; ArbIsConflictWithMmConfigRange(x,x,x,x)+4Dj ...
		add	ecx, 20h
		cmp	ecx, edi
		jb	short loc_A3C033
		jmp	short loc_A3C085
; 

loc_A3C083:				; CODE XREF: ArbIsConflictWithMmConfigRange(x,x,x,x)+5Cj
					; ArbIsConflictWithMmConfigRange(x,x,x,x)+63j ...
		mov	bl, 1

loc_A3C085:				; CODE XREF: ArbIsConflictWithMmConfigRange(x,x,x,x)+78j
		pop	esi

loc_A3C086:				; CODE XREF: ArbIsConflictWithMmConfigRange(x,x,x,x)+27j
		mov	al, bl
		pop	edi

loc_A3C089:				; CODE XREF: ArbIsConflictWithMmConfigRange(x,x,x,x)+14j
		pop	ebx
		pop	ebp
		retn	10h
_ArbIsConflictWithMmConfigRange@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ArbQueryConflict(x,	x)
_ArbQueryConflict@8 proc near		; CODE XREF: IopMemQueryConflict(x,x)+18p
					; DATA XREF: ArbInitializeArbiterInstance+1A7o

var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= word ptr -80h
var_7E		= dword	ptr -7Eh
var_7A		= word ptr -7Ah
var_78		= dword	ptr -78h
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0D4h+var_4], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ebx, ebx
		push	38h		; size_t
		mov	[esp+0E4h+var_C8], eax
		lea	eax, [esp+0E4h+var_78]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		push	38h		; size_t
		lea	eax, [esp+0F0h+var_40]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		push	38h		; size_t
		lea	eax, [esp+0FCh+var_B0]
		mov	[esp+0FCh+var_D0], ebx
		push	ebx		; int
		push	eax		; void *
		mov	[esp+104h+var_C0], 0Ah
		mov	esi, ebx
		mov	[esp+104h+var_D4], ebx
		mov	[esp+104h+var_C4], ebx
		call	_memset
		mov	eax, [edi+0A8h]
		add	esp, 24h
		mov	[esp+0E0h+var_B8], eax
		mov	eax, [edi+0A4h]
		mov	[esp+0E0h+var_B4], eax
		lea	eax, [esp+0E0h+var_D4]
		push	dword ptr [edi+14h]
		mov	dword ptr [edi+0A8h], offset _ArbpQueryConflictCallback@8 ; ArbpQueryConflictCallback(x,x)
		push	dword ptr [edi+18h]
		mov	[edi+0A4h], eax
		call	RtlCopyRangeList
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A3C3A6
		mov	edx, [esp+0E0h+var_C8]
		lea	eax, [esp+0E0h+var_40]
		push	eax
		mov	ecx, edi
		mov	edx, [edx+4]
		call	_ArbpBuildAlternative@12 ; ArbpBuildAlternative(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A3C3A6
		mov	edx, [esp+0E0h+var_3C]
		xor	eax, eax
		mov	ecx, [esp+0E0h+var_38]
		and	[esp+0E0h+var_7E], esi
		mov	esi, [esp+0E0h+var_40]
		mov	ebx, [esp+0E0h+var_C8]
		push	4
		mov	[esp+0E4h+var_7A], ax
		mov	eax, [esp+0E4h+var_34]
		mov	[esp+0E4h+var_A8], ecx
		mov	[esp+0E4h+var_98], ecx
		lea	ecx, [esp+0E4h+var_C4]
		mov	[esp+0E4h+var_AC], edx
		mov	[esp+0E4h+var_9C], edx
		pop	edx
		push	ecx
		mov	[esp+0E4h+var_A4], eax
		lea	ecx, [esp+0E4h+var_58]
		mov	[esp+0E4h+var_94], eax
		lea	eax, [esp+0E4h+var_40]
		push	ecx
		mov	[esp+0E8h+var_8C], eax
		mov	[esp+0E8h+var_84], eax
		lea	eax, [esp+0E8h+var_78]
		mov	[esp+0E8h+var_B0], esi
		mov	[esp+0E8h+var_A0], esi
		xor	esi, esi
		push	edx
		mov	[esp+0ECh+var_90], eax
		inc	esi
		mov	eax, [ebx]
		push	0Dh
		push	eax
		mov	[esp+0F4h+var_88], esi
		mov	[esp+0F4h+var_80], dx
		mov	[esp+0F4h+var_64], edx
		mov	[esp+0F4h+var_68], eax
		call	IoGetDeviceProperty
		test	eax, eax
		jns	short loc_A3C1FB
		mov	[esp+0E0h+var_58], esi

loc_A3C1FB:				; CODE XREF: ArbQueryConflict(x,x)+164j
		lea	eax, [esp+0E0h+var_C4]
		push	eax
		lea	eax, [esp+0E4h+var_50]
		push	eax
		push	4
		push	0Eh
		push	dword ptr [ebx]
		call	IoGetDeviceProperty
		test	eax, eax
		jns	short loc_A3C21F
		and	[esp+0E0h+var_50], 0

loc_A3C21F:				; CODE XREF: ArbQueryConflict(x,x)+187j
		push	43627241h
		mov	eax, 0F0h
		push	eax
		push	esi
		mov	[esp+0ECh+var_BC], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A3C244
		mov	ebx, 0C000009Ah
		jmp	loc_A3C3A6
; 

loc_A3C244:				; CODE XREF: ArbQueryConflict(x,x)+1AAj
		lea	eax, [esp+0E0h+var_B0]
		push	eax
		push	edi
		call	dword ptr [edi+70h]
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A3C3A6
		mov	eax, [esp+0E8h+var_98]
		push	dword ptr [eax+10h]
		push	dword ptr [edi+18h]
		call	_RtlDeleteOwnersRanges@8 ; RtlDeleteOwnersRanges(x,x)
		and	[esp+0E8h+var_DC], 0
		xor	ebx, ebx

loc_A3C26D:				; CODE XREF: ArbQueryConflict(x,x)+2BDj
		mov	eax, [esp+0E8h+var_B8]
		mov	[esp+0E8h+var_A8], eax
		mov	eax, [esp+0E8h+var_B4]
		mov	[esp+0E8h+var_A4], eax
		mov	eax, [esp+0E8h+var_B0]
		mov	[esp+0E8h+var_A0], eax
		mov	eax, [esp+0E8h+var_AC]
		mov	[esp+0E8h+var_9C], eax
		lea	eax, [esp+0E8h+var_B8]
		push	eax
		push	edi
		call	dword ptr [edi+7Ch]
		test	al, al
		jnz	loc_A3C376
		mov	eax, [esp+0F0h+var_E0]
		mov	ecx, [esp+0F0h+var_D0]
		cmp	eax, ecx
		jnz	short loc_A3C2F0
		mov	eax, [esp+0F0h+var_CC]
		add	ecx, 5
		add	eax, 78h
		mov	[esp+0F0h+var_DC], esi
		push	43627241h
		push	eax
		push	1
		mov	[esp+0FCh+var_D0], ecx
		mov	[esp+0FCh+var_CC], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A3C350
		push	ebx		; size_t
		push	[esp+0F4h+var_DC] ; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	[esp+0F4h+var_DC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+0F0h+var_E0]

loc_A3C2F0:				; CODE XREF: ArbQueryConflict(x,x)+21Aj
		mov	ecx, [esp+0F0h+var_E4]
		inc	eax
		mov	[esp+0F0h+var_E0], eax
		test	ecx, ecx
		jz	short loc_A3C35B
		mov	eax, [ecx+14h]
		mov	[ebx+esi], eax
		mov	ecx, [esp+0F0h+var_E4]
		mov	eax, [ecx]
		mov	[ebx+esi+8], eax
		mov	eax, [ecx+4]
		mov	[ebx+esi+0Ch], eax
		mov	ecx, [esp+0F0h+var_E4]
		mov	eax, [ecx+8]
		mov	[ebx+esi+10h], eax
		mov	eax, [ecx+0Ch]
		mov	[ebx+esi+14h], eax
		add	ebx, 18h
		mov	eax, [esp+0F0h+var_E4]
		mov	[esp+0F0h+var_DC], ebx
		push	dword ptr [eax+14h]
		push	dword ptr [edi+18h]
		call	_RtlDeleteOwnersRanges@8 ; RtlDeleteOwnersRanges(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A3C3A6
		and	[esp+0F0h+var_E4], 0
		mov	ebx, [esp+0F0h+var_DC]
		jmp	loc_A3C26D
; 

loc_A3C350:				; CODE XREF: ArbQueryConflict(x,x)+243j
		mov	esi, [esp+0F0h+var_DC]
		mov	ebx, 0C000009Ah
		jmp	short loc_A3C3A6
; 

loc_A3C35B:				; CODE XREF: ArbQueryConflict(x,x)+26Dj
		or	dword ptr [ebx+esi+10h], 0FFFFFFFFh
		xor	ecx, ecx
		or	dword ptr [ebx+esi+14h], 0FFFFFFFFh
		mov	[ebx+esi], ecx
		mov	[ebx+esi+8], ecx
		mov	[ebx+esi+0Ch], ecx
		mov	[esp+0F0h+var_E0], eax

loc_A3C376:				; CODE XREF: ArbQueryConflict(x,x)+20Aj
		push	dword ptr [edi+18h]
		call	_RtlFreeRangeList@4 ; RtlFreeRangeList(x)
		mov	ecx, [esp+0F0h+var_D8]
		xor	ebx, ebx
		mov	eax, [esp+0F0h+var_C8]
		mov	[edi+0A8h], eax
		mov	eax, [esp+0F0h+var_C4]
		mov	[edi+0A4h], eax
		mov	eax, [ecx+0Ch]
		mov	[eax], esi
		mov	eax, [ecx+8]
		mov	ecx, [esp+0F0h+var_E0]
		mov	[eax], ecx

loc_A3C3A6:				; CODE XREF: ArbQueryConflict(x,x)+A5j
					; ArbQueryConflict(x,x)+C5j ...
		test	byte ptr [esp+0F0h+var_90], 10h
		jz	short loc_A3C3C2
		push	0
		push	[esp+0F4h+var_8C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0FFEFh
		and	word ptr [esp+0F0h+var_90], ax

loc_A3C3C2:				; CODE XREF: ArbQueryConflict(x,x)+31Dj
		test	ebx, ebx
		jns	short loc_A3C3F8
		test	esi, esi
		jz	short loc_A3C3D2
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3C3D2:				; CODE XREF: ArbQueryConflict(x,x)+33Aj
		push	dword ptr [edi+18h]
		call	_RtlFreeRangeList@4 ; RtlFreeRangeList(x)
		mov	eax, [esp+0F0h+var_C8]
		mov	[edi+0A8h], eax
		mov	eax, [esp+0F0h+var_C4]
		mov	[edi+0A4h], eax
		mov	eax, [esp+0F0h+var_D8]
		mov	eax, [eax+0Ch]
		and	dword ptr [eax], 0

loc_A3C3F8:				; CODE XREF: ArbQueryConflict(x,x)+336j
		mov	ecx, [esp+0F0h+var_14]
		mov	eax, ebx
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_ArbQueryConflict@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ArbRetestAllocation(x, x)
_ArbRetestAllocation@8 proc near	; DATA XREF: ArbInitializeArbiterInstance+105o

var_A0		= dword	ptr -0A0h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_64		= word ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= word ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+84h+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		lea	eax, [esp+88h+var_78]
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi
		mov	[esp+90h+var_84], ebx
		push	38h		; size_t
		push	edi		; int
		push	eax		; void *
		mov	[esp+9Ch+var_80], edi
		mov	[esp+9Ch+var_7C], edi
		call	_memset
		push	38h		; size_t
		lea	eax, [esp+0A0h+var_40]
		push	edi		; int
		push	eax		; void *
		call	_memset
		lea	eax, [esp+0A8h+var_40]
		xor	ecx, ecx
		inc	ecx
		mov	[esp+0A8h+var_4C], eax
		mov	[esp+0A8h+var_54], eax
		add	esp, 18h
		mov	eax, [ebx+8]
		mov	[esp+90h+var_50], ecx
		mov	[esp+90h+var_48], cx
		test	eax, eax
		jnz	short loc_A3C4B8
		push	dword ptr [esi+14h]
		push	dword ptr [esi+18h]
		call	RtlCopyRangeList
		mov	edi, eax
		test	edi, edi
		js	short loc_A3C4CC
		mov	ecx, [ebx]
		mov	ebx, [ecx]
		cmp	ecx, ebx
		jz	short loc_A3C4ED

loc_A3C499:				; CODE XREF: ArbRetestAllocation(x,x)+A1j
		push	dword ptr [ebx+10h]
		push	dword ptr [esi+18h]
		call	_RtlDeleteOwnersRanges@8 ; RtlDeleteOwnersRanges(x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A3C4CC
		mov	eax, [esp+90h+var_84]
		mov	ebx, [ebx]
		cmp	[eax], ebx
		jnz	short loc_A3C499
		mov	ebx, eax
		jmp	short loc_A3C4F1
; 

loc_A3C4B8:				; CODE XREF: ArbRetestAllocation(x,x)+6Dj
		push	dword ptr [esi+18h]
		push	eax
		push	dword ptr [ebx+4]
		push	esi
		call	dword ptr [esi+8Ch]
		mov	edi, eax
		test	edi, edi
		jns	short loc_A3C4F1

loc_A3C4CC:				; CODE XREF: ArbRetestAllocation(x,x)+7Ej
					; ArbRetestAllocation(x,x)+97j	...
		push	dword ptr [esi+18h]
		call	_RtlFreeRangeList@4 ; RtlFreeRangeList(x)

loc_A3C4D4:				; CODE XREF: ArbRetestAllocation(x,x)+E6j
					; ArbRetestAllocation(x,x)+189j
		mov	ecx, [esp+0A0h+var_14]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_A3C4ED:				; CODE XREF: ArbRetestAllocation(x,x)+86j
		mov	ebx, [esp+90h+var_84]

loc_A3C4F1:				; CODE XREF: ArbRetestAllocation(x,x)+A5j
					; ArbRetestAllocation(x,x)+B9j
		mov	eax, [ebx]
		mov	ebx, [eax]
		cmp	eax, ebx
		jz	short loc_A3C4D4

loc_A3C4F9:				; CODE XREF: ArbRetestAllocation(x,x)+183j
		and	[esp+90h+var_44], 0
		lea	eax, [esp+90h+var_40]
		mov	[esp+90h+var_58], ebx
		mov	ecx, esi
		mov	edx, [ebx+30h]
		push	eax
		call	_ArbpBuildAlternative@12 ; ArbpBuildAlternative(x,x,x)
		cmp	dword ptr [ebx+34h], 2
		mov	edi, eax
		jz	short loc_A3C58C
		lea	eax, [esp+90h+var_80]
		push	eax
		lea	eax, [esp+94h+var_78]
		push	eax
		push	dword ptr [ebx+2Ch]
		call	dword ptr [esi+44h]
		mov	ecx, [esp+9Ch+var_84]
		add	ecx, [esp+9Ch+var_8C]
		mov	eax, [esp+9Ch+var_80]
		adc	eax, [esp+9Ch+var_88]
		add	ecx, 0FFFFFFFFh
		mov	[esp+9Ch+var_7C], ecx
		adc	eax, 0FFFFFFFFh
		mov	[esp+9Ch+var_78], eax
		lea	eax, [esp+9Ch+var_84]
		push	eax
		push	esi
		call	dword ptr [esi+70h]
		mov	edi, eax
		test	edi, edi
		js	loc_A3C4CC
		mov	eax, [esp+0A4h+var_94]
		or	eax, [esp+0A4h+var_90]
		jz	short loc_A3C570
		lea	eax, [esp+0A4h+var_8C]
		push	eax
		push	esi
		call	dword ptr [esi+80h]

loc_A3C570:				; CODE XREF: ArbRetestAllocation(x,x)+151j
		test	byte ptr [esp+0ACh+var_64], 10h
		jz	short loc_A3C58C
		push	0
		push	[esp+0B0h+var_60]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, 0FFEFh
		and	[esp+0ACh+var_64], ax

loc_A3C58C:				; CODE XREF: ArbRetestAllocation(x,x)+106j
					; ArbRetestAllocation(x,x)+164j
		mov	eax, [esp+0ACh+var_A0]
		mov	ebx, [ebx]
		cmp	[eax], ebx
		jnz	loc_A3C4F9
		jmp	loc_A3C4D4
_ArbRetestAllocation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ArbRollbackAllocation(x)
_ArbRollbackAllocation@4 proc near	; DATA XREF: ArbInitializeArbiterInstance+11Do

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	dword ptr [eax+18h]
		call	_RtlFreeRangeList@4 ; RtlFreeRangeList(x)
		xor	eax, eax
		pop	ebp
		retn	4
_ArbRollbackAllocation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ArbStartArbiter(x, x)
_ArbStartArbiter@8 proc	near		; DATA XREF: ArbInitializeArbiterInstance+1BFo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	dword ptr [esi+14h]
		call	_RtlFreeRangeList@4 ; RtlFreeRangeList(x)
		mov	ecx, [ebp+arg_4]
		push	dword ptr [esi+14h]
		lea	eax, [ecx+14h]
		push	eax
		push	dword ptr [ecx+10h]
		push	esi
		call	dword ptr [esi+8Ch]
		pop	esi
		pop	ebp
		retn	8
_ArbStartArbiter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; void __stdcall MIDL_user_free(void *)
_MIDL_user_free@4 proc near		; DATA XREF: .text:004016E0o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	6370726Bh
		push	[ebp+arg_0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	4
_MIDL_user_free@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VhdiVerifyBootDisk(x)
_VhdiVerifyBootDisk@4 proc near		; CODE XREF: IopCreateArcName+8523Ap

var_1C		= dword	ptr -1Ch
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], ecx
		lea	edi, [ebp+var_1C]
		xor	ebx, ebx
		stosd
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		stosd
		stosd
		stosd
		test	ecx, ecx
		jz	loc_A3C6CA
		mov	ecx, _NtVhdBootFile
		test	ecx, ecx
		jz	loc_A3C6CA
		lea	edx, [ecx+2]

loc_A3C62D:				; CODE XREF: VhdiVerifyBootDisk(x)+41j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A3C62D
		sub	ecx, edx
		sar	ecx, 1
		push	42646856h
		lea	edi, ds:2[ecx*2]
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A3C6CA
		push	ebx
		push	1
		lea	eax, [ebp+var_1C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	ebx
		push	edi
		mov	edi, [ebp+var_4]
		push	esi
		push	ebx
		push	ebx
		push	edi
		push	2D5928h
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_A3C6BF
		mov	edx, eax
		mov	ecx, edi
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_A3C6A4
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [ebp+var_C]

loc_A3C6A4:				; CODE XREF: VhdiVerifyBootDisk(x)+9Dj
		test	eax, eax
		js	short loc_A3C6BF
		mov	eax, _NtVhdBootFile
		add	eax, 2
		push	eax		; wchar_t *
		push	esi		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A3C6BF
		mov	bl, 1

loc_A3C6BF:				; CODE XREF: VhdiVerifyBootDisk(x)+8Dj
					; VhdiVerifyBootDisk(x)+B1j ...
		push	42646856h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3C6CA:				; CODE XREF: VhdiVerifyBootDisk(x)+21j
					; VhdiVerifyBootDisk(x)+2Fj ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_VhdiVerifyBootDisk@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SbpVmbusNotificationHandler(x, x)
_SbpVmbusNotificationHandler@8 proc near ; DATA	XREF: SbpWaitForVmbus()+23o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	10h		; size_t
		add	eax, 4
		push	offset _GUID_DEVICE_INTERFACE_ARRIVAL ;	void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A3C6FC
		push	eax
		push	eax
		push	offset _SbiVmbusArrivalEvent
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_A3C6FC:				; CODE XREF: SbpVmbusNotificationHandler(x,x)+1Dj
		xor	eax, eax
		pop	ebp
		retn	8
_SbpVmbusNotificationHandler@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtDisableLastKnownGood()
_NtDisableLastKnownGood@0 proc near	; DATA XREF: .text:00581094o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		mov	eax, large fs:124h
		push	ebx
		xor	ebx, ebx
		mov	[esp+1Ch+var_C], ebx
		cmp	byte ptr [eax+15Ah], 1
		push	esi
		mov	[esp+20h+var_10], ebx
		mov	[esp+20h+var_14], ebx
		jz	short loc_A3C736
		mov	esi, 0C0000022h
		jmp	loc_A3C7F4
; 

loc_A3C736:				; CODE XREF: NtDisableLastKnownGood()+28j
		push	1
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A3C757
		mov	esi, 0C0000061h
		jmp	loc_A3C7F4
; 

loc_A3C757:				; CODE XREF: NtDisableLastKnownGood()+49j
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+20h+var_10]
		push	eax
		push	4
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3C7F4
		mov	edx, [esp+20h+var_10]
		lea	ecx, [esp+20h+var_14]
		push	18h
		pop	eax
		push	16h
		mov	word ptr [esp+24h+var_8+2], ax
		pop	eax
		push	ebx
		push	ebx
		mov	word ptr [esp+28h+var_8], ax
		lea	eax, [esp+28h+var_8]
		push	0F003Fh
		push	eax
		mov	[esp+30h+var_4], offset	??_C@_1BI@EIJDOAKI@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAP?$AAn?$AAp@NNGAKEGL@ ;	"Control\\Pnp"
		call	IopCreateRegistryKeyEx
		mov	esi, eax
		test	esi, esi
		js	short loc_A3C7E5
		push	16h
		pop	eax
		push	14h
		mov	word ptr [esp+24h+var_8+2], ax
		pop	eax
		push	4
		mov	word ptr [esp+24h+var_8], ax
		lea	eax, [esp+24h+var_C]
		push	eax
		push	4
		push	ebx
		lea	eax, [esp+30h+var_8]
		mov	[esp+30h+var_C], 1
		push	eax
		push	[esp+34h+var_14]
		mov	[esp+38h+var_4], (offset loc_8C9C73+1)
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax

loc_A3C7E5:				; CODE XREF: NtDisableLastKnownGood()+A7j
		cmp	[esp+20h+var_14], ebx
		jz	short loc_A3C7F4
		push	[esp+20h+var_14]
		call	_ZwClose@4	; ZwClose(x)

loc_A3C7F4:				; CODE XREF: NtDisableLastKnownGood()+2Fj
					; NtDisableLastKnownGood()+50j	...
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_NtDisableLastKnownGood@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall NtEnableLastKnownGood()
_NtEnableLastKnownGood@0 proc near	; DATA XREF: .text:00581080o

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 6Ch
		push	ebx
		xor	ebx, ebx
		xor	eax, eax
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+78h+var_30]
		mov	[esp+78h+var_40], ebx
		rep stosd
		mov	eax, large fs:124h
		mov	[esp+78h+var_3C], ebx
		mov	[esp+78h+var_50], ebx
		mov	[esp+78h+var_4C], ebx
		mov	[esp+78h+var_38], ebx
		mov	[esp+78h+var_34], ebx
		mov	[esp+78h+var_48], ebx
		mov	[esp+78h+var_44], ebx
		mov	[esp+78h+var_58], ebx
		mov	[esp+78h+var_54], ebx
		mov	[esp+78h+var_6C], ebx
		mov	[esp+78h+var_68], ebx
		mov	[esp+78h+var_64], ebx
		cmp	byte ptr [eax+15Ah], 1
		mov	[esp+78h+var_60], ebx
		mov	[esp+78h+var_5C], ebx
		jz	short loc_A3C86C
		mov	esi, 0C0000022h
		jmp	loc_A3CAD4
; 

loc_A3C86C:				; CODE XREF: NtEnableLastKnownGood()+64j
		push	1
		push	ds:dword_A949B4
		push	ds:_SeTcbPrivilege
		call	SeSinglePrivilegeCheck
		test	al, al
		jnz	short loc_A3C88D
		mov	esi, 0C0000061h
		jmp	loc_A3CAA4
; 

loc_A3C88D:				; CODE XREF: NtEnableLastKnownGood()+85j
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+78h+var_60]
		push	eax
		push	4
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3CAA4
		push	18h
		pop	eax
		mov	word ptr [esp+78h+var_58+2], ax
		mov	[esp+78h+var_18], eax
		mov	eax, [esp+78h+var_60]
		mov	[esp+78h+var_14], eax
		lea	eax, [esp+78h+var_58]
		push	16h
		pop	ecx
		mov	[esp+78h+var_10], eax
		lea	eax, [esp+78h+var_18]
		push	eax
		push	0F003Fh
		lea	eax, [esp+80h+var_6C]
		mov	word ptr [esp+80h+var_58], cx
		push	eax
		mov	[esp+84h+var_54], offset ??_C@_1BI@EIJDOAKI@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAP?$AAn?$AAp@NNGAKEGL@ ; "Control\\Pnp"
		mov	[esp+84h+var_C], 240h
		mov	[esp+84h+var_8], ebx
		mov	[esp+84h+var_4], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3CAA4
		mov	ecx, [esp+78h+var_6C]
		lea	eax, [esp+78h+var_5C]
		push	eax
		xor	edi, edi
		mov	esi, (offset loc_8C9C73+1)
		push	edi
		mov	edx, esi
		call	IopGetRegistryValue
		test	eax, eax
		js	loc_A3CA9F
		mov	ecx, [esp+78h+var_5C]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_A3C93D
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_A3C93D
		mov	eax, [ecx+8]
		mov	bl, [ecx+eax]

loc_A3C93D:				; CODE XREF: NtEnableLastKnownGood()+133j
					; NtEnableLastKnownGood()+139j
		push	edi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	bl, bl
		jz	loc_A3CA9F
		push	16h
		pop	eax
		push	14h
		mov	word ptr [esp+7Ch+var_58+2], ax
		pop	eax
		mov	word ptr [esp+78h+var_58], ax
		lea	eax, [esp+78h+var_58]
		push	eax
		push	[esp+7Ch+var_6C]
		mov	[esp+80h+var_54], esi
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3CAA4
		push	offset ??_C@_1HA@JIFMKPBK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		lea	eax, [esp+7Ch+var_40]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	ebx
		lea	eax, [esp+78h+var_40]
		mov	[esp+78h+var_30], ebx
		mov	[esp+78h+var_28], eax
		mov	esi, 240h
		lea	eax, [esp+78h+var_30]
		mov	[esp+78h+var_2C], edi
		push	eax
		push	0F003Fh
		lea	eax, [esp+80h+var_68]
		mov	[esp+80h+var_24], esi
		push	eax
		mov	[esp+84h+var_20], edi
		mov	[esp+84h+var_1C], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_A3C9CC
		push	[esp+78h+var_68]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)

loc_A3C9CC:				; CODE XREF: NtEnableLastKnownGood()+1C5j
		push	offset ??_C@_1HI@JJAPFIHO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		lea	eax, [esp+7Ch+var_38]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+78h+var_38]
		mov	[esp+78h+var_30], ebx
		mov	[esp+78h+var_28], eax
		lea	eax, [esp+78h+var_30]
		push	eax
		push	0F003Fh
		lea	eax, [esp+80h+var_64]
		mov	[esp+80h+var_2C], edi
		push	eax
		mov	[esp+84h+var_24], esi
		mov	[esp+84h+var_20], edi
		mov	[esp+84h+var_1C], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_A3CA18
		push	[esp+78h+var_64]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)

loc_A3CA18:				; CODE XREF: NtEnableLastKnownGood()+211j
		push	offset ??_C@_1CK@BMHMHDCI@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAL?$AAa?$AAs@NNGAKEGL@
		lea	eax, [esp+7Ch+var_50]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ecx
		push	ecx
		lea	ecx, [esp+80h+var_50]
		call	_IopFileUtilWalkDirectoryTreeBottomUp@16 ; IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)
		push	40h
		lea	eax, [esp+7Ch+var_50]
		mov	[esp+7Ch+var_30], ebx
		pop	esi
		mov	[esp+78h+var_28], eax
		lea	eax, [esp+78h+var_30]
		push	eax
		mov	[esp+7Ch+var_2C], edi
		mov	[esp+7Ch+var_24], esi
		mov	[esp+7Ch+var_20], edi
		mov	[esp+7Ch+var_1C], edi
		call	_ZwDeleteFile@4	; ZwDeleteFile(x)
		push	offset ??_C@_1DC@HBEOHGCL@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAL?$AAa?$AAs@NNGAKEGL@
		lea	eax, [esp+7Ch+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ecx
		push	ecx
		lea	ecx, [esp+80h+var_48]
		call	_IopFileUtilWalkDirectoryTreeBottomUp@16 ; IopFileUtilWalkDirectoryTreeBottomUp(x,x,x,x)
		lea	eax, [esp+78h+var_48]
		mov	[esp+78h+var_30], ebx
		mov	[esp+78h+var_28], eax
		lea	eax, [esp+78h+var_30]
		push	eax
		mov	[esp+7Ch+var_2C], edi
		mov	[esp+7Ch+var_24], esi
		mov	[esp+7Ch+var_20], edi
		mov	[esp+7Ch+var_1C], edi
		call	_ZwDeleteFile@4	; ZwDeleteFile(x)
		mov	esi, edi
		jmp	short loc_A3CAA4
; 

loc_A3CA9F:				; CODE XREF: NtEnableLastKnownGood()+125j
					; NtEnableLastKnownGood()+14Aj
		mov	esi, 0C0000001h

loc_A3CAA4:				; CODE XREF: NtEnableLastKnownGood()+8Cj
					; NtEnableLastKnownGood()+A8j ...
		cmp	[esp+78h+var_68], 0
		jz	short loc_A3CAB4
		push	[esp+78h+var_68]
		call	_ZwClose@4	; ZwClose(x)

loc_A3CAB4:				; CODE XREF: NtEnableLastKnownGood()+2ADj
		cmp	[esp+78h+var_64], 0
		jz	short loc_A3CAC4
		push	[esp+78h+var_64]
		call	_ZwClose@4	; ZwClose(x)

loc_A3CAC4:				; CODE XREF: NtEnableLastKnownGood()+2BDj
		cmp	[esp+78h+var_6C], 0
		jz	short loc_A3CAD4
		push	[esp+78h+var_6C]
		call	_ZwClose@4	; ZwClose(x)

loc_A3CAD4:				; CODE XREF: NtEnableLastKnownGood()+6Bj
					; NtEnableLastKnownGood()+2CDj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_NtEnableLastKnownGood@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ke386GetGdtEntryThread(x, x, x)
_Ke386GetGdtEntryThread@12 proc	near	; CODE XREF: PspQueryDescriptorThread(x,x,x,x)+65p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		mov	edi, ecx
		cmp	edx, 50h
		jnb	short loc_A3CB41
		cmp	edx, 48h
		jnz	short loc_A3CB05
		mov	edx, [edi+150h]
		mov	ecx, [ebp+arg_0]
		mov	eax, [edx+1Ch]
		mov	[ecx], eax
		mov	eax, [edx+20h]
		mov	[ecx+4], eax
		jmp	short loc_A3CB41
; 

loc_A3CB05:				; CODE XREF: Ke386GetGdtEntryThread(x,x,x)+10j
		mov	eax, large fs:1Ch
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, [eax+3Ch]
		mov	eax, [edx+ecx]
		mov	[esi], eax
		mov	eax, [edx+ecx+4]
		mov	[esi+4], eax
		cmp	edx, 38h
		jnz	short loc_A3CB40
		mov	ax, [edi+0A8h]
		mov	[esi+2], ax
		mov	al, [edi+0AAh]
		mov	[esi+4], al
		mov	al, [edi+0ABh]
		mov	[esi+7], al

loc_A3CB40:				; CODE XREF: Ke386GetGdtEntryThread(x,x,x)+44j
		pop	esi

loc_A3CB41:				; CODE XREF: Ke386GetGdtEntryThread(x,x,x)+Bj
					; Ke386GetGdtEntryThread(x,x,x)+26j
		pop	edi
		pop	ebp
		retn	4
_Ke386GetGdtEntryThread@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObCreateSiloRootDirectory(x, x)
_ObCreateSiloRootDirectory@8 proc near	; CODE XREF: sub_8D3EE6+52p

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		push	ebx
		push	esi
		push	edi		; struct _exception *
		xor	eax, eax
		mov	[esp+68h+var_2C], edx
		mov	[esp+68h+var_54], eax
		mov	ebx, ecx
		mov	[esp+68h+var_50], eax
		lea	edi, [esp+68h+var_44]
		mov	[esp+68h+var_58], eax
		mov	[esp+68h+var_5C], eax
		mov	[esp+68h+var_4C], eax
		push	6
		pop	ecx
		rep stosd
		mov	edi, eax
		mov	[esp+68h+var_48], edi
		test	edx, 0FFFFFFF8h
		jnz	loc_A3CE12
		mov	eax, edx
		and	al, 6
		cmp	al, 4
		jz	loc_A3CE12
		mov	ecx, ebx
		call	_PsIsJobParentImmutable@4 ; PsIsJobParentImmutable(x)
		test	al, al
		jz	loc_A3CE12
		push	ebx
		call	_PsGetParentSilo@4 ; PsGetParentSilo(x)
		mov	esi, eax
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		cmp	esi, eax
		jz	short loc_A3CBCC
		mov	eax, 0C0000719h
		jmp	loc_A3CE17
; 

loc_A3CBCC:				; CODE XREF: ObCreateSiloRootDirectory(x,x)+7Aj
		push	ebx
		call	_PsGetParentSilo@4 ; PsGetParentSilo(x)
		push	eax
		call	_PsAttachSiloToCurrentThread@4 ; PsAttachSiloToCurrentThread(x)
		and	[esp+68h+var_28], edi
		push	16h
		mov	[esp+6Ch+var_20], eax
		pop	eax
		mov	word ptr [esp+68h+var_28+2], ax
		lea	eax, [esp+68h+var_1C]
		mov	[esp+68h+var_24], eax
		lea	eax, [esp+68h+var_28]
		push	eax
		push	0Ah
		push	ebx
		call	_PsGetSiloIdentifier@4 ; PsGetSiloIdentifier(x)
		push	eax
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3CDAC
		lea	ecx, [esp+68h+var_50]
		call	_ObpGetSilosRootDirectory@4 ; ObpGetSilosRootDirectory(x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3CDAC
		test	byte ptr [esp+68h+var_2C], 1
		jz	short loc_A3CC68
		xor	eax, eax
		mov	[esp+68h+var_44], 18h
		mov	[esp+68h+var_40], eax
		mov	[esp+68h+var_34], eax
		mov	[esp+68h+var_30], eax
		lea	eax, [esp+68h+var_44]
		push	eax
		push	3
		lea	eax, [esp+70h+var_4C]
		mov	[esp+70h+var_38], 200h
		push	eax
		mov	[esp+74h+var_3C], (offset loc_A401A7+1)
		call	_ZwOpenDirectoryObject@12 ; ZwOpenDirectoryObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3CDAC

loc_A3CC68:				; CODE XREF: ObCreateSiloRootDirectory(x,x)+DFj
		mov	eax, [esp+68h+var_50]
		and	[esp+68h+var_30], edi
		mov	[esp+68h+var_40], eax
		lea	eax, [esp+68h+var_28]
		push	0
		push	[esp+6Ch+var_4C]
		mov	[esp+70h+var_3C], eax
		mov	eax, ds:_SePublicDefaultUnrestrictedSd
		mov	[esp+70h+var_34], eax
		lea	eax, [esp+70h+var_44]
		push	eax
		push	0F000Fh
		lea	eax, [esp+78h+var_58]
		mov	[esp+78h+var_44], 18h
		push	eax
		mov	[esp+7Ch+var_38], 250h
		call	_ZwCreateDirectoryObjectEx@20 ;	ZwCreateDirectoryObjectEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3CDAC
		mov	eax, _ObpDirectoryObjectType
		lea	ecx, [esp+68h+var_5C]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		push	eax
		push	0F000Fh
		push	[esp+7Ch+var_58]
		mov	[esp+80h+var_5C], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		mov	eax, [esp+68h+var_5C]
		mov	[esp+68h+var_5C], eax
		test	esi, esi
		js	loc_A3CDAC
		lea	eax, [esp+68h+var_48]
		push	eax
		push	offset _ObpDirectoryTeardownCallback@4 ; ObpDirectoryTeardownCallback(x)
		push	1
		push	4
		push	ebx
		call	PsCreateSiloContext
		mov	esi, eax
		test	esi, esi
		js	loc_A3CDA8
		mov	esi, [esp+68h+var_5C]
		mov	edx, 7254624Fh
		mov	ecx, esi
		call	ObfReferenceObjectWithTag
		mov	edi, [esp+68h+var_48]
		push	edi
		mov	[edi], esi
		push	ds:_PsObjectDirectoryTeardownSlot
		push	ebx
		call	_PsInsertSiloContext@12	; PsInsertSiloContext(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A3CDAC
		mov	edx, ds:_PsObjectDirectorySiloContextSlot
		mov	ecx, ebx
		push	1
		push	[esp+6Ch+var_5C]
		call	PsInsertPermanentSiloContextEx
		mov	esi, eax
		test	esi, esi
		js	short loc_A3CDAC
		mov	eax, [esp+68h+var_2C]
		test	al, 2
		jz	short loc_A3CDAC
		test	al, 4
		jz	short loc_A3CD95
		xor	eax, eax
		mov	[esp+68h+var_44], 18h
		mov	[esp+68h+var_40], eax
		mov	[esp+68h+var_34], eax
		mov	[esp+68h+var_30], eax
		lea	eax, [esp+68h+var_44]
		push	eax
		push	3
		lea	eax, [esp+70h+var_54]
		mov	[esp+70h+var_38], 200h
		push	eax
		mov	[esp+74h+var_3C], (offset loc_A40194+4)
		call	_ZwOpenDirectoryObject@12 ; ZwOpenDirectoryObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A3CDAC

loc_A3CD95:				; CODE XREF: ObCreateSiloRootDirectory(x,x)+210j
		push	[esp+68h+var_54]
		mov	edx, [esp+6Ch+var_58]
		mov	ecx, ebx
		call	ObpInitializeRootNamespace
		mov	esi, eax
		jmp	short loc_A3CDAC
; 

loc_A3CDA8:				; CODE XREF: ObCreateSiloRootDirectory(x,x)+1BEj
		mov	edi, [esp+68h+var_48]

loc_A3CDAC:				; CODE XREF: ObCreateSiloRootDirectory(x,x)+C1j
					; ObCreateSiloRootDirectory(x,x)+D4j ...
		cmp	[esp+68h+var_54], 0
		jz	short loc_A3CDBC
		push	[esp+68h+var_54]
		call	_ZwClose@4	; ZwClose(x)

loc_A3CDBC:				; CODE XREF: ObCreateSiloRootDirectory(x,x)+26Bj
		cmp	[esp+68h+var_50], 0
		jz	short loc_A3CDCC
		push	[esp+68h+var_50]
		call	_ZwClose@4	; ZwClose(x)

loc_A3CDCC:				; CODE XREF: ObCreateSiloRootDirectory(x,x)+27Bj
		cmp	[esp+68h+var_58], 0
		jz	short loc_A3CDDC
		push	[esp+68h+var_58]
		call	_ZwClose@4	; ZwClose(x)

loc_A3CDDC:				; CODE XREF: ObCreateSiloRootDirectory(x,x)+28Bj
		mov	eax, [esp+68h+var_5C]
		test	eax, eax
		jz	short loc_A3CDEB
		mov	ecx, eax
		call	ObfDereferenceObject

loc_A3CDEB:				; CODE XREF: ObCreateSiloRootDirectory(x,x)+29Cj
		cmp	[esp+68h+var_4C], 0
		jz	short loc_A3CDFB
		push	[esp+68h+var_4C]
		call	_ZwClose@4	; ZwClose(x)

loc_A3CDFB:				; CODE XREF: ObCreateSiloRootDirectory(x,x)+2AAj
		test	edi, edi
		jz	short loc_A3CE05
		push	edi
		call	_PsDereferenceSiloContext@4 ; PsDereferenceSiloContext(x)

loc_A3CE05:				; CODE XREF: ObCreateSiloRootDirectory(x,x)+2B7j
		push	[esp+68h+var_20]
		call	_PsDetachSiloFromCurrentThread@4 ; PsDetachSiloFromCurrentThread(x)
		mov	eax, esi
		jmp	short loc_A3CE17
; 

loc_A3CE12:				; CODE XREF: ObCreateSiloRootDirectory(x,x)+4Aj
					; ObCreateSiloRootDirectory(x,x)+56j ...
		mov	eax, 0C000000Dh

loc_A3CE17:				; CODE XREF: ObCreateSiloRootDirectory(x,x)+81j
					; ObCreateSiloRootDirectory(x,x)+2CAj
		mov	ecx, [esp+68h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_ObCreateSiloRootDirectory@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObGetSiloRootDirectoryPath(x, x)
_ObGetSiloRootDirectoryPath@8 proc near	; CODE XREF: PAGE:008D29E3p
					; PspConvertSiloToServerSilo(x,x,x,x)+A0p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	2
		pop	eax
		push	4
		mov	word ptr [ebp+var_2C], ax
		mov	edi, ecx
		pop	eax
		mov	word ptr [ebp+var_2C+2], ax
		mov	esi, edx
		lea	eax, [ebp+var_30]
		mov	[ebp+var_28], offset ??_C@_13FPGAJAPJ@?$AA?2@NNGAKEGL@
		push	eax
		push	ds:_PsObjectDirectorySiloContextSlot
		push	edi
		call	PsGetPermanentSiloContext
		test	eax, eax
		js	loc_A3CF26
		push	ebx
		test	edi, edi
		jnz	short loc_A3CE77
		xor	ebx, ebx
		jmp	short loc_A3CE84
; 

loc_A3CE77:				; CODE XREF: ObGetSiloRootDirectoryPath(x,x)+48j
		mov	ecx, [edi+244h]
		call	_PspGetJobSilo@4 ; PspGetJobSilo(x)
		mov	ebx, eax

loc_A3CE84:				; CODE XREF: ObGetSiloRootDirectoryPath(x,x)+4Cj
		call	_PsGetCurrentSilo@0 ; PsGetCurrentSilo()
		cmp	eax, ebx
		jz	short loc_A3CE97
		mov	eax, 0C0000719h
		jmp	loc_A3CF25
; 

loc_A3CE97:				; CODE XREF: ObGetSiloRootDirectoryPath(x,x)+62j
		xor	ebx, ebx
		mov	[ebp+var_24], ebx
		push	16h
		pop	eax
		mov	word ptr [ebp+var_24+2], ax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_20], eax
		mov	eax, ebx
		test	edi, edi
		jz	short loc_A3CEB5
		mov	eax, [edi+2D4h]

loc_A3CEB5:				; CODE XREF: ObGetSiloRootDirectoryPath(x,x)+84j
		lea	ecx, [ebp+var_24]
		push	ecx
		push	0Ah
		push	eax
		call	_RtlIntegerToUnicodeString@12 ;	RtlIntegerToUnicodeString(x,x,x)
		test	eax, eax
		js	short loc_A3CF25
		movzx	edi, word ptr [ebp+var_24]
		add	edi, 0Eh
		cmp	[esi+4], ebx
		jz	short loc_A3CEE0
		movzx	eax, word ptr [esi+2]
		cmp	eax, edi
		jnb	short loc_A3CF04
		mov	eax, 0C0000023h
		jmp	short loc_A3CF25
; 

loc_A3CEE0:				; CODE XREF: ObGetSiloRootDirectoryPath(x,x)+A6j
		push	6D4E624Fh
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+4], eax
		test	eax, eax
		jnz	short loc_A3CEFB
		mov	eax, 0C000009Ah
		jmp	short loc_A3CF25
; 

loc_A3CEFB:				; CODE XREF: ObGetSiloRootDirectoryPath(x,x)+C9j
		xor	eax, eax
		mov	[esi+2], di
		mov	[esi], ax

loc_A3CF04:				; CODE XREF: ObGetSiloRootDirectoryPath(x,x)+AEj
		push	offset _ObpSilosDirectoryName
		push	esi
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		lea	eax, [ebp+var_2C]
		push	eax
		push	esi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		xor	eax, eax

loc_A3CF25:				; CODE XREF: ObGetSiloRootDirectoryPath(x,x)+69j
					; ObGetSiloRootDirectoryPath(x,x)+9Aj ...
		pop	ebx

loc_A3CF26:				; CODE XREF: ObGetSiloRootDirectoryPath(x,x)+3Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_ObGetSiloRootDirectoryPath@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpDirectoryTeardownCallback(x)
_ObpDirectoryTeardownCallback@4	proc near ; DATA XREF: ObCreateSiloRootDirectory(x,x)+1ABo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	dword ptr [esi]
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)
		mov	ecx, [esi]
		mov	edx, 7254624Fh
		call	ObfDereferenceObjectWithTag
		pop	esi
		pop	ebp
		retn	4
_ObpDirectoryTeardownCallback@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ObpGetSilosRootDirectory(x)
_ObpGetSilosRootDirectory@4 proc near	; CODE XREF: ObCreateSiloRootDirectory(x,x)+CBp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, ecx
		lea	edi, [ebp+var_2C]
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_14]
		stosd
		push	1
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		js	loc_A3D071
		push	_SeWorldSid
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	_SeLocalSystemSid
		mov	esi, eax
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		add	eax, 20h
		push	6C636144h
		add	esi, eax
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A3CFC1
		mov	eax, 0C000009Ah
		jmp	loc_A3D071
; 

loc_A3CFC1:				; CODE XREF: ObpGetSilosRootDirectory(x)+60j
		push	2		; int
		push	esi		; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A3D064
		push	0
		push	_SeWorldSid
		mov	ecx, edi
		push	20003h
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	short loc_A3D064
		push	0
		push	_SeLocalSystemSid
		mov	ecx, edi
		push	0F000Fh
		push	0
		push	2
		pop	edx
		call	RtlpAddKnownAce
		mov	esi, eax
		test	esi, esi
		js	short loc_A3D064
		push	0
		push	edi
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_A3D064
		and	[ebp+var_28], 0
		lea	eax, [ebp+var_14]
		and	[ebp+var_18], 0
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	0F000Fh
		push	ebx
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_20], 0D0h
		mov	[ebp+var_24], offset _ObpSilosDirectoryName
		call	_ZwCreateDirectoryObject@12 ; ZwCreateDirectoryObject(x,x,x)
		lea	esi, [eax-40000000h]
		neg	esi
		sbb	esi, esi
		and	esi, eax

loc_A3D064:				; CODE XREF: ObpGetSilosRootDirectory(x)+79j
					; ObpGetSilosRootDirectory(x)+9Cj ...
		push	6C636144h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_A3D071:				; CODE XREF: ObpGetSilosRootDirectory(x)+2Cj
					; ObpGetSilosRootDirectory(x)+67j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ObpGetSilosRootDirectory@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlParseLeapSecondData(x, x, x, x)
_RtlParseLeapSecondData@16 proc	near	; CODE XREF: ExpParseAndUpdateLeapSecondData+11861Ap

var_38		= dword	ptr -38h
var_34		= word ptr -34h
var_32		= word ptr -32h
var_30		= word ptr -30h
var_2E		= word ptr -2Eh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	eax, edx
		mov	[ebp+var_20], eax
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[edi+4], esi
		test	eax, eax
		jz	loc_A3D1D7
		mov	eax, [ebp+arg_0]
		lea	edx, [ecx+4]
		sub	eax, edi
		mov	[ebp+var_4], edx
		lea	ebx, [edi+8]
		mov	[ebp+var_18], eax

loc_A3D0B9:				; CODE XREF: RtlParseLeapSecondData(x,x,x,x)+14Dj
		mov	ax, [edx-4]
		mov	word ptr [ebp+var_38], ax
		mov	ax, [edx-2]
		mov	word ptr [ebp+var_38+2], ax
		mov	ax, [edx]
		push	3Bh
		pop	ecx
		mov	[ebp+var_34], ax
		mov	ax, [edx+2]
		lea	edx, [ebp+var_28]
		mov	[ebp+var_30], cx
		mov	[ebp+var_2E], cx
		lea	ecx, [ebp+var_38]
		mov	[ebp+var_2C], esi
		mov	[ebp+var_32], ax
		call	_RtlpTimeFieldsToTimeNoLeapSeconds@8 ; RtlpTimeFieldsToTimeNoLeapSeconds(x,x)
		test	al, al
		jz	loc_A3D1D4
		mov	eax, [ebp+var_14]
		cmp	[ebp+var_24], eax
		jl	loc_A3D1D0
		jg	short loc_A3D113
		mov	eax, [ebp+var_10]
		cmp	[ebp+var_28], eax
		jbe	loc_A3D1D0

loc_A3D113:				; CODE XREF: RtlParseLeapSecondData(x,x,x,x)+8Fj
		mov	eax, [ebp+var_28]
		mov	ecx, 989680h
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_24]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_C]
		imul	ecx
		lea	ecx, [ebp+var_28]
		push	edx
		push	eax
		push	[ebp+var_24]
		push	[ebp+var_28]
		call	_RtlLongLongAdd@20 ; RtlLongLongAdd(x,x,x,x,x)
		test	eax, eax
		js	loc_A3D1CC
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_28]
		lea	eax, [edx+4]
		test	byte ptr [eax],	1
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_24]
		jz	short loc_A3D160
		or	eax, 80000000h
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], eax

loc_A3D160:				; CODE XREF: RtlParseLeapSecondData(x,x,x,x)+DDj
		mov	edi, [ebp+arg_4]
		cmp	[ebp+arg_0], esi
		jz	short loc_A3D190
		mov	edx, [ebp+arg_0]
		mov	edi, [ebp+var_8]
		cmp	edi, [edx+4]
		mov	edi, [ebp+arg_4]
		mov	edx, [ebp+var_4]
		jnb	short loc_A3D190
		mov	edi, [ebp+var_18]
		cmp	ecx, [edi+ebx]
		mov	edi, [ebp+arg_4]
		jnz	short loc_A3D1C8
		mov	edx, [ebp+var_18]
		cmp	eax, [edx+ebx+4]
		mov	edx, [ebp+var_4]
		jnz	short loc_A3D1C8

loc_A3D190:				; CODE XREF: RtlParseLeapSecondData(x,x,x,x)+F0j
					; RtlParseLeapSecondData(x,x,x,x)+101j
		mov	[ebx+4], eax
		add	edx, 0Ch
		mov	eax, [ebp+var_1C]
		mov	[ebx], ecx
		add	ebx, 8
		inc	dword ptr [edi+4]
		mov	edi, [ebp+var_C]
		movzx	eax, word ptr [eax]
		mov	ecx, [ebp+var_8]
		not	ax
		and	eax, 1
		mov	[ebp+var_4], edx
		inc	ecx
		mov	[ebp+var_8], ecx
		lea	edi, [edi+eax*2]
		dec	edi
		mov	[ebp+var_C], edi
		cmp	ecx, [ebp+var_20]
		jnb	short loc_A3D1D7
		jmp	loc_A3D0B9
; 

loc_A3D1C8:				; CODE XREF: RtlParseLeapSecondData(x,x,x,x)+10Cj
					; RtlParseLeapSecondData(x,x,x,x)+118j
		push	6
		jmp	short loc_A3D1D6
; 

loc_A3D1CC:				; CODE XREF: RtlParseLeapSecondData(x,x,x,x)+C5j
		push	7
		jmp	short loc_A3D1D6
; 

loc_A3D1D0:				; CODE XREF: RtlParseLeapSecondData(x,x,x,x)+89j
					; RtlParseLeapSecondData(x,x,x,x)+97j
		push	5
		jmp	short loc_A3D1D6
; 

loc_A3D1D4:				; CODE XREF: RtlParseLeapSecondData(x,x,x,x)+7Dj
		push	4

loc_A3D1D6:				; CODE XREF: RtlParseLeapSecondData(x,x,x,x)+154j
					; RtlParseLeapSecondData(x,x,x,x)+158j	...
		pop	esi

loc_A3D1D7:				; CODE XREF: RtlParseLeapSecondData(x,x,x,x)+2Cj
					; RtlParseLeapSecondData(x,x,x,x)+14Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlParseLeapSecondData@16 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpIsALicensedLIPLanguage(x, x)
_RtlpIsALicensedLIPLanguage@8 proc near	; CODE XREF: RtlpMuiRegAddLanguageByName:loc_893B8Fp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jnz	short loc_A3D1F3
		mov	eax, 0C000000Dh
		jmp	short loc_A3D226
; 

loc_A3D1F3:				; CODE XREF: RtlpIsALicensedLIPLanguage(x,x)+Aj
		mov	ecx, [esi+50h]	; wchar_t *
		test	ecx, ecx
		jz	short loc_A3D20A
		call	RtlpLangNameInMultiSzString
		test	al, al
		jz	short loc_A3D20A
		mov	eax, 0C0000034h
		jmp	short loc_A3D226
; 

loc_A3D20A:				; CODE XREF: RtlpIsALicensedLIPLanguage(x,x)+18j
					; RtlpIsALicensedLIPLanguage(x,x)+21j
		mov	ecx, [esi+5Ch]	; wchar_t *
		xor	eax, eax
		test	ecx, ecx
		jz	short loc_A3D226
		mov	edx, edi	; wchar_t *
		call	RtlpLangNameInMultiSzString
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 0C0000034h

loc_A3D226:				; CODE XREF: RtlpIsALicensedLIPLanguage(x,x)+11j
					; RtlpIsALicensedLIPLanguage(x,x)+28j ...
		pop	edi
		pop	esi
		retn
_RtlpIsALicensedLIPLanguage@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpLoadPolicyLanguageSpec(x, x, x,	x)
_RtlpLoadPolicyLanguageSpec@16 proc near ; CODE	XREF: RtlpLoadLanguageConfigList+98105p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_C], 0
		mov	eax, edx
		and	[ebp+var_20], 0
		and	[ebp+var_1C], 0
		or	[ebp+var_18], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], eax
		and	[ebp+var_10], edi
		mov	esi, ecx
		test	eax, eax
		jz	loc_A3D380
		test	esi, esi
		jz	loc_A3D380
		and	[ebp+var_4], edi
		lea	eax, [ebp+var_20]
		xor	ebx, ebx
		push	offset ??_C@_1CK@CDBMDBEP@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe?$AAd?$AAU?$AAI?$AAL?$AAa?$AAn?$AAg@NNGAKEGL@
		inc	ebx
		push	eax
		mov	[ebp+var_8], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ecx		; int
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax		; int
		push	edi		; void *
		lea	eax, [ebp+var_8]
		push	eax		; int
		lea	edx, [ebp+var_20]
		call	LdrpQueryValueKey
		cmp	[ebp+var_4], edi
		jz	loc_A3D379
		cmp	eax, 0C0000034h
		jz	loc_A3D379
		push	72746C6Dh
		push	[ebp+var_4]
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A3D2C5
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		test	edi, edi
		jnz	short loc_A3D2CF

loc_A3D2C5:				; CODE XREF: RtlpLoadPolicyLanguageSpec(x,x,x,x)+88j
		mov	esi, 0C0000017h
		jmp	loc_A3D385
; 

loc_A3D2CF:				; CODE XREF: RtlpLoadPolicyLanguageSpec(x,x,x,x)+9Aj
		push	ecx		; int
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax		; int
		push	edi		; void *
		lea	eax, [ebp+var_8]
		push	eax		; int
		lea	edx, [ebp+var_20]
		call	LdrpQueryValueKey
		mov	esi, eax
		test	esi, esi
		js	loc_A3D385
		cmp	[ebp+var_8], ebx
		jz	short loc_A3D2FC

loc_A3D2F2:				; CODE XREF: RtlpLoadPolicyLanguageSpec(x,x,x,x)+ECj
		mov	esi, 0C0000001h
		jmp	loc_A3D385
; 

loc_A3D2FC:				; CODE XREF: RtlpLoadPolicyLanguageSpec(x,x,x,x)+C7j
		push	edi
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jz	short loc_A3D2F2
		mov	eax, [ebp+var_C]
		cmp	eax, 1000h
		jz	short loc_A3D32D
		cmp	eax, 1400h
		jz	short loc_A3D32D
		movzx	eax, ax
		jmp	short loc_A3D34A
; 

loc_A3D32D:				; CODE XREF: RtlpLoadPolicyLanguageSpec(x,x,x,x)+F6j
					; RtlpLoadPolicyLanguageSpec(x,x,x,x)+FDj
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_14]
		push	eax
		push	0
		call	RtlpMuiRegGetOrAddString
		mov	esi, eax
		test	esi, esi
		js	short loc_A3D385
		mov	eax, [ebp+var_10]
		push	3
		pop	ebx

loc_A3D34A:				; CODE XREF: RtlpLoadPolicyLanguageSpec(x,x,x,x)+102j
		lea	ecx, [ebp+var_18]
		mov	edx, ebx
		push	ecx
		mov	ecx, [ebp+var_14]
		push	eax
		call	_RtlpMuiRegGetInstalledLanguageIndex@16	; RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A3D385
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A3D369
		mov	byte ptr [eax],	2

loc_A3D369:				; CODE XREF: RtlpLoadPolicyLanguageSpec(x,x,x,x)+13Bj
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_A3D385
		mov	ax, word ptr [ebp+var_18]
		mov	[ecx], ax
		jmp	short loc_A3D385
; 

loc_A3D379:				; CODE XREF: RtlpLoadPolicyLanguageSpec(x,x,x,x)+65j
					; RtlpLoadPolicyLanguageSpec(x,x,x,x)+70j
		mov	esi, 0C0000001h
		jmp	short loc_A3D391
; 

loc_A3D380:				; CODE XREF: RtlpLoadPolicyLanguageSpec(x,x,x,x)+29j
					; RtlpLoadPolicyLanguageSpec(x,x,x,x)+31j
		mov	esi, 0C000000Dh

loc_A3D385:				; CODE XREF: RtlpLoadPolicyLanguageSpec(x,x,x,x)+A1j
					; RtlpLoadPolicyLanguageSpec(x,x,x,x)+BEj ...
		test	edi, edi
		jz	short loc_A3D391
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3D391:				; CODE XREF: RtlpLoadPolicyLanguageSpec(x,x,x,x)+155j
					; RtlpLoadPolicyLanguageSpec(x,x,x,x)+15Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlpLoadPolicyLanguageSpec@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegConfigListAddLanguage(x, x, x)
_RtlpMuiRegConfigListAddLanguage@12 proc near
					; CODE XREF: RtlpPopulateLanguageConfigList+98559p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= word ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_10], edx
		xor	ebx, ebx
		push	edi
		test	esi, esi
		jz	loc_A3D4B4
		mov	ecx, [esi]
		test	ecx, ecx
		jz	loc_A3D4B4
		test	edx, edx
		jz	loc_A3D4B4
		movzx	eax, word ptr [edx+2]
		movzx	edi, word ptr [edx]
		mov	[ebp+var_20], eax
		shr	ax, 0Eh
		mov	[ebp+var_2], ax
		mov	[ebp+var_18], edi
		test	al, al
		jz	loc_A3D4B4
		movzx	eax, word ptr [ecx+4]
		movzx	edi, ax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_14], eax
		mov	[ebp+var_1C], edi
		test	edi, edi
		jz	short loc_A3D436
		mov	eax, [ecx+8]
		mov	di, [ebp+var_2]
		mov	[ebp+var_8], eax

loc_A3D401:				; CODE XREF: RtlpMuiRegConfigListAddLanguage(x,x,x)+97j
		movzx	eax, word ptr [eax+2]
		mov	[ebp-4], eax
		shr	ax, 0Eh
		cmp	ax, di
		mov	eax, [ebp+var_8]
		jnz	short loc_A3D41F
		mov	edx, [ebp+var_18]
		cmp	[eax], dx
		mov	edx, [ebp+var_10]
		jz	short loc_A3D44E

loc_A3D41F:				; CODE XREF: RtlpMuiRegConfigListAddLanguage(x,x,x)+78j
		inc	[ebp+var_C]
		add	eax, 0Ch
		mov	edx, [ebp+var_1C]
		cmp	[ebp+var_C], edx
		mov	edx, [ebp+var_10]
		mov	[ebp+var_8], eax
		jl	short loc_A3D401

loc_A3D433:				; CODE XREF: RtlpMuiRegConfigListAddLanguage(x,x,x)+B7j
		mov	eax, [ebp+var_14]

loc_A3D436:				; CODE XREF: RtlpMuiRegConfigListAddLanguage(x,x,x)+5Bj
		cmp	ax, [ecx+6]
		jb	short loc_A3D49F
		call	_RtlpMuiRegGrowLanguageConfigList@8 ; RtlpMuiRegGrowLanguageConfigList(x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_A3D49A
		mov	ebx, 0C0000017h
		jmp	short loc_A3D4B9
; 

loc_A3D44E:				; CODE XREF: RtlpMuiRegConfigListAddLanguage(x,x,x)+83j
		cmp	[ebp+var_C], ebx
		jl	short loc_A3D433
		mov	ecx, [ebp+var_20]
		lea	esi, [edx+6]
		movzx	ecx, cx
		sub	eax, edx
		mov	edi, ebx
		mov	[ebp+var_20], ecx
		mov	[ebp+var_8], eax

loc_A3D466:				; CODE XREF: RtlpMuiRegConfigListAddLanguage(x,x,x)+F5j
		mov	edx, [ebp-4]
		lea	eax, [edi+edi]
		xor	edx, ecx
		mov	cx, ax
		shr	dx, cl
		test	dl, 3
		jnz	short loc_A3D493
		mov	eax, [ebp+var_8]
		mov	ax, [eax+esi]
		cmp	ax, [esi]
		jnz	short loc_A3D493
		mov	ecx, [ebp+var_20]
		inc	edi
		add	esi, 2
		cmp	edi, 3
		jl	short loc_A3D466
		jmp	short loc_A3D4B9
; 

loc_A3D493:				; CODE XREF: RtlpMuiRegConfigListAddLanguage(x,x,x)+DDj
					; RtlpMuiRegConfigListAddLanguage(x,x,x)+E9j
		mov	ebx, 40000000h
		jmp	short loc_A3D4B9
; 

loc_A3D49A:				; CODE XREF: RtlpMuiRegConfigListAddLanguage(x,x,x)+ABj
		mov	edx, [ebp+var_10]
		mov	[esi], ecx

loc_A3D49F:				; CODE XREF: RtlpMuiRegConfigListAddLanguage(x,x,x)+A0j
		movzx	eax, word ptr [ecx+4]
		mov	esi, edx
		imul	edi, eax, 0Ch
		add	edi, [ecx+8]
		movsd
		movsd
		movsd
		inc	word ptr [ecx+4]
		jmp	short loc_A3D4B9
; 

loc_A3D4B4:				; CODE XREF: RtlpMuiRegConfigListAddLanguage(x,x,x)+14j
					; RtlpMuiRegConfigListAddLanguage(x,x,x)+1Ej ...
		mov	ebx, 0C000000Dh

loc_A3D4B9:				; CODE XREF: RtlpMuiRegConfigListAddLanguage(x,x,x)+B2j
					; RtlpMuiRegConfigListAddLanguage(x,x,x)+F7j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
_RtlpMuiRegConfigListAddLanguage@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegConfigMatchesInstalled(x,	x, x, x, x, x, x)
_RtlpMuiRegConfigMatchesInstalled@28 proc near
					; CODE XREF: RtlpMuiRegValidateConfigNode(x,x)+BEp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		xor	eax, eax
		mov	[ebp+var_8], edx
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_10], eax
		mov	ecx, [ebp+arg_4]
		mov	esi, eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_4], esi
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], eax
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	dl, cl
		jnz	short loc_A3D501
		cmp	di, word ptr [ebp+arg_8]
		setz	bl
		jmp	short loc_A3D568
; 

loc_A3D501:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+34j
		test	dl, dl
		jz	loc_A3D727
		test	cl, cl
		jz	loc_A3D727
		mov	esi, [ebp+arg_10]
		test	esi, esi
		jz	short loc_A3D51E
		or	eax, 0FFFFFFFFh
		mov	[esi], ax

loc_A3D51E:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+54j
		cmp	dl, 2
		jnz	loc_A3D5CF
		test	ebx, ebx
		jz	loc_A3D724
		test	di, di
		js	loc_A3D724
		mov	edx, [ebx+14h]
		movsx	esi, di
		movzx	eax, word ptr [edx+6]
		cmp	esi, eax
		jge	loc_A3D724
		push	[ebp+arg_8]
		imul	eax, esi, 1Ch
		push	ecx
		mov	ecx, ebx
		add	eax, [edx+0Ch]
		mov	edx, eax
		mov	[ebp+var_14], eax
		call	_RtlpMuiRegLangInfoMatchesSpec@16 ; RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)
		mov	bl, al

loc_A3D562:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+1E7j
					; RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+269j	...
		mov	edx, [ebp+var_8]

loc_A3D565:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+178j
		mov	eax, [ebp+var_C]

loc_A3D568:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+3Dj
					; RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+16Cj	...
		mov	esi, [ebp+arg_C]
		test	esi, esi
		jz	loc_A3D749
		test	bl, bl
		jz	loc_A3D746
		test	eax, eax
		jnz	short loc_A3D5C8
		mov	eax, [ebp+var_14]
		test	eax, eax
		jnz	short loc_A3D5C8
		and	[esi], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	edi
		mov	edi, [ebp+var_1C]
		mov	ecx, edi
		movzx	edx, dl
		call	_RtlpMuiRegGetInstalledLanguageIndex@16	; RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)
		test	eax, eax
		js	loc_A3D749
		mov	eax, [ebp+var_18]
		xor	ecx, ecx
		cmp	cx, ax
		jg	loc_A3D749
		mov	ecx, [edi+14h]
		movsx	edx, ax
		movzx	eax, word ptr [ecx+6]
		cmp	edx, eax
		jge	loc_A3D749
		imul	eax, edx, 1Ch
		add	eax, [ecx+0Ch]

loc_A3D5C8:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+BBj
					; RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+C2j
		mov	[esi], eax
		jmp	loc_A3D749
; 

loc_A3D5CF:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+5Fj
		cmp	cl, 2
		jnz	short loc_A3D63F
		test	ebx, ebx
		jz	loc_A3D724
		mov	eax, [ebp+arg_8]
		test	ax, ax
		js	loc_A3D724
		mov	ecx, [ebx+14h]
		cwde
		mov	[ebp+arg_4], eax
		movzx	eax, word ptr [ecx+6]
		cmp	[ebp+arg_4], eax
		jge	loc_A3D724
		imul	eax, [ebp+arg_4], 1Ch
		mov	edi, [ebp+arg_0]
		push	edi
		push	edx
		add	eax, [ecx+0Ch]
		mov	ecx, ebx
		mov	edx, eax
		mov	[ebp+var_C], eax
		call	_RtlpMuiRegLangInfoMatchesSpec@16 ; RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)
		mov	bl, al
		mov	eax, [ebp+var_C]
		test	bl, bl
		jz	loc_A3D73E
		test	eax, eax
		jz	loc_A3D73E
		mov	edx, [ebp+var_8]
		test	esi, esi
		jz	loc_A3D568
		mov	eax, [ebp+arg_8]
		mov	[esi], ax
		jmp	loc_A3D565
; 

loc_A3D63F:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+110j
		cmp	dl, 1
		jnz	short loc_A3D6AE
		cmp	cl, 3
		jnz	loc_A3D724
		mov	edx, [ebx+18h]
		test	edx, edx
		jz	short loc_A3D676
		mov	eax, [ebp+arg_8]
		test	ax, ax
		js	short loc_A3D676
		movsx	ecx, ax
		movzx	eax, word ptr [edx+6]
		cmp	ecx, eax
		jge	short loc_A3D676
		mov	eax, [edx+0Ch]
		movsx	ecx, word ptr [eax+ecx*2]
		mov	eax, [edx+10h]
		lea	eax, [eax+ecx*2]
		jmp	short loc_A3D678
; 

loc_A3D676:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+190j
					; RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+198j	...
		xor	eax, eax

loc_A3D678:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+1B2j
		test	eax, eax
		jz	loc_A3D724
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jz	loc_A3D724
		mov	edi, [ebp+arg_0]
		cmp	di, word ptr [ebp+var_10]
		setz	bl
		jmp	loc_A3D562
; 

loc_A3D6AE:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+180j
		cmp	dl, 3
		jnz	short loc_A3D724
		cmp	cl, 1
		jnz	short loc_A3D724
		push	55h
		pop	edx
		call	_MuiRegAllocArray
		mov	esi, eax
		test	esi, esi
		jz	short loc_A3D727
		lea	eax, [ebp+var_24]
		mov	[ebp+var_20], esi
		push	eax
		movsx	eax, word ptr [ebp+arg_8]
		push	eax
		mov	[ebp+var_24], offset unk_AA0000
		call	_RtlLCIDToCultureName@8	; RtlLCIDToCultureName(x,x)
		test	al, al
		jz	short loc_A3D727
		mov	edx, [ebx+18h]
		mov	edi, [ebp+arg_0]
		test	edx, edx
		jz	short loc_A3D70B
		test	di, di
		js	short loc_A3D70B
		movzx	eax, word ptr [edx+6]
		movsx	ecx, di
		cmp	ecx, eax
		jge	short loc_A3D70B
		mov	eax, [edx+0Ch]
		movsx	ecx, word ptr [eax+ecx*2]
		mov	eax, [edx+10h]
		lea	eax, [eax+ecx*2]
		jmp	short loc_A3D70D
; 

loc_A3D70B:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+228j
					; RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+22Dj	...
		xor	eax, eax

loc_A3D70D:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+247j
		test	eax, eax
		jz	short loc_A3D727
		push	eax		; wchar_t *
		push	[ebp+var_20]	; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A3D727
		mov	bl, 1
		jmp	short loc_A3D729
; 

loc_A3D724:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+67j
					; RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+70j ...
		mov	esi, [ebp+var_4]

loc_A3D727:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+41j
					; RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+49j ...
		xor	bl, bl

loc_A3D729:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+260j
		test	esi, esi
		jz	loc_A3D562
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_A3D562
; 

loc_A3D73E:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+159j
					; RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+161j
		mov	edx, [ebp+var_8]
		jmp	loc_A3D568
; 

loc_A3D746:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+B3j
		and	dword ptr [esi], 0

loc_A3D749:				; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+ABj
					; RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+DAj ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	14h
_RtlpMuiRegConfigMatchesInstalled@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegGetInstalledLangInfoIndex(x, x, x, x)
_RtlpMuiRegGetInstalledLangInfoIndex@16	proc near
					; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+13Dp
					; _RtlpMuiRegValidatePartialLanguage(x,x)+7Ep

var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		test	esi, esi
		jz	loc_A3D869
		test	edx, edx
		jz	loc_A3D869
		cmp	edx, 1
		jnz	short loc_A3D7CE
		mov	ax, [ebp+arg_0]
		test	ax, ax
		jz	loc_A3D869
		movzx	edi, word ptr [esi+6]
		xor	ecx, ecx
		test	edi, edi
		jz	short loc_A3D7C4
		mov	edx, [esi+0Ch]
		mov	esi, 1020h
		cwde
		push	20h
		mov	dword ptr [ebp+arg_0], edx
		mov	edx, ecx
		mov	[ebp+var_4], eax
		pop	ebx

loc_A3D79D:				; CODE XREF: RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+70j
		mov	eax, dword ptr [ebp+arg_0]
		imul	edx, 1Ch
		movzx	eax, word ptr [edx+eax+4]
		cmp	eax, [ebp+var_4]
		jnz	short loc_A3D7BC
		mov	eax, dword ptr [ebp+arg_0]
		mov	ax, [edx+eax]
		and	ax, si
		cmp	ax, bx
		jz	short loc_A3D81A

loc_A3D7BC:				; CODE XREF: RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+59j
		inc	ecx
		movsx	edx, cx
		cmp	edx, edi
		jl	short loc_A3D79D

loc_A3D7C4:				; CODE XREF: RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+35j
					; RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+96j ...
		mov	eax, 0C0000001h
		jmp	loc_A3D86E
; 

loc_A3D7CE:				; CODE XREF: RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+1Ej
		cmp	edx, 3
		jnz	short loc_A3D826
		mov	dx, [ebp+arg_0]
		test	dx, dx
		js	loc_A3D869
		movzx	edi, word ptr [esi+6]
		xor	ecx, ecx
		test	edi, edi
		jz	short loc_A3D7C4
		mov	esi, [esi+0Ch]
		mov	eax, ecx
		push	20h
		mov	dword ptr [ebp+arg_0], 1020h
		pop	ebx

loc_A3D7F9:				; CODE XREF: RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+C4j
		imul	eax, 1Ch
		cmp	[eax+esi+6], dx
		jnz	short loc_A3D810
		mov	ax, [eax+esi]
		and	ax, [ebp+arg_0]
		cmp	ax, bx
		jz	short loc_A3D81A

loc_A3D810:				; CODE XREF: RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+AFj
		inc	ecx
		movsx	eax, cx
		cmp	eax, edi
		jl	short loc_A3D7F9
		jmp	short loc_A3D7C4
; 

loc_A3D81A:				; CODE XREF: RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+68j
					; RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+BCj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_A3D865
		mov	[eax], cx
		jmp	short loc_A3D865
; 

loc_A3D826:				; CODE XREF: RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+7Fj
		cmp	edx, 2
		jnz	short loc_A3D7C4
		mov	dx, [ebp+arg_0]
		test	dx, dx
		js	short loc_A3D869
		movzx	eax, word ptr [esi+6]
		movsx	ecx, dx
		cmp	ecx, eax
		jge	short loc_A3D869
		mov	eax, [esi+0Ch]
		imul	ecx, 1Ch
		mov	ax, [ecx+eax]
		mov	ecx, 1020h
		and	ax, cx
		cmp	ax, 20h
		jnz	loc_A3D7C4
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_A3D865
		mov	[eax], dx

loc_A3D865:				; CODE XREF: RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+CDj
					; RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+D2j ...
		xor	eax, eax
		jmp	short loc_A3D86E
; 

loc_A3D869:				; CODE XREF: RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+Dj
					; RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+15j ...
		mov	eax, 0C000000Dh

loc_A3D86E:				; CODE XREF: RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+77j
					; RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)+115j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlpMuiRegGetInstalledLangInfoIndex@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegGetInstalledLanguageIndex(x, x, x, x)
_RtlpMuiRegGetInstalledLanguageIndex@16	proc near
					; CODE XREF: RtlpMuiRegValidateConfigNode(x,x)+29p
					; RtlpLoadPolicyLanguageSpec(x,x,x,x)+12Bp ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	byte ptr [ebp+var_8], 1
		push	edi
		mov	edi, ecx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	eax, edx
		mov	[ebp+var_4], ebx
		test	edi, edi
		jnz	short loc_A3D8A1

loc_A3D897:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+F2j
					; RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+104j
		mov	ebx, 0C000000Dh
		jmp	loc_A3D98D
; 

loc_A3D8A1:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+20j
		mov	edx, [edi+14h]
		mov	esi, [ebp+arg_4]
		mov	[ebp+var_10], edx
		cmp	eax, 3
		jnz	loc_A3D948
		movzx	eax, word ptr [edx+6]
		mov	ecx, ebx
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_A3D8ED
		mov	edx, [edx+0Ch]

loc_A3D8C3:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+76j
		mov	ax, [edx]
		mov	[ebp+arg_4], 1020h
		and	ax, word ptr [ebp+arg_4]
		cmp	ax, 20h
		jnz	short loc_A3D8E4
		mov	eax, [ebp+arg_0]
		cmp	[edx+6], ax
		jnz	short loc_A3D8E4
		test	esi, esi
		jnz	short loc_A3D916

loc_A3D8E4:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+60j
					; RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+69j
		inc	ecx
		add	edx, 1Ch
		cmp	ecx, [ebp+var_C]
		jl	short loc_A3D8C3

loc_A3D8ED:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+49j
		mov	edx, [edi+18h]
		test	edx, edx
		jz	short loc_A3D91B
		mov	eax, [ebp+arg_0]
		test	ax, ax
		js	short loc_A3D91B
		movsx	ecx, ax
		movzx	eax, word ptr [edx+6]
		cmp	ecx, eax
		jge	short loc_A3D91B
		mov	eax, [edx+0Ch]
		movsx	ecx, word ptr [eax+ecx*2]
		mov	eax, [edx+10h]
		lea	eax, [eax+ecx*2]
		jmp	short loc_A3D91D
; 

loc_A3D916:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+6Dj
		mov	[esi], cx
		jmp	short loc_A3D98D
; 

loc_A3D91B:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+7Dj
					; RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+85j ...
		mov	eax, ebx

loc_A3D91D:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+9Fj
		test	eax, eax
		jz	short loc_A3D988
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jz	short loc_A3D988
		movzx	edx, word ptr [ebp+var_4]
		xor	eax, eax
		inc	eax
		mov	byte ptr [ebp+var_8], bl
		jmp	short loc_A3D94B
; 

loc_A3D948:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+38j
		mov	edx, [ebp+arg_0]

loc_A3D94B:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+D1j
		cmp	eax, 1
		jnz	short loc_A3D95F
		push	esi
		push	[ebp+var_8]
		mov	ecx, edi
		call	RtlpMuiRegGetInstalledLanguageIndexByLangId
		mov	ebx, eax
		jmp	short loc_A3D98D
; 

loc_A3D95F:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+D9j
		cmp	eax, 2
		jnz	short loc_A3D988
		test	dx, dx
		jle	loc_A3D897
		mov	eax, [ebp+var_10]
		movzx	ecx, word ptr [eax+6]
		movsx	eax, dx
		cmp	eax, ecx
		jge	loc_A3D897
		test	esi, esi
		jz	short loc_A3D98D
		mov	[esi], dx
		jmp	short loc_A3D98D
; 

loc_A3D988:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+AAj
					; RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+C5j ...
		mov	ebx, 0C0000034h

loc_A3D98D:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+27j
					; RtlpMuiRegGetInstalledLanguageIndex(x,x,x,x)+A4j ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_RtlpMuiRegGetInstalledLanguageIndex@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegGetInstalledLanguageIndexByName(x, x, x, x)
_RtlpMuiRegGetInstalledLanguageIndexByName@16 proc near
					; CODE XREF: _RtlpRemovePendingDeleteLanguages+87FCCp
					; RtlpMuiRegGetInstalledLanguageIndexByLangId+97F5Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_A3DA29
		test	edx, edx
		jz	short loc_A3DA29
		mov	esi, [ecx+14h]
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		call	RtlpMuiRegGetOrAddString
		test	eax, eax
		js	short loc_A3DA22
		movzx	edx, word ptr [esi+6]
		mov	ecx, ebx
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	short loc_A3DA22
		mov	edx, [esi+0Ch]
		mov	esi, [ebp+arg_4]
		mov	eax, [ebp+var_8]
		mov	edi, [ebp+var_4]

loc_A3D9DE:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByName(x,x,x,x)+7Fj
		cmp	[edx+6], di
		jnz	short loc_A3DA0F
		movzx	edi, word ptr [edx]
		mov	eax, edi
		and	eax, 1020h
		cmp	ax, 20h
		jnz	short loc_A3D9FF
		test	esi, esi
		jz	short loc_A3DA09
		mov	[esi], cx
		xor	eax, eax
		jmp	short loc_A3DA2E
; 

loc_A3D9FF:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByName(x,x,x,x)+5Cj
		test	edi, 1000h
		jz	short loc_A3DA09
		mov	bl, 1

loc_A3DA09:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByName(x,x,x,x)+60j
					; RtlpMuiRegGetInstalledLanguageIndexByName(x,x,x,x)+6Fj
		mov	eax, [ebp+var_8]
		mov	edi, [ebp+var_4]

loc_A3DA0F:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByName(x,x,x,x)+4Cj
		inc	ecx
		add	edx, 1Ch
		cmp	ecx, eax
		jl	short loc_A3D9DE
		test	bl, bl
		jz	short loc_A3DA22
		mov	eax, 0C00000BBh
		jmp	short loc_A3DA2E
; 

loc_A3DA22:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByName(x,x,x,x)+2Dj
					; RtlpMuiRegGetInstalledLanguageIndexByName(x,x,x,x)+3Aj ...
		mov	eax, 0C0000034h
		jmp	short loc_A3DA2E
; 

loc_A3DA29:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByName(x,x,x,x)+18j
					; RtlpMuiRegGetInstalledLanguageIndexByName(x,x,x,x)+1Cj
		mov	eax, 0C000000Dh

loc_A3DA2E:				; CODE XREF: RtlpMuiRegGetInstalledLanguageIndexByName(x,x,x,x)+67j
					; RtlpMuiRegGetInstalledLanguageIndexByName(x,x,x,x)+8Aj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlpMuiRegGetInstalledLanguageIndexByName@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegGetLanguageSpec(x, x, x, x, x)
_RtlpMuiRegGetLanguageSpec@20 proc near	; CODE XREF: RtlpPopulateLanguageConfigList+98371p
					; RtlpPopulateLanguageConfigList+98445p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_C], ecx
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], eax
		mov	esi, eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	bl, al
		push	edi
		lea	eax, [ebp+var_14]
		mov	[ebp+var_8], esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jz	short loc_A3DAAB
		mov	eax, [ebp+var_4]
		cmp	eax, 1000h
		jz	short loc_A3DA8A
		cmp	eax, 1400h
		jz	short loc_A3DA8A
		mov	bl, 1
		movzx	esi, ax
		jmp	short loc_A3DAA7
; 

loc_A3DA8A:				; CODE XREF: RtlpMuiRegGetLanguageSpec(x,x,x,x,x)+45j
					; RtlpMuiRegGetLanguageSpec(x,x,x,x,x)+4Cj
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		push	1
		mov	edx, edi
		call	RtlpMuiRegGetOrAddString
		test	eax, eax
		jns	short loc_A3DAA2
		xor	esi, esi
		jmp	short loc_A3DAB0
; 

loc_A3DAA2:				; CODE XREF: RtlpMuiRegGetLanguageSpec(x,x,x,x,x)+67j
		mov	esi, [ebp+var_8]
		mov	bl, 3

loc_A3DAA7:				; CODE XREF: RtlpMuiRegGetLanguageSpec(x,x,x,x,x)+53j
		xor	eax, eax
		jmp	short loc_A3DAB0
; 

loc_A3DAAB:				; CODE XREF: RtlpMuiRegGetLanguageSpec(x,x,x,x,x)+3Bj
		mov	eax, 0C000000Dh

loc_A3DAB0:				; CODE XREF: RtlpMuiRegGetLanguageSpec(x,x,x,x,x)+6Bj
					; RtlpMuiRegGetLanguageSpec(x,x,x,x,x)+74j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_A3DAB9
		mov	[ecx], bl

loc_A3DAB9:				; CODE XREF: RtlpMuiRegGetLanguageSpec(x,x,x,x,x)+80j
		mov	ecx, [ebp+arg_8]
		test	ecx, ecx
		jz	short loc_A3DAC3
		mov	[ecx], si

loc_A3DAC3:				; CODE XREF: RtlpMuiRegGetLanguageSpec(x,x,x,x,x)+89j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_RtlpMuiRegGetLanguageSpec@20 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpMuiRegGrowLanguageConfigList(x,	x)
_RtlpMuiRegGrowLanguageConfigList@8 proc near
					; CODE XREF: RtlpMuiRegConfigListAddLanguage(x,x,x)+A2p
		mov	edi, edi
		push	ecx
		test	ecx, ecx
		jz	short loc_A3DAE9
		movzx	edx, word ptr [ecx+4]
		movzx	eax, word ptr [ecx+6]
		inc	edx
		cmp	edx, eax
		jb	short loc_A3DAE5
		call	_RtlpMuiRegResizeLanguageConfigList@8 ;	RtlpMuiRegResizeLanguageConfigList(x,x)
		mov	ecx, eax

loc_A3DAE5:				; CODE XREF: RtlpMuiRegGrowLanguageConfigList(x,x)+12j
		mov	eax, ecx
		pop	ecx
		retn
; 

loc_A3DAE9:				; CODE XREF: RtlpMuiRegGrowLanguageConfigList(x,x)+5j
		xor	eax, eax
		pop	ecx
		retn
_RtlpMuiRegGrowLanguageConfigList@8 endp


;  S U B	R O U T	I N E 


; __stdcall RtlpMuiRegGrowLanguages(x, x)
_RtlpMuiRegGrowLanguages@8 proc	near	; CODE XREF: RtlpMuiRegGetOrAddLangInfo+850FFp
		mov	edi, edi
		push	ecx
		xor	eax, eax
		test	ecx, ecx
		jz	short loc_A3DB0E
		movzx	edx, word ptr [ecx+6]
		movzx	eax, word ptr [ecx+4]
		add	edx, 4
		cmp	edx, eax
		jnb	short loc_A3DB09
		mov	eax, ecx
		pop	ecx
		retn
; 

loc_A3DB09:				; CODE XREF: RtlpMuiRegGrowLanguages(x,x)+16j
		call	_RtlpMuiRegResizeLanguages@8 ; RtlpMuiRegResizeLanguages(x,x)

loc_A3DB0E:				; CODE XREF: RtlpMuiRegGrowLanguages(x,x)+7j
		pop	ecx
		retn
_RtlpMuiRegGrowLanguages@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegGrowStringPool(x,	x, x, x)
_RtlpMuiRegGrowStringPool@16 proc near	; CODE XREF: RtlpMuiRegGetOrAddString+97E45p

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_A3DB5F
		mov	edx, [ebp+arg_0]
		test	edx, edx
		jns	short loc_A3DB25
		push	10h
		pop	edx

loc_A3DB25:				; CODE XREF: RtlpMuiRegGrowStringPool(x,x,x,x)+10j
		movzx	eax, word ptr [ecx+0Ah]
		movzx	edi, word ptr [ecx+6]
		add	eax, edx
		movzx	edx, word ptr [ecx+4]
		inc	edi
		cmp	edi, edx
		jnb	short loc_A3DB3A
		mov	edi, edx

loc_A3DB3A:				; CODE XREF: RtlpMuiRegGrowStringPool(x,x,x,x)+26j
		movzx	esi, word ptr [ecx+8]
		cmp	eax, esi
		jge	short loc_A3DB44
		mov	eax, esi

loc_A3DB44:				; CODE XREF: RtlpMuiRegGrowStringPool(x,x,x,x)+30j
		cmp	[ebp+arg_4], 0
		jnz	short loc_A3DB52
		cmp	edi, edx
		jnz	short loc_A3DB52
		cmp	eax, esi
		jz	short loc_A3DB5F

loc_A3DB52:				; CODE XREF: RtlpMuiRegGrowStringPool(x,x,x,x)+38j
					; RtlpMuiRegGrowStringPool(x,x,x,x)+3Cj
		push	dword ptr [ebp+arg_4]
		mov	edx, edi
		push	eax
		call	_RtlpMuiRegResizeStringPool@16 ; RtlpMuiRegResizeStringPool(x,x,x,x)
		mov	ecx, eax

loc_A3DB5F:				; CODE XREF: RtlpMuiRegGrowStringPool(x,x,x,x)+9j
					; RtlpMuiRegGrowStringPool(x,x,x,x)+40j
		pop	edi
		mov	eax, ecx
		pop	esi
		pop	ebp
		retn	8
_RtlpMuiRegGrowStringPool@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegLangInfoMatchesSpec(x, x,	x, x)
_RtlpMuiRegLangInfoMatchesSpec@16 proc near
					; CODE XREF: RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+99p
					; RtlpMuiRegConfigMatchesInstalled(x,x,x,x,x,x,x)+14Dp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_3		= byte ptr  0Bh
arg_4		= word ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	al, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_4], ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ebx
		cmp	al, 1
		jnz	short loc_A3DC01
		movzx	eax, word ptr [esi+4]
		test	ax, ax
		jz	short loc_A3DBA4
		mov	ecx, eax
		movsx	eax, [ebp+arg_4]
		cmp	ecx, eax

loc_A3DB9C:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+98j
					; RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+1B2j
		setz	al
		jmp	loc_A3DCEF
; 

loc_A3DBA4:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+2Bj
		movzx	eax, word ptr [esi+6]
		test	ax, ax
		js	loc_A3DCED
		mov	edx, [ecx+18h]
		test	edx, edx
		jz	short loc_A3DBD0
		movsx	ecx, ax
		movzx	eax, word ptr [edx+6]
		cmp	ecx, eax
		jge	short loc_A3DBD0
		mov	eax, [edx+0Ch]
		movsx	ecx, word ptr [eax+ecx*2]
		mov	eax, [edx+10h]
		lea	ebx, [eax+ecx*2]

loc_A3DBD0:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+4Fj
					; RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+5Aj
		test	ebx, ebx
		jz	loc_A3DCED
		push	ebx
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jz	loc_A3DCED
		mov	ax, word ptr [ebp+var_4]
		cmp	ax, [ebp+arg_4]
		jmp	short loc_A3DB9C
; 

loc_A3DC01:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+22j
		cmp	al, 3
		jnz	loc_A3DCF6
		movzx	eax, word ptr [esi+6]
		test	ax, ax
		js	short loc_A3DC59
		mov	si, [ebp+arg_4]
		cmp	ax, si
		jnz	short loc_A3DC22
		mov	al, 1
		jmp	loc_A3DCEF
; 

loc_A3DC22:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+B2j
		mov	edx, [ecx+18h]
		test	edx, edx
		jz	short loc_A3DC43
		movsx	ecx, ax
		movzx	eax, word ptr [edx+6]
		cmp	ecx, eax
		jge	short loc_A3DC43
		mov	eax, [edx+0Ch]
		movsx	ecx, word ptr [eax+ecx*2]
		mov	eax, [edx+10h]
		lea	eax, [eax+ecx*2]
		jmp	short loc_A3DC45
; 

loc_A3DC43:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+C0j
					; RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+CBj
		mov	eax, ebx

loc_A3DC45:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+DAj
		test	eax, eax
		jz	loc_A3DCED
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	short loc_A3DC91
; 

loc_A3DC59:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+A9j
		cmp	[esi+4], bx
		jz	loc_A3DCED
		push	55h
		pop	edx
		call	_MuiRegAllocArray
		mov	edi, eax
		test	edi, edi
		jz	short loc_A3DCED
		movzx	ecx, word ptr [esi+4]
		lea	eax, [ebp+var_10]
		push	eax
		push	ecx
		mov	[ebp+var_C], edi
		mov	[ebp+var_10], offset unk_AA0000
		call	_RtlLCIDToCultureName@8	; RtlLCIDToCultureName(x,x)
		test	al, al
		jz	short loc_A3DCE6
		mov	si, [ebp+arg_4]

loc_A3DC91:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+F0j
		mov	edx, [ebp+var_8]
		mov	edx, [edx+18h]
		test	edx, edx
		jz	short loc_A3DCBA
		test	si, si
		js	short loc_A3DCBA
		movzx	eax, word ptr [edx+6]
		movsx	ecx, si
		cmp	ecx, eax
		jge	short loc_A3DCBA
		mov	eax, [edx+0Ch]
		movsx	ecx, word ptr [eax+ecx*2]
		mov	eax, [edx+10h]
		lea	eax, [eax+ecx*2]
		jmp	short loc_A3DCBC
; 

loc_A3DCBA:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+132j
					; RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+137j ...
		mov	eax, ebx

loc_A3DCBC:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+151j
		test	eax, eax
		jz	short loc_A3DCD3
		push	eax		; wchar_t *
		push	[ebp+var_C]	; wchar_t *
		call	__wcsicmp
		mov	[ebp+arg_3], 1
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A3DCD6

loc_A3DCD3:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+157j
		mov	[ebp+arg_3], bl

loc_A3DCD6:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+16Aj
		test	edi, edi
		jz	short loc_A3DCE1
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3DCE1:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+171j
		mov	al, [ebp+arg_3]
		jmp	short loc_A3DCEF
; 

loc_A3DCE6:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+124j
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3DCED:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+44j
					; RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+6Bj ...
		xor	al, al

loc_A3DCEF:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+38j
					; RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+B6j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_A3DCF6:				; CODE XREF: RtlpMuiRegLangInfoMatchesSpec(x,x,x,x)+9Cj
		cmp	al, 2
		jnz	short loc_A3DCED
		mov	ax, [ebp+arg_4]
		test	ax, ax
		js	short loc_A3DCED
		mov	ecx, [ecx+14h]
		movsx	edx, ax
		movzx	eax, word ptr [ecx+6]
		cmp	edx, eax
		jge	short loc_A3DCED
		imul	eax, edx, 1Ch
		add	eax, [ecx+0Ch]
		cmp	esi, eax
		jmp	loc_A3DB9C
_RtlpMuiRegLangInfoMatchesSpec@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegResizeLanguageConfigList(x, x)
_RtlpMuiRegResizeLanguageConfigList@8 proc near
					; CODE XREF: RtlpMuiRegGrowLanguageConfigList(x,x)+14p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		mov	[ebp+var_4], esi
		cmp	edi, 1
		jge	short loc_A3DD36
		push	4
		pop	edi

loc_A3DD36:				; CODE XREF: RtlpMuiRegResizeLanguageConfigList(x,x)+13j
		test	ecx, ecx
		jz	short loc_A3DD67
		movzx	eax, word ptr [ecx+4]
		cmp	edi, eax
		jl	short loc_A3DD67
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	ecx
		push	0Ch
		pop	edx
		push	edx
		push	edi
		call	_SafeReallocBlob
		mov	esi, eax
		test	esi, esi
		jz	short loc_A3DD67
		mov	ecx, [ebp+var_4]
		mov	[esi], ecx
		lea	ecx, [esi+0Ch]
		mov	[esi+6], di
		mov	[esi+8], ecx

loc_A3DD67:				; CODE XREF: RtlpMuiRegResizeLanguageConfigList(x,x)+1Aj
					; RtlpMuiRegResizeLanguageConfigList(x,x)+22j ...
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_RtlpMuiRegResizeLanguageConfigList@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegResizeLanguages(x, x)
_RtlpMuiRegResizeLanguages@8 proc near	; CODE XREF: RtlpMuiRegGrowLanguages(x,x):loc_A3DB09p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		mov	[ebp+var_4], esi
		cmp	edi, 1
		jge	short loc_A3DD85
		push	4
		pop	edi

loc_A3DD85:				; CODE XREF: RtlpMuiRegResizeLanguages(x,x)+13j
		test	ecx, ecx
		jz	short loc_A3DDB7
		movzx	eax, word ptr [ecx+6]
		cmp	edi, eax
		jl	short loc_A3DDB7
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	ecx
		push	1Ch
		push	edi
		push	10h
		pop	edx
		call	_SafeReallocBlob
		mov	esi, eax
		test	esi, esi
		jz	short loc_A3DDB7
		mov	ecx, [ebp+var_4]
		mov	[esi], ecx
		lea	ecx, [esi+10h]
		mov	[esi+4], di
		mov	[esi+0Ch], ecx

loc_A3DDB7:				; CODE XREF: RtlpMuiRegResizeLanguages(x,x)+1Aj
					; RtlpMuiRegResizeLanguages(x,x)+22j ...
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_RtlpMuiRegResizeLanguages@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RtlpMuiRegResizeStringPool(x, x, x,	x)
_RtlpMuiRegResizeStringPool@16 proc near ; CODE	XREF: RtlpMuiRegGrowStringPool(x,x,x,x)+48p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		xor	eax, eax
		and	[ebp+var_8], 0
		inc	eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		cmp	dx, ax
		jge	short loc_A3DDDF
		push	4
		pop	edx

loc_A3DDDF:				; CODE XREF: RtlpMuiRegResizeStringPool(x,x,x,x)+1Dj
		mov	ecx, [ebp+arg_0]
		cmp	cx, ax
		jge	short loc_A3DDEA
		push	28h
		pop	ecx

loc_A3DDEA:				; CODE XREF: RtlpMuiRegResizeStringPool(x,x,x,x)+28j
		test	esi, esi
		jz	loc_A3DE9F
		cmp	dx, ax
		jl	loc_A3DE9F
		cmp	cx, ax
		jl	loc_A3DE9F
		movzx	eax, word ptr [esi+6]
		movsx	ebx, dx
		cmp	ebx, eax
		jl	loc_A3DE9F
		movzx	eax, word ptr [esi+0Ah]
		movsx	ecx, cx
		mov	[ebp+arg_0], ecx
		cmp	ecx, eax
		jl	short loc_A3DE9F
		movzx	eax, word ptr [esi+4]
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_A3DE9F
		movzx	eax, word ptr [esi+8]
		push	2
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_A3DE9F
		mov	edx, [ebp+arg_0]
		mov	ecx, ebx
		call	_RtlpMuiRegCreateStringPool@8 ;	RtlpMuiRegCreateStringPool(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A3DE9F
		push	[ebp+var_4]	; size_t
		push	dword ptr [esi+0Ch] ; void *
		push	dword ptr [edi+0Ch] ; void *
		call	_memcpy
		add	esp, 0Ch
		push	[ebp+var_8]	; size_t
		push	dword ptr [esi+10h] ; void *
		push	dword ptr [edi+10h] ; void *
		call	_memcpy
		mov	ax, [esi+6]
		add	esp, 0Ch
		cmp	[ebp+arg_4], 0
		mov	[edi+6], ax
		mov	ax, [esi+0Ah]
		mov	[edi+0Ah], ax
		jnz	short loc_A3DE9F
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3DE9F:				; CODE XREF: RtlpMuiRegResizeStringPool(x,x,x,x)+2Fj
					; RtlpMuiRegResizeStringPool(x,x,x,x)+38j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_RtlpMuiRegResizeStringPool@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _RtlMuiRegAddLIPParent(x, x, x, x)
__RtlMuiRegAddLIPParent@16 proc	near	; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+16Ep
					; _RtlpMuiRegInitLIPLanguage(x,x,x)+266p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		or	[ebp+var_4], 0FFFFFFFFh
		mov	eax, ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], esi
		mov	ebx, edx
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		push	edi
		test	eax, eax
		jz	loc_A3E02B
		test	ebx, ebx
		jz	loc_A3E02B
		cmp	[ebp+arg_0], 4
		jnb	loc_A3E02B
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_A3E02B
		cmp	[edi], si
		jz	loc_A3E02B
		push	edi
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlCultureNameToLCID@8	; RtlCultureNameToLCID(x,x)
		test	al, al
		jz	loc_A3E022
		mov	ecx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		mov	edx, edi
		call	RtlpMuiRegGetOrAddString
		mov	edi, eax
		test	edi, edi
		js	loc_A3E022
		mov	eax, [ebp+var_4]
		test	ax, ax
		js	loc_A3E022
		mov	ecx, [ebp+var_C]
		mov	ecx, [ecx+14h]
		mov	edx, [ecx+0Ch]
		movzx	ecx, word ptr [ecx+6]
		test	ecx, ecx
		jz	short loc_A3DF84

loc_A3DF4D:				; CODE XREF: _RtlMuiRegAddLIPParent(x,x,x,x)+DAj
		mov	ax, [edx]
		mov	[ebp+arg_4], 3024h
		and	ax, word ptr [ebp+arg_4]
		cmp	ax, 20h
		jnz	short loc_A3DF79
		movzx	eax, word ptr [ebp+var_8]
		cmp	eax, 1000h
		jz	short loc_A3DFAC
		cmp	eax, 1400h
		jz	short loc_A3DFAC
		cmp	[edx+4], ax
		jz	short loc_A3DFB7

loc_A3DF79:				; CODE XREF: _RtlMuiRegAddLIPParent(x,x,x,x)+B7j
		mov	eax, [ebp+var_4]

loc_A3DF7C:				; CODE XREF: _RtlMuiRegAddLIPParent(x,x,x,x)+10Dj
		inc	esi
		add	edx, 1Ch
		cmp	esi, ecx
		jl	short loc_A3DF4D

loc_A3DF84:				; CODE XREF: _RtlMuiRegAddLIPParent(x,x,x,x)+A3j
					; _RtlMuiRegAddLIPParent(x,x,x,x)+129j
		movzx	ecx, word ptr [ebp+var_8]
		test	ecx, ecx
		jz	short loc_A3DFF8
		mov	esi, [ebp+arg_0]
		movzx	eax, word ptr [ebx+8]
		push	3
		pop	edx
		lea	ecx, [esi+esi]
		shl	edx, cl
		not	edx
		and	edx, eax
		movzx	eax, word ptr [ebp+var_8]
		bts	edx, ecx
		mov	[ebx+8], dx
		jmp	short loc_A3E01B
; 

loc_A3DFAC:				; CODE XREF: _RtlMuiRegAddLIPParent(x,x,x,x)+C2j
					; _RtlMuiRegAddLIPParent(x,x,x,x)+C9j
		mov	eax, [ebp+var_4]
		cmp	[edx+6], ax
		jz	short loc_A3DFC8
		jmp	short loc_A3DF7C
; 

loc_A3DFB7:				; CODE XREF: _RtlMuiRegAddLIPParent(x,x,x,x)+CFj
		movzx	ecx, word ptr [edx+6]
		mov	eax, [ebp+var_4]
		test	cx, cx
		js	short loc_A3DFC8
		cmp	cx, ax
		jnz	short loc_A3E022

loc_A3DFC8:				; CODE XREF: _RtlMuiRegAddLIPParent(x,x,x,x)+10Bj
					; _RtlMuiRegAddLIPParent(x,x,x,x)+119j
		movzx	ecx, si
		mov	[ebp+arg_4], ecx
		test	cx, cx
		js	short loc_A3DF84
		mov	esi, [ebp+arg_0]
		push	3
		pop	edx
		push	2
		lea	ecx, [esi+esi]
		shl	dx, cl
		not	dx
		and	dx, [ebx+8]
		pop	eax
		shl	ax, cl
		or	dx, ax
		mov	eax, [ebp+arg_4]
		mov	[ebx+8], dx
		jmp	short loc_A3E01B
; 

loc_A3DFF8:				; CODE XREF: _RtlMuiRegAddLIPParent(x,x,x,x)+E2j
		test	ax, ax
		jle	short loc_A3E022
		mov	esi, [ebp+arg_0]
		push	3
		pop	edx
		lea	ecx, [esi+esi]
		shl	dx, cl
		mov	eax, edx
		not	eax
		and	ax, [ebx+8]
		or	ax, dx
		mov	[ebx+8], ax
		mov	eax, [ebp+var_4]

loc_A3E01B:				; CODE XREF: _RtlMuiRegAddLIPParent(x,x,x,x)+102j
					; _RtlMuiRegAddLIPParent(x,x,x,x)+14Ej
		mov	[ebx+esi*2+0Ch], ax
		jmp	short loc_A3E027
; 

loc_A3E022:				; CODE XREF: _RtlMuiRegAddLIPParent(x,x,x,x)+68j
					; _RtlMuiRegAddLIPParent(x,x,x,x)+82j ...
		mov	edi, 0C0000001h

loc_A3E027:				; CODE XREF: _RtlMuiRegAddLIPParent(x,x,x,x)+178j
		mov	eax, edi
		jmp	short loc_A3E030
; 

loc_A3E02B:				; CODE XREF: _RtlMuiRegAddLIPParent(x,x,x,x)+23j
					; _RtlMuiRegAddLIPParent(x,x,x,x)+2Bj ...
		mov	eax, 0C000000Dh

loc_A3E030:				; CODE XREF: _RtlMuiRegAddLIPParent(x,x,x,x)+181j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
__RtlMuiRegAddLIPParent@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _RtlpMuiRegAddBaseLanguage(x, x, x,	x, x)
__RtlpMuiRegAddBaseLanguage@20 proc near
					; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+22Ep
					; _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+354p ...

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_23		= byte ptr -23h
var_22		= byte ptr -22h
var_21		= dword	ptr -21h
var_1C		= word ptr -1Ch
var_1A		= word ptr -1Ah
var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_48], eax
		lea	edi, [ebp+var_21+1]
		mov	eax, [ebp+arg_8]
		mov	esi, ecx
		mov	[ebp+var_54], eax
		xor	eax, eax
		mov	[ebp+var_40], edx
		mov	bl, al
		mov	edx, [ebp+arg_4]
		mov	bh, al
		mov	[ebp+var_2C], esi
		mov	[ebp+var_38], edx
		mov	[ebp+var_58], eax
		mov	[ebp+var_50], eax
		mov	[ebp+var_4C], eax
		mov	byte ptr [ebp+var_21], bl
		mov	[ebp+var_22], bh
		mov	[ebp+var_3C], eax
		push	7
		pop	ecx
		rep stosd
		test	esi, esi
		jz	loc_A3E31E
		cmp	[ebp+var_40], eax
		jz	loc_A3E31E
		test	edx, edx
		jz	loc_A3E31E
		cmp	[ebp+var_48], 3
		ja	loc_A3E31E
		mov	esi, [edx+8]
		add	esi, edx
		cmp	[edx+0Ch], eax
		jbe	short loc_A3E0C0
		test	esi, esi
		jz	short loc_A3E0C0
		mov	[ebp+var_23], 1
		cmp	[esi], ax
		jnz	short loc_A3E0C3

loc_A3E0C0:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+7Aj
					; _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+7Ej
		mov	[ebp+var_23], al

loc_A3E0C3:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+87j
		mov	eax, [edx+10h]
		shr	eax, 1
		mov	[ebp+var_34], eax
		movzx	ecx, word ptr [edx+eax*2+14h]
		mov	[ebp+var_28], ecx
		xor	ecx, ecx
		mov	[edx+eax*2+14h], cx
		lea	eax, [edx+14h]
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ecx, ecx
		mov	eax, ecx
		mov	[ebp+var_44], eax
		mov	[ebp+var_30], eax
		cmp	[ebp+var_23], al
		jz	loc_A3E299
		mov	edi, [ebp+var_38]
		lea	edx, [ebp+var_21+1]
		push	402h
		mov	eax, [edi+0Ch]
		shr	eax, 1
		mov	[esi+eax*2], cx
		push	[ebp+var_4C]
		mov	ecx, [ebp+var_2C]
		call	__RtlpMuiRegInitAnyLanguage@16 ; _RtlpMuiRegInitAnyLanguage(x,x,x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		js	loc_A3E323
		mov	eax, [ebp+var_40]
		mov	dx, word ptr [ebp+var_21+1]
		mov	cx, [eax]
		mov	eax, [ebp+var_34]
		xor	cx, dx
		and	cx, 18h
		xor	dx, cx
		mov	ecx, [ebp+var_28]
		mov	word ptr [ebp+var_21+1], dx
		mov	[edi+eax*2+14h], cx
		xor	ecx, ecx
		mov	edi, [ebp+var_54]
		mov	edx, ecx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], cl
		test	edi, edi
		jz	short loc_A3E1BA
		cmp	[edi], cx
		jz	short loc_A3E1BA
		mov	edx, edi	; wchar_t *
		mov	ecx, esi	; wchar_t *
		call	RtlpLangNameInMultiSzString
		test	al, al
		jz	short loc_A3E1B5
		lea	eax, [ebp+var_3C]
		mov	edx, edi
		mov	edi, [ebp+var_2C]
		push	eax
		push	ecx
		lea	eax, [ebp+var_22]
		mov	ecx, edi
		push	eax
		call	_RtlpMuiRegGetLanguageSpec@20 ;	RtlpMuiRegGetLanguageSpec(x,x,x,x,x)
		mov	bh, [ebp+var_22]
		test	eax, eax
		js	short loc_A3E1B0
		mov	al, bh
		xor	edx, edx
		and	al, 3
		movzx	ecx, al
		mov	eax, [ebp+var_18]
		and	eax, 0FFFCh
		or	cx, ax
		mov	eax, [ebp+var_3C]
		inc	edx
		mov	word ptr [ebp+var_18], cx
		mov	[ebp+var_14], ax
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], dl

loc_A3E1AC:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+17Cj
		xor	ecx, ecx
		jmp	short loc_A3E1BD
; 

loc_A3E1B0:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+14Dj
		mov	edx, [ebp+var_28]
		jmp	short loc_A3E1AC
; 

loc_A3E1B5:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+131j
		mov	edx, [ebp+var_28]
		xor	ecx, ecx

loc_A3E1BA:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+11Fj
					; _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+124j
		mov	edi, [ebp+var_2C]

loc_A3E1BD:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+177j
		test	esi, esi
		jz	loc_A3E26E
		lea	eax, [edx+edx]
		mov	[ebp+var_34], eax

loc_A3E1CB:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+231j
		cmp	[esi], cx
		jz	loc_A3E26E
		cmp	eax, 8
		jge	loc_A3E26E
		lea	eax, [ebp+var_30]
		mov	edx, esi
		push	eax
		push	ecx
		lea	eax, [ebp-21h]
		mov	ecx, edi
		push	eax
		call	_RtlpMuiRegGetLanguageSpec@20 ;	RtlpMuiRegGetLanguageSpec(x,x,x,x,x)
		mov	edi, [ebp+var_30]
		mov	bl, byte ptr [ebp+var_21]
		mov	[ebp+var_44], edi
		test	eax, eax
		js	short loc_A3E241
		cmp	[ebp+var_24], 0
		jz	short loc_A3E20C
		cmp	bh, bl
		jnz	short loc_A3E20C
		cmp	word ptr [ebp+var_3C], di
		jz	short loc_A3E241

loc_A3E20C:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+1C9j
					; _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+1CDj
		mov	ecx, [ebp+var_34]
		mov	al, bl
		push	3
		pop	edx
		shl	dx, cl
		and	al, 3
		not	dx
		movzx	eax, al
		and	dx, word ptr [ebp+var_18]
		shl	ax, cl
		or	dx, ax
		mov	word ptr [ebp+var_18], dx
		mov	edx, [ebp+var_28]
		inc	edx
		mov	[ebp+ecx+var_14], di
		add	ecx, 2
		mov	[ebp+var_28], edx
		mov	[ebp+var_34], ecx
		jmp	short loc_A3E244
; 

loc_A3E241:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+1C3j
					; _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+1D3j
		mov	edx, [ebp+var_28]

loc_A3E244:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+208j
		mov	ecx, esi
		lea	edi, [ecx+2]

loc_A3E249:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+21Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_58]
		jnz	short loc_A3E249
		mov	eax, [ebp+var_34]
		sub	ecx, edi
		mov	edi, [ebp+var_2C]
		sar	ecx, 1
		push	0
		lea	esi, [esi+ecx*2]
		pop	ecx
		add	esi, 2
		jnz	loc_A3E1CB

loc_A3E26E:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+188j
					; _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+197j ...
		test	edx, edx
		jns	short loc_A3E2BE
		mov	ax, [ebp+var_1C]
		test	ax, ax
		jz	short loc_A3E282
		mov	bl, 1

loc_A3E27D:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+256j
		movzx	edx, ax
		jmp	short loc_A3E2EE
; 

loc_A3E282:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+242j
		mov	ax, [ebp+var_1A]
		test	ax, ax
		jle	short loc_A3E28F
		mov	bl, 3
		jmp	short loc_A3E27D
; 

loc_A3E28F:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+252j
		mov	eax, 0C0000001h
		jmp	loc_A3E323
; 

loc_A3E299:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+BDj
		mov	esi, [ebp+var_2C]
		lea	eax, [ebp+var_30]
		mov	edx, [ebp+var_4C]
		push	eax
		push	ecx
		lea	eax, [ebp+var_21]
		mov	ecx, esi
		push	eax
		call	_RtlpMuiRegGetLanguageSpec@20 ;	RtlpMuiRegGetLanguageSpec(x,x,x,x,x)
		mov	[ebp+var_38], eax
		test	eax, eax
		js	short loc_A3E323
		mov	bl, byte ptr [ebp+var_21]
		mov	edx, [ebp+var_30]
		jmp	short loc_A3E2C4
; 

loc_A3E2BE:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+239j
		mov	edx, [ebp+var_44]
		mov	esi, [ebp+var_2C]

loc_A3E2C4:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+285j
		cmp	[ebp+var_23], 0
		jz	short loc_A3E2EE
		mov	eax, 0FFDFh
		lea	ecx, [esi+14h]
		and	word ptr [ebp+var_21+1], ax
		lea	edx, [ebp+var_21+1]
		lea	eax, [ebp+var_30]
		push	eax
		call	RtlpMuiRegGetOrAddLangInfo
		mov	[ebp+var_38], eax
		test	eax, eax
		js	short loc_A3E323
		mov	edx, [ebp+var_30]
		mov	bl, 2

loc_A3E2EE:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+249j
					; _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+291j
		mov	esi, [ebp+var_48]
		and	bl, 3
		movzx	eax, bl
		push	3
		pop	ebx
		lea	ecx, [esi+esi]
		shl	bx, cl
		shl	ax, cl
		not	bx
		mov	ecx, [ebp+var_40]
		and	bx, [ecx+8]
		or	ax, bx
		mov	[ecx+8], ax
		mov	eax, [ebp+var_38]
		mov	[ecx+esi*2+0Ch], dx
		jmp	short loc_A3E323
; 

loc_A3E31E:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+51j
					; _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+5Aj ...
		mov	eax, 0C000000Dh

loc_A3E323:				; CODE XREF: _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+E7j
					; _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)+25Dj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
__RtlpMuiRegAddBaseLanguage@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _RtlpMuiRegInitLIPLanguage(x, x, x)
__RtlpMuiRegInitLIPLanguage@12 proc near ; CODE	XREF: RtlpMuiRegAddLanguageByName+982DFp

var_2E4		= dword	ptr -2E4h
var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= dword	ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_B8		= dword	ptr -0B8h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFE0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 2F8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebx+8]
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_2DC], eax
		push	0AAh		; size_t
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_2CC], edx
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_2E0], ecx
		mov	[ebp+var_2C4], esi
		mov	[ebp+var_2D8], esi
		mov	[ebp+var_2D4], esi
		mov	[ebp+var_2E4], esi
		call	_memset
		add	esp, 0Ch
		mov	edi, esi
		cmp	[ebp+var_2E0], esi
		jz	loc_A3E5C2
		cmp	[ebp+var_2CC], esi
		jz	loc_A3E5C2
		mov	eax, [ebp+var_2DC]
		test	eax, eax
		jz	loc_A3E5C2
		test	byte ptr [eax],	4
		jz	loc_A3E5C2
		push	offset ??_C@_1CA@EOGMNDBN@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AAF?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk@NNGAKEGL@	; "DefaultFallback"
		lea	eax, [ebp+var_2D8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ecx		; int
		mov	ecx, [ebp+var_2CC]
		lea	eax, [ebp+var_2D0]
		push	eax		; int
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_2C8], 1
		push	eax		; void *
		lea	eax, [ebp+var_2C8]
		mov	[ebp+var_2D0], 0AAh
		push	eax		; int
		lea	edx, [ebp+var_2D8]
		call	LdrpQueryValueKey
		test	eax, eax
		js	loc_A3E4DD
		cmp	[ebp+var_2C8], 1
		jnz	loc_A3E4DD
		lea	eax, [ebp+var_B8]
		push	eax
		lea	eax, [ebp+var_2D8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ecx		; int
		mov	ecx, [ebp+var_2CC]
		lea	eax, [ebp+var_2C8]
		push	esi		; int
		push	esi		; void *
		push	eax		; int
		lea	edx, [ebp+var_2D8]
		mov	[ebp+var_2C8], 7
		call	LdrpQueryValueKey
		mov	[ebp+var_2D0], eax
		test	eax, eax
		jz	short loc_A3E47C
		cmp	eax, 80000005h
		jnz	short loc_A3E4D2

loc_A3E47C:				; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+13Fj
		cmp	[ebp+var_2C8], 7
		jz	short loc_A3E48E
		cmp	[ebp+var_2C8], 1
		jnz	short loc_A3E4D2

loc_A3E48E:				; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+14Fj
		mov	edx, [ebp+var_2DC]
		lea	eax, [ebp+var_B8]
		mov	ecx, [ebp+var_2E0]
		push	eax
		push	esi
		call	__RtlMuiRegAddLIPParent@16 ; _RtlMuiRegAddLIPParent(x,x,x,x)
		test	eax, eax
		js	short loc_A3E4CC
		xor	eax, eax
		lea	edi, [ebp+var_B8]
		inc	eax
		lea	ecx, [edi+2]
		mov	[ebp+var_2C4], eax

loc_A3E4BD:				; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+192j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, si
		jnz	short loc_A3E4BD
		sub	edi, ecx
		sar	edi, 1

loc_A3E4CC:				; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+175j
		mov	eax, [ebp+var_2D0]

loc_A3E4D2:				; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+146j
					; _RtlpMuiRegInitLIPLanguage(x,x,x)+158j
		cmp	eax, 8000001Ah
		jz	loc_A3E5BE

loc_A3E4DD:				; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+ECj
					; _RtlpMuiRegInitLIPLanguage(x,x,x)+F9j
		mov	eax, [ebp+var_2C4]

loc_A3E4E3:				; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+285j
		cmp	eax, 4
		jnb	loc_A3E5BE
		lea	eax, [ebp+var_2E4]
		push	eax
		push	200h
		lea	eax, [ebp+var_2C0]
		push	eax
		push	1
		push	esi
		push	[ebp+var_2CC]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_A3E5BE
		cmp	[ebp+var_2BC], 7
		jz	short loc_A3E52B
		cmp	[ebp+var_2BC], 1
		jnz	loc_A3E5B2

loc_A3E52B:				; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+1E8j
		mov	ecx, [ebp+var_2B0]
		lea	eax, [ecx+18h]
		cmp	eax, 200h
		ja	short loc_A3E5B2
		shr	ecx, 1
		xor	eax, eax
		mov	word ptr [ebp+ecx*2+var_2AC], ax
		lea	eax, [ebp+var_2AC]
		push	eax
		lea	eax, [ebp+var_2D8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		test	edi, edi
		jz	short loc_A3E581
		push	1
		push	edi
		lea	eax, [ebp+var_B8]
		push	eax
		movzx	eax, word ptr [ebp+var_2D8]
		shr	eax, 1
		push	eax
		push	[ebp+var_2D4]
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A3E5B2

loc_A3E581:				; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+228j
		push	[ebp+var_2D4]
		mov	eax, [ebp+var_2C4]
		mov	edx, [ebp+var_2DC]
		mov	ecx, [ebp+var_2E0]
		push	eax
		call	__RtlMuiRegAddLIPParent@16 ; _RtlMuiRegAddLIPParent(x,x,x,x)
		test	eax, eax
		mov	eax, [ebp+var_2C4]
		js	short loc_A3E5B8
		inc	eax
		mov	[ebp+var_2C4], eax
		jmp	short loc_A3E5B8
; 

loc_A3E5B2:				; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+1F1j
					; _RtlpMuiRegInitLIPLanguage(x,x,x)+205j ...
		mov	eax, [ebp+var_2C4]

loc_A3E5B8:				; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+273j
					; _RtlpMuiRegInitLIPLanguage(x,x,x)+27Cj
		inc	esi
		jmp	loc_A3E4E3
; 

loc_A3E5BE:				; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+1A3j
					; _RtlpMuiRegInitLIPLanguage(x,x,x)+1B2j ...
		xor	eax, eax
		jmp	short loc_A3E5C7
; 

loc_A3E5C2:				; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+75j
					; _RtlpMuiRegInitLIPLanguage(x,x,x)+81j ...
		mov	eax, 0C000000Dh

loc_A3E5C7:				; CODE XREF: _RtlpMuiRegInitLIPLanguage(x,x,x)+28Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
__RtlpMuiRegInitLIPLanguage@12 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _RtlpMuiRegInitPartialLanguage(x, x, x)
__RtlpMuiRegInitPartialLanguage@12 proc	near ; CODE XREF: RtlpMuiRegAddLanguageByName+982EEp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		test	ecx, ecx
		jz	short loc_A3E620
		test	edx, edx
		jz	short loc_A3E620
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_A3E620
		test	byte ptr [esi],	2
		jz	short loc_A3E620
		push	ecx
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		call	__RtlpMuiRegPopulateBaseLanguages@20 ; _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)
		mov	ecx, 1000h
		test	eax, eax
		jns	short loc_A3E613
		or	[esi], cx

loc_A3E613:				; CODE XREF: _RtlpMuiRegInitPartialLanguage(x,x,x)+32j
		cmp	[ebp+var_4], 0
		jnz	short loc_A3E61C
		or	[esi], cx

loc_A3E61C:				; CODE XREF: _RtlpMuiRegInitPartialLanguage(x,x,x)+3Bj
		xor	eax, eax
		jmp	short loc_A3E625
; 

loc_A3E620:				; CODE XREF: _RtlpMuiRegInitPartialLanguage(x,x,x)+Ej
					; _RtlpMuiRegInitPartialLanguage(x,x,x)+12j ...
		mov	eax, 0C000000Dh

loc_A3E625:				; CODE XREF: _RtlpMuiRegInitPartialLanguage(x,x,x)+42j
		pop	esi
		leave
		retn	4
__RtlpMuiRegInitPartialLanguage@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _RtlpMuiRegPopulateBaseLanguages(x,	x, x, x, x)
__RtlpMuiRegPopulateBaseLanguages@20 proc near
					; CODE XREF: _RtlpMuiRegInitPartialLanguage(x,x,x)+26p

var_478		= dword	ptr -478h
var_474		= dword	ptr -474h
var_470		= dword	ptr -470h
var_454		= dword	ptr -454h
var_450		= dword	ptr -450h
var_44C		= dword	ptr -44Ch
var_448		= dword	ptr -448h
var_444		= dword	ptr -444h
var_440		= dword	ptr -440h
var_43C		= dword	ptr -43Ch
var_438		= dword	ptr -438h
var_434		= dword	ptr -434h
var_430		= dword	ptr -430h
var_42C		= dword	ptr -42Ch
var_428		= dword	ptr -428h
var_424		= dword	ptr -424h
var_420		= dword	ptr -420h
var_370		= dword	ptr -370h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_B8		= dword	ptr -0B8h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFE0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 478h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebx+8]
		push	esi
		mov	[ebp+var_434], eax
		xor	esi, esi
		mov	eax, [ebx+0Ch]
		push	edi
		mov	[ebp+var_478], eax
		mov	edi, ecx
		mov	eax, 0AAh
		mov	[ebp+var_430], edx
		push	eax		; size_t
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_470], esi
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_474], esi
		mov	[ebp+var_444], esi
		mov	[ebp+var_440], esi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_370]
		mov	ecx, 0AAh
		push	ecx		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	eax, 0AAh
		push	eax		; size_t
		lea	eax, [ebp+var_420]
		push	esi		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		mov	[ebp+var_450], esi
		add	esp, 0Ch
		mov	[ebp+var_44C], esi
		mov	[ebp+var_448], eax
		mov	[ebp+var_438], eax
		mov	[ebp+var_42C], eax
		mov	[ebp+var_428], eax
		test	edi, edi
		jz	loc_A3EB18
		cmp	[ebp+var_434], eax
		jz	loc_A3EB18
		cmp	[ebp+var_430], eax
		jz	loc_A3EB18
		mov	[ebp+var_43C], eax
		mov	[ebp+var_454], eax
		mov	[ebp+var_424], eax
		movzx	eax, word ptr [edi+4]
		test	ax, ax
		jnz	short loc_A3E792
		lea	eax, [ebp+var_448]
		push	eax
		call	NtQueryInstallUILanguage
		mov	[ebp+var_43C], eax
		test	eax, eax
		js	loc_A3EB1D
		lea	eax, [ebp+var_42C]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_438]
		call	RtlpLoadInstallLanguageFallback
		test	eax, eax
		jns	short loc_A3E764
		xor	ecx, ecx
		mov	eax, ecx
		mov	edx, ecx
		jmp	short loc_A3E770
; 

loc_A3E764:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+130j
		mov	edx, [ebp+var_42C]
		mov	eax, [ebp+var_438]

loc_A3E770:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+138j
		mov	ecx, [ebp+var_448]
		mov	[ebp+var_42C], edx
		cmp	ds:_PsUILanguageComitted, esi
		jz	short loc_A3E7A2
		mov	[edi+8], dx
		mov	[edi+6], ax
		mov	[edi+4], cx
		jmp	short loc_A3E7A2
; 

loc_A3E792:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+FEj
		movzx	edx, word ptr [edi+8]
		mov	ecx, eax
		movzx	eax, word ptr [edi+6]
		mov	[ebp+var_42C], edx

loc_A3E7A2:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+158j
					; _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+166j
		mov	edx, [ebp+var_434]
		cmp	[edx+4], cx
		jnz	loc_A3E88A
		test	ax, ax
		jz	loc_A3E88A
		lea	ecx, [ebp+var_370]
		movzx	eax, ax
		mov	[ebp+var_440], ecx
		mov	ecx, 0AAh
		mov	word ptr [ebp+var_444+2], cx
		lea	ecx, [ebp+var_444]
		push	ecx
		push	eax
		mov	[ebp+var_428], 200h
		call	_RtlLCIDToCultureName@8	; RtlLCIDToCultureName(x,x)
		test	al, al
		jz	loc_A3E88A
		lea	eax, [ebp+var_428]
		push	eax
		push	200h
		lea	eax, [ebp+var_2C0]
		push	eax
		push	1
		lea	eax, [ebp+var_444]
		push	eax
		push	[ebp+var_430]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A3E88A
		push	ecx
		lea	eax, [ebp+var_420]
		mov	ecx, edi
		push	eax
		push	[ebp+var_42C]
		lea	edx, [ebp+var_2C0]
		call	__RtlpMuiRegValidateAndGetInstallFallbackBase@20 ; _RtlpMuiRegValidateAndGetInstallFallbackBase(x,x,x,x,x)
		test	eax, eax
		js	short loc_A3E88A
		mov	edx, [ebp+var_434]
		lea	eax, [ebp+var_420]
		push	eax
		lea	eax, [ebp+var_2C0]
		mov	ecx, edi
		push	eax
		xor	eax, eax
		push	eax
		call	__RtlpMuiRegAddBaseLanguage@20 ; _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)
		test	eax, eax
		js	short loc_A3E88A
		xor	eax, eax
		lea	esi, [ebp+var_370]
		inc	eax
		lea	ecx, [esi+2]
		mov	[ebp+var_424], eax
		xor	edx, edx

loc_A3E875:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+254j
		mov	ax, [esi]
		add	esi, 2
		cmp	ax, dx
		jnz	short loc_A3E875
		sub	esi, ecx
		sar	esi, 1
		mov	[ebp+var_44C], esi

loc_A3E88A:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+182j
					; _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+18Bj ...
		push	offset ??_C@_1CA@EOGMNDBN@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AAF?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk@NNGAKEGL@	; "DefaultFallback"
		lea	eax, [ebp+var_444]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, 0AAh
		mov	[ebp+var_438], 1
		mov	[ebp+var_428], eax
		lea	edx, [ebp+var_444]
		push	ecx		; int
		mov	ecx, [ebp+var_430]
		lea	eax, [ebp+var_428]
		push	eax		; int
		lea	eax, [ebp+var_B8]
		push	eax		; void *
		lea	eax, [ebp+var_438]
		push	eax		; int
		call	LdrpQueryValueKey
		test	eax, eax
		js	loc_A3E9B2
		cmp	[ebp+var_438], 1
		jnz	loc_A3E9B2
		test	esi, esi
		jz	short loc_A3E917
		push	1
		push	esi
		lea	eax, [ebp+var_370]
		push	eax
		mov	eax, [ebp+var_428]
		shr	eax, 1
		push	eax
		lea	eax, [ebp+var_B8]
		push	eax
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		test	eax, eax
		jz	loc_A3E9B2

loc_A3E917:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+2C4j
		lea	eax, [ebp+var_B8]
		push	eax
		lea	eax, [ebp+var_444]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_428]
		mov	ecx, 200h
		push	eax
		push	ecx
		lea	eax, [ebp+var_2C0]
		mov	[ebp+var_428], ecx
		push	eax
		push	1
		lea	eax, [ebp+var_444]
		push	eax
		push	[ebp+var_430]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, [ebp+var_424]
		test	eax, eax
		js	short loc_A3E9B8
		cmp	[ebp+var_2BC], 7
		jnz	short loc_A3E9B8
		mov	edx, [ebp+var_434]
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_2C0]
		mov	ecx, edi
		push	eax
		push	esi
		call	__RtlpMuiRegAddBaseLanguage@20 ; _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)
		test	eax, eax
		js	short loc_A3E9B8
		inc	esi
		lea	ecx, [ebp+var_B8]
		mov	[ebp+var_424], esi
		lea	edx, [ecx+2]

loc_A3E997:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+37Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_470]
		jnz	short loc_A3E997
		sub	ecx, edx
		sar	ecx, 1
		mov	[ebp+var_450], ecx
		jmp	short loc_A3E9B8
; 

loc_A3E9B2:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+2AFj
					; _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+2BCj ...
		mov	esi, [ebp+var_424]

loc_A3E9B8:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+336j
					; _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+33Fj ...
		cmp	[ebp+var_43C], 8000001Ah
		jz	loc_A3EB08
		mov	eax, [ebp+var_454]

loc_A3E9CE:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+4D9j
		cmp	esi, 4
		jnb	loc_A3EB08
		lea	ecx, [ebp+var_474]
		push	ecx
		push	200h
		lea	ecx, [ebp+var_2C0]
		push	ecx
		push	1
		push	eax
		push	[ebp+var_430]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		cmp	eax, 8000001Ah
		jz	loc_A3EB08
		test	eax, eax
		js	loc_A3EB08
		cmp	[ebp+var_2BC], 7
		jnz	loc_A3EAF6
		mov	esi, [ebp+var_2B0]
		cmp	esi, 200h
		ja	loc_A3EAF0
		cmp	[ebp+var_450], 0
		mov	eax, [ebp+var_44C]
		ja	short loc_A3EA41
		test	eax, eax
		jz	loc_A3EAC5

loc_A3EA41:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+40Dj
		shr	esi, 1
		movzx	ecx, word ptr [ebp+esi*2+var_2AC]
		mov	[ebp+var_43C], ecx
		xor	ecx, ecx
		mov	word ptr [ebp+esi*2+var_2AC], cx
		mov	ecx, [ebp+var_2B0]
		mov	[ebp+var_470], ecx
		test	eax, eax
		jz	short loc_A3EA90
		push	1
		push	eax
		lea	eax, [ebp+var_370]
		push	eax
		mov	eax, ecx
		shr	eax, 1
		push	eax
		lea	eax, [ebp+var_2AC]
		push	eax
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A3EAF0
		mov	ecx, [ebp+var_470]

loc_A3EA90:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+43Fj
		mov	eax, [ebp+var_450]
		test	eax, eax
		jz	short loc_A3EAB7
		push	1
		push	eax
		lea	eax, [ebp+var_B8]
		shr	ecx, 1
		push	eax
		push	ecx
		lea	eax, [ebp+var_2AC]
		push	eax
		call	_RtlCompareUnicodeStrings@20 ; RtlCompareUnicodeStrings(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A3EAF0

loc_A3EAB7:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+46Ej
		mov	eax, [ebp+var_43C]
		mov	word ptr [ebp+esi*2+var_2AC], ax

loc_A3EAC5:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+411j
		mov	esi, [ebp+var_424]
		xor	eax, eax
		mov	edx, [ebp+var_434]
		mov	ecx, edi
		push	eax
		lea	eax, [ebp+var_2C0]
		push	eax
		push	esi
		call	__RtlpMuiRegAddBaseLanguage@20 ; _RtlpMuiRegAddBaseLanguage(x,x,x,x,x)
		test	eax, eax
		js	short loc_A3EAF6
		inc	esi
		mov	[ebp+var_424], esi
		jmp	short loc_A3EAF6
; 

loc_A3EAF0:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+3FAj
					; _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+45Ej ...
		mov	esi, [ebp+var_424]

loc_A3EAF6:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+3E8j
					; _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+4BBj ...
		mov	eax, [ebp+var_454]
		inc	eax
		mov	[ebp+var_454], eax
		jmp	loc_A3E9CE
; 

loc_A3EB08:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+398j
					; _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+3A7j ...
		mov	eax, [ebp+var_478]
		test	eax, eax
		jz	short loc_A3EB14
		mov	[eax], esi

loc_A3EB14:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+4E6j
		xor	eax, eax
		jmp	short loc_A3EB1D
; 

loc_A3EB18:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+C7j
					; _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+D3j ...
		mov	eax, 0C000000Dh

loc_A3EB1D:				; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+114j
					; _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+4ECj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	0Ch
__RtlpMuiRegPopulateBaseLanguages@20 endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _RtlpMuiRegValidateAndGetInstallFallbackBase(x, x, x, x, x)
__RtlpMuiRegValidateAndGetInstallFallbackBase@20 proc near
					; CODE XREF: _RtlpMuiRegPopulateBaseLanguages(x,x,x,x,x)+20Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		push	esi
		mov	esi, 0C0000001h
		push	edi
		test	ecx, ecx
		jz	short loc_A3EBB5
		mov	ecx, [ebp+arg_4]
		test	ecx, ecx
		jz	short loc_A3EBB5
		test	edx, edx
		jz	short loc_A3EBB5
		cmp	dword ptr [edx+4], 7
		jnz	short loc_A3EBB1
		cmp	[edx+0Ch], ebx
		jbe	short loc_A3EBA7
		mov	edi, [edx+8]
		add	edi, edx
		jz	short loc_A3EBA7
		cmp	[edi], bx
		jz	short loc_A3EBA7
		mov	ax, [ebp+arg_0]
		test	ax, ax
		jz	short loc_A3EBA3
		mov	[ebp+var_4], ecx
		mov	ecx, 0AAh
		mov	word ptr [ebp+var_8+2],	cx
		lea	ecx, [ebp+var_8]
		push	ecx
		movzx	eax, ax
		push	eax
		call	_RtlLCIDToCultureName@8	; RtlLCIDToCultureName(x,x)
		test	al, al
		jz	short loc_A3EBB1
		mov	edx, [ebp+var_4] ; wchar_t *
		mov	ecx, edi	; wchar_t *
		call	RtlpLangNameInMultiSzString
		test	al, al
		jz	short loc_A3EBB1

loc_A3EBA3:				; CODE XREF: _RtlpMuiRegValidateAndGetInstallFallbackBase(x,x,x,x,x)+44j
		mov	esi, ebx
		jmp	short loc_A3EBB1
; 

loc_A3EBA7:				; CODE XREF: _RtlpMuiRegValidateAndGetInstallFallbackBase(x,x,x,x,x)+2Fj
					; _RtlpMuiRegValidateAndGetInstallFallbackBase(x,x,x,x,x)+36j ...
		movzx	eax, [ebp+arg_0]
		neg	eax
		sbb	eax, eax
		and	esi, eax

loc_A3EBB1:				; CODE XREF: _RtlpMuiRegValidateAndGetInstallFallbackBase(x,x,x,x,x)+2Aj
					; _RtlpMuiRegValidateAndGetInstallFallbackBase(x,x,x,x,x)+61j ...
		mov	eax, esi
		jmp	short loc_A3EBBA
; 

loc_A3EBB5:				; CODE XREF: _RtlpMuiRegValidateAndGetInstallFallbackBase(x,x,x,x,x)+19j
					; _RtlpMuiRegValidateAndGetInstallFallbackBase(x,x,x,x,x)+20j ...
		mov	eax, 0C000000Dh

loc_A3EBBA:				; CODE XREF: _RtlpMuiRegValidateAndGetInstallFallbackBase(x,x,x,x,x)+81j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
__RtlpMuiRegValidateAndGetInstallFallbackBase@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _RtlpMuiRegValidateLIPLanguage(x, x)
__RtlpMuiRegValidateLIPLanguage@8 proc near ; CODE XREF: _RtlpMuiRegValidateInstalled+98361p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	eax, edx
		mov	[ebp+var_C], ecx
		push	esi
		imul	esi, eax, 1Ch
		xor	ebx, ebx
		mov	[ebp+var_14], eax
		mov	edx, ebx
		mov	eax, [ecx+14h]
		mov	ecx, ebx
		push	edi
		mov	[ebp+var_4], edx
		mov	edi, ebx
		mov	[ebp+var_1C], ecx
		mov	eax, [eax+0Ch]
		add	esi, eax

loc_A3EBED:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+1E5j
		movzx	ebx, word ptr [esi+8]
		add	cl, cl
		movzx	eax, bx
		mov	[ebp+var_18], eax
		mov	eax, ebx
		shr	ax, cl
		mov	[ebp+var_8], ebx
		and	al, 3
		jz	loc_A3ED99
		movzx	ecx, word ptr [edi+esi+0Ch]
		cmp	al, 2
		jnz	loc_A3ECE6
		test	cx, cx
		js	loc_A3ECC8
		mov	eax, [ebp+var_C]
		movsx	ecx, cx
		mov	eax, [eax+14h]
		mov	[ebp+var_10], eax
		movzx	eax, word ptr [eax+6]
		cmp	ecx, eax
		jge	loc_A3ECC8
		cmp	ecx, [ebp+var_14]
		jz	loc_A3ECC8
		mov	eax, [ebp+var_10]
		imul	ebx, ecx, 1Ch
		add	ebx, [eax+0Ch]
		movzx	eax, word ptr [ebx]
		test	al, 4
		jnz	loc_A3EDC0
		and	eax, 1820h
		mov	ecx, 820h
		cmp	ax, cx
		jz	loc_A3ED7E
		xor	eax, eax
		mov	ecx, edi
		push	3
		cmp	[ebx+4], ax
		jz	short loc_A3EC90
		mov	eax, [ebp+var_8]
		pop	edx
		shl	edx, cl
		not	edx
		movzx	eax, ax
		and	edx, eax
		bts	edx, edi
		mov	[esi+8], dx
		movzx	eax, word ptr [ebx+4]
		mov	edx, [ebp+var_4]
		jmp	short loc_A3ECBE
; 

loc_A3EC90:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+B0j
		pop	eax
		shl	ax, cl
		xor	edx, edx
		movzx	ecx, ax
		mov	eax, ecx
		not	eax
		and	eax, [ebp+var_18]
		cmp	[ebx+6], dx
		mov	edx, [ebp+var_4]
		movzx	eax, ax
		jle	short loc_A3ECB8
		or	ecx, eax
		mov	[esi+8], cx
		movzx	eax, word ptr [ebx+6]
		jmp	short loc_A3ECBE
; 

loc_A3ECB8:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+E9j
		mov	[esi+8], ax
		xor	eax, eax

loc_A3ECBE:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+CDj
					; _RtlpMuiRegValidateLIPLanguage(x,x)+F5j
		mov	[esi+edi+0Ch], ax
		jmp	loc_A3ED99
; 

loc_A3ECC8:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+58j
					; _RtlpMuiRegValidateLIPLanguage(x,x)+70j ...
		push	3
		pop	eax
		mov	ecx, edi
		shl	ax, cl
		not	ax
		and	ax, bx
		mov	[esi+8], ax
		xor	eax, eax
		mov	[edi+esi+0Ch], ax
		jmp	loc_A3ED99
; 

loc_A3ECE6:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+4Fj
		mov	edx, [ebp+var_C]
		or	[ebp+var_8], 0FFFFFFFFh
		mov	edx, [edx+14h]
		mov	[ebp+var_10], edx
		lea	edx, [ebp+var_8]
		push	edx
		push	ecx
		mov	ecx, [ebp+var_10]
		movzx	edx, al
		call	_RtlpMuiRegGetInstalledLangInfoIndex@16	; RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)
		test	eax, eax
		js	short loc_A3ED84
		mov	eax, [ebp+var_8]
		test	ax, ax
		js	short loc_A3ED84
		mov	edx, [ebp+var_10]
		movsx	ecx, ax
		movzx	eax, word ptr [edx+6]
		cmp	ecx, eax
		jge	short loc_A3ED84
		cmp	ecx, [ebp+var_14]
		jz	short loc_A3ED84
		mov	eax, [edx+0Ch]
		imul	ecx, 1Ch
		push	3
		movzx	eax, word ptr [ecx+eax]
		mov	ecx, edi
		mov	[ebp+var_10], eax
		pop	eax
		shl	ax, cl
		mov	ecx, [ebp+var_10]
		movzx	eax, ax
		not	eax
		test	cl, 4
		jz	short loc_A3ED48
		and	eax, ebx
		jmp	short loc_A3ED92
; 

loc_A3ED48:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+181j
		and	eax, [ebp+var_18]
		and	ecx, 1820h
		movzx	edx, ax
		mov	eax, 820h
		cmp	cx, ax
		jz	short loc_A3ED64
		mov	[esi+8], dx
		jmp	short loc_A3ED96
; 

loc_A3ED64:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+19Bj
		push	2
		pop	eax
		mov	ecx, edi
		shl	ax, cl
		or	ax, dx
		mov	edx, [ebp+var_4]
		mov	[esi+8], ax
		mov	eax, [ebp+var_8]
		mov	[edi+esi+0Ch], ax

loc_A3ED7E:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+A0j
		inc	edx
		mov	[ebp+var_4], edx
		jmp	short loc_A3ED99
; 

loc_A3ED84:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+144j
					; _RtlpMuiRegValidateLIPLanguage(x,x)+14Cj ...
		push	3
		mov	ecx, edi
		pop	eax
		shl	ax, cl
		not	ax
		and	ax, bx

loc_A3ED92:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+185j
		mov	[esi+8], ax

loc_A3ED96:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+1A1j
		mov	edx, [ebp+var_4]

loc_A3ED99:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+42j
					; _RtlpMuiRegValidateLIPLanguage(x,x)+102j ...
		mov	ecx, [ebp+var_1C]
		add	edi, 2
		inc	ecx
		mov	[ebp+var_1C], ecx
		cmp	edi, 8
		jl	loc_A3EBED
		mov	eax, 1000h

loc_A3EDB1:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+207j
		cmp	edx, 1
		jge	short loc_A3EDCA
		or	[esi], ax
		mov	eax, 0C0000001h
		jmp	short loc_A3EDCC
; 

loc_A3EDC0:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+8Dj
		mov	eax, 1000h
		or	[esi], ax
		jmp	short loc_A3EDB1
; 

loc_A3EDCA:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+1F3j
		xor	eax, eax

loc_A3EDCC:				; CODE XREF: _RtlpMuiRegValidateLIPLanguage(x,x)+1FDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
__RtlpMuiRegValidateLIPLanguage@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall _RtlpMuiRegValidatePartialLanguage(x, x)
__RtlpMuiRegValidatePartialLanguage@8 proc near
					; CODE XREF: _RtlpMuiRegValidateInstalled+982A2p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	eax, edx
		mov	[ebp+var_14], ecx
		push	edi
		imul	edi, eax, 1Ch
		xor	esi, esi
		mov	[ebp+var_C], eax
		mov	ebx, esi
		mov	eax, [ecx+14h]
		add	edi, [eax+0Ch]
		mov	eax, esi
		mov	[ebp+var_10], eax

loc_A3EDF6:				; CODE XREF: _RtlpMuiRegValidatePartialLanguage(x,x)+E3j
		movzx	edx, word ptr [edi+8]
		mov	cl, al
		add	cl, cl
		mov	[ebp+var_18], edx
		mov	eax, edx
		shr	ax, cl
		and	al, 3
		jz	loc_A3EEA7
		movzx	ecx, word ptr [edi+ebx+0Ch]
		cmp	al, 2
		jnz	short loc_A3EE37
		movsx	eax, cx
		cmp	eax, [ebp+var_C]
		jnz	loc_A3EEA6
		push	3
		pop	eax
		mov	ecx, ebx
		shl	ax, cl
		not	ax
		and	ax, dx
		mov	[edi+8], ax
		jmp	short loc_A3EEA7
; 

loc_A3EE37:				; CODE XREF: _RtlpMuiRegValidatePartialLanguage(x,x)+44j
		mov	edx, [ebp+var_14]
		or	[ebp+var_4], 0FFFFFFFFh
		mov	edx, [edx+14h]
		mov	[ebp+var_8], edx
		lea	edx, [ebp+var_4]
		push	edx
		push	ecx
		mov	ecx, [ebp+var_8]
		movzx	edx, al
		call	_RtlpMuiRegGetInstalledLangInfoIndex@16	; RtlpMuiRegGetInstalledLangInfoIndex(x,x,x,x)
		test	eax, eax
		js	short loc_A3EEA6
		mov	eax, [ebp+var_4]
		test	ax, ax
		js	short loc_A3EEA7
		mov	edx, [ebp+var_8]
		movsx	ecx, ax
		movzx	eax, word ptr [edx+6]
		cmp	ecx, eax
		jge	short loc_A3EEA7
		cmp	ecx, [ebp+var_C]
		jz	short loc_A3EEA7
		mov	eax, [edx+0Ch]
		inc	esi
		imul	ecx, 1Ch
		test	byte ptr [ecx+eax], 1
		jz	short loc_A3EEA7
		push	3
		pop	edx
		mov	ecx, ebx
		shl	dx, cl
		push	2
		not	dx
		and	dx, word ptr [ebp+var_18]
		pop	eax
		shl	ax, cl
		or	dx, ax
		mov	eax, [ebp+var_4]
		mov	[edi+8], dx
		mov	[edi+ebx+0Ch], ax
		jmp	short loc_A3EEA7
; 

loc_A3EEA6:				; CODE XREF: _RtlpMuiRegValidatePartialLanguage(x,x)+4Cj
					; _RtlpMuiRegValidatePartialLanguage(x,x)+85j
		inc	esi

loc_A3EEA7:				; CODE XREF: _RtlpMuiRegValidatePartialLanguage(x,x)+37j
					; _RtlpMuiRegValidatePartialLanguage(x,x)+64j ...
		mov	eax, [ebp+var_10]
		add	ebx, 2
		inc	eax
		mov	[ebp+var_10], eax
		cmp	ebx, 8
		jl	loc_A3EDF6
		cmp	esi, 1
		jge	short loc_A3EECE
		mov	eax, 1000h
		or	[edi], ax
		mov	eax, 0C0000001h
		jmp	short loc_A3EED0
; 

loc_A3EECE:				; CODE XREF: _RtlpMuiRegValidatePartialLanguage(x,x)+ECj
		xor	eax, eax

loc_A3EED0:				; CODE XREF: _RtlpMuiRegValidatePartialLanguage(x,x)+FBj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
__RtlpMuiRegValidatePartialLanguage@8 endp


;  S U B	R O U T	I N E 


; __stdcall EtwUnregisterCounters()
_EtwUnregisterCounters@0 proc near	; CODE XREF: ExpPcwHostCallback:loc_92D737p
		mov	eax, _PcwpEventTracingSessionCounterSet
		test	eax, eax
		jz	short loc_A3EEEB
		push	eax
		call	_PcwUnregister@4 ; PcwUnregister(x)
		and	_PcwpEventTracingSessionCounterSet, 0

loc_A3EEEB:				; CODE XREF: EtwUnregisterCounters()+7j
		mov	eax, _PcwpEventTracingCounterSet
		test	eax, eax
		jz	short locret_A3EF01
		push	eax
		call	_PcwUnregister@4 ; PcwUnregister(x)
		and	_PcwpEventTracingCounterSet, 0

locret_A3EF01:				; CODE XREF: EtwUnregisterCounters()+1Dj
		retn
_EtwUnregisterCounters@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpEventTracingCounterSetCallback(x, x, x)
_EtwpEventTracingCounterSetCallback@12 proc near ; DATA	XREF: EtwRegisterCounters()+12o

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+5Ch+var_4], eax
		mov	edx, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		push	2Ch
		pop	eax
		mov	word ptr [esp+68h+var_48], ax
		lea	edi, [esp+68h+var_20]
		push	2Eh
		pop	eax
		mov	word ptr [esp+68h+var_48+2], ax
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		mov	eax, [ebp+arg_0]
		dec	eax
		mov	[esp+68h+var_44], (offset loc_8C9E8A+4)
		sub	eax, 1
		jz	short loc_A3EF56
		sub	eax, 1
		jz	short loc_A3EF56
		xor	eax, eax
		jmp	loc_A3F0D4
; 

loc_A3EF56:				; CODE XREF: EtwpEventTracingCounterSetCallback(x,x,x)+46j
					; EtwpEventTracingCounterSetCallback(x,x,x)+4Bj
		mov	edi, [edx+14h]
		mov	[esp+68h+var_4C], edi
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		xor	esi, esi
		cmp	[ebp+arg_8], 1
		mov	ebx, [eax+1F0h]
		jnz	loc_A3EFF8
		mov	[esp+68h+var_2C], esi
		xor	edx, edx
		mov	[esp+68h+var_28], esi
		mov	[esp+68h+var_24], esi
		jmp	short loc_A3EFA2
; 

loc_A3EF84:				; CODE XREF: EtwpEventTracingCounterSetCallback(x,x,x)+ACj
		cmp	[ecx+40h], esi
		jnz	short loc_A3EF8F
		inc	[esp+68h+var_28]
		jmp	short loc_A3EFA0
; 

loc_A3EF8F:				; CODE XREF: EtwpEventTracingCounterSetCallback(x,x,x)+85j
		lea	eax, [ecx+24h]
		cmp	[eax], eax
		jnz	short loc_A3EF9C
		inc	[esp+68h+var_24]
		jmp	short loc_A3EFA0
; 

loc_A3EF9C:				; CODE XREF: EtwpEventTracingCounterSetCallback(x,x,x)+92j
		inc	[esp+68h+var_2C]

loc_A3EFA0:				; CODE XREF: EtwpEventTracingCounterSetCallback(x,x,x)+8Bj
					; EtwpEventTracingCounterSetCallback(x,x,x)+98j
		mov	edx, ecx

loc_A3EFA2:				; CODE XREF: EtwpEventTracingCounterSetCallback(x,x,x)+80j
		push	esi
		mov	ecx, ebx
		call	_EtwpGetNextGuidEntry@12 ; EtwpGetNextGuidEntry(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_A3EF84
		mov	eax, [ebx+8C8h]
		mov	[esp+68h+var_38], eax
		mov	eax, [ebx+8C4h]
		mov	[esp+68h+var_30], eax
		mov	eax, [ebx+8C0h]
		mov	[esp+68h+var_34], eax
		lea	eax, [esp+68h+var_38]
		mov	[esp+68h+var_58], eax
		lea	eax, [esp+68h+var_58]
		push	eax
		push	1
		push	esi
		lea	eax, [esp+74h+var_48]
		mov	[esp+74h+var_54], 18h
		push	eax
		push	edi
		call	_PcwAddInstance@20 ; PcwAddInstance(x,x,x,x,x)
		mov	ecx, eax
		jmp	loc_A3F0D2
; 

loc_A3EFF8:				; CODE XREF: EtwpEventTracingCounterSetCallback(x,x,x)+6Cj
		mov	eax, esi
		mov	ecx, esi
		mov	[esp+68h+var_5C], eax
		mov	[esp+68h+var_58], ecx
		cmp	[ebx+8], esi
		jbe	loc_A3F0D2

loc_A3F00D:				; CODE XREF: EtwpEventTracingCounterSetCallback(x,x,x)+1CAj
		push	esi
		mov	edx, eax
		mov	ecx, ebx
		call	EtwpAcquireLoggerContextByLoggerId
		mov	edx, eax
		mov	[esp+68h+var_50], edx
		test	edx, edx
		jz	loc_A3F0BC
		push	6
		xor	eax, eax
		lea	edi, [esp+6Ch+var_20]
		pop	ecx
		rep stosd
		cmp	dword ptr [edx+0E0h], 1
		mov	eax, [edx+0A0h]
		jnz	short loc_A3F049
		imul	eax, [edx+4]
		mov	[esp+68h+var_20], eax
		jmp	short loc_A3F051
; 

loc_A3F049:				; CODE XREF: EtwpEventTracingCounterSetCallback(x,x,x)+13Bj
		imul	eax, [edx+4]
		mov	[esp+68h+var_1C], eax

loc_A3F051:				; CODE XREF: EtwpEventTracingCounterSetCallback(x,x,x)+145j
		mov	eax, [edx+0A8h]
		mov	[esp+68h+var_10], eax
		mov	eax, [edx+108h]
		mov	[esp+68h+var_C], eax
		lea	eax, [esp+68h+var_5C]
		push	eax
		push	esi
		push	8
		lea	eax, [esp+74h+var_18]
		push	eax
		push	0Ah
		call	WmiQueryTraceInformation
		mov	edi, [esp+68h+var_50]
		lea	eax, [esp+68h+var_20]
		mov	[esp+68h+var_40], eax
		lea	eax, [esp+68h+var_40]
		push	eax
		push	1
		push	[esp+70h+var_5C]
		lea	eax, [edi+5Ch]
		mov	[esp+74h+var_3C], 18h
		push	eax
		push	[esp+78h+var_4C]
		call	_PcwAddInstance@20 ; PcwAddInstance(x,x,x,x,x)
		xor	dl, dl
		mov	[esp+68h+var_58], eax
		mov	ecx, edi
		call	@EtwpReleaseLoggerContext@8 ; EtwpReleaseLoggerContext(x,x)
		mov	ecx, [esp+68h+var_58]
		test	ecx, ecx
		js	short loc_A3F0D2
		jmp	short loc_A3F0C0
; 

loc_A3F0BC:				; CODE XREF: EtwpEventTracingCounterSetCallback(x,x,x)+11Dj
		mov	ecx, [esp+68h+var_58]

loc_A3F0C0:				; CODE XREF: EtwpEventTracingCounterSetCallback(x,x,x)+1B8j
		mov	eax, [esp+68h+var_5C]
		inc	eax
		mov	[esp+68h+var_5C], eax
		cmp	eax, [ebx+8]
		jb	loc_A3F00D

loc_A3F0D2:				; CODE XREF: EtwpEventTracingCounterSetCallback(x,x,x)+F1j
					; EtwpEventTracingCounterSetCallback(x,x,x)+105j ...
		mov	eax, ecx

loc_A3F0D4:				; CODE XREF: EtwpEventTracingCounterSetCallback(x,x,x)+4Fj
		mov	ecx, [esp+68h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_EtwpEventTracingCounterSetCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LkmdTelCreateReport(x, x, x, x, x, x)
_LkmdTelCreateReport@24	proc near	; CODE XREF: WheapReportLiveDump(x)+5Bp

var_2E0		= dword	ptr -2E0h
var_2DC		= dword	ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2E4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	2CCh		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_2D8]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_2DC], ebx
		mov	edi, 200h
		mov	[ebp+var_2E0], ebx
		push	74614454h
		push	74h
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A3F237
		push	74h		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		push	74614454h
		push	20000h
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	loc_A3F219
		push	offset ??_C@_19MBPIHHGH@?$AAW?$AAH?$AAE?$AAA@NNGAKEGL@ ; char
		push	offset ??_C@_17EEOGHOKP@?$AA?$CF?$AAw?$AAs@NNGAKEGL@ ; wchar_t *
		lea	edi, [esi+54h]
		push	20h		; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		test	eax, eax
		js	loc_A3F219
		lea	eax, [ebp+var_2DC]
		mov	[ebp+var_2E0], 1
		push	eax
		lea	eax, [ebp+var_2E0]
		push	eax
		push	edi		; char
		call	ds:__imp__WerLiveKernelCreateReport@12 ; WerLiveKernelCreateReport(x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_A3F1BD
		push	edi		; char
		push	offset ??_C@_0DM@MDCGBJNP@LKMDTEL?3?5WerLiveKernelCreateRep@NNGAKEGL@ ;	char *
		push	ebx		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	short loc_A3F215
; 

loc_A3F1BD:				; CODE XREF: LkmdTelCreateReport(x,x,x,x,x,x)+C0j
		cmp	[ebp+var_2E0], ebx
		jnz	short loc_A3F1D8
		push	offset ??_C@_0EG@JBJCILOI@LKMDTEL?3?5WerPolicy?5is?5WerLiveKe@NNGAKEGL@	; char *
		push	1		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		jmp	short loc_A3F219
; 

loc_A3F1D8:				; CODE XREF: LkmdTelCreateReport(x,x,x,x,x,x)+DBj
		mov	eax, [ebp+var_2DC]
		mov	[esi+50h], eax
		lea	eax, [ebp+var_2D8]
		push	eax
		call	dword ptr ds:__imp__RtlCaptureContext@4	; RtlCaptureContext(x)
		push	dword ptr [esi]	; size_t
		lea	eax, [ebp+var_2D8]
		push	[ebp+arg_C]	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		push	124h		; int
		push	ebx		; size_t
		push	eax		; int
		call	_KeCapturePersistentThreadState@32 ; KeCapturePersistentThreadState(x,x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_A3F219
		mov	[esi+4], eax

loc_A3F215:				; CODE XREF: LkmdTelCreateReport(x,x,x,x,x,x)+D3j
		test	edi, edi
		jns	short loc_A3F280

loc_A3F219:				; CODE XREF: LkmdTelCreateReport(x,x,x,x,x,x)+77j
					; LkmdTelCreateReport(x,x,x,x,x,x)+97j	...
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_A3F22A
		push	74614454h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A3F22A:				; CODE XREF: LkmdTelCreateReport(x,x,x,x,x,x)+135j
		push	74614454h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, ebx

loc_A3F237:				; CODE XREF: LkmdTelCreateReport(x,x,x,x,x,x)+51j
		cmp	[ebp+var_2DC], ebx
		jz	short loc_A3F280
		push	[ebp+var_2DC]
		call	ds:__imp__WerLiveKernelCancelReport@4 ;	WerLiveKernelCancelReport(x)
		mov	edi, offset ??_C@_0DC@NDBFJGLB@LKMDTEL?3?5WerLiveCancelReport?5fa@NNGAKEGL@
		test	eax, eax
		jns	short loc_A3F262
		push	eax		; char
		push	edi		; char *
		push	1		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_A3F262:				; CODE XREF: LkmdTelCreateReport(x,x,x,x,x,x)+16Aj
		push	[ebp+var_2DC]
		call	ds:__imp__WerLiveKernelCloseHandle@4 ; WerLiveKernelCloseHandle(x)
		test	eax, eax
		jns	short loc_A3F280
		push	eax		; char
		push	edi		; char *
		push	1		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_A3F280:				; CODE XREF: LkmdTelCreateReport(x,x,x,x,x,x)+12Fj
					; LkmdTelCreateReport(x,x,x,x,x,x)+155j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_LkmdTelCreateReport@24	endp


;  S U B	R O U T	I N E 


; __stdcall LkmdTelSubmitReport(x)
_LkmdTelSubmitReport@4 proc near	; CODE XREF: WheapReportLiveDump(x)+98p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		call	_LkmdTelpWriteDumpFile@4 ; LkmdTelpWriteDumpFile(x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A3F2AD
		push	esi
		push	offset ??_C@_0EJ@KNFLKGLB@LKMDTEL?3?5LkmdTelSubmitReport?3?5L@NNGAKEGL@
		jmp	short loc_A3F2C4
; 

loc_A3F2AD:				; CODE XREF: LkmdTelSubmitReport(x)+10j
		push	0
		push	dword ptr [edi+50h]
		call	ds:__imp__WerLiveKernelSubmitReport@8 ;	WerLiveKernelSubmitReport(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A3F2D0
		push	esi		; char
		push	offset ??_C@_0EN@BDGICLBJ@LKMDTEL?3?5LkmdTelSubmitReport?3?5W@NNGAKEGL@	; char *

loc_A3F2C4:				; CODE XREF: LkmdTelSubmitReport(x)+18j
		push	0		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_A3F2D0:				; CODE XREF: LkmdTelSubmitReport(x)+29j
		mov	eax, [edi+50h]
		test	eax, eax
		jz	short loc_A3F31B
		test	esi, esi
		jns	short loc_A3F2F8
		push	eax
		call	ds:__imp__WerLiveKernelCancelReport@4 ;	WerLiveKernelCancelReport(x)
		test	eax, eax
		jns	short loc_A3F2F8
		push	eax		; char
		push	offset ??_C@_0EN@BGMPLCFC@LKMDTEL?3?5LkmdTelSubmitReport?3?5W@NNGAKEGL@	; char *
		push	1		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_A3F2F8:				; CODE XREF: LkmdTelSubmitReport(x)+46j
					; LkmdTelSubmitReport(x)+51j
		push	dword ptr [edi+50h]
		call	ds:__imp__WerLiveKernelCloseHandle@4 ; WerLiveKernelCloseHandle(x)
		test	eax, eax
		jns	short loc_A3F317
		push	eax		; char
		push	offset ??_C@_0EM@FOEELLKM@LKMDTEL?3?5LkmdTelSubmitReport?3?5W@NNGAKEGL@	; char *
		push	1		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_A3F317:				; CODE XREF: LkmdTelSubmitReport(x)+70j
		and	dword ptr [edi+50h], 0

loc_A3F31B:				; CODE XREF: LkmdTelSubmitReport(x)+42j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		retn
_LkmdTelSubmitReport@4 endp


;  S U B	R O U T	I N E 


; __stdcall LkmdTelpUpdateSecondaryData(x)
_LkmdTelpUpdateSecondaryData@4 proc near ; CODE	XREF: LkmdTelpWriteDumpFile(x)+54p
		mov	eax, [ecx+0Ch]
		mov	edx, [ecx]
		add	eax, 20030h
		push	esi
		push	edi
		lea	esi, [ecx+10h]
		and	dword ptr [edx+0FA4h], 0
		lea	edi, [ecx+34h]
		mov	[edx+0FA0h], eax
		mov	dword ptr [ecx+20h], 706D7544h
		mov	dword ptr [ecx+24h], 626F6C42h
		mov	dword ptr [ecx+28h], 10h
		mov	eax, _NtBuildNumber
		mov	[ecx+2Ch], eax
		mov	dword ptr [ecx+30h], 20h
		movsd
		movsd
		movsd
		movsd
		and	dword ptr [ecx+48h], 0
		and	dword ptr [ecx+4Ch], 0
		mov	eax, [ecx+0Ch]
		pop	edi
		mov	[ecx+44h], eax
		pop	esi
		retn
_LkmdTelpUpdateSecondaryData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall LkmdTelpWriteDumpFile(x)
_LkmdTelpWriteDumpFile@4 proc near	; CODE XREF: LkmdTelSubmitReport(x)+7p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	eax, [esp+18h+var_C]
		push	eax
		xor	ebx, ebx
		mov	[esp+1Ch+var_8], ebx
		push	dword ptr [esi+50h]
		mov	[esp+20h+var_4], ebx
		mov	[esp+20h+var_C], ebx
		call	ds:__imp__WerLiveKernelOpenDumpFile@8 ;	WerLiveKernelOpenDumpFile(x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_A3F3C1
		push	edi		; char
		push	offset ??_C@_0EP@JAKBNMKN@LKMDTEL?3?5LkmdTelpWriteDumpFile?3@NNGAKEGL@ ; char *
		push	ebx		; int
		push	5		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	loc_A3F44E
; 

loc_A3F3C1:				; CODE XREF: LkmdTelpWriteDumpFile(x)+30j
		cmp	[esi+0Ch], ebx
		jbe	short loc_A3F3D2
		cmp	[esi+8], ebx
		jz	short loc_A3F3D2
		mov	ecx, esi
		call	_LkmdTelpUpdateSecondaryData@4 ; LkmdTelpUpdateSecondaryData(x)

loc_A3F3D2:				; CODE XREF: LkmdTelpWriteDumpFile(x)+4Bj
					; LkmdTelpWriteDumpFile(x)+50j
		push	ebx
		push	ebx
		push	dword ptr [esi+4]
		lea	eax, [esp+2Ch+var_10]
		push	dword ptr [esi]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[esp+40h+var_14]
		mov	ebx, ds:__imp__ZwWriteFile@36 ;	ZwWriteFile(x,x,x,x,x,x,x,x,x)
		call	ebx ; ZwWriteFile(x,x,x,x,x,x,x,x,x) ; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A3F44E
		xor	ecx, ecx
		cmp	[esi+0Ch], ecx
		jbe	short loc_A3F44E
		push	ecx
		push	ecx
		push	10h
		lea	eax, [esi+20h]
		push	eax
		lea	eax, [esp+30h+var_10]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[esp+40h+var_14]
		call	ebx ; ZwWriteFile(x,x,x,x,x,x,x,x,x) ; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A3F44E
		xor	ecx, ecx
		lea	eax, [esi+30h]
		push	ecx
		push	ecx
		push	20h
		push	eax
		lea	eax, [esp+30h+var_10]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[esp+40h+var_14]
		call	ebx ; ZwWriteFile(x,x,x,x,x,x,x,x,x) ; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A3F44E
		xor	ecx, ecx
		lea	eax, [esp+20h+var_10]
		push	ecx
		push	ecx
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[esp+40h+var_14]
		call	ebx ; ZwWriteFile(x,x,x,x,x,x,x,x,x) ; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	edi, eax

loc_A3F44E:				; CODE XREF: LkmdTelpWriteDumpFile(x)+43j
					; LkmdTelpWriteDumpFile(x)+78j	...
		cmp	[esp+20h+var_14], 0
		jz	short loc_A3F45F
		push	[esp+20h+var_14]
		call	ds:__imp__ZwClose@4 ; ZwClose(x)

loc_A3F45F:				; CODE XREF: LkmdTelpWriteDumpFile(x)+DAj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_LkmdTelpWriteDumpFile@4 endp

; 
; Exported entry 1531. NtImageInfo
		public _NtImageInfo
_NtImageInfo	dd 0
		dd 0Ah,	0
		dd 0A000008h, 0C8h, 0D30h
_CmFileNameExtensions dd 0		; DATA XREF: CmpOpenHiveFile+D6r
		dd offset ??_C@_19MLBOKLHF@?$AA?4?$AAL?$AAO?$AAG@LBKOJDO@
		align 10h
		dd offset ??_C@_1M@FLNLKDAJ@?$AA?4?$AAL?$AAO?$AAG?$AA1@LBKOJDO@
		dd offset ??_C@_1M@EJGOAMOH@?$AA?4?$AAL?$AAO?$AAG?$AA2@LBKOJDO@
; 

_CmpRegistryProcessName:
		cld
		cmp	eax, 3DD800A4h
		movsb
; 
		db 0
_CmpProcessorControl db	0B4h ;  OFF32 SEGDEF [PAGE,A43DB4]
		db 3Dh
; 
		movsb
		add	[eax+3Dh], bh
		movsb
		add	[eax+3Dh], ch
		movsb
; 
		db 0
; 

_CmpRegistryAppString:
		push	eax
		cmp	eax, 3D3400A4h
		movsb
		add	ds:3C8800A4h[edi], dl
		movsb
		add	[eax], cl
		cmp	al, 0A4h
		add	[eax+1000A43Bh], cl
		cmp	esp, ds:??_C@_1KK@OBGIGMAN@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@[eax+eax]

_CmpRegistryMachineSystemCurrentControlSetControlSafeBootString:
		call	near ptr 70A4990Ah
		cmp	ds:??_C@_1IK@HBJLIGFJ@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@[eax+eax], esp

_CmpRegistryMachineSystemCurrentControlSetServicesString:
		js	short near ptr loc_A3F511+1
		movsb
		add	[eax], cl
		cmp	ds:??_C@_1GA@LDINLKCH@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@[eax+eax], ah

_CmpRegistryMachineSystemCurrentControlSetString:
		push	eax
		aaa
		movsb
		add	[eax], bl
		aaa
		movsb
		add	al, dl
		movs	byte ptr es:[edi], byte	ptr ss:[esi]
		add	[eax+3000A436h], al
		movs	byte ptr es:[edi], byte	ptr ss:[esi]
		add	al, dl
		xor	eax, 358000A4h
		movsb
		add	[eax+35h], cl
		movsb
		add	ds:351000A4h[esi], ah
		movsb

loc_A3F50B:				; DATA XREF: PAGEDATA:00A9331Co
		add	[esi], dl
		add	[eax], bl
		add	al, bh

loc_A3F511:				; CODE XREF: PAGE:_CmpRegistryMachineSystemCurrentControlSetServicesStringj
		xor	al, 0A4h

loc_A3F513:				; DATA XREF: PAGEDATA:_CmpWellKnownVolumeListo
		add	[esi], dl
		add	[eax], bl
		add	al, ah
		xor	al, 0A4h
; 
		db 0
_nullclass	dd 2 dup(0)		; DATA XREF: CmpSetVersionData+A7o
					; CmpSetVersionData+104o ...
_IopCacheHitIncrement dd 0
; void *CmTypeString
_CmTypeString	dd offset loc_A42F57+1	; DATA XREF: pIoQueryDeviceDescription+6Fr
					; pIoQueryDeviceDescription+1B3r ...
		dd offset ??_C@_1CC@GHGIBEHL@?$AAC?$AAe?$AAn?$AAt?$AAr?$AAa?$AAl?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo@LBKOJDO@
		dd offset ??_C@_1CO@KLKKJNCD@?$AAF?$AAl?$AAo?$AAa?$AAt?$AAi?$AAn?$AAg?$AAP?$AAo?$AAi?$AAn?$AAt?$AAP?$AAr@LBKOJDO@
		dd offset ??_C@_1BM@GCEPECGH@?$AAP?$AAr?$AAi?$AAm?$AAa?$AAr?$AAy?$AAI?$AAC?$AAa?$AAc?$AAh?$AAe@LBKOJDO@
		dd offset ??_C@_1BM@NFLFDCDM@?$AAP?$AAr?$AAi?$AAm?$AAa?$AAr?$AAy?$AAD?$AAC?$AAa?$AAc?$AAh?$AAe@LBKOJDO@
		dd offset loc_A42FF3+1
		dd offset loc_A43013+1
		dd offset loc_A43033+1
; wchar_t *off_A3F548
off_A3F548	dd offset ??_C@_1BI@PHEFAEKH@?$AAE?$AAi?$AAs?$AAa?$AAA?$AAd?$AAa?$AAp?$AAt?$AAe?$AAr@LBKOJDO@
					; DATA XREF: pIoQueryBusDescription+22Ar
; wchar_t *off_A3F54C
off_A3F54C	dd offset ??_C@_1BE@IHHIDKBI@?$AAT?$AAc?$AAA?$AAd?$AAa?$AAp?$AAt?$AAe?$AAr@LBKOJDO@
					; DATA XREF: pIoQueryBusDescription+24Ar
		dd offset ??_C@_1BI@LIFBGIEG@?$AAS?$AAc?$AAs?$AAi?$AAA?$AAd?$AAa?$AAp?$AAt?$AAe?$AAr@LBKOJDO@
		dd offset ??_C@_1BG@LOBCDFDG@?$AAD?$AAt?$AAi?$AAA?$AAd?$AAa?$AAp?$AAt?$AAe?$AAr@LBKOJDO@
; wchar_t *off_A3F558
off_A3F558	dd offset ??_C@_1CK@BONJKOHP@?$AAM?$AAu?$AAl?$AAt?$AAi?$AAf?$AAu?$AAn?$AAc?$AAt?$AAi?$AAo?$AAn?$AAA?$AAd@LBKOJDO@
					; DATA XREF: pIoQueryBusDescription+20Dr
		dd offset ??_C@_1BO@NBDLLCOE@?$AAD?$AAi?$AAs?$AAk?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe?$AAr@LBKOJDO@
		dd offset ??_C@_1BO@DMBPOFBI@?$AAT?$AAa?$AAp?$AAe?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe?$AAr@LBKOJDO@
		dd offset ??_C@_1CA@NCNEDNBG@?$AAC?$AAd?$AAR?$AAo?$AAm?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe?$AAr@LBKOJDO@
		dd offset ??_C@_1BO@LHOKFBHH@?$AAW?$AAo?$AAr?$AAm?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe?$AAr@LBKOJDO@
		dd offset ??_C@_1CC@BHFHDMKO@?$AAS?$AAe?$AAr?$AAi?$AAa?$AAl?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe@LBKOJDO@
		dd offset ??_C@_1CE@EOABGGPC@?$AAN?$AAe?$AAt?$AAw?$AAo?$AAr?$AAk?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl@LBKOJDO@
		dd offset ??_C@_1CE@FDGHAKKG@?$AAD?$AAi?$AAs?$AAp?$AAl?$AAa?$AAy?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl@LBKOJDO@
		dd offset ??_C@_1CG@INBLODGN@?$AAP?$AAa?$AAr?$AAa?$AAl?$AAl?$AAe?$AAl?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@LBKOJDO@
		dd offset ??_C@_1CE@OAFMNDDC@?$AAP?$AAo?$AAi?$AAn?$AAt?$AAe?$AAr?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl@LBKOJDO@
		dd offset ??_C@_1CG@EPHKBOAL@?$AAK?$AAe?$AAy?$AAb?$AAo?$AAa?$AAr?$AAd?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@LBKOJDO@
		dd offset ??_C@_1CA@GICEICIJ@?$AAA?$AAu?$AAd?$AAi?$AAo?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe?$AAr@LBKOJDO@
		dd offset ??_C@_1CA@MPJPFNOP@?$AAO?$AAt?$AAh?$AAe?$AAr?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe?$AAr@LBKOJDO@
		dd offset ??_C@_1BO@OABDOLEF@?$AAD?$AAi?$AAs?$AAk?$AAP?$AAe?$AAr?$AAi?$AAp?$AAh?$AAe?$AAr?$AAa?$AAl@LBKOJDO@
		dd offset ??_C@_1CK@BMIHPOLL@?$AAF?$AAl?$AAo?$AAp?$AAp?$AAy?$AAD?$AAi?$AAs?$AAk?$AAP?$AAe?$AAr?$AAi?$AAp@LBKOJDO@
		dd offset ??_C@_1BO@NDHLMLJ@?$AAT?$AAa?$AAp?$AAe?$AAP?$AAe?$AAr?$AAi?$AAp?$AAh?$AAe?$AAr?$AAa?$AAl@LBKOJDO@
		dd offset ??_C@_1CA@FNEPGGCI@?$AAM?$AAo?$AAd?$AAe?$AAm?$AAP?$AAe?$AAr?$AAi?$AAp?$AAh?$AAe?$AAr?$AAa?$AAl@LBKOJDO@
		dd offset loc_A43307+1
		dd offset loc_A4332B+1
		dd offset loc_A4334F+1
		dd offset loc_A43373+1
		dd offset ??_C@_1CG@KJFBDCKC@?$AAT?$AAe?$AAr?$AAm?$AAi?$AAn?$AAa?$AAl?$AAP?$AAe?$AAr?$AAi?$AAp?$AAh?$AAe@LBKOJDO@
		dd offset ??_C@_1CA@POLHAEEO@?$AAO?$AAt?$AAh?$AAe?$AAr?$AAP?$AAe?$AAr?$AAi?$AAp?$AAh?$AAe?$AAr?$AAa?$AAl@LBKOJDO@
		dd offset loc_A433E3+1
		dd offset ??_C@_1CE@HPCJDPFD@?$AAN?$AAe?$AAt?$AAw?$AAo?$AAr?$AAk?$AAP?$AAe?$AAr?$AAi?$AAp?$AAh?$AAe?$AAr@LBKOJDO@
		dd offset ??_C@_1BK@GDHDNALB@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy@LBKOJDO@
		dd offset ??_C@_1CG@ONFLCPHN@?$AAD?$AAo?$AAc?$AAk?$AAi?$AAn?$AAg?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa?$AAt@LBKOJDO@
		dd offset ??_C@_1DA@JIDFBLKA@?$AAR?$AAe?$AAa?$AAl?$AAM?$AAo?$AAd?$AAe?$AAI?$AAr?$AAq?$AAR?$AAo?$AAu?$AAt@LBKOJDO@
		dd offset ??_C@_1CO@LCDGCCNJ@?$AAR?$AAe?$AAa?$AAl?$AAM?$AAo?$AAd?$AAe?$AAP?$AAC?$AAI?$AAE?$AAn?$AAu?$AAm@LBKOJDO@
		dd offset ??_C@_1BE@NGPHOPKF@?$AAU?$AAn?$AAd?$AAe?$AAf?$AAi?$AAn?$AAe?$AAd@LBKOJDO@
; 

_CmpEditionBuildLabExString:		; DATA XREF: CmpQueryEditionVersion+9A522o
		and	al, [eax]
		and	al, 0
		or	[edx-5Ch], al
; 
		db 0
; 

_CmpEditionBuildLabString:		; DATA XREF: CmpQueryEditionVersion+9A48Ao
		push	ds
		add	[eax], ah
		add	al, ch
		inc	ecx
		movsb
; 
		db 0
; 

_CmpEditionBuildBranchString:		; DATA XREF: CmpQueryEditionVersion+9A3EEo
		and	al, 0
		db	26h
		add	al, al
		inc	ecx
		movsb

loc_A3F5E7:				; DATA XREF: CmpQueryEditionVersion+9A387o
		add	[esi], bl
		add	[eax], ah

loc_A3F5EB:				; DATA XREF: CmpQueryEditionVersion+9A321o
		add	[eax+2400A441h], ah
		add	[esi], ah
		add	[eax+41h], bh
		movsb
; 
		db 0
; 

_CmpEditionVersionString:		; DATA XREF: CmpQueryEditionVersion+79o
		sbb	al, 0
		push	ds
		add	[eax+41h], bl
		movsb

loc_A3F5FF:				; DATA XREF: CmpSetVersionData+134o
		add	[eax+eax], dl
		push	ss
		add	[eax+41h], al
		movsb

loc_A3F607:				; DATA XREF: CmpSetVersionData+3A5o
		add	[eax+eax], dl
		push	ss
		add	[eax], ch
		inc	ecx
		movsb

loc_A3F60F:				; DATA XREF: CmpOpenDevicesControlSet+33o
					; CmGetSystemDriverList+1BF4Eo
		add	[esi], cl
		add	[eax], dl
		add	[eax], bl
		inc	ecx
		movsb

loc_A3F617:				; DATA XREF: CmpOpenDevicesControlSet+49o
					; CmpOpenDevicesControlSet+9A09Eo ...
		add	[eax+eax], cl
		push	cs
		add	[eax+3Dh], ch
		movsb

loc_A3F61F:				; DATA XREF: CmSetAcpiHwProfile+191o
					; CmSetAcpiHwProfile+9B981o ...
		add	[edx], dh
		add	[eax+eax], dh
		in	al, 40h		; Timer	8253-5 (AT: 8254.2).
		movsb

loc_A3F627:				; DATA XREF: CmSetAcpiHwProfile+392o
					; CmpMoveBiosAliasTable(x,x,x,x,x,x,x,x)+40Eo ...
		add	[edx], ah
		add	[eax+eax], ah
		rol	byte ptr [eax-5Ch], 0

_CmpControlIdConfigDbString:		; DATA XREF: CmpMarkCurrentProfileDirty()+4Co
					; CmSetAcpiHwProfile+108o ...
		and	al, 0

loc_A3F632:				; DATA XREF: CmpMarkCurrentValueDirty(x,x)+29o
					; CmpCreateControlSet+119o
		add	es:[eax+0C00A440h], bl
		add	[esi], cl
; 
		db 0
		dd offset ??_C@_1O@PMDCHDHI@?$AAS?$AAe?$AAl?$AAe?$AAc?$AAt@LBKOJDO@
_CmpPerflibPathString dd offset	loc_8E008C ; DATA XREF:	CmpCreatePerfKeys+3Do
		dd offset ??_C@_1IO@GJAPCHJE@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
; 

_CmpCurrentMinorVersionString:		; DATA XREF: CmpSetVersionData+250o
		xor	al, [eax]
		xor	al, 0
		les	edi, [edi+0]	; CmpCaptureKeyValueArray(x,x,x,x,x,x)
		movsb

loc_A3F64F:				; DATA XREF: CmpSetVersionData+22Eo
		add	[edx], dh
		add	[eax+eax], dh
		nop
		aas
		movsb

loc_A3F657:				; DATA XREF: CmpSetVersionData+1A4o
					; CmpSetVersionData+208o
		add	[eax+eax], bl
		push	ds
		add	[eax+3Fh], dh
		movsb

loc_A3F65F:				; DATA XREF: CmpSetVersionData+2EAo
		add	[esi], dl
		add	[eax], bl
		add	[eax+3Fh], bl
		movsb

loc_A3F667:				; DATA XREF: CmpMarkCurrentProfileDirty()+C5o
					; CmpCreateHardwareProfiles+114o ...
		add	[edx], bl
		add	[eax+eax], bl
		cmp	al, 3Fh
		movsb

loc_A3F66F:				; DATA XREF: CmpRestampVersion(x,x)+F1o
		add	[eax+eax], dl
		push	ss
		add	[edi+edi], ah
		movsb

loc_A3F677:				; DATA XREF: CmpRestampVersion(x,x)+CEo
		add	[eax], dl
		add	[edx], dl
		add	[eax], dl
		aas
		movsb

loc_A3F67F:				; DATA XREF: CmpRestampVersion(x,x)+ABo
		add	[esi], dl
		add	[eax], bl
		add	al, bh
		db	3Eh
		movs	byte ptr es:[edi], byte	ptr ds:[esi]
; 
		db 0
; 

_CmpUBRString:				; DATA XREF: CmpRestampVersion(x,x)+88o
		push	es
		add	[eax], cl
		add	al, dh
		db	3Eh
		movs	byte ptr es:[edi], byte	ptr ds:[esi]

loc_A3F68F:				; DATA XREF: CmpRestampVersion(x,x)+74o
		add	[eax], bl
		add	[edx], bl
		add	ah, dl
		db	3Eh
		movs	byte ptr es:[edi], byte	ptr ds:[esi]

loc_A3F697:				; DATA XREF: CmpRestampVersion(x,x)+5Co
		add	[eax+eax], ah

loc_A3F69A:				; DATA XREF: CmpMarkCurrentValueDirty(x,x)+5Do
					; CmpCreateControlSet+167o ...
		add	es:[esi+edi+0E00A4h], ch
		adc	[eax], al
		pushf
		db	3Eh
		movs	byte ptr es:[edi], byte	ptr ds:[esi]

loc_A3F6A7:				; DATA XREF: CmpSetVersionData+309o
					; CmpSetVersionData+9A6A4o
		add	[eax+eax], dl
		push	ss

loc_A3F6AB:				; DATA XREF: CmpSetVersionData+9A6E7o
					; CmpSetVersionData:loc_92A3A2o
		add	[esi+edi+1C00A4h], al
		push	ds
		add	[esi+edi-5Ch], ah

loc_A3F6B7:				; DATA XREF: CmpInterlockedFunction+77o
		add	[esi], ch
		add	[eax], dh
		add	[esi+edi], dh
		movsb

loc_A3F6BF:				; DATA XREF: sub_785212+127Co
					; sub_785212+1669o ...
		add	[ecx+16001200h], cl
		add	[edx], edx
		add	[eax-0FFEE00h],	ah
		add	[edi], ebx

loc_A3F6CF:				; DATA XREF: IopSymlinkGetECP(x,x)+3o
					; IopSymlinkRemoveECP(x,x)+3o ...
		add	[edx-458C2AEFh], cl
		mov	[edi+46F49243h], bl

loc_A3F6DB:				; DATA XREF: .text:00521DD8r
					; IoCheckQuerySetFileInformation(x,x,x)+11o
		ror	dword ptr [ecx+50D252h], cl
; 
		db 3 dup(0)
		dd 28h,	10100000h, 80100h, 8000004h, 8000008h, 4001000h
		dd 10084800h, 38h, 800000Ch, 4080408h, 14h, 3 dup(0)
		dd 800h, 8001004h, 4000800h, 4040010h
		dd 0FFh
_IopQueryOperationLength db 0		; DATA XREF: IopValidateQueryInformationParameters+49r
					; IoCheckQuerySetFileInformation(x,x,x)+18o
		align 4
		dd 4081828h, 804h, 80000h, 680404h, 8200800h, 181028h
		dd 4810h, 8381038h, 0
		dd 4000400h, 8200C14h, 1000808h, 740C0200h, 18080000h
		dd 240000h, 8000000h, 4600048h,	4040000h, 0FFh
_IopSetFsOperationAccess dd 0		; DATA XREF: IoCheckFunctionAccess(x,x,x,x,x,x)+C9r
					; NtSetVolumeInformationFile(x,x,x,x,x)+C0r
		align 8
		dd 2, 3	dup(0)
		dd 2, 0
		dd 2, 0
		dd 100h, 4 dup(0)
		dd 0FFFFFFFFh
_IopSetFsOperationLength db 0		; DATA XREF: IoCheckQuerySetVolumeInformation(x,x,x)+9o
					; NtSetVolumeInformationFile(x,x,x,x,x)+55r
		align 2
		dw 8
		dd 300000h, 40040h, 0FF000000h
; 

_IopQueryFsOperationLength:		; DATA XREF: PAGE:007F727Ar
					; IoCheckQuerySetVolumeInformation(x,x,x)+10o
		add	[eax], bl
		add	[eax], bl
		or	[eax], dl
		xor	[eax], ah
		inc	eax
		or	al, 4
		sbb	al, 4
		adc	[eax-1], ah
; 
_IopSetOperationAccess dd 0		; DATA XREF: .text:00521E44r
					; .text:loc_521F56r ...
		dd 3 dup(0)
		dd 100h, 5 dup(0)
		dd 10000h, 2 dup(0)
		dd 10000h, 5 dup(0)
		dd 2 dup(2), 2 dup(0)
		dd 100h, 0
		dd 100h, 5 dup(0)
		dd 2, 4	dup(0)
		dd 2, 2	dup(0)
		dd 2, 10000h, 0Bh dup(0)
		dd 0FFFFFFFFh, 0Bh dup(0)
		dd 2 dup(10000h), 0
		dd 100h, 8 dup(0)
		dd 0FFFFFFFFh
_SysEnvTraceLoggingProvider dd offset dword_6B2D08
_IopQueryFsOperationAccess dd 0		; DATA XREF: PAGE:007F733Br
					; IoCheckFunctionAccess(x,x,x,x,x,x)+B1r
		dd 5 dup(0)
		dd 1, 3	dup(0)
		dd 80h,	4 dup(0)
		dd 0FFFFFFFFh
_IopQueryOperationAccess dd 0		; DATA XREF: NtQueryInformationFile(x,x,x,x,x)+BFr
					; IoCheckFunctionAccess(x,x,x,x,x,x)+5Ar
		dd 3 dup(0)
		dd 80h,	0Ah dup(0)
		dd 8, 2	dup(0)
		dd 80h,	4 dup(0)
		dd 3 dup(80h), 8 dup(0)
		dd 2 dup(80h), 5 dup(0)
		dd 2 dup(80h), 2 dup(1), 80h, 0
		dd 80h,	3 dup(0)
		dd 80h,	0FFFFFFFFh, 0Eh	dup(0)
		dd 2 dup(80h), 0
		dd 88h,	3 dup(0)
		dd 80h,	0
		dd 0FFFFFFFFh
; 

_IopSysEnvFunctionTableHal:		; DATA XREF: IopOpenSystemVariableDevice(x,x,x)+107o
		div	byte ptr [edx+0] ; CmpCaptureKeyValueArray(x,x,x,x,x,x)
		xchg	eax, esi
		add	[ebp-22FF69C8h], bh
		db	2Eh
		xchg	eax, esi
		add	[edi+esi-6Ah], al

loc_A3FA9B:				; DATA XREF: IopOpenSystemVariableDevice(x,x,x)+4Ao
					; IopOpenSystemVariableDevice(x,x,x)+A5o
		add	[esi], dl
		xor	al, 96h
		add	[edi+52009639h], cl
		das
		xchg	eax, esi
		add	[eax+edi], al
		xchg	eax, esi

loc_A3FAAB:				; DATA XREF: IopOpenSystemVariableDevice(x,x,x)+DBo
		add	[ebx+esi], dl
		xchg	eax, esi
		add	bl, bl
		cmp	[esi-69D10800h], dl
		add	[edi+37h], bl
		xchg	eax, esi
		add	[eax+42h], bh
		movsb
		add	[eax], dh
		inc	edx
		movsb

loc_A3FAC3:				; DATA XREF: PiDevCfgResolveVariableExpression(x,x,x):loc_97B790o
					; PiDevCfgResolveVariableExpression(x,x,x)+3DEo ...
		add	large ds:0, al
; 
		db 3 dup(0)
		dd 0
		dd 20000h
		dd offset ??_C@_11LOCGONAA@@LBKOJDO@
		dd 3 dup(0)
; 

_PiDevCfgNullSid:			; DATA XREF: PiDevCfgGetKeySecurityDescriptor(x,x):loc_976241o
		add	[ecx], eax
; 
		dw 0
		align 10h
; wchar_t *off_A3FAF0
off_A3FAF0	dd offset ??_C@_1BC@FOJGCCIG@?$AAC?$AAo?$AAn?$AAs?$AAt?$AAa?$AAn?$AAt@LBKOJDO@
					; DATA XREF: PiDevCfgResolveVariable(x,x,x)+14Dr
off_A3FAF4	dd offset _PiDevCfgResolveVariableConstant@12
					; DATA XREF: PiDevCfgResolveVariable(x,x,x):loc_97AF9Ar
					; PiDevCfgResolveVariableConstant(x,x,x)
		dd offset ??_C@_1BG@LOINBPFE@?$AAE?$AAx?$AAp?$AAr?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn@LBKOJDO@
		dd offset _PiDevCfgResolveVariableExpression@12	; PiDevCfgResolveVariableExpression(x,x,x)
; 
		xor	al, 44h
		movsb
		add	ah, bl
		setalc
		xchg	eax, edi
		add	[esp+eax*2-39D1FF5Ch], bh
		xchg	eax, edi
		add	[esp+eax*2-4DFFFF5Ch], bl
		xchg	eax, edi
		add	[eax+2500A444h], cl
		aad	97h
		add	[eax+44h], bh
		movsb
		add	[ecx-34h], ah
		xchg	eax, edi
		add	ah, bh
		inc	esp
		movsb

loc_A3FB2B:				; DATA XREF: PiDevCfgResolveVariableExpression(x,x,x)+17Eo
		add	[ebx+ecx*8+97h], cl
; 
		dw 0
dword_A3FB34	dd 0			; DATA XREF: PiDevCfgResolveVariableExpression(x,x,x):loc_97B679r
		dd 0
		dd 1
		dd offset ??_C@_13KJIIAINM@?$AA?$CL@LBKOJDO@
		dd 2 dup(2)
		dd offset ??_C@_13IMODFHAA@?$AA?9@LBKOJDO@
		dd 2, 3
		dd offset ??_C@_13BBDEGPLJ@?$AA?$CK@LBKOJDO@
		dd 2, 4
		dd offset ??_C@_13EJFHHPOP@?$AA?$CF@LBKOJDO@+4
		dd 2, 5
		dd offset ??_C@_13EJFHHPOP@?$AA?$CF@LBKOJDO@
		dd 2, 6
		dd offset ??_C@_15IHHINOJD@?$AA?$DM?$AA?$DM@LBKOJDO@
		dd 2, 7
		dd offset ??_C@_15GALJLHBD@?$AA?$DO?$AA?$DO@LBKOJDO@
		dd 2, 8
		dd offset ??_C@_13FLOCNAAB@?$AA?$CG@LBKOJDO@
		dd 2, 9
		dd offset ??_C@_13PPFCDPMH@?$AA?$HM@LBKOJDO@
		dd 2, 0Ah
		dd offset ??_C@_13PFGJFIHC@?$AA?$FO@LBKOJDO@
		dd 2, 0Bh
		dd offset ??_C@_13FFFLPHEM@?$AA?$HO@LBKOJDO@
		dd 1, 0Ch
		dd offset ??_C@_13MGDFOILI@?$AA?$CB@LBKOJDO@
		dd 1, 0Dh
		dd offset ??_C@_15BKJBEIJF@?$AA?$CG?$AA?$CG@LBKOJDO@
		dd 2, 0Eh
		dd offset ??_C@_15BDDEIMMC@?$AA?$HM?$AA?$HM@LBKOJDO@
		dd 2, 0Fh
		dd offset ??_C@_15PEJIGKFD@?$AA?$DN?$AA?$DN@LBKOJDO@
		dd 2, 10h
		dd offset ??_C@_15IAIMKILD@?$AA?$CB?$AA?$DN@LBKOJDO@
		dd 2, 11h
		dd offset ??_C@_13GEEGGHPK@?$AA?$DM@LBKOJDO@
		dd 2, 12h
		dd offset loc_A4457B+1
		dd 2, 13h
		dd offset ??_C@_15DPMELJPG@?$AA?$DM?$AA?$DN@LBKOJDO@
		dd 2, 14h
		dd offset ??_C@_15HCAMBIPN@?$AA?$DO?$AA?$DN@LBKOJDO@
		dd 2, 15h
		dd offset ??_C@_15CEIHPDOB@?$AA?$DP?$AA?3@LBKOJDO@
		dd 3, 16h
		dd offset ??_C@_13HGPDMIBE@?$AA?$DP@LBKOJDO@
		dd 1, 17h
		dd offset ??_C@_15CKIFGADI@?$AA?$CB?$AA?$DP@LBKOJDO@
		dd 1, 18h
		dd offset ??_C@_13EFKPHINO@?$AA?$EA@LBKOJDO@
		dd 2, 19h
		dd offset ??_C@_13GMDMCADD@?$AA?$CD@LBKOJDO@
		dd 1, 1Ah
		dd offset ??_C@_13PBOLBIIK@?$AA$@LBKOJDO@
		dd 1
off_A3FC74	dd offset ??_C@_19HGHALIPE@?$AAN?$AAu?$AAl?$AAl@LBKOJDO@
					; DATA XREF: PiDevCfgResolveVariable(x,x,x)+195r
					; PiDevCfgResolveVariable(x,x,x)+1CBo
		align 10h
		dd offset loc_A444E3+1
		align 8
		dd 1
		dd offset ??_C@_1M@GDFLIJGE@?$AAF?$AAa?$AAl?$AAs?$AAe@LBKOJDO@
		dd 2 dup(0)
		dd offset ??_C@_1M@CCCHEHOB@?$AAE?$AAm?$AAp?$AAt?$AAy@LBKOJDO@
		dd offset ??_C@_11LOCGONAA@@LBKOJDO@
		dd 0
off_A3FCA4	dd offset ??_C@_1BI@ELGHKGG@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AAI?$AAd?$AAs@NNGAKEGL@
					; DATA XREF: PiDevCfgQueryDeviceMigrationNode(x,x,x):loc_978DEEr
		dd offset ??_C@_1BM@BIEIEELI@?$AAC?$AAo?$AAm?$AAp?$AAa?$AAt?$AAi?$AAb?$AAl?$AAe?$AAI?$AAd?$AAs@NNGAKEGL@
dword_A3FCAC	dd 10000h		; DATA XREF: PiDevCfgFindDeviceMigrationNode(x,x,x,x,x)+2C6r
		dd 1000h
dword_A3FCB4	dd 33205054h, 7, 3 dup(0) ; DATA XREF: PiSwIrpPropertySet+5Ao
					; PiSwIrpInterfaceSetState+57o	...
off_A3FCC8	dd offset ??_C@_1O@HAMLNBEA@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@LBKOJDO@
					; DATA XREF: PiDevCfgResolveVariableKeyHandle(x,x,x)+B5r
					; PiDevCfgResolveVariableKeyHandle(x,x,x)+FBo
		dd 102h
dword_A3FCD0	dd 0			; DATA XREF: PiDevCfgEnumDeviceKeys(x,x,x,x,x,x,x)+1Fo
		dd 11h,	0
		dd offset ??_C@_1O@GAOCKAOK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@LBKOJDO@
		dd 1, 0
		dd 12h,	0
		dd offset ??_C@_1BC@LDHKIAE@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@LBKOJDO@
		dd 2, 0
		dd 10h,	0
		dd offset ??_C@_1BG@COALCEMK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAi?$AAe?$AAs@LBKOJDO@
		dd 1, 0
		dd 10h,	0
		dd offset ??_C@_1M@OAHBGIFG@?$AAC?$AAl?$AAa?$AAs?$AAs@LBKOJDO@
		dd 1, 7, 2 dup(0)
		dd offset ??_C@_1BC@DHAHNLLM@?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe?$AAs@LBKOJDO@
		dd 4, 6, 2 dup(0)
		dd offset ??_C@_1BA@JGFNDEFA@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@LBKOJDO@
		dd 1, 4, 0
		dd offset ??_C@_1BA@JGFNDEFA@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@LBKOJDO@
; wchar_t *off_A3FD54
off_A3FD54	dd offset ??_C@_1O@GAOCKAOK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@LBKOJDO@
					; DATA XREF: PiDevCfgGetDriverConfigurationKeyScope(x)+Cr
dword_A3FD58	dd 1			; DATA XREF: PiDevCfgGetDriverConfigurationKeyScope(x):loc_61449Cr
		dd offset ??_C@_1O@HAMLNBEA@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@LBKOJDO@
		dd 2
		dd offset ??_C@_1BC@DHAHNLLM@?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe?$AAs@LBKOJDO@
		dd 4
		dd offset ??_C@_1BG@JELGADA@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAf?$AAa?$AAc?$AAe?$AAs@LBKOJDO@
		dd 8
		dd offset ??_C@_1BA@HICHNCPO@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@LBKOJDO@
		dd 10h
		dd offset ??_C@_1BA@DJLBFCNB@?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@LBKOJDO@
		dd 20h
		dd offset ??_C@_17EIBGDPNK@?$AAW?$AAd?$AAf@LBKOJDO@
		dd 100h, 0
off_A3FD90	dd offset _GUID_BUS_TYPE_PCI
					; DATA XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+BCo
		dd 11h
		dd offset ??_C@_1CK@CHPJJMAE@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAr?$AAu?$AAp?$AAt?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg@LBKOJDO@
		dd 2 dup(0)
		dd offset _GUID_BUS_TYPE_PCI
		dd 11h
		dd offset ??_C@_1EK@INHJLCLA@?$AAe?$AA5?$AAb?$AA3?$AAb?$AA5?$AAa?$AAc?$AA?9?$AA9?$AA7?$AA2?$AA5?$AA?9?$AA4@LBKOJDO@
		dd 0
; 

_PiDevCfgSystem32:			; DATA XREF: PiDevCfgMakeServiceBootStart(x)+17Bo
		adc	[eax], al
		adc	al, [eax]
		int	3		; Trap to Debugger
		inc	edx
		movsb

loc_A3FDBB:				; DATA XREF: PiDevCfgMakeServiceBootStart(x)+11Fo
		add	[eax], bl
		add	[edx], bl
		add	al, ah
		inc	edx
		movsb
; 
		db 0
_PiDevCfgNullGuid dd 4 dup(0)		; DATA XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x):loc_977062o
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x):loc_97716Co ...
_PiDevCfgEmptyString dd	20000h		; DATA XREF: PiDevCfgPushCopyKeyEntry(x,x,x,x)+70o
					; PiDevCfgPushCopyKeyEntry(x,x,x,x)+ABo ...
off_A3FDD8	dd offset ??_C@_11LOCGONAA@@LBKOJDO@
					; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+1A1Er
; 

_PiDevCfgNullDriver:
		or	[eax], al
		or	al, [eax]
		rol	byte ptr [edx-5Ch], 0

_PiDrvDbDriverStoresRoot:		; DATA XREF: PiDrvDbQuerySystemPathWin32(x,x)+155o
					; PiDrvDbResolveKeyFilePaths(x)+84o
		sbb	al, [eax]
		sbb	al, 0
		mov	ah, 45h
		movsb

loc_A3FDEB:				; DATA XREF: PiDrvDbOverlayNodeHive(x,x,x)+70o
		add	[eax+esi*4-75h], dl
		add	[eax+76h], cl
		mov	eax, [eax]
		adc	[eax-4FD1FF75h], dh
		mov	eax, [eax]

_PiDrvDbSystemRootWin32:		; DATA XREF: PiDrvDbResolveFilePathKeyValues(x,x,x,x)+E2o
					; PiDrvDbResolveSystemFilePath(x,x,x,x,x,x)+E4o
		sbb	[eax], al
		sbb	al, [eax]
		rol	byte ptr [ebp-5Ch], 1 ;	CmpCaptureKeyValueArray(x,x,x,x,x,x)
; 
		db 0
; 

_PiDrvDbSystemRootNt:			; DATA XREF: PiDrvDbQuerySystemPathWin32(x,x)+FCo
					; PiDrvDbResolveFilePathKeyValues(x,x,x,x)+CBo	...
		push	ss
		add	[eax], bl
		add	al, ah
		xor	al, 0A4h
		add	[edx+0], al
		push	esp
		add	[eax+0], cl
		inc	ebp
		add	[esi+0], cl
		push	ebp
		add	[ebp+0], cl
		pop	esp
; 
		db 0
dword_A3FE1C	dd 2 dup(0)		; DATA XREF: PAGE:00A400E8o
dword_A3FE24	dd 0E60112h, 2011Bh, 0C0019h, 1, 2 dup(0)
					; DATA XREF: PiSwIrpStartCreate+53o
		dd 11B5B05h, 190002h, 10014h, 2	dup(0)
		dd 5B050000h, 8001Dh, 3155B01h,	6080010h, 0F1004C06h, 1B5BFFh
		dd 190001h, 1002Ch, 2 dup(0)
		dd 5B020000h, 140315h, 0FFD8004Ch, 3165B08h, 5C4B001Ch
		dd 185C46h, 8120018h, 4C5B5C25h, 0EFFE300h, 1B5B08h, 190001h
		dd 10020h, 2 dup(0)
		dd 5B020000h, 280316h, 5C465C4Bh, 180018h, 5C250812h, 245C46h
		dd 20120024h, 4C5BFFD2h, 8FFB500h, 5B5C0808h, 28031Bh
		dd 340019h, 10011h, 0
		dd 2710h, 49485C4Bh, 28h, 180002h, 8120018h, 245C25h, 20120024h
		dd 4C5BFF9Ah, 5BFFAB00h, 3C0316h, 5C465C4Bh, 0
		dd 5C250812h, 45C46h, 8120004h,	5C465C25h, 80008h, 5C250812h
		dd 105C46h, 20120010h, 5C46FEF0h, 180018h, 0FEFC2012h
		dd 1C5C46h, 12001Ch, 5C46FF0Eh,	240024h, 5C250812h, 285C46h
		dd 8120028h, 5C465C25h,	300030h, 0FEFC2012h, 385C46h, 20120038h
		dd 85BFF64h, 3 dup(8080808h), 5B5C0808h
dword_A3FF88	dd 360112h, 28031Bh, 19h, 10011h, 0 ; DATA XREF: PiSwIrpPropertySet+50o
		dd 2710h, 49485C4Bh, 28h, 180002h, 8120018h, 245C25h, 20120024h
		dd 4C5BFEE6h, 5BFEF700h, 80316h, 5C465C4Bh, 40004h, 0FFBE2012h
		dd 5B08085Bh
dword_A3FFD4	dd 360112h, 28031Bh, 80019h, 10011h, 0
					; DATA XREF: PiSwIrpInterfaceRegister+5Fo
		dd 2710h, 49485C4Bh, 28h, 180002h, 8120018h, 245C25h, 20120024h
		dd 4C5BFE9Ah, 5BFEAB00h, 140316h, 5C465C4Bh, 0
		dd 0FE400012h, 45C46h, 8120004h, 5C465C25h, 0C000Ch, 0FFAA2012h
		dd 808085Bh, 5B5C0808h
dword_A40038	dd 20112h, 80316h, 5C465C4Bh, 0	; DATA XREF: PiSwIrpInterfaceSetState+4Do
		dd 5C250812h, 5B08085Bh
dword_A40050	dd 360112h, 28031Bh, 40019h, 10011h, 0
					; DATA XREF: PiSwIrpInterfacePropertySet+4Do
		dd 2710h, 49485C4Bh, 28h, 180002h, 8120018h, 245C25h, 20120024h
		dd 4C5BFE1Eh, 5BFE2F00h, 0C0316h
dword_A4008C	dd 5C465C4Bh, 0		; DATA XREF: DbgkpSendErrorMessage+1CEo
		dd 5C250812h, 85C46h, 20120008h, 85BFFB4h, 5B5C0808h, 0
; 

_ObpDosDevicesShortName:
		or	[eax], al
		or	[eax], al
		pusha

loc_A400B1:				; DATA XREF: PopIdleWakeGenerateDescriptionString(x,x)+32r
		add	ds:??_C@_1BM@KEFGLAAA@?$AAS?$AAp?$AAu?$AAr?$AAi?$AAo?$AAu?$AAs?$AA?5?$AAW?$AAa?$AAk?$AAe@LBKOJDO@[eax+eax], esp
		in	al, 50h
		movsb
		add	[eax], ch
		push	eax
		movsb
		add	[eax+50h], dl
		movsb
		add	[eax+edx*2-5Ch], ch

loc_A400C7:				; DATA XREF: PiSwIrpPropertySet+55o
					; PiSwIrpInterfaceSetState+52o	...
		add	[eax], bl
		add	dword ptr ds:_MIDL_user_allocate@4[eax+eax], esp ; MIDL_user_allocate(x)
		ffreep	st(5)
		mov	ds:6FDA5000h, eax
; 
		db 0
		dd 4 dup(0)
		dd offset dword_A3FE1C+6
		dd 1, 0A0000h, 0
		dd 801026Eh, 3 dup(0)
		dd 1, 3	dup(0)
		dd 44h,	0DE6B4478h, 4445ACB7h, 0CDCE19ACh, 0A798984Bh
		dd 1, 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 6 dup(0)
; 

_PopIrTimerDescriptionsLength:
		adc	[eax], al
; 
		dw 0
_ObpDosDevicesShortNamePrefix dd 3F005Ch ; DATA	XREF: ObpCreateSymbolicLinkName+109r
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+4AAr
off_A40164	dd offset loc_5C0039+6	; DATA XREF: ObpCreateSymbolicLinkName+114r
					; ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+4B9r
; 

_ObpDosDevicesShortNameRoot:		; DATA XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+679r
		pop	esp
		add	[edi], bh
		add	[edi], bh
; 
		db 3 dup(0)
; 

_ObpKernelObjectsNameString:		; DATA XREF: ObpInitializeRootNamespace+7Eo
		sbb	al, [eax]
		sbb	al, 0
		sub	[esi-5Ch], al

loc_A40177:				; DATA XREF: ObpInitializeRootNamespace+658D3o
		add	[eax+eax], bl
		push	ds
		add	[eax], cl
		inc	esi
		movsb

loc_A4017F:				; DATA XREF: ObpInitializeRootNamespace+BAo
		add	[esi], dl
		add	[eax], bl

loc_A40183:				; DATA XREF: ObpInitializeRootNamespace:loc_8E5F52o
		add	[eax+1800A446h], dh
		add	[edx], bl

loc_A4018B:				; DATA XREF: ObpCreateDosDevicesDirectory+155o
		add	[esi+eax*2+600A4h], dl
		or	[eax], al

loc_A40194:				; DATA XREF: ObpCreateDosDevicesDirectory+10Bo
					; ObCreateSiloRootDirectory(x,x)+23Co
		push	1200A401h
		add	[eax+eax], dl
		add	byte ptr [esi-5Ch], 0

_ObpGlobalDirectoryName:		; DATA XREF: ObpCreateDosDevicesDirectory+74o
					; ObInitServerSilo+85FFCo
		adc	[eax], al
		adc	al, [eax]
		insb
		inc	esi
		movsb

loc_A401A7:				; DATA XREF: ObCreateSiloRootDirectory(x,x)+10Bo
					; ObInitSystem+413o
		add	[edx], al
		add	[eax+eax], al
		add	al, 46h
		movsb

loc_A401AF:				; DATA XREF: ObpCreateDosDevicesDirectory+16Eo
		add	[eax+eax], dl
		push	ss
		add	ah, ch
		inc	ebp
		movsb

loc_A401B7:				; DATA XREF: ObpCreateDosDevicesDirectory+DBo
		add	[eax+eax], dl
		push	ss
		add	[esi+eax*2-5Ch], dl

loc_A401BF:				; DATA XREF: ObpCreateDosDevicesDirectory+128o
		add	[eax+eax], cl
		push	cs
		add	[esi+eax*2-5Ch], al

loc_A401C7:				; DATA XREF: PoInitHiberServices+A1EF4r
		add	[eax+eax], al
; 
		dw 0
		dd 5
; 

_PpmProcessorDriverDispatchTable:	; DATA XREF: NtPowerInformation+1407o
		db	3Eh
		add	[eax], al
		add	[edx-2], bh	; CODE XREF: PAGE:00A401E8j
		mov	[eax], eax
		test	eax, 2D009A75h
		and	dword ptr (byte_A491FF-0A4925Ch)[eax+eax], 0FFFFFFA8h
		wait
		add	al, ah
		xchg	eax, ebp
		mov	[eax], al
		jnz	short near ptr loc_A401D3+1
		add	fs:[ebp-61h], bl
		call	far ptr	5700h:9A99C700h
		movsd
		call	far ptr	7B00h:5425CE00h
		out	dx, eax
		add	fs:[esi], cl
		out	dx, al
		add	fs:[esi], dh
		scasd
		wait
		add	dh, ch
		lodsd
		wait
		add	[edi], bh
		lodsd
		wait
		add	[edi], bh
		scasb
		wait
		add	[esi+480057CBh], ch
		enter	64h, 0EAh
		mov	dword ptr (byte_6AB5FF-6AB60Ah)[eax+eax], 150064C6h
		leave
		db	64h
		add	ah, cl
		enter	64h, 53h
		mov	dword ptr (byte_6AB5FF-6AB64Bh)[eax+eax], 5425h
; 
		db 3 dup(0)
		dd offset _PpmHeteroGetHgsEnablementStatus@0 ; PpmHeteroGetHgsEnablementStatus()
		dd offset _PpmHeteroDispatchHgsInterrupt@0 ; PpmHeteroDispatchHgsInterrupt()
		dd offset _PpmPerfQueryPackageId@4 ; PpmPerfQueryPackageId(x)
		dd offset _PpmPerfQueryPackageProcessorCount@4 ; PpmPerfQueryPackageProcessorCount(x)
; 

_PopBthEnumEnumeratorPrefix:		; DATA XREF: PopDirectedDripsDiagSanitizeHardwareId(x)+53o
					; PopDirectedDripsDiagSanitizeHardwareId(x):loc_9BC429o
		adc	[eax], al
		adc	al, [eax]
		or	al, 0FEh
; 
		dw 0A3h
; 

_PopIrTimerDescriptions:		; DATA XREF: PopIdleWakeGenerateDescriptionString(x,x)+AAr
		pop	eax
		dec	edi
		movsb
		add	[eax+4Fh], ch
		movsb
		add	[esi+ecx*2+4EC800A4h], bl
		movsb
		add	ah, ah
		dec	esi
		movsb
		add	al, dh
		dec	esi
		movsb
		add	ah, ah
		dec	edi
		movsb
		add	al, dh
		dec	edi
		movsb
		add	[eax+edx*2], cl
		movsb
		add	[eax+edx*2], bl
		movsb
		add	[eax-67FF5BB1h], cl
		dec	edi
		movsb
		add	[edi+ecx*2+4FCC00A4h], ch
		movsb
		add	[eax+edx*2+50B800A4h], dl
		movsb
		add	al, ch
		inc	edi
		movsb

loc_A40293:				; DATA XREF: PopDiagTraceHiberStats+113o
		add	al, ah
; 
		db 3 dup(0)
		dd 80000012h
		dd offset ??_C@_1BC@PIAIECI@?$AAP?$AAO?$AAS?$AAT?$AAT?$AAi?$AAm?$AAe@LBKOJDO@
		dd 50h,	12h
		dd offset ??_C@_1CE@OECHCOIM@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAB?$AAo?$AAo?$AAt?$AAM?$AAg?$AAr?$AAT?$AAi@LBKOJDO@
		dd 54h,	12h
		dd offset ??_C@_1BM@MAAMFBPC@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAA?$AAp?$AAp?$AAT?$AAi?$AAm?$AAe@LBKOJDO@
		dd 60h,	80000012h
		dd offset ??_C@_1DA@ONJDJLGG@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAA?$AAp?$AAp?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT@LBKOJDO@
		dd 68h,	80000012h
		dd offset ??_C@_1CM@LGBJGKNF@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAL?$AAi?$AAb?$AAr?$AAa?$AAr?$AAy?$AAI?$AAn@LBKOJDO@
		dd 70h,	80000012h
		dd offset ??_C@_1BO@MCCLNOJC@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAI?$AAn?$AAi?$AAt?$AAT?$AAi?$AAm?$AAe@LBKOJDO@
		dd 78h,	80000012h
		dd offset ??_C@_1CI@DDAGPALP@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@LBKOJDO@
		dd 88h,	80000012h
		dd offset ??_C@_1EC@GLBPNMMI@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAR?$AAe?$AAs?$AAt?$AAo?$AAr?$AAe?$AAI?$AAm@LBKOJDO@
		dd 80h,	80000012h
		dd offset ??_C@_1BK@IHGDOJJ@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAI?$AAo?$AAT?$AAi?$AAm?$AAe@LBKOJDO@
		dd 90h,	80000012h
		dd offset ??_C@_1CK@POAIHJCH@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAD?$AAe?$AAc?$AAo?$AAm?$AAp?$AAr?$AAe?$AAs@LBKOJDO@
		dd 98h,	80000012h
		dd offset ??_C@_1BM@JMJDFPCA@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAM?$AAa?$AAp?$AAT?$AAi?$AAm?$AAe@LBKOJDO@
		dd 0B0h, 80000012h
		dd offset ??_C@_1CA@MFBHDPIB@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAU?$AAn?$AAm?$AAa?$AAp?$AAT?$AAi?$AAm?$AAe@LBKOJDO@
		dd 0B8h, 80000012h
		dd offset ??_C@_1CI@KMDLLIHP@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAU?$AAs?$AAe?$AAr?$AAI?$AAn?$AAO?$AAu?$AAt@LBKOJDO@
		dd 0A8h, 80000012h
		dd offset ??_C@_1CG@JDDNJHMM@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAe?$AAT@LBKOJDO@
		dd 0A0h, 80000012h
		dd offset ??_C@_1DI@BKDGJOEP@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAS?$AAw?$AAi@LBKOJDO@
		dd 0D0h, 80000012h
		dd offset ??_C@_1EC@NPLJOAHD@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAR?$AAe?$AAt?$AAu?$AAr?$AAn?$AAF?$AAr?$AAo@LBKOJDO@
		dd 0E8h, 80000012h
		dd offset ??_C@_1DE@MGNHFHJ@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAe?$AAr?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd?$AAE?$AAn@LBKOJDO@
		dd 108h, 80000012h
		dd offset ??_C@_1DK@LNAMNHGF@?$AAT?$AAi?$AAm?$AAe?$AAS?$AAt?$AAa?$AAm?$AAp?$AAC?$AAo?$AAu?$AAn?$AAt?$AAe@LBKOJDO@
		dd 0F0h, 80000012h
		dd offset ??_C@_1DK@IHCDHLKC@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAR?$AAe?$AAt?$AAu?$AAr?$AAn?$AAS?$AAy?$AAs@LBKOJDO@
		dd 118h, 80000012h
		dd offset ??_C@_1CG@BLKNBNAE@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe?$AAT@LBKOJDO@
		dd 18h,	80000012h
		dd offset ??_C@_1BM@HCECIHOD@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAI?$AAn?$AAi?$AAt?$AAT?$AAi?$AAm?$AAe@LBKOJDO@
		dd 10h,	80000012h
		dd offset ??_C@_1CM@MMAPKBEN@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAS?$AAh?$AAa?$AAr?$AAe?$AAd?$AAB?$AAu?$AAf?$AAf@LBKOJDO@
		dd 28h,	80000012h
		dd offset ??_C@_1CG@KJAIDIGP@?$AAT?$AAo?$AAt?$AAa?$AAl?$AAH?$AAi?$AAb?$AAe?$AAr?$AAn?$AAa?$AAt?$AAe?$AAT@LBKOJDO@
		dd 40h,	12h
		dd offset ??_C@_1DE@MEPFPENI@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAH?$AAi?$AAb@LBKOJDO@
		dd 150h, 80000012h
		dd offset ??_C@_1CK@CIKBCBAO@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAI?$AAn?$AAi@LBKOJDO@
		dd 148h, 80000012h
		dd offset ??_C@_1DK@EFLINPH@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAS?$AAh?$AAa@LBKOJDO@
		dd 160h, 80000012h
		dd offset ??_C@_1CC@CIGNMBJM@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAT?$AAi?$AAm@LBKOJDO@
		dd 190h, 12h
		dd offset ??_C@_1CI@ENDKNON@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAA?$AAn?$AAi?$AAm?$AAa?$AAt?$AAi?$AAo?$AAn@LBKOJDO@
		dd 168h, 80000012h
		dd offset ??_C@_1CK@GLCKBBJM@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAP?$AAa?$AAg?$AAe?$AAs?$AAP?$AAr?$AAo?$AAc@LBKOJDO@
		dd 1A8h, 12h
		dd offset ??_C@_1CG@HJMGCOCM@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAP?$AAa?$AAg?$AAe?$AAs?$AAW?$AAr?$AAi?$AAt@LBKOJDO@
		dd 1C8h, 22h
		dd offset ??_C@_1CG@JKDNNLLE@?$AAB?$AAo?$AAo?$AAt?$AAP?$AAa?$AAg?$AAe?$AAs?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs@LBKOJDO@
		dd 1A0h, 12h
		dd offset ??_C@_1CC@KPOMOBFM@?$AAB?$AAo?$AAo?$AAt?$AAP?$AAa?$AAg?$AAe?$AAs?$AAW?$AAr?$AAi?$AAt?$AAt?$AAe@LBKOJDO@
		dd 1C0h, 22h
		dd offset ??_C@_1BO@EBKJMBFK@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAW?$AAr?$AAi?$AAt?$AAe?$AAR?$AAa?$AAt?$AAe@LBKOJDO@
		dd 0
		dd 40000011h
		dd offset ??_C@_1CE@NFJJNNKA@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAC?$AAo?$AAm?$AAp?$AAr?$AAe?$AAs?$AAs?$AAR?$AAa@LBKOJDO@
		dd 8, 40000011h
		dd offset ??_C@_1BO@IOOHBBDC@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAR?$AAe?$AAa?$AAd?$AAR?$AAa?$AAt?$AAe@LBKOJDO@
		dd 4, 40000011h
		dd offset ??_C@_1CK@ECKEBIG@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAD?$AAe?$AAc?$AAo?$AAm?$AAp?$AAr?$AAe?$AAs@LBKOJDO@
		dd 0Ch,	40000011h
		dd offset ??_C@_1BC@MMNDNCML@?$AAF?$AAi?$AAl?$AAe?$AAR?$AAu?$AAn?$AAs@LBKOJDO@
		dd 1DCh, 11h
		dd offset ??_C@_1DC@FMDNKEGG@?$AAN?$AAo?$AAM?$AAu?$AAl?$AAt?$AAi?$AAS?$AAt?$AAa?$AAg?$AAe?$AAR?$AAe?$AAs@LBKOJDO@
		dd 1E0h, 11h
		dd offset ??_C@_1BK@BGJMKJDB@?$AAM?$AAa?$AAx?$AAH?$AAu?$AAf?$AAf?$AAR?$AAa?$AAt?$AAi?$AAo@LBKOJDO@
		dd 1E4h, 11h
		dd offset ??_C@_1CK@HEELHFJJ@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAe?$AAP?$AAa?$AAg?$AAe?$AAs?$AAP?$AAr?$AAo?$AAc@LBKOJDO@
		dd 198h, 12h
		dd offset ??_C@_1CE@JGHCHEEC@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAC?$AAh?$AAe?$AAc?$AAk?$AAs?$AAu?$AAm?$AAT?$AAi@LBKOJDO@
		dd 30h,	80000012h
		dd offset ??_C@_1CI@CDCODDOA@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAC?$AAh?$AAe?$AAc?$AAk?$AAs?$AAu?$AAm?$AAI?$AAo@LBKOJDO@
		dd 38h,	80000012h
		dd offset loc_A44DB7+1
		dd 0C8h, 80000012h
		dd offset ??_C@_1CK@PKKEPCPN@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAC?$AAh?$AAe?$AAc?$AAk?$AAs?$AAu?$AAm?$AAI@LBKOJDO@
		dd 0C8h, 80000012h
		dd offset ??_C@_1CG@NHBOODHH@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAC?$AAh?$AAe?$AAc?$AAk?$AAs?$AAu?$AAm?$AAT@LBKOJDO@
		dd 170h, 80000012h
		dd offset ??_C@_1CK@NEBEMAKL@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAC?$AAh?$AAe?$AAc?$AAk?$AAs?$AAu?$AAm?$AAI@LBKOJDO@
		dd 178h, 80000012h
; 

_PspJobSchedulingClasses:		; DATA XREF: PspApplyJobLimitsToProcess:loc_8D0B79r
					; PspComputeQuantum:loc_8D4CD5r
		push	es
		or	al, 12h
		sbb	[esi], bl
		and	al, 2Ah
		xor	[esi], dh
		cmp	al, 0

loc_A404CF:				; DATA XREF: PopConfigureHeteroPolicies(x,x):loc_8A11C7r
		add	[ecx+edx*2], al
		movsb

loc_A404D3:				; DATA XREF: PopConfigureHeteroPolicies(x,x)+27Br
		add	[edx+edx*2], ah
		movsb
; 
		db 0
dword_A404D8	dd 0			; DATA XREF: PopConfigureHeteroPolicies(x,x)+2B5r
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@LBKOJDO@
		dd offset ??_C@_1DM@PFNDMIG@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAH@LBKOJDO@
		dd 18h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@LBKOJDO@
		dd offset ??_C@_1DG@NDCFNKJL@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAC?$AAp@LBKOJDO@
		dd 34h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@LBKOJDO@
		dd offset ??_C@_1EA@MJOKHKE@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAC?$AAp@LBKOJDO@
		dd 8
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@LBKOJDO@
		dd offset ??_C@_1EK@PPHFGMFH@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAC?$AAp@LBKOJDO@
		dd 4
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@LBKOJDO@
		dd offset ??_C@_1FA@HJGJFDCC@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAC?$AAp@LBKOJDO@
		align 8
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@LBKOJDO@
		dd offset ??_C@_1EM@DEKBLBMJ@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAC?$AAp@LBKOJDO@
		dd 30h
_PspProtectedRuntimeData dd 0		; DATA XREF: PspCaptureUserProcessParameters+47Fr
dword_A40528	dd 0			; DATA XREF: PspCaptureUserProcessParameters+488r
; 

_PspSystemRootString:
		push	ss
		add	[eax], bl

loc_A4052F:				; DATA XREF: PspInitializeProtectedProcessParameters+CBr
		add	[ebx+edx*2], ah
		movsb
; 
		db 0
; 

_PspPathVarString:
		or	al, [eax]
		or	al, 0
; 
off_A40538	dd offset ??_C@_1M@EIIIDOPD@?$AAP?$AAa?$AAt?$AAh?$AA?$DN@LBKOJDO@
					; DATA XREF: PspInitializeProtectedProcessParameters+69r
; 

_PspSystemDriveString:
		sbb	[eax], al
		sbb	al, [eax]
; 
off_A40540	dd offset ??_C@_1BK@NFBPFMLB@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAD?$AAr?$AAi?$AAv?$AAe?$AA?$DN@LBKOJDO@
					; DATA XREF: PspInitializeProtectedProcessParameters+B1r
; 

_PspSystem32String:
		adc	al, [eax]
		adc	al, 0
; 
off_A40548	dd offset ??_C@_1BE@JPDJANBF@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA3?$AA2@LBKOJDO@
					; DATA XREF: PspInitializeProtectedProcessParameters+98r
; 

_PspVariableQuantums:			; DATA XREF: PsChangeQuantumTable:loc_86E343o
		push	es
		or	al, 12h
		or	al, 18h
		and	al, 0
; 
		db 0
; 

_PspFixedQuantums:			; DATA XREF: PsChangeQuantumTable:loc_90BCF1o
		adc	dl, [edx]

loc_A40556:				; DATA XREF: PsChangeQuantumTable+65o
		adc	ah, [esp]
		and	al, 0

loc_A4055B:				; DATA XREF: PspSiloInitializeSystemRootSymlink(x)+96o
		add	[esi], dl
		add	[eax], bl
		add	al, ah
		xor	al, 0A4h

loc_A40563:				; DATA XREF: PspSiloInitializeSystemRootSymlink(x)+64o
		add	[eax+eax], dl
		push	ss
		add	al, cl
		push	ebx
		movsb

loc_A4056B:				; DATA XREF: PsGetCurrentServerSiloName()+10o
		add	[eax+eax], dl
		push	ss
; 
		db 0
		dd offset ??_C@_1BG@HOMFIHAA@?$AAP?$AAs?$AAH?$AAo?$AAs?$AAt?$AAS?$AAi?$AAl?$AAo@LBKOJDO@
_PspQuotaKeyNames dd offset loc_A0009E	; DATA XREF: PspReadDfssConfigurationValues()+49o
					; PspReadUserQuotaLimits+EFo ...
		dd offset ??_C@_1KA@FFCLDMMF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@
		dd 0A600A4h
		dd offset ??_C@_1KG@PGMKLFDM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@
; 

_PspQuotaLimitOffsets:			; DATA XREF: PspInitializeQuotaBlock:loc_936922r
		add	al, 0
; 
		dw 0
		dd 0
		dd 10h,	20h
; 

_PspDefaultResourceNames:		; DATA XREF: PspReadUserQuotaLimits+122E97o
		and	al, [eax]
		and	al, 0
		loopne	loc_A405ED
		movsb
		add	[eax+eax], bl
		push	ds
		add	[esp+edx*2], al
		movsb
		add	[esi], bl
		add	[eax], ah
		add	[esp+edx*2], ah
		movsb
		add	[eax], ch
		add	[edx], ch
		add	[esp+edx*2-5Ch], al
; 
		db 0
; 

_PspPriorityTable:			; DATA XREF: PspComputeQuantumAndPriority(x,x,x,x,x)+49r
					; PspReadUserQuotaLimits+122F02o
		or	[eax], al
; 
		dw 0
		dd 4, 8, 0Dh, 18h, 6, 0Ah
; 

_PspSysAppIdClaim:			; DATA XREF: PsQueryProcessAttributesByToken(x,x,x)+Do
					; ExpGetProcessInformation+6E0o
		sbb	al, 0
		push	ds

loc_A405D3:				; DATA XREF: PspSinglePrivCheck(x,x,x,x):loc_7D652Br
		add	[eax-7FF5BABh],	bh
		dec	ecx
		test	eax, 0A949F000h

loc_A405DF:				; DATA XREF: PsQueryProcessAttributesByToken(x,x,x):loc_805B16o
		add	[edx], dl
		add	[eax+eax], dl
		fcom	dword ptr [ebp-5Ch]

loc_A405E7:				; DATA XREF: PspSinglePrivCheckAudit(x,x,x)+29o
		add	[eax+eax], ah
		db	26h
		add	ah, ch

loc_A405ED:				; CODE XREF: PAGE:00A40598j
		push	ebp
		movsb
; 
		db 0
_PspNullGuid	dd 4 dup(0)		; DATA XREF: EtwpWriteAppStateChangeSummary+8Eo
; 

_PspPriorityClassRank:			; DATA XREF: PspSetEffectiveJobLimits+11F4B8r
					; PspSetEffectiveJobLimits+11F4BEr
		push	es
		add	[edx], al
; 
		db 4
dword_A40604	dd 30105h		; DATA XREF: PAGE:loc_757233r
					; NtSetInformationJobObject+1ABr
; 

_PspJobInfoLengths:
		xor	[eax], al
; 
		dw 0
		dd 30h,	0Ch, 4,	14h, 4,	8, 60h,	70h, 4,	2, 3 dup(0)
		dd 8, 4, 8, 10h, 1B0h, 0
		dd 3 dup(1), 8,	0
		dd 8, 0
		dd 10h,	8, 0
		dd 88h,	10h, 48h, 68h, 0
		dd 10h,	8, 18h,	270h, 8, 4, 48h, 4, 10h, 2 dup(8), 1
dword_A406C4	dd 0			; DATA XREF: PAGE:007572A3r
					; sub_759647-62Cr
; 

_PspJobInfoAlign:
		add	al, 0
; 
		dw 0
		dd 9 dup(4), 2,	9 dup(4), 3 dup(1), 0Bh	dup(4),	0
		dd 9 dup(4), 8,	4, 1, 0
; 

_PspLargePageDLLKeyName:		; DATA XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+864o
		sbb	al, [eax]
		sbb	al, 0
		sub	al, 56h
		movsb

loc_A4078F:				; DATA XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+A0Ao
		add	[esi], dl
		add	[eax], bl
		add	[esi+edx*2], dl
		movsb
; 
		db 0
_PspPartitionInfoDetails dd 1		; DATA XREF: NtManagePartition+107r
					; NtManagePartition+13587Er
word_A4079C	dw 80h			; DATA XREF: NtManagePartition+89r
byte_A4079E	db 4			; DATA XREF: NtManagePartition+B1r
					; sub_7B76AF-8Cr
byte_A4079F	db 0Bh			; DATA XREF: NtManagePartition+79r
					; NtManagePartition+12Dr ...
		dd 2, 504000Ch,	2, 1080020h, 2,	304000Ch, 2, 3040014h
		dd 1, 0B040018h, 2, 1080008h, 1, 0B04000Ch, 2, 3040014h
_RtlProtectedAccess dd 0		; DATA XREF: RtlTestProtectedAccess(x,x)+3Cr
dword_A407E4	dd 0			; DATA XREF: PAGE:007A348Br
					; PspValidateCreateProcessProtection(x,x,x,x,x)+2Fr ...
dword_A407E8	dd 0			; DATA XREF: PAGE:007A34C5r
					; PspThreadOpen+21r
		dd 2, 0FC7FEh, 0FE3FDh,	4, 0FC7FEh, 0FE3FDh, 108h, 0FC7FFh
		dd 0FE3FFh, 110h, 0FC7FFh, 0FE3FFh, 13Eh, 0FC7FEh, 0FE3FDh
		dd 17Eh, 0FC7FFh, 0FE3FFh, 1FEh, 0FEFFFh, 0FF7FFh, 0
		dd 0FC6FEh, 0FE3FDh
_RtlReserveChunkProcs dd 0		; DATA XREF: RtlReserveChunk(x,x,x,x,x)+2Br
		dd 0
		dd offset _RtlReserveChunkLZNT1@16 ; RtlReserveChunkLZNT1(x,x,x,x)
		dd offset _RtlReserveChunkNS@16	; RtlReserveChunkNS(x,x,x,x)
		dd offset _RtlReserveChunkNS@16	; RtlReserveChunkNS(x,x,x,x)
_RtlDescribeChunkProcs dd 0		; DATA XREF: RtlDescribeChunk(x,x,x,x,x)+2Br
		align 8
		dd offset _RtlDescribeChunkLZNT1@16 ; RtlDescribeChunkLZNT1(x,x,x,x)
		dd offset _RtlReserveChunkNS@16	; RtlReserveChunkNS(x,x,x,x)
		dd offset _RtlReserveChunkNS@16	; RtlReserveChunkNS(x,x,x,x)
_RtlDecompressFragmentProcs dd 0	; DATA XREF: RtlDecompressFragmentEx(x,x,x,x,x,x,x,x,x)+30r
					; RtlDecompressFragment(x,x,x,x,x,x,x,x)+36r
		dd 0
		dd offset RtlDecompressFragmentLZNT1
		dd offset _RtlDecompressFragmentNS@32 ;	RtlDecompressFragmentNS(x,x,x,x,x,x,x,x)
		dd offset _RtlDecompressFragmentNS@32 ;	RtlDecompressFragmentNS(x,x,x,x,x,x,x,x)
; 
; Exported entry 1490. NlsLeadByteInfo

		public _NlsLeadByteInfo
_NlsLeadByteInfo:
		mov	al, 47h
		test	eax, 0A945B000h

loc_A4088F:				; DATA XREF: .text:0051368Fo
		add	[eax+eax], bl
		push	ds
		add	al, bl
		push	esi
		movsb
		add	[eax], ch
		add	[edx], ch
		add	al, bh
		push	esi
		movsb
		add	[eax+eax], dh
		add	ss:[eax+56h], cl
		movsb
		add	[esi], bl
		add	[eax], ah
		add	[eax+1A00A456h], al
		add	[eax+eax], bl
		mov	al, ds:1800A456h
		add	[edx], bl
		add	[esi+edx*2+2000A4h], bh
		and	al, [eax]
		push	esp
		push	edi
		movsb
		add	[eax], dh
		add	[edx], dh
		add	[eax+57h], bh
		movsb
		add	[eax+eax], ch
		add	cs:[edi+edx*2+2000A4h],	ch
		and	al, [eax]
		fcom	qword ptr [edi-5Ch]
		add	[eax], bl
		add	[edx], bl
		add	[edi+edx*2], ah
		movsb
		add	[eax], dl
		add	[edx], dl
		add	[eax+57h], al
		movsb
; 
		db 0
_RtlBaseAceType	db 0			; DATA XREF: RtlpIsDuplicateAce+ABr
					; RtlpIsDuplicateAce+B1r ...
		db 1, 2, 3
		dd 2010000h, 3
; 

_RtlpLegacyApplicationCapabilityBaseRid:
		add	[eax], eax
; 
		dw 0
_RtlIsSystemAceType db 0		; DATA XREF: RtlpIsDuplicateAce+B9r
					; RtlpCompareKnownObjectAces(x,x,x,x)+27r
		align 2
		dw 101h
		dd 1000000h, 1
dword_A4090C	dd 0AE00ACh		; DATA XREF: RtlGetPersistedStateLocation:loc_7BB8EFo
		dd offset ??_C@_1KO@ILBBOJJH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
		dd offset unk_B000AE
		dd offset ??_C@_1LA@PLBLPNML@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@NNGAKEGL@
_RtlpIntegerWChars dw 30h		; DATA XREF: RtlIntegerToUnicode+8Ar
					; RtlLargeIntegerToUnicode(x,x,x,x)+29r
		dw 31h
a23456789abcd_0:
		unicode	0, <23456789ABCDEF>
_RtlpIntegerChars db 30h		; DATA XREF: RtlLargeIntegerToChar+87r
					; RtlIntegerToChar+5Fr	...
; 
		xor	[edx], esi
		xor	esi, ds:39383736h[esi]
		inc	ecx
		inc	edx
		inc	ebx
		inc	esp
		inc	ebp
		inc	esi

_RtlpRegistryQueryInitialBuffersize:
		test	[eax], al
; 
		dw 0
_RtlFatIllegalTable dd 0FFFFFFFFh	; DATA XREF: RtlIsNameLegalDOS8Dot3+BAr
					; GetNextWchar+5Br
		dd 0FC009C04h, 38000000h, 10000000h
_szDynamicDst	dd offset loc_790041+3	; DATA XREF: RtlpUpdateDynamicTimeZones+195o
aNamicDst:
		unicode	0, <namic DST>,0
; void *RtlpRegistryPaths
_RtlpRegistryPaths dd 0			; DATA XREF: RtlpGetRegistryHandle:loc_7BB58Fr
		dd offset ??_C@_1GI@HGIHOLK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@
		dd offset ??_C@_1GG@KMAKALDL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@
		dd offset ??_C@_1HO@PKFMCJEM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@
		dd offset loc_A45917+1
off_A4098C	dd offset ??_C@_1DA@PDHFOJA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAU?$AAs?$AAe?$AAr?$AA?2@LBKOJDO@
					; DATA XREF: RtlOpenCurrentUser:loc_92CA2Cr
_szLastEntry:				; DATA XREF: RtlpFindRegTziForCurrentYear+B5o
		unicode	0, <LastEntry>,0
; 

_szStandardBias:			; DATA XREF: RtlpQueryTimeZoneInformationWorker(x,x)+FBo
					; RtlpSetTimeZoneInformationWorker(x,x)+D3o
		push	ebx
		add	[eax+eax+61h], dh
		add	[esi+0], ch
		add	fs:[ecx+0], ah
		jb	short $+2
		add	fs:[edx+0], al
		imul	eax, [eax], 730061h
; 
		dd 0
; 

_szDaylightBias:			; DATA XREF: RtlpQueryTimeZoneInformationWorker(x,x)+132o
					; RtlpSetTimeZoneInformationWorker(x,x)+131o
		inc	esp
		add	[ecx+0], ah
		jns	short $+2
		insb
		add	[ecx+0], ch
		add	[bx+si+0], ch
		jz	short $+2
		inc	edx
		add	[ecx+0], ch
		popa
		add	[ebx+0], dh
; 
		dd 0
; 

_szDaylightName:			; DATA XREF: RtlpQueryTimeZoneInformationWorker(x,x)+120o
					; RtlpSetTimeZoneInformationWorker(x,x)+114o
		inc	esp
		add	[ecx+0], ah
		jns	short $+2
		insb
		add	[ecx+0], ch
		add	[bx+si+0], ch
		jz	short $+2
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
; 
		dd 0
_szSlashDynamicDst:			; DATA XREF: RtlpGetDynamicTimeZoneInfoHandle+8Do
		unicode	0, <\Dynamic DST>,0
		align 4

_szStandardStart:			; DATA XREF: RtlpQueryTimeZoneInformationWorker(x,x)+103o
					; RtlpSetTimeZoneInformationWorker(x,x)+F1o
		push	ebx
		add	[eax+eax+61h], dh
		add	[esi+0], ch
		add	fs:[ecx+0], ah
		jb	short $+2
		add	fs:[ebx+0], dl
		jz	short $+2
		popa
		add	[edx+0], dh
		jz	short $+2
; 
		dw 0
; 

_szStandardName:			; DATA XREF: RtlpQueryTimeZoneInformationWorker(x,x)+F3o
					; RtlpSetTimeZoneInformationWorker(x,x)+B0o
		push	ebx
		add	[eax+eax+61h], dh
		add	[esi+0], ch
		add	fs:[ecx+0], ah
		jb	short $+2
		add	fs:[esi+0], cl
		popa
		add	[ebp+0], ch
		add	gs:[eax], al
; 
		db 3 dup(0)
_szDaylightStart:			; DATA XREF: RtlpQueryTimeZoneInformationWorker(x,x)+14Fo
					; RtlpSetTimeZoneInformationWorker(x,x)+14Eo
		unicode	0, <DaylightStart>,0
_szTimeZoneKeyName:			; DATA XREF: RtlpQueryTimeZoneInformationWorker(x,x)+216o
					; RtlpSetTimeZoneInformationWorker(x,x)+18Co
		unicode	0, <TimeZoneKeyName>,0
_szDynamicDaylightDisabled dd offset loc_790041+3
					; DATA XREF: RtlpQueryTimeZoneInformationWorker(x,x)+228o
					; RtlpSetTimeZoneInformationWorker(x,x)+1B2o
aNamicdaylightt:
		unicode	0, <namicDaylightTimeDisabled>,0
_szFirstEntry:				; DATA XREF: RtlpFindRegTziForCurrentYear+70o
		unicode	0, <FirstEntry>,0
		align 4
_szBias:				; DATA XREF: RtlpQueryTimeZoneInformationWorker(x,x)+66o
					; RtlpSetTimeZoneInformationWorker(x,x)+88o
		unicode	0, <Bias>,0
		align 4
_szTimeZonesSlash:			; DATA XREF: RtlpGetDynamicTimeZoneInfoHandle+2Do
		unicode	0, <Time Zones\>,0
; 

_SepNumberOfValidAttributesTypes:
		add	al, 0
; 
		dw 0
; 

_GuidFormat:				; DATA XREF: RtlStringFromGUIDEx(x,x,x)+66o
					; RtlGUIDFromString(x,x)+4Fo
		jnp	short $+2
		and	eax, 38003000h
		add	[eax+eax+78h], ch
		add	ds:30002500h, ch
		add	[eax+eax], dh
		js	short $+2
		sub	eax, 30002500h
		add	[eax+eax], dh
		js	short $+2
		sub	eax, 30002500h
		add	[edx], dh
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		sub	eax, 30002500h
		add	[edx], dh
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		and	eax, 32003000h
		add	[eax+0], bh
		jge	short $+2
; 
		dw 0
; 

; void CheckHeapFillPattern
_CheckHeapFillPattern:			; DATA XREF: RtlpHpSizeHeap(x,x,x)+4Fo
		stosd
		stosd
		stosd
		stosd
		stosd
		stosd
		stosd
		stosd

_SepSystemContextSecurityDescriptor:	; DATA XREF: SeIsSystemContext(x,x)+44o
		add	[eax], eax
		add	al, 80h
		xchg	eax, esp
; 
		db 3 dup(0)
		dd 0A0h, 0
		dd 14h,	800002h, 5, 140000h, 1,	101h, 5000000h,	12h, 140000h
		dd 1, 101h, 5000000h, 6, 280000h, 1, 601h, 5000000h, 50h
		dd 38FB89B5h, 0CBC28419h, 6D236C5Ch, 6E770057h,	876402C0h
		dd 140000h, 1, 101h, 5000000h, 0Ch, 140000h, 1,	101h, 5000000h
		dd 21h,	101h, 5000000h,	12h, 101h, 5000000h, 12h
dword_A40C1C	dd 0			; DATA XREF: SepVariableInitialization()+242r
word_A40C20	dw 1000h		; DATA XREF: SepVariableInitialization()+24Ar
		align 4
dword_A40C24	dd 0			; DATA XREF: SepVariableInitialization()+230r
word_A40C28	dw 500h			; DATA XREF: SepVariableInitialization()+238r
		align 4
dword_A40C2C	dd 0			; DATA XREF: SepVariableInitialization()+266r
word_A40C30	dw 1300h		; DATA XREF: SepVariableInitialization()+26Er
		align 4
dword_A40C34	dd 0			; DATA XREF: SepVariableInitialization()+254r
word_A40C38	dw 0F00h		; DATA XREF: SepVariableInitialization()+25Cr
		align 4
dword_A40C3C	dd 0			; DATA XREF: SepVariableInitialization()+1FAr
word_A40C40	dw 100h			; DATA XREF: SepVariableInitialization()+202r
		align 4
dword_A40C44	dd 0			; DATA XREF: SepVariableInitialization()+1E8r
word_A40C48	dw 0			; DATA XREF: SepVariableInitialization()+1F0r
		align 4
dword_A40C4C	dd 0			; DATA XREF: SepVariableInitialization()+21Er
word_A40C50	dw 300h			; DATA XREF: SepVariableInitialization()+226r
		align 4
dword_A40C54	dd 0			; DATA XREF: SepVariableInitialization()+20Cr
word_A40C58	dw 200h			; DATA XREF: SepVariableInitialization()+214r
		align 4

_SepNumberOfUwpAttributes:
		add	al, 0
; 
		dw 0
; 

_SepValidAttributesTypes:		; DATA XREF: SepCaptureTokenSecurityAttributesInformation+2FBo
		sbb	al, 0
		push	ds
; 
		db 0
		dd offset ??_C@_1BO@BOGEHPME@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAS?$AAY?$AAS?$AAA?$AAP?$AAP?$AAI?$AAD@LBKOJDO@
dword_A40C68	dd 3			; DATA XREF: SepCaptureTokenSecurityAttributesInformation+32Fr
dword_A40C6C	dd 2			; DATA XREF: SepCaptureTokenSecurityAttributesInformation+343r
		dd 140012h
		dd offset ??_C@_1BE@BDEKEKBI@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAP?$AAK?$AAG@LBKOJDO@
		dd 2, 1, 20001Eh
		dd offset ??_C@_1CA@KNFPKGEL@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAP?$AAK?$AAG?$AAH?$AAO?$AAS?$AAT?$AAI?$AAD@LBKOJDO@
		dd 2, 1, 160014h
		dd offset ??_C@_1BG@DFCGIBG@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAB?$AAG?$AAK?$AAD@LBKOJDO@
		dd 2 dup(1)
; 

_SepUwpAttributes:
		sbb	al, 0
		push	ds
		add	[eax+1200A455h], bh
		add	[eax+eax], dl
		fcom	dword ptr [ebp-5Ch]
		add	[esi], bl
		add	[eax], ah
		add	al, ch
		pop	ecx
		movsb
		add	[eax+eax], dl
		push	ss
		add	al, dl
		pop	ecx
		movsb
; 
		db 0
; 

_SeSystemAuthenticationId:		; DATA XREF: SeInitServerSilo(x)+31o
					; SeInitServerSilo(x)+4Ao ...
		out	3, eax		; DMA controller, 8237A-5.
					; channel 1 base address and word count
; 
		dw 0
		align 8

_SeSystemTokenSource:			; DATA XREF: SepCreateToken(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+11o
		sub	dl, [ebx+59h]
		push	ebx
		push	esp
		inc	ebp
		dec	ebp
		sub	al, [eax]
; 
		db 3 dup(0)
		align 8

_SeAnonymousAuthenticationId:		; DATA XREF: SeInitServerSilo(x):loc_9D847Eo
					; SeInitServerSilo(x)+84o ...
		out	3, al		; DMA controller, 8237A-5.
					; channel 1 base address and word count
; 
		dw 0
		align 10h
_SeProtectedMapping db 0		; DATA XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+1B6r
					; SepIsImageInMinTcbList+68r
byte_A40CE1	db 0			; DATA XREF: SeQuerySigningPolicyWorker(x,x,x,x,x,x,x,x)+1C8r
					; SepIsImageInMinTcbList+71r
		dw 404h
		dd 707060Bh, 0C0C080Ch
		db 0Eh,	0Ch
dword_A40CEE	dd 5050C0Eh		; DATA XREF: PspCreateProcess+301r
		align 4

_SepRmCommandPortName:			; DATA XREF: SeRmInitPhase1()+21o
		and	[eax], al
		and	al, [eax]
		aam	5Ch
		movsb
; 
		db 0
_SepRmCommandDispatch dd 0		; DATA XREF: SepRmCommandServerThread+106r
		dd offset SepRmSetAuditEventWrkr
		dd offset _SepRmCreateLogonSessionWrkr@8 ; SepRmCreateLogonSessionWrkr(x,x)
		dd offset _SepRmDeleteLogonSessionWrkr@8 ; SepRmDeleteLogonSessionWrkr(x,x)
		dd offset _SepRmAddLogonSessionInfoWrkr@8 ; SepRmAddLogonSessionInfoWrkr(x,x)
		dd offset SepRmGlobalSaclSetWrkr
		dd offset SepRmCapUpdateWrkr
		dd offset _SepRmProcessCreationCommandLineAuditSettingsWrkr@8 ;	SepRmProcessCreationCommandLineAuditSettingsWrkr(x,x)
		dd offset _SepRmInteractiveLogoffLogonSessionWrkr@8 ; SepRmInteractiveLogoffLogonSessionWrkr(x,x)
		dd offset _SepRmInteractiveLogoffLogonSessionCompletedWrkr@8 ; SepRmInteractiveLogoffLogonSessionCompletedWrkr(x,x)
		dd offset _SepRmMakeLogonSessionsSiblingsWrkr@8	; SepRmMakeLogonSessionsSiblingsWrkr(x,x)
		dd offset _SepRmValidateProcUniqueLuidWrkr@8 ; SepRmValidateProcUniqueLuidWrkr(x,x)
		dd offset _SepRmSetSharedUserSessionWrkr@8 ; SepRmSetSharedUserSessionWrkr(x,x)
; 

_SeMsMinTestTCBList:			; DATA XREF: SepIsMinTCB+147678o
		and	[eax], al
		and	al, [eax]
		push	eax
		pop	esp
		movsb
; 
		db 0
		dd 620000h, 0
		dd 240022h
		dd offset loc_A45C2B+1
		dd 610000h, 0
		dd 1C001Ah
		dd offset ??_C@_1BM@PJLKBIO@?$AAw?$AAi?$AAn?$AAt?$AAe?$AAs?$AAt?$AAp?$AAp?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@
		dd 520000h, 0
		dd 1E001Ch
		dd offset ??_C@_1BO@OKNNMOJG@?$AAw?$AAi?$AAn?$AAt?$AAe?$AAs?$AAt?$AAp?$AAp?$AAl?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@
		dd 510000h, 0
		dd 1E001Ch
		dd offset ??_C@_1BO@CFGKKGNO@?$AAw?$AAi?$AAn?$AAt?$AAe?$AAs?$AAt?$AAn?$AAp?$AAp?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@
		dd 0C0Ch, 0
		dd 260024h
		dd offset ??_C@_1CG@MJCONBCN@?$AAc?$AAo?$AAd?$AAe?$AAg?$AAe?$AAn?$AAt?$AAe?$AAs?$AAt?$AAp?$AAp?$AAl?$AA?4@LBKOJDO@
		dd 210000h, 0
		dd 1C001Ah
		dd offset ??_C@_1BM@KJIGJJKN@?$AAa?$AAm?$AAt?$AAe?$AAs?$AAt?$AAp?$AAp?$AAl?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@
		dd 310000h, 0
		dd 1E001Ch
		dd offset ??_C@_1BO@MLDCGLHA@?$AAa?$AAu?$AAt?$AAh?$AAt?$AAe?$AAs?$AAt?$AAp?$AAp?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@
		dd 120000h, 0
		dd 220020h
		dd offset ??_C@_1CC@IJFBFJPN@?$AAw?$AAi?$AAn?$AAt?$AAe?$AAs?$AAt?$AAa?$AAu?$AAd?$AAi?$AAt?$AA?4?$AAe?$AAx@LBKOJDO@
		dd 0Ch,	0
; 

_SeMsMinTCBList:			; DATA XREF: SepIsMinTCB+B6o
		adc	[eax], al
		adc	al, [eax]
		jo	short loc_A40E20
		movsb
; 
		db 0
		dd 610000h, 0
		dd 260024h
		dd offset loc_A45A97+1
		dd 620000h, 0
		dd 140012h
		dd offset ??_C@_1BE@OMGDNGEO@?$AAc?$AAs?$AAr?$AAs?$AAs?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@
		dd 610000h, 0
		dd 1A0018h
		dd offset ??_C@_1BK@ILFKGFOJ@?$AAs?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe?$AAs?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@
		dd 610000h, 0
		dd 160014h
		dd offset ??_C@_1BG@BKPLIDKL@?$AAs?$AAp?$AAp?$AAs?$AAv?$AAc?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@
		dd 520000h, 0
		dd 1C001Ah
		dd offset loc_A45A53+1
		dd 520000h, 0
; 

loc_A40E20:				; CODE XREF: PAGE:00A40DC4j
		push	ss
		add	[eax], bl
		add	[edx+ebx*2], bh
		movsb
; 
		db 0
		dd 610000h, 0
		dd 140012h
		dd offset ??_C@_1BE@FPBDCMAD@?$AAl?$AAs?$AAa?$AAs?$AAs?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@
		dd 0Ch,	0
		dd 1A0018h
		dd offset loc_A45B43+1
		dd 0Ch,	0
		dd 1A0018h
		dd offset loc_A45B8B+1
		dd 0Ch,	0
		dd 180016h
		dd offset ??_C@_1BI@OBPOPBKG@?$AAa?$AAu?$AAt?$AAo?$AAc?$AAh?$AAk?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@
		dd 0Ch,	2, 340032h
		dd offset ??_C@_1DE@JNGANGBM@?$AAs?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AAh?$AAe?$AAa?$AAl?$AAt?$AAh?$AAs@LBKOJDO@
		dd 510000h, 0
		dd 1E001Ch
		dd offset ??_C@_1BO@ICOPDBBO@?$AAs?$AAg?$AAr?$AAm?$AAb?$AAr?$AAo?$AAk?$AAe?$AAr?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@
		dd 620000h, 0
		dd 1C001Ah
		dd offset loc_A45B27+1
		dd 510000h, 0
		dd 140012h
		dd offset loc_A45B13+1
		dd 510000h, 5 dup(0)
_SepServicesFilterPrivileges dd	offset _SeSystemtimePrivilege
					; DATA XREF: SepFilterPrivilegeAudits+9Do
					; SepFilterPrivilegeAudits+A5r
		align 8

_SepSensitivePrivileges:		; DATA XREF: SepAdtCheckPrivilegeForSensitivity(x,x,x)+3Fo
					; SepAdtCheckPrivilegeForSensitivity(x,x,x)+4Cr
		add	[edx-57h], cl
		add	[eax-1FFF56B4h], ch
		dec	ecx
		test	eax, 0A94CB000h
		add	[eax], dl
		dec	edx
		test	eax, 0A94A7800h
		add	[eax+0A94Ah], cl
		dec	esi
		test	eax, 0A949D800h
		add	[eax], bh
		dec	edx
		test	eax, 0A94CA000h
		add	[eax-4FFF56B4h], bh
		dec	ecx
		test	eax, 0A94C6800h
; 
		db 0
		dd 0
_SepFilterPrivilegesShort dd offset _SeChangeNotifyPrivilege
					; DATA XREF: SepAdtInitializePrivilegeAuditing()+2Ao
					; PAGEDATA:_SepFilterPrivilegeso
		dd offset _SeAuditPrivilege
		dd offset _SeCreateTokenPrivilege
		dd offset _SeAssignPrimaryTokenPrivilege
		dd offset _SeDebugPrivilege
		dd 0
_SepFilterPrivilegesLong dd offset _SeChangeNotifyPrivilege
					; DATA XREF: SepAdtInitializePrivilegeAuditing():loc_8A383Do
		dd offset _SeAuditPrivilege
		dd offset _SeCreateTokenPrivilege
		dd offset _SeAssignPrimaryTokenPrivilege
		dd offset _SeBackupPrivilege
		dd offset _SeRestorePrivilege
		dd offset _SeDebugPrivilege
		dd 0
; 

_SepTokenMapping:			; DATA XREF: SepTokenInitialization()+47o
		sbb	al, [eax]
		add	al, [eax]
		loopne	near ptr loc_A40F42+1

loc_A40F42:				; CODE XREF: PAGE:00A40F40j
		add	al, [eax]
		add	eax, 0FF000200h
		add	[edi], ecx
; 
		db 0
_DesiredAccessForFunction dd 1		; DATA XREF: WmipQuerySetExecuteSI+59r
		dd 1, 2	dup(2),	5 dup(0)
		dd 10h,	4 dup(0)
; 

_GUID_MOF_RESOURCE_ADDED_NOTIFICATION:	; DATA XREF: WmipAddDataSource+16Ao
					; WmipUpdateDataSource+9D78Eo ...
		mov	ds:77B48D49h, al
		out	0D0h, eax
		adc	[ebp-365FFFF4h], esp
		push	es
		sub	[eax], edx

_GUID_MOF_RESOURCE_REMOVED_NOTIFICATION: ; DATA	XREF: WmipUpdateDataSource+9D6BBo
					; WmipDSCleanup(x)+7Ao	...
		mov	ds:77B48D49h, eax
		out	0D0h, eax
		adc	[ebp-365FFFF4h], esp
		push	es
		sub	[eax], edx

; void WmipBinaryMofGuid
_WmipBinaryMofGuid:			; DATA XREF: WmipAddDataSource+1ADo
					; WmipUpdateDataSource+9D6A3o ...
		and	[edx], edx
		nop
		add	eax, 11D1D566h
		mov	dl, 0F0h
		add	[eax+102906C9h], ah

_WmipGenericMapping:			; DATA XREF: WmipCreateGuidObject(x,x,x,x)+A8o
					; WmipInitializeSecurity+193o
		add	[eax], eax
; 
		dw 0
		dd 2, 10h, 121FFFh
_WmipWmiLibInfo	dd 2 dup(0)		; DATA XREF: WmipSystemControl(x,x)+Bo
		dd 7
; void *off_A40FD0
off_A40FD0	dd offset _WmipGuidList	; DATA XREF: IoWMISystemControl+3Dr
					; IoWMISystemControl+64r ...
		dd offset _WmipQueryWmiRegInfo@16 ; WmipQueryWmiRegInfo(x,x,x,x)
		dd offset WmipQueryWmiDataBlock
		dd 4 dup(0)
; 

_EtwpAllNotifyRoutines:			; DATA XREF: WmiQueryTraceInformation+11CEC5o
		mov	edx, 0DD004F87h
		in	eax, 67h
		add	[ebx], ch
		out	67h, eax
		add	[edx+ebp*8], dh
		add	[bx+si+4F8Ah], dh
		add	[eax], cl
		in	eax, 67h
		add	[eax], cl
		in	eax, 67h
		add	[esi+5F0067E6h], bh
		jmp	short loc_A41076
; 
		db 0
		dd offset _EtwpTraceFltIo@16 ; EtwpTraceFltIo(x,x,x,x)
		dd offset _EtwpTraceFltTimedIo@20 ; EtwpTraceFltTimedIo(x,x,x,x,x)
		dd offset @EtwGetKernelTraceTimestamp@8	; EtwGetKernelTraceTimestamp(x,x)
		dd offset _EtwpTraceWdf@20 ; EtwpTraceWdf(x,x,x,x,x)
		dd offset _EtwpSystemTraceWdf@20 ; EtwpSystemTraceWdf(x,x,x,x,x)
		dd offset _EtwpTraceRedirectedIo@8 ; EtwpTraceRedirectedIo(x,x)
; 

_WmipGuidList:				; DATA XREF: PAGE:off_A40FD0o
		sal	byte ptr ds:0AADBC7BFh,	cl
		rcl	dword ptr [ecx], 1
		mov	edi, 0C9A0004Ah
		push	es
		sub	[eax], edx
; 
		dd 0
		dd 10000h, 0C7BF35D3h, 11D1AADBh, 0A0004ABFh, 102906C9h
		dd 0
		dd 10000h, 5DAF38AEh, 4D90F6F8h, 0DEEB9981h, 3BEC0068h
		dd 1, 0
		dd 8F680850h
		db 84h,	0A5h
; 

loc_A41076:				; CODE XREF: PAGE:00A4100Dj
		rcl	dword ptr [ecx], 1
		mov	edi, 0C9A00038h
		push	es
		sub	[eax], edx
		add	[eax], eax
; 
		dw 0
		align 8
		dd 8F680853h, 11D1A584h, 0A00038BFh, 102906C9h,	1, 0
		dd 8F680855h, 11D1A584h, 0A00038BFh, 102906C9h,	1, 0
		dd 8F680851h, 11D1A584h, 0A00038BFh, 102906C9h,	1, 0
_EtwpEnableFlagMap dd 10h		; DATA XREF: EtwpMapEnableFlags(x,x)+2Br
					; EtwpMapEnableFlags(x,x)+41r
dword_A410D4	dd 20000004h		; DATA XREF: EtwpMapEnableFlags(x,x)+17r
					; EtwpMapEnableFlags(x,x):loc_7E3C65r
		dd 20h,	20000080h, 40h,	20004000h, 80h,	40000040h, 800000h
		dd 20000010h, 1000000h,	20000002h, 4000h, 20008000h, 800h
		dd 20000200h
; void *EtwpUmglProviders
_EtwpUmglProviders dd offset _HeapRangeGuid ; DATA XREF: EtwpEnableDisableSpecialGuids+3Ar
					; EtwpEnumerateTraceGuids(x,x,x)+C9r ...
byte_A41114	db 4			; DATA XREF: EtwpEnumerateTraceGuids(x,x,x):loc_846C6Ar
					; EtwpGetTraceGuidInfo(x,x,x,x)+ACr ...
		align 4
		dd offset _LoadMUIDllGuid
		dd 2
		dd offset loc_410EAB+1
		dd 3
		dd offset _UmsTraceGuid
		dd 6
		dd offset _HeapSummaryGuid
		dd 5
		dd offset _ImageLoadGuid
		dd 2
		dd offset _HeapGuid
		align 8
		dd offset _CritSecGuid
		dd 1
		dd offset _WnfGuid
		dd 7
		db  6Ch	; l OFF32 SEGDEF [_text,410E6C]
; 

loc_A41159:				; CODE XREF: PAGE:00A41192j
		push	cs
		inc	ecx
		add	[eax], cl
; 
		db 3 dup(0)
_RefSetStartString db 'RefSetStart::AutoMark',0 ; DATA XREF: EtwpLogRefSetAutoMark(x,x)+31o
		align 4
_RefSetStopString db 'RefSetStop::AutoMark',0
					; DATA XREF: EtwpLogRefSetAutoMark(x,x):loc_9F9A52o
		align 10h

_EtwpKsrGuid:				; DATA XREF: EtwpCancelMemoryPreservation(x)+1Bo
					; EtwpPreserveMdlList(x,x,x,x)+8Bo ...
		mov	bl, 0CDh
		js	short loc_A41159
		adc	[ecx-1952BF09h], ebx
		lahf
		clc
		sub	al, ah
		add	dh, bh

_ExpCpuSetSecurityDescriptor:		; DATA XREF: ExCpuSetResourceManagerAccessCheck(x)+5Ao
		add	[eax], eax
		add	al, 80h
; 
		dd 3 dup(0)
		dd 14h,	440002h, 2, 140000h, 1,	101h, 5000000h,	12h, 280000h
		dd 1, 601h, 5000000h, 50h, 9F88E7C9h, 71F18F19h, 9C77CB5Dh
		dd 0F907DC14h, 51771D47h
dword_A411F8	dd 2C002Ah		; DATA XREF: ExpGetSystemWriteConstraintInformation+20o
		dd offset ??_C@_1CM@DGFIDOEL@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAU?$AAw?$AAf?$AAv?$AAo?$AAl?$AAC@LBKOJDO@
		dd 220A0Ch
off_A41204	dd offset loc_760072+2	; DATA XREF: ExpInitFullProcessSecurityInfo(x,x,x)+42o
		dd offset ??_C@_1HG@MFCMOGIO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@
; 

_ExHandleTraceDbDefaultStacks:		; DATA XREF: ExEnableHandleTracing(x,x)+12r
		add	[eax], dl
; 
		dw 0
; 

_ExpProductInfoSuiteTypeMap:		; DATA XREF: ExpGetProductInfoSuiteTypeMap(x,x):loc_89649Ar
					; ExpGetProductInfoSuiteTypeMap(x,x)+28o ...
		or	eax, [eax]
; 
		dw 0
dword_A41214	dd 200h			; DATA XREF: ExpGetNonMatchingSuiteMask(x)+Cr
		dd 1, 2, 200h, 1, 5, 200h, 1, 3, 200h, 1, 6, 0
		dd 1, 10h, 0
		dd 1, 4, 0
		dd 2 dup(1), 0
		dd 1, 9, 21h, 3, 19h, 21h, 3, 21h, 0
		dd 3, 18h, 21h,	3, 23h,	21h, 3,	0Dh, 0
		dd 3, 7, 0
		dd 3, 0Eh, 2, 3, 0Ah, 2, 3, 0Ch, 80h, 3, 8, 80h, 3, 28h
		dd 0
		dd 3, 24h, 0
		dd 3, 29h, 2, 3, 26h, 2, 3, 27h, 80h, 3, 25h, 80h, 3, 0Fh
		dd 2, 3, 11h, 400h, 3, 12h, 0
		dd 3, 13h, 8000h, 3, 14h, 2000h, 3, 15h, 2000h,	3, 16h
		dd 2000h, 3, 17h, 2000h, 3, 1Ah, 200h, 1, 1Bh, 0
		dd 1, 1Ch, 0
		dd 1, 1Eh, 0
		dd 3, 1Fh, 0
		dd 3, 20h, 0
		dd 3, 3Bh, 0
		dd 3, 3Ch, 0
		dd 3, 3Dh, 0
		dd 3, 3Eh, 0
		dd 3, 1Dh, 400h, 3, 22h, 8000h,	3, 2Ah,	0
		dd 3, 2Bh, 2000h, 3, 2Ch, 2000h, 3, 2Dh, 2000h,	3, 2Eh
		dd 2000h, 3, 41h, 40h, 1
_ExHandleTraceDbMinStacks dd 80h	; DATA XREF: ExEnableHandleTracing(x,x):loc_A05A5Er
					; ExEnableHandleTracing(x,x)+22r
off_A41478	dd offset ??_C@_1DO@PGOAJPNE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@
					; DATA XREF: ExInitSystem+33r
					; ExpWatchProductTypeInitialization+61r
off_A4147C	dd offset ??_C@_1BE@MMGHIOAH@?$AAS?$AAe?$AAt?$AAu?$AAp?$AAT?$AAy?$AAp?$AAe@LBKOJDO@
					; DATA XREF: ExInitSystem+27r
					; ExpWatchProductTypeInitialization+E1r
off_A41480	dd offset ??_C@_1BK@BHIOFGBH@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAP?$AAr?$AAe?$AAf?$AAi?$AAx@LBKOJDO@
					; DATA XREF: ExInitSystem+C9r
off_A41484	dd offset ??_C@_1IE@CPEFALAA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@
					; DATA XREF: ExpWatchProductTypeWork+20r
					; ExInitSystem+C3r ...
off_A41488	dd offset ??_C@_1BI@JPCMFPH@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAT?$AAy?$AAp?$AAe@LBKOJDO@
					; DATA XREF: ExpWatchProductTypeWork+DBr
					; ExInitSystem+BDr ...
; wchar_t *off_A4148C
off_A4148C	dd offset ??_C@_1BC@NCHLLMKP@?$AAL?$AAa?$AAn?$AAm?$AAa?$AAn?$AAN?$AAT@LBKOJDO@
					; DATA XREF: ExpWatchProductTypeWork+119r
					; ExInitSystem+B7r ...
off_A41490	dd offset ??_C@_1BC@MNKEGIPF@?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr?$AAN?$AAT@LBKOJDO@
					; DATA XREF: ExpWatchProductTypeWork+156r
					; ExInitSystem+B1r ...
off_A41494	dd offset ??_C@_1M@FFGHOEMJ@?$AAW?$AAi?$AAn?$AAN?$AAT@LBKOJDO@
					; DATA XREF: ExpWatchProductTypeWork+19Br
					; ExInitSystem+ABr ...
off_A41498	dd offset ??_C@_1BK@HJNBLNLJ@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAS?$AAu?$AAi?$AAt?$AAe@LBKOJDO@
					; DATA XREF: ExpWatchProductTypeWork+297r
					; ExInitSystem+A5r ...
off_A4149C	dd offset ??_C@_1IM@BMOFCHBC@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@
					; DATA XREF: ExInitSystem+9Fr
					; ExpWatchProductTypeInitialization+368r ...
off_A414A0	dd offset ??_C@_1CA@DKJDGANH@?$AAC?$AAo?$AAn?$AAc?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAL?$AAi?$AAm?$AAi?$AAt@LBKOJDO@
					; DATA XREF: ExpWatchLicenseInfoWork+1DFr
					; ExInitSystem+99r ...
; void *off_A414A4
off_A414A4	dd offset ??_C@_1BO@GKCMPHLG@?$AAS?$AAm?$AAa?$AAl?$AAl?$AA?5?$AAB?$AAu?$AAs?$AAi?$AAn?$AAe?$AAs?$AAs@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask:loc_8964F2r
					; ExInitSystem+93r ...
; void *off_A414A8
off_A414A8	dd offset ??_C@_1BG@PCCIFCMK@?$AAE?$AAn?$AAt?$AAe?$AAr?$AAp?$AAr?$AAi?$AAs?$AAe@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask+88r
					; ExInitSystem+8Dr ...
; void *off_A414AC
off_A414AC	dd offset ??_C@_1CI@DPGNCPEG@?$AAC?$AAo?$AAm?$AAm?$AAu?$AAn?$AAi?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAS?$AAe@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask+C4r
					; ExInitSystem+87r ...
; void *off_A414B0
off_A414B0	dd offset ??_C@_1BG@NGPLODIG@?$AAB?$AAa?$AAc?$AAk?$AAO?$AAf?$AAf?$AAi?$AAc?$AAe@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask+100r
					; ExInitSystem+81r ...
; void *off_A414B4
off_A414B4	dd offset ??_C@_1DG@DFNPOBGK@?$AAS?$AAm?$AAa?$AAl?$AAl?$AA?5?$AAB?$AAu?$AAs?$AAi?$AAn?$AAe?$AAs?$AAs?$AA?$CI@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask+4Cr
					; ExInitSystem+7Br ...
; void *off_A414B8
off_A414B8	dd offset ??_C@_1CA@BFNKNOIB@?$AAT?$AAe?$AAr?$AAm?$AAi?$AAn?$AAa?$AAl?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask+13Cr
					; ExInitSystem+75r ...
; void *off_A414BC
off_A414BC	dd offset ??_C@_1BG@ECDEFKDD@?$AAE?$AAm?$AAb?$AAe?$AAd?$AAd?$AAe?$AAd?$AAN?$AAT@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask:loc_92D346r
					; ExInitSystem+6Fr ...
; void *off_A414C0
off_A414C0	dd offset ??_C@_1BG@CNKBPOLO@?$AAD?$AAa?$AAt?$AAa?$AAC?$AAe?$AAn?$AAt?$AAe?$AAr@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask:loc_92D385r
					; ExInitSystem+69r ...
; void *off_A414C4
off_A414C4	dd offset ??_C@_1BC@EANCBBIH@?$AAP?$AAe?$AAr?$AAs?$AAo?$AAn?$AAa?$AAl@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask:loc_92D3C7r
					; ExInitSystem+63r ...
; void *off_A414C8
off_A414C8	dd offset ??_C@_1M@BAHFBOFJ@?$AAB?$AAl?$AAa?$AAd?$AAe@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask:loc_92D409r
					; ExInitSystem+5Dr ...
; void *off_A414CC
off_A414CC	dd offset ??_C@_1CK@OEJDIJIK@?$AAE?$AAm?$AAb?$AAe?$AAd?$AAd?$AAe?$AAd?$AA?$CI?$AAR?$AAe?$AAs?$AAt?$AAr?$AAi@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask:loc_92D44Br
					; ExInitSystem+57r ...
; void *off_A414D0
off_A414D0	dd offset ??_C@_1CG@PMLDFGPP@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?5?$AAA?$AAp?$AAp?$AAl?$AAi?$AAa@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask:loc_92D48Dr
					; ExInitSystem+51r ...
; void *off_A414D4
off_A414D4	dd offset ??_C@_1BO@EICAEGDK@?$AAS?$AAt?$AAo?$AAr?$AAa?$AAg?$AAe?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask:loc_92D4CFr
					; ExInitSystem+4Br ...
; void *off_A414D8
off_A414D8	dd offset ??_C@_1BO@FKKKPMOJ@?$AAC?$AAo?$AAm?$AAp?$AAu?$AAt?$AAe?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask:loc_92D511r
					; ExInitSystem+45r ...
off_A414DC	dd offset ??_C@_1BE@JEKEKCNB@?$AAW?$AAH?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask:loc_92D553r
					; ExInitSystem+3Fr
off_A414E0	dd offset ??_C@_1CM@DHJDDPJO@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAe?$AAt?$AAu?$AAp?$AAI?$AAn?$AAP?$AAr@LBKOJDO@
					; DATA XREF: ExInitSystem+39r
					; ExpWatchProductTypeInitialization:loc_AD361Er
; void *off_A414E4
off_A414E4	dd offset ??_C@_1BA@BIEHHHFN@?$AAP?$AAh?$AAo?$AAn?$AAe?$AAN?$AAT@LBKOJDO@
					; DATA XREF: ExpParseSuiteMask:loc_92D595r
					; ExInitSystem+2Dr ...
off_A414E8	dd offset ??_C@_1CG@NDJCHNKO@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAT@LBKOJDO@
					; DATA XREF: ExpGetNtProductTypeFromLicenseValue+8r
					; ExInitSystem:loc_ACC021r
_ExHandleTraceDbMaxStacks dd 20000h	; DATA XREF: ExEnableHandleTracing(x,x):loc_A05A6Er
					; ExEnableHandleTracing(x,x)+32r
; 

_ExpWakeTimerSecurityDescriptor:	; DATA XREF: ExpCheckWakeTimerAccess(x)+5Do
		add	[eax], eax
		add	al, 80h
; 
		dd 3 dup(0)
		dd 14h,	6C0002h, 3, 140000h, 1,	101h, 5000000h,	12h, 280000h
		dd 1, 601h, 5000000h, 50h, 0D40E55A9h, 0CD740A54h, 9A881131h
		dd 0CAC40E68h, 0FEBD6DC7h, 280000h, 1, 601h, 5000000h
		dd 50h,	0DCC6F35Ch, 41413E3Bh, 46113B07h, 7C7ACB0Fh, 2EADF7A2h
_ExpInitializeCallback dd offset _ExCbEnlightenmentState
					; DATA XREF: ExpInitializeCallbacks()+F4r
					; ExpInitializeCallbacks()+FEo	...
off_A41574	dd offset ??_C@_1DK@GHDAFMLO@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAE?$AAn?$AAl?$AAi?$AAg@LBKOJDO@
					; DATA XREF: ExpInitializeCallbacks():loc_AD737Br
		dd offset _ExCbSetSystemTime
		dd offset ??_C@_1DA@PGBCEJOI@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAS?$AAe?$AAt?$AAS?$AAy@LBKOJDO@
		dd offset _ExCbSetSystemState
		dd offset ??_C@_1DC@KMLCFGFF@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAS?$AAe?$AAt?$AAS?$AAy@LBKOJDO@
		dd offset _ExCbPowerState
		dd offset ??_C@_1CK@DOCFKPNP@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAP?$AAo?$AAw?$AAe?$AAr@LBKOJDO@
		dd offset _ExCbProcessorAdd
		dd offset ??_C@_1CO@FHBOFCJN@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAP?$AAr?$AAo?$AAc?$AAe@LBKOJDO@
		dd offset _ExCbPhase1InitComplete
		dd offset ??_C@_1DK@OAFMFLJJ@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAP?$AAh?$AAa?$AAs?$AAe@LBKOJDO@
		dd offset _ExCbSeImageVerificationDriverInfo
		dd offset ??_C@_1FA@BFIGFFEL@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAS?$AAe?$AAI?$AAm?$AAa@LBKOJDO@
		align 10h
dword_A415B0	dd 18h,	0		; DATA XREF: ExInitLicenseCallback()+Co
		dd offset loc_A419EB+1
		dd 250h, 2 dup(0)
dword_A415C8	dd 18h,	0		; DATA XREF: sub_A0692F+46o
		dd offset loc_A419E3+1
		dd 240h, 2 dup(0)
dword_A415E0	dd 18h,	0		; DATA XREF: ExpOsProductCacheProviderHelper+Do
		dd offset loc_A419E3+1
		dd 240h, 2 dup(0)
dword_A415F8	dd 0D5B2D79Eh, 0DDB1D7AFh, 0DDB3DFB8h, 0D598DFF8h, 0D587D7A6h
					; DATA XREF: PAGE:00A465D4o
		dd 0DDB0D7AFh, 0DDAADFB9h, 0F583DF96h, 0F5B4F7D8h, 0FD91F792h
		dd 0FD9AFF89h, 0F583FF9Bh, 0F593F7BCh, 0DDBADF96h, 0F599DF87h
		dd 0F59BF790h, 0FDB0F7D0h, 0FDAFFF8Eh, 0F598FF87h, 0F582F791h
		dd 0FD8BF79Eh, 0FDAFFFD0h, 0D599FF93h, 771A7734h, 770E7719h
		dd 7F107F0Ah, 7F347F1Ah, 77117713h, 77137718h, 7F127F2Fh
		dd 7F3C7F13h, 572C5734h, 57385704h, 5F2Bh, 556F576Ch, 5D6D5765h
		dd 5D6A5F6Ah, 75135F45h, 75477758h, 7D1E771Ch, 7D527F4Ah
		dd 754F7F41h, 75467745h, 7D1D7750h, 7D467F1Fh, 0D5FA7FB7h
		dd 0D5E7D7ECh, 0DDBAD7BCh, 0DDE9DFE8h, 0D5E0DFB7h, 0D5E5D7B6h
		dd 0DDBDD7BCh, 5F385D0Ch, 5F205D3Ch, 573C5525h,	57245523h
		dd 5F0E5D72h, 5F255D0Fh, 7727755Ah, 770E7512h, 7F0F7D1Ah
		dd 7F107D09h, 77587513h, 7712753Bh, 7F1C7D1Ch, 7F1D7D13h
		dd 57275536h, 572A5533h, 5F2F5D3Eh, 5F1C5D3Ah, 5533h, 0FD9AF7B6h
		dd 0FD91FF8Fh, 573BFF30h, 57125778h, 5F2F5725h,	5F2D5F34h
		dd 57235F34h, 5738573Ch, 5F1B5733h, 5F2B5F3Ch, 5F10h, 0D792D796h
		dd 0DFE9D7ECh, 0DF9DDFEEh, 0F7CFDFC6h, 0F7C6F7D8h, 0FFBAF7BCh
		dd 0FFD2FFBEh, 0F7C0FFC1h, 0F7B1F7B4h, 0FFC7F7D0h, 0FFCBFFC8h
		dd 0D7FAFF91h, 0D794D793h, 0DFEFD7E4h, 0DF9DDF9Ch, 0D7E1DF91h
		dd 0D7E2D7ECh, 0DF9CD7ECh, 5F1B5F1Bh, 57615F10h, 57125711h
		dd 5F6C571Fh, 5F195F70h, 774E5F42h, 775A7745h, 7F477749h
		dd 7F397F3Bh, 774F7F58h, 77457733h, 7F52774Ah, 7F4C7F49h
		dd 0D7E17FE1h, 0D7EED7E4h, 0DFEBD7E9h, 0DF9BDF9Bh, 0D792DFE6h
		dd 5F1B5F1Dh, 5F645F6Ch, 5717576Eh, 57695762h, 5F695F72h
		dd 5F375F66h, 77587742h, 774C7743h, 7F3F7F4Dh, 7F4D7F52h
		dd 77367734h, 7750774Fh, 7F3E7F39h, 7F967F4Dh, 0D7E5D7E7h
		dd 0D799D7E4h, 0DFECDFECh, 0DF93DF9Eh, 0DFB6DF90h, 0F785DF96h
		dd 0F784F79Ah, 0FF99F792h, 0FFD2FF89h, 0F792FFA7h, 0F792F786h
		dd 0FF89F78Fh, 0FF9BFF98h, 5765FF78h, 57145761h, 5F69576Fh
		dd 5F1C5F1Ch, 577A5F16h, 57125711h, 5F6D576Bh, 5F6B5F70h
		dd 77475F46h, 775A7746h, 7F477745h, 7F3B7F3Ch, 77417F58h
		dd 77337736h, 7F397749h, 7F4B7F4Ch, 57607F61h, 57665713h
		dd 5765h, 95BABA28h, 49C9ED26h,	0B1934FB7h, 49B8E170h
; 

_ExpValidAttributes:
		add	eax, [eax]
; 
		dw 0
dword_A4189C	dd 2C002Ah		; DATA XREF: ExpCloudbookHardwareLockedProvider(x,x,x,x,x,x)+36o
		dd offset ??_C@_1CM@LLLEBFDB@?$AAC?$AAl?$AAo?$AAu?$AAd?$AAb?$AAo?$AAo?$AAk?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@LBKOJDO@
dword_A418A4	dd 240022h		; DATA XREF: ExpCloudbookHardwareIDProvider(x,x,x,x,x,x)+3Bo
		dd offset ??_C@_1CE@FCDBCNKE@?$AAC?$AAl?$AAo?$AAu?$AAd?$AAb?$AAo?$AAo?$AAk?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@LBKOJDO@
dword_A418AC	dd 2C002Ah		; DATA XREF: PAGE:00A418D4o
		dd offset ??_C@_1CM@GMHOJELD@?$AAC?$AAo?$AAn?$AAs?$AAu?$AAm?$AAe?$AAA?$AAd?$AAd?$AAo?$AAn?$AAP?$AAo?$AAl@LBKOJDO@
dword_A418B4	dd 4C004Ah		; DATA XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+A3o
		dd offset ??_C@_1EM@PHDPIAKH@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?9?$AAS?$AAP?$AAP?$AA?9?$AAI?$AAg@LBKOJDO@
_ExpCacheProviderPolicyNamesCounterBase	dd 0
dword_A418C0	dd 1			; DATA XREF: SLGetSubscriptionPfn(x,x)+34o
					; SLGetSubscriptionPfn(x,x)+7Do
		dd offset dword_A418C8
dword_A418C8	dd 2A0028h		; DATA XREF: SLQueryLicenseValueInternal+84CFAo
					; PAGE:00A418C4o
		dd offset ??_C@_1CK@NEMLIBJE@?$AAC?$AAl?$AAi?$AAp?$AA?9?$AAS?$AAu?$AAb?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi@LBKOJDO@
dword_A418D0	dd 1			; DATA XREF: SLQueryLicenseValueInternal+1A0o
					; ExpConsumeAddonPolicySetCacheProvider(x,x,x,x,x,x)+Bo
		dd offset dword_A418AC
dword_A418D8	dd 0FFB0FDACh, 0D7A0D5B4h, 0D7B4D5A5h, 0DFA4DDABh, 0DF86DDF2h
					; DATA XREF: PAGE:00A46584o
		dd 0D785D587h, 0D78FD5FAh, 0DFAEDDBAh, 0DF87DDBAh, 0F790F581h
		dd 0F7D0F593h, 0FFBFFDABh, 0FFA7FDB3h, 0F798F592h, 0F794F596h
		dd 0FF94FD91h, 0FF32FD91h, 573C5503h, 5738553Ah, 0D7B0D584h
		dd 0D7A8D5B4h, 0DFB4DDADh, 0DFACDDABh, 0D786D5FAh, 0D78DD587h
		dd 0DF8FDDF2h
		db 0BAh, 0DDh, 86h
; 

loc_A41943:				; CODE XREF: PAGE:loc_A4199Bj
		fist	word ptr [edx-7E08780Bh]
		cmc
		cwde
		neg	dword ptr [ebx-54002F03h]
		std
		mov	bh, 0FFh
		mov	ebx, 83F7A6F5h
		cmc
		pushf

loc_A4195B:				; DATA XREF: PAGE:00A4655Co
		test	dword ptr [ebx+6FF98FDh], 3E553257h
		push	edi
		sub	bl, [ebp+2Fh]
		pop	edi
		db	36h
		pop	ebp
		and	[edi+2Eh], ebx
		push	ebp
		js	short loc_A419C9
		add	al, 55h
		or	eax, 705D0F57h
		pop	edi
		sbb	[ebp+10h], bl
		pop	edi
		sbb	[ebp+0], esi
		ja	short near ptr loc_A4199F+2
		jnz	short near ptr loc_A41997+1
		ja	short near ptr loc_A4199F+2
		jge	short near ptr loc_A419B8+2
		jg	short loc_A4199B
		jge	short near ptr loc_A4199F+4
		jg	short near ptr loc_A4199F+6
		jnz	short loc_A419AA
; 
		db 77h
; 

loc_A41992:				; CODE XREF: PAGE:00A41A0Dj
		and	al, 75h
		or	[edi+1Eh], esi

loc_A41997:				; CODE XREF: PAGE:00A41983j
		jge	short near ptr loc_A4199F+3
		jg	short near ptr loc_A4199F+6

loc_A4199B:				; CODE XREF: PAGE:00A41989j
		jge	short loc_A41943
		jg	short $+2

loc_A4199F:				; CODE XREF: PAGE:00A41981j
					; PAGE:00A41985j ...
		add	ds:55255730h[edx*2], bl
		xor	edx, [edi+3Ah]
		pop	ebp

loc_A419AA:				; CODE XREF: PAGE:00A4198Fj
		xor	[edi+72h], ebx
		pop	ebp
		push	es
		pop	edi
		xor	dl, [ebp+26h]
		push	edi
		and	al, 55h
		xor	al, 57h

loc_A419B8:				; CODE XREF: PAGE:00A41987j
		xor	[ebp+33h], bl
		pop	edi
		jb	short near ptr loc_A41A17+4
		cmp	[edi+16h], bl
		jnz	short loc_A419D9
		ja	short near ptr loc_A419E3+1
		jnz	short loc_A419DB
		ja	short near ptr loc_A419D9+1

loc_A419C9:				; CODE XREF: PAGE:00A41970j
		jge	short loc_A419E3
		jg	short near ptr loc_A41A1D+2
		jge	short near ptr loc_A41A08+3
		jg	short near ptr loc_A419E3+1
		jnz	short loc_A419E3
		ja	short near ptr loc_A419ED+1
		jnz	short near ptr loc_A419DF+1
		ja	short loc_A419EF

loc_A419D9:				; CODE XREF: PAGE:00A419C1j
					; PAGE:00A419C7j
		jge	short loc_A419F6

loc_A419DB:				; CODE XREF: PAGE:00A419C5j
		jg	short loc_A419F3
		jge	short loc_A41A0F

loc_A419DF:				; CODE XREF: PAGE:00A419D5j
		jg	short near ptr loc_A41A05+1
		push	ebp
; 
		db 0
; 

loc_A419E3:				; CODE XREF: PAGE:loc_A419C9j
					; PAGE:00A419D1j ...
		add	[edx+8400h], al
		pop	esi
		movsb

loc_A419EB:				; DATA XREF: PAGE:00A415B8o
		add	[esi], ch

loc_A419ED:				; CODE XREF: PAGE:00A419D3j
		add	[eax], dh

loc_A419EF:				; CODE XREF: PAGE:00A419D7j
		add	[eax+64h], dh
		movsb

loc_A419F3:				; CODE XREF: PAGE:loc_A419DBj
					; DATA XREF: ExpOsProductContentIdCacheProvider(x,x,x,x,x,x)+8o
		add	[eax+eax], ah

loc_A419F6:				; CODE XREF: PAGE:loc_A419D9j
		add	es:[eax], dl
		movs	byte ptr es:[edi], byte	ptr fs:[esi]

loc_A419FB:				; DATA XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+ECo
					; ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+12Ao ...
		add	[eax], bl
		add	[edx], bl
		add	[esp-5Ch], dl

loc_A41A03:				; DATA XREF: sub_A0692F+70o
		add	[edx], bl

loc_A41A05:				; CODE XREF: PAGE:loc_A419DFj
		add	[eax+eax], bl

loc_A41A08:				; CODE XREF: PAGE:00A419CDj
		cmp	[esp+0], ah

_RtlAllocateStringRoutine:
		dec	edx
		js	short loc_A41992

loc_A41A0F:				; CODE XREF: PAGE:00A419DDj
					; DATA XREF: ExpGetGlobalLocaleSection+BEo
		add	[eax+18006AF1h], ch
		add	[edx], bl

loc_A41A17:				; CODE XREF: PAGE:00A419BCj
					; DATA XREF: ExpGetGlobalLocaleSection+10Co
		add	[eax+3E00A466h], ah

loc_A41A1D:				; CODE XREF: PAGE:00A419CBj
		add	[eax+0], al
		pusha
		db	66h
		movsb
; 
		db 0
; 

_NlsRegKeyName:				; DATA XREF: ExpGetGlobalLocaleSection+97o
		insb
		add	[esi+0], ch
		enter	0FFFFA466h, 0

_NlsDirectoryName:			; DATA XREF: PAGE:00A41A3Co
		or	[eax], al
		or	al, [eax]
		mov	esp, 1800A466h	; DATA XREF: ExInitializeNls()+Do
; 
		db 3 dup(0)
		dd 0
		dd offset _NlsDirectoryName
		dd 250h, 3 dup(0)
; 

; char ExpWorkerActivityIdSetMessage
_ExpWorkerActivityIdSetMessage:		; DATA XREF: ExpWorkerThread+160E6Eo
		inc	ebp
		pop	eax
		push	edi
		dec	edi
		push	edx
		dec	ebx
		inc	ebp
		push	edx
		cmp	ah, [eax]
		ja	short near ptr loc_A41AC9+2
		jb	short loc_A41AC9
		db	65h
		jb	short near ptr loc_A41A80+1
		db	65h
		js	short near ptr loc_A41ACC+1
		jz	short near ptr loc_A41A85+1
		ja	short near ptr loc_A41ACC+5
		jz	short loc_A41AD2
		and	[ecx+63h], ah
		jz	short near ptr loc_A41AD7+1
		jbe	short loc_A41ADA
		jz	short near ptr loc_A41AEA+2
		and	[ecx+44h], cl
		and	[ebx+65h], dh
		jz	short loc_A41AA7
		and	[edi+6Fh], dh
		jb	short near ptr loc_A41AEA+1

loc_A41A80:				; CODE XREF: PAGE:00A41A5Ej
		db	65h
		jb	short near ptr loc_A41AA1+2
		jb	short near ptr loc_A41AF3+1

loc_A41A85:				; CODE XREF: PAGE:00A41A64j
		jnz	short near ptr loc_A41AFA+1
		imul	ebp, [esi+65h],	2C702520h
		and	[eax+61h], dh
		jb	short near ptr loc_A41AF3+1
		insd
		db	65h
		jz	short loc_A41AFC
		jb	short loc_A41AB9
		and	eax, 69202C70h
		jz	short near ptr _ExpWnfPermanentNameSequenceNumberValueName+1
		insd

loc_A41AA1:				; CODE XREF: PAGE:loc_A41A80j
		and	large ds:0A70h,	ah

loc_A41AA7:				; CODE XREF: PAGE:00A41A79j
					; DATA XREF: ExpWorkerThread+160E1Bo
		add	[ebp+58h], al
		push	edi
		dec	edi
		push	edx
		dec	ebx
		inc	ebp
		push	edx
		cmp	ah, [eax]
		ja	short near ptr loc_A41B21+2
		jb	short loc_A41B21
		db	65h
		jb	short near ptr loc_A41AD7+2

loc_A41AB9:				; CODE XREF: PAGE:00A41A97j
		db	65h
		js	short near ptr loc_A41B24+1
		jz	short near ptr loc_A41ADC+2
		ja	short near ptr byte_A41B29
		jz	short near ptr word_A41B2A
		and	[ebx+79h], dh
		jnb	short near ptr off_A41B38+3
		db	65h
		insd

loc_A41AC9:				; CODE XREF: PAGE:00A41A5Cj
					; PAGE:00A41A5Aj
		and	[ecx+66h], ah

loc_A41ACC:				; CODE XREF: PAGE:00A41A61j
					; PAGE:00A41A66j
		imul	bp, [esi+69h], 7974h

loc_A41AD2:				; CODE XREF: PAGE:00A41A68j
		and	[ebx+65h], dh
		jz	short near ptr byte_A41B03

loc_A41AD7:				; CODE XREF: PAGE:00A41A6Dj
					; PAGE:00A41AB6j
		and	[edi+6Fh], dh

loc_A41ADA:				; CODE XREF: PAGE:00A41A6Fj
		jb	short near ptr dword_A41B44+3

loc_A41ADC:				; CODE XREF: PAGE:00A41ABCj
		db	65h
		jb	short near ptr loc_A41AFD+2
		jb	short loc_A41B50
		jnz	short loc_A41B57
		imul	ebp, [esi+65h],	2C702520h

loc_A41AEA:				; CODE XREF: PAGE:00A41A7Ej
					; PAGE:00A41A71j
		and	[eax+61h], dh
		jb	short loc_A41B50
		insd
		db	65h
		jz	short near ptr loc_A41B57+1

loc_A41AF3:				; CODE XREF: PAGE:00A41A83j
					; PAGE:00A41A91j
		jb	short near ptr loc_A41B14+1
		and	eax, 69202C70h

loc_A41AFA:				; CODE XREF: PAGE:loc_A41A85j
		jz	short near ptr byte_A41B61

loc_A41AFC:				; CODE XREF: PAGE:00A41A94j
		insd

loc_A41AFD:				; CODE XREF: PAGE:loc_A41ADCj
		and	large ds:0A70h,	ah
; 
byte_A41B03	db 0			; CODE XREF: PAGE:00A41AD5j
; 

_ExpWnfPermanentNameSequenceNumberValueName: ; CODE XREF: PAGE:00A41A9Ej
					; DATA XREF: ExpWnfAllocateNextPersistentNameSequence(x,x)+F1o	...
		sbb	al, 0
		push	ds
		add	[ebx+ebx], cl
		movsb
		add	[ebx+0], dl
		add	gs:[ecx+0], dh
		jnz	short $+2

loc_A41B14:				; CODE XREF: PAGE:loc_A41AF3j
		add	gs:[esi+0], ch
		arpl	[eax], ax
		add	gs:[esi+0], cl
		jnz	short $+2
		insd

loc_A41B21:				; CODE XREF: PAGE:00A41AB4j
					; PAGE:00A41AB2j
		add	[edx+0], ah

loc_A41B24:				; CODE XREF: PAGE:loc_A41AB9j
		add	gs:[edx+0], dh
; 
		db 0
byte_A41B29	db 0			; CODE XREF: PAGE:00A41ABEj
word_A41B2A	dw 0			; CODE XREF: PAGE:00A41AC0j
		align 10h
_ExpWnfNameStoreDescriptors dd 0
off_A41B34	dd offset loc_82007E+2	; DATA XREF: ExpWnfGetNameStoreRegistryRoot+7Dr
					; ExpWnfGetNameStoreRegistryRoot+F2r
off_A41B38	dd offset ??_C@_1IC@EGPGEMK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@
					; CODE XREF: PAGE:00A41AC5j
off_A41B3C	dd offset loc_82007E+2	; DATA XREF: ExpWnfGetNameStoreRegistryRoot+64r
					; ExpWnfGetNameStoreRegistryRoot+EBr
		dd offset ??_C@_1IC@EGPGEMK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@
dword_A41B44	dd 1			; CODE XREF: PAGE:loc_A41ADAj
					; DATA XREF: ExpWnfGetNameStoreRegistryRoot+A2r
dword_A41B48	dd 0			; DATA XREF: ExpWnfGetNameStoreRegistryRoot+8Fr
		dd 1
; 

loc_A41B50:				; CODE XREF: PAGE:00A41ADFj
					; PAGE:00A41AEDj
		cwde
		add	[edx-5B981800h], bl

loc_A41B57:				; CODE XREF: PAGE:00A41AE1j
					; PAGE:00A41AF0j
		add	[eax+eax+4Eh], cl
		add	[eax+0A468h], cl
; 
byte_A41B61	db 3 dup(0)		; CODE XREF: PAGE:loc_A41AFAj
		align 8
		dd 2, 0AA00A8h
		dd offset ??_C@_1KK@IMGDCCKA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@
		dd offset unk_AA00A8
		dd offset ??_C@_1KK@IMGDCCKA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@
		align 10h
		dd 1
; 

_ExpWnfNotificationMapping:		; DATA XREF: ExpWnfSpecializeSecurityDescriptor(x)+25o
					; ExpWnfCheckCallerAccess(x,x)+53o
		add	[eax], eax
		adc	al, [eax]
		add	al, [eax]
; 
		dw 0
		dd 1F0000h, 1F0013h, 0
; 

_WheaRegPolicyTable:			; DATA XREF: WheapCommitPolicy()+43o
		pop	esp
; 
		db 69h,	0A4h, 0
off_A41B9C	dd offset _WheaRegPolicyDisableOffline ; DATA XREF: PAGE:00A12950r
					; WheapSetPolicyValue(x,x)+32r	...
dword_A41BA0	dd 0			; DATA XREF: WheapSetPolicyValue(x,x)+17r
dword_A41BA4	dd 0FFFFFFFEh		; DATA XREF: WheapSetPolicyValue(x,x)+23r
		dd offset ??_C@_1CE@GEOJMGFF@?$AAM?$AAe?$AAm?$AAP?$AAe?$AAr?$AAs?$AAi?$AAs?$AAt?$AAO?$AAf?$AAf?$AAl?$AAi@LBKOJDO@
		dd offset _WheaRegPolicyMemPersistOffline
		dd 0
		dd 0FFFFFFFEh
		dd offset loc_A46A77+1
		dd offset _WheaRegPolicyMemPfaDisable
		dd 0
		dd 0FFFFFFFEh
		dd offset ??_C@_1CA@ICAGHMPK@?$AAM?$AAe?$AAm?$AAP?$AAf?$AAa?$AAP?$AAa?$AAg?$AAe?$AAC?$AAo?$AAu?$AAn?$AAt@LBKOJDO@
		dd offset _WheaRegPolicyMemPfaPageCount
		dd 1, 10000h
		dd offset ??_C@_1CA@KOMJJKMM@?$AAM?$AAe?$AAm?$AAP?$AAf?$AAa?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh?$AAo?$AAl?$AAd@LBKOJDO@
		dd offset _WheaRegPolicyMemPfaThreshold
		dd 1, 10000h
		dd offset ??_C@_1BM@LFDBDPAM@?$AAM?$AAe?$AAm?$AAP?$AAf?$AAa?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@LBKOJDO@
		dd offset _WheaRegPolicyMemPfaTimeout
		dd 0
		dd 93A80h
		dd offset ??_C@_1CC@CBMFOILI@?$AAI?$AAg?$AAn?$AAo?$AAr?$AAe?$AAD?$AAu?$AAm?$AAm?$AAy?$AAW?$AAr?$AAi?$AAt@LBKOJDO@
		dd offset _WheaRegPolicyIgnoreDummyWrite
		dd 0
		dd 0FFFFFFFEh
		dd offset ??_C@_1CG@GGAGMKOM@?$AAR?$AAe?$AAs?$AAt?$AAo?$AAr?$AAe?$AAC?$AAm?$AAc?$AAi?$AAE?$AAn?$AAa?$AAb@LBKOJDO@
		dd offset _WheapRegPolicyRestoreCmciEnabled
		dd 0
		dd 0FFFFFFFEh
		dd offset ??_C@_1CO@EJEIPIDH@?$AAR?$AAe?$AAs?$AAt?$AAo?$AAr?$AAe?$AAC?$AAm?$AAc?$AAi?$AAM?$AAa?$AAx?$AAA@LBKOJDO@
		dd offset _WheapRegPolicyRestoreCmciMaxAttempts
		dd 0
		dd 0FFFFFFFEh
		dd offset ??_C@_1CM@IIKEJCG@?$AAR?$AAe?$AAs?$AAt?$AAo?$AAr?$AAe?$AAC?$AAm?$AAc?$AAi?$AAE?$AAr?$AAr?$AAo@LBKOJDO@
		dd offset _WheapRegPolicyRestoreCmciErrorLimit
		dd 0
		dd 0FFFFFFFEh
		dd offset ??_C@_1CE@IFNODAPI@?$AAC?$AAM?$AAC?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh?$AAo?$AAl?$AAd?$AAC?$AAo?$AAu@LBKOJDO@
		dd offset _WheapRegPolicyCmciThresholdCount
		dd 0
		dd 0FFFFFFFEh
		dd offset ??_C@_1CI@NKLDOMBM@?$AAC?$AAM?$AAC?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh?$AAo?$AAl?$AAd?$AAS?$AAe?$AAc@LBKOJDO@
		dd offset _WheapRegPolicyCmciThresholdTime
		dd 0
		dd 0FFFFFFFEh
		dd offset ??_C@_1CA@KBCEKDGB@?$AAC?$AAM?$AAC?$AAP?$AAo?$AAl?$AAl?$AAi?$AAn?$AAg?$AAL?$AAi?$AAm?$AAi?$AAt@LBKOJDO@
		dd offset _WheapRegPolicyCmciThresholdPollCount
		dd 0
		dd 0FFFFFFFEh
dword_A41C68	dd 55B292C4h		; DATA XREF: sub_785212+1363r
dword_A41C6C	dd 0A5645958h		; DATA XREF: sub_785212+136Cr
dword_A41C70	dd 3BBDC445h, 93278D84h	; DATA XREF: sub_785212+13EBo
dword_A41C78	dd 4820C9C6h, 3D7AAD4Bh, 280C818Eh, 0AD691E11h,	0CFCFC0B6h
					; DATA XREF: sub_785212+17B9o
					; sub_785212+17C9o
		dd 0D0DBE288h, 0E569BC2Ch, 0DDD5744Ah, 33C5BCA4h, 4EB80762h
		dd 815B94B6h, 487F7FE7h, 14h dup(0)
		dd 110D0A0Bh, 1A141300h, 1E1D1906h, 5 dup(1F1F1F1Fh)
dword_A41D18	dd 36811074h, 0A6723CF7h ; DATA	XREF: sub_785212+1900o
dword_A41D20	dd 4FE939B7h		; DATA XREF: sub_785212+2189r
dword_A41D24	dd 9F2DD878h		; DATA XREF: sub_785212+2192r
dword_A41D28	dd 0C74FF43Eh, 57B56108h, 0AD6A283Eh, 8CC96773h, 0B7DA3AE1h
					; DATA XREF: sub_785212+1828o
					; sub_785212+1838o
		dd 3C18AFA8h, 6B636F74h, 0E0A9FA09h, 49BC495h, 0D0716A40h
		dd 0ED47C9ABh, 1195DA01h, 322C0FBEh, 13h dup(0)
		dd 70E131Ah, 14090410h,	1E19151Ch, 1F1F1F1Bh, 4	dup(1F1F1F1Fh)
dword_A41DC8	dd 1621EA95h, 768DFD32h	; DATA XREF: sub_785212+17F7o
dword_A41DD0	dd 1621EA95h		; DATA XREF: sub_785212+2296r
dword_A41DD4	dd 768DFD32h		; DATA XREF: sub_785212+229Fr
dword_A41DD8	dd 0B2BB8BB9h, 0F10D668Dh ; DATA XREF: sub_785212+2304o
dword_A41DE0	dd 2F3355A5h		; DATA XREF: sub_785212+216Dr
dword_A41DE4	dd 5638EBB7h		; DATA XREF: sub_785212+2176r
dword_A41DE8	dd 16625EEDh, 8451C28Fh, 8598CE11h, 38FEC1E4h, 111A23D4h
					; DATA XREF: sub_785212+214Eo
		dd 0CA20EE61h, 10281376h, 2C96111Dh, 0F4B16B95h, 93AB8A37h
		dd 3975AC79h, 0D373A104h, 14h dup(0)
		dd 70E0413h, 1016060Ah,	1E0F141Ch, 5 dup(1F1F1F1Fh)
dword_A41E88	dd 0CEF759BCh, 0F61ABDAh, 420358BFh, 98AF79B3h,	0C8BA4177h
					; DATA XREF: sub_785212+1344o
		dd 803FB294h, 0F86D225h, 1E963781h, 0ED502852h,	8B964951h
		dd 0C4FF9BF7h, 3B47B043h, 14h dup(0)
		dd 1E07090Eh, 4140211h,	161B1303h, 5 dup(1F1F1F1Fh)
dword_A41F28	dd 1621EA95h, 768DFD32h	; DATA XREF: sub_785212+232Co
dword_A41F30	dd 16625EEDh, 8451C28Fh, 8598CE11h, 38FEC1E4h, 111A23D4h
					; DATA XREF: sub_785212+21C5o
					; sub_785212+21D5o
		dd 0CA20EE61h, 10281376h, 2C96111Dh, 0F4B16B95h, 93AB8A37h
		dd 3975AC79h, 0D373A104h, 14h dup(0)
		dd 70E0413h, 1016060Ah,	1E0F141Ch, 5 dup(1F1F1F1Fh)
dword_A41FD0	dd 4FE939B7h, 9F2DD878h	; DATA XREF: sub_785212+2203o
dword_A41FD8	dd 18277B63h, 1516B47Fh, 378EE96Ch, 0B71E9AAEh,	0A45E080Ah
					; DATA XREF: sub_785212:loc_7869A6o
					; sub_785212+17A4o
		dd 7E6B3A9Bh, 0D4BA98E6h, 0E6414FFCh, 92DA15E1h, 0A6007E7Ah
		dd 0C4E2C8A5h, 6A5CEF58h, 71544D43h, 13h dup(0)
		dd 2171912h, 18030D11h,	1E1C071Ah, 1F1F1F1Bh, 4	dup(1F1F1F1Fh)
dword_A42078	dd 6CED030Bh, 863BF519h, 0DBBDC48h, 56FAC27Dh, 0C3546E3Eh
					; DATA XREF: sub_785212:loc_7873B2o
					; sub_785212+21B0o
		dd 8F0AFA5Bh, 1B353B4Dh, 31063933h, 2DD7AD07h, 2C8F4675h
		dd 0D285A9B2h, 39C22E3Bh, 14h dup(0)
		dd 100612h, 5040118h, 1B1D0C16h, 5 dup(1F1F1F1Fh)
dword_A42118	dd 0AB21D998h, 6223E824h, 1A0019h ; DATA XREF: sub_785212+1407o
off_A42124	dd offset loc_A46B2B+1	; DATA XREF: sub_A16A58+21Br
					; sub_A16F7C+4FBr
dword_A42128	dd 0B2BB8BB9h		; DATA XREF: sub_785212+227Ar
dword_A4212C	dd 0F10D668Dh		; DATA XREF: sub_785212+2283r
dword_A42130	dd 8128F8D0h, 1F3ECBA6h, 0D66ACF40h, 26D03449h,	1468709Ah
					; DATA XREF: sub_785212:loc_786ABBo
					; sub_785212+18BDo
		dd 0F50B6306h, 928C0D6Ah, 3DC0C65h, 58F0AA87h, 63EEBE8Ah
		dd 2913A20Bh, 0E060A7BDh, 14h dup(0)
		dd 181C1409h, 8111902h,	60B001Bh, 5 dup(1F1F1F1Fh)
dword_A421D0	dd 6CED030Bh, 863BF519h, 0DBBDC48h, 56FAC27Dh, 0C3546E3Eh
					; DATA XREF: sub_785212+211Fo
					; sub_785212+212Fo
		dd 8F0AFA5Bh, 1B353B4Dh, 31063933h, 2DD7AD07h, 2C8F4675h
		dd 0D285A9B2h, 39C22E3Bh, 14h dup(0)
		dd 100612h, 5040118h, 1B1D0C16h, 5 dup(1F1F1F1Fh)
dword_A42270	dd 766AABAAh		; DATA XREF: sub_785212+175Br
dword_A42274	dd 35DCEB18h		; DATA XREF: sub_785212+1764r
dword_A42278	dd 5B32E7D5h, 91496425h, 1A14E6BCh, 2A59E568h, 239E6EEEh
					; DATA XREF: sub_785212:loc_7865AEo
					; sub_785212+13B0o
		dd 0FB7956EDh, 0B669BE9Eh, 4867DBA8h, 2F340C2Ah, 0DD8C2CF7h
		dd 1E318AD4h, 15h dup(0)
		dd 0C140F1Ah, 3190502h,	1F06000Eh, 5 dup(1F1F1F1Fh)
dword_A42318	dd 6B54655Bh, 3F0B3DC8h, 0B2AD639Eh, 5381065Ah,	894AF156h
					; DATA XREF: sub_785212+18D6o
					; sub_785212+18EAo
		dd 0E34BC59Bh, 89924D75h, 782C18BAh, 0CC675045h, 4ABBED47h
		dd 58C93C65h, 20EF66FBh, 14h dup(0)
		dd 8070E10h, 1C1A0A12h,	1D17160Dh, 5 dup(1F1F1F1Fh)
dword_A423B8	dd 0A716A96h		; DATA XREF: sub_785212+1892r
dword_A423BC	dd 0C349B50Bh		; DATA XREF: sub_785212+189Br
dword_A423C0	dd 98EF63F8h, 0BF84E735h, 7EB3B50Ah, 0A2B64021h, 33B9CEBDh
					; DATA XREF: sub_785212+170Eo
		dd 0E681C805h, 9F8496D1h, 0AC0B07D3h, 9128942Bh, 0B67F623Eh
		dd 6BD5651Bh, 11C9B003h, 14h dup(0)
		dd 20B1E0Ch, 50A0311h, 1A10081Dh, 5 dup(1F1F1F1Fh)
dword_A42460	dd 42B0C6D8h, 6105128Ah, 6BD0EBE8h, 98203CDCh, 2763508Fh
					; DATA XREF: sub_785212+173Co
		dd 640D4B6Eh, 85F36166h, 5CDDFD40h, 827153Ah, 0FC5BDA48h
		dd 9653E573h, 8F560E85h, 14h dup(0)
		dd 60F1D0Bh, 1A1E0E15h,	16110207h, 5 dup(1F1F1F1Fh)
dword_A42500	dd 4820C9C6h, 3D7AAD4Bh, 280C818Eh, 0AD691E11h,	0CFCFC0B6h
					; DATA XREF: sub_785212+225Bo
		dd 0D0DBE288h, 0E569BC2Ch, 0DDD5744Ah, 33C5BCA4h, 4EB80762h
		dd 815B94B6h, 487F7FE7h, 14h dup(0)
		dd 110D0A0Bh, 1A141300h, 1E1D1906h, 5 dup(1F1F1F1Fh)
dword_A425A0	dd 1A2F2A8Ah		; DATA XREF: sub_785212+1876r
dword_A425A4	dd 0A10B922Fh		; DATA XREF: sub_785212+187Fr
dword_A425A8	dd 18277B63h, 1516B47Fh, 378EE96Ch, 0B71E9AAEh,	0A45E080Ah
					; DATA XREF: sub_785212+222Co
					; sub_785212+223Co
		dd 7E6B3A9Bh, 0D4BA98E6h, 0E6414FFCh, 92DA15E1h, 0A6007E7Ah
		dd 0C4E2C8A5h, 6A5CEF58h, 71544D43h, 13h dup(0)
		dd 2171912h, 18030D11h,	1E1C071Ah, 1F1F1F1Bh, 4	dup(1F1F1F1Fh)
dword_A42648	dd 9616793h, 825D0106h,	676E44F9h, 195B88BEh, 17E051BFh
					; DATA XREF: sub_785212+1313o
		dd 84F82F4Bh, 0A8773BB5h, 73D03DB1h, 249CFCEDh,	63B6E02Bh
		dd 0EEE1BF54h, 40EDC21Eh, 14h dup(0)
dword_A426C8	dd 0A051517h, 106100Fh,	1B0B181Eh, 5 dup(1F1F1F1Fh), 0B000AEh
		dd offset ??_C@_1LA@BFGPJOCH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@
dword_A426F0	dd 178DA076h, 7511056Eh	; DATA XREF: sub_785212+191Co
dword_A426F8	dd 8C40A2A1h, 0EE1D4B02h, 0F5CB93E1h, 33E1849Fh, 0ED97EC9h
					; DATA XREF: sub_785212+1857o
		dd 1C791F47h, 0D4714F40h, 17BB0BA4h, 0D75108F9h, 85B3086Ah
		dd 34086787h, 5F0ADD55h, 14h dup(0)
		dd 130610h, 0E0B1B18h, 190A1C07h, 5 dup(1F1F1F1Fh)
dword_A42798	dd 42C14855h, 0F662CD55h, 0A14E8226h, 0DD5F3CEDh, 5CE0CFF6h
					; DATA XREF: sub_785212+13C9o
					; sub_785212+13D9o
		dd 0F65C971Eh, 5AC601B9h, 0BA8D793Fh, 1771E07h,	310D3156h
		dd 0C230DBDEh, 9846C556h, 14h dup(0)
		dd 50A030Fh, 910171Ah, 190E1B1Ch, 5 dup(1F1F1F1Fh)
dword_A42838	dd 4820C9C6h, 3D7AAD4Bh, 280C818Eh, 0AD691E11h,	0CFCFC0B6h
					; DATA XREF: sub_785212+22DAo
					; sub_785212+22EEo
		dd 0D0DBE288h, 0E569BC2Ch, 0DDD5744Ah, 33C5BCA4h, 4EB80762h
		dd 815B94B6h, 487F7FE7h, 14h dup(0)
		dd 110D0A0Bh, 1A141300h, 1E1D1906h, 5 dup(1F1F1F1Fh)
dword_A428D8	dd 2F3355A5h, 5638EBB7h	; DATA XREF: sub_785212+21E7o
dword_A428E0	dd 6B4D09FCh		; DATA XREF: sub_785212+137Fr
dword_A428E4	dd 1B732BD7h		; DATA XREF: sub_785212+1388r
dword_A428E8	dd 0E086077Ch		; DATA XREF: sub_785212+1777r
dword_A428EC	dd 14CEA8BAh		; DATA XREF: sub_785212+1780r
dword_A428F0	dd 18277B63h, 1516B47Fh, 378EE96Ch, 0B71E9AAEh,	0A45E080Ah
					; DATA XREF: sub_785212:loc_7874BFo
					; sub_785212+22C1o
		dd 7E6B3A9Bh, 0D4BA98E6h, 0E6414FFCh, 92DA15E1h, 0A6007E7Ah
		dd 0C4E2C8A5h, 6A5CEF58h, 71544D43h, 13h dup(0)
		dd 2171912h, 18030D11h,	1E1C071Ah, 1F1F1F1Bh, 4	dup(1F1F1F1Fh)
dword_A42990	dd 0B2BB8BB9h, 0F10D668Dh ; DATA XREF: sub_785212+17DBo
__CmClassRegPropMap dd offset _DEVPKEY_DeviceClass_ClassName
					; DATA XREF: _CmGetInstallerClassMappedProperty:loc_858F69r
					; _CmGetInstallerClassMappedPropertyFromRegProp+56o ...
		dd 12h,	8, 1
		dd offset _DEVPKEY_DeviceClass_Name
		dd 12h,	0Dh, 1
		dd offset _DEVPKEY_DeviceClass_UpperFilters
		dd 2012h, 12h, 7
		dd offset _DEVPKEY_DeviceClass_LowerFilters
		dd 2012h, 13h, 7
		dd offset _DEVPKEY_DeviceClass_Security
		dd 13h,	18h, 3
		dd offset _DEVPKEY_DeviceClass_SecuritySDS
		dd 14h,	19h, 1
		dd offset _DEVPKEY_DeviceClass_DevType
		dd 7, 1Ah, 4
		dd offset _DEVPKEY_DeviceClass_Exclusive
		dd 11h,	1Bh, 4
		dd offset _DEVPKEY_DeviceClass_Characteristics
		dd 7, 1Ch, 4
__CmDeviceRegPropMap dd	offset _DEVPKEY_Device_DeviceDesc
					; DATA XREF: _CmGetDeviceMappedPropertyFromRegProp+B2o
					; _CmGetDeviceMappedProperty:loc_802310r ...
		dd 12h,	2 dup(1)
		dd offset loc_4069E3+5
		dd 2012h, 2, 7
		dd offset _DEVPKEY_Device_CompatibleIds
		dd 2012h, 3, 7
		dd offset _DEVPKEY_Device_Service
		dd 12h,	5, 1
		dd offset _DEVPKEY_Device_Class
		dd 12h,	8, 1
		dd offset _DEVPKEY_Device_ClassGuid
		dd 0Dh,	9, 1
		dd offset _DEVPKEY_Device_Driver
		dd 12h,	0Ah, 1
		dd offset _DEVPKEY_Device_ConfigFlags
		dd 7, 0Bh, 4
		dd offset _DEVPKEY_Device_Manufacturer
		dd 12h,	0Ch, 1
		dd offset _DEVPKEY_Device_FriendlyName
		dd 12h,	0Dh, 1
		dd offset _DEVPKEY_Device_LocationInfo
		dd 12h,	0Eh, 1
		dd offset _DEVPKEY_Device_PDOName
		dd 12h,	0Fh, 1
		dd offset _DEVPKEY_Device_Capabilities
		dd 7, 10h, 4
		dd offset _DEVPKEY_Device_UINumber
		dd 7, 11h, 4
		dd offset _DEVPKEY_Device_UpperFilters
		dd 2012h, 12h, 7
		dd offset _DEVPKEY_Device_LowerFilters
		dd 2012h, 13h, 7
		dd offset _DEVPKEY_Device_BusTypeGuid
		dd 0Dh,	14h, 3
		dd offset _DEVPKEY_Device_LegacyBusType
		dd 7, 15h, 4
		dd offset _DEVPKEY_Device_BusNumber
		dd 7, 16h, 4
		dd offset _DEVPKEY_Device_EnumeratorName
		dd 12h,	17h, 1
		dd offset _DEVPKEY_Device_Security
		dd 13h,	18h, 3
		dd offset _DEVPKEY_Device_SecuritySDS
		dd 14h,	19h, 1
		dd offset _DEVPKEY_Device_DevType
		dd 7, 1Ah, 4
		dd offset _DEVPKEY_Device_Exclusive
		dd 11h,	1Bh, 4
		dd offset _DEVPKEY_Device_Characteristics
		dd 7, 1Ch, 4
		dd offset _DEVPKEY_Device_Address
		dd 7, 1Dh, 4
		dd offset _DEVPKEY_Device_UINumberDescFormat
		dd 12h,	1Eh, 1
		dd offset _DEVPKEY_Device_PowerData
		dd 1003h, 1Fh, 3
		dd offset _DEVPKEY_Device_RemovalPolicy
		dd 7, 20h, 4
		dd offset _DEVPKEY_Device_RemovalPolicyDefault
		dd 7, 21h, 4
		dd offset _DEVPKEY_Device_RemovalPolicyOverride
		dd 7, 22h, 4
		dd offset _DEVPKEY_Device_InstallState
		dd 7, 23h, 4
		dd offset _DEVPKEY_Device_BaseContainerId
		dd 0Dh,	25h, 1
off_A42C38	dd offset _DEVPKEY_DeviceClass_Icon
					; DATA XREF: _CmGetInstallerClassMappedPropertyFromRegValue+36o
					; _CmGetInstallerClassMappedProperty:loc_858F98r ...
		dd 12h
		dd offset ??_C@_19COFCBAE@?$AAI?$AAc?$AAo?$AAn@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_DeviceClass_ClassInstaller
		dd 12h
		dd offset ??_C@_1BI@BPCMDBKA@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAe?$AAr?$AA3?$AA2@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_DeviceClass_PropPageProvider
		dd 12h
		dd offset ??_C@_1CA@IBBBLONP@?$AAE?$AAn?$AAu?$AAm?$AAP?$AAr?$AAo?$AAp?$AAP?$AAa?$AAg?$AAe?$AAs?$AA3?$AA2@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_DeviceClass_NoInstallClass
		dd 11h
		dd offset ??_C@_1BO@MPEEJDBI@?$AAN?$AAo?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAC?$AAl?$AAa?$AAs?$AAs@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_DeviceClass_NoDisplayClass
		dd 11h
		dd offset ??_C@_1BO@DAOBINHA@?$AAN?$AAo?$AAD?$AAi?$AAs?$AAp?$AAl?$AAa?$AAy?$AAC?$AAl?$AAa?$AAs?$AAs@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_DeviceClass_SilentInstall
		dd 11h
		dd offset ??_C@_1BM@GGJNCOBC@?$AAS?$AAi?$AAl?$AAe?$AAn?$AAt?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_DeviceClass_NoUseClass
		dd 11h
		dd offset ??_C@_1BG@OPOOGLJC@?$AAN?$AAo?$AAU?$AAs?$AAe?$AAC?$AAl?$AAa?$AAs?$AAs@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_DeviceClass_DefaultService
		dd 12h
		dd offset ??_C@_1CA@IHGDELPO@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_DeviceClass_IconPath
		dd 2012h
		dd offset ??_C@_1BC@BKLNFDNF@?$AAI?$AAc?$AAo?$AAn?$AAP?$AAa?$AAt?$AAh@LBKOJDO@
		dd 7
		dd offset loc_410EDB+1
		dd 12h
		dd offset ??_C@_1CC@LCCGGDAB@?$AAL?$AAo?$AAw?$AAe?$AAr?$AAL?$AAo?$AAg?$AAo?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_DeviceClass_DHPRebalanceOptOut
		dd 11h
		dd offset ??_C@_1CG@CKOGFCLL@?$AAD?$AAH?$AAP?$AAR?$AAe?$AAb?$AAa?$AAl?$AAa?$AAn?$AAc?$AAe?$AAO?$AAp?$AAt@LBKOJDO@
		align 8
		dd offset _DEVPKEY_DeviceClass_LastDeleteDate
		dd 10h
		dd offset ??_C@_1BO@NHPFCBDB@?$AAL?$AAa?$AAs?$AAt?$AAD?$AAe?$AAl?$AAe?$AAt?$AAe?$AAD?$AAa?$AAt?$AAe@LBKOJDO@
		dd 3
		dd offset _DEVPKEY_DeviceClass_FSFilterClass
		dd 11h
		dd offset ??_C@_1BM@ODHILDJN@?$AAF?$AAS?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAC?$AAl?$AAa?$AAs?$AAs@LBKOJDO@
		dd 1
off_A42D08	dd offset _DEVPKEY_Device_DriverDate
					; DATA XREF: _CmSetDeviceMappedProperty:loc_86970Er
					; _CmDeleteDeviceMappedPropertyForAllDriverKeyRegValues(x,x)+11r ...
		dd 10h
		dd offset ??_C@_1BO@EKHJCODK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAe?$AAD?$AAa?$AAt?$AAa@LBKOJDO@
		dd 3
		dd offset _DEVPKEY_Device_DriverVersion
		dd 12h
		dd offset ??_C@_1BM@JBLBDIOG@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_Device_DriverDesc
		dd 12h
		dd offset ??_C@_1BG@DMHKAJIE@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAe?$AAs?$AAc@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_Device_DriverInfPath
		dd 12h
		dd offset ??_C@_1BA@KLBMOJJJ@?$AAI?$AAn?$AAf?$AAP?$AAa?$AAt?$AAh@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_Device_DriverInfSection
		dd 12h
		dd offset ??_C@_1BG@EIMGGAFA@?$AAI?$AAn?$AAf?$AAS?$AAe?$AAc?$AAt?$AAi?$AAo?$AAn@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_Device_DriverInfSectionExt
		dd 12h
		dd offset ??_C@_1BM@NKECGGPG@?$AAI?$AAn?$AAf?$AAS?$AAe?$AAc?$AAt?$AAi?$AAo?$AAn?$AAE?$AAx?$AAt@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_Device_MatchingDeviceId
		dd 12h
		dd offset ??_C@_1CC@EHFPJOIB@?$AAM?$AAa?$AAt?$AAc?$AAh?$AAi?$AAn?$AAg?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI@LBKOJDO@
		dd 1
		dd offset loc_41118C+4
		dd 12h
		dd offset ??_C@_1BK@IDHMMGND@?$AAP?$AAr?$AAo?$AAv?$AAi?$AAd?$AAe?$AAr?$AAN?$AAa?$AAm?$AAe@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_Device_DriverPropPageProvider
		dd 12h
		dd offset ??_C@_1CA@IBBBLONP@?$AAE?$AAn?$AAu?$AAm?$AAP?$AAr?$AAo?$AAp?$AAP?$AAa?$AAg?$AAe?$AAs?$AA3?$AA2@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_Device_DriverCoInstallers
		dd 2012h
		dd offset ??_C@_1BO@OGNECOBA@?$AAC?$AAo?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAe?$AAr?$AAs?$AA3?$AA2@LBKOJDO@
		dd 7
		dd offset _DEVPKEY_Device_ResourcePickerTags
		dd 12h
		dd offset ??_C@_1CG@PLOFMBCB@?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAP?$AAi?$AAc?$AAk?$AAe?$AAr?$AAT@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_Device_ResourcePickerExceptions
		dd 12h
		dd offset ??_C@_1DC@JMAOOCEC@?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAP?$AAi?$AAc?$AAk?$AAe?$AAr?$AAE@LBKOJDO@
		dd 1
		dd offset _DEVPKEY_Device_DriverIncludedInfs
		dd 2012h
		dd offset ??_C@_1BK@PIHNOJBM@?$AAI?$AAn?$AAc?$AAl?$AAu?$AAd?$AAe?$AAd?$AAI?$AAn?$AAf?$AAs@LBKOJDO@
		dd 7
off_A42DD8	dd offset _DEVPKEY_DeviceInterface_FriendlyName
					; DATA XREF: _CmGetDeviceInterfaceMappedPropertyFromRegValue+63o
					; _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x):loc_7FE43Br ...
		dd 12h
		dd offset _DEVPKEY_DeviceInterface_Enabled
		dd 11h
		dd offset _DEVPKEY_Device_InstanceId
		dd 12h
off_A42DF0	dd offset _DEVPKEY_Device_Reported
					; DATA XREF: _CmGetDeviceMappedProperty:loc_802340r
					; _CmSetDeviceMappedProperty:loc_869731r ...
		dd 11h
		dd offset ??_C@_1BO@DEANAFMF@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAR?$AAe?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd@LBKOJDO@
		align 10h
		dd offset _DEVPKEY_Device_InstallFlags
		dd 7
		dd offset ??_C@_1BK@JLNLHJCB@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAF?$AAl?$AAa?$AAg?$AAs@LBKOJDO@
		align 10h
off_A42E10	dd offset _DEVPKEY_NAME	; DATA XREF: _CmGetDeviceMappedProperty:loc_802360r
					; _CmSetDeviceMappedProperty:loc_869751r ...
		dd 12h
		dd offset _DEVPKEY_Device_InstanceId
		dd 12h
		dd offset _DEVPKEY_Device_DevNodeStatus
		dd 7
		dd offset _DEVPKEY_Device_ProblemCode
		dd 7
		dd offset _DEVPKEY_Device_ProblemStatus
		dd 18h
		dd offset _DEVPKEY_Device_EjectionRelations
		dd 2012h
		dd offset _DEVPKEY_Device_RemovalRelations
		dd 2012h
		dd offset _DEVPKEY_Device_PowerRelations
		dd 2012h
		dd offset _DEVPKEY_Device_BusRelations
		dd 2012h
		dd offset _DEVPKEY_Device_TransportRelations
		dd 2012h
		dd offset _DEVPKEY_Device_Parent
		dd 12h
		dd offset _DEVPKEY_Device_Children
		dd 2012h
		dd offset _DEVPKEY_Device_Siblings
		dd 2012h
		dd offset _DEVPKEY_Device_SafeRemovalRequired
		dd 11h
		dd offset _DEVPKEY_Device_ContainerId
		dd 0Dh
		dd offset _DEVPKEY_Device_IsPresent
		dd 11h
		dd offset _DEVPKEY_Device_HasProblem
		dd 11h
		dd offset _DEVPKEY_Device_IsConnected
		dd 11h
		dd offset _DEVPKEY_Device_IsRebootRequired
		dd 11h
		dd offset _DEVPKEY_Device_ReportedDeviceIdsHash	; "~\vT@Ej\vL\b"
		dd 7
		dd offset _DEVPKEY_Device_InLocalMachineContainer
		dd 11h
		dd offset _DEVPKEY_Device_Stack
		dd 2012h
		dd offset loc_410083+5
		dd 2012h
		dd offset _DEVPKEY_Device_DependencyDependents
		dd 2012h
		dd offset _DEVPKEY_Device_OmitFromSystemSpec
		dd 11h
		dd offset _DEVPKEY_Device_CompoundUpperFilters
		dd 2012h
		dd offset _DEVPKEY_Device_CompoundLowerFilters
		dd 2012h
off_A42EE8	dd offset _DEVPKEY_DeviceInterfaceClass_DefaultInterface
					; DATA XREF: _CmGetInterfaceClassMappedProperty:loc_7FB8FBr
					; _CmGetInterfaceClassMappedPropertyFromRegValue+57o ...
		dd 12h
off_A42EF0	dd offset _DEVPKEY_NAME	; DATA XREF: _CmGetDeviceInterfaceMappedProperty(x,x,x,x,x,x,x,x,x):loc_7FE45Er
					; _CmSetDeviceInterfaceMappedProperty:loc_86D60Dr ...
		dd 12h
		db  18h	;  OFF32 SEGDEF	[_text,407B18]
; 
		jnp	short loc_A42F3B

loc_A42EFB:				; CODE XREF: PAGE:00A42F55j
		add	ds:74000000h, cl
		add	[ecx+0], al
		adc	al, [eax]
; 
		dw 0
		dd offset _DEVPKEY_Device_ContainerId
		dd 0Dh
off_A42F10	dd offset _DEVPKEY_NAME	; DATA XREF: _CmGetInstallerClassMappedProperty:loc_858FC4r
					; _CmGetInstallerClassMappedPropertyKeys(x,x,x,x,x,x,x)+17Cr ...
		dd 12h
		dd offset _DEVPKEY_DeviceClass_Configurable
		dd 11h
		dd offset _DEVPKEY_DeviceClass_CompoundUpperFilters
		dd 2012h
		dd offset _DEVPKEY_DeviceClass_CompoundLowerFilters
		dd 2012h
off_A42F30	dd offset _DEVPKEY_NAME	; DATA XREF: _CmGetInterfaceClassMappedProperty:loc_913E04r
					; _CmGetInterfaceClassMappedPropertyKeys(x,x,x,x,x,x,x)+CFr ...
		dd 12h
; 

_TransportName:
		rol	byte ptr [eax],	0C2h

loc_A42F3B:				; CODE XREF: PAGE:00A42EF9j
					; DATA XREF: SbpStartLanman()+53o
		add	[eax+3000A46Fh], dh
		add	[edx], dh
		add	[eax+esi*2-5Ch], dh
		add	[edx], bl	; DATA XREF: RamdiskStart(x)+3CDo
		add	[eax+eax], bl
		test	al, 70h
		movsb
; 
		db 0
; 

_ObpSilosDirectoryName:			; DATA XREF: ObGetSiloRootDirectoryPath(x,x):loc_A3CF04o
					; ObpGetSilosRootDirectory(x)+F7o
		or	al, 0
		push	cs
		add	ah, al
		jo	short loc_A42EFB

loc_A42F57:				; DATA XREF: PAGE:_CmTypeStringo
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
		dd 0
; 

??_C@_1CC@GHGIBEHL@?$AAC?$AAe?$AAn?$AAt?$AAr?$AAa?$AAl?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo@LBKOJDO@:
					; DATA XREF: PAGE:00A3F52Co
		inc	ebx
		add	[ebp+0], ah
		outsb
		add	[eax+eax+72h], dh
		add	[ecx+0], ah
		insb
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		outsd
		add	[edx+0], dh
; 
		dd 0
; 

??_C@_1CO@KLKKJNCD@?$AAF?$AAl?$AAo?$AAa?$AAt?$AAi?$AAn?$AAg?$AAP?$AAo?$AAi?$AAn?$AAt?$AAP?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:00A3F530o
		inc	esi
		add	[eax+eax+6Fh], ch
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 67006Eh
		push	eax
		add	[edi+0], ch
		imul	eax, [eax], 74006Eh
		push	eax
		add	[edx+0], dh
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		outsd
		add	[edx+0], dh
; 
		dd 0
; 

??_C@_1BM@GCEPECGH@?$AAP?$AAr?$AAi?$AAm?$AAa?$AAr?$AAy?$AAI?$AAC?$AAa?$AAc?$AAh?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A3F534o
		push	eax
		add	[edx+0], dh
		imul	eax, [eax], 61006Dh
		jb	short $+2
		jns	short $+2
		dec	ecx
		add	[ebx+0], al
		popa
		add	[ebx+0], ah
		push	6500h
; 
		db 0
; 

??_C@_1BM@NFLFDCDM@?$AAP?$AAr?$AAi?$AAm?$AAa?$AAr?$AAy?$AAD?$AAC?$AAa?$AAc?$AAh?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A3F538o
		push	eax
		add	[edx+0], dh
		imul	eax, [eax], 61006Dh
		jb	short $+2
		jns	short $+2
		inc	esp
		add	[ebx+0], al
		popa
		add	[ebx+0], ah
		push	6500h

loc_A42FF3:				; DATA XREF: PAGE:00A3F53Co
		add	[ebx+0], dl
		add	gs:[ebx+0], ah
		outsd
		add	[esi+0], ch
		add	fs:[ecx+0], ah
		jb	short $+2
		jns	short $+2
		dec	ecx
		add	[ebx+0], al
		popa
		add	[ebx+0], ah
		push	6500h

loc_A43013:				; DATA XREF: PAGE:00A3F540o
		add	[ebx+0], dl
		add	gs:[ebx+0], ah
		outsd
		add	[esi+0], ch
		add	fs:[ecx+0], ah
		jb	short $+2
		jns	short $+2
		inc	esp
		add	[ebx+0], al
		popa
		add	[ebx+0], ah
		push	6500h

loc_A43033:				; DATA XREF: PAGE:00A3F544o
		add	[ebx+0], dl
		add	gs:[ebx+0], ah
		outsd
		add	[esi+0], ch
		add	fs:[ecx+0], ah
		jb	short $+2
		jns	short $+2
		inc	ebx
		add	[ecx+0], ah
		arpl	[eax], ax
		push	6500h
; 
		db 3 dup(0)
; 

??_C@_1BI@PHEFAEKH@?$AAE?$AAi?$AAs?$AAa?$AAA?$AAd?$AAa?$AAp?$AAt?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:off_A3F548o
		inc	ebp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[ecx+0], al
		add	fs:[ecx+0], ah
		jo	short $+2
		jz	short $+2
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1BE@IHHIDKBI@?$AAT?$AAc?$AAA?$AAd?$AAa?$AAp?$AAt?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:off_A3F54Co
		push	esp
		add	[ebx+0], ah
		inc	ecx
		add	[eax+eax+61h], ah
		add	[eax+0], dh
		jz	short $+2
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1BI@LIFBGIEG@?$AAS?$AAc?$AAs?$AAi?$AAA?$AAd?$AAa?$AAp?$AAt?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:00A3F550o
		push	ebx
		add	[ebx+0], ah
		jnb	short $+2
		imul	eax, [eax], 640041h
		popa
		add	[eax+0], dh
		jz	short $+2
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1BG@LOBCDFDG@?$AAD?$AAt?$AAi?$AAA?$AAd?$AAa?$AAp?$AAt?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:00A3F554o
		inc	esp
		add	[eax+eax+69h], dh
		add	[ecx+0], al
		add	fs:[ecx+0], ah
		jo	short $+2
		jz	short $+2
		add	gs:[edx+0], dh
; 
		dd 0
; 

??_C@_1CK@BONJKOHP@?$AAM?$AAu?$AAl?$AAt?$AAi?$AAf?$AAu?$AAn?$AAc?$AAt?$AAi?$AAo?$AAn?$AAA?$AAd@LBKOJDO@:
					; DATA XREF: PAGE:off_A3F558o
		dec	ebp
		add	[ebp+0], dh
		insb
		add	[eax+eax+69h], dh
		add	[esi+0], ah
		jnz	short $+2
		outsb
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		inc	ecx
		add	[eax+eax+61h], ah
		add	[eax+0], dh
		jz	short $+2
		add	gs:[edx+0], dh
; 
		dd 0
; 

??_C@_1BO@NBDLLCOE@?$AAD?$AAi?$AAs?$AAk?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:00A3F55Co
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		imul	eax, [eax], 43h
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+65h], ch
		add	[edx+0], dh
; 
		dd 0
; 

??_C@_1BO@DMBPOFBI@?$AAT?$AAa?$AAp?$AAe?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:00A3F560o
		push	esp
		add	[ecx+0], ah
		jo	short $+2
		add	gs:[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+6Ch], ch
		add	[ebp+0], ah
		jb	short $+2
; 
		dd 0
; 

??_C@_1CA@NCNEDNBG@?$AAC?$AAd?$AAR?$AAo?$AAm?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:00A3F564o
		inc	ebx
		add	[eax+eax+52h], ah
		add	[edi+0], ch
		insd
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+6Ch], ch
		add	[ebp+0], ah
		jb	short $+2
; 
		dw 0
; 

??_C@_1BO@LHOKFBHH@?$AAW?$AAo?$AAr?$AAm?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:00A3F568o
		push	edi
		add	[edi+0], ch
		jb	short $+2
		insd
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+6Ch], ch
		add	[ebp+0], ah
		jb	short $+2
; 
		dd 0
; 

??_C@_1CC@BHFHDMKO@?$AAS?$AAe?$AAr?$AAi?$AAa?$AAl?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A3F56Co
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 6C0061h
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+65h], ch
		add	[edx+0], dh
; 
		dd 0
; 

??_C@_1CE@EOABGGPC@?$AAN?$AAe?$AAt?$AAw?$AAo?$AAr?$AAk?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl@LBKOJDO@:
					; DATA XREF: PAGE:00A3F570o
		dec	esi
		add	[ebp+0], ah
		jz	short $+2
		ja	short $+2
		outsd
		add	[edx+0], dh
		imul	eax, [eax], 43h
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+65h], ch
		add	[edx+0], dh
; 
		dw 0
; 

??_C@_1CE@FDGHAKKG@?$AAD?$AAi?$AAs?$AAp?$AAl?$AAa?$AAy?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl@LBKOJDO@:
					; DATA XREF: PAGE:00A3F574o
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		jo	short $+2
		insb
		add	[ecx+0], ah
		jns	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+65h], ch
		add	[edx+0], dh
; 
		dw 0
; 

??_C@_1CG@INBLODGN@?$AAP?$AAa?$AAr?$AAa?$AAl?$AAl?$AAe?$AAl?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@LBKOJDO@:
					; DATA XREF: PAGE:00A3F578o
		push	eax
		add	[ecx+0], ah
		jb	short $+2
		popa
		add	[eax+eax+6Ch], ch
		add	[ebp+0], ah
		insb
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+6Ch], ch
		add	[ebp+0], ah
		jb	short $+2
; 
		dd 0
; 

??_C@_1CE@OAFMNDDC@?$AAP?$AAo?$AAi?$AAn?$AAt?$AAe?$AAr?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl@LBKOJDO@:
					; DATA XREF: PAGE:00A3F57Co
		push	eax
		add	[edi+0], ch
		imul	eax, [eax], 74006Eh
		add	gs:[edx+0], dh
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+65h], ch
		add	[edx+0], dh
; 
		dw 0
; 

??_C@_1CG@EPHKBOAL@?$AAK?$AAe?$AAy?$AAb?$AAo?$AAa?$AAr?$AAd?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@LBKOJDO@:
					; DATA XREF: PAGE:00A3F580o
		dec	ebx
		add	[ebp+0], ah
		jns	short $+2
		bound	eax, [eax]
		outsd
		add	[ecx+0], ah
		jb	short $+2
		add	fs:[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+6Ch], ch
		add	[ebp+0], ah
		jb	short $+2
; 
		dd 0
; 

??_C@_1CA@GICEICIJ@?$AAA?$AAu?$AAd?$AAi?$AAo?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:00A3F584o
		inc	ecx
		add	[ebp+0], dh
		add	fs:[ecx+0], ch
		outsd
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+6Ch], ch
		add	[ebp+0], ah
		jb	short $+2
; 
		dw 0
; 

??_C@_1CA@MPJPFNOP@?$AAO?$AAt?$AAh?$AAe?$AAr?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:00A3F588o
		dec	edi
		add	[eax+eax+68h], dh
		add	[ebp+0], ah
		jb	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+65h], ch
		add	[edx+0], dh
; 
		dw 0
; 

??_C@_1BO@OABDOLEF@?$AAD?$AAi?$AAs?$AAk?$AAP?$AAe?$AAr?$AAi?$AAp?$AAh?$AAe?$AAr?$AAa?$AAl@LBKOJDO@:
					; DATA XREF: PAGE:00A3F58Co
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		imul	eax, [eax], 50h
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 680070h
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1CK@BMIHPOLL@?$AAF?$AAl?$AAo?$AAp?$AAp?$AAy?$AAD?$AAi?$AAs?$AAk?$AAP?$AAe?$AAr?$AAi?$AAp@LBKOJDO@:
					; DATA XREF: PAGE:00A3F590o
		inc	esi
		add	[eax+eax+6Fh], ch
		add	[eax+0], dh
		jo	short $+2
		jns	short $+2
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		imul	eax, [eax], 50h
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 680070h
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1BO@NDHLMLJ@?$AAT?$AAa?$AAp?$AAe?$AAP?$AAe?$AAr?$AAi?$AAp?$AAh?$AAe?$AAr?$AAa?$AAl@LBKOJDO@:
					; DATA XREF: PAGE:00A3F594o
		push	esp
		add	[ecx+0], ah
		jo	short $+2
		add	gs:[eax+0], dl
		add	gs:[edx+0], dh
		imul	eax, [eax], 680070h
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1CA@FNEPGGCI@?$AAM?$AAo?$AAd?$AAe?$AAm?$AAP?$AAe?$AAr?$AAi?$AAp?$AAh?$AAe?$AAr?$AAa?$AAl@LBKOJDO@:
					; DATA XREF: PAGE:00A3F598o
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], ah
		insd
		add	[eax+0], dl
		add	gs:[edx+0], dh
		imul	eax, [eax], 680070h
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+0], ch

loc_A43307:				; DATA XREF: PAGE:00A3F59Co
		add	[ebp+0], cl
		outsd
		add	[esi+0], ch
		imul	eax, [eax], 6F0074h
		jb	short $+2
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 680070h
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+0], ch

loc_A4332B:				; DATA XREF: PAGE:00A3F5A0o
		add	[eax+0], dl
		jb	short $+2
		imul	eax, [eax], 74006Eh
		add	gs:[edx+0], dh
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 680070h
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+0], ch

loc_A4334F:				; DATA XREF: PAGE:00A3F5A4o
		add	[eax+0], dl
		outsd
		add	[ecx+0], ch
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 680070h
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+0], ch

loc_A43373:				; DATA XREF: PAGE:00A3F5A8o
		add	[ebx+0], cl
		add	gs:[ecx+0], bh
		bound	eax, [eax]
		outsd
		add	[ecx+0], ah
		jb	short $+2
		add	fs:[eax+0], dl
		add	gs:[edx+0], dh
		imul	eax, [eax], 680070h
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1CG@KJFBDCKC@?$AAT?$AAe?$AAr?$AAm?$AAi?$AAn?$AAa?$AAl?$AAP?$AAe?$AAr?$AAi?$AAp?$AAh?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A3F5ACo
		push	esp
		add	[ebp+0], ah
		jb	short $+2
		insd
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ah
		insb
		add	[eax+0], dl
		add	gs:[edx+0], dh
		imul	eax, [eax], 680070h
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1CA@POLHAEEO@?$AAO?$AAt?$AAh?$AAe?$AAr?$AAP?$AAe?$AAr?$AAi?$AAp?$AAh?$AAe?$AAr?$AAa?$AAl@LBKOJDO@:
					; DATA XREF: PAGE:00A3F5B0o
		dec	edi
		add	[eax+eax+68h], dh
		add	[ebp+0], ah
		jb	short $+2
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 680070h
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+0], ch

loc_A433E3:				; DATA XREF: PAGE:00A3F5B4o
		add	[eax+eax+69h], cl
		add	[esi+0], ch
		add	gs:[eax+0], dl
		add	gs:[edx+0], dh
		imul	eax, [eax], 680070h
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1CE@HPCJDPFD@?$AAN?$AAe?$AAt?$AAw?$AAo?$AAr?$AAk?$AAP?$AAe?$AAr?$AAi?$AAp?$AAh?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:00A3F5B8o
		dec	esi
		add	[ebp+0], ah
		jz	short $+2
		ja	short $+2
		outsd
		add	[edx+0], dh
		imul	eax, [eax], 50h
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 680070h
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+0], ch
; 
		db 0
; 

??_C@_1BK@GDHDNALB@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy@LBKOJDO@:
					; DATA XREF: PAGE:00A3F5BCo
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jb	short $+2
		jns	short $+2
; 
		dd 0
; 

??_C@_1CG@ONFLCPHN@?$AAD?$AAo?$AAc?$AAk?$AAi?$AAn?$AAg?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa?$AAt@LBKOJDO@:
					; DATA XREF: PAGE:00A3F5C0o
		inc	esp
		add	[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 69h
		add	[esi+0], ch
		add	[bx+di+0], cl
		outsb
		add	[esi+0], ah
		outsd
		add	[edx+0], dh
		insd
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_1DA@JIDFBLKA@?$AAR?$AAe?$AAa?$AAl?$AAM?$AAo?$AAd?$AAe?$AAI?$AAr?$AAq?$AAR?$AAo?$AAu?$AAt@LBKOJDO@:
					; DATA XREF: PAGE:00A3F5C4o
		push	edx
		add	[ebp+0], ah
		popa
		add	[eax+eax+4Dh], ch
		add	[edi+0], ch
		add	fs:[ebp+0], ah
		dec	ecx
		add	[edx+0], dh
		jno	short $+2
		push	edx
		add	[edi+0], ch
		jnz	short $+2
		jz	short $+2
		imul	eax, [eax], 67006Eh
		push	esp
		add	[ecx+0], ah
		bound	eax, [eax]
		insb
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1CO@LCDGCCNJ@?$AAR?$AAe?$AAa?$AAl?$AAM?$AAo?$AAd?$AAe?$AAP?$AAC?$AAI?$AAE?$AAn?$AAu?$AAm@LBKOJDO@:
					; DATA XREF: PAGE:00A3F5C8o
		push	edx
		add	[ebp+0], ah
		popa
		add	[eax+eax+4Dh], ch
		add	[edi+0], ch
		add	fs:[ebp+0], ah
		push	eax
		add	[ebx+0], al
		dec	ecx
		add	[ebp+0], al
		outsb
		add	[ebp+0], dh
		insd
		add	[ebp+0], ah
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 0
		dd 0
; 

??_C@_1BE@NGPHOPKF@?$AAU?$AAn?$AAd?$AAe?$AAf?$AAi?$AAn?$AAe?$AAd@LBKOJDO@:
					; DATA XREF: PAGE:00A3F5CCo
		push	ebp
		add	[esi+0], ch
		add	fs:[ebp+0], ah
		db	66h
		add	[ecx+0], ch
		outsb
		add	[ebp+0], ah
		add	fs:[eax], al
		add	[eax+eax+53h], bl
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+0], dh
		add	[eax+eax+4Fh], bl
		add	[ebx+0], dl
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
		add	[edx+0], dl
		outsd
		add	[edi+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1BE@MOENMHEO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+4o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
; 
		db 3 dup(0)
; 

??_C@_1CE@BGEMHEPM@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+13o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
; 
		db 3 dup(0)
; 

??_C@_1DG@ODDNOCB@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+22o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+48h], bl
		add	[ecx+0], al
		push	edx
		add	[eax+eax+57h], al
		add	[ecx+0], al
		push	edx
		add	[ebp+0], al
; 
		dd 0
; 

??_C@_1EO@DMECHFLJ@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+31o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+48h], bl
		add	[ecx+0], al
		push	edx
		add	[eax+eax+57h], al
		add	[ecx+0], al
		push	edx
		add	[ebp+0], al
		pop	esp
		add	[eax+eax+45h], al
		add	[ebx+0], dl
		inc	ebx
		add	[edx+0], dl
		dec	ecx
		add	[eax+0], dl
		push	esp
		add	[ecx+0], cl
		dec	edi
		add	[esi+0], cl
; 
		dd 0
; 

??_C@_1FM@PPGHCFAK@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+40o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+48h], bl
		add	[ecx+0], al
		push	edx
		add	[eax+eax+57h], al
		add	[ecx+0], al
		push	edx
		add	[ebp+0], al
		pop	esp
		add	[eax+eax+45h], al
		add	[ebx+0], dl
		inc	ebx
		add	[edx+0], dl
		dec	ecx
		add	[eax+0], dl
		push	esp
		add	[ecx+0], cl
		dec	edi
		add	[esi+0], cl
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al
		dec	ebp
; 
		db 3 dup(0)
		align 10h

??_C@_1EK@KCBLDELJ@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+4Fo
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+48h], bl
		add	[ecx+0], al
		push	edx
		add	[eax+eax+57h], al
		add	[ecx+0], al
		push	edx
		add	[ebp+0], al
		pop	esp
		add	[eax+eax+45h], al
		add	[esi+0], dl
		dec	ecx
		add	[ebx+0], al
		inc	ebp
		add	[ebp+0], cl
		inc	ecx
		add	[eax+0], dl
; 
		dd 2 dup(0)
; 

??_C@_1EO@IGPCEENG@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+5Eo
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+48h], bl
		add	[ecx+0], al
		push	edx
		add	[eax+eax+57h], al
		add	[ecx+0], al
		push	edx
		add	[ebp+0], al
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[ebx+0], dl
		dec	edi
		add	[ebp+0], dl
		push	edx
		add	[ebx+0], al
		inc	ebp
		add	[ebp+0], cl
		inc	ecx
		add	[eax+0], dl
; 
		dd 0
; 

??_C@_1EI@GLMAMPDA@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+6Do
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+48h], bl
		add	[ecx+0], al
		push	edx
		add	[eax+eax+57h], al
		add	[ecx+0], al
		push	edx
		add	[ebp+0], al
		pop	esp
		add	[edi+0], cl
		push	edi
		add	[esi+0], cl
		inc	ebp
		add	[edx+0], dl
		dec	ebp
		add	[ecx+0], al
		push	eax
; 
		db 3 dup(0)
; 

??_C@_1DC@GKOJGBFO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+7Co
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
; 
		dd 2 dup(0)
; 

??_C@_1FG@FGBKPELI@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+8Bo
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		push	ebp
		add	[edx+0], dl
		push	edx
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+43h], dl
		add	[edi+0], cl
		dec	esi
		add	[eax+eax+52h], dl
		add	[edi+0], cl
		dec	esp
		add	[ebx+0], dl
		inc	ebp
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
??_C@_1GA@LDINLKCH@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@ db 5Ch
					; DATA XREF: PAGE:00A3F4DDr
					; CmpInitializeRegistryNames()+D6o
		align 2
		dw 52h
aEgistryMachine:
		unicode	0, <EGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM>,0
; 

??_C@_1GK@GHCECGGJ@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+E5o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		push	ebp
		add	[edx+0], dl
		push	edx
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+43h], dl
		add	[edi+0], cl
		dec	esi
		add	[eax+eax+52h], dl
		add	[edi+0], cl
		dec	esp
		add	[ebx+0], dl
		inc	ebp
		add	[eax+eax+5Ch], dl
		add	[ebp+0], al
		dec	esi
		add	[ebp+0], dl
		dec	ebp
		add	[eax+eax+52h], bl
		add	[edi+0], cl
		dec	edi
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
		align 8

??_C@_1GI@KDCMPEIG@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+F4o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		push	ebp
		add	[edx+0], dl
		push	edx
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+43h], dl
		add	[edi+0], cl
		dec	esi
		add	[eax+eax+52h], dl
		add	[edi+0], cl
		dec	esp
		add	[ebx+0], dl
		inc	ebp
		add	[eax+eax+5Ch], dl
		add	[ebx+0], dl
		inc	ebp
		add	[edx+0], dl
		push	esi
		add	[ecx+0], cl
		inc	ebx
		add	[ebp+0], al
		push	ebx
; 
		db 3 dup(0)
??_C@_1IK@HBJLIGFJ@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@ dd 52005Ch
					; DATA XREF: PAGE:00A3F4D1r
					; CmpInitializeRegistryNames()+103o
aEgistryMachi_0:
		unicode	0, <EGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILE>
		unicode	0, <S\CURRENT>,0
		align 10h

??_C@_1HC@HJNLJPFC@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+112o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		push	ebp
		add	[edx+0], dl
		push	edx
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+43h], dl
		add	[edi+0], cl
		dec	esi
		add	[eax+eax+52h], dl
		add	[edi+0], cl
		dec	esp
		add	[ebx+0], dl
		inc	ebp
		add	[eax+eax+5Ch], dl
		add	[ebx+0], al
		dec	edi
		add	[esi+0], cl
		push	esp
		add	[edx+0], dl
		dec	edi
		add	[eax+eax+5Ch], cl
		add	[ebx+0], al
		dec	esp
		add	[ecx+0], al
		push	ebx
		add	[ebx+0], dl
; 
		dd 2 dup(0)
; 

??_C@_1HI@JLNEJCDM@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+121o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		push	ebp
		add	[edx+0], dl
		push	edx
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+43h], dl
		add	[edi+0], cl
		dec	esi
		add	[eax+eax+52h], dl
		add	[edi+0], cl
		dec	esp
		add	[ebx+0], dl
		inc	ebp
		add	[eax+eax+5Ch], dl
		add	[ebx+0], al
		dec	edi
		add	[esi+0], cl
		push	esp
		add	[edx+0], dl
		dec	edi
		add	[eax+eax+5Ch], cl
		add	[ebx+0], dl
		inc	ecx
		add	[esi+0], al
		inc	ebp
		add	[edx+0], al
		dec	edi
		add	[edi+0], cl
		push	esp
; 
		db 3 dup(0)
??_C@_1KK@OBGIGMAN@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@ dd 52005Ch
					; DATA XREF: PAGE:00A3F4C5r
					; CmpInitializeRegistryNames()+130o
aEgistryMachi_1:
		unicode	0, <EGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION >
		unicode	0, <MANAGER\MEMORY MANAGEMENT>,0
		align 10h

??_C@_1HG@FIOMGKDP@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+13Fo
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		push	ebp
		add	[edx+0], dl
		push	edx
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+43h], dl
		add	[edi+0], cl
		dec	esi
		add	[eax+eax+52h], dl
		add	[edi+0], cl
		dec	esp
		add	[ebx+0], dl
		inc	ebp
		add	[eax+eax+5Ch], dl
		add	[ebx+0], al
		dec	edi
		add	[esi+0], cl
		push	esp
		add	[edx+0], dl
		dec	edi
		add	[eax+eax+5Ch], cl
		add	[edx+0], al
		dec	edi
		add	[edi+0], cl
		push	esp
		add	[eax+eax+4Fh], cl
		add	[edi+0], al
; 
		dd 0
; 

??_C@_1HK@IDPKCGLJ@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+14Eo
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		push	ebp
		add	[edx+0], dl
		push	edx
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+43h], dl
		add	[edi+0], cl
		dec	esi
		add	[eax+eax+52h], dl
		add	[edi+0], cl
		dec	esp
		add	[ebx+0], dl
		inc	ebp
		add	[eax+eax+5Ch], dl
		add	[ebx+0], dl
		inc	ebp
		add	[edx+0], dl
		push	esi
		add	[ecx+0], cl
		inc	ebx
		add	[ebp+0], al
		push	ebx
		add	[eax+eax+45h], bl
		add	[esi+0], dl
		inc	ebp
		add	[esi+0], cl
		push	esp
		add	[eax+eax+4Fh], cl
		add	[edi+0], al
; 
		dd 2 dup(0)
??_C@_1HO@BGPGFBAF@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpReadBuildLab(x,x)+10o
		unicode	0, <\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVE>
		unicode	0, <RSION>,0
		align 4

; void ??_C
??_C@_1IK@DKMPJJDM@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: CmpRecordShutdownStopTime()+5Eo
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[edi+0], cl
		inc	esi
		add	[eax+eax+57h], dl
		add	[ecx+0], al
		push	edx
		add	[ebp+0], al
		pop	esp
		add	[ebp+0], cl
		dec	ecx
		add	[ebx+0], al
		push	edx
		add	[edi+0], cl
		push	ebx
		add	[edi+0], cl
		inc	esi
		add	[eax+eax+5Ch], dl
		add	[edi+0], dl
		dec	ecx
		add	[esi+0], cl
		inc	esp
		add	[edi+0], cl
		push	edi
		add	[ebx+0], dl
		pop	esp
		add	[ebx+0], al
		push	ebp
		add	[edx+0], dl
		push	edx
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+56h], dl
		add	[ebp+0], al
		push	edx
		add	[ebx+0], dl
		dec	ecx
		add	[edi+0], cl
		dec	esi
		add	[eax+eax+53h], bl
		add	[eax+0], cl
		push	ebp
		add	[eax+eax+44h], dl
		add	[edi+0], cl
		push	edi
		add	[esi+0], cl
; 
		dd 0
; 

??_C@_1BO@PBBLJICK@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAU?$AAS?$AAE?$AAR@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+9Ao
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+55h], bl
		add	[ebx+0], dl
		inc	ebp
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_1BK@GILENGI@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAW?$AAC@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+A9o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+57h], bl
		add	[ebx+0], al
; 
		dd 0
; 

??_C@_1BI@IOMEIGOA@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAA@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+B8o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+41h], bl
; 
		db 3 dup(0)
; 

??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+C7o
		push	ebx
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
; 
		dd 0
; 

??_C@_1DM@HHDLMKAF@?$AAC?$AAO?$AAN?$AAT?$AAR?$AAO?$AAL?$AAS?$AAE?$AAT?$AA0?$AA0?$AA1?$AA?2?$AAS@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+16Co
		inc	ebx
		add	[edi+0], cl
		dec	esi
		add	[eax+eax+52h], dl
		add	[edi+0], cl
		dec	esp
		add	[ebx+0], dl
		inc	ebp
		add	[eax+eax+30h], dl
		add	[eax], dh
		add	[ecx], dh
		add	[eax+eax+53h], bl
		add	[ebp+0], al
		push	edx
		add	[esi+0], dl
		dec	ecx
		add	[ebx+0], al
		inc	ebp
		add	[ebx+0], dl
		pop	esp
		add	[ebp+0], cl
		push	eax
		add	[ebx+0], dl
		push	ebx
		add	[esi+0], dl
		inc	ebx
; 
		db 3 dup(0)
??_C@_1CC@PLGBKPMK@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo@LBKOJDO@:
					; DATA XREF: CmpInterlockedFunction+97o
		unicode	0, <ProcessorControl>,0
		align 4

??_C@_1CE@CFOIKICP@?$AAS?$AAy?$AAm?$AAb?$AAo?$AAl?$AAi?$AAc?$AAL?$AAi?$AAn?$AAk?$AAV?$AAa?$AAl@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+15Do
		push	ebx
		add	[ecx+0], bh
		insd
		add	[edx+0], ah
		outsd
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		dec	esp
		add	[ecx+0], ch
		outsb
		add	[ebx+0], ch
		push	esi
		add	[ecx+0], ah
		insb
		add	[ebp+0], dh
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1BC@HDFELGIF@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy@LBKOJDO@:
					; DATA XREF: CmpInitializeRegistryNames()+17Bo
		push	edx
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
; 
		dd 0
; 

??_C@_19MLBOKLHF@?$AA?4?$AAL?$AAO?$AAG@LBKOJDO@: ; DATA	XREF: PAGE:00A3F484o
		add	cs:[eax+eax+4Fh], cl
		add	[edi+0], al
; 
		dd 0
; 

??_C@_1M@FLNLKDAJ@?$AA?4?$AAL?$AAO?$AAG?$AA1@LBKOJDO@: ; DATA XREF: PAGE:00A3F490o
		add	cs:[eax+eax+4Fh], cl
		add	[edi+0], al
		xor	[eax], eax
; 
		dw 0
; 

??_C@_1M@EJGOAMOH@?$AA?4?$AAL?$AAO?$AAG?$AA2@LBKOJDO@: ; DATA XREF: PAGE:00A3F494o
		add	cs:[eax+eax+4Fh], cl
		add	[edi+0], al
		xor	al, [eax]
; 
		dw 0
; 

??_C@_1DA@DDOGAFBM@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn@LBKOJDO@:
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+53h], bl
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
; 
		dw 0
; 

??_C@_1BO@LOIKKPLA@?$AAC?$AAS?$AAD?$AAB?$AAu?$AAi?$AAl?$AAd?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@LBKOJDO@:
		inc	ebx
		add	[ebx+0], dl
		inc	esp
		add	[edx+0], al
		jnz	short $+2
		imul	eax, [eax], 64006Ch
		dec	esi
		add	[ebp+0], dh
		insd
		add	[edx+0], ah
		add	gs:[edx+0], dh
; 
		dd 0
; 

??_C@_1BG@MEBEMGBM@?$AAC?$AAS?$AAD?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@LBKOJDO@:
		inc	ebx
		add	[ebx+0], dl
		inc	esp
		add	[esi+0], dl
		add	gs:[edx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_1BA@OFLJGHK@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@LBKOJDO@:
		inc	ebx
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1CG@HMPMFHA@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAB?$AAu?$AAi?$AAl?$AAd?$AAN?$AAu?$AAm@LBKOJDO@:
		inc	ebx
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	edx
		add	[ebp+0], dh
		imul	eax, [eax], 64006Ch
		dec	esi
		add	[ebp+0], dh
		insd
		add	[edx+0], ah
		add	gs:[edx+0], dh
; 
		dd 0
; 

??_C@_1BK@MIHJMJHO@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAB?$AAu?$AAi?$AAl?$AAd@LBKOJDO@:
		inc	ebx
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	edx
		add	[ebp+0], dh
		imul	eax, [eax], 64006Ch
; 
		dd 0
; 

??_C@_17KEIPLBHK@?$AAU?$AAB?$AAR@LBKOJDO@:
		push	ebp
		add	[edx+0], al
		push	edx
; 
		db 3 dup(0)
; 

??_C@_1BI@CBJMDBLL@?$AAB?$AAu?$AAi?$AAl?$AAd?$AAB?$AAr?$AAa?$AAn?$AAc?$AAh@LBKOJDO@:
		inc	edx
		add	[ebp+0], dh
		imul	eax, [eax], 64006Ch
		inc	edx
		add	[edx+0], dh
		popa
		add	[esi+0], ch
		arpl	[eax], ax
; 
		dd 68h
; 

??_C@_1BC@HJOIIEGB@?$AAB?$AAu?$AAi?$AAl?$AAd?$AAL?$AAa?$AAb@LBKOJDO@:
		inc	edx
		add	[ebp+0], dh
		imul	eax, [eax], 64006Ch
		dec	esp
		add	[ecx+0], ah
		bound	eax, [eax]
; 
		dd 0
; 

??_C@_1BG@CLMGIAOK@?$AAB?$AAu?$AAi?$AAl?$AAd?$AAL?$AAa?$AAb?$AAE?$AAx@LBKOJDO@:
		inc	edx
		add	[ebp+0], dh
		imul	eax, [eax], 64006Ch
		dec	esp
		add	[ecx+0], ah
		bound	eax, [eax]
		inc	ebp
		add	[eax+0], bh
; 
		dd 0
; 

??_C@_1BM@EBFHNJCL@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@LBKOJDO@:
		inc	ebx
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 67h

??_C@_1BI@GMMLCOHC@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAT?$AAy?$AAp?$AAe@LBKOJDO@:
		inc	ebx
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		push	esp
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[eax], al
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_1DE@FEFODBMC@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAM?$AAa?$AAj?$AAo?$AAr?$AAV?$AAe?$AAr@LBKOJDO@:
		inc	ebx
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		dec	ebp
		add	[ecx+0], ah
		push	0
		outsd
		add	[edx+0], dh
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		dec	esi
		add	[ebp+0], dh
		insd
		add	[edx+0], ah
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1DE@LGPHMEDE@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAM?$AAi?$AAn?$AAo?$AAr?$AAV?$AAe?$AAr@LBKOJDO@:
		inc	ebx
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		dec	ebp
		add	[ecx+0], ch
		outsb
		add	[edi+0], ch
		jb	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		dec	esi
		add	[ebp+0], dh
		insd
		add	[edx+0], ah
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1IO@GJAPCHJE@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
					; DATA XREF: PAGE:00A3F644o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[edi+0], cl
		inc	esi
		add	[eax+eax+57h], dl
		add	[ecx+0], al
		push	edx
		add	[ebp+0], al
		pop	esp
		add	[ebp+0], cl
		dec	ecx
		add	[ebx+0], al
		push	edx
		add	[edi+0], cl
		push	ebx
		add	[edi+0], cl
		inc	esi
		add	[eax+eax+5Ch], dl
		add	[edi+0], dl
		dec	ecx
		add	[esi+0], cl
		inc	esp
		add	[edi+0], cl
		push	edi
		add	[ebx+0], dl
		and	[eax], al
		dec	esi
		add	[eax+eax+5Ch], dl
		add	[ebx+0], al
		push	ebp
		add	[edx+0], dl
		push	edx
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+56h], dl
		add	[ebp+0], al
		push	edx
		add	[ebx+0], dl
		dec	ecx
		add	[edi+0], cl
		dec	esi
		add	[eax+eax+50h], bl
		add	[ebp+0], al
		push	edx
		add	[esi+0], al
		dec	esp
		add	[ecx+0], cl
		inc	edx
; 
		db 0
		align 8

??_C@_1O@PMDCHDHI@?$AAS?$AAe?$AAl?$AAe?$AAc?$AAt@LBKOJDO@: ; DATA XREF:	PAGE:00A3F63Co
		push	ebx
		add	[ebp+0], ah
		insb
		add	[ebp+0], ah
		arpl	[eax], ax
		jz	short $+2
; 
		dd 0
; 

??_C@_1CG@BCIBLINF@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAI?$AAD?$AAC?$AAo?$AAn?$AAf?$AAi@LBKOJDO@:
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+49h], bl
		add	[eax+eax+43h], al
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 440067h
		inc	edx
; 
		db 0
		align 10h

??_C@_1CE@JCFICPFJ@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AA?5?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@LBKOJDO@:
		dec	eax
		add	[ecx+0], ah
		jb	short $+2
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		jnb	short $+2
; 
		dw 0
; 

??_C@_1DE@DMMEKPDG@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AA?5?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@LBKOJDO@:
		dec	eax
		add	[ecx+0], ah
		jb	short $+2
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		jnb	short $+2
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1BA@LMMHLKFA@?$AAD?$AAE?$AAV?$AAI?$AAC?$AAE?$AAS@LBKOJDO@:
		inc	esp
		add	[ebp+0], al
		push	esi
		add	[ecx+0], cl
		inc	ebx
		add	[ebp+0], al
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_1BG@FIGGICF@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt@LBKOJDO@:
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+0], dh
; 
		db 3 dup(0)
; 

??_C@_1BG@IKDGODGJ@?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AAN?$AAT@LBKOJDO@:
		push	edi
		add	[ecx+0], ch
		outsb
		add	[eax+eax+6Fh], ah
		add	[edi+0], dh
		jnb	short $+2
		and	[eax], al
		dec	esi
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
; 

??_C@_1BO@KKBDLPJB@?$AAE?$AAd?$AAi?$AAt?$AAi?$AAo?$AAn?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@LBKOJDO@:
		inc	ebp
		add	[eax+eax+69h], ah
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[esi+0], dl
		add	gs:[edx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_1CG@DEEDFDNH@?$AAE?$AAd?$AAi?$AAt?$AAi?$AAo?$AAn?$AAB?$AAu?$AAi?$AAl?$AAd?$AAN?$AAu?$AAm@LBKOJDO@:
		inc	ebp
		add	[eax+eax+69h], ah
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[edx+0], al
		jnz	short $+2
		imul	eax, [eax], 64006Ch
		dec	esi
		add	[ebp+0], dh
		insd
		add	[edx+0], ah
		add	gs:[edx+0], dh
; 
		dd 0
; 

??_C@_1CA@CCLMDAHK@?$AAE?$AAd?$AAi?$AAt?$AAi?$AAo?$AAn?$AAB?$AAu?$AAi?$AAl?$AAd?$AAQ?$AAf?$AAe@LBKOJDO@:
		inc	ebp
		add	[eax+eax+69h], ah
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[edx+0], al
		jnz	short $+2
		imul	eax, [eax], 64006Ch
		push	ecx
		add	[esi+0], ah
		add	gs:[eax], al
		add	[ebp+0], al
		add	fs:[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		inc	edx
		add	[ebp+0], dh
		imul	eax, [eax], 64006Ch
		inc	edx
		add	[edx+0], dh
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		push	0
		add	[ebp+0], al
		add	fs:[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		inc	edx
		add	[ebp+0], dh
		imul	eax, [eax], 64006Ch
		dec	esp
		add	[ecx+0], ah
		bound	eax, [eax]
; 
		dw 0
; 

??_C@_1CE@DGEJOIOG@?$AAE?$AAd?$AAi?$AAt?$AAi?$AAo?$AAn?$AAB?$AAu?$AAi?$AAl?$AAd?$AAL?$AAa?$AAb@LBKOJDO@:
		inc	ebp
		add	[eax+eax+69h], ah
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[edx+0], al
		jnz	short $+2
		imul	eax, [eax], 64006Ch
		dec	esp
		add	[ecx+0], ah
		bound	eax, [eax]
		inc	ebp
		add	[eax+0], bh
; 
		dw 0
		align 10h
??_C@_1EC@CMHHICB@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAA?$AAp?$AAp@LBKOJDO@:
					; DATA XREF: PiLookupInDDB+7Bo
		unicode	0, <\SystemRoot\AppPatch\drvmain.sdb>,0
		align 8
??_C@_1EE@HOPNLEHB@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAA?$AAp?$AAp@LBKOJDO@:
					; DATA XREF: PiLookupInDDB+96o
		unicode	0, <\SystemRoot\AppPatch\drvpatch.sdb>,0
??_C@_11LOCGONAA@@LBKOJDO@ dd 0		; DATA XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+4D0o
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x)+5DAo ...
??_C@_19DJCNLLCE@?$AAn?$AAu?$AAl?$AAl@LBKOJDO@ dd offset loc_75006C+2
					; DATA XREF: PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x):loc_97707Bo
					; PiDevCfgLogDeviceConfigured(x,x,x,x,x,x,x,x):loc_977185o ...
aLl:
		unicode	0, <ll>,0
		align 4

??_C@_1BC@PBPPGPAN@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA3?$AA2@LBKOJDO@:
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
; 
		dd 0
; 

??_C@_1BK@DHFJHPDK@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2@LBKOJDO@:
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
; 
		db 0
		dd 0
; 

??_C@_1BG@JELGADA@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAf?$AAa?$AAc?$AAe?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A3FD6Co
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		db	66h
		add	[ecx+0], ah
		arpl	[eax], ax
		add	gs:[ebx+0], dh
; 
		dd 0
; 

??_C@_1BC@DHAHNLLM@?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A3FD2Co
					; PAGE:00A3FD64o
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		dd 0
; 

??_C@_1O@HAMLNBEA@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@LBKOJDO@: ; DATA XREF:	PAGE:off_A3FCC8o
					; PAGE:00A3FD5Co
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
; 
		dd 0
; 

??_C@_1O@GAOCKAOK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@LBKOJDO@: ; DATA XREF:	PAGE:00A3FCDCo
					; PAGE:off_A3FD54o
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
; 
		dd 0
; 

??_C@_17EIBGDPNK@?$AAW?$AAd?$AAf@LBKOJDO@: ; DATA XREF:	PAGE:00A3FD84o
		push	edi
		add	[eax+eax+66h], ah
; 
		db 3 dup(0)
; 

??_C@_1BA@DJLBFCNB@?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAs@LBKOJDO@: ; DATA	XREF: PAGE:00A3FD7Co
		inc	esi
		add	[ecx+0], ch
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BA@HICHNCPO@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@LBKOJDO@: ; DATA	XREF: PAGE:00A3FD74o
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BG@COALCEMK@?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAi?$AAe?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A3FD04o
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+0], dh
		add	gs:[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 730065h
; 
		dd 0
; 

??_C@_1BC@LDHKIAE@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A3FCF0o
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[eax], al
; 
		db 3 dup(0)
		align 10h

??_C@_1EK@INHJLCLA@?$AAe?$AA5?$AAb?$AA3?$AAb?$AA5?$AAa?$AAc?$AA?9?$AA9?$AA7?$AA2?$AA5?$AA?9?$AA4@LBKOJDO@:
					; DATA XREF: PAGE:00A3FDACo
		add	gs:33006200h, dh
		add	[edx+0], ah
		xor	eax, 63006100h
		add	ds:37003900h, ch
		add	[edx], dh
		add	ds:34002D00h, dh
		add	[esi+0], ah
		aaa
		add	[eax], bh
		add	ds:36003900h, ch
		add	[ebx], dh
		add	[esi+0], ah
		sub	eax, 33003000h
		add	[eax+eax+66h], ah
		add	[edx+0], ah
		xor	[eax], eax
		add	fs:[eax], bh
		add	[edx], dh
		add	[eax], bh
		add	[ebx+0], ah
		aaa
; 
		db 0
		dd 0
; 

??_C@_1CK@CHPJJMAE@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAr?$AAu?$AAp?$AAt?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg@LBKOJDO@:
					; DATA XREF: PAGE:00A3FD98o
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		jb	short $+2
		jnz	short $+2
		jo	short $+2
		jz	short $+2
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+0], dh
; 
		db 3 dup(0)
; 

??_C@_1BA@JGFNDEFA@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@LBKOJDO@: ; DATA	XREF: PAGE:00A3FD40o
					; PAGE:00A3FD50o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
; 
		db 3 dup(0)
; 

??_C@_1M@OAHBGIFG@?$AAC?$AAl?$AAa?$AAs?$AAs@LBKOJDO@: ;	DATA XREF: PAGE:00A3FD18o
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BG@BGOIMIN@?$AAS?$AAw?$AAi?$AAt?$AAc?$AAh?$AAC?$AAa?$AAs?$AAe@LBKOJDO@:
		push	ebx
		add	[edi+0], dh
		imul	eax, [eax], 630074h
		push	61004300h
		add	[ebx+0], dh
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BG@LOINBPFE@?$AAE?$AAx?$AAp?$AAr?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn@LBKOJDO@:
					; DATA XREF: PAGE:00A3FAF8o
		inc	ebp
		add	[eax+0], bh
		jo	short $+2
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_1BC@FOJGCCIG@?$AAC?$AAo?$AAn?$AAs?$AAt?$AAa?$AAn?$AAt@LBKOJDO@:
					; DATA XREF: PAGE:off_A3FAF0o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
		jz	short $+2
		popa
		add	[esi+0], ch
		jz	short $+2
; 
		dd 0
; 

??_C@_1BA@LHCPNPKP@?$AAK?$AAe?$AAy?$AAC?$AAo?$AAp?$AAy@LBKOJDO@:
		dec	ebx
		add	[ebp+0], ah
		jns	short $+2
		inc	ebx
		add	[edi+0], ch
		jo	short $+2
		jns	short $+2
; 
		dw 0
; 

??_C@_1BC@OFKPJBDN@?$AAK?$AAe?$AAy?$AAV?$AAa?$AAl?$AAu?$AAe@LBKOJDO@:
		dec	ebx
		add	[ebp+0], ah
		jns	short $+2
		push	esi
		add	[ecx+0], ah
		insb
		add	[ebp+0], dh
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BO@NEJJPNA@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAP?$AAr?$AAo?$AAp?$AAe?$AAr?$AAt?$AAy@LBKOJDO@:
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+0], dh
		add	gs:[edx+0], dh
		jz	short $+2
		jns	short $+2
; 
		dd 0
; 

??_C@_1BK@BKNEKKGL@?$AAF?$AAo?$AAr?$AAm?$AAa?$AAt?$AAS?$AAt?$AAr?$AAi?$AAn?$AAg@LBKOJDO@:
		inc	esi
		add	[edi+0], ch
		jb	short $+2
		insd
		add	[ecx+0], ah
		jz	short $+2
		push	ebx
		add	[eax+eax+72h], dh
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
; 
		dd 0
; 

??_C@_1M@GDFLIJGE@?$AAF?$AAa?$AAl?$AAs?$AAe@LBKOJDO@: ;	DATA XREF: PAGE:00A3FC8Co
		inc	esi
		add	[ecx+0], ah
		insb
		add	[ebx+0], dh
		add	gs:[eax], al

loc_A444E3:				; DATA XREF: PAGE:00A3FC80o
		add	[eax+eax+72h], dl
		add	[ebp+0], dh
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_19HGHALIPE@?$AAN?$AAu?$AAl?$AAl@LBKOJDO@:	; DATA XREF: PAGE:off_A3FC74o
		dec	esi
		add	[ebp+0], dh
		insb
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1BK@OKAADGIJ@?$AAG?$AAe?$AAn?$AAe?$AAr?$AAa?$AAt?$AAe?$AAG?$AAu?$AAi?$AAd@LBKOJDO@:
		inc	edi
		add	[ebp+0], ah
		outsb
		add	[ebp+0], ah
		jb	short $+2
		popa
		add	[eax+eax+65h], dh
		add	[edi+0], al
		jnz	short $+2
		imul	eax, [eax], 64h
; 
		dw 0
; 

??_C@_1M@CCCHEHOB@?$AAE?$AAm?$AAp?$AAt?$AAy@LBKOJDO@: ;	DATA XREF: PAGE:00A3FC98o
		inc	ebp
		add	[ebp+0], ch
		jo	short $+2
		jz	short $+2
		jns	short $+2
; 
		dw 0
; 

??_C@_13BBDEGPLJ@?$AA?$CK@LBKOJDO@:	; DATA XREF: PAGE:00A3FB58o
		sub	al, [eax]
; 
		dw 0
??_C@_13IMODFHAA@?$AA?9@LBKOJDO@ dd 2Dh	; DATA XREF: PAGE:00A3FB4Co
; 

??_C@_13KJIIAINM@?$AA?$CL@LBKOJDO@:	; DATA XREF: PAGE:00A3FB40o
		sub	eax, [eax]
; 
		dw 0
; 

??_C@_15GALJLHBD@?$AA?$DO?$AA?$DO@LBKOJDO@: ; DATA XREF: PAGE:00A3FB88o
		db	3Eh
		add	[esi], bh
; 
		db 0
		align 8

??_C@_15IHHINOJD@?$AA?$DM?$AA?$DM@LBKOJDO@: ; DATA XREF: PAGE:00A3FB7Co
		cmp	al, 0
		cmp	al, 0
; 
		dd 0
; 

??_C@_13EJFHHPOP@?$AA?$CF@LBKOJDO@:	; DATA XREF: PAGE:00A3FB70o
					; PAGE:00A3FB64o
		and	eax, 2F000000h
; 
		db 3 dup(0)
; 

??_C@_13FFFLPHEM@?$AA?$HO@LBKOJDO@:	; DATA XREF: PAGE:00A3FBB8o
		jle	short $+2
; 
		dw 0
; 

??_C@_13PFGJFIHC@?$AA?$FO@LBKOJDO@:	; DATA XREF: PAGE:00A3FBACo
		pop	esi
; 
		db 3 dup(0)
; 

??_C@_13PPFCDPMH@?$AA?$HM@LBKOJDO@:	; DATA XREF: PAGE:00A3FBA0o
		jl	short $+2
; 
		dw 0
; 

??_C@_13FLOCNAAB@?$AA?$CG@LBKOJDO@:	; DATA XREF: PAGE:00A3FB94o
		add	es:[eax], al
; 
		db 0
; 

??_C@_15PEJIGKFD@?$AA?$DN?$AA?$DN@LBKOJDO@: ; DATA XREF: PAGE:00A3FBE8o
		cmp	eax, 3D00h
; 
		db 3 dup(0)
; 

??_C@_15BDDEIMMC@?$AA?$HM?$AA?$HM@LBKOJDO@: ; DATA XREF: PAGE:00A3FBDCo
		jl	short $+2
		jl	short $+2
; 
		dd 0
; 

??_C@_15BKJBEIJF@?$AA?$CG?$AA?$CG@LBKOJDO@: ; DATA XREF: PAGE:00A3FBD0o
		add	es:[esi], ah
; 
		db 0
		align 10h

??_C@_13MGDFOILI@?$AA?$CB@LBKOJDO@:	; DATA XREF: PAGE:00A3FBC4o
		and	[eax], eax
; 
		dw 0
; 

??_C@_15DPMELJPG@?$AA?$DM?$AA?$DN@LBKOJDO@: ; DATA XREF: PAGE:00A3FC18o
		cmp	al, 0
		cmp	eax, 0

loc_A4457B:				; DATA XREF: PAGE:00A3FC0Co
		add	[esi], bh
; 
		db 3 dup(0)
; 

??_C@_13GEEGGHPK@?$AA?$DM@LBKOJDO@:	; DATA XREF: PAGE:00A3FC00o
		cmp	al, 0
; 
		dw 0
; 

??_C@_15IAIMKILD@?$AA?$CB?$AA?$DN@LBKOJDO@: ; DATA XREF: PAGE:00A3FBF4o
		and	[eax], eax
		cmp	eax, 0
; 
		db 0
; 

??_C@_15CKIFGADI@?$AA?$CB?$AA?$DP@LBKOJDO@: ; DATA XREF: PAGE:00A3FC48o
		and	[eax], eax
		aas
; 
		db 0
		dd 0
; 

??_C@_13HGPDMIBE@?$AA?$DP@LBKOJDO@:	; DATA XREF: PAGE:00A3FC3Co
		aas
; 
		db 3 dup(0)
; 

??_C@_15CEIHPDOB@?$AA?$DP?$AA?3@LBKOJDO@: ; DATA XREF: PAGE:00A3FC30o
		aas
		add	[edx], bh
; 
		db 0
		align 10h

??_C@_15HCAMBIPN@?$AA?$DO?$AA?$DN@LBKOJDO@: ; DATA XREF: PAGE:00A3FC24o
		db	3Eh
		add	large ds:0, bh
; 
		db 0
; 

??_C@_13PBOLBIIK@?$AA$@LBKOJDO@:	; DATA XREF: PAGE:00A3FC6Co
		and	al, 0
; 
		dw 0
; 

??_C@_13GMDMCADD@?$AA?$CD@LBKOJDO@:	; DATA XREF: PAGE:00A3FC60o
		and	eax, [eax]
; 
		dw 0
; 

??_C@_13EFKPHINO@?$AA?$EA@LBKOJDO@:	; DATA XREF: PAGE:00A3FC54o
		inc	eax
; 
		db 3 dup(0)
; 

??_C@_1BM@PNGDECLI@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAo?$AAr?$AAe?$AAs@LBKOJDO@:
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		push	ebx
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
		add	gs:[ebx+0], dh
; 
		dw 0
; 

??_C@_1BK@HCAHJHON@?$AA?$CF?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?$CF@LBKOJDO@:
		and	eax, 79005300h
		add	[ebx+0], dh
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+25h], dh
; 
		db 0
		dd 0
; 

??_C@_1BG@NKCPFBJK@?$AAD?$AAo?$AAs?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs@LBKOJDO@:
		inc	esp
		add	[edi+0], ch
		jnb	short $+2
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		dd 0
; 

??_C@_13FPGAJAPJ@?$AA?2@LBKOJDO@:
		pop	esp
; 
		db 3 dup(0)
; 

??_C@_1BO@DNPPELLB@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs@LBKOJDO@:
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1BM@BMFDFKIH@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs@LBKOJDO@:
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_1O@CHBCJGPP@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl@LBKOJDO@:
		inc	edi
		add	[eax+eax+6Fh], ch
		add	[edx+0], ah
		popa
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1BG@OFEBIDHK@?$AAG?$AAL?$AAO?$AAB?$AAA?$AAL?$AAR?$AAO?$AAO?$AAT@LBKOJDO@:
		inc	edi
		add	[eax+eax+4Fh], cl
		add	[edx+0], al
		inc	ecx
		add	[eax+eax+52h], cl
		add	[edi+0], cl
		dec	edi
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
; 

??_C@_1BC@NDEAODFP@?$AAG?$AAL?$AAO?$AAB?$AAA?$AAL?$AA?$DP?$AA?$DP@LBKOJDO@:
		inc	edi
		add	[eax+eax+4Fh], cl
		add	[edx+0], al
		inc	ecx
		add	[eax+eax+3Fh], cl
		add	[edi], bh
; 
		db 0
		align 10h

??_C@_1BE@LNIGIBEH@?$AA?2?$AAG?$AAL?$AAO?$AAB?$AAA?$AAL?$AA?$DP?$AA?$DP@LBKOJDO@:
		pop	esp
		add	[edi+0], al
		dec	esp
		add	[edi+0], cl
		inc	edx
		add	[ecx+0], al
		dec	esp
		add	[edi], bh
		add	[edi], bh
; 
		db 3 dup(0)
; 

??_C@_1BK@MIMGHMJJ@?$AA?2?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAT?$AAy?$AAp?$AAe?$AAs@LBKOJDO@:
		pop	esp
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		push	esp
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[ebx+0], dh
; 
		dd 0
; 

??_C@_1BI@NFNOIPLC@?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAT?$AAy?$AAp?$AAe?$AAs@LBKOJDO@:
		dec	edi
		add	[edx+0], ah
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		push	esp
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[ebx+0], dh
; 
		dw 0
; 

??_C@_1BE@MLPDMAIF@?$AAA?$AAp?$AAp?$AAL?$AAa?$AAu?$AAn?$AAc?$AAh@LBKOJDO@:
					; DATA XREF: PAGEDATA:_PfSnAppLaunchScenarioTypePrefixo
					; PfSnParametersSetDefaults(x)+C2o
		inc	ecx
		add	[eax+0], dh
		jo	short $+2
		dec	esp
		add	[ecx+0], ah
		jnz	short $+2
		outsb
		add	[ebx+0], ah
; 
		dd 68h
; 

??_C@_1BC@CJPNELAP@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAi?$AAt?$AAy@LBKOJDO@:
					; DATA XREF: PAGEDATA:_PfSnActivityScenarioTypePrefixo
					; PfSnParametersSetDefaults(x)+3Do
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 690076h ; CODE XREF: PAGE:00A44715j
		jz	short $+2
		jns	short $+2
; 
		dd 0
; 

_GUID_DEVICE_FAN:			; DATA XREF: PoInitDriverServices()+92o
		cmp	eax, 0DA05ECD1h
		sub	dword ptr [edx], 524C8A4Ah
		dec	edi
		and	ebx, ebp
		dec	ebp
		leave

_GUID_DEVICE_ACPI_TIME:			; DATA XREF: PoInitDriverServices()+76o
		neg	byte ptr [ebx+449797F9h]
		sbb	[edi-45h], cl
		and	cl, [ebx-61h]
		mov	dl, 0FBh
		out	dx, eax
		pushf

_GUID_DEVICE_BATTERY:			; DATA XREF: PoInitDriverServices()+3Eo
		push	esp
		push	ds
		arpl	[edx-5Ch], si
		js	short near ptr loc_A446E2+5
		adc	[edi+esi*8-48FF5600h], edi
		mov	bl, 2Ah

_GUID_DEVICE_THERMAL_ZONE:		; DATA XREF: PoInitDriverServices()+1Do
		push	ecx
		cmp	eax, 74A74AFAh
		rcl	byte ptr [ecx],	1
		mov	esi, 0C9A0005Eh
		push	es

loc_A4472E:				; DATA XREF: PnprIsProcessorDevice(x,x,x,x)+24o
		sub	[edi+10h], dl
; 
		db 0DBh, 0FAh, 97h
		dd 40AE4E33h, 0EF8B9C35h, 0D0BD9D02h
; 

_GUID_DEVICE_MEMORY:			; DATA XREF: PnprIsMemoryDevice(x,x)+29o
					; PoInitDriverServices()+5Ao
		cmp	eax, 0E03FD0F0h
		xchg	eax, edx
		sti
		inc	ebp
		mov	bh, 5Ch
		pop	esi
		fdivr	st, st(7)
		mov	al, 10h

loc_A4474F:				; DATA XREF: PnprIsProcessorDevice(x,x,x,x)+51o
		and	ds:0AF5724C8h, ebx
		aad	1Fh
		dec	esp
		mov	eax, ds:286EA003h
		repne add al, 0C6h
		add	[eax], eax
; 
		dw 0
; 

??_C@_1BC@PIAIECI@?$AAP?$AAO?$AAS?$AAT?$AAT?$AAi?$AAm?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A4029Co
		push	eax
		add	[edi+0], cl
		push	ebx
		add	[eax+eax+54h], dl
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dd 0
; 

??_C@_1CE@OECHCOIM@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAB?$AAo?$AAo?$AAt?$AAM?$AAg?$AAr?$AAT?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:00A402A8o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+4Dh], dh
		add	[edi+0], ah
		jb	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1BM@MAAMFBPC@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAA?$AAp?$AAp?$AAT?$AAi?$AAm?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A402B4o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		inc	ecx
		add	[eax+0], dh
		jo	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1DA@ONJDJLGG@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAA?$AAp?$AAp?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT@LBKOJDO@:
					; DATA XREF: PAGE:00A402C0o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		inc	ecx
		add	[eax+0], dh
		jo	short $+2
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		popa
		add	[ebp+0], ch
		jo	short $+2
; 
		dw 0
; 

??_C@_1CA@IBPMIPHC@?$AAT?$AAo?$AAt?$AAa?$AAl?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAT?$AAi?$AAm?$AAe@LBKOJDO@:
		push	esp
		add	[edi+0], ch
		jz	short $+2
		popa
		add	[eax+eax+52h], ch
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1BK@IHGDOJJ@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAI?$AAo?$AAT?$AAi?$AAm?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A402FCo
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		dec	ecx
		add	[edi+0], ch
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dd 0
; 

??_C@_1CK@POAIHJCH@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAD?$AAe?$AAc?$AAo?$AAm?$AAp?$AAr?$AAe?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A40308o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		inc	esp
		add	[ebp+0], ah
		arpl	[eax], ax
		outsd
		add	[ebp+0], ch
		jo	short $+2
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dd 0
; 

??_C@_1BM@JMJDFPCA@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAM?$AAa?$AAp?$AAT?$AAi?$AAm?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40314o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		dec	ebp
		add	[ecx+0], ah
		jo	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1CA@MFBHDPIB@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAU?$AAn?$AAm?$AAa?$AAp?$AAT?$AAi?$AAm?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40320o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		push	ebp
		add	[esi+0], ch
		insd
		add	[ecx+0], ah
		jo	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1CM@LGBJGKNF@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAL?$AAi?$AAb?$AAr?$AAa?$AAr?$AAy?$AAI?$AAn@LBKOJDO@:
					; DATA XREF: PAGE:00A402CCo
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		dec	esp
		add	[ecx+0], ch
		bound	eax, [eax]
		jb	short $+2
		popa
		add	[edx+0], dh
		jns	short $+2
		dec	ecx
		add	[esi+0], ch
		imul	eax, [eax], 540074h
		imul	eax, [eax], 65006Dh
; 
		dw 0
; 

??_C@_1BO@MCCLNOJC@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAI?$AAn?$AAi?$AAt?$AAT?$AAi?$AAm?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A402D8o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		dec	ecx
		add	[esi+0], ch
		imul	eax, [eax], 540074h
		imul	eax, [eax], 65006Dh
; 
		dd 0
; 

??_C@_1CI@DDAGPALP@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A402E4o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1EC@GLBPNMMI@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAR?$AAe?$AAs?$AAt?$AAo?$AAr?$AAe?$AAI?$AAm@LBKOJDO@:
					; DATA XREF: PAGE:00A402F0o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[ecx+0], cl
		insd
		add	[ecx+0], ah
		add	[di+0],	ah
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		popa
		add	[ebp+0], ch
		jo	short $+2
; 
		dd 0
; 

??_C@_1DE@MGNHFHJ@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAe?$AAr?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd?$AAE?$AAn@LBKOJDO@:
					; DATA XREF: PAGE:00A4035Co
		push	ebx
		add	[eax+eax+65h], ch
		add	[ebp+0], ah
		jo	short $+2
		add	gs:[edx+0], dh
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ecx+0], ah
		add	fs:[ebp+0], al
		outsb
		add	[eax+eax+54h], ah
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		popa
		add	[ebp+0], ch
		jo	short $+2
; 
		dw 0
; 

??_C@_1DK@LNAMNHGF@?$AAT?$AAi?$AAm?$AAe?$AAS?$AAt?$AAa?$AAm?$AAp?$AAC?$AAo?$AAu?$AAn?$AAt?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40368o
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		push	ebx
		add	[eax+eax+61h], dh
		add	[ebp+0], ch
		jo	short $+2
		inc	ebx
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		inc	ecx
		add	[eax+eax+53h], dh
		add	[edi+0], dh
		imul	eax, [eax], 630074h
		push	69005400h
		add	[ebp+0], ch
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1DK@IHCDHLKC@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAR?$AAe?$AAt?$AAu?$AAr?$AAn?$AAS?$AAy?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A40374o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[edx+0], dl
		add	gs:[eax+eax+75h], dh
		add	[edx+0], dh
		outsb
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+65h], dh
; 
		db 0
		align 10h

??_C@_1CG@BLKNBNAE@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe?$AAT@LBKOJDO@:
					; DATA XREF: PAGE:00A40380o
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dd 0
; 

??_C@_1CI@KMDLLIHP@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAU?$AAs?$AAe?$AAr?$AAI?$AAn?$AAO?$AAu?$AAt@LBKOJDO@:
					; DATA XREF: PAGE:00A4032Co
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		push	ebp
		add	[ebx+0], dh
		add	gs:[edx+0], dh
		dec	ecx
		add	[esi+0], ch
		dec	edi
		add	[ebp+0], dh
		jz	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1CG@JDDNJHMM@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAe?$AAT@LBKOJDO@:
					; DATA XREF: PAGE:00A40338o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[edi+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+65h], dh
		add	[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1DI@BKDGJOEP@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAS?$AAw?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:00A40344o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[ebx+0], dl
		ja	short $+2
		imul	eax, [eax], 630074h
		push	69005400h
		add	[ebp+0], ch
		add	gs:[ebx+0], dh
		jz	short $+2
		popa
		add	[ebp+0], ch
		jo	short $+2
; 
		dw 0
; 

??_C@_1EC@NPLJOAHD@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAR?$AAe?$AAt?$AAu?$AAr?$AAn?$AAF?$AAr?$AAo@LBKOJDO@:
					; DATA XREF: PAGE:00A40350o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[edx+0], dl
		add	gs:[eax+eax+75h], dh
		add	[edx+0], dh
		outsb
		add	[esi+0], al
		jb	short $+2
		outsd
		add	[ebp+0], ch
		dec	eax
		add	[ecx+0], ah
		outsb
		add	[eax+eax+6Ch], ah
		add	[ebp+0], ah
		jb	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		popa
		add	[ebp+0], ch
		jo	short $+2
; 
		dd 0
; 

??_C@_1CK@CIKBCBAO@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAI?$AAn?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:00A403BCo
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[edx+0], dl
		add	gs:[ebx+0], dh
		jnz	short $+2
		insd
		add	[ebp+0], ah
		dec	ecx
		add	[esi+0], ch
		imul	eax, [eax], 540074h
		imul	eax, [eax], 65006Dh
; 
		dd 0
; 

??_C@_1DK@EFLINPH@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAS?$AAh?$AAa@LBKOJDO@:
					; DATA XREF: PAGE:00A403C8o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[edx+0], dl
		add	gs:[ebx+0], dh
		jnz	short $+2
		insd
		add	[ebp+0], ah
		push	ebx
		add	[eax+0], ch
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+42h], ah
		add	[ebp+0], dh
		db	66h
		add	[esi+0], ah
		add	gs:[edx+0], dh
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dd 0
; 

??_C@_1CC@CIGNMBJM@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAT?$AAi?$AAm@LBKOJDO@:
					; DATA XREF: PAGE:00A403D4o
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dd 0
; 

??_C@_1CI@ENDKNON@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAA?$AAn?$AAi?$AAm?$AAa?$AAt?$AAi?$AAo?$AAn@LBKOJDO@:
					; DATA XREF: PAGE:00A403E0o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[ecx+0], al
		outsb
		add	[ecx+0], ch
		insd
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1BM@HCECIHOD@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAI?$AAn?$AAi?$AAt?$AAT?$AAi?$AAm?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A4038Co
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		dec	ecx
		add	[esi+0], ch
		imul	eax, [eax], 540074h
		imul	eax, [eax], 65006Dh
; 
		dw 0
; 

??_C@_1CM@MMAPKBEN@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAS?$AAh?$AAa?$AAr?$AAe?$AAd?$AAB?$AAu?$AAf?$AAf@LBKOJDO@:
					; DATA XREF: PAGE:00A40398o
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		push	ebx
		add	[eax+0], ch
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+42h], ah
		add	[ebp+0], dh
		db	66h
		add	[esi+0], ah
		add	gs:[edx+0], dh
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1CG@KJAIDIGP@?$AAT?$AAo?$AAt?$AAa?$AAl?$AAH?$AAi?$AAb?$AAe?$AAr?$AAn?$AAa?$AAt?$AAe?$AAT@LBKOJDO@:
					; DATA XREF: PAGE:00A403A4o
		push	esp
		add	[edi+0], ch
		jz	short $+2
		popa
		add	[eax+eax+48h], ch
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		outsb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1DE@MEPFPENI@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAH?$AAi?$AAb@LBKOJDO@:
					; DATA XREF: PAGE:00A403B0o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[edx+0], dl
		add	gs:[ebx+0], dh
		jnz	short $+2
		insd
		add	[ebp+0], ah
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1BO@EBKJMBFK@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAW?$AAr?$AAi?$AAt?$AAe?$AAR?$AAa?$AAt?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A4041Co
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		push	edi
		add	[edx+0], dh
		imul	eax, [eax], 650074h
		push	edx
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CE@NFJJNNKA@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAC?$AAo?$AAm?$AAp?$AAr?$AAe?$AAs?$AAs?$AAR?$AAa@LBKOJDO@:
					; DATA XREF: PAGE:00A40428o
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		push	edx
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1BO@IOOHBBDC@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAR?$AAe?$AAa?$AAd?$AAR?$AAa?$AAt?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40434o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		push	edx
		add	[ebp+0], ah
		popa
		add	[eax+eax+52h], ah
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CK@ECKEBIG@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAD?$AAe?$AAc?$AAo?$AAm?$AAp?$AAr?$AAe?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A40440o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		inc	esp
		add	[ebp+0], ah
		arpl	[eax], ax
		outsd
		add	[ebp+0], ch
		jo	short $+2
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		push	edx
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CK@GLCKBBJM@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAP?$AAa?$AAg?$AAe?$AAs?$AAP?$AAr?$AAo?$AAc@LBKOJDO@:
					; DATA XREF: PAGE:00A403ECo
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[eax+0], dl
		popa
		add	[edi+0], ah
		add	gs:[ebx+0], dh
		push	eax
		add	[edx+0], dh
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		add	gs:[eax+eax+0],	ah
; 
		db 3 dup(0)
; 

??_C@_1CG@HJMGCOCM@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAP?$AAa?$AAg?$AAe?$AAs?$AAW?$AAr?$AAi?$AAt@LBKOJDO@:
					; DATA XREF: PAGE:00A403F8o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[eax+0], dl
		popa
		add	[edi+0], ah
		add	gs:[ebx+0], dh
		push	edi
		add	[edx+0], dh
		imul	eax, [eax], 740074h
		add	gs:[esi+0], ch
; 
		dd 0
; 

??_C@_1CG@JKDNNLLE@?$AAB?$AAo?$AAo?$AAt?$AAP?$AAa?$AAg?$AAe?$AAs?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A40404o
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+50h], dh
		add	[ecx+0], ah
		add	[di+0],	ah
		jnb	short $+2
		push	eax
		add	[edx+0], dh
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		add	gs:[eax+eax+0],	ah
; 
		db 3 dup(0)
; 

??_C@_1CC@KPOMOBFM@?$AAB?$AAo?$AAo?$AAt?$AAP?$AAa?$AAg?$AAe?$AAs?$AAW?$AAr?$AAi?$AAt?$AAt?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40410o
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+50h], dh
		add	[ecx+0], ah
		add	[di+0],	ah
		jnb	short $+2
		push	edi
		add	[edx+0], dh
		imul	eax, [eax], 740074h
		add	gs:[esi+0], ch
; 
		dd 0
; 

??_C@_1CE@JGHCHEEC@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAC?$AAh?$AAe?$AAc?$AAk?$AAs?$AAu?$AAm?$AAT?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:00A4047Co
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		inc	ebx
		add	[eax+0], ch
		add	gs:[ebx+0], ah
		imul	eax, [eax], 73h
		add	[ebp+0], dh
		insd
		add	[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CI@CDCODDOA@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAC?$AAh?$AAe?$AAc?$AAk?$AAs?$AAu?$AAm?$AAI?$AAo@LBKOJDO@:
					; DATA XREF: PAGE:00A40488o
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		inc	ebx
		add	[eax+0], ch
		add	gs:[ebx+0], ah
		imul	eax, [eax], 73h
		add	[ebp+0], dh
		insd
		add	[ecx+0], cl
		outsd
		add	[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[eax], al

loc_A44DB7:				; DATA XREF: PAGE:00A40494o
		add	[edx+0], dl
		add	gs:[ebx+0], dh
		jnz	short $+2
		insd
		add	[ebp+0], ah
		inc	ebx
		add	[eax+0], ch
		add	gs:[ebx+0], ah
		imul	eax, [eax], 73h
		add	[ebp+0], dh
		insd
		add	[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CK@PKKEPCPN@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAC?$AAh?$AAe?$AAc?$AAk?$AAs?$AAu?$AAm?$AAI@LBKOJDO@:
					; DATA XREF: PAGE:00A404A0o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		inc	ebx
		add	[eax+0], ch
		add	gs:[ebx+0], ah
		imul	eax, [eax], 73h
		add	[ebp+0], dh
		insd
		add	[ecx+0], cl
		outsd
		add	[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BC@MMNDNCML@?$AAF?$AAi?$AAl?$AAe?$AAR?$AAu?$AAn?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A4044Co
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		push	edx
		add	[ebp+0], dh
		outsb
		add	[ebx+0], dh
; 
		dd 0
; 

??_C@_1DC@FMDNKEGG@?$AAN?$AAo?$AAM?$AAu?$AAl?$AAt?$AAi?$AAS?$AAt?$AAa?$AAg?$AAe?$AAR?$AAe?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A40458o
		dec	esi
		add	[edi+0], ch
		dec	ebp
		add	[ebp+0], dh
		insb
		add	[eax+eax+69h], dh
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[edi+0], ah
		add	gs:[edx+0], dl
		add	gs:[ebx+0], dh
		jnz	short $+2
		insd
		add	[ebp+0], ah
		push	edx
		add	[ebp+0], ah
		popa
		add	[ebx+0], dh
		outsd
		add	[esi+0], ch
; 
		dd 0
; 

??_C@_1BK@BGJMKJDB@?$AAM?$AAa?$AAx?$AAH?$AAu?$AAf?$AAf?$AAR?$AAa?$AAt?$AAi?$AAo@LBKOJDO@:
					; DATA XREF: PAGE:00A40464o
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		dec	eax
		add	[ebp+0], dh
		db	66h
		add	[esi+0], ah
		push	edx
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6Fh
; 
		dw 0
; 

??_C@_1CK@HEELHFJJ@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAe?$AAP?$AAa?$AAg?$AAe?$AAs?$AAP?$AAr?$AAo?$AAc@LBKOJDO@:
					; DATA XREF: PAGE:00A40470o
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		jnz	short $+2
		jb	short $+2
		add	gs:[eax+0], dl
		popa
		add	[edi+0], ah
		add	gs:[ebx+0], dh
		push	eax
		add	[edx+0], dh
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		add	gs:[eax+eax+0],	ah
; 
		db 3 dup(0)
; 

??_C@_1CK@PHNLGGBD@?$AAB?$AAr?$AAo?$AAk?$AAe?$AAr?$AAI?$AAn?$AAf?$AAr?$AAa?$AAs?$AAt?$AAr?$AAu@LBKOJDO@:
		inc	edx
		add	[edx+0], dh
		outsd
		add	[ebx+0], ch
		add	gs:[edx+0], dh
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[edx+0], dh
		popa
		add	[ebx+0], dh
		jz	short $+2
		jb	short $+2
		jnz	short $+2
		arpl	[eax], ax
		jz	short $+2
		jnz	short $+2
		jb	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BM@DHPHEIAH@?$AAT?$AAi?$AAm?$AAe?$AAB?$AAr?$AAo?$AAk?$AAe?$AAr?$AAS?$AAv?$AAc@LBKOJDO@:
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		inc	edx
		add	[edx+0], dh
		outsd
		add	[ebx+0], ch
		add	gs:[edx+0], dh
		push	ebx
		add	[esi+0], dh
		arpl	[eax], ax
; 
		dw 0
; 

??_C@_1M@ECPLPFMC@?$AAL?$AAf?$AAS?$AAv?$AAc@LBKOJDO@:
		dec	esp
		add	[esi+0], ah
		push	ebx
		add	[esi+0], dh
		arpl	[eax], ax
; 
		dw 0
; 

??_C@_1BC@KDGIHOMP@?$AAW?$AAi?$AAn?$AAL?$AAo?$AAg?$AAo?$AAn@LBKOJDO@:
		push	edi
		add	[ecx+0], ch
		outsb
		add	[eax+eax+6Fh], cl
		add	[edi+0], ah
		outsd
		add	[esi+0], ch
; 
		dd 0
; 

??_C@_1CG@NHBOODHH@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAC?$AAh?$AAe?$AAc?$AAk?$AAs?$AAu?$AAm?$AAT@LBKOJDO@:
					; DATA XREF: PAGE:00A404ACo
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[ebx+0], al
		push	63006500h
		add	[ebx+0], ch
		jnb	short $+2
		jnz	short $+2
		insd
		add	[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CK@NEBEMAKL@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAC?$AAh?$AAe?$AAc?$AAk?$AAs?$AAu?$AAm?$AAI@LBKOJDO@:
					; DATA XREF: PAGE:00A404B8o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[ebx+0], al
		push	63006500h
		add	[ebx+0], ch
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ecx+0], cl
		outsd
		add	[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BA@LEPJIIOK@?$AAU?$AAn?$AAk?$AAn?$AAo?$AAw?$AAn@LBKOJDO@:
		push	ebp
		add	[esi+0], ch
		imul	eax, [eax], 6Eh
		add	[edi+0], ch
		ja	short $+2
		outsb
; 
		db 3 dup(0)
; 

??_C@_1BO@DEMOBFFB@?$AAT?$AAe?$AAs?$AAt?$AAI?$AAd?$AAe?$AAn?$AAt?$AAi?$AAf?$AAi?$AAe?$AAr@LBKOJDO@:
		push	esp
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		dec	ecx
		add	[eax+eax+65h], ah
		add	[esi+0], ch
		jz	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
; 
		dd 0
; 

??_C@_1O@MHJJMELH@?$AAB?$AAu?$AAt?$AAt?$AAo?$AAn@LBKOJDO@:
		inc	edx
		add	[ebp+0], dh
		jz	short $+2
		jz	short $+2
		outsd
		add	[esi+0], ch
; 
		dd 0
; 

??_C@_1BE@IKDNLNBB@?$AAM?$AAs?$AAG?$AAp?$AAi?$AAo?$AAC?$AAl?$AAx@LBKOJDO@:
		dec	ebp
		add	[ebx+0], dh
		inc	edi
		add	[eax+0], dh
		imul	eax, [eax], 43006Fh
		insb
		add	[eax+0], bh
; 
		dw 0
; 

??_C@_1CA@KDGNPNGE@?$AAB?$AAu?$AAt?$AAt?$AAo?$AAn?$AAC?$AAo?$AAn?$AAv?$AAe?$AAr?$AAt?$AAe?$AAr@LBKOJDO@:
		inc	edx
		add	[ebp+0], dh
		jz	short $+2
		jz	short $+2
		outsd
		add	[esi+0], ch
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jz	short $+2
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1BI@MJIJBPHL@?$AAM?$AAs?$AAG?$AAp?$AAi?$AAo?$AAW?$AAi?$AAn?$AA3?$AA2@LBKOJDO@:
		dec	ebp
		add	[ebx+0], dh
		inc	edi
		add	[eax+0], dh
		imul	eax, [eax], 57006Fh
		imul	eax, [eax], 33006Eh
		xor	al, [eax]
; 
		dw 0
; 

??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@LBKOJDO@:
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1BM@ONEBALJK@?$AAS?$AAe?$AAn?$AAs?$AAo?$AAr?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe@LBKOJDO@:
		push	ebx
		add	[ebp+0], ah
		outsb
		add	[ebx+0], dh
		outsd
		add	[edx+0], dh
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		imul	eax, [eax], 650063h
; 
		dw 0
; 

??_C@_1O@OONCLIOO@?$AAN?$AAt?$AAo?$AAs?$AAP?$AAo@LBKOJDO@:
		dec	esi
		add	[eax+eax+6Fh], dh
		add	[ebx+0], dh
		push	eax
		add	[edi+0], ch
; 
		dd 0
; 

??_C@_19HOGFOJAH@?$AAA?$AAc?$AAp?$AAi@LBKOJDO@:
		inc	ecx
		add	[ebx+0], ah
		jo	short $+2
		imul	eax, [eax], 0

??_C@_1CG@DOEHDPBP@?$AAS?$AAp?$AAu?$AAr?$AAi?$AAo?$AAu?$AAs?$AA?5?$AAI?$AAn?$AAt?$AAe?$AAr?$AAr@LBKOJDO@:
		push	ebx
		add	[eax+0], dh
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 75006Fh
		jnb	short $+2
		and	[eax], al
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		jb	short $+2
		jnz	short $+2
		jo	short $+2
		jz	short $+2
; 
		dd 0
; 

??_C@_1BM@HBGOLJP@?$AAQ?$AAu?$AAe?$AAr?$AAy?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAu?$AAr?$AAe@LBKOJDO@:
		push	ecx
		add	[ebp+0], dh
		add	gs:[edx+0], dh
		jns	short $+2
		and	[eax], al
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 75006Ch
		jb	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CG@EKLCEIFL@?$AAA?$AAc?$AAc?$AAo?$AAu?$AAn?$AAt?$AAi?$AAn?$AAg?$AA?5?$AAF?$AAa?$AAi?$AAl@LBKOJDO@:
		inc	ecx
		add	[ebx+0], ah
		arpl	[eax], ax
		outsd
		add	[ebp+0], dh
		outsb
		add	[eax+eax+69h], dh
		add	[esi+0], ch
		add	[bx+si], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], dh
		jb	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CC@NBDOBLDP@?$AAK?$AAN?$AAe?$AAt?$AAP?$AAw?$AAr?$AAD?$AAe?$AAp?$AAB?$AAr?$AAo?$AAk?$AAe@LBKOJDO@:
		dec	ebx
		add	[esi+0], cl
		add	gs:[eax+eax+50h], dh
		add	[edi+0], dh
		jb	short $+2
		inc	esp
		add	[ebp+0], ah
		jo	short $+2
		inc	edx
		add	[edx+0], dh
		outsd
		add	[ebx+0], ch
		add	gs:[edx+0], dh
; 
		dd 0
; 

??_C@_1O@BINMDFIA@?$AAC?$AAm?$AAb?$AAa?$AAt?$AAt@LBKOJDO@:
		inc	ebx
		add	[ebp+0], ch
		bound	eax, [eax]
		popa
		add	[eax+eax+74h], dh
; 
		db 0
		align 8
??_C@_1BM@KEFGLAAA@?$AAS?$AAp?$AAu?$AAr?$AAi?$AAo?$AAu?$AAs?$AA?5?$AAW?$AAa?$AAk?$AAe@LBKOJDO@ dd offset unk_700053
					; DATA XREF: PAGE:loc_A400B1w
aUriousWake:
		unicode	0, <urious Wake>,0
; 

??_C@_1BO@IPLFNHAM@?$AAS?$AAp?$AAu?$AAr?$AAi?$AAo?$AAu?$AAs?$AA?5?$AAC?$AAl?$AAo?$AAc?$AAk@LBKOJDO@:
		push	ebx
		add	[eax+0], dh
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 75006Fh
		jnb	short $+2
		and	[eax], al
		inc	ebx
		add	[eax+eax+6Fh], ch
		add	[ebx+0], ah
		imul	eax, [eax], 0
; 
		db 3 dup(0)
; 

??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:00A404DCo
					; PAGE:00A404E8o ...
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
; 
		db 0
		dd 2 dup(0)
; 

??_C@_1EK@PPHFGMFH@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAC?$AAp@LBKOJDO@:
					; DATA XREF: PAGE:00A40504o
		inc	esp
		add	[ecx+0], bh
		outsb
		add	[ecx+0], ah
		insd
		add	[ecx+0], ch
		arpl	[eax], ax
		dec	eax
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[edx+0], dh
		outsd
		add	[ebx+0], al
		jo	short $+2
		jnz	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
		dec	ecx
		add	[ebp+0], ch
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		popa
		add	[esi+0], ch
		jz	short $+2
		push	ebx
		add	[eax+0], ch
		outsd
		add	[edx+0], dh
		jz	short $+2
; 
		dd 2 dup(0)
; 

??_C@_1FA@HJGJFDCC@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAC?$AAp@LBKOJDO@:
					; DATA XREF: PAGE:00A40510o
		inc	esp
		add	[ecx+0], bh
		outsb
		add	[ecx+0], ah
		insd
		add	[ecx+0], ch
		arpl	[eax], ax
		dec	eax
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[edx+0], dh
		outsd
		add	[ebx+0], al
		jo	short $+2
		jnz	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
		dec	ecx
		add	[ebp+0], ch
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		popa
		add	[esi+0], ch
		jz	short $+2
		push	eax
		add	[edx+0], dh
		imul	eax, [eax], 72006Fh
		imul	eax, [eax], 790074h
; 
		dw 0
; 

??_C@_1EM@DEKBLBMJ@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAC?$AAp@LBKOJDO@:
					; DATA XREF: PAGE:00A4051Co
		inc	esp
		add	[ecx+0], bh
		outsb
		add	[ecx+0], ah
		insd
		add	[ecx+0], ch
		arpl	[eax], ax
		dec	eax
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[edx+0], dh
		outsd
		add	[ebx+0], al
		jo	short $+2
		jnz	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
		inc	ebp
		add	[eax+0], bh
		jo	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		add	gs:[eax+eax+52h], ah
		add	[ebp+0], dh
		outsb
		add	[eax+eax+69h], dh
		add	[ebp+0], ch
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CO@KKJDNLAA@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAC?$AAp@LBKOJDO@:
		inc	esp
		add	[ebp+0], ah
		db	66h
		add	[ecx+0], ah
		jnz	short $+2
		insb
		add	[eax+eax+48h], dh
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[edx+0], dh
		outsd
		add	[ebx+0], al
		jo	short $+2
		jnz	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dd 0
; 

??_C@_1DM@PFNDMIG@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAH@LBKOJDO@:
					; DATA XREF: PAGE:00A404E0o
		inc	esp
		add	[ebp+0], ah
		db	66h
		add	[ecx+0], ah
		jnz	short $+2
		insb
		add	[eax+eax+44h], dh
		add	[ecx+0], bh
		outsb
		add	[ecx+0], ah
		insd
		add	[ecx+0], ch
		arpl	[eax], ax
		dec	eax
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[edx+0], dh
		outsd
		add	[ebx+0], al
		jo	short $+2
		jnz	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dw 0
; 

??_C@_1DG@NDCFNKJL@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAC?$AAp@LBKOJDO@:
					; DATA XREF: PAGE:00A404ECo
		inc	esp
		add	[ecx+0], bh
		outsb
		add	[ecx+0], ah
		insd
		add	[ecx+0], ch
		arpl	[eax], ax
		dec	eax
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[edx+0], dh
		outsd
		add	[ebx+0], al
		jo	short $+2
		jnz	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
		dec	ebp
		add	[ecx+0], ah
		jnb	short $+2
		imul	eax, [eax], 0
; 
		db 3 dup(0)
; 

??_C@_1EA@MJOKHKE@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAC?$AAp@LBKOJDO@:
					; DATA XREF: PAGE:00A404F8o
		inc	esp
		add	[ecx+0], bh
		outsb
		add	[ecx+0], ah
		insd
		add	[ecx+0], ch
		arpl	[eax], ax
		dec	eax
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[edx+0], dh
		outsd
		add	[ebx+0], al
		jo	short $+2
		jnz	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
		dec	ecx
		add	[ebp+0], ch
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		popa
		add	[esi+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1BK@NFBPFMLB@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAD?$AAr?$AAi?$AAv?$AAe?$AA?$DN@LBKOJDO@:
					; DATA XREF: PAGE:off_A40540o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		cmp	eax, 0
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+3Dh], dh
; 
		db 3 dup(0)
; 

??_C@_1DO@PDFEEOKF@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@LBKOJDO@:
					; DATA XREF: PAGEDATA:00A93BB4o
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		pop	esp
		add	[esi+0], ch
		jz	short $+2
		add	fs:[eax+eax+6Ch], ch
		add	[esi], ch
		add	[eax+eax+6Ch], ah
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1BE@GJOFHIHD@?$AAn?$AAt?$AAd?$AAl?$AAl?$AA?4?$AAd?$AAl?$AAl@LBKOJDO@:
					; DATA XREF: PAGEDATA:00A93BBCo
		outsb
		add	[eax+eax+64h], dh
		add	[eax+eax+6Ch], ch
		add	[esi], ch
		add	[eax+eax+6Ch], ah
		add	[eax+eax+0], ch
; 
		db 0
; 

??_C@_1BE@JPDJANBF@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA3?$AA2@LBKOJDO@:
					; DATA XREF: PAGE:off_A40548o
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
; 
		dw 0
; 

??_C@_1M@EIIIDOPD@?$AAP?$AAa?$AAt?$AAh?$AA?$DN@LBKOJDO@: ; DATA	XREF: PAGE:off_A40538o
		push	eax
		add	[ecx+0], ah
		jz	short $+2
		push	3D00h
; 
		db 0
; 

??_C@_1BG@HOMFIHAA@?$AAP?$AAs?$AAH?$AAo?$AAs?$AAt?$AAS?$AAi?$AAl?$AAo@LBKOJDO@:
					; DATA XREF: PAGE:00A40570o
		push	eax
		add	[ebx+0], dh
		dec	eax
		add	[edi+0], ch
		jnb	short $+2
		jz	short $+2
		push	ebx
		add	[ecx+0], ch
		insb
		add	[edi+0], ch
; 
		dd 0
; 

??_C@_1BG@KEFMGHOI@?$AA?2?$AAG?$AAL?$AAO?$AAB?$AAA?$AAL?$AA?$DP?$AA?$DP?$AA?2@LBKOJDO@:
		pop	esp
		add	[edi+0], al
		dec	esp
		add	[edi+0], cl
		inc	edx
		add	[ecx+0], al
		dec	esp
		add	[edi], bh
		add	[edi], bh
		add	[eax+eax+0], bl
; 
		db 3 dup(0)
; 

??_C@_1CE@NAICKCLE@?$AAN?$AAo?$AAn?$AAP?$AAa?$AAg?$AAe?$AAd?$AAP?$AAo?$AAo?$AAl?$AAQ?$AAu?$AAo@LBKOJDO@:
		dec	esi
		add	[edi+0], ch
		outsb
		add	[eax+0], dl
		popa
		add	[edi+0], ah
		add	gs:[eax+eax+50h], ah
		add	[edi+0], ch
		outsd
		add	[eax+eax+51h], ch
		add	[ebp+0], dh
		outsd
		add	[eax+eax+61h], dh
; 
		db 3 dup(0)
; 

??_C@_1BO@IGDMFFA@?$AAP?$AAa?$AAg?$AAe?$AAd?$AAP?$AAo?$AAo?$AAl?$AAQ?$AAu?$AAo?$AAt?$AAa@LBKOJDO@:
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		add	fs:[eax+0], dl
		outsd
		add	[edi+0], ch
		insb
		add	[ecx+0], dl
		jnz	short $+2
		outsd
		add	[eax+eax+61h], dh
; 
		db 0
		dd 0
; 

??_C@_1CA@OFCCNLFJ@?$AAP?$AAa?$AAg?$AAi?$AAn?$AAg?$AAF?$AAi?$AAl?$AAe?$AAQ?$AAu?$AAo?$AAt?$AAa@LBKOJDO@:
		push	eax
		add	[ecx+0], ah
		add	[bx+di+0], ch
		outsb
		add	[edi+0], ah
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		push	ecx
		add	[ebp+0], dh
		outsd
		add	[eax+eax+61h], dh
; 
		db 3 dup(0)
; 

??_C@_1CK@MGPMLEDB@?$AAW?$AAo?$AAr?$AAk?$AAi?$AAn?$AAg?$AAS?$AAe?$AAt?$AAP?$AAa?$AAg?$AAe?$AAs@LBKOJDO@:
		push	edi
		add	[edi+0], ch
		jb	short $+2
		imul	eax, [eax], 69h
		add	[esi+0], ch
		add	[bp+di+0], dl
		add	gs:[eax+eax+50h], dh
		add	[ecx+0], ah
		add	[di+0],	ah
		jnb	short $+2
		push	ecx
		add	[ebp+0], dh
		outsd
		add	[eax+eax+61h], dh
; 
		db 0
		align 10h

??_C@_1KA@FFCLDMMF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:00A40578o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ecx+0], dl
		jnz	short $+2
		outsd
		add	[eax+eax+61h], dh
		add	[eax], ah
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
		dw 0
; 

??_C@_1KG@PGMKLFDM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:00A40580o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		outsd
		add	[esi+0], ah
		jz	short $+2
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+50h], bl
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 730065h
		pop	esp
		add	[ebp+0], cl
		imul	eax, [eax], 720063h
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		pop	esp
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ecx+0], dl
		jnz	short $+2
		outsd
		add	[eax+eax+61h], dh
		add	[eax], ah
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
		dd 0
; 

??_C@_1BO@BOGEHPME@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAS?$AAY?$AAS?$AAA?$AAP?$AAP?$AAI?$AAD@LBKOJDO@:
					; DATA XREF: PAGE:00A40C64o
		push	edi
		add	[ecx+0], cl
		dec	esi
		add	[edx], bh
		add	[edi], ch
		add	[edi], ch
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		inc	ecx
		add	[eax+0], dl
		push	eax
		add	[ecx+0], cl
		inc	esp
; 
		db 0
		align 8

??_C@_1BE@BDEKEKBI@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAP?$AAK?$AAG@LBKOJDO@:
					; DATA XREF: PAGE:00A40C74o
		push	edi
		add	[ecx+0], cl
		dec	esi
		add	[edx], bh
		add	[edi], ch
		add	[edi], ch
		add	[eax+0], dl
		dec	ebx
		add	[edi+0], al
; 
		dw 0
; 

??_C@_1CG@JBOPFCIA@?$AAP?$AAs?$AAW?$AAo?$AAr?$AAk?$AAi?$AAn?$AAg?$AAS?$AAe?$AAt?$AAA?$AAd?$AAj@LBKOJDO@:
		push	eax
		add	[ebx+0], dh
		push	edi
		add	[edi+0], ch
		jb	short $+2
		imul	eax, [eax], 69h
		add	[esi+0], ch
		add	[bp+di+0], dl
		add	gs:[eax+eax+41h], dh
		add	[eax+eax+6Ah], ah
		add	[ebp+0], dh
		jnb	short $+2
		jz	short $+2
; 
		dd 0
; 

??_C@_1BI@OCJAMLAJ@?$AAP?$AAe?$AAr?$AAf?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@LBKOJDO@:
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[edi+0], cl
		jo	short $+2
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BM@FKNDABPG@?$AAL?$AAa?$AAr?$AAg?$AAe?$AAP?$AAa?$AAg?$AAe?$AAD?$AAL?$AAL?$AAs@LBKOJDO@:
		dec	esp
		add	[ecx+0], ah
		jb	short $+2
		add	[di+0],	ah
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		inc	esp
		add	[eax+eax+4Ch], cl
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1DG@ENGJHFDI@?$AAP?$AAR?$AAI?$AAV?$AAA?$AAT?$AAE?$AAN?$AAE?$AAT?$AAW?$AAO?$AAR?$AAK?$AAC@LBKOJDO@:
		push	eax
		add	[edx+0], dl
		dec	ecx
		add	[esi+0], dl
		inc	ecx
		add	[eax+eax+45h], dl
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+57h], dl
		add	[edi+0], cl
		push	edx
		add	[ebx+0], cl
		inc	ebx
		add	[eax+eax+49h], cl
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+53h], dl
		add	[ebp+0], al
		push	edx
		add	[esi+0], dl
		inc	ebp
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_1CA@DAHKLIGG@?$AAP?$AAI?$AAC?$AAT?$AAU?$AAR?$AAE?$AAS?$AAL?$AAI?$AAB?$AAR?$AAA?$AAR?$AAY@LBKOJDO@:
		push	eax
		add	[ecx+0], cl
		inc	ebx
		add	[eax+eax+55h], dl
		add	[edx+0], dl
		inc	ebp
		add	[ebx+0], dl
		dec	esp
		add	[ecx+0], cl
		inc	edx
		add	[edx+0], dl
		inc	ecx
		add	[edx+0], dl
		pop	ecx
; 
		db 3 dup(0)
; 

??_C@_1BM@JGFBBEDO@?$AAV?$AAI?$AAD?$AAE?$AAO?$AAS?$AAL?$AAI?$AAB?$AAR?$AAA?$AAR?$AAY@LBKOJDO@:
		push	esi
		add	[ecx+0], cl
		inc	esp
		add	[ebp+0], al
		dec	edi
		add	[ebx+0], dl
		dec	esp
		add	[ecx+0], cl
		inc	edx
		add	[edx+0], dl
		inc	ecx
		add	[edx+0], dl
		pop	ecx
; 
		db 3 dup(0)
; 

??_C@_1BK@GPANBIPD@?$AAM?$AAU?$AAS?$AAI?$AAC?$AAL?$AAI?$AAB?$AAR?$AAA?$AAR?$AAY@LBKOJDO@:
		dec	ebp
		add	[ebp+0], dl
		push	ebx
		add	[ecx+0], cl
		inc	ebx
		add	[eax+eax+49h], cl
		add	[edx+0], al
		push	edx
		add	[ecx+0], al
		push	edx
		add	[ecx+0], bl
; 
		dd 0
; 

??_C@_1BO@FFALCFOG@?$AAI?$AAN?$AAT?$AAE?$AAR?$AAN?$AAE?$AAT?$AAC?$AAL?$AAI?$AAE?$AAN?$AAT@LBKOJDO@:
		dec	ecx
		add	[esi+0], cl
		push	esp
		add	[ebp+0], al
		push	edx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+43h], dl
		add	[eax+eax+49h], cl
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
; 

??_C@_1CK@HDNFKEDH@?$AAI?$AAN?$AAT?$AAE?$AAR?$AAN?$AAE?$AAT?$AAC?$AAL?$AAI?$AAE?$AAN?$AAT?$AAS@LBKOJDO@:
		dec	ecx
		add	[esi+0], cl
		push	esp
		add	[ebp+0], al
		push	edx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+43h], dl
		add	[eax+eax+49h], cl
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+53h], dl
		add	[ebp+0], al
		push	edx
		add	[esi+0], dl
		inc	ebp
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_1BK@NGIHNAJC@?$AAA?$AAP?$AAP?$AAO?$AAI?$AAN?$AAT?$AAM?$AAE?$AAN?$AAT?$AAS@LBKOJDO@:
		inc	ecx
		add	[eax+0], dl
		push	eax
		add	[edi+0], cl
		dec	ecx
		add	[esi+0], cl
		push	esp
		add	[ebp+0], cl
		inc	ebp
		add	[esi+0], cl
		push	esp
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1BC@EFOJIMEP@?$AAC?$AAO?$AAN?$AAT?$AAA?$AAC?$AAT?$AAS@LBKOJDO@:
		inc	ebx
		add	[edi+0], cl
		dec	esi
		add	[eax+eax+41h], dl
		add	[ebx+0], al
		push	esp
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1CC@NKOFCMFO@?$AAD?$AAO?$AAC?$AAU?$AAM?$AAE?$AAN?$AAT?$AAS?$AAL?$AAI?$AAB?$AAR?$AAA?$AAR@LBKOJDO@:
		inc	esp
		add	[edi+0], cl
		inc	ebx
		add	[ebp+0], dl
		dec	ebp
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+53h], dl
		add	[eax+eax+49h], cl
		add	[edx+0], al
		push	edx
		add	[ecx+0], al
		push	edx
		add	[ecx+0], bl
; 
		dd 0
; 

??_C@_1DC@DGDLMKCJ@?$AAE?$AAN?$AAT?$AAE?$AAR?$AAP?$AAR?$AAI?$AAS?$AAE?$AAA?$AAU?$AAT?$AAH?$AAE@LBKOJDO@:
		inc	ebp
		add	[esi+0], cl
		push	esp
		add	[ebp+0], al
		push	edx
		add	[eax+0], dl
		push	edx
		add	[ecx+0], cl
		push	ebx
		add	[ebp+0], al
		inc	ecx
		add	[ebp+0], dl
		push	esp
		add	[eax+0], cl
		inc	ebp
		add	[esi+0], cl
		push	esp
		add	[ecx+0], cl
		inc	ebx
		add	[ecx+0], al
		push	esp
		add	[ecx+0], cl
		dec	edi
		add	[esi+0], cl
; 
		dd 0
; 

??_C@_1CO@MBAJCLOO@?$AAS?$AAH?$AAA?$AAR?$AAE?$AAD?$AAU?$AAS?$AAE?$AAR?$AAC?$AAE?$AAR?$AAT?$AAI@LBKOJDO@:
		push	ebx
		add	[eax+0], cl
		inc	ecx
		add	[edx+0], dl
		inc	ebp
		add	[eax+eax+55h], al
		add	[ebx+0], dl
		inc	ebp
		add	[edx+0], dl
		inc	ebx
		add	[ebp+0], al
		push	edx
		add	[eax+eax+49h], dl
		add	[esi+0], al
		dec	ecx
		add	[ebx+0], al
		inc	ecx
		add	[eax+eax+45h], dl
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1CC@OJNEDPCA@?$AAR?$AAE?$AAM?$AAO?$AAV?$AAA?$AAB?$AAL?$AAE?$AAS?$AAT?$AAO?$AAR?$AAA?$AAG@LBKOJDO@:
		push	edx
		add	[ebp+0], al
		dec	ebp
		add	[edi+0], cl
		push	esi
		add	[ecx+0], al
		inc	edx
		add	[eax+eax+45h], cl
		add	[ebx+0], dl
		push	esp
		add	[edi+0], cl
		push	edx
		add	[ecx+0], al
		inc	edi
		add	[ebp+0], al
; 
		dd 0
; 

??_C@_1HO@PKFMCJEM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:00A40984o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		outsd
		add	[esi+0], ah
		jz	short $+2
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+4Dh], bl
		add	[ecx+0], ch
		arpl	[eax], ax
		jb	short $+2
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		and	[eax], al
		dec	esi
		add	[eax+eax+5Ch], dl
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_1GG@KMAKALDL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:00A40980o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1DA@PDHFOJA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAU?$AAs?$AAe?$AAr?$AA?2@LBKOJDO@:
					; DATA XREF: PAGE:off_A4098Co
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], dl
		jnb	short $+2
		add	gs:[edx+0], dh
		pop	esp
		add	[esi], ch
		add	[eax+eax+65h], al
		add	[esi+0], ah
		popa
		add	[ebp+0], dh
		insb
		add	[eax+eax+0], dh

loc_A45917:				; DATA XREF: PAGE:00A40988o
		add	[eax+eax+52h], bl
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[eax+0], cl
		popa
		add	[edx+0], dh
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+44h], bl
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		dec	ebp
		add	[ecx+0], ah
		jo	short $+2
; 
		dd 2 dup(0)
; 

??_C@_1GI@HGIHOLK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:00A4097Co
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BG@DFCGIBG@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAB?$AAG?$AAK?$AAD@LBKOJDO@:
					; DATA XREF: PAGE:00A40C94o
		push	edi
		add	[ecx+0], cl
		dec	esi
		add	[edx], bh
		add	[edi], ch
		add	[edi], ch
		add	[edx+0], al
		inc	edi
		add	[ebx+0], cl
		inc	esp
; 
		db 0
		align 8

??_C@_1CA@KNFPKGEL@?$AAW?$AAI?$AAN?$AA?3?$AA?1?$AA?1?$AAP?$AAK?$AAG?$AAH?$AAO?$AAS?$AAT?$AAI?$AAD@LBKOJDO@:
					; DATA XREF: PAGE:00A40C84o
		push	edi
		add	[ecx+0], cl
		dec	esi
		add	[edx], bh
		add	[edi], ch
		add	[edi], ch
		add	[eax+0], dl
		dec	ebx
		add	[edi+0], al
		dec	eax
		add	[edi+0], cl
		push	ebx
		add	[eax+eax+49h], dl
		add	[eax+eax+0], al
; 
		db 0
; 

??_C@_1BG@BKPLIDKL@?$AAs?$AAp?$AAp?$AAs?$AAv?$AAc?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40E04o
		jnb	short $+2
		jo	short $+2
		jo	short $+2
		jnb	short $+2
		jbe	short $+2
		arpl	[eax], ax
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BK@ILFKGFOJ@?$AAs?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe?$AAs?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40DF4o
		jnb	short $+2
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BI@DBNLEFLG@?$AAw?$AAi?$AAn?$AAi?$AAn?$AAi?$AAt?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@:
		ja	short $+2
		imul	eax, [eax], 69006Eh
		outsb
		add	[ecx+0], ch
		jz	short $+2
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al

loc_A45A53:				; DATA XREF: PAGE:00A40E14o
		add	[edi+0], ah
		add	gs:[esi+0], ch
		jbe	short $+2
		popa
		add	[eax+eax+6Fh], ch
		add	[edx+0], ah
		push	0
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1BC@GMMNGGPN@?$AAs?$AAm?$AAs?$AAs?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@:
		jnb	short $+2
		insd
		add	[ebx+0], dh
		jnb	short $+2
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BE@OMGDNGEO@?$AAc?$AAs?$AAr?$AAs?$AAs?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40DE4o
		arpl	[eax], ax
		jnb	short $+2
		jb	short $+2
		jnb	short $+2
		jnb	short $+2
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al

loc_A45A97:				; DATA XREF: PAGE:00A40DD4o
		add	[edi+0], dh
		add	gs:[edx+0], dh
		db	66h
		add	[ecx+0], ah
		jnz	short $+2
		insb
		add	[eax+eax+73h], dh
		add	[ebp+0], ah
		arpl	[eax], ax
		jnz	short $+2
		jb	short $+2
		add	gs:[esi], ch
		add	[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BO@ICOPDBBO@?$AAs?$AAg?$AAr?$AAm?$AAb?$AAr?$AAo?$AAk?$AAe?$AAr?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40E84o
		jnb	short $+2
		add	[bp+si+0], dh
		insd
		add	[edx+0], ah
		jb	short $+2
		outsd
		add	[ebx+0], ch
		add	gs:[edx+0], dh
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1DE@JNGANGBM@?$AAs?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AAh?$AAe?$AAa?$AAl?$AAt?$AAh?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A40E74o
		jnb	short $+2
		add	gs:[ebx+0], ah
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
		push	61006500h
		add	[eax+eax+74h], ch
		add	[eax+0], ch
		jnb	short $+2
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al

loc_A45B13:				; DATA XREF: PAGE:00A40EA4o
		add	[esi+0], ah
		arpl	[eax], ax
		insb
		add	[ecx+0], ch
		jo	short $+2
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al

loc_A45B27:				; DATA XREF: PAGE:00A40E94o
		add	[ebx+0], dl
		dec	ecx
		add	[eax+0], cl
		inc	ebx
		add	[eax+eax+69h], ch
		add	[ebp+0], ah
		outsb
		add	[eax+eax+2Eh], dh
		add	[ebp+0], ah
		js	short $+2
		add	gs:[eax], al

loc_A45B43:				; DATA XREF: PAGE:00A40E44o
		add	[ebp+0], dh
		jnb	short $+2
		add	gs:[edx+0], dh
		imul	eax, [eax], 69006Eh
		jz	short $+2
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BE@FPBDCMAD@?$AAl?$AAs?$AAa?$AAs?$AAs?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40E34o
		insb
		add	[ebx+0], dh
		popa
		add	[ebx+0], dh
		jnb	short $+2
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1BI@OBPOPBKG@?$AAa?$AAu?$AAt?$AAo?$AAc?$AAh?$AAk?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40E64o
		popa
		add	[ebp+0], dh
		jz	short $+2
		outsd
		add	[ebx+0], ah
		push	2E006B00h
		add	[ebp+0], ah
		js	short $+2
		add	gs:[eax], al

loc_A45B8B:				; DATA XREF: PAGE:00A40E54o
		add	[edi+0], dh
		imul	eax, [eax], 6C006Eh
		outsd
		add	[edi+0], ah
		outsd
		add	[esi+0], ch
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CG@MJCONBCN@?$AAc?$AAo?$AAd?$AAe?$AAg?$AAe?$AAn?$AAt?$AAe?$AAs?$AAt?$AAp?$AAp?$AAl?$AA?4@LBKOJDO@:
					; DATA XREF: PAGE:00A40D84o
		arpl	[eax], ax
		outsd
		add	[eax+eax+65h], ah
		add	[edi+0], ah
		add	gs:[esi+0], ch
		jz	short $+2
		add	gs:[ebx+0], dh
		jz	short $+2
		jo	short $+2
		jo	short $+2
		insb
		add	[esi], ch
		add	[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BO@CFGKKGNO@?$AAw?$AAi?$AAn?$AAt?$AAe?$AAs?$AAt?$AAn?$AAp?$AAp?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40D74o
		ja	short $+2
		imul	eax, [eax], 74006Eh
		add	gs:[ebx+0], dh
		jz	short $+2
		outsb
		add	[eax+0], dh
		jo	short $+2
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BO@MLDCGLHA@?$AAa?$AAu?$AAt?$AAh?$AAt?$AAe?$AAs?$AAt?$AAp?$AAp?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40DA4o
		popa
		add	[ebp+0], dh
		jz	short $+2
		push	65007400h
		add	[ebx+0], dh
		jz	short $+2
		jo	short $+2
		jo	short $+2
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BM@KJIGJJKN@?$AAa?$AAm?$AAt?$AAe?$AAs?$AAt?$AAp?$AAp?$AAl?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40D94o
		popa
		add	[ebp+0], ch
		jz	short $+2
		add	gs:[ebx+0], dh
		jz	short $+2
		jo	short $+2
		jo	short $+2
		insb
		add	[esi], ch
		add	[ebp+0], ah
		js	short $+2
		add	gs:[eax], al

loc_A45C2B:				; DATA XREF: PAGE:00A40D44o
		add	[edi+0], dh
		imul	eax, [eax], 74006Eh
		add	gs:[ebx+0], dh
		jz	short $+2
		jz	short $+2
		arpl	[eax], ax
		bound	eax, [eax]
		jo	short $+2
		jo	short $+2
		insb
		add	[esi], ch
		add	[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CC@PKLBFDON@?$AAw?$AAi?$AAn?$AAt?$AAe?$AAs?$AAt?$AAt?$AAc?$AAb?$AAp?$AAp?$AA?4?$AAe?$AAx@LBKOJDO@:
		ja	short $+2
		imul	eax, [eax], 74006Eh
		add	gs:[ebx+0], dh
		jz	short $+2
		jz	short $+2
		arpl	[eax], ax
		bound	eax, [eax]
		jo	short $+2
		jo	short $+2
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BO@OKNNMOJG@?$AAw?$AAi?$AAn?$AAt?$AAe?$AAs?$AAt?$AAp?$AAp?$AAl?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40D64o
		ja	short $+2
		imul	eax, [eax], 74006Eh
		add	gs:[ebx+0], dh
		jz	short $+2
		jo	short $+2
		jo	short $+2
		insb
		add	[esi], ch
		add	[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BM@PJLKBIO@?$AAw?$AAi?$AAn?$AAt?$AAe?$AAs?$AAt?$AAp?$AAp?$AA?4?$AAe?$AAx?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A40D54o
		ja	short $+2
		imul	eax, [eax], 74006Eh
		add	gs:[ebx+0], dh
		jz	short $+2
		jo	short $+2
		jo	short $+2
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CC@IJFBFJPN@?$AAw?$AAi?$AAn?$AAt?$AAe?$AAs?$AAt?$AAa?$AAu?$AAd?$AAi?$AAt?$AA?4?$AAe?$AAx@LBKOJDO@:
					; DATA XREF: PAGE:00A40DB4o
		ja	short $+2
		imul	eax, [eax], 74006Eh
		add	gs:[ebx+0], dh
		jz	short $+2
		popa
		add	[ebp+0], dh
		add	fs:[ecx+0], ch
		jz	short $+2
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CC@NHFIIIMN@?$AA?2?$AAS?$AAe?$AAR?$AAm?$AAC?$AAo?$AAm?$AAm?$AAa?$AAn?$AAd?$AAP?$AAo?$AAr@LBKOJDO@:
		pop	esp
		add	[ebx+0], dl
		add	gs:[edx+0], dl
		insd
		add	[ebx+0], al
		outsd
		add	[ebp+0], ch
		insd
		add	[ecx+0], ah
		outsb
		add	[eax+eax+50h], ah
		add	[edi+0], ch
		jb	short $+2
		jz	short $+2
; 
		dd 0
; 

_ImageLoadGuid:				; DATA XREF: PAGE:00A41138o
		sbb	eax, 0C12CB15Dh
		pop	edi
		rcl	byte ptr [ecx],	cl
		stosd
		loope	$+2
		mov	al, ds:18F511C9h

; void GlobalLoggerGuid
_GlobalLoggerGuid:			; DATA XREF: EtwpStartLogger+2A5o
					; EtwStartAutoLogger:loc_90A8FFo
		mov	esp, 84E8908Ah
		stosb
		rcl	byte ptr [ecx],	cl
		call	far ptr	0D785h:5F800093h
; 
		db 0C6h
; 

??_C@_1HG@MFCMOGIO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:00A41208o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al
		dec	ebp
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
; 
		dd 0
; 

??_C@_1DE@HOCGNCOF@?$AAF?$AAu?$AAl?$AAl?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAI?$AAn?$AAf?$AAo@LBKOJDO@:
					; DATA XREF: .data:006B301Co
		inc	esi
		add	[ebp+0], dh
		insb
		add	[eax+eax+50h], ch
		add	[edx+0], dh
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
		jb	short $+2
		insd
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	ebx
		add	[ecx+0], cl
		inc	esp
; 
		db 3 dup(0)
; 

??_C@_1CM@DGFIDOEL@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAU?$AAw?$AAf?$AAv?$AAo?$AAl?$AAC@LBKOJDO@:
					; DATA XREF: PAGE:00A411FCo
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	[ebp+0], dl
		ja	short $+2
		db	66h
		add	[esi+0], dh
		outsd
		add	[eax+eax+43h], ch
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
; 
		db 3 dup(0)
; 

; void PORTABLE_WORKSPACE_LAUNCHER_EFI_ENTRY_ID
_PORTABLE_WORKSPACE_LAUNCHER_EFI_ENTRY_ID:
					; DATA XREF: ExpQueryPortableWorkspaceEfiLauncherInformation(x,x,x)+125o
		fsubr	qword ptr [edi+40260DF5h]
		in	al, 47h
; 
		dd 43F38A81h, 15369580h
; 

??_C@_1IE@CPEFALAA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:off_A41484o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BI@JPCMFPH@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAT?$AAy?$AAp?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:off_A41488o
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		push	esp
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1BE@MMGHIOAH@?$AAS?$AAe?$AAt?$AAu?$AAp?$AAT?$AAy?$AAp?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:off_A4147Co
		push	ebx
		add	[ebp+0], ah
		jz	short $+2
		jnz	short $+2
		jo	short $+2
		push	esp
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1BK@BHIOFGBH@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAP?$AAr?$AAe?$AAf?$AAi?$AAx@LBKOJDO@:
					; DATA XREF: PAGE:off_A41480o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	eax
		add	[edx+0], dh
		add	gs:[esi+0], ah
		imul	eax, [eax], 78h
; 
		dw 0
; 

??_C@_1DO@PGOAJPNE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:off_A41478o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], dl
		add	gs:[eax+eax+75h], dh
		add	[eax+0], dh
; 
		dd 0
; 

??_C@_1BO@GKCMPHLG@?$AAS?$AAm?$AAa?$AAl?$AAl?$AA?5?$AAB?$AAu?$AAs?$AAi?$AAn?$AAe?$AAs?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:off_A414A4o
		push	ebx
		add	[ebp+0], ch
		popa
		add	[eax+eax+6Ch], ch
		add	[eax], ah
		add	[edx+0], al
		jnz	short $+2
		jnb	short $+2
		imul	eax, [eax], 65006Eh
		jnb	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1BG@PCCIFCMK@?$AAE?$AAn?$AAt?$AAe?$AAr?$AAp?$AAr?$AAi?$AAs?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:off_A414A8o
		inc	ebp
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		jo	short $+2
		jb	short $+2
		imul	eax, [eax], 650073h
; 
		dd 2 dup(0)
; 

??_C@_1IM@BMOFCHBC@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:off_A4149Co
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		pop	esp
		add	[eax+eax+69h], cl
		add	[ebx+0], ah
		add	gs:[esi+0], ch
		jnb	short $+2
		add	gs:[ecx+0], cl
		outsb
		add	[esi+0], ah
		outsd
		add	[ebx+0], dl
		jnz	short $+2
		imul	eax, [eax], 650074h
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CA@DKJDGANH@?$AAC?$AAo?$AAn?$AAc?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAL?$AAi?$AAm?$AAi?$AAt@LBKOJDO@:
					; DATA XREF: PAGE:off_A414A0o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[ebx+0], ah
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		dec	esp
		add	[ecx+0], ch
		insd
		add	[ecx+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1M@FFGHOEMJ@?$AAW?$AAi?$AAn?$AAN?$AAT@LBKOJDO@: ;	DATA XREF: PAGE:off_A41494o
		push	edi
		add	[ecx+0], ch
		outsb
		add	[esi+0], cl
		push	esp
; 
		db 3 dup(0)
; 

??_C@_1BK@HJNBLNLJ@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAS?$AAu?$AAi?$AAt?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:off_A41498o
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		push	ebx
		add	[ebp+0], dh
		imul	eax, [eax], 650074h
; 
		dd 0
; 

??_C@_1BC@NCHLLMKP@?$AAL?$AAa?$AAn?$AAm?$AAa?$AAn?$AAN?$AAT@LBKOJDO@:
					; DATA XREF: PAGE:off_A4148Co
		dec	esp
		add	[ecx+0], ah
		outsb
		add	[ebp+0], ch
		popa
		add	[esi+0], ch
		dec	esi
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
; 

??_C@_1BC@MNKEGIPF@?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr?$AAN?$AAT@LBKOJDO@:
					; DATA XREF: PAGE:off_A41490o
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		add	gs:[edx+0], dh
		dec	esi
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
; 

??_C@_1BC@EANCBBIH@?$AAP?$AAe?$AAr?$AAs?$AAo?$AAn?$AAa?$AAl@LBKOJDO@:
					; DATA XREF: PAGE:off_A414C4o
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		outsd
		add	[esi+0], ch
		popa
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1M@BAHFBOFJ@?$AAB?$AAl?$AAa?$AAd?$AAe@LBKOJDO@: ;	DATA XREF: PAGE:off_A414C8o
		inc	edx
		add	[eax+eax+61h], ch
		add	[eax+eax+65h], ah
; 
		db 3 dup(0)
; 

??_C@_1BG@ECDEFKDD@?$AAE?$AAm?$AAb?$AAe?$AAd?$AAd?$AAe?$AAd?$AAN?$AAT@LBKOJDO@:
					; DATA XREF: PAGE:off_A414BCo
		inc	ebp
		add	[ebp+0], ch
		bound	eax, [eax]
		add	gs:[eax+eax+64h], ah
		add	[ebp+0], ah
		add	fs:[esi+0], cl
		push	esp
; 
		db 0
		dd 0
; 

??_C@_1BG@CNKBPOLO@?$AAD?$AAa?$AAt?$AAa?$AAC?$AAe?$AAn?$AAt?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:off_A414C0o
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
		add	[ebx+0], al
		add	gs:[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
; 
		dd 0
; 

??_C@_1DG@DFNPOBGK@?$AAS?$AAm?$AAa?$AAl?$AAl?$AA?5?$AAB?$AAu?$AAs?$AAi?$AAn?$AAe?$AAs?$AAs?$AA?$CI@LBKOJDO@:
					; DATA XREF: PAGE:off_A414B4o
		push	ebx
		add	[ebp+0], ch
		popa
		add	[eax+eax+6Ch], ch
		add	[eax], ah
		add	[edx+0], al
		jnz	short $+2
		jnb	short $+2
		imul	eax, [eax], 65006Eh
		jnb	short $+2
		jnb	short $+2
		sub	[eax], al
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		imul	eax, [eax], 740063h
		add	gs:[eax+eax+29h], ah
; 
		db 0
		dd 0
; 

??_C@_1CA@BFNKNOIB@?$AAT?$AAe?$AAr?$AAm?$AAi?$AAn?$AAa?$AAl?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:off_A414B8o
		push	esp
		add	[ebp+0], ah
		jb	short $+2
		insd
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ah
		insb
		add	[eax], ah
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1CI@DPGNCPEG@?$AAC?$AAo?$AAm?$AAm?$AAu?$AAn?$AAi?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAS?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:off_A414ACo
		inc	ebx
		add	[edi+0], ch
		insd
		add	[ebp+0], ch
		jnz	short $+2
		outsb
		add	[ecx+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1BG@NGPLODIG@?$AAB?$AAa?$AAc?$AAk?$AAO?$AAf?$AAf?$AAi?$AAc?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:off_A414B0o
		inc	edx
		add	[ecx+0], ah
		arpl	[eax], ax
		imul	eax, [eax], 4Fh
		add	[esi+0], ah
		db	66h
		add	[ecx+0], ch
		arpl	[eax], ax
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BA@BIEHHHFN@?$AAP?$AAh?$AAo?$AAn?$AAe?$AAN?$AAT@LBKOJDO@:
					; DATA XREF: PAGE:off_A414E4o
		push	eax
		add	[eax+0], ch
		outsd
		add	[esi+0], ch
		add	gs:[esi+0], cl
		push	esp
; 
		db 3 dup(0)
; 

??_C@_1CG@NDJCHNKO@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAT@LBKOJDO@:
					; DATA XREF: PAGE:off_A414E8o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	ds:72005000h, ch
		add	[edi+0], ch
		add	fs:[ebp+0], dh
		arpl	[eax], ax
		jz	short $+2
		push	esp
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BE@JEKEKCNB@?$AAW?$AAH?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:off_A414DCo
		push	edi
		add	[eax+0], cl
		and	[eax], al
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1CM@DHJDDPJO@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAe?$AAt?$AAu?$AAp?$AAI?$AAn?$AAP?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:off_A414E0o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	ebx
		add	[ebp+0], ah
		jz	short $+2
		jnz	short $+2
		jo	short $+2
		dec	ecx
		add	[esi+0], ch
		push	eax
		add	[edx+0], dh
		outsd
		add	[edi+0], ah
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BO@EICAEGDK@?$AAS?$AAt?$AAo?$AAr?$AAa?$AAg?$AAe?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:off_A414D4o
		push	ebx
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
		popa
		add	[edi+0], ah
		add	gs:[eax], ah
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		add	gs:[edx+0], dh
; 
		dd 0
; 

??_C@_1BO@FKKKPMOJ@?$AAC?$AAo?$AAm?$AAp?$AAu?$AAt?$AAe?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:off_A414D8o
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		jnz	short $+2
		jz	short $+2
		add	gs:[eax], ah
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		add	gs:[edx+0], dh
; 
		dd 0
; 

??_C@_1CK@OEJDIJIK@?$AAE?$AAm?$AAb?$AAe?$AAd?$AAd?$AAe?$AAd?$AA?$CI?$AAR?$AAe?$AAs?$AAt?$AAr?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:off_A414CCo
		inc	ebp
		add	[ebp+0], ch
		bound	eax, [eax]
		add	gs:[eax+eax+64h], ah
		add	[ebp+0], ah
		add	fs:[eax], ch
		add	[edx+0], dl
		add	gs:[ebx+0], dh
		jz	short $+2
		jb	short $+2
		imul	eax, [eax], 740063h
		add	gs:[eax+eax+29h], ah
; 
		db 0
		align 10h

??_C@_1CG@PMLDFGPP@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?5?$AAA?$AAp?$AAp?$AAl?$AAi?$AAa@LBKOJDO@:
					; DATA XREF: PAGE:off_A414D0o
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
		and	[eax], al
		inc	ecx
		add	[eax+0], dh
		jo	short $+2
		insb
		add	[ecx+0], ch
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CK@DOCFKPNP@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAP?$AAo?$AAw?$AAe?$AAr@LBKOJDO@:
					; DATA XREF: PAGE:00A4158Co
		pop	esp
		add	[ebx+0], al
		popa
		add	[eax+eax+6Ch], ch
		add	[edx+0], ah
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 5Ch
		add	[eax+0], dl
		outsd
		add	[edi+0], dh
		add	gs:[edx+0], dh
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+65h], dh
; 
		db 0
		dd 0
; 

??_C@_1CO@FHBOFCJN@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAP?$AAr?$AAo?$AAc?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A41594o
		pop	esp
		add	[ebx+0], al
		popa
		add	[eax+eax+6Ch], ch
		add	[edx+0], ah
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 5Ch
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		outsd
		add	[edx+0], dh
		inc	ecx
		add	[eax+eax+64h], ah
; 
		db 0
		dd 0
; 

??_C@_1DA@PGBCEJOI@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAS?$AAe?$AAt?$AAS?$AAy@LBKOJDO@:
					; DATA XREF: PAGE:00A4157Co
		pop	esp
		add	[ebx+0], al
		popa
		add	[eax+eax+6Ch], ch
		add	[edx+0], ah
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 5Ch
		add	[ebx+0], dl
		add	gs:[eax+eax+53h], dh
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1DC@KMLCFGFF@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAS?$AAe?$AAt?$AAS?$AAy@LBKOJDO@:
					; DATA XREF: PAGE:00A41584o
		pop	esp
		add	[ebx+0], al
		popa
		add	[eax+eax+6Ch], ch
		add	[edx+0], ah
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 5Ch
		add	[ebx+0], dl
		add	gs:[eax+eax+53h], dh
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+65h], dh
; 
		db 0
		align 8

??_C@_1DK@GHDAFMLO@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAE?$AAn?$AAl?$AAi?$AAg@LBKOJDO@:
					; DATA XREF: PAGE:off_A41574o
		pop	esp
		add	[ebx+0], al
		popa
		add	[eax+eax+6Ch], ch
		add	[edx+0], ah
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 5Ch
		add	[ebp+0], al
		outsb
		add	[eax+eax+69h], ch
		add	[edi+0], ah
		push	65007400h
		add	[esi+0], ch
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+53h], dh
		add	[eax+eax+61h], dh
		add	[eax+eax+65h], dh
; 
		db 0
		dd 0
; 

??_C@_1DK@OAFMFLJJ@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAP?$AAh?$AAa?$AAs?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A4159Co
		pop	esp
		add	[ebx+0], al
		popa
		add	[eax+eax+6Ch], ch
		add	[edx+0], ah
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 5Ch
		add	[eax+0], dl
		push	73006100h
		add	[ebp+0], ah
		xor	[eax], eax
		dec	ecx
		add	[esi+0], ch
		imul	eax, [eax], 430074h
		outsd
		add	[ebp+0], ch
		jo	short $+2
		insb
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1FA@BFIGFFEL@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAS?$AAe?$AAI?$AAm?$AAa@LBKOJDO@:
					; DATA XREF: PAGE:00A415A4o
		pop	esp
		add	[ebx+0], al
		popa
		add	[eax+eax+6Ch], ch
		add	[edx+0], ah
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 5Ch
		add	[ebx+0], dl
		add	gs:[ecx+0], cl
		insd
		add	[ecx+0], ah
		add	[di+0],	ah
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
; 
		dw 0
; 

??_C@_1CE@FCDBCNKE@?$AAC?$AAl?$AAo?$AAu?$AAd?$AAb?$AAo?$AAo?$AAk?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A418A8o
		inc	ebx
		add	[eax+eax+6Fh], ch
		add	[ebp+0], dh
		add	fs:[edx+0], ah
		outsd
		add	[edi+0], ch
		imul	eax, [eax], 44h
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		dec	ecx
		add	[eax+eax+0], al
; 
		db 0
; 

??_C@_1CM@LLLEBFDB@?$AAC?$AAl?$AAo?$AAu?$AAd?$AAb?$AAo?$AAo?$AAk?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A418A0o
		inc	ebx
		add	[eax+eax+6Fh], ch
		add	[ebp+0], dh
		add	fs:[edx+0], ah
		outsd
		add	[edi+0], ch
		imul	eax, [eax], 44h
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		dec	esp
		add	[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 65h
		add	[eax+eax+0], ah
		add	[edi+0], cl
		push	ebx
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+65h], dh
		add	[esi+0], ch
		jz	short $+2
		dec	ecx
		add	[eax+eax+0], ah
; 
		db 3 dup(0)
; 

??_C@_1BM@NLGAGAOC@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@LBKOJDO@:
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dw 0
; 

??_C@_1BK@BMCLGMFN@?$AAO?$AAS?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAP?$AAf?$AAn@LBKOJDO@:
		dec	edi
		add	[ebx+0], dl
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		push	eax
		add	[esi+0], ah
		outsb
; 
		db 0
		align 10h

??_C@_1DA@JCKMAOAN@?$AA?2?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AA?2?$AAL?$AAi?$AAc?$AAe?$AAn@LBKOJDO@:
		pop	esp
		add	[ebx+0], al
		popa
		add	[eax+eax+6Ch], ch
		add	[edx+0], ah
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 5Ch
		add	[eax+eax+69h], cl
		add	[ebx+0], ah
		add	gs:[esi+0], ch
		jnb	short $+2
		imul	eax, [eax], 67006Eh
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
; 
		db 3 dup(0)
; 

??_C@_1CK@NEMLIBJE@?$AAC?$AAl?$AAi?$AAp?$AA?9?$AAS?$AAu?$AAb?$AAs?$AAc?$AAr?$AAi?$AAp?$AAt?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:00A418CCo
		inc	ebx
		add	[eax+eax+69h], ch
		add	[eax+0], dh
		sub	eax, 75005300h
		add	[edx+0], ah
		jnb	short $+2
		arpl	[eax], ax
		jb	short $+2
		imul	eax, [eax], 740070h
		imul	eax, [eax], 6E006Fh
		push	eax
		add	[esi+0], al
		dec	esi
; 
		db 0
		align 10h

??_C@_1EM@PHDPIAKH@?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?9?$AAS?$AAP?$AAP?$AA?9?$AAI?$AAg@LBKOJDO@:
					; DATA XREF: PAGE:00A418B8o
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
		sub	eax, 50005300h
		add	[eax+0], dl
		sub	eax, 67004900h
		add	[esi+0], ch
		outsd
		add	[edx+0], dh
		add	gs:[eax+eax+65h], al
		add	[esi+0], ah
		add	gs:[edx+0], dh
		jb	short $+2
		add	gs:[eax+eax+41h], ah
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 610076h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
; 

??_C@_1CM@GMHOJELD@?$AAC?$AAo?$AAn?$AAs?$AAu?$AAm?$AAe?$AAA?$AAd?$AAd?$AAo?$AAn?$AAP?$AAo?$AAl@LBKOJDO@:
					; DATA XREF: PAGE:00A418B0o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
		jnz	short $+2
		insd
		add	[ebp+0], ah
		inc	ecx
		add	[eax+eax+64h], ah
		add	[edi+0], ch
		outsb
		add	[eax+0], dl
		outsd
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		jns	short $+2
		push	ebx
		add	[ebp+0], ah
		jz	short $+2
; 
		dw 0
off_A46548	dd offset loc_A4199F+1	; DATA XREF: SLQueryLicenseValueInternal+109o
					; SLQueryLicenseValueInternal+22Do ...
		dd 42h
		dd offset unk_A06A26
		align 8
		dd 1
		dd offset loc_A4195B+5
		dd 3Eh
		dd offset unk_A063B6
		dd offset _ExpGenuinePolicyPostProcess@24 ; ExpGenuinePolicyPostProcess(x,x,x,x,x,x)
		dd 1
		dd offset dword_A418D8+4Ch
		dd 3Ch
		dd offset loc_A06AB8
		align 10h
		dd 1
		dd offset dword_A418D8
		dd 4Ch
		dd offset unk_A06A72
		dd 0
		dd 1
		dd offset dword_A415F8+0D0h
		dd 4Ah
		dd offset _NtCreateCrossVmEvent@24 ; NtCreateCrossVmEvent(x,x,x,x,x,x)
		dd 2 dup(0)
		dd offset dword_A415F8+88h
		dd 48h
		dd offset sub_6860F0
		dd 0
		dd 1
		dd offset dword_A415F8+34h
		dd 28h
		dd offset _ExpOsProductPfnCacheProvider@24 ; ExpOsProductPfnCacheProvider(x,x,x,x,x,x)
		dd 2 dup(0)
		dd offset dword_A415F8
		dd 34h
		dd offset _ExpOsProductContentIdCacheProvider@24 ; ExpOsProductContentIdCacheProvider(x,x,x,x,x,x)
		dd 2 dup(0)
		dd offset dword_A415F8+11Ch
		dd 2Ah
		dd offset ExpKernelExpirationDateCacheProvider
		dd 2 dup(0)
		dd offset dword_A415F8+5Ch
		dd 2Ah
		dd offset _ExpConsumeAddonPolicySetCacheProvider@24 ; ExpConsumeAddonPolicySetCacheProvider(x,x,x,x,x,x)
		dd 0
		dd 1
		dd offset dword_A415F8+190h
		dd 48h
		dd offset _ExpCloudbookHardwareIDProvider@24 ; ExpCloudbookHardwareIDProvider(x,x,x,x,x,x)
		dd 2 dup(0)
		dd offset dword_A415F8+148h
		dd 48h
		dd offset _ExpCloudbookHardwareLockedProvider@24 ; ExpCloudbookHardwareLockedProvider(x,x,x,x,x,x)
		dd 2 dup(0)
		dd offset dword_A415F8+220h
		dd 6Eh
		dd offset _ExpCloudbookHardwareLockedProvider@24 ; ExpCloudbookHardwareLockedProvider(x,x,x,x,x,x)
		dd 2 dup(0)
		dd offset dword_A415F8+1D8h
		dd 48h
		dd offset _ExpCloudbookHardwareLockedProvider@24 ; ExpCloudbookHardwareLockedProvider(x,x,x,x,x,x)
		align 10h

??_C@_1EA@KFFCOKBH@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@LBKOJDO@:
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		pop	esp
		add	[eax+eax+6Fh], ch
		add	[ebx+0], ah
		popa
		add	[eax+eax+65h], ch
		add	[esi], ch
		add	[esi+0], ch
		insb
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1BK@HFOEHBHO@?$AAT?$AAa?$AAb?$AAl?$AAe?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@LBKOJDO@:
		push	esp
		add	[ecx+0], ah
		bound	eax, [eax]
		insb
		add	[ebp+0], ah
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_19CCGIELML@?$AA?2?$AAN?$AAL?$AAS@LBKOJDO@:
		pop	esp
		add	[esi+0], cl
		dec	esp
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1GO@MGEPHBAE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@:
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al
		dec	ebp
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[esi+0], cl
		insb
		add	[ebx+0], dh
; 
		dd 0
; 

??_C@_1KK@IMGDCCKA@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:00A41B70o
					; PAGE:00A41B78o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		outsd
		add	[esi+0], ah
		jz	short $+2
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+4Dh], bl
		add	[ecx+0], ch
		arpl	[eax], ax
		jb	short $+2
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		and	[eax], al
		dec	esi
		add	[eax+eax+5Ch], dl
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		pop	esp
		add	[esi+0], dl
		outsd
		add	[eax+eax+61h], ch
		add	[eax+eax+69h], dh
		add	[eax+eax+65h], ch
		add	[esi+0], cl
		outsd
		add	[eax+eax+69h], dh
		add	[esi+0], ah
		imul	eax, [eax], 610063h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dd 2 dup(0)
; 

??_C@_1JK@PILPPDFK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@:
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		outsd
		add	[esi+0], ah
		jz	short $+2
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+4Dh], bl
		add	[ecx+0], ch
		arpl	[eax], ax
		jb	short $+2
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		jnb	short $+2
		and	[eax], al
		dec	esi
		add	[eax+eax+5Ch], dl
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		pop	esp
		add	[esi+0], cl
		outsd
		add	[eax+eax+69h], dh
		add	[esi+0], ah
		imul	eax, [eax], 610063h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dd 2 dup(0)
; 

??_C@_1EO@LPCOMBBD@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@:
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+4Fh], bl
		add	[ebx+0], dl
		inc	esp
		add	[ecx+0], al
		push	esp
		add	[ecx+0], al
		pop	esp
		add	[esi+0], cl
		outsd
		add	[eax+eax+69h], dh
		add	[esi+0], ah
		imul	eax, [eax], 610063h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dd 0
; 

??_C@_1IC@EGPGEMK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:off_A41B38o
					; PAGE:00A41B40o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[esi+0], cl
		outsd
		add	[eax+eax+69h], dh
		add	[esi+0], ah
		imul	eax, [eax], 610063h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dd 0
; 

??_C@_1BO@LBFJPMML@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAO?$AAf?$AAf?$AAl?$AAi?$AAn?$AAe@LBKOJDO@:
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		dec	edi
		add	[esi+0], ah
		db	66h
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CG@GGAGMKOM@?$AAR?$AAe?$AAs?$AAt?$AAo?$AAr?$AAe?$AAC?$AAm?$AAc?$AAi?$AAE?$AAn?$AAa?$AAb@LBKOJDO@:
					; DATA XREF: PAGE:00A41C08o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[ebx+0], al
		insd
		add	[ebx+0], ah
		imul	eax, [eax], 6E0045h
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CO@EJEIPIDH@?$AAR?$AAe?$AAs?$AAt?$AAo?$AAr?$AAe?$AAC?$AAm?$AAc?$AAi?$AAM?$AAa?$AAx?$AAA@LBKOJDO@:
					; DATA XREF: PAGE:00A41C18o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[ebx+0], al
		insd
		add	[ebx+0], ah
		imul	eax, [eax], 61004Dh
		js	short $+2
		inc	ecx
		add	[eax+eax+74h], dh
		add	[ebp+0], ah
		insd
		add	[eax+0], dh
		jz	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1BM@LFDBDPAM@?$AAM?$AAe?$AAm?$AAP?$AAf?$AAa?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@LBKOJDO@:
					; DATA XREF: PAGE:00A41BE8o
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[eax+0], dl
		db	66h
		add	[ecx+0], ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dw 0
; 

??_C@_1CC@CBMFOILI@?$AAI?$AAg?$AAn?$AAo?$AAr?$AAe?$AAD?$AAu?$AAm?$AAm?$AAy?$AAW?$AAr?$AAi?$AAt@LBKOJDO@:
					; DATA XREF: PAGE:00A41BF8o
		dec	ecx
		add	[edi+0], ah
		outsb
		add	[edi+0], ch
		jb	short $+2
		add	gs:[eax+eax+75h], al
		add	[ebp+0], ch
		insd
		add	[ecx+0], bh
		push	edi
		add	[edx+0], dh
		imul	eax, [eax], 650074h
; 
		dd 0
; 

??_C@_1CA@ICAGHMPK@?$AAM?$AAe?$AAm?$AAP?$AAf?$AAa?$AAP?$AAa?$AAg?$AAe?$AAC?$AAo?$AAu?$AAn?$AAt@LBKOJDO@:
					; DATA XREF: PAGE:00A41BC8o
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[eax+0], dl
		db	66h
		add	[ecx+0], ah
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		inc	ebx
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+0], dh
; 
		db 0
; 

??_C@_1CA@KOMJJKMM@?$AAM?$AAe?$AAm?$AAP?$AAf?$AAa?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh?$AAo?$AAl?$AAd@LBKOJDO@:
					; DATA XREF: PAGE:00A41BD8o
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[eax+0], dl
		db	66h
		add	[ecx+0], ah
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+0], ah
; 
		db 0
; 

??_C@_1CE@GEOJMGFF@?$AAM?$AAe?$AAm?$AAP?$AAe?$AAr?$AAs?$AAi?$AAs?$AAt?$AAO?$AAf?$AAf?$AAl?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:00A41BA8o
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[eax+0], dl
		add	gs:[edx+0], dh
		jnb	short $+2
		imul	eax, [eax], 740073h
		dec	edi
		add	[esi+0], ah
		db	66h
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		add	gs:[eax], al

loc_A46A77:				; DATA XREF: PAGE:00A41BB8o
		add	[ebp+0], cl
		add	gs:[ebp+0], ch
		push	eax
		add	[esi+0], ah
		popa
		add	[eax+eax+69h], al
		add	[ebx+0], dh
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1CI@NKLDOMBM@?$AAC?$AAM?$AAC?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh?$AAo?$AAl?$AAd?$AAS?$AAe?$AAc@LBKOJDO@:
					; DATA XREF: PAGE:00A41C48o
		inc	ebx
		add	[ebp+0], cl
		inc	ebx
		add	[eax+eax+68h], dl
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+53h], ah
		add	[ebp+0], ah
		arpl	[eax], ax
		outsd
		add	[esi+0], ch
		add	fs:[ebx+0], dh
; 
		dw 0
; 

??_C@_1CA@KBCEKDGB@?$AAC?$AAM?$AAC?$AAP?$AAo?$AAl?$AAl?$AAi?$AAn?$AAg?$AAL?$AAi?$AAm?$AAi?$AAt@LBKOJDO@:
					; DATA XREF: PAGE:00A41C58o
		inc	ebx
		add	[ebp+0], cl
		inc	ebx
		add	[eax+0], dl
		outsd
		add	[eax+eax+6Ch], ch
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		dec	esp
		add	[ecx+0], ch
		insd
		add	[ecx+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1CM@IIKEJCG@?$AAR?$AAe?$AAs?$AAt?$AAo?$AAr?$AAe?$AAC?$AAm?$AAc?$AAi?$AAE?$AAr?$AAr?$AAo@LBKOJDO@:
					; DATA XREF: PAGE:00A41C28o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[ebx+0], al
		insd
		add	[ebx+0], ah
		imul	eax, [eax], 720045h
		jb	short $+2
		outsd
		add	[edx+0], dh
		dec	esp
		add	[ecx+0], ch
		insd
		add	[ecx+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1CE@IFNODAPI@?$AAC?$AAM?$AAC?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh?$AAo?$AAl?$AAd?$AAC?$AAo?$AAu@LBKOJDO@:
					; DATA XREF: PAGE:00A41C38o
		inc	ebx
		add	[ebp+0], cl
		inc	ebx
		add	[eax+eax+68h], dl
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+43h], ah
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+0], dh

loc_A46B2B:				; DATA XREF: PAGE:off_A42124o
		add	[ebx+ecx*2], ah
		db	65h
		jb	short near ptr loc_A46B9D+2
		db	65h
		insb
		db	2Eh
		push	eax
		jnz	short loc_A46BA9
		db	67h, 65h, 2Eh
		inc	ecx
		jo	short loc_A46BAD
		js	short near ptr loc_A46B82+3
		dec	ecx
		inc	ebx
		popa
		arpl	[eax+65h], bp
; 
		db 3 dup(0)
; 

??_C@_1LA@BFGPJOCH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@LBKOJDO@:
					; DATA XREF: PAGE:00A426ECo
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2

loc_A46B82:				; CODE XREF: PAGE:00A46B3Dj
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh

loc_A46B9D:				; CODE XREF: PAGE:00A46B2Ej
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd

loc_A46BA9:				; CODE XREF: PAGE:00A46B35j
		add	[eax+eax+5Ch], ch

loc_A46BAD:				; CODE XREF: PAGE:00A46B3Bj
		add	[edi], dh
		add	ds:33003000h, dh
		add	[eax+eax], dh
		cmp	[eax], eax
		xor	[eax], eax
		db	66h
		add	ds:61003400h, ch
		add	[ebx], dh
		add	[ecx], bh
		add	ds:66003400h, ch
		add	[eax], bh
		add	[eax+eax], dh
		sub	eax, 32006200h
		add	[ebx], dh
		add	[ecx], dh
		add	ds:61003800h, ch
		add	[ebx+0], ah
		popa
		add	[ebx], dh
		add	[ebp+0], ah
		xor	al, [eax]
		xor	[eax], al
		xor	eax, [eax]
		bound	eax, [eax]
		cmp	[eax], eax
		xor	al, 0
; 
		dw 0
; 

??_C@_1EE@DCEFFCO@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAN?$AAo?$AAn?$AAG?$AAe?$AAn?$AAu?$AAi@LBKOJDO@:
					; DATA XREF: PAGEDATA:00A93F58o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	ds:6F004E00h, ch
		add	[esi+0], ch
		inc	edi
		add	[ebp+0], ah
		outsb
		add	[ebp+0], dh
		imul	eax, [eax], 65006Eh
		dec	esi
		add	[edi+0], ch
		jz	short $+2
		imul	eax, [eax], 690066h
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+eax+79h], dl
		add	[eax+0], dh
		add	gs:[eax], al
; 
		db 0
		align 10h

??_C@_1EO@LEFKKHLK@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAN?$AAo?$AAn?$AAG?$AAe?$AAn?$AAu?$AAi@LBKOJDO@:
					; DATA XREF: PAGEDATA:00A93F4Co
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	ds:6F004E00h, ch
		add	[esi+0], ch
		inc	edi
		add	[ebp+0], ah
		outsb
		add	[ebp+0], dh
		imul	eax, [eax], 65006Eh
		dec	esi
		add	[edi+0], ch
		jz	short $+2
		imul	eax, [eax], 690066h
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dl
		jz	short $+2
		jb	short $+2
		imul	eax, [eax], 67006Eh
		dec	ecx
		add	[eax+eax+73h], ah
; 
		db 0
		align 10h

??_C@_1BA@KLBMOJJJ@?$AAI?$AAn?$AAf?$AAP?$AAa?$AAt?$AAh@LBKOJDO@: ; DATA	XREF: PAGE:00A42D40o
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[eax+0], dl
		popa
		add	[eax+eax+68h], dh
; 
		db 3 dup(0)
; 

??_C@_1BG@DMHKAJIE@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAe?$AAs?$AAc@LBKOJDO@:
					; DATA XREF: PAGE:00A42D30o
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		inc	esp
		add	[ebp+0], ah
		jnb	short $+2
		arpl	[eax], ax
; 
		dd 0
; 

??_C@_1BM@JBLBDIOG@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@LBKOJDO@:
					; DATA XREF: PAGE:00A42D20o
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
; 

??_C@_1BO@EKHJCODK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAe?$AAD?$AAa?$AAt?$AAa@LBKOJDO@:
					; DATA XREF: PAGE:00A42D10o
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax+eax+61h], al
		add	[eax+eax+61h], dh
; 
		db 0
		dd 0
; 

??_C@_1DC@JMAOOCEC@?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAP?$AAi?$AAc?$AAk?$AAe?$AAr?$AAE@LBKOJDO@:
					; DATA XREF: PAGE:00A42DC0o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		outsd
		add	[ebp+0], dh
		jb	short $+2
		arpl	[eax], ax
		add	gs:[eax+0], dl
		imul	eax, [eax], 6B0063h
		add	gs:[edx+0], dh
		inc	ebp
		add	[eax+0], bh
		arpl	[eax], ax
		add	gs:[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dd 0
; 

??_C@_1CG@PLOFMBCB@?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAP?$AAi?$AAc?$AAk?$AAe?$AAr?$AAT@LBKOJDO@:
					; DATA XREF: PAGE:00A42DB0o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		outsd
		add	[ebp+0], dh
		jb	short $+2
		arpl	[eax], ax
		add	gs:[eax+0], dl
		imul	eax, [eax], 6B0063h
		add	gs:[edx+0], dh
		push	esp
		add	[ecx+0], ah
		add	[bp+di+0], dh
; 
		dd 0
; 

??_C@_1BO@OGNECOBA@?$AAC?$AAo?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAe?$AAr?$AAs?$AA3?$AA2@LBKOJDO@:
					; DATA XREF: PAGE:00A42DA0o
		inc	ebx
		add	[edi+0], ch
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[eax+eax+6Ch], ch
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		xor	eax, [eax]
		xor	al, [eax]
; 
		dd 0
; 

??_C@_1CA@IBBBLONP@?$AAE?$AAn?$AAu?$AAm?$AAP?$AAr?$AAo?$AAp?$AAP?$AAa?$AAg?$AAe?$AAs?$AA3?$AA2@LBKOJDO@:
					; DATA XREF: PAGE:00A42C60o
					; PAGE:00A42D90o
		inc	ebp
		add	[esi+0], ch
		jnz	short $+2
		insd
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[eax+0], dh
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		jnb	short $+2
		xor	eax, [eax]
		xor	al, [eax]
; 
		dw 0
; 

??_C@_1BK@IDHMMGND@?$AAP?$AAr?$AAo?$AAv?$AAi?$AAd?$AAe?$AAr?$AAN?$AAa?$AAm?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A42D80o
		push	eax
		add	[edx+0], dh
		outsd
		add	[esi+0], dh
		imul	eax, [eax], 650064h
		jb	short $+2
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
; 
		dd 0
; 

??_C@_1CC@EHFPJOIB@?$AAM?$AAa?$AAt?$AAc?$AAh?$AAi?$AAn?$AAg?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI@LBKOJDO@:
					; DATA XREF: PAGE:00A42D70o
		dec	ebp
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6E006900h
		add	[edi+0], ah
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		dec	ecx
		add	[eax+eax+0], ah
; 
		db 3 dup(0)
; 

??_C@_1BM@NKECGGPG@?$AAI?$AAn?$AAf?$AAS?$AAe?$AAc?$AAt?$AAi?$AAo?$AAn?$AAE?$AAx?$AAt@LBKOJDO@:
					; DATA XREF: PAGE:00A42D60o
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[ebx+0], dl
		add	gs:[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		inc	ebp
		add	[eax+0], bh
		jz	short $+2
; 
		dw 0
; 

??_C@_1BG@EIMGGAFA@?$AAI?$AAn?$AAf?$AAS?$AAe?$AAc?$AAt?$AAi?$AAo?$AAn@LBKOJDO@:
					; DATA XREF: PAGE:00A42D50o
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[ebx+0], dl
		add	gs:[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_1CA@IHGDELPO@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A42CB0o
		inc	esp
		add	[ebp+0], ah
		db	66h
		add	[ecx+0], ah
		jnz	short $+2
		insb
		add	[eax+eax+20h], dh
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
; 
		dw 0
; 

??_C@_1BG@OPOOGLJC@?$AAN?$AAo?$AAU?$AAs?$AAe?$AAC?$AAl?$AAa?$AAs?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A42CA0o
		dec	esi
		add	[edi+0], ch
		push	ebp
		add	[ebx+0], dh
		add	gs:[ebx+0], al
		insb
		add	[ecx+0], ah
		jnb	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1BM@GGJNCOBC@?$AAS?$AAi?$AAl?$AAe?$AAn?$AAt?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl@LBKOJDO@:
					; DATA XREF: PAGE:00A42C90o
		push	ebx
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		outsb
		add	[eax+eax+49h], dh
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[eax+eax+6Ch], ch
; 
		db 3 dup(0)
; 

??_C@_1BO@DAOBINHA@?$AAN?$AAo?$AAD?$AAi?$AAs?$AAp?$AAl?$AAa?$AAy?$AAC?$AAl?$AAa?$AAs?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A42C80o
		dec	esi
		add	[edi+0], ch
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		jo	short $+2
		insb
		add	[ecx+0], ah
		jns	short $+2
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
; 
		dd 0
; 

??_C@_1BO@MPEEJDBI@?$AAN?$AAo?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAC?$AAl?$AAa?$AAs?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A42C70o
		dec	esi
		add	[edi+0], ch
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[eax+eax+6Ch], ch
		add	[ebx+0], al
		insb
		add	[ecx+0], ah
		jnb	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1BI@BPCMDBKA@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAe?$AAr?$AA3?$AA2@LBKOJDO@:
					; DATA XREF: PAGE:00A42C50o
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[eax+eax+6Ch], ch
		add	[ebp+0], ah
		jb	short $+2
		xor	eax, [eax]
		xor	al, [eax]
; 
		dw 0
; 

??_C@_19COFCBAE@?$AAI?$AAc?$AAo?$AAn@LBKOJDO@: ; DATA XREF: PAGE:00A42C40o
		dec	ecx
		add	[ebx+0], ah
		outsd
		add	[esi+0], ch
; 
		dd 0
; 

??_C@_1BK@PIHNOJBM@?$AAI?$AAn?$AAc?$AAl?$AAu?$AAd?$AAe?$AAd?$AAI?$AAn?$AAf?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A42DD0o
		dec	ecx
		add	[esi+0], ch
		arpl	[eax], ax
		insb
		add	[ebp+0], dh
		add	fs:[ebp+0], ah
		add	fs:[ecx+0], cl
		outsb
		add	[esi+0], ah
		jnb	short $+2
; 
		dd 0
; 

??_C@_1BK@JLNLHJCB@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAF?$AAl?$AAa?$AAg?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A42E08o
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[eax+eax+6Ch], ch
		add	[esi+0], al
		insb
		add	[ecx+0], ah
		add	[bp+di+0], dh
; 
		dd 0
; 

??_C@_1BO@DEANAFMF@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAR?$AAe?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd@LBKOJDO@:
					; DATA XREF: PAGE:00A42DF8o
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		push	edx
		add	[ebp+0], ah
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		add	gs:[eax+eax+0],	ah
; 
		db 3 dup(0)
; 

??_C@_1BM@ODHILDJN@?$AAF?$AAS?$AAF?$AAi?$AAl?$AAt?$AAe?$AAr?$AAC?$AAl?$AAa?$AAs?$AAs@LBKOJDO@:
					; DATA XREF: PAGE:00A42D00o
		inc	esi
		add	[ebx+0], dl
		inc	esi
		add	[ecx+0], ch
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BO@NHPFCBDB@?$AAL?$AAa?$AAs?$AAt?$AAD?$AAe?$AAl?$AAe?$AAt?$AAe?$AAD?$AAa?$AAt?$AAe@LBKOJDO@:
					; DATA XREF: PAGE:00A42CF0o
		dec	esp
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		inc	esp
		add	[ebp+0], ah
		insb
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[eax+eax+61h], al
		add	[eax+eax+65h], dh
; 
		db 0
		align 10h

??_C@_1CG@CKOGFCLL@?$AAD?$AAH?$AAP?$AAR?$AAe?$AAb?$AAa?$AAl?$AAa?$AAn?$AAc?$AAe?$AAO?$AAp?$AAt@LBKOJDO@:
					; DATA XREF: PAGE:00A42CE0o
		inc	esp
		add	[eax+0], cl
		push	eax
		add	[edx+0], dl
		add	gs:[edx+0], ah
		popa
		add	[eax+eax+61h], ch
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[edi+0], cl
		jo	short $+2
		jz	short $+2
		dec	edi
		add	[ebp+0], dh
		jz	short $+2
; 
		dd 0
; 

??_C@_1CC@LCCGGDAB@?$AAL?$AAo?$AAw?$AAe?$AAr?$AAL?$AAo?$AAg?$AAo?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo@LBKOJDO@:
					; DATA XREF: PAGE:00A42CD0o
		dec	esp
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		dec	esp
		add	[edi+0], ch
		add	[bx+0],	ch
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_1BC@BKLNFDNF@?$AAI?$AAc?$AAo?$AAn?$AAP?$AAa?$AAt?$AAh@LBKOJDO@:
					; DATA XREF: PAGE:00A42CC0o
		dec	ecx
		add	[ebx+0], ah
		outsd
		add	[esi+0], ch
		push	eax
		add	[ecx+0], ah
		jz	short $+2
		push	0
; 
		db 0
??_C@_1MC@GGJHCNHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAV?$AAM?$AAB?$AAu?$AAs?$AA?2?$AA?$HL@LBKOJDO@:
					; DATA XREF: RamdiskStart(x)+454o
		unicode	0, <\Device\VMBus\{4d12e519-17a0-4ae4-8eaa-5270fc6abdb7}-{dcc>
		unicode	0, <079ae-60ba-4d07-847c-3493609c0870}-0000>,0
		align 4

??_C@_1DC@HPJECOGA@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAL?$AAa?$AAn?$AAm?$AAa?$AAn?$AAR@LBKOJDO@:
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	[eax+eax+61h], cl
		add	[esi+0], ch
		insd
		add	[ecx+0], ah
		outsb
		add	[edx+0], dl
		add	gs:[eax+eax+69h], ah
		add	[edx+0], dh
		add	gs:[ebx+0], ah
		jz	short $+2
		outsd
		add	[edx+0], dh
; 
		dd 0
; 

??_C@_1BM@DJIALBME@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAv?$AAm?$AAs?$AAm?$AAb@LBKOJDO@:
					; DATA XREF: SbpStartLanman()+1EFo
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	[esi+0], dh
		insd
		add	[ebx+0], dh
		insd
		add	[edx+0], ah
; 
		dw 0
; 

??_C@_1O@ECMBHMMH@?$AA?2?$AAS?$AAi?$AAl?$AAo?$AAs@LBKOJDO@:
		pop	esp
		add	[ebx+0], dl
		imul	eax, [eax], 6F006Ch
		jnb	short $+2
; 
		dd 0

;  S U B	R O U T	I N E 


OpcodeESPrefix	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		or	dword ptr [esi+30h], 100h
		jmp	OpcodeGenericPrefix
OpcodeESPrefix	endp


;  S U B	R O U T	I N E 


OpcodeCSPrefix	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		or	dword ptr [esi+30h], 200h
		jmp	OpcodeGenericPrefix
OpcodeCSPrefix	endp


;  S U B	R O U T	I N E 


OpcodeSSPrefix	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		or	dword ptr [esi+30h], 400h
		jmp	OpcodeGenericPrefix
OpcodeSSPrefix	endp


;  S U B	R O U T	I N E 


OpcodeDSPrefix	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		or	dword ptr [esi+30h], 800h
		jmp	OpcodeGenericPrefix
OpcodeDSPrefix	endp


;  S U B	R O U T	I N E 


OpcodeFSPrefix	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		or	dword ptr [esi+30h], 1000h
		jmp	OpcodeGenericPrefix
OpcodeFSPrefix	endp


;  S U B	R O U T	I N E 


OpcodeGSPrefix	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		or	dword ptr [esi+30h], 2000h
		jmp	OpcodeGenericPrefix
OpcodeGSPrefix	endp


;  S U B	R O U T	I N E 


OpcodeOPER32Prefix proc	near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		or	dword ptr [esi+30h], 4000h
		jmp	OpcodeGenericPrefix
OpcodeOPER32Prefix endp


;  S U B	R O U T	I N E 


OpcodeADDR32Prefix proc	near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		or	dword ptr [esi+30h], 8000h
		jmp	OpcodeGenericPrefix
OpcodeADDR32Prefix endp


;  S U B	R O U T	I N E 


OpcodeLOCKPrefix proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		or	dword ptr [esi+30h], 10000h
		jmp	OpcodeGenericPrefix
OpcodeLOCKPrefix endp


;  S U B	R O U T	I N E 


OpcodeREPNEPrefix proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		or	dword ptr [esi+30h], 20000h
		jmp	OpcodeGenericPrefix
OpcodeREPNEPrefix endp


;  S U B	R O U T	I N E 


OpcodeREPPrefix	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		or	dword ptr [esi+30h], 40000h
		jmp	OpcodeGenericPrefix
OpcodeREPPrefix	endp


;  S U B	R O U T	I N E 


; __stdcall Ki386DispatchOpcode(x)
_Ki386DispatchOpcode@4 proc near	; CODE XREF: VdmDispatchOpcode_try(x)+13p

arg_0		= dword	ptr  8

		push	ebp
		mov	ebp, [esp+arg_0]
		sub	esp, 38h
		mov	esi, esp
		lea	eax, [esi+18h]
		push	eax
		lea	eax, [esi+1Ch]
		push	eax
		lea	eax, [esi+20h]
		push	eax
		push	dword ptr [ebp+6Ch]
		call	_Ki386GetSelectorParameters@16 ; Ki386GetSelectorParameters(x,x,x,x)
		or	al, al
		jz	loc_A471FE
		test	dword ptr [esi+20h], 4
		jz	short loc_A471FE
		test	dword ptr [esi+20h], 20h
		jz	short loc_A4719B
		shl	dword ptr [esi+18h], 0Ch
		or	dword ptr [esi+18h], 0FFFh

loc_A4719B:				; CODE XREF: Ki386DispatchOpcode(x)+36j
		mov	edi, [ebp+68h]
		cmp	edi, [esi+18h]
		ja	short loc_A471FE
		add	edi, [esi+1Ch]
		cmp	edi, ds:_MmUserProbeAddress
		ja	short loc_A471FE
		movzx	ecx, byte ptr [edi]
		mov	eax, ecx
		and	eax, 0F8h
		cmp	eax, 0D8h
		jz	short loc_A47202
		movzx	eax, ss:OpcodeIndex[ecx]
		mov	ebx, 1
		inc	ss:_ExVdmOpcodeDispatchCounts[eax*4]
		pusha
		push	ebp
		push	0
		push	eax
		push	1
		call	_VdmTraceEvent@16 ; VdmTraceEvent(x,x,x,x)
		popa
		call	ss:OpcodeDispatch[eax*4]
		pusha
		push	ebp
		push	1
		push	0
		push	1
		call	_VdmTraceEvent@16 ; VdmTraceEvent(x,x,x,x)
		popa

loc_A471F7:				; CODE XREF: Ki386DispatchOpcode(x)+A8j
					; Ki386DispatchOpcode(x)+AFj
		add	esp, 38h
		pop	ebp
		retn	4
; 

loc_A471FE:				; CODE XREF: Ki386DispatchOpcode(x)+20j
					; Ki386DispatchOpcode(x)+2Dj ...
		xor	eax, eax
		jmp	short loc_A471F7
; 

loc_A47202:				; CODE XREF: Ki386DispatchOpcode(x)+65j
		call	OpcodeNPXV86
		jmp	short loc_A471F7
_Ki386DispatchOpcode@4 endp


;  S U B	R O U T	I N E 


OpcodeInvalid	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj ...
		xor	eax, eax
		retn
OpcodeInvalid	endp


;  S U B	R O U T	I N E 


OpcodeGenericPrefix proc near		; CODE XREF: OpcodeESPrefix+7j
					; OpcodeCSPrefix+7j ...
		inc	edi
		inc	ebx
		cmp	bl, 80h
		ja	short loc_A4723F
		mov	eax, edi
		sub	eax, [esi+1Ch]
		cmp	eax, [esi+18h]
		ja	short loc_A4723F
		cmp	edi, ds:_MmHighestUserAddress
		ja	short loc_A4723F
		mov	cl, [edi]
		movzx	eax, ss:OpcodeIndex[ecx]
		inc	ss:_ExVdmOpcodeDispatchCounts[eax*4]
		jmp	ss:OpcodeDispatch[eax*4]
; 

loc_A4723F:				; CODE XREF: OpcodeGenericPrefix+5j
					; OpcodeGenericPrefix+Fj ...
		xor	eax, eax
		retn
OpcodeGenericPrefix endp


;  S U B	R O U T	I N E 


Opcode0F	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		mov	eax, [ebp+68h]
		mov	[esi+10h], eax
		mov	[esi+14h], ebp
		mov	[esi+30h], ebx
		mov	eax, [ebp+70h]
		mov	[esi+8], eax
		call	VdmOpcode0f
		test	eax, 0FFFFh
		jz	short locret_A4726B
		mov	eax, [esi+10h]
		mov	[ebp+68h], eax
		mov	eax, 1

locret_A4726B:				; CODE XREF: Opcode0F+1Cj
		retn
Opcode0F	endp


;  S U B	R O U T	I N E 


OpcodeINSB	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		push	ebp
		push	ebx
		movzx	eax, word ptr [ebp+30h]
		shl	eax, 10h
		mov	ax, [ebp+54h]
		push	eax
		xor	eax, eax
		mov	ecx, 1
		test	ebx, 40000h
		jz	short loc_A47292
		mov	eax, 1
		movzx	ecx, word ptr [ebp+3Ch]

loc_A47292:				; CODE XREF: OpcodeINSB+1Bj
		push	ecx
		push	1
		push	eax
		push	1
		movzx	edx, word ptr [ebp+38h]
		push	edx
		call	_Ki386VdmDispatchStringIo@32 ; Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)
		retn
OpcodeINSB	endp


;  S U B	R O U T	I N E 


OpcodeINSW	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		push	ebp
		push	ebx
		movzx	eax, word ptr [ebp+30h]
		shl	eax, 10h
		mov	ax, [ebp+54h]
		push	eax
		xor	eax, eax
		mov	ecx, 1
		test	ebx, 40000h
		jz	short loc_A472C9
		mov	eax, 1
		movzx	ecx, word ptr [ebp+3Ch]

loc_A472C9:				; CODE XREF: OpcodeINSW+1Bj
		movzx	edx, word ptr [ebp+38h]
		push	ecx
		push	1
		push	eax
		push	2
		push	edx
		call	_Ki386VdmDispatchStringIo@32 ; Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)
		retn
OpcodeINSW	endp


;  S U B	R O U T	I N E 


OpcodeOUTSB	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		push	ebp
		push	ebx
		movzx	eax, word ptr [ebp+34h]
		shl	eax, 10h
		mov	ax, [ebp+58h]
		push	eax
		xor	eax, eax
		mov	ecx, 1
		test	ebx, 40000h
		jz	short loc_A47300
		mov	eax, 1
		movzx	ecx, word ptr [ebp+3Ch]

loc_A47300:				; CODE XREF: OpcodeOUTSB+1Bj
		movzx	edx, word ptr [ebp+38h]
		push	ecx
		push	0
		push	eax
		push	1
		push	edx
		call	_Ki386VdmDispatchStringIo@32 ; Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)
		retn
OpcodeOUTSB	endp


;  S U B	R O U T	I N E 


OpcodeOUTSW	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		push	ebp
		push	ebx
		movzx	eax, word ptr [ebp+34h]
		shl	eax, 10h
		mov	ax, [ebp+58h]
		push	eax
		xor	eax, eax
		mov	ecx, 1
		test	ebx, 40000h
		jz	short loc_A47337
		mov	eax, 1
		movzx	ecx, word ptr [ebp+3Ch]

loc_A47337:				; CODE XREF: OpcodeOUTSW+1Bj
		movzx	edx, word ptr [ebp+38h]
		push	ecx
		push	0
		push	eax
		push	2
		push	edx
		call	_Ki386VdmDispatchStringIo@32 ; Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)
		retn
OpcodeOUTSW	endp


;  S U B	R O U T	I N E 


OpcodeINTnn	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...

var_4		= dword	ptr -4

		mov	eax, large ds:714h
		and	eax, 203h
		cmp	eax, 203h
		jnz	short loc_A47363
		call	VdmDispatchIntAck
		jmp	loc_A473EA
; 

loc_A47363:				; CODE XREF: OpcodeINTnn+Fj
		mov	eax, [ebp+70h]
		call	GetVirtualBits
		mov	[esi+8], eax
		movzx	eax, word ptr [ebp+78h]
		call	SsToLinear
		test	al, 0FFh
		jz	short loc_A473F0
		inc	edi
		mov	eax, edi
		sub	eax, [esi+1Ch]
		cmp	eax, [esi+18h]
		ja	short loc_A473F0
		cmp	edi, ds:_MmHighestUserAddress
		ja	short loc_A473F0
		movzx	ecx, byte ptr [edi]
		inc	eax
		mov	[esi+10h], eax
		call	PushInt
		test	al, 0FFh
		jz	short loc_A473F0
		mov	eax, [esi+4]
		mov	[ebp+74h], eax
		mov	ax, [esi+0Ch]
		or	ax, 7
		cmp	ax, 8
		jge	short loc_A473BF
		test	dword ptr [esi+8], 20000h
		jnz	short loc_A473BF
		mov	ax, 23h

loc_A473BF:				; CODE XREF: OpcodeINTnn+68j
					; OpcodeINTnn+71j
		mov	[ebp+6Ch], ax
		mov	eax, [esi+8]
		push	dword ptr [ebp+70h]
		mov	[ebp+70h], eax
		or	dword ptr [ebp+70h], 200h
		xor	eax, [esp+4+var_4]
		test	eax, 20000h
		pop	eax
		jz	short loc_A473E4
		push	ebp
		call	_Ki386AdjustEsp0@4 ; Ki386AdjustEsp0(x)

loc_A473E4:				; CODE XREF: OpcodeINTnn+94j
		mov	eax, [esi+10h]
		mov	[ebp+68h], eax

loc_A473EA:				; CODE XREF: OpcodeINTnn+16j
		mov	eax, 1
		retn
; 

loc_A473F0:				; CODE XREF: OpcodeINTnn+31j
					; OpcodeINTnn+3Cj ...
		xor	eax, eax
		retn
OpcodeINTnn	endp


;  S U B	R O U T	I N E 


OpcodeINTO	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		xor	eax, eax
		retn
OpcodeINTO	endp


;  S U B	R O U T	I N E 


OpcodeINBimm	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		inc	ebx
		inc	edi
		mov	eax, edi
		sub	eax, [esi+1Ch]
		cmp	eax, [esi+18h]
		ja	short loc_A4741A
		cmp	edi, ds:_MmHighestUserAddress
		ja	short loc_A4741A
		movzx	ecx, byte ptr [edi]
		push	ebp
		push	ebx
		push	1
		push	1
		push	ecx
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
; 

loc_A4741A:				; CODE XREF: OpcodeINBimm+Aj
					; OpcodeINBimm+12j
		xor	eax, eax
		retn
OpcodeINBimm	endp


;  S U B	R O U T	I N E 


OpcodeINWimm	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		inc	ebx
		inc	edi
		mov	eax, edi
		sub	eax, [esi+1Ch]
		cmp	eax, [esi+18h]
		ja	short loc_A47441
		cmp	edi, ds:_MmHighestUserAddress
		ja	short loc_A47441
		movzx	ecx, byte ptr [edi]
		push	ebp
		push	ebx
		push	1
		push	2
		push	ecx
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
; 

loc_A47441:				; CODE XREF: OpcodeINWimm+Aj
					; OpcodeINWimm+12j
		xor	eax, eax
		retn
OpcodeINWimm	endp


;  S U B	R O U T	I N E 


OpcodeOUTBimm	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		inc	ebx
		inc	edi
		mov	eax, edi
		sub	eax, [esi+1Ch]
		cmp	eax, [esi+18h]
		ja	short loc_A47468
		cmp	edi, ds:_MmHighestUserAddress
		ja	short loc_A47468
		movzx	ecx, byte ptr [edi]
		push	ebp
		push	ebx
		push	0
		push	1
		push	ecx
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
; 

loc_A47468:				; CODE XREF: OpcodeOUTBimm+Aj
					; OpcodeOUTBimm+12j
		xor	eax, eax
		retn
OpcodeOUTBimm	endp


;  S U B	R O U T	I N E 


OpcodeOUTWimm	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		inc	ebx
		inc	edi
		mov	eax, edi
		sub	eax, [esi+1Ch]
		cmp	eax, [esi+18h]
		ja	short loc_A4748F
		cmp	edi, ds:_MmHighestUserAddress
		ja	short loc_A4748F
		movzx	ecx, byte ptr [edi]
		push	ebp
		push	ebx
		push	0
		push	2
		push	ecx
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
; 

loc_A4748F:				; CODE XREF: OpcodeOUTWimm+Aj
					; OpcodeOUTWimm+12j
		xor	eax, eax
		retn
OpcodeOUTWimm	endp


;  S U B	R O U T	I N E 


OpcodeINB	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		movzx	eax, word ptr [ebp+38h]
		cmp	eax, 3BDh
		jz	short loc_A474B8
		cmp	eax, 379h
		jz	short loc_A474B8
		cmp	eax, 279h
		jz	short loc_A474B8

loc_A474AB:				; CODE XREF: OpcodeINB+35j
		push	ebp
		push	ebx
		push	1
		push	1
		push	eax
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
; 

loc_A474B8:				; CODE XREF: OpcodeINB+9j
					; OpcodeINB+10j ...
		movzx	ebx, bl
		push	eax
		push	ebp
		push	ebx
		push	eax
		call	_VdmPrinterStatus@12 ; VdmPrinterStatus(x,x,x)
		or	al, al
		pop	eax
		jz	short loc_A474AB
		mov	al, 1
		retn
OpcodeINB	endp


;  S U B	R O U T	I N E 


OpcodeINW	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		movzx	eax, word ptr [ebp+38h]
		push	ebp
		push	ebx
		push	1
		push	2
		push	eax
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
OpcodeINW	endp


;  S U B	R O U T	I N E 


OpcodeOUTB	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		movzx	eax, word ptr [ebp+38h]
		cmp	eax, 3BCh
		jz	short loc_A47503
		cmp	eax, 378h
		jz	short loc_A47503
		cmp	eax, 278h
		jz	short loc_A47503

loc_A474F6:				; CODE XREF: OpcodeOUTB+35j
		push	ebp
		push	ebx
		push	0
		push	1
		push	eax
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
; 

loc_A47503:				; CODE XREF: OpcodeOUTB+9j
					; OpcodeOUTB+10j ...
		movzx	ebx, bl
		push	eax
		push	ebp
		push	ebx
		push	eax
		call	_VdmPrinterWriteData@12	; VdmPrinterWriteData(x,x,x)
		or	al, al
		pop	eax
		jz	short loc_A474F6
		mov	al, 1
		retn
OpcodeOUTB	endp


;  S U B	R O U T	I N E 


OpcodeOUTW	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		movzx	eax, word ptr [ebp+38h]
		push	ebp
		push	ebx
		push	0
		push	2
		push	eax
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
OpcodeOUTW	endp


;  S U B	R O U T	I N E 


OpcodeCLI	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		mov	eax, large ds:714h
		and	eax, 203h
		cmp	eax, 203h
		jnz	short loc_A47540
		call	VdmDispatchIntAck
		jmp	short loc_A47557
; 

loc_A47540:				; CODE XREF: OpcodeCLI+Fj
		mov	eax, [ebp+70h]
		and	eax, 0FFFFFDFFh
		call	SetVirtualBits
		inc	dword ptr [ebp+68h]
		push	0
		call	_VdmSetPMCliTimeStamp@4	; VdmSetPMCliTimeStamp(x)

loc_A47557:				; CODE XREF: OpcodeCLI+16j
		mov	eax, 1
		retn
OpcodeCLI	endp


;  S U B	R O U T	I N E 


OpcodeSTI	proc near		; CODE XREF: Ki386DispatchOpcode(x)+89p
					; OpcodeGenericPrefix+2Bj
					; DATA XREF: ...
		call	_VdmClearPMCliTimeStamp@0 ; VdmClearPMCliTimeStamp()
		mov	eax, [ebp+70h]
		or	eax, 200h
		call	SetVirtualBits
		inc	dword ptr [ebp+68h]
		mov	eax, large ds:714h
		test	eax, 3
		jz	short loc_A47583
		call	VdmDispatchIntAck

loc_A47583:				; CODE XREF: OpcodeSTI+1Fj
		mov	eax, 1
		retn
OpcodeSTI	endp


;  S U B	R O U T	I N E 


CheckVdmFlags	proc near		; CODE XREF: PushException+31Ep
		mov	eax, [esi+8]
		and	eax, 20000h
		test	eax, 20000h
		jz	short loc_A475B1
		test	_KeI386VirtualIntExtensions, 1
		jz	short loc_A475B1
		mov	edx, ecx
		and	edx, 200h
		shl	edx, 0Ah
		or	eax, edx

loc_A475B1:				; CODE XREF: CheckVdmFlags+Dj
					; CheckVdmFlags+19j
		or	ecx, 200h
		and	ecx, 0FFE58FFFh
		or	ecx, eax
		retn
CheckVdmFlags	endp


;  S U B	R O U T	I N E 


GetVirtualBits	proc near		; CODE XREF: OpcodeINTnn+1Ep
					; Ki386VdmSegmentNotPresent()+AFp ...
		push	ebp
		push	edx
		push	ebx
		push	esi
		push	edi
		test	eax, 20000h
		jz	short loc_A475FE
		test	_KeI386VirtualIntExtensions, 1
		jz	short loc_A475FE
		mov	ecx, eax
		and	ecx, 80000h
		shr	ecx, 0Ah
		and	eax, 0FFFFFDFFh
		or	eax, ecx
		call	sub_A4761B
		and	ecx, 40000h
		and	eax, 0FFFBFFFFh
		or	eax, ecx
		jmp	short loc_A47610
; 

loc_A475FE:				; CODE XREF: GetVirtualBits+Aj
					; GetVirtualBits+16j
		and	eax, 0FFFFFDFFh
		call	sub_A4761B
		and	ecx, 40200h
		or	eax, ecx

loc_A47610:				; CODE XREF: GetVirtualBits+3Cj
		or	eax, 3000h
		pop	edi
		pop	esi
		pop	ebx
		pop	edx
		pop	ebp
		retn
GetVirtualBits	endp


;  S U B	R O U T	I N E 


sub_A4761B	proc near		; CODE XREF: GetVirtualBits+2Ap
					; GetVirtualBits+43p
		push	eax
		push	offset GetVirtualBits_Handler
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		mov	ecx, large ds:714h

loc_A47635:				; CODE XREF: GetVirtualBits_Handler+6j
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	eax
		retn
sub_A4761B	endp


;  S U B	R O U T	I N E 


GetVirtualBits_Handler proc near	; DATA XREF: sub_A4761B+1o

arg_4		= dword	ptr  8

		mov	esp, [esp+arg_4]
		xor	ecx, ecx
		jmp	short loc_A47635
GetVirtualBits_Handler endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SetVirtualBits	proc near		; CODE XREF: OpcodeCLI+20p
					; OpcodeSTI+Dp	...

var_4		= dword	ptr -4

		push	ebp
		push	edx
		push	ebx
		push	esi
		push	edi
		push	offset SetVirtualBits_Handler
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		mov	ebp, esp
		sub	esp, 4
		mov	[ebp+var_4], eax
		lea	edx, large ds:714h
		and	eax, 200h
		lock and dword ptr [edx], 0FFFFFDFFh
		lock or	[edx], eax
		test	ebx, 4000h
		jz	short loc_A47698
		mov	eax, [ebp+var_4]
		and	eax, 40000h
		lock and dword ptr [edx], 0FFFBFFFFh
		lock or	[edx], eax

loc_A47698:				; CODE XREF: SetVirtualBits+3Bj
		mov	esp, ebp

loc_A4769A:				; CODE XREF: SetVirtualBits_Handler+4j
		pop	large dword ptr	fs:0
		lea	esp, [esp+4]
		pop	edi
		pop	esi
		pop	ebx
		pop	edx
		pop	ebp
		retn
SetVirtualBits	endp ; sp =  8


;  S U B	R O U T	I N E 


SetVirtualBits_Handler proc near	; DATA XREF: SetVirtualBits+5o

arg_4		= dword	ptr  8

		mov	esp, [esp+arg_4]
		jmp	short loc_A4769A
SetVirtualBits_Handler endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Ki386VdmReflectException(x)
_Ki386VdmReflectException@4 proc near	; CODE XREF: V86_kit6_a+2C1p
					; V86_kit6_a+800p ...

var_60		= dword	ptr -60h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
arg_4		= word ptr  8
arg_64		= dword	ptr  68h

		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	dword ptr [eax+0F4h], 0
		jnz	short loc_A476CE
		xor	eax, eax
		retn	4
; 

loc_A476CE:				; CODE XREF: Ki386VdmReflectException(x)+13j
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		pusha
		lea	esi, large ds:714h
		push	esi
		call	_VdmFetchULONG@4 ; VdmFetchULONG(x)
		test	eax, 8
		jz	short loc_A47710
		mov	ebx, 10h
		cmp	[ebp+arg_4], 0Ch
		jz	short loc_A47700
		mov	ebx, 7
		cmp	[ebp+arg_4], 0Dh
		jnz	short loc_A47710

loc_A47700:				; CODE XREF: Ki386VdmReflectException(x)+3Ej
		test	eax, 4000h
		jnz	loc_A4788F
		jmp	loc_A47871
; 

loc_A47710:				; CODE XREF: Ki386VdmReflectException(x)+32j
					; Ki386VdmReflectException(x)+4Aj
		test	eax, 10h
		jz	short loc_A4774F
		mov	ebx, 5
		cmp	[ebp+arg_4], 1
		jnz	short loc_A47733
		test	eax, 4000h
		jnz	loc_A4788F
		jmp	loc_A4782B
; 

loc_A47733:				; CODE XREF: Ki386VdmReflectException(x)+6Dj
		mov	ebx, 6
		cmp	[ebp+arg_4], 3
		jnz	short loc_A4774F
		test	eax, 4000h
		jnz	loc_A4788F
		jmp	loc_A47850
; 

loc_A4774F:				; CODE XREF: Ki386VdmReflectException(x)+61j
					; Ki386VdmReflectException(x)+89j
		mov	esi, [ebp+0]
		cmp	word ptr [esi+6Ch], 1Bh
		jz	loc_A4781A
		cmp	[ebp+arg_4], 0Bh
		jnz	short loc_A4776B
		inc	ss:_ExVdmSegmentNotPresent

loc_A4776B:				; CODE XREF: Ki386VdmReflectException(x)+AEj
		mov	[ebp+var_24], esi
		mov	eax, [esi+78h]
		mov	[ebp+var_38], eax
		mov	eax, [esi+74h]
		mov	[ebp+var_34], eax
		mov	eax, [esi+70h]
		mov	[ebp+var_30], eax
		mov	eax, [esi+68h]
		mov	[ebp+var_28], eax
		mov	eax, [esi+6Ch]
		mov	[ebp+var_2C], eax
		lea	esi, [ebp+var_38]
		call	CsToLinear
		test	al, 0FFh
		jz	loc_A47826
		mov	eax, [esi]
		call	SsToLinear
		test	al, 0FFh
		jz	short loc_A47826
		mov	ecx, dword ptr [ebp+arg_4]
		call	PushException
		test	al, 0FFh
		jz	short loc_A47826
		mov	esi, [ebp+var_24]
		mov	eax, [ebp+var_34]
		mov	[esi+74h], eax
		xor	bl, bl
		test	dword ptr [esi+70h], 20000h
		jnz	short loc_A477C9
		mov	bl, 7

loc_A477C9:				; CODE XREF: Ki386VdmReflectException(x)+111j
		mov	eax, [ebp+var_38]
		or	al, bl
		mov	[esi+78h], eax
		mov	eax, [ebp+var_30]
		push	dword ptr [esi+70h]
		mov	[esi+70h], eax
		xor	eax, [esp+60h+var_60]
		test	eax, 20000h
		pop	eax
		jz	short loc_A477EB
		push	esi
		call	_Ki386AdjustEsp0@4 ; Ki386AdjustEsp0(x)

loc_A477EB:				; CODE XREF: Ki386VdmReflectException(x)+12Fj
		mov	eax, [ebp+var_2C]
		or	al, bl
		cmp	eax, 8
		jnb	short loc_A47803
		test	dword ptr [esi+70h], 20000h
		jnz	short loc_A47803
		mov	eax, 1Bh

loc_A47803:				; CODE XREF: Ki386VdmReflectException(x)+13Fj
					; Ki386VdmReflectException(x)+148j
		mov	[esi+6Ch], eax
		mov	eax, [ebp+var_28]
		mov	[esi+68h], eax
		cmp	[ebp+arg_4], 1
		jnz	short loc_A4781A
		and	dword ptr [esi+70h], 0FFFFFEFFh

loc_A4781A:				; CODE XREF: Ki386VdmReflectException(x)+A3j
					; Ki386VdmReflectException(x)+15Dj ...
		popa
		mov	eax, 1

loc_A47820:				; CODE XREF: Ki386VdmReflectException(x)+175j
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_A47826:				; CODE XREF: Ki386VdmReflectException(x)+E2j
					; Ki386VdmReflectException(x)+F1j ...
		popa
		xor	eax, eax
		jmp	short loc_A47820
; 

loc_A4782B:				; CODE XREF: Ki386VdmReflectException(x)+7Aj
		mov	eax, [ebp+0]
		and	dword ptr [eax+70h], 0FFFFFEFFh
		mov	eax, [ebp+arg_64]
		push	0
		push	0
		push	0
		push	0
		push	eax
		push	80000004h
		push	dword ptr [ebp+0]
		call	_VdmDispatchException@28 ; VdmDispatchException(x,x,x,x,x,x,x)
		jmp	short loc_A4781A
; 

loc_A47850:				; CODE XREF: Ki386VdmReflectException(x)+96j
		mov	eax, 0
		mov	ebx, [ebp+0]
		mov	ebx, [ebx+68h]
		dec	ebx
		push	edx
		push	ecx
		push	eax
		push	3
		push	ebx
		push	80000003h
		push	dword ptr [ebp+0]
		call	_VdmDispatchException@28 ; VdmDispatchException(x,x,x,x,x,x,x)
		jmp	short loc_A4781A
; 

loc_A47871:				; CODE XREF: Ki386VdmReflectException(x)+57j
		mov	eax, [ebp+0]
		mov	eax, [eax+68h]
		push	0
		push	0FFFFFFFFh
		push	0
		push	2
		push	eax
		push	0C0000005h
		push	dword ptr [ebp+0]
		call	_VdmDispatchException@28 ; VdmDispatchException(x,x,x,x,x,x,x)
		jmp	short loc_A4781A
; 

loc_A4788F:				; CODE XREF: Ki386VdmReflectException(x)+51j
					; Ki386VdmReflectException(x)+74j ...
		mov	eax, [ebp+0]
		cmp	ebx, 5
		jnz	short loc_A4789E
		and	dword ptr [eax+70h], 0FFFFFEFFh

loc_A4789E:				; CODE XREF: Ki386VdmReflectException(x)+1E1j
		mov	eax, [eax+68h]
		push	0
		push	0
		push	ebx
		push	1
		push	eax
		push	40000005h
		push	dword ptr [ebp+0]
		call	_VdmDispatchException@28 ; VdmDispatchException(x,x,x,x,x,x,x)
		jmp	loc_A4781A
_Ki386VdmReflectException@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall Ki386VdmSegmentNotPresent()
_Ki386VdmSegmentNotPresent@0 proc near	; CODE XREF: V86_kitb_a+2ECp
		mov	edi, large fs:18h
		mov	ecx, 0B0h
		push	ebp
		push	offset VdmSegNotPres_ExceptionHandler
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		mov	edi, [edi+0F18h]
		xor	ebx, ebx
		cmp	edi, ds:_MmUserProbeAddress
		jnb	short loc_A47906
		lea	esi, [edi+634h]
		mov	edi, [edi+8]
		lea	edi, [edi+ecx]
		cmp	edi, ds:_MmUserProbeAddress
		jnb	short loc_A47906
		cmp	word ptr [esi],	0
		jz	short loc_A4791F

loc_A47906:				; CODE XREF: Ki386VdmSegmentNotPresent()+2Ej
					; Ki386VdmSegmentNotPresent()+42j ...
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	ebp
		pop	eax
		push	0Bh
		push	eax
		jmp	_Ki386VdmReflectException@4 ; Ki386VdmReflectException(x)
; 

loc_A4791A:				; CODE XREF: Ki386VdmSegmentNotPresent()+9Bj
		add	esp, 3Ch
		jmp	short loc_A47906
; 

loc_A4791F:				; CODE XREF: Ki386VdmSegmentNotPresent()+48j
		inc	ss:_ExVdmSegmentNotPresent
		inc	word ptr [esi]
		mov	eax, [ebp+68h]
		mov	[esi+0Ch], eax
		mov	eax, [ebp+74h]
		mov	[esi+8], eax
		mov	ax, [ebp+78h]
		mov	[esi+6], ax
		movzx	eax, word ptr [esi+4]
		sub	esp, 38h
		push	esi
		mov	esi, esp
		add	esi, 4
		mov	ecx, [ebp+70h]
		mov	[esi+8], ecx
		call	SsToLinear
		test	al, 0FFh
		jz	short loc_A4791A
		mov	ebx, [esi+28h]
		pop	esi
		add	esp, 38h
		cmp	ebx, ds:_MmUserProbeAddress
		jnb	short loc_A47906
		mov	eax, [ebp+70h]
		call	GetVirtualBits
		push	esi
		mov	edx, 0FE0h
		test	word ptr [esi+2], 1
		jz	short loc_A479BA
		sub	edx, 20h
		add	edx, ebx
		mov	esi, [ebp+74h]
		mov	ecx, [ebp+78h]
		mov	[edx+14h], eax
		mov	[edx+18h], esi
		mov	[edx+1Ch], ecx
		mov	ecx, [ebp+6Ch]
		mov	eax, [ebp+68h]
		mov	esi, [ebp+64h]
		mov	[edx+10h], ecx
		mov	[edx+0Ch], eax
		mov	[edx+8], esi
		pop	esi
		mov	ecx, [esi+1Ch]
		mov	eax, ecx
		shr	eax, 10h
		and	ecx, 0FFFFh
		mov	[edx+4], eax
		mov	[edx], ecx
		jmp	short loc_A479F6
; 

loc_A479BA:				; CODE XREF: Ki386VdmSegmentNotPresent()+C0j
		sub	edx, 10h
		add	edx, ebx
		mov	esi, [ebp+74h]
		mov	ecx, [ebp+78h]
		mov	[edx+0Ah], ax
		mov	[edx+0Ch], si
		mov	[edx+0Eh], cx
		mov	ecx, [ebp+6Ch]
		mov	eax, [ebp+68h]
		mov	esi, [ebp+64h]
		mov	[edx+8], cx
		mov	[edx+6], ax
		mov	[edx+4], si
		pop	esi
		mov	ecx, [esi+18h]
		mov	eax, ecx
		shr	eax, 10h
		mov	[edx+2], ax
		mov	[edx], cx

loc_A479F6:				; CODE XREF: Ki386VdmSegmentNotPresent()+FCj
		mov	eax, [edi+4]
		sub	edx, ebx
		mov	cx, [edi]
		mov	bx, [esi+4]
		test	dword ptr [edi+0Ch], 1
		jz	short loc_A47A1F
		lea	esi, large ds:714h
		lock and dword ptr [esi], 0FFFFFDFFh
		and	dword ptr [ebp+70h], 0FFF7FFFFh

loc_A47A1F:				; CODE XREF: Ki386VdmSegmentNotPresent()+14Dj
		or	cx, 7
		or	bx, 7
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_A47A3A
		cmp	cx, 8
		jge	short loc_A47A3A
		mov	cx, 1Bh

loc_A47A3A:				; CODE XREF: Ki386VdmSegmentNotPresent()+172j
					; Ki386VdmSegmentNotPresent()+178j
		mov	[ebp+6Ch], cx
		mov	[ebp+68h], eax
		mov	[ebp+74h], edx
		mov	[ebp+78h], bx
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	ebp
		mov	eax, 1
		retn
_Ki386VdmSegmentNotPresent@0 endp


;  S U B	R O U T	I N E 


VdmSegNotPres_ExceptionHandler proc near ; DATA	XREF: Ki386VdmSegmentNotPresent()+Do

arg_4		= dword	ptr  8

		mov	esp, [esp+arg_4]
		jmp	loc_A47906
VdmSegNotPres_ExceptionHandler endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VdmDispatchException(x, x, x, x, x,	x, x)
_VdmDispatchException@28 proc near	; CODE XREF: Ki386VdmReflectException(x)+195p
					; Ki386VdmReflectException(x)+1B6p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		push	ebp
		mov	ebp, esp
		pusha
		mov	ecx, 0
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+arg_4]
		mov	ebx, [ebp+arg_8]
		mov	ecx, [ebp+arg_C]
		mov	edx, [ebp+arg_10]
		mov	esi, [ebp+arg_14]
		mov	ebp, [ebp+arg_0]
		push	[ebp+arg_18]
		mov	edi, ebp
		sub	edi, 80h
		and	edi, 0FFFFFFF0h
		cmp	[ebp+arg_4+3], 2
		jnz	short loc_A47A9B
		xor	edi, edi

loc_A47A9B:				; CODE XREF: VdmDispatchException(x,x,x,x,x,x,x)+33j
		call	KiDispatchTrapException
		popa
		pop	ebp
		retn	1Ch
_VdmDispatchException@28 endp ;	sp = -4


;  S U B	R O U T	I N E 


PushInt		proc near		; CODE XREF: OpcodeINTnn+4Dp
		push	ebx
		push	edi
		mov	eax, large fs:18h
		push	esi
		push	ebp
		push	offset PushIntExceptionHandler
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		mov	eax, [eax+0F18h]
		cmp	eax, ds:_MmUserProbeAddress
		jnb	loc_A47BF9
		mov	eax, [eax+4]
		lea	eax, [eax+ecx*8]
		cmp	eax, ds:_MmUserProbeAddress
		jnb	loc_A47BF9
		mov	edi, [ebp+74h]
		test	dword ptr [esi+2Ch], 8
		jnz	short loc_A47AF5
		movzx	edi, di

loc_A47AF5:				; CODE XREF: PushInt+4Bj
		test	dword ptr [eax+2], 2
		jz	short loc_A47B0F
		cmp	edi, 0Ch
		jb	loc_A47BF9
		sub	edi, 0Ch
		mov	[esi+4], edi
		jmp	short loc_A47B1E
; 

loc_A47B0F:				; CODE XREF: PushInt+57j
		cmp	edi, 6
		jb	loc_A47BF9
		sub	edi, 6
		mov	[esi+4], edi

loc_A47B1E:				; CODE XREF: PushInt+68j
		test	dword ptr [esi+2Ch], 10h
		jz	short loc_A47B32
		cmp	edi, [esi+24h]
		jbe	loc_A47BF9
		jmp	short loc_A47B3B
; 

loc_A47B32:				; CODE XREF: PushInt+80j
		cmp	edi, [esi+24h]
		jnb	loc_A47BF9

loc_A47B3B:				; CODE XREF: PushInt+8Bj
		mov	ebx, [esi+28h]
		lea	ebx, [ebx+edi]
		cmp	ebx, ds:_MmUserProbeAddress
		jnb	loc_A47BF9
		test	dword ptr [eax+2], 2
		jz	short loc_A47B71
		mov	edx, [esi+10h]
		mov	[ebx], edx
		mov	dx, [ebp+6Ch]
		mov	[ebx+4], edx
		push	eax
		mov	eax, [esi+8]
		call	GetVirtualBits
		mov	[ebx+8], eax
		pop	eax
		jmp	short loc_A47B8E
; 

loc_A47B71:				; CODE XREF: PushInt+AFj
		mov	dx, [esi+10h]
		mov	[ebx], dx
		mov	dx, [ebp+6Ch]
		mov	[ebx+2], dx
		push	eax
		mov	eax, [esi+8]
		call	GetVirtualBits
		mov	[ebx+4], ax
		pop	eax

loc_A47B8E:				; CODE XREF: PushInt+CAj
		mov	ebx, eax
		mov	dx, [eax]
		mov	[esi+0Ch], dx
		mov	edx, [eax+4]
		mov	[esi+10h], edx
		movzx	eax, word ptr [esi+0Ch]
		call	CsToLinear
		test	al, 0FFh
		jnz	short loc_A47BB7
		test	dword ptr [esi+20h], 40h
		jz	short loc_A47BF9
		mov	al, 0FFh
		jmp	short loc_A47BBF
; 

loc_A47BB7:				; CODE XREF: PushInt+103j
		mov	edx, [esi+10h]
		cmp	edx, [esi+18h]
		jnb	short loc_A47BF9

loc_A47BBF:				; CODE XREF: PushInt+110j
		and	dword ptr [esi+8], 0FFFFFEFFh
		test	dword ptr [ebx+2], 1
		jz	short loc_A47BDC
		lea	ebx, large ds:714h
		lock and dword ptr [ebx], 0FFFFFDFFh

loc_A47BDC:				; CODE XREF: PushInt+128j
		and	dword ptr [esi+8], 0FFFD8FFFh
		or	dword ptr [esi+8], 200h

loc_A47BEA:				; CODE XREF: PushInt+156j
					; PushIntExceptionHandler+6j
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	ebp
		pop	esi
		pop	edi
		pop	ebx
		retn
; 

loc_A47BF9:				; CODE XREF: PushInt+29j PushInt+3Bj ...
		xor	eax, eax
		jmp	short loc_A47BEA
PushInt		endp


;  S U B	R O U T	I N E 


PushIntExceptionHandler	proc near	; DATA XREF: PushInt+Ao

arg_4		= dword	ptr  8

		mov	esp, [esp+arg_4]
		xor	eax, eax
		jmp	short loc_A47BEA
PushIntExceptionHandler	endp


;  S U B	R O U T	I N E 


CsToLinear	proc near		; CODE XREF: Ki386VdmReflectException(x)+DBp
					; PushInt+FCp ...
		test	dword ptr [esi+8], 20000h
		jz	short loc_A47C28
		shl	eax, 4
		mov	[esi+1Ch], eax
		mov	dword ptr [esi+18h], 0FFFFh
		mov	dword ptr [esi+20h], 0
		mov	eax, 1
		retn
; 

loc_A47C28:				; CODE XREF: CsToLinear+7j
		push	edx
		lea	edx, [esi+18h]
		push	edx
		lea	edx, [esi+1Ch]
		push	edx
		lea	edx, [esi+20h]
		push	edx
		push	eax
		call	_Ki386GetSelectorParameters@16 ; Ki386GetSelectorParameters(x,x,x,x)
		pop	edx
		or	al, al
		jz	short loc_A47C63
		test	dword ptr [esi+20h], 4
		jz	short loc_A47C63
		test	dword ptr [esi+20h], 20h
		jz	short loc_A47C5D
		shl	dword ptr [esi+18h], 0Ch
		or	dword ptr [esi+18h], 0FFFh

loc_A47C5D:				; CODE XREF: CsToLinear+4Bj
		mov	eax, 1
		retn
; 

loc_A47C63:				; CODE XREF: CsToLinear+39j
					; CsToLinear+42j
		xor	eax, eax
		retn
CsToLinear	endp


;  S U B	R O U T	I N E 


CheckEip	proc near		; CODE XREF: VdmOpcode0f+7p
					; VdmOpcodeLmsw+9p ...
		mov	eax, [esi+10h]
		test	dword ptr [esi+8], 20000h
		jz	short loc_A47C7A
		and	eax, [esi+18h]
		mov	[esi+10h], eax
		jmp	short loc_A47C7F
; 

loc_A47C7A:				; CODE XREF: CheckEip+Aj
		cmp	eax, [esi+18h]
		ja	short loc_A47C85

loc_A47C7F:				; CODE XREF: CheckEip+12j
		mov	eax, 1

locret_A47C84:				; CODE XREF: CheckEip+21j
		retn
; 

loc_A47C85:				; CODE XREF: CheckEip+17j
		xor	eax, eax
		jmp	short locret_A47C84
CheckEip	endp


;  S U B	R O U T	I N E 


SsToLinear	proc near		; CODE XREF: OpcodeINTnn+2Ap
					; Ki386VdmReflectException(x)+EAp ...
		test	dword ptr [esi+8], 20000h
		jz	short loc_A47CAC
		shl	eax, 4
		mov	[esi+28h], eax
		mov	dword ptr [esi+24h], 0FFFFh
		mov	dword ptr [esi+2Ch], 0
		mov	eax, 1
		retn
; 

loc_A47CAC:				; CODE XREF: SsToLinear+7j
		push	ecx
		lea	ecx, [esi+24h]
		push	ecx
		lea	ecx, [esi+28h]
		push	ecx
		lea	ecx, [esi+2Ch]
		push	ecx
		push	eax
		call	_Ki386GetSelectorParameters@16 ; Ki386GetSelectorParameters(x,x,x,x)
		pop	ecx
		or	al, al
		jz	short loc_A47CEA
		test	dword ptr [esi+2Ch], 2
		jz	short loc_A47CEA
		test	dword ptr [esi+2Ch], 20h
		jz	short loc_A47CE4
		mov	eax, [esi+24h]
		shl	eax, 0Ch
		or	eax, 0FFFh
		mov	[esi+24h], eax

loc_A47CE4:				; CODE XREF: SsToLinear+4Bj
		mov	eax, 1

locret_A47CE9:				; CODE XREF: SsToLinear+63j
		retn
; 

loc_A47CEA:				; CODE XREF: SsToLinear+39j
					; SsToLinear+42j
		xor	eax, eax
		jmp	short locret_A47CE9
SsToLinear	endp


;  S U B	R O U T	I N E 


CheckEsp	proc near		; CODE XREF: PushException+123p
					; PushException+1D2p
		mov	eax, [esi+4]
		test	dword ptr [esi+8], 20000h
		jz	short loc_A47D02
		and	eax, [esi+24h]
		mov	[esi+4], eax
		jmp	short loc_A47D2C
; 

loc_A47D02:				; CODE XREF: CheckEsp+Aj
		test	dword ptr [esi+2Ch], 8
		jnz	short loc_A47D10
		and	eax, 0FFFFh

loc_A47D10:				; CODE XREF: CheckEsp+1Bj
		cmp	ecx, eax
		ja	short loc_A47D32
		dec	eax
		test	dword ptr [esi+2Ch], 10h
		jz	short loc_A47D27
		sub	eax, ecx
		cmp	eax, [esi+24h]
		jb	short loc_A47D32
		jmp	short loc_A47D2C
; 

loc_A47D27:				; CODE XREF: CheckEsp+2Ej
		cmp	eax, [esi+24h]
		ja	short loc_A47D32

loc_A47D2C:				; CODE XREF: CheckEsp+12j CheckEsp+37j
		mov	eax, 1

locret_A47D31:				; CODE XREF: CheckEsp+46j
		retn
; 

loc_A47D32:				; CODE XREF: CheckEsp+24j CheckEsp+35j ...
		xor	eax, eax
		jmp	short locret_A47D31
CheckEsp	endp


;  S U B	R O U T	I N E 


SwitchToHandlerStack proc near		; CODE XREF: PushException+CDp
		push	ebx
		push	esi
		push	edi
		push	ebp
		push	offset SwitchToHandlerStack_fault
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		cmp	word ptr [edi],	0
		jnz	short loc_A47D9F
		mov	eax, [esi+10h]
		mov	[edi+0Ch], eax
		mov	eax, [esi+4]
		mov	[edi+8], eax
		mov	eax, [esi]
		mov	[edi+6], ax
		movzx	eax, word ptr [edi+4]
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	ebp
		mov	[esi], eax
		mov	dword ptr [esi+4], 1000h
		movzx	eax, word ptr [esi]
		push	ecx
		call	SsToLinear
		pop	ecx
		test	al, 0FFh
		jz	short loc_A47DB4
		push	ebp
		push	offset SwitchToHandlerStack_fault
		push	large dword ptr	fs:0
		mov	large fs:0, esp

loc_A47D9F:				; CODE XREF: SwitchToHandlerStack+1Bj
		inc	word ptr [edi]
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	ebp
		mov	eax, 1
		jmp	short loc_A47DB6
; 

loc_A47DB4:				; CODE XREF: SwitchToHandlerStack+53j
					; SwitchToHandlerStack_fault+Fj
		xor	eax, eax

loc_A47DB6:				; CODE XREF: SwitchToHandlerStack+7Cj
		pop	edi
		pop	esi
		pop	ebx
		retn
SwitchToHandlerStack endp


;  S U B	R O U T	I N E 


SwitchToHandlerStack_fault proc	near	; DATA XREF: SwitchToHandlerStack+4o
					; SwitchToHandlerStack+56o

arg_4		= dword	ptr  8

		mov	esp, [esp+arg_4]
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	ebp
		jmp	short loc_A47DB4
SwitchToHandlerStack_fault endp


;  S U B	R O U T	I N E 


GetHandlerAddress proc near		; CODE XREF: PushException:loc_A480B6p
		push	ebp
		push	ebx
		push	esi
		push	edi
		push	ecx
		push	edx
		push	offset GetHandlerAddress_fault
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		mov	eax, 10h
		mul	ecx
		mov	edi, large fs:18h
		mov	edi, [edi+0F18h]
		cmp	edi, ds:_MmUserProbeAddress
		jnb	short loc_A47E20
		mov	edi, [edi+8]
		cmp	edi, ds:_MmUserProbeAddress
		jnb	short loc_A47E20
		movzx	ecx, word ptr [edi+eax]
		mov	[esi+0Ch], ecx
		mov	ecx, [edi+eax+4]
		mov	[esi+10h], ecx
		mov	eax, 1
		jmp	short loc_A47E22
; 

loc_A47E20:				; CODE XREF: GetHandlerAddress+33j
					; GetHandlerAddress+3Ej ...
		xor	eax, eax

loc_A47E22:				; CODE XREF: GetHandlerAddress+53j
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	edx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
GetHandlerAddress endp


;  S U B	R O U T	I N E 


GetHandlerAddress_fault	proc near	; DATA XREF: GetHandlerAddress+6o

arg_4		= dword	ptr  8

		mov	esp, [esp+arg_4]
		jmp	short loc_A47E20
GetHandlerAddress_fault	endp


;  S U B	R O U T	I N E 


PushException	proc near		; CODE XREF: Ki386VdmReflectException(x)+F6p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		push	ebx
		push	edi
		push	esi
		test	dword ptr [esi+8], 20000h
		jz	short loc_A47EC2
		cmp	ecx, 7
		ja	loc_A48172
		mov	edx, [esi+4]
		mov	ebx, [esi+28h]
		and	edx, 0FFFFh
		sub	dx, 2
		mov	eax, [esi+8]
		push	ecx
		call	GetVirtualBits
		pop	ecx
		push	ebp
		push	esp
		push	offset perr_fault
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		mov	[ebx+edx], ax
		sub	dx, 2
		mov	ax, [esi+0Ch]
		mov	[ebx+edx], ax
		sub	dx, 2
		mov	ax, [esi+10h]
		mov	[ebx+edx], ax
		mov	eax, ds:0[ecx*4]
		pop	large dword ptr	fs:0
		add	esp, 8
		pop	ebp
		push	eax
		movzx	eax, ax
		mov	[esi+10h], eax
		pop	eax
		shr	eax, 10h
		mov	[esi+0Ch], eax
		mov	[esi+4], dx
		jmp	loc_A480C3
; 

loc_A47EC2:				; CODE XREF: PushException+Aj
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		push	ebp
		push	esp
		push	offset perr1_fault
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		mov	edi, large fs:18h
		mov	edi, [edi+0F18h]
		pop	large dword ptr	fs:0
		add	esp, 8
		pop	ebp
		cmp	edi, ds:_MmUserProbeAddress
		jnb	loc_A4816F
		lea	edi, [edi+634h]
		call	SwitchToHandlerStack
		test	al, 0FFh
		jz	loc_A4816F
		sub	dword ptr [esi+4], 20h
		mov	ebx, [esi+28h]
		mov	edx, [esi+4]
		test	dword ptr [esi+2Ch], 8
		jnz	short loc_A47F29
		movzx	edx, dx

loc_A47F29:				; CODE XREF: PushException+EBj
		push	ebp
		push	esp
		push	offset perr1_fault
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		test	word ptr [edi+2], 1
		pop	large dword ptr	fs:0
		lea	esp, [esp+8]
		pop	ebp
		jnz	loc_A48005
		push	ecx
		mov	ecx, 10h
		call	CheckEsp
		pop	ecx
		test	al, 0FFh
		jz	loc_A4816F
		sub	edx, 10h
		mov	[esi+4], edx
		lea	ebx, [ebx+edx]
		cmp	ebx, ds:_MmUserProbeAddress
		jnb	loc_A4816F
		push	ebp
		push	esp
		push	offset perr1_fault
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		mov	eax, [esp+24h+var_14]
		mov	[ebx+0Eh], ax
		mov	eax, [esp+24h+var_10]
		mov	[ebx+0Ch], ax
		pop	large dword ptr	fs:0
		lea	esp, [esp+8]
		pop	ebp
		lea	esp, [esp+8]
		mov	eax, [esi+8]
		push	ecx
		call	GetVirtualBits
		pop	ecx
		push	ebp
		push	esp
		push	offset perr_fault
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		mov	[ebx+0Ah], ax
		movzx	eax, word ptr [esi+0Ch]
		mov	[ebx+8], ax
		mov	eax, [esi+10h]
		mov	[ebx+6], ax
		mov	eax, [ebp-24h]
		mov	eax, [eax+64h]
		mov	[ebx+4], ax
		mov	eax, [edi+18h]
		mov	[ebx], eax
		pop	large dword ptr	fs:0
		add	esp, 8
		pop	ebp
		jmp	loc_A480B6
; 

loc_A48005:				; CODE XREF: PushException+117j
		push	ecx
		mov	ecx, 20h
		call	CheckEsp
		pop	ecx
		test	al, 0FFh
		jz	loc_A4816F
		sub	edx, 20h
		mov	[esi+4], edx
		lea	ebx, [ebx+edx]
		cmp	ebx, ds:_MmUserProbeAddress
		jnb	loc_A4816F
		push	ebp
		push	esp
		push	offset perr1_fault
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		mov	eax, [esp+24h+var_14]
		mov	[ebx+1Ch], eax
		mov	eax, [esp+24h+var_10]
		mov	[ebx+18h], eax
		pop	large dword ptr	fs:0
		add	esp, 8
		pop	ebp
		lea	esp, [esp+8]
		mov	eax, [esi+8]
		push	ecx
		call	GetVirtualBits
		pop	ecx
		push	ebp
		push	esp
		push	offset perr_fault
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		mov	[ebx+14h], eax
		movzx	eax, word ptr [esi+0Ch]
		mov	[ebx+10h], eax
		mov	eax, [esi+10h]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp-24h]
		mov	eax, [eax+64h]
		mov	[ebx+8], eax
		mov	eax, [edi+1Ch]
		shr	eax, 10h
		mov	[ebx+4], eax
		mov	eax, [edi+1Ch]
		and	eax, 0FFFFh
		mov	[ebx], eax
		pop	large dword ptr	fs:0
		add	esp, 8
		pop	ebp

loc_A480B6:				; CODE XREF: PushException+1C7j
		call	GetHandlerAddress
		test	al, 0FFh
		jz	loc_A48172

loc_A480C3:				; CODE XREF: PushException+84j
		push	ecx
		movzx	eax, word ptr [esi+0Ch]
		call	CsToLinear
		pop	ecx
		test	al, 0FFh
		jz	loc_A48172
		mov	eax, [esi+10h]
		cmp	eax, [esi+18h]
		ja	loc_A48172
		mov	eax, 10h
		push	edx
		mul	ecx
		pop	edx
		push	ebp
		push	esp
		push	offset perr_fault
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		mov	edi, large fs:18h
		mov	edi, [edi+0F18h]
		cmp	edi, ds:_MmUserProbeAddress
		jb	short loc_A4811B
		mov	edi, ds:_MmUserProbeAddress

loc_A4811B:				; CODE XREF: PushException+2DAj
		mov	edi, [edi+8]
		add	edi, eax
		cmp	edi, ds:_MmUserProbeAddress
		jb	short loc_A4812E
		mov	edi, ds:_MmUserProbeAddress

loc_A4812E:				; CODE XREF: PushException+2EDj
		mov	eax, [esi+8]
		test	dword ptr [edi+0Ch], 1
		pop	large dword ptr	fs:0
		lea	esp, [esp+8]
		pop	ebp
		jz	short loc_A48154
		and	eax, 0FFFFFCFFh
		push	eax
		xor	ebx, ebx
		call	SetVirtualBits
		pop	eax

loc_A48154:				; CODE XREF: PushException+30Bj
		push	ecx
		mov	ecx, eax
		call	CheckVdmFlags
		and	ecx, 0FFFFFEFFh
		mov	[esi+8], ecx
		pop	ecx
		mov	eax, 1

loc_A4816B:				; CODE XREF: PushException+33Bj
		pop	esi
		pop	edi
		pop	ebx
		retn
; 

loc_A4816F:				; CODE XREF: PushException+C1j
					; PushException+D4j ...
		add	esp, 8

loc_A48172:				; CODE XREF: PushException+Fj
					; PushException+284j ...
		xor	eax, eax
		jmp	short loc_A4816B
PushException	endp


;  S U B	R O U T	I N E 


perr1_fault	proc near		; DATA XREF: PushException+90o
					; PushException+F2o ...

arg_4		= dword	ptr  8

		mov	esp, [esp+arg_4]
		pop	large dword ptr	fs:0
		add	esp, 8
		pop	ebp
		jmp	short loc_A4816F
perr1_fault	endp


;  S U B	R O U T	I N E 


perr_fault	proc near		; DATA XREF: PushException+31o
					; PushException+187o ...

arg_4		= dword	ptr  8

		mov	esp, [esp+arg_4]
		pop	large dword ptr	fs:0
		add	esp, 8
		pop	ebp
		jmp	short loc_A48172
perr_fault	endp


;  S U B	R O U T	I N E 


OpcodeESPrefixV86 proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		or	ebx, 100h
		push	dword ptr [ebp+68h]
		push	dword ptr [ebp+6Ch]
		push	offset aNtvdmEncount_4 ; "NTVDM: Encountered override prefix ES	%"...
		call	_DbgPrint
		add	esp, 0Ch
		jmp	OpcodeGenericPrefixV86
OpcodeESPrefixV86 endp


;  S U B	R O U T	I N E 


OpcodeCSPrefixV86 proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		or	ebx, 200h
		push	dword ptr [ebp+68h]
		push	dword ptr [ebp+6Ch]
		push	offset aNtvdmEncount_2 ; "NTVDM: Encountered override prefix CS	%"...
		call	_DbgPrint
		add	esp, 0Ch
		jmp	OpcodeGenericPrefixV86
OpcodeCSPrefixV86 endp


;  S U B	R O U T	I N E 


OpcodeSSPrefixV86 proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		or	ebx, 400h
		push	dword ptr [ebp+68h]
		push	dword ptr [ebp+6Ch]
		push	offset aNtvdmEncount_1 ; "NTVDM: Encountered override prefix SS	%"...
		call	_DbgPrint
		add	esp, 0Ch
		jmp	OpcodeGenericPrefixV86
OpcodeSSPrefixV86 endp


;  S U B	R O U T	I N E 


OpcodeDSPrefixV86 proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		or	ebx, 800h
		push	dword ptr [ebp+68h]
		push	dword ptr [ebp+6Ch]
		push	offset aNtvdmEncount_3 ; "NTVDM: Encountered override prefix DS	%"...
		call	_DbgPrint
		add	esp, 0Ch
		jmp	OpcodeGenericPrefixV86
OpcodeDSPrefixV86 endp


;  S U B	R O U T	I N E 


OpcodeFSPrefixV86 proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		or	ebx, 1000h
		push	dword ptr [ebp+68h]
		push	dword ptr [ebp+6Ch]
		push	offset aNtvdmEncount_6 ; "NTVDM: Encountered override prefix FS	%"...
		call	_DbgPrint
		add	esp, 0Ch
		jmp	OpcodeGenericPrefixV86
OpcodeFSPrefixV86 endp


;  S U B	R O U T	I N E 


OpcodeGSPrefixV86 proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		or	ebx, 2000h
		push	dword ptr [ebp+68h]
		push	dword ptr [ebp+6Ch]
		push	offset aNtvdmEncount_7 ; "NTVDM: Encountered override prefix GS	%"...
		call	_DbgPrint
		add	esp, 0Ch
		jmp	OpcodeGenericPrefixV86
OpcodeGSPrefixV86 endp


;  S U B	R O U T	I N E 


OpcodeOPER32PrefixV86 proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		or	ebx, 4000h
		push	dword ptr [ebp+68h]
		push	dword ptr [ebp+6Ch]
		push	offset aNtvdmEncount_5 ; "NTVDM: Encountered override prefix OPER"...
		call	_DbgPrint
		add	esp, 0Ch
		jmp	OpcodeGenericPrefixV86
OpcodeOPER32PrefixV86 endp


;  S U B	R O U T	I N E 


OpcodeADDR32PrefixV86 proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		or	ebx, 8000h
		push	dword ptr [ebp+68h]
		push	dword ptr [ebp+6Ch]
		push	offset aNtvdmEncount_9 ; "NTVDM: Encountered override prefix ADDR"...
		call	_DbgPrint
		add	esp, 0Ch
		jmp	OpcodeGenericPrefixV86
OpcodeADDR32PrefixV86 endp


;  S U B	R O U T	I N E 


OpcodeLOCKPrefixV86 proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		or	ebx, 10000h
		push	dword ptr [ebp+68h]
		push	dword ptr [ebp+6Ch]
		push	offset aNtvdmEncount_8 ; "NTVDM: Encountered override prefix LOCK"...
		call	_DbgPrint
		add	esp, 0Ch
		jmp	OpcodeGenericPrefixV86
OpcodeLOCKPrefixV86 endp


;  S U B	R O U T	I N E 


OpcodeREPNEPrefixV86 proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		or	ebx, 20000h
		push	dword ptr [ebp+68h]
		push	dword ptr [ebp+6Ch]
		push	offset aNtvdmEncount_0 ; "NTVDM: Encountered override prefix REPN"...
		call	_DbgPrint
		add	esp, 0Ch
		jmp	OpcodeGenericPrefixV86
OpcodeREPNEPrefixV86 endp


;  S U B	R O U T	I N E 


OpcodeREPPrefixV86 proc	near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		or	ebx, 40000h
		push	dword ptr [ebp+68h]
		push	dword ptr [ebp+6Ch]
		push	offset aNtvdmEncounter ; "NTVDM: Encountered override prefix REP "...
		call	_DbgPrint
		add	esp, 0Ch
		jmp	short OpcodeGenericPrefixV86
OpcodeREPPrefixV86 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall Ki386DispatchOpcodeV86(x)
_Ki386DispatchOpcodeV86@4 proc near	; CODE XREF: VdmDispatchOpcodeV86_try(x)+13p

arg_0		= dword	ptr  8

		push	ebp
		mov	ebp, [esp+arg_0]
		movzx	esi, word ptr [ebp+6Ch]
		shl	esi, 4
		and	dword ptr [ebp+68h], 0FFFFh
		and	dword ptr [ebp+74h], 0FFFFh
		add	esi, [ebp+68h]
		push	esi
		call	_VdmFetchBop1@4	; VdmFetchBop1(x)
		movzx	edx, ds:OpcodeIndex[eax]
		mov	edi, 1
		xor	ebx, ebx
		inc	ds:_ExVdmOpcodeDispatchCounts[edx*4]
		pusha
		push	ebp
		push	0
		push	edx
		push	2
		call	_VdmTraceEvent@16 ; VdmTraceEvent(x,x,x,x)
		popa
		call	ss:OpcodeDispatchV86[edx*4]
		pusha
		push	ebp
		push	1
		push	0
		push	2
		call	_VdmTraceEvent@16 ; VdmTraceEvent(x,x,x,x)
		popa
		pop	ebp
		retn	4
_Ki386DispatchOpcodeV86@4 endp


;  S U B	R O U T	I N E 


OpcodeInvalidV86 proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		xor	eax, eax
		retn
OpcodeInvalidV86 endp


;  S U B	R O U T	I N E 


OpcodeGenericPrefixV86 proc near	; CODE XREF: OpcodeESPrefixV86+19j
					; OpcodeCSPrefixV86+19j ...

var_6		= byte ptr -6
var_4		= dword	ptr -4

		inc	esi
		inc	edi
		movzx	ecx, byte ptr [esi]
		movzx	edx, ds:OpcodeIndex[ecx]
		inc	ds:_ExVdmOpcodeDispatchCounts[edx*4]
		jmp	ss:OpcodeDispatchV86[edx*4]

OpcodeINSBV86:				; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; DATA XREF: PAGEDATA:00A93240o
		push	ebp
		push	edi
		movzx	eax, word ptr [ebp+7Ch]
		shl	eax, 10h
		movzx	ecx, word ptr [ebp+54h]
		or	eax, ecx
		push	eax
		mov	eax, 1
		xor	ecx, ecx
		test	ebx, 40000h
		jz	short loc_A48385
		mov	ecx, 1
		movzx	eax, word ptr [ebp+3Ch]

loc_A48385:				; CODE XREF: OpcodeGenericPrefixV86+38j
		push	eax
		push	1
		push	ecx
		push	1
		movzx	eax, word ptr [ebp+38h]
		push	eax
		call	_Ki386VdmDispatchStringIo@32 ; Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)
		retn
; 

OpcodeINSWV86:				; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		push	ebp
		push	edi
		movzx	eax, word ptr [ebp+7Ch]
		shl	eax, 10h
		movzx	ecx, word ptr [ebp+54h]
		or	eax, ecx
		push	eax
		mov	eax, 1
		xor	ecx, ecx
		test	ebx, 40000h
		jz	short loc_A483BE
		mov	ecx, 1
		movzx	eax, word ptr [ebp+3Ch]

loc_A483BE:				; CODE XREF: OpcodeGenericPrefixV86+71j
		push	eax
		push	1
		push	ecx
		push	2
		movzx	eax, word ptr [ebp+38h]
		push	eax
		call	_Ki386VdmDispatchStringIo@32 ; Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)
		retn
; 

OpcodeOUTSBV86:				; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		push	ebp
		push	edi
		movzx	eax, word ptr [ebp+80h]
		shl	eax, 10h
		movzx	ecx, word ptr [ebp+58h]
		or	eax, ecx
		push	eax
		mov	eax, 1
		xor	ecx, ecx
		test	ebx, 40000h
		jz	short loc_A483FA
		mov	ecx, 1
		movzx	eax, word ptr [ebp+3Ch]

loc_A483FA:				; CODE XREF: OpcodeGenericPrefixV86+ADj
		push	eax
		push	0
		push	ecx
		push	1
		movzx	eax, word ptr [ebp+38h]
		push	eax
		call	_Ki386VdmDispatchStringIo@32 ; Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)
		retn
; 

OpcodeOUTSWV86:				; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		push	ebp
		push	edi
		movzx	eax, word ptr [ebp+80h]
		shl	eax, 10h
		movzx	ecx, word ptr [ebp+58h]
		or	eax, ecx
		push	eax
		mov	eax, 1
		xor	ecx, ecx
		test	ebx, 40000h
		jz	short loc_A48436
		mov	ecx, 1
		movzx	eax, word ptr [ebp+3Ch]

loc_A48436:				; CODE XREF: OpcodeGenericPrefixV86+E9j
		push	eax
		push	0
		push	ecx
		push	2
		movzx	eax, word ptr [ebp+38h]
		push	eax
		call	_Ki386VdmDispatchStringIo@32 ; Ki386VdmDispatchStringIo(x,x,x,x,x,x,x,x)
		retn
; 

OpcodePUSHFV86:				; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		test	_KeI386VirtualIntExtensions, 1
		jz	short loc_A48478
		mov	eax, [ebp+70h]
		lea	ecx, large ds:714h
		lock or	dword ptr [ecx], 200h
		test	eax, 80000h
		jnz	short loc_A48495
		lock and dword ptr [ecx], 0FFFFFDFFh
		and	eax, 0FFFFFDFFh
		jmp	short loc_A48495
; 

loc_A48478:				; CODE XREF: OpcodeGenericPrefixV86+10Fj
		lea	eax, large ds:714h
		mov	edx, [ebp+70h]
		mov	eax, [eax]
		and	edx, 0FFFFFDFFh
		and	eax, 44200h
		or	eax, edx
		or	eax, 3000h

loc_A48495:				; CODE XREF: OpcodeGenericPrefixV86+126j
					; OpcodeGenericPrefixV86+134j
		movzx	ecx, word ptr [ebp+78h]
		movzx	edx, word ptr [ebp+74h]
		shl	ecx, 4
		sub	dx, 2
		test	ebx, 4000h
		jnz	short loc_A484D5
		mov	[ecx+edx], ax

loc_A484B0:				; CODE XREF: OpcodeGenericPrefixV86+19Aj
		mov	[ebp+74h], dx
		add	[ebp+68h], edi
		mov	eax, large ds:714h
		test	eax, 200h
		jz	short loc_A484CF
		test	eax, 3
		jz	short loc_A484CF
		call	VdmDispatchIntAck

loc_A484CF:				; CODE XREF: OpcodeGenericPrefixV86+17Fj
					; OpcodeGenericPrefixV86+186j
		mov	eax, 1
		retn
; 

loc_A484D5:				; CODE XREF: OpcodeGenericPrefixV86+168j
		sub	dx, 2
		mov	[ecx+edx], eax
		jmp	short loc_A484B0
; 

OpcodePOPFV86:				; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		lea	eax, large ds:714h
		mov	ecx, [ebp+78h]
		movzx	edx, word ptr [ebp+74h]
		shl	ecx, 4
		mov	ecx, [ecx+edx]
		add	edx, 4
		test	ebx, 4000h
		jnz	short loc_A48505
		and	ecx, 0FFFFh
		sub	edx, 2

loc_A48505:				; CODE XREF: OpcodeGenericPrefixV86+1B8j
		mov	[ebp+74h], edx
		and	ecx, 0FFFFCFFFh
		mov	ebx, ecx
		and	ebx, 0FFFFBFFFh
		and	ecx, 44200h
		test	_KeI386VirtualIntExtensions, 1
		jz	short loc_A48553
		and	ebx, 0FFE7FFFFh
		test	ebx, 200h
		jz	short loc_A4853C
		or	ebx, 80000h

loc_A4853C:				; CODE XREF: OpcodeGenericPrefixV86+1F2j
		or	ebx, 20200h
		push	eax
		mov	eax, [ebp+70h]
		push	eax
		and	eax, 100000h
		or	eax, ebx
		mov	[ebp+70h], eax
		jmp	short loc_A48560
; 

loc_A48553:				; CODE XREF: OpcodeGenericPrefixV86+1E4j
		push	eax
		or	ebx, 20200h
		push	dword ptr [ebp+70h]
		mov	[ebp+70h], ebx

loc_A48560:				; CODE XREF: OpcodeGenericPrefixV86+20Fj
		test	[esp+8+var_6], 2
		lea	esp, [esp+4]
		jnz	short loc_A48571
		push	ebp
		call	_Ki386AdjustEsp0@4 ; Ki386AdjustEsp0(x)

loc_A48571:				; CODE XREF: OpcodeGenericPrefixV86+227j
		pop	eax
		lock and dword ptr [eax], 0FFFBBDFFh
		lock or	[eax], ecx
		add	[ebp+68h], edi
		mov	eax, [eax]
		test	eax, 3
		jz	short loc_A48594
		test	eax, 200h
		jz	short loc_A48594
		call	VdmDispatchIntAck

loc_A48594:				; CODE XREF: OpcodeGenericPrefixV86+244j
					; OpcodeGenericPrefixV86+24Bj
		mov	eax, 1
		retn
; 

OpcodeINTnnV86:				; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		mov	edx, [ebp+70h]
		lea	eax, large ds:714h
		mov	ecx, [eax]
		lock and dword ptr [eax], 0FFFFFDFFh
		mov	eax, edx
		and	eax, 0FFFFFDFFh
		and	ecx, 40200h
		test	_KeI386VirtualIntExtensions, 1
		jz	short loc_A485D8
		and	ecx, 40000h
		or	eax, ecx
		mov	ecx, edx
		and	ecx, 80000h
		ror	ecx, 0Ah

loc_A485D8:				; CODE XREF: OpcodeGenericPrefixV86+281j
		or	eax, ecx
		and	edx, 0FFF7BEFFh
		mov	[ebp+70h], edx
		or	eax, 3000h
		movzx	ecx, word ptr [ebp+78h]
		shl	ecx, 4
		movzx	edx, word ptr [ebp+74h]
		sub	dx, 2
		mov	[ecx+edx], ax
		mov	ax, [ebp+6Ch]
		sub	dx, 2
		mov	[ecx+edx], ax
		movzx	eax, word ptr [ebp+68h]
		add	eax, edi
		inc	eax
		sub	dx, 2
		mov	[ecx+edx], ax
		mov	[ebp+74h], dx
		inc	esi
		movzx	ecx, byte ptr [esi]
		push	ecx
		call	oinnvuserrefs
		or	eax, eax
		pop	ecx
		jz	short loc_A48637
		mov	eax, ebx
		shr	eax, 10h
		sub	eax, ecx
		shl	ecx, 4
		add	ebx, ecx
		jmp	short loc_A48643
; 

loc_A48637:				; CODE XREF: OpcodeGenericPrefixV86+2E5j
		mov	ebx, ds:0[ecx*4]
		mov	eax, ebx
		shr	eax, 10h

loc_A48643:				; CODE XREF: OpcodeGenericPrefixV86+2F3j
		mov	[ebp+68h], bx
		test	dword ptr [ebp+70h], 20000h
		jnz	short loc_A4865E
		or	ax, 3
		cmp	ax, 8
		jnb	short loc_A4865E
		mov	ax, 1Bh

loc_A4865E:				; CODE XREF: OpcodeGenericPrefixV86+30Cj
					; OpcodeGenericPrefixV86+316j
		mov	[ebp+6Ch], ax
		mov	eax, 1
		retn
OpcodeGenericPrefixV86 endp


;  S U B	R O U T	I N E 


oinnvuserrefs	proc near		; CODE XREF: OpcodeGenericPrefixV86+2DDp
		push	ebp
		push	offset oinnvuserrefs_fault
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		mov	eax, large fs:18h
		mov	eax, [eax+0F18h]
		cmp	eax, ds:_MmUserProbeAddress
		jnb	short loc_A486C6
		mov	ebx, [eax+4]
		cmp	ebx, 0
		jz	short loc_A486C6
		lea	ebx, [ebx+ecx*8]
		cmp	ebx, ds:_MmUserProbeAddress
		jnb	short loc_A486C6
		test	dword ptr [ebx+2], 4
		jz	short loc_A486C6
		lea	ebx, [eax+634h]
		mov	ebx, [ebx+20h]
		mov	eax, 1
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	ebp
		retn
; 

loc_A486C6:				; CODE XREF: oinnvuserrefs+26j
					; oinnvuserrefs+2Ej ...
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	ebp
		xor	eax, eax
		retn
oinnvuserrefs	endp


;  S U B	R O U T	I N E 


oinnvuserrefs_fault proc near		; DATA XREF: oinnvuserrefs+1o

arg_4		= dword	ptr  8

		mov	esp, [esp+arg_4]
		jmp	short loc_A486C6
oinnvuserrefs_fault endp


;  S U B	R O U T	I N E 


OpcodeINTOV86	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		xor	eax, eax
		retn
OpcodeINTOV86	endp


;  S U B	R O U T	I N E 


OpcodeIRETV86	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		lea	eax, large ds:714h
		movzx	ecx, word ptr [ebp+78h]
		movzx	edx, word ptr [ebp+74h]
		shl	ecx, 4
		add	ecx, edx
		test	ebx, 4000h
		jnz	loc_A487B5
		movzx	edi, word ptr [ecx]
		mov	[ebp+68h], edi
		movzx	esi, word ptr [ecx+2]
		add	edx, 6
		movzx	ebx, word ptr [ecx+4]
		mov	[ebp+74h], edx
		mov	[ebp+6Ch], esi

loc_A48713:				; CODE XREF: OpcodeIRETV86+EDj
		and	ebx, 0FFE78FFFh
		mov	ecx, ebx
		test	_KeI386VirtualIntExtensions, 1
		jz	short loc_A4873B
		or	ebx, 80000h
		test	ebx, 200h
		jnz	short loc_A4873B
		and	ebx, 0FFF7FFFFh

loc_A4873B:				; CODE XREF: OpcodeIRETV86+48j
					; OpcodeIRETV86+56j
		push	eax
		or	ebx, 20200h
		mov	eax, [ebp+70h]
		push	eax
		and	eax, 100000h
		or	eax, ebx
		mov	[ebp+70h], eax
		pop	ebx
		test	ebx, 20000h
		jnz	short loc_A48763
		push	ecx
		push	edx
		push	ebp
		call	_Ki386AdjustEsp0@4 ; Ki386AdjustEsp0(x)
		pop	edx
		pop	ecx

loc_A48763:				; CODE XREF: OpcodeIRETV86+7Aj
		pop	eax
		and	ecx, 200h
		lock and dword ptr [eax], 0FFFFFDFFh
		lock or	[eax], ecx
		mov	ebx, [eax]
		shl	esi, 4
		add	esi, edi
		cmp	esi, ds:_MmUserProbeAddress
		jbe	short loc_A48789
		mov	esi, ds:_MmUserProbeAddress

loc_A48789:				; CODE XREF: OpcodeIRETV86+A4j
		mov	ax, [esi]
		cmp	ax, 0C4C4h
		jz	short loc_A487AD
		test	ebx, 3
		jz	short loc_A487A7
		test	ebx, 200h
		jz	short loc_A487A7
		call	VdmDispatchIntAck

loc_A487A7:				; CODE XREF: OpcodeIRETV86+BBj
					; OpcodeIRETV86+C3j ...
		mov	eax, 1
		retn
; 

loc_A487AD:				; CODE XREF: OpcodeIRETV86+B3j
		push	ebp
		call	_VdmDispatchBop@4 ; VdmDispatchBop(x)
		jmp	short loc_A487A7
; 

loc_A487B5:				; CODE XREF: OpcodeIRETV86+19j
		mov	edi, [ecx]
		mov	[ebp+68h], edi
		movzx	esi, word ptr [ecx+4]
		add	edx, 0Ch
		mov	ebx, [ecx+8]
		mov	[ebp+6Ch], esi
		mov	[ebp+74h], edx
		jmp	loc_A48713
OpcodeIRETV86	endp


;  S U B	R O U T	I N E 


OpcodeINBimmV86	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		inc	esi
		inc	edi
		movzx	ecx, byte ptr [esi]
		push	ebp
		push	edi
		push	1
		push	1
		push	ecx
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
OpcodeINBimmV86	endp


;  S U B	R O U T	I N E 


OpcodeINWimmV86	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		inc	esi
		inc	edi
		movzx	ecx, byte ptr [esi]
		push	ebp
		push	edi
		push	1
		push	2
		push	ecx
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
OpcodeINWimmV86	endp


;  S U B	R O U T	I N E 


OpcodeOUTBimmV86 proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		inc	edi
		inc	esi
		movzx	ecx, byte ptr [esi]
		push	ebp
		push	edi
		push	0
		push	1
		push	ecx
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
OpcodeOUTBimmV86 endp


;  S U B	R O U T	I N E 


OpcodeOUTWimmV86 proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		inc	esi
		inc	edi
		movzx	ecx, byte ptr [esi]
		push	ebp
		push	edi
		push	0
		push	2
		push	ecx
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
OpcodeOUTWimmV86 endp


;  S U B	R O U T	I N E 


OpcodeINBV86	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		movzx	ebx, word ptr [ebp+38h]
		cmp	ebx, 3BDh
		jz	short loc_A48840
		cmp	ebx, 379h
		jz	short loc_A48840
		cmp	ebx, 279h
		jz	short loc_A48840

loc_A48833:				; CODE XREF: OpcodeINBV86+33j
		push	ebp
		push	edi
		push	1
		push	1
		push	ebx
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
; 

loc_A48840:				; CODE XREF: OpcodeINBV86+Aj
					; OpcodeINBV86+12j ...
		push	ebp
		push	edi
		push	ebx
		call	_VdmPrinterStatus@12 ; VdmPrinterStatus(x,x,x)
		or	al, al
		jz	short loc_A48833
		retn
OpcodeINBV86	endp


;  S U B	R O U T	I N E 


OpcodeINWV86	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		movzx	ebx, word ptr [ebp+38h]
		push	ebp
		push	edi
		push	1
		push	2
		push	ebx
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
OpcodeINWV86	endp


;  S U B	R O U T	I N E 


OpcodeOUTBV86	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		movzx	ebx, word ptr [ebp+38h]
		cmp	ebx, 3BCh
		jz	short loc_A48887
		cmp	ebx, 378h
		jz	short loc_A48887
		cmp	ebx, 278h
		jz	short loc_A48887

loc_A4887A:				; CODE XREF: OpcodeOUTBV86+33j
		push	ebp
		push	edi
		push	0
		push	1
		push	ebx
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
; 

loc_A48887:				; CODE XREF: OpcodeOUTBV86+Aj
					; OpcodeOUTBV86+12j ...
		push	ebp
		push	edi
		push	ebx
		call	_VdmPrinterWriteData@12	; VdmPrinterWriteData(x,x,x)
		or	al, al
		jz	short loc_A4887A
		retn
OpcodeOUTBV86	endp


;  S U B	R O U T	I N E 


OpcodeOUTWV86	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		movzx	ebx, word ptr [ebp+38h]
		push	ebp
		push	edi
		push	0
		push	2
		push	ebx
		call	_Ki386VdmDispatchIo@20 ; Ki386VdmDispatchIo(x,x,x,x,x)
		retn
OpcodeOUTWV86	endp


;  S U B	R O U T	I N E 


OpcodeCLIV86	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		lea	eax, large ds:714h
		test	_KeI386VirtualIntExtensions, 1
		jz	short loc_A488E2
		mov	edx, [ebp+70h]
		mov	eax, [eax]
		and	edx, 180000h
		cmp	edx, 180000h
		jnz	short loc_A488DC
		test	eax, 3
		jz	short loc_A488DC
		call	VdmDispatchIntAck
		mov	eax, 1
		retn
; 

loc_A488DC:				; CODE XREF: OpcodeCLIV86+23j
					; OpcodeCLIV86+2Aj
		lea	eax, large ds:714h

loc_A488E2:				; CODE XREF: OpcodeCLIV86+10j
		lock and dword ptr [eax], 0FFFFFDFFh
		add	[ebp+68h], edi
		mov	eax, 1
		retn
OpcodeCLIV86	endp


;  S U B	R O U T	I N E 


OpcodeSTIV86	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		lea	eax, large ds:714h
		test	_KeI386VirtualIntExtensions, 1
		jz	short loc_A4890B
		or	dword ptr [ebp+70h], 80000h

loc_A4890B:				; CODE XREF: OpcodeSTIV86+10j
		lock or	dword ptr [eax], 200h
		add	[ebp+68h], edi
		mov	eax, [eax]
		test	eax, 3
		jz	short loc_A48923
		call	VdmDispatchIntAck

loc_A48923:				; CODE XREF: OpcodeSTIV86+2Aj
		mov	eax, 1
		retn
OpcodeSTIV86	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

Opcode0FV86	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_8		= dword	ptr -8

		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	esi
		push	edi
		mov	esi, [ebp+0]
		mov	eax, [esi+7Ch]
		mov	[esi+30h], eax
		mov	eax, [esi+80h]
		mov	[esi+34h], eax
		mov	eax, [esi+84h]
		mov	[esi+50h], eax
		mov	eax, [esi+88h]
		mov	[esi+2Ch], eax
		mov	[ebp+var_24], esi
		mov	eax, [esi+78h]
		mov	[ebp+var_38], eax
		mov	eax, [esi+74h]
		mov	[ebp+var_34], eax
		mov	eax, [esi+70h]
		mov	[ebp+var_30], eax
		mov	eax, [esi+6Ch]
		mov	[ebp+var_2C], eax
		mov	eax, [esi+68h]
		dec	edi
		add	eax, edi
		mov	[ebp+var_28], eax
		mov	[ebp+var_8], ebx
		lea	esi, [ebp+var_38]
		movzx	eax, word ptr [esi+0Ch]
		shl	eax, 4
		mov	[esi+1Ch], eax
		mov	dword ptr [esi+18h], 0FFFFh
		mov	dword ptr [esi+20h], 0
		call	VdmOpcode0f
		test	eax, 0FFFFh
		jz	short loc_A489B1
		mov	edi, [ebp+var_24]
		mov	eax, [ebp+var_28]
		mov	[edi+68h], eax
		mov	eax, 1

loc_A489B1:				; CODE XREF: Opcode0FV86+78j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
Opcode0FV86	endp


;  S U B	R O U T	I N E 


VdmDispatchIntAck proc near		; CODE XREF: OpcodeINTnn+11p
					; OpcodeCLI+11p ...
		push	ebp
		push	offset diafault
		push	large dword ptr	fs:0
		mov	large fs:0, esp
		test	large dword ptr	ds:714h, 1
		mov	eax, large fs:18h
		mov	eax, [eax+0F18h]
		jz	short loc_A48A0A
		cmp	eax, ds:_MmUserProbeAddress
		jnb	short loc_A489FE
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	ebp
		push	eax
		push	ebp
		call	_VdmDispatchInterrupts@8 ; VdmDispatchInterrupts(x,x)
		retn
; 

loc_A489FE:				; CODE XREF: VdmDispatchIntAck+32j
					; VdmDispatchIntAck+59j
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	ebp
		retn
; 

loc_A48A0A:				; CODE XREF: VdmDispatchIntAck+2Aj
		cmp	eax, ds:_MmUserProbeAddress
		jnb	short loc_A489FE
		mov	dword ptr [eax+5A8h], 3
		mov	dword ptr [eax+5ACh], 0
		mov	dword ptr [eax+5B0h], 0
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	ebp
		push	eax
		push	ebp
		call	_VdmEndExecution@8 ; VdmEndExecution(x,x)
		retn
VdmDispatchIntAck endp


;  S U B	R O U T	I N E 


diafault	proc near		; DATA XREF: VdmDispatchIntAck+1o

arg_4		= dword	ptr  8

		mov	esp, [esp+arg_4]
		pop	large dword ptr	fs:0
		add	esp, 4
		pop	ebp
		retn
diafault	endp ; sp =  0Ch


;  S U B	R O U T	I N E 


vdmDebugPoint	proc near
		retn
vdmDebugPoint	endp


;  S U B	R O U T	I N E 


OpcodeHLTV86	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		add	[ebp+68h], edi
		mov	eax, 1
		retn
OpcodeHLTV86	endp

; 
		align 10h
off_A48A60	dd offset VdmOpcodeGetCrx ; DATA XREF: VdmOpcode0f+3Er
		dd offset VdmOpcodeGetDrx
		dd offset VdmOpcodeSetCrx
		dd offset VdmOpcodeSetDrx
		dd offset OpcodeInvalid
		dd offset OpcodeInvalid
		dd offset OpcodeInvalid

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VdmOpcode0f	proc near		; CODE XREF: Opcode0F+12p
					; Opcode0FV86+6Ep
		push	ebp
		mov	ebp, esp
		push	edi
		inc	dword ptr [esi+10h]
		call	CheckEip
		test	al, 0FFh
		jz	short loc_A48AC6
		mov	edi, [esi+1Ch]
		add	edi, [esi+10h]
		movzx	edx, byte ptr [edi]
		cmp	edx, 1
		jnz	short loc_A48AA1
		call	VdmOpcodeLmsw
		jmp	short loc_A48AC1
; 

loc_A48AA1:				; CODE XREF: VdmOpcode0f+1Cj
		cmp	edx, 6
		jnz	short loc_A48AAD
		call	VdmOpcodeClts
		jmp	short loc_A48AC1
; 

loc_A48AAD:				; CODE XREF: VdmOpcode0f+28j
		cmp	edx, 20h
		jb	short loc_A48AC6
		cmp	edx, 26h
		ja	short loc_A48AC6
		sub	edx, 20h
		call	ds:off_A48A60[edx*4]

loc_A48AC1:				; CODE XREF: VdmOpcode0f+23j
					; VdmOpcode0f+2Fj ...
		pop	edi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A48AC6:				; CODE XREF: VdmOpcode0f+Ej
					; VdmOpcode0f+34j ...
		xor	eax, eax
		jmp	short loc_A48AC1
VdmOpcode0f	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VdmOpcodeLmsw	proc near		; CODE XREF: VdmOpcode0f+1Ep
		push	ebp
		mov	ebp, esp
		push	edi
		push	esi
		push	ebx
		inc	dword ptr [esi+10h]
		call	CheckEip
		test	al, 0FFh
		jz	short loc_A48B11
		mov	edi, [esi+10h]
		add	edi, [esi+1Ch]
		movzx	edx, byte ptr [edi]
		and	edx, 38h
		cmp	edx, 30h
		jnz	short loc_A48B18
		and	dword ptr [esi+30h], 0FFFFBFFFh
		mov	eax, 1
		call	VdmDecodeOperand
		test	al, 0Fh
		jz	short loc_A48B11
		mov	edi, [esi+34h]
		mov	eax, [edi]
		call	KiVdmSetUserCR0
		mov	eax, 1

loc_A48B11:				; CODE XREF: VdmOpcodeLmsw+10j
					; VdmOpcodeLmsw+36j ...
		pop	ebx
		pop	esi
		pop	edi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A48B18:				; CODE XREF: VdmOpcodeLmsw+21j
		xor	eax, eax
		jmp	short loc_A48B11
VdmOpcodeLmsw	endp


;  S U B	R O U T	I N E 


VdmOpcodeClts	proc near		; CODE XREF: VdmOpcode0f+2Ap
		inc	dword ptr [esi+10h]
		mov	eax, 1
		retn
VdmOpcodeClts	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VdmOpcodeGetCrx	proc near		; CODE XREF: VdmOpcode0f+3Ep
					; DATA XREF: PAGE:off_A48A60o
		push	ebp
		mov	ebp, esp
		push	edi
		inc	dword ptr [esi+10h]
		call	CheckEip
		test	al, 0FFh
		jz	short loc_A48B77
		mov	edi, [esi+10h]
		add	edi, [esi+1Ch]
		inc	dword ptr [esi+10h]
		movzx	edx, byte ptr [edi]
		and	edx, 0C0h
		cmp	edx, 0C0h
		jnz	short loc_A48B7C
		movzx	edx, byte ptr [edi]
		test	edx, 38h
		mov	eax, 0
		jnz	short loc_A48B62
		mov	eax, cr0

loc_A48B62:				; CODE XREF: VdmOpcodeGetCrx+38j
		and	edx, 7
		mov	edi, [esi+14h]
		mov	edx, ds:RegTab[edx*4]
		mov	[edx+edi], eax
		mov	eax, 1

loc_A48B77:				; CODE XREF: VdmOpcodeGetCrx+Ej
					; VdmOpcodeGetCrx+59j
		pop	edi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A48B7C:				; CODE XREF: VdmOpcodeGetCrx+28j
		xor	eax, eax
		jmp	short loc_A48B77
VdmOpcodeGetCrx	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VdmOpcodeSetCrx	proc near		; CODE XREF: VdmOpcode0f+3Ep
					; DATA XREF: PAGE:00A48A68o
		push	ebp
		mov	ebp, esp
		push	edi
		push	esi
		push	ebx
		inc	dword ptr [esi+10h]
		call	CheckEip
		test	al, 0FFh
		jz	short loc_A48BD1
		mov	edi, [esi+10h]
		add	edi, [esi+1Ch]
		inc	dword ptr [esi+10h]
		movzx	edx, byte ptr [edi]
		and	edx, 0C0h
		cmp	edx, 0C0h
		jnz	short loc_A48BD8
		movzx	edx, byte ptr [edi]
		test	edx, 38h
		jnz	short loc_A48BD8
		and	edx, 7
		mov	edi, [esi+14h]
		mov	edx, ds:RegTab[edx*4]
		mov	eax, [edx+edi]
		call	KiVdmSetUserCR0
		mov	eax, 1

loc_A48BD1:				; CODE XREF: VdmOpcodeSetCrx+10j
					; VdmOpcodeSetCrx+5Aj
		pop	ebx
		pop	esi
		pop	edi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A48BD8:				; CODE XREF: VdmOpcodeSetCrx+2Aj
					; VdmOpcodeSetCrx+35j
		xor	eax, eax
		jmp	short loc_A48BD1
VdmOpcodeSetCrx	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VdmOpcodeGetDrx	proc near		; CODE XREF: VdmOpcode0f+3Ep
					; DATA XREF: PAGE:00A48A64o

var_4		= dword	ptr -4

		push	ebp
		mov	ebp, esp
		sub	esp, 4
		push	edi
		push	ecx
		inc	dword ptr [esi+10h]
		call	CheckEip
		test	al, 0FFh
		jz	short loc_A48C66
		mov	edi, [esi+10h]
		add	edi, [esi+1Ch]
		inc	dword ptr [esi+10h]
		movzx	edx, byte ptr [edi]
		mov	[ebp+var_4], edx
		and	edx, 0C0h
		cmp	edx, 0C0h
		jnz	short loc_A48C6C
		mov	edi, [esi+14h]
		mov	edx, [ebp+var_4]
		and	edx, 38h
		shr	edx, 3
		cmp	edx, 4
		jb	short loc_A48C2A
		cmp	edx, 5
		ja	short loc_A48C2A
		mov	eax, 0
		jmp	short loc_A48C51
; 

loc_A48C2A:				; CODE XREF: VdmOpcodeGetDrx+40j
					; VdmOpcodeGetDrx+45j
		mov	ecx, ds:_KiDebugRegisterTrapOffsets[edx*4]
		mov	eax, [edi+ecx]
		cmp	edx, 6
		jb	short loc_A48C51
		cmp	edx, 7
		jz	short loc_A48C45
		and	eax, 0E00Fh
		jmp	short loc_A48C51
; 

loc_A48C45:				; CODE XREF: VdmOpcodeGetDrx+60j
		and	eax, 0FFFF0155h
		mov	ecx, eax
		call	@KiUpdateDr7@4	; KiUpdateDr7(x)

loc_A48C51:				; CODE XREF: VdmOpcodeGetDrx+4Cj
					; VdmOpcodeGetDrx+5Bj ...
		mov	edx, [ebp+var_4]
		and	edx, 7
		mov	ecx, ds:RegTab[edx*4]
		mov	[ecx+edi], eax
		mov	eax, 1

loc_A48C66:				; CODE XREF: VdmOpcodeGetDrx+12j
					; VdmOpcodeGetDrx+92j
		pop	ecx
		pop	edi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A48C6C:				; CODE XREF: VdmOpcodeGetDrx+2Fj
		xor	eax, eax
		jmp	short loc_A48C66
VdmOpcodeGetDrx	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VdmOpcodeSetDrx	proc near		; CODE XREF: VdmOpcode0f+3Ep
					; DATA XREF: PAGE:00A48A6Co

var_4		= dword	ptr -4

		push	ebp
		mov	ebp, esp
		sub	esp, 4
		push	edi
		push	ecx
		inc	dword ptr [esi+10h]
		call	CheckEip
		test	al, 0FFh
		jz	loc_A48D4C
		mov	edi, [esi+10h]
		add	edi, [esi+1Ch]
		inc	dword ptr [esi+10h]
		movzx	edx, byte ptr [edi]
		mov	[ebp+var_4], edx
		and	edx, 0C0h
		cmp	edx, 0C0h
		jnz	loc_A48D52
		mov	edi, [esi+14h]
		mov	edx, [ebp+var_4]
		and	edx, 7
		mov	edx, ds:RegTab[edx*4]
		mov	eax, [edi+edx]
		mov	edx, [ebp+var_4]
		and	edx, 38h
		shr	edx, 3
		mov	ecx, ds:_KiDebugRegisterTrapOffsets[edx*4]
		lea	ecx, [edi+ecx]
		cmp	edx, 4
		mov	[ecx], eax
		jnb	short loc_A48CE5
		and	dword ptr [ecx], 0FFFFFFh
		mov	ecx, edi
		call	@KiProcessDebugRegister@8 ; KiProcessDebugRegister(x,x)
		jmp	short loc_A48D19
; 

loc_A48CE5:				; CODE XREF: VdmOpcodeSetDrx+64j
		cmp	edx, 6
		jnb	short loc_A48CEF
		and	dword ptr [ecx], 0
		jmp	short loc_A48D47
; 

loc_A48CEF:				; CODE XREF: VdmOpcodeSetDrx+78j
		cmp	edx, 6
		jnz	short loc_A48D03
		and	dword ptr [ecx], 0E00Fh
		mov	ecx, edi
		call	@KiProcessDebugRegister@8 ; KiProcessDebugRegister(x,x)
		jmp	short loc_A48D19
; 

loc_A48D03:				; CODE XREF: VdmOpcodeSetDrx+82j
		and	eax, 2AAh
		shr	eax, 1
		or	[ecx], eax
		xor	edx, edx
		and	dword ptr [ecx], 0FFFF0155h
		call	KiRecordDr7

loc_A48D19:				; CODE XREF: VdmOpcodeSetDrx+73j
					; VdmOpcodeSetDrx+91j
		or	al, al
		jz	short loc_A48D47
		and	dword ptr [edi+14h], 0FFFFFFh
		and	dword ptr [edi+18h], 0FFFFFFh
		and	dword ptr [edi+1Ch], 0FFFFFFh
		and	dword ptr [edi+20h], 0FFFFFFh
		and	dword ptr [edi+24h], 0E00Fh
		and	dword ptr [edi+28h], 0FFFF0155h

loc_A48D47:				; CODE XREF: VdmOpcodeSetDrx+7Dj
					; VdmOpcodeSetDrx+ABj
		mov	eax, 1

loc_A48D4C:				; CODE XREF: VdmOpcodeSetDrx+12j
					; VdmOpcodeSetDrx+E4j
		pop	ecx
		pop	edi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A48D52:				; CODE XREF: VdmOpcodeSetDrx+33j
		xor	eax, eax
		jmp	short loc_A48D4C
VdmOpcodeSetDrx	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VdmDecodeOperand proc near		; CODE XREF: VdmOpcodeLmsw+2Fp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00A48F52 SIZE 0000001F BYTES

		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	edi
		push	ecx
		push	ebx
		mov	[ebp+var_14], eax
		lea	edx, [ebp+var_8]
		push	edx
		lea	edx, [ebp+var_4]
		push	edx
		lea	edx, [ebp+var_C]
		push	edx
		mov	edi, [esi+14h]
		push	dword ptr [edi+34h]
		call	VdmSegParams
		add	esp, 10h
		mov	[ebp+var_10], eax
		mov	edi, [esi+10h]
		add	edi, [esi+1Ch]
		call	CheckEip
		test	al, 0Fh
		jz	loc_A48F4E
		movzx	edx, byte ptr [edi]
		inc	dword ptr [esi+10h]
		inc	edi
		mov	ecx, edx
		mov	[ebp+var_18], edx
		and	edx, 0C0h
		shr	edx, 6
		and	ecx, 7
		test	dword ptr [esi+30h], 8000h
		jnz	loc_A48F52
		jmp	ds:off_A932A0[edx*4]
VdmDecodeOperand endp


;  S U B	R O U T	I N E 


sub_A48DC0	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j
					; DATA XREF: ...
		mov	ebx, 0
		cmp	ecx, 6
		jnz	short loc_A48DE5
		call	CheckEip
		test	al, 0Fh
		jz	loc_A48F4E
		movzx	ebx, word ptr [edi]
		inc	dword ptr [esi+10h]
		inc	dword ptr [esi+10h]
		jmp	loc_A48EAB
; 

loc_A48DE5:				; CODE XREF: sub_A48DC0+8j
		mov	edi, [esi+14h]
		jmp	ds:off_A932B0[ecx*4]
sub_A48DC0	endp


;  S U B	R O U T	I N E 


sub_A48DEF	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...
		call	CheckEip
		test	al, 0Fh
		jz	loc_A48F4E
		movsx	ebx, byte ptr [edi]
		inc	dword ptr [esi+10h]
		mov	edi, [esi+14h]
		jmp	ds:off_A932B0[ecx*4]
sub_A48DEF	endp


;  S U B	R O U T	I N E 


sub_A48E0C	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...
		call	CheckEip
		test	al, 0Fh
		jz	loc_A48F4E
		movzx	ebx, word ptr [edi]
		inc	dword ptr [esi+10h]
		inc	dword ptr [esi+10h]
		mov	edi, [esi+14h]
		jmp	ds:off_A932B0[ecx*4]
sub_A48E0C	endp


;  S U B	R O U T	I N E 


sub_A48E2C	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...
		mov	ebx, ds:RegTab[ecx*4]
		add	ebx, [esi+14h]
		jmp	loc_A48F3F
sub_A48E2C	endp


;  S U B	R O U T	I N E 


sub_A48E3B	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...
		movzx	edx, word ptr [edi+58h]
		add	ebx, edx
sub_A48E3B	endp


;  S U B	R O U T	I N E 


sub_A48E41	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...
		movzx	edx, word ptr [edi+5Ch]
		add	ebx, edx
		jmp	short loc_A48EAB
sub_A48E41	endp


;  S U B	R O U T	I N E 


sub_A48E49	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...
		movzx	edx, word ptr [edi+5Ch]
		add	ebx, edx
sub_A48E49	endp


;  S U B	R O U T	I N E 


sub_A48E4F	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...
		movzx	edx, word ptr [edi+54h]
		add	ebx, edx
		jmp	short loc_A48EAB
sub_A48E4F	endp


;  S U B	R O U T	I N E 


sub_A48E57	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...
		movzx	edx, word ptr [edi+60h]
		add	ebx, edx
		lea	edx, [ebp-8]
		push	edx
		lea	edx, [ebp-4]
		push	edx
		lea	edx, [ebp-0Ch]
		push	edx
		mov	edi, [esi+14h]
		push	dword ptr [edi+78h]
		call	VdmSegParams
		add	esp, 10h
		mov	[ebp-10h], eax
sub_A48E57	endp


;  S U B	R O U T	I N E 


sub_A48E7A	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...
		movzx	edx, word ptr [edi+58h]
		add	ebx, edx
		jmp	short loc_A48EAB
sub_A48E7A	endp


;  S U B	R O U T	I N E 


sub_A48E82	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...
		movzx	edx, word ptr [edi+54h]
		add	ebx, edx
sub_A48E82	endp


;  S U B	R O U T	I N E 


sub_A48E88	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...
		movzx	edx, word ptr [edi+60h]
		add	ebx, edx
		lea	edx, [ebp-8]
		push	edx
		lea	edx, [ebp-4]
		push	edx
		lea	edx, [ebp-0Ch]
		push	edx
		mov	edi, [esi+14h]
		push	dword ptr [edi+78h]
		call	VdmSegParams
		add	esp, 10h
		mov	[ebp-10h], eax

loc_A48EAB:				; CODE XREF: sub_A48DC0+20j
					; sub_A48E41+6j ...
		test	dword ptr [esi+30h], 3F00h
		jz	loc_A48F3C
		mov	edi, [esi+14h]
		test	dword ptr [esi+30h], 100h
		jz	short loc_A48ECA
		movzx	edx, word ptr [edi+30h]
		jmp	short loc_A48F0A
; 

loc_A48ECA:				; CODE XREF: sub_A48E88+3Aj
		test	dword ptr [esi+30h], 200h
		jz	short loc_A48ED9
		movzx	edx, word ptr [edi+6Ch]
		jmp	short loc_A48F0A
; 

loc_A48ED9:				; CODE XREF: sub_A48E88+49j
		test	dword ptr [esi+30h], 400h
		jz	short loc_A48EE8
		movzx	edx, word ptr [edi+78h]
		jmp	short loc_A48F0A
; 

loc_A48EE8:				; CODE XREF: sub_A48E88+58j
		test	dword ptr [esi+30h], 800h
		jz	short loc_A48EF7
		movzx	edx, word ptr [edi+34h]
		jmp	short loc_A48F0A
; 

loc_A48EF7:				; CODE XREF: sub_A48E88+67j
		test	dword ptr [esi+30h], 1000h
		jz	short loc_A48F06
		movzx	edx, word ptr [edi+50h]
		jmp	short loc_A48F0A
; 

loc_A48F06:				; CODE XREF: sub_A48E88+76j
		movzx	edx, word ptr [edi+2Ch]

loc_A48F0A:				; CODE XREF: sub_A48E88+40j
					; sub_A48E88+4Fj ...
		lea	ecx, [ebp-8]
		push	ecx
		lea	ecx, [ebp-4]
		push	ecx
		lea	ecx, [ebp-0Ch]
		push	ecx
		push	edx
		call	VdmSegParams
		add	esp, 10h
		mov	[ebp-10h], eax
		test	byte ptr [ebp-10h], 0Fh
		jz	short loc_A48F4E
		cmp	dword ptr [ebp-14h], 0
		jnz	short loc_A48F3C
		test	dword ptr [ebp-0Ch], 2
		jz	short loc_A48F4E
		cmp	ebx, [ebp-8]
		jnb	short loc_A48F4E

loc_A48F3C:				; CODE XREF: sub_A48E88+2Aj
					; sub_A48E88+A4j
		add	ebx, [ebp-4]

loc_A48F3F:				; CODE XREF: sub_A48E2C+Aj
		mov	[esi+34h], ebx
		mov	eax, 1

loc_A48F47:				; CODE XREF: sub_A48E88+C8j
					; sub_A48FB1+Aj
		pop	ebx
		pop	ecx
		pop	edi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A48F4E:				; CODE XREF: VdmDecodeOperand+36j
					; sub_A48DC0+11j ...
		xor	eax, eax
		jmp	short loc_A48F47
sub_A48E88	endp

; 
; START	OF FUNCTION CHUNK FOR VdmDecodeOperand

loc_A48F52:				; CODE XREF: VdmDecodeOperand+5Bj
		cmp	ecx, 4
		jnz	short loc_A48F6A
		call	CheckEip
		test	al, 0Fh
		jz	short loc_A48F4E
		movzx	eax, byte ptr [edi]
		mov	[ebp+var_1C], eax
		inc	edi
		inc	dword ptr [esi+10h]

loc_A48F6A:				; CODE XREF: VdmDecodeOperand+1FDj
		jmp	ds:off_A932D0[edx*4]
; END OF FUNCTION CHUNK	FOR VdmDecodeOperand

;  S U B	R O U T	I N E 


sub_A48F71	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...

; FUNCTION CHUNK AT 00A48FBD SIZE 000000C1 BYTES

		mov	ebx, 0
		cmp	ecx, 6
		jnz	short loc_A48FBD
		call	CheckEip
		test	al, 0Fh
		jz	short loc_A48F4E
		mov	ebx, [edi]
		add	dword ptr [esi+10h], 4
		jmp	loc_A48EAB
sub_A48F71	endp


;  S U B	R O U T	I N E 


sub_A48F8F	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...
		call	CheckEip
		test	al, 0Fh
		jz	short loc_A48F4E
		movsx	ebx, byte ptr [edi]
		inc	dword ptr [esi+10h]
		jmp	short loc_A48FBD
sub_A48F8F	endp


;  S U B	R O U T	I N E 


sub_A48FA0	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...
		call	CheckEip
		test	al, 0Fh
		jz	short loc_A48F4E
		mov	ebx, [edi]
		add	dword ptr [esi+10h], 4
		jmp	short loc_A48FBD
sub_A48FA0	endp


;  S U B	R O U T	I N E 


sub_A48FB1	proc near		; CODE XREF: Ki386DispatchOpcodeV86(x)+45p
					; OpcodeGenericPrefixV86+13j ...
		mov	ebx, ds:RegTab[ecx*4]
		add	ebx, [esi+14h]
		jmp	short loc_A48F47
sub_A48FB1	endp

; 
; START	OF FUNCTION CHUNK FOR sub_A48F71

loc_A48FBD:				; CODE XREF: sub_A48F71+8j
					; sub_A48F8F+Fj ...
		cmp	ecx, 4
		jz	short loc_A48FFB
		mov	edi, [esi+14h]
		mov	edx, ds:RegTab[ecx*4]
		add	ebx, [edx+edi]
		cmp	ecx, 6
		jz	short loc_A48FD9
		jmp	loc_A48EAB
; 

loc_A48FD9:				; CODE XREF: sub_A48F71+61j
		lea	edx, [ebp-8]
		push	edx
		lea	edx, [ebp-4]
		push	edx
		lea	edx, [ebp-0Ch]
		push	edx
		mov	edi, [esi+14h]
		push	dword ptr [edi+78h]
		call	VdmSegParams
		add	esp, 10h
		mov	[ebp-10h], eax
		jmp	loc_A48EAB
; 

loc_A48FFB:				; CODE XREF: sub_A48F71+4Fj
		mov	edx, [ebp-1Ch]
		mov	edi, [esi+14h]
		and	edx, 7
		cmp	edx, 5
		jz	short loc_A49013
		mov	eax, ds:RegTab[edx*4]
		add	ebx, [edi+eax]

loc_A49013:				; CODE XREF: sub_A48F71+96j
		mov	edx, [ebp-1Ch]
		and	ecx, 38h
		shr	ecx, 3
		cmp	ecx, 20h
		jz	short loc_A4903B
		mov	eax, ds:RegTab[ecx*4]
		mov	eax, [eax+edi]
		mov	ecx, [ebp-1Ch]
		and	ecx, 0C0h
		shr	ecx, 6
		shl	eax, cl
		add	ebx, eax

loc_A4903B:				; CODE XREF: sub_A48F71+AEj
		cmp	edx, 5
		jnz	loc_A48EAB
		mov	edx, [ebp-18h]
		and	edx, 0C0h
		shr	edx, 6
		cmp	edx, 0
		jnz	loc_A48EAB
		add	ebx, [edi+60h]
		lea	edx, [ebp-8]
		push	edx
		lea	edx, [ebp-4]
		push	edx
		lea	edx, [ebp-0Ch]
		push	edx
		mov	edi, [esi+14h]
		push	dword ptr [edi+78h]
		call	VdmSegParams
		add	esp, 10h
		mov	[ebp-10h], eax
		jmp	loc_A48EAB
; END OF FUNCTION CHUNK	FOR sub_A48F71

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VdmSegParams	proc near		; CODE XREF: VdmDecodeOperand+1Ep
					; sub_A48E57+18p ...

arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		push	edi
		mov	edi, [esi+14h]
		test	dword ptr [edi+70h], 20000h
		jz	short loc_A490B8
		pop	edi
		push	ebp
		mov	ebp, esp
		push	edi
		movzx	eax, [ebp+arg_0]
		shl	eax, 4
		mov	edi, [ebp+arg_8]
		mov	[edi], eax
		mov	edi, [ebp+arg_C]
		mov	dword ptr [edi], 0FFFFh
		mov	edi, [ebp+arg_4]
		mov	dword ptr [edi], 2
		mov	eax, 1
		pop	edi
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A490B8:				; CODE XREF: VdmSegParams+Bj
		pop	edi
		jmp	_Ki386GetSelectorParameters@16 ; Ki386GetSelectorParameters(x,x,x,x)
VdmSegParams	endp

; 
		align 10h
		dd 4Fh dup(0)
		db 3 dup(0)
byte_A491FF	db 0			; DATA XREF: PAGE:00A401DDw
PAGE		ends

; Section 12. (virtual address 0064A000)
; Virtual size			: 000051E5 (  20965.)
; Section size in file		: 00005200 (  20992.)
; Offset to raw	data for section: 005E6000
; Flags	60000020: Text Executable Readable
; Alignment	: default
; 

; Segment type:	Pure code
; Segment permissions: Read/Execute
PAGEKD		segment	para public 'CODE' use32
		assume cs:PAGEKD
		;org 0A4A000h
		assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

;  S U B	R O U T	I N E 


; __stdcall KdIsThisAKdTrap(x, x, x)
_KdIsThisAKdTrap@12 proc near		; CODE XREF: KiDispatchException+32Ap
		cmp	dword ptr [ecx], 80000003h
		jz	short loc_A4A00D

loc_A4A008:				; CODE XREF: KdIsThisAKdTrap(x,x,x)+11j
					; KdIsThisAKdTrap(x,x,x)+17j
		xor	al, al

locret_A4A00A:				; CODE XREF: KdIsThisAKdTrap(x,x,x)+1Bj
		retn	4
; 

loc_A4A00D:				; CODE XREF: KdIsThisAKdTrap(x,x,x)+6j
		cmp	dword ptr [ecx+10h], 0
		jbe	short loc_A4A008
		cmp	dword ptr [ecx+14h], 0
		jz	short loc_A4A008
		mov	al, 1
		jmp	short locret_A4A00A
_KdIsThisAKdTrap@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KdInitSystem	proc near		; CODE XREF: KdEnableDebuggerWithLock(x)+8Cp
					; KdEnableDebuggerWithLock(x)+E0p ...

var_134		= dword	ptr -134h
var_11E		= byte ptr -11Eh
var_11D		= byte ptr -11Dh
var_11C		= dword	ptr -11Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 124h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+124h+var_4], eax
		push	ebx
		xor	edx, edx
		xor	ecx, ecx
		push	esi
		mov	esi, [ebp+arg_4]
		inc	edx
		cmp	[ebp+arg_0], 0FFFFFFFFh
		push	edi
		mov	[esp+130h+var_11E], cl
		mov	[esp+130h+var_11D], cl
		jz	loc_A4A27E
		cmp	[ebp+arg_0], ecx
		jnz	loc_A4A28D
		cmp	_KdDebuggerEnabled, cl
		jnz	loc_A4A245
		mov	_KdpDebugRoutineSelect,	ecx
		mov	_KdBreakAfterSymbolLoad, cl
		cmp	_KdPitchDebugger, cl
		jz	short loc_A4A08A
		mov	bh, dl
		cmp	_KdLocalDebugEnabled, cl
		jnz	short loc_A4A08C

loc_A4A08A:				; CODE XREF: KdInitSystem+60j
		mov	bh, cl

loc_A4A08C:				; CODE XREF: KdInitSystem+6Aj
		mov	eax, _KdDebugDevice
		test	eax, eax
		jnz	loc_A4A5C0

loc_A4A099:				; CODE XREF: KdRegisterDebuggerDataBlock+319j
					; KdRegisterDebuggerDataBlock+329j
		cmp	ds:_KdpDebuggerDataListHead, ecx
		jnz	loc_A4A13F
		mov	dword_6CB518, eax
		call	_MmGetPagedPoolCommitPointer@0 ; MmGetPagedPoolCommitPointer()
		cdq
		mov	edi, offset _KdpDebuggerDataListHead
		mov	dword_6B1BF8, eax
		mov	eax, offset _KdpPowerListHead
		mov	dword_6B1BFC, edx
		mov	edx, offset _KdDebuggerDataBlock
		push	ecx
		mov	_KdpPowerSpinLock, ecx
		mov	ds:dword_A9B044, edi
		mov	ds:_KdpDebuggerDataListHead, edi
		mov	ds:dword_A9B03C, eax
		mov	ds:_KdpPowerListHead, eax
		call	KdRegisterDebuggerDataBlock
		mov	eax, _NtBuildNumber
		mov	word_6B3F82, ax
		shr	eax, 1Ch
		mov	_KdVersionBlock, ax
		mov	eax, offset _PsLoadedModuleList
		cdq
		mov	dword_6B3F98, eax
		mov	eax, edi
		mov	dword_6B3F9C, edx
		cdq
		mov	dword_6B3FA0, eax
		xor	eax, eax
		inc	eax
		mov	word_6B3F8B, 3303h
		or	word_6B3F86, ax
		mov	eax, large fs:1Ch
		mov	dword_6B3FA4, edx
		mov	dword ptr [eax+34h], offset _KdVersionBlock

loc_A4A13F:				; CODE XREF: KdInitSystem+81j
		mov	ecx, large fs:20h
		cmp	dword ptr [ecx+4168h], 0
		jz	loc_A4A5DC

loc_A4A153:				; CODE XREF: KdRegisterDebuggerDataBlock+341j
		test	esi, esi
		jz	loc_A4A79D
		lea	ecx, [esi+10h]
		mov	eax, [ecx]
		mov	eax, [eax+18h]
		cdq
		mov	dword_6B3F90, eax
		mov	eax, offset _KdpLoaderDebuggerBlock
		mov	dword_6B3F94, edx
		cdq
		mov	_KdpLoaderDebuggerBlock, ecx
		mov	off_6B1D60, eax
		mov	dword_6B1D64, edx
		mov	edi, [esi+78h]
		mov	[esp+130h+var_11C], edi
		test	edi, edi
		jz	loc_A4A785
		push	edi		; char *
		call	__strupr
		and	ds:_KdPrintBufferAllocateSize, 0
		xor	bl, bl
		mov	[esp+134h+var_134], offset ??_C@_0BD@MFHLEEJK@DBGPRINT_LOG_SIZE?$DN@DFIOBLLK@ ;	"DBGPRINT_LOG_SIZE="
		push	edi		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_A4A5F4

loc_A4A1BB:				; CODE XREF: KdRegisterDebuggerDataBlock+375j
					; KdRegisterDebuggerDataBlock+382j
		push	offset ??_C@_07PEABMPLF@NODEBUG@DFIOBLLK@ ; "NODEBUG"
		push	edi		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_A4A635
		xor	eax, eax
		inc	eax
		mov	_KdPitchDebugger, al
		mov	_KdPageDebuggerSection,	al
		mov	ds:_KdpBootedNodebug, al

loc_A4A1E2:				; CODE XREF: KdRegisterDebuggerDataBlock+3B8j
					; KdRegisterDebuggerDataBlock+3FAj
		push	offset ??_C@_07PEFGMEPI@NOEVENT@DFIOBLLK@ ; "NOEVENT"
		push	edi		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_A4A760
		push	offset ??_C@_05KOOCGPHN@EVENT@DFIOBLLK@	; "EVENT"
		push	edi		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_A4A76D
		xor	ecx, ecx

loc_A4A20E:				; CODE XREF: KdRegisterDebuggerDataBlock+4BAj
		xor	edx, edx
		inc	edx

loc_A4A211:				; CODE XREF: KdRegisterDebuggerDataBlock+4D2j
					; KdRegisterDebuggerDataBlock+4EAj ...
		mov	eax, dword_6B3F90
		mov	dword_6B1AA0, eax
		mov	dword_6B1AA4, ecx
		test	bh, bh
		jnz	loc_A4A7EF
		test	esi, esi
		jz	short loc_A4A237
		cmp	dword ptr [esi+0Ch], 2
		sbb	al, al
		not	al
		and	bl, al

loc_A4A237:				; CODE XREF: KdInitSystem+20Dj
		test	bl, bl
		jnz	loc_A4A7BA
		mov	_KdDebuggerNotPresent, dl

loc_A4A245:				; CODE XREF: KdInitSystem+48j
					; KdRegisterDebuggerDataBlock+5E2j ...
		test	esi, esi
		jz	short loc_A4A264
		mov	eax, [esi+84h]
		test	eax, eax
		jz	short loc_A4A264
		push	20h
		pop	ecx
		add	eax, 940h

loc_A4A25B:				; CODE XREF: KdInitSystem+244j
		mov	byte ptr [eax],	0
		inc	eax
		sub	ecx, 1
		jnz	short loc_A4A25B

loc_A4A264:				; CODE XREF: KdInitSystem+229j
					; KdInitSystem+233j ...
		mov	ecx, [esp+130h+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		inc	eax
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_A4A27E:				; CODE XREF: KdInitSystem+33j
		mov	eax, [esi+84h]
		test	byte ptr [eax+54h], 8
		jz	short loc_A4A264
		int	3		; Trap to Debugger
		jmp	short loc_A4A264
; 

loc_A4A28D:				; CODE XREF: KdInitSystem+3Cj
		push	offset _KdPerformanceCounterRate
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		cmp	_KdPitchDebugger, 0
		jz	loc_A4A990

loc_A4A2A5:				; CODE XREF: KdRegisterDebuggerDataBlock+6EAj
					; KdRegisterDebuggerDataBlock+735j
		and	_KdpLoaderDebuggerBlock, 0
		jmp	short loc_A4A264
KdInitSystem	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KdRegisterDebuggerDataBlock proc near	; CODE XREF: KdInitSystem+C9p

var_3A		= byte ptr -3Ah
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_14		= dword	ptr -14h
arg_8		= dword	ptr  10h
arg_20		= dword	ptr  28h
arg_32		= dword	ptr  3Ah
arg_3A		= byte ptr  42h
arg_5C		= dword	ptr  64h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _KdpDataSpinLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_KdpDebuggerDataListHead
		mov	edx, offset _KdpDebuggerDataListHead

loc_A4A2D7:				; CODE XREF: KdRegisterDebuggerDataBlock+749j
		cmp	ecx, edx
		jnz	loc_A4A9E8
		mov	dword ptr [esi+10h], 4742444Bh
		mov	dword ptr [esi+14h], 380h
		mov	eax, ds:dword_A9B044
		cmp	[eax], edx
		jnz	short loc_A4A326
		mov	[esi], edx
		mov	[esi+4], eax
		mov	[eax], esi
		test	ds:byte_70EFC6,	1
		mov	ds:dword_A9B044, esi
		jnz	loc_A4AA26
		xor	eax, eax
		lock and [edi],	eax

loc_A4A315:				; CODE XREF: KdRegisterDebuggerDataBlock+782j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, 1

loc_A4A31F:				; CODE XREF: KdRegisterDebuggerDataBlock+773j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_A4A326:				; CODE XREF: KdRegisterDebuggerDataBlock+46j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

ExpDebuggerWorker:			; DATA XREF: ExpWorkerInitialization+D1o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_14], eax
		push	ebx
		mov	ebx, _ExpDebuggerProcessAttach
		xor	eax, eax
		push	esi
		push	edi
		push	6
		pop	ecx
		lea	edi, [esp+48h+var_2C]
		rep stosd
		mov	eax, _ExpDebuggerProcessKill
		mov	[esp+48h+var_38], eax
		mov	al, _EtwWmitraceWork
		mov	[esp+48h+var_39], al
		call	_MmGetDefaultPagePriority@0 ; MmGetDefaultPagePriority()
		mov	esi, eax
		xor	edi, edi
		mov	eax, _ExpDebuggerPageIn
		and	esi, 7
		mov	[esp+48h+var_34], eax
		or	esi, 0B8h
		mov	[esp+48h+var_30], 1
		xor	eax, eax
		mov	_ExpDebuggerProcessKill, edi
		mov	ecx, offset _ExpDebuggerWork
		mov	_ExpDebuggerProcessAttach, edi
		mov	_ExpDebuggerPageIn, edi
		xchg	eax, [ecx]
		call	MmDbgMarkPfnModifiedWorker
		test	ebx, ebx
		jnz	short loc_A4A3FB
		cmp	[esp+48h+var_38], edi
		jnz	short loc_A4A3FB

loc_A4A3B5:				; CODE XREF: KdRegisterDebuggerDataBlock+7BFj
					; KdRegisterDebuggerDataBlock+7E1j
		mov	ecx, [esp+48h+var_34]
		test	ecx, ecx
		jnz	loc_A4AA94

loc_A4A3C1:				; CODE XREF: KdRegisterDebuggerDataBlock+824j
		mov	al, [esp+48h+var_39]
		test	al, al
		jnz	loc_A4AAD7

loc_A4A3CD:				; CODE XREF: KdRegisterDebuggerDataBlock+836j
		test	ebx, ebx
		jnz	short loc_A4A402
		cmp	[esp+48h+var_38], ebx
		jnz	short loc_A4A402
		test	ecx, ecx
		jnz	short loc_A4A402
		test	al, al
		jnz	short loc_A4A402

loc_A4A3DF:				; CODE XREF: KdRegisterDebuggerDataBlock+15Bj
		test	edi, edi
		jnz	loc_A4AAE9

loc_A4A3E7:				; CODE XREF: KdRegisterDebuggerDataBlock+84Dj
		mov	ecx, [esp+48h+var_14]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_A4A3FB:				; CODE XREF: KdRegisterDebuggerDataBlock+FFj
					; KdRegisterDebuggerDataBlock+105j
		xor	ecx, ecx
		jmp	loc_A4AA50
; 

loc_A4A402:				; CODE XREF: KdRegisterDebuggerDataBlock+121j
					; KdRegisterDebuggerDataBlock+127j ...
		push	7
		call	_DbgBreakPointWithStatus@4 ; DbgBreakPointWithStatus(x)
		jmp	short loc_A4A3DF
; 
		align 4

; char ??_C
??_C@_0BA@LFIBOGJF@DEBUGPORT?$DNLOCAL@DFIOBLLK@:
					; DATA XREF: KdRegisterDebuggerDataBlock:loc_A4A635o
		inc	esp
		inc	ebp
		inc	edx
		push	ebp
		inc	edi
		push	eax
		dec	edi
		push	edx
		push	esp
		cmp	eax, 41434F4Ch
		dec	esp
; 
		db 0
; char ??_C[]
??_C@_07PEABMPLF@NODEBUG@DFIOBLLK@ db 'NODEBUG',0 ; DATA XREF: KdInitSystem:loc_A4A1BBo
??_C@_0BD@MFHLEEJK@DBGPRINT_LOG_SIZE?$DN@DFIOBLLK@ db 'DBGPRINT_LOG_SIZE=',0
					; DATA XREF: KdInitSystem+186o
		align 4

; char ??_C
??_C@_07MMIDIINJ@DISABLE@DFIOBLLK@:	; DATA XREF: KdRegisterDebuggerDataBlock+45Fo
		inc	esp
		dec	ecx
		push	ebx
		inc	ecx
		inc	edx
		dec	esp
		inc	ebp
; 
		db 0
; 

; char ??_C
??_C@_0L@IAOBBKGC@AUTOENABLE@DFIOBLLK@:	; DATA XREF: KdRegisterDebuggerDataBlock+436o
		inc	ecx
		push	ebp
		push	esp
		dec	edi
		inc	ebp
		dec	esi
		inc	ecx
		inc	edx
		dec	esp
		inc	ebp
		add	ah, cl

; char ??_C
??_C@_06ENKGCDHB@?5DEBUG@DFIOBLLK@:	; DATA XREF: KdRegisterDebuggerDataBlock+3CEo
		and	[ebp+eax*2+arg_3A], al
		push	ebp
		inc	edi
		add	ah, cl

; char ??_C
??_C@_07ENKHKPDH@?5DEBUG?$DN@DFIOBLLK@:	; DATA XREF: KdRegisterDebuggerDataBlock:loc_A4A66Bo
		and	[ebp+eax*2+arg_3A], al
		push	ebp
		inc	edi
; 
		dw 3Dh
; char ??_C[]
??_C@_05KOOCGPHN@EVENT@DFIOBLLK@ db 'EVENT',0 ; DATA XREF: KdInitSystem+1D9o
; char ??_C[]
??_C@_07PEFGMEPI@NOEVENT@DFIOBLLK@ db 'NOEVENT',0 ; DATA XREF: KdInitSystem:loc_A4A1E2o
; 

; char ??_C
??_C@_06BFBHMODA@NOUMEX@DFIOBLLK@:	; DATA XREF: KdRegisterDebuggerDataBlock+489o
		dec	esi
		dec	edi
		push	ebp
		dec	ebp
		inc	ebp
		pop	eax
		add	ah, cl
; 
; char ??_C[]
??_C@_0DE@HLDOGPGI@?6KdPullRemoteFile?3?5Local?5file?5w@DFIOBLLK@ db 0Ah
					; DATA XREF: KdpWriteFileCallback(x,x,x,x,x)+44o
		db 'KdPullRemoteFile: Local file write failed, 0x%08x',0Ah,0
; 

; char ??_C
??_C@_0DD@PKMAJJMP@?6KdPullRemoteFile?3?5Local?5file?5o@DFIOBLLK@:
					; DATA XREF: KdpCreateFileCallback(x,x,x,x)+A5o
		or	cl, [ebx+64h]
		push	eax
		jnz	short near ptr ??_C@_0DP@JCDMHMMD@KdPullRemoteFile?$CI?$CFp?$CJ?3?5Return?5fr@DFIOBLLK@+3Eh
		insb
		push	edx
		db	65h
		insd
		outsd
		jz	short near ptr ??_C@_0DP@JCDMHMMD@KdPullRemoteFile?$CI?$CFp?$CJ?3?5Return?5fr@DFIOBLLK@+3Eh
		inc	esi
		imul	ebp, [ebp+arg_32], 636F4C20h
		popa
		insb
		and	[esi+69h], ah
		insb
		and	gs:[edi+70h], ch
		outs	dx, byte ptr gs:[esi]
		and	[esi+61h], ah
		imul	ebp, [ebp+arg_5C], 7830202Ch
		and	eax, 0A783830h
		add	ah, cl
; 
; char ??_C[]
??_C@_0DP@JCDMHMMD@KdPullRemoteFile?$CI?$CFp?$CJ?3?5Return?5fr@DFIOBLLK@ db 'KdPullRemoteFile(%p): Return from ZwCreateFile with status %x',0Ah,0
					; DATA XREF: KdpCreateFileCallback(x,x,x,x)+91o
		align 2

; char ??_C
??_C@_0EH@OJJGBFGI@KdPullRemoteFile?$CI?$CFp?$CJ?3?5About?5to?5@DFIOBLLK@:
					; DATA XREF: KdPullRemoteFileEx(x,x,x,x,x)+ADo
		dec	ebx
		db	64h
		push	eax
		jnz	short near ptr ??_C@_0CK@LNFJKKHG@EX?5debug?5work?3?5Unable?5to?5find?5p@DFIOBLLK@+29h
		insb
		push	edx
		db	65h
		insd
		outsd
		jz	short near ptr ??_C@_0CK@LNFJKKHG@EX?5debug?5work?3?5Unable?5to?5find?5p@DFIOBLLK@+29h
		inc	esi
		imul	ebp, [ebp+arg_20], 3A297025h
		and	[ecx+62h], al
		outsd
		jnz	short near ptr ??_C@_0DE@JPOCFMII@EX?5page?5in?3?5MmPrefetchVirtualMe@DFIOBLLK@+1Dh
		and	[edi+ebp*2+20h], dh
		outsd
		jbe	short near ptr ??_C@_0DE@JPOCFMII@EX?5page?5in?3?5MmPrefetchVirtualMe@DFIOBLLK@+15h
		jb	short near ptr ??_C@_0DE@JPOCFMII@EX?5page?5in?3?5MmPrefetchVirtualMe@DFIOBLLK@+29h
		jb	short near ptr ??_C@_0DE@JPOCFMII@EX?5page?5in?3?5MmPrefetchVirtualMe@DFIOBLLK@+1Dh
		jz	short near ptr ??_C@_0DE@JPOCFMII@EX?5page?5in?3?5MmPrefetchVirtualMe@DFIOBLLK@+1Bh
		and	ds:6120736Ch, ah
		outsb
		and	fs:[eax+72h], dh
		db	65h
		popa
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		and	gs:[edi+ebp*2+20h], dh
		and	eax, 78343649h
		or	al, [eax]
		int	3		; Trap to Debugger
; 
; char ??_C[]
??_C@_0CK@LNFJKKHG@EX?5debug?5work?3?5Unable?5to?5find?5p@DFIOBLLK@ db 'EX debug work: Unable to find process %p',0Ah,0
					; DATA XREF: KdRegisterDebuggerDataBlock+7D0o
; char ??_C[]
??_C@_0DE@JPOCFMII@EX?5page?5in?3?5MmPrefetchVirtualMe@DFIOBLLK@ db 'EX page in: MmPrefetchVirtualMemory failed, 0x%08x',0Ah,0
					; DATA XREF: KdRegisterDebuggerDataBlock+80Fo
; 

loc_A4A5C0:				; CODE XREF: KdInitSystem+75j
		cmp	dword ptr [eax+9Ch], 3
		jnz	loc_A4A099
		mov	ds:_KdTransportMaxPacketSize, 480h
		jmp	loc_A4A099
; 

loc_A4A5DC:				; CODE XREF: KdInitSystem+12Fj
		lea	eax, [ecx+18h]
		mov	dword ptr [ecx+416Ch], 1002Fh
		mov	[ecx+4168h], eax
		jmp	loc_A4A153
; 

loc_A4A5F4:				; CODE XREF: KdInitSystem+197j
		add	eax, 12h
		push	eax		; char *
		call	_atol
		add	eax, 0FFFh
		pop	ecx
		and	eax, 0FFFFF000h
		mov	ecx, 1000000h
		mov	ds:_KdPrintBufferAllocateSize, eax
		cmp	eax, ecx
		jbe	short loc_A4A61E
		mov	ds:_KdPrintBufferAllocateSize, ecx
		mov	eax, ecx

loc_A4A61E:				; CODE XREF: KdRegisterDebuggerDataBlock+366j
		cmp	eax, 1000h
		ja	loc_A4A1BB
		and	ds:_KdPrintBufferAllocateSize, 0
		jmp	loc_A4A1BB
; 

loc_A4A635:				; CODE XREF: KdInitSystem+1ACj
		push	offset ??_C@_0BA@LFIBOGJF@DEBUGPORT?$DNLOCAL@DFIOBLLK@ ; char *
		push	edi		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A4A66B
		xor	eax, eax
		mov	ds:_KdpBootedNodebug, 0
		inc	eax
		mov	_KdPitchDebugger, al
		mov	bh, al
		mov	_KdPageDebuggerSection,	al
		mov	_KdDebuggerNotPresent, al
		mov	_KdLocalDebugEnabled, al
		jmp	loc_A4A1E2
; 

loc_A4A66B:				; CODE XREF: KdRegisterDebuggerDataBlock+396j
					; KdRegisterDebuggerDataBlock+3F4j
		push	offset ??_C@_07ENKHKPDH@?5DEBUG?$DN@DFIOBLLK@ ;	char *
		push	edi		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A4A68D
		push	offset ??_C@_06ENKGCDHB@?5DEBUG@DFIOBLLK@ ; char *
		push	edi		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A4A6A4

loc_A4A68D:				; CODE XREF: KdRegisterDebuggerDataBlock+3CCj
		lea	edi, [eax+6]
		mov	cl, [edi]
		cmp	cl, 3Dh
		jz	short loc_A4A6AD
		cmp	cl, 20h
		jz	short loc_A4A6AD
		test	cl, cl
		jz	short loc_A4A6AD
		test	edi, edi
		jnz	short loc_A4A66B

loc_A4A6A4:				; CODE XREF: KdRegisterDebuggerDataBlock+3DDj
					; KdRegisterDebuggerDataBlock+40Cj ...
		mov	edi, [esp+40h+var_2C]
		jmp	loc_A4A1E2
; 

loc_A4A6AD:				; CODE XREF: KdRegisterDebuggerDataBlock+3E7j
					; KdRegisterDebuggerDataBlock+3ECj ...
		mov	ds:_KdpBootedNodebug, 0
		mov	bl, 1
		cmp	byte ptr [eax+6], 3Dh
		jnz	short loc_A4A6A4
		lea	ecx, [eax+7]

loc_A4A6BF:				; CODE XREF: KdRegisterDebuggerDataBlock+4ADj
		mov	al, [ecx]
		mov	edi, ecx
		jmp	short loc_A4A6D4
; 

loc_A4A6C5:				; CODE XREF: KdRegisterDebuggerDataBlock+428j
		cmp	al, 2Ch
		jz	short loc_A4A6D8
		cmp	al, 20h
		jz	short loc_A4A6D8
		cmp	al, 9
		jz	short loc_A4A6D8
		inc	edi
		mov	al, [edi]

loc_A4A6D4:				; CODE XREF: KdRegisterDebuggerDataBlock+415j
		test	al, al
		jnz	short loc_A4A6C5

loc_A4A6D8:				; CODE XREF: KdRegisterDebuggerDataBlock+419j
					; KdRegisterDebuggerDataBlock+41Dj ...
		mov	eax, edi
		sub	eax, ecx
		jz	short loc_A4A6A4
		cmp	eax, 0Ah
		jnz	short loc_A4A707
		push	eax		; size_t
		push	offset ??_C@_0L@IAOBBKGC@AUTOENABLE@DFIOBLLK@ ;	char *
		push	ecx		; char *
		call	_strncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A4A74F
		inc	eax
		mov	byte ptr [esp+40h+var_30+3], 0
		mov	byte ptr [esp+40h+var_30+2], al
		mov	_KdAutoEnableOnEvent, al
		jmp	short loc_A4A74F
; 

loc_A4A707:				; CODE XREF: KdRegisterDebuggerDataBlock+433j
		cmp	eax, 7
		jnz	short loc_A4A731
		push	eax		; size_t
		push	offset ??_C@_07MMIDIINJ@DISABLE@DFIOBLLK@ ; char *
		push	ecx		; char *
		call	_strncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A4A74F
		inc	eax
		mov	_KdAutoEnableOnEvent, 0
		mov	byte ptr [esp+40h+var_30+2], al
		mov	byte ptr [esp+40h+var_30+3], al
		jmp	short loc_A4A74F
; 

loc_A4A731:				; CODE XREF: KdRegisterDebuggerDataBlock+45Cj
		cmp	eax, 6
		jnz	short loc_A4A74F
		push	eax		; size_t
		push	offset ??_C@_06BFBHMODA@NOUMEX@DFIOBLLK@ ; char	*
		push	ecx		; char *
		call	_strncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A4A74F
		inc	eax
		mov	_KdIgnoreUmExceptions, al

loc_A4A74F:				; CODE XREF: KdRegisterDebuggerDataBlock+446j
					; KdRegisterDebuggerDataBlock+457j ...
		cmp	byte ptr [edi],	2Ch
		jnz	loc_A4A6A4
		lea	ecx, [edi+1]
		jmp	loc_A4A6BF
; 

loc_A4A760:				; CODE XREF: KdInitSystem+1D3j
		xor	ecx, ecx
		mov	_KdEventLoggingEnabled,	cl
		jmp	loc_A4A20E
; 

loc_A4A76D:				; CODE XREF: KdInitSystem+1E8j
		xor	edx, edx
		inc	edx
		xor	ecx, ecx
		mov	_KdEventLoggingEnabled,	dl
		mov	bl, dl
		mov	_KdPageDebuggerSection,	cl
		jmp	loc_A4A211
; 

loc_A4A785:				; CODE XREF: KdInitSystem+171j
		xor	edx, edx
		inc	edx
		xor	ecx, ecx
		mov	_KdPitchDebugger, dl
		mov	bl, cl
		mov	_KdPageDebuggerSection,	dl
		jmp	loc_A4A211
; 

loc_A4A79D:				; CODE XREF: KdInitSystem+137j
		mov	eax, ds:_PsNtosImageBase
		cdq
		mov	dword_6B3F94, edx
		xor	edx, edx
		inc	edx
		mov	dword_6B3F90, eax
		mov	bl, dl
		xor	ecx, ecx
		jmp	loc_A4A211
; 

loc_A4A7BA:				; CODE XREF: KdInitSystem+21Bj
		push	offset _KdpContext
		push	esi
		push	ecx
		call	ds:__imp__KdInitialize@12 ; KdInitialize(x,x,x)
		xor	edx, edx
		test	eax, eax
		js	short loc_A4A7D8
		inc	edx
		xor	ecx, ecx
		mov	_KdpDebugRoutineSelect,	edx
		jmp	short loc_A4A7EF
; 

loc_A4A7D8:				; CODE XREF: KdRegisterDebuggerDataBlock+51Dj
		xor	ecx, ecx
		inc	edx
		mov	_KdPitchDebugger, cl
		mov	bl, cl
		mov	_KdDebuggerNotPresent, dl
		mov	_KdLocalDebugEnabled, dl

loc_A4A7EF:				; CODE XREF: KdInitSystem+205j
					; KdRegisterDebuggerDataBlock+528j
		cmp	ds:_KdpDebuggerStructuresInitialized, 0
		jnz	short loc_A4A845
		push	ecx
		push	offset _KdpTimeSlipDpcRoutine@16 ; KdpTimeSlipDpcRoutine(x,x,x,x)
		push	offset _KdpTimeSlipDpc
		mov	byte_6CB514, cl
		mov	_KdpContext, 14h
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	0
		push	offset _KdpTimeSlipTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		xor	ecx, ecx
		mov	dword_6FE028, offset _KdpTimeSlipWork@4	; KdpTimeSlipWork(x)
		xor	edx, edx
		mov	dword_6FE02C, ecx
		inc	edx
		mov	_KdpTimeSlipWorkItem, ecx
		mov	ds:_KdpDebuggerStructuresInitialized, dl

loc_A4A845:				; CODE XREF: KdRegisterDebuggerDataBlock+548j
		cmp	_KdEventLoggingEnabled,	0
		mov	ds:dword_A9B024, ecx
		mov	ds:_KdTimerStart, ecx
		jz	short loc_A4A87D
		cmp	ds:_KdpBootedNodebug, 0
		jz	short loc_A4A87D
		mov	_KdPitchDebugger, dl
		mov	_KdEventLoggingPresent,	bl
		mov	_KdDebuggerNotPresent, dl
		mov	_KdLocalDebugEnabled, cl
		jmp	short loc_A4A896
; 

loc_A4A87D:				; CODE XREF: KdRegisterDebuggerDataBlock+5AAj
					; KdRegisterDebuggerDataBlock+5B3j
		mov	_KdDebuggerEnabled, dl
		mov	ds:0FFDF02D4h, dl
		cmp	_KdLocalDebugEnabled, 0
		jnz	loc_A4A245

loc_A4A896:				; CODE XREF: KdRegisterDebuggerDataBlock+5CDj
		cmp	_KdEventLoggingEnabled,	0
		jz	short loc_A4A8AC
		cmp	_KdDebuggerEnabled, 0
		jz	loc_A4A245

loc_A4A8AC:				; CODE XREF: KdRegisterDebuggerDataBlock+5EFj
		cmp	[esp+4Ch+var_3A], 0
		mov	_KdPitchDebugger, cl
		jz	short loc_A4A8CC
		call	_KdDisableDebuggerWithLock@4 ; KdDisableDebuggerWithLock(x)
		mov	al, [esp+4Ch+var_39]
		mov	_KdBlockEnable,	al
		jmp	loc_A4A245
; 

loc_A4A8CC:				; CODE XREF: KdRegisterDebuggerDataBlock+609j
		test	esi, esi
		jz	loc_A4A96B
		lea	ebx, [esi+10h]
		mov	eax, ecx
		mov	edi, [ebx]
		mov	[esp+4Ch+var_38], eax
		cmp	edi, ebx
		jnz	short loc_A4A8EA
		jmp	loc_A4A979
; 

loc_A4A8E8:				; CODE XREF: KdRegisterDebuggerDataBlock+6B4j
		xor	ecx, ecx

loc_A4A8EA:				; CODE XREF: KdRegisterDebuggerDataBlock+633j
		cmp	eax, 3
		jnb	loc_A4A979
		mov	[esp+4Ch+var_2C], ecx
		mov	[esp+4Ch+var_28], ecx
		movzx	edx, word ptr [edi+24h]
		mov	eax, [edi+28h]
		shr	edx, 1
		mov	[esp+4Ch+var_34], eax
		cmp	edx, 100h
		jb	short loc_A4A915
		mov	edx, 0FFh

loc_A4A915:				; CODE XREF: KdRegisterDebuggerDataBlock+660j
		mov	ebx, [esp+4Ch+var_34]

loc_A4A919:				; CODE XREF: KdRegisterDebuggerDataBlock+677j
		mov	al, [ebx]
		lea	ebx, [ebx+2]
		mov	byte ptr [esp+ecx+4Ch+var_24], al
		inc	ecx
		cmp	ecx, edx
		jb	short loc_A4A919
		lea	ebx, [esi+10h]
		cmp	ecx, 100h
		jnb	short loc_A4A966
		lea	eax, [esp+4Ch+var_24]
		mov	byte ptr [esp+ecx+4Ch+var_24], 0
		push	eax
		lea	eax, [esp+50h+var_2C]
		push	eax
		call	_RtlInitString@8 ; RtlInitString(x,x)
		push	0FFFFFFFFh
		push	dword ptr [edi+18h]
		lea	eax, [esp+54h+var_2C]
		push	eax
		call	DbgLoadImageSymbols
		mov	eax, [esp+4Ch+var_38]
		mov	edi, [edi]
		inc	eax
		mov	[esp+4Ch+var_38], eax
		cmp	edi, ebx
		jnz	short loc_A4A8E8
		jmp	short loc_A4A979
; 

loc_A4A966:				; CODE XREF: KdRegisterDebuggerDataBlock+682j
		call	___report_rangecheckfailure

loc_A4A96B:				; CODE XREF: KdRegisterDebuggerDataBlock+620j
		push	0FFFFFFFFh
		push	dword_6B1AA0
		push	ecx
		call	DbgLoadImageSymbols

loc_A4A979:				; CODE XREF: KdRegisterDebuggerDataBlock+635j
					; KdRegisterDebuggerDataBlock+63Fj ...
		test	esi, esi
		jz	loc_A4A264
		call	KdPollBreakIn
		mov	_KdBreakAfterSymbolLoad, al
		jmp	loc_A4A245
; 

loc_A4A990:				; CODE XREF: KdInitSystem+281j
		xor	esi, esi
		cmp	ds:_KeNumberProcessors,	esi
		jbe	loc_A4A2A5
		mov	ebx, 1000h

loc_A4A9A3:				; CODE XREF: KdRegisterDebuggerDataBlock+733j
		push	6F49644Bh
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A4A9DA
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		and	[esp+4Ch+var_24], 0
		lea	eax, [esp+4Ch+var_24]
		add	esp, 0Ch
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	_KdLogBuffer[esi*4], edi

loc_A4A9DA:				; CODE XREF: KdRegisterDebuggerDataBlock+709j
		inc	esi
		cmp	esi, ds:_KeNumberProcessors
		jb	short loc_A4A9A3
		jmp	loc_A4A2A5
; 

loc_A4A9E8:				; CODE XREF: KdRegisterDebuggerDataBlock+2Bj
		mov	eax, ecx
		mov	ecx, [ecx]
		cmp	eax, esi
		jz	short loc_A4A9FD
		cmp	dword ptr [eax+10h], 4742444Bh
		jnz	loc_A4A2D7

loc_A4A9FD:				; CODE XREF: KdRegisterDebuggerDataBlock+740j
		test	ds:byte_70EFC6,	1
		jz	short loc_A4AA12
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A4AA17
; 

loc_A4AA12:				; CODE XREF: KdRegisterDebuggerDataBlock+756j
		xor	eax, eax
		lock and [edi],	eax

loc_A4AA17:				; CODE XREF: KdRegisterDebuggerDataBlock+762j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	al, al
		jmp	loc_A4A31F
; 

loc_A4AA26:				; CODE XREF: KdRegisterDebuggerDataBlock+5Cj
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_A4A315
; 

loc_A4AA35:				; CODE XREF: KdRegisterDebuggerDataBlock+7ABj
		cmp	edi, ebx
		jz	short loc_A4AA5D
		mov	ecx, edi
		cmp	edi, [esp+10h]
		jnz	short loc_A4AA50
		mov	edx, 40010004h
		call	_PsTerminateProcess@8 ;	PsTerminateProcess(x,x)
		jmp	loc_A4AAF4
; 

loc_A4AA50:				; CODE XREF: KdRegisterDebuggerDataBlock+14Fj
					; KdRegisterDebuggerDataBlock+791j
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A4AA35
		jmp	short loc_A4AA73
; 

loc_A4AA5D:				; CODE XREF: KdRegisterDebuggerDataBlock+789j
		lea	eax, [esp+0Ch+arg_8]
		xor	edx, edx
		push	eax
		mov	ecx, ebx
		call	KiStackAttachProcess
		test	edi, edi
		jnz	loc_A4A3B5

loc_A4AA73:				; CODE XREF: KdRegisterDebuggerDataBlock+7ADj
		mov	eax, ebx
		test	ebx, ebx
		jnz	short loc_A4AA7D
		mov	eax, [esp+10h]

loc_A4AA7D:				; CODE XREF: KdRegisterDebuggerDataBlock+7C9j
		push	eax		; char
		push	offset ??_C@_0CK@LNFJKKHG@EX?5debug?5work?3?5Unable?5to?5find?5p@DFIOBLLK@ ; "EX debug work: Unable to find process %"...
		push	0		; int
		push	0		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	loc_A4A3B5
; 

loc_A4AA94:				; CODE XREF: KdRegisterDebuggerDataBlock+10Dj
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jz	short loc_A4AAA2
		push	0FFFFFFFDh
		pop	ecx
		jmp	short loc_A4AAAA
; 

loc_A4AAA2:				; CODE XREF: KdRegisterDebuggerDataBlock+7EDj
		cmp	ecx, ds:_MmSystemRangeStart
		sbb	ecx, ecx

loc_A4AAAA:				; CODE XREF: KdRegisterDebuggerDataBlock+7F2j
		push	esi
		lea	eax, [esp+4Ch+var_34]
		xor	edx, edx
		push	eax
		inc	edx
		call	MmPrefetchVirtualMemory
		test	eax, eax
		jns	short loc_A4AACE
		push	eax		; char
		push	offset ??_C@_0DE@JPOCFMII@EX?5page?5in?3?5MmPrefetchVirtualMe@DFIOBLLK@	; "EX page in: MmPrefetchVirtualMemory fai"...
		push	0		; int
		push	0		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_A4AACE:				; CODE XREF: KdRegisterDebuggerDataBlock+80Cj
		mov	ecx, [esp+48h+var_34]
		jmp	loc_A4A3C1
; 

loc_A4AAD7:				; CODE XREF: KdRegisterDebuggerDataBlock+119j
		call	_EtwWmitraceWorker@0 ; EtwWmitraceWorker()
		mov	ecx, [esp+48h+var_34]
		mov	al, [esp+48h+var_39]
		jmp	loc_A4A3CD
; 

loc_A4AAE9:				; CODE XREF: KdRegisterDebuggerDataBlock+133j
		xor	edx, edx
		lea	ecx, [esp+48h+var_2C]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)

loc_A4AAF4:				; CODE XREF: KdRegisterDebuggerDataBlock+79Dj
		mov	ecx, edi
		call	_PsQuitNextProcess@4 ; PsQuitNextProcess(x)
		jmp	loc_A4A3E7
KdRegisterDebuggerDataBlock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdPullRemoteFile(x,	x, x, x)
_KdPullRemoteFile@16 proc near		; CODE XREF: MiCreateSectionForDriver+AF3F1p
					; ExpKdPullRemoteFileForUser(x)+3F4p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		and	[esp+10h+var_4], 0
		lea	eax, [esp+10h+var_10]
		push	eax
		push	offset _KdpCloseFileCallback@8 ; KdpCloseFileCallback(x,x)
		push	offset _KdpWriteFileCallback@20	; KdpWriteFileCallback(x,x,x,x,x)
		push	offset _KdpCreateFileCallback@16 ; KdpCreateFileCallback(x,x,x,x)
		push	ecx
		mov	[esp+24h+var_10], 80h
		mov	[esp+24h+var_C], 5
		mov	[esp+24h+var_8], 20h
		call	_KdPullRemoteFileEx@20 ; KdPullRemoteFileEx(x,x,x,x,x)
		mov	esp, ebp
		pop	ebp
		retn	8
_KdPullRemoteFile@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdPullRemoteFileEx(x, x, x,	x, x)
_KdPullRemoteFileEx@20 proc near	; CODE XREF: KdPullRemoteFile(x,x,x,x)+3Cp
					; DATA XREF: Phase1InitializationDiscard(x)+A96o

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[esp+28h+var_8], eax
		mov	[esp+28h+var_4], eax
		mov	[esp+28h+var_10], eax
		cmp	_KdDebuggerEnabled, al
		jz	loc_A4ACE0
		cmp	_KdDebuggerNotPresent, al
		jnz	loc_A4ACE0
		cmp	_KdPitchDebugger, al
		jnz	loc_A4ACE0
		push	6F49644Bh
		push	2000h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A4ABAB
		mov	eax, 0C0000017h
		jmp	loc_A4ACE5
; 

loc_A4ABAB:				; CODE XREF: KdPullRemoteFileEx(x,x,x,x,x)+58j
		mov	ebx, [ebp+arg_0]
		lea	edx, [esp+28h+var_8]
		sub	esp, 14h
		lea	ecx, [esp+3Ch+var_10]
		push	ebx
		call	_KdpCreateRemoteFile@32	; KdpCreateRemoteFile(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A4ACBE
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		push	edi		; void *
		call	_memcpy
		movzx	eax, word ptr [ebx]
		add	esp, 0Ch
		shr	eax, 1
		xor	ecx, ecx
		push	[esp+28h+var_4]
		mov	[edi+eax*2], cx
		push	[esp+2Ch+var_8]
		mov	eax, large fs:124h
		push	edi
		push	eax		; char
		push	offset ??_C@_0EH@OJJGBFGI@KdPullRemoteFile?$CI?$CFp?$CJ?3?5About?5to?5@DFIOBLLK@ ; char	*
		push	ecx		; int
		push	ecx		; int
		call	_DbgPrintEx
		mov	eax, [esp+44h+var_4]
		add	esp, 1Ch
		mov	[esp+28h+var_C], eax
		push	eax
		push	[esp+2Ch+var_8]
		push	ebx
		push	[ebp+arg_10]
		call	[ebp+arg_4]
		mov	esi, eax
		test	esi, esi
		js	loc_A4ACBE
		mov	eax, [esp+38h+var_14]
		xor	ecx, ecx
		mov	ebx, [esp+38h+var_18]
		xor	edx, edx
		mov	[esp+38h+var_28], ecx
		mov	[esp+38h+var_24], edx
		test	eax, eax
		jz	short loc_A4ACB6

loc_A4AC39:				; CODE XREF: KdPullRemoteFileEx(x,x,x,x,x)+16Bj
					; KdPullRemoteFileEx(x,x,x,x,x)+171j
		and	[esp+38h+var_2C], 0
		test	eax, eax
		jnz	short loc_A4AC4C
		mov	eax, ebx
		cmp	ebx, 2000h
		jbe	short loc_A4AC51

loc_A4AC4C:				; CODE XREF: KdPullRemoteFileEx(x,x,x,x,x)+F9j
		mov	eax, 2000h

loc_A4AC51:				; CODE XREF: KdPullRemoteFileEx(x,x,x,x,x)+103j
		lea	esi, [esp+38h+var_2C]
		push	esi
		push	eax
		push	edx
		push	ecx
		mov	ecx, [esp+48h+var_20]
		mov	edx, edi
		call	_KdpReadRemoteFile@24 ;	KdpReadRemoteFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A4ACBE
		cmp	[esp+38h+var_2C], 0
		jz	short loc_A4ACBE
		push	[esp+38h+var_2C]
		push	edi
		push	[esp+40h+var_24]
		push	[esp+44h+var_28]
		push	[ebp+arg_10]
		call	[ebp+arg_8]
		mov	esi, eax
		test	esi, esi
		js	short loc_A4ACBE
		mov	ecx, [esp+4Ch+var_3C]
		add	ecx, [esp+4Ch+var_40]
		mov	edx, [esp+4Ch+var_38]
		mov	eax, [esp+4Ch+var_30]
		adc	edx, 0
		sub	ebx, [esp+4Ch+var_40]
		mov	[esp+4Ch+var_3C], ecx
		sbb	eax, 0
		mov	[esp+4Ch+var_38], edx
		mov	[esp+4Ch+var_30], eax
		test	eax, eax
		ja	short loc_A4AC39
		jb	short loc_A4ACBE

loc_A4ACB6:				; CODE XREF: KdPullRemoteFileEx(x,x,x,x,x)+F0j
		test	ebx, ebx
		jnz	loc_A4AC39

loc_A4ACBE:				; CODE XREF: KdPullRemoteFileEx(x,x,x,x,x)+7Cj
					; KdPullRemoteFileEx(x,x,x,x,x)+D4j ...
		mov	eax, [esp+4Ch+var_34]
		test	eax, eax
		jz	short loc_A4ACCD
		mov	ecx, eax
		call	_KdpCloseRemoteFile@4 ;	KdpCloseRemoteFile(x)

loc_A4ACCD:				; CODE XREF: KdPullRemoteFileEx(x,x,x,x,x)+17Dj
		push	esi
		push	[ebp+arg_10]
		call	[ebp+arg_C]
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		jmp	short loc_A4ACE5
; 

loc_A4ACE0:				; CODE XREF: KdPullRemoteFileEx(x,x,x,x,x)+22j
					; KdPullRemoteFileEx(x,x,x,x,x)+2Ej ...
		mov	eax, 0C0000354h

loc_A4ACE5:				; CODE XREF: KdPullRemoteFileEx(x,x,x,x,x)+5Fj
					; KdPullRemoteFileEx(x,x,x,x,x)+197j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_KdPullRemoteFileEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpCloseFileCallback(x, x)
_KdpCloseFileCallback@8	proc near	; DATA XREF: KdPullRemoteFile(x,x,x,x)+14o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+0Ch]
		test	eax, eax
		jz	short loc_A4AD03
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_A4AD03:				; CODE XREF: KdpCloseFileCallback(x,x)+Dj
		pop	ebp
		retn	8
_KdpCloseFileCallback@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpCloseRemoteFile(x)
_KdpCloseRemoteFile@4 proc near		; CODE XREF: KdPullRemoteFileEx(x,x,x,x,x)+181p

var_5C		= dword	ptr -5Ch
var_56		= word ptr -56h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	40h
		pop	eax
		push	eax		; size_t
		lea	eax, [ebp+var_48]
		push	0		; int
		push	eax		; void *
		lea	esi, [ecx-1]
		call	_memset
		add	esp, 0Ch
		cmp	esi, 10h
		jb	short loc_A4AD40
		mov	eax, 0C000000Dh
		jmp	loc_A4AE27
; 

loc_A4AD40:				; CODE XREF: KdpCloseRemoteFile(x)+2Dj
		xor	edx, edx
		xor	ecx, ecx
		call	_KdEnterDebugger@8 ; KdEnterDebugger(x,x)
		mov	edx, ds:_KdpRemoteFiles[esi*8]
		mov	bl, al
		mov	edi, ds:dword_A9B04C[esi*8]
		mov	ecx, edx
		or	ecx, edi
		jnz	short loc_A4AD6B
		mov	[ebp+var_44], 0C000000Dh
		jmp	loc_A4AE1D
; 

loc_A4AD6B:				; CODE XREF: KdpCloseRemoteFile(x)+56j
		mov	[ebp+var_3C], edi
		xor	ecx, ecx
		mov	edi, ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		mov	[ebp+var_40], edx
		jmp	short loc_A4ADC5
; 

loc_A4AD7B:				; CODE XREF: KdpCloseRemoteFile(x)+F4j
		mov	eax, 1000h
		mov	[ebp+var_54], offset _KdpMessageBuffer
		mov	[ebp+var_56], ax
		lea	eax, [ebp+var_5C]
		push	offset _KdpContext
		push	eax
		lea	eax, [ebp-58h]
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		push	0Bh
		call	ds:__imp__KdReceivePacket@20 ; KdReceivePacket(x,x,x,x,x)
		test	eax, eax
		jz	loc_A4AE36
		mov	eax, ds:_KdpRemoteFiles[esi*8]
		xor	ecx, ecx
		mov	[ebp+var_40], eax
		mov	eax, ds:dword_A9B04C[esi*8]
		mov	[ebp+var_44], ecx
		mov	[ebp+var_3C], eax

loc_A4ADC5:				; CODE XREF: KdpCloseRemoteFile(x)+72j
		push	40h
		pop	eax
		mov	word ptr [ebp+var_50], ax
		mov	word ptr [ebp+var_50+2], ax
		lea	eax, [ebp+var_48]
		push	offset _KdpContext
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_50]
		push	ecx
		push	eax
		push	0Bh
		mov	[ebp-58h], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_48], 3433h
		call	edi
		cmp	_KdDebuggerNotPresent, 0
		jz	loc_A4AD7B
		mov	eax, 0C0000354h
		mov	[ebp+var_44], eax

loc_A4AE09:				; CODE XREF: KdpCloseRemoteFile(x)+132j
		test	eax, eax
		js	short loc_A4AE1D
		and	ds:_KdpRemoteFiles[esi*8], 0
		and	ds:dword_A9B04C[esi*8],	0

loc_A4AE1D:				; CODE XREF: KdpCloseRemoteFile(x)+5Fj
					; KdpCloseRemoteFile(x)+104j
		mov	cl, bl
		call	_KdExitDebugger@4 ; KdExitDebugger(x)
		mov	eax, [ebp+var_44]

loc_A4AE27:				; CODE XREF: KdpCloseRemoteFile(x)+34j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_A4AE36:				; CODE XREF: KdpCloseRemoteFile(x)+9Fj
		mov	eax, [ebp+var_44]
		jmp	short loc_A4AE09
_KdpCloseRemoteFile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpCreateFileCallback(x, x,	x, x)
_KdpCreateFileCallback@16 proc near	; DATA XREF: KdPullRemoteFile(x,x,x,x)+1Eo

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 28h
		mov	edx, [ebp+arg_0]
		mov	ecx, _CmStateSeparationEnabled
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+30h+var_10], eax
		mov	eax, [ebp+arg_8]
		neg	ecx
		mov	[esp+30h+var_28], eax
		mov	eax, [ebp+arg_C]
		sbb	ecx, ecx
		push	edi
		mov	[esp+34h+var_24], eax
		and	ecx, 80000h
		mov	eax, [edx+8]
		push	edi
		or	eax, ecx
		mov	[esp+38h+var_20], edi
		push	eax
		push	dword ptr [edx+4]
		lea	eax, [esp+40h+var_28]
		mov	[esp+40h+var_1C], edi
		push	edi
		push	dword ptr [edx]
		mov	[esp+48h+var_18], 18h
		push	eax
		lea	eax, [esp+4Ch+var_20]
		mov	[esp+4Ch+var_14], edi
		push	eax
		lea	eax, [esp+50h+var_18]
		mov	[esp+50h+var_C], 240h
		push	eax
		push	120116h
		lea	eax, [edx+0Ch]
		mov	[esp+58h+var_8], edi
		push	eax
		mov	[esp+5Ch+var_4], edi
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, large fs:124h
		mov	esi, eax
		push	esi
		push	ecx		; char
		push	offset ??_C@_0DP@JCDMHMMD@KdPullRemoteFile?$CI?$CFp?$CJ?3?5Return?5fr@DFIOBLLK@	; "KdPullRemoteFile(%p): Return	from ZwCre"...
		push	edi		; int
		push	edi		; int
		call	_DbgPrintEx
		add	esp, 14h
		test	esi, esi
		jns	short loc_A4AEF0
		push	esi		; char
		push	offset ??_C@_0DD@PKMAJJMP@?6KdPullRemoteFile?3?5Local?5file?5o@DFIOBLLK@ ; char	*
		push	2		; int
		push	edi		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_A4AEF0:				; CODE XREF: KdpCreateFileCallback(x,x,x,x)+A2j
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	10h
_KdpCreateFileCallback@16 endp

; 
		db 0CCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpCreateRemoteFile(x, x, x, x, x, x, x, x)
_KdpCreateRemoteFile@32	proc near	; CODE XREF: KdPullRemoteFileEx(x,x,x,x,x)+73p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	40h
		pop	eax
		push	eax		; size_t
		lea	eax, [ebp+var_48]
		mov	[ebp+var_64], ecx
		push	0		; int
		push	eax		; void *
		mov	edi, edx
		call	_memset
		mov	ebx, [ebp+arg_0]
		add	esp, 0Ch
		mov	ecx, ds:_KdTransportMaxPacketSize
		add	ecx, 0FFFFFFC0h
		movzx	eax, word ptr [ebx]
		cmp	eax, ecx
		jbe	short loc_A4AF44
		mov	eax, 0C000000Dh
		jmp	loc_A4B0B5
; 

loc_A4AF44:				; CODE XREF: KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+3Dj
		cmp	_KdDebuggerNotPresent, 0
		jz	short loc_A4AF57
		mov	eax, 0C0000354h
		jmp	loc_A4B0B5
; 

loc_A4AF57:				; CODE XREF: KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+50j
		xor	edx, edx
		xor	ecx, ecx
		call	_KdEnterDebugger@8 ; KdEnterDebugger(x,x)
		mov	[ebp+var_49], al
		xor	esi, esi

loc_A4AF65:				; CODE XREF: KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+7Ej
		mov	ecx, ds:_KdpRemoteFiles[esi*8]
		or	ecx, ds:dword_A9B04C[esi*8]
		jz	short loc_A4AF7B
		inc	esi
		cmp	esi, 10h
		jb	short loc_A4AF65

loc_A4AF7B:				; CODE XREF: KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+78j
		cmp	esi, 10h
		jb	short loc_A4AF8C
		mov	[ebp+var_44], 0C0000017h
		jmp	loc_A4B0AA
; 

loc_A4AF8C:				; CODE XREF: KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+83j
					; KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+154j
		movzx	edx, word ptr [ebx]
		xor	ecx, ecx
		push	40h
		pop	eax
		mov	word ptr [ebp+var_60], ax
		mov	word ptr [ebp+var_60+2], ax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_50]
		push	eax
		push	4
		push	ecx
		push	ecx
		push	dword ptr [ebx+4]
		mov	[ebp+var_58], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_30], ecx
		mov	ecx, offset _KdpMessageBuffer
		mov	[ebp+var_48], 3430h
		mov	[ebp+var_40], 120089h
		mov	[ebp+var_3C], 80h
		mov	[ebp+var_38], 1
		mov	[ebp+var_34], 1
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	eax, [ebp+var_50]
		xor	ecx, ecx
		add	eax, 2
		mov	[ebp+var_54], offset _KdpMessageBuffer
		mov	word ptr [ebp+var_58], ax
		movzx	eax, ax
		push	offset _KdpContext
		mov	ds:word_A9B0C6[eax], cx
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		push	0Bh
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_A4B05A
		mov	eax, 1000h
		mov	[ebp+var_54], offset _KdpMessageBuffer
		mov	word ptr [ebp+var_58+2], ax
		lea	eax, [ebp+var_50]
		push	offset _KdpContext
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		push	0Bh
		call	ds:__imp__KdReceivePacket@20 ; KdReceivePacket(x,x,x,x,x)
		test	eax, eax
		jnz	loc_A4AF8C
		mov	eax, [ebp+var_44]
		jmp	short loc_A4B062
; 

loc_A4B05A:				; CODE XREF: KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+127j
		mov	eax, 0C0000354h
		mov	[ebp+var_44], eax

loc_A4B062:				; CODE XREF: KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+15Dj
		test	eax, eax
		js	short loc_A4B0AA
		mov	eax, [ebp+var_28]
		mov	ecx, [ebp+var_64]
		mov	ds:_KdpRemoteFiles[esi*8], eax
		mov	eax, [ebp+var_24]
		mov	ds:dword_A9B04C[esi*8],	eax
		lea	eax, [esi+1]
		mov	[ecx], eax
		test	edi, edi
		jz	short loc_A4B0AA
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jnz	short loc_A4B09F
		mov	ecx, [ebp+var_20]
		cmp	ecx, 10000000h
		jnb	short loc_A4B09F
		mov	[edi], ecx
		mov	[edi+4], eax
		jmp	short loc_A4B0AA
; 

loc_A4B09F:				; CODE XREF: KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+190j
					; KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+19Bj
		and	dword ptr [edi+4], 0
		mov	eax, 1000h
		mov	[edi], eax

loc_A4B0AA:				; CODE XREF: KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+8Cj
					; KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+169j ...
		mov	cl, [ebp+var_49]
		call	_KdExitDebugger@4 ; KdExitDebugger(x)
		mov	eax, [ebp+var_44]

loc_A4B0B5:				; CODE XREF: KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+44j
					; KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+57j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	18h
_KdpCreateRemoteFile@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpReadRemoteFile(x, x, x, x, x, x)
_KdpReadRemoteFile@24 proc near		; CODE XREF: KdPullRemoteFileEx(x,x,x,x,x)+118p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_49		= byte ptr -49h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		push	40h
		mov	[ebp+var_70], eax
		lea	edi, [ecx-1]
		pop	eax
		push	eax		; size_t
		lea	eax, [ebp+var_48]
		mov	[ebp+var_50], edx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		xor	ebx, ebx
		cmp	edi, 10h
		jb	short loc_A4B10A
		mov	eax, 0C000000Dh
		jmp	loc_A4B22D
; 

loc_A4B10A:				; CODE XREF: KdpReadRemoteFile(x,x,x,x,x,x)+38j
		xor	edx, edx
		xor	ecx, ecx
		call	_KdEnterDebugger@8 ; KdEnterDebugger(x,x)
		mov	ecx, ds:_KdpRemoteFiles[edi*8]
		or	ecx, ds:dword_A9B04C[edi*8]
		mov	[ebp+var_49], al
		jnz	short loc_A4B132
		mov	[ebp+var_44], 0C000000Dh
		jmp	loc_A4B223
; 

loc_A4B132:				; CODE XREF: KdpReadRemoteFile(x,x,x,x,x,x)+5Ej
		mov	esi, [ebp+arg_8]
		test	esi, esi
		jz	loc_A4B21E
		mov	ecx, [ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	[ebp+var_54], ecx
		mov	[ebp+var_58], edx

loc_A4B149:				; CODE XREF: KdpReadRemoteFile(x,x,x,x,x,x)+146j
		xor	eax, eax
		mov	[ebp+var_48], 3431h
		mov	[ebp+var_64], eax
		mov	[ebp+var_60], eax
		mov	[ebp+var_5C], eax
		mov	[ebp+var_44], eax
		mov	eax, ds:_KdpRemoteFiles[edi*8]
		mov	[ebp+var_40], eax
		mov	eax, ds:dword_A9B04C[edi*8]
		mov	[ebp+var_3C], eax
		mov	eax, ds:_KdTransportMaxPacketSize
		add	eax, 0FFFFFFC0h
		mov	[ebp+var_38], edx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], eax
		cmp	esi, eax
		ja	short loc_A4B18A
		mov	[ebp+var_30], esi

loc_A4B18A:				; CODE XREF: KdpReadRemoteFile(x,x,x,x,x,x)+BFj
		push	40h
		pop	eax
		mov	word ptr [ebp+var_6C], ax
		mov	word ptr [ebp+var_6C+2], ax
		lea	eax, [ebp+var_48]
		push	offset _KdpContext
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_6C]
		push	0
		push	eax
		push	0Bh
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_A4B214
		mov	ax, word ptr [ebp+var_30]
		mov	word ptr [ebp+var_64+2], ax
		mov	eax, [ebp+var_50]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_5C]
		push	offset _KdpContext
		push	eax
		lea	eax, [ebp+var_64]
		push	eax
		lea	eax, [ebp+var_6C]
		push	eax
		push	0Bh
		call	ds:__imp__KdReceivePacket@20 ; KdReceivePacket(x,x,x,x,x)
		test	eax, eax
		jnz	short loc_A4B204
		cmp	[ebp+var_44], eax
		jl	short loc_A4B21B
		mov	eax, [ebp+var_5C]
		add	ebx, eax
		mov	edx, [ebp+var_58]
		add	[ebp+var_50], eax
		add	edx, eax
		mov	ecx, [ebp+var_54]
		adc	ecx, 0
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], ecx
		sub	esi, eax
		jmp	short loc_A4B20A
; 

loc_A4B204:				; CODE XREF: KdpReadRemoteFile(x,x,x,x,x,x)+11Aj
		mov	ecx, [ebp+var_54]
		mov	edx, [ebp+var_58]

loc_A4B20A:				; CODE XREF: KdpReadRemoteFile(x,x,x,x,x,x)+13Cj
		test	esi, esi
		jnz	loc_A4B149
		jmp	short loc_A4B21B
; 

loc_A4B214:				; CODE XREF: KdpReadRemoteFile(x,x,x,x,x,x)+EFj
		mov	[ebp+var_44], 0C0000354h

loc_A4B21B:				; CODE XREF: KdpReadRemoteFile(x,x,x,x,x,x)+11Fj
					; KdpReadRemoteFile(x,x,x,x,x,x)+14Cj
		mov	al, [ebp+var_49]

loc_A4B21E:				; CODE XREF: KdpReadRemoteFile(x,x,x,x,x,x)+71j
		mov	ecx, [ebp+var_70]
		mov	[ecx], ebx

loc_A4B223:				; CODE XREF: KdpReadRemoteFile(x,x,x,x,x,x)+67j
		mov	cl, al
		call	_KdExitDebugger@4 ; KdExitDebugger(x)
		mov	eax, [ebp+var_44]

loc_A4B22D:				; CODE XREF: KdpReadRemoteFile(x,x,x,x,x,x)+3Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
_KdpReadRemoteFile@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpWriteFileCallback(x, x, x, x, x)
_KdpWriteFileCallback@20 proc near	; DATA XREF: KdPullRemoteFile(x,x,x,x)+19o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_10]
		xor	ebx, ebx
		push	ebx
		mov	[ebp+var_10], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		push	[ebp+arg_C]
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	ebx
		push	ebx
		push	dword ptr [eax+0Ch]
		mov	[ebp+var_4], ebx
		call	_ZwWriteFile@36	; ZwWriteFile(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_A4B294
		push	esi		; char
		push	offset ??_C@_0DE@HLDOGPGI@?6KdPullRemoteFile?3?5Local?5file?5w@DFIOBLLK@ ; "\nKdPullRemoteFile:	Local file write fai"...
		push	2		; int
		push	ebx		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	short loc_A4B29E
; 

loc_A4B294:				; CODE XREF: KdpWriteFileCallback(x,x,x,x,x)+41j
		cmp	[ebp+var_4], edi
		jnb	short loc_A4B29E
		mov	esi, 0C0000001h

loc_A4B29E:				; CODE XREF: KdpWriteFileCallback(x,x,x,x,x)+54j
					; KdpWriteFileCallback(x,x,x,x,x)+59j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	14h
_KdpWriteFileCallback@20 endp


;  S U B	R O U T	I N E 


; __stdcall InternalBreakpointCheck(x, x, x, x)
_InternalBreakpointCheck@16 proc near	; DATA XREF: KdpProcessInternalBreakpoint(x)+22o
		push	0FFFFFFFFh
		push	0FF676980h
		push	offset _InternalBreakpointCheckDpc
		push	0
		xor	edx, edx
		mov	ecx, offset _InternalBreakpointTimer
		call	KiSetTimerEx
		mov	edx, ds:_KdpNumInternalBreakpoints
		test	edx, edx
		jz	short locret_A4B2F4
		mov	ecx, offset unk_AA5E6C
		push	esi

loc_A4B2D1:				; CODE XREF: InternalBreakpointCheck(x,x,x,x)+4Aj
		mov	eax, [ecx-0Ch]
		and	al, 3
		cmp	al, 1
		jnz	short loc_A4B2EB
		mov	esi, [ecx-8]
		mov	eax, esi
		sub	eax, [ecx-4]
		cmp	eax, [ecx]
		jbe	short loc_A4B2E8
		mov	[ecx], eax

loc_A4B2E8:				; CODE XREF: InternalBreakpointCheck(x,x,x,x)+3Dj
		mov	[ecx-4], esi

loc_A4B2EB:				; CODE XREF: InternalBreakpointCheck(x,x,x,x)+31j
		add	ecx, 38h
		sub	edx, 1
		jnz	short loc_A4B2D1
		pop	esi

locret_A4B2F4:				; CODE XREF: InternalBreakpointCheck(x,x,x,x)+22j
		retn	10h
_InternalBreakpointCheck@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdEnterDebugger(x, x)
_KdEnterDebugger@8 proc	near		; CODE XREF: KdRefreshDebuggerNotPresent+7DE6Dp
					; KdpReport(x,x,x,x,x,x):loc_6176E5p ...

var_6		= byte ptr -6
var_5		= byte ptr -5
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jz	short loc_A4B31F
		push	3
		pop	ecx
		call	_VfNotifyVerifierOfEvent@4 ; VfNotifyVerifierOfEvent(x)

loc_A4B31F:				; CODE XREF: KdEnterDebugger(x,x)+1Ej
		test	esi, esi
		jz	short loc_A4B35E
		test	dword ptr [esi+70h], 200h
		jnz	short loc_A4B332
		xor	eax, eax
		xor	edx, edx
		jmp	short loc_A4B33A
; 

loc_A4B332:				; CODE XREF: KdEnterDebugger(x,x)+33j
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)

loc_A4B33A:				; CODE XREF: KdEnterDebugger(x,x)+39j
		mov	ds:_KdTimerStop, eax
		sub	eax, ds:_KdTimerStart
		mov	ds:dword_AA5E54, edx
		sbb	edx, ds:dword_A9B024
		mov	ds:_KdTimerDifference, eax
		mov	ds:dword_AA49FC, edx
		jmp	short loc_A4B36C
; 

loc_A4B35E:				; CODE XREF: KdEnterDebugger(x,x)+2Aj
		and	ds:_KdTimerStop, 0
		and	ds:dword_AA5E54, 0

loc_A4B36C:				; CODE XREF: KdEnterDebugger(x,x)+65j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edx, edi
		mov	[esp+18h+var_6], al
		mov	ecx, esi
		call	_KeFreezeExecution@8 ; KeFreezeExecution(x,x)
		mov	[esp+18h+var_5], al
		call	off_6B13AC	; SymCryptFatalIntercept(x)
		mov	ebx, large fs:20h
		mov	ecx, _KiBugCheckActive
		mov	edi, [ebx+3CCh]
		test	cl, 3
		jnz	short loc_A4B3E8
		cmp	_PoAllProcIntrDisabled,	0
		jnz	short loc_A4B3E8
		mov	eax, dword_6CB444
		mov	esi, ds:0FFDF05F0h
		not	eax
		mov	edx, ds:0FFDF05F4h
		or	esi, 100h
		mov	ecx, _KdIgnoredSavingSupervisorXStateFeatures
		and	edx, eax
		not	ecx
		mov	dword_6FE19C, edx
		and	esi, ecx
		mov	ecx, [ebx+47B8h]
		push	edx
		push	esi
		mov	dword_6FE198, esi
		call	_KeSaveSupervisorState@12 ; KeSaveSupervisorState(x,x,x)

loc_A4B3E8:				; CODE XREF: KdEnterDebugger(x,x)+A8j
					; KdEnterDebugger(x,x)+B1j
		lea	ecx, [esp+18h+var_4]
		call	KeIsBugCheckActive
		test	al, al
		jz	short loc_A4B3FB
		cmp	[esp+18h+var_4], edi
		jz	short loc_A4B405

loc_A4B3FB:				; CODE XREF: KdEnterDebugger(x,x)+FCj
		mov	al, [esp+18h+var_6]
		mov	[ebx+4C0h], al

loc_A4B405:				; CODE XREF: KdEnterDebugger(x,x)+102j
		mov	eax, _KdLogBuffer[edi*4]
		xor	esi, esi
		inc	esi
		test	eax, eax
		jz	short loc_A4B437
		mov	ecx, [eax]
		inc	ecx
		shl	ecx, 4
		add	ecx, eax
		rdtsc
		mov	[ecx], eax
		mov	[ecx+4], edx
		movzx	eax, _KdDebuggerNotPresent
		and	eax, esi
		shl	eax, 2
		or	eax, esi
		and	dword ptr [ecx+0Ch], 0
		mov	[ecx+8], eax

loc_A4B437:				; CODE XREF: KdEnterDebugger(x,x)+11Aj
		inc	_KdDebuggerEnteredCount
		xor	eax, eax
		cmp	_KdPortLocked, al
		pop	edi
		setz	al
		mov	_KdEnteredDebugger, esi
		add	_KdDebuggerEnteredWithoutLock, eax
		mov	al, [esp+14h+var_5]
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_KdEnterDebugger@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdExitDebugger(x)
_KdExitDebugger@4 proc near		; CODE XREF: KdRefreshDebuggerNotPresent+7DE84p
					; KdpReport(x,x,x,x,x,x)+BEp ...

var_6		= byte ptr -6
var_5		= byte ptr -5
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		movzx	eax, large byte	ptr fs:51h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[esp+14h+var_5], cl
		mov	ebx, _KdLogBuffer[eax*4]
		mov	_KdEnteredDebugger, esi
		push	edi
		test	ebx, ebx
		jz	short loc_A4B4DB
		mov	eax, [ebx]
		movzx	ecx, _KdDebuggerNotPresent
		mov	[esp+18h+var_4], eax
		lea	edi, [eax+1]
		shl	edi, 4
		add	edi, ebx
		rdtsc
		mov	esi, eax
		sub	esi, [edi]
		mov	eax, [edi+8]
		sbb	edx, [edi+4]
		and	ecx, 1
		add	ecx, ecx
		mov	[edi+0Ch], edx
		and	esi, 0FFFFFFF1h
		or	ecx, 1
		and	eax, 4
		or	esi, ecx
		or	esi, eax
		mov	eax, [esp+18h+var_4]
		mov	[edi+8], esi
		cmp	eax, 0FEh
		jnz	short loc_A4B4D6
		xor	esi, esi
		mov	[ebx], esi
		jmp	short loc_A4B4DB
; 

loc_A4B4D6:				; CODE XREF: KdExitDebugger(x)+6Fj
		inc	eax
		xor	esi, esi
		mov	[ebx], eax

loc_A4B4DB:				; CODE XREF: KdExitDebugger(x)+2Bj
					; KdExitDebugger(x)+75j
		call	off_6B13A4	; SymCryptFatalIntercept(x)
		mov	eax, _KiBugCheckActive
		test	al, 3
		jnz	short loc_A4B51D
		cmp	_PoAllProcIntrDisabled,	0
		jnz	short loc_A4B51D
		mov	ecx, large fs:20h
		push	dword_6FE19C
		push	dword_6FE198
		mov	ecx, [ecx+47B8h]
		call	_KeRestoreSupervisorState@12 ; KeRestoreSupervisorState(x,x,x)
		mov	dword_6FE198, esi
		mov	dword_6FE19C, esi

loc_A4B51D:				; CODE XREF: KdExitDebugger(x)+89j
					; KdExitDebugger(x)+92j
		mov	cl, [esp+18h+var_5]
		call	_KeThawExecution@4 ; KeThawExecution(x)
		mov	eax, ds:_KdTimerStop
		or	eax, ds:dword_AA5E54
		jnz	short loc_A4B539
		mov	eax, esi
		mov	edx, esi
		jmp	short loc_A4B540
; 

loc_A4B539:				; CODE XREF: KdExitDebugger(x)+D2j
		push	esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)

loc_A4B540:				; CODE XREF: KdExitDebugger(x)+D8j
		cmp	_PoHiberInProgress, 0
		mov	ds:_KdTimerStart, eax
		mov	ds:dword_A9B024, edx
		jnz	short loc_A4B57C
		mov	eax, _KiBugCheckActive
		test	al, 3
		jnz	short loc_A4B57C
		push	2
		pop	eax
		mov	ecx, offset _KdpTimeSlipPending
		xchg	eax, [ecx]
		test	eax, eax
		jnz	short loc_A4B577
		push	esi
		push	esi
		push	offset _KdpTimeSlipDpc
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)

loc_A4B577:				; CODE XREF: KdExitDebugger(x)+10Aj
		call	_ExQueueDebuggerWorker@0 ; ExQueueDebuggerWorker()

loc_A4B57C:				; CODE XREF: KdExitDebugger(x)+F3j
					; KdExitDebugger(x)+FCj
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jz	short loc_A4B58D
		push	4
		pop	ecx
		call	_VfNotifyVerifierOfEvent@4 ; VfNotifyVerifierOfEvent(x)

loc_A4B58D:				; CODE XREF: KdExitDebugger(x)+124j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_KdExitDebugger@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdGetInternalBreakpoint(x)
_KdGetInternalBreakpoint@4 proc	near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+2BAp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_4], ecx
		push	38h
		pop	ebx
		mov	[ebp+var_8], esi
		mov	edx, esi
		mov	word ptr [ebp+var_8], bx
		mov	edi, esi
		mov	ebx, ds:_KdpNumInternalBreakpoints
		test	ebx, ebx
		jz	short loc_A4B5EA
		mov	esi, offset _KdpInternalBPs

loc_A4B5C0:				; CODE XREF: KdGetInternalBreakpoint(x)+47j
		test	byte ptr [esi+8], 6
		jnz	short loc_A4B5D5
		mov	eax, [esi]
		cmp	eax, [ecx+10h]
		jnz	short loc_A4B5D5
		mov	eax, [esi+4]
		cmp	eax, [ecx+14h]
		jz	short loc_A4B5DF

loc_A4B5D5:				; CODE XREF: KdGetInternalBreakpoint(x)+30j
					; KdGetInternalBreakpoint(x)+37j
		inc	edi
		add	esi, 38h
		cmp	edi, ebx
		jb	short loc_A4B5C0
		jmp	short loc_A4B5E8
; 

loc_A4B5DF:				; CODE XREF: KdGetInternalBreakpoint(x)+3Fj
		imul	edx, edi, 38h
		add	edx, offset _KdpInternalBPs

loc_A4B5E8:				; CODE XREF: KdGetInternalBreakpoint(x)+49j
		xor	esi, esi

loc_A4B5EA:				; CODE XREF: KdGetInternalBreakpoint(x)+25j
		push	2
		pop	edi
		test	edx, edx
		jnz	short loc_A4B609
		mov	[ecx+18h], edi
		mov	eax, 0C0000001h
		mov	[ecx+1Ch], esi
		mov	edx, esi
		mov	[ecx+20h], esi
		mov	[ecx+24h], esi
		mov	[ecx+28h], esi
		jmp	short loc_A4B62C
; 

loc_A4B609:				; CODE XREF: KdGetInternalBreakpoint(x)+5Bj
		mov	eax, [edx+8]
		mov	[ecx+18h], eax
		mov	eax, [edx+0Ch]
		mov	[ecx+1Ch], eax
		mov	eax, [edx+14h]
		mov	[ecx+20h], eax
		mov	eax, [edx+18h]
		mov	[ecx+24h], eax
		mov	eax, [edx+1Ch]
		mov	[ecx+28h], eax
		mov	eax, esi
		mov	edx, [edx+20h]

loc_A4B62C:				; CODE XREF: KdGetInternalBreakpoint(x)+73j
		push	offset _KdpContext
		mov	[ecx+2Ch], edx
		mov	[ecx+8], eax
		lea	eax, [ebp+var_8]
		push	esi
		push	eax
		push	edi
		mov	dword ptr [ecx], 3143h
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KdGetInternalBreakpoint@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdSendTraceData(x, x)
_KdSendTraceData@8 proc	near		; CODE XREF: EtwpSendTraceEvent(x,x)+A8p
					; EtwpSendBufferToDebugger(x)+32p ...

var_72		= byte ptr -72h
var_62		= byte ptr -62h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= word ptr -44h
var_42		= word ptr -42h
var_40		= dword	ptr -40h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+64h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	40h
		xor	esi, esi
		mov	ebx, edx
		pop	eax
		push	eax		; size_t
		lea	eax, [esp+74h+var_48]
		mov	[esp+74h+var_60], esi
		push	esi		; int
		push	eax		; void *
		mov	edi, ecx
		mov	[esp+7Ch+var_5C], esi
		mov	[esp+7Ch+var_58], esi
		mov	[esp+7Ch+var_54], esi
		mov	[esp+7Ch+var_50], esi
		call	_memset
		add	esp, 0Ch
		test	ebx, ebx
		jz	short loc_A4B6AA
		lea	eax, [edi+4]
		mov	ecx, ebx

loc_A4B69C:				; CODE XREF: KdSendTraceData(x,x)+56j
		add	esi, [eax]
		lea	eax, [eax+8]
		sub	ecx, 1
		jnz	short loc_A4B69C
		mov	[esp+70h+var_60], esi

loc_A4B6AA:				; CODE XREF: KdSendTraceData(x,x)+47j
		mov	eax, ds:_KdTransportMaxPacketSize
		add	eax, 0FFFFFFC0h
		cmp	esi, eax
		ja	loc_A4B757
		xor	edx, edx
		xor	ecx, ecx
		call	_KdEnterDebugger@8 ; KdEnterDebugger(x,x)
		mov	[esp+0Fh], al
		mov	[esp+70h+var_4C], offset _KdpMessageBuffer
		test	ebx, ebx
		jz	short loc_A4B6F6
		mov	esi, [esp+70h+var_4C]
		add	edi, 4

loc_A4B6DA:				; CODE XREF: KdSendTraceData(x,x)+A2j
		push	dword ptr [edi]	; size_t
		push	dword ptr [edi-4] ; void *
		push	esi		; void *
		call	_memcpy
		add	esi, [edi]
		add	esp, 0Ch
		lea	edi, [edi+8]
		sub	ebx, 1
		jnz	short loc_A4B6DA
		mov	esi, [esp+70h+var_60]

loc_A4B6F6:				; CODE XREF: KdSendTraceData(x,x)+83j
		mov	ax, ds:_KeProcessorLevel
		mov	[esp+70h+var_44], ax
		movzx	eax, large byte	ptr fs:51h
		push	40h
		mov	[esp+74h+var_42], ax
		pop	eax
		mov	word ptr [esp+70h+var_54], ax
		lea	eax, [esp+70h+var_48]
		mov	[esp+70h+var_50], eax
		lea	eax, [esp+70h+var_5C]
		push	offset _KdpContext
		push	eax
		lea	eax, [esp+78h+var_54]
		mov	[esp+78h+var_48], 3330h
		push	eax
		push	9
		mov	[esp+80h+var_40], esi
		mov	word ptr [esp+80h+var_5C], si
		mov	[esp+80h+var_58], offset _KdpMessageBuffer
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		mov	cl, [esp+0Fh]
		call	_KdExitDebugger@4 ; KdExitDebugger(x)

loc_A4B757:				; CODE XREF: KdSendTraceData(x,x)+66j
		mov	ecx, [esp+80h+var_14]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_KdSendTraceData@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1083. KdSetEventLoggingPresent

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdSetEventLoggingPresent(x)
		public _KdSetEventLoggingPresent@4
_KdSetEventLoggingPresent@4 proc near

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [ebp+arg_0]
		mov	_KdEventLoggingPresent,	al
		pop	ebp
		retn	4
_KdSetEventLoggingPresent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdSetInternalBreakpoint(x)
_KdSetInternalBreakpoint@4 proc	near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+2ADp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	edx, ds:_KdpNumInternalBreakpoints
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ebx
		push	edi
		mov	edi, ecx
		test	edx, edx
		jz	short loc_A4B7C9
		mov	eax, [edi+14h]
		mov	ecx, offset _KdpInternalBPs
		mov	ebx, [edi+10h]
		mov	[ebp+var_4], eax

loc_A4B7A6:				; CODE XREF: KdSetInternalBreakpoint(x)+39j
		cmp	[ecx], ebx
		jnz	short loc_A4B7B2
		mov	eax, [ecx+4]
		cmp	eax, [ebp+var_4]
		jz	short loc_A4B7BC

loc_A4B7B2:				; CODE XREF: KdSetInternalBreakpoint(x)+29j
		inc	esi
		add	ecx, 38h
		cmp	esi, edx
		jb	short loc_A4B7A6
		jmp	short loc_A4B7C7
; 

loc_A4B7BC:				; CODE XREF: KdSetInternalBreakpoint(x)+31j
		imul	esi, 38h
		add	esi, offset _KdpInternalBPs
		jnz	short loc_A4B80D

loc_A4B7C7:				; CODE XREF: KdSetInternalBreakpoint(x)+3Bj
		xor	ebx, ebx

loc_A4B7C9:				; CODE XREF: KdSetInternalBreakpoint(x)+17j
		mov	eax, ebx
		test	edx, edx
		jz	short loc_A4B7EE
		mov	ecx, offset dword_AA5E60

loc_A4B7D4:				; CODE XREF: KdSetInternalBreakpoint(x)+60j
		test	byte ptr [ecx],	2
		jnz	short loc_A4B7E3
		inc	eax
		add	ecx, 38h
		cmp	eax, edx
		jb	short loc_A4B7D4
		jmp	short loc_A4B7EE
; 

loc_A4B7E3:				; CODE XREF: KdSetInternalBreakpoint(x)+58j
		imul	esi, eax, 38h
		add	esi, offset _KdpInternalBPs
		jnz	short loc_A4B80F

loc_A4B7EE:				; CODE XREF: KdSetInternalBreakpoint(x)+4Ej
					; KdSetInternalBreakpoint(x)+62j
		cmp	edx, 14h
		jnb	loc_A4B899
		imul	esi, edx, 38h
		add	esi, offset _KdpInternalBPs
		inc	edx
		mov	ds:_KdpNumInternalBreakpoints, edx
		or	dword ptr [esi+8], 2
		jmp	short loc_A4B80F
; 

loc_A4B80D:				; CODE XREF: KdSetInternalBreakpoint(x)+46j
		xor	ebx, ebx

loc_A4B80F:				; CODE XREF: KdSetInternalBreakpoint(x)+6Dj
					; KdSetInternalBreakpoint(x)+8Cj
		mov	edx, [esi+8]
		test	dl, 2
		jz	short loc_A4B836
		test	byte ptr [edi+18h], 2
		jnz	short loc_A4B899
		or	dword ptr [esi+18h], 0FFFFFFFFh
		mov	[esi+20h], ebx
		mov	[esi+1Ch], ebx
		mov	[esi+0Ch], ebx
		mov	[esi+14h], ebx
		mov	[esi+10h], ebx
		mov	[esi+24h], ebx
		mov	[esi+28h], ebx

loc_A4B836:				; CODE XREF: KdSetInternalBreakpoint(x)+96j
		mov	ecx, [edi+18h]
		mov	[esi+8], ecx
		mov	eax, [edi+10h]
		mov	[esi], eax
		mov	eax, [edi+14h]
		mov	[esi+4], eax
		test	cl, 6
		jz	short loc_A4B870
		test	cl, 2
		jz	short loc_A4B85F
		cmp	[esi+28h], ebx
		jz	short loc_A4B85F
		and	ecx, 0FFFFFFFDh
		or	ecx, 8
		mov	[esi+8], ecx

loc_A4B85F:				; CODE XREF: KdSetInternalBreakpoint(x)+D0j
					; KdSetInternalBreakpoint(x)+D5j
		mov	ecx, [esi+24h]
		test	ecx, ecx
		jz	short loc_A4B86B
		call	_KdpDeleteBreakpoint@4 ; KdpDeleteBreakpoint(x)

loc_A4B86B:				; CODE XREF: KdSetInternalBreakpoint(x)+E5j
		mov	[esi+24h], ebx
		jmp	short loc_A4B899
; 

loc_A4B870:				; CODE XREF: KdSetInternalBreakpoint(x)+CBj
		test	dl, 6
		jz	short loc_A4B888
		mov	ecx, [esi]
		mov	dl, 1
		push	ebx
		push	ebx
		push	0CCh
		call	_KdpAddBreakpoint@20 ; KdpAddBreakpoint(x,x,x,x,x)
		mov	[esi+24h], eax

loc_A4B888:				; CODE XREF: KdSetInternalBreakpoint(x)+F4j
		cmp	ds:_BreakpointsSuspended, 0
		jz	short loc_A4B899
		mov	ecx, [esi+24h]
		call	_KdpSuspendBreakpoint@4	; KdpSuspendBreakpoint(x)

loc_A4B899:				; CODE XREF: KdSetInternalBreakpoint(x)+72j
					; KdSetInternalBreakpoint(x)+9Cj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KdSetInternalBreakpoint@4 endp


;  S U B	R O U T	I N E 


; __stdcall KdSetSpecialCall(x,	x)
_KdSetSpecialCall@8 proc near		; CODE XREF: KdpSendWaitContinue(x,x,x,x)+294p
		mov	edi, edi
		push	esi
		mov	esi, ds:_KdNumberOfSpecialCalls
		cmp	esi, 0Ah
		jnb	short loc_A4B8E5
		mov	eax, [ecx+10h]
		mov	ds:_KdSpecialCalls[esi*4], eax
		xor	eax, eax
		inc	esi
		mov	ds:_NextTraceDataSym, al
		mov	ds:_KdNumberOfSpecialCalls, esi
		mov	ds:_NumTraceDataSyms, al
		mov	ds:_KdpNextCallLevelChange, eax
		test	edx, edx
		jz	short loc_A4B8E5
		cmp	ds:_InstrCountInternal,	al
		jnz	short loc_A4B8E5
		mov	eax, [edx+0C4h]
		mov	ds:_InitialSP, eax

loc_A4B8E5:				; CODE XREF: KdSetSpecialCall(x,x)+Cj
					; KdSetSpecialCall(x,x)+32j ...
		pop	esi
		retn
_KdSetSpecialCall@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpCheckLowMemory(x)
_KdpCheckLowMemory@4 proc near		; CODE XREF: KdpSendWaitContinue(x,x,x,x)+E0p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		push	38h
		pop	eax
		mov	[ebp+var_8], edi
		mov	word ptr [ebp+var_8], ax
		mov	[ebp+var_4], esi
		cmp	ds:_KdpSearchInProgress, edi
		jz	short loc_A4B911
		push	4
		pop	ecx
		call	_KdpSearchPhysicalPageRange@4 ;	KdpSearchPhysicalPageRange(x)

loc_A4B911:				; CODE XREF: KdpCheckLowMemory(x)+20j
		push	offset _KdpContext
		push	edi
		lea	eax, [ebp+var_8]
		mov	[esi+8], edi
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn
_KdpCheckLowMemory@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpCheckTracePoint(x, x)
_KdpCheckTracePoint@8 proc near		; CODE XREF: KiDispatchException+10DF3Ep
					; KeInsertQueue+D6277p	...

var_C		= byte ptr -0Ch
var_B		= byte ptr -0Bh
var_A		= dword	ptr -0Ah
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		mov	eax, ecx
		xor	ecx, ecx
		push	esi
		mov	esi, edx
		mov	[esp+14h+var_4], eax
		push	edi
		mov	eax, [eax]
		mov	[esp+18h+var_A+2], ecx
		mov	ebx, [esi+0B8h]
		mov	byte ptr [esp+18h+var_A+1], cl
		cmp	eax, 80000004h
		jnz	loc_A4BB30
		cmp	ds:_WatchStepOverSuspended, cl
		jz	short loc_A4B996
		push	ecx
		push	ecx
		mov	ecx, ds:_WatchStepOverBreakAddr
		mov	dl, 1
		push	0CCh
		call	_KdpAddBreakpoint@20 ; KdpAddBreakpoint(x,x,x,x,x)
		mov	ds:_WatchStepOverSuspended, 0

loc_A4B980:				; CODE XREF: KdpCheckTracePoint(x,x)+201j
		mov	ds:_WatchStepOverHandle, eax

loc_A4B985:				; CODE XREF: KdpCheckTracePoint(x,x)+3DAj
		and	dword ptr [esi+0C0h], 0FFFFFEFFh

loc_A4B98F:				; CODE XREF: KdpCheckTracePoint(x,x)+E6j
					; KdpCheckTracePoint(x,x)+FEj ...
		mov	al, 1
		jmp	loc_A4BD8E
; 

loc_A4B996:				; CODE XREF: KdpCheckTracePoint(x,x)+39j
		cmp	ds:_SymbolRecorded, cl
		jnz	short loc_A4B9BA
		cmp	ds:_KdpCurrentSymbolStart, ecx
		jz	short loc_A4B9BA
		cmp	ds:_KdpCurrentSymbolEnd, ecx
		jz	short loc_A4B9BA
		call	_PotentialNewSymbol@4 ;	PotentialNewSymbol(x)
		mov	ds:_SymbolRecorded, 1

loc_A4B9BA:				; CODE XREF: KdpCheckTracePoint(x,x)+72j
					; KdpCheckTracePoint(x,x)+7Aj ...
		cmp	ds:_InstrCountInternal,	0
		jnz	loc_A4BA65
		mov	ecx, large fs:124h
		lea	edx, [esp+18h+var_A+2]
		call	_SkippingWhichBP@8 ; SkippingWhichBP(x,x)
		test	al, al
		jz	loc_A4BA65
		imul	edi, [esp+18h+var_A+2],	38h
		test	byte ptr ds:dword_AA5E60[edi], 1
		jz	short loc_A4BA2D
		dec	ds:_IntBPsSkipping
		call	_KdpRestoreAllBreakpoints@0 ; KdpRestoreAllBreakpoints()
		and	dword ptr [esi+0C0h], 0FFFFFEFFh
		and	ds:dword_AA5E80[edi], 0
		test	byte ptr ds:dword_AA5E60[edi], 8
		jz	loc_A4B98F
		mov	ecx, ds:dword_AA5E7C[edi]
		call	_KdpDeleteBreakpoint@4 ; KdpDeleteBreakpoint(x)
		or	ds:dword_AA5E60[edi], 2
		jmp	loc_A4B98F
; 

loc_A4BA2D:				; CODE XREF: KdpCheckTracePoint(x,x)+C1j
		mov	eax, ds:dword_AA5E88[edi]
		and	ds:_KdpCurrentSymbolEnd, 0
		or	dword ptr [esi+0C0h], 100h
		mov	ds:_KdpCurrentSymbolStart, eax
		mov	eax, [esi+0C4h]
		mov	ds:_InitialSP, eax
		mov	ds:_InstructionsTraced,	1
		mov	ds:_InstrCountInternal,	1

loc_A4BA65:				; CODE XREF: KdpCheckTracePoint(x,x)+97j
					; KdpCheckTracePoint(x,x)+AFj ...
		mov	edi, [esp+18h+var_4]
		cmp	dword ptr [edi], 80000004h
		jnz	loc_A4BD7F

loc_A4BA75:				; CODE XREF: KdpCheckTracePoint(x,x)+26Ej
		mov	ecx, ds:_KdpCurrentSymbolStart
		test	ecx, ecx
		jz	loc_A4BC3E
		mov	edx, ds:_KdpCurrentSymbolEnd
		test	edx, edx
		jnz	short loc_A4BA9B
		mov	eax, [esi+0C4h]
		cmp	eax, ds:_InitialSP
		jbe	short loc_A4BAAB

loc_A4BA9B:				; CODE XREF: KdpCheckTracePoint(x,x)+161j
		cmp	ecx, ebx
		ja	loc_A4BC3E
		cmp	ebx, edx
		jnb	loc_A4BC3E

loc_A4BAAB:				; CODE XREF: KdpCheckTracePoint(x,x)+16Fj
		lea	eax, [esp+18h+var_A]
		mov	byte ptr [esp+18h+var_A], 0
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	_KdpLevelChange@12 ; KdpLevelChange(x,x,x)
		mov	ecx, ds:_CallLevelChange
		inc	ds:_InstructionsTraced
		add	ecx, eax
		cmp	byte ptr [esp+18h+var_A], 0
		mov	ds:_CallLevelChange, ecx
		jz	loc_A4BBAF
		cmp	eax, 0FFFFFFFFh
		jz	short loc_A4BAEA
		sub	ecx, eax
		mov	ds:_CallLevelChange, ecx

loc_A4BAEA:				; CODE XREF: KdpCheckTracePoint(x,x)+1B6j
		mov	edx, esi
		mov	ds:_WatchStepOver, 1
		mov	ecx, ebx
		call	_KdpGetCallNextOffset@8	; KdpGetCallNextOffset(x,x)
		mov	ds:_WatchStepOverBreakAddr, eax
		mov	eax, large fs:124h
		mov	ecx, ds:_WatchStepOverBreakAddr
		push	0
		mov	ds:_WSOThread, eax
		mov	eax, [esi+0C4h]
		push	0
		mov	ds:_WSOEsp, eax
		push	0CCh

loc_A4BB24:				; CODE XREF: KdpCheckTracePoint(x,x)+43Fj
		mov	dl, 1
		call	_KdpAddBreakpoint@20 ; KdpAddBreakpoint(x,x,x,x,x)
		jmp	loc_A4B980
; 

loc_A4BB30:				; CODE XREF: KdpCheckTracePoint(x,x)+2Dj
		cmp	eax, 80000003h
		jnz	loc_A4BA65
		cmp	ds:_WatchStepOver, cl
		jz	short loc_A4BBBE
		cmp	ebx, ds:_WatchStepOverBreakAddr
		jnz	short loc_A4BBBE
		mov	eax, ds:_WSOThread
		cmp	eax, large fs:124h
		jnz	short loc_A4BB9D
		mov	edx, ds:_WSOEsp
		mov	ecx, [esi+0C4h]
		lea	eax, [edx+20h]
		cmp	eax, ecx
		jb	short loc_A4BB9D
		lea	eax, [ecx+20h]
		cmp	eax, edx
		jb	short loc_A4BB9D
		mov	ecx, ds:_WatchStepOverHandle
		mov	ds:_WatchStepOver, 0
		call	_KdpDeleteBreakpoint@4 ; KdpDeleteBreakpoint(x)
		or	dword ptr [esi+0C0h], 100h
		mov	edi, [esp+18h+var_4]
		mov	byte ptr [esp+18h+var_A+1], 1
		jmp	loc_A4BA75
; 

loc_A4BB9D:				; CODE XREF: KdpCheckTracePoint(x,x)+22Dj
					; KdpCheckTracePoint(x,x)+240j	...
		mov	ecx, ds:_WatchStepOverHandle
		mov	ds:_WatchStepOverSuspended, 1
		call	_KdpDeleteBreakpoint@4 ; KdpDeleteBreakpoint(x)

loc_A4BBAF:				; CODE XREF: KdpCheckTracePoint(x,x)+1ADj
					; KdpCheckTracePoint(x,x)+408j
		or	dword ptr [esi+0C0h], 100h
		jmp	loc_A4B98F
; 

loc_A4BBBE:				; CODE XREF: KdpCheckTracePoint(x,x)+217j
					; KdpCheckTracePoint(x,x)+21Fj
		mov	edi, ecx
		mov	ecx, ds:_KdpNumInternalBreakpoints
		test	ecx, ecx
		jle	loc_A4BA65
		mov	eax, offset _KdpInternalBPs

loc_A4BBD3:				; CODE XREF: KdpCheckTracePoint(x,x)+2B9j
		test	byte ptr [eax+8], 6
		jnz	short loc_A4BBDD
		cmp	[eax], ebx
		jz	short loc_A4BBE5

loc_A4BBDD:				; CODE XREF: KdpCheckTracePoint(x,x)+2ADj
		inc	edi
		add	eax, 38h
		cmp	edi, ecx
		jl	short loc_A4BBD3

loc_A4BBE5:				; CODE XREF: KdpCheckTracePoint(x,x)+2B1j
		cmp	edi, ecx
		jge	loc_A4BA65
		mov	ecx, edi
		call	_KdpProcessInternalBreakpoint@4	; KdpProcessInternalBreakpoint(x)
		mov	eax, large fs:124h
		imul	edi, 38h
		inc	ds:_IntBPsSkipping
		mov	ds:dword_AA5E80[edi], eax
		call	_KdpSuspendAllBreakpoints@0 ; KdpSuspendAllBreakpoints()
		or	dword ptr [esi+0C0h], 100h
		test	byte ptr ds:dword_AA5E60[edi], 1
		jnz	loc_A4B98F
		mov	ecx, esi
		call	_KdpGetReturnAddress@4 ; KdpGetReturnAddress(x)
		and	ds:dword_AA5E8C[edi], 0
		mov	ds:dword_AA5E88[edi], eax
		jmp	loc_A4B98F
; 

loc_A4BC3E:				; CODE XREF: KdpCheckTracePoint(x,x)+153j
					; KdpCheckTracePoint(x,x)+173j	...
		cmp	byte ptr [esp+18h+var_A+1], 0
		jnz	short loc_A4BC51
		cmp	dword ptr [edi], 80000004h
		jnz	loc_A4BD7F

loc_A4BC51:				; CODE XREF: KdpCheckTracePoint(x,x)+319j
		test	ecx, ecx
		jz	loc_A4BD7F
		mov	eax, ds:_InstructionsTraced
		inc	eax
		mov	[esp+18h+var_B], 0
		cmp	ds:_InstrCountInternal,	0
		mov	[esp+18h+var_4], eax
		mov	ds:_InstructionsTraced,	eax
		jz	loc_A4BD09
		mov	ecx, large fs:124h
		lea	edx, [esp+18h+var_A+2]
		call	_SkippingWhichBP@8 ; SkippingWhichBP(x,x)
		test	al, al
		jz	short loc_A4BCF6
		imul	edi, [esp+18h+var_A+2],	38h
		mov	ecx, [esp+18h+var_4]
		inc	ds:dword_AA5E64[edi]
		cmp	ds:dword_AA5E70[edi], ecx
		jbe	short loc_A4BCB0
		mov	eax, ds:_InstructionsTraced
		mov	ds:dword_AA5E70[edi], eax

loc_A4BCB0:				; CODE XREF: KdpCheckTracePoint(x,x)+379j
		cmp	ds:dword_AA5E74[edi], ecx
		jnb	short loc_A4BCC3
		mov	eax, ds:_InstructionsTraced
		mov	ds:dword_AA5E74[edi], eax

loc_A4BCC3:				; CODE XREF: KdpCheckTracePoint(x,x)+38Cj
		add	ds:dword_AA5E78[edi], ecx
		and	ds:dword_AA5E80[edi], 0
		dec	ds:_IntBPsSkipping
		call	_KdpRestoreAllBreakpoints@0 ; KdpRestoreAllBreakpoints()
		test	byte ptr ds:dword_AA5E60[edi], 8
		jz	short loc_A4BCF6
		mov	ecx, ds:dword_AA5E7C[edi]
		call	_KdpDeleteBreakpoint@4 ; KdpDeleteBreakpoint(x)
		or	ds:dword_AA5E60[edi], 2

loc_A4BCF6:				; CODE XREF: KdpCheckTracePoint(x,x)+362j
					; KdpCheckTracePoint(x,x)+3B8j
		and	ds:_KdpCurrentSymbolStart, 0
		mov	ds:_InstrCountInternal,	0
		jmp	loc_A4B985
; 

loc_A4BD09:				; CODE XREF: KdpCheckTracePoint(x,x)+34Aj
		push	ebx
		call	_TraceDataRecordCallInfo@12 ; TraceDataRecordCallInfo(x,x,x)
		test	al, al
		mov	edx, esi
		lea	eax, [esp+0Dh]
		mov	ecx, ebx
		push	eax
		jz	short loc_A4BD6E
		call	_KdpLevelChange@12 ; KdpLevelChange(x,x,x)
		xor	ecx, ecx
		mov	ds:_CallLevelChange, eax
		mov	ds:_InstructionsTraced,	ecx
		cmp	[esp+18h+var_B], cl
		jz	loc_A4BBAF
		cmp	eax, 0FFFFFFFFh
		jz	short loc_A4BD43
		mov	ds:_CallLevelChange, ecx

loc_A4BD43:				; CODE XREF: KdpCheckTracePoint(x,x)+411j
		mov	eax, large fs:124h
		mov	edx, esi
		push	ecx
		push	ecx
		push	0CCh
		push	ecx
		mov	ecx, ebx
		mov	ds:_WatchStepOver, 1
		mov	ds:_WSOThread, eax
		call	_KdpGetCallNextOffset@8	; KdpGetCallNextOffset(x,x)
		pop	ecx
		mov	ecx, eax
		jmp	loc_A4BB24
; 

loc_A4BD6E:				; CODE XREF: KdpCheckTracePoint(x,x)+3F0j
		call	_KdpLevelChange@12 ; KdpLevelChange(x,x,x)
		and	ds:_InstructionsTraced,	0
		mov	ds:_CallLevelChange, eax

loc_A4BD7F:				; CODE XREF: KdpCheckTracePoint(x,x)+145j
					; KdpCheckTracePoint(x,x)+321j	...
		mov	ds:_SymbolRecorded, 0
		xor	al, al
		mov	ds:_oldpc, ebx

loc_A4BD8E:				; CODE XREF: KdpCheckTracePoint(x,x)+67j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_KdpCheckTracePoint@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpFillMemory(x, x,	x)
_KdpFillMemory@12 proc near		; CODE XREF: KdpSendWaitContinue(x,x,x,x)+33Ep

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_24], 0
		xor	eax, eax
		and	[ebp+var_20], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		mov	edx, [edx+4]
		mov	ebx, edx
		push	edi
		mov	[ebp+var_18], edx
		mov	ecx, [esi+18h]
		mov	[ebp+var_4], ecx
		movzx	ecx, word ptr [esi+1Eh]
		mov	[ebp+var_1C], esi
		mov	[ebp+var_8], 5
		lea	edi, [edx+ecx]
		movzx	edx, word ptr [esi+1Ch]
		mov	[ebp+var_14], edi
		xor	edi, edi
		test	dl, 2
		jz	short loc_A4BDE5
		mov	[ebp+var_8], 7
		jmp	short loc_A4BDEF
; 

loc_A4BDE5:				; CODE XREF: KdpFillMemory(x,x,x)+45j
		test	dl, 1
		jnz	short loc_A4BDEF
		mov	eax, 0C000000Dh

loc_A4BDEF:				; CODE XREF: KdpFillMemory(x,x,x)+4Ej
					; KdpFillMemory(x,x,x)+53j
		xor	edx, edx
		inc	edx
		cmp	cx, dx
		jb	short loc_A4BDFF
		mov	edx, [ebp+var_C]
		cmp	[edx], cx
		jnb	short loc_A4BE04

loc_A4BDFF:				; CODE XREF: KdpFillMemory(x,x,x)+60j
		mov	eax, 0C000000Dh

loc_A4BE04:				; CODE XREF: KdpFillMemory(x,x,x)+68j
		test	eax, eax
		js	short loc_A4BE68
		mov	ecx, [esi+10h]
		mov	[ebp+var_10], ecx
		mov	ecx, [esi+14h]
		mov	[ebp+var_C], ecx
		cmp	[ebp+var_4], edi
		jbe	short loc_A4BE68
		mov	esi, [ebp+var_10]
		mov	eax, [ebp+var_4]

loc_A4BE1F:				; CODE XREF: KdpFillMemory(x,x,x)+C4j
		dec	eax
		xor	edx, edx
		mov	[ebp+var_4], eax
		inc	edx
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_8]
		push	0
		push	ecx
		push	esi
		mov	ecx, ebx
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_A4BE5B
		mov	ecx, [ebp+var_C]
		add	esi, 1
		adc	ecx, 0
		inc	ebx
		mov	[ebp+var_C], ecx
		cmp	ebx, [ebp+var_14]
		jnz	short loc_A4BE53
		mov	ebx, [ebp+var_18]

loc_A4BE53:				; CODE XREF: KdpFillMemory(x,x,x)+B9j
		mov	eax, [ebp+var_4]
		inc	edi
		test	eax, eax
		jnz	short loc_A4BE1F

loc_A4BE5B:				; CODE XREF: KdpFillMemory(x,x,x)+A7j
		mov	esi, [ebp+var_1C]
		xor	eax, eax
		cmp	eax, edi
		sbb	eax, eax
		not	eax
		and	eax, edx

loc_A4BE68:				; CODE XREF: KdpFillMemory(x,x,x)+71j
					; KdpFillMemory(x,x,x)+82j
		push	38h
		mov	[esi+8], eax
		pop	eax
		push	offset _KdpContext
		mov	word ptr [ebp+var_24], ax
		lea	eax, [ebp+var_24]
		push	0
		push	eax
		push	2
		mov	[esi+18h], edi
		mov	[ebp+var_20], esi
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KdpFillMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpGetBusData(x, x,	x)
_KdpGetBusData@12 proc near		; CODE XREF: KdpSendWaitContinue(x,x,x,x)+25Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	esi, ds:_KdTransportMaxPacketSize
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		add	esi, 0FFFFFFC8h
		push	38h
		pop	eax
		mov	word ptr [ebp+var_C], ax
		mov	eax, [edi+20h]
		mov	[ebp+var_8], edi
		cmp	eax, esi
		ja	short loc_A4BEC1
		mov	esi, eax

loc_A4BEC1:				; CODE XREF: KdpGetBusData(x,x,x)+2Bj
		movzx	eax, word ptr [ebx+2]
		cmp	esi, eax
		jbe	short loc_A4BECB
		mov	esi, eax

loc_A4BECB:				; CODE XREF: KdpGetBusData(x,x,x)+35j
		mov	edx, [edi+14h]
		lea	eax, [ebp+var_4]
		mov	ecx, [edi+10h]
		push	eax
		push	esi
		push	dword ptr [ebx+4]
		mov	[ebp+var_4], esi
		push	dword ptr [edi+1Ch]
		push	dword ptr [edi+18h]
		call	_KdpSysReadBusData@28 ;	KdpSysReadBusData(x,x,x,x,x,x,x)
		mov	[edi+8], eax
		cmp	[ebp+var_4], esi
		jnb	short loc_A4BEF2
		mov	esi, [ebp+var_4]

loc_A4BEF2:				; CODE XREF: KdpGetBusData(x,x,x)+5Bj
		push	offset _KdpContext
		push	ebx
		lea	eax, [ebp+var_C]
		mov	[edi+20h], esi
		push	eax
		push	2
		mov	[ebx], si
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KdpGetBusData@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpGetContext(x, x,	x)
_KdpGetContext@12 proc near		; CODE XREF: KdpGetContextEx(x,x,x)+2Bp
					; KdpSendWaitContinue(x,x,x,x)+136p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, ecx
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], eax
		movzx	edx, word ptr [eax+6]
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		cmp	edx, 20h
		jnb	short loc_A4BF9C
		mov	ebx, ds:_KiProcessorBlock[edx*4]
		test	ebx, ebx
		jz	short loc_A4BF9C
		movzx	eax, large byte	ptr fs:51h
		cmp	dx, ax
		jnz	short loc_A4BF4D
		mov	ebx, [ebp+arg_0]
		jmp	short loc_A4BF53
; 

loc_A4BF4D:				; CODE XREF: KdpGetContext(x,x,x)+35j
		mov	ebx, [ebx+4168h]

loc_A4BF53:				; CODE XREF: KdpGetContext(x,x,x)+3Aj
		mov	eax, [ebx]
		lea	edx, [ebp+var_4]
		mov	ecx, eax
		mov	[ebp+arg_0], eax
		call	_KdpGetExtendedContextLength@8 ; KdpGetExtendedContextLength(x,x)
		movzx	eax, word ptr [esi+2]
		cmp	[ebp+var_4], eax
		ja	short loc_A4BF9C
		mov	edx, [ebp+arg_0]
		mov	ecx, [esi+4]
		call	_KdpInitializeExtendedContext@8	; KdpInitializeExtendedContext(x,x)
		mov	ecx, [esi+4]
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	edx, ebx
		call	_KdpCopyContext@12 ; KdpCopyContext(x,x,x)
		mov	eax, 10040h
		and	ebx, eax
		cmp	ebx, eax
		mov	eax, [ebp+var_4]
		jz	short loc_A4BF97
		mov	eax, 2CCh

loc_A4BF97:				; CODE XREF: KdpGetContext(x,x,x)+7Fj
		mov	[esi], ax
		jmp	short loc_A4BFA1
; 

loc_A4BF9C:				; CODE XREF: KdpGetContext(x,x,x)+1Dj
					; KdpGetContext(x,x,x)+28j ...
		mov	edi, 0C0000001h

loc_A4BFA1:				; CODE XREF: KdpGetContext(x,x,x)+89j
		mov	eax, [ebp+var_8]
		mov	[eax+8], edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KdpGetContext@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpGetVersion(x)
_KdpGetVersion@4 proc near		; CODE XREF: KdpSendWaitContinue(x,x,x,x)+2D3p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	eax, ecx
		xor	edx, edx
		push	38h
		pop	ecx
		push	0Ah
		mov	[ebp+var_8], edx
		lea	edi, [eax+10h]
		mov	word ptr [ebp+var_8], cx
		mov	esi, offset _KdVersionBlock
		pop	ecx
		push	offset _KdpContext
		rep movsd
		mov	[ebp+var_4], eax
		mov	[eax+8], edx
		mov	dword ptr [eax], 3146h
		lea	eax, [ebp+var_8]
		push	edx
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn
_KdpGetVersion@4 endp


;  S U B	R O U T	I N E 


; __stdcall KdpProcessInternalBreakpoint(x)
_KdpProcessInternalBreakpoint@4	proc near ; CODE XREF: KdpCheckTracePoint(x,x)+2C5p
		mov	edi, edi
		push	esi
		imul	esi, ecx, 38h
		test	byte ptr ds:dword_AA5E60[esi], 1
		jz	short loc_A4C043
		cmp	ds:_BreakPointTimerStarted, 0
		jnz	short loc_A4C03D
		push	ebx
		push	edi
		xor	ebx, ebx
		mov	edi, offset _InternalBreakpointCheckDpc
		push	ebx
		push	offset _InternalBreakpointCheck@16 ; InternalBreakpointCheck(x,x,x,x)
		push	edi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	ebx
		push	offset _InternalBreakpointTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	ebx
		push	ebx
		push	edi
		call	_KeInsertQueueDpc@12 ; KeInsertQueueDpc(x,x,x)
		pop	edi
		mov	ds:_BreakPointTimerStarted, 1
		pop	ebx

loc_A4C03D:				; CODE XREF: KdpProcessInternalBreakpoint(x)+16j
		inc	ds:dword_AA5E64[esi]

loc_A4C043:				; CODE XREF: KdpProcessInternalBreakpoint(x)+Dj
		pop	esi
		retn
_KdpProcessInternalBreakpoint@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpQueryMemory(x, x)
_KdpQueryMemory@8 proc near		; CODE XREF: KdpSendWaitContinue(x,x,x,x)+34Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_8], ebx
		mov	edi, ebx
		mov	[ebp+var_4], ebx
		cmp	[esi+20h], ebx
		jnz	short loc_A4C088
		mov	ecx, [esi+10h]
		cmp	ecx, ds:_MmHighestUserAddress
		jnb	short loc_A4C070
		mov	[esi+20h], ebx
		jmp	short loc_A4C07F
; 

loc_A4C070:				; CODE XREF: KdpQueryMemory(x,x)+24j
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		neg	eax
		sbb	eax, eax
		add	eax, 2
		mov	[esi+20h], eax

loc_A4C07F:				; CODE XREF: KdpQueryMemory(x,x)+29j
		mov	dword ptr [esi+24h], 7
		jmp	short loc_A4C08D
; 

loc_A4C088:				; CODE XREF: KdpQueryMemory(x,x)+19j
		mov	edi, 0C000000Dh

loc_A4C08D:				; CODE XREF: KdpQueryMemory(x,x)+41j
		push	38h
		pop	eax
		push	offset _KdpContext
		mov	word ptr [ebp+var_8], ax
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		push	2
		mov	[esi+8], edi
		mov	[esi+18h], ebx
		mov	[esi+1Ch], ebx
		mov	[ebp+var_4], esi
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KdpQueryMemory@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpReadControlSpace(x, x, x)
_KdpReadControlSpace@12	proc near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+1BDp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		push	ebx
		push	esi
		mov	esi, ds:_KdTransportMaxPacketSize
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		add	esi, 0FFFFFFC8h
		push	38h
		pop	eax
		mov	word ptr [ebp+var_C], ax
		mov	eax, [edi+18h]
		mov	[ebp+var_8], edi
		cmp	eax, esi
		ja	short loc_A4C0E6
		mov	esi, eax

loc_A4C0E6:				; CODE XREF: KdpReadControlSpace(x,x,x)+2Bj
		movzx	eax, word ptr [ebx+2]
		cmp	esi, eax
		jbe	short loc_A4C0F0
		mov	esi, eax

loc_A4C0F0:				; CODE XREF: KdpReadControlSpace(x,x,x)+35j
		movzx	ecx, word ptr [edi+6]
		lea	eax, [ebp+var_4]
		mov	edx, [ebx+4]
		push	eax
		push	esi
		push	dword ptr [edi+14h]
		mov	[ebp+var_4], esi
		push	dword ptr [edi+10h]
		call	_KdpSysReadControlSpace@24 ; KdpSysReadControlSpace(x,x,x,x,x,x)
		mov	[edi+8], eax
		cmp	[ebp+var_4], esi
		jnb	short loc_A4C115
		mov	esi, [ebp+var_4]

loc_A4C115:				; CODE XREF: KdpReadControlSpace(x,x,x)+59j
		push	offset _KdpContext
		push	ebx
		lea	eax, [ebp+var_C]
		mov	[ebx], si
		push	eax
		push	2
		mov	[edi+1Ch], esi
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KdpReadControlSpace@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpReadIoSpace(x, x, x)
_KdpReadIoSpace@12 proc	near		; CODE XREF: KdpSendWaitContinue(x,x,x,x)+1DCp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		push	38h
		pop	eax
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_C], edi
		push	ecx
		push	dword ptr [esi+18h]
		mov	word ptr [ebp+var_C], ax
		xor	ecx, ecx
		lea	eax, [esi+1Ch]
		mov	[ebp+var_8], esi
		push	eax
		push	dword ptr [esi+14h]
		inc	ecx
		mov	[eax], edi
		push	dword ptr [esi+10h]
		xor	edx, edx
		push	ecx
		call	_KdpSysReadIoSpace@32 ;	KdpSysReadIoSpace(x,x,x,x,x,x,x,x)
		push	offset _KdpContext
		mov	[esi+8], eax
		lea	eax, [ebp+var_C]
		push	edi
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn	4
_KdpReadIoSpace@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpReadIoSpaceExtended(x, x, x)
_KdpReadIoSpaceExtended@12 proc	near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+1F8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		push	38h
		pop	eax
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_C], edi
		mov	edx, [esi+18h]
		push	ecx
		push	dword ptr [esi+10h]
		mov	ecx, [esi+14h]
		mov	word ptr [ebp+var_C], ax
		lea	eax, [esi+28h]
		push	eax
		push	dword ptr [esi+24h]
		mov	[ebp+var_8], esi
		push	dword ptr [esi+20h]
		mov	[eax], edi
		push	dword ptr [esi+1Ch]
		call	_KdpSysReadIoSpace@32 ;	KdpSysReadIoSpace(x,x,x,x,x,x,x,x)
		push	offset _KdpContext
		mov	[esi+8], eax
		lea	eax, [ebp+var_C]
		push	edi
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn	4
_KdpReadIoSpaceExtended@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpReadMachineSpecificRegister(x, x, x)
_KdpReadMachineSpecificRegister@12 proc	near ; CODE XREF: KdpSendWaitContinue(x,x,x,x)+214p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		mov	esi, ecx
		lea	edx, [ebp+var_8]
		xor	edi, edi
		mov	[ebp+var_C], esi
		push	38h
		pop	eax
		mov	ecx, [esi+10h]
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		mov	word ptr [ebp+var_10], ax
		call	_KdpSysReadMsr@8 ; KdpSysReadMsr(x,x)
		mov	[esi+8], eax
		mov	eax, [ebp+var_8]
		mov	[esi+14h], eax
		mov	eax, [ebp+var_4]
		push	offset _KdpContext
		mov	[esi+18h], eax
		lea	eax, [ebp+var_10]
		push	edi
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn	4
_KdpReadMachineSpecificRegister@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpReadPhysicalMemory(x, x,	x, x)
_KdpReadPhysicalMemory@16 proc near	; CODE XREF: KdpReadPhysicalMemoryLong(x,x,x)+51p
					; KdpSendWaitContinue(x,x,x,x)+F3p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ds:_KdTransportMaxPacketSize
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		xor	edx, edx
		push	38h
		pop	eax
		mov	[ebp+var_C], edx
		add	esi, 0FFFFFFC8h
		mov	word ptr [ebp+var_C], ax
		mov	eax, [edi+18h]
		mov	[ebp+var_8], edi
		cmp	eax, esi
		ja	short loc_A4C262
		mov	esi, eax

loc_A4C262:				; CODE XREF: KdpReadPhysicalMemory(x,x,x,x)+2Cj
		movzx	eax, word ptr [ebx+2]
		mov	[ebp+var_4], esi
		cmp	esi, eax
		jbe	short loc_A4C272
		mov	esi, eax
		mov	[ebp+var_4], esi

loc_A4C272:				; CODE XREF: KdpReadPhysicalMemory(x,x,x,x)+39j
		mov	eax, [edi+1Ch]
		push	6
		pop	ecx
		sub	eax, 1
		jz	short loc_A4C28F
		sub	eax, 1
		jz	short loc_A4C28B
		sub	eax, 1
		jnz	short loc_A4C292
		push	26h
		jmp	short loc_A4C291
; 

loc_A4C28B:				; CODE XREF: KdpReadPhysicalMemory(x,x,x,x)+4Ej
		push	16h
		jmp	short loc_A4C291
; 

loc_A4C28F:				; CODE XREF: KdpReadPhysicalMemory(x,x,x,x)+49j
		push	0Eh

loc_A4C291:				; CODE XREF: KdpReadPhysicalMemory(x,x,x,x)+57j
					; KdpReadPhysicalMemory(x,x,x,x)+5Bj
		pop	ecx

loc_A4C292:				; CODE XREF: KdpReadPhysicalMemory(x,x,x,x)+53j
		cmp	dword ptr [edi], 3162h
		jnz	short loc_A4C2CD
		mov	eax, [edi+10h]
		mov	edx, 1000h
		and	eax, 0FFFh
		sub	edx, eax
		cmp	esi, edx
		jbe	short loc_A4C2AF
		mov	esi, edx

loc_A4C2AF:				; CODE XREF: KdpReadPhysicalMemory(x,x,x,x)+79j
		push	ecx
		mov	ecx, [ebx+4]
		mov	edx, esi
		push	0
		push	dword ptr [edi+14h]
		push	dword ptr [edi+10h]
		call	_MmDbgCopyMemory@24 ; MmDbgCopyMemory(x,x,x,x,x,x)
		mov	[edi+8], eax
		test	eax, eax
		jns	short loc_A4C2E9
		xor	esi, esi
		jmp	short loc_A4C2E9
; 

loc_A4C2CD:				; CODE XREF: KdpReadPhysicalMemory(x,x,x,x)+66j
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		mov	ecx, [ebx+4]
		push	edx
		push	dword ptr [edi+14h]
		mov	edx, esi
		push	dword ptr [edi+10h]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	esi, [ebp+var_4]
		mov	[edi+8], eax

loc_A4C2E9:				; CODE XREF: KdpReadPhysicalMemory(x,x,x,x)+95j
					; KdpReadPhysicalMemory(x,x,x,x)+99j
		mov	[edi+1Ch], esi
		cmp	dword ptr [edi], 3162h
		jnz	short loc_A4C316
		cmp	esi, 4
		jb	short loc_A4C316
		mov	ecx, [ebx+4]
		mov	edx, esi
		call	_RunLengthEncode@8 ; RunLengthEncode(x,x)
		test	al, al
		jz	short loc_A4C316
		shr	esi, 2
		or	esi, 40000000h
		push	4
		mov	[edi+1Ch], esi
		pop	esi

loc_A4C316:				; CODE XREF: KdpReadPhysicalMemory(x,x,x,x)+C0j
					; KdpReadPhysicalMemory(x,x,x,x)+C5j ...
		push	[ebp+arg_4]
		lea	eax, [ebp+var_C]
		mov	[ebx], si
		push	ebx
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KdpReadPhysicalMemory@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpReadPhysicalMemoryLong(x, x, x)
_KdpReadPhysicalMemoryLong@12 proc near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+104p

var_20		= dword	ptr -20h
var_1A		= word ptr -1Ah
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	esi, offset _KdpContext
		mov	[ebp+var_C], edx
		lea	edi, [ebp+var_20]
		mov	ebx, ecx
		movsd
		mov	ecx, [ebx+1Ch]
		mov	eax, [ebx+14h]
		mov	[ebp+var_10], ecx
		movsd
		movsd
		movsd
		mov	esi, [ebx+18h]
		test	esi, esi
		mov	edi, [ebx+10h]
		jmp	short loc_A4C3BA
; 

loc_A4C35F:				; CODE XREF: KdpReadPhysicalMemoryLong(x,x,x)+8Dj
		mov	[ebx+14h], eax
		xor	eax, eax
		mov	[ebx+1Ch], ecx
		mov	[ebx+10h], edi
		mov	[ebx+18h], esi
		mov	[edx], ax
		and	[ebx+8], eax
		push	0Dh
		pop	eax
		mov	[ebp+var_1A], ax
		lea	eax, [ebp+var_20]
		push	eax
		push	ecx
		mov	ecx, ebx
		call	_KdpReadPhysicalMemory@16 ; KdpReadPhysicalMemory(x,x,x,x)
		mov	ecx, [ebx+1Ch]
		mov	eax, ecx
		and	eax, 0C0000000h
		cmp	eax, 40000000h
		jnz	short loc_A4C39A
		shl	ecx, 2

loc_A4C39A:				; CODE XREF: KdpReadPhysicalMemoryLong(x,x,x)+65j
		cmp	dword ptr [ebx+8], 0
		jl	short loc_A4C3BF
		test	ecx, ecx
		jz	short loc_A4C3BF
		cmp	ecx, esi
		jbe	short loc_A4C3AA
		mov	ecx, esi

loc_A4C3AA:				; CODE XREF: KdpReadPhysicalMemoryLong(x,x,x)+76j
		mov	eax, [ebp+var_8]
		add	edi, ecx
		mov	edx, [ebp+var_C]
		adc	eax, 0
		sub	esi, ecx
		mov	ecx, [ebp+var_10]

loc_A4C3BA:				; CODE XREF: KdpReadPhysicalMemoryLong(x,x,x)+2Dj
		mov	[ebp+var_8], eax
		jnz	short loc_A4C35F

loc_A4C3BF:				; CODE XREF: KdpReadPhysicalMemoryLong(x,x,x)+6Ej
					; KdpReadPhysicalMemoryLong(x,x,x)+72j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KdpReadPhysicalMemoryLong@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpReadVirtualMemory(x, x, x)
_KdpReadVirtualMemory@12 proc near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+C8p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, ds:_KdTransportMaxPacketSize
		push	esi
		mov	esi, ecx
		add	eax, 0FFFFFFC8h
		push	edi
		xor	ecx, ecx
		mov	edi, edx
		mov	[ebp+var_C], ecx
		mov	edx, [esi+18h]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], edx
		cmp	edx, eax
		jbe	short loc_A4C3F3
		mov	edx, eax
		mov	[ebp+var_4], edx

loc_A4C3F3:				; CODE XREF: KdpReadVirtualMemory(x,x,x)+26j
		movzx	eax, word ptr [edi+2]
		cmp	edx, eax
		jbe	short loc_A4C400
		mov	edx, eax
		mov	[ebp+var_4], edx

loc_A4C400:				; CODE XREF: KdpReadVirtualMemory(x,x,x)+33j
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		push	ecx
		push	dword ptr [esi+14h]
		mov	ecx, [edi+4]
		push	dword ptr [esi+10h]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	[esi+8], eax
		mov	eax, [ebp+var_4]
		push	38h
		mov	[edi], ax
		mov	[esi+1Ch], eax
		pop	eax
		push	offset _KdpContext
		mov	word ptr [ebp+var_C], ax
		lea	eax, [ebp+var_C]
		push	edi
		push	eax
		push	2
		mov	[ebp+var_8], esi
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn	4
_KdpReadVirtualMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpReportCommandStringStateChange(x, x, x)
_KdpReportCommandStringStateChange@12 proc near
					; CODE XREF: KdpCommandString(x,x,x,x,x,x)+5Bp

var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_D8		= dword	ptr -0D8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		xor	eax, eax
		push	edi
		mov	edi, ecx
		mov	[esp+118h+var_10C], eax
		mov	ecx, 0F0h
		mov	[esp+118h+var_108], eax
		push	ecx		; size_t
		push	eax		; int
		mov	[esp+120h+var_100], eax
		mov	ebx, edx
		mov	[esp+120h+var_FC], eax
		lea	eax, [esp+120h+var_F8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		and	[esp+118h+var_104], 0

loc_A4C494:				; CODE XREF: KdpReportCommandStringStateChange(x,x,x)+138j
		lea	eax, [esp+118h+var_F8]
		mov	edx, esi
		push	eax
		mov	ecx, 3032h
		call	_KdpSetCommonState@12 ;	KdpSetCommonState(x,x,x)
		mov	edx, esi
		lea	ecx, [esp+118h+var_F8]
		call	_KdpSetContextState@8 ;	KdpSetContextState(x,x)
		push	40h		; size_t
		lea	eax, [esp+11Ch+var_D8]
		push	0		; int
		push	eax		; void *
		call	_memset
		movzx	eax, word ptr [edi]
		add	esp, 0Ch
		mov	[esp+118h+var_108], offset _KdpMessageBuffer
		push	7Fh
		pop	ecx
		mov	edx, ecx
		cmp	ax, cx
		ja	short loc_A4C4D8
		mov	edx, eax

loc_A4C4D8:				; CODE XREF: KdpReportCommandStringStateChange(x,x,x)+91j
		lea	eax, [esp+118h+var_104]
		mov	ecx, offset _KdpMessageBuffer
		push	eax
		push	4
		push	0
		push	0
		push	dword ptr [edi+4]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	eax, [esp+118h+var_104]
		mov	edx, ds:_KdTransportMaxPacketSize
		inc	eax
		mov	word ptr [esp+118h+var_10C], ax
		movzx	ecx, ax
		mov	eax, [esp+118h+var_108]
		mov	byte ptr [ecx+eax-1], 0
		movzx	ecx, word ptr [esp+118h+var_10C]
		movzx	eax, word ptr [ebx]
		sub	edx, ecx
		sub	edx, 0F0h
		cmp	eax, edx
		jnb	short loc_A4C522
		mov	edx, eax

loc_A4C522:				; CODE XREF: KdpReportCommandStringStateChange(x,x,x)+DBj
		add	ecx, [esp+118h+var_108]
		lea	eax, [esp+118h+var_104]
		push	eax
		push	4
		push	0
		push	0
		push	dword ptr [ebx+4]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	cx, word ptr [esp+118h+var_10C]
		lea	edx, [esp+118h+var_100]
		mov	eax, [esp+118h+var_104]
		inc	eax
		add	cx, ax
		mov	eax, [esp+118h+var_108]
		mov	word ptr [esp+118h+var_10C], cx
		movzx	ecx, cx
		push	esi
		mov	byte ptr [ecx+eax-1], 0
		mov	eax, 0F0h
		mov	word ptr [esp+11Ch+var_100], ax
		lea	eax, [esp+11Ch+var_F8]
		mov	[esp+11Ch+var_FC], eax
		lea	eax, [esp+11Ch+var_10C]
		push	eax
		call	_KdpSendWaitContinue@16	; KdpSendWaitContinue(x,x,x,x)
		cmp	eax, 2
		jz	loc_A4C494
		mov	ecx, [esp+118h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_KdpReportCommandStringStateChange@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpReportExceptionStateChange(x, x,	x)
_KdpReportExceptionStateChange@12 proc near ; CODE XREF: KiFreezeTargetExecution(x,x)+148p
					; KdpReport(x,x,x,x,x,x)+9Bp

var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_D8		= dword	ptr -0D8h
var_40		= dword	ptr -40h
var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	edi, ecx
		mov	ecx, 0F0h
		mov	[esp+118h+var_108], eax
		push	ecx		; size_t
		push	eax		; int
		mov	[esp+120h+var_104], eax
		mov	esi, edx
		mov	[esp+120h+var_100], eax
		mov	[esp+120h+var_FC], eax
		lea	eax, [esp+120h+var_F8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, esi
		mov	ecx, edi
		call	_KdpCheckTracePoint@8 ;	KdpCheckTracePoint(x,x)
		test	al, al
		jz	short loc_A4C5F5
		mov	al, 1
		jmp	loc_A4C675
; 

loc_A4C5F5:				; CODE XREF: KdpReportExceptionStateChange(x,x,x)+54j
		mov	bl, [ebp+arg_0]

loc_A4C5F8:				; CODE XREF: KdpReportExceptionStateChange(x,x,x)+DBj
		lea	eax, [esp+118h+var_F8]
		mov	edx, esi
		push	eax
		mov	ecx, 3030h
		call	_KdpSetCommonState@12 ;	KdpSetCommonState(x,x,x)
		lea	edx, [esp+118h+var_D8]
		mov	ecx, edi
		call	_ExceptionRecord32To64@8 ; ExceptionRecord32To64(x,x)
		xor	eax, eax
		lea	ecx, [esp+118h+var_F8]
		test	bl, bl
		mov	edx, esi
		setz	al
		mov	[esp+118h+var_40], eax
		call	_KdpSetContextState@8 ;	KdpSetContextState(x,x)
		mov	eax, 0F0h
		mov	[esp+118h+var_104], offset _TraceDataBuffer
		mov	word ptr [esp+118h+var_100], ax
		lea	edx, [esp+118h+var_100]
		mov	eax, ecx
		mov	[esp+118h+var_FC], eax
		mov	eax, ds:_TraceDataBufferPosition
		mov	ds:_TraceDataBuffer, eax
		shl	eax, 2
		mov	word ptr [esp+118h+var_108], ax
		lea	eax, [esp+118h+var_108]
		push	esi
		push	eax
		mov	ds:_TraceDataBufferPosition, 1
		call	_KdpSendWaitContinue@16	; KdpSendWaitContinue(x,x,x,x)
		cmp	eax, 2
		jz	short loc_A4C5F8

loc_A4C675:				; CODE XREF: KdpReportExceptionStateChange(x,x,x)+58j
		mov	ecx, [esp+118h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_KdpReportExceptionStateChange@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpReportLoadSymbolsStateChange(x, x, x, x)
_KdpReportLoadSymbolsStateChange@16 proc near ;	CODE XREF: KdpSymbol(x,x,x,x,x,x,x)+5Dp

var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_D8		= dword	ptr -0D8h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= byte ptr -0B8h
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+10Ch+var_4], eax
		push	ebx
		push	esi
		xor	eax, eax
		mov	esi, ecx
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ecx, 0F0h
		push	ecx		; size_t
		push	eax		; int
		mov	[esp+120h+var_108], eax
		mov	ebx, edx
		mov	[esp+120h+var_104], eax
		mov	[esp+120h+var_100], eax
		mov	[esp+120h+var_FC], eax
		lea	eax, [esp+120h+var_F8]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_A4C6D8:				; CODE XREF: KdpReportLoadSymbolsStateChange(x,x,x,x)+FEj
		lea	eax, [esp+118h+var_F8]
		mov	edx, edi
		push	eax
		mov	ecx, 3031h
		call	_KdpSetCommonState@12 ;	KdpSetCommonState(x,x,x)
		mov	edx, edi
		lea	ecx, [esp+118h+var_F8]
		call	_KdpSetContextState@8 ;	KdpSetContextState(x,x)
		mov	al, [ebp+arg_0]
		xor	ecx, ecx
		mov	[esp+118h+var_B8], al
		mov	eax, [ebx]
		cdq
		mov	[esp+118h+var_D0], eax
		mov	eax, [ebx+4]
		mov	[esp+118h+var_C8], eax
		mov	eax, [ebx+8]
		mov	[esp+118h+var_C0], eax
		mov	eax, [ebx+0Ch]
		mov	[esp+118h+var_CC], edx
		mov	[esp+118h+var_C4], ecx
		mov	[esp+118h+var_BC], eax
		test	esi, esi
		jz	short loc_A4C764
		movzx	edx, word ptr [esi]
		lea	eax, [esp+118h+var_D8]
		push	eax
		push	4
		push	ecx
		push	ecx
		push	dword ptr [esi+4]
		mov	ecx, offset _KdpPathBuffer
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		inc	[esp+118h+var_D8]
		mov	ax, word ptr [esp+118h+var_D8]
		mov	word ptr [esp+118h+var_108], ax
		movzx	eax, ax
		mov	[esp+118h+var_104], offset _KdpPathBuffer
		mov	ds:byte_AA4E47[eax], 0
		lea	eax, [esp+118h+var_108]
		jmp	short loc_A4C76A
; 

loc_A4C764:				; CODE XREF: KdpReportLoadSymbolsStateChange(x,x,x,x)+97j
		mov	[esp+118h+var_D8], ecx
		mov	eax, ecx

loc_A4C76A:				; CODE XREF: KdpReportLoadSymbolsStateChange(x,x,x,x)+D6j
		mov	ecx, 0F0h
		lea	edx, [esp+118h+var_100]
		mov	word ptr [esp+118h+var_100], cx
		lea	ecx, [esp+118h+var_F8]
		push	edi
		push	eax
		mov	[esp+120h+var_FC], ecx
		call	_KdpSendWaitContinue@16	; KdpSendWaitContinue(x,x,x,x)
		cmp	eax, 2
		jz	loc_A4C6D8
		mov	ecx, [esp+118h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	8
_KdpReportLoadSymbolsStateChange@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpRestoreBreakPointEx(x, x, x)
_KdpRestoreBreakPointEx@12 proc	near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+31Cp

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_94], edx
		xor	esi, esi
		mov	[ebp+var_8C], edi
		push	38h
		pop	eax
		mov	ecx, [edi+10h]
		mov	[ebp+var_90], esi
		mov	word ptr [ebp+var_90], ax
		movzx	eax, word ptr [edx]
		shl	ecx, 2
		mov	[ebp+var_88], esi
		cmp	eax, ecx
		jnz	short loc_A4C846
		lea	eax, [ebp+var_88]
		push	eax
		push	4
		push	esi
		push	esi
		push	dword ptr [edx+4]
		mov	edx, ecx
		lea	ecx, [ebp+var_84]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	eax, [edi+10h]
		shl	eax, 2
		cmp	[ebp+var_88], eax
		jnz	short loc_A4C846
		mov	[edi+8], esi
		lea	ebx, [ebp+var_84]
		cmp	[edi+10h], esi
		jbe	short loc_A4C84D

loc_A4C829:				; CODE XREF: KdpRestoreBreakPointEx(x,x,x)+9Bj
		mov	ecx, [ebx]
		call	_KdpDeleteBreakpoint@4 ; KdpDeleteBreakpoint(x)
		test	al, al
		jnz	short loc_A4C83B
		mov	dword ptr [edi+8], 0C0000001h

loc_A4C83B:				; CODE XREF: KdpRestoreBreakPointEx(x,x,x)+8Bj
		inc	esi
		add	ebx, 4
		cmp	esi, [edi+10h]
		jb	short loc_A4C829
		jmp	short loc_A4C84D
; 

loc_A4C846:				; CODE XREF: KdpRestoreBreakPointEx(x,x,x)+49j
					; KdpRestoreBreakPointEx(x,x,x)+72j
		mov	dword ptr [edi+8], 0C0000001h

loc_A4C84D:				; CODE XREF: KdpRestoreBreakPointEx(x,x,x)+80j
					; KdpRestoreBreakPointEx(x,x,x)+9Dj
		push	offset _KdpContext
		push	[ebp+var_94]
		lea	eax, [ebp+var_90]
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_KdpRestoreBreakPointEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpRestoreBreakpoint(x, x, x)
_KdpRestoreBreakpoint@12 proc near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+1ACp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		push	esi
		mov	esi, ecx
		push	38h
		pop	eax
		mov	word ptr [ebp+var_8], ax
		mov	ecx, [esi+10h]
		mov	[ebp+var_4], esi
		call	_KdpDeleteBreakpoint@4 ; KdpDeleteBreakpoint(x)
		movzx	eax, al
		neg	eax
		push	offset _KdpContext
		sbb	eax, eax
		and	eax, 3FFFFFFFh
		add	eax, 0C0000001h
		mov	[esi+8], eax
		lea	eax, [ebp+var_8]
		push	0
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	esi
		leave
		retn	4
_KdpRestoreBreakpoint@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSearchMemory(x, x, x)
_KdpSearchMemory@12 proc near		; CODE XREF: KdpSendWaitContinue(x,x,x,x)+32Dp

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_25		= dword	ptr -25h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_30], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	byte ptr [ebp+var_25], 0
		mov	ecx, [edx+4]
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_40], edi
		mov	[ebp+var_34], ecx
		mov	eax, [edi+18h]
		mov	ebx, [edi+10h]
		add	eax, ebx
		mov	esi, [edi+20h]
		mov	[ebp+var_3C], eax
		mov	[ebp+var_44], esi
		mov	dword ptr [edi+8], 8000001Ah
		cmp	esi, 3
		ja	short loc_A4C919
		push	4
		pop	ecx
		sub	ecx, esi
		shl	ecx, 3
		shr	edx, cl
		mov	ecx, [ebp+var_34]

loc_A4C919:				; CODE XREF: KdpSearchMemory(x,x,x)+46j
		and	[ebp+var_14], 0
		mov	eax, edx
		shl	eax, 8
		mov	[ebp+var_20], eax
		mov	eax, edx
		mov	[ebp+var_25+1],	edx
		shl	eax, 10h
		shl	edx, 18h
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], edx
		cmp	esi, 5
		jnb	short loc_A4C93F
		mov	eax, esi
		jmp	short loc_A4C942
; 

loc_A4C93F:				; CODE XREF: KdpSearchMemory(x,x,x)+75j
		push	4
		pop	eax

loc_A4C942:				; CODE XREF: KdpSearchMemory(x,x,x)+79j
		mov	edx, ecx
		lea	ecx, [ebp+var_14]
		push	eax
		call	_KdpQuickMoveMemory@12 ; KdpQuickMoveMemory(x,x,x)
		mov	ecx, [ebp+var_14]
		mov	esi, ebx
		shl	ecx, 8
		and	ebx, 0FFFFFFFCh
		mov	eax, ecx
		mov	[ebp+var_10], ecx
		shl	eax, 8
		and	esi, 3
		shl	ecx, 10h
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_38], ebx
		cmp	ebx, [ebp+var_3C]
		jnb	loc_A4CA22
		push	4
		pop	edi

loc_A4C97E:				; CODE XREF: KdpSearchMemory(x,x,x)+155j
		push	edi
		push	edi
		push	0
		push	ebx
		mov	edx, edi
		lea	ecx, [ebp+var_30]
		call	_MmDbgCopyMemory@24 ; MmDbgCopyMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A4CA0C

loc_A4C991:				; CODE XREF: KdpSearchMemory(x,x,x)+146j
		mov	eax, [ebp+esi*4+var_25+1]
		and	eax, [ebp+var_30]
		cmp	eax, [ebp+esi*4+var_14]
		jnz	short loc_A4CA04
		mov	ecx, [ebp+var_44]
		mov	eax, edi
		sub	eax, esi
		cmp	eax, ecx
		jnb	loc_A4CA54
		mov	edx, [ebp+var_34]
		add	ecx, 0FFFFFFFCh
		mov	eax, edx
		sub	eax, esi
		add	eax, edi
		add	ecx, esi
		mov	[ebp+var_48], eax
		mov	[ebp+var_4C], ecx
		jz	loc_A4CA54
		mov	edi, eax
		sub	edi, edx
		add	edi, esi
		mov	esi, ecx
		add	edi, ebx
		mov	ebx, eax

loc_A4C9D3:				; CODE XREF: KdpSearchMemory(x,x,x)+131j
		push	4
		push	1
		push	0
		xor	edx, edx
		lea	ecx, [ebp+var_25]
		push	edi
		inc	edx
		call	_MmDbgCopyMemory@24 ; MmDbgCopyMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A4C9F7
		mov	al, byte ptr [ebp+var_25]
		cmp	al, [ebx]
		jnz	short loc_A4C9F7
		inc	ebx
		inc	edi
		sub	esi, 1
		jnz	short loc_A4C9D3

loc_A4C9F7:				; CODE XREF: KdpSearchMemory(x,x,x)+123j
					; KdpSearchMemory(x,x,x)+12Aj
		mov	ebx, [ebp+var_38]
		test	esi, esi
		mov	esi, [ebp+var_2C]
		jz	short loc_A4CA54
		push	4
		pop	edi

loc_A4CA04:				; CODE XREF: KdpSearchMemory(x,x,x)+D8j
		inc	esi
		mov	[ebp+var_2C], esi
		cmp	esi, edi
		jb	short loc_A4C991

loc_A4CA0C:				; CODE XREF: KdpSearchMemory(x,x,x)+CBj
		add	ebx, edi
		xor	esi, esi
		mov	[ebp+var_38], ebx
		mov	[ebp+var_2C], esi
		cmp	ebx, [ebp+var_3C]
		jb	loc_A4C97E
		mov	edi, [ebp+var_40]

loc_A4CA22:				; CODE XREF: KdpSearchMemory(x,x,x)+B1j
					; KdpSearchMemory(x,x,x)+1A1j
		push	38h
		pop	eax
		push	offset _KdpContext
		mov	word ptr [ebp+var_54+2], ax
		mov	word ptr [ebp+var_54], ax
		lea	eax, [ebp+var_54]
		push	0
		push	eax
		push	2
		mov	[ebp+var_50], edi
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_A4CA54:				; CODE XREF: KdpSearchMemory(x,x,x)+E3j
					; KdpSearchMemory(x,x,x)+FDj ...
		mov	edi, [ebp+var_40]
		lea	eax, [esi+ebx]
		and	dword ptr [edi+14h], 0
		and	dword ptr [edi+8], 0
		mov	[edi+10h], eax
		jmp	short loc_A4CA22
_KdpSearchMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSearchPhysicalPage(x, x,	x, x, x)
_KdpSearchPhysicalPage@20 proc near	; CODE XREF: KdpSearchPhysicalPageRange(x)+43p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		mov	eax, ecx
		mov	[esp+28h+var_1C], edx
		xor	edx, edx
		mov	[esp+28h+var_18], eax
		mov	ebx, eax
		shld	edx, ebx, 0Ch
		push	esi
		xor	esi, esi
		shl	ebx, 0Ch
		push	edi
		mov	[esp+30h+var_14], edx
		cmp	ds:_KdpSearchPfnValue, esi
		jz	loc_A4CB39
		mov	eax, [ebp+arg_8]
		mov	edi, esi
		or	eax, 2
		mov	[esp+30h+var_8], esi
		mov	[esp+30h+var_4], esi
		mov	[esp+30h+var_24], eax

loc_A4CAB0:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+CDj
		push	eax
		xor	eax, eax
		mov	ecx, edi
		add	ecx, ebx
		push	8
		adc	eax, edx
		push	eax
		push	ecx
		push	8
		pop	edx
		lea	ecx, [esp+40h+var_8]
		call	_MmDbgCopyMemory@24 ; MmDbgCopyMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A4CB1D
		mov	ecx, [esp+30h+var_8]
		mov	eax, [esp+30h+var_4]
		shrd	ecx, eax, 0Ch
		and	ecx, 3FFFFFFh
		cmp	ecx, [esp+30h+var_1C]
		jnz	short loc_A4CB1D
		cmp	ds:_KdpSearchPageHitIndex, 1000h
		jnb	short loc_A4CB13
		mov	eax, ds:_KdpSearchPageHitIndex
		mov	ecx, [esp+30h+var_18]
		mov	ds:_KdpSearchPageHits[eax*4], ecx
		mov	eax, ds:_KdpSearchPageHitIndex
		mov	ds:_KdpSearchPageHitOffsets[eax*4], edi
		inc	ds:_KdpSearchPageHitIndex

loc_A4CB13:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+88j
		test	[ebp+arg_4], 1
		jz	loc_A4CC1D

loc_A4CB1D:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+64j
					; KdpSearchPhysicalPage(x,x,x,x,x)+7Cj
		add	edi, 8
		cmp	edi, 1000h
		jnb	loc_A4CC20
		mov	eax, [esp+30h+var_24]
		mov	edx, [esp+30h+var_14]
		jmp	loc_A4CAB0
; 

loc_A4CB39:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+2Fj
		mov	eax, ds:_KdpSearchInProgress
		and	eax, 2
		mov	[esp+30h+var_20], esi
		mov	[esp+30h+var_10], eax
		mov	eax, ds:_KdpSearchInProgress
		test	al, 3Ch
		jz	short loc_A4CB6A
		mov	edi, ds:_KdpSearchInProgress
		shr	edi, 2
		and	edi, 0Fh
		cmp	edi, 4
		jbe	short loc_A4CB6D
		xor	eax, eax
		jmp	loc_A4CC22
; 

loc_A4CB6A:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+E9j
		push	4
		pop	edi

loc_A4CB6D:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+FAj
		mov	ecx, [ebp+arg_8]
		mov	eax, esi
		or	ecx, 2
		mov	[esp+30h+var_24], eax
		mov	[esp+30h+var_C], ecx

loc_A4CB7D:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+1B1j
		push	ecx
		mov	ecx, eax
		xor	eax, eax
		add	ecx, ebx
		push	esi
		adc	eax, edx
		mov	edx, edi
		push	eax
		push	ecx
		lea	ecx, [esp+40h+var_20]
		call	_MmDbgCopyMemory@24 ; MmDbgCopyMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A4CBFF
		mov	eax, [esp+30h+var_20]
		mov	ecx, [esp+30h+var_1C]
		cmp	eax, ecx
		jb	short loc_A4CBA9
		cmp	eax, [ebp+arg_0]
		jbe	short loc_A4CBC7

loc_A4CBA9:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+13Bj
		cmp	[esp+30h+var_10], esi
		jnz	short loc_A4CBFF
		push	20h
		xor	eax, ecx
		mov	ecx, esi
		pop	edx

loc_A4CBB6:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+159j
		test	al, 1
		jz	short loc_A4CBBB
		inc	ecx

loc_A4CBBB:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+151j
		shr	eax, 1
		sub	edx, 1
		jnz	short loc_A4CBB6
		cmp	ecx, 1
		jnz	short loc_A4CBFF

loc_A4CBC7:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+140j
		cmp	ds:_KdpSearchPageHitIndex, 1000h
		jnb	short loc_A4CBF9
		mov	eax, ds:_KdpSearchPageHitIndex
		mov	ecx, [esp+30h+var_18]
		mov	ds:_KdpSearchPageHits[eax*4], ecx
		mov	eax, ds:_KdpSearchPageHitIndex
		mov	ecx, [esp+30h+var_24]
		mov	ds:_KdpSearchPageHitOffsets[eax*4], ecx
		inc	ds:_KdpSearchPageHitIndex

loc_A4CBF9:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+16Aj
		test	[ebp+arg_4], 1
		jz	short loc_A4CC1D

loc_A4CBFF:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+12Fj
					; KdpSearchPhysicalPage(x,x,x,x,x)+146j ...
		mov	eax, [esp+30h+var_24]
		add	eax, edi
		mov	[esp+30h+var_24], eax
		cmp	eax, 1000h
		jnb	short loc_A4CC20
		mov	edx, [esp+30h+var_14]
		mov	ecx, [esp+30h+var_C]
		jmp	loc_A4CB7D
; 

loc_A4CC1D:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+B0j
					; KdpSearchPhysicalPage(x,x,x,x,x)+196j
		xor	esi, esi
		inc	esi

loc_A4CC20:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+BFj
					; KdpSearchPhysicalPage(x,x,x,x,x)+1A7j
		mov	eax, esi

loc_A4CC22:				; CODE XREF: KdpSearchPhysicalPage(x,x,x,x,x)+FEj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_KdpSearchPhysicalPage@20 endp


;  S U B	R O U T	I N E 


; __stdcall KdpSearchPhysicalPageRange(x)
_KdpSearchPhysicalPageRange@4 proc near	; CODE XREF: KdpCheckLowMemory(x)+25p
					; KdpSysCheckLowMemory(x)+Cp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, ecx
		cmp	ds:_KdpSearchInProgress, edi
		jnz	short loc_A4CC40
		xor	eax, eax
		jmp	short loc_A4CC7F
; 

loc_A4CC40:				; CODE XREF: KdpSearchPhysicalPageRange(x)+Fj
		mov	eax, ds:_KdpSearchStartPageFrame
		cmp	ds:_KdpSearchEndPageFrame, eax
		jnz	short loc_A4CC56
		inc	ds:_KdpSearchEndPageFrame
		xor	edi, edi
		inc	edi

loc_A4CC56:				; CODE XREF: KdpSearchPhysicalPageRange(x)+20j
		mov	esi, ds:_KdpSearchStartPageFrame
		jmp	short loc_A4CC74
; 

loc_A4CC5E:				; CODE XREF: KdpSearchPhysicalPageRange(x)+4Fj
		push	ebx
		push	edi
		push	ds:_KdpSearchAddressRangeEnd
		mov	edx, ds:_KdpSearchAddressRangeStart
		mov	ecx, esi
		call	_KdpSearchPhysicalPage@20 ; KdpSearchPhysicalPage(x,x,x,x,x)
		inc	esi

loc_A4CC74:				; CODE XREF: KdpSearchPhysicalPageRange(x)+31j
		cmp	esi, ds:_KdpSearchEndPageFrame
		jb	short loc_A4CC5E
		xor	eax, eax
		inc	eax

loc_A4CC7F:				; CODE XREF: KdpSearchPhysicalPageRange(x)+13j
		pop	edi
		pop	esi
		pop	ebx
		retn
_KdpSearchPhysicalPageRange@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSendWaitContinue(x, x, x, x)
_KdpSendWaitContinue@16	proc near	; CODE XREF: KdpReportCommandStringStateChange(x,x,x)+130p
					; KdpReportExceptionStateChange(x,x,x)+D3p ...

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3A		= word ptr -3Ah
var_38		= dword	ptr -38h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	eax, eax
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		push	38h
		pop	ecx
		push	ecx		; size_t
		push	eax		; int
		mov	[ebp+var_6C], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_50], eax
		lea	eax, [ebp+var_40]
		push	eax		; void *
		mov	[ebp+var_70], edi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_44], offset _KdpMessageBuffer
		mov	_KdpContextSent, 0
		push	38h
		pop	eax
		mov	word ptr [ebp+var_50+2], ax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_4C], eax
		mov	eax, 1000h
		push	offset _KdpContext
		push	edi
		mov	edi, ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		mov	word ptr [ebp+var_48+2], ax
		jmp	loc_A4D003
; 

loc_A4CCF4:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+A7j
					; KdpSendWaitContinue(x,x,x,x)+CDj ...
		cmp	ds:_KeNumberProcessors,	1
		jnz	short loc_A4CD05
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)

loc_A4CD05:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+78j
		push	offset _KdpContext
		lea	eax, [ebp+var_6C]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_50]
		push	eax
		push	2
		call	ds:__imp__KdReceivePacket@20 ; KdReceivePacket(x,x,x,x,x)
		cmp	eax, 2
		jz	loc_A4CFFB
		cmp	eax, 1
		jz	short loc_A4CCF4
		mov	eax, [ebp+var_40]
		add	eax, 0FFFFCED0h	; switch 51 cases
		cmp	eax, 32h
		ja	loc_A4CFD8	; default
		jmp	ds:off_A4D06F[eax*4] ; switch jump

loc_A4CD44:				; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3130
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpReadVirtualMemory@12 ; KdpReadVirtualMemory(x,x,x)
		jmp	short loc_A4CCF4
; 

loc_A4CD52:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3131
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpWriteVirtualMemory@12 ; KdpWriteVirtualMemory(x,x,x)
		jmp	short loc_A4CCF4
; 

loc_A4CD60:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		lea	ecx, [ebp+var_40] ; case 0x3159
		call	_KdpCheckLowMemory@4 ; KdpCheckLowMemory(x)
		jmp	short loc_A4CCF4
; 

loc_A4CD6A:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	offset _KdpContext ; case 0x313D
		push	ecx
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpReadPhysicalMemory@16 ; KdpReadPhysicalMemory(x,x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CD80:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3162
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpReadPhysicalMemoryLong@12 ;	KdpReadPhysicalMemoryLong(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CD91:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x313E
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpWritePhysicalMemory@12 ; KdpWritePhysicalMemory(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CDA2:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		and	[ebp+var_58], 0	; case 0x3132
		lea	edx, [ebp+var_48]
		push	38h
		pop	eax
		mov	word ptr [ebp+var_58], ax
		lea	eax, [ebp+var_40]
		push	esi
		mov	ecx, eax
		mov	[ebp+var_54], eax
		call	_KdpGetContext@12 ; KdpGetContext(x,x,x)
		cmp	[ebp+var_38], 0
		jnz	short loc_A4CDCB
		mov	_KdpContextSent, 1

loc_A4CDCB:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+13Fj
		lea	eax, [ebp+var_48]
		push	offset _KdpContext
		push	eax
		lea	eax, [ebp+var_58]
		jmp	loc_A4CFF1
; 

loc_A4CDDC:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	esi		; case 0x3133
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpSetContext@12 ; KdpSetContext(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CDED:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	esi		; case 0x315F
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpGetContextEx@12 ; KdpGetContextEx(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CDFE:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	esi		; case 0x3160
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpSetContextEx@12 ; KdpSetContextEx(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CE0F:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3134
		lea	ecx, [ebp+var_40]
		call	_KdpWriteBreakpoint@12 ; KdpWriteBreakpoint(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CE1D:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3161
		lea	ecx, [ebp+var_40]
		call	_KdpWriteCustomBreakpoint@12 ; KdpWriteCustomBreakpoint(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CE2B:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3135
		lea	ecx, [ebp+var_40]
		call	_KdpRestoreBreakpoint@12 ; KdpRestoreBreakpoint(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CE39:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3137
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpReadControlSpace@12	; KdpReadControlSpace(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CE4A:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3138
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpWriteControlSpace@12 ; KdpWriteControlSpace(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CE5B:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3139
		lea	ecx, [ebp+var_40]
		call	_KdpReadIoSpace@12 ; KdpReadIoSpace(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CE69:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x313A
		lea	ecx, [ebp+var_40]
		call	_KdpWriteIoSpace@12 ; KdpWriteIoSpace(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CE77:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3144
		lea	ecx, [ebp+var_40]
		call	_KdpReadIoSpaceExtended@12 ; KdpReadIoSpaceExtended(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CE85:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3145
		lea	ecx, [ebp+var_40]
		call	_KdpWriteIoSpaceExtended@12 ; KdpWriteIoSpaceExtended(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CE93:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3152
		lea	ecx, [ebp+var_40]
		call	_KdpReadMachineSpecificRegister@12 ; KdpReadMachineSpecificRegister(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CEA1:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		and	[ebp+var_60], 0	; case 0x3153
		lea	edx, [ebp+var_78]
		mov	ecx, [ebp+var_30]
		push	38h
		pop	eax
		mov	word ptr [ebp+var_60], ax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_5C], eax
		mov	eax, [ebp+var_28]
		mov	[ebp+var_74], eax
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_78], eax
		call	_KdpSysWriteMsr@8 ; KdpSysWriteMsr(x,x)
		push	offset _KdpContext
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_60]
		push	0
		jmp	loc_A4CFF1
; 

loc_A4CEDB:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3157
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpGetBusData@12 ; KdpGetBusData(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CEEC:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3158
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpSetBusData@12 ; KdpSetBusData(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CEFD:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	0		; case 0x313B
		call	off_6B139C	; NtCompleteConnectPort(x)
		push	3
		call	ds:__imp__HalReturnToFirmware@4	; HalReturnToFirmware(x)
		jmp	loc_A4CCF4
; 

loc_A4CF12:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		mov	edx, esi	; case 0x3140
		lea	ecx, [ebp+var_40]
		call	_KdSetSpecialCall@8 ; KdSetSpecialCall(x,x)
		jmp	loc_A4CCF4
; 

loc_A4CF21:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		and	ds:_KdNumberOfSpecialCalls, 0 ;	case 0x3141
		jmp	loc_A4CCF4
; 

loc_A4CF2D:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		lea	ecx, [ebp+var_40] ; case 0x3142
		call	_KdSetInternalBreakpoint@4 ; KdSetInternalBreakpoint(x)
		jmp	loc_A4CCF4
; 

loc_A4CF3A:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		lea	ecx, [ebp+var_40] ; case 0x3143
		call	_KdGetInternalBreakpoint@4 ; KdGetInternalBreakpoint(x)
		jmp	loc_A4CCF4
; 

loc_A4CF47:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		and	ds:_KdpNumInternalBreakpoints, 0 ; case	0x315A
		jmp	loc_A4CCF4
; 

loc_A4CF53:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		lea	ecx, [ebp+var_40] ; case 0x3146
		call	_KdpGetVersion@4 ; KdpGetVersion(x)
		jmp	loc_A4CCF4
; 

loc_A4CF60:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	38h		; case 0x3151
		pop	eax
		xor	ecx, ecx
		mov	[ebp+var_68], ecx
		mov	word ptr [ebp+var_68], ax
		lea	eax, [ebp+var_40]
		push	offset _KdpContext
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_68]
		push	ecx
		jmp	short loc_A4CFEA
; 

loc_A4CF7D:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3147
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpWriteBreakPointEx@12 ; KdpWriteBreakPointEx(x,x,x)
		test	eax, eax
		jz	loc_A4CCF4

loc_A4CF91:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+3AAj
					; KdpSendWaitContinue(x,x,x,x)+3B6j
		xor	eax, eax
		jmp	loc_A4D018
; 

loc_A4CF98:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3148
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpRestoreBreakPointEx@12 ; KdpRestoreBreakPointEx(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CFA9:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x3156
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpSearchMemory@12 ; KdpSearchMemory(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CFBA:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		push	ecx		; case 0x315B
		lea	edx, [ebp+var_48]
		lea	ecx, [ebp+var_40]
		call	_KdpFillMemory@12 ; KdpFillMemory(x,x,x)
		jmp	loc_A4CCF4
; 

loc_A4CFCB:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		lea	ecx, [ebp+var_40] ; case 0x315C
		call	_KdpQueryMemory@8 ; KdpQueryMemory(x,x)
		jmp	loc_A4CCF4
; 

loc_A4CFD8:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+B4j
					; KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: ...
		xor	eax, eax	; default
		mov	word ptr [ebp+var_48], ax
		lea	eax, [ebp+var_48]
		push	offset _KdpContext
		push	eax
		lea	eax, [ebp+var_50]

loc_A4CFEA:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+2F8j
		mov	[ebp+var_38], 0C0000001h

loc_A4CFF1:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+154j
					; KdpSendWaitContinue(x,x,x,x)+253j
		push	eax
		push	2
		call	edi
		jmp	loc_A4CCF4
; 

loc_A4CFFB:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+9Ej
		push	offset _KdpContext
		push	[ebp+var_70]

loc_A4D003:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+6Cj
		push	ebx
		push	7
		call	edi
		cmp	_KdDebuggerNotPresent, 0
		jz	loc_A4CCF4

loc_A4D015:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+3B0j
					; KdpSendWaitContinue(x,x,x,x)+3C6j
		xor	eax, eax
		inc	eax

loc_A4D018:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+310j
					; KdpSendWaitContinue(x,x,x,x)+3E8j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_A4D029:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		cmp	[ebp+var_30], 0	; case 0x3136
		jl	loc_A4CF91
		jmp	short loc_A4D015
; 

loc_A4D035:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		cmp	[ebp+var_30], 0	; case 0x313C
		jl	loc_A4CF91
		mov	edx, esi
		lea	ecx, [ebp+var_40]
		call	_KdpGetStateChange@8 ; KdpGetStateChange(x,x)
		jmp	short loc_A4D015
; 

loc_A4D04B:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		xor	cl, cl		; case 0x3149
		call	_KdExitDebugger@4 ; KdExitDebugger(x)
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	0E2h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_A4D062:				; CODE XREF: KdpSendWaitContinue(x,x,x,x)+BAj
					; DATA XREF: PAGEKD:off_A4D06Fo
		movzx	ecx, [ebp+var_3A] ; case 0x3150
		call	_KeSwitchFrozenProcessor@4 ; KeSwitchFrozenProcessor(x)
		jmp	short loc_A4D018
_KdpSendWaitContinue@16	endp

; 
		db 8Bh,	0FFh
off_A4D06F	dd offset loc_A4CD44, offset loc_A4CD52, offset	loc_A4CDA2
					; DATA XREF: KdpSendWaitContinue(x,x,x,x)+BAr
		dd offset loc_A4CDDC, offset loc_A4CE0F, offset	loc_A4CE2B ; jump table	for switch statement
		dd offset loc_A4D029, offset loc_A4CE39, offset	loc_A4CE4A
		dd offset loc_A4CE5B, offset loc_A4CE69, offset	loc_A4CEFD
		dd offset loc_A4D035, offset loc_A4CD6A, offset	loc_A4CD91
		dd offset loc_A4CFD8, offset loc_A4CF12, offset	loc_A4CF21
		dd offset loc_A4CF2D, offset loc_A4CF3A, offset	loc_A4CE77
		dd offset loc_A4CE85, offset loc_A4CF53, offset	loc_A4CF7D
		dd offset loc_A4CF98, offset loc_A4D04B, offset	loc_A4CFD8
		dd offset loc_A4CFD8, offset loc_A4CFD8, offset	loc_A4CFD8
		dd offset loc_A4CFD8, offset loc_A4CFD8, offset	loc_A4D062
		dd offset loc_A4CF60, offset loc_A4CE93, offset	loc_A4CEA1
		dd offset loc_A4CFD8, offset loc_A4CFD8, offset	loc_A4CFA9
		dd offset loc_A4CEDB, offset loc_A4CEEC, offset	loc_A4CD60
		dd offset loc_A4CF47, offset loc_A4CFBA, offset	loc_A4CFCB
		dd offset loc_A4CFD8, offset loc_A4CFD8, offset	loc_A4CDED
		dd offset loc_A4CDFE, offset loc_A4CE1D, offset	loc_A4CD80

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSetBusData(x, x,	x)
_KdpSetBusData@12 proc near		; CODE XREF: KdpSendWaitContinue(x,x,x,x)+270p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		push	38h
		pop	eax
		mov	esi, ecx
		xor	edi, edi
		mov	[ebp+var_C], edi
		mov	word ptr [ebp+var_C], ax
		lea	eax, [ebp+var_4]
		push	eax
		push	dword ptr [esi+20h]
		mov	ecx, [esi+10h]
		push	dword ptr [edx+4]
		mov	edx, [esi+14h]
		push	dword ptr [esi+1Ch]
		mov	[ebp+var_4], edi
		push	dword ptr [esi+18h]
		mov	[ebp+var_8], esi
		call	_KdpSysWriteBusData@28 ; KdpSysWriteBusData(x,x,x,x,x,x,x)
		mov	[esi+8], eax
		mov	eax, [ebp+var_4]
		push	offset _KdpContext
		mov	[esi+20h], eax
		lea	eax, [ebp+var_C]
		push	edi
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn	4
_KdpSetBusData@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSetContext(x, x,	x)
_KdpSetContext@12 proc near		; CODE XREF: KdpSendWaitContinue(x,x,x,x)+160p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_8], ecx
		mov	edi, edx
		mov	[ebp+var_C], ebx
		movzx	edx, word ptr [ecx+6]
		mov	[ebp+var_4], ebx
		push	38h
		pop	eax
		mov	word ptr [ebp+var_C], ax
		cmp	edx, 20h
		jnb	short loc_A4D20E
		mov	esi, edx
		cmp	ds:_KiProcessorBlock[esi*4], ebx
		jz	short loc_A4D20E
		cmp	_KdpContextSent, bl
		jz	short loc_A4D20E
		movzx	eax, large byte	ptr fs:51h
		mov	[ecx+8], ebx
		cmp	dx, ax
		jnz	short loc_A4D1E5
		mov	esi, [ebp+arg_0]
		jmp	short loc_A4D1F2
; 

loc_A4D1E5:				; CODE XREF: KdpSetContext(x,x,x)+49j
		mov	eax, ds:_KiProcessorBlock[esi*4]
		mov	esi, [eax+4168h]

loc_A4D1F2:				; CODE XREF: KdpSetContext(x,x,x)+4Ej
		movzx	edx, word ptr [edi]
		lea	eax, [ebp+var_4]
		mov	ecx, [edi+4]
		push	eax
		call	_KdpSanitizeContextFlags@12 ; KdpSanitizeContextFlags(x,x,x)
		mov	edx, [ebp+var_4]
		push	ecx
		mov	ecx, esi
		call	_KdpCopyContext@12 ; KdpCopyContext(x,x,x)
		jmp	short loc_A4D215
; 

loc_A4D20E:				; CODE XREF: KdpSetContext(x,x,x)+26j
					; KdpSetContext(x,x,x)+31j ...
		mov	dword ptr [ecx+8], 0C0000001h

loc_A4D215:				; CODE XREF: KdpSetContext(x,x,x)+77j
		push	offset _KdpContext
		push	ebx
		lea	eax, [ebp+var_C]
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KdpSetContext@12 endp


;  S U B	R O U T	I N E 


; __stdcall KdpSysCheckLowMemory(x)
_KdpSysCheckLowMemory@4	proc near	; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+4BAp
		mov	edi, edi
		push	ecx
		cmp	ds:_KdpSearchInProgress, 0
		jz	short loc_A4D23F
		call	_KdpSearchPhysicalPageRange@4 ;	KdpSearchPhysicalPageRange(x)

loc_A4D23F:				; CODE XREF: KdpSysCheckLowMemory(x)+Aj
		xor	eax, eax
		pop	ecx
		retn
_KdpSysCheckLowMemory@4	endp


;  S U B	R O U T	I N E 


; __stdcall KdpSysGetVersion(x)
_KdpSysGetVersion@4 proc near		; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+77p
		mov	edi, edi
		push	esi
		push	edi
		push	0Ah
		mov	edi, ecx
		mov	esi, offset _KdVersionBlock
		pop	ecx
		rep movsd
		pop	edi
		pop	esi
		retn
_KdpSysGetVersion@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSysReadBusData(x, x, x, x, x, x,	x)
_KdpSysReadBusData@28 proc near		; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+43Fp
					; KdpGetBusData(x,x,x)+50p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_C]
		push	esi
		push	[ebp+arg_4]
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		push	edx
		cmp	ecx, 4
		jnz	short loc_A4D277
		call	dword_6B1260
		jmp	short loc_A4D27E
; 

loc_A4D277:				; CODE XREF: KdpSysReadBusData(x,x,x,x,x,x,x)+17j
		push	ecx
		call	ds:__imp__HalGetBusDataByOffset@24 ; HalGetBusDataByOffset(x,x,x,x,x,x)

loc_A4D27E:				; CODE XREF: KdpSysReadBusData(x,x,x,x,x,x,x)+1Fj
		mov	ecx, eax
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		sub	ecx, esi
		neg	ecx
		pop	esi
		sbb	ecx, ecx
		and	ecx, 0C0000001h
		mov	eax, ecx
		pop	ebp
		retn	14h
_KdpSysReadBusData@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSysWriteBusData(x, x, x,	x, x, x, x)
_KdpSysWriteBusData@28 proc near	; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+4AEp
					; KdpSetBusData(x,x,x)+34p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_C]
		push	esi
		push	[ebp+arg_4]
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		push	edx
		cmp	ecx, 4
		jnz	short loc_A4D2B9
		call	dword_6B1264
		jmp	short loc_A4D2C0
; 

loc_A4D2B9:				; CODE XREF: KdpSysWriteBusData(x,x,x,x,x,x,x)+17j
		push	ecx
		call	ds:__imp__HalSetBusDataByOffset@24 ; HalSetBusDataByOffset(x,x,x,x,x,x)

loc_A4D2C0:				; CODE XREF: KdpSysWriteBusData(x,x,x,x,x,x,x)+1Fj
		mov	ecx, eax
		mov	eax, [ebp+arg_10]
		mov	[eax], ecx
		sub	ecx, esi
		neg	ecx
		pop	esi
		sbb	ecx, ecx
		and	ecx, 0C0000001h
		mov	eax, ecx
		pop	ebp
		retn	14h
_KdpSysWriteBusData@28 endp


;  S U B	R O U T	I N E 


; __stdcall KdpTimeSlipDpcRoutine(x, x,	x, x)
_KdpTimeSlipDpcRoutine@16 proc near	; DATA XREF: KdRegisterDebuggerDataBlock+54Bo
		or	eax, 0FFFFFFFFh
		lock xadd _KdpTimeSlipPending, eax
		dec	eax
		test	eax, eax
		jle	short locret_A4D2F6
		push	1
		push	offset _KdpTimeSlipWorkItem
		call	ExQueueWorkItem

locret_A4D2F6:				; CODE XREF: KdpTimeSlipDpcRoutine(x,x,x,x)+Ej
		retn	10h
_KdpTimeSlipDpcRoutine@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpTimeSlipWork(x)
_KdpTimeSlipWork@4 proc	near		; DATA XREF: KdRegisterDebuggerDataBlock+578o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	cl, cl
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		test	al, al
		jz	short loc_A4D365
		push	ebx
		push	edi
		xor	edx, edx
		xor	cl, cl
		call	ExUpdateSystemTimeFromCmos
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _KdpTimeSlipEventLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, _KdpTimeSlipEvent
		test	edx, edx
		jz	short loc_A4D341
		push	0
		push	0
		push	edx
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_A4D341:				; CODE XREF: KdpTimeSlipWork(x)+3Cj
		test	ds:byte_70EFC6,	1
		jz	short loc_A4D356
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A4D35B
; 

loc_A4D356:				; CODE XREF: KdpTimeSlipWork(x)+4Fj
		xor	eax, eax
		lock and [edi],	eax

loc_A4D35B:				; CODE XREF: KdpTimeSlipWork(x)+5Bj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	ebx

loc_A4D365:				; CODE XREF: KdpTimeSlipWork(x)+Ej
		push	0FFFFFFFFh
		push	94B62E00h
		push	offset _KdpTimeSlipDpc
		push	0
		xor	edx, edx
		mov	ecx, offset _KdpTimeSlipTimer
		call	KiSetTimerEx
		pop	ebp
		retn	4
_KdpTimeSlipWork@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpWriteBreakPointEx(x, x, x)
_KdpWriteBreakPointEx@12 proc near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+301p

var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_204		= dword	ptr -204h
var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 228h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, edx
		xor	ecx, ecx
		mov	[ebp+var_220], edi
		push	38h
		pop	eax
		mov	[ebp+var_218], ecx
		mov	word ptr [ebp+var_218],	ax
		mov	eax, [esi+10h]
		mov	[ebp+var_210], ecx
		mov	[ebp+var_214], esi
		mov	[ebp+var_21C], eax
		cmp	eax, 20h
		ja	loc_A4D4DB
		mov	ebx, eax
		movzx	eax, word ptr [edi]
		shl	ebx, 4
		mov	[ebp+var_224], ebx
		cmp	eax, ebx
		jnz	loc_A4D4DB
		lea	eax, [ebp+var_210]
		mov	edx, ebx
		push	eax
		push	4
		push	ecx
		push	ecx
		push	dword ptr [edi+4]
		lea	ecx, [ebp+var_20C]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		cmp	[ebp+var_210], ebx
		jnz	loc_A4D4DB
		and	dword ptr [esi+8], 0
		mov	eax, [ebp+var_21C]
		test	eax, eax
		jz	loc_A4D4A4
		lea	ebx, [ebp+var_204]
		mov	[ebp+var_210], eax

loc_A4D430:				; CODE XREF: KdpWriteBreakPointEx(x,x,x)+D8j
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	short loc_A4D44F
		call	_KdpDeleteBreakpoint@4 ; KdpDeleteBreakpoint(x)
		test	al, al
		jnz	short loc_A4D446
		mov	dword ptr [esi+8], 0C0000001h

loc_A4D446:				; CODE XREF: KdpWriteBreakPointEx(x,x,x)+BAj
		and	dword ptr [ebx], 0
		mov	eax, [ebp+var_210]

loc_A4D44F:				; CODE XREF: KdpWriteBreakPointEx(x,x,x)+B1j
		add	ebx, 10h
		sub	eax, 1
		mov	[ebp+var_210], eax
		jnz	short loc_A4D430
		mov	edi, [ebp+var_21C]
		lea	ebx, [ebp+var_20C]

loc_A4D469:				; CODE XREF: KdpWriteBreakPointEx(x,x,x)+113j
		mov	eax, [ebx]
		or	eax, [ebx+4]
		jz	short loc_A4D490
		mov	ecx, [ebx]
		mov	dl, 1
		push	0
		push	0
		push	0CCh
		call	_KdpAddBreakpoint@20 ; KdpAddBreakpoint(x,x,x,x,x)
		mov	[ebx+8], eax
		test	eax, eax
		jnz	short loc_A4D490
		mov	dword ptr [esi+8], 0C0000001h

loc_A4D490:				; CODE XREF: KdpWriteBreakPointEx(x,x,x)+EBj
					; KdpWriteBreakPointEx(x,x,x)+104j
		add	ebx, 10h
		sub	edi, 1
		jnz	short loc_A4D469
		mov	edi, [ebp+var_220]
		mov	ebx, [ebp+var_224]

loc_A4D4A4:				; CODE XREF: KdpWriteBreakPointEx(x,x,x)+9Bj
		lea	eax, [ebp+var_210]
		mov	edx, ebx
		push	eax
		push	5
		push	0
		push	0
		push	dword ptr [edi+4]
		lea	ecx, [ebp+var_20C]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		push	offset _KdpContext
		push	edi
		lea	eax, [ebp+var_218]
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		mov	eax, [esi+14h]
		jmp	short loc_A4D4FA
; 

loc_A4D4DB:				; CODE XREF: KdpWriteBreakPointEx(x,x,x)+4Cj
					; KdpWriteBreakPointEx(x,x,x)+62j ...
		push	offset _KdpContext
		push	edi
		lea	eax, [ebp+var_218]
		mov	dword ptr [esi+8], 0C0000001h
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		mov	eax, [esi+8]

loc_A4D4FA:				; CODE XREF: KdpWriteBreakPointEx(x,x,x)+156j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_KdpWriteBreakPointEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpWriteBreakpoint(x, x, x)
_KdpWriteBreakpoint@12 proc near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+190p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		push	38h
		pop	eax
		xor	edi, edi
		mov	esi, ecx
		push	edi
		push	edi
		mov	[ebp+var_8], edi
		mov	dl, 1
		mov	ecx, [esi+10h]
		push	0CCh
		mov	word ptr [ebp+var_8], ax
		mov	[ebp+var_4], esi
		call	_KdpAddBreakpoint@20 ; KdpAddBreakpoint(x,x,x,x,x)
		mov	[esi+18h], eax
		neg	eax
		push	offset _KdpContext
		sbb	eax, eax
		and	eax, 3FFFFFFFh
		add	eax, 0C0000001h
		mov	[esi+8], eax
		lea	eax, [ebp+var_8]
		push	edi
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn	4
_KdpWriteBreakpoint@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpWriteControlSpace(x, x, x)
_KdpWriteControlSpace@12 proc near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+1CEp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		xor	eax, eax
		mov	edi, edx
		push	38h
		mov	[ebp+var_C], eax
		mov	esi, ecx
		mov	[ebp+var_4], eax
		mov	edx, [edi+4]
		pop	eax
		movzx	ecx, word ptr [esi+6]
		mov	word ptr [ebp+var_C], ax
		lea	eax, [ebp+var_4]
		push	eax
		movzx	eax, word ptr [edi]
		push	eax
		push	dword ptr [esi+14h]
		mov	[ebp+var_8], esi
		push	dword ptr [esi+10h]
		call	_KdpSysWriteControlSpace@24 ; KdpSysWriteControlSpace(x,x,x,x,x,x)
		mov	[esi+8], eax
		mov	eax, [ebp+var_4]
		push	offset _KdpContext
		mov	[esi+1Ch], eax
		lea	eax, [ebp+var_C]
		push	edi
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn	4
_KdpWriteControlSpace@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpWriteIoSpace(x, x, x)
_KdpWriteIoSpace@12 proc near		; CODE XREF: KdpSendWaitContinue(x,x,x,x)+1EAp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		xor	edx, edx
		push	esi
		push	38h
		pop	eax
		mov	esi, ecx
		mov	word ptr [ebp+var_C], ax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], esi
		push	eax
		xor	ecx, ecx
		push	dword ptr [esi+18h]
		lea	eax, [esi+1Ch]
		inc	ecx
		push	eax
		push	dword ptr [esi+14h]
		push	dword ptr [esi+10h]
		push	ecx
		call	_KdpSysWriteIoSpace@32 ; KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)
		push	offset _KdpContext
		mov	[esi+8], eax
		lea	eax, [ebp+var_C]
		push	0
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	esi
		leave
		retn	4
_KdpWriteIoSpace@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpWriteIoSpaceExtended(x, x, x)
_KdpWriteIoSpaceExtended@12 proc near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+206p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		push	esi
		push	38h
		pop	eax
		mov	esi, ecx
		mov	word ptr [ebp+var_C], ax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], esi
		push	eax
		push	dword ptr [esi+10h]
		mov	edx, [esi+18h]
		lea	eax, [esi+28h]
		mov	ecx, [esi+14h]
		push	eax
		push	dword ptr [esi+24h]
		push	dword ptr [esi+20h]
		push	dword ptr [esi+1Ch]
		call	_KdpSysWriteIoSpace@32 ; KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)
		push	offset _KdpContext
		mov	[esi+8], eax
		lea	eax, [ebp+var_C]
		push	0
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	esi
		leave
		retn	4
_KdpWriteIoSpaceExtended@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpWritePhysicalMemory(x, x, x)
_KdpWritePhysicalMemory@12 proc	near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+115p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	ebx, ebx
		push	38h
		pop	eax
		mov	edi, edx
		mov	[ebp+var_8], ebx
		mov	word ptr [ebp+var_8], ax
		lea	edx, [esi+1Ch]
		mov	eax, [edx]
		mov	[ebp+var_4], esi
		push	7
		pop	ecx
		sub	eax, 1
		jz	short loc_A4D69C
		sub	eax, 1
		jz	short loc_A4D698
		sub	eax, 1
		jnz	short loc_A4D69F
		push	27h
		jmp	short loc_A4D69E
; 

loc_A4D698:				; CODE XREF: KdpWritePhysicalMemory(x,x,x)+2Dj
		push	17h
		jmp	short loc_A4D69E
; 

loc_A4D69C:				; CODE XREF: KdpWritePhysicalMemory(x,x,x)+28j
		push	0Fh

loc_A4D69E:				; CODE XREF: KdpWritePhysicalMemory(x,x,x)+36j
					; KdpWritePhysicalMemory(x,x,x)+3Aj
		pop	ecx

loc_A4D69F:				; CODE XREF: KdpWritePhysicalMemory(x,x,x)+32j
		push	edx
		mov	edx, [esi+18h]
		push	ecx
		mov	ecx, [edi+4]
		push	ebx
		push	dword ptr [esi+14h]
		push	dword ptr [esi+10h]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		push	offset _KdpContext
		mov	[esi+8], eax
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		push	2
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KdpWritePhysicalMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpWriteVirtualMemory(x, x,	x)
_KdpWriteVirtualMemory@12 proc near	; CODE XREF: KdpSendWaitContinue(x,x,x,x)+D6p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	ebx, ebx
		mov	esi, edx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		lea	eax, [edi+1Ch]
		movzx	edx, word ptr [esi]
		mov	ecx, [esi+4]
		push	eax
		push	5
		push	ebx
		push	dword ptr [edi+14h]
		push	dword ptr [edi+10h]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		push	38h
		mov	[edi+8], eax
		pop	eax
		push	offset _KdpContext
		mov	word ptr [ebp+var_8], ax
		lea	eax, [ebp+var_8]
		push	ebx
		push	eax
		push	2
		mov	[ebp+var_4], edi
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_KdpWriteVirtualMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PotentialNewSymbol(x)
_PotentialNewSymbol@4 proc near		; CODE XREF: KdpCheckTracePoint(x,x)+84p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	_TraceDataBufferFilled,	0
		mov	ecx, ds:_oldpc
		jnz	short loc_A4D746
		call	_SymNumFor@4	; SymNumFor(x)
		cmp	eax, 0FFFFFFFFh
		jnz	locret_A4D7C7

loc_A4D746:				; CODE XREF: PotentialNewSymbol(x)+13j
		push	esi
		mov	esi, ds:_TraceDataBufferPosition
		mov	_TraceDataBufferFilled,	0
		mov	byte ptr ds:(_TraceDataBuffer+1)[esi*4], 0
		call	_SymNumFor@4	; SymNumFor(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_A4D788
		mov	ecx, ds:_TraceDataSyms[eax*8]
		mov	byte ptr ds:_TraceDataBuffer[esi*4], al
		mov	eax, ds:dword_AA41F4[eax*8]
		mov	ds:_KdpCurrentSymbolStart, ecx
		mov	ds:_KdpCurrentSymbolEnd, eax
		jmp	short loc_A4D7C6
; 

loc_A4D788:				; CODE XREF: PotentialNewSymbol(x)+41j
		mov	cl, ds:_NextTraceDataSym
		mov	eax, ds:_KdpCurrentSymbolStart
		movzx	edx, cl
		mov	byte ptr ds:_TraceDataBuffer[esi*4], cl
		mov	ds:_TraceDataSyms[edx*8], eax
		mov	eax, ds:_KdpCurrentSymbolEnd
		mov	ds:dword_AA41F4[edx*8],	eax
		inc	dl
		mov	ds:_NextTraceDataSym, dl
		cmp	ds:_NumTraceDataSyms, dl
		jnb	short loc_A4D7C6
		mov	ds:_NumTraceDataSyms, dl

loc_A4D7C6:				; CODE XREF: PotentialNewSymbol(x)+63j
					; PotentialNewSymbol(x)+9Bj
		pop	esi

locret_A4D7C7:				; CODE XREF: PotentialNewSymbol(x)+1Dj
		leave
		retn
_PotentialNewSymbol@4 endp


;  S U B	R O U T	I N E 


; __stdcall SkippingWhichBP(x, x)
_SkippingWhichBP@8 proc	near		; CODE XREF: KdpCheckTracePoint(x,x)+A8p
					; KdpCheckTracePoint(x,x)+35Bp
		cmp	ds:_IntBPsSkipping, 0
		push	esi
		push	edi
		mov	edi, ecx
		jz	short loc_A4D7F9
		mov	esi, ds:_KdpNumInternalBreakpoints
		xor	eax, eax
		test	esi, esi
		jz	short loc_A4D7F9
		mov	ecx, offset dword_AA5E80

loc_A4D7E7:				; CODE XREF: SkippingWhichBP(x,x)+2Ej
		test	byte ptr [ecx-20h], 2
		jnz	short loc_A4D7F1
		cmp	[ecx], edi
		jz	short loc_A4D7FE

loc_A4D7F1:				; CODE XREF: SkippingWhichBP(x,x)+22j
		inc	eax
		add	ecx, 38h
		cmp	eax, esi
		jb	short loc_A4D7E7

loc_A4D7F9:				; CODE XREF: SkippingWhichBP(x,x)+Bj
					; SkippingWhichBP(x,x)+17j
		xor	al, al

loc_A4D7FB:				; CODE XREF: SkippingWhichBP(x,x)+39j
		pop	edi
		pop	esi
		retn
; 

loc_A4D7FE:				; CODE XREF: SkippingWhichBP(x,x)+26j
		mov	[edx], eax
		mov	al, 1
		jmp	short loc_A4D7FB
_SkippingWhichBP@8 endp


;  S U B	R O U T	I N E 


; __stdcall SymNumFor(x)
_SymNumFor@4	proc near		; CODE XREF: PotentialNewSymbol(x)+15p
					; PotentialNewSymbol(x)+39p ...
		movzx	edx, ds:_NumTraceDataSyms
		xor	eax, eax
		test	edx, edx
		jz	short loc_A4D828

loc_A4D811:				; CODE XREF: SymNumFor(x)+22j
		cmp	ds:_TraceDataSyms[eax*8], ecx
		ja	short loc_A4D823
		cmp	ds:dword_AA41F4[eax*8],	ecx
		ja	short locret_A4D82B

loc_A4D823:				; CODE XREF: SymNumFor(x)+14j
		inc	eax
		cmp	eax, edx
		jb	short loc_A4D811

loc_A4D828:				; CODE XREF: SymNumFor(x)+Bj
		or	eax, 0FFFFFFFFh

locret_A4D82B:				; CODE XREF: SymNumFor(x)+1Dj
		retn
_SymNumFor@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TraceDataRecordCallInfo(x, x, x)
_TraceDataRecordCallInfo@12 proc near	; CODE XREF: KdpCheckTracePoint(x,x)+3E0p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	ebx
		mov	ebx, ds:_CallLevelChange
		push	esi
		mov	esi, ds:_InstructionsTraced
		call	_SymNumFor@4	; SymNumFor(x)
		mov	edx, eax
		mov	eax, ds:_KdpNextCallLevelChange
		test	eax, eax
		jz	short loc_A4D867
		mov	ecx, ds:_TraceDataBufferPosition
		and	ds:_KdpNextCallLevelChange, 0
		mov	byte ptr ds:(_TraceDataBuffer+1)[ecx*4], al

loc_A4D867:				; CODE XREF: TraceDataRecordCallInfo(x,x,x)+25j
		mov	eax, ds:_TraceDataBufferPosition
		mov	ecx, 0FFFFh
		cmp	esi, ecx
		jb	short loc_A4D889
		mov	word ptr ds:(_TraceDataBuffer+2)[eax*4], cx
		lea	ecx, [eax+2]
		mov	ds:dword_AA4154[eax*4],	esi
		jmp	short loc_A4D894
; 

loc_A4D889:				; CODE XREF: TraceDataRecordCallInfo(x,x,x)+47j
		mov	word ptr ds:(_TraceDataBuffer+2)[eax*4], si
		lea	ecx, [eax+1]

loc_A4D894:				; CODE XREF: TraceDataRecordCallInfo(x,x,x)+5Bj
		lea	eax, [ecx+2]
		mov	ds:_TraceDataBufferPosition, ecx
		cmp	eax, 28h
		jnb	short loc_A4D8D1
		cmp	edx, 0FFFFFFFFh
		jz	short loc_A4D8D8
		mov	eax, ds:_TraceDataSyms[edx*8]
		mov	ds:_KdpCurrentSymbolStart, eax
		mov	eax, ds:dword_AA41F4[edx*8]
		mov	byte ptr ds:(_TraceDataBuffer+1)[ecx*4], bl
		mov	ds:_KdpCurrentSymbolEnd, eax
		mov	al, 1
		mov	byte ptr ds:_TraceDataBuffer[ecx*4], dl
		jmp	short loc_A4D8E0
; 

loc_A4D8D1:				; CODE XREF: TraceDataRecordCallInfo(x,x,x)+74j
		mov	_TraceDataBufferFilled,	1

loc_A4D8D8:				; CODE XREF: TraceDataRecordCallInfo(x,x,x)+79j
		mov	ds:_KdpNextCallLevelChange, ebx
		xor	al, al

loc_A4D8E0:				; CODE XREF: TraceDataRecordCallInfo(x,x,x)+A3j
		pop	esi
		pop	ebx
		leave
		retn	4
_TraceDataRecordCallInfo@12 endp

; 
		align 4
		db 3 dup(0CCh)
; Exported entry 1076. KdLogDbgPrint

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdLogDbgPrint(x)
		public _KdLogDbgPrint@4
_KdLogDbgPrint@4 proc near		; CODE XREF: KdpPrint(x,x,x,x,x,x,x,x)+C0p
					; KdpPrompt(x,x,x,x,x,x,x)+D1p

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:20h
		xor	ecx, ecx
		mov	[ebp+var_8], ecx
		cmp	dword_6FE048, eax
		jnz	short loc_A4D911
		lock inc ds:_KdPrintSkippedCount
		jmp	locret_A4DA79
; 

loc_A4D911:				; CODE XREF: KdLogDbgPrint(x)+18j
		lock inc dword_6FE044
		jmp	short loc_A4D91C
; 

loc_A4D91A:				; CODE XREF: KdLogDbgPrint(x)+38j
		pause

loc_A4D91C:				; CODE XREF: KdLogDbgPrint(x)+2Dj
		nop
		cmp	_KdpPrintSpinLock, ecx
		jnz	short loc_A4D91A
		mov	cl, 1Fh
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		cmp	ds:_KdPrintCircularBuffer, 0
		mov	[ebp+var_1], al
		jz	loc_A4DA6A
		mov	ecx, ds:_KdPrintBufferSize
		mov	eax, 200h
		shr	ecx, 3
		cmp	ecx, eax
		jbe	short loc_A4D951
		mov	ecx, eax

loc_A4D951:				; CODE XREF: KdLogDbgPrint(x)+62j
		mov	eax, [ebp+arg_0]
		push	esi
		movzx	esi, word ptr [eax]
		cmp	esi, ecx
		jbe	short loc_A4D965
		mov	esi, ecx
		lock inc ds:_KdPrintTruncatedCount

loc_A4D965:				; CODE XREF: KdLogDbgPrint(x)+6Fj
		xor	ecx, ecx
		mov	edx, offset _KdPrintWritePointer
		xor	eax, eax
		lock cmpxchg [edx], ecx
		push	ebx
		push	edi

loc_A4D974:				; CODE XREF: KdLogDbgPrint(x)+AFj
		mov	ecx, ds:_KdPrintCircularBuffer
		lea	edx, [esi+eax]
		mov	edi, ds:_KdPrintBufferSize
		mov	ebx, eax
		add	ecx, edi
		cmp	edx, ecx
		jb	short loc_A4D98D
		sub	edx, edi

loc_A4D98D:				; CODE XREF: KdLogDbgPrint(x)+9Ej
		mov	ecx, edx
		mov	edi, offset _KdPrintWritePointer
		lock cmpxchg [edi], ecx
		cmp	eax, ebx
		jnz	short loc_A4D974
		cmp	edx, ebx
		jnb	short loc_A4D9A7
		lock inc ds:_KdPrintRolloverCount

loc_A4D9A7:				; CODE XREF: KdLogDbgPrint(x)+B3j
		mov	edi, ds:_KdPrintBufferSize
		lea	eax, [ebx+esi]
		mov	edx, ds:_KdPrintCircularBuffer
		lea	ecx, [edi+edx]
		cmp	eax, ecx
		lea	eax, [ebp+var_8]
		push	eax
		mov	eax, [ebp+arg_0]
		mov	ecx, ebx
		push	4
		ja	short loc_A4D9EA
		xor	edi, edi
		mov	edx, esi
		push	edi
		push	edi
		push	dword ptr [eax+4]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	eax, [ebp+var_8]
		cmp	eax, esi
		jnb	loc_A4DA64
		sub	esi, eax
		add	eax, ebx
		push	esi
		push	edi

loc_A4D9E7:				; CODE XREF: KdLogDbgPrint(x)+166j
		push	eax
		jmp	short loc_A4DA5C
; 

loc_A4D9EA:				; CODE XREF: KdLogDbgPrint(x)+DBj
		push	0
		sub	edi, ebx
		push	0
		push	dword ptr [eax+4]
		add	edi, edx
		mov	edx, edi
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		cmp	ecx, edi
		jnb	short loc_A4DA19
		mov	eax, edi
		sub	eax, ecx
		push	eax		; size_t
		lea	eax, [ebx+ecx]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	ecx, [ebp+var_8]
		add	esp, 0Ch

loc_A4DA19:				; CODE XREF: KdLogDbgPrint(x)+116j
		sub	esi, edi
		cmp	ecx, edi
		jnz	short loc_A4DA53
		mov	ecx, ds:_KdPrintCircularBuffer
		lea	eax, [ebp+var_8]
		push	eax
		mov	eax, [ebp+arg_0]
		xor	ebx, ebx
		push	4
		push	ebx
		push	ebx
		mov	eax, [eax+4]
		mov	edx, esi
		add	eax, edi
		push	eax
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_8]
		cmp	ecx, esi
		jnb	short loc_A4DA64
		mov	eax, ds:_KdPrintCircularBuffer
		sub	esi, ecx
		push	esi
		push	ebx
		add	eax, ecx
		jmp	short loc_A4D9E7
; 

loc_A4DA53:				; CODE XREF: KdLogDbgPrint(x)+132j
		push	esi		; size_t
		push	0		; int
		push	ds:_KdPrintCircularBuffer ; void *

loc_A4DA5C:				; CODE XREF: KdLogDbgPrint(x)+FDj
		call	_memset
		add	esp, 0Ch

loc_A4DA64:				; CODE XREF: KdLogDbgPrint(x)+F0j
					; KdLogDbgPrint(x)+159j
		mov	al, [ebp+var_1]
		pop	edi
		pop	ebx
		pop	esi

loc_A4DA6A:				; CODE XREF: KdLogDbgPrint(x)+4Cj
		lock dec dword_6FE044
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

locret_A4DA79:				; CODE XREF: KdLogDbgPrint(x)+21j
		leave
		retn	4
_KdLogDbgPrint@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpCommandString(x,	x, x, x, x, x)
_KdpCommandString@24 proc near		; CODE XREF: KdpTrap(x,x,x,x,x,x)+69p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_3		= byte ptr  0Bh
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		jnz	short loc_A4DAFB
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_A4DAFB
		mov	edx, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		call	_KdEnterDebugger@8 ; KdEnterDebugger(x,x)
		mov	edi, large fs:20h
		mov	[ebp+arg_3], al
		lea	ebx, [edi+18h]
		push	ebx
		call	_KiSaveProcessorControlState@4 ; KiSaveProcessorControlState(x)
		mov	esi, [ebp+arg_4]
		mov	ecx, [edi+4168h]
		push	esi
		mov	edx, [esi]
		call	_KdpCopyContext@12 ; KdpCopyContext(x,x,x)
		push	dword ptr [edi+4168h]
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		call	_KdpReportCommandStringStateChange@12 ;	KdpReportCommandStringStateChange(x,x,x)
		mov	edx, [edi+4168h]
		mov	ecx, esi
		push	edx
		mov	edx, [edx]
		call	_KdpCopyContext@12 ; KdpCopyContext(x,x,x)
		push	ebx
		call	_KiRestoreProcessorControlState@4 ; KiRestoreProcessorControlState(x)
		mov	cl, [ebp+arg_3]
		call	_KdExitDebugger@4 ; KdExitDebugger(x)

loc_A4DAFB:				; CODE XREF: KdpCommandString(x,x,x,x,x,x)+15j
					; KdpCommandString(x,x,x,x,x,x)+1Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_KdpCommandString@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpPrint(x,	x, x, x, x, x, x, x)
_KdpPrint@32	proc near		; CODE XREF: KdpTrap(x,x,x,x,x,x)+CFp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		push	18h
		push	offset dword_6A8378
		call	__SEH_prolog4_GS
		mov	esi, edx
		mov	edi, ecx
		xor	edx, edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], edx
		mov	ebx, 9Ch
		cmp	edi, ebx
		jb	short loc_A4DB2C
		push	65h
		pop	edi
		push	3
		pop	esi

loc_A4DB2C:				; CODE XREF: KdpPrint(x,x,x,x,x,x,x,x)+22j
		mov	eax, [ebp+arg_14]
		mov	[eax], dl
		cmp	esi, 1Fh
		ja	short loc_A4DB3F
		xor	eax, eax
		inc	eax
		mov	ecx, esi
		shl	eax, cl
		mov	esi, eax

loc_A4DB3F:				; CODE XREF: KdpPrint(x,x,x,x,x,x,x,x)+32j
		test	_Kd_WIN2000_Mask, esi
		jnz	short loc_A4DB5D
		cmp	edi, ebx
		jnb	short loc_A4DB5D
		lfence	eax
		mov	eax, ds:_KdComponentTable[edi*4]
		test	[eax], esi
		jz	loc_A4DC23

loc_A4DB5D:				; CODE XREF: KdpPrint(x,x,x,x,x,x,x,x)+43j
					; KdpPrint(x,x,x,x,x,x,x,x)+47j
		mov	ebx, 200h
		mov	edi, [ebp+arg_4]
		cmp	di, bx
		jbe	short loc_A4DB6C
		mov	edi, ebx

loc_A4DB6C:				; CODE XREF: KdpPrint(x,x,x,x,x,x,x,x)+66j
		cmp	[ebp+arg_8], dl
		jz	short loc_A4DBB4
		mov	[ebp+ms_exc.disabled], edx
		test	di, di
		jz	short loc_A4DB90
		movzx	esi, di
		mov	ecx, [ebp+arg_0]
		add	esi, ecx
		mov	eax, ds:_MmUserProbeAddress
		cmp	esi, eax
		ja	short loc_A4DB8E
		cmp	esi, ecx
		jnb	short loc_A4DB90

loc_A4DB8E:				; CODE XREF: KdpPrint(x,x,x,x,x,x,x,x)+86j
		mov	[eax], dl

loc_A4DB90:				; CODE XREF: KdpPrint(x,x,x,x,x,x,x,x)+75j
					; KdpPrint(x,x,x,x,x,x,x,x)+8Aj
		mov	eax, ebx
		call	__alloca_probe_16
		mov	[ebp+ms_exc.old_esp], esp
		mov	esi, esp
		movzx	eax, di
		push	eax
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_KdpQuickMoveMemory@12 ; KdpQuickMoveMemory(x,x,x)
		mov	[ebp+arg_0], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A4DBB4:				; CODE XREF: KdpPrint(x,x,x,x,x,x,x,x)+6Dj
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_24], eax
		mov	word ptr [ebp+var_28], di
		lea	eax, [ebp+var_28]
		push	eax
		call	_KdLogDbgPrint@4 ; KdLogDbgPrint(x)
		cmp	_KdDebuggerNotPresent, 0
		jz	short loc_A4DBF5
		cmp	_KdEventLoggingPresent,	0
		jnz	short loc_A4DBF5
		mov	edx, 0C000009Dh
		jmp	short loc_A4DC23
; 

loc_A4DBE0:				; DATA XREF: .text:006A838Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_A4DBE4:				; DATA XREF: .text:006A8390o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, 0C0000005h
		jmp	short loc_A4DC2B
; 

loc_A4DBF5:				; CODE XREF: KdpPrint(x,x,x,x,x,x,x,x)+CCj
					; KdpPrint(x,x,x,x,x,x,x,x)+D5j
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		call	_KdEnterDebugger@8 ; KdEnterDebugger(x,x)
		mov	bl, al
		lea	ecx, [ebp+var_28]
		call	_KdpPrintString@4 ; KdpPrintString(x)
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	eax, 80000003h
		mov	[ebp+var_20], eax
		mov	cl, bl
		call	_KdExitDebugger@4 ; KdExitDebugger(x)
		mov	edx, [ebp+var_20]

loc_A4DC23:				; CODE XREF: KdpPrint(x,x,x,x,x,x,x,x)+55j
					; KdpPrint(x,x,x,x,x,x,x,x)+DCj
		mov	ecx, [ebp+arg_14]
		mov	byte ptr [ecx],	1
		mov	eax, edx

loc_A4DC2B:				; CODE XREF: KdpPrint(x,x,x,x,x,x,x,x)+F1j
		lea	esp, [ebp-38h]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_KdpPrint@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpPrompt(x, x, x, x, x, x,	x)
_KdpPrompt@28	proc near		; CODE XREF: KdpTrap(x,x,x,x,x,x)+A6p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		push	24h
		push	offset dword_6A8350
		call	__SEH_prolog4_GS
		mov	edi, edx
		mov	ebx, ecx
		mov	[ebp+var_30], ebx
		xor	eax, eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	edx, 200h
		cmp	di, dx
		jbe	short loc_A4DC67
		mov	edi, edx

loc_A4DC67:				; CODE XREF: KdpPrompt(x,x,x,x,x,x,x)+23j
		mov	esi, [ebp+arg_4]
		cmp	si, dx
		jbe	short loc_A4DC74
		mov	esi, edx
		mov	[ebp+arg_4], esi

loc_A4DC74:				; CODE XREF: KdpPrompt(x,x,x,x,x,x,x)+2Dj
		cmp	[ebp+arg_8], al
		jz	short loc_A4DCF6
		mov	[ebp+ms_exc.disabled], eax
		test	di, di
		jz	short loc_A4DC97
		movzx	eax, di
		add	eax, ebx
		mov	ecx, ds:_MmUserProbeAddress
		cmp	eax, ecx
		ja	short loc_A4DC94
		cmp	eax, ebx
		jnb	short loc_A4DC97

loc_A4DC94:				; CODE XREF: KdpPrompt(x,x,x,x,x,x,x)+4Ej
		mov	byte ptr [ecx],	0

loc_A4DC97:				; CODE XREF: KdpPrompt(x,x,x,x,x,x,x)+3Fj
					; KdpPrompt(x,x,x,x,x,x,x)+52j
		mov	eax, edx
		call	__alloca_probe_16
		mov	[ebp+ms_exc.old_esp], esp
		mov	esi, esp
		mov	[ebp+var_34], esi
		movzx	eax, di
		push	eax
		mov	edx, ebx
		mov	ecx, esi
		call	_KdpQuickMoveMemory@12 ; KdpQuickMoveMemory(x,x,x)
		mov	ebx, esi
		mov	[ebp+var_30], ebx
		push	1
		mov	esi, [ebp+arg_4]
		movzx	ecx, si
		push	ecx
		push	[ebp+arg_0]
		call	_ProbeForWrite@12 ; ProbeForWrite(x,x,x)
		mov	eax, 200h
		call	__alloca_probe_16
		mov	[ebp+ms_exc.old_esp], esp
		mov	eax, esp
		mov	[ebp+var_34], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A4DCF9
; 

loc_A4DCE4:				; DATA XREF: .text:006A8364o
		xor	eax, eax
		inc	eax
		retn
; 

loc_A4DCE8:				; DATA XREF: .text:006A8368o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_A4DD6A
; 

loc_A4DCF6:				; CODE XREF: KdpPrompt(x,x,x,x,x,x,x)+37j
		mov	eax, [ebp+arg_0]

loc_A4DCF9:				; CODE XREF: KdpPrompt(x,x,x,x,x,x,x)+A2j
		mov	[ebp+var_20], eax
		xor	eax, eax
		mov	word ptr [ebp+var_24], ax
		mov	word ptr [ebp+var_24+2], si
		mov	[ebp+var_28], ebx
		mov	word ptr [ebp+var_2C], di
		lea	eax, [ebp+var_2C]
		push	eax
		call	_KdLogDbgPrint@4 ; KdLogDbgPrint(x)
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		call	_KdEnterDebugger@8 ; KdEnterDebugger(x,x)
		mov	bl, al

loc_A4DD23:				; CODE XREF: KdpPrompt(x,x,x,x,x,x,x)+F0j
		lea	edx, [ebp+var_24]
		lea	ecx, [ebp+var_2C]
		call	_KdpPromptString@8 ; KdpPromptString(x,x)
		cmp	al, 1
		jz	short loc_A4DD23
		mov	cl, bl
		call	_KdExitDebugger@4 ; KdExitDebugger(x)
		cmp	[ebp+arg_8], 1
		jnz	short loc_A4DD66
		mov	[ebp+ms_exc.disabled], 1
		movzx	eax, word ptr [ebp+var_24]
		push	eax
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+arg_0]
		call	_KdpQuickMoveMemory@12 ; KdpQuickMoveMemory(x,x,x)
		jmp	short loc_A4DD5F
; 

loc_A4DD58:				; DATA XREF: .text:006A8370o
		xor	eax, eax
		inc	eax
		retn
; 

loc_A4DD5C:				; DATA XREF: .text:006A8374o
		mov	esp, [ebp+ms_exc.old_esp]

loc_A4DD5F:				; CODE XREF: KdpPrompt(x,x,x,x,x,x,x)+116j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A4DD66:				; CODE XREF: KdpPrompt(x,x,x,x,x,x,x)+FDj
		mov	ax, word ptr [ebp+var_24]

loc_A4DD6A:				; CODE XREF: KdpPrompt(x,x,x,x,x,x,x)+B4j
		lea	esp, [ebp-44h]
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_KdpPrompt@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSymbol(x, x, x, x, x, x,	x)
_KdpSymbol@28	proc near		; CODE XREF: KdpTrap(x,x,x,x,x,x)+83p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_7		= byte ptr  0Fh
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	[ebp+arg_4], 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		jnz	short loc_A4DDFF
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_A4DDFF
		mov	edx, [ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		call	_KdEnterDebugger@8 ; KdEnterDebugger(x,x)
		mov	edi, large fs:20h
		mov	[ebp+arg_7], al
		lea	ebx, [edi+18h]
		push	ebx
		call	_KiSaveProcessorControlState@4 ; KiSaveProcessorControlState(x)
		mov	esi, [ebp+arg_8]
		mov	ecx, [edi+4168h]
		push	esi
		mov	edx, [esi]
		call	_KdpCopyContext@12 ; KdpCopyContext(x,x,x)
		push	dword ptr [edi+4168h]
		mov	edx, [ebp+var_4]
		push	[ebp+arg_0]
		mov	ecx, [ebp+var_8]
		call	_KdpReportLoadSymbolsStateChange@16 ; KdpReportLoadSymbolsStateChange(x,x,x,x)
		mov	edx, [edi+4168h]
		mov	ecx, esi
		push	edx
		mov	edx, [edx]
		call	_KdpCopyContext@12 ; KdpCopyContext(x,x,x)
		push	ebx
		call	_KiRestoreProcessorControlState@4 ; KiRestoreProcessorControlState(x)
		mov	cl, [ebp+arg_7]
		call	_KdExitDebugger@4 ; KdExitDebugger(x)

loc_A4DDFF:				; CODE XREF: KdpSymbol(x,x,x,x,x,x,x)+14j
					; KdpSymbol(x,x,x,x,x,x,x)+1Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_KdpSymbol@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpCopyCodeStream(x, x, x, x, x)
_KdpCopyCodeStream@20 proc near		; CODE XREF: KdpAddBreakpoint(x,x,x,x,x)+BEp
					; KdpInsertBreakpoint(x,x)+2Cp	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, ecx
		push	edi
		push	0
		push	esi
		mov	edi, edx
		push	edi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_A4DE5E
		mov	ecx, esi
		mov	_KdpOweBreakpoint, 1
		and	ecx, 5
		cmp	cl, 5
		jnz	short loc_A4DE60
		push	0
		or	esi, 40h
		mov	edx, edi
		push	esi
		push	edi
		push	[ebp+arg_4]
		mov	ecx, ebx
		push	[ebp+arg_0]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A4DE60
		mov	eax, 103h
		jmp	short loc_A4DE60
; 

loc_A4DE5E:				; CODE XREF: KdpCopyCodeStream(x,x,x,x,x)+24j
		xor	eax, eax

loc_A4DE60:				; CODE XREF: KdpCopyCodeStream(x,x,x,x,x)+35j
					; KdpCopyCodeStream(x,x,x,x,x)+4Fj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_KdpCopyCodeStream@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpCopyContext(x, x, x)
_KdpCopyContext@12 proc	near		; CODE XREF: KdpSetContextEx(x,x,x)+D9p
					; KdpReport(x,x,x,x,x,x)+6Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		push	2CCh
		mov	edx, ebx
		call	_KdpQuickMoveMemory@12 ; KdpQuickMoveMemory(x,x,x)
		mov	eax, 10040h
		mov	[edi], esi
		and	esi, eax
		cmp	esi, eax
		jnz	short loc_A4DEC1
		mov	eax, [edi+2E0h]
		mov	ecx, [ebx+2E0h]
		cmp	eax, ecx
		jbe	short loc_A4DEA3
		mov	eax, ecx

loc_A4DEA3:				; CODE XREF: KdpCopyContext(x,x,x)+36j
		lea	edx, [ebx+2CCh]
		add	edx, [ebx+2DCh]
		lea	ecx, [edi+2CCh]
		add	ecx, [edi+2DCh]
		push	eax
		call	_KdpQuickMoveMemory@12 ; KdpQuickMoveMemory(x,x,x)

loc_A4DEC1:				; CODE XREF: KdpCopyContext(x,x,x)+26j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_KdpCopyContext@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpCopyMemoryChunks(x, x, x, x, x, x, x)
_KdpCopyMemoryChunks@28	proc near	; CODE XREF: KdpSetCommonState(x,x,x)+86p
					; KdpSetCommonState(x,x,x)+B8p	...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		mov	ebx, [ebp+arg_8]
		mov	eax, edx
		mov	[esp+18h+var_4], eax
		mov	[esp+18h+var_10], ecx
		push	esi
		push	edi
		cmp	ebx, 8
		jbe	short loc_A4DEEC
		push	8
		jmp	short loc_A4DEF2
; 

loc_A4DEEC:				; CODE XREF: KdpCopyMemoryChunks(x,x,x,x,x,x,x)+1Ej
		test	ebx, ebx
		jnz	short loc_A4DEF3
		push	4

loc_A4DEF2:				; CODE XREF: KdpCopyMemoryChunks(x,x,x,x,x,x,x)+22j
		pop	ebx

loc_A4DEF3:				; CODE XREF: KdpCopyMemoryChunks(x,x,x,x,x,x,x)+26j
		xor	edi, edi
		mov	esi, eax
		inc	edi
		test	eax, eax
		jz	loc_A4DF80
		mov	edx, [ebp+arg_4]
		mov	eax, [ebp+arg_0]
		mov	[esp+20h+var_C], edx
		mov	[esp+20h+var_14], eax

loc_A4DF0E:				; CODE XREF: KdpCopyMemoryChunks(x,x,x,x,x,x,x)+B2j
		cmp	edi, ebx
		jnb	short loc_A4DF44

loc_A4DF12:				; CODE XREF: KdpCopyMemoryChunks(x,x,x,x,x,x,x)+6Ej
		lea	eax, [edi+edi]
		mov	[esp+20h+var_8], eax
		cmp	eax, esi
		ja	short loc_A4DF38
		xor	eax, eax
		lea	ecx, ds:0FFFFFFFFh[edi*2]
		and	ecx, [esp+20h+var_14]
		and	eax, edx
		or	ecx, eax
		jnz	short loc_A4DF38
		mov	edi, [esp+20h+var_8]
		cmp	edi, ebx
		jb	short loc_A4DF12

loc_A4DF38:				; CODE XREF: KdpCopyMemoryChunks(x,x,x,x,x,x,x)+53j
					; KdpCopyMemoryChunks(x,x,x,x,x,x,x)+66j
		mov	eax, [esp+20h+var_14]
		mov	ecx, [esp+20h+var_10]
		jmp	short loc_A4DF44
; 

loc_A4DF42:				; CODE XREF: KdpCopyMemoryChunks(x,x,x,x,x,x,x)+7Ej
		shr	edi, 1

loc_A4DF44:				; CODE XREF: KdpCopyMemoryChunks(x,x,x,x,x,x,x)+48j
					; KdpCopyMemoryChunks(x,x,x,x,x,x,x)+78j
		cmp	edi, esi
		ja	short loc_A4DF42
		push	[ebp+arg_C]
		push	edi
		push	edx
		push	eax
		mov	edx, edi
		call	_MmDbgCopyMemory@24 ; MmDbgCopyMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A4DF7C
		mov	eax, [esp+20h+var_14]
		mov	edx, [esp+20h+var_C]
		add	eax, edi
		mov	ecx, [esp+20h+var_10]
		adc	edx, 0
		mov	[esp+20h+var_14], eax
		add	ecx, edi
		mov	[esp+20h+var_C], edx
		mov	[esp+20h+var_10], ecx
		sub	esi, edi
		jnz	short loc_A4DF0E

loc_A4DF7C:				; CODE XREF: KdpCopyMemoryChunks(x,x,x,x,x,x,x)+8Fj
		mov	eax, [esp+20h+var_4]

loc_A4DF80:				; CODE XREF: KdpCopyMemoryChunks(x,x,x,x,x,x,x)+32j
		mov	ecx, [ebp+arg_10]
		test	ecx, ecx
		jz	short loc_A4DF8B
		sub	eax, esi
		mov	[ecx], eax

loc_A4DF8B:				; CODE XREF: KdpCopyMemoryChunks(x,x,x,x,x,x,x)+BDj
		neg	esi
		pop	edi
		sbb	esi, esi
		and	esi, 0C0000001h
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_KdpCopyMemoryChunks@28	endp


;  S U B	R O U T	I N E 


; __stdcall KdpGetExtendedContextLength(x, x)
_KdpGetExtendedContextLength@8 proc near ; CODE	XREF: KdpGetContext(x,x,x)+4Cp
		mov	edi, edi
		push	esi
		mov	esi, 10040h
		mov	eax, 2E4h
		and	ecx, esi
		cmp	ecx, esi
		pop	esi
		jnz	short loc_A4DFBE
		mov	eax, ds:0FFDF03E8h
		add	eax, 120h

loc_A4DFBE:				; CODE XREF: KdpGetExtendedContextLength(x,x)+12j
		add	eax, 3
		mov	[edx], eax
		retn
_KdpGetExtendedContextLength@8 endp


;  S U B	R O U T	I N E 


; __stdcall KdpInitializeExtendedContext(x, x)
_KdpInitializeExtendedContext@8	proc near ; CODE XREF: KdpGetContext(x,x,x)+60p
		mov	edi, edi
		push	edi
		lea	edi, [ecx+2CCh]
		mov	[ecx], edx
		mov	eax, edi
		sub	eax, ecx
		mov	ecx, eax
		mov	[edi+0Ch], eax
		add	eax, 18h
		neg	ecx
		mov	[edi+4], eax
		mov	eax, 10040h
		and	edx, eax
		mov	[edi+8], ecx
		mov	[edi], ecx
		cmp	edx, eax
		jnz	short loc_A4E01E
		push	esi
		push	40h		; size_t
		lea	esi, [edi+57h]
		and	esi, 0FFFFFFC0h
		push	0		; int
		push	esi		; void *
		call	_memset
		sub	esi, edi
		add	esp, 0Ch
		mov	[edi+10h], esi
		mov	eax, ds:0FFDF03E8h
		add	eax, 0FFFFFE00h
		mov	[edi+14h], eax
		sub	eax, [edi]
		add	eax, esi
		mov	[edi+4], eax
		pop	esi

loc_A4E01E:				; CODE XREF: KdpInitializeExtendedContext(x,x)+2Aj
		pop	edi
		retn
_KdpInitializeExtendedContext@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpQuickMoveMemory(x, x, x)
_KdpQuickMoveMemory@12 proc near	; CODE XREF: KdpGetContextEx(x,x,x)+5Dp
					; KdpSetContextEx(x,x,x)+91p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		test	esi, esi
		jz	short loc_A4E03A
		sub	ecx, edx

loc_A4E02F:				; CODE XREF: KdpQuickMoveMemory(x,x,x)+18j
		mov	al, [edx]
		mov	[ecx+edx], al
		inc	edx
		sub	esi, 1
		jnz	short loc_A4E02F

loc_A4E03A:				; CODE XREF: KdpQuickMoveMemory(x,x,x)+Bj
		pop	esi
		pop	ebp
		retn	4
_KdpQuickMoveMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSanitizeContextFlags(x, x, x)
_KdpSanitizeContextFlags@12 proc near	; CODE XREF: KdpSetContextEx(x,x,x)+CDp
					; KdpSetContext(x,x,x)+67p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [ecx]
		push	edi
		mov	edi, esi
		mov	[ebp+var_4], edx
		and	edi, 1003Fh
		mov	edx, 10040h
		mov	[eax], edi
		mov	eax, large fs:20h
		mov	eax, [eax+416Ch]
		and	eax, esi
		and	eax, edx
		cmp	eax, edx
		jnz	short loc_A4E0D4
		mov	edx, [ecx+2CCh]
		cmp	edx, 0FFFFFFE8h
		jl	short loc_A4E0D4
		mov	eax, [ebp+var_4]
		push	ebx
		mov	ebx, [ecx+2D0h]
		add	eax, 0FFFFFFD0h
		add	ebx, edx
		cmp	ebx, eax
		jg	short loc_A4E0D3
		cmp	edx, ebx
		jg	short loc_A4E0D3
		mov	esi, [ecx+2D4h]
		cmp	edx, esi
		jg	short loc_A4E0D3
		mov	eax, [ecx+2D8h]
		add	eax, esi
		cmp	eax, ebx
		jg	short loc_A4E0D3
		cmp	esi, eax
		jg	short loc_A4E0D3
		mov	esi, [ecx+2DCh]
		cmp	edx, esi
		jg	short loc_A4E0D3
		mov	eax, [ecx+2E0h]
		add	eax, esi
		cmp	eax, ebx
		jg	short loc_A4E0D3
		cmp	esi, eax
		jg	short loc_A4E0D3
		mov	eax, [ebp+arg_0]
		or	edi, 10040h
		mov	[eax], edi

loc_A4E0D3:				; CODE XREF: KdpSanitizeContextFlags(x,x,x)+4Fj
					; KdpSanitizeContextFlags(x,x,x)+53j ...
		pop	ebx

loc_A4E0D4:				; CODE XREF: KdpSanitizeContextFlags(x,x,x)+31j
					; KdpSanitizeContextFlags(x,x,x)+3Cj
		pop	edi
		pop	esi
		leave
		retn	4
_KdpSanitizeContextFlags@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpAddBreakpoint(x,	x, x, x, x)
_KdpAddBreakpoint@20 proc near		; CODE XREF: KdpWriteCustomBreakpoint(x,x,x)+29p
					; KdSetInternalBreakpoint(x)+101p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		and	[esp+14h+var_8], 0
		and	[esp+14h+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	bl, dl
		mov	edi, ecx
		movzx	ecx, bl
		mov	[esp+20h+var_10], edi
		mov	[esp+20h+var_C], ecx
		lea	eax, [ecx-1]
		test	eax, ecx
		jnz	loc_A4E21B
		mov	bh, [ebp+arg_8]
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		cmp	edi, ds:_MmSystemRangeStart
		jb	short loc_A4E142
		cmp	ecx, 0CCh
		jnz	loc_A4E21B
		test	eax, eax
		jnz	loc_A4E21B
		cmp	bl, 1
		jnz	loc_A4E21B
		test	bh, bh
		jnz	loc_A4E21B

loc_A4E142:				; CODE XREF: KdpAddBreakpoint(x,x,x,x,x)+41j
		inc	ds:_KdpBreakpointChangeCount
		xor	esi, esi
		xor	edx, edx
		mov	ecx, offset _KdpBreakpointTable

loc_A4E151:				; CODE XREF: KdpAddBreakpoint(x,x,x,x,x)+93j
		mov	eax, [ecx+18h]
		test	al, 1
		jz	short loc_A4E15C
		cmp	[ecx], edi
		jz	short loc_A4E1D4

loc_A4E15C:				; CODE XREF: KdpAddBreakpoint(x,x,x,x,x)+7Cj
		test	esi, esi
		jnz	short loc_A4E166
		test	eax, eax
		jnz	short loc_A4E166
		mov	esi, ecx

loc_A4E166:				; CODE XREF: KdpAddBreakpoint(x,x,x,x,x)+84j
					; KdpAddBreakpoint(x,x,x,x,x)+88j
		inc	edx
		add	ecx, 20h
		cmp	edx, 20h
		jb	short loc_A4E151
		test	esi, esi
		jz	loc_A4E21B
		mov	edx, [esp+20h+var_C]
		lea	ecx, [esp+20h+var_8]
		push	4
		movzx	eax, bh
		mov	edi, esi
		not	eax
		sub	edi, offset _KdpBreakpointTable
		and	eax, [esp+24h+var_10]
		push	0
		push	eax
		sar	edi, 5
		call	_KdpCopyCodeStream@20 ;	KdpCopyCodeStream(x,x,x,x,x)
		mov	ecx, [esp+20h+var_10]
		mov	[esi], ecx
		mov	ecx, [ebp+arg_0]
		mov	[esi+1Ch], bl
		mov	[esi+1Dh], bh
		mov	[esi+8], ecx
		mov	ecx, [ebp+arg_4]
		mov	[esi+0Ch], ecx
		test	eax, eax
		jns	short loc_A4E1E3
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		mov	[esi+4], eax
		mov	dword ptr [esi+18h], 3

loc_A4E1CF:				; CODE XREF: KdpAddBreakpoint(x,x,x,x,x)+14Fj
		lea	eax, [edi+1]
		jmp	short loc_A4E21D
; 

loc_A4E1D4:				; CODE XREF: KdpAddBreakpoint(x,x,x,x,x)+80j
		test	al, 8
		jz	short loc_A4E21B
		and	eax, 0FFFFFFF7h
		mov	[ecx+18h], eax
		lea	eax, [edx+1]
		jmp	short loc_A4E21D
; 

loc_A4E1E3:				; CODE XREF: KdpAddBreakpoint(x,x,x,x,x)+DDj
		mov	eax, [esp+20h+var_8]
		lea	edx, [esp+20h+var_8]
		mov	[esi+10h], eax
		mov	ecx, esi
		mov	eax, [esp+20h+var_4]
		mov	[esi+14h], eax
		mov	eax, large fs:124h
		mov	bl, _KdpOweBreakpoint
		mov	eax, [eax+80h]
		mov	[esi+4], eax
		call	_KdpInsertBreakpoint@8 ; KdpInsertBreakpoint(x,x)
		test	eax, eax
		jnz	short loc_A4E226
		mov	_KdpOweBreakpoint, bl

loc_A4E21B:				; CODE XREF: KdpAddBreakpoint(x,x,x,x,x)+2Cj
					; KdpAddBreakpoint(x,x,x,x,x)+49j ...
		xor	eax, eax

loc_A4E21D:				; CODE XREF: KdpAddBreakpoint(x,x,x,x,x)+F8j
					; KdpAddBreakpoint(x,x,x,x,x)+107j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
; 

loc_A4E226:				; CODE XREF: KdpAddBreakpoint(x,x,x,x,x)+139j
		mov	[esi+18h], eax
		jmp	short loc_A4E1CF
_KdpAddBreakpoint@20 endp


;  S U B	R O U T	I N E 


; __stdcall KdpDeleteBreakpoint(x)
_KdpDeleteBreakpoint@4 proc near	; CODE XREF: KdSetInternalBreakpoint(x)+E7p
					; KdpCheckTracePoint(x,x)+F2p ...
		mov	edi, edi
		push	esi
		test	ecx, ecx
		jz	short loc_A4E273
		cmp	ecx, 20h
		ja	short loc_A4E273
		lea	esi, [ecx-1]
		shl	esi, 5
		mov	eax, ds:dword_AA4A60[esi]
		test	eax, eax
		jz	short loc_A4E273
		and	al, 0Ch
		cmp	al, 4
		jnz	short loc_A4E25E
		and	ds:dword_AA4A60[esi], 0
		inc	ds:_KdpBreakpointChangeCount

loc_A4E25A:				; CODE XREF: KdpDeleteBreakpoint(x)+3Dj
					; KdpDeleteBreakpoint(x)+46j
		mov	al, 1
		pop	esi
		retn
; 

loc_A4E25E:				; CODE XREF: KdpDeleteBreakpoint(x)+20j
		lea	ecx, [ecx-1]
		call	_KdpLowWriteContent@4 ;	KdpLowWriteContent(x)
		test	al, al
		jz	short loc_A4E25A
		and	ds:dword_AA4A60[esi], 0
		jmp	short loc_A4E25A
; 

loc_A4E273:				; CODE XREF: KdpDeleteBreakpoint(x)+5j
					; KdpDeleteBreakpoint(x)+Aj ...
		xor	al, al
		pop	esi
		retn
_KdpDeleteBreakpoint@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpDeleteBreakpointRange(x,	x)
_KdpDeleteBreakpointRange@8 proc near	; CODE XREF: KdpSetCommonState(x,x,x)+9Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		push	edi
		mov	[ebp+var_8], ecx
		mov	edi, ebx
		mov	esi, offset _KdpBreakpointTable

loc_A4E290:				; CODE XREF: KdpDeleteBreakpointRange(x,x)+44j
		test	byte ptr [esi+18h], 1
		jz	short loc_A4E2B4
		mov	eax, [esi]
		cmp	eax, ecx
		jb	short loc_A4E2B4
		cmp	eax, edx
		ja	short loc_A4E2B4
		lea	ecx, [edi+1]
		call	_KdpDeleteBreakpoint@4 ; KdpDeleteBreakpoint(x)
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		test	al, al
		jz	short loc_A4E2B4
		mov	bl, 1

loc_A4E2B4:				; CODE XREF: KdpDeleteBreakpointRange(x,x)+1Dj
					; KdpDeleteBreakpointRange(x,x)+23j ...
		inc	edi
		add	esi, 20h
		cmp	edi, 20h
		jb	short loc_A4E290
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_KdpDeleteBreakpointRange@8 endp


;  S U B	R O U T	I N E 


; __stdcall KdpInsertBreakpoint(x, x)
_KdpInsertBreakpoint@8 proc near	; CODE XREF: KdpAddBreakpoint(x,x,x,x,x)+132p
					; KdpLowRestoreBreakpoint(x)+6Fp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	ecx, ebx
		push	dword ptr [edi+0Ch]
		mov	dl, [edi+1Ch]
		push	dword ptr [edi+8]
		mov	esi, [edi]
		call	_KdpWriteInstructionBuffer@16 ;	KdpWriteInstructionBuffer(x,x,x,x)
		movzx	eax, byte ptr [edi+1Dh]
		movzx	edx, byte ptr [edi+1Ch]
		not	eax
		push	5
		and	eax, esi
		push	0
		push	eax
		call	_KdpCopyCodeStream@20 ;	KdpCopyCodeStream(x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		test	eax, eax
		jns	short loc_A4E2FF
		xor	eax, eax
		retn
; 

loc_A4E2FF:				; CODE XREF: KdpInsertBreakpoint(x,x)+36j
		cmp	eax, 103h
		jnz	short loc_A4E30B
		push	2
		pop	eax
		jmp	short loc_A4E30D
; 

loc_A4E30B:				; CODE XREF: KdpInsertBreakpoint(x,x)+40j
		xor	eax, eax

loc_A4E30D:				; CODE XREF: KdpInsertBreakpoint(x,x)+45j
		or	eax, 1
		retn
_KdpInsertBreakpoint@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpLowRestoreBreakpoint(x)
_KdpLowRestoreBreakpoint@4 proc	near	; CODE XREF: KdpRestoreAllBreakpoints()+23p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		inc	ds:_KdpBreakpointChangeCount
		push	esi
		mov	esi, ecx
		shl	esi, 5
		add	esi, offset _KdpBreakpointTable
		mov	ecx, [esi+18h]
		test	cl, 8
		jz	short loc_A4E342
		and	ecx, 0FFFFFFF7h
		mov	[esi+18h], ecx
		jmp	short loc_A4E3A2
; 

loc_A4E342:				; CODE XREF: KdpLowRestoreBreakpoint(x)+27j
		test	cl, 10h
		jnz	short loc_A4E356
		lea	edx, [esi+10h]
		mov	ecx, esi
		call	_KdpIsBreakpoint@8 ; KdpIsBreakpoint(x,x)
		cmp	eax, 1
		jz	short loc_A4E3A2

loc_A4E356:				; CODE XREF: KdpLowRestoreBreakpoint(x)+34j
		movzx	eax, byte ptr [esi+1Dh]
		lea	ecx, [ebp+var_8]
		movzx	edx, byte ptr [esi+1Ch]
		not	eax
		and	eax, [esi]
		push	4
		push	0
		push	eax
		call	_KdpCopyCodeStream@20 ;	KdpCopyCodeStream(x,x,x,x,x)
		test	eax, eax
		jns	short loc_A4E37B
		or	dword ptr [esi+18h], 2

loc_A4E377:				; CODE XREF: KdpLowRestoreBreakpoint(x)+83j
		xor	al, al
		jmp	short loc_A4E3A4
; 

loc_A4E37B:				; CODE XREF: KdpLowRestoreBreakpoint(x)+60j
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	_KdpInsertBreakpoint@8 ; KdpInsertBreakpoint(x,x)
		mov	ecx, [esi+18h]
		mov	edx, eax
		test	edx, edx
		jnz	short loc_A4E396
		or	ecx, 2
		mov	[esi+18h], ecx
		jmp	short loc_A4E377
; 

loc_A4E396:				; CODE XREF: KdpLowRestoreBreakpoint(x)+7Bj
		mov	eax, ecx
		xor	eax, edx
		and	eax, 2
		xor	eax, ecx
		mov	[esi+18h], eax

loc_A4E3A2:				; CODE XREF: KdpLowRestoreBreakpoint(x)+2Fj
					; KdpLowRestoreBreakpoint(x)+43j
		mov	al, 1

loc_A4E3A4:				; CODE XREF: KdpLowRestoreBreakpoint(x)+68j
		pop	esi
		leave
		retn
_KdpLowRestoreBreakpoint@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpLowWriteContent(x)
_KdpLowWriteContent@4 proc near		; CODE XREF: KdpDeleteBreakpoint(x)+36p
					; KdpSuspendBreakpoint(x)+21j

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		inc	ds:_KdpBreakpointChangeCount
		push	esi
		mov	esi, ecx
		shl	esi, 5
		add	esi, offset _KdpBreakpointTable
		mov	ecx, [esi+18h]
		test	cl, 2
		jz	short loc_A4E3DA
		and	ecx, 0FFFFFFFDh
		mov	[esi+18h], ecx

loc_A4E3D6:				; CODE XREF: KdpLowWriteContent(x)+45j
		mov	al, 1
		jmp	short loc_A4E44D
; 

loc_A4E3DA:				; CODE XREF: KdpLowWriteContent(x)+27j
		test	cl, 10h
		jnz	short loc_A4E3EE
		lea	edx, [esi+10h]
		mov	ecx, esi
		call	_KdpIsBreakpoint@8 ; KdpIsBreakpoint(x,x)
		cmp	eax, 1
		jz	short loc_A4E3D6

loc_A4E3EE:				; CODE XREF: KdpLowWriteContent(x)+36j
		movzx	eax, byte ptr [esi+1Dh]
		lea	ecx, [ebp+var_8]
		movzx	edx, byte ptr [esi+1Ch]
		not	eax
		and	eax, [esi]
		push	4
		push	0
		push	eax
		call	_KdpCopyCodeStream@20 ;	KdpCopyCodeStream(x,x,x,x,x)
		test	eax, eax
		jns	short loc_A4E413

loc_A4E40B:				; CODE XREF: KdpLowWriteContent(x)+81j
		or	dword ptr [esi+18h], 8

loc_A4E40F:				; CODE XREF: KdpLowWriteContent(x)+9Aj
		xor	al, al
		jmp	short loc_A4E44D
; 

loc_A4E413:				; CODE XREF: KdpLowWriteContent(x)+62j
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	_KdpIsBreakpoint@8 ; KdpIsBreakpoint(x,x)
		test	eax, eax
		jnz	short loc_A4E42A
		mov	_KdpOweBreakpoint, 1
		jmp	short loc_A4E40B
; 

loc_A4E42A:				; CODE XREF: KdpLowWriteContent(x)+78j
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	_KdpRemoveBreakpoint@8 ; KdpRemoveBreakpoint(x,x)
		mov	ecx, [esi+18h]
		test	eax, eax
		jnz	short loc_A4E443
		or	ecx, 8
		mov	[esi+18h], ecx
		jmp	short loc_A4E40F
; 

loc_A4E443:				; CODE XREF: KdpLowWriteContent(x)+92j
		shr	ecx, 3
		not	cl
		and	cl, 1
		mov	al, cl

loc_A4E44D:				; CODE XREF: KdpLowWriteContent(x)+31j
					; KdpLowWriteContent(x)+6Aj
		pop	esi
		leave
		retn
_KdpLowWriteContent@4 endp


;  S U B	R O U T	I N E 


; __stdcall KdpRemoveBreakpoint(x, x)
_KdpRemoveBreakpoint@8 proc near	; CODE XREF: KdpLowWriteContent(x)+88p
					; KdpSetOwedBreakpoints(x):loc_A4E5F9p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		push	dword ptr [ebx+14h]
		mov	dl, [ebx+1Ch]
		mov	ecx, edi
		push	dword ptr [ebx+10h]
		mov	esi, [ebx]
		call	_KdpWriteInstructionBuffer@16 ;	KdpWriteInstructionBuffer(x,x,x,x)
		movzx	eax, byte ptr [ebx+1Dh]
		movzx	edx, byte ptr [ebx+1Ch]
		not	eax
		push	5
		and	eax, esi
		push	0
		push	eax
		call	_KdpCopyCodeStream@20 ;	KdpCopyCodeStream(x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jns	short loc_A4E48B
		xor	eax, eax
		jmp	short loc_A4E4AD
; 

loc_A4E48B:				; CODE XREF: KdpRemoveBreakpoint(x,x)+35j
		mov	eax, [ebx+18h]
		test	al, 4
		jz	short loc_A4E497
		or	eax, 5
		jmp	short loc_A4E499
; 

loc_A4E497:				; CODE XREF: KdpRemoveBreakpoint(x,x)+40j
		xor	eax, eax

loc_A4E499:				; CODE XREF: KdpRemoveBreakpoint(x,x)+45j
		mov	[ebx+18h], eax
		cmp	ecx, 103h
		jnz	short loc_A4E4AA
		or	eax, 9
		mov	[ebx+18h], eax

loc_A4E4AA:				; CODE XREF: KdpRemoveBreakpoint(x,x)+52j
		xor	eax, eax
		inc	eax

loc_A4E4AD:				; CODE XREF: KdpRemoveBreakpoint(x,x)+39j
		pop	edi
		pop	esi
		pop	ebx
		retn
_KdpRemoveBreakpoint@8 endp


;  S U B	R O U T	I N E 


; __stdcall KdpRestoreAllBreakpoints()
_KdpRestoreAllBreakpoints@0 proc near	; CODE XREF: KdEnableDebuggerWithLock(x)+D1p
					; KdEnableDebuggerWithLock(x)+E5p ...
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	ds:_BreakpointsSuspended, bl
		mov	esi, offset dword_AA4A60

loc_A4E4C2:				; CODE XREF: KdpRestoreAllBreakpoints()+2Fj
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, 5
		cmp	al, 5
		jnz	short loc_A4E4D9
		and	ecx, 0FFFFFFFBh
		mov	[esi], ecx
		mov	ecx, ebx
		call	_KdpLowRestoreBreakpoint@4 ; KdpLowRestoreBreakpoint(x)

loc_A4E4D9:				; CODE XREF: KdpRestoreAllBreakpoints()+1Aj
		inc	ebx
		add	esi, 20h
		cmp	ebx, 20h
		jb	short loc_A4E4C2
		pop	esi
		pop	ebx
		retn
_KdpRestoreAllBreakpoints@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSetOwedBreakpoints(x)
_KdpSetOwedBreakpoints@4 proc near	; CODE XREF: KdSetOwedBreakpoints(x)+1Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_C], 0
		mov	edx, ecx
		and	[ebp+var_8], 0
		cmp	_KdpOweBreakpoint, 0
		jz	locret_A4E613
		push	ebx
		mov	ebx, ds:_KdpBreakpointChangeCount
		and	edx, 0FFFFF000h
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	ecx, [eax+80h]
		mov	eax, offset unk_AA4A4C
		mov	[ebp+var_4], ecx

loc_A4E527:				; CODE XREF: KdpSetOwedBreakpoints(x)+8Aj
		test	byte ptr [eax+14h], 0Ah
		jz	short loc_A4E567
		mov	esi, [eax-4]
		cmp	esi, ds:_MmSystemRangeStart
		jnb	short loc_A4E53C
		cmp	[eax], ecx
		jnz	short loc_A4E567

loc_A4E53C:				; CODE XREF: KdpSetOwedBreakpoints(x)+51j
		movzx	ecx, byte ptr [eax+19h]
		lea	edi, [edx+1000h]
		not	ecx
		and	ecx, esi
		cmp	ecx, edx
		jb	short loc_A4E552
		cmp	ecx, edi
		jb	short loc_A4E57D

loc_A4E552:				; CODE XREF: KdpSetOwedBreakpoints(x)+67j
		movzx	esi, byte ptr [eax+18h]
		add	esi, ecx
		cmp	esi, ecx
		jb	short loc_A4E564
		cmp	esi, edx
		jbe	short loc_A4E564
		cmp	esi, edi
		jbe	short loc_A4E57D

loc_A4E564:				; CODE XREF: KdpSetOwedBreakpoints(x)+75j
					; KdpSetOwedBreakpoints(x)+79j
		mov	ecx, [ebp+var_4]

loc_A4E567:				; CODE XREF: KdpSetOwedBreakpoints(x)+46j
					; KdpSetOwedBreakpoints(x)+55j
		add	eax, 20h
		cmp	eax, offset unk_AA4E4C
		jl	short loc_A4E527
		cmp	ebx, ds:_KdpBreakpointChangeCount
		jz	loc_A4E610

loc_A4E57D:				; CODE XREF: KdpSetOwedBreakpoints(x)+6Bj
					; KdpSetOwedBreakpoints(x)+7Dj
		xor	edx, edx
		xor	ecx, ecx
		call	_KdEnterDebugger@8 ; KdEnterDebugger(x,x)
		mov	bl, al
		mov	_KdpOweBreakpoint, 0
		mov	esi, offset unk_AA4A65

loc_A4E594:				; CODE XREF: KdpSetOwedBreakpoints(x)+122j
		test	byte ptr [esi-5], 0Ah
		jz	short loc_A4E5FE
		lea	edi, [esi-1Dh]
		mov	ecx, [edi]
		cmp	ecx, ds:_MmSystemRangeStart
		jnb	short loc_A4E5B8
		mov	eax, [ebp+var_4]
		cmp	[esi-19h], eax
		jz	short loc_A4E5B8
		mov	_KdpOweBreakpoint, 1
		jmp	short loc_A4E5FE
; 

loc_A4E5B8:				; CODE XREF: KdpSetOwedBreakpoints(x)+C0j
					; KdpSetOwedBreakpoints(x)+C8j
		movzx	eax, byte ptr [esi]
		movzx	edx, byte ptr [esi-1]
		not	eax
		push	4
		and	eax, ecx
		lea	ecx, [ebp+var_C]
		push	0
		push	eax
		call	_KdpCopyCodeStream@20 ;	KdpCopyCodeStream(x,x,x,x,x)
		test	eax, eax
		js	short loc_A4E5FE
		test	byte ptr [esi-5], 2
		lea	edx, [ebp+var_C]
		mov	ecx, edi
		jz	short loc_A4E5F9
		mov	eax, [ebp+var_C]
		mov	[esi-0Dh], eax
		mov	eax, [ebp+var_8]
		mov	[esi-9], eax
		call	_KdpInsertBreakpoint@8 ; KdpInsertBreakpoint(x,x)
		test	eax, eax
		jz	short loc_A4E5FE
		mov	[esi-5], eax
		jmp	short loc_A4E5FE
; 

loc_A4E5F9:				; CODE XREF: KdpSetOwedBreakpoints(x)+F8j
		call	_KdpRemoveBreakpoint@8 ; KdpRemoveBreakpoint(x,x)

loc_A4E5FE:				; CODE XREF: KdpSetOwedBreakpoints(x)+B3j
					; KdpSetOwedBreakpoints(x)+D1j	...
		add	esi, 20h
		cmp	esi, offset unk_AA4E65
		jl	short loc_A4E594
		mov	cl, bl
		call	_KdExitDebugger@4 ; KdExitDebugger(x)

loc_A4E610:				; CODE XREF: KdpSetOwedBreakpoints(x)+92j
		pop	edi
		pop	esi
		pop	ebx

locret_A4E613:				; CODE XREF: KdpSetOwedBreakpoints(x)+19j
		leave
		retn
_KdpSetOwedBreakpoints@4 endp


;  S U B	R O U T	I N E 


; __stdcall KdpSuspendAllBreakpoints()
_KdpSuspendAllBreakpoints@0 proc near	; CODE XREF: KdDisableDebuggerWithLock(x)+87p
					; KdpCheckTracePoint(x,x)+2DFp
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		inc	ebx
		mov	ds:_BreakpointsSuspended, bl

loc_A4E621:				; CODE XREF: KdpSuspendAllBreakpoints()+17j
		mov	ecx, ebx
		call	_KdpSuspendBreakpoint@4	; KdpSuspendBreakpoint(x)
		inc	ebx
		cmp	ebx, 20h
		jbe	short loc_A4E621
		pop	ebx
		retn
_KdpSuspendAllBreakpoints@0 endp


;  S U B	R O U T	I N E 


; __stdcall KdpSuspendBreakpoint(x)
_KdpSuspendBreakpoint@4	proc near	; CODE XREF: KdSetInternalBreakpoint(x)+115p
					; KdpSuspendAllBreakpoints()+Ep
		mov	edi, edi
		dec	ecx
		push	esi
		mov	esi, ecx
		shl	esi, 5
		mov	edx, ds:dword_AA4A60[esi]
		mov	eax, edx
		and	al, 5
		cmp	al, 1
		jnz	short loc_A4E656
		or	edx, 4
		mov	ds:dword_AA4A60[esi], edx
		pop	esi
		jmp	_KdpLowWriteContent@4 ;	KdpLowWriteContent(x)
; 

loc_A4E656:				; CODE XREF: KdpSuspendBreakpoint(x)+15j
		pop	esi
		retn
_KdpSuspendBreakpoint@4	endp


;  S U B	R O U T	I N E 


; __stdcall KdpAllowDisable()
_KdpAllowDisable@0 proc	near		; CODE XREF: KdDisableDebuggerWithLock(x)+57p
		xor	ecx, ecx
		cmp	ds:_KeNumberProcessors,	ecx
		jbe	short loc_A4E67B

loc_A4E662:				; CODE XREF: KdpAllowDisable()+21j
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		cmp	byte ptr [eax+308h], 0
		jnz	short loc_A4E67E
		inc	ecx
		cmp	ecx, ds:_KeNumberProcessors
		jb	short loc_A4E662

loc_A4E67B:				; CODE XREF: KdpAllowDisable()+8j
		xor	eax, eax
		retn
; 

loc_A4E67E:				; CODE XREF: KdpAllowDisable()+18j
		mov	eax, 0C0000022h
		retn
_KdpAllowDisable@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpGetCallNextOffset(x, x)
_KdpGetCallNextOffset@8	proc near	; CODE XREF: KdpCheckTracePoint(x,x)+1CBp
					; KdpCheckTracePoint(x,x)+437p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	esi, ecx
		push	ebx
		push	4
		push	ebx
		push	ebx
		push	esi
		push	2
		mov	edi, edx
		lea	ecx, [ebp+var_4]
		pop	edx
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A4E709
		mov	ax, word ptr [ebp+var_4]
		cmp	al, 0E8h
		jnz	short loc_A4E6B5
		lea	eax, [esi+5]
		jmp	short loc_A4E70B
; 

loc_A4E6B5:				; CODE XREF: KdpGetCallNextOffset(x,x)+2Aj
		cmp	al, 9Ah
		jnz	short loc_A4E6BE
		lea	eax, [esi+7]
		jmp	short loc_A4E70B
; 

loc_A4E6BE:				; CODE XREF: KdpGetCallNextOffset(x,x)+33j
		cmp	al, 0FFh
		jnz	short loc_A4E709
		cmp	ah, 25h
		jnz	short loc_A4E6D0
		mov	ecx, edi
		call	_KdpGetReturnAddress@4 ; KdpGetReturnAddress(x)
		jmp	short loc_A4E70B
; 

loc_A4E6D0:				; CODE XREF: KdpGetCallNextOffset(x,x)+41j
		movzx	ecx, ah
		mov	dl, ah
		shr	ecx, 6
		and	dl, 7
		mov	eax, ecx
		sub	eax, ebx
		jz	short loc_A4E6F0
		dec	eax
		sub	eax, 1
		jz	short loc_A4E6F5
		sub	eax, 1
		jnz	short loc_A4E6F8
		mov	ecx, ebx
		jmp	short loc_A4E6F8
; 

loc_A4E6F0:				; CODE XREF: KdpGetCallNextOffset(x,x)+5Bj
		cmp	dl, 5
		jnz	short loc_A4E6F8

loc_A4E6F5:				; CODE XREF: KdpGetCallNextOffset(x,x)+61j
		push	4
		pop	ecx

loc_A4E6F8:				; CODE XREF: KdpGetCallNextOffset(x,x)+66j
					; KdpGetCallNextOffset(x,x)+6Aj ...
		xor	eax, eax
		cmp	dl, 4
		setz	al
		add	eax, 2
		add	eax, ecx
		add	eax, esi
		jmp	short loc_A4E70B
; 

loc_A4E709:				; CODE XREF: KdpGetCallNextOffset(x,x)+22j
					; KdpGetCallNextOffset(x,x)+3Cj
		xor	eax, eax

loc_A4E70B:				; CODE XREF: KdpGetCallNextOffset(x,x)+2Fj
					; KdpGetCallNextOffset(x,x)+38j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KdpGetCallNextOffset@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpGetReturnAddress(x)
_KdpGetReturnAddress@4 proc near	; CODE XREF: KdpCheckTracePoint(x,x)+2FDp
					; KdpGetCallNextOffset(x,x)+45p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		xor	esi, esi
		push	esi
		push	4
		pop	edx
		push	edx
		push	esi
		push	esi
		push	dword ptr [ecx+0C4h]
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], esi
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A4E738
		mov	esi, [ebp+var_4]

loc_A4E738:				; CODE XREF: KdpGetReturnAddress(x)+23j
		mov	eax, esi
		pop	esi
		leave
		retn
_KdpGetReturnAddress@4 endp


;  S U B	R O U T	I N E 


; __stdcall KdpGetStateChange(x, x)
_KdpGetStateChange@8 proc near		; CODE XREF: KdpSendWaitContinue(x,x,x,x)+3C1p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+10h], 0
		jl	short loc_A4E7A5
		cmp	dword ptr [esi+14h], 1
		mov	eax, [edx+0C0h]
		jnz	short loc_A4E75B
		or	eax, 100h
		jmp	short loc_A4E760
; 

loc_A4E75B:				; CODE XREF: KdpGetStateChange(x,x)+15j
		and	eax, 0FFFFFEFFh

loc_A4E760:				; CODE XREF: KdpGetStateChange(x,x)+1Cj
		mov	[edx+0C0h], eax
		xor	edx, edx
		cmp	ds:_KeNumberProcessors,	edx
		jbe	short loc_A4E790

loc_A4E770:				; CODE XREF: KdpGetStateChange(x,x)+51j
		mov	ecx, ds:_KiProcessorBlock[edx*4]
		mov	eax, [esi+18h]
		and	dword ptr [ecx+304h], 0
		inc	edx
		mov	[ecx+308h], eax
		cmp	edx, ds:_KeNumberProcessors
		jb	short loc_A4E770

loc_A4E790:				; CODE XREF: KdpGetStateChange(x,x)+31j
		mov	eax, [esi+1Ch]
		cmp	eax, 1
		jz	short loc_A4E7A5
		mov	ds:_KdpCurrentSymbolStart, eax
		mov	eax, [esi+20h]
		mov	ds:_KdpCurrentSymbolEnd, eax

loc_A4E7A5:				; CODE XREF: KdpGetStateChange(x,x)+9j
					; KdpGetStateChange(x,x)+59j
		pop	esi
		retn
_KdpGetStateChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpIsSpecialCall(x,	x, x, x)
_KdpIsSpecialCall@16 proc near		; CODE XREF: KdpLevelChange(x,x,x)+84p
					; KdpLevelChange(x,x,x)+F7p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= dword	ptr -2
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	al, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	byte ptr [ebp+var_2+1],	bl
		mov	[ebp+var_14], ebx
		mov	[ebp+var_8], ebx
		mov	byte ptr [ebp+var_2], bl
		mov	[ebp+var_10], ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_C], esi
		push	edi
		mov	edi, ecx
		cmp	al, 0E8h
		jnz	short loc_A4E7FA
		push	ebx
		push	4
		push	ebx
		push	ebx
		lea	eax, [edi+1]
		push	eax
		push	4
		pop	edx
		lea	ecx, [ebp+var_8]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_A4E9B1
		mov	ecx, [ebp+var_8]
		add	ecx, 5

loc_A4E7F3:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+18Dj
		add	ecx, edi
		jmp	loc_A4E9B4
; 

loc_A4E7FA:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+28j
		cmp	al, 0FFh
		jnz	loc_A4E993
		mov	cl, [ebp+arg_4]
		mov	al, cl
		and	al, 38h
		cmp	al, 10h
		jz	short loc_A4E815
		cmp	al, 20h
		jnz	loc_A4E9CB

loc_A4E815:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+64j
		test	cl, 8
		jnz	loc_A4E9CB
		mov	al, cl
		and	al, 0C0h
		cmp	al, 0C0h
		jnz	short loc_A4E835
		and	cl, 7
		call	_regValue@8	; regValue(x,x)
		mov	ecx, eax
		jmp	loc_A4E9B4
; 

loc_A4E835:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+7Dj
		mov	al, cl
		and	al, 0C7h
		cmp	al, 5
		jnz	short loc_A4E87B
		push	ebx
		push	4
		push	ebx
		push	ebx
		lea	eax, [edi+2]
		push	eax
		push	4
		pop	edx
		lea	ecx, [ebp+var_14]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_A4E9B1
		push	ebx
		push	4
		push	ebx
		push	ebx
		push	[ebp+var_14]
		lea	ecx, [ebp+var_10]
		push	4
		pop	edx
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		test	eax, eax
		jns	loc_A4E9B1
		mov	ecx, ebx
		jmp	loc_A4E9B4
; 

loc_A4E87B:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+94j
		mov	al, cl
		and	al, 7
		cmp	al, 4
		jnz	loc_A4E9CB
		push	ebx
		push	4
		push	ebx
		lea	eax, [edi+2]
		xor	edx, edx
		push	ebx
		push	eax
		inc	edx
		lea	ecx, [ebp+var_2+1]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		test	eax, eax
		mov	edx, esi
		sets	ch
		dec	ch
		and	ch, byte ptr [ebp+var_2+1]
		mov	cl, ch
		mov	byte ptr [ebp+var_2+1],	ch
		shr	cl, 3
		and	cl, 6
		call	_regValue@8	; regValue(x,x)
		mov	esi, eax
		mov	edx, 0C0h
		movzx	eax, ch
		and	eax, edx
		sub	eax, 40h
		jz	short loc_A4E8DC
		sub	eax, 40h
		jz	short loc_A4E8D7
		sub	eax, 40h
		jnz	short loc_A4E8DE
		shl	esi, 3
		jmp	short loc_A4E8DE
; 

loc_A4E8D7:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+124j
		shl	esi, 2
		jmp	short loc_A4E8DE
; 

loc_A4E8DC:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+11Fj
		add	esi, esi

loc_A4E8DE:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+129j
					; KdpIsSpecialCall(x,x,x,x)+12Ej ...
		movzx	eax, [ebp+arg_4]
		and	eax, edx
		sub	eax, ebx
		jz	loc_A4E97C
		sub	eax, 40h
		jz	short loc_A4E939
		sub	eax, 40h
		jnz	loc_A4E9B1
		and	ch, 6
		cmp	ch, 4
		jz	loc_A4E9CB
		push	ebx
		push	4
		push	ebx
		push	ebx
		lea	eax, [edi+3]
		push	eax
		push	4
		pop	edx
		lea	ecx, [ebp+var_8]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	edi, ebx
		test	eax, eax
		js	short loc_A4E923
		mov	edi, [ebp+var_8]

loc_A4E923:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+177j
		mov	cl, byte ptr [ebp+var_2+1]
		mov	edx, [ebp+var_C]
		and	cl, 7
		call	_regValue@8	; regValue(x,x)
		lea	ecx, [esi+eax]
		jmp	loc_A4E7F3
; 

loc_A4E939:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+148j
		and	ch, 6
		cmp	ch, 4
		jz	loc_A4E9CB
		push	ebx
		push	4
		push	ebx
		lea	eax, [edi+3]
		xor	edx, edx
		push	ebx
		push	eax
		inc	edx
		lea	ecx, [ebp+var_2]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	cl, byte ptr [ebp+var_2+1]
		test	eax, eax
		mov	edx, [ebp+var_C]
		sets	bl
		and	cl, 7
		dec	bl
		and	bl, byte ptr [ebp+var_2]
		call	_regValue@8	; regValue(x,x)
		movsx	ecx, bl
		add	eax, esi
		add	ecx, eax
		xor	ebx, ebx
		jmp	short loc_A4E9B4
; 

loc_A4E97C:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+13Fj
		and	ch, 7
		cmp	ch, 5
		jz	short loc_A4E9CB
		mov	edx, [ebp+var_C]
		mov	cl, ch
		call	_regValue@8	; regValue(x,x)
		lea	ecx, [esi+eax]
		jmp	short loc_A4E9B4
; 

loc_A4E993:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+55j
		cmp	al, 9Ah
		jnz	short loc_A4E9CB
		push	ebx
		push	4
		push	ebx
		push	ebx
		lea	eax, [edi+1]
		push	eax
		push	4
		pop	edx
		lea	ecx, [ebp+var_10]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	ecx, ebx
		test	eax, eax
		js	short loc_A4E9B4

loc_A4E9B1:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+40j
					; KdpIsSpecialCall(x,x,x,x)+ACj ...
		mov	ecx, [ebp+var_10]

loc_A4E9B4:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+4Ej
					; KdpIsSpecialCall(x,x,x,x)+89j ...
		mov	eax, ds:_KdNumberOfSpecialCalls
		test	eax, eax
		jz	short loc_A4E9CB

loc_A4E9BD:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+222j
		cmp	ds:_KdSpecialCalls[ebx*4], ecx
		jz	short loc_A4E9D4
		inc	ebx
		cmp	ebx, eax
		jb	short loc_A4E9BD

loc_A4E9CB:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+68j
					; KdpIsSpecialCall(x,x,x,x)+71j ...
		xor	al, al

loc_A4E9CD:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+22Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_A4E9D4:				; CODE XREF: KdpIsSpecialCall(x,x,x,x)+21Dj
		mov	al, 1
		jmp	short loc_A4E9CD
_KdpIsSpecialCall@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpLevelChange(x, x, x)
_KdpLevelChange@12 proc	near		; CODE XREF: KdpCheckTracePoint(x,x)+18Fp
					; KdpCheckTracePoint(x,x)+3F2p	...

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	word ptr [ebp+var_C], 0CCCCh
		push	eax
		push	4
		push	eax
		push	eax
		mov	edi, ecx
		mov	[ebp+var_4], eax
		push	edi
		push	2
		mov	ebx, edx
		lea	ecx, [ebp+var_C]
		pop	edx
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	al, byte ptr [ebp+var_C]
		cmp	al, 9Ah
		jz	loc_A4EAC5
		cmp	al, 0C2h
		jz	loc_A4EAFC
		cmp	al, 0C3h
		jz	loc_A4EAEB
		cmp	al, 0C9h
		jbe	loc_A4EAE3
		cmp	al, 0CBh
		jbe	loc_A4EAFC
		cmp	al, 0E8h
		jz	short loc_A4EA8C
		mov	ecx, 0FFh
		cmp	al, cl
		jnz	loc_A4EAE3
		movzx	eax, byte ptr [ebp+var_C+1]
		and	eax, 38h
		cmp	eax, 10h
		jz	short loc_A4EA86
		cmp	eax, 20h
		jnz	loc_A4EAF8
		push	[ebp+var_C+1]
		mov	edx, ebx
		push	ecx
		mov	ecx, edi
		call	_KdpIsSpecialCall@16 ; KdpIsSpecialCall(x,x,x,x)
		mov	esi, [ebp+arg_0]
		mov	edx, ebx
		mov	ecx, edi
		mov	[esi], al
		call	_KdpIsTryFinallyReturn@8 ; KdpIsTryFinallyReturn(x,x)
		mov	cl, [esi]
		test	al, al
		jz	short loc_A4EA7D
		test	cl, cl
		jz	short loc_A4EAD9

loc_A4EA79:				; CODE XREF: KdpLevelChange(x,x,x)+A7j
					; KdpLevelChange(x,x,x)+111j
		xor	eax, eax
		jmp	short loc_A4EADC
; 

loc_A4EA7D:				; CODE XREF: KdpLevelChange(x,x,x)+9Bj
		test	cl, cl
		jz	short loc_A4EA79
		or	eax, 0FFFFFFFFh
		jmp	short loc_A4EADC
; 

loc_A4EA86:				; CODE XREF: KdpLevelChange(x,x,x)+71j
		push	[ebp+var_C+1]
		push	ecx
		jmp	short loc_A4EACB
; 

loc_A4EA8C:				; CODE XREF: KdpLevelChange(x,x,x)+58j
		xor	ecx, ecx
		lea	eax, [edi+1]
		push	ecx
		push	4
		push	ecx
		push	ecx
		push	eax
		push	4
		pop	edx
		lea	ecx, [ebp+var_4]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_A4EAAA
		xor	eax, eax
		jmp	short loc_A4EAB2
; 

loc_A4EAAA:				; CODE XREF: KdpLevelChange(x,x,x)+CCj
		mov	eax, [ebp+var_4]
		add	eax, 5
		add	eax, edi

loc_A4EAB2:				; CODE XREF: KdpLevelChange(x,x,x)+D0j
		mov	[ebp+var_4], eax
		cmp	ds:_KdpCurrentSymbolStart, eax
		ja	short loc_A4EAC5
		cmp	eax, ds:_KdpCurrentSymbolEnd
		jb	short loc_A4EAF8

loc_A4EAC5:				; CODE XREF: KdpLevelChange(x,x,x)+30j
					; KdpLevelChange(x,x,x)+E3j
		push	[ebp+var_C+1]
		push	[ebp+var_C]

loc_A4EACB:				; CODE XREF: KdpLevelChange(x,x,x)+B2j
		mov	edx, ebx
		mov	ecx, edi
		call	_KdpIsSpecialCall@16 ; KdpIsSpecialCall(x,x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx], al

loc_A4EAD9:				; CODE XREF: KdpLevelChange(x,x,x)+9Fj
		xor	eax, eax
		inc	eax

loc_A4EADC:				; CODE XREF: KdpLevelChange(x,x,x)+A3j
					; KdpLevelChange(x,x,x)+ACj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_A4EAE3:				; CODE XREF: KdpLevelChange(x,x,x)+48j
					; KdpLevelChange(x,x,x)+61j
		mov	eax, [ebp+arg_0]
		mov	byte ptr [eax],	0
		jmp	short loc_A4EA79
; 

loc_A4EAEB:				; CODE XREF: KdpLevelChange(x,x,x)+40j
		mov	edx, ebx
		mov	ecx, edi
		call	_KdpIsTryFinallyReturn@8 ; KdpIsTryFinallyReturn(x,x)
		test	al, al
		jz	short loc_A4EAFC

loc_A4EAF8:				; CODE XREF: KdpLevelChange(x,x,x)+76j
					; KdpLevelChange(x,x,x)+EBj
		xor	eax, eax
		jmp	short loc_A4EAFF
; 

loc_A4EAFC:				; CODE XREF: KdpLevelChange(x,x,x)+38j
					; KdpLevelChange(x,x,x)+50j ...
		or	eax, 0FFFFFFFFh

loc_A4EAFF:				; CODE XREF: KdpLevelChange(x,x,x)+122j
		mov	ecx, [ebp+arg_0]
		mov	byte ptr [ecx],	0
		jmp	short loc_A4EADC
_KdpLevelChange@12 endp


;  S U B	R O U T	I N E 


; __stdcall KdpSetContextState(x, x)
_KdpSetContextState@8 proc near		; CODE XREF: KdpReportCommandStringStateChange(x,x,x)+68p
					; KdpReportExceptionStateChange(x,x,x)+90p ...
		mov	edi, edi
		push	esi
		mov	esi, large fs:20h
		mov	eax, [esi+304h]
		mov	[ecx+0C0h], eax
		mov	eax, [esi+308h]
		mov	[ecx+0C4h], eax
		mov	ax, [edx+0BCh]
		mov	[ecx+0DCh], ax
		mov	ax, [edx+98h]
		mov	[ecx+0DEh], ax
		mov	ax, [edx+94h]
		mov	[ecx+0E0h], ax
		mov	ax, [edx+90h]
		mov	[ecx+0E2h], ax
		mov	eax, [edx+0C0h]
		mov	[ecx+0E4h], eax
		xor	eax, eax
		inc	eax
		mov	[ecx+0CAh], ax
		mov	eax, [edx+0BCh]
		pop	esi
		cmp	eax, 8
		jz	short loc_A4EB88
		cmp	eax, 1Bh
		jnz	short locret_A4EB92

loc_A4EB88:				; CODE XREF: KdpSetContextState(x,x)+7Aj
		push	3
		pop	eax
		mov	[ecx+0CAh], ax

locret_A4EB92:				; CODE XREF: KdpSetContextState(x,x)+7Fj
		retn
_KdpSetContextState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSysReadControlSpace(x, x, x, x, x, x)
_KdpSysReadControlSpace@24 proc	near	; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+23Cp
					; KdpReadControlSpace(x,x,x)+4Ep

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	edx, [ebp+arg_8]
		cmp	[ebp+arg_4], ebx
		ja	short loc_A4EBE2
		mov	ecx, [ebp+arg_0]
		mov	eax, 320h
		jb	short loc_A4EBB7
		cmp	ecx, eax
		jnb	short loc_A4EBE2

loc_A4EBB7:				; CODE XREF: KdpSysReadControlSpace(x,x,x,x,x,x)+1Ej
		cmp	esi, ds:_KeNumberProcessors
		jnb	short loc_A4EBE2
		sub	eax, ecx
		cmp	eax, edx
		jnb	short loc_A4EBC7
		mov	edx, eax

loc_A4EBC7:				; CODE XREF: KdpSysReadControlSpace(x,x,x,x,x,x)+30j
		push	[ebp+arg_C]
		add	ecx, 18h
		add	ecx, ds:_KiProcessorBlock[esi*4]
		push	5
		push	ebx
		push	ebx
		push	edi
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	ecx, eax
		jmp	short loc_A4EBEC
; 

loc_A4EBE2:				; CODE XREF: KdpSysReadControlSpace(x,x,x,x,x,x)+14j
					; KdpSysReadControlSpace(x,x,x,x,x,x)+22j ...
		mov	eax, [ebp+arg_C]
		mov	ecx, 0C0000001h
		mov	[eax], ebx

loc_A4EBEC:				; CODE XREF: KdpSysReadControlSpace(x,x,x,x,x,x)+4Dj
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		pop	ebp
		retn	10h
_KdpSysReadControlSpace@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSysReadIoSpace(x, x, x, x, x, x,	x, x)
_KdpSysReadIoSpace@32 proc near		; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+329p
					; KdpReadIoSpace(x,x,x)+34p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		xor	edi, edi
		inc	ebx
		mov	esi, edi
		cmp	ecx, ebx
		jnz	loc_A4EC9D
		test	edx, edx
		jnz	loc_A4EC9D
		cmp	[ebp+arg_0], ebx
		jnz	loc_A4EC9D
		mov	eax, [ebp+arg_10]
		sub	eax, ebx
		jz	short loc_A4EC86
		sub	eax, ebx
		jz	short loc_A4EC63
		dec	eax
		sub	eax, ebx
		jz	short loc_A4EC39
		mov	eax, [ebp+arg_14]
		mov	esi, 0C000000Dh
		mov	[eax], edi
		jmp	short loc_A4EC99
; 

loc_A4EC39:				; CODE XREF: KdpSysReadIoSpace(x,x,x,x,x,x,x,x)+36j
		mov	eax, [ebp+arg_4]
		and	eax, 3
		or	eax, edi
		jz	short loc_A4EC4A

loc_A4EC43:				; CODE XREF: KdpSysReadIoSpace(x,x,x,x,x,x,x,x)+75j
		mov	esi, 80000002h
		jmp	short loc_A4EC99
; 

loc_A4EC4A:				; CODE XREF: KdpSysReadIoSpace(x,x,x,x,x,x,x,x)+4Cj
		push	[ebp+arg_4]
		call	ds:__imp__READ_PORT_ULONG@4 ; READ_PORT_ULONG(x)
		mov	ecx, [ebp+arg_C]
		mov	[ecx], eax
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 4
		jmp	short loc_A4EC99
; 

loc_A4EC63:				; CODE XREF: KdpSysReadIoSpace(x,x,x,x,x,x,x,x)+31j
		mov	eax, [ebp+arg_4]
		and	eax, ebx
		or	eax, edi
		jnz	short loc_A4EC43
		push	[ebp+arg_4]
		call	ds:__imp__READ_PORT_USHORT@4 ; READ_PORT_USHORT(x)
		mov	ecx, [ebp+arg_C]
		mov	[ecx], ax
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 2
		jmp	short loc_A4EC99
; 

loc_A4EC86:				; CODE XREF: KdpSysReadIoSpace(x,x,x,x,x,x,x,x)+2Dj
		push	[ebp+arg_4]
		call	ds:__imp__READ_PORT_UCHAR@4 ; READ_PORT_UCHAR(x)
		mov	ecx, [ebp+arg_C]
		mov	[ecx], al
		mov	ecx, [ebp+arg_14]
		mov	[ecx], ebx

loc_A4EC99:				; CODE XREF: KdpSysReadIoSpace(x,x,x,x,x,x,x,x)+42j
					; KdpSysReadIoSpace(x,x,x,x,x,x,x,x)+53j ...
		mov	eax, esi
		jmp	short loc_A4ECA7
; 

loc_A4EC9D:				; CODE XREF: KdpSysReadIoSpace(x,x,x,x,x,x,x,x)+11j
					; KdpSysReadIoSpace(x,x,x,x,x,x,x,x)+19j ...
		mov	eax, [ebp+arg_14]
		mov	[eax], edi
		mov	eax, 0C0000001h

loc_A4ECA7:				; CODE XREF: KdpSysReadIoSpace(x,x,x,x,x,x,x,x)+A6j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
_KdpSysReadIoSpace@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSysReadMsr(x, x)
_KdpSysReadMsr@8 proc near		; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+3C1p
					; KdpReadMachineSpecificRegister(x,x,x)+27p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6A83B8
		call	__SEH_prolog4
		mov	edi, edx
		mov	[ebp+var_1C], edi
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], esi
		rdmsr
		mov	[edi], eax
		mov	[edi+4], edx
		jmp	short loc_A4ECE3
; 

loc_A4ECCD:				; DATA XREF: .text:006A83CCo
		xor	eax, eax
		inc	eax
		retn
; 

loc_A4ECD1:				; DATA XREF: .text:006A83D0o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	esi, esi
		mov	ecx, [ebp+var_1C]
		mov	[ecx], esi
		mov	[ecx+4], esi
		mov	esi, 0C000000Eh

loc_A4ECE3:				; CODE XREF: KdpSysReadMsr(x,x)+1Dj
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KdpSysReadMsr@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSysWriteControlSpace(x, x, x, x,	x, x)
_KdpSysWriteControlSpace@24 proc near	; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+2ACp
					; KdpWriteControlSpace(x,x,x)+35p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, edx
		xor	eax, eax
		mov	edx, [ebp+arg_8]
		mov	esi, edx
		push	edi
		mov	edi, [ebp+arg_0]
		add	esi, edi
		adc	eax, [ebp+arg_4]
		test	eax, eax
		ja	short loc_A4ED4A
		jb	short loc_A4ED23
		cmp	esi, 320h
		ja	short loc_A4ED4A

loc_A4ED23:				; CODE XREF: KdpSysWriteControlSpace(x,x,x,x,x,x)+1Dj
		cmp	ecx, ds:_KeNumberProcessors
		jnb	short loc_A4ED4A
		push	[ebp+arg_C]
		mov	eax, ds:_KiProcessorBlock[ecx*4]
		lea	ecx, [edi+18h]
		push	4
		push	0
		push	0
		add	ecx, eax
		push	ebx
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	ecx, eax
		jmp	short loc_A4ED55
; 

loc_A4ED4A:				; CODE XREF: KdpSysWriteControlSpace(x,x,x,x,x,x)+1Bj
					; KdpSysWriteControlSpace(x,x,x,x,x,x)+25j ...
		mov	eax, [ebp+arg_C]
		mov	ecx, 0C0000001h
		and	dword ptr [eax], 0

loc_A4ED55:				; CODE XREF: KdpSysWriteControlSpace(x,x,x,x,x,x)+4Cj
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		pop	ebp
		retn	10h
_KdpSysWriteControlSpace@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSysWriteIoSpace(x, x, x,	x, x, x, x, x)
_KdpSysWriteIoSpace@32 proc near	; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+3A5p
					; KdpWriteIoSpace(x,x,x)+30p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	ebx, ebx
		push	edi
		xor	edi, edi
		inc	ebx
		mov	esi, edi
		cmp	ecx, ebx
		jnz	loc_A4EE09
		test	edx, edx
		jnz	loc_A4EE09
		cmp	[ebp+arg_0], ebx
		jnz	loc_A4EE09
		mov	eax, [ebp+arg_10]
		sub	eax, ebx
		jz	short loc_A4EDF0
		sub	eax, ebx
		jz	short loc_A4EDCC
		dec	eax
		sub	eax, ebx
		jz	short loc_A4EDA2
		mov	eax, [ebp+arg_14]
		mov	esi, 0C000000Dh
		mov	[eax], edi
		jmp	short loc_A4EE05
; 

loc_A4EDA2:				; CODE XREF: KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)+36j
		mov	eax, [ebp+arg_4]
		and	eax, 3
		or	eax, edi
		jz	short loc_A4EDB3

loc_A4EDAC:				; CODE XREF: KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)+75j
		mov	esi, 80000002h
		jmp	short loc_A4EE05
; 

loc_A4EDB3:				; CODE XREF: KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)+4Cj
		mov	eax, [ebp+arg_C]
		push	dword ptr [eax]
		push	[ebp+arg_4]
		call	ds:__imp__WRITE_PORT_ULONG@8 ; WRITE_PORT_ULONG(x,x)
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 4
		jmp	short loc_A4EE05
; 

loc_A4EDCC:				; CODE XREF: KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)+31j
		mov	eax, [ebp+arg_4]
		and	eax, ebx
		or	eax, edi
		jnz	short loc_A4EDAC
		mov	eax, [ebp+arg_C]
		movzx	eax, word ptr [eax]
		push	eax
		push	[ebp+arg_4]
		call	ds:__imp__WRITE_PORT_USHORT@8 ;	WRITE_PORT_USHORT(x,x)
		mov	eax, [ebp+arg_14]
		mov	dword ptr [eax], 2
		jmp	short loc_A4EE05
; 

loc_A4EDF0:				; CODE XREF: KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)+2Dj
		mov	ecx, [ebp+arg_C]
		movzx	ecx, byte ptr [ecx]
		push	ecx
		push	[ebp+arg_4]
		call	ds:__imp__WRITE_PORT_UCHAR@8 ; WRITE_PORT_UCHAR(x,x)
		mov	ecx, [ebp+arg_14]
		mov	[ecx], ebx

loc_A4EE05:				; CODE XREF: KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)+42j
					; KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)+53j ...
		mov	eax, esi
		jmp	short loc_A4EE13
; 

loc_A4EE09:				; CODE XREF: KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)+11j
					; KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)+19j ...
		mov	eax, [ebp+arg_14]
		mov	[eax], edi
		mov	eax, 0C0000001h

loc_A4EE13:				; CODE XREF: KdpSysWriteIoSpace(x,x,x,x,x,x,x,x)+A9j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
_KdpSysWriteIoSpace@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpSysWriteMsr(x, x)
_KdpSysWriteMsr@8 proc near		; CODE XREF: KdSystemDebugControl(x,x,x,x,x,x,x)+3DDp
					; KdpSendWaitContinue(x,x,x,x)+241p

ms_exc		= CPPEH_RECORD ptr -18h

		push	8
		push	offset dword_6A83D8
		call	__SEH_prolog4
		xor	esi, esi
		mov	[ebp+ms_exc.disabled], esi
		mov	eax, [edx]
		mov	edx, [edx+4]
		wrmsr
		jmp	short loc_A4EE40
; 

loc_A4EE34:				; DATA XREF: .text:006A83ECo
		xor	eax, eax
		inc	eax
		retn
; 

loc_A4EE38:				; DATA XREF: .text:006A83F0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	esi, 0C000000Eh

loc_A4EE40:				; CODE XREF: KdpSysWriteMsr(x,x)+18j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KdpSysWriteMsr@8 endp


;  S U B	R O U T	I N E 


; __stdcall regValue(x,	x)
_regValue@8	proc near		; CODE XREF: KdpIsSpecialCall(x,x,x,x)+82p
					; KdpIsSpecialCall(x,x,x,x)+10Bp ...
		movzx	eax, cl
		cmp	eax, 7		; switch 8 cases
		ja	short loc_A4EEA0 ; default
		jmp	ds:off_A4EEA5[eax*4] ; switch jump

loc_A4EE68:				; DATA XREF: PAGEKD:off_A4EEA5o
		mov	eax, [edx+0B0h]	; case 0x0
		retn
; 

loc_A4EE6F:				; CODE XREF: regValue(x,x)+8j
					; DATA XREF: PAGEKD:off_A4EEA5o
		mov	eax, [edx+0ACh]	; case 0x1
		retn
; 

loc_A4EE76:				; CODE XREF: regValue(x,x)+8j
					; DATA XREF: PAGEKD:off_A4EEA5o
		mov	eax, [edx+0A8h]	; case 0x2
		retn
; 

loc_A4EE7D:				; CODE XREF: regValue(x,x)+8j
					; DATA XREF: PAGEKD:off_A4EEA5o
		mov	eax, [edx+0A4h]	; case 0x3
		retn
; 

loc_A4EE84:				; CODE XREF: regValue(x,x)+8j
					; DATA XREF: PAGEKD:off_A4EEA5o
		mov	eax, [edx+0C4h]	; case 0x4
		retn
; 

loc_A4EE8B:				; CODE XREF: regValue(x,x)+8j
					; DATA XREF: PAGEKD:off_A4EEA5o
		mov	eax, [edx+0B4h]	; case 0x5
		retn
; 

loc_A4EE92:				; CODE XREF: regValue(x,x)+8j
					; DATA XREF: PAGEKD:off_A4EEA5o
		mov	eax, [edx+0A0h]	; case 0x6
		retn
; 

loc_A4EE99:				; CODE XREF: regValue(x,x)+8j
					; DATA XREF: PAGEKD:off_A4EEA5o
		mov	eax, [edx+9Ch]	; case 0x7
		retn
; 

loc_A4EEA0:				; CODE XREF: regValue(x,x)+6j
		xor	eax, eax	; default
		retn
_regValue@8	endp

; 
		db 8Bh
		db 0FFh
off_A4EEA5	dd offset loc_A4EE68	; DATA XREF: regValue(x,x)+8r
		dd offset loc_A4EE6F	; jump table for switch	statement
		dd offset loc_A4EE76
		dd offset loc_A4EE7D
		dd offset loc_A4EE84
		dd offset loc_A4EE8B
		dd offset loc_A4EE92
		dd offset loc_A4EE99

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpPrintString(x)
_KdpPrintString@4 proc near		; CODE XREF: KdRefreshDebuggerNotPresent+7DE77p
					; KdpPrint(x,x,x,x,x,x,x,x)+103p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= word ptr -10h
var_E		= word ptr -0Eh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		movzx	edx, word ptr [ecx]
		lea	eax, [esp+2Ch+var_28]
		push	esi
		xor	esi, esi
		push	eax
		push	4
		push	esi
		push	esi
		push	dword ptr [ecx+4]
		mov	[esp+44h+var_28], esi
		mov	[esp+44h+var_24], esi
		mov	[esp+44h+var_20], esi
		mov	[esp+44h+var_1C], esi
		mov	[esp+44h+var_18], esi
		mov	[esp+44h+var_8], esi
		mov	esi, offset _KdpMessageBuffer
		mov	ecx, esi
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	eax, [esp+30h+var_28]
		mov	ecx, ds:_KdTransportMaxPacketSize
		add	eax, 10h
		cmp	eax, ecx
		jbe	short loc_A4EF29
		lea	eax, [ecx-10h]
		mov	[esp+30h+var_28], eax

loc_A4EF29:				; CODE XREF: KdpPrintString(x)+5Bj
		mov	ax, ds:_KeProcessorLevel
		mov	[esp+30h+var_10], ax
		movzx	eax, large byte	ptr fs:51h
		push	10h
		pop	ecx
		mov	[esp+30h+var_E], ax
		mov	eax, [esp+30h+var_28]
		mov	[esp+30h+var_C], eax
		mov	word ptr [esp+30h+var_24], ax
		lea	eax, [esp+30h+var_24]
		push	offset _KdpContext
		push	eax
		lea	eax, [esp+38h+var_1C]
		mov	word ptr [esp+38h+var_1C], cx
		push	eax
		lea	ecx, [esp+3Ch+var_14]
		mov	[esp+3Ch+var_14], 3230h
		push	3
		mov	[esp+40h+var_18], ecx
		mov	[esp+40h+var_20], esi
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		call	_KdpPollBreakInWithPortLock@0 ;	KdpPollBreakInWithPortLock()
		mov	ecx, [esp+40h+var_14]
		pop	esi
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_KdpPrintString@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpPromptString(x, x)
_KdpPromptString@8 proc	near		; CODE XREF: KdpPrompt(x,x,x,x,x,x,x)+E9p

var_4C		= dword	ptr -4Ch
var_38		= dword	ptr -38h
var_32		= word ptr -32h
var_2A		= word ptr -2Ah
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= word ptr -10h
var_E		= word ptr -0Eh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+2Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [esp+38h+var_28]
		push	eax
		push	4
		push	ebx
		push	ebx
		push	dword ptr [ecx+4]
		mov	esi, edx
		mov	[esp+4Ch+var_28], ebx
		movzx	edx, word ptr [ecx]
		mov	ecx, offset _KdpMessageBuffer
		mov	[esp+4Ch+var_24], ebx
		mov	[esp+4Ch+var_20], ebx
		mov	[esp+4Ch+var_1C], ebx
		mov	[esp+4Ch+var_18], ebx
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	eax, [esp+38h+var_28]
		mov	ecx, ds:_KdTransportMaxPacketSize
		add	eax, 10h
		cmp	eax, ecx
		jbe	short loc_A4EFF8
		lea	eax, [ecx-10h]
		mov	[esp+38h+var_28], eax

loc_A4EFF8:				; CODE XREF: KdpPromptString(x,x)+59j
		mov	ax, ds:_KeProcessorLevel
		mov	[esp+38h+var_10], ax
		movzx	eax, large byte	ptr fs:51h
		mov	ecx, [esp+38h+var_28]
		mov	[esp+38h+var_E], ax
		movzx	eax, word ptr [esi+2]
		push	10h
		mov	[esp+3Ch+var_8], eax
		lea	eax, [esp+3Ch+var_14]
		pop	edi
		mov	[esp+38h+var_18], eax
		lea	eax, [esp+38h+var_24]
		push	offset _KdpContext
		push	eax
		lea	eax, [esp+40h+var_1C]
		mov	[esp+40h+var_14], 3231h
		push	eax
		push	3
		mov	[esp+48h+var_C], ecx
		mov	word ptr [esp+48h+var_1C], di
		mov	word ptr [esp+48h+var_24], cx
		mov	[esp+48h+var_20], offset _KdpMessageBuffer
		call	ds:__imp__KdSendPacket@16 ; KdSendPacket(x,x,x,x)
		mov	eax, 1000h
		mov	[esp+48h+var_2A], di
		mov	[esp+48h+var_32], ax

loc_A4F06B:				; CODE XREF: KdpPromptString(x,x)+F8j
		push	offset _KdpContext
		lea	eax, [esp+4Ch+var_38]
		push	eax
		lea	eax, [esp+1Ch]
		push	eax
		lea	eax, [esp+28h]
		push	eax
		push	3
		call	ds:__imp__KdReceivePacket@20 ; KdReceivePacket(x,x,x,x,x)
		cmp	eax, 2
		jz	short loc_A4F0C4
		test	eax, eax
		jnz	short loc_A4F06B
		movzx	eax, word ptr [esi+2]
		mov	edx, [esp+5Ch+var_4C]
		cmp	edx, eax
		jbe	short loc_A4F0A2
		mov	edx, eax
		mov	[esp+5Ch+var_4C], edx

loc_A4F0A2:				; CODE XREF: KdpPromptString(x,x)+104j
		lea	eax, [esp+5Ch+var_4C]
		mov	ecx, offset _KdpMessageBuffer
		push	eax
		push	5
		push	ebx
		push	ebx
		push	dword ptr [esi+4]
		call	_KdpCopyMemoryChunks@28	; KdpCopyMemoryChunks(x,x,x,x,x,x,x)
		mov	ax, word ptr [esp+5Ch+var_4C]
		mov	[esi], ax
		xor	al, al
		jmp	short loc_A4F0C6
; 

loc_A4F0C4:				; CODE XREF: KdpPromptString(x,x)+F4j
		mov	al, 1

loc_A4F0C6:				; CODE XREF: KdpPromptString(x,x)+12Cj
		mov	ecx, [esp+5Ch+var_28]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_KdpPromptString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KdpTrap(x, x, x, x,	x, x)
_KdpTrap@24	proc near		; CODE XREF: KeInsertQueue+E3j
					; KiDispatchException+10DF5Ap ...

var_5		= dword	ptr -5
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	ecx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, edx
		xor	edx, edx
		cmp	dword ptr [ecx], 80000003h
		mov	byte ptr [ebp+var_1], dl
		mov	byte ptr [ebp+var_5], dl
		jnz	loc_A4F1C9
		mov	eax, [ecx+14h]
		test	eax, eax
		jz	loc_A4F1C9
		mov	esi, [ebp+arg_4]
		mov	ecx, [esi+0B8h]
		mov	[ebp+arg_4], ecx
		mov	ecx, [ebp+arg_0]
		sub	eax, 1
		jz	short loc_A4F18A
		sub	eax, 1
		jz	short loc_A4F164
		sub	eax, 1
		jz	short loc_A4F14C
		sub	eax, 1
		jz	short loc_A4F148
		sub	eax, 1
		jnz	loc_A4F1B5
		mov	edx, [ecx+1Ch]
		mov	ecx, [ecx+18h]
		push	edi
		push	ebx
		push	esi
		push	[ebp+arg_8]
		call	_KdpCommandString@24 ; KdpCommandString(x,x,x,x,x,x)
		jmp	short loc_A4F160
; 

loc_A4F148:				; CODE XREF: KdpTrap(x,x,x,x,x,x)+52j
		mov	byte ptr [ebp+var_5], 1

loc_A4F14C:				; CODE XREF: KdpTrap(x,x,x,x,x,x)+4Dj
		mov	edx, [ecx+1Ch]
		mov	ecx, [ecx+18h]
		push	edi
		push	ebx
		push	esi
		push	[ebp+arg_8]
		push	[ebp+var_5]
		call	_KdpSymbol@28	; KdpSymbol(x,x,x,x,x,x,x)

loc_A4F160:				; CODE XREF: KdpTrap(x,x,x,x,x,x)+6Ej
		mov	dl, 1
		jmp	short loc_A4F1B5
; 

loc_A4F164:				; CODE XREF: KdpTrap(x,x,x,x,x,x)+48j
		movzx	eax, word ptr [esi+9Ch]
		mov	dx, [ecx+1Ch]
		mov	ecx, [ecx+18h]
		push	edi
		push	ebx
		push	[ebp+arg_8]
		push	eax
		push	dword ptr [esi+0A4h]
		call	_KdpPrompt@28	; KdpPrompt(x,x,x,x,x,x,x)
		movzx	eax, ax
		mov	dl, 1
		jmp	short loc_A4F1AF
; 

loc_A4F18A:				; CODE XREF: KdpTrap(x,x,x,x,x,x)+43j
		mov	edx, [esi+9Ch]
		lea	eax, [ebp+var_1]
		push	eax
		movzx	eax, word ptr [ecx+1Ch]
		push	edi
		push	ebx
		push	[ebp+arg_8]
		push	eax
		push	dword ptr [ecx+18h]
		mov	ecx, [esi+0A4h]
		call	_KdpPrint@32	; KdpPrint(x,x,x,x,x,x,x,x)
		mov	dl, byte ptr [ebp+var_1]

loc_A4F1AF:				; CODE XREF: KdpTrap(x,x,x,x,x,x)+B0j
		mov	[esi+0B0h], eax

loc_A4F1B5:				; CODE XREF: KdpTrap(x,x,x,x,x,x)+57j
					; KdpTrap(x,x,x,x,x,x)+8Aj
		mov	eax, [esi+0B8h]
		cmp	eax, [ebp+arg_4]
		jnz	short loc_A4F1DC
		inc	eax
		mov	[esi+0B8h], eax
		jmp	short loc_A4F1DC
; 

loc_A4F1C9:				; CODE XREF: KdpTrap(x,x,x,x,x,x)+20j
					; KdpTrap(x,x,x,x,x,x)+2Bj
		push	[ebp+arg_C]
		mov	edx, edi
		push	ecx
		push	[ebp+arg_4]
		push	ecx
		mov	ecx, ebx
		call	_KdpReport@24	; KdpReport(x,x,x,x,x,x)
		mov	dl, al

loc_A4F1DC:				; CODE XREF: KdpTrap(x,x,x,x,x,x)+E6j
					; KdpTrap(x,x,x,x,x,x)+EFj
		pop	edi
		pop	esi
		mov	al, dl
		pop	ebx
		leave
		retn	10h
_KdpTrap@24	endp

; 
		align 20h
PAGEKD		ends

; Section 13. (virtual address 00650000)
; Virtual size			: 00021F36 ( 139062.)
; Section size in file		: 00022000 ( 139264.)
; Offset to raw	data for section: 005EB200
; Flags	60000020: Text Executable Readable
; Alignment	: default
; 

; Segment type:	Pure code
; Segment permissions: Read/Execute
PAGEVRFY	segment	para public 'CODE' use32
		assume cs:PAGEVRFY
		;org 0A50000h
		assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

_Printable:				; DATA XREF: PAGEVRFY:00A50088w
					; PAGEVRFY:_SystemStateNameso ...
		inc	ecx
		add	[edx+0], al
		inc	ebx
		add	[eax+eax+45h], al
		add	[esi+0], al
		inc	edi
		add	[eax+0], cl
		dec	ecx
		add	[edx+0], cl
		dec	ebx
		add	[eax+eax+4Dh], cl
		add	[esi+0], cl
		dec	edi
		add	[eax+0], dl
		push	ecx
		add	[edx+0], dl
		push	ebx
		add	[eax+eax+55h], dl
		add	[esi+0], dl
		push	edi
		add	[eax+0], bl
		pop	ecx
		add	[edx+0], bl
		popa
		add	[edx+0], ah
		arpl	[eax], ax
		add	fs:[ebp+0], ah
		db	66h
		add	[edi+0], ah
		push	6A006900h
		add	[ebx+0], ch
		insb
		add	[ebp+0], ch
		outsb
		add	[edi+0], ch
		jo	short $+2
		jno	short $+2
		jb	short $+2
		jnb	short $+2
		jz	short $+2
		jnz	short $+2
		jbe	short $+2
		ja	short $+2
		js	short $+2
		jns	short $+2
		jp	short $+2
		xor	[eax], al
		xor	[eax], eax
		xor	al, [eax]
		xor	eax, [eax]
		xor	al, 0
		xor	eax, 37003600h
		add	[eax], bh
		add	[ecx], bh
; 
		db 0
		align 10h

_PrintableChars:
		db	3Eh
		add	[eax], al
		add	al, cl		; DATA XREF: VfWmiDumpIrpStack(x)+1Br
; 
		db 8, 0A5h, 0
; 
		adc	[ecx+0], cl
		movsd
		add	al, dh
		or	[ebp-5AF78800h], ah
		add	[eax+8], ah
		movsd
		add	[eax-6BFF5AF8h], dh
		or	[ebp-5AF65C00h], ah
		add	[ecx+ecx+9D400A5h], dl
		movsd
; 
		db 0
		align 10h

_ViShortTime:				; DATA XREF: VfInitSystemNoRebootNeeded(x,x)+42o
					; ViThunkAdjustExportAddressIfHooked(x,x,x,x):loc_A65987o
		pusha

loc_A500B1:				; CODE XREF: PAGEVRFY:loc_A500B1j
		jns	short loc_A500B1
; 
		db 0FFh
		dd 0FFFFFFFFh
_PnPIrpNames	dd offset ??_C@_0BE@LNOGIHJB@IRP_MN_START_DEVICE@GHGBBCHJ@
					; DATA XREF: VfPnpDumpIrpStack(x)+28r
		dd offset loc_A50944+4
		dd offset ??_C@_0BI@DEIPGBBB@IRP_MN_REMOVE_DEVICE?5?9?5@GHGBBCHJ@
		dd offset ??_C@_0BM@NHOBKHFC@IRP_MN_CANCEL_REMOVE_DEVICE@GHGBBCHJ@
		dd offset ??_C@_0BD@OKOEKPNG@IRP_MN_STOP_DEVICE@GHGBBCHJ@
		dd offset ??_C@_0BJ@DBBODAKD@IRP_MN_QUERY_STOP_DEVICE@GHGBBCHJ@
		dd offset ??_C@_0BK@IHBBLJPI@IRP_MN_CANCEL_STOP_DEVICE@GHGBBCHJ@
		dd offset ??_C@_0BO@EDNJKJCF@IRP_MN_QUERY_DEVICE_RELATIONS@GHGBBCHJ@
		dd offset ??_C@_0BH@NJFMIPMO@IRP_MN_QUERY_INTERFACE@GHGBBCHJ@
		dd offset ??_C@_0BK@FNPJPCCF@IRP_MN_QUERY_CAPABILITIES@GHGBBCHJ@
		dd offset ??_C@_0BH@BAILDNEP@IRP_MN_QUERY_RESOURCES@GHGBBCHJ@
		dd offset ??_C@_0CD@MPPOHAEF@IRP_MN_QUERY_RESOURCE_REQUIREME@GHGBBCHJ@
		dd offset ??_C@_0BJ@KBKMPMKH@IRP_MN_QUERY_DEVICE_TEXT@GHGBBCHJ@
		dd offset ??_C@_0CE@FFGNIHMK@IRP_MN_FILTER_RESOURCE_REQUIREM@GHGBBCHJ@
		dd offset ??_C@_0BB@ENDMDNDI@INVALID_IRP_CODE@GHGBBCHJ@
		dd offset ??_C@_0BD@KCLCONNF@IRP_MN_READ_CONFIG@GHGBBCHJ@
		dd offset loc_A50B57+1
		dd offset loc_A50ADF+1
		dd offset ??_C@_0BA@JCIHPHAO@IRP_MN_SET_LOCK@GHGBBCHJ@
		dd offset ??_C@_0BA@MPOLLMHD@IRP_MN_QUERY_ID@GHGBBCHJ@
		dd offset ??_C@_0BO@CLJGNPDL@IRP_MN_QUERY_PNP_DEVICE_STATE@GHGBBCHJ@
		dd offset ??_C@_0BN@FKLLPNEA@IRP_MN_QUERY_BUS_INFORMATION@GHGBBCHJ@
		dd offset ??_C@_0CB@EEGIBKLH@IRP_MN_DEVICE_USAGE_NOTIFICATIO@GHGBBCHJ@
		dd offset ??_C@_0BI@JJMGKCHF@IRP_MN_SURPRISE_REMOVAL@GHGBBCHJ@
		dd offset ??_C@_0CE@OHHBNDAB@IRP_MN_QUERY_LEGACY_BUS_INFORMA@GHGBBCHJ@
		align 10h

_ViWindowStationTypeName:		; DATA XREF: VfCheckUserHandle(x)+158o
		sbb	al, [eax]
		sbb	al, 0
		in	al, 7		; DMA controller, 8237A-5.
					; channel 3 current word count
		movsd
		add	[esi], cl	; DATA XREF: VfCheckUserHandle(x)+143o
		add	[eax], dl
		add	al, ah
		or	[ebp-5AF2D800h], ah ; DATA XREF: VfPowerDumpIrpStack(x)+7Ar
		add	ds:0D5000A5h[ecx], dl
		movsd
		add	[eax], bh
		or	eax, 0DC000A5h
		movsd
		add	[ebp+ecx+0DEC00A5h], ah
		movsd
		add	ah, dl
		or	eax, 0A5h
; 
		dw 0
; 

_ViKernelVerifierMap:			; DATA XREF: ViInitializeKernelVerifierThunks()+10r
		xor	[ecx], al
; 
		dw 0
		dd 12Fh, 104h, 105h, 0FFh
; char *PowerIrpNames
_PowerIrpNames	dd offset ??_C@_0BB@KEEBPEDL@IRP_MN_WAIT_WAKE@GHGBBCHJ@
					; DATA XREF: VfPowerDumpIrpStack(x)+1Ar
		dd offset ??_C@_0BG@HJCHODFP@IRP_MN_POWER_SEQUENCE@GHGBBCHJ@
		dd offset ??_C@_0BB@MOFGLKAE@IRP_MN_SET_POWER@GHGBBCHJ@
		dd offset ??_C@_0BD@NCBACJCG@IRP_MN_QUERY_POWER@GHGBBCHJ@
		dd 0
; 

_SystemStateNames:			; DATA XREF: VfPowerDumpIrpStack(x)+4Fr
		int	3		; Trap to Debugger
		or	al, 0A5h
		add	[esp+ecx+0CFC00A5h], dh
		movsd
		add	ah, ah
		or	al, 0A5h
		add	[esp+ecx-5Bh], ch
		add	[esp+ecx-5Bh], dl
		add	[esp+ecx+0A5h],	bl
; 
		dw 0
; 

; char *DeviceStateNames
_DeviceStateNames:			; DATA XREF: VfPowerDumpIrpStack(x)+61r
		test	-5AF28C00h], cl
		add	[ebp+ecx-5Bh], ah
		add	[ebp+ecx+0D8400A5h], dl
		movsd
; 
		db 0
		dd 0
; 

_ViMaxCommonBuffersPerAdapter:
		and	[eax], al
; 
		dw 0
; 

_ViRequiredTimeSinceBoot:
		add	bl, 0C9h
		add	[eax], eax
; 
		db 3 dup(0)
; 

; void ViDmaVerifierTag
_ViDmaVerifierTag:			; DATA XREF: ViCheckTag(x,x,x,x)+20o
					; ViCheckTag(x,x,x,x)+6Do ...
		inc	esp
		insd
		popa
		push	esi

loc_A501C4:				; DATA XREF: ViTagBuffer(x,x,x)+13r
					; ViTagBuffer(x,x,x)+29r
		jb	short loc_A5022C
		jns	short loc_A501F8

_ViHalDefaultActions:			; DATA XREF: ViHalPreprocessOptions(x,x,x,x,x,x)+2Ar
		add	al, 0
; 
		dw 0
		align 10h
		dd 2, 4	dup(8),	5 dup(4)
; 

loc_A501F8:				; CODE XREF: PAGEVRFY:00A501C6j
		add	al, 0
; 
		dw 0
		align 10h
		dd 2 dup(8), 2 dup(4), 12h, 2 dup(4), 12h, 14h,	4, 8
; 

loc_A5022C:				; CODE XREF: PAGEVRFY:loc_A501C4j
		or	[eax], al
; 
		dw 0
		dd 0
		dd 3 dup(8), 3 dup(4), 14h, 8, 4, 8, 2
; 

_VerifierFilterDriverName:		; DATA XREF: VfFilterAttach(x,x)+2Do
		pop	esp
		add	[eax+eax+52h], al
		add	[ecx+0], cl
		push	esi
		add	[ebp+0], al
		push	edx
		add	[eax+eax+56h], bl
		add	[ebp+0], al
		push	edx
		add	[ecx+0], cl
		inc	esi
		add	[ecx+0], cl
		inc	ebp
		add	[edx+0], dl
		pop	edi
		add	[esi+0], al
		dec	ecx
		add	[eax+eax+54h], cl
		add	[ebp+0], al
		push	edx
; 
		db 3 dup(0)
_IrpMajorNames	dd offset ??_C@_0O@LCBLIIOL@IRP_MJ_CREATE@GHGBBCHJ@
					; DATA XREF: ViGenericDumpIrpStack(x)+1Ar
		dd offset ??_C@_0BJ@MMKIHFHH@IRP_MJ_CREATE_NAMED_PIPE@GHGBBCHJ@
		dd offset ??_C@_0N@FMCDOLCP@IRP_MJ_CLOSE@GHGBBCHJ@
		dd offset ??_C@_0M@LJKCMGIA@IRP_MJ_READ@GHGBBCHJ@
		dd offset ??_C@_0N@DLJAMLBI@IRP_MJ_WRITE@GHGBBCHJ@
		dd offset ??_C@_0BJ@FPMLIFJJ@IRP_MJ_QUERY_INFORMATION@GHGBBCHJ@
		dd offset ??_C@_0BH@GNAPBNMO@IRP_MJ_SET_INFORMATION@GHGBBCHJ@
		dd offset ??_C@_0BA@LFPMCNA@IRP_MJ_QUERY_EA@GHGBBCHJ@
		dd offset ??_C@_0O@FPNILENL@IRP_MJ_SET_EA@GHGBBCHJ@
		dd offset loc_A5065B+1
		dd offset ??_C@_0CA@FDGJPBOD@IRP_MJ_QUERY_VOLUME_INFORMATION@GHGBBCHJ@
		dd offset ??_C@_0BO@CJJMMMF@IRP_MJ_SET_VOLUME_INFORMATION@GHGBBCHJ@
		dd offset ??_C@_0BJ@NCGIANAN@IRP_MJ_DIRECTORY_CONTROL@GHGBBCHJ@
		dd offset ??_C@_0BL@MFHGBIDL@IRP_MJ_FILE_SYSTEM_CONTROL@GHGBBCHJ@
		dd offset ??_C@_0BG@HAFCIBGJ@IRP_MJ_DEVICE_CONTROL@GHGBBCHJ@
		dd offset loc_A5079B+1
		dd offset ??_C@_0BA@CDMDNOAC@IRP_MJ_SHUTDOWN@GHGBBCHJ@
		dd offset ??_C@_0BE@LODBBEFP@IRP_MJ_LOCK_CONTROL@GHGBBCHJ@
		dd offset ??_C@_0P@JJLCIODE@IRP_MJ_CLEANUP@GHGBBCHJ@
		dd offset ??_C@_0BH@CKPKPKHL@IRP_MJ_CREATE_MAILSLOT@GHGBBCHJ@
		dd offset loc_A50727+1
		dd offset ??_C@_0BE@MPINJCAP@IRP_MJ_SET_SECURITY@GHGBBCHJ@
		dd offset ??_C@_0N@BGEEMFOO@IRP_MJ_POWER@GHGBBCHJ@
		dd offset ??_C@_0BG@JHIMGJML@IRP_MJ_SYSTEM_CONTROL@GHGBBCHJ@
		dd offset loc_A5082F+1
		dd offset ??_C@_0BD@MDBGANBO@IRP_MJ_QUERY_QUOTA@GHGBBCHJ@
		dd offset ??_C@_0BB@MFPKCKFI@IRP_MJ_SET_QUOTA@GHGBBCHJ@
		dd offset ??_C@_0L@EACGAIIF@IRP_MJ_PNP@GHGBBCHJ@
		dd 0
_ViDeadlockDefaultActions dd 8		; DATA XREF: ViDeadlockPreprocessOptions(x,x,x,x,x,x)+22r
		dd 4, 8, 3 dup(4), 6 dup(8)
_ViInjectDmaFailures dd	0
_ViSuperDebug	dd 0
; 

_ViMaxMapRegistersPerAdapter:
		and	[eax], al
; 
		dw 0
_ViDeadlockVerifyOnlySpinlocks dd 0
; 

_ViDeadlockChildrenCountMaximum:
		add	[eax+eax], al
; 
		db 0
; 

_ViDeadlockReservedThreads:
		add	[edx], al
; 
		dw 0
; 

_ViDeadlockReservedNodes:
		add	[eax+0], al
; 
		db 0
; 

_ViDeadlockReservedResources:
		add	[eax], ah
; 
		dw 0
_ViDeadlockResourceTypeInfo dd 0	; DATA XREF: VfDeadlockAcquireResource(x,x,x,x,x)+BBr
					; VfDeadlockReleaseResource(x,x,x,x)+226r ...
		dd 0Dh,	1Dh, 2,	6, 3 dup(0Ch), 0
_ViDeadlockResourceTypeSizeInfo	dd 0	; DATA XREF: ViDeadlockAddResource(x,x,x,x,x,x)+133r
					; ViDeadlockRemoveResource(x,x,x)+F8r
		dd 4 dup(20h), 3 dup(4), 0
; 

_VerifierDdiDriverName:			; DATA XREF: VfDdiExposeWmiObjects()+2Bo
		pop	esp
		add	[eax+eax+52h], al
		add	[ecx+0], cl
		push	esi
		add	[ebp+0], al
		push	edx
		add	[eax+eax+56h], bl
		add	[ebp+0], al
		push	edx
		add	[ecx+0], cl
		inc	esi
		add	[ecx+0], cl
		inc	ebp
		add	[edx+0], dl
		pop	edi
		add	[eax+eax+44h], al
		add	[ecx+0], cl
; 
		dd 0
; 

_VfMupServiceName:			; DATA XREF: ViDifCheckCallbackInterception+91F43o
		push	es
		add	[eax], cl
		add	[eax], dl
		push	es
		movsd
; 
		db 0
; 

_VfRdbssServiceName:			; DATA XREF: ViDifCheckCallbackInterception+91F2Ao
		or	al, [eax]
		or	al, 0
		add	al, 6
		movsd

loc_A503D7:				; DATA XREF: ViDifCheckCallbackInterception+91F6Bo
		add	[eax], dl
		add	[edx], dl
		add	[eax], ch
		push	es
		movsd
		add	[eax+eax], bl	; DATA XREF: VfFilterAttach(x,x)+B3o
		push	ds
		add	ds:1C00A5h[eax], dh ; DATA XREF: VfFilterAttach(x,x)+C8o
		push	ds
		add	ds:0E00A5h[eax], dl ; DATA XREF: VfFilterAttach(x,x)+9Eo
		adc	[eax], al
		pop	esp

loc_A503F5:				; DATA XREF: ViDifCheckCallbackInterception+91F57o
		add	eax, 600A5h
		or	[eax], al
		push	esp
		add	eax, 1400A5h	; DATA XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+F0o
					; VfSuspectDriversUnloadCallback(x)+46o
		push	ss
		add	[ebp+eax-5Bh], bh
		add	[edx], dl	; DATA XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+A4o
					; VfSuspectDriversUnloadCallback(x)+12o
		add	[eax+eax], dl
		add	ds:0E00A5h, al	; DATA XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+CAo
					; VfSuspectDriversUnloadCallback(x)+2Do
		adc	[eax], al
		lock add al, 0A5h
		add	[eax+eax], dl	; DATA XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+136o
					; VfSuspectDriversUnloadCallback(x)+78o
		push	ss
		add	[ebp+eax+0C00A5h], ah
					; DATA XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+159o
					; VfSuspectDriversUnloadCallback(x)+91o
		push	cs
		add	[ebp+eax+0C00A5h], dl
					; DATA XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+113o
					; VfSuspectDriversUnloadCallback(x)+5Fo
		push	cs
		add	[ebp+eax-5Bh], ch
		add	[eax], bl	; DATA XREF: ViDriverReApplyVerifierForAll(x)+18o
					; ViInitSystemPhase0+1A374o
		add	[edx], bl
		add	ah, dl
		add	al, 0A5h
		add	dl, al		; DATA XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x):loc_A6123Ao
; 
		db 3 dup(0)
		dd 9Ah,	3, 0C2h, 9Bh, 3, 0C2h, 9Ch, 3, 0C2h, 9Dh, 3, 0C4h
		dd 81h,	3, 0C4h, 82h, 3, 0C4h, 0
		dd 3, 0E6h, 1Eh, 3, 0C4h, 0F5h,	3, 0C4h, 0F7h, 3, 0C4h
		dd 37h,	3, 0C4h, 38h, 3, 0C4h, 0D7h, 3
; 

??_C@_1BK@ELHOPPAM@?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe?$AAx?$AAe@GHGBBCHJ@:
		outsb
		add	[eax+eax+6Fh], dh
		add	[ebx+0], dh
		imul	eax, [eax], 72h
		add	[esi+0], ch
		insb
		add	[esi], ch
		add	[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BA@IJMIEKGH@?$AAt?$AAd?$AAx?$AA?4?$AAs?$AAy?$AAs@GHGBBCHJ@:
		jz	short $+2
		add	fs:[eax+0], bh
		add	cs:[ebx+0], dh
		jns	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BE@IDADHFMO@?$AAt?$AAc?$AAp?$AAi?$AAp?$AA?4?$AAs?$AAy?$AAs@GHGBBCHJ@:
		jz	short $+2
		arpl	[eax], ax
		jo	short $+2
		imul	eax, [eax], 2E0070h
		jnb	short $+2
		jns	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BO@MLIILBKA@?$AAs?$AAy?$AAn?$AAt?$AAh?$AA3?$AAd?$AAv?$AAs?$AAp?$AA?4?$AAs?$AAy?$AAs@GHGBBCHJ@:
		jnb	short $+2
		jns	short $+2
		outsb
		add	[eax+eax+68h], dh
		add	[ebx], dh
		add	[eax+eax+76h], ah
		add	[ebx+0], dh
		jo	short $+2
		add	cs:[ebx+0], dh
		jns	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1BO@LAAOIOKM@?$AAs?$AAy?$AAn?$AAt?$AAh?$AA3?$AAd?$AAv?$AAs?$AAc?$AA?4?$AAs?$AAy?$AAs@GHGBBCHJ@:
		jnb	short $+2
		jns	short $+2
		outsb
		add	[eax+eax+68h], dh
		add	[ebx], dh
		add	[eax+eax+76h], ah
		add	[ebx+0], dh
		arpl	[eax], ax
		add	cs:[ebx+0], dh
		jns	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_17DOHEGIBC@?$AAC?$AAS?$AAC@GHGBBCHJ@:
		inc	ebx
		add	[ebx+0], dl
		inc	ebx
; 
		db 3 dup(0)
; 

??_C@_1BA@LAIALPCC@?$AAv?$AAi?$AAd?$AA?4?$AAs?$AAy?$AAs@GHGBBCHJ@:
		jbe	short $+2
		imul	eax, [eax], 2E0064h
		jnb	short $+2
		jns	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_1O@ENJGCBOL@?$AAt?$AAm?$AA?4?$AAs?$AAy?$AAs@GHGBBCHJ@:
		jz	short $+2
		insd
		add	[esi], ch
		add	[ebx+0], dh
		jns	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1BG@BDPEMFEO@?$AAm?$AAr?$AAx?$AAs?$AAm?$AAb?$AA?4?$AAs?$AAy?$AAs@GHGBBCHJ@:
		insd
		add	[edx+0], dh
		js	short $+2
		jnb	short $+2
		insd
		add	[edx+0], ah
		add	cs:[ebx+0], dh
		jns	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1O@JIJJJHJD@?$AAk?$AAs?$AA?4?$AAs?$AAy?$AAs@GHGBBCHJ@:
		imul	eax, [eax], 73h
		add	[esi], ch
		add	[ebx+0], dh
		jns	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1BG@BNDDADEP@?$AAw?$AAi?$AAn?$AA3?$AA2?$AAk?$AA?4?$AAs?$AAy?$AAs@GHGBBCHJ@:
		ja	short $+2
		imul	eax, [eax], 33006Eh
		xor	al, [eax]
		imul	eax, [eax], 2Eh
		add	[ebx+0], dh
		jns	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_0N@FMCDOLCP@IRP_MJ_CLOSE@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A50298o
					; PAGEVRFD:00AA8A58o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		inc	ebx
		dec	esp
		dec	edi
		push	ebx
		inc	ebp
; 
		dd 0
; 

??_C@_0BJ@MMKIHFHH@IRP_MJ_CREATE_NAMED_PIPE@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A50294o
					; PAGEVRFD:00AA8A48o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		inc	ebx
		push	edx
		inc	ebp
		inc	ecx
		push	esp
		inc	ebp
		pop	edi
		dec	esi
		inc	ecx
		dec	ebp
		inc	ebp
		inc	esp
		pop	edi
		push	eax
		dec	ecx
		push	eax
		inc	ebp
; 
		dd 0
; 

??_C@_0N@DLJAMLBI@IRP_MJ_WRITE@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A502A0o
					; PAGEVRFD:00AA8A78o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	edi
		push	edx
		dec	ecx
		push	esp
		inc	ebp
; 
		dd 0
; 

??_C@_0M@LJKCMGIA@IRP_MJ_READ@GHGBBCHJ@: ; DATA	XREF: PAGEVRFY:00A5029Co
					; PAGEVRFD:00AA8A68o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	edx
		inc	ebp
		inc	ecx
		inc	esp
; 
		db 0
; 

??_C@_1M@PCKFFFCK@?$AAr?$AAd?$AAb?$AAs?$AAs@GHGBBCHJ@:
		jb	short $+2
		add	fs:[edx+0], ah
		jnb	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_17BIJFMLEE@?$AAM?$AAu?$AAp@GHGBBCHJ@:
		dec	ebp
		add	[ebp+0], dh
		jo	short $+2
; 
		dw 0
; 

??_C@_0O@LCBLIIOL@IRP_MJ_CREATE@GHGBBCHJ@: ; DATA XREF:	PAGEVRFY:_IrpMajorNameso
					; PAGEVRFD:_VfXdvIoCallbackThunkso
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		inc	ebx
		push	edx
		inc	ebp
		inc	ecx
		push	esp
		inc	ebp
; 
		db 3 dup(0)
; 

??_C@_1BC@HJCGHLCN@?$AAa?$AAm?$AAd?$AAk?$AAm?$AAd?$AAa?$AAg@GHGBBCHJ@:
		popa
		add	[ebp+0], ch
		add	fs:[ebx+0], ch
		insd
		add	[eax+eax+61h], ah
		add	[edi+0], ah
; 
		dd 0
; 

??_C@_0CA@FDGJPBOD@IRP_MJ_QUERY_VOLUME_INFORMATION@GHGBBCHJ@:
					; DATA XREF: PAGEVRFY:00A502B8o
					; PAGEVRFD:00AA8AD8o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		push	esi
		dec	edi
		dec	esp
		push	ebp
		dec	ebp
		inc	ebp
		pop	edi
		dec	ecx
		dec	esi
		inc	esi
		dec	edi
		push	edx
		dec	ebp
		inc	ecx
		push	esp
		dec	ecx
		dec	edi
		dec	esi

loc_A5065B:				; DATA XREF: PAGEVRFY:00A502B4o
					; PAGEVRFD:00AA8AC8o
		add	[ecx+52h], cl
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		inc	esi
		dec	esp
		push	ebp
		push	ebx
		dec	eax
		pop	edi
		inc	edx
		push	ebp
		inc	esi
		inc	esi
		inc	ebp
		push	edx
		push	ebx
; 
		dd 0
; 

??_C@_0BJ@NCGIANAN@IRP_MJ_DIRECTORY_CONTROL@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A502C0o
					; PAGEVRFD:00AA8AF8o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		inc	esp
		dec	ecx
		push	edx
		inc	ebp
		inc	ebx
		push	esp
		dec	edi
		push	edx
		pop	ecx
		pop	edi
		inc	ebx
		dec	edi
		dec	esi
		push	esp
		push	edx
		dec	edi
		dec	esp
; 
		dd 0
; 

??_C@_0BO@CJJMMMF@IRP_MJ_SET_VOLUME_INFORMATION@GHGBBCHJ@: ; DATA XREF:	PAGEVRFY:00A502BCo
					; PAGEVRFD:00AA8AE8o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	ebx
		inc	ebp
		push	esp
		pop	edi
		push	esi
		dec	edi
		dec	esp
		push	ebp
		dec	ebp
		inc	ebp
		pop	edi
		dec	ecx
		dec	esi
		inc	esi
		dec	edi
		push	edx
		dec	ebp
		inc	ecx
		push	esp
		dec	ecx
		dec	edi
		dec	esi
; 
		db 3 dup(0)
; 

??_C@_0BH@GNAPBNMO@IRP_MJ_SET_INFORMATION@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A502A8o
					; PAGEVRFD:00AA8A98o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	ebx
		inc	ebp
		push	esp
		pop	edi
		dec	ecx
		dec	esi
		inc	esi
		dec	edi
		push	edx
		dec	ebp
		inc	ecx
		push	esp
		dec	ecx
		dec	edi
		dec	esi
; 
		dw 0
; 

??_C@_0BJ@FPMLIFJJ@IRP_MJ_QUERY_INFORMATION@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A502A4o
					; PAGEVRFD:00AA8A88o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		dec	ecx
		dec	esi
		inc	esi
		dec	edi
		push	edx
		dec	ebp
		inc	ecx
		push	esp
		dec	ecx
		dec	edi
		dec	esi
; 
		dd 0
; 

??_C@_0O@FPNILENL@IRP_MJ_SET_EA@GHGBBCHJ@: ; DATA XREF:	PAGEVRFY:00A502B0o
					; PAGEVRFD:00AA8AB8o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	ebx
		inc	ebp
		push	esp
		pop	edi
		inc	ebp
		inc	ecx
; 
		db 3 dup(0)
; 

??_C@_0BA@LFPMCNA@IRP_MJ_QUERY_EA@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A502ACo
					; PAGEVRFD:00AA8AA8o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		inc	ebp
		inc	ecx
; 
		db 0
; 

??_C@_0P@JJLCIODE@IRP_MJ_CLEANUP@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A502D8o
					; PAGEVRFD:00AA8B58o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		inc	ebx
		dec	esp
		inc	ebp
		inc	ecx
		dec	esi
		push	ebp
		push	eax
; 
		dw 0
; 

??_C@_0BE@LODBBEFP@IRP_MJ_LOCK_CONTROL@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A502D4o
					; PAGEVRFD:00AA8B48o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		dec	esp
		dec	edi
		inc	ebx
		dec	ebx
		pop	edi
		inc	ebx
		dec	edi
		dec	esi
		push	esp
		push	edx
		dec	edi
		dec	esp

loc_A50727:				; DATA XREF: PAGEVRFY:00A502E0o
					; PAGEVRFD:00AA8B78o
		add	[ecx+52h], cl
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		push	ebx
		inc	ebp
		inc	ebx
		push	ebp
		push	edx
		dec	ecx
		push	esp
		pop	ecx
; 
		db 3 dup(0)
; 

??_C@_0BH@CKPKPKHL@IRP_MJ_CREATE_MAILSLOT@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A502DCo
					; PAGEVRFD:00AA8B68o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		inc	ebx
		push	edx
		inc	ebp
		inc	ecx
		push	esp
		inc	ebp
		pop	edi
		dec	ebp
		inc	ecx
		dec	ecx
		dec	esp
		push	ebx
		dec	esp
		dec	edi
		push	esp
; 
		dw 0
; 

??_C@_0BG@HAFCIBGJ@IRP_MJ_DEVICE_CONTROL@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A502C8o
					; PAGEVRFD:00AA8B18o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
		pop	edi
		inc	ebx
		dec	edi
		dec	esi
		push	esp
		push	edx
		dec	edi
		dec	esp
; 
		db 3 dup(0)
; 

??_C@_0BL@MFHGBIDL@IRP_MJ_FILE_SYSTEM_CONTROL@GHGBBCHJ@: ; DATA	XREF: PAGEVRFY:00A502C4o
					; PAGEVRFD:00AA8B08o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		inc	esi
		dec	ecx
		dec	esp
		inc	ebp
		pop	edi
		push	ebx
		pop	ecx
		push	ebx
		push	esp
		inc	ebp
		dec	ebp
		pop	edi
		inc	ebx
		dec	edi
		dec	esi
		push	esp
		push	edx
		dec	edi
		dec	esp
; 
		dw 0
; 

??_C@_0BA@CDMDNOAC@IRP_MJ_SHUTDOWN@GHGBBCHJ@: ;	DATA XREF: PAGEVRFY:00A502D0o
					; PAGEVRFD:00AA8B38o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	ebx
		dec	eax
		push	ebp
		push	esp
		inc	esp
		dec	edi
		push	edi
		dec	esi

loc_A5079B:				; DATA XREF: PAGEVRFY:00A502CCo
					; PAGEVRFD:00AA8B28o
		add	[ecx+52h], cl
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		dec	ecx
		dec	esi
		push	esp
		inc	ebp
		push	edx
		dec	esi
		inc	ecx
		dec	esp
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
		pop	edi
		inc	ebx
		dec	edi
		dec	esi
		push	esp
		push	edx
		dec	edi
		dec	esp
; 
		dw 0
; 

??_C@_0BB@MFPKCKFI@IRP_MJ_SET_QUOTA@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A502F8o
					; PAGEVRFD:00AA8BD8o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	ebx
		inc	ebp
		push	esp
		pop	edi
		push	ecx
		push	ebp
		dec	edi
		push	esp
		inc	ecx
; 
		dd 0
; 

??_C@_0BD@MDBGANBO@IRP_MJ_QUERY_QUOTA@GHGBBCHJ@: ; DATA	XREF: PAGEVRFY:00A502F4o
					; PAGEVRFD:00AA8BC8o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		push	ecx
		push	ebp
		dec	edi
		push	esp
		inc	ecx
; 
		dw 0
; 

??_C@_1BM@JIPCCEDL@?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAS?$AAt?$AAa?$AAt?$AAi?$AAo?$AAn@GHGBBCHJ@:
		push	edi
		add	[ecx+0], ch
		outsb
		add	[eax+eax+6Fh], ah
		add	[edi+0], dh
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 3 dup(0)
; 

??_C@_0L@EACGAIIF@IRP_MJ_PNP@GHGBBCHJ@:	; DATA XREF: PAGEVRFY:00A502FCo
					; PAGEVRFD:00AA8BE8o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	eax
		dec	esi
		push	eax
; 
		dw 0
; 

??_C@_0N@BGEEMFOO@IRP_MJ_POWER@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A502E8o
					; PAGEVRFD:00AA8B98o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	eax
		dec	edi
		push	edi
		inc	ebp
		push	edx
; 
		dd 0
; 

??_C@_0BE@MPINJCAP@IRP_MJ_SET_SECURITY@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A502E4o
					; PAGEVRFD:00AA8B88o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	ebx
		inc	ebp
		push	esp
		pop	edi
		push	ebx
		inc	ebp
		inc	ebx
		push	ebp
		push	edx
		dec	ecx
		push	esp
		pop	ecx

loc_A5082F:				; DATA XREF: PAGEVRFY:00A502F0o
					; PAGEVRFD:00AA8BB8o
		add	[ecx+52h], cl
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
		pop	edi
		inc	ebx
		dec	eax
		inc	ecx
		dec	esi
		inc	edi
		inc	ebp
; 
		dd 0
; 

??_C@_0BG@JHIMGJML@IRP_MJ_SYSTEM_CONTROL@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A502ECo
					; PAGEVRFD:00AA8BA8o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	ebx
		pop	ecx
		push	ebx
		push	esp
		inc	ebp
		dec	ebp
		pop	edi
		inc	ebx
		dec	edi
		dec	esi
		push	esp
		push	edx
		dec	edi
		dec	esp
; 
		db 3 dup(0)
; 

??_C@_0BF@KOMFOADK@IRP_MN_ENABLE_EVENTS@GHGBBCHJ@:
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		inc	ebp
		dec	esi
		inc	ecx
		inc	edx
		dec	esp
		inc	ebp
		pop	edi
		inc	ebp
		push	esi
		inc	ebp
		dec	esi
		push	esp
		push	ebx
; 
		dd 0
; 

??_C@_0BK@IOJCDGCI@IRP_MN_CHANGE_SINGLE_ITEM@GHGBBCHJ@:
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		inc	ebx
		dec	eax
		inc	ecx
		dec	esi
		inc	edi
		inc	ebp
		pop	edi
		push	ebx
		dec	ecx
		dec	esi
		inc	edi
		dec	esp
		inc	ebp
		pop	edi
		dec	ecx
		push	esp
		inc	ebp
		dec	ebp
; 
		db 3 dup(0)
; 

??_C@_0BJ@JANDPHON@IRP_MN_ENABLE_COLLECTION@GHGBBCHJ@:
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		inc	ebp
		dec	esi
		inc	ecx
		inc	edx
		dec	esp
		inc	ebp
		pop	edi
		inc	ebx
		dec	edi
		dec	esp
		dec	esp
		inc	ebp
		inc	ebx
		push	esp
		dec	ecx
		dec	edi
		dec	esi
; 
		dd 0
; 

??_C@_0BG@MMHOCBEF@IRP_MN_DISABLE_EVENTS@GHGBBCHJ@:
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		inc	esp
		dec	ecx
		push	ebx
		inc	ecx
		inc	edx
		dec	esp
		inc	ebp
		pop	edi
		inc	ebp
		push	esi
		inc	ebp
		dec	esi
		push	esp
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_0BG@NJEOKIEF@IRP_MN_QUERY_ALL_DATA@GHGBBCHJ@:
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		inc	ecx
		dec	esp
		dec	esp
		pop	edi
		inc	esp
		inc	ecx
		push	esp
		inc	ecx
; 
		db 3 dup(0)
; 

??_C@_1BA@CBCBMBGJ@?$AAD?$AAe?$AAs?$AAk?$AAt?$AAo?$AAp@GHGBBCHJ@:
		inc	esp
		add	[ebp+0], ah
		jnb	short $+2
		imul	eax, [eax], 74h
		add	[edi+0], ch
		jo	short $+2
; 
		dw 0
; 

??_C@_0BO@CADBFJCG@IRP_MN_CHANGE_SINGLE_INSTANCE@GHGBBCHJ@:
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		inc	ebx
		dec	eax
		inc	ecx
		dec	esi
		inc	edi
		inc	ebp
		pop	edi
		push	ebx
		dec	ecx
		dec	esi
		inc	edi
		dec	esp
		inc	ebp
		pop	edi
		dec	ecx
		dec	esi
		push	ebx
		push	esp
		inc	ecx
		dec	esi
		inc	ebx
		inc	ebp
; 
		db 3 dup(0)
; 

??_C@_0BN@KPNLCOKD@IRP_MN_QUERY_SINGLE_INSTANCE@GHGBBCHJ@:
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		push	ebx
		dec	ecx
		dec	esi
		inc	edi
		dec	esp
		inc	ebp
		pop	edi
		dec	ecx
		dec	esi
		push	ebx
		push	esp
		inc	ecx
		dec	esi
		inc	ebx
		inc	ebp
; 
		dd 0
; 

??_C@_0BI@DEIPGBBB@IRP_MN_REMOVE_DEVICE?5?9?5@GHGBBCHJ@: ; DATA	XREF: PAGEVRFY:00A500C0o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	edx
		inc	ebp
		dec	ebp
		dec	edi
		push	esi
		inc	ebp
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp

loc_A50944:				; DATA XREF: PAGEVRFY:00A500BCo
		and	ds:52490020h, ch
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		push	edx
		inc	ebp
		dec	ebp
		dec	edi
		push	esi
		inc	ebp
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
; 
		dw 0
; 

??_C@_0BD@OKOEKPNG@IRP_MN_STOP_DEVICE@GHGBBCHJ@: ; DATA	XREF: PAGEVRFY:00A500C8o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ebx
		push	esp
		dec	edi
		push	eax
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
; 
		dw 0
; 

??_C@_0BM@NHOBKHFC@IRP_MN_CANCEL_REMOVE_DEVICE@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A500C4o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		inc	ebx
		inc	ecx
		dec	esi
		inc	ebx
		inc	ebp
		dec	esp
		pop	edi
		push	edx
		inc	ebp
		dec	ebp
		dec	edi
		push	esi
		inc	ebp
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
; 
		db 0
; 

??_C@_0P@BLFCKDFF@IRP_MN_REGINFO@GHGBBCHJ@:
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	edx
		inc	ebp
		inc	edi
		dec	ecx
		dec	esi
		inc	esi
		dec	edi
; 
		dw 0
; 

??_C@_0BK@JHGPMMFH@IRP_MN_DISABLE_COLLECTION@GHGBBCHJ@:
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		inc	esp
		dec	ecx
		push	ebx
		inc	ecx
		inc	edx
		dec	esp
		inc	ebp
		pop	edi
		inc	ebx
		dec	edi
		dec	esp
		dec	esp
		inc	ebp
		inc	ebx
		push	esp
		dec	ecx
		dec	edi
		dec	esi
; 
		db 3 dup(0)
; 

??_C@_0BE@LNOGIHJB@IRP_MN_START_DEVICE@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:_PnPIrpNameso
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ebx
		push	esp
		inc	ecx
		push	edx
		push	esp
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
; 
		db 0
; 

??_C@_0BG@BOODMHMA@IRP_MN_EXECUTE_METHOD@GHGBBCHJ@:
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		inc	ebp
		pop	eax
		inc	ebp
		inc	ebx
		push	ebp
		push	esp
		inc	ebp
		pop	edi
		dec	ebp
		inc	ebp
		push	esp
		dec	eax
		dec	edi
		inc	esp
; 
		db 3 dup(0)
; 

??_C@_0BH@BAILDNEP@IRP_MN_QUERY_RESOURCES@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A500E0o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		push	edx
		inc	ebp
		push	ebx
		dec	edi
		push	ebp
		push	edx
		inc	ebx
		inc	ebp
		push	ebx
; 
		dw 0
; 

??_C@_0BK@FNPJPCCF@IRP_MN_QUERY_CAPABILITIES@GHGBBCHJ@:	; DATA XREF: PAGEVRFY:00A500DCo
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		inc	ebx
		inc	ecx
		push	eax
		inc	ecx
		inc	edx
		dec	ecx
		dec	esp
		dec	ecx
		push	esp
		dec	ecx
		inc	ebp
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_0BJ@KBKMPMKH@IRP_MN_QUERY_DEVICE_TEXT@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A500E8o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
		pop	edi
		push	esp
		inc	ebp
		pop	eax
		push	esp
; 
		dd 0
; 

??_C@_0CD@MPPOHAEF@IRP_MN_QUERY_RESOURCE_REQUIREME@GHGBBCHJ@:
					; DATA XREF: PAGEVRFY:00A500E4o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		push	edx
		inc	ebp
		push	ebx
		dec	edi
		push	ebp
		push	edx
		inc	ebx
		inc	ebp
		pop	edi
		push	edx
		inc	ebp
		push	ecx
		push	ebp
		dec	ecx
		push	edx
		inc	ebp
		dec	ebp
		inc	ebp
		dec	esi
		push	esp
		push	ebx
; 
		dw 0
; 

??_C@_0BK@IHBBLJPI@IRP_MN_CANCEL_STOP_DEVICE@GHGBBCHJ@:	; DATA XREF: PAGEVRFY:00A500D0o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		inc	ebx
		inc	ecx
		dec	esi
		inc	ebx
		inc	ebp
		dec	esp
		pop	edi
		push	ebx
		push	esp
		dec	edi
		push	eax
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
; 
		db 3 dup(0)
; 

??_C@_0BJ@DBBODAKD@IRP_MN_QUERY_STOP_DEVICE@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A500CCo
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		push	ebx
		push	esp
		dec	edi
		push	eax
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
; 
		dd 0
; 

??_C@_0BH@NJFMIPMO@IRP_MN_QUERY_INTERFACE@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A500D8o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		dec	ecx
		dec	esi
		push	esp
		inc	ebp
		push	edx
		inc	esi
		inc	ecx
		inc	ebx
		inc	ebp
; 
		dw 0
; 

??_C@_0BO@EDNJKJCF@IRP_MN_QUERY_DEVICE_RELATIONS@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A500D4o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
		pop	edi
		push	edx
		inc	ebp
		dec	esp
		inc	ecx
		push	esp
		dec	ecx
		dec	edi
		dec	esi
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_0BA@JCIHPHAO@IRP_MN_SET_LOCK@GHGBBCHJ@: ;	DATA XREF: PAGEVRFY:00A50100o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ebx
		inc	ebp
		push	esp
		pop	edi
		dec	esp
		dec	edi
		inc	ebx
		dec	ebx

loc_A50ADF:				; DATA XREF: PAGEVRFY:00A500FCo
		add	[ecx+52h], cl
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		inc	ebp
		dec	edx
		inc	ebp
		inc	ebx
		push	esp
; 
		dd 0
; 

??_C@_0BO@CLJGNPDL@IRP_MN_QUERY_PNP_DEVICE_STATE@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A50108o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		push	eax
		dec	esi
		push	eax
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
		pop	edi
		push	ebx
		push	esp
		inc	ecx
		push	esp
		inc	ebp
; 
		db 3 dup(0)
; 

??_C@_0BA@MPOLLMHD@IRP_MN_QUERY_ID@GHGBBCHJ@: ;	DATA XREF: PAGEVRFY:00A50104o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		dec	ecx
		inc	esp
; 
		db 0
; 

??_C@_0BB@ENDMDNDI@INVALID_IRP_CODE@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A500F0o
		dec	ecx
		dec	esi
		push	esi
		inc	ecx
		dec	esp
		dec	ecx
		inc	esp
		pop	edi
		dec	ecx
		push	edx
		push	eax
		pop	edi
		inc	ebx
		dec	edi
		inc	esp
		inc	ebp
; 
		dd 0
; 

??_C@_0CE@FFGNIHMK@IRP_MN_FILTER_RESOURCE_REQUIREM@GHGBBCHJ@:
					; DATA XREF: PAGEVRFY:00A500ECo
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		inc	esi
		dec	ecx
		dec	esp
		push	esp
		inc	ebp
		push	edx
		pop	edi
		push	edx
		inc	ebp
		push	ebx
		dec	edi
		push	ebp
		push	edx
		inc	ebx
		inc	ebp
		pop	edi
		push	edx
		inc	ebp
		push	ecx
		push	ebp
		dec	ecx
		push	edx
		inc	ebp
		dec	ebp
		inc	ebp
		dec	esi
		push	esp
		push	ebx

loc_A50B57:				; DATA XREF: PAGEVRFY:00A500F8o
		add	[ecx+52h], cl
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	edi
		push	edx
		dec	ecx
		push	esp
		inc	ebp
		pop	edi
		inc	ebx
		dec	edi
		dec	esi
		inc	esi
		dec	ecx
		inc	edi
; 
		db 0
; 

??_C@_0BD@KCLCONNF@IRP_MN_READ_CONFIG@GHGBBCHJ@: ; DATA	XREF: PAGEVRFY:00A500F4o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	edx
		inc	ebp
		inc	ecx
		inc	esp
		pop	edi
		inc	ebx
		dec	edi
		dec	esi
		inc	esi
		dec	ecx
		inc	edi
; 
		dw 0
; 

??_C@_0BG@HJCHODFP@IRP_MN_POWER_SEQUENCE@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A5016Co
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	eax
		dec	edi
		push	edi
		inc	ebp
		push	edx
		pop	edi
		push	ebx
		inc	ebp
		push	ecx
		push	ebp
		inc	ebp
		dec	esi
		inc	ebx
		inc	ebp
; 
		db 3 dup(0)
; 

??_C@_0BB@KEEBPEDL@IRP_MN_WAIT_WAKE@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:_PowerIrpNameso
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	edi
		inc	ecx
		dec	ecx
		push	esp
		pop	edi
		push	edi
		inc	ecx
		dec	ebx
		inc	ebp
; 
		dd 0
; 

??_C@_0BD@NCBACJCG@IRP_MN_QUERY_POWER@GHGBBCHJ@: ; DATA	XREF: PAGEVRFY:00A50174o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		push	eax
		dec	edi
		push	edi
		inc	ebp
		push	edx
; 
		dw 0
; 

??_C@_0BB@MOFGLKAE@IRP_MN_SET_POWER@GHGBBCHJ@: ; DATA XREF: PAGEVRFY:00A50170o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ebx
		inc	ebp
		push	esp
		pop	edi
		push	eax
		dec	edi
		push	edi
		inc	ebp
		push	edx
; 
		dd 0
; 

??_C@_0CB@EEGIBKLH@IRP_MN_DEVICE_USAGE_NOTIFICATIO@GHGBBCHJ@:
					; DATA XREF: PAGEVRFY:00A50110o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
		pop	edi
		push	ebp
		push	ebx
		inc	ecx
		inc	edi
		inc	ebp
		pop	edi
		dec	esi
		dec	edi
		push	esp
		dec	ecx
		inc	esi
		dec	ecx
		inc	ebx
		inc	ecx
		push	esp
		dec	ecx
		dec	edi
		dec	esi
; 
		dd 0
; 

??_C@_0BN@FKLLPNEA@IRP_MN_QUERY_BUS_INFORMATION@GHGBBCHJ@: ; DATA XREF:	PAGEVRFY:00A5010Co
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		inc	edx
		push	ebp
		push	ebx
		pop	edi
		dec	ecx
		dec	esi
		inc	esi
		dec	edi
		push	edx
		dec	ebp
		inc	ecx
		push	esp
		dec	ecx
		dec	edi
		dec	esi
; 
		dd 0
; 

??_C@_0CE@OHHBNDAB@IRP_MN_QUERY_LEGACY_BUS_INFORMA@GHGBBCHJ@:
					; DATA XREF: PAGEVRFY:00A50118o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ecx
		push	ebp
		inc	ebp
		push	edx
		pop	ecx
		pop	edi
		dec	esp
		inc	ebp
		inc	edi
		inc	ecx
		inc	ebx
		pop	ecx
		pop	edi
		inc	edx
		push	ebp
		push	ebx
		pop	edi
		dec	ecx
		dec	esi
		inc	esi
		dec	edi
		push	edx
		dec	ebp
		inc	ecx
		push	esp
		dec	ecx
		dec	edi
		dec	esi
; 
		db 0
; 

??_C@_0BI@JJMGKCHF@IRP_MN_SURPRISE_REMOVAL@GHGBBCHJ@: ;	DATA XREF: PAGEVRFY:00A50114o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		push	ebx
		push	ebp
		push	edx
		push	eax
		push	edx
		dec	ecx
		push	ebx
		inc	ebp
		pop	edi
		push	edx
		inc	ebp
		dec	ebp
		dec	edi
		push	esi
		inc	ecx
		dec	esp
		add	[eax+6Fh], dl
		ja	short near ptr loc_A50CBC+1
		jb	short loc_A50CAD
		jns	short near ptr loc_A50CCE+1
		jz	short loc_A50CC3
		insd
		dec	eax
		imul	esp, [edx+65h],	74616E72h
		db	65h, 2Eh
		push	ebx
		xor	al, 0

??_C@_0BI@OJBINKHC@PowerSystemSleeping3?4S3@GHGBBCHJ@:
		push	eax
		outsd
		ja	short near ptr loc_A50CD4+1
		jb	short near ptr loc_A50CC3+2
		jns	short near ptr loc_A50CE6+1
		jz	short loc_A50CDB
		insd
		push	ebx
		insb
		db	65h, 65h
		jo	short loc_A50CE6
		outsb
		xor	ebp, ds:3353h
		add	[eax+6Fh], dl
		ja	short near ptr loc_A50CEC+1
		jb	short loc_A50CCE
		db	65h
		jbe	short loc_A50CF6
		arpl	[ebp+55h], sp
		outsb
		jnb	short near ptr loc_A50D02+1
		arpl	gs:[ecx+66h], bp
		imul	esp, [ebp+64h],	6F500000h
		ja	short near ptr loc_A50D04+1
		jb	short loc_A50CF5
		jns	short near ptr loc_A50D16+1
		jz	short near ptr loc_A50D09+2
		insd
		push	ebx
		push	6F647475h

loc_A50CAD:				; CODE XREF: PAGEVRFY:00A50C58j
		ja	short near ptr loc_A50D1A+3
		db	2Eh
		push	ebx
; 
		db 35h,	2 dup(0)
; 

??_C@_0BG@CCBCDFCA@PowerSystemWorking?4S0@GHGBBCHJ@:
		push	eax
		outsd
		ja	short near ptr loc_A50D1A+3
		jb	short loc_A50D0D
		jns	short near ptr loc_A50D2E+1

loc_A50CBC:				; CODE XREF: PAGEVRFY:00A50C56j
		jz	short loc_A50D23
		insd
		push	edi
		outsd
		jb	short loc_A50D2E

loc_A50CC3:				; CODE XREF: PAGEVRFY:00A50C5Cj
					; PAGEVRFY:00A50C70j
		imul	ebp, [esi+67h],	30532Eh
; 
		dw 0
; 

??_C@_0BH@EHCPJIHK@PowerSystemUnspecified@GHGBBCHJ@:
		push	eax
		outsd

loc_A50CCE:				; CODE XREF: PAGEVRFY:00A50C88j
					; PAGEVRFY:00A50C5Aj
		ja	short loc_A50D35
		jb	short loc_A50D25
		jns	short near ptr loc_A50D44+3

loc_A50CD4:				; CODE XREF: PAGEVRFY:00A50C6Ej
		jz	short near ptr loc_A50D3A+1
		insd
		push	ebp
		outsb
		jnb	short loc_A50D4B

loc_A50CDB:				; CODE XREF: PAGEVRFY:00A50C74j
		arpl	gs:[ecx+66h], bp
; 
		db 69h
		dd 6465h
; 

??_C@_0BI@MNGDMCID@PowerSystemSleeping2?4S2@GHGBBCHJ@:
		push	eax
		outsd

loc_A50CE6:				; CODE XREF: PAGEVRFY:00A50C79j
					; PAGEVRFY:00A50C72j
		ja	short near ptr loc_A50D4B+2
		jb	short near ptr loc_A50D3C+1
		jns	short near ptr loc_A50D5D+2

loc_A50CEC:				; CODE XREF: PAGEVRFY:00A50C86j
		jz	short near ptr loc_A50D52+1
		insd
		push	ebx
		insb
		db	65h, 65h
		jo	short near ptr loc_A50D5D+1

loc_A50CF5:				; CODE XREF: PAGEVRFY:00A50CA0j
		outsb

loc_A50CF6:				; CODE XREF: PAGEVRFY:00A50C8Aj
		xor	ch, ds:3253h
		add	[eax+6Fh], dl
		ja	short loc_A50D65
		jb	short near ptr loc_A50D54+1

loc_A50D02:				; CODE XREF: PAGEVRFY:00A50C91j
		jns	short near ptr loc_A50D76+1

loc_A50D04:				; CODE XREF: PAGEVRFY:00A50C9Ej
		jz	short near ptr loc_A50D6A+1
		insd
		push	ebx
		insb

loc_A50D09:				; CODE XREF: PAGEVRFY:00A50CA4j
		db	65h, 65h
		jo	short loc_A50D76

loc_A50D0D:				; CODE XREF: PAGEVRFY:00A50CB8j
		outsb
		xor	ds:3153h, ebp
; 
		db 0
; 

??_C@_0BE@HJBJLEEB@PowerActionReserved@GHGBBCHJ@:
		push	eax
		outsd

loc_A50D16:				; CODE XREF: PAGEVRFY:00A50CA2j
		ja	short loc_A50D7D
		jb	short loc_A50D5B

loc_A50D1A:				; CODE XREF: PAGEVRFY:loc_A50CADj
					; PAGEVRFY:00A50CB6j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		push	edx
		db	65h
		jnb	short loc_A50D88

loc_A50D23:				; CODE XREF: PAGEVRFY:loc_A50CBCj
		jb	short near ptr loc_A50D9A+1

loc_A50D25:				; CODE XREF: PAGEVRFY:00A50CD0j
		db	65h
		add	fs:[eax+6Fh], dl
		ja	short near ptr loc_A50D90+1
		jb	short near ptr loc_A50D6D+2

loc_A50D2E:				; CODE XREF: PAGEVRFY:00A50CC1j
					; PAGEVRFY:00A50CBAj
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		dec	esi
		outsd

loc_A50D35:				; CODE XREF: PAGEVRFY:loc_A50CCEj
		outsb
		add	gs:[eax+6Fh], dl

loc_A50D3A:				; CODE XREF: PAGEVRFY:loc_A50CD4j
		ja	short near ptr loc_A50DA0+1

loc_A50D3C:				; CODE XREF: PAGEVRFY:00A50CE8j
		jb	short near ptr loc_A50D7D+2
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		dec	eax

loc_A50D44:				; CODE XREF: PAGEVRFY:00A50CD2j
		imul	esp, [edx+65h],	74616E72h

loc_A50D4B:				; CODE XREF: PAGEVRFY:00A50CD9j
					; PAGEVRFY:loc_A50CE6j
		add	gs:[eax], al
; 
		dw 0
; 

??_C@_0BB@IAPEOOEG@PowerActionSleep@GHGBBCHJ@:
		push	eax
		outsd

loc_A50D52:				; CODE XREF: PAGEVRFY:loc_A50CECj
		ja	short near ptr loc_A50DB8+1

loc_A50D54:				; CODE XREF: PAGEVRFY:00A50D00j
		jb	short near ptr loc_A50D96+1
		arpl	[ecx+ebp*2+6Fh], si
		outsb

loc_A50D5B:				; CODE XREF: PAGEVRFY:00A50D18j
		push	ebx
		insb

loc_A50D5D:				; CODE XREF: PAGEVRFY:00A50CF1j
					; PAGEVRFY:00A50CEAj
		db	65h, 65h
		jo	short $+4
; 
		db 3 dup(0)
; 

??_C@_0O@HLLDCKDP@PowerDeviceD1@GHGBBCHJ@:
		push	eax

loc_A50D65:				; CODE XREF: PAGEVRFY:00A50CFEj
		outsd
		ja	short near ptr loc_A50DCC+1
		jb	short loc_A50DAE

loc_A50D6A:				; CODE XREF: PAGEVRFY:loc_A50D04j
		db	65h
		jbe	short loc_A50DD6

loc_A50D6D:				; CODE XREF: PAGEVRFY:00A50D2Cj
		arpl	[ebp+44h], sp
		xor	[eax], eax
; 
		dw 0
; 

??_C@_0O@GCKIBLHO@PowerDeviceD0@GHGBBCHJ@:
		push	eax
		outsd

loc_A50D76:				; CODE XREF: PAGEVRFY:loc_A50D09j
					; PAGEVRFY:loc_A50D02j
		ja	short near ptr loc_A50DDA+3
		jb	short near ptr word_A50DBE
		db	65h
		jbe	short loc_A50DE6

loc_A50D7D:				; CODE XREF: PAGEVRFY:loc_A50D16j
					; PAGEVRFY:loc_A50D3Cj
		arpl	[ebp+44h], sp
		xor	[eax], al
; 
		dw 0
; 

??_C@_0O@EJIFEILN@PowerDeviceD3@GHGBBCHJ@:
		push	eax
		outsd
		ja	short loc_A50DED

loc_A50D88:				; CODE XREF: PAGEVRFY:00A50D20j
		jb	short near ptr loc_A50DCC+2
		db	65h
		jbe	short loc_A50DF6
		arpl	[ebp+44h], sp

loc_A50D90:				; CODE XREF: PAGEVRFY:00A50D2Aj
		xor	eax, [eax]
; 
		dw 0
; 

??_C@_0O@FAJOHJPM@PowerDeviceD2@GHGBBCHJ@:
		push	eax
		outsd

loc_A50D96:				; CODE XREF: PAGEVRFY:loc_A50D54j
		ja	short loc_A50DFD
		jb	short loc_A50DDE

loc_A50D9A:				; CODE XREF: PAGEVRFY:loc_A50D23j
		db	65h
		jbe	short near ptr byte_A50E06
		arpl	[ebp+44h], sp

loc_A50DA0:				; CODE XREF: PAGEVRFY:loc_A50D3Aj
		xor	al, [eax]
; 
		dw 0
; 

??_C@_0BJ@JMIDEKIA@PowerActionShutdownReset@GHGBBCHJ@:
		push	eax
		outsd
		ja	short near ptr byte_A50E0D
		jb	short near ptr byte_A50DEB
		arpl	[ecx+ebp*2+6Fh], si

loc_A50DAE:				; CODE XREF: PAGEVRFY:00A50D68j
		outsb
		push	ebx
		push	6F647475h
		ja	short near ptr byte_A50E25
		push	edx

loc_A50DB8:				; CODE XREF: PAGEVRFY:loc_A50D52j
		db	65h
		jnb	short near ptr loc_A50E1F+1
		jz	short $+2
; 
		db 0
word_A50DBE	dw 0			; CODE XREF: PAGEVRFY:00A50D78j
; 

??_C@_0BE@HJMBLEHE@PowerActionShutdown@GHGBBCHJ@:
		push	eax
		outsd
		ja	short loc_A50E29
		jb	short near ptr byte_A50E07
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		push	ebx

loc_A50DCC:				; CODE XREF: PAGEVRFY:00A50D66j
					; PAGEVRFY:loc_A50D88j
		push	6F647475h
		ja	short loc_A50E41
		add	[eax+6Fh], dl

loc_A50DD6:				; CODE XREF: PAGEVRFY:loc_A50D6Aj
		ja	short near ptr loc_A50E39+4
		jb	short loc_A50E1B

loc_A50DDA:				; CODE XREF: PAGEVRFY:loc_A50D76j
		arpl	[ecx+ebp*2+6Fh], si

loc_A50DDE:				; CODE XREF: PAGEVRFY:00A50D98j
		outsb
		push	edi
		popa
		jb	short loc_A50E50
		inc	ebp
		push	65h

loc_A50DE6:				; CODE XREF: PAGEVRFY:00A50D7Aj
		arpl	[eax+eax+0], si
; 
		db 0
byte_A50DEB	db 0			; CODE XREF: PAGEVRFY:00A50DA8j
; 

??_C@_0BH@IDLIGKLH@PowerActionShutdownOff@GHGBBCHJ@:
		push	eax

loc_A50DED:				; CODE XREF: PAGEVRFY:00A50D86j
		outsd
		ja	short near ptr loc_A50E54+1
		jb	short near ptr loc_A50E2F+4
		arpl	[ecx+ebp*2+6Fh], si

loc_A50DF6:				; CODE XREF: PAGEVRFY:00A50D8Aj
		outsb
		push	ebx
		push	6F647475h

loc_A50DFD:				; CODE XREF: PAGEVRFY:loc_A50D96j
		ja	short near ptr loc_A50E6A+3
		dec	edi
		db	66h, 66h
		add	[eax], al
; 
_GUID_BOGUS_INTERFACE db 2 dup(0)	; DATA XREF: VfPnpTestStartedPdoStack(x)+112o
byte_A50E06	db 0			; CODE XREF: PAGEVRFY:loc_A50D9Aj
byte_A50E07	db 0			; CODE XREF: PAGEVRFY:00A50DC4j
		dd 0
		db 0
byte_A50E0D	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A50DA6j
		dd 0

;  S U B	R O U T	I N E 


; void GUID_VERIFIER_WMI_INTERFACE
_GUID_VERIFIER_WMI_INTERFACE proc near	; DATA XREF: ViDdiBuildWmiRegInfoData(x,x)+15o
					; ViDdiDispatchWmiQueryAllData(x,x)+33o
		sub	byte ptr [ecx],	2Ch
		push	ds
		fcomi	st, st(7)
		stosb

loc_A50E1B:				; CODE XREF: PAGEVRFY:00A50DD8j
		inc	esi
		or	byte ptr [esi],	87h

loc_A50E1F:				; CODE XREF: PAGEVRFY:loc_A50DB8j
		xor	al, 0FCh
		retn	4C1Fh
_GUID_VERIFIER_WMI_INTERFACE endp ; sp = -4

; 
		db 0
byte_A50E25	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A50DB5j
; 

??_C@_0JG@OMGDOMDM@Caller?5is?5forwarding?5an?5IRP?5tha@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA82F8o
		inc	ebx

loc_A50E29:				; CODE XREF: PAGEVRFY:00A50DC2j
		popa
		insb
		insb
		db	65h
		jb	short near ptr loc_A50E49+6

loc_A50E2F:				; CODE XREF: PAGEVRFY:00A50DF0j
		imul	esi, [ebx+20h],	77726F66h
		popa
		jb	short near ptr loc_A50E9B+2

loc_A50E39:				; CODE XREF: PAGEVRFY:loc_A50DD6j
		imul	ebp, [esi+67h],	206E6120h
		dec	ecx

loc_A50E41:				; CODE XREF: PAGEVRFY:00A50DD1j
		push	edx
		push	eax
		and	[eax+ebp*2+61h], dh
		jz	short loc_A50E69

loc_A50E49:				; CODE XREF: PAGEVRFY:00A50E2Cj
		imul	esi, [ebx+20h],	72727563h

loc_A50E50:				; CODE XREF: PAGEVRFY:00A50DE1j
		outs	dx, byte ptr gs:[esi]
		jz	short ??_C@_0CN@NJIDPCJN@Caller?5has?5passed?5in?5NULL?5as?5a?5@GHGBBCHJ@

loc_A50E54:				; CODE XREF: PAGEVRFY:00A50DEEj
		jns	short near ptr loc_A50E75+1
		jno	short loc_A50ECD
		db	65h
		jnz	short ??_C@_0CN@NJIDPCJN@Caller?5has?5passed?5in?5NULL?5as?5a?5@GHGBBCHJ@
		and	fs:[edx+65h], ah
		outsb
		db	65h
		popa
		jz	short loc_A50ECC
		and	[ecx+74h], ch
		and	[eax], esp

loc_A50E69:				; CODE XREF: PAGEVRFY:00A50E47j
		push	esp

loc_A50E6A:				; CODE XREF: PAGEVRFY:loc_A50DFDj
		push	6F630A65h
		db	64h
		and	gs:[eax+61h], ch
		outsb

loc_A50E75:				; CODE XREF: PAGEVRFY:loc_A50E54j
		db	64h
		insb
		imul	ebp, [esi+67h],	50524920h
		jnb	short near ptr loc_A50E9F+1
		jb	short near ptr loc_A50EE6+1
		jz	short near ptr loc_A50EF8+1
		jb	short near ptr loc_A50EF1+3
		imul	ebp, [esi+67h],	41545320h
		push	esp
		push	ebp
		push	ebx
		pop	edi
		push	eax
		inc	ebp
		dec	esi
		inc	esp
		dec	ecx
		dec	esi
		inc	edi
		and	[ecx+6Eh], ch

loc_A50E9B:				; CODE XREF: PAGEVRFY:00A50E37j
		and	[eax+ebp*2+69h], dh

loc_A50E9F:				; CODE XREF: PAGEVRFY:00A50E7Ej
		jnb	short loc_A50EC1
		db	64h
		jb	short loc_A50F0D
		jbe	short loc_A50F0B
		jb	short near ptr loc_A50EC7+1
		popa
		jo	short loc_A50F1B
		db	65h
		popa
		jb	short loc_A50F22
		and	[edi+ebp*2+0Ah], dh
		bound	esp, [ebp+20h]
		bound	esi, [edx+6Fh]
		imul	esp, [ebp+6Eh],	2Eh
; 
		db 3 dup(0)
; 

??_C@_0CN@NJIDPCJN@Caller?5has?5passed?5in?5NULL?5as?5a?5@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A50E52j
					; PAGEVRFY:00A50E58j
					; DATA XREF: ...
		inc	ebx

loc_A50EC1:				; CODE XREF: PAGEVRFY:loc_A50E9Fj
		popa
		insb
		insb
		db	65h
		jb	short near ptr loc_A50EE6+1

loc_A50EC7:				; CODE XREF: PAGEVRFY:00A50EA6j
		push	70207361h

loc_A50ECC:				; CODE XREF: PAGEVRFY:00A50E62j
		popa

loc_A50ECD:				; CODE XREF: PAGEVRFY:00A50E56j
		jnb	short loc_A50F42
		db	65h
		and	fs:[ecx+6Eh], ch
		and	[esi+55h], cl
		dec	esp
		dec	esp
		and	[ecx+73h], ah
		and	[ecx+20h], ah
		inc	esp
		db	65h
		jbe	short loc_A50F4C
		arpl	[ebp+4Fh], sp

loc_A50EE6:				; CODE XREF: PAGEVRFY:00A50E80j
					; PAGEVRFY:00A50EC4j
		bound	ebp, [edx+65h]
		arpl	[esi+ebp+0], si
; 
		db 3 dup(0)
; 

??_C@_0GJ@CBLDFCND@This?5IRP?5is?5about?5to?5run?5out?5of@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8310o
		push	esp

loc_A50EF1:				; CODE XREF: PAGEVRFY:00A50E84j
		push	49207369h
		push	edx
		push	eax

loc_A50EF8:				; CODE XREF: PAGEVRFY:00A50E82j
		and	[ecx+73h], ch
		and	[ecx+62h], ah
		outsd
		jnz	short near ptr loc_A50F74+1
		and	[edi+ebp*2+20h], dh
		jb	short near ptr loc_A50F77+5
		outsb
		and	[edi+75h], ch

loc_A50F0B:				; CODE XREF: PAGEVRFY:00A50EA4j
		jz	short loc_A50F2D

loc_A50F0D:				; CODE XREF: PAGEVRFY:00A50EA1j
		outsd
		db	66h
		and	[ebx+74h], dh
		popa
		arpl	[ebx+20h], bp
		insb
		outsd
		arpl	[ecx+74h], sp

loc_A50F1B:				; CODE XREF: PAGEVRFY:00A50EA9j
		imul	ebp, [edi+6Eh],	53202E73h

loc_A50F22:				; CODE XREF: PAGEVRFY:00A50EADj
		outsd
		insd
		outs	dx, dword ptr gs:[esi]
		outsb
		and	gs:[ebp+61h], ch
		jns	short loc_A50F4D

loc_A50F2D:				; CODE XREF: PAGEVRFY:loc_A50F0Bj
		push	0A657661h
		outsw
		jb	short loc_A50FAD
		popa
		jb	short near ptr loc_A50F9B+2
		db	65h
		and	fs:[eax+ebp*2+69h], dh
		jnb	short loc_A50F61
		dec	ecx

loc_A50F42:				; CODE XREF: PAGEVRFY:loc_A50ECDj
		push	edx
		push	eax
		and	[esi+72h], ah
		outsd
		insd
		and	[ecx+6Eh], ah

loc_A50F4C:				; CODE XREF: PAGEVRFY:00A50EE0j
		outsd

loc_A50F4D:				; CODE XREF: PAGEVRFY:00A50F2Bj
		jz	short loc_A50FB7
		db	65h
		jb	short loc_A50F72
		jnb	short near ptr loc_A50FC3+5
		popa
		arpl	[ebx+2Eh], bp
; 
		dd 2 dup(0)
; 

??_C@_0JI@KJDDBKCF@Caller?5has?5manually?5copied?5the?5@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8304o
		inc	ebx

loc_A50F61:				; CODE XREF: PAGEVRFY:00A50F3Fj
		popa
		insb
		insb
		db	65h
		jb	short loc_A50F87
		push	6D207361h
		popa
		outsb
		jnz	short loc_A50FD1
		insb
		insb

loc_A50F72:				; CODE XREF: PAGEVRFY:00A50F4Fj
		jns	short loc_A50F94

loc_A50F74:				; CODE XREF: PAGEVRFY:00A50EFFj
		arpl	[edi+70h], bp

loc_A50F77:				; CODE XREF: PAGEVRFY:00A50F05j
		imul	esp, [ebp+64h],	65687420h
		and	[ebx+74h], dh
		popa
		arpl	[ebx+20h], bp
		popa
		outsb

loc_A50F87:				; CODE XREF: PAGEVRFY:00A50F64j
		and	fs:[eax+61h], ch
		jnb	short loc_A50FAD
		imul	ebp, [esi+61h],	72657664h

loc_A50F94:				; CODE XREF: PAGEVRFY:loc_A50F72j
		jz	short near ptr byte_A50FF7
		outsb
		jz	short near ptr loc_A51004+1
		jns	short near ptr loc_A50FB9+2

loc_A50F9B:				; CODE XREF: PAGEVRFY:00A50F37j
		arpl	[edi+70h], bp
		imul	esp, [ebp+64h],	65687420h
		or	dh, [ebp+70h]
		jo	short loc_A5100F
		jb	short loc_A50FCC
		insb

loc_A50FAD:				; CODE XREF: PAGEVRFY:00A50F34j
					; PAGEVRFY:00A50F8Bj
		popa
		jns	short near ptr loc_A51012+3
		jb	short loc_A50FD9
		jnb	short near ptr loc_A50FD1+3
		arpl	[edi+6Dh], bp

loc_A50FB7:				; CODE XREF: PAGEVRFY:loc_A50F4Dj
		jo	short loc_A51025

loc_A50FB9:				; CODE XREF: PAGEVRFY:00A50F99j
		db	65h
		jz	short loc_A51025
		outsd
		outsb
		and	[edx+6Fh], dh
		jnz	short loc_A51037

loc_A50FC3:				; CODE XREF: PAGEVRFY:00A50F52j
		imul	ebp, [esi+65h],	6C50202Eh
		db	65h
		popa

loc_A50FCC:				; CODE XREF: PAGEVRFY:00A50FAAj
		jnb	short near ptr loc_A51032+1
		and	[ebp+73h], dh

loc_A50FD1:				; CODE XREF: PAGEVRFY:00A50F6Ej
					; PAGEVRFY:00A50FB2j
		or	cl, gs:[ecx+6Fh]
		inc	ebx
		outsd
		jo	short near ptr loc_A51051+1

loc_A50FD9:				; CODE XREF: PAGEVRFY:00A50FB0j
		inc	ebx
		jnz	short loc_A5104E
		jb	short loc_A51043
		outsb
		jz	short near ptr loc_A51028+2
		jb	short near ptr loc_A51051+2
		push	ebx
		jz	short loc_A51047
		arpl	[ebx+4Ch], bp
		outsd
		arpl	[ecx+74h], sp
		imul	ebp, [edi+6Eh],	654E6F54h
		js	short near ptr loc_A51069+1
; 
		db 2Eh
byte_A50FF7	db 0			; CODE XREF: PAGEVRFY:loc_A50F94j
; 

??_C@_0NO@HIIMOMJF@A?5device?5is?5deleting?5itself?5whi@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:off_AA82C8o
		inc	ecx
		and	[ebp+76h], ah
		imul	esp, [ebx+65h],	20736920h

loc_A51004:				; CODE XREF: PAGEVRFY:00A50F97j
		db	64h, 65h
		insb
		db	65h
		jz	short near ptr loc_A51071+2
		outsb
		and	[bx+di+74h], ch

loc_A5100F:				; CODE XREF: PAGEVRFY:00A50FA8j
		jnb	short loc_A51076
		insb

loc_A51012:				; CODE XREF: PAGEVRFY:00A50FAEj
		db	66h
		and	[edi+68h], dh
		imul	ebp, [ebp+20h],	72656874h
		and	gs:[ecx+73h], ch
		and	[ecx+6Eh], ah

loc_A51025:				; CODE XREF: PAGEVRFY:loc_A50FB7j
					; PAGEVRFY:loc_A50FB9j
		outsd
		jz	short loc_A51090

loc_A51028:				; CODE XREF: PAGEVRFY:00A50FDFj
		db	65h
		jb	short loc_A5104B
		db	64h, 65h
		jbe	short near ptr loc_A51096+2
		arpl	[ebp+20h], sp

loc_A51032:				; CODE XREF: PAGEVRFY:loc_A50FCCj
		bound	esp, [ebp+6Eh]
		db	65h
		popa

loc_A51037:				; CODE XREF: PAGEVRFY:00A50FC1j
		jz	short near ptr loc_A5109F+2
		and	[ecx+74h], ch
		and	[ecx+6Eh], ch
		or	dh, [eax+ebp*2+65h]

loc_A51043:				; CODE XREF: PAGEVRFY:00A50FDCj
		and	[edx+esi*2+69h], ah

loc_A51047:				; CODE XREF: PAGEVRFY:00A50FE4j
		jbe	short near ptr loc_A510AD+1
		jb	short near ptr loc_A51069+2

loc_A5104B:				; CODE XREF: PAGEVRFY:loc_A51028j
		jnb	short loc_A510C1
		popa

loc_A5104E:				; CODE XREF: PAGEVRFY:00A50FDAj
		arpl	[ebx+2Eh], bp

loc_A51051:				; CODE XREF: PAGEVRFY:00A50FD7j
					; PAGEVRFY:00A50FE1j
		and	[eax+ebp*2+69h], dl
		jnb	short loc_A51077
		insd
		popa
		jns	short near ptr loc_A5107A+1
		bound	esp, [ebp+20h]
		bound	esp, [ebp+63h]
		popa
		jnz	short loc_A510D7
		and	gs:[eax+ebp*2+65h], dh

loc_A51069:				; CODE XREF: PAGEVRFY:00A50FF4j
					; PAGEVRFY:00A51049j
		and	[ebx+61h], ah
		insb
		insb
		db	65h
		jb	short near ptr loc_A51090+1

loc_A51071:				; CODE XREF: PAGEVRFY:00A51007j
		push	66207361h

loc_A51076:				; CODE XREF: PAGEVRFY:loc_A5100Fj
		outsd

loc_A51077:				; CODE XREF: PAGEVRFY:00A51055j
		jb	short near ptr loc_A510DF+1
		outsd

loc_A5107A:				; CODE XREF: PAGEVRFY:00A51059j
		jz	short loc_A510F0
		outs	dx, byte ptr gs:[esi]
		and	[edi+ebp*2+20h], dh
		arpl	[ecx+6Ch], sp
		insb
		or	cl, [ecx+6Fh]
		inc	esp
		db	65h
		jz	short loc_A510EE
		arpl	[eax+44h], bp

loc_A51090:				; CODE XREF: PAGEVRFY:00A51026j
					; PAGEVRFY:00A5106Ej
		db	65h
		jbe	short near ptr loc_A510FB+1
		arpl	[ebp+20h], sp

loc_A51096:				; CODE XREF: PAGEVRFY:00A5102Bj
		imul	si, [edx+73h], 2C74h
		and	[edi+72h], ch

loc_A5109F:				; CODE XREF: PAGEVRFY:loc_A51037j
		and	[eax+ebp*2+65h], dh
		and	[edi+ebp*2+77h], ch
		db	65h
		jb	short near ptr loc_A510C9+1
		db	64h
		jb	short near ptr loc_A51115+1

loc_A510AD:				; CODE XREF: PAGEVRFY:loc_A51047j
		jbe	short loc_A51114
		jb	short near ptr loc_A510D0+1
		insd
		popa
		jns	short near ptr loc_A510D3+2
		push	20657661h
		imul	ebp, [esi+63h],	6572726Fh

loc_A510C1:				; CODE XREF: PAGEVRFY:loc_A5104Bj
		arpl	[esp+ebp*2+79h], si
		and	[ebp+6Ch], ah

loc_A510C9:				; CODE XREF: PAGEVRFY:00A510A7j
		db	65h
		jz	short loc_A51131
		or	ch, fs:[ecx+74h]

loc_A510D0:				; CODE XREF: PAGEVRFY:00A510AFj
		jnb	short loc_A51137
		insb

loc_A510D3:				; CODE XREF: PAGEVRFY:00A510B3j
		db	66h
		add	cs:[eax], al

loc_A510D7:				; CODE XREF: PAGEVRFY:00A51062j
					; DATA XREF: PAGEVRFD:00AA82E0o
		add	[ecx+20h], al
		db	64h
		jb	short near ptr loc_A51142+4
		jbe	short near ptr loc_A51142+2

loc_A510DF:				; CODE XREF: PAGEVRFY:loc_A51077j
		jb	short near ptr loc_A51100+1
		push	63207361h
		popa
		insb
		insb
		db	65h
		and	fs:[ecx+6Fh], cl

loc_A510EE:				; CODE XREF: PAGEVRFY:00A5108Aj
		inc	ebx
		popa

loc_A510F0:				; CODE XREF: PAGEVRFY:loc_A5107Aj
		insb
		insb
		inc	esp
		jb	short loc_A5115E
		jbe	short near ptr loc_A5115A+2
		jb	short near ptr loc_A51117+2
		ja	short near ptr loc_A51161+3

loc_A510FB:				; CODE XREF: PAGEVRFY:loc_A51090j
		jz	short loc_A51165
		outsd
		jnz	short loc_A51174

loc_A51100:				; CODE XREF: PAGEVRFY:loc_A510DFj
		and	[ebx+65h], dh
		jz	short near ptr loc_A51178+1
		imul	ebp, [esi+67h],	65687420h
		and	[ebx+61h], al
		outsb
		arpl	[ebp+6Ch], sp
		push	edx

loc_A51114:				; CODE XREF: PAGEVRFY:loc_A510ADj
		outsd

loc_A51115:				; CODE XREF: PAGEVRFY:00A510AAj
		jnz	short near ptr loc_A5118A+1

loc_A51117:				; CODE XREF: PAGEVRFY:00A510F7j
		imul	ebp, [esi+65h],	0A6E6920h
		jz	short near ptr loc_A51186+2
		and	gs:[ecx+72h], cl
		jo	short near ptr loc_A51142+4
		jz	short near ptr loc_A51196+1
		and	[esi+55h], cl
		dec	esp
		dec	esp
		add	cs:[eax], al

??_C@_0JM@HCHJENOP@Driver?5has?5attempted?5to?5detach?5@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA82D4o
		inc	esp

loc_A51131:				; CODE XREF: PAGEVRFY:loc_A510C9j
		jb	short near ptr loc_A51196+6
		jbe	short near ptr loc_A51196+4
		jb	short near ptr loc_A51156+1

loc_A51137:				; CODE XREF: PAGEVRFY:loc_A510D0j
		push	61207361h
		jz	short loc_A511B2
		db	65h
		insd
		jo	short near ptr loc_A511B3+3

loc_A51142:				; CODE XREF: PAGEVRFY:00A510DDj
					; PAGEVRFY:00A510DAj ...
		db	65h
		and	fs:[edi+ebp*2+20h], dh
		db	64h, 65h
		jz	short near ptr loc_A511A8+5
		arpl	[eax+20h], bp
		db	66h
		jb	short near ptr loc_A511C0+1
		insd
		and	[ecx+20h], ah

loc_A51156:				; CODE XREF: PAGEVRFY:00A51135j
		db	64h, 65h
		jbe	short near ptr loc_A511C0+3

loc_A5115A:				; CODE XREF: PAGEVRFY:00A510F5j
		arpl	[ebp+20h], sp
		outsd

loc_A5115E:				; CODE XREF: PAGEVRFY:00A510F3j
		bound	ebp, [edx+65h]

loc_A51161:				; CODE XREF: PAGEVRFY:00A510F9j
		arpl	[eax+77h], si

loc_A51165:				; CODE XREF: PAGEVRFY:loc_A510FBj
		push	20686369h
		imul	esi, [ebx+20h],	0A746F6Eh
		popa
		jz	short near ptr loc_A511E7+1

loc_A51174:				; CODE XREF: PAGEVRFY:00A510FEj
		popa
		arpl	[eax+65h], bp

loc_A51178:				; CODE XREF: PAGEVRFY:00A51103j
		and	fs:[edi+ebp*2+20h], dh
		popa
		outsb
		jns	short near ptr loc_A511EF+6
		push	2E676E69h

loc_A51186:				; CODE XREF: PAGEVRFY:00A5111Ej
		and	[eax+ebp*2+69h], dl

loc_A5118A:				; CODE XREF: PAGEVRFY:loc_A51115j
		jnb	short near ptr loc_A511A8+4
		insd
		popa
		jns	short near ptr loc_A511AE+2
		outsd
		arpl	[ebx+75h], sp
		jb	short near ptr loc_A511B3+3

loc_A51196:				; CODE XREF: PAGEVRFY:00A51126j
					; PAGEVRFY:00A51133j ...
		imul	esp, [esi+20h],	61746564h
		arpl	[eax+20h], bp
		ja	short loc_A51203
		jnb	short near ptr loc_A511C0+4
		arpl	[ecx+6Ch], sp
		insb

loc_A511A8:				; CODE XREF: PAGEVRFY:loc_A5118Aj
					; PAGEVRFY:00A51148j
		db	65h
		and	fs:[edi+esi*2+69h], dh

loc_A511AE:				; CODE XREF: PAGEVRFY:00A5118Ej
		arpl	[ebp+20h], sp
		outsd

loc_A511B2:				; CODE XREF: PAGEVRFY:00A5113Cj
		outsb

loc_A511B3:				; CODE XREF: PAGEVRFY:00A51140j
					; PAGEVRFY:00A51194j
		and	[eax+ebp*2+65h], dh
		or	dh, [ebx+61h]
		insd
		and	gs:[ebp+76h], ah

loc_A511C0:				; CODE XREF: PAGEVRFY:00A5114Fj
					; PAGEVRFY:loc_A51156j	...
		imul	esp, [ebx+65h],	6A626F20h
		arpl	gs:[esi+ebp+0],	si
; 
		dd 0
; 

??_C@_0EE@FEPECPDC@Any?5Power?5IRP?5must?5have?5status?5@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8358o
		inc	ecx
		outsb
		jns	short near ptr loc_A511EF+5
		push	eax
		outsd
		ja	short near ptr loc_A5123C+1
		jb	short near ptr loc_A511F6+4
		dec	ecx
		push	edx
		push	eax
		and	[ebp+75h], ch
		jnb	short loc_A51256
		and	[eax+61h], ch
		jbe	short loc_A5124C

loc_A511E7:				; CODE XREF: PAGEVRFY:00A51172j
		and	[ebx+74h], dh
		popa
		jz	short loc_A51262
		jnb	short loc_A5120F

loc_A511EF:				; CODE XREF: PAGEVRFY:00A511D2j
					; PAGEVRFY:00A5117Fj
		imul	ebp, [esi+69h],	6C616974h

loc_A511F6:				; CODE XREF: PAGEVRFY:00A511D8j
		imul	edi, [edx+65h],	6F742064h
		and	[ebx+54h], dl
		inc	ecx
		push	esp
		push	ebp

loc_A51203:				; CODE XREF: PAGEVRFY:00A511A0j
		push	ebx
		pop	edi
		dec	esi
		dec	edi
		push	esp
		pop	edi
		push	ebx
		push	ebp
		push	eax
		push	eax
		dec	edi
		push	edx

loc_A5120F:				; CODE XREF: PAGEVRFY:00A511EDj
		push	esp
		inc	ebp
		inc	esp
		add	cs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_0EC@KEEIEOFO@Any?5PNP?5IRP?5must?5have?5status?5in@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA834Co
		inc	ecx
		outsb
		jns	short loc_A5123C
		push	eax
		dec	esi
		push	eax
		and	[ecx+52h], cl
		push	eax
		and	[ebp+75h], ch
		jnb	short loc_A5129C
		and	[eax+61h], ch
		jbe	short near ptr loc_A51291+1
		and	[ebx+74h], dh
		popa
		jz	short loc_A512A8
		jnb	short loc_A51255
		imul	ebp, [esi+69h],	6C616974h

loc_A5123C:				; CODE XREF: PAGEVRFY:00A5121Aj
					; PAGEVRFY:00A511D6j
		imul	edi, [edx+65h],	6F742064h
		and	[ebx+54h], dl
		inc	ecx
		push	esp
		push	ebp
		push	ebx
		pop	edi
		dec	esi

loc_A5124C:				; CODE XREF: PAGEVRFY:00A511E5j
		dec	edi
		push	esp
		pop	edi
		push	ebx
		push	ebp
		push	eax
		push	eax
		dec	edi
		push	edx

loc_A51255:				; CODE XREF: PAGEVRFY:00A51233j
		push	esp

loc_A51256:				; CODE XREF: PAGEVRFY:00A511E0j
		inc	ebp
		inc	esp
		add	cs:[eax], al
; 
		db 0
		align 10h

??_C@_0LK@FDCFOCJA@Caller?5has?5forwarded?5an?5Irp?5whi@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8370o
		inc	ebx
		popa

loc_A51262:				; CODE XREF: PAGEVRFY:00A511EBj
		insb
		insb
		db	65h
		jb	short near ptr loc_A51286+1
		push	66207361h
		outsd
		jb	short loc_A512E6
		popa
		jb	short loc_A512D6
		db	65h
		and	fs:[ecx+6Eh], ah
		and	[ecx+72h], cl
		jo	short loc_A5129C
		ja	short loc_A512E6
		imul	ebp, [ebp+20h],	70696B73h

loc_A51286:				; CODE XREF: PAGEVRFY:00A51264j
		jo	short near ptr loc_A512ED+4
		outsb
		and	[bx+di+20h], ah
		db	64h, 65h
		jbe	short near ptr loc_A512F7+3

loc_A51291:				; CODE XREF: PAGEVRFY:00A5122Bj
		arpl	[ebp+20h], sp
		outsd
		bound	ebp, [edx+65h]
		arpl	[eax+69h], si

loc_A5129C:				; CODE XREF: PAGEVRFY:00A51226j
					; PAGEVRFY:00A5127Aj
		outsb
		and	[eax+ebp*2+65h], dh
		and	[ebx+74h], dh
		popa
		arpl	[ebx+2Eh], bp

loc_A512A8:				; CODE XREF: PAGEVRFY:00A51231j
		or	dl, [eax+ebp*2+65h]
		and	[ebx+61h], ah
		insb
		insb
		db	65h
		jb	short near ptr loc_A512D3+1
		imul	esi, [ebx+20h],	626F7270h
		popa
		bound	ebp, [ecx+edi*2+20h]
		jnb	short loc_A51327
		outsb
		imul	ebp, fs:[esi+67h], 50524920h
		jnb	short loc_A512ED
		jz	short near ptr loc_A5133D+1
		and	[eax+ebp*2+65h], dh

loc_A512D3:				; CODE XREF: PAGEVRFY:00A512B1j
		and	[eax+44h], dl

loc_A512D6:				; CODE XREF: PAGEVRFY:00A51270j
		dec	edi
		and	[ecx+6Eh], ch
		jnb	short loc_A51350
		db	65h
		popa
		and	fs:[edi+66h], ch
		and	[edi+ebp*2+20h], dh

loc_A512E6:				; CODE XREF: PAGEVRFY:00A5126Dj
					; PAGEVRFY:00A5127Cj
		jz	short loc_A51350
		and	gs:[ebp+76h], ah

loc_A512ED:				; CODE XREF: PAGEVRFY:00A512CBj
					; PAGEVRFY:loc_A51286j
		imul	esp, [ebx+65h],	7465720Ah
		jnz	short loc_A51368
		outsb

loc_A512F7:				; CODE XREF: PAGEVRFY:00A5128Dj
		db	65h
		and	fs:[edx+79h], ah
		and	[ecx+6Fh], cl
		inc	ecx
		jz	short near ptr loc_A51375+1
		popa
		arpl	[eax+44h], bp
		db	65h
		jbe	short near ptr loc_A51371+1
		arpl	[ebp+54h], sp
		outsd
		inc	esp
		db	65h
		jbe	short loc_A5137A
		arpl	[ebp+53h], sp
		jz	short loc_A51377
		arpl	[ebx+2Eh], bp
; 
		db 3 dup(0)
		align 10h

??_C@_0EC@KHGHABEE@Any?5WMI?5IRP?5must?5have?5status?5in@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8364o
		inc	ecx
		outsb
		jns	short loc_A51344
		push	edi
		dec	ebp
		dec	ecx

loc_A51327:				; CODE XREF: PAGEVRFY:00A512C0j
		and	[ecx+52h], cl
		push	eax
		and	[ebp+75h], ch
		jnb	short loc_A513A4
		and	[eax+61h], ch
		jbe	short loc_A5139A
		and	[ebx+74h], dh
		popa
		jz	short near ptr loc_A513AF+1
		jnb	short loc_A5135D

loc_A5133D:				; CODE XREF: PAGEVRFY:00A512CDj
		imul	ebp, [esi+69h],	6C616974h

loc_A51344:				; CODE XREF: PAGEVRFY:00A51322j
		imul	edi, [edx+65h],	6F742064h
		and	[ebx+54h], dl
		inc	ecx
		push	esp

loc_A51350:				; CODE XREF: PAGEVRFY:00A512DAj
					; PAGEVRFY:loc_A512E6j
		push	ebp
		push	ebx
		pop	edi
		dec	esi
		dec	edi
		push	esp
		pop	edi
		push	ebx
		push	ebp
		push	eax
		push	eax
		dec	edi
		push	edx

loc_A5135D:				; CODE XREF: PAGEVRFY:00A5133Bj
		push	esp
		inc	ebp
		inc	esp
		add	cs:[eax], al
; 
		db 0
; 

??_C@_0DM@NPFEJNDC@Caller?5of?5IoFreeIrp?5is?5freeing?5@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8328o
		inc	ebx
		popa
		insb
		insb

loc_A51368:				; CODE XREF: PAGEVRFY:00A512F4j
		db	65h
		jb	short near ptr loc_A51389+2
		outsd
		db	66h
		and	[ecx+6Fh], cl
		inc	esi

loc_A51371:				; CODE XREF: PAGEVRFY:00A51306j
		jb	short loc_A513D8
		db	65h
		dec	ecx

loc_A51375:				; CODE XREF: PAGEVRFY:00A51300j
		jb	short loc_A513E7

loc_A51377:				; CODE XREF: PAGEVRFY:00A51314j
		and	[ecx+73h], ch

loc_A5137A:				; CODE XREF: PAGEVRFY:00A5130Ej
		and	[esi+72h], ah
		db	65h
		imul	ebp, gs:[esi+67h], 206E6120h
		dec	ecx
		push	edx
		push	eax

loc_A51389:				; CODE XREF: PAGEVRFY:loc_A51368j
		and	[eax+ebp*2+61h], dh
		jz	short loc_A513AF
		imul	esi, [ebx+20h],	6C697473h
		insb
		and	[ecx+6Eh], ch

loc_A5139A:				; CODE XREF: PAGEVRFY:00A51333j
		and	[ebp+73h], dh
		and	gs:[eax], eax

??_C@_0JG@HCCABFLA@Caller?5is?5completing?5an?5IRP?5tha@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA831Co
		inc	ebx
		popa
		insb
		insb

loc_A513A4:				; CODE XREF: PAGEVRFY:00A5132Ej
		db	65h
		jb	short near ptr loc_A513C1+6
		imul	esi, [ebx+20h],	706D6F63h
		insb

loc_A513AF:				; CODE XREF: PAGEVRFY:00A5138Dj
					; PAGEVRFY:00A51339j
		db	65h
		jz	short near ptr loc_A51419+2
		outsb
		and	[bx+di+6Eh], ah
		and	[ecx+52h], cl
		push	eax
		and	[eax+ebp*2+61h], dh
		jz	short loc_A513E1

loc_A513C1:				; CODE XREF: PAGEVRFY:loc_A513A4j
		imul	esi, [ebx+20h],	72727563h
		outs	dx, byte ptr gs:[esi]
		jz	short ??_C@_0NK@IACMPAPC@Caller?5of?5IoInitializeIrp?5has?5p@GHGBBCHJ@
		jns	short near ptr loc_A513ED+1
		jno	short loc_A51445
		db	65h
		jnz	short ??_C@_0NK@IACMPAPC@Caller?5of?5IoInitializeIrp?5has?5p@GHGBBCHJ@
		and	fs:[edx+65h], ah
		outsb

loc_A513D8:				; CODE XREF: PAGEVRFY:loc_A51371j
		db	65h
		popa
		jz	short loc_A51444
		and	[ecx+74h], ch
		and	[eax], esp

loc_A513E1:				; CODE XREF: PAGEVRFY:00A513BFj
		push	esp
		push	6F630A65h

loc_A513E7:				; CODE XREF: PAGEVRFY:loc_A51375j
		db	64h
		and	gs:[eax+61h], ch
		outsb

loc_A513ED:				; CODE XREF: PAGEVRFY:00A513CCj
		db	64h
		insb
		imul	ebp, [esi+67h],	50524920h
		jnb	short near ptr loc_A51417+1
		jb	short loc_A5145F
		jz	short loc_A51471
		jb	short near ptr loc_A5146B+1
		imul	ebp, [esi+67h],	41545320h
		push	esp
		push	ebp
		push	ebx
		pop	edi
		push	eax
		inc	ebp
		dec	esi
		inc	esp
		dec	ecx
		dec	esi
		inc	edi
		and	[ecx+6Eh], ch
		and	[eax+ebp*2+69h], dh

loc_A51417:				; CODE XREF: PAGEVRFY:00A513F6j
		jnb	short loc_A51439

loc_A51419:				; CODE XREF: PAGEVRFY:loc_A513AFj
		db	64h
		jb	short loc_A51485
		jbe	short near ptr loc_A51482+1
		jb	short loc_A51440
		popa
		jo	short near ptr loc_A51490+3
		db	65h
		popa
		jb	short near ptr loc_A51499+1
		and	[edi+ebp*2+20h], dh
		bound	esp, [ebp+0Ah]
		bound	esi, [edx+6Fh]
		imul	esp, [ebp+6Eh],	2Eh
; 
		db 3 dup(0)
; 

??_C@_0NK@IACMPAPC@Caller?5of?5IoInitializeIrp?5has?5p@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A513CAj
					; PAGEVRFY:00A513D0j
					; DATA XREF: ...
		inc	ebx

loc_A51439:				; CODE XREF: PAGEVRFY:loc_A51417j
		popa
		insb
		insb
		db	65h
		jb	short loc_A5145F
		outsd

loc_A51440:				; CODE XREF: PAGEVRFY:00A5141Ej
		db	66h
		and	[ecx+6Fh], cl

loc_A51444:				; CODE XREF: PAGEVRFY:00A513DAj
		dec	ecx

loc_A51445:				; CODE XREF: PAGEVRFY:00A513CEj
		outsb
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		dec	ecx
		jb	short near ptr loc_A514C0+1
		and	[eax+61h], ch
		jnb	short near ptr loc_A51474+2
		jo	short near ptr loc_A514B7+2
		jnb	short loc_A514CD
		db	65h
		and	fs:[ecx+6Eh], ah

loc_A5145F:				; CODE XREF: PAGEVRFY:00A513F8j
					; PAGEVRFY:00A5143Cj
		and	[ecx+52h], cl
		push	eax
		and	[eax+ebp*2+61h], dh
		jz	short loc_A51489
		ja	short loc_A514CC

loc_A5146B:				; CODE XREF: PAGEVRFY:00A513FCj
		jnb	short near ptr loc_A51489+4
		popa
		insb
		insb
		outsd

loc_A51471:				; CODE XREF: PAGEVRFY:00A513FAj
		arpl	[ecx+74h], sp

loc_A51474:				; CODE XREF: PAGEVRFY:00A51454j
		db	65h
		and	fs:[edi+69h], dh
		jz	short loc_A514E3
		or	cl, [ecx+6Fh]
		inc	ecx
		insb
		insb
		outsd

loc_A51482:				; CODE XREF: PAGEVRFY:00A5141Cj
		arpl	[ecx+74h], sp

loc_A51485:				; CODE XREF: PAGEVRFY:loc_A51419j
		db	65h
		dec	ecx
		jb	short loc_A514F9

loc_A51489:				; CODE XREF: PAGEVRFY:00A51467j
					; PAGEVRFY:loc_A5146Bj
		and	cs:[eax+ebp*2+69h], dl
		jnb	short loc_A514B0

loc_A51490:				; CODE XREF: PAGEVRFY:00A51421j
		imul	esi, [ebx+20h],	6F636E69h
		jb	short loc_A5150B

loc_A51499:				; CODE XREF: PAGEVRFY:00A51425j
		arpl	gs:[eax+61h], si
		outsb
		and	fs:[ebp+6Eh], dh
		outsb
		arpl	gs:[ebx+65h], sp
		jnb	short near ptr loc_A5151C+1
		popa
		jb	short near ptr loc_A51525+1
		sub	al, 20h
		popa

loc_A514B0:				; CODE XREF: PAGEVRFY:00A5148Ej
		outsb
		and	fs:[eax+61h], ch
		jnb	short near ptr loc_A514D4+3

loc_A514B7:				; CODE XREF: PAGEVRFY:00A51456j
		arpl	[ecx+75h], sp
		jnb	short near ptr loc_A51520+1
		and	fs:[ecx+20h], ah

loc_A514C0:				; CODE XREF: PAGEVRFY:00A5144Fj
		jno	short near ptr loc_A51531+6
		outsd
		jz	short near ptr loc_A51525+1
		or	ch, [ebp+61h]
		imul	ebp, [esi], 20h

loc_A514CC:				; CODE XREF: PAGEVRFY:00A51469j
		inc	ebx

loc_A514CD:				; CODE XREF: PAGEVRFY:00A51458j
		push	206B6365h
		jz	short loc_A5153C

loc_A514D4:				; CODE XREF: PAGEVRFY:00A514B5j
		and	gs:[edi+ebp*2+63h], ah
		jnz	short near ptr loc_A51543+5
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_A5153D+3
		jz	short loc_A5154A
		outsd
		outsb

loc_A514E3:				; CODE XREF: PAGEVRFY:00A51479j
		and	[esi+6Fh], ah
		jb	short near ptr loc_A51504+4
		dec	ecx
		outsd
		push	edx
		db	65h
		jnz	short loc_A51561
		db	65h
		dec	ecx
		jb	short near ptr loc_A51561+1
		and	[ecx+66h], ch
		and	[eax+ebp*2+69h], dh

loc_A514F9:				; CODE XREF: PAGEVRFY:00A51487j
		jnb	short loc_A5151B
		dec	ecx
		push	edx
		push	eax
		and	[ecx+73h], ch
		and	[edx+65h], ah

loc_A51504:				; CODE XREF: PAGEVRFY:00A514E6j
		imul	ebp, [esi+67h],	6365720Ah

loc_A5150B:				; CODE XREF: PAGEVRFY:00A51497j
		jns	short loc_A51570
		insb
		db	65h, 64h
		add	cs:[eax], al
; 
		db 0
		align 8

??_C@_0EI@FAPBLNMK@Caller?5of?5IoFreeIrp?5is?5freeing?5@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8334o
		inc	ebx
		popa
		insb

loc_A5151B:				; CODE XREF: PAGEVRFY:loc_A514F9j
		insb

loc_A5151C:				; CODE XREF: PAGEVRFY:00A514A8j
		db	65h
		jb	short near ptr loc_A5153D+2
		outsd

loc_A51520:				; CODE XREF: PAGEVRFY:00A514BAj
		db	66h
		and	[ecx+6Fh], cl
		inc	esi

loc_A51525:				; CODE XREF: PAGEVRFY:00A514ABj
					; PAGEVRFY:00A514C3j
		jb	short near ptr loc_A51589+3
		db	65h
		dec	ecx
		jb	short loc_A5159B
		and	[ecx+73h], ch
		and	[esi+72h], ah

loc_A51531:				; CODE XREF: PAGEVRFY:loc_A514C0j
		db	65h
		imul	ebp, gs:[esi+67h], 206E6120h
		dec	ecx
		push	edx

loc_A5153C:				; CODE XREF: PAGEVRFY:00A514D2j
		push	eax

loc_A5153D:				; CODE XREF: PAGEVRFY:loc_A5151Cj
					; PAGEVRFY:00A514DDj
		and	[eax+ebp*2+61h], dh
		jz	short near ptr loc_A51561+2

loc_A51543:				; CODE XREF: PAGEVRFY:00A514D9j
		imul	esi, [ebx+20h],	6C697473h

loc_A5154A:				; CODE XREF: PAGEVRFY:00A514DFj
		insb
		and	[ecx+75h], dh
		db	65h
		jnz	short loc_A515B6
		and	fs:[edi+ebp*2+20h], dh
		popa
		or	dh, [eax+ebp*2+72h]
		db	65h
		popa
		and	fs:[eax], eax

??_C@_0IG@IOKDIEAF@The?5driver?5has?5not?5handled?5a?5re@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA83B8o
		push	esp

loc_A51561:				; CODE XREF: PAGEVRFY:00A514EBj
					; PAGEVRFY:00A514F0j ...
		push	72642065h
		imul	esi, [esi+65h],	61682072h
		jnb	short near ptr loc_A5158E+1
		outsb

loc_A51570:				; CODE XREF: PAGEVRFY:loc_A5150Bj
		outsd
		jz	short near ptr loc_A51592+1
		push	6C646E61h
		db	65h
		and	fs:[ecx+20h], ah
		jb	short near ptr loc_A515E3+1
		jno	short near ptr loc_A515F5+1
		imul	esi, [edx+65h],	52492064h
		push	eax

loc_A51589:				; CODE XREF: PAGEVRFY:loc_A51525j
		and	cs:[eax+ebp*2+65h], dl

loc_A5158E:				; CODE XREF: PAGEVRFY:00A5156Dj
		and	[edx+esi*2+69h], ah

loc_A51592:				; CODE XREF: PAGEVRFY:00A51571j
		jbe	short loc_A515F9
		jb	short loc_A515B6
		insd
		jnz	short near ptr loc_A51609+3
		jz	short loc_A515BB

loc_A5159B:				; CODE XREF: PAGEVRFY:00A51529j
		jnz	short near ptr loc_A51609+4
		db	64h
		popa
		jz	short near ptr loc_A51605+1
		and	[eax+ebp*2+65h], dh
		or	dh, [ebx+74h]
		popa
		jz	short loc_A51620
		jnb	short near ptr loc_A515CC+1
		outsd
		db	66h
		and	[eax+ebp*2+65h], dh
		and	[ecx+52h], cl

loc_A515B6:				; CODE XREF: PAGEVRFY:00A5154Ej
					; PAGEVRFY:00A51594j
		push	eax
		and	[edi+ebp*2+20h], dh

loc_A515BB:				; CODE XREF: PAGEVRFY:00A51599j
		imul	ebp, [esi+64h],	74616369h
		and	gs:[edi+68h], dh
		db	65h
		jz	short loc_A51631
		db	65h
		jb	short near ptr loc_A515EB+1

loc_A515CC:				; CODE XREF: PAGEVRFY:00A515ABj
		imul	esi, [edi+73h],	65656220h
		outsb
		and	[eax+61h], ch
		outsb
		db	64h
		insb
		db	65h
		and	fs:[edi+72h], ch
		and	[esi+6Fh], ch

loc_A515E3:				; CODE XREF: PAGEVRFY:00A5157Dj
		jz	short near ptr loc_A51611+2
; 
		db 3 dup(0)
; 

??_C@_0LA@FLFOPMBH@Previously?5set?5IRP_MJ_PNP?5statu@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA83ACo
		push	eax
		jb	short loc_A51650

loc_A515EB:				; CODE XREF: PAGEVRFY:00A515C9j
		jbe	short near ptr loc_A51652+4
		outsd
		jnz	short loc_A51663
		insb
		jns	short near ptr loc_A51611+2
		jnb	short near ptr loc_A51659+1

loc_A515F5:				; CODE XREF: PAGEVRFY:00A5157Fj
		jz	short loc_A51617
		dec	ecx
		push	edx

loc_A515F9:				; CODE XREF: PAGEVRFY:loc_A51592j
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	eax
		dec	esi
		push	eax
		and	[ebx+74h], dh
		popa

loc_A51605:				; CODE XREF: PAGEVRFY:00A5159Fj
		jz	short near ptr loc_A5167A+2
		jnb	short loc_A51629

loc_A51609:				; CODE XREF: PAGEVRFY:00A51597j
					; PAGEVRFY:loc_A5159Bj
		push	62207361h
		db	65h
		outs	dx, byte ptr gs:[esi]

loc_A51611:				; CODE XREF: PAGEVRFY:loc_A515E3j
					; PAGEVRFY:00A515F1j
		and	[ebx+6Fh], ah
		outsb
		jbe	short near ptr loc_A5167A+2

loc_A51617:				; CODE XREF: PAGEVRFY:loc_A515F5j
		jb	short near ptr loc_A5168B+2
		db	65h
		and	fs:[edi+ebp*2+0Ah], dh
		push	ebx

loc_A51620:				; CODE XREF: PAGEVRFY:00A515A9j
		push	esp
		inc	ecx
		push	esp
		push	ebp
		push	ebx
		pop	edi
		dec	esi
		dec	edi
		push	esp

loc_A51629:				; CODE XREF: PAGEVRFY:00A51607j
		pop	edi
		push	ebx
		push	ebp
		push	eax
		push	eax
		dec	edi
		push	edx
		push	esp

loc_A51631:				; CODE XREF: PAGEVRFY:00A515C6j
		inc	ebp
		inc	esp
		and	cs:[eax+ebp*2+69h], dl
		jnb	short near ptr loc_A51659+1
		popaw
		imul	ebp, [ebp+esi*2+72h], 74732065h
		popa
		jz	short loc_A516BC
		jnb	short near ptr loc_A51666+3
		imul	esi, [ebx+20h],	65736572h

loc_A51650:				; CODE XREF: PAGEVRFY:00A515E9j
		jb	short near ptr loc_A516C7+1

loc_A51652:				; CODE XREF: PAGEVRFY:loc_A515EBj
		db	65h
		and	fs:[esi+6Fh], ah
		jb	short near ptr loc_A51678+1

loc_A51659:				; CODE XREF: PAGEVRFY:00A515F3j
					; PAGEVRFY:00A51638j
		jnz	short near ptr loc_A516CD+1
		and	gs:[edi+66h], ch
		and	[eax+ebp*2+65h], dh

loc_A51663:				; CODE XREF: PAGEVRFY:00A515EEj
		and	[edi+53h], cl

loc_A51666:				; CODE XREF: PAGEVRFY:00A51647j
		or	ch, ds:69726420h
		jbe	short loc_A516D3
		jb	short near ptr loc_A516E1+2
		and	[ebx+61h], ah
		outsb
		outsb
		outsd
		jz	short ??_C@_0IF@NPBIADHN@Non?9successful?5non?9STATUS_NOT_S@GHGBBCHJ@

loc_A51678:				; CODE XREF: PAGEVRFY:00A51657j
		popaw

loc_A5167A:				; CODE XREF: PAGEVRFY:loc_A51605j
					; PAGEVRFY:00A51615j
		imul	ebp, [eax+61h],	506E5020h
		and	[ecx+52h], cl
		push	eax
		and	[edi+69h], dh
		jz	short loc_A516F3

loc_A5168B:				; CODE XREF: PAGEVRFY:loc_A51617j
		and	[eax+ebp*2+69h], dh
		jnb	short loc_A516B1
		jbe	short loc_A516F4
		insb
		jnz	short near ptr loc_A516FA+1
; 
		dw 2Eh
; 

??_C@_0IF@NPBIADHN@Non?9successful?5non?9STATUS_NOT_S@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A51676j
					; DATA XREF: PAGEVRFD:00AA83D0o
		dec	esi
		outsd
		outsb
		sub	eax, 63637573h
		db	65h
		jnb	short near ptr loc_A51715+1
		db	66h
		jnz	short loc_A51712
		and	[esi+6Fh], ch
		outsb
		sub	eax, 54415453h
		push	ebp
		push	ebx

loc_A516B1:				; CODE XREF: PAGEVRFY:00A5168Fj
		pop	edi
		dec	esi
		dec	edi
		push	esp
		pop	edi
		push	ebx
		push	ebp
		push	eax
		push	eax
		dec	edi
		push	edx

loc_A516BC:				; CODE XREF: PAGEVRFY:00A51645j
		push	esp
		inc	ebp
		inc	esp
		and	[ecx+52h], cl
		push	eax
		and	[ebx+74h], dh
		popa

loc_A516C7:				; CODE XREF: PAGEVRFY:loc_A51650j
		jz	short loc_A5173E
		jnb	short near ptr loc_A516EA+1
		outsw

loc_A516CD:				; CODE XREF: PAGEVRFY:loc_A51659j
		jb	short loc_A516EF
		dec	ecx
		push	edx
		push	eax
		pop	edi

loc_A516D3:				; CODE XREF: PAGEVRFY:00A5166Cj
		dec	ebp
		dec	edx
		pop	edi
		push	eax
		dec	edi
		push	edi
		inc	ebp
		push	edx
		and	[ecx+73h], ch
		or	ah, [edx+65h]

loc_A516E1:				; CODE XREF: PAGEVRFY:00A5166Ej
		imul	ebp, [esi+67h],	73617020h
		jnb	short loc_A5174F

loc_A516EA:				; CODE XREF: PAGEVRFY:00A516C9j
		and	fs:[edi+ebp*2+77h], ah

loc_A516EF:				; CODE XREF: PAGEVRFY:loc_A516CDj
		outsb
		and	[ebx+74h], dh

loc_A516F3:				; CODE XREF: PAGEVRFY:00A51689j
		popa

loc_A516F4:				; CODE XREF: PAGEVRFY:00A51691j
		arpl	[ebx+2Eh], bp
		and	[esi+61h], al

loc_A516FA:				; CODE XREF: PAGEVRFY:00A51694j
		imul	ebp, [ebp+64h],	574F5020h
		inc	ebp
		push	edx
		and	[ecx+52h], cl
		push	eax
		jnb	short near ptr loc_A51726+4
		insd
		jnz	short near ptr loc_A5177E+2
		jz	short loc_A5172F
		bound	esp, [ebp+20h]

loc_A51712:				; CODE XREF: PAGEVRFY:00A516A3j
		arpl	[edi+6Dh], bp

loc_A51715:				; CODE XREF: PAGEVRFY:00A516A0j
		jo	short near ptr loc_A51781+2
		db	65h
		jz	short near ptr loc_A5177E+1
		db	64h
		add	cs:[eax], al
; 
		dw 0
; 

??_C@_0GN@LKFBHJBE@The?5driver?5has?5responded?5to?5an?5@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA83C4o
		push	esp
		push	72642065h

loc_A51726:				; CODE XREF: PAGEVRFY:00A51708j
		imul	esi, [esi+65h],	61682072h
		jnb	short loc_A5174F

loc_A5172F:				; CODE XREF: PAGEVRFY:00A5170Dj
		jb	short near ptr loc_A51794+2
		jnb	short near ptr loc_A517A1+2
		outsd
		outsb
		db	64h, 65h
		and	fs:[edi+ebp*2+20h], dh
		popa
		outsb

loc_A5173E:				; CODE XREF: PAGEVRFY:loc_A516C7j
		and	[ecx+52h], cl
		push	eax
		and	[eax+ebp*2+61h], dh
		jz	short near ptr loc_A51766+2
		imul	esi, [ebx+20h],	74616874h

loc_A5174F:				; CODE XREF: PAGEVRFY:00A516E8j
					; PAGEVRFY:00A5172Dj
		and	[ecx+73h], ch
		and	[edx+65h], dh
		jnb	short loc_A517BC
		jb	short near ptr loc_A517CC+3
		db	65h
		and	fs:[esi+6Fh], ah
		jb	short near ptr loc_A5177E+2
		outsd
		jz	short near ptr loc_A517CA+1
		db	65h
		jb	short near ptr loc_A5176E+2

loc_A51766:				; CODE XREF: PAGEVRFY:00A51746j
		db	64h, 65h
		jbe	short loc_A517D3
		arpl	[ebp+20h], sp
		outsd

loc_A5176E:				; CODE XREF: PAGEVRFY:00A51763j
		bound	ebp, [edx+65h]
		arpl	[ebx+esi*2+20h], si
		db	65h
		insb
		jnb	short near ptr loc_A517DC+2
		ja	short near ptr loc_A517DF+4
		db	65h
		jb	short near ptr loc_A517DF+4

loc_A5177E:				; CODE XREF: PAGEVRFY:00A51717j
					; PAGEVRFY:00A5170Bj ...
		and	[ecx+6Eh], ch

loc_A51781:				; CODE XREF: PAGEVRFY:loc_A51715j
		and	[eax+ebp*2+65h], dh
		and	[ebx+74h], dh
		popa
		arpl	[ebx+2Eh], bp
; 
		dd 0
; 

??_C@_0EG@GLGNNGEN@Caller?5has?5changed?5the?5status?5f@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8388o
					; PAGEVRFD:00AA84CCo
		inc	ebx
		popa
		insb
		insb

loc_A51794:				; CODE XREF: PAGEVRFY:loc_A5172Fj
		db	65h
		jb	short near ptr loc_A517B5+2
		push	63207361h
		push	65676E61h

loc_A517A1:				; CODE XREF: PAGEVRFY:00A51731j
		and	fs:[eax+ebp*2+65h], dh
		and	[ebx+74h], dh
		popa
		jz	short near ptr loc_A51820+1
		jnb	short near ptr loc_A517CC+2
		imul	sp, [ebp+6Ch], 2064h
		outsd

loc_A517B5:				; CODE XREF: PAGEVRFY:loc_A51794j
		db	66h
		and	[ecx+6Eh], ah
		and	[ecx+52h], cl

loc_A517BC:				; CODE XREF: PAGEVRFY:00A51755j
		push	eax
		and	[ecx+74h], ch
		and	[edi+ebp*2+65h], ah
		jnb	short loc_A517E6
		outsb
		outsd
		jz	short near ptr loc_A517E8+2

loc_A517CA:				; CODE XREF: PAGEVRFY:00A51761j
		jnz	short loc_A5183A

loc_A517CC:				; CODE XREF: PAGEVRFY:00A517ACj
					; PAGEVRFY:00A51757j
		db	64h, 65h
		jb	short loc_A51843
		jz	short loc_A51833
		outsb

loc_A517D3:				; CODE XREF: PAGEVRFY:loc_A51766j
		db	64h
		add	cs:[eax], al
; 
		db 0
; 

??_C@_0DL@FGNPLCIG@Caller?5has?5trashed?5or?5has?5not?5p@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA837Co
		inc	ebx
		popa
		insb
		insb

loc_A517DC:				; CODE XREF: PAGEVRFY:00A51777j
		db	65h
		jb	short loc_A517FF

loc_A517DF:				; CODE XREF: PAGEVRFY:00A51779j
					; PAGEVRFY:00A5177Bj
		push	74207361h
		jb	short loc_A51847

loc_A517E6:				; CODE XREF: PAGEVRFY:00A517C4j
		jnb	short loc_A51850

loc_A517E8:				; CODE XREF: PAGEVRFY:00A517C8j
		db	65h
		and	fs:[edi+72h], ch
		and	[eax+61h], ch
		jnb	short near ptr word_A51812
		outsb
		outsd
		jz	short near ptr word_A51816
		jo	short near ptr loc_A51868+2
		outsd
		jo	short near ptr loc_A5185F+1
		jb	short near ptr loc_A51868+1
		jns	short near ptr loc_A5181B+4

loc_A517FF:				; CODE XREF: PAGEVRFY:loc_A517DCj
		arpl	[edi+70h], bp
		imul	esp, [ebp+64h],	50524920h
		daa
		jnb	short near ptr loc_A5182A+2
		jnb	short near ptr loc_A51880+2
		popa
		arpl	[ebx+2Eh], bp
; 
word_A51812	dw 0			; CODE XREF: PAGEVRFY:00A517F0j
		db 2 dup(0)
word_A51816	dw 0			; CODE XREF: PAGEVRFY:00A517F4j
; 

??_C@_0IB@PJMEMPIA@Non?9successful?5non?9STATUS_NOT_S@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA83A0o
		dec	esi
		outsd
		outsb

loc_A5181B:				; CODE XREF: PAGEVRFY:00A517FDj
		sub	eax, 63637573h

loc_A51820:				; CODE XREF: PAGEVRFY:00A517AAj
		db	65h
		jnb	short loc_A51896
		db	66h
		jnz	short near ptr loc_A51891+1
		and	[esi+6Fh], ch
		outsb

loc_A5182A:				; CODE XREF: PAGEVRFY:00A5180Aj
		sub	eax, 54415453h
		push	ebp
		push	ebx
		pop	edi
		dec	esi

loc_A51833:				; CODE XREF: PAGEVRFY:00A517D0j
		dec	edi
		push	esp
		pop	edi
		push	ebx
		push	ebp
		push	eax
		push	eax

loc_A5183A:				; CODE XREF: PAGEVRFY:loc_A517CAj
		dec	edi
		push	edx
		push	esp
		inc	ebp
		inc	esp
		and	[ecx+52h], cl
		push	eax

loc_A51843:				; CODE XREF: PAGEVRFY:loc_A517CCj
		and	[ebx+74h], dh
		popa

loc_A51847:				; CODE XREF: PAGEVRFY:00A517E4j
		jz	short loc_A518BE
		jnb	short near ptr loc_A51868+3
		outsw
		jb	short near ptr loc_A5186E+1
		dec	ecx

loc_A51850:				; CODE XREF: PAGEVRFY:loc_A517E6j
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	eax
		dec	esi
		push	eax
		and	[ecx+73h], ch
		or	ah, [edx+65h]

loc_A5185F:				; CODE XREF: PAGEVRFY:00A517F9j
		imul	ebp, [esi+67h],	73617020h
		jnb	short near ptr loc_A518CB+2

loc_A51868:				; CODE XREF: PAGEVRFY:00A517FBj
					; PAGEVRFY:00A517F6j ...
		and	fs:[edi+ebp*2+77h], ah
		outsb

loc_A5186E:				; CODE XREF: PAGEVRFY:00A5184Dj
		and	[ebx+74h], dh
		popa
		arpl	[ebx+2Eh], bp
		and	[esi+61h], al
		imul	ebp, [ebp+64h],	504E5020h

loc_A51880:				; CODE XREF: PAGEVRFY:00A5180Cj
		and	[ecx+52h], cl
		push	eax
		jnb	short near ptr loc_A518A4+2
		insd
		jnz	short loc_A518FC
		jz	short near ptr loc_A518A7+4
		bound	esp, [ebp+20h]
		arpl	[edi+6Dh], bp

loc_A51891:				; CODE XREF: PAGEVRFY:00A51823j
		jo	short near ptr loc_A518FE+1
		db	65h
		jz	short near ptr loc_A518FA+1

loc_A51896:				; CODE XREF: PAGEVRFY:loc_A51820j
		db	64h
		add	cs:[eax], al
; 
		dw 0
		align 10h

??_C@_0EL@EIMEGHKG@Caller?5has?5changed?5the?5informat@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8394o
		inc	ebx
		popa
		insb
		insb

loc_A518A4:				; CODE XREF: PAGEVRFY:00A51884j
		db	65h
		jb	short loc_A518C7

loc_A518A7:				; CODE XREF: PAGEVRFY:00A51889j
		push	63207361h
		push	65676E61h
		and	fs:[eax+ebp*2+65h], dh
		and	[ecx+6Eh], ch
		outsw
		jb	short loc_A5192A
		popa

loc_A518BE:				; CODE XREF: PAGEVRFY:loc_A51847j
		jz	short near ptr loc_A51928+1
		outsd
		outsb
		and	[esi+69h], ah
		db	65h
		insb

loc_A518C7:				; CODE XREF: PAGEVRFY:loc_A518A4j
		and	fs:[edi+66h], ch

loc_A518CB:				; CODE XREF: PAGEVRFY:00A51866j
		and	[ecx+6Eh], ah
		and	[ecx+52h], cl
		push	eax
		and	[ecx+74h], ch
		and	[edi+ebp*2+65h], ah
		jnb	short near ptr loc_A518FA+1
		outsb
		outsd
		jz	short near ptr loc_A518FE+1
		jnz	short near ptr loc_A5194A+5
		db	64h, 65h
		jb	short near ptr loc_A51956+2
		jz	short near ptr loc_A51947+1
		outsb
		db	64h
		add	cs:[eax], al
; 
		dd 0
; 

??_C@_0JM@MCIEPMAO@An?5IRP?5dispatch?5handler?5for?5a?5b@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8418o
		inc	ecx
		outsb
		and	[ecx+52h], cl
		push	eax
		and	[ecx+ebp*2+73h], ah

loc_A518FA:				; CODE XREF: PAGEVRFY:00A51893j
					; PAGEVRFY:00A518D9j
		jo	short near ptr loc_A5195B+2

loc_A518FC:				; CODE XREF: PAGEVRFY:00A51887j
		jz	short near ptr loc_A5195B+6

loc_A518FE:				; CODE XREF: PAGEVRFY:loc_A51891j
					; PAGEVRFY:00A518DDj
		push	6E616820h
		db	64h
		insb
		db	65h
		jb	short loc_A51928
		outsw
		jb	short near ptr loc_A5192A+2
		popa
		and	[edx+75h], ah
		jnb	short loc_A51932
		imul	bp, [esp+esi*2+65h], 2072h
		push	64207361h
		db	65h
		insb
		db	65h
		jz	short loc_A51988
		and	fs:[ecx+74h], ch
		daa

loc_A51928:				; CODE XREF: PAGEVRFY:00A51905j
					; PAGEVRFY:loc_A518BEj
		jnb	short loc_A5194A

loc_A5192A:				; CODE XREF: PAGEVRFY:00A518BBj
					; PAGEVRFY:00A5190Aj
		db	64h, 65h
		jbe	short near ptr loc_A51996+1
		arpl	[ebp+20h], sp
		outsd

loc_A51932:				; CODE XREF: PAGEVRFY:00A51910j
		bound	ebp, [edx+65h]
		arpl	[esp+ebp+0Ah], si
		bound	esi, [ebp+74h]
		and	[eax+ebp*2+65h], dh
		and	[eax+44h], dl
		dec	edi
		and	[ecx+73h], ch

loc_A51947:				; CODE XREF: PAGEVRFY:00A518E5j
		and	[ebx+74h], dh

loc_A5194A:				; CODE XREF: PAGEVRFY:loc_A51928j
					; PAGEVRFY:00A518DFj
		imul	ebp, [esp+ebp*2+20h], 73657270h
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_A51976+1

loc_A51956:				; CODE XREF: PAGEVRFY:00A518E1j
		and	[edx+75h], al
		jnb	short loc_A5197B

loc_A5195B:				; CODE XREF: PAGEVRFY:loc_A518FAj
					; PAGEVRFY:loc_A518FCj
		imul	bp, [esp+esi*2+65h], 7372h
		and	[ebp+75h], ch
		jnb	short near ptr loc_A519D9+2
		and	[ebx+6Ch], ah
		db	65h
		popa
		outsb
		and	[ebp+70h], dh
		and	[ecx+6Eh], ch
		and	[esi+61h], al

loc_A51976:				; CODE XREF: PAGEVRFY:00A51954j
		jnb	short near ptr loc_A519EB+1
		dec	ecx
		outsd
		inc	esp

loc_A5197B:				; CODE XREF: PAGEVRFY:00A51959j
		db	65h
		jz	short near ptr loc_A519DE+1
		arpl	[eax+0Ah], bp
		arpl	[ecx+6Ch], sp
		insb
		bound	esp, [ecx+63h]

loc_A51988:				; CODE XREF: PAGEVRFY:00A51920j
		imul	esi, [ebx+2Eh],	0
; 
		dd 0
; 

??_C@_0IP@KANHJCGE@An?5IRP?5dispatch?5handler?5for?5a?5P@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA840Co
		inc	ecx
		outsb
		and	[ecx+52h], cl
		push	eax

loc_A51996:				; CODE XREF: PAGEVRFY:loc_A5192Aj
		and	[ecx+ebp*2+73h], ah
		jo	short near ptr loc_A519FB+2
		jz	short near ptr loc_A51A00+1
		push	6E616820h
		db	64h
		insb
		db	65h
		jb	short near ptr loc_A519C7+1
		outsw
		jb	short near ptr loc_A519CB+1
		popa
		and	[eax+44h], dl
		dec	edi
		and	[eax+61h], ch
		jnb	short near ptr loc_A519D5+1
		db	64h, 65h
		insb
		db	65h
		jz	short loc_A51A21
		and	fs:[ecx+74h], ch
		daa
		jnb	short near ptr loc_A519E2+1
		db	64h, 65h
		jbe	short near ptr loc_A51A2E+2

loc_A519C7:				; CODE XREF: PAGEVRFY:00A519A5j
		arpl	[ebp+20h], sp
		outsd

loc_A519CB:				; CODE XREF: PAGEVRFY:00A519AAj
		bound	ebp, [edx+65h]
		arpl	[esp+ebp+20h], si
		bound	esi, [ebp+74h]

loc_A519D5:				; CODE XREF: PAGEVRFY:00A519B4j
		or	dh, [eax+ebp*2+65h]

loc_A519D9:				; CODE XREF: PAGEVRFY:00A51965j
		and	[eax+61h], ch
		jb	short loc_A51A42

loc_A519DE:				; CODE XREF: PAGEVRFY:loc_A5197Bj
		ja	short near ptr loc_A51A40+1
		jb	short loc_A51A47

loc_A519E2:				; CODE XREF: PAGEVRFY:00A519C1j
		and	[eax+61h], ch
		jnb	short loc_A51A07
		outsb
		outsd
		jz	short loc_A51A0B

loc_A519EB:				; CODE XREF: PAGEVRFY:loc_A51976j
		bound	esp, [ebp+65h]
		outsb
		and	[edx+65h], dh
		jo	short near ptr loc_A51A61+2
		jb	short loc_A51A6A
		db	65h
		and	fs:[ecx+73h], ah

loc_A519FB:				; CODE XREF: PAGEVRFY:00A5199Aj
		and	[ebp+69h], ch
		jnb	short loc_A51A73

loc_A51A00:				; CODE XREF: PAGEVRFY:00A5199Cj
		imul	ebp, [esi+67h],	206E6920h

loc_A51A07:				; CODE XREF: PAGEVRFY:00A519E5j
		popa
		and	[edx+75h], ah

loc_A51A0B:				; CODE XREF: PAGEVRFY:00A519E9j
		jnb	short near ptr loc_A51A2C+1
		jb	short near ptr loc_A51A73+1
		insb
		popa
		jz	short near ptr loc_A51A7B+1
		outsd
		outsb
		jnb	short near ptr loc_A51A35+2
		jno	short near ptr loc_A51A8B+3
		db	65h
		jb	short near ptr loc_A51A92+3
		or	al, cs:[eax]
; 
		db 0
; 

??_C@_0IH@LNPJCCI@An?5IRP?5dispatch?5handler?5has?5ret@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8430o
		inc	ecx

loc_A51A21:				; CODE XREF: PAGEVRFY:00A519B9j
		outsb
		and	[ecx+52h], cl
		push	eax
		and	[ecx+ebp*2+73h], ah
		jo	short near ptr loc_A51A8B+2

loc_A51A2C:				; CODE XREF: PAGEVRFY:loc_A51A0Bj
		jz	short near ptr loc_A51A8B+6

loc_A51A2E:				; CODE XREF: PAGEVRFY:00A519C3j
		push	6E616820h
		db	64h
		insb

loc_A51A35:				; CODE XREF: PAGEVRFY:00A51A15j
		db	65h
		jb	short near ptr loc_A51A53+5
		push	72207361h
		db	65h
		jz	short near ptr loc_A51AB4+1

loc_A51A40:				; CODE XREF: PAGEVRFY:loc_A519DEj
		jb	short near ptr loc_A51AAE+2

loc_A51A42:				; CODE XREF: PAGEVRFY:00A519DCj
		db	65h
		and	fs:[ecx+20h], ah

loc_A51A47:				; CODE XREF: PAGEVRFY:00A519E0j
		jnb	short loc_A51ABD
		popa
		jz	short near ptr loc_A51AC0+1
		jnb	short near ptr loc_A51A6D+1
		jz	short near ptr loc_A51AB6+2
		popa
		jz	short loc_A51A73

loc_A51A53:				; CODE XREF: PAGEVRFY:loc_A51A35j
		imul	esi, [ebx+20h],	6F636E69h
		jb	short near ptr loc_A51ACA+4
		arpl	gs:[edx+ecx+28h], si

loc_A51A61:				; CODE XREF: PAGEVRFY:00A519F2j
		xor	[eax+46h], bh
		inc	esi
		inc	esi
		inc	esi
		inc	esi
		inc	esi
		inc	esi

loc_A51A6A:				; CODE XREF: PAGEVRFY:00A519F4j
		inc	esi
		sub	[esi], ebp

loc_A51A6D:				; CODE XREF: PAGEVRFY:00A51A4Cj
		and	[eax+ebp*2+69h], dl
		jnb	short near ptr loc_A51A92+1

loc_A51A73:				; CODE XREF: PAGEVRFY:00A519FEj
					; PAGEVRFY:00A51A51j ...
		imul	esi, [ebx+20h],	626F7270h
		popa

loc_A51A7B:				; CODE XREF: PAGEVRFY:00A51A11j
		bound	ebp, [ecx+edi*2+20h]
		db	64h
		jnz	short loc_A51AE7
		and	[edi+ebp*2+20h], dh
		popa
		outsb
		and	[ebp+6Eh], dh

loc_A51A8B:				; CODE XREF: PAGEVRFY:00A51A2Aj
					; PAGEVRFY:00A51A17j ...
		imul	ebp, [esi+69h],	6C616974h

loc_A51A92:				; CODE XREF: PAGEVRFY:00A51A71j
					; PAGEVRFY:00A51A19j
		imul	edi, [edx+65h],	74732064h
		popa
		arpl	[ebx+20h], bp
		jbe	short near ptr loc_A51AFF+1
		jb	short loc_A51B0A
		popa
		bound	ebp, [ebp+2Eh]
; 
		dw 0
; 

??_C@_0GJ@CHFCEDME@An?5IRP?5dispatch?5handler?5has?5ret@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8424o
		inc	ecx
		outsb
		and	[ecx+52h], cl
		push	eax

loc_A51AAE:				; CODE XREF: PAGEVRFY:loc_A51A40j
		and	[ecx+ebp*2+73h], ah
		jo	short near ptr byte_A51B15

loc_A51AB4:				; CODE XREF: PAGEVRFY:00A51A3Dj
		jz	short loc_A51B19

loc_A51AB6:				; CODE XREF: PAGEVRFY:00A51A4Ej
		push	6E616820h
		db	64h
		insb

loc_A51ABD:				; CODE XREF: PAGEVRFY:loc_A51A47j
		db	65h
		jb	short near ptr loc_A51ADB+5

loc_A51AC0:				; CODE XREF: PAGEVRFY:00A51A4Aj
		push	72207361h
		db	65h
		jz	short loc_A51B3D
		jb	short loc_A51B38

loc_A51ACA:				; CODE XREF: PAGEVRFY:00A51A5Aj
		db	65h
		and	fs:[ecx+20h], ah
		jnb	short loc_A51B45
		popa
		jz	short near ptr loc_A51B48+1
		jnb	short loc_A51AF6
		jz	short near ptr loc_A51B3F+1
		popa
		jz	short loc_A51AFB

loc_A51ADB:				; CODE XREF: PAGEVRFY:loc_A51ABDj
		imul	esi, [ebx+0Ah],	6F636E69h
		outsb
		jnb	short loc_A51B4E
		jnb	short near ptr loc_A51B59+2

loc_A51AE7:				; CODE XREF: PAGEVRFY:00A51A7Fj
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_A51B0A+1
		ja	short loc_A51B56
		jz	short near ptr loc_A51B56+1
		and	[eax+ebp*2+65h], dh
		and	[ecx+72h], cl

loc_A51AF6:				; CODE XREF: PAGEVRFY:00A51AD4j
		jo	short near ptr loc_A51B1E+1
		jnb	short loc_A51B1A
		dec	ecx

loc_A51AFB:				; CODE XREF: PAGEVRFY:00A51AD9j
		outsd
		push	ebx
		jz	short near ptr loc_A51B5F+1

loc_A51AFF:				; CODE XREF: PAGEVRFY:00A51A9Dj
		jz	short loc_A51B76
		jnb	short near ptr loc_A51B30+1
		push	ebx
		jz	short loc_A51B67
		jz	short loc_A51B7D
		jnb	short near ptr loc_A51B26+4

loc_A51B0A:				; CODE XREF: PAGEVRFY:00A51A9Fj
					; PAGEVRFY:00A51AE9j
		imul	sp, [ebp+6Ch], 2E64h
; 
		dd 0
		db 0
byte_A51B15	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A51AB2j
; 

??_C@_0GH@OGPGLNOD@An?5IRP?5dispatch?5handler?5has?5not@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA83E8o
		inc	ecx

loc_A51B19:				; CODE XREF: PAGEVRFY:loc_A51AB4j
		outsb

loc_A51B1A:				; CODE XREF: PAGEVRFY:00A51AF8j
		and	[ecx+52h], cl
		push	eax

loc_A51B1E:				; CODE XREF: PAGEVRFY:loc_A51AF6j
		and	[ecx+ebp*2+73h], ah
		jo	short loc_A51B85
		jz	short loc_A51B89

loc_A51B26:				; CODE XREF: PAGEVRFY:00A51B08j
		push	6E616820h
		db	64h
		insb
		db	65h
		jb	short near ptr loc_A51B4E+2

loc_A51B30:				; CODE XREF: PAGEVRFY:00A51B01j
		push	6E207361h
		outsd
		jz	short near ptr loc_A51B56+2

loc_A51B38:				; CODE XREF: PAGEVRFY:00A51AC8j
		jo	short near ptr loc_A51BAB+1
		outsd
		jo	short near ptr loc_A51BA1+1

loc_A51B3D:				; CODE XREF: PAGEVRFY:00A51AC5j
		jb	short loc_A51BAB

loc_A51B3F:				; CODE XREF: PAGEVRFY:00A51AD6j
		jns	short near ptr loc_A51B5F+2
		db	64h, 65h
		jz	short near ptr loc_A51BA3+3

loc_A51B45:				; CODE XREF: PAGEVRFY:00A51ACFj
		arpl	[eax+65h], bp

loc_A51B48:				; CODE XREF: PAGEVRFY:00A51AD2j
		and	fs:[esi+72h], ah
		outsd
		insd

loc_A51B4E:				; CODE XREF: PAGEVRFY:00A51AE3j
					; PAGEVRFY:00A51B2Dj
		and	[eax+ebp*2+65h], dh
		and	[ebx+74h], dh
		popa

loc_A51B56:				; CODE XREF: PAGEVRFY:00A51AEBj
					; PAGEVRFY:00A51AEDj ...
		arpl	[ebx+20h], bp

loc_A51B59:				; CODE XREF: PAGEVRFY:00A51AE5j
		bound	esp, [ebp+6Ch]
		outsd
		ja	short loc_A51B69

loc_A51B5F:				; CODE XREF: PAGEVRFY:00A51AFDj
					; PAGEVRFY:loc_A51B3Fj
		imul	esi, [eax+75h],	206E6F70h

loc_A51B67:				; CODE XREF: PAGEVRFY:00A51B04j
		jb	short near ptr loc_A51BCD+1

loc_A51B69:				; CODE XREF: PAGEVRFY:00A51B5Dj
		arpl	[ebp+69h], sp
		jbe	short near ptr loc_A51BD6+1
		outsb
		and	[bx+di+20h], ah
		jb	short near ptr loc_A51BD6+4
		insd

loc_A51B76:				; CODE XREF: PAGEVRFY:loc_A51AFFj
		outsd
		jbe	short loc_A51BDE
		and	[ecx+52h], cl
		push	eax

loc_A51B7D:				; CODE XREF: PAGEVRFY:00A51B06j
		add	cs:[eax], al

??_C@_0LE@MAMIKHOC@Previously?5set?5IRP_MJ_POWER?5sta@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA83DCo
		push	eax
		jb	short near ptr loc_A51BE3+5
		jbe	short near ptr loc_A51BEC+2

loc_A51B85:				; CODE XREF: PAGEVRFY:00A51B22j
		outsd
		jnz	short near ptr loc_A51BF9+2
		insb

loc_A51B89:				; CODE XREF: PAGEVRFY:00A51B24j
		jns	short loc_A51BAB
		jnb	short near ptr loc_A51BF1+1
		jz	short loc_A51BAF
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	eax
		dec	edi
		push	edi
		inc	ebp
		push	edx
		and	[ebx+74h], dh
		popa
		jz	short near ptr loc_A51C14+2

loc_A51BA1:				; CODE XREF: PAGEVRFY:00A51B3Bj
		jnb	short loc_A51BC3

loc_A51BA3:				; CODE XREF: PAGEVRFY:00A51B41j
		push	62207361h
		db	65h
		outs	dx, byte ptr gs:[esi]

loc_A51BAB:				; CODE XREF: PAGEVRFY:loc_A51B3Dj
					; PAGEVRFY:loc_A51B89j	...
		and	[ebx+6Fh], ah
		outsb

loc_A51BAF:				; CODE XREF: PAGEVRFY:00A51B8Dj
		jbe	short near ptr loc_A51C14+2
		jb	short loc_A51C27
		db	65h
		and	fs:[edi+ebp*2+0Ah], dh
		push	ebx
		push	esp
		inc	ecx
		push	esp
		push	ebp
		push	ebx
		pop	edi
		dec	esi
		dec	edi
		push	esp

loc_A51BC3:				; CODE XREF: PAGEVRFY:loc_A51BA1j
		pop	edi
		push	ebx
		push	ebp
		push	eax
		push	eax
		dec	edi
		push	edx
		push	esp
		inc	ebp
		inc	esp

loc_A51BCD:				; CODE XREF: PAGEVRFY:loc_A51B67j
		and	cs:[eax+ebp*2+69h], dl
		jnb	short near ptr loc_A51BF3+1
		popaw

loc_A51BD6:				; CODE XREF: PAGEVRFY:00A51B6Cj
					; PAGEVRFY:00A51B73j
		imul	ebp, [ebp+esi*2+72h], 74732065h

loc_A51BDE:				; CODE XREF: PAGEVRFY:00A51B77j
		popa
		jz	short loc_A51C56
		jnb	short near ptr loc_A51C00+3

loc_A51BE3:				; CODE XREF: PAGEVRFY:00A51B81j
		imul	esi, [ebx+20h],	65736572h
		jb	short near ptr loc_A51C5F+3

loc_A51BEC:				; CODE XREF: PAGEVRFY:00A51B83j
		db	65h
		and	fs:[esi+6Fh], ah

loc_A51BF1:				; CODE XREF: PAGEVRFY:00A51B8Bj
		jb	short near ptr loc_A51C12+1

loc_A51BF3:				; CODE XREF: PAGEVRFY:00A51BD2j
		jnz	short near ptr loc_A51C67+1
		and	gs:[edi+66h], ch

loc_A51BF9:				; CODE XREF: PAGEVRFY:00A51B86j
		and	[eax+ebp*2+65h], dh
		and	[edi+53h], cl

loc_A51C00:				; CODE XREF: PAGEVRFY:00A51BE1j
		or	ch, ds:69726420h
		jbe	short near ptr loc_A51C6A+3
		jb	short loc_A51C7D
		and	[ebx+61h], ah
		outsb
		outsb
		outsd
		jz	short loc_A51C32

loc_A51C12:				; CODE XREF: PAGEVRFY:loc_A51BF1j
		popaw

loc_A51C14:				; CODE XREF: PAGEVRFY:00A51B9Fj
					; PAGEVRFY:loc_A51BAFj
		imul	ebp, [eax+61h],	776F5020h
		db	65h
		jb	short loc_A51C3F
		dec	ecx
		push	edx
		push	eax
		and	[edi+69h], dh
		jz	short loc_A51C8F

loc_A51C27:				; CODE XREF: PAGEVRFY:00A51BB1j
		and	[eax+ebp*2+69h], dh
		jnb	short loc_A51C4D
		jbe	short near ptr loc_A51C8F+1
		insb
		jnz	short near ptr loc_A51C95+2

loc_A51C32:				; CODE XREF: PAGEVRFY:00A51C10j
		add	cs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_0KD@FCHOPAD@IRP_MJ_SYSTEM_CONTROL?5has?5been?5@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8400o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi

loc_A51C3F:				; CODE XREF: PAGEVRFY:00A51C1Cj
		push	ebx
		pop	ecx
		push	ebx
		push	esp
		inc	ebp
		dec	ebp
		pop	edi
		inc	ebx
		dec	edi
		dec	esi
		push	esp
		push	edx
		dec	edi
		dec	esp

loc_A51C4D:				; CODE XREF: PAGEVRFY:00A51C2Bj
		and	[eax+61h], ch
		jnb	short near ptr loc_A51C6E+4
		bound	esp, [ebp+65h]
		outsb

loc_A51C56:				; CODE XREF: PAGEVRFY:00A51BDFj
		and	[ebx+6Fh], ah
		insd
		jo	short loc_A51CC8
		db	65h
		jz	short near ptr loc_A51CC2+2

loc_A51C5F:				; CODE XREF: PAGEVRFY:00A51BEAj
		and	fs:[edx+79h], ah
		and	[ebx+6Fh], dh
		insd

loc_A51C67:				; CODE XREF: PAGEVRFY:loc_A51BF3j
		outs	dx, dword ptr gs:[esi]
		outsb

loc_A51C6A:				; CODE XREF: PAGEVRFY:00A51C06j
		and	gs:[edi+74h], ch

loc_A51C6E:				; CODE XREF: PAGEVRFY:00A51C50j
		push	74207265h
		push	74206E61h
		push	72500A65h

loc_A51C7D:				; CODE XREF: PAGEVRFY:00A51C08j
		outsd
		jbe	short near ptr loc_A51CE8+1
		db	64h, 65h
		jb	short loc_A51CCD
		db	64h
		and	cs:[eax+ebp*2+69h], dl
		jnb	short near ptr loc_A51CAB+1
		dec	ecx
		push	edx
		push	eax

loc_A51C8F:				; CODE XREF: PAGEVRFY:00A51C25j
					; PAGEVRFY:00A51C2Dj
		and	[ebx+68h], dh
		outsd
		jnz	short loc_A51D01

loc_A51C95:				; CODE XREF: PAGEVRFY:00A51C30j
		and	fs:[ebp+69h], ah
		jz	short near ptr loc_A51D01+2
		db	65h
		jb	short near ptr loc_A51CBD+1
		push	20657661h
		bound	esp, [ebp+65h]
		outsb
		and	[ebx+6Fh], ah
		insd

loc_A51CAB:				; CODE XREF: PAGEVRFY:00A51C8Aj
		jo	short near ptr loc_A51D18+1
		db	65h
		jz	short loc_A51D15
		and	fs:[ebp+61h], ah
		jb	short near ptr loc_A51D1C+6
		imul	esp, [ebp+72h],	0A726F20h

loc_A51CBD:				; CODE XREF: PAGEVRFY:00A51C9Bj
		jnb	short loc_A51D27
		outsd
		jnz	short loc_A51D2E

loc_A51CC2:				; CODE XREF: PAGEVRFY:00A51C5Cj
		and	fs:[eax+61h], ch
		jbe	short near ptr loc_A51D2B+2

loc_A51CC8:				; CODE XREF: PAGEVRFY:00A51C5Aj
		and	[edx+65h], ah
		outs	dx, byte ptr gs:[esi]

loc_A51CCD:				; CODE XREF: PAGEVRFY:00A51C80j
		and	[eax+61h], dh
		jnb	short loc_A51D45
		db	65h
		and	fs:[edi+ebp*2+77h], ah
		outsb
		add	cs:[eax], al
; 
		dd 0
; 

??_C@_0FF@GJLNIOPM@This?5driver?5has?5not?5filled?5out?5@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA83F4o
		push	esp
		push	64207369h
		jb	short loc_A51D51

loc_A51CE8:				; CODE XREF: PAGEVRFY:00A51C7Ej
		jbe	short loc_A51D4F
		jb	short loc_A51D0C
		push	6E207361h
		outsd
		jz	short near ptr loc_A51D0E+6
		imul	bp, [esp+ebp*2+65h], 2064h
		outsd
		jnz	short near ptr loc_A51D71+1
		and	[ecx+20h], ah

loc_A51D01:				; CODE XREF: PAGEVRFY:00A51C93j
					; PAGEVRFY:00A51C99j
		imul	esi, fs:[ebx+70h], 68637461h
		and	[edx+6Fh], dh

loc_A51D0C:				; CODE XREF: PAGEVRFY:00A51CEAj
		jnz	short near ptr loc_A51D7E+4

loc_A51D0E:				; CODE XREF: PAGEVRFY:00A51CF2j
		imul	ebp, [esi+65h],	726F6620h

loc_A51D15:				; CODE XREF: PAGEVRFY:00A51CADj
		and	[ecx+20h], ah

loc_A51D18:				; CODE XREF: PAGEVRFY:loc_A51CABj
		jb	short near ptr loc_A51D7E+1
		jno	short loc_A51D91

loc_A51D1C:				; CODE XREF: PAGEVRFY:00A51CB4j
		imul	esi, [edx+65h],	52492064h
		push	eax
		or	ch, [ebp+61h]

loc_A51D27:				; CODE XREF: PAGEVRFY:loc_A51CBDj
		push	6Fh
		jb	short loc_A51D4B

loc_A51D2B:				; CODE XREF: PAGEVRFY:00A51CC6j
		db	66h
		jnz	short loc_A51D9C

loc_A51D2E:				; CODE XREF: PAGEVRFY:00A51CC0j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		add	cs:[eax], al
; 
		dw 0
; 

??_C@_0FD@KJGCMDHB@Caller?5has?5completed?5a?5IRP_MJ_P@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8478o
		inc	ebx
		popa
		insb
		insb
		db	65h
		jb	short near ptr loc_A51D5C+3
		push	63207361h
		outsd

loc_A51D45:				; CODE XREF: PAGEVRFY:00A51CD0j
		insd
		jo	short near ptr loc_A51DB0+4
		db	65h
		jz	short loc_A51DB0

loc_A51D4B:				; CODE XREF: PAGEVRFY:00A51D29j
		and	fs:[ecx+20h], ah

loc_A51D4F:				; CODE XREF: PAGEVRFY:loc_A51CE8j
		dec	ecx
		push	edx

loc_A51D51:				; CODE XREF: PAGEVRFY:00A51CE6j
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	eax
		dec	esi
		push	eax
		and	[ecx+74h], ch

loc_A51D5C:				; CODE XREF: PAGEVRFY:00A51D3Cj
		and	[ecx+ebp*2+64h], ah
		outsb
		daa
		jz	short near ptr loc_A51D7E+6
		jnz	short near ptr loc_A51DD3+1
		db	64h, 65h
		jb	short near ptr loc_A51DDA+3
		jz	short near ptr loc_A51DCB+2
		outsb
		and	fs:[ecx+6Eh], ch

loc_A51D71:				; CODE XREF: PAGEVRFY:00A51CFCj
		jnb	short near ptr loc_A51DE6+1
		db	65h
		popa
		and	fs:[edi+66h], ch
		or	dh, [eax+61h]
		jnb	short near ptr loc_A51DF0+1

loc_A51D7E:				; CODE XREF: PAGEVRFY:loc_A51D18j
					; PAGEVRFY:loc_A51D0Cj	...
		imul	ebp, [esi+67h],	20746920h
		outs	dx, dword ptr fs:[esi]
		ja	short near ptr loc_A51DF6+1
		add	cs:[eax], al
; 
		dd 0
; 

??_C@_0GI@OCOIHPDH@PDO?5has?5forgotten?5to?5fill?5out?5t@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA846Co
		push	eax

loc_A51D91:				; CODE XREF: PAGEVRFY:00A51D1Aj
		inc	esp
		dec	edi
		and	[eax+61h], ch
		jnb	short near ptr loc_A51DB5+3
		outsw
		jb	short near ptr loc_A51DFF+4

loc_A51D9C:				; CODE XREF: PAGEVRFY:loc_A51D2Bj
		outsd
		jz	short loc_A51E13
		outs	dx, byte ptr gs:[esi]
		and	[edi+ebp*2+20h], dh
		imul	bp, [esp+ebp*2+20h], 756Fh
		jz	short near ptr loc_A51DCB+3
		jz	short loc_A51E18

loc_A51DB0:				; CODE XREF: PAGEVRFY:00A51D48j
					; PAGEVRFY:00A51D46j
		and	gs:[ebp+76h], ah

loc_A51DB5:				; CODE XREF: PAGEVRFY:00A51D96j
		imul	esp, [ebx+65h],	6C657220h
		popa
		jz	short near ptr loc_A51E23+5
		outsd
		outsb
		and	[ecx+ebp*2+73h], ch
		jz	short near ptr loc_A51DE6+1
		ja	short loc_A51E32
		jz	short near ptr loc_A51E32+1

loc_A51DCB:				; CODE XREF: PAGEVRFY:00A51D6Aj
					; PAGEVRFY:00A51DACj
		and	[eax+ebp*2+65h], dh
		and	[eax+44h], dl
		dec	edi

loc_A51DD3:				; CODE XREF: PAGEVRFY:00A51D64j
		and	[esi+6Fh], ah
		jb	short near ptr loc_A51DDF+3
		jz	short loc_A51E42

loc_A51DDA:				; CODE XREF: PAGEVRFY:00A51D66j
		and	gs:[ecx+72h], dl

loc_A51DDF:				; CODE XREF: PAGEVRFY:00A51DD6j
		db	67h, 65h
		jz	near ptr 1E27h
		db	65h
		jbe	short loc_A51E4F

loc_A51DE6:				; CODE XREF: PAGEVRFY:loc_A51D71j
					; PAGEVRFY:00A51DC5j
		arpl	[ebp+52h], sp
		db	65h
		insb
		popa
		jz	short near ptr loc_A51E55+2
		outsd
		outsb

loc_A51DF0:				; CODE XREF: PAGEVRFY:00A51D7Cj
		and	[ecx+75h], dh
		db	65h
		jb	short near ptr loc_A51E6E+1

loc_A51DF6:				; CODE XREF: PAGEVRFY:00A51D87j
					; DATA XREF: PAGEVRFD:00AA8490o
		add	cs:[ebx+61h], al
		insb
		insb
		db	65h
		jb	short loc_A51E1F

loc_A51DFF:				; CODE XREF: PAGEVRFY:00A51D9Aj
		push	63207361h
		outsd
		insd
		jo	short loc_A51E74
		db	65h
		jz	short near ptr loc_A51E6E+2
		and	fs:[ebp+6Eh], dh
		jz	short loc_A51E80
		jnz	short near ptr loc_A51E75+1

loc_A51E13:				; CODE XREF: PAGEVRFY:00A51D9Dj
		push	49206465h

loc_A51E18:				; CODE XREF: PAGEVRFY:00A51DAEj
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	eax

loc_A51E1F:				; CODE XREF: PAGEVRFY:00A51DFCj
		dec	esi
		push	eax
		and	[eax], ch

loc_A51E23:				; CODE XREF: PAGEVRFY:00A51DBDj
		imul	ebp, [esi+73h],	64616574h
		and	[edi+66h], ch
		and	[eax+61h], dh
		jnb	short loc_A51EA5

loc_A51E32:				; CODE XREF: PAGEVRFY:00A51DC7j
					; PAGEVRFY:00A51DC9j
		imul	ebp, [esi+67h],	65687420h
		and	[ecx+72h], ch
		jo	short loc_A51E48
		outs	dx, dword ptr fs:[esi]
		ja	short near ptr loc_A51EAF+1

loc_A51E42:				; CODE XREF: PAGEVRFY:00A51DD8j
		sub	[eax], esp
		outsd
		jb	short near ptr loc_A51E64+3
		outsb

loc_A51E48:				; CODE XREF: PAGEVRFY:00A51E3Cj
		outsd
		outsb
		sub	eax, 204F4450h

loc_A51E4F:				; CODE XREF: PAGEVRFY:00A51DE3j
		push	66207361h
		popa

loc_A51E55:				; CODE XREF: PAGEVRFY:00A51DECj
		imul	ebp, [ebp+64h],	65687420h
		and	[ecx+72h], ch
		jo	short loc_A51E82
		jnz	short near ptr loc_A51ED2+5

loc_A51E64:				; CODE XREF: PAGEVRFY:00A51E45j
		imul	ebp, [esi+67h],	636E6920h
		outsd
		jb	short ??_C@_0EJ@JIGELGGO@IRP?5completion?5routines?5must?5be@GHGBBCHJ@

loc_A51E6E:				; CODE XREF: PAGEVRFY:00A51DF3j
					; PAGEVRFY:00A51E08j
		arpl	gs:[eax+76h], si
		popa

loc_A51E74:				; CODE XREF: PAGEVRFY:00A51E06j
		insb

loc_A51E75:				; CODE XREF: PAGEVRFY:00A51E11j
		jnz	short near ptr loc_A51EDB+1
		and	[edi+66h], ch
		or	dl, [ebx+54h]
		inc	ecx
		push	esp
		push	ebp

loc_A51E80:				; CODE XREF: PAGEVRFY:00A51E0Fj
		push	ebx
		pop	edi

loc_A51E82:				; CODE XREF: PAGEVRFY:00A51E60j
		dec	esi
		dec	edi
		push	esp
		pop	edi
		push	ebx
		push	ebp
		push	eax
		push	eax
		dec	edi
		push	edx
		push	esp
		inc	ebp
		inc	esp
		add	cs:[eax], al
; 
		dw 0
		align 8

??_C@_0EH@POJDIHLF@Caller?5has?5completed?5successful@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8484o
		inc	ebx
		popa
		insb
		insb
		db	65h
		jb	short loc_A51EBF
		push	63207361h
		outsd

loc_A51EA5:				; CODE XREF: PAGEVRFY:00A51E30j
		insd
		jo	short loc_A51F14
		db	65h
		jz	short near ptr loc_A51F0E+2
		and	fs:[ebx+75h], dh

loc_A51EAF:				; CODE XREF: PAGEVRFY:00A51E40j
		arpl	[ebx+65h], sp
		jnb	short near ptr loc_A51F26+1
		db	66h
		jnz	short loc_A51F23
		and	[ecx+52h], cl
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi

loc_A51EBF:				; CODE XREF: PAGEVRFY:00A51E9Cj
		push	eax
		dec	esi
		push	eax
		and	[ecx+6Eh], ch
		jnb	short near ptr loc_A51F3A+1
		db	65h
		popa
		and	fs:[edi+66h], ch
		and	[eax+61h], dh
		jnb	short loc_A51F45

loc_A51ED2:				; CODE XREF: PAGEVRFY:00A51E62j
		imul	ebp, [esi+67h],	20746920h
		outs	dx, dword ptr fs:[esi]

loc_A51EDB:				; CODE XREF: PAGEVRFY:loc_A51E75j
		ja	short near ptr loc_A51F48+3
		add	cs:[eax], al

??_C@_0EJ@JIGELGGO@IRP?5completion?5routines?5must?5be@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A51E6Cj
					; DATA XREF: PAGEVRFD:00AA8448o
		dec	ecx
		push	edx
		push	eax
		and	[ebx+6Fh], ah
		insd
		jo	short near ptr loc_A51F52+3
		db	65h
		jz	short near ptr loc_A51F52+3
		outsd
		outsb
		and	[edx+6Fh], dh
		jnz	short near ptr loc_A51F61+6
		imul	ebp, [esi+65h],	756D2073h
		jnb	short loc_A51F70
		and	[edx+65h], ah
		and	[ecx+6Eh], ch
		and	[esi+6Fh], ch
		outsb
		jo	short loc_A51F69
		db	67h
		popa
		bound	ebp, [ebp+20h]

loc_A51F0E:				; CODE XREF: PAGEVRFY:00A51EA8j
		arpl	[edi+64h], bp
		db	65h
		sub	al, 20h

loc_A51F14:				; CODE XREF: PAGEVRFY:00A51EA6j
		popa
		outsb
		and	fs:[eax+ebp*2+69h], dh
		jnb	short near ptr loc_A51F3C+1
		outsd
		outsb
		and	gs:[ecx+73h], ch

loc_A51F23:				; CODE XREF: PAGEVRFY:00A51EB4j
		and	[esi+6Fh], ch

loc_A51F26:				; CODE XREF: PAGEVRFY:00A51EB2j
		jz	short near ptr loc_A51F52+4
; 
		dd 2 dup(0)
; 

??_C@_0HN@KNMBPLEM@An?5IRP?5dispatch?5handler?5has?5ret@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA843Co
		inc	ecx
		outsb
		and	[ecx+52h], cl
		push	eax
		and	[ecx+ebp*2+73h], ah

loc_A51F3A:				; CODE XREF: PAGEVRFY:00A51EC5j
		jo	short near ptr loc_A51F9C+1

loc_A51F3C:				; CODE XREF: PAGEVRFY:00A51F1Bj
		jz	short loc_A51FA1
		push	6E616820h
		db	64h
		insb

loc_A51F45:				; CODE XREF: PAGEVRFY:00A51ED0j
		db	65h
		jb	short loc_A51F68

loc_A51F48:				; CODE XREF: PAGEVRFY:loc_A51EDBj
		push	72207361h
		db	65h
		jz	short near ptr loc_A51FC2+3
		jb	short loc_A51FC0

loc_A51F52:				; CODE XREF: PAGEVRFY:00A51EE7j
					; PAGEVRFY:00A51EE9j ...
		db	65h
		and	fs:[edi+69h], dh
		jz	short loc_A51FC1
		outsd
		jnz	short near ptr loc_A51FCF+1
		and	[eax+61h], dh
		jnb	short near ptr loc_A51FCF+5

loc_A51F61:				; CODE XREF: PAGEVRFY:00A51EF1j
		imul	ebp, [esi+67h],	776F6420h

loc_A51F68:				; CODE XREF: PAGEVRFY:loc_A51F45j
		outsb

loc_A51F69:				; CODE XREF: PAGEVRFY:00A51F06j
		and	[edi+72h], ch
		and	[ebx+6Fh], ah
		insd

loc_A51F70:				; CODE XREF: PAGEVRFY:00A51EFAj
		jo	short near ptr word_A51FDE
		db	65h
		jz	short near ptr word_A51FDE
		outsb
		or	dh, [si+68h]
		imul	esi, [ebx+20h],	20707249h
		outsd
		jb	short loc_A51FA4
		jnb	short loc_A51FF5
		insd
		outs	dx, dword ptr gs:[esi]
		outsb
		and	gs:[esi+6Fh], ah
		jb	short near ptr loc_A51FF5+2
		outsd
		jz	short loc_A51FB3
		jz	short loc_A52004
		and	[edx+65h], dh
		jz	short near ptr loc_A5200A+5
		jb	short loc_A5200A

loc_A51F9C:				; CODE XREF: PAGEVRFY:loc_A51F3Aj
		and	[ebx+54h], dl
		inc	ecx
		push	esp

loc_A51FA1:				; CODE XREF: PAGEVRFY:loc_A51F3Cj
		push	ebp
		push	ebx
		pop	edi

loc_A51FA4:				; CODE XREF: PAGEVRFY:00A51F82j
		push	eax
		inc	ebp
		dec	esi
		inc	esp
		dec	ecx
		dec	esi
		inc	edi
		add	cs:[eax], al
; 
		dw 0
; 

??_C@_0CJ@JBAABAAL@PDO?5has?5not?5responded?5to?5a?5requ@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8460o
		push	eax
		inc	esp
		dec	edi

loc_A51FB3:				; CODE XREF: PAGEVRFY:00A51F91j
		and	[eax+61h], ch
		jnb	short near ptr loc_A51FD7+1
		outsb
		outsd
		jz	short near ptr byte_A51FDC
		jb	short near ptr loc_A52022+1
		jnb	short near ptr loc_A5202F+1

loc_A51FC0:				; CODE XREF: PAGEVRFY:00A51F50j
		outsd

loc_A51FC1:				; CODE XREF: PAGEVRFY:00A51F57j
		outsb

loc_A51FC2:				; CODE XREF: PAGEVRFY:00A51F4Dj
		db	64h, 65h
		and	fs:[edi+ebp*2+20h], dh
		popa
		and	[edx+65h], dh
		jno	short near ptr loc_A52042+2

loc_A51FCF:				; CODE XREF: PAGEVRFY:00A51F5Aj
					; PAGEVRFY:00A51F5Fj
		imul	esi, [edx+65h],	52492064h
		push	eax

loc_A51FD7:				; CODE XREF: PAGEVRFY:00A51FB6j
		add	cs:[eax], al
; 
		dw 0
byte_A51FDC	db 2 dup(0)		; CODE XREF: PAGEVRFY:00A51FBAj
word_A51FDE	dw 0			; CODE XREF: PAGEVRFY:loc_A51F70j
					; PAGEVRFY:00A51F72j
; 

??_C@_0MO@FJJAIIEL@A?5driver?8s?5completion?5routine?5h@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8454o
		inc	ecx
		and	[edx+esi*2+69h], ah
		jbe	short loc_A5204C
		jb	short loc_A52010
		jnb	short near ptr loc_A5200A+1
		arpl	[edi+6Dh], bp
		jo	short near ptr loc_A52057+5
		db	65h
		jz	short near ptr loc_A52057+5
		outsd
		outsb

loc_A51FF5:				; CODE XREF: PAGEVRFY:00A51F84j
					; PAGEVRFY:00A51F8Ej
		and	[edx+6Fh], dh
		jnz	short near ptr loc_A5206D+1
		imul	ebp, [esi+65h],	73616820h
		and	[esi+6Fh], ch

loc_A52004:				; CODE XREF: PAGEVRFY:00A51F93j
		jz	short loc_A52026
		insd
		popa
		jb	short near ptr loc_A52074+1

loc_A5200A:				; CODE XREF: PAGEVRFY:00A51F9Aj
					; PAGEVRFY:00A51FE9j ...
		db	65h
		and	fs:[eax+ebp*2+65h], dh

loc_A52010:				; CODE XREF: PAGEVRFY:00A51FE7j
		and	[ecx+52h], cl
		push	eax
		or	dh, [eax+65h]
		outsb
		imul	ebp, fs:[esi+67h], 20666920h
		jz	short near ptr loc_A52087+3

loc_A52022:				; CODE XREF: PAGEVRFY:00A51FBCj
		and	gs:[eax+65h], dl

loc_A52026:				; CODE XREF: PAGEVRFY:loc_A52004j
		outsb
		imul	ebp, fs:[esi+67h], 75746552h

loc_A5202F:				; CODE XREF: PAGEVRFY:00A51FBEj
		jb	short near ptr loc_A5209C+3
		db	65h
		and	fs:[esi+69h], ah
		db	65h
		insb
		and	fs:[edi+61h], dh
		jnb	short near ptr loc_A52057+7
		jnb	short loc_A520A5
		jz	short loc_A52062

loc_A52042:				; CODE XREF: PAGEVRFY:00A51FCDj
		imul	ebp, [esi+20h],	20656874h
		dec	ecx
		push	edx
		push	eax

loc_A5204C:				; CODE XREF: PAGEVRFY:00A51FE5j
		and	[eax+61h], dh
		jnb	short near ptr loc_A520C1+3
		db	65h
		and	fs:[edi+ebp*2+20h], dh

loc_A52057:				; CODE XREF: PAGEVRFY:00A51FEEj
					; PAGEVRFY:00A51FF0j ...
		imul	esi, [esi+ebp+0Ah], 73696854h
		and	[ebp+61h], ch

loc_A52062:				; CODE XREF: PAGEVRFY:00A52040j
		jns	short loc_A52084
		arpl	[ecx+75h], sp
		jnb	short loc_A520CE
		and	[eax+ebp*2+65h], dh

loc_A5206D:				; CODE XREF: PAGEVRFY:00A51FF8j
		and	[edi+53h], cl
		and	[edi+ebp*2+20h], dh

loc_A52074:				; CODE XREF: PAGEVRFY:00A52008j
		db	66h
		jb	short loc_A520DC
		db	65h
		jp	short near ptr loc_A520DE+1
		sub	al, 20h
		db	65h
		jnb	short loc_A520EF
		arpl	gs:[ecx+61h], bp
		insb

loc_A52084:				; CODE XREF: PAGEVRFY:loc_A52062j
		insb
		jns	short loc_A520A7

loc_A52087:				; CODE XREF: PAGEVRFY:00A52020j
		imul	esp, [esi+20h],	65206E61h
		jb	short near ptr loc_A52101+1
		outsd
		jb	short near ptr loc_A520B1+2
		imul	esi, [ebx+20h],	75746572h
		jb	short near ptr loc_A52109+1

loc_A5209C:				; CODE XREF: PAGEVRFY:loc_A5202Fj
		db	65h
		and	fs:[edx+79h], ah
		and	[eax+ebp*2+65h], dh

loc_A520A5:				; CODE XREF: PAGEVRFY:00A5203Ej
		or	ah, [eax]

loc_A520A7:				; CODE XREF: PAGEVRFY:00A52085j
		jnb	short near ptr loc_A5211C+1
		popa
		arpl	[ebx+2Eh], bp
; 
		db 3 dup(0)
; 

??_C@_0EF@NPONJEJK@A?5driver?5has?5marked?5an?5IRP?5pend@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA84E4o
		inc	ecx

loc_A520B1:				; CODE XREF: PAGEVRFY:00A52091j
		and	[edx+esi*2+69h], ah
		jbe	short loc_A5211C
		jb	short near ptr loc_A520D6+3
		push	6D207361h
		popa
		jb	short near ptr loc_A5212B+1

loc_A520C1:				; CODE XREF: PAGEVRFY:00A5204Fj
		db	65h
		and	fs:[ecx+6Eh], ah
		and	[ecx+52h], cl
		push	eax
		and	[eax+65h], dh
		outsb

loc_A520CE:				; CODE XREF: PAGEVRFY:00A52067j
		imul	ebp, fs:[esi+67h], 74756220h

loc_A520D6:				; CODE XREF: PAGEVRFY:00A520B7j
		and	[ecx+ebp*2+64h], ah
		outsb
		daa

loc_A520DC:				; CODE XREF: PAGEVRFY:loc_A52074j
		jz	short near ptr loc_A520FD+1

loc_A520DE:				; CODE XREF: PAGEVRFY:00A52077j
		jb	short near ptr loc_A52144+1
		jz	short near ptr loc_A52156+1
		jb	short loc_A52152
		and	[ebx+54h], dl
		inc	ecx
		push	esp
		push	ebp
		push	ebx
		pop	edi
		push	eax
		inc	ebp
		dec	esi

loc_A520EF:				; CODE XREF: PAGEVRFY:00A5207Cj
		inc	esp
		dec	ecx
		dec	esi
		inc	edi
		add	cs:[eax], al
; 
		dw 0
; 

??_C@_0GG@OBKMPCPM@A?5driver?5has?5returned?5STATUS_PE@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA84D8o
					; PAGEVRFD:00AA8544o
		inc	ecx
		and	[edx+esi*2+69h], ah

loc_A520FD:				; CODE XREF: PAGEVRFY:loc_A520DCj
		jbe	short near ptr loc_A52161+3
		jb	short loc_A52121

loc_A52101:				; CODE XREF: PAGEVRFY:00A5208Ej
		push	72207361h
		db	65h
		jz	short near ptr loc_A5217B+3

loc_A52109:				; CODE XREF: PAGEVRFY:00A5209Aj
		jb	short loc_A52179
		db	65h
		and	fs:[ebx+54h], dl
		inc	ecx
		push	esp
		push	ebp
		push	ebx
		pop	edi
		push	eax
		inc	ebp
		dec	esi
		inc	esp
		dec	ecx
		dec	esi
		inc	edi

loc_A5211C:				; CODE XREF: PAGEVRFY:00A520B5j
					; PAGEVRFY:loc_A520A7j
		and	[edx+75h], ah
		jz	short loc_A52141

loc_A52121:				; CODE XREF: PAGEVRFY:00A520FFj
		imul	esp, fs:[eax+6Eh], 6D20746Fh
		popa

loc_A5212B:				; CODE XREF: PAGEVRFY:00A520BFj
		jb	short near ptr loc_A52197+1
		and	[eax+ebp*2+65h], dh
		and	[ecx+52h], cl
		push	eax
		and	[eax+65h], dh
		outsb
		imul	ebp, fs:[esi+67h], 6169760Ah

loc_A52141:				; CODE XREF: PAGEVRFY:00A5211Fj
		and	[ecx+20h], ah

loc_A52144:				; CODE XREF: PAGEVRFY:loc_A520DEj
		arpl	[ecx+6Ch], sp
		insb
		and	[edi+ebp*2+20h], dh
		dec	ecx
		outsd
		dec	ebp
		popa
		jb	short near ptr loc_A521BB+2

loc_A52152:				; CODE XREF: PAGEVRFY:00A520E2j
		dec	ecx
		jb	short loc_A521C5
		push	eax

loc_A52156:				; CODE XREF: PAGEVRFY:00A520E0j
		outs	dx, byte ptr gs:[esi]
		imul	ebp, fs:[esi+67h], 2Eh

??_C@_0EH@OPFCDOOB@A?5driver?5has?5detached?5it?8s?5devi@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA84FCo
		inc	ecx

loc_A52161:				; CODE XREF: PAGEVRFY:loc_A520FDj
		and	[edx+esi*2+69h], ah
		jbe	short near ptr loc_A521CB+1
		jb	short near ptr loc_A52186+3
		push	64207361h
		db	65h
		jz	short loc_A521D2
		arpl	[eax+65h], bp
		and	fs:[ecx+74h], ch
		daa

loc_A52179:				; CODE XREF: PAGEVRFY:loc_A52109j
		jnb	short near ptr loc_A52197+4

loc_A5217B:				; CODE XREF: PAGEVRFY:00A52106j
		db	64h, 65h
		jbe	short near ptr loc_A521E7+1
		arpl	[ebp+20h], sp
		outsd
		bound	ebp, [edx+65h]

loc_A52186:				; CODE XREF: PAGEVRFY:00A52167j
		arpl	[eax+64h], si
		jnz	short near ptr loc_A521FD+1
		imul	ebp, [esi+67h],	73206120h
		jnz	short loc_A52207
		jo	short near ptr loc_A52207+2

loc_A52197:				; CODE XREF: PAGEVRFY:loc_A5212Bj
					; PAGEVRFY:loc_A52179j
		imul	esi, [ebx+65h],	6D657220h
		outsd
		jbe	short loc_A52206
		and	[ecx+52h], cl
		push	eax
		add	cs:[eax], al

??_C@_0HD@DCFDNNOF@A?5driver?5is?5attempting?5to?5delet@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA84F0o
		inc	ecx
		and	[edx+esi*2+69h], ah
		jbe	short loc_A52214
		jb	short near ptr loc_A521CF+2
		imul	esi, [ebx+20h],	65747461h
		insd
		jo	short near ptr loc_A5222D+2

loc_A521BB:				; CODE XREF: PAGEVRFY:00A52150j
		imul	ebp, [esi+67h],	206F7420h
		db	64h, 65h
		insb

loc_A521C5:				; CODE XREF: PAGEVRFY:00A52153j
		db	65h
		jz	short loc_A5222D
		and	[ecx+20h], ah

loc_A521CB:				; CODE XREF: PAGEVRFY:00A52165j
		db	64h, 65h
		jbe	short loc_A52238

loc_A521CF:				; CODE XREF: PAGEVRFY:00A521AFj
		arpl	[ebp+20h], sp

loc_A521D2:				; CODE XREF: PAGEVRFY:00A5216Ej
		outsd
		bound	ebp, [edx+65h]
		arpl	[eax+74h], si
		push	68207461h
		popa
		jnb	short near ptr loc_A521FF+3
		popa
		insb
		jb	short loc_A5224B
		popa

loc_A521E7:				; CODE XREF: PAGEVRFY:loc_A5217Bj
		db	64h
		jns	short near ptr loc_A52207+3
		bound	esp, [ebp+65h]
		outsb
		or	ah, [ebp+6Ch]
		db	65h
		jz	short loc_A5225A
		and	fs:[esi+69h], dh
		popa
		and	[ecx+20h], ah

loc_A521FD:				; CODE XREF: PAGEVRFY:00A5218Aj
		jo	short loc_A52271

loc_A521FF:				; CODE XREF: PAGEVRFY:00A521E0j
		imul	ebp, [edi+72h],	6C616320h

loc_A52206:				; CODE XREF: PAGEVRFY:00A5219Fj
		insb

loc_A52207:				; CODE XREF: PAGEVRFY:00A52193j
					; PAGEVRFY:00A52195j ...
		and	[edi+ebp*2+20h], dh
		dec	ecx
		outsd
		inc	esp
		db	65h
		insb
		db	65h
		jz	short near ptr loc_A52277+1
		inc	esp

loc_A52214:				; CODE XREF: PAGEVRFY:00A521ADj
		db	65h
		jbe	short loc_A52280
		arpl	[ebp+2Eh], sp
; 
		dw 0
		align 10h

??_C@_0GN@IGCBEFPO@The?5size?5field?5of?5the?5query?5cap@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA84A8o
		push	esp
		push	69732065h
		jp	short near ptr loc_A52287+6
		and	[esi+69h], ah
		db	65h
		insb

loc_A5222D:				; CODE XREF: PAGEVRFY:loc_A521C5j
					; PAGEVRFY:00A521B9j
		and	fs:[edi+66h], ch
		and	[eax+ebp*2+65h], dh
		and	[ecx+75h], dh

loc_A52238:				; CODE XREF: PAGEVRFY:loc_A521CBj
		db	65h
		jb	short near ptr loc_A522B3+1
		and	[ebx+61h], ah
		jo	short near ptr loc_A522A0+1
		bound	ebp, [ecx+6Ch]
		imul	esi, [ecx+ebp*2+65h], 74732073h

loc_A5224B:				; CODE XREF: PAGEVRFY:00A521E4j
		jb	short near ptr loc_A522C0+2
		arpl	[ebp+esi*2+72h], si
		and	gs:[ecx+6Eh], ch
		and	[ecx+20h], ah
		jno	short near ptr loc_A522CD+2

loc_A5225A:				; CODE XREF: PAGEVRFY:00A521F2j
		db	65h
		jb	short near ptr loc_A522D5+1
		or	ah, [ebx+61h]
		jo	short near ptr loc_A522C0+3
		bound	ebp, [ecx+6Ch]
		imul	esi, [ecx+ebp*2+65h], 52492073h
		push	eax
		and	[edi+61h], dh

loc_A52271:				; CODE XREF: PAGEVRFY:loc_A521FDj
		jnb	short near ptr loc_A52291+2
		outsb
		outsd
		jz	short near ptr loc_A52296+1

loc_A52277:				; CODE XREF: PAGEVRFY:00A52210j
		jo	short near ptr loc_A522EA+1
		outsd
		jo	short loc_A522E1
		jb	short loc_A522EA
		jns	short loc_A522A0

loc_A52280:				; CODE XREF: PAGEVRFY:loc_A52214j
		imul	ebp, [esi+69h],	6C616974h

loc_A52287:				; CODE XREF: PAGEVRFY:00A52226j
		imul	edi, [edx+65h],	2E64h
; 
		dw 0
; 

??_C@_0HA@EJDHFGKM@The?5version?5field?5of?5the?5query?5@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA849Co
		push	esp

loc_A52291:				; CODE XREF: PAGEVRFY:loc_A52271j
		push	65762065h

loc_A52296:				; CODE XREF: PAGEVRFY:00A52275j
		jb	short near ptr loc_A5230A+1
		imul	ebp, [edi+6Eh],	65696620h
		insb

loc_A522A0:				; CODE XREF: PAGEVRFY:00A5227Ej
					; PAGEVRFY:00A5223Ej
		and	fs:[edi+66h], ch
		and	[eax+ebp*2+65h], dh
		and	[ecx+75h], dh
		db	65h
		jb	short near ptr loc_A52325+2
		and	[ebx+61h], ah
		jo	short near ptr loc_A52312+2

loc_A522B3:				; CODE XREF: PAGEVRFY:loc_A52238j
		bound	ebp, [ecx+6Ch]
		imul	esi, [ecx+ebp*2+65h], 74732073h
		jb	short near ptr loc_A52332+3

loc_A522C0:				; CODE XREF: PAGEVRFY:loc_A5224Bj
					; PAGEVRFY:00A52260j
		arpl	[ebp+esi*2+72h], si
		and	gs:[ecx+6Eh], ch
		and	[ecx+20h], ah
		jno	short loc_A52342

loc_A522CD:				; CODE XREF: PAGEVRFY:00A52258j
		db	65h
		jb	short near ptr loc_A52347+2
		or	ah, [ebx+61h]
		jo	short loc_A52336

loc_A522D5:				; CODE XREF: PAGEVRFY:loc_A5225Aj
		bound	ebp, [ecx+6Ch]
		imul	esi, [ecx+ebp*2+65h], 52492073h
		push	eax

loc_A522E1:				; CODE XREF: PAGEVRFY:00A5227Aj
		and	[edi+61h], dh
		jnb	short loc_A52306
		outsb
		outsd
		jz	short loc_A5230A

loc_A522EA:				; CODE XREF: PAGEVRFY:00A5227Cj
					; PAGEVRFY:loc_A52277j
		jo	short loc_A5235E
		outsd
		jo	short near ptr loc_A52353+1
		jb	short near ptr loc_A5235C+1
		jns	short near ptr loc_A52312+1
		imul	ebp, [esi+69h],	6C616974h
; 
		dw 7A69h
		dd 2E6465h
; 

??_C@_0HI@ECOBHJPP@The?5UI?5Number?5field?5of?5the?5quer@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA84C0o
		push	esp
		push	49552065h

loc_A52306:				; CODE XREF: PAGEVRFY:00A522E4j
		and	[esi+75h], cl
		insd

loc_A5230A:				; CODE XREF: PAGEVRFY:00A522E8j
					; PAGEVRFY:loc_A52296j
		bound	esp, [ebp+72h]
		and	[esi+69h], ah
		db	65h
		insb

loc_A52312:				; CODE XREF: PAGEVRFY:00A522F1j
					; PAGEVRFY:00A522B1j
		and	fs:[edi+66h], ch
		and	[eax+ebp*2+65h], dh
		and	[ecx+75h], dh
		db	65h
		jb	short loc_A52399
		and	[ebx+61h], ah
		jo	short loc_A52386

loc_A52325:				; CODE XREF: PAGEVRFY:00A522ABj
		bound	ebp, [ecx+6Ch]
		imul	esi, [ecx+ebp*2+65h], 74732073h
		jb	short near ptr loc_A523A6+1

loc_A52332:				; CODE XREF: PAGEVRFY:00A522BEj
		arpl	[ebp+esi*2+72h], si

loc_A52336:				; CODE XREF: PAGEVRFY:00A522D3j
		and	gs:[ecx+6Eh], ch
		and	[ecx+20h], ah
		jno	short near ptr loc_A523B3+1
		db	65h
		jb	short loc_A523BB

loc_A52342:				; CODE XREF: PAGEVRFY:00A522CBj
		or	ah, [ebx+61h]
		jo	short loc_A523A8

loc_A52347:				; CODE XREF: PAGEVRFY:loc_A522CDj
		bound	ebp, [ecx+6Ch]
		imul	esi, [ecx+ebp*2+65h], 52492073h
		push	eax

loc_A52353:				; CODE XREF: PAGEVRFY:00A522EDj
		and	[edi+61h], dh
		jnb	short ??_C@_0HG@GIODMEEC@The?5address?5field?5of?5the?5query?5@GHGBBCHJ@
		outsb
		outsd
		jz	short near ptr loc_A52379+3

loc_A5235C:				; CODE XREF: PAGEVRFY:00A522EFj
		jo	short loc_A523D0

loc_A5235E:				; CODE XREF: PAGEVRFY:loc_A522EAj
		outsd
		jo	short near ptr loc_A523C0+6
		jb	short loc_A523CF
		jns	short near ptr loc_A52383+2
		imul	ebp, [esi+69h],	6C616974h
		imul	edi, [edx+65h],	6F742064h
; 
		db 20h
		dd 2E312Dh
; 

??_C@_0HG@GIODMEEC@The?5address?5field?5of?5the?5query?5@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A52356j
					; DATA XREF: PAGEVRFD:00AA84B4o
		push	esp

loc_A52379:				; CODE XREF: PAGEVRFY:00A5235Aj
		push	64612065h
		db	64h
		jb	short near ptr loc_A523E2+4
		jnb	short near ptr loc_A523F5+1

loc_A52383:				; CODE XREF: PAGEVRFY:00A52363j
		and	[esi+69h], ah

loc_A52386:				; CODE XREF: PAGEVRFY:00A52323j
		db	65h
		insb
		and	fs:[edi+66h], ch
		and	[eax+ebp*2+65h], dh
		and	[ecx+75h], dh
		db	65h
		jb	short near ptr loc_A5240C+3
		and	[ebx+61h], ah

loc_A52399:				; CODE XREF: PAGEVRFY:00A5231Dj
		jo	short near ptr loc_A523F9+3
		bound	ebp, [ecx+6Ch]
		imul	esi, [ecx+ebp*2+65h], 74732073h

loc_A523A6:				; CODE XREF: PAGEVRFY:00A52330j
		jb	short near ptr loc_A5241A+3

loc_A523A8:				; CODE XREF: PAGEVRFY:00A52345j
		arpl	[ebp+esi*2+72h], si
		and	gs:[ecx+6Eh], ch
		and	[ecx+20h], ah

loc_A523B3:				; CODE XREF: PAGEVRFY:00A5233Dj
		jno	short loc_A5242A
		db	65h
		jb	short near ptr loc_A52430+1
		or	ah, [ebx+61h]

loc_A523BB:				; CODE XREF: PAGEVRFY:00A5233Fj
		jo	short loc_A5241E
		bound	ebp, [ecx+6Ch]

loc_A523C0:				; CODE XREF: PAGEVRFY:00A5235Fj
		imul	esi, [ecx+ebp*2+65h], 52492073h
		push	eax
		and	[edi+61h], dh
		jnb	short near ptr loc_A523E9+5
		outsb

loc_A523CF:				; CODE XREF: PAGEVRFY:00A52361j
		outsd

loc_A523D0:				; CODE XREF: PAGEVRFY:loc_A5235Cj
		jz	short near ptr loc_A523F1+1
		jo	short near ptr loc_A52445+1
		outsd
		jo	short loc_A5243C
		jb	short loc_A52445
		jns	short near ptr loc_A523F9+2
		imul	ebp, [esi+69h],	6C616974h

loc_A523E2:				; CODE XREF: PAGEVRFY:00A5237Ej
		imul	edi, [edx+65h],	6F742064h

loc_A523E9:				; CODE XREF: PAGEVRFY:00A523CCj
		and	large ds:2E31h,	ch
; 
		db 0
; 

??_C@_0FA@FLNPJEGA@A?5driver?5has?5passed?5an?5invalid?5@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8550o
		inc	ecx

loc_A523F1:				; CODE XREF: PAGEVRFY:loc_A523D0j
		and	[edx+esi*2+69h], ah

loc_A523F5:				; CODE XREF: PAGEVRFY:00A52381j
		jbe	short loc_A5245C
		jb	short near ptr loc_A52418+1

loc_A523F9:				; CODE XREF: PAGEVRFY:00A523D9j
					; PAGEVRFY:loc_A52399j
		push	70207361h
		popa
		jnb	short loc_A52474
		db	65h
		and	fs:[ecx+6Eh], ah
		and	[ecx+6Eh], ch
		jbe	short loc_A5246C
		insb

loc_A5240C:				; CODE XREF: PAGEVRFY:00A52393j
		imul	esp, [eax+64h],	63697665h
		and	gs:[edi+62h], ch

loc_A52418:				; CODE XREF: PAGEVRFY:00A523F7j
		push	65h

loc_A5241A:				; CODE XREF: PAGEVRFY:loc_A523A6j
		arpl	[eax+74h], si

loc_A5241E:				; CODE XREF: PAGEVRFY:loc_A523BBj
		outsd
		and	[ecx+20h], ah
		db	66h
		jnz	short loc_A52493
		arpl	[ecx+ebp*2+6Fh], si
		outsb

loc_A5242A:				; CODE XREF: PAGEVRFY:loc_A523B3j
		and	[eax+ebp*2+61h], dh
		jz	short loc_A52450

loc_A52430:				; CODE XREF: PAGEVRFY:00A523B5j
		jb	short near ptr loc_A52495+2
		jno	short near ptr loc_A524A5+4
		imul	esi, [edx+65h],	20610A73h
		push	eax

loc_A5243C:				; CODE XREF: PAGEVRFY:00A523D5j
		inc	esp
		dec	edi

loc_A5243E:				; DATA XREF: PAGEVRFD:00AA8538o
		add	cs:[ecx+20h], al
		db	64h
		jb	short loc_A524AE

loc_A52445:				; CODE XREF: PAGEVRFY:00A523D7j
					; PAGEVRFY:00A523D2j
		jbe	short loc_A524AC
		jb	short loc_A52469
		push	73207361h
		jnz	short near ptr loc_A524B0+3

loc_A52450:				; CODE XREF: PAGEVRFY:00A5242Ej
		arpl	[ebp+65h], sp
		db	64h, 65h
		and	fs:[ecx+52h], cl
		push	eax
		pop	edi
		dec	ebp

loc_A5245C:				; CODE XREF: PAGEVRFY:loc_A523F5j
		dec	edx
		pop	edi
		push	eax
		dec	esi
		push	eax
		db	2Eh
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi

loc_A52469:				; CODE XREF: PAGEVRFY:00A52447j
		push	ecx
		push	ebp
		inc	ebp

loc_A5246C:				; CODE XREF: PAGEVRFY:00A52409j
		push	edx
		pop	ecx
		pop	edi
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx

loc_A52474:				; CODE XREF: PAGEVRFY:00A523FFj
		inc	ebp
		pop	edi
		push	edx
		inc	ebp
		dec	esp
		inc	ecx
		push	esp
		dec	ecx
		dec	edi
		dec	esi
		push	ebx
		sub	[ecx+72h], dl
		db	67h, 65h
		jz	near ptr 24D9h
		db	65h
		insb
		popa
		jz	short loc_A524F5
		outsd
		outsb
		jnb	short loc_A524B9
		or	ah, [edx+75h]

loc_A52493:				; CODE XREF: PAGEVRFY:00A52422j
		jz	short near ptr loc_A524B4+1

loc_A52495:				; CODE XREF: PAGEVRFY:loc_A52430j
		imul	esp, fs:[esi+ebp*2+27h], 72702074h
		outsd
		jo	short near ptr loc_A52504+2
		jb	short near ptr loc_A5250D+2
		jns	short near ptr loc_A524C4+1

loc_A524A5:				; CODE XREF: PAGEVRFY:00A52432j
		imul	bp, [esp+ebp*2+20h], 756Fh

loc_A524AC:				; CODE XREF: PAGEVRFY:loc_A52445j
		jz	short near ptr loc_A524CC+2

loc_A524AE:				; CODE XREF: PAGEVRFY:00A52442j
		jz	short near ptr loc_A52517+1

loc_A524B0:				; CODE XREF: PAGEVRFY:00A5244Ej
		and	gs:[edx+65h], dh

loc_A524B4:				; CODE XREF: PAGEVRFY:loc_A52493j
		jno	short loc_A5252B
		db	65h
		jnb	short loc_A5252D

loc_A524B9:				; CODE XREF: PAGEVRFY:00A5248Ej
		and	[edi+72h], ch
		and	[esi+6Fh], ah
		jb	short near ptr loc_A52537+1
		popa
		jb	short near ptr loc_A52526+2

loc_A524C4:				; CODE XREF: PAGEVRFY:00A524A3j
		and	[eax+ebp*2+65h], dh
		and	[ecx+52h], cl
		push	eax

loc_A524CC:				; CODE XREF: PAGEVRFY:loc_A524ACj
		and	[edi+ebp*2+20h], dh
		jz	short near ptr loc_A52539+1
		or	dh, gs:[ebp+6Eh]
		db	64h, 65h
		jb	short near ptr loc_A52542+4
		jns	short near ptr loc_A52542+3
		outsb
		and	[bx+si+61h], ch
		jb	short near ptr loc_A52542+5
		ja	short near ptr loc_A52542+4
		jb	short loc_A5254C
		and	[ebx+74h], dh
		popa
		arpl	[ebx+2Eh], bp
; 
		dw 0
; 

??_C@_0DI@GGKLPOHH@A?5driver?5has?5forwarded?5an?5IRP?5a@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8568o
		inc	ecx
		and	[edx+esi*2+69h], ah

loc_A524F5:				; CODE XREF: PAGEVRFY:00A5248Aj
		jbe	short near ptr loc_A52556+6
		jb	short near ptr loc_A52517+2
		push	66207361h
		outsd
		jb	short near ptr loc_A52575+3
		popa
		jb	short near ptr loc_A52565+3

loc_A52504:				; CODE XREF: PAGEVRFY:00A5249Fj
		db	65h
		and	fs:[ecx+6Eh], ah
		and	[ecx+52h], cl
		push	eax

loc_A5250D:				; CODE XREF: PAGEVRFY:00A524A1j
		and	[ecx+74h], ah
		and	[ecx+52h], cl
		push	ecx
		dec	esp
		and	[esi], bh

loc_A52517:				; CODE XREF: PAGEVRFY:loc_A524AEj
					; PAGEVRFY:00A524F7j
		and	[ecx+ecx*2+53h], al
		push	eax
		inc	ecx
		push	esp
		inc	ebx
		dec	eax
		pop	edi
		dec	esp
		inc	ebp
		push	esi
		inc	ebp
		dec	esp

loc_A52526:				; CODE XREF: PAGEVRFY:00A524C2j
					; DATA XREF: PAGEVRFD:00AA855Co
		add	cs:[edx+esi*2+69h], al

loc_A5252B:				; CODE XREF: PAGEVRFY:loc_A524B4j
		jbe	short near ptr loc_A52591+1

loc_A5252D:				; CODE XREF: PAGEVRFY:00A524B6j
		jb	short near ptr loc_A5254E+1
		push	72207361h
		db	65h
		jz	short near ptr loc_A525A6+6

loc_A52537:				; CODE XREF: PAGEVRFY:00A524BFj
		jb	short near ptr loc_A525A6+1

loc_A52539:				; CODE XREF: PAGEVRFY:00A524D0j
		db	65h
		and	fs:[ecx+20h], ah
		jnb	short loc_A525B5
		jnb	short near ptr loc_A525B1+1

loc_A52542:				; CODE XREF: PAGEVRFY:00A524DAj
					; PAGEVRFY:00A524D6j ...
		imul	esp, [ebx+69h],	2073756Fh
		jnb	short near ptr loc_A525BC+3
		popa

loc_A5254C:				; CODE XREF: PAGEVRFY:00A524E5j
		jz	short loc_A525C3

loc_A5254E:				; CODE XREF: PAGEVRFY:loc_A5252Dj
		jnb	short loc_A5257E
		and	[eax+ebp*2+69h], dl
		jnb	short near ptr loc_A52575+1

loc_A52556:				; CODE XREF: PAGEVRFY:loc_A524F5j
		imul	esi, [ebx+20h],	626F7270h
		popa
		bound	ebp, [ecx+edi*2+20h]
		db	64h
		jnz	short near ptr loc_A525C8+2

loc_A52565:				; CODE XREF: PAGEVRFY:00A52502j
		and	[edi+ebp*2+20h], dh
		popa
		outsb
		or	dh, [ebp+6Eh]
		imul	ebp, [esi+69h],	6C616974h

loc_A52575:				; CODE XREF: PAGEVRFY:00A52554j
					; PAGEVRFY:00A524FFj
		imul	edi, [edx+65h],	61762064h
		jb	short near ptr loc_A525E5+2

loc_A5257E:				; CODE XREF: PAGEVRFY:loc_A5254Ej
		popa
		bound	ebp, [ebp+20h]
		bound	esi, [ebp+67h]
		and	[ecx+6Eh], ch
		and	[eax+ebp*2+65h], dh
		and	[edx+esi*2+69h], ah

loc_A52591:				; CODE XREF: PAGEVRFY:loc_A5252Bj
		jbe	short near ptr loc_A525F7+1
		jb	short loc_A525C3
; 
		db 3 dup(0)
; 

??_C@_0FC@GLNEHKBH@A?5driver?5has?5added?5a?5device?5obj@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8514o
		inc	ecx
		and	[edx+esi*2+69h], ah
		jbe	short near ptr loc_A52603+1
		jb	short loc_A525C1
		push	61207361h

loc_A525A6:				; CODE XREF: PAGEVRFY:loc_A52537j
					; PAGEVRFY:00A52534j
		db	64h, 64h, 65h
		and	fs:[ecx+20h], ah
		db	64h, 65h
		jbe	short near ptr loc_A52619+1

loc_A525B1:				; CODE XREF: PAGEVRFY:00A52540j
		arpl	[ebp+20h], sp
		outsd

loc_A525B5:				; CODE XREF: PAGEVRFY:00A5253Ej
		bound	ebp, [edx+65h]
		arpl	[eax+74h], si

loc_A525BC:				; CODE XREF: PAGEVRFY:00A52549j
		push	69207461h

loc_A525C1:				; CODE XREF: PAGEVRFY:00A5259Fj
		jnb	short loc_A525E3

loc_A525C3:				; CODE XREF: PAGEVRFY:loc_A5254Cj
					; PAGEVRFY:00A52593j
		outsb
		outsd
		jz	short near ptr loc_A525E5+2
		popa

loc_A525C8:				; CODE XREF: PAGEVRFY:00A52562j
		and	[eax+44h], dl
		dec	edi
		and	[edi+ebp*2+20h], dh
		popa
		and	[ebp+76h], ah
		imul	esp, [ebx+65h],	6C65720Ah
		popa
		jz	short near ptr loc_A52646+2
		outsd
		outsb
		jnb	short loc_A52603

loc_A525E3:				; CODE XREF: PAGEVRFY:loc_A525C1j
		jno	short near ptr loc_A52659+1

loc_A525E5:				; CODE XREF: PAGEVRFY:00A5257Cj
					; PAGEVRFY:00A525C5j
		db	65h
		jb	short loc_A52661
		add	cs:[eax], al
; 
		db 0
		align 10h

??_C@_0EG@HHAJHKPH@A?5driver?5has?5deleted?5it?8s?5devic@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8508o
		inc	ecx
		and	[edx+esi*2+69h], ah
		jbe	short near ptr loc_A52659+3

loc_A525F7:				; CODE XREF: PAGEVRFY:loc_A52591j
		jb	short loc_A52619
		push	64207361h
		db	65h
		insb
		db	65h
		jz	short near ptr loc_A52665+3

loc_A52603:				; CODE XREF: PAGEVRFY:00A525E1j
					; PAGEVRFY:00A5259Dj
		and	fs:[ecx+74h], ch
		daa
		jnb	short near ptr loc_A52626+4
		db	64h, 65h
		jbe	short near ptr loc_A52675+2
		arpl	[ebp+20h], sp
		outsd
		bound	ebp, [edx+65h]
		arpl	[eax+64h], si

loc_A52619:				; CODE XREF: PAGEVRFY:loc_A525F7j
					; PAGEVRFY:00A525ADj
		jnz	short loc_A5268D
		imul	ebp, [esi+67h],	73206120h
		jnz	short near ptr loc_A52695+1
		jo	short near ptr loc_A52697+1

loc_A52626:				; CODE XREF: PAGEVRFY:00A52608j
		imul	esi, [ebx+65h],	6D657220h
		outsd
		jbe	short loc_A52695
		and	[ecx+52h], cl
		push	eax
		add	cs:[eax], al

loc_A52637:				; DATA XREF: PAGEVRFD:00AA852Co
		add	[ecx+20h], al
		db	64h
		jb	short loc_A526A6
		jbe	short loc_A526A4
		jb	short loc_A52661
		push	6D207361h

loc_A52646:				; CODE XREF: PAGEVRFY:00A525DDj
		imul	esi, [ebx+74h],	6E656B61h
		insb
		jns	short loc_A52670
		arpl	[ecx+6Ch], sp
		insb
		db	65h
		and	fs:[ecx+20h], ah

loc_A52659:				; CODE XREF: PAGEVRFY:loc_A525E3j
					; PAGEVRFY:00A525F5j
		imul	bp, [ebp+20h], 2F49h
		dec	edi

loc_A52661:				; CODE XREF: PAGEVRFY:loc_A525E5j
					; PAGEVRFY:00A5263Fj
		and	[esi+75h], ah
		outsb

loc_A52665:				; CODE XREF: PAGEVRFY:00A52600j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		and	[ecx+74h], ah
		and	[ecx+6Eh], ah

loc_A52670:				; CODE XREF: PAGEVRFY:00A5264Ej
		and	[ecx+52h], cl
		push	ecx
		dec	esp

loc_A52675:				; CODE XREF: PAGEVRFY:00A5260Aj
		and	[edi+74h], ch
		push	740A7265h
		push	50206E61h
		inc	ecx
		push	ebx
		push	ebx
		dec	ecx
		push	esi
		inc	ebp
		pop	edi
		dec	esp
		inc	ebp
		push	esi
		inc	ebp

loc_A5268D:				; CODE XREF: PAGEVRFY:loc_A52619j
		dec	esp
; 
		dw 2Eh
; 

??_C@_0EN@NKFGKOMF@A?5driver?5has?5enumerated?5two?5chi@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8520o
		inc	ecx
		and	[edx+esi*2+69h], ah

loc_A52695:				; CODE XREF: PAGEVRFY:00A5262Ej
					; PAGEVRFY:00A52622j
		jbe	short near ptr loc_A526FB+1

loc_A52697:				; CODE XREF: PAGEVRFY:00A52624j
		jb	short near ptr loc_A526B8+1
		push	65207361h
		outsb
		jnz	short loc_A5270E
		db	65h
		jb	short loc_A52705

loc_A526A4:				; CODE XREF: PAGEVRFY:00A5263Dj
		jz	short near ptr loc_A5270A+1

loc_A526A6:				; CODE XREF: PAGEVRFY:00A5263Aj
		and	fs:[edi+esi*2+6Fh], dh
		and	[ebx+68h], ah
		imul	ebp, [esp+20h],	274F4450h
		jnb	short near ptr loc_A526D3+5

loc_A526B8:				; CODE XREF: PAGEVRFY:loc_A52697j
		jz	short near ptr loc_A52721+1
		popa
		jz	short near ptr byte_A526DD
		jb	short near ptr loc_A52721+3
		jz	short loc_A52736
		jb	short near ptr loc_A52730+1
		db	65h
		and	fs:[ecx+64h], ch
		outs	dx, byte ptr gs:[esi]
		jz	short loc_A52735
		arpl	[ecx+6Ch], sp
		and	[ebp+76h], al

loc_A526D3:				; CODE XREF: PAGEVRFY:00A526B6j
		imul	esp, [ebx+65h],	2744490Ah
		jnb	short loc_A5270A
; 
		db 0
byte_A526DD	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A526BBj
; 

??_C@_0IA@NIBJJKPO@The?5caller?5provided?5the?5IRP?5Sta@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA85B0o
		push	esp
		push	61632065h
		insb
		insb
		db	65h
		jb	short near ptr loc_A5270A+1
		jo	short near ptr byte_A5275F
		outsd
		jbe	short near ptr loc_A52757+2
		db	64h, 65h
		and	fs:[eax+ebp*2+65h], dh
		and	[ecx+52h], cl
		push	eax

loc_A526FB:				; CODE XREF: PAGEVRFY:loc_A52695j
		and	[ebx+74h], dl
		popa
		jz	short near ptr loc_A52770+6
		jnb	short near ptr loc_A52721+2
		dec	ecx
		outsb

loc_A52705:				; CODE XREF: PAGEVRFY:00A526A1j
		outsw
		jb	short near ptr loc_A52770+6
		popa

loc_A5270A:				; CODE XREF: PAGEVRFY:00A526DAj
					; PAGEVRFY:loc_A526A4j	...
		jz	short near ptr loc_A52770+5
		outsd
		outsb

loc_A5270E:				; CODE XREF: PAGEVRFY:00A5269Fj
		and	[esi+69h], ah
		db	65h
		insb
		and	fs:[edi+69h], dh
		jz	short near ptr loc_A5277F+2
		and	[ecx+20h], ah
		jbe	short loc_A5277F
		insb
		jnz	short near ptr loc_A52783+3

loc_A52721:				; CODE XREF: PAGEVRFY:loc_A526B8j
					; PAGEVRFY:00A52701j ...
		and	[eax+ebp*2+61h], dh
		jz	short near ptr loc_A52730+1
		imul	esi, [ebx+20h],	61657267h
		jz	short near ptr loc_A52793+2

loc_A52730:				; CODE XREF: PAGEVRFY:00A526C1j
					; PAGEVRFY:00A52725j
		jb	short near ptr loc_A52750+2
		jz	short loc_A5279C
		popa

loc_A52735:				; CODE XREF: PAGEVRFY:00A526CAj
		outsb

loc_A52736:				; CODE XREF: PAGEVRFY:00A526BFj
		and	[eax+ebp*2+65h], dh
		and	[edi+75h], ch
		jz	short loc_A527AF
		jnz	short loc_A527B5
		and	[ebx+65h], dh
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		and	[edi+66h], ch
		and	[eax+ebp*2+65h], dh

loc_A52750:				; CODE XREF: PAGEVRFY:loc_A52730j
		and	[ebx+79h], dh
		jnb	short loc_A527C9
		db	65h
		insd

loc_A52757:				; CODE XREF: PAGEVRFY:00A526EEj
		and	[edx+75h], ah
		db	66h, 66h, 65h
		jb	short loc_A5278D
; 
byte_A5275F	db 0			; CODE XREF: PAGEVRFY:00A526EBj
; 

??_C@_0KO@HDNONPKD@The?5driver?5is?5reinitializing?5an@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA85A4o
		push	esp
		push	72642065h
		imul	esi, [esi+65h],	73692072h
		and	[edx+65h], dh

loc_A52770:				; CODE XREF: PAGEVRFY:loc_A5270Aj
					; PAGEVRFY:00A526FFj ...
		imul	ebp, [esi+69h],	6C616974h
		imul	edi, [edx+69h],	6120676Eh
		outsb

loc_A5277F:				; CODE XREF: PAGEVRFY:00A5271Cj
					; PAGEVRFY:00A52717j
		and	[ecx+52h], cl
		push	eax

loc_A52783:				; CODE XREF: PAGEVRFY:00A5271Fj
		and	[eax+ebp*2+61h], dh
		jz	short loc_A527A9
		ja	short loc_A527EC
		jnb	short loc_A527AD

loc_A5278D:				; CODE XREF: PAGEVRFY:00A5275Aj
		arpl	[edx+65h], si
		popa
		jz	short near ptr loc_A527F7+1

loc_A52793:				; CODE XREF: PAGEVRFY:00A5272Ej
		and	fs:[edi+69h], dh
		jz	short loc_A52801
		or	cl, [ecx+6Fh]

loc_A5279C:				; CODE XREF: PAGEVRFY:00A52732j
		dec	ebp
		popa
		imul	esp, [ebp+41h],	73h
		jnb	short loc_A52813
		arpl	[ecx+61h], bp
		jz	short near ptr loc_A5280C+2

loc_A527A9:				; CODE XREF: PAGEVRFY:00A52787j
		db	64h
		dec	ecx
		jb	short near ptr loc_A5281B+2

loc_A527AD:				; CODE XREF: PAGEVRFY:00A5278Bj
		sub	al, 0Ah

loc_A527AF:				; CODE XREF: PAGEVRFY:00A5273Dj
		dec	ecx
		outsd
		inc	edx
		jnz	short near ptr loc_A5281B+2
		insb

loc_A527B5:				; CODE XREF: PAGEVRFY:00A5273Fj
		db	64h
		inc	ecx
		jnb	short loc_A52832
		outsb
		arpl	[eax+72h], bp
		outsd
		outsb
		outsd
		jnz	short loc_A52835
		inc	esi
		jnb	short near ptr loc_A52827+2
		push	edx
		db	65h
		jno	short loc_A5283E

loc_A527C9:				; CODE XREF: PAGEVRFY:00A52753j
		db	65h
		jnb	short loc_A52840
		sub	al, 0Ah
		dec	ecx
		outsd
		inc	edx
		jnz	short loc_A5283C
		insb
		db	64h
		push	ebx
		jns	short loc_A52846
		arpl	[eax+72h], bp
		outsd
		outsb
		outsd
		jnz	short loc_A52853
		inc	esi
		jnb	short loc_A52847
		push	edx
		db	65h
		jno	short near ptr loc_A5285B+1
		db	65h
		jnb	short near ptr loc_A5285D+1
		sub	al, 20h

loc_A527EC:				; CODE XREF: PAGEVRFY:00A52789j
		outsd
		jb	short near ptr loc_A527F7+2
		dec	ecx
		outsd
		inc	edx
		jnz	short loc_A5285D
		insb
		db	64h
		inc	esp

loc_A527F7:				; CODE XREF: PAGEVRFY:00A52791j
					; PAGEVRFY:00A527EDj
		db	65h
		jbe	short near ptr loc_A5285D+6
		arpl	[ebp+49h], sp
		outsd
		inc	ebx
		outsd
		outsb

loc_A52801:				; CODE XREF: PAGEVRFY:00A52797j
		jz	short loc_A52875
		outsd
		insb
		push	edx
		db	65h
		jno	short loc_A5287E
		db	65h
		jnb	short near ptr loc_A5287F+1

loc_A5280C:				; CODE XREF: PAGEVRFY:00A527A7j
		add	cs:[eax], al

loc_A5280F:				; DATA XREF: PAGEVRFD:00AA8580o
		add	[eax+ebp*2+65h], dl

loc_A52813:				; CODE XREF: PAGEVRFY:00A527A2j
		and	[edx+esi*2+69h], ah
		jbe	short loc_A5287E
		jb	short loc_A5283B

loc_A5281B:				; CODE XREF: PAGEVRFY:00A527ABj
					; PAGEVRFY:00A527B2j
		imul	esi, [ebx+20h],	706D6F63h
		insb
		db	65h
		jz	short near ptr loc_A5288D+2
		outsb

loc_A52827:				; CODE XREF: PAGEVRFY:00A527C3j
		and	[bx+di+6Eh], ah
		and	[ecx+52h], cl
		push	eax
		pop	edi
		dec	ebp
		dec	edx

loc_A52832:				; CODE XREF: PAGEVRFY:00A527B7j
		pop	edi
		push	eax
		dec	esi

loc_A52835:				; CODE XREF: PAGEVRFY:00A527C0j
		push	eax
		db	2Eh
		dec	ecx
		push	edx
		push	eax
		pop	edi

loc_A5283B:				; CODE XREF: PAGEVRFY:00A52819j
		dec	ebp

loc_A5283C:				; CODE XREF: PAGEVRFY:00A527D1j
		dec	esi
		pop	edi

loc_A5283E:				; CODE XREF: PAGEVRFY:00A527C6j
		push	edx
		inc	ebp

loc_A52840:				; CODE XREF: PAGEVRFY:loc_A527C9j
		dec	ebp
		dec	edi
		push	esi
		inc	ebp
		pop	edi
		inc	esp

loc_A52846:				; CODE XREF: PAGEVRFY:00A527D6j
		inc	ebp

loc_A52847:				; CODE XREF: PAGEVRFY:00A527E1j
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
		or	dh, [edx+65h]
		jno	short near ptr loc_A528BF+6
		db	65h
		jnb	short loc_A528C7

loc_A52853:				; CODE XREF: PAGEVRFY:00A527DEj
		and	[edi+69h], dh
		jz	short near ptr loc_A528BF+1
		and	[ecx+20h], ah

loc_A5285B:				; CODE XREF: PAGEVRFY:00A527E4j
		popaw

loc_A5285D:				; CODE XREF: PAGEVRFY:00A527F2j
					; PAGEVRFY:00A527E7j ...
		imul	ebp, [ebp+esi*2+72h], 74732065h
		popa
		jz	short loc_A528DD
		jnb	short near ptr loc_A52889+1
		arpl	[edi+64h], bp

loc_A5286D:				; DATA XREF: PAGEVRFD:00AA8574o
		db	65h
		add	cs:[ecx+20h], al
		db	64h
		jb	short near ptr loc_A528DD+1

loc_A52875:				; CODE XREF: PAGEVRFY:loc_A52801j
		jbe	short near ptr loc_A528DA+2
		jb	short near ptr loc_A52897+2
		push	66207361h

loc_A5287E:				; CODE XREF: PAGEVRFY:00A52806j
					; PAGEVRFY:00A52817j
		outsd

loc_A5287F:				; CODE XREF: PAGEVRFY:00A52809j
		jb	short near ptr loc_A528F2+6
		popa
		jb	short near ptr dword_A528E8
		db	65h
		and	fs:[ecx+6Eh], ah

loc_A52889:				; CODE XREF: PAGEVRFY:00A52868j
		and	[ecx+52h], cl
		push	eax

loc_A5288D:				; CODE XREF: PAGEVRFY:00A52823j
		and	[ecx+74h], ah
		and	[ecx+52h], cl
		push	ecx
		dec	esp
		and	[esi], bh

loc_A52897:				; CODE XREF: PAGEVRFY:00A52877j
		cmp	eax, 43504120h
		pop	edi
		dec	esp
		inc	ebp
		push	esi
		inc	ebp
		dec	esp
		or	dl, cs:[eax+ebp*2+65h]
		and	[ecx+2Fh], cl
		dec	edi
		and	[ebx+6Fh], al
		insd
		jo	short loc_A5291D
		db	65h
		jz	short loc_A5291D
		outsd
		outsb
		and	[ecx+50h], al
		inc	ebx
		and	[edx+6Fh], dh
		jnz	short loc_A52933

loc_A528BF:				; CODE XREF: PAGEVRFY:00A52856j
					; PAGEVRFY:00A5284Ej
		imul	ebp, [esi+65h],	6C697720h
		insb

loc_A528C7:				; CODE XREF: PAGEVRFY:00A52850j
		and	[esi+6Fh], ch
		jz	short ??_C@_0DK@HKDHJBHB@The?5driver?5is?5reinitializing?5an@GHGBBCHJ@
		bound	esp, [ebp+20h]
		popa
		bound	ebp, [ebp+20h]
		jz	short loc_A52945
		and	[edx+75h], dh
		outsb

loc_A528DA:				; CODE XREF: PAGEVRFY:loc_A52875j
		and	[esi+6Fh], ah

loc_A528DD:				; CODE XREF: PAGEVRFY:00A52866j
					; PAGEVRFY:00A52872j
		jb	short near ptr loc_A528FC+3
		jz	short near ptr loc_A52948+1
		imul	esi, [ebx+20h],	2E505249h
; 
dword_A528E8	dd 0			; CODE XREF: PAGEVRFY:00A52882j
; 

??_C@_0DK@HKDHJBHB@The?5driver?5is?5reinitializing?5an@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A528CAj
					; DATA XREF: PAGEVRFD:00AA8598o
		push	esp
		push	72642065h

loc_A528F2:				; CODE XREF: PAGEVRFY:loc_A5287Fj
		imul	esi, [esi+65h],	73692072h
		and	[edx+65h], dh

loc_A528FC:				; CODE XREF: PAGEVRFY:loc_A528DDj
		imul	ebp, [esi+69h],	6C616974h
		imul	edi, [edx+69h],	6120676Eh
		outsb
		and	[ecx+52h], cl
		push	eax
		and	[eax+ebp*2+61h], dh
		jz	short near ptr loc_A52933+2
		imul	esi, [ebx+20h],	6C697473h
		insb

loc_A5291D:				; CODE XREF: PAGEVRFY:00A528AFj
					; PAGEVRFY:00A528B1j
		and	[ecx+6Eh], ch
		and	[ebp+73h], dh
		db	65h
		add	cs:[eax], al

loc_A52927:				; DATA XREF: PAGEVRFD:00AA858Co
		add	[eax+ebp*2+65h], dl
		and	[edx+esi*2+69h], ah
		jbe	short loc_A52996
		jb	short loc_A52953

loc_A52933:				; CODE XREF: PAGEVRFY:00A528BDj
					; PAGEVRFY:00A52913j
		imul	esi, [ebx+73h],	20646575h
		popa
		outsb
		and	[ecx+2Fh], cl
		dec	edi
		and	[edx+65h], dh
		jno	short near ptr loc_A529B3+7

loc_A52945:				; CODE XREF: PAGEVRFY:00A528D4j
		db	65h
		jnb	short loc_A529BC

loc_A52948:				; CODE XREF: PAGEVRFY:00A528DFj
		and	[edi+69h], dh
		jz	short near ptr loc_A529B3+2
		and	[ecx+6Eh], ah
		and	[ebp+76h], ah

loc_A52953:				; CODE XREF: PAGEVRFY:00A52931j
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_A52974+3
		jz	short near ptr loc_A529BE+3
		popa
		jz	short near ptr loc_A5297B+1
		ja	short near ptr loc_A529BE+1
		jnb	short near ptr loc_A5297D+3
		popa
		insb
		jb	short loc_A529C9
		popa
		db	64h
		jns	short loc_A52988
		jnb	short near ptr loc_A529D2+1
		outs	dx, byte ptr [si]
		popa
		insb
		insb
		db	65h
		or	ah, fs:[ecx+6Eh]

loc_A52974:				; CODE XREF: PAGEVRFY:00A52955j
		and	fs:[edx+65h], dh
		arpl	[ebp+69h], sp

loc_A5297B:				; CODE XREF: PAGEVRFY:00A5295Aj
		jbe	short loc_A529E2

loc_A5297D:				; CODE XREF: PAGEVRFY:00A5295Ej
		and	fs:[ecx+20h], ah
		push	ebx
		push	esp
		inc	ecx
		push	esp
		push	ebp
		push	ebx
		pop	edi

loc_A52988:				; CODE XREF: PAGEVRFY:00A52965j
		push	eax
		inc	ebp
		dec	esi
		inc	esp
		dec	ecx
		dec	esi
		inc	edi
		and	[edx+65h], dh
		jnb	short near ptr loc_A52A03+1
		outsd
		outsb

loc_A52996:				; CODE XREF: PAGEVRFY:00A5292Fj
		jnb	short loc_A529FD
		and	cs:[eax], ah
		push	esp
		push	63207369h
		popa
		outsb
		and	[edx+65h], dh
		jnb	short loc_A52A1D
		insb
		jz	short near ptr loc_A529C9+2
		imul	ebp, [esi+20h],	69776E75h
		outsb

loc_A529B3:				; CODE XREF: PAGEVRFY:00A5294Bj
					; PAGEVRFY:00A52943j
		imul	ebp, fs:[esi+67h], 6665620Ah
		outsd

loc_A529BC:				; CODE XREF: PAGEVRFY:loc_A52945j
		jb	short near ptr loc_A52A1F+4

loc_A529BE:				; CODE XREF: PAGEVRFY:00A5295Cj
					; PAGEVRFY:00A52957j
		and	[eax+ebp*2+65h], dh
		and	[ecx+2Fh], cl
		dec	edi
		and	[ecx+73h], ch

loc_A529C9:				; CODE XREF: PAGEVRFY:00A52962j
					; PAGEVRFY:00A529A9j
		and	[ebx+6Fh], ah
		insd
		jo	short loc_A52A3B
		db	65h
		jz	short near ptr byte_A52A37

loc_A529D2:				; CODE XREF: PAGEVRFY:00A52968j
					; DATA XREF: PAGEVRFD:00AAAB78o
		add	cs:[ebp+78h], al
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		push	eax
		outsd
		outsd
		insb

loc_A529E2:				; CODE XREF: PAGEVRFY:loc_A5297Bj
		xor	eax, [eax]

??_C@_0BA@HAHFAAIP@ExAllocatePool2@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAAB60o
		inc	ebp
		js	short near ptr loc_A52A27+1
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		push	eax
		outsd
		outsd
		insb
		xor	al, [eax]

??_C@_0BL@DHNBKPBH@ExAllocatePoolWithQuotaTag@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAABA8o
		inc	ebp
		js	short ??_C@_0CG@LANCDJAB@ExAllocateCacheAwareRundownProt@GHGBBCHJ@
		insb
		insb
		outsd
		arpl	[ecx+74h], sp

loc_A529FD:				; CODE XREF: PAGEVRFY:loc_A52996j
		db	65h
		push	eax
		outsd
		outsd
		insb
		push	edi

loc_A52A03:				; CODE XREF: PAGEVRFY:00A52992j
		imul	esi, [eax+ebp*2+51h], 61746F75h
		push	esp
		popa
		add	[bx+si], al

??_C@_0BI@MFNAEHDK@ExAllocatePoolWithQuota@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAAB90o
		inc	ebp
		js	short loc_A52A54
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		push	eax
		outsd
		outsd

loc_A52A1D:				; CODE XREF: PAGEVRFY:00A529A6j
		insb
		push	edi

loc_A52A1F:				; CODE XREF: PAGEVRFY:loc_A529BCj
		imul	esi, [eax+ebp*2+51h], 61746F75h

loc_A52A27:				; CODE XREF: PAGEVRFY:00A529E5j
					; DATA XREF: PAGEVRFD:00AAAB48o
		add	[ebp+78h], al
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		push	eax
		outsd
		outsd
		insb
; 
		db 0
byte_A52A37	db 0			; CODE XREF: PAGEVRFY:00A529CFj
; 

??_C@_0CG@LANCDJAB@ExAllocateCacheAwareRundownProt@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A529F5j
					; DATA XREF: PAGEVRFD:_VfPoolThunkso
		inc	ebp
		js	short near ptr loc_A52A7B+1

loc_A52A3B:				; CODE XREF: PAGEVRFY:00A529CDj
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		inc	ebx
		popa
		arpl	[eax+65h], bp
		inc	ecx
		ja	short near ptr loc_A52AAA+1
		jb	short loc_A52AB1
		push	edx
		jnz	short loc_A52ABD
		outs	dx, dword ptr fs:[esi]
		ja	short loc_A52AC1
		push	eax

loc_A52A54:				; CODE XREF: PAGEVRFY:00A52A11j
		jb	short loc_A52AC5
		jz	short loc_A52ABD
		arpl	[ecx+ebp*2+6Fh], si
		outsb
; 
		db 3 dup(0)
; 

??_C@_0O@MANEEFN@IoAllocateMdl@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAAC38o
		dec	ecx
		outsd
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		dec	ebp
		db	64h
		insb
; 
		db 3 dup(0)
; 

??_C@_0O@HNLDFBJF@IoAllocateIrp@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAAC20o
		dec	ecx
		outsd
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		dec	ecx

loc_A52A7B:				; CODE XREF: PAGEVRFY:00A52A39j
		jb	short near ptr loc_A52AEB+2
; 
		db 3 dup(0)
; 

??_C@_0BN@PPLEAEDO@RtlAnsiStringToUnicodeString@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAAC68o
		push	edx
		jz	short near ptr loc_A52AEB+4
		inc	ecx
		outsb
		jnb	short near ptr loc_A52AEB+5
		push	ebx
		jz	short loc_A52AFC
		imul	ebp, [esi+67h],	6E556F54h
		imul	esp, [ebx+6Fh],	74536564h
		jb	short near ptr loc_A52AFF+4
		outsb
		add	[bx+si], al
; 
		dw 0
; 

??_C@_0BJ@HCEIIDF@IoSetCompletionRoutineEx@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAAC50o
		dec	ecx
		outsd
		push	ebx
		db	65h
		jz	short loc_A52AE9
		outsd
		insd
		jo	short near ptr loc_A52B15+1

loc_A52AAA:				; CODE XREF: PAGEVRFY:00A52A48j
		db	65h
		jz	short near ptr loc_A52B15+1
		outsd
		outsb
		push	edx
		outsd

loc_A52AB1:				; CODE XREF: PAGEVRFY:00A52A4Aj
		jnz	short near ptr loc_A52B26+1
		imul	ebp, [esi+65h],	7845h
; 
		dw 0
; 

??_C@_0BO@MJMFJFMG@ExAllocatePoolWithTagPriority@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAABD8o
		inc	ebp

loc_A52ABD:				; CODE XREF: PAGEVRFY:00A52A4Dj
					; PAGEVRFY:00A52A56j
		js	short near ptr loc_A52AFF+1
		insb
		insb

loc_A52AC1:				; CODE XREF: PAGEVRFY:00A52A51j
		outsd
		arpl	[ecx+74h], sp

loc_A52AC5:				; CODE XREF: PAGEVRFY:loc_A52A54j
		db	65h
		push	eax
		outsd
		outsd
		insb
		push	edi
		imul	esi, [eax+ebp*2+54h], 72506761h
		imul	ebp, [edi+72h],	797469h
; 
		dw 0
; 

??_C@_0BG@HPOEIOMD@ExAllocatePoolWithTag@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAABC0o
		inc	ebp
		js	short near ptr loc_A52B1D+3
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		push	eax
		outsd
		outsd

loc_A52AE9:				; CODE XREF: PAGEVRFY:00A52AA3j
		insb
		push	edi

loc_A52AEB:				; CODE XREF: PAGEVRFY:loc_A52A7Bj
					; PAGEVRFY:00A52A81j ...
		imul	esi, [eax+ebp*2+54h], 6761h
; 
		db 0
; 

??_C@_0BC@LGLGINHN@ExFreePoolWithTag@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAAC08o
		inc	ebp
		js	short near ptr loc_A52B3C+1
		jb	short near ptr loc_A52B5D+1
		db	65h
		push	eax
		outsd

loc_A52AFC:				; CODE XREF: PAGEVRFY:00A52A88j
		outsd
		insb
		push	edi

loc_A52AFF:				; CODE XREF: PAGEVRFY:loc_A52ABDj
					; PAGEVRFY:00A52A98j
		imul	esi, [eax+ebp*2+54h], 6761h

loc_A52B07:				; DATA XREF: PAGEVRFD:00AAABF0o
		add	[ebp+78h], al
		inc	esi
		jb	short near ptr loc_A52B71+1
		db	65h
		push	eax
		outsd
		outsd
		insb
; 
		dw 0
; 

??_C@_0CD@GPJEMFLM@RtlOemStringToCountedUnicodeStr@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AAACF8o
		push	edx

loc_A52B15:				; CODE XREF: PAGEVRFY:00A52AA8j
					; PAGEVRFY:loc_A52AAAj
		jz	short near ptr loc_A52B81+2
		dec	edi
		db	65h
		insd
		push	ebx
		jz	short near ptr loc_A52B8D+2

loc_A52B1D:				; CODE XREF: PAGEVRFY:00A52ADDj
		imul	ebp, [esi+67h],	6F436F54h
		jnz	short loc_A52B94

loc_A52B26:				; CODE XREF: PAGEVRFY:loc_A52AB1j
		jz	short loc_A52B8D
		db	64h
		push	ebp
		outsb
		imul	esp, [ebx+6Fh],	74536564h
		jb	short near ptr loc_A52B9C+1
		outsb
		add	[bx+si], al

??_C@_0CC@HOCCNKKP@RtlUpcaseUnicodeStringToOemStri@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AAACE0o
		push	edx
		jz	short loc_A52BA7
		push	ebp

loc_A52B3C:				; CODE XREF: PAGEVRFY:00A52AF5j
		jo	short near ptr loc_A52BA0+1
		popa
		jnb	short near ptr loc_A52BA5+1
		push	ebp
		outsb
		imul	esp, [ebx+6Fh],	74536564h
		jb	short loc_A52BB5
		outsb
		db	67h
		push	esp
		outsd
		dec	edi
		db	65h
		insd
		push	ebx
		jz	short loc_A52BC8
; 
		dw 6E69h
		dd 67h
; 

??_C@_0CJ@JNBPJCLI@RtlUpcaseUnicodeStringToCounted@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AAAD28o
		push	edx

loc_A52B5D:				; CODE XREF: PAGEVRFY:00A52AF7j
		jz	short loc_A52BCB
		push	ebp
		jo	short loc_A52BC5
		popa
		jnb	short near ptr loc_A52BC9+1
		push	ebp
		outsb
		imul	esp, [ebx+6Fh],	74536564h
		jb	short near ptr loc_A52BD5+4
		outsb

loc_A52B71:				; CODE XREF: PAGEVRFY:00A52B0Bj
		db	67h
		push	esp
		outsd
		inc	ebx
		outsd
		jnz	short loc_A52BE6
		jz	short loc_A52BDF
		db	64h
		dec	edi
		db	65h
		insd
		push	ebx
		jz	short loc_A52BF3

loc_A52B81:				; CODE XREF: PAGEVRFY:loc_A52B15j
		imul	ebp, [esi+67h],	0

??_C@_0CD@KEEJKOLL@RtlUnicodeStringToCountedOemStr@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AAAD10o
		push	edx
		jz	short near ptr loc_A52BF5+2
		push	ebp
		outsb

loc_A52B8D:				; CODE XREF: PAGEVRFY:loc_A52B26j
					; PAGEVRFY:00A52B1Bj
		imul	esp, [ebx+6Fh],	74536564h

loc_A52B94:				; CODE XREF: PAGEVRFY:00A52B24j
		jb	short loc_A52BFF
		outsb
		db	67h
		push	esp
		outsd
		inc	ebx
		outsd

loc_A52B9C:				; CODE XREF: PAGEVRFY:00A52B32j
		jnz	short near ptr loc_A52C08+4
		jz	short loc_A52C05

loc_A52BA0:				; CODE XREF: PAGEVRFY:loc_A52B3Cj
		db	64h
		dec	edi
		db	65h
		insd
		push	ebx

loc_A52BA5:				; CODE XREF: PAGEVRFY:00A52B3Fj
		jz	short near ptr loc_A52C15+4

loc_A52BA7:				; CODE XREF: PAGEVRFY:00A52B39j
					; DATA XREF: PAGEVRFD:00AAAC98o
		imul	ebp, [esi+67h],	74520000h
		insb
		push	ebp
		jo	short loc_A52C15
		popa
		jnb	short near ptr loc_A52C15+5

loc_A52BB5:				; CODE XREF: PAGEVRFY:00A52B4Aj
		push	ebp
		outsb
		imul	esp, [ebx+6Fh],	74536564h
		jb	short near ptr loc_A52C26+3
		outsb
		db	67h
		push	esp
		outsd
		inc	ecx

loc_A52BC5:				; CODE XREF: PAGEVRFY:00A52B60j
		outsb
		jnb	short near ptr loc_A52C2C+5

loc_A52BC8:				; CODE XREF: PAGEVRFY:00A52B54j
		push	ebx

loc_A52BC9:				; CODE XREF: PAGEVRFY:00A52B63j
		jz	short loc_A52C3D

loc_A52BCB:				; CODE XREF: PAGEVRFY:loc_A52B5Dj
					; DATA XREF: PAGEVRFD:00AAAC80o
		imul	ebp, [esi+67h],	74520000h
		insb
		push	ebp
		outsb

loc_A52BD5:				; CODE XREF: PAGEVRFY:00A52B6Ej
		imul	esp, [ebx+6Fh],	74536564h
		jb	short near ptr byte_A52C47
		outsb

loc_A52BDF:				; CODE XREF: PAGEVRFY:00A52B78j
		db	67h
		push	esp
		outsd
		inc	ecx
		outsb
		jnb	short near ptr loc_A52C4C+3

loc_A52BE6:				; CODE XREF: PAGEVRFY:00A52B76j
		push	ebx
		jz	short loc_A52C5B
		imul	ebp, [esi+67h],	0

??_C@_0BM@DEEFKKDE@RtlUnicodeStringToOemString@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAACC8o
		push	edx
		jz	short near ptr loc_A52C5C+3

loc_A52BF3:				; CODE XREF: PAGEVRFY:00A52B7Fj
		push	ebp
		outsb

loc_A52BF5:				; CODE XREF: PAGEVRFY:00A52B89j
		imul	esp, [ebx+6Fh],	74536564h
		jb	short near ptr loc_A52C63+4
		outsb

loc_A52BFF:				; CODE XREF: PAGEVRFY:loc_A52B94j
		db	67h
		push	esp
		outsd
		dec	edi
		db	65h
		insd

loc_A52C05:				; CODE XREF: PAGEVRFY:00A52B9Ej
		push	ebx
		jz	short near ptr loc_A52C79+1

loc_A52C08:				; CODE XREF: PAGEVRFY:loc_A52B9Cj
					; DATA XREF: PAGEVRFD:00AAACB0o
		imul	ebp, [esi+67h],	6C745200h
		dec	edi
		db	65h
		insd
		push	ebx
		jz	short loc_A52C87

loc_A52C15:				; CODE XREF: PAGEVRFY:00A52BB0j
					; PAGEVRFY:loc_A52BA5j	...
		imul	ebp, [esi+67h],	6E556F54h
		imul	esp, [ebx+6Fh],	74536564h
		jb	short loc_A52C8E
		outsb

loc_A52C26:				; CODE XREF: PAGEVRFY:00A52BBEj
					; DATA XREF: PAGEVRFD:00AAADD0o
		add	[di+78h], al
		dec	ecx
		outsb

loc_A52C2C:				; CODE XREF: PAGEVRFY:00A52BC6j
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		dec	esi
		push	eax
		popa
		db	67h, 65h, 64h
		dec	esp
		outsd
		outsd

loc_A52C3D:				; CODE XREF: PAGEVRFY:loc_A52BC9j
		imul	esp, [ecx+73h],	69h
		db	64h, 65h
		dec	esp
; 
		db 69h,	73h, 74h
byte_A52C47	db 0			; CODE XREF: PAGEVRFY:00A52BDCj
; 

??_C@_0BP@GNCMKEPO@ExInitializePagedLookasideList@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:_VfMandatoryThunkso
		inc	ebp
		js	short loc_A52C94
		outsb

loc_A52C4C:				; CODE XREF: PAGEVRFY:00A52BE4j
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		push	eax
		popa
		db	67h, 65h, 64h
		dec	esp
		outsd

loc_A52C5B:				; CODE XREF: PAGEVRFY:00A52BE7j
		outsd

loc_A52C5C:				; CODE XREF: PAGEVRFY:00A52BF1j
		imul	esp, [ecx+73h],	69h
		db	64h, 65h
		dec	esp

loc_A52C63:				; CODE XREF: PAGEVRFY:00A52BFCj
					; DATA XREF: PAGEVRFD:00AAAE00o
		imul	esi, [ebx+74h],	78450000h
		inc	esp
		db	65h
		insb
		db	65h
		jz	short loc_A52CD5
		dec	esi
		push	eax
		popa
		db	67h, 65h, 64h
		dec	esp
		outsd
		outsd

loc_A52C79:				; CODE XREF: PAGEVRFY:00A52C06j
		imul	esp, [ecx+73h],	69h
		db	64h, 65h
		dec	esp

loc_A52C80:				; DATA XREF: PAGEVRFD:00AAADE8o
		imul	esi, [ebx+74h],	44784500h

loc_A52C87:				; CODE XREF: PAGEVRFY:00A52C13j
		db	65h
		insb
		db	65h
		jz	short near ptr loc_A52CEF+2
		push	eax
		popa

loc_A52C8E:				; CODE XREF: PAGEVRFY:00A52C23j
		db	67h, 65h, 64h
		dec	esp
		outsd
		outsd

loc_A52C94:				; CODE XREF: PAGEVRFY:00A52C49j
		imul	esp, [ecx+73h],	69h
		db	64h, 65h
		dec	esp

loc_A52C9B:				; DATA XREF: PAGEVRFD:00AAAD58o
		imul	esi, [ebx+74h],	74520000h
		insb
		inc	esp
		outsd
		ja	short loc_A52D15
		arpl	[ecx+73h], sp
		db	65h
		push	ebp
		outsb
		imul	esp, [ebx+6Fh],	74536564h
		jb	short near ptr loc_A52D1C+3
		outsb
		add	[bx+si], al
; 
		dw 0
; 

??_C@_0BH@MCOIMNMM@RtlUpcaseUnicodeString@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAAD40o
		push	edx
		jz	short loc_A52D2B
		push	ebp
		jo	short near ptr loc_A52D24+1
		popa
		jnb	short near ptr loc_A52D26+4
		push	ebp
		outsb
		imul	esp, [ebx+6Fh],	74536564h
		jb	short loc_A52D39
		outsb
		add	[bx+si], al

??_C@_0BK@BKMPPJLP@RtlDuplicateUnicodeString@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAAD88o
		push	edx

loc_A52CD5:				; CODE XREF: PAGEVRFY:00A52C6Dj
		jz	short loc_A52D43
		inc	esp
		jnz	short loc_A52D4A
		insb
		imul	esp, [ebx+61h],	6E556574h
		imul	esp, [ebx+6Fh],	74536564h
		jb	short ??_C@_0BE@LEBEIBPC@HalFreeCommonBuffer@GHGBBCHJ@
		outsb
		add	[bx+si], al

loc_A52CEF:				; CODE XREF: PAGEVRFY:00A52C89j
					; DATA XREF: PAGEVRFD:00AAAD70o
		add	[edx+74h], dl
		insb
		inc	ebx
		jb	short near ptr loc_A52D5A+1
		popa
		jz	short loc_A52D5E
		push	ebp
		outsb
		imul	esp, [ebx+6Fh],	74536564h
		jb	short loc_A52D6D
		outsb
		add	[bx+si], al

??_C@_0BI@NNECMFPB@HalAllocateCommonBuffer@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAAE90o
		dec	eax
		popa
		insb
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		inc	ebx
		outsd

loc_A52D15:				; CODE XREF: PAGEVRFY:00A52CA5j
		insd
		insd
		outsd
		outsb
		inc	edx
		jnz	short near ptr loc_A52D81+1

loc_A52D1C:				; CODE XREF: PAGEVRFY:00A52CB4j
		db	66h, 65h
		jb	short $+4

??_C@_0BG@ICCJOPAF@IoFlushAdapterBuffers@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAAE78o
		dec	ecx
		outsd
		inc	esi
		insb

loc_A52D24:				; CODE XREF: PAGEVRFY:00A52CC0j
		jnz	short near ptr loc_A52D96+3

loc_A52D26:				; CODE XREF: PAGEVRFY:00A52CC3j
		push	70616441h

loc_A52D2B:				; CODE XREF: PAGEVRFY:00A52CBDj
		jz	short near ptr loc_A52D8F+3
		jb	short loc_A52D71
		jnz	short near ptr loc_A52D96+1
		db	66h, 65h
		jb	short near ptr loc_A52DA7+1
; 
		db 3 dup(0)
; 

??_C@_0BJ@KFCEPHJG@IoAllocateAdapterChannel@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAAEC0o
		dec	ecx

loc_A52D39:				; CODE XREF: PAGEVRFY:00A52CCEj
		outsd
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		inc	ecx

loc_A52D43:				; CODE XREF: PAGEVRFY:loc_A52CD5j
		db	64h
		popa
		jo	short near ptr loc_A52DBA+1
		db	65h
		jb	short loc_A52D8D

loc_A52D4A:				; CODE XREF: PAGEVRFY:00A52CD8j
		push	656E6E61h
		insb
; 
		dd 0
; 

??_C@_0BE@LEBEIBPC@HalFreeCommonBuffer@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A52CE9j
					; DATA XREF: PAGEVRFD:00AAAEA8o
		dec	eax
		popa
		insb
		inc	esi
		jb	short loc_A52DBF

loc_A52D5A:				; CODE XREF: PAGEVRFY:00A52CF4j
		db	65h
		inc	ebx
		outsd
		insd

loc_A52D5E:				; CODE XREF: PAGEVRFY:00A52CF7j
		insd
		outsd
		outsb
		inc	edx
		jnz	short near ptr word_A52DCA
		db	66h, 65h
		jb	short $+4

??_C@_0BI@KLGPHBAP@ExDeleteLookasideListEx@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAAE30o
		inc	ebp
		js	short loc_A52DAF
		db	65h
		insb

loc_A52D6D:				; CODE XREF: PAGEVRFY:00A52D02j
		db	65h
		jz	short near ptr loc_A52DD3+2
		dec	esp

loc_A52D71:				; CODE XREF: PAGEVRFY:00A52D2Dj
		outsd
		outsd
		imul	esp, [ecx+73h],	69h
		db	64h, 65h
		dec	esp

loc_A52D7A:				; DATA XREF: PAGEVRFD:00AAAE18o
		imul	esi, [ebx+74h],	45007845h

loc_A52D81:				; CODE XREF: PAGEVRFY:00A52D1Aj
		js	short ??_C@_0BJ@KINNKGCF@ExfAcquirePushLockShared@GHGBBCHJ@
		outsb
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		dec	esp

loc_A52D8D:				; CODE XREF: PAGEVRFY:00A52D47j
		outsd
		outsd

loc_A52D8F:				; CODE XREF: PAGEVRFY:loc_A52D2Bj
		imul	esp, [ecx+73h],	69h
		db	64h, 65h
		dec	esp

loc_A52D96:				; CODE XREF: PAGEVRFY:00A52D2Fj
					; PAGEVRFY:loc_A52D24j
					; DATA XREF: ...
		imul	esi, [ebx+74h],	49007845h
		outsd
		dec	ebp
		popa
		jo	short loc_A52DF6
		jb	short near ptr loc_A52E00+5
		outsb
		jnb	short near ptr loc_A52E0C+1

loc_A52DA7:				; CODE XREF: PAGEVRFY:00A52D31j
		db	65h
		jb	short $+3
; 
		dw 0
; 

??_C@_0BO@OCNLMHJA@HalAllocateCrashDumpRegisters@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAAE48o
		dec	eax
		popa
		insb

loc_A52DAF:				; CODE XREF: PAGEVRFY:00A52D69j
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		inc	ebx
		jb	short loc_A52E1B

loc_A52DBA:				; CODE XREF: PAGEVRFY:00A52D45j
		jnb	short near ptr loc_A52E22+2
		inc	esp
		jnz	short near ptr loc_A52E2B+1

loc_A52DBF:				; CODE XREF: PAGEVRFY:00A52D58j
		jo	short near ptr loc_A52E11+2
		imul	esi, gs:[bp+di+74h], 737265h
; 
word_A52DCA	dw 0			; CODE XREF: PAGEVRFY:00A52D62j
; 

??_C@_0BJ@KINNKGCF@ExfAcquirePushLockShared@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:loc_A52D81j
					; DATA XREF: PAGEVRFD:00AAAF68o
		inc	ebp
		js	short near ptr loc_A52E33+2
		inc	ecx
		arpl	[ecx+75h], si

loc_A52DD3:				; CODE XREF: PAGEVRFY:loc_A52D6Dj
		imul	esi, [edx+65h],	68737550h
		dec	esp
		outsd
		arpl	[ebx+53h], bp
		push	64657261h
; 
		dd 0
; 

??_C@_0BM@BCMDBIBF@ExfAcquirePushLockExclusive@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAAF50o
		inc	ebp
		js	short loc_A52E51
		inc	ecx
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	68737550h

loc_A52DF6:				; CODE XREF: PAGEVRFY:00A52DA0j
		dec	esp
		outsd
		arpl	[ebx+45h], bp
		js	short ??_C@_0BF@KLLIHMHG@ExDeleteResourceLite@GHGBBCHJ@
		insb
		jnz	short loc_A52E73

loc_A52E00:				; CODE XREF: PAGEVRFY:00A52DA2j
					; DATA XREF: PAGEVRFD:00AAAF98o
		imul	esi, [esi+65h],	66784500h
		push	edx
		db	65h
		insb
		db	65h
		popa

loc_A52E0C:				; CODE XREF: PAGEVRFY:00A52DA5j
		jnb	short loc_A52E73
		push	eax
		jnz	short loc_A52E84

loc_A52E11:				; CODE XREF: PAGEVRFY:loc_A52DBFj
		push	6B636F4Ch
; 
		dw 0
; 

??_C@_0BM@NMMKABDM@ExfTryAcquirePushLockShared@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAAF80o
		inc	ebp
		js	short near ptr loc_A52E7C+5

loc_A52E1B:				; CODE XREF: PAGEVRFY:00A52DB8j
		push	esp
		jb	short loc_A52E97
		inc	ecx
		arpl	[ecx+75h], si

loc_A52E22:				; CODE XREF: PAGEVRFY:loc_A52DBAj
		imul	esi, [edx+65h],	68737550h
		dec	esp
		outsd

loc_A52E2B:				; CODE XREF: PAGEVRFY:00A52DBDj
		arpl	[ebx+53h], bp
		push	64657261h

loc_A52E33:				; CODE XREF: PAGEVRFY:00A52DCDj
					; DATA XREF: PAGEVRFD:00AAAEF0o
		add	[ecx+6Fh], cl
		inc	esi
		jb	short loc_A52E9E
		db	65h
		dec	ebp
		popa
		jo	short near ptr loc_A52E8D+3
		imul	esi, gs:[bp+di+74h], 737265h

loc_A52E47:				; DATA XREF: PAGEVRFD:00AAAED8o
		add	[ecx+6Fh], cl
		inc	esi
		jb	short near ptr loc_A52EB0+2
		db	65h
		inc	ecx
		db	64h
		popa

loc_A52E51:				; CODE XREF: PAGEVRFY:00A52DE9j
		jo	short loc_A52EC7
		db	65h
		jb	short near ptr loc_A52E98+1
		push	656E6E61h
		insb
; 
		dd 0
; 

??_C@_0BF@KLLIHMHG@ExDeleteResourceLite@GHGBBCHJ@: ; CODE XREF:	PAGEVRFY:00A52DFBj
					; DATA XREF: PAGEVRFD:00AAAF38o
		inc	ebp
		js	short loc_A52EA7
		db	65h
		insb
		db	65h
		jz	short loc_A52ECD
		push	edx
		db	65h
		jnb	short loc_A52EDB
		jnz	short near ptr loc_A52EDE+2
		arpl	[ebp+4Ch], sp
; 
		db 69h,	74h
; 

loc_A52E73:				; CODE XREF: PAGEVRFY:00A52DFEj
					; PAGEVRFY:loc_A52E0Cj
		add	gs:[eax], al
; 
		dw 0
; 

??_C@_0BJ@KHMECDBK@ExInitializeResourceLite@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:_VfRegularThunkso
		inc	ebp
		js	short loc_A52EC4
		outsb

loc_A52E7C:				; CODE XREF: PAGEVRFY:00A52E19j
		imul	esi, [ecx+ebp*2+61h], 657A696Ch

loc_A52E84:				; CODE XREF: PAGEVRFY:00A52E0Fj
		push	edx
		db	65h
		jnb	short loc_A52EF7
		jnz	short near ptr byte_A52EFC
		arpl	[ebp+4Ch], sp

loc_A52E8D:				; CODE XREF: PAGEVRFY:00A52E3Cj
					; DATA XREF: PAGEVRFD:00AAB028o
		imul	esi, [ebp+0], 4D000000h
		insd
		dec	ebp

loc_A52E97:				; CODE XREF: PAGEVRFY:00A52E1Cj
		popa

loc_A52E98:				; CODE XREF: PAGEVRFY:00A52E53j
		jo	short loc_A52EE3
		outsd
		push	ebx
		jo	short near ptr byte_A52EFF

loc_A52E9E:				; CODE XREF: PAGEVRFY:00A52E37j
		arpl	[ebp+0], sp
; 
		db 3 dup(0)
; 

??_C@_0BL@ONDJLGP@MmProbeAndLockProcessPages@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAB010o
		dec	ebp
		insd
		push	eax

loc_A52EA7:				; CODE XREF: PAGEVRFY:00A52E61j
		jb	short ??_C@_0BE@ILDAPLFN@MmProbeAndLockPages@GHGBBCHJ@
		bound	esp, [ebp+41h]
		outsb
		db	64h
		dec	esp
		outsd

loc_A52EB0:				; CODE XREF: PAGEVRFY:00A52E4Bj
		arpl	[ebx+50h], bp
		jb	short loc_A52F24
		arpl	[ebp+73h], sp
		jnb	short loc_A52F0A
		popa
		db	67h, 65h
		jnb	near ptr 2EBFh

loc_A52EBF:				; DATA XREF: PAGEVRFD:00AAB058o
		add	[ebp+6Dh], cl
		dec	ebp
		popa

loc_A52EC4:				; CODE XREF: PAGEVRFY:00A52E79j
		jo	short loc_A52F12
		outsd

loc_A52EC7:				; CODE XREF: PAGEVRFY:loc_A52E51j
		arpl	[ebx+65h], bp
		db	64h
		push	eax
		popa

loc_A52ECD:				; CODE XREF: PAGEVRFY:00A52E65j
		db	67h, 65h
		jnb	near ptr 2ED1h
; 
		db 3 dup(0)
; 

??_C@_0P@MEELKFMN@MmMapIoSpaceEx@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB040o
		dec	ebp
		insd
		dec	ebp
		popa
		jo	short loc_A52F23
		outsd

loc_A52EDB:				; CODE XREF: PAGEVRFY:00A52E69j
		push	ebx
		jo	short near ptr loc_A52F3E+1

loc_A52EDE:				; CODE XREF: PAGEVRFY:00A52E6Cj
		arpl	[ebp+45h], sp
		js	short $+2

loc_A52EE3:				; CODE XREF: PAGEVRFY:loc_A52E98j
					; DATA XREF: PAGEVRFD:00AAAFC8o
		add	[ebp+78h], al
		push	dx
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_A52F52+1
		push	eax
		jnz	short loc_A52F64
		push	6B636F4Ch
		push	ebx

loc_A52EF7:				; CODE XREF: PAGEVRFY:00A52E85j
		push	64657261h
; 
byte_A52EFC	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A52E88j
byte_A52EFF	db 0			; CODE XREF: PAGEVRFY:00A52E9Cj
; 

??_C@_0BF@IOOBINIL@ExfTryToWakePushLock@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAAFB0o
		inc	ebp
		js	short near ptr loc_A52F67+2
		push	esp
		jb	short near ptr loc_A52F7E+1
		push	esp
		outsd
		push	edi
		popa

loc_A52F0A:				; CODE XREF: PAGEVRFY:00A52EB8j
		imul	esp, [ebp+50h],	75h
		jnb	short loc_A52F78
		dec	esp
		outsd

loc_A52F12:				; CODE XREF: PAGEVRFY:loc_A52EC4j
		arpl	[ebx+0], bp
; 
		db 3 dup(0)
; 

??_C@_0BE@ILDAPLFN@MmProbeAndLockPages@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:loc_A52EA7j
					; DATA XREF: PAGEVRFD:00AAAFF8o
		dec	ebp
		insd
		push	eax
		jb	short loc_A52F8C
		bound	esp, [ebp+41h]
		outsb
		db	64h
		dec	esp

loc_A52F23:				; CODE XREF: PAGEVRFY:00A52ED8j
		outsd

loc_A52F24:				; CODE XREF: PAGEVRFY:00A52EB3j
		arpl	[ebx+50h], bp
		popa
		db	67h, 65h
		jnb	near ptr 2F2Ch

??_C@_0BK@HCAFDBOA@MmBuildMdlForNonPagedPool@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAAFE0o
		dec	ebp
		insd
		inc	edx
		jnz	short loc_A52F9A
		insb
		db	64h
		dec	ebp
		db	64h
		insb
		inc	esi
		outsd
		jb	short near ptr loc_A52F87+1
		outsd
		outsb
		push	eax
		popa

loc_A52F3E:				; CODE XREF: PAGEVRFY:00A52EDCj
		db	67h, 65h, 64h
		push	eax
		outsd
		outsd
		insb
; 
		db 3 dup(0)
; 

??_C@_0P@EMJLEDGK@MmUnmapIoSpace@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB0E8o
		dec	ebp
		insd
		push	ebp
		outsb
		insd
		popa
		jo	short loc_A52F99
		outsd
		push	ebx

loc_A52F52:				; CODE XREF: PAGEVRFY:00A52EECj
		jo	short near ptr loc_A52FB4+1
		arpl	[ebp+0], sp

loc_A52F57:				; DATA XREF: PAGEVRFD:00AAB0D0o
		add	[ebp+6Dh], cl
		push	ebp
		outsb
		insd
		popa
		jo	short loc_A52FAC
		outsd
		arpl	[ebx+65h], bp

loc_A52F64:				; CODE XREF: PAGEVRFY:00A52EEFj
		db	64h
		push	eax
		popa

loc_A52F67:				; CODE XREF: PAGEVRFY:00A52F01j
		db	67h, 65h
		jnb	near ptr 2F6Bh

loc_A52F6B:				; DATA XREF: PAGEVRFD:00AAB118o
		add	[ebp+6Dh], cl
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		inc	ebx
		outsd

loc_A52F78:				; CODE XREF: PAGEVRFY:00A52F0Ej
		outsb
		jz	short ??_C@_0O@OMFFIEBC@MmUnlockPages@GHGBBCHJ@
		db	67h
		jnz	near ptr 2FEDh

loc_A52F7E:				; CODE XREF: PAGEVRFY:00A52F04j
		jnz	short near ptr byte_A52FF3
		dec	ebp
		db	65h
		insd
		outsd
		jb	short near ptr loc_A52FFA+5
		push	ebx

loc_A52F87:				; CODE XREF: PAGEVRFY:00A52F38j
		jo	short loc_A52FEE
		arpl	[ecx+66h], bp

loc_A52F8C:				; CODE XREF: PAGEVRFY:00A52F1Bj
		jns	short loc_A52FD1
		popa
		arpl	[eax+65h], bp
; 
		dw 0
; 

??_C@_0BL@KMIOEMCL@MmAllocateContiguousMemory@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAB100o
		dec	ebp
		insd
		inc	ecx
		insb
		insb

loc_A52F99:				; CODE XREF: PAGEVRFY:00A52F4Ej
		outsd

loc_A52F9A:				; CODE XREF: PAGEVRFY:00A52F2Fj
		arpl	[ecx+74h], sp
		db	65h
		inc	ebx
		outsd
		outsb
		jz	short near ptr loc_A5300B+1
		db	67h
		jnz	near ptr 3015h
		jnz	short loc_A5301B
		dec	ebp
		db	65h
		insd
		outsd

loc_A52FAC:				; CODE XREF: PAGEVRFY:00A52F5Ej
		jb	short loc_A53027
; 
		dw 0
; 

??_C@_0BD@JKHIDLLH@MmMapViewOfSection@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAB088o
		dec	ebp
		insd
		dec	ebp
		popa

loc_A52FB4:				; CODE XREF: PAGEVRFY:loc_A52F52j
		jo	short near ptr loc_A5300B+1
		imul	esp, [ebp+77h],	6553664Fh
		arpl	[ecx+ebp*2+6Fh], si
		outsb
; 
		dw 0
; 

??_C@_0BN@PIHKKIFN@MmMapLockedPagesSpecifyCache@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAB070o
		dec	ebp
		insd
		dec	ebp
		popa
		jo	short loc_A53016
		outsd
		arpl	[ebx+65h], bp
		db	64h
		push	eax
		popa

loc_A52FD1:				; CODE XREF: PAGEVRFY:loc_A52F8Cj
		db	67h, 65h
		jnb	near ptr 3028h
		jo	short loc_A5303C
		arpl	[ecx+66h], bp
		jns	short near ptr byte_A5301F
		popa
		arpl	[eax+65h], bp
; 
		dd 0
; 

??_C@_0O@OMFFIEBC@MmUnlockPages@GHGBBCHJ@: ; CODE XREF:	PAGEVRFY:00A52F79j
					; DATA XREF: PAGEVRFD:00AAB0B8o
		dec	ebp
		insd
		push	ebp
		outsb
		insb
		outsd
		arpl	[ebx+50h], bp
		popa

loc_A52FEE:				; CODE XREF: PAGEVRFY:loc_A52F87j
		db	67h, 65h
		jnb	near ptr 2FF2h
; 
		db 0
byte_A52FF3	db 0			; CODE XREF: PAGEVRFY:loc_A52F7Ej
; 

??_C@_0BD@OPIOPJOL@NtMapViewOfSection@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAB0A0o
		dec	esi
		jz	short ??_C@_0BI@HGCOAHOC@MmAllocatePagesForMdlEx@GHGBBCHJ@
		popa
		jo	short loc_A53050

loc_A52FFA:				; CODE XREF: PAGEVRFY:00A52F84j
		imul	esp, [ebp+77h],	6553664Fh
		arpl	[ecx+ebp*2+6Fh], si
		outsb
; 
		dw 0
; 

??_C@_0BG@OOBECNLI@MmFreeNonCachedMemory@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB1A8o
		dec	ebp
		insd
		inc	esi

loc_A5300B:				; CODE XREF: PAGEVRFY:00A52FA1j
					; PAGEVRFY:loc_A52FB4j
		jb	short near ptr word_A53072
		db	65h
		dec	esi
		outsd
		outsb
		inc	ebx
		popa
		arpl	[eax+65h], bp

loc_A53016:				; CODE XREF: PAGEVRFY:00A52FC8j
		db	64h
		dec	ebp
		db	65h
		insd
		outsd

loc_A5301B:				; CODE XREF: PAGEVRFY:00A52FA6j
		jb	short loc_A53096
; 
		db 2 dup(0)
byte_A5301F	db 0			; CODE XREF: PAGEVRFY:00A52FDAj
; 

??_C@_0CD@IDDLAELJ@MmFreeContiguousMemorySpecifyCa@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AAB190o
		dec	ebp
		insd
		inc	esi
		jb	short loc_A5308A
		db	65h
		inc	ebx

loc_A53027:				; CODE XREF: PAGEVRFY:loc_A52FACj
		outsd
		outsb
		jz	short ??_C@_0CL@NMGHDAJA@MmAllocateContiguousMemorySpeci@GHGBBCHJ@
		db	67h
		jnz	near ptr 309Dh
		jnz	short loc_A530A3
		dec	ebp
		db	65h
		insd
		outsd
		jb	short loc_A530AF
		push	ebx
		jo	short near ptr loc_A5309D+1
		arpl	[ecx+66h], bp

loc_A5303C:				; CODE XREF: PAGEVRFY:00A52FD5j
		jns	short loc_A53081
		popa
		arpl	[eax+65h], bp
; 
		dw 0
; 

??_C@_0BI@HGCOAHOC@MmAllocatePagesForMdlEx@GHGBBCHJ@: ;	CODE XREF: PAGEVRFY:00A52FF5j
					; DATA XREF: PAGEVRFD:00AAB1D8o
		dec	ebp
		insd
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		push	eax
		popa

loc_A53050:				; CODE XREF: PAGEVRFY:00A52FF8j
		db	67h, 65h
		jnb	near ptr 309Ah
		outsd
		jb	short near ptr loc_A530A3+1
		db	64h
		insb
		inc	ebp
		js	short $+2

??_C@_0BG@CCMELLDE@MmAllocatePagesForMdl@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB1C0o
		dec	ebp
		insd
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		push	eax
		popa
		db	67h, 65h
		jnb	near ptr 30B2h
		outsd
		jb	short loc_A530BC
		db	64h
		insb
; 
		db 0
word_A53072	dw 0			; CODE XREF: PAGEVRFY:loc_A5300Bj
; 

??_C@_0BP@EGCAGHLF@MmAllocateContiguousNodeMemory@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB148o
		dec	ebp
		insd
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		inc	ebx
		outsd
		outsb

loc_A53081:				; CODE XREF: PAGEVRFY:loc_A5303Cj
		jz	short loc_A530EC
		db	67h
		jnz	near ptr 30F5h
		jnz	short near ptr loc_A530FA+1
		dec	esi
		outsd

loc_A5308A:				; CODE XREF: PAGEVRFY:00A53023j
		db	64h, 65h
		dec	ebp
		db	65h
		insd
		outsd
		jb	short near ptr loc_A5310A+1
; 
		dw 0
; 

??_C@_0CL@NMGHDAJA@MmAllocateContiguousMemorySpeci@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A53029j
					; DATA XREF: PAGEVRFD:00AAB130o
		dec	ebp
		insd

loc_A53096:				; CODE XREF: PAGEVRFY:loc_A5301Bj
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp

loc_A5309D:				; CODE XREF: PAGEVRFY:00A53037j
		db	65h
		inc	ebx
		outsd
		outsb
		jz	short loc_A5310C

loc_A530A3:				; CODE XREF: PAGEVRFY:00A5302Ej
					; PAGEVRFY:00A53055j
		db	67h
		jnz	near ptr 3115h
		jnz	short loc_A5311B
		dec	ebp
		db	65h
		insd
		outsd
		jb	short loc_A53127
		push	ebx

loc_A530AF:				; CODE XREF: PAGEVRFY:00A53034j
		jo	short loc_A53116
		arpl	[ecx+66h], bp
		jns	short loc_A530F9
		popa
		arpl	[eax+65h], bp
		dec	esi
		outsd

loc_A530BC:				; CODE XREF: PAGEVRFY:00A5306Dj
		db	64h
		add	gs:[eax], al

??_C@_0BH@CDFCIAHF@MmFreeContiguousMemory@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB178o
		dec	ebp
		insd
		inc	esi
		jb	short near ptr loc_A53127+3
		db	65h
		inc	ebx
		outsd
		outsb
		jz	short near ptr loc_A53133+1
		db	67h
		jnz	near ptr 313Dh
		jnz	short near ptr loc_A5313F+4
		dec	ebp
		db	65h
		insd
		outsd
		jb	short loc_A5314F
; 
		dw 0
; 

??_C@_0BK@FHEGIMGE@MmAllocateNonCachedMemory@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAB160o
		dec	ebp
		insd
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		dec	esi
		outsd
		outsb
		inc	ebx
		popa
		arpl	[eax+65h], bp
		db	64h
		dec	ebp

loc_A530EC:				; CODE XREF: PAGEVRFY:loc_A53081j
		db	65h
		insd
		outsd
		jb	short near ptr loc_A53169+1
; 
		db 3 dup(0)
; 

??_C@_0BA@MANLHNBJ@NtCreateSection@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAB268o
		dec	esi
		jz	short loc_A5313A
		jb	short near ptr word_A5315E

loc_A530F9:				; CODE XREF: PAGEVRFY:00A530B4j
		popa

loc_A530FA:				; CODE XREF: PAGEVRFY:00A53086j
		jz	short loc_A53161
		push	ebx
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb
; 
		db 0
; 

??_C@_0BA@NLADEBML@MmCreateSection@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAB250o
		dec	ebp
		insd
		inc	ebx
		jb	short near ptr loc_A5316C+2
		popa

loc_A5310A:				; CODE XREF: PAGEVRFY:00A53090j
		jz	short near ptr loc_A53170+1

loc_A5310C:				; CODE XREF: PAGEVRFY:00A530A1j
		push	ebx
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb

loc_A53113:				; DATA XREF: PAGEVRFD:00AAB298o
		add	[ebp+6Dh], cl

loc_A53116:				; CODE XREF: PAGEVRFY:loc_A530AFj
		push	eax
		jb	short loc_A53188
		jz	short loc_A53180

loc_A5311B:				; CODE XREF: PAGEVRFY:00A530A6j
		arpl	[ebp+ecx*2+64h], si
		insb
		push	ebx
		jns	short near ptr word_A53196
		jz	short loc_A5318A
		insd
		inc	ecx

loc_A53127:				; CODE XREF: PAGEVRFY:00A530ACj
					; PAGEVRFY:00A530C3j
		db	64h, 64h
		jb	short near ptr loc_A5318A+6
		jnb	short loc_A531A0
; 
		db 3 dup(0)
; 

??_C@_0BK@EOAPMLDF@MmGetSystemRoutineAddress@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAB280o
		dec	ebp
		insd
		inc	edi

loc_A53133:				; CODE XREF: PAGEVRFY:00A530C9j
		db	65h
		jz	short near ptr loc_A53188+1
		jns	short near ptr loc_A531A8+3
		jz	short near ptr loc_A5319E+1

loc_A5313A:				; CODE XREF: PAGEVRFY:00A530F5j
		insd
		push	edx
		outsd
		jnz	short loc_A531B3

loc_A5313F:				; CODE XREF: PAGEVRFY:00A530CEj
		imul	ebp, [esi+65h],	72646441h
		db	65h
		jnb	short ??_C@_0M@NCFLJKKN@KeLowerIrql@GHGBBCHJ@
; 
		db 3 dup(0)
; 

??_C@_0BD@EOFIHELD@MmFreePagesFromMdl@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAB208o
		dec	ebp
		insd
		inc	esi

loc_A5314F:				; CODE XREF: PAGEVRFY:00A530D4j
		jb	short loc_A531B6
		db	65h
		push	eax
		popa
		db	67h, 65h
		jnb	near ptr 319Eh
		jb	short near ptr loc_A531C7+2
		insd
		dec	ebp
		db	64h
		insb
; 
word_A5315E	dw 0			; CODE XREF: PAGEVRFY:00A530F7j
; 

??_C@_0BM@ILMHMAJC@MmAllocateNodePagesForMdlEx@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB1F0o
		dec	ebp

loc_A53161:				; CODE XREF: PAGEVRFY:loc_A530FAj
		insd
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp

loc_A53169:				; CODE XREF: PAGEVRFY:00A530EFj
		db	65h
		dec	esi
		outsd

loc_A5316C:				; CODE XREF: PAGEVRFY:00A53107j
		db	64h, 65h
		push	eax
		popa

loc_A53170:				; CODE XREF: PAGEVRFY:loc_A5310Aj
		db	67h, 65h
		jnb	near ptr 31BAh
		outsd
		jb	short loc_A531C4
		db	64h
		insb
		inc	ebp
		js	short $+2

??_C@_0BJ@CGBIGMNF@MmAllocateMappingAddress@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB238o
		dec	ebp
		insd
		inc	ecx
		insb

loc_A53180:				; CODE XREF: PAGEVRFY:00A53119j
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		dec	ebp
		popa

loc_A53188:				; CODE XREF: PAGEVRFY:00A53117j
					; PAGEVRFY:loc_A53133j
		jo	short loc_A531FA

loc_A5318A:				; CODE XREF: PAGEVRFY:00A53123j
					; PAGEVRFY:loc_A53127j
		imul	ebp, [esi+67h],	72646441h
		db	65h
		jnb	short near ptr loc_A53206+1
; 
		db 2 dup(0)
word_A53196	dw 0			; CODE XREF: PAGEVRFY:00A53121j
; 

??_C@_0M@IBDNJKJC@MmCreateMdl@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAB220o
		dec	ebp
		insd
		inc	ebx
		jb	short near ptr loc_A53201+1
		popa

loc_A5319E:				; CODE XREF: PAGEVRFY:00A53138j
		jz	short near ptr loc_A53203+2

loc_A531A0:				; CODE XREF: PAGEVRFY:00A5312Bj
		dec	ebp
		db	64h
		insb

loc_A531A3:				; DATA XREF: PAGEVRFD:00AAB328o
		add	[ebx+65h], cl
		push	edx
		popa

loc_A531A8:				; CODE XREF: PAGEVRFY:00A53136j
		imul	esi, [ebx+65h],	6C717249h

loc_A531AF:				; DATA XREF: PAGEVRFD:00AAB310o
		add	[ebx+66h], cl
		dec	esp

loc_A531B3:				; CODE XREF: PAGEVRFY:00A5313Dj
		outsd
		ja	short loc_A5321B

loc_A531B6:				; CODE XREF: PAGEVRFY:loc_A5314Fj
		jb	short loc_A53201
		jb	short near ptr loc_A5322A+1
		insb
; 
		db 0
; 

??_C@_0M@NCFLJKKN@KeLowerIrql@GHGBBCHJ@: ; CODE	XREF: PAGEVRFY:00A53146j
					; DATA XREF: PAGEVRFD:00AAB358o
		dec	ebx
		db	65h
		dec	esp
		outsd
		ja	short near ptr loc_A53226+1
		jb	short near ptr loc_A5320B+2

loc_A531C4:				; CODE XREF: PAGEVRFY:00A53175j
		jb	short loc_A53237
		insb

loc_A531C7:				; CODE XREF: PAGEVRFY:00A53158j
					; DATA XREF: PAGEVRFD:00AAB340o
		add	[ebx+65h], cl
		push	edx
		popa
		imul	esi, [ebx+65h],	6C717249h
		push	esp
		outsd
		inc	esp
		jo	short loc_A5323B
		dec	esp
		db	65h
		jbe	short near ptr loc_A53240+1
		insb
; 
		db 3 dup(0)
; 

??_C@_0BN@IPNABLFG@KeSaveExtendedProcessorState@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAB2C8o
		dec	ebx
		db	65h
		push	ebx
		popa
		jbe	short near ptr loc_A53248+3
		inc	ebp
		js	short near ptr loc_A5325C+1
		outs	dx, byte ptr gs:[esi]
		db	64h, 65h, 64h
		push	eax
		jb	short loc_A53260
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_A53260+5
		jb	short near ptr loc_A53248+3
		jz	short near ptr loc_A5325A+1

loc_A531FA:				; CODE XREF: PAGEVRFY:loc_A53188j
		jz	short near ptr loc_A53260+1
; 
		dd 0
; 

??_C@_0L@LBMJOLIB@KeSetEvent@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAB2B0o
		dec	ebx

loc_A53201:				; CODE XREF: PAGEVRFY:loc_A531B6j
					; PAGEVRFY:00A5319Bj
		db	65h
		push	ebx

loc_A53203:				; CODE XREF: PAGEVRFY:loc_A5319Ej
		db	65h
		jz	short near ptr loc_A53248+3

loc_A53206:				; CODE XREF: PAGEVRFY:00A53191j
		jbe	short loc_A5326D
		outsb
		jz	short $+2

loc_A5320B:				; CODE XREF: PAGEVRFY:00A531C2j
					; DATA XREF: PAGEVRFD:00AAB2F8o
		add	[ebx+66h], cl
		push	edx
		popa
		imul	esi, [ebx+65h],	6C717249h
; 
		db 0
; 

??_C@_0CA@OHCIBDML@KeRestoreExtendedProcessorState@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AAB2E0o
		dec	ebx
		db	65h
		push	edx

loc_A5321B:				; CODE XREF: PAGEVRFY:00A531B4j
		db	65h
		jnb	short near ptr loc_A53291+1
		outsd
		jb	short near ptr loc_A53285+1
		inc	ebp
		js	short near ptr loc_A53294+4
		outs	dx, byte ptr gs:[esi]

loc_A53226:				; CODE XREF: PAGEVRFY:00A531C0j
		db	64h, 65h, 64h
		push	eax

loc_A5322A:				; CODE XREF: PAGEVRFY:00A531B8j
		jb	short near ptr loc_A53294+7
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_A5329D+3
		jb	short near ptr loc_A53285+1
		jz	short near ptr loc_A53294+2
		jz	short loc_A5329C

loc_A53237:				; CODE XREF: PAGEVRFY:loc_A531C4j
					; DATA XREF: PAGEVRFD:00AAB3E8o
		add	[ebx+65h], cl
		dec	esp

loc_A5323B:				; CODE XREF: PAGEVRFY:00A531D6j
		db	65h
		popa
		jbe	short ??_C@_0BH@LEMIKANE@KeSynchronizeExecution@GHGBBCHJ@
		inc	ebx

loc_A53240:				; CODE XREF: PAGEVRFY:00A531D9j
		jb	short near ptr loc_A532A9+2
		jz	short loc_A532AD
		arpl	[ecx+6Ch], sp
		push	edx

loc_A53248:				; CODE XREF: PAGEVRFY:00A531E4j
					; PAGEVRFY:00A531F6j ...
		imul	ebp, gs:[bx+6Eh], 4B000000h
		db	65h
		inc	ebp
		outsb
		jz	short near ptr loc_A532B7+4
		jb	short near ptr loc_A53294+7
		jb	short near ptr loc_A532C2+1

loc_A5325A:				; CODE XREF: PAGEVRFY:00A531F8j
		jz	short near ptr loc_A532C4+1

loc_A5325C:				; CODE XREF: PAGEVRFY:00A531E7j
		arpl	[ecx+6Ch], sp
		push	edx

loc_A53260:				; CODE XREF: PAGEVRFY:00A531EFj
					; PAGEVRFY:loc_A531FAj	...
		imul	ebp, gs:[bx+6Eh], 4B000000h
		db	65h
		push	edx
		db	65h
		insd

loc_A5326D:				; CODE XREF: PAGEVRFY:loc_A53206j
		outsd
		jbe	short loc_A532D5
		push	ecx
		jnz	short loc_A532D8
		jnz	short near ptr loc_A532D8+2
		inc	esp
		jo	short near ptr loc_A532D8+3
; 
		dd 0
; 

??_C@_0BB@NEFFAOJG@KeInsertQueueDpc@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB400o
		dec	ebx
		db	65h
		dec	ecx
		outsb
		jnb	short near ptr loc_A532E1+6
		jb	short near ptr loc_A532F7+1
		push	ecx

loc_A53285:				; CODE XREF: PAGEVRFY:00A5321Fj
					; PAGEVRFY:00A53231j
		jnz	short loc_A532EC
		jnz	short near ptr loc_A532EC+2
		inc	esp
		jo	short near ptr loc_A532EC+3
; 
		dd 0
; 

??_C@_0BE@MADIFMFE@KeInitializeTimerEx@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB388o
		dec	ebx

loc_A53291:				; CODE XREF: PAGEVRFY:loc_A5321Bj
		db	65h
		dec	ecx
		outsb

loc_A53294:				; CODE XREF: PAGEVRFY:00A53233j
					; PAGEVRFY:00A53222j ...
		imul	esi, [ecx+ebp*2+61h], 657A696Ch

loc_A5329C:				; CODE XREF: PAGEVRFY:00A53235j
		push	esp

loc_A5329D:				; CODE XREF: PAGEVRFY:00A5322Fj
		imul	ebp, [ebp+65h],	784572h

??_C@_0BH@LEMIKANE@KeSynchronizeExecution@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A5323Dj
					; DATA XREF: PAGEVRFD:00AAB370o
		dec	ebx
		db	65h
		push	ebx
		jns	short loc_A53317

loc_A532A9:				; CODE XREF: PAGEVRFY:loc_A53240j
		arpl	[eax+72h], bp
		outsd

loc_A532AD:				; CODE XREF: PAGEVRFY:00A53242j
		outsb
		imul	edi, [edx+65h],	63657845h
		jnz	short near ptr byte_A5332B

loc_A532B7:				; CODE XREF: PAGEVRFY:00A53254j
					; DATA XREF: PAGEVRFD:00AAB3B8o
		imul	ebp, [edi+6Eh],	654B0000h
		inc	esp
		db	65h
		insb
		popa

loc_A532C2:				; CODE XREF: PAGEVRFY:00A53258j
		jns	short near ptr loc_A53308+1

loc_A532C4:				; CODE XREF: PAGEVRFY:loc_A5325Aj
		js	short near ptr byte_A5332B
		arpl	[ebp+74h], si
		imul	ebp, [edi+6Eh],	65726854h
		popa
		add	fs:[eax], al

??_C@_0BC@DOLLALDB@KeInitializeTimer@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAB3A0o
		dec	ebx

loc_A532D5:				; CODE XREF: PAGEVRFY:00A5326Ej
		db	65h
		dec	ecx
		outsb

loc_A532D8:				; CODE XREF: PAGEVRFY:00A53271j
					; PAGEVRFY:00A53273j ...
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		push	esp

loc_A532E1:				; CODE XREF: PAGEVRFY:00A53280j
		imul	ebp, [ebp+65h],	72h

??_C@_0BL@FCIHCOLE@ObReferenceObjectByPointer@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAB4A8o
		dec	edi
		bound	edx, [edx+65h]

loc_A532EC:				; CODE XREF: PAGEVRFY:loc_A53285j
					; PAGEVRFY:00A53287j ...
		db	66h, 65h
		jb	short loc_A53355
		outsb
		arpl	[ebp+4Fh], sp
		bound	ebp, [edx+65h]

loc_A532F7:				; CODE XREF: PAGEVRFY:00A53282j
		arpl	[edx+eax*2+79h], si
		push	eax
		outsd
		imul	ebp, [esi+74h],	7265h

??_C@_0BK@PAFEOPMG@ObReferenceObjectByHandle@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAB490o
		dec	edi
		bound	edx, [edx+65h]

loc_A53308:				; CODE XREF: PAGEVRFY:loc_A532C2j
		db	66h, 65h
		jb	short loc_A53371
		outsb
		arpl	[ebp+4Fh], sp
		bound	ebp, [edx+65h]
		arpl	[edx+eax*2+79h], si

loc_A53317:				; CODE XREF: PAGEVRFY:00A532A7j
		dec	eax
		popa
		outsb
		db	64h
		insb
		add	gs:[eax], al

loc_A5331F:				; DATA XREF: PAGEVRFD:00AAB4D8o
		add	[ecx+6Fh], cl
		inc	esi
		jb	short near ptr loc_A53388+2
		db	65h
		dec	ebp
		db	64h
		insb
; 
		db 2 dup(0)
byte_A5332B	db 0			; CODE XREF: PAGEVRFY:00A532B5j
					; PAGEVRFY:loc_A532C4j
; 

??_C@_09POLIELFF@IoFreeIrp@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAB4C0o
		dec	ecx
		outsd
		inc	esi
		jb	short near ptr loc_A53391+5
		db	65h
		dec	ecx
		jb	short loc_A533A5
; 
		db 3 dup(0)
; 

??_C@_0M@NBHOGDOK@NtWriteFile@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAB448o
		dec	esi
		jz	short near ptr loc_A53391+1
		jb	short near ptr loc_A533A5+1
		jz	short loc_A533A4
		inc	esi
; 
		dd 656C69h
; 

??_C@_0N@KPMLACHP@NtCreateFile@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB430o
		dec	esi
		jz	short near ptr loc_A53388+2
		jb	short near ptr loc_A533AC+2
		popa
		jz	short near ptr byte_A533B1
		inc	esi
; 
		db 69h,	6Ch, 65h
		dd 0
; 

??_C@_0BD@LGNDLMOF@ObfReferenceObject@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAB478o
		dec	edi

loc_A53355:				; CODE XREF: PAGEVRFY:loc_A532ECj
		bound	esp, [esi+52h]
		db	65h, 66h, 65h
		jb	short near ptr word_A533C2
		outsb
		arpl	[ebp+4Fh], sp
		bound	ebp, [edx+65h]
		arpl	[eax+eax+0], si

??_C@_0L@FNDFCMOM@NtReadFile@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAB460o
		dec	esi
		jz	short loc_A533BD
		db	65h
		popa
		db	64h
		inc	esi
; 
		db 69h
		db 6Ch
; 

loc_A53371:				; CODE XREF: PAGEVRFY:loc_A53308j
		add	gs:[eax], al

??_C@_0BA@PIHPIHIM@IoGetDmaAdapter@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAB568o
		dec	ecx
		outsd
		inc	edi
		db	65h
		jz	short near ptr loc_A533BD+1
		insd
		popa
		inc	ecx
		db	64h
		popa
		jo	short near ptr loc_A533F3+2
		db	65h
		jb	short $+3

??_C@_0BC@JEDLPOL@IoInitializeTimer@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB550o
		dec	ecx
		outsd
		dec	ecx
		outsb

loc_A53388:				; CODE XREF: PAGEVRFY:00A53323j
					; PAGEVRFY:00A53345j
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		push	esp

loc_A53391:				; CODE XREF: PAGEVRFY:00A53339j
					; PAGEVRFY:00A5332Fj
		imul	ebp, [ebp+65h],	72h

??_C@_0BJ@CGEBKANA@IoInitializeRemoveLockEx@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB598o
		dec	ecx
		outsd
		dec	ecx
		outsb
		imul	esi, [ecx+ebp*2+61h], 657A696Ch

loc_A533A4:				; CODE XREF: PAGEVRFY:00A5333Dj
		push	edx

loc_A533A5:				; CODE XREF: PAGEVRFY:00A53333j
					; PAGEVRFY:00A5333Bj
		db	65h
		insd
		outsd
		jbe	short near ptr loc_A5340E+1
		dec	esp
		outsd

loc_A533AC:				; CODE XREF: PAGEVRFY:00A53347j
		arpl	[ebx+45h], bp
		js	short $+2
; 
byte_A533B1	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A5334Aj
; 

??_C@_0O@NAJHKPON@HalGetAdapter@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAB580o
		dec	eax
		popa
		insb
		inc	edi
		db	65h
		jz	short near ptr loc_A533FB+1
		db	64h
		popa

loc_A533BD:				; CODE XREF: PAGEVRFY:00A53369j
					; PAGEVRFY:00A53377j
		jo	short near ptr loc_A53432+1
		db	65h
		jb	short $+3
; 
word_A533C2	dw 0			; CODE XREF: PAGEVRFY:00A53358j
; 

??_C@_0BO@CPCKJMEP@IoBuildDeviceIoControlRequest@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB508o
		dec	ecx
		outsd
		inc	edx
		jnz	short loc_A53432
		insb
		db	64h
		inc	esp
		db	65h
		jbe	short ??_C@_0BD@GODPMFCO@IoAllocateWorkItem@GHGBBCHJ@
		arpl	[ebp+49h], sp
		outsd
		inc	ebx
		outsd
		outsb
		jz	short near ptr word_A5344A
		outsd
		insb
		push	edx
		db	65h
		jno	short near ptr loc_A53452+1
		db	65h
		jnb	short loc_A53455
; 
		db 3 dup(0)
; 

??_C@_0BD@CIFKDNMJ@IofCompleteRequest@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAB4F0o
		dec	ecx
		outsd
		inc	bx
		outsd
		insd
		jo	short near ptr loc_A53457+1
		db	65h
		jz	short near ptr loc_A53452+2
		push	edx
		db	65h
		jno	short loc_A53468

loc_A533F3:				; CODE XREF: PAGEVRFY:00A5337Fj
		db	65h
		jnb	short loc_A5346A
; 
		dw 0
; 

??_C@_0BN@OEFIMPJC@IoBuildSynchronousFsdRequest@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAB538o
		dec	ecx
		outsd
		inc	edx

loc_A533FB:				; CODE XREF: PAGEVRFY:00A533B8j
		jnz	short loc_A53466
		insb
		db	64h
		push	ebx
		jns	short near ptr loc_A5346A+6
		arpl	[eax+72h], bp
		outsd
		outsb
		outsd
		jnz	short near ptr byte_A5347D
		inc	esi
		jnb	short near ptr loc_A5346A+7
		push	edx

loc_A5340E:				; CODE XREF: PAGEVRFY:00A533A8j
		db	65h
		jno	short near ptr loc_A53484+2
		db	65h
		jnb	short near ptr loc_A53484+4
; 
		dd 0
; 

??_C@_0BO@PAOFNJIG@IoBuildAsynchronousFsdRequest@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB520o
		dec	ecx
		outsd
		inc	edx
		jnz	short near ptr loc_A53484+2
		insb
		db	64h
		inc	ecx
		jnb	short loc_A5349B
		outsb
		arpl	[eax+72h], bp
		outsd
		outsb
		outsd
		jnz	short near ptr loc_A5349D+1
		inc	esi
		jnb	short near ptr loc_A53491+1
		push	edx
		db	65h
		jno	short loc_A534A7

loc_A53432:				; CODE XREF: PAGEVRFY:00A533C7j
					; PAGEVRFY:loc_A533BDj
		db	65h
		jnb	short loc_A534A9
; 
		db 3 dup(0)
; 

??_C@_0BD@GODPMFCO@IoAllocateWorkItem@GHGBBCHJ@: ; CODE	XREF: PAGEVRFY:00A533CCj
					; DATA XREF: PAGEVRFD:00AAB628o
		dec	ecx
		outsd
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		push	edi
		outsd
		jb	short loc_A534B1
		dec	ecx
		jz	short near ptr word_A534AE
		insd
; 
word_A5344A	dw 0			; CODE XREF: PAGEVRFY:00A533D6j
; 

??_C@_0BI@CLANGFAI@IoAllocateErrorLogEntry@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAB610o
		dec	ecx
		outsd
		inc	ecx
		insb
		insb
		outsd

loc_A53452:				; CODE XREF: PAGEVRFY:00A533DBj
					; PAGEVRFY:00A533ECj
		arpl	[ecx+74h], sp

loc_A53455:				; CODE XREF: PAGEVRFY:00A533DEj
		db	65h
		inc	ebp

loc_A53457:				; CODE XREF: PAGEVRFY:00A533EAj
		jb	short loc_A534CB
		outsd
		jb	short loc_A534A8
		outsd
		db	67h
		inc	ebp
		outsb
		jz	short near ptr loc_A534D3+1
		jns	short $+2

??_C@_0BJ@PAEJOFEI@IoWMIRegistrationControl@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB658o
		dec	ecx
		outsd

loc_A53466:				; CODE XREF: PAGEVRFY:loc_A533FBj
		push	edi
		dec	ebp

loc_A53468:				; CODE XREF: PAGEVRFY:00A533F0j
		dec	ecx
		push	edx

loc_A5346A:				; CODE XREF: PAGEVRFY:loc_A533F3j
					; PAGEVRFY:00A53400j ...
		imul	esi, gs:[bp+di+74h], 69746172h
		outsd
		outsb
		inc	ebx
		outsd
		outsb
		jz	short near ptr loc_A534EB+1
		outsd
		insb
; 
		db 0
byte_A5347D	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A53408j
; 

??_C@_0BF@NBKCIHHN@IoInitializeWorkItem@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAB640o
		dec	ecx
		outsd
		dec	ecx
		outsb

loc_A53484:				; CODE XREF: PAGEVRFY:loc_A5340Ej
					; PAGEVRFY:00A5341Bj ...
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		push	edi
		outsd
		jb	short near ptr loc_A534F9+2
		dec	ecx

loc_A53491:				; CODE XREF: PAGEVRFY:00A5342Cj
		jz	short loc_A534F8
		insd
; 
		dd 0
; 

??_C@_0BG@CAEIPNB@IoReleaseRemoveLockEx@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAB5C8o
		dec	ecx
		outsd
		push	edx

loc_A5349B:				; CODE XREF: PAGEVRFY:00A53420j
		db	65h
		insb

loc_A5349D:				; CODE XREF: PAGEVRFY:00A53429j
		db	65h
		popa
		jnb	short near ptr loc_A53500+6
		push	edx
		db	65h
		insd
		outsd
		jbe	short near ptr loc_A5350B+1

loc_A534A7:				; CODE XREF: PAGEVRFY:00A5342Fj
		dec	esp

loc_A534A8:				; CODE XREF: PAGEVRFY:00A5345Aj
		outsd

loc_A534A9:				; CODE XREF: PAGEVRFY:loc_A53432j
		arpl	[ebx+45h], bp
		js	short $+2
; 
word_A534AE	dw 0			; CODE XREF: PAGEVRFY:00A53447j
; 

??_C@_0BG@NAAGCMAE@IoAcquireRemoveLockEx@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB5B0o
		dec	ecx

loc_A534B1:				; CODE XREF: PAGEVRFY:00A53444j
		outsd
		inc	ecx
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	6F6D6552h
		jbe	short near ptr loc_A5351F+5
		dec	esp
		outsd
		arpl	[ebx+45h], bp
		js	short $+2
; 
		dw 0
; 

??_C@_0CA@MNOBIDIL@IoAllocateDriverObjectExtension@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AAB5F8o
		dec	ecx
		outsd
		inc	ecx

loc_A534CB:				; CODE XREF: PAGEVRFY:loc_A53457j
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		inc	esp

loc_A534D3:				; CODE XREF: PAGEVRFY:00A53460j
		jb	short loc_A5353E
		jbe	short near ptr loc_A5353B+1
		jb	short near ptr loc_A53527+1
		bound	ebp, [edx+65h]
		arpl	[ebp+eax*2+78h], si
		jz	short loc_A53547
		outsb
		jnb	short near ptr loc_A5354D+1
		outsd
		outsb
; 
		db 0
; 

??_C@_0BN@PLFJGAJD@IoReleaseRemoveLockAndWaitEx@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAB5E0o
		dec	ecx
		outsd
		push	edx

loc_A534EB:				; CODE XREF: PAGEVRFY:00A53478j
		db	65h
		insb
		db	65h
		popa
		jnb	short loc_A53556
		push	edx
		db	65h
		insd
		outsd
		jbe	short near ptr loc_A5355A+2
		dec	esp

loc_A534F8:				; CODE XREF: PAGEVRFY:loc_A53491j
		outsd

loc_A534F9:				; CODE XREF: PAGEVRFY:00A5348Ej
		arpl	[ebx+41h], bp
		outsb
		db	64h
		push	edi
		popa

loc_A53500:				; CODE XREF: PAGEVRFY:00A5349Fj
		imul	esi, [ebp+eax*2+78h], 0

??_C@_0P@CGOCKIBH@IoCreateDevice@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB6E8o
		dec	ecx
		outsd
		inc	ebx

loc_A5350B:				; CODE XREF: PAGEVRFY:00A534A5j
		jb	short near ptr word_A53572
		popa
		jz	short loc_A53575
		inc	esp
		db	65h
		jbe	short near ptr loc_A5357C+1
		arpl	[ebp+0], sp
; 
		db 0
; 

??_C@_0O@CJIIPCHG@EtwUnregister@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAB6D0o
		inc	ebp
		jz	short loc_A53592
		push	ebp
		outsb
		jb	short ??_C@_0BL@KFEKKDAO@EtwRegisterClassicProvider@GHGBBCHJ@

loc_A5351F:				; CODE XREF: PAGEVRFY:00A534BDj
		imul	esi, [bp+di+74h], 7265h

loc_A53527:				; CODE XREF: PAGEVRFY:00A534D7j
					; DATA XREF: PAGEVRFD:00AAB718o
		add	[edx+74h], dl
		insb
		push	esi
		outsd
		insb
		jnz	short near ptr loc_A5359B+2
		db	65h
		inc	esp
		db	65h
		jbe	short near ptr loc_A5359B+3
		arpl	[ebp+54h], sp
		outsd
		inc	esp
		outsd

loc_A5353B:				; CODE XREF: PAGEVRFY:00A534D5j
		jnb	short near ptr loc_A53588+3
		popa

loc_A5353E:				; CODE XREF: PAGEVRFY:loc_A534D3j
		insd
		add	gs:[eax], al
; 
		dw 0
; 

??_C@_0BI@HDNIGKKP@IoVolumeDeviceToDosName@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAB700o
		dec	ecx
		outsd
		push	esi

loc_A53547:				; CODE XREF: PAGEVRFY:00A534E0j
		outsd
		insb
		jnz	short near ptr loc_A535B7+1
		db	65h
		inc	esp

loc_A5354D:				; CODE XREF: PAGEVRFY:00A534E3j
		db	65h
		jbe	short loc_A535B9
		arpl	[ebp+54h], sp
		outsd
		inc	esp
		outsd

loc_A53556:				; CODE XREF: PAGEVRFY:00A534EFj
		jnb	short near ptr loc_A535A4+2
		popa
		insd

loc_A5355A:				; CODE XREF: PAGEVRFY:00A534F5j
					; DATA XREF: PAGEVRFD:00AAB688o
		add	gs:[ecx+6Fh], cl
		push	edi
		jb	short near ptr loc_A535C9+1
		jz	short near ptr loc_A535C6+2
		inc	ebp
		jb	short near ptr loc_A535D2+6
		outsd
		jb	short loc_A535B5
		outsd
		db	67h
		inc	ebp
		outsb
		jz	short loc_A535E1
		jns	short $+2
; 
		db 0
word_A53572	dw 0			; CODE XREF: PAGEVRFY:loc_A5350Bj
; 

??_C@_0BA@GNNCFCJF@IoWMIWriteEvent@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAB670o
		dec	ecx

loc_A53575:				; CODE XREF: PAGEVRFY:00A5350Ej
		outsd
		push	edi
		dec	ebp
		dec	ecx
		push	edi
		jb	short near ptr loc_A535E3+2

loc_A5357C:				; CODE XREF: PAGEVRFY:00A53511j
		jz	short loc_A535E3
		inc	ebp
		jbe	short loc_A535E6
		outsb
		jz	short $+2

??_C@_0BL@KFEKKDAO@EtwRegisterClassicProvider@GHGBBCHJ@: ; CODE	XREF: PAGEVRFY:00A5351Dj
					; DATA XREF: PAGEVRFD:00AAB6B8o
		inc	ebp
		jz	short loc_A535FE
		push	edx

loc_A53588:				; CODE XREF: PAGEVRFY:loc_A5353Bj
		imul	esi, gs:[bp+di+74h], 6C437265h
		popa

loc_A53592:				; CODE XREF: PAGEVRFY:00A53519j
		jnb	short near ptr loc_A53603+4
		imul	esp, [ebx+50h],	69766F72h

loc_A5359B:				; CODE XREF: PAGEVRFY:00A5352Ej
					; PAGEVRFY:00A53532j
		db	64h, 65h
		jb	short $+4

loc_A5359F:				; DATA XREF: PAGEVRFD:00AAB6A0o
		add	[ebp+74h], al
		ja	short loc_A535F6

loc_A535A4:				; CODE XREF: PAGEVRFY:loc_A53556j
					; DATA XREF: PAGEVRFD:00AAB7A8o
		imul	esi, gs:[bp+di+74h], 6D007265h
		db	65h
		insd
		arpl	[eax+79h], si
; 
		dw 0
; 

??_C@_0CJ@KINHPDIA@KeTryToAcquireQueuedSpinLockRai@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AAB790o
		dec	ebx

loc_A535B5:				; CODE XREF: PAGEVRFY:00A53567j
		db	65h
		push	esp

loc_A535B7:				; CODE XREF: PAGEVRFY:00A53549j
		jb	short near ptr loc_A53631+1

loc_A535B9:				; CODE XREF: PAGEVRFY:loc_A5354Dj
		push	esp
		outsd
		inc	ecx
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	75657551h

loc_A535C6:				; CODE XREF: PAGEVRFY:00A53561j
		db	65h, 64h
		push	ebx

loc_A535C9:				; CODE XREF: PAGEVRFY:00A5355Fj
		jo	short loc_A53634
		outsb
		dec	esp
		outsd
		arpl	[ebx+52h], bp
		popa

loc_A535D2:				; CODE XREF: PAGEVRFY:00A53564j
		imul	esi, [ebx+65h],	79536F54h
		outsb
		arpl	[eax+0], bp
; 
		db 3 dup(0)
; 

??_C@_0P@NJGBECCE@ZwAddBootEntry@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB7D8o
		pop	edx

loc_A535E1:				; CODE XREF: PAGEVRFY:00A5356Dj
		ja	short ??_C@_0BC@ILDKLKNE@KeInitializeEvent@GHGBBCHJ@

loc_A535E3:				; CODE XREF: PAGEVRFY:loc_A5357Cj
					; PAGEVRFY:00A5357Aj
		db	64h, 64h
		inc	edx

loc_A535E6:				; CODE XREF: PAGEVRFY:00A5357Fj
		outsd
		outsd
		jz	short near ptr loc_A53628+7
		outsb
		jz	short loc_A5365F
		jns	short $+2
; 
		db 0
; 

??_C@_0BL@LBCFAPLA@ZwAccessCheckAndAuditAlarm@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAB7C0o
		pop	edx
		ja	short loc_A53634
		arpl	[ebx+65h], sp

loc_A535F6:				; CODE XREF: PAGEVRFY:00A535A2j
		jnb	short near ptr loc_A53667+4
		inc	ebx
		push	416B6365h

loc_A535FE:				; CODE XREF: PAGEVRFY:00A53585j
		outsb
		db	64h
		inc	ecx
		jnz	short loc_A53667

loc_A53603:				; CODE XREF: PAGEVRFY:loc_A53592j
		imul	esi, [ecx+eax*2+6Ch], 6D7261h

loc_A5360B:				; DATA XREF: PAGEVRFD:00AAB748o
		add	[ebx+65h], cl
		dec	ecx
		outsb
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		push	ebx
		db	65h
		insd
		popa
		jo	short near ptr loc_A53684+2
		outsd
		jb	short near ptr loc_A53684+2
; 
		db 3 dup(0)
; 

??_C@_0BC@ILDKLKNE@KeInitializeEvent@GHGBBCHJ@:	; CODE XREF: PAGEVRFY:loc_A535E1j
					; DATA XREF: PAGEVRFD:00AAB730o
		dec	ebx
		db	65h
		dec	ecx
		outsb

loc_A53628:				; CODE XREF: PAGEVRFY:00A535E8j
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		inc	ebp

loc_A53631:				; CODE XREF: PAGEVRFY:loc_A535B7j
		jbe	short loc_A53698
		outsb

loc_A53634:				; CODE XREF: PAGEVRFY:loc_A535C9j
					; PAGEVRFY:00A535F1j
		jz	short $+2
; 
		dw 0
; 

??_C@_0CE@HCAAJOFM@KeAcquireQueuedSpinLockRaiseToS@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AAB778o
		dec	ebx
		db	65h
		inc	ecx
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	75657551h
		db	65h, 64h
		push	ebx
		jo	short near ptr loc_A536AD+6
		outsb
		dec	esp
		outsd
		arpl	[ebx+52h], bp
		popa
		imul	esi, [ebx+65h],	79536F54h
		outsb
		arpl	[eax+0], bp

??_C@_0BN@BEJKANHH@KeTryToAcquireQueuedSpinLock@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAB760o
		dec	ebx
		db	65h
		push	esp

loc_A5365F:				; CODE XREF: PAGEVRFY:00A535EBj
		jb	short loc_A536DA
		push	esp
		outsd
		inc	ecx
		arpl	[ecx+75h], si

loc_A53667:				; CODE XREF: PAGEVRFY:00A53601j
					; PAGEVRFY:loc_A535F6j
		imul	esi, [edx+65h],	75657551h
		db	65h, 64h
		push	ebx
		jo	short near ptr loc_A536DA+2
		outsb
		dec	esp
		outsd
		arpl	[ebx+0], bp
; 
		db 3 dup(0)
; 

??_C@_0BI@IDLCOIHA@ZwCloseObjectAuditAlarm@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAB868o
		pop	edx
		ja	short loc_A536C2
		insb
		outsd
		jnb	short near ptr loc_A536E7+1
		dec	edi

loc_A53684:				; CODE XREF: PAGEVRFY:00A5361Cj
					; PAGEVRFY:00A5361Fj
		bound	ebp, [edx+65h]
		arpl	[ecx+eax*2+75h], si
		imul	esi, fs:[ecx+eax*2+6Ch], 6D7261h

??_C@_0O@CNOBKCEK@ZwCancelTimer@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAB850o
		pop	edx
		ja	short loc_A536DA
		popa

loc_A53698:				; CODE XREF: PAGEVRFY:loc_A53631j
		outsb
		arpl	[ebp+6Ch], sp
		push	esp
		imul	ebp, [ebp+65h],	72h

??_C@_0BI@BPIHCBGG@ZwCreateDirectoryObject@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAB898o
		pop	edx
		ja	short loc_A536EA
		jb	short loc_A5370E
		popa
		jz	short loc_A53711
		inc	esp

loc_A536AD:				; CODE XREF: PAGEVRFY:00A53648j
		imul	esi, [edx+65h],	726F7463h
		jns	short loc_A53705
		bound	ebp, [edx+65h]

loc_A536B9:				; DATA XREF: PAGEVRFD:00AAB880o
		arpl	[eax+eax+5Ah], si
		ja	short loc_A53702
		outsd
		outsb
		outsb

loc_A536C2:				; CODE XREF: PAGEVRFY:00A5367Dj
		arpl	gs:[eax+edx*2+6Fh], si
		jb	short loc_A5373D
; 
		db 3 dup(0)
; 

??_C@_0BI@PGLJEMKC@ZwAdjustPrivilegesToken@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAB808o
		pop	edx
		ja	short near ptr loc_A5370E+2
		db	64h
		push	75h
		jnb	short near ptr loc_A53745+3
		push	eax
		jb	short near ptr loc_A5373F+1
		jbe	short loc_A53742
		insb

loc_A536DA:				; CODE XREF: PAGEVRFY:loc_A5365Fj
					; PAGEVRFY:00A53695j ...
		db	65h, 67h, 65h
		jnb	near ptr 3733h
		outsd
		imul	esp, [ebp+6Eh],	0

??_C@_0BB@KIFBPAKN@ZwAddDriverEntry@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB7F0o
		pop	edx
		ja	short loc_A53728

loc_A536E7:				; CODE XREF: PAGEVRFY:00A53681j
		db	64h, 64h
		inc	esp

loc_A536EA:				; CODE XREF: PAGEVRFY:00A536A5j
		jb	short loc_A53755
		jbe	short near ptr loc_A53751+2
		jb	short loc_A53735
		outsb
		jz	short loc_A53765
		jns	short $+2
; 
		db 3 dup(0)
; 

??_C@_0P@LEIBOHAK@ZwCancelIoFile@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB838o
		pop	edx
		ja	short near ptr loc_A5373D+1
		popa
		outsb
		arpl	[ebp+6Ch], sp
		dec	ecx
		outsd

loc_A53702:				; CODE XREF: PAGEVRFY:00A536BDj
		inc	esi
; 
		db 69h
		db 6Ch
; 

loc_A53705:				; CODE XREF: PAGEVRFY:00A536B4j
		add	gs:[eax], al

??_C@_0BI@HKENIFPC@ZwAllocateVirtualMemory@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAB820o
		pop	edx
		ja	short near ptr loc_A5374B+1
		insb
		insb
		outsd

loc_A5370E:				; CODE XREF: PAGEVRFY:00A536A7j
					; PAGEVRFY:00A536CDj
		arpl	[ecx+74h], sp

loc_A53711:				; CODE XREF: PAGEVRFY:00A536AAj
		db	65h
		push	esi
		imul	esi, [edx+74h],	4D6C6175h
		db	65h
		insd
		outsd
		jb	short loc_A53798

loc_A5371F:				; DATA XREF: PAGEVRFD:00AAB928o
		add	[edx+77h], bl
		inc	ebx
		jb	short near ptr loc_A53789+1
		popa
		jz	short near ptr loc_A5378C+1

loc_A53728:				; CODE XREF: PAGEVRFY:00A536E5j
		push	ebx
		jns	short loc_A53798
		bound	ebp, [edi+6Ch]
		imul	esp, [ebx+4Ch],	4F6B6E69h

loc_A53735:				; CODE XREF: PAGEVRFY:00A536EEj
		bound	ebp, [edx+65h]
		arpl	[eax+eax+0], si

??_C@_0BA@ODLAGFHJ@ZwCreateSection@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAB910o
		pop	edx

loc_A5373D:				; CODE XREF: PAGEVRFY:00A536C7j
					; PAGEVRFY:00A536F9j
		ja	short near ptr loc_A53781+1

loc_A5373F:				; CODE XREF: PAGEVRFY:00A536D5j
		jb	short loc_A537A6
		popa

loc_A53742:				; CODE XREF: PAGEVRFY:00A536D7j
		jz	short loc_A537A9
		push	ebx

loc_A53745:				; CODE XREF: PAGEVRFY:00A536D2j
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb

loc_A5374B:				; CODE XREF: PAGEVRFY:00A53709j
					; DATA XREF: PAGEVRFD:00AAB958o
		add	[edx+77h], bl
		inc	esp
		db	65h
		insb

loc_A53751:				; CODE XREF: PAGEVRFY:00A536ECj
		db	65h
		jz	short near ptr loc_A537B6+3
		inc	edx

loc_A53755:				; CODE XREF: PAGEVRFY:loc_A536EAj
		outsd
		outsd
		jz	short near ptr loc_A5379D+1
		outsb
		jz	short near ptr loc_A537CA+4
		jns	short $+2
; 
		dw 0
; 

??_C@_0O@OJGKKHJH@ZwCreateTimer@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAB940o
		pop	edx
		ja	short loc_A537A6
		jb	short loc_A537CA

loc_A53765:				; CODE XREF: PAGEVRFY:00A536F1j
		popa
		jz	short near ptr loc_A537CA+3
		push	esp
		imul	ebp, [ebp+65h],	72h

??_C@_0N@KMOLBMMD@ZwCreateFile@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB8C8o
		pop	edx
		ja	short loc_A537B6
		jb	short near ptr loc_A537D9+1
		popa
		jz	short near ptr loc_A537DC+1
		inc	esi

loc_A53779:				; DATA XREF: PAGEVRFD:00AAB8B0o
		imul	ebp, [ebp+0], 5A000000h

loc_A53781:				; CODE XREF: PAGEVRFY:loc_A5373Dj
		ja	short near ptr loc_A537C5+1
		jb	short loc_A537EA
		popa
		jz	short loc_A537ED
		inc	ebp

loc_A53789:				; CODE XREF: PAGEVRFY:00A53723j
		jbe	short near ptr loc_A537ED+3
		outsb

loc_A5378C:				; CODE XREF: PAGEVRFY:00A53726j
		jz	short $+2
; 
		dw 0
; 

??_C@_0M@KGPINBFB@ZwCreateKey@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAB8F8o
		pop	edx
		ja	short near ptr loc_A537D3+3
		jb	short loc_A537FA
		popa
		jz	short loc_A537FD

loc_A53798:				; CODE XREF: PAGEVRFY:00A5371Dj
					; PAGEVRFY:00A53729j
		dec	ebx
		db	65h
		jns	short $+3

??_C@_0BC@JPJKFEGL@ZwCreateJobObject@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAB8E0o
		pop	edx

loc_A5379D:				; CODE XREF: PAGEVRFY:00A53757j
		ja	short near ptr loc_A537E1+1
		jb	short near ptr loc_A53805+1
		popa
		jz	short near ptr loc_A53807+2
		dec	edx
		outsd

loc_A537A6:				; CODE XREF: PAGEVRFY:loc_A5373Fj
					; PAGEVRFY:00A53761j
		bound	ecx, [edi+62h]

loc_A537A9:				; CODE XREF: PAGEVRFY:loc_A53742j
		push	65h
		arpl	[eax+eax+0], si
; 
		db 0
; 

??_C@_0BB@KLKOBDFJ@ZwDuplicateToken@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAB9E8o
		pop	edx
		ja	short loc_A537F7
		jnz	short loc_A53825
		insb

loc_A537B6:				; CODE XREF: PAGEVRFY:00A53771j
					; PAGEVRFY:loc_A53751j
		imul	esp, [ebx+61h],	6F546574h
		imul	esp, [ebp+6Eh],	0
; 
		db 3 dup(0)
; 

??_C@_0BC@LFLAJKLI@ZwDuplicateObject@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAB9D0o
		pop	edx

loc_A537C5:				; CODE XREF: PAGEVRFY:loc_A53781j
		ja	short near ptr loc_A53807+4
		jnz	short near ptr loc_A53833+6
		insb

loc_A537CA:				; CODE XREF: PAGEVRFY:00A53763j
					; PAGEVRFY:00A53766j ...
		imul	esp, [ebx+61h],	624F6574h
		push	65h

loc_A537D3:				; CODE XREF: PAGEVRFY:00A53791j
		arpl	[eax+eax+0], si
; 
		db 0
; 

??_C@_0BJ@IOALJHII@ZwEnumerateDriverEntries@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABA18o
		pop	edx

loc_A537D9:				; CODE XREF: PAGEVRFY:00A53773j
		ja	short ??_C@_0N@GIELCLHA@ZwDeleteFile@GHGBBCHJ@
		outsb

loc_A537DC:				; CODE XREF: PAGEVRFY:00A53776j
		jnz	short loc_A5384B
		db	65h
		jb	short near ptr loc_A5383C+6

loc_A537E1:				; CODE XREF: PAGEVRFY:loc_A5379Dj
		jz	short near ptr loc_A53846+2
		inc	esp
		jb	short loc_A5384F
		jbe	short loc_A5384D
		jb	short near ptr byte_A5382F

loc_A537EA:				; CODE XREF: PAGEVRFY:00A53783j
		outsb
		jz	short loc_A5385F

loc_A537ED:				; CODE XREF: PAGEVRFY:00A53786j
					; PAGEVRFY:loc_A53789j
		imul	esp, [ebp+73h],	0

??_C@_0BH@ENILHPP@ZwEnumerateBootEntries@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABA00o
		pop	edx
		ja	short loc_A5383C

loc_A537F7:				; CODE XREF: PAGEVRFY:00A537B1j
		outsb
		jnz	short near ptr loc_A53864+3

loc_A537FA:				; CODE XREF: PAGEVRFY:00A53793j
		db	65h
		jb	short loc_A5385E

loc_A537FD:				; CODE XREF: PAGEVRFY:00A53796j
		jz	short loc_A53864
		inc	edx
		outsd
		outsd
		jz	short loc_A53849
		outsb

loc_A53805:				; CODE XREF: PAGEVRFY:00A5379Fj
		jz	short loc_A53879

loc_A53807:				; CODE XREF: PAGEVRFY:00A537A2j
					; PAGEVRFY:loc_A537C5j
					; DATA XREF: ...
		imul	esp, [ebp+73h],	775A0000h
		inc	esp
		db	65h
		insb
		db	65h
		jz	short loc_A53879
		push	esi
		popa
		insb
		jnz	short loc_A5387E
		dec	ebx
		db	65h
		jns	short $+3
; 
		db 3 dup(0)
; 

??_C@_0N@GIELCLHA@ZwDeleteFile@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:loc_A537D9j
					; DATA XREF: PAGEVRFD:00AAB970o
		pop	edx
		ja	short near ptr loc_A53864+3
		db	65h
		insb

loc_A53825:				; CODE XREF: PAGEVRFY:00A537B3j
		db	65h
		jz	short loc_A5388D
		inc	esi
; 
		db 69h,	6Ch, 65h
		db 3 dup(0)
byte_A5382F	db 0			; CODE XREF: PAGEVRFY:00A537E8j
; 

??_C@_0BA@NCONONMM@ZwDisplayString@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAB9B8o
		pop	edx
		ja	short near ptr loc_A53876+1

loc_A53833:				; CODE XREF: PAGEVRFY:00A537C7j
		imul	esi, [ebx+70h],	5379616Ch
		jz	short near ptr loc_A538AD+1

loc_A5383C:				; CODE XREF: PAGEVRFY:00A537F5j
					; PAGEVRFY:00A537DEj
					; DATA XREF: ...
		imul	ebp, [esi+67h],	44775A00h
		db	65h
		jbe	short loc_A538AF

loc_A53846:				; CODE XREF: PAGEVRFY:loc_A537E1j
		arpl	[ebp+49h], sp

loc_A53849:				; CODE XREF: PAGEVRFY:00A53802j
		outsd
		inc	ebx

loc_A5384B:				; CODE XREF: PAGEVRFY:loc_A537DCj
		outsd
		outsb

loc_A5384D:				; CODE XREF: PAGEVRFY:00A537E6j
		jz	short near ptr loc_A538C0+1

loc_A5384F:				; CODE XREF: PAGEVRFY:00A537E4j
		outsd
		insb
		inc	esi

loc_A53852:				; DATA XREF: PAGEVRFD:00AABAA8o
		imul	ebp, [ebp+0], 775A0000h
		inc	esi
		jnb	short near ptr loc_A5389E+2
		outsd

loc_A5385E:				; CODE XREF: PAGEVRFY:loc_A537FAj
		outsb

loc_A5385F:				; CODE XREF: PAGEVRFY:00A537EBj
		jz	short near ptr byte_A538D3
		outsd
		insb
		inc	esi

loc_A53864:				; CODE XREF: PAGEVRFY:loc_A537FDj
					; PAGEVRFY:00A537F8j ...
		imul	ebp, [ebp+0], 7246775Ah
		db	65h, 65h
		push	esi
		imul	esi, [edx+74h],	4D6C6175h

loc_A53876:				; CODE XREF: PAGEVRFY:00A53831j
		db	65h
		insd
		outsd

loc_A53879:				; CODE XREF: PAGEVRFY:loc_A53805j
					; PAGEVRFY:00A53811j
		jb	short near ptr loc_A538F3+1

loc_A5387B:				; DATA XREF: PAGEVRFD:00AABAD8o
		add	[edx+77h], bl

loc_A5387E:				; CODE XREF: PAGEVRFY:00A53817j
		dec	esp
		outsd
		popa
		db	64h
		dec	ebx
		db	65h
		jns	short $+3
; 
		dw 0
; 

??_C@_0N@PEGGKEB@ZwLoadDriver@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AABAC0o
		pop	edx
		ja	short loc_A538D7
		outsd
		popa

loc_A5388D:				; CODE XREF: PAGEVRFY:loc_A53825j
		db	64h
		inc	esp
		jb	short near ptr loc_A538F9+1
		jbe	short ??_C@_0BG@EBIHBOPF@ZwOpenDirectoryObject@GHGBBCHJ@
		jb	short $+2
; 
		db 3 dup(0)
; 

??_C@_0BE@IIIKCKBL@ZwEnumerateValueKey@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABA48o
		pop	edx
		ja	short near ptr loc_A538DF+1
		outsb
		jnz	short loc_A5390B

loc_A5389E:				; CODE XREF: PAGEVRFY:00A5385Bj
		db	65h
		jb	short near ptr loc_A538FF+3
		jz	short loc_A53908
		push	esi
		popa
		insb
		jnz	short near ptr loc_A5390B+2
		dec	ebx
		db	65h
		jns	short $+3

??_C@_0P@GMGACGJD@ZwEnumerateKey@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABA30o
		pop	edx

loc_A538AD:				; CODE XREF: PAGEVRFY:00A5383Aj
		ja	short near ptr loc_A538F3+1

loc_A538AF:				; CODE XREF: PAGEVRFY:00A53843j
		outsb
		jnz	short near ptr loc_A5391D+2
		db	65h
		jb	short loc_A53916
		jz	short near ptr loc_A5391B+1
		dec	ebx
		db	65h
		jns	short $+3

loc_A538BB:				; DATA XREF: PAGEVRFD:00AABA78o
		add	[edx+77h], bl
		inc	esi
		insb

loc_A538C0:				; CODE XREF: PAGEVRFY:loc_A5384Dj
		jnz	short near ptr loc_A53930+5
		push	74726956h
		jnz	short near ptr loc_A53927+3
		insb
		dec	ebp
		db	65h
		insd
		outsd
		jb	short near ptr loc_A53946+3
; 
		db 3 dup(0)
byte_A538D3	db 0			; CODE XREF: PAGEVRFY:loc_A5385Fj
; 

??_C@_0BI@LEEJKIGN@ZwFlushInstructionCache@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AABA60o
		pop	edx
		ja	short loc_A5391D

loc_A538D7:				; CODE XREF: PAGEVRFY:00A53889j
		insb
		jnz	short loc_A5394D
		push	74736E49h

loc_A538DF:				; CODE XREF: PAGEVRFY:00A53899j
		jb	short near ptr loc_A53955+1
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		inc	ebx
		popa
		arpl	[eax+65h], bp

loc_A538EB:				; DATA XREF: PAGEVRFD:00AABB68o
		add	[edx+77h], bl
		dec	edi
		jo	short near ptr loc_A53955+1
		outsb
		inc	ebp

loc_A538F3:				; CODE XREF: PAGEVRFY:loc_A53879j
					; PAGEVRFY:loc_A538ADj
		jbe	short loc_A5395A
		outsb
		jz	short $+2

??_C@_0BG@EBIHBOPF@ZwOpenDirectoryObject@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A53891j
					; DATA XREF: PAGEVRFD:00AABB50o
		pop	edx

loc_A538F9:				; CODE XREF: PAGEVRFY:00A5388Fj
		ja	short near ptr loc_A53946+4
		jo	short loc_A53962
		outsb
		inc	esp

loc_A538FF:				; CODE XREF: PAGEVRFY:loc_A5389Ej
		imul	esi, [edx+65h],	726F7463h
		jns	short loc_A53957

loc_A53908:				; CODE XREF: PAGEVRFY:00A538A1j
		bound	ebp, [edx+65h]

loc_A5390B:				; CODE XREF: PAGEVRFY:00A5389Cj
					; PAGEVRFY:00A538A6j
		arpl	[eax+eax+0], si

loc_A5390F:				; DATA XREF: PAGEVRFD:00AABB98o
		add	[edx+77h], bl
		dec	edi
		jo	short loc_A5397A
		outsb

loc_A53916:				; CODE XREF: PAGEVRFY:00A538B2j
		dec	edx
		outsd
		bound	ecx, [edi+62h]

loc_A5391B:				; CODE XREF: PAGEVRFY:00A538B5j
		push	65h

loc_A5391D:				; CODE XREF: PAGEVRFY:00A538D5j
					; PAGEVRFY:00A538B0j
					; DATA XREF: ...
		arpl	[eax+eax+5Ah], si
		ja	short near ptr loc_A5396C+6
		jo	short near ptr loc_A53988+2
		outsb
		inc	esi

loc_A53927:				; CODE XREF: PAGEVRFY:00A538C7j
					; DATA XREF: PAGEVRFD:00AABB08o
		imul	ebp, [ebp+0], 4D775A00h
		outsd

loc_A53930:				; CODE XREF: PAGEVRFY:loc_A538C0j
		imul	esp, fs:[esi+79h], 746F6F42h
		inc	ebp
		outsb
		jz	short loc_A539AE
		jns	short $+2
; 
		dw 0
; 

??_C@_0BD@PPCCBCGB@ZwMapViewOfSection@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AABAF0o
		pop	edx
		ja	short near ptr loc_A5398F+1
		popa
		jo	short near ptr loc_A5399B+1

loc_A53946:				; CODE XREF: PAGEVRFY:00A538CEj
					; PAGEVRFY:loc_A538F9j
		imul	esp, [ebp+77h],	6553664Fh

loc_A5394D:				; CODE XREF: PAGEVRFY:00A538D8j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
; 
		dw 0
; 

??_C@_0BC@JHKPHPDB@ZwNotifyChangeKey@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AABB38o
		pop	edx

loc_A53955:				; CODE XREF: PAGEVRFY:loc_A538DFj
					; PAGEVRFY:00A538EFj
		ja	short near ptr byte_A539A5

loc_A53957:				; CODE XREF: PAGEVRFY:00A53906j
		outsd
		jz	short loc_A539C3

loc_A5395A:				; CODE XREF: PAGEVRFY:loc_A538F3j
		db	66h
		jns	short near ptr loc_A5399F+1
		push	65676E61h

loc_A53962:				; CODE XREF: PAGEVRFY:00A538FBj
		dec	ebx
		db	65h
		jns	short $+3
; 
		dw 0
; 

??_C@_0BE@MACMJJBB@ZwModifyDriverEntry@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABB20o
		pop	edx
		ja	short near ptr loc_A539B6+2
		outsd

loc_A5396C:				; CODE XREF: PAGEVRFY:00A53921j
		imul	esp, fs:[esi+79h], 76697244h
		db	65h
		jb	short ??_C@_0N@HLDGFDL@ZwOpenThread@GHGBBCHJ@
		outsb
		jz	short near ptr loc_A539EB+1

loc_A5397A:				; CODE XREF: PAGEVRFY:00A53913j
		jns	short $+2

??_C@_0BJ@CLLKOGDP@ZwOpenSymbolicLinkObject@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABC28o
		pop	edx
		ja	short near ptr loc_A539CD+1
		jo	short near ptr word_A539E6
		outsb
		push	ebx
		jns	short near ptr loc_A539F1+1
		bound	ebp, [edi+6Ch]

loc_A53988:				; CODE XREF: PAGEVRFY:00A53923j
		imul	esp, [ebx+4Ch],	4F6B6E69h

loc_A5398F:				; CODE XREF: PAGEVRFY:00A53941j
		bound	ebp, [edx+65h]
		arpl	[eax+eax+0], si
; 
		dw 0
; 

??_C@_0O@HNILNMLD@ZwOpenSection@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AABC10o
		pop	edx
		ja	short near ptr loc_A539E9+1

loc_A5399B:				; CODE XREF: PAGEVRFY:00A53944j
		jo	short near ptr loc_A53A01+1
		outsb
		push	ebx

loc_A5399F:				; CODE XREF: PAGEVRFY:loc_A5395Aj
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb
; 
byte_A539A5	db 3 dup(0)		; CODE XREF: PAGEVRFY:loc_A53955j
; 

??_C@_0BC@IHGIMNLF@ZwOpenThreadToken@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AABC58o
		pop	edx
		ja	short near ptr loc_A539F7+3
		jo	short near ptr loc_A53A0F+3
		outsb

loc_A539AE:				; CODE XREF: PAGEVRFY:00A5393Aj
		push	esp
		push	64616572h
		push	esp
		outsd

loc_A539B6:				; CODE XREF: PAGEVRFY:00A53969j
		imul	esp, [ebp+6Eh],	0
; 
		dw 0
; 

??_C@_0N@HLDGFDL@ZwOpenThread@GHGBBCHJ@: ; CODE	XREF: PAGEVRFY:00A53974j
					; DATA XREF: PAGEVRFD:00AABC40o
		pop	edx
		ja	short loc_A53A0E
		jo	short near ptr loc_A53A25+1
		outsb
		push	esp

loc_A539C3:				; CODE XREF: PAGEVRFY:00A53958j
		push	64616572h
; 
		dd 0
; 

??_C@_0O@FEPJHLEJ@ZwOpenProcess@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AABBC8o
		pop	edx

loc_A539CD:				; CODE XREF: PAGEVRFY:00A5397Dj
		ja	short loc_A53A1E
		jo	short loc_A53A36
		outsb
		push	eax
		jb	short loc_A53A44
		arpl	[ebp+73h], sp
		jnb	short $+2
; 
		dw 0
; 

??_C@_09LIJLGMPD@ZwOpenKey@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AABBB0o
		pop	edx
		ja	short near ptr loc_A53A2D+1
		jo	short near ptr loc_A53A44+2
		outsb
		dec	ebx
		db	65h
		jns	short $+3
; 
word_A539E6	dw 0			; CODE XREF: PAGEVRFY:00A5397Fj
; 

??_C@_0BF@GEAAJNAA@ZwOpenProcessTokenEx@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AABBF8o
		pop	edx

loc_A539E9:				; CODE XREF: PAGEVRFY:00A53999j
		ja	short near ptr word_A53A3A

loc_A539EB:				; CODE XREF: PAGEVRFY:00A53978j
		jo	short near ptr word_A53A52
		outsb
		push	eax
		jb	short loc_A53A60

loc_A539F1:				; CODE XREF: PAGEVRFY:00A53983j
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_A53A49+1
		outsd

loc_A539F7:				; CODE XREF: PAGEVRFY:00A539A9j
		imul	esp, [ebp+6Eh],	45h
		js	short $+2
; 
		db 3 dup(0)
; 

??_C@_0BD@FICHFIDH@ZwOpenProcessToken@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AABBE0o
		pop	edx

loc_A53A01:				; CODE XREF: PAGEVRFY:loc_A5399Bj
		ja	short near ptr word_A53A52
		jo	short near ptr loc_A53A69+1
		outsb
		push	eax
		jb	short near ptr loc_A53A77+1
		arpl	[ebp+73h], sp
		jnb	short near ptr word_A53A62

loc_A53A0E:				; CODE XREF: PAGEVRFY:00A539BDj
		outsd

loc_A53A0F:				; CODE XREF: PAGEVRFY:00A539ABj
		imul	esp, [ebp+6Eh],	0

loc_A53A13:				; DATA XREF: PAGEVRFD:00AABCE8o
		add	[edx+77h], bl
		push	ecx
		jnz	short near ptr loc_A53A7B+3
		jb	short near ptr loc_A53A93+1
		inc	edx
		outsd
		outsd

loc_A53A1E:				; CODE XREF: PAGEVRFY:loc_A539CDj
		jz	short loc_A53A65
		outsb
		jz	short loc_A53A95
		jns	short near ptr loc_A53A6F+5

loc_A53A25:				; CODE XREF: PAGEVRFY:00A539BFj
		jb	short loc_A53A8B
		db	65h
		jb	short $+3
; 
		dw 0
; 

??_C@_0N@JGLBEHHB@ZwPulseEvent@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABCD0o
		pop	edx

loc_A53A2D:				; CODE XREF: PAGEVRFY:00A539DDj
		ja	short near ptr loc_A53A7B+4
		jnz	short near ptr loc_A53A9C+1
		jnb	short loc_A53A98
		inc	ebp
		jbe	short loc_A53A9B

loc_A53A36:				; CODE XREF: PAGEVRFY:00A539CFj
		outsb
		jz	short $+2
; 
		db 0
word_A53A3A	dw 0			; CODE XREF: PAGEVRFY:loc_A539E9j
; 

??_C@_0BF@EEAHCEJ@ZwQueryDefaultLocale@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABD18o
		pop	edx
		ja	short near ptr loc_A53A8F+1
		jnz	short loc_A53AA6
		jb	short loc_A53ABC
		inc	esp

loc_A53A44:				; CODE XREF: PAGEVRFY:00A539D3j
					; PAGEVRFY:00A539DFj
		db	65h
		popaw
		jnz	short loc_A53AB5

loc_A53A49:				; CODE XREF: PAGEVRFY:00A539F4j
		jz	short loc_A53A97
		outsd
		arpl	[ecx+6Ch], sp
		add	gs:[eax], al
; 
word_A53A52	dw 0			; CODE XREF: PAGEVRFY:loc_A539EBj
					; PAGEVRFY:loc_A53A01j
; 

??_C@_0BD@KODEDALN@ZwQueryBootOptions@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AABD00o
		pop	edx
		ja	short loc_A53AA8
		jnz	short loc_A53ABE
		jb	short near ptr loc_A53AD3+1
		inc	edx
		outsd
		outsd
		jz	short near ptr loc_A53AAE+1

loc_A53A60:				; CODE XREF: PAGEVRFY:00A539EFj
		jo	short near ptr loc_A53AD5+1
; 
word_A53A62	dw 6F69h		; CODE XREF: PAGEVRFY:00A53A0Cj
		db 6Eh
; 

loc_A53A65:				; CODE XREF: PAGEVRFY:loc_A53A1Ej
		jnb	short $+2
; 
		db 0
; 

??_C@_0M@MAILKIKO@ZwOpenTimer@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AABC88o
		pop	edx

loc_A53A69:				; CODE XREF: PAGEVRFY:00A53A03j
		ja	short near ptr loc_A53AB9+1
		jo	short near ptr loc_A53ACC+6
		outsb
		push	esp

loc_A53A6F:				; CODE XREF: PAGEVRFY:00A53A23j
					; DATA XREF: PAGEVRFD:00AABC70o
		imul	ebp, [ebp+65h],	775A0072h
		dec	edi

loc_A53A77:				; CODE XREF: PAGEVRFY:00A53A07j
		jo	short near ptr loc_A53ADD+1
		outsb
		push	esp

loc_A53A7B:				; CODE XREF: PAGEVRFY:00A53A17j
					; PAGEVRFY:loc_A53A2Dj
		push	64616572h
		push	esp
		outsd
		imul	esp, [ebp+6Eh],	45h
		js	short $+2

??_C@_0BH@HLJMLBBA@ZwProtectVirtualMemory@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABCB8o
		pop	edx
		ja	short near ptr loc_A53AD8+3

loc_A53A8B:				; CODE XREF: PAGEVRFY:loc_A53A25j
		jb	short loc_A53AFC
		jz	short near ptr loc_A53AEF+5

loc_A53A8F:				; CODE XREF: PAGEVRFY:00A53A3Dj
		arpl	[esi+edx*2+69h], si

loc_A53A93:				; CODE XREF: PAGEVRFY:00A53A19j
		jb	short near ptr loc_A53B07+2

loc_A53A95:				; CODE XREF: PAGEVRFY:00A53A21j
		jnz	short near ptr loc_A53AF7+1

loc_A53A97:				; CODE XREF: PAGEVRFY:loc_A53A49j
		insb

loc_A53A98:				; CODE XREF: PAGEVRFY:00A53A31j
		dec	ebp
		db	65h
		insd

loc_A53A9B:				; CODE XREF: PAGEVRFY:00A53A34j
		outsd

loc_A53A9C:				; CODE XREF: PAGEVRFY:00A53A2Fj
		jb	short loc_A53B17
; 
		dw 0
; 

??_C@_0BD@FJKHNGHL@ZwPowerInformation@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AABCA0o
		pop	edx
		ja	short near ptr loc_A53AEF+4
		outsd
		ja	short near ptr loc_A53B0A+1

loc_A53AA6:				; CODE XREF: PAGEVRFY:00A53A3Fj
		jb	short near ptr loc_A53AEF+2

loc_A53AA8:				; CODE XREF: PAGEVRFY:00A53A55j
		outsb
		outsw
		jb	short loc_A53B1A
		popa

loc_A53AAE:				; CODE XREF: PAGEVRFY:00A53A5Ej
		jz	short near ptr loc_A53B18+1
		outsd
		outsb
; 
		dw 0
; 

??_C@_0O@HDJBJFAL@ZwQueryEaFile@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AABDA8o
		pop	edx

loc_A53AB5:				; CODE XREF: PAGEVRFY:00A53A47j
		ja	short near ptr loc_A53B07+1
		jnz	short loc_A53B1E

loc_A53AB9:				; CODE XREF: PAGEVRFY:loc_A53A69j
		jb	short near ptr loc_A53B33+1
		inc	ebp

loc_A53ABC:				; CODE XREF: PAGEVRFY:00A53A41j
		popa
		inc	esi

loc_A53ABE:				; CODE XREF: PAGEVRFY:00A53A57j
					; DATA XREF: PAGEVRFD:00AABD90o
		imul	ebp, [ebp+0], 775A0000h
		push	ecx
		jnz	short near ptr loc_A53B2D+1
		jb	short ??_C@_0BF@NMACOFBK@ZwQueryDirectoryFile@GHGBBCHJ@
		inc	esp

loc_A53ACC:				; CODE XREF: PAGEVRFY:00A53A6Bj
		imul	esi, [edx+65h],	726F7463h

loc_A53AD3:				; CODE XREF: PAGEVRFY:00A53A59j
		jns	short near ptr loc_A53B23+1

loc_A53AD5:				; CODE XREF: PAGEVRFY:loc_A53A60j
		bound	ebp, [edx+65h]

loc_A53AD8:				; CODE XREF: PAGEVRFY:00A53A89j
		arpl	[eax+eax+0], si

??_C@_0BH@DLOJOCLP@ZwQueryInformationFile@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABDD8o
		pop	edx

loc_A53ADD:				; CODE XREF: PAGEVRFY:loc_A53A77j
		ja	short loc_A53B30
		jnz	short near ptr loc_A53B45+1
		jb	short ??_C@_0BJ@GJJANIEK@ZwQueryInstallUILanguage@GHGBBCHJ@
		dec	ecx
		outsb
		outsw
		jb	short loc_A53B56
		popa
		jz	short near ptr byte_A53B55
		outsd
		outsb
		inc	esi

loc_A53AEF:				; CODE XREF: PAGEVRFY:loc_A53AA6j
					; PAGEVRFY:00A53AA1j ...
		imul	ebp, [ebp+0], 51775A00h

loc_A53AF7:				; CODE XREF: PAGEVRFY:loc_A53A95j
		jnz	short near ptr loc_A53B5D+1
		jb	short near ptr loc_A53B72+2
		inc	esi

loc_A53AFC:				; CODE XREF: PAGEVRFY:loc_A53A8Bj
		jnz	short loc_A53B6A
		insb
		inc	ecx
		jz	short near ptr word_A53B76
		jb	short loc_A53B6D
		bound	esi, [ebp+74h]

loc_A53B07:				; CODE XREF: PAGEVRFY:loc_A53AB5j
					; PAGEVRFY:loc_A53A93j
		db	65h
		jnb	short near ptr loc_A53B4C+4

loc_A53B0A:				; CODE XREF: PAGEVRFY:00A53AA4j
					; DATA XREF: PAGEVRFD:00AABD48o
		imul	ebp, [ebp+0], 775A0000h
		push	ecx
		jnz	short near ptr loc_A53B79+1
		jb	short loc_A53B90

loc_A53B17:				; CODE XREF: PAGEVRFY:loc_A53A9Cj
		inc	esp

loc_A53B18:				; CODE XREF: PAGEVRFY:loc_A53AAEj
		jb	short loc_A53B83

loc_A53B1A:				; CODE XREF: PAGEVRFY:00A53AABj
		jbe	short near ptr loc_A53B80+1
		jb	short loc_A53B63

loc_A53B1E:				; CODE XREF: PAGEVRFY:00A53AB7j
		outsb
		jz	short loc_A53B93
		jns	short loc_A53B72

loc_A53B23:				; CODE XREF: PAGEVRFY:loc_A53AD3j
		jb	short near ptr loc_A53B87+2
		db	65h
		jb	short $+3

??_C@_0BJ@LBCAOJIC@ZwQueryDefaultUILanguage@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABD30o
		pop	edx
		ja	short near ptr loc_A53B7B+1
		jnz	short near ptr loc_A53B90+2

loc_A53B2D:				; CODE XREF: PAGEVRFY:00A53AC7j
		jb	short loc_A53BA8
		inc	esp

loc_A53B30:				; CODE XREF: PAGEVRFY:loc_A53ADDj
		db	65h
		popaw

loc_A53B33:				; CODE XREF: PAGEVRFY:loc_A53AB9j
		jnz	short near ptr loc_A53BA0+1
		jz	short near ptr loc_A53B8B+1
		dec	ecx
		dec	esp
		popa
		outsb
		db	67h
		jnz	near ptr 3B9Fh
		add	gs:[bx+si], al
; 
		dw 0
; 

??_C@_0BF@NMACOFBK@ZwQueryDirectoryFile@GHGBBCHJ@: ; CODE XREF:	PAGEVRFY:00A53AC9j
					; DATA XREF: PAGEVRFD:00AABD78o
		pop	edx

loc_A53B45:				; CODE XREF: PAGEVRFY:00A53ADFj
		ja	short near ptr loc_A53B97+1
		jnz	short near ptr loc_A53BAD+1
		jb	short loc_A53BC4
		inc	esp

loc_A53B4C:				; CODE XREF: PAGEVRFY:loc_A53B07j
		imul	esi, [edx+65h],	726F7463h
		jns	short loc_A53B9B
; 
byte_A53B55	db 69h			; CODE XREF: PAGEVRFY:00A53AEAj
; 

loc_A53B56:				; CODE XREF: PAGEVRFY:00A53AE7j
		insb
		add	gs:[eax], al
; 
		dw 0
; 

??_C@_0BJ@GJJANIEK@ZwQueryInstallUILanguage@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A53AE1j
					; DATA XREF: PAGEVRFD:00AABD60o
		pop	edx

loc_A53B5D:				; CODE XREF: PAGEVRFY:loc_A53AF7j
		ja	short near ptr loc_A53BAF+1
		jnz	short near ptr loc_A53BC5+1
		jb	short near ptr loc_A53BDB+1

loc_A53B63:				; CODE XREF: PAGEVRFY:00A53B1Cj
		dec	ecx
		outsb
		jnb	short loc_A53BDB
		popa
		insb
		insb

loc_A53B6A:				; CODE XREF: PAGEVRFY:loc_A53AFCj
		push	ebp
		dec	ecx
		dec	esp

loc_A53B6D:				; CODE XREF: PAGEVRFY:00A53B02j
		popa
		outsb
		db	67h
		jnz	near ptr 3BD3h

loc_A53B72:				; CODE XREF: PAGEVRFY:00A53B21j
					; PAGEVRFY:00A53AF9j
		add	gs:[bx+si], al
; 
word_A53B76	dw 0			; CODE XREF: PAGEVRFY:00A53B00j
; 

??_C@_0O@EHBHKBHL@ZwQueryObject@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AABE68o
		pop	edx

loc_A53B79:				; CODE XREF: PAGEVRFY:00A53B13j
		ja	short loc_A53BCC

loc_A53B7B:				; CODE XREF: PAGEVRFY:00A53B29j
		jnz	short near ptr loc_A53BE1+1
		jb	short near ptr loc_A53BF7+1
		dec	edi

loc_A53B80:				; CODE XREF: PAGEVRFY:loc_A53B1Aj
		bound	ebp, [edx+65h]

loc_A53B83:				; CODE XREF: PAGEVRFY:loc_A53B18j
		arpl	[eax+eax+0], si

loc_A53B87:				; CODE XREF: PAGEVRFY:loc_A53B23j
					; DATA XREF: PAGEVRFD:00AABE50o
		add	[edx+77h], bl
		push	ecx

loc_A53B8B:				; CODE XREF: PAGEVRFY:00A53B35j
		jnz	short near ptr loc_A53BF1+1
		jb	short loc_A53C08
		dec	ebx

loc_A53B90:				; CODE XREF: PAGEVRFY:00A53B15j
					; PAGEVRFY:00A53B2Bj
		db	65h
		jns	short $+3

loc_A53B93:				; CODE XREF: PAGEVRFY:00A53B1Fj
					; DATA XREF: PAGEVRFD:00AABE98o
		add	[edx+77h], bl
		push	ecx

loc_A53B97:				; CODE XREF: PAGEVRFY:loc_A53B45j
		jnz	short near ptr loc_A53BFD+1
		jb	short loc_A53C14

loc_A53B9B:				; CODE XREF: PAGEVRFY:00A53B53j
		push	ebx
		arpl	gs:[ebp+72h], si

loc_A53BA0:				; CODE XREF: PAGEVRFY:loc_A53B33j
		imul	esi, [ecx+edi*2+4Fh], 63656A62h

loc_A53BA8:				; CODE XREF: PAGEVRFY:loc_A53B2Dj
		jz	short $+2
; 
		dw 0
; 

??_C@_0P@NHBMKANJ@ZwQuerySection@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABE80o
		pop	edx

loc_A53BAD:				; CODE XREF: PAGEVRFY:00A53B47j
		ja	short near ptr loc_A53BFF+1

loc_A53BAF:				; CODE XREF: PAGEVRFY:loc_A53B5Dj
		jnz	short near ptr loc_A53C15+1
		jb	short near ptr loc_A53C2B+1
		push	ebx
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb
; 
		dw 0
; 

??_C@_0BK@PDBIPODP@ZwQueryInformationProcess@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AABE08o
		pop	edx
		ja	short near ptr loc_A53C0F+1
		jnz	short near ptr word_A53C26
		jb	short near ptr loc_A53C3B+1
		dec	ecx

loc_A53BC4:				; CODE XREF: PAGEVRFY:00A53B49j
		outsb

loc_A53BC5:				; CODE XREF: PAGEVRFY:00A53B5Fj
		outsw
		jb	short near ptr word_A53C36
		popa
		jz	short near ptr byte_A53C35

loc_A53BCC:				; CODE XREF: PAGEVRFY:loc_A53B79j
		outsd
		outsb
		push	eax
		jb	short near ptr loc_A53C3F+1
		arpl	[ebp+73h], sp
		jnb	short $+2
; 
		dw 0
; 

??_C@_0BM@PIIFPAIC@ZwQueryInformationJobObject@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABDF0o
		pop	edx
		ja	short near ptr loc_A53C2B+1

loc_A53BDB:				; CODE XREF: PAGEVRFY:00A53B65j
					; PAGEVRFY:00A53B61j
		jnz	short near ptr loc_A53C3F+3
		jb	short near ptr loc_A53C57+1
		dec	ecx
		outsb

loc_A53BE1:				; CODE XREF: PAGEVRFY:loc_A53B7Bj
		outsw
		jb	short near ptr word_A53C52
		popa
		jz	short near ptr byte_A53C51
		outsd
		outsb
		dec	edx
		outsd
		bound	ecx, [edi+62h]
		push	65h

loc_A53BF1:				; CODE XREF: PAGEVRFY:loc_A53B8Bj
					; DATA XREF: PAGEVRFD:00AABE38o
		arpl	[eax+eax+5Ah], si
		ja	short near ptr loc_A53C47+1

loc_A53BF7:				; CODE XREF: PAGEVRFY:00A53B7Dj
		jnz	short loc_A53C5E
		jb	short loc_A53C74
		dec	ecx
		outsb

loc_A53BFD:				; CODE XREF: PAGEVRFY:loc_A53B97j
		outsw

loc_A53BFF:				; CODE XREF: PAGEVRFY:loc_A53BADj
		jb	short near ptr loc_A53C6D+1
		popa
		jz	short loc_A53C6D
		outsd
		outsb
		push	esp
		outsd

loc_A53C08:				; CODE XREF: PAGEVRFY:00A53B8Dj
		imul	esp, [ebp+6Eh],	0

??_C@_0BJ@IBBAHCNP@ZwQueryInformationThread@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABE20o
		pop	edx
		ja	short near ptr loc_A53C5F+1

loc_A53C0F:				; CODE XREF: PAGEVRFY:00A53BBDj
		jnz	short loc_A53C76
		jb	short near ptr loc_A53C8B+1
		dec	ecx

loc_A53C14:				; CODE XREF: PAGEVRFY:00A53B99j
		outsb

loc_A53C15:				; CODE XREF: PAGEVRFY:loc_A53BAFj
		outsw
		jb	short near ptr word_A53C86
		popa
		jz	short near ptr byte_A53C85
		outsd
		outsb
		push	esp
		push	64616572h
; 
		db 2 dup(0)
word_A53C26	dw 0			; CODE XREF: PAGEVRFY:00A53BBFj
; 

??_C@_0N@PNPAILHB@ZwReplaceKey@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABF28o
		pop	edx
		ja	short loc_A53C7D

loc_A53C2B:				; CODE XREF: PAGEVRFY:00A53BB1j
					; PAGEVRFY:00A53BD9j
		db	65h
		jo	short near ptr loc_A53C95+5
		popa
		arpl	[ebp+4Bh], sp
		db	65h
		jns	short $+3
; 
byte_A53C35	db 0			; CODE XREF: PAGEVRFY:00A53BCAj
word_A53C36	dw 0			; CODE XREF: PAGEVRFY:00A53BC7j
; 

??_C@_0L@KICNCAKG@ZwReadFile@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AABF10o
		pop	edx
		ja	short loc_A53C8D

loc_A53C3B:				; CODE XREF: PAGEVRFY:00A53BC1j
		db	65h
		popa
		db	64h
		inc	esi

loc_A53C3F:				; CODE XREF: PAGEVRFY:00A53BCFj
					; PAGEVRFY:loc_A53BDBj
					; DATA XREF: ...
		imul	ebp, [ebp+0], 52775A00h

loc_A53C47:				; CODE XREF: PAGEVRFY:00A53BF5j
		db	65h
		jnb	short near ptr loc_A53CAE+1
		jz	short near ptr loc_A53C90+1
		jbe	short loc_A53CB3
		outsb
		jz	short $+2
; 
byte_A53C51	db 0			; CODE XREF: PAGEVRFY:00A53BE6j
word_A53C52	dw 0			; CODE XREF: PAGEVRFY:00A53BE3j
; 

??_C@_0BH@IAKOPMKC@ZwRequestWaitReplyPort@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABF40o
		pop	edx
		ja	short loc_A53CA9

loc_A53C57:				; CODE XREF: PAGEVRFY:00A53BDDj
		db	65h
		jno	short near ptr loc_A53CCE+1
		db	65h
		jnb	short loc_A53CD1
		push	edi

loc_A53C5E:				; CODE XREF: PAGEVRFY:loc_A53BF7j
		popa

loc_A53C5F:				; CODE XREF: PAGEVRFY:00A53C0Dj
		imul	esi, [edx+edx*2+65h], 50796C70h
		outsd
		jb	short near ptr loc_A53CDD+1
; 
		dw 0
; 

??_C@_0BJ@CIAKDCJK@ZwQuerySystemInformation@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABEC8o
		pop	edx

loc_A53C6D:				; CODE XREF: PAGEVRFY:00A53C02j
					; PAGEVRFY:loc_A53BFFj
		ja	short near ptr loc_A53CBD+3
		jnz	short near ptr loc_A53CD5+1
		jb	short near ptr loc_A53CE8+4
		push	ebx

loc_A53C74:				; CODE XREF: PAGEVRFY:00A53BF9j
		jns	short near ptr loc_A53CE8+1

loc_A53C76:				; CODE XREF: PAGEVRFY:loc_A53C0Fj
		jz	short loc_A53CDD
		insd
		dec	ecx
		outsb
		outsw

loc_A53C7D:				; CODE XREF: PAGEVRFY:00A53C29j
		jb	short near ptr loc_A53CE8+4
		popa
		jz	short near ptr loc_A53CE8+3
		outsd
		outsb
; 
		db 0
byte_A53C85	db 0			; CODE XREF: PAGEVRFY:00A53C1Aj
word_A53C86	dw 0			; CODE XREF: PAGEVRFY:00A53C17j
; 

??_C@_0BK@OAMNJJCG@ZwQuerySymbolicLinkObject@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AABEB0o
		pop	edx
		ja	short loc_A53CDC

loc_A53C8B:				; CODE XREF: PAGEVRFY:00A53C11j
		jnz	short loc_A53CF2

loc_A53C8D:				; CODE XREF: PAGEVRFY:00A53C39j
		jb	short near ptr loc_A53D07+1
		push	ebx

loc_A53C90:				; CODE XREF: PAGEVRFY:00A53C4Aj
		jns	short near ptr loc_A53CFE+1
		bound	ebp, [edi+6Ch]

loc_A53C95:				; CODE XREF: PAGEVRFY:loc_A53C2Bj
		imul	esp, [ebx+4Ch],	4F6B6E69h
		bound	ebp, [edx+65h]
		arpl	[eax+eax+0], si
; 
		db 0
; 

??_C@_0BN@LODIJCKM@ZwQueryVolumeInformationFile@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AABEF8o
		pop	edx
		ja	short loc_A53CF8
		jnz	short loc_A53D0E

loc_A53CA9:				; CODE XREF: PAGEVRFY:00A53C55j
		jb	short near ptr loc_A53D23+1
		push	esi
		outsd
		insb

loc_A53CAE:				; CODE XREF: PAGEVRFY:loc_A53C47j
		jnz	short near ptr loc_A53D19+4
		db	65h
		dec	ecx
		outsb

loc_A53CB3:				; CODE XREF: PAGEVRFY:00A53C4Cj
		outsw
		jb	short near ptr loc_A53D23+1
		popa
		jz	short loc_A53D23
		outsd
		outsb
		inc	esi

loc_A53CBD:				; CODE XREF: PAGEVRFY:loc_A53C6Dj
					; DATA XREF: PAGEVRFD:00AABEE0o
		imul	ebp, [ebp+0], 5A000000h
		ja	short loc_A53D18
		jnz	short near ptr loc_A53D2D+1
		jb	short ??_C@_0BG@EMHFEHPC@ZwSetDriverEntryOrder@GHGBBCHJ@
		push	esi
		popa
		insb

loc_A53CCE:				; CODE XREF: PAGEVRFY:loc_A53C57j
		jnz	short loc_A53D35
		dec	ebx

loc_A53CD1:				; CODE XREF: PAGEVRFY:00A53C5Aj
		db	65h
		jns	short $+3

??_C@_0L@PNOKKBFP@ZwSetEvent@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AABFE8o
		pop	edx

loc_A53CD5:				; CODE XREF: PAGEVRFY:00A53C6Fj
		ja	short loc_A53D2A
		db	65h
		jz	short near ptr loc_A53D19+6
		jbe	short near ptr byte_A53D41

loc_A53CDC:				; CODE XREF: PAGEVRFY:00A53C89j
		outsb

loc_A53CDD:				; CODE XREF: PAGEVRFY:loc_A53C76j
					; PAGEVRFY:00A53C68j
		jz	short $+2

loc_A53CDF:				; DATA XREF: PAGEVRFD:00AABFD0o
		add	[edx+77h], bl
		push	ebx
		db	65h
		jz	short loc_A53D2B
		popa
		inc	esi

loc_A53CE8:				; CODE XREF: PAGEVRFY:loc_A53C74j
					; PAGEVRFY:00A53C80j ...
		imul	ebp, [ebp+0], 6553775Ah
		jz	short loc_A53D3B

loc_A53CF2:				; CODE XREF: PAGEVRFY:loc_A53C8Bj
		outsb
		outsw
		jb	short loc_A53D64
		popa

loc_A53CF8:				; CODE XREF: PAGEVRFY:00A53CA5j
		jz	short loc_A53D63
		outsd
		outsb
		dec	edx
		outsd

loc_A53CFE:				; CODE XREF: PAGEVRFY:loc_A53C90j
		bound	ecx, [edi+62h]
		push	65h
		arpl	[eax+eax+0], si

loc_A53D07:				; CODE XREF: PAGEVRFY:loc_A53C8Dj
					; DATA XREF: PAGEVRFD:00AAC000o
		add	[edx+77h], bl
		push	ebx
		db	65h
		jz	short loc_A53D57

loc_A53D0E:				; CODE XREF: PAGEVRFY:00A53CA7j
		outsb
		outsw
		jb	short near ptr loc_A53D7C+4
		popa
		jz	short near ptr loc_A53D7C+3
		outsd
		outsb

loc_A53D18:				; CODE XREF: PAGEVRFY:00A53CC5j
		inc	esi

loc_A53D19:				; CODE XREF: PAGEVRFY:loc_A53CAEj
					; PAGEVRFY:00A53CD7j
					; DATA XREF: ...
		imul	ebp, [ebp+0], 5A000000h
		ja	short loc_A53D76

loc_A53D23:				; CODE XREF: PAGEVRFY:00A53CB8j
					; PAGEVRFY:loc_A53CA9j	...
		db	65h
		jz	short loc_A53D68
		outsd
		outsd
		jz	short loc_A53D6F

loc_A53D2A:				; CODE XREF: PAGEVRFY:loc_A53CD5j
		outsb

loc_A53D2B:				; CODE XREF: PAGEVRFY:00A53CE3j
		jz	short loc_A53D9F

loc_A53D2D:				; CODE XREF: PAGEVRFY:00A53CC7j
		jns	short near ptr loc_A53D7C+2
		jb	short loc_A53D95
		db	65h
		jb	short $+3

??_C@_0N@PDJGDHEJ@ZwRestoreKey@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABF70o
		pop	edx

loc_A53D35:				; CODE XREF: PAGEVRFY:loc_A53CCEj
		ja	short near ptr loc_A53D88+1
		db	65h
		jnb	short loc_A53DAE
		outsd

loc_A53D3B:				; CODE XREF: PAGEVRFY:00A53CF0j
		jb	short loc_A53DA2
		dec	ebx
		db	65h
		jns	short $+3
; 
byte_A53D41	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A53CDAj
; 

??_C@_0BG@EMHFEHPC@ZwSetDriverEntryOrder@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A53CC9j
					; DATA XREF: PAGEVRFD:00AABFB8o
		pop	edx
		ja	short near ptr loc_A53D99+1
		db	65h
		jz	short near ptr loc_A53D8D+1
		jb	short loc_A53DB5
		jbe	short near ptr loc_A53DAE+5
		jb	short loc_A53D95
		outsb
		jz	short loc_A53DC5
		jns	short near ptr loc_A53DA3+1
		jb	short loc_A53DBB

loc_A53D57:				; CODE XREF: PAGEVRFY:00A53D0Bj
		db	65h
		jb	short $+3
; 
		dw 0
; 

??_C@_0BB@COOOOIJN@ZwSetBootOptions@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AABFA0o
		pop	edx
		ja	short near ptr loc_A53DAE+4
		db	65h
		jz	short near ptr loc_A53DA3+1
		outsd

loc_A53D63:				; CODE XREF: PAGEVRFY:loc_A53CF8j
		outsd

loc_A53D64:				; CODE XREF: PAGEVRFY:00A53CF5j
		jz	short loc_A53DB5
		jo	short loc_A53DDC

loc_A53D68:				; CODE XREF: PAGEVRFY:loc_A53D23j
		imul	ebp, [edi+6Eh],	73h

loc_A53D6F:				; CODE XREF: PAGEVRFY:00A53D28j
					; DATA XREF: PAGEVRFD:00AAC0A8o
		add	[edx+77h], bl
		push	ebx
		db	65h
		jz	short near ptr loc_A53DC7+2

loc_A53D76:				; CODE XREF: PAGEVRFY:00A53D21j
		jns	short near ptr loc_A53DEA+1
		jz	short near ptr loc_A53DDD+2
		insd
		push	esp

loc_A53D7C:				; CODE XREF: PAGEVRFY:loc_A53D2Dj
					; PAGEVRFY:00A53D14j ...
		imul	ebp, [ebp+65h],	53775A00h
		db	65h
		jz	short near ptr loc_A53DD8+1
		jns	short loc_A53DFB

loc_A53D88:				; CODE XREF: PAGEVRFY:loc_A53D35j
		jz	short near ptr loc_A53DEE+1
		insd
		dec	ecx
		outsb

loc_A53D8D:				; CODE XREF: PAGEVRFY:00A53D47j
		outsw
		jb	short loc_A53DFE
		popa
		jz	short near ptr loc_A53DFB+2
		outsd

loc_A53D95:				; CODE XREF: PAGEVRFY:00A53D2Fj
					; PAGEVRFY:00A53D4Ej
		outsb
; 
		dw 0
; 

??_C@_0O@COONLEMJ@ZwSetValueKey@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAC0D8o
		pop	edx

loc_A53D99:				; CODE XREF: PAGEVRFY:00A53D45j
		ja	short loc_A53DEE
		db	65h
		jz	short near ptr loc_A53DEE+6
		popa

loc_A53D9F:				; CODE XREF: PAGEVRFY:loc_A53D2Bj
		insb
		jnz	short loc_A53E07

loc_A53DA2:				; CODE XREF: PAGEVRFY:loc_A53D3Bj
		dec	ebx

loc_A53DA3:				; CODE XREF: PAGEVRFY:00A53D53j
					; PAGEVRFY:00A53D5Fj
		db	65h
		jns	short $+3
; 
		dw 0
; 

??_C@_0L@EIGLBALK@ZwSetTimer@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAC0C0o
		pop	edx
		ja	short loc_A53DFE
		db	65h
		jz	short near ptr loc_A53E01+1

loc_A53DAE:				; CODE XREF: PAGEVRFY:00A53D37j
					; PAGEVRFY:00A53D5Dj ...
		imul	ebp, [ebp+65h],	5A000072h

loc_A53DB5:				; CODE XREF: PAGEVRFY:00A53D4Aj
					; PAGEVRFY:loc_A53D64j
		ja	short near ptr loc_A53E09+1
		db	65h
		jz	short loc_A53E03
		outsb

loc_A53DBB:				; CODE XREF: PAGEVRFY:00A53D55j
		outsw
		jb	short loc_A53E2C
		popa
		jz	short loc_A53E2B
		outsd
		outsb
		push	eax

loc_A53DC5:				; CODE XREF: PAGEVRFY:00A53D51j
		jb	short loc_A53E36

loc_A53DC7:				; CODE XREF: PAGEVRFY:00A53D73j
		arpl	[ebp+73h], sp
		jnb	short $+2

??_C@_0BH@EKHBPACC@ZwSetInformationObject@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAC030o
		pop	edx
		ja	short near ptr loc_A53E20+2
		db	65h
		jz	short near ptr loc_A53E14+7
		outsb
		outsw
		jb	short ??_C@_0BB@OMGJBGBF@ZwAlpcCreatePort@GHGBBCHJ@
		popa

loc_A53DD8:				; CODE XREF: PAGEVRFY:00A53D83j
		jz	short near ptr byte_A53E43
		outsd
		outsb

loc_A53DDC:				; CODE XREF: PAGEVRFY:00A53D66j
		dec	edi

loc_A53DDD:				; CODE XREF: PAGEVRFY:00A53D78j
		bound	ebp, [edx+65h]
		arpl	[eax+eax+0], si

??_C@_0BE@JGCEKJAC@ZwSetSecurityObject@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAC078o
		pop	edx
		ja	short loc_A53E3A
		db	65h
		jz	short loc_A53E3D

loc_A53DEA:				; CODE XREF: PAGEVRFY:loc_A53D76j
		arpl	gs:[ebp+72h], si

loc_A53DEE:				; CODE XREF: PAGEVRFY:loc_A53D99j
					; PAGEVRFY:loc_A53D88j	...
		imul	esi, [ecx+edi*2+4Fh], 63656A62h
		jz	short $+2

??_C@_0BH@JHOFABAM@ZwSetInformationThread@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAC060o
		pop	edx
		ja	short loc_A53E4E

loc_A53DFB:				; CODE XREF: PAGEVRFY:00A53D86j
					; PAGEVRFY:00A53D92j
		db	65h
		jz	short loc_A53E47

loc_A53DFE:				; CODE XREF: PAGEVRFY:00A53D8Fj
					; PAGEVRFY:00A53DA9j
		outsb
		outsw

loc_A53E01:				; CODE XREF: PAGEVRFY:00A53DABj
		jb	short loc_A53E70

loc_A53E03:				; CODE XREF: PAGEVRFY:00A53DB7j
		popa
		jz	short loc_A53E6F
		outsd

loc_A53E07:				; CODE XREF: PAGEVRFY:00A53DA0j
		outsb
		push	esp

loc_A53E09:				; CODE XREF: PAGEVRFY:loc_A53DB5j
		push	64616572h
; 
		dw 0
; 

??_C@_0BG@DJNHKNCA@ZwWaitForSingleObject@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAC168o
		pop	edx
		ja	short loc_A53E6A
		popa

loc_A53E14:				; CODE XREF: PAGEVRFY:00A53DCFj
		imul	esi, [esi+eax*2+6Fh], 6E695372h
		ins	byte ptr es:[di], dx
		db	65h
		dec	edi

loc_A53E20:				; CODE XREF: PAGEVRFY:00A53DCDj
		bound	ebp, [edx+65h]
		arpl	[eax+eax+0], si

loc_A53E27:				; DATA XREF: PAGEVRFD:00AAC150o
		add	[edx+77h], bl
		push	edi

loc_A53E2B:				; CODE XREF: PAGEVRFY:00A53DC0j
		popa

loc_A53E2C:				; CODE XREF: PAGEVRFY:00A53DBDj
		imul	esi, [esi+eax*2+6Fh], 6C754D72h
		jz	short near ptr loc_A53E9D+2

loc_A53E36:				; CODE XREF: PAGEVRFY:loc_A53DC5j
		jo	short loc_A53EA4
		db	65h
		dec	edi

loc_A53E3A:				; CODE XREF: PAGEVRFY:00A53DE5j
		bound	ebp, [edx+65h]

loc_A53E3D:				; CODE XREF: PAGEVRFY:00A53DE7j
		arpl	[ebx+esi*2+0], si
; 
		db 2 dup(0)
byte_A53E43	db 0			; CODE XREF: PAGEVRFY:loc_A53DD8j
; 

??_C@_0BB@OMGJBGBF@ZwAlpcCreatePort@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A53DD5j
					; DATA XREF: PAGEVRFD:00AAC198o
		pop	edx
		ja	short near ptr loc_A53E87+1

loc_A53E47:				; CODE XREF: PAGEVRFY:loc_A53DFBj
		insb
		jo	short loc_A53EAD
		inc	ebx
		jb	short loc_A53EB2
		popa

loc_A53E4E:				; CODE XREF: PAGEVRFY:00A53DF9j
		jz	short near ptr loc_A53EB4+1
		push	eax
		outsd
		jb	short ??_C@_0BI@JGCMGHHC@ZwAlpcCreatePortSection@GHGBBCHJ@
; 
		dd 0
; 

??_C@_0M@EHICNDGI@ZwWriteFile@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAC180o
		pop	edx
		ja	short loc_A53EB2
		jb	short loc_A53EC6
		jz	short near ptr byte_A53EC4
		inc	esi

loc_A53E60:				; DATA XREF: PAGEVRFD:00AAC108o
		imul	ebp, [ebp+0], 7254775Ah
		popa
		outsb

loc_A53E6A:				; CODE XREF: PAGEVRFY:00A53E11j
		jnb	short loc_A53ED8
		popa
		jz	short loc_A53ED4

loc_A53E6F:				; CODE XREF: PAGEVRFY:00A53E04j
		inc	esi

loc_A53E70:				; CODE XREF: PAGEVRFY:loc_A53E01j
		imul	ebp, [ebp+50h],	687461h

??_C@_0BL@EBHBPCHL@ZwSetVolumeInformationFile@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAC0F0o
		pop	edx
		ja	short loc_A53ECE
		db	65h
		jz	short loc_A53ED4
		outsd
		insb
		jnz	short loc_A53EEF
		db	65h
		dec	ecx
		outsb
		outsw

loc_A53E87:				; CODE XREF: PAGEVRFY:00A53E45j
		jb	short near ptr word_A53EF6
		popa
		jz	short near ptr byte_A53EF5
		outsd
		outsb
		inc	esi
; 
		db 69h
		dd 656Ch
; 

??_C@_0M@OHLHELHF@ZwUnloadKey@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAC138o
		pop	edx
		ja	short near ptr loc_A53EEB+1
		outsb
		insb
		outsd
		popa
		db	64h
		dec	ebx

loc_A53E9D:				; CODE XREF: PAGEVRFY:00A53E34j
		db	65h
		jns	short $+3

??_C@_0P@IBIICCAK@ZwUnloadDriver@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAC120o
		pop	edx
		ja	short ??_C@_0BM@FCGKKLHP@ZwAlpcCreateResourceReserve@GHGBBCHJ@
		outsb

loc_A53EA4:				; CODE XREF: PAGEVRFY:loc_A53E36j
		insb
		outsd
		popa
		db	64h
		inc	esp
		jb	short near ptr loc_A53F12+2
		jbe	short loc_A53F12

loc_A53EAD:				; CODE XREF: PAGEVRFY:00A53E48j
		jb	short $+2

loc_A53EAF:				; DATA XREF: PAGEVRFD:00AAC228o
		add	[edx+77h], bl

loc_A53EB2:				; CODE XREF: PAGEVRFY:00A53E4Bj
					; PAGEVRFY:00A53E59j
		inc	ecx
		insb

loc_A53EB4:				; CODE XREF: PAGEVRFY:loc_A53E4Ej
		jo	short near ptr loc_A53F18+1
		inc	ebx
		jb	short loc_A53F1E
		popa
		jz	short loc_A53F21
		push	ebx
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb
		push	esi
; 
byte_A53EC4	db 69h,	65h		; CODE XREF: PAGEVRFY:00A53E5Dj
; 

loc_A53EC6:				; CODE XREF: PAGEVRFY:00A53E5Bj
		ja	short $+2

??_C@_0BI@JGCMGHHC@ZwAlpcCreatePortSection@GHGBBCHJ@: ;	CODE XREF: PAGEVRFY:00A53E52j
					; DATA XREF: PAGEVRFD:00AAC210o
		pop	edx
		ja	short near ptr loc_A53F0A+2
		insb
		jo	short near ptr loc_A53F30+1

loc_A53ECE:				; CODE XREF: PAGEVRFY:00A53E79j
		inc	ebx
		jb	short loc_A53F36
		popa
		jz	short near ptr loc_A53F36+3

loc_A53ED4:				; CODE XREF: PAGEVRFY:00A53E6Dj
					; PAGEVRFY:00A53E7Bj
		push	eax
		outsd
		jb	short loc_A53F4C

loc_A53ED8:				; CODE XREF: PAGEVRFY:loc_A53E6Aj
		push	ebx
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb

loc_A53EDF:				; DATA XREF: PAGEVRFD:00AAC258o
		add	[edx+77h], bl
		inc	ecx
		insb
		jo	short loc_A53F49
		push	ebx
		db	65h
		jz	short loc_A53F33
		outsb

loc_A53EEB:				; CODE XREF: PAGEVRFY:00A53E95j
		outsw
		jb	short near ptr loc_A53F5B+1

loc_A53EEF:				; CODE XREF: PAGEVRFY:00A53E80j
		popa
		jz	short loc_A53F5B
		outsd
		outsb
; 
		db 0
byte_A53EF5	db 0			; CODE XREF: PAGEVRFY:00A53E8Aj
word_A53EF6	dw 0			; CODE XREF: PAGEVRFY:loc_A53E87j
; 

??_C@_0BM@FCGKKLHP@ZwAlpcCreateResourceReserve@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A53EA1j
					; DATA XREF: PAGEVRFD:00AAC240o
		pop	edx
		ja	short near ptr loc_A53F3B+1
		insb
		jo	short near ptr loc_A53F60+1
		inc	ebx
		jb	short near ptr loc_A53F65+1
		popa
		jz	short near ptr loc_A53F68+1
		push	edx
		db	65h
		jnb	short near ptr byte_A53F77
		jnz	short near ptr loc_A53F7B+1

loc_A53F0A:				; CODE XREF: PAGEVRFY:00A53EC9j
		arpl	[ebp+52h], sp
		db	65h
		jnb	short near ptr byte_A53F75
		jb	short near ptr loc_A53F86+2

loc_A53F12:				; CODE XREF: PAGEVRFY:00A53EABj
					; PAGEVRFY:00A53EA9j
					; DATA XREF: ...
		add	gs:[edx+77h], bl
		inc	ecx
		insb

loc_A53F18:				; CODE XREF: PAGEVRFY:loc_A53EB4j
		jo	short loc_A53F7D
		inc	ecx
		arpl	[ebx+65h], sp

loc_A53F1E:				; CODE XREF: PAGEVRFY:00A53EB7j
		jo	short loc_A53F94
		inc	ebx

loc_A53F21:				; CODE XREF: PAGEVRFY:00A53EBAj
		outsd
		outsb
		outsb
		arpl	gs:[eax+edx*2+6Fh], si
		jb	short loc_A53F9F

loc_A53F2B:				; DATA XREF: PAGEVRFD:00AAC1B0o
		add	[edx+77h], bl
		inc	ecx
		insb

loc_A53F30:				; CODE XREF: PAGEVRFY:00A53ECCj
		jo	short loc_A53F95
		inc	ebx

loc_A53F33:				; CODE XREF: PAGEVRFY:00A53EE7j
		outsd
		outsb
		outsb

loc_A53F36:				; CODE XREF: PAGEVRFY:00A53ECFj
					; PAGEVRFY:00A53ED2j
		arpl	gs:[eax+edx*2+6Fh], si

loc_A53F3B:				; CODE XREF: PAGEVRFY:00A53EF9j
		jb	short near ptr byte_A53FB1
; 
		db 3 dup(0)
; 

??_C@_0BM@BOHDK@ZwAlpcCreateSecurityContext@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAC1F8o
		pop	edx
		ja	short loc_A53F84
		insb
		jo	short loc_A53FA9
		inc	ebx
		jb	short near ptr loc_A53FAD+1

loc_A53F49:				; CODE XREF: PAGEVRFY:00A53EE4j
		popa
		jz	short near ptr byte_A53FB1

loc_A53F4C:				; CODE XREF: PAGEVRFY:00A53ED6j
		push	ebx
		arpl	gs:[ebp+72h], si
		imul	esi, [ecx+edi*2+43h], 65746E6Fh
		js	short near ptr loc_A53FCC+3

loc_A53F5B:				; CODE XREF: PAGEVRFY:00A53EF0j
					; PAGEVRFY:00A53EEDj
					; DATA XREF: ...
		add	[edx+77h], bl
		inc	ecx
		insb

loc_A53F60:				; CODE XREF: PAGEVRFY:00A53EFCj
		jo	short loc_A53FC5
		push	ebx
		outs	dx, byte ptr gs:[esi]

loc_A53F65:				; CODE XREF: PAGEVRFY:00A53EFFj
		db	64h
		push	edi
		popa

loc_A53F68:				; CODE XREF: PAGEVRFY:00A53F02j
		imul	esi, [edx+edx*2+65h], 76696563h
		db	65h
		push	eax
		outsd
		jb	short loc_A53FE9
; 
byte_A53F75	db 2 dup(0)		; CODE XREF: PAGEVRFY:00A53F0Dj
byte_A53F77	db 0			; CODE XREF: PAGEVRFY:00A53F05j
; 

??_C@_0BE@LIPAKKGA@ZwCreateTransaction@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAC2E8o
		pop	edx
		ja	short near ptr loc_A53FBD+1

loc_A53F7B:				; CODE XREF: PAGEVRFY:00A53F08j
		jb	short near ptr loc_A53FE0+2

loc_A53F7D:				; CODE XREF: PAGEVRFY:loc_A53F18j
		popa
		jz	short near ptr byte_A53FE5
		push	esp
		jb	short loc_A53FE4
		outsb

loc_A53F84:				; CODE XREF: PAGEVRFY:00A53F41j
		jnb	short near ptr byte_A53FE7

loc_A53F86:				; CODE XREF: PAGEVRFY:00A53F10j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
; 
		db 0
; 

??_C@_0CF@GDCHDIPJ@ZwQueryInformationTransactionMa@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AAC2D0o
		pop	edx
		ja	short loc_A53FE0
		jnz	short near ptr loc_A53FF5+1
		jb	short loc_A5400C
		dec	ecx

loc_A53F94:				; CODE XREF: PAGEVRFY:loc_A53F1Ej
		outsb

loc_A53F95:				; CODE XREF: PAGEVRFY:loc_A53F30j
		outsw
		jb	short loc_A54006
		popa
		jz	short near ptr loc_A54004+1
		outsd
		outsb
		push	esp

loc_A53F9F:				; CODE XREF: PAGEVRFY:00A53F29j
		jb	short loc_A54002
		outsb
		jnb	short near ptr loc_A54004+1
		arpl	[ecx+ebp*2+6Fh], si
		outsb

loc_A53FA9:				; CODE XREF: PAGEVRFY:00A53F44j
		dec	ebp
		popa
		outsb
		popa

loc_A53FAD:				; CODE XREF: PAGEVRFY:00A53F47j
		db	67h, 65h
		jb	near ptr 3FB1h
; 
byte_A53FB1	db 3 dup(0)		; CODE XREF: PAGEVRFY:loc_A53F3Bj
					; PAGEVRFY:00A53F4Aj
; 

??_C@_0BO@OGPHOCCL@ZwQueryInformationTransaction@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAC318o
		pop	edx
		ja	short near ptr loc_A54007+1
		jnz	short loc_A5401E
		jb	short ??_C@_0BL@FPNCDFPK@ZwCreateTransactionManager@GHGBBCHJ@
		dec	ecx
		outsb

loc_A53FBD:				; CODE XREF: PAGEVRFY:00A53F79j
		outsw
		jb	short near ptr loc_A5402D+1
		popa
		jz	short loc_A5402D
		outsd

loc_A53FC5:				; CODE XREF: PAGEVRFY:loc_A53F60j
		outsb
		push	esp
		jb	short loc_A5402A
		outsb
		jnb	short loc_A5402D

loc_A53FCC:				; CODE XREF: PAGEVRFY:00A53F59j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
; 
		db 3 dup(0)
; 

??_C@_0BC@EAIKDAOG@ZwOpenTransaction@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAC300o
		pop	edx
		ja	short near ptr loc_A54024+2
		jo	short near ptr loc_A5403D+1
		outsb
		push	esp
		jb	short near ptr loc_A5403D+1
		outsb
		jnb	short near ptr loc_A54040+1

loc_A53FE0:				; CODE XREF: PAGEVRFY:00A53F8Dj
					; PAGEVRFY:loc_A53F7Bj
		arpl	[ecx+ebp*2+6Fh], si

loc_A53FE4:				; CODE XREF: PAGEVRFY:00A53F81j
		outsb
; 
byte_A53FE5	db 2 dup(0)		; CODE XREF: PAGEVRFY:00A53F7Ej
byte_A53FE7	db 0			; CODE XREF: PAGEVRFY:loc_A53F84j
; 

??_C@_0BH@GNBHINHE@ZwRemoveIoCompletionEx@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAC288o
		pop	edx

loc_A53FE9:				; CODE XREF: PAGEVRFY:00A53F73j
		ja	short loc_A5403D
		db	65h
		insd
		outsd
		jbe	short loc_A54055
		dec	ecx
		outsd
		inc	ebx
		outsd
		insd

loc_A53FF5:				; CODE XREF: PAGEVRFY:00A53F8Fj
		jo	short near ptr byte_A54063
		db	65h
		jz	short near ptr byte_A54063
		outsd
		outsb
		inc	ebp
		js	short $+2

loc_A53FFF:				; DATA XREF: PAGEVRFD:00AAC270o
		add	[edx+77h], bl

loc_A54002:				; CODE XREF: PAGEVRFY:loc_A53F9Fj
		inc	ecx
		insb

loc_A54004:				; CODE XREF: PAGEVRFY:00A53F9Aj
					; PAGEVRFY:00A53FA2j
		jo	short loc_A54069

loc_A54006:				; CODE XREF: PAGEVRFY:00A53F97j
		push	ecx

loc_A54007:				; CODE XREF: PAGEVRFY:00A53FB5j
		jnz	short near ptr loc_A5406D+1
		jb	short loc_A54084
		dec	ecx

loc_A5400C:				; CODE XREF: PAGEVRFY:00A53F91j
		outsb
		outsw
		jb	short near ptr loc_A5407D+1
		popa
		jz	short loc_A5407D
		outsd
		outsb
; 
		dw 0
; 

??_C@_0BJ@PIFJBJDB@ZwOpenTransactionManager@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAC2B8o
		pop	edx
		ja	short loc_A5406A
		jo	short loc_A54082
		outsb

loc_A5401E:				; CODE XREF: PAGEVRFY:00A53FB7j
		push	esp
		jb	short loc_A54082
		outsb
		jnb	short loc_A54085

loc_A54024:				; CODE XREF: PAGEVRFY:00A53FD5j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		dec	ebp

loc_A5402A:				; CODE XREF: PAGEVRFY:00A53FC7j
		popa
		outsb
		popa

loc_A5402D:				; CODE XREF: PAGEVRFY:00A53FC2j
					; PAGEVRFY:00A53FCAj ...
		db	67h, 65h
		jb	near ptr 4031h
; 
		db 3 dup(0)
; 

??_C@_0BL@FPNCDFPK@ZwCreateTransactionManager@GHGBBCHJ@: ; CODE	XREF: PAGEVRFY:00A53FB9j
					; DATA XREF: PAGEVRFD:00AAC2A0o
		pop	edx
		ja	short near ptr word_A5407A
		jb	short near ptr loc_A5409B+3
		popa
		jz	short near ptr loc_A5409B+6
		push	esp

loc_A5403D:				; CODE XREF: PAGEVRFY:loc_A53FE9j
					; PAGEVRFY:00A53FD7j ...
		jb	short near ptr loc_A5409B+5
		outsb

loc_A54040:				; CODE XREF: PAGEVRFY:00A53FDEj
		jnb	short near ptr byte_A540A3
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		dec	ebp
		popa
		outsb
		popa
		db	67h, 65h
		jb	near ptr 404Fh

loc_A5404F:				; DATA XREF: PAGEVRFD:00AAC3A8o
		add	[edx+77h], bl
		push	eax
		jb	short near ptr word_A540BA

loc_A54055:				; CODE XREF: PAGEVRFY:00A53FEEj
		jo	short near ptr loc_A540B3+5
		jb	short near ptr loc_A540BD+1
		inc	ebx
		outsd
		insd
		jo	short loc_A540CA
		db	65h
		jz	short near ptr loc_A540C5+1
; 
		db 2 dup(0)
byte_A54063	db 0			; CODE XREF: PAGEVRFY:loc_A53FF5j
					; PAGEVRFY:00A53FF7j
; 

??_C@_0BF@IILIILLD@ZwRollbackEnlistment@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAC390o
		pop	edx
		ja	short near ptr loc_A540B3+6
		outsd
		insb

loc_A54069:				; CODE XREF: PAGEVRFY:loc_A54004j
		insb

loc_A5406A:				; CODE XREF: PAGEVRFY:00A54019j
		bound	esp, [ecx+63h]

loc_A5406D:				; CODE XREF: PAGEVRFY:loc_A54007j
		imul	eax, [ebp+6Eh],	6Ch
		imul	esi, [ebx+74h],	746E656Dh
; 
		db 2 dup(0)
word_A5407A	dw 0			; CODE XREF: PAGEVRFY:00A54035j
; 

??_C@_0BB@POKGJIDK@ZwOpenEnlistment@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAC3D8o
		pop	edx

loc_A5407D:				; CODE XREF: PAGEVRFY:00A54012j
					; PAGEVRFY:00A5400Fj
		ja	short near ptr loc_A540CD+1
		jo	short loc_A540E6
		outsb

loc_A54082:				; CODE XREF: PAGEVRFY:00A5401Bj
					; PAGEVRFY:00A5401Fj
		inc	ebp
		outsb

loc_A54084:				; CODE XREF: PAGEVRFY:00A54009j
		insb

loc_A54085:				; CODE XREF: PAGEVRFY:00A54022j
		imul	esi, [ebx+74h],	746E656Dh
; 
		dd 0
; 

??_C@_0BD@OGJCHHOH@ZwCreateEnlistment@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAC3C0o
		pop	edx
		ja	short loc_A540D6
		jb	short near ptr loc_A540F8+2
		popa
		jz	short near ptr loc_A540F8+5
		inc	ebp
		outsb
		insb

loc_A5409B:				; CODE XREF: PAGEVRFY:00A54037j
					; PAGEVRFY:loc_A5403Dj	...
		imul	esi, [ebx+74h],	746E656Dh
; 
		db 0
byte_A540A3	db 0			; CODE XREF: PAGEVRFY:loc_A54040j
; 

??_C@_0BH@CLOABDGB@ZwPrePrepareEnlistment@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAC348o
		pop	edx
		ja	short loc_A540F7
		jb	short near ptr loc_A5410D+1
		push	eax
		jb	short near ptr loc_A5410F+2
		jo	short loc_A5410F
		jb	short loc_A54115
		inc	ebp
		outsb
		insb

loc_A540B3:				; CODE XREF: PAGEVRFY:loc_A54055j
					; PAGEVRFY:00A54065j
		imul	esi, [ebx+74h],	746E656Dh
; 
word_A540BA	dw 0			; CODE XREF: PAGEVRFY:00A54053j
; 

??_C@_0BM@POLPOMDM@ZwSetInformationTransaction@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAC330o
		pop	edx

loc_A540BD:				; CODE XREF: PAGEVRFY:00A54057j
		ja	short near ptr word_A54112
		db	65h
		jz	short near ptr loc_A54104+7
		outsb
		outsw

loc_A540C5:				; CODE XREF: PAGEVRFY:00A5405Ej
		jb	short near ptr loc_A54133+1
		popa
		jz	short loc_A54133

loc_A540CA:				; CODE XREF: PAGEVRFY:00A5405Cj
		outsd
		outsb
		push	esp

loc_A540CD:				; CODE XREF: PAGEVRFY:loc_A5407Dj
		jb	short ??_C@_0P@PPGAEJBD@KeReleaseMutex@GHGBBCHJ@
		outsb
		jnb	short loc_A54133
		arpl	[ecx+ebp*2+6Fh], si

loc_A540D6:				; CODE XREF: PAGEVRFY:00A54091j
		outsb

loc_A540D7:				; DATA XREF: PAGEVRFD:00AAC378o
		add	[edx+77h], bl
		inc	ebx
		outsd
		insd
		insd
		imul	esi, [ebp+eax*2+6Eh], 7473696Ch

loc_A540E6:				; CODE XREF: PAGEVRFY:00A5407Fj
		insd
		outs	dx, byte ptr gs:[esi]
		jz	short $+2

loc_A540EB:				; DATA XREF: PAGEVRFD:00AAC360o
		add	[edx+77h], bl
		push	eax
		jb	short loc_A54156
		jo	short near ptr loc_A54153+1
		jb	short loc_A5415A
		inc	ebp
		outsb

loc_A540F7:				; CODE XREF: PAGEVRFY:00A540A5j
		insb

loc_A540F8:				; CODE XREF: PAGEVRFY:00A54093j
					; PAGEVRFY:00A54096j
		imul	esi, [ebx+74h],	746E656Dh

loc_A540FF:				; DATA XREF: PAGEVRFD:00AA85F0o
		add	[ebx+65h], cl
		dec	ecx
		outsb

loc_A54104:				; CODE XREF: PAGEVRFY:00A540BFj
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		dec	ebp

loc_A5410D:				; CODE XREF: PAGEVRFY:00A540A7j
		jnz	short loc_A54183

loc_A5410F:				; CODE XREF: PAGEVRFY:00A540ACj
					; PAGEVRFY:00A540AAj
		db	65h
		js	short $+3
; 
word_A54112	dw 0			; CODE XREF: PAGEVRFY:loc_A540BDj
; 

??_C@_0BJ@LIMAPCOO@KeWaitForMultipleObjects@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA85D4o
		dec	ebx

loc_A54115:				; CODE XREF: PAGEVRFY:00A540AEj
		db	65h
		push	edi
		popa
		imul	esi, [esi+eax*2+6Fh], 6C754D72h
		jz	short near ptr loc_A54185+6
		jo	short ??_C@_0BG@CICIJADA@KeWaitForSingleObject@GHGBBCHJ@
		db	65h
		dec	edi
		bound	ebp, [edx+65h]
		arpl	[ebx+esi*2+0], si
; 
		db 3 dup(0)
; 

??_C@_0P@PPGAEJBD@KeReleaseMutex@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:loc_A540CDj
					; DATA XREF: PAGEVRFD:00AA8628o
		dec	ebx
		db	65h
		push	edx

loc_A54133:				; CODE XREF: PAGEVRFY:00A540C8j
					; PAGEVRFY:00A540D0j ...
		db	65h
		insb
		db	65h
		popa
		jnb	short loc_A5419E
		dec	ebp
		jnz	short loc_A541B0
		db	65h
		js	short $+3

loc_A5413F:				; DATA XREF: PAGEVRFD:00AA860Co
		add	[ebx+65h], cl
		dec	ecx
		outsb
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		dec	ebp
		jnz	short loc_A541C3
		popa
		outsb
		jz	short $+2

loc_A54153:				; CODE XREF: PAGEVRFY:00A540F1j
					; DATA XREF: PAGEVRFD:00AAC408o
		add	[edx+77h], bl

loc_A54156:				; CODE XREF: PAGEVRFY:00A540EFj
		push	ebx
		db	65h
		jz	short loc_A541A3

loc_A5415A:				; CODE XREF: PAGEVRFY:00A540F3j
		outsb
		outsw
		jb	short loc_A541CC
		popa
		jz	short near ptr loc_A541CA+1
		outsd
		outsb
		inc	ebp
		outsb
		insb
		imul	esi, [ebx+74h],	746E656Dh
; 
		dw 0
; 

??_C@_0BN@DPCDDCJP@ZwQueryInformationEnlistment@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAC3F0o
		pop	edx
		ja	short near ptr loc_A541C3+1
		jnz	short near ptr loc_A541D8+2
		jb	short near ptr loc_A541EF+1
		dec	ecx
		outsb
		outsw
		jb	short near ptr loc_A541E9+1
		popa
		jz	short loc_A541E9
		outsd
		outsb
		inc	ebp

loc_A54183:				; CODE XREF: PAGEVRFY:loc_A5410Dj
		outsb
		insb

loc_A54185:				; CODE XREF: PAGEVRFY:00A54120j
		imul	esi, [ebx+74h],	746E656Dh
; 
		dd 0
; 

??_C@_0BG@CICIJADA@KeWaitForSingleObject@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A54122j
					; DATA XREF: PAGEVRFD:_VfOrderDependentThunkso
		dec	ebx
		db	65h
		push	edi
		popa
		imul	esi, [esi+eax*2+6Fh], 6E695372h
		ins	byte ptr es:[di], dx

loc_A5419E:				; CODE XREF: PAGEVRFY:00A54137j
		db	65h
		dec	edi
		bound	ebp, [edx+65h]

loc_A541A3:				; CODE XREF: PAGEVRFY:00A54157j
		arpl	[eax+eax+0], si
; 
		db 0
; 

??_C@_0BE@EEGNAMPL@ZwQueryLicenseValue@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAC420o
		pop	edx
		ja	short near ptr loc_A541FB+1
		jnz	short near ptr loc_A5420C+6
		jb	short near ptr loc_A54226+2
		dec	esp

loc_A541B0:				; CODE XREF: PAGEVRFY:00A5413Aj
		imul	esp, [ebx+65h],	5665736Eh
		popa
		insb
		jnz	short ??_C@_0BJ@DJCIABGN@ExAcquireFastMutexUnsafe@GHGBBCHJ@

loc_A541BB:				; DATA XREF: PAGEVRFD:00AA86D0o
		add	[ebp+78h], al
		push	edx
		db	65h
		insb
		db	65h
		popa

loc_A541C3:				; CODE XREF: PAGEVRFY:00A5414Dj
					; PAGEVRFY:00A54171j
		jnb	short near ptr loc_A54226+4
		inc	esi
		popa
		jnb	short loc_A5423D
		dec	ebp

loc_A541CA:				; CODE XREF: PAGEVRFY:00A54160j
		jnz	short near ptr loc_A5423F+1

loc_A541CC:				; CODE XREF: PAGEVRFY:00A5415Dj
		db	65h
		js	short $+3

loc_A541CF:				; DATA XREF: PAGEVRFD:00AA86B4o
		add	[ebp+78h], al
		push	esp
		jb	short near ptr loc_A5424D+1
		push	esp
		outsd
		inc	ecx

loc_A541D8:				; CODE XREF: PAGEVRFY:00A54173j
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	74736146h
		dec	ebp
		jnz	short loc_A54259
		db	65h
		js	short $+3

??_C@_0BN@OIFLEHDD@KefAcquireSpinLockAtDpcLevel@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA8708o
		dec	ebx

loc_A541E9:				; CODE XREF: PAGEVRFY:00A5417Ej
					; PAGEVRFY:00A5417Bj
		db	65h
		inc	cx
		arpl	[ecx+75h], si

loc_A541EF:				; CODE XREF: PAGEVRFY:00A54175j
		imul	esi, [edx+65h],	6E697053h
		dec	esp
		outsd
		arpl	[ebx+41h], bp

loc_A541FB:				; CODE XREF: PAGEVRFY:00A541A9j
		jz	short loc_A54241
		jo	short near ptr loc_A54261+1
		dec	esp
		db	65h
		jbe	short near ptr loc_A54267+1
		insb
; 
		dd 0
; 

??_C@_0BF@LCDPIJOI@KeInitializeSpinLock@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA86ECo
		dec	ebx
		db	65h
		dec	ecx
		outsb

loc_A5420C:				; CODE XREF: PAGEVRFY:00A541ABj
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		push	ebx
		jo	short near ptr loc_A5427F+1
		outsb
		dec	esp
		outsd
		arpl	[ebx+0], bp
; 
		db 3 dup(0)
; 

??_C@_0BJ@DJCIABGN@ExAcquireFastMutexUnsafe@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A541B9j
					; DATA XREF: PAGEVRFD:00AA8660o
		inc	ebp
		js	short near ptr loc_A54263+1
		arpl	[ecx+75h], si

loc_A54226:				; CODE XREF: PAGEVRFY:00A541ADj
					; PAGEVRFY:loc_A541C3j
		imul	esi, [edx+65h],	74736146h
		dec	ebp
		jnz	short near ptr dword_A542A4
		db	65h
		js	short near ptr loc_A54282+6
		outsb
		jnb	short loc_A54297
		db	66h
		add	gs:[eax], al
; 
		dw 0
; 

??_C@_0BA@FINLNFPA@KeReleaseMutant@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA8644o
		dec	ebx

loc_A5423D:				; CODE XREF: PAGEVRFY:00A541C7j
		db	65h
		push	edx

loc_A5423F:				; CODE XREF: PAGEVRFY:loc_A541CAj
		db	65h
		insb

loc_A54241:				; CODE XREF: PAGEVRFY:loc_A541FBj
		db	65h
		popa
		jnb	short near ptr loc_A542A9+1
		dec	ebp
		jnz	short near ptr loc_A542BB+1
		popa
		outsb
		jz	short $+2

??_C@_0BD@NOMNOIPH@ExAcquireFastMutex@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA8698o
		inc	ebp

loc_A5424D:				; CODE XREF: PAGEVRFY:00A541D3j
		js	short near ptr loc_A5428F+1
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	74736146h

loc_A54259:				; CODE XREF: PAGEVRFY:00A541E3j
		dec	ebp
		jnz	short near ptr loc_A542CF+1
		db	65h
		js	short $+3
; 
		db 0
; 

??_C@_0BJ@NJEOHIGC@ExReleaseFastMutexUnsafe@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA867Co
		inc	ebp

loc_A54261:				; CODE XREF: PAGEVRFY:00A541FDj
		js	short loc_A542B5

loc_A54263:				; CODE XREF: PAGEVRFY:00A54221j
		db	65h
		insb
		db	65h
		popa

loc_A54267:				; CODE XREF: PAGEVRFY:00A54200j
		jnb	short near ptr loc_A542CD+1
		inc	esi
		popa
		jnb	short loc_A542E1
		dec	ebp
		jnz	short loc_A542E4
		db	65h
		js	short ??_C@_0BP@NHDELBBL@KeReleaseInStackQueuedSpinLock@GHGBBCHJ@
		outsb
		jnb	short near ptr loc_A542D6+1
		db	66h
		add	gs:[eax], al
; 
		dw 0
; 

??_C@_0CJ@FGKMMJIG@KeAcquireInStackQueuedSpinLockA@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA87B0o
		dec	ebx
		db	65h
		inc	ecx

loc_A5427F:				; CODE XREF: PAGEVRFY:00A54215j
		arpl	[ecx+75h], si

loc_A54282:				; CODE XREF: PAGEVRFY:00A54230j
		imul	esi, [edx+65h],	74536E49h
		popa
		arpl	[ebx+51h], bp
		jnz	short near ptr loc_A542EE+6

loc_A5428F:				; CODE XREF: PAGEVRFY:loc_A5424Dj
		jnz	short loc_A542F6
		db	64h
		push	ebx
		jo	short near ptr loc_A542FD+1
		outsb
		dec	esp

loc_A54297:				; CODE XREF: PAGEVRFY:00A54234j
		outsd
		arpl	[ebx+41h], bp
		jz	short loc_A542E1
		jo	short loc_A54302
		dec	esp
		db	65h
		jbe	short loc_A54308
		insb
; 
dword_A542A4	dd 0			; CODE XREF: PAGEVRFY:00A5422Ej
; 

??_C@_0BP@GFAPPJAP@KeAcquireInStackQueuedSpinLock@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA8794o
		dec	ebx

loc_A542A9:				; CODE XREF: PAGEVRFY:00A54243j
		db	65h
		inc	ecx
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	74536E49h

loc_A542B5:				; CODE XREF: PAGEVRFY:loc_A54261j
		popa
		arpl	[ebx+51h], bp
		jnz	short near ptr loc_A5431F+1

loc_A542BB:				; CODE XREF: PAGEVRFY:00A54246j
		jnz	short near ptr word_A54322
		db	64h
		push	ebx
		jo	short loc_A5432A
		outsb
		dec	esp
		outsd
		arpl	[ebx+0], bp
; 
		db 0
; 

??_C@_0BP@NHDELBBL@KeReleaseInStackQueuedSpinLock@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A54270j
					; DATA XREF: PAGEVRFD:00AA87E8o
		dec	ebx
		db	65h
		push	edx
		db	65h
		insb

loc_A542CD:				; CODE XREF: PAGEVRFY:loc_A54267j
		db	65h
		popa

loc_A542CF:				; CODE XREF: PAGEVRFY:00A5425Aj
		jnb	short near ptr loc_A54334+2
		dec	ecx
		outsb
		push	ebx
		jz	short loc_A54337

loc_A542D6:				; CODE XREF: PAGEVRFY:00A54274j
		arpl	[ebx+51h], bp
		jnz	short near ptr loc_A5433E+2
		jnz	short near ptr word_A54342
		db	64h
		push	ebx
		jo	short loc_A5434A

loc_A542E1:				; CODE XREF: PAGEVRFY:00A5426Bj
					; PAGEVRFY:00A5429Bj
		outsb
		dec	esp
		outsd

loc_A542E4:				; CODE XREF: PAGEVRFY:00A5426Ej
		arpl	[ebx+0], bp

loc_A542E7:				; DATA XREF: PAGEVRFD:00AA87CCo
		add	[ebx+65h], cl
		inc	ecx
		arpl	[ecx+75h], si

loc_A542EE:				; CODE XREF: PAGEVRFY:00A5428Dj
		imul	esi, [edx+65h],	74536E49h
		popa

loc_A542F6:				; CODE XREF: PAGEVRFY:loc_A5428Fj
		arpl	[ebx+51h], bp
		jnz	short loc_A54360
		jnz	short near ptr loc_A54360+2

loc_A542FD:				; CODE XREF: PAGEVRFY:00A54293j
		db	64h
		push	ebx
		jo	short near ptr loc_A54369+1
		outsb

loc_A54302:				; CODE XREF: PAGEVRFY:00A5429Dj
		dec	esp
		outsd
		arpl	[ebx+46h], bp
		outsd

loc_A54308:				; CODE XREF: PAGEVRFY:00A542A0j
		jb	short near ptr loc_A5434C+2
		jo	short loc_A5436F
; 
		dd 0
; 

??_C@_0BC@NFHLGKEH@KfAcquireSpinLock@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA8740o
		dec	ebx
		inc	cx
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	6E697053h
		dec	esp
		outsd

loc_A5431F:				; CODE XREF: PAGEVRFY:00A542B9j
		arpl	[ebx+0], bp
; 
word_A54322	dw 0			; CODE XREF: PAGEVRFY:loc_A542BBj
; 

??_C@_0BP@DFAAOGKA@KefReleaseSpinLockFromDpcLevel@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA8724o
		dec	ebx
		db	65h
		push	dx
		db	65h
		insb

loc_A5432A:				; CODE XREF: PAGEVRFY:00A542BFj
		db	65h
		popa
		jnb	short near ptr loc_A5438C+7
		push	ebx
		jo	short near ptr loc_A54398+2
		outsb
		dec	esp
		outsd

loc_A54334:				; CODE XREF: PAGEVRFY:loc_A542CFj
		arpl	[ebx+46h], bp

loc_A54337:				; CODE XREF: PAGEVRFY:00A542D4j
		jb	short near ptr loc_A543A7+1
		insd
		inc	esp
		jo	short near ptr loc_A5439F+1
		dec	esp

loc_A5433E:				; CODE XREF: PAGEVRFY:00A542D9j
		db	65h
		jbe	short loc_A543A6
		insb
; 
word_A54342	dw 0			; CODE XREF: PAGEVRFY:00A542DBj
; 

??_C@_0CB@INHJPAIB@KeTryToAcquireSpinLockAtDpcLeve@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8778o
		dec	ebx
		db	65h
		push	esp
		jb	short near ptr loc_A543C0+2
		push	esp

loc_A5434A:				; CODE XREF: PAGEVRFY:00A542DFj
		outsd
		inc	ecx

loc_A5434C:				; CODE XREF: PAGEVRFY:loc_A54308j
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	6E697053h
		dec	esp
		outsd
		arpl	[ebx+41h], bp
		jz	short loc_A543A1
		jo	short near ptr loc_A543C0+2
		dec	esp

loc_A54360:				; CODE XREF: PAGEVRFY:00A542F9j
					; PAGEVRFY:00A542FBj
		db	65h
		jbe	short near ptr loc_A543C0+8
		insb
; 
		dd 0
; 

??_C@_0BC@JKKDHHAK@KfReleaseSpinLock@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA875Co
		dec	ebx

loc_A54369:				; CODE XREF: PAGEVRFY:00A542FFj
		push	dx
		db	65h
		insb
		db	65h
		popa

loc_A5436F:				; CODE XREF: PAGEVRFY:00A5430Aj
		jnb	short near ptr loc_A543D5+1
		push	ebx
		jo	short loc_A543DD
		outsb
		dec	esp
		outsd
		arpl	[ebx+0], bp
; 
		dw 0
; 

??_C@_0DB@CDPOFDFI@ExEnterPriorityRegionAndAcquire@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8890o
		inc	ebp
		js	short near ptr loc_A543C0+4
		outsb
		jz	short loc_A543E7
		jb	short near ptr loc_A543D3+1
		jb	short near ptr loc_A543EE+1
		outsd
		jb	short near ptr loc_A543F0+2
		jz	short near ptr loc_A54400+4
		push	edx

loc_A5438C:				; CODE XREF: PAGEVRFY:00A5432Cj
		imul	ebp, gs:[bx+6Eh], 41646E41h
		arpl	[ecx+75h], si

loc_A54398:				; CODE XREF: PAGEVRFY:00A5432Fj
		imul	esi, [edx+65h],	6F736552h

loc_A5439F:				; CODE XREF: PAGEVRFY:00A5433Bj
		jnz	short near ptr byte_A54413

loc_A543A1:				; CODE XREF: PAGEVRFY:00A5435Bj
		arpl	[ebp+45h], sp
		js	short loc_A54409

loc_A543A6:				; CODE XREF: PAGEVRFY:loc_A5433Ej
		insb

loc_A543A7:				; CODE XREF: PAGEVRFY:loc_A54337j
		jnz	short near ptr loc_A5441A+2
		imul	esi, [esi+65h],	0

??_C@_0DB@PMJGDHMB@ExEnterCriticalRegionAndAcquire@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8874o
		inc	ebp
		js	short near ptr loc_A543F4+4
		outsb
		jz	short near ptr loc_A5441A+1
		jb	short near ptr loc_A543F4+7
		jb	short loc_A54423
		jz	short near ptr loc_A54423+2
		arpl	[ecx+6Ch], sp
		push	edx

loc_A543C0:				; CODE XREF: PAGEVRFY:00A54347j
					; PAGEVRFY:00A5435Dj ...
		imul	ebp, gs:[bx+6Eh], 41646E41h
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	6F736552h

loc_A543D3:				; CODE XREF: PAGEVRFY:00A54382j
		jnz	short loc_A54447

loc_A543D5:				; CODE XREF: PAGEVRFY:loc_A5436Fj
		arpl	[ebp+45h], sp
		js	short near ptr loc_A5443C+1
		insb
		jnz	short loc_A54450

loc_A543DD:				; CODE XREF: PAGEVRFY:00A54372j
		imul	esi, [esi+65h],	0

??_C@_0CO@EBNPIICK@ExEnterCriticalRegionAndAcquire@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA88C8o
		inc	ebp
		js	short near ptr byte_A5442C

loc_A543E7:				; CODE XREF: PAGEVRFY:00A54380j
		outsb
		jz	short loc_A5444F
		jb	short near ptr byte_A5442F
		jb	short near ptr byte_A54457

loc_A543EE:				; CODE XREF: PAGEVRFY:00A54384j
		jz	short loc_A54459

loc_A543F0:				; CODE XREF: PAGEVRFY:00A54387j
		arpl	[ecx+6Ch], sp
		push	edx

loc_A543F4:				; CODE XREF: PAGEVRFY:00A543B1j
					; PAGEVRFY:00A543B6j
		imul	ebp, gs:[bx+6Eh], 41646E41h
		arpl	[ecx+75h], si

loc_A54400:				; CODE XREF: PAGEVRFY:00A54389j
		imul	esi, [edx+65h],	6F736552h
		jnz	short loc_A5447B

loc_A54409:				; CODE XREF: PAGEVRFY:00A543A4j
		arpl	[ebp+53h], sp
		push	64657261h
; 
		db 2 dup(0)
byte_A54413	db 0			; CODE XREF: PAGEVRFY:loc_A5439Fj
; 

??_C@_0BM@NNOBLDPG@ExAcquireResourceSharedLite@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA88ACo
		inc	ebp
		js	short ??_C@_0CL@LFOFCPMJ@KeReleaseInStackQueuedSpinLockF@GHGBBCHJ@
		arpl	[ecx+75h], si

loc_A5441A:				; CODE XREF: PAGEVRFY:00A543B4j
					; PAGEVRFY:loc_A543A7j
		imul	esi, [edx+65h],	6F736552h
		jnz	short near ptr loc_A54493+2

loc_A54423:				; CODE XREF: PAGEVRFY:00A543B8j
					; PAGEVRFY:00A543BAj
		arpl	[ebp+53h], sp
		push	64657261h
		dec	esp
; 
byte_A5442C	db 69h,	74h, 65h	; CODE XREF: PAGEVRFY:00A543E5j
byte_A5442F	db 0			; CODE XREF: PAGEVRFY:00A543EAj
; 

??_C@_0CF@OAAFEOIC@KeReleaseInStackQueuedSpinLockF@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8820o
		dec	ebx
		db	65h
		push	edx
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_A5449B+3
		dec	ecx
		outsb
		push	ebx

loc_A5443C:				; CODE XREF: PAGEVRFY:00A543D8j
		jz	short near ptr loc_A5449B+4
		arpl	[ebx+51h], bp
		jnz	short near ptr loc_A544A7+1
		jnz	short loc_A544AA
		db	64h
		push	ebx

loc_A54447:				; CODE XREF: PAGEVRFY:loc_A543D3j
		jo	short loc_A544B2
		outsb
		dec	esp
		outsd
		arpl	[ebx+46h], bp

loc_A5444F:				; CODE XREF: PAGEVRFY:00A543E8j
		outsd

loc_A54450:				; CODE XREF: PAGEVRFY:00A543DBj
		jb	short loc_A54496
		jo	short loc_A544B7
; 
		db 3 dup(0)
byte_A54457	db 0			; CODE XREF: PAGEVRFY:00A543ECj
; 

??_C@_0CL@LFOFCPMJ@KeReleaseInStackQueuedSpinLockF@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A54415j
					; DATA XREF: PAGEVRFD:00AA8804o
		dec	ebx

loc_A54459:				; CODE XREF: PAGEVRFY:loc_A543EEj
		db	65h
		push	edx
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_A544C4+2
		dec	ecx
		outsb
		push	ebx
		jz	short near ptr loc_A544C4+3
		arpl	[ebx+51h], bp
		jnz	short ??_C@_0CI@GAEBGJPP@ExReleaseResourceAndLeavePriori@GHGBBCHJ@
		jnz	short near ptr loc_A544D1+1
		db	64h
		push	ebx
		jo	short loc_A544DA
		outsb
		dec	esp
		outsd
		arpl	[ebx+46h], bp
		jb	short near ptr loc_A544E7+1
		insd
		inc	esp

loc_A5447B:				; CODE XREF: PAGEVRFY:00A54407j
		jo	short near ptr loc_A544DF+1
		dec	esp
		db	65h
		jbe	short near ptr loc_A544E5+1
		insb
; 
		dw 0
; 

??_C@_0BP@FFGINFJB@ExAcquireResourceExclusiveLite@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA8858o
		inc	ebp
		js	short near ptr loc_A544C4+4
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	6F736552h
		jnz	short loc_A54505

loc_A54493:				; CODE XREF: PAGEVRFY:00A54421j
		arpl	[ebp+45h], sp

loc_A54496:				; CODE XREF: PAGEVRFY:loc_A54450j
		js	short loc_A544FB
		insb
		jnz	short near ptr loc_A5450D+1

loc_A5449B:				; CODE XREF: PAGEVRFY:00A54437j
					; PAGEVRFY:loc_A5443Cj
		imul	esi, [esi+65h],	6574694Ch
; 
		dw 0
; 

??_C@_0CL@HDNBIEFP@KeAcquireInStackQueuedSpinLockR@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA883Co
		dec	ebx
		db	65h
		inc	ecx

loc_A544A7:				; CODE XREF: PAGEVRFY:00A54441j
		arpl	[ecx+75h], si

loc_A544AA:				; CODE XREF: PAGEVRFY:00A54443j
		imul	esi, [edx+65h],	74536E49h
		popa

loc_A544B2:				; CODE XREF: PAGEVRFY:loc_A54447j
		arpl	[ebx+51h], bp
		jnz	short near ptr loc_A5451A+2

loc_A544B7:				; CODE XREF: PAGEVRFY:00A54452j
		jnz	short near ptr loc_A5451A+4
		db	64h
		push	ebx
		jo	short loc_A54526
		outsb
		dec	esp
		outsd
		arpl	[ebx+52h], bp
		popa

loc_A544C4:				; CODE XREF: PAGEVRFY:00A5445Fj
					; PAGEVRFY:00A54464j ...
		imul	esi, [ebx+65h],	79536F54h
		outsb
		arpl	[eax+0], bp
; 
		db 0
; 

??_C@_0CI@GAEBGJPP@ExReleaseResourceAndLeavePriori@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A54469j
					; DATA XREF: PAGEVRFD:00AA8970o
		inc	ebp

loc_A544D1:				; CODE XREF: PAGEVRFY:00A5446Bj
		js	short loc_A54525
		db	65h
		insb
		db	65h
		popa
		jnb	short loc_A5453E
		push	edx

loc_A544DA:				; CODE XREF: PAGEVRFY:00A5446Fj
		db	65h
		jnb	short near ptr loc_A54549+3
		jnz	short near ptr loc_A5454F+2

loc_A544DF:				; CODE XREF: PAGEVRFY:loc_A5447Bj
		arpl	[ebp+41h], sp
		outsb
		db	64h
		dec	esp

loc_A544E5:				; CODE XREF: PAGEVRFY:00A5447Ej
		db	65h
		popa

loc_A544E7:				; CODE XREF: PAGEVRFY:00A54477j
		jbe	short loc_A5454E
		push	eax
		jb	short near ptr loc_A5454F+6
		outsd
		jb	short near ptr loc_A54557+1
		jz	short loc_A5456A
		push	edx

loc_A544F2:				; DATA XREF: PAGEVRFD:00AA8954o
		imul	ebp, gs:[bx+6Eh], 52784500h

loc_A544FB:				; CODE XREF: PAGEVRFY:loc_A54496j
		db	65h
		insb
		db	65h
		popa
		jnb	short loc_A54566
		push	edx
		db	65h
		jnb	short ??_C@_0CO@EFACMEGF@ExEnterPriorityRegionAndAcquire@GHGBBCHJ@

loc_A54505:				; CODE XREF: PAGEVRFY:00A54491j
		jnz	short near ptr loc_A54578+1
		arpl	[ebp+41h], sp
		outsb
		db	64h
		dec	esp

loc_A5450D:				; CODE XREF: PAGEVRFY:00A54499j
		db	65h
		popa
		jbe	short near ptr loc_A54575+1
		inc	ebx
		jb	short near ptr loc_A5457C+1
		jz	short loc_A5457F
		arpl	[ecx+6Ch], sp
		push	edx

loc_A5451A:				; CODE XREF: PAGEVRFY:00A544B5j
					; PAGEVRFY:loc_A544B7j
					; DATA XREF: ...
		imul	ebp, gs:[bx+6Eh], 436F4900h
		outsd
		outsb

loc_A54525:				; CODE XREF: PAGEVRFY:loc_A544D1j
		outsb

loc_A54526:				; CODE XREF: PAGEVRFY:00A544BBj
		arpl	gs:[ecx+ecx*2+6Eh], si
		jz	short near ptr loc_A54590+2
		jb	short near ptr byte_A545A1
		jnz	short near ptr byte_A545A1
		jz	short $+2

loc_A54533:				; DATA XREF: PAGEVRFD:00AA898Co
		add	[ebp+78h], al
		push	edx
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr word_A545A2
		push	edx

loc_A5453E:				; CODE XREF: PAGEVRFY:00A544D7j
		db	65h
		jnb	short near ptr loc_A545AE+2
		jnz	short near ptr loc_A545B3+2
		arpl	[ebp+46h], sp
		outsd
		jb	short near ptr loc_A5459C+1

loc_A54549:				; CODE XREF: PAGEVRFY:loc_A544DAj
		push	64616572h

loc_A5454E:				; CODE XREF: PAGEVRFY:loc_A544E7j
		dec	esp

loc_A5454F:				; CODE XREF: PAGEVRFY:00A544DDj
					; PAGEVRFY:00A544EAj
					; DATA XREF: ...
		imul	esi, [ebp+0], 41784500h

loc_A54557:				; CODE XREF: PAGEVRFY:00A544EDj
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	72616853h
		db	65h, 64h
		push	ebx
		jz	short near ptr loc_A545C2+5

loc_A54566:				; CODE XREF: PAGEVRFY:00A544FFj
		jb	short near ptr loc_A545D8+6
		db	65h
		inc	ebp

loc_A5456A:				; CODE XREF: PAGEVRFY:00A544EFj
		js	short near ptr loc_A545CD+2
		insb
		jnz	short near ptr loc_A545DF+3
; 
		db 69h
		dd 6576h
; 

??_C@_0CO@EFACMEGF@ExEnterPriorityRegionAndAcquire@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A54502j
					; DATA XREF: PAGEVRFD:00AA88E4o
		inc	ebp

loc_A54575:				; CODE XREF: PAGEVRFY:00A5450Fj
		js	short near ptr loc_A545B6+6
		outsb

loc_A54578:				; CODE XREF: PAGEVRFY:loc_A54505j
		jz	short loc_A545DF
		jb	short loc_A545CC

loc_A5457C:				; CODE XREF: PAGEVRFY:00A54512j
		jb	short near ptr loc_A545E6+1
		outsd

loc_A5457F:				; CODE XREF: PAGEVRFY:00A54514j
		jb	short near ptr word_A545EA
		jz	short ??_C@_0CD@HBHLHMC@CcWaitForCurrentLazyWriterActiv@GHGBBCHJ@
		push	edx
		imul	ebp, gs:[bx+6Eh], 41646E41h
		arpl	[ecx+75h], si

loc_A54590:				; CODE XREF: PAGEVRFY:00A5452Bj
		imul	esi, [edx+65h],	6F736552h
		jnz	short loc_A5460B
		arpl	[ebp+53h], sp

loc_A5459C:				; CODE XREF: PAGEVRFY:00A54547j
		push	64657261h
; 
byte_A545A1	db 0			; CODE XREF: PAGEVRFY:00A5452Dj
					; PAGEVRFY:00A5452Fj
word_A545A2	dw 0			; CODE XREF: PAGEVRFY:00A5453Bj
; 

??_C@_0BG@NNKFLMKJ@ExReleaseResourceLite@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA8938o
		inc	ebp
		js	short near ptr loc_A545F8+1
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_A54611+1
		push	edx

loc_A545AE:				; CODE XREF: PAGEVRFY:loc_A5453Ej
		db	65h
		jnb	short near ptr loc_A5461B+5
		jnz	short near ptr loc_A54624+1

loc_A545B3:				; CODE XREF: PAGEVRFY:00A54541j
		arpl	[ebp+4Ch], sp

loc_A545B6:				; CODE XREF: PAGEVRFY:loc_A54575j
					; DATA XREF: PAGEVRFD:00AA891Co
		imul	esi, [ebp+0], 78450000h
		inc	ecx
		arpl	[ecx+75h], si

loc_A545C2:				; CODE XREF: PAGEVRFY:00A54564j
		imul	esi, [edx+65h],	72616853h
		db	65h, 64h
		push	edi

loc_A545CC:				; CODE XREF: PAGEVRFY:00A5457Aj
		popa

loc_A545CD:				; CODE XREF: PAGEVRFY:loc_A5456Aj
		imul	esi, [esi+eax*2+6Fh], 63784572h
		insb
		jnz	short loc_A5464B

loc_A545D8:				; CODE XREF: PAGEVRFY:loc_A54566j
					; DATA XREF: PAGEVRFD:00AA8C88o
		imul	esi, [esi+65h],	44634300h

loc_A545DF:				; CODE XREF: PAGEVRFY:loc_A54578j
					; PAGEVRFY:00A5456Dj
		db	65h, 66h, 65h
		jb	short loc_A5463B
		jb	short near ptr loc_A5464B+4

loc_A545E6:				; CODE XREF: PAGEVRFY:loc_A5457Cj
		jz	short near ptr loc_A5464B+2
; 
		db 2 dup(0)
word_A545EA	dw 0			; CODE XREF: PAGEVRFY:loc_A5457Fj
; 

??_C@_0O@BEMPINMO@CcCopyWriteEx@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA8C70o
		inc	ebx
		arpl	[ebx+6Fh], ax
		jo	short near ptr byte_A5466B
		push	edi
		jb	short near ptr word_A5465E
		jz	short loc_A5465C
		inc	ebp

loc_A545F8:				; CODE XREF: PAGEVRFY:00A545A5j
		js	short $+2
; 
		dw 0
; 

??_C@_0CD@HBHLHMC@CcWaitForCurrentLazyWriterActiv@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A54581j
					; DATA XREF: PAGEVRFD:00AA8CB8o
		inc	ebx
		arpl	[edi+61h], dx
		imul	esi, [esi+eax*2+6Fh], 72754372h
		jb	short loc_A5466F
		outsb

loc_A5460B:				; CODE XREF: PAGEVRFY:00A54597j
		jz	short near ptr loc_A54658+1
		popa
		jp	short near ptr loc_A54687+2
		push	edi

loc_A54611:				; CODE XREF: PAGEVRFY:00A545ABj
		jb	short loc_A5467C
		jz	short loc_A5467A
		jb	short loc_A54658
		arpl	[ecx+ebp*2+76h], si

loc_A5461B:				; CODE XREF: PAGEVRFY:loc_A545AEj
					; DATA XREF: PAGEVRFD:00AA8CA0o
		imul	esi, [ecx+edi*2+0], 46634300h
		popa

loc_A54624:				; CODE XREF: PAGEVRFY:00A545B1j
		jnb	short near ptr loc_A54699+1
		inc	ebx
		outsd
		jo	short loc_A546A3
		push	edi
		jb	short near ptr loc_A54695+1
		jz	short loc_A54694

loc_A5462F:				; DATA XREF: PAGEVRFD:00AA89E0o
		add	[ecx+6Fh], cl
		inc	ebx
		outsd
		outsb
		outsb
		arpl	gs:[ecx+ecx*2+6Eh], si

loc_A5463B:				; CODE XREF: PAGEVRFY:loc_A545DFj
		jz	short near ptr loc_A546A0+2
		jb	short near ptr loc_A546AF+2
		jnz	short near ptr loc_A546AF+2
		jz	short near ptr loc_A54687+1
		js	short $+2
; 
		db 3 dup(0)
; 

??_C@_0BG@NOOELEK@IoDisconnectInterrupt@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA89C4o
		dec	ecx
		outsd
		inc	esp

loc_A5464B:				; CODE XREF: PAGEVRFY:00A545D6j
					; PAGEVRFY:loc_A545E6j	...
		imul	esi, [ebx+63h],	656E6E6Fh
		arpl	[ecx+ecx*2+6Eh], si
		jz	short loc_A546BD

loc_A54658:				; CODE XREF: PAGEVRFY:00A54615j
					; PAGEVRFY:loc_A5460Bj
		jb	short near ptr loc_A546CB+1
		jnz	short near ptr loc_A546CB+1

loc_A5465C:				; CODE XREF: PAGEVRFY:00A545F5j
		jz	short $+2
; 
word_A5465E	dw 0			; CODE XREF: PAGEVRFY:00A545F3j
; 

??_C@_0M@LGNDDGBA@CcCopyWrite@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:_VfXdvThunkso
		inc	ebx
		arpl	[ebx+6Fh], ax
		jo	short near ptr loc_A546DD+2
		push	edi
		jb	short near ptr loc_A546CE+4
		jz	short near ptr loc_A546CE+2
; 
byte_A5466B	db 0			; CODE XREF: PAGEVRFY:00A545F0j
; 

??_C@_0BI@HKCPIOKM@IoDisconnectInterruptEx@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA89FCo
		dec	ecx
		outsd
		inc	esp

loc_A5466F:				; CODE XREF: PAGEVRFY:00A54608j
		imul	esi, [ebx+63h],	656E6E6Fh
		arpl	[ecx+ecx*2+6Eh], si

loc_A5467A:				; CODE XREF: PAGEVRFY:00A54613j
		jz	short loc_A546E1

loc_A5467C:				; CODE XREF: PAGEVRFY:loc_A54611j
		jb	short near ptr loc_A546EE+2
		jnz	short near ptr loc_A546EE+2
		jz	short near ptr byte_A546C7
		js	short $+2

??_C@_0CF@PDAFLPOK@ExAcquireRundownProtectionCache@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8D48o
		inc	ebp
		js	short ??_C@_0BN@JJGKAPKO@ExAcquireRundownProtectionEx@GHGBBCHJ@

loc_A54687:				; CODE XREF: PAGEVRFY:00A54641j
					; PAGEVRFY:00A5460Ej
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	646E7552h
		outsd
		ja	short loc_A54702

loc_A54694:				; CODE XREF: PAGEVRFY:00A5462Dj
		push	eax

loc_A54695:				; CODE XREF: PAGEVRFY:00A5462Bj
		jb	short near ptr loc_A54704+2
		jz	short near ptr loc_A546FD+1

loc_A54699:				; CODE XREF: PAGEVRFY:loc_A54624j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		inc	ebx
		popa

loc_A546A0:				; CODE XREF: PAGEVRFY:loc_A5463Bj
		arpl	[eax+65h], bp

loc_A546A3:				; CODE XREF: PAGEVRFY:00A54628j
		inc	ecx
		ja	short loc_A54707
		jb	short loc_A5470D
; 
		dd 0
; 

??_C@_0BL@FOMOGPHK@ExAcquireRundownProtection@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA8D30o
		inc	ebp
		js	short near ptr loc_A546EE+2

loc_A546AF:				; CODE XREF: PAGEVRFY:00A5463Dj
					; PAGEVRFY:00A5463Fj
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	646E7552h
		outsd
		ja	short loc_A5472A
		push	eax

loc_A546BD:				; CODE XREF: PAGEVRFY:00A54656j
		jb	short near ptr loc_A5472B+3
		jz	short near ptr word_A54726
		arpl	[ecx+ebp*2+6Fh], si
		outsb
; 
		db 0
byte_A546C7	db 0			; CODE XREF: PAGEVRFY:00A54680j
; 

??_C@_0BN@JJGKAPKO@ExAcquireRundownProtectionEx@GHGBBCHJ@: ; CODE XREF:	PAGEVRFY:00A54685j
					; DATA XREF: PAGEVRFD:00AA8D78o
		inc	ebp
		js	short loc_A5470C

loc_A546CB:				; CODE XREF: PAGEVRFY:loc_A54658j
					; PAGEVRFY:00A5465Aj
		arpl	[ecx+75h], si

loc_A546CE:				; CODE XREF: PAGEVRFY:00A54669j
					; PAGEVRFY:00A54667j
		imul	esi, [edx+65h],	646E7552h
		outsd
		ja	short near ptr loc_A54743+3
		push	eax
		jb	short loc_A5474A
		jz	short loc_A54742

loc_A546DD:				; CODE XREF: PAGEVRFY:00A54664j
		arpl	[ecx+ebp*2+6Fh], si

loc_A546E1:				; CODE XREF: PAGEVRFY:loc_A5467Aj
		outsb
		inc	ebp
		js	short $+2
; 
		db 3 dup(0)
; 

??_C@_0CH@GOPIPKKL@ExAcquireRundownProtectionCache@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8D60o
		inc	ebp
		js	short near ptr loc_A5472B+1
		arpl	[ecx+75h], si

loc_A546EE:				; CODE XREF: PAGEVRFY:loc_A5467Cj
					; PAGEVRFY:00A5467Ej ...
		imul	esi, [edx+65h],	646E7552h
		outsd
		ja	short near ptr loc_A54765+1
		push	eax
		jb	short near ptr byte_A5476A
		jz	short loc_A54762

loc_A546FD:				; CODE XREF: PAGEVRFY:00A54697j
		arpl	[ecx+ebp*2+6Fh], si
		outsb

loc_A54702:				; CODE XREF: PAGEVRFY:00A54692j
		inc	ebx
		popa

loc_A54704:				; CODE XREF: PAGEVRFY:loc_A54695j
		arpl	[eax+65h], bp

loc_A54707:				; CODE XREF: PAGEVRFY:00A546A4j
		inc	ecx
		ja	short near ptr byte_A5476B
		jb	short loc_A54771

loc_A5470C:				; CODE XREF: PAGEVRFY:00A546C9j
		inc	ebp

loc_A5470D:				; CODE XREF: PAGEVRFY:00A546A6j
		js	short $+2

loc_A5470F:				; DATA XREF: PAGEVRFD:00AA8CE8o
		add	[ebx+6Dh], al
		push	ebp
		outsb
		push	edx
		imul	esi, gs:[bp+di+74h], 61437265h
		insb
		insb
		bound	esp, [ecx+63h]
		imul	eax, [eax], 0
; 
word_A54726	dw 0			; CODE XREF: PAGEVRFY:00A546BFj
; 

??_C@_0BD@GOINJNPC@CmRegisterCallback@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA8CD0o
		inc	ebx
		insd

loc_A5472A:				; CODE XREF: PAGEVRFY:00A546BAj
		push	edx

loc_A5472B:				; CODE XREF: PAGEVRFY:00A546E9j
					; PAGEVRFY:loc_A546BDj
		imul	esi, gs:[bp+di+74h], 61437265h
		insb
		insb
		bound	esp, [ecx+63h]
		imul	eax, [eax], 0

??_C@_0BI@DJCOJKLC@DbgBreakPointWithStatus@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA8D18o
		inc	esp
		bound	esp, [edi+42h]
		jb	short near ptr loc_A547A5+2

loc_A54742:				; CODE XREF: PAGEVRFY:00A546DBj
		popa

loc_A54743:				; CODE XREF: PAGEVRFY:00A546D6j
		imul	edx, [eax+6Fh],	69h
		outsb
		jz	short loc_A547A1

loc_A5474A:				; CODE XREF: PAGEVRFY:00A546D9j
		imul	esi, [eax+ebp*2+53h], 75746174h
		jnb	short $+2

??_C@_0BF@DJIDLOJO@CmRegisterCallbackEx@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA8D00o
		inc	ebx
		insd
		push	edx
		imul	esi, gs:[bp+di+74h], 61437265h
		insb
		insb

loc_A54762:				; CODE XREF: PAGEVRFY:00A546FBj
		bound	esp, [ecx+63h]

loc_A54765:				; CODE XREF: PAGEVRFY:00A546F6j
		imul	eax, [ebp+78h],	0
; 
		db 0
byte_A5476A	db 0			; CODE XREF: PAGEVRFY:00A546F9j
byte_A5476B	db 0			; CODE XREF: PAGEVRFY:00A54708j
; 

??_C@_0BN@MKPKNHFK@ExfInterlockedInsertTailList@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA8E08o
					; PAGEVRFD:00AA8EC8o
		inc	ebp
		js	short loc_A547D5
		dec	ecx
		outsb

loc_A54771:				; CODE XREF: PAGEVRFY:00A5470Aj
		jz	short loc_A547D8
		jb	short near ptr loc_A547DF+2
		outsd
		arpl	[ebx+65h], bp
		db	64h
		dec	ecx
		outsb
		jnb	short near ptr loc_A547DF+4
		jb	short near ptr loc_A547F3+1
		push	esp
		popa
		imul	ebp, [esp+ecx*2+69h], 7473h
; 
		dw 0
; 

??_C@_0BN@NLPIKEMP@ExfInterlockedInsertHeadList@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA8DF0o
					; PAGEVRFD:00AA8EB0o
		inc	ebp
		js	short near ptr loc_A547F3+2
		dec	ecx
		outsb
		jz	short ??_C@_0BP@JFLIDJPC@ExConvertExclusiveToSharedLite@GHGBBCHJ@
		jb	short loc_A54801
		outsd
		arpl	[ebx+65h], bp
		db	64h
		dec	ecx
		outsb
		jnb	short near ptr loc_A54802+1
		jb	short loc_A54814
		dec	eax

loc_A547A1:				; CODE XREF: PAGEVRFY:00A54748j
		db	65h
		popa
		db	64h
		dec	esp

loc_A547A5:				; CODE XREF: PAGEVRFY:00A54740j
		imul	esi, [ebx+74h],	0

??_C@_0BM@FAEJIFNP@ExfInterlockedPushEntryList@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA8E38o
					; PAGEVRFD:00AA8EF8o
		inc	ebp
		js	short near ptr loc_A54814+1
		dec	ecx
		outsb
		jz	short ??_C@_0CA@IDJMNCCA@ExfInterlockedCompareExchange64@GHGBBCHJ@
		jb	short loc_A54821
		outsd
		arpl	[ebx+65h], bp
		db	64h
		push	eax
		jnz	short loc_A54830
		push	72746E45h
		jns	short near ptr loc_A5480F+1
; 
		dd 747369h
; 

??_C@_0BL@JKOHJBFG@ExfInterlockedPopEntryList@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA8E20o
					; PAGEVRFD:00AA8EE0o
		inc	ebp
		js	short near ptr loc_A54830+1
		dec	ecx
		outsb
		jz	short near ptr loc_A54830+4
		jb	short near ptr loc_A5483C+1
		outsd
		arpl	[ebx+65h], bp

loc_A547D5:				; CODE XREF: PAGEVRFY:00A5476Dj
		db	64h
		push	eax
		outsd

loc_A547D8:				; CODE XREF: PAGEVRFY:loc_A54771j
		jo	short loc_A5481F
		outsb
		jz	short near ptr loc_A54848+7
		jns	short loc_A5482B

loc_A547DF:				; CODE XREF: PAGEVRFY:00A54773j
					; PAGEVRFY:00A5477Cj
					; DATA XREF: ...
		imul	esi, [ebx+74h],	78450000h
		inc	ebx
		jb	short near ptr loc_A54848+6
		popa
		jz	short loc_A54851
		inc	ebx
		popa
		insb
		insb
		bound	esp, [ecx+63h]

loc_A547F3:				; CODE XREF: PAGEVRFY:00A5477Ej
					; PAGEVRFY:00A5478Dj
		imul	eax, [eax], 0
; 
		dw 0
; 

??_C@_0BP@JFLIDJPC@ExConvertExclusiveToSharedLite@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A54791j
					; DATA XREF: PAGEVRFD:00AA8D90o
		inc	ebp
		js	short loc_A5483E
		outsd
		outsb
		jbe	short near ptr loc_A5485F+5
		jb	short loc_A54875

loc_A54801:				; CODE XREF: PAGEVRFY:00A54793j
		inc	ebp

loc_A54802:				; CODE XREF: PAGEVRFY:00A5479Cj
		js	short loc_A54867
		insb
		jnz	short loc_A5487A
		imul	esi, [esi+65h],	68536F54h
		popa

loc_A5480F:				; CODE XREF: PAGEVRFY:00A547C2j
		jb	short near ptr loc_A54875+1
		db	64h
		dec	esp
; 
		db 69h
; 

loc_A54814:				; CODE XREF: PAGEVRFY:00A5479Ej
					; PAGEVRFY:00A547ADj
		jz	short near ptr loc_A5487A+1
; 
		dw 0
; 

??_C@_0CA@IDJMNCCA@ExfInterlockedCompareExchange64@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A547B1j
					; DATA XREF: PAGEVRFD:00AA8DD8o
		inc	ebp
		js	short near ptr loc_A54880+1
		dec	ecx
		outsb
		jz	short near ptr loc_A54880+4

loc_A5481F:				; CODE XREF: PAGEVRFY:loc_A547D8j
		jb	short near ptr loc_A5488A+3

loc_A54821:				; CODE XREF: PAGEVRFY:00A547B3j
		outsd
		arpl	[ebx+65h], bp
		db	64h
		inc	ebx
		outsd
		insd
		jo	short near ptr loc_A5488A+2

loc_A5482B:				; CODE XREF: PAGEVRFY:00A547DDj
		jb	short near ptr byte_A54892
		inc	ebp
		js	short near ptr byte_A54893

loc_A54830:				; CODE XREF: PAGEVRFY:00A547BBj
					; PAGEVRFY:00A547C9j ...
		push	65676E61h
		db	36h
		xor	al, 0

??_C@_0DG@EGKHCHCC@ExEnterCriticalRegionAndAcquire@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA8DC0o
		inc	ebp
		js	short loc_A54880
		outsb

loc_A5483C:				; CODE XREF: PAGEVRFY:00A547CFj
		jz	short near ptr loc_A548A2+1

loc_A5483E:				; CODE XREF: PAGEVRFY:00A547F9j
		jb	short near ptr loc_A54880+3
		jb	short loc_A548AB
		jz	short loc_A548AD
		arpl	[ecx+6Ch], sp
		push	edx

loc_A54848:				; CODE XREF: PAGEVRFY:00A547E7j
					; PAGEVRFY:00A547DBj
		imul	ebp, gs:[bx+6Eh], 41646E41h

loc_A54851:				; CODE XREF: PAGEVRFY:00A547EAj
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	72616853h
		db	65h, 64h
		push	edi
		popa

loc_A5485F:				; CODE XREF: PAGEVRFY:00A547FDj
		imul	esi, [esi+eax*2+6Fh], 63784572h

loc_A54867:				; CODE XREF: PAGEVRFY:loc_A54802j
		insb
		jnz	short near ptr loc_A548D8+5

loc_A5486A:				; DATA XREF: PAGEVRFD:00AA8F40o
		imul	esi, [esi+65h],	45000000h
		js	short near ptr loc_A548BB+1
		jnb	short near ptr byte_A548C7

loc_A54875:				; CODE XREF: PAGEVRFY:00A547FFj
					; PAGEVRFY:loc_A5480Fj
		db	65h
		jnb	short near ptr loc_A548E3+4
		jnz	short near ptr loc_A548EB+1

loc_A5487A:				; CODE XREF: PAGEVRFY:00A54805j
					; PAGEVRFY:loc_A54814j
		arpl	[ebp+41h], sp
		arpl	[ecx+75h], si

loc_A54880:				; CODE XREF: PAGEVRFY:00A54839j
					; PAGEVRFY:00A54819j ...
		imul	esi, [edx+65h],	63784564h
		insb
		jnz	short loc_A548FD

loc_A5488A:				; CODE XREF: PAGEVRFY:00A54829j
					; PAGEVRFY:loc_A5481Fj
		imul	esi, [esi+65h],	6574694Ch
; 
		db 0
byte_A54892	db 0			; CODE XREF: PAGEVRFY:loc_A5482Bj
byte_A54893	db 0			; CODE XREF: PAGEVRFY:00A5482Ej
; 

??_C@_0BM@BAHDCHON@ExIsProcessorFeaturePresent@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA8F28o
		inc	ebp
		js	short near ptr loc_A548DF+1
		jnb	short near ptr loc_A548E3+6
		jb	short near ptr loc_A54909+1
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_A5490E+1
		jb	short near ptr loc_A548E3+5

loc_A548A2:				; CODE XREF: PAGEVRFY:loc_A5483Cj
		db	65h
		popa
		jz	short loc_A5491B
		jb	short loc_A5490D
		push	eax
		jb	short near ptr loc_A5490E+2

loc_A548AB:				; CODE XREF: PAGEVRFY:00A54840j
		jnb	short near ptr loc_A54911+1

loc_A548AD:				; CODE XREF: PAGEVRFY:00A54842j
		outsb
		jz	short $+2

??_C@_0BH@HFAAGFHI@ExRaiseAccessViolation@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA8F70o
		inc	ebp
		js	short loc_A54905
		popa
		imul	esi, [ebx+65h],	65636341h

loc_A548BB:				; CODE XREF: PAGEVRFY:00A54871j
		jnb	short loc_A54930
		push	esi
		imul	ebp, [edi+6Ch],	6F697461h
		outsb
; 
		db 0
byte_A548C7	db 0			; CODE XREF: PAGEVRFY:00A54873j
; 

??_C@_0BP@NANGKPJA@ExIsResourceAcquiredSharedLite@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA8F58o
		inc	ebp
		js	short near ptr loc_A54913+1
		jnb	short near ptr loc_A5491D+2
		db	65h
		jnb	short near ptr loc_A5493D+2
		jnz	short ??_C@_0BH@CAMGGGDG@ExGetSharedWaiterCount@GHGBBCHJ@
		arpl	[ebp+41h], sp
		arpl	[ecx+75h], si

loc_A548D8:				; CODE XREF: PAGEVRFY:00A54868j
		imul	esi, [edx+65h],	61685364h

loc_A548DF:				; CODE XREF: PAGEVRFY:00A54895j
		jb	short near ptr loc_A54945+1
		db	64h
		dec	esp

loc_A548E3:				; CODE XREF: PAGEVRFY:loc_A54875j
					; PAGEVRFY:00A548A0j ...
		imul	esi, [ebp+0], 47784500h

loc_A548EB:				; CODE XREF: PAGEVRFY:00A54878j
		db	65h
		jz	short near ptr loc_A54932+1
		js	short near ptr loc_A54951+2
		insb
		jnz	short loc_A54966
		imul	esi, [esi+65h],	74696157h
		db	65h
		jb	short near ptr loc_A5493D+3

loc_A548FD:				; CODE XREF: PAGEVRFY:00A54888j
		outsd
		jnz	short near ptr loc_A5496D+1
		jz	short $+2
; 
		dw 0
; 

??_C@_0BN@NCDFHNMM@ExfInterlockedRemoveHeadList@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA8E50o
					; PAGEVRFD:00AA8F10o
		inc	ebp

loc_A54905:				; CODE XREF: PAGEVRFY:00A548B1j
		js	short loc_A5496D
		dec	ecx
		outsb

loc_A54909:				; CODE XREF: PAGEVRFY:00A54899j
		jz	short near ptr loc_A5496F+1
		jb	short near ptr loc_A54978+1

loc_A5490D:				; CODE XREF: PAGEVRFY:00A548A6j
		outsd

loc_A5490E:				; CODE XREF: PAGEVRFY:00A5489Ej
					; PAGEVRFY:00A548A9j
		arpl	[ebx+65h], bp

loc_A54911:				; CODE XREF: PAGEVRFY:loc_A548ABj
		db	64h
		push	edx

loc_A54913:				; CODE XREF: PAGEVRFY:00A548C9j
		db	65h
		insd
		outsd
		jbe	short near ptr loc_A5497C+1
		dec	eax
		db	65h
		popa

loc_A5491B:				; CODE XREF: PAGEVRFY:00A548A4j
		db	64h
		dec	esp

loc_A5491D:				; CODE XREF: PAGEVRFY:00A548CBj
		imul	esi, [ebx+74h],	0

??_C@_0BN@HOOCFJHF@ExInterlockedAddLargeInteger@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA8E98o
		inc	ebp
		js	short near ptr loc_A5496F+1
		outsb
		jz	short near ptr loc_A5498E+1
		jb	short near ptr loc_A54997+1
		outsd
		arpl	[ebx+65h], bp

loc_A54930:				; CODE XREF: PAGEVRFY:loc_A548BBj
		db	64h
		inc	ecx

loc_A54932:				; CODE XREF: PAGEVRFY:loc_A548EBj
		db	64h, 64h
		dec	esp
		popa
		jb	short near ptr byte_A5499F
		db	65h
		dec	ecx
		outsb
		jz	short near ptr loc_A549A1+1

loc_A5493D:				; CODE XREF: PAGEVRFY:00A548CDj
					; PAGEVRFY:00A548FAj
		db	67h, 65h
		jb	near ptr 4941h
; 
		db 3 dup(0)
; 

??_C@_0BH@CAMGGGDG@ExGetSharedWaiterCount@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A548D0j
					; DATA XREF: PAGEVRFD:00AA8E80o
		inc	ebp

loc_A54945:				; CODE XREF: PAGEVRFY:loc_A548DFj
		js	short loc_A5498E
		db	65h
		jz	short loc_A5499D
		push	64657261h
		push	edi
		popa

loc_A54951:				; CODE XREF: PAGEVRFY:00A548EEj
		imul	esi, [ebp+72h],	6E756F43h
		jz	short $+2

loc_A5495B:				; DATA XREF: PAGEVRFD:00AA9000o
		add	[ebp+78h], al
		push	edx
		db	65h
		insb
		db	65h
		popa
		jnb	short loc_A549CA
		push	edx

loc_A54966:				; CODE XREF: PAGEVRFY:00A548F1j
		jnz	short loc_A549D6
		outs	dx, dword ptr fs:[esi]
		ja	short near ptr word_A549DA
		push	eax

loc_A5496D:				; CODE XREF: PAGEVRFY:loc_A54905j
					; PAGEVRFY:00A548FEj
		jb	short near ptr loc_A549DD+1

loc_A5496F:				; CODE XREF: PAGEVRFY:loc_A54909j
					; PAGEVRFY:00A54925j
		jz	short loc_A549D6
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		inc	ebx
		popa

loc_A54978:				; CODE XREF: PAGEVRFY:00A5490Bj
		arpl	[eax+65h], bp
		inc	ecx

loc_A5497C:				; CODE XREF: PAGEVRFY:00A54916j
		ja	short loc_A549DF
		jb	short near ptr loc_A549E0+5
; 
		dd 0
; 

??_C@_0BL@PAIPFKEL@ExReleaseRundownProtection@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA8FE8o
		inc	ebp
		js	short near ptr byte_A549D9
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_A549F0+2
		push	edx

loc_A5498E:				; CODE XREF: PAGEVRFY:loc_A54945j
					; PAGEVRFY:00A54928j
		jnz	short near ptr loc_A549FC+2
		outs	dx, dword ptr fs:[esi]
		ja	short near ptr loc_A549FC+6
		push	eax
		jb	short loc_A54A06

loc_A54997:				; CODE XREF: PAGEVRFY:00A5492Aj
		jz	short near ptr loc_A549FC+2
		arpl	[ecx+ebp*2+6Fh], si

loc_A5499D:				; CODE XREF: PAGEVRFY:00A54947j
		outsb
; 
		db 0
byte_A5499F	db 0			; CODE XREF: PAGEVRFY:00A54936j
; 

??_C@_0BK@LNIMOKHD@ExSetResourceOwnerPointer@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA9030o
		inc	ebp

loc_A549A1:				; CODE XREF: PAGEVRFY:00A5493Bj
		js	short near ptr loc_A549F0+6
		db	65h
		jz	short near ptr loc_A549F7+1
		db	65h
		jnb	short near ptr loc_A54A13+5
		jnz	short near ptr loc_A54A1C+1
		arpl	[ebp+4Fh], sp
		ja	short near ptr loc_A54A1C+2
		db	65h
		jb	short loc_A54A03
		outsd
		imul	ebp, [esi+74h],	7265h

loc_A549BB:				; DATA XREF: PAGEVRFD:00AA9018o
		add	[ebp+78h], al
		push	edx
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_A54A27+3
		push	edx
		jnz	short near ptr loc_A54A35+1
		outs	dx, dword ptr fs:[esi]

loc_A549CA:				; CODE XREF: PAGEVRFY:00A54963j
		ja	short near ptr loc_A54A39+1
		push	eax
		jb	short near ptr loc_A54A3C+2
		jz	short near ptr loc_A54A35+1
		arpl	[ecx+ebp*2+6Fh], si
		outsb

loc_A549D6:				; CODE XREF: PAGEVRFY:loc_A54966j
					; PAGEVRFY:loc_A5496Fj
		inc	ebp
		js	short $+2
; 
byte_A549D9	db 0			; CODE XREF: PAGEVRFY:00A54985j
word_A549DA	dw 0			; CODE XREF: PAGEVRFY:00A5496Aj
; 

??_C@_0O@KCMNBGBG@ExRaiseStatus@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA8FA0o
		inc	ebp

loc_A549DD:				; CODE XREF: PAGEVRFY:loc_A5496Dj
		js	short loc_A54A31

loc_A549DF:				; CODE XREF: PAGEVRFY:loc_A5497Cj
		popa

loc_A549E0:				; CODE XREF: PAGEVRFY:00A5497Ej
		imul	esi, [ebx+65h],	74617453h
		jnz	short near ptr loc_A54A5B+1
; 
		db 3 dup(0)
; 

??_C@_0BM@OFICDNGI@ExRaiseDatatypeMisalignment@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA8F88o
		inc	ebp
		js	short near ptr loc_A54A3C+5
		popa

loc_A549F0:				; CODE XREF: PAGEVRFY:00A5498Bj
					; PAGEVRFY:loc_A549A1j
		imul	esi, [ebx+65h],	61746144h

loc_A549F7:				; CODE XREF: PAGEVRFY:00A549A3j
		jz	short loc_A54A72
		jo	short near ptr loc_A54A5F+1
		dec	ebp

loc_A549FC:				; CODE XREF: PAGEVRFY:loc_A5498Ej
					; PAGEVRFY:loc_A54997j	...
		imul	esi, [ebx+61h],	6E67696Ch

loc_A54A03:				; CODE XREF: PAGEVRFY:00A549B0j
		insd
		outs	dx, byte ptr gs:[esi]

loc_A54A06:				; CODE XREF: PAGEVRFY:00A54995j
		jz	short $+2

??_C@_0BL@JMIMGKME@ExReinitializeResourceLite@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA8FD0o
		inc	ebp
		js	short near ptr loc_A54A5B+2
		imul	ebp, gs:[esi+69h], 6C616974h

loc_A54A13:				; CODE XREF: PAGEVRFY:00A549A6j
		imul	edi, [edx+65h],	6F736552h
		jnz	short loc_A54A8E

loc_A54A1C:				; CODE XREF: PAGEVRFY:00A549A9j
					; PAGEVRFY:00A549AEj
		arpl	[ebp+4Ch], sp
; 
		db 69h
		dd 6574h
; 

??_C@_0BD@DJAIKLBO@ExRegisterCallback@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA8FB8o
		inc	ebp
		js	short loc_A54A79

loc_A54A27:				; CODE XREF: PAGEVRFY:00A549C3j
		imul	esi, gs:[bp+di+74h], 61437265h
		insb

loc_A54A31:				; CODE XREF: PAGEVRFY:loc_A549DDj
		insb
		bound	esp, [ecx+63h]

loc_A54A35:				; CODE XREF: PAGEVRFY:00A549C6j
					; PAGEVRFY:00A549CFj
		imul	eax, [eax], 0

??_C@_0CM@OCEPCOBP@ExWaitForRundownProtectionRelea@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA90C0o
		inc	ebp

loc_A54A39:				; CODE XREF: PAGEVRFY:loc_A549CAj
		js	short loc_A54A92
		popa

loc_A54A3C:				; CODE XREF: PAGEVRFY:00A549CDj
					; PAGEVRFY:00A549EDj
		imul	esi, [esi+eax*2+6Fh], 6E755272h
		outs	dx, dword ptr fs:[esi]
		ja	short near ptr loc_A54AB5+1
		push	eax
		jb	short loc_A54ABA
		jz	short near ptr word_A54AB2
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		push	edx
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_A54ABA+4
		inc	ebx
		popa

loc_A54A5B:				; CODE XREF: PAGEVRFY:00A549E7j
					; PAGEVRFY:00A54A09j
		arpl	[eax+65h], bp
		inc	ecx

loc_A54A5F:				; CODE XREF: PAGEVRFY:00A549F9j
		ja	short loc_A54AC2
		jb	short near ptr loc_A54AC5+3
; 
		db 0
; 

??_C@_0CC@FNHEKDGE@ExWaitForRundownProtectionRelea@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA90A8o
		inc	ebp
		js	short near ptr loc_A54ABA+4
		popa
		imul	esi, [esi+eax*2+6Fh], 6E755272h
		outs	dx, dword ptr fs:[esi]

loc_A54A72:				; CODE XREF: PAGEVRFY:loc_A549F7j
		ja	short near ptr loc_A54AE0+2
		push	eax
		jb	short near ptr loc_A54AE0+6
		jz	short near ptr loc_A54ADC+2

loc_A54A79:				; CODE XREF: PAGEVRFY:00A54A25j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		push	edx
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_A54AE9+1
; 
		db 3 dup(0)
; 

??_C@_0BD@OHLCPLIJ@FsRtlAreNamesEqual@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA90F0o
		inc	esi
		jnb	short near ptr loc_A54ADC+1
		jz	short loc_A54AF9
		inc	ecx

loc_A54A8E:				; CODE XREF: PAGEVRFY:00A54A1Aj
		jb	short near ptr byte_A54AF5
		dec	esi
		popa

loc_A54A92:				; CODE XREF: PAGEVRFY:loc_A54A39j
		insd
		db	65h
		jnb	short near ptr loc_A54ADA+1
		jno	short near ptr loc_A54B0B+2
		popa
		insb
; 
		dw 0
; 

??_C@_0BG@GNPJBMLA@FsRtlAllocateFileLock@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA90D8o
		inc	esi
		jnb	short loc_A54AF1
		jz	short near ptr loc_A54B0B+2
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		inc	esi
		imul	ebp, [ebp+4Ch],	6B636Fh
; 
word_A54AB2	dw 0			; CODE XREF: PAGEVRFY:00A54A4Bj
; 

??_C@_0BF@IGJGFLBG@ExSetTimerResolution@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9060o
		inc	ebp

loc_A54AB5:				; CODE XREF: PAGEVRFY:00A54A46j
		js	short near ptr loc_A54B08+2
		db	65h
		jz	short near ptr word_A54B0E

loc_A54ABA:				; CODE XREF: PAGEVRFY:00A54A49j
					; PAGEVRFY:00A54A57j ...
		imul	ebp, [ebp+65h],	73655272h
		outsd

loc_A54AC2:				; CODE XREF: PAGEVRFY:loc_A54A5Fj
		insb
		jnz	short near ptr loc_A54B37+2

loc_A54AC5:				; CODE XREF: PAGEVRFY:00A54A61j
		imul	ebp, [edi+6Eh],	0

??_C@_0BM@NFHKCAAK@ExSetResourceOwnerPointerEx@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9048o
		inc	ebp
		js	short near ptr loc_A54B21+1
		db	65h
		jz	short near ptr loc_A54B23+1
		db	65h
		jnb	short near ptr loc_A54B43+1
		jnz	short near ptr loc_A54B46+3
		arpl	[ebp+4Fh], sp

loc_A54ADA:				; CODE XREF: PAGEVRFY:00A54A93j
		ja	short near ptr loc_A54B46+4

loc_A54ADC:				; CODE XREF: PAGEVRFY:00A54A89j
					; PAGEVRFY:00A54A77j
		db	65h
		jb	short loc_A54B2F
		outsd

loc_A54AE0:				; CODE XREF: PAGEVRFY:loc_A54A72j
					; PAGEVRFY:00A54A75j
		imul	ebp, [esi+74h],	78457265h
; 
		db 0
; 

??_C@_0N@GFLEDONA@ExUuidCreate@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9090o
		inc	ebp

loc_A54AE9:				; CODE XREF: PAGEVRFY:00A54A83j
		js	short ??_C@_0BB@DJMPDCBL@FsRtlDissectName@GHGBBCHJ@
		jnz	short near ptr loc_A54B55+1
		db	64h
		inc	ebx
		jb	short near ptr loc_A54B55+1

loc_A54AF1:				; CODE XREF: PAGEVRFY:00A54A9Dj
		popa
		jz	short loc_A54B59
; 
		db 0
byte_A54AF5	db 3 dup(0)		; CODE XREF: PAGEVRFY:loc_A54A8Ej
; 

??_C@_0BF@JEOBAJMJ@ExUnregisterCallback@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9078o
		inc	ebp

loc_A54AF9:				; CODE XREF: PAGEVRFY:00A54A8Bj
		js	short near ptr loc_A54B4F+1
		outsb
		jb	short near ptr loc_A54B5D+6
		imul	esi, [bp+di+74h], 61437265h
		insb
		insb

loc_A54B08:				; CODE XREF: PAGEVRFY:loc_A54AB5j
		bound	esp, [ecx+63h]

loc_A54B0B:				; CODE XREF: PAGEVRFY:00A54A96j
					; PAGEVRFY:00A54A9Fj
		imul	eax, [eax], 0
; 
word_A54B0E	dw 0			; CODE XREF: PAGEVRFY:00A54AB7j
; 

??_C@_0P@POEFGDPO@FsRtlCopyWrite@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9180o
		inc	esi
		jnb	short loc_A54B65
		jz	short loc_A54B81
		inc	ebx
		outsd
		jo	short near ptr loc_A54B90+2
		push	edi
		jb	short near ptr loc_A54B82+3
		jz	short near ptr loc_A54B82+1
; 
		dw 0
; 

??_C@_0BN@BPHMNNJL@FsRtlCheckLockForWriteAccess@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9168o
		inc	esi

loc_A54B21:				; CODE XREF: PAGEVRFY:00A54ACDj
		jnb	short loc_A54B75

loc_A54B23:				; CODE XREF: PAGEVRFY:00A54ACFj
		jz	short near ptr loc_A54B90+1
		inc	ebx
		push	4C6B6365h
		outsd
		arpl	[ebx+46h], bp

loc_A54B2F:				; CODE XREF: PAGEVRFY:loc_A54ADCj
		outsd
		jb	short near ptr loc_A54B82+7
		jb	short loc_A54B9D
		jz	short loc_A54B9B
		inc	ecx

loc_A54B37:				; CODE XREF: PAGEVRFY:00A54AC3j
		arpl	[ebx+65h], sp
		jnb	short loc_A54BAF
; 
		dd 0
; 

??_C@_0BB@DJMPDCBL@FsRtlDissectName@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:loc_A54AE9j
					; DATA XREF: PAGEVRFD:00AA91B0o
		inc	esi
		jnb	short near ptr loc_A54B93+2

loc_A54B43:				; CODE XREF: PAGEVRFY:00A54AD2j
		jz	short loc_A54BB1
		inc	esp

loc_A54B46:				; CODE XREF: PAGEVRFY:00A54AD5j
					; PAGEVRFY:loc_A54ADAj
		imul	esi, [ebx+73h],	4E746365h
		popa
		insd

loc_A54B4F:				; CODE XREF: PAGEVRFY:loc_A54AF9j
		add	gs:[eax], al
; 
		dw 0
; 

??_C@_0BL@BFPOBLIK@FsRtlDeregisterUncProvider@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA9198o
		inc	esi

loc_A54B55:				; CODE XREF: PAGEVRFY:00A54AEBj
					; PAGEVRFY:00A54AEFj
		jnb	short near ptr loc_A54BA7+2
		jz	short loc_A54BC5

loc_A54B59:				; CODE XREF: PAGEVRFY:00A54AF2j
		inc	esp
		db	65h
		jb	short loc_A54BC2

loc_A54B5D:				; CODE XREF: PAGEVRFY:00A54AFCj
		imul	esi, [bp+di+74h], 6E557265h

loc_A54B65:				; CODE XREF: PAGEVRFY:00A54B11j
		arpl	[eax+72h], dx
		outsd
		jbe	short loc_A54BD4
		db	64h, 65h
		jb	short $+4

loc_A54B6F:				; DATA XREF: PAGEVRFD:00AA9120o
		add	[esi+73h], al
		push	edx
		jz	short near ptr loc_A54BDA+7

loc_A54B75:				; CODE XREF: PAGEVRFY:loc_A54B21j
		inc	ebx
		popa
		outsb
		arpl	[ebp+6Ch], sp
		insb
		popa
		bound	ebp, [ebp+57h]

loc_A54B81:				; CODE XREF: PAGEVRFY:00A54B13j
		popa

loc_A54B82:				; CODE XREF: PAGEVRFY:00A54B1Cj
					; PAGEVRFY:00A54B1Aj ...
		imul	esi, [esi+eax*2+6Fh], 6C754D72h
		jz	short loc_A54BF5
		jo	short near ptr loc_A54BF9+1
		db	65h
		dec	edi

loc_A54B90:				; CODE XREF: PAGEVRFY:loc_A54B23j
					; PAGEVRFY:00A54B17j
		bound	ebp, [edx+65h]

loc_A54B93:				; CODE XREF: PAGEVRFY:00A54B41j
		arpl	[ebx+esi*2+0], si

loc_A54B97:				; DATA XREF: PAGEVRFD:00AA9108o
		add	[esi+73h], al
		push	edx

loc_A54B9B:				; CODE XREF: PAGEVRFY:00A54B34j
		jz	short loc_A54C09

loc_A54B9D:				; CODE XREF: PAGEVRFY:00A54B32j
		inc	edx
		popa
		insb
		popa
		outsb
		arpl	[ebp+52h], sp
		db	65h
		popa

loc_A54BA7:				; CODE XREF: PAGEVRFY:loc_A54B55j
		db	64h
		jnb	short $+3
; 
		dw 0
; 

??_C@_0BM@FAECEJBJ@FsRtlCheckLockForReadAccess@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9150o
		inc	esi
		jnb	short near ptr loc_A54BFC+5

loc_A54BAF:				; CODE XREF: PAGEVRFY:00A54B3Aj
		jz	short loc_A54C1D

loc_A54BB1:				; CODE XREF: PAGEVRFY:loc_A54B43j
		inc	ebx
		push	4C6B6365h
		outsd
		arpl	[ebx+46h], bp
		outsd
		jb	short loc_A54C10
		db	65h
		popa
		db	64h
		inc	ecx

loc_A54BC2:				; CODE XREF: PAGEVRFY:00A54B5Aj
		arpl	[ebx+65h], sp

loc_A54BC5:				; CODE XREF: PAGEVRFY:00A54B57j
		jnb	short loc_A54C3A
; 
		db 0
; 

??_C@_0CE@ILDFIMGE@FsRtlCancellableWaitForSingleOb@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA9138o
		inc	esi
		jnb	short loc_A54C1D
		jz	short near ptr loc_A54C38+1
		inc	ebx
		popa
		outsb
		arpl	[ebp+6Ch], sp
		insb

loc_A54BD4:				; CODE XREF: PAGEVRFY:00A54B69j
		popa
		bound	ebp, [ebp+57h]
		popa

loc_A54BDA:				; CODE XREF: PAGEVRFY:00A54B73j
		imul	esi, [esi+eax*2+6Fh], 6E695372h
		ins	byte ptr es:[di], dx
		db	65h
		dec	edi
		bound	ebp, [edx+65h]
; 
		db 63h,	74h, 0
; 

??_C@_0BG@ODJOIKFM@FsRtlFastUnlockSingle@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9240o
		inc	esi
		jnb	short near ptr loc_A54C3A+7
		jz	short near ptr loc_A54C5C+1
		inc	esi
		popa
		jnb	short near ptr loc_A54C67+2

loc_A54BF5:				; CODE XREF: PAGEVRFY:00A54B8Aj
		push	ebp
		outsb
		insb
		outsd

loc_A54BF9:				; CODE XREF: PAGEVRFY:00A54B8Cj
		arpl	[ebx+53h], bp

loc_A54BFC:				; CODE XREF: PAGEVRFY:00A54BADj
		imul	ebp, [esi+67h],	656Ch

loc_A54C03:				; DATA XREF: PAGEVRFD:00AA9228o
		add	[esi+73h], al
		push	edx
		jz	short near ptr loc_A54C72+3

loc_A54C09:				; CODE XREF: PAGEVRFY:loc_A54B9Bj
		inc	esi
		popa
		jnb	short loc_A54C81
		push	ebp
		outsb
		insb

loc_A54C10:				; CODE XREF: PAGEVRFY:00A54BBCj
		outsd
		arpl	[ebx+41h], bp
		insb
		insb
		inc	edx
		jns	short near ptr loc_A54C63+1
		db	65h
		jns	short $+3

??_C@_0BB@OPPBJGHJ@FsRtlGetFileSize@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9270o
		inc	esi

loc_A54C1D:				; CODE XREF: PAGEVRFY:loc_A54BAFj
					; PAGEVRFY:00A54BC9j
		jnb	short near ptr loc_A54C70+1
		jz	short loc_A54C8D
		inc	edi
		db	65h
		jz	short loc_A54C6B
		imul	ebp, [ebp+53h],	657A69h
; 
		db 3 dup(0)
; 

??_C@_0BC@PJEDGNFC@FsRtlFreeFileLock@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA9258o
		inc	esi
		jnb	short loc_A54C85
		jz	short near ptr loc_A54C9E+3
		inc	esi
		jb	short loc_A54C9D

loc_A54C38:				; CODE XREF: PAGEVRFY:00A54BCBj
		db	65h
		inc	esi

loc_A54C3A:				; CODE XREF: PAGEVRFY:loc_A54BC5j
					; PAGEVRFY:00A54BEDj
		imul	ebp, [ebp+4Ch],	6B636Fh
; 
		dw 0
; 

??_C@_0BK@FBOMMING@FsRtlFastCheckLockForRead@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA91E0o
		inc	esi
		jnb	short loc_A54C99
		jz	short loc_A54CB5
		inc	esi
		popa
		jnb	short loc_A54CC1
		inc	ebx
		push	4C6B6365h
		outsd
		arpl	[ebx+46h], bp
		outsd
		jb	short loc_A54CAC
		db	65h
		popa

loc_A54C5C:				; CODE XREF: PAGEVRFY:00A54BEFj
		add	fs:[eax], al
; 
		db 0
; 

??_C@_0BO@PPHBFGCH@FsRtlDoesNameContainWildCards@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA91C8o
		inc	esi
		jnb	short loc_A54CB5

loc_A54C63:				; CODE XREF: PAGEVRFY:00A54C17j
		jz	short loc_A54CD1
		inc	esp
		outsd

loc_A54C67:				; CODE XREF: PAGEVRFY:00A54BF3j
		db	65h
		jnb	short loc_A54CB8
		popa

loc_A54C6B:				; CODE XREF: PAGEVRFY:00A54C22j
		insd
		db	65h
		inc	ebx
		outsd
		outsb

loc_A54C70:				; CODE XREF: PAGEVRFY:loc_A54C1Dj
		jz	short near ptr loc_A54CD2+1

loc_A54C72:				; CODE XREF: PAGEVRFY:00A54C07j
		imul	ebp, [esi+57h],	43646C69h
		popa
		jb	short ??_C@_0CB@MGNNBAJE@FsRtlNotifyFilterChangeDirector@GHGBBCHJ@
		jnb	short $+2
; 
		dw 0
; 

??_C@_0BD@MJMCKGGC@FsRtlFastUnlockAll@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA9210o
		inc	esi

loc_A54C81:				; CODE XREF: PAGEVRFY:00A54C0Bj
		jnb	short loc_A54CD5
		jz	short near ptr loc_A54CEC+5

loc_A54C85:				; CODE XREF: PAGEVRFY:00A54C31j
		inc	esi
		popa
		jnb	short near ptr loc_A54CF8+5
		push	ebp
		outsb
		insb
		outsd

loc_A54C8D:				; CODE XREF: PAGEVRFY:00A54C1Fj
		arpl	[ebx+41h], bp
		insb
		insb
; 
		dw 0
; 

??_C@_0BL@CMPEFFHF@FsRtlFastCheckLockForWrite@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA91F8o
		inc	esi
		jnb	short loc_A54CE9
		jz	short loc_A54D05

loc_A54C99:				; CODE XREF: PAGEVRFY:00A54C45j
		inc	esi
		popa
		jnb	short loc_A54D11

loc_A54C9D:				; CODE XREF: PAGEVRFY:00A54C36j
		inc	ebx

loc_A54C9E:				; CODE XREF: PAGEVRFY:00A54C33j
		push	4C6B6365h
		outsd
		arpl	[ebx+46h], bp
		outsd
		jb	short near ptr byte_A54D01
		jb	short near ptr loc_A54D14+1

loc_A54CAC:				; CODE XREF: PAGEVRFY:00A54C58j
		jz	short loc_A54D13
; 
		dw 0
; 

??_C@_0BI@EMCCICON@FsRtlMdlReadCompleteDev@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9300o
		inc	esi
		jnb	short loc_A54D05
		jz	short loc_A54D21

loc_A54CB5:				; CODE XREF: PAGEVRFY:00A54C47j
					; PAGEVRFY:00A54C61j
		dec	ebp
		db	64h
		insb

loc_A54CB8:				; CODE XREF: PAGEVRFY:loc_A54C67j
		push	edx
		db	65h
		popa
		db	64h
		inc	ebx
		outsd
		insd
		jo	short loc_A54D2D

loc_A54CC1:				; CODE XREF: PAGEVRFY:00A54C4Bj
		db	65h
		jz	short near ptr loc_A54D27+2
		inc	esp
		db	65h
		jbe	short $+3

??_C@_0BI@PJFLOEO@FsRtlIsNameInExpression@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA92E8o
		inc	esi
		jnb	short near ptr byte_A54D1D
		jz	short loc_A54D39
		dec	ecx
		jnb	short near ptr word_A54D1E
		popa

loc_A54CD1:				; CODE XREF: PAGEVRFY:loc_A54C63j
		insd

loc_A54CD2:				; CODE XREF: PAGEVRFY:loc_A54C70j
		db	65h
		dec	ecx
		outsb

loc_A54CD5:				; CODE XREF: PAGEVRFY:loc_A54C81j
		inc	ebp
		js	short near ptr loc_A54D46+2
		jb	short near ptr byte_A54D3F
		jnb	short near ptr loc_A54D4D+2
; 
		dd offset unk_6E6F69
; 

??_C@_0CB@MGNNBAJE@FsRtlNotifyFilterChangeDirector@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A54C7Aj
					; DATA XREF: PAGEVRFD:00AA9330o
		inc	esi
		jnb	short loc_A54D35
		jz	short near ptr loc_A54D4D+4
		dec	esi
		outsd
		jz	short near ptr loc_A54D4D+5

loc_A54CE9:				; CODE XREF: PAGEVRFY:00A54C95j
		db	66h
		jns	short loc_A54D32

loc_A54CEC:				; CODE XREF: PAGEVRFY:00A54C83j
		imul	ebp, [esp+esi*2+65h], 61684372h
		outsb
		db	67h, 65h
		inc	esp

loc_A54CF8:				; CODE XREF: PAGEVRFY:00A54C87j
		imul	esi, [edx+65h],	726F7463h
		jns	short $+2
; 
byte_A54D01	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A54CA8j
; 

??_C@_0BJ@MDJCDGLP@FsRtlMdlWriteCompleteDev@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9318o
		inc	esi

loc_A54D05:				; CODE XREF: PAGEVRFY:00A54C97j
					; PAGEVRFY:00A54CB1j
		jnb	short loc_A54D59
		jz	short loc_A54D75
		dec	ebp
		db	64h
		insb
		push	edi
		jb	short near ptr loc_A54D77+1
		jz	short loc_A54D76

loc_A54D11:				; CODE XREF: PAGEVRFY:00A54C9Bj
		inc	ebx
		outsd

loc_A54D13:				; CODE XREF: PAGEVRFY:loc_A54CACj
		insd

loc_A54D14:				; CODE XREF: PAGEVRFY:00A54CAAj
		jo	short loc_A54D82
		db	65h
		jz	short near ptr loc_A54D7D+1
		inc	esp
		db	65h
		jbe	short $+3
; 
byte_A54D1D	db 0			; CODE XREF: PAGEVRFY:00A54CC9j
word_A54D1E	dw 0			; CODE XREF: PAGEVRFY:00A54CCEj
; 

??_C@_0BP@DCJLOKDE@FsRtlIncrementCcFastReadNoWait@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA92A0o
		inc	esi

loc_A54D21:				; CODE XREF: PAGEVRFY:00A54CB3j
		jnb	short loc_A54D75
		jz	short loc_A54D91
		dec	ecx
		outsb

loc_A54D27:				; CODE XREF: PAGEVRFY:loc_A54CC1j
		arpl	[edx+65h], si
		insd
		outs	dx, byte ptr gs:[esi]

loc_A54D2D:				; CODE XREF: PAGEVRFY:00A54CBFj
		jz	short near ptr loc_A54D71+1
		arpl	[esi+61h], ax

loc_A54D32:				; CODE XREF: PAGEVRFY:loc_A54CE9j
		jnb	short near ptr loc_A54DA5+3
		push	edx

loc_A54D35:				; CODE XREF: PAGEVRFY:00A54CE1j
		db	65h
		popa
		db	64h
		dec	esi

loc_A54D39:				; CODE XREF: PAGEVRFY:00A54CCBj
		outsd
		push	edi
		popa
; 
		db 69h,	74h, 0
byte_A54D3F	db 0			; CODE XREF: PAGEVRFY:00A54CD8j
; 

??_C@_0BF@ILHGPMPA@FsRtlGetNextFileLock@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9288o
		inc	esi
		jnb	short loc_A54D95
		jz	short loc_A54DB1
		inc	edi

loc_A54D46:				; CODE XREF: PAGEVRFY:00A54CD6j
		db	65h
		jz	short near ptr loc_A54D96+1
		db	65h
		js	short near ptr loc_A54DB9+7
		inc	esi

loc_A54D4D:				; CODE XREF: PAGEVRFY:00A54CDAj
					; PAGEVRFY:00A54CE3j ...
		imul	ebp, [ebp+4Ch],	6B636Fh
; 
		db 3 dup(0)
; 

??_C@_0BI@COJDIDMN@FsRtlInitializeFileLock@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA92D0o
		inc	esi

loc_A54D59:				; CODE XREF: PAGEVRFY:loc_A54D05j
		jnb	short loc_A54DAD
		jz	short loc_A54DC9
		dec	ecx
		outsb
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		inc	esi
		imul	ebp, [ebp+4Ch],	6B636Fh

??_C@_0BN@EPDPDDKO@FsRtlIncrementCcFastReadWait@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA92B8o
		inc	esi

loc_A54D71:				; CODE XREF: PAGEVRFY:loc_A54D2Dj
		jnb	short loc_A54DC5
		jz	short loc_A54DE1

loc_A54D75:				; CODE XREF: PAGEVRFY:00A54D07j
					; PAGEVRFY:loc_A54D21j
		dec	ecx

loc_A54D76:				; CODE XREF: PAGEVRFY:00A54D0Fj
		outsb

loc_A54D77:				; CODE XREF: PAGEVRFY:00A54D0Dj
		arpl	[edx+65h], si
		insd
		outs	dx, byte ptr gs:[esi]

loc_A54D7D:				; CODE XREF: PAGEVRFY:00A54D16j
		jz	short near ptr word_A54DC2
		arpl	[esi+61h], ax

loc_A54D82:				; CODE XREF: PAGEVRFY:loc_A54D14j
		jnb	short ??_C@_0BP@OICFPFBH@FsRtlNotifyFullChangeDirectory@GHGBBCHJ@
		push	edx
		db	65h
		popa
		db	64h
		push	edi
		popa
; 
		dw 7469h
		align 10h

??_C@_0BJ@BGFBDDHN@FsRtlRegisterUncProvider@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA93C0o
		inc	esi

loc_A54D91:				; CODE XREF: PAGEVRFY:00A54D23j
		jnb	short near ptr loc_A54DE2+3
		jz	short loc_A54E01

loc_A54D95:				; CODE XREF: PAGEVRFY:00A54D41j
		push	edx

loc_A54D96:				; CODE XREF: PAGEVRFY:loc_A54D46j
		imul	esi, gs:[bp+di+74h], 6E557265h
		arpl	[eax+72h], dx
		outsd
		jbe	short loc_A54E0E

loc_A54DA5:				; CODE XREF: PAGEVRFY:loc_A54D32j
		db	64h, 65h
		jb	short $+4
; 
		db 3 dup(0)
; 

??_C@_0BF@FDOOBKHJ@FsRtlProcessFileLock@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA93A8o
		inc	esi

loc_A54DAD:				; CODE XREF: PAGEVRFY:loc_A54D59j
		jnb	short loc_A54E01
		jz	short loc_A54E1D

loc_A54DB1:				; CODE XREF: PAGEVRFY:00A54D43j
		push	eax
		jb	short near ptr loc_A54E21+2
		arpl	[ebp+73h], sp
		jnb	short loc_A54DFF

loc_A54DB9:				; CODE XREF: PAGEVRFY:00A54D49j
		imul	ebp, [ebp+4Ch],	6B636Fh
; 
		db 0
word_A54DC2	dw 0			; CODE XREF: PAGEVRFY:loc_A54D7Dj
; 

??_C@_0BI@FJCEAIHK@FsRtlRemoveDotsFromPath@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA93F0o
		inc	esi

loc_A54DC5:				; CODE XREF: PAGEVRFY:loc_A54D71j
		jnb	short near ptr loc_A54E17+2
		jz	short near ptr byte_A54E35

loc_A54DC9:				; CODE XREF: PAGEVRFY:00A54D5Bj
		push	edx
		db	65h
		insd
		outsd
		jbe	short near ptr loc_A54E30+4
		inc	esp
		outsd
		jz	short loc_A54E46
		inc	esi
		jb	short loc_A54E45
		insd
		push	eax
		popa
		jz	short near ptr loc_A54E42+1
; 
		db 0
; 

??_C@_0BL@LEPGMMCJ@FsRtlRegisterUncProviderEx@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA93D8o
		inc	esi
		jnb	short near ptr loc_A54E30+1
		jz	short loc_A54E4D

loc_A54DE1:				; CODE XREF: PAGEVRFY:00A54D73j
		push	edx

loc_A54DE2:				; CODE XREF: PAGEVRFY:loc_A54D91j
		imul	esi, gs:[bp+di+74h], 6E557265h
		arpl	[eax+72h], dx
		outsd
		jbe	short loc_A54E5A
		db	64h, 65h
		jb	short near ptr loc_A54E39+1
		js	short $+2
; 
		db 0
; 

??_C@_0BP@OICFPFBH@FsRtlNotifyFullChangeDirectory@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:loc_A54D82j
					; DATA XREF: PAGEVRFD:00AA9360o
		inc	esi
		jnb	short loc_A54E4D
		jz	short loc_A54E69
		dec	esi
		outsd

loc_A54DFF:				; CODE XREF: PAGEVRFY:00A54DB7j
		jz	short loc_A54E6A

loc_A54E01:				; CODE XREF: PAGEVRFY:00A54D93j
					; PAGEVRFY:loc_A54DADj
		db	66h
		jns	short near ptr word_A54E4A
		jnz	short loc_A54E72
		insb
		inc	ebx
		push	65676E61h
		inc	esp

loc_A54E0E:				; CODE XREF: PAGEVRFY:00A54DA3j
		imul	esi, [edx+65h],	726F7463h
		jns	short $+2

loc_A54E17:				; CODE XREF: PAGEVRFY:loc_A54DC5j
					; DATA XREF: PAGEVRFD:00AA9348o
		add	[esi+73h], al
		push	edx
		jz	short near ptr loc_A54E88+1

loc_A54E1D:				; CODE XREF: PAGEVRFY:00A54DAFj
		dec	esi
		outsd
		jz	short loc_A54E8A

loc_A54E21:				; CODE XREF: PAGEVRFY:00A54DB2j
		db	66h
		jns	short loc_A54E6A
		imul	ebp, [esp+esi*2+65h], 70655272h
		outsd
		jb	short loc_A54EA3
		inc	ebx

loc_A54E30:				; CODE XREF: PAGEVRFY:00A54DDDj
					; PAGEVRFY:00A54DCDj
		push	65676E61h
; 
byte_A54E35	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A54DC7j
; 

??_C@_0BB@CBKGKKCK@FsRtlPrivateLock@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9390o
		inc	esi

loc_A54E39:				; CODE XREF: PAGEVRFY:00A54DF1j
		jnb	short near ptr loc_A54E8B+2
		jz	short near ptr loc_A54EA6+3
		push	eax
		jb	short near ptr loc_A54EA6+3
		jbe	short loc_A54EA3

loc_A54E42:				; CODE XREF: PAGEVRFY:00A54DD9j
		jz	short near ptr loc_A54EA6+3
		dec	esp

loc_A54E45:				; CODE XREF: PAGEVRFY:00A54DD4j
		outsd

loc_A54E46:				; CODE XREF: PAGEVRFY:00A54DD1j
		arpl	[ebx+0], bp
; 
		db 0
word_A54E4A	dw 0			; CODE XREF: PAGEVRFY:loc_A54E01j
; 

??_C@_0BM@LMDMPMBC@FsRtlNotifyFullReportChange@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9378o
		inc	esi

loc_A54E4D:				; CODE XREF: PAGEVRFY:00A54DDFj
					; PAGEVRFY:00A54DF9j
		jnb	short loc_A54EA1
		jz	short near ptr loc_A54EBB+2
		dec	esi
		outsd
		jz	short loc_A54EBE
		db	66h
		jns	short near ptr loc_A54E99+5
		jnz	short near ptr loc_A54EC5+1

loc_A54E5A:				; CODE XREF: PAGEVRFY:00A54DEFj
		insb
		push	edx
		db	65h
		jo	short near ptr loc_A54ECD+1
		jb	short loc_A54ED5
		inc	ebx
		push	65676E61h
; 
		db 0
; 

??_C@_0BK@JFGGAIOA@InterlockedPushEntrySList@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA9480o
		dec	ecx

loc_A54E69:				; CODE XREF: PAGEVRFY:00A54DFBj
		outsb

loc_A54E6A:				; CODE XREF: PAGEVRFY:loc_A54DFFj
					; PAGEVRFY:loc_A54E21j
		jz	short loc_A54ED1
		jb	short near ptr loc_A54ED8+2
		outsd
		arpl	[ebx+65h], bp

loc_A54E72:				; CODE XREF: PAGEVRFY:00A54E04j
		db	64h
		push	eax
		jnz	short near ptr loc_A54EE6+3
		push	72746E45h
		jns	short ??_C@_0CA@IFJAMBAM@FsRtlValidateReparsePointBuffer@GHGBBCHJ@
		dec	esp

loc_A54E7E:				; DATA XREF: PAGEVRFD:00AA9468o
		imul	esi, [ebx+74h],	49000000h
		outsb
		jz	short loc_A54EED

loc_A54E88:				; CODE XREF: PAGEVRFY:00A54E1Bj
		jb	short loc_A54EF6

loc_A54E8A:				; CODE XREF: PAGEVRFY:00A54E1Fj
		outsd

loc_A54E8B:				; CODE XREF: PAGEVRFY:loc_A54E39j
		arpl	[ebx+65h], bp
		db	64h
		push	eax
		outsd
		jo	short loc_A54ED8
		outsb
		jz	short near ptr loc_A54F07+1
		jns	short near ptr loc_A54EE6+5
		dec	esp

loc_A54E99:				; CODE XREF: PAGEVRFY:00A54E55j
		imul	esi, [ebx+74h],	0

??_C@_0BF@FPEFEEGA@IoAcquireVpbSpinLock@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA94B0o
		dec	ecx

loc_A54EA1:				; CODE XREF: PAGEVRFY:loc_A54E4Dj
		outsd
		inc	ecx

loc_A54EA3:				; CODE XREF: PAGEVRFY:00A54E2Dj
					; PAGEVRFY:00A54E40j
		arpl	[ecx+75h], si

loc_A54EA6:				; CODE XREF: PAGEVRFY:00A54E3Bj
					; PAGEVRFY:00A54E3Ej ...
		imul	esi, [edx+65h],	53627056h
		jo	short loc_A54F18
		outsb
		dec	esp
		outsd
		arpl	[ebx+0], bp
; 
		db 3 dup(0)
; 

??_C@_0BI@OPFJLAIK@IoAcquireCancelSpinLock@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9498o
		dec	ecx
		outsd
		inc	ecx

loc_A54EBB:				; CODE XREF: PAGEVRFY:00A54E4Fj
		arpl	[ecx+75h], si

loc_A54EBE:				; CODE XREF: PAGEVRFY:00A54E53j
		imul	esi, [edx+65h],	636E6143h

loc_A54EC5:				; CODE XREF: PAGEVRFY:00A54E58j
		db	65h
		insb
		push	ebx
		jo	short near ptr byte_A54F33
		outsb
		dec	esp
		outsd

loc_A54ECD:				; CODE XREF: PAGEVRFY:00A54E5Cj
		arpl	[ebx+0], bp

??_C@_0CA@IFJAMBAM@FsRtlValidateReparsePointBuffer@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A54E7Bj
					; DATA XREF: PAGEVRFD:00AA9420o
		inc	esi

loc_A54ED1:				; CODE XREF: PAGEVRFY:loc_A54E6Aj
		jnb	short loc_A54F25
		jz	short loc_A54F41

loc_A54ED5:				; CODE XREF: PAGEVRFY:00A54E5Fj
		push	esi
		popa
		insb

loc_A54ED8:				; CODE XREF: PAGEVRFY:00A54E91j
					; PAGEVRFY:00A54E6Cj
		imul	esp, [ecx+74h],	70655265h
		popa
		jb	short loc_A54F56
		db	65h
		push	eax
		outsd

loc_A54EE6:				; CODE XREF: PAGEVRFY:00A54E74j
					; PAGEVRFY:00A54E96j
		imul	ebp, [esi+74h],	66667542h

loc_A54EED:				; CODE XREF: PAGEVRFY:00A54E86j
		db	65h
		jb	short $+3

??_C@_0BK@NBBFHCEF@FsRtlUninitializeFileLock@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA9408o
		inc	esi
		jnb	short near ptr loc_A54F44+1
		jz	short near ptr byte_A54F61
		push	ebp

loc_A54EF6:				; CODE XREF: PAGEVRFY:loc_A54E88j
		outsb
		imul	ebp, [esi+69h],	6C616974h
		imul	edi, [edx+65h],	656C6946h
		dec	esp
		outsd

loc_A54F07:				; CODE XREF: PAGEVRFY:00A54E94j
		arpl	[ebx+0], bp
; 
		dw 0
; 

??_C@_0BG@FBGBLDDB@HalGetInterruptVector@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9450o
		dec	eax
		popa
		insb
		inc	edi
		db	65h
		jz	short loc_A54F5C
		outsb
		jz	short loc_A54F7B
		jb	short loc_A54F8A

loc_A54F18:				; CODE XREF: PAGEVRFY:00A54EADj
		jnz	short loc_A54F8A
		jz	short loc_A54F72
		arpl	gs:[edi+ebp*2+72h], si
; 
		db 3 dup(0)
; 

??_C@_0O@PABGEFI@HalExamineMBR@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9438o
		dec	eax

loc_A54F25:				; CODE XREF: PAGEVRFY:loc_A54ED1j
		popa
		insb
		inc	ebp
		js	short loc_A54F8B
		insd
		imul	ebp, [esi+65h],	52424Dh
; 
		db 0
byte_A54F33	db 0			; CODE XREF: PAGEVRFY:00A54EC8j
; 

??_C@_0BD@LOODBDGI@IoCheckShareAccess@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA9540o
		dec	ecx
		outsd
		inc	ebx
		push	536B6365h
		push	41657261h

loc_A54F41:				; CODE XREF: PAGEVRFY:00A54ED3j
		arpl	[ebx+65h], sp

loc_A54F44:				; CODE XREF: PAGEVRFY:00A54EF1j
		jnb	short loc_A54FB9
; 
		dw 0
; 

??_C@_0M@DBMLMNGA@IoCancelIrp@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA9528o
		dec	ecx
		outsd
		inc	ebx
		popa
		outsb
		arpl	[ebp+6Ch], sp
		dec	ecx
		jb	short loc_A54FC3

loc_A54F53:				; DATA XREF: PAGEVRFD:00AA9570o
		add	[ecx+6Fh], cl

loc_A54F56:				; CODE XREF: PAGEVRFY:00A54EE1j
		inc	ebx
		jb	short near ptr word_A54FBE
		popa
		jz	short loc_A54FC1

loc_A54F5C:				; CODE XREF: PAGEVRFY:00A54F10j
		inc	esi
; 
		db 69h,	6Ch, 65h
		db 0
byte_A54F61	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A54EF3j
; 

??_C@_0BD@HEEKECOA@IoCreateController@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA9558o
		dec	ecx
		outsd
		inc	ebx
		jb	short near ptr loc_A54FCC+2
		popa
		jz	short loc_A54FD1
		inc	ebx
		outsd
		outsb
		jz	short near ptr loc_A54FE2+1
		outsd

loc_A54F72:				; CODE XREF: PAGEVRFY:00A54F1Aj
		insb
		insb
		db	65h
		jb	short $+3
; 
		db 0
; 

??_C@_0P@JFFPJJNO@IoAttachDevice@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA94E0o
		dec	ecx
		outsd
		inc	ecx

loc_A54F7B:				; CODE XREF: PAGEVRFY:00A54F14j
		jz	short near ptr loc_A54FF0+1
		popa
		arpl	[eax+44h], bp
		db	65h
		jbe	short near ptr loc_A54FEB+2
		arpl	[ebp+0], sp

loc_A54F87:				; DATA XREF: PAGEVRFD:00AA94C8o
		add	[ecx+6Fh], cl

loc_A54F8A:				; CODE XREF: PAGEVRFY:00A54F16j
					; PAGEVRFY:loc_A54F18j
		inc	ecx

loc_A54F8B:				; CODE XREF: PAGEVRFY:00A54F28j
		insb
		insb
		outsd
		arpl	[ecx+74h], sp
		db	65h
		inc	ebx
		outsd
		outsb
		jz	short near ptr loc_A55007+2
		outsd
		insb
		insb
		db	65h
		jb	short $+3
; 
		db 3 dup(0)
; 

??_C@_0CA@LKEHFBCD@IoAttachDeviceToDeviceStackSafe@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA9510o
		dec	ecx
		outsd
		inc	ecx
		jz	short near ptr byte_A55019
		popa
		arpl	[eax+44h], bp
		db	65h
		jbe	short near ptr loc_A55014+1
		arpl	[ebp+54h], sp
		outsd
		inc	esp
		db	65h
		jbe	short loc_A5501D
		arpl	[ebp+53h], sp
		jz	short near ptr word_A5501A

loc_A54FB9:				; CODE XREF: PAGEVRFY:loc_A54F44j
		arpl	[ebx+53h], bp
		popa
; 
		db 66h
word_A54FBE	dw 65h			; CODE XREF: PAGEVRFY:00A54F57j
; 

??_C@_0BM@COEBFMBD@IoAttachDeviceToDeviceStack@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA94F8o
		dec	ecx

loc_A54FC1:				; CODE XREF: PAGEVRFY:00A54F5Aj
		outsd
		inc	ecx

loc_A54FC3:				; CODE XREF: PAGEVRFY:00A54F51j
		jz	short loc_A55039
		popa
		arpl	[eax+44h], bp
		db	65h
		jbe	short loc_A55035

loc_A54FCC:				; CODE XREF: PAGEVRFY:00A54F67j
		arpl	[ebp+54h], sp
		outsd
		inc	esp

loc_A54FD1:				; CODE XREF: PAGEVRFY:00A54F6Aj
		db	65h
		jbe	short near ptr loc_A5503C+1
		arpl	[ebp+53h], sp
		jz	short loc_A5503A
		arpl	[ebx+0], bp

??_C@_0CA@GCGLGGID@IoCreateUnprotectedSymbolicLink@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA9600o
		dec	ecx
		outsd
		inc	ebx
		jb	short loc_A55046
		popa

loc_A54FE2:				; CODE XREF: PAGEVRFY:00A54F6Fj
		jz	short loc_A55049
		push	ebp
		outsb
		jo	short loc_A5505A
		outsd
		jz	short near ptr loc_A55049+7

loc_A54FEB:				; CODE XREF: PAGEVRFY:00A54F81j
		arpl	[ebp+64h], si
		push	ebx

loc_A54FF0:				; CODE XREF: PAGEVRFY:loc_A54F7Bj
		jns	short near ptr loc_A5505D+2
		bound	ebp, [edi+6Ch]
		imul	esp, [ebx+4Ch],	6B6E69h

??_C@_0BN@EBFKCIKM@IoCreateSynchronizationEvent@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA95E8o
		dec	ecx
		outsd
		inc	ebx
		jb	short loc_A55066
		popa
		jz	short loc_A55069
		push	ebx
		jns	short loc_A55075

loc_A55007:				; CODE XREF: PAGEVRFY:00A54F95j
		arpl	[eax+72h], bp
		outsd
		outsb
		imul	edi, [edx+61h],	6E6F6974h
		inc	ebp

loc_A55014:				; CODE XREF: PAGEVRFY:00A54FA9j
		jbe	short near ptr loc_A5507A+1
		outsb
		jz	short $+2
; 
byte_A55019	db 0			; CODE XREF: PAGEVRFY:00A54FA3j
word_A5501A	dw 0			; CODE XREF: PAGEVRFY:00A54FB7j
; 

??_C@_0P@FBLHDEMD@IoDeleteDevice@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9630o
		dec	ecx

loc_A5501D:				; CODE XREF: PAGEVRFY:00A54FB1j
		outsd
		inc	esp
		db	65h
		insb
		db	65h
		jz	short near ptr byte_A55089
		inc	esp
		db	65h
		jbe	short loc_A55091
		arpl	[ebp+0], sp

loc_A5502B:				; DATA XREF: PAGEVRFD:00AA9618o
		add	[ecx+6Fh], cl
		inc	esp
		db	65h
		insb
		db	65h
		jz	short near ptr loc_A55098+1
		inc	ebx

loc_A55035:				; CODE XREF: PAGEVRFY:00A54FC9j
		outsd
		outsb
		jz	short loc_A550AB

loc_A55039:				; CODE XREF: PAGEVRFY:loc_A54FC3j
		outsd

loc_A5503A:				; CODE XREF: PAGEVRFY:00A54FD7j
		insb
		insb

loc_A5503C:				; CODE XREF: PAGEVRFY:loc_A54FD1j
		db	65h
		jb	short $+3

loc_A5503F:				; DATA XREF: PAGEVRFD:00AA95A0o
		add	[ecx+6Fh], cl
		inc	ebx
		jb	short loc_A550AA
		popa

loc_A55046:				; CODE XREF: PAGEVRFY:00A54FDFj
		jz	short near ptr loc_A550AB+2
		inc	esi

loc_A55049:				; CODE XREF: PAGEVRFY:loc_A54FE2j
					; PAGEVRFY:00A54FE9j
		imul	ebp, [ebp+53h],	69636570h
		db	66h
		jns	short loc_A55098
		db	65h
		jbe	short ??_C@_0BO@HOJPAIDH@IoGetConfigurationInformation@GHGBBCHJ@
		arpl	[ebp+4Fh], sp

loc_A5505A:				; CODE XREF: PAGEVRFY:00A54FE6j
		bound	ebp, [edx+65h]

loc_A5505D:				; CODE XREF: PAGEVRFY:loc_A54FF0j
		arpl	[eax+ecx*2+69h], si
		outsb
		jz	short $+2

??_C@_0P@GFJFBPJA@IoCreateFileEx@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9588o
		dec	ecx
		outsd

loc_A55066:				; CODE XREF: PAGEVRFY:00A54FFFj
		inc	ebx
		jb	short loc_A550CE

loc_A55069:				; CODE XREF: PAGEVRFY:00A55002j
		popa
		jz	short loc_A550D1
		inc	esi

loc_A5506D:				; DATA XREF: PAGEVRFD:00AA95D0o
		imul	ebp, [ebp+45h],	49000078h

loc_A55075:				; CODE XREF: PAGEVRFY:00A55005j
		outsd
		inc	ebx
		jb	short near ptr word_A550DE
		popa

loc_A5507A:				; CODE XREF: PAGEVRFY:loc_A55014j
		jz	short loc_A550E1
		push	ebx
		jns	short loc_A550EC
		bound	ebp, [edi+6Ch]
		imul	esp, [ebx+4Ch],	6B6E69h
; 
byte_A55089	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A55021j
; 

??_C@_0BK@JANIACBJ@IoCreateNotificationEvent@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA95B8o
		dec	ecx
		outsd
		inc	ebx
		jb	short near ptr word_A550F6

loc_A55091:				; CODE XREF: PAGEVRFY:00A55025j
		popa
		jz	short near ptr byte_A550F9
		dec	esi
		outsd
		jz	short near ptr loc_A550FF+2

loc_A55098:				; CODE XREF: PAGEVRFY:00A55051j
					; PAGEVRFY:00A55031j
		imul	sp, [ebx+61h], 6974h
		outsd
		outsb
		inc	ebp
		jbe	short loc_A55108
		outsb
		jz	short $+2
; 
		dw 0
; 

??_C@_0BF@MGPFHAEO@IoGetDeviceDirectory@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA96C0o
		dec	ecx
		outsd

loc_A550AA:				; CODE XREF: PAGEVRFY:00A55043j
		inc	edi

loc_A550AB:				; CODE XREF: PAGEVRFY:00A55037j
					; PAGEVRFY:loc_A55046j
		db	65h
		jz	short loc_A550F2
		db	65h
		jbe	short loc_A5511A
		arpl	[ebp+44h], sp
		imul	esi, [edx+65h],	726F7463h
		jns	short $+2
; 
		db 3 dup(0)
; 

??_C@_0BO@HOJPAIDH@IoGetConfigurationInformation@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A55054j
					; DATA XREF: PAGEVRFD:00AA96A8o
		dec	ecx
		outsd
		inc	edi
		db	65h
		jz	short near ptr loc_A55108+1
		outsd
		outsb
		imul	sp, [edi+75h], 6172h

loc_A550CE:				; CODE XREF: PAGEVRFY:00A55067j
		jz	short near ptr byte_A55139
		outsd

loc_A550D1:				; CODE XREF: PAGEVRFY:00A5506Aj
		outsb
		dec	ecx
		outsb
		outsw
		jb	short loc_A55145
		popa
		jz	short loc_A55144
		outsd
		outsb
; 
		db 0
word_A550DE	dw 0			; CODE XREF: PAGEVRFY:00A55077j
; 

??_C@_0BK@JMBEKGDL@IoGetDeviceInterfaceAlias@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA96F0o
		dec	ecx

loc_A550E1:				; CODE XREF: PAGEVRFY:loc_A5507Aj
		outsd
		inc	edi
		db	65h
		jz	short near ptr loc_A55129+1
		db	65h
		jbe	short near ptr loc_A55150+2
		arpl	[ebp+49h], sp

loc_A550EC:				; CODE XREF: PAGEVRFY:00A5507Dj
		outsb
		jz	short near ptr loc_A55150+4
		jb	short near ptr loc_A55156+1
		popa

loc_A550F2:				; CODE XREF: PAGEVRFY:loc_A550ABj
		arpl	[ebp+41h], sp
		insb
; 
word_A550F6	dw 6169h		; CODE XREF: PAGEVRFY:00A5508Fj
		db 73h
byte_A550F9	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A55092j
; 

??_C@_0BF@NCDHGPMG@IoGetDriverDirectory@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA96D8o
		dec	ecx
		outsd
		inc	edi

loc_A550FF:				; CODE XREF: PAGEVRFY:00A55096j
		db	65h
		jz	short near ptr loc_A55145+1
		jb	short near ptr byte_A5516D
		jbe	short near ptr loc_A5516A+1
		jb	short near ptr loc_A5514A+2

loc_A55108:				; CODE XREF: PAGEVRFY:00A550A1j
					; PAGEVRFY:00A550C3j
		imul	esi, [edx+65h],	726F7463h
		jns	short $+2
; 
		db 3 dup(0)
; 

??_C@_0P@BPMNILFO@IoDetachDevice@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9660o
		dec	ecx
		outsd
		inc	esp
		db	65h
		jz	short near ptr loc_A55179+2

loc_A5511A:				; CODE XREF: PAGEVRFY:00A550AEj
		arpl	[eax+44h], bp
		db	65h
		jbe	short near ptr loc_A55187+2
		arpl	[ebp+0], sp
; 
		db 0
; 

??_C@_0BF@ONAPDNAF@IoDeleteSymbolicLink@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9648o
		dec	ecx
		outsd
		inc	esp
		db	65h
		insb

loc_A55129:				; CODE XREF: PAGEVRFY:00A550E3j
		db	65h
		jz	short near ptr loc_A55190+1
		push	ebx
		jns	short near ptr loc_A5519B+1
		bound	ebp, [edi+6Ch]
		imul	esp, [ebx+4Ch],	6B6E69h
; 
byte_A55139	db 3 dup(0)		; CODE XREF: PAGEVRFY:loc_A550CEj
; 

??_C@_0BN@NMJJBDEK@IoGetAttachedDeviceReference@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9690o
		dec	ecx
		outsd
		inc	edi
		db	65h
		jz	short near ptr loc_A55181+2
		jz	short near ptr loc_A551B6+2

loc_A55144:				; CODE XREF: PAGEVRFY:00A550D9j
		popa

loc_A55145:				; CODE XREF: PAGEVRFY:00A550D6j
					; PAGEVRFY:loc_A550FFj
		arpl	[eax+65h], bp
		db	64h
		inc	esp

loc_A5514A:				; CODE XREF: PAGEVRFY:00A55106j
		db	65h
		jbe	short loc_A551B6
		arpl	[ebp+52h], sp

loc_A55150:				; CODE XREF: PAGEVRFY:00A550E6j
					; PAGEVRFY:00A550EDj
		db	65h, 66h, 65h
		jb	short near ptr loc_A551B6+4
		outsb

loc_A55156:				; CODE XREF: PAGEVRFY:00A550EFj
		arpl	[ebp+0], sp
; 
		db 3 dup(0)
; 

??_C@_0BB@NCOJPGGO@IoFreeController@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9678o
		dec	ecx
		outsd
		inc	esi
		jb	short near ptr loc_A551C5+1
		db	65h
		inc	ebx
		outsd
		outsb
		jz	short loc_A551D9
		outsd
		insb
		insb

loc_A5516A:				; CODE XREF: PAGEVRFY:00A55104j
		db	65h
		jb	short $+3
; 
byte_A5516D	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A55102j
; 

??_C@_0BE@JCPLLAOP@IoGetDeviceToVerify@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9780o
		dec	ecx
		outsd
		inc	edi
		db	65h
		jz	short near ptr loc_A551B6+4
		db	65h
		jbe	short near ptr loc_A551E1+1

loc_A55179:				; CODE XREF: PAGEVRFY:00A55117j
		arpl	[ebp+54h], sp
		outsd
		push	esi
		db	65h
		jb	short loc_A551EA

loc_A55181:				; CODE XREF: PAGEVRFY:00A5513Fj
		db	66h
		jns	short $+3

??_C@_0BI@HKGDKHHG@IoGetDevicePropertyData@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9768o
		dec	ecx
		outsd
		inc	edi

loc_A55187:				; CODE XREF: PAGEVRFY:00A5511Dj
		db	65h
		jz	short near ptr loc_A551CD+1
		db	65h
		jbe	short loc_A551F6
		arpl	[ebp+50h], sp

loc_A55190:				; CODE XREF: PAGEVRFY:loc_A55129j
		jb	short near ptr loc_A551FF+2
		jo	short near ptr byte_A551F9
		jb	short loc_A5520A
		jns	short loc_A551DC
		popa
		jz	short ??_C@_0BE@MDDFKKC@IoGetDeviceProperty@GHGBBCHJ@

loc_A5519B:				; CODE XREF: PAGEVRFY:00A5512Dj
					; DATA XREF: PAGEVRFD:00AA97B0o
		add	[ecx+6Fh], cl
		inc	edi
		db	65h
		jz	short near ptr loc_A551E7+1
		imul	ebp, [ebp+4Fh],	63656A62h
		jz	short loc_A551F3
		outs	dx, byte ptr gs:[esi]
		db	65h
		jb	short near ptr loc_A55219+1
		arpl	[ebp+61h], cx
		jo	short near ptr loc_A55223+3

loc_A551B6:				; CODE XREF: PAGEVRFY:loc_A5514Aj
					; PAGEVRFY:00A55142j ...
		imul	ebp, [esi+67h],	49000000h
		outsd
		push	ebx
		db	65h
		jz	short near ptr loc_A55205+1
		db	65h
		jbe	short loc_A5522E

loc_A551C5:				; CODE XREF: PAGEVRFY:00A5515Fj
		arpl	[ebp+54h], sp
		outsd
		push	esi
		db	65h
		jb	short loc_A55236

loc_A551CD:				; CODE XREF: PAGEVRFY:loc_A55187j
		db	66h
		jns	short $+3

??_C@_0BE@NDNCGFDF@IoGetDeviceNumaNode@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9720o
		dec	ecx
		outsd
		inc	edi
		db	65h
		jz	short near ptr loc_A55219+1
		db	65h
		jbe	short loc_A55242

loc_A551D9:				; CODE XREF: PAGEVRFY:00A55165j
		arpl	[ebp+4Eh], sp

loc_A551DC:				; CODE XREF: PAGEVRFY:00A55196j
		jnz	short loc_A5524B
		popa
		dec	esi
		outsd

loc_A551E1:				; CODE XREF: PAGEVRFY:00A55176j
					; DATA XREF: PAGEVRFD:00AA9708o
		db	64h
		add	gs:[ecx+6Fh], cl
		inc	edi

loc_A551E7:				; CODE XREF: PAGEVRFY:00A5519Fj
		db	65h
		jz	short loc_A5522E

loc_A551EA:				; CODE XREF: PAGEVRFY:00A5517Ej
		db	65h
		jbe	short loc_A55256
		arpl	[ebp+49h], sp
		outsb
		jz	short near ptr loc_A55257+1

loc_A551F3:				; CODE XREF: PAGEVRFY:00A551AAj
		jb	short near ptr loc_A5525A+1
		popa

loc_A551F6:				; CODE XREF: PAGEVRFY:00A5518Aj
		arpl	[ebp+73h], sp
; 
byte_A551F9	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A55192j
; 

??_C@_0BE@MDDFKKC@IoGetDeviceProperty@GHGBBCHJ@: ; CODE	XREF: PAGEVRFY:00A55199j
					; DATA XREF: PAGEVRFD:00AA9750o
		dec	ecx
		outsd
		inc	edi

loc_A551FF:				; CODE XREF: PAGEVRFY:loc_A55190j
		db	65h
		jz	short loc_A55246
		db	65h
		jbe	short near ptr loc_A5526C+2

loc_A55205:				; CODE XREF: PAGEVRFY:00A551BFj
		arpl	[ebp+50h], sp
		jb	short loc_A55279

loc_A5520A:				; CODE XREF: PAGEVRFY:00A55194j
		jo	short near ptr loc_A5526C+5
		jb	short near ptr loc_A55281+1
		jns	short $+2

??_C@_0BJ@FOGLHIHD@IoGetDeviceObjectPointer@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9738o
		dec	ecx
		outsd
		inc	edi
		db	65h
		jz	short loc_A5525A
		db	65h
		jbe	short near ptr loc_A55281+1

loc_A55219:				; CODE XREF: PAGEVRFY:00A551AEj
					; PAGEVRFY:00A551D3j
		arpl	[ebp+4Fh], sp
		bound	ebp, [edx+65h]
		arpl	[eax+edx*2+6Fh], si

loc_A55223:				; CODE XREF: PAGEVRFY:00A551B4j
		imul	ebp, [esi+74h],	7265h
; 
		dw 0
; 

??_C@_0BI@LGCKGMHL@IoOpenDeviceRegistryKey@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9840o
		dec	ecx
		outsd

loc_A5522E:				; CODE XREF: PAGEVRFY:00A551C2j
					; PAGEVRFY:loc_A551E7j
		dec	edi
		jo	short loc_A55296
		outsb
		inc	esp
		db	65h
		jbe	short loc_A5529F

loc_A55236:				; CODE XREF: PAGEVRFY:00A551CAj
		arpl	[ebp+52h], sp
		imul	esi, gs:[bp+di+74h], 654B7972h

loc_A55242:				; CODE XREF: PAGEVRFY:00A551D6j
		jns	short $+2

??_C@_0CB@OENKMFNC@IoOpenDeviceInterfaceRegistryKe@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA9828o
		dec	ecx
		outsd

loc_A55246:				; CODE XREF: PAGEVRFY:loc_A551FFj
		dec	edi
		jo	short loc_A552AE
		outsb
		inc	esp

loc_A5524B:				; CODE XREF: PAGEVRFY:loc_A551DCj
		db	65h
		jbe	short near ptr loc_A552B3+4
		arpl	[ebp+49h], sp
		outsb
		jz	short near ptr loc_A552B3+6
		jb	short near ptr loc_A552BB+1

loc_A55256:				; CODE XREF: PAGEVRFY:loc_A551EAj
		popa

loc_A55257:				; CODE XREF: PAGEVRFY:00A551F1j
		arpl	[ebp+52h], sp

loc_A5525A:				; CODE XREF: PAGEVRFY:00A55213j
					; PAGEVRFY:loc_A551F3j
		imul	esi, gs:[bp+di+74h], 654B7972h
		jns	short $+2
; 
		db 3 dup(0)
; 

??_C@_0BO@GEKAHKHC@IoRaiseInformationalHardError@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9870o
		dec	ecx
		outsd
		push	edx
		popa

loc_A5526C:				; CODE XREF: PAGEVRFY:00A55202j
					; PAGEVRFY:loc_A5520Aj
		imul	esi, [ebx+65h],	6F666E49h
		jb	short near ptr loc_A552DF+3
		popa
		jz	short near ptr loc_A552DF+2
		outsd

loc_A55279:				; CODE XREF: PAGEVRFY:00A55208j
		outsb
		popa
		insb
		dec	eax
		popa
		jb	short near ptr loc_A552DF+5
		inc	ebp

loc_A55281:				; CODE XREF: PAGEVRFY:00A5520Cj
					; PAGEVRFY:00A55216j
		jb	short loc_A552F5
		outsd
		jb	short $+2
; 
		dw 0
; 

??_C@_0BB@GFHNHMEE@IoRaiseHardError@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9858o
		dec	ecx
		outsd
		push	edx
		popa
		imul	esi, [ebx+65h],	64726148h
		inc	ebp
		jb	short loc_A55308

loc_A55296:				; CODE XREF: PAGEVRFY:00A5522Fj
		outsd
		jb	short $+2
; 
		db 3 dup(0)
; 

??_C@_0BA@IMLAGBDN@IoInitializeIrp@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA97E0o
		dec	ecx
		outsd
		dec	ecx

loc_A5529F:				; CODE XREF: PAGEVRFY:00A55233j
		outsb
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		dec	ecx
		jb	short loc_A5531B

loc_A552AB:				; DATA XREF: PAGEVRFD:00AA97C8o
		add	[ecx+6Fh], cl

loc_A552AE:				; CODE XREF: PAGEVRFY:00A55247j
		inc	edi
		db	65h
		jz	short near ptr loc_A552F7+4
		outsb

loc_A552B3:				; CODE XREF: PAGEVRFY:loc_A5524Bj
					; PAGEVRFY:00A55252j
		imul	esi, [ecx+ebp*2+61h], 6174536Ch

loc_A552BB:				; CODE XREF: PAGEVRFY:00A55254j
		arpl	[ebx+0], bp
; 
		dw 0
; 

??_C@_0BI@GJKCPIFF@IoIsWdmVersionAvailable@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9810o
		dec	ecx
		outsd
		dec	ecx
		jnb	short near ptr dword_A5531C
		db	64h
		insd
		push	esi
		db	65h
		jb	short loc_A5533E
		imul	ebp, [edi+6Eh],	69617641h
		insb
		popa
		bound	ebp, [ebp+0]

??_C@_0BM@JJJEEJD@IoInvalidateDeviceRelations@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA97F8o
		dec	ecx
		outsd
		dec	ecx
		outsb
		jbe	short loc_A5533F
		insb

loc_A552DF:				; CODE XREF: PAGEVRFY:00A55276j
					; PAGEVRFY:00A55273j ...
		imul	esp, [ecx+74h],	76654465h
		imul	esp, [ebx+65h],	616C6552h
		jz	short near ptr loc_A55358+1
		outsd
		outsb
		jnb	short $+2

??_C@_0CJ@KDAFGIAG@IoRegisterLastChanceShutdownNot@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA9900o
		dec	ecx

loc_A552F5:				; CODE XREF: PAGEVRFY:loc_A55281j
		outsd
		push	edx

loc_A552F7:				; CODE XREF: PAGEVRFY:00A552AFj
		imul	esi, gs:[bp+di+74h], 614C7265h
		jnb	short near ptr loc_A55375+1
		inc	ebx
		push	65636E61h

loc_A55308:				; CODE XREF: PAGEVRFY:00A55294j
		push	ebx
		push	6F647475h
		ja	short near ptr loc_A5537A+4
		dec	esi
		outsd
		jz	short near ptr loc_A5537A+3
		imul	sp, [ebx+61h], 6974h
		outsd

loc_A5531B:				; CODE XREF: PAGEVRFY:00A552A9j
		outsb
; 
dword_A5531C	dd 0			; CODE XREF: PAGEVRFY:00A552C3j
; 

??_C@_0CB@BGGBOBIP@IoRegisterDriverReinitializatio@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA98E8o
		dec	ecx
		outsd
		push	edx
		imul	esi, gs:[bp+di+74h], 72447265h
		imul	esi, [esi+65h],	69655272h
		outsb
		imul	esi, [ecx+ebp*2+61h], 617A696Ch
		jz	short near ptr loc_A553A6+1

loc_A5533E:				; CODE XREF: PAGEVRFY:00A552C8j
		outsd

loc_A5533F:				; CODE XREF: PAGEVRFY:00A552DCj
		outsb
; 
		dd 0
; 

??_C@_0BP@LAPIKGHO@IoRegisterShutdownNotification@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9930o
		dec	ecx
		outsd
		push	edx
		imul	esi, gs:[bp+di+74h], 68537265h
		jnz	short loc_A553C6
		outs	dx, dword ptr fs:[esi]
		ja	short near ptr loc_A553C2+2
		dec	esi
		outsd

loc_A55358:				; CODE XREF: PAGEVRFY:00A552EEj
		jz	short near ptr loc_A553C2+1
		imul	sp, [ebx+61h], 6974h
		outsd
		outsb
; 
		dw 0
; 

??_C@_0BP@EHPLKLBF@IoRegisterPlugPlayNotification@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9918o
		dec	ecx
		outsd
		push	edx
		imul	esi, gs:[bp+di+74h], 6C507265h
		jnz	short near ptr loc_A553D3+6
		push	eax
		insb
		popa

loc_A55375:				; CODE XREF: PAGEVRFY:00A55300j
		jns	short loc_A553C5
		outsd
		jz	short loc_A553E3

loc_A5537A:				; CODE XREF: PAGEVRFY:00A55312j
					; PAGEVRFY:00A5530Ej
		imul	sp, [ebx+61h], 6974h
		outsd
		outsb
; 
		dw 0
; 

??_C@_0BH@ELJDPMEO@IoReadPartitionTableEx@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA98A0o
		dec	ecx
		outsd
		push	edx
		db	65h
		popa
		db	64h
		push	eax
		popa
		jb	short loc_A55402
		imul	esi, [ecx+ebp*2+6Fh], 6261546Eh
		insb
		db	65h
		inc	ebp
		js	short $+2
; 
		db 0
; 

??_C@_0BF@PMGGBIGM@IoReadPartitionTable@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9888o
		dec	ecx
		outsd
		push	edx
		db	65h
		popa
		db	64h
		push	eax
		popa
		jb	short loc_A5541A

loc_A553A6:				; CODE XREF: PAGEVRFY:00A5533Cj
		imul	esi, [ecx+ebp*2+6Fh], 6261546Eh
		insb
		add	gs:[eax], al
; 
		dw 0
; 

??_C@_0BK@IHKFBDEL@IoRegisterDeviceInterface@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA98D0o
		dec	ecx
		outsd
		push	edx
		imul	esi, gs:[bp+di+74h], 65447265h
		jbe	short near ptr byte_A5542B

loc_A553C2:				; CODE XREF: PAGEVRFY:loc_A55358j
					; PAGEVRFY:00A55354j
		arpl	[ebp+49h], sp

loc_A553C5:				; CODE XREF: PAGEVRFY:loc_A55375j
		outsb

loc_A553C6:				; CODE XREF: PAGEVRFY:00A55350j
		jz	short loc_A5542D
		jb	short near ptr loc_A5542F+1
		popa
		arpl	[ebp+0], sp
; 
		dw 0
; 

??_C@_0CF@CEMHENBB@IoRegisterBootDriverReinitializ@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA98B8o
		dec	ecx
		outsd
		push	edx

loc_A553D3:				; CODE XREF: PAGEVRFY:00A55370j
		imul	esi, gs:[bp+di+74h], 6F427265h
		outsd
		jz	short near ptr loc_A55420+3
		jb	short loc_A5544A
		jbe	short near ptr loc_A55447+1

loc_A553E3:				; CODE XREF: PAGEVRFY:00A55378j
		jb	short near ptr byte_A55437
		imul	ebp, gs:[esi+69h], 6C616974h
		imul	edi, [edx+61h],	6E6F6974h
; 
		dd 0
; 

??_C@_0BL@ECMBKMFH@IoReportTargetDeviceChange@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA99C0o
		dec	ecx
		outsd
		push	edx
		db	65h
		jo	short loc_A5546D
		jb	short near ptr loc_A55472+2
		push	esp
		popa

loc_A55402:				; CODE XREF: PAGEVRFY:00A5538Cj
		jb	short near ptr loc_A5546A+1
		db	65h
		jz	short near ptr loc_A5544A+1
		db	65h
		jbe	short near ptr loc_A55472+1
		arpl	[ebp+43h], sp
		push	65676E61h
; 
		dw 0
; 

??_C@_0BH@HMKABFKE@IoReportDetectedDevice@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA99A8o
		dec	ecx
		outsd
		push	edx
		db	65h
		jo	short near ptr loc_A55488+1

loc_A5541A:				; CODE XREF: PAGEVRFY:00A553A4j
		jb	short ??_C@_0BH@JBHGNMDM@IoReplacePartitionUnit@GHGBBCHJ@
		inc	esp
		db	65h
		jz	short near ptr loc_A55484+1

loc_A55420:				; CODE XREF: PAGEVRFY:00A553DDj
		arpl	[ebp+64h], si
		inc	esp
		db	65h
		jbe	short loc_A55491
		arpl	[ebp+0], sp
; 
byte_A5542B	db 0			; CODE XREF: PAGEVRFY:00A553C0j
; 

??_C@_0L@CBFMFLAK@IoReuseIrp@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA99F0o
		dec	ecx

loc_A5542D:				; CODE XREF: PAGEVRFY:loc_A553C6j
		outsd
		push	edx

loc_A5542F:				; CODE XREF: PAGEVRFY:00A553C8j
		db	65h
		jnz	short loc_A554A5
		db	65h
		dec	ecx
		jb	short near ptr loc_A554A5+1
; 
		db 0
byte_A55437	db 0			; CODE XREF: PAGEVRFY:loc_A553E3j
; 

??_C@_0CH@FKMJECJI@IoReportTargetDeviceChangeAsync@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA99D8o
		dec	ecx
		outsd
		push	edx
		db	65h
		jo	short loc_A554AD
		jb	short near ptr loc_A554B1+3
		push	esp
		popa
		jb	short loc_A554AB
		db	65h
		jz	short loc_A5548B

loc_A55447:				; CODE XREF: PAGEVRFY:00A553E1j
		db	65h
		jbe	short near ptr loc_A554B1+2

loc_A5544A:				; CODE XREF: PAGEVRFY:00A553DFj
					; PAGEVRFY:00A55404j
		arpl	[ebp+43h], sp
		push	65676E61h
		inc	ecx
		jnb	short near ptr loc_A554CD+1
		outsb
		arpl	[eax+72h], bp
		outsd
		outsb
		outsd
		jnz	short near ptr loc_A554D0+1
; 
		dw 0
; 

??_C@_0BF@FAGDGMEG@IoReleaseVpbSpinLock@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9960o
		dec	ecx
		outsd
		push	edx
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_A554CD+1
		push	esi

loc_A5546A:				; CODE XREF: PAGEVRFY:loc_A55402j
		jo	short near ptr loc_A554CD+1
		push	ebx

loc_A5546D:				; CODE XREF: PAGEVRFY:00A553FBj
		jo	short near ptr loc_A554D7+1
		outsb
		dec	esp
		outsd

loc_A55472:				; CODE XREF: PAGEVRFY:00A55407j
					; PAGEVRFY:00A553FEj
		arpl	[ebx+0], bp
; 
		db 3 dup(0)
; 

??_C@_0BI@FMMJKBIA@IoReleaseCancelSpinLock@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9948o
		dec	ecx
		outsd
		push	edx
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr word_A554E6
		inc	ebx
		popa
		outsb

loc_A55484:				; CODE XREF: PAGEVRFY:00A5541Dj
		arpl	[ebp+6Ch], sp
		push	ebx

loc_A55488:				; CODE XREF: PAGEVRFY:00A55417j
		jo	short near ptr loc_A554EE+5
		outsb

loc_A5548B:				; CODE XREF: PAGEVRFY:00A55444j
		dec	esp
		outsd
		arpl	[ebx+0], bp

??_C@_0BH@JBHGNMDM@IoReplacePartitionUnit@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:loc_A5541Aj
					; DATA XREF: PAGEVRFD:00AA9990o
		dec	ecx

loc_A55491:				; CODE XREF: PAGEVRFY:00A55425j
		outsd
		push	edx
		db	65h
		jo	short near ptr loc_A55500+2
		popa
		arpl	[ebp+50h], sp
		popa
		jb	short loc_A55511
		imul	esi, [ecx+ebp*2+6Fh], 696E556Eh

loc_A554A5:				; CODE XREF: PAGEVRFY:loc_A5542Fj
					; PAGEVRFY:00A55434j
		jz	short $+2

loc_A554A7:				; DATA XREF: PAGEVRFD:00AA9978o
		add	[ecx+6Fh], cl
		push	edx

loc_A554AB:				; CODE XREF: PAGEVRFY:00A55442j
		db	65h
		insd

loc_A554AD:				; CODE XREF: PAGEVRFY:00A5543Bj
		outsd
		jbe	short near ptr loc_A55514+1
		push	ebx

loc_A554B1:				; CODE XREF: PAGEVRFY:loc_A55447j
					; PAGEVRFY:00A5543Ej
		push	41657261h
		arpl	[ebx+65h], sp
		jnb	short loc_A5552E

loc_A554BB:				; DATA XREF: PAGEVRFD:00AA9A80o
		add	[ecx+6Fh], cl
		push	ebx
		db	65h
		jz	short near ptr loc_A55514+1
		jz	short near ptr loc_A55523+2
		jb	short loc_A5553A
		dec	ecx
		outsd
		inc	ecx
		jz	short near ptr loc_A5553E+1
		jb	short near ptr loc_A55535+1

loc_A554CD:				; CODE XREF: PAGEVRFY:00A55453j
					; PAGEVRFY:00A55467j ...
		bound	esi, [ebp+74h]

loc_A554D0:				; CODE XREF: PAGEVRFY:00A5545Cj
		db	65h
		jnb	short $+3

loc_A554D3:				; DATA XREF: PAGEVRFD:00AA9A68o
		add	[ecx+6Fh], cl
		push	ebx

loc_A554D7:				; CODE XREF: PAGEVRFY:loc_A5546Dj
		db	65h
		jz	short near ptr loc_A5552C+1
		push	41657261h
		arpl	[ebx+65h], sp
		jnb	short loc_A55557
; 
		db 2 dup(0)
word_A554E6	dw 0			; CODE XREF: PAGEVRFY:00A5547Fj
; 

??_C@_0CB@IDFPPJGA@IoUnregisterPlugPlayNotificatio@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA9AB0o
		dec	ecx
		outsd
		push	ebp
		outsb
		jb	short near ptr byte_A55553

loc_A554EE:				; CODE XREF: PAGEVRFY:loc_A55488j
		imul	esi, [bp+di+74h], 6C507265h
		jnz	short near ptr loc_A5555D+2
		push	eax
		insb
		popa
		jns	short near ptr loc_A5554A+1
		outsd
		jz	short loc_A55569

loc_A55500:				; CODE XREF: PAGEVRFY:00A55493j
		imul	sp, [ebx+61h], 6974h
		outsd
		outsb
; 
		dd 0
; 

??_C@_0BC@OJJMBMDC@IoStartNextPacket@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA9A98o
		dec	ecx
		outsd
		push	ebx
		jz	short loc_A55572

loc_A55511:				; CODE XREF: PAGEVRFY:00A5549Bj
		jb	short loc_A55587
		dec	esi

loc_A55514:				; CODE XREF: PAGEVRFY:00A554AEj
					; PAGEVRFY:00A554BFj
		db	65h
		js	short near ptr byte_A5558B
		push	eax
		popa
		arpl	[ebx+65h], bp
		jz	short $+2
; 
		dw 0
; 

??_C@_0BI@IPDFHODH@IoSetDevicePropertyData@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9A20o
		dec	ecx
		outsd
		push	ebx

loc_A55523:				; CODE XREF: PAGEVRFY:00A554C2j
		db	65h
		jz	short near ptr loc_A55569+1
		db	65h
		jbe	short near ptr loc_A55591+1
		arpl	[ebp+50h], sp

loc_A5552C:				; CODE XREF: PAGEVRFY:loc_A554D7j
		jb	short near ptr loc_A55597+6

loc_A5552E:				; CODE XREF: PAGEVRFY:00A554B9j
		jo	short loc_A55595
		jb	short loc_A555A6
		jns	short near ptr loc_A55577+1
		popa

loc_A55535:				; CODE XREF: PAGEVRFY:00A554CBj
		jz	short near ptr loc_A55597+1

loc_A55537:				; DATA XREF: PAGEVRFD:00AA9A08o
		add	[ecx+6Fh], cl

loc_A5553A:				; CODE XREF: PAGEVRFY:00A554C4j
		push	ebx
		db	65h
		jz	short loc_A55582

loc_A5553E:				; CODE XREF: PAGEVRFY:00A554C9j
		db	65h
		jbe	short near ptr loc_A555A9+1
		arpl	[ebp+49h], sp
		outsb
		jz	short loc_A555AC
		jb	short loc_A555AF
		popa

loc_A5554A:				; CODE XREF: PAGEVRFY:00A554FBj
		arpl	[ebp+53h], sp
		jz	short near ptr loc_A555AF+1
		jz	short near ptr loc_A555AF+7
; 
		db 2 dup(0)
byte_A55553	db 0			; CODE XREF: PAGEVRFY:00A554ECj
; 

??_C@_0BM@EMDPLNBB@IoSetPartitionInformationEx@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9A50o
		dec	ecx
		outsd
		push	ebx

loc_A55557:				; CODE XREF: PAGEVRFY:00A554E2j
		db	65h
		jz	short near ptr loc_A555A9+1
		popa
		jb	short near ptr loc_A555CF+2

loc_A5555D:				; CODE XREF: PAGEVRFY:00A554F6j
		imul	esi, [ecx+ebp*2+6Fh], 666E496Eh
		outsd
		jb	short loc_A555D5
		popa

loc_A55569:				; CODE XREF: PAGEVRFY:00A554FEj
					; PAGEVRFY:loc_A55523j
		jz	short near ptr loc_A555D3+1
		outsd
		outsb
		inc	ebp
		js	short $+2

??_C@_0BK@BIDNLHFC@IoSetPartitionInformation@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA9A38o
		dec	ecx
		outsd

loc_A55572:				; CODE XREF: PAGEVRFY:00A5550Fj
		push	ebx
		db	65h
		jz	short near ptr loc_A555C2+4
		popa

loc_A55577:				; CODE XREF: PAGEVRFY:00A55532j
		jb	short near ptr loc_A555EB+2
		imul	esi, [ecx+ebp*2+6Fh], 666E496Eh
		outsd

loc_A55582:				; CODE XREF: PAGEVRFY:00A5553Bj
		jb	short loc_A555F1
		popa
		jz	short ??_C@_0CB@HEFMPEAL@IoUnregisterShutdownNotificatio@GHGBBCHJ@

loc_A55587:				; CODE XREF: PAGEVRFY:loc_A55511j
		outsd
		outsb
; 
		db 2 dup(0)
byte_A5558B	db 0			; CODE XREF: PAGEVRFY:loc_A55514j
; 

??_C@_0BI@BOGGCJAE@IoWritePartitionTableEx@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9B40o
		dec	ecx
		outsd
		push	edi
		jb	short near ptr loc_A555F6+4

loc_A55591:				; CODE XREF: PAGEVRFY:00A55526j
		jz	short near ptr loc_A555F6+2
		push	eax
		popa

loc_A55595:				; CODE XREF: PAGEVRFY:loc_A5552Ej
		jb	short near ptr loc_A55608+3

loc_A55597:				; CODE XREF: PAGEVRFY:loc_A55535j
					; PAGEVRFY:loc_A5552Cj
		imul	esi, [ecx+ebp*2+6Fh], 6261546Eh
		insb
		db	65h
		inc	ebp
		js	short $+2

??_C@_0BG@JAOLPM@IoWritePartitionTable@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9B28o
		dec	ecx
		outsd

loc_A555A6:				; CODE XREF: PAGEVRFY:00A55530j
		push	edi
		jb	short near ptr word_A55612

loc_A555A9:				; CODE XREF: PAGEVRFY:loc_A5553Ej
					; PAGEVRFY:loc_A55557j
		jz	short near ptr byte_A55610
		push	eax

loc_A555AC:				; CODE XREF: PAGEVRFY:00A55545j
		popa
		jb	short near ptr loc_A55622+1

loc_A555AF:				; CODE XREF: PAGEVRFY:00A55547j
					; PAGEVRFY:00A5554Dj ...
		imul	esi, [ecx+ebp*2+6Fh], 6261546Eh
		insb
		add	gs:[eax], al
; 
		db 0
; 

??_C@_0BM@JLACCBKP@KeAcquireGuardedMutexUnsafe@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9B70o
		dec	ebx
		db	65h
		inc	ecx
		arpl	[ecx+75h], si

loc_A555C2:				; CODE XREF: PAGEVRFY:00A55573j
		imul	esi, [edx+65h],	72617547h
		db	64h, 65h, 64h
		dec	ebp
		jnz	short near ptr loc_A55641+2

loc_A555CF:				; CODE XREF: PAGEVRFY:00A5555Bj
		db	65h
		js	short loc_A55627
		outsb

loc_A555D3:				; CODE XREF: PAGEVRFY:loc_A55569j
		jnb	short near ptr loc_A55635+1

loc_A555D5:				; CODE XREF: PAGEVRFY:00A55566j
					; DATA XREF: PAGEVRFD:00AA9B58o
		db	66h
		add	gs:[ebx+65h], cl
		inc	ecx
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	72617547h
		db	64h, 65h, 64h
		dec	ebp
		jnz	short near ptr loc_A5565D+2

loc_A555EB:				; CODE XREF: PAGEVRFY:loc_A55577j
		db	65h
		js	short $+3
; 
		dw 0
; 

??_C@_0CB@HEFMPEAL@IoUnregisterShutdownNotificatio@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A55585j
					; DATA XREF: PAGEVRFD:00AA9AE0o
		dec	ecx

loc_A555F1:				; CODE XREF: PAGEVRFY:loc_A55582j
		outsd
		push	ebp
		outsb
		jb	short near ptr loc_A5565A+1

loc_A555F6:				; CODE XREF: PAGEVRFY:loc_A55591j
					; PAGEVRFY:00A5558Fj
		imul	esi, [bp+di+74h], 68537265h
		jnz	short near ptr loc_A55671+3
		outs	dx, dword ptr fs:[esi]
		ja	short near ptr loc_A55671+1
		dec	esi
		outsd
		jz	short loc_A55671

loc_A55608:				; CODE XREF: PAGEVRFY:loc_A55595j
		imul	sp, [ebx+61h], 6974h
		outsd
		outsb
; 
byte_A55610	db 2 dup(0)		; CODE XREF: PAGEVRFY:loc_A555A9j
word_A55612	dw 0			; CODE XREF: PAGEVRFY:00A555A7j
; 

??_C@_0CD@DACLBOJF@IoUnregisterPlugPlayNotificatio@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AA9AC8o
		dec	ecx
		outsd
		push	ebp
		outsb
		jb	short near ptr loc_A5567E+1
		imul	esi, [bp+di+74h], 6C507265h

loc_A55622:				; CODE XREF: PAGEVRFY:00A555ADj
		jnz	short near ptr byte_A5568B
		push	eax
		insb
		popa

loc_A55627:				; CODE XREF: PAGEVRFY:loc_A555CFj
		jns	short near ptr loc_A55671+6
		outsd
		jz	short near ptr loc_A55692+3
		imul	sp, [ebx+61h], 6974h
		outsd
		outsb
		inc	ebp

loc_A55635:				; CODE XREF: PAGEVRFY:loc_A555D3j
		js	short $+2

loc_A55637:				; DATA XREF: PAGEVRFD:00AA9B10o
		add	[ecx+6Fh], cl
		push	edi
		dec	ebp
		dec	ecx
		inc	ecx
		insb
		insb
		outsd

loc_A55641:				; CODE XREF: PAGEVRFY:00A555CDj
		arpl	[ecx+74h], sp
		db	65h
		dec	ecx
		outsb
		jnb	short near ptr loc_A556BA+3
		popa
		outsb
		arpl	[ebp+49h], sp
		db	64h
		jnb	short $+3
; 
		db 3 dup(0)
; 

??_C@_0BE@MCONIMHM@IoUpdateShareAccess@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9AF8o
		dec	ecx
		outsd
		push	ebp
		jo	short near ptr loc_A556BA+3
		popa

loc_A5565A:				; CODE XREF: PAGEVRFY:00A555F4j
		jz	short loc_A556C1
		push	ebx

loc_A5565D:				; CODE XREF: PAGEVRFY:00A555E9j
		push	41657261h
		arpl	[ebx+65h], sp
		jnb	short near ptr loc_A556D9+1

loc_A55667:				; DATA XREF: PAGEVRFD:00AA9C00o
		add	[ebx+65h], cl
		inc	ebx
		popa
		outsb
		arpl	[ebp+6Ch], sp
		push	esp

loc_A55671:				; CODE XREF: PAGEVRFY:00A55606j
					; PAGEVRFY:00A55602j ...
		imul	ebp, [ebp+65h],	72h

??_C@_0BC@GBCDFGHI@KeAreApcsDisabled@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA9BE8o
		dec	ebx
		db	65h
		inc	ecx
		jb	short loc_A556E2
		inc	ecx

loc_A5567E:				; CODE XREF: PAGEVRFY:00A55618j
		jo	short loc_A556E3
		jnb	short loc_A556C6
		imul	esi, [ebx+61h],	64656C62h
; 
		db 2 dup(0)
byte_A5568B	db 0			; CODE XREF: PAGEVRFY:loc_A55622j
; 

??_C@_0BI@PDJOHFMA@KeDeregisterNmiCallback@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9C30o
		dec	ebx
		db	65h
		inc	esp
		db	65h
		jb	short near ptr loc_A556F5+2

loc_A55692:				; CODE XREF: PAGEVRFY:00A5562Aj
		imul	esi, [bp+di+74h], 6D4E7265h
		imul	eax, [ebx+61h],	61626C6Ch
		arpl	[ebx+0], bp

??_C@_0N@MDOIGBOI@KeClearEvent@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9C18o
		dec	ebx
		db	65h
		inc	ebx
		insb
		db	65h
		popa
		jb	short loc_A556F1
		jbe	short loc_A55713
		outsb
		jz	short $+2
; 
		db 3 dup(0)
; 

??_C@_0BI@FPIMMGKI@KeAcquireQueuedSpinLock@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9BA0o
		dec	ebx
		db	65h
		inc	ecx
		arpl	[ecx+75h], si

loc_A556BA:				; CODE XREF: PAGEVRFY:00A55647j
					; PAGEVRFY:00A55657j
		imul	esi, [edx+65h],	75657551h

loc_A556C1:				; CODE XREF: PAGEVRFY:loc_A5565Aj
		db	65h, 64h
		push	ebx
		jo	short loc_A5572F

loc_A556C6:				; CODE XREF: PAGEVRFY:00A55680j
		outsb
		dec	esp
		outsd
		arpl	[ebx+0], bp

??_C@_0BL@FGOPDJL@KeAcquireInterruptSpinLock@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA9B88o
		dec	ebx
		db	65h
		inc	ecx
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	65746E49h

loc_A556D9:				; CODE XREF: PAGEVRFY:00A55665j
		jb	short near ptr loc_A5574C+1
		jnz	short near ptr loc_A5574C+1
		jz	short loc_A55732
		jo	short near ptr loc_A55749+1
		outsb

loc_A556E2:				; CODE XREF: PAGEVRFY:00A5567Bj
		dec	esp

loc_A556E3:				; CODE XREF: PAGEVRFY:loc_A5567Ej
		outsd
		arpl	[ebx+0], bp
; 
		db 0
; 

??_C@_0BF@PPPEFCBH@KeAreAllApcsDisabled@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9BD0o
		dec	ebx
		db	65h
		inc	ecx
		jb	short near ptr loc_A55751+1
		inc	ecx
		insb
		insb
		inc	ecx

loc_A556F1:				; CODE XREF: PAGEVRFY:00A556AAj
		jo	short near ptr word_A55756
		jnb	short near ptr loc_A55737+2

loc_A556F5:				; CODE XREF: PAGEVRFY:00A5568Fj
		imul	esi, [ebx+61h],	64656C62h
; 
		dd 0
; 

??_C@_0BI@NDHKGNHO@KeAcquireSpinLockForDpc@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9BB8o
		dec	ebx
		db	65h
		inc	ecx
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	6E697053h
		dec	esp
		outsd
		arpl	[ebx+46h], bp
		outsd

loc_A55713:				; CODE XREF: PAGEVRFY:00A556ACj
		jb	short loc_A55759
		jo	short loc_A5577A
; 
		db 0
; 

??_C@_0BE@KIBCELM@KeInsertDeviceQueue@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA9CC0o
		dec	ebx
		db	65h
		dec	ecx
		outsb
		jnb	short loc_A55783
		jb	short near ptr loc_A5578F+5
		inc	esp
		db	65h
		jbe	short near ptr loc_A5578C+1
		arpl	[ebp+51h], sp
		jnz	short near ptr loc_A5578C+2
		jnz	short near ptr loc_A5578F+1
; 
		db 0
; 

??_C@_0BJ@IOBCMFCE@KeInsertByKeyDeviceQueue@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9CA8o
		dec	ebx
		db	65h
		dec	ecx

loc_A5572F:				; CODE XREF: PAGEVRFY:00A556C4j
		outsb
		jnb	short near ptr loc_A5578F+8

loc_A55732:				; CODE XREF: PAGEVRFY:00A556DDj
		jb	short near ptr loc_A557A7+1
		inc	edx
		jns	short near ptr loc_A55781+1

loc_A55737:				; CODE XREF: PAGEVRFY:00A556F3j
		db	65h
		jns	short near ptr word_A5577E
		db	65h
		jbe	short near ptr loc_A557A5+1
		arpl	[ebp+51h], sp
		jnz	short loc_A557A7
		jnz	short loc_A557A9
; 
		dd 0
; 

??_C@_0O@NBABANBG@KeInsertQueue@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9CF0o
		dec	ebx

loc_A55749:				; CODE XREF: PAGEVRFY:00A556DFj
		db	65h
		dec	ecx
		outsb

loc_A5574C:				; CODE XREF: PAGEVRFY:loc_A556D9j
					; PAGEVRFY:00A556DBj
		jnb	short near ptr byte_A557B3
		jb	short loc_A557C4
		push	ecx

loc_A55751:				; CODE XREF: PAGEVRFY:00A556EBj
		jnz	short loc_A557B8
		jnz	short near ptr loc_A557B8+2
; 
		db 0
word_A55756	dw 0			; CODE XREF: PAGEVRFY:loc_A556F1j
; 

??_C@_0BC@EPGMCBKM@KeInsertHeadQueue@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA9CD8o
		dec	ebx

loc_A55759:				; CODE XREF: PAGEVRFY:loc_A55713j
		db	65h
		dec	ecx
		outsb
		jnb	short near ptr loc_A557C1+2
		jb	short loc_A557D4
		dec	eax
		db	65h
		popa
		db	64h
		push	ecx
		jnz	short ??_C@_0BG@IDJHMIOP@KeQueryPriorityThread@GHGBBCHJ@
		jnz	short near ptr loc_A557CD+1
; 
		db 3 dup(0)
; 

??_C@_0BC@PMENBEMD@KeFlushQueuedDpcs@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA9C60o
		dec	ebx
		db	65h
		inc	esi
		insb
		jnz	short loc_A557E5
		push	75657551h
		db	65h, 64h
		inc	esp

loc_A5577A:				; CODE XREF: PAGEVRFY:00A55715j
		jo	short near ptr loc_A557DC+3
		jnb	short $+2
; 
word_A5577E	dw 0			; CODE XREF: PAGEVRFY:loc_A55737j
; 

??_C@_0BF@FCJHJNIN@KeEnterGuardedRegion@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9C48o
		dec	ebx

loc_A55781:				; CODE XREF: PAGEVRFY:00A55735j
		db	65h
		inc	ebp

loc_A55783:				; CODE XREF: PAGEVRFY:00A5571Cj
		outsb
		jz	short near ptr loc_A557EA+1
		jb	short loc_A557CF
		jnz	short near ptr loc_A557EA+1
		jb	short loc_A557F0

loc_A5578C:				; CODE XREF: PAGEVRFY:00A55721j
					; PAGEVRFY:00A55727j
		db	65h, 64h
		push	edx

loc_A5578F:				; CODE XREF: PAGEVRFY:00A55729j
					; PAGEVRFY:00A5571Ej ...
		imul	ebp, gs:[bx+6Eh], 0

??_C@_0BJ@CLPMMMKM@KeInitializeGuardedMutex@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9C90o
		dec	ebx
		db	65h
		dec	ecx
		outsb
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		inc	edi

loc_A557A5:				; CODE XREF: PAGEVRFY:00A5573Aj
		jnz	short near ptr loc_A55807+1

loc_A557A7:				; CODE XREF: PAGEVRFY:00A55740j
					; PAGEVRFY:loc_A55732j
		jb	short near ptr loc_A5580C+1

loc_A557A9:				; CODE XREF: PAGEVRFY:00A55742j
		db	65h, 64h
		dec	ebp
		jnz	short near ptr loc_A55821+1
		db	65h
		js	short $+3
; 
		db 2 dup(0)
byte_A557B3	db 0			; CODE XREF: PAGEVRFY:loc_A5574Cj
; 

??_C@_0BI@LKDPMGFK@KeInitializeDeviceQueue@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9C78o
		dec	ebx
		db	65h
		dec	ecx
		outsb

loc_A557B8:				; CODE XREF: PAGEVRFY:loc_A55751j
					; PAGEVRFY:00A55753j
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		inc	esp

loc_A557C1:				; CODE XREF: PAGEVRFY:00A5575Cj
		db	65h
		jbe	short loc_A5582D

loc_A557C4:				; CODE XREF: PAGEVRFY:00A5574Ej
		arpl	[ebp+51h], sp
		jnz	short near ptr loc_A5582D+1
		jnz	short near ptr loc_A5582F+1
; 
		db 0
; 

??_C@_0BG@IDJHMIOP@KeQueryPriorityThread@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A55765j
					; DATA XREF: PAGEVRFD:00AA9D80o
		dec	ebx

loc_A557CD:				; CODE XREF: PAGEVRFY:00A55767j
		db	65h
		push	ecx

loc_A557CF:				; CODE XREF: PAGEVRFY:00A55786j
		jnz	short loc_A55836
		jb	short near ptr loc_A5584B+1
		push	eax

loc_A557D4:				; CODE XREF: PAGEVRFY:00A5575Ej
		jb	short loc_A5583F
		outsd
		jb	short near ptr loc_A55841+1
		jz	short ??_C@_0BP@PMJCKHHK@KeRevertToUserAffinityThreadEx@GHGBBCHJ@
		push	esp

loc_A557DC:				; CODE XREF: PAGEVRFY:loc_A5577Aj
		push	64616572h
; 
		db 3 dup(0)
; 

??_C@_0BK@MIHAMOIA@KeSetSystemAffinityThread@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA9D68o
		dec	ebx

loc_A557E5:				; CODE XREF: PAGEVRFY:00A55770j
		db	65h
		push	ebx
		db	65h
		jz	short loc_A5583D

loc_A557EA:				; CODE XREF: PAGEVRFY:00A55784j
					; PAGEVRFY:00A55788j
		jns	short loc_A5585F
		jz	short near ptr loc_A5584B+8
		insd
		inc	ecx

loc_A557F0:				; CODE XREF: PAGEVRFY:00A5578Aj
		db	66h, 66h
		imul	ebp, [esi+69h],	68547974h
		jb	short near ptr loc_A5585F+1
		popa
		add	fs:[eax], al

loc_A557FF:				; DATA XREF: PAGEVRFD:00AA9DB0o
		add	[ebx+65h], cl
		push	edx
		db	65h
		popa
		db	64h
		push	ebx

loc_A55807:				; CODE XREF: PAGEVRFY:loc_A557A5j
		jz	short near ptr loc_A55863+7
		jz	short near ptr loc_A5586F+1
		inc	ebp

loc_A5580C:				; CODE XREF: PAGEVRFY:loc_A557A7j
		jbe	short near ptr byte_A55873
		outsb
		jz	short $+2
; 
		db 3 dup(0)
; 

??_C@_0BF@BJEBNMBD@KeQueryRuntimeThread@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9D98o
		dec	ebx
		db	65h
		push	ecx
		jnz	short near ptr loc_A5587C+2
		jb	short near ptr loc_A55893+1
		push	edx
		jnz	short near ptr loc_A5588B+1
		jz	short loc_A55889
		insd

loc_A55821:				; CODE XREF: PAGEVRFY:00A557ACj
		db	65h
		push	esp
		push	64616572h
; 
		dd 0
; 

??_C@_0N@BPADELEN@KePulseEvent@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9D20o
		dec	ebx

loc_A5582D:				; CODE XREF: PAGEVRFY:loc_A557C1j
					; PAGEVRFY:00A557C7j
		db	65h
		push	eax

loc_A5582F:				; CODE XREF: PAGEVRFY:00A557C9j
		jnz	short loc_A5589D
		jnb	short loc_A55898
		inc	ebp
		jbe	short near ptr loc_A5589A+1

loc_A55836:				; CODE XREF: PAGEVRFY:loc_A557CFj
		outsb
		jz	short $+2
; 
		db 3 dup(0)
; 

??_C@_0BF@ICHABMPG@KeLeaveGuardedRegion@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9D08o
		dec	ebx

loc_A5583D:				; CODE XREF: PAGEVRFY:00A557E7j
		db	65h
		dec	esp

loc_A5583F:				; CODE XREF: PAGEVRFY:loc_A557D4j
		db	65h
		popa

loc_A55841:				; CODE XREF: PAGEVRFY:00A557D7j
		jbe	short near ptr loc_A558A5+3
		inc	edi
		jnz	short near ptr loc_A558A5+2
		jb	short near ptr loc_A558AB+1
		db	65h, 64h
		push	edx

loc_A5584B:				; CODE XREF: PAGEVRFY:00A557D1j
					; PAGEVRFY:00A557ECj
		imul	ebp, gs:[bx+6Eh], 0

??_C@_0BP@PMJCKHHK@KeRevertToUserAffinityThreadEx@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A557D9j
					; DATA XREF: PAGEVRFD:00AA9D50o
		dec	ebx
		db	65h
		push	edx
		db	65h
		jbe	short near ptr byte_A558BF
		jb	short loc_A558D0
		push	esp
		outsd
		push	ebp

loc_A5585F:				; CODE XREF: PAGEVRFY:loc_A557EAj
					; PAGEVRFY:00A557F9j
		jnb	short near ptr loc_A558C5+1
		jb	short near ptr loc_A558A3+1

loc_A55863:				; CODE XREF: PAGEVRFY:loc_A55807j
		db	66h, 66h
		imul	ebp, [esi+69h],	68547974h
		jb	short loc_A558D3
		popa

loc_A5586F:				; CODE XREF: PAGEVRFY:00A55809j
		db	64h
		inc	ebp
		js	short $+2
; 
byte_A55873	db 0			; CODE XREF: PAGEVRFY:loc_A5580Cj
; 

??_C@_0BI@MHOHIJDA@KeQueryActiveProcessors@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9D38o
		dec	ebx
		db	65h
		push	ecx
		jnz	short near ptr loc_A558DD+1
		jb	short near ptr loc_A558F3+1
		inc	ecx

loc_A5587C:				; CODE XREF: PAGEVRFY:00A55817j
		arpl	[ecx+ebp*2+76h], si
		db	65h
		push	eax
		jb	short loc_A558F3
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_A558F7+1

loc_A55889:				; CODE XREF: PAGEVRFY:00A5581Ej
		jb	short near ptr loc_A558FD+1

loc_A5588B:				; CODE XREF: PAGEVRFY:00A5581Cj
					; DATA XREF: PAGEVRFD:00AA9E40o
		add	[ebx+65h], cl
		push	edx
		db	65h
		insb
		db	65h
		popa

loc_A55893:				; CODE XREF: PAGEVRFY:00A55819j
		jnb	short near ptr loc_A558F9+1
		inc	edi
		jnz	short loc_A558F9

loc_A55898:				; CODE XREF: PAGEVRFY:00A55831j
		jb	short near ptr loc_A558FD+1

loc_A5589A:				; CODE XREF: PAGEVRFY:00A55834j
		db	65h, 64h
		dec	ebp

loc_A5589D:				; CODE XREF: PAGEVRFY:loc_A5582Fj
		jnz	short loc_A55913
		db	65h
		js	short loc_A558F7
		outsb

loc_A558A3:				; CODE XREF: PAGEVRFY:00A55861j
		jnb	short loc_A55906

loc_A558A5:				; CODE XREF: PAGEVRFY:00A55844j
					; PAGEVRFY:loc_A55841j
					; DATA XREF: ...
		db	66h
		add	gs:[ebx+65h], cl
		push	edx

loc_A558AB:				; CODE XREF: PAGEVRFY:00A55846j
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_A55915+1
		inc	edi
		jnz	short loc_A55915
		jb	short loc_A5591A
		db	65h, 64h
		dec	ebp
		jnz	short near ptr loc_A5592C+3
		db	65h
		js	short $+3
; 
		db 0
byte_A558BF	db 0			; CODE XREF: PAGEVRFY:00A55857j
; 

??_C@_0BI@OMBMNHKC@KeReleaseQueuedSpinLock@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9E70o
		dec	ebx
		db	65h
		push	edx
		db	65h
		insb

loc_A558C5:				; CODE XREF: PAGEVRFY:loc_A5585Fj
		db	65h
		popa
		jnb	short near ptr loc_A5592C+2
		push	ecx
		jnz	short near ptr loc_A5592C+5
		jnz	short loc_A55933
		db	64h
		push	ebx

loc_A558D0:				; CODE XREF: PAGEVRFY:00A5585Aj
		jo	short loc_A5593B
		outsb

loc_A558D3:				; CODE XREF: PAGEVRFY:00A5586Cj
		dec	esp
		outsd
		arpl	[ebx+0], bp

??_C@_0BL@KLCPMGKK@KeReleaseInterruptSpinLock@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA9E58o
		dec	ebx
		db	65h
		push	edx
		db	65h
		insb

loc_A558DD:				; CODE XREF: PAGEVRFY:00A55877j
		db	65h
		popa
		jnb	short near ptr loc_A55944+2
		dec	ecx
		outsb
		jz	short near ptr loc_A55944+6
		jb	short near ptr byte_A55959
		jnz	short near ptr byte_A55959
		jz	short near ptr loc_A5593D+1
		jo	short near ptr loc_A55955+1
		outsb
		dec	esp
		outsd
		arpl	[ebx+0], bp

loc_A558F3:				; CODE XREF: PAGEVRFY:00A55882j
					; PAGEVRFY:00A55879j
					; DATA XREF: ...
		add	[ebx+65h], cl
		push	edx

loc_A558F7:				; CODE XREF: PAGEVRFY:00A5589Fj
					; PAGEVRFY:00A55887j
		db	65h
		popa

loc_A558F9:				; CODE XREF: PAGEVRFY:00A55896j
					; PAGEVRFY:loc_A55893j
		db	64h
		push	ebx
		jz	short near ptr loc_A5595D+1

loc_A558FD:				; CODE XREF: PAGEVRFY:loc_A55889j
					; PAGEVRFY:loc_A55898j
		jz	short loc_A55964
		push	ebx
		db	65h
		insd
		popa
		jo	short loc_A5596D
		outsd

loc_A55906:				; CODE XREF: PAGEVRFY:loc_A558A3j
		jb	short loc_A5596D
; 
		dd 0
; 

??_C@_0BB@CALFIDIN@KeReadStateMutex@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9DC8o
		dec	ebx
		db	65h
		push	edx
		db	65h
		popa
		db	64h
		push	ebx

loc_A55913:				; CODE XREF: PAGEVRFY:loc_A5589Dj
		jz	short near ptr word_A55976

loc_A55915:				; CODE XREF: PAGEVRFY:00A558B2j
					; PAGEVRFY:00A558AFj
		jz	short loc_A5597C
		dec	ebp
		jnz	short near ptr loc_A55988+6

loc_A5591A:				; CODE XREF: PAGEVRFY:00A558B4j
		db	65h
		js	short $+3
; 
		db 3 dup(0)
; 

??_C@_0BG@ONPHHIH@KeRegisterNmiCallback@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9E10o
		dec	ebx
		db	65h
		push	edx
		imul	esi, gs:[bp+di+74h], 6D4E7265h

loc_A5592C:				; CODE XREF: PAGEVRFY:00A558C7j
					; PAGEVRFY:00A558B9j ...
		imul	eax, [ebx+61h],	61626C6Ch

loc_A55933:				; CODE XREF: PAGEVRFY:00A558CCj
		arpl	[ebx+0], bp
; 
		dw 0
; 

??_C@_0BB@HGICFKMC@KeReadStateTimer@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9DF8o
		dec	ebx
		db	65h
		push	edx

loc_A5593B:				; CODE XREF: PAGEVRFY:loc_A558D0j
		db	65h
		popa

loc_A5593D:				; CODE XREF: PAGEVRFY:00A558E9j
		db	64h
		push	ebx
		jz	short near ptr word_A559A2
		jz	short near ptr loc_A559A7+1
		push	esp

loc_A55944:				; CODE XREF: PAGEVRFY:00A558DFj
					; PAGEVRFY:00A558E3j
		imul	ebp, [ebp+65h],	72h
; 
		db 0
; 

??_C@_0O@GGAAGBOF@KeRemoveQueue@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA9F00o
		dec	ebx
		db	65h
		push	edx
		db	65h
		insd
		outsd
		jbe	short loc_A559B9
		push	ecx

loc_A55955:				; CODE XREF: PAGEVRFY:00A558EBj
		jnz	short ??_C@_0BD@BOKPENEF@KeReleaseSemaphore@GHGBBCHJ@
		jnz	short near ptr loc_A559BD+1
; 
byte_A55959	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A558E5j
					; PAGEVRFY:00A558E7j
; 

??_C@_0BJ@DOLMKFAK@KeRemoveEntryDeviceQueue@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9EE8o
		dec	ebx

loc_A5595D:				; CODE XREF: PAGEVRFY:00A558FBj
		db	65h
		push	edx
		db	65h
		insd
		outsd
		jbe	short loc_A559C9

loc_A55964:				; CODE XREF: PAGEVRFY:loc_A558FDj
		inc	ebp
		outsb
		jz	short near ptr loc_A559D9+1
		jns	short loc_A559AE
		db	65h
		jbe	short loc_A559D6

loc_A5596D:				; CODE XREF: PAGEVRFY:00A55903j
					; PAGEVRFY:loc_A55906j
		arpl	[ebp+51h], sp
		jnz	short near ptr loc_A559D6+1
		jnz	short loc_A559D9
; 
		db 2 dup(0)
word_A55976	dw 0			; CODE XREF: PAGEVRFY:loc_A55913j
; 

??_C@_0BJ@ENKACOPE@KeSaveFloatingPointState@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9F30o
		dec	ebx
		db	65h
		push	ebx
		popa

loc_A5597C:				; CODE XREF: PAGEVRFY:loc_A55915j
		jbe	short loc_A559E3
		inc	esi
		insb
		outsd
		popa
		jz	short loc_A559ED
		outsb
		db	67h
		push	eax
		outsd

loc_A55988:				; CODE XREF: PAGEVRFY:00A55918j
		imul	ebp, [esi+74h],	74617453h
		add	gs:[eax], al
; 
		dw 0
; 

??_C@_0N@GIMFFBBC@KeResetEvent@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9F18o
		dec	ebx
		db	65h
		push	edx
		db	65h
		jnb	short near ptr byte_A559FF
		jz	short loc_A559E1
		jbe	short loc_A55A03
		outsb
		jz	short $+2
; 
		db 0
word_A559A2	dw 0			; CODE XREF: PAGEVRFY:00A5593Fj
; 

??_C@_0BI@GAOKHMHE@KeReleaseSpinLockForDpc@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AA9EA0o
		dec	ebx
		db	65h
		push	edx

loc_A559A7:				; CODE XREF: PAGEVRFY:00A55941j
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_A55A11+1
		push	ebx

loc_A559AE:				; CODE XREF: PAGEVRFY:00A55968j
		jo	short loc_A55A19
		outsb
		dec	esp
		outsd
		arpl	[ebx+46h], bp
		outsd
		jb	short near ptr byte_A559FD

loc_A559B9:				; CODE XREF: PAGEVRFY:00A55952j
		jo	short near ptr loc_A55A1C+2
; 
		db 0
; 

??_C@_0BD@BOKPENEF@KeReleaseSemaphore@GHGBBCHJ@: ; CODE	XREF: PAGEVRFY:loc_A55955j
					; DATA XREF: PAGEVRFD:00AA9E88o
		dec	ebx

loc_A559BD:				; CODE XREF: PAGEVRFY:00A55957j
		db	65h
		push	edx
		db	65h
		insb
		db	65h
		popa
		jnb	short loc_A55A2A
		push	ebx
		db	65h
		insd
		popa

loc_A559C9:				; CODE XREF: PAGEVRFY:00A55962j
		jo	short loc_A55A33
		outsd
		jb	short loc_A55A33
; 
		dw 0
; 

??_C@_0BE@LNOIFKLH@KeRemoveDeviceQueue@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9ED0o
		dec	ebx
		db	65h
		push	edx
		db	65h
		insd
		outsd

loc_A559D6:				; CODE XREF: PAGEVRFY:00A5596Aj
					; PAGEVRFY:00A55970j
		jbe	short near ptr loc_A55A37+6
		inc	esp

loc_A559D9:				; CODE XREF: PAGEVRFY:00A55972j
					; PAGEVRFY:00A55966j
		db	65h
		jbe	short loc_A55A45
		arpl	[ebp+51h], sp
		jnz	short near ptr loc_A55A45+1

loc_A559E1:				; CODE XREF: PAGEVRFY:00A5599Aj
		jnz	short near ptr loc_A55A47+1

loc_A559E3:				; CODE XREF: PAGEVRFY:loc_A5597Cj
					; DATA XREF: PAGEVRFD:00AA9EB8o
		add	[ebx+65h], cl
		push	edx
		db	65h
		insd
		outsd
		jbe	short loc_A55A51
		inc	edx

loc_A559ED:				; CODE XREF: PAGEVRFY:00A55982j
		jns	short near ptr loc_A55A37+3
		db	65h
		jns	short near ptr loc_A55A34+2
		db	65h
		jbe	short loc_A55A5E
		arpl	[ebp+51h], sp
		jnz	short near ptr loc_A55A5E+1
		jnz	short loc_A55A61
; 
		db 0
byte_A559FD	db 2 dup(0)		; CODE XREF: PAGEVRFY:00A559B7j
byte_A559FF	db 0			; CODE XREF: PAGEVRFY:00A55997j
; 

??_C@_0BE@MDFBHIGK@MmAddPhysicalMemory@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9FC0o
		dec	ebp
		insd
		inc	ecx

loc_A55A03:				; CODE XREF: PAGEVRFY:00A5599Cj
		db	64h, 64h
		push	eax
		push	63697379h
		popa
		insb
		dec	ebp
		db	65h
		insd
		outsd

loc_A55A11:				; CODE XREF: PAGEVRFY:00A559ABj
		jb	short near ptr loc_A55A85+7
; 
		db 0
; 

??_C@_0BL@BPMCCEG@KeTryToAcquireGuardedMutex@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA9FA8o
		dec	ebx
		db	65h
		push	esp
		jb	short near ptr loc_A55A91+1

loc_A55A19:				; CODE XREF: PAGEVRFY:loc_A559AEj
		push	esp
		outsd
		inc	ecx

loc_A55A1C:				; CODE XREF: PAGEVRFY:loc_A559B9j
		arpl	[ecx+75h], si
		imul	esi, [edx+65h],	72617547h
		db	64h, 65h, 64h
		dec	ebp

loc_A55A2A:				; CODE XREF: PAGEVRFY:00A559C3j
		jnz	short loc_A55AA0
		db	65h
		js	short $+3

loc_A55A2F:				; DATA XREF: PAGEVRFD:00AA9FF0o
		add	[ebp+6Dh], cl
		inc	esp

loc_A55A33:				; CODE XREF: PAGEVRFY:loc_A559C9j
					; PAGEVRFY:00A559CCj
		outsd

loc_A55A34:				; CODE XREF: PAGEVRFY:00A559EFj
		db	65h
		jnb	short near ptr loc_A55A7C+1

loc_A55A37:				; CODE XREF: PAGEVRFY:loc_A559EDj
					; PAGEVRFY:loc_A559D6j
		imul	ebp, [ebp+48h],	55657661h
		jnb	short loc_A55AA6
		jb	short loc_A55A9A
		jb	short near ptr loc_A55AAA+4

loc_A55A45:				; CODE XREF: PAGEVRFY:loc_A559D9j
					; PAGEVRFY:00A559DFj
		jz	short near ptr loc_A55AA7+1

loc_A55A47:				; CODE XREF: PAGEVRFY:loc_A559E1j
		bound	ebp, [ebp+52h]
		db	65h, 66h, 65h
		jb	short loc_A55AB5
		outsb

loc_A55A51:				; CODE XREF: PAGEVRFY:00A559EAj
		arpl	[ebp+73h], sp
; 
		dd 0
; 

??_C@_0P@NBKLIHNN@MmCreateMirror@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9FD8o
		dec	ebp
		insd
		inc	ebx
		jb	short loc_A55AC2
		popa

loc_A55A5E:				; CODE XREF: PAGEVRFY:00A559F2j
					; PAGEVRFY:00A559F8j
		jz	short loc_A55AC5
		dec	ebp

loc_A55A61:				; CODE XREF: PAGEVRFY:00A559FAj
		imul	esi, [edx+72h],	726Fh

??_C@_0L@EEIFKGE@KeSetTimer@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AA9F60o
		dec	ebx
		db	65h
		push	ebx
		db	65h
		jz	short loc_A55AC2

loc_A55A6E:				; DATA XREF: PAGEVRFD:00AA9F48o
		imul	ebp, [ebp+65h],	4B000072h
		db	65h
		push	ebx
		db	65h
		jz	short near ptr loc_A55ACC+1
		jns	short loc_A55AEF

loc_A55A7C:				; CODE XREF: PAGEVRFY:loc_A55A34j
		jz	short near ptr loc_A55AE2+1
		insd
		inc	edi
		jb	short loc_A55AF1
		jnz	short loc_A55AF4
		inc	ecx

loc_A55A85:				; CODE XREF: PAGEVRFY:loc_A55A11j
		db	66h, 66h
		imul	ebp, [esi+69h],	68547974h
		jb	short loc_A55AF5
		popa

loc_A55A91:				; CODE XREF: PAGEVRFY:00A55A17j
		add	fs:[eax], al

??_C@_0P@CMHMIJAH@KeTestSpinLock@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA9F90o
		dec	ebx
		db	65h
		push	esp
		db	65h
		jnb	short loc_A55B0E

loc_A55A9A:				; CODE XREF: PAGEVRFY:00A55A41j
		push	ebx
		jo	short loc_A55B06
		outsb
		dec	esp
		outsd

loc_A55AA0:				; CODE XREF: PAGEVRFY:loc_A55A2Aj
		arpl	[ebx+0], bp

loc_A55AA3:				; DATA XREF: PAGEVRFD:00AA9F78o
		add	[ebx+65h], cl

loc_A55AA6:				; CODE XREF: PAGEVRFY:00A55A3Fj
		push	ebx

loc_A55AA7:				; CODE XREF: PAGEVRFY:loc_A55A45j
		db	65h
		jz	short near ptr loc_A55AFD+1

loc_A55AAA:				; CODE XREF: PAGEVRFY:00A55A43j
		imul	ebp, [ebp+65h],	784572h
; 
		db 3 dup(0)
; 

??_C@_0BA@EHOMDAKO@MmPrefetchPages@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAA080o
		dec	ebp

loc_A55AB5:				; CODE XREF: PAGEVRFY:00A55A4Bj
		insd
		push	eax
		jb	short near ptr word_A55B1E
		db	66h, 65h
		jz	short ??_C@_0BK@LPDDDECA@MmGetPhysicalMemoryRanges@GHGBBCHJ@
		push	65676150h

loc_A55AC2:				; CODE XREF: PAGEVRFY:00A55A5Bj
					; PAGEVRFY:00A55A6Bj
		jnb	short $+2

??_C@_0BD@HMJANFJE@MmPageEntireDriver@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAA068o
		dec	ebp

loc_A55AC5:				; CODE XREF: PAGEVRFY:loc_A55A5Ej
		insd
		push	eax
		popa
		db	67h, 65h
		inc	ebp
		outsb

loc_A55ACC:				; CODE XREF: PAGEVRFY:00A55A77j
		jz	short near ptr loc_A55B36+1
		jb	short loc_A55B35
		inc	esp
		jb	short ??_C@_0CE@MOKIDCPN@MmMapLockedPagesWithReservedMap@GHGBBCHJ@
		jbe	short near ptr word_A55B3A
		jb	short $+2
; 
		db 0
; 

??_C@_0BE@DFPPCCIK@MmResetDriverPaging@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA0B0o
		dec	ebp
		insd
		push	edx
		db	65h
		jnb	short loc_A55B43
		jz	short near ptr loc_A55B23+1
		jb	short near ptr loc_A55B49+2

loc_A55AE2:				; CODE XREF: PAGEVRFY:loc_A55A7Cj
		jbe	short loc_A55B49
		jb	short loc_A55B36
		popa
; 
aGing		db 'ging',0
; 

??_C@_0BH@GFOLFMHN@MmRemovePhysicalMemory@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA098o
		dec	ebp
		insd
		push	edx

loc_A55AEF:				; CODE XREF: PAGEVRFY:00A55A7Aj
		db	65h
		insd

loc_A55AF1:				; CODE XREF: PAGEVRFY:00A55A80j
		outsd
		jbe	short loc_A55B59

loc_A55AF4:				; CODE XREF: PAGEVRFY:00A55A82j
		push	eax

loc_A55AF5:				; CODE XREF: PAGEVRFY:00A55A8Ej
		push	63697379h
		popa
		insb
		dec	ebp

loc_A55AFD:				; CODE XREF: PAGEVRFY:loc_A55AA7j
		db	65h
		insd
		outsd
		jb	short loc_A55B7B
; 
		dw 0
; 

??_C@_0BJ@GKLIFAE@MmLockPagableDataSection@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAA020o
		dec	ebp
		insd

loc_A55B06:				; CODE XREF: PAGEVRFY:00A55A9Bj
		dec	esp
		outsd
		arpl	[ebx+50h], bp
		popa
		db	67h
		popa

loc_A55B0E:				; CODE XREF: PAGEVRFY:00A55A97j
		bound	ebp, [ebp+44h]
		popa
		jz	short near ptr loc_A55B75+1
		push	ebx
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb
; 
		db 2 dup(0)
word_A55B1E	dw 0			; CODE XREF: PAGEVRFY:00A55AB7j
; 

??_C@_0BK@LPDDDECA@MmGetPhysicalMemoryRanges@GHGBBCHJ@:	; CODE XREF: PAGEVRFY:00A55AB9j
					; DATA XREF: PAGEVRFD:00AAA008o
		dec	ebp
		insd
		inc	edi

loc_A55B23:				; CODE XREF: PAGEVRFY:00A55ADEj
		db	65h
		jz	short near ptr loc_A55B75+1
		push	63697379h
		popa
		insb
		dec	ebp
		db	65h
		insd
		outsd
		jb	short loc_A55BAC
		push	edx
		popa

loc_A55B35:				; CODE XREF: PAGEVRFY:00A55ACEj
		outsb

loc_A55B36:				; CODE XREF: PAGEVRFY:00A55AE4j
					; PAGEVRFY:loc_A55ACCj
		db	67h, 65h
		jnb	near ptr 5B3Ah
; 
word_A55B3A	dw 0			; CODE XREF: PAGEVRFY:00A55AD3j
; 

??_C@_0CE@MOKIDCPN@MmMapLockedPagesWithReservedMap@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A55AD1j
					; DATA XREF: PAGEVRFD:00AAA050o
		dec	ebp
		insd
		dec	ebp
		popa
		jo	short near ptr loc_A55B89+5
		outsd

loc_A55B43:				; CODE XREF: PAGEVRFY:00A55ADBj
		arpl	[ebx+65h], bp
		db	64h
		push	eax
		popa

loc_A55B49:				; CODE XREF: PAGEVRFY:loc_A55AE2j
					; PAGEVRFY:00A55AE0j
		db	67h, 65h
		jnb	near ptr 5BA4h
		imul	esi, [eax+ebp*2+52h], 72657365h
		jbe	short near ptr loc_A55BBA+2
		db	64h
		dec	ebp

loc_A55B59:				; CODE XREF: PAGEVRFY:00A55AF2j
		popa
		jo	short near ptr loc_A55BCB+1
; 
		dd 676E69h
; 

??_C@_0BN@PGLJKPN@MmLockPagableSectionByHandle@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA038o
		dec	ebp
		insd
		dec	esp
		outsd
		arpl	[ebx+50h], bp
		popa
		db	67h
		popa
		bound	ebp, [ebp+53h]
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb
		inc	edx

loc_A55B75:				; CODE XREF: PAGEVRFY:00A55B13j
					; PAGEVRFY:loc_A55B23j
		jns	short near ptr loc_A55BBE+1
		popa
		outsb
		db	64h
		insb

loc_A55B7B:				; CODE XREF: PAGEVRFY:00A55B00j
		add	gs:[eax], al
; 
		dw 0
; 

??_C@_0N@PFEAAKMI@NtUnlockFile@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA140o
		dec	esi
		jz	short near ptr loc_A55BD6+2
		outsb
		insb
		outsd
		arpl	[ebx+46h], bp

loc_A55B89:				; CODE XREF: PAGEVRFY:00A55B40j
					; DATA XREF: PAGEVRFD:00AAA128o
		imul	ebp, [ebp+0], 4E000000h
		jz	short loc_A55BE6
		db	65h
		jz	short loc_A55BDF
		outsb
		outsw
		jb	short loc_A55C08
		popa
		jz	short near ptr loc_A55C01+6
		outsd
		outsb
		inc	esi
; 
		db 69h,	6Ch, 65h
		align 8

??_C@_0BM@KBNOOIAM@ObfDereferenceObjectWithTag@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA170o
		dec	edi
		bound	esp, [esi+44h]

loc_A55BAC:				; CODE XREF: PAGEVRFY:00A55B31j
		db	65h
		jb	short loc_A55C14
		db	66h, 65h
		jb	short near ptr loc_A55C17+1
		outsb
		arpl	[ebp+4Fh], sp
		bound	ebp, [edx+65h]

loc_A55BBA:				; CODE XREF: PAGEVRFY:00A55B55j
		arpl	[edi+edx*2+69h], si

loc_A55BBE:				; CODE XREF: PAGEVRFY:loc_A55B75j
		jz	short near ptr loc_A55C27+1
		push	esp
		popa

loc_A55BC2:				; DATA XREF: PAGEVRFD:00AAA158o
		add	[bx+62h], cl
		inc	sp
		db	65h
		jb	short loc_A55C30

loc_A55BCB:				; CODE XREF: PAGEVRFY:00A55B5Aj
		db	66h, 65h
		jb	short near ptr loc_A55C33+1
		outsb
		arpl	[ebp+4Fh], sp
		bound	ebp, [edx+65h]

loc_A55BD6:				; CODE XREF: PAGEVRFY:00A55B81j
		arpl	[eax+eax+0], si
; 
		dw 0
; 

??_C@_0BM@BMLEJECB@MmUnlockPagableImageSection@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA0E0o
		dec	ebp
		insd
		push	ebp

loc_A55BDF:				; CODE XREF: PAGEVRFY:00A55B93j
		outsb
		insb
		outsd
		arpl	[ebx+50h], bp
		popa

loc_A55BE6:				; CODE XREF: PAGEVRFY:00A55B91j
		db	67h
		popa
		bound	ebp, [ebp+49h]
		insd
		popa
		db	67h, 65h
		push	ebx
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb

loc_A55BF7:				; DATA XREF: PAGEVRFD:00AAA0C8o
		add	[ebp+6Dh], cl
		push	ebx
		arpl	gs:[ebp+72h], si
		db	65h
		push	esi

loc_A55C01:				; CODE XREF: PAGEVRFY:00A55B9Cj
		imul	esi, [edx+74h],	4D6C6175h

loc_A55C08:				; CODE XREF: PAGEVRFY:00A55B99j
		db	65h
		insd
		outsd
		jb	short near ptr loc_A55C85+1
; 
		db 3 dup(0)
; 

??_C@_0L@MODOAKDL@NtLockFile@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAA110o
		dec	esi
		jz	short loc_A55C5F
		outsd

loc_A55C14:				; CODE XREF: PAGEVRFY:loc_A55BACj
		arpl	[ebx+46h], bp

loc_A55C17:				; CODE XREF: PAGEVRFY:00A55BAFj
					; DATA XREF: PAGEVRFD:00AAA0F8o
		imul	ebp, [ebp+0], 556D4D00h
		outsb
		jnb	short near ptr loc_A55C85+2
		arpl	[ebp+72h], si
		db	65h
		push	esi

loc_A55C27:				; CODE XREF: PAGEVRFY:loc_A55BBEj
		imul	esi, [edx+74h],	4D6C6175h
		db	65h
		insd

loc_A55C30:				; CODE XREF: PAGEVRFY:00A55BC8j
		outsd
		jb	short near ptr loc_A55CA8+4

loc_A55C33:				; CODE XREF: PAGEVRFY:loc_A55BCBj
					; DATA XREF: PAGEVRFD:00AAA200o
		add	[eax+6Fh], dl
		inc	ebx
		popa
		insb
		insb
		inc	esp
		jb	short near ptr loc_A55CA5+1
		jbe	short near ptr loc_A55CA1+3
		jb	short $+2
; 
		db 3 dup(0)
; 

??_C@_0BI@BOGDLNOD@ObReleaseObjectSecurity@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAA1E8o
		dec	edi
		bound	edx, [edx+65h]
		insb
		db	65h
		popa
		jnb	short near ptr loc_A55CB0+2
		dec	edi
		bound	ebp, [edx+65h]
		arpl	[ebx+edx*2+65h], si
		arpl	[ebp+72h], si
; 
		dd 797469h
; 

??_C@_0CD@LBIPMALL@PoFxCompleteDevicePowerNotRequi@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AAA230o
		push	eax
		outsd
		inc	esi

loc_A55C5F:				; CODE XREF: PAGEVRFY:00A55C11j
		js	short near ptr loc_A55CA1+3
		outsd
		insd
		jo	short loc_A55CD1
		db	65h
		jz	short near ptr loc_A55CCB+2
		inc	esp
		db	65h
		jbe	short near ptr loc_A55CD4+1
		arpl	[ebp+50h], sp
		outsd
		ja	short loc_A55CD7
		jb	short loc_A55CC2
		outsd
		jz	short near ptr loc_A55CC7+2
		db	65h
		jno	short loc_A55CEF
; 
aIred		db 'ired',0
		align 10h

??_C@_0BG@NNMIODPD@PoFxActivateComponent@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA218o
		push	eax
		outsd
		inc	esi
		js	short near ptr loc_A55CC4+2

loc_A55C85:				; CODE XREF: PAGEVRFY:00A55C0Bj
					; PAGEVRFY:00A55C20j
		arpl	[ecx+ebp*2+76h], si
		popa
		jz	short near ptr loc_A55CEF+2
		inc	ebx
		outsd
		insd
		jo	short loc_A55D00
		outsb
		outs	dx, byte ptr gs:[esi]
		jz	short $+2
; 
		dw 0
; 

??_C@_0BE@GKJPIHDM@ObGetObjectSecurity@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA1A0o
		dec	edi
		bound	eax, [edi+65h]
		jz	short near ptr loc_A55CEB+2
		bound	ebp, [edx+65h]

loc_A55CA1:				; CODE XREF: PAGEVRFY:00A55C3Dj
					; PAGEVRFY:loc_A55C5Fj
		arpl	[ebx+edx*2+65h], si

loc_A55CA5:				; CODE XREF: PAGEVRFY:00A55C3Bj
		arpl	[ebp+72h], si

loc_A55CA8:				; CODE XREF: PAGEVRFY:00A55C31j
					; DATA XREF: PAGEVRFD:00AAA188o
		imul	esi, [ecx+edi*2+0], 5266624Fh

loc_A55CB0:				; CODE XREF: PAGEVRFY:00A55C4Bj
		db	65h, 66h, 65h
		jb	short near ptr loc_A55D15+5
		outsb
		arpl	[ebp+4Fh], sp
		bound	ebp, [edx+65h]
		arpl	[edi+edx*2+69h], si
		jz	short loc_A55D2A

loc_A55CC2:				; CODE XREF: PAGEVRFY:00A55C72j
		push	esp
		popa

loc_A55CC4:				; CODE XREF: PAGEVRFY:00A55C83j
		add	[bx+si], al

loc_A55CC7:				; CODE XREF: PAGEVRFY:00A55C75j
					; DATA XREF: PAGEVRFD:00AAA1D0o
		add	[edi+62h], cl
		push	edx

loc_A55CCB:				; CODE XREF: PAGEVRFY:00A55C65j
		db	65h, 66h, 65h
		jb	short near ptr byte_A55D35
		outsb

loc_A55CD1:				; CODE XREF: PAGEVRFY:00A55C63j
		arpl	[ebp+4Fh], sp

loc_A55CD4:				; CODE XREF: PAGEVRFY:00A55C69j
		bound	ebp, [edx+65h]

loc_A55CD7:				; CODE XREF: PAGEVRFY:00A55C70j
		arpl	[edx+eax*2+79h], si
		push	eax
		outsd
		imul	ebp, [esi+74h],	69577265h
		jz	short near ptr loc_A55D4D+1
		push	esp
		popa
		add	[bx+si], al

loc_A55CEB:				; CODE XREF: PAGEVRFY:00A55C9Cj
					; DATA XREF: PAGEVRFD:00AAA1B8o
		add	[edi+62h], cl
		push	edx

loc_A55CEF:				; CODE XREF: PAGEVRFY:00A55C77j
					; PAGEVRFY:00A55C8Aj
		db	65h, 66h, 65h
		jb	short near ptr loc_A55D58+1
		outsb
		arpl	[ebp+4Fh], sp
		bound	ebp, [edx+65h]
		arpl	[edx+eax*2+79h], si
		dec	eax

loc_A55D00:				; CODE XREF: PAGEVRFY:00A55C8Fj
		popa
		outsb
		db	64h
		insb
		db	65h
		push	edi
		imul	esi, [eax+ebp*2+54h], 6761h
; 
		dw 0
; 

??_C@_0BD@DOCNIGLA@PoFxRegisterDevice@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAA2C0o
		push	eax
		outsd
		inc	esi
		js	short near ptr loc_A55D66+1

loc_A55D15:				; CODE XREF: PAGEVRFY:loc_A55CB0j
		imul	esi, gs:[bp+di+74h], 65447265h
		jbe	short loc_A55D89
		arpl	[ebp+0], sp
; 
		db 0
; 

??_C@_0BB@DIOAKMBD@PoFxPowerControl@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA2A8o
		push	eax
		outsd
		inc	esi
		js	short loc_A55D79
		outsd

loc_A55D2A:				; CODE XREF: PAGEVRFY:00A55CC0j
		ja	short loc_A55D91
		jb	short loc_A55D71
		outsd
		outsb
		jz	short near ptr loc_A55DA3+1
		outsd
		insb
; 
		db 0
byte_A55D35	db 3 dup(0)		; CODE XREF: PAGEVRFY:loc_A55CCBj
; 

??_C@_0BI@JHFKAKCH@PoFxSetComponentLatency@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAA2F0o
		push	eax
		outsd
		inc	esi
		js	short loc_A55D90
		db	65h
		jz	short near ptr byte_A55D83
		outsd
		insd
		jo	short near ptr loc_A55DAF+4
		outsb
		outs	dx, byte ptr gs:[esi]
		jz	short loc_A55D95
		popa
		jz	short near ptr loc_A55DAF+2
		outsb

loc_A55D4D:				; CODE XREF: PAGEVRFY:00A55CE4j
		arpl	[ecx+0], di

??_C@_0BK@NAJHNHGP@PoFxReportDevicePoweredOn@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAA2D8o
		push	eax
		outsd
		inc	esi
		js	short near ptr loc_A55DA6+1
		db	65h
		jo	short loc_A55DC7

loc_A55D58:				; CODE XREF: PAGEVRFY:loc_A55CEFj
		jb	short near ptr word_A55DCE
		inc	esp
		db	65h
		jbe	short loc_A55DC7
		arpl	[ebp+50h], sp
		outsd
		ja	short loc_A55DC9
		jb	short near ptr loc_A55DCA+1

loc_A55D66:				; CODE XREF: PAGEVRFY:00A55D13j
		db	64h
		dec	edi
		outsb
; 
		db 3 dup(0)
; 

??_C@_0BG@MIKNLDNH@PoFxCompleteIdleState@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA260o
		push	eax
		outsd
		inc	esi
		js	short near ptr loc_A55DAF+5

loc_A55D71:				; CODE XREF: PAGEVRFY:00A55D2Cj
		outsd
		insd
		jo	short near ptr byte_A55DE1
		db	65h
		jz	short loc_A55DDD
		dec	ecx

loc_A55D79:				; CODE XREF: PAGEVRFY:00A55D27j
		db	64h
		insb
		db	65h
		push	ebx
		jz	short near ptr loc_A55DDF+1
		jz	short loc_A55DE6
; 
		db 2 dup(0)
byte_A55D83	db 0			; CODE XREF: PAGEVRFY:00A55D3Dj
; 

??_C@_0BK@MAADGOKA@PoFxCompleteIdleCondition@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAA248o
		push	eax
		outsd
		inc	esi
		js	short loc_A55DCC

loc_A55D89:				; CODE XREF: PAGEVRFY:00A55D1Ej
		outsd
		insd
		jo	short near ptr byte_A55DF9
		db	65h
		jz	short near ptr loc_A55DF4+1

loc_A55D90:				; CODE XREF: PAGEVRFY:00A55D3Bj
		dec	ecx

loc_A55D91:				; CODE XREF: PAGEVRFY:loc_A55D2Aj
		db	64h
		insb
		db	65h
		inc	ebx

loc_A55D95:				; CODE XREF: PAGEVRFY:00A55D47j
		outsd
		outsb
		imul	esi, fs:[ecx+ebp*2+6Fh], 6Eh

??_C@_0BK@BCCNDOAG@PoFxNotifySurprisePowerOn@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAA290o
		push	eax
		outsd
		inc	esi

loc_A55DA3:				; CODE XREF: PAGEVRFY:00A55D30j
		js	short near ptr loc_A55DEC+7
		outsd

loc_A55DA6:				; CODE XREF: PAGEVRFY:00A55D53j
		jz	short near ptr loc_A55E0F+2
		db	66h
		jns	short near ptr loc_A55DFD+1
		jnz	short loc_A55E1F
		jo	short loc_A55E21

loc_A55DAF:				; CODE XREF: PAGEVRFY:00A55D4Aj
					; PAGEVRFY:00A55D42j ...
		imul	esi, [ebx+65h],	65776F50h
		jb	short loc_A55E07
		outsb
; 
		db 3 dup(0)
; 

??_C@_0BC@KLHKOMHD@PoFxIdleComponent@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAA278o
		push	eax
		outsd
		inc	esi
		js	short near ptr word_A55E0A
		db	64h
		insb
		db	65h
		inc	ebx
		outsd
		insd

loc_A55DC7:				; CODE XREF: PAGEVRFY:00A55D55j
					; PAGEVRFY:00A55D5Bj
		jo	short near ptr loc_A55E37+1

loc_A55DC9:				; CODE XREF: PAGEVRFY:00A55D62j
		outsb

loc_A55DCA:				; CODE XREF: PAGEVRFY:00A55D64j
		outs	dx, byte ptr gs:[esi]

loc_A55DCC:				; CODE XREF: PAGEVRFY:00A55D87j
		jz	short $+2
; 
word_A55DCE	dw 0			; CODE XREF: PAGEVRFY:loc_A55D58j
; 

??_C@_0BC@GIOOBLCP@PoRequestPowerIrp@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAA380o
		push	eax
		outsd
		push	edx
		db	65h
		jno	short loc_A55E4B
		db	65h
		jnb	short near ptr loc_A55E4B+2
		push	eax
		outsd
		ja	short near ptr loc_A55E41+1

loc_A55DDD:				; CODE XREF: PAGEVRFY:00A55D75j
		jb	short loc_A55E28

loc_A55DDF:				; CODE XREF: PAGEVRFY:00A55D7Dj
		jb	short loc_A55E51
; 
byte_A55DE1	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A55D73j
; 

??_C@_0BF@HBBEJIAN@PoFxUnregisterDevice@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAA368o
		push	eax
		outsd

loc_A55DE6:				; CODE XREF: PAGEVRFY:00A55D7Fj
		inc	esi
		js	short loc_A55E3E
		outsb
		jb	short loc_A55E51

loc_A55DEC:				; CODE XREF: PAGEVRFY:loc_A55DA3j
		imul	esi, [bp+di+74h], 65447265h

loc_A55DF4:				; CODE XREF: PAGEVRFY:00A55D8Dj
		jbe	short near ptr loc_A55E5D+2
		arpl	[ebp+0], sp
; 
byte_A55DF9	db 3 dup(0)		; CODE XREF: PAGEVRFY:00A55D8Bj
; 

??_C@_0O@PGCGPCEB@ProbeForWrite@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAA3B0o
		push	eax

loc_A55DFD:				; CODE XREF: PAGEVRFY:00A55DA8j
		jb	short near ptr loc_A55E6D+1
		bound	esp, [ebp+46h]
		outsd
		jb	short near ptr loc_A55E5A+2
		jb	short ??_C@_0BJ@IIMIFLIN@PoFxSetDeviceIdleTimeout@GHGBBCHJ@

loc_A55E07:				; CODE XREF: PAGEVRFY:00A55DB6j
		jz	short near ptr loc_A55E6D+1
; 
		db 0
word_A55E0A	dw 0			; CODE XREF: PAGEVRFY:00A55DBFj
; 

??_C@_0N@ODPDCMLN@ProbeForRead@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA398o
		push	eax
		jb	short loc_A55E7E

loc_A55E0F:				; CODE XREF: PAGEVRFY:loc_A55DA6j
		bound	esp, [ebp+46h]
		outsd
		jb	short loc_A55E67
		db	65h
		popa
		add	fs:[eax], al
; 
		dw 0
; 

??_C@_0BF@OEGEHJMI@PoFxSetComponentWake@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAA320o
		push	eax
		outsd
		inc	esi

loc_A55E1F:				; CODE XREF: PAGEVRFY:00A55DABj
		js	short near ptr loc_A55E73+1

loc_A55E21:				; CODE XREF: PAGEVRFY:00A55DADj
		db	65h
		jz	short loc_A55E67
		outsd
		insd
		jo	short near ptr loc_A55E95+2

loc_A55E28:				; CODE XREF: PAGEVRFY:loc_A55DDDj
		outsb
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_A55E82+2
		popa
		imul	esp, [ebp+0], 0
; 
		dw 0
; 

??_C@_0BK@MEIHEBDN@PoFxSetComponentResidency@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAA308o
		push	eax
		outsd
		inc	esi

loc_A55E37:				; CODE XREF: PAGEVRFY:loc_A55DC7j
		js	short ??_C@_0N@IDKDFBOC@PsGetVersion@GHGBBCHJ@
		db	65h
		jz	short near ptr loc_A55E7E+1
		outsd
		insd

loc_A55E3E:				; CODE XREF: PAGEVRFY:00A55DE7j
		jo	short near ptr loc_A55EAE+1
		outsb

loc_A55E41:				; CODE XREF: PAGEVRFY:00A55DDBj
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_A55E95+2
		db	65h
		jnb	short loc_A55EB1
		db	64h
		outs	dx, byte ptr gs:[esi]

loc_A55E4B:				; CODE XREF: PAGEVRFY:00A55DD3j
					; PAGEVRFY:00A55DD6j
		arpl	[ecx+0], di
; 
		dw 0
; 

??_C@_0BP@KEDIMJIF@PoFxStartDevicePowerManagement@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA350o
		push	eax

loc_A55E51:				; CODE XREF: PAGEVRFY:loc_A55DDFj
					; PAGEVRFY:00A55DEAj
		outsd
		inc	esi
		js	short near ptr loc_A55EA7+1
		jz	short near ptr loc_A55EB7+1
		jb	short loc_A55ECD
		inc	esp

loc_A55E5A:				; CODE XREF: PAGEVRFY:00A55E03j
		db	65h
		jbe	short loc_A55EC6

loc_A55E5D:				; CODE XREF: PAGEVRFY:loc_A55DF4j
		arpl	[ebp+50h], sp
		outsd
		ja	short loc_A55EC8
		jb	short near ptr word_A55EB2
		popa
		outsb

loc_A55E67:				; CODE XREF: PAGEVRFY:00A55E13j
					; PAGEVRFY:loc_A55E21j
		popa
		db	65h
		ins	dword ptr es:[di], dx
		outs	dx, byte ptr gs:[esi]

loc_A55E6D:				; CODE XREF: PAGEVRFY:loc_A55DFDj
					; PAGEVRFY:loc_A55E07j
		jz	short $+2
; 
		db 0
; 

??_C@_0BJ@IIMIFLIN@PoFxSetDeviceIdleTimeout@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:00A55E05j
					; DATA XREF: PAGEVRFD:00AAA338o
		push	eax
		outsd
		inc	esi

loc_A55E73:				; CODE XREF: PAGEVRFY:loc_A55E1Fj
		js	short loc_A55EC8
		db	65h
		jz	short loc_A55EBC
		db	65h
		jbe	short near ptr loc_A55EE3+1
		arpl	[ebp+49h], sp

loc_A55E7E:				; CODE XREF: PAGEVRFY:00A55E0Dj
					; PAGEVRFY:00A55E39j
		db	64h
		insb
		db	65h
		push	esp

loc_A55E82:				; CODE XREF: PAGEVRFY:00A55E2Bj
		imul	ebp, [ebp+65h],	74756Fh
; 
		db 3 dup(0)
; 

??_C@_0N@IDKDFBOC@PsGetVersion@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:loc_A55E37j
					; DATA XREF: PAGEVRFD:00AAA440o
		push	eax
		jnb	short near ptr loc_A55ED5+1
		db	65h
		jz	short near ptr loc_A55EE3+5
		db	65h
		jb	short near ptr loc_A55F05+3

loc_A55E95:				; CODE XREF: PAGEVRFY:00A55E26j
					; PAGEVRFY:00A55E43j
		imul	ebp, [edi+6Eh],	0

??_C@_0BH@IKBDLDOJ@PsDisableImpersonation@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA428o
		push	eax
		jnb	short loc_A55EE3
		imul	esi, [ebx+61h],	49656C62h
		insd

loc_A55EA7:				; CODE XREF: PAGEVRFY:00A55E53j
		jo	short loc_A55F0E
		jb	short loc_A55F1E
		outsd
		outsb
		popa

loc_A55EAE:				; CODE XREF: PAGEVRFY:loc_A55E3Ej
		jz	short near ptr loc_A55F17+2
		outsd

loc_A55EB1:				; CODE XREF: PAGEVRFY:00A55E45j
		outsb
; 
word_A55EB2	dw 0			; CODE XREF: PAGEVRFY:00A55E63j
; 

??_C@_0BO@MPBOCLON@PsReferenceImpersonationToken@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA470o
		push	eax
		jnb	short near ptr loc_A55F05+4

loc_A55EB7:				; CODE XREF: PAGEVRFY:00A55E55j
		db	65h, 66h, 65h
		jb	short near ptr loc_A55F1F+2

loc_A55EBC:				; CODE XREF: PAGEVRFY:00A55E75j
		outsb
		arpl	[ebp+49h], sp
		insd
		jo	short near ptr loc_A55F27+1
		jb	short ??_C@_0CA@OLJHELGG@PsDereferenceImpersonationToken@GHGBBCHJ@
		outsd

loc_A55EC6:				; CODE XREF: PAGEVRFY:loc_A55E5Aj
		outsb
		popa

loc_A55EC8:				; CODE XREF: PAGEVRFY:00A55E61j
					; PAGEVRFY:loc_A55E73j
		jz	short near ptr loc_A55F32+1
		outsd
		outsb
		push	esp

loc_A55ECD:				; CODE XREF: PAGEVRFY:00A55E57j
		outsd
		imul	esp, [ebp+6Eh],	0
; 
		dw 0
; 

??_C@_0BE@LHKJAOID@PsImpersonateClient@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA458o
		push	eax

loc_A55ED5:				; CODE XREF: PAGEVRFY:00A55E8Dj
		jnb	short near ptr loc_A55F1F+1
		insd
		jo	short near ptr loc_A55F3E+1
		jb	short near ptr loc_A55F4E+1
		outsd
		outsb
		popa
		jz	short loc_A55F46
		inc	ebx
		insb

loc_A55EE3:				; CODE XREF: PAGEVRFY:00A55E9Dj
					; PAGEVRFY:00A55E78j ...
		imul	esp, [ebp+6Eh],	73500074h
		inc	ebx
		jb	short loc_A55F52
		popa
		jz	short near ptr loc_A55F54+1
		push	ebx
		jns	short loc_A55F66
		jz	short near ptr loc_A55F59+1
		insd
		push	esp
		push	64616572h
; 
		dd 0
; 

??_C@_0BL@KCEAPHIA@PsAssignImpersonationToken@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAA3C8o
		push	eax
		jnb	short near ptr loc_A55F43+1
		jnb	short near ptr loc_A55F74+4

loc_A55F05:				; CODE XREF: PAGEVRFY:00A55E92j
					; PAGEVRFY:00A55EB5j
		imul	esp, [edi+6Eh],	65706D49h
		jb	short near ptr loc_A55F7F+2

loc_A55F0E:				; CODE XREF: PAGEVRFY:loc_A55EA7j
		outsd
		outsb
		popa
		jz	short near ptr loc_A55F7B+1
		outsd
		outsb
		push	esp
		outsd

loc_A55F17:				; CODE XREF: PAGEVRFY:loc_A55EAEj
		imul	esp, [ebp+6Eh],	0

loc_A55F1B:				; DATA XREF: PAGEVRFD:00AAA410o
		add	[eax+73h], dl

loc_A55F1E:				; CODE XREF: PAGEVRFY:00A55EA9j
		inc	esp

loc_A55F1F:				; CODE XREF: PAGEVRFY:loc_A55ED5j
					; PAGEVRFY:loc_A55EB7j
		db	65h
		jb	short loc_A55F87
		db	66h, 65h
		jb	short near ptr loc_A55F8A+1
		outsb

loc_A55F27:				; CODE XREF: PAGEVRFY:00A55EC1j
		arpl	[ebp+50h], sp
		jb	short loc_A55F95
		insd
		popa
		jb	short near ptr loc_A55FA8+1
		push	esp
		outsd

loc_A55F32:				; CODE XREF: PAGEVRFY:loc_A55EC8j
		imul	esp, [ebp+6Eh],	0
; 
		dw 0
; 

??_C@_0CA@OLJHELGG@PsDereferenceImpersonationToken@GHGBBCHJ@:
					; CODE XREF: PAGEVRFY:00A55EC3j
					; DATA XREF: PAGEVRFD:00AAA3F8o
		push	eax
		jnb	short loc_A55F7F
		db	65h
		jb	short loc_A55FA3

loc_A55F3E:				; CODE XREF: PAGEVRFY:00A55ED8j
		db	66h, 65h
		jb	short loc_A55FA7
		outsb

loc_A55F43:				; CODE XREF: PAGEVRFY:00A55F01j
		arpl	[ebp+49h], sp

loc_A55F46:				; CODE XREF: PAGEVRFY:00A55EDFj
		insd
		jo	short loc_A55FAE
		jb	short loc_A55FBE
		outsd
		outsb
		popa

loc_A55F4E:				; CODE XREF: PAGEVRFY:00A55EDAj
		jz	short loc_A55FB9
		outsd
		outsb

loc_A55F52:				; CODE XREF: PAGEVRFY:00A55EEBj
		push	esp
		outsd

loc_A55F54:				; CODE XREF: PAGEVRFY:00A55EEEj
		imul	esp, [ebp+6Eh],	0

??_C@_0CC@DOJIFMGM@PsSetCreateProcessNotifyRoutine@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AAA500o
		push	eax

loc_A55F59:				; CODE XREF: PAGEVRFY:00A55EF3j
		jnb	short loc_A55FAE
		db	65h
		jz	short near ptr loc_A55F9F+2
		jb	short near ptr loc_A55FC4+1
		popa
		jz	short near ptr loc_A55FC4+4
		push	eax
		jb	short near ptr loc_A55FD3+2

loc_A55F66:				; CODE XREF: PAGEVRFY:00A55EF1j
		arpl	[ebp+73h], sp
		jnb	short loc_A55FB9
		outsd
		jz	short near ptr loc_A55FD3+4
		db	66h
		jns	short loc_A55FC3
		outsd
		jnz	short near ptr loc_A55FE7+1

loc_A55F74:				; CODE XREF: PAGEVRFY:00A55F03j
		imul	ebp, [esi+65h],	7845h

loc_A55F7B:				; CODE XREF: PAGEVRFY:00A55F11j
					; DATA XREF: PAGEVRFD:00AAA4E8o
		add	[eax+73h], dl
		push	ebx

loc_A55F7F:				; CODE XREF: PAGEVRFY:00A55F39j
					; PAGEVRFY:00A55F0Cj
		db	65h
		jz	short near ptr loc_A55FC4+1
		jb	short near ptr loc_A55FE7+2
		popa
		jz	short near ptr loc_A55FEB+1

loc_A55F87:				; CODE XREF: PAGEVRFY:loc_A55F1Fj
		push	eax
		jb	short near ptr loc_A55FF3+6

loc_A55F8A:				; CODE XREF: PAGEVRFY:00A55F22j
		arpl	[ebp+73h], sp
		jnb	short loc_A55FDD
		outsd
		jz	short loc_A55FFB
		db	66h
		jns	short loc_A55FE7

loc_A55F95:				; CODE XREF: PAGEVRFY:00A55F2Aj
		outsd
		jnz	short loc_A5600C
; 
		dd 656E69h
; 

??_C@_0BM@DDLPPFME@PsSetLoadImageNotifyRoutine@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA530o
		push	eax
		jnb	short near ptr loc_A55FF1+1

loc_A55F9F:				; CODE XREF: PAGEVRFY:00A55F5Bj
		db	65h
		jz	short near ptr loc_A55FED+1
		outsd

loc_A55FA3:				; CODE XREF: PAGEVRFY:00A55F3Bj
		popa
		db	64h
		dec	ecx
		insd

loc_A55FA7:				; CODE XREF: PAGEVRFY:loc_A55F3Ej
		popa

loc_A55FA8:				; CODE XREF: PAGEVRFY:00A55F2Ej
		db	67h, 65h
		dec	esi
		outsd
		jz	short near ptr loc_A56016+1

loc_A55FAE:				; CODE XREF: PAGEVRFY:00A55F47j
					; PAGEVRFY:loc_A55F59j
		db	66h
		jns	short near ptr loc_A56001+2
		outsd
		jnz	short near ptr loc_A56027+1
; 
		dd 656E69h
; 

??_C@_0BP@HBCNNCAP@PsSetCreateThreadNotifyRoutine@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA518o
		push	eax

loc_A55FB9:				; CODE XREF: PAGEVRFY:loc_A55F4Ej
					; PAGEVRFY:00A55F69j
		jnb	short near ptr loc_A5600C+2
		db	65h
		jz	short loc_A56001

loc_A55FBE:				; CODE XREF: PAGEVRFY:00A55F49j
		jb	short near ptr loc_A56023+2
		popa
		jz	short near ptr loc_A56027+1

loc_A55FC3:				; CODE XREF: PAGEVRFY:00A55F6Ej
		push	esp

loc_A55FC4:				; CODE XREF: PAGEVRFY:00A55F5Ej
					; PAGEVRFY:loc_A55F7Fj	...
		push	64616572h
		dec	esi
		outsd
		jz	short near ptr word_A56036
		db	66h
		jns	short near ptr loc_A56021+1
		outsd
		jnz	short loc_A56047

loc_A55FD3:				; CODE XREF: PAGEVRFY:00A55F64j
					; PAGEVRFY:00A55F6Cj
					; DATA XREF: ...
		imul	ebp, [esi+65h],	73500000h
		push	edx
		db	65h
		insd

loc_A55FDD:				; CODE XREF: PAGEVRFY:00A55F8Dj
		outsd
		jbe	short near ptr loc_A56044+1
		dec	esp
		outsd
		popa
		db	64h
		dec	ecx
		insd
		popa

loc_A55FE7:				; CODE XREF: PAGEVRFY:00A55F92j
					; PAGEVRFY:00A55F72j ...
		db	67h, 65h
		dec	esi
		outsd

loc_A55FEB:				; CODE XREF: PAGEVRFY:00A55F85j
		jz	short loc_A56056

loc_A55FED:				; CODE XREF: PAGEVRFY:loc_A55F9Fj
		db	66h
		jns	short loc_A56042
		outsd

loc_A55FF1:				; CODE XREF: PAGEVRFY:00A55F9Dj
		jnz	short loc_A56067

loc_A55FF3:				; CODE XREF: PAGEVRFY:00A55F88j
					; DATA XREF: PAGEVRFD:00AAA488o
		imul	ebp, [esi+65h],	73500000h
		push	edx

loc_A55FFB:				; CODE XREF: PAGEVRFY:00A55F90j
		db	65h, 66h, 65h
		jb	short near ptr loc_A56064+1
		outsb

loc_A56001:				; CODE XREF: PAGEVRFY:00A55FBBj
					; PAGEVRFY:loc_A55FAEj
		arpl	[ebp+50h], sp
		jb	short near ptr loc_A5606A+5
		insd
		popa
		jb	short near ptr loc_A56082+1
		push	esp
		outsd

loc_A5600C:				; CODE XREF: PAGEVRFY:00A55F96j
					; PAGEVRFY:loc_A55FB9j
		imul	esp, [ebp+6Eh],	0

??_C@_0P@BBJDAIEP@PsRevertToSelf@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA4D0o
		push	eax
		jnb	short near ptr loc_A56064+1
		db	65h
		jbe	short loc_A5607B

loc_A56016:				; CODE XREF: PAGEVRFY:00A55FACj
		jb	short loc_A5608C
		push	esp
		outsd
		push	ebx
		db	65h
		insb
		db	66h
		add	[eax], al

??_C@_0BH@PKLOMPPA@PsRestoreImpersonation@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA4B8o
		push	eax

loc_A56021:				; CODE XREF: PAGEVRFY:00A55FCDj
		jnb	short near ptr byte_A56075

loc_A56023:				; CODE XREF: PAGEVRFY:loc_A55FBEj
		db	65h
		jnb	short loc_A5609A
		outsd

loc_A56027:				; CODE XREF: PAGEVRFY:00A55FB2j
					; PAGEVRFY:00A55FC1j
		jb	short near ptr loc_A5608C+2
		dec	ecx
		insd
		jo	short loc_A56092
		jb	short near ptr loc_A5609D+5
		outsd
		outsb
		popa
		jz	short loc_A5609D
		outsd
		outsb
; 
word_A56036	dw 0			; CODE XREF: PAGEVRFY:00A55FCBj
; 

??_C@_0CH@LCNLDEMI@RtlCreateSystemVolumeInformatio@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AAA5C0o
		push	edx
		jz	short loc_A560A7
		inc	ebx
		jb	short near ptr loc_A5609D+6
		popa
		jz	short near ptr loc_A560A5+1
		push	ebx

loc_A56042:				; CODE XREF: PAGEVRFY:loc_A55FEDj
		jns	short near ptr loc_A560B4+3

loc_A56044:				; CODE XREF: PAGEVRFY:00A55FDEj
		jz	short loc_A560AB
		insd

loc_A56047:				; CODE XREF: PAGEVRFY:00A55FD1j
		push	esi
		outsd
		insb
		jnz	short near ptr loc_A560B4+5
		db	65h
		dec	ecx
		outsb
		outsw
		jb	short near ptr loc_A560BE+2
		popa
		jz	short near ptr loc_A560BE+1

loc_A56056:				; CODE XREF: PAGEVRFY:loc_A55FEBj
		outsd
		outsb
		inc	esi
		outsd
		insb
		db	64h, 65h
		jb	short $+4
; 
		db 0
; 

??_C@_0BF@BBANLIHJ@RtlCreateRegistryKey@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAA5A8o
		push	edx
		jz	short loc_A560CF
		inc	ebx

loc_A56064:				; CODE XREF: PAGEVRFY:loc_A55FFBj
					; PAGEVRFY:00A56011j
		jb	short near ptr loc_A560C6+5
		popa

loc_A56067:				; CODE XREF: PAGEVRFY:loc_A55FF1j
		jz	short near ptr loc_A560CD+1
		push	edx

loc_A5606A:				; CODE XREF: PAGEVRFY:00A56004j
		imul	esi, gs:[bp+di+74h], 654B7972h
		jns	short $+2
; 
byte_A56075	db 3 dup(0)		; CODE XREF: PAGEVRFY:loc_A56021j
; 

??_C@_0BG@DECGJEOB@RtlEqualUnicodeString@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA5F0o
		push	edx
		jz	short near ptr loc_A560E1+6

loc_A5607B:				; CODE XREF: PAGEVRFY:00A56013j
		inc	ebp
		jno	short loc_A560F3
		popa
		insb
		push	ebp
		outsb

loc_A56082:				; CODE XREF: PAGEVRFY:00A56008j
		imul	esp, [ebx+6Fh],	74536564h
		jb	short loc_A560F4
		outsb

loc_A5608C:				; CODE XREF: PAGEVRFY:loc_A56016j
					; PAGEVRFY:loc_A56027j
		add	[bx+si], al

loc_A5608F:				; DATA XREF: PAGEVRFD:00AAA5D8o
		add	[edx+74h], dl

loc_A56092:				; CODE XREF: PAGEVRFY:00A5602Bj
		insb
		inc	esp
		outsd
		ja	short near ptr loc_A56104+1
		arpl	[ecx+73h], sp

loc_A5609A:				; CODE XREF: PAGEVRFY:loc_A56023j
		db	65h
		push	ebp
		outsb

loc_A5609D:				; CODE XREF: PAGEVRFY:00A56032j
					; PAGEVRFY:00A5602Dj ...
		imul	esp, [ebx+6Fh],	68436564h
		popa

loc_A560A5:				; CODE XREF: PAGEVRFY:00A5603Fj
		jb	short $+2

loc_A560A7:				; CODE XREF: PAGEVRFY:00A56039j
					; DATA XREF: PAGEVRFD:00AAA560o
		add	[edx+74h], dl
		insb

loc_A560AB:				; CODE XREF: PAGEVRFY:loc_A56044j
		inc	ebx
		outsd
		insd
		jo	short near ptr loc_A5610D+4
		jb	short loc_A56117
		push	ebp
		outsb

loc_A560B4:				; CODE XREF: PAGEVRFY:loc_A56042j
					; PAGEVRFY:00A5604Aj
		imul	esp, [ebx+6Fh],	74536564h
		jb	short near ptr loc_A56122+4
		outsb

loc_A560BE:				; CODE XREF: PAGEVRFY:00A56054j
					; PAGEVRFY:00A56051j
					; DATA XREF: ...
		add	[bx+si+73h], dl
		push	esp
		db	65h
		jb	short loc_A56133

loc_A560C6:				; CODE XREF: PAGEVRFY:loc_A56064j
		imul	ebp, [esi+61h],	79536574h

loc_A560CD:				; CODE XREF: PAGEVRFY:loc_A56067j
		jnb	short near ptr byte_A56143

loc_A560CF:				; CODE XREF: PAGEVRFY:00A56061j
		db	65h
		insd
		push	esp
		push	64616572h
; 
		db 0
; 

??_C@_0BG@KMNHAFPD@RtlWriteRegistryValue@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA590o
		push	edx
		jz	short loc_A56147
		push	edi
		jb	short loc_A56147
		jz	short loc_A56145
		push	edx

loc_A560E1:				; CODE XREF: PAGEVRFY:00A56079j
		imul	esi, gs:[bp+di+74h], 61567972h
		insb
		jnz	short near ptr loc_A5614F+3
; 
		db 3 dup(0)
; 

??_C@_0BH@GPMLOEIN@RtlDeleteRegistryValue@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA578o
		push	edx
		jz	short loc_A5615F

loc_A560F3:				; CODE XREF: PAGEVRFY:00A5607Cj
		inc	esp

loc_A560F4:				; CODE XREF: PAGEVRFY:00A56089j
		db	65h
		insb
		db	65h
		jz	short near ptr loc_A5615D+1
		push	edx
		imul	esi, gs:[bp+di+74h], 61567972h
		insb

loc_A56104:				; CODE XREF: PAGEVRFY:00A56095j
		jnz	short near ptr loc_A5616A+1
; 
		dw 0
; 

??_C@_0BC@GGFIMMMG@RtlUnicodeToUTF8N@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAA680o
		push	edx
		jz	short loc_A56177
		push	ebp
		outsb

loc_A5610D:				; CODE XREF: PAGEVRFY:00A560AEj
		imul	esp, [ebx+6Fh],	6F546564h
		push	ebp
		push	esp
		inc	esi

loc_A56117:				; CODE XREF: PAGEVRFY:00A560B0j
		cmp	[esi+0], cl
; 
		dw 0
; 

??_C@_0BC@MFBLMEKB@RtlStringFromGUID@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAA668o
		push	edx
		jz	short near ptr byte_A5618B
		push	ebx
		jz	short loc_A56194

loc_A56122:				; CODE XREF: PAGEVRFY:00A560BBj
		imul	ebp, [esi+67h],	6D6F7246h
		inc	edi
		push	ebp
		dec	ecx
		inc	esp
; 
		db 3 dup(0)
; 

??_C@_0BC@GJEAIKI@RtlUTF8ToUnicodeN@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA6B0o
		push	edx
		jz	short loc_A5619F

loc_A56133:				; CODE XREF: PAGEVRFY:00A560C3j
		push	ebp
		push	esp
		inc	esi
		cmp	[edi+ebp*2+55h], dl
		outsb
		imul	esp, [ebx+6Fh],	4E6564h
; 
		db 0
byte_A56143	db 0			; CODE XREF: PAGEVRFY:loc_A560CDj
; 

??_C@_0BF@OABOIEII@RtlUpcaseUnicodeChar@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAA698o
		push	edx

loc_A56145:				; CODE XREF: PAGEVRFY:00A560DEj
		jz	short near ptr loc_A561B2+1

loc_A56147:				; CODE XREF: PAGEVRFY:00A560D9j
					; PAGEVRFY:00A560DCj
		push	ebp
		jo	short near ptr loc_A561AC+1
		popa
		jnb	short loc_A561B2
		push	ebp
		outsb

loc_A5614F:				; CODE XREF: PAGEVRFY:00A560EBj
		imul	esp, [ebx+6Fh],	68436564h
		popa
		jb	short $+2
; 
		db 3 dup(0)
; 

??_C@_0BG@EIHHCKPD@RtlGenerateClass5Guid@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA620o
		push	edx

loc_A5615D:				; CODE XREF: PAGEVRFY:00A560F6j
		jz	short near ptr byte_A561CB

loc_A5615F:				; CODE XREF: PAGEVRFY:00A560F1j
		inc	edi
		outs	dx, byte ptr gs:[esi]
		db	65h
		jb	short loc_A561C6
		jz	short ??_C@_0BD@PIMPBIIE@SeAssignSecurityEx@GHGBBCHJ@
		inc	ebx
		insb
		popa

loc_A5616A:				; CODE XREF: PAGEVRFY:loc_A56104j
		jnb	short near ptr byte_A561DF
		xor	eax, 64697547h
; 
		db 3 dup(0)
; 

??_C@_0BF@GENHDPCD@RtlFreeUnicodeString@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAA608o
		push	edx
		jz	short loc_A561E3

loc_A56177:				; CODE XREF: PAGEVRFY:00A56109j
		inc	esi
		jb	short near ptr byte_A561DF
		db	65h
		push	ebp
		outsb
		imul	esp, [ebx+6Fh],	74536564h
		jb	short near ptr loc_A561EE+1
		outsb
		add	[bx+si], al
; 
		db 0
byte_A5618B	db 0			; CODE XREF: PAGEVRFY:00A5611Dj
; 

??_C@_0BF@HAIJMKCF@RtlHashUnicodeString@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAA650o
		push	edx
		jz	short loc_A561FB
		dec	eax
		popa
		jnb	short loc_A561FB
		push	ebp

loc_A56194:				; CODE XREF: PAGEVRFY:00A56120j
		outsb
		imul	esp, [ebx+6Fh],	74536564h
		jb	short loc_A56207
		outsb

loc_A5619F:				; CODE XREF: PAGEVRFY:00A56131j
		add	[bx+si], al
; 
		dw 0
; 

??_C@_0BC@FANMNHGG@RtlGUIDFromString@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAA638o
		push	edx
		jz	short loc_A56213
		inc	edi
		push	ebp
		dec	ecx
		inc	esp
		inc	esi

loc_A561AC:				; CODE XREF: PAGEVRFY:00A56148j
		jb	short loc_A5621D
		insd
		push	ebx
		jz	short loc_A56224

loc_A561B2:				; CODE XREF: PAGEVRFY:00A5614Bj
					; PAGEVRFY:loc_A56145j
					; DATA XREF: ...
		imul	ebp, [esi+67h],	53000000h
		db	65h
		inc	esp
		db	65h
		popa
		jnb	short loc_A56232
		imul	esp, [edi+6Eh],	75636553h

loc_A561C6:				; CODE XREF: PAGEVRFY:00A56162j
		jb	short loc_A56231
		jz	short near ptr loc_A5623E+5
; 
		db 0
byte_A561CB	db 0			; CODE XREF: PAGEVRFY:loc_A5615Dj
; 

??_C@_0BD@PIMPBIIE@SeAssignSecurityEx@GHGBBCHJ@: ; CODE	XREF: PAGEVRFY:00A56165j
					; DATA XREF: PAGEVRFD:00AAA728o
		push	ebx
		db	65h
		inc	ecx
		jnb	short near ptr loc_A5623E+6
		imul	esp, [edi+6Eh],	75636553h
		jb	short near ptr loc_A5623E+5
		jz	short near ptr loc_A56254+1
		inc	ebp
		js	short $+2
; 
byte_A561DF	db 0			; CODE XREF: PAGEVRFY:loc_A5616Aj
					; PAGEVRFY:00A56178j
; 

??_C@_0BI@KFBIJFPO@SeReleaseSubjectContext@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAA770o
		push	ebx
		db	65h
		push	edx

loc_A561E3:				; CODE XREF: PAGEVRFY:00A56175j
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_A5624D+1
		push	ebx
		jnz	short near ptr loc_A5624D+1
		push	65h

loc_A561EE:				; CODE XREF: PAGEVRFY:00A56184j
		arpl	[ebx+eax*2+6Fh], si
		outsb
		jz	short near ptr word_A5625A
		js	short near ptr byte_A5626B
; 
		db 0
; 

??_C@_0BF@JDAJABIM@SeLockSubjectContext@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAA758o
		push	ebx
		db	65h
		dec	esp

loc_A561FB:				; CODE XREF: PAGEVRFY:00A5618Dj
					; PAGEVRFY:00A56191j
		outsd
		arpl	[ebx+53h], bp
		jnz	short near ptr loc_A56262+1
		push	65h
		arpl	[ebx+eax*2+6Fh], si

loc_A56207:				; CODE XREF: PAGEVRFY:00A5619Cj
		outsb
		jz	short loc_A5626F
		js	short ??_C@_07IPICGNAN@ZwClose@GHGBBCHJ@
; 
		dd 0
; 

??_C@_0BM@EFEAIGKK@RtlxUnicodeStringToAnsiSize@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA6E0o
		push	edx
		jz	short near ptr byte_A5627F

loc_A56213:				; CODE XREF: PAGEVRFY:00A561A5j
		js	short near ptr byte_A5626A
		outsb
		imul	esp, [ebx+6Fh],	74536564h

loc_A5621D:				; CODE XREF: PAGEVRFY:loc_A561ACj
		jb	short ??_C@_0BG@ICJHAGLN@ZwCreateKeyTransacted@GHGBBCHJ@
		outsb
		db	67h
		push	esp
		outsd
		inc	ecx

loc_A56224:				; CODE XREF: PAGEVRFY:00A561B0j
		outsb
		jnb	short loc_A56290
		push	ebx
; 
		dd 657A69h
; 

??_C@_0BM@HMPGFOLH@RtlxAnsiStringToUnicodeSize@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA6C8o
		push	edx
		jz	short near ptr loc_A56299+2
		js	short loc_A56272

loc_A56231:				; CODE XREF: PAGEVRFY:loc_A561C6j
		outsb

loc_A56232:				; CODE XREF: PAGEVRFY:00A561BDj
		jnb	short near ptr byte_A5629D
		push	ebx
		jz	short near ptr loc_A562A6+3
		imul	ebp, [esi+67h],	6E556F54h

loc_A5623E:				; CODE XREF: PAGEVRFY:00A561C8j
					; PAGEVRFY:00A561D8j ...
		imul	esp, [ebx+6Fh],	69536564h
		jp	short near ptr loc_A562A6+6

loc_A56247:				; DATA XREF: PAGEVRFD:00AAA710o
		add	[ebx+65h], dl
		inc	ecx
		jnb	short near ptr loc_A562BF+1

loc_A5624D:				; CODE XREF: PAGEVRFY:00A561E7j
					; PAGEVRFY:00A561EAj
		imul	esp, [edi+6Eh],	75636553h

loc_A56254:				; CODE XREF: PAGEVRFY:00A561DAj
		jb	short loc_A562BF
		jz	short near ptr loc_A562CF+2
; 
		db 2 dup(0)
word_A5625A	dw 0			; CODE XREF: PAGEVRFY:00A561F3j
; 

??_C@_0O@DHJHKJKC@SeAccessCheck@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAA6F8o
		push	ebx
		db	65h
		inc	ecx
		arpl	[ebx+65h], sp

loc_A56262:				; CODE XREF: PAGEVRFY:00A561FFj
		jnb	short near ptr loc_A562D6+1
		inc	ebx
		push	offset unk_6B6365
; 
byte_A5626A	db 0			; CODE XREF: PAGEVRFY:loc_A56213j
byte_A5626B	db 0			; CODE XREF: PAGEVRFY:00A561F5j
; 

??_C@_0BB@FCLNHJJO@ZwCommitComplete@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA800o
		pop	edx
		ja	short loc_A562B2

loc_A5626F:				; CODE XREF: PAGEVRFY:00A56208j
		outsd
		insd
		insd

loc_A56272:				; CODE XREF: PAGEVRFY:00A5622Fj
		imul	esi, [ebx+eax*2+6Fh], 656C706Dh
		jz	short near ptr loc_A562DE+3
; 
		db 3 dup(0)
byte_A5627F	db 0			; CODE XREF: PAGEVRFY:00A56211j
; 

??_C@_07IPICGNAN@ZwClose@GHGBBCHJ@:	; CODE XREF: PAGEVRFY:00A5620Aj
					; DATA XREF: PAGEVRFD:00AAA7E8o
		pop	edx
		ja	short loc_A562C6
		insb
		outsd
		jnb	short near ptr loc_A562EA+2
; 
		db 0
; 

??_C@_0BG@ICJHAGLN@ZwCreateKeyTransacted@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:loc_A5621Dj
					; DATA XREF: PAGEVRFD:00AAA830o
		pop	edx
		ja	short near ptr loc_A562CD+1
		jb	short near ptr loc_A562F0+2
		popa
		jz	short near ptr loc_A562F4+1

loc_A56290:				; CODE XREF: PAGEVRFY:00A56225j
		dec	ebx
		db	65h
		jns	short loc_A562E8
		jb	short loc_A562F7
		outsb
		jnb	short near ptr loc_A562F7+3

loc_A56299:				; CODE XREF: PAGEVRFY:00A5622Dj
		arpl	[ebp+64h], si
; 
byte_A5629D	db 3 dup(0)		; CODE XREF: PAGEVRFY:loc_A56232j
; 

??_C@_0BE@DDCAJFMM@ZwCommitTransaction@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA818o
		pop	edx
		ja	short loc_A562E6
		outsd
		insd
		insd

loc_A562A6:				; CODE XREF: PAGEVRFY:00A56235j
					; PAGEVRFY:00A56245j
		imul	esi, [esp+edx*2+72h], 61736E61h
		arpl	[ecx+ebp*2+6Fh], si

loc_A562B2:				; CODE XREF: PAGEVRFY:00A5626Dj
		outsb

loc_A562B3:				; DATA XREF: PAGEVRFD:00AAA7A0o
		add	[ebx+65h], dl
		push	ebp
		outsb
		insb
		outsd
		arpl	[ebx+53h], bp
		jnz	short near ptr loc_A56320+1

loc_A562BF:				; CODE XREF: PAGEVRFY:loc_A56254j
					; PAGEVRFY:00A5624Bj
		push	65h
		arpl	[ebx+eax*2+6Fh], si
		outsb

loc_A562C6:				; CODE XREF: PAGEVRFY:00A56281j
		jz	short near ptr loc_A5632C+1
		js	short near ptr loc_A56337+7
; 
		dw 0
; 

??_C@_0BH@GLHJHLCD@SeSinglePrivilegeCheck@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA788o
		push	ebx

loc_A562CD:				; CODE XREF: PAGEVRFY:00A56289j
		db	65h
		push	ebx

loc_A562CF:				; CODE XREF: PAGEVRFY:00A56256j
		imul	ebp, [esi+67h],	7250656Ch

loc_A562D6:				; CODE XREF: PAGEVRFY:loc_A56262j
		imul	esi, [esi+69h],	6567656Ch
		inc	ebx

loc_A562DE:				; CODE XREF: PAGEVRFY:00A5627Aj
		push	offset unk_6B6365

loc_A562E3:				; DATA XREF: PAGEVRFD:00AAA7D0o
		add	[edx+77h], bl

loc_A562E6:				; CODE XREF: PAGEVRFY:00A562A1j
		inc	ecx
		insb

loc_A562E8:				; CODE XREF: PAGEVRFY:00A56291j
		insb
		outsd

loc_A562EA:				; CODE XREF: PAGEVRFY:00A56285j
		arpl	[ecx+74h], sp
		db	65h
		dec	esp
		outsd

loc_A562F0:				; CODE XREF: PAGEVRFY:00A5628Bj
		arpl	[ecx+6Ch], sp
		insb

loc_A562F4:				; CODE XREF: PAGEVRFY:00A5628Ej
		jns	short near ptr byte_A5634B
		outsb

loc_A562F7:				; CODE XREF: PAGEVRFY:00A56294j
					; PAGEVRFY:00A56297j
		imul	esi, [ecx+75h],	644965h
; 
		dw 0
; 

??_C@_0BK@BGHCEEON@SeValidSecurityDescriptor@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAA7B8o
		push	ebx
		db	65h
		push	esi
		popa
		insb
		imul	esp, [ebx+edx*2+65h], 69727563h
		jz	short loc_A56388
		inc	esp
		db	65h
		jnb	short near ptr loc_A56375+1
		jb	short near ptr loc_A5637D+1
		jo	short near ptr loc_A5638A+1
		outsd
		jb	short $+2
; 
		dw 0
; 

??_C@_0L@FGGADCAM@ZwFlushKey@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAA8C0o
		pop	edx
		ja	short near ptr loc_A56363+2
		insb

loc_A56320:				; CODE XREF: PAGEVRFY:00A562BDj
		jnz	short loc_A56395
		push	offset loc_79654B
; 
		db 0
; 

??_C@_0BF@FEEAIOON@ZwFlushBuffersFileEx@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAA8A8o
		pop	edx
		ja	short loc_A56371
		insb

loc_A5632C:				; CODE XREF: PAGEVRFY:loc_A562C6j
		jnz	short near ptr loc_A5639F+2
		push	66667542h
		db	65h
		jb	short loc_A563A9
		inc	esi

loc_A56337:				; CODE XREF: PAGEVRFY:00A562C8j
		imul	ebp, [ebp+45h],	78h
; 
		db 0
; 

??_C@_0L@DLCGAGHB@ZwLockFile@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAA8F0o
		pop	edx
		ja	short loc_A5638F
		outsd
		arpl	[ebx+46h], bp
; 
		db 69h
		db 6Ch,	65h, 0
byte_A5634B	db 0			; CODE XREF: PAGEVRFY:loc_A562F4j
; 

??_C@_0CB@JEGANOH@ZwGetNotificationResourceManage@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA8D8o
		pop	edx
		ja	short near ptr loc_A56395+1
		db	65h
		jz	short near ptr loc_A5639F+1
		outsd
		jz	short loc_A563BE
		imul	sp, [ebx+61h], 6974h
		outsd
		outsb
		push	edx
		db	65h
		jnb	short loc_A563D0
		jnz	short loc_A563D5

loc_A56363:				; CODE XREF: PAGEVRFY:00A5631Dj
		arpl	[ebp+4Dh], sp
		popa
		outsb
		popa
		db	67h, 65h
		jb	near ptr 636Dh
; 
		db 3 dup(0)
; 

??_C@_0M@GHIFNKKI@ZwDeleteKey@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAA860o
		pop	edx

loc_A56371:				; CODE XREF: PAGEVRFY:00A56329j
		ja	short loc_A563B7
		db	65h
		insb

loc_A56375:				; CODE XREF: PAGEVRFY:00A56310j
		db	65h
		jz	short near ptr byte_A563DD
		dec	ebx
		db	65h
		jns	short $+3

??_C@_0BI@PHFAOIFC@ZwCreateResourceManager@GHGBBCHJ@: ;	DATA XREF: PAGEVRFD:00AAA848o
		pop	edx

loc_A5637D:				; CODE XREF: PAGEVRFY:00A56313j
		ja	short loc_A563C2
		jb	short loc_A563E6
		popa
		jz	short near ptr loc_A563E7+2
		push	edx
		db	65h
		jnb	short near ptr byte_A563F7

loc_A56388:				; CODE XREF: PAGEVRFY:00A5630Dj
		jnz	short near ptr loc_A563FB+1

loc_A5638A:				; CODE XREF: PAGEVRFY:00A56315j
		arpl	[ebp+4Dh], sp
		popa
		outsb

loc_A5638F:				; CODE XREF: PAGEVRFY:00A56341j
		popa
		db	67h, 65h
		jb	near ptr 6394h

??_C@_0BD@LLOHOAGA@ZwFlushBuffersFile@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAA890o
		pop	edx

loc_A56395:				; CODE XREF: PAGEVRFY:loc_A56320j
					; PAGEVRFY:00A5634Dj
		ja	short near ptr byte_A563DD
		insb
		jnz	short loc_A5640D
		push	66667542h

loc_A5639F:				; CODE XREF: PAGEVRFY:00A5634Fj
					; PAGEVRFY:loc_A5632Cj
		db	65h
		jb	short near ptr loc_A56410+5
		inc	esi
; 
		db 69h
		dd 656Ch
; 

??_C@_0BN@DLBDDIJG@ZwEnumerateTransactionObject@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAA878o
		pop	edx

loc_A563A9:				; CODE XREF: PAGEVRFY:00A56333j
		ja	short loc_A563F0
		outsb
		jnz	short loc_A5641B
		db	65h
		jb	short near ptr loc_A56410+2
		jz	short loc_A56418
		push	esp
		jb	short near ptr loc_A56410+7
		outsb

loc_A563B7:				; CODE XREF: PAGEVRFY:loc_A56371j
		jnb	short near ptr loc_A56418+2
		arpl	[ecx+ebp*2+6Fh], si
		outsb

loc_A563BE:				; CODE XREF: PAGEVRFY:00A56353j
		dec	edi
		bound	ebp, [edx+65h]

loc_A563C2:				; CODE XREF: PAGEVRFY:loc_A5637Dj
		arpl	[eax+eax+0], si
; 
		dw 0
; 

??_C@_0BF@BJFCFGHI@ZwPrePrepareComplete@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAA980o
		pop	edx
		ja	short loc_A5641B
		jb	short loc_A56432
		push	eax
		jb	short near ptr loc_A56432+3

loc_A563D0:				; CODE XREF: PAGEVRFY:00A5635Ej
		jo	short near ptr loc_A56432+1
		jb	short loc_A56439
		inc	ebx

loc_A563D5:				; CODE XREF: PAGEVRFY:00A56361j
		outsd
		insd
		jo	short loc_A56445
		db	65h
		jz	short near ptr loc_A5643F+2
; 
		db 0
byte_A563DD	db 3 dup(0)		; CODE XREF: PAGEVRFY:loc_A56375j
					; PAGEVRFY:loc_A56395j
; 

??_C@_0BG@KJFANHMB@ZwOpenResourceManager@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA968o
		pop	edx
		ja	short loc_A56432
		jo	short near ptr loc_A56448+2
		outsb

loc_A563E6:				; CODE XREF: PAGEVRFY:00A5637Fj
		push	edx

loc_A563E7:				; CODE XREF: PAGEVRFY:00A56382j
		db	65h
		jnb	short near ptr loc_A56457+2
		jnz	short loc_A5645E
		arpl	[ebp+4Dh], sp
		popa

loc_A563F0:				; CODE XREF: PAGEVRFY:loc_A563A9j
		outsb
		popa
		db	67h, 65h
		jb	near ptr 63F6h
; 
		db 0
byte_A563F7	db 0			; CODE XREF: PAGEVRFY:00A56385j
; 

??_C@_0BM@NMGOCKNF@ZwQueryQuotaInformationFile@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA9B0o
		pop	edx
		ja	short loc_A5644C

loc_A563FB:				; CODE XREF: PAGEVRFY:loc_A56388j
		jnz	short loc_A56462
		jb	short near ptr loc_A56477+1
		push	ecx
		jnz	short near ptr loc_A56470+1
		jz	short near ptr loc_A56463+2
		dec	ecx
		outsb
		outsw
		jb	short loc_A56477
		popa
		jz	short near ptr loc_A56475+1

loc_A5640D:				; CODE XREF: PAGEVRFY:00A56398j
		outsd
		outsb
		inc	esi

loc_A56410:				; CODE XREF: PAGEVRFY:00A563AEj
					; PAGEVRFY:loc_A5639Fj	...
		imul	ebp, [ebp+0], 7551775Ah

loc_A56418:				; CODE XREF: PAGEVRFY:00A563B1j
					; PAGEVRFY:loc_A563B7j
		db	65h
		jb	short near ptr loc_A56491+3

loc_A5641B:				; CODE XREF: PAGEVRFY:00A563ACj
					; PAGEVRFY:00A563C9j
		dec	ecx
		outsb
		outsw
		jb	short loc_A5648E
		popa
		jz	short loc_A5648D
		outsd
		outsb
		push	edx
		db	65h
		jnb	short near ptr loc_A56497+2
		jnz	short near ptr loc_A5649D+1
		arpl	[ebp+4Dh], sp
		popa
		outsb
		popa

loc_A56432:				; CODE XREF: PAGEVRFY:00A563CBj
					; PAGEVRFY:00A563E1j ...
		db	67h, 65h
		jb	near ptr 6436h
; 
		dw 0
; 

??_C@_0M@OKCCJLED@ZwOpenKeyEx@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAA920o
		pop	edx

loc_A56439:				; CODE XREF: PAGEVRFY:00A563D2j
		ja	short loc_A5648A
		jo	short loc_A564A2
		outsb
		dec	ebx

loc_A5643F:				; CODE XREF: PAGEVRFY:00A563D9j
		db	65h
		jns	short loc_A56487
		js	short $+2

??_C@_0BG@CKOEGIOA@ZwMakeTemporaryObject@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA908o
		pop	edx

loc_A56445:				; CODE XREF: PAGEVRFY:00A563D7j
		ja	short near ptr loc_A56491+3
		popa

loc_A56448:				; CODE XREF: PAGEVRFY:00A563E3j
		imul	esp, [ebp+54h],	65h

loc_A5644C:				; CODE XREF: PAGEVRFY:00A563F9j
		insd
		jo	short loc_A564BE
		jb	short near ptr loc_A564B1+1
		jb	short loc_A564CC
		dec	edi
		bound	ebp, [edx+65h]

loc_A56457:				; CODE XREF: PAGEVRFY:loc_A563E7j
		arpl	[eax+eax+0], si

loc_A5645B:				; DATA XREF: PAGEVRFD:00AAA950o
		add	[edx+77h], bl

loc_A5645E:				; CODE XREF: PAGEVRFY:00A563EAj
		dec	edi
		jo	short loc_A564C6
		outsb

loc_A56462:				; CODE XREF: PAGEVRFY:loc_A563FBj
		dec	ebx

loc_A56463:				; CODE XREF: PAGEVRFY:00A56402j
		db	65h
		jns	short near ptr loc_A564B9+1
		jb	short loc_A564C9
		outsb
		jnb	short loc_A564CC
		arpl	[ebp+64h], si
		inc	ebp

loc_A56470:				; CODE XREF: PAGEVRFY:00A56400j
		js	short $+2
; 
		dw 0
; 

??_C@_0BE@PPJELLFA@ZwOpenKeyTransacted@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA938o
		pop	edx

loc_A56475:				; CODE XREF: PAGEVRFY:00A5640Bj
		ja	short loc_A564C6

loc_A56477:				; CODE XREF: PAGEVRFY:00A56408j
					; PAGEVRFY:00A563FDj
		jo	short loc_A564DE
		outsb
		dec	ebx
		db	65h
		jns	short near ptr loc_A564D1+1
		jb	short near ptr loc_A564E0+1
		outsb
		jnb	short loc_A564E4
		arpl	[ebp+64h], si

loc_A56487:				; CODE XREF: PAGEVRFY:loc_A5643Fj
					; DATA XREF: PAGEVRFD:00AAAA40o
		add	[edx+77h], bl

loc_A5648A:				; CODE XREF: PAGEVRFY:loc_A56439j
		push	edx
		outsd
		insb

loc_A5648D:				; CODE XREF: PAGEVRFY:00A56422j
		insb

loc_A5648E:				; CODE XREF: PAGEVRFY:00A5641Fj
		bound	esp, [ecx+63h]

loc_A56491:				; CODE XREF: PAGEVRFY:loc_A56418j
					; PAGEVRFY:loc_A56445j
		imul	eax, [ebx+6Fh],	6Dh
		jo	short loc_A56503

loc_A56497:				; CODE XREF: PAGEVRFY:00A56427j
		db	65h
		jz	short loc_A564FF
; 
		dw 0
; 

??_C@_0BE@GBHFBHOH@ZwSetInformationKey@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAAA28o
		pop	edx

loc_A5649D:				; CODE XREF: PAGEVRFY:00A5642Aj
		ja	short loc_A564F2
		db	65h
		jz	short loc_A564EB

loc_A564A2:				; CODE XREF: PAGEVRFY:00A5643Bj
		outsb
		outsw
		jb	short ??_C@_0M@NPIGFLDK@ZwRenameKey@GHGBBCHJ@
		popa
		jz	short near ptr byte_A56513
		outsd
		outsb
		dec	ebx
		db	65h
		jns	short $+3

??_C@_0CA@OKMCBOFF@ZwSetInformationResourceManager@GHGBBCHJ@:
					; DATA XREF: PAGEVRFD:00AAAA70o
		pop	edx

loc_A564B1:				; CODE XREF: PAGEVRFY:00A5644Fj
		ja	short near ptr loc_A56505+1
		db	65h
		jz	short loc_A564FF
		outsb
		outsw

loc_A564B9:				; CODE XREF: PAGEVRFY:loc_A56463j
		jb	short near ptr loc_A56527+1
		popa
		jz	short loc_A56527

loc_A564BE:				; CODE XREF: PAGEVRFY:00A5644Dj
		outsd
		outsb
		push	edx
		db	65h
		jnb	short loc_A56533
		jnz	short loc_A56538

loc_A564C6:				; CODE XREF: PAGEVRFY:00A5645Fj
					; PAGEVRFY:loc_A56475j
		arpl	[ebp+4Dh], sp

loc_A564C9:				; CODE XREF: PAGEVRFY:00A56466j
		popa
		outsb
		popa

loc_A564CC:				; CODE XREF: PAGEVRFY:00A56451j
					; PAGEVRFY:00A56469j
		db	67h, 65h
		jb	near ptr 64D0h

??_C@_0BG@NEJIBFHB@ZwRollbackTransaction@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAAA58o
		pop	edx

loc_A564D1:				; CODE XREF: PAGEVRFY:00A5647Bj
		ja	short near ptr loc_A56523+2
		outsd
		insb
		insb
		bound	esp, [ecx+63h]
		imul	edx, [edx+esi*2+61h], 6Eh

loc_A564DE:				; CODE XREF: PAGEVRFY:loc_A56477j
		jnb	short loc_A56541

loc_A564E0:				; CODE XREF: PAGEVRFY:00A5647Ej
		arpl	[ecx+ebp*2+6Fh], si

loc_A564E4:				; CODE XREF: PAGEVRFY:00A56481j
		outsb
; 
		db 3 dup(0)
; 

??_C@_0BE@KNMOALJP@ZwRecoverEnlistment@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA9E0o
		pop	edx
		ja	short loc_A5653D

loc_A564EB:				; CODE XREF: PAGEVRFY:00A5649Fj
		arpl	gs:[edi+76h], bp
		db	65h
		jb	short loc_A56537

loc_A564F2:				; CODE XREF: PAGEVRFY:loc_A5649Dj
		outsb
		insb
		imul	esi, [ebx+74h],	746E656Dh

loc_A564FB:				; DATA XREF: PAGEVRFD:00AAA9C8o
		add	[edx+77h], bl
		push	edx

loc_A564FF:				; CODE XREF: PAGEVRFY:loc_A56497j
					; PAGEVRFY:00A564B3j
		db	65h
		popa
		db	64h
		dec	edi

loc_A56503:				; CODE XREF: PAGEVRFY:00A56495j
		outsb
		insb

loc_A56505:				; CODE XREF: PAGEVRFY:loc_A564B1j
		jns	short near ptr loc_A5654B+1
		outsb
		insb
		imul	esi, [ebx+74h],	746E656Dh
; 
		db 3 dup(0)
byte_A56513	db 0			; CODE XREF: PAGEVRFY:00A564A8j
; 

??_C@_0M@NPIGFLDK@ZwRenameKey@GHGBBCHJ@: ; CODE	XREF: PAGEVRFY:00A564A5j
					; DATA XREF: PAGEVRFD:00AAAA10o
		pop	edx
		ja	short near ptr loc_A56568+1
		outs	dx, byte ptr gs:[esi]
		popa
		insd
		db	65h
		dec	ebx
		db	65h
		jns	short $+3

??_C@_0BM@FPMAKEFE@ZwRecoverTransactionManager@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAA9F8o
		pop	edx
		ja	short loc_A56575

loc_A56523:				; CODE XREF: PAGEVRFY:loc_A564D1j
		arpl	gs:[edi+76h], bp

loc_A56527:				; CODE XREF: PAGEVRFY:00A564BCj
					; PAGEVRFY:loc_A564B9j
		db	65h
		jb	short near ptr loc_A5657D+1
		jb	short loc_A5658D
		outsb
		jnb	short loc_A56590
		arpl	[ecx+ebp*2+6Fh], si

loc_A56533:				; CODE XREF: PAGEVRFY:00A564C1j
		outsb
		dec	ebp
		popa
		outsb

loc_A56537:				; CODE XREF: PAGEVRFY:00A564EFj
		popa

loc_A56538:				; CODE XREF: PAGEVRFY:00A564C4j
		db	67h, 65h
		jb	near ptr 653Ch

??_C@_0BF@IPAHFEPJ@ZwUnmapViewOfSection@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AAAB00o
		pop	edx

loc_A5653D:				; CODE XREF: PAGEVRFY:00A564E9j
		ja	short near ptr loc_A56592+2
		outsb
		insd

loc_A56541:				; CODE XREF: PAGEVRFY:loc_A564DEj
		popa
		jo	short loc_A5659A
		imul	esp, [ebp+77h],	6553664Fh

loc_A5654B:				; CODE XREF: PAGEVRFY:loc_A56505j
		arpl	[ecx+ebp*2+6Fh], si
		outsb
; 
		dd 0
; 

??_C@_0N@PGGABEHE@ZwUnlockFile@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAAAE8o
		pop	edx
		ja	short near ptr loc_A565AA+2
		outsb
		insb
		outsd
		arpl	[ebx+46h], bp

loc_A5655D:				; DATA XREF: PAGEVRFD:00AA8C08o
		imul	ebp, [ebp+0], 41000000h
		db	64h, 64h
		inc	esp

loc_A56568:				; CODE XREF: PAGEVRFY:00A56515j
		db	65h
		jbe	short ??_C@_0N@FJJBIINI@DriverUnload@GHGBBCHJ@
		arpl	[ebp+0], sp
; 
		dw 0
; 

??_C@_0M@GIPELPKM@DriverEntry@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AA8BF8o
		inc	esp
		jb	short loc_A565DC
		jbe	short near ptr loc_A565D9+1

loc_A56575:				; CODE XREF: PAGEVRFY:00A56521j
		jb	short near ptr loc_A565B6+6
		outsb
		jz	short near ptr loc_A565EB+1
		jns	short $+2

??_C@_0BK@JKGEINAM@ZwSetQuotaInformationFile@GHGBBCHJ@:	; DATA XREF: PAGEVRFD:00AAAAA0o
		pop	edx

loc_A5657D:				; CODE XREF: PAGEVRFY:loc_A56527j
		ja	short near ptr byte_A565D2
		db	65h
		jz	short near ptr byte_A565D3
		jnz	short near ptr byte_A565F3
		jz	short loc_A565E7
		dec	ecx
		outsb
		outsw
		jb	short loc_A565F9
		popa

loc_A5658D:				; CODE XREF: PAGEVRFY:00A5652Aj
		jz	short near ptr loc_A565F7+1
		outsd

loc_A56590:				; CODE XREF: PAGEVRFY:00A5652Dj
		outsb
		inc	esi

loc_A56592:				; CODE XREF: PAGEVRFY:loc_A5653Dj
					; DATA XREF: PAGEVRFD:00AAAA88o
		imul	ebp, [ebp+0], 775A0000h

loc_A5659A:				; CODE XREF: PAGEVRFY:00A56542j
		push	ebx
		db	65h
		jz	short loc_A565E7
		outsb
		outsw
		jb	short _VfDriverInitStarting@0 ;	VfDriverInitStarting()
		popa
		jz	short near ptr byte_A5660F
		outsd
		outsb
		push	esp
		outsd

loc_A565AA:				; CODE XREF: PAGEVRFY:00A56555j
		imul	esp, [ebp+6Eh],	0
; 
		dw 0
; 

??_C@_0BD@KGKBMFPI@ZwTerminateProcess@GHGBBCHJ@: ; DATA	XREF: PAGEVRFD:00AAAAD0o
		pop	edx
		ja	short near ptr byte_A56607
		db	65h
		jb	short near ptr loc_A56621+2

loc_A565B6:				; CODE XREF: PAGEVRFY:loc_A56575j
		imul	ebp, [esi+61h],	72506574h
		outsd
		arpl	[ebp+73h], sp
		jnb	short $+2
; 
		db 0
; 

??_C@_0N@JCCKKCOI@ZwSetTimerEx@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AAAAB8o
		pop	edx
		ja	short near ptr loc_A56619+1
		db	65h
		jz	short loc_A5661E
		imul	ebp, [ebp+65h],	784572h
; 
		db 0
byte_A565D2	db 0			; CODE XREF: PAGEVRFY:loc_A5657Dj
byte_A565D3	db 0			; CODE XREF: PAGEVRFY:00A5657Fj
; 

??_C@_0N@FJJBIINI@DriverUnload@GHGBBCHJ@: ; CODE XREF: PAGEVRFY:loc_A56568j
					; DATA XREF: PAGEVRFD:00AA8C28o
		inc	esp
		jb	short _VfUtilGetOriginalDriverUnloadCallback@4 ; VfUtilGetOriginalDriverUnloadCallback(x)
		jbe	short near ptr locret_A5663D+1

loc_A565D9:				; CODE XREF: PAGEVRFY:00A56573j
		jb	short near ptr loc_A5662F+1
		outsb

loc_A565DC:				; CODE XREF: PAGEVRFY:00A56571j
		insb
		outsd
		popa
		add	fs:[eax], al
; 
		dw 0
; 

??_C@_0O@BMEJEEPC@DriverStartIo@GHGBBCHJ@: ; DATA XREF:	PAGEVRFD:00AA8C18o
		inc	esp
		jb	short near ptr loc_A5664E+2

loc_A565E7:				; CODE XREF: PAGEVRFY:00A56584j
					; PAGEVRFY:00A5659Bj
		jbe	short loc_A5664E
		jb	short near ptr locret_A5663D+1

loc_A565EB:				; CODE XREF: PAGEVRFY:00A56578j
		jz	short loc_A5664E
		jb	short near ptr loc_A56661+2
		dec	ecx
		outsd
; 
		db 2 dup(0)
byte_A565F3	db 0			; CODE XREF: PAGEVRFY:00A56582j
; 

??_C@_0N@FDAPFNPF@DriverCancel@GHGBBCHJ@: ; DATA XREF: PAGEVRFD:00AA8C38o
		inc	esp
		jb	short near ptr loc_A5665E+2

loc_A565F7:				; CODE XREF: PAGEVRFY:loc_A5658Dj
		jbe	short loc_A5665E

loc_A565F9:				; CODE XREF: PAGEVRFY:00A5658Aj
		jb	short near ptr locret_A5663D+1
		popa
		outsb
		arpl	[ebp+6Ch], sp
; 
		dd 0
		db 3 dup(0)
byte_A56607	db 0			; CODE XREF: PAGEVRFY:00A565B1j
		dd 0
		db 3 dup(0)
byte_A5660F	db 0			; CODE XREF: PAGEVRFY:00A565A4j

;  S U B	R O U T	I N E 


; __stdcall VfDriverInitStarting()
_VfDriverInitStarting@0	proc near	; CODE XREF: MmCallDllInitialize+136p
					; PAGEVRFY:00A565A1j ...
		mov	eax, _ViActiveVerifierThunks
		retn
_VfDriverInitStarting@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilGetOriginalAddDeviceCallback(x, x)
_VfUtilGetOriginalAddDeviceCallback@8 proc near	; DATA XREF: PAGEVRFD:00AA801Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp

loc_A56619:				; CODE XREF: PAGEVRFY:00A565C5j
		mov	ebp, esp
		mov	eax, [ebp+arg_0]

loc_A5661E:				; CODE XREF: PAGEVRFY:00A565C7j
		mov	eax, [eax+18h]

loc_A56621:				; CODE XREF: PAGEVRFY:00A565B3j
		mov	eax, [eax+20h]
		mov	eax, [eax+0Ch]
		pop	ebp
		retn	8
_VfUtilGetOriginalAddDeviceCallback@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilGetOriginalDriverInitCallback(x, x)
_VfUtilGetOriginalDriverInitCallback@8 proc near ; DATA	XREF: PAGEVRFD:00AA8010o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp

loc_A5662F:				; CODE XREF: PAGEVRFY:loc_A565D9j
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+18h]
		mov	eax, [eax+20h]
		mov	eax, [eax]
		pop	ebp

locret_A5663D:				; CODE XREF: PAGEVRFY:00A565D7j
					; PAGEVRFY:00A565E9j ...
		retn	8
_VfUtilGetOriginalDriverInitCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilGetOriginalDriverUnloadCallback(x)
_VfUtilGetOriginalDriverUnloadCallback@4 proc near ; CODE XREF:	PAGEVRFY:00A565D5j
					; DATA XREF: PAGEVRFD:00AA8018o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+18h]
		mov	eax, [eax+20h]

loc_A5664E:				; CODE XREF: PAGEVRFY:loc_A565E7j
					; PAGEVRFY:loc_A565EBj	...
		mov	eax, [eax+8]
		pop	ebp
		retn	4
_VfUtilGetOriginalDriverUnloadCallback@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilGetOriginalIrpMajorCallback(x, x)
_VfUtilGetOriginalIrpMajorCallback@8 proc near ; DATA XREF: PAGEVRFD:00AA8020o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]

loc_A5665E:				; CODE XREF: PAGEVRFY:loc_A565F7j
					; PAGEVRFY:00A565F5j
		mov	eax, [ebp+arg_4]

loc_A56661:				; CODE XREF: PAGEVRFY:00A565EDj
		mov	ecx, [ecx+8]
		mov	eax, [eax+60h]
		mov	ecx, [ecx+18h]
		movzx	edx, byte ptr [eax]
		mov	eax, [ecx+20h]
		mov	eax, [eax+edx*4+10h]
		pop	ebp
		retn	8
_VfUtilGetOriginalIrpMajorCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilGetOriginalStartIoCallback(x,	x)
_VfUtilGetOriginalStartIoCallback@8 proc near ;	DATA XREF: PAGEVRFD:00AA8014o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+8]
		mov	eax, [eax+18h]
		mov	eax, [eax+20h]
		mov	eax, [eax+4]
		pop	ebp
		retn	8
_VfUtilGetOriginalStartIoCallback@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfUtilGetSPAllocSizeLimit()
_VfUtilGetSPAllocSizeLimit@0 proc near	; DATA XREF: PAGEVRFD:00AA803Co
		mov	eax, 0FF0h
		retn
_VfUtilGetSPAllocSizeLimit@0 endp


;  S U B	R O U T	I N E 


; __fastcall ViGenericVerifyFinalIrpStack(x, x)
@ViGenericVerifyFinalIrpStack@8	proc near ; DATA XREF: VfInitVerifierComponents(x,x,x)+1F2o
		retn	0
@ViGenericVerifyFinalIrpStack@8	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __fastcall ViGenericVerifyNewRequest(x, x, x,	x, x, x)
@ViGenericVerifyNewRequest@24 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+1A0o
		retn	10h
@ViGenericVerifyNewRequest@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViLookasideDelayFreeAvlNode(x, x)
_ViLookasideDelayFreeAvlNode@8 proc near ; DATA	XREF: VfInitVerifierComponents(x,x,x)+61o
					; VfInitVerifierComponents(x,x,x)+BDo ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		mov	[eax+3Ch], ecx
		pop	ebp
		retn	8
_ViLookasideDelayFreeAvlNode@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeIsApcRunningThread(x)
_VerifierKeIsApcRunningThread@4	proc near ; DATA XREF: .data:006B36FCo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_KeIsApcRunningThread@4	; KeIsApcRunningThread(x)
		pop	ebp
		retn	4
_VerifierKeIsApcRunningThread@4	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall VerifierKeIsExecutingLegacyDpc()
_VerifierKeIsExecutingLegacyDpc@0 proc near ; DATA XREF: .data:006B3700o
		mov	al, large fs:235Ch
		and	eax, 1
		retn
_VerifierKeIsExecutingLegacyDpc@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall ViFilterAddDevice(x, x)
_ViFilterAddDevice@8 proc near		; DATA XREF: ViFilterDriverEntry(x,x)+1Ao
		mov	eax, 0C0000001h
		retn	8
_ViFilterAddDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VfDriverLoadImage proc near		; CODE XREF: MmLoadSystemImageEx(x,x,x,x,x,x)+4E1p
					; VfDriverEnableVerifier(x,x,x)+10Fp ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 00A58624 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+3Ch]
		test	ecx, ecx
		jz	short loc_A56720
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	eax, [eax]
		mov	al, [eax+0Bh]
		shr	al, 4
		mov	byte ptr [ebp+var_4], al

loc_A566F8:				; CODE XREF: VfDriverLoadImage+4Cj
		cmp	_ViVerifierDriverAddedThunkListHead, 0
		jnz	loc_A58624
		cmp	[ebp+arg_4], 0
		jnz	short loc_A5671B
		mov	edx, [esi+20h]
		mov	ecx, [esi+18h]
		push	0
		push	[ebp+var_4]
		call	VfTargetDriversAdd

loc_A5671B:				; CODE XREF: VfDriverLoadImage+31j
					; VfDriverLoadImage+1F60j
		pop	esi
		leave
		retn	8
; 

loc_A56720:				; CODE XREF: VfDriverLoadImage+Ej
		mov	byte ptr [ebp+var_4], 0Ch
		jmp	short loc_A566F8
VfDriverLoadImage endp


;  S U B	R O U T	I N E 


VfThunkAddTargetNotify proc near	; CODE XREF: VfTargetDriversAdd+69p

; FUNCTION CHUNK AT 00A5863D SIZE 00000027 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	edx, offset _VfRegularThunks
		push	edi
		mov	ecx, [esi]
		lea	edi, [esi+0Ch]
		push	edi
		push	offset _VfRegularThunksBitMapHeader
		push	18h
		call	_ViThunkCreateSharedExportInformation@20 ; ViThunkCreateSharedExportInformation(x,x,x,x,x)
		test	eax, eax
		jz	loc_A5863D
		mov	ecx, [esi]
		lea	eax, [esi+10h]
		push	eax
		push	offset _VfPoolThunksBitMapHeader
		push	18h
		mov	edx, offset _VfPoolThunks
		call	_ViThunkCreateSharedExportInformation@20 ; ViThunkCreateSharedExportInformation(x,x,x,x,x)
		test	eax, eax
		jz	loc_A5863D
		mov	ecx, [esi]
		lea	eax, [esi+14h]
		push	eax
		push	offset _VfOrderDependentThunksBitMapHeader
		push	1Ch
		mov	edx, offset _VfOrderDependentThunks
		call	_ViThunkCreateSharedExportInformation@20 ; ViThunkCreateSharedExportInformation(x,x,x,x,x)
		test	eax, eax
		jz	loc_A5863D
		mov	ecx, [esi]
		lea	eax, [esi+18h]
		push	eax
		push	offset _VfXdvThunksBitMapHeader
		push	18h
		mov	edx, offset _VfXdvThunks
		call	_ViThunkCreateSharedExportInformation@20 ; ViThunkCreateSharedExportInformation(x,x,x,x,x)
		test	eax, eax
		jz	loc_A5863D

loc_A567A8:				; CODE XREF: VfThunkAddTargetNotify+1F39j
		pop	edi
		pop	esi
		retn
VfThunkAddTargetNotify endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkCreateSharedExportInformation(x, x, x, x, x)
_ViThunkCreateSharedExportInformation@20 proc near ; CODE XREF:	VfThunkAddTargetNotify+18p
					; VfThunkAddTargetNotify+37p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	[ebp+arg_4]
		xor	esi, esi
		mov	[ebp+var_8], edx
		mov	[ebp+var_C], ecx
		inc	esi
		call	_RtlNumberOfClearBits@4	; RtlNumberOfClearBits(x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_A56825
		push	ebx
		push	edi
		mov	edi, eax
		push	54496656h
		shl	edi, 4
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, [ebp+arg_8]
		mov	[ebx], eax
		test	eax, eax
		jz	short loc_A5682D
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_8]
		add	esp, 0Ch
		mov	ecx, [ebp+var_C]
		push	dword ptr [ebx]	; char *
		push	[ebp+var_4]	; int
		push	[ebp+arg_4]	; int
		push	[ebp+arg_0]	; int
		call	_ViThunkSnapSharedExports@24 ; ViThunkSnapSharedExports(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_A5681C

loc_A56813:				; CODE XREF: ViThunkCreateSharedExportInformation(x,x,x,x,x)+77j
					; ViThunkCreateSharedExportInformation(x,x,x,x,x)+83j
		pop	edi
		pop	ebx

loc_A56815:				; CODE XREF: ViThunkCreateSharedExportInformation(x,x,x,x,x)+7Fj
		mov	eax, esi
		pop	esi
		leave
		retn	0Ch
; 

loc_A5681C:				; CODE XREF: ViThunkCreateSharedExportInformation(x,x,x,x,x)+65j
		mov	ecx, ebx
		call	_ViThunkFreeSharedThunksArray@4	; ViThunkFreeSharedThunksArray(x)
		jmp	short loc_A56813
; 

loc_A56825:				; CODE XREF: ViThunkCreateSharedExportInformation(x,x,x,x,x)+1Fj
		mov	eax, [ebp+arg_8]
		and	dword ptr [eax], 0
		jmp	short loc_A56815
; 

loc_A5682D:				; CODE XREF: ViThunkCreateSharedExportInformation(x,x,x,x,x)+3Fj
		xor	esi, esi
		jmp	short loc_A56813
_ViThunkCreateSharedExportInformation@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ViThunkSnapSharedExports(int,int,int,char *)
_ViThunkSnapSharedExports@24 proc near	; CODE XREF: ViThunkCreateSharedExportInformation(x,x,x,x,x)+5Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_8], edx
		xor	ebx, ebx
		mov	[ebp+var_C], ecx
		xor	edi, edi
		mov	[ebp+var_4], esi
		cmp	[ebp+arg_8], ebx
		jbe	short loc_A5689C
		xor	eax, eax

loc_A56853:				; CODE XREF: ViThunkSnapSharedExports(x,x,x,x,x,x)+68j
		mov	ecx, [ebp+arg_4]
		cmp	eax, [ecx]
		jnb	short loc_A5689C
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		push	ecx
		call	RtlFindNextForwardRunClear
		test	eax, eax
		jz	short loc_A5689C
		mov	esi, [ebp+var_4]
		mov	edx, esi
		imul	edx, [ebp+arg_0]
		push	[ebp+arg_C]	; char *
		push	ecx		; int
		mov	ecx, [ebp+var_C]
		add	edx, [ebp+var_8]
		call	ViThunkSnapSharedExportByName
		test	edi, edi
		jnz	short loc_A56889
		test	eax, eax
		jz	short loc_A5688C

loc_A56889:				; CODE XREF: ViThunkSnapSharedExports(x,x,x,x,x,x)+51j
		xor	edi, edi
		inc	edi

loc_A5688C:				; CODE XREF: ViThunkSnapSharedExports(x,x,x,x,x,x)+55j
		add	[ebp+arg_C], 10h
		inc	esi
		inc	ebx
		mov	[ebp+var_4], esi
		mov	eax, esi
		cmp	ebx, [ebp+arg_8]
		jb	short loc_A56853

loc_A5689C:				; CODE XREF: ViThunkSnapSharedExports(x,x,x,x,x,x)+1Dj
					; ViThunkSnapSharedExports(x,x,x,x,x,x)+26j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_ViThunkSnapSharedExports@24 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ViThunkSnapSharedExportByName(int,char *)
ViThunkSnapSharedExportByName proc near	; CODE XREF: ViThunkSnapSharedExports(x,x,x,x,x,x)+4Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00A58664 SIZE 00000074 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	eax, ecx
		push	edi
		lea	ecx, [ebp+arg_4]
		mov	[ebp+var_C], edx
		push	ecx
		push	1
		push	1
		xor	edi, edi
		mov	[ebp+var_4], eax
		push	eax
		mov	[esi], edi
		mov	[esi+4], edi
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_A56982

loc_A568DB:				; CODE XREF: ViThunkSnapSharedExportByName+76j
		cmp	[ebx+0Ch], edi
		jz	loc_A56982
		cmp	[ebx], edi
		jz	loc_A56982
		mov	eax, [ebx+0Ch]
		add	eax, [ebp+var_4]
		push	offset ??_C@_0N@FJBNMICO@ntoskrnl?4exe@JKADOLAD@ ; char	*
		push	eax		; char *
		mov	[ebp+arg_4], eax
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A5691E
		push	offset ??_C@_07IJBEPEDG@hal?4dll@JKADOLAD@ ; char *
		push	[ebp+arg_4]	; char *
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A5691E

loc_A56919:				; CODE XREF: ViThunkSnapSharedExportByName+8Dj
		add	ebx, 14h
		jmp	short loc_A568DB
; 

loc_A5691E:				; CODE XREF: ViThunkSnapSharedExportByName+5Ej
					; ViThunkSnapSharedExportByName+71j
		mov	eax, [ebx]
		mov	edx, [ebx+10h]
		add	eax, [ebp+var_4]
		add	edx, [ebp+var_4]

loc_A56929:				; CODE XREF: ViThunkSnapSharedExportByName+B6j
		mov	ecx, [eax]
		mov	[ebp+arg_4], edx
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jz	short loc_A56919
		js	short loc_A56956
		mov	eax, [ebp+var_C]
		push	dword ptr [eax]	; char *
		mov	eax, [ebp+var_4]
		add	eax, 2
		add	eax, ecx
		push	eax		; char *
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A5695E
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+arg_4]

loc_A56956:				; CODE XREF: ViThunkSnapSharedExportByName+8Fj
		add	eax, 4
		add	edx, 4
		jmp	short loc_A56929
; 

loc_A5695E:				; CODE XREF: ViThunkSnapSharedExportByName+A8j
		mov	ebx, [ebp+var_C]
		mov	eax, [ebp+arg_4]
		mov	[esi], eax
		mov	eax, [ebx+4]
		mov	[esi+4], eax
		mov	ecx, dword_6FDE00
		test	cl, 8
		jnz	loc_A58664

loc_A5697B:				; CODE XREF: ViThunkSnapSharedExportByName+1DD1j
					; ViThunkSnapSharedExportByName+1DDAj
		or	dword ptr [esi+0Ch], 1

loc_A5697F:				; CODE XREF: ViThunkSnapSharedExportByName+1DE6j
					; ViThunkSnapSharedExportByName+1DF2j ...
		xor	edi, edi
		inc	edi

loc_A56982:				; CODE XREF: ViThunkSnapSharedExportByName+2Fj
					; ViThunkSnapSharedExportByName+38j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
ViThunkSnapSharedExportByName endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ViThunkFreeSharedThunksArray(x)
_ViThunkFreeSharedThunksArray@4	proc near
					; CODE XREF: ViThunkCreateSharedExportInformation(x,x,x,x,x)+72p
					; VfThunkRemoveTargetNotify(x)+Dp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_A569A5
		push	54496656h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi], 0

loc_A569A5:				; CODE XREF: ViThunkFreeSharedThunksArray(x)+9j
		pop	esi
		retn
_ViThunkFreeSharedThunksArray@4	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall VfThunkRemoveTargetNotify(x)
_VfThunkRemoveTargetNotify@4 proc near	; CODE XREF: VfTargetDriversRemove+95p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		lea	ecx, [esi+0Ch]
		test	byte ptr [ecx],	1
		jnz	short loc_A569D3
		call	_ViThunkFreeSharedThunksArray@4	; ViThunkFreeSharedThunksArray(x)
		lea	ecx, [esi+10h]
		call	_ViThunkFreeSharedThunksArray@4	; ViThunkFreeSharedThunksArray(x)
		lea	ecx, [esi+14h]
		call	_ViThunkFreeSharedThunksArray@4	; ViThunkFreeSharedThunksArray(x)
		lea	ecx, [esi+18h]
		pop	esi
		jmp	_ViThunkFreeSharedThunksArray@4	; ViThunkFreeSharedThunksArray(x)
; 

loc_A569D3:				; CODE XREF: VfThunkRemoveTargetNotify(x)+Bj
		pop	esi
		retn
_VfThunkRemoveTargetNotify@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VfDriverUnloadImage proc near		; CODE XREF: MiUnloadSystemImage+20Ap
					; MiUnloadSystemImage+46Bp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00A586D8 SIZE 0000007F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jnz	loc_A586D8

loc_A569EE:				; CODE XREF: VfDriverUnloadImage+1D1Aj
		cmp	_ViActiveVerifierThunks, 0
		jnz	loc_A586F5

loc_A569FB:				; CODE XREF: VfDriverUnloadImage+1D77j
		mov	ecx, ebx
		call	VfTargetDriversRemove
		test	dword ptr [ebx+34h], 2000000h
		jnz	short loc_A56A10

loc_A56A0B:				; CODE XREF: VfDriverUnloadImage+41j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A56A10:				; CODE XREF: VfDriverUnloadImage+33j
		mov	ecx, ebx
		call	_VfSuspectDriversUnloadCallback@4 ; VfSuspectDriversUnloadCallback(x)
		jmp	short loc_A56A0B
VfDriverUnloadImage endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1426. MmIsVerifierEnabled

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public MmIsVerifierEnabled
MmIsVerifierEnabled proc near		; CODE XREF: PopVerifierFlushMemoryBeforeSleep+Fp

arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00A58757 SIZE 00000034 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_A56A3A
		cmp	_ViVerifierDriverAddedThunkListHead, 0
		jnz	loc_A58757

loc_A56A37:				; CODE XREF: MmIsVerifierEnabled+1D40j
					; MmIsVerifierEnabled+1D59j
		and	dword ptr [ecx], 0

loc_A56A3A:				; CODE XREF: MmIsVerifierEnabled+Aj
		mov	eax, 0C00000BBh

loc_A56A3F:				; CODE XREF: MmIsVerifierEnabled+1D68j
		pop	ebp
		retn	4
MmIsVerifierEnabled endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall VfDriverInitSuccess(x, x)
_VfDriverInitSuccess@8 proc near	; CODE XREF: MmCallDllInitialize+162p
					; PnpInitializeBootStartDriver+F7p
		mov	edi, edi
		push	ecx
		cmp	_ViActiveVerifierThunks, ecx
		jnz	short loc_A56A51
		pop	ecx
		retn
; 

loc_A56A51:				; CODE XREF: VfDriverInitSuccess(x,x)+9j
		mov	ecx, edx
		call	_ViDriverReApplyVerifierForAll@4 ; ViDriverReApplyVerifierForAll(x)
		pop	ecx
		retn
_VfDriverInitSuccess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VfAvlInitializeTreeEx proc near		; CODE XREF: VfAvlInitializeTree(x,x,x,x)+Dp
					; VfTargetDriversInit()+1Cp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00A585D6 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bl, byte ptr [ebp+arg_4]
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_0]
		push	edi
		mov	edi, edx
		mov	dword ptr [esi+4], 0
		mov	[esi], edi
		mov	[esi+10h], bl
		test	ecx, ecx
		jz	loc_A585D6
		xor	edx, edx

loc_A56A82:				; CODE XREF: VfAvlInitializeTreeEx+1B98j
		xor	eax, eax
		inc	eax
		test	edx, edx
		jnz	loc_A585F7
		add	ecx, 10h

loc_A56A90:				; CODE XREF: VfAvlInitializeTreeEx+1B9Fj
		mov	[esi+14h], ecx
		test	edi, edi
		jnz	loc_A585FE

loc_A56A9B:				; CODE XREF: VfAvlInitializeTreeEx+1BB1j
					; VfAvlInitializeTreeEx+1BBCj ...
		mov	[esi+0Ch], eax
		push	54416656h
		shl	eax, 7
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+8], eax
		test	eax, eax
		jz	short loc_A56B12
		xor	ecx, ecx
		mov	[ebp+arg_4], ecx
		cmp	[esi+0Ch], ecx
		jbe	short loc_A56B09
		mov	edi, ecx

loc_A56AC4:				; CODE XREF: VfAvlInitializeTreeEx+ADj
		mov	eax, [esi+8]
		mov	[eax+edi+38h], ecx
		mov	eax, [esi+8]
		mov	[eax+edi+40h], ecx
		mov	eax, [esi+8]
		mov	[eax+edi+3Ch], ecx
		mov	eax, offset _ViAvlCompareNodeUseSessionId@12 ; ViAvlCompareNodeUseSessionId(x,x,x)
		test	bl, bl
		jz	short loc_A56B19

loc_A56AE2:				; CODE XREF: VfAvlInitializeTreeEx+C4j
		push	esi		; int
		push	[ebp+arg_8]	; int
		push	offset _ViAvlAllocateNode@8 ; int
		push	eax		; int
		mov	eax, [esi+8]
		add	eax, edi
		push	eax		; void *
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		mov	ecx, [ebp+arg_4]
		sub	edi, 0FFFFFF80h
		inc	ecx
		cmp	ecx, [esi+0Ch]
		push	0
		mov	[ebp+arg_4], ecx
		pop	ecx
		jb	short loc_A56AC4

loc_A56B09:				; CODE XREF: VfAvlInitializeTreeEx+66j
		xor	eax, eax

loc_A56B0B:				; CODE XREF: VfAvlInitializeTreeEx+BDj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_A56B12:				; CODE XREF: VfAvlInitializeTreeEx+5Cj
		mov	eax, 0C0000017h
		jmp	short loc_A56B0B
; 

loc_A56B19:				; CODE XREF: VfAvlInitializeTreeEx+86j
		mov	eax, offset _ViAvlCompareNode@12 ; ViAvlCompareNode(x,x,x)
		jmp	short loc_A56AE2
VfAvlInitializeTreeEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfLookasideInitializeInternalNPagedList(x, x, x, x,	x, x, x)
_VfLookasideInitializeInternalNPagedList@28 proc near
					; CODE XREF: VfInitBootDriversLoaded+38p

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	offset ExInitializeNPagedLookasideListInternal
		push	_VfInitializedWithoutReboot
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	200h
		push	[ebp+arg_0]
		push	edx
		push	ecx
		call	ds:_pXdvExInitializeNPagedLookasideList	; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	14h
_VfLookasideInitializeInternalNPagedList@28 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall XdvExInitializeNPagedLookasideListInternal(x, x, x,	x, x, x, x, x, x)
_XdvExInitializeNPagedLookasideListInternal@36 proc near
					; CODE XREF: VfLookasideInitializeInternalNPagedList(x,x,x,x,x,x,x)+23p
					; VfInitVerifierComponents(x,x,x)+B7p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	[ebp+arg_20]
		pop	ebp
		retn	24h
_XdvExInitializeNPagedLookasideListInternal@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeEnterCriticalRegion()
_VerifierKeEnterCriticalRegion@0 proc near ; DATA XREF:	PAGEVRFD:00AAB3D4o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	[ebp+var_1], 0
		mov	eax, _MmVerifierData
		and	eax, 2
		jz	short loc_A56B91
		mov	[ebp+var_8], 1
		jmp	short loc_A56B95
; 

loc_A56B91:				; CODE XREF: VerifierKeEnterCriticalRegion()+14j
		and	[ebp+var_8], 0

loc_A56B95:				; CODE XREF: VerifierKeEnterCriticalRegion()+1Dj
		cmp	[ebp+var_8], 0
		jz	short loc_A56BE4
		mov	eax, _MmVerifierData
		and	eax, 20000h
		jz	short loc_A56BB0
		mov	[ebp+var_C], 1
		jmp	short loc_A56BB4
; 

loc_A56BB0:				; CODE XREF: VerifierKeEnterCriticalRegion()+33j
		and	[ebp+var_C], 0

loc_A56BB4:				; CODE XREF: VerifierKeEnterCriticalRegion()+3Cj
		cmp	[ebp+var_C], 0
		jnz	short loc_A56BE4
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebp+var_1], al
		movzx	eax, [ebp+var_1]
		cmp	eax, 1
		jle	short loc_A56BE4
		push	0
		push	0
		movzx	eax, [ebp+var_1]
		push	eax
		mov	edx, 11Ah
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A56BE4:				; CODE XREF: VerifierKeEnterCriticalRegion()+27j
					; VerifierKeEnterCriticalRegion()+46j ...
		call	ds:_pXdvKeEnterCriticalRegion
		mov	eax, _MmVerifierData
		and	eax, 400000h
		jz	short loc_A56BFF
		mov	[ebp+var_10], 1
		jmp	short loc_A56C03
; 

loc_A56BFF:				; CODE XREF: VerifierKeEnterCriticalRegion()+82j
		and	[ebp+var_10], 0

loc_A56C03:				; CODE XREF: VerifierKeEnterCriticalRegion()+8Bj
		cmp	[ebp+var_10], 0
		jz	short loc_A56C24
		mov	eax, _VfFlightOptions
		and	eax, 20h
		jnz	short loc_A56C1D
		mov	eax, _VfFlightOptions
		and	eax, 1
		jz	short loc_A56C22

loc_A56C1D:				; CODE XREF: VerifierKeEnterCriticalRegion()+9Fj
		call	_ViKeLogCriticalRegionStackTrace@0 ; ViKeLogCriticalRegionStackTrace()

loc_A56C22:				; CODE XREF: VerifierKeEnterCriticalRegion()+A9j
		jmp	short locret_A56C29
; 

loc_A56C24:				; CODE XREF: VerifierKeEnterCriticalRegion()+95j
		call	_ViKeLogCriticalRegionStackTrace@0 ; ViKeLogCriticalRegionStackTrace()

locret_A56C29:				; CODE XREF: VerifierKeEnterCriticalRegion():loc_A56C22j
		leave
		retn
_VerifierKeEnterCriticalRegion@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeLeaveCriticalRegion()
_VerifierKeLeaveCriticalRegion@0 proc near ; DATA XREF:	PAGEVRFD:00AAB3ECo

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		mov	[ebp+var_1], 0
		mov	eax, _MmVerifierData
		and	eax, 2
		jz	short loc_A56C4F
		mov	[ebp+var_C], 1
		jmp	short loc_A56C53
; 

loc_A56C4F:				; CODE XREF: VerifierKeLeaveCriticalRegion()+18j
		and	[ebp+var_C], 0

loc_A56C53:				; CODE XREF: VerifierKeLeaveCriticalRegion()+21j
		cmp	[ebp+var_C], 0
		jz	short loc_A56CA2
		mov	eax, _MmVerifierData
		and	eax, 20000h
		jz	short loc_A56C6E
		mov	[ebp+var_10], 1
		jmp	short loc_A56C72
; 

loc_A56C6E:				; CODE XREF: VerifierKeLeaveCriticalRegion()+37j
		and	[ebp+var_10], 0

loc_A56C72:				; CODE XREF: VerifierKeLeaveCriticalRegion()+40j
		cmp	[ebp+var_10], 0
		jnz	short loc_A56CA2
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebp+var_1], al
		movzx	eax, [ebp+var_1]
		cmp	eax, 1
		jle	short loc_A56CA2
		push	0
		push	0
		movzx	eax, [ebp+var_1]
		push	eax
		mov	edx, 11Bh
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A56CA2:				; CODE XREF: VerifierKeLeaveCriticalRegion()+2Bj
					; VerifierKeLeaveCriticalRegion()+4Aj ...
		mov	eax, _MmVerifierData
		and	eax, 2
		jz	short loc_A56CB5
		mov	[ebp+var_14], 1
		jmp	short loc_A56CB9
; 

loc_A56CB5:				; CODE XREF: VerifierKeLeaveCriticalRegion()+7Ej
		and	[ebp+var_14], 0

loc_A56CB9:				; CODE XREF: VerifierKeLeaveCriticalRegion()+87j
		cmp	[ebp+var_14], 0
		jz	short loc_A56CFA
		mov	eax, large fs:124h
		mov	[ebp+var_8], eax
		mov	eax, [ebp+var_8]
		movsx	eax, word ptr [eax+13Ch]
		test	eax, eax
		jg	short loc_A56CE7
		mov	eax, [ebp+var_8]
		movsx	eax, word ptr [eax+13Ch]
		cmp	eax, 8000h
		jnz	short loc_A56CFA

loc_A56CE7:				; CODE XREF: VerifierKeLeaveCriticalRegion()+A8j
		push	0
		push	0
		push	0
		push	3Eh
		pop	edx
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A56CFA:				; CODE XREF: VerifierKeLeaveCriticalRegion()+91j
					; VerifierKeLeaveCriticalRegion()+B9j
		mov	eax, _MmVerifierData
		and	eax, 400000h
		jz	short loc_A56D0F
		mov	[ebp+var_18], 1
		jmp	short loc_A56D13
; 

loc_A56D0F:				; CODE XREF: VerifierKeLeaveCriticalRegion()+D8j
		and	[ebp+var_18], 0

loc_A56D13:				; CODE XREF: VerifierKeLeaveCriticalRegion()+E1j
		cmp	[ebp+var_18], 0
		jz	short loc_A56D34
		mov	eax, _VfFlightOptions
		and	eax, 20h
		jnz	short loc_A56D2D
		mov	eax, _VfFlightOptions
		and	eax, 1
		jz	short loc_A56D32

loc_A56D2D:				; CODE XREF: VerifierKeLeaveCriticalRegion()+F5j
		call	_ViKeLogCriticalRegionStackTrace@0 ; ViKeLogCriticalRegionStackTrace()

loc_A56D32:				; CODE XREF: VerifierKeLeaveCriticalRegion()+FFj
		jmp	short loc_A56D39
; 

loc_A56D34:				; CODE XREF: VerifierKeLeaveCriticalRegion()+EBj
		call	_ViKeLogCriticalRegionStackTrace@0 ; ViKeLogCriticalRegionStackTrace()

loc_A56D39:				; CODE XREF: VerifierKeLeaveCriticalRegion():loc_A56D32j
		call	ds:_pXdvKeLeaveCriticalRegion
		leave
		retn
_VerifierKeLeaveCriticalRegion@0 endp

; 
		align 2

; char ??_C
??_C@_0DJ@OMMFBNNI@Failed?5to?5initialize?5branch?5tra@JKADOLAD@:
					; DATA XREF: VfNotifyVerifierOfEvent(x)+E8o
		inc	esi
		popa
		imul	ebp, [ebp+64h],	206F7420h
		imul	ebp, [esi+69h],	6C616974h
		imul	edi, [edx+65h],	61726220h
		outsb
		arpl	[eax+20h], bp
		jz	short loc_A56DD2
		popa
		arpl	[ecx+6Eh], bp
		and	cs:[si], bh
		push	ebx
		jz	short loc_A56DCC
		jz	short near ptr loc_A56DE1+1
		jnb	short near ptr loc_A56D8D+2
		cmp	eax, 7830203Dh
		and	eax, 3E583830h
		or	al, [eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0BG@PLAAJABH@?0?5build?5?$CFld?0?5key?5?$CFwZ?6@JKADOLAD@:
					; DATA XREF: VfUtilPrintCheckinString(x)+172o
		sub	al, 20h
		bound	esi, [ebp+69h]
		insb
		and	fs:202C646Ch, ah
		imul	esp, [ebp+79h],	20h

loc_A56D8D:				; CODE XREF: PAGEVRFY:00A56D6Dj
		and	eax, 0A5A77h

; char ??_C
??_C@_09HGKBJBHL@?0?5?$CFd?30x?$CFx@JKADOLAD@: ; DATA XREF: VfUtilPrintCheckinString(x)+150o
		sub	al, 20h
		and	eax, 78303A64h
		and	eax, 72440078h	; DATA XREF: VfNotifyVerifierOfEvent(x)+63o
		imul	esi, [esi+65h],	65562072h
		jb	short near ptr loc_A56E0F+1
		imul	sp, [ebp+72h], 203Ah
		push	esi
		inc	ebp
		push	edx
		dec	ecx
		inc	esi
		dec	ecx
		inc	ebp
		push	edx
		pop	edi
		dec	edi
		push	eax
		push	esp
		dec	ecx
		dec	edi
		dec	esi
		pop	edi
		dec	edi
		dec	esi
		inc	ebp
		inc	edx
		dec	edi
		dec	edi
		push	esp
		and	[ebx+65h], dh
		jz	short loc_A56DE9
		bound	esp, [ebp+66h]

loc_A56DCC:				; CODE XREF: PAGEVRFY:00A56D69j
		outsd
		jb	short ??_C@_0CB@PLOEDOB@Driver?5Verifier?3?5Enabled?5for?5?$CFw@JKADOLAD@
		and	[edx+6Fh], ah

loc_A56DD2:				; CODE XREF: PAGEVRFY:00A56D5Ej
		outsd
		jz	short near ptr loc_A56E02+1
		and	[ebx+6Ch], al
		db	65h
		popa
		jb	short loc_A56E45
		outsb
		and	[bp+65h], dl

loc_A56DE1:				; CODE XREF: PAGEVRFY:00A56D6Bj
		jb	short loc_A56E4C
		imul	sp, [ebp+72h], 6F20h

loc_A56DE9:				; CODE XREF: PAGEVRFY:00A56DC7j
		jo	short near ptr loc_A56E5E+1
		imul	ebp, [edi+6Eh],	72662073h
		outsd
		insd
		and	[edx+65h], dl
		imul	esi, [bp+di+74h], 0A2E7972h
		add	[esi+61h], al	; DATA XREF: VfNotifyVerifierOfEvent(x)+4Eo

loc_A56E02:				; CODE XREF: PAGEVRFY:00A56DD3j
		imul	ebp, [ebp+64h],	206F7420h
		jnb	short near ptr loc_A56E7E+2
		popa
		jb	short loc_A56E83

loc_A56E0F:				; CODE XREF: PAGEVRFY:00A56DA5j
		and	[edx+72h], ah
		popa
		outsb
		arpl	[eax+20h], bp
		jz	short near ptr loc_A56E86+5
		popa
		arpl	[ecx+6Eh], bp
		and	cs:[si], bh
		push	ebx
		jz	short near ptr loc_A56E83+2
		jz	short loc_A56E9B
		jnb	short loc_A56E48
		cmp	eax, 7830203Dh
		and	eax, 3E583830h
		or	al, [eax]

; char ??_C
??_C@_0CB@PLOEDOB@Driver?5Verifier?3?5Enabled?5for?5?$CFw@JKADOLAD@:
					; CODE XREF: PAGEVRFY:00A56DCDj
					; DATA XREF: VfUtilPrintCheckinString(x)+13Co
		inc	esp
		jb	short loc_A56EA0
		jbe	short loc_A56E9E
		jb	short loc_A56E5B
		push	esi
		db	65h
		jb	short loc_A56EA8
		imul	sp, [ebp+72h], 203Ah

loc_A56E45:				; CODE XREF: PAGEVRFY:00A56DDAj
		inc	ebp
		outsb
		popa

loc_A56E48:				; CODE XREF: PAGEVRFY:00A56E26j
		bound	ebp, [ebp+64h]

loc_A56E4C:				; CODE XREF: PAGEVRFY:loc_A56DE1j
		and	[esi+6Fh], ah
		jb	short loc_A56E71
		and	eax, 0CC005A77h

; char ??_C
??_C@_0EC@ODEBKLLI@Driver?5Verifier?3?5Enabled?5for?5?$CFw@JKADOLAD@:
					; DATA XREF: VfUtilPrintCheckinString(x)+11Do
		inc	esp
		jb	short near ptr loc_A56EC1+1
		jbe	short near ptr loc_A56EBF+1

loc_A56E5B:				; CODE XREF: PAGEVRFY:00A56E39j
		jb	short near ptr loc_A56E7B+2
		push	esi

loc_A56E5E:				; CODE XREF: PAGEVRFY:loc_A56DE9j
		db	65h
		jb	short loc_A56ECA
		imul	sp, [ebp+72h], 203Ah
		inc	ebp
		outsb
		popa
		bound	ebp, [ebp+64h]
		and	[esi+6Fh], ah

loc_A56E71:				; CODE XREF: PAGEVRFY:00A56E4Fj
		jb	short loc_A56E93
		and	eax, 202C5A77h
		db	66h
		insb
		popa

loc_A56E7B:				; CODE XREF: PAGEVRFY:loc_A56E5Bj
		db	67h
		jnb	near ptr 6E9Eh

loc_A56E7E:				; CODE XREF: PAGEVRFY:00A56E0Aj
		xor	[eax+25h], bh
		js	short loc_A56EAF

loc_A56E83:				; CODE XREF: PAGEVRFY:00A56E0Dj
					; PAGEVRFY:00A56E22j
		and	[edx+75h], ah

loc_A56E86:				; CODE XREF: PAGEVRFY:00A56E17j
		imul	ebp, [esp+20h],	2C646C25h
		and	[ebx+65h], ch
		jns	short near ptr loc_A56EB1+2

loc_A56E93:				; CODE XREF: PAGEVRFY:loc_A56E71j
		and	eax, 0A5A77h

??_C@_0N@NHOKDNA@IRP_MJ_BOGUS@JKADOLAD@: ; DATA	XREF: ViGenericDumpIrpStack(x)+25o
		dec	ecx
		push	edx
		push	eax

loc_A56E9B:				; CODE XREF: PAGEVRFY:00A56E24j
		pop	edi
		dec	ebp
		dec	edx

loc_A56E9E:				; CODE XREF: PAGEVRFY:00A56E37j
		pop	edi
		inc	edx

loc_A56EA0:				; CODE XREF: PAGEVRFY:00A56E35j
		dec	edi
		inc	edi
		push	ebp
		push	ebx
		add	ah, cl

??_C@_0M@LKFLJLP@IRP_MJ_SCSI@JKADOLAD@:	; DATA XREF: ViGenericDumpIrpStack(x)+Co
		dec	ecx
		push	edx

loc_A56EA8:				; CODE XREF: PAGEVRFY:00A56E3Cj
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	ebx
		inc	ebx

loc_A56EAF:				; CODE XREF: PAGEVRFY:00A56E81j
		push	ebx
		dec	ecx

loc_A56EB1:				; CODE XREF: PAGEVRFY:00A56E91j
					; DATA XREF: ViGenericDumpIrpStack(x)+2Co
		add	[ecx+52h], cl
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		aas
		aas
		add	[edx], ch	; DATA XREF: ViCiPreprocessOptions(x,x,x,x,x,x):loc_A5AF92o
		sub	ch, [edx]

loc_A56EBF:				; CODE XREF: PAGEVRFY:00A56E59j
		sub	ch, [edx]

loc_A56EC1:				; CODE XREF: PAGEVRFY:00A56E57j
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		and	[esi+65h], dl

loc_A56ECA:				; CODE XREF: PAGEVRFY:loc_A56E5Ej
		jb	short near ptr loc_A56F33+2
		imul	sp, [ebp+72h], 4420h
		db	65h
		jz	short near ptr loc_A56F38+2
		arpl	[ebp+64h], si
		and	[ecx+20h], ah
		inc	ebx
		outsd
		db	64h
		and	gs:[ecx+6Eh], cl
		jz	short near ptr loc_A56F49+1
		db	67h
		jb	near ptr 6F51h
		jz	short near ptr loc_A56F60+3
		and	[ecx+73h], cl
		jnb	short loc_A56F64
		and	gs:[edx], ch
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	cl, [edx]
		add	ah, cl

??_C@_03LBGKIICN@?$CK?$CK?5@JKADOLAD@:	; DATA XREF: ViCiPreprocessOptions(x,x,x,x,x,x)+4Ao
					; ViDeadlockPreprocessOptions(x,x,x,x,x,x)+76o
		sub	ch, [edx]
		and	[eax], al

; char ??_C
??_C@_03NOABEEAF@?$CK?$CK?6@JKADOLAD@:	; DATA XREF: ViCiPreprocessOptions(x,x,x,x,x,x)+3Fo
					; ViHalPreprocessOptions(x,x,x,x,x,x)+4Eo ...
		sub	ch, [edx]
		or	al, [eax]

??_C@_0EF@HIFMIKLM@The?5caller?50x?$CFp?5specified?5an?5ex@JKADOLAD@:
					; DATA XREF: VfCheckPagePriority(x,x)+24o
		push	esp
		push	61632065h
		insb
		insb
		db	65h
		jb	short loc_A56F33
		xor	[eax+25h], bh
		jo	short loc_A56F38
		jnb	short near ptr loc_A56F89+1
		arpl	gs:[ecx+66h], bp
		imul	esp, [ebp+64h],	206E6120h
		db	65h
		js	short near ptr loc_A56F8B+2
		arpl	[ebp+74h], si
		popa
		bound	ebp, [ebp+20h]
		dec	ebp
		inc	esp
		dec	esp

loc_A56F33:				; CODE XREF: PAGEVRFY:00A56F10j
					; PAGEVRFY:loc_A56ECAj
		and	[ebp+61h], ch
		jo	short near ptr loc_A56FA6+2

loc_A56F38:				; CODE XREF: PAGEVRFY:00A56F16j
					; PAGEVRFY:00A56ED2j
		imul	ebp, [esi+67h],	72702820h
		imul	ebp, [edi+72h],	20797469h
		xor	[eax+25h], bh

loc_A56F49:				; CODE XREF: PAGEVRFY:00A56EE3j
		js	short near ptr loc_A56F72+2
		db	2Eh
		add	ah, cl

??_C@_0DO@IIHDKJB@The?5caller?50x?$CFp?5specified?5an?5ex@JKADOLAD@:
					; DATA XREF: VfCheckPageProtection(x,x)+21o
		push	esp
		push	61632065h
		insb
		insb
		db	65h
		jb	short near ptr loc_A56F78+1
		xor	[eax+25h], bh
		jo	short loc_A56F7E
		jnb	short near ptr loc_A56FCF+1

loc_A56F60:				; CODE XREF: PAGEVRFY:00A56EE8j
		arpl	gs:[ecx+66h], bp

loc_A56F64:				; CODE XREF: PAGEVRFY:00A56EEDj
		imul	esp, [ebp+64h],	206E6120h
		db	65h
		js	short near ptr loc_A56FCF+4
		arpl	[ebp+74h], si
		popa

loc_A56F72:				; CODE XREF: PAGEVRFY:loc_A56F49j
		bound	ebp, [ebp+20h]
		jo	short loc_A56FD9

loc_A56F78:				; CODE XREF: PAGEVRFY:00A56F56j
		and	gs:[bx+si+72h],	dh
		outsd

loc_A56F7E:				; CODE XREF: PAGEVRFY:00A56F5Cj
		jz	short near ptr loc_A56FE4+1
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		and	[eax], dh
		js	short near ptr loc_A56FAD+1

loc_A56F89:				; CODE XREF: PAGEVRFY:00A56F18j
		js	short near ptr loc_A56FB7+2

loc_A56F8B:				; CODE XREF: PAGEVRFY:00A56F25j
					; DATA XREF: VfCheckImageCompliance(x)+BEo
		add	[eax+ebp*2+65h], dl
		and	[ecx+6Dh], ch
		popa
		and	gs:[di], ah
		ja	short near ptr loc_A56FF2+1
		and	[ebx+6Fh], ah
		outsb
		jz	short loc_A57000
		imul	ebp, [esi+73h],	206E6120h

loc_A56FA6:				; CODE XREF: PAGEVRFY:00A56F36j
		db	65h
		js	short loc_A5700E
		arpl	[ebp+74h], si
		popa

loc_A56FAD:				; CODE XREF: PAGEVRFY:00A56F87j
		bound	ebp, [ebp+20h]
		popa
		outsb
		and	fs:[edi+72h], dh

loc_A56FB7:				; CODE XREF: PAGEVRFY:loc_A56F89j
		imul	esi, [ecx+62h],	7320656Ch
		arpl	gs:[ecx+ebp*2+6Fh], si
		outsb
		and	[eax], dh
		js	short loc_A56FEE
		jo	short near ptr loc_A56FEA+1
		sub	[esi+61h], ch
		insd

loc_A56FCF:				; CODE XREF: PAGEVRFY:00A56F5Ej
					; PAGEVRFY:00A56F6Bj
		and	gs:2E2973h, ah

; char ??_C
??_C@_04LGGJDDML@INIT@JKADOLAD@:	; DATA XREF: VfCheckImageCompliance(x)+90o
		dec	ecx
		dec	esi
		dec	ecx

loc_A56FD9:				; CODE XREF: PAGEVRFY:00A56F76j
		push	esp
		add	ah, cl

??_C@_0ED@OBFNHIMC@?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK@JKADOLAD@:
					; DATA XREF: ViCiPreprocessOptions(x,x,x,x,x,x)+82o
					; ViHalPreprocessOptions(x,x,x,x,x,x)+A4o ...
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]

loc_A56FE4:				; CODE XREF: PAGEVRFY:loc_A56F7Ej
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]

loc_A56FEA:				; CODE XREF: PAGEVRFY:00A56FC9j
		sub	ch, [edx]
		sub	ch, [edx]

loc_A56FEE:				; CODE XREF: PAGEVRFY:00A56FC7j
		sub	ch, [edx]
		sub	ch, [edx]

loc_A56FF2:				; CODE XREF: PAGEVRFY:00A56F97j
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]

loc_A57000:				; CODE XREF: PAGEVRFY:00A56F9Dj
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]

loc_A5700E:				; CODE XREF: PAGEVRFY:loc_A56FA6j
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	cl, [edx]
		add	ah, cl

; char ??_C
??_C@_01EEMJAFIK@?6@JKADOLAD@:		; DATA XREF: ViCiPreprocessOptions(x,x,x,x,x,x):loc_A5AFCFo
					; ViHalPreprocessOptions(x,x,x,x,x,x):loc_A608E4o ...
		or	al, [eax]

??_C@_0ED@LNNBCONM@The?5caller?50x?$CFp?5specified?5an?5ex@JKADOLAD@:
					; DATA XREF: VfCheckPoolType(x,x,x)+30o
		push	esp
		push	61632065h
		insb
		insb
		db	65h
		jb	short loc_A5704D
		xor	[eax+25h], bh
		jo	short loc_A57052
		jnb	short loc_A570A4
		arpl	gs:[ecx+66h], bp
		imul	esp, [ebp+64h],	206E6120h
		db	65h
		js	short near ptr loc_A570A5+2
		arpl	[ebp+74h], si
		popa
		bound	ebp, [ebp+20h]
		jo	short loc_A570BB
		outsd

loc_A5704D:				; CODE XREF: PAGEVRFY:00A5702Aj
		insb
		and	[ecx+edi*2+70h], dh

loc_A57052:				; CODE XREF: PAGEVRFY:00A57030j
		and	gs:[eax], dh
		js	short loc_A5707C
		js	short near ptr loc_A57078+1
		sub	[ecx+67h], dh
		and	[eax], dh
		js	short loc_A57086
		js	short near ptr loc_A5708A+2
		db	2Eh
		add	ah, cl

??_C@_0DI@LHLOLGDN@The?5caller?50x?$CFp?5specified?5an?5ex@JKADOLAD@:
					; DATA XREF: VfCheckPoolType(x,x,x)+29o
		push	esp
		push	61632065h
		insb
		insb
		db	65h
		jb	short loc_A57091
		xor	[eax+25h], bh
		jo	short loc_A57096
		jnb	short near ptr loc_A570E7+1

loc_A57078:				; CODE XREF: PAGEVRFY:00A57057j
		arpl	gs:[ecx+66h], bp

loc_A5707C:				; CODE XREF: PAGEVRFY:00A57055j
		imul	esp, [ebp+64h],	206E6120h
		db	65h
		js	short near ptr loc_A570E7+4

loc_A57086:				; CODE XREF: PAGEVRFY:00A5705Fj
		arpl	[ebp+74h], si
		popa

loc_A5708A:				; CODE XREF: PAGEVRFY:00A57061j
		bound	ebp, [ebp+20h]
		jo	short near ptr loc_A570F9+6
		outsd

loc_A57091:				; CODE XREF: PAGEVRFY:00A5706Ej
		insb
		and	[ecx+edi*2+70h], dh

loc_A57096:				; CODE XREF: PAGEVRFY:00A57074j
		and	gs:[eax], dh
		js	short loc_A570C0
		js	short near ptr loc_A570C7+4
		add	[eax+ebp*2+65h], dl ; DATA XREF: VfCheckImageCompliance(x)+1E3o
		and	[ecx+6Dh], ch

loc_A570A4:				; CODE XREF: PAGEVRFY:00A57032j
		popa

loc_A570A5:				; CODE XREF: PAGEVRFY:00A5703Fj
		and	gs:[di], ah
		ja	short loc_A57105
		and	[ebx+6Fh], ah
		outsb
		jz	short near ptr loc_A57111+1
		imul	ebp, [esi+73h],	63657320h
		jz	short loc_A57123
		outsd

loc_A570BB:				; CODE XREF: PAGEVRFY:00A5704Aj
		outsb
		and	[eax], dh
		js	short near ptr loc_A570DF+6

loc_A570C0:				; CODE XREF: PAGEVRFY:00A57099j
		jo	short near ptr loc_A570DF+3
		jz	short near ptr ??_C@_11LOCGONAA@@JKADOLAD@
		popa
		jz	short loc_A570E7

loc_A570C7:				; CODE XREF: PAGEVRFY:00A5709Bj
		imul	esi, [ebx+20h],	20746F6Eh
		jo	short loc_A57131
		and	gs:[bx+di+6Ch],	ah
		imul	esp, [edi+6Eh],	28206465h
		outsb
		popa
		insd

loc_A570DF:				; CODE XREF: PAGEVRFY:loc_A570C0j
					; PAGEVRFY:00A570BEj
		and	gs:2E2973h, ah

??_C@_0EF@PNLFLEKE@The?5image?5?$CFwZ?5contains?5an?5IAT?0?5@JKADOLAD@:
					; DATA XREF: VfCheckImageCompliance(x)+141o
		push	esp

loc_A570E7:				; CODE XREF: PAGEVRFY:00A570C5j
					; PAGEVRFY:00A57076j ...
		push	6D692065h
		popa
		and	gs:[di], ah
		ja	short loc_A5714D
		and	[ebx+6Fh], ah
		outsb
		jz	short near ptr loc_A57159+1

loc_A570F9:				; CODE XREF: PAGEVRFY:00A5708Ej
		imul	ebp, [esi+73h],	206E6120h
		dec	ecx
		inc	ecx
		push	esp
		sub	al, 20h

loc_A57105:				; CODE XREF: PAGEVRFY:00A570A9j
		xor	[eax+25h], bh
		jo	short near ptr loc_A57124+6
		imul	ebp, [esi+20h],	63657865h

loc_A57111:				; CODE XREF: PAGEVRFY:00A570AFj
		jnz	short near ptr loc_A57184+3
		popa
		bound	ebp, [ebp+20h]
		jnb	short loc_A5717F
		arpl	[ecx+ebp*2+6Fh], si
		outsb
		and	[eax], ch
		outsb
		popa

loc_A57123:				; CODE XREF: PAGEVRFY:00A570B8j
		insd

loc_A57124:				; CODE XREF: PAGEVRFY:00A57108j
		and	gs:2E2973h, ah
		int	3		; Trap to Debugger
; 
??_C@_11LOCGONAA@@JKADOLAD@ db 2 dup(0)	; CODE XREF: PAGEVRFY:00A570C2j
					; DATA XREF: VfDdiExposeWmiObjects()+10o

;  S U B	R O U T	I N E 


; char ??_C
??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@ proc near
					; DATA XREF: ViXdvBindXdvDriverEntryWrappers(x)+C4o
		pop	eax
		inc	esp
		push	esi

loc_A57131:				; CODE XREF: PAGEVRFY:00A570CEj
		and	[ebp+6Eh], ah
		jz	short near ptr loc_A571A6+2
		jns	short near ptr loc_A57156+2
		jo	short loc_A571A9
		imul	ebp, [esi+74h],	72657620h
		jnb	short near ptr loc_A571AB+1
		outsd
		outsb
		and	[ebp+69h], ch
		jnb	short near ptr loc_A571B1+6
		popa
		jz	short near ptr loc_A571AF+1

loc_A5714D:				; CODE XREF: PAGEVRFY:00A570F1j
		push	656B203Ah
		jb	short loc_A571C2
		db	65h
		insb

loc_A57156:				; CODE XREF: ??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@+8j
		and	[esi+65h], dh

loc_A57159:				; CODE XREF: PAGEVRFY:00A570F7j
		jb	short near ptr loc_A571CD+1
		imul	ebp, [edi+6Eh],	20642520h
		and	[eax], ah
		db	64h
		jb	short near ptr loc_A571CF+1
		jbe	short near ptr loc_A571CD+1
		jb	short loc_A5718B
		jbe	short near ptr loc_A571D1+1
		jb	short near ptr loc_A571DE+4
		imul	ebp, [edi+6Eh],	0A642520h
		add	ah, cl
??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@ endp


;  S U B	R O U T	I N E 


; char ??_C
??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@ proc near
					; DATA XREF: ViXdvBindXdvDDIWrappers(x)+95o

arg_45		= byte ptr  49h

		pop	eax
		inc	esp
		push	esi
		and	[esp+eax*2+arg_45], al

loc_A5717F:				; CODE XREF: PAGEVRFY:00A57118j
		and	[esi+65h], dh
		jb	short near ptr loc_A571F6+1

loc_A57184:				; CODE XREF: PAGEVRFY:loc_A57111j
		imul	ebp, [edi+6Eh],	73696D20h

loc_A5718B:				; CODE XREF: ??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@+3Bj
		insd
		popa
		jz	short ??_C@_0BK@JHIFHJKE@GetXdvDriverEntryWrappers@JKADOLAD@
		push	656B203Ah
		jb	short loc_A57204
		db	65h
		insb
		and	[esi+65h], dh
		jb	short loc_A57210
		imul	ebp, [edi+6Eh],	20642520h
		and	[eax], ah

loc_A571A6:				; CODE XREF: ??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@+6j
		db	64h
		jb	short loc_A57212

loc_A571A9:				; CODE XREF: ??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@+Aj
		jbe	short loc_A57210

loc_A571AB:				; CODE XREF: ??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@+13j
		jb	short loc_A571CD
		jbe	short loc_A57214

loc_A571AF:				; CODE XREF: ??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@+1Dj
		jb	short near ptr loc_A57223+1

loc_A571B1:				; CODE XREF: ??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@+1Aj
		imul	ebp, [edi+6Eh],	0A642520h
		add	ah, cl

??_C@_0DH@BPOIEAAH@Error?5on?5Verifier?5Extention?5ent@JKADOLAD@:
					; DATA XREF: ViXdvDriverLoadImage(x)+1ABo
		inc	ebp
		jb	short near ptr loc_A57228+7
		outsd
		jb	short near ptr loc_A571DE+2
		outsd
		outsb

loc_A571C2:				; CODE XREF: ??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@+24j
		and	[esi+65h], dl
		jb	short loc_A57230
		imul	sp, [ebp+72h], 4520h

loc_A571CD:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@:loc_A571ABj
					; ??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@:loc_A57159j	...
		js	short near ptr loc_A57241+2

loc_A571CF:				; CODE XREF: ??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@+36j
		outs	dx, byte ptr gs:[esi]

loc_A571D1:				; CODE XREF: ??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@+3Dj
		jz	short near ptr loc_A5723B+1
		outsd
		outsb
		and	[ebp+6Eh], ah
		jz	short near ptr loc_A5724A+2
		jns	short near ptr loc_A571FB+1
		jo	short near ptr loc_A5724A+3

loc_A571DE:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+46j
					; ??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@+3Fj
		imul	ebp, [esi+74h],	756F6220h
		outsb
		and	fs:[eax+72h], dh
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_A571F9+1
		add	ah, cl

??_C@_0BK@JHIFHJKE@GetXdvDriverEntryWrappers@JKADOLAD@:
					; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+15j
					; DATA XREF: ViXdvDriverLoadImage(x):loc_A5BD87o ...
		inc	edi
		db	65h
		jz	short near ptr loc_A5724A+4

loc_A571F6:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+Aj
		db	64h
		jbe	short near ptr loc_A5723B+2

loc_A571F9:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+76j
		jb	short loc_A57264

loc_A571FB:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+62j
		jbe	short near ptr loc_A5725D+5
		jb	short loc_A57244
		outsb
		jz	short near ptr loc_A57271+3
		jns	short loc_A5725B

loc_A57204:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+1Cj
		jb	short loc_A57267
		jo	short loc_A57278
		db	65h
		jb	short loc_A5727E
		add	[ebp+72h], al	; DATA XREF: ViXdvDriverLoadImage(x)+1F3o
		jb	short near ptr loc_A5727E+1

loc_A57210:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+23j
					; ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@:loc_A571A9j
		jb	short loc_A57232

loc_A57212:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@:loc_A571A6j
		outsd
		outsb

loc_A57214:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+35j
		and	[eax+72h], dh
		outsd
		jbe	short loc_A57283
		imul	ebp, fs:[esi+67h], 72656B20h
		outsb

loc_A57223:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@:loc_A571AFj
		db	65h
		insb
		and	[ebp+74h], dh

loc_A57228:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+43j
		imul	ebp, [ecx+ebp*2+74h], 20736569h

loc_A57230:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+4Dj
		jz	short near ptr loc_A5729F+2

loc_A57232:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@:loc_A57210j
		and	[eax], ah
		pop	eax
		inc	esp
		push	esi
		or	al, cs:[eax]
??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@ endp


;  S U B	R O U T	I N E 


??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@ proc	near
					; DATA XREF: ViXdvDriverLoadImage(x):loc_A5BDD2o
					; ViXdvDriverLoadImage(x)+1C3o

arg_57		= byte ptr  5Fh

; FUNCTION CHUNK AT 00A57352 SIZE 00000830 BYTES
; FUNCTION CHUNK AT 00A57BD4 SIZE 00000022 BYTES

		push	ebx

loc_A5723B:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@:loc_A571D1j
					; ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@:loc_A571F6j
		db	65h
		jz	short near ptr loc_A57295+1
		db	64h
		jbe	short near ptr loc_A5728B+1

loc_A57241:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@:loc_A571CDj
		db	65h
		jb	short loc_A572B2

loc_A57244:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+85j
		db	65h
		insb
		push	ebp
		jz	short loc_A572B2
		insb

loc_A5724A:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+60j
					; ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+64j ...
		imul	esi, [ecx+ebp*2+65h], 69440073h
		push	bp
		jo	short loc_A572BA
		popa
		jz	short loc_A572BE
		push	eax
		insb

loc_A5725B:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+8Aj
		jnz	short near ptr loc_A572C3+1

loc_A5725D:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@:loc_A571FBj
		imul	ebp, [esi+53h],	65746174h

loc_A57264:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@:loc_A571F9j
		add	ah, cl

??_C@_0P@EEGBCGGL@DifLoadPlugins@JKADOLAD@: ; DATA XREF: ViXdvDriverLoadImage(x)+53o
					; ViXdvDriverLoadImage(x)+67o
		inc	esp

loc_A57267:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@:loc_A57204j
		imul	esp, [esi+4Ch],	5064616Fh
		insb
		jnz	short near ptr loc_A572D2+6

loc_A57271:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+88j
					; DATA XREF: ViXdvDriverLoadImage(x)+15Ao
		imul	ebp, [esi+73h],	7245CC00h

loc_A57278:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+8Ej
		jb	short loc_A572E9
		jb	short near ptr loc_A5729A+2
		outsd
		outsb

loc_A5727E:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+90j
					; ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+96j
		and	[esi+65h], dl
		jb	short near ptr loc_A572EB+1

loc_A57283:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@+A0j
		imul	sp, [ebp+72h], 4520h
		js	short near ptr loc_A572FE+1

loc_A5728B:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+4j
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_A572F7+1
		outsd
		outsb
		and	[esp+eax*2-16h+arg_57],	al

loc_A57295:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A5723Bj
		and	[edx+6Fh], ah
		jnz	short near ptr loc_A57307+1

loc_A5729A:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+40j
		and	fs:[eax+72h], dh
		outsd

loc_A5729F:				; CODE XREF: ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@:loc_A57230j
		arpl	[ebp+73h], sp
		jnb	short loc_A572AE
		add	ah, cl

??_C@_0BC@MOJIMOML@GetXdvDDIWrappers@JKADOLAD@:
					; DATA XREF: ViXdvDriverLoadImage(x):loc_A5BD33o
					; ViXdvDriverLoadImage(x)+124o
		inc	edi
		db	65h
		jz	short loc_A57302
		db	64h
		jbe	short near ptr loc_A572EF+2
		inc	esp

loc_A572AE:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+68j
		dec	ecx
		push	edi
		jb	short near ptr loc_A57311+2

loc_A572B2:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57241j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+Dj
		jo	short near ptr loc_A57323+1
		db	65h
		jb	short loc_A5732A
		add	[ebp+72h], al	; DATA XREF: ViXdvDriverLoadImage(x):loc_A5BEF3o

loc_A572BA:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+1Aj
		jb	short near ptr loc_A5732A+1
		jb	short near ptr loc_A572DB+3

loc_A572BE:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+1Dj
		outsd
		outsb
		and	[edi+65h], ah

loc_A572C3:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A5725Bj
		jz	short loc_A57339
		imul	ebp, [esi+67h],	76645820h
		push	ecx
		jnz	short near ptr loc_A5732F+5
		jb	short near ptr loc_A57349+1
		inc	esp

loc_A572D2:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+35j
		imul	esi, [ebx+70h],	68637461h
		push	esp
		popa

loc_A572DB:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+82j
		bound	ebp, [ebp+20h]
		jnz	short loc_A57355
		imul	ebp, [ecx+ebp*2+74h], 72662079h

loc_A572E9:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57278j
		outsd
		insd

loc_A572EB:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+47j
		and	[eax+44h], bl
		push	esi

loc_A572EF:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+70j
		or	al, cs:[eax]

??_C@_0BE@HPGODKBJ@XdvNotifyExtensions@JKADOLAD@:
					; DATA XREF: ViXdvDriverLoadImage(x):loc_A5BE59o
					; ViXdvDriverLoadImage(x)+24Ao
		pop	eax
		db	64h
		jbe	short loc_A57344
		outsd

loc_A572F7:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+53j
		jz	short ??_C@_0EO@LICNNLJA@Driver?5has?5attempted?5to?5access?5@JKADOLAD@
		db	66h
		jns	short loc_A57341
		js	short loc_A57372

loc_A572FE:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+4Fj
		outs	dx, byte ptr gs:[esi]
		jnb	short near ptr loc_A57369+2

loc_A57302:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+6Dj
		outsd
		outsb
		jnb	short $+2

??_C@_0BL@CNCPDNEB@XdvHibernationNotification@JKADOLAD@:
					; DATA XREF: ViXdvDriverLoadImage(x):loc_A5BE1Do
					; ViXdvDriverLoadImage(x)+20Eo
		pop	eax

loc_A57307:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+5Ej
		db	64h
		jbe	short loc_A57352
		imul	esp, [edx+65h],	74616E72h

loc_A57311:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+76j
		imul	ebp, [edi+6Eh],	69746F4Eh
		imul	sp, [ebx+61h], 6974h
		outsd
		outsb
		add	ah, cl

??_C@_0CK@CCLFBIBJ@Error?5on?5getting?5TiP?5utilities?5@JKADOLAD@:
					; DATA XREF: ViXdvDriverLoadImage(x)+2C9o
		inc	ebp

loc_A57323:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A572B2j
		jb	short loc_A57397
		outsd
		jb	short loc_A57348
		outsd
		outsb

loc_A5732A:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+7Aj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A572BAj
		and	[edi+65h], ah
		jz	short near ptr loc_A573A2+1

loc_A5732F:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+93j
		imul	ebp, [esi+67h],	50695420h
		and	[ebp+74h], dh

loc_A57339:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A572C3j
		imul	ebp, [ecx+ebp*2+74h], 20736569h

loc_A57341:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+BFj
		db	66h
		jb	short loc_A573B3

loc_A57344:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+B9j
		insd
		and	[eax+44h], bl

loc_A57348:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+ECj
		push	esi

loc_A57349:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+95j
		or	al, cs:[eax]
??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@ endp


;  S U B	R O U T	I N E 


??_C@_0BG@EOHDJONM@XdvQueryDispatchTable@JKADOLAD@ proc	near
					; CODE XREF: ViXdvDriverLoadImage(x)+2B8p
					; DATA XREF: ViXdvDriverLoadImage(x):loc_A5BE95o ...
		pop	eax
		db	64h
		jbe	short near ptr loc_A5739F+2
		jnz	short loc_A573B7
??_C@_0BG@EOHDJONM@XdvQueryDispatchTable@JKADOLAD@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@

loc_A57352:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57307j
		jb	short near ptr loc_A573CC+1
		inc	esp

loc_A57355:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+A5j
		imul	esi, [ebx+70h],	68637461h
		push	esp
		popa
		bound	ebp, [ebp+0]

??_C@_0EO@LICNNLJA@Driver?5has?5attempted?5to?5access?5@JKADOLAD@:
					; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A572F7j
					; DATA XREF: ViGetAdapterInformationInternal(x,x)+C5o
		inc	esp
		jb	short near ptr loc_A573CC+2
		jbe	short loc_A573CC
		jb	short loc_A57389

loc_A57369:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+C6j
		push	61207361h
		jz	short loc_A573E4
		db	65h
		insd

loc_A57372:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+C2j
		jo	short near ptr loc_A573E7+1
		db	65h
		and	fs:[edi+ebp*2+20h], dh
		popa
		arpl	[ebx+65h], sp
		jnb	short loc_A573F3
		and	[ecx+6Eh], ah
		and	[ecx+64h], ah
		popa
		jo	short loc_A573FD

loc_A57389:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+12Dj
		db	65h
		jb	short loc_A573AC
		sub	ds:74202970h, ah
		push	68207461h

loc_A57397:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57323j
		popa
		jnb	short loc_A573BA
		popa
		insb
		jb	short near ptr loc_A57402+1
		popa

loc_A5739F:				; CODE XREF: ??_C@_0BG@EOHDJONM@XdvQueryDispatchTable@JKADOLAD@+1j
		db	64h
		jns	short near ptr loc_A573C0+2

loc_A573A2:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+F3j
		bound	esp, [ebp+65h]
		outsb
		and	[edx+65h], dh
		insb
		db	65h
		popa

loc_A573AC:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57389j
		jnb	short near ptr loc_A57412+1
		add	fs:[edi+ebp*2+6Fh], dl ; DATA XREF: ViReleaseDmaAdapter(x)+A6o

loc_A573B3:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57341j
		and	[ebp+61h], ch
		outsb

loc_A573B7:				; CODE XREF: ??_C@_0BG@EOHDJONM@XdvQueryDispatchTable@JKADOLAD@+4j
		jns	short near ptr loc_A573D7+2
		outsd

loc_A573BA:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+15Ej
		jnz	short near ptr loc_A5742F+1
		jnb	short loc_A57432
		popa
		outsb

loc_A573C0:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A5739Fj
		imul	ebp, fs:[esi+67h], 66657220h
		db	65h
		jb	short near ptr loc_A5742F+1
		outsb

loc_A573CC:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+12Bj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57352j ...
		arpl	[ebp+20h], sp
		arpl	[edi+75h], bp
		outsb
		jz	short near ptr loc_A57447+1
		and	[eax], ch

loc_A573D7:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A573B7j
		and	eax, 66202978h
		outsd
		jb	short near ptr loc_A573FD+2
		popa
		db	64h
		popa
		jo	short loc_A57458

loc_A573E4:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+134j
		db	65h
		jb	short near ptr loc_A57405+2

loc_A573E7:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57372j
					; DATA XREF: VfPutDmaAdapter(x)+148o
		and	eax, 61430070h
		outsb
		outsb
		outsd
		jz	short near ptr loc_A5740F+2
		jo	short loc_A57468

loc_A573F3:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+144j
		jz	short near ptr loc_A57414+1
		popa
		db	64h
		popa
		jo	short near ptr loc_A5746D+1
		db	65h
		jb	short near ptr loc_A5741A+3

loc_A573FD:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+14Dj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+1A3j
		and	eax, 6E752070h

loc_A57402:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+162j
		jz	short loc_A5746D
		insb

loc_A57405:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A573E4j
		and	[ecx+6Ch], ah
		insb
		and	[ebx+63h], dh
		popa
		jz	short near ptr loc_A57481+2

loc_A5740F:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+1B5j
		db	65h
		jb	short loc_A57432

loc_A57412:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A573ACj
		db	67h
		popa

loc_A57414:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A573F3j
		jz	short loc_A5747E
		db	65h
		jb	short loc_A57439
		insb

loc_A5741A:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+1C0j
		imul	esi, [ebx+74h],	72612073h
		and	gs:[esi+72h], ah
		db	65h, 65h
		and	fs:[eax], ch
		and	eax, 656C2078h

loc_A5742F:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A573BAj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+18Ej
		db	66h
		jz	short near ptr loc_A5745A+1

loc_A57432:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+182j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A5740Fj
					; DATA XREF: ...
		add	cs:[ebx+61h], al
		outsb
		outsb
		outsd

loc_A57439:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+1DCj
		jz	short near ptr loc_A5745A+1
		jo	short near ptr loc_A574B1+1
		jz	short near ptr loc_A5745A+5
		popa
		db	64h
		popa
		jo	short near ptr loc_A574B7+1
		db	65h
		jb	short near ptr loc_A57465+2

loc_A57447:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+199j
		and	eax, 6E752070h
		jz	short loc_A574B7
		insb
		and	[ecx+6Ch], ah
		insb
		and	[ebp+61h], ch
		jo	short ??_C@_0ED@BJJMKJGC@The?5provided?5MDL?5is?5not?5suffici@JKADOLAD@

loc_A57458:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+1A8j
		jb	short loc_A574BF

loc_A5745A:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A5742Fj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57439j ...
		imul	esi, [bp+di+74h], 20737265h
		popa
		jb	short near ptr loc_A574C7+3

loc_A57465:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+20Aj
		and	[esi+72h], ah

loc_A57468:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+1B7j
		db	65h, 65h
		and	fs:[eax], ch

loc_A5746D:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57402j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+1BEj
		and	eax, 656C2078h
		db	66h
		jz	short near ptr loc_A5749D+1
		db	2Eh
		add	ah, cl

??_C@_0ED@BJJMKJGC@The?5provided?5MDL?5is?5not?5suffici@JKADOLAD@:
					; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+21Cj
					; DATA XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+78o	...
		push	esp
		push	72702065h

loc_A5747E:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57414j
		outsd
		jbe	short near ptr loc_A574E9+1

loc_A57481:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+1D3j
		db	64h, 65h
		and	fs:[ebp+44h], cl
		dec	esp
		and	[ecx+73h], ch
		and	[esi+6Fh], ch
		jz	short near ptr loc_A574AE+2
		jnb	short near ptr loc_A57504+3
		db	66h, 66h
		imul	esp, [ebx+69h],	20746E65h
		jz	short near ptr loc_A5750A+2

loc_A5749D:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+238j
		and	[ebx+61h], dh
		jz	short near ptr loc_A5750A+1
		jnb	short loc_A5750A
		jns	short near ptr loc_A574C5+1
		jz	short loc_A57510
		and	gs:[edx+65h], dh
		jno	short loc_A57523

loc_A574AE:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+254j
		db	65h
		jnb	short loc_A57525

loc_A574B1:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+201j
		db	65h
		and	fs:[ebp+6Eh], ch

loc_A574B7:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+212j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+208j
		db	67h
		jz	near ptr 7522h
		add	ah, cl

??_C@_0GB@BNKDPEHI@Cannot?5flush?5map?5register?5that?5@JKADOLAD@:
					; DATA XREF: VfFlushAdapterBuffers(x,x,x,x,x,x)+81o
		inc	ebx
		popa
		outsb

loc_A574BF:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57458j
		outsb
		outsd
		jz	short loc_A574E3
		db	66h
		insb

loc_A574C5:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+26Aj
		jnz	short loc_A5753A

loc_A574C7:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+229j
		push	70616D20h
		and	[edx+65h], dh
		imul	esi, [bp+di+74h], 74207265h
		push	69207461h
		jnb	short near ptr loc_A57548+4
		daa
		jz	short loc_A57501
		insd
		popa

loc_A574E3:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+287j
		jo	short near ptr loc_A57554+1
		db	65h
		and	fs:[eax], esp

loc_A574E9:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+245j
		sub	[ebp+61h], cl
		jo	short loc_A5750E
		jb	short near ptr loc_A57554+1
		imul	esi, [bp+di+74h], 62207265h
		popa
		jnb	short near ptr loc_A5755E+2
		and	ds:66202C70h, ah

loc_A57501:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+2A5j
		insb
		jnz	short loc_A57577

loc_A57504:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+256j
		push	20676E69h
		popa

loc_A5750A:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+268j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+266j ...
		db	64h, 64h
		jb	short near ptr loc_A57571+2

loc_A5750E:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+2B2j
		jnb	short near ptr loc_A57582+1

loc_A57510:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+26Cj
		and	ds:4D202C70h, ah
		inc	esp
		dec	esp
		and	ds:0CC002970h, ah

??_C@_0EP@PLLALHLD@Driver?5has?5attempted?5to?5access?5@JKADOLAD@:
					; DATA XREF: VfPutDmaAdapter(x)+69o
		inc	esp
		jb	short near ptr loc_A57589+1
		jbe	short near ptr loc_A57587+1

loc_A57523:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+272j
		jb	short loc_A57545

loc_A57525:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A574AEj
		push	61207361h
		jz	short loc_A575A0
		db	65h
		insd
		jo	short near ptr loc_A575A3+1
		db	65h
		and	fs:[edi+ebp*2+20h], dh
		popa
		arpl	[ebx+65h], sp

loc_A5753A:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A574C5j
		jnb	short near ptr loc_A575AE+1
		and	[ecx+6Eh], ah
		and	[ecx+64h], ah
		popa
		jo	short loc_A575B9

loc_A57545:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57523j
		db	65h
		jb	short loc_A57568

loc_A57548:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+2A2j
		sub	ds:74202970h, ah
		push	68207461h
		popa

loc_A57554:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A574E3j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+2B4j
		jnb	short near ptr loc_A57575+1
		popa
		insb
		jb	short near ptr loc_A575BD+2
		popa
		db	64h
		jns	short near ptr loc_A5757D+1

loc_A5755E:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+2BFj
		bound	esp, [ebp+65h]
		outsb
		and	[edx+65h], dh
		insb
		db	65h
		popa

loc_A57568:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57545j
		jnb	short loc_A575CF
		db	64h, 2Eh
		add	ah, cl

??_C@_0DA@MKAOPBB@DMA?5adapters?5aren?8t?5supposed?5to@JKADOLAD@:
					; DATA XREF: ViGetRealDmaOperation(x,x)+20o
		inc	esp
		dec	ebp
		inc	ecx

loc_A57571:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A5750Aj
		and	[ecx+64h], ah
		popa

loc_A57575:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57554j
		jo	short loc_A575EB

loc_A57577:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+2C8j
		db	65h
		jb	short loc_A575ED
		and	[ecx+72h], ah

loc_A5757D:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+321j
		outs	dx, byte ptr gs:[esi]
		daa
		jz	short loc_A575A2

loc_A57582:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A5750Ej
		jnb	short near ptr loc_A575F5+4
		jo	short near ptr loc_A575F5+1
		outsd

loc_A57587:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+2E7j
		jnb	short loc_A575EE

loc_A57589:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+2E5j
		and	fs:[edi+ebp*2+20h], dh
		bound	esp, [ebp+20h]
		dec	esi
		push	ebp
		dec	esp
		dec	esp
		and	[ecx+6Eh], ah
		jns	short loc_A57607
		outsd
		jb	short near ptr loc_A57601+1
		add	[ebx+61h], al	; DATA XREF: VfPutDmaAdapter(x)+DCo

loc_A575A0:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+2F0j
		outsb
		outsb

loc_A575A2:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+346j
		outsd

loc_A575A3:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+2F4j
		jz	short near ptr loc_A575C4+1
		jo	short near ptr loc_A57619+3
		jz	short near ptr loc_A575C7+2
		popa
		db	64h
		popa
		jo	short near ptr loc_A5761E+4

loc_A575AE:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A5753Aj
		db	65h
		jb	short near ptr loc_A575CF+2
		and	eax, 6E752070h
		jz	short near ptr loc_A5761E+3
		insb

loc_A575B9:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+309j
		and	[ecx+6Ch], ah
		insb

loc_A575BD:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+31Ej
		and	[ebx+6Fh], ah
		insd
		insd
		outsd
		outsb

loc_A575C4:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A575A3j
		and	[edx+75h], ah

loc_A575C7:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+36Dj
		db	66h, 66h, 65h
		jb	short near ptr loc_A5763D+2
		and	[ecx+72h], ah

loc_A575CF:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57568j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A575AEj
		and	gs:[esi+72h], ah
		db	65h, 65h
		and	fs:[eax], ch
		and	eax, 656C2078h
		db	66h
		jz	short near ptr loc_A57607+2
		add	cs:[ebx+61h], al ; DATA	XREF: VfPutDmaAdapter(x)+A1o
		outsb
		outsb
		outsd
		jz	short near ptr loc_A57607+2
		jo	short loc_A57660

loc_A575EB:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57575j
		jz	short loc_A5760D

loc_A575ED:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57577j
		popa

loc_A575EE:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57587j
		db	64h
		popa
		jo	short loc_A57666
		db	65h
		jb	short near ptr loc_A57614+1

loc_A575F5:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+34Aj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57582j
		and	eax, 6E752070h
		jz	short near ptr loc_A57663+2
		insb
		and	[ecx+6Ch], ah
		insb

loc_A57601:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+361j
		and	[ecx+64h], ah
		popa
		jo	short loc_A5767B

loc_A57607:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+35Ej
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+3A3j ...
		db	65h
		jb	short loc_A5762A
		arpl	[eax+61h], bp

loc_A5760D:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A575EBj
		outsb
		outsb
		db	65h
		insb
		jnb	short loc_A57633
		popa

loc_A57614:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+3B8j
		jb	short loc_A5767B
		and	[esi+72h], ah

loc_A57619:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+36Bj
		db	65h, 65h
		and	fs:[eax], ch

loc_A5761E:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+37Cj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+372j
		and	eax, 656C2078h
		db	66h
		jz	short near ptr loc_A5764C+3
		add	cs:[ebx+6Fh], al
					; DATA XREF: ViSpecialAllocateCommonBuffer(x,x,x,x,x,x)+4Bo

loc_A5762A:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57607j
		jnz	short near ptr loc_A57697+1
		outs	dx, byte ptr fs:[esi]
		daa
		jz	short near ptr loc_A5764C+5
		jz	short near ptr loc_A576A4+1

loc_A57633:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+3D7j
		popa
		arpl	[ebx+20h], bp
		arpl	[edi+6Dh], bp
		insd
		outsd
		outsb

loc_A5763D:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A575C7j
		and	[edx+75h], ah
		db	66h, 66h, 65h
		jb	short near ptr loc_A57663+2
		popa
		insb
		insb
		outsd
		arpl	[ecx+74h], sp

loc_A5764C:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+3E9j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+3F5j
					; DATA XREF: ...
		imul	ebp, [edi+6Eh],	48CC000Ah
		popa
		insb
		inc	edi
		db	65h
		jz	short loc_A5769A
		db	64h
		popa
		jo	short near ptr loc_A576D0+1
		db	65h
		jb	short near ptr loc_A5767F+1

loc_A57660:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+3AFj
		inc	ecx
		push	eax
		dec	ecx

loc_A57663:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+3C0j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+406j
		and	[edi+62h], ch

loc_A57666:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+3B6j
		jnb	short loc_A576D7
		insb
		db	65h
		jz	short near ptr loc_A576D0+1
		and	ds:7375202Dh, ch
		and	gs:[ecx+6Fh], cl
		inc	edi
		db	65h
		jz	short loc_A576BE
		insd

loc_A5767B:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+3CBj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57614j
		popa
		inc	ecx
		db	64h
		popa

loc_A5767F:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+423j
		jo	short loc_A576F5
		db	65h
		jb	short loc_A576A4
		imul	ebp, [esi+73h],	64616574h
		add	[ebp+61h], cl	; DATA XREF: ViAdapterCallback(x,x,x,x)+9Fo
		jnb	short loc_A57704
		db	65h
		jb	short near ptr loc_A576B2+1
		db	64h, 65h
		jbe	short near ptr loc_A576FB+5

loc_A57697:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A5762Aj
		arpl	[ebp+73h], sp

loc_A5769A:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+41Cj
		and	[ebx+68h], dh
		outsd
		jnz	short loc_A5770C
		and	fs:[edx+65h], dh

loc_A576A4:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+447j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+3F7j
		jz	short near ptr loc_A57716+5
		jb	short loc_A57716
		and	[ebp+61h], al
		insb
		insb
		outsd
		arpl	[ecx+74h], sp

loc_A576B2:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+456j
		db	65h
		dec	edi
		bound	ebp, [edx+65h]
		arpl	[ebx+ecx*2+65h], si
		db	65h
		jo	short near ptr loc_A5770F+1

loc_A576BE:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+43Dj
		imul	esi, gs:[bp+di+74h], 0A737265h
		add	[edx+esi*2+69h], al ; DATA XREF: ViAdapterCallback(x,x,x,x)+95o
		jbe	short near ptr loc_A5772D+5
		jb	short near ptr loc_A576ED+2
		popa

loc_A576D0:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+421j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+42Fj
		jz	short near ptr loc_A576ED+5
		popa
		db	64h, 64h
		jb	short near ptr loc_A5773B+1

loc_A576D7:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57666j
		jnb	short loc_A5774C
		and	ds:61682070h, ah
		jnb	short loc_A57701
		popa
		and	[eax+72h], dh
		outsd
		bound	ebp, [ebp+6Dh]
		or	al, [eax]

??_C@_0CP@KAKNJBNN@Virtual?5address?5?$CFp?5is?5before?5th@JKADOLAD@:
					; DATA XREF: ViMapDoubleBuffer(x,x,x,x,x)+80o
		push	esi

loc_A576ED:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+493j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A576D0j
		imul	esi, [edx+74h],	206C6175h
		popa

loc_A576F5:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A5767Fj
		db	64h, 64h
		jb	short loc_A5775E
		jnb	short near ptr loc_A5776D+1

loc_A576FB:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+459j
		and	ds:73692070h, ah

loc_A57701:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+4A5j
		and	[edx+65h], ah

loc_A57704:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+454j
		outsw
		jb	short loc_A5776D
		and	[eax+ebp*2+65h], dh

loc_A5770C:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+464j
		and	[esi+69h], ah

loc_A5770F:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+481j
		jb	short near ptr loc_A5777D+7
		jz	short near ptr loc_A5772D+6
		dec	ebp
		inc	esp
		dec	esp

loc_A57716:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+46Cj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A576A4j
		and	ds:0CC002E70h, ah

??_C@_0DB@OELHKNHO@Driver?5is?5attempting?5to?5map?5a?50@JKADOLAD@:
					; DATA XREF: ViMapDoubleBuffer(x,x,x,x,x)+26o
		inc	esp
		jb	short near ptr loc_A57785+3
		jbe	short near ptr loc_A57785+1
		jb	short near ptr loc_A57742+1
		imul	esi, [ebx+20h],	65747461h
		insd
		jo	short loc_A577A1

loc_A5772D:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+491j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+4D7j
		imul	ebp, [esi+67h],	206F7420h
		insd
		popa
		jo	short loc_A57758
		popa
		and	[eax], dh

loc_A5773B:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+499j
		sub	eax, 676E656Ch
		jz	short near ptr loc_A577A8+2

loc_A57742:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+4E7j
		and	[edx+esi*2+61h], dh
		outsb
		jnb	short near ptr loc_A577AC+3
		db	65h
		jb	short near ptr loc_A57779+1

loc_A5774C:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A576D7j
		add	ah, cl

??_C@_0EK@KMJLBFKL@FLUSH?3?5Can?5only?5flush?5?$CFx?5bytes?5@JKADOLAD@:
					; DATA XREF: ViFlushDoubleBuffer(x,x,x,x,x)+B7o
		inc	esi
		dec	esp
		push	ebp
		push	ebx
		dec	eax
		cmp	ah, [eax]
		inc	ebx
		popa
		outsb

loc_A57758:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+4FCj
		and	[edi+6Eh], ch
		insb
		jns	short near ptr loc_A5777D+1

loc_A5775E:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A576F5j
		db	66h
		insb
		jnz	short near ptr loc_A577D3+2
		push	20782520h
		bound	edi, [ecx+74h]
		db	65h
		jnb	short loc_A5778D

loc_A5776D:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+4CCj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+4BFj
		jz	short near ptr loc_A577DB+3
		and	[ebp+6Eh], ah
		and	fs:[edi+66h], ch
		and	[ebp+61h], ch

loc_A57779:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+50Fj
		jo	short loc_A5779B
		jb	short loc_A577E2

loc_A5777D:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+522j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A5770Fj
		imul	esi, [bp+di+74h], 66207265h

loc_A57785:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+4E5j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+4E3j
		imul	ebp, [ebp+20h],	20782528h

loc_A5778D:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+530j
		popa
		jz	short loc_A57804
		db	65h
		insd
		jo	short loc_A57808
		db	65h
		sub	fs:[eax], eax

??_C@_0DD@MALFEKON@Cannot?5flush?5buffers?5that?5aren?8@JKADOLAD@:
					; DATA XREF: ViFlushDoubleBuffer(x,x,x,x,x)+43o
		inc	ebx
		popa
		outsb

loc_A5779B:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57779j
		outsb
		outsd
		jz	short near ptr loc_A577BD+2
		db	66h
		insb

loc_A577A1:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+4F1j
		jnz	short loc_A57816
		push	66756220h

loc_A577A8:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+506j
		db	66h, 65h
		jb	short near ptr loc_A5781E+1

loc_A577AC:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+50Dj
		and	[eax+ebp*2+61h], dh
		jz	short near ptr loc_A577D1+1
		popa
		jb	short near ptr loc_A57819+1
		outsb
		daa
		jz	short near ptr loc_A577D3+6
		insd
		popa
		jo	short near ptr loc_A5782C+1

loc_A577BD:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+563j
		db	65h
		and	fs:[eax], ch
		inc	ecx
		db	64h, 64h
		jb	short loc_A577E6
		and	eax, 2E2970h
		int	3		; Trap to Debugger

??_C@_0FA@OOMHDMHL@Driver?5is?5trying?5to?5map?5an?5addr@JKADOLAD@:
					; DATA XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+99o
		inc	esp
		jb	short near ptr loc_A57834+4
		jbe	short near ptr loc_A57834+2

loc_A577D1:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+576j
		jb	short near ptr loc_A577F2+1

loc_A577D3:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+526j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+57Dj
		imul	esi, [ebx+20h],	69797274h
		outsb

loc_A577DB:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A5776Dj
		and	[si+6Fh], dh
		and	[ebp+61h], ch

loc_A577E2:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+541j
		jo	short loc_A57804
		popa
		outsb

loc_A577E6:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+588j
		and	[ecx+64h], ah
		db	64h
		jb	short near ptr loc_A57850+1
		jnb	short near ptr loc_A57860+1
		and	[edx+61h], dh
		outsb

loc_A577F2:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A577D1j
		sub	gs:[di], ah
		jo	short loc_A57825
		and	eax, 74202970h
		push	69207461h
		jnb	short near ptr loc_A57820+4

loc_A57804:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+554j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A577E2j
		popa
		insb
		jb	short loc_A5786D

loc_A57808:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+558j
		popa
		db	64h
		jns	short loc_A5782C
		insd
		popa
		jo	short near ptr loc_A5787B+5
		db	65h
		and	fs:[eax], ah
		and	[eax], ah

loc_A57816:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A577A1j
		popa
		jz	short near ptr loc_A57834+5

loc_A57819:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+579j
					; DATA XREF: ViFlushDoubleBuffer(x,x,x,x,x)+115o
		and	eax, 6C460070h

loc_A5781E:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A577A8j
		jnz	short near ptr loc_A5788F+4

loc_A57820:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+5C8j
		push	20676E69h

loc_A57825:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+5BCj
		jz	short near ptr loc_A57895+1
		outsd
		and	[ebp+61h], ch
		outsb

loc_A5782C:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+5CFj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+581j
		jns	short loc_A5784E
		insd
		popa
		jo	short near ptr loc_A57850+2
		jb	short near ptr loc_A57898+1

loc_A57834:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+595j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+593j ...
		imul	esi, [bp+di+74h], 0A737265h
		add	ah, cl

??_C@_0EC@CIOODOFP@Extra?5transfer?5length?5crosses?5a@JKADOLAD@:
					; DATA XREF: ViMapDoubleBuffer(x,x,x,x,x)+1D3o
		inc	ebp
		js	short near ptr loc_A578B3+2
		jb	short loc_A578A4
		and	[edx+esi*2+61h], dh
		outsb
		jnb	short near ptr loc_A578AF+1
		db	65h
		jb	short loc_A5786D
		insb

loc_A5784E:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A5782Cj
		outs	dx, byte ptr gs:[esi]

loc_A57850:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+5AFj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+5F6j
		db	67h
		jz	near ptr 78BBh
		and	[ebx+72h], ah
		outsd
		jnb	short loc_A578CC
		db	65h
		jnb	short near ptr loc_A5787B+1
		popa
		and	[eax+61h], dh

loc_A57860:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+5B2j
		and	gs:[bp+si+6Fh],	ah
		jnz	short loc_A578D5
		db	64h
		popa
		jb	short near ptr loc_A578E0+4
		cmp	ah, [eax]

loc_A5786D:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+5CCj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+610j
		dec	ebp
		db	64h
		insb
		and	ds:4C202C70h, ah
		outs	dx, byte ptr gs:[esi]
		db	67h
		jz	near ptr 78E3h

loc_A5787B:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+61Fj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+5D4j
					; DATA XREF: ...
		and	ds:56002E78h, ah
		imul	esi, [edx+74h],	206C6175h
		popa
		db	64h, 64h
		jb	short loc_A578F2
		jnb	short loc_A57902

loc_A5788F:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A5781Ej
		and	ds:73692070h, ah

loc_A57895:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57825j
		and	[ecx+66h], ah

loc_A57898:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+5F8j
		jz	short loc_A578FF
		jb	short near ptr loc_A578BA+2
		jz	short near ptr loc_A57905+1
		and	gs:[esi+69h], ah
		jb	short loc_A57917

loc_A578A4:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+607j
		jz	short loc_A578C6
		dec	ebp
		inc	esp
		dec	esp
		and	ds:45002E70h, ah ; DATA	XREF: ViMapDoubleBuffer(x,x,x,x,x)+21Bo

loc_A578AF:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+60Ej
		js	short near ptr loc_A57924+1
		jb	short near ptr loc_A57913+1

loc_A578B3:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+605j
		and	[edx+esi*2+61h], dh
		outsb
		jnb	short loc_A57920

loc_A578BA:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+660j
		db	65h
		jb	short loc_A578DD
		insb
		outs	dx, byte ptr gs:[esi]
		db	67h
		jz	near ptr 792Bh
		and	[ebx+72h], ah

loc_A578C6:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A578A4j
		outsd
		jnb	short near ptr loc_A57934+8
		db	65h
		jnb	short near ptr loc_A578EB+1

loc_A578CC:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+61Dj
		popa
		and	[eax+61h], dh
		and	gs:[bp+si+6Fh],	ah

loc_A578D5:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+62Bj
		jnz	short loc_A57945
		db	64h
		popa
		jb	short loc_A57954
		cmp	ah, [eax]

loc_A578DD:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A578BAj
		dec	ebp
		db	64h
		insb

loc_A578E0:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+62Fj
		and	ds:4C202C70h, ah
		outs	dx, byte ptr gs:[esi]
		db	67h
		jz	near ptr 7953h

loc_A578EB:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+68Fj
					; DATA XREF: ViCheckPadding(x,x,x,x)+105o
		and	ds:50CC0078h, ah
		popa

loc_A578F2:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+64Fj
		db	64h
		imul	ebp, fs:[esi+67h], 74666120h
		db	65h
		jb	short loc_A5791E
		popa

loc_A578FF:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57898j
		insb
		insb
		outsd

loc_A57902:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+653j
		arpl	[ecx+74h], sp

loc_A57905:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+662j
		imul	ebp, [edi+6Eh],	20746120h
		and	eax, 61682070h
		jnb	short loc_A57933

loc_A57913:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+677j
		bound	esp, [ebp+65h]
		outsb

loc_A57917:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+668j
		and	[ecx+6Ch], ch
		insb
		db	65h, 67h
		popa

loc_A5791E:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+6C1j
		insb
		insb

loc_A57920:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+67Ej
		jns	short near ptr loc_A57940+2
		insd
		outsd

loc_A57924:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A578AFj
		imul	esp, fs:[esi+69h], 61206465h
		jz	short near ptr loc_A57948+6
		and	eax, 50002E70h	; DATA XREF: ViCheckPadding(x,x,x,x)+C6o

loc_A57933:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+6D7j
		popa

loc_A57934:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+68Dj
		db	64h
		imul	ebp, fs:[esi+67h], 66656220h
		outsd
		jb	short near ptr loc_A579A4+1

loc_A57940:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57920j
		and	[ecx+6Ch], ah
		insb
		outsd

loc_A57945:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A578D5j
		arpl	[ecx+74h], sp

loc_A57948:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+6F2j
		imul	ebp, [edi+6Eh],	20746120h
		and	eax, 61682070h

loc_A57954:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+69Fj
		jnb	short ??_C@_07CLFOEEIC@?$CK?$CK?5VF?3?5@JKADOLAD@
		bound	esp, [ebp+65h]
		outsb
		and	[ecx+6Ch], ch
		insb
		db	65h, 67h
		popa
		insb
		insb
		jns	short loc_A57985
		insd
		outsd
		imul	esp, fs:[esi+69h], 61206465h
		jz	short loc_A57991
		and	eax, 0CC002E70h

??_C@_07CLFOEEIC@?$CK?$CK?5VF?3?5@JKADOLAD@:
					; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57954j
					; DATA XREF: ViHalPreprocessOptions(x,x,x,x,x,x)+5Ao
		sub	ch, [edx]
		and	[esi+46h], dl
		cmp	ah, [eax]
		add	[edx], ch	; DATA XREF: ViHalPreprocessOptions(x,x,x,x,x,x):loc_A6089Ao
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]

loc_A57985:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+729j
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ah, [eax]
		dec	eax
		inc	ecx

loc_A57991:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+735j
		dec	esp
		and	[esi+65h], dl
		jb	short loc_A57A00
		imul	sp, [ebp+72h], 4420h
		db	65h
		jz	short near ptr loc_A57A00+5
		arpl	[ebp+64h], si

loc_A579A4:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+704j
		and	[esi+69h], dl
		outsd
		insb
		popa
		jz	short loc_A57A15
		outsd
		outsb
		and	[edx], ch
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	cl, [edx]
		add	ah, cl

??_C@_0DI@KHHAGFFI@Area?5before?5?$CFx?5byte?5allocation?5@JKADOLAD@:
					; DATA XREF: ViCheckTag(x,x,x,x)+3Co
		inc	ecx
		jb	short near ptr loc_A57A26+4
		popa
		and	[edx+65h], ah
		outsw
		jb	short loc_A57A32
		and	ds:79622078h, ah
		jz	short loc_A57A3A
		and	[ecx+6Ch], ah
		insb
		outsd
		arpl	[ecx+74h], sp
		imul	ebp, [edi+6Eh],	20746120h
		and	eax, 61682070h
		jnb	short near ptr loc_A57A09+2
		bound	esp, [ebp+65h]
		outsb
		and	[ebp+6Fh], ch
		imul	esp, fs:[esi+69h], 2E6465h

??_C@_0CH@KJCAEBLJ@Map?5registers?5needed?3?5?$CFx?5availa@JKADOLAD@:
					; DATA XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+10Fo
		dec	ebp
		popa
		jo	short loc_A57A1E
		jb	short loc_A57A65

loc_A57A00:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+75Bj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+763j
		imul	esi, [bp+di+74h], 20737265h
		outsb

loc_A57A09:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+7AFj
		db	65h, 65h, 64h, 65h
		cmp	ah, fs:[eax]
		and	eax, 76612078h

loc_A57A15:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+770j
		popa
		imul	ebp, [ecx+62h],	203A656Ch

loc_A57A1E:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+7C2j
					; DATA XREF: ViCheckPadding(x,x,x,x)+39o
		and	eax, 56CC0078h
		db	65h
		jb	short near ptr loc_A57A89+6

loc_A57A26:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+789j
		imul	sp, [ebp+64h], 6420h
		jb	short near ptr loc_A57A96+1
		jbe	short loc_A57A95
		jb	short loc_A57A52

loc_A57A32:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+791j
		outsd
		jb	short loc_A57A55
		push	77647261h

loc_A57A3A:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+799j
		popa
		jb	short near ptr loc_A57AA0+2
		and	[eax+61h], ch
		jnb	short near ptr loc_A57A61+1
		arpl	[edi+72h], bp
		jb	short loc_A57ABC
		jo	short near ptr loc_A57ABC+1
		db	65h
		and	fs:[ebp+65h], ch
		insd
		outsd
		jb	short near ptr loc_A57AC7+4

loc_A57A52:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+7F6j
		and	[ecx+74h], ah

loc_A57A55:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+7F9j
					; DATA XREF: ViCheckTag(x,x,x,x)+86o
		and	ds:41002E70h, ah
		jb	short near ptr loc_A57ABF+3
		popa
		and	[ecx+66h], ah

loc_A57A61:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+806j
		jz	short near ptr loc_A57AC7+1
		jb	short loc_A57A85

loc_A57A65:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+7C4j
		and	eax, 79622078h
		jz	short near ptr loc_A57ACE+3
		and	[ecx+6Ch], ah
		insb
		outsd
		arpl	[ecx+74h], sp
		imul	ebp, [edi+6Eh],	20746120h
		and	eax, 61682070h
		jnb	short near ptr loc_A57AA0+2
		bound	esp, [ebp+65h]

loc_A57A85:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+829j
		outsb
		and	[ebp+6Fh], ch

loc_A57A89:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+7E9j
		imul	esp, fs:[esi+69h], 2E6465h
		int	3		; Trap to Debugger

??_C@_0DK@NOLCPOII@Allocating?5too?5many?5map?5registe@JKADOLAD@:
					; DATA XREF: ADD_MAP_REGISTERS(x,x,x)+32o
		inc	ecx
		insb
		insb

loc_A57A95:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+7F4j
		outsd

loc_A57A96:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+7F2j
		arpl	[ecx+74h], sp
		imul	ebp, [esi+67h],	6F6F7420h

loc_A57AA0:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+801j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+846j
		and	[ebp+61h], ch
		outsb
		jns	short near ptr loc_A57AC5+1
		insd
		popa
		jo	short near ptr loc_A57AC7+3
		jb	short loc_A57B11
		imul	esi, [bp+di+74h], 20737265h
		popa
		jz	short near ptr loc_A57AD4+3
		popa
		and	[ecx+ebp*2+6Dh], dh

loc_A57ABC:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+80Bj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+80Dj
		cmp	ah, gs:[eax]

loc_A57ABF:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+821j
		and	eax, 6D282078h
		popa

loc_A57AC5:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+86Aj
		js	short near ptr loc_A57AE4+3

loc_A57AC7:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57A61j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+86Ej ...
		and	eax, 2E2978h

??_C@_0CH@OICBHBJF@Bad?5IRQL?5?9?9?5needed?5?$CFx?5or?5less?0?5@JKADOLAD@:
					; DATA XREF: VF_ASSERT_MAX_IRQL(x)+1Eo
		inc	edx
		popa

loc_A57ACE:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+830j
		and	fs:[ecx+52h], cl
		push	ecx
		dec	esp

loc_A57AD4:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+87Bj
		and	ds:656E202Dh, ch
		db	65h, 64h, 65h
		and	fs:726F2078h, ah

loc_A57AE4:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57AC5j
		and	[ebp+73h], ch
		jnb	short near ptr loc_A57B11+5
		and	[edi+6Fh], ah
		jz	short near ptr loc_A57B09+6
		and	eax, 0CC002E78h

??_C@_0CD@DFOPLOLM@Freed?5too?5many?5map?5registers?3?5?9@JKADOLAD@:
					; DATA XREF: SUBTRACT_MAP_REGISTERS(x,x)+24o
		inc	esi
		jb	short near ptr loc_A57B57+5
		db	65h
		and	fs:[edi+ebp*2+6Fh], dh
		and	[ebp+61h], ch
		outsb
		jns	short near ptr loc_A57B1F+4
		insd
		popa
		jo	short near ptr loc_A57B25+2
		jb	short loc_A57B6E

loc_A57B09:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+8B3j
		imul	esi, [bp+di+74h], 3A737265h

loc_A57B11:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+870j
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+8AEj
		and	ds:2E7825h, ch
		int	3		; Trap to Debugger

??_C@_0DA@CMGHAJAF@Allocated?5too?5many?5map?5register@JKADOLAD@:
					; DATA XREF: ADD_MAP_REGISTERS(x,x,x)+6Co
		inc	ecx
		insb
		insb
		outsd
		arpl	[ecx+74h], sp

loc_A57B1F:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+8C7j
		db	65h
		and	fs:[edi+ebp*2+6Fh], dh

loc_A57B25:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+8CBj
		and	[ebp+61h], ch
		outsb
		jns	short near ptr loc_A57B49+2
		insd
		popa
		jo	short near ptr loc_A57B49+6
		jb	short near ptr ??_C@_0BP@JBIBOOJN@Bad?5IRQL?5?9?9?5needed?5?$CFx?0?5got?5?$CFx?4@JKADOLAD@+12h
		imul	esi, [bp+di+74h], 20737265h
		cmp	ah, [eax]
		and	eax, 6D282078h
		popa
		js	short near ptr loc_A57B60+3
		and	eax, 2E2978h

??_C@_0CL@HDDFKFCN@Virtual?5address?5?$CFp?5out?5of?5bound@JKADOLAD@:
					; DATA XREF: ViGetMdlBufferSa(x,x)+6Co
		push	esi

loc_A57B49:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+8EFj
					; ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+8F3j
		imul	esi, [edx+74h],	206C6175h
		popa
		db	64h, 64h
		jb	short near ptr loc_A57BB7+3
		jnb	short near ptr loc_A57BC6+4

loc_A57B57:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+8BBj
		and	ds:756F2070h, ah
		jz	short near ptr loc_A57B7E+1
		outsd

loc_A57B60:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+907j
		db	66h
		and	[edx+6Fh], ah
		jnz	short loc_A57BD4
		db	64h
		jnb	short near ptr ??_C@_0BP@JBIBOOJN@Bad?5IRQL?5?9?9?5needed?5?$CFx?0?5got?5?$CFx?4@JKADOLAD@+5
		outsd
		db	66h
		and	[ebp+44h], cl

loc_A57B6E:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+8CDj
		dec	esp
		and	ds:50CC0070h, ah ; DATA	XREF: VfIsPCIBus(x)+38o
		add	[ebx+0], al
		dec	ecx
		add	[eax], ah
		add	[edx+0], ah

loc_A57B7E:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+923j
		jnz	short $+2
		jnb	short $+2
; END OF FUNCTION CHUNK	FOR ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@
; 
		dw 0
??_C@_0BP@JBIBOOJN@Bad?5IRQL?5?9?9?5needed?5?$CFx?0?5got?5?$CFx?4@JKADOLAD@ db 'Bad IRQL -- needed %x, got %x.',0
					; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+92Cj
					; DATA XREF: VF_ASSERT_IRQL(x)+14o
		align 4

;  S U B	R O U T	I N E 


??_C@_0CE@HDMMGAEC@Dma?5MDL?5?$CFp?5not?5mapped?5in?5system@JKADOLAD@ proc near
					; DATA XREF: ViGetMdlBufferSa(x,x)+4Ao
		inc	esp
		insd
		popa
		and	[ebp+44h], cl
		dec	esp
		and	ds:6F6E2070h, ah
		jz	short loc_A57BD3
		insd
		popa
		jo	short near ptr ??_C@_0EH@BDLHAGJH@Driver?5has?5freed?5too?5many?5scatt@JKADOLAD@+2Fh

loc_A57BB7:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+917j
		db	65h
		and	fs:[ecx+6Eh], ch
		and	[ebx+79h], dh
		jnb	short near ptr ??_C@_0EH@BDLHAGJH@Driver?5has?5freed?5too?5many?5scatt@JKADOLAD@+3Dh
		db	65h
		insd
		and	[esi+41h], dl

loc_A57BC6:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+91Bj
					; DATA XREF: VERIFY_BUFFER_LOCKED(x)+32o
		add	cs:[ebp+ecx*2+41h], al
		and	[eax+61h], dl
		db	67h, 65h
		jnb	near ptr 7BF2h
		dec	esi

loc_A57BD3:				; CODE XREF: ??_C@_0CE@HDMMGAEC@Dma?5MDL?5?$CFp?5not?5mapped?5in?5system@JKADOLAD@+Dj
		outsd
??_C@_0CE@HDMMGAEC@Dma?5MDL?5?$CFp?5not?5mapped?5in?5system@JKADOLAD@ endp

; START	OF FUNCTION CHUNK FOR ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@

loc_A57BD4:				; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@+92Aj
		jz	short near ptr word_A57BF6
		dec	esp
		outsd
		arpl	[ebx+65h], bp
		and	fs:[eax], esp
		dec	ebp
		inc	esp
		dec	esp
		and	ds:6F662070h, ah
		jb	short near ptr ??_C@_0EH@BDLHAGJH@Driver?5has?5freed?5too?5many?5scatt@JKADOLAD@+11h
		inc	esp
		dec	ebp
		inc	ecx
		and	[esi+6Fh], ch
		jz	short near ptr ??_C@_0EH@BDLHAGJH@Driver?5has?5freed?5too?5many?5scatt@JKADOLAD@+19h
		insb
		outsd
		arpl	[ebx+65h], bp
; END OF FUNCTION CHUNK	FOR ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@
; 
word_A57BF6	dw 64h			; CODE XREF: ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@:loc_A57BD4j
??_C@_0EH@BDLHAGJH@Driver?5has?5freed?5too?5many?5scatt@JKADOLAD@ db 'Driver has freed too many scatter gather lists %x allocated, %x f'
					; DATA XREF: DECREMENT_SCATTER_GATHER_LISTS(x)+24o
		db 'reed.',0
		align 10h

;  S U B	R O U T	I N E 


??_C@_0CP@GMOPKIEC@Unknown?5version?5?$CFx?5for?5DEVICE_D@JKADOLAD@ proc near
					; DATA XREF: ViCopyDeviceDescription(x,x,x)+19o
		push	ebp
		outsb
??_C@_0CP@GMOPKIEC@Unknown?5version?5?$CFx?5for?5DEVICE_D@JKADOLAD@ endp

		imul	ebp, [esi+6Fh],	77h
		outsb
		and	[esi+65h], dh
		jb	short near ptr ??_C@_0BP@HDCOJAJB@Freed?5too?5many?5common?5buffers?4@JKADOLAD@+0Bh
		imul	ebp, [edi+6Eh],	20782520h
		outsw
		jb	short near ptr ??_C@_0ED@LALDMKKB@Driver?5did?5not?5flush?5adapter?5bu@JKADOLAD@+7
		inc	esp
		inc	ebp
		push	esi
		dec	ecx
		inc	ebx
		inc	ebp
		pop	edi
		inc	esp
		inc	ebp
		push	ebx
		inc	ebx
		push	edx
		dec	ecx
		push	eax
		push	esp
		dec	ecx
		dec	edi
		dec	esi
		and	[eax], ch
		and	eax, 0CC002970h
; 
??_C@_0ED@LALDMKKB@Driver?5did?5not?5flush?5adapter?5bu@JKADOLAD@ db 'Driver did not flush adapter buffers -- bytes mapped: %x (%x max)'
					; CODE XREF: PAGEVRFY:00A57C55j
					; DATA XREF: INCREASE_MAPPED_TRANSFER_BYTE_COUNT(x,x,x)+2Co
		db '.',0
		align 4
??_C@_0BP@HDCOJAJB@Freed?5too?5many?5common?5buffers?4@JKADOLAD@ db 'Freed too many common buffers.',0
					; CODE XREF: PAGEVRFY:00A57C4Aj
					; DATA XREF: DECREMENT_COMMON_BUFFERS(x)+24o
		align 4
??_C@_0DJ@GDLHDGDG@Driver?5has?5freed?5too?5many?5simul@JKADOLAD@ db 'Driver has freed too many simultaneous adapter channels.',0
					; DATA XREF: DECREMENT_ADAPTER_CHANNELS(x)+26o
		align 2
??_C@_0DN@EBMPKFDN@Driver?5has?5allocated?5too?5many?5s@JKADOLAD@ db 'Driver has allocated too many simultaneous adapter channels.',0
					; DATA XREF: INCREMENT_ADAPTER_CHANNELS(x)+2Do
		align 4
; char ??_C[]
??_C@_0GD@FPCOLGIN@?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK@JKADOLAD@ db '************************************************************',0Ah
					; DATA XREF: ViErrorDisplayDescription(x)+3o
		db 'Driver Verifier detected violation:',0Ah
		db 0Ah,0
		align 10h
; char ??_C[]
??_C@_0DP@JBIHBAKA@?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK@JKADOLAD@ db '************************************************************',0Ah
					; DATA XREF: ViErrorFinishReport(x,x,x,x)+9o
		db 0Ah,0
		align 10h

; char ??_C
??_C@_04LOAOMKLI@?$CFs?6?6@JKADOLAD@:	; DATA XREF: ViErrorDisplayDescription(x)+32o
		and	eax, 0A0A73h
		int	3		; Trap to Debugger

??_C@_0FE@LMJJFJKF@How?5would?5you?5like?5to?5proceed?3?5@JKADOLAD@:
					; DATA XREF: ViErrorFinishReport(x,x,x,x)+5Fo
		dec	eax
		outsd
		ja	short loc_A57E1A
		ja	short loc_A57E6B
		jnz	short near ptr loc_A57E66+4
		and	fs:[ecx+6Fh], bh
		jnz	short near ptr loc_A57E22+2
		insb
		imul	ebp, [ebx+65h],	206F7420h
		jo	short near ptr loc_A57E7E+2
		outsd
		arpl	[ebp+65h], sp
		cmp	ah, fs:[eax]
		push	edx
		db	65h
		jnb	short loc_A57E8E
		insd

loc_A57E1A:				; CODE XREF: PAGEVRFY:00A57DF8j
		and	gs:[ebp+78h], ah
		arpl	gs:[ebp+74h], si

loc_A57E22:				; CODE XREF: PAGEVRFY:00A57E02j
		imul	ebp, [edi+6Eh],	6944202Ch
		jnb	short near ptr ??_C@_07IJBEPEDG@hal?4dll@JKADOLAD@+4
		bound	ebp, [ebp+20h]
		bound	esi, [edx+65h]
		popa
		imul	ebp, [eax], 6Fh
		jb	short near ptr loc_A57E57+2
		inc	edx
		jnz	short near ptr loc_A57EA2+1
		arpl	[eax+65h], bp
		arpl	[ebx+20h], bp
		sub	[edx+64h], dh
		bound	ebp, [ecx]
		aas
		and	[eax], al

??_C@_0DN@MJACJDEH@This?5is?5a?5non?9BTS?5processor?5?9?5n@JKADOLAD@:
					; DATA XREF: ViIsBTSSupported():loc_A654D9o
		push	esp
		push	69207369h
		jnb	short loc_A57E72
		popa
		and	[esi+6Fh], ch
		outsb

loc_A57E57:				; CODE XREF: PAGEVRFY:00A57E37j
		sub	eax, 20535442h
		jo	short loc_A57ED0
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_A57ED0+3
		jb	short near ptr loc_A57E84+2

loc_A57E66:				; CODE XREF: PAGEVRFY:00A57DFCj
		sub	eax, 206F6E20h

loc_A57E6B:				; CODE XREF: PAGEVRFY:00A57DFAj
		bound	esi, [edx+61h]
		outsb
		arpl	[eax+20h], bp

loc_A57E72:				; CODE XREF: PAGEVRFY:00A57E50j
		jz	short near ptr loc_A57EE4+2
		popa
		arpl	[ecx+6Eh], bp
		and	[bx+69h], dh
		insb
		insb

loc_A57E7E:				; CODE XREF: PAGEVRFY:00A57E0Cj
		and	[edi+63h], ch
		arpl	[ebp+72h], si

loc_A57E84:				; CODE XREF: PAGEVRFY:00A57E64j
		or	al, cs:[eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_07IJBEPEDG@hal?4dll@JKADOLAD@:	; CODE XREF: PAGEVRFY:00A57E29j
					; DATA XREF: ViThunkSnapSharedExportByName+60o
		push	642E6C61h
		insb

loc_A57E8E:				; CODE XREF: PAGEVRFY:00A57E16j
		insb
; 
		db 0
; 

; char ??_C
??_C@_0N@FJBNMICO@ntoskrnl?4exe@JKADOLAD@: ; DATA XREF:	ViThunkSnapSharedExportByName+4Co
		outsb
		jz	short near ptr loc_A57F01+1
		jnb	short near ptr loc_A57EFD+3
		jb	short near ptr loc_A57F01+4
		insb
		db	2Eh, 65h
		js	short loc_A57F01
		add	ah, cl

; char ??_C
??_C@_0PF@ELCJCDPF@?6Driver?5Verifier?5detected?5that?5@JKADOLAD@:
					; DATA XREF: ViShutdownWatchdogExecuteDpc(x,x,x,x)+73o
		or	al, [edx+esi*2+69h]

loc_A57EA2:				; CODE XREF: PAGEVRFY:00A57E3Aj
		jbe	short loc_A57F09
		jb	short loc_A57EC6
		push	esi
		db	65h
		jb	short loc_A57F13
		imul	sp, [ebp+72h], 6420h
		db	65h
		jz	short loc_A57F18
		arpl	[ebp+64h], si
		and	[eax+ebp*2+61h], dh
		jz	short loc_A57EDD
		jz	short near ptr loc_A57F24+3
		imul	esi, [ebx+20h],	74737973h

loc_A57EC6:				; CODE XREF: PAGEVRFY:00A57EA4j
		db	65h
		insd
		and	[ecx+ebp*2+64h], ah
		outsb
		daa
		jz	short loc_A57EF0

loc_A57ED0:				; CODE XREF: PAGEVRFY:00A57E5Cj
					; PAGEVRFY:00A57E62j
		imul	bp, [esi+69h], 6873h
		and	[ebx+68h], dh
		jnz	short loc_A57F4F
		jz	short near ptr loc_A57F45+1

loc_A57EDD:				; CODE XREF: PAGEVRFY:00A57EBBj
		outsb
		and	[si+6Fh], ah
		ja	short near ptr loc_A57F4F+3

loc_A57EE4:				; CODE XREF: PAGEVRFY:loc_A57E72j
		or	ch, [ecx+6Eh]
		and	[ebp+6Fh], ch
		jb	short near ptr loc_A57F4F+2
		and	[eax+ebp*2+61h], dh

loc_A57EF0:				; CODE XREF: PAGEVRFY:00A57ECEj
		outsb
		and	[edx], dh
		xor	[eax], ah
		insd
		imul	ebp, [esi+75h],	2E736574h

loc_A57EFD:				; CODE XREF: PAGEVRFY:00A57E93j
		and	[edi+ebp*2+20h], dl

loc_A57F01:				; CODE XREF: PAGEVRFY:00A57E98j
					; PAGEVRFY:00A57E91j ...
		imul	esi, fs:[ebx+70h], 2079616Ch

loc_A57F09:				; CODE XREF: PAGEVRFY:loc_A57EA2j
		imul	ebp, [esi+66h],	616D726Fh
		jz	short loc_A57F7B
		outsd

loc_A57F13:				; CODE XREF: PAGEVRFY:00A57EA7j
		outsb
		and	[ecx+62h], ah
		outsd

loc_A57F18:				; CODE XREF: PAGEVRFY:00A57EB0j
		jnz	short near ptr loc_A57F8B+3
		and	[eax+ebp*2+65h], dh
		and	[eax+ebp*2+72h], dh
		db	65h
		popa

loc_A57F24:				; CODE XREF: PAGEVRFY:00A57EBDj
		and	fs:[eax+ebp*2+61h], dh
		jz	short loc_A57F4B
		imul	esi, [ebx+0Ah],	70736572h
		outsd
		outsb
		jnb	short near ptr ??_C@_0CC@BLAEAHBE@Re?9initializing?5active?5lock?50x?$CF@JKADOLAD@+0Bh
		bound	ebp, [ebp+20h]
		outsw
		jb	short near ptr loc_A57F5C+2
		jnb	short near ptr ??_C@_0CC@BLAEAHBE@Re?9initializing?5active?5lock?50x?$CF@JKADOLAD@+14h
		jnz	short ??_C@_0DF@NCFOMPGE@Type?5?$CBdeadlock?5in?5the?5debugger?5@JKADOLAD@
		jz	short near ptr ??_C@_0CC@BLAEAHBE@Re?9initializing?5active?5lock?50x?$CF@JKADOLAD@+19h
		outsb

loc_A57F45:				; CODE XREF: PAGEVRFY:00A57EDBj
		and	[si+6Fh], ah
		ja	short loc_A57FB9

loc_A57F4B:				; CODE XREF: PAGEVRFY:00A57F29j
		sub	al, 20h
		jnz	short loc_A57FC2

loc_A57F4F:				; CODE XREF: PAGEVRFY:00A57ED9j
					; PAGEVRFY:00A57EEAj ...
		and	gs:[eax+ebp*2+65h], dh
		jnb	short near ptr loc_A57FB9+2
		and	[ebp+62h], ah
		jnz	short near ptr loc_A57FC2+1

loc_A57F5C:				; CODE XREF: PAGEVRFY:00A57F3Cj
		db	67h, 65h
		jb	near ptr 7F80h
		arpl	[edi+6Dh], bp
		insd
		popa
		outsb
		db	64h
		jnb	short near ptr ??_C@_0CC@BLAEAHBE@Re?9initializing?5active?5lock?50x?$CF@JKADOLAD@+0Fh
		or	cl, [edx]
		db	64h
		jo	short near ptr loc_A57F8B+3
		outsb
		jz	short near ptr loc_A57F91+1
		push	esi
		push	bx
		push	6F647475h
		ja	short loc_A57FE9

loc_A57F7B:				; CODE XREF: PAGEVRFY:00A57F10j
		push	esp
		push	64616572h
		and	[ecx+esi+3Bh], ch
		and	[eax+ebp*2+72h], esi
		db	65h
		popa

loc_A57F8B:				; CODE XREF: PAGEVRFY:loc_A57F18j
					; PAGEVRFY:00A57F6Bj
		and	fs:[eax+24h], al
		jo	short near ptr ??_C@_0CC@BLAEAHBE@Re?9initializing?5active?5lock?50x?$CF@JKADOLAD@+7

loc_A57F91:				; CODE XREF: PAGEVRFY:00A57F6Fj
		or	al, [eax]
		int	3		; Trap to Debugger
; 
??_C@_0CC@BLAEAHBE@Re?9initializing?5active?5lock?50x?$CF@JKADOLAD@ db 'Re-initializing active lock 0x%p.',0
					; CODE XREF: PAGEVRFY:00A57F8Fj
					; PAGEVRFY:00A57F34j ...
; 

??_C@_0DF@NCFOMPGE@Type?5?$CBdeadlock?5in?5the?5debugger?5@JKADOLAD@:
					; CODE XREF: PAGEVRFY:00A57F40j
					; DATA XREF: ViDeadlockAnalyze(x,x,x,x,x)+1AAo
		push	esp
		jns	short near ptr ??_C@_0FP@OGKKGCMG@Resource?5?$CFp?5acquired?5before?5res@JKADOLAD@+3Dh

loc_A57FB9:				; CODE XREF: PAGEVRFY:00A57F49j
					; PAGEVRFY:00A57F54j
		and	gs:[ecx], ah
		db	64h, 65h
		popa
		db	64h
		insb
		outsd

loc_A57FC2:				; CODE XREF: PAGEVRFY:00A57F4Dj
					; PAGEVRFY:00A57F5Aj
		arpl	[ebx+20h], bp
		imul	ebp, [esi+20h],	20656874h
		db	64h
		bound	esi, gs:[ebp+67h]
		db	67h, 65h
		jb	near ptr 7FF5h
		outsw
		jb	short near ptr ??_C@_0FP@OGKKGCMG@Resource?5?$CFp?5acquired?5before?5res@JKADOLAD@+0Dh
		insd
		outsd
		jb	short near ptr ??_C@_0FP@OGKKGCMG@Resource?5?$CFp?5acquired?5before?5res@JKADOLAD@+56h
		and	[ecx+6Eh], ch
		outsw
		jb	short near ptr ??_C@_0DN@HFKEJOAN@Deadlock?5detection?3?5Must?5releas@JKADOLAD@+5
		popa
		jz	short near ptr ??_C@_0DN@HFKEJOAN@Deadlock?5detection?3?5Must?5releas@JKADOLAD@+4
		outsd
		outsb

loc_A57FE9:				; CODE XREF: PAGEVRFY:00A57F79j
		db	2Eh
		add	ah, cl
; 
; char ??_C[]
??_C@_0FP@OGKKGCMG@Resource?5?$CFp?5acquired?5before?5res@JKADOLAD@ db 'Resource %p acquired before resource %p -- ',0Ah
					; CODE XREF: PAGEVRFY:00A57FD7j
					; DATA XREF: VfDeadlockReleaseResource(x,x,x,x)+255o
		db 'Current thread (%p) is trying to release %p first',0Ah,0
		align 4
; char ??_C[]
??_C@_0DN@HFKEJOAN@Deadlock?5detection?3?5Must?5releas@JKADOLAD@ db 'Deadlock detection: Must release resources in reverse-order',0Ah,0
					; CODE XREF: PAGEVRFY:00A57FE5j
					; PAGEVRFY:00A57FE2j
					; DATA XREF: ...
		align 2
??_C@_0CC@EOCKMKPD@Terminated?5thread?50x?$CFp?5owns?5loc@JKADOLAD@ db 'Terminated thread 0x%p owns lock.',0
					; DATA XREF: ViDeadlockRemoveThread(x,x)+40o
??_C@_0DH@BBHHIKMG@Releasing?5two?5locks?5in?5reverse?5@JKADOLAD@ db 'Releasing two locks in reverse order of their acquire.',0
					; DATA XREF: VfDeadlockReleaseResource(x,x,x,x)+268o
		align 4
??_C@_0CN@IOPJFNJD@Lock?50x?$CFp?5doesn?8t?5support?5recur@JKADOLAD@ db	'Lock 0x%p doesn',27h,'t support recursive acquire.',0
					; DATA XREF: VfDeadlockAcquireResource(x,x,x,x,x)+2A9o
		align 2
??_C@_0DN@MIFLGLIP@Acquiring?5lock?50x?$CFp?5using?5misma@JKADOLAD@ db 'Acquiring lock 0x%p using mismatched API for this lock type.',0
					; DATA XREF: VfDeadlockAcquireResource(x,x,x,x,x)+201o
		align 10h

??_C@_0DN@JJNOFEAB@Releasing?5lock?50x?$CFp?5that?5is?5not@JKADOLAD@:
					; DATA XREF: VfDeadlockReleaseResource(x,x,x,x)+14Fo
		push	edx
		db	65h
		insb
		db	65h
		popa
		jnb	short near ptr loc_A581BD+3
		outsb
		and	[si+6Fh], ch
		arpl	[ebx+20h], bp
		xor	[eax+25h], bh
		jo	short near ptr loc_A58183+1
		jz	short near ptr loc_A581CD+1
		popa
		jz	short loc_A58189
		imul	esi, [ebx+20h],	20746F6Eh
		outsd
		ja	short near ptr loc_A581DE+3
		db	65h
		and	fs:[edx+79h], ah
		and	[eax+ebp*2+65h], dh
		and	[ebx+75h], ah
		jb	short loc_A581F3
		outs	dx, byte ptr gs:[esi]

loc_A58183:				; CODE XREF: PAGEVRFY:00A58162j
		jz	short near ptr loc_A581A4+1
		jz	short loc_A581EF
		jb	short near ptr loc_A581EA+4

loc_A58189:				; CODE XREF: PAGEVRFY:00A58167j
		popa
		db	64h, 2Eh
		add	ah, cl

??_C@_0DN@EKAJEALB@Releasing?5lock?50x?$CFp?5using?5misma@JKADOLAD@:
					; DATA XREF: VfDeadlockReleaseResource(x,x,x,x)+1A7o
		push	edx
		db	65h
		insb
		db	65h
		popa
		jnb	short loc_A581FE
		outsb
		and	[si+6Fh], ch
		arpl	[ebx+20h], bp
		xor	[eax+25h], bh
		jo	short near ptr loc_A581BD+5
		jnz	short near ptr loc_A58213+4

loc_A581A4:				; CODE XREF: PAGEVRFY:loc_A58183j
		imul	ebp, [esi+67h],	73696D20h
		insd
		popa
		jz	short near ptr loc_A58211+1
		push	41206465h
		push	eax
		dec	ecx
		and	[esi+6Fh], ah
		jb	short near ptr loc_A581DA+1
		jz	short loc_A58225

loc_A581BD:				; CODE XREF: PAGEVRFY:00A58155j
					; PAGEVRFY:00A581A0j
		imul	esi, [ebx+20h],	6B636F6Ch
		and	[ecx+edi*2+70h], dh
		db	65h, 2Eh
		add	ah, cl

??_C@_0DF@IGILFCMF@Deleted?5lock?50x?$CFp?5is?5still?5owne@JKADOLAD@:
					; DATA XREF: ViDeadlockRemoveResource(x,x,x)+53o
		inc	esp

loc_A581CD:				; CODE XREF: PAGEVRFY:00A58164j
		db	65h
		insb
		db	65h
		jz	short near ptr loc_A58236+1
		and	fs:[edi+ebp*2+63h], ch
		imul	esp, [eax], 30h

loc_A581DA:				; CODE XREF: PAGEVRFY:00A581B9j
		js	short near ptr loc_A58200+1
		jo	short loc_A581FE

loc_A581DE:				; CODE XREF: PAGEVRFY:00A58171j
		imul	esi, [ebx+20h],	6C697473h
		insb
		and	[edi+77h], ch
		outsb

loc_A581EA:				; CODE XREF: PAGEVRFY:00A58187j
		db	65h
		and	fs:[edx+79h], ah

loc_A581EF:				; CODE XREF: PAGEVRFY:00A58185j
		and	[eax+ebp*2+65h], dh

loc_A581F3:				; CODE XREF: PAGEVRFY:00A5817Fj
		and	[eax+ebp*2+72h], dh
		db	65h
		popa
		and	fs:[eax], dh
		js	short loc_A58223

loc_A581FE:				; CODE XREF: PAGEVRFY:00A58193j
					; PAGEVRFY:00A581DCj
		jo	short near ptr loc_A5822C+2

loc_A58200:				; CODE XREF: PAGEVRFY:loc_A581DAj
		add	ah, cl

; char ??_C
??_C@_0ED@JMFNLGBD@?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?5Verifier?5Detected?5@JKADOLAD@:
					; DATA XREF: ViDeadlockPreprocessOptions(x,x,x,x,x,x)+5Ao
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		and	[esi+65h], dl

loc_A58211:				; CODE XREF: PAGEVRFY:00A581ADj
		jb	short loc_A5827C

loc_A58213:				; CODE XREF: PAGEVRFY:00A581A2j
		imul	sp, [ebp+72h], 4420h
		db	65h
		jz	short near ptr loc_A58280+1
		arpl	[ebp+64h], si
		and	[ecx+20h], ah

loc_A58223:				; CODE XREF: PAGEVRFY:00A581FCj
		push	eax
		outsd

loc_A58225:				; CODE XREF: PAGEVRFY:00A581BBj
		jz	short near ptr loc_A58289+3
		outsb
		jz	short near ptr loc_A5828F+4
		popa
		insb

loc_A5822C:				; CODE XREF: PAGEVRFY:loc_A581FEj
		and	[ebp+61h], al
		db	64h
		insb
		outsd
		arpl	[ebx+20h], bp

loc_A58236:				; CODE XREF: PAGEVRFY:00A581CFj
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	ch, [edx]
		sub	cl, [edx]
		add	ah, cl

; char ??_C
??_C@_0DL@FIPDGFLD@DVRF?3?5Driver?5switched?5stacks?5us@JKADOLAD@:
					; DATA XREF: ViDeadlockCheckStackLimits()+45o
		inc	esp
		push	esi
		push	edx
		inc	esi
		cmp	ah, [eax]
		inc	esp
		jb	short near ptr loc_A582B5+3
		jbe	short near ptr loc_A582B5+1
		jb	short loc_A58273
		jnb	short near ptr loc_A582CB+1
		imul	esi, [ebx+68h],	73206465h
		jz	short near ptr loc_A582BF+1
		arpl	[ebx+73h], bp
		and	[ebp+73h], dh
		imul	ebp, [esi+67h],	206E6120h
		jnz	short near ptr loc_A582DB+1
		jnb	short loc_A582E5
		jo	short loc_A582E2
		outsd

loc_A58273:				; CODE XREF: PAGEVRFY:00A58251j
		jb	short near ptr loc_A582E8+1
		db	65h
		and	fs:[ebp+65h], ch
		jz	short loc_A582E4

loc_A5827C:				; CODE XREF: PAGEVRFY:loc_A58211j
		outsd
		and	fs:[edx], ecx

loc_A58280:				; CODE XREF: PAGEVRFY:00A58219j
		add	ah, cl

; char ??_C
??_C@_0CP@NKLEOPOO@Cancelled?5IRP?5?$CFp?5didn?8t?5complet@JKADOLAD@:
					; DATA XREF: ViWdIrpTimedOut(x)+3Ao
		inc	ebx
		popa
		outsb
		arpl	[ebp+6Ch], sp
		insb

loc_A58289:				; CODE XREF: PAGEVRFY:loc_A58225j
		db	65h
		and	fs:[ecx+52h], cl
		push	eax

loc_A5828F:				; CODE XREF: PAGEVRFY:00A58228j
		and	ds:69642070h, ah
		outs	dx, byte ptr fs:[esi]
		daa
		jz	short loc_A582BA
		arpl	[edi+6Dh], bp
		jo	short loc_A5830B
		db	65h
		jz	short near ptr loc_A58306+1
		and	[ecx+6Eh], ch
		and	[ebp+esi*2+65h], ah
		and	[ecx+ebp*2+6Dh], dh
		db	65h
		or	al, cs:[eax]
		int	3		; Trap to Debugger

??_C@_0BE@HEPEIJAK@?$CIEjectionRelations?$CJ@JKADOLAD@:
					; DATA XREF: VfPnpDumpIrpStack(x):loc_A6C772o
		sub	[ebp+6Ah], al

loc_A582B5:				; CODE XREF: PAGEVRFY:00A5824Fj
					; PAGEVRFY:00A5824Dj
		arpl	gs:[ecx+ebp*2+6Fh], si

loc_A582BA:				; CODE XREF: PAGEVRFY:00A58298j
		outsb
		push	edx
		db	65h
		insb
		popa

loc_A582BF:				; CODE XREF: PAGEVRFY:00A5825Dj
		jz	short loc_A5832A
		outsd
		outsb
		jnb	short near ptr loc_A582ED+1
		add	[eax], ch	; DATA XREF: VfPnpDumpIrpStack(x):loc_A6C779o
		inc	edx
		jnz	short loc_A5833D
		push	edx

loc_A582CB:				; CODE XREF: PAGEVRFY:00A58253j
		db	65h
		insb
		popa
		jz	short loc_A58339
		outsd
		outsb
		jnb	short loc_A582FD
		add	ah, cl

??_C@_0BD@ICPCMINJ@?$CIRemovalRelations?$CJ@JKADOLAD@:
					; DATA XREF: VfPnpDumpIrpStack(x):loc_A6C764o
		sub	[edx+65h], dl
		insd
		outsd

loc_A582DB:				; CODE XREF: PAGEVRFY:00A5826Cj
		jbe	short near ptr loc_A5833D+1
		insb
		push	edx
		db	65h
		insb
		popa

loc_A582E2:				; CODE XREF: PAGEVRFY:00A58270j
		jz	short loc_A5834D

loc_A582E4:				; CODE XREF: PAGEVRFY:00A5827Aj
		outsd

loc_A582E5:				; CODE XREF: PAGEVRFY:00A5826Ej
		outsb
		jnb	short loc_A58311

loc_A582E8:				; CODE XREF: PAGEVRFY:loc_A58273j
		add	ah, cl

??_C@_0BB@CAPPKIDP@?$CIPowerRelations?$CJ@JKADOLAD@:
					; DATA XREF: VfPnpDumpIrpStack(x):loc_A6C76Bo
		sub	[eax+6Fh], dl

loc_A582ED:				; CODE XREF: PAGEVRFY:00A582C3j
		ja	short loc_A58354
		jb	short loc_A58343
		db	65h
		insb
		popa
		jz	short near ptr loc_A5835C+3
		outsd
		outsb
		jnb	short near ptr loc_A58322+1
		add	ah, cl

; char ??_C
??_C@_0M@JGJFFIIL@IRP_MJ_PNP?4@JKADOLAD@: ; DATA XREF: VfPnpDumpIrpStack(x)+5o
		dec	ecx

loc_A582FD:				; CODE XREF: PAGEVRFY:00A582D2j
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	eax
		dec	esi
		push	eax

loc_A58306:				; CODE XREF: PAGEVRFY:00A5829Fj
					; DATA XREF: VfPnpDumpIrpStack(x)+1Co ...
		add	cs:[eax], ch
		inc	edx
		outsd

loc_A5830B:				; CODE XREF: PAGEVRFY:00A5829Dj
		db	67h
		jnz	near ptr 8381h
		sub	[eax], eax

??_C@_0N@IJDEKNCK@IRP_MN_BOGUS@JKADOLAD@: ; DATA XREF: VfPnpDumpIrpStack(x)+33o
					; VfPowerDumpIrpStack(x)+92o ...
		dec	ecx

loc_A58311:				; CODE XREF: PAGEVRFY:00A582E6j
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	esi
		pop	edi
		inc	edx
		dec	edi
		inc	edi
		push	ebp
		push	ebx
		add	ah, cl

??_C@_07HLCPMGNH@?$CIFalse?$CJ@JKADOLAD@: ; DATA XREF: VfPnpDumpIrpStack(x)+106o
		sub	[esi+61h], al
		insb

loc_A58322:				; CODE XREF: PAGEVRFY:00A582F8j
		jnb	short near ptr ??_C@_0DB@BFCAKHEG@?$CIWhichSpace?$DN?$CFx?0?5Buffer?$DN?$CFp?0?5Offs@JKADOLAD@+1
		sub	[eax], eax

??_C@_06NMHHGILK@?$CITrue?$CJ@JKADOLAD@: ; DATA	XREF: VfPnpDumpIrpStack(x):loc_A6C6F9o
		sub	[edx+esi*2+75h], dl

loc_A5832A:				; CODE XREF: PAGEVRFY:loc_A582BFj
		sub	gs:[eax], eax
		int	3		; Trap to Debugger

??_C@_0BG@NJHABFNM@?$CIBusQueryHardwareIDs?$CJ@JKADOLAD@:
					; DATA XREF: VfPnpDumpIrpStack(x):loc_A6C6E7o
		sub	[edx+75h], al
		jnb	short loc_A58384
		jnz	short near ptr loc_A58399+1
		jb	short near ptr loc_A583AF+1
		dec	eax
		popa

loc_A58339:				; CODE XREF: PAGEVRFY:00A582CEj
		jb	short loc_A5839F
		ja	short near ptr loc_A5839B+3

loc_A5833D:				; CODE XREF: PAGEVRFY:00A582C8j
					; PAGEVRFY:loc_A582DBj
		jb	short loc_A583A4
		dec	ecx
		inc	esp
		jnb	short near ptr loc_A5836B+1

loc_A58343:				; CODE XREF: PAGEVRFY:00A582EFj
					; DATA XREF: VfPnpDumpIrpStack(x):loc_A6C6EEo
		add	[eax], ch
		inc	edx
		jnz	short near ptr ??_C@_0CA@CFIKFPAL@?$CIDeviceTextLocationInformation?$CJ@JKADOLAD@+1
		push	ecx
		jnz	short near ptr loc_A583AF+1
		jb	short loc_A583C6

loc_A5834D:				; CODE XREF: PAGEVRFY:loc_A582E2j
		inc	esp
		db	65h
		jbe	short ??_C@_0CA@CFIKFPAL@?$CIDeviceTextLocationInformation?$CJ@JKADOLAD@
		arpl	[ebp+49h], sp

loc_A58354:				; CODE XREF: PAGEVRFY:loc_A582EDj
		inc	esp
		sub	[eax], eax
		int	3		; Trap to Debugger

??_C@_0BI@PCAOFACF@?$CIDeviceTextDescription?$CJ@JKADOLAD@:
					; DATA XREF: VfPnpDumpIrpStack(x):loc_A6C73Bo
		sub	[ebp+76h], al

loc_A5835C:				; CODE XREF: PAGEVRFY:00A582F4j
		imul	esp, [ebx+65h],	74786554h
		inc	esp
		db	65h
		jnb	short loc_A583CA
		jb	short near ptr loc_A583D1+1
		jo	short near ptr loc_A583DE+1

loc_A5836B:				; CODE XREF: PAGEVRFY:00A58341j
					; DATA XREF: VfPnpDumpIrpStack(x)+160o
		imul	ebp, [edi+6Eh],	54280029h
		popa
		jb	short near ptr ??_C@_0BJ@DKELLOBA@?$CIDeviceUsageTypeDumpFile@JKADOLAD@+2
		db	65h
		jz	short near ptr ??_C@_0CA@CFIKFPAL@?$CIDeviceTextLocationInformation?$CJ@JKADOLAD@+2
		db	65h
		jbe	short near ptr loc_A583DE+6
		arpl	[ebp+52h], sp
		db	65h
		insb
		popa
		jz	short near ptr loc_A583EB+1
		outsd

loc_A58384:				; CODE XREF: PAGEVRFY:00A58331j
		outsb
		sub	[eax], eax
		int	3		; Trap to Debugger

; char ??_C
??_C@_0DB@BFCAKHEG@?$CIWhichSpace?$DN?$CFx?0?5Buffer?$DN?$CFp?0?5Offs@JKADOLAD@:
					; CODE XREF: PAGEVRFY:loc_A58322j
					; DATA XREF: VfPnpDumpIrpStack(x)+119o
		sub	[edi+68h], dl
		imul	esp, [ebx+68h],	63617053h
		db	65h
		cmp	eax, 202C7825h
		inc	edx

loc_A58399:				; CODE XREF: PAGEVRFY:00A58333j
		jnz	short loc_A58401

loc_A5839B:				; CODE XREF: PAGEVRFY:00A5833Bj
		db	66h, 65h
		jb	short near ptr ??_C@_0BJ@DKELLOBA@?$CIDeviceUsageTypeDumpFile@JKADOLAD@+2

loc_A5839F:				; CODE XREF: PAGEVRFY:loc_A58339j
		and	eax, 4F202C70h

loc_A583A4:				; CODE XREF: PAGEVRFY:loc_A5833Dj
		db	66h, 66h
		jnb	short near ptr loc_A5840C+1
		jz	short loc_A583E7
		and	eax, 4C202C78h

loc_A583AF:				; CODE XREF: PAGEVRFY:00A58335j
					; PAGEVRFY:00A58349j
		outs	dx, byte ptr gs:[esi]
		db	67h
		jz	near ptr 841Ch
		cmp	eax, 297825h
		int	3		; Trap to Debugger

??_C@_0CA@CFIKFPAL@?$CIDeviceTextLocationInformation?$CJ@JKADOLAD@:
					; CODE XREF: PAGEVRFY:00A5834Ej
					; PAGEVRFY:00A58346j ...
		sub	[ebp+76h], al
		imul	esp, [ebx+65h],	74786554h
		dec	esp

loc_A583C6:				; CODE XREF: PAGEVRFY:00A5834Bj
		outsd
		arpl	[ecx+74h], sp

loc_A583CA:				; CODE XREF: PAGEVRFY:00A58364j
		imul	ebp, [edi+6Eh],	6F666E49h

loc_A583D1:				; CODE XREF: PAGEVRFY:00A58367j
		jb	short near ptr loc_A5843F+1
		popa
		jz	short loc_A5843F
		outsd
		outsb
		sub	[eax], eax

??_C@_0BJ@DKELLOBA@?$CIDeviceUsageTypeDumpFile@JKADOLAD@: ; CODE XREF: PAGEVRFY:00A58373j
					; PAGEVRFY:loc_A5839Bj
					; DATA XREF: ...
		sub	[ebp+76h], al

loc_A583DE:				; CODE XREF: PAGEVRFY:00A58369j
					; PAGEVRFY:00A58378j
		imul	esp, [ebx+65h],	67617355h
		db	65h
		push	esp

loc_A583E7:				; CODE XREF: PAGEVRFY:00A583A8j
		jns	short near ptr loc_A58456+3
		db	65h
		inc	esp

loc_A583EB:				; CODE XREF: PAGEVRFY:00A58381j
		jnz	short loc_A5845A
		jo	short loc_A58435
		imul	ebp, [ebp+0], 654428CCh
					; DATA XREF: VfPnpDumpIrpStack(x):loc_A6C694o
		jbe	short near ptr loc_A58460+2
		arpl	[ebp+55h], sp
		jnb	short loc_A5845F
		db	67h, 65h
		push	esp

loc_A58401:				; CODE XREF: PAGEVRFY:loc_A58399j
		jns	short near ptr loc_A58470+3
		db	65h
		dec	eax
		imul	esp, [edx+65h],	74616E72h

loc_A5840C:				; CODE XREF: PAGEVRFY:loc_A583A4j
					; DATA XREF: VfPnpDumpIrpStack(x)+BBo
		imul	ebp, [edi+6Eh],	49202C00h
		outsb
		push	eax
		popa
		jz	short loc_A58480
		cmp	eax, 534C4146h
		inc	ebp
		sub	[eax], eax

??_C@_0P@OJGFJBNK@?0?5InPath?$DNTRUE?$CJ@JKADOLAD@: ; DATA XREF: VfPnpDumpIrpStack(x)+B0o
		sub	al, 20h
		dec	ecx
		outsb
		push	eax
		popa
		jz	short ??_C@_0O@EMKDICJG@IRP_MJ_POWER?4@JKADOLAD@
		cmp	eax, 45555254h
		sub	[eax], eax
		int	3		; Trap to Debugger

??_C@_0BF@GLOACFMG@?$CIBusQueryInstanceID?$CJ@JKADOLAD@:
					; DATA XREF: VfPnpDumpIrpStack(x)+DCo
		sub	[edx+75h], al
		jnb	short near ptr loc_A58485+1

loc_A58435:				; CODE XREF: PAGEVRFY:00A583EDj
		jnz	short loc_A5849C
		jb	short loc_A584B2
		dec	ecx
		outsb
		jnb	short loc_A584B1
		popa
		outsb

loc_A5843F:				; CODE XREF: PAGEVRFY:00A583D4j
					; PAGEVRFY:loc_A583D1j
		arpl	[ebp+49h], sp
		inc	esp
		sub	[eax], eax
		int	3		; Trap to Debugger

??_C@_0BI@LJLHGLI@?$CIBusQueryCompatibleIDs?$CJ@JKADOLAD@:
					; DATA XREF: VfPnpDumpIrpStack(x):loc_A6C6E0o
		sub	[edx+75h], al
		jnb	short loc_A5849C
		jnz	short loc_A584B2
		jb	short near ptr loc_A584C7+1
		inc	ebx
		outsd
		insd
		jo	short loc_A584B5
		jz	short loc_A584BF

loc_A58456:				; CODE XREF: PAGEVRFY:loc_A583E7j
		bound	ebp, [ebp+49h]

loc_A5845A:				; CODE XREF: PAGEVRFY:loc_A583EBj
		inc	esp
		jnb	short near ptr loc_A58485+1
		add	[eax], ch	; DATA XREF: VfPnpDumpIrpStack(x):loc_A6C69Bo

loc_A5845F:				; CODE XREF: PAGEVRFY:00A583FCj
		inc	esp

loc_A58460:				; CODE XREF: PAGEVRFY:00A583F7j
		db	65h
		jbe	short ??_C@_0GN@DPOIDMGL@Interrupt?5Service?5Routine?5?$CFp?5ha@JKADOLAD@
		arpl	[ebp+55h], sp
		jnb	short near ptr loc_A584C7+2
		db	67h, 65h
		push	esp
		jns	short near ptr loc_A584DA+3
		db	65h
		push	eax
		popa

loc_A58470:				; CODE XREF: PAGEVRFY:loc_A58401j
					; DATA XREF: VfPnpDumpIrpStack(x):loc_A6C6A2o
		imul	ebp, [bp+67h], 4428CC00h
		db	65h
		jbe	short loc_A584E4
		arpl	[ebp+55h], sp
		jnb	short loc_A584E1

loc_A58480:				; CODE XREF: PAGEVRFY:00A58416j
		db	67h, 65h
		push	esp
		jns	short near ptr loc_A584F1+4

loc_A58485:				; CODE XREF: PAGEVRFY:00A58433j
					; PAGEVRFY:00A5845Bj
		db	65h
		push	ebp
		outsb
		db	64h
		imul	bp, gs:[esi+65h], 64h

; char ??_C
??_C@_0O@EMKDICJG@IRP_MJ_POWER?4@JKADOLAD@: ; CODE XREF: PAGEVRFY:00A58426j
					; DATA XREF: VfPowerDumpIrpStack(x)+3o
		dec	ecx
		push	edx
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	eax
		dec	edi
		push	edi
		inc	ebp
		push	edx

loc_A5849C:				; CODE XREF: PAGEVRFY:loc_A58435j
					; PAGEVRFY:00A58449j
					; DATA XREF: ...
		add	cs:[ecx], ch
		add	[eax], ch	; DATA XREF: VfPowerDumpIrpStack(x):loc_A6CEC6o
		add	[ecx+52h], cl	; DATA XREF: VfWmiDumpIrpStack(x)+3o
		push	eax
		pop	edi
		dec	ebp
		dec	edx
		pop	edi
		push	ebx
		pop	ecx
		push	ebx
		push	esp
		inc	ebp
		dec	ebp
		pop	edi
		inc	ebx

loc_A584B1:				; CODE XREF: PAGEVRFY:00A5843Bj
		dec	edi

loc_A584B2:				; CODE XREF: PAGEVRFY:00A58437j
					; PAGEVRFY:00A5844Bj
		dec	esi
		push	esp
		push	edx

loc_A584B5:				; CODE XREF: PAGEVRFY:00A58452j
		dec	edi
		dec	esp
		db	2Eh
		add	ah, cl

??_C@_1BC@KGNJPLCF@?$AAV?$AAE?$AAR?$AAI?$AAF?$AAI?$AAE?$AAR@JKADOLAD@:
					; DATA XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+164o
		push	esi
		add	[ebp+0], al
		push	edx

loc_A584BF:				; CODE XREF: PAGEVRFY:00A58454j
		add	[ecx+0], cl
		inc	esi
		add	[ecx+0], cl
		inc	ebp

loc_A584C7:				; CODE XREF: PAGEVRFY:00A5844Dj
					; PAGEVRFY:00A58466j
		add	[edx+0], dl
; 
		dw 0
; 

; char ??_C
??_C@_0GN@DPOIDMGL@Interrupt?5Service?5Routine?5?$CFp?5ha@JKADOLAD@:
					; CODE XREF: PAGEVRFY:loc_A58460j
					; DATA XREF: ViCtxCheckAndReleaseIsrState(x,x)+5Bo
		dec	ecx
		outsb
		jz	short near ptr loc_A58534+1
		jb	short loc_A58544
		jnz	short loc_A58544
		jz	short near ptr loc_A584F1+5
		push	ebx
		db	65h
		jb	short near ptr loc_A5854F+1

loc_A584DA:				; CODE XREF: PAGEVRFY:00A5846Bj
		imul	esp, [ebx+65h],	756F5220h

loc_A584E1:				; CODE XREF: PAGEVRFY:00A5847Ej
		jz	short near ptr loc_A58548+4
		outsb

loc_A584E4:				; CODE XREF: PAGEVRFY:00A58478j
		and	gs:61682070h, ah
		jnb	short loc_A5850D
		arpl	[eax+61h], bp
		outsb

loc_A584F1:				; CODE XREF: PAGEVRFY:00A58483j
					; PAGEVRFY:00A584D4j
		db	65h
		and	fs:[bx+di+52h],	cl
		push	ecx
		dec	esp
		or	cl, cs:[ecx+52h]
		push	ecx
		dec	esp
		and	[edx+65h], ah
		outsw
		jb	short near ptr loc_A58568+3
		and	[ebp+78h], ah
		arpl	gs:[ebp+74h], si

loc_A5850D:				; CODE XREF: PAGEVRFY:00A584EBj
		imul	ebp, [esi+67h],	52534920h
		cmp	ah, [eax]
		and	eax, 49202E64h
		push	edx
		push	ecx
		dec	esp
		and	[ecx+66h], ah
		jz	short loc_A58588
		jb	short loc_A58545
		db	65h
		js	short near ptr loc_A5858C+1
		arpl	[ebp+74h], si
		imul	ebp, [esi+67h],	52534920h
		cmp	ah, [eax]

loc_A58534:				; CODE XREF: PAGEVRFY:00A584CEj
		and	eax, 0A2E64h
		int	3		; Trap to Debugger

; char ??_C
??_C@_0JG@BKPPEEMD@Interrupt?5Service?5Routine?5?$CFp?5ha@JKADOLAD@:
					; DATA XREF: ViCtxCheckAndReleaseIsrState(x,x)+7Bo
		dec	ecx
		outsb
		jz	short loc_A585A3
		jb	short loc_A585B2
		jnz	short loc_A585B2
		jz	short near ptr loc_A5855F+5

loc_A58544:				; CODE XREF: PAGEVRFY:00A584D0j
					; PAGEVRFY:00A584D2j
		push	ebx

loc_A58545:				; CODE XREF: PAGEVRFY:00A58523j
		db	65h
		jb	short near ptr loc_A585BD+1

loc_A58548:				; CODE XREF: PAGEVRFY:loc_A584E1j
		imul	esp, [ebx+65h],	756F5220h

loc_A5854F:				; CODE XREF: PAGEVRFY:00A584D7j
		jz	short loc_A585BA
		outsb
		and	gs:61682070h, ah
		jnb	short near ptr loc_A5857A+1
		arpl	[eax+61h], bp
		outsb

loc_A5855F:				; CODE XREF: PAGEVRFY:00A58542j
		db	65h
		and	fs:[di+78h], ah
		jz	short loc_A585CC
		outsb

loc_A58568:				; CODE XREF: PAGEVRFY:00A58504j
		db	64h, 65h
		and	fs:[eax+ebp*2+72h], dh
		db	65h
		popa
		and	fs:[ebx+6Fh], ah
		outsb
		jz	short near ptr loc_A585DA+3
		js	short near ptr loc_A585EB+3

loc_A5857A:				; CODE XREF: PAGEVRFY:00A58559j
		or	al, cs:[ebx+6Fh]
		outsb
		jz	short loc_A585E6
		js	short loc_A585F7
		and	[ebx+61h], dh
		jbe	short near ptr loc_A585EB+2

loc_A58588:				; CODE XREF: PAGEVRFY:00A58521j
		and	fs:[edx+65h], ah

loc_A5858C:				; CODE XREF: PAGEVRFY:00A58525j
		outsw
		jb	short near ptr loc_A585F2+3
		and	[ebp+78h], ah
		arpl	gs:[ebp+74h], si
		imul	ebp, [esi+67h],	52534920h
		cmp	ah, [eax]
		xor	[eax+25h], bh

loc_A585A3:				; CODE XREF: PAGEVRFY:00A5853Cj
		jo	short near ptr ??_C@_13BBDEGPLJ@?$AA?$CK@JKADOLAD@+1
		and	[ebx+6Fh], al
		outsb
		jz	short near ptr loc_A5860B+5
		js	short near ptr loc_A5861F+2
		and	[ebx+61h], dh
		jbe	short near ptr loc_A58616+1

loc_A585B2:				; CODE XREF: PAGEVRFY:00A5853Ej
					; PAGEVRFY:00A58540j
		and	fs:[ecx+66h], ah
		jz	short near ptr loc_A5861C+1
		jb	short loc_A585DA

loc_A585BA:				; CODE XREF: PAGEVRFY:loc_A5854Fj
		db	65h
		js	short near ptr loc_A5861F+3

loc_A585BD:				; CODE XREF: PAGEVRFY:loc_A58545j
		arpl	[ebp+74h], si
		imul	ebp, [esi+67h],	52534920h
		cmp	ah, [eax]
		xor	[eax+25h], bh

loc_A585CC:				; CODE XREF: PAGEVRFY:00A58565j
		jo	short near ptr loc_A585F9+3
		or	al, [eax]

??_C@_00CNPNBAHC@@JKADOLAD@:		; DATA XREF: ViFilterDispatchGeneric(x,x)+2Do
					; ViFilterDispatchPnp(x,x)+2Eo	...
		add	ah, cl

??_C@_13BBDEGPLJ@?$AA?$CK@JKADOLAD@:	; CODE XREF: PAGEVRFY:loc_A585A3j
					; DATA XREF: VfAddVerifierEntry(x)+44o
		sub	al, [eax]
; 
		db 2 dup(0)
; 
; START	OF FUNCTION CHUNK FOR VfAvlInitializeTreeEx

loc_A585D6:				; CODE XREF: VfAvlInitializeTreeEx+20j
		test	bl, bl
		jnz	short loc_A585E2

loc_A585DA:				; CODE XREF: PAGEVRFY:00A585B8j
					; PAGEVRFY:00A58576j
		mov	edx, _ViAvlInitialized
		jmp	short loc_A585E4
; 

loc_A585E2:				; CODE XREF: VfAvlInitializeTreeEx+1B7Ej
		xor	edx, edx

loc_A585E4:				; CODE XREF: VfAvlInitializeTreeEx+1B86j
		xor	ecx, ecx

loc_A585E6:				; CODE XREF: PAGEVRFY:00A5857Fj
		test	bl, bl
		setnz	cl

loc_A585EB:				; CODE XREF: PAGEVRFY:00A58586j
					; PAGEVRFY:00A58578j
		lea	ecx, ds:8[ecx*4]

loc_A585F2:				; CODE XREF: PAGEVRFY:00A5858Ej
		jmp	loc_A56A82
; 

loc_A585F7:				; CODE XREF: VfAvlInitializeTreeEx+2Dj
					; PAGEVRFY:00A58581j
		mov	ecx, eax

loc_A585F9:				; CODE XREF: PAGEVRFY:loc_A585CCj
		jmp	loc_A56A90
; 

loc_A585FE:				; CODE XREF: VfAvlInitializeTreeEx+3Bj
		call	ds:__imp__HalQueryMaximumProcessorCount@0 ; HalQueryMaximumProcessorCount()
		mov	ecx, eax
		push	40h
		pop	eax
		cmp	ecx, eax

loc_A5860B:				; CODE XREF: PAGEVRFY:00A585A9j
		jnb	loc_A56A9B
		push	20h
		pop	eax
		cmp	ecx, eax

loc_A58616:				; CODE XREF: PAGEVRFY:00A585B0j
		jnb	loc_A56A9B

loc_A5861C:				; CODE XREF: PAGEVRFY:00A585B6j
		push	10h
		pop	eax

loc_A5861F:				; CODE XREF: PAGEVRFY:00A585ABj
					; PAGEVRFY:loc_A585BAj
		jmp	loc_A56A9B
; END OF FUNCTION CHUNK	FOR VfAvlInitializeTreeEx
; 
; START	OF FUNCTION CHUNK FOR VfDriverLoadImage

loc_A58624:				; CODE XREF: VfDriverLoadImage+27j
		movzx	eax, [ebp+arg_4]
		mov	ecx, esi
		push	eax
		movzx	eax, [ebp+arg_0]
		push	eax
		push	[ebp+var_4]
		call	_VfSuspectDriversLoadCallback@20 ; VfSuspectDriversLoadCallback(x,x,x,x,x)
		jmp	loc_A5671B
; END OF FUNCTION CHUNK	FOR VfDriverLoadImage
; 
; START	OF FUNCTION CHUNK FOR VfThunkAddTargetNotify

loc_A5863D:				; CODE XREF: VfThunkAddTargetNotify+1Fj
					; VfThunkAddTargetNotify+3Ej ...
		mov	ecx, edi
		call	_ViThunkFreeSharedThunksArray@4	; ViThunkFreeSharedThunksArray(x)
		lea	ecx, [esi+10h]
		call	_ViThunkFreeSharedThunksArray@4	; ViThunkFreeSharedThunksArray(x)
		lea	ecx, [esi+14h]
		call	_ViThunkFreeSharedThunksArray@4	; ViThunkFreeSharedThunksArray(x)
		lea	ecx, [esi+18h]
		call	_ViThunkFreeSharedThunksArray@4	; ViThunkFreeSharedThunksArray(x)
		or	dword ptr [edi], 1
		jmp	loc_A567A8
; END OF FUNCTION CHUNK	FOR VfThunkAddTargetNotify
; 
; START	OF FUNCTION CHUNK FOR ViThunkSnapSharedExportByName

loc_A58664:				; CODE XREF: ViThunkSnapSharedExportByName+CFj
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jz	short loc_A58686
		test	_VfRuleClasses,	0FFAFFFFFh
		jnz	loc_A5697B
		test	cl, 6
		jnz	loc_A5697B

loc_A58686:				; CODE XREF: ViThunkSnapSharedExportByName+1DC5j
		cmp	ds:_XdvEnabled,	edi
		jz	loc_A5697F
		cmp	ds:_VfDifAPIThunkContextHead, edi
		jz	loc_A5697F
		mov	eax, [ebx+10h]
		lea	edx, [ebp+arg_4]
		mov	[esi+8], eax
		mov	ecx, [ebx]	; char *
		mov	[ebp+arg_4], edi
		call	_ViThunkFindAPIContextByName@8 ; ViThunkFindAPIContextByName(x,x)
		cmp	[ebp+arg_4], edi
		jz	loc_A5697F
		mov	eax, [esi+0Ch]
		or	eax, 1
		mov	[esi+0Ch], eax
		test	byte ptr [ebx+0Ch], 4
		jz	loc_A5697F
		or	eax, 4
		mov	[esi+0Ch], eax
		jmp	loc_A5697F
; END OF FUNCTION CHUNK	FOR ViThunkSnapSharedExportByName
; 
; START	OF FUNCTION CHUNK FOR VfDriverUnloadImage

loc_A586D8:				; CODE XREF: VfDriverUnloadImage+12j
		mov	esi, [ebx+20h]
		mov	edx, esi
		mov	edi, [ebx+18h]
		mov	ecx, edi
		call	_VfDeadlockDeleteMemoryRange@8 ; VfDeadlockDeleteMemoryRange(x,x)
		mov	edx, esi
		mov	ecx, edi
		call	_VfRemLockDeleteMemoryRange@8 ;	VfRemLockDeleteMemoryRange(x,x)
		jmp	loc_A569EE
; 

loc_A586F5:				; CODE XREF: VfDriverUnloadImage+1Fj
		mov	edx, ebx
		mov	ecx, offset _ViVerifierDriverAddedThunkListHead
		call	_ViThunkRemoveImportEntry@8 ; ViThunkRemoveImportEntry(x,x)
		mov	edi, _ViVerifierDriverAddedSpecialThunkListHead
		jmp	short loc_A58745
; 

loc_A58709:				; CODE XREF: VfDriverUnloadImage+1D75j
		lea	esi, [edi+0Ch]
		mov	[ebp+var_4], edi
		mov	edx, ebx
		mov	ecx, esi
		call	_ViThunkRemoveImportEntry@8 ; ViThunkRemoveImportEntry(x,x)
		mov	eax, [edi]
		cmp	[esi], esi
		jnz	short loc_A58743
		cmp	[eax+4], edi
		jnz	short loc_A58752
		mov	ecx, [edi+4]
		cmp	[ecx], edi
		jnz	short loc_A58752
		push	0
		push	[ebp+var_4]
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	edi, [edi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		dec	_ViVerifierSpecialThunkTables
		jmp	short loc_A58745
; 

loc_A58743:				; CODE XREF: VfDriverUnloadImage+1D46j
		mov	edi, eax

loc_A58745:				; CODE XREF: VfDriverUnloadImage+1D31j
					; VfDriverUnloadImage+1D6Bj
		cmp	edi, offset _ViVerifierDriverAddedSpecialThunkListHead
		jnz	short loc_A58709
		jmp	loc_A569FB
; 

loc_A58752:				; CODE XREF: VfDriverUnloadImage+1D4Bj
					; VfDriverUnloadImage+1D52j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
; END OF FUNCTION CHUNK	FOR VfDriverUnloadImage	; AL = character to display
; START	OF FUNCTION CHUNK FOR MmIsVerifierEnabled

loc_A58757:				; CODE XREF: MmIsVerifierEnabled+13j
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jz	loc_A56A37
		test	_VfRuleClasses,	0FFAFFFFFh
		jnz	short loc_A5877D
		test	byte ptr dword_6FDE00, 6
		jz	loc_A56A37

loc_A5877D:				; CODE XREF: MmIsVerifierEnabled+1D50j
		mov	eax, _MmVerifierData
		mov	[ecx], eax
		xor	eax, eax
		jmp	loc_A56A3F
; END OF FUNCTION CHUNK	FOR MmIsVerifierEnabled

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall IovCallDriver(x, x, x)
@IovCallDriver@12 proc near		; CODE XREF: IofCallDriverSpecifyReturn+849B8j
					; IofCallDriver+C67F2p

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edx
		mov	ebx, ecx
		mov	[ebp+var_8], edi
		cmp	_IovpEnabledInThePast, edi
		jnz	short loc_A587CC
		test	byte ptr _MmVerifierData, 20h
		jnz	short loc_A587CC
		test	byte ptr _IopFunctionPointerMask, 2
		jz	short loc_A587C2
		call	@IopPerfCallDriver@8 ; IopPerfCallDriver(x,x)
		jmp	loc_A5899C
; 

loc_A587C2:				; CODE XREF: IovCallDriver(x,x,x)+2Bj
		call	IopfCallDriver
		jmp	loc_A5899C
; 

loc_A587CC:				; CODE XREF: IovCallDriver(x,x,x)+19j
					; IovCallDriver(x,x,x)+22j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[ebp+var_1], al
		cmp	al, 2
		jbe	short loc_A5881D
		test	_MmVerifierData, 400000h
		jnz	short loc_A5881D
		mov	ecx, offset _VfBugcheckTmpDataLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		movzx	eax, [ebp+var_1]
		mov	ds:_VfBugcheckTmpData, 0C9h
		mov	ds:dword_AB1D04, 10h
		mov	ds:dword_AB1D08, eax
		mov	ds:dword_AB1D0C, edi
		mov	ds:dword_AB1D10, edi

loc_A58818:				; CODE XREF: IovCallDriver(x,x,x)+120j
					; IovCallDriver(x,x,x)+1C5j
		call	_VfBugCheckNoStackUsage@0 ; VfBugCheckNoStackUsage()

loc_A5881D:				; CODE XREF: IovCallDriver(x,x,x)+4Cj
					; IovCallDriver(x,x,x)+58j
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	_VfIrpAllocateCallDriverData@8 ; VfIrpAllocateCallDriverData(x,x)
		test	eax, eax
		jnz	short loc_A5883C
		push	[ebp+arg_0]
		mov	edx, esi
		mov	ecx, ebx
		call	@IovpCallDriverWithStackBuffer@12 ; IovpCallDriverWithStackBuffer(x,x,x)
		jmp	loc_A5899C
; 

loc_A5883C:				; CODE XREF: IovCallDriver(x,x,x)+9Ej
		mov	edi, [ebp+var_8]
		test	edi, edi
		jnz	short loc_A58852
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	@IovpCallDriverNoIrpTracking@12	; IovpCallDriverNoIrpTracking(x,x,x)
		jmp	loc_A5899C
; 

loc_A58852:				; CODE XREF: IovCallDriver(x,x,x)+B6j
		mov	eax, [ebp+arg_0]
		mov	edx, 400000h
		mov	[edi+58h], ebx
		mov	[edi+5Ch], esi
		mov	[edi+60h], eax
		mov	eax, [edi+5Ch]
		cmp	word ptr [eax],	6
		jz	short loc_A588B0
		test	_MmVerifierData, edx
		jnz	short loc_A588B0
		mov	ecx, offset _VfBugcheckTmpDataLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	[edi+55h], al
		mov	eax, [edi+5Ch]
		mov	ds:_VfBugcheckTmpData, 0C9h
		mov	ds:dword_AB1D04, 3

loc_A58898:				; CODE XREF: IovCallDriver(x,x,x)+15Cj
		and	ds:dword_AB1D0C, 0
		and	ds:dword_AB1D10, 0
		mov	ds:dword_AB1D08, eax
		jmp	loc_A58818
; 

loc_A588B0:				; CODE XREF: IovCallDriver(x,x,x)+DFj
					; IovCallDriver(x,x,x)+E7j
		mov	ecx, ebx
		call	_IovpValidateDeviceObject@4 ; IovpValidateDeviceObject(x)
		test	al, al
		jnz	short loc_A588E9
		test	_MmVerifierData, edx
		jnz	short loc_A588E9
		mov	ecx, offset _VfBugcheckTmpDataLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	[edi+55h], al
		mov	eax, [edi+58h]
		mov	ds:_VfBugcheckTmpData, 0C9h
		mov	ds:dword_AB1D04, 4
		jmp	short loc_A58898
; 

loc_A588E9:				; CODE XREF: IovCallDriver(x,x,x)+12Ej
					; IovCallDriver(x,x,x)+136j
		mov	eax, [esi+60h]
		sub	eax, 24h
		mov	[ebp+arg_0], eax
		cmp	byte ptr [eax],	0
		jnz	short loc_A58955
		mov	eax, [eax+18h]
		test	eax, eax
		jz	short loc_A58955
		mov	eax, [eax+2Ch]
		mov	ecx, 204000h
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_A58955
		test	_MmVerifierData, edx
		jnz	short loc_A58955
		mov	ecx, offset _VfBugcheckTmpDataLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	[edi+55h], al
		mov	eax, [edi+58h]
		mov	ds:dword_AB1D08, eax
		mov	eax, [edi+5Ch]
		mov	ds:dword_AB1D0C, eax
		mov	eax, [ebp+arg_0]
		mov	ds:_VfBugcheckTmpData, 0C9h
		mov	ds:dword_AB1D04, 0Fh
		mov	eax, [eax+18h]
		mov	ds:dword_AB1D10, eax
		jmp	loc_A58818
; 

loc_A58955:				; CODE XREF: IovCallDriver(x,x,x)+16Aj
					; IovCallDriver(x,x,x)+171j ...
		push	edi
		mov	edx, esi
		mov	ecx, ebx
		call	_VfBeforeCallDriver@12 ; VfBeforeCallDriver(x,x,x)
		test	byte ptr _IopFunctionPointerMask, 2
		mov	edx, esi
		mov	[ebp+arg_0], eax
		mov	ecx, ebx
		jz	short loc_A58976
		call	@IopPerfCallDriver@8 ; IopPerfCallDriver(x,x)
		jmp	short loc_A5897B
; 

loc_A58976:				; CODE XREF: IovCallDriver(x,x,x)+1E2j
		call	IopfCallDriver

loc_A5897B:				; CODE XREF: IovCallDriver(x,x,x)+1E9j
		push	[ebp+arg_0]
		lea	esi, [edi+64h]
		mov	ecx, edi
		mov	edx, esi
		mov	[esi], eax
		call	_VfAfterCallDriver@12 ;	VfAfterCallDriver(x,x,x)
		mov	esi, [esi]
		mov	edx, edi
		mov	ecx, offset _ViIrpCallDriverDataList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		mov	eax, esi

loc_A5899C:				; CODE XREF: IovCallDriver(x,x,x)+32j
					; IovCallDriver(x,x,x)+3Cj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
@IovCallDriver@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall IovCompleteRequest(x, x)
@IovCompleteRequest@8 proc near		; CODE XREF: IofCompleteRequest:loc_5ECC99p

var_54		= dword	ptr -54h
var_40		= dword	ptr -40h
var_39		= byte ptr -39h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, ecx
		mov	[ebp+var_39], dl
		pop	esi
		xor	eax, eax
		lea	edi, [ebp+var_54]
		mov	ecx, esi
		rep stosd
		mov	ecx, ebx
		call	_IovpLogStackTrace@4 ; IovpLogStackTrace(x)
		xor	edi, edi
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A58A59
		cmp	_IovpDisabledWithoutReboot, edi
		jnz	short loc_A58A59
		mov	al, [ebx+22h]
		inc	al
		cmp	[ebx+23h], al
		jg	short loc_A589F2
		cmp	[ebx], si
		jz	short loc_A58A03

loc_A589F2:				; CODE XREF: IovCompleteRequest(x,x)+48j
		push	edi
		push	edi
		push	486h
		push	44h
		mov	edx, ebx
		pop	ecx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A58A03:				; CODE XREF: IovCompleteRequest(x,x)+4Dj
		mov	eax, [ebx+38h]
		test	eax, eax
		jz	short loc_A58A1A
		push	edi
		push	ebx
		push	eax
		push	7
		pop	edx
		mov	ecx, 0C9h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A58A1A:				; CODE XREF: IovCompleteRequest(x,x)+65j
		mov	eax, [ebx+18h]
		cmp	eax, 103h
		jz	short loc_A58A29
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_A58A38

loc_A58A29:				; CODE XREF: IovCompleteRequest(x,x)+7Fj
		push	edi
		push	ebx
		push	eax
		mov	edx, esi
		mov	ecx, 0C9h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A58A38:				; CODE XREF: IovCompleteRequest(x,x)+84j
		mov	esi, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		call	esi
		cmp	al, 2
		jbe	short loc_A58A59
		push	edi
		push	ebx
		call	esi
		movzx	eax, al
		mov	ecx, 0C9h
		push	eax
		push	0Eh
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A58A59:				; CODE XREF: IovCompleteRequest(x,x)+36j
					; IovCompleteRequest(x,x)+3Ej ...
		mov	eax, [ebp+4]
		mov	ecx, ebx
		mov	dl, [ebp+var_39]
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_54]
		push	eax
		call	_IovpCompleteRequest1@12 ; IovpCompleteRequest1(x,x,x)
		cmp	_IovpDisabledWithoutReboot, edi
		jz	short loc_A58A7A
		cmp	[ebp+var_54], edi
		jz	short loc_A58ABE

loc_A58A7A:				; CODE XREF: IovCompleteRequest(x,x)+D0j
		mov	al, [ebx+23h]
		cmp	al, [ebx+22h]
		jg	short loc_A58ABE
		cmp	dword ptr [ebx+18h], 0
		lea	eax, [ebp+var_54]
		mov	edx, [ebx+60h]
		lea	edi, [ebp+var_28]
		mov	[ebp+var_30], eax
		mov	esi, edx
		push	9
		pop	ecx
		mov	eax, [edx+20h]
		mov	[ebp+var_34], eax
		mov	[ebp+var_38], edx
		rep movsd
		mov	al, [edx+3]
		jl	short loc_A58AD3
		test	al, 40h
		jz	short loc_A58AD7

loc_A58AAB:				; CODE XREF: IovCompleteRequest(x,x)+132j
					; IovCompleteRequest(x,x)+13Cj
		mov	eax, [edx+1Ch]
		mov	[ebp+var_2C], eax

loc_A58AB1:				; CODE XREF: IovCompleteRequest(x,x)+146j
		lea	eax, [ebp+var_38]
		mov	dword ptr [edx+1Ch], offset _IovpLocalCompletionRoutine@12 ; IovpLocalCompletionRoutine(x,x,x)
		mov	[edx+20h], eax

loc_A58ABE:				; CODE XREF: IovCompleteRequest(x,x)+D5j
					; IovCompleteRequest(x,x)+DDj
		test	byte ptr _IopFunctionPointerMask, 2
		mov	ecx, ebx
		mov	dl, [ebp+var_39]
		jz	short loc_A58AEB
		call	@IopPerfCompleteRequest@8 ; IopPerfCompleteRequest(x,x)
		jmp	short loc_A58AF0
; 

loc_A58AD3:				; CODE XREF: IovCompleteRequest(x,x)+102j
		test	al, al
		js	short loc_A58AAB

loc_A58AD7:				; CODE XREF: IovCompleteRequest(x,x)+106j
		cmp	byte ptr [ebx+24h], 0
		jz	short loc_A58AE1
		test	al, 20h
		jnz	short loc_A58AAB

loc_A58AE1:				; CODE XREF: IovCompleteRequest(x,x)+138j
		and	[ebp+var_2C], 0
		or	byte ptr [edx+3], 0E0h
		jmp	short loc_A58AB1
; 

loc_A58AEB:				; CODE XREF: IovCompleteRequest(x,x)+127j
		call	@IopfCompleteRequest@8 ; IopfCompleteRequest(x,x)

loc_A58AF0:				; CODE XREF: IovCompleteRequest(x,x)+12Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
@IovCompleteRequest@8 endp


;  S U B	R O U T	I N E 


; __fastcall IovpCallDriverNoIrpTracking(x, x, x)
@IovpCallDriverNoIrpTracking@12	proc near ; CODE XREF: IovCallDriver(x,x,x)+BDp
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	0
		mov	esi, edx
		mov	edi, ecx
		call	_VfBeforeCallDriver@12 ; VfBeforeCallDriver(x,x,x)
		test	byte ptr _IopFunctionPointerMask, 2
		mov	ebx, eax
		mov	edx, esi
		mov	ecx, edi
		jz	short loc_A58B26
		call	@IopPerfCallDriver@8 ; IopPerfCallDriver(x,x)
		jmp	short loc_A58B2B
; 

loc_A58B26:				; CODE XREF: IovpCallDriverNoIrpTracking(x,x,x)+1Ej
		call	IopfCallDriver

loc_A58B2B:				; CODE XREF: IovpCallDriverNoIrpTracking(x,x,x)+25j
		mov	ecx, ebx
		mov	esi, eax
		call	_VfDeadlockAfterCallDriver@4 ; VfDeadlockAfterCallDriver(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ecx
		retn	4
@IovpCallDriverNoIrpTracking@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall IovpCallDriverWithStackBuffer(x, x, x)
@IovpCallDriverWithStackBuffer@12 proc near ; CODE XREF: IovCallDriver(x,x,x)+A7p

var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_23		= byte ptr -23h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [ebp+var_78]
		push	edi
		push	6Ch		; size_t
		push	0		; int
		push	eax		; void *
		mov	edi, edx
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_20], ebx
		cmp	word ptr [edi],	6
		mov	edx, 400000h
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], esi
		jz	short loc_A58BC2
		test	_MmVerifierData, edx
		jnz	short loc_A58BC2
		mov	ecx, offset _VfBugcheckTmpDataLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	[ebp+var_23], al
		mov	ds:_VfBugcheckTmpData, 0C9h
		mov	ds:dword_AB1D04, 3
		mov	ds:dword_AB1D08, edi

loc_A58BAF:				; CODE XREF: IovpCallDriverWithStackBuffer(x,x,x)+BFj
		and	ds:dword_AB1D0C, 0
		and	ds:dword_AB1D10, 0

loc_A58BBD:				; CODE XREF: IovpCallDriverWithStackBuffer(x,x,x)+11Cj
		call	_VfBugCheckNoStackUsage@0 ; VfBugCheckNoStackUsage()

loc_A58BC2:				; CODE XREF: IovpCallDriverWithStackBuffer(x,x,x)+41j
					; IovpCallDriverWithStackBuffer(x,x,x)+49j
		mov	ecx, ebx
		call	_IovpValidateDeviceObject@4 ; IovpValidateDeviceObject(x)
		test	al, al
		jnz	short loc_A58BFE
		test	_MmVerifierData, edx
		jnz	short loc_A58BFE
		mov	ecx, offset _VfBugcheckTmpDataLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	[ebp+var_23], al
		mov	ds:_VfBugcheckTmpData, 0C9h
		mov	ds:dword_AB1D04, 4
		mov	ds:dword_AB1D08, ebx
		jmp	short loc_A58BAF
; 

loc_A58BFE:				; CODE XREF: IovpCallDriverWithStackBuffer(x,x,x)+8Ej
					; IovpCallDriverWithStackBuffer(x,x,x)+96j
		mov	esi, [edi+60h]
		cmp	byte ptr [esi-24h], 0
		jnz	short loc_A58C5E
		mov	eax, [esi-0Ch]
		test	eax, eax
		jz	short loc_A58C5E
		mov	eax, [eax+2Ch]
		mov	ecx, 204000h
		and	eax, ecx
		cmp	eax, ecx
		jnz	short loc_A58C5E
		test	_MmVerifierData, edx
		jnz	short loc_A58C5E
		mov	ecx, offset _VfBugcheckTmpDataLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	[ebp+var_23], al
		mov	eax, [esi-0Ch]
		mov	ds:_VfBugcheckTmpData, 0C9h
		mov	ds:dword_AB1D04, 0Fh
		mov	ds:dword_AB1D08, ebx
		mov	ds:dword_AB1D0C, edi
		mov	ds:dword_AB1D10, eax
		jmp	loc_A58BBD
; 

loc_A58C5E:				; CODE XREF: IovpCallDriverWithStackBuffer(x,x,x)+C8j
					; IovpCallDriverWithStackBuffer(x,x,x)+CFj ...
		lea	eax, [ebp+var_78]
		mov	edx, edi
		push	eax
		mov	ecx, ebx
		call	_VfBeforeCallDriver@12 ; VfBeforeCallDriver(x,x,x)
		test	byte ptr _IopFunctionPointerMask, 2
		mov	esi, eax
		mov	edx, edi
		mov	ecx, ebx
		jz	short loc_A58C81
		call	@IopPerfCallDriver@8 ; IopPerfCallDriver(x,x)
		jmp	short loc_A58C86
; 

loc_A58C81:				; CODE XREF: IovpCallDriverWithStackBuffer(x,x,x)+13Bj
		call	IopfCallDriver

loc_A58C86:				; CODE XREF: IovpCallDriverWithStackBuffer(x,x,x)+142j
		push	esi
		lea	edx, [ebp+var_7C]
		mov	[ebp+var_7C], eax
		lea	ecx, [ebp+var_78]
		call	_VfAfterCallDriver@12 ;	VfAfterCallDriver(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_7C]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
@IovpCallDriverWithStackBuffer@12 endp


;  S U B	R O U T	I N E 


; __stdcall IoVerifierCheckForSettingsChange(x)
_IoVerifierCheckForSettingsChange@4 proc near ;	CODE XREF: IoVerifierInit(x)+1Bj
					; ViSettingsIoCheckForChanges(x)+31p
		xor	eax, eax
		inc	eax
		push	esi
		test	cl, 10h
		jz	short loc_A58D17
		mov	ecx, offset _IovpEnabledInThePast
		xchg	eax, [ecx]
		xor	eax, eax
		mov	ecx, offset _IovpDisabledWithoutReboot
		xchg	eax, [ecx]
		cmp	_IovIrpTraces, 0
		jnz	short loc_A58D1E
		mov	eax, _IovIrpTracesLength
		test	eax, eax
		jz	short loc_A58D1E
		push	2
		pop	esi

loc_A58CD7:				; CODE XREF: IoVerifierCheckForSettingsChange(x)+3Aj
		cmp	esi, eax
		jnb	short loc_A58CE5
		add	esi, esi
		cmp	esi, 100000h
		jb	short loc_A58CD7

loc_A58CE5:				; CODE XREF: IoVerifierCheckForSettingsChange(x)+30j
		push	20h
		mov	_IovIrpTracesLength, esi
		push	54496656h
		shl	esi, 6
		push	esi
		push	200h
		call	ExAllocatePoolWithTagPriority
		mov	_IovIrpTraces, eax
		test	eax, eax
		jz	short loc_A58D1E
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		pop	esi
		retn
; 

loc_A58D17:				; CODE XREF: IoVerifierCheckForSettingsChange(x)+7j
		mov	ecx, offset _IovpDisabledWithoutReboot
		xchg	eax, [ecx]

loc_A58D1E:				; CODE XREF: IoVerifierCheckForSettingsChange(x)+20j
					; IoVerifierCheckForSettingsChange(x)+29j ...
		pop	esi
		retn
_IoVerifierCheckForSettingsChange@4 endp


;  S U B	R O U T	I N E 


; __stdcall IoVerifierInit(x)
_IoVerifierInit@4 proc near		; CODE XREF: VfInitSystemNoRebootNeeded(x,x)+EBp
					; sub_AE213B+43p
		test	byte ptr _MmVerifierData, 10h
		push	esi
		mov	esi, ecx
		jz	short loc_A58D40
		xor	ecx, ecx
		mov	dl, 1
		push	0
		inc	ecx
		call	_IopUpdateFunctionPointers@12 ;	IopUpdateFunctionPointers(x,x,x)
		mov	ecx, esi
		pop	esi
		jmp	_IoVerifierCheckForSettingsChange@4 ; IoVerifierCheckForSettingsChange(x)
; 

loc_A58D40:				; CODE XREF: IoVerifierInit(x)+Aj
		pop	esi
		retn
_IoVerifierInit@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovAllocateIrp(x, x, x, x)
_IovAllocateIrp@16 proc	near		; CODE XREF: IoAllocateIrp+1756F1p
					; IopAllocateIrpExReturn+C6B8Dp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	ecx, ecx
		call	_IovpLogStackTrace@4 ; IovpLogStackTrace(x)
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		jnz	short loc_A58D61
		xor	edi, edi
		jmp	short loc_A58D64
; 

loc_A58D61:				; CODE XREF: IovAllocateIrp(x,x,x,x)+19j
		lea	edi, [esi+10h]

loc_A58D64:				; CODE XREF: IovAllocateIrp(x,x,x,x)+1Dj
		mov	cl, byte ptr [ebp+arg_4]
		xor	ebx, ebx
		add	cl, 2
		mov	[ebp+var_4], edi
		mov	byte ptr [ebp+arg_4], cl
		cmp	ds:_VfIoDisabled, ebx
		jnz	short loc_A58DAE
		mov	eax, [ebp+arg_8]
		push	[ebp+arg_C]
		movzx	edx, al
		call	_ViIrpAllocateLockedPacket@12 ;	ViIrpAllocateLockedPacket(x,x,x)
		test	eax, eax
		jz	short loc_A58DAE
		mov	ebx, [eax]
		test	edi, edi
		jnz	short loc_A58D97
		and	[eax+4Ch], edi
		jmp	short loc_A58DA7
; 

loc_A58D97:				; CODE XREF: IovAllocateIrp(x,x,x,x)+4Ej
		mov	esi, edi
		lea	edi, [eax+4Ch]
		push	8
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_8]
		mov	edi, [ebp+var_4]

loc_A58DA7:				; CODE XREF: IovAllocateIrp(x,x,x,x)+53j
		mov	ecx, eax
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)

loc_A58DAE:				; CODE XREF: IovAllocateIrp(x,x,x,x)+36j
					; IovAllocateIrp(x,x,x,x)+48j
		test	ebx, ebx
		jnz	short loc_A58DD9
		push	offset IopAllocateIrpPrivate
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvIoAllocateIrp ;	XdvIoAllocateIrp(x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A58DD9
		push	ecx
		mov	edx, edi
		mov	ecx, ebx
		call	_VfIoAllocateIrp2@12 ; VfIoAllocateIrp2(x,x,x)

loc_A58DD9:				; CODE XREF: IovAllocateIrp(x,x,x,x)+6Ej
					; IovAllocateIrp(x,x,x,x)+8Bj
		test	esi, esi
		jz	short loc_A58DDF
		mov	[esi], ebx

loc_A58DDF:				; CODE XREF: IovAllocateIrp(x,x,x,x)+99j
		test	ebx, ebx
		jz	short loc_A58E05
		add	dword ptr [ebx+60h], 0FFFFFFB8h
		mov	eax, [ebx+60h]
		add	byte ptr [ebx+23h], 0FEh
		add	byte ptr [ebx+22h], 0FEh
		mov	[ebx+68h], eax
		call	IopIsActivityTracingEnabled
		test	al, al
		jz	short loc_A58E05
		mov	ecx, ebx
		call	_IopInitActivityIdIrp@4	; IopInitActivityIdIrp(x)

loc_A58E05:				; CODE XREF: IovAllocateIrp(x,x,x,x)+9Fj
					; IovAllocateIrp(x,x,x,x)+BAj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
_IovAllocateIrp@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovAllocateMdl(x, x, x, x, x, x)
_IovAllocateMdl@24 proc	near		; DATA XREF: VerifierIoAllocateMdl(x,x,x,x,x):loc_A5D10Ao
					; VerifierPortIoAllocateMdl(x,x,x,x,x,x):loc_A5D3B1o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, ebx
		push	[ebp+arg_14]
		add	edi, 0FFFh
		and	esi, 0FFFh
		add	edi, esi
		shr	edi, 0Ch
		push	20h
		push	6C644D56h
		lea	eax, ds:1Ch[edi*4]
		push	eax
		push	280h
		call	_VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_A58E9E
		and	dword ptr [edx], 0
		lea	ecx, ds:1Ch[edi*4]
		xor	eax, eax
		mov	[edx+18h], esi
		mov	esi, [ebp+arg_10]
		and	ebx, 0FFFFF000h
		mov	[edx+6], ax
		mov	eax, [ebp+arg_4]
		mov	[edx+4], cx
		mov	[edx+10h], ebx
		mov	[edx+14h], eax
		test	esi, esi
		jz	short loc_A58E9E
		cmp	[ebp+arg_8], 0
		jnz	short loc_A58E89
		mov	[esi+4], edx
		jmp	short loc_A58E9E
; 

loc_A58E89:				; CODE XREF: IovAllocateMdl(x,x,x,x,x,x)+74j
		mov	esi, [esi+4]
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_A58E9C

loc_A58E92:				; CODE XREF: IovAllocateMdl(x,x,x,x,x,x)+8Cj
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_A58E92

loc_A58E9C:				; CODE XREF: IovAllocateMdl(x,x,x,x,x,x)+82j
		mov	[esi], edx

loc_A58E9E:				; CODE XREF: IovAllocateMdl(x,x,x,x,x,x)+41j
					; IovAllocateMdl(x,x,x,x,x,x)+6Ej ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		pop	ebp
		retn	18h
_IovAllocateMdl@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovAllocateWorkItem(x, x)
_IovAllocateWorkItem@8 proc near	; DATA XREF: VerifierIoAllocateWorkItem(x)+5o
					; VerifierPortIoAllocateWorkItem(x,x)+5o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	20h
		push	69776656h
		push	34h
		push	280h
		call	_VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A58EE4
		mov	ecx, [ebp+arg_0]
		and	dword ptr [eax+1Ch], 0
		and	dword ptr [eax], 0
		mov	[eax+14h], ecx
		mov	dword ptr [eax+20h], 1
		mov	dword ptr [eax+8], offset IopProcessWorkItem
		mov	[eax+0Ch], eax

loc_A58EE4:				; CODE XREF: IovAllocateWorkItem(x,x)+1Dj
		pop	ebp
		retn	8
_IovAllocateWorkItem@8 endp


;  S U B	R O U T	I N E 


; __stdcall IovAttachDeviceToDeviceStack(x, x)
_IovAttachDeviceToDeviceStack@8	proc near
					; CODE XREF: IopAttachDeviceToDeviceStackSafe+D4039p
		cmp	ds:_VfIoDisabled, 0
		push	esi
		mov	esi, edx
		jnz	short loc_A58F04
		mov	ecx, [ecx+8]
		call	_VfXdvDriverCaptureIoCallbacks@4 ; VfXdvDriverCaptureIoCallbacks(x)
		mov	ecx, esi
		pop	esi
		jmp	_IovUtilFlushStackCache@8 ; IovUtilFlushStackCache(x,x)
; 

loc_A58F04:				; CODE XREF: IovAttachDeviceToDeviceStack(x,x)+Aj
		pop	esi
		retn
_IovAttachDeviceToDeviceStack@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovBuildAsynchronousFsdRequest(x, x, x, x, x, x)
_IovBuildAsynchronousFsdRequest@24 proc	near ; DATA XREF: PAGEVRFD:00AAB524o

var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		push	10h
		push	offset dword_6A8290
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		push	offset IopBuildAsynchronousFsdRequest
		push	dword ptr [ebp+4]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_XdvIopBuildAsynchronousFsdRequest@32 ;	XdvIopBuildAsynchronousFsdRequest(x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jz	short loc_A58F45
		mov	ecx, esi
		call	_VfSetIoBuildRequest@4 ; VfSetIoBuildRequest(x)

loc_A58F45:				; CODE XREF: IovBuildAsynchronousFsdRequest(x,x,x,x,x,x)+36j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_IovBuildAsynchronousFsdRequest@24 endp


;  S U B	R O U T	I N E 


sub_A58F60	proc near		; DATA XREF: .text:006A82A4o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_A58F60	endp


;  S U B	R O U T	I N E 


sub_A58F6E	proc near		; DATA XREF: .text:006A82A8o
		mov	esp, [ebp-18h]
		push	dword ptr [ebp-1Ch]
		push	dword ptr [ebp+8]
		push	dword ptr [ebp+0Ch]
		push	8
		push	0C9h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
sub_A58F6E	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovBuildDeviceIoControlRequest(x, x, x, x, x, x, x,	x, x)
_IovBuildDeviceIoControlRequest@36 proc	near ; DATA XREF: PAGEVRFD:00AAB50Co

var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		push	10h
		push	offset dword_6A8250
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		push	offset IopBuildDeviceIoControlRequest
		push	dword ptr [ebp+4]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvIoBuildDeviceIoControlRequest ;	XdvIoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jz	short loc_A58FD0
		mov	ecx, esi
		call	_VfSetIoBuildRequest@4 ; VfSetIoBuildRequest(x)

loc_A58FD0:				; CODE XREF: IovBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)+40j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
_IovBuildDeviceIoControlRequest@36 endp


;  S U B	R O U T	I N E 


sub_A58FEB	proc near		; DATA XREF: .text:006A8264o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_A58FEB	endp


;  S U B	R O U T	I N E 


sub_A58FF9	proc near		; DATA XREF: .text:006A8268o
		mov	esp, [ebp-18h]
		push	dword ptr [ebp-1Ch]
		push	dword ptr [ebp+8]
		push	dword ptr [ebp+0Ch]
		push	9
		push	0C9h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
sub_A58FF9	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovBuildSynchronousFsdRequest(x, x,	x, x, x, x, x)
_IovBuildSynchronousFsdRequest@28 proc near ; DATA XREF: PAGEVRFD:00AAB53Co

var_20		= dword	ptr -20h
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		push	10h
		push	offset dword_6A8270
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		push	offset _IopBuildSynchronousFsdRequest@32 ; IopBuildSynchronousFsdRequest(x,x,x,x,x,x,x,x)
		push	dword ptr [ebp+4]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_XdvIoBuildSynchronousFsdRequest@36 ; XdvIoBuildSynchronousFsdRequest(x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_20], esi
		test	esi, esi
		jz	short loc_A59054
		mov	ecx, esi
		call	_VfSetIoBuildRequest@4 ; VfSetIoBuildRequest(x)

loc_A59054:				; CODE XREF: IovBuildSynchronousFsdRequest(x,x,x,x,x,x,x)+39j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, esi
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_IovBuildSynchronousFsdRequest@28 endp


;  S U B	R O U T	I N E 


sub_A5906F	proc near		; DATA XREF: .text:006A8284o
		mov	eax, [ebp-14h]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp-1Ch], eax
		xor	eax, eax
		inc	eax
		retn
sub_A5906F	endp


;  S U B	R O U T	I N E 


sub_A5907D	proc near		; DATA XREF: .text:006A8288o
		mov	esp, [ebp-18h]
		push	dword ptr [ebp-1Ch]
		push	dword ptr [ebp+8]
		push	dword ptr [ebp+0Ch]
		push	8
		push	0C9h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
sub_A5907D	endp


;  S U B	R O U T	I N E 


; __stdcall IovCancelIrp(x)
_IovCancelIrp@4	proc near		; CODE XREF: IoCancelIrp+E2F3Bp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_IovpLogStackTrace@4 ; IovpLogStackTrace(x)
		mov	ecx, esi
		call	_VfIrpDatabaseEntryFindAndLock@4 ; VfIrpDatabaseEntryFindAndLock(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A590C4
		mov	ecx, [esi+90h]
		test	ecx, ecx
		jz	short loc_A590BC
		call	_ViWdBeforeCancelIrp@4 ; ViWdBeforeCancelIrp(x)

loc_A590BC:				; CODE XREF: IovCancelIrp(x)+1Fj
		mov	ecx, esi
		pop	esi
		jmp	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)
; 

loc_A590C4:				; CODE XREF: IovCancelIrp(x)+15j
		pop	esi
		retn
_IovCancelIrp@4	endp


;  S U B	R O U T	I N E 


; __stdcall IovDeleteDevice(x, x)
_IovDeleteDevice@8 proc	near		; CODE XREF: IoDeleteDevice+D414Fp
		mov	edi, edi
		push	ecx
		call	_VfIoDeleteDevice@8 ; VfIoDeleteDevice(x,x)
		pop	ecx
		retn
_IovDeleteDevice@8 endp


;  S U B	R O U T	I N E 


; int __fastcall IovDetachDevice(int)
_IovDetachDevice@8 proc	near		; CODE XREF: IoDetachDevice+D41D1p
		cmp	ds:_VfIoDisabled, 0
		push	esi
		mov	esi, ecx
		jnz	short loc_A590F5
		cmp	dword ptr [esi+10h], 0
		jnz	short loc_A590ED
		push	esi		; int
		mov	ecx, 202h	; int
		call	_ViErrorReport8@12 ; ViErrorReport8(x,x,x)

loc_A590ED:				; CODE XREF: IovDetachDevice(x,x)+10j
		mov	ecx, esi
		pop	esi
		jmp	_IovUtilFlushStackCache@8 ; IovUtilFlushStackCache(x,x)
; 

loc_A590F5:				; CODE XREF: IovDetachDevice(x,x)+Aj
		pop	esi
		retn
_IovDetachDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovFreeIrpPrivate(x)
_IovFreeIrpPrivate@4 proc near		; CODE XREF: .text:loc_5248F6p
					; IoFreeIrp(x):loc_5263EFp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr _MmVerifierData, 10h
		push	esi
		push	edi
		mov	esi, ecx
		jz	short loc_A59140
		xor	edi, edi
		cmp	_IovpDisabledWithoutReboot, edi
		jnz	short loc_A59140
		cmp	word ptr [esi],	6
		jz	short loc_A59129
		push	edi
		push	edi
		xor	edx, edx
		mov	ecx, 0C9h
		push	esi
		inc	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A59129:				; CODE XREF: IovFreeIrpPrivate(x)+20j
		lea	eax, [esi+10h]
		cmp	[eax], eax
		jz	short loc_A59140
		push	edi
		push	edi
		push	esi
		push	2
		pop	edx
		mov	ecx, 0C9h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A59140:				; CODE XREF: IovFreeIrpPrivate(x)+10j
					; IovFreeIrpPrivate(x)+1Aj ...
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	_VfIoFreeIrp@8	; VfIoFreeIrp(x,x)
		test	eax, eax
		jnz	short loc_A59158
		mov	ecx, esi
		pop	edi
		pop	esi
		pop	ebp
		jmp	IopFreeIrp
; 

loc_A59158:				; CODE XREF: IovFreeIrpPrivate(x)+55j
		pop	edi
		pop	esi
		pop	ebp
		retn
_IovFreeIrpPrivate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovInitializeIrp(x,	x, x, x)
_IovInitializeIrp@16 proc near		; CODE XREF: IoInitializeIrp+D0F34p

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_VfIoDisabled, 0
		jnz	short loc_A59174
		mov	edx, [ebp+arg_4]
		push	0
		call	_VfIoInitializeIrp@12 ;	VfIoInitializeIrp(x,x,x)

loc_A59174:				; CODE XREF: IovInitializeIrp(x,x,x,x)+Cj
		pop	ebp
		retn	8
_IovInitializeIrp@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovInitializeTimer(x, x, x)
_IovInitializeTimer@12 proc near	; DATA XREF: PAGEVRFD:00AAB554o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr _MmVerifierData, 10h
		push	esi
		mov	esi, [ebp+arg_0]
		jz	short loc_A591A1
		xor	eax, eax
		cmp	[esi+18h], eax
		jz	short loc_A591A1
		push	eax
		push	eax
		push	esi
		push	0Ah
		pop	edx
		mov	ecx, 0C9h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A591A1:				; CODE XREF: IovInitializeTimer(x,x,x)+10j
					; IovInitializeTimer(x,x,x)+17j
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	ds:_pXdvIoInitializeTimer
		pop	esi
		pop	ebp
		retn	0Ch
_IovInitializeTimer@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovUnloadDrivers()
_IovUnloadDrivers@0 proc near		; CODE XREF: IoShutdownSystem(x)+BFp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		cmp	_PopShutdownCleanly, 0
		push	ebx
		push	esi
		push	edi
		jnz	short loc_A591D1
		mov	eax, 0C0000001h
		jmp	loc_A59293
; 

loc_A591D1:				; CODE XREF: IovUnloadDrivers()+12j
		and	_IovDriverListHead, 0
		xor	esi, esi
		push	ecx
		call	_ObEnumerateObjectsByType@12 ; ObEnumerateObjectsByType(x,x,x)
		mov	[ebp+var_8], eax

loc_A591E3:				; CODE XREF: IovUnloadDrivers()+61j
					; IovUnloadDrivers()+67j
		mov	edi, _IovDriverListHead
		test	edi, edi
		jz	short loc_A5921C
		mov	ecx, [edi]
		mov	_IovDriverListHead, ecx
		mov	ecx, [edi+4]
		call	_IovpUnloadDriver@4 ; IovpUnloadDriver(x)
		cmp	eax, 103h
		jz	short loc_A59216
		mov	ecx, [edi+4]
		call	ObfDereferenceObject
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A591E3
; 

loc_A59216:				; CODE XREF: IovUnloadDrivers()+4Fj
		mov	[edi], esi
		mov	esi, edi
		jmp	short loc_A591E3
; 

loc_A5921C:				; CODE XREF: IovUnloadDrivers()+38j
					; IovUnloadDrivers()+C1j
		xor	al, al
		xor	edi, edi
		mov	[ebp+var_1], al

loc_A59223:				; CODE XREF: IovUnloadDrivers()+90j
					; IovUnloadDrivers()+96j
		mov	ebx, esi
		test	esi, esi
		jz	short loc_A5924B
		mov	ecx, [ebx+4]
		mov	esi, [esi]
		test	byte ptr [ecx+8], 1
		jz	short loc_A59245
		call	ObfDereferenceObject
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, 1
		jmp	short loc_A59223
; 

loc_A59245:				; CODE XREF: IovUnloadDrivers()+7Fj
		mov	[ebx], edi
		mov	edi, ebx
		jmp	short loc_A59223
; 

loc_A5924B:				; CODE XREF: IovUnloadDrivers()+74j
		test	al, al
		jz	short loc_A59269
		or	[ebp+var_C], 0FFFFFFFFh
		lea	eax, [ebp+var_10]
		push	eax
		push	0
		mov	[ebp+var_10], 0FA0A1F00h
		call	_ZwDelayExecution@8 ; ZwDelayExecution(x,x)
		mov	al, 1
		jmp	short loc_A5926C
; 

loc_A59269:				; CODE XREF: IovUnloadDrivers()+9Aj
		mov	al, [ebp+var_1]

loc_A5926C:				; CODE XREF: IovUnloadDrivers()+B4j
		mov	esi, edi
		cmp	al, 1
		jnz	short loc_A59276
		test	edi, edi
		jnz	short loc_A5921C

loc_A59276:				; CODE XREF: IovUnloadDrivers()+BDj
					; IovUnloadDrivers()+DBj
		mov	edi, esi
		test	esi, esi
		jz	short loc_A59290
		mov	ecx, [edi+4]
		mov	esi, [esi]
		call	ObfDereferenceObject
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A59276
; 

loc_A59290:				; CODE XREF: IovUnloadDrivers()+C7j
		mov	eax, [ebp+var_8]

loc_A59293:				; CODE XREF: IovUnloadDrivers()+19j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IovUnloadDrivers@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpBuildDriverObjectList(x, x, x, x, x)
_IovpBuildDriverObjectList@20 proc near	; CODE XREF: ObEnumerateObjectsByType(x,x,x)+7Ap

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		call	_PnpIsLegacyDriver@4 ; PnpIsLegacyDriver(x)
		test	eax, eax
		jz	short loc_A592ED
		push	offset unk_6F7649
		push	8
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A592C8
		xor	al, al
		jmp	short loc_A592EF
; 

loc_A592C8:				; CODE XREF: IovpBuildDriverObjectList(x,x,x,x,x)+2Aj
		mov	ecx, edi
		call	@ObReferenceObjectSafe@4 ; ObReferenceObjectSafe(x)
		test	al, al
		jz	short loc_A592E5
		mov	[esi+4], edi
		mov	eax, _IovDriverListHead
		mov	[esi], eax
		mov	_IovDriverListHead, esi
		jmp	short loc_A592ED
; 

loc_A592E5:				; CODE XREF: IovpBuildDriverObjectList(x,x,x,x,x)+39j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A592ED:				; CODE XREF: IovpBuildDriverObjectList(x,x,x,x,x)+13j
					; IovpBuildDriverObjectList(x,x,x,x,x)+4Bj
		mov	al, 1

loc_A592EF:				; CODE XREF: IovpBuildDriverObjectList(x,x,x,x,x)+2Ej
		pop	edi
		pop	esi
		pop	ebp
		retn	14h
_IovpBuildDriverObjectList@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpCompleteRequest(x, x, x)
_IovpCompleteRequest@12	proc near	; CODE XREF: .text:00522A22p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	edi
		lea	esi, [ecx-40h]
		mov	edi, [eax+24h]
		mov	eax, [esi+28h]
		cmp	eax, edi
		jbe	short loc_A59331
		lea	ecx, [ebp+var_4]
		cmp	eax, ecx
		ja	short loc_A59331
		test	dword ptr [esi+8], 2000h
		jnz	short loc_A59331
		push	0
		push	esi
		push	eax
		push	0Ch
		pop	edx
		mov	ecx, 0C9h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A59331:				; CODE XREF: IovpCompleteRequest(x,x,x)+19j
					; IovpCompleteRequest(x,x,x)+20j ...
		mov	eax, [esi+2Ch]
		cmp	eax, edi
		jbe	short loc_A59350
		lea	edx, [ebp+var_4]
		cmp	eax, edx
		ja	short loc_A59350
		push	0
		push	esi
		push	eax
		push	0Dh
		pop	edx
		mov	ecx, 0C9h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A59350:				; CODE XREF: IovpCompleteRequest(x,x,x)+41j
					; IovpCompleteRequest(x,x,x)+48j
		pop	edi
		pop	esi
		leave
		retn	4
_IovpCompleteRequest@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpLocalCompletionRoutine(x, x, x)
_IovpLocalCompletionRoutine@12 proc near ; DATA	XREF: IovCompleteRequest(x,x)+111o
					; IovpLocalCompletionRoutine(x,x,x)+197o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ecx, edi
		mov	ebx, [esi]
		mov	al, [esi+11h]
		mov	[ebx+1], al
		mov	al, [esi+12h]
		mov	[ebx+2], al
		mov	al, [ebx+3]
		and	al, 2
		or	al, [esi+13h]
		mov	[ebx+3], al
		mov	eax, [esi+14h]
		mov	[ebx+4], eax
		mov	eax, [esi+18h]
		mov	[ebx+8], eax
		mov	eax, [esi+1Ch]
		mov	[ebx+0Ch], eax
		mov	eax, [esi+20h]
		mov	[ebx+10h], eax
		mov	eax, [esi+28h]
		mov	[ebx+18h], eax
		mov	eax, [esi+0Ch]
		mov	[ebx+1Ch], eax
		mov	eax, [esi+4]
		mov	[ebx+20h], eax
		mov	al, [edi+22h]
		mov	edx, [esi+8]
		inc	al
		mov	[ebp+var_2], al
		mov	al, [edi+23h]
		mov	[ebp+var_1], al
		call	_IovpCompleteRequest2@8	; IovpCompleteRequest2(x,x)
		xor	ecx, ecx
		cmp	byte ptr [ebx],	16h
		jz	short loc_A593E3
		mov	al, [ebx+3]
		and	al, 2
		mov	[ebx+1], cx
		or	al, 10h
		mov	[ebx+4], ecx
		mov	[ebx+3], al
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], ecx
		mov	[ebx+18h], ecx

loc_A593E3:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+71j
		mov	edx, [ebx+1Ch]
		test	edx, edx
		jnz	short loc_A59420
		cmp	[edi+21h], cl
		jz	short loc_A593FE
		mov	al, [edi+23h]
		cmp	al, [edi+22h]
		jg	short loc_A593FE
		mov	eax, [edi+60h]
		or	byte ptr [eax+3], 1

loc_A593FE:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+97j
					; IovpLocalCompletionRoutine(x,x,x)+9Fj
		push	dword ptr [ebx+20h]
		push	ecx
		push	ebx
		push	edi
		push	[ebp+arg_0]
		call	_VfPendingMoreProcessingRequired@20 ; VfPendingMoreProcessingRequired(x,x,x,x,x)
		mov	esi, eax
		neg	esi
		sbb	esi, esi
		and	esi, 0C0000016h
		mov	[ebp+arg_0], esi
		jmp	loc_A594A0
; 

loc_A59420:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+92j
		push	dword ptr [esi+8]
		mov	ecx, edi
		call	_IovpCompleteRequest3@12 ; IovpCompleteRequest3(x,x,x)
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A5943D
		call	_VfIoCompletionSnapState@0 ; VfIoCompletionSnapState()
		mov	[ebp+var_C], eax
		jmp	short loc_A59441
; 

loc_A5943D:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+DBj
		and	[ebp+var_C], 0

loc_A59441:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+E5j
		mov	esi, [ebx+1Ch]
		mov	eax, [ebx+20h]
		push	eax
		push	esi
		push	ebx
		push	edi
		push	[ebp+arg_0]
		mov	[ebp+var_8], esi
		mov	[ebp+var_10], eax
		call	_VfPendingMoreProcessingRequired@20 ; VfPendingMoreProcessingRequired(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A5946F
		mov	esi, 0C0000016h
		mov	eax, offset _VfPendingMoreProcessingRequired@20	; VfPendingMoreProcessingRequired(x,x,x,x,x)
		mov	[ebp+arg_0], esi
		mov	[ebp+var_8], eax
		jmp	short loc_A59480
; 

loc_A5946F:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+105j
		push	[ebp+var_10]
		push	edi
		push	[ebp+arg_0]
		call	esi
		mov	esi, eax
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_8]

loc_A59480:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+117j
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	short loc_A5948E
		mov	edx, eax
		call	_VfIoCompletionCheckState@8 ; VfIoCompletionCheckState(x,x)

loc_A5948E:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+12Fj
		mov	eax, [ebp+arg_8]
		mov	edx, esi
		mov	ecx, edi
		push	dword ptr [eax+8]
		push	[ebp+var_8]
		call	_IovpCompleteRequest4@16 ; IovpCompleteRequest4(x,x,x,x)

loc_A594A0:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+C5j
		mov	eax, [ebp+arg_8]
		mov	ecx, [eax+8]
		call	_IovpCompleteRequest5@4	; IovpCompleteRequest5(x)
		cmp	esi, 0C0000016h
		jz	short loc_A594F7
		mov	al, [ebp+var_1]
		cmp	al, [ebp+var_2]
		jz	short loc_A594F7
		mov	edx, [ebp+arg_8]
		add	ebx, 24h
		push	9
		pop	ecx
		mov	esi, ebx
		mov	[edx], ebx
		lea	edi, [edx+10h]
		mov	eax, [ebx+20h]
		mov	[edx+4], eax
		mov	eax, [ebp+arg_4]
		rep movsd
		cmp	dword ptr [eax+18h], 0
		mov	cl, [ebx+3]
		jl	short loc_A59500
		test	cl, 40h
		jz	short loc_A59504

loc_A594E4:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+1ACj
					; IovpLocalCompletionRoutine(x,x,x)+1B7j
		mov	eax, [ebx+1Ch]
		mov	[edx+0Ch], eax

loc_A594EA:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+1C1j
		mov	esi, [ebp+arg_0]
		mov	dword ptr [ebx+1Ch], offset _IovpLocalCompletionRoutine@12 ; IovpLocalCompletionRoutine(x,x,x)
		mov	[ebx+20h], edx

loc_A594F7:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+15Bj
					; IovpLocalCompletionRoutine(x,x,x)+163j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_A59500:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+187j
		test	cl, cl
		js	short loc_A594E4

loc_A59504:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+18Cj
		cmp	byte ptr [eax+24h], 0
		jz	short loc_A5950F
		test	cl, 20h
		jnz	short loc_A594E4

loc_A5950F:				; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+1B2j
		and	dword ptr [edx+0Ch], 0
		or	byte ptr [ebx+3], 0E0h
		jmp	short loc_A594EA
_IovpLocalCompletionRoutine@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpLogStackCallout(x)
_IovpLogStackCallout@4 proc near	; CODE XREF: IovpLogStackTrace(x)+72p
					; DATA XREF: IovpLogStackTrace(x)+5Do

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	0
		lea	eax, [esi+10h]
		push	eax
		push	0Ch
		push	2
		call	RtlCaptureStackBackTrace
		movzx	eax, ax
		cmp	eax, 0Ch
		jnb	short loc_A5953E
		and	dword ptr [esi+eax*4+10h], 0

loc_A5953E:				; CODE XREF: IovpLogStackCallout(x)+1Ej
		pop	esi
		pop	ebp
		retn	4
_IovpLogStackCallout@4 endp


;  S U B	R O U T	I N E 


; __stdcall IovpLogStackTrace(x)
_IovpLogStackTrace@4 proc near		; CODE XREF: IoReuseIrp(x,x)+49p
					; IovCompleteRequest(x,x)+28p ...
		cmp	_IovIrpTraces, 0
		mov	edx, ecx
		jnz	short loc_A59551
		xor	eax, eax
		retn
; 

loc_A59551:				; CODE XREF: IovpLogStackTrace(x)+9j
		xor	ecx, ecx
		push	esi
		inc	ecx
		lock xadd _IovIrpTracesIndex, ecx
		inc	ecx
		mov	esi, _IovIrpTracesLength
		mov	eax, large fs:124h
		dec	esi
		and	esi, ecx
		shl	esi, 6
		add	esi, _IovIrpTraces
		mov	[esi], edx
		mov	[esi+4], eax
		mov	eax, [eax+13Ch]
		mov	[esi+8], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[esi+0Ch], al
		cmp	al, 1
		ja	short loc_A595B4
		call	_RtlEnoughStackSpaceForStackCapture@0 ;	RtlEnoughStackSpaceForStackCapture()
		test	eax, eax
		jnz	short loc_A595B4
		push	218h
		push	esi
		push	offset _IovpLogStackCallout@4 ;	IovpLogStackCallout(x)
		call	_KeExpandKernelStackAndCallout@12 ; KeExpandKernelStackAndCallout(x,x,x)
		test	eax, eax
		jns	short loc_A595BA
		and	dword ptr [esi+10h], 0
		jmp	short loc_A595BA
; 

loc_A595B4:				; CODE XREF: IovpLogStackTrace(x)+4Cj
					; IovpLogStackTrace(x)+55j
		push	esi
		call	_IovpLogStackCallout@4 ; IovpLogStackCallout(x)

loc_A595BA:				; CODE XREF: IovpLogStackTrace(x)+69j
					; IovpLogStackTrace(x)+6Fj
		mov	eax, esi
		pop	esi
		retn
_IovpLogStackTrace@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpUnloadDriver(x)
_IovpUnloadDriver@4 proc near		; CODE XREF: IovUnloadDrivers()+45p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		mov	byte ptr [ebp+var_1], bl
		cmp	[esi+34h], ebx
		jnz	short loc_A595DE
		mov	eax, 0C0000010h
		jmp	loc_A59675
; 

loc_A595DE:				; CODE XREF: IovpUnloadDriver(x)+14j
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		lea	edx, [ebp+var_1]
		mov	ecx, esi
		call	IopCheckUnloadDriver
		test	eax, eax
		jns	short loc_A59670
		mov	ecx, esi
		call	ObfDereferenceObject
		cmp	byte ptr [ebp+var_1], bl
		jz	short loc_A59670
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	eax, ds:_PsInitialSystemProcess
		jnz	short loc_A59617
		push	esi
		call	dword ptr [esi+34h]
		jmp	short loc_A5965F
; 

loc_A59617:				; CODE XREF: IovpUnloadDriver(x)+51j
		push	ebx
		push	ebx
		lea	eax, [ebp+var_20]
		mov	[ebp+var_2C], ebx
		push	eax
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_30]
		mov	[ebp+var_10], esi
		push	1
		push	eax
		mov	[ebp+var_28], offset _IopLoadUnloadDriver@4 ; IopLoadUnloadDriver(x)
		mov	[ebp+var_24], eax
		mov	[ebp+var_30], ebx
		call	ExQueueWorkItem
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_20]
		push	eax
		call	KeWaitForSingleObject

loc_A5965F:				; CODE XREF: IovpUnloadDriver(x)+57j
		push	esi
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)
		mov	ecx, esi
		call	ObfDereferenceObject
		xor	eax, eax
		jmp	short loc_A59675
; 

loc_A59670:				; CODE XREF: IovpUnloadDriver(x)+31j
					; IovpUnloadDriver(x)+3Dj
		mov	eax, 103h

loc_A59675:				; CODE XREF: IovpUnloadDriver(x)+1Bj
					; IovpUnloadDriver(x)+B0j
		pop	esi
		pop	ebx
		leave
		retn
_IovpUnloadDriver@4 endp


;  S U B	R O U T	I N E 


; __stdcall IovpValidateDeviceObject(x)
_IovpValidateDeviceObject@4 proc near	; CODE XREF: IovCallDriver(x,x,x)+127p
					; IovpCallDriverWithStackBuffer(x,x,x)+87p
		test	ecx, ecx
		jz	short loc_A59692
		cmp	word ptr [ecx],	3
		jnz	short loc_A59692
		cmp	dword ptr [ecx+8], 0
		jz	short loc_A59692
		cmp	dword ptr [ecx+4], 0
		jl	short loc_A59692
		mov	al, 1
		retn
; 

loc_A59692:				; CODE XREF: IovpValidateDeviceObject(x)+2j
					; IovpValidateDeviceObject(x)+8j ...
		xor	al, al
		retn
_IovpValidateDeviceObject@4 endp


;  S U B	R O U T	I N E 


; __fastcall PpvUtilGetDevnodeRemovalOption(x)
@PpvUtilGetDevnodeRemovalOption@4 proc near ; CODE XREF: IovpCallDriver2(x,x)+8Ep
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_A596BA
		mov	eax, [eax+10Ch]
		test	al, 10h
		jz	short loc_A596B0
		xor	eax, eax
		inc	eax
		retn
; 

loc_A596B0:				; CODE XREF: PpvUtilGetDevnodeRemovalOption(x)+15j
		test	eax, 10000h
		jz	short loc_A596BA
		xor	eax, eax
		retn
; 

loc_A596BA:				; CODE XREF: PpvUtilGetDevnodeRemovalOption(x)+Bj
					; PpvUtilGetDevnodeRemovalOption(x)+20j
		push	2
		pop	eax
		retn
@PpvUtilGetDevnodeRemovalOption@4 endp


;  S U B	R O U T	I N E 


; __fastcall PpvUtilIsHardwareBeingVerified(x)
@PpvUtilIsHardwareBeingVerified@4 proc near ; CODE XREF: VfFailDeviceNode+8183Ap
					; VfIsVerificationEnabled+81891p
		test	ecx, ecx
		jz	short loc_A596E6
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_A596E6
		mov	eax, [eax+10Ch]
		test	eax, 20000h
		jnz	short loc_A596E6
		test	eax, 8000h
		jz	short loc_A596E6
		mov	al, 1
		retn
; 

loc_A596E6:				; CODE XREF: PpvUtilIsHardwareBeingVerified(x)+2j
					; PpvUtilIsHardwareBeingVerified(x)+Fj	...
		xor	al, al
		retn
@PpvUtilIsHardwareBeingVerified@4 endp


;  S U B	R O U T	I N E 


; __fastcall PpvUtilIsPdo(x)
@PpvUtilIsPdo@4	proc near		; CODE XREF: IovUtilIsPdo(x):loc_A6405Ep
					; IovUtilIsWdmStack(x)+Ap
		test	ecx, ecx
		jz	short loc_A59709
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+14h]
		test	eax, eax
		jz	short loc_A59709
		test	dword ptr [eax+10Ch], 20000h
		jnz	short loc_A59709
		mov	al, 1
		retn
; 

loc_A59709:				; CODE XREF: PpvUtilIsPdo(x)+2j
					; PpvUtilIsPdo(x)+Fj ...
		xor	al, al
		retn
@PpvUtilIsPdo@4	endp


;  S U B	R O U T	I N E 


; __stdcall MmEnableVerifierAllDrivers()
_MmEnableVerifierAllDrivers@0 proc near	; CODE XREF: VfAddVerifierEntry(x)+62p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	esi, eax
		call	_VfDriverEnableVerifierForAll@0	; VfDriverEnableVerifierForAll()
		mov	ecx, esi
		mov	edi, eax
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ecx
		retn
_MmEnableVerifierAllDrivers@0 endp


;  S U B	R O U T	I N E 


; __stdcall MmEnableVerifierForDriver(x, x)
_MmEnableVerifierForDriver@8 proc near	; CODE XREF: VfAddVerifierEntry(x)+84p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		and	dword ptr [esi], 0
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		push	esi
		xor	edx, edx
		mov	ecx, ebx
		mov	edi, eax
		call	_VfDriverEnableVerifier@12 ; VfDriverEnableVerifier(x,x,x)
		mov	ecx, edi
		mov	esi, eax
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_MmEnableVerifierForDriver@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmVerifierTrimMemory()
_MmVerifierTrimMemory@0	proc near	; CODE XREF: ViKeRaiseIrqlSanityChecks(x,x)+AAp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_10]
		push	eax
		call	KeQueryTickCount
		mov	eax, _MmVerifierTrimFrequency
		test	[ebp+var_10], eax
		jnz	locret_A5980C
		lea	edx, [ebp+var_8]
		lea	ecx, [ebp+var_4]
		call	_RtlpGetStackLimits@8 ;	RtlpGetStackLimits(x,x)
		test	al, al
		jz	short locret_A5980C
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		sub	eax, [ebp+var_4]
		cmp	eax, 818h
		jbe	short locret_A5980C
		inc	dword_6C6E60
		xor	eax, eax
		push	ebx
		mov	ebx, _ViTrimSpaces
		test	ebx, ebx
		sets	al
		mov	[ebp+var_4], eax
		test	bl, 1
		jz	short loc_A597D6
		mov	edx, eax
		xor	ecx, ecx
		call	_MiTrimAllSystemPagableMemory@8	; MiTrimAllSystemPagableMemory(x,x)
		cmp	eax, 1
		mov	eax, [ebp+var_4]
		jnz	short loc_A597D6
		inc	dword_6C6E64

loc_A597D6:				; CODE XREF: MmVerifierTrimMemory()+65j
					; MmVerifierTrimMemory()+76j
		test	bl, 2
		jz	short loc_A597F0
		xor	ecx, ecx
		mov	edx, eax
		inc	ecx
		call	_MiTrimAllSystemPagableMemory@8	; MiTrimAllSystemPagableMemory(x,x)
		cmp	eax, 1
		jnz	short loc_A597F0
		inc	dword_6C6E7C

loc_A597F0:				; CODE XREF: MmVerifierTrimMemory()+81j
					; MmVerifierTrimMemory()+90j
		test	bl, 4
		pop	ebx
		jz	short locret_A5980C
		mov	edx, [ebp+var_4]
		push	2
		pop	ecx
		call	_MiTrimAllSystemPagableMemory@8	; MiTrimAllSystemPagableMemory(x,x)
		cmp	eax, 1
		jnz	short locret_A5980C
		inc	dword_6C6EA4

locret_A5980C:				; CODE XREF: MmVerifierTrimMemory()+27j
					; MmVerifierTrimMemory()+3Aj ...
		leave
		retn
_MmVerifierTrimMemory@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmAreMdlPagesLocked(x)
_MmAreMdlPagesLocked@4 proc near	; CODE XREF: VERIFY_BUFFER_LOCKED(x)+17p
					; VerifierMmBuildMdlForNonPagedPool(x)+60p

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, [ecx+18h]
		add	edx, [ecx+10h]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ecx+14h]
		lea	ebx, [ecx+1Ch]
		and	edx, 0FFFh
		add	edi, 0FFFh
		add	edi, edx
		shr	edi, 0Ch

loc_A59835:				; CODE XREF: MmAreMdlPagesLocked(x)+7Aj
		mov	esi, [ebx]
		mov	ecx, esi
		call	_MiIsPfn@4	; MiIsPfn(x)
		test	eax, eax
		jz	short loc_A59882
		imul	esi, 1Ch
		add	esi, ds:_MmPfnDatabase
		cmp	dword_6D3034, 2
		jz	short loc_A59860
		mov	ecx, esi
		call	_MiLockPage@4	; MiLockPage(x)
		mov	[ebp+var_1], al
		jmp	short loc_A59864
; 

loc_A59860:				; CODE XREF: MmAreMdlPagesLocked(x)+44j
		mov	[ebp+var_1], 21h

loc_A59864:				; CODE XREF: MmAreMdlPagesLocked(x)+50j
		mov	ecx, esi
		call	MiIsPfnLocked
		mov	[ebp+var_8], eax
		mov	al, [ebp+var_1]
		cmp	al, 21h
		jz	short loc_A5987C
		mov	dl, al
		call	_MiUnlockPage@8	; MiUnlockPage(x,x)

loc_A5987C:				; CODE XREF: MmAreMdlPagesLocked(x)+65j
		cmp	[ebp+var_8], 0
		jz	short loc_A59892

loc_A59882:				; CODE XREF: MmAreMdlPagesLocked(x)+32j
		add	ebx, 4
		sub	edi, 1
		jnz	short loc_A59835
		xor	eax, eax
		inc	eax

loc_A5988D:				; CODE XREF: MmAreMdlPagesLocked(x)+86j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A59892:				; CODE XREF: MmAreMdlPagesLocked(x)+72j
		xor	eax, eax
		jmp	short loc_A5988D
_MmAreMdlPagesLocked@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmCheckMdlPages(x)
_MmCheckMdlPages@4 proc	near		; CODE XREF: ViMmMapLockedPagesSanityChecks(x,x)+C4j

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edx, [ebx+18h]
		lea	esi, [ebx+1Ch]
		add	edx, [ebx+10h]
		mov	eax, [ebx+14h]
		and	edx, 0FFFh
		add	eax, 0FFFh
		add	eax, edx
		shr	eax, 0Ch
		mov	[ebp+var_8], eax
		lea	eax, [esi+eax*4]
		mov	[ebp+var_C], eax
		movzx	eax, word ptr [ebx+6]
		and	eax, 800h
		mov	[ebp+var_4], eax

loc_A598D4:				; CODE XREF: MmCheckMdlPages(x)+9Bj
		mov	edi, [esi]
		mov	ecx, edi
		call	_MiIsPfn@4	; MiIsPfn(x)
		cmp	word ptr [ebp+var_4], 0
		jnz	short loc_A598FC
		test	eax, eax
		jnz	short loc_A59901
		push	edi
		mov	edx, 89h
		push	esi
		push	ebx
		lea	ecx, [edx+3Bh]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)
		mov	edi, [esi]
		jmp	short loc_A59901
; 

loc_A598FC:				; CODE XREF: MmCheckMdlPages(x)+4Cj
		cmp	eax, 1
		jnz	short loc_A5992B

loc_A59901:				; CODE XREF: MmCheckMdlPages(x)+50j
					; MmCheckMdlPages(x)+64j
		mov	ecx, ds:_MmPfnDatabase
		imul	eax, edi, 1Ch
		add	eax, ecx
		cmp	word ptr [eax+14h], 0
		jnz	short loc_A5992B
		sub	eax, ecx
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		lea	edx, [ecx+69h]
		push	eax
		push	[ebp+var_8]
		lea	ecx, [edx+3Fh]
		push	ebx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5992B:				; CODE XREF: MmCheckMdlPages(x)+69j
					; MmCheckMdlPages(x)+7Bj
		add	esi, 4
		cmp	esi, [ebp+var_C]
		jb	short loc_A598D4
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MmCheckMdlPages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmCheckMapIoSpace(x, x, x)
_MmCheckMapIoSpace@12 proc near		; CODE XREF: VerifierMmMapIoSpace(x,x,x,x)+40p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	ebx, [ecx+0FFFh]
		shrd	edi, eax, 0Ch
		mov	eax, [ebp+arg_0]
		and	eax, 0FFFh
		imul	esi, edi, 1Ch
		add	ebx, eax
		mov	[ebp+var_4], ecx
		shr	ebx, 0Ch
		add	esi, ds:_MmPfnDatabase

loc_A5996A:				; CODE XREF: MmCheckMapIoSpace(x,x,x)+6Ej
		mov	ecx, edi
		call	_MiIsPfn@4	; MiIsPfn(x)
		cmp	eax, 1
		jnz	short loc_A5999D
		cmp	word ptr [esi+14h], 0
		jnz	short loc_A5999D
		push	1Ch
		pop	ecx
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	ecx
		lea	edx, [ecx+67h]
		push	eax
		push	[ebp+var_4]
		lea	ecx, [edx+41h]
		push	[ebp+arg_0]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5999D:				; CODE XREF: MmCheckMapIoSpace(x,x,x)+3Cj
					; MmCheckMapIoSpace(x,x,x)+43j
		push	1Ch
		pop	eax
		add	esi, eax
		inc	edi
		sub	ebx, 1
		jnz	short loc_A5996A
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MmCheckMapIoSpace@12 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 1419. MmIsDriverSuspectForVerifier

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmIsDriverSuspectForVerifier(x)
		public _MmIsDriverSuspectForVerifier@4
_MmIsDriverSuspectForVerifier@4	proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [eax+14h]
		test	esi, esi
		jnz	short loc_A599C8
		xor	eax, eax
		jmp	short loc_A599EE
; 

loc_A599C8:				; CODE XREF: MmIsDriverSuspectForVerifier(x)+Ej
		call	_VfDriverLock@0	; VfDriverLock()
		mov	ecx, esi
		call	_ViIsDriverSuspectForVerifier@4	; ViIsDriverSuspectForVerifier(x)
		push	0
		push	offset _ViDriversLoadLock
		mov	esi, eax
		mov	_ViDriversLoadLockOwner, 0
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, esi

loc_A599EE:				; CODE XREF: MmIsDriverSuspectForVerifier(x)+12j
		pop	esi
		pop	ebp
		retn	4
_MmIsDriverSuspectForVerifier@4	endp


;  S U B	R O U T	I N E 


; __stdcall VfFreeCapturedUnicodeString(x)
_VfFreeCapturedUnicodeString@4 proc near ; CODE	XREF: PAGE:loc_7B3E64p
					; PAGE:007B427Cp ...
		xor	eax, eax
		cmp	[ecx], ax
		jz	short locret_A59A03
		push	eax
		push	dword ptr [ecx+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

locret_A59A03:				; CODE XREF: VfFreeCapturedUnicodeString(x)+5j
		retn
_VfFreeCapturedUnicodeString@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfFreeMemoryNotification(x,	x)
_VfFreeMemoryNotification@8 proc near	; CODE XREF: sub_5D7B16+1Ap
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_VfDeadlockDeleteMemoryRange@8 ; VfDeadlockDeleteMemoryRange(x,x)
		mov	edx, esi
		mov	ecx, edi
		call	_VfRemLockDeleteMemoryRange@8 ;	VfRemLockDeleteMemoryRange(x,x)
		pop	edi
		pop	esi
		pop	ecx
		retn
_VfFreeMemoryNotification@8 endp

; 
		align 10h
		dd 0CCCCCCCCh
; Exported entry 2585. VfIsRuleClassEnabled

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIsRuleClassEnabled(x)
		public _VfIsRuleClassEnabled@4
_VfIsRuleClassEnabled@4	proc near	; CODE XREF: ViDifCheckCallbackInterception+91F0Fp
					; ViDifCheckCallbackInterception+91F1Ap ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		cmp	edx, 40h
		jb	short loc_A59A35
		xor	al, al
		jmp	short loc_A59A4C
; 

loc_A59A35:				; CODE XREF: VfIsRuleClassEnabled(x)+Bj
		xor	eax, eax
		mov	ecx, edx
		inc	eax
		shr	edx, 5
		and	ecx, 1Fh
		shl	eax, cl
		test	_VfRuleClasses[edx*4], eax
		setnz	al

loc_A59A4C:				; CODE XREF: VfIsRuleClassEnabled(x)+Fj
		pop	ebp
		retn	4
_VfIsRuleClassEnabled@4	endp


;  S U B	R O U T	I N E 


; __stdcall VfNotifyVerifierOfEvent(x)
_VfNotifyVerifierOfEvent@4 proc	near	; CODE XREF: KeBugCheck2(x,x,x,x,x,x)+250p
					; IoShutdownSystem(x)+2Ap ...
		mov	edi, edi
		push	esi		; char
		sub	ecx, 0
		jz	loc_A59B1B
		sub	ecx, 1
		jz	loc_A59B12
		sub	ecx, 1
		jz	loc_A59AF1
		sub	ecx, 1
		jz	short loc_A59AE4
		sub	ecx, 1
		jz	short loc_A59AD7
		sub	ecx, 1
		jnz	loc_A59B44
		lock inc dword_6BE454
		call	_VfStartBranchTracing@0	; VfStartBranchTracing()
		test	eax, eax
		jns	short loc_A59AAA
		test	_MmVerifierData, 8000000h
		jz	short loc_A59AAA
		push	eax		; char
		push	(offset	loc_A56DFF+1) ;	char *
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_A59AAA:				; CODE XREF: VfNotifyVerifierOfEvent(x)+3Fj
					; VfNotifyVerifierOfEvent(x)+4Bj
		test	byte ptr _VfOptionFlags, 10h
		jz	short loc_A59AC3
		push	(offset	loc_A56D99+3) ;	char *
		call	_VfUtilDbgPrint
		pop	ecx
		call	_VfClearVerifierSettings@0 ; VfClearVerifierSettings()

loc_A59AC3:				; CODE XREF: VfNotifyVerifierOfEvent(x)+61j
		push	2
		pop	edx
		xor	ecx, ecx
		call	_VfNotifyVerifierExtensions@8 ;	VfNotifyVerifierExtensions(x,x)
		xor	edx, edx
		xor	ecx, ecx
		pop	esi
		jmp	_VfNotifyDifPlugins@8 ;	VfNotifyDifPlugins(x,x)
; 

loc_A59AD7:				; CODE XREF: VfNotifyVerifierOfEvent(x)+26j
		lock inc dword_6BE450
		pop	esi
		jmp	_VfStartBranchTracing@0	; VfStartBranchTracing()
; 

loc_A59AE4:				; CODE XREF: VfNotifyVerifierOfEvent(x)+21j
		lock inc dword_6BE44C

loc_A59AEB:				; CODE XREF: VfNotifyVerifierOfEvent(x)+C9j
		pop	esi
		jmp	_VfStopBranchTracing@0 ; VfStopBranchTracing()
; 

loc_A59AF1:				; CODE XREF: VfNotifyVerifierOfEvent(x)+18j
		lock inc dword_6BE448
		xor	esi, esi
		mov	ecx, offset _ViKeTrackIrqlDisabled
		inc	esi
		mov	eax, esi
		xchg	eax, [ecx]
		call	_VfStopBranchTracing@0 ; VfStopBranchTracing()
		mov	eax, offset _ViFaultsDisabled
		xchg	esi, [eax]
		pop	esi
		retn
; 

loc_A59B12:				; CODE XREF: VfNotifyVerifierOfEvent(x)+Fj
		lock inc dword_6BE444
		jmp	short loc_A59AEB
; 

loc_A59B1B:				; CODE XREF: VfNotifyVerifierOfEvent(x)+6j
		lock inc _ViNotifyEvent
		call	_VfInitializeBranchTracing@0 ; VfInitializeBranchTracing()
		test	eax, eax
		jns	short loc_A59B44
		test	_MmVerifierData, 8000000h
		jz	short loc_A59B44
		push	eax		; char
		push	offset ??_C@_0DJ@OMMFBNNI@Failed?5to?5initialize?5branch?5tra@JKADOLAD@	; char *
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_A59B44:				; CODE XREF: VfNotifyVerifierOfEvent(x)+2Bj
					; VfNotifyVerifierOfEvent(x)+D9j ...
		pop	esi
		retn
_VfNotifyVerifierOfEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfProbeAndCaptureUnicodeString(x, x, x)
_VfProbeAndCaptureUnicodeString@12 proc	near ; CODE XREF: PAGE:007B3E0Dp
					; VfSetVerifierInformationEx(x)+68p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8

		push	0Ch
		push	offset dword_6A9AF0
		call	__SEH_prolog4
		and	[ebp+ms_exc.disabled], 0
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		jb	short loc_A59B61
		mov	edx, eax

loc_A59B61:				; CODE XREF: VfProbeAndCaptureUnicodeString(x,x,x)+17j
		nop
		mov	eax, [edx]
		mov	[ecx], eax
		mov	eax, [edx+4]
		mov	[ecx+4], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edx, [ebp+arg_0]
		call	_VfProbeAndCaptureUnicodeStringBuffer@8	; VfProbeAndCaptureUnicodeStringBuffer(x,x)
		jmp	short loc_A59B98
; 

loc_A59B7D:				; DATA XREF: .text:006A9B04o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A59B8B:				; DATA XREF: .text:006A9B08o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]

loc_A59B98:				; CODE XREF: VfProbeAndCaptureUnicodeString(x,x,x)+35j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VfProbeAndCaptureUnicodeString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfProbeAndCaptureUnicodeStringBuffer(x, x)
_VfProbeAndCaptureUnicodeStringBuffer@8	proc near ; CODE XREF: PAGE:007B425Bp
					; PAGE:007B426Ep ...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	14h
		push	offset dword_6A9B10
		call	__SEH_prolog4
		mov	edi, edx
		mov	esi, ecx
		movzx	eax, word ptr [esi]
		test	al, 1
		jz	short loc_A59BCB
		mov	eax, 0C000000Dh
		jmp	loc_A59C85
; 

loc_A59BCB:				; CODE XREF: VfProbeAndCaptureUnicodeStringBuffer(x,x)+15j
		test	ax, ax
		jnz	short loc_A59BDC
		mov	eax, ds:_MmBadPointer
		mov	[esi+4], eax
		xor	eax, eax
		jmp	short loc_A59C3B
; 

loc_A59BDC:				; CODE XREF: VfProbeAndCaptureUnicodeStringBuffer(x,x)+24j
		and	[ebp+ms_exc.disabled], 0
		mov	ecx, [esi+4]
		lea	edx, [ecx+eax]
		mov	eax, ds:_MmUserProbeAddress
		cmp	edx, eax
		ja	short loc_A59BF3
		cmp	edx, ecx
		jnb	short loc_A59BF6

loc_A59BF3:				; CODE XREF: VfProbeAndCaptureUnicodeStringBuffer(x,x)+43j
		mov	byte ptr [eax],	0

loc_A59BF6:				; CODE XREF: VfProbeAndCaptureUnicodeStringBuffer(x,x)+47j
		push	0FFFFFFFEh
		pop	ebx
		mov	[ebp+ms_exc.disabled], ebx
		push	43536656h
		movzx	eax, word ptr [esi]
		push	eax
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_1C], edi
		test	edi, edi
		jnz	short loc_A59C1B
		mov	eax, 0C0000017h
		jmp	short loc_A59C85
; 

loc_A59C1B:				; CODE XREF: VfProbeAndCaptureUnicodeStringBuffer(x,x)+68j
		mov	[ebp+ms_exc.disabled], 1
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], ebx
		mov	[esi+4], edi
		movzx	eax, word ptr [esi]

loc_A59C3B:				; CODE XREF: VfProbeAndCaptureUnicodeStringBuffer(x,x)+30j
		mov	[esi+2], ax
		xor	eax, eax
		jmp	short loc_A59C85
; 

loc_A59C43:				; DATA XREF: .text:006A9B30o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A59C51:				; DATA XREF: .text:006A9B34o
		mov	esp, [ebp+ms_exc.old_esp]
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_20]
		jmp	short loc_A59C85
; 

loc_A59C6A:				; DATA XREF: .text:006A9B24o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A59C78:				; DATA XREF: .text:006A9B28o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]

loc_A59C85:				; CODE XREF: VfProbeAndCaptureUnicodeStringBuffer(x,x)+1Cj
					; VfProbeAndCaptureUnicodeStringBuffer(x,x)+6Fj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VfProbeAndCaptureUnicodeStringBuffer@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfRandomGetNumber(x, x)
_VfRandomGetNumber@8 proc near		; CODE XREF: VfPendingShouldForce(x,x,x,x,x,x)+63p
					; VfFaultsInjectResourceFailure(x)+C0p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	offset _ViRandomSeed
		call	_RtlRandomEx@4	; RtlRandomEx(x)
		mov	ecx, [ebp+arg_4]
		cmp	ecx, [ebp+arg_0]
		jb	short loc_A59CB9
		sub	ecx, [ebp+arg_0]
		xor	edx, edx
		inc	ecx
		div	ecx
		add	edx, [ebp+arg_0]
		mov	eax, edx

loc_A59CB9:				; CODE XREF: VfRandomGetNumber(x,x)+15j
		pop	ebp
		retn	8
_VfRandomGetNumber@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilAddressRangeAdd(x, x,	x)
_VfUtilAddressRangeAdd@12 proc near	; CODE XREF: ViDeadlockAddResource(x,x,x,x,x,x)+13Ap
					; ViDeadlockAddThread(x,x)+71p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_A59CD1
		mov	eax, [ebp+arg_0]
		mov	[ecx], edx
		add	eax, edx
		jmp	short loc_A59CE1
; 

loc_A59CD1:				; CODE XREF: VfUtilAddressRangeAdd(x,x,x)+9j
		cmp	edx, eax
		jnb	short loc_A59CD7
		mov	[ecx], edx

loc_A59CD7:				; CODE XREF: VfUtilAddressRangeAdd(x,x,x)+16j
		mov	eax, [ebp+arg_0]
		add	eax, edx
		cmp	eax, [ecx+4]
		jbe	short loc_A59CE4

loc_A59CE1:				; CODE XREF: VfUtilAddressRangeAdd(x,x,x)+12j
		mov	[ecx+4], eax

loc_A59CE4:				; CODE XREF: VfUtilAddressRangeAdd(x,x,x)+22j
		pop	ebp
		retn	4
_VfUtilAddressRangeAdd@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilAddressRangeFit(x, x,	x)
_VfUtilAddressRangeFit@12 proc near	; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+5Cp
					; ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+5Fp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx]
		push	esi
		mov	esi, edx
		test	eax, eax
		jz	short loc_A59D19
		mov	edx, [ebp+arg_0]
		cmp	esi, eax
		ja	short loc_A59D06
		cmp	edx, [ecx+4]
		jnb	short loc_A59D14
		cmp	esi, eax
		jb	short loc_A59D0B

loc_A59D06:				; CODE XREF: VfUtilAddressRangeFit(x,x,x)+13j
		cmp	esi, [ecx+4]
		jb	short loc_A59D14

loc_A59D0B:				; CODE XREF: VfUtilAddressRangeFit(x,x,x)+1Cj
		cmp	edx, eax
		jbe	short loc_A59D19
		cmp	edx, [ecx+4]
		ja	short loc_A59D19

loc_A59D14:				; CODE XREF: VfUtilAddressRangeFit(x,x,x)+18j
					; VfUtilAddressRangeFit(x,x,x)+21j
		xor	eax, eax
		inc	eax
		jmp	short loc_A59D1B
; 

loc_A59D19:				; CODE XREF: VfUtilAddressRangeFit(x,x,x)+Cj
					; VfUtilAddressRangeFit(x,x,x)+25j ...
		xor	eax, eax

loc_A59D1B:				; CODE XREF: VfUtilAddressRangeFit(x,x,x)+2Fj
		pop	esi
		pop	ebp
		retn	4
_VfUtilAddressRangeFit@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilAddressRangeFitNoLock(x, x, x)
_VfUtilAddressRangeFitNoLock@12	proc near ; CODE XREF: VfIrpDatabaseCheckExFreePool(x)+2Fp
					; VfIrpDatabaseEntryFindAndLock(x)+31p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ecx]
		mov	eax, [ecx+4]
		cmp	esi, eax
		jnb	short loc_A59D4F
		cmp	edx, esi
		ja	short loc_A59D3C
		cmp	[ebp+arg_0], eax
		jnb	short loc_A59D4A
		cmp	edx, esi
		jb	short loc_A59D40

loc_A59D3C:				; CODE XREF: VfUtilAddressRangeFitNoLock(x,x,x)+11j
		cmp	edx, eax
		jb	short loc_A59D4A

loc_A59D40:				; CODE XREF: VfUtilAddressRangeFitNoLock(x,x,x)+1Aj
		cmp	[ebp+arg_0], esi
		jbe	short loc_A59D4F
		cmp	[ebp+arg_0], eax
		ja	short loc_A59D4F

loc_A59D4A:				; CODE XREF: VfUtilAddressRangeFitNoLock(x,x,x)+16j
					; VfUtilAddressRangeFitNoLock(x,x,x)+1Ej
		xor	eax, eax
		inc	eax
		jmp	short loc_A59D51
; 

loc_A59D4F:				; CODE XREF: VfUtilAddressRangeFitNoLock(x,x,x)+Dj
					; VfUtilAddressRangeFitNoLock(x,x,x)+23j ...
		xor	eax, eax

loc_A59D51:				; CODE XREF: VfUtilAddressRangeFitNoLock(x,x,x)+2Dj
		pop	esi
		pop	ebp
		retn	4
_VfUtilAddressRangeFitNoLock@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilAddressRangeRemove(x,	x, x)
_VfUtilAddressRangeRemove@12 proc near	; CODE XREF: VfUtilAddressRangeRemoveCheckEmpty(x,x,x)+17p
					; ViDeadlockRemoveResource(x,x,x)+FFp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [ebp+arg_0]
		mov	eax, [esi]
		cmp	edx, eax
		jnz	short loc_A59D6C
		add	eax, edi
		mov	[esi], eax

loc_A59D6C:				; CODE XREF: VfUtilAddressRangeRemove(x,x,x)+10j
		mov	ecx, [esi+4]
		lea	eax, [edx+edi]
		cmp	eax, ecx
		jnz	short loc_A59D7B
		sub	ecx, edi
		mov	[esi+4], ecx

loc_A59D7B:				; CODE XREF: VfUtilAddressRangeRemove(x,x,x)+1Ej
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_VfUtilAddressRangeRemove@12 endp


;  S U B	R O U T	I N E 


; __stdcall VfUtilAddressRangeRemoveCheckEmpty(x, x, x)
_VfUtilAddressRangeRemoveCheckEmpty@12 proc near
					; CODE XREF: VfIrpDatabaseEntryDereference(x,x)+42p
					; VfIrpDatabaseEntryReleaseLock(x)+42p
		cmp	edx, [ecx]
		jnz	short loc_A59D96
		lea	eax, [edx+70h]
		cmp	eax, [ecx+4]
		jnz	short loc_A59D96
		and	dword ptr [ecx], 0
		and	dword ptr [ecx+4], 0
		jmp	short locret_A59D9D
; 

loc_A59D96:				; CODE XREF: VfUtilAddressRangeRemoveCheckEmpty(x,x,x)+2j
					; VfUtilAddressRangeRemoveCheckEmpty(x,x,x)+Aj
		push	70h
		call	_VfUtilAddressRangeRemove@12 ; VfUtilAddressRangeRemove(x,x,x)

locret_A59D9D:				; CODE XREF: VfUtilAddressRangeRemoveCheckEmpty(x,x,x)+13j
		retn	4
_VfUtilAddressRangeRemoveCheckEmpty@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilCaptureViolationKernelStack(x, x)
_VfUtilCaptureViolationKernelStack@8 proc near ; DATA XREF: PAGEVRFD:_ViUtilsForXDVo

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	esi
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		test	esi, esi
		jnz	short loc_A59DC2
		xor	al, al
		jmp	loc_A59E9B
; 

loc_A59DC2:				; CODE XREF: VfUtilCaptureViolationKernelStack(x,x)+19j
		push	ebx
		mov	cl, 1Fh
		mov	bl, 1
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	byte ptr [ebp+arg_0+3],	al
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		push	esi
		mov	bh, al
		call	_RtlCaptureContext@4 ; RtlCaptureContext(x)
		lea	eax, [ebp+var_C]
		push	eax
		lea	edx, [ebp+var_4]
		lea	ecx, [ebp+var_8]
		call	_KeQueryCurrentStackInformation@12 ; KeQueryCurrentStackInformation(x,x,x)
		test	al, al
		jz	loc_A59E88
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	loc_A59E88
		cmp	eax, 5
		jz	loc_A59E88
		cmp	eax, 7
		jz	short loc_A59E88
		cmp	eax, 8
		jz	short loc_A59E88
		cmp	eax, 9
		jz	short loc_A59E88
		push	edi
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		sub	eax, [ebp+var_4]
		mov	edi, 3000h
		mov	[ebp+var_8], eax
		mov	eax, [esi+0B4h]
		sub	eax, [ebp+var_4]
		push	edi		; size_t
		push	0		; int
		push	offset _VfRuleViolationStackSavedArea ;	void *
		mov	[ebp+var_10], eax
		call	_memset
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		sub	eax, [ebp+var_4]
		cmp	eax, edi
		ja	short loc_A59E50
		mov	edi, eax

loc_A59E50:				; CODE XREF: VfUtilCaptureViolationKernelStack(x,x)+ACj
		push	edi		; size_t
		push	[ebp+var_4]	; void *
		mov	edi, offset _VfRuleViolationStackSavedArea
		push	edi		; void *
		call	_memcpy
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		mov	[eax], edi
		mov	eax, [ebp+var_8]
		pop	edi
		lea	eax, _VfRuleViolationStackSavedArea[eax]
		mov	[esi+0C4h], eax
		mov	eax, [ebp+var_10]
		lea	eax, _VfRuleViolationStackSavedArea[eax]
		mov	[esi+0B4h], eax
		jmp	short loc_A59E8A
; 

loc_A59E88:				; CODE XREF: VfUtilCaptureViolationKernelStack(x,x)+4Ej
					; VfUtilCaptureViolationKernelStack(x,x)+59j ...
		xor	bl, bl

loc_A59E8A:				; CODE XREF: VfUtilCaptureViolationKernelStack(x,x)+E6j
		test	bh, bh
		jz	short loc_A59E8F
		sti

loc_A59E8F:				; CODE XREF: VfUtilCaptureViolationKernelStack(x,x)+ECj
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	al, bl
		pop	ebx

loc_A59E9B:				; CODE XREF: VfUtilCaptureViolationKernelStack(x,x)+1Dj
		pop	esi
		leave
		retn	8
_VfUtilCaptureViolationKernelStack@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfUtilCheckKernelAddress(x,	x)
_VfUtilCheckKernelAddress@8 proc near	; CODE XREF: VfUtilSynchronizationObjectSanityChecks(x,x)+6p
					; VerifierIoFreeMdl(x)+Fp ...
		test	_MmVerifierData, 800h
		lea	eax, [ecx+edx]
		jz	short locret_A59ECC
		cmp	ecx, ds:_MmHighestUserAddress
		jb	short loc_A59EBB
		cmp	eax, ecx
		jnb	short locret_A59ECC

loc_A59EBB:				; CODE XREF: VfUtilCheckKernelAddress(x,x)+15j
		push	0
		push	edx
		mov	edx, 0E0h
		push	ecx
		lea	ecx, [edx-1Ch]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

locret_A59ECC:				; CODE XREF: VfUtilCheckKernelAddress(x,x)+Dj
					; VfUtilCheckKernelAddress(x,x)+19j
		retn
_VfUtilCheckKernelAddress@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfUtilCheckRuleEnforcement(x)
_VfUtilCheckRuleEnforcement@4 proc near	; CODE XREF: VerifierMmBuildMdlForNonPagedPool(x)+6Cp
					; VerifierMmUnmapLockedPages(x,x)+107p
		cmp	_VerifierTipDisable, 1
		jnz	short loc_A59EED
		call	_VfTargetDriversGetVerifierData@4 ; VfTargetDriversGetVerifierData(x)
		test	eax, eax
		jz	short loc_A59EEA
		mov	al, [eax+18h]
		cmp	al, 0Ch
		jz	short loc_A59EEA
		cmp	al, 8
		jnz	short loc_A59EED

loc_A59EEA:				; CODE XREF: VfUtilCheckRuleEnforcement(x)+10j
					; VfUtilCheckRuleEnforcement(x)+17j
		xor	eax, eax
		retn
; 

loc_A59EED:				; CODE XREF: VfUtilCheckRuleEnforcement(x)+7j
					; VfUtilCheckRuleEnforcement(x)+1Bj
		xor	eax, eax
		inc	eax
		retn
_VfUtilCheckRuleEnforcement@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfUtilEqualUnicodeString(x,	x)
_VfUtilEqualUnicodeString@8 proc near	; CODE XREF: ViDifCheckCallbackInterception+91F34p
					; ViDifCheckCallbackInterception+91F48p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		movzx	eax, word ptr [esi]
		cmp	ax, [edx]
		jnz	short loc_A59F16
		push	eax		; Length
		push	dword ptr [edx+4] ; Source2
		push	dword ptr [esi+4] ; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		movzx	ecx, word ptr [esi]
		cmp	eax, ecx
		jnz	short loc_A59F16
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_A59F16:				; CODE XREF: VfUtilEqualUnicodeString(x,x)+Bj
					; VfUtilEqualUnicodeString(x,x)+1Ej
		xor	eax, eax
		pop	esi
		retn
_VfUtilEqualUnicodeString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilFillPluginRequestedData(x)
_VfUtilFillPluginRequestedData@4 proc near ; DATA XREF:	PAGEVRFD:_ViUtilsForDIFo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A59F5E
		cmp	dword ptr [eax], 0
		jnz	short loc_A59F52
		mov	ecx, _ViTipControlLimitDenominator
		test	ecx, ecx
		jz	short loc_A59F38
		mov	[eax+8], ecx

loc_A59F38:				; CODE XREF: VfUtilFillPluginRequestedData(x)+19j
		mov	ecx, _ViTipControlLimitNumerator
		test	ecx, ecx
		jz	short loc_A59F45
		mov	[eax+4], ecx

loc_A59F45:				; CODE XREF: VfUtilFillPluginRequestedData(x)+26j
		mov	ecx, _ViTipControlSparseness
		test	ecx, ecx
		jz	short loc_A59F52
		mov	[eax+0Ch], ecx

loc_A59F52:				; CODE XREF: VfUtilFillPluginRequestedData(x)+Fj
					; VfUtilFillPluginRequestedData(x)+33j
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jz	short loc_A59F5E
		call	_VfUtilFillPluginRequestedSubData@4 ; VfUtilFillPluginRequestedSubData(x)

loc_A59F5E:				; CODE XREF: VfUtilFillPluginRequestedData(x)+Aj
					; VfUtilFillPluginRequestedData(x)+3Dj
		pop	ebp
		retn	4
_VfUtilFillPluginRequestedData@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfUtilFillPluginRequestedSubData(x)
_VfUtilFillPluginRequestedSubData@4 proc near
					; CODE XREF: VfUtilFillPluginRequestedData(x)+3Fp
		test	ecx, ecx
		jz	short locret_A59F90
		cmp	dword ptr [ecx], 27h
		jnz	short locret_A59F90
		mov	edx, _ViLwspPoolTags
		xor	eax, eax
		test	edx, edx
		jz	short loc_A59F8D
		push	esi
		lea	esi, [ecx+8]

loc_A59F7B:				; CODE XREF: VfUtilFillPluginRequestedSubData(x)+28j
		inc	eax
		mov	[esi], edx
		lea	esi, [esi+4]
		mov	edx, _ViLwspPoolTags[eax*4]
		test	edx, edx
		jnz	short loc_A59F7B
		pop	esi

loc_A59F8D:				; CODE XREF: VfUtilFillPluginRequestedSubData(x)+13j
		mov	[ecx+4], eax

locret_A59F90:				; CODE XREF: VfUtilFillPluginRequestedSubData(x)+2j
					; VfUtilFillPluginRequestedSubData(x)+7j
		retn
_VfUtilFillPluginRequestedSubData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilGetAvailableSystemPages(x)
_VfUtilGetAvailableSystemPages@4 proc near ; DATA XREF:	PAGEVRFD:00AA8028o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		test	esi, esi
		jnz	short loc_A59FAB
		mov	eax, 0C000000Dh
		jmp	short loc_A5A006
; 

loc_A59FAB:				; CODE XREF: VfUtilGetAvailableSystemPages(x)+11j
		xor	edx, edx
		mov	ebx, offset _ViSystemPartition
		inc	edx
		mov	ecx, ebx
		call	_MmCreatePartition@8 ; MmCreatePartition(x,x)
		test	eax, eax
		js	short loc_A5A006
		cmp	_ViSystemPartition, 0
		jnz	short loc_A59FCE
		mov	eax, 0C0000022h
		jmp	short loc_A5A006
; 

loc_A59FCE:				; CODE XREF: VfUtilGetAvailableSystemPages(x)+34j
		push	80h		; size_t
		push	0		; int
		mov	edi, offset _ViSystemPartitionMemoryInfo
		push	edi		; void *
		call	_memset
		or	dword_6BE464, 0FFFFFFFFh
		add	esp, 0Ch
		or	dword_6BE468, 0FFFFFFFFh
		mov	edx, edi
		mov	ecx, ebx
		call	MmManagePartitionMemoryInformation
		test	eax, eax
		js	short loc_A5A006
		mov	ecx, dword_6BE484
		mov	[esi], ecx

loc_A5A006:				; CODE XREF: VfUtilGetAvailableSystemPages(x)+18j
					; VfUtilGetAvailableSystemPages(x)+2Bj	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_VfUtilGetAvailableSystemPages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilGetDriverName(x)
_VfUtilGetDriverName@4 proc near	; DATA XREF: PAGEVRFD:00AA8004o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_VfTargetDriversGetVerifierData@4 ; VfTargetDriversGetVerifierData(x)
		test	eax, eax
		jz	short loc_A5A027
		mov	eax, [eax]
		mov	eax, [eax+14h]
		jmp	short loc_A5A029
; 

loc_A5A027:				; CODE XREF: VfUtilGetDriverName(x)+Fj
		xor	eax, eax

loc_A5A029:				; CODE XREF: VfUtilGetDriverName(x)+16j
		pop	ebp
		retn	4
_VfUtilGetDriverName@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilGetSigningLevel(x)
_VfUtilGetSigningLevel@4 proc near	; DATA XREF: PAGEVRFD:00AA8008o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_VfTargetDriversGetVerifierData@4 ; VfTargetDriversGetVerifierData(x)
		test	eax, eax
		jz	short loc_A5A043
		mov	al, [eax+18h]
		jmp	short loc_A5A045
; 

loc_A5A043:				; CODE XREF: VfUtilGetSigningLevel(x)+Fj
		xor	al, al

loc_A5A045:				; CODE XREF: VfUtilGetSigningLevel(x)+14j
		pop	ebp
		retn	4
_VfUtilGetSigningLevel@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilIsBootDriver(x)
_VfUtilIsBootDriver@4 proc near		; DATA XREF: PAGEVRFD:00AA800Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_VfTargetDriversGetVerifierData@4 ; VfTargetDriversGetVerifierData(x)
		test	eax, eax
		jz	short loc_A5A064
		mov	eax, [eax+10h]
		shr	eax, 1
		and	eax, 1
		jmp	short loc_A5A066
; 

loc_A5A064:				; CODE XREF: VfUtilIsBootDriver(x)+Fj
		xor	eax, eax

loc_A5A066:				; CODE XREF: VfUtilIsBootDriver(x)+19j
		pop	ebp
		retn	4
_VfUtilIsBootDriver@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilIsLocalSystem(x)
_VfUtilIsLocalSystem@4 proc near	; CODE XREF: VfCheckUserHandle(x)+F5p
					; ViKeInjectStatusAlerted(x)+35p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+20h+var_10]
		stosd
		mov	esi, ecx
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	[esp+20h+var_14], edi
		mov	[esp+20h+var_18], edi
		call	_ViInitializeLocalSystemDescriptor@0 ; ViInitializeLocalSystemDescriptor()
		test	eax, eax
		jnz	short loc_A5A09B
		xor	esi, esi
		inc	esi
		jmp	short loc_A5A0DB
; 

loc_A5A09B:				; CODE XREF: VfUtilIsLocalSystem(x)+2Aj
		lea	eax, [esp+20h+var_10]
		push	eax
		push	esi
		push	edi
		call	SeCaptureSubjectContextEx
		lea	eax, [esp+20h+var_18]
		push	eax
		lea	eax, [esp+24h+var_14]
		push	eax
		push	1
		call	_IoGetFileObjectGenericMapping@0 ; IoGetFileObjectGenericMapping()
		push	eax
		push	edi
		push	edi
		push	1
		push	edi
		lea	eax, [esp+40h+var_10]
		push	eax
		push	ds:_ViLocalSystemDescriptor
		call	_SeAccessCheck@40 ; SeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		movzx	esi, al
		lea	eax, [esp+20h+var_10]
		push	eax
		call	SeReleaseSubjectContext

loc_A5A0DB:				; CODE XREF: VfUtilIsLocalSystem(x)+2Fj
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_VfUtilIsLocalSystem@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilIsSpecialPoolAddress(x)
_VfUtilIsSpecialPoolAddress@4 proc near	; DATA XREF: PAGEVRFD:00AA8034o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	short loc_A5A0F3
		xor	eax, eax
		jmp	short loc_A5A0F8
; 

loc_A5A0F3:				; CODE XREF: VfUtilIsSpecialPoolAddress(x)+Aj
		call	_ExIsSpecialPoolAddress@4 ; ExIsSpecialPoolAddress(x)

loc_A5A0F8:				; CODE XREF: VfUtilIsSpecialPoolAddress(x)+Ej
		pop	ebp
		retn	4
_VfUtilIsSpecialPoolAddress@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilPrintCheckinString(x)
_VfUtilPrintCheckinString@4 proc near	; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+29Cp

var_78		= dword	ptr -78h
var_70		= byte ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, _MmVerifierData
		mov	edx, _NtBuildNumber
		push	ebx
		mov	[ebp+var_5C], eax
		push	esi
		push	edi
		xor	edi, edi
		mov	dword ptr [ebp+var_70],	ecx
		inc	eax
		mov	[ebp+var_6C], edi
		imul	eax, edx
		mov	[ebp+var_68], edi
		mov	[ebp+var_60], edx
		mov	[ebp+var_58], edi
		imul	eax, 75BCD15h
		mov	[ebp+var_54], eax
		movzx	eax, word ptr [ecx]
		mov	ecx, [ecx+4]
		shr	eax, 1
		mov	[ebp+var_78], ecx
		mov	ecx, eax
		mov	[ebp+var_64], eax
		cmp	eax, 10h
		jnb	short loc_A5A158
		push	10h
		pop	ecx
		mov	[ebp+var_64], ecx

loc_A5A158:				; CODE XREF: VfUtilPrintCheckinString(x)+54j
		mov	ebx, edi
		test	ecx, ecx
		jz	short loc_A5A184
		mov	edi, eax

loc_A5A160:				; CODE XREF: VfUtilPrintCheckinString(x)+84j
		xor	edx, edx
		mov	ecx, [ebp+var_78]
		mov	eax, ebx
		mov	esi, ebx
		div	edi
		and	esi, 0Fh
		movzx	eax, word ptr [ecx+edx*2]
		push	eax
		call	_RtlUpcaseUnicodeChar@4	; RtlUpcaseUnicodeChar(x)
		xor	byte ptr [ebp+esi+var_60], al
		inc	ebx
		cmp	ebx, [ebp+var_64]
		jb	short loc_A5A160
		xor	edi, edi

loc_A5A184:				; CODE XREF: VfUtilPrintCheckinString(x)+60j
		mov	esi, edi

loc_A5A186:				; CODE XREF: VfUtilPrintCheckinString(x)+D3j
		mov	[ebp+var_64], 1
		mov	edx, edi
		mov	ebx, edi

loc_A5A191:				; CODE XREF: VfUtilPrintCheckinString(x)+BCj
		movzx	eax, byte ptr [ebp+ebx+var_60]
		shl	edx, 8
		add	eax, edx
		xor	edx, edx
		push	3Eh
		pop	ecx
		div	ecx
		mov	byte ptr [ebp+ebx+var_60], al
		test	al, al
		jz	short loc_A5A1B1
		mov	ecx, edi
		mov	[ebp+var_64], ecx
		jmp	short loc_A5A1B4
; 

loc_A5A1B1:				; CODE XREF: VfUtilPrintCheckinString(x)+ACj
		mov	ecx, [ebp+var_64]

loc_A5A1B4:				; CODE XREF: VfUtilPrintCheckinString(x)+B3j
		inc	ebx
		cmp	ebx, 10h
		jb	short loc_A5A191
		mov	ax, word ptr ds:_Printable[edx*2]
		mov	word ptr [ebp+esi*2+var_50], ax
		inc	esi
		cmp	esi, 21h
		jnb	short loc_A5A226
		test	ecx, ecx
		jz	short loc_A5A186
		lea	eax, [esi+esi]
		cmp	eax, 42h
		jnb	loc_A5A27D
		xor	ecx, ecx
		test	_VfRuleClasses,	100000h
		mov	word ptr [ebp+eax+var_50], cx
		lea	eax, [esi+esi]
		mov	word ptr [ebp+var_6C+2], ax
		mov	word ptr [ebp+var_6C], ax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_68], eax
		jnz	short loc_A5A235
		lea	eax, [ebp+var_6C]
		push	eax
		mov	eax, _NtBuildNumber
		and	eax, 0FFFFFFFh
		push	eax
		push	_MmVerifierData
		push	dword ptr [ebp+var_70] ; char
		push	offset ??_C@_0EC@ODEBKLLI@Driver?5Verifier?3?5Enabled?5for?5?$CFw@JKADOLAD@ ; char *
		call	_VfUtilDbgPrint
		add	esp, 14h

loc_A5A226:				; CODE XREF: VfUtilPrintCheckinString(x)+CFj
					; VfUtilPrintCheckinString(x)+17Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_A5A235:				; CODE XREF: VfUtilPrintCheckinString(x)+103j
		push	dword ptr [ebp+var_70] ; char
		push	offset ??_C@_0CB@PLOEDOB@Driver?5Verifier?3?5Enabled?5for?5?$CFw@JKADOLAD@ ; char *
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx

loc_A5A244:				; CODE XREF: VfUtilPrintCheckinString(x)+161j
		push	_VfRuleClasses[edi*4]
		push	edi		; char
		push	offset ??_C@_09HGKBJBHL@?0?5?$CFd?30x?$CFx@JKADOLAD@ ; char *
		call	_VfUtilDbgPrint
		add	esp, 0Ch
		inc	edi
		cmp	edi, 2
		jb	short loc_A5A244
		lea	eax, [ebp+var_6C]
		push	eax
		mov	eax, _NtBuildNumber
		and	eax, 0FFFFFFFh
		push	eax		; char
		push	offset ??_C@_0BG@PLAAJABH@?0?5build?5?$CFld?0?5key?5?$CFwZ?6@JKADOLAD@ ; char *
		call	_VfUtilDbgPrint
		add	esp, 0Ch
		jmp	short loc_A5A226
; 

loc_A5A27D:				; CODE XREF: VfUtilPrintCheckinString(x)+DBj
		call	___report_rangecheckfailure
		int	3		; Trap to Debugger
_VfUtilPrintCheckinString@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfUtilSynchronizationObjectSanityChecks(x, x)
_VfUtilSynchronizationObjectSanityChecks@8 proc	near
					; CODE XREF: VerifierKeInitializeEvent(x,x,x)+Bp
					; VerifierKeInitializeMutant(x,x)+Bp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, ecx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		xor	edi, edi
		test	_MmVerifierData, 800h
		jz	short loc_A5A2DD
		mov	ecx, esi
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jz	short loc_A5A2B7
		push	edi
		mov	edx, 0DFh
		push	edi
		push	esi
		lea	ecx, [edx-1Bh]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5A2B7:				; CODE XREF: VfUtilSynchronizationObjectSanityChecks(x,x)+22j
		test	_MmVerifierData, 800h
		jz	short loc_A5A2DD
		push	esi
		call	_MmIsNonPagedSystemAddressValid@4 ; MmIsNonPagedSystemAddressValid(x)
		test	al, al
		jnz	short loc_A5A2DD
		push	edi
		mov	edx, 0E1h
		push	edi
		push	esi
		lea	ecx, [edx-1Dh]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5A2DD:				; CODE XREF: VfUtilSynchronizationObjectSanityChecks(x,x)+17j
					; VfUtilSynchronizationObjectSanityChecks(x,x)+3Ej ...
		pop	edi
		pop	esi
		retn
_VfUtilSynchronizationObjectSanityChecks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfUtilUpdateSpecialPoolSetting(x)
_VfUtilUpdateSpecialPoolSetting@4 proc near ; DATA XREF: PAGEVRFD:00AA8030o

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr dword_6FDE00, 80h
		jz	short loc_A5A303
		mov	eax, ds:_VfDifSetting
		movzx	ecx, [ebp+arg_0]
		xor	ecx, eax
		and	ecx, 1
		xor	eax, ecx
		mov	ds:_VfDifSetting, eax

loc_A5A303:				; CODE XREF: VfUtilUpdateSpecialPoolSetting(x)+Cj
		pop	ebp
		retn	4
_VfUtilUpdateSpecialPoolSetting@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViInitializeLocalSystemDescriptor()
_ViInitializeLocalSystemDescriptor@0 proc near ; CODE XREF: VfUtilIsLocalSystem(x)+23p
		cmp	ds:_ViLocalSystemDescriptor, 0
		jnz	loc_A5A3DA
		cmp	_SeLocalSystemSid, 0
		jz	loc_A5A3DA
		push	edi
		push	55667256h
		push	14h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A5A3D9
		push	ebx
		push	esi
		push	1
		push	edi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		js	loc_A5A3CC
		push	_SeLocalSystemSid
		call	_RtlLengthSid@4	; RtlLengthSid(x)
		push	55667256h
		lea	esi, [eax+14h]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A5A3CC
		push	2		; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A5A3BD
		push	_SeLocalSystemSid
		push	1
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A5A3BD
		push	0
		push	ebx
		push	1
		push	edi
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_A5A3BD
		mov	ecx, edi
		mov	edx, offset _ViLocalSystemDescriptor
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_A5A3B9
		mov	esi, 0C00000E5h

loc_A5A3B9:				; CODE XREF: ViInitializeLocalSystemDescriptor()+ABj
		test	esi, esi
		jns	short loc_A5A3D7

loc_A5A3BD:				; CODE XREF: ViInitializeLocalSystemDescriptor()+73j
					; ViInitializeLocalSystemDescriptor()+89j ...
		push	55667256h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		jns	short loc_A5A3D7

loc_A5A3CC:				; CODE XREF: ViInitializeLocalSystemDescriptor()+3Fj
					; ViInitializeLocalSystemDescriptor()+64j
		push	55667256h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A5A3D7:				; CODE XREF: ViInitializeLocalSystemDescriptor()+B4j
					; ViInitializeLocalSystemDescriptor()+C3j
		pop	esi
		pop	ebx

loc_A5A3D9:				; CODE XREF: ViInitializeLocalSystemDescriptor()+2Dj
		pop	edi

loc_A5A3DA:				; CODE XREF: ViInitializeLocalSystemDescriptor()+7j
					; ViInitializeLocalSystemDescriptor()+14j
		mov	eax, ds:_ViLocalSystemDescriptor
		retn
_ViInitializeLocalSystemDescriptor@0 endp


;  S U B	R O U T	I N E 


; __stdcall ViIsDriverSuspectForVerifier(x)
_ViIsDriverSuspectForVerifier@4	proc near ; CODE XREF: VfIsVerificationEnabledForImage(x)+Cp
					; MmIsDriverSuspectForVerifier(x)+1Bp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, _VfSuspectDriversList
		mov	ebx, offset _VfSuspectDriversList
		xor	eax, eax
		cmp	esi, ebx
		jz	short loc_A5A413
		push	edi
		lea	edi, [ecx+2Ch]

loc_A5A3F9:				; CODE XREF: ViIsDriverSuspectForVerifier(x)+30j
		push	1
		push	edi
		lea	eax, [esi+10h]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		movzx	eax, al
		test	eax, eax
		jnz	short loc_A5A412
		mov	esi, [esi]
		cmp	esi, ebx
		jnz	short loc_A5A3F9

loc_A5A412:				; CODE XREF: ViIsDriverSuspectForVerifier(x)+2Aj
		pop	edi

loc_A5A413:				; CODE XREF: ViIsDriverSuspectForVerifier(x)+13j
		pop	esi
		pop	ebx
		retn
_ViIsDriverSuspectForVerifier@4	endp


;  S U B	R O U T	I N E 


; __stdcall VfInitPickCurrentRandomTarget()
_VfInitPickCurrentRandomTarget@0 proc near
					; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+1ECp
		mov	edi, edi
		push	esi
		mov	esi, ds:_VfRandomVerifiedDrivers
		test	esi, esi
		jz	short loc_A5A452
		mov	ecx, ds:_ViLoadedDriversCount
		mov	eax, ds:dword_AB0C9C
		inc	ecx
		mov	edx, ecx
		mov	ds:_ViLoadedDriversCount, ecx
		shr	edx, 3
		and	cl, 7
		mov	al, [edx+eax]
		sar	al, cl
		test	al, 1
		jz	short loc_A5A452
		dec	esi
		xor	eax, eax
		mov	ds:_VfRandomVerifiedDrivers, esi
		inc	eax
		pop	esi
		retn
; 

loc_A5A452:				; CODE XREF: VfInitPickCurrentRandomTarget()+Bj
					; VfInitPickCurrentRandomTarget()+2Ej
		xor	eax, eax
		pop	esi
		retn
_VfInitPickCurrentRandomTarget@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfInitSystemNoRebootNeeded(x, x)
_VfInitSystemNoRebootNeeded@8 proc near	; CODE XREF: VfAddVerifierEntry(x)+2Ep
					; VfSetVerifierInformation(x,x,x)+64p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	_ViFullyInitialized, 0
		push	ebx
		push	esi
		push	edi
		mov	edi, _KernelVerifier
		mov	esi, edx
		jnz	loc_A5A54C
		xor	ebx, ebx
		inc	ebx
		test	esi, esi
		jnz	short loc_A5A4A2
		push	offset _VfInitVerifierComponents@12 ; VfInitVerifierComponents(x,x,x)
		mov	_VfInitializedWithoutReboot, ebx
		call	MmLockPagableDataSection
		push	offset _ViLoadedDriversCount
		call	MmLockPagableDataSection
		push	offset _ViShortTime
		call	MmLockPagableDataSection

loc_A5A4A2:				; CODE XREF: VfInitSystemNoRebootNeeded(x,x)+26j
		test	edi, edi
		jnz	short loc_A5A4AA
		test	esi, esi
		jnz	short loc_A5A4AF

loc_A5A4AA:				; CODE XREF: VfInitSystemNoRebootNeeded(x,x)+4Ej
		call	_ExDisableAllLookasideLists@0 ;	ExDisableAllLookasideLists()

loc_A5A4AF:				; CODE XREF: VfInitSystemNoRebootNeeded(x,x)+52j
		mov	ecx, _MmVerifyDriverLevel
		mov	eax, 9BBh
		mov	_VerifierModifyableOptions, 1FFFh
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_A5A4CB
		mov	eax, ecx

loc_A5A4CB:				; CODE XREF: VfInitSystemNoRebootNeeded(x,x)+71j
		mov	_MmVerifierData, eax
		cmp	edi, ebx
		jnz	short loc_A5A4F3
		and	ecx, 0FFFFFFDFh
		mov	_ViVerifyAllDrivers, ebx
		push	8
		mov	_MmVerifyDriverLevel, ecx
		and	eax, 0FFFFFFDFh
		pop	ecx
		mov	_MmVerifierData, eax
		call	_ExSetPoolFlags@4 ; ExSetPoolFlags(x)

loc_A5A4F3:				; CODE XREF: VfInitSystemNoRebootNeeded(x,x)+7Cj
		mov	eax, offset _ViVerifierDriverAddedThunkListHead
		mov	dword_6BE42C, eax
		mov	_ViVerifierDriverAddedThunkListHead, eax
		mov	eax, offset _ViVerifierDriverAddedSpecialThunkListHead
		mov	dword_6BE35C, eax
		mov	_ViVerifierDriverAddedSpecialThunkListHead, eax
		test	esi, esi
		jnz	short loc_A5A546
		push	_KernelVerifier
		push	_ViVerifyAllDrivers
		push	_MmVerifierData
		call	_VfInitVerifierComponents@12 ; VfInitVerifierComponents(x,x,x)
		call	_VfPoolInitPhase1@0 ; VfPoolInitPhase1()
		call	_VfSettingsMiscellaneousChecksInitPhase1@0 ; VfSettingsMiscellaneousChecksInitPhase1()
		call	_VfPendingInitPhase1@0 ; VfPendingInitPhase1()
		mov	ecx, _MmVerifierData
		call	_IoVerifierInit@4 ; IoVerifierInit(x)

loc_A5A546:				; CODE XREF: VfInitSystemNoRebootNeeded(x,x)+BDj
		mov	_ViFullyInitialized, ebx

loc_A5A54C:				; CODE XREF: VfInitSystemNoRebootNeeded(x,x)+1Bj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_VfInitSystemNoRebootNeeded@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfInitVerifierComponents(x,	x, x)
_VfInitVerifierComponents@12 proc near	; CODE XREF: VfInitSystemNoRebootNeeded(x,x)+D1p
					; sub_AE213B+38p
					; DATA XREF: ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, _MmVerifierData
		push	ebx
		push	esi
		mov	esi, 400000h
		test	eax, esi
		jz	short loc_A5A576
		test	al, 10h
		jnz	short loc_A5A576
		test	byte ptr _VfFlightOptions, 9
		jz	short loc_A5A57E

loc_A5A576:				; CODE XREF: VfInitVerifierComponents(x,x,x)+14j
					; VfInitVerifierComponents(x,x,x)+18j
		push	10h
		pop	ecx
		call	_ExSetPoolFlags@4 ; ExSetPoolFlags(x)

loc_A5A57E:				; CODE XREF: VfInitVerifierComponents(x,x,x)+21j
		mov	eax, _MmVerifierData
		test	eax, esi
		jz	short loc_A5A58B
		test	al, 10h
		jz	short loc_A5A590

loc_A5A58B:				; CODE XREF: VfInitVerifierComponents(x,x,x)+32j
		call	_VfIrpDatabaseInit@0 ; VfIrpDatabaseInit()

loc_A5A590:				; CODE XREF: VfInitVerifierComponents(x,x,x)+36j
		mov	eax, _MmVerifierData
		test	eax, esi
		jz	short loc_A5A59D
		test	al, 10h
		jz	short loc_A5A5A2

loc_A5A59D:				; CODE XREF: VfInitVerifierComponents(x,x,x)+44j
		call	_VfWdInit@0	; VfWdInit()

loc_A5A5A2:				; CODE XREF: VfInitVerifierComponents(x,x,x)+48j
		mov	ecx, [ebp+arg_0]
		call	_VfSettingsInit@4 ; VfSettingsInit(x)
		call	_VfPoolInitPhase0@0 ; VfPoolInitPhase0()
		call	_VfFaultsInitPhase0@0 ;	VfFaultsInitPhase0()
		push	offset _ViLookasideDelayFreeAvlNode@8 ;	ViLookasideDelayFreeAvlNode(x,x)
		xor	esi, esi
		mov	ecx, offset _ViLookasideAvl
		push	esi
		push	48h
		pop	edx
		call	_VfAvlInitializeTree@16	; VfAvlInitializeTree(x,x,x,x)
		mov	ecx, offset _ViLookasideInitialized
		test	eax, eax
		jns	short loc_A5A5D7
		mov	ecx, offset _ViLookasideAllocationFailures

loc_A5A5D7:				; CODE XREF: VfInitVerifierComponents(x,x,x)+7Dj
		xor	ebx, ebx
		inc	ebx
		mov	eax, ebx
		xchg	eax, [ecx]
		call	_VfSessionDataInit@0 ; VfSessionDataInit()
		push	offset ExInitializeNPagedLookasideListInternal
		push	_VfInitializedWithoutReboot
		push	10h
		push	74707249h
		push	94h
		push	200h
		push	offset _VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)
		push	esi
		push	offset _ViPacketLookaside
		call	ds:_pXdvExInitializeNPagedLookasideList	; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
		push	offset _ViLookasideDelayFreeAvlNode@8 ;	ViLookasideDelayFreeAvlNode(x,x)
		push	esi
		push	38h
		pop	edx
		mov	ecx, offset _ViResourceAvl
		call	_VfAvlInitializeTree@16	; VfAvlInitializeTree(x,x,x,x)
		mov	ecx, offset _ViResourceInitialized
		test	eax, eax
		jns	short loc_A5A631
		mov	ecx, offset _ViResourceNotTracked

loc_A5A631:				; CODE XREF: VfInitVerifierComponents(x,x,x)+D7j
		mov	eax, ebx
		xchg	eax, [ecx]
		push	offset ExInitializeNPagedLookasideListInternal
		push	_VfInitializedWithoutReboot
		push	10h
		push	43707249h
		push	6Ch
		push	200h
		push	offset _VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)
		push	esi
		push	offset _ViIrpCallDriverDataList
		call	ds:_pXdvExInitializeNPagedLookasideList	; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
		push	5A0h		; size_t
		push	esi		; int
		push	offset _ViMajorVerifierRoutines	; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, offset @VfPnpDumpIrpStack@4 ; VfPnpDumpIrpStack(x)
		mov	cl, 1Bh
		push	esi
		push	offset @VfPnpTestStartedPdoStack@4 ; VfPnpTestStartedPdoStack(x)
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset @VfPnpAdvanceIrpStatus@12 ; VfPnpAdvanceIrpStatus(x,x,x)
		push	offset @VfPnpIsSystemRestrictedIrp@4 ; VfPnpIsSystemRestrictedIrp(x)
		push	offset @VfPnpVerifyIrpStackUpward@24 ; VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)
		push	offset @VfPnpVerifyIrpStackDownward@28 ; VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)
		push	offset @VfPnpVerifyNewRequest@24 ; VfPnpVerifyNewRequest(x,x,x,x,x,x)
		call	_VfMajorRegisterHandlers@52 ; VfMajorRegisterHandlers(x,x,x,x,x,x,x,x,x,x,x,x,x)
		push	esi
		push	offset @VfPowerTestStartedPdoStack@4 ; VfPowerTestStartedPdoStack(x)
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset @VfPowerIsSystemRestrictedIrp@4 ; VfPowerIsSystemRestrictedIrp(x)
		push	offset @VfPowerVerifyIrpStackUpward@24 ; VfPowerVerifyIrpStackUpward(x,x,x,x,x,x)
		push	offset @VfPowerVerifyIrpStackDownward@28 ; VfPowerVerifyIrpStackDownward(x,x,x,x,x,x,x)
		push	offset @VfPowerVerifyNewRequest@24 ; VfPowerVerifyNewRequest(x,x,x,x,x,x)
		mov	edx, offset @VfPowerDumpIrpStack@4 ; VfPowerDumpIrpStack(x)
		mov	cl, 16h
		call	_VfMajorRegisterHandlers@52 ; VfMajorRegisterHandlers(x,x,x,x,x,x,x,x,x,x,x,x,x)
		push	esi
		push	offset @VfWmiTestStartedPdoStack@4 ; VfWmiTestStartedPdoStack(x)
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset @VfWmiVerifyIrpStackUpward@24 ; VfWmiVerifyIrpStackUpward(x,x,x,x,x,x)
		push	offset @VfWmiVerifyIrpStackDownward@28 ; VfWmiVerifyIrpStackDownward(x,x,x,x,x,x,x)
		push	offset @VfWmiVerifyNewRequest@24 ; VfWmiVerifyNewRequest(x,x,x,x,x,x)
		mov	edx, offset @VfWmiDumpIrpStack@4 ; VfWmiDumpIrpStack(x)
		mov	cl, 17h
		call	_VfMajorRegisterHandlers@52 ; VfMajorRegisterHandlers(x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ds:dword_AB059C, offset	@ViGenericVerifyNewRequest@24 ;	ViGenericVerifyNewRequest(x,x,x,x,x,x)
		mov	ds:dword_AB05A0, offset	@ViGenericVerifyIrpStackDownward@28 ; ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)
		mov	ds:dword_AB05A4, offset	@ViGenericVerifyIrpStackUpward@24 ; ViGenericVerifyIrpStackUpward(x,x,x,x,x,x)
		mov	ds:dword_AB0598, offset	@ViGenericDumpIrpStack@4 ; ViGenericDumpIrpStack(x)
		mov	ds:dword_AB05A8, esi
		mov	ds:dword_AB05AC, esi
		mov	ds:dword_AB05B0, offset	@ViGenericIsValidIrpStatus@8 ; ViGenericIsValidIrpStatus(x,x)
		mov	ds:dword_AB05B4, offset	@ViGenericIsNewRequest@8 ; ViGenericIsNewRequest(x,x)
		mov	ds:dword_AB05B8, offset	@ViGenericVerifyNewIrp@20 ; ViGenericVerifyNewIrp(x,x,x,x,x)
		mov	ds:dword_AB05BC, offset	@ViGenericVerifyFinalIrpStack@8	; ViGenericVerifyFinalIrpStack(x,x)
		mov	ds:dword_AB05C0, esi
		mov	ds:dword_AB05C4, offset	@ViGenericBuildIrpLogEntry@16 ;	ViGenericBuildIrpLogEntry(x,x,x,x)
		call	_VfHalVerifierInitialize@0 ; VfHalVerifierInitialize()
		call	_VfIrpLogInit@0	; VfIrpLogInit()
		push	offset _ViLookasideDelayFreeAvlNode@8 ;	ViLookasideDelayFreeAvlNode(x,x)
		push	60h
		push	18h
		pop	edx
		mov	ecx, offset _ViRemLockAvl
		mov	_ViDdiInitialized, ebx
		call	_VfAvlInitializeTree@16	; VfAvlInitializeTree(x,x,x,x)
		test	eax, eax
		mov	ecx, offset _ViRemLockInitialized
		jns	short loc_A5A791
		mov	ecx, offset _ViRemLockAllocationFailures

loc_A5A791:				; CODE XREF: VfInitVerifierComponents(x,x,x)+237j
		mov	eax, ebx
		xchg	eax, [ecx]
		push	offset _ViLookasideDelayFreeAvlNode@8 ;	ViLookasideDelayFreeAvlNode(x,x)
		push	0Ch
		mov	edx, 0B8h
		mov	ecx, offset _ViDevObjAvl
		call	_VfAvlInitializeTree@16	; VfAvlInitializeTree(x,x,x,x)
		mov	ecx, offset _ViDevObjInitialized
		test	eax, eax
		jns	short loc_A5A7B9
		mov	ecx, offset _ViDevObjAllocationFailures

loc_A5A7B9:				; CODE XREF: VfInitVerifierComponents(x,x,x)+25Fj
		mov	eax, ebx
		xchg	eax, [ecx]
		call	_VfIoCallbacksInit@0 ; VfIoCallbacksInit()
		call	_VfCtxInit@0	; VfCtxInit()
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_4]
		call	_VfDeadlockInitialize@8	; VfDeadlockInitialize(x,x)
		mov	ecx, [ebp+arg_0]
		call	_VfSettingsApplyMiscellaneousChecks@4 ;	VfSettingsApplyMiscellaneousChecks(x)
		test	byte ptr _MmVerifierData, 10h
		mov	_IovUtilVerifierEnabled, ebx
		jz	short loc_A5A7EF
		mov	_PpvUtilVerifierEnabled, bl

loc_A5A7EF:				; CODE XREF: VfInitVerifierComponents(x,x,x)+294j
		pop	esi
		mov	_ViVerifierEnabled, ebx
		pop	ebx
		pop	ecx
		pop	ebp
		retn	0Ch
_VfInitVerifierComponents@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ViGenericBuildIrpLogEntry(x, x, x,	x)
@ViGenericBuildIrpLogEntry@16 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+202o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ecx+60h]
		cmp	byte ptr [esi-24h], 0Eh
		jz	short loc_A5A80F
		xor	eax, eax
		jmp	short loc_A5A85B
; 

loc_A5A80F:				; CODE XREF: ViGenericBuildIrpLogEntry(x,x,x,x)+Dj
		mov	ecx, [ebp+arg_4]
		mov	dword ptr [ecx], 1
		mov	al, [esi-24h]
		mov	[ecx+4], al
		mov	al, [esi-23h]
		mov	[ecx+5], al
		mov	al, [esi-22h]
		mov	[ecx+6], al
		mov	al, [esi-21h]
		mov	[ecx+7], al
		mov	eax, [esi-20h]
		cdq
		mov	[ecx+8], eax
		mov	[ecx+0Ch], edx
		mov	eax, [esi-1Ch]
		cdq
		mov	[ecx+10h], eax
		mov	[ecx+14h], edx
		mov	eax, [esi-18h]
		cdq
		mov	[ecx+18h], eax
		mov	[ecx+1Ch], edx
		mov	eax, [esi-14h]
		cdq
		mov	[ecx+20h], eax
		xor	eax, eax
		mov	[ecx+24h], edx
		inc	eax

loc_A5A85B:				; CODE XREF: ViGenericBuildIrpLogEntry(x,x,x,x)+11j
		pop	esi
		pop	ebp
		retn	8
@ViGenericBuildIrpLogEntry@16 endp


;  S U B	R O U T	I N E 


; __fastcall ViGenericDumpIrpStack(x)
@ViGenericDumpIrpStack@4 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+1BEo
		mov	al, [ecx]
		cmp	al, 0Fh
		jnz	short loc_A5A873
		cmp	byte ptr [ecx+1], 1
		jnz	short loc_A5A877
		mov	eax, offset ??_C@_0M@LKFLJLP@IRP_MJ_SCSI@JKADOLAD@
		jmp	short loc_A5A891
; 

loc_A5A873:				; CODE XREF: ViGenericDumpIrpStack(x)+4j
		cmp	al, 1Bh
		ja	short loc_A5A883

loc_A5A877:				; CODE XREF: ViGenericDumpIrpStack(x)+Aj
		movzx	eax, al
		mov	eax, ds:_IrpMajorNames[eax*4]
		jmp	short loc_A5A891
; 

loc_A5A883:				; CODE XREF: ViGenericDumpIrpStack(x)+15j
		cmp	al, 0FFh
		mov	eax, offset ??_C@_0N@NHOKDNA@IRP_MJ_BOGUS@JKADOLAD@
		jz	short loc_A5A891
		mov	eax, (offset loc_A56EB1+1)

loc_A5A891:				; CODE XREF: ViGenericDumpIrpStack(x)+11j
					; ViGenericDumpIrpStack(x)+21j	...
		push	eax		; char *
		call	_VfUtilDbgPrint
		pop	ecx
		retn
@ViGenericDumpIrpStack@4 endp


;  S U B	R O U T	I N E 


; __fastcall ViGenericIsNewRequest(x, x)
@ViGenericIsNewRequest@8 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+1DEo
		test	ecx, ecx
		jz	short loc_A5A8AE
		mov	al, [edx]
		cmp	al, [ecx]
		jnz	short loc_A5A8AE
		mov	al, [edx+1]
		cmp	al, [ecx+1]
		jnz	short loc_A5A8AE
		xor	eax, eax
		retn
; 

loc_A5A8AE:				; CODE XREF: ViGenericIsNewRequest(x,x)+2j
					; ViGenericIsNewRequest(x,x)+8j ...
		xor	eax, eax
		inc	eax
		retn
@ViGenericIsNewRequest@8 endp


;  S U B	R O U T	I N E 


; __fastcall ViGenericIsValidIrpStatus(x, x)
@ViGenericIsValidIrpStatus@8 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+1D4o
		mov	edi, edi
		push	edx
		call	_IoIsValidIrpStatus@4 ;	IoIsValidIrpStatus(x)
		retn
@ViGenericIsValidIrpStatus@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ViGenericVerifyIrpStackDownward(x,	x, x, x, x, x, x)
@ViGenericVerifyIrpStackDownward@28 proc near
					; DATA XREF: VfInitVerifierComponents(x,x,x)+1AAo

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	edx, ebx
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ecx]
		mov	[ebp+var_4], ecx
		mov	eax, [edi+18h]
		mov	[ebp+var_8], eax
		mov	eax, [esi+40h]
		mov	[ebp+var_14], eax
		mov	eax, [edi+1Ch]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+44h]
		mov	[ebp+var_18], eax
		mov	eax, [esi+4]
		and	eax, 8000000h
		mov	[ebp+var_10], eax
		mov	eax, [ecx+8Ch]
		mov	ecx, [ebp+arg_0]
		mov	[ebp+arg_8], eax
		call	@VfMajorIsNewRequest@8 ; VfMajorIsNewRequest(x,x)
		mov	cl, [ebx]
		mov	ebx, [ebp+arg_10]
		mov	[ebp+var_C], eax
		cmp	cl, 3
		jb	short loc_A5A928
		cmp	cl, 4
		jbe	short loc_A5A95F
		cmp	cl, 0Dh
		jbe	short loc_A5A928
		cmp	cl, 0Fh
		jbe	short loc_A5A95F
		cmp	cl, 16h
		jz	short loc_A5A95F

loc_A5A928:				; CODE XREF: ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+57j
					; ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+61j
		mov	eax, [ebp+arg_8]
		cmp	dword ptr [eax+1Ch], 2
		mov	eax, [ebp+var_4]
		jnz	short loc_A5A962
		mov	cl, [eax+28h]
		cmp	cl, 2
		jb	short loc_A5A962
		test	dword ptr [eax+24h], 2000000h
		jnz	short loc_A5A962
		push	ecx		; char
		push	edi		; int
		mov	edx, ebx	; int
		mov	ecx, 301h	; int
		call	_ViErrorReport11@16 ; ViErrorReport11(x,x,x,x)
		mov	eax, [ebp+var_4]
		or	dword ptr [eax+24h], 2000000h
		jmp	short loc_A5A962
; 

loc_A5A95F:				; CODE XREF: ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+5Cj
					; ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+66j ...
		mov	eax, [ebp+var_4]

loc_A5A962:				; CODE XREF: ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+77j
					; ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+7Fj ...
		cmp	[ebp+arg_0], 0
		jz	loc_A5AA06
		test	byte ptr [eax+24h], 20h
		mov	edx, [esi+4]
		setnz	cl
		bt	edx, 18h
		setnb	al
		test	cl, al
		jz	short loc_A5A9E7
		cmp	[ebp+var_C], 0
		jz	short loc_A5A9A3
		cmp	[ebp+var_10], 0
		jnz	short loc_A5A9A3
		or	edx, 1000000h
		mov	ecx, 212h	; int
		mov	[esi+4], edx
		mov	edx, ebx	; int
		push	edi		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A5A9A3:				; CODE XREF: ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+CAj
					; ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+D0j
		mov	eax, [ebp+var_14]
		cmp	[ebp+var_8], eax
		jz	short loc_A5A9CB
		mov	eax, [ebp+arg_4]
		mov	edx, ebx	; int
		or	dword ptr [esi+4], 1000000h
		mov	ecx, 23Bh
		push	edi		; int
		cmp	byte ptr [eax+1], 0FFh
		jz	short loc_A5A9C6
		add	ecx, 0FFFFFFD8h	; int

loc_A5A9C6:				; CODE XREF: ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+106j
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A5A9CB:				; CODE XREF: ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+EEj
		mov	eax, [ebp+var_18]
		cmp	[ebp+var_1C], eax
		jz	short loc_A5A9E7
		or	dword ptr [esi+4], 1000000h
		mov	edx, ebx	; int
		push	edi		; int
		mov	ecx, 214h	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A5A9E7:				; CODE XREF: ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+C4j
					; ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+116j
		mov	esi, [ebp+var_8]
		mov	edx, esi
		mov	ecx, [ebp+arg_4]
		call	@VfMajorIsValidIrpStatus@8 ; VfMajorIsValidIrpStatus(x,x)
		test	eax, eax
		jnz	short loc_A5AA06
		push	esi		; int
		push	edi		; int
		mov	edx, ebx	; int
		mov	ecx, 300h	; int
		call	_ViErrorReport6@16 ; ViErrorReport6(x,x,x,x)

loc_A5AA06:				; CODE XREF: ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+ABj
					; ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+13Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
@ViGenericVerifyIrpStackDownward@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ViGenericVerifyIrpStackUpward(x, x, x, x, x, x)
@ViGenericVerifyIrpStackUpward@24 proc near
					; DATA XREF: VfInitVerifierComponents(x,x,x)+1B4o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		test	byte ptr [ecx+24h], 20h
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		mov	esi, [ecx]
		mov	ebx, [eax+18h]
		mov	[ebp+var_4], edx
		push	edi
		mov	edx, [esi+18h]
		mov	[ebp+var_8], edx
		jz	short loc_A5AA7D
		mov	edi, [ebp+arg_0]
		mov	eax, [edi+4]
		test	eax, 1000000h
		jnz	short loc_A5AA7D
		cmp	edx, [edi+40h]
		jz	short loc_A5AA61
		or	eax, 1000000h
		mov	edx, ebx	; int
		mov	[edi+4], eax
		mov	ecx, 23Bh
		mov	eax, [ebp+var_4]
		push	esi		; int
		cmp	byte ptr [eax+1], 0FFh
		jz	short loc_A5AA5C
		add	ecx, 0FFFFFFD8h	; int

loc_A5AA5C:				; CODE XREF: ViGenericVerifyIrpStackUpward(x,x,x,x,x,x)+4Aj
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A5AA61:				; CODE XREF: ViGenericVerifyIrpStackUpward(x,x,x,x,x,x)+31j
		mov	eax, [esi+1Ch]
		cmp	eax, [edi+44h]
		jz	short loc_A5AA7D
		or	dword ptr [edi+4], 1000000h
		mov	edx, ebx	; int
		push	esi		; int
		mov	ecx, 214h	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A5AA7D:				; CODE XREF: ViGenericVerifyIrpStackUpward(x,x,x,x,x,x)+1Fj
					; ViGenericVerifyIrpStackUpward(x,x,x,x,x,x)+2Cj ...
		mov	edi, [ebp+var_8]
		mov	edx, edi
		mov	ecx, [ebp+var_4]
		call	@VfMajorIsValidIrpStatus@8 ; VfMajorIsValidIrpStatus(x,x)
		test	eax, eax
		jnz	short loc_A5AA9C
		push	edi		; int
		push	esi		; int
		mov	edx, ebx	; int
		mov	ecx, 300h	; int
		call	_ViErrorReport6@16 ; ViErrorReport6(x,x,x,x)

loc_A5AA9C:				; CODE XREF: ViGenericVerifyIrpStackUpward(x,x,x,x,x,x)+7Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
@ViGenericVerifyIrpStackUpward@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViGenericVerifyNewIrp(int,int,int,int,int)
@ViGenericVerifyNewIrp@20 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+1E8o

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword ptr [edx+28h], 0
		push	edi
		mov	edi, ecx
		jnz	short loc_A5AAB7
		cmp	dword ptr [edx+2Ch], 0
		jz	short loc_A5AB06

loc_A5AAB7:				; CODE XREF: ViGenericVerifyNewIrp(x,x,x,x,x)+Cj
		mov	eax, [edx+8]
		test	eax, 440h
		setnz	cl
		test	eax, 402h
		setnz	al
		test	cl, al
		jnz	short loc_A5AB06
		movsx	eax, byte ptr [edx+23h]
		mov	ecx, [edx+60h]
		dec	eax
		push	esi
		movsx	esi, byte ptr [edx+22h]
		cmp	eax, esi
		jg	short loc_A5AAEF
		add	ecx, 0FFFFFFF8h

loc_A5AAE2:				; CODE XREF: ViGenericVerifyNewIrp(x,x,x,x,x)+4Aj
		cmp	dword ptr [ecx], 0
		jnz	short loc_A5AB05
		add	ecx, 24h
		inc	eax
		cmp	eax, esi
		jle	short loc_A5AAE2

loc_A5AAEF:				; CODE XREF: ViGenericVerifyNewIrp(x,x,x,x,x)+3Aj
		mov	al, [edi+28h]
		test	al, al
		jz	short loc_A5AB05
		push	eax		; char
		push	edx		; int
		mov	edx, [ebp+arg_8] ; int
		mov	ecx, 302h	; int
		call	_ViErrorReport11@16 ; ViErrorReport11(x,x,x,x)

loc_A5AB05:				; CODE XREF: ViGenericVerifyNewIrp(x,x,x,x,x)+42j
					; ViGenericVerifyNewIrp(x,x,x,x,x)+51j
		pop	esi

loc_A5AB06:				; CODE XREF: ViGenericVerifyNewIrp(x,x,x,x,x)+12j
					; ViGenericVerifyNewIrp(x,x,x,x,x)+29j
		pop	edi
		pop	ebp
		retn	0Ch
@ViGenericVerifyNewIrp@20 endp

; 
		align 10h
; Exported entry 904. IoIsValidIrpStatus

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IoIsValidIrpStatus(x)
		public _IoIsValidIrpStatus@4
_IoIsValidIrpStatus@4 proc near		; CODE XREF: ViGenericIsValidIrpStatus(x,x)+3p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		movzx	edx, ax
		push	esi
		test	eax, 20000000h
		jnz	short loc_A5AB75
		mov	ecx, eax
		and	ecx, 0FFF0000h
		cmp	ecx, 0ED0000h
		jnb	short loc_A5AB71
		shr	eax, 1Eh
		xor	esi, esi
		sub	eax, esi
		jz	short loc_A5AB65
		sub	eax, 1
		jz	short loc_A5AB5D
		sub	eax, 1
		jnz	short loc_A5AB75
		cmp	ecx, 70000h
		jz	short loc_A5AB56
		cmp	edx, 400h
		jnb	short loc_A5AB59

loc_A5AB56:				; CODE XREF: IoIsValidIrpStatus(x)+3Cj
		xor	esi, esi
		inc	esi

loc_A5AB59:				; CODE XREF: IoIsValidIrpStatus(x)+44j
		mov	eax, esi
		jmp	short loc_A5AB78
; 

loc_A5AB5D:				; CODE XREF: IoIsValidIrpStatus(x)+2Fj
		cmp	edx, 400h
		jmp	short loc_A5AB6B
; 

loc_A5AB65:				; CODE XREF: IoIsValidIrpStatus(x)+2Aj
		cmp	edx, 250h

loc_A5AB6B:				; CODE XREF: IoIsValidIrpStatus(x)+53j
		sbb	eax, eax
		neg	eax
		jmp	short loc_A5AB78
; 

loc_A5AB71:				; CODE XREF: IoIsValidIrpStatus(x)+21j
		xor	eax, eax
		jmp	short loc_A5AB78
; 

loc_A5AB75:				; CODE XREF: IoIsValidIrpStatus(x)+11j
					; IoIsValidIrpStatus(x)+34j
		xor	eax, eax
		inc	eax

loc_A5AB78:				; CODE XREF: IoIsValidIrpStatus(x)+4Bj
					; IoIsValidIrpStatus(x)+5Fj ...
		pop	esi
		pop	ebp
		retn	4
_IoIsValidIrpStatus@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfCheckImageCompliance(x)
_VfCheckImageCompliance@4 proc near	; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+2B6p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		test	_MmVerifierData, 2000000h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_18], 1
		push	edi
		mov	[ebp+var_14], esi
		jz	loc_A5ADE0
		push	dword ptr [esi+18h]
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A5ADE0
		movzx	ebx, word ptr [edi+14h]
		lea	edx, [edi+0D8h]
		add	ebx, 18h
		xor	ecx, ecx
		add	ebx, edi
		cmp	[edx], ecx
		jz	short loc_A5ABDA
		cmp	[edx+4], ecx
		jnz	short loc_A5ABDD

loc_A5ABDA:				; CODE XREF: VfCheckImageCompliance(x)+56j
		mov	[ebp+var_18], ecx

loc_A5ABDD:				; CODE XREF: VfCheckImageCompliance(x)+5Bj
		xor	eax, eax
		mov	[ebp+var_1C], ecx
		cmp	ax, [edi+6]
		jnb	loc_A5ADE0

loc_A5ABEC:				; CODE XREF: VfCheckImageCompliance(x)+25Dj
		mov	eax, [ebx+24h]
		and	eax, 0A0000000h
		cmp	eax, 0A0000000h
		jnz	loc_A5AC8D
		mov	eax, [ebx]
		mov	[ebp+var_10], eax
		mov	eax, [ebx+4]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_10]
		push	offset ??_C@_04LGGJDDML@INIT@JKADOLAD@ ; char *
		push	eax		; char *
		mov	[ebp+var_8], cl
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A5AC2D
		test	_VfOptionFlags,	100h
		jz	short loc_A5AC87

loc_A5AC2D:				; CODE XREF: VfCheckImageCompliance(x)+A2j
		lea	eax, [ebp+var_10]
		add	esi, 2Ch
		push	eax		; int
		push	ebx		; int
		push	esi		; char
		push	2003h		; int
		mov	edx, (offset loc_A56F8B+1) ; int
		mov	ecx, offset unk_6B6790 ; int
		call	_ViCiPreprocessOptions@24 ; ViCiPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B6790 ; int
		lea	eax, [ebp+var_10]
		mov	edx, 2003h	; int
		push	eax		; int
		push	ebx		; int
		push	esi		; int
		mov	ecx, 0C4h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		test	_MmVerifierData, 1000h
		mov	esi, [ebp+var_14]
		mov	ecx, [esi+1Ch]
		jz	short loc_A5AC80
		mov	edx, 0A8h
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A5AC80:				; CODE XREF: VfCheckImageCompliance(x)+F7j
		lock inc dword_6C6EC4

loc_A5AC87:				; CODE XREF: VfCheckImageCompliance(x)+AEj
		lea	edx, [edi+0D8h]

loc_A5AC8D:				; CODE XREF: VfCheckImageCompliance(x)+7Cj
		cmp	[ebp+var_18], 0
		jz	loc_A5AD2B
		mov	ecx, [ebx+0Ch]
		mov	edx, [edx]
		cmp	ecx, edx
		ja	loc_A5AD2B
		mov	eax, [ebx+8]
		add	eax, ecx
		cmp	eax, edx
		jbe	short loc_A5AD2B
		test	dword ptr [ebx+24h], 20000000h
		jz	short loc_A5AD2B
		mov	eax, [ebx]
		add	esi, 2Ch
		mov	[ebp+var_10], eax
		mov	edx, offset ??_C@_0EF@PNLFLEKE@The?5image?5?$CFwZ?5contains?5an?5IAT?0?5@JKADOLAD@ ; int
		mov	eax, [ebx+4]
		mov	ecx, offset unk_6B6784 ; int
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_10]
		push	eax		; int
		lea	eax, [edi+0D8h]
		mov	[ebp+var_8], 0
		push	eax		; int
		push	esi		; char
		push	2005h		; int
		call	_ViCiPreprocessOptions@24 ; ViCiPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B6784 ; int
		lea	eax, [ebp+var_10]
		mov	edx, 2005h	; int
		push	eax		; int
		lea	eax, [edi+0D8h]
		mov	ecx, 0C4h	; int
		push	eax		; int
		push	esi		; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		test	_MmVerifierData, 1000h
		mov	esi, [ebp+var_14]
		mov	ecx, [esi+1Ch]
		jz	short loc_A5AD24
		mov	edx, 0B0h
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A5AD24:				; CODE XREF: VfCheckImageCompliance(x)+19Bj
		lock inc dword_6C6ECC

loc_A5AD2B:				; CODE XREF: VfCheckImageCompliance(x)+114j
					; VfCheckImageCompliance(x)+121j ...
		movzx	eax, word ptr [edi+18h]
		mov	ecx, 10Bh
		cmp	ax, cx
		jz	short loc_A5AD43
		mov	ecx, 20Bh
		cmp	ax, cx
		jnz	short loc_A5AD48

loc_A5AD43:				; CODE XREF: VfCheckImageCompliance(x)+1BAj
		mov	eax, [edi+38h]
		jmp	short loc_A5AD4D
; 

loc_A5AD48:				; CODE XREF: VfCheckImageCompliance(x)+1C4j
		mov	eax, 1000h

loc_A5AD4D:				; CODE XREF: VfCheckImageCompliance(x)+1C9j
		test	eax, eax
		jz	short loc_A5AD58
		test	eax, 0FFFh
		jz	short loc_A5ADC1

loc_A5AD58:				; CODE XREF: VfCheckImageCompliance(x)+1D2j
		mov	eax, [ebx]
		add	esi, 2Ch
		mov	[ebp+var_10], eax
		mov	edx, (offset loc_A5709D+1) ; int
		mov	eax, [ebx+4]
		mov	ecx, offset unk_6B6788 ; int
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_10]
		push	eax		; int
		push	ebx		; int
		push	esi		; char
		push	2004h		; int
		mov	[ebp+var_8], 0
		call	_ViCiPreprocessOptions@24 ; ViCiPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B6788 ; int
		lea	eax, [ebp+var_10]
		mov	edx, 2004h	; int
		push	eax		; int
		push	ebx		; int
		push	esi		; int
		mov	ecx, 0C4h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		test	_MmVerifierData, 1000h
		mov	esi, [ebp+var_14]
		mov	ecx, [esi+1Ch]
		jz	short loc_A5ADBA
		mov	edx, 0ACh
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A5ADBA:				; CODE XREF: VfCheckImageCompliance(x)+231j
		lock inc dword_6C6EC8

loc_A5ADC1:				; CODE XREF: VfCheckImageCompliance(x)+1D9j
		mov	ecx, [ebp+var_1C]
		lea	edx, [edi+0D8h]
		movzx	eax, word ptr [edi+6]
		add	ebx, 28h
		inc	ecx
		push	0
		mov	[ebp+var_1C], ecx
		cmp	ecx, eax
		pop	ecx
		jb	loc_A5ABEC

loc_A5ADE0:				; CODE XREF: VfCheckImageCompliance(x)+2Bj
					; VfCheckImageCompliance(x)+3Dj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_VfCheckImageCompliance@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfCheckPagePriority(x, x)
_VfCheckPagePriority@8 proc near	; CODE XREF: VfCheckNxPagePriority(x,x)+14p
					; VerifierMmMapLockedPagesSpecifyCache(x,x,x,x,x,x)+23p
		test	_MmVerifierData, 2000000h
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jz	short loc_A5AE58
		test	esi, 40000000h
		jnz	short loc_A5AE58
		push	ebx
		push	0		; int
		push	esi		; int
		push	edi		; char
		mov	ebx, offset unk_6B678C
		mov	edx, offset ??_C@_0EF@HIFMIKLM@The?5caller?50x?$CFp?5specified?5an?5ex@JKADOLAD@ ; int
		push	2002h		; int
		mov	ecx, ebx	; int
		call	_ViCiPreprocessOptions@24 ; ViCiPreprocessOptions(x,x,x,x,x,x)
		push	ebx		; int
		push	0		; int
		push	esi		; int
		push	edi		; int
		mov	edx, 2002h	; int
		mov	ecx, 0C4h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		test	_MmVerifierData, 1000h
		pop	ebx
		jz	short loc_A5AE51
		mov	edx, 0A4h
		mov	ecx, edi
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A5AE51:				; CODE XREF: VfCheckPagePriority(x,x)+54j
		lock inc dword_6C6EC0

loc_A5AE58:				; CODE XREF: VfCheckPagePriority(x,x)+10j
					; VfCheckPagePriority(x,x)+18j
		pop	edi
		pop	esi
		retn
_VfCheckPagePriority@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfCheckPageProtection(x, x)
_VfCheckPageProtection@8 proc near	; CODE XREF: VfCheckNxPageProtection(x,x)+14p
					; VerifierMmAllocateContiguousNodeMemory(x,x,x,x,x,x,x,x,x)+Bp	...
		test	_MmVerifierData, 2000000h
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		jz	short loc_A5AEC1
		test	bl, 0F0h
		jz	short loc_A5AEC1
		push	edi
		push	0		; int
		push	ebx		; int
		push	esi		; char
		mov	edi, offset unk_6B6794
		mov	edx, offset ??_C@_0DO@IIHDKJB@The?5caller?50x?$CFp?5specified?5an?5ex@JKADOLAD@	; int
		push	2001h		; int
		mov	ecx, edi	; int
		call	_ViCiPreprocessOptions@24 ; ViCiPreprocessOptions(x,x,x,x,x,x)
		push	edi		; int
		push	0		; int
		push	ebx		; int
		push	esi		; int
		mov	edx, 2001h	; int
		mov	ecx, 0C4h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		test	_MmVerifierData, 1000h
		pop	edi
		jz	short loc_A5AEBA
		mov	edx, 0A0h
		mov	ecx, esi
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A5AEBA:				; CODE XREF: VfCheckPageProtection(x,x)+51j
		lock inc dword_6C6EBC

loc_A5AEC1:				; CODE XREF: VfCheckPageProtection(x,x)+10j
					; VfCheckPageProtection(x,x)+15j
		pop	esi
		pop	ebx
		retn
_VfCheckPageProtection@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfCheckPoolType(x, x, x)
_VfCheckPoolType@12 proc near		; CODE XREF: VfCheckNxPoolType(x,x,x)+17p
					; VerifierExAllocatePool2(x,x,x,x)+74p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	_MmVerifierData, 2000000h
		push	ebx
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		jz	short loc_A5AF45
		test	bl, 1
		jnz	short loc_A5AF45
		test	ebx, 200h
		jnz	short loc_A5AF45
		cmp	[ebp+arg_0], 0
		mov	edx, offset ??_C@_0DI@LHLOLGDN@The?5caller?50x?$CFp?5specified?5an?5ex@JKADOLAD@
		jz	short loc_A5AEF9
		mov	edx, offset ??_C@_0ED@LNNBCONM@The?5caller?50x?$CFp?5specified?5an?5ex@JKADOLAD@ ; int

loc_A5AEF9:				; CODE XREF: VfCheckPoolType(x,x,x)+2Ej
		push	[ebp+arg_0]	; int
		mov	ecx, offset unk_6B6798 ; int
		push	ebx		; int
		push	edi		; char
		push	2000h		; int
		call	_ViCiPreprocessOptions@24 ; ViCiPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B6798 ; int
		push	[ebp+arg_0]	; int
		mov	edx, 2000h	; int
		mov	ecx, 0C4h	; int
		push	ebx		; int
		push	edi		; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		test	_MmVerifierData, 1000h
		jz	short loc_A5AF3E
		mov	edx, 9Ch
		mov	ecx, edi
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A5AF3E:				; CODE XREF: VfCheckPoolType(x,x,x)+6Cj
		lock inc dword_6C6EB8

loc_A5AF45:				; CODE XREF: VfCheckPoolType(x,x,x)+16j
					; VfCheckPoolType(x,x,x)+1Bj ...
		pop	edi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	4
_VfCheckPoolType@12 endp


;  S U B	R O U T	I N E 


; __stdcall VfDisableCodeIntegrityBreaks()
_VfDisableCodeIntegrityBreaks@0	proc near ; CODE XREF: ViInitSystemPhase0:loc_AE6A99p
		mov	edi, edi
		push	edi
		push	6
		pop	ecx
		push	2
		pop	eax
		mov	edi, offset _ViCiDefaultActions
		rep stosd
		pop	edi
		retn
_VfDisableCodeIntegrityBreaks@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViCiPreprocessOptions(int,int,int,char,int,int)
_ViCiPreprocessOptions@24 proc near	; CODE XREF: VfCheckImageCompliance(x)+C8p
					; VfCheckImageCompliance(x)+166p ...

var_C		= dword	ptr -0Ch
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx]
		push	esi
		mov	esi, edx
		push	edi		; char
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_A5AF87
		mov	eax, [ebp+arg_0]
		and	eax, 0Fh
		cmp	eax, 6
		jnb	short loc_A5AF82
		mov	eax, ds:_ViCiDefaultActions[eax*4]
		jmp	short loc_A5AF85
; 

loc_A5AF82:				; CODE XREF: ViCiPreprocessOptions(x,x,x,x,x,x)+19j
		push	4
		pop	eax

loc_A5AF85:				; CODE XREF: ViCiPreprocessOptions(x,x,x,x,x,x)+22j
		mov	[ecx], eax

loc_A5AF87:				; CODE XREF: ViCiPreprocessOptions(x,x,x,x,x,x)+Ej
		test	eax, eax
		jz	short loc_A5AFED
		test	al, 10h
		jz	short loc_A5AF92
		and	dword ptr [ecx], 0

loc_A5AF92:				; CODE XREF: ViCiPreprocessOptions(x,x,x,x,x,x)+2Fj
		push	(offset	loc_A56EBB+1) ;	char *
		call	_VfUtilDbgPrint
		pop	ecx
		mov	edi, offset ??_C@_03NOABEEAF@?$CK?$CK?6@JKADOLAD@
		push	edi		; char *
		call	_VfUtilDbgPrint
		mov	[esp+0Ch+var_C], offset	??_C@_03LBGKIICN@?$CK?$CK?5@JKADOLAD@
		call	_VfUtilDbgPrint
		pop	ecx
		test	esi, esi
		jz	short loc_A5AFCF
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	dword ptr [ebp+arg_4] ;	char
		push	esi		; char *
		push	0		; int
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 18h

loc_A5AFCF:				; CODE XREF: ViCiPreprocessOptions(x,x,x,x,x,x)+59j
		push	offset ??_C@_01EEMJAFIK@?6@JKADOLAD@ ; char *
		call	_VfUtilDbgPrint
		pop	ecx
		push	edi		; char *
		call	_VfUtilDbgPrint
		mov	[esp+0Ch+var_C], offset	??_C@_0ED@OBFNHIMC@?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK@JKADOLAD@
		call	_VfUtilDbgPrint
		pop	ecx

loc_A5AFED:				; CODE XREF: ViCiPreprocessOptions(x,x,x,x,x,x)+2Bj
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_ViCiPreprocessOptions@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfDdiExposeWmiObjects()
_VfDdiExposeWmiObjects@0 proc near	; CODE XREF: ViIrpLogExposeWmiCallback(x)+5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		mov	esi, offset ??_C@_11LOCGONAA@@JKADOLAD@
		push	esi
		push	offset _ViDdiWmiMofKey
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		push	offset _ViDdiWmiMofResourceName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _VerifierDdiDriverName
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _ViDdiDriverEntry@8 ; ViDdiDriverEntry(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		call	IoCreateDriver
		pop	esi
		leave
		retn
_VfDdiExposeWmiObjects@0 endp


;  S U B	R O U T	I N E 


; __stdcall ViDdiBuildWmiRegInfoData(x,	x)
_ViDdiBuildWmiRegInfoData@8 proc near	; CODE XREF: ViDdiDispatchWmiRegInfoEx(x,x)+25p
					; ViDdiDispatchWmiRegInfoEx(x,x)+4Fp
		mov	edi, edi
		push	ebx
		mov	ebx, edx
		push	esi
		test	ebx, ebx
		jz	short loc_A5B068
		push	edi
		mov	dword ptr [ebx+10h], 1
		lea	edi, [ebx+14h]
		mov	esi, offset _GUID_VERIFIER_WMI_INTERFACE
		movsd
		movsd
		movsd
		movsd
		and	dword ptr [ebx+24h], 0
		and	dword ptr [ebx+28h], 0
		and	dword ptr [ebx+2Ch], 0
		pop	edi

loc_A5B068:				; CODE XREF: ViDdiBuildWmiRegInfoData(x,x)+8j
		push	30h
		pop	eax
		test	ecx, ecx
		jnz	loc_A5B100
		test	ebx, ebx
		jz	short loc_A5B0AB
		mov	[ebx+8], eax
		lea	ecx, [ebx+38h]
		mov	ax, ds:_ViDdiWmiMofKey
		mov	[ebx+30h], ax
		mov	ax, ds:_ViDdiWmiMofKey
		mov	[ebx+32h], ax
		mov	[ebx+34h], ecx
		movzx	eax, ds:_ViDdiWmiMofKey
		push	eax		; size_t
		push	ds:dword_AB0B44	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_A5B0AB:				; CODE XREF: ViDdiBuildWmiRegInfoData(x,x)+38j
		movzx	esi, ds:_ViDdiWmiMofKey
		add	esi, 39h
		and	esi, 0FFFFFFFEh
		test	ebx, ebx
		jz	short loc_A5B0F4
		mov	[ebx+0Ch], esi
		lea	ecx, [ebx+8]
		mov	ax, ds:_ViDdiWmiMofResourceName
		add	ecx, esi
		mov	[esi+ebx], ax
		mov	ax, ds:_ViDdiWmiMofResourceName
		mov	[esi+ebx+2], ax
		mov	[esi+ebx+4], ecx
		movzx	eax, ds:_ViDdiWmiMofResourceName
		push	eax		; size_t
		push	ds:dword_AB0A6C	; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch

loc_A5B0F4:				; CODE XREF: ViDdiBuildWmiRegInfoData(x,x)+7Dj
		movzx	eax, ds:_ViDdiWmiMofResourceName
		add	eax, 8
		add	eax, esi

loc_A5B100:				; CODE XREF: ViDdiBuildWmiRegInfoData(x,x)+30j
		test	ebx, ebx
		jz	short loc_A5B10A
		and	dword ptr [ebx+4], 0
		mov	[ebx], eax

loc_A5B10A:				; CODE XREF: ViDdiBuildWmiRegInfoData(x,x)+C5j
		pop	esi
		pop	ebx
		retn
_ViDdiBuildWmiRegInfoData@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDdiDispatchWmi(x,	x)
_ViDdiDispatchWmi@8 proc near		; DATA XREF: ViDdiDriverEntry(x,x)+18o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ebx, 0C00000BBh
		mov	eax, [edi+60h]
		mov	al, [eax+1]
		test	al, al
		jz	short loc_A5B13B
		cmp	al, 0Bh
		jz	short loc_A5B12F
		mov	esi, ebx
		jmp	short loc_A5B147
; 

loc_A5B12F:				; CODE XREF: ViDdiDispatchWmi(x,x)+1Cj
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		call	_ViDdiDispatchWmiRegInfoEx@8 ; ViDdiDispatchWmiRegInfoEx(x,x)
		jmp	short loc_A5B145
; 

loc_A5B13B:				; CODE XREF: ViDdiDispatchWmi(x,x)+18j
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		call	_ViDdiDispatchWmiQueryAllData@8	; ViDdiDispatchWmiQueryAllData(x,x)

loc_A5B145:				; CODE XREF: ViDdiDispatchWmi(x,x)+2Cj
		mov	esi, eax

loc_A5B147:				; CODE XREF: ViDdiDispatchWmi(x,x)+20j
		cmp	esi, ebx
		jnz	short loc_A5B150
		mov	esi, [edi+18h]
		jmp	short loc_A5B153
; 

loc_A5B150:				; CODE XREF: ViDdiDispatchWmi(x,x)+3Cj
		mov	[edi+18h], esi

loc_A5B153:				; CODE XREF: ViDdiDispatchWmi(x,x)+41j
		xor	dl, dl
		mov	ecx, edi
		call	IofCompleteRequest
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_ViDdiDispatchWmi@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDdiDispatchWmiQueryAllData(x, x)
_ViDdiDispatchWmiQueryAllData@8	proc near ; CODE XREF: ViDdiDispatchWmi(x,x)+33p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, edx
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_18], eax
		mov	esi, [eax+60h]
		xor	ecx, ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], ecx
		cmp	[esi+4], ebx
		jz	short loc_A5B196
		mov	eax, 0C00000BBh
		jmp	loc_A5B2B5
; 

loc_A5B196:				; CODE XREF: ViDdiDispatchWmiQueryAllData(x,x)+25j
		push	10h		; Length
		push	offset _GUID_VERIFIER_WMI_INTERFACE ; Source2
		push	dword ptr [esi+8] ; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jz	short loc_A5B1B4
		mov	eax, 0C0000295h
		jmp	loc_A5B2B5
; 

loc_A5B1B4:				; CODE XREF: ViDdiDispatchWmiQueryAllData(x,x)+43j
		mov	eax, [esi+0Ch]
		mov	ebx, [ebx+28h]
		mov	[ebp+var_1C], eax
		cmp	eax, 38h
		jnb	short loc_A5B1CC
		mov	eax, 0C0000023h
		jmp	loc_A5B2B5
; 

loc_A5B1CC:				; CODE XREF: ViDdiDispatchWmiQueryAllData(x,x)+5Bj
		mov	esi, [esi+10h]
		lea	eax, [esi+10h]
		push	eax
		call	KeQuerySystemTime
		mov	ecx, [ebx]
		call	_VfIrpLogLockDatabase@4	; VfIrpLogLockDatabase(x)
		test	eax, eax
		js	loc_A5B2B5
		mov	ecx, [ebx]
		lea	eax, [ebp+var_4]
		push	edi
		push	eax
		lea	eax, [ebp+var_C]
		xor	edx, edx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_VfIrpLogRetrieveWmiData@24 ; VfIrpLogRetrieveWmiData(x,x,x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_14], edi
		test	edi, edi
		jns	short loc_A5B218
		mov	ecx, [ebx]
		call	_VfIrpLogUnlockDatabase@4 ; VfIrpLogUnlockDatabase(x)
		mov	eax, edi
		jmp	loc_A5B2B4
; 

loc_A5B218:				; CODE XREF: ViDdiDispatchWmiQueryAllData(x,x)+A3j
		mov	edi, [ebp+var_4]
		add	edi, 48h
		mov	[ebp+var_4], edi
		cmp	edi, [ebp+var_1C]
		jbe	short loc_A5B240
		mov	ecx, [ebx]
		call	_VfIrpLogUnlockDatabase@4 ; VfIrpLogUnlockDatabase(x)
		mov	eax, [ebp+var_18]
		or	dword ptr [esi+2Ch], 20h
		mov	[esi+30h], edi
		mov	dword ptr [eax+1Ch], 38h
		jmp	short loc_A5B2B2
; 

loc_A5B240:				; CODE XREF: ViDdiDispatchWmiQueryAllData(x,x)+BFj
		cmp	[ebp+var_8], 0
		jz	short loc_A5B265
		mov	ecx, [ebx]
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_C]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_VfIrpLogRetrieveWmiData@24 ; VfIrpLogRetrieveWmiData(x,x,x,x,x,x)
		mov	edi, [ebp+var_4]
		mov	[ebp+var_14], eax

loc_A5B265:				; CODE XREF: ViDdiDispatchWmiQueryAllData(x,x)+DFj
		mov	ecx, [ebx]
		call	_VfIrpLogUnlockDatabase@4 ; VfIrpLogUnlockDatabase(x)
		mov	eax, [ebp+var_14]
		test	eax, eax
		js	short loc_A5B2B4
		cmp	[ebp+var_8], 0
		jnz	short loc_A5B295
		mov	eax, [esi+2Ch]
		and	eax, 0FFFFFFEFh
		mov	[esi], edi
		or	eax, 1
		mov	[esi+2Ch], eax
		mov	eax, [ebp+var_C]
		mov	[esi+30h], eax
		mov	eax, [ebp+var_10]
		mov	[esi+38h], eax
		jmp	short loc_A5B2A8
; 

loc_A5B295:				; CODE XREF: ViDdiDispatchWmiQueryAllData(x,x)+112j
		push	48h
		pop	eax
		mov	[esi], eax
		mov	edi, eax
		and	dword ptr [esi+3Ch], 0
		and	dword ptr [esi+30h], 0
		and	dword ptr [esi+38h], 0

loc_A5B2A8:				; CODE XREF: ViDdiDispatchWmiQueryAllData(x,x)+12Ej
		mov	eax, [ebp+var_18]
		and	dword ptr [esi+34h], 0
		mov	[eax+1Ch], edi

loc_A5B2B2:				; CODE XREF: ViDdiDispatchWmiQueryAllData(x,x)+D9j
		xor	eax, eax

loc_A5B2B4:				; CODE XREF: ViDdiDispatchWmiQueryAllData(x,x)+AEj
					; ViDdiDispatchWmiQueryAllData(x,x)+10Cj
		pop	edi

loc_A5B2B5:				; CODE XREF: ViDdiDispatchWmiQueryAllData(x,x)+2Cj
					; ViDdiDispatchWmiQueryAllData(x,x)+4Aj ...
		pop	esi
		pop	ebx
		leave
		retn
_ViDdiDispatchWmiQueryAllData@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDdiDispatchWmiRegInfoEx(x, x)
_ViDdiDispatchWmiRegInfoEx@8 proc near	; CODE XREF: ViDdiDispatchWmi(x,x)+27p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, [edi+60h]
		cmp	[esi+4], ecx
		jnz	short loc_A5B314
		mov	eax, [esi+10h]
		xor	edx, edx
		mov	ecx, [esi+8]
		mov	[ebp+var_4], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_8], eax
		call	_ViDdiBuildWmiRegInfoData@8 ; ViDdiBuildWmiRegInfoData(x,x)
		mov	ebx, eax
		mov	eax, [ebp+var_8]
		cmp	ebx, eax
		jbe	short loc_A5B302
		push	4
		pop	ecx
		cmp	eax, ecx
		jb	short loc_A5B314
		mov	edx, [ebp+var_4]
		mov	eax, 0C0000023h
		mov	[edx], ebx
		mov	[edi+1Ch], ecx
		jmp	short loc_A5B319
; 

loc_A5B302:				; CODE XREF: ViDdiDispatchWmiRegInfoEx(x,x)+31j
		mov	edx, [ebp+var_4]
		mov	ecx, [esi+8]
		call	_ViDdiBuildWmiRegInfoData@8 ; ViDdiBuildWmiRegInfoData(x,x)
		mov	[edi+1Ch], ebx
		xor	eax, eax
		jmp	short loc_A5B319
; 

loc_A5B314:				; CODE XREF: ViDdiDispatchWmiRegInfoEx(x,x)+12j
					; ViDdiDispatchWmiRegInfoEx(x,x)+38j
		mov	eax, 0C00000BBh

loc_A5B319:				; CODE XREF: ViDdiDispatchWmiRegInfoEx(x,x)+47j
					; ViDdiDispatchWmiRegInfoEx(x,x)+59j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViDdiDispatchWmiRegInfoEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDdiDriverEntry(x,	x)
_ViDdiDriverEntry@8 proc near		; DATA XREF: VfDdiExposeWmiObjects()+39o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		push	edi
		push	61446656h
		push	4
		xor	esi, esi
		mov	dword ptr [ebx+94h], offset _ViDdiDispatchWmi@8	; ViDdiDispatchWmi(x,x)
		push	200h
		mov	[esp+1Ch+var_4], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:_ViDdiDeviceObjectArray, eax
		test	eax, eax
		jnz	short loc_A5B361
		mov	eax, 0C000009Ah
		jmp	loc_A5B3EB
; 

loc_A5B361:				; CODE XREF: ViDdiDriverEntry(x,x)+37j
		mov	edi, esi

loc_A5B363:				; CODE XREF: ViDdiDriverEntry(x,x)+79j
		lea	eax, [esp+10h+var_4]
		push	eax
		push	esi
		push	180h
		push	22h
		push	esi
		push	4
		push	ebx
		call	IoCreateDevice
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A5B3E5
		mov	eax, ds:_ViDdiDeviceObjectArray
		mov	ecx, [esp+10h+var_4]
		mov	ebx, [ebp+arg_0]
		mov	[eax+edi*4], ecx
		mov	eax, [ecx+28h]
		mov	[eax], edi
		inc	edi
		cmp	edi, 1
		jb	short loc_A5B363

loc_A5B399:				; CODE XREF: ViDdiDriverEntry(x,x)+9Cj
		mov	eax, ds:_ViDdiDeviceObjectArray
		push	1
		mov	edi, [eax+esi*4]
		push	edi
		and	dword ptr [edi+1Ch], 0FFFFFF7Fh
		call	IoWMIRegistrationControl
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A5B3C0
		inc	esi
		cmp	esi, 1
		jb	short loc_A5B399
		xor	eax, eax
		jmp	short loc_A5B3EB
; 

loc_A5B3C0:				; CODE XREF: ViDdiDriverEntry(x,x)+96j
		push	edi
		jmp	short loc_A5B3CC
; 

loc_A5B3C3:				; CODE XREF: ViDdiDriverEntry(x,x)+B5j
		mov	eax, ds:_ViDdiDeviceObjectArray
		dec	esi
		push	dword ptr [eax+esi*4]

loc_A5B3CC:				; CODE XREF: ViDdiDriverEntry(x,x)+A3j
		call	IoDeleteDevice
		test	esi, esi
		jnz	short loc_A5B3C3
		jmp	short loc_A5B3E9
; 

loc_A5B3D7:				; CODE XREF: ViDdiDriverEntry(x,x)+C9j
		mov	eax, ds:_ViDdiDeviceObjectArray
		dec	edi
		push	dword ptr [eax+edi*4]
		call	IoDeleteDevice

loc_A5B3E5:				; CODE XREF: ViDdiDriverEntry(x,x)+5Fj
		test	edi, edi
		jnz	short loc_A5B3D7

loc_A5B3E9:				; CODE XREF: ViDdiDriverEntry(x,x)+B7j
		mov	eax, ebx

loc_A5B3EB:				; CODE XREF: ViDdiDriverEntry(x,x)+3Ej
					; ViDdiDriverEntry(x,x)+A0j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_ViDdiDriverEntry@8 endp


;  S U B	R O U T	I N E 


; __fastcall ViGetContextPointer(x, x)
@ViGetContextPointer@8 proc near	; CODE XREF: VfInsertContext(x)+3Bp
					; VfRemoveContext(x)+42p ...
		mov	edi, edi
		push	esi
		xor	esi, esi
		sub	edx, esi
		jz	short loc_A5B42D
		sub	edx, 1
		jz	short loc_A5B425
		sub	edx, 1
		jz	short loc_A5B414
		sub	edx, 1
		jnz	short loc_A5B436
		lea	esi, [ecx+364h]
		jmp	short loc_A5B436
; 

loc_A5B414:				; CODE XREF: ViGetContextPointer(x,x)+11j
		push	3
		pop	edx
		call	IopAllocateIrpExtension
		test	eax, eax
		jz	short loc_A5B436
		lea	esi, [eax+8]
		jmp	short loc_A5B436
; 

loc_A5B425:				; CODE XREF: ViGetContextPointer(x,x)+Cj
		mov	esi, [ecx+18h]
		add	esi, 24h
		jmp	short loc_A5B436
; 

loc_A5B42D:				; CODE XREF: ViGetContextPointer(x,x)+7j
		mov	esi, [ecx+0B0h]
		add	esi, 38h

loc_A5B436:				; CODE XREF: ViGetContextPointer(x,x)+16j
					; ViGetContextPointer(x,x)+1Ej	...
		mov	eax, esi
		pop	esi
		retn
@ViGetContextPointer@8 endp


;  S U B	R O U T	I N E 


; __fastcall ViIsContextIdValid(x, x)
@ViIsContextIdValid@8 proc near		; CODE XREF: VfInsertContext(x)+26p
					; VfQueryDeviceContext(x,x)+13p ...
		xor	eax, eax
		sub	ecx, eax
		jz	short loc_A5B454
		sub	ecx, 1
		jz	short loc_A5B454
		sub	ecx, 1
		jz	short loc_A5B454
		sub	ecx, 1
		jnz	short locret_A5B45A
		cmp	edx, 2
		jmp	short loc_A5B457
; 

loc_A5B454:				; CODE XREF: ViIsContextIdValid(x,x)+4j
					; ViIsContextIdValid(x,x)+9j ...
		cmp	edx, 1

loc_A5B457:				; CODE XREF: ViIsContextIdValid(x,x)+18j
		setl	al

locret_A5B45A:				; CODE XREF: ViIsContextIdValid(x,x)+13j
		retn
@ViIsContextIdValid@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall ViLockContextPointer(x)
@ViLockContextPointer@4	proc near	; CODE XREF: VfInsertContext(x)+70p
					; VfRemoveContext(x)+56p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx

loc_A5B468:				; CODE XREF: ViLockContextPointer(x)+1Fj
					; ViLockContextPointer(x)+31j
		mov	edx, [esi]
		test	dl, 1
		jz	short loc_A5B480
		lea	ecx, [edx-1]
		mov	eax, edx
		lock cmpxchg [esi], ecx
		cmp	eax, edx
		jnz	short loc_A5B468
		mov	al, 1
		jmp	short loc_A5B490
; 

loc_A5B480:				; CODE XREF: ViLockContextPointer(x)+12j
		test	edx, edx
		jz	short loc_A5B48E
		lea	ecx, [ebp+var_4]
		call	KeYieldProcessorEx
		jmp	short loc_A5B468
; 

loc_A5B48E:				; CODE XREF: ViLockContextPointer(x)+27j
		xor	al, al

loc_A5B490:				; CODE XREF: ViLockContextPointer(x)+23j
		pop	esi
		leave
		retn
@ViLockContextPointer@4	endp


;  S U B	R O U T	I N E 


; __fastcall ViUnlockContextPointer(x)
@ViUnlockContextPointer@4 proc near	; CODE XREF: VfInsertContext(x)+A3p
					; VfRemoveContext(x)+9Fp
		xor	eax, eax
		inc	eax
		lock xadd [ecx], eax
		retn
@ViUnlockContextPointer@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfObjectContextInit()
_VfObjectContextInit@0 proc near	; CODE XREF: VfInitBootDriversLoaded:loc_AB7CD8p
		push	offset ExInitializeNPagedLookasideListInternal
		push	_VfInitializedWithoutReboot
		push	0
		push	634F6656h
		push	10h
		push	200h
		push	offset _VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)
		push	0
		push	offset _ViObjectContextTableLookaside
		call	ds:_pXdvExInitializeNPagedLookasideList	; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	ecx, offset _ViObjectContextInitialized
		inc	eax
		xchg	eax, [ecx]
		retn
_VfObjectContextInit@0 endp


;  S U B	R O U T	I N E 


; __stdcall ViAllocateContextTable(x)
_ViAllocateContextTable@4 proc near	; CODE XREF: VfInsertContext(x)+50p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, offset _ViObjectContextTableLookaside
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		test	eax, eax
		jz	short loc_A5B4F9
		push	4
		pop	ecx
		mov	[eax+2], cx
		xor	ecx, ecx
		mov	[eax], si
		mov	[eax+4], ecx
		mov	[eax+8], ecx
		mov	[eax+0Ch], ecx

loc_A5B4F9:				; CODE XREF: ViAllocateContextTable(x)+11j
		pop	esi
		retn
_ViAllocateContextTable@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViFreeContextTable(x)
_ViFreeContextTable@4 proc near		; CODE XREF: VfInsertContext(x)+69p
					; VfRemoveContext(x):loc_67769Fp
		mov	edx, ecx
		mov	ecx, offset _ViObjectContextTableLookaside
		jmp	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
_ViFreeContextTable@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViQueryObjectContext(x, x, x)
_ViQueryObjectContext@12 proc near	; CODE XREF: VfQueryDeviceContext(x,x)+22p
					; VfQueryDriverContext(x,x)+24p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		xor	edi, edi
		call	@ViGetContextPointer@8 ; ViGetContextPointer(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A5B542
		mov	ecx, esi
		call	@ViLockContextPointer@4	; ViLockContextPointer(x)
		test	al, al
		jz	short loc_A5B540
		mov	ecx, [esi]
		mov	eax, [ebp+arg_0]
		mov	eax, [ecx+eax*4+8]
		test	eax, eax
		jz	short loc_A5B539
		mov	edi, eax
		lock inc dword ptr [edi+4]

loc_A5B539:				; CODE XREF: ViQueryObjectContext(x,x,x)+2Aj
		xor	ecx, ecx
		inc	ecx
		lock xadd [esi], ecx

loc_A5B540:				; CODE XREF: ViQueryObjectContext(x,x,x)+1Dj
		mov	eax, edi

loc_A5B542:				; CODE XREF: ViQueryObjectContext(x,x,x)+12j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_ViQueryObjectContext@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfDriverEnableVerifier(x, x, x)
_VfDriverEnableVerifier@12 proc	near	; CODE XREF: MmEnableVerifierForDriver(x,x)+18p
					; VfDriverEnableVerifierForAll()+71p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, ecx
		xor	ecx, ecx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_14], ebx
		push	edi		; struct _exception *
		mov	edi, edx
		mov	[eax], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], esi
		call	_VfDriverLock@0	; VfDriverLock()
		lea	eax, [ebx+10h]
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	_ViSuspectDriversLookupEntry@4 ; ViSuspectDriversLookupEntry(x)
		test	eax, eax
		jnz	loc_A5B672
		test	edi, edi
		jnz	short loc_A5B5ED
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceSharedLite
		mov	edi, _PsLoadedModuleList
		mov	[ebp+var_8], 1
		cmp	edi, offset _PsLoadedModuleList
		jz	short loc_A5B5E2
		mov	ebx, esi
		mov	esi, [ebp+var_C]

loc_A5B5B3:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+87j
		push	1
		lea	eax, [edi+2Ch]
		mov	[ebp+var_C], edi
		push	eax
		push	esi
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_A5B5D1
		mov	edi, [edi]
		inc	ebx
		cmp	edi, offset _PsLoadedModuleList
		jnz	short loc_A5B5B3

loc_A5B5D1:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+7Cj
		mov	esi, [ebp+var_10]
		mov	[ebp+var_4], ebx
		mov	ebx, [ebp+var_14]
		cmp	edi, offset _PsLoadedModuleList
		jnz	short loc_A5B5E6

loc_A5B5E2:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+64j
		xor	edi, edi
		jmp	short loc_A5B5E9
; 

loc_A5B5E6:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+98j
		mov	edi, [ebp+var_C]

loc_A5B5E9:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+9Cj
		test	edi, edi
		jz	short loc_A5B61F

loc_A5B5ED:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+43j
		mov	eax, _VerifierModifyableOptions
		not	eax
		test	_MmVerifierData, eax
		jz	short loc_A5B603

loc_A5B5FC:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+C5j
		mov	esi, 0C000010Eh
		jmp	short loc_A5B662
; 

loc_A5B603:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+B2j
		cmp	[ebp+var_8], 0
		jz	short loc_A5B60F
		cmp	[ebp+var_4], 1
		jbe	short loc_A5B5FC

loc_A5B60F:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+BFj
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A5B662
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_A5B622
; 

loc_A5B61F:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+A3j
		mov	ecx, [ebp+var_18]

loc_A5B622:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+D5j
		mov	eax, dword_6BE524
		mov	edx, offset _VfSuspectDriversList
		cmp	[eax], edx
		jz	short loc_A5B635
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A5B635:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+E6j
		mov	[ebx+4], eax
		mov	[ebx], edx
		mov	[eax], ebx
		mov	eax, [ebp+arg_0]
		mov	dword_6BE524, ebx
		mov	dword ptr [eax], 1
		test	ecx, ecx
		jz	short loc_A5B65C
		push	1
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	VfDriverLoadImage

loc_A5B65C:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+105j
		inc	dword_6C6EA8

loc_A5B662:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+B9j
					; VfDriverEnableVerifier(x,x,x)+D0j
		cmp	[ebp+var_8], 0
		jz	short loc_A5B672
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite

loc_A5B672:				; CODE XREF: VfDriverEnableVerifier(x,x,x)+3Bj
					; VfDriverEnableVerifier(x,x,x)+11Ej
		push	0
		push	offset _ViDriversLoadLock
		mov	_ViDriversLoadLockOwner, 0
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_VfDriverEnableVerifier@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfDriverEnableVerifierForAll()
_VfDriverEnableVerifierForAll@0	proc near ; CODE XREF: MmEnableVerifierAllDrivers()+Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_4], 0
		and	[esp+0Ch+var_8], 0
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		call	_VfDriverLock@0	; VfDriverLock()
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceSharedLite
		mov	eax, _PsLoadedModuleList
		mov	esi, [eax]
		jmp	short loc_A5B71E
; 

loc_A5B6C5:				; CODE XREF: VfDriverEnableVerifierForAll()+93j
		mov	ecx, [esi+18h]
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jnz	short loc_A5B6E6
		lea	eax, [esp+18h+var_4]
		push	eax
		push	0
		push	0
		push	ecx
		push	1
		call	RtlImageNtHeaderEx
		test	eax, eax
		js	short loc_A5B71C

loc_A5B6E6:				; CODE XREF: VfDriverEnableVerifierForAll()+3Ej
		lea	ecx, [esi+2Ch]
		call	_VfSuspectDriversAllocateEntry@4 ; VfSuspectDriversAllocateEntry(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A5B728
		and	[esp+18h+var_8], 0
		lea	eax, [esp+18h+var_8]
		push	eax
		mov	edx, esi
		mov	ecx, ebx
		call	_VfDriverEnableVerifier@12 ; VfDriverEnableVerifier(x,x,x)
		cmp	[esp+18h+var_8], 0
		mov	edi, eax
		jnz	short loc_A5B718
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A5B718:				; CODE XREF: VfDriverEnableVerifierForAll()+7Dj
		test	edi, edi
		js	short loc_A5B72D

loc_A5B71C:				; CODE XREF: VfDriverEnableVerifierForAll()+53j
		mov	esi, [esi]

loc_A5B71E:				; CODE XREF: VfDriverEnableVerifierForAll()+32j
		cmp	esi, offset _PsLoadedModuleList
		jnz	short loc_A5B6C5
		jmp	short loc_A5B72D
; 

loc_A5B728:				; CODE XREF: VfDriverEnableVerifierForAll()+61j
		mov	edi, 0C000009Ah

loc_A5B72D:				; CODE XREF: VfDriverEnableVerifierForAll()+89j
					; VfDriverEnableVerifierForAll()+95j
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		push	0
		push	offset _ViDriversLoadLock
		mov	_ViDriversLoadLockOwner, 0
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_VfDriverEnableVerifierForAll@0	endp


;  S U B	R O U T	I N E 


; __stdcall VfDriverIsKernelImageAddress(x)
_VfDriverIsKernelImageAddress@4	proc near ; CODE XREF: VfPendingShouldForce(x,x,x,x,x,x)+30p
					; VfTargetDriversGetVerifierData(x)p ...
		mov	eax, _ViDriverKernelBase
		test	eax, eax
		jz	short loc_A5B76F
		cmp	ecx, eax
		jb	short loc_A5B76F
		cmp	ecx, _ViDriverKernelEnd
		jnb	short loc_A5B76F
		xor	eax, eax
		inc	eax
		retn
; 

loc_A5B76F:				; CODE XREF: VfDriverIsKernelImageAddress(x)+7j
					; VfDriverIsKernelImageAddress(x)+Bj ...
		xor	eax, eax
		retn
_VfDriverIsKernelImageAddress@4	endp


;  S U B	R O U T	I N E 


; __stdcall VfDriverLock()
_VfDriverLock@0	proc near		; CODE XREF: VfIsVerificationEnabledForImage(x)+5p
					; MmIsDriverSuspectForVerifier(x):loc_A599C8p ...
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	12h
		push	offset _ViDriversLoadLock
		call	KeWaitForSingleObject
		mov	eax, large fs:124h
		mov	_ViDriversLoadLockOwner, eax
		retn
_VfDriverLock@0	endp


;  S U B	R O U T	I N E 


; __stdcall VfDriverUnlock()
_VfDriverUnlock@0 proc near		; CODE XREF: VfIsVerificationEnabledForImage(x)+13p
					; VfSuspectDriversAdd(x)+1Dp ...
		mov	edi, edi
		push	ecx
		push	0
		push	offset _ViDriversLoadLock
		mov	_ViDriversLoadLockOwner, 0
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	ecx
		retn
_VfDriverUnlock@0 endp


;  S U B	R O U T	I N E 


; __stdcall VfGetHookAddressForOriginal(x)
_VfGetHookAddressForOriginal@4 proc near ; CODE	XREF: KsepPatchDriverImportsTable(x,x)+DCp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, offset _VfXdvThunks
		push	esi
		push	18h
		pop	edx
		call	_ViLookupThunkArray@12 ; ViLookupThunkArray(x,x,x)
		test	eax, eax
		jnz	short loc_A5B805
		push	esi
		push	18h
		pop	edx
		mov	ecx, offset _VfPoolThunks
		call	_ViLookupThunkArray@12 ; ViLookupThunkArray(x,x,x)
		test	eax, eax
		jnz	short loc_A5B805
		push	esi
		push	18h
		pop	edx
		mov	ecx, offset _VfMandatoryThunks
		call	_ViLookupThunkArray@12 ; ViLookupThunkArray(x,x,x)
		test	eax, eax
		jnz	short loc_A5B805
		push	esi
		push	18h
		pop	edx
		mov	ecx, offset _VfRegularThunks
		call	_ViLookupThunkArray@12 ; ViLookupThunkArray(x,x,x)
		test	eax, eax
		jnz	short loc_A5B805
		push	esi
		push	1Ch
		pop	edx
		mov	ecx, offset _VfOrderDependentThunks
		call	_ViLookupThunkArray@12 ; ViLookupThunkArray(x,x,x)

loc_A5B805:				; CODE XREF: VfGetHookAddressForOriginal(x)+15j
					; VfGetHookAddressForOriginal(x)+27j ...
		pop	esi
		retn
_VfGetHookAddressForOriginal@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfNotifyDifPlugins(x, x)
_VfNotifyDifPlugins@8 proc near		; CODE XREF: VfTargetDriversAdd+922AEp
					; VfNotifyVerifierOfEvent(x)+82j

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		mov	esi, ds:_PFnViUpdateDIFPlugins
		push	edi
		lea	edi, [ebp+var_C]
		stosd
		stosd
		stosd
		test	esi, esi
		jz	loc_A5B8B5
		cmp	ds:_XdvEnabled,	0
		jz	loc_A5B8B5
		mov	eax, dword_6FDE00
		test	al, 8
		jz	short loc_A5B8B5
		xor	edi, edi
		sub	ecx, edi
		jz	short loc_A5B85D
		sub	ecx, 1
		jnz	short loc_A5B8B5
		lea	eax, [edx+30h]
		mov	[ebp+var_C], 1
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_C]
		push	eax
		call	esi
		jmp	short loc_A5B8B4
; 

loc_A5B85D:				; CODE XREF: VfNotifyDifPlugins(x,x)+3Aj
		cmp	_ViSystemPartition, edi
		jz	short loc_A5B8B5
		test	al, al
		jns	short loc_A5B8B5
		push	80h		; size_t
		push	edi		; int
		mov	esi, offset _ViSystemPartitionMemoryInfo
		push	esi		; void *
		call	_memset
		or	dword_6BE464, 0FFFFFFFFh
		add	esp, 0Ch
		or	dword_6BE468, 0FFFFFFFFh
		mov	edx, esi
		mov	ecx, offset _ViSystemPartition
		call	MmManagePartitionMemoryInformation
		test	eax, eax
		js	short loc_A5B8B5
		mov	eax, dword_6BE484
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_A5B8B5
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], edi
		push	eax
		call	ds:_PFnViUpdateDIFPlugins

loc_A5B8B4:				; CODE XREF: VfNotifyDifPlugins(x,x)+54j
		pop	ecx

loc_A5B8B5:				; CODE XREF: VfNotifyDifPlugins(x,x)+1Aj
					; VfNotifyDifPlugins(x,x)+27j ...
		pop	edi
		pop	esi
		leave
		retn
_VfNotifyDifPlugins@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfNotifyVerifierExtensions(x, x)
_VfNotifyVerifierExtensions@8 proc near	; CODE XREF: VfNotifyVerifierOfEvent(x)+78p
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+2AFp	...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		push	esi
		mov	esi, ds:_ViFnXdvNotifyExtensions
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		test	esi, esi
		jz	short loc_A5B916
		test	ecx, ecx
		jz	short loc_A5B909
		lea	eax, [ecx-1]
		cmp	eax, 1
		ja	short loc_A5B916
		lea	eax, [edx+2Ch]
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], eax
		mov	eax, [edx+18h]
		mov	[ebp+var_10], eax
		mov	eax, [edx+20h]
		mov	[ebp+var_C], eax
		mov	eax, [edx+58h]
		mov	[ebp+var_8], eax
		mov	eax, [edx+40h]
		mov	[ebp+var_4], eax
		jmp	short loc_A5B90F
; 

loc_A5B909:				; CODE XREF: VfNotifyVerifierExtensions(x,x)+23j
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], edx

loc_A5B90F:				; CODE XREF: VfNotifyVerifierExtensions(x,x)+4Ej
		lea	eax, [ebp+var_18]
		push	eax
		call	esi
		pop	ecx

loc_A5B916:				; CODE XREF: VfNotifyVerifierExtensions(x,x)+1Fj
					; VfNotifyVerifierExtensions(x,x)+2Bj
		pop	esi
		leave
		retn
_VfNotifyVerifierExtensions@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfXdvDriverCaptureIoCallbacks(x)
_VfXdvDriverCaptureIoCallbacks@4 proc near ; CODE XREF:	IovAttachDeviceToDeviceStack(x,x)+Fp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, [esi+18h]
		call	ViDifCheckCallbackInterception
		test	al, al
		jz	short loc_A5B956
		cmp	dword ptr [edi+20h], 0
		jnz	short loc_A5B956
		call	_ViDifAllocateCallbackStorage@0	; ViDifAllocateCallbackStorage()
		test	eax, eax
		jz	short loc_A5B956
		mov	ecx, esi
		mov	[edi+20h], eax
		call	_ViDifCaptureDriverEntry@4 ; ViDifCaptureDriverEntry(x)
		test	al, al
		jz	short loc_A5B956
		call	_ViDifCaptureIoCallbacks@4 ; ViDifCaptureIoCallbacks(x)
		test	al, al
		jz	short loc_A5B956
		xor	eax, eax
		inc	eax
		jmp	short loc_A5B958
; 

loc_A5B956:				; CODE XREF: VfXdvDriverCaptureIoCallbacks(x)+10j
					; VfXdvDriverCaptureIoCallbacks(x)+16j	...
		xor	eax, eax

loc_A5B958:				; CODE XREF: VfXdvDriverCaptureIoCallbacks(x)+3Bj
		pop	edi
		pop	esi
		retn
_VfXdvDriverCaptureIoCallbacks@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViDriverReApplyVerifierForAll(x)
_ViDriverReApplyVerifierForAll@4 proc near ; CODE XREF:	VfDriverInitSuccess(x,x)+Fp
		cmp	_ViVerifierDriverAddedThunkListHead, 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		jz	short loc_A5B9BD
		mov	esi, [edi]
		jmp	short loc_A5B9B9
; 

loc_A5B96D:				; CODE XREF: ViDriverReApplyVerifierForAll(x)+60j
		push	1
		lea	ebx, [esi+2Ch]
		push	ebx
		push	(offset	loc_A5042F+1)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_A5B9B7
		test	dword ptr [esi+34h], 2000000h
		jz	short loc_A5B9B7
		call	_VfDriverLock@0	; VfDriverLock()
		mov	ecx, ebx
		call	_VfSuspectDriversIsLoaded@4 ; VfSuspectDriversIsLoaded(x)
		test	eax, eax
		jz	short loc_A5B9A1
		mov	ecx, esi
		call	_VfThunkApplyDriverAddedThunks@4 ; VfThunkApplyDriverAddedThunks(x)

loc_A5B9A1:				; CODE XREF: ViDriverReApplyVerifierForAll(x)+3Dj
		push	0
		push	offset _ViDriversLoadLock
		mov	_ViDriversLoadLockOwner, 0
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)

loc_A5B9B7:				; CODE XREF: ViDriverReApplyVerifierForAll(x)+24j
					; ViDriverReApplyVerifierForAll(x)+2Dj
		mov	esi, [esi]

loc_A5B9B9:				; CODE XREF: ViDriverReApplyVerifierForAll(x)+10j
		cmp	esi, edi
		jnz	short loc_A5B96D

loc_A5B9BD:				; CODE XREF: ViDriverReApplyVerifierForAll(x)+Cj
		pop	edi
		pop	esi
		pop	ebx
		retn
_ViDriverReApplyVerifierForAll@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViLookupThunkArray(x, x, x)
_ViLookupThunkArray@12 proc near	; CODE XREF: VfGetHookAddressForOriginal(x)+Ep
					; VfGetHookAddressForOriginal(x)+20p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		jmp	short loc_A5B9FA
; 

loc_A5B9CC:				; CODE XREF: ViLookupThunkArray(x,x,x)+3Dj
		mov	edx, [ebp+arg_0]

loc_A5B9CF:				; CODE XREF: ViLookupThunkArray(x,x,x)+28j
		mov	bl, [eax]
		cmp	bl, [edx]
		jnz	short loc_A5B9EF
		test	bl, bl
		jz	short loc_A5B9EB
		mov	bl, [eax+1]
		cmp	bl, [edx+1]
		jnz	short loc_A5B9EF
		add	eax, 2
		add	edx, 2
		test	bl, bl
		jnz	short loc_A5B9CF

loc_A5B9EB:				; CODE XREF: ViLookupThunkArray(x,x,x)+16j
		xor	eax, eax
		jmp	short loc_A5B9F4
; 

loc_A5B9EF:				; CODE XREF: ViLookupThunkArray(x,x,x)+12j
					; ViLookupThunkArray(x,x,x)+1Ej
		sbb	eax, eax
		or	eax, 1

loc_A5B9F4:				; CODE XREF: ViLookupThunkArray(x,x,x)+2Cj
		test	eax, eax
		jz	short loc_A5BA06
		add	ecx, esi

loc_A5B9FA:				; CODE XREF: ViLookupThunkArray(x,x,x)+9j
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_A5B9CC

loc_A5BA00:				; CODE XREF: ViLookupThunkArray(x,x,x)+48j
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_A5BA06:				; CODE XREF: ViLookupThunkArray(x,x,x)+35j
		mov	eax, [ecx+4]
		jmp	short loc_A5BA00
_ViLookupThunkArray@12 endp


;  S U B	R O U T	I N E 


; __stdcall ViSetRequestedAPIs(x)
_ViSetRequestedAPIs@4 proc near		; CODE XREF: ViXdvSetRequestedAPIsforDIF(x)+17p
					; ViXdvSetRequestedAPIsforDIF(x)+26p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi], 0
		jz	short loc_A5BA5D
		push	edi

loc_A5BA16:				; CODE XREF: ViSetRequestedAPIs(x)+4Fj
		mov	eax, ds:_VfDifAPIThunkContextHead
		mov	edi, [eax]
		cmp	edi, eax
		jz	short loc_A5BA54

loc_A5BA21:				; CODE XREF: ViSetRequestedAPIs(x)+47j
		push	dword ptr [edi-8] ; char *
		push	dword ptr [esi]	; char *
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A5BA4A
		cmp	dword ptr [esi+14h], 0FFFFh
		jz	short loc_A5BA4A
		or	dword ptr [esi+0Ch], 1
		mov	eax, [esi+0Ch]
		or	[edi-4], eax
		mov	eax, [esi+14h]
		mov	[edi+18h], eax

loc_A5BA4A:				; CODE XREF: ViSetRequestedAPIs(x)+24j
					; ViSetRequestedAPIs(x)+2Dj
		mov	edi, [edi]
		cmp	edi, ds:_VfDifAPIThunkContextHead
		jnz	short loc_A5BA21

loc_A5BA54:				; CODE XREF: ViSetRequestedAPIs(x)+14j
		add	esi, 18h
		cmp	dword ptr [esi], 0
		jnz	short loc_A5BA16
		pop	edi

loc_A5BA5D:				; CODE XREF: ViSetRequestedAPIs(x)+8j
		pop	esi
		retn
_ViSetRequestedAPIs@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViXdvBindXdvDDIWrappers(x)
_ViXdvBindXdvDDIWrappers@4 proc	near	; CODE XREF: ViXdvDriverLoadImage(x)+147p

var_20		= dword	ptr -20h
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

		push	10h
		push	offset dword_6A9B58
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	ds:_ViXdvThunksNoXdvEntry, ebx
		mov	ds:_ViXdvThunksBoundToXdv, ebx
		mov	ds:_ViXdvThunksNotFound, ebx
		mov	ds:_ViXdvThunksNotPristine, ebx
		mov	ds:_ViXdvThunksShared, ebx
		test	ecx, ecx
		jnz	short loc_A5BA96
		xor	al, al
		jmp	loc_A5BB18
; 

loc_A5BA96:				; CODE XREF: ViXdvBindXdvDDIWrappers(x)+2Ej
		mov	[ebp+ms_exc.disabled], ebx
		movzx	eax, byte ptr _CmStateSeparationEnabled
		push	eax
		push	offset _VfRuleClasses
		call	ecx
		pop	ecx
		pop	ecx
		mov	esi, eax
		test	esi, esi
		jz	short loc_A5BB0F
		mov	eax, [esi]
		cmp	eax, 4
		jnz	short loc_A5BAF1

loc_A5BAB7:				; CODE XREF: ViXdvBindXdvDDIWrappers(x)+8Cj
		mov	[ebp+var_20], ebx
		cmp	ebx, [esi+4]
		jnb	short loc_A5BAED
		mov	edx, [esi+ebx*4+8]
		test	edx, edx
		jnz	short loc_A5BAD4
		mov	eax, ds:_ViXdvThunksNoXdvEntry
		inc	eax
		mov	ds:_ViXdvThunksNoXdvEntry, eax
		jmp	short loc_A5BAEA
; 

loc_A5BAD4:				; CODE XREF: ViXdvBindXdvDDIWrappers(x)+66j
		mov	ecx, ebx
		call	_ViXdvSearchAllThunkArrays@8 ; ViXdvSearchAllThunkArrays(x,x)
		test	al, al
		jnz	short loc_A5BAEA
		mov	eax, ds:_ViXdvThunksNotFound
		inc	eax
		mov	ds:_ViXdvThunksNotFound, eax

loc_A5BAEA:				; CODE XREF: ViXdvBindXdvDDIWrappers(x)+73j
					; ViXdvBindXdvDDIWrappers(x)+7Ej
		inc	ebx
		jmp	short loc_A5BAB7
; 

loc_A5BAED:				; CODE XREF: ViXdvBindXdvDDIWrappers(x)+5Ej
		mov	bl, 1
		jmp	short loc_A5BB0C
; 

loc_A5BAF1:				; CODE XREF: ViXdvBindXdvDDIWrappers(x)+56j
		push	eax
		push	4		; char
		push	offset ??_C@_0EB@LOHMMIJF@XDV?5DDI?5version?5mismatch?3?5kerne@JKADOLAD@ ; char	*
		call	_VfUtilDbgPrint
		add	esp, 0Ch
		jmp	short loc_A5BB0F
; 

loc_A5BB03:				; DATA XREF: .text:006A9B6Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_A5BB07:				; DATA XREF: .text:006A9B70o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	bl, bl

loc_A5BB0C:				; CODE XREF: ViXdvBindXdvDDIWrappers(x)+90j
		mov	[ebp+var_19], bl

loc_A5BB0F:				; CODE XREF: ViXdvBindXdvDDIWrappers(x)+4Fj
					; ViXdvBindXdvDDIWrappers(x)+A2j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, bl

loc_A5BB18:				; CODE XREF: ViXdvBindXdvDDIWrappers(x)+32j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViXdvBindXdvDDIWrappers@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViXdvBindXdvDriverEntryWrappers(x)
_ViXdvBindXdvDriverEntryWrappers@4 proc	near ; CODE XREF: ViXdvDriverLoadImage(x)+19Bp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1A		= byte ptr -1Ah
var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

		push	18h
		push	offset dword_6A9B38
		call	__SEH_prolog4
		xor	ebx, ebx
		mov	ds:_ViXdvEPThunksNoXdvEntry, ebx
		mov	ds:_ViXdvEPBound, ebx
		test	ecx, ecx
		jnz	short loc_A5BB4D
		xor	al, al
		jmp	loc_A5BC10
; 

loc_A5BB4D:				; CODE XREF: ViXdvBindXdvDriverEntryWrappers(x)+1Cj
		mov	[ebp+ms_exc.disabled], ebx
		call	ecx
		mov	edx, eax
		test	edx, edx
		jz	loc_A5BC07
		mov	eax, [edx]
		cmp	eax, 5
		jnz	loc_A5BBE9
		mov	ecx, ebx

loc_A5BB69:				; CODE XREF: ViXdvBindXdvDriverEntryWrappers(x)+5Bj
		mov	[ebp+var_28], ecx
		cmp	ecx, [edx+4]
		jnb	short loc_A5BBE5
		cmp	[edx+ecx*4+8], ebx
		jnz	short loc_A5BB85
		mov	eax, ds:_ViXdvEPThunksNoXdvEntry
		inc	eax
		mov	ds:_ViXdvEPThunksNoXdvEntry, eax

loc_A5BB82:				; CODE XREF: ViXdvBindXdvDriverEntryWrappers(x)+7Bj
					; ViXdvBindXdvDriverEntryWrappers(x)+7Fj
		inc	ecx
		jmp	short loc_A5BB69
; 

loc_A5BB85:				; CODE XREF: ViXdvBindXdvDriverEntryWrappers(x)+4Dj
		mov	edi, ebx
		mov	[ebp+var_24], edi
		mov	al, bl
		mov	[ebp+var_19], al
		mov	esi, offset _VfXdvIoCallbackThunks

loc_A5BB94:				; CODE XREF: ViXdvBindXdvDriverEntryWrappers(x)+BBj
		mov	ebx, [esi+0Ch]
		mov	[ebp+var_20], ebx
		cmp	ebx, 10000021h
		push	0
		pop	ebx
		jz	short loc_A5BB82
		test	al, al
		jnz	short loc_A5BB82
		lea	eax, [ecx+10000000h]
		cmp	[ebp+var_20], eax
		jnz	short loc_A5BBD1
		mov	al, 1
		mov	[ebp+var_19], al
		mov	esi, [esi+8]
		test	esi, esi
		jz	short loc_A5BBD4
		mov	eax, [edx+ecx*4+8]
		mov	[esi], eax
		mov	eax, ds:_ViXdvEPBound
		inc	eax
		mov	ds:_ViXdvEPBound, eax

loc_A5BBD1:				; CODE XREF: ViXdvBindXdvDriverEntryWrappers(x)+8Aj
		mov	al, [ebp+var_19]

loc_A5BBD4:				; CODE XREF: ViXdvBindXdvDriverEntryWrappers(x)+96j
		inc	edi
		mov	[ebp+var_24], edi
		mov	esi, edi
		shl	esi, 4
		add	esi, offset _VfXdvIoCallbackThunks
		jmp	short loc_A5BB94
; 

loc_A5BBE5:				; CODE XREF: ViXdvBindXdvDriverEntryWrappers(x)+47j
		mov	bl, 1
		jmp	short loc_A5BC04
; 

loc_A5BBE9:				; CODE XREF: ViXdvBindXdvDriverEntryWrappers(x)+39j
		push	eax
		push	5		; char
		push	offset ??_C@_0EJ@LIJLCKCA@XDV?5entry?5point?5version?5mismatc@JKADOLAD@	; char *
		call	_VfUtilDbgPrint
		add	esp, 0Ch
		jmp	short loc_A5BC07
; 

loc_A5BBFB:				; DATA XREF: .text:006A9B4Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_A5BBFF:				; DATA XREF: .text:006A9B50o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	bl, bl

loc_A5BC04:				; CODE XREF: ViXdvBindXdvDriverEntryWrappers(x)+BFj
		mov	[ebp+var_1A], bl

loc_A5BC07:				; CODE XREF: ViXdvBindXdvDriverEntryWrappers(x)+2Ej
					; ViXdvBindXdvDriverEntryWrappers(x)+D1j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, bl

loc_A5BC10:				; CODE XREF: ViXdvBindXdvDriverEntryWrappers(x)+20j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViXdvBindXdvDriverEntryWrappers@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViXdvDriverLoadImage(x)
_ViXdvDriverLoadImage@4	proc near	; CODE XREF: ViLogAndLoadXdv(x)+3Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi		; char
		mov	edi, [ecx+18h]
		lea	eax, [ebp+var_C]
		push	eax
		push	0
		xor	ebx, ebx
		mov	[ebp+var_8], edi
		inc	ebx
		push	ebx
		push	edi
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A5BF05
		mov	eax, [esi+18h]
		test	eax, eax
		jz	loc_A5BF05
		mov	ecx, [esi+20h]
		add	ecx, edi
		mov	[ebp+var_2], 0
		xor	edi, edi
		mov	[ebp+var_C], ecx
		mov	[ebp+var_1], 0
		test	eax, eax
		jz	loc_A5BD2A

loc_A5BC70:				; CODE XREF: ViXdvDriverLoadImage(x)+FCj
		mov	edx, [ecx+edi*4]
		mov	eax, offset ??_C@_0P@EEGBCGGL@DifLoadPlugins@JKADOLAD@
		add	edx, [ebp+var_8]
		xor	ecx, ecx

loc_A5BC7D:				; CODE XREF: ViXdvDriverLoadImage(x)+6Fj
		movzx	eax, byte ptr [eax+ecx]
		cmp	al, [edx+ecx]
		jnz	short loc_A5BC95
		inc	ecx
		mov	eax, offset ??_C@_0P@EEGBCGGL@DifLoadPlugins@JKADOLAD@
		cmp	ecx, 0Fh
		jnz	short loc_A5BC7D
		xor	eax, eax
		jmp	short loc_A5BC99
; 

loc_A5BC95:				; CODE XREF: ViXdvDriverLoadImage(x)+64j
		sbb	eax, eax
		or	eax, ebx

loc_A5BC99:				; CODE XREF: ViXdvDriverLoadImage(x)+73j
		test	eax, eax
		jnz	short loc_A5BCCD
		push	23h
		call	_VfIsRuleClassEnabled@4	; VfIsRuleClassEnabled(x)
		test	al, al
		jz	short loc_A5BD0F
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	edi
		call	_ViXdvGetFuncAddress@12	; ViXdvGetFuncAddress(x,x,x)
		mov	ecx, eax
		call	_ViXdvSetRequestedAPIsforDIF@4 ; ViXdvSetRequestedAPIsforDIF(x)
		mov	dl, [ebp+var_2]
		test	al, al
		mov	al, [ebp+var_1]
		jnz	short loc_A5BD15
		and	ds:_VfDifAPIThunkContextHead, 0
		jmp	short loc_A5BD15
; 

loc_A5BCCD:				; CODE XREF: ViXdvDriverLoadImage(x)+7Bj
		mov	eax, (offset loc_A5724A+6)
		xor	ecx, ecx

loc_A5BCD4:				; CODE XREF: ViXdvDriverLoadImage(x)+C6j
		movzx	eax, byte ptr [eax+ecx]
		cmp	al, [edx+ecx]
		jnz	short loc_A5BCEC
		inc	ecx
		mov	eax, (offset loc_A5724A+6)
		cmp	ecx, 15h
		jnz	short loc_A5BCD4
		xor	eax, eax
		jmp	short loc_A5BCF0
; 

loc_A5BCEC:				; CODE XREF: ViXdvDriverLoadImage(x)+BBj
		sbb	eax, eax
		or	eax, ebx

loc_A5BCF0:				; CODE XREF: ViXdvDriverLoadImage(x)+CAj
		test	eax, eax
		jnz	short loc_A5BD33
		push	23h
		call	_VfIsRuleClassEnabled@4	; VfIsRuleClassEnabled(x)
		test	al, al
		jz	short loc_A5BD0F
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	edi
		call	_ViXdvGetFuncAddress@12	; ViXdvGetFuncAddress(x,x,x)
		mov	ds:_PFnViUpdateDIFPlugins, eax

loc_A5BD0F:				; CODE XREF: ViXdvDriverLoadImage(x)+86j
					; ViXdvDriverLoadImage(x)+DDj ...
		mov	al, [ebp+var_1]

loc_A5BD12:				; CODE XREF: ViXdvDriverLoadImage(x)+1A5j
		mov	dl, [ebp+var_2]

loc_A5BD15:				; CODE XREF: ViXdvDriverLoadImage(x)+A2j
					; ViXdvDriverLoadImage(x)+ABj ...
		mov	ecx, [ebp+var_C]
		inc	edi
		cmp	edi, [esi+18h]
		jb	loc_A5BC70
		test	dl, dl
		jz	short loc_A5BD2A
		test	al, al
		jnz	short loc_A5BD2C

loc_A5BD2A:				; CODE XREF: ViXdvDriverLoadImage(x)+4Aj
					; ViXdvDriverLoadImage(x)+104j
		xor	bl, bl

loc_A5BD2C:				; CODE XREF: ViXdvDriverLoadImage(x)+108j
		mov	al, bl
		jmp	loc_A5BF07
; 

loc_A5BD33:				; CODE XREF: ViXdvDriverLoadImage(x)+D2j
		mov	eax, offset ??_C@_0BC@MOJIMOML@GetXdvDDIWrappers@JKADOLAD@
		xor	ecx, ecx

loc_A5BD3A:				; CODE XREF: ViXdvDriverLoadImage(x)+12Cj
		movzx	eax, byte ptr [eax+ecx]
		cmp	al, [edx+ecx]
		jnz	short loc_A5BD52
		inc	ecx
		mov	eax, offset ??_C@_0BC@MOJIMOML@GetXdvDDIWrappers@JKADOLAD@
		cmp	ecx, 12h
		jnz	short loc_A5BD3A
		xor	eax, eax
		jmp	short loc_A5BD56
; 

loc_A5BD52:				; CODE XREF: ViXdvDriverLoadImage(x)+121j
		sbb	eax, eax
		or	eax, ebx

loc_A5BD56:				; CODE XREF: ViXdvDriverLoadImage(x)+130j
		test	eax, eax
		jnz	short loc_A5BD87
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	edi
		call	_ViXdvGetFuncAddress@12	; ViXdvGetFuncAddress(x,x,x)
		mov	ecx, eax
		call	_ViXdvBindXdvDDIWrappers@4 ; ViXdvBindXdvDDIWrappers(x)
		mov	dl, al
		mov	[ebp+var_2], dl
		cmp	dl, 1
		jz	loc_A5BEFD
		push	(offset	loc_A57271+5) ;	char *

loc_A5BD7F:				; CODE XREF: ViXdvDriverLoadImage(x)+1B0j
					; ViXdvDriverLoadImage(x)+1F8j	...
		call	_VfUtilDbgPrint
		pop	ecx
		jmp	short loc_A5BD0F
; 

loc_A5BD87:				; CODE XREF: ViXdvDriverLoadImage(x)+138j
		mov	eax, offset ??_C@_0BK@JHIFHJKE@GetXdvDriverEntryWrappers@JKADOLAD@
		xor	ecx, ecx

loc_A5BD8E:				; CODE XREF: ViXdvDriverLoadImage(x)+180j
		movzx	eax, byte ptr [eax+ecx]
		cmp	al, [edx+ecx]
		jnz	short loc_A5BDA6
		inc	ecx
		mov	eax, offset ??_C@_0BK@JHIFHJKE@GetXdvDriverEntryWrappers@JKADOLAD@
		cmp	ecx, 1Ah
		jnz	short loc_A5BD8E
		xor	eax, eax
		jmp	short loc_A5BDAA
; 

loc_A5BDA6:				; CODE XREF: ViXdvDriverLoadImage(x)+175j
		sbb	eax, eax
		or	eax, ebx

loc_A5BDAA:				; CODE XREF: ViXdvDriverLoadImage(x)+184j
		test	eax, eax
		jnz	short loc_A5BDD2
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	edi
		call	_ViXdvGetFuncAddress@12	; ViXdvGetFuncAddress(x,x,x)
		mov	ecx, eax
		call	_ViXdvBindXdvDriverEntryWrappers@4 ; ViXdvBindXdvDriverEntryWrappers(x)
		mov	[ebp+var_1], al
		cmp	al, 1
		jz	loc_A5BD12
		push	offset ??_C@_0DH@BPOIEAAH@Error?5on?5Verifier?5Extention?5ent@JKADOLAD@
		jmp	short loc_A5BD7F
; 

loc_A5BDD2:				; CODE XREF: ViXdvDriverLoadImage(x)+18Cj
		mov	eax, offset ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@
		xor	ecx, ecx

loc_A5BDD9:				; CODE XREF: ViXdvDriverLoadImage(x)+1CBj
		movzx	eax, byte ptr [eax+ecx]
		cmp	al, [edx+ecx]
		jnz	short loc_A5BDF1
		inc	ecx
		mov	eax, offset ??_C@_0BG@FEEECAMO@SetXdvKernelUtilities@JKADOLAD@
		cmp	ecx, 16h
		jnz	short loc_A5BDD9
		xor	eax, eax
		jmp	short loc_A5BDF5
; 

loc_A5BDF1:				; CODE XREF: ViXdvDriverLoadImage(x)+1C0j
		sbb	eax, eax
		or	eax, ebx

loc_A5BDF5:				; CODE XREF: ViXdvDriverLoadImage(x)+1CFj
		test	eax, eax
		jnz	short loc_A5BE1D
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	edi
		call	_ViXdvGetFuncAddress@12	; ViXdvGetFuncAddress(x,x,x)
		mov	ecx, eax
		call	_ViXdvSetXdvKernelUtilities@4 ;	ViXdvSetXdvKernelUtilities(x)
		test	al, al
		jnz	loc_A5BD0F
		push	(offset	loc_A5720B+1)
		jmp	loc_A5BD7F
; 

loc_A5BE1D:				; CODE XREF: ViXdvDriverLoadImage(x)+1D7j
		mov	eax, offset ??_C@_0BL@CNCPDNEB@XdvHibernationNotification@JKADOLAD@
		xor	ecx, ecx

loc_A5BE24:				; CODE XREF: ViXdvDriverLoadImage(x)+216j
		movzx	eax, byte ptr [eax+ecx]
		cmp	al, [edx+ecx]
		jnz	short loc_A5BE3C
		inc	ecx
		mov	eax, offset ??_C@_0BL@CNCPDNEB@XdvHibernationNotification@JKADOLAD@
		cmp	ecx, 1Bh
		jnz	short loc_A5BE24
		xor	eax, eax
		jmp	short loc_A5BE40
; 

loc_A5BE3C:				; CODE XREF: ViXdvDriverLoadImage(x)+20Bj
		sbb	eax, eax
		or	eax, ebx

loc_A5BE40:				; CODE XREF: ViXdvDriverLoadImage(x)+21Aj
		test	eax, eax
		jnz	short loc_A5BE59
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	edi
		call	_ViXdvGetFuncAddress@12	; ViXdvGetFuncAddress(x,x,x)
		mov	ds:_ViFnExtensionHiberFunc, eax
		jmp	loc_A5BD0F
; 

loc_A5BE59:				; CODE XREF: ViXdvDriverLoadImage(x)+222j
		mov	eax, offset ??_C@_0BE@HPGODKBJ@XdvNotifyExtensions@JKADOLAD@
		xor	ecx, ecx

loc_A5BE60:				; CODE XREF: ViXdvDriverLoadImage(x)+252j
		movzx	eax, byte ptr [eax+ecx]
		cmp	al, [edx+ecx]
		jnz	short loc_A5BE78
		inc	ecx
		mov	eax, offset ??_C@_0BE@HPGODKBJ@XdvNotifyExtensions@JKADOLAD@
		cmp	ecx, 14h
		jnz	short loc_A5BE60
		xor	eax, eax
		jmp	short loc_A5BE7C
; 

loc_A5BE78:				; CODE XREF: ViXdvDriverLoadImage(x)+247j
		sbb	eax, eax
		or	eax, ebx

loc_A5BE7C:				; CODE XREF: ViXdvDriverLoadImage(x)+256j
		test	eax, eax
		jnz	short loc_A5BE95
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	edi
		call	_ViXdvGetFuncAddress@12	; ViXdvGetFuncAddress(x,x,x)
		mov	ds:_ViFnXdvNotifyExtensions, eax
		jmp	loc_A5BD0F
; 

loc_A5BE95:				; CODE XREF: ViXdvDriverLoadImage(x)+25Ej
		mov	eax, offset ??_C@_0BG@EOHDJONM@XdvQueryDispatchTable@JKADOLAD@
		xor	ecx, ecx

loc_A5BE9C:				; CODE XREF: ViXdvDriverLoadImage(x)+28Ej
		movzx	eax, byte ptr [eax+ecx]
		cmp	al, [edx+ecx]
		jnz	short loc_A5BEB4
		inc	ecx
		mov	eax, offset ??_C@_0BG@EOHDJONM@XdvQueryDispatchTable@JKADOLAD@
		cmp	ecx, 16h
		jnz	short loc_A5BE9C
		xor	eax, eax
		jmp	short loc_A5BEB8
; 

loc_A5BEB4:				; CODE XREF: ViXdvDriverLoadImage(x)+283j
		sbb	eax, eax
		or	eax, ebx

loc_A5BEB8:				; CODE XREF: ViXdvDriverLoadImage(x)+292j
		test	eax, eax
		jnz	loc_A5BD0F
		mov	ecx, [ebp+var_8]
		mov	edx, esi
		push	edi
		call	_ViXdvGetFuncAddress@12	; ViXdvGetFuncAddress(x,x,x)
		mov	ds:_ViFnXdvQueryDispatchTable, eax
		test	eax, eax
		jz	short loc_A5BEF3
		push	14h
		push	4
		call	eax ; ??_C@_0BG@EOHDJONM@XdvQueryDispatchTable@JKADOLAD@
		mov	ds:_ViXdvTipUtils, eax
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_A5BD0F
		push	offset ??_C@_0CK@CCLFBIBJ@Error?5on?5getting?5TiP?5utilities?5@JKADOLAD@
		jmp	loc_A5BD7F
; 

loc_A5BEF3:				; CODE XREF: ViXdvDriverLoadImage(x)+2B2j
		push	(offset	loc_A572B7+1)
		jmp	loc_A5BD7F
; 

loc_A5BEFD:				; CODE XREF: ViXdvDriverLoadImage(x)+154j
		mov	al, [ebp+var_1]
		jmp	loc_A5BD15
; 

loc_A5BF05:				; CODE XREF: ViXdvDriverLoadImage(x)+25j
					; ViXdvDriverLoadImage(x)+30j
		xor	al, al

loc_A5BF07:				; CODE XREF: ViXdvDriverLoadImage(x)+10Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViXdvDriverLoadImage@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViXdvGetFuncAddress(x, x, x)
_ViXdvGetFuncAddress@12	proc near	; CODE XREF: ViXdvDriverLoadImage(x)+8Ep
					; ViXdvDriverLoadImage(x)+E5p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [edx+24h]
		lea	eax, [esi+eax*2]
		movzx	esi, word ptr [eax+ecx]
		cmp	esi, [edx+14h]
		jb	short loc_A5BF28
		xor	eax, eax
		jmp	short loc_A5BF33
; 

loc_A5BF28:				; CODE XREF: ViXdvGetFuncAddress(x,x,x)+16j
		mov	eax, [edx+1Ch]
		lea	eax, [eax+esi*4]
		mov	eax, [eax+ecx]
		add	eax, ecx

loc_A5BF33:				; CODE XREF: ViXdvGetFuncAddress(x,x,x)+1Aj
		pop	esi
		pop	ebp
		retn	4
_ViXdvGetFuncAddress@12	endp


;  S U B	R O U T	I N E 


; __stdcall ViXdvSearchAllThunkArrays(x, x)
_ViXdvSearchAllThunkArrays@8 proc near	; CODE XREF: ViXdvBindXdvDDIWrappers(x)+77p
		mov	edi, edi
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		push	esi
		push	edi
		mov	ecx, offset _VfXdvThunks
		call	_ViXdvSearchAndReplaceThunkArray@16 ; ViXdvSearchAndReplaceThunkArray(x,x,x,x)
		test	al, al
		jnz	short loc_A5BF8C
		push	esi
		push	edi
		mov	ecx, offset _VfPoolThunks
		call	_ViXdvSearchAndReplaceThunkArray@16 ; ViXdvSearchAndReplaceThunkArray(x,x,x,x)
		test	al, al
		jnz	short loc_A5BF8C
		push	esi
		push	edi
		mov	ecx, offset _VfMandatoryThunks
		call	_ViXdvSearchAndReplaceThunkArray@16 ; ViXdvSearchAndReplaceThunkArray(x,x,x,x)
		test	al, al
		jnz	short loc_A5BF8C
		push	esi
		push	edi
		mov	ecx, offset _VfRegularThunks
		call	_ViXdvSearchAndReplaceThunkArray@16 ; ViXdvSearchAndReplaceThunkArray(x,x,x,x)
		test	al, al
		jnz	short loc_A5BF8C
		push	esi
		mov	edx, edi
		call	_ViXdvSearchAndReplaceThunkArrayOrderDependent@12 ; ViXdvSearchAndReplaceThunkArrayOrderDependent(x,x,x)
		test	al, al
		jz	short loc_A5BF8E

loc_A5BF8C:				; CODE XREF: ViXdvSearchAllThunkArrays(x,x)+16j
					; ViXdvSearchAllThunkArrays(x,x)+26j ...
		mov	al, 1

loc_A5BF8E:				; CODE XREF: ViXdvSearchAllThunkArrays(x,x)+52j
		pop	edi
		pop	esi
		retn
_ViXdvSearchAllThunkArrays@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViXdvSearchAndReplaceThunkArray(x, x, x, x)
_ViXdvSearchAndReplaceThunkArray@16 proc near ;	CODE XREF: ViXdvSearchAllThunkArrays(x,x)+Fp
					; ViXdvSearchAllThunkArrays(x,x)+1Fp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]

loc_A5BF99:				; CODE XREF: ViXdvSearchAndReplaceThunkArray(x,x,x,x)+1Aj
		cmp	[ecx+14h], eax
		jnz	short loc_A5BFA5
		mov	edx, [ecx+10h]
		test	edx, edx
		jnz	short loc_A5BFB3

loc_A5BFA5:				; CODE XREF: ViXdvSearchAndReplaceThunkArray(x,x,x,x)+Bj
		add	ecx, 18h
		cmp	dword ptr [ecx], 0
		jnz	short loc_A5BF99
		xor	al, al

loc_A5BFAF:				; CODE XREF: ViXdvSearchAndReplaceThunkArray(x,x,x,x)+48j
		pop	ebp
		retn	8
; 

loc_A5BFB3:				; CODE XREF: ViXdvSearchAndReplaceThunkArray(x,x,x,x)+12j
		mov	eax, [ecx+8]
		cmp	[edx], eax
		jz	short loc_A5BFC0
		inc	ds:_ViXdvThunksNotPristine

loc_A5BFC0:				; CODE XREF: ViXdvSearchAndReplaceThunkArray(x,x,x,x)+27j
		test	eax, eax
		jnz	short loc_A5BFCC
		inc	ds:_ViXdvThunksShared
		jmp	short loc_A5BFD2
; 

loc_A5BFCC:				; CODE XREF: ViXdvSearchAndReplaceThunkArray(x,x,x,x)+31j
		inc	ds:_ViXdvThunksBoundToXdv

loc_A5BFD2:				; CODE XREF: ViXdvSearchAndReplaceThunkArray(x,x,x,x)+39j
		mov	eax, [ebp+arg_4]
		mov	[edx], eax
		mov	al, 1
		jmp	short loc_A5BFAF
_ViXdvSearchAndReplaceThunkArray@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViXdvSearchAndReplaceThunkArrayOrderDependent(x, x,	x)
_ViXdvSearchAndReplaceThunkArrayOrderDependent@12 proc near
					; CODE XREF: ViXdvSearchAllThunkArrays(x,x)+4Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, offset _VfOrderDependentThunks

loc_A5BFE6:				; CODE XREF: ViXdvSearchAndReplaceThunkArrayOrderDependent(x,x,x)+1Dj
		cmp	[eax+18h], edx
		jnz	short loc_A5BFF2
		mov	ecx, [eax+10h]
		test	ecx, ecx
		jnz	short loc_A5C000

loc_A5BFF2:				; CODE XREF: ViXdvSearchAndReplaceThunkArrayOrderDependent(x,x,x)+Ej
		add	eax, 1Ch
		cmp	dword ptr [eax], 0
		jnz	short loc_A5BFE6
		xor	al, al

locret_A5BFFC:				; CODE XREF: ViXdvSearchAndReplaceThunkArrayOrderDependent(x,x,x)+4Bj
		leave
		retn	4
; 

loc_A5C000:				; CODE XREF: ViXdvSearchAndReplaceThunkArrayOrderDependent(x,x,x)+15j
		mov	eax, [eax+8]
		cmp	[ecx], eax
		jz	short loc_A5C00D
		inc	ds:_ViXdvThunksNotPristine

loc_A5C00D:				; CODE XREF: ViXdvSearchAndReplaceThunkArrayOrderDependent(x,x,x)+2Aj
		test	eax, eax
		jnz	short loc_A5C019
		inc	ds:_ViXdvThunksShared
		jmp	short loc_A5C01F
; 

loc_A5C019:				; CODE XREF: ViXdvSearchAndReplaceThunkArrayOrderDependent(x,x,x)+34j
		inc	ds:_ViXdvThunksBoundToXdv

loc_A5C01F:				; CODE XREF: ViXdvSearchAndReplaceThunkArrayOrderDependent(x,x,x)+3Cj
		mov	eax, [ebp+arg_0]
		mov	[ecx], eax
		mov	al, 1
		jmp	short locret_A5BFFC
_ViXdvSearchAndReplaceThunkArrayOrderDependent@12 endp


;  S U B	R O U T	I N E 


; __stdcall ViXdvSetRequestedAPIsforDIF(x)
_ViXdvSetRequestedAPIsforDIF@4 proc near ; CODE	XREF: ViXdvDriverLoadImage(x)+95p
		push	offset _ViUtilsForDIF
		push	offset _VfDifAPIThunkContextHead
		call	ecx
		pop	ecx
		pop	ecx
		test	eax, eax
		js	short loc_A5C06F
		mov	ecx, offset _VfRegularThunks
		call	_ViSetRequestedAPIs@4 ;	ViSetRequestedAPIs(x)
		call	_ViSetRequestedOrderDependentAPIs@4 ; ViSetRequestedOrderDependentAPIs(x)
		mov	ecx, offset _VfPoolThunks
		call	_ViSetRequestedAPIs@4 ;	ViSetRequestedAPIs(x)
		mov	ecx, offset _VfMandatoryThunks
		call	_ViSetRequestedAPIs@4 ;	ViSetRequestedAPIs(x)
		mov	ecx, offset _VfXdvThunks
		call	_ViSetRequestedAPIs@4 ;	ViSetRequestedAPIs(x)
		call	_ViSetRequestedIoCallbacks@4 ; ViSetRequestedIoCallbacks(x)
		mov	al, 1
		retn
; 

loc_A5C06F:				; CODE XREF: ViXdvSetRequestedAPIsforDIF(x)+10j
		xor	al, al
		retn
_ViXdvSetRequestedAPIsforDIF@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall IovpCancelRoutine(x, x, x)
@IovpCancelRoutine@12 proc near		; CODE XREF: IoCancelIrp+E2F81p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	_MmVerifierData, offset	loc_6A0000
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jnz	short loc_A5C094
		push	23h
		call	_VfIsRuleClassEnabled@4	; VfIsRuleClassEnabled(x)
		test	al, al
		jz	short loc_A5C0B3

loc_A5C094:				; CODE XREF: IovpCancelRoutine(x,x,x)+15j
		test	esi, esi
		jz	short loc_A5C0B3
		mov	eax, [esi+8]
		mov	eax, [eax+18h]
		cmp	dword ptr [eax+20h], 0
		jz	short loc_A5C0B3
		mov	eax, _pXdvDriverCancel
		test	eax, eax
		jz	short loc_A5C0B3
		push	edi
		push	esi
		call	eax
		jmp	short loc_A5C0B8
; 

loc_A5C0B3:				; CODE XREF: IovpCancelRoutine(x,x,x)+20j
					; IovpCancelRoutine(x,x,x)+24j	...
		push	edi
		push	esi
		call	[ebp+arg_0]

loc_A5C0B8:				; CODE XREF: IovpCancelRoutine(x,x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
@IovpCancelRoutine@12 endp


;  S U B	R O U T	I N E 


; __fastcall VfGetPristineDispatchRoutine(x, x)
@VfGetPristineDispatchRoutine@8	proc near ; CODE XREF: IovpCallDriver1(x)+275p
					; VfBeforeCallDriver(x,x,x)+A8p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		cmp	edi, 1Bh
		jbe	short loc_A5C0CF
		xor	eax, eax
		jmp	short loc_A5C0EF
; 

loc_A5C0CF:				; CODE XREF: VfGetPristineDispatchRoutine(x,x)+Bj
		push	esi
		call	_MmIsDriverVerifying@4 ; MmIsDriverVerifying(x)
		test	eax, eax
		jz	short loc_A5C0EB
		mov	eax, [esi+18h]
		mov	eax, [eax+20h]
		test	eax, eax
		jz	short loc_A5C0EB
		mov	eax, [eax+edi*4+10h]
		test	eax, eax
		jnz	short loc_A5C0EF

loc_A5C0EB:				; CODE XREF: VfGetPristineDispatchRoutine(x,x)+19j
					; VfGetPristineDispatchRoutine(x,x)+23j
		mov	eax, [esi+edi*4+38h]

loc_A5C0EF:				; CODE XREF: VfGetPristineDispatchRoutine(x,x)+Fj
					; VfGetPristineDispatchRoutine(x,x)+2Bj
		pop	edi
		pop	esi
		retn
@VfGetPristineDispatchRoutine@8	endp


;  S U B	R O U T	I N E 


; __fastcall VfGetPristineDriverInit(x)
@VfGetPristineDriverInit@4 proc	near	; CODE XREF: VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)+6Ep
					; VfPowerVerifyIrpStackDownward(x,x,x,x,x,x,x)+4Dp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	esi
		call	_MmIsDriverVerifying@4 ; MmIsDriverVerifying(x)
		test	eax, eax
		jz	short loc_A5C111
		mov	eax, [esi+18h]
		mov	eax, [eax+20h]
		test	eax, eax
		jz	short loc_A5C111
		mov	eax, [eax]
		test	eax, eax
		jnz	short loc_A5C114

loc_A5C111:				; CODE XREF: VfGetPristineDriverInit(x)+Dj
					; VfGetPristineDriverInit(x)+17j
		mov	eax, [esi+2Ch]

loc_A5C114:				; CODE XREF: VfGetPristineDriverInit(x)+1Dj
		pop	esi
		retn
@VfGetPristineDriverInit@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpAdvanceStackDownwards(x, x, x, x, x, x,	x, x)
_IovpAdvanceStackDownwards@32 proc near	; CODE XREF: IovpCallDriver1(x)+1E4p
					; IovpCompleteRequest1(x,x,x)+CBp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		movsx	eax, dl
		imul	eax, 50h
		push	edi
		lea	edi, [ecx-50h]
		add	edi, eax
		mov	[ebp+var_14], edi
		cmp	byte ptr [edi],	0
		jnz	short loc_A5C153
		cmp	[ebp+arg_10], 0
		jz	short loc_A5C153
		push	50h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		lea	eax, [edi+0Ch]
		add	esp, 0Ch
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ebp+arg_0]
		mov	[edi+14h], eax

loc_A5C153:				; CODE XREF: IovpAdvanceStackDownwards(x,x,x,x,x,x,x,x)+1Aj
					; IovpAdvanceStackDownwards(x,x,x,x,x,x,x,x)+20j
		and	[ebp+var_C], 0
		cmp	[ebp+arg_4], 0
		mov	ecx, [ebp+arg_8]
		push	ebx
		push	esi
		jnz	short loc_A5C174
		and	[ebp+var_8], 0
		and	[ebp+arg_4], 0
		and	[ebp+var_4], 0
		and	[ebp+arg_8], 0
		jmp	short loc_A5C1BF
; 

loc_A5C174:				; CODE XREF: IovpAdvanceStackDownwards(x,x,x,x,x,x,x,x)+4Aj
		test	ecx, ecx
		jle	short loc_A5C1AD
		imul	eax, ecx, 50h
		mov	edx, [eax+edi+8]
		lea	ebx, [eax+28h]
		add	ebx, edi
		mov	[ebp+arg_4], edx
		lea	esi, [eax+20h]
		mov	[ebp+var_4], ebx
		mov	ebx, [eax+edi+18h]
		add	esi, edi
		mov	[edi+8], edx
		mov	eax, [eax+edi+4]
		and	eax, 10000000h
		mov	[ebp+arg_8], esi
		or	[edi+4], eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], eax
		jmp	short loc_A5C1BF
; 

loc_A5C1AD:				; CODE XREF: IovpAdvanceStackDownwards(x,x,x,x,x,x,x,x)+60j
		and	[ebp+var_8], 0
		and	[ebp+arg_8], 0
		mov	eax, [edi+8]
		and	[ebp+var_4], 0
		mov	[ebp+arg_4], eax

loc_A5C1BF:				; CODE XREF: IovpAdvanceStackDownwards(x,x,x,x,x,x,x,x)+5Cj
					; IovpAdvanceStackDownwards(x,x,x,x,x,x,x,x)+95j
		cmp	ecx, 1
		jle	short loc_A5C22C
		dec	ecx
		lea	ebx, [edi+0Ch]
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_10], ecx

loc_A5C1CE:				; CODE XREF: IovpAdvanceStackDownwards(x,x,x,x,x,x,x,x)+111j
		add	[ebp+arg_0], 24h
		add	ebx, 50h
		push	50h		; size_t
		push	0		; int
		lea	esi, [ebx-0Ch]
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+arg_8]
		add	esp, 0Ch
		mov	eax, [ebp+arg_0]
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		mov	[ebx+8], eax
		mov	byte ptr [esi],	1
		mov	[ebx-4], edi
		mov	eax, [ecx]
		mov	[ebx+14h], eax
		mov	eax, [ecx+4]
		mov	ecx, [ebp+var_4]
		mov	[ebx+18h], eax
		mov	eax, [ecx]
		mov	[ebx+1Ch], eax
		mov	eax, [ecx+4]
		mov	[ebx+20h], eax
		mov	eax, [ebp+var_8]
		mov	[ebx+0Ch], eax
		mov	eax, [ebp+var_C]
		or	eax, 800000h
		or	[ebx-8], eax
		sub	[ebp+var_10], 1
		jnz	short loc_A5C1CE
		mov	edi, [ebp+var_14]

loc_A5C22C:				; CODE XREF: IovpAdvanceStackDownwards(x,x,x,x,x,x,x,x)+ACj
		cmp	[ebp+arg_10], 0
		mov	eax, [ebp+arg_14]
		pop	esi
		pop	ebx
		mov	[eax], edi
		jnz	short loc_A5C23E
		movzx	eax, byte ptr [edi]
		jmp	short loc_A5C24D
; 

loc_A5C23E:				; CODE XREF: IovpAdvanceStackDownwards(x,x,x,x,x,x,x,x)+121j
		cmp	[ebp+arg_C], 0
		jz	short loc_A5C247
		mov	[edi+8], edi

loc_A5C247:				; CODE XREF: IovpAdvanceStackDownwards(x,x,x,x,x,x,x,x)+12Cj
		movzx	eax, byte ptr [edi]
		mov	byte ptr [edi],	1

loc_A5C24D:				; CODE XREF: IovpAdvanceStackDownwards(x,x,x,x,x,x,x,x)+126j
		pop	edi
		leave
		retn	18h
_IovpAdvanceStackDownwards@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpCallDriver1(x)
_IovpCallDriver1@4 proc	near		; CODE XREF: VfBeforeCallDriver(x,x,x)+104p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		mov	esi, ecx
		xor	eax, eax
		push	edi
		mov	[ebp+var_24], esi
		mov	[ebp+var_10], eax
		mov	ebx, [esi+5Ch]
		mov	[ebp+var_20], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, ebx
		mov	[ebp+var_1], al
		call	_IovpPacketFromIrp@4 ; IovpPacketFromIrp(x)
		mov	edi, eax
		mov	[ebp+var_2C], edi
		test	edi, edi
		jz	loc_A5C64D
		mov	cl, [ebp+var_1]
		xor	eax, eax
		mov	[edi+29h], cl
		mov	[edi+28h], cl
		mov	edx, [esi+60h]
		push	edx
		mov	[ebp+var_34], eax
		mov	eax, [ebx+60h]
		sub	eax, 24h
		mov	[ebp+var_18], edx
		push	edi
		push	eax
		mov	dl, cl
		mov	[ebp+var_8], eax
		mov	ecx, [edi+88h]
		push	ebx
		call	_VfPendingShouldForce@24 ; VfPendingShouldForce(x,x,x,x,x,x)
		mov	ecx, [esi+58h]
		mov	edx, eax
		mov	eax, [edi+8Ch]
		mov	[ebp+var_30], edx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_C], ecx
		test	eax, eax
		jnz	short loc_A5C2FA
		mov	ecx, [edi+24h]
		test	cl, 1
		jnz	short loc_A5C2FA
		inc	eax
		or	ecx, eax
		mov	[ebp+var_14], eax
		mov	[edi+24h], ecx
		mov	ecx, [ebp+var_C]
		push	edx
		mov	edx, edi
		call	_IovpSessionDataCreate@12 ; IovpSessionDataCreate(x,x,x)
		mov	[ebp+var_1C], eax
		jmp	short loc_A5C2FE
; 

loc_A5C2FA:				; CODE XREF: IovpCallDriver1(x)+85j
					; IovpCallDriver1(x)+8Dj
		and	[ebp+var_14], 0

loc_A5C2FE:				; CODE XREF: IovpCallDriver1(x)+A6j
		mov	[esi], eax
		mov	[esi+8], edi
		test	eax, eax
		jz	loc_A5C638
		lea	eax, [ebp+var_40]
		push	eax
		call	KeQuerySystemTime
		cmp	[ebp+var_14], 0
		jz	short loc_A5C361
		mov	ecx, [ebp+var_C]
		call	_IovUtilGetBottomDeviceObjectWithTag@8 ; IovUtilGetBottomDeviceObjectWithTag(x,x)
		mov	ecx, [edi+88h]
		mov	esi, eax
		push	ebx
		mov	edx, esi
		call	_VfIrpLogRecordEvent@12	; VfIrpLogRecordEvent(x,x,x)
		mov	edx, 49667256h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		lock inc dword ptr [edi+0Ch]
		mov	ecx, [ebp+var_1C]
		inc	dword ptr [edi+10h]
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_A5C35A
		mov	eax, [ecx]
		add	eax, 0Ch
		lock inc dword ptr [eax]
		mov	eax, [ecx+4]

loc_A5C35A:				; CODE XREF: IovpCallDriver1(x)+FBj
		mov	esi, [ebp+var_24]
		inc	eax
		mov	[ecx+4], eax

loc_A5C361:				; CODE XREF: IovpCallDriver1(x)+C6j
		cmp	dword ptr [ebx+38h], 0
		jz	short loc_A5C379
		mov	edx, [ebp+var_18] ; int
		mov	ecx, 203h	; int
		push	ebx		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		and	dword ptr [ebx+38h], 0

loc_A5C379:				; CODE XREF: IovpCallDriver1(x)+113j
		test	byte ptr [edi+24h], 10h
		jz	short loc_A5C38D
		mov	edx, [ebp+var_18] ; int
		mov	ecx, 205h	; int
		push	ebx		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A5C38D:				; CODE XREF: IovpCallDriver1(x)+12Bj
		mov	al, [ebx+23h]
		cmp	al, [ebx+22h]
		jg	short loc_A5C3C1
		mov	ecx, [ebp+var_8]
		mov	al, [ecx]
		cmp	al, 3
		jz	short loc_A5C3A2
		cmp	al, 4
		jnz	short loc_A5C3C1

loc_A5C3A2:				; CODE XREF: IovpCallDriver1(x)+14Aj
		mov	eax, [esi+5Ch]
		cmp	dword ptr [eax+4], 0
		jz	short loc_A5C3C1
		test	_MmVerifierData, 6000h
		jz	short loc_A5C3C1
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	_MdlInvariantPreProcessing1@12 ; MdlInvariantPreProcessing1(x,x,x)

loc_A5C3C1:				; CODE XREF: IovpCallDriver1(x)+141j
					; IovpCallDriver1(x)+14Ej ...
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_C]
		mov	edx, [eax+18h]
		call	_IovpExamineDevObjForwarding@8 ; IovpExamineDevObjForwarding(x,x)
		mov	ecx, [ebp+var_1C]
		mov	edx, [ebp+var_14]
		mov	[ecx+1Ch], eax
		lea	eax, [ebp+var_28]
		push	eax		; int
		lea	eax, [ebp+var_20]
		push	eax		; int
		push	[ebp+var_8]	; void *
		push	[ebp+var_18]	; int
		push	ebx		; int
		push	ecx		; int
		mov	ecx, edi
		call	_IovpExamineIrpStackForwarding@32 ; IovpExamineIrpStackForwarding(x,x,x,x,x,x,x,x)
		cmp	[ebp+var_30], 0
		jz	short loc_A5C40F
		lock inc dword ptr [edi+0Ch]
		mov	eax, [ebp+var_8]
		mov	ecx, ebx
		inc	dword ptr [edi+10h]
		mov	[edi+80h], eax
		call	_VfPendingStartLogging@4 ; VfPendingStartLogging(x)
		mov	[ebp+var_34], eax

loc_A5C40F:				; CODE XREF: IovpCallDriver1(x)+1A1j
		mov	edi, [ebp+var_8]
		mov	edx, edi
		mov	ecx, [ebp+var_20]
		call	@VfMajorIsNewRequest@8 ; VfMajorIsNewRequest(x,x)
		mov	dl, [ebx+23h]
		lea	ecx, [ebp+var_10]
		push	ecx
		mov	ecx, [ebp+var_1C]
		push	1
		push	eax
		push	[ebp+var_28]
		lea	ecx, [ecx+28h]
		mov	[ebp+var_30], eax
		push	[ebp+var_20]
		push	edi
		call	_IovpAdvanceStackDownwards@32 ;	IovpAdvanceStackDownwards(x,x,x,x,x,x,x,x)
		mov	edi, [ebp+var_10]
		mov	ecx, [ebp+var_40]
		mov	edx, [ebp+var_3C]
		mov	[edi+20h], ecx
		mov	[edi+24h], edx
		test	eax, eax
		jnz	short loc_A5C49A
		or	dword ptr [esi+0Ch], 4000000h
		lea	eax, [esi+10h]
		cmp	[ebp+var_30], 0
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, large fs:124h
		mov	[edi+28h], ecx
		mov	[edi+2Ch], edx
		mov	edi, [ebp+var_10]
		mov	[edi+48h], eax
		jz	short loc_A5C49A
		cmp	[ebp+var_14], 0
		mov	eax, [ebx+18h]
		mov	[edi+38h], eax
		mov	eax, [ebx+1Ch]
		mov	[edi+3Ch], eax
		mov	eax, [ebx+18h]
		mov	[edi+40h], eax
		mov	eax, [ebx+1Ch]
		mov	[edi+44h], eax
		jz	short loc_A5C49A
		or	dword ptr [edi+4], 8000000h

loc_A5C49A:				; CODE XREF: IovpCallDriver1(x)+1FAj
					; IovpCallDriver1(x)+221j ...
		mov	ecx, [ebp+var_C]
		call	_IovUtilGetLowerDeviceObjectWithTag@8 ;	IovUtilGetLowerDeviceObjectWithTag(x,x)
		test	eax, eax
		jz	short loc_A5C4B4
		mov	edx, 49667256h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		jmp	short loc_A5C4BB
; 

loc_A5C4B4:				; CODE XREF: IovpCallDriver1(x)+252j
		or	dword ptr [edi+4], 10000000h

loc_A5C4BB:				; CODE XREF: IovpCallDriver1(x)+260j
		mov	eax, [ebp+var_8]
		movzx	edx, byte ptr [eax]
		mov	eax, [ebp+var_C]
		mov	ecx, [eax+8]
		call	@VfGetPristineDispatchRoutine@8	; VfGetPristineDispatchRoutine(x,x)
		mov	[edi+18h], eax
		lea	ecx, [edi+0Ch]
		and	dword ptr [edi+4], 0BFFFFFFFh
		lea	eax, [esi+10h]
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jz	short loc_A5C4E8
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A5C4E8:				; CODE XREF: IovpCallDriver1(x)+28Fj
		mov	[eax+4], ecx
		mov	[eax], edx
		mov	[edx+4], eax
		mov	[ecx], eax
		mov	eax, [ebp+var_8]
		mov	[esi+4], edi
		mov	edi, [ebp+var_24]
		mov	[esi+28h], ebx
		add	edi, 2Ch
		mov	esi, [ebx+60h]
		sub	esi, 24h
		push	9
		pop	ecx
		rep movsd
		test	byte ptr [eax+3], 1
		mov	esi, [ebp+var_24]
		jz	short loc_A5C51C
		or	dword ptr [esi+0Ch], 1000000h

loc_A5C51C:				; CODE XREF: IovpCallDriver1(x)+2C1j
		cmp	byte ptr [eax],	1Bh
		jnz	short loc_A5C571
		cmp	byte ptr [eax+1], 2
		jnz	short loc_A5C571
		mov	edi, [ebp+var_C]
		mov	ecx, edi
		or	dword ptr [esi+0Ch], 20000000h
		call	_IovUtilGetBottomDeviceObjectWithTag@8 ; IovUtilGetBottomDeviceObjectWithTag(x,x)
		mov	edx, 49667256h
		mov	[esi+24h], eax
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		mov	ecx, edi
		call	_IovUtilIsInFdoStack@4 ; IovUtilIsInFdoStack(x)
		test	eax, eax
		jz	short loc_A5C567
		push	3
		pop	edx
		mov	ecx, edi
		call	_IovUtilIsDeviceObjectMarked@8 ; IovUtilIsDeviceObjectMarked(x,x)
		test	eax, eax
		jnz	short loc_A5C567
		or	dword ptr [esi+0Ch], 10000000h

loc_A5C567:				; CODE XREF: IovpCallDriver1(x)+2FEj
					; IovpCallDriver1(x)+30Cj
		mov	ecx, edi
		call	_VfDevObjMarkDeviceRemoved@4 ; VfDevObjMarkDeviceRemoved(x)
		mov	eax, [ebp+var_8]

loc_A5C571:				; CODE XREF: IovpCallDriver1(x)+2CDj
					; IovpCallDriver1(x)+2D3j
		cmp	[ebp+var_14], 0
		mov	edi, [ebp+var_2C]
		jz	short loc_A5C58A
		push	[ebp+var_18]
		mov	edx, ebx
		mov	ecx, edi
		push	[ebp+var_10]
		push	eax
		call	@VfMajorVerifyNewIrp@20	; VfMajorVerifyNewIrp(x,x,x,x,x)

loc_A5C58A:				; CODE XREF: IovpCallDriver1(x)+326j
		cmp	[ebp+var_30], 0
		jz	short loc_A5C5AF
		test	dword ptr [edi+24h], 80000h
		jnz	short loc_A5C5AF
		push	[ebp+var_18]
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		push	[ebp+var_10]
		push	[ebp+var_8]
		push	[ebp+var_20]
		call	@VfMajorVerifyNewRequest@24 ; VfMajorVerifyNewRequest(x,x,x,x,x,x)

loc_A5C5AF:				; CODE XREF: IovpCallDriver1(x)+33Cj
					; IovpCallDriver1(x)+345j
		push	[ebp+var_18]
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		push	[ebp+var_10]
		push	[ebp+var_8]
		push	[ebp+var_20]
		call	@VfMajorVerifyIrpStackDownward@24 ; VfMajorVerifyIrpStackDownward(x,x,x,x,x,x)
		mov	edx, [ebp+var_1C]
		mov	eax, [ebp+var_C]
		mov	[edx+18h], eax
		mov	al, [ebx+23h]
		mov	[edi+6Eh], al
		mov	eax, [ebp+var_10]
		mov	ecx, [eax+8]
		mov	eax, [ebx+18h]
		mov	[ecx+40h], eax
		mov	eax, [ebx+1Ch]
		mov	[ecx+44h], eax
		mov	al, [ebx+23h]
		cmp	al, 2
		jle	short loc_A5C604
		add	dword ptr [ebx+60h], 0FFFFFFDCh
		dec	al
		mov	[ebx+23h], al
		mov	eax, [ebx+60h]
		or	byte ptr [eax-21h], 10h
		inc	byte ptr [ebx+23h]
		add	dword ptr [ebx+60h], 24h

loc_A5C604:				; CODE XREF: IovpCallDriver1(x)+399j
		mov	eax, [edx+4]
		test	eax, eax
		jnz	short loc_A5C616
		mov	eax, [edx]
		add	eax, 0Ch
		lock inc dword ptr [eax]
		mov	eax, [edx+4]

loc_A5C616:				; CODE XREF: IovpCallDriver1(x)+3B7j
		inc	eax
		mov	[edx+4], eax
		lock inc dword ptr [edi+0Ch]
		cmp	_VfWdCancelTimeoutTicks, 0
		mov	edx, [esi+18h]
		jz	short loc_A5C638
		lea	eax, [edi+90h]
		mov	ecx, ebx
		push	eax
		call	_ViWdBeforeCallDriver@12 ; ViWdBeforeCallDriver(x,x,x)

loc_A5C638:				; CODE XREF: IovpCallDriver1(x)+B3j
					; IovpCallDriver1(x)+3D6j
		mov	ecx, edi
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)
		mov	eax, [ebp+var_34]
		test	eax, eax
		jz	short loc_A5C64D
		mov	ecx, eax
		call	_VfPendingFinishLogging@4 ; VfPendingFinishLogging(x)

loc_A5C64D:				; CODE XREF: IovpCallDriver1(x)+3Bj
					; IovpCallDriver1(x)+3F2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IovpCallDriver1@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpCallDriver2(x, x)
_IovpCallDriver2@8 proc	near		; CODE XREF: VfAfterCallDriver(x,x,x)+153p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	edi
		mov	eax, [esi]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_A5C823
		mov	edi, [esi+8]
		mov	[ebp+var_8], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+4]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	dword ptr [edi+80h], 0
		mov	ecx, [ebp+var_4]
		mov	[edi+8], bl
		jz	short loc_A5C6A3
		test	dword ptr [esi+0Ch], 2000000h
		jz	short loc_A5C6A3
		mov	dword ptr [ecx], 103h

loc_A5C6A3:				; CODE XREF: IovpCallDriver2(x,x)+40j
					; IovpCallDriver2(x,x)+49j
		mov	eax, [esi+0Ch]
		mov	edi, [esi+58h]
		test	eax, 20000000h
		jz	loc_A5C756
		cmp	dword ptr [ecx], 103h
		jz	loc_A5C756
		test	eax, 1000000h
		jnz	loc_A5C756
		mov	ecx, edi
		call	_IovUtilGetLowerDeviceObjectWithTag@8 ;	IovUtilGetLowerDeviceObjectWithTag(x,x)
		test	dword ptr [esi+0Ch], 10000000h
		mov	ebx, eax
		jnz	short loc_A5C721
		mov	ecx, [esi+24h]
		call	@PpvUtilGetDevnodeRemovalOption@4 ; PpvUtilGetDevnodeRemovalOption(x)
		test	eax, eax
		jz	short loc_A5C721
		cmp	eax, 1
		jnz	short loc_A5C746
		xor	edx, edx
		cmp	edi, ecx
		mov	ecx, edi
		jnz	short loc_A5C706
		call	_IovUtilIsDeviceObjectMarked@8 ; IovUtilIsDeviceObjectMarked(x,x)
		test	eax, eax
		jz	short loc_A5C746
		mov	ecx, 221h
		jmp	short loc_A5C73A
; 

loc_A5C706:				; CODE XREF: IovpCallDriver2(x,x)+A2j
		call	_IovUtilIsDeviceObjectMarked@8 ; IovUtilIsDeviceObjectMarked(x,x)
		test	eax, eax
		jnz	short loc_A5C746
		xor	edx, edx
		call	_IovUtilIsDeviceObjectMarked@8 ; IovUtilIsDeviceObjectMarked(x,x)
		test	eax, eax
		jz	short loc_A5C746
		mov	ecx, 223h
		jmp	short loc_A5C73A
; 

loc_A5C721:				; CODE XREF: IovpCallDriver2(x,x)+89j
					; IovpCallDriver2(x,x)+95j
		test	ebx, ebx
		jz	short loc_A5C756
		mov	eax, [edi+8]
		mov	eax, [eax+28h]
		test	eax, eax
		jz	short loc_A5C735
		cmp	dword ptr [eax+34h], 0
		jnz	short loc_A5C746

loc_A5C735:				; CODE XREF: IovpCallDriver2(x,x)+DBj
		mov	ecx, 21Dh	; int

loc_A5C73A:				; CODE XREF: IovpCallDriver2(x,x)+B2j
					; IovpCallDriver2(x,x)+CDj
		mov	edx, [esi+18h]	; int
		push	edi		; int
		push	dword ptr [esi+28h] ; int
		call	_ViErrorReport10@16 ; ViErrorReport10(x,x,x,x)

loc_A5C746:				; CODE XREF: IovpCallDriver2(x,x)+9Aj
					; IovpCallDriver2(x,x)+ABj ...
		test	ebx, ebx
		jz	short loc_A5C756
		mov	edx, 49667256h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_A5C756:				; CODE XREF: IovpCallDriver2(x,x)+5Cj
					; IovpCallDriver2(x,x)+68j ...
		mov	eax, [esi+0Ch]
		mov	edi, 40000000h
		mov	ebx, [ebp+var_C]
		test	eax, edi
		jz	short loc_A5C7B2
		test	byte ptr [ebx+10h], 2
		jnz	short loc_A5C7B2
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx]
		test	eax, 2000000h
		jz	short loc_A5C78E
		cmp	ecx, 103h
		jz	short loc_A5C7B2
		test	eax, 1000000h
		jnz	short loc_A5C7B2
		push	ecx
		mov	ecx, 23Eh
		jmp	short loc_A5C7A3
; 

loc_A5C78E:				; CODE XREF: IovpCallDriver2(x,x)+123j
		cmp	ecx, 103h
		jz	short loc_A5C79D
		test	eax, 1000000h
		jz	short loc_A5C7B2

loc_A5C79D:				; CODE XREF: IovpCallDriver2(x,x)+142j
		push	ecx		; int
		mov	ecx, 24Ch	; int

loc_A5C7A3:				; CODE XREF: IovpCallDriver2(x,x)+13Aj
		push	dword ptr [esi+28h] ; int
		mov	edx, [esi+18h]	; int
		call	_ViErrorReport6@16 ; ViErrorReport6(x,x,x,x)
		or	dword ptr [ebx+10h], 2

loc_A5C7B2:				; CODE XREF: IovpCallDriver2(x,x)+111j
					; IovpCallDriver2(x,x)+117j ...
		mov	ecx, [ebp+var_4]
		mov	eax, [ecx]
		test	[esi+0Ch], edi
		jz	loc_A5C840
		mov	edx, [esi+1Ch]
		cmp	eax, edx
		jz	short loc_A5C828
		cmp	eax, 103h
		jz	short loc_A5C828
		mov	ecx, [ebx+10h]	; int
		test	cl, 1
		jnz	short loc_A5C7E7
		push	eax		; int
		push	edx		; int
		mov	edx, [esi+18h]	; int
		lea	eax, [esi+28h]
		push	eax		; int
		call	_ViErrorReport4@20 ; ViErrorReport4(x,x,x,x,x)
		mov	ecx, [ebx+10h]

loc_A5C7E7:				; CODE XREF: IovpCallDriver2(x,x)+182j
		or	ecx, 1
		mov	[ebx+10h], ecx

loc_A5C7ED:				; CODE XREF: IovpCallDriver2(x,x)+1ECj
		mov	ecx, [ebp+var_4]

loc_A5C7F0:				; CODE XREF: IovpCallDriver2(x,x)+1D9j
		mov	edi, [ebp+var_8]

loc_A5C7F3:				; CODE XREF: IovpCallDriver2(x,x)+240j
		mov	eax, [esi+0Ch]
		test	eax, 8000000h
		jz	short loc_A5C811
		cmp	dword ptr [ecx], 103h
		jz	short loc_A5C811
		test	eax, 1000000h
		jnz	short loc_A5C811
		mov	eax, [esi+20h]
		mov	[ecx], eax

loc_A5C811:				; CODE XREF: IovpCallDriver2(x,x)+1A9j
					; IovpCallDriver2(x,x)+1B1j ...
		mov	ecx, ebx
		call	_IovpSessionDataDereference@4 ;	IovpSessionDataDereference(x)
		lock dec dword ptr [edi+0Ch]
		mov	ecx, edi
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)

loc_A5C823:				; CODE XREF: IovpCallDriver2(x,x)+17j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A5C828:				; CODE XREF: IovpCallDriver2(x,x)+173j
					; IovpCallDriver2(x,x)+17Aj
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_A5C7F0
		mov	edx, [esi+18h]	; int
		mov	ecx, 225h	; int
		push	eax		; int
		push	dword ptr [esi+28h] ; int
		call	_ViErrorReport6@16 ; ViErrorReport6(x,x,x,x)
		jmp	short loc_A5C7ED
; 

loc_A5C840:				; CODE XREF: IovpCallDriver2(x,x)+168j
		mov	edi, [ebp+var_8]
		cmp	eax, 103h
		jz	short loc_A5C86F
		mov	eax, [edi+24h]
		test	eax, 400000h
		jnz	short loc_A5C867
		push	dword ptr [esi+28h] ; int
		mov	edx, [esi+18h]	; int
		mov	ecx, 226h	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		mov	eax, [edi+24h]

loc_A5C867:				; CODE XREF: IovpCallDriver2(x,x)+200j
		or	eax, 400000h
		mov	[edi+24h], eax

loc_A5C86F:				; CODE XREF: IovpCallDriver2(x,x)+1F6j
		mov	eax, [esi+4]
		or	dword ptr [eax+4], 4000000h
		lea	eax, [esi+10h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_A5C897
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_A5C897
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, [ebp+var_4]
		jmp	loc_A5C7F3
; 

loc_A5C897:				; CODE XREF: IovpCallDriver2(x,x)+22Fj
					; IovpCallDriver2(x,x)+236j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_IovpCallDriver2@8 endp			; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall IovpCheckIrpForCriticalTracking(x)
_IovpCheckIrpForCriticalTracking@4 proc	near
					; CODE XREF: VfIrpAllocateCallDriverData(x,x)+1Ap
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+8]
		and	eax, 0C0000000h
		jz	short loc_A5C8BB
		cmp	eax, 40000000h
		jnz	short loc_A5C8F6
		call	_VfIrpDatabaseEntryFindAndLock@4 ; VfIrpDatabaseEntryFindAndLock(x)
		mov	ecx, eax
		jmp	short loc_A5C8D1
; 

loc_A5C8BB:				; CODE XREF: IovpCheckIrpForCriticalTracking(x)+Dj
		call	_VfIrpDatabaseEntryFindAndLock@4 ; VfIrpDatabaseEntryFindAndLock(x)
		mov	ecx, eax
		mov	eax, [esi+8]
		test	ecx, ecx
		jz	short loc_A5C8EE
		or	eax, 40000000h
		mov	[esi+8], eax

loc_A5C8D1:				; CODE XREF: IovpCheckIrpForCriticalTracking(x)+1Dj
		xor	esi, esi
		cmp	[ecx+8Ch], esi
		jz	short loc_A5C8DE
		inc	esi
		jmp	short loc_A5C8E5
; 

loc_A5C8DE:				; CODE XREF: IovpCheckIrpForCriticalTracking(x)+3Dj
		or	dword ptr [ecx+24h], 80000h

loc_A5C8E5:				; CODE XREF: IovpCheckIrpForCriticalTracking(x)+40j
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)
		mov	eax, esi
		pop	esi
		retn
; 

loc_A5C8EE:				; CODE XREF: IovpCheckIrpForCriticalTracking(x)+2Bj
		or	eax, 80000000h
		mov	[esi+8], eax

loc_A5C8F6:				; CODE XREF: IovpCheckIrpForCriticalTracking(x)+14j
		xor	eax, eax
		pop	esi
		retn
_IovpCheckIrpForCriticalTracking@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpCompleteRequest1(x, x, x)
_IovpCompleteRequest1@12 proc near	; CODE XREF: IovCompleteRequest(x,x)+C5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1], dl
		mov	edi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, edi
		mov	bl, al
		call	_VfIrpDatabaseEntryFindAndLock@4 ; VfIrpDatabaseEntryFindAndLock(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A5C929
		mov	eax, [ebp+arg_0]
		and	[eax], esi
		jmp	loc_A5C9DF
; 

loc_A5C929:				; CODE XREF: IovpCompleteRequest1(x,x,x)+23j
		mov	[esi+29h], bl
		xor	eax, eax
		mov	[esi+28h], bl
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_C], eax
		mov	eax, [esi+8Ch]
		mov	[ebp+var_8], eax
		mov	[ebx], eax
		mov	[ebx+4], esi
		mov	ecx, [edi+60h]
		mov	[ebp+arg_0], ecx
		test	eax, eax
		jnz	short loc_A5C95B
		mov	ecx, esi
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)
		jmp	loc_A5C9DF
; 

loc_A5C95B:				; CODE XREF: IovpCompleteRequest1(x,x,x)+53j
		test	byte ptr [esi+24h], 10h
		jz	short loc_A5C96F
		mov	edx, [ebx+14h]	; int
		mov	ecx, 209h	; int
		push	edi		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A5C96F:				; CODE XREF: IovpCompleteRequest1(x,x,x)+65j
		cmp	dword ptr [esi+80h], 0
		mov	al, [ebp+var_1]
		mov	[esi+6Dh], al
		jz	short loc_A5C995
		cmp	dword ptr [esi+24h], 0
		jl	short loc_A5C995
		mov	ecx, edi
		call	_VfPendingStartLogging@4 ; VfPendingStartLogging(x)
		mov	ecx, [edi+60h]
		mov	[ebp+var_C], eax
		or	byte ptr [ecx+3], 1

loc_A5C995:				; CODE XREF: IovpCompleteRequest1(x,x,x)+82j
					; IovpCompleteRequest1(x,x,x)+88j
		mov	eax, [ebp+var_8]
		and	dword ptr [eax+18h], 0
		lea	eax, [ebp+var_10]
		movsx	ecx, byte ptr [edi+23h]
		movzx	edx, byte ptr [esi+6Eh]
		sub	edx, ecx
		mov	ecx, [ebp+arg_0]
		push	eax
		push	0
		imul	eax, edx, 24h
		push	0
		push	edx
		mov	[ebx+0Ch], edx
		mov	dl, [edi+23h]
		add	eax, ecx
		push	eax
		push	ecx
		mov	ecx, [ebp+var_8]
		lea	ecx, [ecx+28h]
		call	_IovpAdvanceStackDownwards@32 ;	IovpAdvanceStackDownwards(x,x,x,x,x,x,x,x)
		mov	ecx, esi
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_A5C9DF
		mov	ecx, eax
		call	_VfPendingFinishLogging@4 ; VfPendingFinishLogging(x)

loc_A5C9DF:				; CODE XREF: IovpCompleteRequest1(x,x,x)+2Aj
					; IovpCompleteRequest1(x,x,x)+5Cj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_IovpCompleteRequest1@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpCompleteRequest2(x, x)
_IovpCompleteRequest2@8	proc near	; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+67p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	eax, edx
		mov	[ebp+var_10], ecx
		push	esi
		push	edi
		mov	[ebp+var_14], eax
		mov	edi, [eax]
		test	edi, edi
		jz	loc_A5CC5C
		mov	esi, [eax+4]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [esi+4]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [esi+90h]
		mov	[esi+8], bl
		cmp	dword ptr [ecx], 0
		jz	short loc_A5CA29
		call	_ViWdIrpBeforeCompletionRoutine@4 ; ViWdIrpBeforeCompletionRoutine(x)

loc_A5CA29:				; CODE XREF: IovpCompleteRequest2(x,x)+3Cj
		mov	ebx, [ebp+var_10]
		mov	eax, [ebx+18h]
		mov	dl, [ebx+23h]
		mov	[ebp+var_8], eax
		movsx	eax, dl
		imul	eax, 50h
		add	eax, 0FFFFFFD8h
		add	eax, edi
		mov	[ebp+var_C], eax
		mov	ecx, [eax+8]
		mov	eax, [ecx+4]
		test	eax, 40000000h
		jz	short loc_A5CA56
		and	[ebp+var_10], 0
		jmp	short loc_A5CA68
; 

loc_A5CA56:				; CODE XREF: IovpCompleteRequest2(x,x)+68j
		or	eax, 40000000h
		mov	[ebp+var_10], 1
		mov	[ecx+4], eax
		mov	dl, [ebx+23h]

loc_A5CA68:				; CODE XREF: IovpCompleteRequest2(x,x)+6Ej
		cmp	[ebp+var_C], ecx
		mov	eax, [ebx+60h]
		push	0
		pop	ecx
		setz	cl
		sub	eax, 24h
		mov	[ebp+var_18], ecx
		mov	[ebp+var_4], eax
		cmp	dl, [ebx+22h]
		jg	short loc_A5CAB0
		mov	al, [eax]
		cmp	al, 4
		jz	short loc_A5CA8C
		cmp	al, 3
		jnz	short loc_A5CAAD

loc_A5CA8C:				; CODE XREF: IovpCompleteRequest2(x,x)+A0j
		cmp	dword ptr [ebx+4], 0
		jz	short loc_A5CAAD
		test	_MmVerifierData, 6000h
		jz	short loc_A5CAAD
		push	[ebp+var_4]
		mov	edx, ebx
		mov	ecx, esi
		call	_MdlInvariantPostProcessing1@12	; MdlInvariantPostProcessing1(x,x,x)
		mov	ecx, [ebp+var_18]

loc_A5CAAD:				; CODE XREF: IovpCompleteRequest2(x,x)+A4j
					; IovpCompleteRequest2(x,x)+AAj ...
		mov	eax, [ebp+var_4]

loc_A5CAB0:				; CODE XREF: IovpCompleteRequest2(x,x)+9Aj
		push	ecx
		push	[ebp+var_10]
		mov	edx, eax
		mov	ecx, esi
		push	[ebp+var_C]
		call	@VfMajorVerifyIrpStackUpward@20	; VfMajorVerifyIrpStackUpward(x,x,x,x,x)
		mov	eax, [edi+10h]
		mov	edx, [ebp+var_8]
		mov	[ebp+var_18], edx
		test	al, 2
		jnz	short loc_A5CB00
		mov	ecx, [ebp+var_C]
		test	dword ptr [ecx+4], 4000000h
		jz	short loc_A5CB00
		cmp	byte ptr [ebx+21h], 0
		jnz	short loc_A5CB00
		test	dword ptr [ebx+8], 800h
		jz	short loc_A5CAFA
		push	edx		; int
		mov	edx, [ecx+18h]	; int
		mov	ecx, 23Eh	; int
		push	ebx		; int
		call	_ViErrorReport6@16 ; ViErrorReport6(x,x,x,x)
		mov	eax, [edi+10h]

loc_A5CAFA:				; CODE XREF: IovpCompleteRequest2(x,x)+100j
		or	eax, 2
		mov	[edi+10h], eax

loc_A5CB00:				; CODE XREF: IovpCompleteRequest2(x,x)+E5j
					; IovpCompleteRequest2(x,x)+F1j ...
		mov	eax, [ebp+var_C]
		add	eax, 0Ch
		mov	[ebp+var_10], eax

loc_A5CB09:				; CODE XREF: IovpCompleteRequest2(x,x)+17Dj
					; IovpCompleteRequest2(x,x)+193j ...
		mov	ecx, [eax]
		mov	[ebp+var_1C], ecx
		cmp	ecx, eax
		jz	loc_A5CB98
		cmp	[ecx+4], eax
		jnz	short loc_A5CB93
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jnz	short loc_A5CB93
		mov	[eax], edx
		mov	[edx+4], eax
		mov	edx, [ecx-4]
		or	edx, 40000000h
		mov	[ecx-4], edx
		mov	eax, [ebp+var_8]
		mov	[ecx+0Ch], eax
		cmp	byte ptr [ebx+21h], 0
		jz	short loc_A5CB48
		or	edx, 2000000h
		mov	[ecx-4], edx

loc_A5CB48:				; CODE XREF: IovpCompleteRequest2(x,x)+157j
		mov	eax, [ebp+var_14]
		mov	edx, [ecx+18h]	; int
		push	dword ptr [eax+14h] ; int
		lea	eax, [ecx+1Ch]
		mov	ecx, esi	; int
		push	eax		; int
		call	_IovpValidateStatusInformation@16 ; IovpValidateStatusInformation(x,x,x,x)
		test	byte ptr [esi+24h], 20h
		mov	eax, [ebp+var_10]
		jnz	short loc_A5CB09
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]
		push	eax
		call	@VfMajorAdvanceIrpStatus@12 ; VfMajorAdvanceIrpStatus(x,x,x)
		test	eax, eax
		mov	eax, [ebp+var_10]
		jz	short loc_A5CB09
		mov	ecx, [ebp+var_1C]
		or	dword ptr [ecx-4], 8000000h
		mov	eax, [ebp+var_8]
		mov	[ecx+10h], eax
		mov	eax, [ebp+var_10]
		jmp	loc_A5CB09
; 

loc_A5CB93:				; CODE XREF: IovpCompleteRequest2(x,x)+133j
					; IovpCompleteRequest2(x,x)+13Aj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A5CB98:				; CODE XREF: IovpCompleteRequest2(x,x)+12Aj
		mov	eax, [ebp+var_8]
		push	50h		; size_t
		push	0		; int
		push	[ebp+var_C]	; void *
		mov	[ebx+18h], eax
		call	_memset
		mov	eax, [ebp+var_10]
		add	esp, 0Ch
		mov	[eax+4], eax
		mov	[eax], eax
		mov	al, [ebx+23h]
		movzx	ecx, byte ptr [esi+6Ch]
		inc	al
		mov	[esi+6Eh], al
		movsx	eax, byte ptr [ebx+23h]
		cmp	ecx, eax
		jnz	short loc_A5CC35
		mov	eax, [ebp+var_14]
		mov	ecx, esi
		and	dword ptr [eax], 0
		and	dword ptr [eax+4], 0
		mov	edx, [ebx+60h]
		sub	edx, 24h
		call	@VfMajorVerifyFinalIrpStack@8 ;	VfMajorVerifyFinalIrpStack(x,x)
		mov	eax, [edi]
		mov	ecx, edi
		and	dword ptr [eax+24h], 0FFFFFFFEh
		and	dword ptr [eax+8Ch], 0
		call	_IovpSessionDataDereference@4 ;	IovpSessionDataDereference(x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_VfIrpDatabaseEntryDereference@8 ; VfIrpDatabaseEntryDereference(x,x)
		mov	eax, [esi+84h]
		test	eax, eax
		jz	short loc_A5CC4F
		xor	ebx, ebx
		cmp	[eax], ebx
		jbe	short loc_A5CC2F
		xor	edx, edx

loc_A5CC10:				; CODE XREF: IovpCompleteRequest2(x,x)+247j
		mov	edi, [eax+4]
		add	edi, edx
		cmp	dword ptr [edi], 0
		jz	short loc_A5CC21
		push	8
		pop	ecx
		xor	eax, eax
		rep stosd

loc_A5CC21:				; CODE XREF: IovpCompleteRequest2(x,x)+232j
		mov	eax, [esi+84h]
		inc	ebx
		add	edx, 20h
		cmp	ebx, [eax]
		jb	short loc_A5CC10

loc_A5CC2F:				; CODE XREF: IovpCompleteRequest2(x,x)+226j
		and	dword ptr [eax+8], 0
		jmp	short loc_A5CC4F
; 

loc_A5CC35:				; CODE XREF: IovpCompleteRequest2(x,x)+1E1j
		mov	eax, [edi+4]
		test	eax, eax
		jnz	short loc_A5CC47
		mov	eax, [edi]
		add	eax, 0Ch
		lock inc dword ptr [eax]
		mov	eax, [edi+4]

loc_A5CC47:				; CODE XREF: IovpCompleteRequest2(x,x)+254j
		inc	eax
		mov	[edi+4], eax
		lock inc dword ptr [esi+0Ch]

loc_A5CC4F:				; CODE XREF: IovpCompleteRequest2(x,x)+220j
					; IovpCompleteRequest2(x,x)+24Dj
		mov	ecx, esi
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)
		mov	eax, [ebp+var_14]
		dec	dword ptr [eax+0Ch]

loc_A5CC5C:				; CODE XREF: IovpCompleteRequest2(x,x)+17j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_IovpCompleteRequest2@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpCompleteRequest3(x, x, x)
_IovpCompleteRequest3@12 proc near	; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+CFp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	[ebp+var_4], edx
		mov	edi, ecx
		cmp	dword ptr [esi], 0
		jz	short loc_A5CCC1
		mov	eax, [esi+4]
		push	ebx
		mov	[ebp+arg_0], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp+arg_0]
		mov	bl, al
		add	ecx, 4
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx+8], bl
		mov	al, [edi+23h]
		pop	ebx
		cmp	al, [edi+22h]
		jg	short loc_A5CCB1
		mov	eax, [edi+60h]
		cmp	byte ptr [eax],	1Bh
		jnz	short loc_A5CCB1
		cmp	byte ptr [eax+1], 2
		jnz	short loc_A5CCB1
		mov	al, 1
		jmp	short loc_A5CCB3
; 

loc_A5CCB1:				; CODE XREF: IovpCompleteRequest3(x,x,x)+3Cj
					; IovpCompleteRequest3(x,x,x)+44j ...
		xor	eax, eax

loc_A5CCB3:				; CODE XREF: IovpCompleteRequest3(x,x,x)+4Ej
		mov	[esi+8], al
		mov	eax, [ebp+var_4]
		mov	[esi+10h], eax
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)

loc_A5CCC1:				; CODE XREF: IovpCompleteRequest3(x,x,x)+13j
		pop	edi
		pop	esi
		leave
		retn	4
_IovpCompleteRequest3@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpCompleteRequest4(x, x, x, x)
_IovpCompleteRequest4@16 proc near	; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+145p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	esi, ecx
		mov	[ebp+var_4], edx
		cmp	dword ptr [edi], 0
		jz	loc_A5CD61
		mov	edi, [edi+4]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+4]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	[ebp+var_4], 0C0000016h
		mov	[edi+8], bl
		jz	short loc_A5CD5A
		mov	al, [esi+23h]
		mov	ebx, [esi+60h]
		cmp	al, [esi+22h]
		jg	short loc_A5CD30
		mov	al, [ebx]
		cmp	al, 3
		jz	short loc_A5CD15
		cmp	al, 4
		jnz	short loc_A5CD30

loc_A5CD15:				; CODE XREF: IovpCompleteRequest4(x,x,x,x)+48j
		cmp	dword ptr [esi+4], 0
		jz	short loc_A5CD30
		test	_MmVerifierData, 6000h
		jz	short loc_A5CD30
		mov	edx, esi
		mov	ecx, edi
		call	_MdlInvariantPostDriverCompletion@8 ; MdlInvariantPostDriverCompletion(x,x)

loc_A5CD30:				; CODE XREF: IovpCompleteRequest4(x,x,x,x)+42j
					; IovpCompleteRequest4(x,x,x,x)+4Cj ...
		cmp	dword ptr [edi+80h], 0
		jz	short loc_A5CD5A
		cmp	dword ptr [edi+24h], 0
		jl	short loc_A5CD5A
		test	byte ptr [ebx+3], 1
		jnz	short loc_A5CD5A
		mov	edx, [ebp+arg_0] ; int
		mov	ecx, 228h	; int
		push	esi		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		mov	eax, [esi+60h]
		or	byte ptr [eax+3], 1

loc_A5CD5A:				; CODE XREF: IovpCompleteRequest4(x,x,x,x)+37j
					; IovpCompleteRequest4(x,x,x,x)+70j ...
		mov	ecx, edi
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)

loc_A5CD61:				; CODE XREF: IovpCompleteRequest4(x,x,x,x)+14j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_IovpCompleteRequest4@16 endp


;  S U B	R O U T	I N E 


; __stdcall IovpCompleteRequest5(x)
_IovpCompleteRequest5@4	proc near	; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+150p
		mov	edi, edi
		push	edi
		mov	edi, [ecx]
		test	edi, edi
		jz	short loc_A5CD9E
		push	ebx
		push	esi
		mov	esi, [ecx+4]
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [esi+4]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, edi
		mov	[esi+8], bl
		call	_IovpSessionDataDereference@4 ;	IovpSessionDataDereference(x)
		lock dec dword ptr [esi+0Ch]
		mov	ecx, esi
		pop	esi
		pop	ebx
		pop	edi
		jmp	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)
; 

loc_A5CD9E:				; CODE XREF: IovpCompleteRequest5(x)+7j
		pop	edi
		retn
_IovpCompleteRequest5@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpExamineDevObjForwarding(x, x)
_IovpExamineDevObjForwarding@8 proc near ; CODE	XREF: IovpCallDriver1(x)+178p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		mov	esi, ecx
		test	edx, edx
		jnz	short loc_A5CDCF
		call	_IovUtilGetUpperDeviceObjectWithTag@8 ;	IovUtilGetUpperDeviceObjectWithTag(x,x)
		test	eax, eax
		jz	short loc_A5CDCA
		mov	edx, 49667256h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		push	4
		jmp	short loc_A5CE1E
; 

loc_A5CDCA:				; CODE XREF: IovpExamineDevObjForwarding(x,x)+18j
		xor	eax, eax
		inc	eax
		jmp	short loc_A5CE1F
; 

loc_A5CDCF:				; CODE XREF: IovpExamineDevObjForwarding(x,x)+Fj
		lea	eax, [ebp+var_4]
		push	eax
		call	_IovUtilRelateDeviceObjects@12 ; IovUtilRelateDeviceObjects(x,x,x)
		mov	eax, [ebp+var_4]
		sub	eax, 0
		jz	short loc_A5CE1C
		sub	eax, 1
		jz	short loc_A5CE18
		sub	eax, 1
		jz	short loc_A5CE1C
		sub	eax, 1
		jz	short loc_A5CE18
		sub	eax, 1
		jz	short loc_A5CE18
		sub	eax, 1
		jnz	short loc_A5CE1C
		mov	ecx, esi
		call	_IovUtilGetUpperDeviceObjectWithTag@8 ;	IovUtilGetUpperDeviceObjectWithTag(x,x)
		test	eax, eax
		jz	short loc_A5CE14
		mov	edx, 49667256h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag
		push	6
		jmp	short loc_A5CE1E
; 

loc_A5CE14:				; CODE XREF: IovpExamineDevObjForwarding(x,x)+62j
		push	5
		jmp	short loc_A5CE1E
; 

loc_A5CE18:				; CODE XREF: IovpExamineDevObjForwarding(x,x)+43j
					; IovpExamineDevObjForwarding(x,x)+4Dj	...
		push	3
		jmp	short loc_A5CE1E
; 

loc_A5CE1C:				; CODE XREF: IovpExamineDevObjForwarding(x,x)+3Ej
					; IovpExamineDevObjForwarding(x,x)+48j	...
		push	2

loc_A5CE1E:				; CODE XREF: IovpExamineDevObjForwarding(x,x)+28j
					; IovpExamineDevObjForwarding(x,x)+72j	...
		pop	eax

loc_A5CE1F:				; CODE XREF: IovpExamineDevObjForwarding(x,x)+2Dj
		pop	esi
		leave
		retn
_IovpExamineDevObjForwarding@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IovpExamineIrpStackForwarding(int,int,int,void *,int,int)
_IovpExamineIrpStackForwarding@32 proc near ; CODE XREF: IovpCallDriver1(x)+198p

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		test	edx, edx
		jz	short loc_A5CE39
		xor	edi, edi
		inc	edi
		xor	esi, esi
		jmp	loc_A5CEFC
; 

loc_A5CE39:				; CODE XREF: IovpExamineIrpStackForwarding(x,x,x,x,x,x,x,x)+Bj
		movzx	edi, byte ptr [ecx+6Eh]
		mov	ecx, [ebp+arg_4]
		movsx	eax, byte ptr [ecx+23h]
		mov	ecx, [ecx+60h]
		sub	edi, eax
		imul	eax, edi, 24h
		mov	[ebp+var_4], ecx
		lea	esi, [ecx-24h]
		add	esi, eax
		test	edi, edi
		jz	loc_A5CEFC
		push	3		; size_t
		push	esi		; void *
		push	[ebp+arg_C]	; void *
		call	_memcmp
		add	esp, 0Ch
		xor	ebx, ebx
		test	eax, eax
		lea	eax, [esi+4]
		setz	bl
		push	10h		; size_t
		push	eax		; void *
		mov	eax, [ebp+arg_C]
		add	eax, 4
		push	eax		; void *
		call	_memcmp
		xor	ecx, ecx
		add	esp, 0Ch
		test	eax, eax
		mov	eax, [ebp+arg_C]
		setz	cl
		and	ecx, ebx
		mov	eax, [eax+18h]
		sub	eax, [esi+18h]
		neg	eax
		sbb	eax, eax
		not	eax
		test	eax, ecx
		jz	short loc_A5CEFC
		mov	ebx, [ebp+arg_C]
		mov	ecx, [ebx+1Ch]
		cmp	ecx, [esi+1Ch]
		jnz	short loc_A5CEE7
		mov	eax, [ebx+20h]
		cmp	eax, [esi+20h]
		jnz	short loc_A5CEE7
		mov	al, [ebx+3]
		cmp	al, [esi+3]
		jnz	short loc_A5CEE7
		test	ecx, ecx
		jz	short loc_A5CEEB
		mov	ecx, [esi+14h]
		call	_IovUtilMultipleDevicesSameDriver@4 ; IovUtilMultipleDevicesSameDriver(x)
		test	eax, eax
		jnz	short loc_A5CEFC
		push	[ebp+arg_4]	; int
		mov	edx, [ebp+arg_8] ; int
		mov	ecx, 207h	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		and	dword ptr [ebx+1Ch], 0
		mov	byte ptr [ebx+3], 0
		jmp	short loc_A5CEFC
; 

loc_A5CEE7:				; CODE XREF: IovpExamineIrpStackForwarding(x,x,x,x,x,x,x,x)+89j
					; IovpExamineIrpStackForwarding(x,x,x,x,x,x,x,x)+91j ...
		test	ecx, ecx
		jnz	short loc_A5CEFC

loc_A5CEEB:				; CODE XREF: IovpExamineIrpStackForwarding(x,x,x,x,x,x,x,x)+9Dj
		mov	eax, [ebp+var_4]
		mov	dword ptr [eax-8], offset _IovpInternalCompletionTrap@12 ; IovpInternalCompletionTrap(x,x,x)
		mov	[eax-4], eax
		mov	byte ptr [eax-21h], 0E0h

loc_A5CEFC:				; CODE XREF: IovpExamineIrpStackForwarding(x,x,x,x,x,x,x,x)+12j
					; IovpExamineIrpStackForwarding(x,x,x,x,x,x,x,x)+34j ...
		mov	eax, [ebp+arg_10]
		mov	[eax], esi
		mov	eax, [ebp+arg_14]
		mov	[eax], edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_IovpExamineIrpStackForwarding@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpInternalCompletionTrap(x, x, x)
_IovpInternalCompletionTrap@12 proc near
					; DATA XREF: IovpExamineIrpStackForwarding(x,x,x,x,x,x,x,x)+CCo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		cmp	byte ptr [eax+21h], 0
		jz	short loc_A5CF22
		mov	eax, [eax+60h]
		or	byte ptr [eax+3], 1

loc_A5CF22:				; CODE XREF: IovpInternalCompletionTrap(x,x,x)+Cj
		xor	eax, eax
		pop	ebp
		retn	0Ch
_IovpInternalCompletionTrap@12 endp


;  S U B	R O U T	I N E 


; __stdcall IovpPacketFromIrp(x)
_IovpPacketFromIrp@4 proc near		; CODE XREF: IovpCallDriver1(x)+2Fp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	eax, [esi+8]
		and	eax, 0C0000000h
		jz	short loc_A5CF4B
		cmp	eax, 40000000h
		jnz	short loc_A5CF80
		mov	ecx, esi
		call	_VfIrpDatabaseEntryFindAndLock@4 ; VfIrpDatabaseEntryFindAndLock(x)
		mov	ecx, eax
		jmp	short loc_A5CF80
; 

loc_A5CF4B:				; CODE XREF: IovpPacketFromIrp(x)+Fj
		mov	ecx, esi
		call	_VfIrpDatabaseEntryFindAndLock@4 ; VfIrpDatabaseEntryFindAndLock(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_A5CF61
		or	dword ptr [esi+8], 40000000h
		jmp	short loc_A5CF80
; 

loc_A5CF61:				; CODE XREF: IovpPacketFromIrp(x)+2Ej
		mov	ecx, esi
		call	_VfPacketCreateAndLock@4 ; VfPacketCreateAndLock(x)
		mov	ecx, eax
		mov	eax, [esi+8]
		test	ecx, ecx
		jz	short loc_A5CF78
		or	eax, 40000000h
		jmp	short loc_A5CF7D
; 

loc_A5CF78:				; CODE XREF: IovpPacketFromIrp(x)+47j
		or	eax, 80000000h

loc_A5CF7D:				; CODE XREF: IovpPacketFromIrp(x)+4Ej
		mov	[esi+8], eax

loc_A5CF80:				; CODE XREF: IovpPacketFromIrp(x)+16j
					; IovpPacketFromIrp(x)+21j ...
		mov	eax, ecx
		pop	esi
		retn
_IovpPacketFromIrp@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall IovpValidateStatusInformation(int,int,int,int)
_IovpValidateStatusInformation@16 proc near ; CODE XREF: IovpCompleteRequest2(x,x)+171p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [edx+8]
		push	esi
		mov	esi, ecx
		test	al, 10h
		jz	short loc_A5CFF4
		test	al, 40h
		jz	short loc_A5CFF4
		test	al, 20h
		jz	short loc_A5CFF4
		mov	eax, [edx+18h]
		cmp	eax, 80000016h
		jz	short loc_A5CFF4
		mov	ecx, 0C0000000h
		and	eax, ecx
		cmp	eax, ecx
		jz	short loc_A5CFF4
		mov	ecx, [ebp+arg_0]
		movzx	eax, byte ptr [ecx]
		add	eax, 0FFFFFFFDh
		cmp	eax, 16h
		ja	short loc_A5CFF4
		movzx	eax, ds:byte_A5D008[eax]
		jmp	ds:off_A5CFFC[eax*4]

loc_A5CFCD:				; DATA XREF: PAGEVRFY:off_A5CFFCo
		mov	eax, [ecx+4]
		jmp	short loc_A5CFE1
; 

loc_A5CFD2:				; CODE XREF: IovpValidateStatusInformation(x,x,x,x)+42j
					; DATA XREF: PAGEVRFY:00A5D000o
		mov	eax, [esi+78h]
		test	eax, eax
		jz	short loc_A5CFF4
		cmp	eax, [edx+0Ch]
		jnz	short loc_A5CFF4
		mov	eax, [esi+7Ch]

loc_A5CFE1:				; CODE XREF: IovpValidateStatusInformation(x,x,x,x)+4Cj
		cmp	[edx+1Ch], eax
		jbe	short loc_A5CFF4
		push	edx		; int
		mov	edx, [ebp+arg_4] ; int
		mov	ecx, 312h	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A5CFF4:				; CODE XREF: IovpValidateStatusInformation(x,x,x,x)+Ej
					; IovpValidateStatusInformation(x,x,x,x)+12j ...
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
_IovpValidateStatusInformation@16 endp

; 
		align 4
off_A5CFFC	dd offset loc_A5CFCD	; DATA XREF: IovpValidateStatusInformation(x,x,x,x)+42r
		dd offset loc_A5CFD2
		dd offset loc_A5CFF4
byte_A5D008	db 0			; DATA XREF: IovpValidateStatusInformation(x,x,x,x)+3Br
		db 2, 0, 2
		dd 20200h, 1000002h, 2020201h, 2020202h
		db 2 dup(2), 0

;  S U B	R O U T	I N E 


; __fastcall VerifierIofCompleteRequest(x, x)
@VerifierIofCompleteRequest@8 proc near	; DATA XREF: PAGEVRFD:00AAB4F4o
		jmp	ds:_pXdvIofCompleteRequest
@VerifierIofCompleteRequest@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoAllocateDriverObjectExtension(x, x, x, x)
_VerifierIoAllocateDriverObjectExtension@16 proc near ;	DATA XREF: PAGEVRFD:00AAB5FCo

arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A5D044
		mov	eax, [ebp+arg_C]
		and	dword ptr [eax], 0
		mov	eax, 0C000009Ah
		pop	ebp
		retn	10h
; 

loc_A5D044:				; CODE XREF: VerifierIoAllocateDriverObjectExtension(x,x,x,x)+Ej
		pop	ebp
		jmp	ds:_pXdvIoAllocateDriverObjectExtension
_VerifierIoAllocateDriverObjectExtension@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoAllocateErrorLogEntry(x, x)
_VerifierIoAllocateErrorLogEntry@8 proc	near ; DATA XREF: PAGEVRFD:00AAB614o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A5D061
		xor	eax, eax
		pop	ebp
		retn	8
; 

loc_A5D061:				; CODE XREF: VerifierIoAllocateErrorLogEntry(x,x)+Ej
		pop	ebp
		jmp	ds:_pXdvIoAllocateErrorLogEntry
_VerifierIoAllocateErrorLogEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoAllocateIrp(x, x)
_VerifierIoAllocateIrp@8 proc near	; DATA XREF: PAGEVRFD:00AAAC24o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		cmp	[ebp+arg_4], 0
		jz	short loc_A5D0BD
		test	byte ptr _MmVerifierData, 8
		jz	short loc_A5D0BD
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	eax, ds:_PsIdleProcess
		jnz	short loc_A5D0A3
		push	esi
		mov	edx, 10Ah
		push	esi
		push	esi
		lea	ecx, [edx-46h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5D0A3:				; CODE XREF: VerifierIoAllocateIrp(x,x)+29j
		mov	al, large fs:235Ch
		test	al, 1
		jz	short loc_A5D0BD
		push	esi
		mov	edx, 10Bh
		push	esi
		push	esi
		lea	ecx, [edx-47h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5D0BD:				; CODE XREF: VerifierIoAllocateIrp(x,x)+Cj
					; VerifierIoAllocateIrp(x,x)+15j ...
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A5D0CC
		xor	eax, eax
		jmp	short loc_A5D0E1
; 

loc_A5D0CC:				; CODE XREF: VerifierIoAllocateIrp(x,x)+5Ej
		push	offset _IovAllocateIrp@16 ; IovAllocateIrp(x,x,x,x)
		push	dword ptr [ebp+4]
		push	dword ptr [ebp+arg_4]
		push	[ebp+arg_0]
		push	esi
		call	ds:_pXdvIoAllocateIrp ;	XdvIoAllocateIrp(x,x,x,x,x)

loc_A5D0E1:				; CODE XREF: VerifierIoAllocateIrp(x,x)+62j
		pop	esi
		pop	ebp
		retn	8
_VerifierIoAllocateIrp@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoAllocateMdl(x, x,	x, x, x)
_VerifierIoAllocateMdl@20 proc near	; DATA XREF: PAGEVRFD:00AAAC3Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _MmVerifierData
		test	eax, 400000h
		jz	short loc_A5D10A
		test	byte ptr dword_6FDE00, 8
		jnz	short loc_A5D10A
		test	al, 9
		jnz	short loc_A5D10A
		pop	ebp
		jmp	IoAllocateMdl
; 

loc_A5D10A:				; CODE XREF: VerifierIoAllocateMdl(x,x,x,x,x)+Fj
					; VerifierIoAllocateMdl(x,x,x,x,x)+18j	...
		push	offset _IovAllocateMdl@24 ; IovAllocateMdl(x,x,x,x,x,x)
		push	dword ptr [ebp+4]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvIoAllocateMdl ;	XdvIoAllocateMdl(x,x,x,x,x,x,x)
		pop	ebp
		retn	14h
_VerifierIoAllocateMdl@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoAllocateWorkItem(x)
_VerifierIoAllocateWorkItem@4 proc near	; DATA XREF: PAGEVRFD:00AAB62Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	offset _IovAllocateWorkItem@8 ;	IovAllocateWorkItem(x,x)
		push	dword ptr [ebp+4]
		push	[ebp+arg_0]
		call	ds:_pXdvIoAllocateWorkItem ; XdvIoAllocateWorkItem(x,x,x)
		pop	ebp
		retn	4
_VerifierIoAllocateWorkItem@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoConnectInterrupt(x, x, x,	x, x, x, x, x, x, x, x)
_VerifierIoConnectInterrupt@44 proc near ; DATA	XREF: PAGEVRFD:00AA89ACo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_28]
		mov	edx, [ebp+arg_4]
		push	[ebp+arg_24]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_VfCtxHookAndConnectInterrupt@44 ; VfCtxHookAndConnectInterrupt(x,x,x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	2Ch
_VerifierIoConnectInterrupt@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoConnectInterruptEx(x)
_VerifierIoConnectInterruptEx@4	proc near ; DATA XREF: PAGEVRFD:00AA89E4o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_VfCtxHookAndConnectInterruptEx@4 ; VfCtxHookAndConnectInterruptEx(x)
		pop	ebp
		retn	4
_VerifierIoConnectInterruptEx@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoDisconnectInterrupt(x)
_VerifierIoDisconnectInterrupt@4 proc near ; DATA XREF:	PAGEVRFD:00AA89C8o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		xor	esi, esi
		cmp	ds:_ViCtxInitializedIsrStateBlocks, esi
		jz	short loc_A5D19B
		mov	esi, [eax+18h]

loc_A5D19B:				; CODE XREF: VerifierIoDisconnectInterrupt(x)+11j
		push	eax
		call	ds:_pXdvIoDisconnectInterrupt
		test	esi, esi
		jz	short loc_A5D1AE
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A5D1AE:				; CODE XREF: VerifierIoDisconnectInterrupt(x)+1Fj
		pop	esi
		pop	ebp
		retn	4
_VerifierIoDisconnectInterrupt@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoDisconnectInterruptEx(x)
_VerifierIoDisconnectInterruptEx@4 proc	near ; DATA XREF: PAGEVRFD:00AA8A00o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_VfCtxUnhookAndDisconnectInterruptEx@4 ; VfCtxUnhookAndDisconnectInterruptEx(x)
		pop	ebp
		retn	4
_VerifierIoDisconnectInterruptEx@4 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierIoFreeIrp(x)
_VerifierIoFreeIrp@4 proc near		; DATA XREF: PAGEVRFD:00AAB4C4o
		jmp	ds:_pXdvIoFreeIrp
_VerifierIoFreeIrp@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoFreeMdl(x)
_VerifierIoFreeMdl@4 proc near		; DATA XREF: PAGEVRFD:00AAB4DCo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		movzx	edx, word ptr [esi+4]
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		test	_MmVerifierData, 800h
		jz	short loc_A5D20A
		movzx	ecx, word ptr [esi+6]
		mov	al, cl
		and	al, 11h
		cmp	al, 1
		jnz	short loc_A5D20A
		push	0
		movsx	eax, cx
		mov	edx, 0B8h
		push	eax
		push	esi
		lea	ecx, [edx+0Ch]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5D20A:				; CODE XREF: VerifierIoFreeMdl(x)+1Ej
					; VerifierIoFreeMdl(x)+2Aj
		push	esi
		call	ds:_pXdvIoFreeMdl
		pop	esi
		pop	ebp
		retn	4
_VerifierIoFreeMdl@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoInitializeWorkItem(x, x)
_VerifierIoInitializeWorkItem@8	proc near ; DATA XREF: PAGEVRFD:00AAB644o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, 800h
		push	esi
		mov	esi, [ebp+arg_4]
		test	_MmVerifierData, ebx
		jz	short loc_A5D27C
		push	edi
		call	_IoSizeofWorkItem@0 ; IoSizeofWorkItem()
		mov	edx, eax
		mov	ecx, esi
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		mov	ecx, esi
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		xor	edi, edi
		test	eax, eax
		jz	short loc_A5D259
		push	edi
		mov	edx, 130h
		push	edi
		push	esi
		lea	ecx, [edx-6Ch]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5D259:				; CODE XREF: VerifierIoInitializeWorkItem(x,x)+31j
		test	_MmVerifierData, ebx
		jz	short loc_A5D27B
		push	esi
		call	_MmIsNonPagedSystemAddressValid@4 ; MmIsNonPagedSystemAddressValid(x)
		test	al, al
		jnz	short loc_A5D27B
		push	edi
		mov	edx, 131h
		push	edi
		push	esi
		lea	ecx, [edx-6Dh]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5D27B:				; CODE XREF: VerifierIoInitializeWorkItem(x,x)+49j
					; VerifierIoInitializeWorkItem(x,x)+53j
		pop	edi

loc_A5D27C:				; CODE XREF: VerifierIoInitializeWorkItem(x,x)+15j
		push	esi
		push	[ebp+arg_0]
		call	ds:_pXdvIoInitializeWorkItem
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_VerifierIoInitializeWorkItem@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoSetCompletionRoutineEx(x,	x, x, x, x, x, x)
_VerifierIoSetCompletionRoutineEx@28 proc near ; DATA XREF: PAGEVRFD:00AAAC54o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A5D2A3
		mov	eax, 0C000009Ah
		jmp	short loc_A5D2FE
; 

loc_A5D2A3:				; CODE XREF: VerifierIoSetCompletionRoutineEx(x,x,x,x,x,x,x)+Ej
		push	ebx
		push	esi
		push	[ebp+arg_18]
		mov	esi, [ebp+arg_4]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	esi
		push	[ebp+arg_0]
		call	ds:_pXdvIoSetCompletionRoutineEx
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A5D2FA
		push	dword ptr [ebp+4]
		push	20h
		push	73556656h
		push	10h
		push	280h
		call	_VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A5D2FA
		mov	ecx, [esi+60h]
		push	edi
		mov	edi, eax
		mov	edx, [ecx-4]
		mov	esi, edx
		push	edx
		movsd
		movsd
		movsd
		movsd
		mov	[ecx-4], eax
		call	_VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)
		pop	edi

loc_A5D2FA:				; CODE XREF: VerifierIoSetCompletionRoutineEx(x,x,x,x,x,x,x)+39j
					; VerifierIoSetCompletionRoutineEx(x,x,x,x,x,x,x)+53j
		pop	esi
		mov	eax, ebx
		pop	ebx

loc_A5D2FE:				; CODE XREF: VerifierIoSetCompletionRoutineEx(x,x,x,x,x,x,x)+15j
		pop	ebp
		retn	1Ch
_VerifierIoSetCompletionRoutineEx@28 endp ; sp = -1Ch

; [00000006 BYTES: COLLAPSED FUNCTION VerifierIoWriteErrorLogEntry(x). PRESS KEYPAD "+"	TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPortIoAllocateIrp(x, x, x)
_VerifierPortIoAllocateIrp@12 proc near	; DATA XREF: .data:006B3730o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		cmp	byte ptr [ebp+arg_4], 0
		jz	short loc_A5D35D
		test	byte ptr _MmVerifierData, 8
		jz	short loc_A5D35D
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	eax, ds:_PsIdleProcess
		jnz	short loc_A5D343
		push	esi
		mov	edx, 10Ah
		push	esi
		push	esi
		lea	ecx, [edx-46h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5D343:				; CODE XREF: VerifierPortIoAllocateIrp(x,x,x)+29j
		mov	al, large fs:235Ch
		test	al, 1
		jz	short loc_A5D35D
		push	esi
		mov	edx, 10Bh
		push	esi
		push	esi
		lea	ecx, [edx-47h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5D35D:				; CODE XREF: VerifierPortIoAllocateIrp(x,x,x)+Cj
					; VerifierPortIoAllocateIrp(x,x,x)+15j	...
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A5D36C
		xor	eax, eax
		jmp	short loc_A5D381
; 

loc_A5D36C:				; CODE XREF: VerifierPortIoAllocateIrp(x,x,x)+5Ej
		push	offset _IovAllocateIrp@16 ; IovAllocateIrp(x,x,x,x)
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	esi
		call	ds:_pXdvIoAllocateIrp ;	XdvIoAllocateIrp(x,x,x,x,x)

loc_A5D381:				; CODE XREF: VerifierPortIoAllocateIrp(x,x,x)+62j
		pop	esi
		pop	ebp
		retn	0Ch
_VerifierPortIoAllocateIrp@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPortIoAllocateMdl(x, x, x, x, x, x)
_VerifierPortIoAllocateMdl@24 proc near	; DATA XREF: .data:006B372Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _MmVerifierData
		test	eax, 400000h
		jz	short loc_A5D3B1
		test	al, 9
		jnz	short loc_A5D3B1
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	IoAllocateMdl
		jmp	short loc_A5D3CE
; 

loc_A5D3B1:				; CODE XREF: VerifierPortIoAllocateMdl(x,x,x,x,x,x)+Fj
					; VerifierPortIoAllocateMdl(x,x,x,x,x,x)+13j
		push	offset _IovAllocateMdl@24 ; IovAllocateMdl(x,x,x,x,x,x)
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvIoAllocateMdl ;	XdvIoAllocateMdl(x,x,x,x,x,x,x)

loc_A5D3CE:				; CODE XREF: VerifierPortIoAllocateMdl(x,x,x,x,x,x)+29j
		pop	ebp
		retn	18h
_VerifierPortIoAllocateMdl@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPortIoAllocateWorkItem(x, x)
_VerifierPortIoAllocateWorkItem@8 proc near ; DATA XREF: .data:006B3734o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	offset _IovAllocateWorkItem@8 ;	IovAllocateWorkItem(x,x)
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvIoAllocateWorkItem ; XdvIoAllocateWorkItem(x,x,x)
		pop	ebp
		retn	8
_VerifierPortIoAllocateWorkItem@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfFastIoCheckState(x, x)
_VfFastIoCheckState@8 proc near		; CODE XREF: IopCompleteUnloadOrDelete+D41CAp
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+333p ...
		test	byte ptr _MmVerifierData, 10h
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jz	short loc_A5D47A
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jnz	short loc_A5D416
		push	0
		mov	edx, 0C3h
		push	0
		push	edi
		lea	ecx, [edx+1]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5D416:				; CODE XREF: VfFastIoCheckState(x,x)+16j
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A5D47A
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	[esi], al
		jz	short loc_A5D445
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		mov	ecx, 0C9h
		push	eax
		movzx	eax, byte ptr [esi]
		push	eax
		push	edi
		push	11h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5D445:				; CODE XREF: VfFastIoCheckState(x,x)+3Bj
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A5D47A
		mov	eax, large fs:124h
		mov	edx, [esi+4]
		cmp	edx, [eax+13Ch]
		jz	short loc_A5D47A
		mov	eax, large fs:124h
		push	edx
		mov	edx, 0C6h
		push	dword ptr [eax+13Ch]
		push	edi
		lea	ecx, [edx-2]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5D47A:				; CODE XREF: VfFastIoCheckState(x,x)+Dj
					; VfFastIoCheckState(x,x)+31j ...
		pop	edi
		mov	edx, esi
		mov	ecx, offset _ViIoCallbackStateLookaside
		pop	esi
		jmp	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
_VfFastIoCheckState@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfFastIoSnapState()
_VfFastIoSnapState@0 proc near		; CODE XREF: IopCompleteUnloadOrDelete:loc_5E82EEp
					; IopReadFile(x,x,x,x,x,x,x,x,x,x,x)+2FDp ...
		cmp	ds:_ViIoCallbacksInitialized, 0
		jz	short loc_A5D4BA
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A5D4BA
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jnz	short loc_A5D4B5
		xor	eax, eax
		mov	edx, 0C2h
		push	eax
		push	eax
		push	eax
		lea	ecx, [edx+7]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5D4B5:				; CODE XREF: VfFastIoSnapState()+19j
		jmp	_ViIoCallbackSnapState@0 ; ViIoCallbackSnapState()
; 

loc_A5D4BA:				; CODE XREF: VfFastIoSnapState()+7j
					; VfFastIoSnapState()+10j
		xor	eax, eax
		retn
; 

; __stdcall VfIoCallbacksInit()
_VfIoCallbacksInit@0:			; CODE XREF: VfInitVerifierComponents(x,x,x)+26Ap
		push	offset ExInitializeNPagedLookasideListInternal
		push	_VfInitializedWithoutReboot
		push	10h
		push	4F494656h
		push	8
		push	200h
		push	offset _VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)
		push	0
		push	offset _ViIoCallbackStateLookaside
		call	ds:_pXdvExInitializeNPagedLookasideList	; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	ecx, offset _ViIoCallbacksInitialized
		inc	eax
		xchg	eax, [ecx]
		retn
; 

; __stdcall VfIoCompletionCheckState(x,	x)
_VfIoCompletionCheckState@8:		; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+133p
		test	byte ptr _MmVerifierData, 10h
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		jz	short loc_A5D55D
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	[esi], al
		jz	short loc_A5D528
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		mov	edx, 0FAh
		push	eax
		movzx	eax, byte ptr [esi]
		push	eax
		push	ebx
		lea	ecx, [edx-36h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5D528:				; CODE XREF: VfFastIoSnapState()+82j
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A5D55D
		mov	eax, large fs:124h
		mov	edx, [esi+4]
		cmp	edx, [eax+13Ch]
		jz	short loc_A5D55D
		mov	eax, large fs:124h
		push	edx
		mov	edx, 0FBh
		push	dword ptr [eax+13Ch]
		push	ebx
		lea	ecx, [edx-37h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A5D55D:				; CODE XREF: VfFastIoSnapState()+78j
					; VfFastIoSnapState()+A7j ...
		mov	edx, esi
		mov	ecx, offset _ViIoCallbackStateLookaside
		pop	esi
		pop	ebx
		jmp	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
; 

; __stdcall VfIoCompletionSnapState()
_VfIoCompletionSnapState@0:		; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+DDp
		cmp	ds:_ViIoCallbacksInitialized, 0
		jz	short loc_A5D581
		test	byte ptr _MmVerifierData, 10h
		jnz	_ViIoCallbackSnapState@0 ; ViIoCallbackSnapState()

loc_A5D581:				; CODE XREF: VfFastIoSnapState()+EAj
		xor	eax, eax
		retn
; 

; __stdcall ViIoCallbackSnapState()
_ViIoCallbackSnapState@0:		; CODE XREF: VfFastIoSnapState():loc_A5D4B5j
					; VfFastIoSnapState()+F3j
		mov	edi, edi
		push	esi
		mov	ecx, offset _ViIoCallbackStateLookaside
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A5D5AF
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	ecx, large fs:124h
		mov	[esi], al
		mov	ecx, [ecx+13Ch]
		mov	[esi+4], ecx

loc_A5D5AF:				; CODE XREF: VfFastIoSnapState()+10Dj
		mov	eax, esi
		pop	esi
		retn
_VfFastIoSnapState@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ADD_MAP_REGISTERS(x, x, x)
_ADD_MAP_REGISTERS@12 proc near		; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+A3p
					; VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+8Fp ...

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	esi
		push	edi
		mov	edi, edx
		lea	eax, [ebx+58h]
		lock xadd [eax], edi
		add	edi, edx
		lea	eax, [ebx+54h]
		mov	esi, edx
		lock xadd [eax], esi
		mov	eax, [ebx+50h]
		cmp	edx, eax
		jbe	short loc_A5D609
		push	0		; int
		push	eax		; int
		push	edx		; char
		mov	esi, offset unk_6B67DC
		mov	edx, offset ??_C@_0DK@NOLCPOII@Allocating?5too?5many?5map?5registe@JKADOLAD@ ; int
		push	0Ch		; int
		mov	ecx, esi	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	esi		; int
		push	0		; int
		push	dword ptr [ebx+50h] ; int
		mov	ecx, 0E6h	; int
		push	[ebp+var_4]	; int
		push	0Ch
		pop	edx
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5D609:				; CODE XREF: ADD_MAP_REGISTERS(x,x,x)+27j
		cmp	[ebp+arg_0], 0
		jnz	short loc_A5D641
		mov	eax, [ebx+50h]
		cmp	edi, eax
		jbe	short loc_A5D641
		push	0		; int
		push	eax		; int
		push	edi		; char
		mov	esi, offset unk_6B67D8
		mov	edx, offset ??_C@_0DA@CMGHAJAF@Allocated?5too?5many?5map?5register@JKADOLAD@ ; int
		push	15h		; int
		mov	ecx, esi	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	esi		; int
		push	0		; int
		push	dword ptr [ebx+50h] ; int
		mov	ecx, 0E6h	; int
		push	edi		; int
		push	15h
		pop	edx
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5D641:				; CODE XREF: ADD_MAP_REGISTERS(x,x,x)+5Aj
					; ADD_MAP_REGISTERS(x,x,x)+61j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ADD_MAP_REGISTERS@12 endp


;  S U B	R O U T	I N E 


; __stdcall DECREMENT_ADAPTER_CHANNELS(x)
_DECREMENT_ADAPTER_CHANNELS@4 proc near	; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+145p
					; VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+157p ...
		mov	edi, edi
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		inc	edi
		lock xadd [esi+70h], edi
		inc	edi
		cmp	dword ptr [esi+78h], 3
		jnb	short loc_A5D698
		cmp	edi, [esi+6Ch]
		jz	short loc_A5D698
		push	ebx
		push	0		; int
		push	0		; int
		push	1		; char
		mov	ebx, offset unk_6B67BC
		mov	edx, offset ??_C@_0DJ@GDLHDGDG@Driver?5has?5freed?5too?5many?5simul@JKADOLAD@ ;	"Driver	has freed too many simultaneous	"...
		push	4		; int
		mov	ecx, ebx	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	ebx		; int
		xor	eax, eax
		mov	ecx, 0E6h	; int
		cmp	edi, [esi+6Ch]
		push	0		; int
		push	0		; int
		setnz	al
		push	eax		; int
		push	4
		pop	edx
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		pop	ebx

loc_A5D698:				; CODE XREF: DECREMENT_ADAPTER_CHANNELS(x)+13j
					; DECREMENT_ADAPTER_CHANNELS(x)+18j
		pop	edi
		pop	esi
		retn
_DECREMENT_ADAPTER_CHANNELS@4 endp


;  S U B	R O U T	I N E 


; __stdcall DECREMENT_COMMON_BUFFERS(x)
_DECREMENT_COMMON_BUFFERS@4 proc near	; CODE XREF: VfFreeCommonBuffer(x,x,x,x,x,x)+69p
					; ViSpecialFreeCommonBuffer(x,x,x,x)+AAp
		mov	edi, edi
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		inc	esi
		lock xadd [edi+68h], esi
		inc	esi
		mov	ecx, [edi+64h]
		cmp	esi, ecx
		jbe	short loc_A5D6E5
		push	ebx
		push	0		; int
		push	0		; int
		mov	eax, esi
		mov	ebx, offset unk_6B67B8
		sub	eax, ecx
		mov	edx, offset ??_C@_0BP@HDCOJAJB@Freed?5too?5many?5common?5buffers?4@JKADOLAD@ ; "Freed too many common buffers."
		push	eax		; char
		push	3		; int
		mov	ecx, ebx	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		sub	esi, [edi+64h]
		mov	ecx, 0E6h	; int
		push	ebx		; int
		push	0		; int
		push	0		; int
		push	esi		; int
		push	3
		pop	edx
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		pop	ebx

loc_A5D6E5:				; CODE XREF: DECREMENT_COMMON_BUFFERS(x)+14j
		pop	edi
		pop	esi
		retn
_DECREMENT_COMMON_BUFFERS@4 endp


;  S U B	R O U T	I N E 


; __stdcall DECREMENT_SCATTER_GATHER_LISTS(x)
_DECREMENT_SCATTER_GATHER_LISTS@4 proc near
					; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+13Cp
					; VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+302p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		or	esi, 0FFFFFFFFh
		lock xadd [edi+60h], esi
		dec	esi
		jns	short loc_A5D732
		mov	edx, [edi+5Ch]	; int
		mov	eax, edx
		push	ebx
		push	0		; int
		sub	eax, esi
		mov	ebx, offset unk_6B67C0
		push	eax		; int
		push	edx		; char
		push	6		; int
		mov	edx, offset ??_C@_0EH@BDLHAGJH@Driver?5has?5freed?5too?5many?5scatt@JKADOLAD@ ;	"Driver	has freed too many scatter gathe"...
		mov	ecx, ebx	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		mov	ecx, [edi+5Ch]
		mov	eax, ecx
		push	ebx		; int
		push	0		; int
		sub	eax, esi
		push	eax		; int
		push	ecx		; int
		push	6
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		pop	ebx

loc_A5D732:				; CODE XREF: DECREMENT_SCATTER_GATHER_LISTS(x)+Fj
		pop	edi
		pop	esi
		retn
_DECREMENT_SCATTER_GATHER_LISTS@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall INCREASE_MAPPED_TRANSFER_BYTE_COUNT(x, x, x)
_INCREASE_MAPPED_TRANSFER_BYTE_COUNT@12	proc near
					; CODE XREF: VfMapTransfer(x,x,x,x,x,x)+109p
					; VfMapTransferEx(x,x,x,x,x,x,x,x,x,x,x,x)+B1p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ecx+58h]
		lea	eax, [ecx+74h]
		shl	edi, 0Ch
		mov	esi, edx
		lock xadd [eax], esi
		add	esi, edx
		cmp	[ebp+arg_0], 0
		jnz	short loc_A5D782
		cmp	esi, edi
		jbe	short loc_A5D782
		push	ebx
		push	0		; int
		push	edi		; int
		push	esi		; char
		mov	ebx, offset unk_6B67B0
		mov	edx, offset ??_C@_0ED@LALDMKKB@Driver?5did?5not?5flush?5adapter?5bu@JKADOLAD@ ;	"Driver	did not	flush adapter buffers --"...
		push	0Dh		; int
		mov	ecx, ebx	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	ebx		; int
		push	0		; int
		push	edi		; int
		push	esi		; int
		push	0Dh
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		pop	ebx

loc_A5D782:				; CODE XREF: INCREASE_MAPPED_TRANSFER_BYTE_COUNT(x,x,x)+1Cj
					; INCREASE_MAPPED_TRANSFER_BYTE_COUNT(x,x,x)+20j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_INCREASE_MAPPED_TRANSFER_BYTE_COUNT@12	endp


;  S U B	R O U T	I N E 


; __stdcall INCREMENT_ADAPTER_CHANNELS(x)
_INCREMENT_ADAPTER_CHANNELS@4 proc near	; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+98p
					; VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+83p
		mov	edi, edi
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		inc	esi
		lock xadd [edi+6Ch], esi
		inc	esi
		cmp	dword ptr [edi+78h], 3
		jnb	short loc_A5D7DB
		mov	ecx, [edi+70h]
		lea	eax, [ecx+1]
		cmp	esi, eax
		jz	short loc_A5D7DB
		push	ebx
		push	0		; int
		push	0		; int
		mov	eax, esi
		mov	ebx, offset unk_6B67C4
		sub	eax, ecx
		mov	edx, offset ??_C@_0DN@EBMPKFDN@Driver?5has?5allocated?5too?5many?5s@JKADOLAD@ ;	"Driver	has allocated too many simultane"...
		push	eax		; char
		push	0Bh		; int
		mov	ecx, ebx	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		sub	esi, [edi+70h]
		mov	ecx, 0E6h	; int
		push	ebx		; int
		push	0		; int
		push	0		; int
		push	esi		; int
		push	0Bh
		pop	edx
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		pop	ebx

loc_A5D7DB:				; CODE XREF: INCREMENT_ADAPTER_CHANNELS(x)+13j
					; INCREMENT_ADAPTER_CHANNELS(x)+1Dj
		pop	edi
		pop	esi
		retn
_INCREMENT_ADAPTER_CHANNELS@4 endp


;  S U B	R O U T	I N E 


; __stdcall SUBTRACT_MAP_REGISTERS(x, x)
_SUBTRACT_MAP_REGISTERS@8 proc near	; CODE XREF: ViFlushZeroMapRegisterBaseWcbs(x)+73p
					; VfAllocateAdapterChannel(x,x,x,x,x)+14Fp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		neg	esi
		lea	eax, [edi+58h]
		lock xadd [eax], esi
		sub	esi, edx
		jns	short loc_A5D822
		push	ebx
		push	0		; int
		push	0		; int
		neg	esi
		mov	ebx, offset unk_6B67B4
		push	esi		; char
		push	5		; int
		mov	edx, offset ??_C@_0CD@DFOPLOLM@Freed?5too?5many?5map?5registers?3?5?9@JKADOLAD@	; int
		mov	ecx, ebx	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	ebx		; int
		push	0		; int
		push	0		; int
		push	esi		; int
		push	5
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		pop	ebx

loc_A5D822:				; CODE XREF: SUBTRACT_MAP_REGISTERS(x,x)+13j
		xor	ecx, ecx
		lea	eax, [edi+74h]
		xchg	ecx, [eax]
		pop	edi
		pop	esi
		retn
_SUBTRACT_MAP_REGISTERS@8 endp


;  S U B	R O U T	I N E 


; __stdcall VERIFY_BUFFER_LOCKED(x)
_VERIFY_BUFFER_LOCKED@4	proc near	; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+56p
					; VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+27Cp ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, 804h
		push	edi
		mov	ax, [esi+6]
		and	ax, cx
		mov	ecx, esi
		movzx	edi, ax
		call	_MmAreMdlPagesLocked@4 ; MmAreMdlPagesLocked(x)
		test	eax, eax
		jnz	short loc_A5D87C
		test	di, di
		jnz	short loc_A5D87C
		push	ebx
		xor	ebx, ebx
		mov	edi, offset unk_6B67A4
		push	ebx		; int
		push	ebx		; int
		push	esi		; char
		push	0Eh		; int
		mov	edx, (offset loc_A57BC6+2) ; int
		mov	ecx, edi	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	edi		; int
		push	ebx		; int
		push	ebx		; int
		push	esi		; int
		push	0Eh
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		pop	ebx

loc_A5D87C:				; CODE XREF: VERIFY_BUFFER_LOCKED(x)+1Ej
					; VERIFY_BUFFER_LOCKED(x)+23j
		pop	edi
		pop	esi
		retn
_VERIFY_BUFFER_LOCKED@4	endp


;  S U B	R O U T	I N E 


; __stdcall VF_ASSERT_IRQL(x)
_VF_ASSERT_IRQL@4 proc near		; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+2Fp
					; VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+20p ...
		mov	edi, edi
		push	ebx
		mov	bl, cl
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, bl
		jz	short loc_A5D8C4
		push	esi
		push	edi
		movzx	esi, al
		mov	edx, offset ??_C@_0BP@JBIBOOJN@Bad?5IRQL?5?9?9?5needed?5?$CFx?0?5got?5?$CFx?4@JKADOLAD@	; "Bad IRQL -- needed %x, got %x."
		push	esi		; int
		movzx	edi, bl
		mov	ebx, offset unk_6B67C8
		push	edi		; int
		push	1		; char
		push	10000013h	; int
		mov	ecx, ebx	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	ebx		; int
		push	esi		; int
		push	edi		; int
		push	1		; int
		push	13h
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		pop	edi
		pop	esi

loc_A5D8C4:				; CODE XREF: VF_ASSERT_IRQL(x)+Dj
		pop	ebx
		retn
_VF_ASSERT_IRQL@4 endp


;  S U B	R O U T	I N E 


; __stdcall VF_ASSERT_MAX_IRQL(x)
_VF_ASSERT_MAX_IRQL@4 proc near		; CODE XREF: VfFlushAdapterBuffers(x,x,x,x,x,x)+2Ep
					; VfFlushAdapterBuffersEx(x,x,x,x,x,x,x)+24p ...
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jbe	short locret_A5D905
		push	esi
		push	edi
		movzx	esi, al
		mov	edi, offset unk_6B67CC
		push	esi		; int
		push	2		; int
		push	2		; char
		push	10000013h	; int
		mov	edx, offset ??_C@_0CH@OICBHBJF@Bad?5IRQL?5?9?9?5needed?5?$CFx?5or?5less?0?5@JKADOLAD@ ;	int
		mov	ecx, edi	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	edi		; int
		push	esi		; int
		push	2		; int
		push	2		; int
		push	13h
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		pop	edi
		pop	esi

locret_A5D905:				; CODE XREF: VF_ASSERT_MAX_IRQL(x)+8j
		retn
_VF_ASSERT_MAX_IRQL@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VF_FIND_BUFFER(x, x)
_VF_FIND_BUFFER@8 proc near		; CODE XREF: ViSpecialFreeCommonBuffer(x,x,x,x)+14p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], edx
		mov	ebx, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [ebx+8]
		mov	[ebp+var_1], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebx]
		lea	esi, [ecx-24h]
		cmp	ebx, ecx
		jz	short loc_A5D94A
		mov	edx, [ebp+var_8]

loc_A5D934:				; CODE XREF: VF_FIND_BUFFER(x,x)+42j
		movzx	eax, word ptr [esi]
		add	eax, [esi+0Ch]
		cmp	eax, edx
		jz	short loc_A5D95F
		mov	esi, [ecx]
		sub	esi, 24h
		lea	ecx, [esi+24h]
		cmp	ebx, ecx
		jnz	short loc_A5D934

loc_A5D94A:				; CODE XREF: VF_FIND_BUFFER(x,x)+29j
		test	ds:byte_70EFC6,	1
		jz	short loc_A5D97B
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5D980
; 

loc_A5D95F:				; CODE XREF: VF_FIND_BUFFER(x,x)+36j
		test	ds:byte_70EFC6,	1
		jz	short loc_A5D974
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5D982
; 

loc_A5D974:				; CODE XREF: VF_FIND_BUFFER(x,x)+60j
		xor	eax, eax
		lock and [edi],	eax
		jmp	short loc_A5D982
; 

loc_A5D97B:				; CODE XREF: VF_FIND_BUFFER(x,x)+4Bj
		xor	eax, eax
		lock and [edi],	eax

loc_A5D980:				; CODE XREF: VF_FIND_BUFFER(x,x)+57j
		xor	esi, esi

loc_A5D982:				; CODE XREF: VF_FIND_BUFFER(x,x)+6Cj
					; VF_FIND_BUFFER(x,x)+73j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_VF_FIND_BUFFER@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VF_FIND_DEVICE_INFORMATION_AND_REMOVE(x)
_VF_FIND_DEVICE_INFORMATION_AND_REMOVE@4 proc near ; CODE XREF:	VfHalDeleteDevice(x)+3Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_AB06E0
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, ds:_ViAdapterList
		mov	edx, offset _ViAdapterList
		jmp	short loc_A5D9C5
; 

loc_A5D9BC:				; CODE XREF: VF_FIND_DEVICE_INFORMATION_AND_REMOVE(x)+35j
		mov	ecx, [eax]
		cmp	[eax+0Ch], edi
		jz	short loc_A5D9E1
		mov	eax, ecx

loc_A5D9C5:				; CODE XREF: VF_FIND_DEVICE_INFORMATION_AND_REMOVE(x)+28j
		cmp	eax, edx
		jnz	short loc_A5D9BC

loc_A5D9C9:				; CODE XREF: VF_FIND_DEVICE_INFORMATION_AND_REMOVE(x)+62j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_AB06E0
		jz	short loc_A5D9FB
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5DA00
; 

loc_A5D9E1:				; CODE XREF: VF_FIND_DEVICE_INFORMATION_AND_REMOVE(x)+2Fj
		mov	esi, eax
		mov	edx, [eax+4]
		cmp	[ecx+4], eax
		jnz	short loc_A5D9F6
		cmp	[edx], eax
		jnz	short loc_A5D9F6
		mov	[edx], ecx
		mov	[ecx+4], edx
		jmp	short loc_A5D9C9
; 

loc_A5D9F6:				; CODE XREF: VF_FIND_DEVICE_INFORMATION_AND_REMOVE(x)+57j
					; VF_FIND_DEVICE_INFORMATION_AND_REMOVE(x)+5Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A5D9FB:				; CODE XREF: VF_FIND_DEVICE_INFORMATION_AND_REMOVE(x)+43j
		xor	eax, eax
		lock and [ecx],	eax

loc_A5DA00:				; CODE XREF: VF_FIND_DEVICE_INFORMATION_AND_REMOVE(x)+4Dj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_VF_FIND_DEVICE_INFORMATION_AND_REMOVE@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VF_FIND_INACTIVE_ADAPTER_AND_REMOVE(x)
_VF_FIND_INACTIVE_ADAPTER_AND_REMOVE@4 proc near ; CODE	XREF: VfGetDmaAdapter(x,x,x)+74p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_AB06E0
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, ds:_ViAdapterList
		mov	ecx, offset _ViAdapterList
		jmp	short loc_A5DA4B
; 

loc_A5DA39:				; CODE XREF: VF_FIND_INACTIVE_ADAPTER_AND_REMOVE(x)+3Ej
		cmp	[eax+0Ch], edi
		jnz	short loc_A5DA49
		cmp	[eax+14h], esi
		jle	short loc_A5DA67
		cmp	byte ptr [eax+10h], 1
		jz	short loc_A5DA67

loc_A5DA49:				; CODE XREF: VF_FIND_INACTIVE_ADAPTER_AND_REMOVE(x)+2Dj
		mov	eax, [eax]

loc_A5DA4B:				; CODE XREF: VF_FIND_INACTIVE_ADAPTER_AND_REMOVE(x)+28j
		cmp	eax, ecx
		jnz	short loc_A5DA39

loc_A5DA4F:				; CODE XREF: VF_FIND_INACTIVE_ADAPTER_AND_REMOVE(x)+6Dj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_AB06E0
		jz	short loc_A5DA83
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5DA88
; 

loc_A5DA67:				; CODE XREF: VF_FIND_INACTIVE_ADAPTER_AND_REMOVE(x)+32j
					; VF_FIND_INACTIVE_ADAPTER_AND_REMOVE(x)+38j
		mov	edx, [eax]
		mov	esi, eax
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_A5DA7E
		cmp	[ecx], eax
		jnz	short loc_A5DA7E
		mov	[ecx], edx
		mov	[edx+4], ecx
		jmp	short loc_A5DA4F
; 

loc_A5DA7E:				; CODE XREF: VF_FIND_INACTIVE_ADAPTER_AND_REMOVE(x)+62j
					; VF_FIND_INACTIVE_ADAPTER_AND_REMOVE(x)+66j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A5DA83:				; CODE XREF: VF_FIND_INACTIVE_ADAPTER_AND_REMOVE(x)+4Cj
		xor	eax, eax
		lock and [ecx],	eax

loc_A5DA88:				; CODE XREF: VF_FIND_INACTIVE_ADAPTER_AND_REMOVE(x)+56j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_VF_FIND_INACTIVE_ADAPTER_AND_REMOVE@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VF_MARK_FOR_DEFERRED_REMOVE(x)
_VF_MARK_FOR_DEFERRED_REMOVE@4 proc near ; CODE	XREF: VfHalDeleteDevice(x)+2Ej
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset dword_AB06E0
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, ds:_ViAdapterList
		mov	eax, offset _ViAdapterList
		jmp	short loc_A5DACD
; 

loc_A5DAC2:				; CODE XREF: VF_MARK_FOR_DEFERRED_REMOVE(x)+38j
		cmp	[edx+0Ch], esi
		jnz	short loc_A5DACB
		mov	byte ptr [edx+10h], 1

loc_A5DACB:				; CODE XREF: VF_MARK_FOR_DEFERRED_REMOVE(x)+2Ej
		mov	edx, [edx]

loc_A5DACD:				; CODE XREF: VF_MARK_FOR_DEFERRED_REMOVE(x)+29j
		cmp	edx, eax
		jnz	short loc_A5DAC2
		test	ds:byte_70EFC6,	1
		jz	short loc_A5DAE6
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5DAEB
; 

loc_A5DAE6:				; CODE XREF: VF_MARK_FOR_DEFERRED_REMOVE(x)+41j
		xor	eax, eax
		lock and [edi],	eax

loc_A5DAEB:				; CODE XREF: VF_MARK_FOR_DEFERRED_REMOVE(x)+4Dj
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_VF_MARK_FOR_DEFERRED_REMOVE@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfAllocateAdapterChannel(x,	x, x, x, x)
_VfAllocateAdapterChannel@20 proc near	; DATA XREF: PAGEVRFD:00AA8120o
					; PAGEVRFD:00AAAEC4o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	10h
		pop	edx
		xor	edi, edi
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	[ebp+var_4], eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A5DBB5
		mov	cl, 2
		call	_VF_ASSERT_IRQL@4 ; VF_ASSERT_IRQL(x)
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A5DB45
		mov	eax, 0C000009Ah
		jmp	loc_A5DC68
; 

loc_A5DB45:				; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+42j
		push	54h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+arg_10]
		add	esp, 0Ch
		mov	ebx, [ebp+arg_8]
		mov	[edi], eax
		mov	eax, [ebp+arg_C]
		mov	[edi+4], eax
		mov	[edi+20h], esi
		mov	[edi+18h], ebx
		cmp	byte ptr [esi+11h], 0
		jnz	short loc_A5DB7E
		cmp	dword ptr [esi+78h], 3
		jnb	short loc_A5DB7E
		mov	edx, ebx
		mov	ecx, esi
		call	_ViAllocateMapRegisterFile@8 ; ViAllocateMapRegisterFile(x,x)
		mov	[edi+34h], eax

loc_A5DB7E:				; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+73j
					; VfAllocateAdapterChannel(x,x,x,x,x)+79j
		cmp	dword ptr [esi+0Ch], 0
		jnz	short loc_A5DB8A
		mov	eax, [ebp+arg_4]
		mov	[esi+0Ch], eax

loc_A5DB8A:				; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+8Bj
		mov	ecx, esi
		mov	[ebp+arg_10], edi
		call	_INCREMENT_ADAPTER_CHANNELS@4 ;	INCREMENT_ADAPTER_CHANNELS(x)
		push	0
		mov	edx, ebx
		mov	ecx, esi
		call	_ADD_MAP_REGISTERS@12 ;	ADD_MAP_REGISTERS(x,x,x)
		lea	ebx, [esi+4Ch]
		push	ebx
		lea	edx, [edi+28h]
		lea	ecx, [esi+44h]
		call	@ExfInterlockedInsertTailList@12 ; ExfInterlockedInsertTailList(x,x,x)
		mov	eax, offset _ViAdapterCallback@16 ; ViAdapterCallback(x,x,x,x)
		jmp	short loc_A5DBC1
; 

loc_A5DBB5:				; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+27j
		mov	eax, [ebp+arg_10]
		lea	ebx, [esi+4Ch]
		mov	[ebp+arg_10], eax
		mov	eax, [ebp+arg_C]

loc_A5DBC1:				; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+BCj
		push	[ebp+arg_10]
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	[ebp+var_4]
		mov	[ebp+arg_10], eax
		test	esi, esi
		jz	loc_A5DC68
		test	eax, eax
		jz	loc_A5DC68
		mov	edx, edi
		mov	ecx, esi
		call	_ViIsActiveChannelWcb@8	; ViIsActiveChannelWcb(x,x)
		test	al, al
		jz	short loc_A5DC65
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, ebx
		mov	byte ptr [ebp+arg_0+3],	al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [edi+28h]
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		cmp	[eax+4], ecx
		jnz	short loc_A5DC6F
		cmp	[edx], ecx
		jnz	short loc_A5DC6F
		mov	[edx], eax
		mov	[eax+4], edx
		test	ds:byte_70EFC6,	1
		jz	short loc_A5DC2C
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5DC31
; 

loc_A5DC2C:				; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+127j
		xor	eax, eax
		lock and [ebx],	eax

loc_A5DC31:				; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+133j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, esi
		call	_DECREMENT_ADAPTER_CHANNELS@4 ;	DECREMENT_ADAPTER_CHANNELS(x)
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_SUBTRACT_MAP_REGISTERS@8 ; SUBTRACT_MAP_REGISTERS(x,x)
		mov	edx, [edi+34h]
		test	edx, edx
		jz	short loc_A5DC59
		mov	ecx, esi
		call	_ViFreeMapRegisterFile@8 ; ViFreeMapRegisterFile(x,x)

loc_A5DC59:				; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+159j
		mov	edx, edi
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)

loc_A5DC65:				; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+F8j
		mov	eax, [ebp+arg_10]

loc_A5DC68:				; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+49j
					; VfAllocateAdapterChannel(x,x,x,x,x)+DFj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_A5DC6F:				; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+115j
					; VfAllocateAdapterChannel(x,x,x,x,x)+119j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_VfAllocateAdapterChannel@20 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfAllocateAdapterChannelEx(x, x, x,	x, x, x, x, x)
_VfAllocateAdapterChannelEx@32 proc near ; DATA	XREF: PAGEVRFD:00AA8160o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A5DD19
		mov	cl, 2
		call	_VF_ASSERT_IRQL@4 ; VF_ASSERT_IRQL(x)
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A5DCB3
		mov	eax, 0C000009Ah
		jmp	loc_A5DD76
; 

loc_A5DCB3:				; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+33j
		push	54h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	eax, [ebp+arg_18]
		add	esp, 0Ch
		mov	ebx, [ebp+arg_14]
		mov	ecx, [ebp+arg_C]
		mov	[esi], eax
		mov	[ebp+arg_18], eax
		mov	eax, [ebp+arg_8]
		mov	[esi+4], ebx
		mov	[esi+20h], edi
		mov	[esi+18h], ecx
		mov	[esi+14h], eax
		cmp	dword ptr [edi+0Ch], 0
		jnz	short loc_A5DCE9
		mov	eax, [ebp+arg_4]
		mov	[edi+0Ch], eax

loc_A5DCE9:				; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+6Dj
		test	ebx, ebx
		jz	short loc_A5DCF5
		mov	ebx, offset _ViAdapterCallback@16 ; ViAdapterCallback(x,x,x,x)
		mov	[ebp+arg_18], esi

loc_A5DCF5:				; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+77j
		mov	ecx, edi
		call	_INCREMENT_ADAPTER_CHANNELS@4 ;	INCREMENT_ADAPTER_CHANNELS(x)
		mov	edx, [ebp+arg_C]
		mov	ecx, edi
		push	1
		call	_ADD_MAP_REGISTERS@12 ;	ADD_MAP_REGISTERS(x,x,x)
		lea	eax, [edi+4Ch]
		push	eax
		lea	edx, [esi+28h]
		lea	ecx, [edi+44h]
		call	@ExfInterlockedInsertTailList@12 ; ExfInterlockedInsertTailList(x,x,x)
		jmp	short loc_A5DD22
; 

loc_A5DD19:				; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+18j
		mov	eax, [ebp+arg_18]
		mov	ebx, [ebp+arg_14]
		mov	[ebp+arg_18], eax

loc_A5DD22:				; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+A3j
		mov	ecx, [ebp+arg_0]
		push	50h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		push	[ebp+arg_1C]
		mov	ecx, [ebp+arg_C]
		push	[ebp+arg_18]
		push	ebx
		push	[ebp+arg_10]
		push	ecx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax
		mov	[ebp+arg_18], eax
		test	edi, edi
		jz	short loc_A5DD73
		mov	edx, esi
		mov	ecx, edi
		call	_ViIsActiveChannelWcb@8	; ViIsActiveChannelWcb(x,x)
		test	al, al
		jz	short loc_A5DD73
		cmp	[ebp+arg_18], 0
		jnz	short loc_A5DD7D
		test	ebx, ebx
		jnz	short loc_A5DD73
		mov	eax, [ebp+arg_1C]
		mov	dword ptr [esi+1Ch], 1
		mov	eax, [eax]
		mov	[esi+30h], eax

loc_A5DD73:				; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+D7j
					; VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+E4j ...
		mov	eax, [ebp+arg_18]

loc_A5DD76:				; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+3Aj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	20h
; 

loc_A5DD7D:				; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+EAj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [edi+4Ch]
		mov	byte ptr [ebp+arg_0+3],	al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [esi+28h]
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		cmp	[eax+4], ecx
		jnz	short loc_A5DDE8
		cmp	[edx], ecx
		jnz	short loc_A5DDE8
		mov	[edx], eax
		mov	[eax+4], edx
		test	ds:byte_70EFC6,	1
		jz	short loc_A5DDBB
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5DDC0
; 

loc_A5DDBB:				; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+139j
		xor	eax, eax
		lock and [ebx],	eax

loc_A5DDC0:				; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+145j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	_DECREMENT_ADAPTER_CHANNELS@4 ;	DECREMENT_ADAPTER_CHANNELS(x)
		mov	edx, [ebp+arg_C]
		mov	ecx, edi
		call	_SUBTRACT_MAP_REGISTERS@8 ; SUBTRACT_MAP_REGISTERS(x,x)
		mov	edx, esi
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_A5DD73
; 

loc_A5DDE8:				; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+127j
					; VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+12Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall VfAllocateCommonBuffer(x, x, x, x)
_VfAllocateCommonBuffer@16:		; DATA XREF: PAGEVRFD:00AA8118o
					; PAGEVRFD:00AAAE94o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	8
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	edi, eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A5DE44
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_RtlGetCallersAddress@8	; RtlGetCallersAddress(x,x)
		xor	cl, cl
		call	_VF_ASSERT_IRQL@4 ; VF_ASSERT_IRQL(x)
		push	[ebp+arg_C]	; int
		mov	edx, esi	; int
		mov	ecx, edi	; int
		push	[ebp+arg_8]	; int
		push	[ebp+arg_4]	; int
		push	[ebp+var_4]	; int
		call	_ViSpecialAllocateCommonBuffer@24 ; ViSpecialAllocateCommonBuffer(x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_A5DE5E

loc_A5DE44:				; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+1A1j
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	edi
		test	eax, eax
		jz	short loc_A5DE5E
		test	esi, esi
		jz	short loc_A5DE5E
		lock inc dword ptr [esi+64h]

loc_A5DE5E:				; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+1CEj
					; VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+1E0j ...
		pop	edi
		pop	esi
		leave
		retn	10h
_VfAllocateAdapterChannelEx@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfAllocateCommonBufferEx(x,	x, x, x, x, x)
_VfAllocateCommonBufferEx@24 proc near	; DATA XREF: PAGEVRFD:00AA815Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		push	edi
		push	4Ch
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	esi, eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		push	[ebp+arg_14]
		mov	edi, eax
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	esi
		test	eax, eax
		jz	short loc_A5DEA4
		test	edi, edi
		jz	short loc_A5DEA4
		lock inc dword ptr [edi+64h]

loc_A5DEA4:				; CODE XREF: VfAllocateCommonBufferEx(x,x,x,x,x,x)+36j
					; VfAllocateCommonBufferEx(x,x,x,x,x,x)+3Aj
		pop	edi
		pop	esi
		pop	ebp
		retn	18h
_VfAllocateCommonBufferEx@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfAllocateCommonBufferVector(x, x, x, x, x,	x, x, x, x, x, x, x)
_VfAllocateCommonBufferVector@48 proc near ; DATA XREF:	PAGEVRFD:00AA819Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 8Ch
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		push	[ebp+arg_2C]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax
		pop	ebp
		retn	30h
_VfAllocateCommonBufferVector@48 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfAllocateCommonBufferWithBounds(x,	x, x, x, x, x, x, x)
_VfAllocateCommonBufferWithBounds@32 proc near ; DATA XREF: PAGEVRFD:00AA8198o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 88h
		push	esi
		push	edi
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	esi, eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		push	[ebp+arg_1C]
		mov	edi, eax
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	esi
		test	eax, eax
		jz	short loc_A5DF2E
		test	edi, edi
		jz	short loc_A5DF2E
		lock inc dword ptr [edi+64h]

loc_A5DF2E:				; CODE XREF: VfAllocateCommonBufferWithBounds(x,x,x,x,x,x,x,x)+3Ej
					; VfAllocateCommonBufferWithBounds(x,x,x,x,x,x,x,x)+42j
		pop	edi
		pop	esi
		pop	ebp
		retn	20h
_VfAllocateCommonBufferWithBounds@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfAllocateCrashDumpRegisters(x, x)
_VfAllocateCrashDumpRegisters@8	proc near ; DATA XREF: PAGEVRFD:00AAAE4Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jbe	short loc_A5DF48
		call	_VfDisableHalVerifier@0	; VfDisableHalVerifier()

loc_A5DF48:				; CODE XREF: VfAllocateCrashDumpRegisters(x,x)+Dj
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		push	ebx
		push	edi
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		push	[ebp+arg_4]
		mov	ebx, eax
		push	[ebp+arg_0]
		call	ds:__imp__HalAllocateCrashDumpRegisters@8 ; HalAllocateCrashDumpRegisters(x,x)
		mov	edi, eax
		test	ebx, ebx
		jz	short loc_A5DF9A
		push	esi
		mov	cl, 2
		call	_VF_ASSERT_IRQL@4 ; VF_ASSERT_IRQL(x)
		mov	eax, [ebp+arg_4]
		lea	ecx, [ebx+50h]
		mov	esi, [eax]
		lock xadd [ecx], esi
		mov	edx, [eax]
		mov	ecx, ebx
		push	0
		call	_ADD_MAP_REGISTERS@12 ;	ADD_MAP_REGISTERS(x,x,x)
		cmp	_ViVerifyDma, 0
		pop	esi
		jz	short loc_A5DF9A
		test	edi, edi
		jnz	short loc_A5DF9A
		mov	edi, 0DEADF00Dh

loc_A5DF9A:				; CODE XREF: VfAllocateCrashDumpRegisters(x,x)+32j
					; VfAllocateCrashDumpRegisters(x,x)+5Bj ...
		mov	eax, edi
		pop	edi
		pop	ebx
		pop	ebp
		retn	8
_VfAllocateCrashDumpRegisters@8	endp ; sp = -8


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfBuildMdlFromScatterGatherList(x, x, x, x)
_VfBuildMdlFromScatterGatherList@16 proc near ;	DATA XREF: PAGEVRFD:00AA814Co

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_A5E02B
		cmp	dword ptr [edi+4], 0DEADF00Dh
		jnz	short loc_A5E03E
		lea	ebx, [eax+20h]
		cmp	[ebx], ebx
		jz	short loc_A5E02B
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_4+3],	al
		mov	eax, [ebp+var_4]
		add	eax, 28h
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebx]
		jmp	short loc_A5DFF5
; 

loc_A5DFEE:				; CODE XREF: VfBuildMdlFromScatterGatherList(x,x,x,x)+5Bj
		cmp	[ecx+24h], edi
		jz	short loc_A5E001
		mov	ecx, [edx]

loc_A5DFF5:				; CODE XREF: VfBuildMdlFromScatterGatherList(x,x,x,x)+4Aj
		sub	ecx, 28h
		lea	edx, [ecx+28h]
		cmp	ebx, edx
		jnz	short loc_A5DFEE
		jmp	short loc_A5E004
; 

loc_A5E001:				; CODE XREF: VfBuildMdlFromScatterGatherList(x,x,x,x)+4Fj
		mov	esi, [ecx+34h]

loc_A5E004:				; CODE XREF: VfBuildMdlFromScatterGatherList(x,x,x,x)+5Dj
		test	ds:byte_70EFC6,	1
		jz	short loc_A5E01A
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5E022
; 

loc_A5E01A:				; CODE XREF: VfBuildMdlFromScatterGatherList(x,x,x,x)+69j
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_A5E022:				; CODE XREF: VfBuildMdlFromScatterGatherList(x,x,x,x)+76j
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A5E02B:				; CODE XREF: VfBuildMdlFromScatterGatherList(x,x,x,x)+1Dj
					; VfBuildMdlFromScatterGatherList(x,x,x,x)+2Dj
		cmp	dword ptr [edi+4], 0DEADF00Dh
		jnz	short loc_A5E03E
		test	esi, esi
		jz	short loc_A5E03E
		mov	eax, [esi+1Ch]
		mov	[edi+4], eax

loc_A5E03E:				; CODE XREF: VfBuildMdlFromScatterGatherList(x,x,x,x)+26j
					; VfBuildMdlFromScatterGatherList(x,x,x,x)+90j	...
		mov	ecx, [ebp+arg_0]
		push	3Ch
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	edi
		push	[ebp+arg_0]
		call	eax
		mov	ebx, eax
		test	esi, esi
		jz	short loc_A5E068
		mov	ecx, [edi+4]
		mov	[esi+1Ch], ecx
		mov	dword ptr [edi+4], 0DEADF00Dh

loc_A5E068:				; CODE XREF: VfBuildMdlFromScatterGatherList(x,x,x,x)+B7j
		test	ebx, ebx
		js	short loc_A5E0E0
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]
		cmp	[eax], ecx
		jnz	short loc_A5E0E0
		test	esi, esi
		jz	short loc_A5E0E0
		xor	ecx, ecx
		cmp	[esi+18h], ecx
		jz	short loc_A5E088
		mov	ebx, 0C0000073h
		jmp	short loc_A5E0E0
; 

loc_A5E088:				; CODE XREF: VfBuildMdlFromScatterGatherList(x,x,x,x)+DDj
		mov	eax, [esi+20h]
		push	ecx
		push	ecx
		push	ecx
		push	dword ptr [eax+14h]
		mov	[ebp+arg_0], eax
		push	ecx
		call	IoAllocateMdl
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A5E0A7
		mov	ebx, 0C000009Ah
		jmp	short loc_A5E0E0
; 

loc_A5E0A7:				; CODE XREF: VfBuildMdlFromScatterGatherList(x,x,x,x)+FCj
		mov	ecx, [ebp+arg_0]
		mov	[esi+18h], edi
		mov	eax, [ecx+14h]
		shr	eax, 0Ch
		shl	eax, 2
		push	eax		; size_t
		lea	eax, [ecx+1Ch]
		push	eax		; void *
		lea	eax, [edi+1Ch]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_8]
		add	esp, 0Ch
		mov	eax, [eax+18h]
		add	[edi+18h], eax
		mov	eax, [edi+18h]
		sub	[edi+14h], eax
		mov	eax, [ebp+arg_C]
		or	word ptr [edi+6], 2
		mov	[eax], edi

loc_A5E0E0:				; CODE XREF: VfBuildMdlFromScatterGatherList(x,x,x,x)+C8j
					; VfBuildMdlFromScatterGatherList(x,x,x,x)+D2j	...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	10h
_VfBuildMdlFromScatterGatherList@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfBuildScatterGatherList(x,	x, x, x, x, x, x, x, x,	x)
_VfBuildScatterGatherList@40 proc near	; DATA XREF: PAGEVRFD:00AA8148o

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= byte ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	38h
		xor	esi, esi
		pop	edx
		mov	ebx, esi
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	[ebp+var_C], eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	edi, eax
		mov	[ebp+var_8], edi
		test	edi, edi
		jz	loc_A5E1ED
		mov	cl, 2
		call	_VF_ASSERT_IRQL@4 ; VF_ASSERT_IRQL(x)
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jnz	short loc_A5E135
		mov	eax, 0C000000Dh
		jmp	loc_A5E310
; 

loc_A5E135:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+40j
		lock inc dword ptr [edi+5Ch]
		lock inc dword ptr [edi+60h]
		mov	ecx, ebx
		call	_VERIFY_BUFFER_LOCKED@4	; VERIFY_BUFFER_LOCKED(x)
		cmp	dword ptr [edi+78h], 3
		jnz	short loc_A5E185
		mov	edx, [ebp+arg_10] ; int
		mov	ecx, ebx
		push	esi
		push	esi
		call	_ViCheckMdlLength@16 ; ViCheckMdlLength(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A5E185
		push	esi		; int
		push	esi		; int
		push	ebx		; char
		push	24h		; int
		mov	edx, offset ??_C@_0ED@BJJMKJGC@The?5provided?5MDL?5is?5not?5suffici@JKADOLAD@ ;	int
		mov	ecx, offset unk_6B6814 ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B6814 ; int
		push	esi		; int
		push	esi		; int
		push	ebx		; int
		push	24h
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5E185:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+5Fj
					; VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+71j
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	ebx, eax
		mov	eax, [ebp+arg_18]
		test	ebx, ebx
		jz	loc_A5E2EB
		mov	edx, [ebp+arg_10]
		mov	ecx, edi
		mov	[ebx], eax
		add	edx, 0FFFh
		mov	eax, dword ptr [ebp+arg_14]
		mov	[ebx+4], eax
		mov	eax, [ebp+arg_C]
		and	eax, 0FFFh
		mov	[ebx+24h], esi
		add	edx, eax
		mov	[ebx+20h], edi
		lea	eax, [ebx+28h]
		shr	edx, 0Ch
		mov	[ebx+18h], edx
		mov	[eax+4], eax
		mov	[eax], eax
		call	_ViAllocateMapRegisterFile@8 ; ViAllocateMapRegisterFile(x,x)
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jnz	loc_A5E285

loc_A5E1DF:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+1FDj
		mov	edx, ebx
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		mov	ebx, esi

loc_A5E1ED:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+2Ej
		mov	ecx, dword ptr [ebp+arg_14] ; char

loc_A5E1F0:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+1EEj
		mov	eax, [ebp+arg_18]

loc_A5E1F3:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+205j
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	eax
		push	ecx
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	[ebp+var_C]
		mov	dword ptr [ebp+arg_14],	eax
		test	edi, edi
		jz	loc_A5E310
		test	eax, eax
		jns	loc_A5E310
		mov	ecx, edi
		call	_DECREMENT_SCATTER_GATHER_LISTS@4 ; DECREMENT_SCATTER_GATHER_LISTS(x)
		test	esi, esi
		jz	short loc_A5E237
		mov	edx, esi
		mov	ecx, edi
		call	_ViFreeMapRegisterFile@8 ; ViFreeMapRegisterFile(x,x)

loc_A5E237:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+143j
		test	ebx, ebx
		jz	loc_A5E30D
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	edi, 28h
		mov	byte ptr [ebp+arg_18+3], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [ebx+28h]
		mov	esi, [ecx]
		mov	edx, [ecx+4]
		cmp	[esi+4], ecx
		jnz	loc_A5E317
		cmp	[edx], ecx
		jnz	loc_A5E317
		mov	[edx], esi
		mov	[esi+4], edx
		test	ds:byte_70EFC6,	1
		jz	short loc_A5E2F3
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5E2F8
; 

loc_A5E285:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+F0j
		push	[ebp+arg_1C]	; int
		mov	edx, [ebp+arg_10]
		lea	eax, [ebx+38h]
		mov	byte ptr [ecx+0Dh], 1
		push	edx		; int
		mov	[ebx+8], eax
		mov	eax, [ebp+arg_C]
		mov	[ebx+10h], edx
		mov	edx, [ebp+arg_8] ; int
		push	eax		; int
		mov	[ebx+34h], ecx
		mov	[ebx+0Ch], eax
		call	_ViMapDoubleBuffer@20 ;	ViMapDoubleBuffer(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A5E2DC
		mov	esi, [ebp+arg_8]
		lea	eax, [ebp+arg_C]
		mov	edi, [ebx+8]
		lea	edx, [ebp+arg_8]
		push	7
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_4]
		lea	ecx, [ebp+var_4]
		push	eax
		mov	[ebp+arg_18], ebx
		call	_ViSwap@12	; ViSwap(x,x,x)
		mov	edi, [ebp+var_8]
		mov	ecx, offset _ViScatterGatherCallback@16	; ViScatterGatherCallback(x,x,x,x)
		jmp	loc_A5E1F0
; 

loc_A5E2DC:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+1C4j
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		call	_ViFreeMapRegisterFile@8 ; ViFreeMapRegisterFile(x,x)
		jmp	loc_A5E1DF
; 

loc_A5E2EB:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+ADj
		mov	ecx, dword ptr [ebp+arg_14]
		jmp	loc_A5E1F3
; 

loc_A5E2F3:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+18Ej
		xor	eax, eax
		lock and [edi],	eax

loc_A5E2F8:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+19Aj
		mov	cl, byte ptr [ebp+arg_18+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, ebx
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)

loc_A5E30D:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+150j
		mov	eax, dword ptr [ebp+arg_14]

loc_A5E310:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+47j
					; VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+12Cj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	28h
; 

loc_A5E317:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+174j
					; VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+17Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall VfBuildScatterGatherListEx(x, x, x,	x, x, x, x, x, x, x, x,	x, x, x, x, x)
_VfBuildScatterGatherListEx@64:		; DATA XREF: PAGEVRFD:00AA8174o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	esi
		push	edi
		push	64h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	[ebp+var_4], eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	edi, [ebp+arg_C]
		mov	esi, eax
		test	esi, esi
		jz	short loc_A5E3AE
		mov	cl, 2
		call	_VF_ASSERT_IRQL@4 ; VF_ASSERT_IRQL(x)
		test	edi, edi
		jnz	short loc_A5E35A
		mov	eax, 0C000000Dh
		jmp	loc_A5E3F2
; 

loc_A5E35A:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+265j
		push	ebx
		lock inc dword ptr [esi+5Ch]
		lock inc dword ptr [esi+60h]
		mov	ecx, edi
		call	_VERIFY_BUFFER_LOCKED@4	; VERIFY_BUFFER_LOCKED(x)
		push	dword ptr [ebp+arg_14]
		mov	edx, [ebp+arg_18]
		mov	ecx, edi
		push	[ebp+arg_10]
		call	_ViCheckMdlLength@16 ; ViCheckMdlLength(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A5E3AD
		push	0		; int
		push	0		; int
		push	ebx		; char
		push	24h		; int
		mov	edx, offset ??_C@_0ED@BJJMKJGC@The?5provided?5MDL?5is?5not?5suffici@JKADOLAD@ ;	int
		mov	ecx, offset unk_6B67AC ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B67AC ; int
		push	0		; int
		push	0		; int
		push	ebx		; int
		push	24h
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5E3AD:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+295j
		pop	ebx

loc_A5E3AE:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+25Aj
		push	[ebp+arg_3C]
		push	[ebp+arg_38]
		push	[ebp+arg_34]
		push	[ebp+arg_30]
		push	[ebp+arg_2C]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	dword ptr [ebp+arg_14]
		push	[ebp+arg_10]
		push	edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	[ebp+var_4]
		mov	edi, eax
		test	esi, esi
		jz	short loc_A5E3F0
		test	edi, edi
		jns	short loc_A5E3F0
		mov	ecx, esi
		call	_DECREMENT_SCATTER_GATHER_LISTS@4 ; DECREMENT_SCATTER_GATHER_LISTS(x)

loc_A5E3F0:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+2FAj
					; VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+2FEj
		mov	eax, edi

loc_A5E3F2:				; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+26Cj
		pop	edi
		pop	esi
		leave
		retn	40h
_VfBuildScatterGatherList@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfCalculateScatterGatherListSize(x,	x, x, x, x, x)
_VfCalculateScatterGatherListSize@24 proc near ; DATA XREF: PAGEVRFD:00AA8144o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	34h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		pop	ebp
		jmp	eax
_VfCalculateScatterGatherListSize@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfCancelAdapterChannel(x, x, x)
_VfCancelAdapterChannel@12 proc	near	; DATA XREF: PAGEVRFD:00AA8168o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	58h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	esi, eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		push	[ebp+arg_8]
		mov	edi, eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	esi
		mov	bl, al
		test	edi, edi
		jz	short loc_A5E47E
		test	bl, bl
		jz	short loc_A5E47E
		push	[ebp+arg_8]
		xor	edx, edx
		mov	ecx, edi
		call	_ViRemoveChannelWcb@12 ; ViRemoveChannelWcb(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A5E47E
		mov	ecx, edi
		call	_DECREMENT_ADAPTER_CHANNELS@4 ;	DECREMENT_ADAPTER_CHANNELS(x)
		mov	edx, [esi+18h]
		mov	ecx, edi
		call	_SUBTRACT_MAP_REGISTERS@8 ; SUBTRACT_MAP_REGISTERS(x,x)
		mov	edx, [esi+34h]
		test	edx, edx
		jz	short loc_A5E472
		mov	ecx, edi
		call	_ViFreeMapRegisterFile@8 ; ViFreeMapRegisterFile(x,x)

loc_A5E472:				; CODE XREF: VfCancelAdapterChannel(x,x,x)+5Ej
		mov	edx, esi
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)

loc_A5E47E:				; CODE XREF: VfCancelAdapterChannel(x,x,x)+30j
					; VfCancelAdapterChannel(x,x,x)+34j ...
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	0Ch
_VfCancelAdapterChannel@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfCancelMappedTransfer(x, x)
_VfCancelMappedTransfer@8 proc near	; DATA XREF: PAGEVRFD:00AA8180o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	70h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		pop	ebp
		jmp	eax
_VfCancelMappedTransfer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfConfigureAdapterChannel(x, x, x)
_VfConfigureAdapterChannel@12 proc near	; DATA XREF: PAGEVRFD:00AA8164o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	54h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		pop	ebp
		jmp	eax
_VfConfigureAdapterChannel@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFlushAdapterBuffers(x, x,	x, x, x, x)
_VfFlushAdapterBuffers@24 proc near	; DATA XREF: PAGEVRFD:00AA8124o
					; PAGEVRFD:00AAAE7Co

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	ecx, ebx
		push	esi
		push	edi
		push	14h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	dl, 1
		mov	[ebp+var_8], eax
		mov	ecx, ebx
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A5E596
		call	_VF_ASSERT_MAX_IRQL@4 ;	VF_ASSERT_MAX_IRQL(x)
		mov	esi, [ebp+arg_8]
		cmp	esi, 0DEADF00Dh
		jnz	short loc_A5E4F2
		xor	esi, esi
		jmp	loc_A5E599
; 

loc_A5E4F2:				; CODE XREF: VfFlushAdapterBuffers(x,x,x,x,x,x)+3Cj
		mov	ecx, esi
		call	_ViGetMapRegisterFile@4	; ViGetMapRegisterFile(x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_A5E599
		mov	ecx, [ebp+arg_4]
		lea	eax, [ebp+arg_8]
		mov	[ebp+var_4], ecx
		lea	edx, [ebp+var_4]
		mov	ecx, [ebp+arg_C]
		mov	[ebp+arg_8], ecx
		lea	ecx, [ebp+arg_0]
		push	eax
		mov	[ebp+arg_0], esi
		call	_ViSwap@12	; ViSwap(x,x,x)
		test	eax, eax
		jnz	short loc_A5E55E
		cmp	[ebp+arg_10], eax
		jz	short loc_A5E55A
		mov	ebx, [ebp+arg_4]
		mov	edx, offset ??_C@_0GB@BNKDPEHI@Cannot?5flush?5map?5register?5that?5@JKADOLAD@ ;	int
		mov	edi, [ebp+arg_C]
		mov	ecx, offset unk_6B6834 ; int
		push	ebx		; int
		push	edi		; int
		push	esi		; char
		push	20h		; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B6834 ; int
		push	ebx		; int
		push	edi		; int
		push	esi		; int
		push	20h
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5E55A:				; CODE XREF: VfFlushAdapterBuffers(x,x,x,x,x,x)+7Cj
		xor	al, al
		jmp	short loc_A5E5B9
; 

loc_A5E55E:				; CODE XREF: VfFlushAdapterBuffers(x,x,x,x,x,x)+77j
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		push	[ebp+var_4]
		push	ebx
		call	[ebp+var_8]
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_4]
		mov	bl, al
		push	[ebp+arg_10]
		mov	ecx, [ebp+var_C]
		push	[ebp+arg_C]
		call	_ViFlushDoubleBuffer@20	; ViFlushDoubleBuffer(x,x,x,x,x)
		test	bl, bl
		jz	short loc_A5E592
		xor	ecx, ecx
		lea	eax, [edi+74h]
		xchg	ecx, [eax]

loc_A5E592:				; CODE XREF: VfFlushAdapterBuffers(x,x,x,x,x,x)+DCj
		mov	al, bl
		jmp	short loc_A5E5B9
; 

loc_A5E596:				; CODE XREF: VfFlushAdapterBuffers(x,x,x,x,x,x)+28j
		mov	esi, [ebp+arg_8]

loc_A5E599:				; CODE XREF: VfFlushAdapterBuffers(x,x,x,x,x,x)+40j
					; VfFlushAdapterBuffers(x,x,x,x,x,x)+51j
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	esi
		push	[ebp+arg_4]
		push	ebx
		call	[ebp+var_8]
		test	edi, edi
		jz	short loc_A5E5B9
		test	al, al
		jz	short loc_A5E5B9
		xor	edx, edx
		lea	ecx, [edi+74h]
		xchg	edx, [ecx]

loc_A5E5B9:				; CODE XREF: VfFlushAdapterBuffers(x,x,x,x,x,x)+AFj
					; VfFlushAdapterBuffers(x,x,x,x,x,x)+E7j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_VfFlushAdapterBuffers@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFlushAdapterBuffersEx(x, x, x, x,	x, x, x)
_VfFlushAdapterBuffersEx@28 proc near	; DATA XREF: PAGEVRFD:00AA8178o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		push	edi
		push	68h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	edi, eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A5E5E9
		call	_VF_ASSERT_MAX_IRQL@4 ;	VF_ASSERT_MAX_IRQL(x)

loc_A5E5E9:				; CODE XREF: VfFlushAdapterBuffersEx(x,x,x,x,x,x,x)+22j
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	edi
		test	esi, esi
		jz	short loc_A5E60F
		test	eax, eax
		jnz	short loc_A5E60F
		xor	edx, edx
		lea	ecx, [esi+74h]
		xchg	edx, [ecx]

loc_A5E60F:				; CODE XREF: VfFlushAdapterBuffersEx(x,x,x,x,x,x,x)+42j
					; VfFlushAdapterBuffersEx(x,x,x,x,x,x,x)+46j
		pop	edi
		pop	esi
		pop	ebp
		retn	1Ch
_VfFlushAdapterBuffersEx@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFreeAdapterChannel(x)
_VfFreeAdapterChannel@4	proc near	; DATA XREF: PAGEVRFD:00AA8128o
					; PAGEVRFD:00AAAEDCo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	cl, 2
		call	_VF_ASSERT_IRQL@4 ; VF_ASSERT_IRQL(x)
		mov	ecx, [ebp+arg_0]
		push	18h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	esi, eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		push	[ebp+arg_0]
		mov	edi, eax
		call	esi
		test	edi, edi
		jz	short loc_A5E688
		xor	edx, edx
		lea	ecx, [edi+74h]
		xchg	edx, [ecx]
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	_ViRemoveChannelWcb@12 ; ViRemoveChannelWcb(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A5E688
		mov	ecx, edi
		call	_DECREMENT_ADAPTER_CHANNELS@4 ;	DECREMENT_ADAPTER_CHANNELS(x)
		mov	edx, [esi+18h]
		mov	ecx, edi
		call	_SUBTRACT_MAP_REGISTERS@8 ; SUBTRACT_MAP_REGISTERS(x,x)
		mov	edx, [esi+34h]
		test	edx, edx
		jz	short loc_A5E67C
		mov	ecx, edi
		call	_ViFreeMapRegisterFile@8 ; ViFreeMapRegisterFile(x,x)

loc_A5E67C:				; CODE XREF: VfFreeAdapterChannel(x)+5Ej
		mov	edx, esi
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)

loc_A5E688:				; CODE XREF: VfFreeAdapterChannel(x)+2Ej
					; VfFreeAdapterChannel(x)+46j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_VfFreeAdapterChannel@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFreeAdapterObject(x, x)
_VfFreeAdapterObject@8 proc near	; DATA XREF: PAGEVRFD:00AA817Co

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	6Ch
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	esi, eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		push	[ebp+arg_4]
		mov	ebx, eax
		push	[ebp+arg_0]
		call	esi
		test	ebx, ebx
		jz	loc_A5E77A
		cmp	[ebp+arg_4], 2
		jz	short loc_A5E6CF
		cmp	[ebp+arg_4], 3
		jnz	loc_A5E77A

loc_A5E6CF:				; CODE XREF: VfFreeAdapterObject(x,x)+35j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_0+3],	al
		lea	eax, [ebx+4Ch]
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	edx, [ebx+44h]
		mov	esi, [edx]
		jmp	short loc_A5E6F4
; 

loc_A5E6EC:				; CODE XREF: VfFreeAdapterObject(x,x)+6Ej
		cmp	dword ptr [esi+1Ch], 1
		jz	short loc_A5E714
		mov	esi, [ecx]

loc_A5E6F4:				; CODE XREF: VfFreeAdapterObject(x,x)+5Cj
		sub	esi, 28h
		lea	ecx, [esi+28h]
		cmp	edx, ecx
		jnz	short loc_A5E6EC

loc_A5E6FE:				; CODE XREF: VfFreeAdapterObject(x,x)+98j
					; VfFreeAdapterObject(x,x)+D4j
		test	ds:byte_70EFC6,	1
		jz	short loc_A5E769
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5E771
; 

loc_A5E714:				; CODE XREF: VfFreeAdapterObject(x,x)+62j
		mov	ecx, ebx
		call	_DECREMENT_ADAPTER_CHANNELS@4 ;	DECREMENT_ADAPTER_CHANNELS(x)
		push	3
		pop	eax
		cmp	[ebp+arg_4], eax
		jnz	short loc_A5E728
		mov	[esi+1Ch], eax
		jmp	short loc_A5E6FE
; 

loc_A5E728:				; CODE XREF: VfFreeAdapterObject(x,x)+93j
		lea	eax, [esi+28h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	short loc_A5E764
		cmp	[ecx], eax
		jnz	short loc_A5E764
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, ebx
		mov	edx, [esi+18h]
		call	_SUBTRACT_MAP_REGISTERS@8 ; SUBTRACT_MAP_REGISTERS(x,x)
		mov	edx, [esi+34h]
		test	edx, edx
		jz	short loc_A5E756
		mov	ecx, ebx
		call	_ViFreeMapRegisterFile@8 ; ViFreeMapRegisterFile(x,x)

loc_A5E756:				; CODE XREF: VfFreeAdapterObject(x,x)+BFj
		mov	edx, esi
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_A5E6FE
; 

loc_A5E764:				; CODE XREF: VfFreeAdapterObject(x,x)+A5j
					; VfFreeAdapterObject(x,x)+A9j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A5E769:				; CODE XREF: VfFreeAdapterObject(x,x)+77j
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_A5E771:				; CODE XREF: VfFreeAdapterObject(x,x)+84j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A5E77A:				; CODE XREF: VfFreeAdapterObject(x,x)+2Bj
					; VfFreeAdapterObject(x,x)+3Bj
		pop	esi
		pop	ebx
		leave
		retn	8
_VfFreeAdapterObject@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFreeCommonBuffer(x, x, x,	x, x, x)
_VfFreeCommonBuffer@24 proc near	; DATA XREF: PAGEVRFD:00AA811Co
					; PAGEVRFD:00AAAEACo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	0Ch
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	edi, eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		lea	ecx, [ebp+arg_8]
		mov	esi, eax
		call	_ViHalFreeDomainCommonBuffer@4 ; ViHalFreeDomainCommonBuffer(x)
		mov	bl, al
		test	esi, esi
		jz	short loc_A5E7CB
		test	bl, bl
		jnz	short loc_A5E7CB
		call	_VF_ASSERT_MAX_IRQL@4 ;	VF_ASSERT_MAX_IRQL(x)
		push	[ebp+arg_14]	; int
		mov	edx, esi
		mov	ecx, edi
		push	[ebp+arg_10]	; void *
		call	_ViSpecialFreeCommonBuffer@16 ;	ViSpecialFreeCommonBuffer(x,x,x,x)
		test	eax, eax
		jnz	short loc_A5E7EE

loc_A5E7CB:				; CODE XREF: VfFreeCommonBuffer(x,x,x,x,x,x)+2Dj
					; VfFreeCommonBuffer(x,x,x,x,x,x)+31j
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	edi
		test	esi, esi
		jz	short loc_A5E7EE
		test	bl, bl
		jnz	short loc_A5E7EE
		mov	ecx, esi
		call	_DECREMENT_COMMON_BUFFERS@4 ; DECREMENT_COMMON_BUFFERS(x)

loc_A5E7EE:				; CODE XREF: VfFreeCommonBuffer(x,x,x,x,x,x)+49j
					; VfFreeCommonBuffer(x,x,x,x,x,x)+61j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
_VfFreeCommonBuffer@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFreeCommonBufferFromVector(x, x, x)
_VfFreeCommonBufferFromVector@12 proc near ; DATA XREF:	PAGEVRFD:00AA81A4o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 94h
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		pop	ebp
		jmp	eax
_VfFreeCommonBufferFromVector@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFreeCommonBufferVector(x,	x)
_VfFreeCommonBufferVector@8 proc near	; DATA XREF: PAGEVRFD:00AA81A8o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 98h
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		pop	ebp
		jmp	eax
_VfFreeCommonBufferVector@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFreeMapRegisters(x, x, x)
_VfFreeMapRegisters@12 proc near	; DATA XREF: PAGEVRFD:00AA812Co
					; PAGEVRFD:00AAAEF4o

var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	1Ch
		xor	ebx, ebx
		pop	edx
		mov	[ebp+var_1], bl
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	[ebp+var_8], eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	edi, eax
		mov	esi, 0DEADF00Dh
		test	edi, edi
		jz	short loc_A5E87C
		mov	cl, 2
		call	_VF_ASSERT_IRQL@4 ; VF_ASSERT_IRQL(x)
		mov	ecx, [ebp+arg_4]
		mov	ebx, ecx
		cmp	ecx, esi
		jnz	short loc_A5E86B
		xor	ecx, ecx
		mov	[ebp+var_1], 1
		xor	ebx, ebx
		jmp	short loc_A5E87F
; 

loc_A5E86B:				; CODE XREF: VfFreeMapRegisters(x,x,x)+40j
		test	ecx, ecx
		jz	short loc_A5E87F
		cmp	dword ptr [ecx], 0ACEFD00Dh
		jnz	short loc_A5E87F
		mov	ecx, [ecx+1Ch]
		jmp	short loc_A5E87F
; 

loc_A5E87C:				; CODE XREF: VfFreeMapRegisters(x,x,x)+30j
		mov	ecx, [ebp+arg_4]

loc_A5E87F:				; CODE XREF: VfFreeMapRegisters(x,x,x)+4Aj
					; VfFreeMapRegisters(x,x,x)+4Ej ...
		push	[ebp+arg_8]
		push	ecx
		push	[ebp+arg_0]
		call	[ebp+var_8]
		test	edi, edi
		jz	short loc_A5E8CA
		cmp	[ebp+var_1], 1
		jz	short loc_A5E895
		mov	esi, ebx

loc_A5E895:				; CODE XREF: VfFreeMapRegisters(x,x,x)+72j
		push	0
		mov	edx, esi
		mov	ecx, edi
		call	_ViRemoveChannelWcb@12 ; ViRemoveChannelWcb(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A5E8CA
		mov	edx, [esi+18h]
		mov	ecx, edi
		call	_SUBTRACT_MAP_REGISTERS@8 ; SUBTRACT_MAP_REGISTERS(x,x)
		mov	edx, [esi+34h]
		test	edx, edx
		jz	short loc_A5E8BE
		mov	ecx, edi
		call	_ViFreeMapRegisterFile@8 ; ViFreeMapRegisterFile(x,x)

loc_A5E8BE:				; CODE XREF: VfFreeMapRegisters(x,x,x)+96j
		mov	edx, esi
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)

loc_A5E8CA:				; CODE XREF: VfFreeMapRegisters(x,x,x)+6Cj
					; VfFreeMapRegisters(x,x,x)+85j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_VfFreeMapRegisters@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfGetCommonBufferFromVectorByIndex(x, x, x,	x, x)
_VfGetCommonBufferFromVectorByIndex@20 proc near ; DATA	XREF: PAGEVRFD:00AA81A0o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	edx, 90h
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		pop	ebp
		jmp	eax
_VfGetCommonBufferFromVectorByIndex@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfGetDmaAdapter(x, x, x)
_VfGetDmaAdapter@12 proc near		; DATA XREF: PAGEVRFD:00AAB56Co

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	ebx
		push	esi
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_14]
		push	edi
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_RtlGetCallersAddress@8	; RtlGetCallersAddress(x,x)
		cmp	_ViVerifyDma, 0
		mov	esi, [ebp+arg_0]
		jz	loc_A5EA01
		cmp	ds:_ViDMADisabledNoRebootNeeded, 1
		jz	loc_A5EA01
		mov	ecx, esi
		call	_VfIsPCIBus@4	; VfIsPCIBus(x)
		test	eax, eax
		jnz	loc_A5EA01
		test	_MmVerifierData, 20000h
		jnz	short loc_A5E94B
		xor	cl, cl
		call	_VF_ASSERT_IRQL@4 ; VF_ASSERT_IRQL(x)

loc_A5E94B:				; CODE XREF: VfGetDmaAdapter(x,x,x)+5Cj
		test	esi, esi
		jz	short loc_A5E963
		jmp	short loc_A5E958
; 

loc_A5E951:				; CODE XREF: VfGetDmaAdapter(x,x,x)+7Bj
		mov	ecx, eax
		call	_ViReleaseDmaAdapter@4 ; ViReleaseDmaAdapter(x)

loc_A5E958:				; CODE XREF: VfGetDmaAdapter(x,x,x)+69j
		mov	ecx, esi
		call	_VF_FIND_INACTIVE_ADAPTER_AND_REMOVE@4 ; VF_FIND_INACTIVE_ADAPTER_AND_REMOVE(x)
		test	eax, eax
		jnz	short loc_A5E951

loc_A5E963:				; CODE XREF: VfGetDmaAdapter(x,x,x)+67j
		mov	ebx, [ebp+arg_8]
		push	20h
		pop	eax
		cmp	[ebx], eax
		jbe	short loc_A5E96F
		mov	[ebx], eax

loc_A5E96F:				; CODE XREF: VfGetDmaAdapter(x,x,x)+85j
		mov	eax, large fs:124h
		push	eax
		call	off_6B13D0	; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		test	eax, eax
		js	short loc_A5E986
		mov	byte ptr [ebp+arg_8], 0
		jmp	short loc_A5E991
; 

loc_A5E986:				; CODE XREF: VfGetDmaAdapter(x,x,x)+98j
		cmp	eax, 0C0000225h
		jnz	short loc_A5E9BE
		mov	byte ptr [ebp+arg_8], 1

loc_A5E991:				; CODE XREF: VfGetDmaAdapter(x,x,x)+9Ej
		push	ebx
		push	[ebp+arg_4]
		push	esi
		call	ds:_pXdvIoGetDmaAdapter
		mov	edi, eax
		test	edi, edi
		jz	short loc_A5E9BE
		push	[ebp+arg_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		push	dword ptr [ebx]
		call	_ViHookDmaAdapter@16 ; ViHookDmaAdapter(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A5E9C2
		mov	eax, [edi+4]
		push	edi
		call	dword ptr [eax+4]

loc_A5E9BE:				; CODE XREF: VfGetDmaAdapter(x,x,x)+A5j
					; VfGetDmaAdapter(x,x,x)+BAj
		xor	eax, eax
		jmp	short loc_A5EA0D
; 

loc_A5E9C2:				; CODE XREF: VfGetDmaAdapter(x,x,x)+CFj
		mov	eax, [ebp+var_4]
		mov	[ebx+0Ch], esi
		mov	[ebx+18h], eax
		test	esi, esi
		jz	short loc_A5E9FD
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		push	0
		push	0
		push	offset _DEVPKEY_Device_Capabilities
		push	esi
		call	IoGetDevicePropertyData
		test	eax, eax
		js	short loc_A5E9FD
		test	[ebp+var_8], 400h
		jz	short loc_A5E9FD
		mov	byte ptr [ebx+13h], 1

loc_A5E9FD:				; CODE XREF: VfGetDmaAdapter(x,x,x)+E7j
					; VfGetDmaAdapter(x,x,x)+108j ...
		mov	eax, edi
		jmp	short loc_A5EA0D
; 

loc_A5EA01:				; CODE XREF: VfGetDmaAdapter(x,x,x)+30j
					; VfGetDmaAdapter(x,x,x)+3Dj ...
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	IoGetDmaAdapter

loc_A5EA0D:				; CODE XREF: VfGetDmaAdapter(x,x,x)+DAj
					; VfGetDmaAdapter(x,x,x)+119j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_VfGetDmaAdapter@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfGetDmaAdapterInfo(x, x)
_VfGetDmaAdapterInfo@8 proc near	; DATA XREF: PAGEVRFD:00AA8150o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	40h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		pop	ebp
		jmp	eax
_VfGetDmaAdapterInfo@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfGetDmaAlignment(x)
_VfGetDmaAlignment@4 proc near		; DATA XREF: PAGEVRFD:00AA8134o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	cl, cl
		call	_VF_ASSERT_IRQL@4 ; VF_ASSERT_IRQL(x)
		mov	ecx, [ebp+arg_0]
		push	24h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		test	eax, eax
		jnz	short loc_A5EA47
		inc	eax
		pop	ebp
		retn	4
; 

loc_A5EA47:				; CODE XREF: VfGetDmaAlignment(x)+19j
		pop	ebp
		jmp	eax
_VfGetDmaAlignment@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfGetDmaTransferInfo(x, x, x, x, x,	x, x)
_VfGetDmaTransferInfo@28 proc near	; DATA XREF: PAGEVRFD:00AA8154o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	44h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax
		pop	ebp
		retn	1Ch
_VfGetDmaTransferInfo@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfGetScatterGatherList(x, x, x, x, x, x, x,	x)
_VfGetScatterGatherList@32 proc	near	; DATA XREF: PAGEVRFD:00AA813Co

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	2Ch
		xor	edi, edi
		pop	edx
		mov	ebx, edi
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	[ebp+var_20], eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	esi, eax
		mov	[ebp+var_14], esi
		test	esi, esi
		jz	loc_A5EC11
		mov	cl, 2
		call	_VF_ASSERT_IRQL@4 ; VF_ASSERT_IRQL(x)
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jnz	short loc_A5EAC1
		mov	eax, 0C000000Dh
		jmp	loc_A5ED31
; 

loc_A5EAC1:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+40j
		lock inc dword ptr [esi+5Ch]
		lock inc dword ptr [esi+60h]
		mov	ecx, ebx
		call	_VERIFY_BUFFER_LOCKED@4	; VERIFY_BUFFER_LOCKED(x)
		cmp	dword ptr [esi+78h], 3
		jnz	short loc_A5EB11
		mov	edx, [ebp+arg_10] ; int
		mov	ecx, ebx
		push	edi
		push	edi
		call	_ViCheckMdlLength@16 ; ViCheckMdlLength(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A5EB11
		push	edi		; int
		push	edi		; int
		push	ebx		; char
		push	24h		; int
		mov	edx, offset ??_C@_0ED@BJJMKJGC@The?5provided?5MDL?5is?5not?5suffici@JKADOLAD@ ;	int
		mov	ecx, offset unk_6B681C ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B681C ; int
		push	edi		; int
		push	edi		; int
		push	ebx		; int
		push	24h
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5EB11:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+5Fj
					; VfGetScatterGatherList(x,x,x,x,x,x,x,x)+71j
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	ebx, eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		jz	loc_A5ED0C
		lea	ecx, [ebx+28h]
		mov	[ebx], eax
		mov	eax, [ebp+arg_14]
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	ecx, [ebp+arg_8]
		mov	[ebx+4], eax
		mov	[ebx+24h], edi
		mov	[ebp+var_10], edi
		mov	eax, [ecx+18h]
		add	eax, [ecx+10h]
		mov	edx, [ecx+14h]
		sub	edx, [ebp+arg_C]
		add	edx, eax
		mov	eax, [ebp+arg_C]
		and	eax, 0FFFh
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], edx
		mov	edx, [ebp+arg_10]
		mov	dword ptr [ebp+var_8], eax
		mov	eax, [ebp+var_4]
		cmp	eax, edx
		jnb	short loc_A5EBAB
		mov	edi, dword ptr [ebp+var_8]
		mov	esi, eax
		mov	ebx, [ebp+var_10]

loc_A5EB75:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+123j
		mov	ecx, [ecx]
		test	ecx, ecx
		jz	short loc_A5EB9A
		lea	eax, [edi+0FFFh]
		mov	edi, [ecx+18h]
		add	eax, esi
		mov	esi, [ecx+14h]
		shr	eax, 0Ch
		add	ebx, eax
		mov	eax, [ebp+var_4]
		add	eax, esi
		mov	[ebp+var_4], eax
		cmp	eax, edx
		jb	short loc_A5EB75

loc_A5EB9A:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+104j
		mov	[ebp+var_10], ebx
		mov	ebx, [ebp+var_1C]
		mov	dword ptr [ebp+var_8], edi
		xor	edi, edi
		mov	[ebp+var_C], esi
		mov	esi, [ebp+var_14]

loc_A5EBAB:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+F6j
		mov	ecx, dword ptr [ebp+var_8]
		add	eax, 1000h
		add	ecx, edx
		cmp	eax, ecx
		mov	ecx, esi
		jnb	short loc_A5EBD6
		call	_DECREMENT_SCATTER_GATHER_LISTS@4 ; DECREMENT_SCATTER_GATHER_LISTS(x)
		mov	edx, ebx
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		mov	eax, 0C0000023h
		jmp	loc_A5ED31
; 

loc_A5EBD6:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+144j
		mov	eax, [ebp+var_C]
		add	edx, 0FFFh
		sub	eax, [ebp+var_4]
		add	eax, dword ptr [ebp+var_8]
		add	edx, eax
		mov	[ebx+20h], esi
		shr	edx, 0Ch
		add	edx, [ebp+var_10]
		mov	[ebx+18h], edx
		call	_ViAllocateMapRegisterFile@8 ; ViAllocateMapRegisterFile(x,x)
		mov	dword ptr [ebp+var_8], eax
		test	eax, eax
		jnz	loc_A5ECA3

loc_A5EC03:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+292j
		mov	edx, ebx
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		mov	ebx, edi

loc_A5EC11:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+2Ej
		mov	ecx, [ebp+arg_14]

loc_A5EC14:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+283j
		mov	eax, [ebp+arg_18]

loc_A5EC17:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+29Aj
		push	[ebp+arg_1C]
		push	eax
		push	ecx
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	[ebp+var_20]
		mov	[ebp+arg_14], eax
		test	esi, esi
		jz	loc_A5ED31
		test	eax, eax
		jns	loc_A5ED31
		mov	ecx, esi
		call	_DECREMENT_SCATTER_GATHER_LISTS@4 ; DECREMENT_SCATTER_GATHER_LISTS(x)
		test	edi, edi
		jz	short loc_A5EC55
		mov	edx, edi
		mov	ecx, esi
		call	_ViFreeMapRegisterFile@8 ; ViFreeMapRegisterFile(x,x)

loc_A5EC55:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+1D5j
		test	ebx, ebx
		jz	loc_A5ED2E
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	esi, 28h
		mov	byte ptr [ebp+arg_18+3], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [ebx+28h]
		mov	edi, [ecx]
		mov	edx, [ecx+4]
		cmp	[edi+4], ecx
		jnz	loc_A5ED38
		cmp	[edx], ecx
		jnz	loc_A5ED38
		mov	[edx], edi
		mov	[edi+4], edx
		test	ds:byte_70EFC6,	1
		jz	short loc_A5ED14
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5ED19
; 

loc_A5ECA3:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+188j
		push	[ebp+arg_1C]	; int
		mov	ecx, [ebp+arg_10]
		mov	edx, [ebp+arg_8] ; int
		mov	byte ptr [eax+0Dh], 1
		mov	[ebx+34h], eax
		lea	eax, [ebx+38h]
		push	ecx		; int
		mov	[ebx+8], eax
		mov	eax, [ebp+arg_C]
		mov	[ebx+10h], ecx
		mov	ecx, dword ptr [ebp+var_8] ; char
		push	eax		; int
		mov	[ebx+0Ch], eax
		call	_ViMapDoubleBuffer@20 ;	ViMapDoubleBuffer(x,x,x,x,x)
		test	eax, eax
		jz	short loc_A5ECFD
		mov	esi, [ebp+arg_8]
		lea	eax, [ebp+arg_C]
		mov	edi, [ebx+8]
		lea	edx, [ebp+arg_8]
		push	7
		pop	ecx
		rep movsd
		mov	edi, dword ptr [ebp+var_8]
		lea	ecx, [ebp+var_8]
		push	eax
		mov	[ebp+arg_18], ebx
		call	_ViSwap@12	; ViSwap(x,x,x)
		mov	esi, [ebp+var_14]
		mov	ecx, offset _ViScatterGatherCallback@16	; ViScatterGatherCallback(x,x,x,x)
		jmp	loc_A5EC14
; 

loc_A5ECFD:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+259j
		mov	edx, dword ptr [ebp+var_8]
		mov	ecx, esi
		call	_ViFreeMapRegisterFile@8 ; ViFreeMapRegisterFile(x,x)
		jmp	loc_A5EC03
; 

loc_A5ED0C:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+B0j
		mov	ecx, [ebp+arg_14]
		jmp	loc_A5EC17
; 

loc_A5ED14:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+220j
		xor	eax, eax
		lock and [esi],	eax

loc_A5ED19:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+22Cj
		mov	cl, byte ptr [ebp+arg_18+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, ebx
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)

loc_A5ED2E:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+1E2j
		mov	eax, [ebp+arg_14]

loc_A5ED31:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+47j
					; VfGetScatterGatherList(x,x,x,x,x,x,x,x)+15Cj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_A5ED38:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+206j
					; VfGetScatterGatherList(x,x,x,x,x,x,x,x)+20Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall VfGetScatterGatherListEx(x,	x, x, x, x, x, x, x, x,	x, x, x, x, x)
_VfGetScatterGatherListEx@56:		; DATA XREF: PAGEVRFD:00AA8170o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	60h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	ebx, eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A5EDBB
		call	_VF_ASSERT_MAX_IRQL@4 ;	VF_ASSERT_MAX_IRQL(x)
		lock inc dword ptr [esi+5Ch]
		lock inc dword ptr [esi+60h]
		mov	ecx, [ebp+arg_C]
		call	_VERIFY_BUFFER_LOCKED@4	; VERIFY_BUFFER_LOCKED(x)
		push	[ebp+arg_14]
		mov	edx, [ebp+arg_18]
		push	[ebp+arg_10]
		mov	ecx, [ebp+arg_C]
		call	_ViCheckMdlLength@16 ; ViCheckMdlLength(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A5EDBB
		push	0		; int
		push	0		; int
		push	edi		; char
		push	24h		; int
		mov	edx, offset ??_C@_0ED@BJJMKJGC@The?5provided?5MDL?5is?5not?5suffici@JKADOLAD@ ;	int
		mov	ecx, offset unk_6B67A8 ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B67A8 ; int
		push	0		; int
		push	0		; int
		push	edi		; int
		push	24h
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5EDBB:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+2EBj
					; VfGetScatterGatherList(x,x,x,x,x,x,x,x)+317j
		push	[ebp+arg_34]
		push	[ebp+arg_30]
		push	[ebp+arg_2C]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ebx
		mov	edi, eax
		test	esi, esi
		jz	short loc_A5EDF8
		test	edi, edi
		jns	short loc_A5EDF8
		mov	ecx, esi
		call	_DECREMENT_SCATTER_GATHER_LISTS@4 ; DECREMENT_SCATTER_GATHER_LISTS(x)

loc_A5EDF8:				; CODE XREF: VfGetScatterGatherList(x,x,x,x,x,x,x,x)+376j
					; VfGetScatterGatherList(x,x,x,x,x,x,x,x)+37Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	38h
_VfGetScatterGatherList@32 endp	; sp = -3Ch


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfHalAllocateMapRegisters(x, x, x, x)
_VfHalAllocateMapRegisters@16 proc near	; DATA XREF: ViHalApplySettings()+33o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_VfRealHalAllocateMapRegisters
		test	eax, eax
		jz	short loc_A5EE8C
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		push	edi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax
		mov	esi, eax
		mov	[ebp+arg_C], esi
		test	esi, esi
		js	short loc_A5EE86
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_A5EE86
		xor	esi, esi
		cmp	[ebp+arg_8], esi
		jbe	short loc_A5EE83

loc_A5EE41:				; CODE XREF: VfHalAllocateMapRegisters(x,x,x,x)+80j
		cmp	byte ptr [eax+11h], 0
		jnz	short loc_A5EE60
		mov	edx, [ebp+arg_4]
		mov	ecx, eax
		call	_ViAllocateMapRegisterFile@8 ; ViAllocateMapRegisterFile(x,x)
		test	eax, eax
		jz	short loc_A5EE60
		mov	ecx, [edi+esi*8]
		mov	[eax+1Ch], ecx
		mov	[edi+esi*8], eax
		jmp	short loc_A5EE6D
; 

loc_A5EE60:				; CODE XREF: VfHalAllocateMapRegisters(x,x,x,x)+44j
					; VfHalAllocateMapRegisters(x,x,x,x)+52j
		cmp	dword ptr [edi+esi*8], 0
		jnz	short loc_A5EE6D
		mov	dword ptr [edi+esi*8], 0DEADF00Dh

loc_A5EE6D:				; CODE XREF: VfHalAllocateMapRegisters(x,x,x,x)+5Dj
					; VfHalAllocateMapRegisters(x,x,x,x)+63j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	1
		call	_ADD_MAP_REGISTERS@12 ;	ADD_MAP_REGISTERS(x,x,x)
		mov	eax, [ebp+arg_0]
		inc	esi
		cmp	esi, [ebp+arg_8]
		jb	short loc_A5EE41

loc_A5EE83:				; CODE XREF: VfHalAllocateMapRegisters(x,x,x,x)+3Ej
		mov	esi, [ebp+arg_C]

loc_A5EE86:				; CODE XREF: VfHalAllocateMapRegisters(x,x,x,x)+26j
					; VfHalAllocateMapRegisters(x,x,x,x)+37j
		pop	edi
		mov	eax, esi
		pop	esi
		jmp	short loc_A5EE91
; 

loc_A5EE8C:				; CODE XREF: VfHalAllocateMapRegisters(x,x,x,x)+Cj
		mov	eax, 0C0000001h

loc_A5EE91:				; CODE XREF: VfHalAllocateMapRegisters(x,x,x,x)+89j
		pop	ebp
		retn	10h
_VfHalAllocateMapRegisters@16 endp


;  S U B	R O U T	I N E 


; __stdcall VfHalDeleteDevice(x)
_VfHalDeleteDevice@4 proc near		; CODE XREF: VfIoDeleteDevice(x,x)+9p
		cmp	_ViVerifyDma, 0
		push	esi
		mov	esi, ecx
		jz	short loc_A5EEDA
		mov	eax, [esi+0B0h]
		test	eax, eax
		jz	short loc_A5EECF

loc_A5EEAB:				; CODE XREF: VfHalDeleteDevice(x)+27j
		mov	eax, [eax+18h]
		test	eax, eax
		jz	short loc_A5EEBE
		mov	ecx, eax
		mov	eax, [ecx+0B0h]
		test	eax, eax
		jnz	short loc_A5EEAB

loc_A5EEBE:				; CODE XREF: VfHalDeleteDevice(x)+1Bj
		cmp	ecx, esi
		jz	short loc_A5EECF
		pop	esi
		jmp	_VF_MARK_FOR_DEFERRED_REMOVE@4 ; VF_MARK_FOR_DEFERRED_REMOVE(x)
; 

loc_A5EEC8:				; CODE XREF: VfHalDeleteDevice(x)+43j
		mov	ecx, eax
		call	_ViReleaseDmaAdapter@4 ; ViReleaseDmaAdapter(x)

loc_A5EECF:				; CODE XREF: VfHalDeleteDevice(x)+14j
					; VfHalDeleteDevice(x)+2Bj
		mov	ecx, esi
		call	_VF_FIND_DEVICE_INFORMATION_AND_REMOVE@4 ; VF_FIND_DEVICE_INFORMATION_AND_REMOVE(x)
		test	eax, eax
		jnz	short loc_A5EEC8

loc_A5EEDA:				; CODE XREF: VfHalDeleteDevice(x)+Aj
		pop	esi
		retn
_VfHalDeleteDevice@4 endp ; sp =  4


;  S U B	R O U T	I N E 


; __stdcall VfHalVerifierInitialize()
_VfHalVerifierInitialize@0 proc	near	; CODE XREF: VfInitVerifierComponents(x,x,x)+20Cp
		push	offset ExInitializeNPagedLookasideListInternal
		push	_VfInitializedWithoutReboot
		xor	ecx, ecx
		mov	eax, offset _ViAdapterList
		push	10h
		push	566C6148h
		push	54h
		push	200h
		push	offset _VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)
		mov	ds:dword_AB06DC, eax
		mov	ds:_ViAdapterList, eax
		mov	eax, offset _ViDomainCommonBufferList
		push	ecx
		push	offset _ViHalWaitBlockLookaside
		mov	ds:dword_AB06E0, ecx
		mov	ds:dword_AB06F0, ecx
		mov	ds:dword_AB06EC, eax
		mov	ds:_ViDomainCommonBufferList, eax
		call	ds:_pXdvExInitializeNPagedLookasideList	; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
		jmp	_ViHalApplySettings@0 ;	ViHalApplySettings()
_VfHalVerifierInitialize@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfInitializeDmaTransferContext(x, x)
_VfInitializeDmaTransferContext@8 proc near ; DATA XREF: PAGEVRFD:00AA8158o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	48h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		pop	ebp
		jmp	eax
_VfInitializeDmaTransferContext@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIsPCIBus(x)
_VfIsPCIBus@4	proc near		; CODE XREF: VfGetDmaAdapter(x,x,x)+45p

var_58		= dword	ptr -58h
var_54		= word ptr -54h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_58], esi
		test	ecx, ecx
		jnz	short loc_A5EF6A
		xor	eax, eax
		jmp	short loc_A5EF98
; 

loc_A5EF6A:				; CODE XREF: VfIsPCIBus(x)+1Aj
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_54]
		push	eax
		push	50h
		push	esi
		push	ecx
		call	IoGetDeviceProperty
		test	eax, eax
		jnz	short loc_A5EF96
		lea	eax, [ebp+var_54]
		push	(offset	loc_A57B6F+5) ;	wchar_t	*
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A5EF96
		xor	esi, esi
		inc	esi

loc_A5EF96:				; CODE XREF: VfIsPCIBus(x)+33j
					; VfIsPCIBus(x)+47j
		mov	eax, esi

loc_A5EF98:				; CODE XREF: VfIsPCIBus(x)+1Ej
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_VfIsPCIBus@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfLegacyGetAdapter(x, x)
_VfLegacyGetAdapter@8 proc near		; DATA XREF: PAGEVRFD:00AAB584o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		cmp	_ViVerifyDma, ebx
		jnz	short loc_A5EFCB
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:__imp__HalGetAdapter@8 ; HalGetAdapter(x,x)
		jmp	loc_A5F064
; 

loc_A5EFCB:				; CODE XREF: VfLegacyGetAdapter(x,x)+13j
		push	esi
		push	edi
		xor	cl, cl
		call	_VF_ASSERT_IRQL@4 ; VF_ASSERT_IRQL(x)
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_RtlGetCallersAddress@8	; RtlGetCallersAddress(x,x)
		push	ebx		; int
		push	ebx		; int
		push	ebx		; char
		mov	esi, offset unk_6B6824
		mov	edx, (offset loc_A5764C+6) ; int
		push	1Eh		; int
		mov	ecx, esi	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	esi		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; int
		push	1Eh
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		mov	edi, [ebp+arg_4]
		push	20h
		pop	eax
		cmp	[edi], eax
		jbe	short loc_A5F014
		mov	[edi], eax

loc_A5F014:				; CODE XREF: VfLegacyGetAdapter(x,x)+6Bj
		mov	eax, large fs:124h
		push	eax
		call	off_6B13D0	; ext_ms_win_ntos_kcminitcfg_l1_1_0_CmSetInitMachineConfig(x)
		push	edi
		push	[ebp+arg_0]
		test	eax, eax
		sets	byte ptr [ebp+arg_4]
		call	ds:_pXdvHalGetAdapter ;	HalGetAdapter(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A5F053
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		push	dword ptr [edi]
		call	_ViHookDmaAdapter@16 ; ViHookDmaAdapter(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_A5F057
		mov	eax, [esi+4]
		push	esi
		call	dword ptr [eax+4]

loc_A5F053:				; CODE XREF: VfLegacyGetAdapter(x,x)+90j
		xor	eax, eax
		jmp	short loc_A5F062
; 

loc_A5F057:				; CODE XREF: VfLegacyGetAdapter(x,x)+A5j
		mov	eax, [ebp+var_4]
		mov	[ecx+18h], eax
		mov	eax, esi
		mov	[ecx+0Ch], ebx

loc_A5F062:				; CODE XREF: VfLegacyGetAdapter(x,x)+B0j
		pop	edi
		pop	esi

loc_A5F064:				; CODE XREF: VfLegacyGetAdapter(x,x)+21j
		pop	ebx
		leave
		retn	8
_VfLegacyGetAdapter@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfMapTransfer(x, x,	x, x, x, x)
_VfMapTransfer@24 proc near		; DATA XREF: PAGEVRFD:00AA8130o
					; PAGEVRFD:00AAAE64o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	20h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	[ebp+var_4], eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_A5F14B
		call	_VF_ASSERT_MAX_IRQL@4 ;	VF_ASSERT_MAX_IRQL(x)
		mov	esi, [ebp+arg_4]
		mov	ecx, esi
		call	_VERIFY_BUFFER_LOCKED@4	; VERIFY_BUFFER_LOCKED(x)
		mov	ecx, ebx
		call	_ViCheckAdapterBuffers@4 ; ViCheckAdapterBuffers(x)
		cmp	dword ptr [ebx+78h], 3
		jnz	short loc_A5F0F3
		mov	edx, [ebp+arg_10] ; int
		mov	ecx, esi
		push	0
		push	0
		mov	edx, [edx]
		call	_ViCheckMdlLength@16 ; ViCheckMdlLength(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A5F0F3
		push	0		; int
		push	0		; int
		push	edi		; char
		push	24h		; int
		mov	edx, offset ??_C@_0ED@BJJMKJGC@The?5provided?5MDL?5is?5not?5suffici@JKADOLAD@ ;	int
		mov	ecx, offset unk_6B6818 ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B6818 ; int
		push	0		; int
		push	0		; int
		push	edi		; int
		push	24h
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5F0F3:				; CODE XREF: VfMapTransfer(x,x,x,x,x,x)+45j
					; VfMapTransfer(x,x,x,x,x,x)+5Bj
		mov	edx, [ebp+arg_8]
		cmp	edx, 0DEADF00Dh
		jnz	short loc_A5F102
		xor	edx, edx
		jmp	short loc_A5F151
; 

loc_A5F102:				; CODE XREF: VfMapTransfer(x,x,x,x,x,x)+93j
		mov	ecx, edx
		call	_ViGetMapRegisterFile@4	; ViGetMapRegisterFile(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A5F151
		mov	eax, [ebp+arg_10]
		mov	edx, esi	; int
		push	[ebp+arg_14]	; int
		mov	ecx, edi	; char
		push	dword ptr [eax]	; int
		push	[ebp+arg_C]	; int
		call	_ViMapDoubleBuffer@20 ;	ViMapDoubleBuffer(x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_A5F12E
		mov	edx, [edi+1Ch]
		jmp	short loc_A5F151
; 

loc_A5F12E:				; CODE XREF: VfMapTransfer(x,x,x,x,x,x)+BEj
		mov	eax, [ebp+arg_10]
		lea	edx, [ebp+arg_4]
		mov	[eax], ecx
		lea	eax, [ebp+arg_C]
		push	eax
		lea	ecx, [ebp+arg_8]
		call	_ViSwap@12	; ViSwap(x,x,x)
		test	eax, eax
		jnz	short loc_A5F14B
		mov	edx, [edi+1Ch]
		jmp	short loc_A5F14E
; 

loc_A5F14B:				; CODE XREF: VfMapTransfer(x,x,x,x,x,x)+25j
					; VfMapTransfer(x,x,x,x,x,x)+DBj
		mov	edx, [ebp+arg_8]

loc_A5F14E:				; CODE XREF: VfMapTransfer(x,x,x,x,x,x)+E0j
		mov	esi, [ebp+arg_4]

loc_A5F151:				; CODE XREF: VfMapTransfer(x,x,x,x,x,x)+97j
					; VfMapTransfer(x,x,x,x,x,x)+A4j ...
		push	[ebp+arg_14]
		mov	edi, [ebp+arg_10]
		push	edi
		push	[ebp+arg_C]
		push	edx
		push	esi
		push	[ebp+arg_0]
		call	[ebp+var_4]
		mov	[ebp+arg_4], edx
		mov	esi, eax
		test	ebx, ebx
		jz	short loc_A5F177
		mov	edx, [edi]
		mov	ecx, ebx
		push	0
		call	_INCREASE_MAPPED_TRANSFER_BYTE_COUNT@12	; INCREASE_MAPPED_TRANSFER_BYTE_COUNT(x,x,x)

loc_A5F177:				; CODE XREF: VfMapTransfer(x,x,x,x,x,x)+101j
		mov	edx, [ebp+arg_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	18h
_VfMapTransfer@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfMapTransferEx(x, x, x, x,	x, x, x, x, x, x, x, x)
_VfMapTransferEx@48 proc near		; DATA XREF: PAGEVRFD:00AA816Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		push	ebx
		push	esi
		push	edi
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	ebx, [ebp+arg_18]
		mov	esi, eax
		test	esi, esi
		jz	short loc_A5F1F5
		call	_VF_ASSERT_MAX_IRQL@4 ;	VF_ASSERT_MAX_IRQL(x)
		mov	ecx, [ebp+arg_4]
		call	_VERIFY_BUFFER_LOCKED@4	; VERIFY_BUFFER_LOCKED(x)
		mov	ecx, esi
		call	_ViCheckAdapterBuffers@4 ; ViCheckAdapterBuffers(x)
		push	[ebp+arg_10]
		mov	edx, [ebx]
		push	[ebp+arg_C]
		mov	ecx, [ebp+arg_4]
		call	_ViCheckMdlLength@16 ; ViCheckMdlLength(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A5F1F5
		push	0		; int
		push	0		; int
		push	edi		; char
		push	24h		; int
		mov	edx, offset ??_C@_0ED@BJJMKJGC@The?5provided?5MDL?5is?5not?5suffici@JKADOLAD@ ;	int
		mov	ecx, offset unk_6B67A0 ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B67A0 ; int
		push	0		; int
		push	0		; int
		push	edi		; int
		push	24h
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5F1F5:				; CODE XREF: VfMapTransferEx(x,x,x,x,x,x,x,x,x,x,x,x)+19j
					; VfMapTransferEx(x,x,x,x,x,x,x,x,x,x,x,x)+43j
		mov	ecx, [ebp+arg_0]
		push	5Ch
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		push	[ebp+arg_2C]
		push	[ebp+arg_28]
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	ebx
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax
		mov	edi, eax
		test	esi, esi
		jz	short loc_A5F239
		test	edi, edi
		js	short loc_A5F239
		mov	edx, [ebx]
		mov	ecx, esi
		push	1
		call	_INCREASE_MAPPED_TRANSFER_BYTE_COUNT@12	; INCREASE_MAPPED_TRANSFER_BYTE_COUNT(x,x,x)

loc_A5F239:				; CODE XREF: VfMapTransferEx(x,x,x,x,x,x,x,x,x,x,x,x)+A5j
					; VfMapTransferEx(x,x,x,x,x,x,x,x,x,x,x,x)+A9j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	30h
_VfMapTransferEx@48 endp


;  S U B	R O U T	I N E 


; __stdcall VfNotifyOfHibernate(x)
_VfNotifyOfHibernate@4 proc near	; CODE XREF: PopInvokeSystemStateHandler+CE74p
					; PopInvokeSystemStateHandler+CF13p
		mov	edi, edi
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		inc	esi
		test	bl, bl
		jz	short loc_A5F265
		cmp	_ViVerifyDma, 0
		jz	short loc_A5F29B
		mov	ds:_ViEnableAfterHibernate, esi
		call	_VfDisableHalVerifier@0	; VfDisableHalVerifier()
		jmp	short loc_A5F29B
; 

loc_A5F265:				; CODE XREF: VfNotifyOfHibernate(x)+Bj
		cmp	ds:_ViEnableAfterHibernate, 0
		jz	short loc_A5F2B1
		and	ds:_ViEnableAfterHibernate, 0
		mov	edx, offset _ViAdapterList
		mov	eax, ds:_ViAdapterList
		mov	_ViVerifyDma, esi
		jmp	short loc_A5F297
; 

loc_A5F287:				; CODE XREF: VfNotifyOfHibernate(x)+57j
		mov	ecx, [eax+8]
		test	ecx, ecx
		jz	short loc_A5F295
		mov	dword ptr [ecx+4], offset _ViDmaOperations

loc_A5F295:				; CODE XREF: VfNotifyOfHibernate(x)+4Aj
		mov	eax, [eax]

loc_A5F297:				; CODE XREF: VfNotifyOfHibernate(x)+43j
		cmp	eax, edx
		jnz	short loc_A5F287

loc_A5F29B:				; CODE XREF: VfNotifyOfHibernate(x)+14j
					; VfNotifyOfHibernate(x)+21j
		call	_VfIsVerifierExtensionEnabled@0	; VfIsVerifierExtensionEnabled()
		cmp	eax, esi
		jnz	short loc_A5F2B1
		mov	eax, ds:_ViFnExtensionHiberFunc
		test	eax, eax
		jz	short loc_A5F2B1
		push	ebx
		call	eax
		pop	ecx

loc_A5F2B1:				; CODE XREF: VfNotifyOfHibernate(x)+2Aj
					; VfNotifyOfHibernate(x)+60j ...
		pop	esi
		pop	ebx
		retn
_VfNotifyOfHibernate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfPutDmaAdapter(x)
_VfPutDmaAdapter@4 proc	near		; DATA XREF: PAGEVRFD:00AA8114o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	edi
		call	_VF_ASSERT_MAX_IRQL@4 ;	VF_ASSERT_MAX_IRQL(x)
		mov	edi, [ebp+arg_0]
		mov	ecx, edi
		push	4
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_A5F48E
		push	ebx
		push	esi
		mov	ecx, offset dword_AB06E0
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	esi, ds:_ViAdapterList
		xor	ebx, ebx
		mov	byte ptr [ebp+arg_0+3],	al
		mov	eax, offset _ViAdapterList
		mov	[ebp+var_4], ebx
		jmp	short loc_A5F301
; 

loc_A5F2FA:				; CODE XREF: VfPutDmaAdapter(x)+4Fj
		cmp	edi, [esi+8]
		jz	short loc_A5F30A
		mov	esi, [esi]

loc_A5F301:				; CODE XREF: VfPutDmaAdapter(x)+44j
		cmp	esi, eax
		jnz	short loc_A5F2FA
		jmp	loc_A5F457
; 

loc_A5F30A:				; CODE XREF: VfPutDmaAdapter(x)+49j
		or	eax, 0FFFFFFFFh
		lock xadd [esi+14h], eax
		dec	eax
		mov	[ebp+var_4], eax
		jns	short loc_A5F341
		push	ebx		; int
		push	esi		; int
		push	edi		; char
		push	18h		; int
		mov	edx, offset ??_C@_0EP@PLLALHLD@Driver?5has?5attempted?5to?5access?5@JKADOLAD@ ;	int
		mov	ecx, offset unk_6B6830 ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B6830 ; int
		push	ebx		; int
		push	esi		; int
		push	edi		; int
		push	18h
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5F341:				; CODE XREF: VfPutDmaAdapter(x)+62j
		mov	ecx, esi
		call	_ViFlushZeroMapRegisterBaseWcbs@4 ; ViFlushZeroMapRegisterBaseWcbs(x)
		mov	eax, [esi+6Ch]
		mov	ecx, [esi+70h]
		cmp	eax, ecx
		jz	short loc_A5F383
		push	esi		; int
		sub	eax, ecx
		mov	edx, (offset loc_A575E0+2) ; int
		push	eax		; int
		push	edi		; char
		push	8		; int
		mov	ecx, offset unk_6B6828 ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		mov	eax, [esi+6Ch]
		mov	ecx, 0E6h	; int
		sub	eax, [esi+70h]
		push	offset unk_6B6828 ; int
		push	esi		; int
		push	eax		; int
		push	edi		; int
		push	8
		pop	edx
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5F383:				; CODE XREF: VfPutDmaAdapter(x)+9Cj
		mov	eax, [esi+64h]
		mov	ecx, [esi+68h]
		cmp	eax, ecx
		jz	short loc_A5F3BE
		push	esi		; int
		sub	eax, ecx
		mov	edx, (offset loc_A5759D+1) ; int
		push	eax		; int
		push	edi		; char
		push	7		; int
		mov	ecx, offset unk_6B682C ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		mov	eax, [esi+64h]
		mov	ecx, 0E6h	; int
		sub	eax, [esi+68h]
		push	offset unk_6B682C ; int
		push	esi		; int
		push	eax		; int
		push	edi		; int
		push	7
		pop	edx
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5F3BE:				; CODE XREF: VfPutDmaAdapter(x)+D7j
		mov	eax, [esi+58h]
		test	eax, eax
		jz	short loc_A5F3F0
		push	esi		; int
		push	eax		; int
		push	edi		; char
		push	9		; int
		mov	edx, (offset loc_A57432+2) ; int
		mov	ecx, offset unk_6B6838 ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B6838 ; int
		push	esi		; int
		push	dword ptr [esi+58h] ; int
		mov	ecx, 0E6h	; int
		push	edi		; int
		push	9
		pop	edx
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5F3F0:				; CODE XREF: VfPutDmaAdapter(x)+10Fj
		mov	eax, [esi+60h]
		test	eax, eax
		jz	short loc_A5F422
		push	esi		; int
		push	eax		; int
		push	edi		; char
		push	0Ah		; int
		mov	edx, (offset loc_A573E7+3) ; int
		mov	ecx, offset unk_6B683C ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B683C ; int
		push	esi		; int
		push	dword ptr [esi+60h] ; int
		mov	ecx, 0E6h	; int
		push	edi		; int
		push	0Ah
		pop	edx
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5F422:				; CODE XREF: VfPutDmaAdapter(x)+141j
		cmp	[esi+0Ch], ebx
		jnz	short loc_A5F43C

loc_A5F427:				; CODE XREF: VfPutDmaAdapter(x)+18Bj
					; VfPutDmaAdapter(x)+19Aj
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_A5F450
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_A5F450
		mov	[ecx], eax
		mov	[eax+4], ecx
		jmp	short loc_A5F457
; 

loc_A5F43C:				; CODE XREF: VfPutDmaAdapter(x)+171j
		cmp	[esi+12h], bl
		jnz	short loc_A5F427
		cmp	[esi+13h], bl
		jz	short loc_A5F455
		cmp	[ebp+var_4], 0
		mov	bl, 1
		jg	short loc_A5F457
		jmp	short loc_A5F427
; 

loc_A5F450:				; CODE XREF: VfPutDmaAdapter(x)+178j
					; VfPutDmaAdapter(x)+17Fj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A5F455:				; CODE XREF: VfPutDmaAdapter(x)+190j
		mov	esi, ebx

loc_A5F457:				; CODE XREF: VfPutDmaAdapter(x)+51j
					; VfPutDmaAdapter(x)+186j ...
		mov	dl, byte ptr [ebp+arg_0+3]
		mov	ecx, offset dword_AB06E0
		call	KfReleaseSpinLock
		test	esi, esi
		jz	short loc_A5F473
		test	bl, bl
		jnz	short loc_A5F473
		mov	ecx, esi
		call	_ViReleaseDmaAdapter@4 ; ViReleaseDmaAdapter(x)

loc_A5F473:				; CODE XREF: VfPutDmaAdapter(x)+1B2j
					; VfPutDmaAdapter(x)+1B6j
		push	edi
		call	[ebp+var_8]
		test	esi, esi
		jz	short loc_A5F48C
		test	bl, bl
		jz	short loc_A5F48C
		cmp	[ebp+var_4], 0
		jg	short loc_A5F48C
		mov	ecx, esi
		call	_ViReleaseDmaAdapter@4 ; ViReleaseDmaAdapter(x)

loc_A5F48C:				; CODE XREF: VfPutDmaAdapter(x)+1C5j
					; VfPutDmaAdapter(x)+1C9j ...
		pop	esi
		pop	ebx

loc_A5F48E:				; CODE XREF: VfPutDmaAdapter(x)+1Fj
		pop	edi
		leave
		retn	4
_VfPutDmaAdapter@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfPutScatterGatherList(x, x, x)
_VfPutScatterGatherList@12 proc	near	; DATA XREF: PAGEVRFD:00AA8140o

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		push	30h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		mov	ecx, [ebp+arg_0]
		mov	dl, 1
		mov	[ebp+var_8], eax
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A5F5DE
		mov	cl, 2
		call	_VF_ASSERT_IRQL@4 ; VF_ASSERT_IRQL(x)
		lea	ebx, [edi+20h]
		cmp	[ebx], ebx
		jz	loc_A5F5DE
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+28h]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, [ebx]
		sub	esi, 28h
		lea	ecx, [esi+28h]
		cmp	ebx, ecx
		jz	short loc_A5F502
		mov	eax, [ebp+arg_4]

loc_A5F4F1:				; CODE XREF: VfPutScatterGatherList(x,x,x)+6Dj
		cmp	[esi+24h], eax
		jz	short loc_A5F51F
		mov	esi, [ecx]
		sub	esi, 28h
		lea	ecx, [esi+28h]
		cmp	ebx, ecx
		jnz	short loc_A5F4F1

loc_A5F502:				; CODE XREF: VfPutScatterGatherList(x,x,x)+59j
		test	ds:byte_70EFC6,	1
		jz	loc_A5F5CD
		mov	edx, [ebp+4]
		lea	ecx, [edi+28h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_A5F5D5
; 

loc_A5F51F:				; CODE XREF: VfPutScatterGatherList(x,x,x)+61j
		mov	ebx, eax
		mov	eax, [ebx]
		mov	[ebp+arg_4], eax
		lea	eax, [esi+28h]
		mov	edx, [eax]
		mov	ecx, [eax+4]
		cmp	[edx+4], eax
		jnz	loc_A5F5C8
		cmp	[ecx], eax
		jnz	loc_A5F5C8
		mov	[ecx], edx
		mov	[edx+4], ecx
		test	ds:byte_70EFC6,	1
		jz	short loc_A5F55A
		mov	edx, [ebp+4]
		lea	ecx, [edi+28h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5F562
; 

loc_A5F55A:				; CODE XREF: VfPutScatterGatherList(x,x,x)+B8j
		xor	ecx, ecx
		lea	eax, [edi+28h]
		lock and [eax],	ecx

loc_A5F562:				; CODE XREF: VfPutScatterGatherList(x,x,x)+C5j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	dword ptr [ebx+4], 0DEADF00Dh
		mov	eax, [esi+34h]
		jnz	short loc_A5F581
		test	eax, eax
		jz	short loc_A5F581
		mov	eax, [eax+1Ch]
		mov	[ebx+4], eax

loc_A5F581:				; CODE XREF: VfPutScatterGatherList(x,x,x)+E2j
					; VfPutScatterGatherList(x,x,x)+E6j
		push	[ebp+arg_8]
		push	ebx
		push	[ebp+arg_0]
		call	[ebp+var_8]
		mov	edx, [ebp+arg_4]
		mov	ecx, edi
		call	_SUBTRACT_MAP_REGISTERS@8 ; SUBTRACT_MAP_REGISTERS(x,x)
		mov	ecx, edi
		call	_DECREMENT_SCATTER_GATHER_LISTS@4 ; DECREMENT_SCATTER_GATHER_LISTS(x)
		push	[ebp+arg_8]
		mov	edx, [esi+8]
		push	dword ptr [esi+10h]
		mov	ecx, [esi+34h]
		push	dword ptr [esi+0Ch]
		call	_ViFlushDoubleBuffer@20	; ViFlushDoubleBuffer(x,x,x,x,x)
		mov	edx, [esi+34h]
		mov	ecx, edi
		call	_ViFreeMapRegisterFile@8 ; ViFreeMapRegisterFile(x,x)
		mov	edx, esi
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_A5F5F5
; 

loc_A5F5C8:				; CODE XREF: VfPutScatterGatherList(x,x,x)+9Ej
					; VfPutScatterGatherList(x,x,x)+A6j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A5F5CD:				; CODE XREF: VfPutScatterGatherList(x,x,x)+76j
		xor	ecx, ecx
		lea	eax, [edi+28h]
		lock and [eax],	ecx

loc_A5F5D5:				; CODE XREF: VfPutScatterGatherList(x,x,x)+87j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A5F5DE:				; CODE XREF: VfPutScatterGatherList(x,x,x)+26j
					; VfPutScatterGatherList(x,x,x)+38j
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	[ebp+var_8]
		test	edi, edi
		jz	short loc_A5F5F5
		mov	ecx, edi
		call	_DECREMENT_SCATTER_GATHER_LISTS@4 ; DECREMENT_SCATTER_GATHER_LISTS(x)

loc_A5F5F5:				; CODE XREF: VfPutScatterGatherList(x,x,x)+133j
					; VfPutScatterGatherList(x,x,x)+159j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_VfPutScatterGatherList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfReadDmaCounter(x)
_VfReadDmaCounter@4 proc near		; DATA XREF: PAGEVRFD:00AA8138o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_VF_ASSERT_MAX_IRQL@4 ;	VF_ASSERT_MAX_IRQL(x)
		mov	ecx, [ebp+arg_0]
		push	28h
		pop	edx
		call	_ViGetRealDmaOperation@8 ; ViGetRealDmaOperation(x,x)
		pop	ebp
		jmp	eax
_VfReadDmaCounter@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViAdapterCallback(x, x, x, x)
_ViAdapterCallback@16 proc near		; DATA XREF: VfAllocateAdapterChannel(x,x,x,x,x)+B7o
					; VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+79o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		mov	esi, [edi+20h]
		test	esi, esi
		jz	short loc_A5F666
		cmp	dword ptr [esi+78h], 3
		jnb	short loc_A5F654
		mov	ecx, [edi+34h]
		test	ecx, ecx
		jz	short loc_A5F646
		cmp	dword ptr [ecx], 0ACEFD00Dh
		jnz	short loc_A5F646
		mov	eax, [ebp+arg_8]
		mov	[ecx+1Ch], eax
		mov	ebx, [edi+34h]
		jmp	short loc_A5F657
; 

loc_A5F646:				; CODE XREF: ViAdapterCallback(x,x,x,x)+1Dj
					; ViAdapterCallback(x,x,x,x)+25j
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jnz	short loc_A5F657
		mov	ebx, 0DEADF00Dh
		jmp	short loc_A5F657
; 

loc_A5F654:				; CODE XREF: ViAdapterCallback(x,x,x,x)+16j
		mov	ebx, [ebp+arg_8]

loc_A5F657:				; CODE XREF: ViAdapterCallback(x,x,x,x)+30j
					; ViAdapterCallback(x,x,x,x)+37j ...
		cmp	byte ptr [esi+7Ch], 0
		jz	short loc_A5F669
		mov	ecx, esi
		call	_DECREMENT_ADAPTER_CHANNELS@4 ;	DECREMENT_ADAPTER_CHANNELS(x)
		jmp	short loc_A5F669
; 

loc_A5F666:				; CODE XREF: ViAdapterCallback(x,x,x,x)+10j
		mov	ebx, [ebp+arg_8]

loc_A5F669:				; CODE XREF: ViAdapterCallback(x,x,x,x)+47j
					; ViAdapterCallback(x,x,x,x)+50j
		push	dword ptr [edi]
		mov	[edi+30h], ebx
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	dword ptr [edi+4]
		mov	ebx, eax
		test	esi, esi
		jz	loc_A5F761
		mov	edx, edi
		mov	ecx, esi
		call	_ViIsActiveChannelWcb@8	; ViIsActiveChannelWcb(x,x)
		test	al, al
		jz	loc_A5F761
		mov	[edi+1Ch], ebx
		mov	al, [esi+7Ch]
		cmp	ebx, 1
		jnz	short loc_A5F6D1
		test	al, al
		jz	short loc_A5F6C0
		lock dec dword ptr [esi+70h]
		push	dword ptr [esi+18h] ; char
		push	(offset	loc_A576C7+1) ;	char
		call	_VfUtilDbgPrint
		push	(offset	loc_A5768B+1) ;	char *
		call	_VfUtilDbgPrint
		add	esp, 0Ch

loc_A5F6C0:				; CODE XREF: ViAdapterCallback(x,x,x,x)+8Cj
		mov	eax, [edi+18h]
		mov	[esi+0B8h], eax
		xor	eax, eax
		inc	eax
		jmp	loc_A5F763
; 

loc_A5F6D1:				; CODE XREF: ViAdapterCallback(x,x,x,x)+88j
		test	al, al
		jnz	short loc_A5F6DC
		mov	ecx, esi
		call	_DECREMENT_ADAPTER_CHANNELS@4 ;	DECREMENT_ADAPTER_CHANNELS(x)

loc_A5F6DC:				; CODE XREF: ViAdapterCallback(x,x,x,x)+BFj
		cmp	ebx, 3
		jnz	short loc_A5F6E5
		push	ebx
		pop	eax
		jmp	short loc_A5F763
; 

loc_A5F6E5:				; CODE XREF: ViAdapterCallback(x,x,x,x)+CBj
		mov	edx, [edi+18h]
		mov	ecx, esi
		call	_SUBTRACT_MAP_REGISTERS@8 ; SUBTRACT_MAP_REGISTERS(x,x)
		mov	edx, [edi+34h]
		test	edx, edx
		jz	short loc_A5F709
		cmp	dword ptr [edx], 0ACEFD00Dh
		jnz	short loc_A5F709
		mov	ecx, esi
		call	_ViFreeMapRegisterFile@8 ; ViFreeMapRegisterFile(x,x)
		and	dword ptr [edi+34h], 0

loc_A5F709:				; CODE XREF: ViAdapterCallback(x,x,x,x)+E0j
					; ViAdapterCallback(x,x,x,x)+E8j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	esi, 4Ch
		mov	byte ptr [ebp+arg_8+3],	al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	eax, [edi+28h]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		cmp	[ecx+4], eax
		jnz	short loc_A5F76A
		cmp	[edx], eax
		jnz	short loc_A5F76A
		mov	[edx], ecx
		mov	[ecx+4], edx
		test	ds:byte_70EFC6,	1
		jz	short loc_A5F747
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5F74C
; 

loc_A5F747:				; CODE XREF: ViAdapterCallback(x,x,x,x)+125j
		xor	eax, eax
		lock and [esi],	eax

loc_A5F74C:				; CODE XREF: ViAdapterCallback(x,x,x,x)+131j
		mov	cl, byte ptr [ebp+arg_8+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, edi
		mov	ecx, offset _ViHalWaitBlockLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)

loc_A5F761:				; CODE XREF: ViAdapterCallback(x,x,x,x)+68j
					; ViAdapterCallback(x,x,x,x)+79j
		mov	eax, ebx

loc_A5F763:				; CODE XREF: ViAdapterCallback(x,x,x,x)+B8j
					; ViAdapterCallback(x,x,x,x)+CFj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
; 

loc_A5F76A:				; CODE XREF: ViAdapterCallback(x,x,x,x)+113j
					; ViAdapterCallback(x,x,x,x)+117j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ViAdapterCallback@16 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViAllocateContiguousMemory(x)
_ViAllocateContiguousMemory@4 proc near	; CODE XREF: ViHookDmaAdapter(x,x,x,x)+D0p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, 0FFFFh
		push	edi
		cmp	byte ptr [esi+83h], 0
		jz	short loc_A5F796
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_4], edi
		mov	ebx, edi
		jmp	short loc_A5F7B2
; 

loc_A5F796:				; CODE XREF: ViAllocateContiguousMemory(x)+1Bj
		cmp	byte ptr [esi+80h], 0
		jz	short loc_A5F7A4
		or	ebx, 0FFFFFFFFh
		jmp	short loc_A5F7B2
; 

loc_A5F7A4:				; CODE XREF: ViAllocateContiguousMemory(x)+2Ej
		cmp	dword ptr [esi+8Ch], 1
		jnz	short loc_A5F7B2
		mov	ebx, 0FFFFFFh

loc_A5F7B2:				; CODE XREF: ViAllocateContiguousMemory(x)+25j
					; ViAllocateContiguousMemory(x)+33j ...
		lea	ecx, [esi+0D0h]
		lea	eax, [esi+0CCh]
		mov	dword ptr [ecx], 20h
		push	ecx
		mov	[ecx+4], eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		push	566C6148h
		push	80h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+0BCh], eax
		test	eax, eax
		jz	short loc_A5F844
		xor	edi, edi

loc_A5F7ED:				; CODE XREF: ViAllocateContiguousMemory(x)+D3j
		push	80000000h
		push	4
		push	0
		push	0
		push	[ebp+var_4]
		push	ebx
		push	0
		push	0
		push	3000h
		call	MmAllocateContiguousNodeMemory
		mov	ecx, [esi+0BCh]
		mov	[ecx+edi*4], eax
		mov	eax, [esi+0BCh]
		cmp	dword ptr [eax+edi*4], 0
		jnz	short loc_A5F835
		push	1
		push	edi
		lea	eax, [esi+0D0h]
		push	eax
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	eax, 0C4h
		jmp	short loc_A5F83A
; 

loc_A5F835:				; CODE XREF: ViAllocateContiguousMemory(x)+AEj
		mov	eax, 0C0h

loc_A5F83A:				; CODE XREF: ViAllocateContiguousMemory(x)+C4j
		lock inc dword ptr [eax+esi]
		inc	edi
		cmp	edi, 20h
		jb	short loc_A5F7ED

loc_A5F844:				; CODE XREF: ViAllocateContiguousMemory(x)+7Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViAllocateContiguousMemory@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViAllocateFromContiguousMemory(x, x)
_ViAllocateFromContiguousMemory@8 proc near ; CODE XREF: ViAllocateMapRegisterFile(x,x)+ABp

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_8], edx
		xor	edi, edi
		test	esi, esi
		jz	short loc_A5F8C5
		cmp	[esi+0BCh], edi
		jz	short loc_A5F8C5
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [esi+0C8h]
		mov	[ebp+var_1], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	[ebp+var_8]
		lea	eax, [esi+0D0h]
		push	1
		push	eax
		call	RtlFindClearBitsAndSet
		mov	ecx, eax
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_A5F89D
		mov	eax, [esi+0BCh]
		mov	edi, [eax+ecx*4]

loc_A5F89D:				; CODE XREF: ViAllocateFromContiguousMemory(x,x)+49j
		test	ds:byte_70EFC6,	1
		jz	short loc_A5F8B2
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5F8B7
; 

loc_A5F8B2:				; CODE XREF: ViAllocateFromContiguousMemory(x,x)+5Bj
		xor	eax, eax
		lock and [ebx],	eax

loc_A5F8B7:				; CODE XREF: ViAllocateFromContiguousMemory(x,x)+67j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	ebx
		jmp	short loc_A5F8C7
; 

loc_A5F8C5:				; CODE XREF: ViAllocateFromContiguousMemory(x,x)+12j
					; ViAllocateFromContiguousMemory(x,x)+1Aj
		xor	eax, eax

loc_A5F8C7:				; CODE XREF: ViAllocateFromContiguousMemory(x,x)+7Aj
		pop	edi
		pop	esi
		leave
		retn
_ViAllocateFromContiguousMemory@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViAllocateMapRegisterFile(x, x)
_ViAllocateMapRegisterFile@8 proc near	; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+7Fp
					; VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+E4p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ecx
		push	ebx
		mov	[ebp+var_8], eax
		mov	ebx, edx
		push	esi
		mov	eax, [eax+58h]
		add	eax, ebx
		push	edi
		cmp	eax, 20h
		ja	loc_A5FA9B
		test	ebx, ebx
		jz	loc_A5FA9B
		lea	eax, [ebx-1]
		imul	edi, eax, 14h
		push	566C6148h
		add	edi, 44h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A5FA9B
		push	edi		; size_t
		xor	edi, edi
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+10h], ebx
		mov	eax, ebx
		shl	eax, 0Ch
		mov	[ebp+var_C], eax
		push	edi
		push	edi
		push	edi
		push	eax
		push	edi
		call	IoAllocateMdl
		mov	edi, eax
		mov	[ebp+var_10], edi
		test	edi, edi
		jz	loc_A5FA37
		push	566C6148h
		push	[ebp+var_C]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+28h], eax
		test	eax, eax
		jz	loc_A5FA37
		lea	eax, [edi+1Ch]
		mov	[ebp+var_C], eax
		lea	eax, [esi+3Ch]
		mov	[ebp+var_4], eax

loc_A5F96E:				; CODE XREF: ViAllocateMapRegisterFile(x,x)+128j
		mov	edx, [esi+10h]
		mov	ecx, [ebp+var_8]
		sub	edx, ebx
		call	_ViAllocateFromContiguousMemory@8 ; ViAllocateFromContiguousMemory(x,x)
		mov	ecx, [ebp+var_4]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_A5F98B
		mov	ecx, 0D8h
		jmp	short loc_A5F9B1
; 

loc_A5F98B:				; CODE XREF: ViAllocateMapRegisterFile(x,x)+B7j
		push	566C6148h
		push	3000h
		push	204h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_4]
		mov	[ecx], eax
		test	eax, eax
		jz	loc_A5FA37
		mov	ecx, 0DCh

loc_A5F9B1:				; CODE XREF: ViAllocateMapRegisterFile(x,x)+BEj
		mov	eax, [ebp+var_8]
		lock inc dword ptr [ecx+eax]
		mov	eax, [ebp+var_4]
		push	3000h		; size_t
		push	0Fh		; int
		mov	eax, [eax]
		push	eax		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	eax, [eax]
		add	eax, 1000h
		push	eax
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	ecx, [ebp+var_C]
		add	[ebp+var_4], 14h
		shrd	eax, edx, 0Ch
		mov	[ecx], eax
		add	ecx, 4
		mov	[ebp+var_C], ecx
		sub	ebx, 1
		jnz	loc_A5F96E
		or	word ptr [edi+6], 2
		push	40000010h
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	edi
		call	MmMapLockedPagesSpecifyCache
		mov	[esi+24h], eax
		test	eax, eax
		jz	short loc_A5FA37
		mov	ecx, [ebp+var_8]
		lea	edx, [esi+4]
		mov	[esi+20h], edi
		mov	dword ptr [esi], 0ACEFD00Dh
		mov	[esi+2Ch], ebx
		lea	eax, [ecx+40h]
		add	ecx, 38h
		push	eax
		call	@ExfInterlockedInsertHeadList@12 ; ExfInterlockedInsertHeadList(x,x,x)
		mov	eax, esi
		jmp	short loc_A5FA9D
; 

loc_A5FA37:				; CODE XREF: ViAllocateMapRegisterFile(x,x)+74j
					; ViAllocateMapRegisterFile(x,x)+91j ...
		mov	ebx, [esi+10h]
		test	ebx, ebx
		jz	short loc_A5FA7A
		mov	edi, [ebp+var_8]
		lea	eax, [esi+3Ch]
		mov	[ebp+var_4], eax

loc_A5FA47:				; CODE XREF: ViAllocateMapRegisterFile(x,x)+1AAj
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_A5FA77
		mov	eax, [esi+10h]
		mov	ecx, edi
		sub	eax, ebx
		push	eax
		call	_ViFreeToContiguousMemory@12 ; ViFreeToContiguousMemory(x,x,x)
		test	eax, eax
		jnz	short loc_A5FA69
		push	eax
		mov	eax, [ebp+var_4]
		push	dword ptr [eax]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A5FA69:				; CODE XREF: ViAllocateMapRegisterFile(x,x)+191j
		mov	eax, [ebp+var_4]
		add	eax, 14h
		mov	[ebp+var_4], eax
		sub	ebx, 1
		jnz	short loc_A5FA47

loc_A5FA77:				; CODE XREF: ViAllocateMapRegisterFile(x,x)+180j
		mov	edi, [ebp+var_10]

loc_A5FA7A:				; CODE XREF: ViAllocateMapRegisterFile(x,x)+171j
		test	edi, edi
		jz	short loc_A5FA84
		push	edi
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_A5FA84:				; CODE XREF: ViAllocateMapRegisterFile(x,x)+1B1j
		mov	eax, [esi+28h]
		test	eax, eax
		jz	short loc_A5FA93
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A5FA93:				; CODE XREF: ViAllocateMapRegisterFile(x,x)+1BEj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A5FA9B:				; CODE XREF: ViAllocateMapRegisterFile(x,x)+1Aj
					; ViAllocateMapRegisterFile(x,x)+22j ...
		xor	eax, eax

loc_A5FA9D:				; CODE XREF: ViAllocateMapRegisterFile(x,x)+16Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViAllocateMapRegisterFile@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViAllocateMapRegistersFromFile(x, x, x, x, x)
_ViAllocateMapRegistersFromFile@20 proc	near ; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+15Ap

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	esi, [ecx+30h]
		mov	eax, edx
		mov	[ebp+var_8], ecx
		mov	dword ptr [ebp+var_10],	eax
		add	edi, 0FFFh
		and	eax, 0FFFh
		mov	[ebp+var_28], esi
		add	edi, eax
		xor	eax, eax
		mov	ebx, eax
		shr	edi, 0Ch
		mov	[ebp+var_14], edi
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_2C], ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_1], al
		lea	ecx, [ecx+2Ch]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+arg_0] ; int
		lea	eax, [ecx+14h]
		mov	[ebp+var_30], eax
		cmp	[eax], ebx
		jz	short loc_A5FB7F
		mov	eax, dword ptr [ebp+var_10]
		imul	edi, [ecx+10h],	14h
		add	eax, edx
		mov	[ebp+var_24], eax
		mov	eax, esi
		mov	[ebp+var_C], eax
		add	edi, eax
		mov	[ebp+var_20], edi
		cmp	eax, edi
		mov	edi, [ebp+var_14]
		jnb	short loc_A5FB7F
		mov	ebx, dword ptr [ebp+var_10]
		mov	edi, [ebp+var_20]
		mov	esi, [ebp+var_24]

loc_A5FB28:				; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+CCj
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_A5FB66
		cmp	ecx, ebx
		jb	short loc_A5FB66
		cmp	ecx, esi
		jnb	short loc_A5FB66
		push	ecx		; int
		push	esi		; int
		push	ebx		; char
		push	1Dh		; int
		mov	edx, offset ??_C@_0FA@OOMHDMHL@Driver?5is?5trying?5to?5map?5an?5addr@JKADOLAD@ ; int
		mov	ecx, offset unk_6B680C ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		mov	eax, [ebp+var_C]
		mov	ecx, 0E6h	; int
		push	offset unk_6B680C ; int
		push	dword ptr [eax]	; int
		push	esi		; int
		push	ebx		; int
		push	1Dh
		pop	edx
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		mov	eax, [ebp+var_C]

loc_A5FB66:				; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+8Aj
					; ViAllocateMapRegistersFromFile(x,x,x,x,x)+8Ej ...
		add	eax, 14h
		mov	[ebp+var_C], eax
		cmp	eax, edi
		jb	short loc_A5FB28
		mov	esi, [ebp+var_28]
		mov	edi, [ebp+var_14]
		mov	ebx, [ebp+var_2C]
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_8]

loc_A5FB7F:				; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+5Ej
					; ViAllocateMapRegistersFromFile(x,x,x,x,x)+7Bj
		test	edi, edi
		jz	short loc_A5FBFF
		mov	eax, [ecx+10h]
		mov	ecx, [ebp+var_18]
		mov	[ebp+var_2C], eax

loc_A5FB8C:				; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+102j
		mov	eax, ebx
		cmp	ecx, [ebp+var_2C]
		jz	short loc_A5FBA8
		mov	ebx, [esi]
		inc	eax
		neg	ebx
		sbb	ebx, ebx
		add	esi, 14h
		not	ebx
		and	ebx, eax
		inc	ecx
		cmp	ebx, edi
		jb	short loc_A5FB8C
		jmp	short loc_A5FC02
; 

loc_A5FBA8:				; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+EFj
		push	ebx		; int
		push	edi		; int
		push	2		; char
		mov	esi, offset unk_6B67E8
		mov	edx, offset ??_C@_0CH@KJCAEBLJ@Map?5registers?5needed?3?5?$CFx?5availa@JKADOLAD@ ; int
		push	10000000h	; int
		mov	ecx, esi	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	esi		; int
		push	ebx		; int
		push	edi		; int
		push	2		; int
		xor	edx, edx	; int
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_A5FBEF
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+4]
		lea	ecx, [ecx+2Ch]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	loc_A5FCA0
; 

loc_A5FBEF:				; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+138j
		mov	eax, [ebp+var_8]
		xor	edx, edx
		add	eax, 2Ch
		lock and [eax],	edx
		jmp	loc_A5FCA0
; 

loc_A5FBFF:				; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+DFj
		mov	ecx, [ebp+var_18]

loc_A5FC02:				; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+104j
		imul	eax, edi, -14h
		sub	ecx, edi
		add	esi, eax
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		test	edi, edi
		jz	short loc_A5FC75
		mov	ebx, dword ptr [ebp+var_10]

loc_A5FC15:				; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+1D1j
		mov	ecx, ebx
		mov	[esi], ebx
		and	ecx, 0FFFh
		mov	[esi+10h], ebx
		mov	eax, 1000h
		dec	edi
		sub	eax, ecx
		cmp	eax, edx
		jb	short loc_A5FC30
		mov	eax, edx

loc_A5FC30:				; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+18Aj
		mov	[esi+4], eax
		xor	eax, eax
		cmp	[ebp+arg_4], al
		setz	al
		inc	eax
		mov	[esi+8], eax
		mov	eax, [ebp+var_30]
		lock inc dword ptr [eax]
		mov	eax, [esi+0Ch]
		mov	edx, [esi+4]
		add	eax, 1000h
		push	3
		add	ecx, eax
		call	_ViTagBuffer@12	; ViTagBuffer(x,x,x)
		mov	edx, [ebp+arg_0]
		add	ebx, 1000h
		sub	edx, [esi+4]
		and	ebx, 0FFFFF000h
		add	esi, 14h
		mov	[ebp+arg_0], edx
		test	edi, edi
		jnz	short loc_A5FC15

loc_A5FC75:				; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+16Ej
		test	ds:byte_70EFC6,	1
		jz	short loc_A5FC8E
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+4]
		lea	ecx, [ecx+2Ch]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5FC99
; 

loc_A5FC8E:				; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+1DAj
		mov	eax, [ebp+var_8]
		xor	edx, edx
		add	eax, 2Ch
		lock and [eax],	edx

loc_A5FC99:				; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+1EAj
		mov	[ebp+var_1C], 1

loc_A5FCA0:				; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+148j
					; ViAllocateMapRegistersFromFile(x,x,x,x,x)+158j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+var_1C]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
_ViAllocateMapRegistersFromFile@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViCheckAdapterBuffers(x)
_ViCheckAdapterBuffers@4 proc near	; CODE XREF: VfMapTransfer(x,x,x,x,x,x)+3Cp
					; VfMapTransferEx(x,x,x,x,x,x,x,x,x,x,x,x)+2Ap

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_C], esi
		lea	edi, [esi+2Ch]
		cmp	[edi], edi
		jz	loc_A5FD57
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [esi+34h]
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, [edi]
		sub	esi, 24h
		lea	ecx, [esi+24h]
		mov	[ebp+var_8], ecx
		cmp	edi, ecx
		jz	short loc_A5FD2A

loc_A5FCF0:				; CODE XREF: ViCheckAdapterBuffers(x)+75j
		mov	ecx, [esi+10h]
		mov	eax, ecx
		sub	eax, [esi+0Ch]
		cmp	eax, 8
		jb	short loc_A5FD00
		or	ebx, 1

loc_A5FD00:				; CODE XREF: ViCheckAdapterBuffers(x)+48j
		mov	edx, [esi+8]
		add	eax, 8
		add	eax, edx
		cmp	eax, [esi+4]
		ja	short loc_A5FD10
		or	ebx, 2

loc_A5FD10:				; CODE XREF: ViCheckAdapterBuffers(x)+58j
		push	ebx
		push	0
		call	_ViCheckTag@16	; ViCheckTag(x,x,x,x)
		mov	esi, [ebp+var_8]
		mov	esi, [esi]
		sub	esi, 24h
		lea	eax, [esi+24h]
		mov	[ebp+var_8], eax
		cmp	edi, eax
		jnz	short loc_A5FCF0

loc_A5FD2A:				; CODE XREF: ViCheckAdapterBuffers(x)+3Bj
		test	ds:byte_70EFC6,	1
		jz	short loc_A5FD43
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+4]
		lea	ecx, [ecx+34h]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A5FD4E
; 

loc_A5FD43:				; CODE XREF: ViCheckAdapterBuffers(x)+7Ej
		mov	eax, [ebp+var_C]
		xor	edx, edx
		add	eax, 34h
		lock and [eax],	edx

loc_A5FD4E:				; CODE XREF: ViCheckAdapterBuffers(x)+8Ej
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A5FD57:				; CODE XREF: ViCheckAdapterBuffers(x)+17j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViCheckAdapterBuffers@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViCheckMdlLength(x,	x, x, x)
_ViCheckMdlLength@16 proc near		; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+68p
					; VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+28Cp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	edx, edx
		jnz	short loc_A5FD69
		xor	eax, eax
		jmp	short loc_A5FDAF
; 

loc_A5FD69:				; CODE XREF: ViCheckMdlLength(x,x,x,x)+7j
		push	esi
		test	ecx, ecx
		jz	short loc_A5FDAC
		mov	eax, [ebp+arg_4]
		mov	esi, [ebp+arg_0]
		push	edi

loc_A5FD75:				; CODE XREF: ViCheckMdlLength(x,x,x,x)+2Fj
		mov	edi, [ecx+14h]
		test	eax, eax
		jb	short loc_A5FD8D
		ja	short loc_A5FD82
		cmp	esi, edi
		jbe	short loc_A5FD8D

loc_A5FD82:				; CODE XREF: ViCheckMdlLength(x,x,x,x)+20j
		mov	ecx, [ecx]
		sub	esi, edi
		sbb	eax, 0
		test	ecx, ecx
		jnz	short loc_A5FD75

loc_A5FD8D:				; CODE XREF: ViCheckMdlLength(x,x,x,x)+1Ej
					; ViCheckMdlLength(x,x,x,x)+24j
		pop	edi

loc_A5FD8E:				; CODE XREF: ViCheckMdlLength(x,x,x,x)+4Ej
		test	ecx, ecx
		jz	short loc_A5FDAC
		test	edx, edx
		jz	short loc_A5FDAC
		mov	eax, [ecx+14h]
		sub	eax, esi
		cmp	eax, edx
		jb	short loc_A5FDA1
		mov	eax, edx

loc_A5FDA1:				; CODE XREF: ViCheckMdlLength(x,x,x,x)+41j
		mov	ecx, [ecx]
		xor	esi, esi
		sub	edx, eax
		and	[ebp+arg_4], esi
		jmp	short loc_A5FD8E
; 

loc_A5FDAC:				; CODE XREF: ViCheckMdlLength(x,x,x,x)+10j
					; ViCheckMdlLength(x,x,x,x)+34j ...
		mov	eax, edx
		pop	esi

loc_A5FDAF:				; CODE XREF: ViCheckMdlLength(x,x,x,x)+Bj
		pop	ebp
		retn	8
_ViCheckMdlLength@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViCheckPadding(x, x, x, x)
_ViCheckPadding@16 proc	near		; CODE XREF: ViFreeMapRegisterFile(x,x)+CFp
					; ViSpecialFreeCommonBuffer(x,x,x,x)+32p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, edx
		mov	[ebp+var_8], ecx
		mov	edx, [ebp+arg_4] ; int
		cmp	edx, eax
		jz	locret_A5FEDE
		push	esi
		push	edi
		test	edx, edx
		jnz	short loc_A5FE15
		push	ecx
		mov	edx, eax
		call	_ViHasBufferBeenTouched@12 ; ViHasBufferBeenTouched(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A5FEDC
		push	0		; int
		push	esi		; int
		push	3		; char
		mov	edi, offset unk_6B67F0
		mov	edx, (offset loc_A57A1E+4) ; int
		push	1000000Fh	; int
		mov	ecx, edi	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	edi		; int
		push	0		; int
		push	esi		; int
		push	3		; int
		push	0Fh
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		jmp	loc_A5FEDC
; 

loc_A5FE15:				; CODE XREF: ViCheckPadding(x,x,x,x)+1Bj
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	edi, ebx
		sub	edi, ecx
		mov	[ebp+var_4], edi
		lea	esi, [ebx+edx]
		mov	[ebp+arg_4], esi
		mov	esi, ecx
		lea	ecx, [ebx+edx]
		sub	esi, ecx
		add	esi, eax
		cmp	edi, 8
		jb	short loc_A5FE37
		sub	edi, 8

loc_A5FE37:				; CODE XREF: ViCheckPadding(x,x,x,x)+7Fj
		cmp	[ebp+var_4], 8
		sbb	eax, eax
		inc	eax
		movzx	eax, ax
		cmp	esi, 8
		jb	short loc_A5FE55
		add	ecx, 8
		sub	esi, 8
		or	eax, 2
		mov	[ebp+arg_4], ecx
		movzx	eax, ax

loc_A5FE55:				; CODE XREF: ViCheckPadding(x,x,x,x)+91j
		push	eax
		push	0
		mov	ecx, ebx
		call	_ViCheckTag@16	; ViCheckTag(x,x,x,x)
		push	ecx
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_ViHasBufferBeenTouched@12 ; ViHasBufferBeenTouched(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A5FE9E
		push	edi		; int
		push	ebx		; int
		push	4		; char
		push	1000000Fh	; int
		mov	edx, (offset loc_A5792E+4) ; int
		mov	ecx, offset unk_6B67F4 ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B67F4 ; int
		push	edi		; int
		push	ebx		; int
		push	4		; int
		push	0Fh
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5FE9E:				; CODE XREF: ViCheckPadding(x,x,x,x)+BBj
		push	ecx
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViHasBufferBeenTouched@12 ; ViHasBufferBeenTouched(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A5FEDB
		push	esi		; int
		push	ebx		; int
		push	5		; char
		mov	edi, offset unk_6B67EC
		mov	edx, (offset loc_A578EB+5) ; int
		push	1000000Fh	; int
		mov	ecx, edi	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	edi		; int
		push	esi		; int
		push	ebx		; int
		push	5		; int
		push	0Fh
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5FEDB:				; CODE XREF: ViCheckPadding(x,x,x,x)+FAj
		pop	ebx

loc_A5FEDC:				; CODE XREF: ViCheckPadding(x,x,x,x)+29j
					; ViCheckPadding(x,x,x,x)+5Dj
		pop	edi
		pop	esi

locret_A5FEDE:				; CODE XREF: ViCheckPadding(x,x,x,x)+11j
		leave
		retn	8
_ViCheckPadding@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViCheckTag(x, x, x,	x)
_ViCheckTag@16	proc near		; CODE XREF: ViCheckAdapterBuffers(x)+60p
					; ViCheckPadding(x,x,x,x)+A7p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	[ebp+arg_4], 1
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		mov	[ebp+var_4], edi
		mov	esi, ebx
		lea	eax, [edi+ebx]
		jz	short loc_A5FF47
		push	8		; Length
		lea	eax, [edi-8]
		push	offset _ViDmaVerifierTag ; Source2
		push	eax		; Source1
		mov	[ebp+var_4], eax
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 8
		jz	short loc_A5FF41
		push	edi		; int
		push	ebx		; int
		push	1		; char
		mov	esi, offset unk_6B67E0
		mov	edx, offset ??_C@_0DI@KHHAGFFI@Area?5before?5?$CFx?5byte?5allocation?5@JKADOLAD@ ; int
		push	1000000Fh	; int
		mov	ecx, esi	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	esi		; int
		push	edi		; int
		push	ebx		; int
		push	1		; int
		push	0Fh
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5FF41:				; CODE XREF: ViCheckTag(x,x,x,x)+31j
		lea	esi, [ebx+8]
		lea	eax, [edi+ebx]

loc_A5FF47:				; CODE XREF: ViCheckTag(x,x,x,x)+19j
		test	[ebp+arg_4], 2
		jz	short loc_A5FF90
		push	8		; Length
		push	offset _ViDmaVerifierTag ; Source2
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 8
		jz	short loc_A5FF8D
		push	edi		; int
		push	ebx		; int
		push	2		; char
		push	1000000Fh	; int
		mov	edx, (offset loc_A57A55+5) ; int
		mov	ecx, offset unk_6B67E4 ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B67E4 ; int
		push	edi		; int
		push	ebx		; int
		push	2		; int
		push	0Fh
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A5FF8D:				; CODE XREF: ViCheckTag(x,x,x,x)+7Bj
		add	esi, 8

loc_A5FF90:				; CODE XREF: ViCheckTag(x,x,x,x)+69j
		cmp	[ebp+arg_0], 0
		jz	short loc_A5FFA4
		push	esi		; size_t
		push	0Fh		; int
		push	[ebp+var_4]	; void *
		call	_memset
		add	esp, 0Ch

loc_A5FFA4:				; CODE XREF: ViCheckTag(x,x,x,x)+B2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_ViCheckTag@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViCommonBufferCalculatePadding(x, x, x)
_ViCommonBufferCalculatePadding@12 proc	near
					; CODE XREF: ViSpecialAllocateCommonBuffer(x,x,x,x,x,x)+68p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, 1000h
		mov	[edx], esi
		lea	edx, [ecx+8]
		cmp	edx, esi
		ja	short loc_A5FFC3
		sub	esi, ecx
		jmp	short loc_A5FFE2
; 

loc_A5FFC3:				; CODE XREF: ViCommonBufferCalculatePadding(x,x,x)+12j
		push	edi
		mov	edi, 0FFFh
		test	ecx, edi
		jz	short loc_A5FFE1
		mov	eax, edx
		and	eax, edi
		neg	eax
		sbb	eax, eax
		and	edx, 0FFFFF000h
		and	esi, eax
		add	esi, edx
		sub	esi, ecx

loc_A5FFE1:				; CODE XREF: ViCommonBufferCalculatePadding(x,x,x)+20j
		pop	edi

loc_A5FFE2:				; CODE XREF: ViCommonBufferCalculatePadding(x,x,x)+16j
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		pop	esi
		pop	ebp
		retn	4
_ViCommonBufferCalculatePadding@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ViCopyBackModifiedBuffer(void *Source1,void *Source2,SIZE_T Length)
_ViCopyBackModifiedBuffer@20 proc near	; CODE XREF: ViFlushDoubleBuffer(x,x,x,x,x)+100p

var_4		= dword	ptr -4
Source1		= dword	ptr  8
Source2		= dword	ptr  0Ch
Length		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+Length]
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		push	edi
		test	esi, esi
		jz	loc_A600B3
		mov	edi, [ebp+Source1]
		push	esi		; Length
		push	[ebp+Source2]	; Source2
		push	edi		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		mov	ecx, eax
		cmp	esi, ecx
		jbe	short loc_A60033
		lea	edx, [esi-1]
		add	edx, [ebp+Source2]
		sub	edi, [ebp+Source2]

loc_A60021:				; CODE XREF: ViCopyBackModifiedBuffer(x,x,x,x,x)+40j
		mov	al, [edi+edx]
		cmp	al, [edx]
		jnz	short loc_A6002E
		dec	esi
		dec	edx
		cmp	esi, ecx
		ja	short loc_A60021

loc_A6002E:				; CODE XREF: ViCopyBackModifiedBuffer(x,x,x,x,x)+3Aj
		mov	edi, [ebp+Source1]
		cmp	esi, ecx

loc_A60033:				; CODE XREF: ViCopyBackModifiedBuffer(x,x,x,x,x)+2Aj
		jz	short loc_A600B3
		mov	eax, [ebp+var_4]
		add	edi, ecx
		mov	[ebp+Source1], edi
		sub	esi, ecx
		mov	edi, [ebx+18h]
		add	edi, [ebx+14h]
		add	edi, [ebx+10h]
		sub	edi, eax
		jmp	short loc_A6005F
; 

loc_A6004C:				; CODE XREF: ViCopyBackModifiedBuffer(x,x,x,x,x)+75j
		mov	edx, [ebx]
		test	edx, edx
		jz	short loc_A60063
		mov	ebx, edx
		sub	ecx, edi
		mov	eax, [ebx+18h]
		add	eax, [ebx+10h]
		mov	edi, [ebx+14h]

loc_A6005F:				; CODE XREF: ViCopyBackModifiedBuffer(x,x,x,x,x)+5Ej
		cmp	ecx, edi
		jnb	short loc_A6004C

loc_A60063:				; CODE XREF: ViCopyBackModifiedBuffer(x,x,x,x,x)+64j
		add	eax, ecx
		cmp	dword ptr [ebx], 0
		jnz	short loc_A6006E
		mov	edi, esi
		jmp	short loc_A60070
; 

loc_A6006E:				; CODE XREF: ViCopyBackModifiedBuffer(x,x,x,x,x)+7Cj
		sub	edi, ecx

loc_A60070:				; CODE XREF: ViCopyBackModifiedBuffer(x,x,x,x,x)+80j
					; ViCopyBackModifiedBuffer(x,x,x,x,x)+C5j
		mov	edx, eax
		mov	ecx, ebx
		call	_ViGetMdlBufferSa@8 ; ViGetMdlBufferSa(x,x)
		test	eax, eax
		jz	short loc_A600CB
		cmp	dword ptr [ebx], 0
		jz	short loc_A600BC
		cmp	edi, esi
		jbe	short loc_A60088
		mov	edi, esi

loc_A60088:				; CODE XREF: ViCopyBackModifiedBuffer(x,x,x,x,x)+98j
		push	edi		; size_t
		push	[ebp+Source1]	; void *
		push	eax		; void *
		call	_memcpy
		add	[ebp+Source1], edi
		mov	eax, esi
		mov	ebx, [ebx]
		sub	eax, edi
		add	esp, 0Ch
		cmp	esi, edi
		sbb	esi, esi

loc_A600A2:				; DATA XREF: SecureDump_PrepareForInit+34o
		mov	edi, [ebx+14h]
		not	esi
		and	esi, eax
		mov	eax, [ebx+18h]
		add	eax, [ebx+10h]
		test	esi, esi
		jnz	short loc_A60070

loc_A600B3:				; CODE XREF: ViCopyBackModifiedBuffer(x,x,x,x,x)+13j
					; ViCopyBackModifiedBuffer(x,x,x,x,x):loc_A60033j ...
		xor	eax, eax

loc_A600B5:				; CODE XREF: ViCopyBackModifiedBuffer(x,x,x,x,x)+E4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_A600BC:				; CODE XREF: ViCopyBackModifiedBuffer(x,x,x,x,x)+94j
		push	esi		; size_t
		push	[ebp+Source1]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_A600B3
; 

loc_A600CB:				; CODE XREF: ViCopyBackModifiedBuffer(x,x,x,x,x)+8Fj
		mov	eax, 0C0000001h
		jmp	short loc_A600B5
_ViCopyBackModifiedBuffer@20 endp


;  S U B	R O U T	I N E 


; __stdcall ViCopyDeviceDescription(x, x, x)
_ViCopyDeviceDescription@12 proc near	; CODE XREF: ViHookDmaAdapter(x,x,x,x)+9Ap
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	eax, [esi]
		cmp	eax, 3
		jbe	short loc_A6010D
		push	ebx
		push	0		; int
		push	esi		; int
		push	eax		; char
		mov	ebx, offset unk_6B679C
		mov	edx, offset ??_C@_0CP@GMOPKIEC@Unknown?5version?5?$CFx?5for?5DEVICE_D@JKADOLAD@	; int
		push	25h		; int
		mov	ecx, ebx	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	ebx		; int
		push	0		; int
		push	esi		; int
		push	dword ptr [esi]	; int
		mov	ecx, 0E6h	; int
		push	25h
		pop	edx
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		pop	ebx

loc_A6010D:				; CODE XREF: ViCopyDeviceDescription(x,x,x)+Dj
		mov	al, [esi+4]
		mov	[edi+4], al
		mov	al, [esi+5]
		mov	[edi+5], al
		mov	al, [esi+6]
		mov	[edi+6], al
		mov	al, [esi+7]
		mov	[edi+7], al
		mov	al, [esi+8]
		mov	[edi+8], al
		mov	al, [esi+9]
		mov	[edi+9], al
		mov	al, [esi+0Ah]
		mov	[edi+0Ah], al
		mov	al, [esi+0Bh]
		mov	[edi+0Bh], al
		mov	eax, [esi+0Ch]
		mov	[edi+0Ch], eax
		mov	eax, [esi+10h]
		mov	[edi+10h], eax
		mov	eax, [esi+14h]
		mov	[edi+14h], eax
		mov	eax, [esi+18h]
		mov	[edi+18h], eax
		mov	eax, [esi+1Ch]
		mov	[edi+1Ch], eax
		mov	eax, [esi+20h]
		mov	[edi+20h], eax
		mov	eax, [esi+24h]
		mov	[edi+24h], eax
		mov	eax, [esi]
		mov	[edi], eax
		cmp	dword ptr [esi], 3
		jnz	short loc_A6018E
		mov	eax, [esi+28h]
		mov	[edi+28h], eax
		mov	eax, [esi+2Ch]
		mov	[edi+2Ch], eax
		mov	eax, [esi+30h]
		mov	[edi+30h], eax
		mov	eax, [esi+38h]
		mov	[edi+38h], eax
		mov	eax, [esi+3Ch]
		mov	[edi+3Ch], eax

loc_A6018E:				; CODE XREF: ViCopyDeviceDescription(x,x,x)+9Cj
		pop	edi
		pop	esi
		retn	4
_ViCopyDeviceDescription@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFindMappedRegisterInFile(x, x, x)
_ViFindMappedRegisterInFile@12 proc near ; CODE	XREF: ViFlushDoubleBuffer(x,x,x,x,x)+32p
					; ViFreeMapRegistersToFile(x,x,x)+2Ep ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		lea	eax, [ecx+30h]
		xor	esi, esi
		mov	ecx, [ecx+10h]
		test	ecx, ecx
		jz	short loc_A601B1

loc_A601A5:				; CODE XREF: ViFindMappedRegisterInFile(x,x,x)+1Cj
		cmp	edx, [eax]
		jz	short loc_A601B8
		add	eax, 14h
		inc	esi
		cmp	esi, ecx
		jb	short loc_A601A5

loc_A601B1:				; CODE XREF: ViFindMappedRegisterInFile(x,x,x)+10j
		xor	eax, eax

loc_A601B3:				; CODE XREF: ViFindMappedRegisterInFile(x,x,x)+2Aj
					; ViFindMappedRegisterInFile(x,x,x)+2Ej
		pop	esi
		pop	ebp
		retn	4
; 

loc_A601B8:				; CODE XREF: ViFindMappedRegisterInFile(x,x,x)+14j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_A601B3
		mov	[ecx], esi
		jmp	short loc_A601B3
_ViFindMappedRegisterInFile@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFlushDoubleBuffer(x, x, x, x, x)
_ViFlushDoubleBuffer@20	proc near	; CODE XREF: VfFlushAdapterBuffers(x,x,x,x,x,x)+D5p
					; VfPutScatterGatherList(x,x,x)+118p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
Source1		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+Source1], 0
		mov	eax, edx
		mov	edx, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], eax
		push	edi
		mov	ecx, eax
		call	_ViGetMdlBufferSa@8 ; ViGetMdlBufferSa(x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A602E7
		push	ebx		; char
		lea	eax, [ebp+Source1]
		mov	edx, edi	; int
		push	eax
		mov	ecx, esi
		call	_ViFindMappedRegisterInFile@12 ; ViFindMappedRegisterInFile(x,x,x)
		test	eax, eax
		jnz	short loc_A6022D
		push	eax		; int
		push	esi		; int
		push	edi		; char
		mov	ebx, offset unk_6B6810
		mov	edx, offset ??_C@_0DD@MALFEKON@Cannot?5flush?5buffers?5that?5aren?8@JKADOLAD@ ;	int
		push	16h		; int
		mov	ecx, ebx	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	ebx		; int
		push	0		; int
		push	esi		; int
		push	edi		; int
		push	16h
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		xor	eax, eax
		jmp	loc_A602E6
; 

loc_A6022D:				; CODE XREF: ViFlushDoubleBuffer(x,x,x,x,x)+39j
		mov	ecx, [ebp+Source1]
		mov	eax, edi
		mov	ebx, [esi+20h]
		and	eax, 0FFFh
		shl	ecx, 0Ch
		add	eax, ecx
		mov	ecx, [esi+24h]
		add	ecx, eax
		mov	[ebp+var_8], eax
		test	byte ptr [ebx+6], 5
		mov	[ebp+Source1], ecx
		jz	short loc_A60255
		mov	eax, [ebx+0Ch]
		jmp	short loc_A60263
; 

loc_A60255:				; CODE XREF: ViFlushDoubleBuffer(x,x,x,x,x)+8Bj
		push	0
		push	ebx
		call	_MmMapLockedPages@8 ; MmMapLockedPages(x,x)
		mov	ebx, [esi+20h]
		mov	ecx, [ebp+Source1]

loc_A60263:				; CODE XREF: ViFlushDoubleBuffer(x,x,x,x,x)+90j
		mov	ebx, [ebx+14h]
		sub	ebx, ecx
		add	ebx, eax
		mov	eax, [ebp+arg_4]
		cmp	eax, ebx
		jbe	short loc_A602A8
		push	eax		; int
		push	ebx		; int
		push	1		; char
		push	10000000h	; int
		mov	edx, offset ??_C@_0EK@KMJLBFKL@FLUSH?3?5Can?5only?5flush?5?$CFx?5bytes?5@JKADOLAD@ ; int
		mov	ecx, offset unk_6B6808 ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B6808 ; int
		push	[ebp+arg_4]	; int
		xor	edx, edx	; int
		mov	ecx, 0E6h	; int
		push	ebx		; int
		push	1		; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		mov	ecx, [ebp+Source1]
		mov	eax, ebx
		mov	[ebp+arg_4], eax

loc_A602A8:				; CODE XREF: ViFlushDoubleBuffer(x,x,x,x,x)+ACj
		cmp	[ebp+arg_8], 0
		jnz	short loc_A602C8
		mov	edx, [esi+28h]
		test	edx, edx
		jz	short loc_A602C8
		push	eax		; Length
		mov	eax, [ebp+var_8]
		add	eax, edx
		mov	edx, [ebp+arg_0]
		push	eax		; Source2
		push	ecx		; Source1
		mov	ecx, [ebp+var_C]
		call	_ViCopyBackModifiedBuffer@20 ; ViCopyBackModifiedBuffer(x,x,x,x,x)

loc_A602C8:				; CODE XREF: ViFlushDoubleBuffer(x,x,x,x,x)+E9j
					; ViFlushDoubleBuffer(x,x,x,x,x)+F0j
		push	[ebp+arg_4]
		mov	edx, edi
		mov	ecx, esi
		call	_ViFreeMapRegistersToFile@12 ; ViFreeMapRegistersToFile(x,x,x)
		test	eax, eax
		jnz	short loc_A602E3
		push	(offset	loc_A57819+3) ;	char *
		call	_VfUtilDbgPrint
		pop	ecx

loc_A602E3:				; CODE XREF: ViFlushDoubleBuffer(x,x,x,x,x)+113j
		xor	eax, eax
		inc	eax

loc_A602E6:				; CODE XREF: ViFlushDoubleBuffer(x,x,x,x,x)+65j
		pop	ebx

loc_A602E7:				; CODE XREF: ViFlushDoubleBuffer(x,x,x,x,x)+23j
		pop	edi
		pop	esi
		leave
		retn	0Ch
_ViFlushDoubleBuffer@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFreeMapRegisterFile(x, x)
_ViFreeMapRegisterFile@8 proc near	; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+15Dp
					; VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+149p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		mov	[ebp+var_4], edi
		test	esi, esi
		jz	loc_A6041A
		cmp	dword ptr [esi], 0ACEFD00Dh
		jnz	loc_A6041A
		push	ebx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		add	edi, 40h
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [esi+4]
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		cmp	[eax+4], ecx
		jnz	loc_A60415
		cmp	[edx], ecx
		jnz	loc_A60415
		mov	[edx], eax
		mov	[eax+4], edx
		test	ds:byte_70EFC6,	1
		jz	short loc_A60356
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A6035B
; 

loc_A60356:				; CODE XREF: ViFreeMapRegisterFile(x,x)+5Bj
		xor	eax, eax
		lock and [edi],	eax

loc_A6035B:				; CODE XREF: ViFreeMapRegisterFile(x,x)+67j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		and	dword ptr [esi], 0
		mov	edi, [esi+18h]
		test	edi, edi
		jz	short loc_A60382
		test	byte ptr [edi+6], 1
		jz	short loc_A6037C
		push	edi
		push	dword ptr [edi+0Ch]
		call	MmUnmapLockedPages

loc_A6037C:				; CODE XREF: ViFreeMapRegisterFile(x,x)+84j
		push	edi
		call	_IoFreeMdl@4	; IoFreeMdl(x)

loc_A60382:				; CODE XREF: ViFreeMapRegisterFile(x,x)+7Ej
		push	dword ptr [esi+20h]
		push	dword ptr [esi+24h]
		call	MmUnmapLockedPages
		xor	ebx, ebx
		lea	edi, [esi+30h]
		cmp	[esi+10h], ebx
		jbe	short loc_A603E7

loc_A60397:				; CODE XREF: ViFreeMapRegisterFile(x,x)+F8j
		mov	eax, [edi]
		mov	ecx, [edi+0Ch]
		test	eax, eax
		jz	short loc_A603B1
		mov	edx, [edi+4]
		and	eax, 0FFFh
		add	eax, 1000h
		add	eax, ecx
		jmp	short loc_A603B5
; 

loc_A603B1:				; CODE XREF: ViFreeMapRegisterFile(x,x)+B1j
		xor	eax, eax
		xor	edx, edx

loc_A603B5:				; CODE XREF: ViFreeMapRegisterFile(x,x)+C2j
		push	edx
		push	eax
		mov	edx, 3000h
		call	_ViCheckPadding@16 ; ViCheckPadding(x,x,x,x)
		mov	edx, [edi+0Ch]
		mov	ecx, [ebp+var_4]
		and	dword ptr [edi+8], 0
		push	ebx
		call	_ViFreeToContiguousMemory@12 ; ViFreeToContiguousMemory(x,x,x)
		test	eax, eax
		jnz	short loc_A603DE
		push	eax
		push	dword ptr [edi+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A603DE:				; CODE XREF: ViFreeMapRegisterFile(x,x)+E6j
		inc	ebx
		add	edi, 14h
		cmp	ebx, [esi+10h]
		jb	short loc_A60397

loc_A603E7:				; CODE XREF: ViFreeMapRegisterFile(x,x)+A8j
		push	dword ptr [esi+20h]
		call	_IoFreeMdl@4	; IoFreeMdl(x)
		mov	eax, [esi+28h]
		pop	ebx
		test	eax, eax
		jz	short loc_A603FD
		push	eax
		call	_VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)

loc_A603FD:				; CODE XREF: ViFreeMapRegisterFile(x,x)+108j
		push	44h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		push	esi
		call	_VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)
		xor	eax, eax
		inc	eax
		jmp	short loc_A6041C
; 

loc_A60415:				; CODE XREF: ViFreeMapRegisterFile(x,x)+41j
					; ViFreeMapRegisterFile(x,x)+49j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A6041A:				; CODE XREF: ViFreeMapRegisterFile(x,x)+11j
					; ViFreeMapRegisterFile(x,x)+1Dj
		xor	eax, eax

loc_A6041C:				; CODE XREF: ViFreeMapRegisterFile(x,x)+126j
		pop	edi
		pop	esi
		leave
		retn
_ViFreeMapRegisterFile@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFreeMapRegistersToFile(x,	x, x)
_ViFreeMapRegistersToFile@12 proc near	; CODE XREF: ViFlushDoubleBuffer(x,x,x,x,x)+10Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	ebx, [ecx+14h]
		push	edi
		mov	edi, [ebx]
		test	esi, esi
		jz	short loc_A60459
		mov	eax, edx
		add	esi, 0FFFh
		and	eax, 0FFFh
		add	esi, eax
		shr	esi, 0Ch
		cmp	esi, edi
		jb	short loc_A6044C

loc_A6044A:				; CODE XREF: ViFreeMapRegistersToFile(x,x,x)+3Cj
		mov	esi, edi

loc_A6044C:				; CODE XREF: ViFreeMapRegistersToFile(x,x,x)+28j
					; ViFreeMapRegistersToFile(x,x,x)+41j
		push	0
		call	_ViFindMappedRegisterInFile@12 ; ViFindMappedRegisterInFile(x,x,x)
		test	eax, eax
		jnz	short loc_A60463
		jmp	short loc_A604A6
; 

loc_A60459:				; CODE XREF: ViFreeMapRegistersToFile(x,x,x)+12j
		cmp	edi, 1
		jbe	short loc_A6044A
		xor	esi, esi
		inc	esi
		jmp	short loc_A6044C
; 

loc_A60463:				; CODE XREF: ViFreeMapRegistersToFile(x,x,x)+35j
		test	esi, esi
		jz	short loc_A604A3
		lea	edi, [eax+8]

loc_A6046A:				; CODE XREF: ViFreeMapRegistersToFile(x,x,x)+81j
		mov	ecx, [edi-8]
		test	ecx, ecx
		jz	short loc_A604A3
		mov	eax, [edi+4]
		and	ecx, 0FFFh
		mov	edx, [edi-4]
		add	eax, 1000h
		push	3
		push	1
		add	ecx, eax
		call	_ViCheckTag@16	; ViCheckTag(x,x,x,x)
		and	dword ptr [edi], 0FFFFFFFCh
		and	dword ptr [edi-8], 0
		and	dword ptr [edi-4], 0
		lock dec dword ptr [ebx]
		add	edi, 14h
		sub	esi, 1
		jnz	short loc_A6046A

loc_A604A3:				; CODE XREF: ViFreeMapRegistersToFile(x,x,x)+45j
					; ViFreeMapRegistersToFile(x,x,x)+4Fj
		xor	eax, eax
		inc	eax

loc_A604A6:				; CODE XREF: ViFreeMapRegistersToFile(x,x,x)+37j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_ViFreeMapRegistersToFile@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFreeToContiguousMemory(x,	x, x)
_ViFreeToContiguousMemory@12 proc near	; CODE XREF: ViAllocateMapRegisterFile(x,x)+18Ap
					; ViFreeMapRegisterFile(x,x)+DFp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	eax, [ebx+0BCh]
		test	eax, eax
		jz	short loc_A604DC
		mov	esi, [ebp+arg_0]
		cmp	esi, 20h
		jnb	short loc_A604CD
		cmp	[eax+esi*4], edx
		jz	short loc_A604E4

loc_A604CD:				; CODE XREF: ViFreeToContiguousMemory(x,x,x)+19j
		xor	esi, esi

loc_A604CF:				; CODE XREF: ViFreeToContiguousMemory(x,x,x)+2Dj
		cmp	[eax], edx
		jz	short loc_A604E4
		inc	esi
		add	eax, 4
		cmp	esi, 20h
		jb	short loc_A604CF

loc_A604DC:				; CODE XREF: ViFreeToContiguousMemory(x,x,x)+11j
					; ViFreeToContiguousMemory(x,x,x)+3Aj
		xor	eax, eax

loc_A604DE:				; CODE XREF: ViFreeToContiguousMemory(x,x,x)+89j
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_A604E4:				; CODE XREF: ViFreeToContiguousMemory(x,x,x)+1Ej
					; ViFreeToContiguousMemory(x,x,x)+24j
		cmp	esi, 20h
		jnb	short loc_A604DC
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [ebx+0C8h]
		mov	byte ptr [ebp+arg_0+3],	al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		push	1
		push	esi
		lea	edx, [ebx+0D0h]
		push	edx
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		test	ds:byte_70EFC6,	1
		jz	short loc_A60524
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A60529
; 

loc_A60524:				; CODE XREF: ViFreeToContiguousMemory(x,x,x)+69j
		xor	ecx, ecx
		lock and [edi],	ecx

loc_A60529:				; CODE XREF: ViFreeToContiguousMemory(x,x,x)+75j
		mov	cl, byte ptr [ebp+arg_0+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	eax, eax
		inc	eax
		pop	edi
		jmp	short loc_A604DE
_ViFreeToContiguousMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViGetAdapterInformationInternal(x, x)
_ViGetAdapterInformationInternal@8 proc	near
					; CODE XREF: VfAllocateAdapterChannel(x,x,x,x,x)+1Ep
					; VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+Fp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	bh, dl
		test	edi, edi
		jz	loc_A6062E
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jbe	short loc_A6056D
		cmp	_ViVerifyDma, 0
		jz	loc_A6062E
		call	_VF_ASSERT_MAX_IRQL@4 ;	VF_ASSERT_MAX_IRQL(x)
		jmp	loc_A6062E
; 

loc_A6056D:				; CODE XREF: ViGetAdapterInformationInternal(x,x)+1Cj
		cmp	_ViVerifyDma, 0
		jnz	short loc_A60583
		cmp	ds:_ViEnableAfterHibernate, 1
		jz	loc_A6062E

loc_A60583:				; CODE XREF: ViGetAdapterInformationInternal(x,x)+3Cj
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_AB06E0
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, ds:_ViAdapterList
		mov	eax, offset _ViAdapterList
		jmp	short loc_A605A9
; 

loc_A605A2:				; CODE XREF: ViGetAdapterInformationInternal(x,x)+73j
		cmp	edi, [esi+8]
		jz	short loc_A605C5
		mov	esi, [esi]

loc_A605A9:				; CODE XREF: ViGetAdapterInformationInternal(x,x)+68j
		cmp	esi, eax
		jnz	short loc_A605A2
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_AB06E0
		jz	short loc_A60621
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A60626
; 

loc_A605C5:				; CODE XREF: ViGetAdapterInformationInternal(x,x)+6Dj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_AB06E0
		jz	short loc_A605DD
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A605E2
; 

loc_A605DD:				; CODE XREF: ViGetAdapterInformationInternal(x,x)+99j
		xor	eax, eax
		lock and [ecx],	eax

loc_A605E2:				; CODE XREF: ViGetAdapterInformationInternal(x,x)+A3j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bh, bh
		jz	short loc_A6061D
		cmp	dword ptr [esi+14h], 0
		jg	short loc_A6061D
		push	0		; int
		push	esi		; int
		push	edi		; char
		mov	ebx, offset unk_6B6844
		mov	edx, offset ??_C@_0EO@LICNNLJA@Driver?5has?5attempted?5to?5access?5@JKADOLAD@ ;	int
		push	18h		; int
		mov	ecx, ebx	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	ebx		; int
		push	0		; int
		push	esi		; int
		push	edi		; int
		push	18h
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A6061D:				; CODE XREF: ViGetAdapterInformationInternal(x,x)+B4j
					; ViGetAdapterInformationInternal(x,x)+BAj
		mov	eax, esi
		jmp	short loc_A60630
; 

loc_A60621:				; CODE XREF: ViGetAdapterInformationInternal(x,x)+81j
		xor	eax, eax
		lock and [ecx],	eax

loc_A60626:				; CODE XREF: ViGetAdapterInformationInternal(x,x)+8Bj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A6062E:				; CODE XREF: ViGetAdapterInformationInternal(x,x)+Ej
					; ViGetAdapterInformationInternal(x,x)+25j ...
		xor	eax, eax

loc_A60630:				; CODE XREF: ViGetAdapterInformationInternal(x,x)+E7j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_ViGetAdapterInformationInternal@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViGetMapRegisterFile(x)
_ViGetMapRegisterFile@4	proc near	; CODE XREF: VfFlushAdapterBuffers(x,x,x,x,x,x)+47p
					; VfMapTransfer(x,x,x,x,x,x)+9Bp ...
		and	ecx, 0FFFFFFFEh
		jz	short loc_A60647
		cmp	dword ptr [ecx], 0ACEFD00Dh
		jnz	short loc_A60647
		xor	eax, eax
		inc	eax
		jmp	short loc_A60649
; 

loc_A60647:				; CODE XREF: ViGetMapRegisterFile(x)+3j
					; ViGetMapRegisterFile(x)+Bj
		xor	eax, eax

loc_A60649:				; CODE XREF: ViGetMapRegisterFile(x)+10j
		neg	eax
		sbb	eax, eax
		and	eax, ecx
		retn
_ViGetMapRegisterFile@4	endp


;  S U B	R O U T	I N E 


; __stdcall ViGetMdlBufferSa(x,	x)
_ViGetMdlBufferSa@8 proc near		; CODE XREF: ViCopyBackModifiedBuffer(x,x,x,x,x)+88p
					; ViFlushDoubleBuffer(x,x,x,x,x)+1Ap ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		push	edi
		mov	ecx, [esi+18h]
		mov	edx, [esi+10h]
		lea	eax, [edx+ecx]
		cmp	ebx, eax
		jb	short loc_A606BA
		mov	eax, [esi+14h]
		add	eax, edx
		add	eax, ecx
		cmp	ebx, eax
		jnb	short loc_A606BA
		xor	edi, edi
		test	byte ptr [esi+6], 5
		jz	short loc_A6067E
		mov	eax, [esi+0Ch]
		jmp	short loc_A6068E
; 

loc_A6067E:				; CODE XREF: ViGetMdlBufferSa(x,x)+27j
		push	40000010h
		push	edi
		push	edi
		push	1
		push	edi
		push	esi
		call	MmMapLockedPagesSpecifyCache

loc_A6068E:				; CODE XREF: ViGetMdlBufferSa(x,x)+2Cj
		test	eax, eax
		jnz	short loc_A606B0
		push	edi		; int
		push	edi		; int
		push	esi		; char
		mov	ebx, offset unk_6B67D4
		mov	edx, offset ??_C@_0CE@HDMMGAEC@Dma?5MDL?5?$CFp?5not?5mapped?5in?5system@JKADOLAD@ ; int
		push	22h		; int
		mov	ecx, ebx	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	ebx
		push	edi
		push	edi
		push	esi
		push	22h
		jmp	short loc_A606DA
; 

loc_A606B0:				; CODE XREF: ViGetMdlBufferSa(x,x)+40j
		sub	eax, [esi+10h]
		sub	eax, [esi+18h]
		add	eax, ebx
		jmp	short loc_A606E7
; 

loc_A606BA:				; CODE XREF: ViGetMdlBufferSa(x,x)+14j
					; ViGetMdlBufferSa(x,x)+1Fj
		xor	edi, edi
		mov	edx, offset ??_C@_0CL@HDDFKFCN@Virtual?5address?5?$CFp?5out?5of?5bound@JKADOLAD@ ; int
		push	edi		; int
		push	esi		; int
		push	ebx		; char
		push	1Bh		; int
		mov	ecx, offset unk_6B67D0 ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B67D0 ; int
		push	edi		; int
		push	esi		; int
		push	ebx		; int
		push	1Bh

loc_A606DA:				; CODE XREF: ViGetMdlBufferSa(x,x)+5Ej
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		xor	eax, eax

loc_A606E7:				; CODE XREF: ViGetMdlBufferSa(x,x)+68j
		pop	edi
		pop	esi
		pop	ebx
		retn
_ViGetMdlBufferSa@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViGetRealDmaOperation(x, x)
_ViGetRealDmaOperation@8 proc near	; CODE XREF: VfAllocateDomainCommonBuffer(x,x,x,x,x,x,x,x,x)+2Cp
					; VfFlushDmaBuffer(x,x,x)+Bp ...
		cmp	_ViVerifyDma, 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jz	short loc_A6072B
		test	esi, esi
		jnz	short loc_A6072B
		push	ebx
		xor	eax, eax
		mov	ebx, offset unk_6B6848
		push	eax		; int
		push	eax		; int
		push	eax		; char
		push	19h		; int
		mov	edx, offset ??_C@_0DA@MKAOPBB@DMA?5adapters?5aren?8t?5supposed?5to@JKADOLAD@ ; int
		mov	ecx, ebx	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	ebx		; int
		xor	eax, eax
		mov	ecx, 0E6h	; int
		push	eax		; int
		push	eax		; int
		push	eax		; int
		push	19h
		pop	edx
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		pop	ebx

loc_A6072B:				; CODE XREF: ViGetRealDmaOperation(x,x)+Dj
					; ViGetRealDmaOperation(x,x)+11j
		mov	dl, 1
		mov	ecx, esi
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		test	eax, eax
		jz	short loc_A60751
		cmp	dword ptr [eax+78h], 3
		jnb	short loc_A6074C
		mov	ecx, ds:_ViLegacyDmaOperations[edi]
		test	ecx, ecx
		jz	short loc_A6074C
		mov	eax, ecx
		jmp	short loc_A60757
; 

loc_A6074C:				; CODE XREF: ViGetRealDmaOperation(x,x)+51j
					; ViGetRealDmaOperation(x,x)+5Bj
		mov	eax, [eax+1Ch]
		jmp	short loc_A60754
; 

loc_A60751:				; CODE XREF: ViGetRealDmaOperation(x,x)+4Bj
		mov	eax, [esi+4]

loc_A60754:				; CODE XREF: ViGetRealDmaOperation(x,x)+64j
		mov	eax, [edi+eax]

loc_A60757:				; CODE XREF: ViGetRealDmaOperation(x,x)+5Fj
		pop	edi
		pop	esi
		retn
_ViGetRealDmaOperation@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViHalApplySettings()
_ViHalApplySettings@0 proc near		; CODE XREF: VfHalVerifierInitialize()+56j
					; VfSettingsCheckForChanges(x,x,x,x)+5Ep ...
		test	byte ptr _MmVerifierData, 80h
		jnz	short loc_A60768
		xor	eax, eax
		inc	eax
		jmp	short loc_A607A5
; 

loc_A60768:				; CODE XREF: ViHalApplySettings()+7j
		cmp	ds:_ViHalEnabledInThePast, 0
		jnz	short loc_A607A3
		xor	ecx, ecx
		inc	ecx
		cmp	_HalPrivateDispatchTable, 33h
		mov	_ViVerifyDma, ecx
		jb	short loc_A60797
		mov	eax, off_6B1240
		mov	ds:_VfRealHalAllocateMapRegisters, eax
		mov	off_6B1240, offset _VfHalAllocateMapRegisters@16 ; VfHalAllocateMapRegisters(x,x,x,x)

loc_A60797:				; CODE XREF: ViHalApplySettings()+27j
		mov	ds:_ViDoubleBufferDma, ecx
		mov	ds:_ViHalEnabledInThePast, ecx

loc_A607A3:				; CODE XREF: ViHalApplySettings()+15j
		xor	eax, eax

loc_A607A5:				; CODE XREF: ViHalApplySettings()+Cj
		mov	ds:_ViDMADisabledNoRebootNeeded, eax
		retn
_ViHalApplySettings@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViHalFreeDomainCommonBuffer(x)
_ViHalFreeDomainCommonBuffer@4 proc near ; CODE	XREF: VfFreeCommonBuffer(x,x,x,x,x,x)+24p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	bl, bl
		xor	edi, edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset dword_AB06F0
		mov	bh, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_ViDomainCommonBufferList
		cmp	ecx, offset _ViDomainCommonBufferList
		jz	short loc_A60804
		mov	eax, [esi]
		mov	[ebp+var_4], eax
		mov	eax, [esi+4]
		mov	esi, [ebp+var_4]
		mov	[ebp+var_8], eax

loc_A607E9:				; CODE XREF: ViHalFreeDomainCommonBuffer(x)+57j
		mov	edi, ecx
		mov	edx, [ecx]
		cmp	[ecx+8], esi
		jnz	short loc_A607FA
		mov	eax, [ecx+0Ch]
		cmp	eax, [ebp+var_8]
		jz	short loc_A6081C

loc_A607FA:				; CODE XREF: ViHalFreeDomainCommonBuffer(x)+45j
		mov	ecx, edx
		cmp	ecx, offset _ViDomainCommonBufferList
		jnz	short loc_A607E9

loc_A60804:				; CODE XREF: ViHalFreeDomainCommonBuffer(x)+2Ej
					; ViHalFreeDomainCommonBuffer(x)+84j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset dword_AB06F0
		jz	short loc_A60836
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A6083B
; 

loc_A6081C:				; CODE XREF: ViHalFreeDomainCommonBuffer(x)+4Dj
		mov	bl, 1
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jnz	short loc_A60831
		cmp	[eax], ecx
		jnz	short loc_A60831
		mov	[eax], edx
		mov	[edx+4], eax
		jmp	short loc_A60804
; 

loc_A60831:				; CODE XREF: ViHalFreeDomainCommonBuffer(x)+79j
					; ViHalFreeDomainCommonBuffer(x)+7Dj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A60836:				; CODE XREF: ViHalFreeDomainCommonBuffer(x)+65j
		xor	eax, eax
		lock and [ecx],	eax

loc_A6083B:				; CODE XREF: ViHalFreeDomainCommonBuffer(x)+6Fj
		mov	cl, bh
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	bl, bl
		jz	short loc_A6084F
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A6084F:				; CODE XREF: ViHalFreeDomainCommonBuffer(x)+9Aj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_ViHalFreeDomainCommonBuffer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViHalPreprocessOptions(int,int,int,char,int,int)
_ViHalPreprocessOptions@24 proc	near	; CODE XREF: ADD_MAP_REGISTERS(x,x,x)+3Bp
					; ADD_MAP_REGISTERS(x,x,x)+75p	...

var_14		= dword	ptr -14h
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, esi
		push	edi		; char
		mov	edi, edx
		and	ebx, 10000000h
		jz	short loc_A60874
		and	esi, 0EFFFFFFFh

loc_A60874:				; CODE XREF: ViHalPreprocessOptions(x,x,x,x,x,x)+16j
		mov	eax, [ecx]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_A6088E
		cmp	esi, 26h
		jnb	short loc_A60889
		mov	eax, dword ptr ds:_ViHalDefaultActions[esi*4]
		jmp	short loc_A6088C
; 

loc_A60889:				; CODE XREF: ViHalPreprocessOptions(x,x,x,x,x,x)+28j
		push	4
		pop	eax

loc_A6088C:				; CODE XREF: ViHalPreprocessOptions(x,x,x,x,x,x)+31j
		mov	[ecx], eax

loc_A6088E:				; CODE XREF: ViHalPreprocessOptions(x,x,x,x,x,x)+23j
		test	eax, eax
		jz	short loc_A60907
		xor	esi, esi
		test	al, 10h
		jz	short loc_A6089A
		mov	[ecx], esi

loc_A6089A:				; CODE XREF: ViHalPreprocessOptions(x,x,x,x,x,x)+40j
		push	(offset	loc_A5797D+1) ;	char *
		call	_VfUtilDbgPrint
		mov	[esp+14h+var_14], offset ??_C@_03NOABEEAF@?$CK?$CK?6@JKADOLAD@
		call	_VfUtilDbgPrint
		mov	[esp+14h+var_14], offset ??_C@_07CLFOEEIC@?$CK?$CK?5VF?3?5@JKADOLAD@
		call	_VfUtilDbgPrint
		pop	ecx
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		test	ebx, ebx
		jnz	short loc_A608D8
		push	dword ptr [ebp+arg_4] ;	char
		push	edi		; char *
		push	esi		; int
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 18h
		jmp	short loc_A608E4 ; char
; 

loc_A608D8:				; CODE XREF: ViHalPreprocessOptions(x,x,x,x,x,x)+6Fj
		push	edi		; char *
		push	esi		; int
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 14h

loc_A608E4:				; CODE XREF: ViHalPreprocessOptions(x,x,x,x,x,x)+80j
		push	offset ??_C@_01EEMJAFIK@?6@JKADOLAD@ ; char *
		call	_VfUtilDbgPrint
		mov	[esp+14h+var_14], offset ??_C@_03NOABEEAF@?$CK?$CK?6@JKADOLAD@
		call	_VfUtilDbgPrint
		mov	[esp+14h+var_14], offset ??_C@_0ED@OBFNHIMC@?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK@JKADOLAD@
		call	_VfUtilDbgPrint
		pop	ecx

loc_A60907:				; CODE XREF: ViHalPreprocessOptions(x,x,x,x,x,x)+3Aj
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	10h
_ViHalPreprocessOptions@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViHalTrackDomainCommonBuffer(x)
_ViHalTrackDomainCommonBuffer@4	proc near
					; CODE XREF: VfAllocateDomainCommonBuffer(x,x,x,x,x,x,x,x,x)+62p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset dword_AB06F0
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, ds:_ViDomainCommonBufferList
		mov	eax, offset _ViDomainCommonBufferList
		cmp	[ecx+4], eax
		jz	short loc_A60942
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A60942:				; CODE XREF: ViHalTrackDomainCommonBuffer(x)+2Cj
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[ecx+4], esi
		test	ds:byte_70EFC6,	1
		mov	ds:_ViDomainCommonBufferList, esi
		jz	short loc_A60965
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A6096A
; 

loc_A60965:				; CODE XREF: ViHalTrackDomainCommonBuffer(x)+48j
		xor	eax, eax
		lock and [edi],	eax

loc_A6096A:				; CODE XREF: ViHalTrackDomainCommonBuffer(x)+54j
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_ViHalTrackDomainCommonBuffer@4	endp


;  S U B	R O U T	I N E 


; __stdcall ViHasBufferBeenTouched(x, x, x)
_ViHasBufferBeenTouched@12 proc	near	; CODE XREF: ViCheckPadding(x,x,x,x)+20p
					; ViCheckPadding(x,x,x,x)+B2p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	0Fh
		xor	edi, edi
		mov	esi, edx
		mov	edx, ecx
		inc	edi
		pop	ebx

loc_A60985:				; CODE XREF: ViHasBufferBeenTouched(x,x,x)+21j
		mov	ecx, edi
		mov	eax, ebx
		shl	ecx, 3
		add	edi, edi
		shl	eax, cl
		or	ebx, eax
		push	4
		pop	eax
		cmp	edi, eax
		jb	short loc_A60985
		jmp	short loc_A609A6
; 

loc_A6099B:				; CODE XREF: ViHasBufferBeenTouched(x,x,x)+33j
		test	esi, esi
		jz	short loc_A609B9
		cmp	byte ptr [edx],	0Fh
		jnz	short loc_A609AD
		inc	edx
		dec	esi

loc_A609A6:				; CODE XREF: ViHasBufferBeenTouched(x,x,x)+23j
		test	dl, 3
		jnz	short loc_A6099B
		jmp	short loc_A609B9
; 

loc_A609AD:				; CODE XREF: ViHasBufferBeenTouched(x,x,x)+2Cj
					; ViHasBufferBeenTouched(x,x,x)+3Dj ...
		mov	eax, edx
		jmp	short loc_A609CE
; 

loc_A609B1:				; CODE XREF: ViHasBufferBeenTouched(x,x,x)+45j
		cmp	[edx], ebx
		jnz	short loc_A609AD
		add	edx, eax
		sub	esi, eax

loc_A609B9:				; CODE XREF: ViHasBufferBeenTouched(x,x,x)+27j
					; ViHasBufferBeenTouched(x,x,x)+35j
		cmp	esi, eax
		jnb	short loc_A609B1
		test	esi, esi
		jz	short loc_A609CC

loc_A609C1:				; CODE XREF: ViHasBufferBeenTouched(x,x,x)+54j
		cmp	byte ptr [edx],	0Fh
		jnz	short loc_A609AD
		inc	edx
		sub	esi, 1
		jnz	short loc_A609C1

loc_A609CC:				; CODE XREF: ViHasBufferBeenTouched(x,x,x)+49j
		xor	eax, eax

loc_A609CE:				; CODE XREF: ViHasBufferBeenTouched(x,x,x)+39j
		pop	edi
		pop	esi
		pop	ebx
		retn	4
_ViHasBufferBeenTouched@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViHookDmaAdapter(x,	x, x, x)
_ViHookDmaAdapter@16 proc near		; CODE XREF: VfGetDmaAdapter(x,x,x)+C6p
					; VfLegacyGetAdapter(x,x)+9Cp

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	dl, dl
		call	_ViGetAdapterInformationInternal@8 ; ViGetAdapterInformationInternal(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	loc_A60ABC
		push	566C6148h
		push	0E0h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A60AC6
		push	0E0h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+8], ebx
		mov	edx, esi
		mov	ecx, offset _ViAdapterList
		push	offset dword_AB06E0
		call	@ExfInterlockedInsertHeadList@12 ; ExfInterlockedInsertHeadList(x,x,x)
		mov	ecx, ebx
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		xor	ecx, ecx
		lea	eax, [esi+20h]
		mov	[esi+28h], ecx
		mov	edx, edi
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+2Ch]
		mov	[esi+34h], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+38h]
		mov	[esi+40h], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+44h]
		mov	[esi+4Ch], ecx
		push	ecx
		lea	ecx, [esi+78h]
		mov	[eax+4], eax
		mov	[eax], eax
		call	_ViCopyDeviceDescription@12 ; ViCopyDeviceDescription(x,x,x)
		mov	eax, [ebp+arg_0]
		mov	[esi+50h], eax
		cmp	dword ptr [edi+14h], 1
		jnz	short loc_A60A85
		cmp	dword ptr [edi+10h], 8
		jb	short loc_A60A8B

loc_A60A85:				; CODE XREF: ViHookDmaAdapter(x,x,x,x)+A9j
		cmp	byte ptr [edi+4], 0
		jnz	short loc_A60A8F

loc_A60A8B:				; CODE XREF: ViHookDmaAdapter(x,x,x,x)+AFj
		mov	byte ptr [esi+12h], 1

loc_A60A8F:				; CODE XREF: ViHookDmaAdapter(x,x,x,x)+B5j
		and	dword ptr [esi+0C8h], 0
		cmp	byte ptr [edi+4], 0
		jz	short loc_A60AAB
		cmp	byte ptr [edi+5], 0
		jz	short loc_A60AAB
		mov	ecx, esi
		call	_ViAllocateContiguousMemory@4 ;	ViAllocateContiguousMemory(x)
		jmp	short loc_A60AAF
; 

loc_A60AAB:				; CODE XREF: ViHookDmaAdapter(x,x,x,x)+C6j
					; ViHookDmaAdapter(x,x,x,x)+CCj
		mov	byte ptr [esi+11h], 1

loc_A60AAF:				; CODE XREF: ViHookDmaAdapter(x,x,x,x)+D5j
		mov	eax, [ebx+4]
		mov	[esi+1Ch], eax
		mov	dword ptr [ebx+4], offset _ViDmaOperations

loc_A60ABC:				; CODE XREF: ViHookDmaAdapter(x,x,x,x)+17j
		cmp	[ebp+arg_4], 0
		jz	short loc_A60AC6
		lock inc dword ptr [esi+14h]

loc_A60AC6:				; CODE XREF: ViHookDmaAdapter(x,x,x,x)+35j
					; ViHookDmaAdapter(x,x,x,x)+ECj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_ViHookDmaAdapter@16 endp ; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViInitializePadding(void *,size_t,int,int)
_ViInitializePadding@16	proc near	; CODE XREF: ViSpecialAllocateCommonBuffer(x,x,x,x,x,x)+CAp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_4]
		mov	eax, edx
		mov	[ebp+var_4], eax
		push	edi
		mov	edi, ecx
		test	ebx, ebx
		jnz	short loc_A60AF3
		push	eax		; size_t
		push	0Fh		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		jmp	short loc_A60B42
; 

loc_A60AF3:				; CODE XREF: ViInitializePadding(x,x,x,x)+14j
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, esi
		sub	eax, edi
		push	eax		; size_t
		push	0Fh		; int
		push	edi		; void *
		call	_memset
		add	esi, ebx
		mov	eax, edi
		sub	eax, esi
		add	eax, [ebp+var_4]
		push	eax		; size_t
		push	0Fh		; int
		push	esi		; void *
		call	_memset
		mov	ecx, [ebp+arg_0]
		lea	eax, [edi+8]
		add	esp, 18h
		cmp	ecx, eax
		sbb	eax, eax
		sub	esi, edi
		inc	eax
		add	esi, 8
		cmp	esi, [ebp+var_4]
		movzx	eax, ax
		mov	edx, eax
		pop	esi
		ja	short loc_A60B3A
		or	eax, 2
		movzx	edx, ax

loc_A60B3A:				; CODE XREF: ViInitializePadding(x,x,x,x)+63j
		push	edx
		mov	edx, ebx
		call	_ViTagBuffer@12	; ViTagBuffer(x,x,x)

loc_A60B42:				; CODE XREF: ViInitializePadding(x,x,x,x)+22j
		pop	edi
		pop	ebx
		leave
		retn	8
_ViInitializePadding@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViMapDoubleBuffer(char,int,int,int,int)
_ViMapDoubleBuffer@20 proc near		; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+1BDp
					; VfGetScatterGatherList(x,x,x,x,x,x,x,x)+252p	...

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		xor	eax, eax
		mov	[ebp+var_18], eax
		mov	ebx, ecx
		mov	[ebp+var_14], ebx
		mov	esi, edx
		test	edi, edi
		jnz	short loc_A60B96
		push	eax		; int
		push	eax		; int
		push	ebx		; char
		mov	esi, offset unk_6B6820
		mov	edx, offset ??_C@_0DB@OELHKNHO@Driver?5is?5attempting?5to?5map?5a?50@JKADOLAD@ ; int
		push	21h		; int
		mov	ecx, esi	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	esi		; int
		push	edi		; int
		push	edi		; int
		push	ebx		; int
		push	21h

loc_A60B82:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+98j
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A60B8D:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+12Bj
					; ViMapDoubleBuffer(x,x,x,x,x)+161j ...
		xor	eax, eax

loc_A60B8F:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+2F2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_A60B96:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+1Cj
		cmp	[ebx+0Dh], al
		mov	ebx, [ebp+arg_0]
		jnz	short loc_A60BB2
		mov	eax, ebx
		mov	ecx, 1000h
		and	eax, 0FFFh
		sub	ecx, eax
		cmp	edi, ecx
		jb	short loc_A60BB2
		mov	edi, ecx

loc_A60BB2:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+54j
					; ViMapDoubleBuffer(x,x,x,x,x)+66j
		mov	ecx, [esi+18h]
		mov	edx, [esi+10h]
		lea	eax, [edx+ecx]
		cmp	ebx, eax
		jnb	short loc_A60BE2
		push	esi		; int
		push	ebx		; int
		push	1		; char
		mov	edi, offset unk_6B6800
		mov	edx, offset ??_C@_0CP@KAKNJBNN@Virtual?5address?5?$CFp?5is?5before?5th@JKADOLAD@ ; int
		push	1000001Fh	; int
		mov	ecx, edi	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	edi
		push	esi
		push	ebx
		push	1

loc_A60BDE:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+C4j
					; ViMapDoubleBuffer(x,x,x,x,x)+1F2j
		push	1Fh
		jmp	short loc_A60B82
; 

loc_A60BE2:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+75j
		mov	eax, ebx
		sub	eax, edx
		sub	eax, ecx
		cmp	eax, [esi+14h]
		jb	short loc_A60C0E
		push	esi		; int
		push	ebx		; int
		push	2		; char
		mov	edi, offset unk_6B6804
		mov	edx, (offset loc_A5787B+5) ; int
		push	1000001Fh	; int
		mov	ecx, edi	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	edi
		push	esi
		push	ebx
		push	2
		jmp	short loc_A60BDE
; 

loc_A60C0E:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+A3j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	byte ptr [ebp+arg_4+3],	al
		mov	eax, [ebp+var_14]
		add	eax, 2Ch
		mov	ecx, eax
		mov	[ebp+var_4], eax
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	byte ptr [esi+6], 5
		jz	short loc_A60C32
		mov	eax, [esi+0Ch]
		jmp	short loc_A60C44
; 

loc_A60C32:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+E3j
		push	40000010h
		xor	eax, eax
		push	eax
		push	eax
		push	1
		push	eax
		push	esi
		call	MmMapLockedPagesSpecifyCache

loc_A60C44:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+E8j
		test	ds:byte_70EFC6,	1
		mov	[ebp+arg_0], eax
		jz	short loc_A60C5D
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A60C65
; 

loc_A60C5D:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+106j
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_A60C65:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+113j
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	loc_A60B8D
		sub	ebx, [esi+10h]
		sub	ebx, [esi+18h]
		mov	ecx, [esi+14h]
		add	eax, ebx
		sub	ecx, ebx
		mov	[ebp+var_1C], 1
		mov	ebx, [ebp+var_14]
		mov	edx, eax
		mov	[ebp+var_20], ecx
		lea	ecx, [ebp+var_18]
		push	ecx
		push	[ebp+arg_8]
		mov	ecx, ebx
		mov	[ebp+arg_0], eax
		push	edi
		call	_ViAllocateMapRegistersFromFile@20 ; ViAllocateMapRegistersFromFile(x,x,x,x,x)
		test	eax, eax
		jz	loc_A60B8D
		mov	ecx, [ebp+var_18]
		mov	eax, [ebp+arg_0]
		shl	ecx, 0Ch
		and	eax, 0FFFh
		add	eax, ecx
		mov	ecx, [ebx+24h]
		add	ecx, eax
		mov	[ebp+var_C], ecx
		mov	ecx, [ebx+28h]
		test	ecx, ecx
		jz	loc_A60B8D
		add	eax, ecx
		mov	edx, edi
		mov	[ebp+var_10], eax
		mov	eax, esi
		mov	[ebp+var_8], eax
		mov	[ebp+var_24], edx
		test	edi, edi
		jz	loc_A60E1E

loc_A60CE9:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+2CDj
		test	eax, eax
		jz	loc_A60B8D
		cmp	[ebp+var_1C], 0
		mov	ecx, [eax]
		jz	short loc_A60D47
		and	[ebp+var_1C], 0
		mov	eax, [ebp+var_20]
		test	ecx, ecx
		jnz	short loc_A60D3F
		cmp	edx, eax
		jbe	short loc_A60D41
		mov	ecx, eax
		lea	eax, [edi-1]
		sub	ecx, edx
		add	ecx, edi
		xor	ecx, eax
		test	ecx, 0FFFFF000h
		jz	short loc_A60D76
		mov	edx, offset ??_C@_0EC@CIOODOFP@Extra?5transfer?5length?5crosses?5a@JKADOLAD@ ; int
		mov	ebx, offset unk_6B67F8

loc_A60D25:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+225j
		push	edi		; int
		push	esi		; int
		push	3		; char
		push	1000001Fh	; int
		mov	ecx, ebx	; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	ebx
		push	edi
		push	esi
		push	3
		jmp	loc_A60BDE
; 

loc_A60D3F:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+1BAj
		cmp	edx, eax

loc_A60D41:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+1BEj
		jb	short loc_A60D76
		mov	ebx, eax
		jmp	short loc_A60D78
; 

loc_A60D47:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+1AFj
		test	ecx, ecx
		jnz	short loc_A60D6F
		mov	ecx, [eax+14h]
		cmp	edx, ecx
		jbe	short loc_A60D6F
		sub	ecx, edx
		lea	eax, [edi-1]
		add	ecx, edi
		xor	ecx, eax
		test	ecx, 0FFFFF000h
		jz	short loc_A60D76
		mov	edx, (offset loc_A578A9+5)
		mov	ebx, offset unk_6B67FC
		jmp	short loc_A60D25
; 

loc_A60D6F:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+201j
					; ViMapDoubleBuffer(x,x,x,x,x)+208j
		mov	ebx, [eax+14h]
		cmp	edx, ebx
		jnb	short loc_A60D78

loc_A60D76:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+1D1j
					; ViMapDoubleBuffer(x,x,x,x,x):loc_A60D41j ...
		mov	ebx, edx

loc_A60D78:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+1FDj
					; ViMapDoubleBuffer(x,x,x,x,x)+22Cj
		push	ebx		; size_t
		push	[ebp+arg_0]	; void *
		push	[ebp+var_C]	; void *
		call	_memcpy
		add	[ebp+var_C], ebx
		push	ebx		; size_t
		push	[ebp+arg_0]	; void *
		push	[ebp+var_10]	; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		add	esp, 18h
		add	[ebp+var_10], ebx
		mov	eax, [eax]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_A60E0D
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp+var_4]
		mov	byte ptr [ebp+arg_4+3],	al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [ebp+var_8]
		test	byte ptr [eax+6], 5
		jz	short loc_A60DC4
		mov	eax, [eax+0Ch]
		jmp	short loc_A60DD6
; 

loc_A60DC4:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+275j
		push	40000010h
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	1
		push	ecx
		push	eax
		call	MmMapLockedPagesSpecifyCache

loc_A60DD6:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+27Aj
		test	ds:byte_70EFC6,	1
		mov	[ebp+arg_0], eax
		jz	short loc_A60DEF
		mov	edx, [ebp+4]
		mov	ecx, [ebp+var_4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A60DF7
; 

loc_A60DEF:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+298j
		mov	eax, [ebp+var_4]
		xor	ecx, ecx
		lock and [eax],	ecx

loc_A60DF7:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+2A5j
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	[ebp+arg_0], 0
		jz	loc_A60B8D
		mov	eax, [ebp+var_8]

loc_A60E0D:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+25Bj
		mov	edx, [ebp+var_24]
		sub	edx, ebx
		mov	[ebp+var_24], edx
		jnz	loc_A60CE9
		mov	ebx, [ebp+var_14]

loc_A60E1E:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+19Bj
		mov	edx, [ebx+20h]
		test	edx, edx
		jz	short loc_A60E38
		cmp	byte ptr [ebp+arg_8], 0
		push	1
		setz	cl
		movzx	ecx, cl
		push	ecx
		push	edx
		call	KeFlushIoBuffers

loc_A60E38:				; CODE XREF: ViMapDoubleBuffer(x,x,x,x,x)+2DBj
		mov	eax, edi
		jmp	loc_A60B8F
_ViMapDoubleBuffer@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViReleaseDmaAdapter(x)
_ViReleaseDmaAdapter@4 proc near	; CODE XREF: VfGetDmaAdapter(x,x,x)+6Dp
					; VfHalDeleteDevice(x)+35p ...

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	ecx, [esi+8]
		mov	eax, [esi+1Ch]
		mov	[ebp+var_8], ecx
		mov	[ecx+4], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	edi, [esi+0C8h]
		mov	[ebp+var_1], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ebx, [esi+0BCh]
		and	dword ptr [esi+0BCh], 0
		test	ds:byte_70EFC6,	1
		jz	short loc_A60E90
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A60E95
; 

loc_A60E90:				; CODE XREF: ViReleaseDmaAdapter(x)+43j
		xor	eax, eax
		lock and [edi],	eax

loc_A60E95:				; CODE XREF: ViReleaseDmaAdapter(x)+4Fj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	ebx, ebx
		jz	short loc_A60EBF
		xor	edi, edi

loc_A60EA4:				; CODE XREF: ViReleaseDmaAdapter(x)+76j
		mov	eax, [ebx+edi*4]
		test	eax, eax
		jz	short loc_A60EB1
		push	eax
		call	MmFreeContiguousMemory

loc_A60EB1:				; CODE XREF: ViReleaseDmaAdapter(x)+6Aj
		inc	edi
		cmp	edi, 20h
		jb	short loc_A60EA4
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A60EBF:				; CODE XREF: ViReleaseDmaAdapter(x)+61j
		mov	ebx, [ebp+var_8]
		mov	ecx, ebx
		call	ObfDereferenceObject
		cmp	dword ptr [esi+14h], 0
		mov	edi, eax
		jle	short loc_A60F09
		test	edi, edi
		jz	short loc_A60F09
		cmp	edi, 1
		jnz	short loc_A60EE0
		cmp	byte ptr [esi+12h], 0
		jnz	short loc_A60F09

loc_A60EE0:				; CODE XREF: ViReleaseDmaAdapter(x)+99j
		push	esi		; int
		push	ebx		; int
		push	edi		; char
		push	11h		; int
		mov	edx, (offset loc_A573AE+2) ; int
		mov	ecx, offset unk_6B6840 ; int
		call	_ViHalPreprocessOptions@24 ; ViHalPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B6840 ; int
		push	esi		; int
		push	ebx		; int
		push	edi		; int
		push	11h
		pop	edx
		mov	ecx, 0E6h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A60F09:				; CODE XREF: ViReleaseDmaAdapter(x)+90j
					; ViReleaseDmaAdapter(x)+94j ...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViReleaseDmaAdapter@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViScatterGatherCallback(x, x, x, x)
_ViScatterGatherCallback@16 proc near	; DATA XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+1E9o
					; VfGetScatterGatherList(x,x,x,x,x,x,x,x)+27Eo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ebp+arg_C]
		mov	edx, [ebx]
		push	1
		mov	esi, [edi+20h]
		mov	ecx, esi
		call	_ADD_MAP_REGISTERS@12 ;	ADD_MAP_REGISTERS(x,x,x)
		lea	eax, [esi+28h]
		mov	[edi+24h], ebx
		push	eax
		lea	edx, [edi+28h]
		lea	ecx, [esi+20h]
		call	@ExfInterlockedInsertHeadList@12 ; ExfInterlockedInsertHeadList(x,x,x)
		mov	ecx, [edi+34h]
		test	ecx, ecx
		jz	short loc_A60F58
		mov	eax, [ebx+4]
		mov	[ecx+1Ch], eax
		mov	dword ptr [ebx+4], 0DEADF00Dh

loc_A60F58:				; CODE XREF: ViScatterGatherCallback(x,x,x,x)+33j
		push	dword ptr [edi]
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	dword ptr [edi+4]
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	10h
_ViScatterGatherCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViSpecialAllocateCommonBuffer(int,int,int,int,int,int)
_ViSpecialAllocateCommonBuffer@24 proc near
					; CODE XREF: VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)+1C7p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		mov	[ebp+var_C], ecx
		push	ebx
		mov	ebx, edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	eax, [ebx+64h]
		sub	eax, [ebx+68h]
		push	esi
		push	edi		; char
		cmp	eax, 20h
		jnb	short loc_A60FC1
		mov	esi, [ebp+arg_4]
		cmp	esi, 0FFFFDFFFh
		ja	short loc_A60FC1
		push	566C6148h
		push	30h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A60FCA
		push	(offset	loc_A57626+2) ;	char *
		call	_VfUtilDbgPrint
		pop	ecx

loc_A60FC1:				; CODE XREF: ViSpecialAllocateCommonBuffer(x,x,x,x,x,x)+27j
					; ViSpecialAllocateCommonBuffer(x,x,x,x,x,x)+32j ...
		xor	eax, eax

loc_A60FC3:				; CODE XREF: ViSpecialAllocateCommonBuffer(x,x,x,x,x,x)+F9j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_A60FCA:				; CODE XREF: ViSpecialAllocateCommonBuffer(x,x,x,x,x,x)+49j
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax
		lea	edx, [ebp+var_4]
		call	_ViCommonBufferCalculatePadding@12 ; ViCommonBufferCalculatePadding(x,x,x)
		push	[ebp+arg_C]
		mov	eax, [ebp+var_4]
		lea	ecx, [ebp+var_18]
		add	eax, [ebp+var_8]
		add	eax, esi
		push	ecx
		push	eax
		push	dword ptr [ebx+8]
		mov	[ebp+var_10], eax
		call	[ebp+var_C]
		mov	ecx, eax	; void *
		test	ecx, ecx
		jnz	short loc_A61000
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A60FC1
; 

loc_A61000:				; CODE XREF: ViSpecialAllocateCommonBuffer(x,x,x,x,x,x)+8Aj
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_8]
		push	[ebp+arg_4]	; int
		mov	[edi+8], esi
		lea	esi, [ecx+eax]
		mov	[edi+2], dx
		mov	edx, [ebp+var_10] ; size_t
		mov	[edi], ax
		mov	[edi+4], edx
		mov	[edi+0Ch], ecx
		mov	[edi+10h], esi
		mov	eax, [ebp+var_18]
		mov	[edi+18h], eax
		mov	eax, [ebp+var_14]
		mov	[edi+1Ch], eax
		mov	eax, [ebp+arg_0]
		push	esi		; int
		mov	[edi+20h], eax
		call	_ViInitializePadding@16	; ViInitializePadding(x,x,x,x)
		mov	eax, [ebp+var_4]
		xor	edx, edx
		add	eax, [ebp+var_18]
		mov	ecx, [ebp+arg_8]
		adc	edx, [ebp+var_14]
		mov	[ecx+4], edx
		lea	edx, [edi+24h]
		mov	[ecx], eax
		lea	ecx, [ebx+34h]
		push	ecx
		lea	ecx, [ebx+2Ch]
		call	@ExfInterlockedInsertHeadList@12 ; ExfInterlockedInsertHeadList(x,x,x)
		lea	eax, [ebx+64h]
		lock inc dword ptr [eax]
		mov	eax, esi
		jmp	loc_A60FC3
_ViSpecialAllocateCommonBuffer@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	ViSpecialFreeCommonBuffer(void *,int)
_ViSpecialFreeCommonBuffer@16 proc near	; CODE XREF: VfFreeCommonBuffer(x,x,x,x,x,x)+42p

var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		mov	edx, [ebp+arg_0]
		lea	ecx, [edi+2Ch]
		call	_VF_FIND_BUFFER@8 ; VF_FIND_BUFFER(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A6108E

loc_A61088:				; CODE XREF: ViSpecialFreeCommonBuffer(x,x,x,x)+BBj
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_A6108E:				; CODE XREF: ViSpecialFreeCommonBuffer(x,x,x,x)+1Dj
		mov	edx, [esi+4]
		mov	ecx, [esi+0Ch]
		push	ebx
		push	dword ptr [esi+8]
		push	dword ptr [esi+10h]
		call	_ViCheckPadding@16 ; ViCheckPadding(x,x,x,x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ebx, [edi+34h]
		mov	[ebp+var_1], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		lea	ecx, [esi+24h]
		mov	eax, [ecx]
		mov	edx, [ecx+4]
		cmp	[eax+4], ecx
		jnz	short loc_A61129
		cmp	[edx], ecx
		jnz	short loc_A61129
		mov	[edx], eax
		mov	[eax+4], edx
		test	ds:byte_70EFC6,	1
		jz	short loc_A610DE
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A610E3
; 

loc_A610DE:				; CODE XREF: ViSpecialFreeCommonBuffer(x,x,x,x)+67j
		xor	eax, eax
		lock and [ebx],	eax

loc_A610E3:				; CODE XREF: ViSpecialFreeCommonBuffer(x,x,x,x)+73j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	dword ptr [esi+8] ; size_t
		push	0		; int
		push	[ebp+arg_0]	; void *
		call	_memset
		add	esp, 0Ch
		push	[ebp+arg_4]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+1Ch]
		push	dword ptr [esi+18h]
		push	dword ptr [esi+4]
		push	dword ptr [edi+8]
		call	[ebp+var_8]
		mov	ecx, edi
		call	_DECREMENT_COMMON_BUFFERS@4 ; DECREMENT_COMMON_BUFFERS(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	eax, eax
		inc	eax
		pop	ebx
		jmp	loc_A61088
; 

loc_A61129:				; CODE XREF: ViSpecialFreeCommonBuffer(x,x,x,x)+55j
					; ViSpecialFreeCommonBuffer(x,x,x,x)+59j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ViSpecialFreeCommonBuffer@16 endp	; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViSwap(x, x, x)
_ViSwap@12	proc near		; CODE XREF: VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)+1E1p
					; VfFlushAdapterBuffers(x,x,x,x,x,x)+70p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	ecx, [ebx]
		call	_ViGetMapRegisterFile@4	; ViGetMapRegisterFile(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A6119A
		mov	edx, [ebp+arg_0]
		mov	ecx, [edi]
		mov	edx, [edx]
		call	_ViGetMdlBufferSa@8 ; ViGetMdlBufferSa(x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_A6119A
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax
		call	_ViFindMappedRegisterInFile@12 ; ViFindMappedRegisterInFile(x,x,x)
		test	eax, eax
		jz	short loc_A6119A
		mov	eax, [esi+20h]
		and	edx, 0FFFh
		mov	[edi], eax
		mov	eax, [esi+20h]
		mov	ecx, [eax+18h]
		add	ecx, [eax+10h]
		mov	eax, [ebp+var_4]
		add	ecx, edx
		shl	eax, 0Ch
		add	ecx, eax
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		mov	eax, [esi+1Ch]
		mov	[ebx], eax
		xor	eax, eax
		inc	eax
		jmp	short loc_A6119C
; 

loc_A6119A:				; CODE XREF: ViSwap(x,x,x)+1Cj
					; ViSwap(x,x,x)+2Ej ...
		xor	eax, eax

loc_A6119C:				; CODE XREF: ViSwap(x,x,x)+6Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ViSwap@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViTagBuffer(x, x, x)
_ViTagBuffer@12	proc near		; CODE XREF: ViAllocateMapRegistersFromFile(x,x,x,x,x)+1B2p
					; ViInitializePadding(x,x,x,x)+6Ep

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	[ebp+arg_0], 1
		jz	short loc_A611BE
		mov	eax, dword ptr ds:_ViDmaVerifierTag
		mov	[ecx-8], eax
		mov	eax, dword ptr ds:loc_A501C4
		mov	[ecx-4], eax

loc_A611BE:				; CODE XREF: ViTagBuffer(x,x,x)+9j
		test	[ebp+arg_0], 2
		jz	short loc_A611D5
		mov	eax, dword ptr ds:_ViDmaVerifierTag
		mov	[ecx+edx], eax
		mov	eax, dword ptr ds:loc_A501C4
		mov	[ecx+edx+4], eax

loc_A611D5:				; CODE XREF: ViTagBuffer(x,x,x)+1Fj
		pop	ebp
		retn	4
_ViTagBuffer@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierBugCheckIfAppropriate(x, x,	x, x, x)
_VerifierBugCheckIfAppropriate@20 proc near ; CODE XREF: VfFailDeviceNode+81852p
					; _VfFailDriver+19p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		xor	ebx, ebx
		inc	ebx
		test	_MmVerifierData, 400000h
		jz	short loc_A6123A
		cmp	al, 2
		ja	short loc_A6122B
		mov	eax, ds:_ViXdvTipUtils
		test	eax, eax
		jz	short loc_A61232
		test	byte ptr _VfFlightOptions, bl
		jz	short loc_A61218
		push	esi
		push	edi
		call	dword ptr [eax+0Ch]
		test	eax, eax
		jnz	short loc_A6123A

loc_A61218:				; CODE XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x)+34j
		push	[ebp+arg_8]
		mov	eax, ds:_ViXdvTipUtils
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	esi
		push	edi
		call	dword ptr [eax+8]

loc_A6122B:				; CODE XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x)+23j
					; VerifierBugCheckIfAppropriate(x,x,x,x,x)+5Fj	...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_A61232:				; CODE XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x)+2Cj
		test	_VfFlightOptions, ebx
		jz	short loc_A6122B

loc_A6123A:				; CODE XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x)+1Fj
					; VerifierBugCheckIfAppropriate(x,x,x,x,x)+3Dj
		mov	ecx, (offset loc_A50437+1)
		xor	eax, eax

loc_A61241:				; CODE XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x)+7Cj
		cmp	[ecx], edi
		jnz	short loc_A6124A
		cmp	[ecx+4], esi
		jz	short loc_A61267

loc_A6124A:				; CODE XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x)+6Aj
		add	eax, 0Ch
		add	ecx, 0Ch
		cmp	eax, 9Ch
		jb	short loc_A61241

loc_A61257:				; CODE XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x)+96j
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	esi
		push	edi
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_A61267:				; CODE XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x)+6Fj
		mov	eax, _VfVerifyMode
		cmp	eax, [ecx+8]
		jge	short loc_A61257
		lock xadd ds:_ViBugcheckLogIndex, ebx
		inc	ebx
		mov	eax, [ebp+arg_0]
		and	ebx, 0Fh
		imul	ecx, ebx, 14h
		mov	ds:dword_AAFE00[ecx], eax
		mov	eax, [ebp+arg_4]
		mov	ds:dword_AAFE04[ecx], eax
		mov	eax, [ebp+arg_8]
		mov	ds:_ViBugcheckLog[ecx],	edi
		mov	ds:dword_AAFDFC[ecx], esi
		mov	ds:dword_AAFE08[ecx], eax
		jmp	short loc_A6122B
_VerifierBugCheckIfAppropriate@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfBugcheckLogWorkaround(x, x, x)
_VfBugcheckLogWorkaround@12 proc near	; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+215p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		inc	eax
		lock xadd ds:_ViBugcheckWorkaroundLogIndex, eax
		inc	eax
		and	eax, 0Fh
		imul	ecx, eax, 0Ch
		mov	eax, [ebp+arg_0]
		mov	ds:_ViBugcheckWorkaroundLog[ecx], 1
		mov	ds:dword_AAF684[ecx], edx
		mov	ds:dword_AAF688[ecx], eax
		pop	ebp
		retn	4
_VfBugcheckLogWorkaround@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfAfterCallDriver(x, x, x)
_VfAfterCallDriver@12 proc near		; CODE XREF: IovCallDriver(x,x,x)+1FCp
					; IovpCallDriverWithStackBuffer(x,x,x)+153p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jnz	short loc_A612FA
		mov	ecx, [ebp+arg_0]
		call	_VfDeadlockAfterCallDriver@4 ; VfDeadlockAfterCallDriver(x)
		jmp	loc_A61435
; 

loc_A612FA:				; CODE XREF: VfAfterCallDriver(x,x,x)+Ej
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		mov	ebx, 400000h
		test	al, al
		jnz	short loc_A6134C
		test	_MmVerifierData, ebx
		jnz	short loc_A6134C
		mov	ecx, offset _VfBugcheckTmpDataLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		and	ds:dword_AB1D0C, 0
		and	ds:dword_AB1D10, 0
		mov	[esi+55h], al
		mov	eax, [esi+18h]
		mov	ds:_VfBugcheckTmpData, 0C4h
		mov	ds:dword_AB1D04, 0C1h
		mov	ds:dword_AB1D08, eax

loc_A61347:				; CODE XREF: VfAfterCallDriver(x,x,x)+C6j
		call	_VfBugCheckNoStackUsage@0 ; VfBugCheckNoStackUsage()

loc_A6134C:				; CODE XREF: VfAfterCallDriver(x,x,x)+29j
					; VfAfterCallDriver(x,x,x)+31j
		mov	ecx, [ebp+arg_0]
		call	_VfDeadlockAfterCallDriver@4 ; VfDeadlockAfterCallDriver(x)
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	[esi+54h], al
		jz	short loc_A613A5
		test	_MmVerifierData, ebx
		jnz	short loc_A613A5
		mov	ecx, offset _VfBugcheckTmpDataLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	ecx, [esi+18h]
		mov	ds:dword_AB1D08, ecx
		movzx	ecx, byte ptr [esi+54h]
		mov	[esi+55h], al
		mov	ds:_VfBugcheckTmpData, 0C9h
		mov	ds:dword_AB1D04, 12h
		mov	ds:dword_AB1D0C, ecx
		movzx	eax, al

loc_A6139E:				; CODE XREF: VfAfterCallDriver(x,x,x)+11Fj
		mov	ds:dword_AB1D10, eax
		jmp	short loc_A61347
; 

loc_A613A5:				; CODE XREF: VfAfterCallDriver(x,x,x)+80j
					; VfAfterCallDriver(x,x,x)+88j
		mov	ecx, large fs:124h
		mov	eax, [esi+68h]
		cmp	eax, [ecx+13Ch]
		jz	short loc_A613FE
		test	_MmVerifierData, ebx
		jnz	short loc_A613FE
		mov	ecx, offset _VfBugcheckTmpDataLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		mov	[esi+55h], al
		mov	eax, [esi+18h]
		mov	ds:dword_AB1D08, eax
		mov	eax, large fs:124h
		mov	ds:_VfBugcheckTmpData, 0C4h
		mov	ds:dword_AB1D04, 0C5h
		mov	eax, [eax+13Ch]
		mov	ds:dword_AB1D0C, eax
		mov	eax, [esi+68h]
		jmp	short loc_A6139E
; 

loc_A613FE:				; CODE XREF: VfAfterCallDriver(x,x,x)+D8j
					; VfAfterCallDriver(x,x,x)+E0j
		test	byte ptr _MmVerifierData, 10h
		mov	eax, [esi+50h]
		jz	short loc_A61428
		test	al, 2
		jz	short loc_A61428
		cmp	dword ptr [edi], 103h
		jnz	short loc_A61428
		push	dword ptr [esi+5Ch] ; int
		mov	edx, [esi+60h]	; int
		mov	ecx, 307h	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		jmp	short loc_A61435
; 

loc_A61428:				; CODE XREF: VfAfterCallDriver(x,x,x)+12Bj
					; VfAfterCallDriver(x,x,x)+12Fj ...
		test	al, 1
		jz	short loc_A61435
		mov	edx, edi
		mov	ecx, esi
		call	_IovpCallDriver2@8 ; IovpCallDriver2(x,x)

loc_A61435:				; CODE XREF: VfAfterCallDriver(x,x,x)+18j
					; VfAfterCallDriver(x,x,x)+149j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_VfAfterCallDriver@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfBeforeCallDriver(x, x, x)
_VfBeforeCallDriver@12 proc near	; CODE XREF: IovCallDriver(x,x,x)+1CFp
					; IovpCallDriverNoIrpTracking(x,x,x)+Cp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		mov	ebx, ecx
		push	edi
		mov	edi, [ebp+arg_0]
		cmp	byte ptr [esi+20h], 1
		jz	short loc_A61479
		test	_MmVerifierData, 100h
		jz	short loc_A61479
		cmp	dword ptr [esi+4], 0
		jnz	short loc_A61479
		test	byte ptr [esi+8], 10h
		mov	ecx, esi
		push	edi
		jz	short loc_A61471
		mov	edx, [esi+0Ch]
		jmp	short loc_A61474
; 

loc_A61471:				; CODE XREF: VfBeforeCallDriver(x,x,x)+2Ej
		mov	edx, [esi+3Ch]

loc_A61474:				; CODE XREF: VfBeforeCallDriver(x,x,x)+33j
		call	_ViIrpCheckKernelAddressForIrp@12 ; ViIrpCheckKernelAddressForIrp(x,x,x)

loc_A61479:				; CODE XREF: VfBeforeCallDriver(x,x,x)+13j
					; VfBeforeCallDriver(x,x,x)+1Fj ...
		test	edi, edi
		jnz	short loc_A6148B
		mov	ecx, esi
		call	_VfDeadlockBeforeCallDriver@4 ;	VfDeadlockBeforeCallDriver(x)
		mov	esi, eax
		jmp	loc_A61545
; 

loc_A6148B:				; CODE XREF: VfBeforeCallDriver(x,x,x)+3Fj
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jnz	short loc_A614DA
		test	_MmVerifierData, 400000h
		jnz	short loc_A614DA
		mov	ecx, offset _VfBugcheckTmpDataLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		and	ds:dword_AB1D0C, 0
		and	ds:dword_AB1D10, 0
		mov	[edi+55h], al
		mov	ds:_VfBugcheckTmpData, 0C4h
		mov	ds:dword_AB1D04, 0C0h
		mov	ds:dword_AB1D08, esi
		call	_VfBugCheckNoStackUsage@0 ; VfBugCheckNoStackUsage()

loc_A614DA:				; CODE XREF: VfBeforeCallDriver(x,x,x)+56j
					; VfBeforeCallDriver(x,x,x)+62j
		mov	eax, [esi+60h]
		mov	ecx, [ebx+8]
		movzx	edx, byte ptr [eax-24h]
		call	@VfGetPristineDispatchRoutine@8	; VfGetPristineDispatchRoutine(x,x)
		mov	[edi+18h], eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[edi+54h], al
		mov	eax, large fs:124h
		mov	eax, [eax+13Ch]
		mov	[edi+68h], eax
		movsx	ecx, byte ptr [esi+22h]
		movsx	eax, byte ptr [esi+23h]
		inc	ecx
		cmp	eax, ecx
		jnz	short loc_A61528
		mov	eax, [esi+2Ch]
		test	eax, eax
		jz	short loc_A61528
		cmp	byte ptr [esi+20h], 0
		jnz	short loc_A61528
		cmp	dword ptr [eax+4], 0
		jz	short loc_A61528
		or	dword ptr [edi+50h], 2

loc_A61528:				; CODE XREF: VfBeforeCallDriver(x,x,x)+D3j
					; VfBeforeCallDriver(x,x,x)+DAj ...
		mov	ecx, esi
		call	_VfDeadlockBeforeCallDriver@4 ;	VfDeadlockBeforeCallDriver(x)
		cmp	ds:_VfIoDisabled, 0
		mov	esi, eax
		jnz	short loc_A61545
		or	dword ptr [edi+50h], 1
		mov	ecx, edi
		call	_IovpCallDriver1@4 ; IovpCallDriver1(x)

loc_A61545:				; CODE XREF: VfBeforeCallDriver(x,x,x)+4Aj
					; VfBeforeCallDriver(x,x,x)+FCj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_VfBeforeCallDriver@12 endp


;  S U B	R O U T	I N E 


; __stdcall VfIoAllocateIrp2(x,	x, x)
_VfIoAllocateIrp2@12 proc near		; CODE XREF: IovAllocateIrp(x,x,x,x)+92p
		cmp	ds:_VfIoDisabled, 0
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		jnz	short loc_A61596
		call	_VfPacketCreateAndLock@4 ; VfPacketCreateAndLock(x)
		test	eax, eax
		jz	short loc_A61596
		push	edi
		lock inc dword ptr [eax+0Ch]
		inc	dword ptr [eax+10h]
		lea	edi, [eax+4Ch]
		or	dword ptr [eax+24h], 200000h
		or	dword ptr [esi+8], 40000000h
		test	ebx, ebx
		jnz	short loc_A61587
		and	[edi], ebx
		jmp	short loc_A6158E
; 

loc_A61587:				; CODE XREF: VfIoAllocateIrp2(x,x,x)+33j
		push	8
		pop	ecx
		mov	esi, ebx
		rep movsd

loc_A6158E:				; CODE XREF: VfIoAllocateIrp2(x,x,x)+37j
		mov	ecx, eax
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)
		pop	edi

loc_A61596:				; CODE XREF: VfIoAllocateIrp2(x,x,x)+Dj
					; VfIoAllocateIrp2(x,x,x)+16j
		pop	esi
		pop	ebx
		retn	4
_VfIoAllocateIrp2@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIoFreeIrp(x, x)
_VfIoFreeIrp@8	proc near		; CODE XREF: IovFreeIrpPrivate(x)+4Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	[ebp+var_4], ebx
		mov	al, [edi+27h]
		and	al, 21h
		cmp	al, 21h
		jz	loc_A61671
		call	_VfIrpDatabaseEntryFindAndLock@4 ; VfIrpDatabaseEntryFindAndLock(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A61671
		lea	ecx, [edi+10h]
		cmp	[ecx], ecx
		jz	short loc_A615EA
		push	edi		; int
		mov	edx, ebx	; int
		mov	ecx, 20Ch	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		mov	ecx, esi
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)

loc_A615E2:				; CODE XREF: VfIoFreeIrp(x,x)+D1j
		xor	eax, eax
		inc	eax
		jmp	loc_A61673
; 

loc_A615EA:				; CODE XREF: VfIoFreeIrp(x,x)+31j
		mov	eax, [esi+24h]
		xor	ebx, ebx
		cmp	[esi+8Ch], ebx
		jz	short loc_A61611
		test	eax, 400000h
		jnz	short loc_A6160C
		mov	edx, [ebp+var_4] ; int
		mov	ecx, 20Bh	; int
		push	edi		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A6160C:				; CODE XREF: VfIoFreeIrp(x,x)+61j
		xor	ebx, ebx
		inc	ebx
		jmp	short loc_A61626
; 

loc_A61611:				; CODE XREF: VfIoFreeIrp(x,x)+5Aj
		test	eax, 200000h
		jz	short loc_A61626
		test	al, 8
		jnz	short loc_A61631
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_VfIrpDatabaseEntryDereference@8 ; VfIrpDatabaseEntryDereference(x,x)

loc_A61626:				; CODE XREF: VfIoFreeIrp(x,x)+74j
					; VfIoFreeIrp(x,x)+7Bj
		mov	ecx, esi
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)
		mov	eax, ebx
		jmp	short loc_A61673
; 

loc_A61631:				; CODE XREF: VfIoFreeIrp(x,x)+7Fj
		xor	eax, eax
		test	byte ptr [edi+27h], 1
		mov	[edi], ax
		jz	short loc_A61654
		push	dword ptr [esi+38h]
		push	dword ptr [esi+3Ch]
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		mov	ecx, [esi+3Ch]
		mov	edx, 49667256h
		call	ObfDereferenceObjectWithTag

loc_A61654:				; CODE XREF: VfIoFreeIrp(x,x)+9Fj
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_VfIrpDatabaseEntryDereference@8 ; VfIrpDatabaseEntryDereference(x,x)
		mov	ecx, esi
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_A615E2
; 

loc_A61671:				; CODE XREF: VfIoFreeIrp(x,x)+17j
					; VfIoFreeIrp(x,x)+26j
		xor	eax, eax

loc_A61673:				; CODE XREF: VfIoFreeIrp(x,x)+4Aj
					; VfIoFreeIrp(x,x)+94j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VfIoFreeIrp@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIoInitializeIrp(x, x, x)
_VfIoInitializeIrp@12 proc near		; CODE XREF: IoReuseIrp(x,x)+42p
					; IovInitializeIrp(x,x,x,x)+13p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		call	_VfIrpDatabaseEntryFindAndLock@4 ; VfIrpDatabaseEntryFindAndLock(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A616EA
		cmp	dword ptr [edi+8Ch], 0
		jz	short loc_A616A5
		push	esi		; int
		mov	edx, ebx	; int
		mov	ecx, 310h	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A616A5:				; CODE XREF: VfIoInitializeIrp(x,x,x)+1Ej
		cmp	[ebp+arg_0], 0
		jnz	short loc_A616C7
		test	dword ptr [edi+24h], 200000h
		jz	short loc_A616C7
		test	byte ptr [esi+27h], 1
		jz	short loc_A616C7
		push	esi		; int
		mov	edx, ebx	; int
		mov	ecx, 20Dh	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A616C7:				; CODE XREF: VfIoInitializeIrp(x,x,x)+31j
					; VfIoInitializeIrp(x,x,x)+3Aj	...
		test	byte ptr [esi+8], 8
		jnz	short loc_A616D6
		test	dword ptr [edi+24h], 1000h
		jz	short loc_A616E3

loc_A616D6:				; CODE XREF: VfIoInitializeIrp(x,x,x)+53j
		push	esi		; int
		mov	edx, ebx	; int
		mov	ecx, 311h	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A616E3:				; CODE XREF: VfIoInitializeIrp(x,x,x)+5Cj
		mov	ecx, edi
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)

loc_A616EA:				; CODE XREF: VfIoInitializeIrp(x,x,x)+15j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_VfIoInitializeIrp@12 endp


;  S U B	R O U T	I N E 


; __stdcall VfIrpAllocateCallDriverData(x, x)
_VfIrpAllocateCallDriverData@8 proc near ; CODE	XREF: IovCallDriver(x,x,x)+97p
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	ecx, offset _ViIrpCallDriverDataList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	[esi], eax
		test	eax, eax
		jnz	short loc_A61717
		mov	ecx, edi
		call	_IovpCheckIrpForCriticalTracking@4 ; IovpCheckIrpForCriticalTracking(x)
		neg	eax
		sbb	eax, eax
		inc	eax
		jmp	short loc_A61727
; 

loc_A61717:				; CODE XREF: VfIrpAllocateCallDriverData(x,x)+16j
		push	6Ch		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		inc	eax

loc_A61727:				; CODE XREF: VfIrpAllocateCallDriverData(x,x)+24j
		pop	edi
		pop	esi
		retn
_VfIrpAllocateCallDriverData@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIrpSendSynchronousIrp(x, x, x, x,	x, x, x)
_VfIrpSendSynchronousIrp@28 proc near	; CODE XREF: VfPnpTestStartedPdoStack(x)+39p
					; VfPnpTestStartedPdoStack(x)+54p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		mov	[esp+20h+var_18], edx
		push	esi
		push	edi
		lea	edi, [esp+28h+var_10]
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebp+arg_C]
		xor	edi, edi
		test	eax, eax
		jz	short loc_A61751
		mov	[eax], edi

loc_A61751:				; CODE XREF: VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)+23j
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_A6175A
		mov	[eax], edi

loc_A6175A:				; CODE XREF: VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)+2Cj
		push	ecx
		call	IoGetAttachedDeviceReference
		mov	esi, eax
		push	edi
		mov	[esp+2Ch+var_14], esi
		movzx	ecx, byte ptr [esi+30h]
		push	ecx
		push	esi
		call	IoAllocateIrpEx
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A61786
		mov	ecx, esi
		call	ObfDereferenceObject
		xor	eax, eax
		jmp	loc_A61821
; 

loc_A61786:				; CODE XREF: VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)+4Cj
		cmp	[ebp+arg_0], edi
		jz	short loc_A61795
		push	2
		pop	edx
		mov	ecx, ebx
		call	_IovUtilWatermarkIrp@8 ; IovUtilWatermarkIrp(x,x)

loc_A61795:				; CODE XREF: VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)+5Fj
		mov	eax, [ebp+arg_4]
		mov	[ebx+18h], eax
		mov	eax, [ebp+arg_8]
		push	edi
		mov	[ebx+1Ch], eax
		lea	eax, [esp+2Ch+var_10]
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edi, [ebx+60h]
		mov	edx, ebx
		mov	esi, [esp+28h+var_18]
		sub	edi, 24h
		push	9
		pop	ecx
		rep movsd
		mov	eax, [ebx+60h]
		lea	ecx, [esp+28h+var_10]
		mov	[eax-4], ecx
		mov	ecx, [esp+28h+var_14]
		mov	dword ptr [eax-8], offset _ViIrpSynchronousCompletionRoutine@12	; ViIrpSynchronousCompletionRoutine(x,x,x)
		mov	byte ptr [eax-21h], 0E0h
		call	IofCallDriver
		mov	ecx, [esp+28h+var_14]
		mov	edi, eax
		call	ObfDereferenceObject
		cmp	edi, 103h
		jnz	short loc_A61803
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+38h+var_10]
		push	eax
		call	KeWaitForSingleObject
		mov	edi, [ebx+18h]

loc_A61803:				; CODE XREF: VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)+C4j
		mov	eax, [ebp+arg_10]
		test	eax, eax
		jz	short loc_A6180C
		mov	[eax], edi

loc_A6180C:				; CODE XREF: VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)+DEj
		mov	eax, [ebp+arg_C]
		test	eax, eax
		jz	short loc_A61818
		mov	ecx, [ebx+1Ch]
		mov	[eax], ecx

loc_A61818:				; CODE XREF: VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)+E7j
		push	ebx
		call	_IoFreeIrp@4	; IoFreeIrp(x)
		xor	eax, eax
		inc	eax

loc_A61821:				; CODE XREF: VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)+57j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_VfIrpSendSynchronousIrp@28 endp


;  S U B	R O U T	I N E 


; __stdcall VfIrpWatermark(x, x)
_VfIrpWatermark@8 proc near		; CODE XREF: IovUtilWatermarkIrp(x,x)+7j
		mov	edi, edi
		push	ebx
		mov	ebx, edx
		call	_VfIrpDatabaseEntryFindAndLock@4 ; VfIrpDatabaseEntryFindAndLock(x)
		test	eax, eax
		jz	short loc_A61855
		test	bl, 1
		jz	short loc_A61844
		or	dword ptr [eax+24h], 100000h

loc_A61844:				; CODE XREF: VfIrpWatermark(x,x)+11j
		test	bl, 2
		jz	short loc_A6184D
		or	dword ptr [eax+24h], 20h

loc_A6184D:				; CODE XREF: VfIrpWatermark(x,x)+1Dj
		mov	ecx, eax
		pop	ebx
		jmp	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)
; 

loc_A61855:				; CODE XREF: VfIrpWatermark(x,x)+Cj
		pop	ebx
		retn
_VfIrpWatermark@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfSetIoBuildRequest(x)
_VfSetIoBuildRequest@4 proc near	; CODE XREF: IovBuildAsynchronousFsdRequest(x,x,x,x,x,x)+3Ap
					; IovBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)+44p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	bl, bl
		call	_VfIrpDatabaseEntryFindAndLock@4 ; VfIrpDatabaseEntryFindAndLock(x)
		test	eax, eax
		jz	short loc_A618A6
		or	dword ptr [eax+24h], 1000h
		inc	bl
		mov	ecx, [esi+8]
		test	cl, 10h
		jz	short loc_A6189F
		test	cl, 40h
		jz	short loc_A6189F
		test	cl, 20h
		jz	short loc_A6189F
		mov	edx, [esi+60h]
		mov	cl, [edx-24h]
		cmp	cl, 0Eh
		jz	short loc_A61893
		cmp	cl, 0Fh
		jnz	short loc_A6189F

loc_A61893:				; CODE XREF: VfSetIoBuildRequest(x)+35j
		mov	ecx, [esi+0Ch]
		mov	[eax+78h], ecx
		mov	ecx, [edx-20h]
		mov	[eax+7Ch], ecx

loc_A6189F:				; CODE XREF: VfSetIoBuildRequest(x)+20j
					; VfSetIoBuildRequest(x)+25j ...
		mov	ecx, eax
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)

loc_A618A6:				; CODE XREF: VfSetIoBuildRequest(x)+Fj
		pop	esi
		mov	al, bl
		pop	ebx
		retn
_VfSetIoBuildRequest@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViIrpAllocateLockedPacket(x, x, x)
_ViIrpAllocateLockedPacket@12 proc near	; CODE XREF: IovAllocateIrp(x,x,x,x)+41p

var_C		= word ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ecx
		mov	[ebp+var_4], edx
		mov	dword ptr [ebp+var_8], eax
		push	ebx
		cbw
		push	esi
		movzx	eax, ax
		xor	esi, esi
		push	edi
		push	[ebp+arg_0]
		imul	eax, 24h
		push	20h
		push	2B707249h
		add	ax, 70h
		mov	dword ptr [ebp+var_C], eax
		movzx	eax, ax
		push	eax
		push	280h
		call	_VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A61988
		and	[ebp+arg_0], esi
		xor	ebx, ebx
		cmp	[ebp+var_4], ebx
		jz	short loc_A61923
		mov	eax, large fs:124h
		mov	ecx, 1000h
		push	ecx
		mov	[ebp+arg_0], ecx
		mov	ebx, [eax+80h]
		push	ebx
		call	_PsChargeProcessNonPagedPoolQuota@8 ; PsChargeProcessNonPagedPoolQuota(x,x)
		test	eax, eax
		jns	short loc_A61923
		push	esi
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A61988
; 

loc_A61923:				; CODE XREF: ViIrpAllocateLockedPacket(x,x,x)+4Ej
					; ViIrpAllocateLockedPacket(x,x,x)+6Dj
		push	dword ptr [ebp+var_8] ;	char
		push	dword ptr [ebp+var_C] ;	__int16
		push	edi		; void *
		call	IoInitializeIrp
		mov	ecx, edi
		call	_VfPacketCreateAndLock@4 ; VfPacketCreateAndLock(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A61954
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+var_4], esi
		jz	short loc_A61988
		mov	eax, [ebp+arg_0]
		push	eax
		push	ebx
		call	_PsReturnProcessNonPagedPoolQuota@8 ; PsReturnProcessNonPagedPoolQuota(x,x)
		jmp	short loc_A61988
; 

loc_A61954:				; CODE XREF: ViIrpAllocateLockedPacket(x,x,x)+8Fj
		or	dword ptr [esi+24h], 200008h
		lock inc dword ptr [esi+0Ch]
		inc	dword ptr [esi+10h]
		or	dword ptr [edi+8], 40000000h
		cmp	[ebp+var_4], 0
		jz	short loc_A61988
		or	byte ptr [edi+27h], 1
		mov	edx, 49667256h
		mov	eax, [ebp+arg_0]
		mov	ecx, ebx
		mov	[esi+38h], eax
		mov	[esi+3Ch], ebx
		call	ObfReferenceObjectWithTag

loc_A61988:				; CODE XREF: ViIrpAllocateLockedPacket(x,x,x)+40j
					; ViIrpAllocateLockedPacket(x,x,x)+76j	...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
_ViIrpAllocateLockedPacket@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViIrpCheckKernelAddressForIrp(x, x,	x)
_ViIrpCheckKernelAddressForIrp@12 proc near
					; CODE XREF: VfBeforeCallDriver(x,x,x):loc_A61474p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_A619E9
		cmp	esi, ds:_MmHighestUserAddress
		jnb	short loc_A619E9
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	eax, ds:_PsInitialSystemProcess
		jz	short loc_A619E9
		cmp	eax, ds:_PsIdleProcess
		jz	short loc_A619E9
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_A619D8
		mov	ecx, [ecx+60h]
		call	_VfTargetDriversIsEnabled@4 ; VfTargetDriversIsEnabled(x)
		test	eax, eax
		jz	short loc_A619E9

loc_A619D8:				; CODE XREF: ViIrpCheckKernelAddressForIrp(x,x,x)+39j
		push	0
		mov	edx, 0E2h
		push	esi
		push	edi
		lea	ecx, [edx-1Eh]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A619E9:				; CODE XREF: ViIrpCheckKernelAddressForIrp(x,x,x)+Ej
					; ViIrpCheckKernelAddressForIrp(x,x,x)+16j ...
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
_ViIrpCheckKernelAddressForIrp@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViIrpSynchronousCompletionRoutine(x, x, x)
_ViIrpSynchronousCompletionRoutine@12 proc near
					; DATA XREF: VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)+A3o

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	0
		push	[ebp+arg_8]
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	eax, 0C0000016h
		pop	ebp
		retn	0Ch
_ViIrpSynchronousCompletionRoutine@12 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExAcquireRundownProtection(x)
@VerifierExAcquireRundownProtection@4 proc near	; DATA XREF: PAGEVRFD:00AA8D34o
		jmp	ds:_pXdvExAcquireRundownProtection
@VerifierExAcquireRundownProtection@4 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierExAcquireRundownProtectionCacheAware(x). PRESS KEYPAD "+"	TO EXPAND]

;  S U B	R O U T	I N E 


; __fastcall VerifierExAcquireRundownProtectionCacheAwareEx(x, x)
@VerifierExAcquireRundownProtectionCacheAwareEx@8 proc near ; DATA XREF: PAGEVRFD:00AA8D64o
		jmp	ds:_pXdvExAcquireRundownProtectionCacheAwareEx
@VerifierExAcquireRundownProtectionCacheAwareEx@8 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierExAcquireRundownProtectionEx(x,x). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 


; __fastcall VerifierExReleaseRundownProtection(x)
@VerifierExReleaseRundownProtection@4 proc near	; DATA XREF: PAGEVRFD:00AA8FECo
		jmp	ds:_pXdvExReleaseRundownProtection
@VerifierExReleaseRundownProtection@4 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierExReleaseRundownProtectionCacheAware(x). PRESS KEYPAD "+"	TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierExReleaseRundownProtectionEx(x,x). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 


; __fastcall VerifierExWaitForRundownProtectionRelease(x)
@VerifierExWaitForRundownProtectionRelease@4 proc near ; DATA XREF: PAGEVRFD:00AA90ACo
		jmp	ds:_pXdvExWaitForRundownProtectionRelease
@VerifierExWaitForRundownProtectionRelease@4 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierExWaitForRundownProtectionReleaseCacheAware(x). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierExfInterlockedCompareExchange64(x,	x, x)
@VerifierExfInterlockedCompareExchange64@12 proc near ;	DATA XREF: PAGEVRFD:00AA8DDCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExfInterlockedCompareExchange64	; ExfInterlockedCompareExchange64(x,x,x)
@VerifierExfInterlockedCompareExchange64@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierExfInterlockedInsertHeadList(x, x,	x)
@VerifierExfInterlockedInsertHeadList@12 proc near ; DATA XREF:	PAGEVRFD:00AA8DF4o
					; PAGEVRFD:00AA8EB4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExfInterlockedInsertHeadList ; ExfInterlockedInsertHeadList(x,x,x)
@VerifierExfInterlockedInsertHeadList@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierExfInterlockedInsertTailList(x, x,	x)
@VerifierExfInterlockedInsertTailList@12 proc near ; DATA XREF:	PAGEVRFD:00AA8E0Co
					; PAGEVRFD:00AA8ECCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExfInterlockedInsertTailList ; ExfInterlockedInsertTailList(x,x,x)
@VerifierExfInterlockedInsertTailList@12 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExfInterlockedPopEntryList(x, x)
@VerifierExfInterlockedPopEntryList@8 proc near	; DATA XREF: PAGEVRFD:00AA8E24o
					; PAGEVRFD:00AA8EE4o
		jmp	ds:_pXdvExfInterlockedPopEntryList ; ExfInterlockedPopEntryList(x,x)
@VerifierExfInterlockedPopEntryList@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierExfInterlockedPushEntryList(x, x, x)
@VerifierExfInterlockedPushEntryList@12	proc near ; DATA XREF: PAGEVRFD:00AA8E3Co
					; PAGEVRFD:00AA8EFCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExfInterlockedPushEntryList ; ExfInterlockedPushEntryList(x,x,x)
@VerifierExfInterlockedPushEntryList@12	endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExfInterlockedRemoveHeadList(x, x)
@VerifierExfInterlockedRemoveHeadList@8	proc near ; DATA XREF: PAGEVRFD:00AA8E54o
					; PAGEVRFD:00AA8F14o
		jmp	ds:_pXdvExfInterlockedRemoveHeadList ; ExfInterlockedRemoveHeadList(x,x)
@VerifierExfInterlockedRemoveHeadList@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierHalExamineMBR(x, x, x, x)
@VerifierHalExamineMBR@16 proc near	; DATA XREF: PAGEVRFD:00AA943Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvHalExamineMBR
@VerifierHalExamineMBR@16 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierInterlockedPopEntrySList(x)
@VerifierInterlockedPopEntrySList@4 proc near ;	DATA XREF: PAGEVRFD:00AA946Co
		jmp	ds:_pXdvInterlockedPopEntrySList ; ExInterlockedPopEntrySList(x,x)
@VerifierInterlockedPopEntrySList@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierInterlockedPushEntrySList(x, x)
@VerifierInterlockedPushEntrySList@8 proc near ; DATA XREF: PAGEVRFD:00AA9484o
		jmp	ds:_pXdvInterlockedPushEntrySList ; InterlockedPushEntrySList(x,x)
@VerifierInterlockedPushEntrySList@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierIoReadPartitionTable(x, x,	x, x)
@VerifierIoReadPartitionTable@16 proc near ; DATA XREF:	PAGEVRFD:00AA988Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoReadPartitionTable
@VerifierIoReadPartitionTable@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierIoSetPartitionInformation(x, x, x,	x)
@VerifierIoSetPartitionInformation@16 proc near	; DATA XREF: PAGEVRFD:00AA9A3Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoSetPartitionInformation
@VerifierIoSetPartitionInformation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierIoWritePartitionTable(x, x, x, x, x)
@VerifierIoWritePartitionTable@20 proc near ; DATA XREF: PAGEVRFD:00AA9B2Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoWritePartitionTable
@VerifierIoWritePartitionTable@20 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierKeAcquireGuardedMutex(x).	PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierKeAcquireGuardedMutexUnsafe(x). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireQueuedSpinLock(x)
@VerifierKeAcquireQueuedSpinLock@4 proc	near ; DATA XREF: PAGEVRFD:00AA9BA4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		inc	dword_6C6E48
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		jz	short loc_A61AEA
		push	58h
		pop	edx
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A61AEA:				; CODE XREF: VerifierKeAcquireQueuedSpinLock(x)+1Cj
		xor	edx, edx
		mov	cl, 2
		call	_ViKeRaiseIrqlSanityChecks@8 ; ViKeRaiseIrqlSanityChecks(x,x)
		mov	ecx, edi
		mov	esi, eax
		call	ds:_pXdvKeAcquireQueuedSpinLock
		test	esi, esi
		jz	short loc_A61B0D
		movzx	ecx, large byte	ptr fs:51h
		mov	[esi+6], cx

loc_A61B0D:				; CODE XREF: VerifierKeAcquireQueuedSpinLock(x)+3Bj
		pop	edi
		pop	esi
		pop	ebp
		retn
@VerifierKeAcquireQueuedSpinLock@4 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierKeAcquireSpinLockForDpc(x). PRESS	KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierKeInitializeGuardedMutex(x). PRESS KEYPAD	"+" TO EXPAND]

;  S U B	R O U T	I N E 


; __fastcall VerifierKeReleaseGuardedMutex(x)
@VerifierKeReleaseGuardedMutex@4 proc near ; DATA XREF:	PAGEVRFD:00AA9E2Co
		jmp	ds:_pXdvKeReleaseGuardedMutex
@VerifierKeReleaseGuardedMutex@4 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierKeReleaseGuardedMutexUnsafe(x). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 


; __fastcall VerifierKeReleaseQueuedSpinLock(x,	x)
@VerifierKeReleaseQueuedSpinLock@8 proc	near ; DATA XREF: PAGEVRFD:00AA9E74o
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	bh, dl
		mov	edi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	_KernelVerifier, 0
		mov	bl, al
		jz	short loc_A61B6A
		test	_MmVerifierData, 800h
		jz	short loc_A61B6A
		cmp	bl, 2
		jnb	short loc_A61B6A
		movzx	eax, bh
		mov	ecx, 0C4h
		push	eax
		push	edi
		movzx	eax, bl
		push	eax
		push	36h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A61B6A:				; CODE XREF: VerifierKeReleaseQueuedSpinLock(x,x)+18j
					; VerifierKeReleaseQueuedSpinLock(x,x)+24j ...
		mov	dl, bh
		mov	cl, bl
		call	_ViKeLowerIrqlSanityChecks@8 ; ViKeLowerIrqlSanityChecks(x,x)
		mov	dl, bh
		mov	ecx, edi
		mov	esi, eax
		call	ds:_pXdvKeReleaseQueuedSpinLock
		pop	edi
		mov	ecx, esi
		xor	edx, edx
		pop	esi
		inc	edx
		pop	ebx
		jmp	_ViKeIrqlLogCommon@8 ; ViKeIrqlLogCommon(x,x)
@VerifierKeReleaseQueuedSpinLock@8 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierKeReleaseSpinLockForDpc(x,x). PRESS KEYPAD "+" TO	EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierKeTestSpinLock(x). PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierKeTryToAcquireGuardedMutex(x). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierCcCopyWrite(x, x, x, x, x)
_VerifierCcCopyWrite@20	proc near	; DATA XREF: PAGEVRFD:00AA8C5Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvCcCopyWrite
_VerifierCcCopyWrite@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierCcCopyWriteEx(x, x,	x, x, x, x)
_VerifierCcCopyWriteEx@24 proc near	; DATA XREF: PAGEVRFD:00AA8C74o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvCcCopyWriteEx
_VerifierCcCopyWriteEx@24 endp


;  S U B	R O U T	I N E 


; size_t VerifierCcDeferWrite
_VerifierCcDeferWrite@24 proc near	; DATA XREF: PAGEVRFD:00AA8C8Co
		jmp	ds:_pXdvCcDeferWrite
_VerifierCcDeferWrite@24 endp


;  S U B	R O U T	I N E 


; size_t VerifierCcFastCopyWrite
_VerifierCcFastCopyWrite@16 proc near	; DATA XREF: PAGEVRFD:00AA8CA4o
		jmp	ds:_pXdvCcFastCopyWrite
_VerifierCcFastCopyWrite@16 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierCcWaitForCurrentLazyWriterActivity(). PRESS KEYPAD "+" TO	EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierCmRegisterCallback(x, x, x)
_VerifierCmRegisterCallback@12 proc near ; DATA	XREF: PAGEVRFD:00AA8CD4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvCmRegisterCallback
_VerifierCmRegisterCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierCmRegisterCallbackEx(x, x, x, x, x,	x)
_VerifierCmRegisterCallbackEx@24 proc near ; DATA XREF:	PAGEVRFD:00AA8D04o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvCmRegisterCallbackEx
_VerifierCmRegisterCallbackEx@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierCmUnRegisterCallback(x, x)
_VerifierCmUnRegisterCallback@8	proc near ; DATA XREF: PAGEVRFD:00AA8CECo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvCmUnRegisterCallback
		pop	ebp
		retn	8
_VerifierCmUnRegisterCallback@8	endp


;  S U B	R O U T	I N E 


; __stdcall VerifierDbgBreakPointWithStatus(x)
_VerifierDbgBreakPointWithStatus@4 proc	near ; DATA XREF: PAGEVRFD:00AA8D1Co
		jmp	ds:_pXdvDbgBreakPointWithStatus
_VerifierDbgBreakPointWithStatus@4 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierExConvertExclusiveToSharedLite(x)
_VerifierExConvertExclusiveToSharedLite@4 proc near ; DATA XREF: PAGEVRFD:00AA8D94o
		jmp	ds:_pXdvExConvertExclusiveToSharedLite
_VerifierExConvertExclusiveToSharedLite@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExCreateCallback(x,	x, x, x)
_VerifierExCreateCallback@16 proc near	; DATA XREF: PAGEVRFD:00AA8DACo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExCreateCallback
_VerifierExCreateCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExEnterCriticalRegionAndAcquireSharedWaitForExclusive(x)
_VerifierExEnterCriticalRegionAndAcquireSharedWaitForExclusive@4 proc near
					; DATA XREF: PAGEVRFD:00AA8DC4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:_pXdvExEnterCriticalRegionAndAcquireSharedWaitForExclusive
		test	eax, eax
		jnz	short loc_A61C21
		pop	ebp
		jmp	_ExEnterCriticalRegionAndAcquireSharedWaitForExclusive@4 ; ExEnterCriticalRegionAndAcquireSharedWaitForExclusive(x)
; 

loc_A61C21:				; CODE XREF: VerifierExEnterCriticalRegionAndAcquireSharedWaitForExclusive(x)+Cj
		pop	ebp
		jmp	eax
_VerifierExEnterCriticalRegionAndAcquireSharedWaitForExclusive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExGetExclusiveWaiterCount(x)
_VerifierExGetExclusiveWaiterCount@4 proc near ; DATA XREF: PAGEVRFD:00AA8E6Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExGetExclusiveWaiterCount
_VerifierExGetExclusiveWaiterCount@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExGetSharedWaiterCount(x)
_VerifierExGetSharedWaiterCount@4 proc near ; DATA XREF: PAGEVRFD:00AA8E84o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExGetSharedWaiterCount
_VerifierExGetSharedWaiterCount@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExInterlockedAddLargeInteger(x, x, x, x)
_VerifierExInterlockedAddLargeInteger@16 proc near ; DATA XREF:	PAGEVRFD:00AA8E9Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvExInterlockedAddLargeInteger
		pop	ebp
		retn	10h
_VerifierExInterlockedAddLargeInteger@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExIsProcessorFeaturePresent(x)
_VerifierExIsProcessorFeaturePresent@4 proc near ; DATA	XREF: PAGEVRFD:00AA8F2Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExIsProcessorFeaturePresent
_VerifierExIsProcessorFeaturePresent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExIsResourceAcquiredExclusiveLite(x)
_VerifierExIsResourceAcquiredExclusiveLite@4 proc near ; DATA XREF: PAGEVRFD:00AA8F44o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExIsResourceAcquiredExclusiveLite
_VerifierExIsResourceAcquiredExclusiveLite@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExIsResourceAcquiredSharedLite(x)
_VerifierExIsResourceAcquiredSharedLite@4 proc near ; DATA XREF: PAGEVRFD:00AA8F5Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExIsResourceAcquiredSharedLite
_VerifierExIsResourceAcquiredSharedLite@4 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierExRaiseAccessViolation().	PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierExRaiseDatatypeMisalignment(). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 


; __stdcall VerifierExRaiseStatus(x)
_VerifierExRaiseStatus@4 proc near	; DATA XREF: PAGEVRFD:00AA8FA4o
		jmp	ds:_pXdvExRaiseStatus
_VerifierExRaiseStatus@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExRegisterCallback(x, x, x)
_VerifierExRegisterCallback@12 proc near ; DATA	XREF: PAGEVRFD:00AA8FBCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExRegisterCallback
_VerifierExRegisterCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExReinitializeResourceLite(x)
_VerifierExReinitializeResourceLite@4 proc near	; DATA XREF: PAGEVRFD:00AA8FD4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExReinitializeResourceLite
_VerifierExReinitializeResourceLite@4 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierExSetResourceOwnerPointer(x,x). PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierExSetResourceOwnerPointerEx(x,x,x). PRESS	KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExSetTimerResolution(x, x)
_VerifierExSetTimerResolution@8	proc near ; DATA XREF: PAGEVRFD:00AA9064o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExSetTimerResolution
_VerifierExSetTimerResolution@8	endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierExUnregisterCallback(x). PRESS KEYPAD "+"	TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExUuidCreate(x)
_VerifierExUuidCreate@4	proc near	; DATA XREF: PAGEVRFD:00AA9094o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExUuidCreate
_VerifierExUuidCreate@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlAllocateFileLock(x, x)
_VerifierFsRtlAllocateFileLock@8 proc near ; DATA XREF:	PAGEVRFD:00AA90DCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlAllocateFileLock
_VerifierFsRtlAllocateFileLock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlAreNamesEqual(x, x, x,	x)
_VerifierFsRtlAreNamesEqual@16 proc near ; DATA	XREF: PAGEVRFD:00AA90F4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlAreNamesEqual
_VerifierFsRtlAreNamesEqual@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlBalanceReads(x)
_VerifierFsRtlBalanceReads@4 proc near	; DATA XREF: PAGEVRFD:00AA910Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlBalanceReads
_VerifierFsRtlBalanceReads@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlCancellableWaitForMultipleObjects(x, x, x, x, x, x)
_VerifierFsRtlCancellableWaitForMultipleObjects@24 proc	near ; DATA XREF: PAGEVRFD:00AA9124o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlCancellableWaitForMultipleObjects
_VerifierFsRtlCancellableWaitForMultipleObjects@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlCancellableWaitForSingleObject(x, x, x)
_VerifierFsRtlCancellableWaitForSingleObject@12	proc near ; DATA XREF: PAGEVRFD:00AA913Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlCancellableWaitForSingleObject
_VerifierFsRtlCancellableWaitForSingleObject@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlCheckLockForReadAccess(x, x)
_VerifierFsRtlCheckLockForReadAccess@8 proc near ; DATA	XREF: PAGEVRFD:00AA9154o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlCheckLockForReadAccess
_VerifierFsRtlCheckLockForReadAccess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlCheckLockForWriteAccess(x, x)
_VerifierFsRtlCheckLockForWriteAccess@8	proc near ; DATA XREF: PAGEVRFD:00AA916Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlCheckLockForWriteAccess
_VerifierFsRtlCheckLockForWriteAccess@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlCopyWrite(x, x, x, x, x, x, x,	x)
_VerifierFsRtlCopyWrite@32 proc	near	; DATA XREF: PAGEVRFD:00AA9184o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlCopyWrite
_VerifierFsRtlCopyWrite@32 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierFsRtlDeregisterUncProvider(x)
_VerifierFsRtlDeregisterUncProvider@4 proc near	; DATA XREF: PAGEVRFD:00AA919Co
		jmp	ds:_pXdvFsRtlDeregisterUncProvider
_VerifierFsRtlDeregisterUncProvider@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlDissectName(x,	x, x, x)
_VerifierFsRtlDissectName@16 proc near	; DATA XREF: PAGEVRFD:00AA91B4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvFsRtlDissectName
		pop	ebp
		retn	10h
_VerifierFsRtlDissectName@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlDoesNameContainWildCards(x)
_VerifierFsRtlDoesNameContainWildCards@4 proc near ; DATA XREF:	PAGEVRFD:00AA91CCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlDoesNameContainWildCards
_VerifierFsRtlDoesNameContainWildCards@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlFastCheckLockForRead(x, x, x, x, x, x)
_VerifierFsRtlFastCheckLockForRead@24 proc near	; DATA XREF: PAGEVRFD:00AA91E4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlFastCheckLockForRead
_VerifierFsRtlFastCheckLockForRead@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlFastCheckLockForWrite(x, x, x,	x, x, x)
_VerifierFsRtlFastCheckLockForWrite@24 proc near ; DATA	XREF: PAGEVRFD:00AA91FCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlFastCheckLockForWrite
_VerifierFsRtlFastCheckLockForWrite@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlFastUnlockAll(x, x, x,	x)
_VerifierFsRtlFastUnlockAll@16 proc near ; DATA	XREF: PAGEVRFD:00AA9214o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlFastUnlockAll
_VerifierFsRtlFastUnlockAll@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlFastUnlockAllByKey(x, x, x, x,	x)
_VerifierFsRtlFastUnlockAllByKey@20 proc near ;	DATA XREF: PAGEVRFD:00AA922Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlFastUnlockAllByKey
_VerifierFsRtlFastUnlockAllByKey@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlFastUnlockSingle(x, x,	x, x, x, x, x, x)
_VerifierFsRtlFastUnlockSingle@32 proc near ; DATA XREF: PAGEVRFD:00AA9244o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlFastUnlockSingle
_VerifierFsRtlFastUnlockSingle@32 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierFsRtlFreeFileLock(x). PRESS KEYPAD "+" TO	EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlGetFileSize(x,	x)
_VerifierFsRtlGetFileSize@8 proc near	; DATA XREF: PAGEVRFD:00AA9274o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlGetFileSize
_VerifierFsRtlGetFileSize@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlGetNextFileLock(x, x)
_VerifierFsRtlGetNextFileLock@8	proc near ; DATA XREF: PAGEVRFD:00AA928Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlGetNextFileLock
_VerifierFsRtlGetNextFileLock@8	endp


;  S U B	R O U T	I N E 


; __stdcall VerifierFsRtlIncrementCcFastReadNoWait()
_VerifierFsRtlIncrementCcFastReadNoWait@0 proc near ; DATA XREF: PAGEVRFD:00AA92A4o
		jmp	ds:_pXdvFsRtlIncrementCcFastReadNoWait
_VerifierFsRtlIncrementCcFastReadNoWait@0 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierFsRtlIncrementCcFastReadWait(). PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierFsRtlInitializeFileLock(x,x,x). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlIsNameInExpression(x, x, x, x)
_VerifierFsRtlIsNameInExpression@16 proc near ;	DATA XREF: PAGEVRFD:00AA92ECo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlIsNameInExpression
_VerifierFsRtlIsNameInExpression@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlMdlReadCompleteDev(x, x, x)
_VerifierFsRtlMdlReadCompleteDev@12 proc near ;	DATA XREF: PAGEVRFD:00AA9304o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlMdlReadCompleteDev
_VerifierFsRtlMdlReadCompleteDev@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlMdlWriteCompleteDev(x,	x, x, x)
_VerifierFsRtlMdlWriteCompleteDev@16 proc near ; DATA XREF: PAGEVRFD:00AA931Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlMdlWriteCompleteDev
_VerifierFsRtlMdlWriteCompleteDev@16 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierFsRtlNotifyFilterChangeDirectory(x,x,x,x,x,x,x,x,x,x,x). PRESS KEYPAD "+"	TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierFsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x). PRESS	KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierFsRtlNotifyFullChangeDirectory(x,x,x,x,x,x,x,x,x,x). PRESS KEYPAD	"+" TO EXPAND]

;  S U B	R O U T	I N E 


; __stdcall VerifierFsRtlNotifyFullReportChange(x, x, x, x, x, x, x, x,	x)
_VerifierFsRtlNotifyFullReportChange@36	proc near ; DATA XREF: PAGEVRFD:00AA937Co
		jmp	ds:_pXdvFsRtlNotifyFullReportChange
_VerifierFsRtlNotifyFullReportChange@36	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlPrivateLock(x,	x, x, x, x, x, x, x, x,	x, x, x)
_VerifierFsRtlPrivateLock@48 proc near	; DATA XREF: PAGEVRFD:00AA9394o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlPrivateLock
_VerifierFsRtlPrivateLock@48 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlProcessFileLock(x, x, x)
_VerifierFsRtlProcessFileLock@12 proc near ; DATA XREF:	PAGEVRFD:00AA93ACo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlProcessFileLock
_VerifierFsRtlProcessFileLock@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlRegisterUncProvider(x,	x, x)
_VerifierFsRtlRegisterUncProvider@12 proc near ; DATA XREF: PAGEVRFD:00AA93C4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlRegisterUncProvider
_VerifierFsRtlRegisterUncProvider@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlRemoveDotsFromPath(x, x, x)
_VerifierFsRtlRemoveDotsFromPath@12 proc near ;	DATA XREF: PAGEVRFD:00AA93F4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlRemoveDotsFromPath
_VerifierFsRtlRemoveDotsFromPath@12 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierFsRtlUninitializeFileLock(x)
_VerifierFsRtlUninitializeFileLock@4 proc near ; DATA XREF: PAGEVRFD:00AA940Co
		jmp	ds:_pXdvFsRtlUninitializeFileLock
_VerifierFsRtlUninitializeFileLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierFsRtlValidateReparsePointBuffer(x, x)
_VerifierFsRtlValidateReparsePointBuffer@8 proc	near ; DATA XREF: PAGEVRFD:00AA9424o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvFsRtlValidateReparsePointBuffer
_VerifierFsRtlValidateReparsePointBuffer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierHalGetInterruptVector(x, x,	x, x, x, x)
_VerifierHalGetInterruptVector@24 proc near ; DATA XREF: PAGEVRFD:00AA9454o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvHalGetInterruptVector ;	HalGetInterruptVector(x,x,x,x,x,x)
_VerifierHalGetInterruptVector@24 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierIoAcquireCancelSpinLock(x). PRESS	KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 


; __stdcall VerifierIoAcquireVpbSpinLock(x)
_VerifierIoAcquireVpbSpinLock@4	proc near ; DATA XREF: PAGEVRFD:00AA94B4o
		jmp	ds:_pXdvIoAcquireVpbSpinLock
_VerifierIoAcquireVpbSpinLock@4	endp


;  S U B	R O U T	I N E 


; __stdcall VerifierIoAllocateController(x, x, x, x)
_VerifierIoAllocateController@16 proc near ; DATA XREF:	PAGEVRFD:00AA94CCo
		jmp	ds:_pXdvIoAllocateController
_VerifierIoAllocateController@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoAttachDevice(x, x, x)
_VerifierIoAttachDevice@12 proc	near	; DATA XREF: PAGEVRFD:00AA94E4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoAttachDevice
_VerifierIoAttachDevice@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoAttachDeviceToDeviceStack(x, x)
_VerifierIoAttachDeviceToDeviceStack@8 proc near ; DATA	XREF: PAGEVRFD:00AA94FCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoAttachDeviceToDeviceStack
_VerifierIoAttachDeviceToDeviceStack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoAttachDeviceToDeviceStackSafe(x, x, x)
_VerifierIoAttachDeviceToDeviceStackSafe@12 proc near ;	DATA XREF: PAGEVRFD:00AA9514o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoAttachDeviceToDeviceStackSafe
_VerifierIoAttachDeviceToDeviceStackSafe@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoCancelIrp(x)
_VerifierIoCancelIrp@4 proc near	; DATA XREF: PAGEVRFD:00AA952Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoCancelIrp
_VerifierIoCancelIrp@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoCheckShareAccess(x, x, x,	x, x)
_VerifierIoCheckShareAccess@20 proc near ; DATA	XREF: PAGEVRFD:00AA9544o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoCheckShareAccess
_VerifierIoCheckShareAccess@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoCreateController(x)
_VerifierIoCreateController@4 proc near	; DATA XREF: PAGEVRFD:00AA955Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoCreateController
_VerifierIoCreateController@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoCreateFile(x, x, x, x, x,	x, x, x, x, x, x, x, x,	x)
_VerifierIoCreateFile@56 proc near	; DATA XREF: PAGEVRFD:00AA9574o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoCreateFile
_VerifierIoCreateFile@56 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoCreateFileEx(x, x, x, x, x, x, x,	x, x, x, x, x, x, x, x)
_VerifierIoCreateFileEx@60 proc	near	; DATA XREF: PAGEVRFD:00AA958Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoCreateFileEx
_VerifierIoCreateFileEx@60 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoCreateFileSpecifyDeviceObjectHint(x, x, x, x, x, x, x, x,	x, x, x, x, x, x, x)
_VerifierIoCreateFileSpecifyDeviceObjectHint@60	proc near ; DATA XREF: PAGEVRFD:00AA95A4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoCreateFileSpecifyDeviceObjectHint
_VerifierIoCreateFileSpecifyDeviceObjectHint@60	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoCreateNotificationEvent(x, x)
_VerifierIoCreateNotificationEvent@8 proc near ; DATA XREF: PAGEVRFD:00AA95BCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoCreateNotificationEvent
_VerifierIoCreateNotificationEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoCreateSymbolicLink(x, x)
_VerifierIoCreateSymbolicLink@8	proc near ; DATA XREF: PAGEVRFD:00AA95D4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoCreateSymbolicLink
_VerifierIoCreateSymbolicLink@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoCreateSynchronizationEvent(x, x)
_VerifierIoCreateSynchronizationEvent@8	proc near ; DATA XREF: PAGEVRFD:00AA95ECo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoCreateSynchronizationEvent
_VerifierIoCreateSynchronizationEvent@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoCreateUnprotectedSymbolicLink(x, x)
_VerifierIoCreateUnprotectedSymbolicLink@8 proc	near ; DATA XREF: PAGEVRFD:00AA9604o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoCreateUnprotectedSymbolicLink
_VerifierIoCreateUnprotectedSymbolicLink@8 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierIoDeleteController(x)
_VerifierIoDeleteController@4 proc near	; DATA XREF: PAGEVRFD:00AA961Co
		jmp	ds:_pXdvIoDeleteController
_VerifierIoDeleteController@4 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierIoDeleteDevice(x)
_VerifierIoDeleteDevice@4 proc near	; DATA XREF: PAGEVRFD:00AA9634o
		jmp	ds:_pXdvIoDeleteDevice
_VerifierIoDeleteDevice@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoDeleteSymbolicLink(x)
_VerifierIoDeleteSymbolicLink@4	proc near ; DATA XREF: PAGEVRFD:00AA964Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoDeleteSymbolicLink
_VerifierIoDeleteSymbolicLink@4	endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierIoDetachDevice(x). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 


; __stdcall VerifierIoFreeController(x)
_VerifierIoFreeController@4 proc near	; DATA XREF: PAGEVRFD:00AA967Co
		jmp	ds:_pXdvIoFreeController
_VerifierIoFreeController@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoGetAttachedDeviceReference(x)
_VerifierIoGetAttachedDeviceReference@4	proc near ; DATA XREF: PAGEVRFD:00AA9694o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoGetAttachedDeviceReference
_VerifierIoGetAttachedDeviceReference@4	endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierIoGetConfigurationInformation(). PRESS KEYPAD "+"	TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoGetDeviceDirectory(x, x, x, x, x)
_VerifierIoGetDeviceDirectory@20 proc near ; DATA XREF:	PAGEVRFD:00AA96C4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoGetDeviceDirectory
_VerifierIoGetDeviceDirectory@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoGetDeviceInterfaceAlias(x, x, x)
_VerifierIoGetDeviceInterfaceAlias@12 proc near	; DATA XREF: PAGEVRFD:00AA96F4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoGetDeviceInterfaceAlias
_VerifierIoGetDeviceInterfaceAlias@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoGetDeviceInterfaces(x, x,	x, x)
_VerifierIoGetDeviceInterfaces@16 proc near ; DATA XREF: PAGEVRFD:00AA970Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoGetDeviceInterfaces
_VerifierIoGetDeviceInterfaces@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoGetDeviceNumaNode(x, x)
_VerifierIoGetDeviceNumaNode@8 proc near ; DATA	XREF: PAGEVRFD:00AA9724o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoGetDeviceNumaNode
_VerifierIoGetDeviceNumaNode@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoGetDeviceObjectPointer(x,	x, x, x)
_VerifierIoGetDeviceObjectPointer@16 proc near ; DATA XREF: PAGEVRFD:00AA973Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoGetDeviceObjectPointer
_VerifierIoGetDeviceObjectPointer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoGetDeviceProperty(x, x, x, x, x)
_VerifierIoGetDeviceProperty@20	proc near ; DATA XREF: PAGEVRFD:00AA9754o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoGetDeviceProperty
_VerifierIoGetDeviceProperty@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoGetDevicePropertyData(x, x, x, x,	x, x, x, x)
_VerifierIoGetDevicePropertyData@32 proc near ;	DATA XREF: PAGEVRFD:00AA976Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoGetDevicePropertyData
_VerifierIoGetDevicePropertyData@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoGetDriverDirectory(x, x, x, x)
_VerifierIoGetDriverDirectory@16 proc near ; DATA XREF:	PAGEVRFD:00AA96DCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoGetDriverDirectory
_VerifierIoGetDriverDirectory@16 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierIoGetFileObjectGenericMapping(). PRESS KEYPAD "+"	TO EXPAND]

;  S U B	R O U T	I N E 


; __stdcall VerifierIoGetInitialStack()
_VerifierIoGetInitialStack@0 proc near	; DATA XREF: PAGEVRFD:00AA97CCo
		jmp	ds:_pXdvIoGetInitialStack
_VerifierIoGetInitialStack@0 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierIoInitializeIrp(x, x, x)
_VerifierIoInitializeIrp@12 proc near	; DATA XREF: PAGEVRFD:00AA97E4o
		jmp	ds:_pXdvIoInitializeIrp
_VerifierIoInitializeIrp@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoIsWdmVersionAvailable(x, x)
_VerifierIoIsWdmVersionAvailable@8 proc	near ; DATA XREF: PAGEVRFD:00AA9814o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoIsWdmVersionAvailable
_VerifierIoIsWdmVersionAvailable@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoOpenDeviceInterfaceRegistryKey(x,	x, x)
_VerifierIoOpenDeviceInterfaceRegistryKey@12 proc near ; DATA XREF: PAGEVRFD:00AA982Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoOpenDeviceInterfaceRegistryKey
_VerifierIoOpenDeviceInterfaceRegistryKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoOpenDeviceRegistryKey(x, x, x, x)
_VerifierIoOpenDeviceRegistryKey@16 proc near ;	DATA XREF: PAGEVRFD:00AA9844o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoOpenDeviceRegistryKey
_VerifierIoOpenDeviceRegistryKey@16 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierIoRaiseHardError(x,	x, x)
_VerifierIoRaiseHardError@12 proc near	; DATA XREF: PAGEVRFD:00AA985Co
		jmp	ds:_pXdvIoRaiseHardError
_VerifierIoRaiseHardError@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoRaiseInformationalHardError(x, x,	x)
_VerifierIoRaiseInformationalHardError@12 proc near ; DATA XREF: PAGEVRFD:00AA9874o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoRaiseInformationalHardError
_VerifierIoRaiseInformationalHardError@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoReadPartitionTableEx(x, x)
_VerifierIoReadPartitionTableEx@8 proc near ; DATA XREF: PAGEVRFD:00AA98A4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoReadPartitionTableEx
_VerifierIoReadPartitionTableEx@8 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierIoRegisterBootDriverReinitialization(x,x,x). PRESS KEYPAD	"+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoRegisterDeviceInterface(x, x, x, x)
_VerifierIoRegisterDeviceInterface@16 proc near	; DATA XREF: PAGEVRFD:00AA98D4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoRegisterDeviceInterface
_VerifierIoRegisterDeviceInterface@16 endp

; 
		db 2 dup(0CCh)
; [00000006 BYTES: COLLAPSED FUNCTION VerifierIoRegisterDriverReinitialization(x,x,x). PRESS KEYPAD "+"	TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoRegisterLastChanceShutdownNotification(x)
_VerifierIoRegisterLastChanceShutdownNotification@4 proc near
					; DATA XREF: PAGEVRFD:00AA9904o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoRegisterLastChanceShutdownNotification
_VerifierIoRegisterLastChanceShutdownNotification@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoRegisterPlugPlayNotification(x, x, x, x, x, x, x)
_VerifierIoRegisterPlugPlayNotification@28 proc	near ; DATA XREF: PAGEVRFD:00AA991Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoRegisterPlugPlayNotification
_VerifierIoRegisterPlugPlayNotification@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoRegisterShutdownNotification(x)
_VerifierIoRegisterShutdownNotification@4 proc near ; DATA XREF: PAGEVRFD:00AA9934o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoRegisterShutdownNotification
_VerifierIoRegisterShutdownNotification@4 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierIoReleaseCancelSpinLock(x). PRESS	KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 


; __stdcall VerifierIoReleaseVpbSpinLock(x)
_VerifierIoReleaseVpbSpinLock@4	proc near ; DATA XREF: PAGEVRFD:00AA9964o
		jmp	ds:_pXdvIoReleaseVpbSpinLock
_VerifierIoReleaseVpbSpinLock@4	endp


;  S U B	R O U T	I N E 


; __stdcall VerifierIoRemoveShareAccess(x, x)
_VerifierIoRemoveShareAccess@8 proc near ; DATA	XREF: PAGEVRFD:00AA997Co
		jmp	ds:_pXdvIoRemoveShareAccess
_VerifierIoRemoveShareAccess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoReplacePartitionUnit(x, x, x)
_VerifierIoReplacePartitionUnit@12 proc	near ; DATA XREF: PAGEVRFD:00AA9994o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoReplacePartitionUnit
_VerifierIoReplacePartitionUnit@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoReportDetectedDevice(x, x, x, x, x, x, x,	x)
_VerifierIoReportDetectedDevice@32 proc	near ; DATA XREF: PAGEVRFD:00AA99ACo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoReportDetectedDevice
_VerifierIoReportDetectedDevice@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoReportTargetDeviceChange(x, x)
_VerifierIoReportTargetDeviceChange@8 proc near	; DATA XREF: PAGEVRFD:00AA99C4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoReportTargetDeviceChange
_VerifierIoReportTargetDeviceChange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoReportTargetDeviceChangeAsynchronous(x, x, x, x)
_VerifierIoReportTargetDeviceChangeAsynchronous@16 proc	near ; DATA XREF: PAGEVRFD:00AA99DCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoReportTargetDeviceChangeAsynchronous
_VerifierIoReportTargetDeviceChangeAsynchronous@16 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierIoReuseIrp(x, x)
_VerifierIoReuseIrp@8 proc near		; DATA XREF: PAGEVRFD:00AA99F4o
		jmp	ds:_pXdvIoReuseIrp
_VerifierIoReuseIrp@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoSetDeviceInterfaceState(x, x)
_VerifierIoSetDeviceInterfaceState@8 proc near ; DATA XREF: PAGEVRFD:00AA9A0Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoSetDeviceInterfaceState
_VerifierIoSetDeviceInterfaceState@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoSetDevicePropertyData(x, x, x, x,	x, x, x)
_VerifierIoSetDevicePropertyData@28 proc near ;	DATA XREF: PAGEVRFD:00AA9A24o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoSetDevicePropertyData
_VerifierIoSetDevicePropertyData@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoSetPartitionInformationEx(x, x, x)
_VerifierIoSetPartitionInformationEx@12	proc near ; DATA XREF: PAGEVRFD:00AA9A54o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoSetPartitionInformationEx
_VerifierIoSetPartitionInformationEx@12	endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierIoSetShareAccess(x,x,x,x). PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierIoSetStartIoAttributes(x,x,x). PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierIoStartNextPacket(x,x). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoUnregisterPlugPlayNotification(x)
_VerifierIoUnregisterPlugPlayNotification@4 proc near ;	DATA XREF: PAGEVRFD:00AA9AB4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoUnregisterPlugPlayNotification
_VerifierIoUnregisterPlugPlayNotification@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoUnregisterPlugPlayNotificationEx(x)
_VerifierIoUnregisterPlugPlayNotificationEx@4 proc near	; DATA XREF: PAGEVRFD:00AA9ACCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoUnregisterPlugPlayNotificationEx
_VerifierIoUnregisterPlugPlayNotificationEx@4 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierIoUnregisterShutdownNotification(x)
_VerifierIoUnregisterShutdownNotification@4 proc near ;	DATA XREF: PAGEVRFD:00AA9AE4o
		jmp	ds:_pXdvIoUnregisterShutdownNotification
_VerifierIoUnregisterShutdownNotification@4 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierIoUpdateShareAccess(x,x).	PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoWMIAllocateInstanceIds(x,	x, x)
_VerifierIoWMIAllocateInstanceIds@12 proc near ; DATA XREF: PAGEVRFD:00AA9B14o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoWMIAllocateInstanceIds
_VerifierIoWMIAllocateInstanceIds@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoWritePartitionTableEx(x, x)
_VerifierIoWritePartitionTableEx@8 proc	near ; DATA XREF: PAGEVRFD:00AA9B44o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvIoWritePartitionTableEx
_VerifierIoWritePartitionTableEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeAcquireInterruptSpinLock(x)
_VerifierKeAcquireInterruptSpinLock@4 proc near	; DATA XREF: PAGEVRFD:00AA9B8Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeAcquireInterruptSpinLock
_VerifierKeAcquireInterruptSpinLock@4 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierKeAreAllApcsDisabled()
_VerifierKeAreAllApcsDisabled@0	proc near ; DATA XREF: PAGEVRFD:00AA9BD4o
		jmp	ds:_pXdvKeAreAllApcsDisabled
_VerifierKeAreAllApcsDisabled@0	endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierKeAreApcsDisabled(). PRESS KEYPAD	"+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeDeregisterNmiCallback(x)
_VerifierKeDeregisterNmiCallback@4 proc	near ; DATA XREF: PAGEVRFD:00AA9C34o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeDeregisterNmiCallback
_VerifierKeDeregisterNmiCallback@4 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierKeEnterGuardedRegion()
_VerifierKeEnterGuardedRegion@0	proc near ; DATA XREF: PAGEVRFD:00AA9C4Co
		jmp	ds:_pXdvKeEnterGuardedRegion
_VerifierKeEnterGuardedRegion@0	endp


;  S U B	R O U T	I N E 


; __stdcall VerifierKeFlushQueuedDpcs()
_VerifierKeFlushQueuedDpcs@0 proc near	; DATA XREF: PAGEVRFD:00AA9C64o
		jmp	ds:_pXdvKeFlushQueuedDpcs
_VerifierKeFlushQueuedDpcs@0 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierKeInitializeDeviceQueue(x). PRESS	KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeInsertByKeyDeviceQueue(x,	x, x)
_VerifierKeInsertByKeyDeviceQueue@12 proc near ; DATA XREF: PAGEVRFD:00AA9CACo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeInsertByKeyDeviceQueue
_VerifierKeInsertByKeyDeviceQueue@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeInsertDeviceQueue(x, x)
_VerifierKeInsertDeviceQueue@8 proc near ; DATA	XREF: PAGEVRFD:00AA9CC4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeInsertDeviceQueue
_VerifierKeInsertDeviceQueue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeInsertHeadQueue(x, x)
_VerifierKeInsertHeadQueue@8 proc near	; DATA XREF: PAGEVRFD:00AA9CDCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeInsertHeadQueue
_VerifierKeInsertHeadQueue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeInsertQueue(x, x)
_VerifierKeInsertQueue@8 proc near	; DATA XREF: PAGEVRFD:00AA9CF4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeInsertQueue
_VerifierKeInsertQueue@8 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierKeLeaveGuardedRegion(). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 


; __stdcall VerifierKeQueryActiveProcessors()
_VerifierKeQueryActiveProcessors@0 proc	near ; DATA XREF: PAGEVRFD:00AA9D3Co
		jmp	ds:_pXdvKeQueryActiveProcessors	; KeQueryActiveProcessors()
_VerifierKeQueryActiveProcessors@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeQueryPriorityThread(x)
_VerifierKeQueryPriorityThread@4 proc near ; DATA XREF:	PAGEVRFD:00AA9D84o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeQueryPriorityThread
_VerifierKeQueryPriorityThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeQueryRuntimeThread(x, x)
_VerifierKeQueryRuntimeThread@8	proc near ; DATA XREF: PAGEVRFD:00AA9D9Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeQueryRuntimeThread
_VerifierKeQueryRuntimeThread@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeRegisterNmiCallback(x, x)
_VerifierKeRegisterNmiCallback@8 proc near ; DATA XREF:	PAGEVRFD:00AA9E14o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeRegisterNmiCallback
_VerifierKeRegisterNmiCallback@8 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierKeReleaseInterruptSpinLock(x, x)
_VerifierKeReleaseInterruptSpinLock@8 proc near	; DATA XREF: PAGEVRFD:00AA9E5Co
		jmp	ds:_pXdvKeReleaseInterruptSpinLock
_VerifierKeReleaseInterruptSpinLock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeRemoveByKeyDeviceQueue(x,	x)
_VerifierKeRemoveByKeyDeviceQueue@8 proc near ;	DATA XREF: PAGEVRFD:00AA9EBCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeRemoveByKeyDeviceQueue
_VerifierKeRemoveByKeyDeviceQueue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeRemoveDeviceQueue(x)
_VerifierKeRemoveDeviceQueue@4 proc near ; DATA	XREF: PAGEVRFD:00AA9ED4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeRemoveDeviceQueue
_VerifierKeRemoveDeviceQueue@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeRemoveEntryDeviceQueue(x,	x)
_VerifierKeRemoveEntryDeviceQueue@8 proc near ;	DATA XREF: PAGEVRFD:00AA9EECo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeRemoveEntryDeviceQueue
_VerifierKeRemoveEntryDeviceQueue@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeRemoveQueue(x, x,	x)
_VerifierKeRemoveQueue@12 proc near	; DATA XREF: PAGEVRFD:00AA9F04o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeRemoveQueue
_VerifierKeRemoveQueue@12 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierKeRevertToUserAffinityThreadEx(x)
_VerifierKeRevertToUserAffinityThreadEx@4 proc near ; DATA XREF: PAGEVRFD:00AA9D54o
		jmp	ds:_pXdvKeRevertToUserAffinityThreadEx ; KeRevertToUserAffinityThreadEx(x)
_VerifierKeRevertToUserAffinityThreadEx@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeSaveFloatingPointState(x)
_VerifierKeSaveFloatingPointState@4 proc near ;	DATA XREF: PAGEVRFD:00AA9F34o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeSaveFloatingPointState ; KeSaveFloatingPointState(x)
_VerifierKeSaveFloatingPointState@4 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierKeSetSystemAffinityThread(x)
_VerifierKeSetSystemAffinityThread@4 proc near ; DATA XREF: PAGEVRFD:00AA9D6Co
		jmp	ds:_pXdvKeSetSystemAffinityThread ; KeSetSystemAffinityThread(x)
_VerifierKeSetSystemAffinityThread@4 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierKeSetSystemGroupAffinityThread(x,x). PRESS KEYPAD	"+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmAddPhysicalMemory(x, x)
_VerifierMmAddPhysicalMemory@8 proc near ; DATA	XREF: PAGEVRFD:00AA9FC4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvMmAddPhysicalMemory
_VerifierMmAddPhysicalMemory@8 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierMmCreateMirror()
_VerifierMmCreateMirror@0 proc near	; DATA XREF: PAGEVRFD:00AA9FDCo
		jmp	ds:_pXdvMmCreateMirror
_VerifierMmCreateMirror@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmDoesFileHaveUserWritableReferences(x)
_VerifierMmDoesFileHaveUserWritableReferences@4	proc near ; DATA XREF: PAGEVRFD:00AA9FF4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvMmDoesFileHaveUserWritableReferences
_VerifierMmDoesFileHaveUserWritableReferences@4	endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierMmGetPhysicalMemoryRanges(). PRESS KEYPAD	"+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmLockPagableDataSection(x)
_VerifierMmLockPagableDataSection@4 proc near ;	DATA XREF: PAGEVRFD:00AAA024o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvMmLockPagableDataSection
_VerifierMmLockPagableDataSection@4 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierMmLockPagableSectionByHandle(x)
_VerifierMmLockPagableSectionByHandle@4	proc near ; DATA XREF: PAGEVRFD:00AAA03Co
		jmp	ds:_pXdvMmLockPagableSectionByHandle
_VerifierMmLockPagableSectionByHandle@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmMapLockedPagesWithReservedMapping(x, x, x, x)
_VerifierMmMapLockedPagesWithReservedMapping@16	proc near ; DATA XREF: PAGEVRFD:00AAA054o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvMmMapLockedPagesWithReservedMapping
_VerifierMmMapLockedPagesWithReservedMapping@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmPageEntireDriver(x)
_VerifierMmPageEntireDriver@4 proc near	; DATA XREF: PAGEVRFD:00AAA06Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvMmPageEntireDriver
_VerifierMmPageEntireDriver@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmPrefetchPages(x, x)
_VerifierMmPrefetchPages@8 proc	near	; DATA XREF: PAGEVRFD:00AAA084o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvMmPrefetchPages
_VerifierMmPrefetchPages@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmRemovePhysicalMemory(x, x)
_VerifierMmRemovePhysicalMemory@8 proc near ; DATA XREF: PAGEVRFD:00AAA09Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvMmRemovePhysicalMemory
_VerifierMmRemovePhysicalMemory@8 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierMmResetDriverPaging(x)
_VerifierMmResetDriverPaging@4 proc near ; DATA	XREF: PAGEVRFD:00AAA0B4o
		jmp	ds:_pXdvMmResetDriverPaging
_VerifierMmResetDriverPaging@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmSecureVirtualMemory(x, x,	x)
_VerifierMmSecureVirtualMemory@12 proc near ; DATA XREF: PAGEVRFD:00AAA0CCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvMmSecureVirtualMemory
_VerifierMmSecureVirtualMemory@12 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierMmUnlockPagableImageSection(x). PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierMmUnsecureVirtualMemory(x). PRESS	KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierNtSetInformationFile(x, x, x, x, x)
_VerifierNtSetInformationFile@20 proc near ; DATA XREF:	PAGEVRFD:00AAA12Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvNtSetInformationFile
_VerifierNtSetInformationFile@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPoCallDriver(x, x)
_VerifierPoCallDriver@8	proc near	; DATA XREF: PAGEVRFD:00AAA204o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_pXdvPoCallDriver, 0
		jz	short loc_A62280
		push	offset IofCallDriverSpecifyReturn
		push	dword ptr [ebp+4]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvPoCallDriver
		jmp	short loc_A6228E
; 

loc_A62280:				; CODE XREF: VerifierPoCallDriver(x,x)+Cj
		push	dword ptr [ebp+4]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	IofCallDriverSpecifyReturn

loc_A6228E:				; CODE XREF: VerifierPoCallDriver(x,x)+22j
		pop	ebp
		retn	8
_VerifierPoCallDriver@8	endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierPoFxActivateComponent(x,x,x). PRESS KEYPAD "+" TO	EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierPoFxCompleteDevicePowerNotRequired(x). PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierPoFxCompleteIdleCondition(x,x). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 


; __stdcall VerifierPoFxCompleteIdleState(x, x)
_VerifierPoFxCompleteIdleState@8 proc near ; DATA XREF:	PAGEVRFD:00AAA264o
		jmp	ds:_pXdvPoFxCompleteIdleState
_VerifierPoFxCompleteIdleState@8 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierPoFxIdleComponent(x, x, x)
_VerifierPoFxIdleComponent@12 proc near	; DATA XREF: PAGEVRFD:00AAA27Co
		jmp	ds:_pXdvPoFxIdleComponent
_VerifierPoFxIdleComponent@12 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierPoFxNotifySurprisePowerOn(x)
_VerifierPoFxNotifySurprisePowerOn@4 proc near ; DATA XREF: PAGEVRFD:00AAA294o
		jmp	ds:_pXdvPoFxNotifySurprisePowerOn
_VerifierPoFxNotifySurprisePowerOn@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPoFxPowerControl(x,	x, x, x, x, x, x)
_VerifierPoFxPowerControl@28 proc near	; DATA XREF: PAGEVRFD:00AAA2ACo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPoFxPowerControl
_VerifierPoFxPowerControl@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPoFxRegisterDevice(x, x, x)
_VerifierPoFxRegisterDevice@12 proc near ; DATA	XREF: PAGEVRFD:00AAA2C4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPoFxRegisterDevice
_VerifierPoFxRegisterDevice@12 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierPoFxReportDevicePoweredOn(x)
_VerifierPoFxReportDevicePoweredOn@4 proc near ; DATA XREF: PAGEVRFD:00AAA2DCo
		jmp	ds:_pXdvPoFxReportDevicePoweredOn
_VerifierPoFxReportDevicePoweredOn@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPoFxSetComponentLatency(x, x, x, x)
_VerifierPoFxSetComponentLatency@16 proc near ;	DATA XREF: PAGEVRFD:00AAA2F4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvPoFxSetComponentLatency
		pop	ebp
		retn	10h
_VerifierPoFxSetComponentLatency@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPoFxSetComponentResidency(x, x, x, x)
_VerifierPoFxSetComponentResidency@16 proc near	; DATA XREF: PAGEVRFD:00AAA30Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvPoFxSetComponentResidency
		pop	ebp
		retn	10h
_VerifierPoFxSetComponentResidency@16 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierPoFxSetComponentWake(x, x, x)
_VerifierPoFxSetComponentWake@12 proc near ; DATA XREF:	PAGEVRFD:00AAA324o
		jmp	ds:_pXdvPoFxSetComponentWake
_VerifierPoFxSetComponentWake@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPoFxSetDeviceIdleTimeout(x,	x, x)
_VerifierPoFxSetDeviceIdleTimeout@12 proc near ; DATA XREF: PAGEVRFD:00AAA33Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvPoFxSetDeviceIdleTimeout
		pop	ebp
		retn	0Ch
_VerifierPoFxSetDeviceIdleTimeout@12 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierPoFxStartDevicePowerManagement(x). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 


; __stdcall VerifierPoFxUnregisterDevice(x)
_VerifierPoFxUnregisterDevice@4	proc near ; DATA XREF: PAGEVRFD:00AAA36Co
		jmp	ds:_pXdvPoFxUnregisterDevice
_VerifierPoFxUnregisterDevice@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPoRequestPowerIrp(x, x, x, x, x, x)
_VerifierPoRequestPowerIrp@24 proc near	; DATA XREF: PAGEVRFD:00AAA384o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPoRequestPowerIrp
_VerifierPoRequestPowerIrp@24 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierProbeForRead(x, x, x)
_VerifierProbeForRead@12 proc near	; DATA XREF: PAGEVRFD:00AAA39Co
		jmp	ds:_pXdvProbeForRead
_VerifierProbeForRead@12 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierProbeForWrite(x,x,x). PRESS KEYPAD "+" TO	EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPsAssignImpersonationToken(x, x)
_VerifierPsAssignImpersonationToken@8 proc near	; DATA XREF: PAGEVRFD:00AAA3CCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPsAssignImpersonationToken
_VerifierPsAssignImpersonationToken@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPsCreateSystemThread(x, x, x, x, x,	x, x)
_VerifierPsCreateSystemThread@28 proc near ; DATA XREF:	PAGEVRFD:00AAA3E4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPsCreateSystemThread
_VerifierPsCreateSystemThread@28 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierPsDereferenceImpersonationToken(x). PRESS	KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerifierPsDereferencePrimaryToken(x). PRESS KEYPAD "+" TO	EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPsDisableImpersonation(x, x)
_VerifierPsDisableImpersonation@8 proc near ; DATA XREF: PAGEVRFD:00AAA42Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPsDisableImpersonation
_VerifierPsDisableImpersonation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPsGetVersion(x, x, x, x)
_VerifierPsGetVersion@16 proc near	; DATA XREF: PAGEVRFD:00AAA444o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPsGetVersion
_VerifierPsGetVersion@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPsImpersonateClient(x, x, x, x, x)
_VerifierPsImpersonateClient@20	proc near ; DATA XREF: PAGEVRFD:00AAA45Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPsImpersonateClient
_VerifierPsImpersonateClient@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPsReferenceImpersonationToken(x, x,	x, x)
_VerifierPsReferenceImpersonationToken@16 proc near ; DATA XREF: PAGEVRFD:00AAA474o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPsReferenceImpersonationToken
_VerifierPsReferenceImpersonationToken@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPsReferencePrimaryToken(x)
_VerifierPsReferencePrimaryToken@4 proc	near ; DATA XREF: PAGEVRFD:00AAA48Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPsReferencePrimaryToken
_VerifierPsReferencePrimaryToken@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPsRemoveLoadImageNotifyRoutine(x)
_VerifierPsRemoveLoadImageNotifyRoutine@4 proc near ; DATA XREF: PAGEVRFD:00AAA4A4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPsRemoveLoadImageNotifyRoutine
_VerifierPsRemoveLoadImageNotifyRoutine@4 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierPsRestoreImpersonation(x, x)
_VerifierPsRestoreImpersonation@8 proc near ; DATA XREF: PAGEVRFD:00AAA4BCo
		jmp	ds:_pXdvPsRestoreImpersonation
_VerifierPsRestoreImpersonation@8 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierPsRevertToSelf().	PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPsSetCreateProcessNotifyRoutine(x, x)
_VerifierPsSetCreateProcessNotifyRoutine@8 proc	near ; DATA XREF: PAGEVRFD:00AAA4ECo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPsSetCreateProcessNotifyRoutine
_VerifierPsSetCreateProcessNotifyRoutine@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPsSetCreateProcessNotifyRoutineEx(x, x)
_VerifierPsSetCreateProcessNotifyRoutineEx@8 proc near ; DATA XREF: PAGEVRFD:00AAA504o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPsSetCreateProcessNotifyRoutineEx
_VerifierPsSetCreateProcessNotifyRoutineEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPsSetCreateThreadNotifyRoutine(x)
_VerifierPsSetCreateThreadNotifyRoutine@4 proc near ; DATA XREF: PAGEVRFD:00AAA51Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPsSetCreateThreadNotifyRoutine
_VerifierPsSetCreateThreadNotifyRoutine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPsSetLoadImageNotifyRoutine(x)
_VerifierPsSetLoadImageNotifyRoutine@4 proc near ; DATA	XREF: PAGEVRFD:00AAA534o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPsSetLoadImageNotifyRoutine
_VerifierPsSetLoadImageNotifyRoutine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPsTerminateSystemThread(x)
_VerifierPsTerminateSystemThread@4 proc	near ; DATA XREF: PAGEVRFD:00AAA54Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvPsTerminateSystemThread
_VerifierPsTerminateSystemThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlCreateRegistryKey(x, x)
_VerifierRtlCreateRegistryKey@8	proc near ; DATA XREF: PAGEVRFD:00AAA5ACo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlCreateRegistryKey
_VerifierRtlCreateRegistryKey@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlCreateSystemVolumeInformationFolder(x)
_VerifierRtlCreateSystemVolumeInformationFolder@4 proc near ; DATA XREF: PAGEVRFD:00AAA5C4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlCreateSystemVolumeInformationFolder
_VerifierRtlCreateSystemVolumeInformationFolder@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlDeleteRegistryValue(x, x, x)
_VerifierRtlDeleteRegistryValue@12 proc	near ; DATA XREF: PAGEVRFD:00AAA57Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlDeleteRegistryValue
_VerifierRtlDeleteRegistryValue@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlWriteRegistryValue(x, x,	x, x, x, x)
_VerifierRtlWriteRegistryValue@24 proc near ; DATA XREF: PAGEVRFD:00AAA594o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlWriteRegistryValue
_VerifierRtlWriteRegistryValue@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierSeAccessCheck(x, x,	x, x, x, x, x, x, x, x)
_VerifierSeAccessCheck@40 proc near	; DATA XREF: PAGEVRFD:00AAA6FCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvSeAccessCheck
_VerifierSeAccessCheck@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierSeAssignSecurity(x,	x, x, x, x, x, x)
_VerifierSeAssignSecurity@28 proc near	; DATA XREF: PAGEVRFD:00AAA714o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvSeAssignSecurity
_VerifierSeAssignSecurity@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierSeAssignSecurityEx(x, x, x,	x, x, x, x, x, x)
_VerifierSeAssignSecurityEx@36 proc near ; DATA	XREF: PAGEVRFD:00AAA72Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvSeAssignSecurityEx
_VerifierSeAssignSecurityEx@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierSeDeassignSecurity(x)
_VerifierSeDeassignSecurity@4 proc near	; DATA XREF: PAGEVRFD:00AAA744o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvSeDeassignSecurity
_VerifierSeDeassignSecurity@4 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierSeLockSubjectContext(x). PRESS KEYPAD "+"	TO EXPAND]

;  S U B	R O U T	I N E 


; __stdcall VerifierSeReleaseSubjectContext(x)
_VerifierSeReleaseSubjectContext@4 proc	near ; DATA XREF: PAGEVRFD:00AAA774o
		jmp	ds:_pXdvSeReleaseSubjectContext
_VerifierSeReleaseSubjectContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierSeSinglePrivilegeCheck(x, x, x)
_VerifierSeSinglePrivilegeCheck@12 proc	near ; DATA XREF: PAGEVRFD:00AAA78Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvSeSinglePrivilegeCheck
		pop	ebp
		retn	0Ch
_VerifierSeSinglePrivilegeCheck@12 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierSeUnlockSubjectContext(x). PRESS KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierSeValidSecurityDescriptor(x, x)
_VerifierSeValidSecurityDescriptor@8 proc near ; DATA XREF: PAGEVRFD:00AAA7BCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvSeValidSecurityDescriptor
_VerifierSeValidSecurityDescriptor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwAllocateLocallyUniqueId(x)
_VerifierZwAllocateLocallyUniqueId@4 proc near ; DATA XREF: PAGEVRFD:00AAA7D4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwAllocateLocallyUniqueId
_VerifierZwAllocateLocallyUniqueId@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwClose(x)
_VerifierZwClose@4 proc	near		; DATA XREF: PAGEVRFD:00AAA7ECo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwClose
_VerifierZwClose@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwCommitComplete(x,	x)
_VerifierZwCommitComplete@8 proc near	; DATA XREF: PAGEVRFD:00AAA804o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwCommitComplete
_VerifierZwCommitComplete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwCommitTransaction(x, x)
_VerifierZwCommitTransaction@8 proc near ; DATA	XREF: PAGEVRFD:00AAA81Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwCommitTransaction
_VerifierZwCommitTransaction@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwCreateKeyTransacted(x, x,	x, x, x, x, x, x)
_VerifierZwCreateKeyTransacted@32 proc near ; DATA XREF: PAGEVRFD:00AAA834o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwCreateKeyTransacted
_VerifierZwCreateKeyTransacted@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwCreateResourceManager(x, x, x, x,	x, x, x)
_VerifierZwCreateResourceManager@28 proc near ;	DATA XREF: PAGEVRFD:00AAA84Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwCreateResourceManager
_VerifierZwCreateResourceManager@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwDeleteKey(x)
_VerifierZwDeleteKey@4 proc near	; DATA XREF: PAGEVRFD:00AAA864o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwDeleteKey
_VerifierZwDeleteKey@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwEnumerateTransactionObject(x, x, x, x, x)
_VerifierZwEnumerateTransactionObject@20 proc near ; DATA XREF:	PAGEVRFD:00AAA87Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwEnumerateTransactionObject
_VerifierZwEnumerateTransactionObject@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwFlushBuffersFile(x, x)
_VerifierZwFlushBuffersFile@8 proc near	; DATA XREF: PAGEVRFD:00AAA894o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwFlushBuffersFile
_VerifierZwFlushBuffersFile@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwFlushBuffersFileEx(x, x, x, x, x)
_VerifierZwFlushBuffersFileEx@20 proc near ; DATA XREF:	PAGEVRFD:00AAA8ACo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwFlushBuffersFileEx
_VerifierZwFlushBuffersFileEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwGetNotificationResourceManager(x,	x, x, x, x, x, x)
_VerifierZwGetNotificationResourceManager@28 proc near ; DATA XREF: PAGEVRFD:00AAA8DCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwGetNotificationResourceManager
_VerifierZwGetNotificationResourceManager@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwLockFile(x, x, x,	x, x, x, x, x, x, x)
_VerifierZwLockFile@40 proc near	; DATA XREF: PAGEVRFD:00AAA8F4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwLockFile
_VerifierZwLockFile@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwMakeTemporaryObject(x)
_VerifierZwMakeTemporaryObject@4 proc near ; DATA XREF:	PAGEVRFD:00AAA90Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwMakeTemporaryObject
_VerifierZwMakeTemporaryObject@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwOpenKeyEx(x, x, x, x)
_VerifierZwOpenKeyEx@16	proc near	; DATA XREF: PAGEVRFD:00AAA924o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwOpenKeyEx
_VerifierZwOpenKeyEx@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwOpenKeyTransacted(x, x, x, x)
_VerifierZwOpenKeyTransacted@16	proc near ; DATA XREF: PAGEVRFD:00AAA93Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwOpenKeyTransacted
_VerifierZwOpenKeyTransacted@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwOpenKeyTransactedEx(x, x,	x, x, x)
_VerifierZwOpenKeyTransactedEx@20 proc near ; DATA XREF: PAGEVRFD:00AAA954o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwOpenKeyTransactedEx
_VerifierZwOpenKeyTransactedEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwOpenResourceManager(x, x,	x, x, x)
_VerifierZwOpenResourceManager@20 proc near ; DATA XREF: PAGEVRFD:00AAA96Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwOpenResourceManager
_VerifierZwOpenResourceManager@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwPrePrepareComplete(x, x)
_VerifierZwPrePrepareComplete@8	proc near ; DATA XREF: PAGEVRFD:00AAA984o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwPrePrepareComplete
_VerifierZwPrePrepareComplete@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwQueryInformationResourceManager(x, x, x, x, x)
_VerifierZwQueryInformationResourceManager@20 proc near	; DATA XREF: PAGEVRFD:00AAA99Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwQueryInformationResourceManager
_VerifierZwQueryInformationResourceManager@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwQueryQuotaInformationFile(x, x, x, x, x, x, x, x,	x)
_VerifierZwQueryQuotaInformationFile@36	proc near ; DATA XREF: PAGEVRFD:00AAA9B4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwQueryQuotaInformationFile
_VerifierZwQueryQuotaInformationFile@36	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwReadOnlyEnlistment(x, x)
_VerifierZwReadOnlyEnlistment@8	proc near ; DATA XREF: PAGEVRFD:00AAA9CCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwReadOnlyEnlistment
_VerifierZwReadOnlyEnlistment@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwRecoverEnlistment(x, x)
_VerifierZwRecoverEnlistment@8 proc near ; DATA	XREF: PAGEVRFD:00AAA9E4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwRecoverEnlistment
_VerifierZwRecoverEnlistment@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwRecoverTransactionManager(x)
_VerifierZwRecoverTransactionManager@4 proc near ; DATA	XREF: PAGEVRFD:00AAA9FCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwRecoverTransactionManager
_VerifierZwRecoverTransactionManager@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwRenameKey(x, x)
_VerifierZwRenameKey@8 proc near	; DATA XREF: PAGEVRFD:00AAAA14o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwRenameKey
_VerifierZwRenameKey@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwRollbackComplete(x, x)
_VerifierZwRollbackComplete@8 proc near	; DATA XREF: PAGEVRFD:00AAAA44o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwRollbackComplete
_VerifierZwRollbackComplete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwRollbackTransaction(x, x)
_VerifierZwRollbackTransaction@8 proc near ; DATA XREF:	PAGEVRFD:00AAAA5Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwRollbackTransaction
_VerifierZwRollbackTransaction@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwSetInformationKey(x, x, x, x)
_VerifierZwSetInformationKey@16	proc near ; DATA XREF: PAGEVRFD:00AAAA2Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwSetInformationKey
_VerifierZwSetInformationKey@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwSetInformationResourceManager(x, x, x, x)
_VerifierZwSetInformationResourceManager@16 proc near ;	DATA XREF: PAGEVRFD:00AAAA74o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwSetInformationResourceManager
_VerifierZwSetInformationResourceManager@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwSetInformationToken(x, x,	x, x)
_VerifierZwSetInformationToken@16 proc near ; DATA XREF: PAGEVRFD:00AAAA8Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwSetInformationToken
_VerifierZwSetInformationToken@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwSetQuotaInformationFile(x, x, x, x)
_VerifierZwSetQuotaInformationFile@16 proc near	; DATA XREF: PAGEVRFD:00AAAAA4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwSetQuotaInformationFile
_VerifierZwSetQuotaInformationFile@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwSetTimerEx(x, x, x, x)
_VerifierZwSetTimerEx@16 proc near	; DATA XREF: PAGEVRFD:00AAAABCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwSetTimerEx
_VerifierZwSetTimerEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwTerminateProcess(x, x)
_VerifierZwTerminateProcess@8 proc near	; DATA XREF: PAGEVRFD:00AAAAD4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwTerminateProcess
_VerifierZwTerminateProcess@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwUnlockFile(x, x, x, x, x)
_VerifierZwUnlockFile@20 proc near	; DATA XREF: PAGEVRFD:00AAAAECo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwUnlockFile
_VerifierZwUnlockFile@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierZwUnmapViewOfSection(x, x)
_VerifierZwUnmapViewOfSection@8	proc near ; DATA XREF: PAGEVRFD:00AAAB04o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwUnmapViewOfSection
_VerifierZwUnmapViewOfSection@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall XdvExAllocatePoolInternal(x, x, x, x, x, x)
_XdvExAllocatePoolInternal@24 proc near	; CODE XREF: VerifierExAllocatePool2(x,x,x,x)+C5p
					; VerifierExAllocatePool3(x,x,x,x,x,x)+CBp ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	[ebp+arg_14]
		pop	ebp
		retn	18h
_XdvExAllocatePoolInternal@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VeAllocatePoolWithTagPriority(x, x,	x, x, x)
_VeAllocatePoolWithTagPriority@20 proc near ; CODE XREF: ExAllocateHeapPool+BBD22p
					; IovAllocateMdl(x,x,x,x,x,x)+38p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		push	esi
		mov	esi, eax
		mov	[esp+24h+var_4], eax
		push	edi
		mov	[esp+28h+var_18], esi
		mov	[esp+28h+var_14], eax
		call	_MmKernelVerifierEnabled@0 ; MmKernelVerifierEnabled()
		mov	ebx, [ebp+arg_0]
		mov	edi, [ebp+arg_10]
		test	eax, eax
		jz	short loc_A626AD
		test	bl, bl
		jns	short loc_A626A7
		mov	ecx, edi
		mov	[esp+28h+var_14], 1
		call	_VfTargetDriversGetVerifierData@4 ; VfTargetDriversGetVerifierData(x)
		mov	esi, eax
		mov	[esp+28h+var_18], esi
		test	esi, esi
		jnz	short loc_A626AD
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	ebx
		call	ExAllocatePoolWithTagPriority
		jmp	loc_A62904
; 

loc_A626A7:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+2Fj
		or	ebx, 80h

loc_A626AD:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+2Bj
					; VeAllocatePoolWithTagPriority(x,x,x,x,x)+48j
		push	edi
		mov	edi, [ebp+arg_4]
		lea	eax, [ebp+arg_8]
		push	eax
		mov	edx, edi
		mov	ecx, ebx
		call	_ExAllocatePoolSanityChecks@16 ; ExAllocatePoolSanityChecks(x,x,x,x)
		and	[esp+28h+var_8], 0
		xor	eax, eax
		inc	eax
		test	edi, edi
		jnz	short loc_A626D8
		cmp	_VfVerifyMode, eax
		ja	short loc_A626D8
		mov	[esp+28h+var_8], eax
		mov	edi, eax

loc_A626D8:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+7Fj
					; VeAllocatePoolWithTagPriority(x,x,x,x,x)+87j
		mov	[esp+28h+var_10], edi
		lock inc dword_6C6E50
		test	bl, 2
		jnz	short loc_A6272E
		test	byte ptr _MmVerifierData, 4
		jz	short loc_A62759
		cmp	[esp+28h+var_14], 0
		jnz	short loc_A6270A
		mov	ecx, [ebp+arg_10]
		mov	[esp+28h+var_14], eax
		call	_VfTargetDriversGetVerifierData@4 ; VfTargetDriversGetVerifierData(x)
		mov	esi, eax
		mov	[esp+28h+var_18], esi

loc_A6270A:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+ADj
		test	esi, esi
		jz	short loc_A62759
		mov	ecx, [ebp+arg_8]
		and	ecx, 7FFFFFFFh
		call	_VfFaultsInjectPoolAllocationFailure@4 ; VfFaultsInjectPoolAllocationFailure(x)
		test	eax, eax
		jz	short loc_A62759
		mov	edx, edi
		xor	ecx, ecx
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		jmp	loc_A6283D
; 

loc_A6272E:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+9Dj
		test	byte ptr _MmVerifierData, 8
		jz	short loc_A62759
		call	_VfFaultsIsSystemSufficientlyBooted@0 ;	VfFaultsIsSystemSufficientlyBooted()
		test	eax, eax
		jz	short loc_A62759
		push	[ebp+arg_8]
		mov	edx, 9Ah
		mov	eax, ebx
		push	edi
		and	eax, 0FFFFFF7Fh
		push	eax
		lea	ecx, [edx+28h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A62759:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+A6j
					; VeAllocatePoolWithTagPriority(x,x,x,x,x)+C3j	...
		test	byte ptr _VfRuleClasses, 1
		mov	ecx, [ebp+arg_C]
		mov	[esp+28h+var_C], ecx
		jnz	short loc_A62772
		test	byte ptr ds:_VfDifSetting, 1
		jz	short loc_A6278C

loc_A62772:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+11Ej
		test	cl, 9
		jnz	short loc_A6278C
		cmp	ds:_MmSpecialPoolCatchOverruns,	1
		jnz	short loc_A62785
		or	ecx, 8
		jmp	short loc_A62788
; 

loc_A62785:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+135j
		or	ecx, 9

loc_A62788:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+13Aj
		mov	[esp+28h+var_C], ecx

loc_A6278C:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+127j
					; VeAllocatePoolWithTagPriority(x,x,x,x,x)+12Cj
		xor	esi, esi
		test	byte ptr _MmVerifierData, 8
		jz	short loc_A627EF
		test	bl, 20h
		jnz	short loc_A627EF
		cmp	[esp+28h+var_14], esi
		jnz	short loc_A627B0
		mov	ecx, [ebp+arg_10]
		call	_VfTargetDriversGetVerifierData@4 ; VfTargetDriversGetVerifierData(x)
		mov	[esp+28h+var_18], eax
		jmp	short loc_A627B4
; 

loc_A627B0:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+157j
		mov	eax, [esp+28h+var_18]

loc_A627B4:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+165j
		test	eax, eax
		jz	short loc_A627C3
		lea	ecx, [edi+4]
		mov	[esp+28h+var_14], ecx
		cmp	ecx, edi
		ja	short loc_A627CB

loc_A627C3:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+16Dj
		inc	dword_6C6E78
		jmp	short loc_A627EF
; 

loc_A627CB:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+178j
		lea	ecx, [eax+28h]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A627E8
		mov	ecx, [esp+28h+var_18]
		call	_ViGrowPoolAllocation@4	; ViGrowPoolAllocation(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A627EF

loc_A627E8:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+18Ej
		mov	edi, [esp+28h+var_14]
		or	ebx, 40h

loc_A627EF:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+14Cj
					; VeAllocatePoolWithTagPriority(x,x,x,x,x)+151j ...
		push	[esp+28h+var_C]
		push	[ebp+arg_8]
		push	edi
		push	ebx
		call	ExAllocatePoolWithTagPriority
		mov	[esp+28h+var_C], eax
		test	eax, eax
		jnz	short loc_A62853
		inc	dword_6C6E68
		test	_MmVerifierData, 1000h
		jz	short loc_A62822
		mov	ecx, [ebp+arg_10]
		push	64h
		pop	edx
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A62822:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+1CCj
		mov	edx, edi
		xor	ecx, ecx
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		test	esi, esi
		jz	short loc_A6283D
		mov	ecx, [esp+28h+var_18]
		mov	edx, esi
		lea	ecx, [ecx+28h]
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)

loc_A6283D:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+E0j
					; VeAllocatePoolWithTagPriority(x,x,x,x,x)+1E4j
		test	bl, 10h
		jz	short loc_A6284C
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_A6284C:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+1F7j
		xor	eax, eax
		jmp	loc_A62904
; 

loc_A62853:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+1BAj
		cmp	[esp+28h+var_8], 0
		jz	short loc_A62867
		mov	edx, [ebp+arg_10]
		push	eax
		call	_VfBugcheckLogWorkaround@12 ; VfBugcheckLogWorkaround(x,x,x)
		mov	eax, [esp+28h+var_C]

loc_A62867:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+20Fj
		lock inc dword_6C6E54
		mov	ecx, eax
		call	_ExIsSpecialPoolAddress@4 ; ExIsSpecialPoolAddress(x)
		cmp	eax, 1
		jnz	short loc_A6288A
		xor	ecx, ecx
		inc	ecx
		mov	[esp+28h+var_4], ecx
		lock inc dword_6C6E58
		jmp	short loc_A6289B
; 

loc_A6288A:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+22Fj
		cmp	edi, 0FF0h
		jbe	short loc_A62899
		lock inc dword_6C6E58

loc_A62899:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+247j
		xor	ecx, ecx

loc_A6289B:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+23Fj
		test	esi, esi
		jz	short loc_A628CB
		mov	eax, ecx
		or	eax, [esp+28h+var_C]
		mov	[esi], eax
		mov	eax, [ebp+arg_10]
		mov	[esi+4], eax
		test	ecx, ecx
		jz	short loc_A628B5
		mov	edi, [esp+28h+var_10]

loc_A628B5:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+266j
		mov	eax, [ebp+arg_8]
		mov	edx, ebx
		mov	ecx, esi
		mov	[esi+8], edi
		mov	[esi+0Ch], eax
		call	_ViPostPoolAllocation@8	; ViPostPoolAllocation(x,x)
		mov	edi, eax
		jmp	short loc_A628CF
; 

loc_A628CB:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+254j
		mov	edi, [esp+28h+var_C]

loc_A628CF:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+280j
		mov	edx, [esp+28h+var_10]
		mov	ecx, edi
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		test	esi, esi
		jz	short loc_A62902
		cmp	[esp+28h+var_4], 0
		jnz	short loc_A62902
		test	ebx, 400h
		jnz	short loc_A62902
		mov	eax, [esp+28h+var_10]
		test	bl, 8
		jz	short loc_A628F9
		sub	eax, 4

loc_A628F9:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+2ABj
		mov	edx, eax
		mov	ecx, edi
		call	_VfFillAllocatedMemory@8 ; VfFillAllocatedMemory(x,x)

loc_A62902:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+293j
					; VeAllocatePoolWithTagPriority(x,x,x,x,x)+29Aj ...
		mov	eax, edi

loc_A62904:				; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+59j
					; VeAllocatePoolWithTagPriority(x,x,x,x,x)+205j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	14h
_VeAllocatePoolWithTagPriority@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAllocatePool2(x, x, x, x)
_VerifierExAllocatePool2@16 proc near	; DATA XREF: PAGEVRFD:00AAAB64o

var_6		= dword	ptr -6
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esp+14h+var_6]
		push	edi
		push	eax
		lea	eax, [esp+1Ch+var_6+1]
		xor	ebx, ebx
		push	eax
		push	[ebp+arg_4]
		lea	edx, [esp+24h+var_6+2]
		mov	[esp+24h+var_6+2], ebx
		push	esi
		xor	ecx, ecx
		call	ExpPoolFlagsToPoolType
		test	eax, eax
		jns	short loc_A62959

loc_A62941:				; CODE XREF: VerifierExAllocatePool2(x,x,x,x)+6Aj
					; VerifierExAllocatePool2(x,x,x,x)+79j
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	_ExAllocatePool2@16 ; ExAllocatePool2(x,x,x,x)

loc_A62950:				; CODE XREF: VerifierExAllocatePool2(x,x,x,x)+CDj
					; VerifierExAllocatePool2(x,x,x,x)+D8j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_A62959:				; CODE XREF: VerifierExAllocatePool2(x,x,x,x)+32j
		mov	eax, _MmVerifierData
		test	eax, 400000h
		jz	short loc_A62988
		test	byte ptr dword_6FDE00, 8
		jnz	short loc_A62988
		test	al, 1
		jnz	short loc_A62988
		test	eax, 2000000h
		jz	short loc_A62941
		mov	edx, [ebp+4]
		mov	ecx, [esp+18h+var_6+2]
		push	ebx
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)
		jmp	short loc_A62941
; 

loc_A62988:				; CODE XREF: VerifierExAllocatePool2(x,x,x,x)+56j
					; VerifierExAllocatePool2(x,x,x,x)+5Fj	...
		mov	edi, [esp+18h+var_6+2]
		mov	edx, [ebp+4]
		and	edi, 0FFFFFFE7h
		mov	[esp+18h+var_6+2], edi
		mov	ecx, [esp+18h+var_6+2]
		push	ebx
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)
		or	edi, 80h
		cmp	ds:_XdvEnabled,	ebx
		jnz	short loc_A629C1
		push	dword ptr [ebp+4]
		push	20h
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	edi
		call	_VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		jmp	short loc_A629D8
; 

loc_A629C1:				; CODE XREF: VerifierExAllocatePool2(x,x,x,x)+9Fj
		push	offset _VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		push	dword ptr [ebp+4]
		push	20h
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	edi
		call	ds:_pXdvExAllocatePool2	; XdvExAllocatePoolInternal(x,x,x,x,x,x)

loc_A629D8:				; CODE XREF: VerifierExAllocatePool2(x,x,x,x)+B2j
		test	eax, eax
		jnz	loc_A62950
		and	esi, 20h
		or	esi, ebx
		jz	loc_A62950
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger
_VerifierExAllocatePool2@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAllocatePool3(x, x, x, x,	x, x)
_VerifierExAllocatePool3@24 proc near	; DATA XREF: PAGEVRFD:00AAAB7Co

var_6		= dword	ptr -6
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		lea	eax, [esp+14h+var_6]
		push	edi
		push	eax
		lea	eax, [esp+1Ch+var_6+1]
		xor	ebx, ebx
		push	eax
		push	[ebp+arg_4]
		lea	edx, [esp+24h+var_6+2]
		mov	[esp+24h+var_6+2], ebx
		push	esi
		xor	ecx, ecx
		call	ExpPoolFlagsToPoolType
		test	eax, eax
		jns	short loc_A62A48

loc_A62A2A:				; CODE XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+70j
					; VerifierExAllocatePool3(x,x,x,x,x,x)+7Fj
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	_ExAllocatePool3@24 ; ExAllocatePool3(x,x,x,x,x,x)

loc_A62A3F:				; CODE XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+D3j
					; VerifierExAllocatePool3(x,x,x,x,x,x)+DEj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	18h
; 

loc_A62A48:				; CODE XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+32j
		mov	eax, _MmVerifierData
		test	eax, 400000h
		jz	short loc_A62A77
		test	byte ptr dword_6FDE00, 8
		jnz	short loc_A62A77
		test	al, 1
		jnz	short loc_A62A77
		test	eax, 2000000h
		jz	short loc_A62A2A
		mov	edx, [ebp+4]
		mov	ecx, [esp+18h+var_6+2]
		push	ebx
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)
		jmp	short loc_A62A2A
; 

loc_A62A77:				; CODE XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+5Cj
					; VerifierExAllocatePool3(x,x,x,x,x,x)+65j ...
		mov	edi, [esp+18h+var_6+2]
		mov	edx, [ebp+4]
		and	edi, 0FFFFFFE7h
		mov	[esp+18h+var_6+2], edi
		mov	ecx, [esp+18h+var_6+2]
		push	ebx
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)
		or	edi, 80h
		cmp	ds:_XdvEnabled,	ebx
		jnz	short loc_A62AB0
		push	dword ptr [ebp+4]
		push	20h
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	edi
		call	_VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		jmp	short loc_A62AC7
; 

loc_A62AB0:				; CODE XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+A5j
		push	offset _VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		push	dword ptr [ebp+4]
		push	20h
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	edi
		call	ds:_pXdvExAllocatePool3	; XdvExAllocatePoolInternal(x,x,x,x,x,x)

loc_A62AC7:				; CODE XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+B8j
		test	eax, eax
		jnz	loc_A62A3F
		and	esi, 20h
		or	esi, ebx
		jz	loc_A62A3F
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

; __stdcall VerifierExAllocatePool(x, x)
_VerifierExAllocatePool@8:		; DATA XREF: PAGEVRFD:00AAAB4Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _MmVerifierData
		test	eax, 400000h
		jz	short loc_A62B1D
		test	byte ptr dword_6FDE00, 8
		jnz	short loc_A62B1D
		test	al, 1
		jnz	short loc_A62B1D
		test	eax, 2000000h
		jz	short loc_A62B17
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)

loc_A62B17:				; CODE XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+112j
		pop	ebp
		jmp	_ExAllocatePool@8 ; ExAllocatePool(x,x)
; 

loc_A62B1D:				; CODE XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+FEj
					; VerifierExAllocatePool3(x,x,x,x,x,x)+107j ...
		mov	edx, [ebp+4]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	0
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)
		inc	dword_6C6E5C
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		jz	short loc_A62B4A
		push	60h
		pop	edx
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A62B4A:				; CODE XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+14Aj
		or	esi, 80h
		cmp	ds:_XdvEnabled,	0
		jnz	short loc_A62B6E
		push	dword ptr [ebp+4]
		push	20h
		push	70617257h
		push	[ebp+arg_4]
		push	esi
		call	_VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		jmp	short loc_A62B87
; 

loc_A62B6E:				; CODE XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+161j
		push	offset _VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		push	dword ptr [ebp+4]
		push	20h
		push	70617257h
		push	[ebp+arg_4]
		push	esi
		call	ds:_pXdvExAllocatePool ; XdvExAllocatePoolInternal(x,x,x,x,x,x)

loc_A62B87:				; CODE XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+176j
		pop	esi
		pop	ebp
		retn	8
_VerifierExAllocatePool3@24 endp ; sp =	-20h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAllocatePoolEx(x,	x, x, x)
_VerifierExAllocatePoolEx@16 proc near	; DATA XREF: ViLookasideTrackListEx(x,x)+16o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _MmVerifierData
		test	eax, 400000h
		jz	short loc_A62BBB
		test	al, 1
		jnz	short loc_A62BBB
		test	eax, 2000000h
		jz	short loc_A62BB5
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)

loc_A62BB5:				; CODE XREF: VerifierExAllocatePoolEx(x,x,x,x)+1Aj
		pop	ebp
		jmp	_ExAllocatePoolEx@16 ; ExAllocatePoolEx(x,x,x,x)
; 

loc_A62BBB:				; CODE XREF: VerifierExAllocatePoolEx(x,x,x,x)+Fj
					; VerifierExAllocatePoolEx(x,x,x,x)+13j
		mov	edx, [ebp+4]
		push	esi
		push	[ebp+arg_8]
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)
		push	offset _VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		push	dword ptr [ebp+4]
		or	esi, 80h
		push	20h
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	ds:_pXdvExAllocatePoolWithTagPriority ;	XdvExAllocatePoolInternal(x,x,x,x,x,x)
		pop	esi
		pop	ebp
		retn	10h
_VerifierExAllocatePoolEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAllocatePoolWithQuota(x, x)
_VerifierExAllocatePoolWithQuota@8 proc	near ; DATA XREF: PAGEVRFD:00AAAB94o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _MmVerifierData
		test	eax, 400000h
		jz	short loc_A62C26
		test	byte ptr dword_6FDE00, 8
		jnz	short loc_A62C26
		test	al, 1
		jnz	short loc_A62C26
		test	eax, 2000000h
		jz	short loc_A62C20
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)

loc_A62C20:				; CODE XREF: VerifierExAllocatePoolWithQuota(x,x)+23j
		pop	ebp
		jmp	_ExAllocatePoolWithQuota@8 ; ExAllocatePoolWithQuota(x,x)
; 

loc_A62C26:				; CODE XREF: VerifierExAllocatePoolWithQuota(x,x)+Fj
					; VerifierExAllocatePoolWithQuota(x,x)+18j ...
		mov	edx, [ebp+4]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		xor	edi, edi
		push	edi
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)
		inc	dword_6C6E5C
		test	byte ptr _MmVerifierData, 8
		jz	short loc_A62C85
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	eax, ds:_PsIdleProcess
		jnz	short loc_A62C6B
		push	edi
		mov	edx, 10Ah
		push	edi
		push	edi
		lea	ecx, [edx-46h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A62C6B:				; CODE XREF: VerifierExAllocatePoolWithQuota(x,x)+6Bj
		mov	al, large fs:235Ch
		test	al, 1
		jz	short loc_A62C85
		push	edi
		mov	edx, 10Bh
		push	edi
		push	edi
		lea	ecx, [edx-47h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A62C85:				; CODE XREF: VerifierExAllocatePoolWithQuota(x,x)+57j
					; VerifierExAllocatePoolWithQuota(x,x)+85j
		mov	edi, esi
		and	edi, 8
		jz	short loc_A62C8F
		and	esi, 0FFFFFFF7h

loc_A62C8F:				; CODE XREF: VerifierExAllocatePoolWithQuota(x,x)+9Cj
		or	esi, 80h
		cmp	ds:_XdvEnabled,	0
		jnz	short loc_A62CB3
		push	dword ptr [ebp+4]
		push	20h
		push	70617257h
		push	[ebp+arg_4]
		push	esi
		call	_VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		jmp	short loc_A62CCC
; 

loc_A62CB3:				; CODE XREF: VerifierExAllocatePoolWithQuota(x,x)+AEj
		push	offset _VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		push	dword ptr [ebp+4]
		push	20h
		push	70617257h
		push	[ebp+arg_4]
		push	esi
		call	ds:_pXdvExAllocatePoolWithTagPriority ;	XdvExAllocatePoolInternal(x,x,x,x,x,x)

loc_A62CCC:				; CODE XREF: VerifierExAllocatePoolWithQuota(x,x)+C3j
		test	eax, eax
		jnz	short loc_A62CDE
		test	edi, edi
		jnz	short loc_A62CDE
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_A62CDE:				; CODE XREF: VerifierExAllocatePoolWithQuota(x,x)+E0j
					; VerifierExAllocatePoolWithQuota(x,x)+E4j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_VerifierExAllocatePoolWithQuota@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAllocatePoolWithQuotaTag(x, x, x)
_VerifierExAllocatePoolWithQuotaTag@12 proc near ; DATA	XREF: ViLookasideTrackList(x,x)+27o
					; PAGEVRFD:00AAABACo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _MmVerifierData
		test	eax, 400000h
		jz	short loc_A62D1C
		test	byte ptr dword_6FDE00, 8
		jnz	short loc_A62D1C
		test	al, 1
		jnz	short loc_A62D1C
		test	eax, 2000000h
		jz	short loc_A62D16
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)

loc_A62D16:				; CODE XREF: VerifierExAllocatePoolWithQuotaTag(x,x,x)+23j
		pop	ebp
		jmp	ExAllocatePoolWithQuotaTag
; 

loc_A62D1C:				; CODE XREF: VerifierExAllocatePoolWithQuotaTag(x,x,x)+Fj
					; VerifierExAllocatePoolWithQuotaTag(x,x,x)+18j ...
		mov	edx, [ebp+4]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	edi
		push	[ebp+arg_8]
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)
		test	byte ptr _MmVerifierData, 8
		jz	short loc_A62D77
		mov	eax, large fs:124h
		xor	edi, edi
		mov	eax, [eax+80h]
		cmp	eax, ds:_PsIdleProcess
		jnz	short loc_A62D5D
		push	edi
		mov	edx, 10Ah
		push	edi
		push	edi
		lea	ecx, [edx-46h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A62D5D:				; CODE XREF: VerifierExAllocatePoolWithQuotaTag(x,x,x)+67j
		mov	al, large fs:235Ch
		test	al, 1
		jz	short loc_A62D77
		push	edi
		mov	edx, 10Bh
		push	edi
		push	edi
		lea	ecx, [edx-47h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A62D77:				; CODE XREF: VerifierExAllocatePoolWithQuotaTag(x,x,x)+51j
					; VerifierExAllocatePoolWithQuotaTag(x,x,x)+81j
		mov	edi, esi
		and	edi, 8
		jz	short loc_A62D81
		and	esi, 0FFFFFFF7h

loc_A62D81:				; CODE XREF: VerifierExAllocatePoolWithQuotaTag(x,x,x)+98j
		or	esi, 80h
		cmp	ds:_XdvEnabled,	0
		jnz	short loc_A62DA3
		push	dword ptr [ebp+4]
		push	20h
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	_VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		jmp	short loc_A62DBA
; 

loc_A62DA3:				; CODE XREF: VerifierExAllocatePoolWithQuotaTag(x,x,x)+AAj
		push	offset _VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		push	dword ptr [ebp+4]
		push	20h
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	ds:_pXdvExAllocatePoolWithQuotaTag ; XdvExAllocatePoolInternal(x,x,x,x,x,x)

loc_A62DBA:				; CODE XREF: VerifierExAllocatePoolWithQuotaTag(x,x,x)+BDj
		test	eax, eax
		jnz	short loc_A62DCC
		test	edi, edi
		jnz	short loc_A62DCC
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_A62DCC:				; CODE XREF: VerifierExAllocatePoolWithQuotaTag(x,x,x)+D8j
					; VerifierExAllocatePoolWithQuotaTag(x,x,x)+DCj
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_VerifierExAllocatePoolWithQuotaTag@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAllocatePoolWithTag(x, x,	x)
_VerifierExAllocatePoolWithTag@12 proc near ; DATA XREF: ViLookasideTrackList(x,x)+17o
					; PAGEVRFD:00AAABC4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _MmVerifierData
		test	eax, 400000h
		jz	short loc_A62E0A
		test	byte ptr dword_6FDE00, 8
		jnz	short loc_A62E0A
		test	al, 1
		jnz	short loc_A62E0A
		test	eax, 2000000h
		jz	short loc_A62E04
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)

loc_A62E04:				; CODE XREF: VerifierExAllocatePoolWithTag(x,x,x)+23j
		pop	ebp
		jmp	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
; 

loc_A62E0A:				; CODE XREF: VerifierExAllocatePoolWithTag(x,x,x)+Fj
					; VerifierExAllocatePoolWithTag(x,x,x)+18j ...
		mov	edx, [ebp+4]
		push	esi
		push	[ebp+arg_8]
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)
		or	esi, 80h
		cmp	ds:_XdvEnabled,	0
		jnz	short loc_A62E3D
		push	dword ptr [ebp+4]
		push	20h
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	_VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		jmp	short loc_A62E54
; 

loc_A62E3D:				; CODE XREF: VerifierExAllocatePoolWithTag(x,x,x)+56j
		push	offset _VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		push	dword ptr [ebp+4]
		push	20h
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	ds:_pXdvExAllocatePoolWithTag ;	XdvExAllocatePoolInternal(x,x,x,x,x,x)

loc_A62E54:				; CODE XREF: VerifierExAllocatePoolWithTag(x,x,x)+69j
		pop	esi
		pop	ebp
		retn	0Ch
_VerifierExAllocatePoolWithTag@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAllocatePoolWithTagPriority(x, x,	x, x)
_VerifierExAllocatePoolWithTagPriority@16 proc near ; DATA XREF: PAGEVRFD:00AAABDCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _MmVerifierData
		test	eax, 400000h
		jz	short loc_A62E91
		test	byte ptr dword_6FDE00, 8
		jnz	short loc_A62E91
		test	al, 1
		jnz	short loc_A62E91
		test	eax, 2000000h
		jz	short loc_A62E8B
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)

loc_A62E8B:				; CODE XREF: VerifierExAllocatePoolWithTagPriority(x,x,x,x)+23j
		pop	ebp
		jmp	ExAllocatePoolWithTagPriority
; 

loc_A62E91:				; CODE XREF: VerifierExAllocatePoolWithTagPriority(x,x,x,x)+Fj
					; VerifierExAllocatePoolWithTagPriority(x,x,x,x)+18j ...
		mov	edx, [ebp+4]
		push	esi
		push	[ebp+arg_8]
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)
		or	esi, 80h
		cmp	ds:_XdvEnabled,	0
		jnz	short loc_A62EC5
		push	dword ptr [ebp+4]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	_VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		jmp	short loc_A62EDD
; 

loc_A62EC5:				; CODE XREF: VerifierExAllocatePoolWithTagPriority(x,x,x,x)+56j
		push	offset _VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		push	dword ptr [ebp+4]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	ds:_pXdvExAllocatePoolWithTagPriority ;	XdvExAllocatePoolInternal(x,x,x,x,x,x)

loc_A62EDD:				; CODE XREF: VerifierExAllocatePoolWithTagPriority(x,x,x,x)+6Aj
		pop	esi
		pop	ebp
		retn	10h
_VerifierExAllocatePoolWithTagPriority@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExFreePool(x)
_VerifierExFreePool@4 proc near		; CODE XREF: VerifierExFreePoolEx(x,x)+8p
					; DATA XREF: ViLookasideTrackList(x,x):loc_A6BC04o ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	_MmKernelVerifierEnabled@0 ; MmKernelVerifierEnabled()
		mov	esi, [ebp+arg_0]
		test	eax, eax
		jnz	short loc_A62F26
		xor	edx, edx
		mov	ecx, esi
		call	_VfFreePoolNotification@8 ; VfFreePoolNotification(x,x)
		mov	ecx, esi
		call	_VfIrpDatabaseCheckExFreePool@4	; VfIrpDatabaseCheckExFreePool(x)
		call	_MmKernelVerifierEnabled@0 ; MmKernelVerifierEnabled()
		test	eax, eax
		jnz	short loc_A62F26
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A62F1D
		mov	ecx, esi
		call	_ExFreePoolSanityChecks@4 ; ExFreePoolSanityChecks(x)

loc_A62F1D:				; CODE XREF: VerifierExFreePool(x)+32j
		push	esi
		call	ds:_pXdvExFreePool
		jmp	short loc_A62F2E
; 

loc_A62F26:				; CODE XREF: VerifierExFreePool(x)+10j
					; VerifierExFreePool(x)+29j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A62F2E:				; CODE XREF: VerifierExFreePool(x)+42j
		pop	esi
		pop	ebp
		retn	4
_VerifierExFreePool@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExFreePoolEx(x, x)
_VerifierExFreePoolEx@8	proc near	; DATA XREF: ViLookasideTrackListEx(x,x)+1Do

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	_VerifierExFreePool@4 ;	VerifierExFreePool(x)
		pop	ebp
		retn	8
_VerifierExFreePoolEx@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExFreePoolWithTag(x, x)
_VerifierExFreePoolWithTag@8 proc near	; DATA XREF: PAGEVRFD:00AAAC0Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		mov	ecx, esi
		call	_VfFreePoolNotification@8 ; VfFreePoolNotification(x,x)
		mov	ecx, esi
		call	_VfIrpDatabaseCheckExFreePool@4	; VfIrpDatabaseCheckExFreePool(x)
		call	_MmKernelVerifierEnabled@0 ; MmKernelVerifierEnabled()
		test	eax, eax
		jz	short loc_A62F71
		push	[ebp+arg_4]
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A62F8B
; 

loc_A62F71:				; CODE XREF: VerifierExFreePoolWithTag(x,x)+20j
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A62F81
		mov	ecx, esi
		call	_ExFreePoolSanityChecks@4 ; ExFreePoolSanityChecks(x)

loc_A62F81:				; CODE XREF: VerifierExFreePoolWithTag(x,x)+34j
		push	[ebp+arg_4]
		push	esi
		call	ds:_pXdvExFreePoolWithTag

loc_A62F8B:				; CODE XREF: VerifierExFreePoolWithTag(x,x)+2Bj
		pop	esi
		pop	ebp
		retn	8
_VerifierExFreePoolWithTag@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFreeTrackedPool(x, x, x, x)
_ViFreeTrackedPool@16 proc near		; CODE XREF: VerifierFreeTrackedPool(x,x,x,x)+30p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	esi, edi
		mov	edx, 0FFFFF000h
		and	esi, 0FFFh
		cmp	[ebp+arg_4], 1
		jnz	short loc_A62FCA
		neg	esi
		mov	eax, edi
		sbb	esi, esi
		and	eax, edx
		and	esi, 0FFFFF014h
		add	esi, 0FF4h
		add	esi, eax
		jmp	short loc_A62FF5
; 

loc_A62FCA:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+20j
		test	esi, esi
		jnz	short loc_A62FD5
		lea	esi, [ebx-4]
		add	esi, edi
		jmp	short loc_A62FF5
; 

loc_A62FD5:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+3Cj
		movzx	eax, word ptr [edi-6]
		sub	ebx, 8
		test	eax, 1000h
		jz	short loc_A62FF0
		and	eax, 1FFh
		lea	esi, [edi-10h]
		lea	esi, [esi+eax*8]
		jmp	short loc_A62FF5
; 

loc_A62FF0:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+51j
		lea	esi, [edi-4]
		add	esi, ebx

loc_A62FF5:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+38j
					; ViFreeTrackedPool(x,x,x,x)+43j ...
		mov	eax, [esi]
		mov	ecx, eax
		and	ecx, edx
		mov	[ebp+arg_4], eax
		mov	[ebp+var_8], ecx
		add	ecx, 4
		test	_MmVerifierData, 800h
		mov	[ebp+var_C], ecx
		mov	ecx, [ecx]
		mov	[ebp+var_4], ecx
		jz	loc_A630DB
		test	al, 3
		jnz	short loc_A6302E
		mov	ecx, eax
		call	MmIsAddressValidEx
		test	al, al
		jnz	short loc_A6303E
		mov	eax, [ebp+arg_4]

loc_A6302E:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+8Ej
		push	esi
		mov	edx, 13Ah
		push	eax
		push	edi
		lea	ecx, [edx-76h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6303E:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+99j
		mov	eax, [ebp+var_8]
		add	eax, 8
		cmp	dword ptr [eax], 21321345h
		jz	short loc_A6305C
		push	esi
		mov	edx, 13Bh
		push	eax
		push	edi
		lea	ecx, [edx-77h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6305C:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+BAj
		mov	eax, [ebp+var_4]
		test	al, 3
		jnz	short loc_A63072
		lea	ecx, [eax+14h]
		call	MmIsAddressValidEx
		test	al, al
		jnz	short loc_A63084
		mov	eax, [ebp+var_4]

loc_A63072:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+D1j
		push	[ebp+var_C]
		mov	edx, 13Ch
		push	eax
		push	edi
		lea	ecx, [edx-78h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A63084:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+DDj
		mov	esi, [ebp+var_4]
		mov	ecx, 98761940h
		lea	eax, [esi+14h]
		cmp	[eax], ecx
		jz	short loc_A630A3
		push	ecx
		mov	edx, 13Dh
		push	eax
		push	edi
		lea	ecx, [edx-79h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A630A3:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+101j
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		cmp	ecx, edi
		jz	short loc_A630BF
		push	eax
		mov	edx, 13Eh
		push	ecx
		push	edi
		lea	ecx, [edx-7Ah]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)
		mov	eax, [ebp+arg_4]

loc_A630BF:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+11Aj
		lea	edx, [eax+8]
		cmp	[edx], ebx
		jz	short loc_A630DE
		push	edx
		mov	edx, 13Fh
		push	ebx
		push	edi
		lea	ecx, [edx-7Bh]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)
		mov	eax, [ebp+arg_4]
		jmp	short loc_A630DE
; 

loc_A630DB:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+86j
		mov	esi, [ebp+var_4]

loc_A630DE:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+134j
					; ViFreeTrackedPool(x,x,x,x)+149j
		or	dword ptr [eax+8], 1
		lea	ecx, [esi+28h]
		mov	edx, eax
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	edx, [ebp+arg_0]
		neg	ebx
		and	edx, 1
		jz	short loc_A63104
		mov	edi, offset dword_6C6E80
		mov	[ebp+arg_4], offset unk_6C6E90
		jmp	short loc_A63110
; 

loc_A63104:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+164j
		mov	edi, offset dword_6C6E84
		mov	[ebp+arg_4], offset unk_6C6E94

loc_A63110:				; CODE XREF: ViFreeTrackedPool(x,x,x,x)+172j
		mov	eax, edx
		mov	ecx, ebx
		xor	eax, 1
		add	eax, 11h
		lea	eax, [esi+eax*4]
		lock xadd [eax], ecx
		xor	edx, 1
		lock dec dword ptr [esi+edx*4+34h]
		mov	eax, [ebp+arg_4]
		lock xadd [eax], ebx
		lock dec dword ptr [edi]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_ViFreeTrackedPool@16 endp


;  S U B	R O U T	I N E 


; __stdcall ViGrowPoolAllocation(x)
_ViGrowPoolAllocation@4	proc near	; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+194p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	20h
		push	70706556h
		push	1000h
		push	280h
		mov	ebx, ecx
		call	ExAllocatePoolWithTagPriority
		mov	esi, eax
		lea	edi, [ebx+28h]
		test	esi, esi
		jnz	short loc_A6316A
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
; 

loc_A6316A:				; CODE XREF: ViGrowPoolAllocation(x)+24j
		mov	edx, 1000h
		mov	ecx, esi
		call	_KeZeroPages	; KiZeroPages(x,x)
		lea	ecx, [ebx+20h]
		mov	[esi+4], ebx
		mov	edx, esi
		mov	dword ptr [esi+8], 21321345h
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		mov	ebx, 0FEh

loc_A63190:				; CODE XREF: ViGrowPoolAllocation(x)+6Cj
		add	esi, 10h
		mov	ecx, edi
		mov	edx, esi
		mov	dword ptr [esi+8], 1
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		sub	ebx, 1
		jnz	short loc_A63190
		pop	edi
		mov	dword ptr [esi+18h], 1
		lea	eax, [esi+10h]
		pop	esi
		pop	ebx
		retn
_ViGrowPoolAllocation@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViPostPoolAllocation(x, x)
_ViPostPoolAllocation@8	proc near	; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+279p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ecx
		mov	[ebp+var_C], edx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		mov	esi, [eax]
		inc	ebx
		mov	ecx, esi
		mov	_VerifierIsTrackingPool, bl
		and	ecx, ebx
		and	eax, 0FFFFF000h
		mov	[ebp+var_4], ecx
		mov	ecx, esi
		push	edi
		mov	edi, [eax+4]
		call	_ExpSizeHeapPool@4 ; ExpSizeHeapPool(x)
		cmp	[ebp+var_4], 0
		mov	ecx, eax
		mov	edx, [ebp+var_8]
		mov	eax, [edx+8]
		mov	[ebp+var_10], eax
		jz	short loc_A63204
		and	esi, 0FFFFFFFEh
		mov	ecx, eax
		mov	[edx], esi
		jmp	short loc_A6320E
; 

loc_A63204:				; CODE XREF: ViPostPoolAllocation(x,x)+43j
		cmp	eax, 0FF0h
		ja	short loc_A6320E
		sub	ecx, 8

loc_A6320E:				; CODE XREF: ViPostPoolAllocation(x,x)+4Cj
					; ViPostPoolAllocation(x,x)+53j
		mov	eax, esi
		and	eax, 0FFFh
		cmp	[ebp+var_4], 0
		jz	short loc_A63248
		mov	ecx, [ebp+var_10]
		test	eax, eax
		jz	short loc_A6322E
		mov	eax, esi
		and	eax, 0FFFFF000h
		lea	edx, [eax+8]
		jmp	short loc_A6323A
; 

loc_A6322E:				; CODE XREF: ViPostPoolAllocation(x,x)+6Aj
		lea	eax, [esi+0FF8h]
		lea	edx, [esi+0FF0h]

loc_A6323A:				; CODE XREF: ViPostPoolAllocation(x,x)+76j
		or	dword ptr [eax], 4000h
		mov	[ebp+var_4], edx
		mov	edx, [ebp+var_8]
		jmp	short loc_A6326B
; 

loc_A63248:				; CODE XREF: ViPostPoolAllocation(x,x)+63j
		test	eax, eax
		jz	short loc_A63263
		test	byte ptr [ebp+var_C], 8
		jz	short loc_A63263
		movzx	eax, word ptr [esi-6]
		and	eax, 1FFh
		add	eax, 0FFFFFFFEh
		lea	eax, [esi+eax*8]
		jmp	short loc_A63268
; 

loc_A63263:				; CODE XREF: ViPostPoolAllocation(x,x)+94j
					; ViPostPoolAllocation(x,x)+9Aj
		lea	eax, [ecx-4]
		add	eax, esi

loc_A63268:				; CODE XREF: ViPostPoolAllocation(x,x)+ABj
		mov	[ebp+var_4], eax

loc_A6326B:				; CODE XREF: ViPostPoolAllocation(x,x)+90j
		test	byte ptr [ebp+var_C], 1
		mov	[edx], esi
		mov	[edx+8], ecx
		mov	edx, ecx
		jz	short loc_A632CC
		lea	eax, [edi+44h]
		lock xadd [eax], edx
		add	edx, ecx
		cmp	edx, [edi+4Ch]
		jbe	short loc_A63289
		mov	[edi+4Ch], edx

loc_A63289:				; CODE XREF: ViPostPoolAllocation(x,x)+CEj
		mov	eax, ebx
		lock xadd [edi+34h], eax
		inc	eax
		cmp	eax, [edi+3Ch]
		jbe	short loc_A63299
		mov	[edi+3Ch], eax

loc_A63299:				; CODE XREF: ViPostPoolAllocation(x,x)+DEj
		mov	eax, ecx
		mov	edx, offset unk_6C6E90
		lock xadd [edx], eax
		add	eax, ecx
		cmp	eax, dword_6C6E98
		jbe	short loc_A632B3
		mov	dword_6C6E98, eax

loc_A632B3:				; CODE XREF: ViPostPoolAllocation(x,x)+F6j
		lock xadd dword_6C6E80,	ebx
		inc	ebx
		cmp	ebx, dword_6C6E88
		jbe	short loc_A6331E
		mov	dword_6C6E88, ebx
		jmp	short loc_A6331E
; 

loc_A632CC:				; CODE XREF: ViPostPoolAllocation(x,x)+C0j
		lea	eax, [edi+48h]
		lock xadd [eax], edx
		add	edx, ecx
		cmp	edx, [edi+50h]
		jbe	short loc_A632DD
		mov	[edi+50h], edx

loc_A632DD:				; CODE XREF: ViPostPoolAllocation(x,x)+122j
		mov	eax, ebx
		lock xadd [edi+38h], eax
		inc	eax
		cmp	eax, [edi+40h]
		jbe	short loc_A632ED
		mov	[edi+40h], eax

loc_A632ED:				; CODE XREF: ViPostPoolAllocation(x,x)+132j
		mov	eax, ecx
		mov	edx, offset unk_6C6E94
		lock xadd [edx], eax
		add	eax, ecx
		cmp	eax, dword_6C6E9C
		jbe	short loc_A63307
		mov	dword_6C6E9C, eax

loc_A63307:				; CODE XREF: ViPostPoolAllocation(x,x)+14Aj
		lock xadd dword_6C6E84,	ebx
		inc	ebx
		cmp	ebx, dword_6C6E8C
		jbe	short loc_A6331E
		mov	dword_6C6E8C, ebx

loc_A6331E:				; CODE XREF: ViPostPoolAllocation(x,x)+10Cj
					; ViPostPoolAllocation(x,x)+114j ...
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		pop	edi
		mov	[eax], ecx
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_ViPostPoolAllocation@8	endp


;  S U B	R O U T	I N E 


; __stdcall VfPendingCheckForChanges(x)
_VfPendingCheckForChanges@4 proc near	; CODE XREF: VfSettingsCheckForChanges(x,x,x,x)+7Ep
					; VfSettingsInit(x)+33j
		mov	edx, 200h
		test	ecx, edx
		jz	short locret_A6337F
		cmp	_VfForcedPendingLog, 0
		jnz	short locret_A6337F
		mov	eax, 100000h
		cmp	_VfForcedPendingLogLength, eax
		jbe	short loc_A63351
		mov	_VfForcedPendingLogLength, eax

loc_A63351:				; CODE XREF: VfPendingCheckForChanges(x)+1Dj
		push	esi
		mov	esi, _VfForcedPendingLogLength
		push	20h
		push	50466656h
		shl	esi, 8
		push	esi
		push	edx
		call	ExAllocatePoolWithTagPriority
		mov	_VfForcedPendingLog, eax
		test	eax, eax
		jz	short loc_A6337E
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_A6337E:				; CODE XREF: VfPendingCheckForChanges(x)+43j
		pop	esi

locret_A6337F:				; CODE XREF: VfPendingCheckForChanges(x)+7j
					; VfPendingCheckForChanges(x)+10j
		retn
_VfPendingCheckForChanges@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfPendingFinishLogging(x)
_VfPendingFinishLogging@4 proc near	; CODE XREF: IovpCallDriver1(x)+3F6p
					; IovpCompleteRequest1(x,x,x)+E0p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	0
		lea	eax, [esi+8]
		push	eax
		push	3Eh
		push	1
		call	RtlCaptureStackBackTrace
		movzx	eax, ax
		cmp	eax, 3Eh
		jnb	short loc_A633A1
		and	dword ptr [esi+eax*4+8], 0

loc_A633A1:				; CODE XREF: VfPendingFinishLogging(x)+1Aj
		pop	esi
		retn
_VfPendingFinishLogging@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfPendingInitPhase1()
_VfPendingInitPhase1@0 proc near	; CODE XREF: VfInitSystemNoRebootNeeded(x,x)+E0p
					; ViInitSystemPhase1+1A42Dp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	edi, offset _ViPendingWorkers
		xor	ebx, ebx

loc_A633BB:				; CODE XREF: VfPendingInitPhase1()+8Fj
		push	0
		push	1
		lea	eax, [edi+8]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		xor	ecx, ecx
		mov	[ebp+var_20], 18h
		push	offset _ViPendingWorkerThread@4	; ViPendingWorkerThread(x)
		push	ecx
		push	ecx
		lea	eax, [ebp+var_20]
		mov	[ebp+var_1C], ecx
		push	eax
		push	ecx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_14], 200h
		push	eax
		mov	[ebp+var_18], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A63434
		xor	ecx, ecx
		lea	eax, [ebp+var_8]
		push	ecx
		push	eax
		push	ecx
		push	ds:_PsThreadType
		mov	[ebp+var_8], ecx
		push	ecx
		push	[ebp+var_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	eax, [ebp+var_8]
		push	[ebp+var_4]
		mov	[edi], eax
		call	_ZwClose@4	; ZwClose(x)
		add	ebx, 1Ch
		inc	esi
		add	edi, 1Ch
		cmp	ebx, 0E0h
		jb	short loc_A633BB

loc_A63434:				; CODE XREF: VfPendingInitPhase1()+59j
		mov	eax, offset _ViPendingWorkersCount
		xchg	esi, [eax]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VfPendingInitPhase1@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfPendingMoreProcessingRequired(x, x, x, x,	x)
_VfPendingMoreProcessingRequired@20 proc near
					; CODE XREF: IovpLocalCompletionRoutine(x,x,x)+B1p
					; IovpLocalCompletionRoutine(x,x,x)+FEp
					; DATA XREF: ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		push	esi
		push	edi
		xor	edi, edi
		call	_VfIrpDatabaseEntryFindAndLock@4 ; VfIrpDatabaseEntryFindAndLock(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A634AE
		push	ebx
		mov	ebx, [ebp+arg_8]
		cmp	ebx, [esi+80h]
		jnz	short loc_A63473
		mov	eax, [esi+24h]
		test	eax, eax
		js	short loc_A63473
		or	eax, 80000000h
		inc	edi
		mov	[esi+24h], eax

loc_A63473:				; CODE XREF: VfPendingMoreProcessingRequired(x,x,x,x,x)+21j
					; VfPendingMoreProcessingRequired(x,x,x,x,x)+28j
		mov	ecx, esi
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)
		test	edi, edi
		jz	short loc_A634AD
		push	[ebp+arg_10]
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		push	[ebp+arg_C]
		push	ebx
		call	_ViPendingDelayCompletion@20 ; ViPendingDelayCompletion(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A634AD
		mov	ecx, esi
		call	_VfPacketAcquireLock@4 ; VfPacketAcquireLock(x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_VfIrpDatabaseEntryDereference@8 ; VfIrpDatabaseEntryDereference(x,x)
		mov	ecx, esi
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)

loc_A634AD:				; CODE XREF: VfPendingMoreProcessingRequired(x,x,x,x,x)+3Cj
					; VfPendingMoreProcessingRequired(x,x,x,x,x)+53j
		pop	ebx

loc_A634AE:				; CODE XREF: VfPendingMoreProcessingRequired(x,x,x,x,x)+15j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	14h
_VfPendingMoreProcessingRequired@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfPendingShouldForce(x, x, x, x, x,	x)
_VfPendingShouldForce@24 proc near	; CODE XREF: IovpCallDriver1(x)+6Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		test	ecx, 200h
		jz	loc_A635AD
		cmp	dl, 2
		jnb	loc_A635AD
		mov	eax, [ebp+arg_8]
		cmp	[eax+80h], ebx
		jnz	loc_A635AD
		mov	ecx, [ebp+arg_C]
		call	_VfDriverIsKernelImageAddress@4	; VfDriverIsKernelImageAddress(x)
		test	eax, eax
		jnz	loc_A635AD
		call	_VfTargetDriversIsEnabled@4 ; VfTargetDriversIsEnabled(x)
		test	eax, eax
		jz	loc_A635AD
		mov	eax, [ebp+arg_0]
		test	byte ptr [eax+8], 0C0h
		jnz	loc_A635AD
		cmp	[eax+21h], bl
		jnz	loc_A635AD
		push	64h
		push	ebx
		call	_VfRandomGetNumber@8 ; VfRandomGetNumber(x,x)
		mov	ecx, eax
		mov	eax, _ViPendingProbability
		cmp	ecx, eax
		jnb	loc_A635AD
		mov	eax, [ebp+arg_4]
		movzx	ecx, byte ptr [eax]
		cmp	ecx, 0Dh
		jnz	short loc_A6353D
		mov	eax, [eax+0Ch]
		jmp	short loc_A63541
; 

loc_A6353D:				; CODE XREF: VfPendingShouldForce(x,x,x,x,x,x)+80j
		movzx	eax, byte ptr [eax+1]

loc_A63541:				; CODE XREF: VfPendingShouldForce(x,x,x,x,x,x)+85j
		sub	ecx, 0Ch
		jz	short loc_A635A5
		sub	ecx, 1
		jz	short loc_A63566
		sub	ecx, 4
		jz	short loc_A6355F
		sub	ecx, 0Ah
		jnz	short loc_A635AA
		xor	ebx, ebx
		cmp	eax, 2

loc_A6355A:				; CODE XREF: VfPendingShouldForce(x,x,x,x,x,x)+AEj
		setnz	bl
		jmp	short loc_A635AD
; 

loc_A6355F:				; CODE XREF: VfPendingShouldForce(x,x,x,x,x,x)+98j
		xor	ebx, ebx
		cmp	eax, 1
		jmp	short loc_A6355A
; 

loc_A63566:				; CODE XREF: VfPendingShouldForce(x,x,x,x,x,x)+93j
		cmp	eax, 90000h
		jz	short loc_A635AD
		cmp	eax, 90004h
		jz	short loc_A635AD
		cmp	eax, 90008h
		jz	short loc_A635AD
		cmp	eax, 9000Ch
		jz	short loc_A635AD
		cmp	eax, 90010h
		jz	short loc_A635AD
		cmp	eax, 90014h
		jz	short loc_A635AD
		cmp	eax, 90050h
		jz	short loc_A635AD
		cmp	eax, 9005Ch
		jz	short loc_A635AD
		cmp	eax, 90240h
		jmp	short loc_A635A8
; 

loc_A635A5:				; CODE XREF: VfPendingShouldForce(x,x,x,x,x,x)+8Ej
		cmp	eax, 2

loc_A635A8:				; CODE XREF: VfPendingShouldForce(x,x,x,x,x,x)+EDj
		jz	short loc_A635AD

loc_A635AA:				; CODE XREF: VfPendingShouldForce(x,x,x,x,x,x)+9Dj
		xor	ebx, ebx
		inc	ebx

loc_A635AD:				; CODE XREF: VfPendingShouldForce(x,x,x,x,x,x)+Fj
					; VfPendingShouldForce(x,x,x,x,x,x)+18j ...
		mov	eax, ebx
		pop	ebx
		pop	ecx
		pop	ebp
		retn	10h
_VfPendingShouldForce@24 endp


;  S U B	R O U T	I N E 


; __stdcall VfPendingStartLogging(x)
_VfPendingStartLogging@4 proc near	; CODE XREF: IovpCallDriver1(x)+1B5p
					; IovpCompleteRequest1(x,x,x)+8Cp
		xor	eax, eax
		mov	edx, ecx
		cmp	_VfForcedPendingLog, eax
		jz	short locret_A635ED
		inc	eax
		lock xadd _VfForcedPendingIrps,	eax
		inc	eax
		mov	ecx, _VfForcedPendingLogLength
		dec	ecx
		and	eax, ecx
		mov	ecx, large fs:124h
		shl	eax, 8
		add	eax, _VfForcedPendingLog
		mov	[eax], edx
		and	dword ptr [eax+8], 0
		mov	[eax+4], ecx

locret_A635ED:				; CODE XREF: VfPendingStartLogging(x)+Aj
		retn
_VfPendingStartLogging@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViPendingCompleteAfterWait(x)
_ViPendingCompleteAfterWait@4 proc near	; CODE XREF: ViPendingCompleteAtDPC(x,x,x,x)+8p
					; ViPendingWorkerThread(x)+1Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	esi
		mov	esi, ecx
		push	edi
		cmp	dword ptr [esi+60h], 1
		jnz	short loc_A6360F
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esi+38h]
		push	eax
		call	KeWaitForSingleObject

loc_A6360F:				; CODE XREF: ViPendingCompleteAfterWait(x)+12j
		mov	edi, [esi]
		push	ebx
		mov	[ebp+var_8], edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+4]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	eax, [edi]
		mov	[edi+8], bl
		mov	[ebp+var_4], eax
		mov	eax, [eax+60h]
		and	dword ptr [edi+24h], 0FFFFFFEFh
		mov	edi, [edi+80h]
		mov	[ebp+var_C], eax
		test	edi, edi
		jz	short loc_A63648
		mov	edi, [edi+14h]
		test	edi, edi
		jnz	short loc_A6364A

loc_A63648:				; CODE XREF: ViPendingCompleteAfterWait(x)+51j
		xor	edi, edi

loc_A6364A:				; CODE XREF: ViPendingCompleteAfterWait(x)+58j
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		inc	edx
		call	_VfIrpDatabaseEntryDereference@8 ; VfIrpDatabaseEntryDereference(x,x)
		mov	ecx, [ebp+var_8]
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)
		mov	ecx, [ebp+var_C]
		mov	ebx, [ebp+var_4]
		mov	eax, [ecx-8]
		test	eax, eax
		jz	short loc_A6367A
		push	dword ptr [ecx-4]
		push	ebx
		push	dword ptr [esi+4]
		call	eax
		cmp	eax, 0C0000016h
		jz	short loc_A63684

loc_A6367A:				; CODE XREF: ViPendingCompleteAfterWait(x)+7Aj
		mov	dl, [esi+64h]
		mov	ecx, ebx
		call	IofCompleteRequest

loc_A63684:				; CODE XREF: ViPendingCompleteAfterWait(x)+8Aj
		pop	ebx
		test	edi, edi
		jz	short loc_A63690
		mov	ecx, edi
		call	ObfDereferenceObject

loc_A63690:				; CODE XREF: ViPendingCompleteAfterWait(x)+99j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		leave
		retn
_ViPendingCompleteAfterWait@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViPendingCompleteAtDPC(x, x, x, x)
_ViPendingCompleteAtDPC@16 proc	near	; DATA XREF: ViPendingDelayCompletion(x,x,x,x,x)+D0o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		call	_ViPendingCompleteAfterWait@4 ;	ViPendingCompleteAfterWait(x)
		pop	ebp
		retn	10h
_ViPendingCompleteAtDPC@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViPendingDelayCompletion(x,	x, x, x, x)
_ViPendingDelayCompletion@20 proc near	; CODE XREF: VfPendingMoreProcessingRequired(x,x,x,x,x)+4Ap

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		push	64707249h
		push	68h
		push	200h
		mov	ebx, edx
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_A63775
		lea	eax, [edi+38h]
		push	1
		push	eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		or	dword ptr [ebx+24h], 10h
		mov	eax, [ebp+arg_4]
		mov	[edi+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[edi+10h], eax
		mov	eax, [ebp+arg_0]
		mov	[edi], ebx
		mov	[edi+4], esi
		mov	[edi+8], eax
		mov	al, [ebx+6Dh]
		mov	[edi+64h], al
		mov	esi, [ebx+80h]
		test	esi, esi
		jz	short loc_A63711
		mov	esi, [esi+14h]
		test	esi, esi
		jnz	short loc_A63717

loc_A63711:				; CODE XREF: ViPendingDelayCompletion(x,x,x,x,x)+5Bj
		xor	esi, esi
		test	esi, esi
		jz	short loc_A6371E

loc_A63717:				; CODE XREF: ViPendingDelayCompletion(x,x,x,x,x)+62j
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)

loc_A6371E:				; CODE XREF: ViPendingDelayCompletion(x,x,x,x,x)+68j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	short loc_A6377C
		push	0FFFFFFFFh
		push	0FFFFF448h
		push	0
		push	0
		xor	edx, edx
		mov	dword ptr [edi+60h], 1
		lea	ecx, [edi+38h]
		call	KiSetTimerEx
		mov	ecx, edi
		call	_ViPendingQueuePassiveLevelCompletion@4	; ViPendingQueuePassiveLevelCompletion(x)
		mov	[ebp+arg_4], eax
		test	eax, eax
		jnz	short loc_A63775
		lea	eax, [edi+38h]
		push	eax
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [ebx+24h], 0FFFFFFEFh
		test	esi, esi
		jz	short loc_A63772
		mov	ecx, esi
		call	ObfDereferenceObject

loc_A63772:				; CODE XREF: ViPendingDelayCompletion(x,x,x,x,x)+BCj
		mov	eax, [ebp+arg_4]

loc_A63775:				; CODE XREF: ViPendingDelayCompletion(x,x,x,x,x)+21j
					; ViPendingDelayCompletion(x,x,x,x,x)+A3j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_A6377C:				; CODE XREF: ViPendingDelayCompletion(x,x,x,x,x)+79j
		push	edi
		push	offset _ViPendingCompleteAtDPC@16 ; ViPendingCompleteAtDPC(x,x,x,x)
		lea	esi, [edi+14h]
		mov	dword ptr [edi+60h], 2
		push	esi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	0FFFFFFFFh
		push	0FFFFF448h
		push	esi
		push	0
		xor	edx, edx
		lea	ecx, [edi+38h]
		call	KiSetTimerEx
		xor	eax, eax
		inc	eax
		jmp	short loc_A63775
_ViPendingDelayCompletion@20 endp


;  S U B	R O U T	I N E 


; __stdcall ViPendingQueuePassiveLevelCompletion(x)
_ViPendingQueuePassiveLevelCompletion@4	proc near
					; CODE XREF: ViPendingDelayCompletion(x,x,x,x,x)+99p
		cmp	_ViPendingWorkersCount,	0
		push	esi
		push	edi
		mov	esi, ecx
		jz	short loc_A637ED
		mov	eax, large fs:124h
		push	eax
		call	_KeQueryPriorityThread@4 ; KeQueryPriorityThread(x)
		mov	edx, large fs:124h
		mov	edi, eax
		dec	word ptr [edx+13Ch]
		nop
		mov	ecx, esi
		call	_ViPendingTryReserveWorker@4 ; ViPendingTryReserveWorker(x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_A637F2
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)

loc_A637ED:				; CODE XREF: ViPendingQueuePassiveLevelCompletion(x)+Bj
		xor	eax, eax

loc_A637EF:				; CODE XREF: ViPendingQueuePassiveLevelCompletion(x)+75j
		pop	edi
		pop	esi
		retn
; 

loc_A637F2:				; CODE XREF: ViPendingQueuePassiveLevelCompletion(x)+34j
		imul	esi, eax, 1Ch
		push	edi
		push	_ViPendingWorkers[esi]
		call	KeSetPriorityThread
		push	0
		push	0
		lea	eax, dword_6BE028[esi]
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		xor	eax, eax
		inc	eax
		jmp	short loc_A637EF
_ViPendingQueuePassiveLevelCompletion@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViPendingWorkerThread(x)
_ViPendingWorkerThread@4 proc near	; DATA XREF: VfPendingInitPhase1()+2Fo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		xor	edi, edi

loc_A6382E:				; CODE XREF: ViPendingWorkerThread(x)+27j
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [esi+8]
		push	eax
		call	KeWaitForSingleObject
		mov	ecx, [esi+4]
		inc	dword ptr [esi+18h]
		call	_ViPendingCompleteAfterWait@4 ;	ViPendingCompleteAfterWait(x)
		mov	[esi+4], edi
		jmp	short loc_A6382E
_ViPendingWorkerThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoCreateDevice(x, x, x, x, x, x, x)
_VerifierIoCreateDevice@28 proc	near	; DATA XREF: PAGEVRFD:00AAB6ECo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+arg_18]
		push	edi
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvIoCreateDevice
		mov	esi, eax
		test	esi, esi
		js	short loc_A63884
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A63884
		mov	ecx, [edi]
		call	_ViDevObjAdd@4	; ViDevObjAdd(x)

loc_A63884:				; CODE XREF: VerifierIoCreateDevice(x,x,x,x,x,x,x)+27j
					; VerifierIoCreateDevice(x,x,x,x,x,x,x)+30j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	1Ch
_VerifierIoCreateDevice@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoVolumeDeviceToDosName(x, x)
_VerifierIoVolumeDeviceToDosName@8 proc	near ; DATA XREF: PAGEVRFD:00AAB704o
					; PAGEVRFD:00AAB71Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A638B9
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jz	short loc_A638B9
		push	0
		mov	edx, 0E5h
		movzx	eax, al
		push	0
		push	eax
		lea	ecx, [edx-21h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A638B9:				; CODE XREF: VerifierIoVolumeDeviceToDosName(x,x)+Cj
					; VerifierIoVolumeDeviceToDosName(x,x)+16j
		pop	ebp
		jmp	ds:_pXdvIoVolumeDeviceToDosName
_VerifierIoVolumeDeviceToDosName@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfDevObjAdjustFdoForVerifierFilters(x)
_VfDevObjAdjustFdoForVerifierFilters@4 proc near ; CODE	XREF: IovUtilMarkStack+80C5Fp
		mov	edx, [ecx]
		mov	eax, [edx+8]
		cmp	dword ptr [eax+0A4h], offset _ViFilterDispatchPnp@8 ; ViFilterDispatchPnp(x,x)
		jnz	short locret_A638D6
		mov	eax, [edx+10h]
		mov	[ecx], eax

locret_A638D6:				; CODE XREF: VfDevObjAdjustFdoForVerifierFilters(x)+Fj
		retn
_VfDevObjAdjustFdoForVerifierFilters@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfDevObjIsDeviceRemoved(x)
_VfDevObjIsDeviceRemoved@4 proc	near	; CODE XREF: VfWmiVerifyIrpStackUpward(x,x,x,x,x,x)+3Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_8], 0
		mov	eax, ecx
		and	[esp+0Ch+var_4], 0
		test	byte ptr _MmVerifierData, 10h
		push	ebx
		jnz	short loc_A638FC
		mov	al, 1
		jmp	short loc_A63933
; 

loc_A638FC:				; CODE XREF: VfDevObjIsDeviceRemoved(x)+1Fj
		xor	ebx, ebx
		lea	ecx, [esp+10h+var_8]
		inc	ebx
		mov	edx, ebx
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	0
		mov	edx, ecx
		mov	ecx, offset _ViDevObjAvl
		push	eax
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A63928
		mov	al, [eax+8]
		and	al, 2
		neg	al
		sbb	al, al
		and	bl, al

loc_A63928:				; CODE XREF: VfDevObjIsDeviceRemoved(x)+44j
		lea	ecx, [esp+10h+var_8]
		call	VfAvlCleanupLockContext
		mov	al, bl

loc_A63933:				; CODE XREF: VfDevObjIsDeviceRemoved(x)+23j
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_VfDevObjIsDeviceRemoved@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfDevObjMarkDeviceRemoved(x)
_VfDevObjMarkDeviceRemoved@4 proc near	; CODE XREF: IovpCallDriver1(x)+317p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		and	[esp+8+var_8], 0
		mov	eax, ecx
		and	[esp+8+var_4], 0
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A63985
		xor	edx, edx
		lea	ecx, [esp+8+var_8]
		inc	edx
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	0
		mov	edx, ecx
		mov	ecx, offset _ViDevObjAvl
		push	eax
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A6397D
		push	2
		pop	ecx
		add	eax, 8
		lock or	[eax], ecx

loc_A6397D:				; CODE XREF: VfDevObjMarkDeviceRemoved(x)+3Aj
		lea	ecx, [esp+8+var_8]
		call	VfAvlCleanupLockContext

loc_A63985:				; CODE XREF: VfDevObjMarkDeviceRemoved(x)+1Cj
		mov	esp, ebp
		pop	ebp
		retn
_VfDevObjMarkDeviceRemoved@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfDevObjPostAddDevice(x, x,	x, x, x)
_VfDevObjPostAddDevice@20 proc near	; CODE XREF: PpvUtilCallAddDevice+82A9Bp

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_8], 0
		push	esi
		mov	esi, ecx
		jl	short loc_A639BC
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A639BC
		push	edx
		call	_MmIsDriverVerifying@4 ; MmIsDriverVerifying(x)
		test	eax, eax
		jz	short loc_A639BC
		mov	edx, [ebp+arg_4]
		cmp	edx, 4
		jnz	short loc_A639B5
		push	5
		pop	edx

loc_A639B5:				; CODE XREF: VfDevObjPostAddDevice(x,x,x,x,x)+27j
		mov	ecx, esi
		call	_VfFilterAttach@8 ; VfFilterAttach(x,x)

loc_A639BC:				; CODE XREF: VfDevObjPostAddDevice(x,x,x,x,x)+Cj
					; VfDevObjPostAddDevice(x,x,x,x,x)+15j	...
		pop	esi
		pop	ebp
		retn	0Ch
_VfDevObjPostAddDevice@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfDevObjPreAddDevice(x, x, x, x)
_VfDevObjPreAddDevice@16 proc near	; CODE XREF: PpvUtilCallAddDevice+82A86p

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edx
		mov	esi, ecx
		call	_MmIsDriverVerifying@4 ; MmIsDriverVerifying(x)
		test	eax, eax
		jz	short loc_A639EF
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A639EF
		mov	edx, [ebp+arg_4]
		cmp	edx, 4
		jnz	short loc_A639E8
		push	3
		pop	edx

loc_A639E8:				; CODE XREF: VfDevObjPreAddDevice(x,x,x,x)+22j
		mov	ecx, esi
		call	_VfFilterAttach@8 ; VfFilterAttach(x,x)

loc_A639EF:				; CODE XREF: VfDevObjPreAddDevice(x,x,x,x)+11j
					; VfDevObjPreAddDevice(x,x,x,x)+1Aj
		pop	esi
		pop	ecx
		pop	ebp
		retn	8
_VfDevObjPreAddDevice@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfDevObjWMIRegistrationControl(x, x)
_VfDevObjWMIRegistrationControl@8 proc near
					; CODE XREF: VerifierIoWMIRegistrationControl(x,x)+19p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		and	[esp+8+var_8], 0
		mov	eax, ecx
		and	[esp+8+var_4], 0
		test	byte ptr _MmVerifierData, 10h
		push	ebx
		push	esi
		mov	esi, edx
		jz	short loc_A63A57
		test	esi, esi
		js	short loc_A63A57
		xor	ebx, ebx
		lea	ecx, [esp+10h+var_8]
		inc	ebx
		mov	edx, ebx
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	0
		mov	edx, ecx
		mov	ecx, offset _ViDevObjAvl
		push	eax
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A63A4E
		sub	esi, ebx
		jz	short loc_A63A48
		sub	esi, ebx
		jz	short loc_A63A5D
		sub	esi, ebx
		jnz	short loc_A63A4E

loc_A63A48:				; CODE XREF: VfDevObjWMIRegistrationControl(x,x)+49j
		add	eax, 8
		lock or	[eax], ebx

loc_A63A4E:				; CODE XREF: VfDevObjWMIRegistrationControl(x,x)+45j
					; VfDevObjWMIRegistrationControl(x,x)+51j ...
		lea	ecx, [esp+10h+var_8]
		call	VfAvlCleanupLockContext

loc_A63A57:				; CODE XREF: VfDevObjWMIRegistrationControl(x,x)+20j
					; VfDevObjWMIRegistrationControl(x,x)+24j
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A63A5D:				; CODE XREF: VfDevObjWMIRegistrationControl(x,x)+4Dj
		push	0FFFFFFFEh
		pop	ecx
		add	eax, 8
		lock and [eax],	ecx
		jmp	short loc_A63A4E
_VfDevObjWMIRegistrationControl@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfIoDeleteDevice(x,	x)
_VfIoDeleteDevice@8 proc near		; CODE XREF: IovDeleteDevice(x,x)+3p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_VfHalDeleteDevice@4 ; VfHalDeleteDevice(x)
		cmp	ds:_VfIoDisabled, 0
		jnz	short loc_A63AD5
		mov	ecx, esi
		call	_ViDevObjRemove@4 ; ViDevObjRemove(x)
		xor	edx, edx
		mov	ecx, esi
		call	_IovUtilIsDeviceObjectMarked@8 ; IovUtilIsDeviceObjectMarked(x,x)
		test	eax, eax
		jz	short loc_A63A9F
		mov	edx, edi
		mov	ecx, 240h
		call	_ViErrorReport9@8 ; ViErrorReport9(x,x)

loc_A63A9F:				; CODE XREF: VfIoDeleteDevice(x,x)+29j
		xor	edx, edx
		mov	ecx, esi
		call	_IovUtilMarkDeviceObject@8 ; IovUtilMarkDeviceObject(x,x)
		call	_IovUtilGetLowerDeviceObjectWithTag@8 ;	IovUtilGetLowerDeviceObjectWithTag(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A63ACB
		mov	edx, edi
		mov	ecx, 201h
		call	_ViErrorReport9@8 ; ViErrorReport9(x,x)
		mov	edx, 49667256h
		mov	ecx, ebx
		call	ObfDereferenceObjectWithTag

loc_A63ACB:				; CODE XREF: VfIoDeleteDevice(x,x)+49j
		mov	ecx, esi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_VfIrpLogDeleteDeviceLogs@4 ; VfIrpLogDeleteDeviceLogs(x)
; 

loc_A63AD5:				; CODE XREF: VfIoDeleteDevice(x,x)+15j
		pop	edi
		pop	esi
		pop	ebx
		retn
_VfIoDeleteDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDevObjAdd(x)
_ViDevObjAdd@4	proc near		; CODE XREF: VerifierIoCreateDevice(x,x,x,x,x,x,x)+34p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		inc	ebx
		mov	[esp+0Ch+var_8], eax
		push	esi
		mov	[esp+10h+var_4], eax
		cmp	ds:_ViDevObjInitialized, eax
		jnz	short loc_A63AFE
		mov	bl, al
		jmp	short loc_A63B42
; 

loc_A63AFE:				; CODE XREF: ViDevObjAdd(x)+1Fj
		mov	edx, ecx
		mov	esi, offset _ViDevObjAvl
		push	0B8h
		mov	ecx, esi
		call	VfAvlReserveNode
		test	eax, eax
		jnz	short loc_A63B20
		mov	eax, offset _ViDevObjAllocationFailures
		xchg	ebx, [eax]
		xor	bl, bl
		jmp	short loc_A63B42
; 

loc_A63B20:				; CODE XREF: ViDevObjAdd(x)+3Aj
		and	dword ptr [eax+8], 0
		lea	ecx, [esp+10h+var_8]
		xor	edx, edx
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		mov	edx, ecx
		mov	ecx, esi
		push	eax
		call	_VfAvlInsertReservedTreeNode@12	; VfAvlInsertReservedTreeNode(x,x,x)
		lea	ecx, [esp+10h+var_8]
		call	VfAvlCleanupLockContext

loc_A63B42:				; CODE XREF: ViDevObjAdd(x)+23j
					; ViDevObjAdd(x)+45j
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_ViDevObjAdd@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDevObjRemove(x)
_ViDevObjRemove@4 proc near		; CODE XREF: VfIoDeleteDevice(x,x)+19p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		cmp	ds:_ViDevObjInitialized, esi
		jz	short loc_A63BDE
		xor	edx, edx
		lea	ecx, [ebp+var_8]
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	esi
		mov	edx, ecx
		mov	ebx, offset _ViDevObjAvl
		push	edi
		mov	ecx, ebx
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A63BB5
		test	byte ptr [eax+8], 1
		jz	short loc_A63BA7
		test	_MmVerifierData, 800h
		jz	short loc_A63BA7
		push	esi
		mov	edx, 0DBh
		push	esi
		push	edi
		lea	ecx, [edx-17h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A63BA7:				; CODE XREF: ViDevObjRemove(x)+3Fj
					; ViDevObjRemove(x)+4Bj
		push	esi
		push	edi
		lea	edx, [ebp+var_8]
		mov	ecx, ebx
		call	VfAvlDeleteTreeNode
		mov	esi, eax

loc_A63BB5:				; CODE XREF: ViDevObjRemove(x)+39j
		lea	ecx, [ebp+var_8]
		call	VfAvlCleanupLockContext
		test	esi, esi
		jz	short loc_A63BDE
		cmp	ds:dword_AAFF4C, 1
		jnz	short loc_A63BD8
		mov	edx, esi
		mov	ecx, offset _ViAvlNodeLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_A63BDE
; 

loc_A63BD8:				; CODE XREF: ViDevObjRemove(x)+7Ej
		push	esi
		call	_VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)

loc_A63BDE:				; CODE XREF: ViDevObjRemove(x)+1Bj
					; ViDevObjRemove(x)+75j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViDevObjRemove@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoAcquireRemoveLockEx(x, x,	x, x, x)
_VerifierIoAcquireRemoveLockEx@20 proc near ; DATA XREF: PAGEVRFD:00AAB5B4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ViRemLockInitialized, 0
		jz	short loc_A63C1C
		cmp	[ebp+arg_10], 58h
		jz	short loc_A63C1C
		mov	ecx, [ebp+arg_0]
		call	_ViRemLockFindSurrogate@4 ; ViRemLockFindSurrogate(x)
		test	eax, eax
		jz	short loc_A63C1C
		push	58h
		push	[ebp+arg_C]
		add	eax, 8
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	eax
		call	ds:_pXdvIoAcquireRemoveLockEx
		pop	ebp
		retn	14h
; 

loc_A63C1C:				; CODE XREF: VerifierIoAcquireRemoveLockEx(x,x,x,x,x)+Cj
					; VerifierIoAcquireRemoveLockEx(x,x,x,x,x)+12j	...
		pop	ebp
		jmp	ds:_pXdvIoAcquireRemoveLockEx
_VerifierIoAcquireRemoveLockEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoInitializeRemoveLockEx(x,	x, x, x, x)
_VerifierIoInitializeRemoveLockEx@20 proc near ; DATA XREF: PAGEVRFD:00AAB59Co

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[esp+18h+var_8], esi
		mov	[esp+18h+var_4], esi
		cmp	ds:_ViRemLockInitialized, esi
		jz	loc_A63CFD
		mov	ecx, edi
		call	_ViRemLockFindSurrogate@4 ; ViRemLockFindSurrogate(x)
		test	eax, eax
		jz	short loc_A63C81
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A63C70
		push	esi
		mov	edx, 0D7h
		add	eax, 8
		push	edi
		push	eax
		lea	ecx, [edx-13h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A63C70:				; CODE XREF: VerifierIoInitializeRemoveLockEx(x,x,x,x,x)+38j
		lock inc ds:_ViRemLockReusedCount
		mov	edx, [ebp+arg_10]
		mov	ecx, edi
		call	_ViRemLockDeleteFirstTreeNode@8	; ViRemLockDeleteFirstTreeNode(x,x)

loc_A63C81:				; CODE XREF: VerifierIoInitializeRemoveLockEx(x,x,x,x,x)+2Fj
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A63CFD
		push	[ebp+arg_10]
		mov	edx, edi
		mov	ecx, offset _ViRemLockAvl
		call	VfAvlReserveNode
		mov	[esp+18h+var_C], eax
		test	eax, eax
		jnz	short loc_A63CAB
		inc	eax
		mov	ecx, offset _ViRemLockAllocationFailures
		xchg	eax, [ecx]
		jmp	short loc_A63CFD
; 

loc_A63CAB:				; CODE XREF: VerifierIoInitializeRemoveLockEx(x,x,x,x,x)+7Cj
		add	eax, 8
		cmp	[ebp+arg_10], 58h
		push	58h		; size_t
		jz	short loc_A63CCB
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	eax
		call	ds:_pXdvIoInitializeRemoveLockEx
		xor	esi, esi
		inc	esi
		jmp	short loc_A63CD5
; 

loc_A63CCB:				; CODE XREF: VerifierIoInitializeRemoveLockEx(x,x,x,x,x)+91j
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_A63CD5:				; CODE XREF: VerifierIoInitializeRemoveLockEx(x,x,x,x,x)+A6j
		xor	edx, edx
		lea	ecx, [esp+18h+var_8]
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	[esp+18h+var_C]
		mov	edx, ecx
		mov	ecx, offset _ViRemLockAvl
		call	_VfAvlInsertReservedTreeNode@12	; VfAvlInsertReservedTreeNode(x,x,x)
		lea	ecx, [esp+18h+var_8]
		call	VfAvlCleanupLockContext
		test	esi, esi
		jnz	short loc_A63D10

loc_A63CFD:				; CODE XREF: VerifierIoInitializeRemoveLockEx(x,x,x,x,x)+20j
					; VerifierIoInitializeRemoveLockEx(x,x,x,x,x)+65j ...
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	edi
		call	ds:_pXdvIoInitializeRemoveLockEx

loc_A63D10:				; CODE XREF: VerifierIoInitializeRemoveLockEx(x,x,x,x,x)+D8j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	14h
_VerifierIoInitializeRemoveLockEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoReleaseRemoveLockAndWaitEx(x, x, x)
_VerifierIoReleaseRemoveLockAndWaitEx@12 proc near ; DATA XREF:	PAGEVRFD:00AAB5E4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ViRemLockInitialized, 0
		jz	short loc_A63D4B
		cmp	[ebp+arg_8], 58h
		jz	short loc_A63D4B
		mov	ecx, [ebp+arg_0]
		call	_ViRemLockFindSurrogate@4 ; ViRemLockFindSurrogate(x)
		test	eax, eax
		jz	short loc_A63D4B
		push	58h
		push	[ebp+arg_4]
		add	eax, 8
		push	eax
		call	ds:_pXdvIoReleaseRemoveLockAndWaitEx
		pop	ebp
		retn	0Ch
; 

loc_A63D4B:				; CODE XREF: VerifierIoReleaseRemoveLockAndWaitEx(x,x,x)+Cj
					; VerifierIoReleaseRemoveLockAndWaitEx(x,x,x)+12j ...
		pop	ebp
		jmp	ds:_pXdvIoReleaseRemoveLockAndWaitEx
_VerifierIoReleaseRemoveLockAndWaitEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoReleaseRemoveLockEx(x, x,	x)
_VerifierIoReleaseRemoveLockEx@12 proc near ; DATA XREF: PAGEVRFD:00AAB5CCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	ds:_ViRemLockInitialized, 0
		jz	short loc_A63D85
		cmp	[ebp+arg_8], 58h
		jz	short loc_A63D85
		mov	ecx, [ebp+arg_0]
		call	_ViRemLockFindSurrogate@4 ; ViRemLockFindSurrogate(x)
		test	eax, eax
		jz	short loc_A63D85
		push	58h
		push	[ebp+arg_4]
		add	eax, 8
		push	eax
		call	ds:_pXdvIoReleaseRemoveLockEx
		pop	ebp
		retn	0Ch
; 

loc_A63D85:				; CODE XREF: VerifierIoReleaseRemoveLockEx(x,x,x)+Cj
					; VerifierIoReleaseRemoveLockEx(x,x,x)+12j ...
		pop	ebp
		jmp	ds:_pXdvIoReleaseRemoveLockEx
_VerifierIoReleaseRemoveLockEx@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfRemLockDeleteMemoryRange(x, x)
_VfRemLockDeleteMemoryRange@8 proc near	; CODE XREF: VfDriverUnloadImage+1D15p
					; VfFreeMemoryNotification(x,x)+12p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		xor	eax, eax
		mov	ebx, ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	[esp+18h+var_8], eax
		mov	[esp+18h+var_4], eax
		cmp	ds:_ViRemLockInitialized, eax
		jz	short loc_A63DF7
		cmp	ds:dword_AAFDC4, eax
		jz	short loc_A63DF7
		call	_VfPoolIsInternalFree@0	; VfPoolIsInternalFree()
		test	eax, eax
		jnz	short loc_A63DF7
		xor	edx, edx
		lea	ecx, [esp+18h+var_8]
		inc	edx
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	edi
		mov	edx, ecx
		mov	ecx, offset _ViRemLockAvl
		push	ebx
		call	VfAvlLookupTreeNode
		lea	ecx, [esp+18h+var_8]
		mov	esi, eax
		call	VfAvlCleanupLockContext
		test	esi, esi
		jz	short loc_A63DF7

loc_A63DEA:				; CODE XREF: VfRemLockDeleteMemoryRange(x,x)+69j
		mov	edx, edi
		mov	ecx, ebx
		call	_ViRemLockDeleteFirstTreeNode@8	; ViRemLockDeleteFirstTreeNode(x,x)
		test	eax, eax
		jnz	short loc_A63DEA

loc_A63DF7:				; CODE XREF: VfRemLockDeleteMemoryRange(x,x)+22j
					; VfRemLockDeleteMemoryRange(x,x)+2Aj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_VfRemLockDeleteMemoryRange@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfRemLockReportBadReleaseAndWaitTag(x, x, x)
_VfRemLockReportBadReleaseAndWaitTag@12	proc near
					; CODE XREF: IoReleaseRemoveLockAndWaitEx(x,x,x)+5Dp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		push	edx
		mov	edx, 0D6h
		push	ecx
		lea	ecx, [edx-12h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)
		xor	eax, eax
		inc	eax
		pop	ebp
		retn	4
_VfRemLockReportBadReleaseAndWaitTag@12	endp


;  S U B	R O U T	I N E 


; __stdcall VfRemLockReportBadReleaseTag(x, x)
_VfRemLockReportBadReleaseTag@8	proc near ; CODE XREF: IoReleaseRemoveLockEx+D9EC0p
		push	0
		push	edx
		mov	edx, 0D5h
		push	ecx
		lea	ecx, [edx-11h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)
		xor	eax, eax
		inc	eax
		retn
_VfRemLockReportBadReleaseTag@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViRemLockDeleteFirstTreeNode(x, x)
_ViRemLockDeleteFirstTreeNode@8	proc near
					; CODE XREF: VerifierIoInitializeRemoveLockEx(x,x,x,x,x)+59p
					; VfRemLockDeleteMemoryRange(x,x)+62p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	eax, edx
		mov	esi, ecx
		mov	[ebp+var_8], edi
		xor	edx, edx
		mov	[ebp+var_4], edi
		lea	ecx, [ebp+var_8]
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	eax
		mov	edx, ecx
		mov	ebx, offset _ViRemLockAvl
		push	esi
		mov	ecx, ebx
		call	VfAvlLookupTreeNode
		mov	esi, eax
		test	esi, esi
		jz	short loc_A63E77
		push	edi
		push	dword ptr [esi]
		lea	edx, [ebp+var_8]
		mov	ecx, ebx
		call	VfAvlDeleteTreeNode
		mov	edi, eax

loc_A63E77:				; CODE XREF: ViRemLockDeleteFirstTreeNode(x,x)+35j
		lea	ecx, [ebp+var_8]
		call	VfAvlCleanupLockContext
		test	esi, esi
		jnz	short loc_A63E87
		xor	eax, eax
		jmp	short loc_A63EAB
; 

loc_A63E87:				; CODE XREF: ViRemLockDeleteFirstTreeNode(x,x)+50j
		test	edi, edi
		jz	short loc_A63EA8
		cmp	ds:dword_AAFDD4, 1
		jnz	short loc_A63EA2
		mov	edx, edi
		mov	ecx, offset _ViAvlNodeLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_A63EA8
; 

loc_A63EA2:				; CODE XREF: ViRemLockDeleteFirstTreeNode(x,x)+61j
		push	edi
		call	_VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)

loc_A63EA8:				; CODE XREF: ViRemLockDeleteFirstTreeNode(x,x)+58j
					; ViRemLockDeleteFirstTreeNode(x,x)+6Fj
		xor	eax, eax
		inc	eax

loc_A63EAB:				; CODE XREF: ViRemLockDeleteFirstTreeNode(x,x)+54j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViRemLockDeleteFirstTreeNode@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViRemLockFindSurrogate(x)
_ViRemLockFindSurrogate@4 proc near	; CODE XREF: VerifierIoAcquireRemoveLockEx(x,x,x,x,x)+17p
					; VerifierIoInitializeRemoveLockEx(x,x,x,x,x)+28p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_8], 0
		xor	edx, edx
		and	[esp+0Ch+var_4], 0
		mov	eax, ecx
		push	esi
		inc	edx
		lea	ecx, [esp+10h+var_8]
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	18h
		mov	edx, ecx
		mov	ecx, offset _ViRemLockAvl
		push	eax
		call	VfAvlLookupTreeNode
		lea	ecx, [esp+10h+var_8]
		mov	esi, eax
		call	VfAvlCleanupLockContext
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_ViRemLockFindSurrogate@4 endp


;  S U B	R O U T	I N E 


; __stdcall IovUtilFlushStackCache(x, x)
_IovUtilFlushStackCache@8 proc near	; CODE XREF: IovAttachDeviceToDeviceStack(x,x)+17j
					; IovDetachDevice(x,x)+20j
		mov	edi, edi

loc_A63EF7:				; CODE XREF: IovUtilFlushStackCache(x,x)+Fj
		mov	eax, [ecx+0B0h]
		mov	edx, ecx
		mov	ecx, [eax+18h]
		test	ecx, ecx
		jnz	short loc_A63EF7

loc_A63F06:				; CODE XREF: IovUtilFlushStackCache(x,x)+23j
		mov	eax, [edx+0B0h]
		and	dword ptr [eax+10h], 3FFFFFFFh
		mov	edx, [edx+10h]
		test	edx, edx
		jnz	short loc_A63F06
		retn
_IovUtilFlushStackCache@8 endp


;  S U B	R O U T	I N E 


; __stdcall IovUtilGetBottomDeviceObjectWithTag(x, x)
_IovUtilGetBottomDeviceObjectWithTag@8 proc near ; CODE	XREF: IovpCallDriver1(x)+CBp
					; IovpCallDriver1(x)+2E1p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	0Ah
		mov	esi, ecx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al

loc_A63F2C:				; CODE XREF: IovUtilGetBottomDeviceObjectWithTag(x,x)+1Ej
		mov	edx, [esi+0B0h]
		mov	edi, esi
		mov	esi, [edx+18h]
		test	esi, esi
		jnz	short loc_A63F2C
		mov	edx, 49667256h
		mov	ecx, edi
		call	ObfReferenceObjectWithTag
		push	0Ah
		mov	dl, bl
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_IovUtilGetBottomDeviceObjectWithTag@8 endp


;  S U B	R O U T	I N E 


; __stdcall IovUtilGetLowerDeviceObjectWithTag(x, x)
_IovUtilGetLowerDeviceObjectWithTag@8 proc near	; CODE XREF: IovpCallDriver1(x)+24Bp
					; IovpCallDriver2(x,x)+7Bp ...
		mov	edi, edi
		push	ebx
		push	esi
		push	0Ah
		mov	esi, ecx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	ecx, [esi+0B0h]
		mov	bl, al
		mov	esi, [ecx+18h]
		test	esi, esi
		jz	short loc_A63F80
		mov	edx, 49667256h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag

loc_A63F80:				; CODE XREF: IovUtilGetLowerDeviceObjectWithTag(x,x)+1Bj
		push	0Ah
		mov	dl, bl
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_IovUtilGetLowerDeviceObjectWithTag@8 endp


;  S U B	R O U T	I N E 


; __stdcall IovUtilGetUpperDeviceObjectWithTag(x, x)
_IovUtilGetUpperDeviceObjectWithTag@8 proc near
					; CODE XREF: IovpExamineDevObjForwarding(x,x)+11p
					; IovpExamineDevObjForwarding(x,x)+5Bp
		mov	edi, edi
		push	ebx
		push	esi
		push	0Ah
		mov	esi, ecx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	esi, [esi+10h]
		mov	bl, al
		test	esi, esi
		jz	short loc_A63FB2
		mov	edx, 49667256h
		mov	ecx, esi
		call	ObfReferenceObjectWithTag

loc_A63FB2:				; CODE XREF: IovUtilGetUpperDeviceObjectWithTag(x,x)+15j
		push	0Ah
		mov	dl, bl
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_IovUtilGetUpperDeviceObjectWithTag@8 endp


;  S U B	R O U T	I N E 


; __stdcall IovUtilIsDeviceObjectMarked(x, x)
_IovUtilIsDeviceObjectMarked@8 proc near ; CODE	XREF: IovpCallDriver1(x)+305p
					; IovpCallDriver2(x,x)+A4p ...
		mov	eax, [ecx+0B0h]
		mov	eax, [eax+10h]
		sub	edx, 0
		jz	short loc_A64004
		sub	edx, 1
		jz	short loc_A63FFF
		sub	edx, 1
		jz	short loc_A63FFA
		sub	edx, 1
		jz	short loc_A63FF5
		sub	edx, 1
		jz	short loc_A63FF0
		sub	edx, 1
		jz	short loc_A63FEB
		xor	eax, eax
		retn
; 

loc_A63FEB:				; CODE XREF: IovUtilIsDeviceObjectMarked(x,x)+25j
		shr	eax, 18h
		jmp	short loc_A64007
; 

loc_A63FF0:				; CODE XREF: IovUtilIsDeviceObjectMarked(x,x)+20j
		shr	eax, 19h
		jmp	short loc_A64007
; 

loc_A63FF5:				; CODE XREF: IovUtilIsDeviceObjectMarked(x,x)+1Bj
		shr	eax, 1Bh
		jmp	short loc_A64007
; 

loc_A63FFA:				; CODE XREF: IovUtilIsDeviceObjectMarked(x,x)+16j
		shr	eax, 1Dh
		jmp	short loc_A64007
; 

loc_A63FFF:				; CODE XREF: IovUtilIsDeviceObjectMarked(x,x)+11j
		shr	eax, 1Ch
		jmp	short loc_A64007
; 

loc_A64004:				; CODE XREF: IovUtilIsDeviceObjectMarked(x,x)+Cj
		shr	eax, 1Ah

loc_A64007:				; CODE XREF: IovUtilIsDeviceObjectMarked(x,x)+2Dj
					; IovUtilIsDeviceObjectMarked(x,x)+32j	...
		and	eax, 1
		retn
_IovUtilIsDeviceObjectMarked@8 endp


;  S U B	R O U T	I N E 


; __stdcall IovUtilIsInFdoStack(x)
_IovUtilIsInFdoStack@4 proc near	; CODE XREF: IovpCallDriver1(x)+2F7p
		mov	edi, edi
		push	ebx
		push	esi
		push	0Ah
		mov	esi, ecx
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al

loc_A6401B:				; CODE XREF: IovUtilIsInFdoStack(x)+29j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_IovUtilIsDeviceObjectMarked@8 ; IovUtilIsDeviceObjectMarked(x,x)
		test	eax, eax
		jnz	short loc_A64036
		mov	eax, [esi+0B0h]
		mov	esi, [eax+18h]
		test	esi, esi
		jnz	short loc_A6401B

loc_A64036:				; CODE XREF: IovUtilIsInFdoStack(x)+1Cj
		push	0Ah
		mov	dl, bl
		pop	ecx
		call	KeReleaseQueuedSpinLock
		xor	eax, eax
		test	esi, esi
		pop	esi
		setnz	al
		pop	ebx
		retn
_IovUtilIsInFdoStack@4 endp


;  S U B	R O U T	I N E 


; __stdcall IovUtilIsPdo(x)
_IovUtilIsPdo@4	proc near		; CODE XREF: VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+15Bp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_IovUtilGetBottomDeviceObjectWithTag@8 ; IovUtilGetBottomDeviceObjectWithTag(x,x)
		mov	ecx, eax
		cmp	ecx, esi
		jz	short loc_A6405E
		xor	esi, esi
		jmp	short loc_A64066
; 

loc_A6405E:				; CODE XREF: IovUtilIsPdo(x)+Ej
		call	@PpvUtilIsPdo@4	; PpvUtilIsPdo(x)
		movzx	esi, al

loc_A64066:				; CODE XREF: IovUtilIsPdo(x)+12j
		mov	edx, 49667256h
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		pop	esi
		retn
_IovUtilIsPdo@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovUtilIsVerifiedDeviceStack(x)
_IovUtilIsVerifiedDeviceStack@4	proc near ; CODE XREF: VfMajorTestStartedPdoStack(x)+5p
					; IovpSessionDataCreate(x,x,x)+11p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ecx
		mov	eax, [esi+0B0h]
		mov	eax, [eax+10h]
		test	eax, eax
		jns	short loc_A64092
		shr	eax, 1Eh
		and	eax, 1
		jmp	short loc_A6410C
; 

loc_A64092:				; CODE XREF: IovUtilIsVerifiedDeviceStack(x)+14j
		push	ebx
		push	edi
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	[ebp+var_1], al
		xor	edi, edi

loc_A640A1:				; CODE XREF: IovUtilIsVerifiedDeviceStack(x)+5Bj
		mov	ecx, [esi+0B0h]
		mov	ebx, esi
		push	dword ptr [ebx+8]
		mov	esi, [ecx+18h]
		call	_MmIsDriverVerifying@4 ; MmIsDriverVerifying(x)
		test	eax, eax
		jz	short loc_A640BB
		xor	edi, edi
		inc	edi

loc_A640BB:				; CODE XREF: IovUtilIsVerifiedDeviceStack(x)+42j
		mov	edx, 40000000h
		test	esi, esi
		jz	short loc_A640D8
		mov	eax, [esi+0B0h]
		mov	eax, [eax+10h]
		test	eax, eax
		jns	short loc_A640A1
		test	eax, edx
		jz	short loc_A640D8
		xor	edi, edi
		inc	edi

loc_A640D8:				; CODE XREF: IovUtilIsVerifiedDeviceStack(x)+4Ej
					; IovUtilIsVerifiedDeviceStack(x)+5Fj ...
		mov	ecx, [ebx+0B0h]
		mov	eax, [ecx+10h]
		test	edi, edi
		jz	short loc_A640E9
		or	eax, edx
		jmp	short loc_A640EE
; 

loc_A640E9:				; CODE XREF: IovUtilIsVerifiedDeviceStack(x)+6Fj
		and	eax, 0BFFFFFFFh

loc_A640EE:				; CODE XREF: IovUtilIsVerifiedDeviceStack(x)+73j
		or	eax, 80000000h
		mov	[ecx+10h], eax
		mov	ebx, [ebx+10h]
		test	ebx, ebx
		jnz	short loc_A640D8
		mov	dl, [ebp+var_1]
		push	0Ah
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	eax, edi
		pop	edi
		pop	ebx

loc_A6410C:				; CODE XREF: IovUtilIsVerifiedDeviceStack(x)+1Cj
		pop	esi
		leave
		retn
_IovUtilIsVerifiedDeviceStack@4	endp


;  S U B	R O U T	I N E 


; __stdcall IovUtilIsWdmStack(x)
_IovUtilIsWdmStack@4 proc near		; CODE XREF: VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)+15p
					; VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+14p
		mov	edi, edi
		push	esi
		call	_IovUtilGetBottomDeviceObjectWithTag@8 ; IovUtilGetBottomDeviceObjectWithTag(x,x)
		mov	ecx, eax
		call	@PpvUtilIsPdo@4	; PpvUtilIsPdo(x)
		mov	edx, 49667256h
		movzx	esi, al
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		pop	esi
		retn
_IovUtilIsWdmStack@4 endp


;  S U B	R O U T	I N E 


; __stdcall IovUtilMultipleDevicesSameDriver(x)
_IovUtilMultipleDevicesSameDriver@4 proc near
					; CODE XREF: IovpExamineIrpStackForwarding(x,x,x,x,x,x,x,x)+A2p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		push	0Ah
		pop	ecx
		mov	ebx, [esi+8]
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	dl, al
		mov	eax, [esi+10h]
		jmp	short loc_A64152
; 

loc_A6414A:				; CODE XREF: IovUtilMultipleDevicesSameDriver(x)+25j
		cmp	[eax+8], ebx
		jz	short loc_A64158
		mov	eax, [eax+10h]

loc_A64152:				; CODE XREF: IovUtilMultipleDevicesSameDriver(x)+19j
		test	eax, eax
		jnz	short loc_A6414A
		jmp	short loc_A6415B
; 

loc_A64158:				; CODE XREF: IovUtilMultipleDevicesSameDriver(x)+1Ej
		xor	edi, edi
		inc	edi

loc_A6415B:				; CODE XREF: IovUtilMultipleDevicesSameDriver(x)+27j
		push	0Ah
		pop	ecx
		call	KeReleaseQueuedSpinLock
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_IovUtilMultipleDevicesSameDriver@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovUtilRelateDeviceObjects(x, x, x)
_IovUtilRelateDeviceObjects@12 proc near ; CODE	XREF: IovpExamineDevObjForwarding(x,x)+33p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		cmp	esi, edi
		jnz	short loc_A64181
		mov	eax, [ebp+arg_0]
		and	dword ptr [eax], 0
		jmp	short loc_A641EE
; 

loc_A64181:				; CODE XREF: IovUtilRelateDeviceObjects(x,x,x)+Ej
		push	0Ah
		pop	ecx
		call	@KeAcquireQueuedSpinLock@4 ; KeAcquireQueuedSpinLock(x)
		mov	bl, al
		cmp	esi, [edi+10h]
		jnz	short loc_A6419B
		mov	edx, [ebp+arg_0]
		mov	dword ptr [edx], 1
		jmp	short loc_A641E4
; 

loc_A6419B:				; CODE XREF: IovUtilRelateDeviceObjects(x,x,x)+25j
		mov	ecx, [esi+10h]
		cmp	ecx, edi
		jnz	short loc_A641AD
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 2
		jmp	short loc_A641E4
; 

loc_A641AD:				; CODE XREF: IovUtilRelateDeviceObjects(x,x,x)+37j
					; IovUtilRelateDeviceObjects(x,x,x)+53j
		cmp	esi, edi
		jz	short loc_A641BE
		mov	eax, [esi+0B0h]
		mov	esi, [eax+18h]
		test	esi, esi
		jnz	short loc_A641AD

loc_A641BE:				; CODE XREF: IovUtilRelateDeviceObjects(x,x,x)+46j
		test	esi, esi
		jz	short loc_A641D4
		mov	eax, [ebp+arg_0]
		mov	dword ptr [eax], 3
		jmp	short loc_A641E4
; 

loc_A641CD:				; CODE XREF: IovUtilRelateDeviceObjects(x,x,x)+6Dj
		cmp	ecx, edi
		jz	short loc_A641D8
		mov	ecx, [ecx+10h]

loc_A641D4:				; CODE XREF: IovUtilRelateDeviceObjects(x,x,x)+57j
		test	ecx, ecx
		jnz	short loc_A641CD

loc_A641D8:				; CODE XREF: IovUtilRelateDeviceObjects(x,x,x)+66j
		mov	eax, [ebp+arg_0]
		neg	ecx
		sbb	ecx, ecx
		add	ecx, 5
		mov	[eax], ecx

loc_A641E4:				; CODE XREF: IovUtilRelateDeviceObjects(x,x,x)+30j
					; IovUtilRelateDeviceObjects(x,x,x)+42j ...
		push	0Ah
		mov	dl, bl
		pop	ecx
		call	KeReleaseQueuedSpinLock

loc_A641EE:				; CODE XREF: IovUtilRelateDeviceObjects(x,x,x)+16j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_IovUtilRelateDeviceObjects@12 endp


;  S U B	R O U T	I N E 


; __stdcall IovpUtilMarkDeviceObject(x,	x)
_IovpUtilMarkDeviceObject@8 proc near	; CODE XREF: IovUtilMarkStack+80C52p
					; IovUtilMarkStack+80C7Bp ...
		mov	eax, [ecx+0B0h]
		sub	edx, 0
		jz	short loc_A64241
		sub	edx, 1
		jz	short loc_A64239
		sub	edx, 1
		jz	short loc_A64231
		sub	edx, 1
		jz	short loc_A64229
		sub	edx, 1
		jz	short loc_A64221
		sub	edx, 1
		jnz	short locret_A64248
		or	dword ptr [eax+10h], 1000000h
		retn
; 

loc_A64221:				; CODE XREF: IovpUtilMarkDeviceObject(x,x)+1Dj
		or	dword ptr [eax+10h], 2000000h
		retn
; 

loc_A64229:				; CODE XREF: IovpUtilMarkDeviceObject(x,x)+18j
		or	dword ptr [eax+10h], 8000000h
		retn
; 

loc_A64231:				; CODE XREF: IovpUtilMarkDeviceObject(x,x)+13j
		or	dword ptr [eax+10h], 20000000h
		retn
; 

loc_A64239:				; CODE XREF: IovpUtilMarkDeviceObject(x,x)+Ej
		or	dword ptr [eax+10h], 10000000h
		retn
; 

loc_A64241:				; CODE XREF: IovpUtilMarkDeviceObject(x,x)+9j
		or	dword ptr [eax+10h], 4000000h

locret_A64248:				; CODE XREF: IovpUtilMarkDeviceObject(x,x)+22j
		retn
_IovpUtilMarkDeviceObject@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfTargetDriversEnableVerifier(x, x)
_VfTargetDriversEnableVerifier@8 proc near
					; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+24Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		push	edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		cmp	_VfSafeMode, esi
		jnz	short loc_A642B9
		cmp	_ViTargetInitialized, esi
		jz	short loc_A642B9
		mov	ecx, edx
		call	_ViTargetDriversAllocateVerifiedData@4 ; ViTargetDriversAllocateVerifiedData(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A642B9
		xor	edx, edx
		lea	ecx, [ebp+var_8]
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	1
		mov	edx, ecx
		mov	ecx, offset _ViTargetDriversAvl
		push	ebx
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A642A2
		mov	[eax+1Ch], edi
		inc	dword_6BE398
		inc	esi

loc_A642A2:				; CODE XREF: VfTargetDriversEnableVerifier(x,x)+4Dj
		lea	ecx, [ebp+var_8]
		call	VfAvlCleanupLockContext
		test	esi, esi
		jnz	short loc_A642B9
		push	44566656h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A642B9:				; CODE XREF: VfTargetDriversEnableVerifier(x,x)+1Bj
					; VfTargetDriversEnableVerifier(x,x)+23j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_VfTargetDriversEnableVerifier@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfTargetDriversGetCounters(x, x, x)
_VfTargetDriversGetCounters@12 proc near
					; CODE XREF: VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+143p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		call	_VfTargetDriversGetZeroCounters@8 ; VfTargetDriversGetZeroCounters(x,x)
		mov	[ebp+var_C], edx
		lea	ecx, [ebp+var_8]
		xor	edx, edx
		mov	[ebp+var_14], esi
		inc	edx
		mov	[ebp+var_10], edi
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		lea	eax, [ebp+var_14]
		mov	edx, ecx
		push	eax
		push	offset _ViTargetAddCountersCallback@8 ;	ViTargetAddCountersCallback(x,x)
		call	_VfAvlEnumerateNodes@16	; VfAvlEnumerateNodes(x,x,x,x)
		lea	ecx, [ebp+var_8]
		call	VfAvlCleanupLockContext
		pop	edi
		pop	esi
		leave
		retn	4
_VfTargetDriversGetCounters@12 endp


;  S U B	R O U T	I N E 


; __stdcall VfTargetDriversGetVerifierData(x)
_VfTargetDriversGetVerifierData@4 proc near ; CODE XREF: VfUtilGetDifPluginDriverData(x)+8p
					; VfUtilCheckRuleEnforcement(x)+9p ...
		call	_VfDriverIsKernelImageAddress@4	; VfDriverIsKernelImageAddress(x)
		test	eax, eax
		jz	short loc_A64327
		cmp	_KernelVerifier, 0
		jnz	short loc_A64344

loc_A64324:				; CODE XREF: VfTargetDriversGetVerifierData(x)+27j
					; VfTargetDriversGetVerifierData(x)+30j ...
		xor	eax, eax
		retn
; 

loc_A64327:				; CODE XREF: VfTargetDriversGetVerifierData(x)+7j
		cmp	_KernelVerifier, 0
		jz	short loc_A6433B
		cmp	dword_6BE398, 2
		jge	short loc_A64344
		jmp	short loc_A64324
; 

loc_A6433B:				; CODE XREF: VfTargetDriversGetVerifierData(x)+1Cj
		cmp	dword_6BE398, 0
		jz	short loc_A64324

loc_A64344:				; CODE XREF: VfTargetDriversGetVerifierData(x)+10j
					; VfTargetDriversGetVerifierData(x)+25j
		call	_VfTargetDriversGetNode@4 ; VfTargetDriversGetNode(x)
		test	eax, eax
		jz	short loc_A64324
		mov	eax, [eax+1Ch]
		retn
_VfTargetDriversGetVerifierData@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfTargetDriversGetZeroCounters(x, x)
_VfTargetDriversGetZeroCounters@8 proc near
					; CODE XREF: VfTargetDriversGetCounters(x,x,x)+1Bp
					; VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+14Fp
		xor	eax, eax
		mov	[ecx+58h], eax
		mov	[ecx+5Ch], eax
		mov	[ecx+60h], eax
		mov	[ecx+64h], eax
		mov	[ecx+68h], eax
		mov	[ecx+6Ch], eax
		mov	[ecx+70h], eax
		mov	[ecx+74h], eax
		test	edx, edx
		jz	short locret_A643ED
		mov	[ecx+78h], eax
		mov	[ecx+7Ch], eax
		mov	[ecx+80h], eax
		mov	[ecx+84h], eax
		mov	[ecx+88h], eax
		mov	[ecx+8Ch], eax
		mov	[ecx+90h], eax
		mov	[ecx+94h], eax
		mov	[ecx+98h], eax
		mov	[ecx+9Ch], eax
		mov	[ecx+0A0h], eax
		mov	[ecx+0A4h], eax
		mov	[ecx+0A8h], eax
		mov	[ecx+0ACh], eax
		mov	[ecx+0B0h], eax
		mov	[ecx+0B4h], eax
		mov	[ecx+0B8h], eax
		mov	[ecx+0BCh], eax
		mov	[ecx+0C0h], eax
		mov	[ecx+0C4h], eax
		mov	[ecx+0C8h], eax
		mov	[ecx+0CCh], eax

locret_A643ED:				; CODE XREF: VfTargetDriversGetZeroCounters(x,x)+1Cj
		retn
_VfTargetDriversGetZeroCounters@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfTargetDriversIsEnabled(x)
_VfTargetDriversIsEnabled@4 proc near	; CODE XREF: PipDmgGetDriverDmarCompatLevel+8D3CCp
					; ViIrpCheckKernelAddressForIrp(x,x,x)+3Ep ...
		mov	edi, edi
		push	ecx
		xor	eax, eax
		cmp	_VfSafeMode, eax
		jnz	short loc_A6440E
		cmp	_ViTargetInitialized, eax
		jz	short loc_A6440E
		call	_VfTargetDriversGetVerifierData@4 ; VfTargetDriversGetVerifierData(x)
		neg	eax
		sbb	eax, eax
		neg	eax

loc_A6440E:				; CODE XREF: VfTargetDriversIsEnabled(x)+Bj
					; VfTargetDriversIsEnabled(x)+13j
		pop	ecx
		retn
_VfTargetDriversIsEnabled@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfTargetEtwRegister(x, x, x)
_VfTargetEtwRegister@12	proc near	; CODE XREF: VerifierEtwRegister(x,x,x,x)+28p
					; VerifierEtwRegisterClassicProvider(x,x,x,x,x)+2Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, ecx
		mov	[esp+18h+var_8], edi
		mov	[esp+18h+var_4], edi
		cmp	_VfSafeMode, edi
		jnz	loc_A644BF
		push	54456656h
		push	18h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		xor	edx, edx
		lea	ecx, [esp+18h+var_8]
		mov	esi, eax
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	1
		mov	edx, ecx
		mov	ecx, offset _ViTargetDriversAvl
		push	ebx
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A644A3
		mov	ecx, [eax+1Ch]
		test	ecx, ecx
		jz	short loc_A644A3
		test	esi, esi
		jnz	short loc_A64478
		or	dword ptr [ecx+10h], 1
		jmp	short loc_A644A3
; 

loc_A64478:				; CODE XREF: VfTargetEtwRegister(x,x,x)+60j
		mov	eax, [ebp+arg_0]
		add	ecx, 8
		mov	[esi+8], eax
		mov	eax, [ebp+arg_4]
		mov	[esi+0Ch], eax
		mov	[esi+10h], ebx
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jz	short loc_A64496
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A64496:				; CODE XREF: VfTargetEtwRegister(x,x,x)+7Fj
		mov	[esi], ecx
		xor	edi, edi
		mov	[esi+4], eax
		inc	edi
		mov	[eax], esi
		mov	[ecx+4], esi

loc_A644A3:				; CODE XREF: VfTargetEtwRegister(x,x,x)+55j
					; VfTargetEtwRegister(x,x,x)+5Cj ...
		lea	ecx, [esp+18h+var_8]
		call	VfAvlCleanupLockContext
		test	edi, edi
		jnz	short loc_A644BF
		test	esi, esi
		jz	short loc_A644BF
		push	54456656h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A644BF:				; CODE XREF: VfTargetEtwRegister(x,x,x)+20j
					; VfTargetEtwRegister(x,x,x)+9Ej ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_VfTargetEtwRegister@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfTargetEtwUnregister(x, x,	x)
_VfTargetEtwUnregister@12 proc near	; CODE XREF: VerifierEtwUnregister(x,x)+Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	eax, ecx
		mov	[esp+18h+var_8], edi
		mov	[esp+18h+var_4], edi
		cmp	_VfSafeMode, edi
		jnz	loc_A6457D
		xor	edx, edx
		mov	[esp+18h+var_C], edi
		lea	ecx, [esp+18h+var_8]
		mov	ebx, edi
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	1
		mov	edx, ecx
		mov	ecx, offset _ViTargetDriversAvl
		push	eax
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A64566
		mov	esi, [eax+1Ch]
		test	esi, esi
		jz	short loc_A64566
		lea	edi, [esi+8]
		mov	ecx, [edi]
		jmp	short loc_A64536
; 

loc_A64520:				; CODE XREF: VfTargetEtwUnregister(x,x,x)+70j
		mov	eax, [ecx+8]
		mov	ebx, ecx
		mov	edx, [ecx]
		cmp	eax, [ebp+arg_0]
		jnz	short loc_A64534
		mov	eax, [ecx+0Ch]
		cmp	eax, [ebp+arg_4]
		jz	short loc_A64586

loc_A64534:				; CODE XREF: VfTargetEtwUnregister(x,x,x)+62j
		mov	ecx, edx

loc_A64536:				; CODE XREF: VfTargetEtwUnregister(x,x,x)+56j
		cmp	ecx, edi
		jnz	short loc_A64520
		xor	edi, edi
		cmp	dword_6C6EA8, edi
		jnz	short loc_A64566
		test	byte ptr [esi+10h], 1
		jnz	short loc_A64566
		test	_MmVerifierData, 800h
		jz	short loc_A64566
		push	edi
		mov	edx, 0DCh
		push	edi
		push	edi
		lea	ecx, [edx-18h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A64566:				; CODE XREF: VfTargetEtwUnregister(x,x,x)+48j
					; VfTargetEtwUnregister(x,x,x)+4Fj ...
		lea	ecx, [esp+18h+var_8]
		call	VfAvlCleanupLockContext
		cmp	[esp+18h+var_C], 0
		jz	short loc_A6457D
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A6457D:				; CODE XREF: VfTargetEtwUnregister(x,x,x)+20j
					; VfTargetEtwUnregister(x,x,x)+ACj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
; 

loc_A64586:				; CODE XREF: VfTargetEtwUnregister(x,x,x)+6Aj
		mov	[esp+18h+var_C], 1
		cmp	[edx+4], ecx
		jnz	short loc_A645A3
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_A645A3
		mov	[eax], edx
		xor	edi, edi
		mov	[edx+4], eax
		jmp	short loc_A64566
; 

loc_A645A3:				; CODE XREF: VfTargetEtwUnregister(x,x,x)+C9j
					; VfTargetEtwUnregister(x,x,x)+D0j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall VfTargetWMIRegistrationControl(x, x, x)
_VfTargetWMIRegistrationControl@12:	; CODE XREF: VerifierIoWMIRegistrationControl(x,x)+Ep
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	_VfSafeMode, 0
		push	esi
		mov	esi, ecx
		jnz	short loc_A645E8
		test	edx, edx
		jns	short loc_A645E8
		and	edx, 7FFFFFFFh
		sub	edx, 1
		jz	short loc_A645DE
		sub	edx, 1
		jz	short loc_A645EF
		sub	edx, 1
		jnz	short loc_A645E8
		mov	edx, [ebp+arg_0]
		call	_ViTargetWMIDeregister@8 ; ViTargetWMIDeregister(x,x)

loc_A645DE:				; CODE XREF: VfTargetEtwUnregister(x,x,x)+102j
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_ViTargetWMIRegister@8 ; ViTargetWMIRegister(x,x)

loc_A645E8:				; CODE XREF: VfTargetEtwUnregister(x,x,x)+F3j
					; VfTargetEtwUnregister(x,x,x)+F7j ...
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_A645EF:				; CODE XREF: VfTargetEtwUnregister(x,x,x)+107j
		mov	edx, [ebp+arg_0]
		call	_ViTargetWMIDeregister@8 ; ViTargetWMIDeregister(x,x)
		jmp	short loc_A645E8
_VfTargetEtwUnregister@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViTargetAddCountersCallback(x, x)
_ViTargetAddCountersCallback@8 proc near ; DATA	XREF: VfTargetDriversGetCounters(x,x,x)+3Ao

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, [eax+1Ch]
		test	edx, edx
		jz	loc_A64739
		mov	eax, [edx]
		push	esi
		mov	esi, [ebp+arg_4]
		cmp	eax, [esi]
		jnz	loc_A64738
		mov	eax, [edx+34h]
		mov	ecx, [esi+4]
		add	[ecx+58h], eax
		mov	eax, [edx+38h]
		add	[ecx+5Ch], eax
		mov	eax, [edx+3Ch]
		add	[ecx+60h], eax
		mov	eax, [edx+40h]
		add	[ecx+64h], eax
		mov	eax, [edx+44h]
		add	[ecx+68h], eax
		mov	eax, [edx+48h]
		add	[ecx+6Ch], eax
		mov	eax, [edx+4Ch]
		add	[ecx+70h], eax
		mov	eax, [edx+50h]
		add	[ecx+74h], eax
		cmp	dword ptr [esi+8], 0
		jz	loc_A64738
		mov	eax, [edx+54h]
		add	[ecx+78h], eax
		mov	eax, [edx+58h]
		add	[ecx+7Ch], eax
		mov	eax, [edx+5Ch]
		add	[ecx+80h], eax
		mov	eax, [edx+60h]
		add	[ecx+84h], eax
		mov	eax, [edx+64h]
		add	[ecx+88h], eax
		mov	eax, [edx+68h]
		add	[ecx+8Ch], eax
		mov	eax, [edx+6Ch]
		add	[ecx+90h], eax
		mov	eax, [edx+70h]
		add	[ecx+94h], eax
		mov	eax, [edx+74h]
		add	[ecx+98h], eax
		mov	eax, [edx+78h]
		add	[ecx+9Ch], eax
		mov	eax, [edx+7Ch]
		add	[ecx+0A0h], eax
		mov	eax, [edx+80h]
		add	[ecx+0A4h], eax
		mov	eax, [edx+84h]
		add	[ecx+0A8h], eax
		mov	eax, [edx+88h]
		add	[ecx+0ACh], eax
		mov	eax, [edx+8Ch]
		add	[ecx+0B0h], eax
		mov	eax, [edx+90h]
		add	[ecx+0B4h], eax
		mov	eax, [edx+9Ch]
		add	[ecx+0B8h], eax
		mov	eax, [edx+0A0h]
		add	[ecx+0BCh], eax
		mov	eax, [edx+0A4h]
		add	[ecx+0C0h], eax
		mov	eax, [edx+0A8h]
		add	[ecx+0C4h], eax
		mov	eax, [edx+0ACh]
		add	[ecx+0C8h], eax
		mov	eax, [edx+0B0h]
		add	[ecx+0CCh], eax

loc_A64738:				; CODE XREF: ViTargetAddCountersCallback(x,x)+1Bj
					; ViTargetAddCountersCallback(x,x)+58j
		pop	esi

loc_A64739:				; CODE XREF: ViTargetAddCountersCallback(x,x)+Dj
		xor	eax, eax
		inc	eax
		pop	ebp
		retn	8
_ViTargetAddCountersCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViTargetAddToCounter(x, x, x, x)
_ViTargetAddToCounter@16 proc near	; CODE XREF: VerifierMmAllocateNodePagesForMdlEx(x,x,x,x,x,x,x,x,x,x)+7Ap
					; VerifierMmAllocatePagesForMdl(x,x,x,x,x,x,x)+6Ep ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		and	[esp+8+var_8], 0
		and	[esp+8+var_4], 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_ViTargetUpdateTreeAllowed@0 ; ViTargetUpdateTreeAllowed()
		test	eax, eax
		jz	short loc_A647B6
		xor	edx, edx
		lea	ecx, [esp+10h+var_8]
		inc	edx
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	edx
		mov	edx, ecx
		mov	ecx, offset _ViTargetDriversAvl
		push	esi
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A647AD
		mov	ecx, [eax+1Ch]
		test	ecx, ecx
		jz	short loc_A647AD
		mov	esi, [ebp+arg_4]
		lea	eax, [ecx+edi]
		lock xadd [eax], esi
		mov	edi, [ebp+arg_0]
		add	esi, [ebp+arg_4]
		add	edi, ecx
		jmp	short loc_A647A7
; 

loc_A6479B:				; CODE XREF: ViTargetAddToCounter(x,x,x,x)+6Bj
		mov	ecx, esi
		mov	eax, edx
		lock cmpxchg [edi], ecx
		cmp	eax, edx
		jz	short loc_A647AD

loc_A647A7:				; CODE XREF: ViTargetAddToCounter(x,x,x,x)+59j
		mov	edx, [edi]
		cmp	edx, esi
		jbe	short loc_A6479B

loc_A647AD:				; CODE XREF: ViTargetAddToCounter(x,x,x,x)+3Ej
					; ViTargetAddToCounter(x,x,x,x)+45j ...
		lea	ecx, [esp+10h+var_8]
		call	VfAvlCleanupLockContext

loc_A647B6:				; CODE XREF: ViTargetAddToCounter(x,x,x,x)+20j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
_ViTargetAddToCounter@16 endp


;  S U B	R O U T	I N E 


; __stdcall ViTargetDriversAllocateVerifiedData(x)
_ViTargetDriversAllocateVerifiedData@4 proc near ; CODE	XREF: VfTargetDriversAdd:loc_5DC6C8p
					; VfTargetDriversEnableVerifier(x,x)+27p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	44566656h
		mov	ebx, 0B8h
		mov	edi, ecx
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A647EC
		xor	ecx, ecx
		mov	eax, offset _ViTargetAllocationFailures
		inc	ecx
		xchg	ecx, [eax]
		jmp	short loc_A6481D
; 

loc_A647EC:				; CODE XREF: ViTargetDriversAllocateVerifiedData(x)+20j
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	[esi], edi
		lea	eax, [esi+8]
		mov	[eax+4], eax
		lea	edi, [esi+20h]
		mov	[eax], eax
		add	esp, 0Ch
		mov	dword ptr [esi+14h], 98761940h
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esi+94h]
		mov	[eax+4], eax
		mov	[eax], eax

loc_A6481D:				; CODE XREF: ViTargetDriversAllocateVerifiedData(x)+2Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_ViTargetDriversAllocateVerifiedData@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViTargetFreeContiguousMemory(x, x)
_ViTargetFreeContiguousMemory@8	proc near ; CODE XREF: VerifierMmFreeContiguousMemory(x)+14p
					; VerifierMmFreeContiguousMemorySpecifyCache(x,x,x)+14p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		and	[esp+8+var_8], 0
		and	[esp+8+var_4], 0
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		call	_ViTargetUpdateTreeAllowed@0 ; ViTargetUpdateTreeAllowed()
		test	eax, eax
		jz	short loc_A64888
		xor	edx, edx
		lea	ecx, [esp+10h+var_8]
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	1
		mov	edx, ecx
		mov	ecx, offset _ViTargetDriversAvl
		push	edi
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A64870
		mov	edx, eax
		mov	ecx, esi
		call	_ViTargetFreeContiguousMemoryFromNode@8	; ViTargetFreeContiguousMemoryFromNode(x,x)
		test	eax, eax
		jnz	short loc_A6487F

loc_A64870:				; CODE XREF: ViTargetFreeContiguousMemory(x,x)+3Ej
		push	esi
		push	offset _ViTargetFreeContiguousMemoryCallback@8 ; ViTargetFreeContiguousMemoryCallback(x,x)
		lea	edx, [esp+18h+var_8]
		call	_VfAvlEnumerateNodes@16	; VfAvlEnumerateNodes(x,x,x,x)

loc_A6487F:				; CODE XREF: ViTargetFreeContiguousMemory(x,x)+4Bj
		lea	ecx, [esp+10h+var_8]
		call	VfAvlCleanupLockContext

loc_A64888:				; CODE XREF: ViTargetFreeContiguousMemory(x,x)+20j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_ViTargetFreeContiguousMemory@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViTargetFreeContiguousMemoryCallback(x, x)
_ViTargetFreeContiguousMemoryCallback@8	proc near
					; DATA XREF: ViTargetFreeContiguousMemory(x,x)+4Eo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+arg_4]
		call	_ViTargetFreeContiguousMemoryFromNode@8	; ViTargetFreeContiguousMemoryFromNode(x,x)
		neg	eax
		sbb	eax, eax
		inc	eax
		pop	ebp
		retn	8
_ViTargetFreeContiguousMemoryCallback@8	endp


;  S U B	R O U T	I N E 


; __stdcall ViTargetFreeContiguousMemoryFromNode(x, x)
_ViTargetFreeContiguousMemoryFromNode@8	proc near
					; CODE XREF: ViTargetFreeContiguousMemory(x,x)+44p
					; ViTargetFreeContiguousMemoryCallback(x,x)+Bp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, [edx+1Ch]
		test	edi, edi
		jz	short loc_A648C9
		lea	esi, [edi+94h]
		mov	edx, [esi]
		jmp	short loc_A648C5
; 

loc_A648BC:				; CODE XREF: ViTargetFreeContiguousMemoryFromNode(x,x)+20j
		mov	eax, [edx]
		cmp	[edx+8], ecx
		jz	short loc_A648CE
		mov	edx, eax

loc_A648C5:				; CODE XREF: ViTargetFreeContiguousMemoryFromNode(x,x)+13j
		cmp	edx, esi
		jnz	short loc_A648BC

loc_A648C9:				; CODE XREF: ViTargetFreeContiguousMemoryFromNode(x,x)+9j
		xor	eax, eax

loc_A648CB:				; CODE XREF: ViTargetFreeContiguousMemoryFromNode(x,x)+4Aj
		pop	edi
		pop	esi
		retn
; 

loc_A648CE:				; CODE XREF: ViTargetFreeContiguousMemoryFromNode(x,x)+1Aj
		cmp	[eax+4], edx
		jnz	short loc_A648F3
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	short loc_A648F3
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	eax, [edx+0Ch]
		sub	[edi+8Ch], eax
		push	edx
		call	_VfUtilFreePoolDispatchLevel@4 ; VfUtilFreePoolDispatchLevel(x)
		xor	eax, eax
		inc	eax
		jmp	short loc_A648CB
; 

loc_A648F3:				; CODE XREF: ViTargetFreeContiguousMemoryFromNode(x,x)+2Aj
					; ViTargetFreeContiguousMemoryFromNode(x,x)+31j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ViTargetFreeContiguousMemoryFromNode@8	endp ; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViTargetIncrementCounter(x,	x)
_ViTargetIncrementCounter@8 proc near	; CODE XREF: VfCheckImageCompliance(x)+FEp
					; VfCheckImageCompliance(x)+1A2p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		and	[esp+8+var_8], 0
		and	[esp+8+var_4], 0
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_ViTargetUpdateTreeAllowed@0 ; ViTargetUpdateTreeAllowed()
		test	eax, eax
		jz	short loc_A64957
		mov	ecx, esi
		call	_VfDriverIsKernelImageAddress@4	; VfDriverIsKernelImageAddress(x)
		test	eax, eax
		jnz	short loc_A64957
		xor	edx, edx
		lea	ecx, [esp+10h+var_8]
		inc	edx
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	edx
		mov	edx, ecx
		mov	ecx, offset _ViTargetDriversAvl
		push	esi
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A6494E
		mov	eax, [eax+1Ch]
		test	eax, eax
		jz	short loc_A6494E
		lock inc dword ptr [eax+edi]

loc_A6494E:				; CODE XREF: ViTargetIncrementCounter(x,x)+49j
					; ViTargetIncrementCounter(x,x)+50j
		lea	ecx, [esp+10h+var_8]
		call	VfAvlCleanupLockContext

loc_A64957:				; CODE XREF: ViTargetIncrementCounter(x,x)+20j
					; ViTargetIncrementCounter(x,x)+2Bj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_ViTargetIncrementCounter@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViTargetRemovingCheckContiguousMemory(x, x)
_ViTargetRemovingCheckContiguousMemory@8 proc near ; CODE XREF:	VfTargetDriversRemove+91F59p
		test	_MmVerifierData, 800h
		push	esi
		lea	esi, [ecx+94h]
		jz	short loc_A64989
		cmp	[esi], esi
		jz	short loc_A64989
		push	dword ptr [ecx+8Ch]
		push	ecx
		push	dword ptr [edx+30h]
		push	62h
		pop	edx
		lea	ecx, [edx+62h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A64989:				; CODE XREF: ViTargetRemovingCheckContiguousMemory(x,x)+11j
					; ViTargetRemovingCheckContiguousMemory(x,x)+15j ...
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_A649AF
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_A649AA
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_A649AA
		mov	[ecx], edx
		push	eax
		mov	[edx+4], ecx
		call	_VfUtilFreePoolDispatchLevel@4 ; VfUtilFreePoolDispatchLevel(x)
		jmp	short loc_A64989
; 

loc_A649AA:				; CODE XREF: ViTargetRemovingCheckContiguousMemory(x,x)+37j
					; ViTargetRemovingCheckContiguousMemory(x,x)+3Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A649AF:				; CODE XREF: ViTargetRemovingCheckContiguousMemory(x,x)+30j
		pop	esi
		retn
_ViTargetRemovingCheckContiguousMemory@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViTargetRemovingCheckEtwWmi(x, x)
_ViTargetRemovingCheckEtwWmi@8 proc near ; CODE	XREF: VfTargetDriversRemove+91F47p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, 800h
		push	edi
		mov	edi, edx
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_A649DF
		test	_MmVerifierData, ebx
		jz	short loc_A649DF
		push	0
		mov	edx, 0DAh
		push	eax
		push	edi
		lea	ecx, [edx-16h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A649DF:				; CODE XREF: ViTargetRemovingCheckEtwWmi(x,x)+13j
					; ViTargetRemovingCheckEtwWmi(x,x)+1Bj
		add	esi, 8
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_A64A27
		test	_MmVerifierData, ebx
		jz	short loc_A64A06
		push	dword ptr [eax+8]
		mov	edx, 0DDh
		push	edi
		push	dword ptr [eax+10h]
		lea	ecx, [edx-19h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)
		mov	eax, [esi]

loc_A64A06:				; CODE XREF: ViTargetRemovingCheckEtwWmi(x,x)+3Dj
					; ViTargetRemovingCheckEtwWmi(x,x)+74j
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_A64A2B
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_A64A2B
		push	0
		mov	[edx], ecx
		push	eax
		mov	[ecx+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esi]
		cmp	eax, esi
		jnz	short loc_A64A06

loc_A64A27:				; CODE XREF: ViTargetRemovingCheckEtwWmi(x,x)+35j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_A64A2B:				; CODE XREF: ViTargetRemovingCheckEtwWmi(x,x)+5Aj
					; ViTargetRemovingCheckEtwWmi(x,x)+61j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall ViTargetTrackContiguousMemory(x, x,	x)
_ViTargetTrackContiguousMemory@12:	; CODE XREF: VerifierMmAllocateContiguousMemory(x,x,x)+6Fp
					; VerifierMmAllocateContiguousMemorySpecifyCache(x,x,x,x,x,x,x,x)+94p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+20h+var_14], ecx
		mov	ebx, edx
		mov	[esp+20h+var_10], edi
		mov	[esp+20h+var_C], edi
		call	_ViTargetUpdateTreeAllowed@0 ; ViTargetUpdateTreeAllowed()
		test	eax, eax
		jz	loc_A64B01
		push	61436656h
		push	14h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A64B01
		mov	eax, [esp+20h+var_14]
		lea	ecx, [esp+20h+var_10]
		mov	[esi+8], ebx
		xor	edx, edx
		mov	ebx, [ebp+8]
		mov	[esi+0Ch], ebx
		mov	[esi+10h], eax
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	1
		mov	edx, ecx
		mov	ecx, offset _ViTargetDriversAvl
		push	eax
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A64AEE
		mov	eax, [eax+1Ch]
		test	eax, eax
		jz	short loc_A64AEE
		add	dword_6BE39C, ebx
		mov	ecx, [eax+8Ch]
		add	ecx, ebx
		mov	[eax+8Ch], ecx
		cmp	[eax+90h], ecx
		jnb	short loc_A64ACD
		mov	[eax+90h], ecx

loc_A64ACD:				; CODE XREF: ViTargetRemovingCheckEtwWmi(x,x)+114j
		mov	ecx, [eax+98h]
		add	eax, 94h
		cmp	[ecx], eax
		jz	short loc_A64AE1
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A64AE1:				; CODE XREF: ViTargetRemovingCheckEtwWmi(x,x)+129j
		mov	[esi], eax
		xor	edi, edi
		mov	[esi+4], ecx
		inc	edi
		mov	[ecx], esi
		mov	[eax+4], esi

loc_A64AEE:				; CODE XREF: ViTargetRemovingCheckEtwWmi(x,x)+F1j
					; ViTargetRemovingCheckEtwWmi(x,x)+F8j
		lea	ecx, [esp+20h+var_10]
		call	VfAvlCleanupLockContext
		test	edi, edi
		jnz	short loc_A64B01
		push	esi
		call	_VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)

loc_A64B01:				; CODE XREF: ViTargetRemovingCheckEtwWmi(x,x)+A4j
					; ViTargetRemovingCheckEtwWmi(x,x)+BFj	...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_ViTargetRemovingCheckEtwWmi@8 endp ; sp = -4


;  S U B	R O U T	I N E 


; __stdcall ViTargetUpdateTreeAllowed()
_ViTargetUpdateTreeAllowed@0 proc near	; CODE XREF: ViTargetAddToCounter(x,x,x,x)+19p
					; ViTargetFreeContiguousMemory(x,x)+19p ...
		mov	edi, edi
		push	esi
		xor	esi, esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	short loc_A64B22
		cmp	_ViTargetInitialized, esi
		jz	short loc_A64B22
		inc	esi

loc_A64B22:				; CODE XREF: ViTargetUpdateTreeAllowed()+Dj
					; ViTargetUpdateTreeAllowed()+15j
		mov	eax, esi
		pop	esi
		retn
_ViTargetUpdateTreeAllowed@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViTargetWMIDeregister(x, x)
_ViTargetWMIDeregister@8 proc near	; CODE XREF: VfTargetEtwUnregister(x,x,x)+111p
					; VfTargetEtwUnregister(x,x,x)+12Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		mov	eax, edx
		and	[ebp+var_4], 0
		xor	edx, edx
		push	esi
		mov	esi, ecx
		lea	ecx, [ebp+var_8]
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	1
		mov	edx, ecx
		mov	ecx, offset _ViTargetDriversAvl
		push	eax
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A64B6A
		mov	eax, [eax+1Ch]
		test	eax, eax
		jz	short loc_A64B6A
		cmp	[eax+4], esi
		jnz	short loc_A64B6A
		and	dword ptr [eax+4], 0
		jmp	short loc_A64B7E
; 

loc_A64B6A:				; CODE XREF: ViTargetWMIDeregister(x,x)+30j
					; ViTargetWMIDeregister(x,x)+37j ...
		inc	ds:_ViTargetWMIRegistrationMismatches
		lea	edx, [ebp+var_8]
		push	esi
		push	offset _ViTargetWMIDeregisterCallback@8	; ViTargetWMIDeregisterCallback(x,x)
		call	_VfAvlEnumerateNodes@16	; VfAvlEnumerateNodes(x,x,x,x)

loc_A64B7E:				; CODE XREF: ViTargetWMIDeregister(x,x)+42j
		lea	ecx, [ebp+var_8]
		call	VfAvlCleanupLockContext
		pop	esi
		leave
		retn
_ViTargetWMIDeregister@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViTargetWMIDeregisterCallback(x, x)
_ViTargetWMIDeregisterCallback@8 proc near ; DATA XREF:	ViTargetWMIDeregister(x,x)+4Eo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+1Ch]
		test	ecx, ecx
		jz	short loc_A64BAE
		mov	eax, [ecx+4]
		cmp	eax, [ebp+arg_4]
		jnz	short loc_A64BAE
		and	dword ptr [ecx+4], 0
		inc	ds:dword_AAF4F4
		xor	eax, eax
		jmp	short loc_A64BB1
; 

loc_A64BAE:				; CODE XREF: ViTargetWMIDeregisterCallback(x,x)+Dj
					; ViTargetWMIDeregisterCallback(x,x)+15j
		xor	eax, eax
		inc	eax

loc_A64BB1:				; CODE XREF: ViTargetWMIDeregisterCallback(x,x)+23j
		pop	ebp
		retn	8
_ViTargetWMIDeregisterCallback@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViTargetWMIRegister(x, x)
_ViTargetWMIRegister@8 proc near	; CODE XREF: VfTargetEtwUnregister(x,x,x)+11Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		mov	eax, edx
		and	[ebp+var_4], 0
		xor	edx, edx
		push	esi
		mov	esi, ecx
		inc	edx
		lea	ecx, [ebp+var_8]
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	edx
		mov	edx, ecx
		mov	ecx, offset _ViTargetDriversAvl
		push	eax
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A64BF1
		mov	eax, [eax+1Ch]
		test	eax, eax
		jz	short loc_A64BF1
		mov	[eax+4], esi

loc_A64BF1:				; CODE XREF: ViTargetWMIRegister(x,x)+30j
					; ViTargetWMIRegister(x,x)+37j
		lea	ecx, [ebp+var_8]
		call	VfAvlCleanupLockContext
		pop	esi
		leave
		retn
_ViTargetWMIRegister@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfMajorAdvanceIrpStatus(x,	x, x)
@VfMajorAdvanceIrpStatus@12 proc near	; CODE XREF: IovpCompleteRequest2(x,x)+189p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	_VfVerifyMode, 2
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		jle	short loc_A64C64
		test	_MmVerifierData, 1000h
		jz	short loc_A64C64
		push	ebx
		mov	bl, [esi]
		cmp	bl, 1Bh
		ja	short loc_A64C29
		movzx	eax, bl
		jmp	short loc_A64C34
; 

loc_A64C29:				; CODE XREF: VfMajorAdvanceIrpStatus(x,x,x)+26j
		xor	eax, eax
		cmp	bl, 0FFh
		setnz	al
		add	eax, 1Ch

loc_A64C34:				; CODE XREF: VfMajorAdvanceIrpStatus(x,x,x)+2Bj
		imul	eax, 30h
		pop	ebx
		mov	eax, ds:dword_AB006C[eax]
		test	eax, eax
		jz	short loc_A64C50
		push	[ebp+arg_0]
		call	eax
		test	eax, eax
		jz	short loc_A64C50
		xor	eax, eax
		inc	eax
		jmp	short loc_A64C66
; 

loc_A64C50:				; CODE XREF: VfMajorAdvanceIrpStatus(x,x,x)+44j
					; VfMajorAdvanceIrpStatus(x,x,x)+4Dj
		mov	eax, ds:dword_AB05AC
		test	eax, eax
		jz	short loc_A64C64
		push	[ebp+arg_0]
		mov	edx, edi
		mov	ecx, esi
		call	eax
		jmp	short loc_A64C66
; 

loc_A64C64:				; CODE XREF: VfMajorAdvanceIrpStatus(x,x,x)+12j
					; VfMajorAdvanceIrpStatus(x,x,x)+1Ej ...
		xor	eax, eax

loc_A64C66:				; CODE XREF: VfMajorAdvanceIrpStatus(x,x,x)+52j
					; VfMajorAdvanceIrpStatus(x,x,x)+66j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
@VfMajorAdvanceIrpStatus@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfMajorBuildIrpLogEntry(x,	x, x, x)
@VfMajorBuildIrpLogEntry@16 proc near	; CODE XREF: VfIrpLogRecordEvent(x,x,x)+16Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, ds:dword_AB05C4
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, edx
		push	edi
		mov	edi, ecx
		test	eax, eax
		jz	short loc_A64C8D
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax
		mov	esi, eax

loc_A64C8D:				; CODE XREF: VfMajorBuildIrpLogEntry(x,x,x,x)+15j
		mov	ecx, [edi+60h]
		movzx	ecx, byte ptr [ecx-24h]
		cmp	ecx, 1Bh
		jbe	short loc_A64CA7
		xor	eax, eax
		cmp	ecx, 0FFh
		setnz	al
		lea	ecx, [eax+1Ch]

loc_A64CA7:				; CODE XREF: VfMajorBuildIrpLogEntry(x,x,x,x)+2Bj
		imul	eax, ecx, 30h
		mov	eax, ds:dword_AB0084[eax]
		test	eax, eax
		jz	short loc_A64CC2
		push	[ebp+arg_4]
		mov	edx, ebx
		mov	ecx, edi
		push	[ebp+arg_0]
		call	eax
		mov	esi, eax

loc_A64CC2:				; CODE XREF: VfMajorBuildIrpLogEntry(x,x,x,x)+46j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
@VfMajorBuildIrpLogEntry@16 endp


;  S U B	R O U T	I N E 


; __fastcall VfMajorIsNewRequest(x, x)
@VfMajorIsNewRequest@8 proc near	; CODE XREF: ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+47p
					; IovpCallDriver1(x)+1C5p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	bl, [esi]
		cmp	bl, 1Bh
		ja	short loc_A64CE0
		movzx	eax, bl
		jmp	short loc_A64CEB
; 

loc_A64CE0:				; CODE XREF: VfMajorIsNewRequest(x,x)+Ej
		xor	eax, eax
		cmp	bl, 0FFh
		setnz	al
		add	eax, 1Ch

loc_A64CEB:				; CODE XREF: VfMajorIsNewRequest(x,x)+13j
		imul	eax, 30h
		mov	eax, ds:dword_AB0074[eax]
		test	eax, eax
		jz	short loc_A64D03
		call	eax
		test	eax, eax
		jz	short loc_A64D03
		xor	eax, eax
		inc	eax
		jmp	short loc_A64D17
; 

loc_A64D03:				; CODE XREF: VfMajorIsNewRequest(x,x)+2Bj
					; VfMajorIsNewRequest(x,x)+31j
		mov	eax, ds:dword_AB05B4
		test	eax, eax
		jz	short loc_A64D15
		mov	ecx, edi
		mov	edx, esi
		pop	edi
		pop	esi
		pop	ebx
		jmp	eax
; 

loc_A64D15:				; CODE XREF: VfMajorIsNewRequest(x,x)+3Fj
		xor	eax, eax

loc_A64D17:				; CODE XREF: VfMajorIsNewRequest(x,x)+36j
		pop	edi
		pop	esi
		pop	ebx
		retn
@VfMajorIsNewRequest@8 endp


;  S U B	R O U T	I N E 


; __fastcall VfMajorIsValidIrpStatus(x,	x)
@VfMajorIsValidIrpStatus@8 proc	near	; CODE XREF: ViGenericVerifyIrpStackDownward(x,x,x,x,x,x,x)+134p
					; ViGenericVerifyIrpStackUpward(x,x,x,x,x,x)+78p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	bl, [esi]
		cmp	bl, 1Bh
		ja	short loc_A64D30
		movzx	eax, bl
		jmp	short loc_A64D3B
; 

loc_A64D30:				; CODE XREF: VfMajorIsValidIrpStatus(x,x)+Ej
		xor	eax, eax
		cmp	bl, 0FFh
		setnz	al
		add	eax, 1Ch

loc_A64D3B:				; CODE XREF: VfMajorIsValidIrpStatus(x,x)+13j
		imul	eax, 30h
		mov	eax, ds:dword_AB0070[eax]
		test	eax, eax
		jz	short loc_A64D4E
		call	eax
		test	eax, eax
		jz	short loc_A64D60

loc_A64D4E:				; CODE XREF: VfMajorIsValidIrpStatus(x,x)+2Bj
		mov	eax, ds:dword_AB05B0
		test	eax, eax
		jz	short loc_A64D60
		mov	edx, edi
		mov	ecx, esi
		pop	edi
		pop	esi
		pop	ebx
		jmp	eax
; 

loc_A64D60:				; CODE XREF: VfMajorIsValidIrpStatus(x,x)+31j
					; VfMajorIsValidIrpStatus(x,x)+3Aj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		retn
@VfMajorIsValidIrpStatus@8 endp


;  S U B	R O U T	I N E 


; __fastcall VfMajorTestStartedPdoStack(x)
@VfMajorTestStartedPdoStack@4 proc near	; CODE XREF: PpvUtilTestStartedPdoStack(x)+7j
		mov	edi, edi
		push	edi
		mov	edi, ecx
		call	_IovUtilIsVerifiedDeviceStack@4	; IovUtilIsVerifiedDeviceStack(x)
		test	eax, eax
		jz	short loc_A64DBD
		cmp	_VfVerifyMode, 2
		jle	short loc_A64DBD
		push	esi
		xor	esi, esi
		cmp	esi, 1Bh
		ja	short loc_A64D89

loc_A64D85:				; CODE XREF: VfMajorTestStartedPdoStack(x)+46j
		mov	eax, esi
		jmp	short loc_A64D97
; 

loc_A64D89:				; CODE XREF: VfMajorTestStartedPdoStack(x)+1Dj
		xor	eax, eax
		cmp	esi, 0FFh
		setnz	al
		add	eax, 1Ch

loc_A64D97:				; CODE XREF: VfMajorTestStartedPdoStack(x)+21j
		imul	eax, 30h
		mov	eax, ds:dword_AB0080[eax]
		test	eax, eax
		jz	short loc_A64DA8
		mov	ecx, edi
		call	eax

loc_A64DA8:				; CODE XREF: VfMajorTestStartedPdoStack(x)+3Cj
		inc	esi
		cmp	esi, 1Bh
		jbe	short loc_A64D85
		mov	eax, ds:dword_AB05C0
		pop	esi
		test	eax, eax
		jz	short loc_A64DBD
		mov	ecx, edi
		pop	edi
		jmp	eax
; 

loc_A64DBD:				; CODE XREF: VfMajorTestStartedPdoStack(x)+Cj
					; VfMajorTestStartedPdoStack(x)+15j ...
		pop	edi
		retn
@VfMajorTestStartedPdoStack@4 endp


;  S U B	R O U T	I N E 


; __fastcall VfMajorVerifyFinalIrpStack(x, x)
@VfMajorVerifyFinalIrpStack@8 proc near	; CODE XREF: IovpCompleteRequest2(x,x)+1F5p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	bl, [esi]
		cmp	bl, 1Bh
		ja	short loc_A64DD4
		movzx	eax, bl
		jmp	short loc_A64DDF
; 

loc_A64DD4:				; CODE XREF: VfMajorVerifyFinalIrpStack(x,x)+Ej
		xor	eax, eax
		cmp	bl, 0FFh
		setnz	al
		add	eax, 1Ch

loc_A64DDF:				; CODE XREF: VfMajorVerifyFinalIrpStack(x,x)+13j
		imul	eax, 30h
		mov	eax, ds:dword_AB007C[eax]
		test	eax, eax
		jz	short loc_A64DEE
		call	eax

loc_A64DEE:				; CODE XREF: VfMajorVerifyFinalIrpStack(x,x)+2Bj
		mov	eax, ds:dword_AB05BC
		test	eax, eax
		jz	short loc_A64E00
		mov	ecx, edi
		mov	edx, esi
		pop	edi
		pop	esi
		pop	ebx
		jmp	eax
; 

loc_A64E00:				; CODE XREF: VfMajorVerifyFinalIrpStack(x,x)+36j
		pop	edi
		pop	esi
		pop	ebx
		retn
@VfMajorVerifyFinalIrpStack@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfMajorVerifyIrpStackDownward(x, x, x, x, x, x)
@VfMajorVerifyIrpStackDownward@24 proc near ; CODE XREF: IovpCallDriver1(x)+36Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], ecx
		mov	bl, [edi]
		cmp	bl, 1Bh
		ja	short loc_A64E23
		movzx	eax, bl
		jmp	short loc_A64E2E
; 

loc_A64E23:				; CODE XREF: VfMajorVerifyIrpStackDownward(x,x,x,x,x,x)+18j
		xor	eax, eax
		cmp	bl, 0FFh
		setnz	al
		add	eax, 1Ch

loc_A64E2E:				; CODE XREF: VfMajorVerifyIrpStackDownward(x,x,x,x,x,x)+1Dj
		mov	esi, [ebp+arg_8]
		imul	eax, 30h
		mov	eax, ds:dword_AB0060[eax]
		test	eax, eax
		jz	short loc_A64E51
		push	[ebp+arg_C]
		push	esi
		push	dword ptr [esi+8]
		push	edi
		push	[ebp+arg_0]
		call	eax
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]

loc_A64E51:				; CODE XREF: VfMajorVerifyIrpStackDownward(x,x,x,x,x,x)+38j
		mov	eax, ds:dword_AB05A0
		test	eax, eax
		jz	short loc_A64E67
		push	[ebp+arg_C]
		push	esi
		push	dword ptr [esi+8]
		push	edi
		push	[ebp+arg_0]
		call	eax

loc_A64E67:				; CODE XREF: VfMajorVerifyIrpStackDownward(x,x,x,x,x,x)+54j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
@VfMajorVerifyIrpStackDownward@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfMajorVerifyIrpStackUpward(x, x, x, x, x)
@VfMajorVerifyIrpStackUpward@20	proc near ; CODE XREF: IovpCompleteRequest2(x,x)+D5p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	bl, [edi]
		cmp	bl, 1Bh
		ja	short loc_A64E88
		movzx	eax, bl
		jmp	short loc_A64E93
; 

loc_A64E88:				; CODE XREF: VfMajorVerifyIrpStackUpward(x,x,x,x,x)+13j
		xor	eax, eax
		cmp	bl, 0FFh
		setnz	al
		add	eax, 1Ch

loc_A64E93:				; CODE XREF: VfMajorVerifyIrpStackUpward(x,x,x,x,x)+18j
		mov	esi, [ebp+arg_0]
		imul	eax, 30h
		mov	eax, ds:dword_AB0064[eax]
		test	eax, eax
		jz	short loc_A64EB2
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		push	dword ptr [esi+8]
		call	eax
		mov	ecx, [ebp+var_4]

loc_A64EB2:				; CODE XREF: VfMajorVerifyIrpStackUpward(x,x,x,x,x)+33j
		mov	eax, ds:dword_AB05A4
		test	eax, eax
		jz	short loc_A64EC9
		push	[ebp+arg_8]
		mov	edx, edi
		push	[ebp+arg_4]
		push	esi
		push	dword ptr [esi+8]
		call	eax

loc_A64EC9:				; CODE XREF: VfMajorVerifyIrpStackUpward(x,x,x,x,x)+4Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
@VfMajorVerifyIrpStackUpward@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfMajorVerifyNewIrp(x, x, x, x, x)
@VfMajorVerifyNewIrp@20	proc near	; CODE XREF: IovpCallDriver1(x)+333p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	bl, [esi]
		cmp	bl, 1Bh
		ja	short loc_A64EED
		movzx	eax, bl
		jmp	short loc_A64EF8
; 

loc_A64EED:				; CODE XREF: VfMajorVerifyNewIrp(x,x,x,x,x)+16j
		xor	eax, eax
		cmp	bl, 0FFh
		setnz	al
		add	eax, 1Ch

loc_A64EF8:				; CODE XREF: VfMajorVerifyNewIrp(x,x,x,x,x)+1Bj
		imul	eax, 30h
		mov	eax, ds:dword_AB0078[eax]
		test	eax, eax
		jz	short loc_A64F11
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	eax
		mov	ecx, [ebp+var_4]

loc_A64F11:				; CODE XREF: VfMajorVerifyNewIrp(x,x,x,x,x)+33j
		mov	eax, ds:dword_AB05B8
		test	eax, eax
		jz	short loc_A64F25
		push	[ebp+arg_8]
		mov	edx, edi
		push	[ebp+arg_4]
		push	esi
		call	eax

loc_A64F25:				; CODE XREF: VfMajorVerifyNewIrp(x,x,x,x,x)+48j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
@VfMajorVerifyNewIrp@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfMajorVerifyNewRequest(x,	x, x, x, x, x)
@VfMajorVerifyNewRequest@24 proc near	; CODE XREF: IovpCallDriver1(x)+358p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		mov	bl, [esi]
		cmp	bl, 1Bh
		ja	short loc_A64F49
		movzx	eax, bl
		jmp	short loc_A64F54
; 

loc_A64F49:				; CODE XREF: VfMajorVerifyNewRequest(x,x,x,x,x,x)+16j
		xor	eax, eax
		cmp	bl, 0FFh
		setnz	al
		add	eax, 1Ch

loc_A64F54:				; CODE XREF: VfMajorVerifyNewRequest(x,x,x,x,x,x)+1Bj
		imul	eax, 30h
		mov	eax, ds:dword_AB005C[eax]
		test	eax, eax
		jz	short loc_A64F70
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	esi
		push	[ebp+arg_0]
		call	eax
		mov	ecx, [ebp+var_4]

loc_A64F70:				; CODE XREF: VfMajorVerifyNewRequest(x,x,x,x,x,x)+33j
		mov	eax, ds:dword_AB059C
		test	eax, eax
		jz	short loc_A64F87
		push	[ebp+arg_C]
		mov	edx, edi
		push	[ebp+arg_8]
		push	esi
		push	[ebp+arg_0]
		call	eax

loc_A64F87:				; CODE XREF: VfMajorVerifyNewRequest(x,x,x,x,x,x)+4Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
@VfMajorVerifyNewRequest@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfMajorRegisterHandlers(x, x, x, x,	x, x, x, x, x, x, x, x,	x)
_VfMajorRegisterHandlers@52 proc near	; CODE XREF: VfInitVerifierComponents(x,x,x)+149p
					; VfInitVerifierComponents(x,x,x)+174p	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	cl, 0FFh
		jz	short loc_A64F9D
		cmp	cl, 1Bh
		ja	short loc_A64FFF

loc_A64F9D:				; CODE XREF: VfMajorRegisterHandlers(x,x,x,x,x,x,x,x,x,x,x,x,x)+8j
		cmp	cl, 1Bh
		ja	short loc_A64FA7
		movzx	eax, cl
		jmp	short loc_A64FB2
; 

loc_A64FA7:				; CODE XREF: VfMajorRegisterHandlers(x,x,x,x,x,x,x,x,x,x,x,x,x)+12j
		xor	eax, eax
		cmp	cl, 0FFh
		setnz	al
		add	eax, 1Ch

loc_A64FB2:				; CODE XREF: VfMajorRegisterHandlers(x,x,x,x,x,x,x,x,x,x,x,x,x)+17j
		imul	ecx, eax, 30h
		mov	eax, [ebp+arg_0]
		add	ecx, offset _ViMajorVerifierRoutines
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_4]
		mov	[ecx+8], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+0Ch], eax
		mov	eax, [ebp+arg_C]
		mov	[ecx+10h], eax
		mov	eax, [ebp+arg_10]
		mov	[ecx+14h], eax
		mov	eax, [ebp+arg_14]
		mov	[ecx+18h], eax
		mov	eax, [ebp+arg_18]
		mov	[ecx+1Ch], eax
		mov	eax, [ebp+arg_1C]
		mov	[ecx+20h], eax
		mov	eax, [ebp+arg_20]
		mov	[ecx+24h], eax
		mov	eax, [ebp+arg_24]
		mov	[ecx+28h], eax
		mov	eax, [ebp+arg_28]
		mov	[ecx], edx
		mov	[ecx+2Ch], eax

loc_A64FFF:				; CODE XREF: VfMajorRegisterHandlers(x,x,x,x,x,x,x,x,x,x,x,x,x)+Dj
		pop	ebp
		retn	2Ch
_VfMajorRegisterHandlers@52 endp


;  S U B	R O U T	I N E 


; __stdcall VfErrorReleaseTriageInformation()
_VfErrorReleaseTriageInformation@0 proc	near
					; CODE XREF: VfReportIssueWithOptions(x,x,x,x,x,x)+A0p
		xor	eax, eax
		mov	ecx, offset _VfErrorBugcheckDataReady
		xchg	eax, [ecx]
		retn
_VfErrorReleaseTriageInformation@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfErrorReport7(x, x, x, x)
_VfErrorReport7@16 proc	near		; CODE XREF: PpvUtilFailDriver(x,x,x,x)+36j
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	_ViErrorReport7@16 ; ViErrorReport7(x,x,x,x)
_VfErrorReport7@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfErrorReport8(x, x, x)
_VfErrorReport8@12 proc	near		; CODE XREF: PpvUtilFailDriver(x,x,x,x)+2Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	[ebp+arg_0]	; int
		call	_ViErrorReport8@12 ; ViErrorReport8(x,x,x)
		pop	ecx
		pop	ebp
		retn	4
_VfErrorReport8@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfErrorStoreTriageInformation(x, x,	x, x, x)
_VfErrorStoreTriageInformation@20 proc near
					; CODE XREF: VfReportIssueWithOptions(x,x,x,x,x,x)+95p
					; ViErrorFinishReport(x,x,x,x)+45p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		inc	esi
		push	edi
		mov	eax, esi
		mov	edi, offset _VfErrorBugcheckDataReady
		xchg	eax, [edi]
		test	eax, eax
		jnz	short loc_A65068
		mov	eax, [ebp+arg_0]
		mov	ds:_VfErrorBugcheckData, ecx
		mov	ds:dword_AB0BD4, edx
		mov	ds:dword_AB0BD8, eax
		mov	eax, [ebp+arg_4]
		mov	ds:dword_AB0BDC, eax
		mov	eax, [ebp+arg_8]
		mov	ds:dword_AB0BE0, eax
		jmp	short loc_A6506A
; 

loc_A65068:				; CODE XREF: VfErrorStoreTriageInformation(x,x,x,x,x)+15j
		xor	esi, esi

loc_A6506A:				; CODE XREF: VfErrorStoreTriageInformation(x,x,x,x,x)+3Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
_VfErrorStoreTriageInformation@20 endp


;  S U B	R O U T	I N E 


; __stdcall ViErrorDisableBreak(x)
_ViErrorDisableBreak@4 proc near	; CODE XREF: ViErrorFinishReport(x,x,x,x)+91p
		xor	edx, edx
		mov	eax, edx

loc_A65076:				; CODE XREF: ViErrorDisableBreak(x)+15j
		cmp	ds:_ViErrorDescriptions[eax], ecx
		jz	short loc_A6508A
		add	eax, 0Ch
		inc	edx
		cmp	eax, 2F4h
		jb	short loc_A65076
		retn
; 

loc_A6508A:				; CODE XREF: ViErrorDisableBreak(x)+Aj
		imul	eax, edx, 0Ch
		xor	ecx, ecx
		inc	ecx
		add	eax, offset byte_AA82C4
		lock or	[eax], ecx
		retn
_ViErrorDisableBreak@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViErrorDisplayDescription(x)
_ViErrorDisplayDescription@4 proc near	; CODE XREF: ViErrorReport10(x,x,x,x)+22p
					; ViErrorReport11(x,x,x,x)+1Cp	...
		mov	edi, edi
		push	esi		; char
		push	offset ??_C@_0GD@FPCOLGIN@?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK@JKADOLAD@ ; "***************************************"...
		mov	esi, ecx
		call	_VfUtilDbgPrint
		xor	edx, edx
		pop	ecx
		mov	eax, edx

loc_A650AD:				; CODE XREF: ViErrorDisplayDescription(x)+25j
		cmp	ds:_ViErrorDescriptions[eax], esi
		jz	short loc_A650C2
		add	eax, 0Ch
		inc	edx
		cmp	eax, 2F4h
		jb	short loc_A650AD
		pop	esi
		retn
; 

loc_A650C2:				; CODE XREF: ViErrorDisplayDescription(x)+1Aj
		imul	eax, edx, 0Ch
		push	ds:off_AA82C8[eax] ; char
		push	offset ??_C@_04LOAOMKLI@?$CFs?6?6@JKADOLAD@ ; char *
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx
		pop	esi
		retn
_ViErrorDisplayDescription@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViErrorFinishReport(int,int,int,int)
_ViErrorFinishReport@16	proc near	; CODE XREF: ViErrorReport10(x,x,x,x)+55p
					; ViErrorReport11(x,x,x,x)+54p	...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi		; char
		push	offset ??_C@_0DP@JBIHBAKA@?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK@JKADOLAD@ ; "***************************************"...
		mov	edi, edx
		mov	esi, ecx
		call	_VfUtilDbgPrint
		pop	ecx
		mov	ecx, esi
		call	_ViErrorIsBreakDisabled@4 ; ViErrorIsBreakDisabled(x)
		test	eax, eax
		jnz	loc_A6518D
		cmp	_KdDebuggerEnabled, al
		jz	short loc_A65171
		cmp	_KdDebuggerNotPresent, al
		jnz	short loc_A65171
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, 0C9h
		push	[ebp+arg_0]
		push	edi
		call	_VfErrorStoreTriageInformation@20 ; VfErrorStoreTriageInformation(x,x,x,x,x)
		nop
		int	3		; Trap to Debugger
		test	eax, eax
		jz	short loc_A65132
		xor	eax, eax
		mov	ecx, offset _VfErrorBugcheckDataReady
		xchg	eax, [ecx]

loc_A65132:				; CODE XREF: ViErrorFinishReport(x,x,x,x)+4Ej
					; ViErrorFinishReport(x,x,x,x)+8Bj
		push	2
		lea	eax, [ebp+var_4]
		push	eax
		push	offset ??_C@_0FE@LMJJFJKF@How?5would?5you?5like?5to?5proceed?3?5@JKADOLAD@
		call	_DbgPrompt@12	; DbgPrompt(x,x,x)
		movsx	eax, byte ptr [ebp+var_4]
		sub	eax, 42h
		jz	short loc_A65171
		dec	eax
		sub	eax, 1
		jz	short loc_A65168
		sub	eax, 0Eh
		jz	short loc_A6518D
		sub	eax, 10h
		jz	short loc_A65171
		dec	eax
		sub	eax, 1
		jz	short loc_A65168
		sub	eax, 0Eh
		jnz	short loc_A65132
		jmp	short loc_A6518D
; 

loc_A65168:				; CODE XREF: ViErrorFinishReport(x,x,x,x)+76j
					; ViErrorFinishReport(x,x,x,x)+86j
		mov	ecx, esi
		call	_ViErrorDisableBreak@4 ; ViErrorDisableBreak(x)
		jmp	short loc_A6518D
; 

loc_A65171:				; CODE XREF: ViErrorFinishReport(x,x,x,x)+2Dj
					; ViErrorFinishReport(x,x,x,x)+35j ...
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A6518D
		push	[ebp+arg_4]
		mov	edx, esi
		mov	ecx, 0C9h
		push	[ebp+arg_0]
		push	edi
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6518D:				; CODE XREF: ViErrorFinishReport(x,x,x,x)+21j
					; ViErrorFinishReport(x,x,x,x)+7Bj ...
		pop	edi
		pop	esi
		leave
		retn	8
_ViErrorFinishReport@16	endp


;  S U B	R O U T	I N E 


; __stdcall ViErrorIsBreakDisabled(x)
_ViErrorIsBreakDisabled@4 proc near	; CODE XREF: ViErrorFinishReport(x,x,x,x)+1Ap
		mov	edi, edi
		push	esi
		xor	esi, esi
		inc	esi
		xor	edx, edx
		mov	eax, edx

loc_A6519D:				; CODE XREF: ViErrorIsBreakDisabled(x)+1Bj
		cmp	ds:_ViErrorDescriptions[eax], ecx
		jz	short loc_A651B2
		add	eax, 0Ch
		inc	edx
		cmp	eax, 2F4h
		jb	short loc_A6519D
		jmp	short loc_A651C6
; 

loc_A651B2:				; CODE XREF: ViErrorIsBreakDisabled(x)+10j
		imul	eax, edx, 0Ch
		mov	al, ds:byte_AA82C4[eax]
		and	al, 1
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	esi, eax

loc_A651C6:				; CODE XREF: ViErrorIsBreakDisabled(x)+1Dj
		mov	eax, esi
		pop	esi
		retn
_ViErrorIsBreakDisabled@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfInitializeBranchTracing()
_VfInitializeBranchTracing@0 proc near	; CODE XREF: VfNotifyVerifierOfEvent(x)+D2p
		test	_MmVerifierData, 8000000h
		push	ebx
		push	esi
		push	edi
		jnz	short loc_A651E3
		mov	eax, 0C0000002h
		jmp	loc_A65325
; 

loc_A651E3:				; CODE XREF: VfInitializeBranchTracing()+Dj
		xor	edi, edi
		cmp	ds:_VfBTSInitialized, edi
		jz	short loc_A651F7
		mov	eax, 0C000042Ah
		jmp	loc_A65325
; 

loc_A651F7:				; CODE XREF: VfInitializeBranchTracing()+21j
		call	_ViIsBTSSupported@0 ; ViIsBTSSupported()
		test	eax, eax
		jz	loc_A65320
		push	80h		; size_t
		push	edi		; int
		push	offset _VfBTSDataManagementArea	; void *
		call	_memset
		mov	eax, ds:_ViVerifyBTSBufferSize
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A65227
		mov	eax, 1D4C0h
		jmp	short loc_A6522A
; 

loc_A65227:				; CODE XREF: VfInitializeBranchTracing()+54j
		imul	eax, 0Ch

loc_A6522A:				; CODE XREF: VfInitializeBranchTracing()+5Bj
		mov	esi, edi
		mov	ds:_ViVerifyBTSBufferSize, eax
		cmp	ds:_KeNumberProcessors,	edi
		jbe	loc_A652CD
		mov	ebx, edi

loc_A6523F:				; CODE XREF: VfInitializeBranchTracing()+FDj
		cmp	ebx, 80h
		jnb	loc_A65320
		push	6D535442h
		push	34h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:_VfBTSDataManagementArea[ebx], eax
		test	eax, eax
		jz	short loc_A652D6
		push	62535442h
		push	ds:_ViVerifyBTSBufferSize
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, ds:_VfBTSDataManagementArea[ebx]
		mov	[ecx], eax
		mov	eax, ds:_VfBTSDataManagementArea[ebx]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_A652D6
		mov	[eax+4], ecx
		mov	eax, ds:_VfBTSDataManagementArea[ebx]
		push	0
		mov	[eax+0Ch], edi
		mov	edx, ds:_VfBTSDataManagementArea[ebx]
		mov	eax, ds:_ViVerifyBTSBufferSize
		inc	eax
		add	eax, [edx]
		mov	[edx+8], eax
		xor	eax, eax
		mov	edi, ds:_VfBTSDataManagementArea[ebx]
		add	ebx, 4
		add	edi, 28h
		inc	esi
		stosd
		stosd
		stosd
		pop	edi
		cmp	esi, ds:_KeNumberProcessors
		jb	loc_A6523F

loc_A652CD:				; CODE XREF: VfInitializeBranchTracing()+6Dj
		call	_ViSetupBTSPerProcNoEnable@0 ; ViSetupBTSPerProcNoEnable()
		test	eax, eax
		jnz	short loc_A65329

loc_A652D6:				; CODE XREF: VfInitializeBranchTracing()+9Aj
					; VfInitializeBranchTracing()+C3j
		cmp	esi, 20h
		jnb	short loc_A65320

loc_A652DB:				; CODE XREF: VfInitializeBranchTracing()+154j
		mov	eax, ds:_VfBTSDataManagementArea[esi*4]
		test	eax, eax
		jz	short loc_A65319
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_A65307
		push	62535442h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, ds:_VfBTSDataManagementArea[esi*4]
		mov	[eax], edi
		mov	eax, ds:_VfBTSDataManagementArea[esi*4]

loc_A65307:				; CODE XREF: VfInitializeBranchTracing()+120j
		push	6D535442h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ds:_VfBTSDataManagementArea[esi*4], edi

loc_A65319:				; CODE XREF: VfInitializeBranchTracing()+11Aj
		mov	eax, esi
		dec	esi
		test	eax, eax
		jnz	short loc_A652DB

loc_A65320:				; CODE XREF: VfInitializeBranchTracing()+34j
					; VfInitializeBranchTracing()+7Bj ...
		mov	eax, 0C0000429h

loc_A65325:				; CODE XREF: VfInitializeBranchTracing()+14j
					; VfInitializeBranchTracing()+28j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_A65329:				; CODE XREF: VfInitializeBranchTracing()+10Aj
		mov	ds:_VfBTSInitialized, 1
		xor	eax, eax
		jmp	short loc_A65325
_VfInitializeBranchTracing@0 endp


;  S U B	R O U T	I N E 


; __stdcall VfStartBranchTracing()
_VfStartBranchTracing@0	proc near	; CODE XREF: KiFreezeTargetExecution(x,x)+1D6p
					; VfNotifyVerifierOfEvent(x)+38p ...
		test	_MmVerifierData, 8000000h
		jz	short loc_A653AD
		cmp	ds:_VfBTSSupported, 0
		jz	short loc_A653AD
		cmp	ds:_VfBTSInitialized, 0
		jz	short loc_A653A7
		mov	eax, large fs:20h
		mov	eax, [eax+3CCh]
		cmp	ds:_VfBTSStarted[eax*4], 0
		jnz	short loc_A653A7
		mov	eax, ds:_VfBTSProcessorFamily
		cmp	eax, 0Fh
		jnz	short loc_A6537A
		push	0Ch
		pop	eax
		jmp	short loc_A65384
; 

loc_A6537A:				; CODE XREF: VfStartBranchTracing()+3Cj
		cmp	eax, 6
		jnz	short loc_A6538D
		mov	eax, 0C0h

loc_A65384:				; CODE XREF: VfStartBranchTracing()+41j
		xor	edx, edx
		mov	ecx, 1D9h
		wrmsr

loc_A6538D:				; CODE XREF: VfStartBranchTracing()+46j
		mov	eax, large fs:20h
		mov	eax, [eax+3CCh]
		mov	ds:_VfBTSStarted[eax*4], 1
		xor	eax, eax
		retn
; 

loc_A653A7:				; CODE XREF: VfStartBranchTracing()+1Cj
					; VfStartBranchTracing()+32j
		mov	eax, 0C000042Ah
		retn
; 

loc_A653AD:				; CODE XREF: VfStartBranchTracing()+Aj
					; VfStartBranchTracing()+13j
		mov	eax, 0C0000002h
		retn
_VfStartBranchTracing@0	endp


;  S U B	R O U T	I N E 


; __stdcall VfStopBranchTracing()
_VfStopBranchTracing@0 proc near	; CODE XREF: KiFreezeTargetExecution(x,x)+58p
					; VfNotifyVerifierOfEvent(x)+9Cj ...
		test	_MmVerifierData, 8000000h
		jz	short loc_A6540E
		cmp	ds:_VfBTSSupported, 0
		jz	short loc_A6540E
		cmp	ds:_VfBTSInitialized, 0
		jz	short loc_A65408
		mov	eax, large fs:20h
		mov	eax, [eax+3CCh]
		cmp	ds:_VfBTSStarted[eax*4], 0
		jz	short loc_A65408
		xor	eax, eax
		xor	edx, edx
		mov	ecx, 1D9h
		wrmsr
		mov	eax, large fs:20h
		mov	eax, [eax+3CCh]
		mov	ds:_VfBTSStarted[eax*4], edx
		xor	eax, eax
		retn
; 

loc_A65408:				; CODE XREF: VfStopBranchTracing()+1Cj
					; VfStopBranchTracing()+32j
		mov	eax, 0C000042Ah
		retn
; 

loc_A6540E:				; CODE XREF: VfStopBranchTracing()+Aj
					; VfStopBranchTracing()+13j
		mov	eax, 0C0000002h
		retn
_VfStopBranchTracing@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViIsBTSSupported()
_ViIsBTSSupported@0 proc near		; CODE XREF: VfInitializeBranchTracing():loc_A651F7p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		xor	ebx, ebx
		mov	esi, ebx
		stosd
		stosd
		mov	edi, large fs:20h
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	short loc_A654B3

loc_A65444:				; CODE XREF: ViIsBTSSupported()+9Dj
		xor	eax, eax
		mov	[ebp+var_18], ebx
		inc	eax
		mov	[ebp+var_14], ebx
		mov	ecx, esi
		shl	eax, cl
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeSetSystemGroupAffinityThread
		mov	eax, large fs:20h
		mov	ecx, [eax+3D50h]
		mov	eax, large fs:20h
		cmp	byte ptr [eax+3BEh], 1
		jnz	short loc_A654D9
		mov	al, [edi+14h]
		cmp	al, 0Fh
		jz	short loc_A65487
		cmp	al, 6
		jnz	short loc_A654D9

loc_A65487:				; CODE XREF: ViIsBTSSupported()+6Dj
		and	ecx, 20000h
		or	ecx, ebx
		jz	short loc_A654E4
		mov	ecx, 1A0h
		rdmsr
		and	eax, 800h
		or	eax, ebx
		jnz	short loc_A654E4
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		inc	esi
		cmp	esi, ds:_KeNumberProcessors
		jb	short loc_A65444

loc_A654B3:				; CODE XREF: ViIsBTSSupported()+2Ej
		movsx	ecx, byte ptr [edi+14h]
		xor	eax, eax
		mov	ds:_VfBTSProcessorFamily, ecx
		inc	eax
		mov	ds:_VfBTSSupported, 1

loc_A654CA:				; CODE XREF: ViIsBTSSupported()+DBj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_A654D9:				; CODE XREF: ViIsBTSSupported()+66j
					; ViIsBTSSupported()+71j
		push	offset ??_C@_0DN@MJACJDEH@This?5is?5a?5non?9BTS?5processor?5?9?5n@JKADOLAD@
		call	_DbgPrint
		pop	ecx

loc_A654E4:				; CODE XREF: ViIsBTSSupported()+7Bj
					; ViIsBTSSupported()+8Bj
		lea	eax, [ebp+var_10]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		xor	eax, eax
		jmp	short loc_A654CA
_ViIsBTSSupported@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViSetupBTSPerProcNoEnable()
_ViSetupBTSPerProcNoEnable@0 proc near	; CODE XREF: VfInitializeBranchTracing():loc_A652CDp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		xor	edi, edi
		mov	esi, edi
		cmp	ds:_KeNumberProcessors,	edi
		jbe	short loc_A65558

loc_A65519:				; CODE XREF: ViSetupBTSPerProcNoEnable()+65j
		xor	eax, eax
		mov	[ebp+var_18], edi
		inc	eax
		mov	[ebp+var_14], edi
		mov	ecx, esi
		shl	eax, cl
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_10]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeSetSystemGroupAffinityThread
		mov	eax, ds:_VfBTSDataManagementArea[esi*4]
		mov	ecx, 600h
		xor	edx, edx
		wrmsr
		lea	ecx, [ebp+var_10]
		push	ecx
		call	KeRevertToUserGroupAffinityThread
		inc	esi
		cmp	esi, ds:_KeNumberProcessors
		jb	short loc_A65519

loc_A65558:				; CODE XREF: ViSetupBTSPerProcNoEnable()+26j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		xor	ecx, ebp
		inc	eax
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_ViSetupBTSPerProcNoEnable@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfThunkAddDriverThunks(x, x, x)
_VfThunkAddDriverThunks@12 proc	near	; CODE XREF: MmAddVerifierThunks(x,x)+C9p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_0]
		call	_ViThunkCreateThunkTable@12 ; ViThunkCreateThunkTable(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A65584
		mov	eax, 0C000009Ah
		jmp	short loc_A655D6
; 

loc_A65584:				; CODE XREF: VfThunkAddDriverThunks(x,x,x)+12j
		call	_VfDriverLock@0	; VfDriverLock()
		xor	edx, edx
		mov	_VfThunksExtended, 1
		mov	[ebp+arg_0], edx
		lea	eax, [ebp+arg_0]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	eax, dword_6BE42C
		mov	ecx, offset _ViVerifierDriverAddedThunkListHead
		inc	_ViActiveVerifierThunks
		cmp	[eax], ecx
		jz	short loc_A655B6
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A655B6:				; CODE XREF: VfThunkAddDriverThunks(x,x,x)+46j
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		push	edx
		mov	dword_6BE42C, esi
		push	offset _ViDriversLoadLock
		mov	_ViDriversLoadLockOwner, edx
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		xor	eax, eax

loc_A655D6:				; CODE XREF: VfThunkAddDriverThunks(x,x,x)+19j
		pop	esi
		pop	ebp
		retn	4
_VfThunkAddDriverThunks@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfThunkAddSpecialDriverThunks(x, x,	x, x)
_VfThunkAddSpecialDriverThunks@16 proc near
					; CODE XREF: MmAddVerifierSpecialThunks(x,x,x)+ACp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, edx
		mov	edx, [ebp+arg_0]
		mov	ebx, ecx
		push	edi
		mov	ecx, eax
		mov	[ebp+var_4], ebx
		call	_ViThunkCreateThunkTable@12 ; ViThunkCreateThunkTable(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A65609

loc_A655FF:				; CODE XREF: VfThunkAddSpecialDriverThunks(x,x,x,x)+7Bj
		mov	eax, 0C000009Ah
		jmp	loc_A656CA
; 

loc_A65609:				; CODE XREF: VfThunkAddSpecialDriverThunks(x,x,x,x)+22j
		call	_VfDriverLock@0	; VfDriverLock()
		test	dword ptr [edi+34h], 2000000h
		jz	short loc_A6561E
		mov	ecx, esi
		call	_ViThunkRecoverPristines@4 ; ViThunkRecoverPristines(x)

loc_A6561E:				; CODE XREF: VfThunkAddSpecialDriverThunks(x,x,x,x)+3Aj
		xor	edi, edi
		lea	ecx, [ebp+var_4]
		xor	edx, edx
		push	edi
		inc	edx
		call	_ViThunkFindNextSpecialTable@12	; ViThunkFindNextSpecialTable(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_A65686
		push	74566D4Dh
		push	14h
		push	edx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_A65658
		push	edi
		push	offset _ViDriversLoadLock
		mov	_ViDriversLoadLockOwner, edi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		jmp	short loc_A655FF
; 

loc_A65658:				; CODE XREF: VfThunkAddSpecialDriverThunks(x,x,x,x)+68j
		lea	eax, [ecx+0Ch]
		mov	[ecx+8], ebx
		mov	[eax+4], eax
		mov	edx, offset _ViVerifierDriverAddedSpecialThunkListHead
		mov	[eax], eax
		mov	eax, _ViVerifierDriverAddedSpecialThunkListHead
		cmp	[eax+4], edx
		jnz	short loc_A656A8
		inc	_ViVerifierSpecialThunkTables
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	[eax+4], ecx
		mov	_ViVerifierDriverAddedSpecialThunkListHead, ecx

loc_A65686:				; CODE XREF: VfThunkAddSpecialDriverThunks(x,x,x,x)+55j
		mov	_VfThunksExtended, 1
		lea	eax, [ebp+arg_4]
		mov	[ebp+arg_4], edi
		xor	edx, edx
		lock or	[eax], edx
		mov	eax, [ecx+10h]
		add	ecx, 0Ch
		inc	_ViActiveVerifierThunks
		cmp	[eax], ecx
		jz	short loc_A656AD

loc_A656A8:				; CODE XREF: VfThunkAddSpecialDriverThunks(x,x,x,x)+95j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A656AD:				; CODE XREF: VfThunkAddSpecialDriverThunks(x,x,x,x)+CBj
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		push	edi
		mov	[ecx+4], esi
		push	offset _ViDriversLoadLock
		mov	_ViDriversLoadLockOwner, edi
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		xor	eax, eax

loc_A656CA:				; CODE XREF: VfThunkAddSpecialDriverThunks(x,x,x,x)+29j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_VfThunkAddSpecialDriverThunks@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfThunkAdjustExportAddressIfHooked(x, x)
_VfThunkAdjustExportAddressIfHooked@8 proc near
					; CODE XREF: VerifierMmGetSystemRoutineAddress(x)+17p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		push	18h
		mov	[esp+0Ch+var_4], ecx
		mov	esi, edx
		push	offset _VfRegularThunks
		lea	ecx, [esp+10h+var_4]
		call	_ViThunkAdjustExportAddressIfHooked@16 ; ViThunkAdjustExportAddressIfHooked(x,x,x,x)
		test	eax, eax
		jnz	short loc_A65749
		push	1Ch
		push	offset _VfOrderDependentThunks
		mov	edx, esi
		lea	ecx, [esp+10h+var_4]
		call	_ViThunkAdjustExportAddressIfHooked@16 ; ViThunkAdjustExportAddressIfHooked(x,x,x,x)
		test	eax, eax
		jnz	short loc_A65749
		push	18h
		push	offset _VfMandatoryThunks
		mov	edx, esi
		lea	ecx, [esp+10h+var_4]
		call	_ViThunkAdjustExportAddressIfHooked@16 ; ViThunkAdjustExportAddressIfHooked(x,x,x,x)
		test	eax, eax
		jnz	short loc_A65749
		push	18h
		push	offset _VfPoolThunks
		mov	edx, esi
		lea	ecx, [esp+10h+var_4]
		call	_ViThunkAdjustExportAddressIfHooked@16 ; ViThunkAdjustExportAddressIfHooked(x,x,x,x)
		test	eax, eax
		jnz	short loc_A65749
		push	18h
		push	offset _VfXdvThunks
		mov	edx, esi
		lea	ecx, [esp+10h+var_4]
		call	_ViThunkAdjustExportAddressIfHooked@16 ; ViThunkAdjustExportAddressIfHooked(x,x,x,x)

loc_A65749:				; CODE XREF: VfThunkAdjustExportAddressIfHooked(x,x)+22j
					; VfThunkAdjustExportAddressIfHooked(x,x)+38j ...
		mov	eax, [esp+8+var_4]
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_VfThunkAdjustExportAddressIfHooked@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfThunkApplyDriverAddedThunks(x)
_VfThunkApplyDriverAddedThunks@4 proc near ; CODE XREF:	ViDriverReApplyVerifierForAll(x)+41p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		push	eax
		push	0Ch
		push	1
		push	dword ptr [ecx+18h]
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A657E6
		mov	ebx, [ebp+var_4]
		mov	ecx, esi
		shr	ebx, 2
		mov	edx, ebx
		mov	[ebp+var_4], ebx
		call	_ViThunkFindAllSpecialTables@8 ; ViThunkFindAllSpecialTables(x,x)
		mov	edi, eax
		test	ebx, ebx
		jz	short loc_A657D7

loc_A6578F:				; CODE XREF: VfThunkApplyDriverAddedThunks(x)+83j
		test	edi, edi
		jz	short loc_A657C0
		and	[ebp+var_8], 0
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_A657C0
		mov	ebx, [ebp+var_8]

loc_A657A0:				; CODE XREF: VfThunkApplyDriverAddedThunks(x)+65j
		lea	ecx, [eax+0Ch]
		mov	edx, esi
		call	_ViThunkReplaceImportEntry@8 ; ViThunkReplaceImportEntry(x,x)
		mov	ecx, eax
		cmp	ecx, 1
		jz	short loc_A657B9
		inc	ebx
		mov	eax, [edi+ebx*4]
		test	eax, eax
		jnz	short loc_A657A0

loc_A657B9:				; CODE XREF: VfThunkApplyDriverAddedThunks(x)+5Dj
		mov	ebx, [ebp+var_4]
		test	ecx, ecx
		jnz	short loc_A657CC

loc_A657C0:				; CODE XREF: VfThunkApplyDriverAddedThunks(x)+3Fj
					; VfThunkApplyDriverAddedThunks(x)+49j
		mov	edx, esi
		mov	ecx, offset _ViVerifierDriverAddedThunkListHead
		call	_ViThunkReplaceImportEntry@8 ; ViThunkReplaceImportEntry(x,x)

loc_A657CC:				; CODE XREF: VfThunkApplyDriverAddedThunks(x)+6Cj
		add	esi, 4
		sub	ebx, 1
		mov	[ebp+var_4], ebx
		jnz	short loc_A6578F

loc_A657D7:				; CODE XREF: VfThunkApplyDriverAddedThunks(x)+3Bj
		test	edi, edi
		jz	short loc_A657E3
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A657E3:				; CODE XREF: VfThunkApplyDriverAddedThunks(x)+87j
		xor	eax, eax
		inc	eax

loc_A657E6:				; CODE XREF: VfThunkApplyDriverAddedThunks(x)+23j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VfThunkApplyDriverAddedThunks@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfThunkApplyMandatoryThunks(x, x)
_VfThunkApplyMandatoryThunks@8 proc near
					; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+182p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		lea	edi, [ebp+var_1C]
		mov	ebx, ecx
		mov	[ebp+var_20], esi
		push	6
		xor	eax, eax
		pop	ecx
		rep stosd
		test	esi, esi
		jz	short loc_A65879
		mov	ecx, [ebx+18h]
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jz	short loc_A65879
		xor	edi, edi
		inc	edi
		xor	ecx, ecx
		jmp	short loc_A65861
; 

loc_A65828:				; CODE XREF: VfThunkApplyMandatoryThunks(x,x)+7Fj
		lea	edx, [ebp+var_1C]
		mov	ecx, esi
		call	MmAttachSession
		test	eax, eax
		js	short loc_A6585F
		mov	ecx, [ebx+18h]
		xor	edi, edi
		inc	edi
		call	_MmIsDriverLoadedCurrentSession@4 ; MmIsDriverLoadedCurrentSession(x)
		test	eax, eax
		jz	short loc_A65851
		mov	edx, [ebp+var_20]
		mov	ecx, ebx
		call	_ViThunkApplyMandatoryThunksCurrentSession@8 ; ViThunkApplyMandatoryThunksCurrentSession(x,x)
		mov	edi, eax

loc_A65851:				; CODE XREF: VfThunkApplyMandatoryThunks(x,x)+58j
		lea	edx, [ebp+var_1C]
		mov	ecx, esi
		call	MmDetachSession
		test	edi, edi
		jz	short loc_A6586E

loc_A6585F:				; CODE XREF: VfThunkApplyMandatoryThunks(x,x)+49j
		mov	ecx, esi

loc_A65861:				; CODE XREF: VfThunkApplyMandatoryThunks(x,x)+3Bj
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A65828
		jmp	short loc_A65875
; 

loc_A6586E:				; CODE XREF: VfThunkApplyMandatoryThunks(x,x)+72j
		mov	ecx, esi
		call	_MmQuitNextSession@4 ; MmQuitNextSession(x)

loc_A65875:				; CODE XREF: VfThunkApplyMandatoryThunks(x,x)+81j
		mov	eax, edi
		jmp	short loc_A65882
; 

loc_A65879:				; CODE XREF: VfThunkApplyMandatoryThunks(x,x)+28j
					; VfThunkApplyMandatoryThunks(x,x)+34j
		mov	edx, esi
		mov	ecx, ebx
		call	_ViThunkApplyMandatoryThunksCurrentSession@8 ; ViThunkApplyMandatoryThunksCurrentSession(x,x)

loc_A65882:				; CODE XREF: VfThunkApplyMandatoryThunks(x,x)+8Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_VfThunkApplyMandatoryThunks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfThunkApplyThunks(x, x)
_VfThunkApplyThunks@8 proc near		; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+27Dp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		lea	edi, [ebp+var_1C]
		mov	ebx, ecx
		mov	[ebp+var_20], esi
		push	6
		xor	eax, eax
		pop	ecx
		rep stosd
		test	esi, esi
		jz	short loc_A6591F
		mov	ecx, [ebx+18h]
		call	_MmIsSessionAddress@4 ;	MmIsSessionAddress(x)
		test	eax, eax
		jz	short loc_A6591F
		xor	edi, edi
		inc	edi
		xor	ecx, ecx
		jmp	short loc_A65907
; 

loc_A658CE:				; CODE XREF: VfThunkApplyThunks(x,x)+7Fj
		lea	edx, [ebp+var_1C]
		mov	ecx, esi
		call	MmAttachSession
		test	eax, eax
		js	short loc_A65905
		mov	ecx, [ebx+18h]
		xor	edi, edi
		inc	edi
		call	_MmIsDriverLoadedCurrentSession@4 ; MmIsDriverLoadedCurrentSession(x)
		test	eax, eax
		jz	short loc_A658F7
		mov	edx, [ebp+var_20]
		mov	ecx, ebx
		call	_ViThunkApplyThunksCurrentSession@8 ; ViThunkApplyThunksCurrentSession(x,x)
		mov	edi, eax

loc_A658F7:				; CODE XREF: VfThunkApplyThunks(x,x)+58j
		lea	edx, [ebp+var_1C]
		mov	ecx, esi
		call	MmDetachSession
		test	edi, edi
		jz	short loc_A65914

loc_A65905:				; CODE XREF: VfThunkApplyThunks(x,x)+49j
		mov	ecx, esi

loc_A65907:				; CODE XREF: VfThunkApplyThunks(x,x)+3Bj
		call	_MmGetNextSession@4 ; MmGetNextSession(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A658CE
		jmp	short loc_A6591B
; 

loc_A65914:				; CODE XREF: VfThunkApplyThunks(x,x)+72j
		mov	ecx, esi
		call	_MmQuitNextSession@4 ; MmQuitNextSession(x)

loc_A6591B:				; CODE XREF: VfThunkApplyThunks(x,x)+81j
		mov	eax, edi
		jmp	short loc_A65928
; 

loc_A6591F:				; CODE XREF: VfThunkApplyThunks(x,x)+28j
					; VfThunkApplyThunks(x,x)+34j
		mov	edx, esi
		mov	ecx, ebx
		call	_ViThunkApplyThunksCurrentSession@8 ; ViThunkApplyThunksCurrentSession(x,x)

loc_A65928:				; CODE XREF: VfThunkApplyThunks(x,x)+8Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_VfThunkApplyThunks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkAdjustExportAddressIfHooked(x, x, x,	x)
_ViThunkAdjustExportAddressIfHooked@16 proc near
					; CODE XREF: VfThunkAdjustExportAddressIfHooked(x,x)+1Bp
					; VfThunkAdjustExportAddressIfHooked(x,x)+31p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		mov	ebx, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ebx
		mov	edx, esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		cmp	[edi], esi
		jz	loc_A65A06

loc_A6595F:				; CODE XREF: ViThunkAdjustExportAddressIfHooked(x,x,x,x)+B2j
		mov	eax, [edi+8]
		cmp	eax, [ebx]
		jz	loc_A659F1
		test	eax, eax
		jnz	short loc_A659E4
		test	edx, edx
		jnz	short loc_A659A6
		push	1
		push	[ebp+var_8]
		lea	eax, [ebp+var_10]
		push	eax
		call	RtlUnicodeStringToAnsiString
		test	eax, eax
		jns	short loc_A659A3
		mov	ebx, [ebp+var_8]

loc_A65987:				; CODE XREF: ViThunkAdjustExportAddressIfHooked(x,x,x,x)+6Aj
		push	offset _ViShortTime
		push	esi
		push	esi
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		push	1
		push	ebx
		lea	eax, [ebp+var_10]
		push	eax
		call	RtlUnicodeStringToAnsiString
		test	eax, eax
		js	short loc_A65987

loc_A659A3:				; CODE XREF: ViThunkAdjustExportAddressIfHooked(x,x,x,x)+4Bj
		xor	edx, edx
		inc	edx

loc_A659A6:				; CODE XREF: ViThunkAdjustExportAddressIfHooked(x,x,x,x)+39j
		mov	ecx, [ebp+var_C]
		mov	eax, [edi]

loc_A659AB:				; CODE XREF: ViThunkAdjustExportAddressIfHooked(x,x,x,x)+9Ej
		mov	bl, [eax]
		cmp	bl, [ecx]
		mov	byte ptr [ebp+arg_0+3],	bl
		mov	ebx, [ebp+var_4]
		jnz	short loc_A659DB
		cmp	byte ptr [ebp+arg_0+3],	0
		jz	short loc_A659D7
		mov	bl, [eax+1]
		cmp	bl, [ecx+1]
		mov	byte ptr [ebp+arg_0+3],	bl
		mov	ebx, [ebp+var_4]
		jnz	short loc_A659DB
		add	eax, 2
		add	ecx, 2
		cmp	byte ptr [ebp+arg_0+3],	0
		jnz	short loc_A659AB

loc_A659D7:				; CODE XREF: ViThunkAdjustExportAddressIfHooked(x,x,x,x)+84j
		mov	eax, esi
		jmp	short loc_A659E0
; 

loc_A659DB:				; CODE XREF: ViThunkAdjustExportAddressIfHooked(x,x,x,x)+7Ej
					; ViThunkAdjustExportAddressIfHooked(x,x,x,x)+92j
		sbb	eax, eax
		or	eax, 1

loc_A659E0:				; CODE XREF: ViThunkAdjustExportAddressIfHooked(x,x,x,x)+A2j
		test	eax, eax
		jz	short loc_A659F1

loc_A659E4:				; CODE XREF: ViThunkAdjustExportAddressIfHooked(x,x,x,x)+35j
		add	edi, [ebp+arg_4]
		cmp	[edi], esi
		jnz	loc_A6595F
		jmp	short loc_A659F9
; 

loc_A659F1:				; CODE XREF: ViThunkAdjustExportAddressIfHooked(x,x,x,x)+2Dj
					; ViThunkAdjustExportAddressIfHooked(x,x,x,x)+ABj
		mov	eax, [edi+4]
		xor	esi, esi
		inc	esi
		mov	[ebx], eax

loc_A659F9:				; CODE XREF: ViThunkAdjustExportAddressIfHooked(x,x,x,x)+B8j
		test	edx, edx
		jz	short loc_A65A06
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlFreeAnsiString@4 ; RtlFreeAnsiString(x)

loc_A65A06:				; CODE XREF: ViThunkAdjustExportAddressIfHooked(x,x,x,x)+22j
					; ViThunkAdjustExportAddressIfHooked(x,x,x,x)+C4j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
_ViThunkAdjustExportAddressIfHooked@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkApplyMandatoryThunksCurrentSession(x, x)
_ViThunkApplyMandatoryThunksCurrentSession@8 proc near
					; CODE XREF: VfThunkApplyMandatoryThunks(x,x)+5Fp
					; VfThunkApplyMandatoryThunks(x,x)+92p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	edi
		push	eax
		push	0Ch
		push	1
		push	dword ptr [ecx+18h]
		mov	ebx, edx
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A65A6E
		mov	esi, [ebp+var_4]
		test	esi, esi
		jz	short loc_A65A6E
		test	ebx, ebx
		jz	short loc_A65A53
		xor	eax, eax
		mov	ecx, offset _ViLookasideAlreadyLoadedDrivers
		inc	eax
		xchg	eax, [ecx]
		xor	eax, eax
		mov	ecx, offset _ViResourcesAlreadyLoadedDrivers
		inc	eax
		xchg	eax, [ecx]

loc_A65A53:				; CODE XREF: ViThunkApplyMandatoryThunksCurrentSession(x,x)+2Ej
		shr	esi, 2
		test	esi, esi
		jz	short loc_A65A6E

loc_A65A5A:				; CODE XREF: ViThunkApplyMandatoryThunksCurrentSession(x,x)+5Dj
		mov	edx, offset _VfMandatoryThunks
		mov	ecx, edi
		call	_ViThunkReplaceImportIfThunkedRegular@8	; ViThunkReplaceImportIfThunkedRegular(x,x)
		add	edi, 4
		sub	esi, 1
		jnz	short loc_A65A5A

loc_A65A6E:				; CODE XREF: ViThunkApplyMandatoryThunksCurrentSession(x,x)+23j
					; ViThunkApplyMandatoryThunksCurrentSession(x,x)+2Aj ...
		pop	edi
		xor	eax, eax
		pop	esi
		inc	eax
		pop	ebx
		leave
		retn
_ViThunkApplyMandatoryThunksCurrentSession@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkApplyThunksCurrentSession(x,	x)
_ViThunkApplyThunksCurrentSession@8 proc near ;	CODE XREF: VfThunkApplyThunks(x,x)+5Fp
					; VfThunkApplyThunks(x,x)+92p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ecx
		mov	[ebp+var_8], edx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], eax
		xor	edi, edi
		mov	eax, [eax+18h]
		mov	ecx, eax
		mov	[ebp+var_4], edi
		mov	[ebp+var_C], eax
		call	_VfTargetDriversGetNode@4 ; VfTargetDriversGetNode(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A65B05
		test	byte ptr [ebx+0Ch], 1
		jnz	short loc_A65B05
		lea	eax, [ebp+var_4]
		xor	esi, esi
		push	eax
		push	0Ch
		inc	esi
		push	esi
		push	[ebp+var_C]
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_A65B05
		cmp	[ebp+var_4], edi
		jz	short loc_A65B05
		cmp	[ebp+var_8], edi
		jz	short loc_A65ADA
		mov	eax, esi
		mov	ecx, offset _ViLookasideAlreadyLoadedDrivers
		xchg	eax, [ecx]
		mov	eax, offset _ViResourcesAlreadyLoadedDrivers
		xchg	esi, [eax]

loc_A65ADA:				; CODE XREF: ViThunkApplyThunksCurrentSession(x,x)+52j
		mov	ecx, [ebp+var_10]
		call	_ViIsDriverSuspectForVerifier@4	; ViIsDriverSuspectForVerifier(x)
		mov	edx, [ebp+var_4]
		mov	esi, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		push	eax
		push	esi
		shr	edx, 2
		call	_ViThunkReplaceAllThunkedImports@16 ; ViThunkReplaceAllThunkedImports(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A65B05
		push	ecx
		mov	edx, esi
		mov	ecx, ebx
		call	_ViThunkReplaceAllSharedExports@12 ; ViThunkReplaceAllSharedExports(x,x,x)

loc_A65B05:				; CODE XREF: ViThunkApplyThunksCurrentSession(x,x)+29j
					; ViThunkApplyThunksCurrentSession(x,x)+2Fj ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViThunkApplyThunksCurrentSession@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkCreateThunkTable(x, x, x)
_ViThunkCreateThunkTable@12 proc near	; CODE XREF: VfThunkAddDriverThunks(x,x,x)+9p
					; VfThunkAddSpecialDriverThunks(x,x,x,x)+19p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		shr	edi, 3
		push	74566D4Dh
		lea	eax, ds:10h[edi*8]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A65B53
		mov	eax, edi
		shl	eax, 3
		push	eax		; size_t
		lea	eax, [esi+10h]
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		mov	[esi+8], eax
		mov	eax, esi
		mov	[esi+0Ch], edi

loc_A65B53:				; CODE XREF: ViThunkCreateThunkTable(x,x,x)+27j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_ViThunkCreateThunkTable@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViThunkFindAPIContextByName(char *)
_ViThunkFindAPIContextByName@8 proc near ; CODE	XREF: ViThunkSnapSharedExportByName+1E06p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	[ebp+var_4], ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		test	ecx, ecx
		jz	short loc_A65BA2
		mov	eax, ds:_VfDifAPIThunkContextHead
		test	eax, eax
		jz	short loc_A65BA2
		and	dword ptr [edi], 0
		mov	esi, [eax]
		cmp	esi, eax
		jz	short loc_A65BA5

loc_A65B7E:				; CODE XREF: ViThunkFindAPIContextByName(x,x)+40j
		push	ecx		; char *
		lea	ebx, [esi-8]
		push	dword ptr [ebx]	; char *
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A65B9E
		mov	esi, [esi]
		mov	ecx, [ebp+var_4]
		cmp	esi, ds:_VfDifAPIThunkContextHead
		jnz	short loc_A65B7E
		jmp	short loc_A65BA5
; 

loc_A65B9E:				; CODE XREF: ViThunkFindAPIContextByName(x,x)+33j
		mov	[edi], ebx
		jmp	short loc_A65BA5
; 

loc_A65BA2:				; CODE XREF: ViThunkFindAPIContextByName(x,x)+10j
					; ViThunkFindAPIContextByName(x,x)+19j
		and	dword ptr [edi], 0

loc_A65BA5:				; CODE XREF: ViThunkFindAPIContextByName(x,x)+22j
					; ViThunkFindAPIContextByName(x,x)+42j	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViThunkFindAPIContextByName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkFindAllSpecialTables(x, x)
_ViThunkFindAllSpecialTables@8 proc near ; CODE	XREF: VfThunkApplyDriverAddedThunks(x)+32p
					; ViThunkReplaceAllThunkedImports(x,x,x,x)+19p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	edi
		mov	eax, edx
		mov	[ebp+var_8], ecx
		push	0
		mov	[ebp+var_4], eax
		call	_ViThunkFindNextSpecialTable@12	; ViThunkFindNextSpecialTable(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A65C28
		mov	ecx, _ViVerifierSpecialThunkTables
		push	74566D4Dh
		lea	ecx, ds:4[ecx*4]
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_C], esi
		test	esi, esi
		jz	short loc_A65C28
		mov	ecx, _ViVerifierSpecialThunkTables
		push	ebx
		lea	ecx, ds:4[ecx*4]
		push	ecx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		mov	edx, [ebp+var_4]
		mov	ebx, esi
		mov	esi, [ebp+var_8]
		add	esp, 0Ch

loc_A65C0E:				; CODE XREF: ViThunkFindAllSpecialTables(x,x)+76j
		mov	[ebx], edi
		mov	ecx, esi
		push	dword ptr [edi]
		call	_ViThunkFindNextSpecialTable@12	; ViThunkFindNextSpecialTable(x,x,x)
		mov	edi, eax
		lea	ebx, [ebx+4]
		test	edi, edi
		jnz	short loc_A65C0E
		mov	eax, [ebp+var_C]
		pop	ebx
		jmp	short loc_A65C2A
; 

loc_A65C28:				; CODE XREF: ViThunkFindAllSpecialTables(x,x)+1Dj
					; ViThunkFindAllSpecialTables(x,x)+40j
		xor	eax, eax

loc_A65C2A:				; CODE XREF: ViThunkFindAllSpecialTables(x,x)+7Cj
		pop	edi
		pop	esi
		leave
		retn
_ViThunkFindAllSpecialTables@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkFindNextSpecialTable(x, x, x)
_ViThunkFindNextSpecialTable@12	proc near
					; CODE XREF: VfThunkAddSpecialDriverThunks(x,x,x,x)+4Cp
					; ViThunkFindAllSpecialTables(x,x)+14p	...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		test	eax, eax
		jnz	short loc_A65C45
		mov	eax, _ViVerifierDriverAddedSpecialThunkListHead

loc_A65C45:				; CODE XREF: ViThunkFindNextSpecialTable(x,x,x)+10j
		cmp	eax, offset _ViVerifierDriverAddedSpecialThunkListHead
		jz	short loc_A65C6E
		push	edi

loc_A65C4D:				; CODE XREF: ViThunkFindNextSpecialTable(x,x,x)+39j
		mov	ecx, esi
		test	edx, edx
		jz	short loc_A65C60
		mov	edi, [eax+8]

loc_A65C56:				; CODE XREF: ViThunkFindNextSpecialTable(x,x,x)+30j
		cmp	[ebx+ecx*4], edi
		jz	short loc_A65C6B
		inc	ecx
		cmp	ecx, edx
		jb	short loc_A65C56

loc_A65C60:				; CODE XREF: ViThunkFindNextSpecialTable(x,x,x)+23j
		mov	eax, [eax]
		cmp	eax, offset _ViVerifierDriverAddedSpecialThunkListHead
		jnz	short loc_A65C4D
		jmp	short loc_A65C6D
; 

loc_A65C6B:				; CODE XREF: ViThunkFindNextSpecialTable(x,x,x)+2Bj
		mov	esi, eax

loc_A65C6D:				; CODE XREF: ViThunkFindNextSpecialTable(x,x,x)+3Bj
		pop	edi

loc_A65C6E:				; CODE XREF: ViThunkFindNextSpecialTable(x,x,x)+1Cj
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_ViThunkFindNextSpecialTable@12	endp


;  S U B	R O U T	I N E 


; __stdcall ViThunkRecoverPristines(x)
_ViThunkRecoverPristines@4 proc	near	; CODE XREF: VfThunkAddSpecialDriverThunks(x,x,x,x)+3Ep
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		lea	esi, [ebx+10h]
		cmp	[ebx+0Ch], edi
		jbe	short loc_A65CF0

loc_A65C87:				; CODE XREF: ViThunkRecoverPristines(x)+78j
		mov	ecx, esi
		call	_ViThunkReplaceSpecialPristine@4 ; ViThunkReplaceSpecialPristine(x)
		cmp	eax, 1
		jz	short loc_A65CE7
		push	esi
		push	18h
		pop	edx
		mov	ecx, offset _VfRegularThunks
		call	_ViThunkReplacePristine@12 ; ViThunkReplacePristine(x,x,x)
		cmp	eax, 1
		jz	short loc_A65CE7
		push	esi
		push	1Ch
		pop	edx
		mov	ecx, offset _VfOrderDependentThunks
		call	_ViThunkReplacePristine@12 ; ViThunkReplacePristine(x,x,x)
		cmp	eax, 1
		jz	short loc_A65CE7
		push	esi
		push	18h
		pop	edx
		mov	ecx, offset _VfPoolThunks
		call	_ViThunkReplacePristine@12 ; ViThunkReplacePristine(x,x,x)
		cmp	eax, 1
		jz	short loc_A65CE7
		push	esi
		mov	ecx, offset _VfMandatoryThunks
		call	_ViThunkReplacePristine@12 ; ViThunkReplacePristine(x,x,x)
		cmp	eax, 1
		jz	short loc_A65CE7
		push	esi
		mov	ecx, offset _VfXdvThunks
		call	_ViThunkReplacePristine@12 ; ViThunkReplacePristine(x,x,x)

loc_A65CE7:				; CODE XREF: ViThunkRecoverPristines(x)+1Bj
					; ViThunkRecoverPristines(x)+2Ej ...
		add	esi, 8
		inc	edi
		cmp	edi, [ebx+0Ch]
		jb	short loc_A65C87

loc_A65CF0:				; CODE XREF: ViThunkRecoverPristines(x)+Fj
		pop	edi
		pop	esi
		pop	ebx
		retn
_ViThunkRecoverPristines@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViThunkRemoveImportEntry(x,	x)
_ViThunkRemoveImportEntry@8 proc near	; CODE XREF: VfDriverUnloadImage+1D26p
					; VfDriverUnloadImage+1D3Dp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	esi, [edi]
		jmp	short loc_A65D2F
; 

loc_A65D01:				; CODE XREF: ViThunkRemoveImportEntry(x,x)+3Dj
		mov	edx, esi
		mov	eax, [esi]
		cmp	[esi+8], ebx
		jnz	short loc_A65D2D
		cmp	[eax+4], esi
		jnz	short loc_A65D37
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_A65D37
		mov	[ecx], eax
		push	0
		mov	[eax+4], ecx
		mov	esi, [esi]
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		dec	_ViActiveVerifierThunks
		jmp	short loc_A65D2F
; 

loc_A65D2D:				; CODE XREF: ViThunkRemoveImportEntry(x,x)+14j
		mov	esi, eax

loc_A65D2F:				; CODE XREF: ViThunkRemoveImportEntry(x,x)+Bj
					; ViThunkRemoveImportEntry(x,x)+37j
		cmp	esi, edi
		jnz	short loc_A65D01
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_A65D37:				; CODE XREF: ViThunkRemoveImportEntry(x,x)+19j
					; ViThunkRemoveImportEntry(x,x)+20j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ViThunkRemoveImportEntry@8 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall ViThunkReplaceAllSharedExports(x, x, x)
_ViThunkReplaceAllSharedExports@12 proc	near
					; CODE XREF: ViThunkApplyThunksCurrentSession(x,x)+8Ap
		mov	edi, edi
		push	esi
		push	edi
		push	ecx
		push	offset _VfPoolThunksBitMapHeader
		mov	edi, edx
		mov	esi, ecx
		call	_RtlNumberOfClearBits@4	; RtlNumberOfClearBits(x)
		mov	ecx, [esi+10h]
		mov	edx, eax
		call	_ViThunkReplaceSharedExports@12	; ViThunkReplaceSharedExports(x,x,x)
		cmp	_KernelVerifier, 0
		jnz	short loc_A65DA5
		push	ecx
		push	offset _VfRegularThunksBitMapHeader
		call	_RtlNumberOfClearBits@4	; RtlNumberOfClearBits(x)
		mov	ecx, [esi+0Ch]
		mov	edx, eax
		call	_ViThunkReplaceSharedExports@12	; ViThunkReplaceSharedExports(x,x,x)
		test	edi, edi
		jnz	short loc_A65DA5
		push	ecx
		push	offset _VfOrderDependentThunksBitMapHeader
		call	_RtlNumberOfClearBits@4	; RtlNumberOfClearBits(x)
		mov	ecx, [esi+14h]
		mov	edx, eax
		call	_ViThunkReplaceSharedExports@12	; ViThunkReplaceSharedExports(x,x,x)
		push	ecx
		push	offset _VfXdvThunksBitMapHeader
		call	_RtlNumberOfClearBits@4	; RtlNumberOfClearBits(x)
		mov	ecx, [esi+18h]
		mov	edx, eax
		call	_ViThunkReplaceSharedExports@12	; ViThunkReplaceSharedExports(x,x,x)

loc_A65DA5:				; CODE XREF: ViThunkReplaceAllSharedExports(x,x,x)+24j
					; ViThunkReplaceAllSharedExports(x,x,x)+3Dj
		pop	edi
		pop	esi
		retn	4
_ViThunkReplaceAllSharedExports@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkReplaceAllThunkedImports(x, x, x, x)
_ViThunkReplaceAllThunkedImports@16 proc near
					; CODE XREF: ViThunkApplyThunksCurrentSession(x,x)+7Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx
		jnz	short loc_A65DCC
		cmp	[ebp+arg_4], 1
		jnz	short loc_A65DCC
		call	_ViThunkFindAllSpecialTables@8 ; ViThunkFindAllSpecialTables(x,x)
		mov	edi, eax
		jmp	short loc_A65DCE
; 

loc_A65DCC:				; CODE XREF: ViThunkReplaceAllThunkedImports(x,x,x,x)+11j
					; ViThunkReplaceAllThunkedImports(x,x,x,x)+17j
		xor	edi, edi

loc_A65DCE:				; CODE XREF: ViThunkReplaceAllThunkedImports(x,x,x,x)+20j
		test	ebx, ebx
		jz	loc_A65E69

loc_A65DD6:				; CODE XREF: ViThunkReplaceAllThunkedImports(x,x,x,x)+B9j
		test	edi, edi
		jz	short loc_A65DFF
		and	[ebp+var_4], 0
		mov	eax, [edi]
		jmp	short loc_A65DFB
; 

loc_A65DE2:				; CODE XREF: ViThunkReplaceAllThunkedImports(x,x,x,x)+53j
		lea	ecx, [eax+0Ch]
		mov	edx, esi
		call	_ViThunkReplaceImportEntry@8 ; ViThunkReplaceImportEntry(x,x)
		cmp	eax, 1
		jz	short loc_A65E5D
		mov	eax, [ebp+var_4]
		inc	eax
		mov	[ebp+var_4], eax
		mov	eax, [edi+eax*4]

loc_A65DFB:				; CODE XREF: ViThunkReplaceAllThunkedImports(x,x,x,x)+36j
		test	eax, eax
		jnz	short loc_A65DE2

loc_A65DFF:				; CODE XREF: ViThunkReplaceAllThunkedImports(x,x,x,x)+2Ej
		cmp	_KernelVerifier, 0
		jnz	short loc_A65E36
		mov	edx, offset _VfRegularThunks
		mov	ecx, esi
		call	_ViThunkReplaceImportIfThunkedRegular@8	; ViThunkReplaceImportIfThunkedRegular(x,x)
		test	eax, eax
		jnz	short loc_A65E5D
		push	[ebp+arg_0]
		mov	ecx, esi
		call	_ViThunkReplaceImportIfThunkedOrderDependent@12	; ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)
		test	eax, eax
		jnz	short loc_A65E5D
		mov	edx, offset _VfXdvThunks
		mov	ecx, esi
		call	_ViThunkReplaceImportIfThunkedRegular@8	; ViThunkReplaceImportIfThunkedRegular(x,x)
		test	eax, eax
		jnz	short loc_A65E5D

loc_A65E36:				; CODE XREF: ViThunkReplaceAllThunkedImports(x,x,x,x)+5Cj
		mov	edx, offset _VfPoolThunks
		mov	ecx, esi
		call	_ViThunkReplaceImportIfThunkedRegular@8	; ViThunkReplaceImportIfThunkedRegular(x,x)
		test	eax, eax
		jnz	short loc_A65E5D
		cmp	[ebp+arg_0], eax
		jnz	short loc_A65E5D
		cmp	[ebp+arg_4], 1
		jnz	short loc_A65E5D
		mov	edx, esi
		mov	ecx, offset _ViVerifierDriverAddedThunkListHead
		call	_ViThunkReplaceImportEntry@8 ; ViThunkReplaceImportEntry(x,x)

loc_A65E5D:				; CODE XREF: ViThunkReplaceAllThunkedImports(x,x,x,x)+45j
					; ViThunkReplaceAllThunkedImports(x,x,x,x)+6Cj	...
		add	esi, 4
		sub	ebx, 1
		jnz	loc_A65DD6

loc_A65E69:				; CODE XREF: ViThunkReplaceAllThunkedImports(x,x,x,x)+26j
		test	edi, edi
		jz	short loc_A65E75
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A65E75:				; CODE XREF: ViThunkReplaceAllThunkedImports(x,x,x,x)+C1j
		pop	edi
		xor	eax, eax
		pop	esi
		inc	eax
		pop	ebx
		leave
		retn	8
_ViThunkReplaceAllThunkedImports@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkReplaceImportEntry(x, x)
_ViThunkReplaceImportEntry@8 proc near	; CODE XREF: VfThunkApplyDriverAddedThunks(x)+53p
					; VfThunkApplyDriverAddedThunks(x)+75p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edi
		xor	eax, eax
		mov	esi, [edi]
		jmp	short loc_A65EDB
; 

loc_A65E98:				; CODE XREF: ViThunkReplaceImportEntry(x,x)+5Ej
		mov	ebx, [esi+0Ch]
		lea	edx, [esi+10h]
		xor	ecx, ecx
		mov	[ebp+var_C], ebx
		test	ebx, ebx
		jz	short loc_A65ED4
		mov	edi, [ebp+var_8]
		mov	ebx, [edi]
		mov	[ebp+var_10], ebx
		mov	ebx, [ebp+var_C]

loc_A65EB2:				; CODE XREF: ViThunkReplaceImportEntry(x,x)+43j
		mov	edi, [ebp+var_10]
		cmp	edi, [edx]
		mov	edi, [ebp+var_4]
		jz	short loc_A65EC6
		add	edx, 8
		inc	ecx
		cmp	ecx, ebx
		jb	short loc_A65EB2
		jmp	short loc_A65ED4
; 

loc_A65EC6:				; CODE XREF: ViThunkReplaceImportEntry(x,x)+3Bj
		mov	edx, [edx+4]
		mov	ecx, [ebp+var_8]
		call	_MmReplaceImportEntry@8	; MmReplaceImportEntry(x,x)
		xor	eax, eax
		inc	eax

loc_A65ED4:				; CODE XREF: ViThunkReplaceImportEntry(x,x)+26j
					; ViThunkReplaceImportEntry(x,x)+45j
		cmp	eax, 1
		jz	short loc_A65EDF
		mov	esi, [esi]

loc_A65EDB:				; CODE XREF: ViThunkReplaceImportEntry(x,x)+17j
		cmp	esi, edi
		jnz	short loc_A65E98

loc_A65EDF:				; CODE XREF: ViThunkReplaceImportEntry(x,x)+58j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViThunkReplaceImportEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkReplaceImportIfThunkedOrderDependent(x, x, x)
_ViThunkReplaceImportIfThunkedOrderDependent@12	proc near
					; CODE XREF: ViThunkReplaceAllThunkedImports(x,x,x,x)+73p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		xor	eax, eax
		mov	edx, offset _VfOrderDependentThunks
		push	ebx
		push	esi
		cmp	ds:_VfOrderDependentThunks, eax
		jz	short loc_A65F71
		mov	esi, [ecx]

loc_A65EFD:				; CODE XREF: ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)+27j
		test	esi, esi
		jz	short loc_A65F06
		cmp	esi, [edx+8]
		jz	short loc_A65F0F

loc_A65F06:				; CODE XREF: ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)+1Bj
		add	edx, 1Ch
		cmp	[edx], eax
		jnz	short loc_A65EFD
		jmp	short loc_A65F71
; 

loc_A65F0F:				; CODE XREF: ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)+20j
		cmp	[ebp+arg_0], eax
		jnz	short loc_A65F62
		mov	ebx, dword_6FDE00
		test	bl, 8
		jz	short loc_A65F56
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jz	short loc_A65F39
		test	_VfRuleClasses,	0FFAFFFFFh
		jnz	short loc_A65F56
		test	bl, 6
		jnz	short loc_A65F56

loc_A65F39:				; CODE XREF: ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)+42j
		cmp	ds:_XdvEnabled,	0
		jz	short loc_A65F6E
		cmp	ds:_VfDifAPIThunkContextHead, 0
		jz	short loc_A65F6E
		mov	eax, [edx+0Ch]
		test	al, 1
		jz	short loc_A65F6E
		test	al, 4
		jz	short loc_A65F5B

loc_A65F56:				; CODE XREF: ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)+39j
					; ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)+4Ej ...
		mov	edx, [edx+4]
		jmp	short loc_A65F69
; 

loc_A65F5B:				; CODE XREF: ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)+70j
		mov	eax, [edx+10h]
		mov	edx, [eax]
		jmp	short loc_A65F65
; 

loc_A65F62:				; CODE XREF: ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)+2Ej
		mov	edx, [edx+14h]

loc_A65F65:				; CODE XREF: ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)+7Cj
		test	edx, edx
		jz	short loc_A65F6E

loc_A65F69:				; CODE XREF: ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)+75j
		call	_MmReplaceImportEntry@8	; MmReplaceImportEntry(x,x)

loc_A65F6E:				; CODE XREF: ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)+5Cj
					; ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)+65j ...
		xor	eax, eax
		inc	eax

loc_A65F71:				; CODE XREF: ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)+15j
					; ViThunkReplaceImportIfThunkedOrderDependent(x,x,x)+29j
		pop	esi
		pop	ebx
		leave
		retn	4
_ViThunkReplaceImportIfThunkedOrderDependent@12	endp


;  S U B	R O U T	I N E 


; __stdcall ViThunkReplaceImportIfThunkedRegular(x, x)
_ViThunkReplaceImportIfThunkedRegular@8	proc near
					; CODE XREF: ViThunkApplyMandatoryThunksCurrentSession(x,x)+52p
					; ViThunkReplaceAllThunkedImports(x,x,x,x)+65p	...
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ecx]
		xor	eax, eax
		test	esi, esi
		jz	short loc_A65FEC
		jmp	short loc_A65F8E
; 

loc_A65F86:				; CODE XREF: ViThunkReplaceImportIfThunkedRegular(x,x)+19j
		cmp	esi, [edx+8]
		jz	short loc_A65F94
		add	edx, 18h

loc_A65F8E:				; CODE XREF: ViThunkReplaceImportIfThunkedRegular(x,x)+Dj
		cmp	[edx], eax
		jnz	short loc_A65F86
		jmp	short loc_A65FEC
; 

loc_A65F94:				; CODE XREF: ViThunkReplaceImportIfThunkedRegular(x,x)+12j
		mov	ebx, dword_6FDE00
		test	bl, 8
		jz	short loc_A65FE1
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jz	short loc_A65FB9
		test	_VfRuleClasses,	0FFAFFFFFh
		jnz	short loc_A65FE1
		test	bl, 6
		jnz	short loc_A65FE1

loc_A65FB9:				; CODE XREF: ViThunkReplaceImportIfThunkedRegular(x,x)+2Fj
		cmp	ds:_XdvEnabled,	0
		jz	short loc_A65FE9
		cmp	ds:_VfDifAPIThunkContextHead, 0
		jz	short loc_A65FE9
		mov	eax, [edx+0Ch]
		test	al, 1
		jz	short loc_A65FE9
		test	al, 4
		jnz	short loc_A65FE1
		mov	eax, [edx+10h]
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_A65FE9
		jmp	short loc_A65FE4
; 

loc_A65FE1:				; CODE XREF: ViThunkReplaceImportIfThunkedRegular(x,x)+26j
					; ViThunkReplaceImportIfThunkedRegular(x,x)+3Bj ...
		mov	edx, [edx+4]

loc_A65FE4:				; CODE XREF: ViThunkReplaceImportIfThunkedRegular(x,x)+68j
		call	_MmReplaceImportEntry@8	; MmReplaceImportEntry(x,x)

loc_A65FE9:				; CODE XREF: ViThunkReplaceImportIfThunkedRegular(x,x)+49j
					; ViThunkReplaceImportIfThunkedRegular(x,x)+52j ...
		xor	eax, eax
		inc	eax

loc_A65FEC:				; CODE XREF: ViThunkReplaceImportIfThunkedRegular(x,x)+Bj
					; ViThunkReplaceImportIfThunkedRegular(x,x)+1Bj
		pop	esi
		pop	ebx
		pop	ecx
		retn
_ViThunkReplaceImportIfThunkedRegular@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkReplacePristine(x, x, x)
_ViThunkReplacePristine@12 proc	near	; CODE XREF: ViThunkRecoverPristines(x)+26p
					; ViThunkRecoverPristines(x)+39p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	eax, eax
		cmp	[ecx], eax
		jz	short loc_A66019
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [esi]

loc_A66002:				; CODE XREF: ViThunkReplacePristine(x,x,x)+1Bj
		cmp	edi, [ecx+4]
		jz	short loc_A6600F
		add	ecx, edx
		cmp	[ecx], eax
		jnz	short loc_A66002
		jmp	short loc_A66017
; 

loc_A6600F:				; CODE XREF: ViThunkReplacePristine(x,x,x)+15j
		mov	eax, [ecx+8]
		mov	[esi], eax
		xor	eax, eax
		inc	eax

loc_A66017:				; CODE XREF: ViThunkReplacePristine(x,x,x)+1Dj
		pop	edi
		pop	esi

loc_A66019:				; CODE XREF: ViThunkReplacePristine(x,x,x)+9j
		pop	ebp
		retn	4
_ViThunkReplacePristine@12 endp


;  S U B	R O U T	I N E 


; __stdcall ViThunkReplaceSharedExports(x, x, x)
_ViThunkReplaceSharedExports@12	proc near
					; CODE XREF: ViThunkReplaceAllSharedExports(x,x,x)+18p
					; ViThunkReplaceAllSharedExports(x,x,x)+36p ...
		mov	edi, edi
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_A66099
		test	ebx, ebx
		jz	short loc_A66099
		lea	esi, [ecx+4]

loc_A66030:				; CODE XREF: ViThunkReplaceSharedExports(x,x,x)+7Aj
		mov	edi, [esi-4]
		test	edi, edi
		jz	short loc_A66091
		push	23h
		call	_VfIsRuleClassEnabled@4	; VfIsRuleClassEnabled(x)
		test	al, al
		jz	short loc_A66088
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jz	short loc_A66060
		test	_VfRuleClasses,	0FFAFFFFFh
		jnz	short loc_A66088
		test	byte ptr dword_6FDE00, 6
		jnz	short loc_A66088

loc_A66060:				; CODE XREF: ViThunkReplaceSharedExports(x,x,x)+2Cj
		cmp	ds:_XdvEnabled,	0
		jz	short loc_A66091
		cmp	ds:_VfDifAPIThunkContextHead, 0
		jz	short loc_A66091
		mov	eax, [esi+8]
		test	al, 1
		jz	short loc_A66091
		test	al, 4
		jnz	short loc_A66088
		mov	eax, [esi+4]
		mov	edx, [eax]
		test	edx, edx
		jz	short loc_A66091
		jmp	short loc_A6608A
; 

loc_A66088:				; CODE XREF: ViThunkReplaceSharedExports(x,x,x)+23j
					; ViThunkReplaceSharedExports(x,x,x)+38j ...
		mov	edx, [esi]

loc_A6608A:				; CODE XREF: ViThunkReplaceSharedExports(x,x,x)+69j
		mov	ecx, edi
		call	_MmReplaceImportEntry@8	; MmReplaceImportEntry(x,x)

loc_A66091:				; CODE XREF: ViThunkReplaceSharedExports(x,x,x)+18j
					; ViThunkReplaceSharedExports(x,x,x)+4Aj ...
		add	esi, 10h
		sub	ebx, 1
		jnz	short loc_A66030

loc_A66099:				; CODE XREF: ViThunkReplaceSharedExports(x,x,x)+Aj
					; ViThunkReplaceSharedExports(x,x,x)+Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		retn	4
_ViThunkReplaceSharedExports@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkReplaceSpecialPristine(x)
_ViThunkReplaceSpecialPristine@4 proc near ; CODE XREF:	ViThunkRecoverPristines(x)+13p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	edx, _ViVerifierDriverAddedSpecialThunkListHead
		xor	eax, eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], edx
		cmp	edx, offset _ViVerifierDriverAddedSpecialThunkListHead
		jz	short locret_A66128
		push	ebx
		push	esi
		push	edi

loc_A660C1:				; CODE XREF: ViThunkReplaceSpecialPristine(x)+83j
		lea	esi, [edx+0Ch]
		mov	ecx, [esi]
		jmp	short loc_A6610F
; 

loc_A660C8:				; CODE XREF: ViThunkReplaceSpecialPristine(x)+71j
		mov	esi, [ecx+0Ch]
		lea	edi, [ecx+10h]
		xor	ebx, ebx
		mov	[ebp+var_10], esi
		test	esi, esi
		lea	esi, [edx+0Ch]
		jz	short loc_A66108
		mov	esi, [ebp+var_8]
		mov	edx, [esi]
		mov	esi, [ebp+var_4]
		mov	[ebp+var_C], edx
		add	esi, 0Ch

loc_A660E8:				; CODE XREF: ViThunkReplaceSpecialPristine(x)+5Aj
		mov	edx, [ebp+var_C]
		cmp	edx, [edi+4]
		mov	edx, [ebp+var_4]
		jz	short loc_A660FE
		add	edi, 8
		inc	ebx
		cmp	ebx, [ebp+var_10]
		jb	short loc_A660E8
		jmp	short loc_A66108
; 

loc_A660FE:				; CODE XREF: ViThunkReplaceSpecialPristine(x)+51j
		mov	ebx, [ebp+var_8]
		mov	eax, [edi]
		mov	[ebx], eax
		xor	eax, eax
		inc	eax

loc_A66108:				; CODE XREF: ViThunkReplaceSpecialPristine(x)+38j
					; ViThunkReplaceSpecialPristine(x)+5Cj
		cmp	eax, 1
		jz	short loc_A66125
		mov	ecx, [ecx]

loc_A6610F:				; CODE XREF: ViThunkReplaceSpecialPristine(x)+26j
		cmp	ecx, esi
		jnz	short loc_A660C8
		cmp	eax, 1
		jz	short loc_A66125
		mov	edx, [edx]
		mov	[ebp+var_4], edx
		cmp	edx, offset _ViVerifierDriverAddedSpecialThunkListHead
		jnz	short loc_A660C1

loc_A66125:				; CODE XREF: ViThunkReplaceSpecialPristine(x)+6Bj
					; ViThunkReplaceSpecialPristine(x)+76j
		pop	edi
		pop	esi
		pop	ebx

locret_A66128:				; CODE XREF: ViThunkReplaceSpecialPristine(x)+1Cj
		leave
		retn
_ViThunkReplaceSpecialPristine@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfSetVerifierRunningMode(x)
_VfSetVerifierRunningMode@4 proc near	; CODE XREF: VfSetVerifierInformationEx(x)+34p
					; ViInitSystemPhase0+1A319p
		lea	eax, [ecx-1]
		cmp	eax, 3
		ja	short loc_A66141
		mov	_VfVerifyMode, ecx
		xor	eax, eax
		mov	dword_6C6EAC, ecx
		retn
; 

loc_A66141:				; CODE XREF: VfSetVerifierRunningMode(x)+6j
		mov	eax, 0C000000Dh
		retn
_VfSetVerifierRunningMode@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfCheckUserHandle(x)
_VfCheckUserHandle@4 proc near		; CODE XREF: ObCloseHandle+16B026p
					; ObpReferenceObjectByHandleWithTag+10A751p ...

var_76		= byte ptr -76h
var_75		= byte ptr -75h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+7Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edx, ecx
		lea	edi, [esp+88h+var_68]
		push	8
		xor	eax, eax
		mov	[esp+8Ch+var_70], edx
		test	_MmVerifierData, 100h
		pop	ecx
		rep stosd
		jz	loc_A662E3
		mov	eax, large fs:124h
		mov	edi, [eax+80h]
		mov	eax, ds:_PsInitialSystemProcess
		test	eax, eax
		jz	loc_A662E3
		cmp	edi, eax
		jz	loc_A662E3
		cmp	edi, ds:_PsIdleProcess
		jz	loc_A662E3
		test	edx, edx
		jz	loc_A662E3
		push	0
		lea	eax, [esp+8Ch+var_68]
		push	eax
		push	8
		push	2
		call	RtlCaptureStackBackTrace
		movzx	eax, ax
		xor	esi, esi
		mov	[esp+88h+var_74], eax
		test	eax, eax
		jz	loc_A662E3

loc_A661D7:				; CODE XREF: VfCheckUserHandle(x)+E7j
		mov	ebx, [esp+esi*4+88h+var_68]
		mov	ecx, ebx
		call	_VfDriverIsKernelImageAddress@4	; VfDriverIsKernelImageAddress(x)
		test	eax, eax
		jz	short loc_A661F1
		cmp	_KernelVerifier, 0
		jnz	short loc_A66230
		jmp	short loc_A66229
; 

loc_A661F1:				; CODE XREF: VfCheckUserHandle(x)+9Dj
		mov	ecx, ebx
		call	_VfTargetDriversIsEnabled@4 ; VfTargetDriversIsEnabled(x)
		test	eax, eax
		jnz	short loc_A66230
		mov	eax, _ViDriverXDVBase
		test	eax, eax
		jz	loc_A662E3
		mov	ecx, _ViDriverXDVImageSize
		test	ecx, ecx
		jz	loc_A662E3
		cmp	ebx, eax
		jb	loc_A662E3
		add	eax, ecx
		cmp	ebx, eax
		jnb	loc_A662E3

loc_A66229:				; CODE XREF: VfCheckUserHandle(x)+A8j
		inc	esi
		cmp	esi, [esp+88h+var_74]
		jb	short loc_A661D7

loc_A66230:				; CODE XREF: VfCheckUserHandle(x)+A6j
					; VfCheckUserHandle(x)+B3j
		cmp	esi, [esp+88h+var_74]
		jnb	loc_A662E3
		mov	ecx, edi
		call	_VfUtilIsLocalSystem@4 ; VfUtilIsLocalSystem(x)
		test	eax, eax
		jnz	loc_A662E3
		mov	ebx, [esp+88h+var_70]
		lea	eax, [esp+88h+var_74]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	1
		push	ecx
		push	ecx
		push	ebx
		mov	[esp+0A0h+var_74], ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [esp+88h+var_74]
		mov	[esp+88h+var_70], ecx
		test	eax, eax
		js	short loc_A662C7
		lea	eax, [esp+88h+var_6C]
		mov	[esp+88h+var_75], 0
		push	eax
		push	40h
		lea	edx, [esp+90h+var_48]
		call	_ObQueryTypeName@16 ; ObQueryTypeName(x,x,x,x)
		test	eax, eax
		js	short loc_A662B7
		push	0
		push	(offset	loc_A50127+1)
		lea	eax, [esp+90h+var_48]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_A662B2
		push	0
		push	offset _ViWindowStationTypeName
		lea	eax, [esp+90h+var_48]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A662B7

loc_A662B2:				; CODE XREF: VfCheckUserHandle(x)+154j
		mov	[esp+88h+var_75], 1

loc_A662B7:				; CODE XREF: VfCheckUserHandle(x)+13Fj
					; VfCheckUserHandle(x)+169j
		mov	ecx, [esp+88h+var_70]
		call	ObfDereferenceObject
		cmp	[esp+88h+var_75], 0
		jnz	short loc_A662E3

loc_A662C7:				; CODE XREF: VfCheckUserHandle(x)+126j
		cmp	ds:_ViHandleBreaksEnabled, 0
		jz	short loc_A662E3
		push	[esp+esi*4+88h+var_68]
		mov	edx, 0F6h
		push	edi
		push	ebx
		lea	ecx, [edx-32h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A662E3:				; CODE XREF: VfCheckUserHandle(x)+34j
					; VfCheckUserHandle(x)+4Dj ...
		mov	ecx, [esp+88h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_VfCheckUserHandle@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViShutdownScheduleWatchdog()
_ViShutdownScheduleWatchdog@0 proc near	; CODE XREF: VfShutdownScheduleWatchdog()+7j
					; ViShutdownWatchdogExecuteDpc(x,x,x,x):loc_A663F8p
		cmp	ds:_VfShutdownThread, 0
		jnz	short loc_A6630C
		mov	eax, large fs:124h
		mov	ds:_VfShutdownThread, eax

loc_A6630C:				; CODE XREF: ViShutdownScheduleWatchdog()+7j
		push	esi
		push	edi
		push	0
		push	offset _ViShutdownWatchdogExecuteDpc@16	; ViShutdownWatchdogExecuteDpc(x,x,x,x)
		mov	edi, offset _ViShutdownWatchdogDpc
		push	edi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	0
		mov	esi, offset _ViShutdownWatchdogTimer
		push	esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	0FFFFFFFEh
		push	9A5F4400h
		push	edi
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	KiSetTimerEx
		pop	edi
		pop	esi
		retn
_ViShutdownScheduleWatchdog@0 endp


;  S U B	R O U T	I N E 


; int __fastcall ViShutdownWatchdogExecuteDpc(int,int,int,int,int,int)
_ViShutdownWatchdogExecuteDpc@16 proc near ; DATA XREF:	ViShutdownScheduleWatchdog()+18o
		mov	ecx, ds:_ViShutdownTimeoutCount
		inc	ecx
		cmp	ds:_VfZeroAllPagesRunning, 1
		mov	ds:_ViShutdownTimeoutCount, ecx
		jnz	short loc_A66362
		cmp	ecx, 4
		jb	loc_A663F8

loc_A66362:				; CODE XREF: ViShutdownWatchdogExecuteDpc(x,x,x,x)+14j
		mov	eax, _EtwpStopTraceCount
		test	eax, eax
		jz	short loc_A6637A
		cmp	eax, ds:_ViEtwLastStopTraceCount
		jz	short loc_A6637A
		mov	ds:_ViEtwLastStopTraceCount, eax
		jmp	short loc_A663F8
; 

loc_A6637A:				; CODE XREF: ViShutdownWatchdogExecuteDpc(x,x,x,x)+26j
					; ViShutdownWatchdogExecuteDpc(x,x,x,x)+2Ej
		cmp	ecx, 1
		jbe	short loc_A6638C
		push	0FFFFFFFDh
		pop	ecx
		mov	eax, offset _MmVerifierData
		lock and [eax],	ecx
		jmp	short loc_A663F8
; 

loc_A6638C:				; CODE XREF: ViShutdownWatchdogExecuteDpc(x,x,x,x)+3Aj
		cmp	_KdDebuggerEnabled, 0
		jz	short loc_A663D5
		cmp	_KdDebuggerNotPresent, 0
		jnz	short loc_A663D5
		push	esi		; char
		push	0
		mov	edx, 115h
		push	0
		push	ds:_VfShutdownThread
		lea	ecx, [edx-51h]
		call	_VfErrorStoreTriageInformation@20 ; VfErrorStoreTriageInformation(x,x,x,x,x)
		push	offset ??_C@_0PF@ELCJCDPF@?6Driver?5Verifier?5detected?5that?5@JKADOLAD@ ; char	*
		mov	esi, eax
		call	_VfUtilDbgPrint
		pop	ecx
		nop
		int	3		; Trap to Debugger
		test	esi, esi
		pop	esi
		jz	short loc_A663F8
		xor	eax, eax
		mov	ecx, offset _VfErrorBugcheckDataReady
		xchg	eax, [ecx]
		jmp	short loc_A663F8
; 

loc_A663D5:				; CODE XREF: ViShutdownWatchdogExecuteDpc(x,x,x,x)+50j
					; ViShutdownWatchdogExecuteDpc(x,x,x,x)+59j
		test	_MmVerifierData, 800h
		jz	short loc_A663F8
		push	0
		mov	edx, 115h
		push	0
		push	ds:_VfShutdownThread
		lea	ecx, [edx-51h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A663F8:				; CODE XREF: ViShutdownWatchdogExecuteDpc(x,x,x,x)+19j
					; ViShutdownWatchdogExecuteDpc(x,x,x,x)+35j ...
		call	_ViShutdownScheduleWatchdog@0 ;	ViShutdownScheduleWatchdog()
		retn	10h
_ViShutdownWatchdogExecuteDpc@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireInStackQueuedSpinLock(x, x)
@VerifierKeAcquireInStackQueuedSpinLock@8 proc near ; DATA XREF: PAGEVRFD:00AA8798o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edx
		mov	edx, [ebp+4]
		mov	esi, ecx
		call	@VerifierKeAcquireInStackQueuedSpinLockCommon@12 ; VerifierKeAcquireInStackQueuedSpinLockCommon(x,x,x)
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		mov	ecx, esi
		push	0
		push	eax
		push	6
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)
		pop	esi
		pop	ebp
		retn
@VerifierKeAcquireInStackQueuedSpinLock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireInStackQueuedSpinLockAtDpcLevel(x, x)
@VerifierKeAcquireInStackQueuedSpinLockAtDpcLevel@8 proc near
					; DATA XREF: PAGEVRFD:00AA87B4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edx
		mov	edx, [ebp+4]
		mov	esi, ecx
		call	@VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelCommon@12 ; VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelCommon(x,x,x)
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		mov	ecx, esi
		push	0
		push	eax
		push	6
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)
		pop	esi
		pop	ebp
		retn
@VerifierKeAcquireInStackQueuedSpinLockAtDpcLevel@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelCommon(x, x, x)
@VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelCommon@12 proc	near
					; CODE XREF: VerifierKeAcquireInStackQueuedSpinLockAtDpcLevel(x,x)+Cp
					; VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelNoReboot(x,x)+9p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		inc	dword_6C6E48
		mov	eax, edx
		test	_MmVerifierData, 1000h
		push	ebx
		push	esi
		mov	esi, ecx
		jz	short loc_A6647B
		push	58h
		pop	edx
		mov	ecx, eax
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A6647B:				; CODE XREF: VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelCommon(x,x,x)+1Bj
		push	4
		pop	edx
		mov	ecx, esi
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		mov	ecx, [ebp+arg_0]
		push	0Ch
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	byte ptr _MmVerifierData, 2
		mov	bl, al
		jz	short loc_A664C5
		cmp	bl, 2
		jnb	short loc_A664C5
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_A664C5
		push	0
		push	[ebp+arg_0]
		movzx	eax, bl
		mov	ecx, 0C4h
		push	eax
		push	40h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A664C5:				; CODE XREF: VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelCommon(x,x,x)+4Bj
					; VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelCommon(x,x,x)+50j ...
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	ds:_pXdvKeAcquireInStackQueuedSpinLockAtDpcLevel
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
@VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelCommon@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelNoReboot(x, x)
@VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelNoReboot@8 proc near
					; DATA XREF: PAGEVRFD:00AA87C4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edx
		mov	edx, [ebp+4]
		call	@VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelCommon@12 ; VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelCommon(x,x,x)
		pop	ebp
		retn
@VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelNoReboot@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireInStackQueuedSpinLockCommon(x, x,	x)
@VerifierKeAcquireInStackQueuedSpinLockCommon@12 proc near
					; CODE XREF: VerifierKeAcquireInStackQueuedSpinLock(x,x)+Cp
					; VerifierKeAcquireInStackQueuedSpinLockNoReboot(x,x)+9p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		inc	dword_6C6E48
		mov	eax, edx
		test	_MmVerifierData, 1000h
		push	esi
		push	edi
		mov	edi, ecx
		jz	short loc_A6650D
		push	58h
		pop	edx
		mov	ecx, eax
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A6650D:				; CODE XREF: VerifierKeAcquireInStackQueuedSpinLockCommon(x,x,x)+1Bj
		push	4
		pop	edx
		mov	ecx, edi
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		mov	ecx, [ebp+arg_0]
		push	0Ch
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		xor	edx, edx
		mov	cl, 2
		call	_ViKeRaiseIrqlSanityChecks@8 ; ViKeRaiseIrqlSanityChecks(x,x)
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		mov	esi, eax
		call	ds:_pXdvKeAcquireInStackQueuedSpinLock
		test	esi, esi
		jz	short loc_A66548
		movzx	ecx, large byte	ptr fs:51h
		mov	[esi+6], cx

loc_A66548:				; CODE XREF: VerifierKeAcquireInStackQueuedSpinLockCommon(x,x,x)+54j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
@VerifierKeAcquireInStackQueuedSpinLockCommon@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireInStackQueuedSpinLockForDpc(x, x)
@VerifierKeAcquireInStackQueuedSpinLockForDpc@8	proc near ; DATA XREF: PAGEVRFD:00AA87D0o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edx
		mov	edx, [ebp+4]
		mov	esi, ecx
		call	@VerifierKeAcquireInStackQueuedSpinLockForDpcCommon@12 ; VerifierKeAcquireInStackQueuedSpinLockForDpcCommon(x,x,x)
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		mov	ecx, esi
		push	0
		push	eax
		push	6
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)
		pop	esi
		pop	ebp
		retn
@VerifierKeAcquireInStackQueuedSpinLockForDpc@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireInStackQueuedSpinLockForDpcCommon(x, x, x)
@VerifierKeAcquireInStackQueuedSpinLockForDpcCommon@12 proc near
					; CODE XREF: VerifierKeAcquireInStackQueuedSpinLockForDpc(x,x)+Cp
					; VerifierKeAcquireInStackQueuedSpinLockForDpcNoReboot(x,x)+9p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		inc	dword_6C6E48
		mov	eax, edx
		test	_MmVerifierData, 1000h
		push	esi
		mov	esi, ecx
		jz	short loc_A6659E
		push	58h
		pop	edx
		mov	ecx, eax
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A6659E:				; CODE XREF: VerifierKeAcquireInStackQueuedSpinLockForDpcCommon(x,x,x)+1Aj
		push	4
		pop	edx
		mov	ecx, esi
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		mov	ecx, [ebp+arg_0]
		push	0Ch
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	ds:_pXdvKeAcquireInStackQueuedSpinLockForDpc
		pop	esi
		pop	ebp
		retn	4
@VerifierKeAcquireInStackQueuedSpinLockForDpcCommon@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireInStackQueuedSpinLockForDpcNoReboot(x, x)
@VerifierKeAcquireInStackQueuedSpinLockForDpcNoReboot@8	proc near
					; DATA XREF: PAGEVRFD:00AA87E0o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edx
		mov	edx, [ebp+4]
		call	@VerifierKeAcquireInStackQueuedSpinLockForDpcCommon@12 ; VerifierKeAcquireInStackQueuedSpinLockForDpcCommon(x,x,x)
		pop	ebp
		retn
@VerifierKeAcquireInStackQueuedSpinLockForDpcNoReboot@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireInStackQueuedSpinLockNoReboot(x, x)
@VerifierKeAcquireInStackQueuedSpinLockNoReboot@8 proc near ; DATA XREF: PAGEVRFD:00AA87A8o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edx
		mov	edx, [ebp+4]
		call	@VerifierKeAcquireInStackQueuedSpinLockCommon@12 ; VerifierKeAcquireInStackQueuedSpinLockCommon(x,x,x)
		pop	ebp
		retn
@VerifierKeAcquireInStackQueuedSpinLockNoReboot@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireInStackQueuedSpinLockRaiseToSynch(x, x)
@VerifierKeAcquireInStackQueuedSpinLockRaiseToSynch@8 proc near
					; DATA XREF: PAGEVRFD:00AA8840o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edx
		mov	edx, [ebp+4]
		mov	esi, ecx
		call	@VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchCommon@12 ; VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchCommon(x,x,x)
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		mov	ecx, esi
		push	0
		push	eax
		push	6
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)
		pop	esi
		pop	ebp
		retn
@VerifierKeAcquireInStackQueuedSpinLockRaiseToSynch@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchCommon(x, x, x)
@VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchCommon@12 proc near
					; CODE XREF: VerifierKeAcquireInStackQueuedSpinLockRaiseToSynch(x,x)+Cp
					; VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchNoReboot(x,x)+9p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		inc	dword_6C6E48
		mov	eax, edx
		test	_MmVerifierData, 1000h
		push	esi
		push	edi
		mov	edi, ecx
		jz	short loc_A66634
		push	58h
		pop	edx
		mov	ecx, eax
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A66634:				; CODE XREF: VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchCommon(x,x,x)+1Bj
		push	4
		pop	edx
		mov	ecx, edi
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		mov	ecx, [ebp+arg_0]
		push	0Ch
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		xor	edx, edx
		mov	cl, 1Bh
		call	_ViKeRaiseIrqlSanityChecks@8 ; ViKeRaiseIrqlSanityChecks(x,x)
		mov	edx, [ebp+arg_0]
		mov	ecx, edi
		mov	esi, eax
		call	@KeAcquireInStackQueuedSpinLockRaiseToSynch@8 ;	KeAcquireInStackQueuedSpinLockRaiseToSynch(x,x)
		test	esi, esi
		jz	short loc_A6666E
		movzx	ecx, large byte	ptr fs:51h
		mov	[esi+6], cx

loc_A6666E:				; CODE XREF: VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchCommon(x,x,x)+53j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
@VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchCommon@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchNoReboot(x, x)
@VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchNoReboot@8 proc near
					; DATA XREF: PAGEVRFD:00AA8850o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edx
		mov	edx, [ebp+4]
		call	@VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchCommon@12 ; VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchCommon(x,x,x)
		pop	ebp
		retn
@VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchNoReboot@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireQueuedSpinLockRaiseToSynch(x)
@VerifierKeAcquireQueuedSpinLockRaiseToSynch@4 proc near ; DATA	XREF: PAGEVRFD:00AAB77Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		inc	dword_6C6E48
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		jz	short loc_A666AA
		push	58h
		pop	edx
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A666AA:				; CODE XREF: VerifierKeAcquireQueuedSpinLockRaiseToSynch(x)+1Cj
		xor	edx, edx
		mov	cl, 1Bh
		call	_ViKeRaiseIrqlSanityChecks@8 ; ViKeRaiseIrqlSanityChecks(x,x)
		mov	ecx, edi
		mov	esi, eax
		call	@KeAcquireQueuedSpinLockRaiseToSynch@4 ; KeAcquireQueuedSpinLockRaiseToSynch(x)
		test	esi, esi
		jz	short loc_A666CC
		movzx	ecx, large byte	ptr fs:51h
		mov	[esi+6], cx

loc_A666CC:				; CODE XREF: VerifierKeAcquireQueuedSpinLockRaiseToSynch(x)+3Aj
		pop	edi
		pop	esi
		pop	ebp
		retn
@VerifierKeAcquireQueuedSpinLockRaiseToSynch@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireSpinLockAtDpcLevel(x)
@VerifierKeAcquireSpinLockAtDpcLevel@4 proc near ; DATA	XREF: PAGEVRFD:00AA870Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+4]
		push	esi
		mov	esi, ecx
		call	_ViKeAcquireSpinLockAtDpcLevelCommon@8 ; ViKeAcquireSpinLockAtDpcLevelCommon(x,x)
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		mov	ecx, esi
		push	0
		push	eax
		push	5
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)
		pop	esi
		pop	ebp
		retn
@VerifierKeAcquireSpinLockAtDpcLevel@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeAcquireSpinLockAtDpcLevelNoReboot(x)
@VerifierKeAcquireSpinLockAtDpcLevelNoReboot@4 proc near ; DATA	XREF: PAGEVRFD:00AA871Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+4]
		pop	ebp
		jmp	_ViKeAcquireSpinLockAtDpcLevelCommon@8 ; ViKeAcquireSpinLockAtDpcLevelCommon(x,x)
@VerifierKeAcquireSpinLockAtDpcLevelNoReboot@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeReleaseInStackQueuedSpinLock(x)
@VerifierKeReleaseInStackQueuedSpinLock@4 proc near ; DATA XREF: PAGEVRFD:00AA87ECo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+4]
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		and	ecx, 0FFFFFFFCh
		push	eax
		push	6
		pop	edx
		call	_VfDeadlockReleaseResource@16 ;	VfDeadlockReleaseResource(x,x,x,x)
		mov	ecx, esi
		pop	esi
		pop	ebp
		jmp	$+5
@VerifierKeReleaseInStackQueuedSpinLock@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierKeReleaseInStackQueuedSpinLockCommon(x)
@VerifierKeReleaseInStackQueuedSpinLockCommon@4	proc near
					; CODE XREF: VerifierKeReleaseInStackQueuedSpinLockNoReboot(x)j
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	byte ptr _MmVerifierData, 2
		mov	bl, al
		jz	short loc_A66761
		cmp	bl, 2
		jnb	short loc_A66761
		push	0
		push	edi
		movzx	ecx, bl
		push	ecx
		push	32h
		pop	edx
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A66761:				; CODE XREF: VerifierKeReleaseInStackQueuedSpinLockCommon(x)+16j
					; VerifierKeReleaseInStackQueuedSpinLockCommon(x)+1Bj
		mov	dl, [edi+8]
		mov	cl, bl
		call	_ViKeLowerIrqlSanityChecks@8 ; ViKeLowerIrqlSanityChecks(x,x)
		mov	ecx, edi
		mov	esi, eax
		call	ds:_pXdvKeReleaseInStackQueuedSpinLock
		pop	edi
		mov	ecx, esi
		xor	edx, edx
		pop	esi
		inc	edx
		pop	ebx
		jmp	_ViKeIrqlLogCommon@8 ; ViKeIrqlLogCommon(x,x)
@VerifierKeReleaseInStackQueuedSpinLockCommon@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeReleaseInStackQueuedSpinLockForDpc(x)
@VerifierKeReleaseInStackQueuedSpinLockForDpc@4	proc near ; DATA XREF: PAGEVRFD:00AA8824o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+4]
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		and	ecx, 0FFFFFFFCh
		push	eax
		push	6
		pop	edx
		call	_VfDeadlockReleaseResource@16 ;	VfDeadlockReleaseResource(x,x,x,x)
		mov	ecx, esi
		pop	esi
		pop	ebp
		jmp	$+5
@VerifierKeReleaseInStackQueuedSpinLockForDpc@4	endp


;  S U B	R O U T	I N E 


; __fastcall VerifierKeReleaseInStackQueuedSpinLockForDpcCommon(x)
@VerifierKeReleaseInStackQueuedSpinLockForDpcCommon@4 proc near
					; CODE XREF: VerifierKeReleaseInStackQueuedSpinLockForDpcNoReboot(x)j
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	byte ptr _MmVerifierData, 2
		mov	bl, al
		jz	short loc_A667E4
		cmp	bl, 2
		jnb	short loc_A667E4
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_A667E4
		push	0
		push	esi
		movzx	eax, bl
		mov	ecx, 0C4h
		push	eax
		push	32h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A667E4:				; CODE XREF: VerifierKeReleaseInStackQueuedSpinLockForDpcCommon(x)+15j
					; VerifierKeReleaseInStackQueuedSpinLockForDpcCommon(x)+1Aj ...
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	ds:_pXdvKeReleaseInStackQueuedSpinLockForDpc
@VerifierKeReleaseInStackQueuedSpinLockForDpcCommon@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierKeReleaseInStackQueuedSpinLockForDpcNoReboot(x)
@VerifierKeReleaseInStackQueuedSpinLockForDpcNoReboot@4	proc near
					; DATA XREF: PAGEVRFD:00AA8834o
		jmp	@VerifierKeReleaseInStackQueuedSpinLockForDpcCommon@4 ;	VerifierKeReleaseInStackQueuedSpinLockForDpcCommon(x)
@VerifierKeReleaseInStackQueuedSpinLockForDpcNoReboot@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeReleaseInStackQueuedSpinLockFromDpcLevel(x)
@VerifierKeReleaseInStackQueuedSpinLockFromDpcLevel@4 proc near
					; DATA XREF: PAGEVRFD:00AA8808o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+4]
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		and	ecx, 0FFFFFFFCh
		push	eax
		push	6
		pop	edx
		call	_VfDeadlockReleaseResource@16 ;	VfDeadlockReleaseResource(x,x,x,x)
		mov	ecx, esi
		pop	esi
		pop	ebp
		jmp	$+5
@VerifierKeReleaseInStackQueuedSpinLockFromDpcLevel@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierKeReleaseInStackQueuedSpinLockFromDpcLevelCommon(x)
@VerifierKeReleaseInStackQueuedSpinLockFromDpcLevelCommon@4 proc near
					; CODE XREF: VerifierKeReleaseInStackQueuedSpinLockFromDpcLevelNoReboot(x)j
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	byte ptr _MmVerifierData, 2
		mov	bl, al
		jz	short loc_A66855
		cmp	bl, 2
		jnb	short loc_A66855
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_A66855
		push	0
		push	esi
		movzx	eax, bl
		mov	ecx, 0C4h
		push	eax
		push	32h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A66855:				; CODE XREF: VerifierKeReleaseInStackQueuedSpinLockFromDpcLevelCommon(x)+15j
					; VerifierKeReleaseInStackQueuedSpinLockFromDpcLevelCommon(x)+1Aj ...
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	ds:_pXdvKeReleaseInStackQueuedSpinLockFromDpcLevel
@VerifierKeReleaseInStackQueuedSpinLockFromDpcLevelCommon@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierKeReleaseInStackQueuedSpinLockFromDpcLevelNoReboot(x)
@VerifierKeReleaseInStackQueuedSpinLockFromDpcLevelNoReboot@4 proc near
					; DATA XREF: PAGEVRFD:00AA8818o
		jmp	@VerifierKeReleaseInStackQueuedSpinLockFromDpcLevelCommon@4 ; VerifierKeReleaseInStackQueuedSpinLockFromDpcLevelCommon(x)
@VerifierKeReleaseInStackQueuedSpinLockFromDpcLevelNoReboot@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierKeReleaseInStackQueuedSpinLockNoReboot(x)
@VerifierKeReleaseInStackQueuedSpinLockNoReboot@4 proc near ; DATA XREF: PAGEVRFD:00AA87FCo
		jmp	@VerifierKeReleaseInStackQueuedSpinLockCommon@4	; VerifierKeReleaseInStackQueuedSpinLockCommon(x)
@VerifierKeReleaseInStackQueuedSpinLockNoReboot@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeReleaseSpinLockFromDpcLevel(x)
@VerifierKeReleaseSpinLockFromDpcLevel@4 proc near ; DATA XREF:	PAGEVRFD:00AA8728o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	4
		pop	edx
		mov	esi, ecx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	_MmVerifierData, 800h
		mov	bl, al
		jz	short loc_A668B0
		cmp	bl, 2
		jnb	short loc_A668B0
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_A668B0
		push	0
		push	esi
		movzx	eax, bl
		mov	ecx, 0C4h
		push	eax
		push	41h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A668B0:				; CODE XREF: VerifierKeReleaseSpinLockFromDpcLevel(x)+23j
					; VerifierKeReleaseSpinLockFromDpcLevel(x)+28j	...
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		mov	ecx, esi
		push	eax
		push	5
		pop	edx
		call	_VfDeadlockReleaseResource@16 ;	VfDeadlockReleaseResource(x,x,x,x)
		mov	ecx, esi
		pop	esi
		pop	ebx
		pop	ebp
		jmp	ds:_pXdvKefReleaseSpinLockFromDpcLevel ; KefReleaseSpinLockFromDpcLevel(x)
@VerifierKeReleaseSpinLockFromDpcLevel@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierKeReleaseSpinLockFromDpcLevelNoReboot(x)
@VerifierKeReleaseSpinLockFromDpcLevelNoReboot@4 proc near ; DATA XREF:	PAGEVRFD:00AA8738o
		mov	edi, edi
		push	ebx
		push	esi
		push	4
		pop	edx
		mov	esi, ecx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	byte ptr _MmVerifierData, 2
		mov	bl, al
		jz	short loc_A66910
		cmp	bl, 2
		jnb	short loc_A66910
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_A66910
		push	0
		push	esi
		movzx	eax, bl
		mov	ecx, 0C4h
		push	eax
		push	41h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A66910:				; CODE XREF: VerifierKeReleaseSpinLockFromDpcLevelNoReboot(x)+1Dj
					; VerifierKeReleaseSpinLockFromDpcLevelNoReboot(x)+22j	...
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	ds:_pXdvKefReleaseSpinLockFromDpcLevel ; KefReleaseSpinLockFromDpcLevel(x)
@VerifierKeReleaseSpinLockFromDpcLevelNoReboot@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeTryToAcquireQueuedSpinLock(x, x)
@VerifierKeTryToAcquireQueuedSpinLock@8	proc near ; DATA XREF: PAGEVRFD:00AAB764o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		inc	dword_6C6E48
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		push	edi
		mov	edi, edx
		jz	short loc_A66943
		push	58h
		pop	edx
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A66943:				; CODE XREF: VerifierKeTryToAcquireQueuedSpinLock(x,x)+1Fj
		xor	edx, edx
		mov	cl, 2
		call	_ViKeRaiseIrqlSanityChecks@8 ; ViKeRaiseIrqlSanityChecks(x,x)
		mov	edx, edi
		mov	ecx, ebx
		mov	esi, eax
		call	ds:_pXdvKeTryToAcquireQueuedSpinLock
		test	esi, esi
		jz	short loc_A66968
		movzx	ecx, large byte	ptr fs:51h
		mov	[esi+6], cx

loc_A66968:				; CODE XREF: VerifierKeTryToAcquireQueuedSpinLock(x,x)+40j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
@VerifierKeTryToAcquireQueuedSpinLock@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeTryToAcquireQueuedSpinLockRaiseToSynch(x, x)
@VerifierKeTryToAcquireQueuedSpinLockRaiseToSynch@8 proc near
					; DATA XREF: PAGEVRFD:00AAB794o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		inc	dword_6C6E48
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		push	edi
		mov	edi, edx
		jz	short loc_A66996
		push	58h
		pop	edx
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A66996:				; CODE XREF: VerifierKeTryToAcquireQueuedSpinLockRaiseToSynch(x,x)+1Fj
		xor	edx, edx
		mov	cl, 1Bh
		call	_ViKeRaiseIrqlSanityChecks@8 ; ViKeRaiseIrqlSanityChecks(x,x)
		mov	edx, edi
		mov	ecx, ebx
		mov	esi, eax
		call	@KeTryToAcquireQueuedSpinLockRaiseToSynch@8 ; KeTryToAcquireQueuedSpinLockRaiseToSynch(x,x)
		test	esi, esi
		jz	short loc_A669BA
		movzx	ecx, large byte	ptr fs:51h
		mov	[esi+6], cx

loc_A669BA:				; CODE XREF: VerifierKeTryToAcquireQueuedSpinLockRaiseToSynch(x,x)+3Fj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
@VerifierKeTryToAcquireQueuedSpinLockRaiseToSynch@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeTryToAcquireSpinLockAtDpcLevel(x)
@VerifierKeTryToAcquireSpinLockAtDpcLevel@4 proc near ;	DATA XREF: PAGEVRFD:00AA877Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+4]
		push	ebx
		push	esi
		mov	esi, ecx
		call	_ViKeTryToAcquireSpinLockAtDpcLevelCommon@8 ; ViKeTryToAcquireSpinLockAtDpcLevelCommon(x,x)
		mov	bl, al
		test	bl, bl
		jz	short loc_A669ED
		push	dword ptr [ebp+4]
		mov	ecx, large fs:124h
		push	1
		push	ecx
		push	5
		pop	edx
		mov	ecx, esi
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)

loc_A669ED:				; CODE XREF: VerifierKeTryToAcquireSpinLockAtDpcLevel(x)+15j
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn
@VerifierKeTryToAcquireSpinLockAtDpcLevel@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKeTryToAcquireSpinLockAtDpcLevelNoReboot(x)
@VerifierKeTryToAcquireSpinLockAtDpcLevelNoReboot@4 proc near
					; DATA XREF: PAGEVRFD:00AA878Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+4]
		pop	ebp
		jmp	_ViKeTryToAcquireSpinLockAtDpcLevelCommon@8 ; ViKeTryToAcquireSpinLockAtDpcLevelCommon(x,x)
@VerifierKeTryToAcquireSpinLockAtDpcLevelNoReboot@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKfAcquireSpinLock(x)
@VerifierKfAcquireSpinLock@4 proc near	; DATA XREF: PAGEVRFD:00AA8744o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+4]
		push	ebx
		push	esi
		mov	esi, ecx
		call	_ViKfAcquireSpinLockCommon@8 ; ViKfAcquireSpinLockCommon(x,x)
		push	dword ptr [ebp+4]
		mov	edx, large fs:124h
		mov	ecx, esi
		push	0
		push	edx
		push	5
		pop	edx
		mov	bl, al
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn
@VerifierKfAcquireSpinLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKfAcquireSpinLockNoReboot(x)
@VerifierKfAcquireSpinLockNoReboot@4 proc near ; DATA XREF: PAGEVRFD:00AA8754o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+4]
		pop	ebp
		jmp	_ViKfAcquireSpinLockCommon@8 ; ViKfAcquireSpinLockCommon(x,x)
@VerifierKfAcquireSpinLockNoReboot@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierKfLowerIrql(x)
@VerifierKfLowerIrql@4 proc near	; DATA XREF: PAGEVRFD:00AAB314o
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ds:_pXdvKfLowerIrql
		mov	bl, cl
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	dl, bl
		mov	cl, al
		call	_ViKeLowerIrqlSanityChecks@8 ; ViKeLowerIrqlSanityChecks(x,x)
		mov	edx, dword_6BE344
		mov	edi, eax
		test	edx, edx
		jz	short loc_A66A69
		mov	esi, edx

loc_A66A69:				; CODE XREF: VerifierKfLowerIrql(x)+26j
		mov	cl, bl
		call	esi
		mov	ecx, edi
		xor	edx, edx
		pop	edi
		pop	esi
		inc	edx
		pop	ebx
		jmp	_ViKeIrqlLogCommon@8 ; ViKeIrqlLogCommon(x,x)
@VerifierKfLowerIrql@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKfRaiseIrql(x)
@VerifierKfRaiseIrql@4 proc near	; DATA XREF: PAGEVRFD:00AAB2FCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ds:_pXdvKfRaiseIrql
		mov	bl, cl
		push	edi
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_A66AB0
		inc	dword_6C6E44
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		jz	short loc_A66AB0
		push	54h
		pop	edx
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A66AB0:				; CODE XREF: VerifierKfRaiseIrql(x)+17j
					; VerifierKfRaiseIrql(x)+2Cj
		xor	edx, edx
		mov	cl, bl
		call	_ViKeRaiseIrqlSanityChecks@8 ; ViKeRaiseIrqlSanityChecks(x,x)
		mov	edi, eax
		mov	eax, _ViKernelVerifierOriginalCalls
		test	eax, eax
		jz	short loc_A66AC6
		mov	esi, eax

loc_A66AC6:				; CODE XREF: VerifierKfRaiseIrql(x)+48j
		mov	cl, bl
		call	esi
		test	edi, edi
		jz	short loc_A66ADA
		movzx	ecx, large byte	ptr fs:51h
		mov	[edi+6], cx

loc_A66ADA:				; CODE XREF: VerifierKfRaiseIrql(x)+52j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn
@VerifierKfRaiseIrql@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKfReleaseSpinLock(x, x)
@VerifierKfReleaseSpinLock@8 proc near	; DATA XREF: PAGEVRFD:00AA8760o

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	eax, ecx
		mov	bl, dl
		push	edi
		mov	[ebp+var_4], eax
		call	_ViKfReleaseSpinLockCommon@8 ; ViKfReleaseSpinLockCommon(x,x)
		push	dword ptr [ebp+4]
		mov	esi, large fs:124h
		mov	edi, eax
		mov	ecx, [ebp+var_4]
		push	esi
		push	5
		pop	edx
		call	_VfDeadlockReleaseResource@16 ;	VfDeadlockReleaseResource(x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	dl, bl
		call	ds:_pXdvKfReleaseSpinLock
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_ViKeIrqlLogCommon@8 ; ViKeIrqlLogCommon(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
@VerifierKfReleaseSpinLock@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierKfReleaseSpinLockNoReboot(x, x)
@VerifierKfReleaseSpinLockNoReboot@8 proc near ; DATA XREF: PAGEVRFD:00AA8770o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	bl, dl
		mov	esi, ecx
		call	_ViKfReleaseSpinLockCommon@8 ; ViKfReleaseSpinLockCommon(x,x)
		test	ds:byte_70EFC6,	1
		mov	edi, eax
		jz	short loc_A66B4E
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A66B53
; 

loc_A66B4E:				; CODE XREF: VerifierKfReleaseSpinLockNoReboot(x,x)+1Aj
		xor	eax, eax
		lock and [esi],	eax

loc_A66B53:				; CODE XREF: VerifierKfReleaseSpinLockNoReboot(x,x)+26j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		xor	edx, edx
		pop	edi
		pop	esi
		inc	edx
		pop	ebx
		pop	ebp
		jmp	_ViKeIrqlLogCommon@8 ; ViKeIrqlLogCommon(x,x)
@VerifierKfReleaseSpinLockNoReboot@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeCancelTimer(x)
_VerifierKeCancelTimer@4 proc near	; DATA XREF: PAGEVRFD:00AA9C04o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeCancelTimer
_VerifierKeCancelTimer@4 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierKeClearEvent(x)
_VerifierKeClearEvent@4	proc near	; DATA XREF: PAGEVRFD:00AA9C1Co
		jmp	ds:_pXdvKeClearEvent
_VerifierKeClearEvent@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeDelayExecutionThread(x, x, x)
_VerifierKeDelayExecutionThread@12 proc	near ; DATA XREF: PAGEVRFD:00AAB3BCo

arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	cl, [ebp+arg_4]
		call	_ViKeInjectStatusAlerted@4 ; ViKeInjectStatusAlerted(x)
		test	eax, eax
		jz	short loc_A66B95
		mov	eax, 101h
		pop	ebp
		retn	0Ch
; 

loc_A66B95:				; CODE XREF: VerifierKeDelayExecutionThread(x,x,x)+Fj
		pop	ebp
		jmp	ds:_pXdvKeDelayExecutionThread
_VerifierKeDelayExecutionThread@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeInitializeEvent(x, x, x)
_VerifierKeInitializeEvent@12 proc near	; DATA XREF: PAGEVRFD:00AAB734o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	10h
		pop	edx
		call	_VfUtilSynchronizationObjectSanityChecks@8 ; VfUtilSynchronizationObjectSanityChecks(x,x)
		pop	ebp
		jmp	ds:_pXdvKeInitializeEvent
_VerifierKeInitializeEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeInitializeMutant(x, x)
_VerifierKeInitializeMutant@8 proc near	; DATA XREF: PAGEVRFD:00AA8610o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	20h
		pop	edx
		call	_VfUtilSynchronizationObjectSanityChecks@8 ; VfUtilSynchronizationObjectSanityChecks(x,x)
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvKeInitializeMutant
		push	ecx
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		inc	edx
		call	_VfDeadlockInitializeResource@16 ; VfDeadlockInitializeResource(x,x,x,x)
		cmp	byte ptr [ebp+arg_4], 0
		jz	short loc_A66BFB
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		inc	edx
		push	0
		push	eax
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)

loc_A66BFB:				; CODE XREF: VerifierKeInitializeMutant(x,x)+2Fj
		pop	ebp
		retn	8
_VerifierKeInitializeMutant@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeInitializeMutantNoReboot(x, x)
_VerifierKeInitializeMutantNoReboot@8 proc near	; DATA XREF: PAGEVRFD:00AA8620o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	20h
		pop	edx
		call	_VfUtilSynchronizationObjectSanityChecks@8 ; VfUtilSynchronizationObjectSanityChecks(x,x)
		pop	ebp
		jmp	ds:_pXdvKeInitializeMutant
_VerifierKeInitializeMutantNoReboot@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeInitializeMutex(x, x)
_VerifierKeInitializeMutex@8 proc near	; DATA XREF: PAGEVRFD:00AA85F4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	20h
		pop	edx
		call	_VfUtilSynchronizationObjectSanityChecks@8 ; VfUtilSynchronizationObjectSanityChecks(x,x)
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvKeInitializeMutex
		push	ecx
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		inc	edx
		call	_VfDeadlockInitializeResource@16 ; VfDeadlockInitializeResource(x,x,x,x)
		pop	ebp
		retn	8
_VerifierKeInitializeMutex@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeInitializeMutexNoReboot(x, x)
_VerifierKeInitializeMutexNoReboot@8 proc near ; DATA XREF: PAGEVRFD:00AA8604o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	20h
		pop	edx
		call	_VfUtilSynchronizationObjectSanityChecks@8 ; VfUtilSynchronizationObjectSanityChecks(x,x)
		pop	ebp
		jmp	ds:_pXdvKeInitializeMutex
_VerifierKeInitializeMutexNoReboot@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeInitializeSemaphore(x, x,	x)
_VerifierKeInitializeSemaphore@12 proc near ; DATA XREF: PAGEVRFD:00AAB74Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	14h
		pop	edx
		call	_VfUtilSynchronizationObjectSanityChecks@8 ; VfUtilSynchronizationObjectSanityChecks(x,x)
		pop	ebp
		jmp	ds:_pXdvKeInitializeSemaphore
_VerifierKeInitializeSemaphore@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeInitializeSpinLock(x)
_VerifierKeInitializeSpinLock@4	proc near ; DATA XREF: PAGEVRFD:00AA86F0o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	4
		pop	edx
		call	_VfUtilSynchronizationObjectSanityChecks@8 ; VfUtilSynchronizationObjectSanityChecks(x,x)
		push	[ebp+arg_0]
		call	_KzInitializeSpinLock@4	; KzInitializeSpinLock(x)
		push	ecx
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		push	7
		pop	edx
		call	_VfDeadlockInitializeResource@16 ; VfDeadlockInitializeResource(x,x,x,x)
		pop	ebp
		retn	4
_VerifierKeInitializeSpinLock@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeInitializeSpinLockNoReboot(x)
_VerifierKeInitializeSpinLockNoReboot@4	proc near ; DATA XREF: PAGEVRFD:00AA8700o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	4
		pop	edx
		call	_VfUtilSynchronizationObjectSanityChecks@8 ; VfUtilSynchronizationObjectSanityChecks(x,x)
		pop	ebp
		jmp	_KzInitializeSpinLock@4	; KzInitializeSpinLock(x)
_VerifierKeInitializeSpinLockNoReboot@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeInitializeTimer(x)
_VerifierKeInitializeTimer@4 proc near	; DATA XREF: PAGEVRFD:00AAB3A4o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	0
		push	[ebp+arg_0]
		call	_VerifierKeInitializeTimerEx@8 ; VerifierKeInitializeTimerEx(x,x)
		pop	ebp
		retn	4
_VerifierKeInitializeTimer@4 endp ; sp = -8


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeInitializeTimerEx(x, x)
_VerifierKeInitializeTimerEx@8 proc near ; CODE	XREF: VerifierKeInitializeTimer(x)+Ap
					; DATA XREF: PAGEVRFD:00AAB38Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	28h
		pop	edx
		call	_VfUtilSynchronizationObjectSanityChecks@8 ; VfUtilSynchronizationObjectSanityChecks(x,x)
		test	_MmVerifierData, 400000h
		jnz	short loc_A66CEE
		mov	ecx, [ebp+arg_0]
		push	28h
		pop	edx
		call	_KeCheckForTimer@8 ; KeCheckForTimer(x,x)

loc_A66CEE:				; CODE XREF: VerifierKeInitializeTimerEx(x,x)+1Aj
		pop	ebp
		jmp	ds:_pXdvKeInitializeTimerEx
_VerifierKeInitializeTimerEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeLowerIrql(x)
_VerifierKeLowerIrql@4 proc near	; DATA XREF: PAGEVRFD:00AAB35Co

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	dl, [ebp+arg_0]
		mov	cl, al
		call	_ViKeLowerIrqlSanityChecks@8 ; ViKeLowerIrqlSanityChecks(x,x)
		mov	ecx, dword_6BE350
		mov	esi, eax
		test	ecx, ecx
		jz	short loc_A66D1E
		push	dword ptr [ebp+arg_0]
		call	ecx
		jmp	short loc_A66D27
; 

loc_A66D1E:				; CODE XREF: VerifierKeLowerIrql(x)+20j
		mov	cl, [ebp+arg_0]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A66D27:				; CODE XREF: VerifierKeLowerIrql(x)+27j
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_ViKeIrqlLogCommon@8 ; ViKeIrqlLogCommon(x,x)
		pop	esi
		pop	ebp
		retn	4
_VerifierKeLowerIrql@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKePulseEvent(x, x, x)
_VerifierKePulseEvent@12 proc near	; DATA XREF: PAGEVRFD:00AA9D24o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKePulseEvent
_VerifierKePulseEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeRaiseIrql(x, x)
_VerifierKeRaiseIrql@8 proc near	; DATA XREF: PAGEVRFD:00AAB32Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		inc	dword_6C6E44
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		jz	short loc_A66D64
		push	54h
		pop	edx
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A66D64:				; CODE XREF: VerifierKeRaiseIrql(x,x)+18j
		mov	cl, byte ptr [ebp+arg_0]
		xor	edx, edx
		push	esi
		call	_ViKeRaiseIrqlSanityChecks@8 ; ViKeRaiseIrqlSanityChecks(x,x)
		mov	esi, eax
		mov	eax, dword_6BE348
		test	eax, eax
		jz	short loc_A66D84
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	eax
		jmp	short loc_A66D92
; 

loc_A66D84:				; CODE XREF: VerifierKeRaiseIrql(x,x)+36j
		mov	cl, byte ptr [ebp+arg_0]
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx], al

loc_A66D92:				; CODE XREF: VerifierKeRaiseIrql(x,x)+40j
		test	esi, esi
		jz	short loc_A66DA2
		movzx	eax, large byte	ptr fs:51h
		mov	[esi+6], ax

loc_A66DA2:				; CODE XREF: VerifierKeRaiseIrql(x,x)+52j
		pop	esi
		pop	ebp
		retn	8
_VerifierKeRaiseIrql@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeRaiseIrqlToDpcLevel()
_VerifierKeRaiseIrqlToDpcLevel@0 proc near ; DATA XREF:	PAGEVRFD:00AAB344o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ds:_pXdvKeRaiseIrqlToDpcLevel
		inc	dword_6C6E44
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		push	edi
		jz	short loc_A66DD1
		push	54h
		pop	edx
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A66DD1:				; CODE XREF: VerifierKeRaiseIrqlToDpcLevel()+20j
		mov	edx, _MmVerifierData
		mov	cl, 2
		shr	edx, 11h
		and	edx, 1
		call	_ViKeRaiseIrqlSanityChecks@8 ; ViKeRaiseIrqlSanityChecks(x,x)
		mov	edi, eax
		mov	eax, dword_6BE34C
		test	eax, eax
		jz	short loc_A66DF1
		mov	esi, eax

loc_A66DF1:				; CODE XREF: VerifierKeRaiseIrqlToDpcLevel()+46j
		call	esi
		test	edi, edi
		jz	short loc_A66E03
		movzx	ecx, large byte	ptr fs:51h
		mov	[edi+6], cx

loc_A66E03:				; CODE XREF: VerifierKeRaiseIrqlToDpcLevel()+4Ej
		pop	edi
		pop	esi
		pop	ebp
		retn
_VerifierKeRaiseIrqlToDpcLevel@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeReadStateEvent(x)
_VerifierKeReadStateEvent@4 proc near	; DATA XREF: PAGEVRFD:00AA9DB4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeReadStateEvent
_VerifierKeReadStateEvent@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeReadStateMutex(x)
_VerifierKeReadStateMutex@4 proc near	; DATA XREF: PAGEVRFD:00AA9DCCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeReadStateMutex
_VerifierKeReadStateMutex@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeReadStateSemaphore(x)
_VerifierKeReadStateSemaphore@4	proc near ; DATA XREF: PAGEVRFD:00AA9DE4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeReadStateSemaphore
_VerifierKeReadStateSemaphore@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeReadStateTimer(x)
_VerifierKeReadStateTimer@4 proc near	; DATA XREF: PAGEVRFD:00AA9DFCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeReadStateTimer
_VerifierKeReadStateTimer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeReleaseMutant(x, x, x, x)
_VerifierKeReleaseMutant@16 proc near	; DATA XREF: PAGEVRFD:00AA8648o

arg_0		= dword	ptr  8
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	20h
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		xor	edx, edx
		cmp	[ebp+arg_8], dl
		mov	ecx, [ebp+arg_0]
		setnz	dl
		push	eax
		inc	edx
		call	_VfDeadlockReleaseResource@16 ;	VfDeadlockReleaseResource(x,x,x,x)
		pop	ebp
		jmp	ds:_pXdvKeReleaseMutant
_VerifierKeReleaseMutant@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeReleaseMutantNoReboot(x, x, x, x)
_VerifierKeReleaseMutantNoReboot@16 proc near ;	DATA XREF: PAGEVRFD:00AA8658o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	20h
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		pop	ebp
		jmp	ds:_pXdvKeReleaseMutant
_VerifierKeReleaseMutantNoReboot@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeReleaseMutex(x, x)
_VerifierKeReleaseMutex@8 proc near	; DATA XREF: PAGEVRFD:00AA862Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	20h
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		xor	edx, edx
		mov	ecx, [ebp+arg_0]
		inc	edx
		push	eax
		call	_VfDeadlockReleaseResource@16 ;	VfDeadlockReleaseResource(x,x,x,x)
		pop	ebp
		jmp	ds:_pXdvKeReleaseMutex
_VerifierKeReleaseMutex@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeReleaseMutexNoReboot(x, x)
_VerifierKeReleaseMutexNoReboot@8 proc near ; DATA XREF: PAGEVRFD:00AA863Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	20h
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		pop	ebp
		jmp	ds:_pXdvKeReleaseMutex
_VerifierKeReleaseMutexNoReboot@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeReleaseSemaphore(x, x, x,	x)
_VerifierKeReleaseSemaphore@16 proc near ; DATA	XREF: PAGEVRFD:00AA9E8Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeReleaseSemaphore
_VerifierKeReleaseSemaphore@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeResetEvent(x)
_VerifierKeResetEvent@4	proc near	; DATA XREF: PAGEVRFD:00AA9F1Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvKeResetEvent
_VerifierKeResetEvent@4	endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierKeRestoreExtendedProcessorState(x). PRESS	KEYPAD "+" TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeSaveExtendedProcessorState(x, x, x)
_VerifierKeSaveExtendedProcessorState@12 proc near ; DATA XREF:	PAGEVRFD:00AAB2CCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvKeSaveExtendedProcessorState
		pop	ebp
		retn	0Ch
_VerifierKeSaveExtendedProcessorState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeSetEvent(x, x, x)
_VerifierKeSetEvent@12 proc near	; DATA XREF: PAGEVRFD:00AAB2B4o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	_MmVerifierData, 800h
		jz	short loc_A66F35
		mov	ecx, [ebp+arg_0]
		push	10h
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jbe	short loc_A66F35
		push	0
		push	[ebp+arg_0]
		mov	edx, 80h
		movzx	eax, al
		push	eax
		lea	ecx, [edx+44h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A66F35:				; CODE XREF: VerifierKeSetEvent(x,x,x)+Fj
					; VerifierKeSetEvent(x,x,x)+24j
		pop	ebp
		jmp	ds:_pXdvKeSetEvent
_VerifierKeSetEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeSetTimer(x, x, x,	x)
_VerifierKeSetTimer@16 proc near	; DATA XREF: PAGEVRFD:00AA9F64o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvKeSetTimer
		pop	ebp
		retn	10h
_VerifierKeSetTimer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeSetTimerEx(x, x, x, x, x)
_VerifierKeSetTimerEx@20 proc near	; DATA XREF: PAGEVRFD:00AA9F7Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvKeSetTimerEx
		pop	ebp
		retn	14h
_VerifierKeSetTimerEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeSynchronizeExecution(x, x, x)
_VerifierKeSynchronizeExecution@12 proc	near ; DATA XREF: PAGEVRFD:00AAB374o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		inc	dword_6C6E4C
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		jz	short loc_A66F97
		push	5Ch
		pop	edx
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A66F97:				; CODE XREF: VerifierKeSynchronizeExecution(x,x,x)+18j
		push	esi
		mov	esi, [ebp+arg_0]
		xor	edx, edx
		mov	cl, [esi+31h]
		call	_ViKeRaiseIrqlSanityChecks@8 ; ViKeRaiseIrqlSanityChecks(x,x)
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	ds:_pXdvKeSynchronizeExecution
		pop	esi
		pop	ebp
		retn	0Ch
_VerifierKeSynchronizeExecution@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeWaitForMultipleObjects(x,	x, x, x, x, x, x, x)
_VerifierKeWaitForMultipleObjects@32 proc near ; DATA XREF: PAGEVRFD:00AA85D8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_18]
		push	esi
		mov	esi, [ebp+arg_4]
		mov	edx, esi
		push	edi
		mov	edi, [ebp+arg_0]
		push	ecx
		push	[ebp+arg_1C]
		mov	ecx, edi
		push	ebx
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_ViKeWaitForMultipleObjectsCommon@36 ; ViKeWaitForMultipleObjectsCommon(x,x,x,x,x,x,x,x,x)
		test	_MmVerifierData, 400000h
		mov	ecx, eax
		mov	[ebp+arg_1C], ecx
		jz	short loc_A67025
		cmp	ds:_ViDeadlockDetectionEnabled,	0
		jz	short loc_A67052
		mov	esi, ecx
		and	esi, 0FFFFFF7Fh
		cmp	byte ptr [ebp+arg_10], 0
		jnz	short loc_A67015
		test	esi, esi
		jnz	short loc_A67052
		mov	edx, [ebp+arg_4]

loc_A67011:				; CODE XREF: VerifierKeWaitForMultipleObjects(x,x,x,x,x,x,x,x)+7Fj
		mov	ecx, edi
		jmp	short loc_A67046
; 

loc_A67015:				; CODE XREF: VerifierKeWaitForMultipleObjects(x,x,x,x,x,x,x,x)+51j
		test	esi, esi
		js	short loc_A67052
		cmp	esi, edi
		jge	short loc_A67052
		mov	eax, [ebp+arg_4]
		lea	edx, [eax+esi*4]
		jmp	short loc_A67043
; 

loc_A67025:				; CODE XREF: VerifierKeWaitForMultipleObjects(x,x,x,x,x,x,x,x)+3Aj
		and	eax, 0FFFFFF7Fh
		cmp	byte ptr [ebp+arg_10], 0
		jnz	short loc_A67038
		test	eax, eax
		jnz	short loc_A67052
		mov	edx, esi
		jmp	short loc_A67011
; 

loc_A67038:				; CODE XREF: VerifierKeWaitForMultipleObjects(x,x,x,x,x,x,x,x)+77j
		test	eax, eax
		js	short loc_A67052
		cmp	eax, edi
		jge	short loc_A67052
		lea	edx, [esi+eax*4]

loc_A67043:				; CODE XREF: VerifierKeWaitForMultipleObjects(x,x,x,x,x,x,x,x)+6Cj
		xor	ecx, ecx
		inc	ecx

loc_A67046:				; CODE XREF: VerifierKeWaitForMultipleObjects(x,x,x,x,x,x,x,x)+5Cj
		push	dword ptr [ebp+4]
		push	ebx
		call	_ViKeObjectAcquired@16 ; ViKeObjectAcquired(x,x,x,x)
		mov	ecx, [ebp+arg_1C]

loc_A67052:				; CODE XREF: VerifierKeWaitForMultipleObjects(x,x,x,x,x,x,x,x)+43j
					; VerifierKeWaitForMultipleObjects(x,x,x,x,x,x,x,x)+55j ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		pop	ebp
		retn	20h
_VerifierKeWaitForMultipleObjects@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeWaitForMultipleObjectsNoReboot(x,	x, x, x, x, x, x, x)
_VerifierKeWaitForMultipleObjectsNoReboot@32 proc near ; DATA XREF: PAGEVRFD:00AA85E8o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ecx
		push	[ebp+arg_1C]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_ViKeWaitForMultipleObjectsCommon@36 ; ViKeWaitForMultipleObjectsCommon(x,x,x,x,x,x,x,x,x)
		pop	ebp
		retn	20h
_VerifierKeWaitForMultipleObjectsNoReboot@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeWaitForSingleObject(x, x,	x, x, x)
_VerifierKeWaitForSingleObject@20 proc near ; DATA XREF: PAGEVRFD:00AA85BCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	esi
		push	ecx
		push	[ebp+arg_10]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_ViKeWaitForSingleObjectCommon@24 ; ViKeWaitForSingleObjectCommon(x,x,x,x,x,x)
		test	_MmVerifierData, 400000h
		mov	esi, eax
		jz	short loc_A670B4
		cmp	ds:_ViDeadlockDetectionEnabled,	0
		jz	short loc_A670CD

loc_A670B4:				; CODE XREF: VerifierKeWaitForSingleObject(x,x,x,x,x)+27j
		test	esi, 0FFFFFF7Fh
		jnz	short loc_A670CD
		push	dword ptr [ebp+4]
		xor	ecx, ecx
		lea	edx, [ebp+arg_0]
		push	[ebp+arg_10]
		inc	ecx
		call	_ViKeObjectAcquired@16 ; ViKeObjectAcquired(x,x,x,x)

loc_A670CD:				; CODE XREF: VerifierKeWaitForSingleObject(x,x,x,x,x)+30j
					; VerifierKeWaitForSingleObject(x,x,x,x,x)+38j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	14h
_VerifierKeWaitForSingleObject@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierKeWaitForSingleObjectNoReboot(x, x,	x, x, x)
_VerifierKeWaitForSingleObjectNoReboot@20 proc near ; DATA XREF: PAGEVRFD:00AA85CCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_4]
		push	ecx
		push	[ebp+arg_10]
		mov	ecx, [ebp+arg_0]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		call	_ViKeWaitForSingleObjectCommon@24 ; ViKeWaitForSingleObjectCommon(x,x,x,x,x,x)
		pop	ebp
		retn	14h
_VerifierKeWaitForSingleObjectNoReboot@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPortKeAcquireSpinLock(x, x,	x)
_VerifierPortKeAcquireSpinLock@12 proc near ; DATA XREF: .data:006B3714o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_8]
		mov	ecx, [ebp+arg_0]
		call	_ViKeAcquireSpinLockCommon@12 ;	ViKeAcquireSpinLockCommon(x,x,x)
		pop	ebp
		retn	0Ch
_VerifierPortKeAcquireSpinLock@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPortKeAcquireSpinLockNoXdv(x, x, x)
_VerifierPortKeAcquireSpinLockNoXdv@12 proc near ; DATA	XREF: .data:006B371Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		inc	dword_6C6E48
		test	_MmVerifierData, 1000h
		jz	short loc_A6712B
		mov	ecx, [ebp+arg_8]
		push	58h
		pop	edx
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A6712B:				; CODE XREF: VerifierPortKeAcquireSpinLockNoXdv(x,x,x)+15j
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	4
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		xor	edx, edx
		mov	cl, 2
		call	_ViKeRaiseIrqlSanityChecks@8 ; ViKeRaiseIrqlSanityChecks(x,x)
		mov	esi, eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, [ebp+arg_0]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, [ebp+arg_4]
		mov	[ecx], bl
		test	esi, esi
		jz	short loc_A67168
		movzx	eax, large byte	ptr fs:51h
		mov	[esi+6], ax

loc_A67168:				; CODE XREF: VerifierPortKeAcquireSpinLockNoXdv(x,x,x)+51j
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_VerifierPortKeAcquireSpinLockNoXdv@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPortKeReleaseSpinLock(x, x,	x)
_VerifierPortKeReleaseSpinLock@12 proc near ; DATA XREF: .data:006B3718o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		call	_ViKeReleaseSpinLockCommon@8 ; ViKeReleaseSpinLockCommon(x,x)
		mov	dl, [ebp+arg_4]
		mov	esi, eax
		mov	ecx, [ebp+arg_0]
		call	ds:_pXdvKfReleaseSpinLock
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_ViKeIrqlLogCommon@8 ; ViKeIrqlLogCommon(x,x)
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_VerifierPortKeReleaseSpinLock@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPortKeReleaseSpinLockNoXdv(x, x, x)
_VerifierPortKeReleaseSpinLockNoXdv@12 proc near ; DATA	XREF: .data:006B3720o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bl, [ebp+arg_4]
		push	esi
		mov	esi, [ebp+arg_0]
		mov	dl, bl
		push	edi
		mov	ecx, esi
		call	_ViKeReleaseSpinLockCommon@8 ; ViKeReleaseSpinLockCommon(x,x)
		test	ds:byte_70EFC6,	1
		mov	edi, eax
		jz	short loc_A671CC
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A671D1
; 

loc_A671CC:				; CODE XREF: VerifierPortKeReleaseSpinLockNoXdv(x,x,x)+20j
		xor	eax, eax
		lock and [esi],	eax

loc_A671D1:				; CODE XREF: VerifierPortKeReleaseSpinLockNoXdv(x,x,x)+2Cj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	edx, edx
		mov	ecx, edi
		inc	edx
		call	_ViKeIrqlLogCommon@8 ; ViKeIrqlLogCommon(x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
_VerifierPortKeReleaseSpinLockNoXdv@12 endp


;  S U B	R O U T	I N E 


; __stdcall VfKeCheckForChanges(x)
_VfKeCheckForChanges@4 proc near	; CODE XREF: VfSettingsCheckForChanges(x,x,x,x)+14p
					; VfSettingsInit(x)+5p
		test	_MmVerifierData, 0FBFh
		push	ebx
		mov	ebx, ecx
		jz	loc_A672B5
		mov	eax, ds:_ViTrackIrqlQueue
		push	esi
		push	edi
		test	eax, eax
		jnz	short loc_A6725C
		test	bl, 2
		jnz	short loc_A67216
		cmp	_VfVerifyMode, 3
		jl	short loc_A6725C

loc_A67216:				; CODE XREF: VfKeCheckForChanges(x)+21j
		mov	edi, ds:_ViTrackIrqlQueueLength
		push	20h
		push	6C717249h
		shl	edi, 5
		push	edi
		push	200h
		call	ExAllocatePoolWithTagPriority
		mov	esi, eax
		test	esi, esi
		jz	short loc_A6725C
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi
		mov	edx, offset _ViTrackIrqlQueue
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_A6725C
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A6725C:				; CODE XREF: VfKeCheckForChanges(x)+1Cj
					; VfKeCheckForChanges(x)+2Aj ...
		mov	eax, ds:_VfKeCriticalRegionTraces
		test	eax, eax
		jnz	short loc_A672B3
		test	ebx, 800h
		jz	short loc_A672B3
		mov	edi, ds:_VfKeCriticalRegionTracesLength
		push	20h
		push	52436656h
		shl	edi, 5
		push	edi
		push	200h
		call	ExAllocatePoolWithTagPriority
		mov	esi, eax
		test	esi, esi
		jz	short loc_A672B3
		push	edi		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi
		mov	edx, offset _VfKeCriticalRegionTraces
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jz	short loc_A672B3
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A672B3:				; CODE XREF: VfKeCheckForChanges(x)+79j
					; VfKeCheckForChanges(x)+81j ...
		pop	edi
		pop	esi

loc_A672B5:				; CODE XREF: VfKeCheckForChanges(x)+Dj
		pop	ebx
		retn
_VfKeCheckForChanges@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfKeInsertQueueDpc(x, x, x)
_VfKeInsertQueueDpc@12 proc near	; DATA XREF: PAGEVRFD:00AAB404o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	20h
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		pop	ebp
		jmp	ds:_pXdvKeInsertQueueDpc
_VfKeInsertQueueDpc@12 endp


;  S U B	R O U T	I N E 


; __stdcall VfKeIrqlTransitionReserveLogEntry(x, x)
_VfKeIrqlTransitionReserveLogEntry@8 proc near
					; CODE XREF: ViKeLowerIrqlSanityChecks(x,x)+6Dj
					; ViKeRaiseIrqlSanityChecks(x,x)+7Dp ...
		xor	eax, eax
		push	ebx
		mov	bl, cl
		cmp	ds:_ViTrackIrqlQueue, eax
		jz	short loc_A6731B
		cmp	ds:_ViKeTrackIrqlDisabled, eax
		jz	short loc_A672EC
		lock inc ds:_ViKeTrackIrqlSkipped
		pop	ebx
		retn
; 

loc_A672EC:				; CODE XREF: VfKeIrqlTransitionReserveLogEntry(x,x)+13j
		xor	ecx, ecx
		inc	ecx
		lock xadd ds:_ViTrackIrqlIndex,	ecx
		inc	ecx
		mov	eax, ds:_ViTrackIrqlQueueLength
		dec	eax
		and	eax, ecx
		movzx	ecx, large byte	ptr fs:51h
		shl	eax, 5
		add	eax, ds:_ViTrackIrqlQueue
		mov	[eax+4], bl
		mov	[eax+5], dl
		mov	[eax+6], cx

loc_A6731B:				; CODE XREF: VfKeIrqlTransitionReserveLogEntry(x,x)+Bj
		pop	ebx
		retn
_VfKeIrqlTransitionReserveLogEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfKeRemoveQueueDpc(x)
_VfKeRemoveQueueDpc@4 proc near		; DATA XREF: PAGEVRFD:00AAB41Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	20h
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		pop	ebp
		jmp	ds:_pXdvKeRemoveQueueDpc
_VfKeRemoveQueueDpc@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViKeAcquireSpinLockAtDpcLevelCommon(x, x)
_ViKeAcquireSpinLockAtDpcLevelCommon@8 proc near
					; CODE XREF: VerifierKeAcquireSpinLockAtDpcLevel(x)+Bp
					; VerifierKeAcquireSpinLockAtDpcLevelNoReboot(x)+9j
		inc	dword_6C6E48
		mov	eax, edx
		test	_MmVerifierData, 1000h
		push	esi
		mov	esi, ecx
		jz	short loc_A67355
		push	58h
		pop	edx
		mov	ecx, eax
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A67355:				; CODE XREF: ViKeAcquireSpinLockAtDpcLevelCommon(x,x)+15j
		push	4
		pop	edx
		mov	ecx, esi
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		test	byte ptr _MmVerifierData, 2
		jz	short loc_A67394
		push	ebx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 2
		jnb	short loc_A67393
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_A67393
		push	0
		push	esi
		movzx	eax, bl
		mov	ecx, 0C4h
		push	eax
		push	40h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A67393:				; CODE XREF: ViKeAcquireSpinLockAtDpcLevelCommon(x,x)+40j
					; ViKeAcquireSpinLockAtDpcLevelCommon(x,x)+49j
		pop	ebx

loc_A67394:				; CODE XREF: ViKeAcquireSpinLockAtDpcLevelCommon(x,x)+32j
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvKefAcquireSpinLockAtDpcLevel ; KxAcquireSpinLock(x)
_ViKeAcquireSpinLockAtDpcLevelCommon@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViKeAcquireSpinLockCommon(x, x, x)
_ViKeAcquireSpinLockCommon@12 proc near	; CODE XREF: VerifierPortKeAcquireSpinLock(x,x,x)+Ep

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		inc	dword_6C6E48
		mov	eax, edx
		test	_MmVerifierData, 1000h
		push	esi
		push	edi
		mov	edi, ecx
		jz	short loc_A673C4
		push	58h
		pop	edx
		mov	ecx, eax
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A673C4:				; CODE XREF: ViKeAcquireSpinLockCommon(x,x,x)+1Bj
		push	4
		pop	edx
		mov	ecx, edi
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		xor	edx, edx
		mov	cl, 2
		call	_ViKeRaiseIrqlSanityChecks@8 ; ViKeRaiseIrqlSanityChecks(x,x)
		mov	ecx, edi
		mov	esi, eax
		call	ds:_pXdvKfAcquireSpinLock ; KfAcquireSpinLock(x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx], al
		test	esi, esi
		jz	short loc_A673F6
		movzx	ecx, large byte	ptr fs:51h
		mov	[esi+6], cx

loc_A673F6:				; CODE XREF: ViKeAcquireSpinLockCommon(x,x,x)+4Bj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_ViKeAcquireSpinLockCommon@12 endp


;  S U B	R O U T	I N E 


; __stdcall ViKeInjectStatusAlerted(x)
_ViKeInjectStatusAlerted@4 proc	near	; CODE XREF: VerifierKeDelayExecutionThread(x,x,x)+8p
					; ViKeWaitForMultipleObjectsCommon(x,x,x,x,x,x,x,x,x)+4Bp ...
		mov	edi, edi
		push	esi
		test	cl, cl
		jz	short loc_A6743D
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		mov	eax, ds:_PsInitialSystemProcess
		test	eax, eax
		jz	short loc_A6743D
		cmp	esi, eax
		jz	short loc_A6743D
		cmp	esi, ds:_PsIdleProcess
		jz	short loc_A6743D
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A6743D
		mov	ecx, esi
		call	_VfUtilIsLocalSystem@4 ; VfUtilIsLocalSystem(x)
		test	eax, eax
		jnz	short loc_A6743D
		inc	eax
		pop	esi
		retn
; 

loc_A6743D:				; CODE XREF: ViKeInjectStatusAlerted(x)+5j
					; ViKeInjectStatusAlerted(x)+1Aj ...
		xor	eax, eax
		pop	esi
		retn
_ViKeInjectStatusAlerted@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViKeIrqlLogCommon(x, x)
_ViKeIrqlLogCommon@8 proc near		; CODE XREF: VerifierKeReleaseQueuedSpinLock(x,x)+5Ej
					; VerifierKeReleaseInStackQueuedSpinLockCommon(x)+4Dj ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_A67498
		mov	eax, large fs:124h
		mov	[esi], eax
		lea	eax, [ebp+var_8]
		push	eax
		call	KeQueryTickCount
		mov	eax, [ebp+var_8]
		mov	[esi+8], eax
		lea	eax, [esi+0Ch]
		test	byte ptr _VfOptionFlags, 40h
		jz	short loc_A67482
		mov	[eax], ebx
		jmp	short loc_A67498
; 

loc_A67482:				; CODE XREF: ViKeIrqlLogCommon(x,x)+3Bj
		push	ebx
		push	eax
		push	5
		push	edi
		call	RtlCaptureStackBackTrace
		movzx	eax, ax
		cmp	eax, 5
		jnb	short loc_A67498
		mov	[esi+eax*4+0Ch], ebx

loc_A67498:				; CODE XREF: ViKeIrqlLogCommon(x,x)+18j
					; ViKeIrqlLogCommon(x,x)+3Fj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViKeIrqlLogCommon@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViKeLowerIrqlSanityChecks(x, x)
_ViKeLowerIrqlSanityChecks@8 proc near	; CODE XREF: VerifierKeReleaseQueuedSpinLock(x,x)+45p
					; VerifierKeReleaseInStackQueuedSpinLockCommon(x)+36p ...
		test	byte ptr _MmVerifierData, 2
		push	ebx
		mov	bl, dl
		mov	bh, cl
		jz	short loc_A67505
		push	esi
		movzx	esi, bh
		push	edi
		movzx	edi, bl
		cmp	bh, bl
		jnb	short loc_A674C8
		push	0
		push	edi
		push	esi
		push	31h
		pop	edx
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A674C8:				; CODE XREF: ViKeLowerIrqlSanityChecks(x,x)+18j
		cmp	bh, 2
		jb	short loc_A674ED
		cmp	bl, 2
		jnb	short loc_A674ED
		mov	al, large fs:235Ch
		test	al, 1
		jz	short loc_A674ED
		push	1
		push	edi
		push	esi
		push	31h
		pop	edx
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A674ED:				; CODE XREF: ViKeLowerIrqlSanityChecks(x,x)+2Ej
					; ViKeLowerIrqlSanityChecks(x,x)+33j ...
		cmp	bl, 1Fh
		jbe	short loc_A67503
		push	0
		push	edi
		push	esi
		push	31h
		pop	edx
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A67503:				; CODE XREF: ViKeLowerIrqlSanityChecks(x,x)+53j
		pop	edi
		pop	esi

loc_A67505:				; CODE XREF: ViKeLowerIrqlSanityChecks(x,x)+Cj
		mov	dl, bl
		mov	cl, bh
		pop	ebx
		jmp	_VfKeIrqlTransitionReserveLogEntry@8 ; VfKeIrqlTransitionReserveLogEntry(x,x)
_ViKeLowerIrqlSanityChecks@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViKeObjectAcquired(x, x, x,	x)
_ViKeObjectAcquired@16 proc near	; CODE XREF: VerifierKeWaitForMultipleObjects(x,x,x,x,x,x,x,x)+93p
					; VerifierKeWaitForSingleObject(x,x,x,x,x)+46p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	esi, esi
		mov	ebx, edx
		test	edi, edi
		jz	short loc_A6754C

loc_A67521:				; CODE XREF: ViKeObjectAcquired(x,x,x,x)+3Bj
		mov	ecx, [ebx+esi*4]
		mov	al, [ecx]
		and	al, 7Fh
		cmp	al, 2
		jnz	short loc_A67547
		push	[ebp+arg_4]
		xor	eax, eax
		cmp	[ebp+arg_0], eax
		setnz	al
		xor	edx, edx
		push	eax
		mov	eax, large fs:124h
		inc	edx
		push	eax
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)

loc_A67547:				; CODE XREF: ViKeObjectAcquired(x,x,x,x)+1Bj
		inc	esi
		cmp	esi, edi
		jb	short loc_A67521

loc_A6754C:				; CODE XREF: ViKeObjectAcquired(x,x,x,x)+10j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_ViKeObjectAcquired@16 endp


;  S U B	R O U T	I N E 


; __stdcall ViKeRaiseIrqlSanityChecks(x, x)
_ViKeRaiseIrqlSanityChecks@8 proc near	; CODE XREF: VerifierKeAcquireQueuedSpinLock(x)+2Ap
					; VerifierKeAcquireInStackQueuedSpinLockCommon(x,x,x)+40p ...
		mov	eax, _MmVerifierData
		push	ebx
		push	esi
		push	edi
		mov	edi, 400000h
		mov	esi, edx
		mov	bh, cl
		test	eax, edi
		jz	short loc_A6756C
		test	al, 2
		jz	short loc_A675C8

loc_A6756C:				; CODE XREF: ViKeRaiseIrqlSanityChecks(x,x)+13j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	byte ptr _MmVerifierData, 2
		mov	bl, al
		jz	short loc_A675B7
		cmp	bl, bh
		jbe	short loc_A6759B
		test	esi, esi
		jnz	short loc_A6759B
		push	esi
		movzx	eax, bh
		mov	ecx, 0C4h
		push	eax
		movzx	eax, bl
		push	eax
		push	30h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6759B:				; CODE XREF: ViKeRaiseIrqlSanityChecks(x,x)+2Cj
					; ViKeRaiseIrqlSanityChecks(x,x)+30j
		cmp	bh, 1Fh
		jbe	short loc_A675B7
		push	0
		movzx	eax, bh
		mov	ecx, 0C4h
		push	eax
		movzx	eax, bl
		push	eax
		push	30h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A675B7:				; CODE XREF: ViKeRaiseIrqlSanityChecks(x,x)+28j
					; ViKeRaiseIrqlSanityChecks(x,x)+4Bj
		test	_MmVerifierData, edi
		jz	short loc_A675CC
		test	byte ptr _VfFlightOptions, 9
		jnz	short loc_A675CC

loc_A675C8:				; CODE XREF: ViKeRaiseIrqlSanityChecks(x,x)+17j
		xor	eax, eax
		jmp	short loc_A67604
; 

loc_A675CC:				; CODE XREF: ViKeRaiseIrqlSanityChecks(x,x)+6Aj
					; ViKeRaiseIrqlSanityChecks(x,x)+73j
		mov	cl, bl
		mov	dl, bh
		call	_VfKeIrqlTransitionReserveLogEntry@8 ; VfKeIrqlTransitionReserveLogEntry(x,x)
		mov	esi, eax
		push	2
		pop	edx
		mov	ecx, esi
		call	_ViKeIrqlLogCommon@8 ; ViKeIrqlLogCommon(x,x)
		test	byte ptr _MmVerifierData, 2
		jz	short loc_A67602
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_A67602
		cmp	bl, 2
		jnb	short loc_A67602
		cmp	bh, 2
		jb	short loc_A67602
		call	_MmVerifierTrimMemory@0	; MmVerifierTrimMemory()

loc_A67602:				; CODE XREF: ViKeRaiseIrqlSanityChecks(x,x)+95j
					; ViKeRaiseIrqlSanityChecks(x,x)+9Ej ...
		mov	eax, esi

loc_A67604:				; CODE XREF: ViKeRaiseIrqlSanityChecks(x,x)+77j
		pop	edi
		pop	esi
		pop	ebx
		retn
_ViKeRaiseIrqlSanityChecks@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViKeReleaseSpinLockCommon(x, x)
_ViKeReleaseSpinLockCommon@8 proc near	; CODE XREF: VerifierPortKeReleaseSpinLock(x,x,x)+Dp
					; VerifierPortKeReleaseSpinLockNoXdv(x,x,x)+12p
		mov	edi, edi
		push	ebx
		push	esi
		push	4
		mov	bh, dl
		mov	esi, ecx
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	byte ptr _MmVerifierData, 2
		mov	bl, al
		jz	short loc_A67642
		cmp	bl, 2
		jnb	short loc_A67642
		push	0
		push	esi
		movzx	ecx, bl
		push	ecx
		push	32h
		pop	edx
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A67642:				; CODE XREF: ViKeReleaseSpinLockCommon(x,x)+1Fj
					; ViKeReleaseSpinLockCommon(x,x)+24j
		pop	esi
		mov	dl, bh
		mov	cl, bl
		pop	ebx
		jmp	_ViKeLowerIrqlSanityChecks@8 ; ViKeLowerIrqlSanityChecks(x,x)
_ViKeReleaseSpinLockCommon@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViKeTryToAcquireSpinLockAtDpcLevelCommon(x,	x)
_ViKeTryToAcquireSpinLockAtDpcLevelCommon@8 proc near
					; CODE XREF: VerifierKeTryToAcquireSpinLockAtDpcLevel(x)+Cp
					; VerifierKeTryToAcquireSpinLockAtDpcLevelNoReboot(x)+9j
		inc	dword_6C6E48
		mov	eax, edx
		test	_MmVerifierData, 1000h
		push	esi
		mov	esi, ecx
		jz	short loc_A6766E
		push	58h
		pop	edx
		mov	ecx, eax
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A6766E:				; CODE XREF: ViKeTryToAcquireSpinLockAtDpcLevelCommon(x,x)+15j
		push	4
		pop	edx
		mov	ecx, esi
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		test	byte ptr _MmVerifierData, 2
		jz	short loc_A676AD
		push	ebx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 2
		jnb	short loc_A676AC
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_A676AC
		push	0
		push	esi
		movzx	eax, bl
		mov	ecx, 0C4h
		push	eax
		push	40h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A676AC:				; CODE XREF: ViKeTryToAcquireSpinLockAtDpcLevelCommon(x,x)+40j
					; ViKeTryToAcquireSpinLockAtDpcLevelCommon(x,x)+49j
		pop	ebx

loc_A676AD:				; CODE XREF: ViKeTryToAcquireSpinLockAtDpcLevelCommon(x,x)+32j
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvKeTryToAcquireSpinLockAtDpcLevel
_ViKeTryToAcquireSpinLockAtDpcLevelCommon@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViKeWaitForMultipleObjectsCommon(x,	x, x, x, x, x, x, x, x)
_ViKeWaitForMultipleObjectsCommon@36 proc near
					; CODE XREF: VerifierKeWaitForMultipleObjects(x,x,x,x,x,x,x,x)+26p
					; VerifierKeWaitForMultipleObjectsNoReboot(x,x,x,x,x,x,x,x)+1Ep

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, large fs:124h
		mov	ebx, ecx
		push	edi
		mov	edi, edx
		test	byte ptr [esi+58h], 4
		jz	short loc_A676D8
		mov	al, [esi+92h]
		jmp	short loc_A676DE
; 

loc_A676D8:				; CODE XREF: ViKeWaitForMultipleObjectsCommon(x,x,x,x,x,x,x,x,x)+18j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()

loc_A676DE:				; CODE XREF: ViKeWaitForMultipleObjectsCommon(x,x,x,x,x,x,x,x,x)+20j
		mov	byte ptr [ebp+var_4], al
		mov	edx, edi
		mov	eax, [esi+5Ch]
		push	ecx
		push	[ebp+var_4]
		shr	eax, 6
		mov	ecx, ebx
		and	eax, 1
		push	eax
		push	[ebp+arg_10]
		push	[ebp+arg_8]
		call	_ViKeWaitSanityChecks@28 ; ViKeWaitSanityChecks(x,x,x,x,x,x,x)
		mov	cl, byte ptr [ebp+arg_C]
		call	_ViKeInjectStatusAlerted@4 ; ViKeInjectStatusAlerted(x)
		test	eax, eax
		jz	short loc_A67711
		mov	eax, 101h
		jmp	short loc_A6772B
; 

loc_A67711:				; CODE XREF: ViKeWaitForMultipleObjectsCommon(x,x,x,x,x,x,x,x,x)+52j
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	ebx
		call	ds:_pXdvKeWaitForMultipleObjects

loc_A6772B:				; CODE XREF: ViKeWaitForMultipleObjectsCommon(x,x,x,x,x,x,x,x,x)+59j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
_ViKeWaitForMultipleObjectsCommon@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViKeWaitForSingleObjectCommon(x, x,	x, x, x, x)
_ViKeWaitForSingleObjectCommon@24 proc near
					; CODE XREF: VerifierKeWaitForSingleObject(x,x,x,x,x)+16p
					; VerifierKeWaitForSingleObjectNoReboot(x,x,x,x,x)+15p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		mov	esi, large fs:124h
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		test	byte ptr [esi+58h], 4
		jz	short loc_A67755
		mov	al, [esi+92h]
		jmp	short loc_A6775B
; 

loc_A67755:				; CODE XREF: ViKeWaitForSingleObjectCommon(x,x,x,x,x,x)+19j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()

loc_A6775B:				; CODE XREF: ViKeWaitForSingleObjectCommon(x,x,x,x,x,x)+21j
		push	ecx
		mov	byte ptr [ebp+var_4], al
		lea	edx, [ebp+var_8]
		mov	eax, [esi+5Ch]
		xor	ecx, ecx
		push	[ebp+var_4]
		shr	eax, 6
		inc	ecx
		and	eax, ecx
		push	eax
		push	[ebp+arg_8]
		push	[ebp+arg_0]
		call	_ViKeWaitSanityChecks@28 ; ViKeWaitSanityChecks(x,x,x,x,x,x,x)
		mov	cl, byte ptr [ebp+arg_4]
		call	_ViKeInjectStatusAlerted@4 ; ViKeInjectStatusAlerted(x)
		test	eax, eax
		jz	short loc_A6778F
		mov	eax, 101h
		jmp	short loc_A677A2
; 

loc_A6778F:				; CODE XREF: ViKeWaitForSingleObjectCommon(x,x,x,x,x,x)+54j
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		push	edi
		push	[ebp+var_8]
		call	ds:_pXdvKeWaitForSingleObject

loc_A677A2:				; CODE XREF: ViKeWaitForSingleObjectCommon(x,x,x,x,x,x)+5Bj
		pop	edi
		pop	esi
		leave
		retn	10h
_ViKeWaitForSingleObjectCommon@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViKeWaitSanityChecks(x, x, x, x, x,	x, x)
_ViKeWaitSanityChecks@28 proc near	; CODE XREF: ViKeWaitForMultipleObjectsCommon(x,x,x,x,x,x,x,x,x)+43p
					; ViKeWaitForSingleObjectCommon(x,x,x,x,x,x)+45p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		and	[ebp+var_8], 0
		mov	eax, edx
		and	[ebp+var_C], 0
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		mov	ecx, _MmVerifierData
		mov	[ebp+var_10], edi
		test	ecx, 400000h
		jz	short loc_A677E2
		test	cl, 2
		jnz	short loc_A677E2
		test	ecx, 800h
		jz	loc_A6789B

loc_A677E2:				; CODE XREF: ViKeWaitSanityChecks(x,x,x,x,x,x,x)+27j
					; ViKeWaitSanityChecks(x,x,x,x,x,x,x)+2Cj
		push	ebx
		mov	bl, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_4]
		cmp	bl, 2
		jbe	short loc_A677F6
		mov	edx, 120h
		jmp	short loc_A67812
; 

loc_A677F6:				; CODE XREF: ViKeWaitSanityChecks(x,x,x,x,x,x,x)+45j
		jnz	short loc_A67828
		test	esi, esi
		jnz	short loc_A67803
		mov	edx, 121h
		jmp	short loc_A67812
; 

loc_A67803:				; CODE XREF: ViKeWaitSanityChecks(x,x,x,x,x,x,x)+52j
		mov	eax, [esi]
		or	eax, [esi+4]
		jz	short loc_A67828
		mov	eax, [ebp+var_4]
		mov	edx, 122h

loc_A67812:				; CODE XREF: ViKeWaitSanityChecks(x,x,x,x,x,x,x)+4Cj
					; ViKeWaitSanityChecks(x,x,x,x,x,x,x)+59j
		test	cl, 2
		jz	short loc_A67828
		push	esi
		push	dword ptr [eax]
		movzx	eax, bl
		mov	ecx, 0C4h
		push	eax
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A67828:				; CODE XREF: ViKeWaitSanityChecks(x,x,x,x,x,x,x):loc_A677F6j
					; ViKeWaitSanityChecks(x,x,x,x,x,x,x)+60j ...
		cmp	[ebp+arg_0], 1
		jnz	short loc_A6784F
		test	esi, esi
		jz	short loc_A67839
		mov	eax, [esi]
		or	eax, [esi+4]
		jz	short loc_A6784F

loc_A67839:				; CODE XREF: ViKeWaitSanityChecks(x,x,x,x,x,x,x)+88j
		cmp	[ebp+arg_8], 0
		jz	short loc_A6784F
		lea	edx, [ebp+var_C]
		lea	ecx, [ebp+var_8]
		call	_RtlpGetStackLimits@8 ;	RtlpGetStackLimits(x,x)
		movzx	ebx, al
		jmp	short loc_A67851
; 

loc_A6784F:				; CODE XREF: ViKeWaitSanityChecks(x,x,x,x,x,x,x)+84j
					; ViKeWaitSanityChecks(x,x,x,x,x,x,x)+8Fj ...
		xor	ebx, ebx

loc_A67851:				; CODE XREF: ViKeWaitSanityChecks(x,x,x,x,x,x,x)+A5j
		xor	esi, esi
		test	edi, edi
		jz	short loc_A67899

loc_A67857:				; CODE XREF: ViKeWaitSanityChecks(x,x,x,x,x,x,x)+EFj
		mov	eax, [ebp+var_4]
		xor	edx, edx
		inc	edx
		mov	edi, [eax+esi*4]
		mov	ecx, edi
		call	_VfUtilSynchronizationObjectSanityChecks@8 ; VfUtilSynchronizationObjectSanityChecks(x,x)
		test	_MmVerifierData, 800h
		jz	short loc_A67893
		test	ebx, ebx
		jz	short loc_A67893
		cmp	edi, [ebp+var_8]
		jb	short loc_A67893
		cmp	edi, [ebp+var_C]
		jnb	short loc_A67893
		push	0
		mov	edx, 123h
		push	0
		push	edi
		lea	ecx, [edx-5Fh]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A67893:				; CODE XREF: ViKeWaitSanityChecks(x,x,x,x,x,x,x)+C9j
					; ViKeWaitSanityChecks(x,x,x,x,x,x,x)+CDj ...
		inc	esi
		cmp	esi, [ebp+var_10]
		jb	short loc_A67857

loc_A67899:				; CODE XREF: ViKeWaitSanityChecks(x,x,x,x,x,x,x)+ADj
		pop	esi
		pop	ebx

loc_A6789B:				; CODE XREF: ViKeWaitSanityChecks(x,x,x,x,x,x,x)+34j
		pop	edi
		leave
		retn	14h
_ViKeWaitSanityChecks@28 endp


;  S U B	R O U T	I N E 


; __stdcall ViKfAcquireSpinLockCommon(x, x)
_ViKfAcquireSpinLockCommon@8 proc near	; CODE XREF: VerifierKfAcquireSpinLock(x)+Cp
					; VerifierKfAcquireSpinLockNoReboot(x)+9j
		inc	dword_6C6E48
		mov	eax, edx
		test	_MmVerifierData, 1000h
		push	esi
		push	edi
		mov	edi, ecx
		jz	short loc_A678C2
		push	58h
		pop	edx
		mov	ecx, eax
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A678C2:				; CODE XREF: ViKfAcquireSpinLockCommon(x,x)+16j
		push	4
		pop	edx
		mov	ecx, edi
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		mov	edx, _MmVerifierData
		mov	cl, 2
		shr	edx, 11h
		and	edx, 1
		call	_ViKeRaiseIrqlSanityChecks@8 ; ViKeRaiseIrqlSanityChecks(x,x)
		mov	ecx, edi
		mov	esi, eax
		call	ds:_pXdvKfAcquireSpinLock ; KfAcquireSpinLock(x)
		test	esi, esi
		jz	short loc_A678F9
		movzx	ecx, large byte	ptr fs:51h
		mov	[esi+6], cx

loc_A678F9:				; CODE XREF: ViKfAcquireSpinLockCommon(x,x)+4Bj
		pop	edi
		pop	esi
		retn
_ViKfAcquireSpinLockCommon@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViKfReleaseSpinLockCommon(x, x)
_ViKfReleaseSpinLockCommon@8 proc near	; CODE XREF: VerifierKfReleaseSpinLock(x,x)+10p
					; VerifierKfReleaseSpinLockNoReboot(x,x)+Cp
		mov	edi, edi
		push	ebx
		push	esi
		push	4
		mov	bh, dl
		mov	esi, ecx
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	byte ptr _MmVerifierData, 2
		mov	bl, al
		jz	short loc_A67938
		cmp	bl, 2
		jnb	short loc_A67938
		movzx	ecx, bh
		push	ecx
		push	esi
		movzx	eax, bl
		mov	ecx, 0C4h
		push	eax
		push	35h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A67938:				; CODE XREF: ViKfReleaseSpinLockCommon(x,x)+1Fj
					; ViKfReleaseSpinLockCommon(x,x)+24j
		pop	esi
		mov	dl, bh
		mov	cl, bl
		pop	ebx
		jmp	_ViKeLowerIrqlSanityChecks@8 ; ViKeLowerIrqlSanityChecks(x,x)
_ViKfReleaseSpinLockCommon@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfFaultsInitPhase0()
_VfFaultsInitPhase0@0 proc near		; CODE XREF: VfInitVerifierComponents(x,x,x)+5Cp
		mov	eax, _VfFaultInjectionBootMinutes
		mov	ecx, 0EA60h
		and	_ViFaultInjectionLock, 0
		mul	ecx
		mov	ds:_ViRequiredTimeSinceBootInMsecs, eax
		mov	ds:dword_AB0004, edx
		call	_ViFaultsTracesInitialize@0 ; ViFaultsTracesInitialize()
		call	_ViFaultsInitializeTagsList@0 ;	ViFaultsInitializeTagsList()
		call	_ViFaultsInitializeAppsList@0 ;	ViFaultsInitializeAppsList()
		mov	ds:_ViFaultsInitialized, 1
		retn
_VfFaultsInitPhase0@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFaultsInjectPoolAllocationFailure(x)
_VfFaultsInjectPoolAllocationFailure@4 proc near
					; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+CEp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	byte ptr _MmVerifierData, 4
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jnz	short loc_A67993

loc_A6798F:				; CODE XREF: VfFaultsInjectPoolAllocationFailure(x)+27j
					; VfFaultsInjectPoolAllocationFailure(x)+38j
		xor	eax, eax
		jmp	short loc_A67A04
; 

loc_A67993:				; CODE XREF: VfFaultsInjectPoolAllocationFailure(x)+12j
		cmp	ds:_ViFaultsInitialized, 0
		jnz	short loc_A679A4
		inc	ds:dword_AB0024
		jmp	short loc_A6798F
; 

loc_A679A4:				; CODE XREF: VfFaultsInjectPoolAllocationFailure(x)+1Fj
		cmp	ds:_ViFaultsDisabled, 0
		jz	short loc_A679B5
		inc	ds:dword_AB004C
		jmp	short loc_A6798F
; 

loc_A679B5:				; CODE XREF: VfFaultsInjectPoolAllocationFailure(x)+30j
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _ViFaultInjectionLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, esi
		call	_ViFaultsIsTagTarget@4 ; ViFaultsIsTagTarget(x)
		test	ds:byte_70EFC6,	1
		mov	esi, eax
		jz	short loc_A679E7
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A679EC
; 

loc_A679E7:				; CODE XREF: VfFaultsInjectPoolAllocationFailure(x)+5Ej
		xor	eax, eax
		lock and [edi],	eax

loc_A679EC:				; CODE XREF: VfFaultsInjectPoolAllocationFailure(x)+6Aj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		test	esi, esi
		jz	short loc_A67A02
		xor	ecx, ecx
		inc	ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		mov	esi, eax

loc_A67A02:				; CODE XREF: VfFaultsInjectPoolAllocationFailure(x)+7Bj
		mov	eax, esi

loc_A67A04:				; CODE XREF: VfFaultsInjectPoolAllocationFailure(x)+16j
		pop	edi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn
_VfFaultsInjectPoolAllocationFailure@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFaultsInjectResourceFailure(x)
_VfFaultsInjectResourceFailure@4 proc near
					; CODE XREF: VerifierIoAllocateDriverObjectExtension(x,x,x,x)+7p
					; VerifierIoAllocateErrorLogEntry(x,x)+7p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		cmp	ds:_ViFaultsInitialized, 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		jnz	short loc_A67A35
		inc	ds:_ViFaultsDecisions

loc_A67A2E:				; CODE XREF: VfFaultsInjectResourceFailure(x)+3Aj
					; VfFaultsInjectResourceFailure(x)+4Cj	...
		xor	eax, eax

loc_A67A30:				; CODE XREF: VfFaultsInjectResourceFailure(x)+79j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A67A35:				; CODE XREF: VfFaultsInjectResourceFailure(x)+1Cj
		cmp	ds:_ViFaultsDisabled, 0
		jz	short loc_A67A46
		inc	ds:dword_AB004C
		jmp	short loc_A67A2E
; 

loc_A67A46:				; CODE XREF: VfFaultsInjectResourceFailure(x)+32j
		test	byte ptr _MmVerifierData, 4
		jnz	short loc_A67A85
		cmp	_ViInjectInPagePathOnly, 1
		jnz	short loc_A67A2E
		mov	eax, large fs:124h
		cmp	byte ptr [eax+30Ah], 0
		jz	short loc_A67A2E
		xor	ecx, ecx
		test	edi, edi
		setnz	cl
		lea	ecx, ds:1[ecx*2]
		call	_ViFaultsInjectionNotification@4 ; ViFaultsInjectionNotification(x)
		inc	ds:dword_AB0028

loc_A67A80:				; CODE XREF: VfFaultsInjectResourceFailure(x)+E2j
		xor	eax, eax
		inc	eax
		jmp	short loc_A67A30
; 

loc_A67A85:				; CODE XREF: VfFaultsInjectResourceFailure(x)+43j
		mov	esi, _VfFaultInjectionProbability
		mov	ebx, _VfFaultInjectionMaxProbability
		test	esi, esi
		jz	short loc_A67A2E
		cmp	esi, ebx
		ja	short loc_A67A2E
		call	_VfFaultsIsSystemSufficientlyBooted@0 ;	VfFaultsIsSystemSufficientlyBooted()
		test	eax, eax
		jz	short loc_A67A2E
		test	edi, edi
		jnz	short loc_A67ABA
		cmp	_ViHaveFaultTags, edi
		jz	short loc_A67ABA
		cmp	_ViFaultsForceAllAPIs, edi
		jz	loc_A67A2E

loc_A67ABA:				; CODE XREF: VfFaultsInjectResourceFailure(x)+9Aj
					; VfFaultsInjectResourceFailure(x)+A2j
		call	_ViFaultsIsCurrentAppTarget@0 ;	ViFaultsIsCurrentAppTarget()
		test	eax, eax
		jz	loc_A67A2E
		push	ebx
		push	0
		call	_VfRandomGetNumber@8 ; VfRandomGetNumber(x,x)
		cmp	eax, esi
		jnb	short loc_A67AEE
		inc	ds:dword_AB0038

loc_A67AD9:				; CODE XREF: VfFaultsInjectResourceFailure(x)+124j
		xor	ecx, ecx
		test	edi, edi
		setnz	cl
		lea	ecx, ds:1[ecx*2]
		call	_ViFaultsInjectionNotification@4 ; ViFaultsInjectionNotification(x)
		jmp	short loc_A67A80
; 

loc_A67AEE:				; CODE XREF: VfFaultsInjectResourceFailure(x)+C7j
		inc	ds:dword_AB003C
		cmp	esi, 258h
		jnz	loc_A67A2E
		cmp	ebx, 2710h
		jnz	loc_A67A2E
		lea	eax, [ebp+var_8]
		push	eax
		call	KeQueryTickCount
		mov	eax, [ebp+var_8]
		and	eax, 7FFFh
		cmp	eax, 400h
		jnb	loc_A67A2E
		inc	ds:dword_AB0040
		jmp	short loc_A67AD9
_VfFaultsInjectResourceFailure@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFaultsIsSystemSufficientlyBooted()
_VfFaultsIsSystemSufficientlyBooted@0 proc near
					; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+EEp
					; VfFaultsInjectResourceFailure(x)+8Fp	...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	ds:_ViSystemSufficientlyBooted,	0
		jz	short loc_A67B45
		xor	eax, eax
		inc	eax
		leave
		retn
; 

loc_A67B45:				; CODE XREF: VfFaultsIsSystemSufficientlyBooted()+Ej
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	eax
		call	KeQuerySystemTime
		mov	ecx, [ebp+var_8]
		sub	ecx, ds:_KeBootTime
		mov	eax, [ebp+var_4]
		sbb	eax, ds:dword_70E2EC
		push	0
		push	2710h
		push	eax
		push	ecx
		call	__aulldiv
		cmp	edx, ds:dword_AB0004
		jb	short loc_A67B94
		ja	short loc_A67B88
		cmp	eax, ds:_ViRequiredTimeSinceBootInMsecs
		jbe	short loc_A67B94

loc_A67B88:				; CODE XREF: VfFaultsIsSystemSufficientlyBooted()+4Ej
		mov	ds:_ViSystemSufficientlyBooted,	1
		jmp	short loc_A67B9A
; 

loc_A67B94:				; CODE XREF: VfFaultsIsSystemSufficientlyBooted()+4Cj
					; VfFaultsIsSystemSufficientlyBooted()+56j
		inc	ds:dword_AB002C

loc_A67B9A:				; CODE XREF: VfFaultsIsSystemSufficientlyBooted()+62j
		mov	eax, ds:_ViSystemSufficientlyBooted
		leave
		retn
_VfFaultsIsSystemSufficientlyBooted@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFaultsSetParameters(x)
_VfFaultsSetParameters@4 proc near	; CODE XREF: PAGE:007B4290p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _MmVerifierData
		push	esi
		push	edi
		push	4
		pop	edx
		mov	esi, ecx
		or	eax, edx
		push	1
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], eax
		call	_VfSetVerifierInformation@12 ; VfSetVerifierInformation(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A67C4E
		cmp	ds:_ViFaultsProcessNotifyRoutineSet, 0
		jnz	short loc_A67BEC
		push	0
		push	offset ViCreateProcessCallback
		call	_PsSetCreateProcessNotifyRoutine@8 ; PsSetCreateProcessNotifyRoutine(x,x)
		mov	ds:_ViFaultsProcessNotifyRoutineSet, 1

loc_A67BEC:				; CODE XREF: VfFaultsSetParameters(x)+33j
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_A67BF8
		mov	_VfFaultInjectionMaxProbability, eax

loc_A67BF8:				; CODE XREF: VfFaultsSetParameters(x)+50j
		mov	eax, [esi]
		test	eax, eax
		jnz	short loc_A67C0D
		mov	_VfFaultInjectionMaxProbability, 2710h
		mov	eax, 258h

loc_A67C0D:				; CODE XREF: VfFaultsSetParameters(x)+5Bj
		mov	_VfFaultInjectionProbability, eax
		call	_ViFaultsRemoveAllTags@0 ; ViFaultsRemoveAllTags()
		call	_ViFaultsRemoveAllApps@0 ; ViFaultsRemoveAllApps()
		movzx	eax, word ptr [esi+10h]
		test	ax, ax
		jz	short loc_A67C33
		mov	ecx, [esi+14h]
		mov	edx, eax
		shr	edx, 1
		call	_ViFaultsAddAllApps@8 ;	ViFaultsAddAllApps(x,x)
		mov	edi, eax

loc_A67C33:				; CODE XREF: VfFaultsSetParameters(x)+82j
		test	edi, edi
		js	short loc_A67C4E
		movzx	eax, word ptr [esi+8]
		test	ax, ax
		jz	short loc_A67C4E
		mov	ecx, [esi+0Ch]
		mov	edx, eax
		shr	edx, 1
		call	_ViFaultsAddAllTags@8 ;	ViFaultsAddAllTags(x,x)
		mov	edi, eax

loc_A67C4E:				; CODE XREF: VfFaultsSetParameters(x)+26j
					; VfFaultsSetParameters(x)+94j	...
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
_VfFaultsSetParameters@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViCreateProcessCallbackInternal(x, x)
_ViCreateProcessCallbackInternal@8 proc	near ; CODE XREF: ViCreateProcessCallback+CECD3p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[esp+20h+var_C], edi
		mov	[esp+20h+var_10], edi
		mov	[esp+20h+var_8], edi
		mov	[esp+20h+var_4], edi
		test	dl, dl
		jz	loc_A67CFE
		lea	eax, [esp+20h+var_C]
		push	eax
		push	ecx
		call	PsLookupProcessByProcessId
		test	eax, eax
		js	short loc_A67CFE
		mov	esi, [esp+20h+var_C]
		lea	edx, [esp+20h+var_10]
		mov	ecx, esi
		call	_PsGetAllocatedFullProcessImageName@8 ;	PsGetAllocatedFullProcessImageName(x,x)
		test	eax, eax
		js	short loc_A67CF2
		mov	ecx, [esp+20h+var_10]
		lea	edx, [esp+20h+var_8]
		call	_ViFaultsGetBaseImageName@8 ; ViFaultsGetBaseImageName(x,x)
		push	edi
		mov	eax, edx
		push	eax
		push	eax
		call	RtlUpcaseUnicodeString
		mov	ecx, offset _ViFaultInjectionLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		lea	ecx, [esp+20h+var_8]
		mov	bl, al
		call	_ViFaultsIsAppTarget@4 ; ViFaultsIsAppTarget(x)
		test	eax, eax
		jz	short loc_A67CDC
		mov	eax, 10000h
		lea	edx, [esi+0F8h]
		lock or	[edx], eax

loc_A67CDC:				; CODE XREF: ViCreateProcessCallbackInternal(x,x)+78j
		mov	dl, bl
		mov	ecx, offset _ViFaultInjectionLock
		call	KfReleaseSpinLock
		push	edi
		push	[esp+24h+var_10]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A67CF2:				; CODE XREF: ViCreateProcessCallbackInternal(x,x)+48j
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_A67CFE:				; CODE XREF: ViCreateProcessCallbackInternal(x,x)+22j
					; ViCreateProcessCallbackInternal(x,x)+35j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_ViCreateProcessCallbackInternal@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFaultsAddAllApps(x, x)
_ViFaultsAddAllApps@8 proc near		; CODE XREF: VfFaultsSetParameters(x)+8Bp
					; ViFaultsInitializeAppsList()+6Cp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	edi
		lea	edi, [ecx+edx*2]
		xor	ebx, ebx
		cmp	ecx, edi
		jnb	loc_A67DBF
		push	esi
		push	9
		pop	edx
		push	0Ah
		pop	esi
		mov	[ebp+var_4], 0Dh
		mov	[ebp+var_8], 20h
		mov	[ebp+var_C], 3000h

loc_A67D38:				; CODE XREF: ViFaultsAddAllApps(x,x)+B3j
		movzx	eax, word ptr [ecx]
		cmp	ax, dx
		jz	short loc_A67DAE
		cmp	ax, si
		jz	short loc_A67DAE
		push	0Dh
		pop	esi
		cmp	ax, si
		jz	short loc_A67DAE
		push	20h
		pop	esi
		cmp	ax, si
		jz	short loc_A67DAE
		mov	esi, 3000h
		cmp	ax, si
		jz	short loc_A67DAE
		test	ax, ax
		jz	short loc_A67DAE
		mov	esi, ecx
		cmp	ecx, edi
		jnb	short loc_A67D98
		push	0Ah
		pop	ebx

loc_A67D6D:				; CODE XREF: ViFaultsAddAllApps(x,x)+91j
		movzx	eax, word ptr [esi]
		cmp	ax, dx
		jz	short loc_A67D98
		cmp	ax, bx
		jz	short loc_A67D98
		cmp	ax, word ptr [ebp+var_4]
		jz	short loc_A67D98
		cmp	ax, word ptr [ebp+var_8]
		jz	short loc_A67D98
		cmp	ax, word ptr [ebp+var_C]
		jz	short loc_A67D98
		test	ax, ax
		jz	short loc_A67D98
		add	esi, 2
		cmp	esi, edi
		jb	short loc_A67D6D

loc_A67D98:				; CODE XREF: ViFaultsAddAllApps(x,x)+63j
					; ViFaultsAddAllApps(x,x)+6Ej ...
		mov	edx, esi
		sub	edx, ecx
		sar	edx, 1
		call	_ViFaultsAddAppNoDuplicates@8 ;	ViFaultsAddAppNoDuplicates(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A67DBE
		push	9
		pop	edx
		jmp	short loc_A67DB0
; 

loc_A67DAE:				; CODE XREF: ViFaultsAddAllApps(x,x)+39j
					; ViFaultsAddAllApps(x,x)+3Ej ...
		mov	esi, ecx

loc_A67DB0:				; CODE XREF: ViFaultsAddAllApps(x,x)+A7j
		lea	ecx, [esi+2]
		push	0Ah
		pop	esi
		cmp	ecx, edi
		jb	loc_A67D38

loc_A67DBE:				; CODE XREF: ViFaultsAddAllApps(x,x)+A2j
		pop	esi

loc_A67DBF:				; CODE XREF: ViFaultsAddAllApps(x,x)+11j
		pop	edi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_ViFaultsAddAllApps@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFaultsAddAllTags(x, x)
_ViFaultsAddAllTags@8 proc near		; CODE XREF: VfFaultsSetParameters(x)+A6p
					; ViFaultsInitializeTagsList()+72p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	edi
		lea	edi, [ecx+edx*2]
		xor	ebx, ebx
		cmp	ecx, edi
		jnb	loc_A67E7F
		push	esi
		push	9
		pop	edx
		push	0Ah
		pop	esi
		mov	[ebp+var_4], 0Dh
		mov	[ebp+var_8], 20h
		mov	[ebp+var_C], 3000h

loc_A67DF8:				; CODE XREF: ViFaultsAddAllTags(x,x)+B3j
		movzx	eax, word ptr [ecx]
		cmp	ax, dx
		jz	short loc_A67E6E
		cmp	ax, si
		jz	short loc_A67E6E
		push	0Dh
		pop	esi
		cmp	ax, si
		jz	short loc_A67E6E
		push	20h
		pop	esi
		cmp	ax, si
		jz	short loc_A67E6E
		mov	esi, 3000h
		cmp	ax, si
		jz	short loc_A67E6E
		test	ax, ax
		jz	short loc_A67E6E
		mov	esi, ecx
		cmp	ecx, edi
		jnb	short loc_A67E58
		push	0Ah
		pop	ebx

loc_A67E2D:				; CODE XREF: ViFaultsAddAllTags(x,x)+91j
		movzx	eax, word ptr [esi]
		cmp	ax, dx
		jz	short loc_A67E58
		cmp	ax, bx
		jz	short loc_A67E58
		cmp	ax, word ptr [ebp+var_4]
		jz	short loc_A67E58
		cmp	ax, word ptr [ebp+var_8]
		jz	short loc_A67E58
		cmp	ax, word ptr [ebp+var_C]
		jz	short loc_A67E58
		test	ax, ax
		jz	short loc_A67E58
		add	esi, 2
		cmp	esi, edi
		jb	short loc_A67E2D

loc_A67E58:				; CODE XREF: ViFaultsAddAllTags(x,x)+63j
					; ViFaultsAddAllTags(x,x)+6Ej ...
		mov	edx, esi
		sub	edx, ecx
		sar	edx, 1
		call	_ViFaultsAddTagNoDuplicates@8 ;	ViFaultsAddTagNoDuplicates(x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A67E7E
		push	9
		pop	edx
		jmp	short loc_A67E70
; 

loc_A67E6E:				; CODE XREF: ViFaultsAddAllTags(x,x)+39j
					; ViFaultsAddAllTags(x,x)+3Ej ...
		mov	esi, ecx

loc_A67E70:				; CODE XREF: ViFaultsAddAllTags(x,x)+A7j
		lea	ecx, [esi+2]
		push	0Ah
		pop	esi
		cmp	ecx, edi
		jb	loc_A67DF8

loc_A67E7E:				; CODE XREF: ViFaultsAddAllTags(x,x)+A2j
		pop	esi

loc_A67E7F:				; CODE XREF: ViFaultsAddAllTags(x,x)+11j
		pop	edi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_ViFaultsAddAllTags@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFaultsAddAppNoDuplicates(x, x)
_ViFaultsAddAppNoDuplicates@8 proc near	; CODE XREF: ViFaultsAddAllApps(x,x)+99p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	edi, [edx+edx]
		mov	[ebp+var_8], ecx
		push	41466656h
		lea	eax, [edi+12h]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A67EB8
		mov	esi, 0C000009Ah
		jmp	loc_A67F4F
; 

loc_A67EB8:				; CODE XREF: ViFaultsAddAppNoDuplicates(x,x)+27j
		push	edi		; size_t
		push	[ebp+var_8]	; void *
		lea	esi, [ebx+10h]
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		mov	[edi+esi], ax
		lea	edi, [ebx+8]
		push	esi
		push	edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	esi, esi
		push	esi
		push	edi
		push	edi
		call	RtlUpcaseUnicodeString
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _ViFaultInjectionLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, edi
		call	_ViFaultsIsAppTarget@4 ; ViFaultsIsAppTarget(x)
		test	eax, eax
		jz	short loc_A67F09
		push	esi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A67F29
; 

loc_A67F09:				; CODE XREF: ViFaultsAddAppNoDuplicates(x,x)+79j
		mov	eax, dword_6BDF6C
		mov	ecx, offset _ViFaultApplicationsList
		cmp	[eax], ecx
		jz	short loc_A67F1C
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A67F1C:				; CODE XREF: ViFaultsAddAppNoDuplicates(x,x)+90j
		mov	[ebx], ecx
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	dword_6BDF6C, ebx

loc_A67F29:				; CODE XREF: ViFaultsAddAppNoDuplicates(x,x)+82j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _ViFaultInjectionLock
		jz	short loc_A67F41
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A67F46
; 

loc_A67F41:				; CODE XREF: ViFaultsAddAppNoDuplicates(x,x)+B0j
		xor	eax, eax
		lock and [ecx],	eax

loc_A67F46:				; CODE XREF: ViFaultsAddAppNoDuplicates(x,x)+BAj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A67F4F:				; CODE XREF: ViFaultsAddAppNoDuplicates(x,x)+2Ej
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_ViFaultsAddAppNoDuplicates@8 endp

; 
		db 0CCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFaultsAddTagNoDuplicates(x, x)
_ViFaultsAddTagNoDuplicates@8 proc near	; CODE XREF: ViFaultsAddAllTags(x,x)+99p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ecx
		cmp	edx, 4
		jbe	short loc_A67F73
		mov	ebx, 0C000000Dh
		jmp	loc_A68025
; 

loc_A67F73:				; CODE XREF: ViFaultsAddTagNoDuplicates(x,x)+10j
		mov	eax, ebx

loc_A67F75:				; CODE XREF: ViFaultsAddTagNoDuplicates(x,x)+2Fj
		mov	cl, 20h
		cmp	eax, edx
		jnb	short loc_A67F7E
		mov	cl, [esi+eax*2]

loc_A67F7E:				; CODE XREF: ViFaultsAddTagNoDuplicates(x,x)+22j
		mov	byte ptr [ebp+eax+var_8], cl
		inc	eax
		cmp	eax, 4
		jb	short loc_A67F75
		push	edi
		push	54466656h
		push	0Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A67FA7
		mov	ebx, 0C000009Ah
		jmp	short loc_A68024
; 

loc_A67FA7:				; CODE XREF: ViFaultsAddTagNoDuplicates(x,x)+47j
		mov	esi, [ebp+var_8]
		mov	[edi+8], esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, offset _ViFaultInjectionLock
		mov	[ebp+var_1], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, esi
		call	_ViFaultsIsTagPresentInList@4 ;	ViFaultsIsTagPresentInList(x)
		test	eax, eax
		jz	short loc_A67FD4
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A67FFE
; 

loc_A67FD4:				; CODE XREF: ViFaultsAddTagNoDuplicates(x,x)+72j
		mov	eax, dword_6BDF64
		mov	ecx, offset _ViFaultTagsList
		mov	_ViHaveFaultTags, 1
		cmp	[eax], ecx
		jz	short loc_A67FF1
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A67FF1:				; CODE XREF: ViFaultsAddTagNoDuplicates(x,x)+93j
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	dword_6BDF64, edi

loc_A67FFE:				; CODE XREF: ViFaultsAddTagNoDuplicates(x,x)+7Bj
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _ViFaultInjectionLock
		jz	short loc_A68016
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A6801B
; 

loc_A68016:				; CODE XREF: ViFaultsAddTagNoDuplicates(x,x)+B3j
		xor	eax, eax
		lock and [ecx],	eax

loc_A6801B:				; CODE XREF: ViFaultsAddTagNoDuplicates(x,x)+BDj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A68024:				; CODE XREF: ViFaultsAddTagNoDuplicates(x,x)+4Ej
		pop	edi

loc_A68025:				; CODE XREF: ViFaultsAddTagNoDuplicates(x,x)+17j
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
_ViFaultsAddTagNoDuplicates@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViFaultsGetBaseImageName(x,	x)
_ViFaultsGetBaseImageName@8 proc near	; CODE XREF: ViCreateProcessCallbackInternal(x,x)+52p
		movzx	eax, word ptr [ecx]
		push	edi
		mov	edi, eax
		test	ax, ax
		jnz	short loc_A68042
		mov	eax, [ecx]
		mov	[edx], eax
		mov	eax, [ecx+4]
		mov	[edx+4], eax
		pop	edi
		retn
; 

loc_A68042:				; CODE XREF: ViFaultsGetBaseImageName(x,x)+9j
		push	esi
		mov	esi, [ecx+4]
		mov	ecx, eax
		shr	ecx, 1
		dec	ecx
		lea	ecx, [esi+ecx*2]
		jmp	short loc_A68059
; 

loc_A68050:				; CODE XREF: ViFaultsGetBaseImageName(x,x)+30j
		cmp	word ptr [ecx],	5Ch
		jz	short loc_A6805D
		sub	ecx, 2

loc_A68059:				; CODE XREF: ViFaultsGetBaseImageName(x,x)+23j
		cmp	ecx, esi
		jnb	short loc_A68050

loc_A6805D:				; CODE XREF: ViFaultsGetBaseImageName(x,x)+29j
		add	ecx, 2
		sub	edi, ecx
		mov	[edx+4], ecx
		lea	eax, [edi+esi]
		pop	esi
		mov	[edx], ax
		mov	[edx+2], ax
		pop	edi
		retn
_ViFaultsGetBaseImageName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFaultsInitializeAppsList()
_ViFaultsInitializeAppsList@0 proc near	; CODE XREF: VfFaultsInitPhase0()+28p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _ViFaultInjectionLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		mov	eax, offset _ViFaultApplicationsList
		mov	dword_6BDF6C, eax
		mov	_ViFaultApplicationsList, eax
		jz	short loc_A680B4
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A680B9
; 

loc_A680B4:				; CODE XREF: ViFaultsInitializeAppsList()+34j
		xor	eax, eax
		lock and [edi],	eax

loc_A680B9:				; CODE XREF: ViFaultsInitializeAppsList()+40j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, _VerifierFaultApplicationsBufferSize
		cmp	edx, 0FFFFFFFFh
		jz	short loc_A680E5
		add	edx, 0FFFFFFFEh
		cmp	edx, 0FEh
		ja	short loc_A680E5
		shr	edx, 1
		mov	ecx, offset _VerifierFaultApplicationsBuffer
		call	_ViFaultsAddAllApps@8 ;	ViFaultsAddAllApps(x,x)
		mov	esi, eax

loc_A680E5:				; CODE XREF: ViFaultsInitializeAppsList()+58j
					; ViFaultsInitializeAppsList()+63j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_ViFaultsInitializeAppsList@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFaultsInitializeTagsList()
_ViFaultsInitializeTagsList@0 proc near	; CODE XREF: VfFaultsInitPhase0()+23p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _ViFaultInjectionLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		test	ds:byte_70EFC6,	1
		mov	eax, offset _ViFaultTagsList
		mov	_ViHaveFaultTags, esi
		mov	dword_6BDF64, eax
		mov	_ViFaultTagsList, eax
		jz	short loc_A68134
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A68139
; 

loc_A68134:				; CODE XREF: ViFaultsInitializeTagsList()+3Aj
		xor	eax, eax
		lock and [edi],	eax

loc_A68139:				; CODE XREF: ViFaultsInitializeTagsList()+46j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, _VerifierFaultTagsBufferSize
		cmp	edx, 0FFFFFFFFh
		jz	short loc_A68165
		add	edx, 0FFFFFFFEh
		cmp	edx, 0FEh
		ja	short loc_A68165
		shr	edx, 1
		mov	ecx, offset _VerifierFaultTagsBuffer
		call	_ViFaultsAddAllTags@8 ;	ViFaultsAddAllTags(x,x)
		mov	esi, eax

loc_A68165:				; CODE XREF: ViFaultsInitializeTagsList()+5Ej
					; ViFaultsInitializeTagsList()+69j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_ViFaultsInitializeTagsList@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFaultsInjectionNotification(x)
_ViFaultsInjectionNotification@4 proc near ; CODE XREF:	VfFaultsInjectResourceFailure(x)+6Bp
					; VfFaultsInjectResourceFailure(x)+DDp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		inc	dword_6C6E6C
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		jz	short loc_A68192
		push	68h
		pop	edx
		call	_ViTargetIncrementCounter@8 ; ViTargetIncrementCounter(x,x)

loc_A68192:				; CODE XREF: ViFaultsInjectionNotification(x)+1Cj
		lea	ecx, [esi+1]
		call	_ViFaultsTracesLog@4 ; ViFaultsTracesLog(x)
		pop	esi
		pop	ecx
		pop	ebp
		retn
_ViFaultsInjectionNotification@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViFaultsIsAppTarget(x)
_ViFaultsIsAppTarget@4 proc near	; CODE XREF: ViCreateProcessCallbackInternal(x,x)+71p
					; ViFaultsAddAppNoDuplicates(x,x)+72p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, _ViFaultApplicationsList
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		jmp	short loc_A681BF
; 

loc_A681AF:				; CODE XREF: ViFaultsIsAppTarget(x)+27j
		lea	ecx, [esi+8]
		mov	edx, ebx
		call	_VfUtilEqualUnicodeString@8 ; VfUtilEqualUnicodeString(x,x)
		test	eax, eax
		jnz	short loc_A681C9
		mov	esi, [esi]

loc_A681BF:				; CODE XREF: ViFaultsIsAppTarget(x)+Fj
		cmp	esi, offset _ViFaultApplicationsList
		jnz	short loc_A681AF
		jmp	short loc_A681CC
; 

loc_A681C9:				; CODE XREF: ViFaultsIsAppTarget(x)+1Dj
		xor	edi, edi
		inc	edi

loc_A681CC:				; CODE XREF: ViFaultsIsAppTarget(x)+29j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_ViFaultsIsAppTarget@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFaultsIsCurrentAppTarget()
_ViFaultsIsCurrentAppTarget@0 proc near	; CODE XREF: VfFaultsInjectResourceFailure(x):loc_A67ABAp

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _ViFaultInjectionLock
		mov	[ebp+var_1], al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		xor	ebx, ebx
		cmp	_ViFaultApplicationsList, offset _ViFaultApplicationsList
		setz	bl
		test	ds:byte_70EFC6,	1
		jz	short loc_A68213
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A68218
; 

loc_A68213:				; CODE XREF: ViFaultsIsCurrentAppTarget()+33j
		xor	eax, eax
		lock and [esi],	eax

loc_A68218:				; CODE XREF: ViFaultsIsCurrentAppTarget()+3Fj
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	esi
		test	ebx, ebx
		pop	ebx
		jnz	short loc_A6824F
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+0F8h], 10000h
		jnz	short loc_A68249
		inc	ds:dword_AB0030
		xor	eax, eax
		leave
		retn
; 

loc_A68249:				; CODE XREF: ViFaultsIsCurrentAppTarget()+6Bj
		inc	ds:dword_AB0034

loc_A6824F:				; CODE XREF: ViFaultsIsCurrentAppTarget()+53j
		xor	eax, eax
		inc	eax
		leave
		retn
_ViFaultsIsCurrentAppTarget@0 endp


;  S U B	R O U T	I N E 


; __stdcall ViFaultsIsTagPresentInList(x)
_ViFaultsIsTagPresentInList@4 proc near	; CODE XREF: ViFaultsAddTagNoDuplicates(x,x)+6Bp
					; ViFaultsIsTagTarget(x)+34p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, _ViFaultTagsList
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		jmp	short loc_A68275
; 

loc_A68265:				; CODE XREF: ViFaultsIsTagPresentInList(x)+27j
		mov	edx, [esi+8]
		mov	ecx, ebx
		call	_ExCheckSingleFilter@8 ; ExCheckSingleFilter(x,x)
		test	eax, eax
		jnz	short loc_A6827F
		mov	esi, [esi]

loc_A68275:				; CODE XREF: ViFaultsIsTagPresentInList(x)+Fj
		cmp	esi, offset _ViFaultTagsList
		jnz	short loc_A68265
		jmp	short loc_A68282
; 

loc_A6827F:				; CODE XREF: ViFaultsIsTagPresentInList(x)+1Dj
		xor	edi, edi
		inc	edi

loc_A68282:				; CODE XREF: ViFaultsIsTagPresentInList(x)+29j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_ViFaultsIsTagPresentInList@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViFaultsIsTagTarget(x)
_ViFaultsIsTagTarget@4 proc near	; CODE XREF: VfFaultsInjectPoolAllocationFailure(x)+50p
		mov	edi, edi
		push	esi
		mov	edx, 6A764D46h
		mov	esi, ecx
		call	_ExCheckSingleFilter@8 ; ExCheckSingleFilter(x,x)
		test	eax, eax
		jnz	short loc_A682D5
		mov	edx, 6C764D46h
		mov	ecx, esi
		call	_ExCheckSingleFilter@8 ; ExCheckSingleFilter(x,x)
		test	eax, eax
		jnz	short loc_A682D5
		cmp	_ViFaultTagsList, offset _ViFaultTagsList
		jnz	short loc_A682BA
		inc	eax
		pop	esi
		retn
; 

loc_A682BA:				; CODE XREF: ViFaultsIsTagTarget(x)+2Dj
		mov	ecx, esi
		call	_ViFaultsIsTagPresentInList@4 ;	ViFaultsIsTagPresentInList(x)
		test	eax, eax
		jnz	short loc_A682CD
		inc	ds:dword_AB0044
		pop	esi
		retn
; 

loc_A682CD:				; CODE XREF: ViFaultsIsTagTarget(x)+3Bj
		inc	ds:dword_AB0048
		pop	esi
		retn
; 

loc_A682D5:				; CODE XREF: ViFaultsIsTagTarget(x)+11j
					; ViFaultsIsTagTarget(x)+21j
		xor	eax, eax
		pop	esi
		retn
_ViFaultsIsTagTarget@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFaultsRemoveAllApps()
_ViFaultsRemoveAllApps@0 proc near	; CODE XREF: VfFaultsSetParameters(x)+76p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _ViFaultInjectionLock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, _ViFaultApplicationsList
		mov	edi, offset _ViFaultApplicationsList
		cmp	ecx, edi
		jz	short loc_A68319

loc_A68304:				; CODE XREF: ViFaultsRemoveAllApps()+39j
		mov	esi, [ecx]
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, esi
		cmp	esi, edi
		jnz	short loc_A68304
		mov	esi, offset _ViFaultInjectionLock

loc_A68319:				; CODE XREF: ViFaultsRemoveAllApps()+29j
		test	ds:byte_70EFC6,	1
		mov	dword_6BDF6C, edi
		mov	_ViFaultApplicationsList, edi
		jz	short loc_A6833A
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A6833F
; 

loc_A6833A:				; CODE XREF: ViFaultsRemoveAllApps()+53j
		xor	eax, eax
		lock and [esi],	eax

loc_A6833F:				; CODE XREF: ViFaultsRemoveAllApps()+5Fj
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_ViFaultsRemoveAllApps@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFaultsRemoveAllTags()
_ViFaultsRemoveAllTags@0 proc near	; CODE XREF: VfFaultsSetParameters(x)+71p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	esi, offset _ViFaultInjectionLock
		mov	bl, al
		mov	ecx, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ecx, _ViFaultTagsList
		mov	edi, offset _ViFaultTagsList
		cmp	ecx, edi
		jz	short loc_A6838B

loc_A68376:				; CODE XREF: ViFaultsRemoveAllTags()+39j
		mov	esi, [ecx]
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, esi
		cmp	esi, edi
		jnz	short loc_A68376
		mov	esi, offset _ViFaultInjectionLock

loc_A6838B:				; CODE XREF: ViFaultsRemoveAllTags()+29j
		and	_ViHaveFaultTags, 0
		test	ds:byte_70EFC6,	1
		mov	dword_6BDF64, edi
		mov	_ViFaultTagsList, edi
		jz	short loc_A683B3
		mov	edx, [ebp+4]
		mov	ecx, esi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A683B8
; 

loc_A683B3:				; CODE XREF: ViFaultsRemoveAllTags()+5Aj
		xor	eax, eax
		lock and [esi],	eax

loc_A683B8:				; CODE XREF: ViFaultsRemoveAllTags()+66j
		pop	edi
		pop	esi
		mov	cl, bl
		pop	ebx
		pop	ebp
		jmp	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
_ViFaultsRemoveAllTags@0 endp


;  S U B	R O U T	I N E 


; __stdcall ViFaultsTracesInitialize()
_ViFaultsTracesInitialize@0 proc near	; CODE XREF: VfFaultsInitPhase0()+1Ep
		mov	eax, ds:_ViFaultTracesLength
		mov	ecx, 101000h
		cmp	eax, ecx
		jbe	short loc_A683D9
		mov	eax, ecx
		mov	ds:_ViFaultTracesLength, eax

loc_A683D9:				; CODE XREF: ViFaultsTracesInitialize()+Cj
		push	20h
		imul	eax, 24h
		push	74746C46h
		push	eax
		push	200h
		call	ExAllocatePoolWithTagPriority
		mov	ds:_ViFaultTraces, eax
		retn
_ViFaultsTracesInitialize@0 endp


;  S U B	R O U T	I N E 


; __stdcall ViFaultsTracesLog(x)
_ViFaultsTracesLog@4 proc near		; CODE XREF: ViFaultsInjectionNotification(x)+29p
		cmp	ds:_ViFaultTraces, 0
		jz	short locret_A6843F
		xor	edx, edx
		push	esi
		inc	edx
		lock xadd ds:_ViFaultTracesIndex, edx
		inc	edx
		mov	eax, ds:_ViFaultTracesLength
		dec	eax
		and	eax, edx
		imul	esi, eax, 24h
		mov	eax, large fs:124h
		push	0
		add	esi, ds:_ViFaultTraces
		mov	[esi], eax
		lea	eax, [esi+4]
		push	eax
		push	8
		push	ecx
		call	RtlCaptureStackBackTrace
		movzx	eax, ax
		cmp	eax, 8
		jnb	short loc_A6843E
		and	dword ptr [esi+eax*4+4], 0

loc_A6843E:				; CODE XREF: ViFaultsTracesLog(x)+43j
		pop	esi

locret_A6843F:				; CODE XREF: ViFaultsTracesLog(x)+7j
		retn
_ViFaultsTracesLog@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfDeadlockAcquireResource(x, x, x, x, x)
_VfDeadlockAcquireResource@20 proc near	; CODE XREF: VerifierKeAcquireInStackQueuedSpinLock(x,x)+22p
					; VerifierKeAcquireInStackQueuedSpinLockAtDpcLevel(x,x)+22p ...

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	esi, edx
		mov	[ebp+var_2C], eax
		mov	edx, ecx
		mov	[ebp+var_40], esi
		push	8
		xor	eax, eax
		mov	[ebp+var_28], edx
		pop	ecx
		lea	edi, [ebp+var_24]
		mov	[ebp+var_58], ebx
		rep stosd
		xor	edi, edi
		mov	[ebp+var_5C], edi
		mov	[ebp+var_48], edi
		mov	[ebp+var_70], edi
		mov	[ebp+var_6C], edi
		mov	[ebp+var_68], edi
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], edi
		mov	[ebp+var_38], edi
		cmp	esi, 8
		jnz	short loc_A684B9
		mov	ecx, ds:_VfWin32kDllBase
		test	ecx, ecx
		jz	loc_A68974
		cmp	ecx, ebx
		ja	loc_A68974
		mov	eax, ds:_VfWin32kSizeOfImage
		add	eax, ecx
		cmp	eax, ebx
		jbe	loc_A68974

loc_A684B9:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+52j
		mov	ecx, edx
		call	_ViDeadlockCanProceed@8	; ViDeadlockCanProceed(x,x)
		test	eax, eax
		jz	loc_A68974
		call	_ViIsThreadInsidePagingCodePaths@0 ; ViIsThreadInsidePagingCodePaths()
		test	eax, eax
		jnz	loc_A68974
		mov	eax, ds:_ViDeadlockGlobals
		cmp	[eax+4010h], edi
		ja	loc_A68974
		mov	eax, ds:_ViDeadlockGlobals
		cmp	dword ptr [eax+40DCh], 400h
		jg	loc_A68974
		mov	eax, ds:_ViDeadlockResourceTypeInfo[esi*4]
		mov	ebx, edi
		push	3
		pop	ecx
		mov	[ebp+var_44], edi
		mov	[ebp+var_34], eax
		call	_ViDeadlockAllocate@4 ;	ViDeadlockAllocate(x)
		push	2
		pop	ecx
		mov	[ebp+var_54], eax
		call	_ViDeadlockAllocate@4 ;	ViDeadlockAllocate(x)
		mov	[ebp+var_50], eax
		xor	eax, eax
		lea	ecx, [eax+1]
		call	_ViDeadlockAllocate@4 ;	ViDeadlockAllocate(x)
		push	edi
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	8
		push	2
		call	RtlCaptureStackBackTrace
		movzx	eax, ax
		test	eax, eax
		jnz	short loc_A6854B
		mov	eax, [ebp+var_58]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax

loc_A6854B:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+100j
		cmp	eax, 8
		jnb	short loc_A68554
		mov	[ebp+eax*4+var_24], edi

loc_A68554:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+10Ej
		call	_ViRaiseIrqlToDpcLevel@0 ; ViRaiseIrqlToDpcLevel()
		mov	[ebp+var_2D], al
		xor	eax, eax
		lea	ecx, [eax+1]
		call	_ViDeadlockDetectionLock@4 ; ViDeadlockDetectionLock(x)
		lea	eax, [ebp+var_70]
		push	eax
		call	KeQueryTickCount
		cmp	ds:_ViDeadlockDetectionEnabled,	edi
		jz	loc_A688C1
		mov	eax, [ebp+var_50]
		mov	[ebp+var_44], eax
		mov	[ebp+var_50], edi
		test	eax, eax
		jz	loc_A688C1
		mov	ecx, [ebp+var_2C]
		call	_ViDeadlockSearchThread@4 ; ViDeadlockSearchThread(x)
		mov	ebx, eax
		mov	[ebp+var_3C], ebx
		test	ebx, ebx
		jnz	short loc_A685C0
		mov	edx, [ebp+var_54]
		mov	ecx, [ebp+var_2C]
		call	_ViDeadlockAddThread@8 ; ViDeadlockAddThread(x,x)
		mov	ebx, eax
		mov	[ebp+var_54], edi
		mov	[ebp+var_3C], ebx
		test	ebx, ebx
		jz	loc_A688C1
		xor	eax, eax
		inc	eax
		mov	[ebp+var_48], eax
		jmp	short loc_A685C3
; 

loc_A685C0:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+15Bj
		xor	eax, eax
		inc	eax

loc_A685C3:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+17Ej
		cmp	esi, 8
		jnz	short loc_A685D0
		mov	[ebx+1Ch], al
		jmp	loc_A688C1
; 

loc_A685D0:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+186j
		mov	ecx, [ebp+var_28]
		lea	edx, [ebp+var_38]
		call	_ViDeadlockSearchResource@8 ; ViDeadlockSearchResource(x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A68610
		mov	esi, [ebp+var_28]
		lea	eax, [ebp+var_38]
		mov	edx, [ebp+var_40]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_4C]
		call	_ViDeadlockAddResource@24 ; ViDeadlockAddResource(x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_A68677
		lea	edx, [ebp+var_38]
		mov	[ebp+var_4C], edi
		mov	ecx, esi
		call	_ViDeadlockSearchResource@8 ; ViDeadlockSearchResource(x,x)
		mov	esi, eax

loc_A68610:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+19Fj
		mov	ecx, [esi]
		mov	eax, [ebp+var_40]
		cmp	ecx, eax
		jz	short loc_A68695
		cmp	eax, 3
		jz	short loc_A68623
		cmp	eax, 4
		jnz	short loc_A6862D

loc_A68623:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+1DCj
		cmp	ecx, 3
		jz	short loc_A68693
		cmp	ecx, 4
		jz	short loc_A68693

loc_A6862D:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+1E1j
		cmp	ecx, 7
		jnz	short loc_A6863C
		cmp	eax, 6
		jz	short loc_A68693
		cmp	eax, 5
		jz	short loc_A68693

loc_A6863C:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+1F0j
		push	eax		; int
		push	ecx		; int
		push	[ebp+var_28]	; int
		mov	edx, offset ??_C@_0DN@MIFLGLIP@Acquiring?5lock?50x?$CFp?5using?5misma@JKADOLAD@	; "Acquiring lock 0x%p using mismatched	AP"...
		mov	ecx, offset unk_6B6898 ; int
		push	1008h		; int
		call	_ViDeadlockPreprocessOptions@24	; ViDeadlockPreprocessOptions(x,x,x,x,x,x)
		mov	ecx, [ebp+var_40]
		mov	edx, 1008h	; int
		push	offset unk_6B6898 ; int
		push	ecx		; int
		push	dword ptr [esi]	; int

loc_A68665:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+2C9j
		push	[ebp+var_28]	; int
		mov	ecx, 0C4h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		jmp	loc_A688C1
; 

loc_A68677:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+1BFj
		xor	esi, esi
		inc	esi
		cmp	[ebp+var_48], edi
		jz	loc_A688C4
		xor	edx, edx
		mov	ecx, ebx	; int
		mov	edi, esi
		call	_ViDeadlockRemoveThread@8 ; ViDeadlockRemoveThread(x,x)
		jmp	loc_A688C4
; 

loc_A68693:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+1E6j
					; VfDeadlockAcquireResource(x,x,x,x,x)+1EBj ...
		mov	[esi], eax

loc_A68695:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+1D7j
		cmp	eax, 5
		jz	short loc_A686A4
		cmp	eax, 6
		jz	short loc_A686A4
		mov	ecx, [ebx+8]
		jmp	short loc_A686A7
; 

loc_A686A4:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+258j
					; VfDeadlockAcquireResource(x,x,x,x,x)+25Dj
		mov	ecx, [ebx+4]

loc_A686A7:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+262j
		mov	eax, [esi+0Ch]
		mov	[ebp+var_2C], ecx
		test	eax, eax
		jz	short loc_A686BB
		cmp	eax, ebx
		jz	short loc_A686BB
		xor	eax, eax
		mov	[esi+6], ax

loc_A686BB:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+26Fj
					; VfDeadlockAcquireResource(x,x,x,x,x)+273j
		mov	ax, [esi+6]
		inc	ax
		mov	[esi+0Ch], ebx
		movzx	eax, ax
		mov	[esi+6], ax
		test	ecx, ecx
		jz	loc_A6877B
		xor	edx, edx
		inc	edx
		cmp	ax, dx
		jbe	short loc_A6870E
		test	byte ptr [ebp+var_34], dl
		jnz	loc_A688C1
		push	ebx		; int
		push	esi		; int
		push	[ebp+var_28]	; int
		mov	edx, offset ??_C@_0CN@IOPJFNJD@Lock?50x?$CFp?5doesn?8t?5support?5recur@JKADOLAD@ ; "Lock 0x%p doesn't support recursive acq"...
		mov	ecx, offset unk_6B689C ; int
		push	1000h		; int
		call	_ViDeadlockPreprocessOptions@24	; ViDeadlockPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B689C
		push	ebx
		push	esi
		mov	edx, 1000h
		jmp	loc_A68665
; 

loc_A6870E:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+299j
		lea	edx, [ecx+4]
		mov	eax, [edx]
		cmp	eax, edx
		mov	[ebp+var_48], edx
		mov	edx, [ebp+arg_4]
		jz	short loc_A68740

loc_A6871D:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+2F8j
		mov	ecx, [ebp+var_28]
		lea	ebx, [eax-0Ch]
		mov	eax, [eax]
		push	ebx
		mov	[ebp+var_34], eax
		call	_ViDeadlockSimilarNode@12 ; ViDeadlockSimilarNode(x,x,x)
		test	eax, eax
		jnz	short loc_A68768
		mov	eax, [ebp+var_34]
		cmp	eax, [ebp+var_48]
		jnz	short loc_A6871D
		mov	ebx, [ebp+var_3C]
		mov	ecx, [ebp+var_2C]

loc_A68740:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+2DBj
		movzx	eax, word ptr [esi+4]
		test	eax, eax
		jz	short loc_A687B3
		test	edx, edx
		jnz	short loc_A687B3
		push	[ebp+var_58]
		xor	eax, eax
		mov	edx, ecx
		mov	ecx, [ebp+var_28]
		inc	eax
		push	edi
		push	eax
		call	_ViDeadlockAnalyze@20 ;	ViDeadlockAnalyze(x,x,x,x,x)
		test	eax, eax
		jnz	loc_A688C1
		jmp	short loc_A687B3
; 

loc_A68768:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+2F0j
		mov	ecx, [ebp+var_2C]
		lea	eax, [ebp+var_38]
		push	eax
		mov	edx, ebx
		call	_ViDeadlockCheckDuplicatesAmongChildren@12 ; ViDeadlockCheckDuplicatesAmongChildren(x,x,x)
		jmp	loc_A6886A
; 

loc_A6877B:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+28Dj
		lea	ecx, [esi+10h]
		mov	eax, [ecx]
		jmp	short loc_A687A9
; 

loc_A68782:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+36Bj
		lea	ebx, [eax-14h]
		mov	eax, [ebx+14h]
		mov	[ebp+var_34], eax
		cmp	[ebx], edi
		jnz	short loc_A687A9
		mov	ecx, [ebp+var_28]
		mov	edx, [ebp+arg_4]
		push	ebx
		call	_ViDeadlockSimilarNode@12 ; ViDeadlockSimilarNode(x,x,x)
		test	eax, eax
		jnz	loc_A68841
		mov	eax, [ebp+var_34]
		lea	ecx, [esi+10h]

loc_A687A9:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+340j
					; VfDeadlockAcquireResource(x,x,x,x,x)+34Dj
		cmp	eax, ecx
		jnz	short loc_A68782
		xor	eax, eax
		inc	eax
		mov	[ebp+var_5C], eax

loc_A687B3:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+306j
					; VfDeadlockAcquireResource(x,x,x,x,x)+30Aj ...
		mov	ebx, [ebp+var_44]
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_44], edi
		mov	[ebx], eax
		lea	edx, [ebx+0Ch]
		mov	eax, ds:_ViDeadlockGlobals
		mov	[ebx+24h], edi
		mov	[ebx+20h], edi
		mov	[ebx+2Ch], edi
		mov	[ebx+4Ch], edi
		mov	[ebx+28h], edi
		mov	[ebx+1Ch], esi
		mov	ecx, [eax+4024h]
		lea	eax, [ebx+4]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, ecx
		mov	ecx, [ebp+arg_4]
		shl	eax, 2
		and	ecx, 1
		or	eax, ecx
		mov	[edx+4], edx
		add	eax, eax
		mov	[edx], edx
		mov	[ebx+24h], eax
		cmp	[ebp+var_5C], edi
		jnz	short loc_A6882F
		mov	eax, [ebp+var_2C]
		add	eax, 4
		mov	edx, [eax]
		mov	[ebp+var_34], edx
		cmp	[edx+4], eax
		lea	edx, [ebx+0Ch]
		jnz	short loc_A6883C
		mov	ecx, [ebp+var_34]
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	[ecx+4], edx
		mov	ecx, [ebp+var_2C]
		mov	[eax], edx
		xor	eax, eax
		lea	edx, [eax+1]
		call	_ViDeadlockUpdateChildrenCount@8 ; ViDeadlockUpdateChildrenCount(x,x)

loc_A6882F:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+3C0j
		lea	edx, [esi+10h]
		mov	ecx, [edx]
		lea	eax, [ebx+14h]
		cmp	[ecx+4], edx
		jz	short loc_A6884D

loc_A6883C:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+3D3j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A68841:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+35Dj
		lea	edx, [ebp+var_38]
		mov	ecx, ebx
		call	_ViDeadlockCheckDuplicatesAmongRoots@8 ; ViDeadlockCheckDuplicatesAmongRoots(x,x)
		jmp	short loc_A6886A
; 

loc_A6884D:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+3FAj
		mov	[eax], ecx
		mov	[eax+4], edx
		mov	[ecx+4], eax
		mov	[edx], eax
		inc	word ptr [esi+4]
		cmp	word ptr [esi+4], 0FFF0h
		jbe	short loc_A6886A
		or	ds:_ViDeadlockState, 20h

loc_A6886A:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+336j
					; VfDeadlockAcquireResource(x,x,x,x,x)+40Bj ...
		test	ebx, ebx
		jz	short loc_A688BE
		mov	ecx, [ebp+var_40]
		xor	eax, eax
		inc	eax
		or	[ebx+24h], eax
		mov	eax, [ebp+var_3C]
		mov	[ebx+20h], eax
		cmp	ecx, 5
		jz	short loc_A6888C
		cmp	ecx, 6
		jz	short loc_A6888C
		mov	[eax+8], ebx
		jmp	short loc_A6888F
; 

loc_A6888C:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+440j
					; VfDeadlockAcquireResource(x,x,x,x,x)+445j
		mov	[eax+4], ebx

loc_A6888F:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+44Aj
		inc	dword ptr [eax+14h]
		mov	esi, [ebx]
		test	esi, esi
		jz	short loc_A688A3
		push	8
		add	esi, 2Ch
		lea	edi, [ebx+4Ch]
		pop	ecx
		rep movsd

loc_A688A3:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+456j
		push	8
		pop	ecx
		lea	edi, [ebx+2Ch]
		lea	esi, [ebp+var_24]
		rep movsd
		mov	edi, [ebx+1Ch]
		lea	esi, [ebp+var_24]
		push	8
		add	edi, 40h
		pop	ecx
		rep movsd
		xor	edi, edi

loc_A688BE:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+42Cj
		mov	ebx, [ebp+var_3C]

loc_A688C1:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+135j
					; VfDeadlockAcquireResource(x,x,x,x,x)+146j ...
		xor	esi, esi
		inc	esi

loc_A688C4:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+23Dj
					; VfDeadlockAcquireResource(x,x,x,x,x)+24Ej
		lea	eax, [ebp+var_68]
		push	eax
		call	KeQueryTickCount
		mov	ecx, [ebp+var_68]
		sub	ecx, [ebp+var_70]
		mov	eax, ds:_ViDeadlockGlobals
		mov	edx, [ebp+var_64]
		sbb	edx, [ebp+var_6C]
		cmp	edx, [eax+4]
		jl	short loc_A688EE
		jg	short loc_A688E9
		cmp	ecx, [eax]
		jbe	short loc_A688EE

loc_A688E9:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+4A3j
		mov	[eax], ecx
		mov	[eax+4], edx

loc_A688EE:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+4A1j
					; VfDeadlockAcquireResource(x,x,x,x,x)+4A7j
		mov	ecx, esi
		call	_ViDeadlockDetectionUnlock@4 ; ViDeadlockDetectionUnlock(x)
		mov	cl, [ebp+var_2D]
		call	_ViLowerIrql@4	; ViLowerIrql(x)
		mov	ecx, [ebp+var_38]
		test	ecx, ecx
		jz	short loc_A68915

loc_A68904:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+4D2j
		mov	esi, [ecx]
		push	2
		pop	edx
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)
		mov	ecx, esi
		test	esi, esi
		jnz	short loc_A68904
		inc	esi

loc_A68915:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+4C2j
		mov	ecx, [ebp+var_60]
		test	ecx, ecx
		jz	short loc_A68923
		mov	edx, esi
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)

loc_A68923:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+4DAj
		test	edi, edi
		jz	short loc_A68931
		push	3
		pop	edx
		mov	ecx, ebx
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)

loc_A68931:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+4E5j
		mov	eax, [ebp+var_44]
		test	eax, eax
		jz	short loc_A68942
		push	2
		pop	edx
		mov	ecx, eax
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)

loc_A68942:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+4F6j
		mov	eax, [ebp+var_4C]
		test	eax, eax
		jz	short loc_A68952
		mov	edx, esi
		mov	ecx, eax
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)

loc_A68952:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+507j
		mov	eax, [ebp+var_50]
		test	eax, eax
		jz	short loc_A68963
		push	2
		pop	edx
		mov	ecx, eax
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)

loc_A68963:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+517j
		mov	eax, [ebp+var_54]
		test	eax, eax
		jz	short loc_A68974
		push	3
		pop	edx
		mov	ecx, eax
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)

loc_A68974:				; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+5Cj
					; VfDeadlockAcquireResource(x,x,x,x,x)+64j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_VfDeadlockAcquireResource@20 endp


;  S U B	R O U T	I N E 


; __stdcall VfDeadlockAfterCallDriver(x)
_VfDeadlockAfterCallDriver@4 proc near	; CODE XREF: IovpCallDriverNoIrpTracking(x,x,x)+30p
					; VfAfterCallDriver(x,x,x)+13p	...
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		test	ecx, ecx
		jz	short loc_A689D2
		cmp	ds:_ViDeadlockDetectionEnabled,	0
		jz	short loc_A689D2
		cmp	ds:_KeNumberProcessors,	4
		ja	short loc_A689D2
		mov	esi, large fs:124h
		call	_ViRaiseIrqlToDpcLevel@0 ; ViRaiseIrqlToDpcLevel()
		xor	ecx, ecx
		mov	bl, al
		call	_ViDeadlockDetectionLock@4 ; ViDeadlockDetectionLock(x)
		mov	ecx, esi
		call	_ViDeadlockSearchThread@4 ; ViDeadlockSearchThread(x)
		test	eax, eax
		jz	short loc_A689C4
		lock dec dword ptr [eax+18h]

loc_A689C4:				; CODE XREF: VfDeadlockAfterCallDriver(x)+39j
		xor	ecx, ecx
		call	_ViDeadlockDetectionUnlock@4 ; ViDeadlockDetectionUnlock(x)
		mov	cl, bl
		call	_ViLowerIrql@4	; ViLowerIrql(x)

loc_A689D2:				; CODE XREF: VfDeadlockAfterCallDriver(x)+7j
					; VfDeadlockAfterCallDriver(x)+10j ...
		pop	esi
		pop	ebx
		pop	ecx
		retn
_VfDeadlockAfterCallDriver@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfDeadlockBeforeCallDriver(x)
_VfDeadlockBeforeCallDriver@4 proc near	; CODE XREF: VfBeforeCallDriver(x,x,x)+43p
					; VfBeforeCallDriver(x,x,x)+EEp

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		test	byte ptr [ecx+8], 2
		push	edi
		mov	edi, esi
		jz	loc_A68A97
		cmp	ds:_KeNumberProcessors,	4
		ja	loc_A68A97
		cmp	ds:_ViDeadlockGlobals, esi
		jz	loc_A68A97
		mov	eax, large fs:124h
		mov	[ebp+var_8], eax
		cmp	ds:_ViDeadlockDetectionEnabled,	esi
		jz	short loc_A68A27
		push	3
		pop	ecx
		call	_ViDeadlockAllocate@4 ;	ViDeadlockAllocate(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A68A97

loc_A68A27:				; CODE XREF: VfDeadlockBeforeCallDriver(x)+41j
		mov	ebx, esi
		call	_ViRaiseIrqlToDpcLevel@0 ; ViRaiseIrqlToDpcLevel()
		mov	[ebp+var_1], al

loc_A68A31:				; CODE XREF: VfDeadlockBeforeCallDriver(x)+8Bj
		mov	ecx, ebx
		call	_ViDeadlockDetectionLock@4 ; ViDeadlockDetectionLock(x)
		mov	ecx, [ebp+var_8]
		call	_ViDeadlockSearchThread@4 ; ViDeadlockSearchThread(x)
		test	eax, eax
		jnz	short loc_A68A6F
		cmp	ds:_ViDeadlockDetectionEnabled,	esi
		jz	short loc_A68A76
		test	ebx, ebx
		jnz	short loc_A68A63
		inc	ebx
		call	_ViDeadlockDetectionTryConvertSharedToExclusive@0 ; ViDeadlockDetectionTryConvertSharedToExclusive()
		test	eax, eax
		jnz	short loc_A68A63
		xor	ecx, ecx
		call	_ViDeadlockDetectionUnlock@4 ; ViDeadlockDetectionUnlock(x)
		jmp	short loc_A68A31
; 

loc_A68A63:				; CODE XREF: VfDeadlockBeforeCallDriver(x)+78j
					; VfDeadlockBeforeCallDriver(x)+82j
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_ViDeadlockAddThread@8 ; ViDeadlockAddThread(x,x)
		mov	edi, esi

loc_A68A6F:				; CODE XREF: VfDeadlockBeforeCallDriver(x)+6Cj
		lock inc dword ptr [eax+18h]
		xor	esi, esi
		inc	esi

loc_A68A76:				; CODE XREF: VfDeadlockBeforeCallDriver(x)+74j
		mov	ecx, ebx
		call	_ViDeadlockDetectionUnlock@4 ; ViDeadlockDetectionUnlock(x)
		mov	cl, [ebp+var_1]
		call	_ViLowerIrql@4	; ViLowerIrql(x)
		test	edi, edi
		jz	short loc_A68A93
		push	3
		pop	edx
		mov	ecx, edi
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)

loc_A68A93:				; CODE XREF: VfDeadlockBeforeCallDriver(x)+B1j
		mov	eax, esi
		jmp	short loc_A68A99
; 

loc_A68A97:				; CODE XREF: VfDeadlockBeforeCallDriver(x)+13j
					; VfDeadlockBeforeCallDriver(x)+20j ...
		xor	eax, eax

loc_A68A99:				; CODE XREF: VfDeadlockBeforeCallDriver(x)+BFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VfDeadlockBeforeCallDriver@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfDeadlockDeleteMemoryRange(x, x)
_VfDeadlockDeleteMemoryRange@8 proc near ; CODE	XREF: VfDriverUnloadImage+1D0Cp
					; VfFreeMemoryNotification(x,x)+9p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		xor	ecx, ecx
		call	_ViDeadlockCanProceed@8	; ViDeadlockCanProceed(x,x)
		test	eax, eax
		jz	short loc_A68B01
		mov	eax, edi
		lea	ebx, [edi+esi]
		and	eax, 0FFFh
		mov	ecx, edi
		add	eax, 0FFFh
		add	eax, esi
		shr	eax, 0Ch
		mov	[ebp+var_8], eax
		test	eax, eax
		jmp	short loc_A68AFC
; 

loc_A68AD5:				; CODE XREF: VfDeadlockDeleteMemoryRange(x,x)+61j
		lea	esi, [ecx+1000h]
		cmp	esi, ebx
		jbe	short loc_A68AE1
		mov	esi, ebx

loc_A68AE1:				; CODE XREF: VfDeadlockDeleteMemoryRange(x,x)+3Fj
		push	ebx
		push	edi
		mov	edx, esi
		call	_ViDeadlockRemoveMemoryRangeResources@16 ; ViDeadlockRemoveMemoryRangeResources(x,x,x,x)
		mov	ecx, [ebp+var_4]
		mov	edx, esi
		push	ebx
		push	edi
		call	_ViDeadlockRemoveMemoryRangeThreads@16 ; ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)
		sub	[ebp+var_8], 1
		mov	ecx, esi

loc_A68AFC:				; CODE XREF: VfDeadlockDeleteMemoryRange(x,x)+35j
		mov	[ebp+var_4], ecx
		jnz	short loc_A68AD5

loc_A68B01:				; CODE XREF: VfDeadlockDeleteMemoryRange(x,x)+18j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VfDeadlockDeleteMemoryRange@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfDeadlockInitialize(x, x)
_VfDeadlockInitialize@8	proc near	; CODE XREF: VfInitVerifierComponents(x,x,x)+27Ap
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	6B636C44h
		mov	esi, 40F0h
		mov	edi, edx
		push	esi
		push	200h
		mov	ebx, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:_ViDeadlockGlobals, eax
		test	eax, eax
		jz	loc_A68D23
		push	esi		; size_t
		xor	esi, esi
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	6B636C44h
		push	1FF8h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, ds:_ViDeadlockGlobals
		mov	[ecx+10h], eax
		test	eax, eax
		jz	loc_A68CED
		push	6B636C44h
		push	1FF8h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, ds:_ViDeadlockGlobals
		mov	[ecx+2010h], eax
		test	eax, eax
		jz	loc_A68CED
		mov	_ViDeadlockDatabaseLock, esi

loc_A68B91:				; CODE XREF: VfDeadlockInitialize(x,x)+ABj
		mov	eax, [ecx+10h]
		add	eax, esi
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, [ecx+2010h]
		add	eax, esi
		add	esi, 8
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	esi, 1FF8h
		jb	short loc_A68B91
		mov	ecx, ds:_ViRecursionDepthLimitFromRegistry
		mov	eax, ds:_ViDeadlockGlobals
		test	ecx, ecx
		jz	short loc_A68BCA
		mov	[eax+4028h], ecx
		jmp	short loc_A68BD4
; 

loc_A68BCA:				; CODE XREF: VfDeadlockInitialize(x,x)+BAj
		mov	dword ptr [eax+4028h], 4

loc_A68BD4:				; CODE XREF: VfDeadlockInitialize(x,x)+C2j
		mov	ecx, ds:_ViSearchedNodesLimitFromRegistry
		test	ecx, ecx
		jz	short loc_A68BE6
		mov	[eax+402Ch], ecx
		jmp	short loc_A68BF0
; 

loc_A68BE6:				; CODE XREF: VfDeadlockInitialize(x,x)+D6j
		mov	dword ptr [eax+402Ch], 3E8h

loc_A68BF0:				; CODE XREF: VfDeadlockInitialize(x,x)+DEj
		mov	esi, edi
		mov	eax, edi
		neg	esi
		push	offset ExInitializeNPagedLookasideListInternal
		push	_VfInitializedWithoutReboot
		sbb	esi, esi
		and	esi, offset _ViDeadlockKernelVerifierLookasideAllocate@12 ; ViDeadlockKernelVerifierLookasideAllocate(x,x,x)
		neg	eax
		sbb	eax, eax
		and	eax, 1E0h
		add	eax, 20h
		push	eax
		push	72685456h
		push	20h
		push	200h
		push	offset _VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)
		push	esi
		push	offset _ViDeadlockThreadLookaside
		call	ds:_pXdvExInitializeNPagedLookasideList	; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
		push	offset ExInitializeNPagedLookasideListInternal
		push	_VfInitializedWithoutReboot
		mov	eax, edi
		neg	eax
		sbb	eax, eax
		and	eax, 1FC0h
		add	eax, 40h
		push	eax
		push	73655256h
		push	80h
		push	200h
		push	offset _VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)
		push	esi
		push	offset _ViDeadlockResourceLookaside
		call	ds:_pXdvExInitializeNPagedLookasideList	; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
		push	offset ExInitializeNPagedLookasideListInternal
		push	_VfInitializedWithoutReboot
		mov	eax, edi
		neg	eax
		sbb	eax, eax
		and	eax, 3FC0h
		add	eax, 40h
		push	eax
		push	646F4E56h
		push	6Ch
		push	200h
		push	offset _VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)
		push	esi
		mov	esi, offset _ViDeadlockNodeLookaside
		push	esi
		call	ds:_pXdvExInitializeNPagedLookasideList	; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
		test	edi, edi
		jz	short loc_A68CDA
		mov	edx, 200h
		mov	ecx, offset _ViDeadlockThreadLookaside
		call	_ViDeadlockPopulateLookasideCache@8 ; ViDeadlockPopulateLookasideCache(x,x)
		mov	edx, 4000h
		mov	ecx, esi
		call	_ViDeadlockPopulateLookasideCache@8 ; ViDeadlockPopulateLookasideCache(x,x)
		mov	edx, 2000h
		mov	ecx, offset _ViDeadlockResourceLookaside
		call	_ViDeadlockPopulateLookasideCache@8 ; ViDeadlockPopulateLookasideCache(x,x)
		or	ds:_ViDeadlockState, 2

loc_A68CDA:				; CODE XREF: VfDeadlockInitialize(x,x)+1A1j
		test	ebx, ebx
		jz	short loc_A68CE5
		or	ds:_ViDeadlockState, 4

loc_A68CE5:				; CODE XREF: VfDeadlockInitialize(x,x)+1D6j
		pop	edi
		pop	esi
		pop	ebx
		jmp	_ViDeadlockDetectionApplySettings@0 ; ViDeadlockDetectionApplySettings()
; 

loc_A68CED:				; CODE XREF: VfDeadlockInitialize(x,x)+57j
					; VfDeadlockInitialize(x,x)+7Fj
		mov	eax, [ecx+10h]
		test	eax, eax
		jz	short loc_A68CFB
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A68CFB:				; CODE XREF: VfDeadlockInitialize(x,x)+1ECj
		mov	eax, ds:_ViDeadlockGlobals
		mov	eax, [eax+2010h]
		test	eax, eax
		jz	short loc_A68D11
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A68D11:				; CODE XREF: VfDeadlockInitialize(x,x)+202j
		push	esi
		push	ds:_ViDeadlockGlobals
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ds:_ViDeadlockGlobals, esi

loc_A68D23:				; CODE XREF: VfDeadlockInitialize(x,x)+25j
		pop	edi
		pop	esi
		pop	ebx
		retn
_VfDeadlockInitialize@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfDeadlockInitializeResource(x, x, x, x)
_VfDeadlockInitializeResource@16 proc near ; CODE XREF:	VerifierKeInitializeMutant(x,x)+26p
					; VerifierKeInitializeMutex(x,x)+26p ...

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_30], edx
		lea	edi, [ebp+var_24]
		mov	edx, ecx
		xor	eax, eax
		push	8
		pop	ecx
		rep stosd
		xor	ebx, ebx
		mov	[ebp+var_34], edx
		mov	ecx, edx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_2C], ebx
		call	_ViDeadlockCanProceed@8	; ViDeadlockCanProceed(x,x)
		test	eax, eax
		jz	loc_A68E34
		mov	eax, ds:_ViDeadlockGlobals
		cmp	[eax+4010h], ebx
		ja	loc_A68E34
		mov	eax, ds:_ViDeadlockGlobals
		cmp	dword ptr [eax+40DCh], 400h
		jg	loc_A68E34
		xor	ecx, ecx
		inc	ecx
		call	_ViDeadlockAllocate@4 ;	ViDeadlockAllocate(x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A68E34
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	8
		push	2
		call	RtlCaptureStackBackTrace
		movzx	eax, ax
		test	eax, eax
		jnz	short loc_A68DBB
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax

loc_A68DBB:				; CODE XREF: VfDeadlockInitializeResource(x,x,x,x)+89j
		cmp	eax, 8
		jnb	short loc_A68DC4
		mov	[ebp+eax*4+var_24], ebx

loc_A68DC4:				; CODE XREF: VfDeadlockInitializeResource(x,x,x,x)+97j
		call	_ViRaiseIrqlToDpcLevel@0 ; ViRaiseIrqlToDpcLevel()
		xor	ecx, ecx
		mov	bl, al
		inc	ecx
		call	_ViDeadlockDetectionLock@4 ; ViDeadlockDetectionLock(x)
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_2C]
		mov	ecx, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	_ViDeadlockAddResource@24 ; ViDeadlockAddResource(x,x,x,x,x,x)
		xor	ecx, ecx
		mov	edi, eax
		inc	ecx
		call	_ViDeadlockDetectionUnlock@4 ; ViDeadlockDetectionUnlock(x)
		mov	cl, bl
		call	_ViLowerIrql@4	; ViLowerIrql(x)
		test	edi, edi
		jnz	short loc_A68E0A
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)

loc_A68E0A:				; CODE XREF: VfDeadlockInitializeResource(x,x,x,x)+D7j
		mov	ecx, [ebp+var_28]
		test	ecx, ecx
		jz	short loc_A68E19
		xor	edx, edx
		inc	edx
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)

loc_A68E19:				; CODE XREF: VfDeadlockInitializeResource(x,x,x,x)+E8j
		mov	ecx, [ebp+var_2C]
		test	ecx, ecx
		jz	short loc_A68E30

loc_A68E20:				; CODE XREF: VfDeadlockInitializeResource(x,x,x,x)+107j
		mov	esi, [ecx]
		push	2
		pop	edx
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)
		mov	ecx, esi
		test	esi, esi
		jnz	short loc_A68E20

loc_A68E30:				; CODE XREF: VfDeadlockInitializeResource(x,x,x,x)+F7j
		mov	eax, edi
		jmp	short loc_A68E36
; 

loc_A68E34:				; CODE XREF: VfDeadlockInitializeResource(x,x,x,x)+38j
					; VfDeadlockInitializeResource(x,x,x,x)+49j ...
		xor	eax, eax

loc_A68E36:				; CODE XREF: VfDeadlockInitializeResource(x,x,x,x)+10Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_VfDeadlockInitializeResource@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfDeadlockReleaseResource(x, x, x, x)
_VfDeadlockReleaseResource@16 proc near	; CODE XREF: VerifierKeReleaseInStackQueuedSpinLock(x)+1Bp
					; VerifierKeReleaseInStackQueuedSpinLockForDpc(x)+1Bp ...

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_25		= byte ptr -25h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		mov	[ebp+var_3C], edx
		lea	edi, [ebp+var_24]
		mov	edx, ecx
		mov	[ebp+var_38], eax
		push	8
		xor	esi, esi
		mov	[ebp+var_2C], edx
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_44], esi
		rep stosd
		mov	ecx, edx
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], esi
		mov	[ebp+var_40], esi
		call	_ViDeadlockCanProceed@8	; ViDeadlockCanProceed(x,x)
		test	eax, eax
		jz	loc_A6920E
		call	_ViIsThreadInsidePagingCodePaths@0 ; ViIsThreadInsidePagingCodePaths()
		test	eax, eax
		jnz	loc_A6920E
		mov	eax, ds:_ViDeadlockGlobals
		cmp	[eax+4010h], esi
		ja	loc_A6920E
		mov	eax, ds:_ViDeadlockGlobals
		cmp	dword ptr [eax+40DCh], 400h
		jg	loc_A6920E
		push	ebx		; char
		push	esi
		lea	eax, [ebp+var_24]
		mov	[ebp+var_34], esi
		push	eax
		push	8
		push	2
		mov	ebx, esi
		call	RtlCaptureStackBackTrace
		xor	edi, edi
		movzx	eax, ax
		inc	edi
		test	eax, eax
		jnz	short loc_A68EEF
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_24], eax
		mov	eax, edi

loc_A68EEF:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+9Ej
		cmp	eax, 8
		jnb	short loc_A68EF8
		mov	[ebp+eax*4+var_24], esi

loc_A68EF8:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+ABj
		call	_ViRaiseIrqlToDpcLevel@0 ; ViRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	[ebp+var_25], al
		call	_ViDeadlockDetectionLock@4 ; ViDeadlockDetectionLock(x)
		lea	eax, [ebp+var_54]
		push	eax
		call	KeQueryTickCount
		cmp	ds:_ViDeadlockDetectionEnabled,	esi
		jz	loc_A691AB
		mov	ecx, [ebp+var_2C]
		lea	edx, [ebp+var_40]
		call	_ViDeadlockSearchResource@8 ; ViDeadlockSearchResource(x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_A691AB
		mov	eax, [ecx]
		mov	edi, [ebp+var_3C]
		cmp	eax, edi
		jz	short loc_A68F58
		cmp	eax, 7
		jnz	loc_A68FC7
		cmp	edi, 6
		jz	short loc_A68F54
		cmp	edi, 5
		jnz	loc_A68FE4

loc_A68F54:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+102j
		mov	[ecx], edi
		mov	eax, edi

loc_A68F58:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+F4j
					; VfDeadlockReleaseResource(x,x,x,x)+198j
		movzx	edx, word ptr [ecx+6]
		test	dx, dx
		jnz	loc_A6901F
		mov	eax, ds:_ViDeadlockGlobals
		cmp	[eax+4010h], esi
		jnz	loc_A6919D
		mov	eax, ds:_ViDeadlockGlobals
		cmp	dword ptr [eax+40DCh], 400h
		jg	loc_A6919D
		mov	ecx, [ebp+var_38]
		call	_ViDeadlockSearchThread@4 ; ViDeadlockSearchThread(x)
		mov	esi, [ebp+var_30]
		mov	edx, offset ??_C@_0DN@JJNOFEAB@Releasing?5lock?50x?$CFp?5that?5is?5not@JKADOLAD@ ; int
		mov	edi, [ebp+var_2C]
		mov	ecx, offset unk_6B6894 ; int
		push	eax		; int
		push	esi		; int
		push	edi		; int
		push	1007h		; int
		call	_ViDeadlockPreprocessOptions@24	; ViDeadlockPreprocessOptions(x,x,x,x,x,x)
		mov	ecx, [ebp+var_38]
		push	offset unk_6B6894
		call	_ViDeadlockSearchThread@4 ; ViDeadlockSearchThread(x)
		push	eax
		push	esi
		push	edi
		mov	edx, 1007h
		jmp	short loc_A6900E
; 

loc_A68FC7:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+F9j
		xor	edx, edx
		inc	edx
		cmp	eax, edx
		jnz	short loc_A68FE4
		cmp	edi, 2
		jnz	short loc_A68FE4
		cmp	[ecx+6], dx
		jbe	short loc_A68FDD
		mov	[ecx+6], dx

loc_A68FDD:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+190j
		mov	eax, edx
		jmp	loc_A68F58
; 

loc_A68FE4:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+107j
					; VfDeadlockReleaseResource(x,x,x,x)+185j ...
		push	edi		; int
		push	eax		; int
		push	[ebp+var_2C]	; int
		mov	esi, offset unk_6B6890
		mov	edx, offset ??_C@_0DN@EKAJEALB@Releasing?5lock?50x?$CFp?5using?5misma@JKADOLAD@	; int
		push	1009h		; int
		mov	ecx, esi	; int
		call	_ViDeadlockPreprocessOptions@24	; ViDeadlockPreprocessOptions(x,x,x,x,x,x)
		push	esi		; int
		mov	esi, [ebp+var_30]
		mov	edx, 1009h	; int
		push	edi		; int
		push	dword ptr [esi]	; int
		push	[ebp+var_2C]	; int

loc_A6900E:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+17Ej
		mov	ecx, 0C4h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		mov	ecx, esi
		jmp	loc_A6919D
; 

loc_A6901F:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+118j
		mov	ebx, [ecx+0Ch]
		mov	esi, [ebx]
		mov	[ebp+var_3C], esi
		cmp	eax, 5
		jz	short loc_A69036
		cmp	eax, 6
		jz	short loc_A69036
		mov	esi, [ebx+8]
		jmp	short loc_A69039
; 

loc_A69036:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+1E3j
					; VfDeadlockReleaseResource(x,x,x,x)+1E8j
		mov	esi, [ebx+4]

loc_A69039:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+1EDj
		lea	eax, [edx-1]
		mov	[ecx+6], ax
		test	ax, ax
		jnz	loc_A6919D
		mov	eax, ds:_ViDeadlockGlobals
		xor	edi, edi
		mov	[ecx+0Ch], edi
		inc	dword ptr [eax+4048h]
		cmp	[esi+1Ch], ecx
		jz	loc_A6911C
		inc	dword ptr [eax+4040h]
		mov	eax, [esi+1Ch]
		mov	eax, [eax]
		test	byte ptr ds:_ViDeadlockResourceTypeInfo[eax*4],	4
		jnz	short loc_A690EB
		mov	eax, [ecx]
		test	byte ptr ds:_ViDeadlockResourceTypeInfo[eax*4],	4
		jnz	short loc_A690EB
		push	offset ??_C@_0DN@HFKEJOAN@Deadlock?5detection?3?5Must?5releas@JKADOLAD@	; "Deadlock detection: Must release resour"...
		push	edi		; int
		push	5Dh		; int
		call	_DbgPrintEx
		mov	ecx, [ebp+var_2C]
		mov	eax, [esi+1Ch]
		push	ecx
		push	ebx
		push	dword ptr [eax+8]
		push	ecx		; char
		push	offset ??_C@_0FP@OGKKGCMG@Resource?5?$CFp?5acquired?5before?5res@JKADOLAD@ ; "Resource %p acquired before resource %p"...
		push	edi		; int
		push	5Dh		; int
		call	_DbgPrintEx
		mov	eax, [esi+1Ch]
		add	esp, 28h
		mov	edx, offset ??_C@_0DH@BBHHIKMG@Releasing?5two?5locks?5in?5reverse?5@JKADOLAD@ ;	"Releasing two locks in	reverse	order of"...
		mov	ecx, offset unk_6B6880 ; int
		push	ebx		; int
		push	dword ptr [eax+8] ; int
		push	[ebp+var_2C]	; int
		push	1003h		; int
		call	_ViDeadlockPreprocessOptions@24	; ViDeadlockPreprocessOptions(x,x,x,x,x,x)
		mov	eax, [esi+1Ch]
		mov	edx, 1003h	; int
		push	offset unk_6B6880 ; int
		push	ebx		; int
		mov	ecx, 0C4h	; int
		push	dword ptr [eax+8] ; int
		push	[ebp+var_2C]	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		mov	ecx, [ebp+var_30]

loc_A690EB:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+22Ej
					; VfDeadlockReleaseResource(x,x,x,x)+23Aj ...
		cmp	[esi+1Ch], ecx
		jz	short loc_A690F8
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_A690EB
		jmp	short loc_A69123
; 

loc_A690F8:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+2A7j
		and	dword ptr [esi+24h], 0FFFFFFFEh
		mov	eax, [esi+24h]
		mov	[ebp+var_34], esi
		test	al, 4
		jnz	short loc_A69114
		mov	eax, ds:_ViDeadlockGlobals
		inc	dword ptr [eax+4044h]
		mov	eax, [esi+24h]

loc_A69114:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+2BDj
		or	eax, 4
		mov	[esi+24h], eax
		jmp	short loc_A69123
; 

loc_A6911C:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+215j
		and	dword ptr [esi+24h], 0FFFFFFFEh
		mov	[ebp+var_34], esi

loc_A69123:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+2AFj
					; VfDeadlockReleaseResource(x,x,x,x)+2D3j
		mov	eax, [ecx]
		cmp	eax, 5
		jz	short loc_A6914C
		cmp	eax, 6
		jz	short loc_A6914C
		mov	edx, [ebx+8]
		jmp	short loc_A69146
; 

loc_A69134:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+301j
		test	byte ptr [edx+24h], 1
		jz	short loc_A6913F
		cmp	[edx+20h], ebx
		jz	short loc_A69167

loc_A6913F:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+2F1j
		mov	eax, [edx]
		mov	edx, eax
		mov	[ebx+8], eax

loc_A69146:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+2EBj
		test	edx, edx
		jnz	short loc_A69134
		jmp	short loc_A69167
; 

loc_A6914C:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+2E1j
					; VfDeadlockReleaseResource(x,x,x,x)+2E6j
		mov	edx, [ebx+4]
		jmp	short loc_A69163
; 

loc_A69151:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+31Ej
		test	byte ptr [edx+24h], 1
		jz	short loc_A6915C
		cmp	[edx+20h], ebx
		jz	short loc_A69167

loc_A6915C:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+30Ej
		mov	eax, [edx]
		mov	edx, eax
		mov	[ebx+4], eax

loc_A69163:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+308j
		test	edx, edx
		jnz	short loc_A69151

loc_A69167:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+2F6j
					; VfDeadlockReleaseResource(x,x,x,x)+303j ...
		mov	edx, [ebp+var_34]
		test	edx, edx
		jz	short loc_A6919D
		mov	esi, [ebp+var_38]
		mov	[edx+20h], edi
		dec	dword ptr [ebx+14h]
		mov	eax, [ebx+14h]
		cmp	[ebp+var_3C], esi
		jz	short loc_A69186
		or	dword ptr [edx+24h], 4
		mov	eax, [ebx+14h]

loc_A69186:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+336j
		test	eax, eax
		jnz	short loc_A6919D
		xor	edx, edx
		mov	[ebp+var_44], 1
		mov	ecx, ebx	; int
		call	_ViDeadlockRemoveThread@8 ; ViDeadlockRemoveThread(x,x)
		mov	ecx, [ebp+var_30]

loc_A6919D:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+129j
					; VfDeadlockReleaseResource(x,x,x,x)+13Ej ...
		lea	edi, [ecx+60h]
		push	8
		pop	ecx
		lea	esi, [ebp+var_24]
		rep movsd
		xor	edi, edi
		inc	edi

loc_A691AB:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+CFj
					; VfDeadlockReleaseResource(x,x,x,x)+E7j
		lea	eax, [ebp+var_4C]
		push	eax
		call	KeQueryTickCount
		mov	edx, [ebp+var_4C]
		sub	edx, [ebp+var_54]
		mov	eax, ds:_ViDeadlockGlobals
		mov	esi, [ebp+var_48]
		sbb	esi, [ebp+var_50]
		cmp	esi, [eax+0Ch]
		jl	short loc_A691D7
		jg	short loc_A691D1
		cmp	edx, [eax+8]
		jbe	short loc_A691D7

loc_A691D1:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+383j
		mov	[eax+8], edx
		mov	[eax+0Ch], esi

loc_A691D7:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+381j
					; VfDeadlockReleaseResource(x,x,x,x)+388j
		mov	ecx, edi
		call	_ViDeadlockDetectionUnlock@4 ; ViDeadlockDetectionUnlock(x)
		mov	cl, [ebp+var_25]
		call	_ViLowerIrql@4	; ViLowerIrql(x)
		mov	ecx, [ebp+var_40]
		test	ecx, ecx
		jz	short loc_A691FD

loc_A691ED:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+3B4j
		mov	esi, [ecx]
		push	2
		pop	edx
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)
		mov	ecx, esi
		test	esi, esi
		jnz	short loc_A691ED

loc_A691FD:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+3A4j
		cmp	[ebp+var_44], 0
		jz	short loc_A6920D
		push	3
		pop	edx
		mov	ecx, ebx
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)

loc_A6920D:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+3BAj
		pop	ebx

loc_A6920E:				; CODE XREF: VfDeadlockReleaseResource(x,x,x,x)+49j
					; VfDeadlockReleaseResource(x,x,x,x)+56j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_VfDeadlockReleaseResource@16 endp


;  S U B	R O U T	I N E 


; __stdcall ViDeadlockAddParticipant(x)
_ViDeadlockAddParticipant@4 proc near	; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+F3p
					; ViDeadlockAnalyze(x,x,x,x,x)+165p ...
		mov	eax, ds:_ViDeadlockGlobals
		mov	edx, [eax+4058h]
		cmp	edx, 20h
		jb	short loc_A69236
		or	ds:_ViDeadlockState, 10h
		retn
; 

loc_A69236:				; CODE XREF: ViDeadlockAddParticipant(x)+Ej
		mov	[eax+edx*4+405Ch], ecx
		inc	dword ptr [eax+4058h]
		retn
_ViDeadlockAddParticipant@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockAddResource(x, x,	x, x, x, x)
_ViDeadlockAddResource@24 proc near	; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+1B8p
					; VfDeadlockInitializeResource(x,x,x,x)+BFp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, edx
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, ecx
		cmp	eax, 8
		ja	loc_A6938F
		mov	edx, [ebp+arg_C]
		push	esi
		push	edi
		call	_ViDeadlockSearchResource@8 ; ViDeadlockSearchResource(x,x)
		mov	edi, eax
		xor	esi, esi
		test	edi, edi
		jz	loc_A692F2
		mov	eax, [ebp+var_4]
		test	byte ptr ds:_ViDeadlockResourceTypeInfo[eax*4],	8
		jnz	short loc_A692AC
		push	esi		; int
		push	edi		; int
		push	ebx		; int
		push	1005h		; int
		mov	edx, offset ??_C@_0CC@BLAEAHBE@Re?9initializing?5active?5lock?50x?$CF@JKADOLAD@	; "Re-initializing active lock 0x%p."
		mov	ecx, offset unk_6B688C ; int
		call	_ViDeadlockPreprocessOptions@24	; ViDeadlockPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B688C ; int
		push	esi		; int
		push	edi		; int
		push	ebx		; int
		mov	edx, 1005h	; int
		mov	ecx, 0C4h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A692AC:				; CODE XREF: ViDeadlockAddResource(x,x,x,x,x,x)+38j
		cmp	[edi+0Ch], esi
		jz	short loc_A692E1
		push	1		; int
		push	edi		; int
		push	ebx		; int
		push	1005h		; int
		mov	edx, offset ??_C@_0CC@BLAEAHBE@Re?9initializing?5active?5lock?50x?$CF@JKADOLAD@	; "Re-initializing active lock 0x%p."
		mov	ecx, offset unk_6B6888 ; int
		call	_ViDeadlockPreprocessOptions@24	; ViDeadlockPreprocessOptions(x,x,x,x,x,x)
		push	offset unk_6B6888 ; int
		push	1		; int
		push	edi		; int
		push	ebx		; int
		mov	edx, 1005h	; int
		mov	ecx, 0C4h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)

loc_A692E1:				; CODE XREF: ViDeadlockAddResource(x,x,x,x,x,x)+6Bj
		push	[ebp+arg_C]	; int
		xor	edx, edx	; int
		mov	ecx, edi	; int
		call	_ViDeadlockRemoveResource@12 ; ViDeadlockRemoveResource(x,x,x)
		mov	eax, [ebp+arg_8]
		mov	[eax], edi

loc_A692F2:				; CODE XREF: ViDeadlockAddResource(x,x,x,x,x,x)+27j
		mov	eax, large fs:124h
		cmp	ebx, [eax+20h]
		jnb	short loc_A69306
		cmp	ebx, [eax+24h]
		ja	loc_A69389

loc_A69306:				; CODE XREF: ViDeadlockAddResource(x,x,x,x,x,x)+B7j
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jz	short loc_A69389
		xor	eax, eax
		mov	[ecx+0Ch], esi
		mov	[ecx+4], eax
		lea	edi, [ecx+20h]
		mov	eax, [ebp+var_4]
		xor	edx, edx
		mov	[ecx], eax
		lea	eax, [ecx+10h]
		mov	[ecx+40h], esi
		mov	[ecx+60h], esi
		mov	esi, [ebp+arg_4]
		mov	[ecx+8], ebx
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, ebx
		push	8
		pop	ecx
		rep movsd
		shr	eax, 0Ch
		mov	ecx, 3FFh
		div	ecx
		mov	esi, ds:_ViDeadlockGlobals
		mov	eax, [esi+10h]
		lea	ecx, [eax+edx*8]
		mov	eax, [ebp+arg_0]
		mov	edi, [ecx]
		add	eax, 18h
		cmp	[edi+4], ecx
		jz	short loc_A69362
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A69362:				; CODE XREF: ViDeadlockAddResource(x,x,x,x,x,x)+117j
		mov	[eax+4], ecx
		add	edx, 3
		mov	[eax], edi
		mov	[edi+4], eax
		mov	[ecx], eax
		mov	eax, [ebp+var_4]
		lea	ecx, [esi+edx*8]
		mov	edx, ebx
		push	ds:_ViDeadlockResourceTypeSizeInfo[eax*4]
		call	_VfUtilAddressRangeAdd@12 ; VfUtilAddressRangeAdd(x,x,x)
		inc	dword ptr [esi+14h]
		xor	esi, esi
		inc	esi

loc_A69389:				; CODE XREF: ViDeadlockAddResource(x,x,x,x,x,x)+BCj
					; ViDeadlockAddResource(x,x,x,x,x,x)+C7j
		pop	edi
		mov	eax, esi
		pop	esi
		jmp	short loc_A69391
; 

loc_A6938F:				; CODE XREF: ViDeadlockAddResource(x,x,x,x,x,x)+11j
		xor	eax, eax

loc_A69391:				; CODE XREF: ViDeadlockAddResource(x,x,x,x,x,x)+149j
		pop	ebx
		leave
		retn	10h
_ViDeadlockAddResource@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockAddThread(x, x)
_ViDeadlockAddThread@8 proc near	; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+163p
					; VfDeadlockBeforeCallDriver(x)+92p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, edx
		xor	eax, eax
		push	edi
		mov	edi, ecx
		test	esi, esi
		jz	short loc_A69415
		mov	[esi+4], eax
		xor	edx, edx
		mov	[esi+8], eax
		mov	ecx, 3FFh
		mov	[esi+14h], eax
		mov	[esi+18h], eax
		mov	[esi+1Ch], al
		mov	eax, edi
		shr	eax, 0Ch
		div	ecx
		push	ebx
		mov	ebx, ds:_ViDeadlockGlobals
		mov	ecx, edx
		mov	[esi], edi
		mov	[ebp+var_4], ecx
		mov	eax, [ebx+2010h]
		lea	ecx, [eax+ecx*8]
		mov	edx, [ecx]
		lea	eax, [esi+0Ch]
		cmp	[edx+4], ecx
		jz	short loc_A693EB
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A693EB:				; CODE XREF: ViDeadlockAddThread(x,x)+4Ej
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		mov	edx, edi
		mov	[ecx], eax
		mov	eax, [ebp+var_4]
		add	eax, 403h
		push	4E0h
		lea	ecx, [ebx+eax*8]
		call	_VfUtilAddressRangeAdd@12 ; VfUtilAddressRangeAdd(x,x,x)
		inc	dword ptr [ebx+2014h]
		mov	eax, esi
		pop	ebx

loc_A69415:				; CODE XREF: ViDeadlockAddThread(x,x)+10j
		pop	edi
		pop	esi
		leave
		retn
_ViDeadlockAddThread@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViDeadlockAllocate(x)
_ViDeadlockAllocate@4 proc near		; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+CDp
					; VfDeadlockAcquireResource(x,x,x,x,x)+D8p ...
		sub	ecx, 1
		jz	short loc_A69439
		sub	ecx, 1
		jz	short loc_A69432
		sub	ecx, 1
		jz	short loc_A6942B
		xor	eax, eax
		retn
; 

loc_A6942B:				; CODE XREF: ViDeadlockAllocate(x)+Dj
		mov	ecx, offset _ViDeadlockThreadLookaside
		jmp	short loc_A6943E
; 

loc_A69432:				; CODE XREF: ViDeadlockAllocate(x)+8j
		mov	ecx, offset _ViDeadlockNodeLookaside
		jmp	short loc_A6943E
; 

loc_A69439:				; CODE XREF: ViDeadlockAllocate(x)+3j
		mov	ecx, offset _ViDeadlockResourceLookaside

loc_A6943E:				; CODE XREF: ViDeadlockAllocate(x)+17j
					; ViDeadlockAllocate(x)+1Ej
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		test	eax, eax
		jnz	short locret_A6945B
		or	ds:_ViDeadlockState, 1
		mov	ecx, ds:_ViDeadlockGlobals
		lock inc dword ptr [ecx+4010h]

locret_A6945B:				; CODE XREF: ViDeadlockAllocate(x)+2Cj
		retn
_ViDeadlockAllocate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockAnalyze(x, x, x, x, x)
_ViDeadlockAnalyze@20 proc near		; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+319p
					; ViDeadlockAnalyze(x,x,x,x,x)+148p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, ecx
		mov	esi, edx
		mov	[esp+20h+var_10], ebx
		cmp	[ebp+arg_0], edi
		jz	short loc_A694C2
		mov	ecx, ds:_ViDeadlockGlobals
		inc	dword ptr [ecx+4024h]
		cmp	dword ptr [ecx+4024h], 3FFFFFFEh
		mov	[ecx+401Ch], edi
		mov	[ecx+4058h], edi
		mov	[ecx+4054h], edi
		jnz	short loc_A694AA
		or	ds:_ViDeadlockState, 8

loc_A694AA:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+45j
		lea	eax, [ecx+40E8h]
		lea	edx, [ecx+40E4h]
		add	ecx, 40E0h
		push	eax
		call	_KeQueryCurrentStackInformation@12 ; KeQueryCurrentStackInformation(x,x,x)

loc_A694C2:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+1Bj
		mov	edx, ds:_ViDeadlockGlobals
		mov	eax, [esi+24h]
		shr	eax, 3
		mov	ecx, [edx+4024h]
		cmp	eax, ecx
		jnz	short loc_A694DF

loc_A694D8:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+A8j
					; ViDeadlockAnalyze(x,x,x,x,x)+BEj ...
		xor	eax, eax
		jmp	loc_A69654
; 

loc_A694DF:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+7Aj
		inc	dword ptr [edx+401Ch]
		mov	eax, [esi+24h]
		and	eax, 7
		shl	ecx, 3
		or	ecx, eax
		mov	eax, [ebp+arg_4]
		mov	[esi+24h], ecx
		cmp	eax, [edx+4028h]
		jbe	short loc_A69506
		inc	dword ptr [edx+4030h]
		jmp	short loc_A694D8
; 

loc_A69506:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+A0j
		mov	eax, [edx+401Ch]
		cmp	eax, [edx+402Ch]
		jb	short loc_A6951C
		inc	dword ptr [edx+4034h]
		jmp	short loc_A694D8
; 

loc_A6951C:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+B6j
		call	_KeGetCurrentStackPointer@0 ; KeGetCurrentStackPointer()
		mov	ecx, ds:_ViDeadlockGlobals
		sub	eax, [ecx+40E4h]
		cmp	eax, 818h
		ja	short loc_A6953C
		inc	dword ptr [ecx+4038h]
		jmp	short loc_A694D8
; 

loc_A6953C:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+D6j
		mov	eax, [esi+1Ch]
		cmp	ebx, [eax+8]
		jnz	short loc_A69559
		test	byte ptr [esi+24h], 4
		jnz	short loc_A69559
		xor	edi, edi
		mov	ecx, esi
		inc	edi
		call	_ViDeadlockAddParticipant@4 ; ViDeadlockAddParticipant(x)
		jmp	loc_A695DF
; 

loc_A69559:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+E6j
					; ViDeadlockAnalyze(x,x,x,x,x)+ECj
		add	eax, 10h
		mov	[esp+20h+var_C], eax
		mov	ebx, [eax]
		cmp	ebx, eax
		jz	loc_A69633

loc_A6956A:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+15Dj
		mov	eax, ds:_ViDeadlockGlobals
		lea	edx, [ebx-14h]
		mov	[esp+20h+var_8], edx
		mov	ecx, [eax+4024h]
		mov	eax, [edx+24h]
		shl	ecx, 3
		and	eax, 7
		or	ecx, eax
		mov	[edx+24h], ecx
		mov	ecx, [edx]
		test	ecx, ecx
		jz	short loc_A695B3
		mov	eax, [ebp+arg_4]
		cmp	edx, esi
		jz	short loc_A69598
		inc	eax

loc_A69598:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+139j
		push	[ebp+arg_8]
		mov	edx, ecx
		mov	ecx, [esp+24h+var_10]
		push	eax
		push	0
		call	_ViDeadlockAnalyze@20 ;	ViDeadlockAnalyze(x,x,x,x,x)
		mov	[esp+20h+var_4], eax
		mov	edi, eax
		test	eax, eax
		jnz	short loc_A695BD

loc_A695B3:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+132j
		mov	ebx, [ebx]
		cmp	ebx, [esp+20h+var_C]
		jnz	short loc_A6956A
		jmp	short loc_A695D7
; 

loc_A695BD:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+155j
		mov	ecx, [esp+20h+var_8]
		call	_ViDeadlockAddParticipant@4 ; ViDeadlockAddParticipant(x)
		mov	ebx, [esp+20h+var_4]
		mov	edi, ebx
		cmp	ecx, esi
		jz	short loc_A695D7
		mov	ecx, esi
		call	_ViDeadlockAddParticipant@4 ; ViDeadlockAddParticipant(x)

loc_A695D7:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+15Fj
					; ViDeadlockAnalyze(x,x,x,x,x)+172j
		test	edi, edi
		jz	short loc_A69633
		mov	ebx, [esp+20h+var_10]

loc_A695DF:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+F8j
		cmp	[ebp+arg_0], 0
		jz	short loc_A69652
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViDeadlockCertify@8 ; ViDeadlockCertify(x,x)
		test	eax, eax
		jz	short loc_A69631
		mov	eax, ds:_ViDeadlockGlobals
		mov	edi, offset unk_6B68A0
		push	0		; int
		push	esi		; int
		push	ebx		; int
		push	1001h		; int
		mov	edx, offset ??_C@_0DF@NCFOMPGE@Type?5?$CBdeadlock?5in?5the?5debugger?5@JKADOLAD@ ; int
		mov	[eax+4054h], ebx
		mov	ecx, edi	; int
		call	_ViDeadlockPreprocessOptions@24	; ViDeadlockPreprocessOptions(x,x,x,x,x,x)
		push	edi		; int
		push	0		; int
		push	esi		; int
		push	ebx		; int
		mov	edx, 1001h	; int
		mov	ecx, 0C4h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		jmp	loc_A694D8
; 

loc_A69631:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+195j
		xor	edi, edi

loc_A69633:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+108j
					; ViDeadlockAnalyze(x,x,x,x,x)+17Dj
		cmp	[ebp+arg_0], 0
		jz	short loc_A69652
		mov	eax, ds:_ViDeadlockGlobals
		mov	ecx, [eax+401Ch]
		cmp	ecx, [eax+4020h]
		jbe	short loc_A69652
		mov	[eax+4020h], ecx

loc_A69652:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+187j
					; ViDeadlockAnalyze(x,x,x,x,x)+1DBj ...
		mov	eax, edi

loc_A69654:				; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+7Ej
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_ViDeadlockAnalyze@20 endp


;  S U B	R O U T	I N E 


; __stdcall ViDeadlockCanProceed(x, x)
_ViDeadlockCanProceed@8	proc near	; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+7Bp
					; VfDeadlockDeleteMemoryRange(x,x)+11p	...
		cmp	ds:_ViDeadlockDetectionEnabled,	0
		push	esi
		mov	esi, ecx
		jz	short loc_A696AE
		cmp	ds:_KeNumberProcessors,	4
		ja	short loc_A696AE
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	short loc_A696AE
		call	_KeAreInterruptsEnabled@0 ; KeAreInterruptsEnabled()
		test	al, al
		jz	short loc_A696AE
		cmp	ds:_ViDeadlockGlobals, 0
		jz	short loc_A696AE
		call	_ViDeadlockCheckStackLimits@0 ;	ViDeadlockCheckStackLimits()
		cmp	esi, offset _ViDeadlockDatabaseLock
		jz	short loc_A696AE
		mov	eax, _ViDeadlockDatabaseOwner
		cmp	eax, large fs:124h
		jz	short loc_A696AE
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_A696AE:				; CODE XREF: ViDeadlockCanProceed(x,x)+Aj
					; ViDeadlockCanProceed(x,x)+13j ...
		xor	eax, eax
		pop	esi
		retn
_ViDeadlockCanProceed@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockCertify(x, x)
_ViDeadlockCertify@8 proc near		; CODE XREF: ViDeadlockAnalyze(x,x,x,x,x)+18Ep

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ds:_VfWin32kDllBase
		push	edi
		test	esi, esi
		jz	short loc_A696E3
		cmp	esi, ecx
		ja	short loc_A696E3
		mov	eax, ds:_VfWin32kSizeOfImage
		add	eax, esi
		cmp	eax, ecx
		jbe	short loc_A696E3
		mov	eax, [edx+20h]
		cmp	byte ptr [eax+1Ch], 0
		jnz	loc_A69883

loc_A696E3:				; CODE XREF: ViDeadlockCertify(x,x)+13j
					; ViDeadlockCertify(x,x)+17j ...
		mov	ebx, ds:_ViDeadlockGlobals
		mov	[ebp+var_4], ebx
		mov	edx, [ebx+4058h]
		cmp	edx, 3
		jb	loc_A697D1
		mov	eax, [ebx+4060h]
		push	5
		mov	esi, [eax+1Ch]
		mov	eax, [ebx+405Ch]
		mov	eax, [eax+1Ch]
		mov	edi, [eax]
		pop	eax
		mov	[ebp+var_8], edi
		cmp	edi, eax
		jnz	short loc_A69720
		mov	edi, [esi]
		cmp	edi, 6
		jz	short loc_A69730

loc_A69720:				; CODE XREF: ViDeadlockCertify(x,x)+65j
		mov	esi, [esi]
		cmp	esi, eax
		jnz	short loc_A6978C
		cmp	[ebp+var_8], 6
		mov	edi, eax
		mov	esi, eax
		jnz	short loc_A6978C

loc_A69730:				; CODE XREF: ViDeadlockCertify(x,x)+6Cj
		mov	esi, ds:_VfTcpIpDllBase
		test	esi, esi
		jz	short loc_A6974D
		cmp	esi, ecx
		ja	short loc_A6974D
		mov	eax, ds:_VfTcpIpSizeOfImage
		add	eax, esi
		cmp	eax, ecx
		ja	loc_A69883

loc_A6974D:				; CODE XREF: ViDeadlockCertify(x,x)+86j
					; ViDeadlockCertify(x,x)+8Aj
		mov	esi, ds:_VfTdxDllBase
		test	esi, esi
		jz	short loc_A6976A
		cmp	esi, ecx
		ja	short loc_A6976A
		mov	eax, ds:_VfTdxSizeOfImage
		add	eax, esi
		cmp	eax, ecx
		ja	loc_A69883

loc_A6976A:				; CODE XREF: ViDeadlockCertify(x,x)+A3j
					; ViDeadlockCertify(x,x)+A7j
		mov	ebx, ds:_VfMrxsmbDllBase
		mov	esi, edi
		test	ebx, ebx
		jz	short loc_A69789
		cmp	ebx, ecx
		ja	short loc_A69789
		mov	eax, ds:_VfMrxsmbSizeOfImage
		add	eax, ebx
		cmp	eax, ecx
		ja	loc_A69883

loc_A69789:				; CODE XREF: ViDeadlockCertify(x,x)+C2j
					; ViDeadlockCertify(x,x)+C6j
		mov	ebx, [ebp+var_4]

loc_A6978C:				; CODE XREF: ViDeadlockCertify(x,x)+72j
					; ViDeadlockCertify(x,x)+7Cj
		cmp	[ebp+var_8], 1
		jnz	short loc_A697D1
		cmp	esi, 1
		jnz	short loc_A697D1
		mov	esi, ds:_VfTmDllBase
		test	esi, esi
		jz	short loc_A697B4
		cmp	esi, ecx
		ja	short loc_A697B4
		mov	eax, ds:_VfTmSizeOfImage
		add	eax, esi
		cmp	eax, ecx
		ja	loc_A69883

loc_A697B4:				; CODE XREF: ViDeadlockCertify(x,x)+EDj
					; ViDeadlockCertify(x,x)+F1j
		mov	esi, ds:_VfKsDllBase
		test	esi, esi
		jz	short loc_A697D1
		cmp	esi, ecx
		ja	short loc_A697D1
		mov	eax, ds:_VfKsSizeOfImage
		add	eax, esi
		cmp	eax, ecx
		ja	loc_A69883

loc_A697D1:				; CODE XREF: ViDeadlockCertify(x,x)+43j
					; ViDeadlockCertify(x,x)+DEj ...
		xor	edi, edi
		inc	edi
		cmp	edx, edi
		jbe	loc_A69870
		lea	esi, [ebx+405Ch]

loc_A697E2:				; CODE XREF: ViDeadlockCertify(x,x)+153j
		mov	eax, [esi+4]
		mov	ebx, [esi]
		mov	eax, [eax+1Ch]
		mov	ecx, [ebx+1Ch]
		mov	eax, [eax+8]
		cmp	eax, [ecx+8]
		jnz	short loc_A697FF
		test	byte ptr [ebx+24h], 2
		jnz	loc_A69883

loc_A697FF:				; CODE XREF: ViDeadlockCertify(x,x)+141j
		inc	edi
		add	esi, 4
		cmp	edi, edx
		jb	short loc_A697E2
		cmp	edx, 1
		jbe	short loc_A69870
		mov	esi, ds:_ViDeadlockGlobals
		add	esi, 405Ch
		lea	esi, [esi+edx*4]

loc_A6981B:				; CODE XREF: ViDeadlockCertify(x,x)+1BCj
		dec	edx
		sub	esi, 4
		mov	[ebp+var_4], esi
		mov	eax, [esi]
		mov	ecx, [eax]
		jmp	short loc_A69867
; 

loc_A69828:				; CODE XREF: ViDeadlockCertify(x,x)+1B7j
		lea	ebx, [edx-1]
		test	ebx, ebx
		jz	short loc_A69865
		lea	eax, [esi-4]

loc_A69832:				; CODE XREF: ViDeadlockCertify(x,x)+1B1j
		sub	eax, 4
		dec	ebx
		mov	[ebp+var_C], eax
		mov	eax, [eax]
		mov	edi, [eax]
		test	edi, edi
		jz	short loc_A6985E
		mov	eax, [ecx+1Ch]
		mov	eax, [eax+8]
		mov	[ebp+var_8], eax

loc_A6984A:				; CODE XREF: ViDeadlockCertify(x,x)+1AAj
		mov	eax, [edi+1Ch]
		mov	esi, [ebp+var_8]
		cmp	[eax+8], esi
		mov	esi, [ebp+var_4]
		jz	short loc_A69878
		mov	edi, [edi]
		test	edi, edi
		jnz	short loc_A6984A

loc_A6985E:				; CODE XREF: ViDeadlockCertify(x,x)+18Dj
		mov	eax, [ebp+var_C]
		test	ebx, ebx
		jnz	short loc_A69832

loc_A69865:				; CODE XREF: ViDeadlockCertify(x,x)+17Bj
		mov	ecx, [ecx]

loc_A69867:				; CODE XREF: ViDeadlockCertify(x,x)+174j
		test	ecx, ecx
		jnz	short loc_A69828
		cmp	edx, 1
		ja	short loc_A6981B

loc_A69870:				; CODE XREF: ViDeadlockCertify(x,x)+124j
					; ViDeadlockCertify(x,x)+158j
		xor	eax, eax
		inc	eax

loc_A69873:				; CODE XREF: ViDeadlockCertify(x,x)+1D3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A69878:				; CODE XREF: ViDeadlockCertify(x,x)+1A4j
		mov	eax, ds:_ViDeadlockGlobals
		inc	dword ptr [eax+403Ch]

loc_A69883:				; CODE XREF: ViDeadlockCertify(x,x)+2Bj
					; ViDeadlockCertify(x,x)+95j ...
		xor	eax, eax
		jmp	short loc_A69873
_ViDeadlockCertify@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockCheckDuplicatesAmongChildren(x, x, x)
_ViDeadlockCheckDuplicatesAmongChildren@12 proc	near
					; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+331p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		lea	edi, [ecx+4]
		mov	esi, [edi]
		xor	ebx, ebx
		mov	[ebp+var_4], eax
		jmp	short loc_A698C5
; 

loc_A6989E:				; CODE XREF: ViDeadlockCheckDuplicatesAmongChildren(x,x,x)+40j
		lea	ecx, [esi-0Ch]
		mov	edx, eax
		mov	esi, [esi]
		call	_ViDeadlockSimilarNodes@8 ; ViDeadlockSimilarNodes(x,x)
		test	eax, eax
		jz	short loc_A698C2
		test	ebx, ebx
		jnz	short loc_A698B5
		inc	ebx
		jmp	short loc_A698C2
; 

loc_A698B5:				; CODE XREF: ViDeadlockCheckDuplicatesAmongChildren(x,x,x)+29j
		push	[ebp+arg_0]
		mov	edx, ecx
		mov	ecx, [ebp+var_4]
		call	_ViDeadlockMergeNodes@12 ; ViDeadlockMergeNodes(x,x,x)

loc_A698C2:				; CODE XREF: ViDeadlockCheckDuplicatesAmongChildren(x,x,x)+25j
					; ViDeadlockCheckDuplicatesAmongChildren(x,x,x)+2Cj
		mov	eax, [ebp+var_4]

loc_A698C5:				; CODE XREF: ViDeadlockCheckDuplicatesAmongChildren(x,x,x)+15j
		cmp	esi, edi
		jnz	short loc_A6989E
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ViDeadlockCheckDuplicatesAmongChildren@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockCheckDuplicatesAmongRoots(x, x)
_ViDeadlockCheckDuplicatesAmongRoots@8 proc near
					; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+406p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	[ebp+var_8], edx
		xor	ebx, ebx
		mov	edx, ecx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	edi, [edx+1Ch]
		add	edi, 10h
		mov	esi, [edi]
		jmp	short loc_A69918
; 

loc_A698EE:				; CODE XREF: ViDeadlockCheckDuplicatesAmongRoots(x,x)+4Aj
		lea	ecx, [esi-14h]
		mov	esi, [esi]
		cmp	dword ptr [ecx], 0
		jnz	short loc_A69918
		call	_ViDeadlockSimilarNodes@8 ; ViDeadlockSimilarNodes(x,x)
		test	eax, eax
		jz	short loc_A69918
		test	ebx, ebx
		jnz	short loc_A69908
		inc	ebx
		jmp	short loc_A69918
; 

loc_A69908:				; CODE XREF: ViDeadlockCheckDuplicatesAmongRoots(x,x)+33j
		push	[ebp+var_8]
		mov	edx, ecx
		mov	ecx, [ebp+var_4]
		call	_ViDeadlockMergeNodes@12 ; ViDeadlockMergeNodes(x,x,x)
		mov	edx, [ebp+var_4]

loc_A69918:				; CODE XREF: ViDeadlockCheckDuplicatesAmongRoots(x,x)+1Cj
					; ViDeadlockCheckDuplicatesAmongRoots(x,x)+26j	...
		cmp	esi, edi
		jnz	short loc_A698EE
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViDeadlockCheckDuplicatesAmongRoots@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockCheckStackLimits()
_ViDeadlockCheckStackLimits@0 proc near	; CODE XREF: ViDeadlockCanProceed(x,x)+31p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi		; char
		xor	esi, esi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	IoGetStackLimits
		mov	eax, [ebp+var_4]
		cmp	eax, [ebp+var_8]
		jb	short loc_A69955
		mov	eax, [ebp+var_4]
		cmp	eax, [ebp+var_C]
		jbe	short loc_A69980

loc_A69955:				; CODE XREF: ViDeadlockCheckStackLimits()+2Aj
		cmp	_VfVerifyMode, 2
		jle	short loc_A69980
		cmp	ds:_ViStackSwitchAlreadyReported, esi
		jnz	short loc_A69980
		push	offset ??_C@_0DL@FIPDGFLD@DVRF?3?5Driver?5switched?5stacks?5us@JKADOLAD@ ; char	*
		push	esi		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		mov	ds:_ViStackSwitchAlreadyReported, 1

loc_A69980:				; CODE XREF: ViDeadlockCheckStackLimits()+32j
					; ViDeadlockCheckStackLimits()+3Bj ...
		pop	esi
		leave
		retn
_ViDeadlockCheckStackLimits@0 endp


;  S U B	R O U T	I N E 


; __stdcall ViDeadlockDatabaseHashIndex(x)
_ViDeadlockDatabaseHashIndex@4 proc near
					; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+18p
					; ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+15p
		shr	ecx, 0Ch
		xor	edx, edx
		mov	eax, ecx
		mov	ecx, 3FFh
		div	ecx
		mov	eax, edx
		retn
_ViDeadlockDatabaseHashIndex@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViDeadlockDetectionApplySettings()
_ViDeadlockDetectionApplySettings@0 proc near ;	CODE XREF: VfDeadlockInitialize(x,x)+1E2j
					; VfSettingsCheckForChanges(x,x,x,x)+39p ...
		mov	edi, edi
		push	ecx
		test	byte ptr _MmVerifierData, 20h
		push	ebx
		push	esi
		jz	short loc_A699C9
		call	_ViRaiseIrqlToDpcLevel@0 ; ViRaiseIrqlToDpcLevel()
		xor	esi, esi
		mov	bl, al
		inc	esi
		mov	ecx, esi
		call	_ViDeadlockDetectionLock@4 ; ViDeadlockDetectionLock(x)
		mov	ecx, esi
		mov	ds:_ViDeadlockDetectionEnabled,	esi
		call	_ViDeadlockDetectionUnlock@4 ; ViDeadlockDetectionUnlock(x)
		mov	cl, bl
		call	_ViLowerIrql@4	; ViLowerIrql(x)
		jmp	short loc_A699CE
; 

loc_A699C9:				; CODE XREF: ViDeadlockDetectionApplySettings()+Cj
		call	_ViDeadlockEmptyDatabase@0 ; ViDeadlockEmptyDatabase()

loc_A699CE:				; CODE XREF: ViDeadlockDetectionApplySettings()+33j
		pop	esi
		pop	ebx
		pop	ecx
		retn
_ViDeadlockDetectionApplySettings@0 endp


;  S U B	R O U T	I N E 


; __stdcall ViDeadlockDetectionLock(x)
_ViDeadlockDetectionLock@4 proc	near	; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+34p
					; ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+31p ...
		push	offset _ViDeadlockDatabaseLock
		test	ecx, ecx
		jnz	short loc_A699E1
		call	ExAcquireSpinLockSharedAtDpcLevel
		retn
; 

loc_A699E1:				; CODE XREF: ViDeadlockDetectionLock(x)+7j
		call	ExAcquireSpinLockExclusiveAtDpcLevel
		mov	eax, large fs:124h
		mov	_ViDeadlockDatabaseOwner, eax
		retn
_ViDeadlockDetectionLock@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViDeadlockDetectionUnlock(x)
_ViDeadlockDetectionUnlock@4 proc near	; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+A8p
					; ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+B4p ...
		mov	edi, edi
		push	ecx
		push	offset _ViDeadlockDatabaseLock
		test	ecx, ecx
		jnz	short loc_A69A05
		call	ExReleaseSpinLockSharedFromDpcLevel
		pop	ecx
		retn
; 

loc_A69A05:				; CODE XREF: ViDeadlockDetectionUnlock(x)+Aj
		and	_ViDeadlockDatabaseOwner, 0
		call	ExReleaseSpinLockExclusiveFromDpcLevel
		pop	ecx
		retn
_ViDeadlockDetectionUnlock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockEmptyDatabase()
_ViDeadlockEmptyDatabase@0 proc	near	; CODE XREF: ViDeadlockDetectionApplySettings():loc_A699C9p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_C], ebx
		call	_ViRaiseIrqlToDpcLevel@0 ; ViRaiseIrqlToDpcLevel()
		xor	ecx, ecx
		mov	[ebp+var_1], al
		inc	ecx
		call	_ViDeadlockDetectionLock@4 ; ViDeadlockDetectionLock(x)
		mov	ecx, ds:_ViDeadlockGlobals
		mov	ds:_ViDeadlockDetectionEnabled,	edi
		test	ecx, ecx
		jz	loc_A69AE1
		mov	edx, [ecx+10h]

loc_A69A4F:				; CODE XREF: ViDeadlockEmptyDatabase()+7Dj
		lea	eax, [ebx+edx]
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_A69A87

loc_A69A58:				; CODE XREF: ViDeadlockEmptyDatabase()+6Fj
		lea	esi, [ecx-18h]
		xor	edx, edx
		mov	ecx, [ecx]
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], ecx
		inc	edx		; int
		push	eax		; int
		mov	ecx, esi	; int
		call	_ViDeadlockRemoveResource@12 ; ViDeadlockRemoveResource(x,x,x)
		mov	eax, ds:_ViDeadlockGlobals
		mov	ecx, [ebp+var_8]
		mov	[esi], edi
		mov	edi, esi
		mov	edx, [eax+10h]
		lea	eax, [ebx+edx]
		cmp	ecx, eax
		jnz	short loc_A69A58
		mov	[ebp+var_8], edi

loc_A69A87:				; CODE XREF: ViDeadlockEmptyDatabase()+43j
		add	ebx, 8
		cmp	ebx, 1FF8h
		jb	short loc_A69A4F
		mov	eax, ds:_ViDeadlockGlobals
		xor	edi, edi
		mov	ebx, edi
		mov	edx, [eax+2010h]

loc_A69AA1:				; CODE XREF: ViDeadlockEmptyDatabase()+C9j
		lea	eax, [ebx+edx]
		mov	ecx, [eax]
		jmp	short loc_A69ACF
; 

loc_A69AA8:				; CODE XREF: ViDeadlockEmptyDatabase()+BEj
		lea	esi, [ecx-0Ch]
		xor	edx, edx
		mov	ecx, [ecx]
		inc	edx
		mov	[ebp+var_10], ecx
		mov	ecx, esi	; int
		call	_ViDeadlockRemoveThread@8 ; ViDeadlockRemoveThread(x,x)
		mov	eax, ds:_ViDeadlockGlobals
		mov	ecx, [ebp+var_10]
		mov	[esi], edi
		mov	edi, esi
		mov	edx, [eax+2010h]
		lea	eax, [ebx+edx]

loc_A69ACF:				; CODE XREF: ViDeadlockEmptyDatabase()+93j
		cmp	ecx, eax
		jnz	short loc_A69AA8
		add	ebx, 8
		cmp	ebx, 1FF8h
		jb	short loc_A69AA1
		mov	ebx, [ebp+var_C]

loc_A69AE1:				; CODE XREF: ViDeadlockEmptyDatabase()+33j
		xor	ecx, ecx
		inc	ecx
		call	_ViDeadlockDetectionUnlock@4 ; ViDeadlockDetectionUnlock(x)
		mov	cl, [ebp+var_1]
		call	_ViLowerIrql@4	; ViLowerIrql(x)
		test	edi, edi
		jz	short loc_A69B07

loc_A69AF5:				; CODE XREF: ViDeadlockEmptyDatabase()+F2j
		mov	esi, [edi]
		mov	ecx, edi
		push	3
		pop	edx
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_A69AF5

loc_A69B07:				; CODE XREF: ViDeadlockEmptyDatabase()+E0j
		test	ebx, ebx
		jz	short loc_A69B1D

loc_A69B0B:				; CODE XREF: ViDeadlockEmptyDatabase()+108j
		mov	esi, [ebx]
		mov	ecx, ebx
		push	2
		pop	edx
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)
		mov	ebx, esi
		test	esi, esi
		jnz	short loc_A69B0B

loc_A69B1D:				; CODE XREF: ViDeadlockEmptyDatabase()+F6j
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_A69B36

loc_A69B24:				; CODE XREF: ViDeadlockEmptyDatabase()+121j
		mov	esi, [eax]
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		call	_ViDeadlockFree@8 ; ViDeadlockFree(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_A69B24

loc_A69B36:				; CODE XREF: ViDeadlockEmptyDatabase()+10Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViDeadlockEmptyDatabase@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockForgetResourceHistory(x, x, x, x)
_ViDeadlockForgetResourceHistory@16 proc near ;	CODE XREF: ViDeadlockTrimResources(x,x)+27p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], ebx
		mov	edx, edi
		mov	[ebp+var_4], edx
		cmp	[ebx+0Ch], edi
		jnz	loc_A69C26
		cmp	word ptr [ebx+4], 100h
		jb	loc_A69C26
		mov	eax, ds:_ViDeadlockGlobals
		push	esi
		lea	esi, [ebx+10h]
		mov	eax, [eax+4024h]
		mov	[ebp+var_8], eax
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_A69BD4
		mov	edi, [ebp+arg_4]
		mov	ebx, eax

loc_A69B83:				; CODE XREF: ViDeadlockForgetResourceHistory(x,x,x,x)+92j
		lea	eax, [ebx-14h]
		mov	ebx, [ebx]
		mov	ecx, [eax+24h]
		shr	ecx, 3
		mov	[ebp+var_C], eax
		cmp	[ebp+var_8], ecx
		jbe	short loc_A69BA7
		mov	eax, [ebp+var_8]
		sub	eax, ecx
		cmp	eax, 2000h
		jbe	short loc_A69BCB
		mov	ecx, [ebp+var_C]
		jmp	short loc_A69BB4
; 

loc_A69BA7:				; CODE XREF: ViDeadlockForgetResourceHistory(x,x,x,x)+59j
		sub	ecx, [ebp+var_8]
		cmp	ecx, 2000h
		jnb	short loc_A69BCB
		mov	ecx, eax

loc_A69BB4:				; CODE XREF: ViDeadlockForgetResourceHistory(x,x,x,x)+6Aj
		xor	edx, edx
		call	_ViDeadlockRemoveNode@8	; ViDeadlockRemoveNode(x,x)
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_4]
		mov	eax, [edi]
		inc	edx
		mov	[edi], ecx
		mov	[ecx], eax
		mov	[ebp+var_4], edx

loc_A69BCB:				; CODE XREF: ViDeadlockForgetResourceHistory(x,x,x,x)+65j
					; ViDeadlockForgetResourceHistory(x,x,x,x)+75j
		cmp	ebx, esi
		jnz	short loc_A69B83
		mov	ebx, [ebp+var_10]
		xor	edi, edi

loc_A69BD4:				; CODE XREF: ViDeadlockForgetResourceHistory(x,x,x,x)+41j
		mov	eax, ds:_ViDeadlockGlobals
		add	[eax+4014h], edx
		cmp	word ptr [ebx+4], 100h
		jb	short loc_A69C25
		mov	ecx, [esi]
		cmp	ecx, esi
		jz	short loc_A69C1A

loc_A69BED:				; CODE XREF: ViDeadlockForgetResourceHistory(x,x,x,x)+DDj
		cmp	word ptr [ebx+4], 100h
		jb	short loc_A69C1A
		lea	esi, [ecx-14h]
		xor	edx, edx
		mov	ecx, [ecx]
		mov	[ebp+var_10], ecx
		mov	ecx, esi
		call	_ViDeadlockRemoveNode@8	; ViDeadlockRemoveNode(x,x)
		mov	ecx, [ebp+arg_4]
		inc	edi
		mov	eax, [ecx]
		mov	[esi], eax
		lea	eax, [ebx+10h]
		mov	[ecx], esi
		mov	ecx, [ebp+var_10]
		cmp	ecx, eax
		jnz	short loc_A69BED

loc_A69C1A:				; CODE XREF: ViDeadlockForgetResourceHistory(x,x,x,x)+B0j
					; ViDeadlockForgetResourceHistory(x,x,x,x)+B8j
		mov	eax, ds:_ViDeadlockGlobals
		add	[eax+4018h], edi

loc_A69C25:				; CODE XREF: ViDeadlockForgetResourceHistory(x,x,x,x)+AAj
		pop	esi

loc_A69C26:				; CODE XREF: ViDeadlockForgetResourceHistory(x,x,x,x)+19j
					; ViDeadlockForgetResourceHistory(x,x,x,x)+25j
		pop	edi
		pop	ebx
		leave
		retn	8
_ViDeadlockForgetResourceHistory@16 endp


;  S U B	R O U T	I N E 


; __stdcall ViDeadlockFree(x, x)
_ViDeadlockFree@8 proc near		; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+D8p
					; ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+EEp ...
		sub	edx, 1
		jz	short loc_A69C50
		sub	edx, 1
		jz	short loc_A69C47
		sub	edx, 1
		jnz	short locret_A69C59
		mov	edx, ecx
		mov	ecx, offset _ViDeadlockThreadLookaside

loc_A69C42:				; CODE XREF: ViDeadlockFree(x,x)+22j
					; ViDeadlockFree(x,x)+2Bj
		jmp	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
; 

loc_A69C47:				; CODE XREF: ViDeadlockFree(x,x)+8j
		mov	edx, ecx
		mov	ecx, offset _ViDeadlockNodeLookaside
		jmp	short loc_A69C42
; 

loc_A69C50:				; CODE XREF: ViDeadlockFree(x,x)+3j
		mov	edx, ecx
		mov	ecx, offset _ViDeadlockResourceLookaside
		jmp	short loc_A69C42
; 

locret_A69C59:				; CODE XREF: ViDeadlockFree(x,x)+Dj
		retn
_ViDeadlockFree@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockKernelVerifierLookasideAllocate(x, x, x)
_ViDeadlockKernelVerifierLookasideAllocate@12 proc near
					; DATA XREF: VfDeadlockInitialize(x,x)+FDo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr ds:_ViDeadlockState, 2
		jz	short loc_A69C6E
		xor	eax, eax
		pop	ebp
		retn	0Ch
; 

loc_A69C6E:				; CODE XREF: ViDeadlockKernelVerifierLookasideAllocate(x,x,x)+Cj
		pop	ebp
		jmp	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
_ViDeadlockKernelVerifierLookasideAllocate@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockMergeNodes(x, x, x)
_ViDeadlockMergeNodes@12 proc near	; CODE XREF: ViDeadlockCheckDuplicatesAmongChildren(x,x,x)+36p
					; ViDeadlockCheckDuplicatesAmongRoots(x,x)+40p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	eax, [ebx+20h]
		mov	[ebp+var_4], edi
		test	eax, eax
		jz	short loc_A69CAB
		mov	[edi+20h], eax
		lea	esi, [ebx+2Ch]
		add	edi, 2Ch
		push	8
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_4]
		lea	esi, [ebx+4Ch]
		push	8
		add	edi, 4Ch
		pop	ecx
		rep movsd
		mov	edi, [ebp+var_4]

loc_A69CAB:				; CODE XREF: ViDeadlockMergeNodes(x,x,x)+16j
		mov	ecx, [ebx+24h]
		and	ecx, 1
		jz	short loc_A69CBE
		mov	eax, [edi+24h]
		and	eax, 0FFFFFFFEh
		or	eax, ecx
		mov	[edi+24h], eax

loc_A69CBE:				; CODE XREF: ViDeadlockMergeNodes(x,x,x)+3Dj
		lea	ecx, [ebx+4]
		mov	eax, [ecx]
		jmp	short loc_A69D21
; 

loc_A69CC5:				; CODE XREF: ViDeadlockMergeNodes(x,x,x)+AFj
		mov	esi, eax
		lea	edx, [eax-0Ch]
		mov	eax, [eax]
		mov	[ebp+var_4], edx
		mov	[ebp+var_8], eax
		cmp	[eax+4], esi
		jnz	loc_A69D7C
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	loc_A69D7C
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	ecx, ebx
		mov	edx, [edx+28h]
		not	edx
		call	_ViDeadlockUpdateChildrenCount@8 ; ViDeadlockUpdateChildrenCount(x,x)
		mov	edx, [ebp+var_4]
		lea	eax, [edi+4]
		mov	[edx], edi
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_A69D7C
		mov	[esi+4], ecx
		mov	[esi], eax
		mov	[ecx], esi
		mov	ecx, edi
		mov	[eax+4], esi
		mov	edx, [edx+28h]
		inc	edx
		call	_ViDeadlockUpdateChildrenCount@8 ; ViDeadlockUpdateChildrenCount(x,x)
		mov	eax, [ebp+var_8]
		lea	ecx, [ebx+4]

loc_A69D21:				; CODE XREF: ViDeadlockMergeNodes(x,x,x)+4Fj
		cmp	eax, ecx
		jnz	short loc_A69CC5
		cmp	dword ptr [ebx], 0
		jz	short loc_A69D4A
		lea	eax, [ebx+0Ch]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_A69D7C
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_A69D7C
		mov	[ecx], edx
		mov	[edx+4], ecx
		or	edx, 0FFFFFFFFh
		mov	ecx, [ebx]
		call	_ViDeadlockUpdateChildrenCount@8 ; ViDeadlockUpdateChildrenCount(x,x)

loc_A69D4A:				; CODE XREF: ViDeadlockMergeNodes(x,x,x)+B4j
		mov	eax, [ebx+1Ch]
		mov	ecx, 0FFFFh
		add	[eax+4], cx
		lea	eax, [ebx+14h]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_A69D7C
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_A69D7C
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	ecx, [ebp+arg_0]
		pop	edi
		pop	esi
		mov	eax, [ecx]
		mov	[ebx], eax
		mov	[ecx], ebx
		pop	ebx
		leave
		retn	4
; 

loc_A69D7C:				; CODE XREF: ViDeadlockMergeNodes(x,x,x)+61j
					; ViDeadlockMergeNodes(x,x,x)+6Cj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall ViDeadlockPopulateLookasideCache(x,	x)
_ViDeadlockPopulateLookasideCache@8:	; CODE XREF: VfDeadlockInitialize(x,x)+1ADp
					; VfDeadlockInitialize(x,x)+1B9p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	ebx, ecx
		xor	edi, edi

loc_A69D8C:				; CODE XREF: ViDeadlockMergeNodes(x,x,x)+130j
		mov	ecx, ebx
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		test	eax, eax
		jz	short loc_A69DA6
		add	esi, 0FFFFh
		mov	[eax], edi
		mov	edi, eax
		test	si, si
		jnz	short loc_A69D8C

loc_A69DA6:				; CODE XREF: ViDeadlockMergeNodes(x,x,x)+121j
		test	edi, edi
		jz	short loc_A69DBB

loc_A69DAA:				; CODE XREF: ViDeadlockMergeNodes(x,x,x)+145j
		mov	esi, [edi]
		mov	edx, edi
		mov	ecx, ebx
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		mov	edi, esi
		test	esi, esi
		jnz	short loc_A69DAA

loc_A69DBB:				; CODE XREF: ViDeadlockMergeNodes(x,x,x)+134j
		pop	edi
		pop	esi
		pop	ebx
		retn
_ViDeadlockMergeNodes@12 endp ;	sp = -18h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViDeadlockPreprocessOptions(int,int,int,int,int,int)
_ViDeadlockPreprocessOptions@24	proc near
					; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+210p
					; VfDeadlockAcquireResource(x,x,x,x,x)+2B8p ...

var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ecx]
		mov	[ebp+var_4], edx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi		; char
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_A69DEF
		mov	eax, esi
		and	eax, 0FFFh
		cmp	eax, 0Ch
		jnb	short loc_A69DEA
		mov	eax, ds:_ViDeadlockDefaultActions[eax*4]
		jmp	short loc_A69DED
; 

loc_A69DEA:				; CODE XREF: ViDeadlockPreprocessOptions(x,x,x,x,x,x)+20j
		push	4
		pop	eax

loc_A69DED:				; CODE XREF: ViDeadlockPreprocessOptions(x,x,x,x,x,x)+29j
		mov	[ecx], eax

loc_A69DEF:				; CODE XREF: ViDeadlockPreprocessOptions(x,x,x,x,x,x)+14j
		test	eax, eax
		jz	loc_A69E7C
		test	al, 10h
		jz	short loc_A69DFE
		and	dword ptr [ecx], 0

loc_A69DFE:				; CODE XREF: ViDeadlockPreprocessOptions(x,x,x,x,x,x)+3Aj
		mov	edi, [ebp+arg_8]
		mov	ebx, [ebp+arg_C]
		mov	_ViDeadlockIssue, esi
		mov	esi, [ebp+arg_4]
		mov	dword_6BDC24, esi
		mov	dword_6BDC28, edi
		push	offset ??_C@_0ED@JMFNLGBD@?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?5Verifier?5Detected?5@JKADOLAD@ ; char *
		mov	dword_6BDC2C, ebx
		call	_VfUtilDbgPrint
		mov	[esp+14h+var_14], offset ??_C@_03NOABEEAF@?$CK?$CK?6@JKADOLAD@
		call	_VfUtilDbgPrint
		mov	[esp+14h+var_14], offset ??_C@_03LBGKIICN@?$CK?$CK?5@JKADOLAD@
		call	_VfUtilDbgPrint
		mov	eax, [ebp+var_4]
		pop	ecx
		test	eax, eax
		jz	short loc_A69E59
		push	ebx
		push	edi
		push	esi		; char
		push	eax		; char *
		push	0		; int
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 18h

loc_A69E59:				; CODE XREF: ViDeadlockPreprocessOptions(x,x,x,x,x,x)+88j
		push	offset ??_C@_01EEMJAFIK@?6@JKADOLAD@ ; char *
		call	_VfUtilDbgPrint
		mov	[esp+14h+var_14], offset ??_C@_03NOABEEAF@?$CK?$CK?6@JKADOLAD@
		call	_VfUtilDbgPrint
		mov	[esp+14h+var_14], offset ??_C@_0ED@OBFNHIMC@?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK?$CK@JKADOLAD@
		call	_VfUtilDbgPrint
		pop	ecx

loc_A69E7C:				; CODE XREF: ViDeadlockPreprocessOptions(x,x,x,x,x,x)+32j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_ViDeadlockPreprocessOptions@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockRemoveNode(x, x)
_ViDeadlockRemoveNode@8	proc near	; CODE XREF: ViDeadlockForgetResourceHistory(x,x,x,x)+7Bp
					; ViDeadlockForgetResourceHistory(x,x,x,x)+C6p	...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		test	edx, edx
		jz	short loc_A69EB3

loc_A69E91:				; CODE XREF: ViDeadlockRemoveNode(x,x)+F5j
		add	esi, 14h
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_A69F7D
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_A69F7D
		pop	esi
		mov	[eax], ecx
		mov	[ecx+4], eax
		pop	ebx
		leave
		retn
; 

loc_A69EB3:				; CODE XREF: ViDeadlockRemoveNode(x,x)+Cj
		cmp	dword ptr [esi], 0
		push	edi
		lea	edi, [esi+4]
		mov	ecx, [edi]
		jz	loc_A69F67
		jmp	short loc_A69F0F
; 

loc_A69EC4:				; CODE XREF: ViDeadlockRemoveNode(x,x)+8Ej
		lea	eax, [ecx-0Ch]
		mov	edx, ecx
		mov	[ebp+var_4], eax
		mov	eax, [ecx]
		mov	ecx, eax
		cmp	[eax+4], edx
		jnz	loc_A69F7D
		mov	ebx, [edx+4]
		cmp	[ebx], edx
		jnz	loc_A69F7D
		mov	[ebx], eax
		mov	[eax+4], ebx
		or	eax, 0FFFFFFFFh
		mov	ebx, [ebp+var_4]
		sub	eax, [ebx+28h]
		add	[esi+28h], eax
		mov	eax, [esi]
		mov	[ebx], eax
		mov	eax, [esi]
		add	eax, 4
		mov	ebx, [eax+4]
		cmp	[ebx], eax
		jnz	short loc_A69F7D
		mov	[edx], eax
		mov	[edx+4], ebx
		mov	[ebx], edx
		mov	[eax+4], edx

loc_A69F0F:				; CODE XREF: ViDeadlockRemoveNode(x,x)+3Fj
		cmp	ecx, edi
		jnz	short loc_A69EC4
		lea	eax, [esi+0Ch]
		mov	edi, [eax]
		cmp	[edi+4], eax
		jnz	short loc_A69F7D
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_A69F7D
		mov	[ecx], edi
		or	edx, 0FFFFFFFFh
		mov	[edi+4], ecx
		mov	ecx, [esi]
		call	_ViDeadlockUpdateChildrenCount@8 ; ViDeadlockUpdateChildrenCount(x,x)
		jmp	short loc_A69F6B
; 

loc_A69F35:				; CODE XREF: ViDeadlockRemoveNode(x,x)+E6j
		lea	eax, [ecx-0Ch]
		mov	edx, ecx
		mov	[ebp+var_4], eax
		mov	eax, [ecx]
		mov	ecx, eax
		cmp	[eax+4], edx
		jnz	short loc_A69F7D
		mov	ebx, [edx+4]
		cmp	[ebx], edx
		jnz	short loc_A69F7D
		mov	[ebx], eax
		mov	[eax+4], ebx
		or	eax, 0FFFFFFFFh
		mov	ebx, [ebp+var_4]
		sub	eax, [ebx+28h]
		add	[esi+28h], eax
		xor	eax, eax
		mov	[ebx], eax
		mov	[edx], eax
		mov	[ebx+10h], eax

loc_A69F67:				; CODE XREF: ViDeadlockRemoveNode(x,x)+39j
		cmp	ecx, edi
		jnz	short loc_A69F35

loc_A69F6B:				; CODE XREF: ViDeadlockRemoveNode(x,x)+B0j
		mov	eax, [esi+1Ch]
		mov	ecx, 0FFFFh
		pop	edi
		add	[eax+4], cx
		jmp	loc_A69E91
; 

loc_A69F7D:				; CODE XREF: ViDeadlockRemoveNode(x,x)+16j
					; ViDeadlockRemoveNode(x,x)+21j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ViDeadlockRemoveNode@8	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViDeadlockRemoveResource(int,int,int)
_ViDeadlockRemoveResource@12 proc near	; CODE XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+98p
					; ViDeadlockAddResource(x,x,x,x,x,x)+A4p ...

var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ds:_ViDeadlockGlobals
		push	ebx
		push	esi
		push	edi
		cmp	dword ptr [eax+4010h], 0
		mov	edi, ecx
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], edi
		jnz	short loc_A69FB4
		mov	eax, ds:_ViDeadlockGlobals
		cmp	dword ptr [eax+40DCh], 400h
		jle	short loc_A69FBA

loc_A69FB4:				; CODE XREF: ViDeadlockRemoveResource(x,x,x)+1Fj
		xor	edx, edx
		inc	edx
		mov	[ebp+var_4], edx

loc_A69FBA:				; CODE XREF: ViDeadlockRemoveResource(x,x,x)+30j
		test	edx, edx
		jnz	short loc_A69FFB
		mov	eax, [edi+0Ch]
		test	eax, eax
		jz	short loc_A69FFB
		push	edi		; int
		push	dword ptr [eax]	; int
		mov	ebx, 100Bh
		mov	esi, offset unk_6B687C
		push	dword ptr [edi+8] ; int
		mov	edx, offset ??_C@_0DF@IGILFCMF@Deleted?5lock?50x?$CFp?5is?5still?5owne@JKADOLAD@ ; int
		mov	ecx, esi	; int
		push	ebx		; int
		call	_ViDeadlockPreprocessOptions@24	; ViDeadlockPreprocessOptions(x,x,x,x,x,x)
		mov	eax, [edi+0Ch]
		mov	edx, ebx	; int
		push	esi		; int
		push	edi		; int
		mov	ecx, 0C4h	; int
		push	dword ptr [eax]	; int
		push	dword ptr [edi+8] ; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		mov	edx, [ebp+var_4]

loc_A69FFB:				; CODE XREF: ViDeadlockRemoveResource(x,x,x)+3Aj
					; ViDeadlockRemoveResource(x,x,x)+41j
		lea	eax, [edi+10h]
		mov	ebx, [eax]
		cmp	ebx, eax
		jz	short loc_A6A025
		mov	edi, eax

loc_A6A006:				; CODE XREF: ViDeadlockRemoveResource(x,x,x)+9Ej
		lea	esi, [ebx-14h]
		mov	ebx, [ebx]
		mov	ecx, esi
		call	_ViDeadlockRemoveNode@8	; ViDeadlockRemoveNode(x,x)
		mov	ecx, [ebp+arg_0]
		mov	edx, [ebp+var_4]
		mov	eax, [ecx]
		mov	[esi], eax
		mov	[ecx], esi
		cmp	ebx, edi
		jnz	short loc_A6A006
		mov	edi, [ebp+var_C]

loc_A6A025:				; CODE XREF: ViDeadlockRemoveResource(x,x,x)+80j
		mov	ecx, ds:_ViDeadlockGlobals
		lea	eax, [edi+18h]
		dec	dword ptr [ecx+14h]
		mov	esi, [eax]
		cmp	[esi+4], eax
		jnz	short loc_A6A088
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_A6A088
		mov	[edx], esi
		mov	ebx, 3FFh
		mov	[esi+4], edx
		xor	edx, edx
		mov	esi, [edi+8]
		mov	eax, esi
		shr	eax, 0Ch
		div	ebx
		mov	eax, [ecx+10h]
		lea	eax, [eax+edx*8]
		cmp	[eax], eax
		jnz	short loc_A6A070
		and	dword ptr [ecx+edx*8+18h], 0
		and	dword ptr [ecx+edx*8+1Ch], 0

loc_A6A069:				; CODE XREF: ViDeadlockRemoveResource(x,x,x)+104j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_A6A070:				; CODE XREF: ViDeadlockRemoveResource(x,x,x)+DBj
		mov	eax, [edi]
		lea	ecx, [ecx+edx*8]
		add	ecx, 18h
		mov	edx, esi
		push	ds:_ViDeadlockResourceTypeSizeInfo[eax*4]
		call	_VfUtilAddressRangeRemove@12 ; VfUtilAddressRangeRemove(x,x,x)
		jmp	short loc_A6A069
; 

loc_A6A088:				; CODE XREF: ViDeadlockRemoveResource(x,x,x)+B4j
					; ViDeadlockRemoveResource(x,x,x)+BBj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ViDeadlockRemoveResource@12 endp	; AL = character to display


;  S U B	R O U T	I N E 


; int __fastcall ViDeadlockRemoveThread(int)
_ViDeadlockRemoveThread@8 proc near	; CODE XREF: ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+96p
					; VfDeadlockAcquireResource(x,x,x,x,x)+249p ...
		mov	eax, ds:_ViDeadlockGlobals
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		cmp	[eax+4010h], ebx
		jnz	short loc_A6A0B2
		mov	eax, ds:_ViDeadlockGlobals
		cmp	dword ptr [eax+40DCh], 400h
		jle	short loc_A6A0B5

loc_A6A0B2:				; CODE XREF: ViDeadlockRemoveThread(x,x)+12j
		xor	edx, edx
		inc	edx

loc_A6A0B5:				; CODE XREF: ViDeadlockRemoveThread(x,x)+23j
		test	edx, edx
		jnz	short loc_A6A0ED
		cmp	[esi+14h], ebx
		jz	short loc_A6A0ED
		push	ebx		; int
		push	esi		; int
		push	dword ptr [esi]	; int
		mov	ebx, 100Ah
		mov	edi, offset unk_6B6884
		push	ebx		; int
		mov	edx, offset ??_C@_0CC@EOCKMKPD@Terminated?5thread?50x?$CFp?5owns?5loc@JKADOLAD@	; "Terminated thread 0x%p owns lock."
		mov	ecx, edi	; int
		call	_ViDeadlockPreprocessOptions@24	; ViDeadlockPreprocessOptions(x,x,x,x,x,x)
		push	edi		; int
		push	0		; int
		push	esi		; int
		push	dword ptr [esi]	; int
		mov	edx, ebx	; int
		mov	ecx, 0C4h	; int
		call	_VfReportIssueWithOptions@24 ; VfReportIssueWithOptions(x,x,x,x,x,x)
		xor	ebx, ebx

loc_A6A0ED:				; CODE XREF: ViDeadlockRemoveThread(x,x)+2Aj
					; ViDeadlockRemoveThread(x,x)+2Fj
		mov	ecx, ds:_ViDeadlockGlobals
		lea	eax, [esi+0Ch]
		dec	dword ptr [ecx+2014h]
		mov	edi, [eax]
		cmp	[edi+4], eax
		jnz	short loc_A6A155
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_A6A155
		mov	[edx], edi
		mov	[edi+4], edx
		xor	edx, edx
		mov	esi, [esi]
		mov	edi, 3FFh
		mov	eax, esi
		shr	eax, 0Ch
		div	edi
		mov	eax, [ecx+2010h]
		lea	eax, [eax+edx*8]
		cmp	[eax], eax
		jnz	short loc_A6A13E
		mov	[ecx+edx*8+2018h], ebx
		mov	[ecx+edx*8+201Ch], ebx

loc_A6A13A:				; CODE XREF: ViDeadlockRemoveThread(x,x)+C6j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_A6A13E:				; CODE XREF: ViDeadlockRemoveThread(x,x)+9Dj
		lea	ecx, [ecx+edx*8]
		mov	edx, esi
		push	4E0h
		add	ecx, 2018h
		call	_VfUtilAddressRangeRemove@12 ; VfUtilAddressRangeRemove(x,x,x)
		jmp	short loc_A6A13A
; 

loc_A6A155:				; CODE XREF: ViDeadlockRemoveThread(x,x)+74j
					; ViDeadlockRemoveThread(x,x)+7Bj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ViDeadlockRemoveThread@8 endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall ViDeadlockSearchResource(x,	x)
_ViDeadlockSearchResource@8 proc near	; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+196p
					; VfDeadlockAcquireResource(x,x,x,x,x)+1C9p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		mov	eax, edi
		xor	edx, edx
		shr	eax, 0Ch
		mov	ecx, 3FFh
		div	ecx
		mov	ecx, ds:_ViDeadlockGlobals
		mov	eax, [ecx+10h]
		lea	esi, [eax+edx*8]
		cmp	[esi], esi
		jz	short loc_A6A1AE
		lea	ecx, [ecx+edx*8]
		mov	edx, edi
		lea	eax, [edi+1]
		add	ecx, 18h
		push	eax
		call	_VfUtilAddressRangeFit@12 ; VfUtilAddressRangeFit(x,x,x)
		test	eax, eax
		jz	short loc_A6A1AE
		mov	edx, ebx
		mov	ecx, esi
		call	_ViDeadlockTrimResources@8 ; ViDeadlockTrimResources(x,x)
		mov	eax, [esi]
		jmp	short loc_A6A1AA
; 

loc_A6A1A3:				; CODE XREF: ViDeadlockSearchResource(x,x)+52j
		cmp	[eax-10h], edi
		jz	short loc_A6A1B4
		mov	eax, [eax]

loc_A6A1AA:				; CODE XREF: ViDeadlockSearchResource(x,x)+47j
		cmp	eax, esi
		jnz	short loc_A6A1A3

loc_A6A1AE:				; CODE XREF: ViDeadlockSearchResource(x,x)+25j
					; ViDeadlockSearchResource(x,x)+3Aj
		xor	eax, eax

loc_A6A1B0:				; CODE XREF: ViDeadlockSearchResource(x,x)+5Dj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_A6A1B4:				; CODE XREF: ViDeadlockSearchResource(x,x)+4Cj
		add	eax, 0FFFFFFE8h
		jmp	short loc_A6A1B0
_ViDeadlockSearchResource@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViDeadlockSearchThread(x)
_ViDeadlockSearchThread@4 proc near	; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+14Fp
					; VfDeadlockAfterCallDriver(x)+32p ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		xor	edx, edx
		mov	eax, edi
		mov	ecx, 3FFh
		shr	eax, 0Ch
		div	ecx
		mov	ecx, ds:_ViDeadlockGlobals
		mov	eax, [ecx+2010h]
		lea	ebx, [eax+edx*8]
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	short loc_A6A208
		lea	ecx, [ecx+edx*8]
		mov	edx, edi
		lea	eax, [edi+1]
		add	ecx, 2018h
		push	eax
		call	_VfUtilAddressRangeFit@12 ; VfUtilAddressRangeFit(x,x,x)
		test	eax, eax
		jz	short loc_A6A208

loc_A6A1FB:				; CODE XREF: ViDeadlockSearchThread(x)+4Dj
		lea	eax, [esi-0Ch]
		cmp	[eax], edi
		jz	short loc_A6A20A
		mov	esi, [esi]
		cmp	esi, ebx
		jnz	short loc_A6A1FB

loc_A6A208:				; CODE XREF: ViDeadlockSearchThread(x)+28j
					; ViDeadlockSearchThread(x)+40j
		xor	eax, eax

loc_A6A20A:				; CODE XREF: ViDeadlockSearchThread(x)+47j
		pop	edi
		pop	esi
		pop	ebx
		retn
_ViDeadlockSearchThread@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViDeadlockSimilarNode(x, x,	x)
_ViDeadlockSimilarNode@12 proc near	; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+2E9p
					; VfDeadlockAcquireResource(x,x,x,x,x)+356p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, [esi+1Ch]
		cmp	ecx, [eax+8]
		jnz	short loc_A6A22D
		mov	ecx, [esi+24h]
		xor	eax, eax
		shr	ecx, 1
		inc	eax
		and	ecx, eax
		cmp	edx, ecx
		jz	short loc_A6A22F

loc_A6A22D:				; CODE XREF: ViDeadlockSimilarNode(x,x,x)+Fj
		xor	eax, eax

loc_A6A22F:				; CODE XREF: ViDeadlockSimilarNode(x,x,x)+1Dj
		pop	esi
		pop	ebp
		retn	4
_ViDeadlockSimilarNode@12 endp


;  S U B	R O U T	I N E 


; __stdcall ViDeadlockSimilarNodes(x, x)
_ViDeadlockSimilarNodes@8 proc near	; CODE XREF: ViDeadlockCheckDuplicatesAmongChildren(x,x,x)+1Ep
					; ViDeadlockCheckDuplicatesAmongRoots(x,x)+28p
		mov	eax, [ecx+1Ch]
		cmp	eax, [edx+1Ch]
		jnz	short loc_A6A24A
		mov	eax, [ecx+24h]
		xor	eax, [edx+24h]
		test	al, 2
		jnz	short loc_A6A24A
		xor	eax, eax
		inc	eax
		retn
; 

loc_A6A24A:				; CODE XREF: ViDeadlockSimilarNodes(x,x)+6j
					; ViDeadlockSimilarNodes(x,x)+10j
		xor	eax, eax
		retn
_ViDeadlockSimilarNodes@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViDeadlockTrimResources(x, x)
_ViDeadlockTrimResources@8 proc	near	; CODE XREF: ViDeadlockSearchResource(x,x)+40p
		mov	eax, ds:_ViDeadlockGlobals
		push	ebx
		push	edi
		mov	ebx, edx
		mov	edi, ecx
		inc	dword ptr [eax+4050h]
		mov	eax, [eax+4050h]
		test	al, 0Fh
		jnz	short loc_A6A27E
		push	esi
		mov	esi, [edi]
		jmp	short loc_A6A279
; 

loc_A6A26D:				; CODE XREF: ViDeadlockTrimResources(x,x)+2Ej
		lea	ecx, [esi-18h]
		mov	esi, [esi]
		push	ebx
		push	ecx
		call	_ViDeadlockForgetResourceHistory@16 ; ViDeadlockForgetResourceHistory(x,x,x,x)

loc_A6A279:				; CODE XREF: ViDeadlockTrimResources(x,x)+1Ej
		cmp	esi, edi
		jnz	short loc_A6A26D
		pop	esi

loc_A6A27E:				; CODE XREF: ViDeadlockTrimResources(x,x)+19j
		pop	edi
		pop	ebx
		retn
_ViDeadlockTrimResources@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViDeadlockUpdateChildrenCount(x, x)
_ViDeadlockUpdateChildrenCount@8 proc near
					; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+3EAp
					; ViDeadlockMergeNodes(x,x,x)+7Ep ...
		mov	edi, edi

loc_A6A283:				; CODE XREF: ViDeadlockUpdateChildrenCount(x,x)+Ej
		mov	eax, [ecx+28h]
		add	eax, edx
		mov	[ecx+28h], eax
		mov	ecx, [ecx]
		test	ecx, ecx
		jnz	short loc_A6A283
		mov	ecx, ds:_ViDeadlockGlobals
		cmp	eax, [ecx+40DCh]
		jle	short locret_A6A2A5
		mov	[ecx+40DCh], eax

locret_A6A2A5:				; CODE XREF: ViDeadlockUpdateChildrenCount(x,x)+1Cj
		retn
_ViDeadlockUpdateChildrenCount@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViIsThreadInsidePagingCodePaths()
_ViIsThreadInsidePagingCodePaths@0 proc	near
					; CODE XREF: VfDeadlockAcquireResource(x,x,x,x,x)+88p
					; VfDeadlockReleaseResource(x,x,x,x)+4Fp
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, large fs:124h
		push	edi
		xor	edi, edi
		call	_ViRaiseIrqlToDpcLevel@0 ; ViRaiseIrqlToDpcLevel()
		xor	ecx, ecx
		mov	bl, al
		call	_ViDeadlockDetectionLock@4 ; ViDeadlockDetectionLock(x)
		mov	ecx, esi
		call	_ViDeadlockSearchThread@4 ; ViDeadlockSearchThread(x)
		test	eax, eax
		jz	short loc_A6A2D3
		cmp	[eax+18h], edi
		jbe	short loc_A6A2D3
		inc	edi

loc_A6A2D3:				; CODE XREF: ViIsThreadInsidePagingCodePaths()+25j
					; ViIsThreadInsidePagingCodePaths()+2Aj
		xor	ecx, ecx
		call	_ViDeadlockDetectionUnlock@4 ; ViDeadlockDetectionUnlock(x)
		mov	cl, bl
		call	_ViLowerIrql@4	; ViLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
_ViIsThreadInsidePagingCodePaths@0 endp


;  S U B	R O U T	I N E 


; __stdcall VfAllocPoolNotification(x, x)
_VfAllocPoolNotification@8 proc	near	; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+DBp
					; VeAllocatePoolWithTagPriority(x,x,x,x,x)+1DDp ...
		mov	eax, _MmVerifierData
		test	eax, 400000h
		jz	short loc_A6A300
		test	al, 9
		jz	short locret_A6A30D
		test	byte ptr _VfFlightOptions, 9
		jz	short locret_A6A30D

loc_A6A300:				; CODE XREF: VfAllocPoolNotification(x,x)+Aj
		cmp	ds:_VfPoolTraces, 0
		jnz	_ViPoolLogStackTrace@8 ; ViPoolLogStackTrace(x,x)

locret_A6A30D:				; CODE XREF: VfAllocPoolNotification(x,x)+Ej
					; VfAllocPoolNotification(x,x)+17j
		retn
_VfAllocPoolNotification@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFillAllocatedMemory(x, x)
_VfFillAllocatedMemory@8 proc near	; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+2B4p
					; VerifierMmAllocateContiguousMemory(x,x,x)+59p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		push	0
		mov	esi, edx
		mov	edi, ecx
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	edx, 100h
		cmp	esi, edx
		jb	short loc_A6A350
		mov	esi, edx
		cmp	esi, edx
		jnz	short loc_A6A350
		movzx	ecx, al
		or	ecx, 1
		mov	eax, ecx
		shl	eax, 8
		or	ecx, eax
		mov	eax, ecx
		shl	eax, 10h
		or	eax, ecx
		push	eax
		push	edx
		push	edi
		call	_RtlFillMemoryUlong@12 ; RtlFillMemoryUlong(x,x,x)
		jmp	short loc_A6A361
; 

loc_A6A350:				; CODE XREF: VfFillAllocatedMemory(x,x)+1Cj
					; VfFillAllocatedMemory(x,x)+22j
		movzx	eax, al
		push	esi		; size_t
		or	eax, 1
		push	eax		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_A6A361:				; CODE XREF: VfFillAllocatedMemory(x,x)+40j
		pop	edi
		pop	esi
		leave
		retn
_VfFillAllocatedMemory@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfFreePoolNotification(x, x)
_VfFreePoolNotification@8 proc near	; CODE XREF: ExpFreePoolChecks+D1D05p
					; ExFreeHeapPool+C75B1p ...
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		test	edi, edi
		jnz	short loc_A6A3A3
		test	byte ptr _VfRuleClasses, 8
		jz	short loc_A6A3EA
		test	_MmVerifierData, 400000h
		jz	short loc_A6A390
		test	byte ptr _VfFlightOptions, 9
		jz	short loc_A6A3EA

loc_A6A390:				; CODE XREF: VfFreePoolNotification(x,x)+20j
		cmp	ds:_VfPoolTraces, 0
		jz	short loc_A6A3EA
		push	8
		pop	edx
		call	_ViPoolLogStackTrace@8 ; ViPoolLogStackTrace(x,x)
		jmp	short loc_A6A3EA
; 

loc_A6A3A3:				; CODE XREF: VfFreePoolNotification(x,x)+Bj
		test	byte ptr _VfRuleClasses, 8
		jz	short loc_A6A3BA
		cmp	ds:_VfPoolTraces, 0
		jz	short loc_A6A3BA
		call	_ViPoolLogStackTrace@8 ; ViPoolLogStackTrace(x,x)

loc_A6A3BA:				; CODE XREF: VfFreePoolNotification(x,x)+45j
					; VfFreePoolNotification(x,x)+4Ej
		call	_VfIsVerifierEnabled@0 ; VfIsVerifierEnabled()
		test	eax, eax
		jz	short loc_A6A3EA
		test	_VfRuleClasses,	0FFAFFFFFh
		jnz	short loc_A6A3D8
		test	byte ptr dword_6FDE00, 6
		jz	short loc_A6A3EA

loc_A6A3D8:				; CODE XREF: VfFreePoolNotification(x,x)+68j
		mov	edx, edi
		mov	ecx, esi
		call	_VfDeadlockDeleteMemoryRange@8 ; VfDeadlockDeleteMemoryRange(x,x)
		mov	edx, edi
		mov	ecx, esi
		call	_VfRemLockDeleteMemoryRange@8 ;	VfRemLockDeleteMemoryRange(x,x)

loc_A6A3EA:				; CODE XREF: VfFreePoolNotification(x,x)+14j
					; VfFreePoolNotification(x,x)+29j ...
		pop	edi
		pop	esi
		pop	ecx
		retn
_VfFreePoolNotification@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfPoolCheckForLeaks(x, x)
_VfPoolCheckForLeaks@8 proc near	; CODE XREF: VfTargetDriversRemove+91F50p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		cmp	dword ptr [esi+44h], 0
		jnz	short loc_A6A3FF
		cmp	dword ptr [esi+48h], 0
		jz	short loc_A6A428

loc_A6A3FF:				; CODE XREF: VfPoolCheckForLeaks(x,x)+9j
		test	byte ptr _MmVerifierData, 8
		jz	short loc_A6A428
		mov	eax, [esi+38h]
		add	eax, [esi+34h]
		push	eax
		push	esi
		push	dword ptr [edx+30h]
		push	62h
		pop	edx
		lea	ecx, [edx+62h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)
		jmp	short loc_A6A428
; 

loc_A6A420:				; CODE XREF: VfPoolCheckForLeaks(x,x)+44j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A6A428:				; CODE XREF: VfPoolCheckForLeaks(x,x)+Fj
					; VfPoolCheckForLeaks(x,x)+18j	...
		lea	ecx, [esi+20h]
		call	@ExInterlockedPopEntrySList@8 ;	ExInterlockedPopEntrySList(x,x)
		test	eax, eax
		jnz	short loc_A6A420
		pop	esi
		retn
_VfPoolCheckForLeaks@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfPoolInitPhase0()
_VfPoolInitPhase0@0 proc near		; CODE XREF: VfInitVerifierComponents(x,x,x)+57p
		mov	eax, _MmVerifierData
		test	eax, 0FBFh
		jz	short locret_A6A49D
		test	eax, 400000h
		jz	short loc_A6A44D
		test	al, 8
		jz	short locret_A6A49D

loc_A6A44D:				; CODE XREF: VfPoolInitPhase0()+11j
		mov	eax, ds:_VfPoolTracesLength
		push	esi
		mov	esi, 10000h
		cmp	eax, esi
		jnb	short loc_A6A460
		mov	eax, esi
		jmp	short loc_A6A47D
; 

loc_A6A460:				; CODE XREF: VfPoolInitPhase0()+24j
		mov	ecx, 100000h
		cmp	eax, ecx
		jbe	short loc_A6A46D
		mov	eax, ecx
		jmp	short loc_A6A47D
; 

loc_A6A46D:				; CODE XREF: VfPoolInitPhase0()+31j
					; VfPoolInitPhase0()+41j
		mov	edx, eax
		and	edx, ecx
		jnz	short loc_A6A47B
		sar	ecx, 1
		cmp	ecx, esi
		jge	short loc_A6A46D
		jmp	short loc_A6A482
; 

loc_A6A47B:				; CODE XREF: VfPoolInitPhase0()+3Bj
		mov	eax, edx

loc_A6A47D:				; CODE XREF: VfPoolInitPhase0()+28j
					; VfPoolInitPhase0()+35j
		mov	ds:_VfPoolTracesLength,	eax

loc_A6A482:				; CODE XREF: VfPoolInitPhase0()+43j
		push	20h
		push	54506656h
		shl	eax, 6
		push	eax
		push	200h
		call	ExAllocatePoolWithTagPriority
		mov	ds:_VfPoolTraces, eax
		pop	esi

locret_A6A49D:				; CODE XREF: VfPoolInitPhase0()+Aj
					; VfPoolInitPhase0()+15j
		retn
_VfPoolInitPhase0@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfPoolInitPhase1()
_VfPoolInitPhase1@0 proc near		; CODE XREF: VfInitSystemNoRebootNeeded(x,x)+D6p
					; ViInitSystemPhase1:loc_AE709Bp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, _MmVerifierData
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], ebx
		push	esi
		push	edi
		test	eax, 400000h
		jz	short loc_A6A4C2
		test	al, 1
		jz	loc_A6A547

loc_A6A4C2:				; CODE XREF: VfPoolInitPhase1()+1Aj
		mov	esi, offset unk_6BE3D8

loc_A6A4C7:				; CODE XREF: VfPoolInitPhase1()+A7j
		push	ebx
		push	1
		lea	eax, [esi-10h]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	edi, [esi-18h]
		mov	[ebp+var_20], 18h
		push	edi
		push	offset _ViPoolDelayFreeTrimThreadRoutine@4 ; ViPoolDelayFreeTrimThreadRoutine(x)
		push	ebx
		push	ebx
		lea	eax, [ebp+var_20]
		mov	[ebp+var_1C], ebx
		push	eax
		push	ebx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_14], 200h
		push	eax
		mov	[ebp+var_18], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A6A53C
		push	ebx
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], ebx
		push	eax
		push	ebx
		push	ds:_PsThreadType
		push	ebx
		push	[ebp+var_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	eax, [ebp+var_8]
		push	[ebp+var_4]
		mov	[esi], eax
		call	_ZwClose@4	; ZwClose(x)
		xor	ecx, ecx
		mov	[edi], ebx
		mov	[edi+4], ebx
		lea	eax, [esi+4]
		inc	ecx
		xchg	ecx, [eax]

loc_A6A53C:				; CODE XREF: VfPoolInitPhase1()+6Aj
		add	esi, 30h
		cmp	esi, offset unk_6BE438
		jl	short loc_A6A4C7

loc_A6A547:				; CODE XREF: VfPoolInitPhase1()+1Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VfPoolInitPhase1@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViPoolDelayFreeTrimThreadRoutine(x)
_ViPoolDelayFreeTrimThreadRoutine@4 proc near ;	DATA XREF: VfPoolInitPhase1()+40o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	ebx, [edi+8]

loc_A6A55A:				; CODE XREF: ViPoolDelayFreeTrimThreadRoutine(x)+28j
					; ViPoolDelayFreeTrimThreadRoutine(x)+3Aj
		push	0
		push	0
		push	0
		push	0
		push	ebx
		call	KeWaitForSingleObject
		inc	dword ptr [edi+28h]
		mov	ecx, edi
		call	@ExInterlockedFlushSList@4 ; ExInterlockedFlushSList(x)
		test	eax, eax
		jz	short loc_A6A55A

loc_A6A576:				; CODE XREF: ViPoolDelayFreeTrimThreadRoutine(x)+38j
		mov	esi, [eax]
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi
		test	esi, esi
		jnz	short loc_A6A576
		jmp	short loc_A6A55A
_ViPoolDelayFreeTrimThreadRoutine@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViPoolLogStackCallout(x)
_ViPoolLogStackCallout@4 proc near	; CODE XREF: ViPoolLogStackTrace(x,x)+71p
					; DATA XREF: ViPoolLogStackTrace(x,x)+5Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	0
		lea	eax, [esi+0Ch]
		push	eax
		push	0Dh
		push	2
		call	RtlCaptureStackBackTrace
		movzx	eax, ax
		cmp	eax, 0Dh
		jnb	short loc_A6A5AD
		and	dword ptr [esi+eax*4+0Ch], 0

loc_A6A5AD:				; CODE XREF: ViPoolLogStackCallout(x)+1Ej
		pop	esi
		pop	ebp
		retn	4
_ViPoolLogStackCallout@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViPoolLogStackTrace(x, x)
_ViPoolLogStackTrace@8 proc near	; CODE XREF: VfAllocPoolNotification(x,x)+20j
					; VfFreePoolNotification(x,x)+37p ...
		cmp	ds:_VfPoolTraces, 0
		jz	short locret_A6A62A
		push	esi
		xor	esi, esi
		push	edi
		inc	esi
		lock xadd ds:_VfPoolTracesIndex, esi
		inc	esi
		mov	edi, ds:_VfPoolTracesLength
		mov	eax, large fs:124h
		dec	edi
		and	edi, esi
		shl	edi, 6
		add	edi, ds:_VfPoolTraces
		mov	[edi+8], eax
		mov	[edi], ecx
		mov	[edi+4], edx
		test	byte ptr _VfOptionFlags, 2
		jnz	short loc_A6A61C
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 1
		ja	short loc_A6A622
		call	_RtlEnoughStackSpaceForStackCapture@0 ;	RtlEnoughStackSpaceForStackCapture()
		test	eax, eax
		jnz	short loc_A6A622
		push	eax
		push	1
		push	218h
		push	edi
		push	offset _ViPoolLogStackCallout@4	; ViPoolLogStackCallout(x)
		call	_KeExpandKernelStackAndCalloutEx@20 ; KeExpandKernelStackAndCalloutEx(x,x,x,x,x)
		test	eax, eax
		jns	short loc_A6A628

loc_A6A61C:				; CODE XREF: ViPoolLogStackTrace(x,x)+3Ej
		and	dword ptr [edi+0Ch], 0
		jmp	short loc_A6A628
; 

loc_A6A622:				; CODE XREF: ViPoolLogStackTrace(x,x)+48j
					; ViPoolLogStackTrace(x,x)+51j
		push	edi
		call	_ViPoolLogStackCallout@4 ; ViPoolLogStackCallout(x)

loc_A6A628:				; CODE XREF: ViPoolLogStackTrace(x,x)+68j
					; ViPoolLogStackTrace(x,x)+6Ej
		pop	edi
		pop	esi

locret_A6A62A:				; CODE XREF: ViPoolLogStackTrace(x,x)+7j
		retn
_ViPoolLogStackTrace@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfSuspectDriversAllocateEntry(x)
_VfSuspectDriversAllocateEntry@4 proc near ; CODE XREF:	VfDriverEnableVerifierForAll()+58p
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+214p	...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		movzx	ecx, word ptr [ebx+2]
		lea	eax, [ecx+2]
		movzx	eax, ax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	2
		pop	edx
		call	_RtlUShortAdd@12 ; RtlUShortAdd(x,x,x)
		mov	edi, 0FFFFh
		cmp	eax, 0C0000095h
		jz	short loc_A6A65E
		mov	edi, [ebp+var_4]

loc_A6A65E:				; CODE XREF: VfSuspectDriversAllocateEntry(x)+2Ej
		movzx	eax, di
		mov	[ebp+var_4], eax
		add	eax, 18h
		push	44536656h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A6A6B2
		push	[ebp+var_4]	; size_t
		xor	edx, edx
		lea	ecx, [esi+18h]
		mov	[esi+8], edx
		mov	[esi+0Ch], edx
		mov	[esi+14h], ecx
		mov	ax, [ebx]
		push	edx		; int
		push	ecx		; void *
		mov	[esi+10h], ax
		mov	[esi+12h], di
		call	_memset
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		push	dword ptr [esi+14h] ; void *
		call	_memcpy
		add	esp, 18h

loc_A6A6B2:				; CODE XREF: VfSuspectDriversAllocateEntry(x)+50j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_VfSuspectDriversAllocateEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfSuspectDriversGetVerifierInformation(x, x, x, x, x)
_VfSuspectDriversGetVerifierInformation@20 proc	near
					; CODE XREF: VfGetVerifierInformation(x,x,x,x)+5Ep

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	esi, ecx
		neg	edi
		mov	[esp+28h+var_10], edx
		mov	[esp+28h+var_8], ecx
		sbb	edi, edi
		and	dword ptr [eax], 0
		and	edi, 58h
		xor	eax, eax
		add	edi, 78h
		mov	[esp+28h+var_14], eax
		xor	ebx, ebx
		call	_VfDriverLock@0	; VfDriverLock()
		mov	eax, _VfSuspectDriversList
		jmp	loc_A6A853
; 

loc_A6A6FB:				; CODE XREF: VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+19Fj
		mov	edx, eax
		add	esi, ebx
		mov	eax, [eax]
		lea	ebx, [edi+5]
		mov	[esp+28h+var_4], eax
		mov	[esp+28h+var_1C], edx
		movzx	eax, word ptr [edx+10h]
		mov	[esp+28h+var_C], eax
		movzx	eax, ax
		add	ebx, eax
		mov	[esp+28h+var_18], eax
		mov	eax, [ebp+arg_0]
		and	ebx, 0FFFFFFFCh
		add	[eax], ebx
		mov	eax, [eax]
		cmp	eax, [esp+28h+var_10]
		ja	loc_A6A860
		mov	[esi], ebx
		lea	edx, [esi+8]
		mov	eax, _MmVerifierData
		xor	ecx, ecx
		mov	[esi+4], eax

loc_A6A740:				; CODE XREF: VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+98j
		mov	eax, _VfRuleClasses[ecx]
		add	ecx, 4
		mov	[edx], eax
		lea	edx, [edx+4]
		cmp	ecx, 8
		jb	short loc_A6A740
		mov	eax, _VfTriageContext
		mov	ecx, _VfClearanceFlag
		mov	[esi+10h], eax
		and	ecx, 1
		mov	eax, _ViVerifyAllDrivers
		add	ecx, ecx
		and	eax, 1
		mov	edx, [esp+28h+var_1C]
		or	ecx, eax
		mov	eax, [esi+14h]
		and	eax, 0FFFFFFFCh
		or	ecx, eax
		mov	[esi+14h], ecx
		mov	eax, dword_6C6E44
		mov	[esi+20h], eax
		mov	eax, dword_6C6E48
		mov	[esi+24h], eax
		mov	eax, dword_6C6E78
		mov	[esi+54h], eax
		mov	eax, dword_6C6E4C
		mov	[esi+28h], eax
		mov	eax, dword_6C6E50
		mov	[esi+2Ch], eax
		mov	eax, dword_6C6E54
		mov	[esi+30h], eax
		mov	eax, dword_6C6E58
		mov	[esi+34h], eax
		mov	eax, dword_6C6E5C
		mov	[esi+38h], eax
		mov	eax, dword_6C6E60
		mov	[esi+3Ch], eax
		mov	eax, dword_6C6E64
		mov	[esi+40h], eax
		mov	eax, dword_6C6E68
		mov	[esi+44h], eax
		mov	eax, dword_6C6E6C
		mov	[esi+48h], eax
		mov	eax, [edx+8]
		mov	[esi+4Ch], eax
		mov	eax, [edx+0Ch]
		mov	[esi+50h], eax
		mov	eax, [edx+8]
		cmp	eax, [edx+0Ch]
		jbe	short loc_A6A803
		push	[ebp+arg_8]
		mov	ecx, [esp+2Ch+var_1C]
		mov	edx, esi
		call	_VfTargetDriversGetCounters@12 ; VfTargetDriversGetCounters(x,x,x)
		jmp	short loc_A6A80D
; 

loc_A6A803:				; CODE XREF: VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+138j
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_VfTargetDriversGetZeroCounters@8 ; VfTargetDriversGetZeroCounters(x,x)

loc_A6A80D:				; CODE XREF: VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+148j
		mov	eax, [esp+28h+var_C]
		mov	ecx, [esp+28h+var_1C]
		push	[esp+28h+var_18] ; size_t
		mov	[esi+18h], ax
		add	eax, 2
		mov	[esi+1Ah], ax
		lea	eax, [edi+esi]
		mov	[esi+1Ch], eax
		push	dword ptr [ecx+14h] ; void *
		push	eax		; void *
		call	_memcpy
		mov	ecx, [esp+34h+var_18]
		xor	edx, edx
		mov	eax, [esi+1Ch]
		add	esp, 0Ch
		shr	ecx, 1
		mov	[eax+ecx*2], dx
		mov	eax, [ebp+arg_4]
		sub	eax, [esp+28h+var_8]
		add	[esi+1Ch], eax
		mov	eax, [esp+28h+var_4]

loc_A6A853:				; CODE XREF: VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+3Dj
		cmp	eax, offset _VfSuspectDriversList
		jnz	loc_A6A6FB
		jmp	short loc_A6A868
; 

loc_A6A860:				; CODE XREF: VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+72j
		mov	[esp+28h+var_14], 0C0000004h

loc_A6A868:				; CODE XREF: VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+1A5j
		xor	ebx, ebx
		push	ebx
		push	offset _ViDriversLoadLock
		mov	_ViDriversLoadLockOwner, ebx
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, [esp+28h+var_14]
		test	eax, eax
		js	short loc_A6A885
		mov	[esi], ebx

loc_A6A885:				; CODE XREF: VfSuspectDriversGetVerifierInformation(x,x,x,x,x)+1C8j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_VfSuspectDriversGetVerifierInformation@20 endp


;  S U B	R O U T	I N E 


; __stdcall VfSuspectDriversInsert(x)
_VfSuspectDriversInsert@4 proc near	; CODE XREF: VfSuspectDriversAdd(x)+18p
					; VfSuspectDriversParseRegistryString()+146p
		mov	eax, dword_6BE524
		mov	edx, offset _VfSuspectDriversList
		cmp	[eax], edx
		jz	short loc_A6A8A1
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A6A8A1:				; CODE XREF: VfSuspectDriversInsert(x)+Cj
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		mov	dword_6BE524, ecx
		retn
_VfSuspectDriversInsert@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfSuspectDriversLoadCallback(x, x, x, x, x)
_VfSuspectDriversLoadCallback@20 proc near ; CODE XREF:	VfDriverLoadImage+1F5Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_VfDriverLock@0	; VfDriverLock()
		test	byte ptr _VfOptionFlags, 1
		jz	short loc_A6A906
		mov	ebx, _VfExcludedDriversList
		cmp	ebx, offset _VfExcludedDriversList
		jz	short loc_A6A906
		lea	eax, [esi+2Ch]

loc_A6A8E5:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+55j
		push	1
		push	eax
		lea	eax, [ebx+8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_A6AB6A
		mov	ebx, [ebx]
		lea	eax, [esi+2Ch]
		cmp	ebx, offset _VfExcludedDriversList
		jnz	short loc_A6A8E5

loc_A6A906:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+23j
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+31j
		test	_MmVerifyDriverLevel, 0EF8000h
		jnz	short loc_A6A91B
		test	byte ptr dword_6FDE00, 8
		jz	short loc_A6A94D

loc_A6A91B:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+61j
		mov	ebx, _VfXdvExcludedDriversList
		cmp	ebx, offset _VfXdvExcludedDriversList
		jz	short loc_A6A94D
		lea	eax, [esi+2Ch]

loc_A6A92C:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+9Cj
		push	1
		push	eax
		lea	eax, [ebx+8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_A6AB6A
		mov	ebx, [ebx]
		lea	eax, [esi+2Ch]
		cmp	ebx, offset _VfXdvExcludedDriversList
		jnz	short loc_A6A92C

loc_A6A94D:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+6Aj
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+78j
		push	1
		lea	ebx, [esi+2Ch]
		push	ebx
		push	(offset	loc_A50407+1)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		cmp	al, 1
		jnz	short loc_A6A976
		mov	eax, [esi+18h]
		mov	ds:_VfTcpIpDllBase, eax
		mov	eax, [esi+20h]
		mov	ds:_VfTcpIpSizeOfImage,	eax
		jmp	loc_A6AA26
; 

loc_A6A976:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+B0j
		push	1
		push	ebx
		push	(offset	loc_A5040C+4)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		cmp	al, 1
		jnz	short loc_A6A99C
		mov	eax, [esi+18h]
		mov	ds:_VfTdxDllBase, eax
		mov	eax, [esi+20h]
		mov	ds:_VfTdxSizeOfImage, eax
		jmp	loc_A6AA26
; 

loc_A6A99C:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+D6j
		push	1
		push	ebx
		push	(offset	loc_A503FD+3)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		cmp	al, 1
		jnz	short loc_A6A9BF
		mov	eax, [esi+18h]
		mov	ds:_VfMrxsmbDllBase, eax
		mov	eax, [esi+20h]
		mov	ds:_VfMrxsmbSizeOfImage, eax
		jmp	short loc_A6AA26
; 

loc_A6A9BF:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+FCj
		push	1
		push	ebx
		push	(offset	loc_A50423+5)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		cmp	al, 1
		jnz	short loc_A6A9E2
		mov	eax, [esi+18h]
		mov	ds:_VfTmDllBase, eax
		mov	eax, [esi+20h]
		mov	ds:_VfTmSizeOfImage, eax
		jmp	short loc_A6AA26
; 

loc_A6A9E2:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+11Fj
		push	1
		push	ebx
		push	(offset	loc_A50417+1)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		cmp	al, 1
		jnz	short loc_A6AA05
		mov	eax, [esi+18h]
		mov	ds:_VfWin32kDllBase, eax
		mov	eax, [esi+20h]
		mov	ds:_VfWin32kSizeOfImage, eax
		jmp	short loc_A6AA26
; 

loc_A6AA05:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+142j
		push	1
		push	ebx
		push	(offset	loc_A5041B+5)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		cmp	al, 1
		jnz	short loc_A6AA26
		mov	eax, [esi+18h]
		mov	ds:_VfKsDllBase, eax
		mov	eax, [esi+20h]
		mov	ds:_VfKsSizeOfImage, eax

loc_A6AA26:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+C2j
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+E8j ...
		cmp	[ebp+arg_4], 0
		jnz	short loc_A6AA42
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_VfThunkApplyMandatoryThunks@8 ; VfThunkApplyMandatoryThunks(x,x)
		mov	[esp+18h+var_4], eax
		test	eax, eax
		jz	loc_A6AB6A

loc_A6AA42:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+17Bj
		xor	eax, eax
		test	edi, edi
		jz	short loc_A6AA4F

loc_A6AA48:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+241j
		inc	eax
		mov	[esp+18h+var_8], eax
		jmp	short loc_A6AAAA
; 

loc_A6AA4F:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+197j
		mov	edi, _VfSuspectDriversList
		mov	[esp+18h+var_8], eax
		jmp	short loc_A6AA74
; 

loc_A6AA5B:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+1CBj
		push	1
		push	ebx
		lea	eax, [edi+10h]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		movzx	eax, al
		mov	[esp+18h+var_8], eax
		test	eax, eax
		jnz	short loc_A6AAAA
		mov	edi, [edi]

loc_A6AA74:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+1AAj
		cmp	edi, offset _VfSuspectDriversList
		jnz	short loc_A6AA5B
		cmp	_KernelVerifier, 0
		jz	short loc_A6AA92
		cmp	[ebp+arg_4], 0
		jnz	short loc_A6AAC1
		mov	eax, _ViForceAllDriversSuspect
		jmp	short loc_A6AAA0
; 

loc_A6AA92:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+1D4j
		cmp	_ViVerifyAllDrivers, 1
		jz	short loc_A6AAC1
		call	_VfInitPickCurrentRandomTarget@0 ; VfInitPickCurrentRandomTarget()

loc_A6AAA0:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+1E1j
		test	eax, eax
		jnz	short loc_A6AAC1
		xor	edi, edi

loc_A6AAA6:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+21Dj
		mov	eax, [esp+18h+var_8]

loc_A6AAAA:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+19Ej
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+1C1j
		cmp	[ebp+arg_8], 0
		jnz	short loc_A6AAF5
		mov	edx, [esi+20h]
		mov	ecx, [esi+18h]
		push	edi
		push	[ebp+arg_0]
		call	VfTargetDriversAdd
		jmp	short loc_A6AB03
; 

loc_A6AAC1:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+1DAj
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+1EAj	...
		mov	ecx, ebx
		call	_VfSuspectDriversAllocateEntry@4 ; VfSuspectDriversAllocateEntry(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A6AAA6
		mov	eax, dword_6BE524
		mov	ecx, offset _VfSuspectDriversList
		cmp	[eax], ecx
		jz	short loc_A6AAE1
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A6AAE1:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+22Bj
		mov	[edi+4], eax
		mov	[edi], ecx
		mov	[eax], edi
		xor	eax, eax
		mov	dword_6BE524, edi
		jmp	loc_A6AA48
; 

loc_A6AAF5:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+1FFj
		test	eax, eax
		jz	short loc_A6AB0B
		mov	ecx, [esi+18h]
		mov	edx, edi
		call	_VfTargetDriversEnableVerifier@8 ; VfTargetDriversEnableVerifier(x,x)

loc_A6AB03:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+210j
		mov	ecx, eax
		mov	eax, [esp+18h+var_8]
		jmp	short loc_A6AB0E
; 

loc_A6AB0B:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+248j
		xor	ecx, ecx
		inc	ecx

loc_A6AB0E:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+25Aj
		test	eax, eax
		jnz	short loc_A6AB1E
		and	[esp+18h+var_4], eax
		cmp	_KernelVerifier, eax
		jz	short loc_A6AB6A

loc_A6AB1E:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+261j
		and	[esp+18h+var_4], 0
		test	ecx, ecx
		jz	short loc_A6AB6A
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_VfThunkApplyThunks@8 ;	VfThunkApplyThunks(x,x)
		mov	[esp+18h+var_4], eax
		test	eax, eax
		jnz	short loc_A6AB42
		mov	ecx, esi
		call	VfTargetDriversRemove
		jmp	short loc_A6AB6A
; 

loc_A6AB42:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+288j
		cmp	[esp+18h+var_8], 0
		jz	short loc_A6AB6A
		mov	ecx, ebx
		call	_VfUtilPrintCheckinString@4 ; VfUtilPrintCheckinString(x)
		inc	dword_6C6E70
		xor	ecx, ecx
		inc	dword ptr [edi+8]
		mov	edx, esi
		inc	ecx
		call	_VfNotifyVerifierExtensions@8 ;	VfNotifyVerifierExtensions(x,x)
		mov	ecx, esi
		call	_VfCheckImageCompliance@4 ; VfCheckImageCompliance(x)

loc_A6AB6A:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+44j
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+8Bj ...
		push	0
		push	offset _ViDriversLoadLock
		mov	_ViDriversLoadLockOwner, 0
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		cmp	[esp+18h+var_4], 0
		jz	short loc_A6AB8E
		or	dword ptr [esi+34h], 2000000h

loc_A6AB8E:				; CODE XREF: VfSuspectDriversLoadCallback(x,x,x,x,x)+2D6j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_VfSuspectDriversLoadCallback@20 endp


;  S U B	R O U T	I N E 


; __stdcall VfSuspectDriversRemove(x)
_VfSuspectDriversRemove@4 proc near	; CODE XREF: VfRemoveVerifierEntry(x):loc_A71A8Ap
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	esi, ecx
		xor	edi, edi
		call	_VfDriverLock@0	; VfDriverLock()
		mov	ecx, esi
		call	_ViSuspectDriversLookupEntry@4 ; ViSuspectDriversLookupEntry(x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_A6ABBF
		mov	eax, [ecx+8]
		cmp	eax, [ecx+0Ch]
		jz	short loc_A6ABDB
		mov	edi, 0C000010Eh

loc_A6ABBF:				; CODE XREF: VfSuspectDriversRemove(x)+19j
					; VfSuspectDriversRemove(x)+62j
		push	0
		push	offset _ViDriversLoadLock
		mov	_ViDriversLoadLockOwner, 0
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_A6ABDB:				; CODE XREF: VfSuspectDriversRemove(x)+21j
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_A6ABFB
		mov	edx, [ecx+4]
		cmp	[edx], ecx
		jnz	short loc_A6ABFB
		push	44536656h
		mov	[edx], eax
		push	ecx
		mov	[eax+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A6ABBF
; 

loc_A6ABFB:				; CODE XREF: VfSuspectDriversRemove(x)+49j
					; VfSuspectDriversRemove(x)+50j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_VfSuspectDriversRemove@4 endp		; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall VfSuspectDriversUnloadCallback(x)
_VfSuspectDriversUnloadCallback@4 proc near ; CODE XREF: VfDriverUnloadImage+3Cp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		call	_VfDriverLock@0	; VfDriverLock()
		push	1
		lea	esi, [ebx+2Ch]
		push	esi
		push	(offset	loc_A50407+1)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		xor	edi, edi
		cmp	al, 1
		jnz	short loc_A6AC2A
		mov	ds:_VfTcpIpDllBase, edi
		jmp	short loc_A6ACA5
; 

loc_A6AC2A:				; CODE XREF: VfSuspectDriversUnloadCallback(x)+20j
		push	1
		push	esi
		push	(offset	loc_A5040C+4)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		cmp	al, 1
		jnz	short loc_A6AC43
		mov	ds:_VfTdxDllBase, edi
		jmp	short loc_A6ACA5
; 

loc_A6AC43:				; CODE XREF: VfSuspectDriversUnloadCallback(x)+39j
		push	1
		push	esi
		push	(offset	loc_A503FD+3)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		cmp	al, 1
		jnz	short loc_A6AC5C
		mov	ds:_VfMrxsmbDllBase, edi
		jmp	short loc_A6ACA5
; 

loc_A6AC5C:				; CODE XREF: VfSuspectDriversUnloadCallback(x)+52j
		push	1
		push	esi
		push	(offset	loc_A50423+5)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		cmp	al, 1
		jnz	short loc_A6AC75
		mov	ds:_VfTmDllBase, edi
		jmp	short loc_A6ACA5
; 

loc_A6AC75:				; CODE XREF: VfSuspectDriversUnloadCallback(x)+6Bj
		push	1
		push	esi
		push	(offset	loc_A50417+1)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		cmp	al, 1
		jnz	short loc_A6AC8E
		mov	ds:_VfWin32kDllBase, edi
		jmp	short loc_A6ACA5
; 

loc_A6AC8E:				; CODE XREF: VfSuspectDriversUnloadCallback(x)+84j
		push	1
		push	esi
		push	(offset	loc_A5041B+5)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		cmp	al, 1
		jnz	short loc_A6ACA5
		mov	ds:_VfKsDllBase, edi

loc_A6ACA5:				; CODE XREF: VfSuspectDriversUnloadCallback(x)+28j
					; VfSuspectDriversUnloadCallback(x)+41j ...
		mov	edi, _VfSuspectDriversList
		jmp	short loc_A6ACBF
; 

loc_A6ACAD:				; CODE XREF: VfSuspectDriversUnloadCallback(x)+C5j
		push	1
		push	esi
		lea	eax, [edi+10h]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_A6ACC9
		mov	edi, [edi]

loc_A6ACBF:				; CODE XREF: VfSuspectDriversUnloadCallback(x)+ABj
		cmp	edi, offset _VfSuspectDriversList
		jnz	short loc_A6ACAD
		jmp	short loc_A6ACDC
; 

loc_A6ACC9:				; CODE XREF: VfSuspectDriversUnloadCallback(x)+BBj
		inc	dword_6C6E74
		mov	edx, ebx
		inc	dword ptr [edi+0Ch]
		push	2
		pop	ecx
		call	_VfNotifyVerifierExtensions@8 ;	VfNotifyVerifierExtensions(x,x)

loc_A6ACDC:				; CODE XREF: VfSuspectDriversUnloadCallback(x)+C7j
		push	0
		push	offset _ViDriversLoadLock
		mov	_ViDriversLoadLockOwner, 0
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		pop	edi
		pop	esi
		pop	ebx
		retn
_VfSuspectDriversUnloadCallback@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfSuspectExcludedDriversAllocateEntry(x, x)
_VfSuspectExcludedDriversAllocateEntry@8 proc near
					; CODE XREF: VfSuspectDriversParseRegistryString()+152p
					; VfSuspectDriversParseRegistryString()+2D8p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	edi
		push	edx
		movzx	eax, word ptr [ebx+2]
		add	eax, 10h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A6AD39
		movzx	edx, word ptr [ebx]
		mov	cx, [ebx+2]
		push	esi
		push	edx		; size_t
		push	dword ptr [ebx+4] ; void *
		lea	esi, [edi+10h]
		mov	[edi+8], dx
		push	esi		; void *
		mov	[edi+0Ch], esi
		mov	[edi+0Ah], cx
		call	_memcpy
		add	esp, 0Ch
		pop	esi

loc_A6AD39:				; CODE XREF: VfSuspectExcludedDriversAllocateEntry(x,x)+1Dj
		mov	eax, edi
		pop	edi
		pop	ebx
		retn
_VfSuspectExcludedDriversAllocateEntry@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViSuspectDriversLookupEntry(x)
_ViSuspectDriversLookupEntry@4 proc near ; CODE	XREF: VfDriverEnableVerifier(x,x,x)+34p
					; VfSuspectDriversRemove(x)+10p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, _VfSuspectDriversList
		mov	ebx, offset _VfSuspectDriversList
		push	edi
		mov	edi, ecx
		jmp	short loc_A6AD64
; 

loc_A6AD52:				; CODE XREF: ViSuspectDriversLookupEntry(x)+28j
		push	1
		push	edi
		lea	eax, [esi+10h]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_A6AD6E
		mov	esi, [esi]

loc_A6AD64:				; CODE XREF: ViSuspectDriversLookupEntry(x)+12j
		cmp	esi, ebx
		jnz	short loc_A6AD52
		xor	eax, eax

loc_A6AD6A:				; CODE XREF: ViSuspectDriversLookupEntry(x)+32j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_A6AD6E:				; CODE XREF: ViSuspectDriversLookupEntry(x)+22j
		mov	eax, esi
		jmp	short loc_A6AD6A
_ViSuspectDriversLookupEntry@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfSettingsApplyMiscellaneousChecks(x)
_VfSettingsApplyMiscellaneousChecks@4 proc near
					; CODE XREF: VfInitVerifierComponents(x,x,x)+282p
					; ViSettingsMiscellaneousCheckForChanges(x,x,x)+43p
		mov	eax, _MmVerifierData
		and	eax, 400000h
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFDFAh
		test	ecx, 800h
		lea	ecx, [eax+206h]
		jnz	_ExSetPoolFlags@4 ; ExSetPoolFlags(x)
		jmp	_ExClearPoolFlags@4 ; ExClearPoolFlags(x)
_VfSettingsApplyMiscellaneousChecks@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfSettingsCheckForChanges(x, x, x, x)
_VfSettingsCheckForChanges@16 proc near	; CODE XREF: VfSetVerifierInformation(x,x,x)+93p

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		mov	ecx, [ebp+arg_4]
		mov	[ebp+var_8], ebx
		call	_VfKeCheckForChanges@4 ; VfKeCheckForChanges(x)
		push	[ebp+arg_0]
		mov	edx, [ebp+var_4]
		mov	ecx, ebx
		call	_ViSettingsPoolTrackingCheckForChanges@12 ; ViSettingsPoolTrackingCheckForChanges(x,x,x)
		mov	ecx, [ebp+arg_4]
		call	_ViSettingsIoCheckForChanges@4 ; ViSettingsIoCheckForChanges(x)
		test	byte ptr [ebp+var_4], 20h
		jz	short loc_A6ADDF
		test	bl, 20h
		jnz	short loc_A6ADDA
		call	_ViDeadlockDetectionApplySettings@0 ; ViDeadlockDetectionApplySettings()

loc_A6ADDA:				; CODE XREF: VfSettingsCheckForChanges(x,x,x,x)+37j
		and	ebx, [ebp+arg_0]
		jmp	short loc_A6ADEC
; 

loc_A6ADDF:				; CODE XREF: VfSettingsCheckForChanges(x,x,x,x)+32j
		and	ebx, [ebp+arg_0]
		test	bl, 20h
		jz	short loc_A6ADEC
		call	_ViDeadlockDetectionApplySettings@0 ; ViDeadlockDetectionApplySettings()

loc_A6ADEC:				; CODE XREF: VfSettingsCheckForChanges(x,x,x,x)+41j
					; VfSettingsCheckForChanges(x,x,x,x)+49j
		mov	edx, [ebp+var_4]
		test	dl, dl
		jns	short loc_A6AE01
		mov	ebx, [ebp+var_8]
		test	bl, bl
		js	short loc_A6AE0D
		call	_ViHalApplySettings@0 ;	ViHalApplySettings()
		jmp	short loc_A6AE0D
; 

loc_A6AE01:				; CODE XREF: VfSettingsCheckForChanges(x,x,x,x)+55j
		test	bl, bl
		jns	short loc_A6AE0A
		call	_ViHalApplySettings@0 ;	ViHalApplySettings()

loc_A6AE0A:				; CODE XREF: VfSettingsCheckForChanges(x,x,x,x)+67j
		mov	ebx, [ebp+var_8]

loc_A6AE0D:				; CODE XREF: VfSettingsCheckForChanges(x,x,x,x)+5Cj
					; VfSettingsCheckForChanges(x,x,x,x)+63j
		push	[ebp+arg_0]
		mov	ecx, ebx
		call	_ViSettingsMiscellaneousCheckForChanges@12 ; ViSettingsMiscellaneousCheckForChanges(x,x,x)
		mov	ecx, [ebp+arg_4]
		call	_VfPendingCheckForChanges@4 ; VfPendingCheckForChanges(x)
		pop	ebx
		leave
		retn	8
_VfSettingsCheckForChanges@16 endp


;  S U B	R O U T	I N E 


; __stdcall VfSettingsInit(x)
_VfSettingsInit@4 proc near		; CODE XREF: VfInitVerifierComponents(x,x,x)+52p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		call	_VfKeCheckForChanges@4 ; VfKeCheckForChanges(x)
		mov	eax, _MmVerifierData
		test	eax, 400000h
		jz	short loc_A6AE3E
		test	al, 10h
		jz	short loc_A6AE45

loc_A6AE3E:				; CODE XREF: VfSettingsInit(x)+14j
		mov	ecx, ebx
		call	_ViSettingsIoCheckForChanges@4 ; ViSettingsIoCheckForChanges(x)

loc_A6AE45:				; CODE XREF: VfSettingsInit(x)+18j
		test	bl, 8
		jz	short loc_A6AE54
		mov	ds:_MmTrackLockedPages,	1

loc_A6AE54:				; CODE XREF: VfSettingsInit(x)+24j
		mov	ecx, ebx
		pop	ebx
		jmp	_VfPendingCheckForChanges@4 ; VfPendingCheckForChanges(x)
_VfSettingsInit@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfSettingsMiscellaneousChecksInitPhase1()
_VfSettingsMiscellaneousChecksInitPhase1@0 proc	near
					; CODE XREF: VfInitSystemNoRebootNeeded(x,x)+DBp
					; ViInitSystemPhase1+1A428p
		mov	edi, edi
		push	ecx
		mov	eax, _MmVerifierData
		test	eax, 800h
		jz	short loc_A6AE7A
		test	eax, 400000h
		jnz	short loc_A6AE7A
		xor	ecx, ecx
		inc	ecx
		call	_ViSettingsEnableKernelHandleChecking@4	; ViSettingsEnableKernelHandleChecking(x)

loc_A6AE7A:				; CODE XREF: VfSettingsMiscellaneousChecksInitPhase1()+Dj
					; VfSettingsMiscellaneousChecksInitPhase1()+14j
		pop	ecx
		retn
_VfSettingsMiscellaneousChecksInitPhase1@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViSettingsEnableKernelHandleChecking(x)
_ViSettingsEnableKernelHandleChecking@4	proc near
					; CODE XREF: VfSettingsMiscellaneousChecksInitPhase1()+19p
					; ViSettingsMiscellaneousCheckForChanges(x,x,x)+36p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		test	ecx, ecx
		mov	ecx, ds:_PsInitialSystemProcess
		jnz	short loc_A6AEA3
		xor	edx, edx
		call	_PsSetProcessHandleTracingInformation@8	; PsSetProcessHandleTracingInformation(x,x)
		mov	ecx, 0BFFFFFFFh
		mov	eax, offset _NtGlobalFlag
		lock and [eax],	ecx
		leave
		retn
; 

loc_A6AEA3:				; CODE XREF: ViSettingsEnableKernelHandleChecking(x)+Fj
		mov	eax, _VfHandleTracingEntries
		test	eax, eax
		jnz	short loc_A6AEB0
		xor	edx, edx
		jmp	short loc_A6AEBA
; 

loc_A6AEB0:				; CODE XREF: ViSettingsEnableKernelHandleChecking(x)+2Ej
		and	[ebp+var_8], 0
		lea	edx, [ebp+var_8]
		mov	[ebp+var_4], eax

loc_A6AEBA:				; CODE XREF: ViSettingsEnableKernelHandleChecking(x)+32j
		call	_PsSetProcessHandleTracingInformation@8	; PsSetProcessHandleTracingInformation(x,x)
		mov	ecx, 40000000h
		mov	eax, offset _NtGlobalFlag
		lock or	[eax], ecx
		leave
		retn
_ViSettingsEnableKernelHandleChecking@4	endp


;  S U B	R O U T	I N E 


; __stdcall ViSettingsIoCheckForChanges(x)
_ViSettingsIoCheckForChanges@4 proc near ; CODE	XREF: VfSettingsCheckForChanges(x,x,x,x)+29p
					; VfSettingsInit(x)+1Cp
		cmp	_VfIrpDatabaseInitialized, 0
		push	ebx
		mov	ebx, ecx
		jnz	short loc_A6AEDD
		and	ebx, 0FFFFFFEFh

loc_A6AEDD:				; CODE XREF: ViSettingsIoCheckForChanges(x)+Aj
		xor	ecx, ecx
		test	bl, 10h
		jnz	short loc_A6AEF7
		inc	ecx
		cmp	ds:_VfIoDisabled, 0
		jnz	short loc_A6AEF7
		mov	eax, ecx
		mov	edx, offset _VfIoSwitchedOffNoReboot
		xchg	eax, [edx]

loc_A6AEF7:				; CODE XREF: ViSettingsIoCheckForChanges(x)+14j
					; ViSettingsIoCheckForChanges(x)+1Ej
		mov	ds:_VfIoDisabled, ecx
		mov	ecx, ebx
		call	_IoVerifierCheckForSettingsChange@4 ; IoVerifierCheckForSettingsChange(x)
		mov	ecx, ebx
		pop	ebx
		jmp	_VfWdCheckForSettingsChange@4 ;	VfWdCheckForSettingsChange(x)
_ViSettingsIoCheckForChanges@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViSettingsMiscellaneousCheckForChanges(x, x, x)
_ViSettingsMiscellaneousCheckForChanges@12 proc	near
					; CODE XREF: VfSettingsCheckForChanges(x,x,x,x)+76p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	ebx, edx
		mov	esi, ecx
		push	edi
		mov	edi, [ebp+arg_0]
		test	ebx, 800h
		jz	short loc_A6AF2F
		shr	ecx, 0Bh
		not	ecx
		and	ecx, 1
		mov	eax, ecx
		jmp	short loc_A6AF3E
; 

loc_A6AF2F:				; CODE XREF: ViSettingsMiscellaneousCheckForChanges(x,x,x)+15j
		mov	eax, esi
		and	eax, edi
		bt	eax, 0Bh
		jnb	short loc_A6AF54
		xor	eax, eax
		inc	eax
		xor	ecx, ecx

loc_A6AF3E:				; CODE XREF: ViSettingsMiscellaneousCheckForChanges(x,x,x)+21j
		test	eax, eax
		jz	short loc_A6AF54
		call	_ViSettingsEnableKernelHandleChecking@4	; ViSettingsEnableKernelHandleChecking(x)
		or	esi, ebx
		not	edi
		and	esi, edi
		mov	ecx, esi
		call	_VfSettingsApplyMiscellaneousChecks@4 ;	VfSettingsApplyMiscellaneousChecks(x)

loc_A6AF54:				; CODE XREF: ViSettingsMiscellaneousCheckForChanges(x,x,x)+2Bj
					; ViSettingsMiscellaneousCheckForChanges(x,x,x)+34j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_ViSettingsMiscellaneousCheckForChanges@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViSettingsPoolTrackingCheckForChanges(x, x,	x)
_ViSettingsPoolTrackingCheckForChanges@12 proc near
					; CODE XREF: VfSettingsCheckForChanges(x,x,x,x)+21p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	dl, 8
		jz	short loc_A6AF71
		shr	ecx, 3
		not	ecx
		and	ecx, 1
		mov	eax, ecx
		jmp	short loc_A6AF7E
; 

loc_A6AF71:				; CODE XREF: ViSettingsPoolTrackingCheckForChanges(x,x,x)+8j
		and	ecx, [ebp+arg_0]
		test	cl, 8
		jz	short loc_A6AF9C
		xor	eax, eax
		inc	eax
		xor	ecx, ecx

loc_A6AF7E:				; CODE XREF: ViSettingsPoolTrackingCheckForChanges(x,x,x)+14j
		test	eax, eax
		jz	short loc_A6AF9C
		test	ecx, ecx
		jz	short loc_A6AF92
		mov	ds:_MmTrackLockedPages,	1
		jmp	short loc_A6AF9C
; 

loc_A6AF92:				; CODE XREF: ViSettingsPoolTrackingCheckForChanges(x,x,x)+29j
		or	ds:_MmTrackLockedPages,	10000000h

loc_A6AF9C:				; CODE XREF: ViSettingsPoolTrackingCheckForChanges(x,x,x)+1Cj
					; ViSettingsPoolTrackingCheckForChanges(x,x,x)+25j ...
		pop	ebp
		retn	4
_ViSettingsPoolTrackingCheckForChanges@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfAvlEnumerateNodes(x, x, x, x)
_VfAvlEnumerateNodes@16	proc near	; CODE XREF: VfTargetDriversGetCounters(x,x,x)+3Fp
					; ViTargetFreeContiguousMemory(x,x)+57p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, edx
		push	edi
		test	byte ptr [esi+5], 1
		jnz	short loc_A6AFC0
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		or	byte ptr [esi+5], 1
		mov	[esi+4], al

loc_A6AFC0:				; CODE XREF: VfAvlEnumerateNodes(x,x,x,x)+Fj
		mov	eax, dword_6BE38C
		xor	ebx, ebx
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	short loc_A6B01B
		xor	edi, edi

loc_A6AFD0:				; CODE XREF: VfAvlEnumerateNodes(x,x,x,x)+79j
		mov	ecx, dword_6BE388
		mov	edx, esi
		lea	ecx, [edi+ecx]
		call	ViAvlAcquireTableLockAtDpcLevelSafe
		push	1
		jmp	short loc_A6AFF1
; 

loc_A6AFE4:				; CODE XREF: VfAvlEnumerateNodes(x,x,x,x)+60j
		push	[ebp+arg_4]
		push	eax
		call	[ebp+arg_0]
		test	eax, eax
		jz	short loc_A6B01B
		push	0

loc_A6AFF1:				; CODE XREF: VfAvlEnumerateNodes(x,x,x,x)+42j
		mov	eax, dword_6BE388
		add	eax, edi
		push	eax
		call	_RtlEnumerateGenericTableAvl@8 ; RtlEnumerateGenericTableAvl(x,x)
		test	eax, eax
		jnz	short loc_A6AFE4
		mov	ecx, dword_6BE388
		mov	edx, esi
		lea	ecx, [edi+ecx]
		call	_ViAvlReleaseTableLockFromDpcLevel@8 ; ViAvlReleaseTableLockFromDpcLevel(x,x)
		inc	ebx
		sub	edi, 0FFFFFF80h
		cmp	ebx, [ebp+var_4]
		jb	short loc_A6AFD0

loc_A6B01B:				; CODE XREF: VfAvlEnumerateNodes(x,x,x,x)+2Cj
					; VfAvlEnumerateNodes(x,x,x,x)+4Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_VfAvlEnumerateNodes@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIrpDatabaseCheckExFreePool(x)
_VfIrpDatabaseCheckExFreePool@4	proc near ; CODE XREF: VerifierExFreePool(x)+1Dp
					; VerifierExFreePoolWithTag(x,x)+14p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	_VfIrpDatabaseInitialized, 0
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1], 0
		jz	short loc_A6B094
		lea	eax, [edi+1]
		mov	edx, edi
		push	eax
		mov	eax, edi
		shr	eax, 0Ch
		imul	eax, -7Dh
		movzx	ecx, al
		mov	eax, _ViIrpDatabaseAddressRanges
		lea	ecx, [eax+ecx*8]
		call	_VfUtilAddressRangeFitNoLock@12	; VfUtilAddressRangeFitNoLock(x,x,x)
		test	eax, eax
		jz	short loc_A6B094
		push	esi
		lea	ecx, [ebp-1]
		call	_ViIrpDatabaseAcquireLockShared@4 ; ViIrpDatabaseAcquireLockShared(x)
		mov	ecx, edi
		call	_ViIrpDatabaseFindPointer@4 ; ViIrpDatabaseFindPointer(x)
		mov	cl, [ebp+var_1]
		mov	esi, eax
		call	_ViIrpDatabaseReleaseLockShared@4 ; ViIrpDatabaseReleaseLockShared(x)
		test	esi, esi
		pop	esi
		jz	short loc_A6B094
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A6B094
		push	0
		mov	edx, 105h
		push	0
		push	edi
		lea	ecx, [edx-41h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6B094:				; CODE XREF: VfIrpDatabaseCheckExFreePool(x)+14j
					; VfIrpDatabaseCheckExFreePool(x)+36j ...
		pop	edi
		leave
		retn
_VfIrpDatabaseCheckExFreePool@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIrpDatabaseEntryDereference(x, x)
_VfIrpDatabaseEntryDereference@8 proc near ; CODE XREF:	IovpCompleteRequest2(x,x)+213p
					; VfIoFreeIrp(x,x)+86p	...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	[ebp+var_1], 0
		push	edi
		mov	edi, ecx
		cmp	edx, 1
		jnz	short loc_A6B0E7
		sub	[edi+10h], edx
		jnz	short loc_A6B0E7
		push	esi
		lea	ecx, [ebp-1]
		call	_ViIrpDatabaseAcquireLockExclusive@4 ; ViIrpDatabaseAcquireLockExclusive(x)
		mov	esi, [edi]
		push	1
		push	esi
		push	edi
		call	dword ptr [edi+20h]
		and	dword ptr [edi], 0
		mov	eax, esi
		shr	eax, 0Ch
		mov	edx, esi
		imul	eax, -7Dh
		push	ecx
		movzx	ecx, al
		mov	eax, _ViIrpDatabaseAddressRanges
		lea	ecx, [eax+ecx*8]
		call	_VfUtilAddressRangeRemoveCheckEmpty@12 ; VfUtilAddressRangeRemoveCheckEmpty(x,x,x)
		mov	cl, [ebp+var_1]
		call	_ViIrpDatabaseReleaseLockExclusive@4 ; ViIrpDatabaseReleaseLockExclusive(x)
		pop	esi

loc_A6B0E7:				; CODE XREF: VfIrpDatabaseEntryDereference(x,x)+10j
					; VfIrpDatabaseEntryDereference(x,x)+15j
		lock dec dword ptr [edi+0Ch]
		pop	edi
		leave
		retn
_VfIrpDatabaseEntryDereference@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIrpDatabaseEntryFindAndLock(x)
_VfIrpDatabaseEntryFindAndLock@4 proc near ; CODE XREF:	IovCancelIrp(x)+Cp
					; IovpCheckIrpForCriticalTracking(x)+16p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_1], 0
		mov	esi, ecx
		cmp	_VfIrpDatabaseInitialized, edi
		jz	short loc_A6B17C
		lea	eax, [esi+70h]
		mov	edx, esi
		push	eax
		mov	eax, esi
		shr	eax, 0Ch
		imul	eax, -7Dh
		movzx	ecx, al
		mov	eax, _ViIrpDatabaseAddressRanges
		lea	ecx, [eax+ecx*8]
		call	_VfUtilAddressRangeFitNoLock@12	; VfUtilAddressRangeFitNoLock(x,x,x)
		test	eax, eax
		jz	short loc_A6B17C
		lea	ecx, [ebp-1]
		call	_ViIrpDatabaseAcquireLockShared@4 ; ViIrpDatabaseAcquireLockShared(x)
		mov	ecx, esi
		call	_ViIrpDatabaseFindPointer@4 ; ViIrpDatabaseFindPointer(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A6B147
		mov	cl, [ebp+var_1]
		call	_ViIrpDatabaseReleaseLockShared@4 ; ViIrpDatabaseReleaseLockShared(x)
		jmp	short loc_A6B17C
; 

loc_A6B147:				; CODE XREF: VfIrpDatabaseEntryFindAndLock(x)+4Dj
		push	ebx
		lea	esi, [edi+0Ch]
		lock inc dword ptr [esi]
		mov	bl, [ebp+var_1]
		mov	cl, bl
		call	_ViIrpDatabaseReleaseLockShared@4 ; ViIrpDatabaseReleaseLockShared(x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [edi+4]
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	[edi+8], bl
		lock dec dword ptr [esi]
		cmp	dword ptr [edi+10h], 0
		pop	ebx
		jnz	short loc_A6B17C
		mov	ecx, edi
		call	_VfIrpDatabaseEntryReleaseLock@4 ; VfIrpDatabaseEntryReleaseLock(x)
		xor	edi, edi

loc_A6B17C:				; CODE XREF: VfIrpDatabaseEntryFindAndLock(x)+16j
					; VfIrpDatabaseEntryFindAndLock(x)+38j	...
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn
_VfIrpDatabaseEntryFindAndLock@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIrpDatabaseEntryInsertAndLock(x, x, x)
_VfIrpDatabaseEntryInsertAndLock@12 proc near ;	CODE XREF: VfPacketCreateAndLock(x)+71p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		xor	edx, edx
		push	edi
		mov	edi, [ebp+arg_0]
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_1], dl
		mov	[edi], ebx
		lea	esi, [edi+18h]
		mov	[edi+4], edx
		mov	[edi+10h], ecx
		mov	[edi+0Ch], ecx
		lea	ecx, [ebp-1]
		mov	[edi+14h], edx
		mov	[esi+4], esi
		mov	[esi], esi
		mov	dword ptr [edi+20h], offset _ViPacketNotificationCallback@12 ; ViPacketNotificationCallback(x,x,x)
		call	_ViIrpDatabaseAcquireLockExclusive@4 ; ViIrpDatabaseAcquireLockExclusive(x)
		mov	eax, ebx
		shr	eax, 0Ch
		imul	eax, -7Dh
		movzx	edx, al
		mov	eax, _ViIrpDatabase
		lea	eax, [eax+edx*8]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jz	short loc_A6B1DC
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A6B1DC:				; CODE XREF: VfIrpDatabaseEntryInsertAndLock(x,x,x)+53j
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[ecx+4], esi
		mov	[eax], esi
		mov	eax, _ViIrpDatabaseAddressRanges
		push	70h
		lea	ecx, [eax+edx*8]
		mov	edx, ebx
		call	_VfUtilAddressRangeAdd@12 ; VfUtilAddressRangeAdd(x,x,x)
		mov	cl, [ebp+var_1]
		call	_ViIrpDatabaseReleaseLockExclusive@4 ; ViIrpDatabaseReleaseLockExclusive(x)
		mov	ecx, ebx
		call	_VfIrpDatabaseEntryFindAndLock@4 ; VfIrpDatabaseEntryFindAndLock(x)
		lea	eax, [edi+0Ch]
		lock dec dword ptr [eax]
		dec	dword ptr [edi+10h]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VfIrpDatabaseEntryInsertAndLock@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIrpDatabaseEntryReleaseLock(x)
_VfIrpDatabaseEntryReleaseLock@4 proc near ; CODE XREF:	IovAllocateIrp(x,x,x,x)+67p
					; IovCancelIrp(x)+29j ...

var_2		= byte ptr -2
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	byte ptr [ebp+var_1], bl
		cmp	[esi+10h], ebx
		jnz	short loc_A6B265
		lea	ecx, [ebp-1]
		call	_ViIrpDatabaseAcquireLockExclusive@4 ; ViIrpDatabaseAcquireLockExclusive(x)
		mov	edi, [esi]
		test	edi, edi
		jz	short loc_A6B25D
		push	1
		push	edi
		push	esi
		call	dword ptr [esi+20h]
		mov	eax, edi
		mov	[esi], ebx
		shr	eax, 0Ch
		mov	edx, edi
		imul	eax, -7Dh
		movzx	ecx, al
		mov	eax, _ViIrpDatabaseAddressRanges
		push	ecx
		lea	ecx, [eax+ecx*8]
		call	_VfUtilAddressRangeRemoveCheckEmpty@12 ; VfUtilAddressRangeRemoveCheckEmpty(x,x,x)

loc_A6B25D:				; CODE XREF: VfIrpDatabaseEntryReleaseLock(x)+21j
		mov	cl, byte ptr [ebp+var_1]
		call	_ViIrpDatabaseReleaseLockExclusive@4 ; ViIrpDatabaseReleaseLockExclusive(x)

loc_A6B265:				; CODE XREF: VfIrpDatabaseEntryReleaseLock(x)+13j
		cmp	[esi+0Ch], ebx
		jnz	short loc_A6B2B3
		lea	ecx, [ebp+var_1]
		call	_ViIrpDatabaseAcquireLockExclusive@4 ; ViIrpDatabaseAcquireLockExclusive(x)
		cmp	[esi+0Ch], ebx
		jnz	short loc_A6B2AB
		lea	eax, [esi+18h]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		cmp	[ecx+4], eax
		jnz	short loc_A6B2D6
		cmp	[edx], eax
		jnz	short loc_A6B2D6
		mov	[edx], ecx
		mov	[ecx+4], edx
		mov	[eax+4], eax
		mov	[eax], eax
		cmp	[ecx], ecx
		jnz	short loc_A6B2AB
		sub	ecx, _ViIrpDatabase
		mov	eax, _ViIrpDatabaseAddressRanges
		sar	ecx, 3
		mov	[eax+ecx*8], ebx
		mov	[eax+ecx*8+4], ebx

loc_A6B2AB:				; CODE XREF: VfIrpDatabaseEntryReleaseLock(x)+5Fj
					; VfIrpDatabaseEntryReleaseLock(x)+7Ej
		mov	cl, byte ptr [ebp+var_1]
		call	_ViIrpDatabaseReleaseLockExclusive@4 ; ViIrpDatabaseReleaseLockExclusive(x)

loc_A6B2B3:				; CODE XREF: VfIrpDatabaseEntryReleaseLock(x)+52j
		test	ds:byte_70EFC6,	1
		lea	edi, [esi+18h]
		mov	al, [esi+8]
		mov	ebx, [edi]
		mov	[ebp+var_2], al
		lea	eax, [esi+4]
		jz	short loc_A6B2DB
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A6B2E0
; 

loc_A6B2D6:				; CODE XREF: VfIrpDatabaseEntryReleaseLock(x)+6Cj
					; VfIrpDatabaseEntryReleaseLock(x)+70j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A6B2DB:				; CODE XREF: VfIrpDatabaseEntryReleaseLock(x)+B2j
		xor	ecx, ecx
		lock and [eax],	ecx

loc_A6B2E0:				; CODE XREF: VfIrpDatabaseEntryReleaseLock(x)+BEj
		mov	cl, [ebp+var_2]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		cmp	ebx, edi
		jnz	short loc_A6B2FC
		or	dword ptr [esi+14h], 80000000h
		push	2
		push	dword ptr [esi]
		push	esi
		call	dword ptr [esi+20h]

loc_A6B2FC:				; CODE XREF: VfIrpDatabaseEntryReleaseLock(x)+D5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VfIrpDatabaseEntryReleaseLock@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfIrpDatabaseInit()
_VfIrpDatabaseInit@0 proc near		; CODE XREF: VfInitVerifierComponents(x,x,x):loc_A5A58Bp
		push	74546F49h
		push	1000h
		push	200h
		mov	_ViIrpDatabaseLock, 0
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_ViIrpDatabase,	eax
		test	eax, eax
		jz	short locret_A6B358
		mov	ecx, 100h

loc_A6B32D:				; CODE XREF: VfIrpDatabaseInit()+37j
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		sub	ecx, 1
		jnz	short loc_A6B32D
		push	800h		; size_t
		push	ecx		; int
		push	eax		; void *
		mov	_ViIrpDatabaseAddressRanges, eax
		call	_memset
		xor	eax, eax
		add	esp, 0Ch
		inc	eax
		mov	ecx, offset _VfIrpDatabaseInitialized
		xchg	eax, [ecx]

locret_A6B358:				; CODE XREF: VfIrpDatabaseInit()+25j
		retn
_VfIrpDatabaseInit@0 endp


;  S U B	R O U T	I N E 


; __stdcall ViIrpDatabaseFindPointer(x)
_ViIrpDatabaseFindPointer@4 proc near	; CODE XREF: VfIrpDatabaseCheckExFreePool(x)+43p
					; VfIrpDatabaseEntryFindAndLock(x)+44p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, esi
		mov	edx, esi
		shr	eax, 0Ch
		imul	eax, -7Dh
		push	edi
		movzx	edi, al
		lea	eax, [esi+70h]
		push	eax
		mov	eax, _ViIrpDatabaseAddressRanges
		lea	ecx, [eax+edi*8]
		call	_VfUtilAddressRangeFit@12 ; VfUtilAddressRangeFit(x,x,x)
		test	eax, eax
		jz	short loc_A6B398
		mov	eax, _ViIrpDatabase
		lea	ecx, [eax+edi*8]
		mov	eax, [ecx]
		jmp	short loc_A6B394
; 

loc_A6B38D:				; CODE XREF: ViIrpDatabaseFindPointer(x)+3Dj
		cmp	[eax-18h], esi
		jz	short loc_A6B39D
		mov	eax, [eax]

loc_A6B394:				; CODE XREF: ViIrpDatabaseFindPointer(x)+32j
		cmp	eax, ecx
		jnz	short loc_A6B38D

loc_A6B398:				; CODE XREF: ViIrpDatabaseFindPointer(x)+26j
		xor	eax, eax

loc_A6B39A:				; CODE XREF: ViIrpDatabaseFindPointer(x)+47j
		pop	edi
		pop	esi
		retn
; 

loc_A6B39D:				; CODE XREF: ViIrpDatabaseFindPointer(x)+37j
		add	eax, 0FFFFFFE8h
		jmp	short loc_A6B39A
_ViIrpDatabaseFindPointer@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfWdCheckForSettingsChange(x)
_VfWdCheckForSettingsChange@4 proc near	; CODE XREF: ViSettingsIoCheckForChanges(x)+39j
					; VfWdSetCancelTimeout(x)+3Ep
		cmp	_VfSafeMode, 0
		push	ebx
		mov	ebx, ecx
		jnz	short loc_A6B3FC
		push	esi
		xor	eax, eax
		mov	esi, offset _ViWdCancelling
		push	edi
		inc	eax
		xchg	eax, [esi]
		mov	edi, offset _ViWdIrpTimer
		push	edi
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		push	1
		push	offset _ViWdIrpTimerDpc
		call	KeRemoveQueueDpcEx
		xor	eax, eax
		xchg	eax, [esi]
		test	bl, 10h
		jz	short loc_A6B3FA
		cmp	_VfWdCancelTimeoutTicks, 0
		jz	short loc_A6B3FA
		push	0FFFFFFFFh
		push	0FF676980h
		push	offset _ViWdIrpTimerDpc
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	KiSetTimerEx

loc_A6B3FA:				; CODE XREF: VfWdCheckForSettingsChange(x)+36j
					; VfWdCheckForSettingsChange(x)+3Fj
		pop	edi
		pop	esi

loc_A6B3FC:				; CODE XREF: VfWdCheckForSettingsChange(x)+Aj
		pop	ebx
		retn
_VfWdCheckForSettingsChange@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfWdInit()
_VfWdInit@0	proc near		; CODE XREF: VfInitVerifierComponents(x,x,x):loc_A5A59Dp
		cmp	_VfSafeMode, 0
		jnz	short locret_A6B47A
		push	esi
		push	offset ExInitializeNPagedLookasideListInternal
		push	_VfInitializedWithoutReboot
		xor	esi, esi
		mov	eax, offset _VfWdIrpListHead
		push	10h
		push	64576656h
		push	14h
		push	200h
		push	offset _VfUtilFreePoolDispatchLevel@4 ;	VfUtilFreePoolDispatchLevel(x)
		push	esi
		push	offset _ViWdIrpLookasideList
		mov	ds:dword_AB0A5C, eax
		mov	ds:_VfWdIrpListHead, eax
		mov	ds:_VfWdIrpListLock, esi
		call	ds:_pXdvExInitializeNPagedLookasideList	; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
		push	esi
		push	offset _ViWdIrpTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	esi
		push	offset _ViWdIrpTimerDpcRoutine@16 ; ViWdIrpTimerDpcRoutine(x,x,x,x)
		push	offset _ViWdIrpTimerDpc
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	ecx, ds:_VfWdIrpTimeoutMsec
		call	_VfWdSetCancelTimeout@4	; VfWdSetCancelTimeout(x)
		xor	eax, eax
		mov	ecx, offset _ViWdInitialized
		inc	eax
		xchg	eax, [ecx]
		pop	esi

locret_A6B47A:				; CODE XREF: VfWdInit()+7j
		retn
_VfWdInit@0	endp


;  S U B	R O U T	I N E 


; __stdcall VfWdSetCancelTimeout(x)
_VfWdSetCancelTimeout@4	proc near	; CODE XREF: VfWdInit()+6Cp
					; VfSetVerifierInformationEx(x)+4Cp
		mov	edi, edi
		push	esi
		xor	esi, esi
		test	ecx, ecx
		jnz	short loc_A6B488
		mov	eax, esi
		jmp	short loc_A6B4A6
; 

loc_A6B488:				; CODE XREF: VfWdSetCancelTimeout(x)+7j
		cmp	ecx, 0EA60h
		jbe	short loc_A6B497
		mov	esi, 0C000000Dh
		jmp	short loc_A6B4BE
; 

loc_A6B497:				; CODE XREF: VfWdSetCancelTimeout(x)+13j
		lea	eax, [ecx+3E7h]
		xor	edx, edx
		mov	ecx, 3E8h
		div	ecx

loc_A6B4A6:				; CODE XREF: VfWdSetCancelTimeout(x)+Bj
		mov	_VfWdCancelTimeoutTicks, eax
		cmp	_ViVerifierDriverAddedThunkListHead, esi
		jz	short loc_A6B4BE
		mov	ecx, _MmVerifierData
		call	_VfWdCheckForSettingsChange@4 ;	VfWdCheckForSettingsChange(x)

loc_A6B4BE:				; CODE XREF: VfWdSetCancelTimeout(x)+1Aj
					; VfWdSetCancelTimeout(x)+36j
		mov	eax, esi
		pop	esi
		retn
_VfWdSetCancelTimeout@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViWdBeforeCallDriver(x, x, x)
_ViWdBeforeCallDriver@12 proc near	; CODE XREF: IovpCallDriver1(x)+3E1p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	esi, ecx
		cmp	dword ptr [edi], 0
		jnz	short loc_A6B50B
		cmp	byte ptr [esi+20h], 1
		jnz	short loc_A6B50B
		mov	ecx, edx
		call	_VfTargetDriversIsEnabled@4 ; VfTargetDriversIsEnabled(x)
		test	eax, eax
		jz	short loc_A6B50B
		cmp	ds:_ViWdInitialized, 0
		jz	short loc_A6B50B
		mov	ecx, offset _ViWdIrpLookasideList
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		test	eax, eax
		jz	short loc_A6B50B
		mov	[eax+8], esi
		mov	cl, [esi+23h]
		mov	[eax+11h], cl
		mov	byte ptr [eax+10h], 0
		mov	[edi], eax

loc_A6B50B:				; CODE XREF: ViWdBeforeCallDriver(x,x,x)+10j
					; ViWdBeforeCallDriver(x,x,x)+16j ...
		pop	edi
		pop	esi
		pop	ecx
		pop	ebp
		retn	4
_ViWdBeforeCallDriver@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViWdBeforeCancelIrp(x)
_ViWdBeforeCancelIrp@4 proc near	; CODE XREF: IovCancelIrp(x)+21p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, _VfWdCancelTimeoutTicks
		mov	esi, ecx
		test	edi, edi
		jz	short loc_A6B594
		inc	ds:_ViWdCancelIrpCount
		mov	ecx, offset _VfWdIrpListLock
		push	ebx
		mov	ebx, ds:_ViWdTickCount
		add	ebx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte ptr [esi+10h], 0
		jz	short loc_A6B562
		cmp	[esi+0Ch], ebx
		jbe	short loc_A6B570
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_A6B58A
		cmp	[eax], esi
		jnz	short loc_A6B58A
		mov	[eax], ecx
		mov	[ecx+4], eax
		dec	ds:_ViWdIrpListLength

loc_A6B562:				; CODE XREF: ViWdBeforeCancelIrp(x)+30j
		mov	ecx, esi
		mov	[esi+0Ch], ebx
		mov	[esi+12h], di
		call	_ViWdInsertSortIrp@4 ; ViWdInsertSortIrp(x)

loc_A6B570:				; CODE XREF: ViWdBeforeCancelIrp(x)+35j
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _VfWdIrpListLock
		pop	ebx
		jz	short loc_A6B58F
		mov	edx, [ebp+4]
		pop	edi
		pop	esi
		pop	ebp
		jmp	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
; 

loc_A6B58A:				; CODE XREF: ViWdBeforeCancelIrp(x)+3Fj
					; ViWdBeforeCancelIrp(x)+43j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A6B58F:				; CODE XREF: ViWdBeforeCancelIrp(x)+6Bj
		xor	eax, eax
		lock and [ecx],	eax

loc_A6B594:				; CODE XREF: ViWdBeforeCancelIrp(x)+11j
		pop	edi
		pop	esi
		pop	ebp
		retn
_ViWdBeforeCancelIrp@4 endp ; sp = -4


;  S U B	R O U T	I N E 


; __stdcall ViWdFlushIrpList()
_ViWdFlushIrpList@0 proc near		; CODE XREF: ViWdIrpTimerDpcRoutine(x,x,x,x)+33p
		mov	eax, ds:_VfWdIrpListHead
		mov	ecx, offset _VfWdIrpListHead
		jmp	short loc_A6B5AA
; 

loc_A6B5A4:				; CODE XREF: ViWdFlushIrpList()+14j
		mov	byte ptr [eax+10h], 0
		mov	eax, [eax]

loc_A6B5AA:				; CODE XREF: ViWdFlushIrpList()+Aj
		cmp	eax, ecx
		jnz	short loc_A6B5A4
		mov	ds:dword_AB0A5C, ecx
		mov	ds:_VfWdIrpListHead, ecx
		mov	ds:_ViWdIrpListLength, 0
		retn
_ViWdFlushIrpList@0 endp


;  S U B	R O U T	I N E 


; __stdcall ViWdInsertSortIrp(x)
_ViWdInsertSortIrp@4 proc near		; CODE XREF: ViWdBeforeCancelIrp(x)+59p
		mov	edx, ds:dword_AB0A5C
		push	esi
		mov	esi, offset _VfWdIrpListHead
		cmp	edx, esi
		jz	short loc_A6B5E4
		mov	eax, [ecx+0Ch]

loc_A6B5D8:				; CODE XREF: ViWdInsertSortIrp(x)+1Dj
		cmp	[edx+0Ch], eax
		jbe	short loc_A6B5E4
		mov	edx, [edx+4]
		cmp	edx, esi
		jnz	short loc_A6B5D8

loc_A6B5E4:				; CODE XREF: ViWdInsertSortIrp(x)+Ej
					; ViWdInsertSortIrp(x)+16j
		mov	[ecx+4], edx
		mov	eax, [edx]
		mov	[ecx], eax
		mov	eax, [edx]
		pop	esi
		mov	[eax+4], ecx
		mov	[edx], ecx
		mov	byte ptr [ecx+10h], 1
		inc	ds:_ViWdIrpListLength
		mov	eax, ds:_ViWdIrpListLengthMaximum
		cmp	ds:_ViWdIrpListLength, eax
		jle	short locret_A6B614
		mov	eax, ds:_ViWdIrpListLength
		mov	ds:_ViWdIrpListLengthMaximum, eax

locret_A6B614:				; CODE XREF: ViWdInsertSortIrp(x)+43j
		retn
_ViWdInsertSortIrp@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViWdIrpBeforeCompletionRoutine(x)
_ViWdIrpBeforeCompletionRoutine@4 proc near ; CODE XREF: IovpCompleteRequest2(x,x)+3Ep
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi]
		mov	eax, [esi+8]
		mov	al, [eax+23h]
		cmp	al, [esi+11h]
		jl	short loc_A6B68A
		push	ebx
		mov	ebx, offset _VfWdIrpListLock
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	byte ptr [esi+10h], 0
		jz	short loc_A6B65B
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_A6B670
		cmp	[eax], esi
		jnz	short loc_A6B670
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	byte ptr [esi+10h], 0
		dec	ds:_ViWdIrpListLength

loc_A6B65B:				; CODE XREF: ViWdIrpBeforeCompletionRoutine(x)+27j
		test	ds:byte_70EFC6,	1
		jz	short loc_A6B675
		mov	edx, [ebp+4]
		mov	ecx, ebx
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A6B67A
; 

loc_A6B670:				; CODE XREF: ViWdIrpBeforeCompletionRoutine(x)+31j
					; ViWdIrpBeforeCompletionRoutine(x)+35j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A6B675:				; CODE XREF: ViWdIrpBeforeCompletionRoutine(x)+4Dj
		xor	eax, eax
		lock and [ebx],	eax

loc_A6B67A:				; CODE XREF: ViWdIrpBeforeCompletionRoutine(x)+59j
		mov	edx, esi
		mov	ecx, offset _ViWdIrpLookasideList
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		and	dword ptr [edi], 0
		pop	ebx

loc_A6B68A:				; CODE XREF: ViWdIrpBeforeCompletionRoutine(x)+14j
		pop	edi
		pop	esi
		pop	ebp
		retn
_ViWdIrpBeforeCompletionRoutine@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViWdIrpTimedOut(x)
_ViWdIrpTimedOut@4 proc	near		; CODE XREF: ViWdIrpTimerDpcRoutine(x,x,x,x)+6Dp
		xor	edx, edx
		cmp	ds:_ViWdBreaksEnabled, edx
		jz	short locret_A6B702
		movzx	eax, word ptr [ecx+12h]
		imul	eax, 3E8h
		push	edi
		mov	edi, [ecx+8]
		cmp	_KdDebuggerEnabled, dl
		jz	short loc_A6B6E8
		cmp	_KdDebuggerNotPresent, dl
		jnz	short loc_A6B6E8
		push	esi
		push	edx
		mov	edx, 135h
		push	eax
		push	edi
		lea	ecx, [edx-71h]
		call	_VfErrorStoreTriageInformation@20 ; VfErrorStoreTriageInformation(x,x,x,x,x)
		push	edi		; char
		push	offset ??_C@_0CP@NKLEOPOO@Cancelled?5IRP?5?$CFp?5didn?8t?5complet@JKADOLAD@ ; char *
		mov	esi, eax
		call	_VfUtilDbgPrint
		pop	ecx
		pop	ecx
		nop
		int	3		; Trap to Debugger
		test	esi, esi
		pop	esi
		jz	short loc_A6B701
		xor	eax, eax
		mov	ecx, offset _VfErrorBugcheckDataReady
		xchg	eax, [ecx]
		pop	edi
		retn
; 

loc_A6B6E8:				; CODE XREF: ViWdIrpTimedOut(x)+1Ej
					; ViWdIrpTimedOut(x)+26j
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A6B701
		push	edx
		mov	edx, 135h
		push	eax
		push	edi
		lea	ecx, [edx-71h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6B701:				; CODE XREF: ViWdIrpTimedOut(x)+4Dj
					; ViWdIrpTimedOut(x)+61j
		pop	edi

locret_A6B702:				; CODE XREF: ViWdIrpTimedOut(x)+8j
		retn
_ViWdIrpTimedOut@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViWdIrpTimerDpcRoutine(x, x, x, x)
_ViWdIrpTimerDpcRoutine@16 proc	near	; DATA XREF: VfWdInit()+57o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		xor	ebx, ebx
		cmp	ds:_ViWdIrpListLength, ebx
		jz	loc_A6B79D
		push	esi
		push	edi
		mov	edi, ds:_ViWdTickCount
		mov	ecx, offset _VfWdIrpListLock
		lea	esi, [edi+1]
		mov	ds:_ViWdTickCount, esi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		cmp	esi, edi
		jnb	short loc_A6B755
		call	_ViWdFlushIrpList@0 ; ViWdFlushIrpList()

loc_A6B73B:				; CODE XREF: ViWdIrpTimerDpcRoutine(x,x,x,x)+58j
					; ViWdIrpTimerDpcRoutine(x,x,x,x)+69j ...
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _VfWdIrpListLock
		pop	edi
		pop	esi
		jz	short loc_A6B798
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A6B79D
; 

loc_A6B755:				; CODE XREF: ViWdIrpTimerDpcRoutine(x,x,x,x)+31j
		cmp	ds:_ViWdIrpListLength, ebx
		jz	short loc_A6B73B
		mov	esi, ds:_VfWdIrpListHead
		mov	eax, [esi+0Ch]
		cmp	eax, ds:_ViWdTickCount
		jnb	short loc_A6B73B
		mov	ecx, esi
		call	_ViWdIrpTimedOut@4 ; ViWdIrpTimedOut(x)
		mov	ecx, [esi]
		mov	eax, [esi+4]
		cmp	[ecx+4], esi
		jnz	short loc_A6B793
		cmp	[eax], esi
		jnz	short loc_A6B793
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	[esi+10h], bl
		dec	ds:_ViWdIrpListLength
		jmp	short loc_A6B73B
; 

loc_A6B793:				; CODE XREF: ViWdIrpTimerDpcRoutine(x,x,x,x)+7Aj
					; ViWdIrpTimerDpcRoutine(x,x,x,x)+7Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A6B798:				; CODE XREF: ViWdIrpTimerDpcRoutine(x,x,x,x)+46j
		xor	eax, eax
		lock and [ecx],	eax

loc_A6B79D:				; CODE XREF: ViWdIrpTimerDpcRoutine(x,x,x,x)+Ej
					; ViWdIrpTimerDpcRoutine(x,x,x,x)+50j
		cmp	ds:_ViWdCancelling, ebx
		jnz	short loc_A6B7BE
		push	0FFFFFFFFh
		push	0FF676980h
		push	offset _ViWdIrpTimerDpc
		push	ebx
		xor	edx, edx
		mov	ecx, offset _ViWdIrpTimer
		call	KiSetTimerEx

loc_A6B7BE:				; CODE XREF: ViWdIrpTimerDpcRoutine(x,x,x,x)+A0j
		pop	ebx
		pop	ebp
		retn	10h
_ViWdIrpTimerDpcRoutine@16 endp	; sp = -8


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExDeleteLookasideListEx(x)
_VerifierExDeleteLookasideListEx@4 proc	near ; DATA XREF: PAGEVRFD:00AAAE34o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_ViLookasideDelete@4 ; ViLookasideDelete(x)
		pop	ebp
		jmp	ds:_pXdvExDeleteLookasideListEx
_VerifierExDeleteLookasideListEx@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExDeleteNPagedLookasideList(x)
_VerifierExDeleteNPagedLookasideList@4 proc near ; DATA	XREF: PAGEVRFD:00AAAE04o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_ViLookasideDelete@4 ; ViLookasideDelete(x)
		pop	ebp
		jmp	ds:_pXdvExDeleteNPagedLookasideList
_VerifierExDeleteNPagedLookasideList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExDeletePagedLookasideList(x)
_VerifierExDeletePagedLookasideList@4 proc near	; DATA XREF: PAGEVRFD:00AAADECo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	_ViLookasideDelete@4 ; ViLookasideDelete(x)
		pop	ebp
		jmp	ds:_pXdvExDeletePagedLookasideList
_VerifierExDeletePagedLookasideList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExInitializeLookasideListEx(x, x, x, x, x, x, x, x)
_VerifierExInitializeLookasideListEx@32	proc near ; DATA XREF: PAGEVRFD:00AAAE1Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+4]
		push	ebx
		push	edi
		call	_VfTargetDriversIsEnabled@4 ; VfTargetDriversIsEnabled(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A6B851
		push	[ebp+arg_18]
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_C]
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)
		cmp	[ebp+arg_14], 4
		jnb	short loc_A6B846
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6B846
		push	4
		push	[ebp+arg_14]
		mov	edx, 0CDh
		push	[ebp+arg_0]
		lea	ecx, [edx-9]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6B846:				; CODE XREF: VerifierExInitializeLookasideListEx(x,x,x,x,x,x,x,x)+27j
					; VerifierExInitializeLookasideListEx(x,x,x,x,x,x,x,x)+30j
		mov	ecx, [ebp+arg_0]
		push	48h
		pop	edx
		call	_VfUtilSynchronizationObjectSanityChecks@8 ; VfUtilSynchronizationObjectSanityChecks(x,x)

loc_A6B851:				; CODE XREF: VerifierExInitializeLookasideListEx(x,x,x,x,x,x,x,x)+13j
		push	offset ExInitializeLookasideListExInternal
		push	edi
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvExInitializeLookasideListEx ; XdvExInitializeLookasideListExInternal(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A6B896
		test	edi, edi
		jnz	short loc_A6B88B
		cmp	_KernelVerifier, edi
		jnz	short loc_A6B88B
		xor	edx, edx
		jmp	short loc_A6B88E
; 

loc_A6B88B:				; CODE XREF: VerifierExInitializeLookasideListEx(x,x,x,x,x,x,x,x)+7Ej
					; VerifierExInitializeLookasideListEx(x,x,x,x,x,x,x,x)+86j
		xor	edx, edx
		inc	edx

loc_A6B88E:				; CODE XREF: VerifierExInitializeLookasideListEx(x,x,x,x,x,x,x,x)+8Aj
		mov	ecx, [ebp+arg_0]
		call	_ViLookasideTrackListEx@8 ; ViLookasideTrackListEx(x,x)

loc_A6B896:				; CODE XREF: VerifierExInitializeLookasideListEx(x,x,x,x,x,x,x,x)+7Aj
		pop	edi
		mov	eax, ebx
		pop	ebx
		pop	ebp
		retn	20h
_VerifierExInitializeLookasideListEx@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExInitializeNPagedLookasideList(x, x, x, x,	x, x, x)
_VerifierExInitializeNPagedLookasideList@28 proc near ;	DATA XREF: PAGEVRFD:00AAADD4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+4]
		push	ebx
		push	edi
		call	_VfTargetDriversIsEnabled@4 ; VfTargetDriversIsEnabled(x)
		mov	ebx, eax
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_A6B8F8
		push	[ebp+arg_14]
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_C]
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)
		cmp	[ebp+arg_10], 4
		jnb	short loc_A6B8E7
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6B8E7
		push	4
		push	[ebp+arg_10]
		mov	edx, 0CDh
		push	[ebp+arg_0]
		lea	ecx, [edx-9]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6B8E7:				; CODE XREF: VerifierExInitializeNPagedLookasideList(x,x,x,x,x,x,x)+29j
					; VerifierExInitializeNPagedLookasideList(x,x,x,x,x,x,x)+32j
		mov	ecx, [ebp+arg_0]
		mov	edx, 0C0h
		call	_VfUtilSynchronizationObjectSanityChecks@8 ; VfUtilSynchronizationObjectSanityChecks(x,x)
		mov	eax, edi
		jmp	short loc_A6B8FB
; 

loc_A6B8F8:				; CODE XREF: VerifierExInitializeNPagedLookasideList(x,x,x,x,x,x,x)+15j
		mov	eax, [ebp+arg_18]

loc_A6B8FB:				; CODE XREF: VerifierExInitializeNPagedLookasideList(x,x,x,x,x,x,x)+58j
		push	offset ExInitializeNPagedLookasideListInternal
		push	ebx
		push	eax
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvExInitializeNPagedLookasideList	; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
		test	ebx, ebx
		jnz	short loc_A6B926
		cmp	_KernelVerifier, edi
		jz	short loc_A6B929

loc_A6B926:				; CODE XREF: VerifierExInitializeNPagedLookasideList(x,x,x,x,x,x,x)+7Ej
		xor	edi, edi
		inc	edi

loc_A6B929:				; CODE XREF: VerifierExInitializeNPagedLookasideList(x,x,x,x,x,x,x)+86j
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		call	_ViLookasideTrackList@8	; ViLookasideTrackList(x,x)
		pop	edi
		pop	ebx
		pop	ebp
		retn	1Ch
_VerifierExInitializeNPagedLookasideList@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExInitializePagedLookasideList(x, x, x, x, x, x, x)
_VerifierExInitializePagedLookasideList@28 proc	near ; DATA XREF: PAGEVRFD:00AAADBCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+4]
		push	ebx
		push	edi
		call	_VfTargetDriversIsEnabled@4 ; VfTargetDriversIsEnabled(x)
		mov	ebx, eax
		xor	edi, edi
		test	ebx, ebx
		jz	short loc_A6B985
		cmp	[ebp+arg_10], 4
		jnb	short loc_A6B974
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6B974
		push	4
		push	[ebp+arg_10]
		mov	edx, 0CDh
		push	[ebp+arg_0]
		lea	ecx, [edx-9]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6B974:				; CODE XREF: VerifierExInitializePagedLookasideList(x,x,x,x,x,x,x)+1Bj
					; VerifierExInitializePagedLookasideList(x,x,x,x,x,x,x)+24j
		mov	ecx, [ebp+arg_0]
		mov	edx, 0C0h
		call	_VfUtilSynchronizationObjectSanityChecks@8 ; VfUtilSynchronizationObjectSanityChecks(x,x)
		mov	eax, edi
		jmp	short loc_A6B988
; 

loc_A6B985:				; CODE XREF: VerifierExInitializePagedLookasideList(x,x,x,x,x,x,x)+15j
		mov	eax, [ebp+arg_18]

loc_A6B988:				; CODE XREF: VerifierExInitializePagedLookasideList(x,x,x,x,x,x,x)+4Aj
		push	offset ExInitializePagedLookasideListInternal
		push	ebx
		push	eax
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvExInitializePagedLookasideList ; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
		test	ebx, ebx
		jnz	short loc_A6B9B3
		cmp	_KernelVerifier, edi
		jz	short loc_A6B9B6

loc_A6B9B3:				; CODE XREF: VerifierExInitializePagedLookasideList(x,x,x,x,x,x,x)+70j
		xor	edi, edi
		inc	edi

loc_A6B9B6:				; CODE XREF: VerifierExInitializePagedLookasideList(x,x,x,x,x,x,x)+78j
		mov	ecx, [ebp+arg_0]
		mov	edx, edi
		call	_ViLookasideTrackList@8	; ViLookasideTrackList(x,x)
		pop	edi
		pop	ebx
		pop	ebp
		retn	1Ch
_VerifierExInitializePagedLookasideList@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfCheckForLookaside(x, x)
_VfCheckForLookaside@8 proc near	; CODE XREF: ExpCheckForLookaside(x,x)+15p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		and	[esp+8+var_8], 0
		and	[esp+8+var_4], 0
		cmp	ds:_ViLookasideInitialized, 0
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		jnz	short loc_A6B9EC
		xor	eax, eax
		jmp	short loc_A6BA3C
; 

loc_A6B9EC:				; CODE XREF: VfCheckForLookaside(x,x)+20j
		call	_VfPoolIsInternalFree@0	; VfPoolIsInternalFree()
		test	eax, eax
		jnz	short loc_A6BA39
		xor	edx, edx
		lea	ecx, [esp+10h+var_8]
		inc	edx
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	esi
		mov	edx, ecx
		mov	ecx, offset _ViLookasideAvl
		push	edi
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A6BA30
		test	_MmVerifierData, 800h
		jz	short loc_A6BA30
		push	esi
		mov	edx, 0CCh
		push	edi
		push	dword ptr [eax]
		lea	ecx, [edx-8]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6BA30:				; CODE XREF: VfCheckForLookaside(x,x)+4Bj
					; VfCheckForLookaside(x,x)+57j
		lea	ecx, [esp+10h+var_8]
		call	VfAvlCleanupLockContext

loc_A6BA39:				; CODE XREF: VfCheckForLookaside(x,x)+2Dj
		xor	eax, eax
		inc	eax

loc_A6BA3C:				; CODE XREF: VfCheckForLookaside(x,x)+24j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_VfCheckForLookaside@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViLookasideAdd(x)
_ViLookasideAdd@4 proc near		; CODE XREF: ViLookasideTrackList(x,x):loc_A6BC0Bj
					; ViLookasideTrackListEx(x,x):loc_A6BC34j

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		mov	[esp+18h+var_8], esi
		mov	[esp+18h+var_4], esi
		cmp	ds:_ViLookasideInitialized, esi
		jz	loc_A6BB1C
		push	esi
		mov	edx, edi
		mov	ecx, offset _ViLookasideAvl
		call	VfAvlReserveNode
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A6BA88
		inc	eax
		mov	ecx, offset _ViLookasideAllocationFailures
		xchg	eax, [ecx]
		jmp	loc_A6BB1C
; 

loc_A6BA88:				; CODE XREF: ViLookasideAdd(x)+37j
		xor	edx, edx
		lea	ecx, [esp+18h+var_8]
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	esi
		mov	edx, ecx
		mov	ecx, offset _ViLookasideAvl
		push	edi
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A6BAE3
		cmp	ds:_ViLookasideAllocationFailures, esi
		jnz	short loc_A6BAD1
		cmp	ds:_ViLookasideAlreadyLoadedDrivers, esi
		jnz	short loc_A6BAD1
		test	_MmVerifierData, 800h
		jz	short loc_A6BAD1
		push	esi
		mov	edx, 0CAh
		push	esi
		push	edi
		lea	ecx, [edx-6]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6BAD1:				; CODE XREF: ViLookasideAdd(x)+69j
					; ViLookasideAdd(x)+71j ...
		push	esi
		push	edi
		lea	edx, [esp+20h+var_8]
		mov	ecx, offset _ViLookasideAvl
		call	VfAvlDeleteTreeNode
		mov	esi, eax

loc_A6BAE3:				; CODE XREF: ViLookasideAdd(x)+61j
		push	ebx
		lea	edx, [esp+1Ch+var_8]
		mov	ecx, offset _ViLookasideAvl
		call	_VfAvlInsertReservedTreeNode@12	; VfAvlInsertReservedTreeNode(x,x,x)
		lea	ecx, [esp+18h+var_8]
		call	VfAvlCleanupLockContext
		test	esi, esi
		jz	short loc_A6BB1C
		cmp	ds:dword_AAFFFC, 1
		jnz	short loc_A6BB16
		mov	edx, esi
		mov	ecx, offset _ViAvlNodeLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_A6BB1C
; 

loc_A6BB16:				; CODE XREF: ViLookasideAdd(x)+C4j
		push	esi
		call	_VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)

loc_A6BB1C:				; CODE XREF: ViLookasideAdd(x)+20j
					; ViLookasideAdd(x)+41j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_ViLookasideAdd@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViLookasideDelete(x)
_ViLookasideDelete@4 proc near		; CODE XREF: VerifierExDeleteLookasideListEx(x)+8p
					; VerifierExDeleteNPagedLookasideList(x)+8p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, ecx
		mov	[esp+18h+var_8], esi
		mov	[esp+18h+var_4], esi
		cmp	ds:_ViLookasideInitialized, esi
		jz	loc_A6BBCF
		xor	edx, edx
		lea	ecx, [esp+18h+var_8]
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	esi
		mov	edx, ecx
		mov	ebx, offset _ViLookasideAvl
		push	edi
		mov	ecx, ebx
		call	VfAvlLookupTreeNode
		test	eax, eax
		jnz	short loc_A6BB96
		cmp	ds:_ViLookasideAllocationFailures, esi
		jnz	short loc_A6BBA5
		cmp	ds:_ViLookasideAlreadyLoadedDrivers, esi
		jnz	short loc_A6BBA5
		test	_MmVerifierData, 800h
		jz	short loc_A6BBA5
		push	esi
		mov	edx, 0CBh
		push	esi
		push	edi
		lea	ecx, [edx-7]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)
		jmp	short loc_A6BBA5
; 

loc_A6BB96:				; CODE XREF: ViLookasideDelete(x)+43j
		push	esi
		push	edi
		lea	edx, [esp+20h+var_8]
		mov	ecx, ebx
		call	VfAvlDeleteTreeNode
		mov	esi, eax

loc_A6BBA5:				; CODE XREF: ViLookasideDelete(x)+4Bj
					; ViLookasideDelete(x)+53j ...
		lea	ecx, [esp+18h+var_8]
		call	VfAvlCleanupLockContext
		test	esi, esi
		jz	short loc_A6BBCF
		cmp	ds:dword_AAFFFC, 1
		jnz	short loc_A6BBC9
		mov	edx, esi
		mov	ecx, offset _ViAvlNodeLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_A6BBCF
; 

loc_A6BBC9:				; CODE XREF: ViLookasideDelete(x)+96j
		push	esi
		call	_VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)

loc_A6BBCF:				; CODE XREF: ViLookasideDelete(x)+20j
					; ViLookasideDelete(x)+8Dj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_ViLookasideDelete@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViLookasideTrackList(x, x)
_ViLookasideTrackList@8	proc near	; CODE XREF: VerifierExInitializeNPagedLookasideList(x,x,x,x,x,x,x)+90p
					; VerifierExInitializePagedLookasideList(x,x,x,x,x,x,x)+82p
		test	edx, edx
		jz	short loc_A6BC0B
		cmp	dword ptr [ecx+2Ch], offset _ExFreePool@4 ; ExFreePool(x)
		jnz	short loc_A6BC0B
		mov	eax, [ecx+28h]
		cmp	eax, offset _ExAllocatePoolWithTag@12 ;	ExAllocatePoolWithTag(x,x,x)
		jnz	short loc_A6BBF6
		mov	dword ptr [ecx+28h], offset _VerifierExAllocatePoolWithTag@12 ;	VerifierExAllocatePoolWithTag(x,x,x)
		jmp	short loc_A6BC04
; 

loc_A6BBF6:				; CODE XREF: ViLookasideTrackList(x,x)+15j
		cmp	eax, offset ExAllocatePoolWithQuotaTag
		jnz	short loc_A6BC0B
		mov	dword ptr [ecx+28h], offset _VerifierExAllocatePoolWithQuotaTag@12 ; VerifierExAllocatePoolWithQuotaTag(x,x,x)

loc_A6BC04:				; CODE XREF: ViLookasideTrackList(x,x)+1Ej
		mov	dword ptr [ecx+2Ch], offset _VerifierExFreePool@4 ; VerifierExFreePool(x)

loc_A6BC0B:				; CODE XREF: ViLookasideTrackList(x,x)+2j
					; ViLookasideTrackList(x,x)+Bj	...
		jmp	_ViLookasideAdd@4 ; ViLookasideAdd(x)
_ViLookasideTrackList@8	endp


;  S U B	R O U T	I N E 


; __stdcall ViLookasideTrackListEx(x, x)
_ViLookasideTrackListEx@8 proc near	; CODE XREF: VerifierExInitializeLookasideListEx(x,x,x,x,x,x,x,x)+92p
		test	edx, edx
		jz	short loc_A6BC34
		cmp	dword ptr [ecx+28h], offset _ExAllocatePoolEx@16 ; ExAllocatePoolEx(x,x,x,x)
		jnz	short loc_A6BC34
		cmp	dword ptr [ecx+2Ch], offset _ExFreePoolEx@8 ; ExFreePoolEx(x,x)
		jnz	short loc_A6BC34
		mov	dword ptr [ecx+28h], offset _VerifierExAllocatePoolEx@16 ; VerifierExAllocatePoolEx(x,x,x,x)
		mov	dword ptr [ecx+2Ch], offset _VerifierExFreePoolEx@8 ; VerifierExFreePoolEx(x,x)

loc_A6BC34:				; CODE XREF: ViLookasideTrackListEx(x,x)+2j
					; ViLookasideTrackListEx(x,x)+Bj ...
		jmp	_ViLookasideAdd@4 ; ViLookasideAdd(x)
_ViLookasideTrackListEx@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IovpSessionDataCreate(x, x,	x)
_IovpSessionDataCreate@12 proc near	; CODE XREF: IovpCallDriver1(x)+9Ep

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_0], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		jnz	short loc_A6BC53
		call	_IovUtilIsVerifiedDeviceStack@4	; IovUtilIsVerifiedDeviceStack(x)
		test	eax, eax
		jz	short loc_A6BC9F

loc_A6BC53:				; CODE XREF: IovpSessionDataCreate(x,x,x)+Fj
		mov	eax, [edi]
		mov	[ebp+var_4], eax
		mov	cl, [eax+22h]
		movsx	eax, cl
		imul	ebx, eax, 50h
		add	ebx, 78h
		cmp	cl, 14h
		jg	short loc_A6BC85
		cmp	ds:_ViSessionDataInitialized, 0
		jz	short loc_A6BC85
		mov	ecx, offset _ViSessionDataLookaside
		mov	[ebp+arg_0], 1
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		jmp	short loc_A6BC99
; 

loc_A6BC85:				; CODE XREF: IovpSessionDataCreate(x,x,x)+2Ej
					; IovpSessionDataCreate(x,x,x)+37j
		and	[ebp+arg_0], 0
		push	73707249h
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)

loc_A6BC99:				; CODE XREF: IovpSessionDataCreate(x,x,x)+4Aj
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A6BCA3

loc_A6BC9F:				; CODE XREF: IovpSessionDataCreate(x,x,x)+18j
		xor	eax, eax
		jmp	short loc_A6BD01
; 

loc_A6BCA3:				; CODE XREF: IovpSessionDataCreate(x,x,x)+64j
		push	ebx		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebp+arg_0], 0
		jz	short loc_A6BCB9
		or	dword ptr [esi+10h], 4

loc_A6BCB9:				; CODE XREF: IovpSessionDataCreate(x,x,x)+7Aj
		mov	eax, _MmVerifierData
		lea	ecx, [esi+8]
		mov	[esi+24h], eax
		lea	eax, [edi+2Ch]
		mov	[esi], edi
		mov	edx, [eax]
		cmp	[edx+4], eax
		jz	short loc_A6BCD5
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A6BCD5:				; CODE XREF: IovpSessionDataCreate(x,x,x)+95j
		mov	[ecx+4], eax
		mov	[ecx], edx
		mov	[edx+4], ecx
		mov	[eax], ecx
		mov	ecx, [ebp+var_4]
		mov	[edi+8Ch], esi
		mov	al, [ecx+23h]
		mov	[edi+6Ch], al
		mov	eax, [edi+24h]
		and	eax, 0FFFFFE2Fh
		or	eax, 1
		mov	[edi+24h], eax
		mov	eax, esi
		mov	[esi+20h], ecx

loc_A6BD01:				; CODE XREF: IovpSessionDataCreate(x,x,x)+68j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_IovpSessionDataCreate@12 endp


;  S U B	R O U T	I N E 


; __stdcall IovpSessionDataDereference(x)
_IovpSessionDataDereference@4 proc near	; CODE XREF: IovpCallDriver2(x,x)+1C1p
					; IovpCompleteRequest2(x,x)+209p ...
		sub	dword ptr [ecx+4], 1
		push	edi
		mov	edi, [ecx]
		jnz	short loc_A6BD4B
		lea	eax, [ecx+8]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_A6BD4D
		push	esi
		mov	esi, [eax+4]
		cmp	[esi], eax
		jnz	short loc_A6BD4D
		mov	[esi], edx
		mov	[edx+4], esi
		mov	[eax+4], eax
		mov	[eax], eax
		lock dec dword ptr [edi+0Ch]
		test	byte ptr [ecx+10h], 4
		pop	esi
		jz	short loc_A6BD45
		mov	edx, ecx
		mov	ecx, offset _ViSessionDataLookaside
		pop	edi
		jmp	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
; 

loc_A6BD45:				; CODE XREF: IovpSessionDataDereference(x)+2Ej
		push	ecx
		call	_VfUtilFreePoolDispatchLevel@4 ; VfUtilFreePoolDispatchLevel(x)

loc_A6BD4B:				; CODE XREF: IovpSessionDataDereference(x)+7j
		pop	edi
		retn
; 

loc_A6BD4D:				; CODE XREF: IovpSessionDataDereference(x)+11j
					; IovpSessionDataDereference(x)+19j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_IovpSessionDataDereference@4 endp	; AL = character to display


;  S U B	R O U T	I N E 


; __stdcall VfSessionDataInit()
_VfSessionDataInit@0 proc near		; CODE XREF: VfInitVerifierComponents(x,x,x)+8Bp
		push	offset ExInitializeNPagedLookasideListInternal
		push	_VfInitializedWithoutReboot
		push	10h
		push	73707249h
		push	6B8h
		push	200h
		push	offset _VfUtilFreePoolDispatchLevel@4 ;	VfUtilFreePoolDispatchLevel(x)
		push	0
		push	offset _ViSessionDataLookaside
		call	ds:_pXdvExInitializeNPagedLookasideList	; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
		xor	eax, eax
		mov	ecx, offset _ViSessionDataInitialized
		inc	eax
		xchg	eax, [ecx]
		retn
_VfSessionDataInit@0 endp


;  S U B	R O U T	I N E 


; __stdcall VfPacketAcquireLock(x)
_VfPacketAcquireLock@4 proc near	; CODE XREF: VfPendingMoreProcessingRequired(x,x,x,x,x)+57p
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		lea	ecx, [esi+4]
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	[esi+8], bl
		pop	esi
		pop	ebx
		retn
_VfPacketAcquireLock@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfPacketCreateAndLock(x)
_VfPacketCreateAndLock@4 proc near	; CODE XREF: IovpPacketFromIrp(x)+3Bp
					; VfIoAllocateIrp2(x,x,x)+Fp ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		mov	ecx, offset _ViPacketLookaside
		call	_ExAllocateFromNPagedLookasideList@4 ; ExAllocateFromNPagedLookasideList(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A6BE1F
		xor	ecx, ecx
		lea	eax, [esi+2Ch]
		mov	[esi+24h], ecx
		mov	[eax+4], eax
		mov	[eax], eax
		mov	al, [edi+22h]
		mov	[esi+40h], ecx
		mov	[esi+44h], cl
		mov	[esi+48h], ecx
		mov	[esi+6Ch], cx
		mov	[esi+6Eh], cl
		mov	[esi+70h], ecx
		mov	[esi+8Ch], ecx
		mov	[esi+38h], ecx
		mov	[esi+3Ch], ecx
		mov	[esi+74h], ecx
		mov	[esi+78h], ecx
		mov	[esi+7Ch], ecx
		mov	[esi+80h], ecx
		mov	[esi+90h], ecx
		mov	[esi+84h], ecx
		mov	ecx, edi
		mov	[esi+34h], al
		mov	eax, _MmVerifierData
		push	esi
		mov	[esi+88h], eax
		call	_VfIrpDatabaseEntryInsertAndLock@12 ; VfIrpDatabaseEntryInsertAndLock(x,x,x)
		mov	eax, esi

loc_A6BE1F:				; CODE XREF: VfPacketCreateAndLock(x)+14j
		pop	edi
		pop	esi
		retn
_VfPacketCreateAndLock@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViPacketFree(x)
_ViPacketFree@4	proc near		; CODE XREF: ViPacketNotificationCallback(x,x,x)+15p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	eax, [esi+84h]
		test	eax, eax
		jz	short loc_A6BE3C
		push	6D646C56h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A6BE3C:				; CODE XREF: ViPacketFree(x)+Dj
		mov	edx, esi
		mov	ecx, offset _ViPacketLookaside
		pop	esi
		jmp	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
_ViPacketFree@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViPacketNotificationCallback(x, x, x)
_ViPacketNotificationCallback@12 proc near
					; DATA XREF: VfIrpDatabaseEntryInsertAndLock(x,x,x)+2Fo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_8]
		sub	eax, 1
		jz	short loc_A6BE65
		sub	eax, 1
		jnz	short loc_A6BE73
		mov	ecx, [ebp+arg_0]
		call	_ViPacketFree@4	; ViPacketFree(x)
		jmp	short loc_A6BE73
; 

loc_A6BE65:				; CODE XREF: ViPacketNotificationCallback(x,x,x)+Bj
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_A6BE73
		and	dword ptr [eax+8], 3FFFFFFFh

loc_A6BE73:				; CODE XREF: ViPacketNotificationCallback(x,x,x)+10j
					; ViPacketNotificationCallback(x,x,x)+1Aj ...
		pop	ebp
		retn	0Ch
_ViPacketNotificationCallback@12 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExReleaseResourceAndLeaveCriticalRegion(x)
@VerifierExReleaseResourceAndLeaveCriticalRegion@4 proc	near ; DATA XREF: PAGEVRFD:00AA8958o
		mov	eax, _MmVerifierData
		push	esi
		mov	esi, ecx
		test	eax, 400000h
		jz	short loc_A6BE8D
		test	eax, 800h
		jz	short loc_A6BE92

loc_A6BE8D:				; CODE XREF: VerifierExReleaseResourceAndLeaveCriticalRegion(x)+Dj
		call	@ViResourceReleaseSanityChecks@4 ; ViResourceReleaseSanityChecks(x)

loc_A6BE92:				; CODE XREF: VerifierExReleaseResourceAndLeaveCriticalRegion(x)+14j
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvExReleaseResourceAndLeaveCriticalRegion
@VerifierExReleaseResourceAndLeaveCriticalRegion@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExReleaseResourceAndLeaveCriticalRegionNoReboot(x)
@VerifierExReleaseResourceAndLeaveCriticalRegionNoReboot@4 proc	near
					; DATA XREF: PAGEVRFD:00AA8968o
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	@ViResourceReleaseSanityChecks@4 ; ViResourceReleaseSanityChecks(x)
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvExReleaseResourceAndLeaveCriticalRegion
@VerifierExReleaseResourceAndLeaveCriticalRegionNoReboot@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExReleaseResourceAndLeavePriorityRegionNoReboot(x)
@VerifierExReleaseResourceAndLeavePriorityRegionNoReboot@4 proc	near
					; DATA XREF: PAGEVRFD:00AA8974o
					; PAGEVRFD:00AA8984o
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	@ViResourceReleaseSanityChecks@4 ; ViResourceReleaseSanityChecks(x)
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvExReleaseResourceAndLeavePriorityRegion
@VerifierExReleaseResourceAndLeavePriorityRegionNoReboot@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExReleaseResourceLiteNoReboot(x)
@VerifierExReleaseResourceLiteNoReboot@4 proc near ; DATA XREF:	PAGEVRFD:00AA893Co
					; PAGEVRFD:00AA894Co
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	@ViResourceReleaseSanityChecks@4 ; ViResourceReleaseSanityChecks(x)
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvExReleaseResourceLite
@VerifierExReleaseResourceLiteNoReboot@4 endp


;  S U B	R O U T	I N E 


; __fastcall ViResourceReleaseSanityChecks(x)
@ViResourceReleaseSanityChecks@4 proc near
					; CODE XREF: VerifierExReleaseResourceAndLeaveCriticalRegion(x):loc_A6BE8Dp
					; VerifierExReleaseResourceAndLeaveCriticalRegionNoReboot(x)+5p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 1
		jz	short loc_A6BF36
		mov	edx, large fs:124h
		test	dword ptr [edx+58h], 400h
		jnz	short loc_A6BF36
		mov	ecx, large fs:124h
		cmp	dword ptr [ecx+13Ch], 0
		jnz	short loc_A6BF36
		cmp	bl, 2
		jz	short loc_A6BF36
		test	_MmVerifierData, 800h
		jz	short loc_A6BF36
		mov	eax, large fs:124h
		mov	ecx, 0C4h
		push	esi
		push	dword ptr [eax+13Ch]
		movzx	eax, bl
		push	eax
		push	38h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6BF36:				; CODE XREF: ViResourceReleaseSanityChecks(x)+11j
					; ViResourceReleaseSanityChecks(x)+21j	...
		pop	esi
		pop	ebx
		retn
@ViResourceReleaseSanityChecks@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAcquireResourceExclusiveLite(x, x)
_VerifierExAcquireResourceExclusiveLite@8 proc near ; DATA XREF: PAGEVRFD:00AA885Co

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _MmVerifierData
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		shr	eax, 11h
		push	ebx
		and	eax, 1
		push	eax
		call	_ViResourceAcquireSanityChecks@12 ; ViResourceAcquireSanityChecks(x,x,x)
		push	dword ptr [ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvExAcquireResourceExclusiveLite
		mov	bl, al
		test	bl, bl
		jz	short loc_A6BF87
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		cmp	[ebp+arg_4], dl
		setz	dl
		push	edx
		mov	edx, large fs:124h
		push	edx
		push	8
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)

loc_A6BF87:				; CODE XREF: VerifierExAcquireResourceExclusiveLite(x,x)+2Dj
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
_VerifierExAcquireResourceExclusiveLite@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAcquireResourceExclusiveLiteNoReboot(x, x)
_VerifierExAcquireResourceExclusiveLiteNoReboot@8 proc near ; DATA XREF: PAGEVRFD:00AA886Co

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	_ViResourceAcquireSanityChecks@12 ; ViResourceAcquireSanityChecks(x,x,x)
		pop	ebp
		jmp	ds:_pXdvExAcquireResourceExclusiveLite
_VerifierExAcquireResourceExclusiveLiteNoReboot@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAcquireResourceSharedLite(x, x)
_VerifierExAcquireResourceSharedLite@8 proc near ; DATA	XREF: PAGEVRFD:00AA88B0o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _MmVerifierData
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		shr	eax, 11h
		push	ebx
		and	eax, 1
		push	eax
		call	_ViResourceAcquireSanityChecks@12 ; ViResourceAcquireSanityChecks(x,x,x)
		push	dword ptr [ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvExAcquireResourceSharedLite
		mov	bl, al
		test	bl, bl
		jz	short loc_A6BFF5
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		cmp	[ebp+arg_4], dl
		setz	dl
		push	edx
		mov	edx, large fs:124h
		push	edx
		push	8
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)

loc_A6BFF5:				; CODE XREF: VerifierExAcquireResourceSharedLite(x,x)+2Dj
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
_VerifierExAcquireResourceSharedLite@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAcquireResourceSharedLiteNoReboot(x, x)
_VerifierExAcquireResourceSharedLiteNoReboot@8 proc near ; DATA	XREF: PAGEVRFD:00AA88C0o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	_ViResourceAcquireSanityChecks@12 ; ViResourceAcquireSanityChecks(x,x,x)
		pop	ebp
		jmp	ds:_pXdvExAcquireResourceSharedLite
_VerifierExAcquireResourceSharedLiteNoReboot@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAcquireSharedStarveExclusive(x, x)
_VerifierExAcquireSharedStarveExclusive@8 proc near ; DATA XREF: PAGEVRFD:00AA8904o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _MmVerifierData
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		shr	eax, 11h
		push	ebx
		and	eax, 1
		push	eax
		call	_ViResourceAcquireSanityChecks@12 ; ViResourceAcquireSanityChecks(x,x,x)
		push	dword ptr [ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvExAcquireSharedStarveExclusive
		mov	bl, al
		test	bl, bl
		jz	short loc_A6C063
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		cmp	[ebp+arg_4], dl
		setz	dl
		push	edx
		mov	edx, large fs:124h
		push	edx
		push	8
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)

loc_A6C063:				; CODE XREF: VerifierExAcquireSharedStarveExclusive(x,x)+2Dj
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
_VerifierExAcquireSharedStarveExclusive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAcquireSharedStarveExclusiveNoReboot(x, x)
_VerifierExAcquireSharedStarveExclusiveNoReboot@8 proc near ; DATA XREF: PAGEVRFD:00AA8914o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	_ViResourceAcquireSanityChecks@12 ; ViResourceAcquireSanityChecks(x,x,x)
		pop	ebp
		jmp	ds:_pXdvExAcquireSharedStarveExclusive
_VerifierExAcquireSharedStarveExclusiveNoReboot@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAcquireSharedWaitForExclusive(x, x)
_VerifierExAcquireSharedWaitForExclusive@8 proc	near ; DATA XREF: PAGEVRFD:00AA8920o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _MmVerifierData
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		shr	eax, 11h
		push	ebx
		and	eax, 1
		push	eax
		call	_ViResourceAcquireSanityChecks@12 ; ViResourceAcquireSanityChecks(x,x,x)
		push	dword ptr [ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvExAcquireSharedWaitForExclusive
		mov	bl, al
		test	bl, bl
		jz	short loc_A6C0D1
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		xor	edx, edx
		cmp	[ebp+arg_4], dl
		setz	dl
		push	edx
		mov	edx, large fs:124h
		push	edx
		push	8
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)

loc_A6C0D1:				; CODE XREF: VerifierExAcquireSharedWaitForExclusive(x,x)+2Dj
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
_VerifierExAcquireSharedWaitForExclusive@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAcquireSharedWaitForExclusiveNoReboot(x, x)
_VerifierExAcquireSharedWaitForExclusiveNoReboot@8 proc	near ; DATA XREF: PAGEVRFD:00AA8930o

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	dl, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	0
		call	_ViResourceAcquireSanityChecks@12 ; ViResourceAcquireSanityChecks(x,x,x)
		pop	ebp
		jmp	ds:_pXdvExAcquireSharedWaitForExclusive
_VerifierExAcquireSharedWaitForExclusiveNoReboot@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExDeleteResourceLite(x)
_VerifierExDeleteResourceLite@4	proc near ; DATA XREF: PAGEVRFD:00AAAF3Co

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	[esp+18h+var_8], esi
		mov	[esp+18h+var_4], esi
		cmp	ds:_ViResourceInitialized, esi
		jz	loc_A6C1AD
		cmp	ds:dword_AAFFC4, esi
		jz	loc_A6C1AD
		xor	edx, edx
		lea	ecx, [esp+18h+var_8]
		mov	ebx, esi
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	esi
		mov	edx, ecx
		mov	ecx, offset _ViResourceAvl
		push	edi
		call	VfAvlLookupTreeNode
		test	eax, eax
		jnz	short loc_A6C171
		cmp	ds:_ViResourceNotTracked, esi
		jnz	short loc_A6C183
		cmp	ds:_ViResourcesAlreadyLoadedDrivers, esi
		jnz	short loc_A6C183
		test	_MmVerifierData, 800h
		jz	short loc_A6C183
		push	esi
		mov	edx, 0D1h
		push	esi
		push	edi
		lea	ecx, [edx-0Dh]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)
		jmp	short loc_A6C183
; 

loc_A6C171:				; CODE XREF: VerifierExDeleteResourceLite(x)+50j
		push	esi
		push	edi
		lea	edx, [esp+20h+var_8]
		mov	ecx, offset _ViResourceAvl
		call	VfAvlDeleteTreeNode
		mov	ebx, eax

loc_A6C183:				; CODE XREF: VerifierExDeleteResourceLite(x)+58j
					; VerifierExDeleteResourceLite(x)+60j ...
		lea	ecx, [esp+18h+var_8]
		call	VfAvlCleanupLockContext
		test	ebx, ebx
		jz	short loc_A6C1AD
		cmp	ds:dword_AAFFD4, 1
		jnz	short loc_A6C1A7
		mov	edx, ebx
		mov	ecx, offset _ViAvlNodeLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_A6C1AD
; 

loc_A6C1A7:				; CODE XREF: VerifierExDeleteResourceLite(x)+A6j
		push	ebx
		call	_VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)

loc_A6C1AD:				; CODE XREF: VerifierExDeleteResourceLite(x)+21j
					; VerifierExDeleteResourceLite(x)+2Dj ...
		push	edi
		call	ds:_pXdvExDeleteResourceLite
		test	_MmVerifierData, 800h
		mov	edx, eax
		jz	short loc_A6C1E4
		test	edx, edx
		js	short loc_A6C1E4
		lea	ecx, [edi+38h]
		cmp	ecx, edi
		sbb	ecx, ecx
		and	ecx, 0FFFFFFF2h
		add	ecx, 0Eh
		jz	short loc_A6C1E4

loc_A6C1D5:				; CODE XREF: VerifierExDeleteResourceLite(x)+F1j
		mov	eax, ds:_MmBadPointer
		inc	esi
		mov	[edi], eax
		lea	edi, [edi+4]
		cmp	esi, ecx
		jb	short loc_A6C1D5

loc_A6C1E4:				; CODE XREF: VerifierExDeleteResourceLite(x)+CFj
					; VerifierExDeleteResourceLite(x)+D3j ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_VerifierExDeleteResourceLite@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExEnterCriticalRegionAndAcquireResourceExclusive(x)
_VerifierExEnterCriticalRegionAndAcquireResourceExclusive@4 proc near
					; DATA XREF: PAGEVRFD:00AA8878o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_0]
		call	ds:_pXdvExEnterCriticalRegionAndAcquireResourceExclusive
		test	_MmVerifierData, 400000h
		mov	esi, eax
		jz	short loc_A6C215
		cmp	ds:_ViDeadlockDetectionEnabled,	0
		jz	short loc_A6C22C

loc_A6C215:				; CODE XREF: VerifierExEnterCriticalRegionAndAcquireResourceExclusive(x)+1Bj
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_0]
		push	0
		push	eax
		push	8
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)

loc_A6C22C:				; CODE XREF: VerifierExEnterCriticalRegionAndAcquireResourceExclusive(x)+24j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_VerifierExEnterCriticalRegionAndAcquireResourceExclusive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExEnterCriticalRegionAndAcquireResourceExclusiveNoReboot(x)
_VerifierExEnterCriticalRegionAndAcquireResourceExclusiveNoReboot@4 proc near
					; DATA XREF: PAGEVRFD:00AA8888o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExEnterCriticalRegionAndAcquireResourceExclusive
_VerifierExEnterCriticalRegionAndAcquireResourceExclusiveNoReboot@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExEnterCriticalRegionAndAcquireResourceShared(x)
_VerifierExEnterCriticalRegionAndAcquireResourceShared@4 proc near
					; DATA XREF: PAGEVRFD:00AA88CCo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_0]
		call	ds:_pXdvExEnterCriticalRegionAndAcquireResourceShared
		test	_MmVerifierData, 400000h
		mov	esi, eax
		jz	short loc_A6C265
		cmp	ds:_ViDeadlockDetectionEnabled,	0
		jz	short loc_A6C27C

loc_A6C265:				; CODE XREF: VerifierExEnterCriticalRegionAndAcquireResourceShared(x)+1Bj
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		mov	ecx, [ebp+arg_0]
		push	0
		push	eax
		push	8
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)

loc_A6C27C:				; CODE XREF: VerifierExEnterCriticalRegionAndAcquireResourceShared(x)+24j
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_VerifierExEnterCriticalRegionAndAcquireResourceShared@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExEnterCriticalRegionAndAcquireResourceSharedNoReboot(x)
_VerifierExEnterCriticalRegionAndAcquireResourceSharedNoReboot@4 proc near
					; DATA XREF: PAGEVRFD:00AA88DCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExEnterCriticalRegionAndAcquireResourceShared
_VerifierExEnterCriticalRegionAndAcquireResourceSharedNoReboot@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExEnterPriorityRegionAndAcquireResourceExclusive(x)
_VerifierExEnterPriorityRegionAndAcquireResourceExclusive@4 proc near
					; DATA XREF: PAGEVRFD:00AA8894o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_0]
		call	ds:_pXdvExEnterPriorityRegionAndAcquireResourceExclusive
		push	dword ptr [ebp+4]
		mov	edx, large fs:124h
		mov	esi, eax
		mov	ecx, [ebp+arg_0]
		push	0
		push	edx
		push	8
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_VerifierExEnterPriorityRegionAndAcquireResourceExclusive@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExEnterPriorityRegionAndAcquireResourceExclusiveNoReboot(x)
_VerifierExEnterPriorityRegionAndAcquireResourceExclusiveNoReboot@4 proc near
					; DATA XREF: PAGEVRFD:00AA88A4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExEnterPriorityRegionAndAcquireResourceExclusive
_VerifierExEnterPriorityRegionAndAcquireResourceExclusiveNoReboot@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExEnterPriorityRegionAndAcquireResourceShared(x)
_VerifierExEnterPriorityRegionAndAcquireResourceShared@4 proc near
					; DATA XREF: PAGEVRFD:00AA88E8o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	[ebp+arg_0]
		call	ds:_pXdvExEnterPriorityRegionAndAcquireResourceShared
		push	dword ptr [ebp+4]
		mov	edx, large fs:124h
		mov	esi, eax
		mov	ecx, [ebp+arg_0]
		push	0
		push	edx
		push	8
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_VerifierExEnterPriorityRegionAndAcquireResourceShared@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExEnterPriorityRegionAndAcquireResourceSharedNoReboot(x)
_VerifierExEnterPriorityRegionAndAcquireResourceSharedNoReboot@4 proc near
					; DATA XREF: PAGEVRFD:00AA88F8o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvExEnterPriorityRegionAndAcquireResourceShared
_VerifierExEnterPriorityRegionAndAcquireResourceSharedNoReboot@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExInitializeResourceLite(x)
_VerifierExInitializeResourceLite@4 proc near ;	DATA XREF: PAGEVRFD:00AAAF24o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		xor	esi, esi
		push	38h
		pop	edx
		mov	ecx, edi
		mov	[esp+18h+var_8], esi
		mov	[esp+18h+var_4], esi
		call	_VfUtilSynchronizationObjectSanityChecks@8 ; VfUtilSynchronizationObjectSanityChecks(x,x)
		push	edi
		call	ds:_pXdvExInitializeResourceLite
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A6C41D
		test	_MmVerifierData, 800h
		jnz	short loc_A6C366
		mov	ecx, ds:_ViResourceNotTracked
		test	ecx, ecx
		jnz	loc_A6C41D

loc_A6C357:				; CODE XREF: VerifierExInitializeResourceLite(x)+7Ej
		xor	eax, eax
		mov	ecx, offset _ViResourceNotTracked
		inc	eax
		xchg	eax, [ecx]
		jmp	loc_A6C41D
; 

loc_A6C366:				; CODE XREF: VerifierExInitializeResourceLite(x)+40j
		cmp	ds:_ViResourceInitialized, esi
		jz	loc_A6C41D
		push	esi
		mov	edx, edi
		mov	ecx, offset _ViResourceAvl
		call	VfAvlReserveNode
		mov	[esp+1Ch+var_10], eax
		test	eax, eax
		jz	short loc_A6C357
		xor	edx, edx
		lea	ecx, [esp+1Ch+var_C]
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	esi
		mov	edx, ecx
		mov	ecx, offset _ViResourceAvl
		push	edi
		call	VfAvlLookupTreeNode
		test	eax, eax
		jz	short loc_A6C3E1
		cmp	ds:_ViResourcesAlreadyLoadedDrivers, esi
		jnz	short loc_A6C3C8
		test	_MmVerifierData, 800h
		jz	short loc_A6C3C8
		push	esi
		mov	edx, 0D0h
		push	esi
		push	edi
		lea	ecx, [edx-0Ch]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6C3C8:				; CODE XREF: VerifierExInitializeResourceLite(x)+A3j
					; VerifierExInitializeResourceLite(x)+AFj
		lock inc ds:_ViResourceStaleNodes
		push	esi
		push	edi
		lea	edx, [esp+24h+var_C]
		mov	ecx, offset _ViResourceAvl
		call	VfAvlDeleteTreeNode
		mov	esi, eax

loc_A6C3E1:				; CODE XREF: VerifierExInitializeResourceLite(x)+9Bj
		push	[esp+1Ch+var_10]
		lea	edx, [esp+20h+var_C]
		mov	ecx, offset _ViResourceAvl
		call	_VfAvlInsertReservedTreeNode@12	; VfAvlInsertReservedTreeNode(x,x,x)
		lea	ecx, [esp+1Ch+var_C]
		call	VfAvlCleanupLockContext
		test	esi, esi
		jz	short loc_A6C41D
		cmp	ds:dword_AAFFD4, 1
		jnz	short loc_A6C417
		mov	edx, esi
		mov	ecx, offset _ViAvlNodeLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)
		jmp	short loc_A6C41D
; 

loc_A6C417:				; CODE XREF: VerifierExInitializeResourceLite(x)+100j
		push	esi
		call	_VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)

loc_A6C41D:				; CODE XREF: VerifierExInitializeResourceLite(x)+30j
					; VerifierExInitializeResourceLite(x)+4Aj ...
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
_VerifierExInitializeResourceLite@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExReleaseResourceForThreadLite(x, x)
_VerifierExReleaseResourceForThreadLite@8 proc near ; DATA XREF: PAGEVRFD:00AA8990o
					; PAGEVRFD:00AA89A0o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		call	@ViResourceReleaseSanityChecks@4 ; ViResourceReleaseSanityChecks(x)
		pop	ebp
		jmp	ds:_pXdvExReleaseResourceForThreadLite
_VerifierExReleaseResourceForThreadLite@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfCheckForResource(x, x)
_VfCheckForResource@8 proc near		; CODE XREF: ExpCheckForResource(x,x)+29p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	edx, edx
		mov	[esp+18h+var_8], edx
		mov	[esp+18h+var_4], edx
		cmp	ds:_ViResourceInitialized, edx
		jz	loc_A6C523
		call	_VfPoolIsInternalFree@0	; VfPoolIsInternalFree()
		test	eax, eax
		jnz	loc_A6C534
		cmp	ds:dword_AAFFC4, edx
		jz	loc_A6C534
		mov	[esp+18h+var_C], edx
		lea	ecx, [esp+18h+var_8]
		inc	edx
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	edi
		mov	edx, ecx
		mov	ecx, offset _ViResourceAvl
		push	ebx
		call	VfAvlLookupTreeNode
		mov	esi, eax
		test	esi, esi
		jz	short loc_A6C4CB
		cmp	ds:_ViResourcesAlreadyLoadedDrivers, 0
		jnz	short loc_A6C4C5
		test	_MmVerifierData, 800h
		jz	short loc_A6C4C5
		push	edi
		mov	edx, 0D2h
		push	ebx
		push	dword ptr [esi]
		lea	ecx, [edx-0Eh]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6C4C5:				; CODE XREF: VfCheckForResource(x,x)+6Aj
					; VfCheckForResource(x,x)+76j
		mov	eax, [esi]
		mov	[esp+18h+var_C], eax

loc_A6C4CB:				; CODE XREF: VfCheckForResource(x,x)+61j
		lea	ecx, [esp+18h+var_8]
		call	VfAvlCleanupLockContext
		cmp	[esp+18h+var_C], 0
		jz	short loc_A6C534
		lock inc ds:_ViResourceStaleNodes
		xor	edx, edx
		lea	ecx, [esp+18h+var_8]
		call	_VfAvlInitializeLockContext@8 ;	VfAvlInitializeLockContext(x,x)
		push	edx
		lea	eax, [esp+1Ch+var_C]
		mov	edx, ecx
		push	eax
		mov	ecx, offset _ViResourceAvl
		call	VfAvlDeleteTreeNode
		lea	ecx, [esp+18h+var_8]
		mov	esi, eax
		call	VfAvlCleanupLockContext
		test	esi, esi
		jz	short loc_A6C523
		cmp	ds:dword_AAFFD4, 1
		jnz	short loc_A6C52C
		mov	edx, esi
		mov	ecx, offset _ViAvlNodeLookaside
		call	_ExFreeToNPagedLookasideList@8 ; ExFreeToNPagedLookasideList(x,x)

loc_A6C523:				; CODE XREF: VfCheckForResource(x,x)+22j
					; VfCheckForResource(x,x)+D0j ...
		xor	eax, eax

loc_A6C525:				; CODE XREF: VfCheckForResource(x,x)+FBj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A6C52C:				; CODE XREF: VfCheckForResource(x,x)+D9j
		push	esi
		call	_VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)
		jmp	short loc_A6C523
; 

loc_A6C534:				; CODE XREF: VfCheckForResource(x,x)+2Fj
					; VfCheckForResource(x,x)+3Bj ...
		xor	eax, eax
		inc	eax
		jmp	short loc_A6C525
_VfCheckForResource@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViResourceAcquireSanityChecks(x, x,	x)
_ViResourceAcquireSanityChecks@12 proc near
					; CODE XREF: VerifierExAcquireResourceExclusiveLite(x,x)+18p
					; VerifierExAcquireResourceExclusiveLiteNoReboot(x,x)+Dp ...

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_1], dl
		push	edi
		mov	edi, 800h
		test	bl, 3
		jz	short loc_A6C56A
		test	_MmVerifierData, edi
		jz	short loc_A6C56A
		push	ebx
		push	0
		push	0
		push	3Dh
		pop	edx
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6C56A:				; CODE XREF: ViResourceAcquireSanityChecks(x,x,x)+15j
					; ViResourceAcquireSanityChecks(x,x,x)+1Dj
		cmp	[ebp+arg_0], 0
		jnz	short loc_A6C5CE
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	dl, al
		cmp	dl, 1
		jz	short loc_A6C5CE
		mov	ecx, large fs:124h
		test	dword ptr [ecx+58h], 400h
		jnz	short loc_A6C5CE
		mov	ecx, large fs:124h
		cmp	dword ptr [ecx+13Ch], 0
		jnz	short loc_A6C5CE
		cmp	dl, 2
		jnz	short loc_A6C5A8
		cmp	[ebp+var_1], 0
		jz	short loc_A6C5CE

loc_A6C5A8:				; CODE XREF: ViResourceAcquireSanityChecks(x,x,x)+67j
		test	_MmVerifierData, edi
		jz	short loc_A6C5CE
		mov	eax, large fs:124h
		mov	ecx, 0C4h
		push	ebx
		push	dword ptr [eax+13Ch]
		movzx	eax, dl
		push	eax
		push	37h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6C5CE:				; CODE XREF: ViResourceAcquireSanityChecks(x,x,x)+35j
					; ViResourceAcquireSanityChecks(x,x,x)+42j ...
		pop	edi
		pop	ebx
		leave
		retn	4
_ViResourceAcquireSanityChecks@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfPnpAdvanceIrpStatus(x, x, x)
@VfPnpAdvanceIrpStatus@12 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+130o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	edx, 100h
		jb	short loc_A6C5E5
		xor	eax, eax
		jmp	short loc_A6C5F9
; 

loc_A6C5E5:				; CODE XREF: VfPnpAdvanceIrpStatus(x,x,x)+Bj
		mov	ecx, [ebp+arg_0]
		inc	dword ptr [ecx]
		mov	eax, [ecx]
		cmp	eax, 103h
		jnz	short loc_A6C5F6
		inc	eax
		mov	[ecx], eax

loc_A6C5F6:				; CODE XREF: VfPnpAdvanceIrpStatus(x,x,x)+1Dj
		xor	eax, eax
		inc	eax

loc_A6C5F9:				; CODE XREF: VfPnpAdvanceIrpStatus(x,x,x)+Fj
		pop	ebp
		retn	4
@VfPnpAdvanceIrpStatus@12 endp


;  S U B	R O U T	I N E 


; __fastcall VfPnpDumpIrpStack(x)
@VfPnpDumpIrpStack@4 proc near		; DATA XREF: VfInitVerifierComponents(x,x,x)+11Fo
		mov	edi, edi
		push	ebx
		push	esi
		push	edi		; char
		push	offset ??_C@_0M@JGJFFIIL@IRP_MJ_PNP?4@JKADOLAD@	; char *
		xor	ebx, ebx
		mov	edi, ecx
		push	ebx		; int
		push	5Dh		; int
		call	_DbgPrintEx
		mov	al, [edi+1]
		add	esp, 0Ch
		mov	esi, (offset loc_A58306+2)
		cmp	al, 18h
		ja	short loc_A6C62E
		movzx	eax, al
		mov	eax, ds:_PnPIrpNames[eax*4]
		jmp	short loc_A6C639
; 

loc_A6C62E:				; CODE XREF: VfPnpDumpIrpStack(x)+23j
		cmp	al, 0FFh
		mov	eax, offset ??_C@_0N@IJDEKNCK@IRP_MN_BOGUS@JKADOLAD@
		jz	short loc_A6C639
		mov	eax, esi

loc_A6C639:				; CODE XREF: VfPnpDumpIrpStack(x)+2Fj
					; VfPnpDumpIrpStack(x)+38j
		push	eax		; char *
		call	_VfUtilDbgPrint
		mov	al, [edi+1]
		pop	ecx
		cmp	al, 7
		jz	loc_A6C742
		cmp	al, 0Ch
		jz	loc_A6C728
		cmp	al, 0Eh
		jbe	loc_A6C784
		cmp	al, 10h
		jbe	loc_A6C70A
		cmp	al, 12h
		jz	loc_A6C6F9
		cmp	al, 13h
		jz	short loc_A6C6C3
		cmp	al, 16h
		jnz	loc_A6C784
		mov	eax, [edi+8]
		sub	eax, ebx
		jz	short loc_A6C6A2
		sub	eax, 1
		jz	short loc_A6C69B
		sub	eax, 1
		jz	short loc_A6C694
		sub	eax, 1
		jnz	short loc_A6C6A7
		mov	esi, offset ??_C@_0BJ@DKELLOBA@?$CIDeviceUsageTypeDumpFile@JKADOLAD@
		jmp	short loc_A6C6A7
; 

loc_A6C694:				; CODE XREF: VfPnpDumpIrpStack(x)+89j
		mov	esi, (offset loc_A583EF+5)
		jmp	short loc_A6C6A7
; 

loc_A6C69B:				; CODE XREF: VfPnpDumpIrpStack(x)+84j
		mov	esi, (offset loc_A5845D+1)
		jmp	short loc_A6C6A7
; 

loc_A6C6A2:				; CODE XREF: VfPnpDumpIrpStack(x)+7Fj
		mov	esi, (offset loc_A58470+6)

loc_A6C6A7:				; CODE XREF: VfPnpDumpIrpStack(x)+8Ej
					; VfPnpDumpIrpStack(x)+95j ...
		push	esi		; char *
		call	_VfUtilDbgPrint
		mov	eax, offset ??_C@_0P@OJGFJBNK@?0?5InPath?$DNTRUE?$CJ@JKADOLAD@
		pop	ecx
		cmp	[edi+4], bl
		jnz	short loc_A6C6BD
		mov	eax, (offset loc_A5840C+4)

loc_A6C6BD:				; CODE XREF: VfPnpDumpIrpStack(x)+B9j
					; VfPnpDumpIrpStack(x)+104j ...
		push	eax
		jmp	loc_A6C77E
; 

loc_A6C6C3:				; CODE XREF: VfPnpDumpIrpStack(x)+70j
		mov	eax, [edi+4]
		sub	eax, ebx
		jz	short loc_A6C6EE
		sub	eax, 1
		jz	short loc_A6C6E7
		sub	eax, 1
		jz	short loc_A6C6E0
		sub	eax, 1
		jnz	short loc_A6C6F3
		mov	esi, offset ??_C@_0BF@GLOACFMG@?$CIBusQueryInstanceID?$CJ@JKADOLAD@
		jmp	short loc_A6C6F3
; 

loc_A6C6E0:				; CODE XREF: VfPnpDumpIrpStack(x)+D5j
		mov	esi, offset ??_C@_0BI@LJLHGLI@?$CIBusQueryCompatibleIDs?$CJ@JKADOLAD@
		jmp	short loc_A6C6F3
; 

loc_A6C6E7:				; CODE XREF: VfPnpDumpIrpStack(x)+D0j
		mov	esi, offset ??_C@_0BG@NJHABFNM@?$CIBusQueryHardwareIDs?$CJ@JKADOLAD@
		jmp	short loc_A6C6F3
; 

loc_A6C6EE:				; CODE XREF: VfPnpDumpIrpStack(x)+CBj
		mov	esi, (offset loc_A58343+1)

loc_A6C6F3:				; CODE XREF: VfPnpDumpIrpStack(x)+DAj
					; VfPnpDumpIrpStack(x)+E1j ...
		push	esi
		jmp	loc_A6C77E
; 

loc_A6C6F9:				; CODE XREF: VfPnpDumpIrpStack(x)+68j
		mov	eax, offset ??_C@_06NMHHGILK@?$CITrue?$CJ@JKADOLAD@
		cmp	[edi+4], bl
		jnz	short loc_A6C6BD
		mov	eax, offset ??_C@_07HLCPMGNH@?$CIFalse?$CJ@JKADOLAD@
		jmp	short loc_A6C6BD
; 

loc_A6C70A:				; CODE XREF: VfPnpDumpIrpStack(x)+60j
		push	dword ptr [edi+10h]
		push	dword ptr [edi+0Ch]
		push	dword ptr [edi+8]
		push	dword ptr [edi+4] ; char
		push	offset ??_C@_0DB@BFCAKHEG@?$CIWhichSpace?$DN?$CFx?0?5Buffer?$DN?$CFp?0?5Offs@JKADOLAD@ ; char *
		push	ebx		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 1Ch
		jmp	short loc_A6C784
; 

loc_A6C728:				; CODE XREF: VfPnpDumpIrpStack(x)+50j
		mov	eax, [edi+4]
		sub	eax, ebx
		jz	short loc_A6C73B
		sub	eax, 1
		jnz	short loc_A6C6F3
		mov	esi, offset ??_C@_0CA@CFIKFPAL@?$CIDeviceTextLocationInformation?$CJ@JKADOLAD@
		jmp	short loc_A6C6F3
; 

loc_A6C73B:				; CODE XREF: VfPnpDumpIrpStack(x)+130j
		mov	esi, offset ??_C@_0BI@PCAOFACF@?$CIDeviceTextDescription?$CJ@JKADOLAD@
		jmp	short loc_A6C6F3
; 

loc_A6C742:				; CODE XREF: VfPnpDumpIrpStack(x)+48j
		mov	eax, [edi+4]
		sub	eax, ebx
		jz	short loc_A6C779
		sub	eax, 1
		jz	short loc_A6C772
		sub	eax, 1
		jz	short loc_A6C76B
		sub	eax, 1
		jz	short loc_A6C764
		sub	eax, 1
		jnz	short loc_A6C6F3
		push	(offset	loc_A5836B+5)
		jmp	short loc_A6C77E
; 

loc_A6C764:				; CODE XREF: VfPnpDumpIrpStack(x)+159j
		push	offset ??_C@_0BD@ICPCMINJ@?$CIRemovalRelations?$CJ@JKADOLAD@
		jmp	short loc_A6C77E
; 

loc_A6C76B:				; CODE XREF: VfPnpDumpIrpStack(x)+154j
		push	offset ??_C@_0BB@CAPPKIDP@?$CIPowerRelations?$CJ@JKADOLAD@
		jmp	short loc_A6C77E
; 

loc_A6C772:				; CODE XREF: VfPnpDumpIrpStack(x)+14Fj
		push	offset ??_C@_0BE@HEPEIJAK@?$CIEjectionRelations?$CJ@JKADOLAD@
		jmp	short loc_A6C77E
; 

loc_A6C779:				; CODE XREF: VfPnpDumpIrpStack(x)+14Aj
		push	(offset	loc_A582C5+1) ;	char *

loc_A6C77E:				; CODE XREF: VfPnpDumpIrpStack(x)+C1j
					; VfPnpDumpIrpStack(x)+F7j ...
		call	_VfUtilDbgPrint
		pop	ecx

loc_A6C784:				; CODE XREF: VfPnpDumpIrpStack(x)+58j
					; VfPnpDumpIrpStack(x)+74j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
@VfPnpDumpIrpStack@4 endp


;  S U B	R O U T	I N E 


; __fastcall VfPnpIsSystemRestrictedIrp(x)
@VfPnpIsSystemRestrictedIrp@4 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+135o
		movzx	eax, byte ptr [ecx+1]
		cmp	eax, 18h
		ja	short loc_A6C7B5
		movzx	eax, ds:byte_A6C7E4[eax]
		jmp	ds:off_A6C7D0[eax*4]

loc_A6C79F:				; DATA XREF: PAGEVRFY:00A6C7D4o
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_A6C7B5
		cmp	eax, 1
		jz	short loc_A6C7CC
		cmp	eax, 2
		jle	short loc_A6C7B5
		cmp	eax, 4
		jle	short loc_A6C7CC

loc_A6C7B5:				; CODE XREF: VfPnpIsSystemRestrictedIrp(x)+7j
					; VfPnpIsSystemRestrictedIrp(x)+10j ...
		xor	eax, eax
		inc	eax
		retn
; 

loc_A6C7B9:				; CODE XREF: VfPnpIsSystemRestrictedIrp(x)+10j
					; DATA XREF: PAGEVRFY:00A6C7DCo
		mov	eax, [ecx+4]
		test	eax, eax
		jz	short loc_A6C7CC
		jle	short loc_A6C7B5
		cmp	eax, 2
		jle	short loc_A6C7B5
		cmp	eax, 3
		jnz	short loc_A6C7B5

loc_A6C7CC:				; CODE XREF: VfPnpIsSystemRestrictedIrp(x)+10j
					; VfPnpIsSystemRestrictedIrp(x)+21j ...
		xor	eax, eax
		retn
@VfPnpIsSystemRestrictedIrp@4 endp

; 
		align 10h
off_A6C7D0	dd offset loc_A6C7B5	; DATA XREF: VfPnpIsSystemRestrictedIrp(x)+10r
		dd offset loc_A6C79F
		dd offset loc_A6C7CC
		dd offset loc_A6C7B9
		dd offset loc_A6C7B5
byte_A6C7E4	db 0			; DATA XREF: VfPnpIsSystemRestrictedIrp(x)+9r
		align 4
		dd 1000000h, 202h, 2040000h, 3000002h, 20000h
		db 0

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfPnpTestStartedPdoStack(x)
@VfPnpTestStartedPdoStack@4 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+127o

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_1A		= word ptr -1Ah
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		push	9
		mov	ebx, ecx
		lea	edi, [esp+4Ch+var_24]
		pop	ecx
		xor	esi, esi
		lea	edx, [esp+48h+var_24]
		push	esi
		xor	eax, eax
		mov	[esp+4Ch+var_3C], esi
		rep stosd
		push	esi
		push	esi
		mov	edi, 0C00000BBh
		mov	word ptr [esp+54h+var_24], 0FF1Bh
		push	edi
		inc	eax
		mov	ecx, ebx
		push	eax
		call	_VfIrpSendSynchronousIrp@28 ; VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)
		or	[esp+48h+var_20], 0FFFFFFFFh
		lea	edx, [esp+48h+var_24]
		push	esi
		push	esi
		push	esi
		push	edi
		push	1
		mov	ecx, ebx
		mov	byte ptr [esp+5Ch+var_24+1], 7
		call	_VfIrpSendSynchronousIrp@28 ; VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A6C87B
		or	[esp+48h+var_20], 0FFFFFFFFh
		lea	edx, [esp+48h+var_24]
		push	esi
		push	esi
		push	0FFFFFFFFh
		push	edi
		push	1
		mov	ecx, ebx
		mov	byte ptr [esp+5Ch+var_24+1], 7
		call	_VfIrpSendSynchronousIrp@28 ; VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)

loc_A6C87B:				; CODE XREF: VfPnpTestStartedPdoStack(x)+60j
		or	[esp+48h+var_20], 0FFFFFFFFh
		lea	edx, [esp+48h+var_24]
		push	esi
		push	esi
		push	esi
		push	edi
		push	1
		mov	ecx, ebx
		mov	byte ptr [esp+5Ch+var_24+1], 0Ch
		call	_VfIrpSendSynchronousIrp@28 ; VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)
		or	[esp+48h+var_20], 0FFFFFFFFh
		lea	edx, [esp+48h+var_24]
		push	esi
		push	esi
		push	esi
		push	edi
		push	1
		mov	ecx, ebx
		mov	byte ptr [esp+5Ch+var_24+1], 13h
		call	_VfIrpSendSynchronousIrp@28 ; VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)
		lea	eax, [esp+48h+var_3C]
		mov	byte ptr [esp+48h+var_24+1], 7
		push	eax
		lea	eax, [esp+4Ch+var_38]
		mov	[esp+4Ch+var_20], 4
		push	eax
		push	esi
		push	edi
		push	esi
		lea	edx, [esp+5Ch+var_24]
		mov	[esp+5Ch+var_38], esi
		mov	ecx, ebx
		call	_VfIrpSendSynchronousIrp@28 ; VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)
		test	eax, eax
		jz	short loc_A6C8F8
		cmp	[esp+48h+var_3C], esi
		jl	short loc_A6C8F8
		mov	esi, [esp+48h+var_38]
		mov	ecx, [esi+4]
		call	ObfDereferenceObject
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A6C8F8:				; CODE XREF: VfPnpTestStartedPdoStack(x)+DFj
					; VfPnpTestStartedPdoStack(x)+E5j
		xor	eax, eax
		or	[esp+48h+var_14], 0FFFFFFFFh
		lea	edi, [esp+48h+var_34]
		mov	byte ptr [esp+48h+var_24+1], 8
		stosd
		lea	edx, [esp+48h+var_24]
		xor	ecx, ecx
		mov	esi, offset _GUID_BOGUS_INTERFACE
		inc	ecx
		mov	[esp+48h+var_20], esi
		mov	[esp+48h+var_1A], cx
		stosd
		stosd
		stosd
		mov	eax, 0FFFFh
		mov	[esp+48h+var_1C], ax
		lea	eax, [esp+48h+var_34]
		mov	[esp+48h+var_18], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	0C00000BBh
		push	ecx
		mov	ecx, ebx
		call	_VfIrpSendSynchronousIrp@28 ; VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)
		xor	eax, eax
		or	[esp+48h+var_14], 0FFFFFFFFh
		lea	edi, [esp+48h+var_34]
		mov	byte ptr [esp+48h+var_24+1], 8
		stosd
		lea	edx, [esp+48h+var_24]
		xor	ecx, ecx
		mov	[esp+48h+var_20], esi
		inc	ecx
		mov	[esp+48h+var_1A], cx
		stosd
		stosd
		stosd
		mov	eax, 0FFFFh
		mov	[esp+48h+var_1C], ax
		lea	eax, [esp+48h+var_34]
		mov	[esp+48h+var_18], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	ecx
		mov	ecx, ebx
		call	_VfIrpSendSynchronousIrp@28 ; VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
@VfPnpTestStartedPdoStack@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfPnpVerifyIrpStackDownward(x, x, x, x, x,	x, x)
@VfPnpVerifyIrpStackDownward@28	proc near ; DATA XREF: VfInitVerifierComponents(x,x,x)+13Fo

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, edx
		push	ebx
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		mov	ecx, eax
		mov	[ebp+var_4], ebx
		call	_IovUtilIsWdmStack@4 ; IovUtilIsWdmStack(x)
		test	eax, eax
		jz	loc_A6CAC7
		mov	ebx, [ebx]
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		mov	edi, [ebx+18h]
		mov	[ebp+var_C], ebx
		mov	eax, [esi+40h]
		mov	[ebp+arg_8], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+8Ch]
		mov	[ebp+var_4], eax
		cmp	dword ptr [eax+1Ch], 3
		jnz	short loc_A6C9E5
		mov	edx, [ebp+arg_10] ; int
		mov	ecx, 211h	; int
		push	ebx		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A6C9E5:				; CODE XREF: VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)+45j
		mov	eax, [ebp+var_8]
		mov	ecx, [eax+8]
		cmp	dword ptr [ecx+0A4h], offset _IopInvalidDeviceRequest@8	; IopInvalidDeviceRequest(x,x)
		jnz	short loc_A6CA1A
		or	dword ptr [esi+4], 1000000h
		call	@VfGetPristineDriverInit@4 ; VfGetPristineDriverInit(x)
		push	ebx		; int
		mov	edx, eax	; int
		mov	ecx, 21Fh	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		mov	eax, [ebp+arg_C]
		or	dword ptr [eax+4], 80000000h

loc_A6CA1A:				; CODE XREF: VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)+65j
		cmp	[ebp+arg_0], 0
		jz	loc_A6CAC5
		mov	eax, 2000000h
		test	edi, edi
		jns	short loc_A6CA50
		cmp	edi, 0C00000BBh
		jz	short loc_A6CA58
		test	[esi+4], eax
		jnz	short loc_A6CA50
		mov	edx, [ebp+arg_10] ; int
		mov	ecx, 215h	; int
		push	ebx		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		mov	eax, 2000000h
		or	[esi+4], eax

loc_A6CA50:				; CODE XREF: VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)+9Bj
					; VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)+A8j
		cmp	edi, 0C00000BBh
		jnz	short loc_A6CA77

loc_A6CA58:				; CODE XREF: VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)+A3j
		cmp	edi, [ebp+arg_8]
		jz	short loc_A6CA77
		test	[esi+4], eax
		jnz	short loc_A6CA77
		mov	edx, [ebp+arg_10] ; int
		mov	ecx, 216h	; int
		push	ebx		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		or	dword ptr [esi+4], 2000000h

loc_A6CA77:				; CODE XREF: VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)+C6j
					; VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)+CBj ...
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx+18h]
		test	ecx, ecx
		jz	short loc_A6CAC5
		push	2
		pop	ebx
		mov	edx, ebx
		call	_IovUtilIsDeviceObjectMarked@8 ; IovUtilIsDeviceObjectMarked(x,x)
		test	eax, eax
		jz	short loc_A6CAC5
		mov	esi, [ebp+arg_4]
		cmp	edi, 0C00000BBh
		jnz	short loc_A6CAA2
		xor	ebx, ebx
		cmp	[esi+1Ch], ebx
		setnz	bl

loc_A6CAA2:				; CODE XREF: VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)+108j
		push	3
		pop	edx
		call	_IovUtilIsDeviceObjectMarked@8 ; IovUtilIsDeviceObjectMarked(x,x)
		mov	ecx, [ebp+var_C] ; int
		neg	eax
		push	1		; int
		push	[ebp+arg_10]	; int
		sbb	eax, eax
		mov	edx, esi	; int
		and	eax, 0FFFFFFFCh
		push	ebx		; int
		add	eax, 4
		push	eax		; int
		call	_ViPnpVerifyMinorWasProcessedProperly@24 ; ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)

loc_A6CAC5:				; CODE XREF: VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)+8Ej
					; VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)+EFj ...
		pop	edi
		pop	esi

loc_A6CAC7:				; CODE XREF: VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)+1Cj
		pop	ebx
		leave
		retn	14h
@VfPnpVerifyIrpStackDownward@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfPnpVerifyIrpStackUpward(x, x, x,	x, x, x)
@VfPnpVerifyIrpStackUpward@24 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+13Ao

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edi
		mov	ecx, [esi+14h]
		call	_IovUtilIsWdmStack@4 ; IovUtilIsWdmStack(x)
		test	eax, eax
		jz	loc_A6CC0C
		cmp	[ebp+arg_8], 0
		mov	ecx, [edi]
		mov	edx, [ebp+arg_4]
		mov	eax, [edi+8Ch]
		push	ebx
		mov	ebx, [ecx+18h]
		mov	edi, [edx+18h]
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], eax
		jz	loc_A6CB9C
		mov	eax, [ebp+var_C]
		mov	eax, [eax+24h]
		and	eax, 20h
		mov	[ebp+arg_4], eax
		mov	eax, [edx+4]
		mov	edx, eax
		and	edx, 10000000h
		mov	[ebp+arg_8], edx
		test	eax, eax
		js	short loc_A6CB7F
		test	edx, edx
		jnz	short loc_A6CB83
		cmp	byte ptr [esi+1], 8
		jz	short loc_A6CB7F
		cmp	[ebp+arg_4], edx
		jnz	loc_A6CC12
		test	ebx, ebx
		jns	short loc_A6CB4C
		cmp	ebx, 0C00000BBh
		jnz	short loc_A6CB7F

loc_A6CB4C:				; CODE XREF: VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+76j
		cmp	_VfIoSwitchedOffNoReboot, 0
		jnz	short loc_A6CB9C
		test	ebx, ebx
		js	short loc_A6CB64
		push	ecx
		mov	ecx, 22Eh
		jmp	loc_A6CC18
; 

loc_A6CB64:				; CODE XREF: VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+8Bj
		cmp	ebx, 0C00000BBh
		jnz	short loc_A6CBCC
		push	ecx		; int
		mov	edx, edi	; int
		mov	ecx, 22Fh	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		mov	ecx, [ebp+var_8] ; int
		mov	edx, [ebp+arg_8]

loc_A6CB7F:				; CODE XREF: VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+5Fj
					; VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+69j ...
		test	edx, edx
		jz	short loc_A6CB9C

loc_A6CB83:				; CODE XREF: VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+63j
		xor	eax, eax
		mov	edx, esi	; int
		cmp	ebx, 0C00000BBh
		push	0		; int
		setnz	al
		push	edi		; int
		inc	eax
		push	eax		; int
		push	0		; int
		call	_ViPnpVerifyMinorWasProcessedProperly@24 ; ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)

loc_A6CB9C:				; CODE XREF: VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+3Dj
					; VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+87j ...
		mov	ecx, 0C00000BBh
		cmp	ebx, ecx
		jnz	short loc_A6CBCC
		mov	ebx, [ebp+arg_0]
		test	dword ptr [ebx+4], 2000000h
		jnz	short loc_A6CBCC
		cmp	[ebx+40h], ecx
		jz	short loc_A6CBCC
		push	[ebp+var_8]	; int
		mov	edx, edi	; int
		mov	ecx, 216h	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		or	dword ptr [ebx+4], 2000000h

loc_A6CBCC:				; CODE XREF: VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+9Ej
					; VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+D7j ...
		cmp	byte ptr [esi+1], 17h
		jnz	short loc_A6CC0B
		mov	ecx, [esi+14h]
		call	_IovUtilGetLowerDeviceObjectWithTag@8 ;	IovUtilGetLowerDeviceObjectWithTag(x,x)
		test	eax, eax
		jz	short loc_A6CC24
		mov	edx, 49667256h
		mov	ecx, eax
		call	ObfDereferenceObjectWithTag

loc_A6CBEA:				; CODE XREF: VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+162j
		mov	ebx, [ebp+var_4]

loc_A6CBED:				; CODE XREF: VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+179j
		mov	ecx, [esi+14h]
		xor	edx, edx
		call	_IovUtilIsDeviceObjectMarked@8 ; IovUtilIsDeviceObjectMarked(x,x)
		test	eax, eax
		jz	short loc_A6CC0B
		push	ecx		; int
		push	dword ptr [ebx+20h] ; int
		mov	edx, edi	; int
		mov	ecx, 242h	; int
		call	_ViErrorReport10@16 ; ViErrorReport10(x,x,x,x)

loc_A6CC0B:				; CODE XREF: VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+104j
					; VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+12Dj
		pop	ebx

loc_A6CC0C:				; CODE XREF: VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+1Bj
		pop	edi
		pop	esi
		leave
		retn	10h
; 

loc_A6CC12:				; CODE XREF: VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+6Ej
		push	ecx		; int
		mov	ecx, 22Dh	; int

loc_A6CC18:				; CODE XREF: VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+93j
		mov	edx, edi	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		jmp	loc_A6CB9C
; 

loc_A6CC24:				; CODE XREF: VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+110j
		mov	ecx, [esi+14h]
		call	_IovUtilIsPdo@4	; IovUtilIsPdo(x)
		test	eax, eax
		jnz	short loc_A6CBEA
		mov	ebx, [ebp+var_4]
		mov	edx, edi	; int
		push	dword ptr [esi+14h] ; int
		mov	ecx, 241h	; int
		push	dword ptr [ebx+20h] ; int
		call	_ViErrorReport10@16 ; ViErrorReport10(x,x,x,x)
		jmp	short loc_A6CBED
@VfPnpVerifyIrpStackUpward@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfPnpVerifyNewRequest(x, x, x, x, x, x)
@VfPnpVerifyNewRequest@24 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+144o

var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		mov	edi, [ecx]
		mov	eax, [edi+18h]
		mov	[ebp+var_4], eax
		cmp	eax, 0C00000BBh
		jz	short loc_A6CC8F
		cmp	byte ptr [esi+1], 0Dh
		jz	short loc_A6CC81
		test	byte ptr [ecx+24h], 20h
		jnz	short loc_A6CC81
		push	edi		; int
		mov	edx, ebx	; int
		mov	ecx, 20Eh	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		mov	eax, [ebp+var_4]

loc_A6CC81:				; CODE XREF: VfPnpVerifyNewRequest(x,x,x,x,x,x)+22j
					; VfPnpVerifyNewRequest(x,x,x,x,x,x)+28j
		test	eax, eax
		jns	short loc_A6CC8F
		mov	eax, [ebp+arg_8]
		or	dword ptr [eax+4], 2000000h

loc_A6CC8F:				; CODE XREF: VfPnpVerifyNewRequest(x,x,x,x,x,x)+1Cj
					; VfPnpVerifyNewRequest(x,x,x,x,x,x)+3Cj
		cmp	byte ptr [esi+1], 9
		jnz	short loc_A6CCEF
		mov	esi, [esi+4]
		push	esi
		call	_MmIsNonPagedSystemAddressValid@4 ; MmIsNonPagedSystemAddressValid(x)
		test	al, al
		jz	short loc_A6CCEF
		cmp	word ptr [esi+2], 1
		jnb	short loc_A6CCB6
		push	edi		; int
		mov	edx, ebx	; int
		mov	ecx, 233h	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A6CCB6:				; CODE XREF: VfPnpVerifyNewRequest(x,x,x,x,x,x)+60j
		cmp	word ptr [esi],	40h
		jnb	short loc_A6CCC9
		push	edi		; int
		mov	edx, ebx	; int
		mov	ecx, 234h	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A6CCC9:				; CODE XREF: VfPnpVerifyNewRequest(x,x,x,x,x,x)+73j
		cmp	dword ptr [esi+8], 0FFFFFFFFh
		jz	short loc_A6CCDC
		push	edi		; int
		mov	edx, ebx	; int
		mov	ecx, 235h	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A6CCDC:				; CODE XREF: VfPnpVerifyNewRequest(x,x,x,x,x,x)+86j
		cmp	dword ptr [esi+0Ch], 0FFFFFFFFh
		jz	short loc_A6CCEF
		push	edi		; int
		mov	edx, ebx	; int
		mov	ecx, 236h	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A6CCEF:				; CODE XREF: VfPnpVerifyNewRequest(x,x,x,x,x,x)+4Cj
					; VfPnpVerifyNewRequest(x,x,x,x,x,x)+59j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
@VfPnpVerifyNewRequest@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall ViPnpVerifyMinorWasProcessedProperly(int,int,int,int,int,int)
_ViPnpVerifyMinorWasProcessedProperly@24 proc near
					; CODE XREF: VfPnpVerifyIrpStackDownward(x,x,x,x,x,x,x)+130p
					; VfPnpVerifyIrpStackUpward(x,x,x,x,x,x)+CBp

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		movzx	eax, byte ptr [edx+1]
		mov	[ebp+var_4], edx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	eax, 15h
		ja	loc_A6CE5D
		movzx	eax, ds:byte_A6CE7E[eax]
		jmp	ds:off_A6CE66[eax*4]

loc_A6CD1F:				; DATA XREF: PAGEVRFY:00A6CE6Ao
		cmp	[ebp+arg_C], 0
		jnz	loc_A6CE5D
		cmp	[ebp+arg_4], 2
		jz	loc_A6CE5D
		mov	ecx, 306h
		jmp	loc_A6CE54
; 

loc_A6CD3D:				; CODE XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+22j
					; DATA XREF: PAGEVRFY:off_A6CE66o
		cmp	[ebp+arg_C], 0
		jnz	loc_A6CE5D
		cmp	[ebp+arg_4], 0
		jnz	loc_A6CE5D
		mov	ecx, 217h
		jmp	loc_A6CE54
; 

loc_A6CD5B:				; CODE XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+22j
					; DATA XREF: PAGEVRFY:00A6CE6Eo
		xor	edi, edi
		cmp	dword ptr [edx+4], 4
		jnz	short loc_A6CD9C
		cmp	[ebp+arg_0], edi
		jz	short loc_A6CD75
		cmp	[ebp+arg_4], 2
		jnz	short loc_A6CD9C
		mov	ecx, 218h
		jmp	short loc_A6CD90
; 

loc_A6CD75:				; CODE XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+70j
		cmp	[ebp+arg_4], edi
		jnz	short loc_A6CD81
		mov	ecx, 22Ah
		jmp	short loc_A6CD90
; 

loc_A6CD81:				; CODE XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+82j
		cmp	[esi+18h], edi
		jl	short loc_A6CD9C
		cmp	[esi+1Ch], edi
		jnz	short loc_A6CD9C
		mov	ecx, 22Bh	; int

loc_A6CD90:				; CODE XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+7Dj
					; ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+89j
		mov	edx, [ebp+arg_8] ; int
		push	esi		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		mov	edx, [ebp+var_4]

loc_A6CD9C:				; CODE XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+6Bj
					; ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+76j ...
		cmp	ds:_VfIoDisabled, edi
		jnz	loc_A6CE5D
		cmp	[esi+18h], edi
		jl	loc_A6CE5D
		mov	ebx, [esi+1Ch]
		test	ebx, ebx
		jz	loc_A6CE5D
		cmp	dword ptr [edx+4], 4
		ja	loc_A6CE5D
		push	ebx
		call	_MmIsNonPagedSystemAddressValid@4 ; MmIsNonPagedSystemAddressValid(x)
		test	al, al
		jz	loc_A6CE5D
		cmp	[ebx], edi
		jbe	loc_A6CE5D
		lea	eax, [ebx+4]
		mov	[ebp+arg_0], eax

loc_A6CDE2:				; CODE XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+143j
		mov	ecx, [eax]
		push	5
		pop	edx
		mov	[ebp+arg_4], ecx
		call	_IovUtilIsDeviceObjectMarked@8 ; IovUtilIsDeviceObjectMarked(x,x)
		test	eax, eax
		jnz	short loc_A6CE2D
		call	_IovUtilGetBottomDeviceObjectWithTag@8 ; IovUtilGetBottomDeviceObjectWithTag(x,x)
		mov	ecx, eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+arg_C], ecx
		cmp	ecx, eax
		jz	short loc_A6CE16
		mov	edx, [ebp+arg_8] ; int
		mov	ecx, 248h	; int
		push	eax		; int
		push	esi		; int
		call	_ViErrorReport10@16 ; ViErrorReport10(x,x,x,x)
		mov	eax, [ebp+arg_4]

loc_A6CE16:				; CODE XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+10Cj
		push	5
		pop	edx
		mov	ecx, eax
		call	_IovUtilMarkDeviceObject@8 ; IovUtilMarkDeviceObject(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, 49667256h
		call	ObfDereferenceObjectWithTag

loc_A6CE2D:				; CODE XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+FBj
		mov	eax, [ebp+arg_0]
		inc	edi
		add	eax, 4
		mov	[ebp+arg_0], eax
		cmp	edi, [ebx]
		jb	short loc_A6CDE2
		jmp	short loc_A6CE5D
; 

loc_A6CE3D:				; CODE XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+22j
					; DATA XREF: PAGEVRFY:00A6CE76o
		cmp	dword ptr [edx+4], 3
		ja	short loc_A6CE5D

loc_A6CE43:				; CODE XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+22j
					; DATA XREF: PAGEVRFY:00A6CE72o
		cmp	[ebp+arg_0], 0
		jz	short loc_A6CE5D
		cmp	[ebp+arg_4], 2
		jnz	short loc_A6CE5D
		mov	ecx, 218h	; int

loc_A6CE54:				; CODE XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+42j
					; ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+60j
		mov	edx, [ebp+arg_8] ; int
		push	esi		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A6CE5D:				; CODE XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+15j
					; ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+22j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_ViPnpVerifyMinorWasProcessedProperly@24 endp

; 
		db 8Bh,	0FFh
off_A6CE66	dd offset loc_A6CD3D	; DATA XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+22r
		dd offset loc_A6CD1F
		dd offset loc_A6CD5B
		dd offset loc_A6CE43
		dd offset loc_A6CE3D
		dd offset loc_A6CE5D
byte_A6CE7E	db 0			; DATA XREF: ViPnpVerifyMinorWasProcessedProperly(x,x,x,x,x,x)+1Br
		align 10h
		dd 1, 5050200h,	5030303h, 3030305h, 3050403h

;  S U B	R O U T	I N E 


; __fastcall VfPowerDumpIrpStack(x)
@VfPowerDumpIrpStack@4 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+16Do
		mov	edi, edi
		push	esi		; char
		push	offset ??_C@_0O@EMKDICJG@IRP_MJ_POWER?4@JKADOLAD@ ; char *
		mov	esi, ecx
		call	_VfUtilDbgPrint
		mov	al, [esi+1]
		pop	ecx
		cmp	al, 3
		ja	short loc_A6CF22
		movzx	eax, al
		push	ds:_PowerIrpNames[eax*4] ; char	*
		call	_VfUtilDbgPrint
		mov	al, [esi+1]
		pop	ecx
		cmp	al, 3
		jz	short loc_A6CEC6
		cmp	al, 2
		jnz	short loc_A6CF38

loc_A6CEC6:				; CODE XREF: VfPowerDumpIrpStack(x)+2Cj
		push	(offset	loc_A5849F+1) ;	char *
		call	_VfUtilDbgPrint
		cmp	dword ptr [esi+8], 0
		mov	eax, [esi+0Ch]
		pop	ecx
		jnz	short loc_A6CEEC
		cmp	eax, 6
		jg	short loc_A6CF02
		test	eax, eax
		js	short loc_A6CF38
		push	dword ptr ds:_SystemStateNames[eax*4]
		jmp	short loc_A6CEFC
; 

loc_A6CEEC:				; CODE XREF: VfPowerDumpIrpStack(x)+44j
		cmp	eax, 4
		jg	short loc_A6CF02
		test	eax, eax
		js	short loc_A6CF38
		push	dword ptr ds:_DeviceStateNames[eax*4] ;	char *

loc_A6CEFC:				; CODE XREF: VfPowerDumpIrpStack(x)+56j
		call	_VfUtilDbgPrint
		pop	ecx

loc_A6CF02:				; CODE XREF: VfPowerDumpIrpStack(x)+49j
					; VfPowerDumpIrpStack(x)+5Bj
		mov	eax, [esi+10h]
		cmp	eax, 7
		jg	short loc_A6CF1B
		test	eax, eax
		js	short loc_A6CF38
		push	dword ptr ds:(loc_A5012D+3)[eax*4] ; char *
		call	_VfUtilDbgPrint
		pop	ecx

loc_A6CF1B:				; CODE XREF: VfPowerDumpIrpStack(x)+74j
		push	(offset	loc_A5849C+2)
		jmp	short loc_A6CF32
; 

loc_A6CF22:				; CODE XREF: VfPowerDumpIrpStack(x)+15j
		cmp	al, 0FFh
		jnz	short loc_A6CF2D
		push	offset ??_C@_0N@IJDEKNCK@IRP_MN_BOGUS@JKADOLAD@
		jmp	short loc_A6CF32
; 

loc_A6CF2D:				; CODE XREF: VfPowerDumpIrpStack(x)+90j
		push	(offset	loc_A58306+2) ;	char *

loc_A6CF32:				; CODE XREF: VfPowerDumpIrpStack(x)+8Cj
					; VfPowerDumpIrpStack(x)+97j
		call	_VfUtilDbgPrint
		pop	ecx

loc_A6CF38:				; CODE XREF: VfPowerDumpIrpStack(x)+30j
					; VfPowerDumpIrpStack(x)+4Dj ...
		pop	esi
		retn
@VfPowerDumpIrpStack@4 endp


;  S U B	R O U T	I N E 


; __fastcall VfPowerIsSystemRestrictedIrp(x)
@VfPowerIsSystemRestrictedIrp@4	proc near ; DATA XREF: VfInitVerifierComponents(x,x,x)+159o
		mov	al, [ecx+1]
		test	al, al
		jz	short loc_A6CF48
		cmp	al, 1
		jnz	short loc_A6CF48
		xor	eax, eax
		retn
; 

loc_A6CF48:				; CODE XREF: VfPowerIsSystemRestrictedIrp(x)+5j
					; VfPowerIsSystemRestrictedIrp(x)+9j
		xor	eax, eax
		inc	eax
		retn
@VfPowerIsSystemRestrictedIrp@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfPowerTestStartedPdoStack(x)
@VfPowerTestStartedPdoStack@4 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+14Fo

var_24		= dword	ptr -24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		xor	eax, eax
		test	byte ptr _MmVerifierData, 10h
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		push	9
		pop	ecx
		rep stosd
		jz	short loc_A6CF85
		push	eax
		push	eax
		push	eax
		push	0C00000BBh
		push	1
		lea	edx, [ebp+var_24]
		mov	word ptr [ebp+var_24], 0FF16h
		mov	ecx, esi
		call	_VfIrpSendSynchronousIrp@28 ; VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)

loc_A6CF85:				; CODE XREF: VfPowerTestStartedPdoStack(x)+1Dj
		pop	edi
		pop	esi
		leave
		retn
@VfPowerTestStartedPdoStack@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfPowerVerifyIrpStackDownward(x, x, x, x, x, x, x)
@VfPowerVerifyIrpStackDownward@28 proc near
					; DATA XREF: VfInitVerifierComponents(x,x,x)+163o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		mov	edi, [ecx]
		mov	eax, [ebx+40h]
		mov	[ebp+arg_8], eax
		mov	eax, [ecx+8Ch]
		mov	esi, [edi+18h]
		mov	[ebp+var_4], edx
		cmp	dword ptr [eax+1Ch], 3
		jnz	short loc_A6CFBD
		mov	edx, [ebp+arg_10] ; int
		mov	ecx, 211h	; int
		push	edi		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A6CFBD:				; CODE XREF: VfPowerVerifyIrpStackDownward(x,x,x,x,x,x,x)+24j
		mov	ecx, [ebp+var_4]
		mov	ecx, [ecx+8]
		cmp	dword ptr [ecx+90h], offset _IopInvalidDeviceRequest@8 ; IopInvalidDeviceRequest(x,x)
		jnz	short loc_A6CFF2
		or	dword ptr [ebx+4], 1000000h
		call	@VfGetPristineDriverInit@4 ; VfGetPristineDriverInit(x)
		push	edi		; int
		mov	edx, eax	; int
		mov	ecx, 21Fh	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		mov	eax, [ebp+arg_C]
		or	dword ptr [eax+4], 80000000h

loc_A6CFF2:				; CODE XREF: VfPowerVerifyIrpStackDownward(x,x,x,x,x,x,x)+44j
		cmp	[ebp+arg_0], 0
		jz	short loc_A6D03D
		test	esi, esi
		jns	short loc_A6D022
		cmp	esi, 0C00000BBh
		jz	short loc_A6D02A
		test	dword ptr [ebx+4], 2000000h
		jnz	short loc_A6D022
		mov	edx, [ebp+arg_10] ; int
		mov	ecx, 219h	; int
		push	edi		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		or	dword ptr [ebx+4], 2000000h

loc_A6D022:				; CODE XREF: VfPowerVerifyIrpStackDownward(x,x,x,x,x,x,x)+71j
					; VfPowerVerifyIrpStackDownward(x,x,x,x,x,x,x)+82j
		cmp	esi, 0C00000BBh
		jnz	short loc_A6D03D

loc_A6D02A:				; CODE XREF: VfPowerVerifyIrpStackDownward(x,x,x,x,x,x,x)+79j
		cmp	esi, [ebp+arg_8]
		jz	short loc_A6D03D
		mov	edx, [ebp+arg_10] ; int
		mov	ecx, 21Ah	; int
		push	edi		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A6D03D:				; CODE XREF: VfPowerVerifyIrpStackDownward(x,x,x,x,x,x,x)+6Dj
					; VfPowerVerifyIrpStackDownward(x,x,x,x,x,x,x)+9Fj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
@VfPowerVerifyIrpStackDownward@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfPowerVerifyIrpStackUpward(x, x, x, x, x,	x)
@VfPowerVerifyIrpStackUpward@24	proc near ; DATA XREF: VfInitVerifierComponents(x,x,x)+15Eo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ecx]
		mov	edx, 0C00000BBh
		cmp	[ecx+18h], edx
		jnz	short loc_A6D06E
		mov	eax, [ebp+arg_0]
		cmp	[eax+40h], edx
		jz	short loc_A6D06E
		mov	edx, [ebp+arg_4]
		push	ecx		; int
		mov	ecx, 21Ah	; int
		mov	edx, [edx+18h]	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A6D06E:				; CODE XREF: VfPowerVerifyIrpStackUpward(x,x,x,x,x,x)+Fj
					; VfPowerVerifyIrpStackUpward(x,x,x,x,x,x)+17j
		pop	ebp
		retn	10h
@VfPowerVerifyIrpStackUpward@24	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfPowerVerifyNewRequest(x,	x, x, x, x, x)
@VfPowerVerifyNewRequest@24 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+168o

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx]
		push	esi
		mov	esi, [eax+18h]
		cmp	esi, 0C00000BBh
		jz	short loc_A6D0A1
		mov	edx, [ebp+arg_C] ; int
		mov	ecx, 20Fh	; int
		push	eax		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		test	esi, esi
		jns	short loc_A6D0A1
		mov	eax, [ebp+arg_8]
		or	dword ptr [eax+4], 2000000h

loc_A6D0A1:				; CODE XREF: VfPowerVerifyNewRequest(x,x,x,x,x,x)+11j
					; VfPowerVerifyNewRequest(x,x,x,x,x,x)+23j
		pop	esi
		pop	ebp
		retn	10h
@VfPowerVerifyNewRequest@24 endp


;  S U B	R O U T	I N E 


; __fastcall VfWmiDumpIrpStack(x)
@VfWmiDumpIrpStack@4 proc near		; DATA XREF: VfInitVerifierComponents(x,x,x)+194o
		mov	edi, edi
		push	esi		; char
		push	(offset	loc_A584A1+1) ;	char *
		mov	esi, ecx
		call	_VfUtilDbgPrint
		mov	al, [esi+1]
		pop	ecx
		pop	esi
		cmp	al, 9
		ja	short loc_A6D0CA
		movzx	eax, al
		mov	eax, dword ptr ds:(loc_A50083+1)[eax*4]
		jmp	short loc_A6D0D8
; 

loc_A6D0CA:				; CODE XREF: VfWmiDumpIrpStack(x)+16j
		cmp	al, 0FFh
		mov	eax, offset ??_C@_0N@IJDEKNCK@IRP_MN_BOGUS@JKADOLAD@
		jz	short loc_A6D0D8
		mov	eax, (offset loc_A58306+2)

loc_A6D0D8:				; CODE XREF: VfWmiDumpIrpStack(x)+22j
					; VfWmiDumpIrpStack(x)+2Bj
		push	eax		; char *
		call	_VfUtilDbgPrint
		pop	ecx
		retn
@VfWmiDumpIrpStack@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfWmiTestStartedPdoStack(x)
@VfWmiTestStartedPdoStack@4 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+17Ao

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		xor	eax, eax
		test	byte ptr _MmVerifierData, 10h
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_24]
		push	9
		pop	ecx
		rep stosd
		jz	short loc_A6D11C
		push	eax
		push	eax
		push	eax
		push	0C00000BBh
		push	1
		lea	edx, [ebp+var_24]
		mov	word ptr [ebp+var_24], 0FF17h
		mov	ecx, esi
		mov	[ebp+var_20], esi
		call	_VfIrpSendSynchronousIrp@28 ; VfIrpSendSynchronousIrp(x,x,x,x,x,x,x)

loc_A6D11C:				; CODE XREF: VfWmiTestStartedPdoStack(x)+1Dj
		pop	edi
		pop	esi
		leave
		retn
@VfWmiTestStartedPdoStack@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfWmiVerifyIrpStackDownward(x, x, x, x, x,	x, x)
@VfWmiVerifyIrpStackDownward@28	proc near ; DATA XREF: VfInitVerifierComponents(x,x,x)+18Ao

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+8Ch]
		push	esi
		mov	esi, [ecx]
		push	edi
		cmp	dword ptr [eax+1Ch], 3
		mov	edi, edx
		jnz	short loc_A6D145
		mov	edx, [ebp+arg_10] ; int
		mov	ecx, 211h	; int
		push	esi		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)

loc_A6D145:				; CODE XREF: VfWmiVerifyIrpStackDownward(x,x,x,x,x,x,x)+15j
		mov	ecx, [edi+8]
		cmp	dword ptr [ecx+94h], offset _IopInvalidDeviceRequest@8 ; IopInvalidDeviceRequest(x,x)
		jnz	short loc_A6D17A
		mov	eax, [ebp+arg_8]
		or	dword ptr [eax+4], 1000000h
		call	@VfGetPristineDriverInit@4 ; VfGetPristineDriverInit(x)
		push	esi		; int
		mov	edx, eax	; int
		mov	ecx, 21Fh	; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		mov	eax, [ebp+arg_C]
		or	dword ptr [eax+4], 80000000h

loc_A6D17A:				; CODE XREF: VfWmiVerifyIrpStackDownward(x,x,x,x,x,x,x)+32j
		pop	edi
		pop	esi
		pop	ebp
		retn	14h
@VfWmiVerifyIrpStackDownward@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfWmiVerifyIrpStackUpward(x, x, x,	x, x, x)
@VfWmiVerifyIrpStackUpward@24 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+185o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr _MmVerifierData, 10h
		push	esi
		mov	esi, edx
		jz	short loc_A6D1E0
		cmp	[ebp+arg_8], 0
		mov	eax, [ebp+arg_4]
		push	ebx
		push	edi
		mov	edi, [ecx]
		mov	ebx, [eax+18h]
		jz	short loc_A6D1DE
		mov	eax, [eax+4]
		mov	ecx, eax
		and	ecx, 10000000h
		test	eax, eax
		js	short loc_A6D1DE
		test	ecx, ecx
		jnz	short loc_A6D1DE
		mov	ecx, [esi+14h]
		cmp	[esi+4], ecx
		jz	short loc_A6D1DE
		call	_VfDevObjIsDeviceRemoved@4 ; VfDevObjIsDeviceRemoved(x)
		test	al, al
		jnz	short loc_A6D1DE
		cmp	_VfIoSwitchedOffNoReboot, 0
		jnz	short loc_A6D1DE
		push	dword ptr [esi+4] ; int
		mov	edx, ebx	; int
		mov	ecx, 220h	; int
		push	edi		; int
		call	_ViErrorReport10@16 ; ViErrorReport10(x,x,x,x)

loc_A6D1DE:				; CODE XREF: VfWmiVerifyIrpStackUpward(x,x,x,x,x,x)+1Fj
					; VfWmiVerifyIrpStackUpward(x,x,x,x,x,x)+2Ej ...
		pop	edi
		pop	ebx

loc_A6D1E0:				; CODE XREF: VfWmiVerifyIrpStackUpward(x,x,x,x,x,x)+Fj
		pop	esi
		pop	ebp
		retn	10h
@VfWmiVerifyIrpStackUpward@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VfWmiVerifyNewRequest(x, x, x, x, x, x)
@VfWmiVerifyNewRequest@24 proc near	; DATA XREF: VfInitVerifierComponents(x,x,x)+18Fo

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx]
		push	esi
		mov	esi, [eax+18h]
		cmp	esi, 0C00000BBh
		jz	short loc_A6D214
		mov	edx, [ebp+arg_C] ; int
		mov	ecx, 210h	; int
		push	eax		; int
		call	_ViErrorReport1@12 ; ViErrorReport1(x,x,x)
		test	esi, esi
		jns	short loc_A6D214
		mov	eax, [ebp+arg_8]
		or	dword ptr [eax+4], 2000000h

loc_A6D214:				; CODE XREF: VfWmiVerifyNewRequest(x,x,x,x,x,x)+11j
					; VfWmiVerifyNewRequest(x,x,x,x,x,x)+23j
		pop	esi
		pop	ebp
		retn	10h
@VfWmiVerifyNewRequest@24 endp


;  S U B	R O U T	I N E 


; __fastcall ViIrpLogDatabaseFindPointer(x, x)
@ViIrpLogDatabaseFindPointer@8 proc near ; CODE	XREF: VfIrpLogDeleteDeviceLogs(x)+1Fp
					; VfIrpLogRecordEvent(x,x,x)+D2p
		mov	eax, _ViIrpLogDatabase
		push	esi
		mov	[edx], eax
		lea	esi, [eax+4]
		mov	edx, [esi]
		cmp	edx, esi
		jz	short loc_A6D239

loc_A6D22A:				; CODE XREF: ViIrpLogDatabaseFindPointer(x,x)+1Ej
		lea	eax, [edx-4]
		cmp	[eax], ecx
		jz	short loc_A6D23B
		mov	eax, [edx]
		mov	edx, eax
		cmp	eax, esi
		jnz	short loc_A6D22A

loc_A6D239:				; CODE XREF: ViIrpLogDatabaseFindPointer(x,x)+Fj
		xor	eax, eax

loc_A6D23B:				; CODE XREF: ViIrpLogDatabaseFindPointer(x,x)+16j
		pop	esi
		retn
@ViIrpLogDatabaseFindPointer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIrpLogDeleteDeviceLogs(x)
_VfIrpLogDeleteDeviceLogs@4 proc near	; CODE XREF: VfIoDeleteDevice(x,x)+68j

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ecx, offset _ViIrpLogDatabaseLock
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		lea	edx, [ebp+var_4]
		mov	ecx, esi
		mov	bl, al
		call	@ViIrpLogDatabaseFindPointer@8 ; ViIrpLogDatabaseFindPointer(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A6D29F
		mov	ecx, [ebp+var_4]
		cmp	dword ptr [ecx], 0
		jnz	short loc_A6D29B
		mov	ecx, [esi]
		call	ObfDereferenceObject
		lea	eax, [esi+4]
		mov	edx, [eax]
		cmp	[edx+4], eax
		jnz	short loc_A6D296
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_A6D296
		push	0
		mov	[ecx], edx
		push	esi
		mov	[edx+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A6D29F
; 

loc_A6D296:				; CODE XREF: VfIrpLogDeleteDeviceLogs(x)+41j
					; VfIrpLogDeleteDeviceLogs(x)+48j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A6D29B:				; CODE XREF: VfIrpLogDeleteDeviceLogs(x)+30j
		or	dword ptr [esi+0Ch], 4

loc_A6D29F:				; CODE XREF: VfIrpLogDeleteDeviceLogs(x)+28j
					; VfIrpLogDeleteDeviceLogs(x)+57j
		mov	dl, bl
		mov	ecx, offset _ViIrpLogDatabaseLock
		call	KfReleaseSpinLock
		pop	esi
		pop	ebx
		leave
		retn
_VfIrpLogDeleteDeviceLogs@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfIrpLogInit()
_VfIrpLogInit@0	proc near		; CODE XREF: VfInitVerifierComponents(x,x,x)+211p
		and	_ViIrpLogDatabaseLock, 0
		push	64496656h
		push	0Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_ViIrpLogDatabase, eax
		test	eax, eax
		jz	short locret_A6D2DB
		and	dword ptr [eax], 0
		add	eax, 4
		mov	[eax+4], eax
		mov	[eax], eax

locret_A6D2DB:				; CODE XREF: VfIrpLogInit()+1Fj
		retn
_VfIrpLogInit@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIrpLogLockDatabase(x)
_VfIrpLogLockDatabase@4	proc near	; CODE XREF: ViDdiDispatchWmiQueryAllData(x,x)+75p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _ViIrpLogDatabaseLock
		mov	bl, al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	edx, _ViIrpLogDatabase
		imul	ecx, esi, 0Ch
		xor	esi, esi
		cmp	[ecx+edx], esi
		jz	short loc_A6D311
		mov	esi, 0C000022Dh
		jmp	short loc_A6D318
; 

loc_A6D311:				; CODE XREF: VfIrpLogLockDatabase(x)+2Cj
		mov	dword ptr [ecx+edx], 1

loc_A6D318:				; CODE XREF: VfIrpLogLockDatabase(x)+33j
		test	ds:byte_70EFC6,	1
		jz	short loc_A6D32D
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A6D332
; 

loc_A6D32D:				; CODE XREF: VfIrpLogLockDatabase(x)+43j
		xor	eax, eax
		lock and [edi],	eax

loc_A6D332:				; CODE XREF: VfIrpLogLockDatabase(x)+4Fj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ebp
		retn
_VfIrpLogLockDatabase@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIrpLogRecordEvent(x, x, x)
_VfIrpLogRecordEvent@12	proc near	; CODE XREF: IovpCallDriver1(x)+DBp

var_3E		= byte ptr -3Eh
var_3D		= byte ptr -3Dh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+44h+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[esp+50h+var_34], eax
		push	0Ah
		xor	ebx, ebx
		mov	[esp+54h+var_38], edx
		xor	eax, eax
		mov	[esp+54h+var_3C], ebx
		lea	edi, [esp+54h+var_30]
		pop	ecx
		rep stosd
		test	esi, 400h
		jz	loc_A6D503
		cmp	_ViIrpLogDdiLock, 2
		jz	short loc_A6D3CE
		xor	ecx, ecx
		mov	edx, offset _ViIrpLogDdiLock
		inc	ecx
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	short loc_A6D3CE
		push	77496656h
		push	10h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_A6D3C8
		push	1
		push	eax
		mov	dword ptr [eax+8], offset _ViIrpLogExposeWmiCallback@4 ; ViIrpLogExposeWmiCallback(x)
		mov	[eax+0Ch], eax
		mov	[eax], ebx
		call	ExQueueWorkItem
		jmp	short loc_A6D3CE
; 

loc_A6D3C8:				; CODE XREF: VfIrpLogRecordEvent(x,x,x)+6Fj
		mov	_ViIrpLogDdiLock, ebx

loc_A6D3CE:				; CODE XREF: VfIrpLogRecordEvent(x,x,x)+4Aj
					; VfIrpLogRecordEvent(x,x,x)+5Aj ...
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ebx, offset _ViIrpLogDatabaseLock
		mov	[esp+50h+var_3D], al
		mov	ecx, ebx
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	esi, [esp+50h+var_38]
		xor	edx, edx
		mov	ecx, esi
		call	_IovUtilIsDeviceObjectMarked@8 ; IovUtilIsDeviceObjectMarked(x,x)
		test	eax, eax
		jz	short loc_A6D40F
		test	ds:byte_70EFC6,	1
		jz	short loc_A6D405
		mov	ecx, ebx
		jmp	loc_A6D4EA
; 

loc_A6D405:				; CODE XREF: VfIrpLogRecordEvent(x,x,x)+BBj
		xor	eax, eax
		lock and [ebx],	eax
		jmp	loc_A6D4F9
; 

loc_A6D40F:				; CODE XREF: VfIrpLogRecordEvent(x,x,x)+B2j
		lea	edx, [esp+50h+var_3C]
		call	@ViIrpLogDatabaseFindPointer@8 ; ViIrpLogDatabaseFindPointer(x,x)
		mov	edi, [esp+50h+var_3C]
		mov	ebx, eax
		cmp	dword ptr [edi], 0
		jnz	loc_A6D4DC
		test	ebx, ebx
		jnz	short loc_A6D483
		push	65496656h
		push	340h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_A6D4DC
		mov	ecx, esi
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		and	dword ptr [ebx+0Ch], 0
		lea	ecx, [edi+4]
		mov	[ebx], esi
		mov	eax, [esi+2Ch]
		and	dword ptr [ebx+18h], 0
		mov	[ebx+10h], eax
		lea	eax, [ebx+4]
		mov	dword ptr [ebx+14h], 14h
		mov	edx, [ecx]
		cmp	[edx+4], ecx
		jz	short loc_A6D479
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A6D479:				; CODE XREF: VfIrpLogRecordEvent(x,x,x)+131j
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[edx+4], eax
		mov	[ecx], eax

loc_A6D483:				; CODE XREF: VfIrpLogRecordEvent(x,x,x)+E8j
		mov	eax, [ebx+0Ch]
		test	al, 6
		jnz	short loc_A6D4DC
		cmp	eax, 1
		jnz	short loc_A6D497
		mov	edx, [ebx+14h]
		mov	eax, [ebx+18h]
		jmp	short loc_A6D49C
; 

loc_A6D497:				; CODE XREF: VfIrpLogRecordEvent(x,x,x)+14Cj
		mov	edx, [ebx+18h]
		mov	eax, edx

loc_A6D49C:				; CODE XREF: VfIrpLogRecordEvent(x,x,x)+154j
		imul	eax, 28h
		lea	ecx, [esp+50h+var_30]
		push	ecx
		mov	ecx, [esp+54h+var_34]
		add	eax, 20h
		add	eax, ebx
		push	eax
		call	@VfMajorBuildIrpLogEntry@16 ; VfMajorBuildIrpLogEntry(x,x,x,x)
		test	eax, eax
		jz	short loc_A6D4DC
		imul	edi, [ebx+18h],	28h
		lea	esi, [esp+50h+var_30]
		push	0Ah
		pop	ecx
		add	edi, 20h
		add	edi, ebx
		rep movsd
		inc	dword ptr [ebx+18h]
		mov	eax, [ebx+18h]
		cmp	eax, [ebx+14h]
		jnz	short loc_A6D4DC
		or	dword ptr [ebx+0Ch], 1
		and	dword ptr [ebx+18h], 0

loc_A6D4DC:				; CODE XREF: VfIrpLogRecordEvent(x,x,x)+E0j
					; VfIrpLogRecordEvent(x,x,x)+102j ...
		test	ds:byte_70EFC6,	1
		mov	ecx, offset _ViIrpLogDatabaseLock
		jz	short loc_A6D4F4

loc_A6D4EA:				; CODE XREF: VfIrpLogRecordEvent(x,x,x)+BFj
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A6D4F9
; 

loc_A6D4F4:				; CODE XREF: VfIrpLogRecordEvent(x,x,x)+1A7j
		xor	eax, eax
		lock and [ecx],	eax

loc_A6D4F9:				; CODE XREF: VfIrpLogRecordEvent(x,x,x)+C9j
					; VfIrpLogRecordEvent(x,x,x)+1B1j
		mov	cl, [esp+50h+var_3D]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A6D503:				; CODE XREF: VfIrpLogRecordEvent(x,x,x)+3Dj
		mov	ecx, [esp+50h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	4
_VfIrpLogRecordEvent@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIrpLogRetrieveWmiData(x, x, x, x,	x, x)
_VfIrpLogRetrieveWmiData@24 proc near	; CODE XREF: ViDdiDispatchWmiQueryAllData(x,x)+97p
					; ViDdiDispatchWmiQueryAllData(x,x)+F5p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		mov	eax, [ebp+arg_0]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_C], edx
		push	esi
		mov	[eax], ebx
		mov	eax, [ebp+arg_4]
		push	edi
		push	8
		mov	edi, ecx
		mov	[ebp+var_10], ebx
		mov	[eax], ebx
		mov	eax, [ebp+arg_8]
		mov	[eax], ebx
		mov	eax, [ebp+arg_C]
		mov	[eax], ebx
		pop	eax
		push	74496656h
		push	eax
		push	1
		mov	[ebp+var_24], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_14], esi
		test	esi, esi
		jnz	short loc_A6D566

loc_A6D55C:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+E0j
		mov	eax, 0C000009Ah
		jmp	loc_A6D792
; 

loc_A6D566:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+43j
		mov	eax, _ViIrpLogDatabase
		mov	ecx, ebx
		imul	edx, edi, 0Ch
		add	eax, 4
		mov	[ebp+var_38], edx
		add	edx, eax
		mov	[ebp+var_34], edx
		mov	edi, [edx]
		cmp	edi, edx
		jz	short loc_A6D58C
		mov	esi, edi

loc_A6D583:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+73j
		mov	eax, [esi]
		inc	ecx
		mov	esi, eax
		cmp	eax, edx
		jnz	short loc_A6D583

loc_A6D58C:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+68j
		lea	esi, ds:3Ch[ecx*8]
		mov	[ebp+var_20], ebx
		lea	eax, [esi+ecx*4]
		mov	[ebp+var_3C], esi
		mov	ecx, [ebp+var_C]
		add	esi, ecx
		mov	[ebp+var_1C], esi
		mov	[ebp+var_8], eax
		add	eax, ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_28], edx
		lea	esi, [ecx+3Ch]
		mov	[ebp+var_18], esi
		mov	esi, [ebp+var_14]
		cmp	edi, edx
		jz	loc_A6D6CB

loc_A6D5C0:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+1AEj
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_24]
		push	esi
		push	dword ptr [edi-4]
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		mov	[ebp+var_20], eax
		cmp	eax, 0C0000004h
		jnz	short loc_A6D614
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	74496656h
		push	[ebp+var_10]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_14], esi
		test	esi, esi
		jz	loc_A6D55C
		mov	eax, [ebp+var_10]
		lea	ecx, [ebp+var_10]
		push	ecx
		push	eax
		push	esi
		push	dword ptr [edi-4]
		mov	[ebp+var_24], eax
		call	_ObQueryNameString@16 ;	ObQueryNameString(x,x,x,x)
		mov	[ebp+var_20], eax

loc_A6D614:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+C1j
		test	eax, eax
		js	loc_A6D6CB
		movzx	eax, word ptr [esi]
		test	ax, ax
		jnz	short loc_A6D62D
		or	dword ptr [edi+8], 2
		jmp	loc_A6D6B8
; 

loc_A6D62D:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+10Bj
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		mov	edi, [ebp+var_1C]
		test	edx, edx
		jz	short loc_A6D63F
		mov	[edi], ecx
		movzx	eax, word ptr [esi]

loc_A6D63F:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+121j
		add	edi, 4
		movzx	eax, ax
		add	eax, 12h
		mov	[ebp+var_1C], edi
		mov	edi, eax
		mov	[ebp+var_30], eax
		shr	edi, 1
		test	edx, edx
		jz	short loc_A6D65F
		mov	esi, [ebp+var_4]
		mov	[esi], ax
		mov	esi, [ebp+var_14]

loc_A6D65F:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+13Dj
		mov	edx, [ebp+var_4]
		add	ecx, 2
		add	edx, 2
		mov	[ebp+var_8], ecx
		mov	[ebp+var_4], edx
		lea	edi, [edx+edi*2]
		mov	[ebp+var_2C], edi
		cmp	[ebp+var_C], ebx
		jz	short loc_A6D6B0
		mov	ecx, edx
		mov	esi, offset ??_C@_1BC@KGNJPLCF@?$AAV?$AAE?$AAR?$AAI?$AAF?$AAI?$AAE?$AAR@JKADOLAD@
		mov	edi, ecx
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_14]
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		lea	eax, [ecx+10h]
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_2C]
		add	esp, 0Ch
		xor	ecx, ecx
		mov	[ebp+var_4], eax
		mov	[eax-2], cx
		mov	eax, [ebp+var_30]
		mov	ecx, [ebp+var_8]
		jmp	short loc_A6D6B3
; 

loc_A6D6B0:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+160j
		mov	[ebp+var_4], edi

loc_A6D6B3:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+197j
		add	ecx, eax
		mov	[ebp+var_8], ecx

loc_A6D6B8:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+111j
		mov	eax, [ebp+var_28]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		mov	edi, [eax]
		cmp	edi, [ebp+var_34]
		jnz	loc_A6D5C0

loc_A6D6CB:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+A3j
					; VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+FFj
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_20]
		test	eax, eax
		js	loc_A6D792
		mov	edi, [ebp+var_8]
		mov	ecx, [ebp+var_38]
		add	edi, 7
		mov	esi, [ebp+var_C]
		and	edi, 0FFFFFFF8h
		mov	eax, _ViIrpLogDatabase
		add	ecx, 4
		add	esi, edi
		mov	[ebp+var_34], edi
		add	eax, ecx
		mov	[ebp+var_38], eax
		mov	[ebp+var_20], eax
		mov	ecx, [eax]
		jmp	short loc_A6D772
; 

loc_A6D705:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+25Dj
		mov	edx, [ecx+8]
		test	dl, 2
		jnz	short loc_A6D76D
		inc	ebx
		test	dl, 1
		jz	short loc_A6D718
		mov	eax, [ecx+10h]
		jmp	short loc_A6D71B
; 

loc_A6D718:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+1FAj
		mov	eax, [ecx+14h]

loc_A6D71B:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+1FFj
		imul	edx, eax, 28h
		cmp	[ebp+var_C], 0
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], edx
		jz	short loc_A6D760
		mov	eax, [ebp+var_18]
		mov	[eax], edi
		lea	eax, [edx+8]
		mov	edx, [ebp+var_18]
		add	[ebp+var_18], 8
		mov	[edx+4], eax
		mov	eax, [ecx+0Ch]
		mov	edx, [ebp+var_24]
		mov	[esi], eax
		mov	eax, [ebp+var_28]
		mov	[esi+4], eax
		add	esi, 8
		push	edx		; size_t
		lea	eax, [ecx+1Ch]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		mov	edx, [ebp+var_24]
		add	esp, 0Ch
		add	esi, edx

loc_A6D760:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+211j
		mov	ecx, [ebp+var_20]
		add	edi, 8
		mov	eax, [ebp+var_38]
		add	edi, edx
		mov	ecx, [ecx]

loc_A6D76D:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+1F4j
		mov	[ebp+var_20], ecx
		mov	ecx, [ecx]

loc_A6D772:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+1ECj
		cmp	ecx, eax
		jnz	short loc_A6D705
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_3C]
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		mov	ecx, [ebp+arg_8]
		mov	[eax], ebx
		mov	eax, [ebp+var_34]
		mov	[ecx], eax
		mov	eax, [ebp+arg_C]
		mov	[eax], edi
		xor	eax, eax

loc_A6D792:				; CODE XREF: VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+4Aj
					; VfIrpLogRetrieveWmiData(x,x,x,x,x,x)+1C0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_VfIrpLogRetrieveWmiData@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfIrpLogUnlockDatabase(x)
_VfIrpLogUnlockDatabase@4 proc near	; CODE XREF: ViDdiDispatchWmiQueryAllData(x,x)+A7p
					; ViDdiDispatchWmiQueryAllData(x,x)+C3p ...

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, _ViIrpLogDatabase
		push	ebx
		push	esi
		imul	esi, ecx, 0Ch
		push	edi
		and	dword ptr [esi+eax], 0
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	edi, offset _ViIrpLogDatabaseLock
		mov	[ebp+var_1], al
		mov	ecx, edi
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	ebx, _ViIrpLogDatabase
		add	ebx, 4
		add	ebx, esi
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	short loc_A6D80D

loc_A6D7D4:				; CODE XREF: VfIrpLogUnlockDatabase(x)+6Dj
		lea	edi, [esi-4]
		mov	esi, [esi]
		test	byte ptr [edi+0Ch], 4
		jz	short loc_A6D804
		mov	ecx, [edi]
		call	ObfDereferenceObject
		lea	ecx, [edi+4]
		mov	edx, [ecx]
		mov	eax, [ecx+4]
		cmp	[edx+4], ecx
		jnz	short loc_A6D822
		cmp	[eax], ecx
		jnz	short loc_A6D822
		push	0
		mov	[eax], edx
		push	edi
		mov	[edx+4], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A6D804:				; CODE XREF: VfIrpLogUnlockDatabase(x)+44j
		cmp	esi, ebx
		jnz	short loc_A6D7D4
		mov	edi, offset _ViIrpLogDatabaseLock

loc_A6D80D:				; CODE XREF: VfIrpLogUnlockDatabase(x)+39j
		test	ds:byte_70EFC6,	1
		jz	short loc_A6D827
		mov	edx, [ebp+4]
		mov	ecx, edi
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A6D82C
; 

loc_A6D822:				; CODE XREF: VfIrpLogUnlockDatabase(x)+58j
					; VfIrpLogUnlockDatabase(x)+5Cj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_A6D827:				; CODE XREF: VfIrpLogUnlockDatabase(x)+7Bj
		xor	eax, eax
		lock and [edi],	eax

loc_A6D82C:				; CODE XREF: VfIrpLogUnlockDatabase(x)+87j
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VfIrpLogUnlockDatabase@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViIrpLogExposeWmiCallback(x)
_ViIrpLogExposeWmiCallback@4 proc near	; DATA XREF: VfIrpLogRecordEvent(x,x,x)+74o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_VfDdiExposeWmiObjects@0 ; VfDdiExposeWmiObjects()
		push	0
		push	[ebp+arg_0]
		mov	_ViIrpLogDdiLock, 2
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	ebp
		retn	4
_ViIrpLogExposeWmiCallback@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfCtxHookAndConnectInterrupt(x, x, x, x, x,	x, x, x, x, x, x)
_VfCtxHookAndConnectInterrupt@44 proc near
					; CODE XREF: VerifierIoConnectInterrupt(x,x,x,x,x,x,x,x,x,x,x)+26p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		mov	eax, edx
		push	edi
		mov	edi, ecx
		cmp	ds:_ViCtxInitializedIsrStateBlocks, esi
		jz	short loc_A6D892
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		push	esi
		call	_ViCtxAllocateIsrContext@12 ; ViCtxAllocateIsrContext(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A6D889
		mov	eax, 0C000009Ah
		jmp	short loc_A6D8CA
; 

loc_A6D889:				; CODE XREF: VfCtxHookAndConnectInterrupt(x,x,x,x,x,x,x,x,x,x,x)+24j
		mov	eax, offset _ViCtxIsr@8	; ViCtxIsr(x,x)
		mov	ecx, esi
		jmp	short loc_A6D895
; 

loc_A6D892:				; CODE XREF: VfCtxHookAndConnectInterrupt(x,x,x,x,x,x,x,x,x,x,x)+13j
		mov	ecx, [ebp+arg_0]

loc_A6D895:				; CODE XREF: VfCtxHookAndConnectInterrupt(x,x,x,x,x,x,x,x,x,x,x)+34j
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	ecx
		push	eax
		push	edi
		call	ds:_pXdvIoConnectInterrupt
		mov	edi, eax
		test	edi, edi
		jns	short loc_A6D8C8
		test	esi, esi
		jz	short loc_A6D8C8
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A6D8C8:				; CODE XREF: VfCtxHookAndConnectInterrupt(x,x,x,x,x,x,x,x,x,x,x)+5Ej
					; VfCtxHookAndConnectInterrupt(x,x,x,x,x,x,x,x,x,x,x)+62j
		mov	eax, edi

loc_A6D8CA:				; CODE XREF: VfCtxHookAndConnectInterrupt(x,x,x,x,x,x,x,x,x,x,x)+2Bj
		pop	edi
		pop	esi
		pop	ebp
		retn	24h
_VfCtxHookAndConnectInterrupt@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfCtxHookAndConnectInterruptEx(x)
_VfCtxHookAndConnectInterruptEx@4 proc near ; CODE XREF: VerifierIoConnectInterruptEx(x)+8p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		push	30h		; size_t
		xor	ebx, ebx
		lea	eax, [esp+44h+var_30]
		push	ebx		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		add	esp, 0Ch
		mov	[esp+40h+var_34], ebx
		cmp	ds:_ViCtxInitializedIsrStateBlocks, ebx
		jz	short loc_A6D954
		mov	eax, [edi]
		cmp	eax, 1
		jz	short loc_A6D90F
		cmp	eax, 2
		jz	short loc_A6D90F
		cmp	eax, 3
		jnz	short loc_A6D954

loc_A6D90F:				; CODE XREF: VfCtxHookAndConnectInterruptEx(x)+33j
					; VfCtxHookAndConnectInterruptEx(x)+38j
		lea	eax, [esp+40h+var_34]
		mov	edx, edi
		push	eax
		lea	ecx, [esp+44h+var_30]
		call	_ViCtxSetPrivateConnectParameters@12 ; ViCtxSetPrivateConnectParameters(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A6D95D
		lea	eax, [esp+40h+var_30]
		push	eax
		call	ds:_pXdvIoConnectInterruptEx
		mov	esi, eax
		cmp	[esp+44h+var_38], ebx
		jz	short loc_A6D95D
		push	esi
		lea	edx, [esp+48h+var_34]
		mov	ecx, edi
		call	_ViCtxGetPrivateConnectParameters@12 ; ViCtxGetPrivateConnectParameters(x,x,x)
		test	esi, esi
		jns	short loc_A6D95D
		push	ebx
		push	[esp+48h+var_38]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A6D95D
; 

loc_A6D954:				; CODE XREF: VfCtxHookAndConnectInterruptEx(x)+2Cj
					; VfCtxHookAndConnectInterruptEx(x)+3Dj
		push	edi
		call	ds:_pXdvIoConnectInterruptEx
		mov	esi, eax

loc_A6D95D:				; CODE XREF: VfCtxHookAndConnectInterruptEx(x)+53j
					; VfCtxHookAndConnectInterruptEx(x)+66j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_VfCtxHookAndConnectInterruptEx@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfCtxInit()
_VfCtxInit@0	proc near		; CODE XREF: VfInitVerifierComponents(x,x,x)+26Fp
		test	_MmVerifierData, 800h
		jz	short locret_A6D9E0
		mov	eax, ds:_KeFeatureBits
		and	eax, 400000h
		or	eax, 0
		jz	short loc_A6D9A9
		mov	ecx, ds:0FFDF03D8h
		mov	eax, ecx
		mov	edx, ds:0FFDF03DCh
		or	eax, edx
		jz	short loc_A6D9A9
		mov	ds:_ViCtxXStateEnabledMask, ecx
		mov	ds:dword_AAF4FC, edx
		mov	eax, ds:0FFDF03E8h
		mov	ds:_ViCtxXStateSize, eax

loc_A6D9A9:				; CODE XREF: VfCtxInit()+19j
					; VfCtxInit()+2Bj
		push	esi
		push	edi
		push	10h
		mov	esi, offset unk_AAF804
		pop	edi

loc_A6D9B3:				; CODE XREF: VfCtxInit()+76j
		mov	eax, ds:_ViCtxXStateEnabledMask
		or	eax, ds:dword_AAF4FC
		jz	short loc_A6D9CF
		lea	ecx, [esi-4]
		call	_ViCtxAllocateXStateContexts@4 ; ViCtxAllocateXStateContexts(x)
		test	eax, eax
		jz	short loc_A6D9CF
		or	dword ptr [esi], 1

loc_A6D9CF:				; CODE XREF: VfCtxInit()+58j
					; VfCtxInit()+64j
		lock inc ds:_ViCtxInitializedIsrStateBlocks
		add	esi, 50h
		sub	edi, 1
		jnz	short loc_A6D9B3
		pop	edi
		pop	esi

locret_A6D9E0:				; CODE XREF: VfCtxInit()+Aj
		retn
_VfCtxInit@0	endp


;  S U B	R O U T	I N E 


; __stdcall VfCtxUnhookAndDisconnectInterruptEx(x)
_VfCtxUnhookAndDisconnectInterruptEx@4 proc near
					; CODE XREF: VerifierIoDisconnectInterruptEx(x)+8p
		mov	eax, [ecx]
		push	esi
		xor	esi, esi
		cmp	ds:_ViCtxInitializedIsrStateBlocks, esi
		jz	short loc_A6DA0F
		cmp	eax, 1
		jz	short loc_A6DA05
		cmp	eax, 2
		jz	short loc_A6DA05
		cmp	eax, 3
		jnz	short loc_A6DA0F
		mov	eax, [ecx+4]
		mov	eax, [eax+14h]
		jmp	short loc_A6DA08
; 

loc_A6DA05:				; CODE XREF: VfCtxUnhookAndDisconnectInterruptEx(x)+10j
					; VfCtxUnhookAndDisconnectInterruptEx(x)+15j
		mov	eax, [ecx+4]

loc_A6DA08:				; CODE XREF: VfCtxUnhookAndDisconnectInterruptEx(x)+22j
		test	eax, eax
		jz	short loc_A6DA0F
		mov	esi, [eax+18h]

loc_A6DA0F:				; CODE XREF: VfCtxUnhookAndDisconnectInterruptEx(x)+Bj
					; VfCtxUnhookAndDisconnectInterruptEx(x)+1Aj ...
		push	ecx
		call	ds:_pXdvIoDisconnectInterruptEx
		test	esi, esi
		jz	short loc_A6DA22
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A6DA22:				; CODE XREF: VfCtxUnhookAndDisconnectInterruptEx(x)+37j
		pop	esi
		retn
_VfCtxUnhookAndDisconnectInterruptEx@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViCtxAllocateIsrContext(x, x, x)
_ViCtxAllocateIsrContext@12 proc near	; CODE XREF: VfCtxHookAndConnectInterrupt(x,x,x,x,x,x,x,x,x,x,x)+1Bp
					; ViCtxSetPrivateConnectParameters(x,x,x)+60p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	72734956h
		push	0Ch
		push	200h
		mov	esi, edx
		mov	edi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_A6DA4F
		mov	ecx, [ebp+arg_0]
		mov	[eax], edi
		mov	[eax+4], esi
		mov	[eax+8], ecx

loc_A6DA4F:				; CODE XREF: ViCtxAllocateIsrContext(x,x,x)+1Ej
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_ViCtxAllocateIsrContext@12 endp


;  S U B	R O U T	I N E 


; __stdcall ViCtxAllocateXStateContexts(x)
_ViCtxAllocateXStateContexts@4 proc near ; CODE	XREF: VfCtxInit()+5Dp
		mov	edi, edi
		push	edi
		push	ds:_ViCtxXStateSize
		mov	edi, ecx
		lea	ecx, [edi+10h]
		call	_KeAllocateXStateContext@12 ; KeAllocateXStateContext(x,x,x)
		test	eax, eax
		jns	short loc_A6DA70
		xor	eax, eax
		pop	edi
		retn
; 

loc_A6DA70:				; CODE XREF: ViCtxAllocateXStateContexts(x)+15j
		push	esi
		push	ds:_ViCtxXStateSize
		lea	ecx, [edi+30h]
		call	_KeAllocateXStateContext@12 ; KeAllocateXStateContext(x,x,x)
		test	eax, eax
		jns	short loc_A6DA8F
		lea	ecx, [edi+30h]
		call	_KeFreeXStateContext@4 ; KeFreeXStateContext(x)
		xor	eax, eax
		jmp	short loc_A6DAB1
; 

loc_A6DA8F:				; CODE XREF: ViCtxAllocateXStateContexts(x)+2Cj
		mov	esi, ds:_ViCtxXStateSize
		push	esi		; size_t
		push	0		; int
		push	dword ptr [edi+20h] ; void *
		call	_memset
		push	esi		; size_t
		push	0		; int
		push	dword ptr [edi+40h] ; void *
		call	_memset
		xor	eax, eax
		add	esp, 18h
		inc	eax

loc_A6DAB1:				; CODE XREF: ViCtxAllocateXStateContexts(x)+38j
		pop	esi
		pop	edi
		retn
_ViCtxAllocateXStateContexts@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViCtxCaptureInitialIsrState(x)
_ViCtxCaptureInitialIsrState@4 proc near ; CODE	XREF: ViCtxIsr(x,x)+Bp
					; ViCtxIsrMessageBased(x,x,x)+Bp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		lock inc ds:_ViCtxInterrupts
		call	_ViCtxReserveIsrStateBlock@0 ; ViCtxReserveIsrStateBlock()
		mov	esi, eax
		test	esi, esi
		jz	short loc_A6DB09
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edx, ds:dword_AAF4FC
		mov	[esi+8], al
		mov	eax, ds:_ViCtxXStateEnabledMask
		mov	ecx, eax
		and	ecx, 0FFFFFFFCh
		or	ecx, edx
		jnz	short loc_A6DAEE
		cmp	[edi+32h], cl
		jnz	short loc_A6DB02

loc_A6DAEE:				; CODE XREF: ViCtxCaptureInitialIsrState(x)+33j
		test	byte ptr [esi+4], 1
		jz	short loc_A6DB02
		mov	ecx, [esi+20h]
		push	edx
		push	eax
		call	RtlXSave
		or	dword ptr [esi+4], 2

loc_A6DB02:				; CODE XREF: ViCtxCaptureInitialIsrState(x)+38j
					; ViCtxCaptureInitialIsrState(x)+3Ej
		lock inc ds:_ViCtxInterruptsChecked

loc_A6DB09:				; CODE XREF: ViCtxCaptureInitialIsrState(x)+16j
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_ViCtxCaptureInitialIsrState@4 endp ; sp = -8


;  S U B	R O U T	I N E 


; __stdcall ViCtxCheckAndReleaseIsrState(x, x)
_ViCtxCheckAndReleaseIsrState@8	proc near ; CODE XREF: ViCtxIsr(x,x)+27p
					; ViCtxIsrMessageBased(x,x,x)+2Cp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	[esi+9], al
		cmp	[esi+8], al
		jnz	short loc_A6DB56
		test	byte ptr [esi+4], 2
		jz	short loc_A6DB4F
		push	ds:dword_AAF4FC
		mov	ecx, [esi+40h]
		push	ds:_ViCtxXStateEnabledMask
		call	RtlXSave
		mov	edx, [esi+40h]
		push	ecx
		mov	ecx, [esi+20h]
		call	_ViCtxEqualExtendedState@12 ; ViCtxEqualExtendedState(x,x,x)
		movzx	eax, al
		jmp	short loc_A6DB52
; 

loc_A6DB4F:				; CODE XREF: ViCtxCheckAndReleaseIsrState(x,x)+1Aj
		xor	eax, eax
		inc	eax

loc_A6DB52:				; CODE XREF: ViCtxCheckAndReleaseIsrState(x,x)+3Fj
		test	eax, eax
		jnz	short loc_A6DBBE

loc_A6DB56:				; CODE XREF: ViCtxCheckAndReleaseIsrState(x,x)+14j
		mov	cl, [esi+8]
		mov	al, [esi+9]
		cmp	cl, al
		jz	short loc_A6DB82
		movzx	eax, al
		push	eax
		movzx	eax, cl
		push	eax
		push	edi		; char
		push	offset ??_C@_0GN@DPOIDMGL@Interrupt?5Service?5Routine?5?$CFp?5ha@JKADOLAD@ ; char *
		call	_VfUtilDbgPrint
		movzx	eax, byte ptr [esi+8]
		mov	edx, 111h
		movzx	ecx, byte ptr [esi+9]
		jmp	short loc_A6DB9E
; 

loc_A6DB82:				; CODE XREF: ViCtxCheckAndReleaseIsrState(x,x)+50j
		push	dword ptr [esi+40h]
		push	dword ptr [esi+20h]
		push	edi		; char
		push	offset ??_C@_0JG@BKPPEEMD@Interrupt?5Service?5Routine?5?$CFp?5ha@JKADOLAD@ ; char *
		call	_VfUtilDbgPrint
		mov	eax, [esi+20h]
		mov	edx, 110h
		mov	ecx, [esi+40h]

loc_A6DB9E:				; CODE XREF: ViCtxCheckAndReleaseIsrState(x,x)+72j
		add	esp, 10h
		push	ecx
		push	eax
		push	edi
		mov	ecx, 0C4h
		call	_VfErrorStoreTriageInformation@20 ; VfErrorStoreTriageInformation(x,x,x,x,x)
		nop
		int	2Ch		; Internal routine for MSDOS (IRET)
		test	eax, eax
		jz	short loc_A6DBBE
		xor	eax, eax
		mov	ecx, offset _VfErrorBugcheckDataReady
		xchg	eax, [ecx]

loc_A6DBBE:				; CODE XREF: ViCtxCheckAndReleaseIsrState(x,x)+46j
					; ViCtxCheckAndReleaseIsrState(x,x)+A5j
		and	dword ptr [esi+4], 0FFFFFFFDh
		xor	eax, eax
		xchg	eax, [esi]
		pop	edi
		pop	esi
		retn
_ViCtxCheckAndReleaseIsrState@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViCtxEqualExtendedState(x, x, x)
_ViCtxEqualExtendedState@12 proc near	; CODE XREF: ViCtxCheckAndReleaseIsrState(x,x)+37p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		mov	eax, [edi+204h]
		and	eax, [esi+204h]
		mov	ebx, [edi+200h]
		and	eax, ds:0FFDF03DCh
		and	ebx, [esi+200h]
		and	ebx, ds:0FFDF03D8h
		mov	[ebp+var_8], eax
		mov	eax, ebx
		and	eax, 1
		mov	[ebp+var_4], ebx
		or	eax, 0
		jz	short loc_A6DC4E
		mov	ax, [edi]
		cmp	ax, [esi]
		jnz	loc_A6DCD0
		mov	ax, [edi+2]
		cmp	ax, [esi+2]
		jnz	loc_A6DCD0
		mov	al, [edi+4]
		cmp	al, [esi+4]
		jnz	loc_A6DCD0
		push	80h		; size_t
		lea	eax, [esi+20h]
		push	eax		; void *
		lea	eax, [edi+20h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_A6DCD0

loc_A6DC4E:				; CODE XREF: ViCtxEqualExtendedState(x,x,x)+40j
		mov	eax, ebx
		push	2
		pop	ebx
		and	eax, ebx
		or	eax, 0
		jz	short loc_A6DC89
		mov	eax, [edi+18h]
		cmp	eax, [esi+18h]
		jnz	short loc_A6DCD0
		mov	eax, [edi+1Ch]
		cmp	eax, [esi+1Ch]
		jnz	short loc_A6DCD0
		push	80h		; size_t
		lea	eax, [esi+0A0h]
		push	eax		; void *
		lea	eax, [edi+0A0h]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A6DCD0

loc_A6DC89:				; CODE XREF: ViCtxEqualExtendedState(x,x,x)+8Fj
					; ViCtxEqualExtendedState(x,x,x)+FCj
		xor	eax, eax
		xor	edx, edx
		inc	eax
		mov	ecx, ebx
		call	__allshl
		and	eax, [ebp+var_4]
		and	edx, [ebp+var_8]
		or	eax, edx
		jz	short loc_A6DCC1
		mov	ecx, ds:0FFDF03F0h[ebx*8]
		push	dword ptr ds:0FFDF03F4h[ebx*8] ; size_t
		lea	eax, [ecx+esi]
		push	eax		; void *
		lea	eax, [ecx+edi]
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_A6DCD0

loc_A6DCC1:				; CODE XREF: ViCtxEqualExtendedState(x,x,x)+D4j
		inc	ebx
		cmp	ebx, 40h
		jb	short loc_A6DC89
		mov	al, 1

loc_A6DCC9:				; CODE XREF: ViCtxEqualExtendedState(x,x,x)+109j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_A6DCD0:				; CODE XREF: ViCtxEqualExtendedState(x,x,x)+48j
					; ViCtxEqualExtendedState(x,x,x)+56j ...
		xor	al, al
		jmp	short loc_A6DCC9
_ViCtxEqualExtendedState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViCtxGetPrivateConnectParameters(x,	x, x)
_ViCtxGetPrivateConnectParameters@12 proc near
					; CODE XREF: VfCtxHookAndConnectInterruptEx(x)+6Fp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		mov	eax, [edx]
		mov	[ecx], eax
		jl	short loc_A6DCFA
		mov	eax, [edx]
		sub	eax, 1
		jz	short loc_A6DCF4
		sub	eax, 1
		jz	short loc_A6DCF4
		sub	eax, 1
		jnz	short loc_A6DCFA

loc_A6DCF4:				; CODE XREF: ViCtxGetPrivateConnectParameters(x,x,x)+14j
					; ViCtxGetPrivateConnectParameters(x,x,x)+19j
		mov	eax, [edx+8]
		mov	[ecx+8], eax

loc_A6DCFA:				; CODE XREF: ViCtxGetPrivateConnectParameters(x,x,x)+Dj
					; ViCtxGetPrivateConnectParameters(x,x,x)+1Ej
		pop	ebp
		retn	4
_ViCtxGetPrivateConnectParameters@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViCtxIsr(x,	x)
_ViCtxIsr@8	proc near		; DATA XREF: VfCtxHookAndConnectInterrupt(x,x,x,x,x,x,x,x,x,x,x):loc_A6D889o
					; ViCtxSetPrivateConnectParameters(x,x,x):loc_A6DE2Eo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		call	_ViCtxCaptureInitialIsrState@4 ; ViCtxCaptureInitialIsrState(x)
		mov	esi, [ebp+arg_4]
		mov	edi, eax
		push	dword ptr [esi+4]
		push	[ebp+arg_0]
		call	dword ptr [esi]
		mov	bl, al
		test	edi, edi
		jz	short loc_A6DD2A
		mov	edx, [esi]
		mov	ecx, edi
		call	_ViCtxCheckAndReleaseIsrState@8	; ViCtxCheckAndReleaseIsrState(x,x)

loc_A6DD2A:				; CODE XREF: ViCtxIsr(x,x)+21j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
_ViCtxIsr@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViCtxIsrMessageBased(x, x, x)
_ViCtxIsrMessageBased@12 proc near	; DATA XREF: ViCtxSetPrivateConnectParameters(x,x,x)+7Fo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		call	_ViCtxCaptureInitialIsrState@4 ; ViCtxCaptureInitialIsrState(x)
		mov	esi, [ebp+arg_4]
		mov	edi, eax
		push	[ebp+arg_8]
		push	dword ptr [esi+4]
		push	[ebp+arg_0]
		call	dword ptr [esi+8]
		mov	bl, al
		test	edi, edi
		jz	short loc_A6DD64
		mov	edx, [esi+8]
		mov	ecx, edi
		call	_ViCtxCheckAndReleaseIsrState@8	; ViCtxCheckAndReleaseIsrState(x,x)

loc_A6DD64:				; CODE XREF: ViCtxIsrMessageBased(x,x,x)+25j
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	0Ch
_ViCtxIsrMessageBased@12 endp


;  S U B	R O U T	I N E 


; __stdcall ViCtxReserveIsrStateBlock()
_ViCtxReserveIsrStateBlock@0 proc near	; CODE XREF: ViCtxCaptureInitialIsrState(x)+Dp
		xor	edx, edx
		push	esi

loc_A6DD70:				; CODE XREF: ViCtxReserveIsrStateBlock()+2Cj
		xor	eax, eax
		inc	eax
		lock xadd ds:_ViCtxHintIndex, eax
		inc	eax
		and	eax, 0Fh
		xor	ecx, ecx
		imul	eax, 50h
		inc	ecx
		lea	esi, _ViCtxIsrStateBlocks[eax]
		xor	eax, eax
		lock cmpxchg [esi], ecx
		test	eax, eax
		jz	short loc_A6DD9F
		inc	edx
		cmp	edx, 10h
		jb	short loc_A6DD70
		xor	eax, eax
		pop	esi
		retn
; 

loc_A6DD9F:				; CODE XREF: ViCtxReserveIsrStateBlock()+26j
		mov	eax, esi
		pop	esi
		retn
_ViCtxReserveIsrStateBlock@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViCtxSetPrivateConnectParameters(x,	x, x)
_ViCtxSetPrivateConnectParameters@12 proc near
					; CODE XREF: VfCtxHookAndConnectInterruptEx(x)+4Ap

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_0]
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		and	dword ptr [eax], 0
		mov	ebx, ecx
		push	edi
		push	0Ch
		pop	eax
		mov	ecx, eax
		mov	[ebp+var_4], eax
		mov	esi, edx
		mov	edi, ebx
		rep movsd
		mov	ecx, [ebx]
		sub	ecx, 1
		jz	short loc_A6DDEC
		sub	ecx, 1
		jz	short loc_A6DDE7
		sub	ecx, 1
		jz	short loc_A6DDDF
		mov	eax, 0C00000BBh
		jmp	short loc_A6DE37
; 

loc_A6DDDF:				; CODE XREF: ViCtxSetPrivateConnectParameters(x,x,x)+33j
		push	1Ch
		lea	esi, [ebx+0Ch]
		pop	eax
		jmp	short loc_A6DDEF
; 

loc_A6DDE7:				; CODE XREF: ViCtxSetPrivateConnectParameters(x,x,x)+2Ej
		mov	esi, [ebp+var_8]
		jmp	short loc_A6DDF2
; 

loc_A6DDEC:				; CODE XREF: ViCtxSetPrivateConnectParameters(x,x,x)+29j
		mov	esi, [ebp+var_8]

loc_A6DDEF:				; CODE XREF: ViCtxSetPrivateConnectParameters(x,x,x)+42j
		mov	[ebp+var_4], eax

loc_A6DDF2:				; CODE XREF: ViCtxSetPrivateConnectParameters(x,x,x)+47j
		test	esi, esi
		jz	short loc_A6DDFA
		mov	ecx, [esi]
		jmp	short loc_A6DDFC
; 

loc_A6DDFA:				; CODE XREF: ViCtxSetPrivateConnectParameters(x,x,x)+51j
		xor	ecx, ecx

loc_A6DDFC:				; CODE XREF: ViCtxSetPrivateConnectParameters(x,x,x)+55j
		mov	edx, [ebx+10h]
		push	ecx
		mov	ecx, [eax+ebx]
		call	_ViCtxAllocateIsrContext@12 ; ViCtxAllocateIsrContext(x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		test	eax, eax
		jnz	short loc_A6DE18
		mov	eax, 0C000009Ah
		jmp	short loc_A6DE37
; 

loc_A6DE18:				; CODE XREF: ViCtxSetPrivateConnectParameters(x,x,x)+6Cj
		mov	[ebx+10h], eax
		mov	eax, [ebp+var_4]
		test	esi, esi
		jz	short loc_A6DE2E
		mov	dword ptr [esi], offset	_ViCtxIsrMessageBased@12 ; ViCtxIsrMessageBased(x,x,x)
		cmp	dword ptr [eax+ebx], 0
		jz	short loc_A6DE35

loc_A6DE2E:				; CODE XREF: ViCtxSetPrivateConnectParameters(x,x,x)+7Dj
		mov	dword ptr [eax+ebx], offset _ViCtxIsr@8	; ViCtxIsr(x,x)

loc_A6DE35:				; CODE XREF: ViCtxSetPrivateConnectParameters(x,x,x)+89j
		xor	eax, eax

loc_A6DE37:				; CODE XREF: ViCtxSetPrivateConnectParameters(x,x,x)+3Aj
					; ViCtxSetPrivateConnectParameters(x,x,x)+73j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_ViCtxSetPrivateConnectParameters@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierExAcquireFastMutex(x)
@VerifierExAcquireFastMutex@4 proc near	; DATA XREF: PAGEVRFD:00AA869Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _MmVerifierData
		push	ebx
		push	esi
		mov	esi, ecx
		test	eax, 800h
		jz	short loc_A6DE63
		shr	eax, 11h
		mov	edx, esi
		and	eax, 1
		push	eax
		call	_ViExCheckAPCLevelOrBelow@12 ; ViExCheckAPCLevelOrBelow(x,x,x)
		jmp	short loc_A6DE69
; 

loc_A6DE63:				; CODE XREF: VerifierExAcquireFastMutex(x)+13j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()

loc_A6DE69:				; CODE XREF: VerifierExAcquireFastMutex(x)+23j
		mov	ecx, esi
		mov	bl, al
		call	ds:_pXdvExAcquireFastMutex
		cmp	_KernelVerifier, 0
		jnz	short loc_A6DEA4
		test	_MmVerifierData, 400000h
		jz	short loc_A6DE91
		test	byte ptr _VfFlightOptions, 9
		jz	short loc_A6DEA4

loc_A6DE91:				; CODE XREF: VerifierExAcquireFastMutex(x)+48j
		mov	dl, 1
		mov	cl, bl
		call	_VfKeIrqlTransitionReserveLogEntry@8 ; VfKeIrqlTransitionReserveLogEntry(x,x)
		push	2
		pop	edx
		mov	ecx, eax
		call	_ViKeIrqlLogCommon@8 ; ViKeIrqlLogCommon(x,x)

loc_A6DEA4:				; CODE XREF: VerifierExAcquireFastMutex(x)+3Cj
					; VerifierExAcquireFastMutex(x)+51j
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		mov	ecx, esi
		push	0
		push	eax
		push	3
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)
		pop	esi
		pop	ebx
		pop	ebp
		retn
@VerifierExAcquireFastMutex@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExAcquireFastMutexNoReboot(x)
@VerifierExAcquireFastMutexNoReboot@4 proc near	; DATA XREF: PAGEVRFD:00AA86ACo
		test	_MmVerifierData, 800h
		push	ebx
		push	esi
		mov	esi, ecx
		jz	short loc_A6DED9
		push	0
		mov	edx, esi
		call	_ViExCheckAPCLevelOrBelow@12 ; ViExCheckAPCLevelOrBelow(x,x,x)
		jmp	short loc_A6DEDF
; 

loc_A6DED9:				; CODE XREF: VerifierExAcquireFastMutexNoReboot(x)+Ej
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()

loc_A6DEDF:				; CODE XREF: VerifierExAcquireFastMutexNoReboot(x)+19j
		mov	ecx, esi
		mov	bl, al
		call	ds:_pXdvExAcquireFastMutex
		cmp	_KernelVerifier, 0
		jnz	short loc_A6DF1C
		test	_MmVerifierData, 400000h
		jz	short loc_A6DF07
		test	byte ptr _VfFlightOptions, 9
		jz	short loc_A6DF1C

loc_A6DF07:				; CODE XREF: VerifierExAcquireFastMutexNoReboot(x)+3Ej
		mov	dl, 1
		mov	cl, bl
		call	_VfKeIrqlTransitionReserveLogEntry@8 ; VfKeIrqlTransitionReserveLogEntry(x,x)
		push	2
		pop	edx
		pop	esi
		mov	ecx, eax
		pop	ebx
		jmp	_ViKeIrqlLogCommon@8 ; ViKeIrqlLogCommon(x,x)
; 

loc_A6DF1C:				; CODE XREF: VerifierExAcquireFastMutexNoReboot(x)+32j
					; VerifierExAcquireFastMutexNoReboot(x)+47j
		pop	esi
		pop	ebx
		retn
@VerifierExAcquireFastMutexNoReboot@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierExAcquireFastMutexUnsafe(x)
@VerifierExAcquireFastMutexUnsafe@4 proc near ;	DATA XREF: PAGEVRFD:00AA8664o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		call	@VerifierExAcquireFastMutexUnsafeNoReboot@4 ; VerifierExAcquireFastMutexUnsafeNoReboot(x)
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		mov	ecx, esi
		push	0
		push	eax
		push	4
		pop	edx
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)
		pop	esi
		pop	ebp
		retn
@VerifierExAcquireFastMutexUnsafe@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExAcquireFastMutexUnsafeNoReboot(x)
@VerifierExAcquireFastMutexUnsafeNoReboot@4 proc near
					; CODE XREF: VerifierExAcquireFastMutexUnsafe(x)+8p
					; DATA XREF: PAGEVRFD:00AA8674o
		test	_MmVerifierData, 800h
		push	esi
		mov	esi, ecx
		jz	short loc_A6DF5E
		push	39h
		mov	edx, esi
		pop	ecx
		call	_ViExCheckAPCsDisabled@8 ; ViExCheckAPCsDisabled(x,x)

loc_A6DF5E:				; CODE XREF: VerifierExAcquireFastMutexUnsafeNoReboot(x)+Dj
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvExAcquireFastMutexUnsafe
@VerifierExAcquireFastMutexUnsafeNoReboot@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierExReleaseFastMutex(x)
@VerifierExReleaseFastMutex@4 proc near	; DATA XREF: PAGEVRFD:00AA86D4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, ecx
		call	_ViExReleaseFastMutexCommon@4 ;	ViExReleaseFastMutexCommon(x)
		push	dword ptr [ebp+4]
		mov	edx, large fs:124h
		mov	ecx, edi
		push	edx
		push	3
		pop	edx
		mov	esi, eax
		call	_VfDeadlockReleaseResource@16 ;	VfDeadlockReleaseResource(x,x,x,x)
		mov	ecx, edi
		call	ds:_pXdvExReleaseFastMutex
		xor	edx, edx
		mov	ecx, esi
		pop	edi
		inc	edx
		pop	esi
		pop	ebp
		jmp	_ViKeIrqlLogCommon@8 ; ViKeIrqlLogCommon(x,x)
@VerifierExReleaseFastMutex@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExReleaseFastMutexNoReboot(x)
@VerifierExReleaseFastMutexNoReboot@4 proc near	; DATA XREF: PAGEVRFD:00AA86E4o
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_ViExReleaseFastMutexCommon@4 ;	ViExReleaseFastMutexCommon(x)
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvExReleaseFastMutex
@VerifierExReleaseFastMutexNoReboot@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierExReleaseFastMutexUnsafe(x)
@VerifierExReleaseFastMutexUnsafe@4 proc near ;	DATA XREF: PAGEVRFD:00AA8680o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	_MmVerifierData, 800h
		push	esi
		mov	esi, ecx
		jz	short loc_A6DFD2
		push	3Ah
		mov	edx, esi
		pop	ecx
		call	_ViExCheckAPCsDisabled@8 ; ViExCheckAPCsDisabled(x,x)

loc_A6DFD2:				; CODE XREF: VerifierExReleaseFastMutexUnsafe(x)+12j
		push	dword ptr [ebp+4]
		mov	eax, large fs:124h
		mov	ecx, esi
		push	eax
		push	4
		pop	edx
		call	_VfDeadlockReleaseResource@16 ;	VfDeadlockReleaseResource(x,x,x,x)
		mov	ecx, esi
		pop	esi
		pop	ebp
		jmp	ds:_pXdvExReleaseFastMutexUnsafe
@VerifierExReleaseFastMutexUnsafe@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExReleaseFastMutexUnsafeNoReboot(x)
@VerifierExReleaseFastMutexUnsafeNoReboot@4 proc near ;	DATA XREF: PAGEVRFD:00AA8690o
		test	_MmVerifierData, 800h
		push	esi
		mov	esi, ecx
		jz	short loc_A6E009
		push	3Ah
		mov	edx, esi
		pop	ecx
		call	_ViExCheckAPCsDisabled@8 ; ViExCheckAPCsDisabled(x,x)

loc_A6E009:				; CODE XREF: VerifierExReleaseFastMutexUnsafeNoReboot(x)+Dj
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvExReleaseFastMutexUnsafe
@VerifierExReleaseFastMutexUnsafeNoReboot@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __fastcall VerifierExTryToAcquireFastMutex(x)
@VerifierExTryToAcquireFastMutex@4 proc	near ; DATA XREF: PAGEVRFD:00AA86B8o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, _MmVerifierData
		push	ebx
		shr	edx, 11h
		push	esi
		and	edx, 1
		mov	esi, ecx
		call	_ViExTryToAcquireFastMutexCommon@8 ; ViExTryToAcquireFastMutexCommon(x,x)
		mov	bl, al
		test	bl, bl
		jz	short loc_A6E049
		push	dword ptr [ebp+4]
		mov	ecx, large fs:124h
		push	1
		push	ecx
		push	3
		pop	edx
		mov	ecx, esi
		call	_VfDeadlockAcquireResource@20 ;	VfDeadlockAcquireResource(x,x,x,x,x)

loc_A6E049:				; CODE XREF: VerifierExTryToAcquireFastMutex(x)+1Ej
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn
@VerifierExTryToAcquireFastMutex@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExTryToAcquireFastMutexNoReboot(x)
@VerifierExTryToAcquireFastMutexNoReboot@4 proc	near ; DATA XREF: PAGEVRFD:00AA86C8o
		xor	edx, edx
		jmp	_ViExTryToAcquireFastMutexCommon@8 ; ViExTryToAcquireFastMutexCommon(x,x)
@VerifierExTryToAcquireFastMutexNoReboot@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExfAcquirePushLockExclusive(x)
@VerifierExfAcquirePushLockExclusive@4 proc near ; DATA	XREF: PAGEVRFD:00AAAF54o
		test	_MmVerifierData, 800h
		push	esi
		mov	esi, ecx
		jz	short loc_A6E071
		mov	edx, esi
		mov	ecx, 0EAh
		call	_ViExCheckAPCsDisabled@8 ; ViExCheckAPCsDisabled(x,x)

loc_A6E071:				; CODE XREF: VerifierExfAcquirePushLockExclusive(x)+Dj
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvExfAcquirePushLockExclusive
@VerifierExfAcquirePushLockExclusive@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExfAcquirePushLockShared(x)
@VerifierExfAcquirePushLockShared@4 proc near ;	DATA XREF: PAGEVRFD:00AAAF6Co
		test	_MmVerifierData, 800h
		push	esi
		mov	esi, ecx
		jz	short loc_A6E095
		mov	edx, esi
		mov	ecx, 0EAh
		call	_ViExCheckAPCsDisabled@8 ; ViExCheckAPCsDisabled(x,x)

loc_A6E095:				; CODE XREF: VerifierExfAcquirePushLockShared(x)+Dj
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvExfAcquirePushLockShared
@VerifierExfAcquirePushLockShared@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExfReleasePushLock(x)
@VerifierExfReleasePushLock@4 proc near	; DATA XREF: PAGEVRFD:00AAAF9Co
		test	_MmVerifierData, 800h
		push	esi
		mov	esi, ecx
		jz	short loc_A6E0B9
		mov	edx, esi
		mov	ecx, 0EBh
		call	_ViExCheckAPCsDisabled@8 ; ViExCheckAPCsDisabled(x,x)

loc_A6E0B9:				; CODE XREF: VerifierExfReleasePushLock(x)+Dj
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvExfReleasePushLock
@VerifierExfReleasePushLock@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExfReleasePushLockShared(x)
@VerifierExfReleasePushLockShared@4 proc near ;	DATA XREF: PAGEVRFD:00AAAFCCo
		test	_MmVerifierData, 800h
		push	esi
		mov	esi, ecx
		jz	short loc_A6E0DD
		mov	edx, esi
		mov	ecx, 0EBh
		call	_ViExCheckAPCsDisabled@8 ; ViExCheckAPCsDisabled(x,x)

loc_A6E0DD:				; CODE XREF: VerifierExfReleasePushLockShared(x)+Dj
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvExfReleasePushLockShared
@VerifierExfReleasePushLockShared@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExfTryAcquirePushLockShared(x)
@VerifierExfTryAcquirePushLockShared@4 proc near ; DATA	XREF: PAGEVRFD:00AAAF84o
		test	_MmVerifierData, 800h
		push	esi
		mov	esi, ecx
		jz	short loc_A6E101
		mov	edx, esi
		mov	ecx, 0EAh
		call	_ViExCheckAPCsDisabled@8 ; ViExCheckAPCsDisabled(x,x)

loc_A6E101:				; CODE XREF: VerifierExfTryAcquirePushLockShared(x)+Dj
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvExfTryAcquirePushLockShared
@VerifierExfTryAcquirePushLockShared@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierExfTryToWakePushLock(x)
@VerifierExfTryToWakePushLock@4	proc near ; DATA XREF: PAGEVRFD:00AAAFB4o
		test	_MmVerifierData, 800h
		push	esi
		mov	esi, ecx
		jz	short loc_A6E125
		mov	edx, esi
		mov	ecx, 0EBh
		call	_ViExCheckAPCsDisabled@8 ; ViExCheckAPCsDisabled(x,x)

loc_A6E125:				; CODE XREF: VerifierExfTryToWakePushLock(x)+Dj
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvExfTryToWakePushLock
@VerifierExfTryToWakePushLock@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierExAllocateCacheAwareRundownProtection(x, x)
_VerifierExAllocateCacheAwareRundownProtection@8 proc near ; DATA XREF:	PAGEVRFD:00AAAB34o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_VfCheckPoolType@12 ; VfCheckPoolType(x,x,x)
		pop	ebp
		jmp	ds:_pXdvExAllocateCacheAwareRundownProtection
_VerifierExAllocateCacheAwareRundownProtection@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPortExAllocatePoolWithQuotaTag(x, x, x, x)
_VerifierPortExAllocatePoolWithQuotaTag@16 proc	near ; DATA XREF: .data:006B3724o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr _MmVerifierData, 8
		jz	short loc_A6E198
		mov	eax, large fs:124h
		push	esi
		xor	esi, esi
		mov	eax, [eax+80h]
		cmp	eax, ds:_PsIdleProcess
		jnz	short loc_A6E17D
		push	esi
		mov	edx, 10Ah
		push	esi
		push	esi
		lea	ecx, [edx-46h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6E17D:				; CODE XREF: VerifierPortExAllocatePoolWithQuotaTag(x,x,x,x)+23j
		mov	al, large fs:235Ch
		test	al, 1
		jz	short loc_A6E197
		push	esi
		mov	edx, 10Bh
		push	esi
		push	esi
		lea	ecx, [edx-47h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6E197:				; CODE XREF: VerifierPortExAllocatePoolWithQuotaTag(x,x,x,x)+3Dj
		pop	esi

loc_A6E198:				; CODE XREF: VerifierPortExAllocatePoolWithQuotaTag(x,x,x,x)+Cj
		mov	eax, [ebp+arg_0]
		test	al, 8
		jz	short loc_A6E1A2
		and	eax, 0FFFFFFF7h

loc_A6E1A2:				; CODE XREF: VerifierPortExAllocatePoolWithQuotaTag(x,x,x,x)+55j
		mov	ecx, _MmVerifierData
		test	ecx, 400000h
		jz	short loc_A6E1C3
		test	cl, 1
		jnz	short loc_A6E1C3
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	eax
		call	ExAllocatePoolWithQuotaTag
		jmp	short loc_A6E1DF
; 

loc_A6E1C3:				; CODE XREF: VerifierPortExAllocatePoolWithQuotaTag(x,x,x,x)+66j
					; VerifierPortExAllocatePoolWithQuotaTag(x,x,x,x)+6Bj
		push	offset _VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		push	[ebp+arg_C]
		or	eax, 80h
		push	20h
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	eax
		call	ds:_pXdvExAllocatePoolWithTagPriority ;	XdvExAllocatePoolInternal(x,x,x,x,x,x)

loc_A6E1DF:				; CODE XREF: VerifierPortExAllocatePoolWithQuotaTag(x,x,x,x)+79j
		pop	ebp
		retn	10h
_VerifierPortExAllocatePoolWithQuotaTag@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierPortExAllocatePoolWithTagPriority(x, x, x, x, x)
_VerifierPortExAllocatePoolWithTagPriority@20 proc near	; DATA XREF: .data:006B3728o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, _MmVerifierData
		test	eax, 400000h
		jz	short loc_A6E20B
		test	al, 1
		jnz	short loc_A6E20B
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ExAllocatePoolWithTagPriority
		jmp	short loc_A6E22B
; 

loc_A6E20B:				; CODE XREF: VerifierPortExAllocatePoolWithTagPriority(x,x,x,x,x)+Fj
					; VerifierPortExAllocatePoolWithTagPriority(x,x,x,x,x)+13j
		mov	eax, [ebp+arg_0]
		push	offset _VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		push	[ebp+arg_10]
		or	eax, 80h
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	eax
		call	ds:_pXdvExAllocatePoolWithTagPriority ;	XdvExAllocatePoolInternal(x,x,x,x,x,x)

loc_A6E22B:				; CODE XREF: VerifierPortExAllocatePoolWithTagPriority(x,x,x,x,x)+26j
		pop	ebp
		retn	14h
_VerifierPortExAllocatePoolWithTagPriority@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViExCheckAPCLevelOrBelow(x,	x, x)
_ViExCheckAPCLevelOrBelow@12 proc near	; CODE XREF: VerifierExAcquireFastMutex(x)+1Ep
					; VerifierExAcquireFastMutexNoReboot(x)+14p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, edx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	[ebp+arg_0], 0
		mov	bl, al
		jnz	short loc_A6E25F
		cmp	bl, 1
		jbe	short loc_A6E25F
		push	0
		push	esi
		movzx	ecx, bl
		push	ecx
		push	33h
		pop	edx
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6E25F:				; CODE XREF: ViExCheckAPCLevelOrBelow(x,x,x)+15j
					; ViExCheckAPCLevelOrBelow(x,x,x)+1Aj
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	4
_ViExCheckAPCLevelOrBelow@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViExCheckAPCsDisabled(x, x)
_ViExCheckAPCsDisabled@8 proc near	; CODE XREF: VerifierExAcquireFastMutexUnsafeNoReboot(x)+14p
					; VerifierExReleaseFastMutexUnsafe(x)+19p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	bl, al
		cmp	bl, 1
		jz	short loc_A6E2C1
		push	esi
		mov	esi, large fs:124h
		test	dword ptr [esi+58h], 400h
		pop	esi
		jnz	short loc_A6E2C1
		mov	ecx, large fs:124h
		cmp	dword ptr [ecx+13Ch], 0
		jnz	short loc_A6E2C1
		mov	eax, large fs:124h
		mov	ecx, 0C4h
		mov	edx, [ebp+var_4]
		push	edi
		push	dword ptr [eax+13Ch]
		movzx	eax, bl
		push	eax
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6E2C1:				; CODE XREF: ViExCheckAPCsDisabled(x,x)+18j
					; ViExCheckAPCsDisabled(x,x)+2Aj ...
		pop	edi
		mov	al, bl
		pop	ebx
		leave
		retn
_ViExCheckAPCsDisabled@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViExReleaseFastMutexCommon(x)
_ViExReleaseFastMutexCommon@4 proc near	; CODE XREF: VerifierExReleaseFastMutex(x)+9p
					; VerifierExReleaseFastMutexNoReboot(x)+5p
		mov	edi, edi
		push	esi
		xor	esi, esi
		test	_MmVerifierData, 800h
		push	edi
		mov	edi, ecx
		jz	short loc_A6E2E7
		push	34h
		mov	edx, edi
		pop	ecx
		call	_ViExCheckAPCsDisabled@8 ; ViExCheckAPCsDisabled(x,x)
		jmp	short loc_A6E2ED
; 

loc_A6E2E7:				; CODE XREF: ViExReleaseFastMutexCommon(x)+12j
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()

loc_A6E2ED:				; CODE XREF: ViExReleaseFastMutexCommon(x)+1Ej
		cmp	_KernelVerifier, esi
		jnz	short loc_A6E301
		mov	dl, [edi+1Ch]
		mov	cl, al
		call	_VfKeIrqlTransitionReserveLogEntry@8 ; VfKeIrqlTransitionReserveLogEntry(x,x)
		mov	esi, eax

loc_A6E301:				; CODE XREF: ViExReleaseFastMutexCommon(x)+2Cj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_ViExReleaseFastMutexCommon@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViExTryToAcquireFastMutexCommon(x, x)
_ViExTryToAcquireFastMutexCommon@8 proc	near
					; CODE XREF: VerifierExTryToAcquireFastMutex(x)+15p
					; VerifierExTryToAcquireFastMutexNoReboot(x)+2j
		test	_MmVerifierData, 800h
		push	ebx
		push	esi
		mov	esi, ecx
		jz	short loc_A6E320
		push	edx
		mov	edx, esi
		call	_ViExCheckAPCLevelOrBelow@12 ; ViExCheckAPCLevelOrBelow(x,x,x)
		jmp	short loc_A6E326
; 

loc_A6E320:				; CODE XREF: ViExTryToAcquireFastMutexCommon(x,x)+Ej
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()

loc_A6E326:				; CODE XREF: ViExTryToAcquireFastMutexCommon(x,x)+18j
		mov	ecx, esi
		mov	bl, al
		call	ds:_pXdvExTryToAcquireFastMutex
		mov	bh, al
		test	bh, bh
		jz	short loc_A6E367
		cmp	_KernelVerifier, 0
		jnz	short loc_A6E367
		test	_MmVerifierData, 400000h
		jz	short loc_A6E354
		test	byte ptr _VfFlightOptions, 9
		jz	short loc_A6E367

loc_A6E354:				; CODE XREF: ViExTryToAcquireFastMutexCommon(x,x)+43j
		mov	dl, 1
		mov	cl, bl
		call	_VfKeIrqlTransitionReserveLogEntry@8 ; VfKeIrqlTransitionReserveLogEntry(x,x)
		push	2
		pop	edx
		mov	ecx, eax
		call	_ViKeIrqlLogCommon@8 ; ViKeIrqlLogCommon(x,x)

loc_A6E367:				; CODE XREF: ViExTryToAcquireFastMutexCommon(x,x)+2Ej
					; ViExTryToAcquireFastMutexCommon(x,x)+37j ...
		pop	esi
		mov	al, bh
		pop	ebx
		retn
_ViExTryToAcquireFastMutexCommon@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFilterAttach(x, x)
_VfFilterAttach@8 proc near		; CODE XREF: VfDevObjPostAddDevice(x,x,x,x,x)+2Ep
					; VfDevObjPreAddDevice(x,x,x,x)+29p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		cmp	ds:_VfFilterCreated, 0
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], 0
		mov	ebx, ecx
		mov	[ebp+var_C], 0
		mov	[ebp+var_8], 0
		jnz	short loc_A6E3BF
		push	offset _VerifierFilterDriverName
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _ViFilterDriverEntry@8 ;	ViFilterDriverEntry(x,x)
		lea	eax, [ebp+var_C]
		push	eax
		call	IoCreateDriver
		mov	ds:_VfFilterCreated, 1

loc_A6E3BF:				; CODE XREF: VfFilterAttach(x,x)+2Bj
		mov	esi, _VfFilterDriverObject
		test	esi, esi
		jz	loc_A6E4D1	; default
		lea	eax, [edi-2]	; switch 5 cases
		cmp	eax, 4
		ja	loc_A6E4D1	; default
		jmp	ds:off_A6E4D8[eax*4] ; switch jump

loc_A6E3E0:				; DATA XREF: PAGEVRFY:off_A6E4D8o
		push	ebx		; case 0x2
		call	_IoGetAttachedDevice@4 ; IoGetAttachedDevice(x)
		mov	edi, eax
		cmp	[edi+8], esi
		jz	loc_A6E4D1	; default
		call	HviIsAnyHypervisorPresent
		test	al, al
		jz	short loc_A6E446
		mov	eax, [edi+8]
		mov	esi, [eax+14h]
		test	esi, esi
		jz	short loc_A6E446
		push	1
		add	esi, 2Ch
		push	esi
		push	(offset	loc_A503EB+5)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_A6E4D1	; default
		push	1
		push	esi
		push	(offset	loc_A503DF+1)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_A6E4D1	; default
		push	1
		push	esi
		push	(offset	loc_A503E3+5)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	loc_A6E4D1	; default

loc_A6E446:				; CODE XREF: VfFilterAttach(x,x)+8Cj
					; VfFilterAttach(x,x)+96j
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, _VfFilterDriverObject
		push	0
		push	100h
		push	22h
		push	0
		push	44h
		push	eax
		call	IoCreateDevice
		test	eax, eax
		js	short loc_A6E4D1 ; default
		mov	esi, [ebp+var_4]
		push	18h
		push	0
		push	0
		mov	edi, [esi+28h]
		push	4C526656h
		lea	eax, [edi+10h]
		push	eax
		call	IoInitializeRemoveLockEx
		push	ebx
		push	esi
		mov	dword ptr [edi+38h], 0
		call	_IoAttachDeviceToDeviceStack@8 ; IoAttachDeviceToDeviceStack(x,x)
		mov	[edi+4], eax
		test	eax, eax
		jnz	short loc_A6E49D
		push	esi
		call	IoDeleteDevice
		jmp	short loc_A6E4D1 ; default
; 

loc_A6E49D:				; CODE XREF: VfFilterAttach(x,x)+127j
		mov	eax, [eax+1Ch]
		mov	ecx, 1
		and	eax, 86014h
		or	[esi+1Ch], eax
		mov	eax, [edi+4]
		mov	eax, [eax+2Ch]
		mov	[esi+2Ch], eax
		mov	eax, [edi+4]
		mov	eax, [eax+20h]
		mov	[esi+20h], eax
		lea	eax, [edi+40h]
		and	dword ptr [esi+1Ch], 0FFFFFF7Fh
		mov	[edi+8], esi
		mov	[edi], ebx
		lock or	[eax], ecx

loc_A6E4D1:				; CODE XREF: VfFilterAttach(x,x)+5Bj
					; VfFilterAttach(x,x)+67j ...
		pop	edi		; default
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_VfFilterAttach@8 endp

; 
off_A6E4D8	dd offset loc_A6E3E0	; DATA XREF: VfFilterAttach(x,x)+6Dr
		dd offset loc_A6E3E0	; jump table for switch	statement
		dd offset loc_A6E4D1
		dd offset loc_A6E3E0
		dd offset loc_A6E3E0

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFilterDeviceUsageNotificationCompletion(x, x, x)
_ViFilterDeviceUsageNotificationCompletion@12 proc near
					; DATA XREF: ViFilterDispatchPnp(x,x):loc_A6E6DFo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		push	edi
		cmp	byte ptr [esi+21h], 0
		jz	short loc_A6E504
		mov	eax, [esi+60h]
		or	byte ptr [eax+3], 1

loc_A6E504:				; CODE XREF: ViFilterDeviceUsageNotificationCompletion(x,x,x)+Fj
		cmp	dword ptr [esi+18h], 0
		mov	edi, [ebp+arg_0]
		mov	ebx, [edi+28h]
		jl	loc_A6E59A
		mov	eax, [esi+60h]
		mov	[ebp+arg_0], eax
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		test	ds:byte_70EFC6,	21h
		lea	ecx, [ebx+38h]
		mov	byte ptr [ebp+arg_4+3],	al
		jz	short loc_A6E536
		call	@KiAcquireSpinLockInstrumented@4 ; KiAcquireSpinLockInstrumented(x)
		jmp	short loc_A6E542
; 

loc_A6E536:				; CODE XREF: ViFilterDeviceUsageNotificationCompletion(x,x,x)+41j
		lock bts dword ptr [ecx], 0
		jnb	short loc_A6E545
		call	KxWaitForSpinLockAndAcquire

loc_A6E542:				; CODE XREF: ViFilterDeviceUsageNotificationCompletion(x,x,x)+48j
		lea	ecx, [ebx+38h]

loc_A6E545:				; CODE XREF: ViFilterDeviceUsageNotificationCompletion(x,x,x)+4Fj
		mov	edx, [ebp+arg_0]
		mov	eax, [ebx+3Ch]
		cmp	byte ptr [edx+4], 0
		jz	short loc_A6E563
		inc	eax
		mov	[ebx+3Ch], eax
		cmp	eax, 1
		jnz	short loc_A6E579
		and	dword ptr [edi+1Ch], 0FFFFDFFFh
		jmp	short loc_A6E579
; 

loc_A6E563:				; CODE XREF: ViFilterDeviceUsageNotificationCompletion(x,x,x)+63j
		add	eax, 0FFFFFFFFh
		mov	[ebx+3Ch], eax
		jnz	short loc_A6E579
		mov	eax, [ebx+4]
		mov	eax, [eax+1Ch]
		and	eax, 2000h
		or	[edi+1Ch], eax

loc_A6E579:				; CODE XREF: ViFilterDeviceUsageNotificationCompletion(x,x,x)+6Cj
					; ViFilterDeviceUsageNotificationCompletion(x,x,x)+75j	...
		test	ds:byte_70EFC6,	1
		jz	short loc_A6E58C
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A6E591
; 

loc_A6E58C:				; CODE XREF: ViFilterDeviceUsageNotificationCompletion(x,x,x)+94j
		xor	eax, eax
		lock and [ecx],	eax

loc_A6E591:				; CODE XREF: ViFilterDeviceUsageNotificationCompletion(x,x,x)+9Ej
		mov	cl, byte ptr [ebp+arg_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A6E59A:				; CODE XREF: ViFilterDeviceUsageNotificationCompletion(x,x,x)+22j
		push	18h
		push	esi
		lea	eax, [ebx+10h]
		push	eax
		call	IoReleaseRemoveLockEx
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	0Ch
_ViFilterDeviceUsageNotificationCompletion@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFilterDispatchGeneric(x, x)
_ViFilterDispatchGeneric@8 proc	near	; DATA XREF: ViFilterDriverEntry(x,x)+21o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+28h]
		mov	[ebp+arg_0], ecx
		mov	eax, [ecx+40h]
		test	al, 1
		jnz	short loc_A6E5CD

loc_A6E5C4:				; CODE XREF: ViFilterDispatchGeneric(x,x)+1Cj
		pause
		mov	eax, [ecx+40h]
		test	al, 1
		jz	short loc_A6E5C4

loc_A6E5CD:				; CODE XREF: ViFilterDispatchGeneric(x,x)+13j
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		add	eax, 10h
		push	esi
		push	18h
		push	1
		push	offset ??_C@_00CNPNBAHC@@JKADOLAD@
		push	ebx
		push	eax
		call	IoAcquireRemoveLockEx
		mov	esi, eax
		test	esi, esi
		jns	short loc_A6E5FE
		xor	dl, dl
		mov	[ebx+18h], esi
		mov	ecx, ebx
		call	IofCompleteRequest
		mov	eax, esi
		jmp	short loc_A6E634
; 

loc_A6E5FE:				; CODE XREF: ViFilterDispatchGeneric(x,x)+3Dj
		mov	esi, [ebx+60h]
		mov	ecx, 7
		push	edi
		mov	edx, ebx
		lea	eax, [esi-24h]
		mov	edi, eax
		rep movsd
		mov	byte ptr [eax+3], 0
		lea	ecx, [ebp+arg_0]
		mov	eax, [ebx+60h]
		mov	dword ptr [eax-8], offset _ViFilterGenericCompletionRoutine@12 ; ViFilterGenericCompletionRoutine(x,x,x)
		mov	[eax-4], ecx
		mov	byte ptr [eax-21h], 0E0h
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+4]
		call	IofCallDriver
		pop	edi

loc_A6E634:				; CODE XREF: ViFilterDispatchGeneric(x,x)+4Dj
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_ViFilterDispatchGeneric@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFilterDispatchPnp(x, x)
_ViFilterDispatchPnp@8 proc near	; DATA XREF: VfDevObjAdjustFdoForVerifierFilters(x)+5o
					; ViFilterDriverEntry(x,x)+28o

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, [ebp+arg_0]
		mov	ecx, [ecx+28h]
		mov	[ebp+var_4], ecx
		mov	eax, [ecx+40h]
		test	al, 1
		jnz	short loc_A6E659

loc_A6E650:				; CODE XREF: ViFilterDispatchPnp(x,x)+1Dj
		pause
		mov	eax, [ecx+40h]
		test	al, 1
		jz	short loc_A6E650

loc_A6E659:				; CODE XREF: ViFilterDispatchPnp(x,x)+14j
		mov	eax, [ebp+var_4]
		push	ebx
		mov	ebx, [ebp+arg_4]
		add	eax, 10h
		push	esi
		push	18h
		push	1
		push	offset ??_C@_00CNPNBAHC@@JKADOLAD@
		push	ebx
		push	eax
		call	IoAcquireRemoveLockEx
		mov	esi, eax
		test	esi, esi
		jns	short loc_A6E68D
		xor	dl, dl
		mov	[ebx+18h], esi
		mov	ecx, ebx
		call	IofCompleteRequest
		mov	eax, esi
		jmp	loc_A6E785
; 

loc_A6E68D:				; CODE XREF: ViFilterDispatchPnp(x,x)+3Ej
		mov	esi, [ebx+60h]
		mov	ecx, 7
		mov	eax, [ebp+var_4]
		push	edi
		lea	edx, [esi-24h]
		mov	eax, [eax+4]
		mov	edi, edx
		mov	[ebp+arg_4], eax
		movzx	eax, byte ptr [esi+1]
		rep movsd
		mov	byte ptr [edx+3], 0
		sub	eax, 0
		jz	loc_A6E766
		sub	eax, 2
		jz	short loc_A6E6EB
		sub	eax, 14h
		lea	ecx, [ebp+var_4]
		mov	eax, [ebx+60h]
		mov	edx, ebx
		mov	[eax-4], ecx
		mov	ecx, [ebp+arg_4]
		mov	byte ptr [eax-21h], 0E0h
		jz	short loc_A6E6DF
		mov	dword ptr [eax-8], offset _ViFilterGenericCompletionRoutine@12 ; ViFilterGenericCompletionRoutine(x,x,x)
		jmp	loc_A6E77F
; 

loc_A6E6DF:				; CODE XREF: ViFilterDispatchPnp(x,x)+97j
		mov	dword ptr [eax-8], offset _ViFilterDeviceUsageNotificationCompletion@12	; ViFilterDeviceUsageNotificationCompletion(x,x,x)
		jmp	loc_A6E77F
; 

loc_A6E6EB:				; CODE XREF: ViFilterDispatchPnp(x,x)+80j
		mov	eax, [ebp+var_4]
		push	0
		push	0
		add	eax, 28h
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [ebx+60h]
		lea	ecx, [ebp+var_4]
		mov	esi, [ebp+arg_4]
		mov	edx, ebx
		mov	[eax-4], ecx
		mov	ecx, esi
		mov	dword ptr [eax-8], offset _ViFilterRemoveNotificationCompletion@12 ; ViFilterRemoveNotificationCompletion(x,x,x)
		mov	byte ptr [eax-21h], 0E0h
		call	IofCallDriver
		mov	edi, eax
		cmp	edi, 103h
		jnz	short loc_A6E73C
		mov	eax, [ebp+var_4]
		push	0
		push	0
		push	0
		push	0
		add	eax, 28h
		push	eax
		call	KeWaitForSingleObject
		mov	edi, [ebx+18h]

loc_A6E73C:				; CODE XREF: ViFilterDispatchPnp(x,x)+E9j
		mov	eax, [ebp+var_4]
		push	18h
		push	ebx
		add	eax, 10h
		push	eax
		call	_IoReleaseRemoveLockAndWaitEx@12 ; IoReleaseRemoveLockAndWaitEx(x,x,x)
		push	esi
		call	IoDetachDevice
		push	[ebp+arg_0]
		call	IoDeleteDevice
		xor	dl, dl
		mov	ecx, ebx
		call	IofCompleteRequest
		mov	eax, edi
		jmp	short loc_A6E784
; 

loc_A6E766:				; CODE XREF: ViFilterDispatchPnp(x,x)+77j
		mov	eax, [ebx+60h]
		lea	ecx, [ebp+var_4]
		mov	edx, ebx
		mov	[eax-4], ecx
		mov	ecx, [ebp+arg_4]
		mov	dword ptr [eax-8], offset _ViFilterStartCompletionRoutine@12 ; ViFilterStartCompletionRoutine(x,x,x)
		mov	byte ptr [eax-21h], 0E0h

loc_A6E77F:				; CODE XREF: ViFilterDispatchPnp(x,x)+A0j
					; ViFilterDispatchPnp(x,x)+ACj
		call	IofCallDriver

loc_A6E784:				; CODE XREF: ViFilterDispatchPnp(x,x)+12Aj
		pop	edi

loc_A6E785:				; CODE XREF: ViFilterDispatchPnp(x,x)+4Ej
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
_ViFilterDispatchPnp@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFilterDispatchPower(x, x)
_ViFilterDispatchPower@8 proc near	; DATA XREF: ViFilterDriverEntry(x,x)+34o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+28h]
		mov	[ebp+arg_0], ecx
		mov	eax, [ecx+40h]
		test	al, 1
		jnz	short loc_A6E7AB

loc_A6E7A2:				; CODE XREF: ViFilterDispatchPower(x,x)+1Cj
		pause
		mov	eax, [ecx+40h]
		test	al, 1
		jz	short loc_A6E7A2

loc_A6E7AB:				; CODE XREF: ViFilterDispatchPower(x,x)+13j
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	ebx, [ebp+arg_4]
		add	eax, 10h
		push	esi
		push	18h
		push	1
		push	offset ??_C@_00CNPNBAHC@@JKADOLAD@
		push	ebx
		push	eax
		call	IoAcquireRemoveLockEx
		mov	esi, eax
		test	esi, esi
		jns	short loc_A6E7DC
		xor	dl, dl
		mov	[ebx+18h], esi
		mov	ecx, ebx
		call	IofCompleteRequest
		mov	eax, esi
		jmp	short loc_A6E812
; 

loc_A6E7DC:				; CODE XREF: ViFilterDispatchPower(x,x)+3Dj
		mov	esi, [ebx+60h]
		mov	ecx, 7
		push	edi
		push	ebx
		lea	eax, [esi-24h]
		mov	edi, eax
		rep movsd
		mov	byte ptr [eax+3], 0
		lea	ecx, [ebp+arg_0]
		mov	eax, [ebx+60h]
		mov	dword ptr [eax-8], offset _ViFilterGenericCompletionRoutine@12 ; ViFilterGenericCompletionRoutine(x,x,x)
		mov	[eax-4], ecx
		mov	byte ptr [eax-21h], 0E0h
		mov	eax, [ebp+arg_0]
		mov	eax, [eax+4]
		push	eax
		call	_PoCallDriver@8	; PoCallDriver(x,x)
		pop	edi

loc_A6E812:				; CODE XREF: ViFilterDispatchPower(x,x)+4Dj
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
_ViFilterDispatchPower@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFilterDriverEntry(x, x)
_ViFilterDriverEntry@8 proc near	; DATA XREF: VfFilterAttach(x,x)+3Bo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_0]
		mov	ecx, 1Ch
		push	edi
		mov	_VfFilterDriverObject, edx
		mov	eax, [edx+18h]
		lea	edi, [edx+38h]
		mov	dword ptr [eax+4], offset _ViFilterAddDevice@8 ; ViFilterAddDevice(x,x)
		mov	eax, offset _ViFilterDispatchGeneric@8 ; ViFilterDispatchGeneric(x,x)
		rep stosd
		mov	dword ptr [edx+0A4h], offset _ViFilterDispatchPnp@8 ; ViFilterDispatchPnp(x,x)
		xor	eax, eax
		mov	dword ptr [edx+90h], offset _ViFilterDispatchPower@8 ; ViFilterDispatchPower(x,x)
		pop	edi
		pop	ebp
		retn	8
_ViFilterDriverEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFilterGenericCompletionRoutine(x,	x, x)
_ViFilterGenericCompletionRoutine@12 proc near ; DATA XREF: ViFilterDispatchGeneric(x,x)+6Bo
					; ViFilterDispatchPnp(x,x)+99o	...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_4]
		cmp	byte ptr [ecx+21h], 0
		jz	short loc_A6E870
		mov	eax, [ecx+60h]
		or	byte ptr [eax+3], 1

loc_A6E870:				; CODE XREF: ViFilterGenericCompletionRoutine(x,x,x)+Cj
		mov	eax, [ebp+arg_0]
		push	18h
		push	ecx
		mov	eax, [eax+28h]
		add	eax, 10h
		push	eax
		call	IoReleaseRemoveLockEx
		xor	eax, eax
		pop	ebp
		retn	0Ch
_ViFilterGenericCompletionRoutine@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFilterRemoveNotificationCompletion(x, x, x)
_ViFilterRemoveNotificationCompletion@12 proc near ; DATA XREF:	ViFilterDispatchPnp(x,x)+D1o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		cmp	byte ptr [eax+21h], 0
		jz	short loc_A6E8A9
		mov	eax, [ebp+arg_0]
		push	0
		push	0
		mov	eax, [eax+28h]
		add	eax, 28h
		push	eax
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_A6E8A9:				; CODE XREF: ViFilterRemoveNotificationCompletion(x,x,x)+Cj
		mov	eax, 0C0000016h
		pop	ebp
		retn	0Ch
_ViFilterRemoveNotificationCompletion@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFilterStartCompletionRoutine(x, x, x)
_ViFilterStartCompletionRoutine@12 proc	near ; DATA XREF: ViFilterDispatchPnp(x,x)+13Ao

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_4]
		cmp	byte ptr [esi+21h], 0
		jz	short loc_A6E8C8
		mov	eax, [esi+60h]
		or	byte ptr [eax+3], 1

loc_A6E8C8:				; CODE XREF: ViFilterStartCompletionRoutine(x,x,x)+Dj
		mov	ecx, [ebp+arg_0]
		push	18h
		push	esi
		mov	edx, [ecx+28h]
		mov	eax, [edx+4]
		mov	eax, [eax+20h]
		and	eax, 5010Fh
		or	[ecx+20h], eax
		lea	eax, [edx+10h]
		push	eax
		call	IoReleaseRemoveLockEx
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	0Ch
_ViFilterStartCompletionRoutine@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlAnsiStringToUnicodeString(x, x, x)
_VerifierRtlAnsiStringToUnicodeString@12 proc near ; DATA XREF:	PAGEVRFD:00AAAC6Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvRtlAnsiStringToUnicodeString
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_A6E921
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_A6E921
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+arg_4]
		call	_ViRtlReplaceStringBuffer@12 ; ViRtlReplaceStringBuffer(x,x,x)
		mov	eax, [ebp+arg_4]

loc_A6E921:				; CODE XREF: VerifierRtlAnsiStringToUnicodeString(x,x,x)+19j
					; VerifierRtlAnsiStringToUnicodeString(x,x,x)+1Fj
		pop	ebp
		retn	0Ch
_VerifierRtlAnsiStringToUnicodeString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlCompareUnicodeString(x, x, x)
_VerifierRtlCompareUnicodeString@12 proc near ;	DATA XREF: PAGEVRFD:00AAA564o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlCompareUnicodeString
_VerifierRtlCompareUnicodeString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlCreateUnicodeString(x, x)
_VerifierRtlCreateUnicodeString@8 proc near ; DATA XREF: PAGEVRFD:00AAAD74o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvRtlCreateUnicodeString
		mov	bl, al
		test	bl, bl
		jz	short loc_A6E966
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+arg_4]
		and	[ebp+arg_4], 0
		call	_ViRtlReplaceStringBuffer@12 ; ViRtlReplaceStringBuffer(x,x,x)
		cmp	[ebp+arg_4], 0
		setl	al
		dec	al
		and	bl, al

loc_A6E966:				; CODE XREF: VerifierRtlCreateUnicodeString(x,x)+16j
		mov	al, bl
		pop	ebx
		pop	ebp
		retn	8
_VerifierRtlCreateUnicodeString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlDowncaseUnicodeChar(x)
_VerifierRtlDowncaseUnicodeChar@4 proc near ; DATA XREF: PAGEVRFD:00AAA5DCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlDowncaseUnicodeChar
_VerifierRtlDowncaseUnicodeChar@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlDowncaseUnicodeString(x,	x, x)
_VerifierRtlDowncaseUnicodeString@12 proc near ; DATA XREF: PAGEVRFD:00AAAD5Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvRtlDowncaseUnicodeString
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_A6E9AB
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_A6E9AB
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+arg_4]
		call	_ViRtlReplaceStringBuffer@12 ; ViRtlReplaceStringBuffer(x,x,x)
		mov	eax, [ebp+arg_4]

loc_A6E9AB:				; CODE XREF: VerifierRtlDowncaseUnicodeString(x,x,x)+19j
					; VerifierRtlDowncaseUnicodeString(x,x,x)+1Fj
		pop	ebp
		retn	0Ch
_VerifierRtlDowncaseUnicodeString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlDuplicateUnicodeString(x, x, x)
_VerifierRtlDuplicateUnicodeString@12 proc near	; DATA XREF: PAGEVRFD:00AAAD8Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvRtlDuplicateUnicodeString
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_A6E9DB
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_8]
		lea	edx, [ebp+arg_4]
		call	_ViRtlReplaceStringBuffer@12 ; ViRtlReplaceStringBuffer(x,x,x)
		mov	eax, [ebp+arg_4]

loc_A6E9DB:				; CODE XREF: VerifierRtlDuplicateUnicodeString(x,x,x)+19j
		pop	ebp
		retn	0Ch
_VerifierRtlDuplicateUnicodeString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlEqualUnicodeString(x, x,	x)
_VerifierRtlEqualUnicodeString@12 proc near ; DATA XREF: PAGEVRFD:00AAA5F4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlEqualUnicodeString
_VerifierRtlEqualUnicodeString@12 endp

; [00000006 BYTES: COLLAPSED FUNCTION VerifierRtlFreeUnicodeString(x). PRESS KEYPAD "+"	TO EXPAND]

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlGUIDFromString(x, x)
_VerifierRtlGUIDFromString@8 proc near	; DATA XREF: PAGEVRFD:00AAA63Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlGUIDFromString
_VerifierRtlGUIDFromString@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlGenerateClass5Guid(x, x,	x, x)
_VerifierRtlGenerateClass5Guid@16 proc near ; DATA XREF: PAGEVRFD:00AAA624o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlGenerateClass5Guid
_VerifierRtlGenerateClass5Guid@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlHashUnicodeString(x, x, x, x)
_VerifierRtlHashUnicodeString@16 proc near ; DATA XREF:	PAGEVRFD:00AAA654o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlHashUnicodeString
_VerifierRtlHashUnicodeString@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlOemStringToCountedUnicodeString(x, x, x)
_VerifierRtlOemStringToCountedUnicodeString@12 proc near ; DATA	XREF: PAGEVRFD:00AAACFCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvRtlOemStringToCountedUnicodeString
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_A6EA47
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_A6EA47
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+arg_4]
		call	_ViRtlReplaceStringBuffer@12 ; ViRtlReplaceStringBuffer(x,x,x)
		mov	eax, [ebp+arg_4]

loc_A6EA47:				; CODE XREF: VerifierRtlOemStringToCountedUnicodeString(x,x,x)+19j
					; VerifierRtlOemStringToCountedUnicodeString(x,x,x)+1Fj
		pop	ebp
		retn	0Ch
_VerifierRtlOemStringToCountedUnicodeString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlOemStringToUnicodeString(x, x, x)
_VerifierRtlOemStringToUnicodeString@12	proc near ; DATA XREF: PAGEVRFD:00AAACB4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvRtlOemStringToUnicodeString
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_A6EA7D
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_A6EA7D
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+arg_4]
		call	_ViRtlReplaceStringBuffer@12 ; ViRtlReplaceStringBuffer(x,x,x)
		mov	eax, [ebp+arg_4]

loc_A6EA7D:				; CODE XREF: VerifierRtlOemStringToUnicodeString(x,x,x)+19j
					; VerifierRtlOemStringToUnicodeString(x,x,x)+1Fj
		pop	ebp
		retn	0Ch
_VerifierRtlOemStringToUnicodeString@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlStringFromGUID(x, x)
_VerifierRtlStringFromGUID@8 proc near	; DATA XREF: PAGEVRFD:00AAA66Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlStringFromGUID
_VerifierRtlStringFromGUID@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlUTF8ToUnicodeN(x, x, x, x, x)
_VerifierRtlUTF8ToUnicodeN@20 proc near	; DATA XREF: PAGEVRFD:00AAA6B4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlUTF8ToUnicodeN
_VerifierRtlUTF8ToUnicodeN@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlUnicodeStringToAnsiString(x, x, x)
_VerifierRtlUnicodeStringToAnsiString@12 proc near ; DATA XREF:	PAGEVRFD:00AAAC84o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvRtlUnicodeStringToAnsiString
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_A6EACB
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_A6EACB
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+arg_4]
		call	_ViRtlReplaceStringBuffer@12 ; ViRtlReplaceStringBuffer(x,x,x)
		mov	eax, [ebp+arg_4]

loc_A6EACB:				; CODE XREF: VerifierRtlUnicodeStringToAnsiString(x,x,x)+19j
					; VerifierRtlUnicodeStringToAnsiString(x,x,x)+1Fj
		pop	ebp
		retn	0Ch
_VerifierRtlUnicodeStringToAnsiString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlUnicodeStringToCountedOemString(x, x, x)
_VerifierRtlUnicodeStringToCountedOemString@12 proc near ; DATA	XREF: PAGEVRFD:00AAAD14o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvRtlUnicodeStringToCountedOemString
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_A6EB01
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_A6EB01
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+arg_4]
		call	_ViRtlReplaceStringBuffer@12 ; ViRtlReplaceStringBuffer(x,x,x)
		mov	eax, [ebp+arg_4]

loc_A6EB01:				; CODE XREF: VerifierRtlUnicodeStringToCountedOemString(x,x,x)+19j
					; VerifierRtlUnicodeStringToCountedOemString(x,x,x)+1Fj
		pop	ebp
		retn	0Ch
_VerifierRtlUnicodeStringToCountedOemString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlUnicodeStringToOemString(x, x, x)
_VerifierRtlUnicodeStringToOemString@12	proc near ; DATA XREF: PAGEVRFD:00AAACCCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvRtlUnicodeStringToOemString
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_A6EB37
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_A6EB37
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+arg_4]
		call	_ViRtlReplaceStringBuffer@12 ; ViRtlReplaceStringBuffer(x,x,x)
		mov	eax, [ebp+arg_4]

loc_A6EB37:				; CODE XREF: VerifierRtlUnicodeStringToOemString(x,x,x)+19j
					; VerifierRtlUnicodeStringToOemString(x,x,x)+1Fj
		pop	ebp
		retn	0Ch
_VerifierRtlUnicodeStringToOemString@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlUnicodeToUTF8N(x, x, x, x, x)
_VerifierRtlUnicodeToUTF8N@20 proc near	; DATA XREF: PAGEVRFD:00AAA684o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlUnicodeToUTF8N
_VerifierRtlUnicodeToUTF8N@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlUpcaseUnicodeChar(x)
_VerifierRtlUpcaseUnicodeChar@4	proc near ; DATA XREF: PAGEVRFD:00AAA69Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlUpcaseUnicodeChar
_VerifierRtlUpcaseUnicodeChar@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlUpcaseUnicodeString(x, x, x)
_VerifierRtlUpcaseUnicodeString@12 proc	near ; DATA XREF: PAGEVRFD:00AAAD44o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvRtlUpcaseUnicodeString
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_A6EB85
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_A6EB85
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+arg_4]
		call	_ViRtlReplaceStringBuffer@12 ; ViRtlReplaceStringBuffer(x,x,x)
		mov	eax, [ebp+arg_4]

loc_A6EB85:				; CODE XREF: VerifierRtlUpcaseUnicodeString(x,x,x)+19j
					; VerifierRtlUpcaseUnicodeString(x,x,x)+1Fj
		pop	ebp
		retn	0Ch
_VerifierRtlUpcaseUnicodeString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlUpcaseUnicodeStringToAnsiString(x, x, x)
_VerifierRtlUpcaseUnicodeStringToAnsiString@12 proc near ; DATA	XREF: PAGEVRFD:00AAAC9Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvRtlUpcaseUnicodeStringToAnsiString
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_A6EBBB
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_A6EBBB
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+arg_4]
		call	_ViRtlReplaceStringBuffer@12 ; ViRtlReplaceStringBuffer(x,x,x)
		mov	eax, [ebp+arg_4]

loc_A6EBBB:				; CODE XREF: VerifierRtlUpcaseUnicodeStringToAnsiString(x,x,x)+19j
					; VerifierRtlUpcaseUnicodeStringToAnsiString(x,x,x)+1Fj
		pop	ebp
		retn	0Ch
_VerifierRtlUpcaseUnicodeStringToAnsiString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlUpcaseUnicodeStringToCountedOemString(x,	x, x)
_VerifierRtlUpcaseUnicodeStringToCountedOemString@12 proc near
					; DATA XREF: PAGEVRFD:00AAAD2Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvRtlUpcaseUnicodeStringToCountedOemString
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_A6EBF1
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_A6EBF1
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+arg_4]
		call	_ViRtlReplaceStringBuffer@12 ; ViRtlReplaceStringBuffer(x,x,x)
		mov	eax, [ebp+arg_4]

loc_A6EBF1:				; CODE XREF: VerifierRtlUpcaseUnicodeStringToCountedOemString(x,x,x)+19j
					; VerifierRtlUpcaseUnicodeStringToCountedOemString(x,x,x)+1Fj
		pop	ebp
		retn	0Ch
_VerifierRtlUpcaseUnicodeStringToCountedOemString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlUpcaseUnicodeStringToOemString(x, x, x)
_VerifierRtlUpcaseUnicodeStringToOemString@12 proc near	; DATA XREF: PAGEVRFD:00AAACE4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvRtlUpcaseUnicodeStringToOemString
		mov	[ebp+arg_4], eax
		test	eax, eax
		js	short loc_A6EC27
		cmp	byte ptr [ebp+arg_8], 0
		jz	short loc_A6EC27
		push	dword ptr [ebp+4]
		mov	ecx, [ebp+arg_0]
		lea	edx, [ebp+arg_4]
		call	_ViRtlReplaceStringBuffer@12 ; ViRtlReplaceStringBuffer(x,x,x)
		mov	eax, [ebp+arg_4]

loc_A6EC27:				; CODE XREF: VerifierRtlUpcaseUnicodeStringToOemString(x,x,x)+19j
					; VerifierRtlUpcaseUnicodeStringToOemString(x,x,x)+1Fj
		pop	ebp
		retn	0Ch
_VerifierRtlUpcaseUnicodeStringToOemString@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlxAnsiStringToUnicodeSize(x)
_VerifierRtlxAnsiStringToUnicodeSize@4 proc near ; DATA	XREF: PAGEVRFD:00AAA6CCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlxAnsiStringToUnicodeSize
_VerifierRtlxAnsiStringToUnicodeSize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierRtlxUnicodeStringToAnsiSize(x)
_VerifierRtlxUnicodeStringToAnsiSize@4 proc near ; DATA	XREF: PAGEVRFD:00AAA6E4o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvRtlxUnicodeStringToAnsiSize
_VerifierRtlxUnicodeStringToAnsiSize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViRtlReplaceStringBuffer(x,	x, x)
_ViRtlReplaceStringBuffer@12 proc near	; CODE XREF: VerifierRtlAnsiStringToUnicodeString(x,x,x)+2Ap
					; VerifierRtlCreateUnicodeString(x,x)+25p ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	byte ptr _MmVerifierData, 9
		push	esi
		mov	[ebp+var_4], edx
		mov	esi, ecx
		jz	short loc_A6ECA7
		movzx	eax, word ptr [esi+2]
		test	ax, ax
		jz	short loc_A6ECA7
		push	ebx
		push	edi
		push	[ebp+arg_0]
		mov	ebx, eax
		push	20h
		push	72745356h
		push	ebx
		push	81h
		call	_VeAllocatePoolWithTagPriority@20 ; VeAllocatePoolWithTagPriority(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A6EC8F
		push	ebx		; size_t
		push	dword ptr [esi+4] ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	short loc_A6EC98
; 

loc_A6EC8F:				; CODE XREF: ViRtlReplaceStringBuffer(x,x,x)+3Bj
		mov	eax, [ebp+var_4]
		mov	dword ptr [eax], 0C0000017h

loc_A6EC98:				; CODE XREF: ViRtlReplaceStringBuffer(x,x,x)+4Aj
		push	0
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[esi+4], edi
		pop	edi
		pop	ebx

loc_A6ECA7:				; CODE XREF: ViRtlReplaceStringBuffer(x,x,x)+13j
					; ViRtlReplaceStringBuffer(x,x,x)+1Cj
		pop	esi
		leave
		retn	4
_ViRtlReplaceStringBuffer@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmAllocateContiguousMemory(x, x, x)
_VerifierMmAllocateContiguousMemory@12 proc near ; DATA	XREF: PAGEVRFD:00AAB104o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A6ECC0
		xor	eax, eax
		jmp	short loc_A6ED23
; 

loc_A6ECC0:				; CODE XREF: VerifierMmAllocateContiguousMemory(x,x,x)+Ej
		mov	eax, _MmVerifierData
		xor	ecx, ecx
		and	eax, 2000000h
		push	esi
		neg	eax
		push	80000000h
		sbb	eax, eax
		and	eax, 0FFFFFFC4h
		add	eax, 40h
		push	eax
		push	ecx
		push	ecx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	ecx
		push	ecx
		push	[ebp+arg_0]
		call	ds:_pXdvMmAllocateContiguousNodeMemory
		mov	edx, [ebp+arg_0]
		mov	esi, eax
		mov	ecx, esi
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		test	esi, esi
		jz	short loc_A6ED20
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_VfFillAllocatedMemory@8 ; VfFillAllocatedMemory(x,x)
		mov	ecx, [ebp+4]
		test	byte ptr _MmVerifierData, 8
		jz	short loc_A6ED20
		push	[ebp+arg_0]
		mov	edx, esi
		call	_ViTargetTrackContiguousMemory@12 ; ViTargetTrackContiguousMemory(x,x,x)

loc_A6ED20:				; CODE XREF: VerifierMmAllocateContiguousMemory(x,x,x)+52j
					; VerifierMmAllocateContiguousMemory(x,x,x)+68j
		mov	eax, esi
		pop	esi

loc_A6ED23:				; CODE XREF: VerifierMmAllocateContiguousMemory(x,x,x)+12j
		pop	ebp
		retn	0Ch
_VerifierMmAllocateContiguousMemory@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmAllocateContiguousMemorySpecifyCache(x, x, x, x, x, x, x,	x)
_VerifierMmAllocateContiguousMemorySpecifyCache@32 proc	near ; DATA XREF: PAGEVRFD:00AAB11Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A6ED3E
		xor	eax, eax
		jmp	loc_A6EDC3
; 

loc_A6ED3E:				; CODE XREF: VerifierMmAllocateContiguousMemorySpecifyCache(x,x,x,x,x,x,x,x)+Ej
		cmp	[ebp+arg_1C], 1
		jnz	short loc_A6ED5A
		mov	eax, _MmVerifierData
		and	eax, 2000000h
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFC4h
		add	eax, 40h
		jmp	short loc_A6ED6E
; 

loc_A6ED5A:				; CODE XREF: VerifierMmAllocateContiguousMemorySpecifyCache(x,x,x,x,x,x,x,x)+1Bj
		xor	eax, eax
		cmp	[ebp+arg_1C], 2
		setnz	al
		dec	eax
		and	eax, 200h
		add	eax, 204h

loc_A6ED6E:				; CODE XREF: VerifierMmAllocateContiguousMemorySpecifyCache(x,x,x,x,x,x,x,x)+31j
		push	esi
		push	80000000h
		push	eax
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvMmAllocateContiguousNodeMemory
		mov	edx, [ebp+arg_0]
		mov	esi, eax
		mov	ecx, esi
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		test	esi, esi
		jz	short loc_A6EDC0
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_VfFillAllocatedMemory@8 ; VfFillAllocatedMemory(x,x)
		mov	ecx, [ebp+4]
		test	byte ptr _MmVerifierData, 8
		jz	short loc_A6EDC0
		push	[ebp+arg_0]
		mov	edx, esi
		call	_ViTargetTrackContiguousMemory@12 ; ViTargetTrackContiguousMemory(x,x,x)

loc_A6EDC0:				; CODE XREF: VerifierMmAllocateContiguousMemorySpecifyCache(x,x,x,x,x,x,x,x)+77j
					; VerifierMmAllocateContiguousMemorySpecifyCache(x,x,x,x,x,x,x,x)+8Dj
		mov	eax, esi
		pop	esi

loc_A6EDC3:				; CODE XREF: VerifierMmAllocateContiguousMemorySpecifyCache(x,x,x,x,x,x,x,x)+12j
		pop	ebp
		retn	20h
_VerifierMmAllocateContiguousMemorySpecifyCache@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmAllocateContiguousMemorySpecifyCacheNode(x, x, x,	x, x, x, x, x, x)
_VerifierMmAllocateContiguousMemorySpecifyCacheNode@36 proc near
					; DATA XREF: PAGEVRFD:00AAB134o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A6EDDE
		xor	eax, eax
		jmp	loc_A6EE61
; 

loc_A6EDDE:				; CODE XREF: VerifierMmAllocateContiguousMemorySpecifyCacheNode(x,x,x,x,x,x,x,x,x)+Ej
		cmp	[ebp+arg_1C], 1
		jnz	short loc_A6EDFA
		mov	eax, _MmVerifierData
		and	eax, 2000000h
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFC4h
		add	eax, 40h
		jmp	short loc_A6EE0E
; 

loc_A6EDFA:				; CODE XREF: VerifierMmAllocateContiguousMemorySpecifyCacheNode(x,x,x,x,x,x,x,x,x)+1Bj
		xor	eax, eax
		cmp	[ebp+arg_1C], 2
		setnz	al
		dec	eax
		and	eax, 200h
		add	eax, 204h

loc_A6EE0E:				; CODE XREF: VerifierMmAllocateContiguousMemorySpecifyCacheNode(x,x,x,x,x,x,x,x,x)+31j
		push	esi
		push	[ebp+arg_20]
		push	eax
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvMmAllocateContiguousNodeMemory
		mov	edx, [ebp+arg_0]
		mov	esi, eax
		mov	ecx, esi
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		test	esi, esi
		jz	short loc_A6EE5E
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_VfFillAllocatedMemory@8 ; VfFillAllocatedMemory(x,x)
		mov	ecx, [ebp+4]
		test	byte ptr _MmVerifierData, 8
		jz	short loc_A6EE5E
		push	[ebp+arg_0]
		mov	edx, esi
		call	_ViTargetTrackContiguousMemory@12 ; ViTargetTrackContiguousMemory(x,x,x)

loc_A6EE5E:				; CODE XREF: VerifierMmAllocateContiguousMemorySpecifyCacheNode(x,x,x,x,x,x,x,x,x)+75j
					; VerifierMmAllocateContiguousMemorySpecifyCacheNode(x,x,x,x,x,x,x,x,x)+8Bj
		mov	eax, esi
		pop	esi

loc_A6EE61:				; CODE XREF: VerifierMmAllocateContiguousMemorySpecifyCacheNode(x,x,x,x,x,x,x,x,x)+12j
		pop	ebp
		retn	24h
_VerifierMmAllocateContiguousMemorySpecifyCacheNode@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmAllocateContiguousNodeMemory(x, x, x, x, x, x, x,	x, x)
_VerifierMmAllocateContiguousNodeMemory@36 proc	near ; DATA XREF: PAGEVRFD:00AAB14Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_1C]
		call	_VfCheckPageProtection@8 ; VfCheckPageProtection(x,x)
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A6EE84
		xor	eax, eax
		jmp	short loc_A6EED9
; 

loc_A6EE84:				; CODE XREF: VerifierMmAllocateContiguousNodeMemory(x,x,x,x,x,x,x,x,x)+19j
		push	esi
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvMmAllocateContiguousNodeMemory
		mov	edx, [ebp+arg_0]
		mov	esi, eax
		mov	ecx, esi
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		test	esi, esi
		jz	short loc_A6EED6
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_VfFillAllocatedMemory@8 ; VfFillAllocatedMemory(x,x)
		mov	ecx, [ebp+4]
		test	byte ptr _MmVerifierData, 8
		jz	short loc_A6EED6
		push	[ebp+arg_0]
		mov	edx, esi
		call	_ViTargetTrackContiguousMemory@12 ; ViTargetTrackContiguousMemory(x,x,x)

loc_A6EED6:				; CODE XREF: VerifierMmAllocateContiguousNodeMemory(x,x,x,x,x,x,x,x,x)+4Fj
					; VerifierMmAllocateContiguousNodeMemory(x,x,x,x,x,x,x,x,x)+65j
		mov	eax, esi
		pop	esi

loc_A6EED9:				; CODE XREF: VerifierMmAllocateContiguousNodeMemory(x,x,x,x,x,x,x,x,x)+1Dj
		pop	ebp
		retn	24h
_VerifierMmAllocateContiguousNodeMemory@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmAllocateMappingAddress(x,	x)
_VerifierMmAllocateMappingAddress@8 proc near ;	DATA XREF: PAGEVRFD:00AAB23Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A6EEF1
		xor	eax, eax
		jmp	short loc_A6EF0D
; 

loc_A6EEF1:				; CODE XREF: VerifierMmAllocateMappingAddress(x,x)+Ej
		push	esi
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvMmAllocateMappingAddress
		mov	edx, [ebp+arg_0]
		mov	esi, eax
		mov	ecx, esi
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		mov	eax, esi
		pop	esi

loc_A6EF0D:				; CODE XREF: VerifierMmAllocateMappingAddress(x,x)+12j
		pop	ebp
		retn	8
_VerifierMmAllocateMappingAddress@8 endp ; sp =	-8


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmAllocateNodePagesForMdlEx(x, x, x, x, x, x, x, x,	x, x)
_VerifierMmAllocateNodePagesForMdlEx@40	proc near ; DATA XREF: PAGEVRFD:00AAB1F4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	cl, cl
		call	_ViMmValidateIrql@4 ; ViMmValidateIrql(x)
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A6EF2C
		xor	eax, eax
		jmp	short loc_A6EF9D
; 

loc_A6EF2C:				; CODE XREF: VerifierMmAllocateNodePagesForMdlEx(x,x,x,x,x,x,x,x,x,x)+15j
		push	esi
		push	edi
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvMmAllocateNodePagesForMdlEx
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A6EF5D
		push	1Ch
		pop	edi
		jmp	short loc_A6EF90
; 

loc_A6EF5D:				; CODE XREF: VerifierMmAllocateNodePagesForMdlEx(x,x,x,x,x,x,x,x,x,x)+45j
		push	[ebp+arg_24]
		mov	edx, [ebp+arg_1C]
		mov	ecx, esi
		movsx	edi, word ptr [esi+4]
		call	_VfFillAllocatePagesForMdl@12 ;	VfFillAllocatePagesForMdl(x,x,x)
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		mov	eax, [esi+14h]
		jz	short loc_A6EF90
		push	eax
		push	88h
		mov	edx, 84h
		call	_ViTargetAddToCounter@16 ; ViTargetAddToCounter(x,x,x,x)

loc_A6EF90:				; CODE XREF: VerifierMmAllocateNodePagesForMdlEx(x,x,x,x,x,x,x,x,x,x)+4Aj
					; VerifierMmAllocateNodePagesForMdlEx(x,x,x,x,x,x,x,x,x,x)+6Dj
		mov	edx, edi
		mov	ecx, esi
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		pop	edi
		mov	eax, esi
		pop	esi

loc_A6EF9D:				; CODE XREF: VerifierMmAllocateNodePagesForMdlEx(x,x,x,x,x,x,x,x,x,x)+19j
		pop	ebp
		retn	28h
_VerifierMmAllocateNodePagesForMdlEx@40	endp ; sp = -28h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmAllocateNonCachedMemory(x)
_VerifierMmAllocateNonCachedMemory@4 proc near ; DATA XREF: PAGEVRFD:00AAB164o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A6EFB5
		xor	eax, eax
		jmp	short loc_A6EFF2
; 

loc_A6EFB5:				; CODE XREF: VerifierMmAllocateNonCachedMemory(x)+Ej
		push	esi
		push	[ebp+arg_0]
		call	ds:_pXdvMmAllocateNonCachedMemory
		mov	edx, [ebp+arg_0]
		mov	esi, eax
		mov	ecx, esi
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		test	esi, esi
		jz	short loc_A6EFEF
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	_VfFillAllocatedMemory@8 ; VfFillAllocatedMemory(x,x)
		mov	ecx, [ebp+4]
		test	byte ptr _MmVerifierData, 8
		jz	short loc_A6EFEF
		push	[ebp+arg_0]
		mov	edx, esi
		call	_ViTargetTrackContiguousMemory@12 ; ViTargetTrackContiguousMemory(x,x,x)

loc_A6EFEF:				; CODE XREF: VerifierMmAllocateNonCachedMemory(x)+2Cj
					; VerifierMmAllocateNonCachedMemory(x)+42j
		mov	eax, esi
		pop	esi

loc_A6EFF2:				; CODE XREF: VerifierMmAllocateNonCachedMemory(x)+12j
		pop	ebp
		retn	4
_VerifierMmAllocateNonCachedMemory@4 endp

; 
		align 4
		db 0CCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmAllocatePagesForMdl(x, x,	x, x, x, x, x)
_VerifierMmAllocatePagesForMdl@28 proc near ; DATA XREF: PAGEVRFD:00AAB1C4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, _MmVerifierData
		shr	ecx, 11h
		and	cl, 1
		call	_ViMmValidateIrql@4 ; ViMmValidateIrql(x)
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A6F01E
		xor	eax, eax
		jmp	short loc_A6F079
; 

loc_A6F01E:				; CODE XREF: VerifierMmAllocatePagesForMdl(x,x,x,x,x,x,x)+1Fj
		push	esi
		push	edi
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvMmAllocatePagesForMdl
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A6F046
		push	1Ch
		pop	edi
		jmp	short loc_A6F06C
; 

loc_A6F046:				; CODE XREF: VerifierMmAllocatePagesForMdl(x,x,x,x,x,x,x)+46j
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		movsx	edi, word ptr [esi+4]
		mov	eax, [esi+14h]
		jz	short loc_A6F06C
		push	eax
		push	88h
		mov	edx, 84h
		call	_ViTargetAddToCounter@16 ; ViTargetAddToCounter(x,x,x,x)

loc_A6F06C:				; CODE XREF: VerifierMmAllocatePagesForMdl(x,x,x,x,x,x,x)+4Bj
					; VerifierMmAllocatePagesForMdl(x,x,x,x,x,x,x)+61j
		mov	edx, edi
		mov	ecx, esi
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		pop	edi
		mov	eax, esi
		pop	esi

loc_A6F079:				; CODE XREF: VerifierMmAllocatePagesForMdl(x,x,x,x,x,x,x)+23j
		pop	ebp
		retn	1Ch
_VerifierMmAllocatePagesForMdl@28 endp ; sp = -1Ch


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmAllocatePagesForMdlEx(x, x, x, x,	x, x, x, x, x)
_VerifierMmAllocatePagesForMdlEx@36 proc near ;	DATA XREF: PAGEVRFD:00AAB1DCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, _MmVerifierData
		shr	ecx, 11h
		and	cl, 1
		call	_ViMmValidateIrql@4 ; ViMmValidateIrql(x)
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A6F0A2
		xor	eax, eax
		jmp	short loc_A6F110
; 

loc_A6F0A2:				; CODE XREF: VerifierMmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)+1Fj
		push	esi
		push	edi
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvMmAllocatePagesForMdlEx
		mov	esi, eax
		test	esi, esi
		jnz	short loc_A6F0D0
		push	1Ch
		pop	edi
		jmp	short loc_A6F103
; 

loc_A6F0D0:				; CODE XREF: VerifierMmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)+4Cj
		push	[ebp+arg_20]
		mov	edx, [ebp+arg_1C]
		mov	ecx, esi
		movsx	edi, word ptr [esi+4]
		call	_VfFillAllocatePagesForMdl@12 ;	VfFillAllocatePagesForMdl(x,x,x)
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		mov	eax, [esi+14h]
		jz	short loc_A6F103
		push	eax
		push	88h
		mov	edx, 84h
		call	_ViTargetAddToCounter@16 ; ViTargetAddToCounter(x,x,x,x)

loc_A6F103:				; CODE XREF: VerifierMmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)+51j
					; VerifierMmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)+74j
		mov	edx, edi
		mov	ecx, esi
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		pop	edi
		mov	eax, esi
		pop	esi

loc_A6F110:				; CODE XREF: VerifierMmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)+23j
		pop	ebp
		retn	24h
_VerifierMmAllocatePagesForMdlEx@36 endp ; sp =	-24h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmBuildMdlForNonPagedPool(x)
_VerifierMmBuildMdlForNonPagedPool@4 proc near ; DATA XREF: PAGEVRFD:00AAAFE4o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	esi, [ebp+arg_0]
		mov	bl, al
		mov	edi, 800h
		test	bl, bl
		jnz	short loc_A6F155
		mov	edx, [esi+10h]
		mov	ecx, edx
		call	_MmDeterminePoolType@4 ; MmDeterminePoolType(x)
		test	eax, eax
		jz	short loc_A6F155
		test	_MmVerifierData, edi
		jz	short loc_A6F155
		push	edx
		push	esi
		push	0
		push	7Fh
		pop	edx
		lea	ecx, [edx+45h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F155:				; CODE XREF: VerifierMmBuildMdlForNonPagedPool(x)+1Aj
					; VerifierMmBuildMdlForNonPagedPool(x)+28j ...
		push	esi
		call	ds:_pXdvMmBuildMdlForNonPagedPool
		cmp	bl, 2
		ja	short loc_A6F19F
		test	_MmVerifierData, edi
		jz	short loc_A6F19F
		cmp	_VerifierNewRuleWorkaround, 0
		ja	short loc_A6F19F
		mov	ecx, esi
		call	_MmAreMdlPagesLocked@4 ; MmAreMdlPagesLocked(x)
		test	eax, eax
		jnz	short loc_A6F19F
		mov	ecx, [ebp+4]
		call	_VfUtilCheckRuleEnforcement@4 ;	VfUtilCheckRuleEnforcement(x)
		cmp	eax, 1
		jnz	short loc_A6F19F
		push	dword ptr [esi+10h]
		mov	edx, 140h
		movzx	eax, bl
		push	esi
		push	eax
		lea	ecx, [edx-7Ch]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F19F:				; CODE XREF: VerifierMmBuildMdlForNonPagedPool(x)+4Bj
					; VerifierMmBuildMdlForNonPagedPool(x)+53j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
_VerifierMmBuildMdlForNonPagedPool@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmCreateMdl(x, x, x)
_VerifierMmCreateMdl@12	proc near	; DATA XREF: PAGEVRFD:00AAB224o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	[ebp+arg_0], 0
		jnz	short loc_A6F1C0
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		test	eax, eax
		jz	short loc_A6F1C0
		xor	eax, eax
		jmp	short loc_A6F1F3
; 

loc_A6F1C0:				; CODE XREF: VerifierMmCreateMdl(x,x,x)+9j
					; VerifierMmCreateMdl(x,x,x)+14j
		push	esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvMmCreateMdl
		mov	esi, eax
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		ja	short loc_A6F1F0
		test	esi, esi
		jnz	short loc_A6F1E5
		push	1Ch
		pop	edx
		jmp	short loc_A6F1E9
; 

loc_A6F1E5:				; CODE XREF: VerifierMmCreateMdl(x,x,x)+38j
		movsx	edx, word ptr [esi+4]

loc_A6F1E9:				; CODE XREF: VerifierMmCreateMdl(x,x,x)+3Dj
		mov	ecx, esi
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)

loc_A6F1F0:				; CODE XREF: VerifierMmCreateMdl(x,x,x)+34j
		mov	eax, esi
		pop	esi

loc_A6F1F3:				; CODE XREF: VerifierMmCreateMdl(x,x,x)+18j
		pop	ebp
		retn	0Ch
_VerifierMmCreateMdl@12	endp ; sp = -0Ch


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmCreateSection(x, x, x, x,	x, x, x, x)
_VerifierMmCreateSection@32 proc near	; DATA XREF: PAGEVRFD:00AAB254o

arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_10]
		call	_VfCheckPageProtection@8 ; VfCheckPageProtection(x,x)
		pop	ebp
		jmp	ds:_pXdvMmCreateSection
_VerifierMmCreateSection@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmFreeContiguousMemory(x)
_VerifierMmFreeContiguousMemory@4 proc near ; DATA XREF: PAGEVRFD:00AAB17Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword_6BE39C, 0
		jz	short loc_A6F227
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+4]
		call	_ViTargetFreeContiguousMemory@8	; ViTargetFreeContiguousMemory(x,x)

loc_A6F227:				; CODE XREF: VerifierMmFreeContiguousMemory(x)+Cj
		pop	ebp
		jmp	ds:_pXdvMmFreeContiguousMemory
_VerifierMmFreeContiguousMemory@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmFreeContiguousMemorySpecifyCache(x, x, x)
_VerifierMmFreeContiguousMemorySpecifyCache@12 proc near ; DATA	XREF: PAGEVRFD:00AAB194o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword_6BE39C, 0
		jz	short loc_A6F247
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+4]
		call	_ViTargetFreeContiguousMemory@8	; ViTargetFreeContiguousMemory(x,x)

loc_A6F247:				; CODE XREF: VerifierMmFreeContiguousMemorySpecifyCache(x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvMmFreeContiguousMemorySpecifyCache
_VerifierMmFreeContiguousMemorySpecifyCache@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmFreeNonCachedMemory(x, x)
_VerifierMmFreeNonCachedMemory@8 proc near ; DATA XREF:	PAGEVRFD:00AAB1ACo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		cmp	dword_6BE39C, 0
		jz	short loc_A6F267
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+4]
		call	_ViTargetFreeContiguousMemory@8	; ViTargetFreeContiguousMemory(x,x)

loc_A6F267:				; CODE XREF: VerifierMmFreeNonCachedMemory(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvMmFreeNonCachedMemory
_VerifierMmFreeNonCachedMemory@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmFreePagesFromMdl(x)
_VerifierMmFreePagesFromMdl@4 proc near	; DATA XREF: PAGEVRFD:00AAB20Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, _MmVerifierData
		shr	ecx, 11h
		push	esi
		and	cl, 1
		call	_ViMmValidateIrql@4 ; ViMmValidateIrql(x)
		mov	esi, [ebp+arg_0]
		mov	ecx, [ebp+4]
		mov	eax, [esi+14h]
		neg	eax
		test	_MmVerifierData, 1000h
		jz	short loc_A6F2AC
		push	eax
		push	88h
		mov	edx, 84h
		call	_ViTargetAddToCounter@16 ; ViTargetAddToCounter(x,x,x,x)

loc_A6F2AC:				; CODE XREF: VerifierMmFreePagesFromMdl(x)+2Cj
		push	esi
		call	ds:_pXdvMmFreePagesFromMdl
		pop	esi
		pop	ebp
		retn	4
_VerifierMmFreePagesFromMdl@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmGetSystemRoutineAddress(x)
_VerifierMmGetSystemRoutineAddress@4 proc near ; DATA XREF: PAGEVRFD:00AAB284o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	ds:_pXdvMmGetSystemRoutineAddress
		test	eax, eax
		jz	short loc_A6F2D4
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		call	_VfThunkAdjustExportAddressIfHooked@8 ;	VfThunkAdjustExportAddressIfHooked(x,x)

loc_A6F2D4:				; CODE XREF: VerifierMmGetSystemRoutineAddress(x)+10j
		pop	ebp
		retn	4
_VerifierMmGetSystemRoutineAddress@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmMapIoSpace(x, x, x, x)
_VerifierMmMapIoSpace@16 proc near	; DATA XREF: PAGEVRFD:00AAB02Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	esi, [ebp+arg_8]
		mov	edi, [ebp+arg_0]
		cmp	al, 2
		jbe	short loc_A6F309
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F31D
		push	esi
		push	edi
		movzx	eax, al
		push	eax
		push	73h
		pop	edx
		lea	ecx, [edx+51h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F309:				; CODE XREF: VerifierMmMapIoSpace(x,x,x,x)+15j
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F31D
		push	[ebp+arg_4]
		mov	ecx, esi
		push	edi
		call	_MmCheckMapIoSpace@12 ;	MmCheckMapIoSpace(x,x,x)

loc_A6F31D:				; CODE XREF: VerifierMmMapIoSpace(x,x,x,x)+1Ej
					; VerifierMmMapIoSpace(x,x,x,x)+38j
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		cmp	eax, 1
		jnz	short loc_A6F32D
		xor	eax, eax
		jmp	short loc_A6F39F
; 

loc_A6F32D:				; CODE XREF: VerifierMmMapIoSpace(x,x,x,x)+4Fj
		test	_MmVerifierData, 2000000h
		jz	short loc_A6F363
		cmp	[ebp+arg_C], 1
		push	4
		pop	eax
		jz	short loc_A6F356
		xor	eax, eax
		cmp	[ebp+arg_C], 2
		setnz	al
		dec	eax
		and	eax, 200h
		add	eax, 204h

loc_A6F356:				; CODE XREF: VerifierMmMapIoSpace(x,x,x,x)+68j
		push	eax
		push	esi
		push	[ebp+arg_4]
		push	edi
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		jmp	short loc_A6F371
; 

loc_A6F363:				; CODE XREF: VerifierMmMapIoSpace(x,x,x,x)+5Fj
		push	[ebp+arg_C]
		push	esi
		push	[ebp+arg_4]
		push	edi
		call	ds:_pXdvMmMapIoSpace

loc_A6F371:				; CODE XREF: VerifierMmMapIoSpace(x,x,x,x)+89j
		mov	edi, eax
		mov	edx, esi
		mov	ecx, edi
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		test	edi, edi
		jz	short loc_A6F39D
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		jz	short loc_A6F39D
		push	esi
		push	80h
		push	7Ch
		pop	edx
		call	_ViTargetAddToCounter@16 ; ViTargetAddToCounter(x,x,x,x)

loc_A6F39D:				; CODE XREF: VerifierMmMapIoSpace(x,x,x,x)+A6j
					; VerifierMmMapIoSpace(x,x,x,x)+B5j
		mov	eax, edi

loc_A6F39F:				; CODE XREF: VerifierMmMapIoSpace(x,x,x,x)+53j
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_VerifierMmMapIoSpace@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmMapIoSpaceEx(x, x, x, x)
_VerifierMmMapIoSpaceEx@16 proc	near	; DATA XREF: PAGEVRFD:00AAB044o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	_MmVerifierData, 400000h
		jz	short loc_A6F3C1
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_C]
		call	_VfCheckPageProtection@8 ; VfCheckPageProtection(x,x)

loc_A6F3C1:				; CODE XREF: VerifierMmMapIoSpaceEx(x,x,x,x)+Fj
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		pop	ebp
		retn	10h
_VerifierMmMapIoSpaceEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmMapLockedPages(x,	x)
_VerifierMmMapLockedPages@8 proc near	; DATA XREF: PAGEVRFD:00AAB05Co

arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr _MmVerifierData, 1
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		jz	short loc_A6F3F3
		mov	dl, [ebp+arg_4]
		mov	ecx, esi
		call	_ViMmMapLockedPagesSanityChecks@8 ; ViMmMapLockedPagesSanityChecks(x,x)

loc_A6F3F3:				; CODE XREF: VerifierMmMapLockedPages(x,x)+11j
		mov	eax, 2000h
		test	[esi+6], ax
		jnz	short loc_A6F425
		call	_VfFaultsIsSystemSufficientlyBooted@0 ;	VfFaultsIsSystemSufficientlyBooted()
		test	eax, eax
		jz	short loc_A6F425
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F425
		movsx	eax, word ptr [esi+6]
		mov	edx, 81h
		push	0
		push	eax
		push	esi
		lea	ecx, [edx+43h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F425:				; CODE XREF: VerifierMmMapLockedPages(x,x)+26j
					; VerifierMmMapLockedPages(x,x)+2Fj ...
		mov	eax, _MmVerifierData
		and	eax, 2000000h
		or	eax, 1
		shl	eax, 5
		push	eax
		push	1
		push	0
		push	1
		push	dword ptr [ebp+arg_4]
		push	esi
		call	ds:_pXdvMmMapLockedPagesSpecifyCache
		mov	edx, [esi+14h]
		mov	edi, eax
		mov	ecx, edi
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		test	edi, edi
		jz	short loc_A6F473
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		mov	eax, [esi+14h]
		jz	short loc_A6F473
		push	eax
		push	78h
		push	74h
		pop	edx
		call	_ViTargetAddToCounter@16 ; ViTargetAddToCounter(x,x,x,x)

loc_A6F473:				; CODE XREF: VerifierMmMapLockedPages(x,x)+7Ej
					; VerifierMmMapLockedPages(x,x)+90j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_VerifierMmMapLockedPages@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmMapLockedPagesSpecifyCache(x, x, x, x, x,	x)
_VerifierMmMapLockedPagesSpecifyCache@24 proc near ; DATA XREF:	PAGEVRFD:00AAB074o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr _MmVerifierData, 1
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		jz	short loc_A6F498
		mov	dl, byte ptr [ebp+arg_4]
		mov	ecx, esi
		call	_ViMmMapLockedPagesSanityChecks@8 ; ViMmMapLockedPagesSanityChecks(x,x)

loc_A6F498:				; CODE XREF: VerifierMmMapLockedPagesSpecifyCache(x,x,x,x,x,x)+11j
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_14]
		call	_VfCheckPagePriority@8 ; VfCheckPagePriority(x,x)
		mov	edi, [ebp+arg_10]
		mov	eax, 2000h
		test	[esi+6], ax
		jnz	short loc_A6F523
		test	edi, edi
		jz	short loc_A6F523
		call	_VfFaultsIsSystemSufficientlyBooted@0 ;	VfFaultsIsSystemSufficientlyBooted()
		test	eax, eax
		jz	short loc_A6F4DB
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F4DB
		movsx	eax, word ptr [esi+6]
		mov	edx, 82h
		push	edi
		push	eax
		push	esi
		lea	ecx, [edx+42h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F4DB:				; CODE XREF: VerifierMmMapLockedPagesSpecifyCache(x,x,x,x,x,x)+41j
					; VerifierMmMapLockedPagesSpecifyCache(x,x,x,x,x,x)+4Aj ...
		push	[ebp+arg_14]
		push	edi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	MmMapLockedPagesSpecifyCache
		mov	edx, [esi+14h]
		mov	edi, eax
		mov	ecx, edi
		call	_VfAllocPoolNotification@8 ; VfAllocPoolNotification(x,x)
		test	edi, edi
		jz	short loc_A6F51B
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		mov	eax, [esi+14h]
		jz	short loc_A6F51B
		push	eax
		push	78h
		push	74h
		pop	edx
		call	_ViTargetAddToCounter@16 ; ViTargetAddToCounter(x,x,x,x)

loc_A6F51B:				; CODE XREF: VerifierMmMapLockedPagesSpecifyCache(x,x,x,x,x,x)+81j
					; VerifierMmMapLockedPagesSpecifyCache(x,x,x,x,x,x)+93j
		mov	eax, edi

loc_A6F51D:				; CODE XREF: VerifierMmMapLockedPagesSpecifyCache(x,x,x,x,x,x)+BCj
		pop	edi
		pop	esi
		pop	ebp
		retn	18h
; 

loc_A6F523:				; CODE XREF: VerifierMmMapLockedPagesSpecifyCache(x,x,x,x,x,x)+34j
					; VerifierMmMapLockedPagesSpecifyCache(x,x,x,x,x,x)+38j
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		cmp	eax, 1
		jnz	short loc_A6F4DB
		cmp	byte ptr [ebp+arg_4], 0
		jnz	short loc_A6F539
		xor	eax, eax
		jmp	short loc_A6F51D
; 

loc_A6F539:				; CODE XREF: VerifierMmMapLockedPagesSpecifyCache(x,x,x,x,x,x)+B8j
		push	0C000009Ah
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)
		int	3		; Trap to Debugger

; __stdcall VerifierMmMapViewOfSection(x, x, x,	x, x, x, x, x, x, x)
_VerifierMmMapViewOfSection@40:		; DATA XREF: PAGEVRFD:00AAB08Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_24]
		call	_VfCheckPageProtection@8 ; VfCheckPageProtection(x,x)
		pop	ebp
		jmp	ds:_pXdvMmMapViewOfSection
_VerifierMmMapLockedPagesSpecifyCache@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmProbeAndLockPages(x, x, x)
_VerifierMmProbeAndLockPages@12	proc near ; DATA XREF: PAGEVRFD:00AAAFFCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	esi, [ebp+arg_0]
		mov	cl, al
		mov	ebx, [ebp+arg_4]
		cmp	cl, 2
		jbe	short loc_A6F592
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F592
		movsx	eax, bl
		push	eax
		push	esi
		movzx	eax, cl
		push	eax
		push	70h
		pop	edx
		lea	ecx, [edx+54h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F592:				; CODE XREF: VerifierMmProbeAndLockPages(x,x,x)+18j
					; VerifierMmProbeAndLockPages(x,x,x)+21j
		cmp	_VfVerifyMode, 3
		mov	ecx, 817h
		jnb	short loc_A6F5A3
		add	ecx, 0FFFFFFFCh

loc_A6F5A3:				; CODE XREF: VerifierMmProbeAndLockPages(x,x,x)+43j
		movzx	edx, word ptr [esi+6]
		mov	eax, edx
		and	eax, ecx
		test	ax, ax
		jz	short loc_A6F5D1
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F5D1
		movsx	edx, dx
		movzx	eax, cx
		and	eax, edx
		push	eax
		push	edx
		mov	edx, 0B0h
		push	esi
		lea	ecx, [edx+14h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F5D1:				; CODE XREF: VerifierMmProbeAndLockPages(x,x,x)+53j
					; VerifierMmProbeAndLockPages(x,x,x)+5Cj
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		cmp	eax, 1
		jnz	short loc_A6F5E7
		push	0C00000A1h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_A6F5E7:				; CODE XREF: VerifierMmProbeAndLockPages(x,x,x)+80j
		push	[ebp+arg_8]
		push	ebx
		push	esi
		call	ds:_pXdvMmProbeAndLockPages
		mov	eax, [esi+14h]
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		pop	esi
		pop	ebx
		jz	short loc_A6F611
		push	eax
		push	70h
		push	6Ch
		pop	edx
		call	_ViTargetAddToCounter@16 ; ViTargetAddToCounter(x,x,x,x)

loc_A6F611:				; CODE XREF: VerifierMmProbeAndLockPages(x,x,x)+A9j
		pop	ebp
		retn	0Ch
_VerifierMmProbeAndLockPages@12	endp ; sp = -8


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmProbeAndLockProcessPages(x, x, x,	x)
_VerifierMmProbeAndLockProcessPages@16 proc near ; DATA	XREF: PAGEVRFD:00AAB014o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	esi, [ebp+arg_0]
		cmp	al, 2
		jbe	short loc_A6F644
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F644
		push	[ebp+arg_4]
		movzx	eax, al
		push	esi
		push	eax
		push	71h
		pop	edx
		lea	ecx, [edx+53h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F644:				; CODE XREF: VerifierMmProbeAndLockProcessPages(x,x,x,x)+11j
					; VerifierMmProbeAndLockProcessPages(x,x,x,x)+1Aj
		cmp	_VfVerifyMode, 3
		mov	ecx, 817h
		jnb	short loc_A6F655
		add	ecx, 0FFFFFFFCh

loc_A6F655:				; CODE XREF: VerifierMmProbeAndLockProcessPages(x,x,x,x)+3Bj
		movzx	edx, word ptr [esi+6]
		mov	eax, edx
		and	eax, ecx
		test	ax, ax
		jz	short loc_A6F683
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F683
		movsx	edx, dx
		movzx	eax, cx
		and	eax, edx
		push	eax
		push	edx
		mov	edx, 0B1h
		push	esi
		lea	ecx, [edx+13h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F683:				; CODE XREF: VerifierMmProbeAndLockProcessPages(x,x,x,x)+4Bj
					; VerifierMmProbeAndLockProcessPages(x,x,x,x)+54j
		xor	ecx, ecx
		call	_VfFaultsInjectResourceFailure@4 ; VfFaultsInjectResourceFailure(x)
		cmp	eax, 1
		jnz	short loc_A6F699
		push	0C00000A1h
		call	_RtlRaiseStatus@4 ; RtlRaiseStatus(x)

loc_A6F699:				; CODE XREF: VerifierMmProbeAndLockProcessPages(x,x,x,x)+78j
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	ds:_pXdvMmProbeAndLockProcessPages
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		mov	eax, [esi+14h]
		pop	esi
		jz	short loc_A6F6C7
		push	eax
		push	70h
		push	6Ch
		pop	edx
		call	_ViTargetAddToCounter@16 ; ViTargetAddToCounter(x,x,x,x)

loc_A6F6C7:				; CODE XREF: VerifierMmProbeAndLockProcessPages(x,x,x,x)+A5j
		pop	ebp
		retn	10h
_VerifierMmProbeAndLockProcessPages@16 endp ; sp = -10h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmProtectMdlSystemAddress(x, x)
_VerifierMmProtectMdlSystemAddress@8 proc near ; DATA XREF: PAGEVRFD:00AAB29Co

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_VfCheckPageProtection@8 ; VfCheckPageProtection(x,x)
		pop	ebp
		jmp	ds:_pXdvMmProtectMdlSystemAddress
_VerifierMmProtectMdlSystemAddress@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmUnlockPages(x)
_VerifierMmUnlockPages@4 proc near	; DATA XREF: PAGEVRFD:00AAB0BCo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	esi, [ebp+arg_0]
		mov	edi, 0C4h
		cmp	al, 2
		jbe	short loc_A6F715
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F715
		push	0
		push	esi
		movzx	eax, al
		mov	ecx, edi
		push	eax
		push	78h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F715:				; CODE XREF: VerifierMmUnlockPages(x)+17j
					; VerifierMmUnlockPages(x)+20j
		push	ebx
		movzx	ebx, word ptr [esi+6]
		test	bl, 2
		jnz	short loc_A6F739
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F739
		push	0
		movsx	eax, bx
		mov	ecx, edi
		push	eax
		push	esi
		push	7Ch
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F739:				; CODE XREF: VerifierMmUnlockPages(x)+3Bj
					; VerifierMmUnlockPages(x)+44j
		cmp	_VfVerifyMode, 3
		jb	short loc_A6F761
		test	bl, 4
		jz	short loc_A6F761
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F761
		push	0
		movsx	eax, bx
		mov	ecx, edi
		push	eax
		push	esi
		push	7Dh
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F761:				; CODE XREF: VerifierMmUnlockPages(x)+5Ej
					; VerifierMmUnlockPages(x)+63j	...
		test	bl, 10h
		jz	short loc_A6F782
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F782
		push	10h
		movsx	eax, bx
		mov	edx, 0B4h
		push	eax
		push	esi
		mov	ecx, edi
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F782:				; CODE XREF: VerifierMmUnlockPages(x)+82j
					; VerifierMmUnlockPages(x)+8Bj
		test	bl, 1
		mov	edi, 1000h
		pop	ebx
		jz	short loc_A6F7A8
		mov	eax, [esi+14h]
		mov	ecx, [ebp+4]
		neg	eax
		test	_MmVerifierData, edi
		jz	short loc_A6F7A8
		push	eax
		push	78h
		push	74h
		pop	edx
		call	_ViTargetAddToCounter@16 ; ViTargetAddToCounter(x,x,x,x)

loc_A6F7A8:				; CODE XREF: VerifierMmUnlockPages(x)+A9j
					; VerifierMmUnlockPages(x)+B9j
		mov	eax, [esi+14h]
		mov	ecx, [ebp+4]
		neg	eax
		test	_MmVerifierData, edi
		jz	short loc_A6F7C3
		push	eax
		push	70h
		push	6Ch
		pop	edx
		call	_ViTargetAddToCounter@16 ; ViTargetAddToCounter(x,x,x,x)

loc_A6F7C3:				; CODE XREF: VerifierMmUnlockPages(x)+D4j
		push	esi
		call	ds:_pXdvMmUnlockPages
		pop	edi
		pop	esi
		pop	ebp
		retn	4
_VerifierMmUnlockPages@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmUnmapIoSpace(x, x)
_VerifierMmUnmapIoSpace@8 proc near	; DATA XREF: PAGEVRFD:00AAB0ECo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jbe	short loc_A6F7FD
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F7FD
		push	[ebp+arg_4]
		movzx	eax, al
		push	[ebp+arg_0]
		push	eax
		push	7Bh
		pop	edx
		lea	ecx, [edx+49h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F7FD:				; CODE XREF: VerifierMmUnmapIoSpace(x,x)+Dj
					; VerifierMmUnmapIoSpace(x,x)+16j
		mov	ecx, [ebp+4]
		test	_MmVerifierData, 1000h
		jz	short loc_A6F81F
		mov	eax, [ebp+arg_4]
		neg	eax
		push	eax
		push	80h
		push	7Ch
		pop	edx
		call	_ViTargetAddToCounter@16 ; ViTargetAddToCounter(x,x,x,x)

loc_A6F81F:				; CODE XREF: VerifierMmUnmapIoSpace(x,x)+3Aj
		pop	ebp
		jmp	ds:_pXdvMmUnmapIoSpace
_VerifierMmUnmapIoSpace@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierMmUnmapLockedPages(x, x)
_VerifierMmUnmapLockedPages@8 proc near	; DATA XREF: PAGEVRFD:00AAB0D4o

var_1C		= dword	ptr -1Ch
var_14		= byte ptr -14h
var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		xor	eax, eax
		push	esi
		push	edi
		push	7
		pop	ecx
		lea	edi, [ebp+var_1C]
		rep stosd
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	edi, [ebp+arg_0]
		mov	esi, [ebp+arg_4]
		cmp	edi, ds:_MmHighestUserAddress
		jbe	short loc_A6F865
		cmp	al, 2
		jbe	short loc_A6F885
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F885
		push	esi
		push	edi
		movzx	eax, al
		push	eax
		push	79h
		jmp	short loc_A6F87A
; 

loc_A6F865:				; CODE XREF: VerifierMmUnmapLockedPages(x,x)+26j
		cmp	al, 1
		jbe	short loc_A6F885
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A6F885
		push	esi
		push	edi
		movzx	eax, al
		push	eax
		push	7Ah

loc_A6F87A:				; CODE XREF: VerifierMmUnmapLockedPages(x,x)+3Dj
		pop	edx
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F885:				; CODE XREF: VerifierMmUnmapLockedPages(x,x)+2Aj
					; VerifierMmUnmapLockedPages(x,x)+33j ...
		cmp	edi, ds:_MmHighestUserAddress
		jbe	short loc_A6F8C0
		movzx	eax, word ptr [esi+6]
		test	al, 1
		jnz	loc_A6F949
		test	_MmVerifierData, 800h
		jz	loc_A6F949
		push	1
		mov	edx, 0B6h
		cwde
		push	eax
		push	esi
		lea	ecx, [edx+0Eh]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)
		jmp	loc_A6F949
; 

loc_A6F8C0:				; CODE XREF: VerifierMmUnmapLockedPages(x,x)+65j
		test	_MmVerifierData, 800h
		jz	short loc_A6F949
		mov	eax, large fs:124h
		push	dword ptr [eax+80h]
		call	_PsGetProcessExitProcessCalled@4 ; PsGetProcessExitProcessCalled(x)
		test	al, al
		jnz	short loc_A6F949
		mov	ecx, [esi+18h]
		lea	eax, [ebp+var_1C]
		add	ecx, [esi+10h]
		push	ebx
		mov	ebx, [esi+14h]
		and	ecx, 0FFFh
		push	0
		push	1Ch
		push	eax
		push	7
		push	edi
		add	ebx, 0FFFh
		push	0FFFFFFFFh
		add	ebx, ecx
		call	_ZwQueryVirtualMemory@24 ; ZwQueryVirtualMemory(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_A6F92A
		mov	eax, edi
		mov	ecx, 0FFFFF000h
		and	eax, ecx
		cmp	[ebp+var_1C], eax
		jnz	short loc_A6F92A
		and	ebx, ecx
		cmp	[ebp+var_10], ebx
		jnz	short loc_A6F92A
		test	[ebp+var_14], 1
		jnz	short loc_A6F948

loc_A6F92A:				; CODE XREF: VerifierMmUnmapLockedPages(x,x)+E7j
					; VerifierMmUnmapLockedPages(x,x)+F5j ...
		mov	ecx, [ebp+4]
		call	_VfUtilCheckRuleEnforcement@4 ;	VfUtilCheckRuleEnforcement(x)
		cmp	eax, 1
		jnz	short loc_A6F948
		push	0
		mov	edx, 0B9h
		push	esi
		push	edi
		lea	ecx, [edx+0Bh]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F948:				; CODE XREF: VerifierMmUnmapLockedPages(x,x)+102j
					; VerifierMmUnmapLockedPages(x,x)+10Fj
		pop	ebx

loc_A6F949:				; CODE XREF: VerifierMmUnmapLockedPages(x,x)+6Dj
					; VerifierMmUnmapLockedPages(x,x)+7Dj ...
		mov	eax, [esi+14h]
		mov	ecx, [ebp+4]
		neg	eax
		test	_MmVerifierData, 1000h
		jz	short loc_A6F968
		push	eax
		push	78h
		push	74h
		pop	edx
		call	_ViTargetAddToCounter@16 ; ViTargetAddToCounter(x,x,x,x)

loc_A6F968:				; CODE XREF: VerifierMmUnmapLockedPages(x,x)+135j
		push	esi
		push	edi
		call	ds:_pXdvMmUnmapLockedPages
		pop	edi
		pop	esi
		leave
		retn	8
_VerifierMmUnmapLockedPages@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierNtCreateSection(x, x, x, x,	x, x, x)
_VerifierNtCreateSection@28 proc near	; DATA XREF: PAGEVRFD:00AAB26Co

arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_10]
		call	_VfCheckPageProtection@8 ; VfCheckPageProtection(x,x)
		pop	ebp
		jmp	ds:_pXdvNtCreateSection
_VerifierNtCreateSection@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierNtMapViewOfSection(x, x, x,	x, x, x, x, x, x, x)
_VerifierNtMapViewOfSection@40 proc near ; DATA	XREF: PAGEVRFD:00AAB0A4o

arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_24]
		call	_VfCheckPageProtection@8 ; VfCheckPageProtection(x,x)
		pop	ebp
		jmp	ds:_pXdvNtMapViewOfSection
_VerifierNtMapViewOfSection@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

_Verifiermemcpy	proc near		; DATA XREF: PAGEVRFD:00AAB7ACo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	_MmVerifierData, 800h
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_4]
		jz	short loc_A6F9DC
		cmp	[ebp+arg_0], esi
		jbe	short loc_A6F9DC
		lea	eax, [esi+ebx]
		cmp	[ebp+arg_0], eax
		jnb	short loc_A6F9DC
		push	ebx
		mov	edx, 0F0h
		push	esi
		push	[ebp+arg_0]
		lea	ecx, [edx-2Ch]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6F9DC:				; CODE XREF: _Verifiermemcpy+17j
					; _Verifiermemcpy+1Cj ...
		push	ebx
		push	esi
		push	[ebp+arg_0]
		call	ds:_pXdvmemcpy
		add	esp, 0Ch
		pop	esi
		pop	ebx
		pop	ebp
		retn
_Verifiermemcpy	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfFillAllocatePagesForMdl(x, x, x)
_VfFillAllocatePagesForMdl@12 proc near	; CODE XREF: VerifierMmAllocateNodePagesForMdlEx(x,x,x,x,x,x,x,x,x,x)+58p
					; VerifierMmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)+5Fp

var_4		= dword	ptr -4
arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		test	[ebp+arg_0], 1
		push	esi
		mov	esi, ecx
		jz	short loc_A6FA50
		cmp	edx, 1
		jnz	short loc_A6FA50
		mov	eax, [esi+0Ch]
		push	ebx
		push	edi
		mov	edi, [esi+14h]
		mov	ebx, 1000h
		push	40000010h
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	eax
		push	eax
		push	edx
		push	eax
		push	esi
		mov	[esi+14h], ebx
		call	MmMapLockedPagesSpecifyCache
		mov	dword ptr [ebp+arg_0], eax
		test	eax, eax
		jz	short loc_A6FA4B
		cmp	edi, ebx
		jnb	short loc_A6FA33
		mov	ebx, edi

loc_A6FA33:				; CODE XREF: VfFillAllocatePagesForMdl(x,x,x)+41j
		mov	edx, ebx
		mov	ecx, eax
		call	_VfFillAllocatedMemory@8 ; VfFillAllocatedMemory(x,x)
		push	esi
		push	dword ptr [ebp+arg_0]
		call	MmUnmapLockedPages
		mov	eax, [ebp+var_4]
		mov	[esi+0Ch], eax

loc_A6FA4B:				; CODE XREF: VfFillAllocatePagesForMdl(x,x,x)+3Dj
		mov	[esi+14h], edi
		pop	edi
		pop	ebx

loc_A6FA50:				; CODE XREF: VfFillAllocatePagesForMdl(x,x,x)+Dj
					; VfFillAllocatePagesForMdl(x,x,x)+12j
		pop	esi
		leave
		retn	4
_VfFillAllocatePagesForMdl@12 endp


;  S U B	R O U T	I N E 


; __stdcall ViMmMapLockedPagesSanityChecks(x, x)
_ViMmMapLockedPagesSanityChecks@8 proc near ; CODE XREF: VerifierMmMapLockedPages(x,x)+18p
					; VerifierMmMapLockedPagesSpecifyCache(x,x,x,x,x,x)+18p
		test	byte ptr _MmVerifierData, 1
		push	ebx
		push	esi
		mov	bl, dl
		mov	esi, ecx
		jz	loc_A6FB1E
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	cl, al
		mov	edi, 0C4h
		test	bl, bl
		jnz	short loc_A6FA92
		cmp	cl, 2
		jbe	short loc_A6FAAF
		push	0
		push	esi
		movzx	eax, cl
		mov	ecx, edi
		push	eax
		push	74h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)
		jmp	short loc_A6FAAF
; 

loc_A6FA92:				; CODE XREF: ViMmMapLockedPagesSanityChecks(x,x)+23j
		cmp	cl, 1
		jbe	short loc_A6FAAA
		movsx	eax, bl
		push	eax
		push	esi
		movzx	eax, cl
		mov	ecx, edi
		push	eax
		push	75h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6FAAA:				; CODE XREF: ViMmMapLockedPagesSanityChecks(x,x)+40j
		cmp	bl, 1
		jz	short loc_A6FAE2

loc_A6FAAF:				; CODE XREF: ViMmMapLockedPagesSanityChecks(x,x)+28j
					; ViMmMapLockedPagesSanityChecks(x,x)+3Bj
		cmp	_VfVerifyMode, 3
		push	25h
		pop	edx
		jnb	short loc_A6FABE
		push	21h
		pop	edx

loc_A6FABE:				; CODE XREF: ViMmMapLockedPagesSanityChecks(x,x)+64j
		movzx	ecx, word ptr [esi+6]
		mov	eax, ecx
		and	eax, edx
		test	ax, ax
		jz	short loc_A6FAE2
		movsx	ecx, cx
		movzx	eax, dx
		mov	edx, 0B2h
		and	eax, ecx
		push	eax
		push	ecx
		push	esi
		mov	ecx, edi
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6FAE2:				; CODE XREF: ViMmMapLockedPagesSanityChecks(x,x)+58j
					; ViMmMapLockedPagesSanityChecks(x,x)+74j
		movzx	edi, word ptr [esi+6]
		xor	eax, eax
		cmp	bl, 1
		setz	al
		dec	eax
		and	eax, 0FFFFFFFBh
		add	eax, 17h
		movzx	edx, ax
		mov	eax, edx
		and	eax, edi
		test	ax, ax
		jnz	short loc_A6FB14
		push	edx
		mov	edx, 0B3h
		movsx	eax, di
		push	eax
		push	esi
		lea	ecx, [edx+11h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6FB14:				; CODE XREF: ViMmMapLockedPagesSanityChecks(x,x)+AAj
		pop	edi
		mov	ecx, esi
		pop	esi
		pop	ebx
		jmp	_MmCheckMdlPages@4 ; MmCheckMdlPages(x)
; 

loc_A6FB1E:				; CODE XREF: ViMmMapLockedPagesSanityChecks(x,x)+Dj
		pop	esi
		pop	ebx
		retn
_ViMmMapLockedPagesSanityChecks@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViMmValidateIrql(x)
_ViMmValidateIrql@4 proc near		; CODE XREF: VerifierMmAllocateNodePagesForMdlEx(x,x,x,x,x,x,x,x,x,x)+7p
					; VerifierMmAllocatePagesForMdl(x,x,x,x,x,x,x)+11p ...
		test	cl, cl
		jnz	short locret_A6FB4E
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jbe	short locret_A6FB4E
		test	_MmVerifierData, 20000h
		jz	short locret_A6FB4E
		push	0
		push	2
		movzx	eax, al
		push	eax
		push	7Eh
		pop	edx
		lea	ecx, [edx+46h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

locret_A6FB4E:				; CODE XREF: ViMmValidateIrql(x)+2j
					; ViMmValidateIrql(x)+Cj ...
		retn
_ViMmValidateIrql@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierNtCreateFile(x, x, x, x, x,	x, x, x, x, x, x)
_VerifierNtCreateFile@44 proc near	; DATA XREF: PAGEVRFD:00AAB434o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A6FB74
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jz	short loc_A6FB74
		mov	edx, [ebp+4]
		mov	ecx, 24Ah
		call	_ViErrorReport9@8 ; ViErrorReport9(x,x)

loc_A6FB74:				; CODE XREF: VerifierNtCreateFile(x,x,x,x,x,x,x,x,x,x,x)+Cj
					; VerifierNtCreateFile(x,x,x,x,x,x,x,x,x,x,x)+16j
		pop	ebp
		jmp	ds:_pXdvNtCreateFile
_VerifierNtCreateFile@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierNtLockFile(x, x, x,	x, x, x, x, x, x, x)
_VerifierNtLockFile@40 proc near	; DATA XREF: PAGEVRFD:00AAA114o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvNtLockFile
_VerifierNtLockFile@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierNtReadFile(x, x, x,	x, x, x, x, x, x)
_VerifierNtReadFile@36 proc near	; DATA XREF: PAGEVRFD:00AAB464o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A6FBAC
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jz	short loc_A6FBAC
		mov	edx, [ebp+4]
		mov	ecx, 24Ah
		call	_ViErrorReport9@8 ; ViErrorReport9(x,x)

loc_A6FBAC:				; CODE XREF: VerifierNtReadFile(x,x,x,x,x,x,x,x,x)+Cj
					; VerifierNtReadFile(x,x,x,x,x,x,x,x,x)+16j
		pop	ebp
		jmp	ds:_pXdvNtReadFile
_VerifierNtReadFile@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierNtUnlockFile(x, x, x, x, x)
_VerifierNtUnlockFile@20 proc near	; DATA XREF: PAGEVRFD:00AAA144o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvNtUnlockFile
_VerifierNtUnlockFile@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierNtWriteFile(x, x, x, x, x, x, x, x,	x)
_VerifierNtWriteFile@36	proc near	; DATA XREF: PAGEVRFD:00AAB44Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		test	byte ptr _MmVerifierData, 10h
		jz	short loc_A6FBE4
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	al, al
		jz	short loc_A6FBE4
		mov	edx, [ebp+4]
		mov	ecx, 24Ah
		call	_ViErrorReport9@8 ; ViErrorReport9(x,x)

loc_A6FBE4:				; CODE XREF: VerifierNtWriteFile(x,x,x,x,x,x,x,x,x)+Cj
					; VerifierNtWriteFile(x,x,x,x,x,x,x,x,x)+16j
		pop	ebp
		jmp	ds:_pXdvNtWriteFile
_VerifierNtWriteFile@36	endp


;  S U B	R O U T	I N E 


; __fastcall VerifierObfDereferenceObject(x)
@VerifierObfDereferenceObject@4	proc near ; DATA XREF: PAGEVRFD:00AAA15Co
		mov	edi, edi
		push	esi
		push	8
		pop	edx
		mov	esi, ecx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		mov	ecx, esi
		pop	esi
		jmp	ds:_pXdvObfDereferenceObject
@VerifierObfDereferenceObject@4	endp


;  S U B	R O U T	I N E 


; __fastcall VerifierObfDereferenceObjectWithTag(x, x)
@VerifierObfDereferenceObjectWithTag@8 proc near ; DATA	XREF: PAGEVRFD:00AAA174o
		mov	edi, edi
		push	esi
		push	edi
		push	8
		mov	esi, edx
		mov	edi, ecx
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		mov	ecx, edi
		mov	edx, esi
		pop	edi
		pop	esi
		jmp	ds:_pXdvObfDereferenceObjectWithTag
@VerifierObfDereferenceObjectWithTag@8 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierObfReferenceObject(x)
@VerifierObfReferenceObject@4 proc near	; DATA XREF: PAGEVRFD:00AAB47Co
		mov	edi, edi
		push	esi
		push	edi
		push	8
		pop	edx
		mov	esi, ecx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		mov	ecx, esi
		call	ds:_pXdvObfReferenceObject
		mov	edi, eax
		cmp	edi, 1
		jnz	short loc_A6FC57
		test	_MmVerifierData, 800h
		jz	short loc_A6FC57
		push	0
		push	eax
		push	esi
		push	3Fh
		pop	edx
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6FC57:				; CODE XREF: VerifierObfReferenceObject(x)+1Bj
					; VerifierObfReferenceObject(x)+27j
		mov	eax, edi
		pop	edi
		pop	esi
		retn
@VerifierObfReferenceObject@4 endp


;  S U B	R O U T	I N E 


; __fastcall VerifierObfReferenceObjectWithTag(x, x)
@VerifierObfReferenceObjectWithTag@8 proc near ; DATA XREF: PAGEVRFD:00AAA18Co
		mov	edi, edi
		push	esi
		push	edi
		push	8
		mov	esi, edx
		mov	edi, ecx
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		mov	ecx, edi
		mov	edx, esi
		pop	edi
		pop	esi
		jmp	ds:_pXdvObfReferenceObjectWithTag
@VerifierObfReferenceObjectWithTag@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierObGetObjectSecurity(x, x, x)
_VerifierObGetObjectSecurity@12	proc near ; DATA XREF: PAGEVRFD:00AAA1A4o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	8
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		pop	ebp
		jmp	ds:_pXdvObGetObjectSecurity
_VerifierObGetObjectSecurity@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierObReferenceObjectByHandle(x, x, x, x, x, x)
_VerifierObReferenceObjectByHandle@24 proc near	; DATA XREF: PAGEVRFD:00AAB494o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	[ebp+arg_14]
		mov	esi, [ebp+arg_0]
		push	[ebp+arg_10]
		push	ebx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	ds:_pXdvObReferenceObjectByHandle
		mov	[ebp+arg_14], eax
		cmp	eax, 0C0000008h
		jz	short loc_A6FCC1
		cmp	eax, 0C0000024h
		jnz	short loc_A6FD24

loc_A6FCC1:				; CODE XREF: VerifierObReferenceObjectByHandle(x,x,x,x,x,x)+29j
		test	bl, bl
		jz	short loc_A6FCD4
		mov	eax, large fs:124h
		test	dword ptr [eax+58h], 400h
		jz	short loc_A6FD24

loc_A6FCD4:				; CODE XREF: VerifierObReferenceObjectByHandle(x,x,x,x,x,x)+34j
		test	_MmVerifierData, 800h
		jz	short loc_A6FD24
		test	esi, esi
		jnz	short loc_A6FCF0
		push	esi
		push	[ebp+arg_8]
		mov	edx, 0F5h
		push	esi
		jmp	short loc_A6FD1A
; 

loc_A6FCF0:				; CODE XREF: VerifierObReferenceObjectByHandle(x,x,x,x,x,x)+53j
		test	bl, bl
		jz	short loc_A6FD11
		test	esi, esi
		jns	short loc_A6FD11
		cmp	esi, 0FFFFFFFEh
		jz	short loc_A6FD11
		cmp	esi, 0FFFFFFFFh
		jz	short loc_A6FD11
		movsx	eax, bl
		mov	edx, 0F7h
		push	eax
		push	[ebp+arg_8]
		push	esi
		jmp	short loc_A6FD1A
; 

loc_A6FD11:				; CODE XREF: VerifierObReferenceObjectByHandle(x,x,x,x,x,x)+63j
					; VerifierObReferenceObjectByHandle(x,x,x,x,x,x)+67j ...
		push	0
		push	[ebp+arg_8]
		push	esi
		push	3Ch
		pop	edx

loc_A6FD1A:				; CODE XREF: VerifierObReferenceObjectByHandle(x,x,x,x,x,x)+5Fj
					; VerifierObReferenceObjectByHandle(x,x,x,x,x,x)+80j
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6FD24:				; CODE XREF: VerifierObReferenceObjectByHandle(x,x,x,x,x,x)+30j
					; VerifierObReferenceObjectByHandle(x,x,x,x,x,x)+43j ...
		mov	eax, [ebp+arg_14]
		pop	esi
		pop	ebx
		pop	ebp
		retn	18h
_VerifierObReferenceObjectByHandle@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierObReferenceObjectByHandleWithTag(x,	x, x, x, x, x, x)
_VerifierObReferenceObjectByHandleWithTag@28 proc near ; DATA XREF: PAGEVRFD:00AAA1BCo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvObReferenceObjectByHandleWithTag
_VerifierObReferenceObjectByHandleWithTag@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierObReferenceObjectByPointer(x, x, x,	x)
_VerifierObReferenceObjectByPointer@16 proc near ; DATA	XREF: PAGEVRFD:00AAB4ACo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ecx, esi
		push	8
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		cmp	dword ptr [esi-18h], 0
		jnz	short loc_A6FD70
		test	_MmVerifierData, 800h
		jz	short loc_A6FD70
		push	0
		push	1
		push	esi
		push	3Fh
		pop	edx
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A6FD70:				; CODE XREF: VerifierObReferenceObjectByPointer(x,x,x,x)+17j
					; VerifierObReferenceObjectByPointer(x,x,x,x)+23j
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	esi
		call	ds:_pXdvObReferenceObjectByPointer
		pop	esi
		pop	ebp
		retn	10h
_VerifierObReferenceObjectByPointer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierObReferenceObjectByPointerWithTag(x, x, x, x, x)
_VerifierObReferenceObjectByPointerWithTag@20 proc near	; DATA XREF: PAGEVRFD:00AAA1D4o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	8
		pop	edx
		call	_VfUtilCheckKernelAddress@8 ; VfUtilCheckKernelAddress(x,x)
		pop	ebp
		jmp	ds:_pXdvObReferenceObjectByPointerWithTag
_VerifierObReferenceObjectByPointerWithTag@20 endp


;  S U B	R O U T	I N E 


; __stdcall VerifierObReleaseObjectSecurity(x, x)
_VerifierObReleaseObjectSecurity@8 proc	near ; DATA XREF: PAGEVRFD:00AAA1ECo
		jmp	ds:_pXdvObReleaseObjectSecurity
_VerifierObReleaseObjectSecurity@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierEtwRegister(x, x, x, x)
_VerifierEtwRegister@16	proc near	; DATA XREF: PAGEVRFD:00AAB6A4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_C]
		push	edi
		push	esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvEtwRegister
		mov	edi, eax
		test	edi, edi
		js	short loc_A6FDCF
		mov	ecx, [ebp+4]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		call	_VfTargetEtwRegister@12	; VfTargetEtwRegister(x,x,x)

loc_A6FDCF:				; CODE XREF: VerifierEtwRegister(x,x,x,x)+1Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_VerifierEtwRegister@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierEtwRegisterClassicProvider(x, x, x,	x, x)
_VerifierEtwRegisterClassicProvider@20 proc near ; DATA	XREF: PAGEVRFD:00AAB6BCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		push	esi
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvEtwRegisterClassicProvider
		mov	edi, eax
		test	edi, edi
		js	short loc_A6FE07
		mov	ecx, [ebp+4]
		push	dword ptr [esi+4]
		push	dword ptr [esi]
		call	_VfTargetEtwRegister@12	; VfTargetEtwRegister(x,x,x)

loc_A6FE07:				; CODE XREF: VerifierEtwRegisterClassicProvider(x,x,x,x,x)+21j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebp
		retn	14h
_VerifierEtwRegisterClassicProvider@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierEtwUnregister(x, x)
_VerifierEtwUnregister@8 proc near	; DATA XREF: PAGEVRFD:00AAB6D4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_4]
		mov	ecx, [ebp+4]
		push	[ebp+arg_0]
		call	_VfTargetEtwUnregister@12 ; VfTargetEtwUnregister(x,x,x)
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvEtwUnregister
		pop	ebp
		retn	8
_VerifierEtwUnregister@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoWMIRegistrationControl(x,	x)
_VerifierIoWMIRegistrationControl@8 proc near ;	DATA XREF: PAGEVRFD:00AAB65Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	dword ptr [ebp+4]
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_VfTargetWMIRegistrationControl@12 ; VfTargetWMIRegistrationControl(x,x,x)
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		call	_VfDevObjWMIRegistrationControl@8 ; VfDevObjWMIRegistrationControl(x,x)
		pop	ebp
		jmp	ds:_pXdvIoWMIRegistrationControl
_VerifierIoWMIRegistrationControl@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VerifierIoWMIWriteEvent(x)
_VerifierIoWMIWriteEvent@4 proc	near	; DATA XREF: PAGEVRFD:00AAB674o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		push	esi
		call	_WmiVerifierTakeEventOwnership@4 ; WmiVerifierTakeEventOwnership(x)
		test	al, al
		jnz	short loc_A6FE74
		push	ecx
		call	ds:_pXdvIoWMIWriteEvent
		mov	esi, eax
		jmp	short loc_A6FEA2
; 

loc_A6FE74:				; CODE XREF: VerifierIoWMIWriteEvent(x)+10j
		push	ebx
		call	_WmiVerifierCopyEvent@4	; WmiVerifierCopyEvent(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_A6FE87
		mov	esi, 0C000009Ah
		jmp	short loc_A6FEA1
; 

loc_A6FE87:				; CODE XREF: VerifierIoWMIWriteEvent(x)+27j
		push	ebx
		call	ds:_pXdvIoWMIWriteEvent
		mov	esi, eax
		push	0
		test	esi, esi
		js	short loc_A6FE9B
		push	[ebp+arg_0]
		jmp	short loc_A6FE9C
; 

loc_A6FE9B:				; CODE XREF: VerifierIoWMIWriteEvent(x)+3Dj
		push	ebx

loc_A6FE9C:				; CODE XREF: VerifierIoWMIWriteEvent(x)+42j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A6FEA1:				; CODE XREF: VerifierIoWMIWriteEvent(x)+2Ej
		pop	ebx

loc_A6FEA2:				; CODE XREF: VerifierIoWMIWriteEvent(x)+1Bj
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_VerifierIoWMIWriteEvent@4 endp	; sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAccessCheckAndAuditAlarm(x, x, x, x, x,	x, x, x, x, x, x)
_VfZwAccessCheckAndAuditAlarm@44 proc near ; DATA XREF:	PAGEVRFD:00AAB7C4o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_20		= dword	ptr  28h
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A6FF01
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_18]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_20]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_28]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A6FF01:				; CODE XREF: VfZwAccessCheckAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwAccessCheckAndAuditAlarm
_VfZwAccessCheckAndAuditAlarm@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAddBootEntry(x,	x)
_VfZwAddBootEntry@8 proc near		; DATA XREF: PAGEVRFD:00AAB7DCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A6FF2F
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A6FF2F:				; CODE XREF: VfZwAddBootEntry(x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwAddBootEntry
_VfZwAddBootEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAddDriverEntry(x, x)
_VfZwAddDriverEntry@8 proc near		; DATA XREF: PAGEVRFD:00AAB7F4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A6FF5D
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A6FF5D:				; CODE XREF: VfZwAddDriverEntry(x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwAddDriverEntry
_VfZwAddDriverEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAdjustPrivilegesToken(x, x, x, x, x, x)
_VfZwAdjustPrivilegesToken@24 proc near	; DATA XREF: PAGEVRFD:00AAB80Co

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A6FF95
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A6FF95:				; CODE XREF: VfZwAdjustPrivilegesToken(x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwAdjustPrivilegesToken
_VfZwAdjustPrivilegesToken@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAllocateVirtualMemory(x, x, x, x, x, x)
_VfZwAllocateVirtualMemory@24 proc near	; DATA XREF: PAGEVRFD:00AAB824o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_14]
		push	esi
		mov	esi, [ebp+4]
		mov	edx, esi
		call	_VfCheckPageProtection@8 ; VfCheckPageProtection(x,x)
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A6FFCD
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A6FFCD:				; CODE XREF: VfZwAllocateVirtualMemory(x,x,x,x,x,x)+1Aj
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwAllocateVirtualMemory
_VfZwAllocateVirtualMemory@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAlpcAcceptConnectPort(x, x, x, x, x, x,	x, x, x)
_VfZwAlpcAcceptConnectPort@36 proc near	; DATA XREF: PAGEVRFD:00AAC1CCo

arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70019
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_18]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_1C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A70019:				; CODE XREF: VfZwAlpcAcceptConnectPort(x,x,x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwAlpcAcceptConnectPort
_VfZwAlpcAcceptConnectPort@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAlpcConnectPort(x, x, x, x, x, x, x, x,	x, x, x)
_VfZwAlpcConnectPort@44	proc near	; DATA XREF: PAGEVRFD:00AAC1B4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70097
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_18]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_1C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_20]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_24]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_28]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)

loc_A70097:				; CODE XREF: VfZwAlpcConnectPort(x,x,x,x,x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwAlpcConnectPort
_VfZwAlpcConnectPort@44	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAlpcCreatePort(x, x, x)
_VfZwAlpcCreatePort@12 proc near	; DATA XREF: PAGEVRFD:00AAC19Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A700CF
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A700CF:				; CODE XREF: VfZwAlpcCreatePort(x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwAlpcCreatePort
_VfZwAlpcCreatePort@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAlpcCreatePortSection(x, x, x, x, x, x)
_VfZwAlpcCreatePortSection@24 proc near	; DATA XREF: PAGEVRFD:00AAC214o

arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A700FD
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A700FD:				; CODE XREF: VfZwAlpcCreatePortSection(x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwAlpcCreatePortSection
_VfZwAlpcCreatePortSection@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAlpcCreateResourceReserve(x, x,	x, x)
_VfZwAlpcCreateResourceReserve@16 proc near ; DATA XREF: PAGEVRFD:00AAC244o

arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7011E
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_C]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7011E:				; CODE XREF: VfZwAlpcCreateResourceReserve(x,x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwAlpcCreateResourceReserve
_VfZwAlpcCreateResourceReserve@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAlpcCreateSectionView(x, x, x)
_VfZwAlpcCreateSectionView@12 proc near	; DATA XREF: PAGEVRFD:00AAC22Co

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7013E
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_8]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7013E:				; CODE XREF: VfZwAlpcCreateSectionView(x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwAlpcCreateSectionView
_VfZwAlpcCreateSectionView@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAlpcCreateSecurityContext(x, x,	x)
_VfZwAlpcCreateSecurityContext@12 proc near ; DATA XREF: PAGEVRFD:00AAC1FCo

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7015E
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_8]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7015E:				; CODE XREF: VfZwAlpcCreateSecurityContext(x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwAlpcCreateSecurityContext
_VfZwAlpcCreateSecurityContext@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAlpcQueryInformation(x,	x, x, x, x)
_VfZwAlpcQueryInformation@20 proc near	; DATA XREF: PAGEVRFD:00AAC274o

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7018B
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7018B:				; CODE XREF: VfZwAlpcQueryInformation(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwAlpcQueryInformation
_VfZwAlpcQueryInformation@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAlpcSendWaitReceivePort(x, x, x, x, x, x, x, x)
_VfZwAlpcSendWaitReceivePort@32	proc near ; DATA XREF: PAGEVRFD:00AAC1E4o

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A701E1
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_18]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_1C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A701E1:				; CODE XREF: VfZwAlpcSendWaitReceivePort(x,x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwAlpcSendWaitReceivePort
_VfZwAlpcSendWaitReceivePort@32	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwAlpcSetInformation(x, x, x, x)
_VfZwAlpcSetInformation@16 proc	near	; DATA XREF: PAGEVRFD:00AAC25Co

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70202
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_8]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70202:				; CODE XREF: VfZwAlpcSetInformation(x,x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwAlpcSetInformation
_VfZwAlpcSetInformation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCancelIoFile(x,	x)
_VfZwCancelIoFile@8 proc near		; DATA XREF: PAGEVRFD:00AAB83Co

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70222
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70222:				; CODE XREF: VfZwCancelIoFile(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwCancelIoFile
_VfZwCancelIoFile@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCancelTimer(x, x)
_VfZwCancelTimer@8 proc	near		; DATA XREF: PAGEVRFD:00AAB854o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70242
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70242:				; CODE XREF: VfZwCancelTimer(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwCancelTimer
_VfZwCancelTimer@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCloseObjectAuditAlarm(x, x, x)
_VfZwCloseObjectAuditAlarm@12 proc near	; DATA XREF: PAGEVRFD:00AAB86Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70262
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)

loc_A70262:				; CODE XREF: VfZwCloseObjectAuditAlarm(x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwCloseObjectAuditAlarm
_VfZwCloseObjectAuditAlarm@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCommitEnlistment(x, x)
_VfZwCommitEnlistment@8	proc near	; DATA XREF: PAGEVRFD:00AAC37Co

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70282
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70282:				; CODE XREF: VfZwCommitEnlistment(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwCommitEnlistment
_VfZwCommitEnlistment@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwConnectPort(x, x, x, x,	x, x, x, x)
_VfZwConnectPort@32 proc near		; DATA XREF: PAGEVRFD:00AAB884o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A702EB
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_18]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_1C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A702EB:				; CODE XREF: VfZwConnectPort(x,x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwConnectPort
_VfZwConnectPort@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCreateDirectoryObject(x, x, x)
_VfZwCreateDirectoryObject@12 proc near	; DATA XREF: PAGEVRFD:00AAB89Co

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70319
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A70319:				; CODE XREF: VfZwCreateDirectoryObject(x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwCreateDirectoryObject
_VfZwCreateDirectoryObject@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCreateEnlistment(x, x, x, x, x,	x, x, x)
_VfZwCreateEnlistment@32 proc near	; DATA XREF: PAGEVRFD:00AAC3C4o

arg_0		= dword	ptr  8
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70347
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A70347:				; CODE XREF: VfZwCreateEnlistment(x,x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwCreateEnlistment
_VfZwCreateEnlistment@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCreateEvent(x, x, x, x,	x)
_VfZwCreateEvent@20 proc near		; DATA XREF: PAGEVRFD:00AAB8B4o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70375
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A70375:				; CODE XREF: VfZwCreateEvent(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwCreateEvent
_VfZwCreateEvent@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCreateFile(x, x, x, x, x, x, x,	x, x, x, x)
_VfZwCreateFile@44 proc	near		; DATA XREF: PAGEVRFD:00AAB8CCo

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A703C1
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_24]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A703C1:				; CODE XREF: VfZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwCreateFile
_VfZwCreateFile@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCreateJobObject(x, x, x)
_VfZwCreateJobObject@12	proc near	; DATA XREF: PAGEVRFD:00AAB8E4o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A703EF
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A703EF:				; CODE XREF: VfZwCreateJobObject(x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwCreateJobObject
_VfZwCreateJobObject@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCreateKey(x, x,	x, x, x, x, x)
_VfZwCreateKey@28 proc near		; DATA XREF: PAGEVRFD:00AAB8FCo

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70431
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)
		mov	ecx, [ebp+arg_18]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70431:				; CODE XREF: VfZwCreateKey(x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwCreateKey
_VfZwCreateKey@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCreateSection(x, x, x, x, x, x,	x)
_VfZwCreateSection@28 proc near		; DATA XREF: PAGEVRFD:00AAB914o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_10]
		push	esi
		mov	esi, [ebp+4]
		mov	edx, esi
		call	_VfCheckPageProtection@8 ; VfCheckPageProtection(x,x)
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70473
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70473:				; CODE XREF: VfZwCreateSection(x,x,x,x,x,x,x)+1Aj
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwCreateSection
_VfZwCreateSection@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCreateSymbolicLinkObject(x, x, x, x)
_VfZwCreateSymbolicLinkObject@16 proc near ; DATA XREF:	PAGEVRFD:00AAB92Co

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A704AB
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)

loc_A704AB:				; CODE XREF: VfZwCreateSymbolicLinkObject(x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwCreateSymbolicLinkObject
_VfZwCreateSymbolicLinkObject@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCreateTimer(x, x, x, x)
_VfZwCreateTimer@16 proc near		; DATA XREF: PAGEVRFD:00AAB944o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A704D9
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A704D9:				; CODE XREF: VfZwCreateTimer(x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwCreateTimer
_VfZwCreateTimer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCreateTransaction(x, x,	x, x, x, x, x, x, x, x)
_VfZwCreateTransaction@40 proc near	; DATA XREF: PAGEVRFD:00AAC2ECo

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70525
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_20]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_24]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)

loc_A70525:				; CODE XREF: VfZwCreateTransaction(x,x,x,x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwCreateTransaction
_VfZwCreateTransaction@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwCreateTransactionManager(x, x, x, x, x,	x)
_VfZwCreateTransactionManager@24 proc near ; DATA XREF:	PAGEVRFD:00AAC2A4o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7055D
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)

loc_A7055D:				; CODE XREF: VfZwCreateTransactionManager(x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwCreateTransactionManager
_VfZwCreateTransactionManager@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwDeleteBootEntry(x)
_VfZwDeleteBootEntry@4 proc near	; DATA XREF: PAGEVRFD:00AAB95Co
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwDeleteBootEntry
_VfZwDeleteBootEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwDeleteFile(x)
_VfZwDeleteFile@4 proc near		; DATA XREF: PAGEVRFD:00AAB974o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7058A
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A7058A:				; CODE XREF: VfZwDeleteFile(x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwDeleteFile
_VfZwDeleteFile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwDeleteValueKey(x, x)
_VfZwDeleteValueKey@8 proc near		; DATA XREF: PAGEVRFD:00AAB98Co

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A705AA
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)

loc_A705AA:				; CODE XREF: VfZwDeleteValueKey(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwDeleteValueKey
_VfZwDeleteValueKey@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwDeviceIoControlFile(x, x, x, x,	x, x, x, x, x, x)
_VfZwDeviceIoControlFile@40 proc near	; DATA XREF: PAGEVRFD:00AAB9A4o

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A705FC
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_18]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_20]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, esi
		call	_ViZwCheckApcRequirement@4 ; ViZwCheckApcRequirement(x)

loc_A705FC:				; CODE XREF: VfZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwDeviceIoControlFile
_VfZwDeviceIoControlFile@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwDisplayString(x)
_VfZwDisplayString@4 proc near		; DATA XREF: PAGEVRFD:00AAB9BCo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7061D
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)

loc_A7061D:				; CODE XREF: VfZwDisplayString(x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwDisplayString
_VfZwDisplayString@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwDuplicateObject(x, x, x, x, x, x, x)
_VfZwDuplicateObject@28	proc near	; DATA XREF: PAGEVRFD:00AAB9D4o

arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7063D
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_C]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7063D:				; CODE XREF: VfZwDuplicateObject(x,x,x,x,x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwDuplicateObject
_VfZwDuplicateObject@28	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwDuplicateToken(x, x, x,	x, x, x)
_VfZwDuplicateToken@24 proc near	; DATA XREF: PAGEVRFD:00AAB9ECo

arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7066A
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7066A:				; CODE XREF: VfZwDuplicateToken(x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwDuplicateToken
_VfZwDuplicateToken@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwEnumerateBootEntries(x,	x)
_VfZwEnumerateBootEntries@8 proc near	; DATA XREF: PAGEVRFD:00AABA04o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70698
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70698:				; CODE XREF: VfZwEnumerateBootEntries(x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwEnumerateBootEntries
_VfZwEnumerateBootEntries@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwEnumerateDriverEntries(x, x)
_VfZwEnumerateDriverEntries@8 proc near	; DATA XREF: PAGEVRFD:00AABA1Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A706C6
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A706C6:				; CODE XREF: VfZwEnumerateDriverEntries(x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwEnumerateDriverEntries
_VfZwEnumerateDriverEntries@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwEnumerateKey(x,	x, x, x, x, x)
_VfZwEnumerateKey@24 proc near		; DATA XREF: PAGEVRFD:00AABA34o

arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A706F4
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A706F4:				; CODE XREF: VfZwEnumerateKey(x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwEnumerateKey
_VfZwEnumerateKey@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwEnumerateValueKey(x, x,	x, x, x, x)
_VfZwEnumerateValueKey@24 proc near	; DATA XREF: PAGEVRFD:00AABA4Co

arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70722
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70722:				; CODE XREF: VfZwEnumerateValueKey(x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwEnumerateValueKey
_VfZwEnumerateValueKey@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwFlushInstructionCache(x, x, x)
_VfZwFlushInstructionCache@12 proc near	; DATA XREF: PAGEVRFD:00AABA64o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70743
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70743:				; CODE XREF: VfZwFlushInstructionCache(x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwFlushInstructionCache
_VfZwFlushInstructionCache@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwFlushVirtualMemory(x, x, x, x)
_VfZwFlushVirtualMemory@16 proc	near	; DATA XREF: PAGEVRFD:00AABA7Co

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7077A
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7077A:				; CODE XREF: VfZwFlushVirtualMemory(x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwFlushVirtualMemory
_VfZwFlushVirtualMemory@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwFreeVirtualMemory(x, x,	x, x)
_VfZwFreeVirtualMemory@16 proc near	; DATA XREF: PAGEVRFD:00AABA94o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A707A8
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A707A8:				; CODE XREF: VfZwFreeVirtualMemory(x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwFreeVirtualMemory
_VfZwFreeVirtualMemory@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwFsControlFile(x, x, x, x, x, x,	x, x, x, x)
_VfZwFsControlFile@40 proc near		; DATA XREF: PAGEVRFD:00AABAACo

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A707FB
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_18]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_20]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, esi
		call	_ViZwCheckApcRequirement@4 ; ViZwCheckApcRequirement(x)

loc_A707FB:				; CODE XREF: VfZwFsControlFile(x,x,x,x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwFsControlFile
_VfZwFsControlFile@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwLoadDriver(x)
_VfZwLoadDriver@4 proc near		; DATA XREF: PAGEVRFD:00AABAC4o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7081C
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)

loc_A7081C:				; CODE XREF: VfZwLoadDriver(x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwLoadDriver
_VfZwLoadDriver@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwLoadKey(x, x)
_VfZwLoadKey@8	proc near		; DATA XREF: PAGEVRFD:00AABADCo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70849
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A70849:				; CODE XREF: VfZwLoadKey(x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwLoadKey
_VfZwLoadKey@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwMapViewOfSection(x, x, x, x, x,	x, x, x, x, x)
_VfZwMapViewOfSection@40 proc near	; DATA XREF: PAGEVRFD:00AABAF4o

arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_24]
		push	esi
		mov	esi, [ebp+4]
		mov	edx, esi
		call	_VfCheckPageProtection@8 ; VfCheckPageProtection(x,x)
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7088B
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_18]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7088B:				; CODE XREF: VfZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)+1Aj
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwMapViewOfSection
_VfZwMapViewOfSection@40 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwModifyBootEntry(x)
_VfZwModifyBootEntry@4 proc near	; DATA XREF: PAGEVRFD:00AABB0Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A708AC
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A708AC:				; CODE XREF: VfZwModifyBootEntry(x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwModifyBootEntry
_VfZwModifyBootEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwModifyDriverEntry(x)
_VfZwModifyDriverEntry@4 proc near	; DATA XREF: PAGEVRFD:00AABB24o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A708CC
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A708CC:				; CODE XREF: VfZwModifyDriverEntry(x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwModifyDriverEntry
_VfZwModifyDriverEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwNotifyChangeKey(x, x, x, x, x, x, x, x,	x, x)
_VfZwNotifyChangeKey@40	proc near	; DATA XREF: PAGEVRFD:00AABB3Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		mov	esi, [ebp+arg_C]
		test	eax, eax
		jz	short loc_A7092F
		cmp	[ebp+arg_8], 0
		jz	short loc_A7091B
		mov	ecx, [ebp+arg_8]
		mov	edx, edi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		test	esi, esi
		js	short loc_A70902
		cmp	esi, 7
		jl	short loc_A7091B

loc_A70902:				; CODE XREF: VfZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)+28j
		lea	eax, [esi-20h]
		cmp	eax, 1Fh
		jbe	short loc_A7091B
		push	0
		mov	edx, 0FCh
		push	esi
		push	edi
		lea	ecx, [edx-38h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A7091B:				; CODE XREF: VfZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)+1Aj
					; VfZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)+2Dj	...
		mov	ecx, [ebp+arg_10]
		mov	edx, edi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_1C]
		mov	edx, edi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7092F:				; CODE XREF: VfZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)+14j
		push	[ebp+arg_24]
		push	[ebp+arg_20]
		push	[ebp+arg_1C]
		push	[ebp+arg_18]
		push	[ebp+arg_14]
		push	[ebp+arg_10]
		push	esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	ds:_pXdvZwNotifyChangeKey
		pop	edi
		pop	esi
		pop	ebp
		retn	28h
_VfZwNotifyChangeKey@40	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenDirectoryObject(x, x, x)
_VfZwOpenDirectoryObject@12 proc near	; DATA XREF: PAGEVRFD:00AABB54o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7097D
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A7097D:				; CODE XREF: VfZwOpenDirectoryObject(x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwOpenDirectoryObject
_VfZwOpenDirectoryObject@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenEnlistment(x, x, x,	x, x)
_VfZwOpenEnlistment@20 proc near	; DATA XREF: PAGEVRFD:00AAC3DCo

arg_0		= dword	ptr  8
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A709AB
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A709AB:				; CODE XREF: VfZwOpenEnlistment(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwOpenEnlistment
_VfZwOpenEnlistment@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenEvent(x, x,	x)
_VfZwOpenEvent@12 proc near		; DATA XREF: PAGEVRFD:00AABB6Co

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A709D9
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A709D9:				; CODE XREF: VfZwOpenEvent(x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwOpenEvent
_VfZwOpenEvent@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenFile(x, x, x, x, x,	x)
_VfZwOpenFile@24 proc near		; DATA XREF: PAGEVRFD:00AABB84o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70A11
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70A11:				; CODE XREF: VfZwOpenFile(x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwOpenFile
_VfZwOpenFile@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenJobObject(x, x, x)
_VfZwOpenJobObject@12 proc near		; DATA XREF: PAGEVRFD:00AABB9Co

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70A3F
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A70A3F:				; CODE XREF: VfZwOpenJobObject(x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwOpenJobObject
_VfZwOpenJobObject@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenKey(x, x, x)
_VfZwOpenKey@12	proc near		; DATA XREF: PAGEVRFD:00AABBB4o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70A6D
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A70A6D:				; CODE XREF: VfZwOpenKey(x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwOpenKey
_VfZwOpenKey@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenProcess(x, x, x, x)
_VfZwOpenProcess@16 proc near		; DATA XREF: PAGEVRFD:00AABBCCo

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70AA5
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70AA5:				; CODE XREF: VfZwOpenProcess(x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwOpenProcess
_VfZwOpenProcess@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenProcessToken(x, x, x)
_VfZwOpenProcessToken@12 proc near	; DATA XREF: PAGEVRFD:00AABBE4o

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70AC6
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_8]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70AC6:				; CODE XREF: VfZwOpenProcessToken(x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwOpenProcessToken
_VfZwOpenProcessToken@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenProcessTokenEx(x, x, x, x)
_VfZwOpenProcessTokenEx@16 proc	near	; DATA XREF: PAGEVRFD:00AABBFCo

arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70AE6
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_C]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70AE6:				; CODE XREF: VfZwOpenProcessTokenEx(x,x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwOpenProcessTokenEx
_VfZwOpenProcessTokenEx@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenSection(x, x, x)
_VfZwOpenSection@12 proc near		; DATA XREF: PAGEVRFD:00AABC14o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70B13
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A70B13:				; CODE XREF: VfZwOpenSection(x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwOpenSection
_VfZwOpenSection@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenSymbolicLinkObject(x, x, x)
_VfZwOpenSymbolicLinkObject@12 proc near ; DATA	XREF: PAGEVRFD:00AABC2Co

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70B41
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A70B41:				; CODE XREF: VfZwOpenSymbolicLinkObject(x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwOpenSymbolicLinkObject
_VfZwOpenSymbolicLinkObject@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenThread(x, x, x, x)
_VfZwOpenThread@16 proc	near		; DATA XREF: PAGEVRFD:00AABC44o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70B79
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70B79:				; CODE XREF: VfZwOpenThread(x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwOpenThread
_VfZwOpenThread@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenThreadToken(x, x, x, x)
_VfZwOpenThreadToken@16	proc near	; DATA XREF: PAGEVRFD:00AABC5Co

arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70B9A
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_C]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70B9A:				; CODE XREF: VfZwOpenThreadToken(x,x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwOpenThreadToken
_VfZwOpenThreadToken@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenThreadTokenEx(x, x,	x, x, x)
_VfZwOpenThreadTokenEx@20 proc near	; DATA XREF: PAGEVRFD:00AABC74o

arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70BBA
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_10]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70BBA:				; CODE XREF: VfZwOpenThreadTokenEx(x,x,x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwOpenThreadTokenEx
_VfZwOpenThreadTokenEx@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenTimer(x, x,	x)
_VfZwOpenTimer@12 proc near		; DATA XREF: PAGEVRFD:00AABC8Co

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70BE7
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A70BE7:				; CODE XREF: VfZwOpenTimer(x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwOpenTimer
_VfZwOpenTimer@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenTransaction(x, x, x, x, x)
_VfZwOpenTransaction@20	proc near	; DATA XREF: PAGEVRFD:00AAC304o

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70C1F
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A70C1F:				; CODE XREF: VfZwOpenTransaction(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwOpenTransaction
_VfZwOpenTransaction@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwOpenTransactionManager(x, x, x,	x, x, x)
_VfZwOpenTransactionManager@24 proc near ; DATA	XREF: PAGEVRFD:00AAC2BCo

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70C61
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70C61:				; CODE XREF: VfZwOpenTransactionManager(x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwOpenTransactionManager
_VfZwOpenTransactionManager@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwPowerInformation(x, x, x, x, x)
_VfZwPowerInformation@20 proc near	; DATA XREF: PAGEVRFD:00AABCA4o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70C8F
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70C8F:				; CODE XREF: VfZwPowerInformation(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwPowerInformation
_VfZwPowerInformation@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwPrePrepareEnlistment(x,	x)
_VfZwPrePrepareEnlistment@8 proc near	; DATA XREF: PAGEVRFD:00AAC34Co

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70CB0
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70CB0:				; CODE XREF: VfZwPrePrepareEnlistment(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwPrePrepareEnlistment
_VfZwPrePrepareEnlistment@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwPrepareComplete(x, x)
_VfZwPrepareComplete@8 proc near	; DATA XREF: PAGEVRFD:00AAC3ACo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70CD0
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70CD0:				; CODE XREF: VfZwPrepareComplete(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwPrepareComplete
_VfZwPrepareComplete@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwPrepareEnlistment(x, x)
_VfZwPrepareEnlistment@8 proc near	; DATA XREF: PAGEVRFD:00AAC364o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70CF0
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70CF0:				; CODE XREF: VfZwPrepareEnlistment(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwPrepareEnlistment
_VfZwPrepareEnlistment@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwProtectVirtualMemory(x,	x, x, x, x)
_VfZwProtectVirtualMemory@20 proc near	; DATA XREF: PAGEVRFD:00AABCBCo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_C]
		push	esi
		mov	esi, [ebp+4]
		mov	edx, esi
		call	_VfCheckPageProtection@8 ; VfCheckPageProtection(x,x)
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70D31
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70D31:				; CODE XREF: VfZwProtectVirtualMemory(x,x,x,x,x)+1Aj
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwProtectVirtualMemory
_VfZwProtectVirtualMemory@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwPulseEvent(x, x)
_VfZwPulseEvent@8 proc near		; DATA XREF: PAGEVRFD:00AABCD4o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70D52
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70D52:				; CODE XREF: VfZwPulseEvent(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwPulseEvent
_VfZwPulseEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryBootEntryOrder(x, x)
_VfZwQueryBootEntryOrder@8 proc	near	; DATA XREF: PAGEVRFD:00AABCECo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70D7F
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70D7F:				; CODE XREF: VfZwQueryBootEntryOrder(x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryBootEntryOrder
_VfZwQueryBootEntryOrder@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryBootOptions(x, x)
_VfZwQueryBootOptions@8	proc near	; DATA XREF: PAGEVRFD:00AABD04o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70DAD
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70DAD:				; CODE XREF: VfZwQueryBootOptions(x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryBootOptions
_VfZwQueryBootOptions@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryDefaultLocale(x, x)
_VfZwQueryDefaultLocale@8 proc near	; DATA XREF: PAGEVRFD:00AABD1Co

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70DCE
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70DCE:				; CODE XREF: VfZwQueryDefaultLocale(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwQueryDefaultLocale
_VfZwQueryDefaultLocale@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryDefaultUILanguage(x)
_VfZwQueryDefaultUILanguage@4 proc near	; DATA XREF: PAGEVRFD:00AABD34o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70DEE
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70DEE:				; CODE XREF: VfZwQueryDefaultUILanguage(x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwQueryDefaultUILanguage
_VfZwQueryDefaultUILanguage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryDirectoryFile(x, x, x, x, x, x, x,	x, x, x, x)
_VfZwQueryDirectoryFile@44 proc	near	; DATA XREF: PAGEVRFD:00AABD7Co

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_24		= dword	ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70E40
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_24]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)
		mov	ecx, esi
		call	_ViZwCheckApcRequirement@4 ; ViZwCheckApcRequirement(x)

loc_A70E40:				; CODE XREF: VfZwQueryDirectoryFile(x,x,x,x,x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryDirectoryFile
_VfZwQueryDirectoryFile@44 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryDirectoryObject(x,	x, x, x, x, x, x)
_VfZwQueryDirectoryObject@28 proc near	; DATA XREF: PAGEVRFD:00AABD94o

arg_4		= dword	ptr  0Ch
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70E78
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_18]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70E78:				; CODE XREF: VfZwQueryDirectoryObject(x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryDirectoryObject
_VfZwQueryDirectoryObject@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryDriverEntryOrder(x, x)
_VfZwQueryDriverEntryOrder@8 proc near	; DATA XREF: PAGEVRFD:00AABD4Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70EA6
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70EA6:				; CODE XREF: VfZwQueryDriverEntryOrder(x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryDriverEntryOrder
_VfZwQueryDriverEntryOrder@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryEaFile(x, x, x, x,	x, x, x, x, x)
_VfZwQueryEaFile@36 proc near		; DATA XREF: PAGEVRFD:00AABDACo

arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_1C		= dword	ptr  24h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70EDE
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_1C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70EDE:				; CODE XREF: VfZwQueryEaFile(x,x,x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryEaFile
_VfZwQueryEaFile@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryFullAttributesFile(x, x)
_VfZwQueryFullAttributesFile@8 proc near ; DATA	XREF: PAGEVRFD:00AABDC4o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70F0C
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70F0C:				; CODE XREF: VfZwQueryFullAttributesFile(x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryFullAttributesFile
_VfZwQueryFullAttributesFile@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryInformationEnlistment(x, x, x, x, x)
_VfZwQueryInformationEnlistment@20 proc	near ; DATA XREF: PAGEVRFD:00AAC3F4o

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70F3A
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70F3A:				; CODE XREF: VfZwQueryInformationEnlistment(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryInformationEnlistment
_VfZwQueryInformationEnlistment@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryInformationFile(x,	x, x, x, x)
_VfZwQueryInformationFile@20 proc near	; DATA XREF: PAGEVRFD:00AABDDCo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70F68
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70F68:				; CODE XREF: VfZwQueryInformationFile(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryInformationFile
_VfZwQueryInformationFile@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryInformationJobObject(x, x,	x, x, x)
_VfZwQueryInformationJobObject@20 proc near ; DATA XREF: PAGEVRFD:00AABDF4o

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70F96
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70F96:				; CODE XREF: VfZwQueryInformationJobObject(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryInformationJobObject
_VfZwQueryInformationJobObject@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryInformationProcess(x, x, x, x, x)
_VfZwQueryInformationProcess@20	proc near ; DATA XREF: PAGEVRFD:00AABE0Co

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70FC4
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70FC4:				; CODE XREF: VfZwQueryInformationProcess(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryInformationProcess
_VfZwQueryInformationProcess@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryInformationThread(x, x, x,	x, x)
_VfZwQueryInformationThread@20 proc near ; DATA	XREF: PAGEVRFD:00AABE24o

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A70FF2
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A70FF2:				; CODE XREF: VfZwQueryInformationThread(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryInformationThread
_VfZwQueryInformationThread@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryInformationToken(x, x, x, x, x)
_VfZwQueryInformationToken@20 proc near	; DATA XREF: PAGEVRFD:00AABE3Co

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71020
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71020:				; CODE XREF: VfZwQueryInformationToken(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryInformationToken
_VfZwQueryInformationToken@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryInformationTransaction(x, x, x, x,	x)
_VfZwQueryInformationTransaction@20 proc near ;	DATA XREF: PAGEVRFD:00AAC31Co

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7104E
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7104E:				; CODE XREF: VfZwQueryInformationTransaction(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryInformationTransaction
_VfZwQueryInformationTransaction@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryInformationTransactionManager(x, x, x, x, x)
_VfZwQueryInformationTransactionManager@20 proc	near ; DATA XREF: PAGEVRFD:00AAC2D4o

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7107C
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7107C:				; CODE XREF: VfZwQueryInformationTransactionManager(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryInformationTransactionManager
_VfZwQueryInformationTransactionManager@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryInstallUILanguage(x)
_VfZwQueryInstallUILanguage@4 proc near	; DATA XREF: PAGEVRFD:00AABD64o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7109D
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7109D:				; CODE XREF: VfZwQueryInstallUILanguage(x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwQueryInstallUILanguage
_VfZwQueryInstallUILanguage@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryKey(x, x, x, x, x)
_VfZwQueryKey@20 proc near		; DATA XREF: PAGEVRFD:00AABE54o

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A710CA
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A710CA:				; CODE XREF: VfZwQueryKey(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryKey
_VfZwQueryKey@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryLicenseValue(x, x,	x, x, x)
_VfZwQueryLicenseValue@20 proc near	; DATA XREF: PAGEVRFD:00AAC424o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7110C
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)

loc_A7110C:				; CODE XREF: VfZwQueryLicenseValue(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryLicenseValue
_VfZwQueryLicenseValue@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryObject(x, x, x, x,	x)
_VfZwQueryObject@20 proc near		; DATA XREF: PAGEVRFD:00AABE6Co

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7113A
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7113A:				; CODE XREF: VfZwQueryObject(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryObject
_VfZwQueryObject@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQuerySection(x,	x, x, x, x)
_VfZwQuerySection@20 proc near		; DATA XREF: PAGEVRFD:00AABE84o

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71168
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71168:				; CODE XREF: VfZwQuerySection(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQuerySection
_VfZwQuerySection@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQuerySecurityObject(x, x, x, x,	x)
_VfZwQuerySecurityObject@20 proc near	; DATA XREF: PAGEVRFD:00AABE9Co

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71196
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71196:				; CODE XREF: VfZwQuerySecurityObject(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQuerySecurityObject
_VfZwQuerySecurityObject@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQuerySymbolicLinkObject(x, x, x)
_VfZwQuerySymbolicLinkObject@12	proc near ; DATA XREF: PAGEVRFD:00AABEB4o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A711C4
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A711C4:				; CODE XREF: VfZwQuerySymbolicLinkObject(x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQuerySymbolicLinkObject
_VfZwQuerySymbolicLinkObject@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQuerySystemInformation(x, x, x,	x)
_VfZwQuerySystemInformation@16 proc near ; DATA	XREF: PAGEVRFD:00AABECCo

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A711F2
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A711F2:				; CODE XREF: VfZwQuerySystemInformation(x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQuerySystemInformation
_VfZwQuerySystemInformation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryValueKey(x, x, x, x, x, x)
_VfZwQueryValueKey@24 proc near		; DATA XREF: PAGEVRFD:00AABEE4o

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7122A
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7122A:				; CODE XREF: VfZwQueryValueKey(x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryValueKey
_VfZwQueryValueKey@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwQueryVolumeInformationFile(x, x, x, x, x)
_VfZwQueryVolumeInformationFile@20 proc	near ; DATA XREF: PAGEVRFD:00AABEFCo

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71258
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71258:				; CODE XREF: VfZwQueryVolumeInformationFile(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwQueryVolumeInformationFile
_VfZwQueryVolumeInformationFile@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwReadFile(x, x, x, x, x,	x, x, x, x)
_VfZwReadFile@36 proc near		; DATA XREF: PAGEVRFD:00AABF14o

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A712B5
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_1C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_20]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, esi
		call	_ViZwCheckApcRequirement@4 ; ViZwCheckApcRequirement(x)

loc_A712B5:				; CODE XREF: VfZwReadFile(x,x,x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwReadFile
_VfZwReadFile@36 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwRemoveIoCompletionEx(x,	x, x, x, x, x)
_VfZwRemoveIoCompletionEx@24 proc near	; DATA XREF: PAGEVRFD:00AAC28Co

arg_4		= dword	ptr  0Ch
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A712ED
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A712ED:				; CODE XREF: VfZwRemoveIoCompletionEx(x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwRemoveIoCompletionEx
_VfZwRemoveIoCompletionEx@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwReplaceKey(x, x, x)
_VfZwReplaceKey@12 proc	near		; DATA XREF: PAGEVRFD:00AABF2Co

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7131B
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A7131B:				; CODE XREF: VfZwReplaceKey(x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwReplaceKey
_VfZwReplaceKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwRequestWaitReplyPort(x,	x, x)
_VfZwRequestWaitReplyPort@12 proc near	; DATA XREF: PAGEVRFD:00AABF44o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71349
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71349:				; CODE XREF: VfZwRequestWaitReplyPort(x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwRequestWaitReplyPort
_VfZwRequestWaitReplyPort@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwResetEvent(x, x)
_VfZwResetEvent@8 proc near		; DATA XREF: PAGEVRFD:00AABF5Co

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7136A
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7136A:				; CODE XREF: VfZwResetEvent(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwResetEvent
_VfZwResetEvent@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwRestoreKey(x, x, x)
_VfZwRestoreKey@12 proc	near		; DATA XREF: PAGEVRFD:00AABF74o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		pop	ebp
		jmp	ds:_pXdvZwRestoreKey
_VfZwRestoreKey@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwRollbackEnlistment(x, x)
_VfZwRollbackEnlistment@8 proc near	; DATA XREF: PAGEVRFD:00AAC394o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71396
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71396:				; CODE XREF: VfZwRollbackEnlistment(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwRollbackEnlistment
_VfZwRollbackEnlistment@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetBootEntryOrder(x, x)
_VfZwSetBootEntryOrder@8 proc near	; DATA XREF: PAGEVRFD:00AABF8Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A713B6
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A713B6:				; CODE XREF: VfZwSetBootEntryOrder(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwSetBootEntryOrder
_VfZwSetBootEntryOrder@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetBootOptions(x, x)
_VfZwSetBootOptions@8 proc near		; DATA XREF: PAGEVRFD:00AABFA4o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A713D6
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A713D6:				; CODE XREF: VfZwSetBootOptions(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwSetBootOptions
_VfZwSetBootOptions@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetDriverEntryOrder(x, x)
_VfZwSetDriverEntryOrder@8 proc	near	; DATA XREF: PAGEVRFD:00AABFBCo

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A713F6
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A713F6:				; CODE XREF: VfZwSetDriverEntryOrder(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwSetDriverEntryOrder
_VfZwSetDriverEntryOrder@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetEaFile(x, x,	x, x)
_VfZwSetEaFile@16 proc near		; DATA XREF: PAGEVRFD:00AABFD4o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71423
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71423:				; CODE XREF: VfZwSetEaFile(x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwSetEaFile
_VfZwSetEaFile@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetEvent(x, x)
_VfZwSetEvent@8	proc near		; DATA XREF: PAGEVRFD:00AABFECo

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71444
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71444:				; CODE XREF: VfZwSetEvent(x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwSetEvent
_VfZwSetEvent@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetInformationEnlistment(x, x, x, x)
_VfZwSetInformationEnlistment@16 proc near ; DATA XREF:	PAGEVRFD:00AAC40Co

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71464
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_8]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71464:				; CODE XREF: VfZwSetInformationEnlistment(x,x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwSetInformationEnlistment
_VfZwSetInformationEnlistment@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetInformationFile(x, x, x, x, x)
_VfZwSetInformationFile@20 proc	near	; DATA XREF: PAGEVRFD:00AAC004o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71491
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71491:				; CODE XREF: VfZwSetInformationFile(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwSetInformationFile
_VfZwSetInformationFile@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetInformationJobObject(x, x, x, x)
_VfZwSetInformationJobObject@16	proc near ; DATA XREF: PAGEVRFD:00AAC01Co

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A714B2
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_8]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A714B2:				; CODE XREF: VfZwSetInformationJobObject(x,x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwSetInformationJobObject
_VfZwSetInformationJobObject@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetInformationObject(x,	x, x, x)
_VfZwSetInformationObject@16 proc near	; DATA XREF: PAGEVRFD:00AAC034o

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A714D2
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_8]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A714D2:				; CODE XREF: VfZwSetInformationObject(x,x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwSetInformationObject
_VfZwSetInformationObject@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetInformationProcess(x, x, x, x)
_VfZwSetInformationProcess@16 proc near	; DATA XREF: PAGEVRFD:00AAC04Co

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A714F2
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_8]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A714F2:				; CODE XREF: VfZwSetInformationProcess(x,x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwSetInformationProcess
_VfZwSetInformationProcess@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetInformationThread(x,	x, x, x)
_VfZwSetInformationThread@16 proc near	; DATA XREF: PAGEVRFD:00AAC064o

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71512
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_8]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71512:				; CODE XREF: VfZwSetInformationThread(x,x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwSetInformationThread
_VfZwSetInformationThread@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetInformationTransaction(x, x,	x, x)
_VfZwSetInformationTransaction@16 proc near ; DATA XREF: PAGEVRFD:00AAC334o

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71532
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_8]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71532:				; CODE XREF: VfZwSetInformationTransaction(x,x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwSetInformationTransaction
_VfZwSetInformationTransaction@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetSecurityObject(x, x,	x)
_VfZwSetSecurityObject@12 proc near	; DATA XREF: PAGEVRFD:00AAC07Co

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71552
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_8]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71552:				; CODE XREF: VfZwSetSecurityObject(x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwSetSecurityObject
_VfZwSetSecurityObject@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetSystemInformation(x,	x, x)
_VfZwSetSystemInformation@12 proc near	; DATA XREF: PAGEVRFD:00AAC094o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71572
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_4]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71572:				; CODE XREF: VfZwSetSystemInformation(x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwSetSystemInformation
_VfZwSetSystemInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetSystemTime(x, x)
_VfZwSetSystemTime@8 proc near		; DATA XREF: PAGEVRFD:00AAC0ACo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7159F
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7159F:				; CODE XREF: VfZwSetSystemTime(x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwSetSystemTime
_VfZwSetSystemTime@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetTimer(x, x, x, x, x,	x, x)
_VfZwSetTimer@28 proc near		; DATA XREF: PAGEVRFD:00AAC0C4o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_18		= dword	ptr  20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A715E1
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_18]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A715E1:				; CODE XREF: VfZwSetTimer(x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwSetTimer
_VfZwSetTimer@28 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetValueKey(x, x, x, x,	x, x)
_VfZwSetValueKey@24 proc near		; DATA XREF: PAGEVRFD:00AAC0DCo

arg_4		= dword	ptr  0Ch
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7160F
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7160F:				; CODE XREF: VfZwSetValueKey(x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwSetValueKey
_VfZwSetValueKey@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwSetVolumeInformationFile(x, x, x, x, x)
_VfZwSetVolumeInformationFile@20 proc near ; DATA XREF:	PAGEVRFD:00AAC0F4o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A7163D
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A7163D:				; CODE XREF: VfZwSetVolumeInformationFile(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwSetVolumeInformationFile
_VfZwSetVolumeInformationFile@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwTranslateFilePath(x, x,	x, x)
_VfZwTranslateFilePath@16 proc near	; DATA XREF: PAGEVRFD:00AAC10Co

arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71675
		mov	ecx, [ebp+arg_0]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71675:				; CODE XREF: VfZwTranslateFilePath(x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwTranslateFilePath
_VfZwTranslateFilePath@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwUnloadDriver(x)
_VfZwUnloadDriver@4 proc near		; DATA XREF: PAGEVRFD:00AAC124o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71696
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)

loc_A71696:				; CODE XREF: VfZwUnloadDriver(x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwUnloadDriver
_VfZwUnloadDriver@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwUnloadKey(x)
_VfZwUnloadKey@4 proc near		; DATA XREF: PAGEVRFD:00AAC13Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A716B6
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_0]
		call	_ViZwCheckObjectAttributes@8 ; ViZwCheckObjectAttributes(x,x)

loc_A716B6:				; CODE XREF: VfZwUnloadKey(x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwUnloadKey
_VfZwUnloadKey@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwWaitForMultipleObjects(x, x, x,	x, x)
_VfZwWaitForMultipleObjects@20 proc near ; DATA	XREF: PAGEVRFD:00AAC154o

arg_4		= dword	ptr  0Ch
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A716E3
		mov	ecx, [ebp+arg_4]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A716E3:				; CODE XREF: VfZwWaitForMultipleObjects(x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwWaitForMultipleObjects
_VfZwWaitForMultipleObjects@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwWaitForSingleObject(x, x, x)
_VfZwWaitForSingleObject@12 proc near	; DATA XREF: PAGEVRFD:00AAC16Co

arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71704
		mov	edx, [ebp+4]
		mov	ecx, [ebp+arg_8]
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)

loc_A71704:				; CODE XREF: VfZwWaitForSingleObject(x,x,x)+Cj
		pop	ebp
		jmp	ds:_pXdvZwWaitForSingleObject
_VfZwWaitForSingleObject@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfZwWriteFile(x, x,	x, x, x, x, x, x, x)
_VfZwWriteFile@36 proc near		; DATA XREF: PAGEVRFD:00AAC184o

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+4]
		call	_ViZwShouldCheck@0 ; ViZwShouldCheck()
		test	eax, eax
		jz	short loc_A71760
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_10]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_14]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_1C]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [ebp+arg_20]
		mov	edx, esi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, esi
		call	_ViZwCheckApcRequirement@4 ; ViZwCheckApcRequirement(x)

loc_A71760:				; CODE XREF: VfZwWriteFile(x,x,x,x,x,x,x,x,x)+10j
		pop	esi
		pop	ebp
		jmp	ds:_pXdvZwWriteFile
_VfZwWriteFile@36 endp


;  S U B	R O U T	I N E 


; __stdcall ViZwCheckApcRequirement(x)
_ViZwCheckApcRequirement@4 proc	near	; CODE XREF: VfZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)+46p
					; VfZwFsControlFile(x,x,x,x,x,x,x,x,x,x)+46p ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	_MmVerifierData, 100h
		mov	bl, al
		jz	short loc_A717AF
		test	bl, bl
		jnz	short loc_A7178F
		call	_KeAreAllApcsDisabled@0	; KeAreAllApcsDisabled()
		test	al, al
		jz	short loc_A717AF

loc_A7178F:				; CODE XREF: ViZwCheckApcRequirement(x)+1Cj
		mov	eax, large fs:124h
		mov	edx, 0E6h
		movsx	eax, word ptr [eax+13Eh]
		lea	ecx, [edx-22h]
		push	eax
		movzx	eax, bl
		push	eax
		push	esi
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A717AF:				; CODE XREF: ViZwCheckApcRequirement(x)+18j
					; ViZwCheckApcRequirement(x)+25j
		pop	esi
		pop	ebx
		retn
_ViZwCheckApcRequirement@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViZwCheckObjectAttributes(x, x)
_ViZwCheckObjectAttributes@8 proc near	; CODE XREF: VfZwAlpcAcceptConnectPort(x,x,x,x,x,x,x,x,x)+3Fp
					; VfZwAlpcConnectPort(x,x,x,x,x,x,x,x,x,x,x)+67p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_A717E3
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [esi+8]
		mov	edx, edi
		call	_ViZwCheckUnicodeString@8 ; ViZwCheckUnicodeString(x,x)
		mov	ecx, [esi+10h]
		mov	edx, edi
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ecx, [esi+14h]
		mov	edx, edi
		pop	edi
		pop	esi
		jmp	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
; 

loc_A717E3:				; CODE XREF: ViZwCheckObjectAttributes(x,x)+Aj
		pop	edi
		pop	esi
		retn
_ViZwCheckObjectAttributes@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViZwCheckUnicodeString(x, x)
_ViZwCheckUnicodeString@8 proc near	; CODE XREF: VfZwAccessCheckAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x)+17p
					; VfZwAccessCheckAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x)+21p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		test	esi, esi
		jz	short loc_A7183F
		push	ebx
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		mov	ebx, [esi+4]
		mov	edx, edi
		mov	ecx, ebx
		call	_ViZwCheckVirtualAddress@8 ; ViZwCheckVirtualAddress(x,x)
		test	_MmVerifierData, 100h
		movzx	ecx, word ptr [esi]
		lea	eax, [ebx+ecx]
		jz	short loc_A7183E
		cmp	eax, ebx
		jb	short loc_A7182D
		movzx	eax, word ptr [esi+2]
		cmp	ax, cx
		jb	short loc_A7182D
		or	eax, ecx
		xor	ecx, ecx
		bt	ax, cx
		jnb	short loc_A7183E

loc_A7182D:				; CODE XREF: ViZwCheckUnicodeString(x,x)+32j
					; ViZwCheckUnicodeString(x,x)+3Bj
		push	0
		mov	edx, 0E4h
		push	esi
		push	edi
		lea	ecx, [edx-20h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A7183E:				; CODE XREF: ViZwCheckUnicodeString(x,x)+2Ej
					; ViZwCheckUnicodeString(x,x)+45j
		pop	ebx

loc_A7183F:				; CODE XREF: ViZwCheckUnicodeString(x,x)+Aj
		pop	edi
		pop	esi
		retn
_ViZwCheckUnicodeString@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViZwCheckVirtualAddress(x, x)
_ViZwCheckVirtualAddress@8 proc	near	; CODE XREF: VfZwAccessCheckAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x)+35p
					; VfZwAccessCheckAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x)+3Fp ...
		test	ecx, ecx
		jz	short locret_A7186B
		test	_MmVerifierData, 100h
		jz	short locret_A7186B
		cmp	ecx, ds:_MmHighestUserAddress
		jnb	short locret_A7186B
		push	0
		push	ecx
		push	edx
		mov	edx, 0E3h
		lea	ecx, [edx-1Fh]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

locret_A7186B:				; CODE XREF: ViZwCheckVirtualAddress(x,x)+2j
					; ViZwCheckVirtualAddress(x,x)+Ej ...
		retn
_ViZwCheckVirtualAddress@8 endp


;  S U B	R O U T	I N E 


; __stdcall ViZwShouldCheck()
_ViZwShouldCheck@0 proc	near		; CODE XREF: VfZwAccessCheckAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x)+9p
					; VfZwAddBootEntry(x,x)+9p ...
		xor	ecx, ecx
		test	_MmVerifierData, 100h
		jz	short loc_A7189D
		mov	eax, large fs:124h
		mov	edx, ds:_PsInitialSystemProcess
		mov	eax, [eax+80h]
		test	edx, edx
		jz	short loc_A7189D
		cmp	eax, edx
		jz	short loc_A7189D
		cmp	eax, ds:_PsIdleProcess
		jz	short loc_A7189D
		inc	ecx

loc_A7189D:				; CODE XREF: ViZwShouldCheck()+Cj
					; ViZwShouldCheck()+22j ...
		mov	eax, ecx
		retn
_ViZwShouldCheck@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfAddVerifierEntry(x)
_VfAddVerifierEntry@4 proc near		; CODE XREF: PAGE:007B3E50p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], ebx
		push	edi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		cmp	_VfSafeMode, ebx
		jz	short loc_A718C7
		mov	esi, 0C000035Fh
		jmp	short loc_A71937
; 

loc_A718C7:				; CODE XREF: VfAddVerifierEntry(x)+1Ej
		call	_VfDriverLock@0	; VfDriverLock()
		xor	edx, edx
		call	_VfInitSystemNoRebootNeeded@8 ;	VfInitSystemNoRebootNeeded(x,x)
		push	ebx
		push	offset _ViDriversLoadLock
		mov	_ViDriversLoadLockOwner, ebx
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		push	offset ??_C@_13BBDEGPLJ@?$AA?$CK@JKADOLAD@
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_A7190B
		call	_MmEnableVerifierAllDrivers@0 ;	MmEnableVerifierAllDrivers()
		mov	esi, eax
		jmp	short loc_A71937
; 

loc_A7190B:				; CODE XREF: VfAddVerifierEntry(x)+60j
		mov	ecx, esi
		call	_VfSuspectDriversAllocateEntry@4 ; VfSuspectDriversAllocateEntry(x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_A7191F
		mov	esi, 0C000009Ah
		jmp	short loc_A71937
; 

loc_A7191F:				; CODE XREF: VfAddVerifierEntry(x)+76j
		lea	edx, [ebp+var_4]
		mov	ecx, edi
		call	_MmEnableVerifierForDriver@8 ; MmEnableVerifierForDriver(x,x)
		mov	esi, eax
		cmp	[ebp+var_4], ebx
		jnz	short loc_A71937
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A71937:				; CODE XREF: VfAddVerifierEntry(x)+25j
					; VfAddVerifierEntry(x)+69j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_VfAddVerifierEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfGetVerifierInformation(x,	x, x, x)
_VfGetVerifierInformation@16 proc near	; CODE XREF: PAGE:00780152p
					; PAGE:007801C3p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		push	14h
		push	offset dword_6A9BB8
		call	__SEH_prolog4
		mov	esi, edx
		mov	[ebp+var_1C], ecx
		mov	ebx, [ebp+arg_0]
		and	dword ptr [ebx], 0
		mov	eax, 0A00000h
		cmp	esi, eax
		jbe	short loc_A71960
		mov	esi, eax

loc_A71960:				; CODE XREF: VfGetVerifierInformation(x,x,x,x)+1Ej
		push	706D5456h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_24], edi
		test	edi, edi
		jnz	short loc_A71980
		mov	ebx, 0C0000017h
		jmp	short loc_A719EE
; 

loc_A71980:				; CODE XREF: VfGetVerifierInformation(x,x,x,x)+39j
		mov	ecx, esi
		mov	eax, edi
		test	esi, esi
		jz	short loc_A71991

loc_A71988:				; CODE XREF: VfGetVerifierInformation(x,x,x,x)+51j
		mov	byte ptr [eax],	0
		inc	eax
		sub	ecx, 1
		jnz	short loc_A71988

loc_A71991:				; CODE XREF: VfGetVerifierInformation(x,x,x,x)+48j
		push	[ebp+arg_4]
		push	[ebp+var_1C]
		push	ebx
		mov	edx, esi
		mov	ecx, edi
		call	_VfSuspectDriversGetVerifierInformation@20 ; VfSuspectDriversGetVerifierInformation(x,x,x,x,x)
		mov	ebx, eax
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		cmp	eax, esi
		ja	short loc_A719AE
		mov	esi, eax

loc_A719AE:				; CODE XREF: VfGetVerifierInformation(x,x,x,x)+6Cj
		and	[ebp+ms_exc.disabled], 0
		push	esi		; size_t
		push	edi		; void *
		push	[ebp+var_1C]	; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		jmp	short loc_A719E6
; 

loc_A719C8:				; DATA XREF: .text:006A9BCCo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_20], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A719D6:				; DATA XREF: .text:006A9BD0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	ebx, [ebp+var_20]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	edi, [ebp+var_24]

loc_A719E6:				; CODE XREF: VfGetVerifierInformation(x,x,x,x)+88j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A719EE:				; CODE XREF: VfGetVerifierInformation(x,x,x,x)+40j
		mov	eax, ebx
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_VfGetVerifierInformation@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfGetVerifierInformationEx(x)
_VfGetVerifierInformationEx@4 proc near	; CODE XREF: PAGE:00780226p

var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6A9B98
		call	__SEH_prolog4
		mov	edx, ecx
		and	[ebp+ms_exc.disabled], 0
		push	9
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		mov	eax, _VfVerifyMode
		mov	[edx], eax
		mov	eax, dword_6C6EA8
		mov	[edx+4], eax
		imul	eax, _VfWdCancelTimeoutTicks, 3E8h
		mov	[edx+10h], eax
		mov	eax, ds:_XdvEnabled
		mov	[edx+14h], eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		xor	eax, eax
		jmp	short loc_A71A67
; 

loc_A71A4C:				; DATA XREF: .text:006A9BACo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_1C], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A71A5A:				; DATA XREF: .text:006A9BB0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_1C]

loc_A71A67:				; CODE XREF: VfGetVerifierInformationEx(x)+48j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VfGetVerifierInformationEx@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfRemoveVerifierEntry(x)
_VfRemoveVerifierEntry@4 proc near	; CODE XREF: PAGE:007B3E47p
		mov	edi, edi
		push	ecx
		cmp	_ViVerifierDriverAddedThunkListHead, 0
		jnz	short loc_A71A8A
		mov	eax, 0C00000BBh
		pop	ecx
		retn
; 

loc_A71A8A:				; CODE XREF: VfRemoveVerifierEntry(x)+Aj
		call	_VfSuspectDriversRemove@4 ; VfSuspectDriversRemove(x)
		pop	ecx
		retn
_VfRemoveVerifierEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfSetVerifierInformation(x,	x, x)
_VfSetVerifierInformation@12 proc near	; CODE XREF: PAGE:007B3D9Dp
					; VfFaultsSetParameters(x)+1Dp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h
arg_0		= byte ptr  8

		push	1Ch
		push	offset dword_6A9BD8
		call	__SEH_prolog4
		mov	ebx, ecx
		cmp	edx, 4
		jnb	short loc_A71AAE
		mov	eax, 0C0000004h
		jmp	loc_A71B9D
; 

loc_A71AAE:				; CODE XREF: VfSetVerifierInformation(x,x,x)+11j
		cmp	_VfSafeMode, 0
		jz	short loc_A71AC1
		mov	eax, 0C000035Fh
		jmp	loc_A71B9D
; 

loc_A71AC1:				; CODE XREF: VfSetVerifierInformation(x,x,x)+24j
		cmp	[ebp+arg_0], 0
		jz	short loc_A71ACE
		mov	esi, [ebx]
		mov	[ebp+var_20], esi
		jmp	short loc_A71ADE
; 

loc_A71ACE:				; CODE XREF: VfSetVerifierInformation(x,x,x)+34j
		and	[ebp+ms_exc.disabled], 0
		mov	esi, [ebx]
		mov	[ebp+var_20], esi
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A71ADE:				; CODE XREF: VfSetVerifierInformation(x,x,x)+3Bj
		call	_VfDriverLock@0	; VfDriverLock()
		cmp	_MmVerifierData, 0
		jnz	short loc_A71AF3
		and	_MmVerifyDriverLevel, 0

loc_A71AF3:				; CODE XREF: VfSetVerifierInformation(x,x,x)+59j
		xor	edx, edx
		call	_VfInitSystemNoRebootNeeded@8 ;	VfInitSystemNoRebootNeeded(x,x)
		mov	edx, _VerifierModifyableOptions
		and	edx, esi
		not	esi
		and	esi, _VerifierModifyableOptions
		mov	ecx, _MmVerifierData
		mov	edi, ecx
		or	edi, edx
		mov	eax, esi
		not	eax
		and	edi, eax
		and	[ebp+var_1C], 0
		cmp	edi, ecx
		jz	short loc_A71B67
		push	edi
		push	esi
		call	_VfSettingsCheckForChanges@16 ;	VfSettingsCheckForChanges(x,x,x,x)
		xor	eax, eax
		inc	eax
		add	dword_6C6EA8, eax
		mov	_MmVerifierData, edi
		cmp	[ebp+arg_0], 0
		jz	short loc_A71B42
		mov	[ebx], edi
		jmp	short loc_A71B67
; 

loc_A71B42:				; CODE XREF: VfSetVerifierInformation(x,x,x)+ABj
		mov	[ebp+ms_exc.disabled], eax
		mov	[ebx], edi
		jmp	short loc_A71B60
; 

loc_A71B49:				; DATA XREF: .text:006A9BF8o
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A71B57:				; DATA XREF: .text:006A9BFCo
		mov	esp, [ebp+ms_exc.old_esp]
		mov	eax, [ebp+var_24]
		mov	[ebp+var_1C], eax

loc_A71B60:				; CODE XREF: VfSetVerifierInformation(x,x,x)+B6j
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh

loc_A71B67:				; CODE XREF: VfSetVerifierInformation(x,x,x)+8Fj
					; VfSetVerifierInformation(x,x,x)+AFj
		mov	_ViDriversLoadLockOwner, 0
		push	0
		push	offset _ViDriversLoadLock
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		mov	eax, [ebp+var_1C]
		jmp	short loc_A71B9D
; 

loc_A71B82:				; DATA XREF: .text:006A9BECo
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_28], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A71B90:				; DATA XREF: .text:006A9BF0o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_28]

loc_A71B9D:				; CODE XREF: VfSetVerifierInformation(x,x,x)+18j
					; VfSetVerifierInformation(x,x,x)+2Bj ...
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_VfSetVerifierInformation@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfSetVerifierInformationEx(x)
_VfSetVerifierInformationEx@4 proc near	; CODE XREF: PAGE:007B3DD0p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
ms_exc		= CPPEH_RECORD ptr -18h

		push	28h
		push	offset dword_6A9B78
		call	__SEH_prolog4
		mov	esi, ecx
		xor	eax, eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+ms_exc.disabled], eax
		mov	eax, [esi]
		mov	[ebp+var_20], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_1C], eax
		mov	edx, eax
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	ecx, [ebp+var_20]
		test	ecx, ecx
		jz	short loc_A71BEE
		call	_VfSetVerifierRunningMode@4 ; VfSetVerifierRunningMode(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A71C6C

loc_A71BEE:				; CODE XREF: VfSetVerifierInformationEx(x)+32j
		test	edx, edx
		jz	short loc_A71C06
		lea	ecx, [edx+1]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, edx
		call	_VfWdSetCancelTimeout@4	; VfWdSetCancelTimeout(x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A71C6C

loc_A71C06:				; CODE XREF: VfSetVerifierInformationEx(x)+41j
		inc	dword_6C6EA8
		push	200h
		lea	edx, [esi+8]
		lea	ecx, [ebp+var_2C]
		call	_VfProbeAndCaptureUnicodeString@12 ; VfProbeAndCaptureUnicodeString(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A71C6C
		call	_VfDriverLock@0	; VfDriverLock()
		mov	esi, dword_6C6EB0
		mov	[ebp+var_34], esi
		mov	ebx, dword_6C6EB4
		mov	[ebp+var_30], ebx
		mov	eax, [ebp+var_2C]
		mov	dword_6C6EB0, eax
		mov	eax, [ebp+var_28]
		mov	dword_6C6EB4, eax
		mov	_ViDriversLoadLockOwner, 0
		push	0
		push	offset _ViDriversLoadLock
		call	_KeReleaseMutex@8 ; KeReleaseMutex(x,x)
		test	si, si
		jz	short loc_A71C6C
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A71C6C:				; CODE XREF: VfSetVerifierInformationEx(x)+3Dj
					; VfSetVerifierInformationEx(x)+55j ...
		mov	eax, edi
		jmp	short loc_A71C8B
; 

loc_A71C70:				; DATA XREF: .text:006A9B8Co
		mov	eax, [ebp+ms_exc.exc_ptr]
		mov	eax, [eax]
		mov	eax, [eax]
		mov	[ebp+var_24], eax
		xor	eax, eax
		inc	eax
		retn
; 

loc_A71C7E:				; DATA XREF: .text:006A9B90o
		mov	esp, [ebp+ms_exc.old_esp]
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	eax, [ebp+var_24]

loc_A71C8B:				; CODE XREF: VfSetVerifierInformationEx(x)+BFj
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VfSetVerifierInformationEx@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExAllocatePoolSanityChecks(x, x, x,	x)
_ExAllocatePoolSanityChecks@16 proc near
					; CODE XREF: VeAllocatePoolWithTagPriority(x,x,x,x,x)+70p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	eax, edx
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_4], eax
		mov	ecx, 0FFFFFF7Fh
		mov	edi, [esi]
		test	edi, edi
		jnz	short loc_A71CE0
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A71CD8
		push	[ebp+arg_4]
		mov	edx, 9Bh
		push	eax
		mov	eax, ebx
		and	eax, ecx
		push	eax
		lea	ecx, [edx+27h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A71CD8:				; CODE XREF: ExAllocatePoolSanityChecks(x,x,x,x)+25j
		mov	dword ptr [esi], 30646142h
		jmp	short loc_A71D42
; 

loc_A71CE0:				; CODE XREF: ExAllocatePoolSanityChecks(x,x,x,x)+1Cj
		cmp	edi, 20474942h
		jnz	short loc_A71D0F
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A71D07
		push	[ebp+arg_4]
		mov	edx, 9Ch
		push	eax
		mov	eax, ebx
		and	eax, ecx
		push	eax
		lea	ecx, [edx+26h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A71D07:				; CODE XREF: ExAllocatePoolSanityChecks(x,x,x,x)+54j
		mov	dword ptr [esi], 31646142h
		jmp	short loc_A71D42
; 

loc_A71D0F:				; CODE XREF: ExAllocatePoolSanityChecks(x,x,x,x)+4Bj
		mov	ecx, edi
		call	_ExpIsPoolTagPrintable@4 ; ExpIsPoolTagPrintable(x)
		test	eax, eax
		jnz	short loc_A71D42
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A71D3C
		push	[ebp+arg_4]
		mov	eax, ebx
		mov	edx, 9Dh
		and	eax, 0FFFFFF7Fh
		push	eax
		push	edi
		lea	ecx, [edx+25h]
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A71D3C:				; CODE XREF: ExAllocatePoolSanityChecks(x,x,x,x)+86j
		mov	dword ptr [esi], 32646142h

loc_A71D42:				; CODE XREF: ExAllocatePoolSanityChecks(x,x,x,x)+43j
					; ExAllocatePoolSanityChecks(x,x,x,x)+72j ...
		mov	edi, [ebp+var_4]
		mov	esi, ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		test	edi, edi
		jnz	short loc_A71D74
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A71D74
		mov	eax, ebx
		push	0
		and	eax, 0FFFFFF7Fh
		push	eax
		call	esi
		movzx	eax, al
		xor	edx, edx
		push	eax
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A71D74:				; CODE XREF: ExAllocatePoolSanityChecks(x,x,x,x)+B2j
					; ExAllocatePoolSanityChecks(x,x,x,x)+BBj
		call	esi
		test	bl, 1
		jnz	short loc_A71D9B
		cmp	al, 2
		jbe	short loc_A71DC3
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A71DC3
		push	edi
		and	ebx, 0FFFFFF7Fh
		push	ebx
		call	esi
		movzx	eax, al
		push	eax
		push	2
		pop	edx
		jmp	short loc_A71DB9
; 

loc_A71D9B:				; CODE XREF: ExAllocatePoolSanityChecks(x,x,x,x)+DEj
		cmp	al, 1
		jbe	short loc_A71DC3
		test	byte ptr _MmVerifierData, 1
		jz	short loc_A71DC3
		push	edi
		and	ebx, 0FFFFFF7Fh
		push	ebx
		call	esi
		movzx	eax, al
		xor	edx, edx
		push	eax
		inc	edx

loc_A71DB9:				; CODE XREF: ExAllocatePoolSanityChecks(x,x,x,x)+FEj
		mov	ecx, 0C4h
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A71DC3:				; CODE XREF: ExAllocatePoolSanityChecks(x,x,x,x)+E2j
					; ExAllocatePoolSanityChecks(x,x,x,x)+EBj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_ExAllocatePoolSanityChecks@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExFreePoolSanityChecks(x)
_ExFreePoolSanityChecks@4 proc near	; CODE XREF: VerifierExFreePool(x)+36p
					; VerifierExFreePoolWithTag(x,x)+38p

var_2		= byte ptr -2
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ecx
		call	_KevSkipVerification@0 ; KevSkipVerification()
		test	eax, eax
		jnz	loc_A71EEB
		push	esi
		xor	esi, esi
		push	edi
		mov	edi, 0C4h
		cmp	ebx, ds:_MmHighestUserAddress
		ja	short loc_A71DFE
		push	esi
		push	esi
		push	ebx
		push	10h
		pop	edx
		mov	ecx, edi
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A71DFE:				; CODE XREF: ExFreePoolSanityChecks(x)+25j
		mov	eax, _ExpSpecialAllocations
		test	eax, eax
		jz	short loc_A71E16
		mov	ecx, ebx
		call	_ExIsSpecialPoolAddress@4 ; ExIsSpecialPoolAddress(x)
		test	eax, eax
		jnz	loc_A71EE9

loc_A71E16:				; CODE XREF: ExFreePoolSanityChecks(x)+3Bj
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		mov	dl, al
		mov	[ebp+var_1], dl
		test	ebx, 0FFFh
		jnz	short loc_A71E60
		mov	ecx, ebx
		call	_MmDeterminePoolType@4 ; MmDeterminePoolType(x)
		test	al, 1
		jnz	short loc_A71E4A
		cmp	dl, 2
		jbe	loc_A71EE9
		push	ebx
		push	eax
		movzx	eax, dl
		push	eax
		push	12h
		jmp	loc_A71EE1
; 

loc_A71E4A:				; CODE XREF: ExFreePoolSanityChecks(x)+68j
		cmp	dl, 1
		jbe	loc_A71EE9
		push	ebx
		push	eax
		movzx	eax, dl
		push	eax
		push	11h
		jmp	loc_A71EE1
; 

loc_A71E60:				; CODE XREF: ExFreePoolSanityChecks(x)+5Dj
		test	bl, 7
		jz	short loc_A71E76
		push	esi
		push	ebx
		push	15A9h
		push	16h
		pop	edx
		mov	ecx, edi
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A71E76:				; CODE XREF: ExFreePoolSanityChecks(x)+99j
		lea	esi, [ebx-8]
		movzx	eax, word ptr [esi+2]
		mov	ecx, eax
		test	eax, 600h
		jnz	short loc_A71E9C
		push	dword ptr [esi]
		mov	ecx, edi
		push	esi
		push	15B3h
		push	13h
		pop	edx
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)
		movzx	ecx, word ptr [esi+2]

loc_A71E9C:				; CODE XREF: ExFreePoolSanityChecks(x)+BAj
		mov	al, [ebp+var_1]
		shr	ecx, 9
		and	ecx, 3
		test	cl, 1
		jz	short loc_A71EB8
		cmp	al, 1
		jbe	short loc_A71ECC
		push	ebx
		push	ecx
		movzx	eax, al
		push	eax
		push	11h
		jmp	short loc_A71EC4
; 

loc_A71EB8:				; CODE XREF: ExFreePoolSanityChecks(x)+DEj
		cmp	al, 2
		jbe	short loc_A71ECC
		push	ebx
		push	ecx
		movzx	eax, al
		push	eax
		push	12h

loc_A71EC4:				; CODE XREF: ExFreePoolSanityChecks(x)+ECj
		pop	edx
		mov	ecx, edi
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A71ECC:				; CODE XREF: ExFreePoolSanityChecks(x)+E2j
					; ExFreePoolSanityChecks(x)+F0j
		mov	eax, 400h
		test	[esi+2], ax
		jnz	short loc_A71EE9
		push	0
		push	esi
		push	15D0h
		push	14h

loc_A71EE1:				; CODE XREF: ExFreePoolSanityChecks(x)+7Bj
					; ExFreePoolSanityChecks(x)+91j
		pop	edx
		mov	ecx, edi
		call	_VerifierBugCheckIfAppropriate@20 ; VerifierBugCheckIfAppropriate(x,x,x,x,x)

loc_A71EE9:				; CODE XREF: ExFreePoolSanityChecks(x)+46j
					; ExFreePoolSanityChecks(x)+6Dj ...
		pop	edi
		pop	esi

loc_A71EEB:				; CODE XREF: ExFreePoolSanityChecks(x)+10j
		pop	ebx
		leave
		retn
_ExFreePoolSanityChecks@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpIsPoolTagPrintable(x)
_ExpIsPoolTagPrintable@4 proc near	; CODE XREF: ExAllocatePoolSanityChecks(x,x,x,x)+76p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		push	edi
		mov	edi, esi
		mov	ecx, esi

loc_A71EFF:				; CODE XREF: ExpIsPoolTagPrintable(x)+3Aj
		mov	edx, ebx
		shr	edx, cl
		lea	eax, [edx-61h]
		cmp	al, 19h
		ja	short loc_A71F0D
		sub	dl, 20h

loc_A71F0D:				; CODE XREF: ExpIsPoolTagPrintable(x)+1Aj
		cmp	dl, 41h
		jb	short loc_A71F17
		cmp	dl, 5Ah
		jbe	short loc_A71F2C

loc_A71F17:				; CODE XREF: ExpIsPoolTagPrintable(x)+22j
		cmp	dl, 30h
		jb	short loc_A71F21
		cmp	dl, 39h
		jbe	short loc_A71F2C

loc_A71F21:				; CODE XREF: ExpIsPoolTagPrintable(x)+2Cj
		add	ecx, 8
		inc	edi
		cmp	ecx, 20h
		jb	short loc_A71EFF
		jmp	short loc_A71F2F
; 

loc_A71F2C:				; CODE XREF: ExpIsPoolTagPrintable(x)+27j
					; ExpIsPoolTagPrintable(x)+31j
		xor	esi, esi
		inc	esi

loc_A71F2F:				; CODE XREF: ExpIsPoolTagPrintable(x)+3Cj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_ExpIsPoolTagPrintable@4 endp

; 
		align 100h
PAGEVRFY	ends

; Section 14. (virtual address 00672000)
; Virtual size			: 00001EAD (   7853.)
; Section size in file		: 00002000 (   8192.)
; Offset to raw	data for section: 0060D200
; Flags	60000020: Text Executable Readable
; Alignment	: default
; 

; Segment type:	Pure code
; Segment permissions: Read/Execute
PAGEHDLS	segment	para public 'CODE' use32
		assume cs:PAGEHDLS
		;org 0A72000h
		assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

??_C@_04FAHFFIM@?$BL?$FL0K@CIFEBFPJ@:	; DATA XREF: HdlspDispatch(x,x,x,x,x):loc_A7304Ao
		sbb	ebx, [ebx+30h]
		dec	ebx
		add	ah, cl

??_C@_04MGNJNGKI@?$BL?$FL0m@CIFEBFPJ@:	; DATA XREF: HdlspDispatch(x,x,x,x,x):loc_A73043o
		sbb	ebx, [ebx+30h]
		insd
		add	ah, cl

??_C@_04BPJILAKD@?$BL?$FL2J@CIFEBFPJ@:	; DATA XREF: HdlspDispatch(x,x,x,x,x):loc_A73058o
					; HdlspEnableTerminal(x):loc_A731E9o
		sbb	ebx, [ebx+32h]
		dec	edx
		add	ah, cl

??_C@_04BMBMGEMN@?$BL?$FL0J@CIFEBFPJ@:	; DATA XREF: HdlspDispatch(x,x,x,x,x):loc_A73051o
		sbb	ebx, [ebx+30h]
		dec	edx
		add	ah, cl

??_C@_06MJDCIMPN@reboot@CIFEBFPJ@:	; DATA XREF: HdlspDispatch(x,x,x,x,x)+167o
		jb	short near ptr loc_A72079+6
		bound	ebp, [edi+6Fh]
		jz	short $+2
		int	3		; Trap to Debugger

??_C@_08FIACBBDA@shutdown@CIFEBFPJ@:	; DATA XREF: HdlspDispatch(x,x,x,x,x)+198o
		jnb	short near ptr loc_A72089+1
		jnz	short near ptr loc_A72097+1
		outs	dx, dword ptr fs:[esi]
		ja	short near ptr loc_A72090+6
		add	ah, cl

??_C@_03OLJLMEOE@?$AI?5?$AI@CIFEBFPJ@:	; DATA XREF: HdlspGetLine(x,x)+1A7o
		or	[eax], ah
		or	[eax], al

??_C@_01PBGHHLMH@?$AH@CIFEBFPJ@:	; DATA XREF: HdlspGetLine(x,x):loc_A733DDo
		pop	es
; 
		db 0
; 

??_C@_03BOKPECB@?$BL?$FLH@CIFEBFPJ@:	; DATA XREF: HdlspEnableTerminal(x)+77o
		sbb	ebx, [ebx+48h]
		add	ds:1BCC000Ah, cl ; DATA	XREF: HdlspBugCheckProcessing():loc_A72BA2o
					; HdlspGetLine(x,x):loc_A73400o ...
		pop	ebx
		and	eax, 64253B64h
		dec	eax
		add	ah, cl

??_C@_07MJDICJKK@?6?$AN?$CBSAC?$DO@CIFEBFPJ@:
					; DATA XREF: HdlspBugCheckProcessing():loc_A72BDDo
					; HdlspDispatch(x,x,x,x,x)+4A6o
		or	cl, ds:43415321h
		db	3Eh		; DATA XREF: HdlspDispatch(x,x,x,x,x):loc_A7303Co
		add	[ebx], bl
		pop	ebx
		aaa
		insd
		add	ah, cl

??_C@_08OPFPCDJH@?$BL?$FL?$CFd?$DL?$CFdm@CIFEBFPJ@:
					; DATA XREF: HdlspDispatch(x,x,x,x,x)+430o
		sbb	ebx, [ebx+25h]
		cmp	esp, fs:0CC006D64h

??_C@_0CL@JFJLBLFC@restart?5?5Restart?5the?5system?5imm@CIFEBFPJ@:
					; DATA XREF: HdlspBugCheckProcessing()+C3o
		jb	short loc_A720C1
		jnb	short loc_A720D2
		popa
		jb	short near ptr loc_A720D2+3
		and	[eax], ah
		push	edx
		db	65h
		jnb	short loc_A720DB
		popa
		jb	short near ptr loc_A720DD+1
		and	[eax+ebp*2+65h], dh
		and	[ebx+79h], dh
		jnb	short loc_A720E7
		db	65h
		insd
		and	[ecx+6Dh], ch
		insd

loc_A72079:				; CODE XREF: PAGEHDLS:??_C@_06MJDCIMPN@reboot@CIFEBFPJ@j
		db	65h
		imul	esp, fs:[ecx+74h], 2E796C65h
; 
		dw 0A0Dh
; 
		add	ah, cl

??_C@_0BO@FBOFAKEJ@?$DP?5?5?5?5?5?5?5?5Display?5this?5list?4?$AN?6@CIFEBFPJ@:
					; DATA XREF: HdlspBugCheckProcessing()+CDo
		aas
		and	[eax], ah

loc_A72089:				; CODE XREF: PAGEHDLS:??_C@_08FIACBBDA@shutdown@CIFEBFPJ@j
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		inc	esp

loc_A72090:				; CODE XREF: PAGEHDLS:00A72026j
		imul	esi, [ebx+70h],	2079616Ch

loc_A72097:				; CODE XREF: PAGEHDLS:00A72022j
		jz	short near ptr ??_C@_03GLFJLEGD@?$AI?$CFc@CIFEBFPJ@+5
		imul	esi, [ebx+20h],	7473696Ch
		db	2Eh		; DATA XREF: HdlspBugCheckProcessing()+AFo
		or	eax, 2064000Ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[ecx+ebp*2+73h], al
		jo	short loc_A7211E
		popa
		jns	short near ptr loc_A720D2+3
		popa
		insb
		insb
		and	[edi+ebp*2+67h], ch
		and	[ebp+6Eh], ah
		jz	short loc_A72133

loc_A720C1:				; CODE XREF: PAGEHDLS:??_C@_0CL@JFJLBLFC@restart?5?5Restart?5the?5system?5imm@CIFEBFPJ@j
		imul	esp, [ebp+73h],	6170202Ch
		imul	ebp, [bp+67h], 20736920h
		outsd
		outsb

loc_A720D2:				; CODE XREF: PAGEHDLS:00A7205Cj
					; PAGEHDLS:00A7205Fj ...
		db	2Eh
		or	eax, 6568000Ah
		insb
		jo	short loc_A720FB

loc_A720DB:				; CODE XREF: PAGEHDLS:00A72064j
		and	[eax], ah

loc_A720DD:				; CODE XREF: PAGEHDLS:00A72068j
		and	[eax], ah
		inc	esp
		imul	esi, [ebx+70h],	2079616Ch

loc_A720E7:				; CODE XREF: PAGEHDLS:00A72071j
		jz	short loc_A72151
		imul	esi, [ebx+20h],	7473696Ch
		db	2Eh		; DATA XREF: HdlspBugCheckProcessing()+29o
		or	eax, 3F000Ah

; char ??_C
??_C@_04PCJFHION@help@CIFEBFPJ@:	; DATA XREF: HdlspBugCheckProcessing()+3Do
		push	offset unk_706C65

loc_A720FB:				; CODE XREF: PAGEHDLS:00A720D9j
		int	3		; Trap to Debugger

??_C@_03GLFJLEGD@?$AI?$CFc@CIFEBFPJ@:	; CODE XREF: PAGEHDLS:loc_A72097j
					; DATA XREF: HdlspGetLine(x,x)+14Co ...
		or	ds:63250063h, ah
		add	ah, cl

??_C@_0BP@PHPPKGHL@?9?9?9?9Press?5?$DMEnter?$DO?5for?5more?9?9?9?9@CIFEBFPJ@:
					; DATA XREF: HdlspPutMore(x)+20o
		sub	eax, 502D2D2Dh
		jb	short loc_A72170
		jnb	short loc_A72180
		and	ds:7265746Eh[eax*2], bh
		db	3Eh
		and	[esi+6Fh], ah
		jb	short near ptr loc_A72137+3
		insd
		outsd
		jb	short near ptr loc_A72181+2

loc_A7211E:				; CODE XREF: PAGEHDLS:00A720B0j
		sub	eax, 2D2D2Dh
		int	3		; Trap to Debugger

??_C@_1GI@FHFHINE@?$AAE?$AAn?$AAt?$AAr?$AAy?$AA?5?$AAc?$AAo?$AAu?$AAl?$AAd?$AA?5?$AAn?$AAo?$AAt@CIFEBFPJ@:
					; DATA XREF: HdlspAddLogEntry(x)+FEo
					; HdlspAddLogEntry(x)+189o
		inc	ebp
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		jns	short $+2
		and	[eax], al
		arpl	[eax], ax
		outsd

loc_A72133:				; CODE XREF: PAGEHDLS:00A720BFj
		add	[ebp+0], dh
		insb

loc_A72137:				; CODE XREF: PAGEHDLS:00A72118j
		add	[eax+eax+20h], ah
		add	[esi+0], ch
		outsd
		add	[eax+eax+20h], dh
		add	[edx+0], ah
		add	gs:[eax], ah
		add	[edx+0], dh
		add	gs:[ebx+0], ah
		outsd

loc_A72151:				; CODE XREF: PAGEHDLS:loc_A720E7j
		add	[edx+0], dh
		add	fs:[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+75h], ah
		add	[ebp+0], ah
		and	[eax], al
		jz	short $+2
		outsd
		add	[eax], ah
		add	[eax+eax+61h], ch
		add	[ebx+0], ah

loc_A72170:				; CODE XREF: PAGEHDLS:00A72109j
		imul	eax, [eax], 20h
		add	[edi+0], ch
		db	66h
		add	[eax], ah
		add	[ebp+0], ch
		add	gs:[ebp+0], ch

loc_A72180:				; CODE XREF: PAGEHDLS:00A7210Bj
		outsd

loc_A72181:				; CODE XREF: PAGEHDLS:00A7211Cj
		add	[edx+0], dh
		jns	short $+2
		add	cs:[edx], cl
; 
		db 3 dup(0)
??_C@_0EA@MJJMGNOC@New?5log?5entries?5have?5been?5added@CIFEBFPJ@ db 'New log entries have been added during dump, command aborted.',0Dh,0Ah,0
					; DATA XREF: HdlspProcessDumpCommand(x):loc_A73948o
; 

??_C@_0EC@GFFMIAOL@New?5log?5entries?5have?5been?5added@CIFEBFPJ@:
					; DATA XREF: HdlspProcessDumpCommand(x):loc_A73925o
		dec	esi
		db	65h
		ja	short near ptr loc_A721EE+2
		insb
		outsd
		and	[di+6Eh], ah
		jz	short near ptr loc_A72247+3
		imul	esp, [ebp+73h],	76616820h
		and	gs:[edx+65h], ah
		outs	dx, byte ptr gs:[esi]
		and	[ecx+64h], ah
		db	64h, 65h
		and	fs:[edi+68h], dh

loc_A721EE:				; CODE XREF: PAGEHDLS:00A721CDj
		imul	ebp, [ebp+20h],	74696177h
		imul	ebp, [esi+67h],	6F63202Ch
		insd
		insd
		popa
		outsb
		and	fs:[ecx+62h], ah
		outsd
		jb	short near ptr loc_A7227A+2
		db	65h, 64h, 2Eh	; DATA XREF: HdlspBugCheckProcessing():loc_A72B9Bo
		or	eax, 7954000Ah
		jo	short loc_A72277
		and	[edi], bh
		and	[edi+72h], ch
		and	[eax+65h], cl
		insb
		jo	short near ptr loc_A7223B+2
		outsw
		jb	short near ptr loc_A7223B+6
		popa
		and	[ecx+ebp*2+73h], ch
		jz	short near ptr loc_A72247+1
		outsd
		db	66h
		and	[ebx+6Fh], ah
		insd
		insd
		popa
		outsb
		db	64h
		jnb	short near ptr loc_A72261+1
		or	eax, 25CC000Ah	; DATA XREF: HdlspProcessDumpCommand(x)+10Do
		xor	[edx], dh

loc_A7223B:				; CODE XREF: PAGEHDLS:00A7221Bj
					; PAGEHDLS:00A7221Fj
		cmp	ah, fs:3A643230h
		and	eax, 2E643230h

loc_A72247:				; CODE XREF: PAGEHDLS:00A72226j
					; PAGEHDLS:00A721D6j
		and	eax, 20643330h
		cmp	ah, [eax]
		add	ah, cl

; char ??_C
??_C@_01LPLHEDKD@d@CIFEBFPJ@:		; DATA XREF: HdlspBugCheckProcessing()+51o
					; HdlspBugCheckProcessing()+6Eo
		add	fs:[edx+65h], dh
		jnb	short near ptr ??_C@_1BO@HNCBPND@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAL?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5@CIFEBFPJ@+0Eh
		popa
		jb	short near ptr ??_C@_1BO@HNCBPND@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAL?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5@CIFEBFPJ@+11h
		add	[ebx+0], cl	; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A73533o
		push	edx
		add	[esi+0], cl
		dec	esp

loc_A72261:				; CODE XREF: PAGEHDLS:00A72231j
		add	[edx], bh
		add	[eax], ah
		add	[eax+eax+6Fh], cl
		add	[ecx+0], ah
		add	fs:[eax], ah
		add	[esi+0], ah
		popa
		add	[ecx+0], ch
		insb

loc_A72277:				; CODE XREF: PAGEHDLS:00A72210j
		add	[ebp+0], ah

loc_A7227A:				; CODE XREF: PAGEHDLS:00A72206j
		add	fs:[esi], ch
; 
		db 3 dup(0)
??_C@_1DM@DNAMACPI@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@:
					; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A7353Ao
		unicode	0, <KRNL: Failed to create event.>,0
??_C@_1BO@HNCBPND@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAL?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5@CIFEBFPJ@:
					; CODE XREF: PAGEHDLS:00A72254j
					; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A73522o
		unicode	0, <KRNL: Loading >,0
; 

??_C@_1CM@LNJBNIAA@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAL?$AAo?$AAa?$AAd?$AA?5?$AAs?$AAu?$AAc?$AAc@CIFEBFPJ@:
					; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A7352Co
		dec	ebx
		add	[edx+0], dl
		dec	esi
		add	[eax+eax+3Ah], cl
		add	[eax], ah
		add	[eax+eax+6Fh], cl
		add	[ecx+0], ah
		add	fs:[eax], ah
		add	[ebx+0], dh
		jnz	short $+2
		arpl	[eax], ax
		arpl	[eax], ax
		add	gs:[ebp+0], ah
		add	fs:[ebp+0], ah
		add	fs:[esi], ch
; 
		db 0
		db 2 dup(0)
??_C@_0EM@KIELOMMK@?$AN?6?$DMPROPERTY?5NAME?$DN?$CCSTOPCODE?$CC?5TYP@CIFEBFPJ@ db 0Dh,0Ah
					; DATA XREF: HdlspSendBlueScreenInfo(x)+2Do
		db '<PROPERTY NAME="STOPCODE" TYPE="string"><VALUE>"0x%0X"</VALUE></P'
		db 'ROPERTY>',0
??_C@_0BG@OPJMIJNF@?$AN?6?$DM?1INSTANCE?$DO?$AN?6?$DM?1BP?$DO?$AH@CIFEBFPJ@ db 0Dh,0Ah
					; DATA XREF: HdlspSendBlueScreenInfo(x)+6Ao
		db '</INSTANCE>',0Dh,0Ah
		db '</BP>',7,0
; 

??_C@_0P@FDDIJDOF@?$AH?$AH?$AH?$DM?$DPxml?$DO?$AH?$DMBP?$DO@CIFEBFPJ@:
					; DATA XREF: HdlspSendBlueScreenInfo(x)+18o
		pop	es
		pop	es
		pop	es
		cmp	al, 3Fh
		js	short near ptr ??_C@_1FG@JJHPAIEG@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@+40h
		insb
		db	3Eh
		pop	es
		cmp	al, 42h
		push	eax
		db	3Eh
		add	ah, cl
; 
??_C@_0CE@LODDICKA@?$AN?6?$DMINSTANCE?5CLASSNAME?$DN?$CCBLUESCRE@CIFEBFPJ@ db 0Dh,0Ah
					; DATA XREF: HdlspSendBlueScreenInfo(x)+22o
		db '<INSTANCE CLASSNAME="BLUESCREEN">',0
??_C@_1FG@JJHPAIEG@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@:
					; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A7356Bo
		unicode	0, <KRNL: Failed to initialize system drivers.>,0
??_C@_1EM@LAIHKMAN@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@ db 'K',0
					; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A73572o
aRnlFailedToRea:
		unicode	0, <RNL: Failed	to reassign system root.>,0
; 

??_C@_1FC@DGPBKEEE@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@:
					; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A7355Do
		dec	ebx
		add	[edx+0], dl
		dec	esi
		add	[eax+eax+3Ah], cl
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 6C0061h
		imul	eax, [eax], 65007Ah
		and	[eax], al
		bound	eax, [eax]
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		add	fs:[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		jnb	short $+2
		add	cs:[eax], al
; 
		db 0
; 

??_C@_1EG@LDLJLBAN@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@:
					; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A73564o
		dec	ebx
		add	[edx+0], dl
		dec	esi
		add	[eax+eax+3Ah], cl
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[eax+eax+6Fh], ch
		add	[ebx+0], ah
		popa
		add	[eax+eax+65h], dh
		add	[eax], ah
		add	[ebx+0], dh
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		add	fs:[eax+eax+6Ch], ch
		add	[esi], ch
; 
		db 0
		db 2 dup(0)
; 

??_C@_1HK@MDKAGEAH@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@:
					; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A7354Fo
		dec	ebx
		add	[edx+0], dl
		dec	esi
		add	[eax+eax+3Ah], cl
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 6C0061h
		imul	eax, [eax], 65007Ah
		and	[eax], al
		sub	[eax], al
		jo	short $+2
		push	73006100h
		add	[ebp+0], ah
		and	[eax], al
		xor	[eax], al
		sub	[eax], eax
		and	[eax], al
		jo	short $+2
		insb
		add	[ebp+0], dh
		add	[bx+si], ah
		add	[ecx+0], ah
		outsb
		add	[eax+eax+20h], ah
		add	[eax+0], dh
		insb
		add	[ecx+0], ah
		jns	short $+2
		and	[eax], al
		jnb	short $+2
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		add	cs:[eax], al
		add	[ebx+0], cl	; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A73556o
		push	edx
		add	[esi+0], cl
		dec	esp
		add	[edx], bh
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 6C0061h
		imul	eax, [eax], 65007Ah
		and	[eax], al
		sub	[eax], al
		jo	short $+2
		push	73006100h
		add	[ebp+0], ah
		and	[eax], al
		xor	[eax], eax
		sub	[eax], eax
		and	[eax], al
		jo	short $+2
		insb
		add	[ebp+0], dh
		add	[bx+si], ah
		add	[ecx+0], ah
		outsb
		add	[eax+eax+20h], ah
		add	[eax+0], dh
		insb
		add	[ecx+0], ah
		jns	short $+2
		and	[eax], al
		jnb	short $+2
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		add	cs:[eax], al
		add	[ebx+0], cl	; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A73541o
		push	edx
		add	[esi+0], cl
		dec	esp
		add	[edx], bh
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ebx+0], ah
		jb	short $+2
		add	gs:[ecx+0], ah
		jz	short $+2
		add	gs:[eax], ah
		add	[edi+0], ch
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		and	[eax], al
		jz	short $+2
		jns	short $+2
		jo	short $+2
		add	gs:[ebx+0], dh
		add	cs:[eax], al
		add	[ebx+0], cl	; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A73548o
		push	edx
		add	[esi+0], cl
		dec	esp
		add	[edx], bh
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ebx+0], ah
		jb	short $+2
		add	gs:[ecx+0], ah
		jz	short $+2
		add	gs:[eax], ah
		add	[edx+0], dh
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		add	fs:[ecx+0], ch
		jb	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		outsd
		add	[edx+0], dh
		imul	eax, [eax], 730065h
		add	cs:[eax], al
		add	[ebx+0], cl	; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A735A3o
		push	edx
		add	[esi+0], cl
		dec	esp
		add	[edx], bh
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[edi+0], dh
		popa
		add	[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 67006Eh
		and	[eax], al
		db	66h
		add	[edi+0], ch
		jb	short $+2
		and	[eax], al
		bound	eax, [eax]
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		add	fs:[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		and	[eax], al
		jz	short $+2
		outsd
		add	[eax], ah
		add	[edx+0], dh
		add	gs:[ecx+0], ch
		outsb
		add	[ecx+0], ch
		jz	short $+2
		add	cs:[eax], al
		add	[ebx+0], cl	; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A735AAo
		push	edx
		add	[esi+0], cl
		dec	esp
		add	[edx], bh
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[ebp+0], ch
		popa
		add	[edx+0], dh
		imul	eax, [eax], 69h
		add	[esi+0], ch
		add	[bx+si], ah
		add	[edx+0], ah
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		jo	short $+2
		popa
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
		add	cs:[eax], al
		add	[ebx+0], cl	; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A73595o
		push	edx
		add	[esi+0], cl
		dec	esp
		add	[edx], bh
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[edi+0], dh
		popa
		add	[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 67006Eh
		and	[eax], al
		db	66h
		add	[edi+0], ch
		jb	short $+2
		and	[eax], al
		bound	eax, [eax]
		outsd
		add	[edi+0], ch
		jz	short $+2
		and	[eax], al
		add	fs:[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		and	[eax], al
		jz	short $+2
		outsd
		add	[eax], ah
		add	[eax+eax+65h], ah
		add	[eax+eax+65h], ch
		add	[eax+eax+65h], dh
		add	[esi], ch
; 
		db 3 dup(0)
??_C@_1GA@PAMHFMK@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAw?$AAa@CIFEBFPJ@:
					; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A7359Co
		unicode	0, <KRNL: Failed waiting for boot devices to start.>,0
??_C@_1FG@PBPPIIAB@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@:
					; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A73587o
		unicode	0, <KRNL: Failed to AnsiToUnicode system root.>,0
??_C@_1EC@MNOJDMA@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@ db 'K',0
					; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A7358Eo
aRnlFailedToFin:
		unicode	0, <RNL: Failed	to find	any groups.>,0
; 

??_C@_1FE@LMPCMHP@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@:
					; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A73579o
		dec	ebx
		add	[edx+0], dl
		dec	esi
		add	[eax+eax+3Ah], cl
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[eax+0], dh
		jb	short $+2
		outsd
		add	[eax+eax+65h], dh
		add	[ebx+0], ah
		jz	short $+2
		and	[eax], al
		jnb	short $+2
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		jo	short $+2
		popa
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
		add	cs:[eax], al
		add	[ebx+0], cl	; DATA XREF: HdlspKernelAddLogEntry(x,x):loc_A73580o
		push	edx
		add	[esi+0], cl
		dec	esp
		add	[edx], bh
		add	[eax], ah
		add	[esi+0], al
		popa
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		add	fs:[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[ebp+0], dl
		outsb
		add	[ecx+0], ch
		arpl	[eax], ax
		outsd
		add	[eax+eax+65h], ah
		add	[eax+eax+6Fh], dl
		add	[ecx+0], al
		outsb
		add	[ebx+0], dh
		imul	eax, [eax], 730020h
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		jb	short $+2
		outsd
		add	[edi+0], ch
		jz	short $+2
		add	cs:[eax], al
; 
		db 0

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HdlspAddLogEntry(x)
_HdlspAddLogEntry@4 proc near		; CODE XREF: HdlspDispatch(x,x,x,x,x)+38Ep

var_46		= byte ptr -46h
var_45		= byte ptr -45h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [esp+58h+var_38]
		push	30h		; size_t
		push	esi		; int
		push	eax		; void *
		mov	edi, ecx
		mov	ebx, esi
		call	_memset
		mov	ecx, edi
		add	esp, 0Ch
		lea	edx, [ecx+2]

loc_A7294A:				; CODE XREF: HdlspAddLogEntry(x)+3Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_A7294A
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, ds:2[ecx*2]
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_A72AED
		push	0
		push	30h
		lea	eax, [esp+60h+var_38]
		push	eax
		push	3
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		jns	short loc_A72993
		push	30h		; size_t
		lea	eax, [esp+5Ch+var_38]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_A72993:				; CODE XREF: HdlspAddLogEntry(x)+6Aj
		push	736C6448h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+58h+var_3C], eax
		test	eax, eax
		jz	short loc_A729B6
		push	esi		; size_t
		push	edi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_A729B6:				; CODE XREF: HdlspAddLogEntry(x)+93j
		mov	esi, _HeadlessGlobals
		mov	eax, 0FFh
		test	byte ptr [esi+18h], 2
		jnz	short loc_A729DA
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	[esp+58h+var_45], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		jmp	short loc_A729DE
; 

loc_A729DA:				; CODE XREF: HdlspAddLogEntry(x)+AFj
		mov	[esp+58h+var_45], al

loc_A729DE:				; CODE XREF: HdlspAddLogEntry(x)+C2j
		mov	edx, _HeadlessGlobals
		mov	ecx, 0FFh
		mov	ax, [edx+3Ch]
		or	dword ptr [edx+18h], 4
		inc	ax
		movzx	esi, word ptr [edx+3Eh]
		and	ax, cx
		movzx	eax, ax
		mov	[esp+58h+var_40], eax
		mov	[edx+3Ch], ax
		cmp	ax, si
		jnz	short loc_A72A60
		mov	eax, [edx+8]
		imul	ecx, esi, 38h
		mov	eax, [ecx+eax+30h]
		mov	ecx, offset ??_C@_1GI@FHFHINE@?$AAE?$AAn?$AAt?$AAr?$AAy?$AA?5?$AAc?$AAo?$AAu?$AAl?$AAd?$AA?5?$AAn?$AAo?$AAt@CIFEBFPJ@
		mov	[esp+58h+var_44], eax

loc_A72A1D:				; CODE XREF: HdlspAddLogEntry(x)+127j
		mov	di, [eax]
		cmp	di, [ecx]
		jnz	short loc_A72A43
		test	di, di
		jz	short loc_A72A3F
		mov	di, [eax+2]
		cmp	di, [ecx+2]
		jnz	short loc_A72A43
		add	eax, 4
		add	ecx, 4
		test	di, di
		jnz	short loc_A72A1D

loc_A72A3F:				; CODE XREF: HdlspAddLogEntry(x)+112j
		xor	ebx, ebx
		jmp	short loc_A72A48
; 

loc_A72A43:				; CODE XREF: HdlspAddLogEntry(x)+10Dj
					; HdlspAddLogEntry(x)+11Cj
		sbb	ebx, ebx
		or	ebx, 1

loc_A72A48:				; CODE XREF: HdlspAddLogEntry(x)+12Bj
		neg	ebx
		lea	eax, [esi+1]
		movzx	eax, al
		sbb	ebx, ebx
		mov	[edx+3Eh], ax
		and	ebx, [esp+58h+var_44]
		mov	eax, [esp+58h+var_40]
		jmp	short loc_A72A70
; 

loc_A72A60:				; CODE XREF: HdlspAddLogEntry(x)+F2j
		mov	ecx, 0FFFFh
		cmp	si, cx
		jnz	short loc_A72A70
		xor	ecx, ecx
		mov	[edx+3Eh], cx

loc_A72A70:				; CODE XREF: HdlspAddLogEntry(x)+148j
					; HdlspAddLogEntry(x)+152j
		movzx	eax, ax
		lea	esi, [esp+58h+var_38]
		imul	edi, eax, 38h
		mov	eax, _HeadlessGlobals
		push	0Ch
		pop	ecx
		add	edi, [eax+8]
		rep movsd
		mov	edx, _HeadlessGlobals
		mov	esi, [esp+58h+var_3C]
		movzx	eax, word ptr [edx+3Ch]
		imul	ecx, eax, 38h
		mov	eax, [edx+8]
		test	esi, esi
		jnz	short loc_A72AA9
		mov	dword ptr [ecx+eax+30h], offset	??_C@_1GI@FHFHINE@?$AAE?$AAn?$AAt?$AAr?$AAy?$AA?5?$AAc?$AAo?$AAu?$AAl?$AAd?$AA?5?$AAn?$AAo?$AAt@CIFEBFPJ@
		jmp	short loc_A72AAD
; 

loc_A72AA9:				; CODE XREF: HdlspAddLogEntry(x)+187j
		mov	[ecx+eax+30h], esi

loc_A72AAD:				; CODE XREF: HdlspAddLogEntry(x)+191j
		mov	eax, 0FFh
		cmp	[esp+58h+var_45], al
		jz	short loc_A72AE1
		test	ds:byte_70EFC6,	1
		mov	eax, _HeadlessGlobals
		jz	short loc_A72AD2
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A72AD7
; 

loc_A72AD2:				; CODE XREF: HdlspAddLogEntry(x)+1AEj
		xor	ecx, ecx
		lock and [eax],	ecx

loc_A72AD7:				; CODE XREF: HdlspAddLogEntry(x)+1BAj
		mov	cl, [esp+58h+var_45]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A72AE1:				; CODE XREF: HdlspAddLogEntry(x)+1A0j
		test	ebx, ebx
		jz	short loc_A72AED
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A72AED:				; CODE XREF: HdlspAddLogEntry(x)+52j
					; HdlspAddLogEntry(x)+1CDj
		mov	ecx, [esp+58h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_HdlspAddLogEntry@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HdlspBugCheckProcessing()
_HdlspBugCheckProcessing@0 proc	near	; CODE XREF: HdlspDispatch(x,x,x,x,x)+310p

var_58		= byte ptr -58h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	50h
		pop	edx
		lea	ecx, [ebp+var_58]
		call	_HdlspGetLine@8	; HdlspGetLine(x,x)
		test	al, al
		jz	loc_A72BE7
		lea	eax, [ebp+var_58]
		push	(offset	loc_A720F0+4) ;	char *
		push	eax		; char *
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A72BA2
		lea	eax, [ebp+var_58]
		push	offset ??_C@_04PCJFHION@help@CIFEBFPJ@ ; char *
		push	eax		; char *
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_A72BA2
		lea	eax, [ebp+var_58]
		push	offset ??_C@_01LPLHEDKD@d@CIFEBFPJ@ ; char *
		push	eax		; char *
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A72B6A
		mov	cl, 1
		call	_HdlspProcessDumpCommand@4 ; HdlspProcessDumpCommand(x)
		jmp	short loc_A72BDD
; 

loc_A72B6A:				; CODE XREF: HdlspBugCheckProcessing()+60j
		lea	eax, [ebp+var_58]
		push	(offset	??_C@_01LPLHEDKD@d@CIFEBFPJ@+2)	; char *
		push	eax		; char *
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_A72B9B
		push	0Ah
		pop	esi

loc_A72B81:				; CODE XREF: HdlspBugCheckProcessing()+90j
		push	186A0h
		call	ds:__imp__KeStallExecutionProcessor@4 ;	KeStallExecutionProcessor(x)
		sub	esi, 1
		jnz	short loc_A72B81
		push	3
		call	ds:__imp__HalReturnToFirmware@4	; HalReturnToFirmware(x)
		jmp	short loc_A72BDD
; 

loc_A72B9B:				; CODE XREF: HdlspBugCheckProcessing()+7Dj
		mov	ecx, (offset loc_A72208+6)
		jmp	short loc_A72BD8
; 

loc_A72BA2:				; CODE XREF: HdlspBugCheckProcessing()+38j
					; HdlspBugCheckProcessing()+4Cj
		mov	esi, (offset loc_A72033+1)
		mov	ecx, esi
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	ecx, (offset loc_A720A0+4)
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	ecx, (offset loc_A720D2+4)
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	ecx, offset ??_C@_0CL@JFJLBLFC@restart?5?5Restart?5the?5system?5imm@CIFEBFPJ@
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	ecx, offset ??_C@_0BO@FBOFAKEJ@?$DP?5?5?5?5?5?5?5?5Display?5this?5list?4?$AN?6@CIFEBFPJ@
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	ecx, esi

loc_A72BD8:				; CODE XREF: HdlspBugCheckProcessing()+A1j
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)

loc_A72BDD:				; CODE XREF: HdlspBugCheckProcessing()+69j
					; HdlspBugCheckProcessing()+9Aj
		mov	ecx, offset ??_C@_07MJDICJKK@?6?$AN?$CBSAC?$DO@CIFEBFPJ@
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)

loc_A72BE7:				; CODE XREF: HdlspBugCheckProcessing()+20j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_HdlspBugCheckProcessing@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HdlspDispatch(x, x,	x, x, x)
_HdlspDispatch@20 proc near		; CODE XREF: HeadlessDispatch+88E1Bp
					; HdlspKernelAddLogEntry(x,x)+181p
					; DATA XREF: ...

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_5D		= byte ptr -5Dh
var_5C		= dword	ptr -5Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 70h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	edx, [ebp+arg_0]
		xor	ecx, ecx
		mov	eax, [ebp+arg_10]
		inc	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		mov	[ebp+var_68], esi
		mov	[ebp+var_6C], eax
		push	edi
		mov	edi, [ebp+arg_C]
		cmp	edx, 11h
		jz	loc_A72CF3
		cmp	edx, 0Eh
		jz	loc_A72CF3
		cmp	edx, 14h
		jz	loc_A72CF3
		cmp	edx, 0Fh
		jz	loc_A72CF3
		mov	ebx, _HeadlessGlobals
		test	byte ptr [ebx+18h], 2
		jnz	short loc_A72C68
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, ebx
		mov	[ebp+var_5D], al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		mov	dl, [ebp+var_5D]
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_A72C6E
; 

loc_A72C68:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+5Aj
		or	dl, 0FFh
		mov	[ebp+var_5D], dl

loc_A72C6E:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+72j
		mov	eax, _HeadlessGlobals
		push	0
		mov	ebx, [eax+18h]
		test	bl, 40h
		mov	[ebp+var_64], ebx
		pop	ebx
		jz	short loc_A72CB5
		cmp	dl, 0FFh
		jz	short loc_A72CAB
		test	ds:byte_70EFC6,	1
		jz	short loc_A72C9E
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	dl, [ebp+var_5D]
		jmp	short loc_A72CA3
; 

loc_A72C9E:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+99j
		xor	ecx, ecx
		lock and [eax],	ecx

loc_A72CA3:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+A8j
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A72CAB:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+90j
		mov	eax, 0C0000001h
		jmp	loc_A73108
; 

loc_A72CB5:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+8Bj
		mov	esi, [ebp+var_64]
		or	esi, 40h
		mov	[eax+18h], esi
		mov	esi, [ebp+var_68]
		cmp	dl, 0FFh
		jz	short loc_A72CEA
		test	ds:byte_70EFC6,	cl
		jz	short loc_A72CDD
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		mov	dl, [ebp+var_5D]
		jmp	short loc_A72CE2
; 

loc_A72CDD:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+D8j
		xor	ecx, ecx
		lock and [eax],	ecx

loc_A72CE2:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+E7j
		mov	cl, dl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A72CEA:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+D0j
		mov	eax, [ebp+var_6C]
		xor	ecx, ecx
		mov	edx, [ebp+arg_0]
		inc	ecx

loc_A72CF3:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+2Fj
					; HdlspDispatch(x,x,x,x,x)+38j	...
		dec	edx
		cmp	edx, 17h	; switch 24 cases
		ja	loc_A730E1	; default
		jmp	ds:off_A7311C[edx*4] ; switch jump

loc_A72D04:				; DATA XREF: PAGEHDLS:off_A7311Co
		test	esi, esi	; case 0x0
		jz	loc_A730E1	; default
		cmp	[ebp+arg_8], ecx
		jnz	loc_A730E1	; default
		mov	cl, [esi]
		call	_HdlspEnableTerminal@4 ; HdlspEnableTerminal(x)

loc_A72D1C:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+481j
		mov	ebx, eax
		jmp	loc_A730E6
; 

loc_A72D23:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		test	edi, edi	; case 0x1
		jz	loc_A730E1	; default
		test	eax, eax
		jz	loc_A730E1	; default
		cmp	[eax], ecx
		jnz	loc_A730E1	; default
		mov	eax, _HeadlessGlobals
		test	[eax+18h], cl
		jz	short loc_A72DB4
		push	50h
		pop	edx
		lea	ecx, [ebp+var_5C]
		call	_HdlspGetLine@8	; HdlspGetLine(x,x)
		test	al, al
		jz	loc_A730E6
		lea	edx, [ebp+var_5C]
		mov	esi, offset ??_C@_06MJDCIMPN@reboot@CIFEBFPJ@
		mov	ecx, ebx

loc_A72D62:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+17Bj
		movzx	eax, byte ptr [edx+ecx]
		cmp	al, [esi+ecx]
		jnz	short loc_A72D78
		inc	ecx
		cmp	ecx, 7
		jnz	short loc_A72D62
		xor	ecx, ecx
		mov	eax, ebx
		inc	ecx
		jmp	short loc_A72D7F
; 

loc_A72D78:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+175j
		sbb	eax, eax
		xor	ecx, ecx
		inc	ecx
		or	eax, ecx

loc_A72D7F:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+182j
		test	eax, eax
		jz	short loc_A72DAD
		lea	esi, [ebp+var_5C]
		mov	edx, ebx

loc_A72D88:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+1A9j
		movzx	eax, byte ptr [esi+edx]
		mov	esi, offset ??_C@_08FIACBBDA@shutdown@CIFEBFPJ@
		cmp	al, [esi+edx]
		lea	esi, [ebp+var_5C]
		jnz	short loc_A72DA3
		inc	edx
		cmp	edx, 9
		jnz	short loc_A72D88
		mov	eax, ebx
		jmp	short loc_A72DA7
; 

loc_A72DA3:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+1A3j
		sbb	eax, eax
		or	eax, ecx

loc_A72DA7:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+1ADj
		test	eax, eax
		jz	short loc_A72DAD
		mov	cl, bl

loc_A72DAD:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+18Dj
					; HdlspDispatch(x,x,x,x,x)+1B5j
		mov	[edi], cl
		jmp	loc_A730E6
; 

loc_A72DB4:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+14Fj
					; HdlspDispatch(x,x,x,x,x)+28Dj ...
		mov	[edi], bl
		jmp	loc_A730E6
; 

loc_A72DBB:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		test	esi, esi	; case 0x2
		jz	loc_A730E1	; default
		mov	eax, _HeadlessGlobals
		test	[eax+18h], cl
		jz	loc_A730E6
		mov	ecx, esi
		call	_HdlspPutString@4 ; HdlspPutString(x)
		jmp	loc_A730E6
; 

loc_A72DDD:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		test	esi, esi	; case 0x16
		jz	loc_A730E1	; default
		mov	eax, _HeadlessGlobals
		test	[eax+18h], cl
		jz	loc_A730E6
		mov	ecx, esi
		call	_HdlspPutWideString@4 ;	HdlspPutWideString(x)
		jmp	loc_A730E6
; 

loc_A72DFF:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		test	esi, esi	; case 0x15
		jz	loc_A730E1	; default
		mov	edx, [ebp+arg_8]
		test	edx, edx
		jz	loc_A730E1	; default
		mov	eax, _HeadlessGlobals
		test	[eax+18h], cl
		jz	loc_A730E6
		mov	ecx, esi
		call	_HdlspPutData@8	; HdlspPutData(x,x)
		jmp	loc_A730E6
; 

loc_A72E2C:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		test	edi, edi	; case 0xA
		jz	loc_A730E1	; default
		test	eax, eax
		jz	loc_A730E1	; default
		cmp	[eax], ecx
		jnz	loc_A730E1	; default
		mov	eax, _HeadlessGlobals
		test	[eax+18h], cl
		jz	short loc_A72E58
		mov	ecx, [eax+20h]
		call	_InbvPortPollOnly@4 ; InbvPortPollOnly(x)
		jmp	short loc_A72E5A
; 

loc_A72E58:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+258j
					; HdlspDispatch(x,x,x,x,x)+2DBj
		mov	al, bl

loc_A72E5A:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+262j
					; HdlspDispatch(x,x,x,x,x)+2E6j
		mov	[edi], al
		jmp	loc_A730E6
; 

loc_A72E61:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		test	edi, edi	; case 0xB
		jz	loc_A730E1	; default
		test	eax, eax
		jz	loc_A730E1	; default
		cmp	[eax], ecx
		jnz	loc_A730E1	; default
		mov	eax, _HeadlessGlobals
		test	[eax+18h], cl
		jz	loc_A72DB4
		mov	ecx, [eax+20h]
		call	_InbvPortPollOnly@4 ; InbvPortPollOnly(x)
		test	al, al
		jz	loc_A72DB4
		mov	ecx, _HeadlessGlobals
		mov	edx, edi
		mov	ecx, [ecx+20h]
		call	_InbvPortGetByte@8 ; InbvPortGetByte(x,x)
		jmp	loc_A730E6
; 

loc_A72EAC:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		test	edi, edi	; case 0xC
		jz	loc_A730E1	; default
		test	eax, eax
		jz	loc_A730E1	; default
		mov	edx, [eax]
		cmp	edx, 2
		jb	loc_A730E1	; default
		mov	eax, _HeadlessGlobals
		test	[eax+18h], cl
		jz	short loc_A72E58
		dec	edx
		lea	ecx, [edi+1]
		call	_HdlspGetLine@8	; HdlspGetLine(x,x)
		jmp	loc_A72E5A
; 

loc_A72EDF:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		mov	ecx, _HeadlessGlobals ;	case 0xD
		mov	eax, [ecx+18h]
		and	eax, 0FFFFFFBFh
		or	eax, 2
		mov	[ecx+18h], eax
		jmp	loc_A730E6
; 

loc_A72EF6:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		mov	eax, _HeadlessGlobals ;	case 0xE
		test	[eax+18h], cl
		jz	loc_A730E6
		call	_HdlspBugCheckProcessing@0 ; HdlspBugCheckProcessing()
		jmp	loc_A730E6
; 

loc_A72F0E:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		test	edi, edi	; case 0xF
		jz	loc_A730E1	; default
		test	eax, eax
		jz	loc_A730E1	; default
		cmp	dword ptr [eax], 18h
		jb	loc_A730E1	; default
		mov	edx, _HeadlessGlobals
		mov	[edi], ecx
		mov	[edi+4], cl
		mov	eax, [edx+18h]
		shr	eax, 3
		and	al, cl
		mov	[edi+5], al
		mov	eax, [edx+1Ch]
		mov	[edi+10h], eax
		mov	eax, [edx+18h]
		mov	[ebp+var_64], eax
		shr	eax, 9
		and	eax, 7
		cmp	eax, ecx
		jnb	short loc_A72F64
		shr	[ebp+var_64], 3
		test	byte ptr [ebp+var_64], cl
		jnz	short loc_A72F64
		mov	[edi+8], ebx
		mov	[edi+0Ch], ebx
		jmp	short loc_A72F6D
; 

loc_A72F64:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+35Dj
					; HdlspDispatch(x,x,x,x,x)+366j
		mov	[edi+8], eax
		mov	eax, [edx+24h]
		mov	[edi+0Ch], eax

loc_A72F6D:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+36Ej
		mov	al, [edx+34h]
		mov	[edi+14h], al
		jmp	loc_A730E6
; 

loc_A72F78:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		test	esi, esi	; case 0x10
		jz	loc_A730E1	; default
		mov	ecx, esi
		call	_HdlspAddLogEntry@4 ; HdlspAddLogEntry(x)
		jmp	loc_A730E6
; 

loc_A72F8C:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		test	esi, esi	; case 0x11
		jz	loc_A730E1	; default
		cmp	[ebp+arg_8], ecx
		jnz	loc_A730E1	; default
		mov	cl, [esi]
		call	_HdlspProcessDumpCommand@4 ; HdlspProcessDumpCommand(x)
		jmp	loc_A730E6
; 

loc_A72FA9:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		mov	eax, _HeadlessGlobals ;	case 0x3
		mov	edi, [ebp+arg_0]
		test	[eax+18h], cl
		jz	loc_A730E9
		mov	eax, edi
		sub	eax, 4
		jz	loc_A73058
		sub	eax, 1
		jz	loc_A73051
		sub	eax, 1
		jz	short loc_A7304A
		sub	eax, 1
		jz	short loc_A73043
		sub	eax, 1
		jz	short loc_A7303C
		sub	eax, 1
		jz	short loc_A73015
		sub	eax, 1
		jz	short loc_A72FF1
		mov	ebx, 0C000000Dh
		jmp	loc_A730E9
; 

loc_A72FF1:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+3F1j
		test	esi, esi
		jz	short loc_A7300B
		cmp	[ebp+arg_8], 8
		jnz	short loc_A7300B
		mov	eax, [esi]
		inc	eax
		push	eax
		mov	eax, [esi+4]
		inc	eax
		push	eax
		push	(offset	loc_A72033+5)
		jmp	short loc_A73029
; 

loc_A7300B:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+3FFj
					; HdlspDispatch(x,x,x,x,x)+405j ...
		mov	ebx, 0C000000Dh
		jmp	loc_A730FD
; 

loc_A73015:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+3ECj
		test	esi, esi
		jz	short loc_A7300B
		cmp	[ebp+arg_8], 8
		jnz	short loc_A7300B
		push	dword ptr [esi]
		push	dword ptr [esi+4]
		push	offset ??_C@_08OPFPCDJH@?$BL?$FL?$CFd?$DL?$CFdm@CIFEBFPJ@

loc_A73029:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+415j
		lea	eax, [ebp+var_5C]
		push	50h
		push	eax
		call	_sprintf_s
		add	esp, 14h
		lea	ecx, [ebp+var_5C]
		jmp	short loc_A7305D
; 

loc_A7303C:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+3E7j
		mov	ecx, (offset loc_A72048+2)
		jmp	short loc_A7305D
; 

loc_A73043:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+3E2j
		mov	ecx, offset ??_C@_04MGNJNGKI@?$BL?$FL0m@CIFEBFPJ@
		jmp	short loc_A7305D
; 

loc_A7304A:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+3DDj
		mov	ecx, offset ??_C@_04FAHFFIM@?$BL?$FL0K@CIFEBFPJ@
		jmp	short loc_A7305D
; 

loc_A73051:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+3D4j
		mov	ecx, offset ??_C@_04BMBMGEMN@?$BL?$FL0J@CIFEBFPJ@
		jmp	short loc_A7305D
; 

loc_A73058:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+3CBj
		mov	ecx, offset ??_C@_04BPJILAKD@?$BL?$FL2J@CIFEBFPJ@

loc_A7305D:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+446j
					; HdlspDispatch(x,x,x,x,x)+44Dj ...
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		jmp	loc_A730E9
; 

loc_A73067:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		test	esi, esi	; case 0x12
		jz	short loc_A730A6
		mov	edx, [ebp+arg_8]
		mov	ecx, esi
		call	_HdlspSetBlueScreenInformation@8 ; HdlspSetBlueScreenInformation(x,x)
		jmp	loc_A72D1C
; 

loc_A7307A:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		mov	eax, _HeadlessGlobals ;	case 0x13
		mov	eax, [eax+18h]
		and	eax, 3
		cmp	al, 3
		jnz	short loc_A730E6
		test	esi, esi
		jz	short loc_A730A6
		cmp	[ebp+arg_8], 4
		jnz	short loc_A730A6
		mov	ecx, [esi]
		call	_HdlspSendBlueScreenInfo@4 ; HdlspSendBlueScreenInfo(x)
		mov	ecx, offset ??_C@_07MJDICJKK@?6?$AN?$CBSAC?$DO@CIFEBFPJ@
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		jmp	short loc_A730E6
; 

loc_A730A6:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+475j
					; HdlspDispatch(x,x,x,x,x)+497j ...
		mov	eax, 0C000000Dh
		jmp	short loc_A73108
; 

loc_A730AD:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		test	edi, edi	; case 0x14
		jz	short loc_A730E1 ; default
		test	eax, eax
		jz	short loc_A730E1 ; default
		cmp	dword ptr [eax], 10h
		jb	short loc_A730E1 ; default
		mov	esi, _HeadlessGlobals
		lea	esi, [esi+40h]
		movsd

loc_A730C4:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+4EBj
		movsd
		movsd
		movsd
		jmp	short loc_A730E6
; 

loc_A730C9:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+109j
					; DATA XREF: PAGEHDLS:off_A7311Co
		test	edi, edi	; case 0x17
		jz	short loc_A730E1 ; default
		test	eax, eax
		jz	short loc_A730E1 ; default
		cmp	dword ptr [eax], 0Ch
		jb	short loc_A730E1 ; default
		mov	esi, _HeadlessGlobals
		lea	esi, [esi+52h]
		jmp	short loc_A730C4
; 

loc_A730E1:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+103j
					; HdlspDispatch(x,x,x,x,x)+112j ...
		mov	ebx, 0C000000Dh	; default

loc_A730E6:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+12Aj
					; HdlspDispatch(x,x,x,x,x)+15Ej ...
		mov	edi, [ebp+arg_0]

loc_A730E9:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+3C0j
					; HdlspDispatch(x,x,x,x,x)+3F8j ...
		cmp	edi, 11h
		jz	short loc_A73106
		cmp	edi, 0Eh
		jz	short loc_A73106
		cmp	edi, 14h
		jz	short loc_A73106
		cmp	edi, 0Fh
		jz	short loc_A73106

loc_A730FD:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+41Cj
		mov	eax, _HeadlessGlobals
		and	dword ptr [eax+18h], 0FFFFFFBFh

loc_A73106:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+4F8j
					; HdlspDispatch(x,x,x,x,x)+4FDj ...
		mov	eax, ebx

loc_A73108:				; CODE XREF: HdlspDispatch(x,x,x,x,x)+BCj
					; HdlspDispatch(x,x,x,x,x)+4B7j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
_HdlspDispatch@20 endp

; 
		align 4
off_A7311C	dd offset loc_A72D04	; DATA XREF: HdlspDispatch(x,x,x,x,x)+109r
		dd offset loc_A72D23	; jump table for switch	statement
		dd offset loc_A72DBB
		dd offset loc_A72FA9
		dd offset loc_A72FA9
		dd offset loc_A72FA9
		dd offset loc_A72FA9
		dd offset loc_A72FA9
		dd offset loc_A72FA9
		dd offset loc_A72FA9
		dd offset loc_A72E2C
		dd offset loc_A72E61
		dd offset loc_A72EAC
		dd offset loc_A72EDF
		dd offset loc_A72EF6
		dd offset loc_A72F0E
		dd offset loc_A72F78
		dd offset loc_A72F8C
		dd offset loc_A73067
		dd offset loc_A7307A
		dd offset loc_A730AD
		dd offset loc_A72DFF
		dd offset loc_A72DDD
		dd offset loc_A730C9

;  S U B	R O U T	I N E 


; __stdcall HdlspEnableTerminal(x)
_HdlspEnableTerminal@4 proc near	; CODE XREF: HdlspDispatch(x,x,x,x,x)+123p
					; HeadlessInit+1A4A1p
		mov	edi, edi
		push	ecx
		push	ebx
		push	esi
		cmp	cl, 1
		jnz	short loc_A731FF
		mov	ecx, _HeadlessGlobals
		mov	edx, [ecx+18h]
		test	dl, 1
		jnz	loc_A73219
		mov	bl, [ecx+50h]
		test	bl, bl
		jz	short loc_A731A4
		test	dl, 2
		jnz	short loc_A73219

loc_A731A4:				; CODE XREF: HdlspEnableTerminal(x)+21j
		movzx	eax, byte ptr [ecx+37h]
		push	eax
		movzx	eax, byte ptr [ecx+36h]
		push	eax
		movzx	eax, byte ptr [ecx+35h]
		push	eax
		push	ebx
		lea	eax, [ecx+20h]
		shr	edx, 9
		push	eax
		push	dword ptr [ecx+24h]
		mov	ecx, [ecx+1Ch]
		and	edx, 7
		call	_InbvPortInitialize@32 ; InbvPortInitialize(x,x,x,x,x,x,x,x)
		mov	ecx, _HeadlessGlobals
		movzx	eax, al
		xor	eax, [ecx+18h]
		and	eax, 1
		xor	[ecx+18h], eax
		mov	eax, [ecx+18h]
		test	al, 1
		jnz	short loc_A731E9
		mov	eax, 0C0000001h
		jmp	short loc_A7321B
; 

loc_A731E9:				; CODE XREF: HdlspEnableTerminal(x)+64j
		mov	ecx, offset ??_C@_04BPJILAKD@?$BL?$FL2J@CIFEBFPJ@
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	ecx, offset ??_C@_03BOKPECB@?$BL?$FLH@CIFEBFPJ@
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		jmp	short loc_A73219
; 

loc_A731FF:				; CODE XREF: HdlspEnableTerminal(x)+8j
		test	cl, cl
		jnz	short loc_A73219
		mov	esi, _HeadlessGlobals
		mov	ecx, [esi+20h]
		call	_InbvPortTerminate@4 ; InbvPortTerminate(x)
		and	dword ptr [esi+20h], 0
		and	dword ptr [esi+18h], 0FFFFFFFEh

loc_A73219:				; CODE XREF: HdlspEnableTerminal(x)+16j
					; HdlspEnableTerminal(x)+26j ...
		xor	eax, eax

loc_A7321B:				; CODE XREF: HdlspEnableTerminal(x)+6Bj
		pop	esi
		pop	ebx
		pop	ecx
		retn
_HdlspEnableTerminal@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HdlspGetLine(x, x)
_HdlspGetLine@8	proc near		; CODE XREF: HdlspBugCheckProcessing()+19p
					; HdlspDispatch(x,x,x,x,x)+157p ...

var_8		= dword	ptr -8
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, _HeadlessGlobals
		push	edi
		mov	edi, edx
		mov	[ebp+var_8], ecx
		mov	byte ptr [ebp+var_1], 0
		test	byte ptr [esi+18h], 2
		jnz	short loc_A73250
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		jmp	short loc_A73253
; 

loc_A73250:				; CODE XREF: HdlspGetLine(x,x)+1Ej
		or	bl, 0FFh

loc_A73253:				; CODE XREF: HdlspGetLine(x,x)+2Fj
		mov	eax, _HeadlessGlobals
		mov	ecx, [eax+18h]
		test	cl, 10h
		jz	short loc_A7328E
		cmp	bl, 0FFh
		jz	short loc_A73287
		test	ds:byte_70EFC6,	1
		jz	short loc_A7327A
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A7327F
; 

loc_A7327A:				; CODE XREF: HdlspGetLine(x,x)+4Dj
		xor	ecx, ecx
		lock and [eax],	ecx

loc_A7327F:				; CODE XREF: HdlspGetLine(x,x)+59j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A73287:				; CODE XREF: HdlspGetLine(x,x)+44j
					; HdlspGetLine(x,x)+1D1j
		xor	al, al
		jmp	loc_A734E5
; 

loc_A7328E:				; CODE XREF: HdlspGetLine(x,x)+3Fj
		or	ecx, 10h
		mov	[eax+18h], ecx
		cmp	bl, 0FFh
		jz	short loc_A732BB
		test	ds:byte_70EFC6,	1
		jz	short loc_A732AE
		mov	edx, [ebp+4]
		mov	ecx, eax
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A732B3
; 

loc_A732AE:				; CODE XREF: HdlspGetLine(x,x)+81j
		xor	ecx, ecx
		lock and [eax],	ecx

loc_A732B3:				; CODE XREF: HdlspGetLine(x,x)+8Dj
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_A732BB:				; CODE XREF: HdlspGetLine(x,x)+78j
		mov	eax, _HeadlessGlobals
		xor	ebx, ebx
		test	byte ptr [eax+18h], 20h
		jnz	loc_A73482

loc_A732CC:				; CODE XREF: HdlspGetLine(x,x)+109j
					; HdlspGetLine(x,x)+16Cj ...
		mov	ecx, _HeadlessGlobals
		mov	ecx, [ecx+20h]
		call	_InbvPortPollOnly@4 ; InbvPortPollOnly(x)
		test	al, al
		jz	short loc_A732F8
		mov	ecx, _HeadlessGlobals
		lea	edx, [ebp+var_1]
		mov	ecx, [ecx+20h]
		call	_InbvPortGetByte@8 ; InbvPortGetByte(x,x)
		test	al, al
		jz	short loc_A732F8
		mov	dl, byte ptr [ebp+var_1]
		jmp	short loc_A732FD
; 

loc_A732F8:				; CODE XREF: HdlspGetLine(x,x)+BDj
					; HdlspGetLine(x,x)+D2j
		mov	dl, bl
		mov	byte ptr [ebp+var_1], dl

loc_A732FD:				; CODE XREF: HdlspGetLine(x,x)+D7j
		mov	eax, _HeadlessGlobals
		test	dl, dl
		jz	loc_A733EC
		mov	ecx, [eax+38h]
		mov	eax, [eax+10h]
		mov	[ecx+eax], dl
		mov	edx, _HeadlessGlobals
		mov	al, byte ptr [ebp+var_1]
		cmp	[edx+51h], bl
		jz	short loc_A7332A
		cmp	al, 0Ah
		jnz	short loc_A7332A
		mov	[edx+51h], bl
		jmp	short loc_A732CC
; 

loc_A7332A:				; CODE XREF: HdlspGetLine(x,x)+100j
					; HdlspGetLine(x,x)+104j
		cmp	al, 0Dh
		setz	al
		mov	[edx+51h], al
		mov	al, byte ptr [ebp+var_1]
		cmp	al, 0Ah
		jz	loc_A73400
		cmp	al, 0Dh
		jz	loc_A73400
		cmp	al, 8
		jz	short loc_A733BD
		cmp	al, 7Fh
		jz	short loc_A733BD
		cmp	al, 3
		jz	loc_A733F5
		cmp	al, 9
		jz	loc_A733DD
		cmp	al, 1Bh
		jz	short loc_A733DD
		cmp	dword ptr [edx+38h], 4Eh
		movzx	eax, al
		push	eax
		jnz	short loc_A73390
		push	offset ??_C@_03GLFJLEGD@?$AI?$CFc@CIFEBFPJ@
		push	50h
		push	dword ptr [edx+0Ch]
		call	_sprintf_s
		mov	ecx, _HeadlessGlobals
		add	esp, 10h
		mov	ecx, [ecx+0Ch]
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		jmp	loc_A732CC
; 

loc_A73390:				; CODE XREF: HdlspGetLine(x,x)+14Aj
		push	(offset	??_C@_03GLFJLEGD@?$AI?$CFc@CIFEBFPJ@+4)
		push	50h
		push	dword ptr [edx+0Ch]
		call	_sprintf_s
		mov	ecx, _HeadlessGlobals
		add	esp, 10h
		mov	ecx, [ecx+0Ch]
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	eax, _HeadlessGlobals
		inc	dword ptr [eax+38h]
		jmp	loc_A732CC
; 

loc_A733BD:				; CODE XREF: HdlspGetLine(x,x)+128j
					; HdlspGetLine(x,x)+12Cj
		cmp	[edx+38h], ebx
		jbe	loc_A732CC
		mov	ecx, offset ??_C@_03OLJLMEOE@?$AI?5?$AI@CIFEBFPJ@
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	eax, _HeadlessGlobals
		dec	dword ptr [eax+38h]
		jmp	loc_A732CC
; 

loc_A733DD:				; CODE XREF: HdlspGetLine(x,x)+138j
					; HdlspGetLine(x,x)+140j
		mov	ecx, offset ??_C@_01PBGHHLMH@?$AH@CIFEBFPJ@
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	eax, _HeadlessGlobals

loc_A733EC:				; CODE XREF: HdlspGetLine(x,x)+E5j
		and	dword ptr [eax+18h], 0FFFFFFEFh
		jmp	loc_A73287
; 

loc_A733F5:				; CODE XREF: HdlspGetLine(x,x)+130j
		inc	dword ptr [edx+38h]
		mov	ecx, [edx+38h]
		mov	eax, [edx+10h]
		jmp	short loc_A73415
; 

loc_A73400:				; CODE XREF: HdlspGetLine(x,x)+118j
					; HdlspGetLine(x,x)+120j
		mov	ecx, (offset loc_A72033+1)
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	eax, _HeadlessGlobals
		mov	ecx, [eax+38h]
		mov	eax, [eax+10h]

loc_A73415:				; CODE XREF: HdlspGetLine(x,x)+1DFj
		mov	[ecx+eax], bl
		mov	eax, _HeadlessGlobals
		inc	dword ptr [eax+38h]
		mov	ecx, [eax+38h]
		sub	ecx, 1
		jz	short loc_A7343F
		mov	edx, [eax+10h]

loc_A7342B:				; CODE XREF: HdlspGetLine(x,x)+21Ej
		mov	al, [edx+ecx]
		test	al, al
		jz	short loc_A7343A
		cmp	al, 20h
		jz	short loc_A7343A
		cmp	al, 9
		jnz	short loc_A7343F

loc_A7343A:				; CODE XREF: HdlspGetLine(x,x)+211j
					; HdlspGetLine(x,x)+215j
		sub	ecx, 1
		jnz	short loc_A7342B

loc_A7343F:				; CODE XREF: HdlspGetLine(x,x)+207j
					; HdlspGetLine(x,x)+219j
		mov	eax, _HeadlessGlobals
		mov	eax, [eax+10h]
		cmp	[eax+ecx], bl
		jz	short loc_A73450
		mov	[eax+ecx+1], bl

loc_A73450:				; CODE XREF: HdlspGetLine(x,x)+22Bj
		mov	eax, _HeadlessGlobals
		mov	ecx, ebx
		mov	edx, [eax+10h]
		cmp	[edx], cl
		jz	short loc_A73482

loc_A7345E:				; CODE XREF: HdlspGetLine(x,x)+24Ej
		mov	al, [edx+ecx]
		cmp	al, 9
		jz	short loc_A73469
		cmp	al, 20h
		jnz	short loc_A7346F

loc_A73469:				; CODE XREF: HdlspGetLine(x,x)+244j
		inc	ecx
		cmp	[edx+ecx], bl
		jnz	short loc_A7345E

loc_A7346F:				; CODE XREF: HdlspGetLine(x,x)+248j
		test	ecx, ecx
		jz	short loc_A73482
		lea	eax, [edx+ecx]
		push	eax
		push	50h
		push	edx
		call	_strcpy_s
		add	esp, 0Ch

loc_A73482:				; CODE XREF: HdlspGetLine(x,x)+A7j
					; HdlspGetLine(x,x)+23Dj ...
		mov	esi, _HeadlessGlobals
		mov	eax, [esi+38h]
		cmp	edi, eax
		jb	short loc_A734A9
		push	eax		; size_t
		push	dword ptr [esi+10h] ; void *
		push	[ebp+var_8]	; void *
		call	_memcpy
		lea	ecx, [esi+18h]
		mov	[esi+38h], ebx
		add	esp, 0Ch
		and	dword ptr [ecx], 0FFFFFFDFh
		jmp	short loc_A734DC
; 

loc_A734A9:				; CODE XREF: HdlspGetLine(x,x)+26Ej
		push	edi		; size_t
		push	dword ptr [esi+10h] ; void *
		push	[ebp+var_8]	; void *
		call	_memcpy
		mov	ecx, [esi+10h]
		add	esp, 0Ch
		mov	eax, [esi+38h]
		sub	eax, edi
		push	eax		; size_t
		lea	eax, [ecx+edi]
		push	eax		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, _HeadlessGlobals
		add	esp, 0Ch
		lea	ecx, [eax+18h]
		or	dword ptr [ecx], 20h
		sub	[eax+38h], edi

loc_A734DC:				; CODE XREF: HdlspGetLine(x,x)+288j
		mov	edx, [ecx]
		mov	al, 1
		and	edx, 0FFFFFFEFh
		mov	[ecx], edx

loc_A734E5:				; CODE XREF: HdlspGetLine(x,x)+6Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_HdlspGetLine@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HdlspKernelAddLogEntry(x, x)
_HdlspKernelAddLogEntry@8 proc near	; CODE XREF: HeadlessKernelAddLogEntry+924E4p
					; IoInitSystem+247ABp

var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_B4], edx
		push	edi
		xor	ecx, ecx
		push	50h
		lea	eax, [esi-1]
		pop	ebx
		cmp	eax, 14h	; switch 21 cases
		ja	loc_A735C8	; default
		jmp	ds:off_A73682[eax*4] ; switch jump

loc_A73522:				; DATA XREF: PAGEHDLS:off_A73682o
		mov	edi, offset ??_C@_1BO@HNCBPND@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAL?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5@CIFEBFPJ@ ; case 0x0
		jmp	loc_A735AF
; 

loc_A7352C:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A73686o
		mov	edi, offset ??_C@_1CM@LNJBNIAA@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAL?$AAo?$AAa?$AAd?$AA?5?$AAs?$AAu?$AAc?$AAc@CIFEBFPJ@	; case 0x1
		jmp	short loc_A735AF
; 

loc_A73533:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A7368Ao
		mov	edi, (offset loc_A72259+1) ; case 0x2
		jmp	short loc_A735AF
; 

loc_A7353A:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A7368Eo
		mov	edi, offset ??_C@_1DM@DNAMACPI@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@	; case 0x3
		jmp	short loc_A735AF
; 

loc_A73541:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A73692o
		mov	edi, (offset loc_A725C9+1) ; case 0x4
		jmp	short loc_A735AF
; 

loc_A73548:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A73696o
		mov	edi, (offset loc_A72613+1) ; case 0x5
		jmp	short loc_A735AF
; 

loc_A7354F:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A7369Ao
		mov	edi, offset ??_C@_1HK@MDKAGEAH@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@	; case 0x6
		jmp	short loc_A735AF
; 

loc_A73556:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A7369Eo
		mov	edi, (offset loc_A7254F+1) ; case 0x7
		jmp	short loc_A735AF
; 

loc_A7355D:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A736A2o
		mov	edi, offset ??_C@_1FC@DGPBKEEE@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@	; case 0x8
		jmp	short loc_A735AF
; 

loc_A73564:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A736A6o
		mov	edi, offset ??_C@_1EG@LDLJLBAN@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@	; case 0x9
		jmp	short loc_A735AF
; 

loc_A7356B:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A736AAo
		mov	edi, offset ??_C@_1FG@JJHPAIEG@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@	; case 0xA
		jmp	short loc_A735AF
; 

loc_A73572:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A736AEo
		mov	edi, offset ??_C@_1EM@LAIHKMAN@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@	; case 0xB
		jmp	short loc_A735AF
; 

loc_A73579:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A736B2o
		mov	edi, offset ??_C@_1FE@LMPCMHP@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@ ; case 0xC
		jmp	short loc_A735AF
; 

loc_A73580:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A736B6o
		mov	edi, (offset loc_A728BF+1) ; case 0xD
		jmp	short loc_A735AF
; 

loc_A73587:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A736BAo
		mov	edi, offset ??_C@_1FG@PBPPIIAB@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@	; case 0xE
		jmp	short loc_A735AF
; 

loc_A7358E:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A736BEo
		mov	edi, offset ??_C@_1EC@MNOJDMA@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAt?$AAo@CIFEBFPJ@ ; case 0xF
		jmp	short loc_A735AF
; 

loc_A73595:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A736C6o
		mov	edi, (offset loc_A72711+1) ; case 0x11
		jmp	short loc_A735AF
; 

loc_A7359C:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A736CAo
		mov	edi, offset ??_C@_1GA@PAMHFMK@?$AAK?$AAR?$AAN?$AAL?$AA?3?$AA?5?$AAF?$AAa?$AAi?$AAl?$AAe?$AAd?$AA?5?$AAw?$AAa@CIFEBFPJ@ ; case 0x12
		jmp	short loc_A735AF
; 

loc_A735A3:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A736CEo
		mov	edi, (offset loc_A72665+1) ; case 0x13
		jmp	short loc_A735AF
; 

loc_A735AA:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: PAGEHDLS:00A736D2o
		mov	edi, (offset loc_A726C7+1) ; case 0x14

loc_A735AF:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+3Dj
					; HdlspKernelAddLogEntry(x,x)+47j ...
		push	edi
		lea	eax, [ebp+var_B0]
		push	ebx
		push	eax
		call	_wcscpy_s
		mov	edx, [ebp+var_B4]
		add	esp, 0Ch
		jmp	short loc_A735D3
; 

loc_A735C8:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+2Bj
					; HdlspKernelAddLogEntry(x,x)+31j
					; DATA XREF: ...
		xor	eax, eax	; default
		mov	edi, ecx
		mov	word ptr [ebp+var_B0], ax

loc_A735D3:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+DCj
		cmp	esi, 1
		jnz	short loc_A7363E
		test	edx, edx
		jz	short loc_A7363E
		lea	ecx, [edi+2]
		xor	esi, esi

loc_A735E1:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+100j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, si
		jnz	short loc_A735E1
		movzx	eax, word ptr [edx]
		sub	edi, ecx
		sar	edi, 1
		shr	eax, 1
		sub	ebx, edi
		mov	[ebp+var_B4], eax
		cmp	eax, ebx
		jb	short loc_A73608
		push	4Fh
		pop	ebx
		sub	ebx, edi
		jmp	short loc_A7360A
; 

loc_A73608:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+115j
		mov	ebx, eax

loc_A7360A:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+11Cj
		mov	esi, [edx+4]
		lea	eax, [ebx+ebx]
		push	eax		; size_t
		lea	eax, [ebp+var_B0]
		lea	eax, [eax+edi*2]
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_B4]
		xor	ecx, ecx
		add	esp, 0Ch
		cmp	[esi+eax*2-2], cx
		jz	short loc_A7363E
		lea	eax, [edi+ebx]
		mov	word ptr [ebp+eax*2+var_B0], cx

loc_A7363E:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+ECj
					; HdlspKernelAddLogEntry(x,x)+F0j ...
		lea	ecx, [ebp+var_B0]
		xor	ebx, ebx
		lea	edx, [ecx+2]

loc_A73649:				; CODE XREF: HdlspKernelAddLogEntry(x,x)+168j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_A73649
		sub	ecx, edx
		sar	ecx, 1
		push	ebx
		push	ebx
		lea	eax, ds:2[ecx*2]
		push	eax
		lea	eax, [ebp+var_B0]
		push	eax
		push	11h
		call	_HdlspDispatch@20 ; HdlspDispatch(x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_HdlspKernelAddLogEntry@8 endp

; 
		db 8Dh
		db 49h,	0
off_A73682	dd offset loc_A73522	; DATA XREF: HdlspKernelAddLogEntry(x,x)+31r
					; jump table for switch	statement
		dd offset loc_A7352C	; case 0x1
		dd offset loc_A73533	; case 0x2
		dd offset loc_A7353A	; case 0x3
		dd offset loc_A73541	; case 0x4
		dd offset loc_A73548	; case 0x5
		dd offset loc_A7354F	; case 0x6
		dd offset loc_A73556	; case 0x7
		dd offset loc_A7355D	; case 0x8
		dd offset loc_A73564	; case 0x9
		dd offset loc_A7356B	; case 0xA
		dd offset loc_A73572	; case 0xB
		dd offset loc_A73579	; case 0xC
		dd offset loc_A73580	; case 0xD
		dd offset loc_A73587	; case 0xE
		dd offset loc_A7358E	; case 0xF
		dd offset loc_A735C8	; default
		dd offset loc_A73595	; case 0x11
		dd offset loc_A7359C	; case 0x12
		dd offset loc_A735A3	; case 0x13
		dd offset loc_A735AA	; case 0x14

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HdlspProcessDumpCommand(x)
_HdlspProcessDumpCommand@4 proc	near	; CODE XREF: HdlspBugCheckProcessing()+64p
					; HdlspDispatch(x,x,x,x,x)+3ABp

var_2E		= byte ptr -2Eh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_A		= word ptr -0Ah
var_8		= word ptr -8
var_6		= word ptr -6
var_4		= word ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		mov	esi, _HeadlessGlobals
		xor	eax, eax
		push	edi
		lea	edi, [esp+40h+var_10]
		mov	[esp+13h], cl
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		test	byte ptr [esi+18h], 2
		mov	[esp+40h+var_24], eax
		mov	[esp+40h+var_20], eax
		mov	[esp+40h+var_1C], eax
		mov	[esp+40h+var_2E], al
		jnz	short loc_A73721
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, esi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		jmp	short loc_A73724
; 

loc_A73721:				; CODE XREF: HdlspProcessDumpCommand(x)+38j
		or	bl, 0FFh

loc_A73724:				; CODE XREF: HdlspProcessDumpCommand(x)+49j
		mov	ecx, _HeadlessGlobals
		mov	eax, 0FFFFh
		cmp	[ecx+3Eh], ax
		jnz	short loc_A73763
		cmp	bl, 0FFh
		jz	loc_A7397A
		test	ds:byte_70EFC6,	1
		jz	short loc_A73751
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A73756
; 

loc_A73751:				; CODE XREF: HdlspProcessDumpCommand(x)+6Fj
		xor	eax, eax
		lock and [ecx],	eax

loc_A73756:				; CODE XREF: HdlspProcessDumpCommand(x)+79j
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		jmp	loc_A7397A
; 

loc_A73763:				; CODE XREF: HdlspProcessDumpCommand(x)+5Dj
		and	dword ptr [ecx+18h], 0FFFFFFFBh
		xor	eax, eax
		mov	esi, ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
		mov	word ptr [esp+40h+var_18], ax
		push	50h
		pop	eax
		mov	word ptr [esp+40h+var_18+2], ax
		mov	eax, [ecx+0Ch]
		mov	[esp+40h+var_14], eax
		xor	eax, eax
		movzx	edx, word ptr [ecx+3Eh]
		mov	[esp+40h+var_2C], eax

loc_A7378D:				; CODE XREF: HdlspProcessDumpCommand(x)+24Aj
		imul	edi, edx, 38h
		mov	[esp+40h+var_28], edx
		add	edi, [ecx+8]
		cmp	bl, 0FFh
		jz	short loc_A737B8
		test	ds:byte_70EFC6,	1
		jz	short loc_A737AF
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A737B4
; 

loc_A737AF:				; CODE XREF: HdlspProcessDumpCommand(x)+CDj
		xor	eax, eax
		lock and [ecx],	eax

loc_A737B4:				; CODE XREF: HdlspProcessDumpCommand(x)+D7j
		mov	cl, bl
		call	esi

loc_A737B8:				; CODE XREF: HdlspProcessDumpCommand(x)+C4j
		lea	eax, [esp+40h+var_10]
		push	eax
		lea	eax, [edi+8]
		push	eax
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		movsx	eax, [esp+40h+var_4]
		push	eax
		movsx	eax, [esp+44h+var_6]
		push	eax
		movsx	eax, [esp+48h+var_8]
		push	eax
		movsx	eax, [esp+4Ch+var_A]
		push	eax
		mov	eax, _HeadlessGlobals
		push	(offset	loc_A72234+4)
		push	50h
		push	dword ptr [eax+0Ch]
		call	_sprintf_s
		mov	ecx, _HeadlessGlobals
		add	esp, 1Ch
		mov	ecx, [ecx+0Ch]
		call	_HdlspPutString@4 ; HdlspPutString(x)
		mov	edx, [edi+30h]
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_A7380B:				; CODE XREF: HdlspProcessDumpCommand(x)+140j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+40h+var_24]
		jnz	short loc_A7380B
		sub	ecx, ebx
		sar	ecx, 1
		cmp	ecx, 4Fh
		jb	short loc_A7382D
		xor	eax, eax
		mov	[edx+9Eh], ax
		mov	edx, [edi+30h]

loc_A7382D:				; CODE XREF: HdlspProcessDumpCommand(x)+149j
		push	edx
		lea	eax, [esp+44h+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		push	eax
		lea	eax, [esp+44h+var_20]
		push	eax
		lea	eax, [esp+48h+var_18]
		push	eax
		call	RtlUnicodeStringToAnsiString
		mov	edi, _HeadlessGlobals
		test	byte ptr [edi+18h], 2
		jnz	short loc_A73867
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		jmp	short loc_A7386A
; 

loc_A73867:				; CODE XREF: HdlspProcessDumpCommand(x)+17Ej
		or	bl, 0FFh

loc_A7386A:				; CODE XREF: HdlspProcessDumpCommand(x)+18Fj
		mov	ecx, _HeadlessGlobals
		test	byte ptr [ecx+18h], 4
		jnz	loc_A73948
		mov	ecx, [ecx+0Ch]
		call	_HdlspPutString@4 ; HdlspPutString(x)
		mov	ecx, (offset loc_A72033+1)
		call	_HdlspPutString@4 ; HdlspPutString(x)
		mov	ecx, _HeadlessGlobals
		mov	edx, [esp+40h+var_2C]
		inc	edx
		mov	[esp+40h+var_2C], edx
		movzx	eax, word ptr [ecx+3Ch]
		cmp	[esp+40h+var_28], eax
		jz	loc_A73933
		cmp	byte ptr [esp+13h], 0
		jz	short loc_A73918
		cmp	edx, 14h
		jbe	short loc_A73918
		cmp	bl, 0FFh
		jz	short loc_A738D6
		test	ds:byte_70EFC6,	1
		jz	short loc_A738CD
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A738D2
; 

loc_A738CD:				; CODE XREF: HdlspProcessDumpCommand(x)+1EBj
		xor	eax, eax
		lock and [ecx],	eax

loc_A738D2:				; CODE XREF: HdlspProcessDumpCommand(x)+1F5j
		mov	cl, bl
		call	esi

loc_A738D6:				; CODE XREF: HdlspProcessDumpCommand(x)+1E2j
		lea	ecx, [esp+40h+var_2E]
		call	_HdlspPutMore@4	; HdlspPutMore(x)
		mov	edi, _HeadlessGlobals
		test	byte ptr [edi+18h], 2
		jnz	short loc_A738FC
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
		mov	ecx, edi
		mov	bl, al
		call	_KxAcquireSpinLock@4 ; KxAcquireSpinLock(x)
		jmp	short loc_A738FF
; 

loc_A738FC:				; CODE XREF: HdlspProcessDumpCommand(x)+213j
		or	bl, 0FFh

loc_A738FF:				; CODE XREF: HdlspProcessDumpCommand(x)+224j
		cmp	[esp+40h+var_2E], 0
		jnz	short loc_A7392C
		mov	ecx, _HeadlessGlobals
		test	byte ptr [ecx+18h], 4
		jnz	short loc_A73925
		xor	eax, eax
		mov	[esp+40h+var_2C], eax

loc_A73918:				; CODE XREF: HdlspProcessDumpCommand(x)+1D8j
					; HdlspProcessDumpCommand(x)+1DDj
		mov	eax, [esp+40h+var_28]
		inc	eax
		movzx	edx, al
		jmp	loc_A7378D
; 

loc_A73925:				; CODE XREF: HdlspProcessDumpCommand(x)+23Aj
		mov	ecx, offset ??_C@_0EC@GFFMIAOL@New?5log?5entries?5have?5been?5added@CIFEBFPJ@
		jmp	short loc_A7394D
; 

loc_A7392C:				; CODE XREF: HdlspProcessDumpCommand(x)+22Ej
		mov	ecx, (offset loc_A72033+1)
		jmp	short loc_A7394D
; 

loc_A73933:				; CODE XREF: HdlspProcessDumpCommand(x)+1CDj
		cmp	bl, 0FFh
		jz	short loc_A7397A
		test	ds:byte_70EFC6,	1
		jnz	short loc_A73967
		xor	eax, eax
		lock and [ecx],	eax
		jmp	short loc_A73976
; 

loc_A73948:				; CODE XREF: HdlspProcessDumpCommand(x)+19Ej
		mov	ecx, offset ??_C@_0EA@MJJMGNOC@New?5log?5entries?5have?5been?5added@CIFEBFPJ@ ;	"New log entries have been added during	"...

loc_A7394D:				; CODE XREF: HdlspProcessDumpCommand(x)+254j
					; HdlspProcessDumpCommand(x)+25Bj
		call	_HdlspPutString@4 ; HdlspPutString(x)
		cmp	bl, 0FFh
		jz	short loc_A7397A
		test	ds:byte_70EFC6,	1
		mov	eax, _HeadlessGlobals
		jz	short loc_A73971
		mov	ecx, eax

loc_A73967:				; CODE XREF: HdlspProcessDumpCommand(x)+269j
		mov	edx, [ebp+4]
		call	@KiReleaseSpinLockInstrumented@8 ; KiReleaseSpinLockInstrumented(x,x)
		jmp	short loc_A73976
; 

loc_A73971:				; CODE XREF: HdlspProcessDumpCommand(x)+28Dj
		xor	ecx, ecx
		lock and [eax],	ecx

loc_A73976:				; CODE XREF: HdlspProcessDumpCommand(x)+270j
					; HdlspProcessDumpCommand(x)+299j
		mov	cl, bl
		call	esi

loc_A7397A:				; CODE XREF: HdlspProcessDumpCommand(x)+62j
					; HdlspProcessDumpCommand(x)+88j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_HdlspProcessDumpCommand@4 endp


;  S U B	R O U T	I N E 


; __stdcall HdlspPutData(x, x)
_HdlspPutData@8	proc near		; CODE XREF: HdlspDispatch(x,x,x,x,x)+22Ep
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	esi, esi
		mov	ebx, ecx
		test	edi, edi
		jz	short loc_A739A6

loc_A73990:				; CODE XREF: HdlspPutData(x,x)+23j
		mov	ecx, _HeadlessGlobals
		mov	dl, [esi+ebx]
		mov	ecx, [ecx+20h]
		call	_InbvPortPutByte@8 ; InbvPortPutByte(x,x)
		inc	esi
		cmp	esi, edi
		jb	short loc_A73990

loc_A739A6:				; CODE XREF: HdlspPutData(x,x)+Dj
		pop	edi
		pop	esi
		pop	ebx
		retn
_HdlspPutData@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HdlspPutMore(x)
_HdlspPutMore@4	proc near		; CODE XREF: HdlspProcessDumpCommand(x)+204p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		or	[ebp+var_14], 0FFFFFFFFh
		push	esi
		mov	esi, ecx
		mov	[ebp+var_18], 0FFFE7960h
		mov	ecx, offset ??_C@_0BP@PHPPKGHL@?9?9?9?9Press?5?$DMEnter?$DO?5for?5more?9?9?9?9@CIFEBFPJ@
		call	_HdlspPutString@4 ; HdlspPutString(x)
		jmp	short loc_A739EE
; 

loc_A739D6:				; CODE XREF: HdlspPutMore(x)+51j
		mov	eax, _HeadlessGlobals
		test	byte ptr [eax+18h], 2
		jnz	short loc_A739EE
		lea	eax, [ebp+var_18]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)

loc_A739EE:				; CODE XREF: HdlspPutMore(x)+2Aj
					; HdlspPutMore(x)+35j
		push	0Ah
		pop	edx
		lea	ecx, [ebp+var_10]
		call	_HdlspGetLine@8	; HdlspGetLine(x,x)
		test	al, al
		jz	short loc_A739D6
		cmp	byte ptr [ebp+var_10], 3
		setz	al
		mov	[esi], al

loc_A73A06:				; CODE XREF: HdlspPutMore(x)+69j
		push	0Ah
		pop	edx
		lea	ecx, [ebp+var_10]
		call	_HdlspGetLine@8	; HdlspGetLine(x,x)
		test	al, al
		jnz	short loc_A73A06
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_HdlspPutMore@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HdlspPutString(x)
_HdlspPutString@4 proc near		; CODE XREF: HdlspDispatch(x,x,x,x,x)+1DFp
					; HdlspProcessDumpCommand(x)+128p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, _HeadlessGlobals
		xor	edx, edx
		push	esi
		push	edi
		mov	edi, ecx
		add	ebx, 0Ch
		mov	esi, [ebx]
		cmp	[edi], dl
		jz	short loc_A73A8C

loc_A73A3E:				; CODE XREF: HdlspPutString(x)+68j
		mov	eax, [ebx]
		add	eax, 4Fh
		cmp	esi, eax
		jb	short loc_A73A5D
		mov	[eax], dl
		mov	ecx, [ebx]
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	ebx, _HeadlessGlobals
		add	ebx, 0Ch
		mov	esi, [ebx]
		jmp	short loc_A73A84
; 

loc_A73A5D:				; CODE XREF: HdlspPutString(x)+23j
		mov	cl, [edi]
		test	cl, cl
		jns	short loc_A73A80
		movzx	eax, cl
		add	eax, 0FFFFFF57h
		cmp	eax, 36h
		ja	short loc_A73AB3
		movzx	eax, ds:byte_A73B06[eax]
		jmp	ds:off_A73AEA[eax*4]

loc_A73A7E:				; DATA XREF: PAGEHDLS:00A73AEEo
		mov	cl, 7Ch

loc_A73A80:				; CODE XREF: HdlspPutString(x)+3Fj
					; HdlspPutString(x)+81j ...
		mov	[esi], cl
		inc	esi

loc_A73A83:				; CODE XREF: HdlspPutString(x)+C5j
		inc	edi

loc_A73A84:				; CODE XREF: HdlspPutString(x)+39j
		cmp	byte ptr [edi],	0
		push	0
		pop	edx
		jnz	short loc_A73A3E

loc_A73A8C:				; CODE XREF: HdlspPutString(x)+1Aj
		mov	ecx, _HeadlessGlobals
		mov	[esi], dl
		mov	ecx, [ecx+0Ch]
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A73AA1:				; CODE XREF: HdlspPutString(x)+55j
					; DATA XREF: PAGEHDLS:00A73AF2o
		mov	cl, 25h
		jmp	short loc_A73A80
; 

loc_A73AA5:				; CODE XREF: HdlspPutString(x)+55j
					; DATA XREF: PAGEHDLS:00A73AF6o
		mov	cl, 23h
		jmp	short loc_A73A80
; 

loc_A73AA9:				; CODE XREF: HdlspPutString(x)+55j
					; DATA XREF: PAGEHDLS:off_A73AEAo
		mov	cl, 2Bh
		jmp	short loc_A73A80
; 

loc_A73AAD:				; CODE XREF: HdlspPutString(x)+55j
					; DATA XREF: PAGEHDLS:00A73AFAo
		mov	cl, 2Dh
		jmp	short loc_A73A80
; 

loc_A73AB1:				; CODE XREF: HdlspPutString(x)+55j
					; DATA XREF: PAGEHDLS:00A73AFEo
		mov	cl, 3Dh

loc_A73AB3:				; CODE XREF: HdlspPutString(x)+4Cj
					; HdlspPutString(x)+55j
					; DATA XREF: ...
		test	cl, cl
		jns	short loc_A73A80
		movzx	eax, cl
		and	eax, 7Fh
		mov	word ptr [ebp+var_4], dx
		mov	byte ptr [ebp+var_4+2],	dl
		lea	edx, [ebp+var_4]
		mov	cx, ds:_HdlpsPcAnsiToUnicode[eax*2]
		call	_HdlspUTF8Encode@8 ; HdlspUTF8Encode(x,x)
		xor	eax, eax

loc_A73AD6:				; CODE XREF: HdlspPutString(x)+C3j
		mov	cl, byte ptr [ebp+eax+var_4]
		test	cl, cl
		jz	short loc_A73AE1
		mov	[esi], cl
		inc	esi

loc_A73AE1:				; CODE XREF: HdlspPutString(x)+BAj
		inc	eax
		cmp	eax, 3
		jb	short loc_A73AD6
		jmp	short loc_A73A83
_HdlspPutString@4 endp

; 
		align 2
off_A73AEA	dd offset loc_A73AA9	; DATA XREF: HdlspPutString(x)+55r
		dd offset loc_A73A7E
		dd offset loc_A73AA1
		dd offset loc_A73AA5
		dd offset loc_A73AAD
		dd offset loc_A73AB1
		dd offset loc_A73AB3
byte_A73B06	db 0			; DATA XREF: HdlspPutString(x)+4Er
		align 4
		dd 6060606h, 3020106h, 6060601h, 1060606h, 2 dup(6060000h)
		dd 6060406h, 6000006h, 6050606h, 2 dup(6060606h), 606h
		dd 2020203h
		db 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HdlspPutWideString(x)
_HdlspPutWideString@4 proc near		; CODE XREF: HdlspDispatch(x,x,x,x,x)+201p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, _HeadlessGlobals
		xor	edx, edx
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax+0Ch]
		mov	edi, ecx
		mov	word ptr [ebp+var_4], dx
		mov	esi, ebx
		mov	byte ptr [ebp+var_4+2],	dl
		lea	eax, [ebx+4Fh]
		cmp	[edi], dx
		jz	short loc_A73BB7

loc_A73B63:				; CODE XREF: HdlspPutWideString(x)+73j
		cmp	esi, eax
		jb	short loc_A73B7C
		mov	ecx, ebx
		mov	[eax], dl
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	eax, _HeadlessGlobals
		xor	edx, edx
		mov	esi, [eax+0Ch]
		jmp	short loc_A73BA8
; 

loc_A73B7C:				; CODE XREF: HdlspPutWideString(x)+28j
		mov	cx, [edi]
		lea	edx, [ebp+var_4]
		call	_HdlspUTF8Encode@8 ; HdlspUTF8Encode(x,x)
		xor	edx, edx
		mov	eax, edx

loc_A73B8B:				; CODE XREF: HdlspPutWideString(x)+66j
		mov	cl, byte ptr [ebp+eax+var_4]
		test	cl, cl
		jz	short loc_A73B9F
		mov	[esi], cl
		inc	esi
		cmp	eax, 3
		jnb	short loc_A73BB2
		mov	byte ptr [ebp+eax+var_4], dl

loc_A73B9F:				; CODE XREF: HdlspPutWideString(x)+54j
		inc	eax
		cmp	eax, 3
		jb	short loc_A73B8B
		add	edi, 2

loc_A73BA8:				; CODE XREF: HdlspPutWideString(x)+3Dj
		cmp	[edi], dx
		jz	short loc_A73BB7
		lea	eax, [ebx+4Fh]
		jmp	short loc_A73B63
; 

loc_A73BB2:				; CODE XREF: HdlspPutWideString(x)+5Cj
		call	___report_rangecheckfailure

loc_A73BB7:				; CODE XREF: HdlspPutWideString(x)+24j
					; HdlspPutWideString(x)+6Ej
		mov	ecx, ebx
		mov	[esi], dl
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_HdlspPutWideString@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HdlspSendBlueScreenInfo(x)
_HdlspSendBlueScreenInfo@4 proc	near	; CODE XREF: HdlspDispatch(x,x,x,x,x)+4A1p

var_A4		= dword	ptr -0A4h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		mov	esi, ecx
		mov	ecx, offset ??_C@_0P@FDDIJDOF@?$AH?$AH?$AH?$DM?$DPxml?$DO?$AH?$DMBP?$DO@CIFEBFPJ@
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	ecx, offset ??_C@_0CE@LODDICKA@?$AN?6?$DMINSTANCE?5CLASSNAME?$DN?$CCBLUESCRE@CIFEBFPJ@ ; "\r\n<INSTANCE	CLASSNAME=\"BLUESCREEN\">"
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		push	esi
		push	offset ??_C@_0EM@KIELOMMK@?$AN?6?$DMPROPERTY?5NAME?$DN?$CCSTOPCODE?$CC?5TYP@CIFEBFPJ@ ;	"\r\n<PROPERTY NAME=\"STOPCODE\" TYPE=\"strin"...
		lea	eax, [ebp+var_A4]
		push	0A0h
		push	eax
		call	_sprintf_s
		add	esp, 10h
		lea	ecx, [ebp+var_A4]
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	eax, _HeadlessGlobals
		mov	esi, [eax+14h]
		jmp	short loc_A73C2B
; 

loc_A73C20:				; CODE XREF: HdlspSendBlueScreenInfo(x)+68j
		mov	ecx, [esi+4]
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	esi, [esi+8]

loc_A73C2B:				; CODE XREF: HdlspSendBlueScreenInfo(x)+59j
		test	esi, esi
		jnz	short loc_A73C20
		mov	ecx, offset ??_C@_0BG@OPJMIJNF@?$AN?6?$DM?1INSTANCE?$DO?$AN?6?$DM?1BP?$DO?$AH@CIFEBFPJ@	; "\r\n</INSTANCE>\r\n</BP>\a"
		call	_HdlspSendStringAtBaud@4 ; HdlspSendStringAtBaud(x)
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_HdlspSendBlueScreenInfo@4 endp


;  S U B	R O U T	I N E 


; __stdcall HdlspSendStringAtBaud(x)
_HdlspSendStringAtBaud@4 proc near	; CODE XREF: HdlspBugCheckProcessing()+AAp
					; HdlspBugCheckProcessing()+B4p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		jmp	short loc_A73C5E
; 

loc_A73C4D:				; CODE XREF: HdlspSendStringAtBaud(x)+1Cj
		mov	ecx, _HeadlessGlobals
		mov	dl, al
		mov	ecx, [ecx+20h]
		call	_InbvPortPutByte@8 ; InbvPortPutByte(x,x)
		inc	esi

loc_A73C5E:				; CODE XREF: HdlspSendStringAtBaud(x)+5j
		mov	al, [esi]
		test	al, al
		jnz	short loc_A73C4D
		pop	esi
		retn
_HdlspSendStringAtBaud@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HdlspSetBlueScreenInformation(x, x)
_HdlspSetBlueScreenInformation@8 proc near ; CODE XREF:	HdlspDispatch(x,x,x,x,x)+47Cp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		mov	esi, edx
		mov	[ebp+var_C], ecx
		mov	edx, _HeadlessGlobals
		mov	[ebp+var_18], edx
		test	byte ptr [edx+18h], 2
		jz	short loc_A73C8D
		mov	eax, 0C0000001h
		jmp	loc_A73EAA
; 

loc_A73C8D:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+1Bj
		push	edi
		test	ecx, ecx
		jz	loc_A73EA4
		mov	edi, [ecx]
		cmp	edi, 2
		jb	loc_A73EA4
		lea	eax, [esi-8]
		cmp	edi, eax
		jnb	loc_A73EA4
		cmp	byte ptr [edi+ecx+3], 0
		jnz	loc_A73EA4
		cmp	byte ptr [ecx+esi-4], 0
		jnz	loc_A73EA4
		mov	eax, [edx+14h]
		mov	esi, eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], ebx
		test	eax, eax
		jz	short loc_A73D33
		lea	edx, [ecx+4]

loc_A73CD7:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+C8j
		mov	eax, [esi]
		mov	[ebp+var_8], edx

loc_A73CDC:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+B1j
		mov	cl, [eax]
		mov	[ebp+var_1], cl
		mov	ecx, [ebp+var_8]
		mov	bl, [ebp+var_1]
		cmp	bl, [ecx]
		mov	ebx, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		jnz	short loc_A73D1D
		cmp	[ebp+var_1], bl
		jz	short loc_A73D19
		mov	cl, [eax+1]
		mov	[ebp+var_1], cl
		mov	ecx, [ebp+var_8]
		mov	bl, [ebp+var_1]
		cmp	bl, [ecx+1]
		mov	ebx, [ebp+var_10]
		mov	ecx, [ebp+var_C]
		jnz	short loc_A73D1D
		add	[ebp+var_8], 2
		add	eax, 2
		cmp	[ebp+var_1], bl
		jnz	short loc_A73CDC

loc_A73D19:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+8Ej
		xor	eax, eax
		jmp	short loc_A73D22
; 

loc_A73D1D:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+89j
					; HdlspSetBlueScreenInformation(x,x)+A5j
		sbb	eax, eax
		or	eax, 1

loc_A73D22:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+B5j
		test	eax, eax
		jz	short loc_A73D30
		mov	[ebp+var_14], esi
		mov	esi, [esi+8]
		test	esi, esi
		jnz	short loc_A73CD7

loc_A73D30:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+BEj
		mov	edx, [ebp+var_18]

loc_A73D33:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+6Cj
		lea	eax, [edi+4]
		add	eax, ecx
		mov	edi, eax
		mov	[ebp+var_10], eax
		lea	ecx, [edi+1]

loc_A73D40:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+DFj
		mov	al, [edi]
		inc	edi
		test	al, al
		jnz	short loc_A73D40
		sub	edi, ecx
		test	esi, esi
		jz	loc_A73DDB
		test	edi, edi
		jz	short loc_A73DA7
		lea	eax, [edi+1]
		push	736C6448h
		push	eax
		push	200h
		mov	[ebp+var_18], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_A73D9D
		push	[ebp+var_10]
		push	[ebp+var_18]
		push	edi
		call	_strcpy_s
		mov	eax, _HeadlessGlobals
		add	esp, 0Ch
		mov	ecx, [esi+4]
		mov	[esi+4], edi
		test	byte ptr [eax+18h], 2
		jnz	loc_A73E9F
		push	0
		push	ecx
		jmp	loc_A73E93
; 

loc_A73D9D:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+109j
		mov	ebx, 0C0000017h
		jmp	loc_A73E9F
; 

loc_A73DA7:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+EDj
		mov	ecx, [ebp+var_14]
		mov	eax, [esi+8]
		mov	[ecx+8], eax
		cmp	[edx+14h], esi
		jnz	short loc_A73DB8
		mov	[edx+14h], eax

loc_A73DB8:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+14Dj
		test	byte ptr [edx+18h], 2
		jnz	loc_A73E9F
		xor	edi, edi
		push	edi
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		push	dword ptr [esi]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		jmp	loc_A73E92
; 

loc_A73DDB:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+E5j
		test	edi, edi
		jz	loc_A73E9A
		push	736C6448h
		push	0Ch
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_A73E9F
		push	736C6448h
		inc	edi
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+4], eax
		test	eax, eax
		jz	short loc_A73E8B
		push	[ebp+var_10]
		push	edi
		push	eax
		call	_strcpy_s
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		add	eax, 4
		mov	ecx, eax
		mov	[ebp+var_18], eax
		lea	edx, [ecx+1]

loc_A73E31:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+1D0j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_A73E31
		sub	ecx, edx
		jz	short loc_A73E84
		push	736C6448h
		lea	edi, [ecx+1]
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi], eax
		test	eax, eax
		jz	short loc_A73E73
		push	[ebp+var_18]
		push	edi
		push	eax
		call	_strcpy_s
		mov	ecx, _HeadlessGlobals
		add	esp, 0Ch
		mov	eax, [ecx+14h]
		mov	[esi+8], eax
		mov	[ecx+14h], esi
		jmp	short loc_A73E9F
; 

loc_A73E73:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+1EDj
		mov	ebx, 0C0000017h

loc_A73E78:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+223j
		push	0
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A73E90
; 

loc_A73E84:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+1D4j
		mov	ebx, 0C000000Dh
		jmp	short loc_A73E78
; 

loc_A73E8B:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+1AEj
		mov	ebx, 0C0000017h

loc_A73E90:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+21Cj
		push	0

loc_A73E92:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+170j
		push	esi

loc_A73E93:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+132j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_A73E9F
; 

loc_A73E9A:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+177j
		mov	ebx, 0C000000Dh

loc_A73E9F:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+129j
					; HdlspSetBlueScreenInformation(x,x)+13Cj ...
		mov	eax, ebx
		pop	ebx
		jmp	short loc_A73EA9
; 

loc_A73EA4:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+2Aj
					; HdlspSetBlueScreenInformation(x,x)+35j ...
		mov	eax, 0C000000Dh

loc_A73EA9:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+23Cj
		pop	edi

loc_A73EAA:				; CODE XREF: HdlspSetBlueScreenInformation(x,x)+22j
		pop	esi
		leave
		retn
_HdlspSetBlueScreenInformation@8 endp

; 
		align 200h
PAGEHDLS	ends

; Section 15. (virtual address 00674000)
; Virtual size			: 00005B21 (  23329.)
; Section size in file		: 00005C00 (  23552.)
; Offset to raw	data for section: 0060F200
; Flags	60000020: Text Executable Readable
; Alignment	: default
; 

; Segment type:	Pure code
; Segment permissions: Read/Execute
PAGEBGFX	segment	para public 'CODE' use32
		assume cs:PAGEBGFX
		;org 0A74000h
		assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgSetFrameBufferAccess(x, x, x)
_BgSetFrameBufferAccess@12 proc	near	; CODE XREF: BgkNotifyDisplayOwnershipChange+B4p
					; BgkSetVirtualFrameBuffer+11Bp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	dword_6B6CE4, ecx
		mov	dword_6B6CEC, edx
		mov	dword_6B6CF0, eax
		pop	ebp
		retn	4
_BgSetFrameBufferAccess@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall BgGetDisplayContext()
_BgGetDisplayContext@0 proc near	; CODE XREF: BgkSetVirtualFrameBuffer+2Ep
					; Phase1InitializationDiscard(x)+AA1p
		mov	eax, offset _BgInternal
		retn
_BgGetDisplayContext@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgFreeContext(x)
_BgFreeContext@4 proc near		; CODE XREF: BgkResumeFinished():loc_7204A7p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, dword_6D4AB4
		call	_BgpFwGetCurrentIrql@0 ; BgpFwGetCurrentIrql()
		cmp	al, 2
		ja	short loc_A74058
		test	esi, esi
		jz	short loc_A74058
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	byte ptr dword_6B6BB8, 1
		jz	short loc_A74053
		mov	ecx, esi
		call	ResFwFreeContext

loc_A74053:				; CODE XREF: BgFreeContext(x)+26j
		call	BgpFwReleaseLock

loc_A74058:				; CODE XREF: BgFreeContext(x)+14j
					; BgFreeContext(x)+18j
		pop	esi
		leave
		retn
_BgFreeContext@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


ResFwFreeContext proc near		; CODE XREF: BgFreeContext(x)+2Ap
		test	dword_6B6BB8, 100000h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		jz	near ptr loc_A77B51+1
		call	_TxtpClearCache@4 ; TxtpClearCache(x)
		cmp	_RasterizerInitialized,	0
		jz	short loc_A74084
		call	_RaspClearCache@4 ; RaspClearCache(x)

loc_A74084:				; CODE XREF: ResFwFreeContext+21j
		xor	ebx, ebx
		cmp	byte_6CEA90, bl
		jnz	loc_A77B6D

loc_A74092:				; CODE XREF: TxtpAddCacheEntry+16E7j
		call	AnFwFadeCompletion
		call	LogFwReport
		cmp	[esi+8], ebx
		jz	short loc_A740BE
		push	ebx
		xor	ecx, ecx
		xor	edx, edx
		push	ebx
		inc	ecx
		call	_BgpFwReservePoolSwap@16 ; BgpFwReservePoolSwap(x,x,x,x)
		push	dword ptr [esi+4]
		call	_MmFreePagesFromMdl@4 ;	MmFreePagesFromMdl(x)
		push	ebx
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A740BE:				; CODE XREF: ResFwFreeContext+43j
		mov	eax, _BgpAnimationRegionSave
		mov	edi, offset _BgInternal
		and	dword_6B6BB8, 0FFEFF7FDh
		mov	dword_6B6C54, eax
		mov	eax, _BgpTextRegionSave
		mov	dword_6B6C58, eax
		xor	eax, eax
		push	7
		pop	ecx
		rep stosd
		pop	edi
		pop	esi
		pop	ebx
		jmp	ResFwpPageOutBackground
ResFwFreeContext endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpFwReservePoolSwap(x, x, x, x)
_BgpFwReservePoolSwap@16 proc near	; CODE XREF: ResFwFreeContext+4Cp
					; BgpFwLibraryInitialize+B6p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		sub	ecx, 0
		jz	short loc_A74139
		sub	ecx, 1
		jnz	short loc_A74134
		mov	eax, dword_6D4C08
		mov	dword_6D4BF8, eax
		mov	eax, dword_6D4C1C
		mov	dword_6D4C0C, eax
		mov	eax, dword_6D4C20
		mov	dword_6D4C10, eax
		mov	eax, dword_6D4C00
		mov	dword_6D4C14, eax
		mov	eax, dword_6D4BFC
		mov	dword_6D4C04, eax

loc_A74134:				; CODE XREF: BgpFwReservePoolSwap(x,x,x,x)+10j
					; BgpFwReservePoolSwap(x,x,x,x)+88j
		pop	esi
		pop	ebp
		retn	8
; 

loc_A74139:				; CODE XREF: BgpFwReservePoolSwap(x,x,x,x)+Bj
		mov	eax, dword_6D4C04
		mov	ecx, esi
		push	[ebp+arg_4]
		mov	edx, [ebp+arg_0]
		mov	dword_6D4BFC, eax
		mov	eax, dword_6D4BF8
		mov	dword_6D4C08, eax
		mov	eax, dword_6D4C0C
		mov	dword_6D4C1C, eax
		mov	eax, dword_6D4C10
		mov	dword_6D4C20, eax
		mov	eax, dword_6D4C14
		mov	dword_6D4C00, eax
		call	_BgpFwInitializeReservePool@12 ; BgpFwInitializeReservePool(x,x,x)
		jmp	short loc_A74134
_BgpFwReservePoolSwap@16 endp


;  S U B	R O U T	I N E 


; __stdcall BgMarkHiberPhase()
_BgMarkHiberPhase@0 proc near		; CODE XREF: BgkResumePrepare:loc_720CB1p
		mov	edi, edi
		push	esi
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	byte ptr dword_6B6BB8, 1
		jz	short loc_A7419B
		call	_BgpFwMarkHiberPhase@0 ; BgpFwMarkHiberPhase()
		mov	esi, eax

loc_A74192:				; CODE XREF: BgMarkHiberPhase()+26j
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		retn
; 

loc_A7419B:				; CODE XREF: BgMarkHiberPhase()+Fj
		mov	esi, 0C0000001h
		jmp	short loc_A74192
_BgMarkHiberPhase@0 endp


;  S U B	R O U T	I N E 


; __stdcall BgpFwMarkHiberPhase()
_BgpFwMarkHiberPhase@0 proc near	; CODE XREF: BgMarkHiberPhase()+11p
		mov	edi, edi
		push	esi
		mov	esi, dword_6B6C5C
		push	edi
		mov	edi, offset dword_6B6C5C
		jmp	short loc_A741CD
; 

loc_A741B3:				; CODE XREF: BgpFwMarkHiberPhase()+2Dj
		push	4B424742h
		push	dword ptr [esi+0Ch]
		lea	eax, [esi-0Ch]
		push	eax
		push	10000h
		push	0
		call	PoSetHiberRange
		mov	esi, [esi]

loc_A741CD:				; CODE XREF: BgpFwMarkHiberPhase()+Fj
		cmp	esi, edi
		jnz	short loc_A741B3
		pop	edi
		xor	eax, eax
		pop	esi
		retn
_BgpFwMarkHiberPhase@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgGetContext()
_BgGetContext@0	proc near		; CODE XREF: BgkResumePrepare+12p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		call	_BgpFwGetCurrentIrql@0 ; BgpFwGetCurrentIrql()
		cmp	al, 2
		ja	short loc_A7420E
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], esi
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	byte ptr dword_6B6BB8, 1
		jz	short loc_A74204
		lea	ecx, [ebp+var_4]
		call	ResFwGetContext
		mov	esi, [ebp+var_4]

loc_A74204:				; CODE XREF: BgGetContext()+21j
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_A7420E:				; CODE XREF: BgGetContext()+Dj
		xor	eax, eax
		leave
		retn
_BgGetContext@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ResFwGetContext	proc near		; CODE XREF: BgGetContext()+26p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	edi
		mov	edi, ecx
		test	edi, edi
		jz	loc_A77B82
		push	esi
		xor	esi, esi
		test	byte ptr dword_6B6BB8, 1
		mov	[edi], esi
		jz	loc_A77B8C
		mov	ecx, dword_6B6BD8
		mov	eax, dword_6B6BD4
		cmp	ecx, eax
		jnb	short loc_A74248
		mov	ecx, eax

loc_A74248:				; CODE XREF: ResFwGetContext+32j
		mov	eax, dword_6B6BE0
		mov	edx, 0FFFFF000h
		add	ecx, dword_6B6BE4
		add	eax, 4FFFh
		add	ecx, eax
		and	ecx, edx
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_8], ecx
		shr	eax, 3
		push	5
		add	eax, 0FFFh
		push	1
		and	eax, edx
		mov	[ebp+var_4], eax
		add	eax, ecx
		push	eax
		push	esi
		push	esi
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	esi
		push	esi
		mov	[ebp+var_C], eax
		call	_MmAllocatePagesForMdlEx@36 ; MmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A742A9
		test	byte ptr [ebx+6], 5
		jnz	short loc_A742FE
		push	40000020h
		push	esi
		push	esi
		push	1
		push	esi
		push	ebx
		call	MmMapLockedPagesSpecifyCache
		mov	esi, eax

loc_A742A9:				; CODE XREF: ResFwGetContext+7Dj
					; ResFwGetContext+EFj
		mov	eax, [ebp+var_4]
		mov	ecx, esi
		mov	edx, dword_6B6BE8
		add	eax, esi
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		mov	[edx+8], esi
		mov	eax, esi
		mov	[edx+4], ebx
		neg	eax
		pop	ebx
		sbb	eax, eax
		and	eax, [ebp+var_8]
		neg	esi
		sbb	esi, esi
		and	esi, [ebp+var_C]
		mov	[edx+0Ch], esi
		mov	[edx+0B4h], eax
		mov	[edx+0B0h], ecx
		mov	eax, dword_6B6C54
		mov	_BgpAnimationRegionSave, eax
		mov	eax, dword_6B6C58
		mov	_BgpTextRegionSave, eax
		xor	eax, eax
		mov	[edi], edx

loc_A742FA:				; CODE XREF: TxtpAddCacheEntry+16FBj
		pop	esi

loc_A742FB:				; CODE XREF: TxtpAddCacheEntry+16F1j
		pop	edi
		leave
		retn
; 

loc_A742FE:				; CODE XREF: ResFwGetContext+83j
		mov	esi, [ebx+0Ch]
		jmp	short loc_A742A9
ResFwGetContext	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AnFwpProgressAnimationManual proc near	; CODE XREF: AnFwDisplayProgressIndicator:loc_A763A3p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		xor	esi, esi
		lea	ecx, [ebp+var_20]
		push	edi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		call	_BgpFwQueryPerformanceCounter@4	; BgpFwQueryPerformanceCounter(x)
		push	esi
		push	21h
		push	[ebp+var_1C]
		mov	ebx, eax
		mov	[ebp+var_4], edx
		push	[ebp+var_20]
		mov	[ebp+var_14], ebx
		call	__alldiv
		push	esi
		mov	ecx, edx
		mov	[ebp+var_C], eax
		push	0Ah
		push	ecx
		push	eax
		mov	[ebp+var_8], ecx
		call	__allmul
		push	esi
		push	64h
		push	edx
		push	eax
		call	__alldiv
		mov	edi, dword_6D4B40
		mov	esi, edi
		add	esi, [ebp+var_C]
		mov	[ebp+var_10], edx
		mov	edx, dword_6D4B44
		mov	ecx, edx
		adc	ecx, [ebp+var_8]
		add	ebx, eax
		mov	[ebp+var_18], eax
		mov	eax, [ebp+var_4]
		adc	eax, [ebp+var_10]
		cmp	eax, ecx
		jl	short loc_A7437F
		jg	short loc_A74384
		cmp	ebx, esi
		jnb	short loc_A74384

loc_A7437F:				; CODE XREF: AnFwpProgressAnimationManual+73j
					; AnFwpProgressAnimationManual+14Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A74384:				; CODE XREF: AnFwpProgressAnimationManual+75j
					; AnFwpProgressAnimationManual+79j
		mov	si, word_6B3EAC
		mov	eax, 0E0CBh
		mov	ebx, [ebp+var_14]
		cmp	si, ax
		jz	loc_A74468
		push	[ebp+var_8]
		sub	edi, ebx
		push	[ebp+var_C]
		sbb	edx, [ebp+var_4]
		sub	edi, [ebp+var_18]
		sbb	edx, [ebp+var_10]
		push	edx
		push	edi
		call	__alldiv
		xor	edi, edi
		cmp	edx, edi
		jl	short loc_A743C9
		jg	loc_A77B96
		cmp	eax, 2
		jnb	loc_A77B96

loc_A743C9:				; CODE XREF: AnFwpProgressAnimationManual+B4j
					; AnFwpProgressAnimationManual+166j ...
		mov	eax, 1FAEh
		add	ax, si
		cmp	ax, 79h
		ja	short loc_A7440C
		xor	edx, edx
		xor	ecx, ecx
		push	edi
		inc	edx
		inc	ecx
		call	LogFwStat
		mov	dx, word_6B3EAC
		push	edi
		push	ecx
		mov	ecx, dword_6B6C54
		push	edi
		push	edi
		push	edi
		call	BgpTxtDisplayCharacter
		xor	edx, edx
		xor	ecx, ecx
		push	edi
		inc	edx
		call	LogFwStat
		mov	si, word_6B3EAC

loc_A7440C:				; CODE XREF: AnFwpProgressAnimationManual+D1j
		mov	eax, 0E0CBh
		cmp	si, ax
		jz	short loc_A7446F
		inc	si
		movzx	eax, si

loc_A7441B:				; CODE XREF: AnFwpProgressAnimationManual+170j
		push	edi
		push	2
		push	[ebp+var_8]
		mov	word_6B3EAC, ax
		mov	eax, [ebp+var_4]
		push	[ebp+var_C]
		mov	dword_6D4B40, ebx
		mov	dword_6D4B44, eax
		call	__alldiv
		xor	ecx, ecx
		mov	esi, eax
		mov	edi, edx
		call	_BgpFwQueryPerformanceCounter@4	; BgpFwQueryPerformanceCounter(x)
		sub	eax, ebx
		sbb	edx, [ebp+var_4]
		cmp	edx, edi
		jl	loc_A7437F
		jg	loc_A77BA4
		cmp	eax, esi
		jbe	loc_A7437F
		jmp	loc_A77BA4
; 

loc_A74468:				; CODE XREF: AnFwpProgressAnimationManual+92j
		xor	edi, edi
		jmp	loc_A743C9
; 

loc_A7446F:				; CODE XREF: AnFwpProgressAnimationManual+110j
		mov	eax, 0E04Ah
		jmp	short loc_A7441B
AnFwpProgressAnimationManual endp


;  S U B	R O U T	I N E 


; __stdcall AnFwProgressIndicatorTransition()
_AnFwProgressIndicatorTransition@0 proc	near ; CODE XREF: BgpFwLibraryInitialize+16Bp
		cmp	byte_6D4B3C, 0
		jz	short locret_A744B0
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, offset unk_6FC468
		push	ebx
		push	edi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	ebx
		push	offset AnFwpProgressIndicatorTimer
		mov	esi, offset unk_6FC428
		push	esi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	esi
		push	ebx
		push	1Eh
		push	ebx
		push	ebx
		push	edi
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx

locret_A744B0:				; CODE XREF: AnFwProgressIndicatorTransition()+7j
		retn
_AnFwProgressIndicatorTransition@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall LogFwInitialize()
_LogFwInitialize@0 proc	near		; CODE XREF: BgpFwLibraryInitialize:loc_A75047p
		xor	ecx, ecx
		or	dword_6B6BB8, 80h
		or	dword_6B3F18, 0FFFFFFFFh
		mov	eax, 7FFFFFFFh
		or	dword_6B3F28, 0FFFFFFFFh
		push	48h		; size_t
		push	ecx		; int
		push	offset dword_6D4C28 ; void *
		mov	dword_6B3F20, 1
		mov	dword_6B3F24, ecx
		mov	dword_6D4B68, ecx
		mov	dword_6D4B6C, ecx
		mov	dword_6D4BA8, ecx
		mov	dword_6D4BAC, ecx
		mov	dword_6D4BC8, ecx
		mov	dword_6D4BCC, ecx
		mov	dword_6B3F1C, eax
		mov	dword_6D4BC0, ecx
		mov	dword_6D4B78, ecx
		mov	dword_6D4B7C, ecx
		mov	dword_6D4BB8, ecx
		mov	dword_6D4BBC, ecx
		mov	dword_6D4B58, ecx
		mov	dword_6D4B5C, ecx
		mov	dword_6D4B80, ecx
		mov	dword_6D4B84, ecx
		mov	dword_6D4B50, ecx
		mov	dword_6D4B54, ecx
		mov	dword_6B3F2C, eax
		mov	dword_6D4B88, ecx
		mov	dword_6D4B8C, ecx
		mov	dword_6D4B90, ecx
		mov	dword_6D4B94, ecx
		mov	dword_6D4BE8, ecx
		mov	dword_6D4BEC, ecx
		mov	dword_6D4BE0, ecx
		mov	dword_6D4BE4, ecx
		mov	dword_6D4BD8, ecx
		mov	dword_6D4BDC, ecx
		mov	dword_6D4B98, ecx
		mov	dword_6D4B9C, ecx
		mov	dword_6D4B70, ecx
		mov	dword_6D4B64, ecx
		mov	dword_6D4BD0, ecx
		mov	dword_6D4BF0, ecx
		mov	dword_6D4BB0, ecx
		mov	dword_6D4B60, ecx
		call	_memset
		add	esp, 0Ch
		retn
_LogFwInitialize@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgkpLockBgfxCodeSection	proc near	; CODE XREF: BgkNotifyDisplayOwnershipChange+126p
					; BgkResumePrepare+Dp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset dword_6FC680
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, dword_6D4AB0
		test	eax, eax
		jnz	short loc_A74611
		push	offset BgkpLockBgfxCodeSection
		call	MmLockPagableDataSection
		mov	dword_6D4AA8, eax
		mov	eax, dword_6D4AB0

loc_A74611:				; CODE XREF: BgkpLockBgfxCodeSection+2Dj
		inc	eax
		mov	dword_6D4AB0, eax
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_A77BBF

loc_A74626:				; CODE XREF: TxtpAddCacheEntry+172Bj
					; TxtpAddCacheEntry+1738j
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
BgkpLockBgfxCodeSection	endp


;  S U B	R O U T	I N E 


BgkpUnlockBgfxCodeSection proc near	; CODE XREF: BgkNotifyDisplayOwnershipChange+B9p
					; BgkResumeFinished()+Cp ...
		mov	eax, large fs:124h
		push	esi
		dec	word ptr [eax+13Ch]
		nop
		mov	esi, offset dword_6FC680
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		sub	dword_6D4AB0, 1
		jnz	short loc_A74676
		push	dword_6D4AA8
		call	_MmUnlockPagableImageSection@4 ; MmUnlockPagableImageSection(x)
		and	dword_6D4AA8, 0

loc_A74676:				; CODE XREF: BgkpUnlockBgfxCodeSection+24j
		or	eax, 0FFFFFFFFh
		lock xadd [esi], eax
		test	al, 2
		jnz	loc_A77BD3

loc_A74685:				; CODE XREF: TxtpAddCacheEntry+173Fj
					; TxtpAddCacheEntry+174Cj
		mov	ecx, esi
		call	KeAbPostRelease
		mov	ecx, large fs:124h
		pop	esi
		jmp	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
BgkpUnlockBgfxCodeSection endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpFwInitializeReservePool(x, x, x)
_BgpFwInitializeReservePool@12 proc near ; CODE	XREF: BgpFwReservePoolSwap(x,x,x,x)+83p
					; BgpFwLibraryInitialize+143p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		and	dword_6D4C04, 0
		mov	dword_6D4BF8, ecx
		mov	dword_6D4C14, edx
		mov	dword_6D4C0C, edx
		mov	dword_6D4C10, eax
		test	eax, eax
		jz	short loc_A746CE
		push	offset dword_6D4C0C
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)

loc_A746CE:				; CODE XREF: BgpFwInitializeReservePool(x,x,x)+28j
		pop	ebp
		retn	4
_BgpFwInitializeReservePool@12 endp


;  S U B	R O U T	I N E 


ResFwpPageOutBackground	proc near	; CODE XREF: ResFwFreeContext+8Fj
					; ResFwBackgroundTransition+Aj	...
		mov	eax, dword_6B6BB8
		mov	ecx, 0C00h
		and	eax, ecx
		cmp	eax, ecx
		jz	locret_A74777
		push	edi
		mov	edi, dword_6B6BFC
		test	edi, edi
		jz	loc_A77BFB
		cmp	dword_6B6C00, 0
		jnz	short loc_A74763
		push	ebx
		push	esi
		call	BgpFwReleaseLock
		mov	ebx, 4B494742h
		push	ebx
		push	dword_6B6C04
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_A74733
		push	dword_6B6C04	; size_t
		push	dword_6B6BFC	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_A74733:				; CODE XREF: ResFwpPageOutBackground+4Aj
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	esi, esi
		jz	short loc_A74770
		cmp	dword_6B6C00, 0
		jnz	loc_A77BE7
		mov	eax, offset dword_6B6C00
		xchg	esi, [eax]
		xor	eax, eax
		mov	ecx, offset dword_6B6BFC
		xchg	eax, [ecx]
		pop	esi
		mov	ecx, edi
		pop	ebx

loc_A7475D:				; CODE XREF: ResFwpPageOutBackground+9Cj
		pop	edi
		jmp	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
; 

loc_A74763:				; CODE XREF: ResFwpPageOutBackground+2Aj
		xor	eax, eax
		mov	ecx, offset dword_6B6BFC
		xchg	eax, [ecx]
		mov	ecx, edi
		jmp	short loc_A7475D
; 

loc_A74770:				; CODE XREF: ResFwpPageOutBackground+68j
		pop	esi
		pop	ebx
		jmp	loc_A77BFB
; 

locret_A74777:				; CODE XREF: ResFwpPageOutBackground+Ej
					; TxtpAddCacheEntry+1766j
		retn
ResFwpPageOutBackground	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LogFwReport	proc near		; CODE XREF: ResFwFreeContext+3Bp
					; TxtpAddCacheEntry:loc_A77296p

var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, dword_6B6BB8
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		test	al, al
		jns	loc_A7487A
		and	eax, 0FFFFFF7Fh
		mov	ecx, offset dword_6B3F20
		mov	dword_6B6BB8, eax
		call	_BgpFwQueryPerformanceCounter@4	; BgpFwQueryPerformanceCounter(x)
		lea	eax, [ebp+var_10]
		push	eax
		call	_BgpGetResolution@0 ; BgpGetResolution()
		mov	esi, eax
		mov	edi, offset dword_6D4B98
		movsd
		movsd
		movsd
		call	_BgpGetBitsPerPixel@0 ;	BgpGetBitsPerPixel()
		xor	ebx, ebx
		mov	dword_6D4B70, eax
		mov	eax, dword_6B6BB8
		push	ebx
		push	0F4240h
		push	dword_6D4B5C
		mov	dword_6D4BD0, eax
		push	dword_6D4B58
		call	__allmul
		mov	edi, dword_6B3F24
		mov	esi, dword_6B3F20
		push	edi
		push	esi
		push	edx
		push	eax
		call	__alldiv
		push	ebx
		push	0F4240h
		push	dword_6D4BE4
		mov	dword_6D4BF0, eax
		push	dword_6D4BE0
		call	__allmul
		push	edi
		push	esi
		push	edx
		push	eax
		call	__alldiv
		push	ebx
		push	0F4240h
		push	dword_6D4BDC
		mov	dword_6D4BB0, eax
		push	dword_6D4BD8
		call	__allmul
		push	edi
		push	esi
		push	edx
		push	eax
		call	__alldiv
		push	1
		push	offset dword_6FC4C8
		mov	dword_6D4B60, eax
		mov	dword_6FC4D0, offset _LogFwpRegisterWorker@4 ; LogFwpRegisterWorker(x)
		mov	dword_6FC4D4, ebx
		mov	dword_6FC4C8, ebx
		call	ExQueueWorkItem
		test	dword_6B6BB8, 10000h
		jnz	loc_A77C01

loc_A7487A:				; CODE XREF: LogFwReport+12j
					; TxtpAddCacheEntry+1A7Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
LogFwReport	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall BgDisplayFade()
_BgDisplayFade@0 proc near		; CODE XREF: BgkNotifyDisplayOwnershipChange:loc_559151p
					; BgkDisplayStringEx(x)+60p ...
		mov	edi, edi
		push	esi
		call	_BgpFwGetCurrentIrql@0 ; BgpFwGetCurrentIrql()
		cmp	al, 2
		ja	short loc_A748AA
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	byte ptr dword_6B6BB8, 1
		jz	short loc_A748B1
		call	AnFwDisplayFade
		mov	esi, eax

loc_A748A1:				; CODE XREF: BgDisplayFade()+36j
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		retn
; 

loc_A748AA:				; CODE XREF: BgDisplayFade()+Aj
		mov	eax, 0C0000001h
		pop	esi
		retn
; 

loc_A748B1:				; CODE XREF: BgDisplayFade()+18j
		mov	esi, 0C0000001h
		jmp	short loc_A748A1
_BgDisplayFade@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ResFwConfigureDisplayStringResources proc near ; CODE XREF: BgpFwLibraryInitialize+C1p
					; BgpFwLibraryInitialize+533p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	[ebp+var_4], edi
		mov	[ebp+var_10], edi
		test	esi, esi
		jz	short loc_A7492D
		test	byte ptr [esi+18h], 1
		jz	short loc_A7492D
		lea	edx, [ebp+var_10]
		xor	ecx, ecx	; wchar_t *
		call	BgpFoGetFontHandle
		test	eax, eax
		js	short loc_A7492D
		cmp	byte_6B6CF4, 0
		jnz	loc_A77F17
		or	[ebp+var_14], 0FFFFFFFFh
		mov	[ebp+var_18], edi

loc_A748F8:				; CODE XREF: TxtpAddCacheEntry+1A91j
		mov	eax, [esi+14h]
		lea	edx, [esi+8]
		push	ecx
		mov	[ebp+var_C], eax
		mov	ecx, esi
		push	edi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], edi
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	BgpTxtCreateRegion
		test	eax, eax
		js	short loc_A7492D
		mov	ecx, [ebp+var_4]
		call	_BgpTxtRegionSize@4 ; BgpTxtRegionSize(x)
		mov	dword_6B6BE4, eax
		mov	eax, [ebp+var_4]

loc_A74929:				; CODE XREF: ResFwConfigureDisplayStringResources+77j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_A7492D:				; CODE XREF: ResFwConfigureDisplayStringResources+16j
					; ResFwConfigureDisplayStringResources+1Cj ...
		xor	eax, eax
		jmp	short loc_A74929
ResFwConfigureDisplayStringResources endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AnFwConfigureProgressResources(x)
_AnFwConfigureProgressResources@4 proc near ; CODE XREF: BgpFwLibraryInitialize+D1p
					; BgpFwLibraryInitialize+543p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		xor	edi, edi
		xor	eax, eax
		inc	edi
		mov	[ebp+var_4], eax
		push	edi
		push	eax
		push	offset unk_6FC4B8
		mov	esi, ecx
		mov	[ebp+var_10], eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		test	esi, esi
		jz	loc_A749DF
		test	byte ptr [esi+18h], 1
		jz	short loc_A749DF
		lea	edx, [ebp+var_10]
		xor	ecx, ecx	; wchar_t *
		call	BgpFoGetFontHandle
		test	eax, eax
		js	short loc_A749DF
		mov	eax, dword_6B6CF8
		lea	edx, [esi+8]
		mov	[ebp+var_18], eax
		mov	eax, dword_6B6CFC
		mov	[ebp+var_14], eax
		mov	eax, [esi+14h]
		push	ecx
		mov	[ebp+var_C], eax
		mov	ecx, esi
		push	0Ah
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], edi
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		call	BgpTxtCreateRegion
		test	eax, eax
		js	short loc_A749DF
		call	_BgpGetBitsPerPixel@0 ;	BgpGetBitsPerPixel()
		mov	ecx, [esi+0Ch]
		mov	edx, [esi+8]
		push	eax
		call	_BgpGxRectangleSize@12 ; BgpGxRectangleSize(x,x,x)
		add	eax, 0Fh
		and	eax, 0FFFFFFF0h
		add	eax, 50h
		imul	ecx, eax, 7Ah
		mov	dword_6B6BDC, eax
		mov	dword_6B6BD8, ecx
		mov	ecx, [ebp+var_4]
		call	_BgpTxtRegionSize@4 ; BgpTxtRegionSize(x)
		mov	dword_6B6BE0, eax
		mov	eax, [ebp+var_4]

loc_A749DB:				; CODE XREF: AnFwConfigureProgressResources(x)+AFj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_A749DF:				; CODE XREF: AnFwConfigureProgressResources(x)+25j
					; AnFwConfigureProgressResources(x)+2Fj ...
		xor	eax, eax
		jmp	short loc_A749DB
_AnFwConfigureProgressResources@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpGxReservePoolRectangleSize(x, x,	x)
_BgpGxReservePoolRectangleSize@12 proc near ; CODE XREF: BgpTxtRegionSize(x)+22p
					; BgpTxtRegionSize(x)+38p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	[ebp+arg_0]
		call	_BgpGxRectangleSize@12 ; BgpGxRectangleSize(x,x,x)
		add	eax, 0Fh
		and	eax, 0FFFFFFF0h
		add	eax, 10h
		pop	ebp
		retn	4
_BgpGxReservePoolRectangleSize@12 endp


;  S U B	R O U T	I N E 


; __stdcall BgConsoleGetInterface(x)
_BgConsoleGetInterface@4 proc near	; CODE XREF: BgkNotifyDisplayOwnershipChange:loc_55923Ap
					; BgkInitialize+51p ...
		mov	edi, edi
		push	esi
		xor	esi, esi
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	byte ptr dword_6B6BB8, 1
		jz	short loc_A74A1E
		cmp	dword_6B6C48, esi
		jz	short loc_A74A1E
		mov	esi, offset _BgpConsoleInterface

loc_A74A1E:				; CODE XREF: BgConsoleGetInterface(x)+11j
					; BgConsoleGetInterface(x)+19j
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		retn
_BgConsoleGetInterface@4 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall AnFwpDisableProgressTimer()
_AnFwpDisableProgressTimer@0 proc near	; CODE XREF: AnFwDisplayFade+DCp
					; TxtpAddCacheEntry:loc_A78480p ...
		cmp	byte_6D4B3C, 0
		jz	short locret_A74A78
		mov	eax, dword_6B6BB8
		xor	cl, cl
		test	eax, 100000h
		jz	short loc_A74A46
		test	eax, 1000h
		jnz	short loc_A74A79

loc_A74A46:				; CODE XREF: AnFwpDisableProgressTimer()+15j
					; AnFwpDisableProgressTimer()+53j
		mov	edx, 0C00h
		mov	byte_6D4B3C, 0
		and	eax, edx
		cmp	eax, edx
		jz	short loc_A74A66
		test	cl, cl
		jnz	short loc_A74A66
		push	offset unk_6FC468
		call	_KeCancelTimer@4 ; KeCancelTimer(x)

loc_A74A66:				; CODE XREF: AnFwpDisableProgressTimer()+2Ej
					; AnFwpDisableProgressTimer()+32j
		call	_TxtpClearCache@4 ; TxtpClearCache(x)
		cmp	_RasterizerInitialized,	0
		jnz	_RaspClearCache@4 ; RaspClearCache(x)

locret_A74A78:				; CODE XREF: AnFwpDisableProgressTimer()+7j
		retn
; 

loc_A74A79:				; CODE XREF: AnFwpDisableProgressTimer()+1Cj
		mov	cl, 1
		jmp	short loc_A74A46
_AnFwpDisableProgressTimer@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall RaspClearCache(x)
_RaspClearCache@4 proc near		; CODE XREF: ResFwFreeContext+23p
					; AnFwpDisableProgressTimer()+4Aj ...
		mov	edi, edi
		push	esi
		mov	esi, offset _RaspBitmapCache
		jmp	short loc_A74A8F
; 

loc_A74A88:				; CODE XREF: RaspClearCache(x)+2Dj
		mov	ecx, eax
		call	_RaspDestroyCachedBitmap@4 ; RaspDestroyCachedBitmap(x)

loc_A74A8F:				; CODE XREF: RaspClearCache(x)+8j
		mov	eax, _RaspBitmapCache
		mov	ecx, [eax]
		cmp	[eax+4], esi
		jnz	short loc_A74AB6
		cmp	[ecx+4], eax
		jnz	short loc_A74AB6
		mov	_RaspBitmapCache, ecx
		mov	[ecx+4], esi
		cmp	eax, esi
		jnz	short loc_A74A88
		and	dword_6B6AE0, 0
		pop	esi
		retn
; 

loc_A74AB6:				; CODE XREF: RaspClearCache(x)+1Bj
					; RaspClearCache(x)+20j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_RaspClearCache@4 endp


;  S U B	R O U T	I N E 


ResFwBackgroundTransition proc near	; CODE XREF: BgpFwLibraryEnable+4Dp
					; TxtpAddCacheEntry+CEEp
		sub	ecx, 0
		jz	short loc_A74ACB
		sub	ecx, 1
		jnz	short loc_A74AD0
		jmp	ResFwpPageOutBackground
; 

loc_A74ACB:				; CODE XREF: ResFwBackgroundTransition+3j
		jmp	_ResFwpPageInBackground@0 ; ResFwpPageInBackground()
; 

loc_A74AD0:				; CODE XREF: ResFwBackgroundTransition+8j
		sub	ecx, 1
		jnz	short locret_A74AE9
		mov	eax, dword_6B6BB8
		mov	ecx, 0C00h
		and	eax, ecx
		cmp	eax, ecx
		jnz	loc_A77F2C

locret_A74AE9:				; CODE XREF: ResFwBackgroundTransition+17j
		retn
; 

; __stdcall ResFwpPageInBackground()
_ResFwpPageInBackground@0:		; CODE XREF: ResFwBackgroundTransition:loc_A74ACBj
		mov	ecx, dword_6B6BB8
		mov	edx, 0C00h
		mov	eax, ecx
		and	eax, edx
		cmp	eax, edx
		jz	short locret_A74B50
		test	ecx, 100000h
		jnz	short locret_A74B50
		cmp	dword_6B6C00, 0
		jz	short locret_A74B50
		mov	ecx, dword_6B6C04
		push	esi
		call	BgpFwAllocateMemory
		mov	esi, eax
		test	esi, esi
		jz	short loc_A74B4F
		call	BgpFwReleaseLock
		push	dword_6B6C04	; size_t
		push	dword_6B6C00	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		cmp	dword_6B6BFC, 0
		jnz	short loc_A74B51
		mov	eax, offset dword_6B6BFC
		xchg	esi, [eax]

loc_A74B4F:				; CODE XREF: ResFwBackgroundTransition+62j
		pop	esi

locret_A74B50:				; CODE XREF: ResFwBackgroundTransition+3Fj
					; ResFwBackgroundTransition+47j ...
		retn
; 

loc_A74B51:				; CODE XREF: ResFwBackgroundTransition+8Aj
		mov	ecx, esi
		pop	esi
		jmp	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
ResFwBackgroundTransition endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgpGxParseBitmap proc near		; CODE XREF: KeRegisterBugCheckCallback+C2p
					; AnFwDisplayFade+124p	...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	ebx, edx
		xor	edx, edx
		cmp	dword ptr [ecx+2], 2Ch
		push	edi
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		jb	short loc_A74BD3
		mov	eax, 4D42h
		push	esi
		lea	esi, [ecx+0Eh]
		cmp	[ecx], ax
		jnz	short loc_A74BE1
		cmp	[esi+10h], edx
		jnz	short loc_A74BE1
		movzx	edx, word ptr [esi+0Eh]
		cmp	edx, 18h
		jnz	loc_A77F76

loc_A74B94:				; CODE XREF: TxtpAddCacheEntry+1AE9j
		cmp	dword ptr [esi], 28h
		jnz	short loc_A74BDA
		mov	eax, [esi+4]
		lea	ecx, [ebp+var_10]
		mov	[ebp+var_10], eax
		mov	eax, [esi+8]
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_BgpGxRectangleCreate@12 ; BgpGxRectangleCreate(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A77F84
		mov	edx, esi
		mov	esi, [ebp+var_4]
		push	ecx
		mov	ecx, esi
		call	_BgpGxCopyBitmapToRectangle@12 ; BgpGxCopyBitmapToRectangle(x,x,x)
		mov	[ebx], esi

loc_A74BCA:				; CODE XREF: BgpGxParseBitmap+85j
					; BgpGxParseBitmap+8Cj	...
		pop	esi

loc_A74BCB:				; CODE XREF: BgpGxParseBitmap+7Ej
		mov	eax, edi
		pop	edi
		pop	ebx
		leave
		retn	4
; 

loc_A74BD3:				; CODE XREF: BgpGxParseBitmap+18j
		mov	edi, 0C000000Dh
		jmp	short loc_A74BCB
; 

loc_A74BDA:				; CODE XREF: BgpGxParseBitmap+3Dj
					; TxtpAddCacheEntry+1AE3j
		mov	edi, 0C00000BBh
		jmp	short loc_A74BCA
; 

loc_A74BE1:				; CODE XREF: BgpGxParseBitmap+26j
					; BgpGxParseBitmap+2Bj
		mov	edi, 0C000000Dh
		jmp	short loc_A74BCA
BgpGxParseBitmap endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpGxCopyBitmapToRectangle(x, x, x)
_BgpGxCopyBitmapToRectangle@12 proc near ; CODE	XREF: BgpGxParseBitmap+69p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax+8]
		mov	esi, [eax]
		shr	edi, 3
		imul	edi, [eax+4]
		mov	[ebp+var_C], eax
		lea	ebx, [esi-1]
		push	4
		imul	ebx, edi
		mov	ecx, edi
		and	ecx, 3
		add	ebx, [eax+14h]
		pop	eax
		sub	eax, ecx
		neg	ecx
		sbb	ecx, ecx
		and	[ebp+var_8], 0
		and	ecx, eax
		lea	eax, [edx+28h]
		test	esi, esi
		mov	[ebp+var_4], eax
		mov	esi, [ebp+var_C]
		jz	short loc_A74C54
		add	ecx, edi
		mov	[ebp+var_10], ecx

loc_A74C33:				; CODE XREF: BgpGxCopyBitmapToRectangle(x,x,x)+6Aj
		push	edi		; size_t
		push	eax		; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		add	eax, [ebp+var_10]
		sub	ebx, edi
		mov	ecx, [ebp+var_8]
		inc	ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], ecx
		cmp	ecx, [esi]
		jb	short loc_A74C33

loc_A74C54:				; CODE XREF: BgpGxCopyBitmapToRectangle(x,x,x)+44j
		mov	ecx, esi
		call	_BgpGxMarkClean@4 ; BgpGxMarkClean(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_BgpGxCopyBitmapToRectangle@12 endp


;  S U B	R O U T	I N E 


; __stdcall BgLibraryInitialize(x, x)
_BgLibraryInitialize@8 proc near	; CODE XREF: BgkResumeInitialize()+17p
					; PopInvokeSystemStateHandler+50Ep ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		push	edi
		mov	edi, ecx
		cmp	esi, 0FFFFFFFFh
		jz	short loc_A74C78
		call	_BgpFwGetCurrentIrql@0 ; BgpFwGetCurrentIrql()
		cmp	al, 2
		ja	short loc_A74C83

loc_A74C78:				; CODE XREF: BgLibraryInitialize(x,x)+Bj
		mov	edx, esi
		mov	ecx, edi
		pop	edi
		pop	esi
		jmp	BgpFwLibraryInitialize
; 

loc_A74C83:				; CODE XREF: BgLibraryInitialize(x,x)+14j
		pop	edi
		mov	eax, 0C0000001h
		pop	esi
		retn
_BgLibraryInitialize@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgpGxReadRectangle proc	near		; CODE XREF: AnFwDisplayFade+242p
					; AnFwDisplayFade+290p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		mov	esi, edx
		and	dword ptr [ebx], 0
		call	_BgpGetBitsPerPixel@0 ;	BgpGetBitsPerPixel()
		lea	ecx, [ebp+var_4]
		mov	edx, eax
		push	ecx
		mov	ecx, [ebp+arg_0]
		call	_BgpGxRectangleCreate@12 ; BgpGxRectangleCreate(x,x,x)
		test	eax, eax
		js	short loc_A74CD2
		mov	edx, esi
		mov	esi, [ebp+var_4]
		push	edi
		mov	ecx, esi
		call	GxpReadFrameBufferPixels
		mov	edi, eax
		test	edi, edi
		js	loc_A77FA3
		mov	[ebx], esi

loc_A74CCF:				; CODE XREF: TxtpAddCacheEntry+1B0Fj
					; TxtpAddCacheEntry+1B19j ...
		mov	eax, edi
		pop	edi

loc_A74CD2:				; CODE XREF: BgpGxReadRectangle+28j
		pop	esi
		pop	ebx
		leave
		retn	4
BgpGxReadRectangle endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall BgpFoGetFontHandle(wchar_t *)
BgpFoGetFontHandle proc	near		; CODE XREF: ResFwConfigureDisplayStringResources+23p
					; AnFwConfigureProgressResources(x)+36p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, 0C0000225h
		test	eax, eax
		jz	loc_A77FC1
		cmp	_FontLibraryInitialized, 0
		jz	loc_A77FC1
		and	dword ptr [eax], 0
		push	edi
		mov	edi, _FopFontFileListHead
		cmp	edi, offset _FopFontFileListHead
		jz	short loc_A74D34
		push	esi

loc_A74D15:				; CODE XREF: BgpFoGetFontHandle+6Ej
		lea	eax, [edi+18h]
		mov	esi, [eax]

loc_A74D1A:				; CODE XREF: BgpFoGetFontHandle+64j
		cmp	esi, eax
		jz	short loc_A74D2F
		test	ecx, ecx
		jnz	short loc_A74D4A
		test	byte ptr [edi+10h], 1
		jz	short loc_A74D3A

loc_A74D28:				; CODE XREF: BgpFoGetFontHandle+82j
		mov	eax, [ebp+var_8]
		xor	ebx, ebx
		mov	[eax], esi

loc_A74D2F:				; CODE XREF: BgpFoGetFontHandle+44j
		test	ebx, ebx
		js	short loc_A74D3E

loc_A74D33:				; CODE XREF: BgpFoGetFontHandle+70j
		pop	esi

loc_A74D34:				; CODE XREF: BgpFoGetFontHandle+3Aj
		mov	eax, ebx
		pop	edi

loc_A74D37:				; CODE XREF: TxtpAddCacheEntry+1B30j
		pop	ebx
		leave
		retn
; 

loc_A74D3A:				; CODE XREF: BgpFoGetFontHandle+4Ej
					; BgpFoGetFontHandle+87j
		mov	esi, [esi]
		jmp	short loc_A74D1A
; 

loc_A74D3E:				; CODE XREF: BgpFoGetFontHandle+59j
		mov	edi, [edi]
		cmp	edi, offset _FopFontFileListHead
		jnz	short loc_A74D15
		jmp	short loc_A74D33
; 

loc_A74D4A:				; CODE XREF: BgpFoGetFontHandle+48j
		push	ecx		; wchar_t *
		push	dword ptr [esi+10h] ; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		mov	ecx, [ebp+var_4]
		test	eax, eax
		jz	short loc_A74D28
		lea	eax, [edi+18h]
		jmp	short loc_A74D3A
BgpFoGetFontHandle endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpTxtGetRegionContext(x)
_BgpTxtGetRegionContext@4 proc near	; CODE XREF: AnFwDisplayFade+88p
					; AnFwDisplayFade+99p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		test	ebx, ebx
		jz	short loc_A74DDA
		test	byte ptr [ebx+30h], 1
		jz	short loc_A74DDA
		lea	edx, [ebp+var_4]
		xor	ecx, ecx	; wchar_t *
		call	BgpFoGetFontHandle
		test	eax, eax
		js	short loc_A74DDA
		mov	eax, [ebx+24h]
		cmp	eax, [ebp+var_4]
		jnz	short loc_A74D9C
		mov	[ebp+var_8], 1

loc_A74D9C:				; CODE XREF: BgpTxtGetRegionContext(x)+31j
		push	1Ch
		pop	ecx
		call	BgpFwAllocateMemory
		mov	edx, eax
		test	edx, edx
		jz	short loc_A74DD4
		push	edi
		push	7
		xor	eax, eax
		lea	esi, [ebx+8]
		pop	ecx
		mov	edi, edx
		rep stosd
		mov	ecx, [ebx]
		lea	edi, [edx+8]
		mov	[edx], ecx
		mov	eax, [ebx+4]
		mov	[edx+4], eax
		movsd
		movsd
		movsd
		mov	eax, [ebx+28h]
		mov	[edx+14h], eax
		mov	eax, [ebp+var_8]
		mov	[edx+18h], eax
		pop	edi

loc_A74DD4:				; CODE XREF: BgpTxtGetRegionContext(x)+46j
		mov	eax, edx

loc_A74DD6:				; CODE XREF: BgpTxtGetRegionContext(x)+7Aj
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_A74DDA:				; CODE XREF: BgpTxtGetRegionContext(x)+15j
					; BgpTxtGetRegionContext(x)+1Bj ...
		xor	eax, eax
		jmp	short loc_A74DD6
_BgpTxtGetRegionContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

GxpReadFrameBufferPixels proc near	; CODE XREF: BgpGxReadRectangle+32p

var_64		= dword	ptr -64h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_18], edx
		lea	edi, [ebp+var_44]
		mov	ebx, ecx
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		call	_BgpGetBitsPerPixel@0 ;	BgpGetBitsPerPixel()
		mov	edx, eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_64]
		shr	edx, 3
		push	eax
		mov	[ebp+var_1C], edx
		call	_BgpGetResolution@0 ; BgpGetResolution()
		lea	edi, [ebp+var_38]
		mov	esi, eax
		movsd
		movsd
		movsd
		test	ebx, ebx
		jz	loc_A7809F
		mov	esi, [ebx+4]
		test	esi, esi
		jz	loc_A7809F
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	loc_A7809F
		mov	eax, [ebp+var_C]
		cmp	[ebx+8], eax
		jnz	loc_A7809F
		mov	edi, [ebp+var_18]
		test	edi, edi
		jz	loc_A7809F
		mov	eax, [edi]
		add	eax, esi
		cmp	eax, [ebp+var_38]
		ja	loc_A7809F
		mov	eax, [edi+4]
		add	eax, ecx
		cmp	eax, [ebp+var_34]
		ja	loc_A7809F
		mov	eax, dword_6B6BB8
		test	al, 8
		jnz	loc_A77FCD
		imul	ecx, esi
		imul	ecx, edx
		cmp	[ebx+0Ch], ecx
		jb	loc_A77FD7
		test	al, 2
		jz	loc_A77FE1
		push	0
		lea	eax, [ebp+var_2C]
		mov	edx, edi
		push	eax
		lea	eax, [ebp+var_44]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_38]
		push	eax
		call	GxpAdjustRectangleToFrameBuffer
		test	eax, eax
		js	loc_A74F5C
		and	[ebp+var_20], 0
		cmp	byte ptr _BgInternal, 0
		jz	loc_A77FEB
		cmp	byte_6B6B62, 0
		mov	eax, dword_6B6B78
		mov	ecx, [ebx+14h]
		mov	edx, [ebx]
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_10], edx
		jnz	loc_A78020
		mov	esi, [edi+4]
		imul	esi, [ebp+var_30]
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebx+4]
		imul	ecx, eax
		add	esi, [edi]
		imul	esi, eax
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+var_8]
		add	esi, [ebp+var_14]
		test	edx, edx
		jz	short loc_A74F43
		mov	edx, [ebp+var_30]
		mov	edi, eax
		imul	edx, eax
		mov	[ebp+var_14], edx

loc_A74F1C:				; CODE XREF: GxpReadFrameBufferPixels+160j
		push	[ebp+var_C]	; size_t
		push	esi		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [ebx+4]
		add	esp, 0Ch
		mov	ecx, [ebp+var_8]
		add	esi, [ebp+var_14]
		imul	eax, edi
		add	ecx, eax
		sub	[ebp+var_10], 1
		mov	[ebp+var_8], ecx
		jnz	short loc_A74F1C
		mov	edi, [ebp+var_18]

loc_A74F43:				; CODE XREF: GxpReadFrameBufferPixels+131j
					; TxtpAddCacheEntry+1B85j ...
		mov	eax, [ebp+var_40]
		mov	[ebx], eax
		mov	eax, [ebp+var_44]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_2C]
		mov	[edi], eax
		mov	eax, [ebp+var_28]
		mov	[edi+4], eax
		mov	eax, [ebp+var_20]

loc_A74F5C:				; CODE XREF: GxpReadFrameBufferPixels+DAj
					; TxtpAddCacheEntry+1B3Cj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
GxpReadFrameBufferPixels endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgpFwLibraryInitialize proc near	; CODE XREF: BgLibraryInitialize(x,x)+1Cj

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	edi, edx
		mov	[esp+38h+var_8], edi
		test	ebx, ebx
		jz	loc_A78220
		push	4
		pop	esi
		cmp	[ebx+50h], esi
		jb	loc_A780A9
		mov	ecx, [ebx+54h]
		mov	edx, 100000h
		mov	eax, dword_6B6BB8
		and	ecx, 16FF0000h
		mov	[esp+38h+var_4], ecx
		test	al, 1
		jz	short loc_A74FBD
		test	al, 4
		jnz	short loc_A74FBD
		test	ecx, edx
		jz	loc_A78220

loc_A74FBD:				; CODE XREF: BgpFwLibraryInitialize+43j
					; BgpFwLibraryInitialize+47j
		test	ecx, edx
		jz	loc_A75067
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		xor	esi, esi
		cmp	edi, 0FFFFFFFFh
		jnz	loc_A750CD
		and	dword_6B6BB8, 0FFFFFFFDh
		xor	eax, eax
		push	7
		pop	ecx
		mov	edi, offset _BgInternal
		rep stosd
		or	dword_6B6BB8, 101800h
		lea	ecx, [ebx+10h]
		call	BgpFwLibraryEnable
		test	eax, eax
		js	short loc_A75060
		and	dword_6B6BB8, 0FFFFDFFFh
		mov	eax, [ebx+8]
		test	eax, eax
		jz	loc_A780B3
		mov	edx, [ebx+0B0h]
		xor	ecx, ecx
		push	eax
		push	dword ptr [ebx+0B4h]
		call	_BgpFwReservePoolSwap@16 ; BgpFwReservePoolSwap(x,x,x,x)
		mov	ecx, [ebx+0B8h]
		call	ResFwConfigureDisplayStringResources
		mov	dword_6B6C58, eax
		mov	ecx, [ebx+0BCh]
		call	_AnFwConfigureProgressResources@4 ; AnFwConfigureProgressResources(x)
		mov	dword_6B6C54, eax

loc_A75047:				; CODE XREF: TxtpAddCacheEntry+1C29j
		call	_LogFwInitialize@0 ; LogFwInitialize()

loc_A7504C:				; CODE XREF: BgpFwLibraryInitialize+170j
		call	BgpFwReleaseLock

loc_A75051:				; CODE XREF: BgpFwLibraryInitialize+581j
					; TxtpAddCacheEntry+1CB3j
		or	dword_6B6BB8, 1
		mov	edi, esi

loc_A7505A:				; CODE XREF: TxtpAddCacheEntry+1CD6j
		test	edi, edi
		js	short loc_A750C6

loc_A7505E:				; CODE XREF: BgpFwLibraryInitialize+15Fj
		mov	eax, edi

loc_A75060:				; CODE XREF: BgpFwLibraryInitialize+90j
					; TxtpAddCacheEntry+1C18j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A75067:				; CODE XREF: BgpFwLibraryInitialize+53j
		cmp	edi, 0FFFFFFFFh
		jnz	short loc_A750E1
		call	_BgpFwInitializeLock@0 ; BgpFwInitializeLock()
		or	eax, 0C04h
		mov	dword_6B6BB8, eax
		mov	eax, offset dword_6B6C5C
		mov	dword_6B6C60, eax
		mov	dword_6B6C5C, eax
		mov	ecx, [ebx+0B0h]
		test	ecx, ecx
		jz	loc_A7815D
		cmp	dword ptr [ebx+0B4h], 0
		jz	loc_A7815D
		push	offset unk_6FBC28
		mov	edx, 4000h
		call	_BgpFwInitializeReservePool@12 ; BgpFwInitializeReservePool(x,x,x)
		lea	ecx, [ebx+10h]
		call	BgpFwLibraryEnable
		mov	edi, eax
		test	edi, edi
		jns	loc_A780C4

loc_A750C6:				; CODE XREF: BgpFwLibraryInitialize+F0j
					; TxtpAddCacheEntry+1C78j ...
		call	BgpFwLibraryDestroy
		jmp	short loc_A7505E
; 

loc_A750CD:				; CODE XREF: BgpFwLibraryInitialize+63j
		and	dword_6B6BB8, 0FFFFEFFFh
		call	_AnFwProgressIndicatorTransition@0 ; AnFwProgressIndicatorTransition()
		jmp	loc_A7504C
; 

loc_A750E1:				; CODE XREF: BgpFwLibraryInitialize+FEj
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		lea	ecx, [ebx+10h]
		call	BgpFwLibraryEnable
		mov	edi, eax
		test	edi, edi
		js	loc_A78167
		push	dword_6B6B78
		call	_MmGetPhysicalAddress@4	; MmGetPhysicalAddress(x)
		mov	ecx, dword_6B6B70
		mov	dword_6B6B98, eax
		mov	eax, dword_6B6B68
		mov	dword_6B6BA0, eax
		mov	eax, dword_6B6B64
		mov	dword_6B6BA4, eax
		mov	eax, dword_6B6B6C
		mov	dword_6B6BA8, eax
		mov	dword_6B6B9C, edx
		push	0
		pop	eax
		sub	ecx, esi
		jz	loc_A7817B
		sub	ecx, 1
		jnz	loc_A78171
		mov	dword_6B6BB0, esi

loc_A7514C:				; CODE XREF: TxtpAddCacheEntry+1CE0j
					; TxtpAddCacheEntry+1CEFj
		push	20h
		lea	esi, [ebx+0C0h]
		mov	[esp+3Ch+var_24], eax
		pop	ecx
		mov	edi, offset unk_6B6C64
		mov	[esp+38h+var_28], eax
		rep movsd
		mov	ecx, eax
		mov	esi, 150h
		mov	edi, eax
		mov	[esp+38h+var_18], ecx
		cmp	[ebx+2Ch], eax
		jz	short loc_A75197
		mov	ecx, [ebx+34h]
		mov	[esp+38h+var_28], ecx
		mov	ecx, [ebx+30h]
		add	ecx, 0Fh
		and	ecx, 0FFFFFFF0h
		push	10h
		pop	edi
		mov	[esp+38h+var_24], edi
		mov	[esp+38h+var_18], ecx
		lea	esi, [ecx+160h]

loc_A75197:				; CODE XREF: BgpFwLibraryInitialize+208j
		mov	edx, eax
		mov	[esp+38h+var_20], eax
		mov	[esp+38h+var_1C], edx
		cmp	[ebx+5Ch], eax
		jz	short loc_A751C0
		mov	edx, [ebx+60h]
		add	esi, 10h
		add	edx, 0Fh
		mov	[esp+38h+var_20], 10h
		and	edx, 0FFFFFFF0h
		mov	[esp+38h+var_1C], edx
		add	esi, edx

loc_A751C0:				; CODE XREF: BgpFwLibraryInitialize+238j
		mov	eax, [esp+38h+var_28]
		add	eax, 4050h
		add	esi, eax
		mov	eax, esi
		sub	eax, ecx
		sub	eax, [esp+38h+var_20]
		sub	eax, edx
		sub	eax, edi
		sub	eax, 150h
		mov	[esp+38h+var_C], eax
		shr	eax, 3
		add	eax, 0Fh
		and	eax, 0FFFFFFF0h
		add	esi, eax
		mov	[esp+38h+var_10], eax
		mov	ecx, esi
		mov	[esp+38h+var_14], esi
		call	BgpFwAllocateMemory
		mov	[esp+38h+var_28], eax
		mov	dword_6B6BE8, eax
		test	eax, eax
		jz	loc_A7814E
		mov	edx, [esp+38h+var_C]
		mov	edi, eax
		push	54h
		pop	ecx
		mov	esi, ebx
		rep movsd
		mov	esi, [esp+38h+var_18]
		xor	edi, edi
		mov	ecx, [esp+38h+var_14]
		mov	[eax], ecx
		or	dword ptr [eax+54h], 100000h
		mov	[eax+0B0h], edi
		lea	ecx, [esi+150h]
		add	ecx, eax
		mov	[eax+0B4h], edi
		mov	[eax+0BCh], edi
		mov	[eax+0B8h], edi
		mov	eax, [esp+38h+var_20]
		add	eax, ecx
		mov	[esp+38h+var_14], ecx
		add	eax, [esp+38h+var_1C]
		add	eax, [esp+38h+var_24]
		mov	ecx, [esp+38h+var_10]
		push	eax
		add	ecx, eax
		call	_BgpFwInitializeReservePool@12 ; BgpFwInitializeReservePool(x,x,x)
		mov	dword_6B6C4C, edi
		test	esi, esi
		jz	loc_A7818A
		push	dword ptr [ebx+30h] ; size_t
		mov	eax, [esp+3Ch+var_28]
		mov	esi, [esp+3Ch+var_24]
		add	eax, 150h
		push	dword ptr [ebx+2Ch] ; void *
		add	esi, eax
		push	esi		; void *
		call	_memcpy
		mov	ecx, [esp+44h+var_28]
		xor	edx, edx
		add	ecx, 150h
		inc	edx
		add	esp, 0Ch
		mov	[ecx+8], edx
		mov	[ecx], esi
		mov	eax, [ebx+30h]
		mov	[ecx+4], eax
		mov	[ecx+0Ch], esi
		or	dword_6B6BB8, 800h
		call	BgpFoInitialize
		and	dword_6B6BB8, 0FFFFF7FFh
		test	eax, eax
		js	short loc_A752DB
		mov	eax, [esp+38h+var_28]
		add	eax, 150h
		mov	dword_6B6C4C, eax

loc_A752DB:				; CODE XREF: BgpFwLibraryInitialize+35Fj
		cmp	dword_6B6C4C, edi
		jz	loc_A7818A

loc_A752E7:				; CODE XREF: TxtpAddCacheEntry+1D04j
		mov	dword_6B6C50, edi
		cmp	[esp+38h+var_1C], edi
		jz	short loc_A7532A
		push	dword ptr [ebx+60h] ; size_t
		mov	edi, [esp+3Ch+var_14]
		add	edi, [esp+3Ch+var_24]
		mov	esi, [esp+3Ch+var_20]
		push	dword ptr [ebx+5Ch] ; void *
		add	esi, edi
		push	esi		; void *
		call	_memcpy
		mov	dword ptr [edi+8], 1
		add	esp, 0Ch
		mov	[edi], esi
		mov	eax, [ebx+60h]
		mov	[edi+4], eax
		mov	[edi+0Ch], esi
		mov	dword_6B6C50, edi
		xor	edi, edi

loc_A7532A:				; CODE XREF: BgpFwLibraryInitialize+385j
		push	40h		; size_t
		push	edi		; int
		push	offset dword_6B6BFC ; void *
		call	_memset
		add	esp, 0Ch
		cmp	[ebx+64h], edi
		jz	short loc_A75377
		mov	ecx, [ebx+6Ch]
		call	BgpFwAllocateMemory
		mov	dword_6B6BFC, eax
		test	eax, eax
		jz	short loc_A75377
		push	dword ptr [ebx+6Ch] ; size_t
		push	dword ptr [ebx+64h] ; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebx+6Ch]
		add	esp, 0Ch
		mov	dword_6B6C04, eax
		mov	eax, [ebx+70h]
		mov	dword_6B6C08, eax
		mov	eax, [ebx+74h]
		mov	dword_6B6C0C, eax

loc_A75377:				; CODE XREF: BgpFwLibraryInitialize+3D1j
					; BgpFwLibraryInitialize+3E2j
		mov	ecx, [ebx+84h]
		test	ecx, ecx
		jz	short loc_A75393
		mov	edx, offset dword_6B6C30
		call	_BgpGxProcessQrCodeBitmap@8 ; BgpGxProcessQrCodeBitmap(x,x)
		test	eax, eax
		js	loc_A7819F

loc_A75393:				; CODE XREF: BgpFwLibraryInitialize+413j
					; TxtpAddCacheEntry+1D0Fj
		mov	ecx, [ebx+9Ch]
		test	ecx, ecx
		jnz	loc_A781AA

loc_A753A1:				; CODE XREF: TxtpAddCacheEntry+1D39j
					; TxtpAddCacheEntry+1D6Cj
		mov	dword_6B6C48, edi
		cmp	[ebx+38h], edi
		jz	short loc_A75406
		mov	ecx, [ebx+3Ch]
		call	BgpFwAllocateMemory
		mov	[esp+24h+var_4], eax
		test	eax, eax
		jz	short loc_A75406
		push	dword ptr [ebx+3Ch] ; size_t
		push	dword ptr [ebx+38h] ; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		push	10h
		pop	ecx
		call	BgpFwAllocateMemory
		mov	esi, eax
		test	esi, esi
		jz	loc_A78207
		mov	[esi+8], edi
		xor	edx, edx
		mov	edi, [esp+24h+var_4]
		mov	ecx, esi
		mov	[esi], edi
		mov	eax, [ebx+3Ch]
		mov	[esi+4], eax
		mov	[esi+0Ch], edi
		call	BgpFoInitialize
		test	eax, eax
		js	loc_A7820D
		mov	dword_6B6C48, esi

loc_A75406:				; CODE XREF: BgpFwLibraryInitialize+43Ej
					; BgpFwLibraryInitialize+44Ej ...
		cmp	dword ptr [ebx+50h], 3
		jb	short loc_A7541A
		mov	edi, offset byte_6B6CF4
		lea	esi, [ebx+144h]
		movsd
		movsd
		movsd

loc_A7541A:				; CODE XREF: BgpFwLibraryInitialize+49Ej
		mov	eax, [ebx+140h]
		mov	ecx, ebx
		mov	edx, [esp+24h+arg_4]
		or	dword_6B6BB8, 8000h
		mov	dword_6B6CE8, eax
		call	BgpBcInitializeCriticalMode
		mov	eax, dword_6B6BB8
		and	eax, 0FFFF7FFFh
		push	38h
		or	eax, 800h
		pop	ecx
		mov	dword_6B6BB8, eax
		call	BgpFwAllocateMemory
		and	dword_6B6BB8, 0FFFFF7FFh
		test	eax, eax
		jz	short loc_A75499
		mov	esi, [ebx+0B8h]
		mov	edx, [esp+24h+var_14]
		test	esi, esi
		jz	short loc_A75482
		push	7
		mov	edi, eax
		pop	ecx
		rep movsd
		mov	[edx+0B8h], eax
		add	eax, 1Ch

loc_A75482:				; CODE XREF: BgpFwLibraryInitialize+504j
		mov	esi, [ebx+0BCh]
		test	esi, esi
		jz	short loc_A75499
		push	7
		pop	ecx
		mov	edi, eax
		rep movsd
		mov	[edx+0BCh], eax

loc_A75499:				; CODE XREF: BgpFwLibraryInitialize+4F6j
					; BgpFwLibraryInitialize+51Ej
		mov	ecx, [ebx+0B8h]
		call	ResFwConfigureDisplayStringResources
		mov	dword_6B6C58, eax
		mov	ecx, [ebx+0BCh]
		call	_AnFwConfigureProgressResources@4 ; AnFwConfigureProgressResources(x)
		mov	dword_6B6C54, eax
		mov	eax, [ebx+58h]
		mov	dword_6B6BBC, eax
		mov	eax, [esp+24h+arg_8]
		or	eax, 80h
		or	dword_6B6BB8, eax
		call	BgpFwReleaseLock
		mov	eax, [ebx+0A8h]
		xor	esi, esi
		mov	dword_6B6C40, eax
		mov	eax, [ebx+0ACh]
		mov	dword_6B6C44, eax
		jmp	loc_A75051
BgpFwLibraryInitialize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgpTxtCreateRegion proc	near		; CODE XREF: ResFwConfigureDisplayStringResources+58p
					; AnFwConfigureProgressResources(x)+68p ...

var_38		= dword	ptr -38h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, [ebp+arg_4]
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], ecx
		mov	[eax], ebx
		mov	eax, ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], ebx
		push	esi
		push	edi
		test	ecx, ecx
		jz	loc_A782BA
		test	edx, edx
		jz	loc_A782BA
		lea	eax, [ebp+var_38]
		push	eax
		call	_BgpGetResolution@0 ; BgpGetResolution()
		mov	esi, eax
		lea	edi, [ebp+var_2C]
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_10]
		mov	eax, [ebp+var_2C]
		cmp	[edi], eax
		ja	loc_A782BA
		mov	eax, [ebp+var_28]
		cmp	[edi+4], eax
		ja	loc_A782BA
		push	38h
		pop	ecx
		call	BgpFwAllocateMemory
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_A7822A
		push	38h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		mov	esi, [ebp+arg_0]
		add	esp, 0Ch
		test	esi, esi
		jz	loc_A78234
		mov	edx, [ebp+var_4]
		lea	eax, [ebx+1Ch]
		push	5
		pop	ecx
		mov	edi, eax
		rep movsd
		mov	edi, [ebp+var_10]

loc_A75593:				; CODE XREF: TxtpAddCacheEntry+1DCCj
		test	[ebp+arg_8], 1
		jnz	loc_A75654
		lea	edx, [ebp+var_20]
		mov	ecx, eax
		call	_BgpFoGetTextMetrics@8 ; BgpFoGetTextMetrics(x,x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		js	loc_A782AB
		mov	esi, [ebp+var_18]
		mov	eax, [ebp+var_1C]
		cmp	[esi+4], eax
		jb	loc_A78267

loc_A755C3:				; CODE XREF: TxtpAddCacheEntry+1DD4j
		mov	eax, [ebp+var_20]
		cmp	[esi], eax
		jb	loc_A7826F

loc_A755CE:				; CODE XREF: BgpTxtCreateRegion+165j
					; TxtpAddCacheEntry+1DDBj
		mov	eax, [edi]
		add	eax, [esi]
		cmp	eax, [ebp+var_2C]
		ja	loc_A78276
		mov	eax, [esi+4]
		add	eax, [edi+4]
		cmp	eax, [ebp+var_28]
		ja	loc_A78276
		test	[ebp+arg_8], 2
		jz	short loc_A7565C

loc_A755F0:				; CODE XREF: BgpTxtCreateRegion+192j
		test	[ebp+arg_8], 9
		jz	short loc_A75617
		lea	eax, [ebp+var_C]
		mov	ecx, esi
		push	eax
		push	20h
		pop	edx
		call	_BgpGxRectangleCreate@12 ; BgpGxRectangleCreate(x,x,x)
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		js	loc_A78283
		mov	eax, [ebp+var_C]
		mov	[ebx+18h], eax

loc_A75617:				; CODE XREF: BgpTxtCreateRegion+102j
		mov	eax, [edi]
		mov	[ebx], eax
		mov	eax, [edi+4]
		lea	edi, [ebx+8]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_8]
		movsd
		movsd
		movsd
		and	dword ptr [ebx+34h], 0
		test	[ebp+arg_8], 4
		mov	[ebx+14h], eax
		mov	dword ptr [ebx+30h], 1
		jnz	short loc_A75689

loc_A7563E:				; CODE XREF: BgpTxtCreateRegion+19Ej
					; TxtpAddCacheEntry+1DE8j
		test	edx, edx
		js	loc_A78283

loc_A75646:				; CODE XREF: TxtpAddCacheEntry+1D99j
					; TxtpAddCacheEntry+1E1Fj
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx
		mov	eax, edx

loc_A7564D:				; CODE XREF: TxtpAddCacheEntry+1E29j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_A75654:				; CODE XREF: BgpTxtCreateRegion+A5j
		mov	esi, [ebp+var_18]
		jmp	loc_A755CE
; 

loc_A7565C:				; CODE XREF: BgpTxtCreateRegion+FCj
		lea	eax, [ebp+var_8]
		mov	ecx, esi
		push	eax
		push	20h
		pop	edx
		call	_BgpGxRectangleCreate@12 ; BgpGxRectangleCreate(x,x,x)
		mov	[ebp+var_4], eax
		test	eax, eax
		js	loc_A78283
		mov	eax, [ebx+1Ch]
		mov	ecx, [ebp+var_8]
		push	eax
		call	_BgpGxFillRectangle@8 ;	BgpGxFillRectangle(x,x)
		mov	edx, [ebp+var_4]
		jmp	loc_A755F0
; 

loc_A75689:				; CODE XREF: BgpTxtCreateRegion+14Aj
		mov	dword ptr [ebx+30h], 5
		jmp	short loc_A7563E
BgpTxtCreateRegion endp


;  S U B	R O U T	I N E 


AnFwFadeCompletion proc	near		; CODE XREF: ResFwFreeContext:loc_A74092p
					; TxtpAddCacheEntry:loc_A7720Cp ...
		mov	eax, dword_6B6BB8
		mov	ecx, 0C00h
		and	eax, ecx
		cmp	eax, ecx
		jz	locret_A75756
		push	ebx
		push	esi
		xor	esi, esi
		xor	ecx, ecx
		push	esi
		push	7
		pop	edx
		call	LogFwStat
		call	BgpFwReleaseLock
		push	esi
		push	esi
		push	esi
		push	esi
		push	offset unk_6FC4B8
		call	KeWaitForSingleObject
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		mov	ecx, dword_6B3EC4
		xor	ebx, ebx
		inc	ebx
		test	ecx, ecx
		jz	short loc_A756EA
		test	[ecx+10h], bl
		jnz	short loc_A756E4
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A756E4:				; CODE XREF: AnFwFadeCompletion+4Bj
		mov	dword_6B3EC4, esi

loc_A756EA:				; CODE XREF: AnFwFadeCompletion+46j
		mov	ecx, dword_6B3EE4
		test	ecx, ecx
		jz	short loc_A75704
		test	[ecx+10h], bl
		jnz	short loc_A756FE
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A756FE:				; CODE XREF: AnFwFadeCompletion+65j
		mov	dword_6B3EE4, esi

loc_A75704:				; CODE XREF: AnFwFadeCompletion+60j
		mov	ecx, dword_6B3EE8
		test	ecx, ecx
		jz	short loc_A7571E
		test	[ecx+10h], bl
		jnz	short loc_A75718
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A75718:				; CODE XREF: AnFwFadeCompletion+7Fj
		mov	dword_6B3EE8, esi

loc_A7571E:				; CODE XREF: AnFwFadeCompletion+7Aj
		mov	ecx, dword_6B3EEC
		test	ecx, ecx
		jz	short loc_A75738
		test	[ecx+10h], bl
		jnz	short loc_A75732
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A75732:				; CODE XREF: AnFwFadeCompletion+99j
		mov	dword_6B3EEC, esi

loc_A75738:				; CODE XREF: AnFwFadeCompletion+94j
		mov	ecx, dword_6B3F0C
		test	ecx, ecx
		jnz	loc_A782C4

loc_A75746:				; CODE XREF: TxtpAddCacheEntry+1E3Ej
		mov	ecx, dword_6B3F10
		test	ecx, ecx
		jnz	loc_A782D9

loc_A75754:				; CODE XREF: TxtpAddCacheEntry+1E53j
		pop	esi
		pop	ebx

locret_A75756:				; CODE XREF: AnFwFadeCompletion+Ej
		retn
AnFwFadeCompletion endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall BgkQueryBootGraphicsInformation(x, x)
_BgkQueryBootGraphicsInformation@8 proc	near ; CODE XREF: PAGE:00781211p
					; PAGE:007812FBp ...
		cmp	byte_6D4D58, 0
		jnz	_BgQueryBootGraphicsInformation@8 ; BgQueryBootGraphicsInformation(x,x)
		mov	eax, 0C0000001h
		retn
_BgkQueryBootGraphicsInformation@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AnFwDisplayFade	proc near		; CODE XREF: BgDisplayFade()+1Ap

var_7C		= byte ptr -7Ch
var_7A		= byte ptr -7Ah
var_79		= byte ptr -79h
var_77		= byte ptr -77h
var_76		= byte ptr -76h
var_74		= dword	ptr -74h
var_70		= byte ptr -70h
var_6E		= byte ptr -6Eh
var_6D		= byte ptr -6Dh
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+74h+var_4], eax
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		push	esi
		push	edi
		lea	edi, [esp+80h+var_14]
		mov	[esp+80h+var_70], bl
		stosd
		mov	[esp+80h+var_18], ebx
		mov	[esp+80h+var_40], ebx
		mov	[esp+80h+var_3C], ebx
		stosd
		mov	[esp+80h+var_4C], ebx
		mov	[esp+80h+var_34], ebx
		mov	[esp+80h+var_6C], ebx
		stosd
		stosd
		mov	eax, ebx
		mov	esi, eax
		mov	[esp+80h+var_64], eax
		mov	[esp+80h+var_58], eax
		mov	edi, eax
		mov	[esp+80h+var_30], eax
		mov	[esp+80h+var_68], eax
		mov	[esp+80h+var_2C], eax
		mov	[esp+80h+var_48], eax
		mov	eax, dword_6B6BB8
		mov	[esp+80h+var_60], esi
		mov	[esp+80h+var_54], esi
		test	eax, 2000h
		jnz	loc_A75C8A
		test	eax, 200000h
		jnz	loc_A78480
		mov	ecx, dword_6B6C54
		call	_BgpTxtGetRegionContext@4 ; BgpTxtGetRegionContext(x)
		mov	ecx, dword_6B6C58
		mov	edi, eax
		mov	[esp+80h+var_50], edi
		call	_BgpTxtGetRegionContext@4 ; BgpTxtGetRegionContext(x)
		mov	[esp+80h+var_44], eax
		test	edi, edi
		jz	loc_A78476
		test	eax, eax
		jz	loc_A78476
		push	7
		mov	esi, edi
		mov	edi, offset dword_6B3EC8
		pop	ecx
		rep movsd
		push	7
		pop	ecx
		mov	esi, eax
		mov	edi, offset dword_6B3EF0
		rep movsd
		mov	ecx, [esp+80h+var_50]
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	ecx, [esp+80h+var_44]
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		call	_AnFwpDisableProgressTimer@0 ; AnFwpDisableProgressTimer()
		cmp	byte_6CEA90, bl
		jnz	loc_A782EE

loc_A75859:				; CODE XREF: TxtpAddCacheEntry+1E68j
		mov	[esp+11h], bl
		mov	[esp+80h+var_6E], bl
		call	_BgpGetBitsPerPixel@0 ;	BgpGetBitsPerPixel()
		push	0
		push	5
		xor	ecx, ecx
		mov	esi, eax
		pop	edx
		inc	ecx
		mov	[esp+84h+var_5C], esi
		call	LogFwStat
		mov	ecx, dword_6B6BFC
		test	ecx, ecx
		jz	loc_A78303
		push	ecx
		lea	edx, [esp+84h+var_6C]
		mov	[esp+84h+var_6D], bl
		call	BgpGxParseBitmap
		mov	ebx, [esp+80h+var_6C]
		mov	edi, eax
		test	edi, edi
		js	loc_A75CE0
		mov	eax, [ebx+8]
		cmp	esi, eax
		jz	loc_A7830F
		mov	ecx, [ebx]
		mov	edx, [ebx+4]
		push	eax
		call	_BgpGxRectangleSize@12 ; BgpGxRectangleSize(x,x,x)
		mov	edx, [esp+80h+var_5C]
		mov	ecx, ebx
		and	[esp+80h+var_6C], 0
		push	0
		lea	esi, [eax+0Fh]
		lea	eax, [esp+84h+var_6C]
		and	esi, 0FFFFFFF0h
		push	eax
		add	esi, 10h
		call	BgpGxConvertRectangleEx
		mov	edi, eax
		test	edi, edi
		js	loc_A75CE0
		mov	[esp+80h+var_14], ebx
		mov	ebx, [esp+80h+var_6C]
		mov	[esp+80h+var_68], 1

loc_A758F3:				; CODE XREF: TxtpAddCacheEntry+1E7Dj
		push	[esp+80h+var_5C]
		mov	ecx, [ebx]
		mov	edx, [ebx+4]
		call	_BgpGxRectangleSize@12 ; BgpGxRectangleSize(x,x,x)
		mov	ecx, dword_6B6C08
		add	eax, 0Fh
		mov	edx, dword_6B6C10
		and	eax, 0FFFFFFF0h
		add	eax, 10h
		mov	[esp+80h+var_38], ecx
		imul	eax, 3
		add	edx, ecx
		mov	ecx, dword_6B6C0C
		mov	[esp+80h+var_6C], edx
		mov	[esp+80h+var_24], ecx
		add	esi, eax
		mov	eax, dword_6B6C14
		add	eax, ecx
		mov	[esp+80h+var_48], esi
		mov	[esp+80h+var_50], eax
		mov	eax, dword_6B3ED0
		add	eax, dword_6B3EC8
		mov	[esp+80h+var_44], eax
		mov	eax, dword_6B3ED4
		add	eax, dword_6B3ECC
		mov	[esp+80h+var_28], eax
		mov	eax, dword_6B3EC8
		cmp	eax, edx
		jbe	loc_A78318

loc_A75969:				; CODE XREF: TxtpAddCacheEntry+1E86j
					; TxtpAddCacheEntry+1E92j ...
		mov	edx, dword_6B3EF0
		mov	eax, dword_6B3EF8
		mov	ecx, dword_6B3EF4
		add	eax, edx
		mov	[esp+80h+var_28], eax
		mov	eax, dword_6B3EFC
		add	eax, ecx
		mov	[esp+80h+var_44], eax
		cmp	edx, [esp+80h+var_38]
		jnb	loc_A78372

loc_A75995:				; CODE XREF: TxtpAddCacheEntry+1EE0j
					; TxtpAddCacheEntry+1EECj ...
		cmp	byte ptr [esp+11h], 0
		jnz	short loc_A759E7

loc_A7599C:				; CODE XREF: TxtpAddCacheEntry+1E74j
		push	offset dword_6B3ED0
		mov	edx, offset dword_6B3EC8
		mov	[esp+84h+var_24], esi
		lea	ecx, [esp+84h+var_58]
		call	BgpGxReadRectangle
		mov	edi, eax
		mov	eax, [esp+80h+var_58]
		mov	[esp+80h+var_64], eax
		test	edi, edi
		js	loc_A75CE0
		push	[esp+80h+var_5C]
		mov	ecx, [eax]
		mov	edx, [eax+4]
		call	_BgpGxRectangleSize@12 ; BgpGxRectangleSize(x,x,x)
		add	eax, 0Fh
		and	eax, 0FFFFFFF0h
		add	eax, 10h
		imul	esi, eax, 3
		add	esi, [esp+80h+var_24]
		mov	[esp+80h+var_48], esi

loc_A759E7:				; CODE XREF: AnFwDisplayFade+22Ej
		cmp	[esp+80h+var_6E], 0
		jnz	short loc_A75A33
		push	offset dword_6B3EF8
		mov	edx, offset dword_6B3EF0
		lea	ecx, [esp+84h+var_54]
		call	BgpGxReadRectangle
		mov	edi, eax
		test	edi, edi
		js	loc_A75CDA
		mov	ecx, [esp+80h+var_54]
		push	[esp+80h+var_5C]
		mov	[esp+84h+var_60], ecx
		mov	edx, [ecx+4]
		mov	ecx, [ecx]
		call	_BgpGxRectangleSize@12 ; BgpGxRectangleSize(x,x,x)
		add	eax, 0Fh
		and	eax, 0FFFFFFF0h
		add	eax, 10h
		imul	eax, 3
		add	eax, esi
		mov	[esp+80h+var_48], eax

loc_A75A33:				; CODE XREF: AnFwDisplayFade+280j
		cmp	[esp+80h+var_6D], 0
		mov	eax, dword_6B6C08
		mov	esi, dword_6B6CF8
		mov	[esp+80h+var_54], eax
		mov	eax, dword_6B6C0C
		mov	[esp+80h+var_58], eax
		jnz	short loc_A75AA2
		lea	eax, [esp+80h+var_70]
		mov	ecx, ebx
		push	eax
		lea	eax, [esp+84h+var_40]
		push	eax
		push	esi
		lea	edx, [esp+8Ch+var_4C]
		call	BgpGxFindSubRectangle
		mov	edi, eax
		test	edi, edi
		js	short loc_A75AA2
		mov	eax, [esp+84h+var_6C]
		mov	[esp+eax*4+84h+var_18],	ebx
		inc	eax
		cmp	byte ptr [esp+84h+var_74], 0
		mov	[esp+84h+var_6C], eax
		jnz	loc_A783BA
		mov	eax, [esp+84h+var_58]
		add	eax, [esp+84h+var_44]
		mov	ebx, [esp+84h+var_50]
		mov	[esp+84h+var_58], eax
		mov	eax, [esp+84h+var_5C]
		add	eax, [esp+84h+var_40]
		mov	[esp+84h+var_5C], eax

loc_A75AA2:				; CODE XREF: AnFwDisplayFade+2E4j
					; AnFwDisplayFade+300j	...
		cmp	byte ptr [esp+84h+var_74+1], 0
		jnz	short loc_A75ACB
		mov	ecx, [esp+84h+var_68]
		lea	eax, [esp+84h+var_74]
		push	eax
		lea	eax, [esp+88h+var_44]
		push	eax
		push	esi
		lea	edx, [esp+90h+var_50]
		call	BgpGxFindSubRectangle
		mov	edi, eax
		test	edi, edi
		jns	loc_A783C6

loc_A75ACB:				; CODE XREF: AnFwDisplayFade+33Bj
					; TxtpAddCacheEntry+1F52j ...
		cmp	[esp+88h+var_76], 0
		jnz	loc_A7842B
		lea	eax, [esp+10h]
		push	eax
		lea	eax, [esp+8Ch+var_48]
		push	eax
		push	esi
		mov	esi, [esp+94h+var_68]
		lea	edx, [esp+94h+var_54]
		mov	ecx, esi
		call	BgpGxFindSubRectangle
		mov	edi, eax
		test	edi, edi
		js	short loc_A75B15
		mov	eax, [esp+8Ch+var_74]
		mov	[esp+eax*4+8Ch+var_20],	esi
		inc	eax
		cmp	[esp+8Ch+var_7C], 0
		mov	[esp+8Ch+var_74], eax
		jz	loc_A7840E
		mov	[esp+8Ch+var_7A], 1
		xor	esi, esi

loc_A75B15:				; CODE XREF: AnFwDisplayFade+388j
					; TxtpAddCacheEntry+1F90j ...
		cmp	[esp+8Ch+var_79], 0
		jnz	short loc_A75B59
		mov	eax, [ebx+4]
		lea	ecx, [esp+8Ch+var_2C]
		mov	edx, [esp+8Ch+var_68]
		mov	[esp+8Ch+var_2C], eax
		mov	eax, [ebx]
		mov	[esp+8Ch+var_28], eax
		lea	eax, [esp+8Ch+var_3C]
		push	eax
		call	_BgpGxRectangleCreate@12 ; BgpGxRectangleCreate(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A75C8A
		mov	eax, [esp+88h+var_38]
		push	dword ptr [eax+0Ch] ; size_t
		push	0		; int
		push	dword ptr [eax+14h] ; void *
		call	_memset
		add	esp, 0Ch

loc_A75B59:				; CODE XREF: AnFwDisplayFade+3AEj
		cmp	[esp+88h+var_77], 0
		jnz	short loc_A75BA1
		mov	ecx, [esp+88h+var_6C]
		mov	edx, [esp+88h+var_64]
		mov	eax, [ecx+4]
		mov	[esp+88h+var_28], eax
		mov	eax, [ecx]
		lea	ecx, [esp+88h+var_28]
		mov	[esp+88h+var_24], eax
		lea	eax, [esp+88h+var_3C]
		push	eax
		call	_BgpGxRectangleCreate@12 ; BgpGxRectangleCreate(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A75C8A
		mov	eax, [esp+84h+var_38]
		push	dword ptr [eax+0Ch] ; size_t
		push	0		; int
		push	dword ptr [eax+14h] ; void *
		call	_memset
		add	esp, 0Ch

loc_A75BA1:				; CODE XREF: AnFwDisplayFade+3F2j
		cmp	byte ptr [esp+84h+var_74+2], 0
		jz	loc_A78434

loc_A75BAC:				; CODE XREF: TxtpAddCacheEntry+1FDBj
		push	0
		push	5
		pop	edx
		xor	ecx, ecx
		call	LogFwStat
		mov	eax, [esp+84h+var_58]
		and	dword_6B3EB4, 0
		mov	dword_6B3EB8, eax
		mov	eax, [esp+84h+var_5C]
		mov	dword_6B3EBC, eax
		mov	al, byte ptr [esp+84h+var_74+1]
		mov	byte_6B3EC0, al
		mov	al, byte ptr [esp+84h+var_74+2]
		mov	byte_6B3EC1, al
		mov	al, byte ptr [esp+84h+var_74+3]
		mov	byte_6B3EC2, al
		mov	eax, [esp+84h+var_68]
		mov	dword_6B3EC4, eax
		mov	eax, [esp+84h+var_38]
		mov	dword_6B3EE4, eax
		mov	eax, [esp+84h+var_34]
		mov	dword_6B3EEC, eax
		mov	eax, [esp+84h+var_30]
		push	offset unk_6FC4B8
		mov	dword_6B3EB0, 64h
		mov	dword_6B3EE8, ebx
		mov	dword_6B3F0C, esi
		mov	dword_6B3F10, eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		push	0
		push	offset unk_6FC490
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	0
		push	offset AnFwpFadeAnimationTimer
		push	offset unk_6FC448
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	0
		push	7
		xor	ecx, ecx
		mov	byte_6D4B48, 1
		pop	edx
		inc	ecx
		call	LogFwStat
		push	offset unk_6FC448
		xor	eax, eax
		push	eax
		push	1Eh
		push	eax
		push	eax
		push	offset unk_6FC490
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		mov	eax, [esp+84h+var_4C]
		or	dword_6B6BB8, 2000h
		mov	dword_6B6BD4, eax

loc_A75C8A:				; CODE XREF: AnFwDisplayFade+71j
					; AnFwDisplayFade+3D3j	...
		mov	ecx, [esp+84h+var_6C]
		xor	eax, eax
		mov	[esp+84h+var_54], eax
		test	ecx, ecx
		jz	short loc_A75CBE

loc_A75C98:				; CODE XREF: AnFwDisplayFade+550j
		mov	edx, [esp+eax*4+84h+var_18]
		test	edx, edx
		jz	short loc_A75CB5
		test	byte ptr [edx+10h], 1
		jnz	short loc_A75CB5
		mov	ecx, edx
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	eax, [esp+84h+var_54]
		mov	ecx, [esp+84h+var_6C]

loc_A75CB5:				; CODE XREF: AnFwDisplayFade+532j
					; AnFwDisplayFade+538j
		inc	eax
		mov	[esp+84h+var_54], eax
		cmp	eax, ecx
		jb	short loc_A75C98

loc_A75CBE:				; CODE XREF: AnFwDisplayFade+52Aj
		test	edi, edi
		js	loc_A78480

loc_A75CC6:				; CODE XREF: TxtpAddCacheEntry+207Cj
					; TxtpAddCacheEntry+2086j ...
		mov	ecx, [esp+84h+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A75CDA:				; CODE XREF: AnFwDisplayFade+299j
		mov	esi, [esp+80h+var_54]
		jmp	short loc_A75C8A
; 

loc_A75CE0:				; CODE XREF: AnFwDisplayFade+131j
					; AnFwDisplayFade+171j	...
		mov	esi, [esp+80h+var_60]
		jmp	short loc_A75C8A
AnFwDisplayFade	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AnFwpFadeAnimationTimer	proc near	; DATA XREF: AnFwDisplayFade+4D2o

var_38		= byte ptr -38h
var_37		= byte ptr -37h
var_36		= byte ptr -36h
var_35		= byte ptr -35h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	[esp+48h+var_8], ebx
		mov	[esp+48h+var_4], ebx
		mov	[esp+48h+var_10], ebx
		mov	[esp+48h+var_C], ebx
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		cmp	byte_6D4B48, bl
		jz	loc_A75F72
		push	ebx
		push	6
		xor	ecx, ecx
		pop	edx
		inc	ecx
		call	LogFwStat
		push	ebx
		push	4
		xor	ecx, ecx
		pop	edx
		inc	ecx
		call	LogFwStat
		mov	eax, dword_6B3EB8
		mov	edx, dword_6B3EB4
		mov	ecx, dword_6B6BBC
		mov	esi, dword_6B3EB0
		sub	ecx, edx
		mov	[esp+48h+var_10], eax
		mov	eax, dword_6B3EBC
		mov	[esp+48h+var_C], eax
		mov	al, byte_6B3EC0
		mov	[esp+48h+var_37], al
		mov	al, byte_6B3EC1
		mov	[esp+48h+var_36], al
		mov	al, byte_6B3EC2
		mov	[esp+48h+var_35], al
		mov	eax, dword_6B3EC4
		mov	[esp+48h+var_2C], eax
		mov	eax, dword_6B3EE4
		mov	[esp+48h+var_20], eax
		mov	eax, dword_6B3EEC
		mov	[esp+48h+var_24], eax
		mov	eax, dword_6B3F0C
		mov	[esp+48h+var_28], eax
		mov	eax, dword_6B3F10
		mov	[esp+48h+var_1C], eax
		mov	eax, esi
		mov	[esp+48h+var_18], edx
		xor	edx, edx
		div	ecx
		sub	esi, eax
		imul	ebx, esi, 0Ah
		mov	[esp+48h+var_30], ebx
		call	_BgpGetBitsPerPixel@0 ;	BgpGetBitsPerPixel()
		and	[esp+48h+var_34], 0
		cmp	eax, 18h
		jz	loc_A7852E
		cmp	[esp+48h+var_35], 0
		jnz	short loc_A75E32
		mov	edi, dword_6B3EE8
		xor	ecx, ecx
		mov	eax, [esp+48h+var_24]
		mov	edx, [edi+14h]
		mov	esi, [eax+14h]
		cmp	[edi+0Ch], ecx
		jbe	short loc_A75E32

loc_A75DE1:				; CODE XREF: AnFwpFadeAnimationTimer+14Aj
		cmp	dword ptr [edx+ecx], 0
		jz	short loc_A75E2A
		movzx	eax, byte ptr [edx+ecx]
		imul	eax, ebx
		shr	eax, 0Ah
		mov	[esi+ecx], al
		test	eax, eax
		jz	short loc_A75DFC
		inc	[esp+48h+var_34]

loc_A75DFC:				; CODE XREF: AnFwpFadeAnimationTimer+110j
		movzx	eax, byte ptr [edx+ecx+1]
		imul	eax, ebx
		shr	eax, 0Ah
		mov	[esi+ecx+1], al
		test	eax, eax
		jz	short loc_A75E13
		inc	[esp+48h+var_34]

loc_A75E13:				; CODE XREF: AnFwpFadeAnimationTimer+127j
		movzx	eax, byte ptr [edx+ecx+2]
		imul	eax, ebx
		shr	eax, 0Ah
		mov	[esi+ecx+2], al
		test	eax, eax
		jnz	loc_A78609

loc_A75E2A:				; CODE XREF: AnFwpFadeAnimationTimer+FFj
					; TxtpAddCacheEntry+2177j
		add	ecx, 4
		cmp	ecx, [edi+0Ch]
		jb	short loc_A75DE1

loc_A75E32:				; CODE XREF: AnFwpFadeAnimationTimer+E2j
					; AnFwpFadeAnimationTimer+F9j
		xor	edi, edi
		cmp	[esp+48h+var_37], 0
		jnz	short loc_A75EA5
		mov	ecx, [esp+48h+var_20]
		mov	eax, [esp+48h+var_2C]
		mov	esi, [ecx+14h]
		xor	ecx, ecx
		mov	edx, [eax+14h]
		cmp	[eax+0Ch], ecx
		jbe	short loc_A75EA5

loc_A75E50:				; CODE XREF: AnFwpFadeAnimationTimer+1BDj
		cmp	dword ptr [edx+ecx], 0
		jz	short loc_A75E9D
		movzx	eax, byte ptr [edx+ecx]
		imul	eax, ebx
		shr	eax, 0Ah
		mov	[esi+ecx], al
		test	eax, eax
		jnz	loc_A75F80

loc_A75E6B:				; CODE XREF: AnFwpFadeAnimationTimer+29Bj
		movzx	eax, byte ptr [edx+ecx+1]
		imul	eax, ebx
		shr	eax, 0Ah
		mov	[esi+ecx+1], al
		test	eax, eax
		jnz	loc_A75F86

loc_A75E82:				; CODE XREF: AnFwpFadeAnimationTimer+2A1j
		movzx	eax, byte ptr [edx+ecx+2]
		imul	eax, ebx
		shr	eax, 0Ah
		mov	[esi+ecx+2], al
		test	eax, eax
		mov	eax, [esp+48h+var_2C]
		jnz	loc_A75F8C

loc_A75E9D:				; CODE XREF: AnFwpFadeAnimationTimer+16Ej
					; AnFwpFadeAnimationTimer+2A7j
		add	ecx, 4
		cmp	ecx, [eax+0Ch]
		jb	short loc_A75E50

loc_A75EA5:				; CODE XREF: AnFwpFadeAnimationTimer+153j
					; AnFwpFadeAnimationTimer+168j
		xor	esi, esi
		cmp	[esp+48h+var_36], 0
		jz	loc_A78612

loc_A75EB2:				; CODE XREF: TxtpAddCacheEntry+212Aj
					; TxtpAddCacheEntry+21E7j
		push	0
		push	4
		pop	edx
		xor	ecx, ecx
		call	LogFwStat
		push	0
		push	3
		xor	ecx, ecx
		pop	edx
		inc	ecx
		call	LogFwStat
		cmp	[esp+48h+var_35], 0
		jnz	short loc_A75EEA
		mov	ecx, [esp+48h+var_24]
		lea	edx, [esp+48h+var_10]
		call	BgpGxDrawRectangle
		cmp	[esp+48h+var_34], 0
		jz	loc_A75F92

loc_A75EEA:				; CODE XREF: AnFwpFadeAnimationTimer+1EAj
					; AnFwpFadeAnimationTimer+2B1j
		cmp	[esp+48h+var_37], 0
		jnz	short loc_A75F12
		cmp	[esp+48h+var_18], 0
		jz	loc_A75F9C

loc_A75EFC:				; CODE XREF: AnFwpFadeAnimationTimer+2B8j
		mov	ecx, [esp+48h+var_20]
		mov	edx, offset dword_6B3EC8
		call	BgpGxDrawRectangle
		test	edi, edi
		jz	loc_A75FA4

loc_A75F12:				; CODE XREF: AnFwpFadeAnimationTimer+209j
					; AnFwpFadeAnimationTimer+2C3j
		cmp	[esp+48h+var_36], 0
		jz	loc_A78682

loc_A75F1D:				; CODE XREF: TxtpAddCacheEntry+2207j
					; TxtpAddCacheEntry+2212j
		push	0
		push	3
		pop	edx
		xor	ecx, ecx
		call	LogFwStat
		lea	eax, [esp+48h+var_8]
		xor	ecx, ecx
		push	eax
		push	6
		pop	edx
		call	LogFwStat
		cmp	[esp+48h+var_34], 0
		jz	short loc_A75FAE

loc_A75F3F:				; CODE XREF: AnFwpFadeAnimationTimer+2CAj
					; AnFwpFadeAnimationTimer+2CEj
		push	0Ah
		xor	edx, edx
		mov	eax, ebx
		pop	ecx
		div	ecx
		mov	dword_6B3EB0, eax
		mov	eax, [esp+48h+var_18]
		inc	eax
		mov	dword_6B3EB4, eax
		mov	al, [esp+48h+var_37]
		mov	byte_6B3EC0, al
		mov	al, [esp+48h+var_36]
		mov	byte_6B3EC1, al
		mov	al, [esp+48h+var_35]
		mov	byte_6B3EC2, al

loc_A75F72:				; CODE XREF: AnFwpFadeAnimationTimer+2Bj
					; AnFwpFadeAnimationTimer+2EEj
		call	BgpFwReleaseLock
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_A75F80:				; CODE XREF: AnFwpFadeAnimationTimer+17Fj
		inc	edi
		jmp	loc_A75E6B
; 

loc_A75F86:				; CODE XREF: AnFwpFadeAnimationTimer+196j
		inc	edi
		jmp	loc_A75E82
; 

loc_A75F8C:				; CODE XREF: AnFwpFadeAnimationTimer+1B1j
		inc	edi
		jmp	loc_A75E9D
; 

loc_A75F92:				; CODE XREF: AnFwpFadeAnimationTimer+1FEj
		mov	[esp+48h+var_35], 1
		jmp	loc_A75EEA
; 

loc_A75F9C:				; CODE XREF: AnFwpFadeAnimationTimer+210j
		test	edi, edi
		jnz	loc_A75EFC

loc_A75FA4:				; CODE XREF: AnFwpFadeAnimationTimer+226j
		mov	[esp+48h+var_37], 1
		jmp	loc_A75F12
; 

loc_A75FAE:				; CODE XREF: AnFwpFadeAnimationTimer+257j
		test	esi, esi
		jnz	short loc_A75F3F
		test	edi, edi
		jnz	short loc_A75F3F
		xor	ebx, ebx
		push	offset unk_6FC490
		mov	byte_6D4B48, bl
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		push	ebx
		push	ebx
		push	offset unk_6FC4B8
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	short loc_A75F72
AnFwpFadeAnimationTimer	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AnFwpProgressIndicatorTimer proc near	; DATA XREF: AnFwProgressIndicatorTransition()+1Bo
					; AnFwDisplayProgressIndicator+114o

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		xor	esi, esi
		push	edi
		mov	[esp+20h+var_8], esi
		mov	[esp+20h+var_4], esi
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		cmp	byte_6D4B3C, 0
		jz	loc_A760EC
		lea	ecx, [esp+20h+var_8]
		call	_BgpFwQueryPerformanceCounter@4	; BgpFwQueryPerformanceCounter(x)
		push	esi
		push	21h
		push	[esp+28h+var_4]
		mov	edi, eax
		mov	ebx, edx
		push	[esp+2Ch+var_8]
		call	__alldiv
		mov	si, word_6B3EAC
		mov	ecx, edx
		mov	edx, 0E0CBh
		mov	[esp+20h+var_C], eax
		mov	[esp+20h+var_10], ecx
		cmp	si, dx
		jz	short loc_A76080
		push	0
		push	0Ah
		push	ecx
		push	eax
		call	__allmul
		push	0
		push	64h
		push	edx
		push	eax
		call	__alldiv
		push	[esp+20h+var_10]
		sub	eax, edi
		push	[esp+24h+var_C]
		sbb	edx, ebx
		add	eax, dword_6D4B40
		adc	edx, dword_6D4B44
		push	edx
		push	eax
		call	__alldiv
		test	edx, edx
		jl	short loc_A76080
		jg	loc_A786AD
		cmp	eax, 2
		jnb	loc_A786AD

loc_A76080:				; CODE XREF: AnFwpProgressIndicatorTimer+60j
					; AnFwpProgressIndicatorTimer+99j ...
		mov	eax, 1FAEh
		add	ax, si
		cmp	ax, 79h
		ja	short loc_A760CB
		lea	eax, [esp+20h+var_8]
		xor	ecx, ecx
		push	eax
		xor	edx, edx
		inc	ecx
		call	LogFwStat
		mov	dx, word_6B3EAC
		xor	eax, eax
		push	eax
		push	ecx
		mov	ecx, dword_6B6C54
		push	eax
		push	eax
		push	eax
		call	BgpTxtDisplayCharacter
		lea	eax, [esp+20h+var_8]
		xor	edx, edx
		push	eax
		xor	ecx, ecx
		call	LogFwStat
		mov	si, word_6B3EAC

loc_A760CB:				; CODE XREF: AnFwpProgressIndicatorTimer+B6j
		mov	eax, 0E0CBh
		cmp	si, ax
		jz	short loc_A760FA
		inc	si
		movzx	eax, si

loc_A760DA:				; CODE XREF: AnFwpProgressIndicatorTimer+129j
		mov	word_6B3EAC, ax
		mov	dword_6D4B40, edi
		mov	dword_6D4B44, ebx

loc_A760EC:				; CODE XREF: AnFwpProgressIndicatorTimer+24j
		call	BgpFwReleaseLock
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_A760FA:				; CODE XREF: AnFwpProgressIndicatorTimer+FDj
		mov	eax, 0E04Ah
		jmp	short loc_A760DA
AnFwpProgressIndicatorTimer endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

LogFwStat	proc near		; CODE XREF: AnFwpProgressAnimationManual+DAp
					; AnFwpProgressAnimationManual+FCp ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		mov	ecx, [ebp+arg_0]
		push	edi
		mov	edi, edx
		call	_BgpFwQueryPerformanceCounter@4	; BgpFwQueryPerformanceCounter(x)
		mov	dword_6D4B90, eax
		mov	dword_6D4B94, edx
		test	esi, esi
		jz	short loc_A76138
		mov	dword_6D4C28[edi*8], eax
		mov	dword_6D4C2C[edi*8], edx

loc_A76132:				; CODE XREF: LogFwStat+BFj
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_A76138:				; CODE XREF: LogFwStat+20j
		xor	ecx, ecx
		call	_BgpFwQueryPerformanceCounter@4	; BgpFwQueryPerformanceCounter(x)
		sub	eax, dword_6D4C28[edi*8]
		mov	dword_6D4BE8, eax
		sbb	edx, dword_6D4C2C[edi*8]
		mov	dword_6D4BEC, edx
		cmp	edi, 8		; switch 9 cases
		ja	short loc_A761B6 ; default
		jmp	ds:off_A7630E[edi*4] ; switch jump

loc_A76164:				; DATA XREF: PAGEBGFX:off_A7630Eo
		cmp	edx, dword_6B3F1C ; case 0x0
		jg	short loc_A7617E
		jl	loc_A76297
		cmp	eax, dword_6B3F18
		jb	loc_A76297

loc_A7617E:				; CODE XREF: LogFwStat+68j
					; LogFwStat+1A0j
		cmp	edx, dword_6D4B6C
		jl	short loc_A76198
		jg	loc_A762B4
		cmp	eax, dword_6D4B68
		ja	loc_A762B4

loc_A76198:				; CODE XREF: LogFwStat+82j
					; LogFwStat+1BDj
		add	dword_6D4B78, eax
		adc	dword_6D4B7C, edx

loc_A761A4:				; CODE XREF: LogFwStat+108j
		inc	dword_6D4BC0

loc_A761AA:				; CODE XREF: LogFwStat+1D9j
					; LogFwStat+205j
		add	dword_6D4B88, eax
		adc	dword_6D4B8C, edx

loc_A761B6:				; CODE XREF: LogFwStat+59j
					; LogFwStat+123j ...
		mov	eax, dword_6D4B90 ; default
		mov	edx, dword_6D4B94
		jmp	loc_A76132
; 

loc_A761C6:				; CODE XREF: LogFwStat+5Bj
					; DATA XREF: PAGEBGFX:off_A7630Eo
		cmp	edx, dword_6B3F1C ; case 0x1
		jg	short loc_A761E0
		jl	loc_A76287
		cmp	eax, dword_6B3F18
		jb	loc_A76287

loc_A761E0:				; CODE XREF: LogFwStat+CAj
					; LogFwStat+190j
		cmp	edx, dword_6D4B6C
		jl	short loc_A761F2
		jg	short loc_A7620C
		cmp	eax, dword_6D4B68
		ja	short loc_A7620C

loc_A761F2:				; CODE XREF: LogFwStat+E4j
					; LogFwStat+115j
		add	dword_6D4B78, eax
		adc	dword_6D4B7C, edx
		add	dword_6D4BC8, eax
		adc	dword_6D4BCC, edx
		jmp	short loc_A761A4
; 

loc_A7620C:				; CODE XREF: LogFwStat+E6j
					; LogFwStat+EEj
		mov	dword_6D4B68, eax
		mov	dword_6D4B6C, edx
		jmp	short loc_A761F2
; 

loc_A76219:				; CODE XREF: LogFwStat+5Bj
					; DATA XREF: PAGEBGFX:off_A7630Eo
		add	dword_6D4BE0, eax ; case 0x3
		adc	dword_6D4BE4, edx
		jmp	short loc_A761B6 ; default
; 

loc_A76227:				; CODE XREF: LogFwStat+5Bj
					; DATA XREF: PAGEBGFX:off_A7630Eo
		add	dword_6D4BD8, eax ; case 0x4
		adc	dword_6D4BDC, edx
		jmp	short loc_A761B6 ; default
; 

loc_A76235:				; CODE XREF: LogFwStat+5Bj
					; DATA XREF: PAGEBGFX:off_A7630Eo
		cmp	edx, dword_6B3F2C ; case 0x6
		jg	short loc_A76247
		jl	short loc_A762A7
		cmp	eax, dword_6B3F28
		jb	short loc_A762A7

loc_A76247:				; CODE XREF: LogFwStat+139j
					; LogFwStat+1B0j
		cmp	edx, dword_6D4B54
		jl	short loc_A76264
		jg	short loc_A76259
		cmp	eax, dword_6D4B50
		jbe	short loc_A76264

loc_A76259:				; CODE XREF: LogFwStat+14Dj
		mov	dword_6D4B50, eax
		mov	dword_6D4B54, edx

loc_A76264:				; CODE XREF: LogFwStat+14Bj
					; LogFwStat+155j
		add	dword_6D4B80, eax
		adc	dword_6D4B84, edx
		add	dword_6D4B88, eax
		adc	dword_6D4B8C, edx
		inc	dword_6D4B64
		jmp	loc_A761B6	; default
; 

loc_A76287:				; CODE XREF: LogFwStat+CCj
					; LogFwStat+D8j
		mov	dword_6B3F18, eax
		mov	dword_6B3F1C, edx
		jmp	loc_A761E0
; 

loc_A76297:				; CODE XREF: LogFwStat+6Aj
					; LogFwStat+76j
		mov	dword_6B3F18, eax
		mov	dword_6B3F1C, edx
		jmp	loc_A7617E
; 

loc_A762A7:				; CODE XREF: LogFwStat+13Bj
					; LogFwStat+143j
		mov	dword_6B3F28, eax
		mov	dword_6B3F2C, edx
		jmp	short loc_A76247
; 

loc_A762B4:				; CODE XREF: LogFwStat+84j
					; LogFwStat+90j
		mov	dword_6D4B68, eax
		mov	dword_6D4B6C, edx
		jmp	loc_A76198
; 

loc_A762C4:				; CODE XREF: LogFwStat+5Bj
					; DATA XREF: PAGEBGFX:off_A7630Eo
		add	dword_6D4B80, eax ; case 0x5
		mov	dword_6D4BB8, eax
		adc	dword_6D4B84, edx
		mov	dword_6D4BBC, edx
		jmp	loc_A761AA
; 

loc_A762E0:				; CODE XREF: LogFwStat+5Bj
					; DATA XREF: PAGEBGFX:off_A7630Eo
		mov	dword_6D4B58, eax ; case 0x7
		mov	dword_6D4B5C, edx
		jmp	loc_A761B6	; default
; 

loc_A762F0:				; CODE XREF: LogFwStat+5Bj
					; DATA XREF: PAGEBGFX:off_A7630Eo
		add	dword_6D4B78, eax ; case 0x2
		mov	dword_6D4BA8, eax
		adc	dword_6D4B7C, edx
		mov	dword_6D4BAC, edx
		jmp	loc_A761AA
LogFwStat	endp

; 
		db 8Bh,	0FFh
off_A7630E	dd offset loc_A76164	; DATA XREF: LogFwStat+5Br
		dd offset loc_A761C6	; jump table for switch	statement
		dd offset loc_A762F0
		dd offset loc_A76219
		dd offset loc_A76227
		dd offset loc_A762C4
		dd offset loc_A76235
		dd offset loc_A762E0
		dd offset loc_A786BB

;  S U B	R O U T	I N E 


; __stdcall BgDisplayProgressIndicator(x)
_BgDisplayProgressIndicator@4 proc near	; CODE XREF: PopDecompressHiberBlocks+3FEp
					; TxtpAddCacheEntry+23ADp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	bl, cl
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	byte ptr dword_6B6BB8, 1
		jz	short loc_A76359
		mov	cl, bl
		call	AnFwDisplayProgressIndicator
		mov	esi, eax

loc_A7634F:				; CODE XREF: BgDisplayProgressIndicator(x)+2Cj
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_A76359:				; CODE XREF: BgDisplayProgressIndicator(x)+12j
		mov	esi, 0C0000001h
		jmp	short loc_A7634F
_BgDisplayProgressIndicator@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

AnFwDisplayProgressIndicator proc near	; CODE XREF: BgDisplayProgressIndicator(x)+16p
					; TxtpAddCacheEntry+DA3p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	dl, byte_6D4B3C
		push	ebx
		mov	bl, cl
		push	esi
		push	edi
		test	bl, bl
		jz	short loc_A763EF

loc_A76378:				; CODE XREF: AnFwDisplayProgressIndicator+93j
		mov	eax, dword_6B6BB8
		xor	cl, cl
		test	eax, 100000h
		jz	short loc_A7638F
		test	eax, 1000h
		jz	short loc_A7638F
		inc	cl

loc_A7638F:				; CODE XREF: AnFwDisplayProgressIndicator+24j
					; AnFwDisplayProgressIndicator+2Bj
		test	bl, bl
		jz	loc_A786EA
		test	dl, dl
		jz	short loc_A763B1
		test	cl, cl
		jz	loc_A786CC

loc_A763A3:				; CODE XREF: AnFwDisplayProgressIndicator+8Dj
		call	AnFwpProgressAnimationManual

loc_A763A8:				; CODE XREF: AnFwDisplayProgressIndicator+91j
					; AnFwDisplayProgressIndicator+130j ...
		xor	eax, eax

loc_A763AA:				; CODE XREF: TxtpAddCacheEntry+223Bj
					; TxtpAddCacheEntry+2245j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A763B1:				; CODE XREF: AnFwDisplayProgressIndicator+39j
		cmp	dword_6B6C54, 0
		jz	loc_A786D6
		test	eax, 40000h
		jnz	loc_A786E0
		mov	byte_6D4B3C, 1
		test	cl, cl
		jz	short loc_A763F5
		and	dword_6D4B40, 0
		mov	eax, 0E051h
		and	dword_6D4B44, 0
		mov	word_6B3EAC, ax
		jmp	short loc_A763A3
; 

loc_A763EF:				; CODE XREF: AnFwDisplayProgressIndicator+16j
		test	dl, dl
		jz	short loc_A763A8
		jmp	short loc_A76378
; 

loc_A763F5:				; CODE XREF: AnFwDisplayProgressIndicator+72j
		xor	ebx, ebx
		xor	ecx, ecx
		push	ebx
		push	2
		mov	eax, 0E052h
		inc	ecx
		pop	edx
		mov	word_6B3EAC, ax
		call	LogFwStat
		mov	ax, word_6B3EAC
		mov	esi, 0E0CBh
		jmp	short loc_A76433
; 

loc_A7641B:				; CODE XREF: AnFwDisplayProgressIndicator+E0j
		push	1
		mov	dx, ax
		call	BgpTxtDisplayCharacter
		mov	ax, word_6B3EAC
		inc	ax
		mov	word_6B3EAC, ax

loc_A76433:				; CODE XREF: AnFwDisplayProgressIndicator+B9j
		push	ebx
		push	ecx
		mov	ecx, dword_6B6C54
		push	ebx
		push	ebx
		cmp	ax, si
		jbe	short loc_A7641B
		push	ebx
		mov	edx, esi
		mov	word_6B3EAC, si
		call	BgpTxtDisplayCharacter
		push	ebx
		push	2
		pop	edx
		xor	ecx, ecx
		call	LogFwStat
		push	ebx
		mov	edi, offset unk_6FC468
		mov	dword_6D4B40, eax
		push	edi
		mov	dword_6D4B44, edx
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	ebx
		push	offset AnFwpProgressIndicatorTimer
		mov	esi, offset unk_6FC428
		push	esi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	esi
		push	ebx
		push	1Eh
		push	ebx
		push	ebx
		push	edi
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		jmp	loc_A763A8
AnFwDisplayProgressIndicator endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

TxtpAddCacheEntry proc near		; CODE XREF: BgpTxtDisplayCharacter+1DFp

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_58		= byte ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= byte ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_18		= byte ptr  20h
arg_59		= dword	ptr  61h
arg_5D		= dword	ptr  65h
arg_6A		= dword	ptr  72h
arg_198		= byte ptr  1A0h
arg_199		= byte ptr  1A1h
arg_19A		= byte ptr  1A2h
arg_19B		= byte ptr  1A3h
arg_19C		= dword	ptr  1A4h
arg_1A0		= dword	ptr  1A8h
arg_1A4		= dword	ptr  1ACh
arg_1A8		= dword	ptr  1B0h
arg_1AC		= dword	ptr  1B4h
arg_1B0		= dword	ptr  1B8h
arg_1B4		= dword	ptr  1BCh
arg_1B8		= dword	ptr  1C0h
arg_1BC		= dword	ptr  1C4h
arg_1C0		= dword	ptr  1C8h
arg_1C4		= dword	ptr  1CCh
arg_1C8		= dword	ptr  1D0h
arg_1CC		= dword	ptr  1D4h
arg_1D0		= dword	ptr  1D8h
arg_1D8		= dword	ptr  1E0h
arg_1DC		= dword	ptr  1E4h
arg_1E0		= dword	ptr  1E8h
arg_1E4		= dword	ptr  1ECh
arg_1E8		= dword	ptr  1F0h
arg_1EC		= dword	ptr  1F4h
arg_1F4		= dword	ptr  1FCh

; FUNCTION CHUNK AT 00A78773 SIZE 00000343 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	24h
		mov	ebx, ecx
		mov	si, dx
		pop	ecx
		call	BgpFwAllocateMemory
		mov	edx, eax
		test	edx, edx
		jz	short loc_A764F0
		mov	eax, [ebp+arg_4]
		push	edi
		mov	[edx+8], si
		lea	edi, [edx+0Ch]
		mov	esi, [ebp+arg_0]
		push	5
		pop	ecx
		rep movsd
		mov	[edx+20h], eax
		mov	eax, [ebx]
		pop	edi
		cmp	[eax+4], ebx
		jnz	short loc_A764F7
		mov	[edx], eax
		mov	[edx+4], ebx
		mov	[eax+4], edx
		mov	[ebx], edx
		mov	eax, [ebx+8]
		cmp	eax, 7Dh
		jz	loc_A7873A
		inc	eax
		mov	[ebx+8], eax

loc_A764E8:				; CODE XREF: TxtpAddCacheEntry+22D8j
		xor	eax, eax

loc_A764EA:				; CODE XREF: TxtpAddCacheEntry+5Fj
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_A764F0:				; CODE XREF: TxtpAddCacheEntry+18j
		mov	eax, 0C0000017h
		jmp	short loc_A764EA
; 

loc_A764F7:				; CODE XREF: TxtpAddCacheEntry+36j
					; TxtpAddCacheEntry+22A9j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall BgpGxRectangleCreate(x, x, x)
_BgpGxRectangleCreate@12:		; CODE XREF: BgpGxConvertRectangleEx+3Cp
					; BgpGxParseBitmap+52p	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		xor	esi, esi
		mov	ecx, [edi]
		imul	ecx, ebx
		imul	ecx, [edi+4]
		call	_GxpBitsToBytes@4 ; GxpBitsToBytes(x)
		mov	[ebp+var_4], eax
		lea	ecx, [eax+40h]
		call	BgpFwAllocateMemory
		mov	edx, eax
		test	edx, edx
		jz	short loc_A76554
		mov	eax, [edi+4]
		lea	ecx, [edx+40h]
		mov	[edx], eax
		mov	eax, [edi]
		mov	[edx+14h], ecx
		mov	ecx, [ebp+arg_0]
		mov	[edx+4], eax
		mov	eax, [ebp+var_4]
		mov	[edx+8], ebx
		mov	[edx+10h], esi
		mov	[edx+0Ch], eax
		mov	[ecx], edx

loc_A7654B:				; CODE XREF: TxtpAddCacheEntry+C3j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_A76554:				; CODE XREF: TxtpAddCacheEntry+92j
		mov	esi, 0C0000017h
		jmp	short loc_A7654B
; 
		align 4

; __stdcall TxtpClearCache(x)
_TxtpClearCache@4:			; CODE XREF: ResFwFreeContext+15p
					; AnFwpDisableProgressTimer():loc_A74A66p ...
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, offset _TxtpTextCache

loc_A76565:				; CODE XREF: TxtpAddCacheEntry+106j
		mov	esi, _TxtpTextCache
		mov	eax, [esi]
		cmp	[esi+4], edi
		jnz	short loc_A765A8
		cmp	[eax+4], esi
		jnz	short loc_A765A8
		mov	_TxtpTextCache,	eax
		mov	[eax+4], edi
		cmp	esi, edi
		jz	short loc_A7659E
		mov	ecx, [esi+20h]
		test	ecx, ecx
		jz	short loc_A76595
		test	byte ptr [ecx+10h], 1
		jnz	short loc_A76595
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A76595:				; CODE XREF: TxtpAddCacheEntry+F2j
					; TxtpAddCacheEntry+F8j
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	short loc_A76565
; 

loc_A7659E:				; CODE XREF: TxtpAddCacheEntry+EBj
		and	dword_6B2AC0, 0
		pop	edi
		pop	esi
		retn
; 

loc_A765A8:				; CODE XREF: TxtpAddCacheEntry+DAj
					; TxtpAddCacheEntry+DFj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

BgpGxFindSubRectangle:			; CODE XREF: AnFwDisplayFade+2F7p
					; AnFwDisplayFade+350p	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_28], edx
		mov	esi, ecx
		mov	[ebp+var_34], eax
		push	edi
		mov	[ebp+var_24], esi
		cmp	[ebp+arg_4], eax
		jz	loc_A7877C
		test	esi, esi
		jz	loc_A7877C
		mov	edx, [esi+8]
		mov	[ebp+var_30], edx
		cmp	edx, 20h
		jnz	loc_A78773

loc_A765E6:				; CODE XREF: TxtpAddCacheEntry+22E0j
		mov	ecx, [esi]
		mov	edi, ecx
		and	[ebp+var_C], 0
		mov	byte ptr [ebp+var_4+3],	al
		mov	[ebp+var_10], eax
		mov	eax, [esi+4]
		mov	ebx, eax
		mov	[ebp+var_14], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_2C], eax
		mov	eax, edx
		shr	eax, 3
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], edi
		mov	[ebp+var_8], ebx
		cmp	eax, 0FF000000h
		jnz	loc_A78786
		cmp	[ebp+var_20], 4
		jnz	loc_A78786
		xor	ecx, ecx
		test	edi, edi
		jbe	loc_A76744
		mov	esi, [ebp+var_2C]
		mov	edx, edi

loc_A7663A:				; CODE XREF: TxtpAddCacheEntry+1C6j
		xor	eax, eax
		cmp	[ebp+var_14], eax
		jbe	short loc_A76659

loc_A76641:				; CODE XREF: TxtpAddCacheEntry+1BBj
		cmp	dword ptr [esi], 0
		jnz	loc_A766CE

loc_A7664A:				; CODE XREF: TxtpAddCacheEntry+24Ej
		add	esi, 4
		inc	eax
		cmp	eax, [ebp+var_14]
		jb	short loc_A76641
		mov	[ebp+var_18], edi
		mov	[ebp+var_8], ebx

loc_A76659:				; CODE XREF: TxtpAddCacheEntry+1A9j
		inc	ecx
		cmp	ecx, edx
		jb	short loc_A7663A

loc_A7665E:				; CODE XREF: TxtpAddCacheEntry+234Dj
		cmp	byte ptr [ebp+var_4+3],	0
		mov	edx, [ebp+var_30]
		mov	esi, [ebp+var_24]
		jz	loc_A76744
		mov	edi, [ebp+var_C]
		mov	eax, [ebp+var_18]
		sub	edi, ebx
		mov	ebx, [ebp+var_10]
		inc	edi
		sub	ebx, eax
		mov	[ebp+var_3C], edi
		inc	ebx
		mov	[ebp+var_38], ebx
		test	eax, eax
		jnz	short loc_A7668C
		cmp	[ebp+var_8], eax
		jz	short loc_A766FB

loc_A7668C:				; CODE XREF: TxtpAddCacheEntry+1EFj
					; TxtpAddCacheEntry+268j ...
		push	[ebp+var_28]
		lea	ecx, [ebp+var_3C]
		call	_BgpGxRectangleCreate@12 ; BgpGxRectangleCreate(x,x,x)
		test	eax, eax
		js	loc_A7673D
		mov	eax, [esi+4]
		mov	ecx, [ebp+var_20]
		mov	esi, [ebp+var_18]
		imul	eax, ecx
		imul	edi, ecx
		imul	esi, eax
		mov	[ebp+var_30], eax
		mov	eax, [ebp+var_8]
		imul	eax, ecx
		add	esi, eax
		mov	eax, [ebp+var_24]
		add	esi, [eax+14h]
		test	ebx, ebx
		mov	eax, [ebp+var_28]
		mov	eax, [eax]
		mov	eax, [eax+14h]
		jmp	short loc_A76722
; 

loc_A766CE:				; CODE XREF: TxtpAddCacheEntry+1AEj
		cmp	eax, ebx
		jb	short loc_A766F3

loc_A766D2:				; CODE XREF: TxtpAddCacheEntry+25Fj
		cmp	eax, [ebp+var_C]
		ja	short loc_A766EE

loc_A766D7:				; CODE XREF: TxtpAddCacheEntry+25Bj
		cmp	ecx, edi
		jb	short loc_A766F7

loc_A766DB:				; CODE XREF: TxtpAddCacheEntry+263j
		cmp	ecx, [ebp+var_10]
		ja	short loc_A766E9

loc_A766E0:				; CODE XREF: TxtpAddCacheEntry+256j
		mov	byte ptr [ebp+var_4+3],	1
		jmp	loc_A7664A
; 

loc_A766E9:				; CODE XREF: TxtpAddCacheEntry+248j
		mov	[ebp+var_10], ecx
		jmp	short loc_A766E0
; 

loc_A766EE:				; CODE XREF: TxtpAddCacheEntry+23Fj
		mov	[ebp+var_C], eax
		jmp	short loc_A766D7
; 

loc_A766F3:				; CODE XREF: TxtpAddCacheEntry+23Aj
		mov	ebx, eax
		jmp	short loc_A766D2
; 

loc_A766F7:				; CODE XREF: TxtpAddCacheEntry+243j
		mov	edi, ecx
		jmp	short loc_A766DB
; 

loc_A766FB:				; CODE XREF: TxtpAddCacheEntry+1F4j
		cmp	edi, [ebp+var_14]
		jnz	short loc_A7668C
		cmp	ebx, [ebp+var_1C]
		jnz	short loc_A7668C
		mov	eax, 0C0000225h
		jmp	short loc_A7673D
; 

loc_A7670C:				; CODE XREF: TxtpAddCacheEntry+28Fj
		push	edi		; size_t
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+arg_0]
		add	esp, 0Ch
		add	esi, [ebp+var_30]
		add	eax, edi
		sub	ebx, 1

loc_A76722:				; CODE XREF: TxtpAddCacheEntry+236j
		mov	[ebp+arg_0], eax
		jnz	short loc_A7670C
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_8]
		mov	[ecx], eax
		mov	eax, [ebp+var_18]
		mov	[ecx+4], eax
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	0

loc_A7673B:				; CODE XREF: TxtpAddCacheEntry+2BAj
		xor	eax, eax

loc_A7673D:				; CODE XREF: TxtpAddCacheEntry+203j
					; TxtpAddCacheEntry+274j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_A76744:				; CODE XREF: TxtpAddCacheEntry+199j
					; TxtpAddCacheEntry+1D2j ...
		mov	eax, [ebp+arg_8]
		mov	byte ptr [eax],	1
		mov	eax, [ebp+var_28]
		and	dword ptr [eax], 0
		jmp	short loc_A7673B
; 

; __stdcall LogFwpRegisterWorker(x)
_LogFwpRegisterWorker@4:		; DATA XREF: LogFwReport+D7o
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [esp+0B4h+var_94]
		push	offset ??_C@_1GG@IBGAEKLO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@CIJCHKMG@
		push	eax
		mov	[esp+0BCh+var_98], edi
		mov	[esp+0BCh+var_94], edi
		mov	[esp+0BCh+var_90], edi
		mov	[esp+0BCh+var_9C], edi
		mov	[esp+0BCh+var_A0], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	esi
		lea	eax, [esp+0B4h+var_94]
		mov	[esp+0B4h+var_8C], esi
		mov	[esp+0B4h+var_84], eax
		mov	ebx, 240h
		lea	eax, [esp+0B4h+var_8C]
		mov	[esp+0B4h+var_88], edi
		push	eax
		push	20019h
		lea	eax, [esp+0BCh+var_9C]
		mov	[esp+0BCh+var_80], ebx
		push	eax
		mov	[esp+0C0h+var_7C], edi
		mov	[esp+0C0h+var_78], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_A76E07
		push	offset ??_C@_19HCNKEFNM@?$AAB?$AAG?$AAF?$AAX@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [esp+0B4h+var_9C]
		mov	[esp+0B4h+var_88], eax
		lea	eax, [esp+0B4h+var_94]
		mov	[esp+0B4h+var_84], eax
		lea	eax, [esp+0B4h+var_98]
		push	eax
		mov	[esp+0B8h+var_80], ebx
		lea	eax, [esp+0B8h+var_8C]
		xor	ebx, ebx
		mov	[esp+0B8h+var_8C], esi
		inc	ebx
		mov	[esp+0B8h+var_7C], edi
		push	ebx
		push	edi
		push	edi
		push	eax
		push	20019h
		lea	eax, [esp+0CCh+var_A0]
		mov	[esp+0CCh+var_78], edi
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	[esp+0B4h+var_9C]
		test	eax, eax
		js	loc_A76E02
		mov	esi, dword_6D4BD0
		call	_ZwClose@4	; ZwClose(x)
		push	offset ??_C@_1O@BJIMCIMK@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[esp+0B4h+var_A4], edi
		and	esi, 100000h
		jz	short loc_A76849
		mov	[esp+0B4h+var_A4], ebx

loc_A76849:				; CODE XREF: TxtpAddCacheEntry+3ADj
		push	4
		pop	esi
		push	esi
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1M@NLLLJLND@?$AAW?$AAi?$AAd?$AAt?$AAh@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, dword_6D4B98
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1O@BLHDEIAD@?$AAH?$AAe?$AAi?$AAg?$AAh?$AAt@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, dword_6D4B9C
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_17DGOGOCFD@?$AAB?$AAP?$AAP@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, dword_6D4B70
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BC@BCLKKLI@?$AAL?$AAo?$AAg?$AAo?$AAS?$AAi?$AAz?$AAe@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, dword_6B6C04
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BO@MKBPMCCO@?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs?$AAF?$AAr?$AAa?$AAm?$AAe?$AAs@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, dword_6D4BC0
		mov	[esp+0B4h+var_A4], eax
		lea	eax, [esp+0B4h+var_A4]
		push	esi
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BO@NENAMIAE@?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, dword_6B6BD8
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BO@PIOMGGHH@?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs?$AAP?$AAr?$AAo?$AAl?$AAo?$AAg@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		mov	ebx, 0F4240h
		push	ebx
		push	dword_6D4BAC
		push	dword_6D4BA8
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BI@PKOLCIDD@?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs?$AAL?$AAo?$AAw@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	ebx
		push	dword_6B3F1C
		push	dword_6B3F18
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BK@PDBOEDKL@?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs?$AAH?$AAi?$AAg?$AAh@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	ebx
		push	dword_6D4B6C
		push	dword_6D4B68
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		cmp	dword_6B6BE8, edi
		jz	short loc_A76AA0
		push	offset ??_C@_1BK@OKKJACAK@?$AAR?$AAe?$AAs?$AAi?$AAd?$AAe?$AAn?$AAt?$AAS?$AAi?$AAz?$AAe@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, dword_6B6BE8
		push	esi
		mov	eax, [eax]
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_A76AA0:				; CODE XREF: TxtpAddCacheEntry+5D8j
		push	offset ??_C@_1BM@COBHJJH@?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs?$AAT?$AAo?$AAt?$AAa?$AAl@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	ebx
		push	dword_6D4B7C
		push	dword_6D4B78
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BO@DDBPLCAD@?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs?$AAM?$AAa?$AAn?$AAu?$AAa?$AAl@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	ebx
		push	dword_6D4BCC
		push	dword_6D4BC8
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BG@BNPAPPAO@?$AAF?$AAa?$AAd?$AAe?$AAP?$AAr?$AAo?$AAl?$AAo?$AAg@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	ebx
		push	dword_6D4BBC
		push	dword_6D4BB8
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BI@CCFJBEBE@?$AAF?$AAa?$AAd?$AAe?$AAO?$AAv?$AAe?$AAr?$AAl?$AAa?$AAp@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, dword_6D4BF0
		mov	[esp+0B4h+var_A4], eax
		lea	eax, [esp+0B4h+var_A4]
		push	esi
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1O@CPNNKMDM@?$AAF?$AAa?$AAd?$AAe?$AAI?$AAo@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, dword_6D4BB0
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BA@JDDCEFMJ@?$AAF?$AAa?$AAd?$AAe?$AAC?$AAp?$AAu@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, dword_6D4B60
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BG@CPADFLFH@?$AAF?$AAa?$AAd?$AAe?$AAF?$AAr?$AAa?$AAm?$AAe?$AAs@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, dword_6D4B64
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BG@DBMMFBHN@?$AAF?$AAa?$AAd?$AAe?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, dword_6B6BD4
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BA@BCJLCPKA@?$AAF?$AAa?$AAd?$AAe?$AAL?$AAo?$AAw@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	ebx
		push	dword_6B3F2C
		push	dword_6B3F28
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		mov	[esp+0B4h+var_A4], eax
		push	esi
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BC@DHBGOHKB@?$AAF?$AAa?$AAd?$AAe?$AAH?$AAi?$AAg?$AAh@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	ebx
		push	dword_6D4B54
		push	dword_6D4B50
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BE@CJLFDCOE@?$AAF?$AAa?$AAd?$AAe?$AAT?$AAo?$AAt?$AAa?$AAl@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	ebx
		push	dword_6D4B84
		push	dword_6D4B80
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BO@CNLGPJFB@?$AAA?$AAn?$AAi?$AAm?$AAa?$AAt?$AAi?$AAo?$AAn?$AAT?$AAo?$AAt?$AAa?$AAl@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	ebx
		push	dword_6D4B8C
		push	dword_6D4B88
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1CA@EMPMDDHK@?$AAC?$AAo?$AAm?$AAp?$AAr?$AAe?$AAs?$AAs?$AAB?$AAi?$AAt?$AAm?$AAa?$AAp?$AAs@CIJCHKMG@
		lea	eax, [esp+0B8h+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	ebx
		push	dword_6FDE34
		push	dword_6FDE30
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	esi
		mov	[esp+0B8h+var_A4], eax
		lea	eax, [esp+0B8h+var_A4]
		push	eax
		push	esi
		push	edi
		lea	eax, [esp+0C4h+var_94]
		push	eax
		push	[esp+0C8h+var_A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[esp+0B4h+var_A0]

loc_A76E02:				; CODE XREF: TxtpAddCacheEntry+383j
		call	_ZwClose@4	; ZwClose(x)

loc_A76E07:				; CODE XREF: TxtpAddCacheEntry+329j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

; __stdcall RaspAddCacheEntry(x, x)
_RaspAddCacheEntry@8:			; CODE XREF: RaspGetXExtent+135p
					; BgpRasPrintGlyph+87BF5p
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_A76E4E
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[eax+4], edx
		mov	[ecx], edx
		mov	edx, [ecx+1Ch]
		test	edx, edx
		jz	short locret_A76E4D
		mov	eax, [ecx+20h]
		cmp	eax, edx
		jnz	short loc_A76E49
		mov	eax, [ecx+4]
		cmp	[eax], ecx
		jnz	short loc_A76E4E
		mov	edx, [eax+4]
		cmp	[edx], eax
		jnz	short loc_A76E4E
		mov	[ecx+4], edx
		mov	[edx], ecx
		mov	ecx, eax
		jmp	_RaspDestroyCachedBitmap@4 ; RaspDestroyCachedBitmap(x)
; 

loc_A76E49:				; CODE XREF: TxtpAddCacheEntry+997j
		inc	eax
		mov	[ecx+20h], eax

locret_A76E4D:				; CODE XREF: TxtpAddCacheEntry+990j
		retn
; 

loc_A76E4E:				; CODE XREF: TxtpAddCacheEntry+97Fj
					; TxtpAddCacheEntry+99Ej ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall RaspDestroyCachedBitmap(x)
_RaspDestroyCachedBitmap@4:		; CODE XREF: BgpRasPrintGlyph+87B4Cp
					; RaspClearCache(x)+Cp	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		mov	ecx, [esi+8]
		stosd
		stosd
		call	_RaspFreeMemory@8 ; RaspFreeMemory(x,x)
		lea	edx, [ebp+var_C]
		mov	ecx, esi
		call	_RaspFreeMemory@8 ; RaspFreeMemory(x,x)
		pop	edi
		pop	esi
		leave
		retn
; 
		align 2

; __stdcall ResFwFindMessage(x)
_ResFwFindMessage@4:			; CODE XREF: BcpFindMessage:loc_AF1FDEp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		mov	eax, dword_6B6C50
		test	eax, eax
		jz	short loc_A76EBD
		mov	eax, [eax]
		test	eax, eax
		jz	short loc_A76EBD
		lea	edx, [ebp+var_4]
		push	edx
		push	ecx
		push	0
		push	0Bh
		push	eax
		call	_RtlFindMessage@20 ; RtlFindMessage(x,x,x,x,x)
		test	eax, eax
		js	short loc_A76EBD
		mov	eax, [ebp+var_4]
		test	byte ptr [eax+2], 1
		jz	short loc_A76EBD
		add	eax, 4
		leave
		retn
; 

loc_A76EBD:				; CODE XREF: TxtpAddCacheEntry+9FEj
					; TxtpAddCacheEntry+A04j ...
		xor	eax, eax
		leave
		retn
; 
		align 2

BgpConsoleInitialize:			; DATA XREF: .data:_BgpConsoleInterfaceo
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		xor	eax, eax
		push	esi
		push	edi
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		mov	ecx, 5E08h
		call	BgpFwAllocateMemory
		mov	edx, eax
		mov	dword_6F9AF0, edx
		test	edx, edx
		jz	loc_A787E8
		mov	ebx, [ebp+arg_0]
		movzx	eax, bx
		or	[edx+8], eax
		mov	eax, [ebp+arg_4]
		mov	[edx+0Ch], eax
		mov	eax, [ebp+arg_8]
		mov	[edx+10h], eax
		lea	eax, [ebp+var_20]
		push	eax
		mov	dword ptr [edx], 50h
		mov	dword ptr [edx+4], 19h
		call	_BgpGetResolution@0 ; BgpGetResolution()
		mov	esi, eax
		lea	edi, [edx+14h]
		xor	eax, eax
		push	5DC0h		; size_t
		push	eax		; int
		movsd
		movsd
		movsd
		mov	[edx+24h], eax
		mov	[edx+30h], eax
		lea	eax, [edx+48h]
		push	eax		; void *
		mov	dword ptr [edx+20h], 0Fh
		mov	dword ptr [edx+28h], 0Ch
		mov	dword ptr [edx+2Ch], 16h
		call	_memset
		mov	eax, [ebp+arg_8]
		lea	edx, [ebp+var_4]
		mov	ecx, dword_6B6CE8
		add	esp, 0Ch
		mov	[ebp+var_34], eax
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_30], eax
		mov	al, bl
		not	al
		movzx	eax, al
		shr	eax, 1
		and	eax, 1
		mov	[ebp+var_24], eax
		call	_BgpConsoleGetFontName@8 ; BgpConsoleGetFontName(x,x)
		mov	ecx, [ebp+var_4] ; wchar_t *
		lea	edx, [ebp+var_2C]
		call	BgpFoGetFontHandle
		mov	esi, dword_6F9AF0
		mov	edi, eax
		test	edi, edi
		js	loc_A787F7
		mov	edx, [esi]
		lea	eax, [ebp+var_C]
		mov	ecx, [esi+4]
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		push	dword ptr [esi+14h]
		push	dword ptr [esi+18h]
		call	_BgpConsoleSetPointSize@24 ; BgpConsoleSetPointSize(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A787F7
		mov	eax, [ebp+var_28]
		lea	edi, [esi+28h]
		mov	[esi+20h], eax
		lea	ecx, [ebp+var_34]
		mov	eax, [ebp+var_C]
		mov	edx, edi
		mov	[edi], eax
		mov	eax, [ebp+var_8]
		mov	[edi+4], eax
		mov	eax, ebx
		shr	eax, 1
		not	eax
		and	eax, 2
		or	eax, 1
		push	eax
		call	BgpDisplayCharacterGetContext
		mov	esi, dword_6F9AF0
		mov	[esi+24h], eax
		test	eax, eax
		jz	loc_A787F2
		mov	eax, [edi]
		mov	edx, [esi]
		mov	ecx, [esi+14h]
		imul	eax, edx
		sub	ecx, eax
		mov	eax, [esi+4]
		shr	ecx, 1
		mov	[esi+34h], ecx
		imul	eax, [edi+4]
		xor	edi, edi
		mov	ecx, [esi+18h]
		and	dword ptr [esi+44h], 0
		and	dword ptr [esi+3Ch], 0
		and	dword ptr [esi+40h], 0
		sub	ecx, eax
		mov	[ebp+var_4], edi
		shr	ecx, 1
		mov	[esi+38h], ecx
		test	edx, edx
		jz	short loc_A7707C
		mov	ebx, [ebp+arg_4]
		lea	ecx, [esi+4Ch]
		mov	[ebp+var_8], ecx

loc_A77041:				; CODE XREF: TxtpAddCacheEntry+BE1j
		xor	edx, edx
		cmp	[esi+4], edx
		jbe	short loc_A77068
		mov	eax, ecx
		mov	ecx, [ebp+arg_8]

loc_A7704D:				; CODE XREF: TxtpAddCacheEntry+BCAj
		push	20h
		pop	edi
		mov	[eax+4], di
		inc	edx
		mov	[eax], ecx
		lea	eax, [eax+0Ch]
		mov	[eax-10h], ebx
		cmp	edx, [esi+4]
		jb	short loc_A7704D
		mov	ecx, [ebp+var_8]
		mov	edi, [ebp+var_4]

loc_A77068:				; CODE XREF: TxtpAddCacheEntry+BB0j
		inc	edi
		add	ecx, 12Ch
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], ecx
		cmp	edi, [esi]
		jb	short loc_A77041
		mov	ebx, [ebp+arg_0]

loc_A7707C:				; CODE XREF: TxtpAddCacheEntry+BA0j
		test	bl, 1
		jnz	short loc_A77091

loc_A77081:				; CODE XREF: TxtpAddCacheEntry+C00j
		xor	edi, edi

loc_A77083:				; CODE XREF: TxtpAddCacheEntry+2357j
					; TxtpAddCacheEntry+2363j ...
		call	BgpFwReleaseLock
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_A77091:				; CODE XREF: TxtpAddCacheEntry+BE9j
		call	_BgpConsoleClearScreenEx@0 ; BgpConsoleClearScreenEx()
		jmp	short loc_A77081
; 

BgpDisplayCharacterGetContext:		; CODE XREF: TxtpAddCacheEntry+B55p
					; BgpBcInitializeCriticalMode+2AEp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		push	18h
		mov	edi, edx
		mov	[ebp+var_8], ecx
		xor	esi, esi
		mov	[ebp+var_C], edi
		pop	ecx
		mov	[ebp+var_4], esi
		call	BgpFwAllocateMemory
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_A7710F
		mov	ecx, [edi]
		lea	edx, [ebp+var_20]
		mov	eax, [edi+4]
		push	ecx
		push	[ebp+arg_0]
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_8]
		mov	[ebp+var_20], ecx
		mov	[ebp+var_18], ecx
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		call	BgpTxtCreateRegion
		test	eax, eax
		js	loc_A78812
		mov	esi, [ebp+var_C]
		lea	edi, [ebx+8]
		mov	ecx, [ebp+var_8]
		movsd
		movsd
		movsd
		mov	eax, [ecx+8]
		mov	esi, ebx
		mov	[ebx], eax
		mov	eax, [ecx+0Ch]
		mov	[ebx+4], eax
		mov	eax, [ebp+var_4]
		mov	[ebx+14h], eax

loc_A7710F:				; CODE XREF: TxtpAddCacheEntry+C26j
					; TxtpAddCacheEntry+2388j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

BgkDestroy:				; CODE XREF: BgkNotifyDisplayOwnershipChange:loc_5E10D8p
					; BgkInitialize+26p
		cmp	byte_6D4D58, 0
		push	ebx
		jnz	loc_A7882E
		xor	eax, eax
		pop	ebx
		retn
; 

; __stdcall BgLibraryDisable()
_BgLibraryDisable@0:			; CODE XREF: BgkNotifyDisplayOwnershipChange+7Fp
		call	_BgpFwGetCurrentIrql@0 ; BgpFwGetCurrentIrql()
		test	al, al
		jnz	short loc_A7714E
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	byte ptr dword_6B6BB8, 1
		jz	short loc_A77146
		call	BgpFwLibraryDisable

loc_A77146:				; CODE XREF: TxtpAddCacheEntry+CA9j
		call	BgpFwReleaseLock
		xor	eax, eax
		retn
; 

loc_A7714E:				; CODE XREF: TxtpAddCacheEntry+C9Bj
		mov	eax, 0C0000001h
		retn
; 

BgpFwLibraryDestroy:			; CODE XREF: BgpFwLibraryInitialize:loc_A750C6p
					; BgLibraryDestroy()+41p
		mov	edi, edi
		push	esi
		xor	ecx, ecx
		call	_BgpFoDestroy@4	; BgpFoDestroy(x)
		mov	ecx, dword_6B6C48
		xor	esi, esi
		test	ecx, ecx
		jnz	loc_A7887C

loc_A7716E:				; CODE XREF: TxtpAddCacheEntry+2412j
		mov	ecx, dword_6B6BE8
		test	ecx, ecx
		jnz	loc_A788AD

loc_A7717C:				; CODE XREF: TxtpAddCacheEntry+243Ej
		call	BgpFwLibraryDisable
		push	2
		pop	ecx
		call	ResFwBackgroundTransition
		mov	dword_6B6BB8, esi
		xor	eax, eax
		pop	esi
		retn
; 
		align 4

; __stdcall BgConsoleDestroyInterface(x)
_BgConsoleDestroyInterface@4:		; CODE XREF: BgkNotifyDisplayOwnershipChange+A4p
					; TxtpAddCacheEntry+23D5p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		cmp	esi, offset _BgpConsoleInterface
		jnz	short loc_A771D8
		mov	ecx, dword_6F9AF0
		test	ecx, ecx
		jz	short loc_A771D8
		mov	esi, [ecx+24h]
		test	esi, esi
		jz	short loc_A771CC
		mov	ecx, [esi+14h]
		call	_BgpTxtDestroyRegion@4 ; BgpTxtDestroyRegion(x)
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	ecx, dword_6F9AF0

loc_A771CC:				; CODE XREF: TxtpAddCacheEntry+D1Fj
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		and	dword_6F9AF0, 0

loc_A771D8:				; CODE XREF: TxtpAddCacheEntry+D0Ej
					; TxtpAddCacheEntry+D18j
		pop	esi
		jmp	BgpFwReleaseLock
; 

BgpFwLibraryDisable:			; CODE XREF: TxtpAddCacheEntry+CABp
					; TxtpAddCacheEntry:loc_A7717Cp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	eax, dword_6B6BB8
		push	ebx
		push	edi
		test	al, 2
		jz	loc_A772B3
		xor	ebx, ebx
		mov	[esp+10h+var_8], ebx
		mov	[esp+10h+var_4], ebx
		test	eax, 4000000h
		jnz	loc_A788D9

loc_A7720C:				; CODE XREF: TxtpAddCacheEntry+2449j
					; TxtpAddCacheEntry+245Fj
		call	AnFwFadeCompletion
		mov	ecx, dword_6B6C58
		test	ecx, ecx
		jz	short loc_A77237
		call	_BgpTxtDestroyRegion@4 ; BgpTxtDestroyRegion(x)
		mov	eax, _BgpTextRegionSave
		cmp	eax, dword_6B6C58
		jz	loc_A788FA

loc_A77231:				; CODE XREF: TxtpAddCacheEntry+246Aj
		mov	dword_6B6C58, ebx

loc_A77237:				; CODE XREF: TxtpAddCacheEntry+D83j
		xor	cl, cl
		call	AnFwDisplayProgressIndicator
		mov	ecx, dword_6B6C54
		test	ecx, ecx
		jz	short loc_A77260
		call	_BgpTxtDestroyRegion@4 ; BgpTxtDestroyRegion(x)
		mov	eax, _BgpAnimationRegionSave
		cmp	eax, dword_6B6C54
		jz	short loc_A772B9

loc_A7725A:				; CODE XREF: TxtpAddCacheEntry+E29j
		mov	dword_6B6C54, ebx

loc_A77260:				; CODE XREF: TxtpAddCacheEntry+DB0j
		mov	ecx, dword_6B6C48
		test	ecx, ecx
		jz	short loc_A77296
		call	_BgpFoDestroy@4	; BgpFoDestroy(x)
		mov	eax, dword_6B6C48
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_A77285
		test	byte ptr [eax+8], 1
		jnz	short loc_A77285
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A77285:				; CODE XREF: TxtpAddCacheEntry+DE2j
					; TxtpAddCacheEntry+DE8j
		mov	ecx, dword_6B6C48
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	dword_6B6C48, ebx

loc_A77296:				; CODE XREF: TxtpAddCacheEntry+DD2j
		call	LogFwReport
		call	ResFwpPageOutBackground
		push	7
		xor	eax, eax
		mov	edi, offset _BgInternal
		pop	ecx
		rep stosd
		and	dword_6B6BB8, 0FFFFFFFDh

loc_A772B3:				; CODE XREF: TxtpAddCacheEntry+D5Bj
		pop	edi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_A772B9:				; CODE XREF: TxtpAddCacheEntry+DC2j
		mov	_BgpAnimationRegionSave, ebx
		jmp	short loc_A7725A
; 
		align 2

; __stdcall BgpTxtDestroyRegion(x)
_BgpTxtDestroyRegion@4:			; CODE XREF: TxtpAddCacheEntry+D24p
					; TxtpAddCacheEntry+D85p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_A77318
		test	byte ptr [esi+30h], 1
		jz	short loc_A77318
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jnz	short loc_A7730B

loc_A772D8:				; CODE XREF: TxtpAddCacheEntry+E79j
					; TxtpAddCacheEntry+E80j
		mov	ecx, [esi+18h]
		test	ecx, ecx
		jz	short loc_A772EA
		test	byte ptr [ecx+10h], 1
		jnz	short loc_A772EA
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A772EA:				; CODE XREF: TxtpAddCacheEntry+E47j
					; TxtpAddCacheEntry+E4Dj
		test	byte ptr [esi+2Ch], 1
		jz	short loc_A77303
		call	_TxtpClearCache@4 ; TxtpClearCache(x)
		cmp	_RasterizerInitialized,	0
		jz	short loc_A77303
		call	_RaspClearCache@4 ; RaspClearCache(x)

loc_A77303:				; CODE XREF: TxtpAddCacheEntry+E58j
					; TxtpAddCacheEntry+E66j
		mov	ecx, esi
		pop	esi
		jmp	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
; 

loc_A7730B:				; CODE XREF: TxtpAddCacheEntry+E40j
		test	byte ptr [ecx+10h], 1
		jnz	short loc_A772D8
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	short loc_A772D8
; 

loc_A77318:				; CODE XREF: TxtpAddCacheEntry+E33j
					; TxtpAddCacheEntry+E39j
		pop	esi
		retn
; 

; __stdcall BgpFoDestroy(x)
_BgpFoDestroy@4:			; CODE XREF: TxtpAddCacheEntry+CC3p
					; TxtpAddCacheEntry+DD4p ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	_FontLibraryInitialized, 0
		push	ebx
		mov	ebx, ecx
		jz	short loc_A77354
		push	esi
		mov	esi, _FopFontFileListHead
		cmp	esi, offset _FopFontFileListHead
		jz	short loc_A77353
		push	edi

loc_A7733C:				; CODE XREF: TxtpAddCacheEntry+EBAj
		mov	[ebp+var_4], esi
		test	ebx, ebx
		jz	short loc_A77357
		cmp	[esi+8], ebx
		jz	short loc_A77357
		mov	esi, [esi]

loc_A7734A:				; CODE XREF: TxtpAddCacheEntry+EFFj
		cmp	esi, offset _FopFontFileListHead
		jnz	short loc_A7733C
		pop	edi

loc_A77353:				; CODE XREF: TxtpAddCacheEntry+EA3j
		pop	esi

loc_A77354:				; CODE XREF: TxtpAddCacheEntry+E94j
		pop	ebx
		leave
		retn
; 

loc_A77357:				; CODE XREF: TxtpAddCacheEntry+EABj
					; TxtpAddCacheEntry+EB0j
		lea	edi, [esi+18h]

loc_A7735A:				; CODE XREF: TxtpAddCacheEntry+EE0j
		mov	ecx, [edi]
		cmp	ecx, edi
		jz	short loc_A77378
		cmp	[ecx+4], edi
		jnz	short loc_A77397
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_A77397
		mov	[edi], eax
		mov	[eax+4], edi
		call	FopFreeFontData
		jmp	short loc_A7735A
; 

loc_A77378:				; CODE XREF: TxtpAddCacheEntry+EC8j
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_A77397
		mov	edx, [esi+4]
		cmp	[edx], esi
		jnz	short loc_A77397
		mov	ecx, [ebp+var_4]
		mov	[edx], eax
		mov	[eax+4], edx
		mov	esi, [esi]
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	short loc_A7734A
; 

loc_A77397:				; CODE XREF: TxtpAddCacheEntry+ECDj
					; TxtpAddCacheEntry+ED4j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

FopFreeFontData:			; CODE XREF: TxtpAddCacheEntry+EDBp
					; FopInitializeFonts+F8p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		lea	eax, [edi+50h]
		mov	esi, [eax]
		cmp	esi, eax
		jnz	short loc_A773E0

loc_A773AF:				; CODE XREF: TxtpAddCacheEntry+24ADj
		mov	ecx, [edi+10h]
		test	ecx, ecx
		jz	short loc_A773BB
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A773BB:				; CODE XREF: TxtpAddCacheEntry+F1Ej
		mov	esi, [edi+0Ch]
		test	esi, esi
		jz	short loc_A773D5
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_A773CE
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A773CE:				; CODE XREF: TxtpAddCacheEntry+F31j
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A773D5:				; CODE XREF: TxtpAddCacheEntry+F2Aj
		mov	ecx, edi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		pop	edi
		pop	esi
		leave
		retn
; 

loc_A773E0:				; CODE XREF: TxtpAddCacheEntry+F17j
		push	ebx
		jmp	loc_A78905
; 

; __stdcall BgDisplayBackgroundUpdate(x)
_BgDisplayBackgroundUpdate@4:		; CODE XREF: TxtpAddCacheEntry+23BAp
					; BgkDisplayBackgroundUpdate()+17p
		mov	edi, edi
		push	ebx
		push	esi
		mov	bl, cl
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	byte ptr dword_6B6BB8, 1
		jz	short loc_A7740D
		mov	cl, bl
		call	AnFwDisplayBackgroundUpdate
		mov	esi, eax

loc_A77403:				; CODE XREF: TxtpAddCacheEntry+F7Cj
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_A7740D:				; CODE XREF: TxtpAddCacheEntry+F62j
		mov	esi, 0C0000001h
		jmp	short loc_A77403
; 

AnFwDisplayBackgroundUpdate:		; CODE XREF: TxtpAddCacheEntry+F66p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		xor	ebx, ebx
		test	dword_6B6BB8, 4000000h
		push	esi
		push	edi
		mov	[esp+5Ch+var_3C], ebx
		mov	[esp+5Ch+var_38], ebx
		mov	[esp+5Ch+var_44], ebx
		mov	dword ptr [esp+5Ch+var_40], ebx
		mov	[esp+5Ch+var_4C], ebx
		mov	[esp+5Ch+var_48], ebx
		jnz	loc_A78948

loc_A7744C:				; CODE XREF: TxtpAddCacheEntry+25FBj
					; TxtpAddCacheEntry+2611j
		xor	eax, eax

loc_A7744E:				; CODE XREF: TxtpAddCacheEntry+24C7j
					; TxtpAddCacheEntry+24EAj ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 
		align 2

; __stdcall BgReleaseSpinLock()
_BgReleaseSpinLock@0:			; CODE XREF: BgkSetVirtualFrameBuffer+127p
		jmp	BgpFwReleaseLock
; 
		align 4

; __stdcall BgAcquireSpinLock()
_BgAcquireSpinLock@0:			; CODE XREF: BgkSetVirtualFrameBuffer:loc_57C046p
					; BgkSetVirtualFrameBuffer:loc_5FA730p
		jmp	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
; 
		align 2

BgGetIsColorOverridden:			; CODE XREF: BgkSetVirtualFrameBuffer+38p
		cmp	byte_6B6CF4, 0
		jnz	loc_A78AAC
		xor	al, al
		retn
; 

; __stdcall BgpGxRectangleDestroy(x)
_BgpGxRectangleDestroy@4:		; CODE XREF: KeRegisterBugCheckCallback:loc_57CFF9p
					; BgpGxConvertRectangle(x,x)+28p ...
		test	ecx, ecx
		jz	short loc_A77481
		test	byte ptr [ecx+10h], 1
		jnz	short loc_A77481
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A77481:				; CODE XREF: TxtpAddCacheEntry+FDEj
					; TxtpAddCacheEntry+FE4j
		xor	eax, eax
		retn
; 

; char ??_C
??_C@_0CK@KDGCPFMN@BGFX?5system?5font?5initialization@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry:loc_A7818Ao
		inc	edx
		inc	edi
		inc	esi
		pop	eax
		and	[ebx+79h], dh
		jnb	short loc_A77501
		db	65h
		insd
		and	[esi+6Fh], ah
		outsb
		jz	short near ptr loc_A774B2+3
		imul	ebp, [esi+69h],	6C616974h
		imul	edi, [edx+61h],	6E6F6974h
		and	[esi+61h], ah
		imul	ebp, [ebp+esi*2+arg_6A], 0A2165h

; char ??_C
??_C@_0CC@EIIJKON@BGFX?5Display?5Ready?5Time?5?$CIms?$CJ?3?5?$CF@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+2527o
		inc	edx
		inc	edi
		inc	esi
		pop	eax

loc_A774B2:				; CODE XREF: TxtpAddCacheEntry+FFDj
		and	[ecx+ebp*2+73h], al
		jo	short loc_A77524
		popa
		jns	short near ptr loc_A774DA+1
		push	edx
		db	65h
		popa
		db	64h
		jns	short near ptr loc_A774DE+3
		push	esp
		imul	ebp, [ebp+arg_5D], 736D2820h
		sub	[edx], edi
; 
		db 20h
		dd 0A6425h
; 

; char ??_C
??_C@_0DH@PPDDDJGB@BGFX?5Secondary?5Logo?5Bitmap?5Disp@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+2539o
		inc	edx
		inc	edi
		inc	esi
		pop	eax
		and	[ebx+65h], dl
		arpl	[edi+6Eh], bp

loc_A774DA:				; CODE XREF: TxtpAddCacheEntry+1023j
		db	64h
		popa
		jb	short near ptr loc_A77553+4

loc_A774DE:				; CODE XREF: TxtpAddCacheEntry+1028j
		and	[edi+ebp*2+67h], cl
		outsd
		and	[edx+69h], al
		jz	short near ptr loc_A77553+2
		popa
		jo	short loc_A7750B
		inc	esp
		imul	esi, [ebx+70h],	2079616Ch
		push	esp
		imul	ebp, [ebp+arg_5D], 414F4720h
		dec	esp
		and	[eax], ch
		insd
		jnb	short near ptr loc_A77524+6

loc_A77501:				; CODE XREF: TxtpAddCacheEntry+FF5j
		cmp	ah, [eax]
		and	eax, 0CC000A64h

; char ??_C
??_C@_0DC@GCMNOGDC@BGFX?5Secondary?5Logo?5Bitmap?5Disp@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+2568o
					; AnFwpBackgroundUpdateTimer(x,x,x,x)+85o
		inc	edx
		inc	edi
		inc	esi

loc_A7750B:				; CODE XREF: TxtpAddCacheEntry+1053j
		pop	eax
		and	[ebx+65h], dl
		arpl	[edi+6Eh], bp
		db	64h
		popa
		jb	short near ptr loc_A7758A+5
		and	[edi+ebp*2+67h], cl
		outsd
		and	[edx+69h], al
		jz	short near ptr loc_A7758A+3
		popa
		jo	short near ptr loc_A77542+1
		inc	esp

loc_A77524:				; CODE XREF: TxtpAddCacheEntry+1020j
					; TxtpAddCacheEntry+1069j
		imul	esi, [ebx+70h],	2079616Ch
		push	esp
		imul	ebp, [ebp+arg_5D], 736D2820h
		sub	[edx], edi
; 
		db 20h,	25h, 64h
; 
		or	al, [eax]

; char ??_C
??_C@_0EE@GCGMJBFL@?6?$CL?9?9BGFX?9REPORT?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry:loc_A77C01o
		or	ch, [ebx]
		sub	eax, 4647422Dh
		pop	eax

loc_A77542:				; CODE XREF: TxtpAddCacheEntry+108Bj
		sub	eax, 4F504552h
		push	edx
		push	esp
		sub	eax, 2D2D2D2Dh
		sub	eax, 2D2D2D2Dh

loc_A77553:				; CODE XREF: TxtpAddCacheEntry+1050j
					; TxtpAddCacheEntry+1046j
		sub	eax, 2D2D2D2Dh
		sub	eax, 7C0A2B2Dh
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		jl	short loc_A77587
; 
		db 0
; 

; char ??_C
??_C@_0BN@ODGFCIO@?$HM?5?5ProgressHigh?3?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+186Co
		jl	short near ptr loc_A7759E+2
		and	[eax+72h], dl
		outsd
		db	67h
		jb	near ptr 75ECh

loc_A77587:				; CODE XREF: TxtpAddCacheEntry+10E5j
		jnb	short loc_A775FC
		dec	eax

loc_A7758A:				; CODE XREF: TxtpAddCacheEntry+1088j
					; TxtpAddCacheEntry+107Ej
		imul	esp, [edi+68h],	2020203Ah
		and	[eax], ah
		and	eax, 20207538h
		jl	short near ptr loc_A775A2+2
		add	ah, cl

; char ??_C
??_C@_0FK@OGIJBCGD@?$HM?5?5ProgressManual?3?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+18C5o
		jl	short loc_A775BE

loc_A7759E:				; CODE XREF: TxtpAddCacheEntry:??_C@_0BN@ODGFCIO@?$HM?5?5ProgressHigh?3?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@j
		and	[eax+72h], dl
		outsd

loc_A775A2:				; CODE XREF: TxtpAddCacheEntry+1102j
		db	67h
		jb	near ptr 760Ah
		jnb	short loc_A7761A
		dec	ebp
		popa
		outsb
		jnz	short near ptr loc_A7760B+2
		insb
		cmp	ah, [eax]
		and	[eax], ah
		and	eax, 20207538h
		jl	short near ptr loc_A775C1+1
		jl	short loc_A775DA
		and	[eax+72h], dl
		outsd

loc_A775BE:				; CODE XREF: TxtpAddCacheEntry:??_C@_0FK@OGIJBCGD@?$HM?5?5ProgressManual?3?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@j
		db	67h
		jb	near ptr 7626h

loc_A775C1:				; CODE XREF: TxtpAddCacheEntry+1120j
		jnb	short near ptr loc_A77634+2
		push	esp
		outsd
		jz	short near ptr loc_A77627+1
		insb
		cmp	ah, [eax]
		and	[eax], ah
		and	ds:20207538h, ah
		jl	short loc_A775DE
		jl	short ??_C@_0BN@KLGDPMN@?$HM?5?5ProgressMemory?3?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@
		and	[eax], ah
		and	[eax], ah

loc_A775DA:				; CODE XREF: TxtpAddCacheEntry+1122j
		and	[eax], ah
		and	[eax], ah

loc_A775DE:				; CODE XREF: TxtpAddCacheEntry+113Cj
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[edx+ecx+0], bh

; char ??_C
??_C@_0BN@KLGDPMN@?$HM?5?5ProgressMemory?3?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@:
					; CODE XREF: TxtpAddCacheEntry+113Ej
					; DATA XREF: TxtpAddCacheEntry+1800o
		jl	short near ptr loc_A77616+2
		and	[eax+72h], dl
		outsd

loc_A775FC:				; CODE XREF: TxtpAddCacheEntry:loc_A77587j
		db	67h
		jb	near ptr 7664h
		jnb	short loc_A77674
		dec	ebp
		db	65h
		insd
		outsd
		jb	short near ptr loc_A7767E+2
		cmp	ah, [eax]
		and	[eax], ah

loc_A7760B:				; CODE XREF: TxtpAddCacheEntry+1114j
		and	eax, 20207538h
		jl	short near ptr loc_A7761A+2
		add	ah, cl

; char ??_C
??_C@_0BN@NGBHLPEK@?$HM?5?5ProgressLow?3?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+1836o
		jl	short near ptr loc_A77634+2

loc_A77616:				; CODE XREF: TxtpAddCacheEntry:??_C@_0BN@KLGDPMN@?$HM?5?5ProgressMemory?3?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@j
		and	[eax+72h], dl
		outsd

loc_A7761A:				; CODE XREF: TxtpAddCacheEntry+110Fj
					; TxtpAddCacheEntry+117Aj
		db	67h
		jb	near ptr 7682h
		jnb	short loc_A77692
		dec	esp
		outsd
		ja	short near ptr loc_A7765C+1
		and	[eax], ah
		and	[eax], ah

loc_A77627:				; CODE XREF: TxtpAddCacheEntry+112Fj
		and	[eax], ah
		and	eax, 20207538h
		jl	short near ptr loc_A77638+2
		add	ah, cl

; char ??_C
??_C@_0BN@OJAJOAEP@?$HM?5?5ProgressProlog?3?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+17DCo
		jl	short near ptr loc_A77652+2

loc_A77634:				; CODE XREF: TxtpAddCacheEntry:loc_A775C1j
					; TxtpAddCacheEntry:??_C@_0BN@NGBHLPEK@?$HM?5?5ProgressLow?3?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@j
		and	[eax+72h], dl
		outsd

loc_A77638:				; CODE XREF: TxtpAddCacheEntry+1198j
		db	67h
		jb	near ptr 76A0h
		jnb	short loc_A776B0
		push	eax
		jb	short near ptr loc_A776AE+1
		insb
		outsd
		cmp	ah, [bx+si]
		and	[eax], ah
		and	eax, 20207538h
		jl	short near ptr loc_A77656+2
		add	ah, cl

; char ??_C
??_C@_0BN@PGCGDLEG@?$HM?5?5ProgressFrames?3?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+17EEo
		jl	short near ptr loc_A77670+2

loc_A77652:				; CODE XREF: TxtpAddCacheEntry:??_C@_0BN@OJAJOAEP@?$HM?5?5ProgressProlog?3?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@j
		and	[eax+72h], dl
		outsd

loc_A77656:				; CODE XREF: TxtpAddCacheEntry+11B6j
		db	67h
		jb	near ptr 76BEh
		jnb	short ??_C@_0DN@JGDHGKIJ@?$HM?5?5AnimationTotal?3?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@
		inc	esi

loc_A7765C:				; CODE XREF: TxtpAddCacheEntry+118Bj
		jb	short near ptr loc_A776BE+1
		insd
		db	65h
		jnb	short near ptr loc_A77698+4
		and	[eax], ah
		and	ds:20207538h, ah
		jl	short loc_A77676
		add	ah, cl

; char ??_C
??_C@_0CB@DMAFNDNC@?$HM?5?5DisplayMode?3?5?5?$CF4ux?$CF4ux?$CF2u?5?5?$HM@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+178Fo
		jl	short ??_C@_0DO@PACHIGEC@?$HM?5?5LogoSize?3?5?5?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@

loc_A77670:				; CODE XREF: TxtpAddCacheEntry:??_C@_0BN@PGCGDLEG@?$HM?5?5ProgressFrames?3?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@j
		and	[ecx+ebp*2+73h], al

loc_A77674:				; CODE XREF: TxtpAddCacheEntry+1169j
		jo	short near ptr loc_A776E1+1

loc_A77676:				; CODE XREF: TxtpAddCacheEntry+11D4j
		popa
		jns	short loc_A776C6
		outsd
		db	64h
		cmp	ah, gs:[eax]

loc_A7767E:				; CODE XREF: TxtpAddCacheEntry+116Fj
		and	ds:25787534h, ah
		xor	al, 75h
		js	short near ptr loc_A776AC+1
		xor	dh, [ebp+arg_18]
		and	[edx+ecx+0], bh
		int	3		; Trap to Debugger

; char ??_C
??_C@_0DO@PACHIGEC@?$HM?5?5LogoSize?3?5?5?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@:
					; CODE XREF: TxtpAddCacheEntry:??_C@_0CB@DMAFNDNC@?$HM?5?5DisplayMode?3?5?5?$CF4ux?$CF4ux?$CF2u?5?5?$HM@CIJCHKMG@j
					; DATA XREF: TxtpAddCacheEntry+17A1o
		jl	short loc_A776B2

loc_A77692:				; CODE XREF: TxtpAddCacheEntry+1187j
		and	[edi+ebp*2+67h], cl
		outsd
		push	ebx

loc_A77698:				; CODE XREF: TxtpAddCacheEntry+11C9j
		imul	edi, [edx+65h],	2020203Ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	eax, 20207538h
		jl	short loc_A776B6

loc_A776AC:				; CODE XREF: TxtpAddCacheEntry+11F0j
		jl	short ??_C@_0DN@JGDHGKIJ@?$HM?5?5AnimationTotal?3?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@

loc_A776AE:				; CODE XREF: TxtpAddCacheEntry+11A8j
		and	[eax], ah

loc_A776B0:				; CODE XREF: TxtpAddCacheEntry+11A5j
		and	[eax], ah

loc_A776B2:				; CODE XREF: TxtpAddCacheEntry:??_C@_0DO@PACHIGEC@?$HM?5?5LogoSize?3?5?5?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@j
		and	[eax], ah
		and	[eax], ah

loc_A776B6:				; CODE XREF: TxtpAddCacheEntry+1214j
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah

loc_A776BE:				; CODE XREF: TxtpAddCacheEntry:loc_A7765Cj
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah

loc_A776C6:				; CODE XREF: TxtpAddCacheEntry+11E1j
		and	[eax], ah
		and	[eax], ah
		and	[edx+ecx+0], bh

; char ??_C
??_C@_0DN@JGDHGKIJ@?$HM?5?5AnimationTotal?3?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@:
					; CODE XREF: TxtpAddCacheEntry+11C3j
					; TxtpAddCacheEntry:loc_A776ACj
					; DATA XREF: ...
		jl	short loc_A776F0
		and	[ecx+6Eh], al
		imul	ebp, [ebp+arg_59], 6E6F6974h
		push	esp
		outsd
		jz	short loc_A7773F
		insb
		cmp	ah, [eax]

loc_A776E1:				; CODE XREF: TxtpAddCacheEntry:loc_A77674j
		and	[eax], ah
		and	eax, 20207538h
		jl	short loc_A776F4
		jl	short ??_C@_0DO@OKNIDDAM@?6?$HM?5?5ResidentSize?3?5?5?5?5?5?$CF8u?5?5?$HM?6?$HM?5@CIJCHKMG@
		and	[eax], ah
		and	[eax], ah

loc_A776F0:				; CODE XREF: TxtpAddCacheEntry:??_C@_0DN@JGDHGKIJ@?$HM?5?5AnimationTotal?3?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@j
		and	[eax], ah
		and	[eax], ah

loc_A776F4:				; CODE XREF: TxtpAddCacheEntry+1252j
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax+eax-34h], bh

; char ??_C
??_C@_0DO@OKNIDDAM@?6?$HM?5?5ResidentSize?3?5?5?5?5?5?$CF8u?5?5?$HM?6?$HM?5@CIJCHKMG@:
					; CODE XREF: TxtpAddCacheEntry+1254j
					; DATA XREF: TxtpAddCacheEntry+1A2Bo
		or	bh, [eax+20h]
		push	edx
		db	65h
		jnb	short loc_A7777D
		db	64h
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_A7776A+2
		imul	edi, [edx+65h],	2020203Ah
		and	[eax], ah
		and	eax, 20207538h
		jl	short loc_A77733
		jl	short near ptr ??_C@_0BN@JFBHJIPA@?$HM?5?5FadeHigh?3?5?5?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@+1
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah

loc_A77733:				; CODE XREF: TxtpAddCacheEntry+1291j
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah

loc_A7773F:				; CODE XREF: TxtpAddCacheEntry+1246j
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
; 
		db 20h
; 
		jl	short $+2

; char ??_C
??_C@_0BN@JFBHJIPA@?$HM?5?5FadeHigh?3?5?5?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@:
					; CODE XREF: TxtpAddCacheEntry+1293j
					; DATA XREF: TxtpAddCacheEntry+199Fo
		jl	short near ptr loc_A7776A+2
		and	[esi+61h], al
		db	64h, 65h
		dec	eax
		imul	esp, [edi+68h],	2020203Ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	eax, 20207538h
		jl	short loc_A77770
		add	ah, cl

; char ??_C
??_C@_0FK@GKFDBAK@?$HM?5?5FadeOverlap?3?5?5?5?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+19DBo
		jl	short near ptr loc_A77789+1

loc_A7776A:				; CODE XREF: TxtpAddCacheEntry+1281j
					; TxtpAddCacheEntry:??_C@_0BN@JFBHJIPA@?$HM?5?5FadeHigh?3?5?5?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@j
		and	[esi+61h], al
		db	64h, 65h
		dec	edi

loc_A77770:				; CODE XREF: TxtpAddCacheEntry+12CEj
		jbe	short loc_A777D7
		jb	short loc_A777E0
		popa
		jo	short near ptr loc_A777B0+1
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah

loc_A7777D:				; CODE XREF: TxtpAddCacheEntry+127Bj
		and	eax, 20207538h
		jl	short near ptr loc_A7778D+1
		jl	short loc_A777A6
		and	[esi+61h], al

loc_A77789:				; CODE XREF: TxtpAddCacheEntry:??_C@_0FK@GKFDBAK@?$HM?5?5FadeOverlap?3?5?5?5?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@j
		db	64h, 65h
		push	esp
		outsd

loc_A7778D:				; CODE XREF: TxtpAddCacheEntry+12ECj
		jz	short near ptr loc_A777EF+1
		insb
		cmp	ah, [eax]
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	ds:20207538h, ah
		jl	short loc_A777AA
		jl	short ??_C@_0FF@NNGMNLHE@?$HM?5?5FadeMemory?3?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@
		and	[eax], ah
		and	[eax], ah

loc_A777A6:				; CODE XREF: TxtpAddCacheEntry+12EEj
		and	[eax], ah
		and	[eax], ah

loc_A777AA:				; CODE XREF: TxtpAddCacheEntry+1308j
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah

loc_A777B0:				; CODE XREF: TxtpAddCacheEntry+12DFj
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[edx+ecx+0], bh

; char ??_C
??_C@_0FF@NNGMNLHE@?$HM?5?5FadeMemory?3?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@:
					; CODE XREF: TxtpAddCacheEntry+130Aj
					; DATA XREF: TxtpAddCacheEntry+1933o
		jl	short near ptr loc_A777E3+1
		and	[esi+61h], al
		db	64h, 65h
		dec	ebp
		db	65h
		insd
		outsd
		jb	short near ptr loc_A77847+1
		cmp	ah, [eax]
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah

loc_A777D7:				; CODE XREF: TxtpAddCacheEntry:loc_A77770j
		and	eax, 20207538h
		jl	short near ptr loc_A777E7+1
		jl	short near ptr loc_A777FF+1

loc_A777E0:				; CODE XREF: TxtpAddCacheEntry+12DCj
		and	[esi+61h], al

loc_A777E3:				; CODE XREF: TxtpAddCacheEntry:??_C@_0FF@NNGMNLHE@?$HM?5?5FadeMemory?3?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@j
		db	64h, 65h
		dec	ecx
		outsd

loc_A777E7:				; CODE XREF: TxtpAddCacheEntry+1346j
		cmp	ah, [eax]
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah

loc_A777EF:				; CODE XREF: TxtpAddCacheEntry:loc_A7778Dj
		and	[eax], ah
		and	[eax], ah
		and	eax, 20207538h
		jl	short loc_A77804
		jl	short near ptr loc_A7781A+2
		and	[esi+61h], al

loc_A777FF:				; CODE XREF: TxtpAddCacheEntry+1348j
		db	64h, 65h
		inc	ebx
		jo	short near ptr loc_A77876+3

loc_A77804:				; CODE XREF: TxtpAddCacheEntry+1362j
		cmp	ah, [eax]
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	ds:20207538h, ah
		jl	short loc_A77820
		add	ah, cl

; char ??_C
??_C@_0BN@MJJFONFH@?$HM?5?5FadeLow?3?5?5?5?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+1969o
		jl	short near ptr loc_A77838+2

loc_A7781A:				; CODE XREF: TxtpAddCacheEntry+1364j
		and	[esi+61h], al
		db	64h, 65h
		dec	esp

loc_A77820:				; CODE XREF: TxtpAddCacheEntry+137Ej
		outsd
		ja	short near ptr loc_A7785C+1
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	eax, 20207538h
		jl	short loc_A7783E
		add	ah, cl

; char ??_C
??_C@_0BN@PLIMGGAK@?$HM?5?5FadeProlog?3?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+1903o
		jl	short near ptr loc_A77856+2

loc_A77838:				; CODE XREF: TxtpAddCacheEntry:??_C@_0BN@MJJFONFH@?$HM?5?5FadeLow?3?5?5?5?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@j
		and	[esi+61h], al
		db	64h, 65h
		push	eax

loc_A7783E:				; CODE XREF: TxtpAddCacheEntry+139Cj
		jb	short loc_A778AF
		insb
		outsd
		cmp	ah, [bx+si]
		and	[eax], ah

loc_A77847:				; CODE XREF: TxtpAddCacheEntry+1337j
		and	[eax], ah
		and	[eax], ah
		and	eax, 20207538h
		jl	short loc_A7785C
		add	ah, cl

; char ??_C
??_C@_0BN@JIEMMGMJ@?$HM?5?5FadeFrames?3?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+1915o
		jl	short loc_A77876

loc_A77856:				; CODE XREF: TxtpAddCacheEntry:??_C@_0BN@PLIMGGAK@?$HM?5?5FadeProlog?3?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@j
		and	[esi+61h], al
		db	64h, 65h
		inc	esi

loc_A7785C:				; CODE XREF: TxtpAddCacheEntry+13BAj
					; TxtpAddCacheEntry+138Bj
		jb	short loc_A778BF
		insd
		db	65h
		jnb	short near ptr loc_A7789A+2
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	ds:20207538h, ah
		jl	short near ptr loc_A77876+4
		add	ah, cl

??_C@_1O@BLHDEIAD@?$AAH?$AAe?$AAi?$AAg?$AAh?$AAt@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+3FAo
		dec	eax
		add	[ebp+0], ah

loc_A77876:				; CODE XREF: TxtpAddCacheEntry:??_C@_0BN@JIEMMGMJ@?$HM?5?5FadeFrames?3?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@j
					; TxtpAddCacheEntry+136Cj ...
		imul	eax, [eax], 680067h
		jz	short $+2
; 
		dw 0
; 

??_C@_17DGOGOCFD@?$AAB?$AAP?$AAP@CIJCHKMG@: ; DATA XREF: TxtpAddCacheEntry+428o
		inc	edx
		add	[eax+0], dl
		push	eax
; 
		db 3 dup(0)
; 

??_C@_1O@BJIMCIMK@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+394o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
; 
		db 2 dup(0)
; 

??_C@_1M@NLLLJLND@?$AAW?$AAi?$AAd?$AAt?$AAh@CIJCHKMG@: ; DATA XREF: TxtpAddCacheEntry+3CCo
		push	edi
		add	[ecx+0], ch

loc_A7789A:				; CODE XREF: TxtpAddCacheEntry+13C9j
		add	fs:[eax+eax+68h], dh
; 
		db 0
		db 2 dup(0)
; 

??_C@_1GG@IBGAEKLO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+2D0o
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp

loc_A778AF:				; CODE XREF: TxtpAddCacheEntry:loc_A7783Ej
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx

loc_A778BF:				; CODE XREF: TxtpAddCacheEntry:loc_A7785Cj
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+0], ch
; 
		db 0
; 

??_C@_19HCNKEFNM@?$AAB?$AAG?$AAF?$AAX@CIJCHKMG@: ; DATA	XREF: TxtpAddCacheEntry+32Fo
		inc	edx
		add	[edi+0], al
		inc	esi
		add	[eax+0], bl
; 
		db 2 dup(0)
; 

; char ??_C
??_C@_0DO@FFIMIMLK@?6?$HM?5?5CompressBitmapsCPU?3?5?$CF8u?$HM?6?$HM?5@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+1A61o
		or	bh, [eax+20h]
		inc	ebx
		outsd
		insd
		jo	short near ptr byte_A7798D
		db	65h
		jnb	short near ptr loc_A7798F+2
		inc	edx
		imul	esi, [ebp+ebp*2+arg_59], 50437370h
		push	ebp
		cmp	ah, [eax]
		and	eax, 0A7C7538h
		jl	short near ptr ??_C@_0CE@OCMPJNJB@?6?$CL?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9@CIJCHKMG@+1
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
		and	[eax], ah
; 
		db 20h,	7Ch, 0
; 

; char ??_C
??_C@_0CE@OCMPJNJB@?6?$CL?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9@CIJCHKMG@:
					; CODE XREF: TxtpAddCacheEntry+1499j
					; DATA XREF: TxtpAddCacheEntry+1A6Do
		or	ch, [ebx]
		sub	eax, 2D2D2D2Dh
		sub	eax, 2D2D2D2Dh
		sub	eax, 2D2D2D2Dh
		sub	eax, 2D2D2D2Dh
		sub	eax, 2D2D2D2Dh
		sub	eax, 2D2D2D2Dh
		sub	ecx, [edx]
		or	al, [eax]

??_C@_1BK@OKKJACAK@?$AAR?$AAe?$AAs?$AAi?$AAd?$AAe?$AAn?$AAt?$AAS?$AAi?$AAz?$AAe@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+5DAo
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		imul	eax, [eax], 650064h
		outsb
		add	[eax+eax+53h], dh
		add	[ecx+0], ch
		jp	short $+2
		add	gs:[eax], al
; 
byte_A7798D	db 0			; CODE XREF: TxtpAddCacheEntry+1483j
; 

??_C@_1BM@COBHJJH@?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs?$AAT?$AAo?$AAt?$AAa?$AAl@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry:loc_A76AA0o
		push	eax

loc_A7798F:				; CODE XREF: TxtpAddCacheEntry+1485j
		add	[edx+0], dh
		outsd
		add	[edi+0], ah
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		push	esp
		add	[edi+0], ch
		jz	short $+2
		popa
		add	[eax+eax+0], ch
; 
		db 0
; 

??_C@_1BI@PKOLCIDD@?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs?$AAL?$AAo?$AAw@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+534o
		push	eax
		add	[edx+0], dh
		outsd
		add	[edi+0], ah
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		dec	esp
		add	[edi+0], ch
		ja	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BK@PDBOEDKL@?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs?$AAH?$AAi?$AAg?$AAh@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+583o
		push	eax
		add	[edx+0], dh
		outsd
		add	[edi+0], ah
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		dec	eax
		add	[ecx+0], ch
		add	[bx+si+0], ch
; 
		dw 0
; 

??_C@_1BO@NENAMIAE@?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+4B2o
		push	eax
		add	[edx+0], dh
		outsd
		add	[edi+0], ah
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jb	short $+2
		jns	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BO@PIOMGGHH@?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs?$AAP?$AAr?$AAo?$AAl?$AAo?$AAg@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+4E0o
		push	eax
		add	[edx+0], dh
		outsd
		add	[edi+0], ah
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+6Fh], ch
		add	[edi+0], ah
; 
		dw 0
; 

??_C@_1BC@BCLKKLI@?$AAL?$AAo?$AAg?$AAo?$AAS?$AAi?$AAz?$AAe@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+456o
		dec	esp
		add	[edi+0], ch
		add	[bx+0],	ch
		push	ebx
		add	[ecx+0], ch
		jp	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1BO@MKBPMCCO@?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs?$AAF?$AAr?$AAa?$AAm?$AAe?$AAs@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+484o
		push	eax
		add	[edx+0], dh
		outsd
		add	[edi+0], ah
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		inc	esi
		add	[edx+0], dh
		popa
		add	[ebp+0], ch
		add	gs:[ebx+0], dh
; 
		dw 0
; 

??_C@_1BG@DBMMFBHN@?$AAF?$AAa?$AAd?$AAe?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+7AFo
		inc	esi
		add	[ecx+0], ah
		add	fs:[ebp+0], ah
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jb	short $+2
		jns	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BA@BCJLCPKA@?$AAF?$AAa?$AAd?$AAe?$AAL?$AAo?$AAw@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+7DDo
		inc	esi
		add	[ecx+0], ah
		add	fs:[ebp+0], ah
		dec	esp
		add	[edi+0], ch
		ja	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BA@JDDCEFMJ@?$AAF?$AAa?$AAd?$AAe?$AAC?$AAp?$AAu@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+753o
		inc	esi
		add	[ecx+0], ah
		add	fs:[ebp+0], ah
		inc	ebx
		add	[eax+0], dh
		jnz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BG@CPADFLFH@?$AAF?$AAa?$AAd?$AAe?$AAF?$AAr?$AAa?$AAm?$AAe?$AAs@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+781o
		inc	esi
		add	[ecx+0], ah
		add	fs:[ebp+0], ah
		inc	esi
		add	[edx+0], dh
		popa
		add	[ebp+0], ch
		add	gs:[ebx+0], dh
; 
		dw 0
; 

??_C@_1BI@CCFJBEBE@?$AAF?$AAa?$AAd?$AAe?$AAO?$AAv?$AAe?$AAr?$AAl?$AAa?$AAp@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+6F7o
		inc	esi
		add	[ecx+0], ah
		add	fs:[ebp+0], ah
		dec	edi
		add	[esi+0], dh
		add	gs:[edx+0], dh
		insb
		add	[ecx+0], ah
		jo	short $+2
; 
		dw 0
; 

??_C@_1O@CPNNKMDM@?$AAF?$AAa?$AAd?$AAe?$AAI?$AAo@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+725o
		inc	esi
		add	[ecx+0], ah
		add	fs:[ebp+0], ah
		dec	ecx
		add	[edi+0], ch
; 
		db 2 dup(0)
; 

??_C@_1BO@DDBPLCAD@?$AAP?$AAr?$AAo?$AAg?$AAr?$AAe?$AAs?$AAs?$AAM?$AAa?$AAn?$AAu?$AAa?$AAl@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+659o
		push	eax
		add	[edx+0], dh
		outsd
		add	[edi+0], ah
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ebp+0], dh
		popa
		add	[eax+eax+0], ch
; 
		db 0
; 

??_C@_1BG@BNPAPPAO@?$AAF?$AAa?$AAd?$AAe?$AAP?$AAr?$AAo?$AAl?$AAo?$AAg@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+6A8o
		inc	esi
		add	[ecx+0], ah
		add	fs:[ebp+0], ah
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+6Fh], ch
		add	[edi+0], ah
; 
		db 2 dup(0)
; 

??_C@_1BO@CNLGPJFB@?$AAA?$AAn?$AAi?$AAm?$AAa?$AAt?$AAi?$AAo?$AAn?$AAT?$AAo?$AAt?$AAa?$AAl@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+8CAo
		inc	ecx
		add	[esi+0], ch
		imul	eax, [eax], 61006Dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	esp
		add	[edi+0], ch
		jz	short $+2
		popa
		add	[eax+eax+0], ch
; 
		db 0
; 

??_C@_1CA@EMPMDDHK@?$AAC?$AAo?$AAm?$AAp?$AAr?$AAe?$AAs?$AAs?$AAB?$AAi?$AAt?$AAm?$AAa?$AAp?$AAs@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+919o
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		inc	edx
		add	[ecx+0], ch
		jz	short $+2
		insd
		add	[ecx+0], ah
		jo	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BC@DHBGOHKB@?$AAF?$AAa?$AAd?$AAe?$AAH?$AAi?$AAg?$AAh@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+82Co
		inc	esi
		add	[ecx+0], ah
		add	fs:[ebp+0], ah
		dec	eax
		add	[ecx+0], ch
		add	[bx+si+0], ch
; 
		db 2 dup(0)
; 

??_C@_1BE@CJLFDCOE@?$AAF?$AAa?$AAd?$AAe?$AAT?$AAo?$AAt?$AAa?$AAl@CIJCHKMG@:
					; DATA XREF: TxtpAddCacheEntry+87Bo
		inc	esi
		add	[ecx+0], ah
		add	fs:[ebp+0], ah
		push	esp
		add	[edi+0], ch
		jz	short $+2
		popa
		add	[eax+eax+0], ch

loc_A77B51:				; CODE XREF: ResFwFreeContext+Fj
		add	[ebx-3F7AFBBAh], cl
		jz	short loc_A77B69
		push	eax
		call	_MmFreePagesFromMdl@4 ;	MmFreePagesFromMdl(x)
		push	0
		push	dword ptr [esi+4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_A77B69:				; CODE XREF: TxtpAddCacheEntry+16C1j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_A77B6D:				; CODE XREF: ResFwFreeContext+30j
		push	offset unk_6F9F80
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		mov	byte_6CEA90, bl
		jmp	loc_A74092
; 

loc_A77B82:				; CODE XREF: ResFwGetContext+Dj
		mov	eax, 0C000000Dh
		jmp	loc_A742FB
; 

loc_A77B8C:				; CODE XREF: ResFwGetContext+1Fj
		mov	eax, 0C0000001h
		jmp	loc_A742FA
; 

loc_A77B96:				; CODE XREF: AnFwpProgressAnimationManual+B6j
					; AnFwpProgressAnimationManual+BFj
		inc	si
		mov	word_6B3EAC, si
		jmp	loc_A743C9
; 

loc_A77BA4:				; CODE XREF: AnFwpProgressAnimationManual+151j
					; AnFwpProgressAnimationManual+15Fj
		xor	ecx, ecx
		call	_BgpFwQueryPerformanceCounter@4	; BgpFwQueryPerformanceCounter(x)
		sub	eax, esi
		mov	dword_6D4B40, eax
		sbb	edx, edi
		mov	dword_6D4B44, edx
		jmp	loc_A7437F
; 

loc_A77BBF:				; CODE XREF: BgkpLockBgfxCodeSection+52j
		test	al, 4
		jnz	loc_A74626
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_A74626
; 

loc_A77BD3:				; CODE XREF: BgkpUnlockBgfxCodeSection+41j
		test	al, 4
		jnz	loc_A74685
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		jmp	loc_A74685
; 

loc_A77BE7:				; CODE XREF: ResFwpPageOutBackground+71j
		call	BgpFwReleaseLock
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		pop	ebx
		pop	edi
		jmp	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
; 

loc_A77BFB:				; CODE XREF: ResFwpPageOutBackground+1Dj
					; ResFwpPageOutBackground+A0j
		pop	edi
		jmp	locret_A74777
; 

loc_A77C01:				; CODE XREF: LogFwReport+FCj
		push	offset ??_C@_0EE@GCGMJBFL@?6?$CL?9?9BGFX?9REPORT?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9@CIJCHKMG@ ; char *
		push	ebx		; int
		push	65h
		pop	esi
		push	esi		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		push	dword_6D4B70
		push	dword_6D4B9C
		push	dword_6D4B98	; char
		push	offset ??_C@_0CB@DMAFNDNC@?$HM?5?5DisplayMode?3?5?5?$CF4ux?$CF4ux?$CF2u?5?5?$HM@CIJCHKMG@ ; char *
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		push	dword_6B6C04	; char
		push	offset ??_C@_0DO@PACHIGEC@?$HM?5?5LogoSize?3?5?5?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@ ; char	*
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		add	esp, 28h
		mov	edi, 0F4240h
		push	ebx
		push	edi
		push	dword_6D4BAC
		push	dword_6D4BA8
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	eax		; char
		push	offset ??_C@_0BN@OJAJOAEP@?$HM?5?5ProgressProlog?3?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@ ; char *
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		push	dword_6D4BC0	; char
		push	offset ??_C@_0BN@PGCGDLEG@?$HM?5?5ProgressFrames?3?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@ ; char *
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		push	dword_6B6BD8	; char
		push	offset ??_C@_0BN@KLGDPMN@?$HM?5?5ProgressMemory?3?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@ ; char *
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		add	esp, 30h
		push	ebx
		push	edi
		push	dword_6B3F1C
		push	dword_6B3F18
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	eax		; char
		push	offset ??_C@_0BN@NGBHLPEK@?$HM?5?5ProgressLow?3?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@ ;	char *
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		add	esp, 10h
		push	ebx
		push	edi
		push	dword_6D4B6C
		push	dword_6D4B68
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	eax		; char
		push	offset ??_C@_0BN@ODGFCIO@?$HM?5?5ProgressHigh?3?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@ ; char *
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		add	esp, 10h
		push	ebx
		push	edi
		push	dword_6D4B7C
		push	dword_6D4B78
		call	__allmul
		mov	edi, dword_6B3F24
		mov	esi, dword_6B3F20
		push	edi
		push	esi
		push	edx
		push	eax
		call	__alldiv
		push	eax
		push	ebx
		push	0F4240h
		push	dword_6D4BCC
		push	dword_6D4BC8
		call	__allmul
		push	edi
		push	esi
		push	edx
		push	eax
		call	__alldiv
		push	eax		; char
		push	offset ??_C@_0FK@OGIJBCGD@?$HM?5?5ProgressManual?3?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@ ; char *
		push	ebx		; int
		push	65h
		pop	esi
		push	esi		; int
		call	_DbgPrintEx
		add	esp, 14h
		mov	edi, 0F4240h
		push	ebx
		push	edi
		push	dword_6D4BBC
		push	dword_6D4BB8
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	eax		; char
		push	offset ??_C@_0BN@PLIMGGAK@?$HM?5?5FadeProlog?3?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@ ; char *
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		push	dword_6D4B64	; char
		push	offset ??_C@_0BN@JIEMMGMJ@?$HM?5?5FadeFrames?3?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@ ; char *
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		push	dword_6D4B60
		push	dword_6D4BB0
		push	dword_6B6BD4	; char
		push	offset ??_C@_0FF@NNGMNLHE@?$HM?5?5FadeMemory?3?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@ ; char *
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		add	esp, 38h
		push	ebx
		push	edi
		push	dword_6B3F2C
		push	dword_6B3F28
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	eax		; char
		push	offset ??_C@_0BN@MJJFONFH@?$HM?5?5FadeLow?3?5?5?5?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@ ; char *
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		add	esp, 10h
		push	ebx
		push	edi
		push	dword_6D4B54
		push	dword_6D4B50
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	eax		; char
		push	offset ??_C@_0BN@JFBHJIPA@?$HM?5?5FadeHigh?3?5?5?5?5?5?5?5?5?5?$CF8u?5?5?$HM?6@CIJCHKMG@ ; char	*
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		add	esp, 10h
		push	ebx
		push	edi
		push	dword_6D4B84
		push	dword_6D4B80
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	eax
		push	dword_6D4BF0	; char
		push	offset ??_C@_0FK@GKFDBAK@?$HM?5?5FadeOverlap?3?5?5?5?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@ ; char *
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		add	esp, 14h
		push	ebx
		push	edi
		push	dword_6D4B8C
		push	dword_6D4B88
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	eax		; char
		push	offset ??_C@_0DN@JGDHGKIJ@?$HM?5?5AnimationTotal?3?5?5?5?$CF8u?5?5?$HM?6?$HM?5?5@CIJCHKMG@ ; char *
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		mov	eax, dword_6B6BE8
		add	esp, 10h
		test	eax, eax
		jz	short loc_A77ED0
		push	dword ptr [eax]	; char
		push	offset ??_C@_0DO@OKNIDDAM@?6?$HM?5?5ResidentSize?3?5?5?5?5?5?$CF8u?5?5?$HM?6?$HM?5@CIJCHKMG@ ; char *
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_A77ED0:				; CODE XREF: TxtpAddCacheEntry+1A27j
		push	ebx
		push	edi
		push	dword_6FDE34
		push	dword_6FDE30
		call	__allmul
		push	dword_6B3F24
		push	dword_6B3F20
		push	edx
		push	eax
		call	__alldiv
		push	eax		; char
		push	offset ??_C@_0DO@FFIMIMLK@?6?$HM?5?5CompressBitmapsCPU?3?5?$CF8u?$HM?6?$HM?5@CIJCHKMG@ ; char *
		push	ebx		; int
		push	esi		; char
		call	_DbgPrintEx
		push	offset ??_C@_0CE@OCMPJNJB@?6?$CL?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9?9@CIJCHKMG@ ; char *
		push	ebx		; int
		push	esi		; int
		call	_DbgPrintEx
		add	esp, 1Ch
		jmp	loc_A7487A
; 

loc_A77F17:				; CODE XREF: ResFwConfigureDisplayStringResources+33j
		mov	eax, dword_6B6CF8
		mov	[ebp+var_18], eax
		mov	eax, dword_6B6CFC
		mov	[ebp+var_14], eax
		jmp	loc_A748F8
; 

loc_A77F2C:				; CODE XREF: ResFwBackgroundTransition+27j
		mov	ecx, dword_6B6BFC
		test	ecx, ecx
		jz	short loc_A77F44
		xor	eax, eax
		mov	edx, offset dword_6B6BFC
		xchg	eax, [edx]
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A77F44:				; CODE XREF: TxtpAddCacheEntry+1A9Ej
		push	esi
		mov	esi, dword_6B6C00
		test	esi, esi
		jz	short loc_A77F6D
		xor	eax, eax
		mov	ecx, offset dword_6B6C00
		xchg	eax, [ecx]
		call	BgpFwReleaseLock
		push	4B494742h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()

loc_A77F6D:				; CODE XREF: TxtpAddCacheEntry+1AB7j
		and	dword_6B6C04, 0
		pop	esi
		retn
; 

loc_A77F76:				; CODE XREF: BgpGxParseBitmap+34j
		cmp	edx, 20h
		jnz	loc_A74BDA
		jmp	loc_A74B94
; 

loc_A77F84:				; CODE XREF: BgpGxParseBitmap+5Bj
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	loc_A74BCA
		test	byte ptr [ecx+10h], 1
		jnz	loc_A74BCA
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	loc_A74BCA
; 

loc_A77FA3:				; CODE XREF: BgpGxReadRectangle+3Bj
		test	esi, esi
		jz	loc_A74CCF
		test	byte ptr [esi+10h], 1
		jnz	loc_A74CCF
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	loc_A74CCF
; 

loc_A77FC1:				; CODE XREF: BgpFoGetFontHandle+17j
					; BgpFoGetFontHandle+24j
		mov	eax, 0C000000Dh
		jmp	loc_A74D37
; 
		align 4
		db 0CCh
; 

loc_A77FCD:				; CODE XREF: GxpReadFrameBufferPixels+A4j
		mov	eax, 0C00000BBh
		jmp	loc_A74F5C
; 

loc_A77FD7:				; CODE XREF: GxpReadFrameBufferPixels+B3j
		mov	eax, 0C0000023h
		jmp	loc_A74F5C
; 

loc_A77FE1:				; CODE XREF: GxpReadFrameBufferPixels+BBj
		mov	eax, 0C0000001h
		jmp	loc_A74F5C
; 

loc_A77FEB:				; CODE XREF: GxpReadFrameBufferPixels+EBj
		mov	eax, [ebx]
		lea	ecx, [ebp+var_58]
		mov	dword ptr [ebp+var_58],	eax
		mov	eax, [ebx+4]
		mov	[ebp+var_54], eax
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_4C], eax
		mov	eax, dword_6B6B70
		push	1
		mov	[ebp+var_50], eax
		mov	eax, [ebx+14h]
		push	edi
		mov	[ebp+var_48], eax
		mov	eax, dword_6B6B78
		push	ecx		; char
		call	eax
		mov	[ebp+var_20], eax
		jmp	loc_A74F43
; 

loc_A78020:				; CODE XREF: GxpReadFrameBufferPixels+10Bj
		xor	eax, eax
		mov	[ebp+var_C], eax
		test	edx, edx
		jz	loc_A74F43

loc_A7802D:				; CODE XREF: TxtpAddCacheEntry+1C02j
		xor	ecx, ecx
		mov	[ebp+var_10], ecx
		cmp	[ebx+4], ecx
		jbe	short loc_A78092

loc_A78037:				; CODE XREF: TxtpAddCacheEntry+1BFAj
		push	eax
		push	ecx
		sub	esp, 0Ch
		lea	esi, [ebp+var_38]
		mov	edi, esp
		lea	edx, [ebp+var_24]
		sub	esp, 0Ch
		movsd
		movsd
		movsd
		mov	edi, esp
		lea	esi, [ebp+var_44]
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_18]
		mov	ecx, edi
		call	_GxpGetRotatedPixelOffset@40 ; GxpGetRotatedPixelOffset(x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_20], eax
		test	eax, eax
		js	loc_A74F43
		mov	esi, [ebp+var_1C]
		mov	eax, [ebp+var_24]
		imul	eax, esi
		push	esi		; size_t
		add	eax, [ebp+var_14]
		push	eax		; void *
		push	[ebp+var_8]	; void *
		call	_memcpy
		mov	ecx, [ebp+var_10]
		add	esp, 0Ch
		add	[ebp+var_8], esi
		inc	ecx
		mov	eax, [ebp+var_C]
		mov	[ebp+var_10], ecx
		cmp	ecx, [ebx+4]
		jb	short loc_A78037

loc_A78092:				; CODE XREF: TxtpAddCacheEntry+1B9Fj
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, [ebx]
		jb	short loc_A7802D
		jmp	loc_A74F43
; 

loc_A7809F:				; CODE XREF: GxpReadFrameBufferPixels+50j
					; GxpReadFrameBufferPixels+5Bj	...
		mov	eax, 0C000000Dh
		jmp	loc_A74F5C
; 

loc_A780A9:				; CODE XREF: BgpFwLibraryInitialize+24j
		mov	eax, 0C0000059h
		jmp	loc_A75060
; 

loc_A780B3:				; CODE XREF: BgpFwLibraryInitialize+A1j
		mov	dword_6B6C58, esi
		mov	dword_6B6C54, esi
		jmp	loc_A75047
; 

loc_A780C4:				; CODE XREF: BgpFwLibraryInitialize+154j
		mov	edi, offset unk_6B6BEC
		lea	esi, [ebx+40h]
		movsd
		movsd
		movsd
		movsd
		xor	esi, esi
		cmp	[ebx+38h], esi
		jz	short loc_A78114
		push	10h
		pop	ecx
		call	BgpFwAllocateMemory
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_A78153
		mov	eax, [ebx+38h]
		xor	edx, edx
		mov	[ecx], eax
		mov	eax, [ebx+3Ch]
		mov	[ecx+4], eax
		mov	eax, [ebx+38h]
		mov	[ecx+0Ch], eax
		mov	dword ptr [ecx+8], 1
		mov	dword_6B6C48, ecx
		call	BgpFoInitialize
		mov	edi, eax
		test	edi, edi
		js	loc_A750C6

loc_A78114:				; CODE XREF: TxtpAddCacheEntry+1C3Fj
		cmp	dword ptr [ebx+50h], 3
		jb	short loc_A7812A
		mov	edi, offset byte_6B6CF4
		lea	esi, [ebx+144h]
		movsd
		movsd
		movsd
		xor	esi, esi

loc_A7812A:				; CODE XREF: TxtpAddCacheEntry+1C82j
		mov	eax, [ebx+140h]
		or	edx, 0FFFFFFFFh
		mov	ecx, ebx
		mov	dword_6B6CE8, eax
		call	BgpBcInitializeCriticalMode
		mov	edi, eax
		test	edi, edi
		js	loc_A750C6
		jmp	loc_A75051
; 

loc_A7814E:				; CODE XREF: BgpFwLibraryInitialize+299j
		call	BgpFwReleaseLock

loc_A78153:				; CODE XREF: TxtpAddCacheEntry+1C4Dj
		mov	edi, 0C0000017h
		jmp	loc_A750C6
; 

loc_A7815D:				; CODE XREF: BgpFwLibraryInitialize+126j
					; BgpFwLibraryInitialize+133j
		mov	eax, 0C000009Ah
		jmp	loc_A75060
; 

loc_A78167:				; CODE XREF: BgpFwLibraryInitialize+186j
		call	BgpFwReleaseLock
		jmp	loc_A7505A
; 

loc_A78171:				; CODE XREF: BgpFwLibraryInitialize+1D4j
		mov	dword_6B6BB0, eax
		jmp	loc_A7514C
; 

loc_A7817B:				; CODE XREF: BgpFwLibraryInitialize+1CBj
		mov	dword_6B6BB0, 3
		jmp	loc_A7514C
; 

loc_A7818A:				; CODE XREF: BgpFwLibraryInitialize+305j
					; BgpFwLibraryInitialize+375j
		push	offset ??_C@_0CK@KDGCPFMN@BGFX?5system?5font?5initialization@CIJCHKMG@ ; char *
		push	edi		; int
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		jmp	loc_A752E7
; 

loc_A7819F:				; CODE XREF: BgpFwLibraryInitialize+421j
		mov	dword_6B6C30, edi
		jmp	loc_A75393
; 

loc_A781AA:				; CODE XREF: BgpFwLibraryInitialize+42Fj
		lea	edx, [ecx+2]

loc_A781AD:				; CODE XREF: TxtpAddCacheEntry+1D20j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_A781AD
		sub	ecx, edx
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]
		call	BgpFwAllocateMemory
		mov	dword_6B6C34, eax
		test	eax, eax
		jz	loc_A753A1
		mov	edx, [ebx+9Ch]
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_A781E0:				; CODE XREF: TxtpAddCacheEntry+1D53j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_A781E0
		sub	ecx, esi
		sar	ecx, 1
		push	edx
		lea	eax, [ecx+1]
		push	eax
		push	dword_6B6C34
		call	_wcscpy_s
		add	esp, 0Ch
		jmp	loc_A753A1
; 

loc_A78207:				; CODE XREF: BgpFwLibraryInitialize+46Bj
		mov	ecx, [esp-190h+arg_1A8]
		jmp	short loc_A78216
; 

loc_A7820D:				; CODE XREF: BgpFwLibraryInitialize+48Ej
		mov	ecx, edi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	ecx, esi

loc_A78216:				; CODE XREF: TxtpAddCacheEntry+1D75j
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	loc_A75406
; 

loc_A78220:				; CODE XREF: BgpFwLibraryInitialize+18j
					; BgpFwLibraryInitialize+4Bj
		mov	eax, 0C000000Dh
		jmp	loc_A75060
; 

loc_A7822A:				; CODE XREF: BgpTxtCreateRegion+73j
		mov	edx, 0C0000017h
		jmp	loc_A75646
; 

loc_A78234:				; CODE XREF: BgpTxtCreateRegion+8Bj
		lea	edx, [ebp+var_14]
		xor	ecx, ecx	; wchar_t *
		call	BgpFoGetFontHandle
		mov	edx, eax
		mov	[ebp+var_4], edx
		test	edx, edx
		js	short loc_A782AB
		or	dword ptr [ebx+20h], 0FFFFFFFFh
		lea	eax, [ebx+1Ch]
		and	dword ptr [eax], 0
		mov	ecx, [ebp+var_14]
		and	dword ptr [ebx+2Ch], 0
		mov	[ebx+24h], ecx
		mov	dword ptr [ebx+28h], 12h
		jmp	loc_A75593
; 

loc_A78267:				; CODE XREF: BgpTxtCreateRegion+CBj
		mov	[esi+4], eax
		jmp	loc_A755C3
; 

loc_A7826F:				; CODE XREF: BgpTxtCreateRegion+D6j
		mov	[esi], eax
		jmp	loc_A755CE
; 

loc_A78276:				; CODE XREF: BgpTxtCreateRegion+E3j
					; BgpTxtCreateRegion+F2j
		mov	edx, 0C000000Dh
		mov	[ebp+var_4], edx
		jmp	loc_A7563E
; 

loc_A78283:				; CODE XREF: BgpTxtCreateRegion+119j
					; BgpTxtCreateRegion+14Ej ...
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_A78297
		test	byte ptr [eax+10h], 1
		jnz	short loc_A78297
		mov	ecx, eax
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A78297:				; CODE XREF: TxtpAddCacheEntry+1DF2j
					; TxtpAddCacheEntry+1DF8j
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_A782AB
		test	byte ptr [eax+10h], 1
		jnz	short loc_A782AB
		mov	ecx, eax
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A782AB:				; CODE XREF: BgpTxtCreateRegion+BCj
					; TxtpAddCacheEntry+1DAFj ...
		mov	ecx, ebx
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	edx, [ebp+var_4]
		jmp	loc_A75646
; 

loc_A782BA:				; CODE XREF: BgpTxtCreateRegion+2Ej
					; BgpTxtCreateRegion+36j ...
		mov	eax, 0C000000Dh
		jmp	loc_A7564D
; 

loc_A782C4:				; CODE XREF: AnFwFadeCompletion+AEj
		test	[ecx+10h], bl
		jnz	short loc_A782CE
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A782CE:				; CODE XREF: TxtpAddCacheEntry+1E31j
		mov	dword_6B3F0C, esi
		jmp	loc_A75746
; 

loc_A782D9:				; CODE XREF: AnFwFadeCompletion+BCj
		test	[ecx+10h], bl
		jnz	short loc_A782E3
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A782E3:				; CODE XREF: TxtpAddCacheEntry+1E46j
		mov	dword_6B3F10, esi
		jmp	loc_A75754
; 

loc_A782EE:				; CODE XREF: AnFwDisplayFade+E7j
		push	offset unk_6F9F80
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		mov	byte_6CEA90, bl
		jmp	loc_A75859
; 

loc_A78303:				; CODE XREF: AnFwDisplayFade+115j
		mov	[esp-190h+arg_19B], 1
		mov	esi, ebx
		jmp	loc_A7599C
; 

loc_A7830F:				; CODE XREF: AnFwDisplayFade+13Cj
		mov	esi, [esp-190h+arg_1C0]
		jmp	loc_A758F3
; 

loc_A78318:				; CODE XREF: AnFwDisplayFade+1F7j
		cmp	eax, [esp-190h+arg_1D0]
		jb	loc_A75969
		cmp	dword_6B3ECC, ecx
		jb	loc_A75969
		mov	eax, [esp-190h+arg_1B8]
		cmp	dword_6B3ECC, eax
		ja	loc_A75969
		mov	edx, [esp-190h+arg_1D0]
		cmp	[esp-190h+arg_1C4], edx
		mov	edx, [esp-190h+arg_19C]
		jb	short loc_A78368
		cmp	[esp-190h+arg_1C4], edx
		ja	short loc_A78368
		mov	edx, [esp-190h+arg_1E0]
		cmp	edx, ecx
		jb	short loc_A78368
		cmp	edx, eax
		ja	short loc_A78368
		mov	[esp-190h+arg_199], 1
		jmp	loc_A75969
; 

loc_A78368:				; CODE XREF: TxtpAddCacheEntry+1EB4j
					; TxtpAddCacheEntry+1EBAj ...
		mov	edi, 0C0000001h
		jmp	loc_A75CE0
; 

loc_A78372:				; CODE XREF: AnFwDisplayFade+223j
		cmp	edx, [esp-190h+arg_19C]
		ja	loc_A75995
		mov	eax, [esp-190h+arg_1E4]
		cmp	ecx, eax
		jb	loc_A75995
		mov	edx, [esp-190h+arg_1B8]
		cmp	ecx, edx
		ja	loc_A75995
		mov	ecx, [esp-190h+arg_1E0]
		cmp	ecx, [esp-190h+arg_1D0]
		jb	short loc_A78368
		cmp	ecx, [esp-190h+arg_19C]
		ja	short loc_A78368
		mov	ecx, [esp-190h+arg_1C4]
		cmp	ecx, eax
		jb	short loc_A78368
		cmp	ecx, edx
		ja	short loc_A78368
		mov	[esp-190h+arg_19A], 1
		jmp	loc_A75995
; 

loc_A783BA:				; CODE XREF: AnFwDisplayFade+314j
		mov	[esp-190h+arg_19B], 1
		xor	ebx, ebx
		jmp	loc_A75AA2
; 

loc_A783C6:				; CODE XREF: AnFwDisplayFade+359j
		mov	ecx, [esp-190h+arg_1A0]
		mov	eax, [esp-190h+arg_1A4]
		mov	[esp+ecx*4-190h+arg_1F4], eax
		inc	ecx
		cmp	[esp-190h+arg_198], 0
		mov	[esp-190h+arg_1A0], ecx
		jz	short loc_A783ED
		and	[esp-190h+arg_1A4], 0
		mov	[esp-190h+arg_199], 1
		jmp	loc_A75ACB
; 

loc_A783ED:				; CODE XREF: TxtpAddCacheEntry+1F46j
		mov	eax, [esp-190h+arg_1BC]
		mov	[esp-190h+arg_1A4], eax
		mov	eax, [esp-190h+arg_1C8]
		add	dword_6B3EC8, eax
		mov	eax, [esp-190h+arg_1CC]
		add	dword_6B3ECC, eax
		jmp	loc_A75ACB
; 

loc_A7840E:				; CODE XREF: AnFwDisplayFade+39Cj
		mov	eax, [esp-190h+arg_1C8]
		add	dword_6B3EF0, eax
		mov	eax, [esp-190h+arg_1CC]
		mov	esi, [esp-190h+arg_1BC]
		add	dword_6B3EF4, eax
		jmp	loc_A75B15
; 

loc_A7842B:				; CODE XREF: AnFwDisplayFade+364j
		mov	esi, [esp-190h+arg_1A8]
		jmp	loc_A75B15
; 

loc_A78434:				; CODE XREF: AnFwDisplayFade+43Aj
		mov	eax, [esi+4]
		lea	ecx, [esp-190h+arg_1E8]
		mov	edx, [esp-190h+arg_1AC]
		mov	[esp-190h+arg_1E8], eax
		mov	eax, [esi]
		mov	[esp-190h+arg_1EC], eax
		lea	eax, [esp-190h+arg_1DC]
		push	eax
		call	_BgpGxRectangleCreate@12 ; BgpGxRectangleCreate(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A75C8A
		mov	eax, [esp-194h+arg_1E0]
		push	dword ptr [eax+0Ch] ; size_t
		push	0		; int
		push	dword ptr [eax+14h] ; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_A75BAC
; 

loc_A78476:				; CODE XREF: AnFwDisplayFade+A4j
					; AnFwDisplayFade+ACj
		mov	edi, 0C000009Ah
		jmp	loc_A75C8A
; 

loc_A78480:				; CODE XREF: AnFwDisplayFade+7Cj
					; AnFwDisplayFade+554j
		call	_AnFwpDisableProgressTimer@0 ; AnFwpDisableProgressTimer()
		cmp	byte_6CEA90, 0
		jz	short loc_A7849F
		push	offset unk_6F9F80
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		mov	byte_6CEA90, 0

loc_A7849F:				; CODE XREF: TxtpAddCacheEntry+1FF6j
		mov	ecx, 0FF000000h
		call	_BgpClearScreen@4 ; BgpClearScreen(x)
		mov	edi, eax
		mov	eax, [esp-194h+arg_1A8]
		test	eax, eax
		jz	short loc_A784C0
		test	byte ptr [eax+10h], 1
		jnz	short loc_A784C0
		mov	ecx, eax
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A784C0:				; CODE XREF: TxtpAddCacheEntry+201Bj
					; TxtpAddCacheEntry+2021j
		mov	eax, [esp-194h+arg_1D8]
		test	eax, eax
		jz	short loc_A784D5
		test	byte ptr [eax+10h], 1
		jnz	short loc_A784D5
		mov	ecx, eax
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A784D5:				; CODE XREF: TxtpAddCacheEntry+2030j
					; TxtpAddCacheEntry+2036j
		test	ebx, ebx
		jz	short loc_A784E6
		test	byte ptr [ebx+10h], 1
		jnz	short loc_A784E6
		mov	ecx, ebx
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A784E6:				; CODE XREF: TxtpAddCacheEntry+2041j
					; TxtpAddCacheEntry+2047j
		mov	eax, [esp-194h+arg_1DC]
		test	eax, eax
		jz	short loc_A784FB
		test	byte ptr [eax+10h], 1
		jnz	short loc_A784FB
		mov	ecx, eax
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A784FB:				; CODE XREF: TxtpAddCacheEntry+2056j
					; TxtpAddCacheEntry+205Cj
		test	esi, esi
		jz	short loc_A7850C
		test	byte ptr [esi+10h], 1
		jnz	short loc_A7850C
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A7850C:				; CODE XREF: TxtpAddCacheEntry+2067j
					; TxtpAddCacheEntry+206Dj
		mov	eax, [esp-194h+arg_1E0]
		test	eax, eax
		jz	loc_A75CC6
		test	byte ptr [eax+10h], 1
		jnz	loc_A75CC6
		mov	ecx, eax
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	loc_A75CC6
; 

loc_A7852E:				; CODE XREF: AnFwpFadeAnimationTimer+D7j
		cmp	byte ptr [esp-194h+arg_19C+3], 0
		jnz	short loc_A7856F
		mov	esi, dword_6B3EE8
		xor	edx, edx
		mov	eax, [esp-194h+arg_1B0]
		mov	edi, [esi+14h]
		mov	ecx, [eax+14h]
		cmp	[esi+0Ch], edx
		jbe	short loc_A7856F
		sub	edi, ecx

loc_A7854E:				; CODE XREF: TxtpAddCacheEntry+20D7j
		mov	al, [edi+ecx]
		test	al, al
		jz	short loc_A78568
		movzx	eax, al
		imul	eax, ebx
		shr	eax, 0Ah
		mov	[ecx], al
		test	eax, eax
		jz	short loc_A78568
		inc	[esp-194h+arg_1A0]

loc_A78568:				; CODE XREF: TxtpAddCacheEntry+20BDj
					; TxtpAddCacheEntry+20CCj
		inc	edx
		inc	ecx
		cmp	edx, [esi+0Ch]
		jb	short loc_A7854E

loc_A7856F:				; CODE XREF: TxtpAddCacheEntry+209Dj
					; TxtpAddCacheEntry+20B4j
		xor	edi, edi
		cmp	byte ptr [esp-194h+arg_19C+1], 0
		mov	[esp-194h+arg_1C0], edi
		jnz	short loc_A785B9
		mov	eax, [esp-194h+arg_1A8]
		xor	edx, edx
		mov	ecx, [esp-194h+arg_1B4]
		mov	esi, [eax+14h]
		mov	ecx, [ecx+14h]
		cmp	[eax+0Ch], edx
		jbe	short loc_A785B9
		sub	esi, ecx

loc_A78593:				; CODE XREF: TxtpAddCacheEntry+211Dj
		mov	al, [ecx+esi]
		test	al, al
		jz	short loc_A785AA
		movzx	eax, al
		imul	eax, ebx
		shr	eax, 0Ah
		mov	[ecx], al
		test	eax, eax
		jz	short loc_A785AA
		inc	edi

loc_A785AA:				; CODE XREF: TxtpAddCacheEntry+2102j
					; TxtpAddCacheEntry+2111j
		mov	eax, [esp-194h+arg_1A8]
		inc	edx
		inc	ecx
		cmp	edx, [eax+0Ch]
		jb	short loc_A78593
		mov	[esp-194h+arg_1C0], edi

loc_A785B9:				; CODE XREF: TxtpAddCacheEntry+20E4j
					; TxtpAddCacheEntry+20F9j
		xor	esi, esi
		cmp	byte ptr [esp-194h+arg_19C+2], 0
		jnz	loc_A75EB2
		mov	eax, [esp-194h+arg_1AC]
		xor	edx, edx
		mov	ecx, [esp-194h+arg_1B8]
		mov	ebx, [eax+14h]
		mov	ecx, [ecx+14h]
		cmp	[eax+0Ch], edx
		jbe	loc_A78679
		sub	ebx, ecx
		mov	edi, eax

loc_A785E3:				; CODE XREF: TxtpAddCacheEntry+216Bj
		mov	al, [ecx+ebx]
		test	al, al
		jz	short loc_A785FC
		movzx	eax, al
		imul	eax, [esp-194h+arg_1A4]
		shr	eax, 0Ah
		mov	[ecx], al
		test	eax, eax
		jz	short loc_A785FC
		inc	esi

loc_A785FC:				; CODE XREF: TxtpAddCacheEntry+2152j
					; TxtpAddCacheEntry+2163j
		inc	edx
		inc	ecx
		cmp	edx, [edi+0Ch]
		jb	short loc_A785E3
		mov	edi, [esp-194h+arg_1C0]
		jmp	short loc_A78679
; 

loc_A78609:				; CODE XREF: AnFwpFadeAnimationTimer+13Ej
		inc	[esp-194h+arg_1A0]
		jmp	loc_A75E2A
; 

loc_A78612:				; CODE XREF: AnFwpFadeAnimationTimer+1C6j
		mov	ecx, [esp-194h+arg_1B8]
		mov	eax, [esp-194h+arg_1AC]
		mov	ebx, [ecx+14h]
		xor	ecx, ecx
		mov	edx, [eax+14h]
		cmp	[eax+0Ch], ecx
		jbe	short loc_A78679

loc_A78627:				; CODE XREF: TxtpAddCacheEntry+21E1j
		cmp	dword ptr [edx+ecx], 0
		jz	short loc_A78671
		movzx	eax, byte ptr [edx+ecx]
		imul	eax, [esp-194h+arg_1A4]
		shr	eax, 0Ah
		mov	[ebx+ecx], al
		test	eax, eax
		jz	short loc_A78641
		inc	esi

loc_A78641:				; CODE XREF: TxtpAddCacheEntry+21A8j
		movzx	eax, byte ptr [edx+ecx+1]
		imul	eax, [esp-194h+arg_1A4]
		shr	eax, 0Ah
		mov	[ebx+ecx+1], al
		test	eax, eax
		jz	short loc_A78657
		inc	esi

loc_A78657:				; CODE XREF: TxtpAddCacheEntry+21BEj
		movzx	eax, byte ptr [edx+ecx+2]
		imul	eax, [esp-194h+arg_1A4]
		shr	eax, 0Ah
		mov	[ebx+ecx+2], al
		test	eax, eax
		mov	eax, [esp-194h+arg_1AC]
		jz	short loc_A78671
		inc	esi

loc_A78671:				; CODE XREF: TxtpAddCacheEntry+2195j
					; TxtpAddCacheEntry+21D8j
		add	ecx, 4
		cmp	ecx, [eax+0Ch]
		jb	short loc_A78627

loc_A78679:				; CODE XREF: TxtpAddCacheEntry+2143j
					; TxtpAddCacheEntry+2171j ...
		mov	ebx, [esp-194h+arg_1A4]
		jmp	loc_A75EB2
; 

loc_A78682:				; CODE XREF: AnFwpFadeAnimationTimer+231j
		cmp	[esp-194h+arg_1BC], 0
		jnz	short loc_A7868D
		test	esi, esi
		jz	short loc_A786A3

loc_A7868D:				; CODE XREF: TxtpAddCacheEntry+21F1j
		mov	ecx, [esp-194h+arg_1B8]
		mov	edx, offset dword_6B3EF0
		call	BgpGxDrawRectangle
		test	esi, esi
		jnz	loc_A75F1D

loc_A786A3:				; CODE XREF: TxtpAddCacheEntry+21F5j
		mov	byte ptr [esp-194h+arg_19C+2], 1
		jmp	loc_A75F1D
; 

loc_A786AD:				; CODE XREF: AnFwpProgressIndicatorTimer+9Bj
					; AnFwpProgressIndicatorTimer+A4j
		inc	si
		mov	word_6B3EAC, si
		jmp	loc_A76080
; 

loc_A786BB:				; CODE XREF: LogFwStat+5Bj
					; DATA XREF: PAGEBGFX:off_A7630Eo
		add	dword_6FDE30, eax ; case 0x8
		adc	dword_6FDE34, edx
		jmp	loc_A761B6	; default
; 

loc_A786CC:				; CODE XREF: AnFwDisplayProgressIndicator+3Dj
		mov	eax, 0C00000BBh
		jmp	loc_A763AA
; 

loc_A786D6:				; CODE XREF: AnFwDisplayProgressIndicator+58j
		mov	eax, 0C000009Ah
		jmp	loc_A763AA
; 

loc_A786E0:				; CODE XREF: AnFwDisplayProgressIndicator+63j
		mov	eax, 0C0000001h
		jmp	loc_A763AA
; 

loc_A786EA:				; CODE XREF: AnFwDisplayProgressIndicator+31j
		mov	edx, 0C00h
		and	eax, edx
		cmp	eax, edx
		jz	short loc_A786FE
		test	cl, cl
		jnz	short loc_A786FE
		call	_AnFwpDisableProgressTimer@0 ; AnFwpDisableProgressTimer()

loc_A786FE:				; CODE XREF: TxtpAddCacheEntry+225Dj
					; TxtpAddCacheEntry+2261j
		xor	eax, eax
		mov	esi, 0E0CBh
		push	eax
		push	ecx
		mov	ecx, dword_6B6C54
		mov	edx, esi
		push	eax
		push	eax
		push	eax
		mov	word_6B3EAC, si
		call	BgpTxtDisplayCharacter
		call	_TxtpClearCache@4 ; TxtpClearCache(x)
		cmp	_RasterizerInitialized,	0
		jz	loc_A763A8
		call	_RaspClearCache@4 ; RaspClearCache(x)
		jmp	loc_A763A8
; 

loc_A7873A:				; CODE XREF: TxtpAddCacheEntry+48j
		mov	esi, [ebx+4]
		cmp	[esi], ebx
		jnz	loc_A764F7
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	loc_A764F7
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	ecx, [esi+20h]
		test	ecx, ecx
		jz	short loc_A78767
		test	byte ptr [ecx+10h], 1
		jnz	short loc_A78767
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A78767:				; CODE XREF: TxtpAddCacheEntry+22C4j
					; TxtpAddCacheEntry+22CAj
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	loc_A764E8
TxtpAddCacheEntry endp

; 
; START	OF FUNCTION CHUNK FOR TxtpAddCacheEntry

loc_A78773:				; CODE XREF: TxtpAddCacheEntry+14Aj
		cmp	edx, 18h
		jz	loc_A765E6

loc_A7877C:				; CODE XREF: TxtpAddCacheEntry+133j
					; TxtpAddCacheEntry+13Bj
		mov	eax, 0C000000Dh
		jmp	loc_A7673D
; 

loc_A78786:				; CODE XREF: TxtpAddCacheEntry+185j
					; TxtpAddCacheEntry+18Fj
		xor	edx, edx
		test	ecx, ecx
		jz	loc_A76744
		mov	esi, [ebp+var_2C]

loc_A78793:				; CODE XREF: TxtpAddCacheEntry+234Bj
		xor	ecx, ecx
		cmp	[ebp+var_14], ecx
		jbe	short loc_A787DD

loc_A7879A:				; CODE XREF: TxtpAddCacheEntry+2342j
		mov	bl, byte ptr [ebp+arg_0+2]
		cmp	[esi+2], bl
		mov	ebx, [ebp+var_8]
		jnz	short loc_A787AE
		cmp	[esi+1], ah
		jnz	short loc_A787AE
		cmp	[esi], al
		jz	short loc_A787D1

loc_A787AE:				; CODE XREF: TxtpAddCacheEntry+230Dj
					; TxtpAddCacheEntry+2312j
		cmp	ecx, ebx
		jnb	short loc_A787B7
		mov	ebx, ecx
		mov	[ebp+var_8], ebx

loc_A787B7:				; CODE XREF: TxtpAddCacheEntry+231Aj
		cmp	ecx, [ebp+var_C]
		jbe	short loc_A787BF
		mov	[ebp+var_C], ecx

loc_A787BF:				; CODE XREF: TxtpAddCacheEntry+2324j
		cmp	edx, edi
		jnb	short loc_A787C5
		mov	edi, edx

loc_A787C5:				; CODE XREF: TxtpAddCacheEntry+232Bj
		cmp	edx, [ebp+var_10]
		jbe	short loc_A787CD
		mov	[ebp+var_10], edx

loc_A787CD:				; CODE XREF: TxtpAddCacheEntry+2332j
		mov	byte ptr [ebp+var_4+3],	1

loc_A787D1:				; CODE XREF: TxtpAddCacheEntry+2316j
		add	esi, [ebp+var_20]
		inc	ecx
		cmp	ecx, [ebp+var_14]
		jb	short loc_A7879A
		mov	[ebp+var_18], edi

loc_A787DD:				; CODE XREF: TxtpAddCacheEntry+2302j
		inc	edx
		cmp	edx, [ebp+var_1C]
		jb	short loc_A78793
		jmp	loc_A7665E
; 

loc_A787E8:				; CODE XREF: TxtpAddCacheEntry+A61j
		mov	edi, 0C0000017h
		jmp	loc_A77083
; 

loc_A787F2:				; CODE XREF: TxtpAddCacheEntry+B65j
		mov	edi, 0C0000001h

loc_A787F7:				; CODE XREF: TxtpAddCacheEntry+B07j
					; TxtpAddCacheEntry+B29j
		test	esi, esi
		jz	loc_A77083
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		and	dword_6F9AF0, 0
		jmp	loc_A77083
; 

loc_A78812:				; CODE XREF: TxtpAddCacheEntry+C54j
		mov	ecx, ebx
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	loc_A7710F
		call	_BgpTxtDestroyRegion@4 ; BgpTxtDestroyRegion(x)
		jmp	loc_A7710F
; 

loc_A7882E:				; CODE XREF: TxtpAddCacheEntry+C8Aj
		call	_BgkpDisableConsole@0 ;	BgkpDisableConsole()
		xor	ebx, ebx
		xor	cl, cl
		mov	byte_6D4C7B, bl
		mov	byte_6D4D58, bl
		call	_BgDisplayProgressIndicator@4 ;	BgDisplayProgressIndicator(x)
		xor	cl, cl
		mov	byte_6D4C7A, bl
		call	_BgDisplayBackgroundUpdate@4 ; BgDisplayBackgroundUpdate(x)
		mov	ecx, dword_6D4C74
		mov	byte_6D4C79, bl
		mov	byte_6D4C78, bl
		test	ecx, ecx
		jz	short loc_A78876
		call	_BgConsoleDestroyInterface@4 ; BgConsoleDestroyInterface(x)
		mov	dword_6D4C74, ebx

loc_A78876:				; CODE XREF: TxtpAddCacheEntry+23D3j
		pop	ebx
		jmp	_BgLibraryDestroy@0 ; BgLibraryDestroy()
; 

loc_A7887C:				; CODE XREF: TxtpAddCacheEntry+CD2j
		call	_BgpFoDestroy@4	; BgpFoDestroy(x)
		mov	eax, dword_6B6C48
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_A78897
		test	byte ptr [eax+8], 1
		jnz	short loc_A78897
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A78897:				; CODE XREF: TxtpAddCacheEntry+23F4j
					; TxtpAddCacheEntry+23FAj
		mov	ecx, dword_6B6C48
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	dword_6B6C48, esi
		jmp	loc_A7716E
; 

loc_A788AD:				; CODE XREF: TxtpAddCacheEntry+CE0j
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		push	esi
		xor	edx, edx
		mov	dword_6B6BE8, esi
		xor	ecx, ecx
		call	_BgpFwInitializeReservePool@12 ; BgpFwInitializeReservePool(x,x,x)
		mov	dword_6B6C4C, esi
		mov	dword_6B6C58, esi
		mov	dword_6B6C54, esi
		jmp	loc_A7717C
; 

loc_A788D9:				; CODE XREF: TxtpAddCacheEntry+D70j
		cmp	byte_6CEA90, bl
		jz	loc_A7720C
		push	offset unk_6F9F80
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		mov	byte_6CEA90, bl
		jmp	loc_A7720C
; 

loc_A788FA:				; CODE XREF: TxtpAddCacheEntry+D95j
		mov	_BgpTextRegionSave, ebx
		jmp	loc_A77231
; 

loc_A78905:				; CODE XREF: TxtpAddCacheEntry+F4Bj
					; TxtpAddCacheEntry+24AAj
		mov	eax, esi
		mov	esi, [esi]
		mov	[ebp+var_4], eax
		mov	ebx, [eax+40h]
		test	ebx, ebx
		jz	short loc_A78934
		mov	ecx, [ebx]
		test	ecx, ecx
		jz	short loc_A7891E
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A7891E:				; CODE XREF: TxtpAddCacheEntry+2481j
		mov	ecx, [ebx+0Ch]
		test	ecx, ecx
		jz	short loc_A7892A
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A7892A:				; CODE XREF: TxtpAddCacheEntry+248Dj
		mov	ecx, ebx
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		mov	eax, [ebp+var_4]

loc_A78934:				; CODE XREF: TxtpAddCacheEntry+247Bj
		mov	ecx, eax
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		lea	eax, [edi+50h]
		cmp	esi, eax
		jnz	short loc_A78905
		pop	ebx
		jmp	loc_A773AF
; 

loc_A78948:				; CODE XREF: TxtpAddCacheEntry+FB0j
		test	cl, cl
		jz	loc_A78A8B
		cmp	byte_6CEA90, bl
		jz	short loc_A78962
		mov	eax, 0C0000001h
		jmp	loc_A7744E
; 

loc_A78962:				; CODE XREF: TxtpAddCacheEntry+24C0j
		lea	eax, [esp+5Ch+var_4C]
		push	eax
		call	off_6B1340	; xHalTimerQueryCycleCounter(x)
		push	ebx
		push	3E8h
		push	edx
		push	eax
		lea	ecx, [esp+70h+var_48]
		call	_RtlULongLongMult@20 ; RtlULongLongMult(x,x,x,x,x)
		test	eax, eax
		js	loc_A7744E
		push	[esp+60h+var_4C]
		push	[esp+64h+var_50]
		push	[esp+68h+var_44]
		push	[esp+6Ch+var_48]
		call	__aulldiv
		push	dword_6B6C44
		mov	esi, eax
		lea	ecx, [esp+64h+var_40]
		push	dword_6B6C40
		push	edx
		push	esi
		call	_RtlULongLongAdd@20 ; RtlULongLongAdd(x,x,x,x,x)
		test	eax, eax
		js	loc_A7744E
		push	esi		; char
		push	offset ??_C@_0CC@EIIJKON@BGFX?5Display?5Ready?5Time?5?$CIms?$CJ?3?5?$CF@CIJCHKMG@ ; char *
		push	ebx		; int
		push	65h		; int
		call	_DbgPrintEx
		mov	edi, dword ptr [esp+70h+var_40]
		push	edi		; char
		push	offset ??_C@_0DH@PPDDDJGB@BGFX?5Secondary?5Logo?5Bitmap?5Disp@CIJCHKMG@	; char *
		push	ebx		; int
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 20h
		cmp	dword_6B6C44, ebx
		ja	short loc_A78A22
		jb	short loc_A789F2
		cmp	dword_6B6C40, 64h
		jnb	short loc_A78A22

loc_A789F2:				; CODE XREF: TxtpAddCacheEntry+2551j
		mov	ecx, dword_6B6CF8
		call	_BgpClearScreen@4 ; BgpClearScreen(x)
		push	esi		; char
		push	offset ??_C@_0DC@GCMNOGDC@BGFX?5Secondary?5Logo?5Bitmap?5Disp@CIJCHKMG@	; char *
		push	ebx		; int
		push	65h		; int
		call	_DbgPrintEx
		mov	ecx, dword_6B6BFC
		add	esp, 0Ch
		mov	edx, offset dword_6B6C08
		call	_BgpGxDrawBitmapImage@12 ; BgpGxDrawBitmapImage(x,x,x)
		mov	ebx, eax
		jmp	short loc_A78A73
; 

loc_A78A22:				; CODE XREF: TxtpAddCacheEntry+254Fj
					; TxtpAddCacheEntry+255Aj
		mov	eax, [esp+60h+var_3C]
		mov	dword_6B6C40, edi
		mov	edi, offset unk_6F9F80
		push	ebx
		push	edi
		mov	dword_6B6C44, eax
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	ebx
		push	offset _AnFwpBackgroundUpdateTimer@16 ;	AnFwpBackgroundUpdateTimer(x,x,x,x)
		mov	esi, offset unk_7012D8
		push	esi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	esi
		push	ebx
		push	64h
		push	ebx
		push	ebx
		push	edi
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)
		test	al, al
		jz	short loc_A78A6C
		push	edi
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		mov	byte_6CEA90, bl
		jmp	short loc_A78A77
; 

loc_A78A6C:				; CODE XREF: TxtpAddCacheEntry+25C6j
		mov	byte_6CEA90, 1

loc_A78A73:				; CODE XREF: TxtpAddCacheEntry+258Aj
		test	ebx, ebx
		jns	short loc_A78A84

loc_A78A77:				; CODE XREF: TxtpAddCacheEntry+25D4j
		mov	ecx, dword_6B6CF8
		call	_BgpClearScreen@4 ; BgpClearScreen(x)
		mov	ebx, eax

loc_A78A84:				; CODE XREF: TxtpAddCacheEntry+25DFj
		mov	eax, ebx
		jmp	loc_A7744E
; 

loc_A78A8B:				; CODE XREF: TxtpAddCacheEntry+24B4j
		cmp	byte_6CEA90, bl
		jz	loc_A7744C
		push	offset unk_6F9F80
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		mov	byte_6CEA90, bl
		jmp	loc_A7744C
; 

loc_A78AAC:				; CODE XREF: TxtpAddCacheEntry+FD3j
		mov	eax, dword_6B6CF8
		mov	[ecx], eax
		mov	al, 1
		retn
; END OF FUNCTION CHUNK	FOR TxtpAddCacheEntry
; 
		align 4
		db 3 dup(0CCh)
; Exported entry 178. BgkDisplayCharacter

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgkDisplayCharacter(x, x, x, x, x)
		public _BgkDisplayCharacter@20
_BgkDisplayCharacter@20	proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_BgkpAcquireConsole@0 ;	BgkpAcquireConsole()
		test	al, al
		jnz	short loc_A78AD0
		mov	eax, 0C0000001h
		jmp	short loc_A78B17
; 

loc_A78AD0:				; CODE XREF: BgkDisplayCharacter(x,x,x,x,x)+Cj
		cmp	byte_6D4C7A, 0
		jnz	short loc_A78AE2
		cmp	byte_6D4C79, 0
		jz	short loc_A78AF5

loc_A78AE2:				; CODE XREF: BgkDisplayCharacter(x,x,x,x,x)+1Cj
		mov	byte_6D4C7A, 0
		mov	byte_6D4C79, 0
		call	_BgDisplayFade@0 ; BgDisplayFade()

loc_A78AF5:				; CODE XREF: BgkDisplayCharacter(x,x,x,x,x)+25j
		mov	eax, dword_6D4C74
		push	esi
		push	[ebp+arg_10]
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	dword ptr [eax+10h]
		mov	esi, eax
		call	_BgkpReleaseConsole@0 ;	BgkpReleaseConsole()
		mov	eax, esi
		pop	esi

loc_A78B17:				; CODE XREF: BgkDisplayCharacter(x,x,x,x,x)+13j
		pop	ebp
		retn	14h
_BgkDisplayCharacter@20	endp ; sp = -14h


;  S U B	R O U T	I N E 


; __stdcall BgkDrawText(x)
_BgkDrawText@4	proc near		; CODE XREF: NtDrawText(x)+18Ap
		cmp	byte_6D4D58, 0
		jz	short loc_A78B31
		cmp	byte_6D4C7B, 0
		jnz	_BgDisplayString@4 ; BgDisplayString(x)

loc_A78B31:				; CODE XREF: BgkDrawText(x)+7j
		mov	eax, 0C0000001h
		retn
_BgkDrawText@4	endp

; 
		align 4
		dd 0CCCCCCCCh
; Exported entry 179. BgkGetConsoleState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgkGetConsoleState(x)
		public _BgkGetConsoleState@4
_BgkGetConsoleState@4 proc near

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_BgkpAcquireConsole@0 ;	BgkpAcquireConsole()
		test	al, al
		jnz	short loc_A78B51
		mov	eax, 0C0000001h
		jmp	short loc_A78B67
; 

loc_A78B51:				; CODE XREF: BgkGetConsoleState(x)+Cj
		mov	eax, dword_6D4C74
		push	esi
		push	[ebp+arg_0]
		call	dword ptr [eax+14h]
		mov	esi, eax
		call	_BgkpReleaseConsole@0 ;	BgkpReleaseConsole()
		mov	eax, esi
		pop	esi

loc_A78B67:				; CODE XREF: BgkGetConsoleState(x)+13j
		pop	ebp
		retn	4
_BgkGetConsoleState@4 endp ; sp	= -4

; 
		align 10h
; Exported entry 180. BgkGetCursorState

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgkGetCursorState(x, x, x)
		public _BgkGetCursorState@12
_BgkGetCursorState@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_BgkpAcquireConsole@0 ;	BgkpAcquireConsole()
		test	al, al
		jnz	short loc_A78B85
		mov	eax, 0C0000001h
		jmp	short loc_A78BA1
; 

loc_A78B85:				; CODE XREF: BgkGetCursorState(x,x,x)+Cj
		mov	eax, dword_6D4C74
		push	esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	dword ptr [eax+18h]
		mov	esi, eax
		call	_BgkpReleaseConsole@0 ;	BgkpReleaseConsole()
		mov	eax, esi
		pop	esi

loc_A78BA1:				; CODE XREF: BgkGetCursorState(x,x,x)+13j
		pop	ebp
		retn	0Ch
_BgkGetCursorState@12 endp ; sp	= -0Ch


;  S U B	R O U T	I N E 


; __stdcall BgkSetBootGraphicsInformation(x, x)
_BgkSetBootGraphicsInformation@8 proc near ; CODE XREF:	PAGE:loc_7B4623p
		cmp	byte_6D4D58, 0
		jnz	short loc_A78BB4
		mov	eax, 0C0000001h
		retn
; 

loc_A78BB4:				; CODE XREF: BgkSetBootGraphicsInformation(x,x)+7j
		jmp	_BgSetBootGraphicsInformation@8	; BgSetBootGraphicsInformation(x,x)
_BgkSetBootGraphicsInformation@8 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 181. BgkSetCursor

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgkSetCursor(x, x, x)
		public _BgkSetCursor@12
_BgkSetCursor@12 proc near

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_BgkpAcquireConsole@0 ;	BgkpAcquireConsole()
		test	al, al
		jnz	short loc_A78BD3
		mov	eax, 0C0000001h
		jmp	short loc_A78BEF
; 

loc_A78BD3:				; CODE XREF: BgkSetCursor(x,x,x)+Cj
		mov	eax, dword_6D4C74
		push	esi
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	dword ptr [eax+1Ch]
		mov	esi, eax
		call	_BgkpReleaseConsole@0 ;	BgkpReleaseConsole()
		mov	eax, esi
		pop	esi

loc_A78BEF:				; CODE XREF: BgkSetCursor(x,x,x)+13j
		pop	ebp
		retn	0Ch
_BgkSetCursor@12 endp ;	sp = -0Ch


;  S U B	R O U T	I N E 


; __stdcall BgConvertResources(x)
_BgConvertResources@4 proc near		; CODE XREF: BgkSetVirtualFrameBuffer:loc_57C0B1p
		mov	edx, ecx
		mov	ecx, offset dword_6B6C30
		jmp	_BgpGxConvertRectangle@8 ; BgpGxConvertRectangle(x,x)
_BgConvertResources@4 endp


;  S U B	R O U T	I N E 


; __stdcall BgDisplayString(x)
_BgDisplayString@4 proc	near		; CODE XREF: BgkDrawText(x)+10j
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_BgpFwGetCurrentIrql@0 ; BgpFwGetCurrentIrql()
		cmp	al, 2
		jbe	short loc_A78C14
		mov	eax, 0C0000001h
		pop	esi
		retn
; 

loc_A78C14:				; CODE XREF: BgDisplayString(x)+Cj
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		mov	eax, dword_6B6BB8
		test	al, 1
		jnz	short loc_A78C29

loc_A78C22:				; CODE XREF: BgDisplayString(x)+2Fj
		mov	esi, 0C0000001h
		jmp	short loc_A78C56
; 

loc_A78C29:				; CODE XREF: BgDisplayString(x)+21j
		test	eax, 100h
		jnz	short loc_A78C22
		cmp	dword_6B6C4C, 0
		jz	short loc_A78C51
		mov	ecx, dword_6B6C58
		test	ecx, ecx
		jz	short loc_A78C51
		sub	esp, 0Ch
		mov	edx, esi
		call	_BgpTxtDisplayString@20	; BgpTxtDisplayString(x,x,x,x,x)
		mov	esi, eax
		jmp	short loc_A78C56
; 

loc_A78C51:				; CODE XREF: BgDisplayString(x)+38j
					; BgDisplayString(x)+42j
		mov	esi, 0C000009Ah

loc_A78C56:				; CODE XREF: BgDisplayString(x)+28j
					; BgDisplayString(x)+50j
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		retn
_BgDisplayString@4 endp


;  S U B	R O U T	I N E 


; __stdcall BgLibraryDestroy()
_BgLibraryDestroy@0 proc near		; CODE XREF: TxtpAddCacheEntry+23E1j
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		call	_BgpFwGetCurrentIrql@0 ; BgpFwGetCurrentIrql()
		cmp	al, 2
		jbe	short loc_A78C74
		mov	eax, 0C0000001h
		jmp	short loc_A78CB2
; 

loc_A78C74:				; CODE XREF: BgLibraryDestroy()+Cj
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		mov	ebx, dword_6B6BB8
		test	bl, 1
		jnz	short loc_A78C88
		xor	esi, esi
		jmp	short loc_A78CAB
; 

loc_A78C88:				; CODE XREF: BgLibraryDestroy()+23j
		xor	eax, eax
		mov	edi, 0C00h
		and	ebx, edi
		mov	dword_6B6CE4, eax
		mov	dword_6B6CEC, eax
		mov	dword_6B6CF0, eax
		call	BgpFwLibraryDestroy
		mov	esi, eax
		cmp	ebx, edi
		jz	short loc_A78CB0

loc_A78CAB:				; CODE XREF: BgLibraryDestroy()+27j
		call	BgpFwReleaseLock

loc_A78CB0:				; CODE XREF: BgLibraryDestroy()+4Aj
		mov	eax, esi

loc_A78CB2:				; CODE XREF: BgLibraryDestroy()+13j
		pop	edi
		pop	esi
		pop	ebx
		retn
_BgLibraryDestroy@0 endp ; sp =	 8


;  S U B	R O U T	I N E 


; __stdcall BgSetBootGraphicsInformation(x, x)
_BgSetBootGraphicsInformation@8	proc near
					; CODE XREF: BgkSetBootGraphicsInformation(x,x):loc_A78BB4j
		mov	edi, edi
		push	esi
		mov	esi, edx
		call	_BgpFwGetCurrentIrql@0 ; BgpFwGetCurrentIrql()
		test	al, al
		jz	short loc_A78CCB
		mov	eax, 0C0000001h
		pop	esi
		retn
; 

loc_A78CCB:				; CODE XREF: BgSetBootGraphicsInformation(x,x)+Cj
		test	esi, esi
		jz	short loc_A78CF6
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		test	byte ptr dword_6B6BB8, 1
		jnz	short loc_A78CE4
		mov	esi, 0C0000001h
		jmp	short loc_A78CED
; 

loc_A78CE4:				; CODE XREF: BgSetBootGraphicsInformation(x,x)+25j
		mov	edx, esi
		call	_BgpFwSetBootGraphicsInformation@8 ; BgpFwSetBootGraphicsInformation(x,x)
		mov	esi, eax

loc_A78CED:				; CODE XREF: BgSetBootGraphicsInformation(x,x)+2Cj
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		retn
; 

loc_A78CF6:				; CODE XREF: BgSetBootGraphicsInformation(x,x)+17j
		mov	eax, 0C000000Dh
		pop	esi
		retn
_BgSetBootGraphicsInformation@8	endp


;  S U B	R O U T	I N E 


; __stdcall BgpDisplayCharacterDestroyContext(x)
_BgpDisplayCharacterDestroyContext@4 proc near
					; CODE XREF: BgpBcInitializeCriticalMode+1123p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_A78D16
		mov	ecx, [esi+14h]
		call	_BgpTxtDestroyRegion@4 ; BgpTxtDestroyRegion(x)
		mov	ecx, esi
		pop	esi
		jmp	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
; 

loc_A78D16:				; CODE XREF: BgpDisplayCharacterDestroyContext(x)+7j
		pop	esi
		retn
_BgpDisplayCharacterDestroyContext@4 endp


;  S U B	R O U T	I N E 


; __stdcall BgpConsoleClearScreen()
_BgpConsoleClearScreen@0 proc near	; DATA XREF: .data:006B2B84o
		mov	edi, edi
		push	esi
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		cmp	dword_6F9AF0, 0
		jnz	short loc_A78D30
		mov	esi, 0C0000001h
		jmp	short loc_A78D37
; 

loc_A78D30:				; CODE XREF: BgpConsoleClearScreen()+Fj
		call	_BgpConsoleClearScreenEx@0 ; BgpConsoleClearScreenEx()
		mov	esi, eax

loc_A78D37:				; CODE XREF: BgpConsoleClearScreen()+16j
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		retn
_BgpConsoleClearScreen@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpConsoleClearScreenEx()
_BgpConsoleClearScreenEx@0 proc	near	; CODE XREF: TxtpAddCacheEntry:loc_A77091p
					; BgpConsoleClearScreen():loc_A78D30p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, dword_6F9AF0
		push	ebx
		push	esi
		push	edi
		and	dword ptr [ecx+3Ch], 0
		and	dword ptr [ecx+40h], 0
		mov	ecx, [ecx+10h]
		call	_BgpClearScreen@4 ; BgpClearScreen(x)
		mov	esi, eax
		mov	[ebp+var_4], esi
		test	esi, esi
		js	short loc_A78DAA
		mov	ecx, dword_6F9AF0
		push	50h
		pop	ebx
		mov	eax, [ecx+4]
		lea	edx, [ecx+4Ch]

loc_A78D77:				; CODE XREF: BgpConsoleClearScreenEx()+65j
		xor	esi, esi
		test	eax, eax
		jz	short loc_A78D9C
		mov	edi, edx

loc_A78D7F:				; CODE XREF: BgpConsoleClearScreenEx()+5Aj
		push	20h
		pop	eax
		mov	[edi+4], ax
		inc	esi
		mov	eax, [ecx+10h]
		mov	[edi], eax
		lea	edi, [edi+0Ch]
		mov	eax, [ecx+0Ch]
		mov	[edi-10h], eax
		mov	eax, [ecx+4]
		cmp	esi, eax
		jb	short loc_A78D7F

loc_A78D9C:				; CODE XREF: BgpConsoleClearScreenEx()+3Bj
		add	edx, 12Ch
		sub	ebx, 1
		jnz	short loc_A78D77
		mov	esi, [ebp+var_4]

loc_A78DAA:				; CODE XREF: BgpConsoleClearScreenEx()+26j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_BgpConsoleClearScreenEx@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpConsoleDisplayCharacter(x, x, x,	x, x)
_BgpConsoleDisplayCharacter@20 proc near ; DATA	XREF: .data:006B2B90o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	edi
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		mov	edx, dword_6F9AF0
		test	edx, edx
		jnz	short loc_A78DD0
		mov	edi, 0C0000001h
		jmp	loc_A78E62
; 

loc_A78DD0:				; CODE XREF: BgpConsoleDisplayCharacter(x,x,x,x,x)+13j
		test	dword ptr [edx+8], 10000h
		jz	short loc_A78DEB
		call	AnFwFadeCompletion
		mov	edx, dword_6F9AF0
		and	dword ptr [edx+8], 0FFFEFFFFh

loc_A78DEB:				; CODE XREF: BgpConsoleDisplayCharacter(x,x,x,x,x)+26j
		imul	eax, [ebp+arg_4], arg_10+1
		mov	ecx, [ebp+arg_8]
		mov	edi, [ebp+arg_C]
		add	ecx, 6
		push	ebx
		mov	ebx, [ebp+arg_10]
		add	eax, ecx
		push	esi
		imul	esi, eax, 0Ch
		mov	eax, [ebp+arg_0]
		add	esi, edx
		cmp	[esi+8], ax
		jnz	short loc_A78E1A
		cmp	[esi], edi
		jnz	short loc_A78E1A
		cmp	[esi+4], ebx
		jnz	short loc_A78E1A
		xor	edi, edi
		jmp	short loc_A78E60
; 

loc_A78E1A:				; CODE XREF: BgpConsoleDisplayCharacter(x,x,x,x,x)+5Aj
					; BgpConsoleDisplayCharacter(x,x,x,x,x)+5Ej ...
		mov	ecx, [edx+2Ch]
		lea	ebx, [ebp+arg_8]
		imul	ecx, [ebp+arg_8]
		mov	eax, [edx+28h]
		imul	eax, [ebp+arg_4]
		push	0
		add	ecx, [edx+38h]
		push	ecx
		add	eax, [edx+34h]
		mov	edx, [edx+24h]
		push	ebx
		lea	ebx, [ebp+arg_4]
		push	ebx
		mov	ebx, [ebp+arg_10]
		push	edi
		push	ebx
		push	ecx
		mov	ecx, [ebp+arg_0]
		push	eax
		call	_BgpDisplayCharacterEx@40 ; BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_A78E60
		mov	eax, [ebp+arg_0]
		mov	[esi+8], ax
		mov	eax, [ebp+arg_C]
		mov	[esi], eax
		mov	[esi+4], ebx

loc_A78E60:				; CODE XREF: BgpConsoleDisplayCharacter(x,x,x,x,x)+67j
					; BgpConsoleDisplayCharacter(x,x,x,x,x)+9Ej
		pop	esi
		pop	ebx

loc_A78E62:				; CODE XREF: BgpConsoleDisplayCharacter(x,x,x,x,x)+1Aj
		call	BgpFwReleaseLock
		mov	eax, edi
		pop	edi
		pop	ebp
		retn	14h
_BgpConsoleDisplayCharacter@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpConsoleDisplayCharacterEx(x, x, x, x, x,	x)
_BgpConsoleDisplayCharacterEx@24 proc near ; CODE XREF:	BgpConsoleDisplayString(x)+77p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		mov	esi, ecx
		cmp	edx, 50h
		ja	loc_A79063
		mov	edx, dword_6F9AF0
		mov	eax, [ebp+arg_0]
		cmp	eax, [edx+4]
		ja	loc_A79063
		lea	eax, [edx+28h]
		mov	[ebp+arg_0], eax
		lea	ecx, [edx+34h]
		push	ebx
		movzx	eax, si
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		push	edi
		lea	edi, [edx+3Ch]
		sub	eax, 8
		jz	loc_A78FCD
		sub	eax, 1
		jz	loc_A78F3F
		sub	eax, 1
		jz	short loc_A78F38
		sub	eax, 3
		jz	short loc_A78F31
		mov	eax, [ebp+arg_0]
		mov	ebx, [ebp+var_4]
		mov	edx, [edx+24h]
		push	0
		mov	ecx, [eax+4]
		mov	eax, [eax]
		imul	ecx, [edi+4]
		imul	eax, [edi]
		add	ecx, [ebx+4]
		add	eax, [ebx]
		lea	ebx, [ebp+arg_0]
		push	ecx
		push	ebx
		lea	ebx, [ebp+var_8]
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+arg_8]
		push	ecx
		push	eax
		mov	ecx, esi
		call	_BgpDisplayCharacterEx@40 ; BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_A7903B
		imul	edx, [edi], 19h
		mov	ecx, [edi+4]
		mov	eax, [ebp+arg_4]
		add	edx, 6
		add	ecx, edx
		mov	edx, dword_6F9AF0
		imul	ecx, 0Ch
		mov	[ecx+edx], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+edx+8], si
		mov	[ecx+edx+4], eax
		inc	dword ptr [edi]
		jmp	loc_A79041
; 

loc_A78F31:				; CODE XREF: BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+56j
		and	[edi], ebx
		jmp	loc_A7904C
; 

loc_A78F38:				; CODE XREF: BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+51j
		and	[edi], ebx
		jmp	loc_A79049
; 

loc_A78F3F:				; CODE XREF: BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+48j
		mov	ecx, [edi]
		push	50h
		pop	eax
		push	5
		sub	eax, ecx
		mov	[ebp+var_8], ecx
		pop	esi
		cmp	eax, esi
		jnb	short loc_A78F5A
		mov	esi, eax
		test	esi, esi
		jz	loc_A79041

loc_A78F5A:				; CODE XREF: BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+E0j
					; BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+15Bj
		mov	eax, [ebp+arg_0]
		mov	ecx, [edi+4]
		mov	ebx, [ebp+var_4]
		mov	edx, [edx+24h]
		imul	ecx, [eax+4]
		mov	eax, [eax]
		imul	eax, [ebp+var_8]
		push	0
		add	ecx, [ebx+4]
		push	ecx
		add	eax, [ebx]
		lea	ebx, [ebp+var_8]
		push	ebx
		lea	ebx, [ebp+var_C]
		push	ebx
		push	[ebp+arg_4]
		push	[ebp+arg_8]
		push	ecx
		push	eax
		push	20h
		pop	ecx
		call	_BgpDisplayCharacterEx@40 ; BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)
		mov	edx, dword_6F9AF0
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A78FBF
		imul	ecx, [edi], 19h
		mov	eax, [edi+4]
		push	20h
		add	ecx, 6
		add	eax, ecx
		imul	eax, 0Ch
		pop	ecx
		mov	[eax+edx+8], cx
		mov	ecx, [ebp+arg_4]
		mov	[eax+edx], ecx
		mov	ecx, [ebp+arg_8]
		mov	[eax+edx+4], ecx

loc_A78FBF:				; CODE XREF: BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+12Cj
		inc	dword ptr [edi]
		mov	eax, [edi]
		mov	[ebp+var_8], eax
		sub	esi, 1
		jnz	short loc_A78F5A
		jmp	short loc_A79041
; 

loc_A78FCD:				; CODE XREF: BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+3Fj
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_A79041
		mov	ebx, [ebp+arg_0]
		dec	eax
		mov	[edi], eax
		mov	edx, [edx+24h]
		push	0
		mov	esi, [ebx+4]
		imul	esi, [edi+4]
		add	esi, [ecx+4]
		mov	ecx, [ebx]
		mov	ebx, [ebp+var_4]
		imul	ecx, eax
		lea	eax, [ebp+arg_0]
		add	ecx, [ebx]
		push	ecx
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_8]
		push	esi
		push	ecx
		push	20h
		pop	esi
		mov	ecx, esi
		call	_BgpDisplayCharacterEx@40 ; BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_A7903B
		imul	ecx, [edi], 19h
		mov	eax, [edi+4]
		mov	edx, dword_6F9AF0
		add	ecx, 6
		add	eax, ecx
		mov	ecx, [ebp+arg_4]
		imul	eax, 0Ch
		mov	[eax+edx], ecx
		mov	ecx, [ebp+arg_8]
		mov	[eax+edx+8], si
		mov	[eax+edx+4], ecx
		jmp	short loc_A79041
; 

loc_A7903B:				; CODE XREF: BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+90j
					; BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+1A3j
		mov	edx, dword_6F9AF0

loc_A79041:				; CODE XREF: BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+BEj
					; BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+E6j ...
		cmp	dword ptr [edi], 50h
		jb	short loc_A7904C
		and	dword ptr [edi], 0

loc_A79049:				; CODE XREF: BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+CCj
		inc	dword ptr [edi+4]

loc_A7904C:				; CODE XREF: BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+C5j
					; BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+1D6j
		mov	eax, [edi+4]
		cmp	eax, [edx+4]
		jb	short loc_A7905D
		dec	eax
		mov	[edi+4], eax
		call	_BgpConsoleScrollScreen@0 ; BgpConsoleScrollScreen()

loc_A7905D:				; CODE XREF: BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+1E4j
		pop	edi
		mov	eax, ebx
		pop	ebx
		jmp	short loc_A79068
; 

loc_A79063:				; CODE XREF: BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+Ej
					; BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+20j
		mov	eax, 0C000000Dh

loc_A79068:				; CODE XREF: BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+1F3j
		pop	esi
		leave
		retn	10h
_BgpConsoleDisplayCharacterEx@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpConsoleDisplayString(x)
_BgpConsoleDisplayString@4 proc	near	; DATA XREF: .data:006B2B8Co

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		mov	edx, dword_6F9AF0
		test	edx, edx
		jnz	short loc_A79089
		mov	esi, 0C0000001h
		jmp	short loc_A79097
; 

loc_A79089:				; CODE XREF: BgpConsoleDisplayString(x)+13j
		push	edi
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jnz	short loc_A790A3
		mov	esi, 0C000000Dh

loc_A79096:				; CODE XREF: BgpConsoleDisplayString(x)+40j
					; BgpConsoleDisplayString(x)+65j ...
		pop	edi

loc_A79097:				; CODE XREF: BgpConsoleDisplayString(x)+1Aj
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
; 

loc_A790A3:				; CODE XREF: BgpConsoleDisplayString(x)+22j
		movzx	eax, word ptr [edi]
		test	ax, ax
		jnz	short loc_A790AF
		xor	esi, esi
		jmp	short loc_A79096
; 

loc_A790AF:				; CODE XREF: BgpConsoleDisplayString(x)+3Cj
		test	dword ptr [edx+8], 10000h
		jz	short loc_A790CD
		call	AnFwFadeCompletion
		mov	edx, dword_6F9AF0
		and	dword ptr [edx+8], 0FFFEFFFFh
		movzx	eax, word ptr [edi]

loc_A790CD:				; CODE XREF: BgpConsoleDisplayString(x)+49j
		xor	esi, esi
		test	ax, ax
		jz	short loc_A79096
		movzx	ecx, ax

loc_A790D7:				; CODE XREF: BgpConsoleDisplayString(x)+99j
		push	ecx
		push	dword ptr [edx+10h]
		push	dword ptr [edx+0Ch]
		push	dword ptr [edx+40h]
		mov	edx, [edx+3Ch]
		call	_BgpConsoleDisplayCharacterEx@24 ; BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_A790F3
		test	esi, esi
		js	short loc_A790F3
		mov	esi, eax

loc_A790F3:				; CODE XREF: BgpConsoleDisplayString(x)+7Ej
					; BgpConsoleDisplayString(x)+82j
		add	edi, 2
		movzx	eax, word ptr [edi]
		mov	ecx, eax
		test	ax, ax
		jz	short loc_A79096
		mov	edx, dword_6F9AF0
		jmp	short loc_A790D7
_BgpConsoleDisplayString@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpConsoleDrawCursor()
_BgpConsoleDrawCursor@0	proc near	; CODE XREF: BgpConsoleSetCursor(x,x,x)+52p
					; BgpConsoleSetCursor(x,x,x)+6Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	edx, dword_6F9AF0
		push	esi
		push	edi
		mov	eax, [edx+44h]
		test	eax, eax
		jnz	short loc_A7913C
		imul	ecx, [edx+3Ch],	19h
		add	ecx, [edx+40h]
		imul	eax, ecx, 0Ch
		movzx	esi, word ptr [eax+edx+50h]
		mov	edi, [eax+edx+4Ch]
		lea	eax, [ecx+6]
		imul	eax, 0Ch
		mov	ecx, [eax+edx]
		jmp	short loc_A7915A
; 

loc_A7913C:				; CODE XREF: BgpConsoleDrawCursor()+14j
		mov	edi, [edx+10h]
		mov	ecx, [edx+0Ch]
		cmp	eax, 22h
		jnb	short loc_A7914C
		push	5Fh
		pop	esi
		jmp	short loc_A7915A
; 

loc_A7914C:				; CODE XREF: BgpConsoleDrawCursor()+3Dj
		cmp	eax, 43h
		sbb	esi, esi
		and	esi, 0FFFFFFFCh
		add	esi, 2588h

loc_A7915A:				; CODE XREF: BgpConsoleDrawCursor()+32j
					; BgpConsoleDrawCursor()+42j
		push	0
		push	ecx
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		mov	eax, [edx+2Ch]
		imul	eax, [edx+40h]
		push	ecx
		push	edi
		mov	ecx, esi
		add	eax, [edx+38h]
		push	eax
		mov	eax, [edx+28h]
		imul	eax, [edx+3Ch]
		add	eax, [edx+34h]
		mov	edx, [edx+24h]
		push	eax
		call	_BgpDisplayCharacterEx@40 ; BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn
_BgpConsoleDrawCursor@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpConsoleGetCursorState(x,	x, x)
_BgpConsoleGetCursorState@12 proc near	; DATA XREF: .data:006B2B98o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		mov	edx, dword_6F9AF0
		test	edx, edx
		jnz	short loc_A791A7
		mov	esi, 0C0000001h
		jmp	short loc_A791C1
; 

loc_A791A7:				; CODE XREF: BgpConsoleGetCursorState(x,x,x)+13j
		mov	eax, [ebp+arg_0]
		xor	esi, esi
		mov	ecx, [edx+3Ch]
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		mov	ecx, [edx+40h]
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	ecx, [edx+44h]
		mov	[eax], ecx

loc_A791C1:				; CODE XREF: BgpConsoleGetCursorState(x,x,x)+1Aj
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
_BgpConsoleGetCursorState@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpConsoleGetState(x)
_BgpConsoleGetState@4 proc near		; DATA XREF: .data:006B2B94o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		mov	edx, dword_6F9AF0
		test	edx, edx
		jnz	short loc_A791E9
		mov	esi, 0C0000001h
		jmp	short loc_A7921C
; 

loc_A791E9:				; CODE XREF: BgpConsoleGetState(x)+13j
		mov	ecx, [ebp+arg_0]
		xor	esi, esi
		mov	eax, [edx+14h]
		mov	[ecx], eax
		mov	eax, [edx+18h]
		mov	[ecx+4], eax
		mov	eax, [edx]
		mov	[ecx+8], eax
		mov	eax, [edx+4]
		mov	[ecx+0Ch], eax
		mov	eax, [edx+28h]
		mov	[ecx+10h], eax
		mov	eax, [edx+2Ch]
		mov	[ecx+14h], eax
		mov	eax, [edx+34h]
		mov	[ecx+18h], eax
		mov	eax, [edx+38h]
		mov	[ecx+1Ch], eax

loc_A7921C:				; CODE XREF: BgpConsoleGetState(x)+1Aj
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_BgpConsoleGetState@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpConsoleScrollScreen()
_BgpConsoleScrollScreen@0 proc near	; CODE XREF: BgpConsoleDisplayCharacterEx(x,x,x,x,x,x)+1EAp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	edx, dword_6F9AF0
		push	ebx
		push	esi
		push	edi
		lea	eax, [edx+34h]
		xor	esi, esi
		push	6
		mov	[ebp+var_C], eax
		xor	ebx, ebx
		lea	eax, [edx+28h]
		mov	[ebp+var_4], esi
		pop	ecx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_8], ecx
		mov	[ebp+var_18], ebx

loc_A79255:				; CODE XREF: BgpConsoleScrollScreen()+106j
		mov	eax, [edx+4]
		xor	edi, edi
		sub	eax, 1
		jz	loc_A79315
		mov	esi, ebx

loc_A79265:				; CODE XREF: BgpConsoleScrollScreen()+E1j
		movzx	eax, word ptr [esi+edx+5Ch]
		mov	[ebp+var_10], eax
		cmp	[esi+edx+50h], ax
		jnz	short loc_A79290
		lea	eax, [ecx+edi]
		imul	eax, 0Ch
		mov	eax, [eax+edx]
		cmp	eax, [esi+edx+54h]
		jnz	short loc_A7928D
		mov	eax, [esi+edx+4Ch]
		cmp	eax, [esi+edx+58h]
		jz	short loc_A792FF

loc_A7928D:				; CODE XREF: BgpConsoleScrollScreen()+59j
		mov	eax, [ebp+var_10]

loc_A79290:				; CODE XREF: BgpConsoleScrollScreen()+4Aj
		mov	ecx, [esi+edx+54h]
		mov	ebx, [ebp+var_C]
		movzx	eax, ax
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_20], ecx
		mov	ecx, [esi+edx+58h]
		mov	edx, [edx+24h]
		mov	[ebp+var_14], ecx
		mov	ecx, [eax+4]
		mov	eax, [eax]
		imul	eax, [ebp+var_4]
		imul	ecx, edi
		push	0
		add	eax, [ebx]
		add	ecx, [ebx+4]
		lea	ebx, [ebp+var_24]
		push	ecx
		push	ebx
		lea	ebx, [ebp+var_28]
		push	ebx
		mov	ebx, [ebp+var_20]
		push	ebx
		push	[ebp+var_14]
		push	ecx
		mov	ecx, [ebp+var_10]
		push	eax
		call	_BgpDisplayCharacterEx@40 ; BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)
		mov	edx, dword_6F9AF0
		mov	ecx, [ebp+var_8]
		test	eax, eax
		js	short loc_A792FF
		mov	eax, [ebp+var_10]
		mov	[esi+edx+50h], ax
		mov	eax, [ebp+var_14]
		mov	[esi+edx+4Ch], eax
		lea	eax, [ecx+edi]
		imul	eax, 0Ch
		mov	[eax+edx], ebx

loc_A792FF:				; CODE XREF: BgpConsoleScrollScreen()+63j
					; BgpConsoleScrollScreen()+BDj
		mov	eax, [edx+4]
		inc	edi
		add	esi, 0Ch
		dec	eax
		cmp	edi, eax
		jb	loc_A79265
		mov	ebx, [ebp+var_18]
		mov	esi, [ebp+var_4]

loc_A79315:				; CODE XREF: BgpConsoleScrollScreen()+35j
		add	ebx, 12Ch
		inc	esi
		add	ecx, 19h
		mov	[ebp+var_4], esi
		mov	[ebp+var_18], ebx
		mov	[ebp+var_8], ecx
		cmp	ebx, 5DC0h
		jb	loc_A79255
		mov	ebx, [edx+4]
		xor	edi, edi
		mov	eax, [edx+10h]
		dec	ebx
		mov	[ebp+var_18], eax
		mov	eax, [edx+0Ch]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_14], eax
		imul	esi, ebx, 0Ch

loc_A7934C:				; CODE XREF: BgpConsoleScrollScreen()+190j
		mov	edx, [ebp+var_1C]
		mov	eax, [ebp+var_C]
		push	0
		mov	ecx, [edx+4]
		imul	ecx, ebx
		lea	ebx, [ebp+var_28]
		add	ecx, [eax+4]
		mov	eax, [edx]
		mov	edx, [ebp+var_C]
		push	ecx
		push	ebx
		lea	ebx, [ebp+var_24]
		imul	eax, edi
		push	ebx
		push	[ebp+var_14]
		push	[ebp+var_18]
		add	eax, [edx]
		mov	edx, dword_6F9AF0
		push	ecx
		push	eax
		push	20h
		mov	edx, [edx+24h]
		pop	eax
		mov	ecx, eax
		call	_BgpDisplayCharacterEx@40 ; BgpDisplayCharacterEx(x,x,x,x,x,x,x,x,x,x)
		mov	edx, dword_6F9AF0
		mov	ebx, [ebp+var_20]
		test	eax, eax
		js	short loc_A793AE
		push	20h
		pop	eax
		mov	[esi+edx+50h], ax
		mov	eax, [ebp+var_18]
		mov	[esi+edx+4Ch], eax
		mov	eax, [ebp+var_14]
		mov	[esi+edx+48h], eax

loc_A793AE:				; CODE XREF: BgpConsoleScrollScreen()+16Ej
		inc	edi
		add	esi, 12Ch
		cmp	edi, 50h
		jb	short loc_A7934C
		mov	eax, [edx+4]
		and	dword ptr [edx+3Ch], 0
		dec	eax
		pop	edi
		pop	esi
		mov	[edx+40h], eax
		pop	ebx
		leave
		retn
_BgpConsoleScrollScreen@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpConsoleSetCursor(x, x, x)
_BgpConsoleSetCursor@12	proc near	; DATA XREF: .data:006B2B9Co

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		mov	eax, dword_6F9AF0
		test	eax, eax
		jnz	short loc_A793E5
		mov	esi, 0C0000001h
		jmp	short loc_A79444
; 

loc_A793E5:				; CODE XREF: BgpConsoleSetCursor(x,x,x)+12j
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	edi
		cmp	ebx, 50h
		jnb	short loc_A7943D
		mov	ecx, [ebp+arg_4]
		cmp	ecx, [eax+4]
		jnb	short loc_A7943D
		mov	edi, [ebp+arg_8]
		cmp	edi, 64h
		ja	short loc_A7943D
		cmp	[eax+3Ch], ebx
		jnz	short loc_A79412
		cmp	[eax+40h], ecx
		jnz	short loc_A79412
		cmp	[eax+44h], edi
		jnz	short loc_A79412
		xor	esi, esi
		jmp	short loc_A79442
; 

loc_A79412:				; CODE XREF: BgpConsoleSetCursor(x,x,x)+38j
					; BgpConsoleSetCursor(x,x,x)+3Dj ...
		xor	esi, esi
		cmp	[eax+44h], esi
		jz	short loc_A79429
		mov	[eax+44h], esi
		call	_BgpConsoleDrawCursor@0	; BgpConsoleDrawCursor()
		mov	eax, dword_6F9AF0
		mov	ecx, [ebp+arg_4]

loc_A79429:				; CODE XREF: BgpConsoleSetCursor(x,x,x)+4Dj
		mov	[eax+3Ch], ebx
		mov	[eax+40h], ecx
		mov	[eax+44h], edi
		test	edi, edi
		jz	short loc_A79442
		call	_BgpConsoleDrawCursor@0	; BgpConsoleDrawCursor()
		jmp	short loc_A79442
; 

loc_A7943D:				; CODE XREF: BgpConsoleSetCursor(x,x,x)+23j
					; BgpConsoleSetCursor(x,x,x)+2Bj ...
		mov	esi, 0C000000Dh

loc_A79442:				; CODE XREF: BgpConsoleSetCursor(x,x,x)+46j
					; BgpConsoleSetCursor(x,x,x)+6Aj ...
		pop	edi
		pop	ebx

loc_A79444:				; CODE XREF: BgpConsoleSetCursor(x,x,x)+19j
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	0Ch
_BgpConsoleSetCursor@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpConsoleSetTextColor(x, x)
_BgpConsoleSetTextColor@8 proc near	; DATA XREF: .data:006B2B88o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		mov	ecx, dword_6F9AF0
		test	ecx, ecx
		jnz	short loc_A7946C
		mov	esi, 0C0000001h
		jmp	short loc_A79486
; 

loc_A7946C:				; CODE XREF: BgpConsoleSetTextColor(x,x)+13j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jz	short loc_A79478
		mov	eax, [eax]
		mov	[ecx+0Ch], eax

loc_A79478:				; CODE XREF: BgpConsoleSetTextColor(x,x)+21j
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_A79484
		mov	eax, [eax]
		mov	[ecx+10h], eax

loc_A79484:				; CODE XREF: BgpConsoleSetTextColor(x,x)+2Dj
		xor	esi, esi

loc_A79486:				; CODE XREF: BgpConsoleSetTextColor(x,x)+1Aj
		call	BgpFwReleaseLock
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	8
_BgpConsoleSetTextColor@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall AnFwpBackgroundUpdateTimer(x, x, x,	x)
_AnFwpBackgroundUpdateTimer@16 proc near ; DATA	XREF: TxtpAddCacheEntry+25A8o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [esp+1Ch+var_8]
		push	edi
		push	eax
		mov	[esp+24h+var_10], ebx
		mov	[esp+24h+var_C], ebx
		mov	[esp+24h+var_8], ebx
		mov	[esp+24h+var_4], ebx
		call	off_6B1340	; xHalTimerQueryCycleCounter(x)
		push	ebx
		push	3E8h
		push	edx
		push	eax
		lea	ecx, [esp+34h+var_14]
		call	_RtlULongLongMult@20 ; RtlULongLongMult(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_A7957D
		push	[esp+24h+var_8]
		push	[esp+28h+var_C]
		push	[esp+2Ch+var_10]
		push	[esp+30h+var_14]
		call	__aulldiv
		mov	ebx, eax
		mov	esi, edx
		call	_BgpFwAcquireLock@0 ; BgpFwAcquireLock()
		cmp	esi, dword_6B6C44
		jb	short loc_A79578
		ja	short loc_A79508
		cmp	ebx, dword_6B6C40
		jb	short loc_A79578

loc_A79508:				; CODE XREF: AnFwpBackgroundUpdateTimer(x,x,x,x)+6Cj
		cmp	byte_6CEA90, 0
		jz	short loc_A79578
		call	_AnFwpDisableProgressTimer@0 ; AnFwpDisableProgressTimer()
		push	ebx		; char
		push	offset ??_C@_0DC@GCMNOGDC@BGFX?5Secondary?5Logo?5Bitmap?5Disp@CIJCHKMG@	; char *
		push	0		; int
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 10h
		cmp	dword_6B6BFC, 0
		jz	short loc_A7954F
		mov	ecx, dword_6B6CF8
		call	_BgpClearScreen@4 ; BgpClearScreen(x)
		push	ecx
		mov	ecx, dword_6B6BFC
		mov	edx, offset dword_6B6C08
		call	_BgpGxDrawBitmapImage@12 ; BgpGxDrawBitmapImage(x,x,x)
		mov	edi, eax

loc_A7954F:				; CODE XREF: AnFwpBackgroundUpdateTimer(x,x,x,x)+9Dj
		test	edi, edi
		jns	short loc_A7955E
		mov	ecx, dword_6B6CF8
		call	_BgpClearScreen@4 ; BgpClearScreen(x)

loc_A7955E:				; CODE XREF: AnFwpBackgroundUpdateTimer(x,x,x,x)+BFj
		cmp	byte_6CEA90, 0
		jz	short loc_A79578
		push	offset unk_6F9F80
		call	_KeCancelTimer@4 ; KeCancelTimer(x)
		mov	byte_6CEA90, 0

loc_A79578:				; CODE XREF: AnFwpBackgroundUpdateTimer(x,x,x,x)+6Aj
					; AnFwpBackgroundUpdateTimer(x,x,x,x)+74j ...
		call	BgpFwReleaseLock

loc_A7957D:				; CODE XREF: AnFwpBackgroundUpdateTimer(x,x,x,x)+40j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_AnFwpBackgroundUpdateTimer@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpGxBlendRectangle(x, x, x, x)
_BgpGxBlendRectangle@16	proc near	; CODE XREF: BgpTxtDisplayCharacter+87DBEp
					; BgpTxtDisplayString(x,x,x,x,x)+1CEp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		and	[ebp+var_30], 0
		mov	eax, ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_C], edx
		xor	esi, esi
		mov	[ebp+var_4], eax
		push	edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_28], ebx
		cmp	[ebp+arg_4], ebx
		jz	loc_A7974B
		mov	ecx, [eax]
		mov	[ebp+var_24], ecx
		test	ecx, ecx
		jz	loc_A7974B
		mov	ecx, [edx]
		test	ecx, ecx
		jz	loc_A7974B
		mov	edi, [eax+4]
		mov	[ebp+var_20], edi
		test	edi, edi
		jz	loc_A7974B
		mov	edx, [edx+4]
		test	edx, edx
		jz	loc_A7974B
		cmp	dword ptr [eax+8], 20h
		jnz	loc_A7974B
		mov	eax, [ebp+var_C]
		cmp	dword ptr [eax+8], 20h
		jnz	loc_A7974B
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		mov	[ebp+var_14], eax
		add	eax, edx
		cmp	edi, eax
		jb	loc_A7974B
		mov	eax, [ebp+arg_0]
		mov	edi, [eax+4]
		lea	eax, [edi+ecx]
		cmp	[ebp+var_24], eax
		jb	loc_A7974B
		mov	esi, [ebp+arg_4]
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_A7965C
		lea	eax, [ebp+var_8]
		mov	[ebp+var_34], ecx
		push	eax
		push	20h
		mov	[ebp+var_38], edx
		lea	ecx, [ebp+var_38]
		pop	edx
		call	_BgpGxRectangleCreate@12 ; BgpGxRectangleCreate(x,x,x)
		mov	esi, [ebp+var_8]
		mov	ebx, eax
		mov	[ebp+var_28], ebx
		test	ebx, ebx
		js	loc_A79754
		mov	edx, [ebp+arg_0]
		mov	eax, [ebp+var_4]
		mov	edi, [edx+4]
		mov	edx, [edx]
		mov	ecx, [eax+4]
		mov	[ebp+var_14], edx
		jmp	short loc_A79673
; 

loc_A7965C:				; CODE XREF: BgpGxBlendRectangle(x,x,x,x)+9Cj
		cmp	[esi+4], edx
		jnz	loc_A79744
		cmp	[esi], ecx
		jnz	loc_A79744
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_20]

loc_A79673:				; CODE XREF: BgpGxBlendRectangle(x,x,x,x)+D4j
		mov	edx, [ebp+var_C]
		imul	edi, ecx
		mov	edx, [edx+14h]
		mov	[ebp+var_8], edx
		mov	edx, [esi+14h]
		add	edi, [ebp+var_14]
		mov	[ebp+var_10], edx
		mov	edx, [esi+8]
		shr	edx, 3
		imul	edi, edx
		mov	[ebp+var_18], edx
		add	edi, [eax+14h]
		mov	eax, [esi]
		mov	[ebp+var_1C], edi
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	loc_A79750
		mov	ecx, [esi+4]
		mov	ebx, [ebp+var_4]
		mov	[ebp+var_24], ecx

loc_A796B0:				; CODE XREF: BgpGxBlendRectangle(x,x,x,x)+1B3j
		and	[ebp+var_14], 0
		mov	eax, [ebp+var_8]
		mov	[ebp+arg_0], eax
		test	ecx, ecx
		jz	short loc_A7970E
		mov	ecx, [ebp+var_10]
		mov	edx, eax
		mov	ebx, [ebp+var_18]
		sub	ecx, eax
		mov	[ebp+var_24], ecx
		mov	ecx, edi
		mov	edi, [ebp+var_24]
		sub	ecx, eax
		mov	[ebp+var_2C], ecx

loc_A796D5:				; CODE XREF: BgpGxBlendRectangle(x,x,x,x)+17Bj
		movzx	eax, byte ptr [edx+3]
		mov	edx, [edx]
		push	eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [ecx+eax]
		call	_BgpGxBlendColor@12 ; BgpGxBlendColor(x,x,x)
		mov	edx, [ebp+arg_0]
		mov	ecx, [ebp+var_14]
		mov	[edi+edx], eax
		add	edx, ebx
		mov	eax, [esi+4]
		inc	ecx
		mov	[ebp+var_14], ecx
		cmp	ecx, eax
		mov	ecx, [ebp+var_2C]
		mov	[ebp+arg_0], edx
		jb	short loc_A796D5
		mov	edi, [ebp+var_1C]
		mov	ebx, [ebp+var_4]
		mov	edx, [ebp+var_18]
		jmp	short loc_A79711
; 

loc_A7970E:				; CODE XREF: BgpGxBlendRectangle(x,x,x,x)+136j
		mov	eax, [ebp+var_24]

loc_A79711:				; CODE XREF: BgpGxBlendRectangle(x,x,x,x)+186j
		mov	ecx, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_24], ecx
		mov	eax, [eax+4]
		imul	eax, edx
		add	[ebp+var_8], eax
		mov	eax, [ebx+4]
		imul	eax, edx
		add	edi, eax
		mov	eax, ecx
		imul	eax, edx
		mov	[ebp+var_1C], edi
		add	[ebp+var_10], eax
		sub	[ebp+var_20], 1
		jnz	loc_A796B0
		mov	ebx, [ebp+var_28]
		jmp	short loc_A79750
; 

loc_A79744:				; CODE XREF: BgpGxBlendRectangle(x,x,x,x)+D9j
					; BgpGxBlendRectangle(x,x,x,x)+E1j
		mov	ebx, 0C000009Ah
		jmp	short loc_A79754
; 

loc_A7974B:				; CODE XREF: BgpGxBlendRectangle(x,x,x,x)+24j
					; BgpGxBlendRectangle(x,x,x,x)+31j ...
		mov	ebx, 0C000000Dh

loc_A79750:				; CODE XREF: BgpGxBlendRectangle(x,x,x,x)+11Bj
					; BgpGxBlendRectangle(x,x,x,x)+1BCj
		test	ebx, ebx
		jns	short loc_A7976F

loc_A79754:				; CODE XREF: BgpGxBlendRectangle(x,x,x,x)+BDj
					; BgpGxBlendRectangle(x,x,x,x)+1C3j
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax], 0
		jnz	short loc_A79779
		test	esi, esi
		jz	short loc_A7976F
		test	byte ptr [esi+10h], 1
		jnz	short loc_A7976D
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A7976D:				; CODE XREF: BgpGxBlendRectangle(x,x,x,x)+1DEj
		xor	esi, esi

loc_A7976F:				; CODE XREF: BgpGxBlendRectangle(x,x,x,x)+1CCj
					; BgpGxBlendRectangle(x,x,x,x)+1D8j
		mov	eax, [ebp+arg_4]
		cmp	dword ptr [eax], 0
		jnz	short loc_A79779
		mov	[eax], esi

loc_A79779:				; CODE XREF: BgpGxBlendRectangle(x,x,x,x)+1D4j
					; BgpGxBlendRectangle(x,x,x,x)+1EFj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	8
_BgpGxBlendRectangle@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpGxCopyRectangle(x, x, x,	x)
_BgpGxCopyRectangle@16 proc near	; CODE XREF: BgpRasPrintGlyph+87BE4p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, edx
		push	edi
		mov	[ebp+var_4], eax
		mov	edx, [esi+8]
		mov	ecx, [eax+4]
		mov	ebx, [esi+4]
		shr	edx, 3
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], ecx
		mov	[ebp+var_C], ebx
		cmp	ecx, ebx
		jb	short loc_A797AF
		mov	ecx, ebx

loc_A797AF:				; CODE XREF: BgpGxCopyRectangle(x,x,x,x)+29j
		mov	edi, [eax]
		mov	eax, [esi]
		cmp	edi, eax
		jb	short loc_A797B9
		mov	edi, eax

loc_A797B9:				; CODE XREF: BgpGxCopyRectangle(x,x,x,x)+33j
		mov	eax, [ebp+arg_4]
		imul	ecx, edx
		mov	ebx, [eax+4]
		imul	ebx, [ebp+var_8]
		mov	[ebp+var_10], ecx
		add	ebx, [eax]
		mov	eax, [ebp+var_4]
		imul	ebx, edx
		add	ebx, [eax+14h]
		mov	eax, [ebp+arg_0]
		mov	ecx, [eax+4]
		imul	ecx, [ebp+var_C]
		add	ecx, [eax]
		imul	ecx, edx
		add	ecx, [esi+14h]
		test	edi, edi
		jmp	short loc_A79812
; 

loc_A797EA:				; CODE XREF: BgpGxCopyRectangle(x,x,x,x)+93j
		push	[ebp+var_10]	; size_t
		push	ebx		; void *
		push	ecx		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	ecx, [ebp+arg_4]
		mov	eax, [eax+4]
		imul	eax, [ebp+var_14]
		add	ebx, eax
		mov	eax, [esi+4]
		imul	eax, [ebp+var_14]
		add	ecx, eax
		sub	edi, 1

loc_A79812:				; CODE XREF: BgpGxCopyRectangle(x,x,x,x)+66j
		mov	[ebp+arg_4], ecx
		jnz	short loc_A797EA
		mov	ecx, esi
		call	_BgpGxMarkClean@4 ; BgpGxMarkClean(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_BgpGxCopyRectangle@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpGxDrawBitmapImage(x, x, x)
_BgpGxDrawBitmapImage@12 proc near	; CODE XREF: TxtpAddCacheEntry+2583p
					; AnFwpBackgroundUpdateTimer(x,x,x,x)+B6p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	esi, edx
		lea	edx, [ebp+var_4]
		push	ecx
		call	BgpGxParseBitmap
		mov	edi, eax
		test	edi, edi
		js	short loc_A79861
		mov	edx, esi
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		call	BgpGxDrawRectangle
		mov	edi, eax
		test	esi, esi
		jz	short loc_A79861
		test	byte ptr [esi+10h], 1
		jnz	short loc_A79861
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A79861:				; CODE XREF: BgpGxDrawBitmapImage(x,x,x)+1Bj
					; BgpGxDrawBitmapImage(x,x,x)+2Dj ...
		mov	eax, edi
		pop	edi
		pop	esi
		leave
		retn	4
_BgpGxDrawBitmapImage@12 endp


;  S U B	R O U T	I N E 


; __stdcall FopFreeMappingTable(x)
_FopFreeMappingTable@4 proc near	; CODE XREF: FopReadMappingTable+13Ep
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_A7987A
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A7987A:				; CODE XREF: FopFreeMappingTable(x)+Aj
		mov	ecx, esi
		pop	esi
		jmp	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
_FopFreeMappingTable@4 endp


;  S U B	R O U T	I N E 


; __stdcall BgpTxtClearRegion(x)
_BgpTxtClearRegion@4 proc near		; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+54p
					; BgpTxtDisplayString(x,x,x,x,x)+1DFp
		mov	edi, edi
		push	ecx
		test	ecx, ecx
		jz	short loc_A7989B
		test	byte ptr [ecx+30h], 1
		jz	short loc_A7989B
		mov	edx, ecx
		mov	ecx, [ecx+14h]
		call	BgpGxDrawRectangle
		pop	ecx
		retn
; 

loc_A7989B:				; CODE XREF: BgpTxtClearRegion(x)+5j
					; BgpTxtClearRegion(x)+Bj
		mov	eax, 0C000000Dh
		pop	ecx
		retn
_BgpTxtClearRegion@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpTxtDisplayString(x, x, x, x, x)
_BgpTxtDisplayString@20	proc near	; CODE XREF: BgDisplayString(x)+49p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+34h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+40h+var_20], edx
		lea	edi, [esp+40h+var_18]
		xor	esi, esi
		stosd
		mov	ebx, ecx
		mov	[esp+40h+var_1C], esi
		mov	[esp+40h+var_34], esi
		mov	[esp+40h+var_30], esi
		stosd
		mov	[esp+40h+var_8], esi
		mov	[esp+40h+var_28], esi
		stosd
		test	ebx, ebx
		jz	loc_A79AD0
		test	byte ptr [ebx+30h], 1
		jz	loc_A79AD0
		test	edx, edx
		jnz	short loc_A79902
		call	_BgpTxtClearRegion@4 ; BgpTxtClearRegion(x)
		mov	esi, eax
		jmp	loc_A79ACC
; 

loc_A79902:				; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+52j
		cmp	[ebx+34h], esi
		jz	short loc_A79911
		mov	esi, 0C000000Dh
		jmp	loc_A79ACC
; 

loc_A79911:				; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+63j
		mov	edi, edx
		lea	ecx, [edi+2]

loc_A79916:				; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+7Dj
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, si
		jnz	short loc_A79916
		sub	edi, ecx
		mov	[esp+40h+var_2C], esi
		sar	edi, 1
		mov	eax, esi
		mov	[esp+40h+var_24], eax
		jz	short loc_A79971
		lea	ecx, [ebx+1Ch]

loc_A79934:				; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+CDj
		mov	dx, [edx+eax*2]
		push	esi
		push	ecx
		lea	esi, [esp+48h+var_1C]
		push	esi
		call	_BgpFoGetAdvanceWidth@20 ; BgpFoGetAdvanceWidth(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A79ACC
		mov	eax, [esp+40h+var_2C]
		lea	ecx, [ebx+1Ch]
		add	eax, [esp+40h+var_1C]
		mov	edx, [esp+40h+var_20]
		mov	[esp+40h+var_2C], eax
		mov	eax, [esp+40h+var_24]
		inc	eax
		mov	[esp+40h+var_24], eax
		push	0
		pop	esi
		cmp	eax, edi
		jb	short loc_A79934

loc_A79971:				; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+8Dj
		lea	ecx, [ebx+1Ch]
		lea	edx, [esp+40h+var_C]
		call	_BgpFoGetTextMetrics@8 ; BgpFoGetTextMetrics(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A79ACC
		mov	eax, [esp+40h+var_8]
		mov	ecx, [esp+40h+var_2C]
		mov	edx, [ebx+0Ch]
		mov	[esp+40h+var_14], eax
		mov	[esp+40h+var_18], ecx
		mov	[esp+40h+var_10], ecx
		cmp	eax, edx
		jbe	short loc_A799A6
		mov	[esp+40h+var_14], edx

loc_A799A6:				; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+FEj
		mov	eax, [ebx+8]
		cmp	ecx, eax
		jbe	short loc_A799B5
		mov	[esp+40h+var_2C], eax
		mov	[esp+40h+var_18], eax

loc_A799B5:				; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+109j
		lea	eax, [esp+40h+var_28]
		push	eax
		push	20h
		pop	edx
		lea	ecx, [esp+44h+var_18]
		call	_BgpGxRectangleCreate@12 ; BgpGxRectangleCreate(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_A79AB7
		push	dword ptr [ebx+1Ch]
		mov	ecx, [esp+40h+var_24]
		call	_BgpGxFillRectangle@8 ;	BgpGxFillRectangle(x,x)
		xor	eax, eax
		xor	esi, esi
		xor	edx, edx
		mov	[esp+3Ch+var_30], eax
		mov	[esp+3Ch+var_2C], esi
		mov	[esp+3Ch+var_20], edx
		test	edi, edi
		jz	short loc_A79A4A

loc_A799F2:				; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+1A6j
		push	0
		push	ecx
		lea	ecx, [esp+44h+var_18]
		push	ecx
		mov	ecx, [esp+48h+var_24]
		push	0
		push	esi
		push	eax
		mov	eax, [esp+54h+var_1C]
		movzx	eax, word ptr [eax+edx*2]
		lea	edx, [ebx+1Ch]
		push	eax
		call	BgpRasPrintGlyph
		mov	esi, eax
		cmp	esi, 80000005h
		jz	short loc_A79A4A
		test	esi, esi
		js	loc_A79AB7
		mov	eax, [esp+3Ch+var_30]
		add	eax, [esp+3Ch+var_18]
		mov	[esp+3Ch+var_30], eax
		cmp	eax, [esp+3Ch+var_28]
		ja	short loc_A79A4A
		mov	edx, [esp+3Ch+var_20]
		inc	edx
		mov	[esp+3Ch+var_20], edx
		cmp	edx, edi
		jnb	short loc_A79A4A
		mov	esi, [esp+3Ch+var_2C]
		jmp	short loc_A799F2
; 

loc_A79A4A:				; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+14Ej
					; BgpTxtDisplayString(x,x,x,x,x)+179j ...
		lea	eax, [esp+3Ch+var_30]
		mov	ecx, ebx
		push	eax
		lea	edx, [esp+40h+var_14]
		call	_TxtpJustifyRectangle@12 ; TxtpJustifyRectangle(x,x,x)
		mov	edx, [esp+3Ch+var_24]
		lea	eax, [esp+3Ch+var_1C]
		mov	ecx, [ebx+14h]
		and	[esp+3Ch+var_1C], 0
		push	eax
		lea	eax, [esp+40h+var_30]
		push	eax
		call	_BgpGxBlendRectangle@16	; BgpGxBlendRectangle(x,x,x,x)
		mov	edi, [esp+3Ch+var_1C]
		mov	esi, eax
		test	esi, esi
		js	short loc_A79AA6
		mov	ecx, ebx
		call	_BgpTxtClearRegion@4 ; BgpTxtClearRegion(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_A79AA6
		mov	eax, [ebx+4]
		lea	edx, [esp+3Ch+var_30]
		mov	[esp+3Ch+var_2C], eax
		mov	ecx, edi
		mov	eax, [ebx]
		add	[esp+3Ch+var_30], eax
		call	BgpGxDrawRectangle
		mov	esi, eax

loc_A79AA6:				; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+1DBj
					; BgpTxtDisplayString(x,x,x,x,x)+1E8j
		test	edi, edi
		jz	short loc_A79AB7
		test	byte ptr [edi+10h], 1
		jnz	short loc_A79AB7
		mov	ecx, edi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A79AB7:				; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+128j
					; BgpTxtDisplayString(x,x,x,x,x)+17Dj ...
		mov	eax, [esp+3Ch+var_24]
		test	eax, eax
		jz	short loc_A79ACC
		test	byte ptr [eax+10h], 1
		jnz	short loc_A79ACC
		mov	ecx, eax
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_A79ACC:				; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+5Bj
					; BgpTxtDisplayString(x,x,x,x,x)+6Aj ...
		mov	eax, esi
		jmp	short loc_A79AD5
; 

loc_A79AD0:				; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+40j
					; BgpTxtDisplayString(x,x,x,x,x)+4Aj
		mov	eax, 0C000000Dh

loc_A79AD5:				; CODE XREF: BgpTxtDisplayString(x,x,x,x,x)+22Cj
		mov	ecx, [esp+40h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_BgpTxtDisplayString@20	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TxtpJustifyRectangle(x, x, x)
_TxtpJustifyRectangle@12 proc near	; CODE XREF: BgpTxtDisplayCharacter+87DA9p
					; BgpTxtDisplayString(x,x,x,x,x)+1B3p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, edx
		and	dword ptr [esi+4], 0
		mov	edx, [ecx+30h]
		test	dl, 4
		jz	short loc_A79B06
		mov	eax, [ecx+34h]
		jmp	short loc_A79B19
; 

loc_A79B06:				; CODE XREF: TxtpJustifyRectangle(x,x,x)+16j
		mov	eax, [ecx+8]
		sub	eax, [edi]
		test	dl, 8
		jz	short loc_A79B17
		mov	[esi], eax
		sub	eax, [ecx+34h]
		jmp	short loc_A79B19
; 

loc_A79B17:				; CODE XREF: TxtpJustifyRectangle(x,x,x)+25j
		shr	eax, 1

loc_A79B19:				; CODE XREF: TxtpJustifyRectangle(x,x,x)+1Bj
					; TxtpJustifyRectangle(x,x,x)+2Cj
		pop	edi
		mov	[esi], eax
		pop	esi
		pop	ebp
		retn	4
_TxtpJustifyRectangle@12 endp

; 
		align 100h
PAGEBGFX	ends

; Section 17. (virtual address 00693000)
; Virtual size			: 00007C38 (  31800.)
; Section size in file		: 00001200 (   4608.)
; Offset to raw	data for section: 0062D600
; Flags	C0000040: Data Readable	Writable
; Alignment	: default
; 

; Segment type:	Pure data
; Segment permissions: Read/Write
PAGEDATA	segment	para public 'DATA' use32
		assume cs:PAGEDATA
		;org 0A93000h
OpcodeIndex	db 0			; DATA XREF: Ki386DispatchOpcode(x)+67r
					; OpcodeGenericPrefix+1Br ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    6
		db    7
		db    8
		db    9
		db    0
		db    0
		db    0
		db    0
		db  0Ah
		db  0Bh
		db  0Ch
		db  0Dh
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  13h
		db  0Eh
		db  0Fh
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  10h
		db  11h
		db  12h
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  13h
		db  13h
		db  13h
		db  13h
		db  13h
		db  13h
		db  13h
		db  13h
		db    0
		db    0
		db    0
		db    0
		db  14h
		db  15h
		db  16h
		db  17h
		db    0
		db    0
		db    0
		db    0
		db  18h
		db  19h
		db  1Ah
		db  1Bh
		db  1Ch
		db    0
		db  1Dh
		db  1Eh
		db  21h	; !
		db    0
		db    0
		db    0
		db    0
		db    0
		db  1Fh
		db  20h
		db    0
		db    0
		db    0
		db    0
OpcodeDispatch	dd offset OpcodeInvalid	; DATA XREF: Ki386DispatchOpcode(x)+89r
					; OpcodeGenericPrefix+2Br
		dd offset Opcode0F
		dd offset OpcodeESPrefix
		dd offset OpcodeCSPrefix
		dd offset OpcodeSSPrefix
		dd offset OpcodeDSPrefix
		dd offset OpcodeFSPrefix
		dd offset OpcodeGSPrefix
		dd offset OpcodeOPER32Prefix
		dd offset OpcodeADDR32Prefix
		dd offset OpcodeINSB
		dd offset OpcodeINSW
		dd offset OpcodeOUTSB
		dd offset OpcodeOUTSW
		dd offset OpcodeInvalid
		dd offset OpcodeInvalid
		dd offset OpcodeINTnn
		dd offset OpcodeINTO
		dd offset OpcodeInvalid
		dd offset OpcodeInvalid
		dd offset OpcodeINBimm
		dd offset OpcodeINWimm
		dd offset OpcodeOUTBimm
		dd offset OpcodeOUTWimm
		dd offset OpcodeINB
		dd offset OpcodeINW
		dd offset OpcodeOUTB
		dd offset OpcodeOUTW
		dd offset OpcodeLOCKPrefix
		dd offset OpcodeREPNEPrefix
		dd offset OpcodeREPPrefix
		dd offset OpcodeCLI
		dd offset OpcodeSTI
		dd offset OpcodeInvalid
		dd offset OpcodeInvalid
_ExVdmOpcodeDispatchCounts dd 0		; DATA XREF: Ki386DispatchOpcode(x)+74w
					; OpcodeGenericPrefix+23w ...
dword_A93190	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+11r
dword_A93194	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+1Cr
dword_A93198	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+27r
dword_A9319C	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+32r
dword_A931A0	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+3Dr
dword_A931A4	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+48r
dword_A931A8	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+53r
dword_A931AC	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+5Er
dword_A931B0	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+69r
dword_A931B4	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+74r
dword_A931B8	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+7Cr
dword_A931BC	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+84r
dword_A931C0	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+8Cr
dword_A931C4	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+94r
dword_A931C8	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+9Cr
dword_A931CC	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+A4r
dword_A931D0	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+ACr
dword_A931D4	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+B4r
		db    0
		db    0
		db    0
		db    0
dword_A931DC	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+BCr
dword_A931E0	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+C4r
dword_A931E4	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+CCr
dword_A931E8	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+D4r
dword_A931EC	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+DCr
dword_A931F0	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+E4r
dword_A931F4	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+ECr
dword_A931F8	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+F4r
dword_A931FC	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+FCr
dword_A93200	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+104r
dword_A93204	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+10Cr
dword_A93208	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+11Cr
dword_A9320C	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+124r
dword_A93210	dd 0			; DATA XREF: ExpGetInstemulInformation(x)+114r
_ExVdmSegmentNotPresent	dd 0		; DATA XREF: ExpGetInstemulInformation(x)+134r
					; Ki386VdmReflectException(x)+B0w ...
OpcodeDispatchV86 dd offset OpcodeInvalidV86 ; DATA XREF: Ki386DispatchOpcodeV86(x)+45r
					; OpcodeGenericPrefixV86+13r
		dd offset Opcode0FV86
		dd offset OpcodeESPrefixV86
		dd offset OpcodeCSPrefixV86
		dd offset OpcodeSSPrefixV86
		dd offset OpcodeDSPrefixV86
		dd offset OpcodeFSPrefixV86
		dd offset OpcodeGSPrefixV86
		dd offset OpcodeOPER32PrefixV86
		dd offset OpcodeADDR32PrefixV86
		dd offset OpcodeINSBV86
		dd offset OpcodeINSWV86
		dd offset OpcodeOUTSBV86
		dd offset OpcodeOUTSWV86
		dd offset OpcodePUSHFV86
		dd offset OpcodePOPFV86
		dd offset OpcodeINTnnV86
		dd offset OpcodeINTOV86
		dd offset OpcodeIRETV86
		dd offset OpcodeNPXV86
		dd offset OpcodeINBimmV86
		dd offset OpcodeINWimmV86
		dd offset OpcodeOUTBimmV86
		dd offset OpcodeOUTWimmV86
		dd offset OpcodeINBV86
		dd offset OpcodeINWV86
		dd offset OpcodeOUTBV86
		dd offset OpcodeOUTWV86
		dd offset OpcodeLOCKPrefixV86
		dd offset OpcodeREPNEPrefixV86
		dd offset OpcodeREPPrefixV86
		dd offset OpcodeCLIV86
		dd offset OpcodeSTIV86
		dd offset OpcodeHLTV86
off_A932A0	dd offset sub_A48DC0	; DATA XREF: VdmDecodeOperand+61r
		dd offset sub_A48DEF
		dd offset sub_A48E0C
		dd offset sub_A48E2C
off_A932B0	dd offset sub_A48E3B	; DATA XREF: sub_A48DC0+28r
					; sub_A48DEF+16r ...
		dd offset sub_A48E49
		dd offset sub_A48E57
		dd offset sub_A48E82
		dd offset sub_A48E7A
		dd offset sub_A48E4F
		dd offset sub_A48E88
		dd offset sub_A48E41
off_A932D0	dd offset sub_A48F71	; DATA XREF: VdmDecodeOperand:loc_A48F6Ar
		dd offset sub_A48F8F
		dd offset sub_A48FA0
		dd offset sub_A48FB1
RegTab		dd 40h			; DATA XREF: VdmOpcodeGetCrx+43r
					; VdmOpcodeSetCrx+3Dr ...
		db  3Ch	; <
		db    0
		db    0
		db    0
		db  38h	; 8
		db    0
		db    0
		db    0
		db  5Ch	; \
		db    0
		db    0
		db    0
		db  74h	; t
		db    0
		db    0
		db    0
		db  60h	; `
		db    0
		db    0
		db    0
		db  58h	; X
		db    0
		db    0
		db    0
		db  54h	; T
		db    0
		db    0
		db    0
_CmpSelfHeal	db 1			; DATA XREF: CmpValidateHiveSecurityDescriptors(x,x,x,x,x)+28Cr
					; CmpCheckRegistry2(x,x,x,x,x,x,x,x):loc_80A72Ar ...
_CmpForceSynchronousMachineHiveLoad db 0 ; DATA	XREF: CmpInitializeSystemHivesLoad+154r
					; CmCompleteRegistryInitialization+83r	...
_CmpShareSystemHives db	0		; DATA XREF: CmpInitializeSystemHivesLoad+11Br
					; CmpInitVirtualEngine()r ...
_CmpMiniNTBoot	db 0			; DATA XREF: CmpTransSilentIgnore()r
					; CmpInitCmRM+91r ...
_CmBootAcceptFirstTime db    1		; DATA XREF: CmpAcceptBoot+15o
		db    0
		db    0
		db    0
_CmpPuntBoot	db 0			; DATA XREF: CmEnumerateValueKey+89r
					; CmEnumerateValueKey:loc_80A222r ...
_CmpSpecialBootCondition db 0		; DATA XREF: CmpInitializeSystemHivesLoad:loc_884FADw
					; CmpFinishSystemHivesLoad(x)+548w ...
_CmpNoWrite	db 1			; DATA XREF: CmpDoFileFlush+Fr
					; CmpDoFlushAll(x)+6r ...
_FsRtlpVolumeStartupApplicationsComplete db 0 ;	DATA XREF: PfSnBeginTrace+1Fr
					; FsRtlAreVolumeStartupApplicationsComplete()r	...
_CmFirstTime	db 1			; DATA XREF: CmCompleteRegistryInitialization+1Eo
					; CmBootLastKnownGood(x,x,x,x)+5r ...
		align 10h
_CmpLoadHiveLockOwner dd 0		; DATA XREF: UNLOCK_HIVE_LOAD()+Cw
					; LOCK_HIVE_LOAD()+1Ew	...
_CmpWellKnownVolumeList	dd offset loc_A3F513+1
					; DATA XREF: CmpHandlePageFileOpenNotification+42r
					; CmpHandlePageFileOpenNotification+4Ao ...
		db    0
		db    0
		db    0
		db    0
		dd offset loc_A3F50B+1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_CmpConfigurationAreaSize dd 4000h	; DATA XREF: CmpInitializeRegistryNode+24Br
					; CmpInitializeRegistryNode+9B9AEw ...
_CmpLKGEnabled	dd 0			; DATA XREF: CmpAcceptBoot+34r
					; CmInitSystem1(x):loc_AC7E4Er	...
_CmpTraceTxrRoutine dd 0		; DATA XREF: CmpEtwDumpTxR+6r
					; CmpEtwGetHivePathr ...
_CmpTraceRoutine dd 0			; DATA XREF: CmpLinkHiveToMaster:loc_74C695r
					; NtDeleteKey+51r ...
_CmpAsyncKernelPostList	dd 0		; DATA XREF: CmpNotifyChangeKey+14Eo
					; CmpNotifyChangeKey+15Ao ...
dword_A93340	dd 0			; DATA XREF: CmpNotifyChangeKey:loc_7F46B5r
					; CmpNotifyChangeKey+165w ...
_CmpTrustedInstallerSid	dd 0		; DATA XREF: CmpCheckKeyOwnerForPca(x,x)+Br
					; CmpCheckKeyOwnerForPca(x,x)+39r ...
_CmRegistrySizeLimitType dd 0		; DATA XREF: CmpInitGlobalQuotaAllowed:loc_AEA504r
					; INIT:00AF4F78o
_CmRegistrySizeLimit dd	0		; DATA XREF: CmpInitGlobalQuotaAllowed+F4FBr
					; INIT:00AF4F70o
_CmRegistrySizeLimitLength dd 4		; DATA XREF: CmpInitGlobalQuotaAllowed+1Br
					; INIT:00AF4F74o
_CmpGlobalQuotaAllowed dd 7FFFFFFFh	; DATA XREF: CmpClaimGlobalQuota+Er
					; CmpSetGlobalQuotaAllowed()+5w ...
_CmpGlobalQuotaWarning dd 7FFFFFFFh	; DATA XREF: CmpClaimGlobalQuota+2Br
					; CmpUpdateGlobalQuotaAllowed+186EF1w ...
_CmpGlobalQuota	dd 7FFFFFFFh		; DATA XREF: CmpSetGlobalQuotaAllowed()r
					; CmpUpdateGlobalQuotaAllowed+186EDFw ...
_CmpCheckHiveIndex dd 7			; DATA XREF: PAGE:0088872Ar
					; PAGE:00888D75r
_FsRtlPagingIoResourceSelector dd 0	; DATA XREF: FsRtlAllocateResource()r
					; FsRtlAllocateResource()+15w
_FsRtlSafeExtensions db	1		; DATA XREF: RtlGenerate8dot3Name:loc_7BFBBFr
					; FsRtlInitSystem()+9Ew
_PpBootDDBInitialized db 0		; DATA XREF: PpCheckInDriverDatabase+20r
					; PpInitializeBootDDB:loc_AC5B77w
_PnpNotificationInProgress db 0		; DATA XREF: PnpUnregisterPlugPlayNotification+24r
					; PAGE:00763F02w ...
_PsContinueWaiting db 0			; DATA XREF: PsShutdownSystem()+130r
_TunnelMaxAge	dd 0Fh			; DATA XREF: FsRtlPruneTunnelCache(x,x)+28r
					; FsRtlInitializeTunnels+43o ...
_TunnelMaxEntries dd 100h		; DATA XREF: FsRtlDeleteKeyFromTunnelCache(x,x,x)+15r
					; PAGE:007AE085r ...
_FsRtlpRedirs	dd 0			; DATA XREF: FsRtlpRegisterUncProvider+8Bw
					; FsRtlDeregisterUncProvider(x)+2Ew
_pFsRtlpMupCalls dd 0			; DATA XREF: FsRtlRegisterMupCalls(x)+8o
					; FsRtlMupGetProviderIdFromName(x,x)+5r ...
unk_A9337C	db    0			; DATA XREF: IoGetConfigurationInformation()o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  28h	; (
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_A933A4	dd 0			; DATA XREF: IopBootLog+61r
					; IopCopyBootLogRegistryToFile+6Er ...
_IopUseCompletionOptimization db    1
		db    0
		db    0
		db    0
off_A933AC	dd offset _DEVPKEY_Device_GenericDriverInstalled
					; DATA XREF: PiDevCfgConfigurePropertyMatchCallback(x,x):loc_972E47r
off_A933B0	dd offset _DEVPKEY_Device_FriendlyName
					; DATA XREF: PiDevCfgResetDeviceDriverSettings(x,x,x,x,x)+57r
		dd offset _DEVPKEY_Device_DriverInfSectionExt
		dd offset _DEVPKEY_Device_DriverCoInstallers
		dd offset _DEVPKEY_Device_DriverPropPageProvider
		dd offset _DEVPKEY_Device_DriverLogoLevel
		dd offset _DEVPKEY_Device_GenericDriverInstalled
		dd offset _DEVPKEY_Device_AdditionalSoftwareRequested
		dd offset _DEVPKEY_Device_UserSelectedDriverInstalled
		dd offset _DEVPKEY_Device_PendingSoftwareInstall
		dd offset _DEVPKEY_Device_InvalidatedDrivers
		dd offset _DEVPKEY_Device_DmaRemappingPolicy
		dd offset _DEVPKEY_Device_UpperFilterCache
		dd offset loc_427ECF+1
		dd offset loc_427EF4+4
		dd offset _DEVPKEY_Device_LowerFilterCache
		dd offset _DEVPKEY_Device_LowerFilterLevels
		dd offset _DEVPKEY_Device_LowerFilterDefaultLevel
; void *off_A933F4
off_A933F4	dd offset _DEVPKEY_Device_FriendlyName
					; DATA XREF: PiDevCfgConfigurePropertyMatchCallback(x,x)+18r
					; PiDevCfgConfigurePropertyMatchCallback(x,x):loc_972E19r
		dd offset _DEVPKEY_Device_UINumber
		dd offset _DEVPKEY_Device_UpperFilters
		dd offset _DEVPKEY_Device_LowerFilters
		dd offset _DEVPKEY_Device_SecuritySDS
		dd offset _DEVPKEY_Device_DevType
		dd offset _DEVPKEY_Device_Exclusive
		dd offset _DEVPKEY_Device_Characteristics
		dd offset _DEVPKEY_Device_UINumberDescFormat
		dd offset _DEVPKEY_Device_RemovalPolicyOverride
off_A9341C	dd offset loc_4069E3+5	; DATA XREF: PiDevCfgInitDeviceContext(x,x,x):loc_976643r
		dd offset _DEVPKEY_Device_CompatibleIds
		dd offset _DEVPKEY_Device_LocationPaths
off_A93428	dd offset _DEVPKEY_Device_LowerFilters
					; DATA XREF: PpDevCfgProcessDeviceExtensions(x)+2EBr
					; PpDevCfgProcessDeviceExtensions(x)+382r
		dd offset _DEVPKEY_Device_UpperFilters
		dd offset _DEVPKEY_Device_DriverIncludedInfs
		dd offset _DEVPKEY_Device_DriverIncludedConfigs
_PiDevCfgMode	dd 3			; DATA XREF: PpDevCfgProcessDevices+Er
					; PiConfigureDevice(x):loc_96BE98r ...
_PiDevCfgFlags	dd 0			; DATA XREF: PiDevCfgProcessDeviceCallback+6C3AEr
					; PiDevCfgCheckDeviceNeedsUpdate(x,x)+5BCr ...
_PiDevCfgOptions dd 0			; DATA XREF: PiDevCfgConfigureDevice(x,x,x,x,x)+53Dr
					; PiDevCfgConfigureDevice(x,x,x,x,x)+872r ...
_PnpDeviceEventList dd 0		; DATA XREF: PAGE:00763DD3r
					; PAGE:loc_763DE9r ...
_PfSnAppLaunchScenarioTypePrefix dd offset ??_C@_1BE@MLPDMAIF@?$AAA?$AAp?$AAp?$AAL?$AAa?$AAu?$AAn?$AAc?$AAh@LBKOJDO@
_PfSnActivityScenarioTypePrefix	dd offset ??_C@_1BC@CJPNELAP@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAi?$AAt?$AAy@LBKOJDO@
_PopPowerRequestActiveAudioEnablesExecutionRequired dd 1
					; DATA XREF: PopPowerRequestNotifyAudioStateChanged:loc_901F40r
					; PopExecutionRequiredSettingCallback:loc_9377B6r ...
_PopPowerRequestConvertSystemToExecution dd 1
					; DATA XREF: PopPowerRequestIsExecutionRequiredStatusHeld(x)+7r
					; INIT:00AF4B08o
_PopExecutionRequiredTimeout dd	12Ch	; DATA XREF: PopPowerRequestNotifyAudioStateChanged+3Cr
					; PopExecutionRequiredSettingCallback+61w ...
_PopPowerAggregatorModernStandbyResourceMasks dd 1Ah
					; DATA XREF: PopPowerAggregatorScreenOffEnterStateHandler(x):loc_9B3E9Er
		db  1Fh
		db    0
		db    0
		db    0
		db  12h
		db    0
		db    0
		db    0
		db  17h
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
_PopPowerAggregatorIntentHandlers dd 0	; DATA XREF: PopPowerAggregatorHandleIntentUnsafe(x,x,x)+8Ar
		dd offset _PopPowerAggregatorHandleActiveIntent@12 ; PopPowerAggregatorHandleActiveIntent(x,x,x)
		dd offset _PopPowerAggregatorHandleModernStandbyIntent@12 ; PopPowerAggregatorHandleModernStandbyIntent(x,x,x)
		dd offset _PopPowerAggregatorHandleModernStandbyIntent@12 ; PopPowerAggregatorHandleModernStandbyIntent(x,x,x)
		dd offset _PopPowerAggregatorHandleDirectedDripsIntent@12 ; PopPowerAggregatorHandleDirectedDripsIntent(x,x,x)
		dd offset _PopPowerAggregatorHandleModernStandbySuspendIntent@12 ; PopPowerAggregatorHandleModernStandbySuspendIntent(x,x,x)
		dd offset _PopPowerAggregatorHandleModernStandbyResumeIntent@12	; PopPowerAggregatorHandleModernStandbyResumeIntent(x,x,x)
		dd offset _PopPowerAggregatorHandleSystemTransitionStartIntent@12 ; PopPowerAggregatorHandleSystemTransitionStartIntent(x,x,x)
		dd offset _PopPowerAggregatorHandleSystemTransitionEndIntent@12	; PopPowerAggregatorHandleSystemTransitionEndIntent(x,x,x)
_PopPowerAggregatorInternalStateContexts dd offset _NtCompleteConnectPort@4
					; DATA XREF: PopPowerAggregatorInvokeStateMachine(x)+4Cr
					; NtCompleteConnectPort(x)
		dd offset _PopPowerAggregatorActiveToScreenOffStateHandler@4 ; PopPowerAggregatorActiveToScreenOffStateHandler(x)
		dd offset _NtCompleteConnectPort@4 ; NtCompleteConnectPort(x)
		dd offset PopPowerAggregatorSystemTransitionEnterStateHandler
		dd offset _PopPowerAggregatorModernStandbyExitStateHandler@4 ; PopPowerAggregatorModernStandbyExitStateHandler(x)
		dd offset _PopPowerAggregatorModernStandbyEnterStateHandler@4 ;	PopPowerAggregatorModernStandbyEnterStateHandler(x)
		dd offset _PopPowerAggregatorModernStandbyExitStateHandler@4 ; PopPowerAggregatorModernStandbyExitStateHandler(x)
		dd offset _PopPowerAggregatorModernStandbyExitStateHandler@4 ; PopPowerAggregatorModernStandbyExitStateHandler(x)
		dd offset _PopPowerAggregatorDisplayPoweringOnStateHandler@4 ; PopPowerAggregatorDisplayPoweringOnStateHandler(x)
		dd offset _PopPowerAggregatorInvalidStateHandler@4 ; PopPowerAggregatorInvalidStateHandler(x)
		dd offset _PopPowerAggregatorDisplayPoweringOnStateHandler@4 ; PopPowerAggregatorDisplayPoweringOnStateHandler(x)
		dd offset PopPowerAggregatorSystemTransitionEnterStateHandler
		dd offset _PopPowerAggregatorScreenOffActiveToActiveStateHandler@4 ; PopPowerAggregatorScreenOffActiveToActiveStateHandler(x)
		dd offset _PopPowerAggregatorScreenOffEnterStateHandler@4 ; PopPowerAggregatorScreenOffEnterStateHandler(x)
		dd offset _PopPowerAggregatorScreenOffActiveToActiveStateHandler@4 ; PopPowerAggregatorScreenOffActiveToActiveStateHandler(x)
		dd offset PopPowerAggregatorSystemTransitionEnterStateHandler
		dd offset _PopPowerAggregatorScreenOffExitStateHandler@4 ; PopPowerAggregatorScreenOffExitStateHandler(x)
		dd offset _PopPowerAggregatorScreenOffEnterStateHandler@4 ; PopPowerAggregatorScreenOffEnterStateHandler(x)
		dd offset _PopPowerAggregatorScreenOffExitStateHandler@4 ; PopPowerAggregatorScreenOffExitStateHandler(x)
		dd offset _PopPowerAggregatorScreenOffExitStateHandler@4 ; PopPowerAggregatorScreenOffExitStateHandler(x)
		dd offset _PopPowerAggregatorSystemTransitionExitStateHandler@4	; PopPowerAggregatorSystemTransitionExitStateHandler(x)
		dd offset _PopPowerAggregatorSystemTransitionExitStateHandler@4	; PopPowerAggregatorSystemTransitionExitStateHandler(x)
		dd offset _PopPowerAggregatorInvalidStateHandler@4 ; PopPowerAggregatorInvalidStateHandler(x)
		dd offset PopPowerAggregatorSystemTransitionEnterStateHandler
_PopPowerEventTable db	  0		; DATA XREF: PopDiagTracePowerStateEventRundown+E601Bo
					; PopGetPowerEventFromId(x)+6o
		db    0
		db    0
		db    0
		dd offset loc_4286BB+5
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    1
		db    0
		db    0
		db    0
		dd offset aUnknown	; "Unknown"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		dd offset loc_4286CF+1
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    3
		db    0
		db    0
		db    0
		dd offset aSleepbutton	; "SleepButton"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset aLid		; "Lid"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    5
		db    0
		db    0
		db    0
		dd offset aAcdcburst	; "AcDcBurst"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopDisplayBurstEventHandler@8 ; PopDisplayBurstEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    6
		db    0
		db    0
		db    0
		dd offset aRemoteconnecti ; "RemoteConnection"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    7
		db    0
		db    0
		db    0
		dd offset aUserdisplaybur ; "UserDisplayBurst"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopDisplayBurstEventHandler@8 ; PopDisplayBurstEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset aScmonitorpower ; "ScMonitorPower"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    9
		db    0
		db    0
		db    0
		dd offset aPosetsystemsta ; "PoSetSystemState"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Ah
		db    0
		db    0
		db    0
		dd offset aSetthreadexecu ; "SetThreadExecutionState"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Bh
		db    0
		db    0
		db    0
		dd offset aFullwake	; "FullWake"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Ch
		db    0
		db    0
		db    0
		dd offset aSessionunlock ; "SessionUnlock"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Dh
		db    0
		db    0
		db    0
		dd offset aScreenoffreque ; "ScreenOffRequest"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Eh
		db    0
		db    0
		db    0
		dd offset aScreenofftimeo ; "ScreenOffTimeout"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopSystemIdleEventHandler@8 ; PopSystemIdleEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  0Fh
		db    0
		db    0
		db    0
		dd offset aPolicychange	; "PolicyChange"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset aBatterycountch ; "BatteryCountChange"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopDisplayBurstEventHandler@8 ; PopDisplayBurstEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  11h
		db    0
		db    0
		db    0
		dd offset aScreenoffgrace ; "ScreenOffGracePeriod"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  12h
		db    0
		db    0
		db    0
		dd offset aScreenofftherm ; "ScreenOffThermal"
		db    2
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  13h
		db    0
		db    0
		db    0
		dd offset aDynamicpartiti ; "DynamicPartitioning"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  14h
		db    0
		db    0
		db    0
		dd offset aSxtransition	; "SxTransition"
		db    2
		db    0
		db    0
		db    0
		dd offset _PopSxTransitionEventHandler@8 ; PopSxTransitionEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  15h
		db    0
		db    0
		db    0
		dd offset aSystemidle	; "SystemIdle"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopSystemIdleEventHandler@8 ; PopSystemIdleEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  16h
		db    0
		db    0
		db    0
		dd offset aProximity	; "Proximity"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  17h
		db    0
		db    0
		db    0
		dd offset aResumes4	; "ResumeS4"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  18h
		db    0
		db    0
		db    0
		dd offset aTerminal	; "Terminal"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  19h
		db    0
		db    0
		db    0
		dd offset aWinrt	; "WinRT"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  1Ah
		db    0
		db    0
		db    0
		dd offset aUserinput	; "UserInput"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  1Bh
		db    0
		db    0
		db    0
		dd offset aInputkeyboard ; "InputKeyboard"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  1Ch
		db    0
		db    0
		db    0
		dd offset aInputmouse	; "InputMouse"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  1Dh
		db    0
		db    0
		db    0
		dd offset aInputtouch	; "InputTouch"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  1Eh
		db    0
		db    0
		db    0
		dd offset aInputpen	; "InputPen"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  1Fh
		db    0
		db    0
		db    0
		dd offset aInputaccelerom ; "InputAccelerometer"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  20h
		db    0
		db    0
		db    0
		dd offset aInputhid	; "InputHid"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  21h	; !
		db    0
		db    0
		db    0
		dd offset aInputpouserpre ; "InputPoUserPresent"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  22h	; "
		db    0
		db    0
		db    0
		dd offset aInputsessionsw ; "InputSessionSwitch"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  23h	; #
		db    0
		db    0
		db    0
		dd offset aInputinitializ ; "InputInitialization"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  24h	; $
		db    0
		db    0
		db    0
		dd offset aSignal	; "Signal"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  25h	; %
		db    0
		db    0
		db    0
		dd offset aSignalpwrnotif ; "SignalPwrNotif"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  26h	; &
		db    0
		db    0
		db    0
		dd offset aSignalmobilesh ; "SignalMobileShell"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  27h	; '
		db    0
		db    0
		db    0
		dd offset aSignalheycorta ; "SignalHeyCortana"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  28h	; (
		db    0
		db    0
		db    0
		dd offset aSignalholograp ; "SignalHolographicShell"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  29h	; )
		db    0
		db    0
		db    0
		dd offset aSignalfingerpr ; "SignalFingerprint"
		db    1
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  2Ah	; *
		db    0
		db    0
		db    0
		dd offset aDirecteddrips ; "DirectedDrips"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopDirectedDripsEventHandler@8 ; PopDirectedDripsEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  2Bh	; +
		db    0
		db    0
		db    0
		dd offset aAcdcdisplaybur ; "AcDcDisplayBurstSuppressed"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  2Ch	; ,
		db    0
		db    0
		db    0
		dd offset aBuiltinpanel	; "BuiltinPanel"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  2Dh	; -
		db    0
		db    0
		db    0
		dd offset aBatteryprecrit ; "BatteryPreCritical"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  2Eh	; .
		db    0
		db    0
		db    0
		dd offset aBatterycount_1 ; "BatteryCountChangeSuppressed"
		db    0
		db    0
		db    0
		db    0
		dd offset _PopGenericEventHandler@8 ; PopGenericEventHandler(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  2Fh	; /
		db    0
		db    0
		db    0
		dd offset aSleepexit	; "SleepExit"
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_PopAdpmLockThread dd 0			; DATA XREF: PopReleaseAdaptiveLock+1Bw
					; PopAcquireAdaptiveLock+4Cw
_AUDIO_STATS_ID:			; DATA XREF: PopAvlFindOrMakeStatsForScenarioType+4Ao
		unicode	0, <Audio>,0
dword_A93B08	dd 0			; DATA XREF: PopDirectedDripsDiagNotifySessionStop(x,x,x)+7Ar
					; PopDirectedDripsDiagNotifySessionStop(x,x,x)+8Eo ...
		dd offset loc_424EC2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_MOBILE_HOTSPOT_STATS_ID:		; DATA XREF: PopAvlFindOrMakeStatsForScenarioType+A987Do
		unicode	0, <Mobile Hotspot>,0
; Exported entry 1491. NlsMbCodePageTag
		public _NlsMbCodePageTag
_NlsMbCodePageTag db 0			; DATA XREF: ExpSystemErrorHandler(x,x,x,x,x)+1E6r
					; RtlMultiByteToUnicodeN+1Cr ...
_NlsActiveCodePageIsUTF8 db 1		; DATA XREF: RtlpIsUtf8Process+39r
					; RtlResetRtlTranslations+9Ew ...
_UNIDENTIFIED_DRIVER:			; DATA XREF: PopAvlGetPowerRequestKey(x,x):loc_84227Ao
		unicode	0, <Unidentified Driver>,0
_UNIDENTIFIED_PROCESS:			; DATA XREF: PopAvlGetPowerRequestKey(x,x):loc_8422B5o
		unicode	0, <Unidentified Process>,0
_NlsOemCodePageIsUTF8 db 1		; DATA XREF: RtlpIsUtf8Process:loc_74884Dr
					; RtlResetRtlTranslations+E0w ...
; Exported entry 1492. NlsMbOemCodePageTag
		public _NlsMbOemCodePageTag
_NlsMbOemCodePageTag db	0		; DATA XREF: RtlIsNameLegalDOS8Dot3:loc_747DEDr
					; RtlUpcaseUnicodeToOemN+20r ...
_PspNativeSystemDllData	db    0		; DATA XREF: PAGEDATA:_PspSystemDllso
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  13h
		db    0
		db    0
		db    0
		db  3Ch	; <
		db    0
		db  3Eh	; >
		db    0
		dd offset ??_C@_1DO@PDFEEOKF@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@LBKOJDO@
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_1BE@GJOFHIHD@?$AAn?$AAt?$AAd?$AAl?$AAl?$AA?4?$AAd?$AAl?$AAl@LBKOJDO@
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_A93BC8	dd 0			; DATA XREF: TtmInit+58o
					; TtmiLogCalloutStart(x,x,x,x,x)+15r ...
		dd offset loc_424FA5+2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_TtmpBreakOnError db 0			; DATA XREF: TtmiLogError(x,x,x,x)+1Cr
		align 4
dword_A93BF4	dd 0			; DATA XREF: TtmiLogError(x,x,x,x)+34r
dword_A93BF8	dd 0			; DATA XREF: TtmiLogError(x,x,x,x):loc_9C5458r
dword_A93BFC	dd 0			; DATA XREF: TtmiLogError(x,x,x,x):loc_9C5465r
dword_A93C00	dd 0			; DATA XREF: TtmInit+65o
					; TtmiLogCalloutStop(x,x,x,x,x,x,x,x):loc_9C4262r ...
		dd offset loc_424F62+2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_PspMinimumWorkingSet dd 14h		; DATA XREF: MmCreateProcessAddressSpace+12r
					; sub_759647+179BA3r ...
_PspMaximumWorkingSet dd 2Dh		; DATA XREF: PsGetDefaultWsMaximum()r
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+FD7r ...
_PspSystemDlls	dd offset _PspNativeSystemDllData
					; DATA XREF: PspPrepareSystemDllInitBlock+6Er
					; PsMapSystemDlls:loc_761803r ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
; size_t PspMemoryReserveObjectSizes
_PspMemoryReserveObjectSizes dd	34h	; DATA XREF: NtAllocateReserveObject+52r
					; NtAllocateReserveObject+7Dr ...
		db  2Ch	; ,
		db    0
		db    0
		db    0
_PspSystemThreadAssignment dd 0		; DATA XREF: PsCreateSystemThreadEx+F3w
_PspAffinityUpdateLock dd 0		; DATA XREF: PspSetProcessAffinityUpdateMode(x,x)+B8o
					; PsUpdateActiveProcessAffinity()+14o ...
_PspEnforcementSequenceNumber dd 0	; DATA XREF: PspRemoveProcessFromJobChain+1A9r
					; PspEnforceLimits+28w	...
_PspNoWakeChargeReferencedProcess dd 0	; DATA XREF: PspEnforceLimits:loc_757E9Ar
					; PspEnforceLimits+17AE66r ...
_PspJobAssignmentLock dd 0		; DATA XREF: PspUnlockJobAssignment(x)+9o
					; PspLockJobAssignment(x)+Eo ...
_PspJobListLock	dd 0			; DATA XREF: PspGetNextJob(x)+1Co
					; PspGetNextJob(x)+55o	...
_PspJobList	dd 0			; DATA XREF: PspGetNextJob(x):loc_757EDDo
					; PspGetNextJob(x):loc_757F44r	...
dword_A93C6C	dd 0			; DATA XREF: NtCreateJobObject+15Br
					; NtCreateJobObject+175w ...
_PspUniqueJobIdTable dd	0		; DATA XREF: .text:0051176Br
					; .text:0051177Cr ...
_PspProcessNodeAssignment dd 0FFFFFFFFh	; DATA XREF: PspSelectNodeForProcess()+Cw
					; PspSelectNodeForProcess()+88o
_PspLegoNotifyRoutine dd 0		; DATA XREF: PspExitThread:loc_8D97B0r
					; PsSetLegoNotifyRoutine(x)+8w
_PspRundownProcessCache	dd 0		; DATA XREF: PspProcessRundownWorkerSingle(x):loc_847E9Er
					; PspProcessRundownWorkerSingle(x)+1Fo	...
_PspRundownNeededCount dd 0		; DATA XREF: PspRundownProcess+B36B5w
					; PspProcessRundownWorker(x)+Ao
_PspRundownNeededCountCache dd 0	; DATA XREF: PspProcessRundownWorkerSingle(x)+Ao
					; PspRundownProcess+3Aw
_Nls844UnicodeLowercaseTable dd	0	; DATA XREF: NLS_DOWNCASE+Fr
					; RtlResetRtlTranslations+125w
_Nls844UnicodeUpcaseTable dd 0		; DATA XREF: UpcaseUnicodeToSingleByteNHelper:loc_433C8Cr
					; NLS_UPCASE(x)+Fr ...
_NlsUnicodeToAnsiData dd 0		; DATA XREF: RtlUnicodeToMultiByteN:loc_7485EAr
					; RtlUpcaseUnicodeToMultiByteN+32r ...
_OemDefaultChar	dw 3Fh			; DATA XREF: RtlpDidUnicodeToOemWork+35r
					; RtlResetRtlTranslations+F8w ...
_EtwpRegTracingEnabled db 0		; DATA XREF: EtwpRegTraceEnableCallback(x,x,x,x,x,x,x,x,x)+3Er
					; EtwpRegTraceEnableCallback(x,x,x,x,x,x,x,x,x)+71w ...
_ExpUuidCacheValid db 0			; DATA XREF: NtAllocateUuids+107r
					; ExUuidCreate+39r ...
_NlsOemToUnicodeData dd	0		; DATA XREF: RtlUpcaseUnicodeToOemN+2Cr
					; RtlOemToUnicodeN:loc_86D55Dr	...
_NlsAnsiToUnicodeData dd 0		; DATA XREF: UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x):loc_660489r
					; RtlMultiByteToUnicodeN:loc_74810Er ...
; Exported entry 1489. NlsAnsiCodePage
		public _NlsAnsiCodePage
_NlsAnsiCodePage dw 0FDE9h		; DATA XREF: RtlGetDefaultCodePage(x,x)+8r
					; RtlResetRtlTranslations+30w ...
_ExpUuidSequenceNumberNotSaved db 0	; DATA XREF: ExpUuidSaveSequenceNumberIf()+5r
					; ExpUuidSaveSequenceNumberIf()+19w ...
_ExpUuidSequenceNumberValid db 0	; DATA XREF: ExpAllocateUuids+Fr
					; ExpAllocateUuids+FDw
_NlsUnicodeToMbAnsiData	dd 0		; DATA XREF: UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x)+1Er
					; RtlResetRtlTranslations+89w ...
_NlsMbOemCodePageTables	dd 0		; DATA XREF: RtlResetRtlTranslations+CDw
					; RtlOemToUnicodeN+9E3B9r ...
_NlsMbAnsiCodePageTables dd 0		; DATA XREF: UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x)+4Cr
					; RtlResetRtlTranslations+69w ...
_NlsUnicodeToOemData dd	0		; DATA XREF: RtlUpcaseUnicodeToOemN+32r
					; RtlUnicodeToOemN:loc_748F2Fr	...
_OemTransUniDefaultChar	dw 0FFFDh	; DATA XREF: RtlResetRtlTranslations+104w
					; RtlpDidUnicodeToOemWork+185CC9r ...
		align 4
; Exported entry 1493. NlsOemCodePage
		public _NlsOemCodePage
_NlsOemCodePage	dw 0FDE9h		; DATA XREF: RtlGetDefaultCodePage(x,x)+14r
					; RtlResetRtlTranslations+91w ...
		align 4
_NlsUnicodeToMbOemData dd 0		; DATA XREF: RtlResetRtlTranslations+11Fw
					; RtlUnicodeToOemN+18541Er ...
_SeTokenLeakTracking dd	0		; DATA XREF: SepCreateTokenEx+3D5r
					; SepCreateTokenEx+6DDr ...
_SeTokenDoesNotTrackSessionObject dd 0	; DATA XREF: SepSetTokenSessionById(x,x,x,x,x)+19r
					; SeSetSessionIdToken+19r ...
_SepAllowSessionImpersonationCap dd 0	; DATA XREF: SepIsImpersonationAllowedDueToCapability:loc_9192A9r
					; INIT:00AF6488o
_SepAllowAllApplicationAceRemoval dd 0	; DATA XREF: SepCheckForCriticalAceRemoval(x,x,x,x,x):loc_4343ACr
					; INIT:00AF6410o
_SepProcessAccessesToAudit dd 0		; DATA XREF: SepInitProcessAuditSd:loc_56EE3Ar
					; SepInitProcessAuditSd+86B86r	...
_g_SepSidMapping dd offset _SepSidMapping ; DATA XREF: SepInitializeSharedSidMap()r
					; SepDeReferenceSharedSidEntries(x,x)+1Er ...
_GenericMappingForMembershipCheck db	0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db    2
		db    0
		db    0
		db    0
		db  1Fh
		db    0
_SepFilterPrivileges dd	offset _SepFilterPrivilegesShort
					; DATA XREF: SepFilterPrivilegeAudits+8r
					; SepAdtInitializePrivilegeAuditing():loc_8A3842w
; Exported entry 2521. SeTokenObjectType
		public _SeTokenObjectType
_SeTokenObjectType dd 0			; DATA XREF: RtlCheckTokenMembershipEx(x,x,x,x)+22Br
					; SepCreateTokenEx+4CEr ...
_SeLpacCapabilitySids dd offset	_SeLpacAppExperienceCapabilitySid
					; DATA XREF: SepIsLpacCapabilitySid(x):loc_7D776Er
		dd offset _SeLpacComCapabilitySid
		dd offset _SeLpacCryptoServicesCapabilitySid
		dd offset _SeLpacIdentityServicesCapabilitySid
		dd offset _SeLpacInstrumentationCapabilitySid
		dd offset _SeLpacEnterprisePolicyChangeNotificationsCapabilitySid
		dd offset _SeLpacMediaCapabilitySid
		dd offset _SeLpacPnpNotificationsCapabilitySid
		dd offset _SeRegistryReadCapabilitySid
		dd offset _SeLpacServicesManagementCapabilitySid
		dd offset _SeLpacSessionManagementCapabilitySid
		dd offset _SeLpacPrintingCapabilitySid
		dd offset _SeLpacWebPlatformCapabilitySid
		dd offset _SeLpacPaymentsCapabilitySid
		dd offset _SeLpacClipboardCapabilitySid
		dd offset _SeLpacImeCapabilitySid
		dd offset _SeLpacPackageManagerOperationCapabilitySid
		dd offset _SeLpacDeviceAccessCapabilitySid
_SeFileSystemNotifyRoutinesHead	dd 0	; DATA XREF: SepNotifyFileSystems+20r
					; SeRegisterLogonSessionTerminatedRoutine(x)+4Br ...
		align 10h
_SeFileSystemNotifyRoutinesExHead dd 0	; DATA XREF: SepNotifyFileSystems:loc_870643r
					; SeRegisterLogonSessionTerminatedRoutineEx(x,x)+3Dr ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_SeLuidToIndexMapping dd offset	_SeLuidToIndexMappingData
					; DATA XREF: SepCleanupMarkedForDeletionEntries()+5r
					; SepCleanupMarkedForDeletionEntries()+43r ...
_SepAdtRegNotifyHandle dd 0		; DATA XREF: SepAdtRegNotificationCallback(x)+27r
					; SepAdtInitializeBounds()+12r	...
_CapePredicate	db  12h			; DATA XREF: SepReadAndPopulateCapes+8CD37o
					; SepReadAndPopulateCapes+8CF74o
		db    0
		db  14h
		db    0
		dd offset aAppliesto	; "AppliesTo"
_CapeSD		db    4			; DATA XREF: SepReadAndPopulateCapes+8CD70o
					; SepReadAndPopulateCapes+8CFDBo
		db    0
		db    6
		db    0
		dd offset aSd		; "SD"
_CapeStagedSD	db  10h			; DATA XREF: SepReadAndPopulateCapes+8CDAFo
					; SepReadAndPopulateCapes+8D055o
		db    0
		db  12h
		db    0
		dd offset aStagedsd	; "StagedSD"
_CapeFlags	db  0Ah			; DATA XREF: SepReadAndPopulateCapes+8CECEo
					; SepReadSingleCap(x,x,x,x,x)+EDo
		db    0
		db  0Ch
		db    0
		dd offset aFlags	; "Flags"
_CapeName	db    8			; DATA XREF: SepReadAndPopulateCapes+8CCFAo
					; SepReadAndPopulateCapes+8CF08o ...
		db    0
		db  0Ah
		db    0
		dd offset aName		; "Name"
_SepRmCapTable	dd 0			; DATA XREF: SepRmReferenceCapTable()+1Er
					; SepRmCapUpdateWrkr+4Dr ...
_DefaultCapeName dd 180016h		; DATA XREF: SepBuildDefaultCape(x)+1Cr
off_A93D84	dd offset aDefaultcape	; DATA XREF: SepBuildDefaultCape(x)+29r
					; "DefaultCape"
_ContainedCapes	db  0Ah			; DATA XREF: SepReadSingleCap(x,x,x,x,x)+43o
					; SepReadSingleCap(x,x,x,x,x)+1CEo
		db    0
		db  0Ch
		db    0
		dd offset aCapes	; "CAPEs"
_CapSid		db  0Ah			; DATA XREF: SepReadSingleCap(x,x,x,x,x)+A3o
					; SepReadSingleCap(x,x,x,x,x)+18Do
		db    0
		db  0Ch
		db    0
		dd offset aCapid	; "CAPID"
_DefaultCapName	dd 160014h		; DATA XREF: SepBuildDefaultCap+41r
off_A93D9C	dd offset aDefaultcap	; DATA XREF: SepBuildDefaultCap+49r
					; "DefaultCap"
_SepRmDefaultCap dd 0			; DATA XREF: SeComputeCreatorDeniedRights(x,x,x,x)+CDr
					; SeAccessCheckWithHintWithAdminlessChecks+CF3D0r ...
; size_t WmipSMBiosTableLength
_WmipSMBiosTableLength dd 0		; DATA XREF: WmipGetSMBiosTableData:loc_7BF58Br
					; WmipGetSMBiosTableData:loc_7BF59Ar ...
_WmipSMBiosVersionInfo dd 0		; DATA XREF: WmipGetSMBiosTableData:loc_7BF5CFr
					; WmipGetSMBiosFromLoaderBlock(x)+45w ...
_EtwpFileSystemReady dd	0		; DATA XREF: EtwpEnableKernelTrace:loc_7E37A1r
					; EtwpLogger(x):loc_7F2A90r ...
_WmipSMBiosTablePhysicalAddress	dd 0	; DATA XREF: WmipGetSMBiosTableData:loc_7BF5D8r
					; PopUpdateSmbiosData(x,x,x,x,x)+9r ...
dword_A93DB4	dd 0			; DATA XREF: WmipGetSMBiosTableData+92r
					; PopUpdateSmbiosData(x,x,x,x,x)+35r ...
_EtwpMaxPmcCounter dd 8			; DATA XREF: NtTraceControl(x,x,x,x,x,x)+84Er
					; EtwpAllocatePmcData(x)+3Er ...
_EtwpMaxProfilingSources dd 8		; DATA XREF: EtwpSetPmcProfileSource(x,x)+1Dr
					; EtwSetPerformanceTraceInformation(x,x,x)+A44r ...
_EtwpSpinLockCountersCount dd 0		; DATA XREF: EtwDereferenceSpinLockCounters()+16w
					; EtwReferenceSpinLockCounters()+16r ...
; void *EtwpRTBacklogFileRoot
_EtwpRTBacklogFileRoot dd offset aSystemrootSyst
					; DATA XREF: EtwpRealtimeCreateLogfile:loc_7F285Cr
					; EtwpReadConfigParameters:loc_AD9E4Aw
					; "%SystemRoot%\\system32\\Logfiles\\WMI\\RtBa"...
_EtwpMaxNonPagedPoolUsage dd 0Ah	; DATA XREF: EtwpGetSystemMaximumBufferCount(x)+28r
					; EtwpGetSystemMaximumBufferCount(x)+34r ...
_ExpPlatformBinaryTableInformation dd 0	; DATA XREF: ExNotifyPlatformBinaryExecuted+22r
					; ExNotifyPlatformBinaryExecuted+2Bw ...
_EtwpRegTraceHandle dd 0		; DATA XREF: CmpTraceHiveFlushWrotePrimaryFile+30r
					; CmpTraceHiveUnloadStart+26r ...
dword_A93DD4	dd 0			; DATA XREF: CmpTraceHiveFlushWrotePrimaryFile+2Ar
					; CmpTraceHiveUnloadStart+32r ...
_EtwpRegTraceCookie dd 0		; DATA XREF: EtwpRegTraceCallback(x,x,x)+170o
					; EtwpRegTraceEnableCallback(x,x,x,x,x,x,x,x,x)+55o ...
dword_A93DDC	dd 0			; DATA XREF: EtwpRegTraceEnableCallback(x,x,x,x,x,x,x,x,x)+82r
_EtwpRegTraceOptions dd	0		; DATA XREF: EtwpRegTraceCallback(x,x,x)+DCr
					; EtwpRegTraceCallback(x,x,x):loc_9F6613r ...
dword_A93DE4	dd 0			; DATA XREF: EtwpRegTraceEnableCallback(x,x,x,x,x,x,x,x,x)+25w
_ExpConDrvLoadLock dd 0			; DATA XREF: PAGE:007B4543o
					; ExpInitSystemPhase0()+A8w
_ExpFullProcessInfoInit	db    0		; DATA XREF: ExCheckFullProcessInformationAccess+20o
		db    0
		db    0
		db    0
_ExpBootEntropyInit db	  0		; DATA XREF: ExQueryBootEntropyInformation(x)+15o
		db    0
		db    0
		db    0
_ExpPlatformBinaryLock dd 0		; DATA XREF: ExNotifyPlatformBinaryExecuted+14o
					; ExpGetSystemPlatformBinary+76o ...
_NlsTableVersion dd 0			; DATA XREF: ExpGetGlobalLocaleSection+1E4w
_NlsLocaleSectionPointer dd 0		; DATA XREF: ExpGetGlobalLocaleSection+25r
					; ExpGetGlobalLocaleSection+1CBr ...
_NlsSectionLock	dd 0			; DATA XREF: ExpGetGlobalLocaleSection+1C1o
					; ExpGetGlobalLocaleSection+1F7o ...
_ExpUuidTimeSequenceNumber dd 0		; DATA XREF: ExpAllocateUuids+63r
					; ExpAllocateUuids:loc_8F7D92r	...
_ExpUuidLastTimeAllocated dd 0		; DATA XREF: ExpAllocateUuids+36r
					; ExpAllocateUuids+C0w	...
dword_A93E0C	dd 0			; DATA XREF: ExpAllocateUuids+41r
					; ExpAllocateUuids+C7w	...
_ExpUuidCachedValues dd	0		; DATA XREF: ExUuidCreate+1Dr
					; ExUuidCreate+52r ...
dword_A93E14	dd 0			; DATA XREF: ExUuidCreate+28r
					; ExUuidCreate+5Ar ...
dword_A93E18	dd 0FFFFFFFFh		; DATA XREF: ExUuidCreate+46w
dword_A93E1C	dd 6E800000h		; DATA XREF: ExUuidCreate+23r
					; NtAllocateUuids+154r	...
dword_A93E20	dd 63696E6Fh		; DATA XREF: ExUuidCreate+31r
					; NtAllocateUuids+15Br	...
		align 8
_ExpUuidSequenceNumber dd 0		; DATA XREF: ExpAllocateUuids+D0r
					; ExpAllocateUuids+F0r	...
_ExpPcwEnableState dd 0			; DATA XREF: ExpPcwDisabledStatus()+8r
					; ExpPcwDisabledStatus()+7Bw
_ExpPcwExtensionHost dd	0		; DATA XREF: PcwCloseInstance(x)+5r
					; PcwCloseInstance(x)+1Ar ...
_ExpWnfProcessesListHead dd offset _ExpWnfProcessesListHead
					; DATA XREF: ExpWnfCreateProcessContext+9Fo
					; PAGEDATA:_ExpWnfProcessesListHeado ...
off_A93E38	dd offset _ExpWnfProcessesListHead
					; DATA XREF: ExpWnfCreateProcessContext:loc_7CEF9Cr
					; ExpWnfCreateProcessContext+AFw
_WheaRegPolicyTableChanged db 0		; DATA XREF: PAGE:loc_A12930r
					; PAGE:00A12947w ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_A93E4C	dd 0			; DATA XREF: sub_787DE0+7E0r
					; SPCallServerHandleWaitForDisplayWindow:loc_853579w
_g_kernelCallbacks db	 0		; DATA XREF: ClipInitHandles()+8o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_A93E5C	dd 0			; DATA XREF: sub_A18362:loc_A184F3r
dword_A93E60	dd 0			; DATA XREF: sub_A19A09+171r
dword_A93E64	dd 0			; DATA XREF: sub_A19E9C+171r
dword_A93E68	dd 0			; DATA XREF: sub_A14D17+BDr
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_A93E84	dd 0			; DATA XREF: SPCallServerHandleIsAppLicensed+3B2r
					; ExpGenuinePolicyPostProcess(x,x,x,x,x,x)+DDr	...
dword_A93E88	dd 0			; DATA XREF: sub_A17A38:loc_A17EAFr
dword_A93E8C	dd 0			; DATA XREF: SPCallServerHandleGetAppPolicyValue:loc_7835C0r
					; SLQueryLicenseValueInternal+1BEr ...
dword_A93E90	dd 0			; DATA XREF: sub_A19468+29Fr
dword_A93E94	dd 0			; DATA XREF: sub_69349C:loc_6936ACr
dword_A93E98	dd 0			; DATA XREF: sub_A1650D+308r
dword_A93E9C	dd 0			; DATA XREF: sub_A1506F+1D0r
dword_A93EA0	dd 0			; DATA XREF: SPCallServerHandleClepKdf+24Cr
					; sub_A139D9+27Fr
dword_A93EA4	dd 0			; DATA XREF: ExpGenuinePolicyPostProcess(x,x,x,x,x,x):loc_A067EEr
dword_A93EA8	dd 0			; DATA XREF: PAGE:007A2DA6r
dword_A93EAC	dd 0			; DATA XREF: sub_A155DC:loc_A1588Ar
dword_A93EB0	dd 0			; DATA XREF: sub_A15D28:loc_A1606Fr
dword_A93EB4	dd 0			; DATA XREF: sub_A18CA8+55Fr
dword_A93EB8	dd 0			; DATA XREF: sub_A1A21B+2EBr
dword_A93EBC	dd 0			; DATA XREF: sub_A14998+171r
		db    0
		db    0
		db    0
		db    0
dword_A93EC4	dd 0			; DATA XREF: sub_693B86:loc_693D1Fr
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_A93ED4	dd 0			; DATA XREF: sub_785212+1E2Dr
dword_A93ED8	dd 0			; DATA XREF: sub_A13F62:loc_A140F3r
dword_A93EDC	dd 0			; DATA XREF: sub_A139D9+29Cr
dword_A93EE0	dd 0			; DATA XREF: ClipInitHandles()+Fw
					; SPCallServerHandleUpdatePolicies+1CBr
dword_A93EE4	dd 0			; DATA XREF: ClipInitHandles()+19w
					; sub_787DE0+370r ...
dword_A93EE8	dd 0			; DATA XREF: ClipInitHandles()+23w
					; sub_A1A21B+2DBr
dword_A93EEC	dd 0			; DATA XREF: ClipInitHandles()+2Dw
					; sub_785212+10FCr ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_A93F00	dd 0			; DATA XREF: ExpTimeRefreshWork(x)+34r
dword_A93F04	dd 0			; DATA XREF: ExpWatchProductTypeWork+232r
dword_A93F08	dd 0			; DATA XREF: ntoskrnl_27+1Ar
					; PAGE:00788D63r
dword_A93F0C	dd 0			; DATA XREF: ExUpdateOsPfnInRegistry(x,x,x,x)+16r
		db    0
		db    0
		db    0
		db    0
dword_A93F14	dd 0			; DATA XREF: sub_A06A0E+Br
dword_A93F18	dd 0			; DATA XREF: ExUpdateLicenseData+13r
					; ExInitLicenseData+198r
dword_A93F1C	dd 0			; DATA XREF: sub_787DE0:loc_7886A9r
					; sub_787DE0:loc_7886B8w ...
dword_A93F20	dd 0			; DATA XREF: sub_787DE0+795w
					; sub_787DE0+7A3r ...
dword_A93F24	dd 0			; DATA XREF: sub_787DE0+79Aw
					; sub_787DE0+7ACr ...
unk_A93F28	db  18h			; DATA XREF: sub_787DE0+7F9o
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset dword_A426C8+20h
		db  40h	; @
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_g_qwSystemInitTime dd 0		; DATA XREF: sub_787DE0+666w
					; sub_787DE0:loc_788457r ...
dword_A93F44	dd 0			; DATA XREF: sub_787DE0+66Bw
					; sub_787DE0+680r ...
unk_A93F48	db  4Ch	; L		; DATA XREF: sub_787DE0+899o
		db    0
		db  4Eh	; N
		db    0
		dd offset ??_C@_1EO@LEFKKHLK@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAN?$AAo?$AAn?$AAG?$AAe?$AAn?$AAu?$AAi@LBKOJDO@
_g_ulOldGenuineState dd	0		; DATA XREF: sub_787DE0+74Dr
					; sub_787DE0+7B2w
unk_A93F54	db  42h	; B		; DATA XREF: sub_787DE0+83Bo
		db    0
		db  44h	; D
		db    0
		dd offset ??_C@_1EE@DCEFFCO@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAN?$AAo?$AAn?$AAG?$AAe?$AAn?$AAu?$AAi@LBKOJDO@
_g_bWNFEventFired dd 0			; DATA XREF: sub_787DE0+6CCr
					; sub_787DE0+6E3w
_g_ulOldGenuineStateForWnf dd 0F423Fh	; DATA XREF: sub_787DE0+65Er
					; sub_787DE0+671w
dword_A93F64	dd 0			; DATA XREF: sub_A1894B+118r
					; sub_A1894B+15Ew
dword_A93F68	dd 0			; DATA XREF: SPCallServerHandleAuthenticateCaller+DDw
					; SPCallServerHandleUpdatePolicies:loc_782C31r
dword_A93F6C	dd 0			; DATA XREF: SPCallServerHandleAuthenticateCaller+E2w
					; SPCallServerHandleUpdatePolicies+134r ...
off_A93F70	dd offset sub_7851A2	; DATA XREF: WarbirdKmDecryptPointer+EEr
					; WarbirdKmDecryptPointer+11Br	...
		dd offset sub_784D80
		dd offset sub_784990
		dd offset sub_784DE0
		dd offset sub_A1AA6A
		dd offset sub_7849F0
		dd offset sub_784E60
		dd offset sub_78463C
		dd offset sub_78508E
		dd offset sub_784CE0
		dd offset sub_785142
		dd offset sub_784C10
		dd offset sub_784FC0
		dd offset sub_7845E6
		dd offset sub_784A50
		dd offset sub_784AD0
		dd offset sub_784694
		dd offset sub_78458E
		dd offset sub_7850F0
		dd offset sub_783FE8
		dd offset sub_784EF0
		dd offset sub_784F6C
		dd offset sub_78503C
		dd offset sub_7850F0
		dd offset sub_784B80
		dd offset sub_784930
		dd offset sub_7848D0
		dd offset sub_784B50
		dd offset sub_784E3E
		dd offset sub_784CB0
		dd offset sub_784BE0
_AdtpPerCategoryCount dw 5		; DATA XREF: AdtpGetCategoryAndSubCategoryId:loc_89EDFBr
					; SepRmSetAuditEventWrkr+38o ...
		db  0Ch
		db    0
		db  0Eh
		db    0
		db    3
		db    0
		db    6
		db    0
		db    6
		db    0
		db    6
		db    0
		db    4
		db    0
		db    4
		db    0
		db    0
		db    0
		db  39h	; 9
		db  1Fh
		db  45h	; E
		db  6Bh	; k
		db  5Ah	; Z
		db  85h	; 
unk_A94006	db  32h	; 2		; DATA XREF: WarbirdKmDecryptPointer+90o
					; WarbirdKmEncryptPointer+90o
		db 0D8h	; 
		db  3Dh	; =
		db 0BAh	; 
		db 0CFh	; 
		db 0D0h	; 
		db 0CCh	; 
		db  84h	; 
		db 0D0h	; 
		db 0C5h	; 
		db  78h	; x
		db 0E8h	; 
		db 0A1h	; 
		db  45h	; E
		db 0B2h	; 
		db  7Dh	; }
		db 0D2h	; 
		db 0A7h	; 
		db  58h	; X
		db  25h	; %
		db  45h	; E
		db  23h	; #
		db  72h	; r
		db 0CAh	; 
		db 0A8h	; 
		db 0A5h	; 
		db  7Ah	; z
		db  7Ah	; z
		db  34h	; 4
		db  33h	; 3
		db 0BCh	; 
		db  56h	; V
		db 0A8h	; 
		db  5Fh	; _
		db  11h
		db  8Eh	; 
		db  90h	; 
		db 0F1h	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
unk_A9407E	db    0			; DATA XREF: WarbirdKmDecryptPointer+68o
					; WarbirdKmEncryptPointer+68o
		db    0
byte_A94080	db 8			; DATA XREF: WarbirdKmDecryptPointer:loc_784813r
					; WarbirdKmEncryptPointer:loc_8AD501r
byte_A94081	db 1Ah			; DATA XREF: WarbirdKmDecryptPointer:loc_784809r
					; WarbirdKmEncryptPointer:loc_8AD4F7r
		db  17h
		db  0Bh
		db    6
		db  0Ah
		db  0Ch
		db  12h
		db  0Fh
		db  14h
		db  1Ch
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
		db  1Fh
dword_A940A0	dd 299C6CA8h		; DATA XREF: WarbirdKmDecryptPointer+1Er
					; WarbirdKmEncryptPointer+1Er
dword_A940A4	dd 0E72F05EEh		; DATA XREF: WarbirdKmDecryptPointer+26r
					; WarbirdKmEncryptPointer+26r
		align 10h
_InitConsoleFlags dd 0			; DATA XREF: BgkInitialize+6Br
					; INIT:00AF6428o
_InitUnicodeCaseTableDataOffset	dd 0	; DATA XREF: PAGE:loc_75B496r
					; Phase1InitializationDiscard(x):loc_AC0D51r ...
_InitAnsiCodePageDataOffset dd 0	; DATA XREF: PAGE:loc_75B4B8r
					; Phase1InitializationDiscard(x)+9F5r ...
_InitOemCodePageDataOffset dd 0		; DATA XREF: PAGE:0075B4C5r
					; Phase1InitializationDiscard(x):loc_AC0D5Dr ...
_InitNlsSectionPointer dd 0		; DATA XREF: PAGE:0075B364r
					; Phase1InitializationDiscard(x)+962w ...
_CmpNoMasterCreates db 0		; DATA XREF: CmpDoParseKey(x,x,x,x,x,x,x,x,x)+1640r
					; CmInitSystem1(x)+4AAw
_HvShutdownComplete db 0		; DATA XREF: PAGE:0080F731r
					; PAGE:loc_8EE107r ...
_CmpSystemQuotaWarningPopupDisplayed db	0 ; DATA XREF: CmpCanGrowHive:loc_8CC4BAr
					; CmpCanGrowHive+18AA47w
_CmpQuotaWarningPopupDisplayed db 0	; DATA XREF: CmpClaimGlobalQuota:loc_8CDA0Fr
					; CmpClaimGlobalQuota+186ED6w
_CmRegistryMachineSystemCurrentControlSet db	0 ; DATA XREF: PopOpenKey(x,x,x)+41o
					; PopInitializePowerPolicySimulate+20o	...
		db    0
		db    0
		db    0
dword_A940CC	dd 0			; DATA XREF: CreateMiniNtBootKey()+40r
_CmRegistryMachineSystemCurrentControlSetControlSafeBoot db    0
					; DATA XREF: IopSafebootDriverLoad(x,x)+CFo
					; CmpInitializeRegistryNames()+126o ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_CmSymbolicLinkValueName db    0	; DATA XREF: CmpGetSymbolicLinkTarget+597o
					; CmpGetSymbolicLinkTarget+A46o ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_CmpVolumeManager dd 0			; DATA XREF: CmpVolumeManagerGetContextForFile+93o
					; CmpVolumeManagerInitialize(x)w ...
dword_A940E4	dd 0			; DATA XREF: CmpVolumeManagerGetContextForFile+129o
					; CmpVolumeManagerInitialize(x)+7o ...
dword_A940E8	dd 0			; DATA XREF: CmpVolumeManagerGetContextForFile:loc_74A4B7r
					; CmpVolumeManagerGetContextForFile+13Ew ...
_CmpMasterHive	dd 0			; DATA XREF: CmpFindPathByNameEx(x,x,x,x,x,x):loc_733B05r
					; CmpFindPathByNameEx(x,x,x,x,x,x)+199r ...
_CmpHiveListHead dd 0			; DATA XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+1F1o
					; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)+821o ...
dword_A940F4	dd 0			; DATA XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+1E5r
					; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+206w	...
_CmTypeName	db    0			; DATA XREF: CmpInitializeRegistryNode:loc_88E2A0o
					; CmpInitializeRegistryNames()+18Ao
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpConfigurationData dd ?		; DATA XREF: CmpInitializeRegistryNode+1EDr
					; CmpInitializeRegistryNode:loc_88E44Fr ...
_CmpQuotaExplicitlySet db ?		; DATA XREF: CmpUpdateGlobalQuotaAllowed+6r
					; CmSetRegistryQuotaInformation(x)+1Cw	...
_CmpProfileLoaded db ?			; DATA XREF: CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+2C4r
					; CmpLoadKeyCommon(x,x,x,x,x,x,x,x,x,x,x)+2D6w	...
_CmpCannotWriteConfiguration db	?	; DATA XREF: CmpLazyWriteWorker+71r
					; CmpLazyWriteWorker+839BFw ...
_CmpDiskFullWorkerPopupDisplayed db ?	; DATA XREF: CmpDiskFullWarning()r
					; CmpDiskFullWarning()+3Fw
_SystemHiveFullPathName	dd ?		; DATA XREF: PAGE:00888C25w
					; PAGE:00888C2Fo ...
dword_A94254	dd ?			; DATA XREF: PAGE:00888C34w
					; PAGE:00888CA7w
_SystemHiveFullPathBuffer db	? ;	; DATA XREF: PAGE:00888C34o
					; PAGE:00888CA7o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmMpsSvcKeySubstring db    ? ;		; DATA XREF: CmpTraceSecurityChanging+52o
					; CmpInitializeRegistryNames()+171o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryProcessName db    ? ;	; DATA XREF: CmpInitializeRegistryProcess()+4Co
					; CmpInitializeRegistryNames()+180o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryContainersName db	? ;	; DATA XREF: CmInitSystem1(x)+470o
					; CmpInitializeRegistryNames()+AEo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryAppName db	 ? ;		; DATA XREF: CmInitSystem1(x)+3B7o
					; CmpInitializeRegistryNames()+BDo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpSystemFileName db	 ? ;		; DATA XREF: CmpInitializeSystemHive+55o
					; CmGetSystemDriverList+142o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryUserName db	  ? ;		; DATA XREF: CmInitSystem1(x)+35Bo
					; CmpInitializeRegistryNames()+9Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineSystemCurrentControlSetServicesEventLog db	? ;
					; DATA XREF: INIT:00AC2A1Bo
					; CmpInitializeRegistryNames()+153o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineSystemCurrentControlSetControlBootLog	db    ?	;
					; DATA XREF: IopBootLog+AF36Ao
					; IopCopyBootLogRegistryToFile+A1CAFo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineSystemCurrentControlSetControlSessionManagerMemoryManagement db    ? ;
					; DATA XREF: VfClearVerifierSettings()+43o
					; CmpInitializeMachineDependentConfiguration+9Fo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineSystemCurrentControlSetControlClass db    ? ;
					; DATA XREF: CmpInitializeRegistryNames()+117o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineSystemCurrentControlSetHardwareProfilesCurrent db    ? ;
					; DATA XREF: CmpInitializeRegistryNames()+108o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineSystemCurrentControlSetServices dd ? ; DATA XREF: MmCallDllInitialize+83r
					; MmCallDllInitialize+C7r ...
; void *dword_A94334
dword_A94334	dd ?			; DATA XREF: MmCallDllInitialize+D4r
					; PnpUnloadAttachedDriver+87C5Ar
_CmRegistryMachineSystemCurrentControlSetEnumRootName db    ? ;
					; DATA XREF: CmpInitializeRegistryNames()+EAo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineSystemCurrentControlSetEnumName db	? ;
					; DATA XREF: CmpInitializeRegistryNames()+DBo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineSystemName db	   ? ;	; DATA XREF: IopStoreSystemPartitionInformation+132o
					; CmpInitializeSystemHive+DAo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineHardwareOwnerMapName db    ? ;
					; DATA XREF: CmpInitializeRegistryNames()+72o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineHardwareResourceMapName db	? ; ; DATA XREF: PnpBuildCmResourceList+351o
					; IopInitializeResourceMap+232o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineHardwareDeviceMapName	db    ?	;
					; DATA XREF: CmpInitializeHardwareConfiguration(x)+3Ao
					; CmpInitializeRegistryNames()+54o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineHardwareDescriptionSystemName	db    ?	; ; DATA XREF: IopLoadDriver+393o
					; IoQueryDeviceDescription+7Fo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineHardwareDescriptionName db	? ;
					; DATA XREF: CmpInitializeHardwareConfiguration(x)+7Do
					; CmpInitializeRegistryNames()+36o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineHardwareName db    ? ; ; DATA	XREF: CmInitSystem1(x)+574o
					; CmpInitializeRegistryNames()+27o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmRegistryMachineName dw ?		; DATA XREF: IopQueryRegistryKeySystemPath+BFr
					; IopQueryRegistryKeySystemPath+D7o ...
		align 8
_CmRegistryRootName dw ?		; DATA XREF: VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+22Ar
					; VrpHandleIoctlInitializeJobForVreg(x,x,x,x,x,x)+247o	...
		align 10h
_CmPerfCounters	dd ?			; DATA XREF: CmpFreeKeyControlBlock+Ao
					; CmpFreeKeyControlBlock:loc_740140r ...
dword_A94394	dd ?			; DATA XREF: CmpFreeKeyControlBlock+28r
					; CmpCreateKeyControlBlock+D8r	...
dword_A94398	dd ?			; DATA XREF: CmpRemoveFromDelayedClose(x)+3Ew
					; PAGE:007C6C68w ...
dword_A9439C	dd ?			; DATA XREF: CmpRemoveFromDelayedClose(x)+45w
					; PAGE:007C6C74w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_A943B0	dd ?			; DATA XREF: CmpFreeKeyControlBlock:loc_7401CAo
					; CmpFreeKeyControlBlock:loc_7401D1r ...
dword_A943B4	dd ?			; DATA XREF: CmpFreeKeyControlBlock+B9r
					; CmpCreateKeyControlBlock+129r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmpGlobalQuotaUsed dd ?		; DATA XREF: CmpReleaseGlobalQuotar
					; CmpReleaseGlobalQuota+Eo ...
_CmpSizeOfPagedPoolInBytes dd ?		; DATA XREF: CmpUpdateGlobalQuotaAllowed+1Ar
					; CmpUpdateGlobalQuotaAllowed+186ED6w ...
_CmRegistryIODebug dd ?			; DATA XREF: CmpDoFileFlush:loc_5A8FB6w
					; CmpDoFileRead+176433w ...
dword_A943F4	dd ?			; DATA XREF: CmpDoFileFlush+1771A2w
					; CmpDoFileRead+176447w ...
dword_A943F8	dd ?			; DATA XREF: CmpDoFileFlush+1771A8w
					; CmpDoFileRead+17643Dw ...
_CmpRegistryRootObject dd ?		; DATA XREF: CmpGetSymbolicLinkTarget+858r
					; CmpStartSiloRegistryNamespace(x)+8Ar	...
_IoLoaderArcBootDeviceName dd ?		; DATA XREF: IopCreateArcNames(x)+CEw
_IopLinkTrackingServiceEvent dd	?	; DATA XREF: IopConnectLinkTrackingPort(x)+3Cr
					; IopSendMessageToTrackService(x,x,x)+5Br ...
_IoArcHalDeviceName dw ?		; DATA XREF: IopStoreSystemPartitionInformation+50r
					; IopCreateArcNames(x)+6Eo
		align 4
dword_A9440C	dd ?			; DATA XREF: IopStoreSystemPartitionInformation+18r
_IoArcBootDeviceName db	   ? ;		; DATA XREF: IopLoadCrashdumpDriver+68o
					; IopCreateArcNames(x)+A8o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_A94414	dd ?			; DATA XREF: PopPdcCsCheckSystemVolumeDevice:loc_AEB542r
_IoArcTableListHead dd ?		; DATA XREF: IopCreateArcName+3Bo
					; IopCreateArcName+70r	...
dword_A9441C	dd ?			; DATA XREF: IopStoreArcInformation+1Cw
					; IopStoreArcInformation:loc_AD9A94r ...
_IopLinkTrackingServiceObject dd ?	; DATA XREF: IopConnectLinkTrackingPort(x)+1Fr
					; IopConnectLinkTrackingPort(x)+B4w ...
_PiLoggedErrorEventsMask dd ?		; DATA XREF: PpCheckInDriverDatabase:loc_8FCD14r
					; PpCheckInDriverDatabase+B0987w ...
_PnpDeferredRegistrationList dd	?	; DATA XREF: PnpUnregisterPlugPlayNotification+81E99r
					; PnpUnregisterPlugPlayNotification:loc_5E54D8o ...
dword_A9442C	dd ?			; DATA XREF: PnpDeferNotification(x)+55r
					; PnpDeferNotification(x)+71w ...
_PnpProfileNotifyList dd ?		; DATA XREF: IoRegisterPlugPlayNotification+30Bo
					; IoReportTargetDeviceChange(x,x)+22Br	...
dword_A94434	dd ?			; DATA XREF: IoRegisterPlugPlayNotification+306r
					; IoRegisterPlugPlayNotification+31Dw ...
_PnpDeviceClassNotifyList db	? ;	; DATA XREF: PnpNotifyDeviceClassChange+67o
					; IoRegisterPlugPlayNotification+D6o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PpDDBPatchHandle dd ?			; DATA XREF: PiLookupInDDB+Br
					; PpReleaseBootDDB:loc_8A5755r	...
_PpDDBHandle	dd ?			; DATA XREF: PiLookupInDDB+1Ar
					; PiLookupInDDB+4Br ...
_PpBootDDBPatch	dd ?			; DATA XREF: PpReleaseBootDDB+8C566r
					; PpReleaseBootDDB+8C577w ...
_PpBootDDB	dd ?			; DATA XREF: PpReleaseBootDDB+30r
					; PpReleaseBootDDB+41w	...
; void PiDDBCacheTable
_PiDDBCacheTable db    ? ;		; DATA XREF: PiLookupInDDBCache+2Fo
					; PiLookupInDDBCache+95o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_A944E4	dd ?			; DATA XREF: PiLookupInDDBCache+28w
					; PiUpdateDriverDBCache+35w
_PiDDBCacheList	dd ?			; DATA XREF: PiLookupInDDBCache+C9o
					; PiUpdateDriverDBCache+88o ...
dword_A944EC	dd ?			; DATA XREF: PiLookupInDDBCache+CEr
					; PiLookupInDDBCache+E2w ...
_TtmpEnabled	dd ?			; DATA XREF: TtmIsEnabled()r
					; PopNotifySessionUserPowerRequestCreated+81r ...
_TtmpProximityEscapeMsec dd ?		; DATA XREF: TtmInit:loc_938584r
					; TtmInit+83698w ...
_TtmpTerminalObjectType	dd ?		; DATA XREF: TtmInit+4Cw
					; TtmInit+83708o ...
_TtmpSession	dd ?			; DATA XREF: TtmInit+3Aw
					; TtmCleanupCurrentSession()+39r ...
_TtmpQueueObjectType dd	?		; DATA XREF: TtmiCreateEventQueue(x,x)+2Fr
					; TtmInit+23w ...
_PsEmbeddedNTMask db ?			; DATA XREF: PsLocateSystemDlls:loc_931ED2r
					; INIT:00AF6278o
		align 4
_PspSystemDllInitBlock dd ?		; DATA XREF: PspPrepareSystemDllInitBlock+Fr
					; INIT:00AF6B3Co
_PspLoaderInitRoutine dd ?		; DATA XREF: PspInitializeThunkContext+111r
					; PspInitializeThunkContext:loc_8D8ED2r
_PspUserFiberStart db	 ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_PspUserThreadStart dd ?		; DATA XREF: NtCreateThreadEx+123r
					; PAGE:007A32F7r
_PspWorkOnBehalfEncodingKey dd ?	; DATA XREF: PsEncodeThreadWorkOnBehalfTicket(x,x)+11r
					; PspThreadFromTicket(x,x)+Dr ...
dword_A9451C	dd ?			; DATA XREF: PsEncodeThreadWorkOnBehalfTicket(x,x)+18r
					; PspThreadFromTicket(x,x)+13r	...
_PspUseJobSchedulingClasses db ?	; DATA XREF: PspApplyJobLimitsToProcess:loc_75218Ar
					; PspComputeQuantum:loc_760A7Fr ...
_EtwpKsrPrepared db ?			; DATA XREF: EtwpKsrCallback(x,x,x):loc_A023BCw
					; EtwpSetSoftRestartInformation(x,x)+17Er
_ExpShuttingDown db ?			; DATA XREF: ExShutdownSystem(x)+2Cw
					; ExInitializeTimeRefresh+41w
_AdtpRegisteredWithEtw db ?		; DATA XREF: SepRmCallLsa+42r
					; AdtpInitializeAuditingCommon()+Cw
_PspForegroundQuantum dw ?		; DATA XREF: PspComputeQuantum+20r
					; PsChangeQuantumTable+6Bw
byte_A94526	db ?			; DATA XREF: PsChangeQuantumTable+7Bw
		align 4
_PspGlobalFlags	dd ?			; DATA XREF: PspSetupUserProcessAddressSpace+64r
					; PspUpdateCreateInfo+E5r ...
; Exported entry 1924. PsUILanguageComitted
		public _PsUILanguageComitted
_PsUILanguageComitted dd ?		; DATA XREF: _RtlpMuiRegLoadInstalled+11r
					; _RtlpMuiRegValidateInstalled+86r ...
_PsDefaultLoaderThreads	dd ?		; DATA XREF: PspSetupUserProcessAddressSpace+7Dr
					; PsBootPhaseComplete+CFo
_PsNoRemoteThreadBeforeProcessInit dd ?	; DATA XREF: PspIsProcessReadyForRemoteThread+18r
					; PsBootPhaseComplete+E2o
_PspShutdownThread db	 ? ;		; DATA XREF: PsShutdownSystem()+3Do
		db    ?	;
		db    ?	;
		db    ?	;
_PspActiveProcessLock dd ?		; DATA XREF: PspUnlockProcessListExclusive+27o
					; PspUnlockProcessListExclusive+60o ...
_PsInstallUILanguageId dw ?		; DATA XREF: MigrateOOBELanguageToInstallationLanguage()+D3r
					; NtGetMUIRegistryInfo+1CBr ...
		align 4
_PsDefaultSystemLocaleId dd ?		; DATA XREF: NtQueryDefaultLocale+3Dr
					; LdrResFallbackLangList:loc_8440F2r ...
_PsDefaultThreadLocaleId dd ?		; DATA XREF: MmGetSessionLocaleId():loc_76F5ACr
					; MmSetSessionLocaleId(x):loc_871C60w ...
; Exported entry 2988. psMUITest
		public _psMUITest
_psMUITest	dd ?			; DATA XREF: CmpGetSystemControlValues:loc_AE64E6r
_PsMachineUILanguageId dw ?		; DATA XREF: NtGetMUIRegistryInfo+1D8r
					; LdrResFallbackLangList:loc_844040r ...
		align 4
_PspQuotaDatabaseKey dd	?		; DATA XREF: PspReadUserQuotaLimits+32r
					; PspReadUserQuotaLimits:loc_7D1A6Ao
_PspDefaultResourceLimits dd ?		; DATA XREF: PspRegisterResource:loc_56E624w
					; PspRegisterResource:loc_5F5818r ...
unk_A9455C	db    ?	;		; DATA XREF: INIT:00AF3620o
		db    ?	;
		db    ?	;
		db    ?	;
unk_A94560	db    ?	;		; DATA XREF: INIT:00AF3650o
		db    ?	;
		db    ?	;
		db    ?	;
unk_A94564	db    ?	;		; DATA XREF: INIT:00AF3668o
		db    ?	;
		db    ?	;
		db    ?	;
_PspQuotaBlockTable dd ?		; DATA XREF: PspAssignProcessQuotaBlock+B9r
					; PspLookupProcessQuotaBlock+24r ...
_PspDefaultQuotaBlock dd ?		; DATA XREF: PspAssignProcessQuotaBlock+D4r
					; PspLookupProcessQuotaBlock+9Aw ...
_PspLoadImageNotifyRoutineCount	dd ?	; DATA XREF: PsRemoveLoadImageNotifyRoutine+51w
					; PsSetLoadImageNotifyRoutineEx+40w
_PspNotifyEnableMask dd	?		; DATA XREF: PspCallProcessNotifyRoutines+34r
					; PspCallProcessNotifyRoutines:loc_77800Dr ...
_PspCreateThreadNotifyRoutineCount dd ?	; DATA XREF: PsRemoveCreateThreadNotifyRoutine+4Fo
					; PspSetCreateThreadNotifyRoutine+48w
_PspCreateThreadNotifyRoutineNonSystemCount dd ?
					; DATA XREF: PsRemoveCreateThreadNotifyRoutine+48o
					; PspSetCreateThreadNotifyRoutine:loc_856911w
_PspCreateProcessNotifyRoutineCount dd ?
					; DATA XREF: PspSetCreateProcessNotifyRoutine:loc_8569D0w
					; PspSetCreateProcessNotifyRoutine+11Ao
_PspCreateProcessNotifyRoutineExCount dd ? ; DATA XREF:	PspSetCreateProcessNotifyRoutine+75w
					; PspSetCreateProcessNotifyRoutine+123o
_PspStorageBitmapBits db    ? ;		; DATA XREF: PspInitializeStorageStructures()+11o
		db    ?	;
		db    ?	;
		db    ?	;
_RtlpModernAppKey db	? ;
		db    ?	;
		db    ?	;
		db    ?	;
_PspStorageExpansionBitmapBits db    ? ; ; DATA	XREF: PspInitializeStorageStructures()+25o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void NlsOemLeadByteInfoTable
_NlsOemLeadByteInfoTable dw ?		; DATA XREF: RtlResetRtlTranslations+B6o
					; RtlIsNameLegalDOS8Dot3+185F01r ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void NlsLeadByteInfoTable
_NlsLeadByteInfoTable dw ?		; DATA XREF: UpcaseUnicodeToMultiByteNHelper(x,x,x,x,x)+3Cr
					; RtlAnsiCharToUnicodeChar+2Br	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SeTcbPrivilege	dd ?			; DATA XREF: SepCheckForCriticalAceRemoval(x,x,x,x,x)+3Er
					; SepVerifyDesktopAppPolicyOverrideCaller(x)+56r ...
dword_A949B4	dd ?			; DATA XREF: SepCheckForCriticalAceRemoval(x,x,x,x,x)+33r
					; SepVerifyDesktopAppPolicyOverrideCaller(x)+4Cr ...
_SeShutdownPrivilege dd	?		; DATA XREF: NtReplacePartitionUnit(x,x,x)+46r
					; PAGELK:0071EB19r ...
dword_A949BC	dd ?			; DATA XREF: NtReplacePartitionUnit(x,x,x)+40r
					; PAGELK:0071EB13r ...
; void *SePublicOpenDacl
_SePublicOpenDacl dd ?			; DATA XREF: IopCreateSecurityDescriptorPerType:loc_910628r
					; SepInitSystemDacls()+F6w ...
; void *SePublicOpenUnrestrictedDacl
_SePublicOpenUnrestrictedDacl dd ?	; DATA XREF: IopCreateSecurityDescriptorPerType+63r
					; SepInitSystemDacls()+10Aw ...
; Exported entry 2485. SePublicDefaultDacl
		public _SePublicDefaultDacl
; void *SePublicDefaultDacl
_SePublicDefaultDacl dd	?		; DATA XREF: IopCreateSecurityDescriptorPerType:loc_910633r
					; SepInitSystemDacls()+D0w ...
; Exported entry 2514. SeSystemDefaultDacl
		public _SeSystemDefaultDacl
; void *SeSystemDefaultDacl
_SeSystemDefaultDacl dd	?		; DATA XREF: IopCreateSecurityDescriptorPerType:loc_91061Dr
					; SeMakeSystemToken+538r ...
; void *SePublicDefaultUnrestrictedDacl
_SePublicDefaultUnrestrictedDacl dd ?	; DATA XREF: IopCreateSecurityDescriptorPerType+1Er
					; IopCreateDefaultDeviceSecurityDescriptor:loc_91051Er	...
_SeCompatFlags	db    ?	;		; DATA XREF: INIT:00AF64D0o
		db    ?	;
		db    ?	;
		db    ?	;
_SeRestorePrivilege dd ?		; DATA XREF: VrpHandleIoctlLoadDifferencingHive+54r
					; CmUnloadKey+F9r ...
dword_A949DC	dd ?			; DATA XREF: VrpHandleIoctlLoadDifferencingHive+4Er
					; CmUnloadKey+F3r ...
_SeBackupPrivilege dd ?			; DATA XREF: VrpHandleIoctlLoadDifferencingHive+1Dr
					; IopCheckBackupRestorePrivilege+6Er ...
dword_A949E4	dd ?			; DATA XREF: VrpHandleIoctlLoadDifferencingHive+12r
					; IopCheckBackupRestorePrivilege+76r ...
_SeProfileSingleProcessPrivilege dd ?	; DATA XREF: PfpPrivSourceEnum(x,x,x)+10Ar
					; PAGE:0077D27Fr ...
dword_A949EC	dd ?			; DATA XREF: PfpPrivSourceEnum(x,x,x)+104r
					; PAGE:0077D279r ...
_SeIncreaseBasePriorityPrivilege dd ?	; DATA XREF: ExCpuSetResourceManagerAccessCheck(x)+2Fr
					; PAGE:007A7211r ...
dword_A949F4	dd ?			; DATA XREF: ExCpuSetResourceManagerAccessCheck(x)+29r
					; PAGE:007A720Br ...
_SeIncreaseWorkingSetPrivilege dd ?	; DATA XREF: SeMakeSystemToken+3D3r
					; SepVariableInitialization()+166Bw
dword_A949FC	dd ?			; DATA XREF: SeMakeSystemToken+3DBr
					; SepVariableInitialization()+1671w
_SeAssignPrimaryTokenPrivilege dd ?	; DATA XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E36r
					; PspAssignPrimaryToken+8ECFCr	...
dword_A94A04	dd ?			; DATA XREF: PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+E30r
					; PspAssignPrimaryToken:loc_9302F9r ...
_SeCreatePagefilePrivilege dd ?		; DATA XREF: MiCreatePagingFile+A6r
					; NtPowerInformation+171B2Cr ...
dword_A94A0C	dd ?			; DATA XREF: MiCreatePagingFile+A0r
					; NtPowerInformation+171B31r ...
_SeDebugPrivilege dd ?			; DATA XREF: PAGE:00780D33r
					; PAGE:007A81AEr ...
dword_A94A14	dd ?			; DATA XREF: PAGE:00780D2Dr
					; PAGE:007A81A8r ...
_SeIncreaseQuotaPrivilege dd ?		; DATA XREF: PsQueryCpuQuotaInformation+7DE69r
					; PsSetCpuQuotaInformation(x,x,x)+49r ...
dword_A94A1C	dd ?			; DATA XREF: PsQueryCpuQuotaInformation+7DE63r
					; PsSetCpuQuotaInformation(x,x,x)+43r ...
; Exported entry 2464. SeExports
		public _SeExports
_SeExports	dd ?			; DATA XREF: RtlpOwnerAcesPresent+8r
					; SeAccessCheckWithHintWithAdminlessChecks:loc_51C260r	...
_SeAtomSd	dd ?			; DATA XREF: RtlpAllowsLowBoxAccess(x)+164r
					; SepInitSystemDacls()+572w
_SeCreateGlobalPrivilege dd ?		; DATA XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1296r
					; SeMakeSystemToken+3A3r ...
dword_A94A2C	dd ?			; DATA XREF: ObpLookupObjectName(x,x,x,x,x,x,x,x,x,x,x,x,x)+1290r
					; SeMakeSystemToken+3ABr ...
_SeCreatePermanentPrivilege dd ?	; DATA XREF: NtCreateWnfStateName+23Cr
					; ObCreateObjectEx+F8r	...
dword_A94A34	dd ?			; DATA XREF: NtCreateWnfStateName+236r
					; ObCreateObjectEx+F2r	...
_SeSecurityPrivilege dd	?		; DATA XREF: SepAccessCheck+5F9r
					; SePrivilegePolicyCheck+B873Dr ...
dword_A94A3C	dd ?			; DATA XREF: SepAccessCheck+60Ar
					; SePrivilegePolicyCheck+B874Cr ...
_SeMediumDaclSd	dd ?			; DATA XREF: RtlIsSandboxedToken+48r
					; ExIsRestrictedCaller(x)+61r ...
_SeRestrictedSid dd ?			; DATA XREF: CmpGenerateAppHiveSecurityDescriptor(x)+116r
					; SepCreateImpersonationTokenDacl:loc_82CEC4r ...
_SeRelabelPrivilege dd ?		; DATA XREF: SepAccessCheck+462r
					; SePrivilegePolicyCheck+A8r ...
dword_A94A4C	dd ?			; DATA XREF: SepAccessCheck+475r
					; SePrivilegePolicyCheck+B7r ...
_SePublicDefaultUnrestrictedSd dd ?	; DATA XREF: IoCreateSymbolicLink(x,x)+14r
					; IopProcessSetInterfaceState+28Cr ...
; void *SepDefaultRecoveryCapeDacl
_SepDefaultRecoveryCapeDacl dd ?	; DATA XREF: SepInitSystemDacls()+16Cw
					; SepInitSystemDacls()+209r
_SeLockMemoryPrivilege dd ?		; DATA XREF: .text:005225EDr
					; MiCreatePagingFileMap(x)+97r	...
dword_A94A5C	dd ?			; DATA XREF: .text:005225E7r
					; MiCreatePagingFileMap(x)+91r	...
_SepSidMapping	db    ?	;		; DATA XREF: PAGEDATA:_g_SepSidMappingo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void *SepDefaultCapeDacl
_SepDefaultCapeDacl dd ?		; DATA XREF: SepInitSystemDacls()+15Aw
					; SepInitSystemDacls()+1F6r
_SeManageVolumePrivilege dd ?		; DATA XREF: SeMakeSystemToken+380r
					; SepVariableInitialization()+1628w
dword_A94A74	dd ?			; DATA XREF: SeMakeSystemToken+38Br
					; SepVariableInitialization()+1632w
_SeEnableDelegationPrivilege dd	?	; DATA XREF: SepVariableInitialization()+161Dw
dword_A94A7C	dd ?			; DATA XREF: SepVariableInitialization()+1623w
_SeTrustedCredManAccessPrivilege dd ?	; DATA XREF: SeMakeSystemToken+3B3r
					; SepVariableInitialization()+1651w
dword_A94A84	dd ?			; DATA XREF: SeMakeSystemToken+3BBr
					; SepVariableInitialization()+1657w
_SeImpersonatePrivilege	dd ?		; DATA XREF: SeMakeSystemToken+393r
					; SepVariableInitialization()+1637w
dword_A94A8C	dd ?			; DATA XREF: SeMakeSystemToken+39Br
					; SepVariableInitialization()+163Dw
_SeRemoteShutdownPrivilege dd ?		; DATA XREF: SepVariableInitialization()+15F0w
dword_A94A94	dd ?			; DATA XREF: SepVariableInitialization()+15FAw
_SeChangeNotifyPrivilege dd ?		; DATA XREF: PAGE:_SepFilterPrivilegesShorto
					; PAGE:_SepFilterPrivilegesLongo ...
dword_A94A9C	dd ?			; DATA XREF: SeMakeSystemToken+27Br
					; SepVariableInitialization()+15EBw
_SeSyncAgentPrivilege dd ?		; DATA XREF: SepVariableInitialization()+160Ew
dword_A94AA4	dd ?			; DATA XREF: SepVariableInitialization()+1618w
_SeUndockPrivilege dd ?			; DATA XREF: SeMakeSystemToken+30Ar
					; SepVariableInitialization()+15FFw
dword_A94AAC	dd ?			; DATA XREF: SeMakeSystemToken+375r
					; SepVariableInitialization()+1609w
_SeCreateSymbolicLinkPrivilege dd ?	; DATA XREF: SeMakeSystemToken+3F3r
					; SepVariableInitialization()+17F2w
dword_A94AB4	dd ?			; DATA XREF: SeMakeSystemToken+3FBr
					; SepVariableInitialization()+1687w
_SeTimeZonePrivilege dd	?		; DATA XREF: PAGE:007B361Fr
					; PAGE:007B367Fr ...
dword_A94ABC	dd ?			; DATA XREF: PAGE:007B3619r
					; PAGE:007B3679r ...
_SepExports	dd ?			; DATA XREF: SepVariableInitialization()+1802w
					; SepVariableInitialization()+19FBo
dword_A94AC4	dd ?			; DATA XREF: SepVariableInitialization()+180Cw
dword_A94AC8	dd ?			; DATA XREF: SepVariableInitialization()+1811w
dword_A94ACC	dd ?			; DATA XREF: SepVariableInitialization()+181Bw
dword_A94AD0	dd ?			; DATA XREF: SepVariableInitialization()+1820w
dword_A94AD4	dd ?			; DATA XREF: SepVariableInitialization()+182Aw
dword_A94AD8	dd ?			; DATA XREF: SepVariableInitialization()+182Fw
dword_A94ADC	dd ?			; DATA XREF: SepVariableInitialization()+1839w
dword_A94AE0	dd ?			; DATA XREF: SepVariableInitialization()+183Ew
dword_A94AE4	dd ?			; DATA XREF: SepVariableInitialization()+1848w
dword_A94AE8	dd ?			; DATA XREF: SepVariableInitialization()+184Dw
dword_A94AEC	dd ?			; DATA XREF: SepVariableInitialization()+1857w
dword_A94AF0	dd ?			; DATA XREF: SepVariableInitialization()+185Cw
dword_A94AF4	dd ?			; DATA XREF: SepVariableInitialization()+1866w
dword_A94AF8	dd ?			; DATA XREF: SepVariableInitialization()+186Bw
dword_A94AFC	dd ?			; DATA XREF: SepVariableInitialization()+1875w
dword_A94B00	dd ?			; DATA XREF: SepVariableInitialization()+187Aw
dword_A94B04	dd ?			; DATA XREF: SepVariableInitialization()+1884w
dword_A94B08	dd ?			; DATA XREF: SepVariableInitialization()+1889w
dword_A94B0C	dd ?			; DATA XREF: SepVariableInitialization()+1893w
dword_A94B10	dd ?			; DATA XREF: SepVariableInitialization()+1898w
dword_A94B14	dd ?			; DATA XREF: SepVariableInitialization()+18A2w
dword_A94B18	dd ?			; DATA XREF: SepVariableInitialization()+18A7w
dword_A94B1C	dd ?			; DATA XREF: SepVariableInitialization()+18B1w
dword_A94B20	dd ?			; DATA XREF: SepVariableInitialization()+18B6w
dword_A94B24	dd ?			; DATA XREF: SepVariableInitialization()+18C0w
dword_A94B28	dd ?			; DATA XREF: SepVariableInitialization()+18C5w
dword_A94B2C	dd ?			; DATA XREF: SepVariableInitialization()+18CFw
dword_A94B30	dd ?			; DATA XREF: SepVariableInitialization()+18D4w
dword_A94B34	dd ?			; DATA XREF: SepVariableInitialization()+18DEw
dword_A94B38	dd ?			; DATA XREF: SepVariableInitialization()+18E3w
dword_A94B3C	dd ?			; DATA XREF: SepVariableInitialization()+18EDw
dword_A94B40	dd ?			; DATA XREF: SepVariableInitialization()+18F2w
dword_A94B44	dd ?			; DATA XREF: SepVariableInitialization()+18FCw
dword_A94B48	dd ?			; DATA XREF: SepVariableInitialization()+1901w
dword_A94B4C	dd ?			; DATA XREF: SepVariableInitialization()+190Bw
dword_A94B50	dd ?			; DATA XREF: SepVariableInitialization()+1910w
dword_A94B54	dd ?			; DATA XREF: SepVariableInitialization()+191Aw
dword_A94B58	dd ?			; DATA XREF: SepVariableInitialization()+191Fw
dword_A94B5C	dd ?			; DATA XREF: SepVariableInitialization()+1929w
dword_A94B60	dd ?			; DATA XREF: SepVariableInitialization()+192Ew
dword_A94B64	dd ?			; DATA XREF: SepVariableInitialization()+1938w
dword_A94B68	dd ?			; DATA XREF: SepVariableInitialization()+193Dw
dword_A94B6C	dd ?			; DATA XREF: SepVariableInitialization()+1947w
dword_A94B70	dd ?			; DATA XREF: SepVariableInitialization()+194Cw
dword_A94B74	dd ?			; DATA XREF: SepVariableInitialization()+1956w
dword_A94B78	dd ?			; DATA XREF: SepVariableInitialization()+1696w
dword_A94B7C	dd ?			; DATA XREF: SepVariableInitialization()+16A0w
dword_A94B80	dd ?			; DATA XREF: SepVariableInitialization()+16AAw
dword_A94B84	dd ?			; DATA XREF: SepVariableInitialization()+16B4w
dword_A94B88	dd ?			; DATA XREF: SepVariableInitialization()+16BEw
dword_A94B8C	dd ?			; DATA XREF: SepVariableInitialization()+16D2w
dword_A94B90	dd ?			; DATA XREF: SepVariableInitialization()+16DCw
dword_A94B94	dd ?			; DATA XREF: SepVariableInitialization()+16E6w
dword_A94B98	dd ?			; DATA XREF: SepVariableInitialization()+16F0w
dword_A94B9C	dd ?			; DATA XREF: SepVariableInitialization()+16FAw
dword_A94BA0	dd ?			; DATA XREF: SepVariableInitialization()+1704w
dword_A94BA4	dd ?			; DATA XREF: SepVariableInitialization()+174Aw
dword_A94BA8	dd ?			; DATA XREF: SepVariableInitialization()+1754w
dword_A94BAC	dd ?			; DATA XREF: SepVariableInitialization()+175Ew
dword_A94BB0	dd ?			; DATA XREF: SepVariableInitialization()+1768w
dword_A94BB4	dd ?			; DATA XREF: SepVariableInitialization()+1772w
dword_A94BB8	dd ?			; DATA XREF: SepVariableInitialization()+177Cw
dword_A94BBC	dd ?			; DATA XREF: SepVariableInitialization()+1786w
dword_A94BC0	dd ?			; DATA XREF: SepVariableInitialization()+1790w
dword_A94BC4	dd ?			; DATA XREF: SepVariableInitialization()+170Ew
dword_A94BC8	dd ?			; DATA XREF: SepVariableInitialization()+1718w
dword_A94BCC	dd ?			; DATA XREF: SepVariableInitialization()+1722w
dword_A94BD0	dd ?			; DATA XREF: SepVariableInitialization()+195Bw
dword_A94BD4	dd ?			; DATA XREF: SepVariableInitialization()+1965w
dword_A94BD8	dd ?			; DATA XREF: SepVariableInitialization()+196Aw
dword_A94BDC	dd ?			; DATA XREF: SepVariableInitialization()+1974w
dword_A94BE0	dd ?			; DATA XREF: SepVariableInitialization()+1979w
dword_A94BE4	dd ?			; DATA XREF: SepVariableInitialization()+197Fw
dword_A94BE8	dd ?			; DATA XREF: SepVariableInitialization()+172Cw
dword_A94BEC	dd ?			; DATA XREF: SepVariableInitialization()+1736w
dword_A94BF0	dd ?			; DATA XREF: SepVariableInitialization()+1984w
dword_A94BF4	dd ?			; DATA XREF: SepVariableInitialization()+198Ew
dword_A94BF8	dd ?			; DATA XREF: SepVariableInitialization()+1993w
dword_A94BFC	dd ?			; DATA XREF: SepVariableInitialization()+1999w
dword_A94C00	dd ?			; DATA XREF: SepVariableInitialization()+199Ew
dword_A94C04	dd ?			; DATA XREF: SepVariableInitialization()+19A8w
dword_A94C08	dd ?			; DATA XREF: SepVariableInitialization()+19ADw
dword_A94C0C	dd ?			; DATA XREF: SepVariableInitialization()+19B3w
dword_A94C10	dd ?			; DATA XREF: SepVariableInitialization()+19B8w
dword_A94C14	dd ?			; DATA XREF: SepVariableInitialization()+19C2w
dword_A94C18	dd ?			; DATA XREF: SepVariableInitialization()+19C7w
dword_A94C1C	dd ?			; DATA XREF: SepVariableInitialization()+19CDw
dword_A94C20	dd ?			; DATA XREF: SepVariableInitialization()+19D2w
dword_A94C24	dd ?			; DATA XREF: SepVariableInitialization()+19DCw
dword_A94C28	dd ?			; DATA XREF: SepVariableInitialization()+19E1w
dword_A94C2C	dd ?			; DATA XREF: SepVariableInitialization()+19E7w
dword_A94C30	dd ?			; DATA XREF: SepVariableInitialization()+1740w
dword_A94C34	dd ?			; DATA XREF: SepVariableInitialization()+179Aw
dword_A94C38	dd ?			; DATA XREF: SepVariableInitialization()+17A4w
dword_A94C3C	dd ?			; DATA XREF: SepVariableInitialization()+17AEw
dword_A94C40	dd ?			; DATA XREF: SepVariableInitialization()+17B8w
dword_A94C44	dd ?			; DATA XREF: SepVariableInitialization()+17C2w
dword_A94C48	dd ?			; DATA XREF: SepVariableInitialization()+16C8w
dword_A94C4C	dd ?			; DATA XREF: SepVariableInitialization()+17CCw
dword_A94C50	dd ?			; DATA XREF: SepVariableInitialization()+17D6w
dword_A94C54	dd ?			; DATA XREF: SepVariableInitialization()+17E0w
dword_A94C58	dd ?			; DATA XREF: SepVariableInitialization()+17EAw
dword_A94C5C	dd ?			; DATA XREF: SepVariableInitialization()+19ECw
dword_A94C60	dd ?			; DATA XREF: SepVariableInitialization()+19F6w
; void *SeMediumSacl
_SeMediumSacl	dd ?			; DATA XREF: SepInitSystemDacls()+17Fw
					; SepInitSystemDacls()+21Dr ...
_SeDelegateSessionUserImpersonatePrivilege dd ?	; DATA XREF: SeMakeSystemToken+413r
					; SepVariableInitialization()+17F8w
dword_A94C6C	dd ?			; DATA XREF: SeMakeSystemToken+41Br
					; SepVariableInitialization()+168Cw
; void *SeLocalServicePublicDacl
_SeLocalServicePublicDacl dd ?		; DATA XREF: SepInitSystemDacls()+132w
					; SepInitSystemDacls()+1D2r
; void *SeAtomDacl
_SeAtomDacl	dd ?			; DATA XREF: SepInitSystemDacls()+146w
					; SepInitSystemDacls()+1E5r
_SepAtomSd	db    ?	;		; DATA XREF: SepInitSystemDacls()+56Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SeLocalServicePublicSd	dd ?		; DATA XREF: SepInitSystemDacls()+552w
_SeSystemtimePrivilege dd ?		; DATA XREF: PAGE:007B33CAr
					; PAGE:007B3465r ...
dword_A94C94	dd ?			; DATA XREF: PAGE:007B33C4r
					; PAGE:007B345Fr ...
_SeSystemProfilePrivilege dd ?		; DATA XREF: EtwpUpdateGroupMasks+12A1B8r
					; EtwSetPerformanceTraceInformation(x,x,x)+934r ...
dword_A94C9C	dd ?			; DATA XREF: EtwpUpdateGroupMasks+12A1B2r
					; EtwSetPerformanceTraceInformation(x,x,x)+92Er ...
_SeSystemEnvironmentPrivilege dd ?	; DATA XREF: NtQuerySystemEnvironmentValueEx+79r
					; ExpSetBootEntry(x,x,x)+C1r ...
dword_A94CA4	dd ?			; DATA XREF: NtQuerySystemEnvironmentValueEx+73r
					; ExpSetBootEntry(x,x,x)+BBr ...
_SeAuditPrivilege dd ?			; DATA XREF: SeCheckAuditPrivilege(x,x)+12r
					; PAGE:00A40F08o ...
dword_A94CAC	dd ?			; DATA XREF: SeCheckAuditPrivilege(x,x)+22r
					; SeMakeSystemToken+239r ...
_SeCreateTokenPrivilege	dd ?		; DATA XREF: SepLinkLogonSessions+2Er
					; NtCreateTokenEx+12Br	...
dword_A94CB4	dd ?			; DATA XREF: SepLinkLogonSessions+22r
					; NtCreateTokenEx+125r	...
_SeTakeOwnershipPrivilege dd ?		; DATA XREF: SepAccessCheck+3CCr
					; SePrivilegePolicyCheck+7Cr ...
dword_A94CBC	dd ?			; DATA XREF: SepAccessCheck+3DFr
					; SePrivilegePolicyCheck+8Br ...
_SeUnsolicitedInputPrivilege dd	?	; DATA XREF: SepVariableInitialization()+14F0w
dword_A94CC4	dd ?			; DATA XREF: SepVariableInitialization()+14FAw
_SepSystemDefaultSd db	  ? ;		; DATA XREF: SepInitSystemDacls()+523o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SeNullDaclSd	dd ?			; DATA XREF: SeIsAppContainerOrIdentifyLevelContext(x,x)+70r
					; SepInitSystemDacls()+603w
_SepLocalServicePublicSd db    ? ;	; DATA XREF: SepInitSystemDacls()+54Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SePublicOpenSd	dd ?			; DATA XREF: SepInitSystemDacls()+4EBw
_SepPublicOpenUnrestrictedSd db	   ? ;	; DATA XREF: SepInitSystemDacls()+503o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; Exported entry 2515. SeSystemDefaultSd
		public _SeSystemDefaultSd
_SeSystemDefaultSd dd ?			; DATA XREF: SepInitSystemDacls()+52Bw
					; SepInitSystemDacls()+53Fr
_SepPublicOpenSd db    ? ;		; DATA XREF: SepInitSystemDacls()+4E3o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SeDefaultRecoveryCapeSd dd ?		; DATA XREF: SepRmCapUpdateWrkr+8CB15r
					; SepInitSystemDacls()+5CFw
_SepDefaultRecoveryCapeSd db	? ;	; DATA XREF: SepInitSystemDacls()+5C7o
					; SepInitSystemDacls()+5DEo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SepImportantProcessSd dd ?		; DATA XREF: SepInitProcessAuditSd+86C8Dw
					; SepInitProcessAuditSd+86CC6w
_SepProcessAuditSd dd ?			; DATA XREF: SepInitProcessAuditSd+6r
					; SepInitProcessAuditSd+86B33w	...
_SeDefaultCapeSd dd ?			; DATA XREF: SepBuildDefaultCape(x)+21r
					; SepInitSystemDacls()+592w
_SepMediumDaclSd db    ? ;		; DATA XREF: SepInitSystemDacls()+60Do
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SeAliasBackupOpsSid dd	?		; DATA XREF: SepVariableInitialization()+6BDw
					; SepVariableInitialization()+ADCr ...
_SepNullDaclSd	db    ?	;		; DATA XREF: SepInitSystemDacls()+5FBo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SeAliasPrintOpsSid dd ?		; DATA XREF: SepVariableInitialization()+6A8w
					; SepVariableInitialization()+AC9r ...
_SepDefaultCapeSd db	? ;		; DATA XREF: SepInitSystemDacls()+58Ao
					; SepInitSystemDacls()+5B0o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SeLocalServiceSid dd ?			; DATA XREF: SepInitProcessAuditSd+86BDBr
					; SepInitProcessAuditSd+86C36r	...
; void *SeAnonymousLogonSid
_SeAnonymousLogonSid dd	?		; DATA XREF: SeExamineSacl(x,x,x,x,x,x,x)+59r
					; SepExamineSaclEx(x,x,x,x,x,x,x,x,x,x,x,x,x)+5Dr ...
_SeAliasPowerUsersSid dd ?		; DATA XREF: SepVariableInitialization()+672w
					; SepVariableInitialization()+A96r ...
_SeAliasGuestsSid dd ?			; DATA XREF: SepVariableInitialization()+660w
					; SepVariableInitialization()+A86r ...
_SeAliasSystemOpsSid dd	?		; DATA XREF: SepVariableInitialization()+694w
					; SepVariableInitialization()+AB6r ...
_SeAliasAccountOpsSid dd ?		; DATA XREF: SepVariableInitialization()+684w
					; SepVariableInitialization()+AA6r ...
_SePublicDefaultSd dd ?			; DATA XREF: SepInitializationPhase1()+19Fr
					; SepInitSystemDacls()+4A7w ...
_SepPublicDefaultSd db	  ? ;		; DATA XREF: SepInitSystemDacls()+49Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SePublicOpenUnrestrictedSd dd ?	; DATA XREF: SepInitSystemDacls()+50Bw
_SepPublicDefaultUnrestrictedSd	db    ?	; ; DATA XREF: SepInitSystemDacls()+4C2o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SeIUserSid	dd ?			; DATA XREF: SepInitProcessAuditSd+86BBCr
					; SepInitProcessAuditSd+86C5Er	...
_SeNetworkServiceSid dd	?		; DATA XREF: SepInitProcessAuditSd+86BD0r
					; SepInitProcessAuditSd+86C4Ar	...
_SeAnonymousLogonTokenNoEveryone dd ?	; DATA XREF: SepGetAnonymousToken(x,x)+38r
					; PspAddSchedulingGroupToJobChain:loc_7E4FD4r ...
_SeAnonymousLogonToken dd ?		; DATA XREF: PspAddSchedulingGroupToJobChain+1F8r
					; SepInitializationPhase1()+65w
_SeServiceSid	dd ?			; DATA XREF: SepVariableInitialization()+5ACw
					; SepVariableInitialization()+9D3r ...
_SeDialupSid	dd ?			; DATA XREF: SepVariableInitialization()+546w
					; SepVariableInitialization()+98Ar ...
_SeAliasUsersSid dd ?			; DATA XREF: WmipInitializeSecurity+34r
					; WmipInitializeSecurity+9Er ...
_SeAuthenticatedUsersSid dd ?		; DATA XREF: SeMakeSystemToken+89r
					; SepVariableInitialization()+5D0w ...
_SeNtAuthoritySid dd ?			; DATA XREF: SepVariableInitialization()+531w
					; SepVariableInitialization()+974r ...
_SeAliasAdminsSid dd ?			; DATA XREF: SepSidInTokenSidHash+F0D35r
					; SepMaximumAccessCheck+EC116r	...
_SeNullSid	dd ?			; DATA XREF: SeLogAccessFailure+D5F49r
					; SeLogAccessFailure+D5F97r ...
_SeLoadDriverPrivilege dd ?		; DATA XREF: IopLoadDriverImage+51r
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+15BDr ...
dword_A94E04	dd ?			; DATA XREF: IopLoadDriverImage+4Br
					; PspAllocateProcess(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+15B7r ...
_SeLuidToIndexMappingData db	? ;	; DATA XREF: PAGEDATA:_SeLuidToIndexMappingo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SepLogonSessions dd ?			; DATA XREF: SepReferenceLogonSessionSilo(x,x,x)+17r
					; SepUpdateLogonSessionTrack+3Dr ...
_SepRmLsaCallProcess dd	?		; DATA XREF: SepRmCallLsa+59r
					; SepAdtLogAuditRecord(x)+13Er	...
_SepRmState	db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_A94E24	dd ?			; DATA XREF: SeRmInitPhase1()+53o
					; SeRmInitPhase1()+66r	...
dword_A94E28	dd ?			; DATA XREF: SepRmCommandServerThread+A0r
					; SepRmCommandServerThread:loc_930B8Ar	...
		align 10h
dword_A94E30	dd ?			; DATA XREF: SepRmDbInitialization()+B6w
_EtwpKsrCallbackObject dd ?		; DATA XREF: EtwpGetSoftRestartInformation(x,x,x)+15r
					; EtwpIsSoftRestartSupported()r ...
_WmipSystemSubjectContext db	? ;	; DATA XREF: WmipCreateGuidObject(x,x,x,x)+114o
					; WmipInitializeSecurity+173o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_EtwpLoggerSaveState db	   ? ;		; DATA XREF: EtwpSavePersistedLoggers()+Bo
					; EtwpSavePersistedLoggersWorker()+BCo
		db    ?	;
		db    ?	;
		db    ?	;
_ExLeapSecondDataLastParseResult dd ?	; DATA XREF: ExpReadLeapSecondData(x,x)+151w
					; INIT:loc_AC2E83r
_ExLeapSecondDataSectionPointer	dd ?	; DATA XREF: PAGE:0075B3CAr
					; ExInitializeLeapSecondData+11Fw
_ExpLeapSecondDataRegistryNotify dd ?	; DATA XREF: ExpReadLeapSecondData(x,x)+40r
					; ExpReadLeapSecondData(x,x)+19Br ...
_ExpLeapSecondDataLock dd ?		; DATA XREF: ExpReadLeapSecondData(x,x)+36o
					; ExpReadLeapSecondData(x,x)+1B3o ...
_ExpTimerResolutionCount dd ?		; DATA XREF: NtSetTimerResolution(x,x,x):loc_73DFFAw
					; NtSetTimerResolution(x,x,x)+104w
_ExpNtExpirationDate dd	?		; DATA XREF: ExInitializeTimeRefresh+1Bo
					; ExInitializeTimeRefresh:loc_ABBD6Br ...
dword_A94E64	dd ?			; DATA XREF: ExInitializeTimeRefresh+37r
					; ExInitializeTimeRefresh+2729Ew
_ExpAltTimeZoneBias dd ?		; DATA XREF: Phase1InitializationDiscard(x)+42Dr
					; INIT:00AF3578o
_ExpTotalTraceBuffers db    ? ;		; DATA XREF: ExDereferenceHandleDebugInfo(x,x)+39o
					; ExEnableHandleTracing(x,x)+4Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
_HandleTableListHead dd	?		; DATA XREF: ExDupHandleTable+1BBo
					; ExDupHandleTable+1C7o ...
dword_A94E74	dd ?			; DATA XREF: ExDupHandleTable+1B0r
					; ExDupHandleTable+1D2w ...
_HandleTableListLock dd	?		; DATA XREF: ExpRemoveHandleTable(x)+16o
					; ExDupHandleTable+19Co ...
_ExpFreeListCount dd ?			; DATA XREF: ExHandleTableQuery+1Ar
					; ExpAllocateHandleTableEntry(x,x):loc_7A657Er	...
dword_A94E80	dd ?			; DATA XREF: ExpInitLicensing(x)+Ao
					; ExpInitLicensing(x)+1Fw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ExpHostListLock dd ?			; CODE XREF: ExRegisterExtension+19Ap
					; ExRegisterExtension+1A6p
					; DATA XREF: ...
_ExpHostList	dd ?			; DATA XREF: ExRegisterHost+A2o
					; ExpFindHost(x,x)r ...
dword_A9AABC	dd ?			; DATA XREF: ExRegisterHost+9Dr
					; ExRegisterHost+B7w ...
_ExpWnfSubcriptionIdCounter dd ?	; DATA XREF: PAGE:loc_7A1758r
					; PAGE:007A1771o
dword_A9AAC4	dd ?			; DATA XREF: PAGE:007A175Fr
_ExpWnfWellKnownNameStoreRootKey db    ? ; ; DATA XREF:	ExpWnfGetNameStoreRegistryRoot+28o
		db    ?	;
		db    ?	;
		db    ?	;
_ExpWnfProcessesListLock db    ? ;	; DATA XREF: ExpWnfDeleteProcessContext+11Ao
					; ExpWnfCreateProcessContext+51o ...
		db    ?	;
		db    ?	;
		db    ?	;
_AdtpNullSid	db    ?	;		; DATA XREF: AdtpPackageParameters+2ADo
					; AdtpPackageParameters:loc_573046o ...
byte_A9AAD1	db ?			; DATA XREF: AdtpPackageParameters:loc_572F41r
		align 10h
_AdtpNullGuid	db    ?	;		; DATA XREF: AdtpPackageParameters+83FB5o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_AdtpNullLuid	db    ?	;		; DATA XREF: AdtpPackageParameters+2D2o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_DriveMappingArray dw ?			; DATA XREF: AdtpLookupDriveLetter(x,x,x)+6Er
		align 4
unk_A9AAFC	db    ?	;		; DATA XREF: AdtpLookupDriveLetter(x,x,x)+21o
					; AdtpInitializeDriveLetters+40o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_A9AC28	db    ?	;		; DATA XREF: AdtpLookupDriveLetter(x,x,x)+12o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void *dword_A9AC30
dword_A9AC30	dd ?			; DATA XREF: SeQueryHSTIResults+9BAC6r
					; BapdpProcessHSTIResults+14D2Bw
dword_A9AC34	dd ?			; DATA XREF: SeQueryHSTIResults+Cr
					; BapdpProcessHSTIResults+14D33w
PAGEDATA	ends

; Section 18. (virtual address 0069B000)
; Virtual size			: 0000C2B8 (  49848.)
; Section size in file		: 00000200 (	512.)
; Offset to raw	data for section: 0062E800
; Flags	C0000040: Data Readable	Writable
; Alignment	: default
; 

; Segment type:	Pure data
; Segment permissions: Read/Write
PAGEKDD		segment	para public 'DATA' use32
		assume cs:PAGEKDD
		;org 0A9B000h
_KdpBootedNodebug db 1			; DATA XREF: .data:006B1E78o
					; PAGE:0077FA4Fr ...
_KdpBreakpointInstruction db 0CCh ; 
		db    0
		db    0
_KdTransportMaxPacketSize dd 0FA0h	; DATA XREF: KdPowerTransitionEx(x,x):loc_617045r
					; EtwpSendTraceEvent(x,x)+5Dr ...
_KdpSearchCheckPoint db	0BAh ; 
		db 0DCh	; 
		db 0CDh	; 
		db 0ABh	; 
_TraceDataBufferPosition dd 1		; DATA XREF: KdpReportExceptionStateChange(x,x,x)+B1r
					; KdpReportExceptionStateChange(x,x,x)+C9w ...
; void *KdPrintCircularBuffer
_KdPrintCircularBuffer dd offset _KdPrintDefaultCircularBuffer
					; DATA XREF: KdSetDbgPrintBufferSize(x)+C4r
					; KdSetDbgPrintBufferSize(x)+16Aw ...
_KdPrintBufferSize dd 1000h		; DATA XREF: KdSetDbgPrintBufferSize(x)+B6r
					; KdSetDbgPrintBufferSize(x)+171w ...
_KdPrintWritePointer dd	offset _KdPrintDefaultCircularBuffer
					; DATA XREF: KdSetDbgPrintBufferSize(x)+D0r
					; KdSetDbgPrintBufferSize(x)+177w ...
		align 10h
_KdTimerStart	dd 0			; DATA XREF: KdRegisterDebuggerDataBlock+5A4w
					; KdEnterDebugger(x,x)+48r ...
dword_A9B024	dd 0			; DATA XREF: KdRegisterDebuggerDataBlock+59Ew
					; KdEnterDebugger(x,x)+54r ...
_KdPerformanceCounterRate db	0	; DATA XREF: KdInitSystem:loc_A4A28Do
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_KdpDebuggerStructuresInitialized db 0	; DATA XREF: KdRegisterDebuggerDataBlock:loc_A4A7EFr
					; KdRegisterDebuggerDataBlock+591w
_SymbolRecorded	db 0			; DATA XREF: KdpCheckTracePoint(x,x):loc_A4B996r
					; KdpCheckTracePoint(x,x)+89w ...
_InstrCountInternal db 0		; DATA XREF: KdSetSpecialCall(x,x)+34r
					; KdpCheckTracePoint(x,x):loc_A4B9BAr ...
_KdpControlCPressed db 0		; DATA XREF: sub_5FB8A3+C8w
					; KdpReport(x,x,x,x,x,x)+C3w
_KdPrintBufferAllocateSize dd 0		; DATA XREF: KdInitSystem+17Dw
					; KdRegisterDebuggerDataBlock+35Fw ...
_KdpPowerListHead dd 0			; DATA XREF: KdDeregisterPowerHandler(x)+1Fr
					; KdDeregisterPowerHandler(x)+2Ao ...
dword_A9B03C	dd 0			; DATA XREF: KdRegisterPowerHandler(x,x,x)+48r
					; KdRegisterPowerHandler(x,x,x)+6Aw ...
_KdpDebuggerDataListHead dd 0		; DATA XREF: KdInitSystem:loc_A4A099r
					; KdInitSystem+92o ...
dword_A9B044	dd 0			; DATA XREF: KdInitSystem+B3w
					; KdRegisterDebuggerDataBlock+3Fr ...
_KdpRemoteFiles	dd 0			; DATA XREF: KdpCloseRemoteFile(x)+42r
					; KdpCloseRemoteFile(x)+A5r ...
dword_A9B04C	dd 0			; DATA XREF: KdpCloseRemoteFile(x)+4Br
					; KdpCloseRemoteFile(x)+B1r ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
word_A9B0C6	dw 0			; DATA XREF: KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+109w
_KdpMessageBuffer db	0		; DATA XREF: KdpCloseRemoteFile(x)+79o
					; KdpCreateRemoteFile(x,x,x,x,x,x,x,x)+C1o ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KdpSearchPageHitIndex dd ?		; DATA XREF: KdpSearchPhysicalPage(x,x,x,x,x)+7Er
					; KdpSearchPhysicalPage(x,x,x,x,x)+8Ar	...
_KdpSearchStartPageFrame dd ?		; DATA XREF: KdpSearchPhysicalPageRange(x):loc_A4CC40r
					; KdpSearchPhysicalPageRange(x):loc_A4CC56r
_KdpSearchPageHitOffsets dd ?		; DATA XREF: KdpSearchPhysicalPage(x,x,x,x,x)+9Fw
					; KdpSearchPhysicalPage(x,x,x,x,x)+185w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_AA0000	db    ?	;		; DATA XREF: .text:00423E18o
					; IoGetDevicePropertyData+125C31o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_AA00A8	db    ?	;		; DATA XREF: CcUpdateDynamicRegistrySettings+83o
					; MmZeroPageFileAtShutdown()+17o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KdpSearchInProgress dd	?		; DATA XREF: KdpCheckLowMemory(x)+1Ar
					; KdpSearchPhysicalPage(x,x,x,x,x):loc_A4CB39r	...
_KdpSearchAddressRangeStart dd ?	; DATA XREF: KdpSearchPhysicalPageRange(x)+3Br
_KdpSearchEndPageFrame dd ?		; DATA XREF: KdpSearchPhysicalPageRange(x)+1Ar
					; KdpSearchPhysicalPageRange(x)+22w ...
_KdpSearchPfnValue dd ?			; DATA XREF: KdpSearchPhysicalPage(x,x,x,x,x)+29r
_KdpSearchAddressRangeEnd dd ?		; DATA XREF: KdpSearchPhysicalPageRange(x)+35r
_CallLevelChange dd ?			; DATA XREF: KdpCheckTracePoint(x,x)+194r
					; KdpCheckTracePoint(x,x)+1A7w	...
_oldpc		dd ?			; DATA XREF: KdpCheckTracePoint(x,x)+45Ew
					; PotentialNewSymbol(x)+Dr
_BreakpointsSuspended db ?		; DATA XREF: KdSetInternalBreakpoint(x):loc_A4B888r
					; KdpRestoreAllBreakpoints()+6w ...
_BreakPointTimerStarted	db ?		; DATA XREF: KdpProcessInternalBreakpoint(x)+Fr
					; KdpProcessInternalBreakpoint(x)+41w
_WatchStepOver	db ?			; DATA XREF: KdpCheckTracePoint(x,x)+1C2w
					; KdpCheckTracePoint(x,x)+211r	...
_WatchStepOverSuspended	db ?		; DATA XREF: KdpCheckTracePoint(x,x)+33r
					; KdpCheckTracePoint(x,x)+4Fw ...
_KdpSearchPageHits dd ?			; DATA XREF: KdpSearchPhysicalPage(x,x,x,x,x)+93w
					; KdpSearchPhysicalPage(x,x,x,x,x)+175w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db ?
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_WSOEsp		dd ?			; DATA XREF: KdpCheckTracePoint(x,x)+1F0w
					; KdpCheckTracePoint(x,x)+22Fr
_WSOThread	dd ?			; DATA XREF: KdpCheckTracePoint(x,x)+1E3w
					; KdpCheckTracePoint(x,x)+221r	...
_WatchStepOverBreakAddr	dd ?		; DATA XREF: KdpCheckTracePoint(x,x)+3Dr
					; KdpCheckTracePoint(x,x)+1D0w	...
_WatchStepOverHandle dd	?		; DATA XREF: KdpCheckTracePoint(x,x):loc_A4B980w
					; KdpCheckTracePoint(x,x)+249r	...
_InstructionsTraced dd ?		; DATA XREF: KdpCheckTracePoint(x,x)+12Aw
					; KdpCheckTracePoint(x,x)+19Aw	...
_NextTraceDataSym db ?			; DATA XREF: KdSetSpecialCall(x,x)+1Bw
					; PotentialNewSymbol(x):loc_A4D788r ...
_NumTraceDataSyms db ?			; DATA XREF: KdSetSpecialCall(x,x)+26w
					; PotentialNewSymbol(x)+95r ...
		align 4
_InternalBreakpointCheckDpc db	  ? ;	; DATA XREF: InternalBreakpointCheck(x,x,x,x)+7o
					; KdpProcessInternalBreakpoint(x)+1Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_InternalBreakpointTimer db    ? ;	; DATA XREF: InternalBreakpointCheck(x,x,x,x)+10o
					; KdpProcessInternalBreakpoint(x)+2Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_TraceDataBuffer dd ?			; DATA XREF: KdpReportExceptionStateChange(x,x,x)+9Ao
					; KdpReportExceptionStateChange(x,x,x)+B6w ...
dword_AA4154	dd ?			; DATA XREF: TraceDataRecordCallInfo(x,x,x)+54w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_TraceDataSyms	dd ?			; DATA XREF: PotentialNewSymbol(x)+43r
					; PotentialNewSymbol(x)+7Aw ...
dword_AA41F4	dd ?			; DATA XREF: PotentialNewSymbol(x)+51r
					; PotentialNewSymbol(x)+86w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IntBPsSkipping	dd ?			; DATA XREF: KdpCheckTracePoint(x,x)+C3w
					; KdpCheckTracePoint(x,x)+2D3w	...
_KdpCurrentSymbolStart dd ?		; DATA XREF: KdpIsTryFinallyReturn(x,x)+36r
					; KdpCheckTracePoint(x,x)+74r ...
_KdTimerDifference dd ?			; DATA XREF: PopAllocateHiberContext+A5818o
					; KdEnterDebugger(x,x)+5Aw
dword_AA49FC	dd ?			; DATA XREF: KdEnterDebugger(x,x)+5Fw
_KdpNextCallLevelChange	dd ?		; DATA XREF: KdSetSpecialCall(x,x)+2Bw
					; TraceDataRecordCallInfo(x,x,x)+1Er ...
_KdpCurrentSymbolEnd dd	?		; DATA XREF: KdpIsTryFinallyReturn(x,x)+3Er
					; KdpCheckTracePoint(x,x)+7Cr ...
_KdNumberOfSpecialCalls	dd ?		; DATA XREF: KdSetSpecialCall(x,x)+3r
					; KdSetSpecialCall(x,x)+20w ...
_KdpNumInternalBreakpoints dd ?		; DATA XREF: InternalBreakpointCheck(x,x,x,x)+1Ar
					; KdGetInternalBreakpoint(x)+1Dr ...
_KdSpecialCalls	dd ?			; DATA XREF: KdSetSpecialCall(x,x)+11w
					; KdpIsSpecialCall(x,x,x,x):loc_A4E9BDr
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_InitialSP	dd ?			; DATA XREF: KdSetSpecialCall(x,x)+42w
					; KdpCheckTracePoint(x,x)+125w	...
_KdPrintTruncatedCount dd ?		; DATA XREF: KdLogDbgPrint(x)+73w
_KdPrintBufferChanges dd ?		; DATA XREF: KdSetDbgPrintBufferSize(x)+161w
_KdPrintSkippedCount dd	?		; DATA XREF: KdLogDbgPrint(x)+1Aw
_KdpBreakpointTable db	  ? ;		; DATA XREF: KdpAddBreakpoint(x,x,x,x,x)+72o
					; KdpAddBreakpoint(x,x,x,x,x)+AEo ...
		db    ?	;
		db    ?	;
		db    ?	;
unk_AA4A4C	db    ?	;		; DATA XREF: KdpSetOwedBreakpoints(x)+3Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_AA4A60	dd ?			; DATA XREF: KdpDeleteBreakpoint(x)+12r
					; KdpDeleteBreakpoint(x)+22w ...
		db    ?	;
unk_AA4A65	db    ?	;		; DATA XREF: KdpSetOwedBreakpoints(x)+AAo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
byte_AA4E47	db ?			; DATA XREF: KdpReportLoadSymbolsStateChange(x,x,x,x)+CBw
_KdpPathBuffer	db    ?	;		; DATA XREF: KdpReportLoadSymbolsStateChange(x,x,x,x)+A8o
					; KdpReportLoadSymbolsStateChange(x,x,x,x)+C3o
		db    ?	;
		db    ?	;
		db    ?	;
unk_AA4E4C	db    ?	;		; DATA XREF: KdpSetOwedBreakpoints(x)+85o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_AA4E65	db    ?	;		; DATA XREF: KdpSetOwedBreakpoints(x)+11Co
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KdpBreakpointChangeCount dd ?		; DATA XREF: KdpAddBreakpoint(x,x,x,x,x):loc_A4E142w
					; KdpDeleteBreakpoint(x)+29w ...
_KdPrintRolloverCount dd ?		; DATA XREF: KdSetDbgPrintBufferSize(x)+DFw
					; KdSetDbgPrintBufferSize(x)+EDr ...
_KdTimerStop	dd ?			; DATA XREF: KdEnterDebugger(x,x):loc_A4B33Aw
					; KdEnterDebugger(x,x):loc_A4B35Ew ...
dword_AA5E54	dd ?			; DATA XREF: KdEnterDebugger(x,x)+4Ew
					; KdEnterDebugger(x,x)+6Ew ...
_KdpInternalBPs	db    ?	;		; DATA XREF: KdGetInternalBreakpoint(x)+27o
					; KdGetInternalBreakpoint(x)+4Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_AA5E60	dd ?			; DATA XREF: KdSetInternalBreakpoint(x)+50o
					; KdpCheckTracePoint(x,x)+BAr ...
dword_AA5E64	dd ?			; DATA XREF: KdpCheckTracePoint(x,x)+36Dw
					; KdpProcessInternalBreakpoint(x):loc_A4C03Dw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_AA5E6C	db    ?	;		; DATA XREF: InternalBreakpointCheck(x,x,x,x)+24o
		db    ?	;
		db    ?	;
		db    ?	;
dword_AA5E70	dd ?			; DATA XREF: KdpCheckTracePoint(x,x)+373r
					; KdpCheckTracePoint(x,x)+380w
dword_AA5E74	dd ?			; DATA XREF: KdpCheckTracePoint(x,x):loc_A4BCB0r
					; KdpCheckTracePoint(x,x)+393w
dword_AA5E78	dd ?			; DATA XREF: KdpCheckTracePoint(x,x):loc_A4BCC3w
dword_AA5E7C	dd ?			; DATA XREF: KdpCheckTracePoint(x,x)+ECr
					; KdpCheckTracePoint(x,x)+3BAr
dword_AA5E80	dd ?			; DATA XREF: KdpCheckTracePoint(x,x)+D8w
					; KdpCheckTracePoint(x,x)+2D9w	...
		align 8
dword_AA5E88	dd ?			; DATA XREF: KdpCheckTracePoint(x,x):loc_A4BA2Dr
					; KdpCheckTracePoint(x,x)+309w
dword_AA5E8C	dd ?			; DATA XREF: KdpCheckTracePoint(x,x)+302w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_KdPrintDefaultCircularBuffer db    ? ;	; DATA XREF: KdSetDbgPrintBufferSize(x):loc_617547o
					; KdSetDbgPrintBufferSize(x)+19Bo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
PAGEKDD		ends

; Section 19. (virtual address 006A8000)
; Virtual size			: 0000A660 (  42592.)
; Section size in file		: 00004600 (  17920.)
; Offset to raw	data for section: 0062EA00
; Flags	C0000040: Data Readable	Writable
; Alignment	: default
; 

; Segment type:	Pure data
; Segment permissions: Read/Write
PAGEVRFD	segment	para public 'DATA' use32
		assume cs:PAGEVRFD
		;org 0AA8000h
_ViUtilsForXDV	dd offset _VfUtilCaptureViolationKernelStack@8
					; DATA XREF: ViXdvSetXdvKernelUtilities(x):loc_677976o
					; VfUtilCaptureViolationKernelStack(x,x)
		dd offset _VfUtilGetDriverName@4 ; VfUtilGetDriverName(x)
		dd offset _VfUtilGetSigningLevel@4 ; VfUtilGetSigningLevel(x)
		dd offset _VfUtilIsBootDriver@4	; VfUtilIsBootDriver(x)
		dd offset _VfUtilGetOriginalDriverInitCallback@8 ; VfUtilGetOriginalDriverInitCallback(x,x)
		dd offset _VfUtilGetOriginalStartIoCallback@8 ;	VfUtilGetOriginalStartIoCallback(x,x)
		dd offset _VfUtilGetOriginalDriverUnloadCallback@4 ; VfUtilGetOriginalDriverUnloadCallback(x)
		dd offset _VfUtilGetOriginalAddDeviceCallback@8	; VfUtilGetOriginalAddDeviceCallback(x,x)
		dd offset _VfUtilGetOriginalIrpMajorCallback@8 ; VfUtilGetOriginalIrpMajorCallback(x,x)
_ViUtilsForDIF	dd offset _VfUtilFillPluginRequestedData@4
					; DATA XREF: ViXdvSetRequestedAPIsforDIF(x)o
					; VfUtilFillPluginRequestedData(x)
		dd offset _VfUtilGetAvailableSystemPages@4 ; VfUtilGetAvailableSystemPages(x)
		dd offset _VfIsRuleClassEnabled@4 ; VfIsRuleClassEnabled(x)
		dd offset _VfUtilUpdateSpecialPoolSetting@4 ; VfUtilUpdateSpecialPoolSetting(x)
		dd offset _VfUtilIsSpecialPoolAddress@4	; VfUtilIsSpecialPoolAddress(x)
		dd offset _VfRandomGetNumber@8 ; VfRandomGetNumber(x,x)
		dd offset _VfUtilGetSPAllocSizeLimit@0 ; VfUtilGetSPAllocSizeLimit()
		dd offset _VfUtilGetDifPluginDriverData@4 ; VfUtilGetDifPluginDriverData(x)
_ViCiDefaultActions dd 4		; DATA XREF: VfDisableCodeIntegrityBreaks()+9o
					; ViCiPreprocessOptions(x,x,x,x,x,x)+1Br
		db    4
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
_ViMemoryFillSize db	0
		db    1
		db    0
		db    0
_VfKeCriticalRegionTracesLength	dd 80h	; DATA XREF: ViKeLogCriticalRegionStackTrace()+16r
					; VfKeCheckForChanges(x)+83r
_ViTrackIrqlQueueLength	dd 100h		; DATA XREF: PopMarkComponentsBootPhase+86D8r
					; VfKeCheckForChanges(x):loc_A67216r ...
_ViFaultTracesLength dd	80h		; DATA XREF: ViFaultsTracesInitialize()r
					; ViFaultsTracesInitialize()+10w ...
_ViHandleBreaksEnabled dd 1		; DATA XREF: VfCheckUserHandle(x):loc_A662C7r
_ViLegacyDmaOperations dd 9Ch		; DATA XREF: ViGetRealDmaOperation(x,x)+53r
		align 8
		dd offset _HalAllocateCommonBuffer@16 ;	HalAllocateCommonBuffer(x,x,x,x)
		dd offset _HalFreeCommonBuffer@24 ; HalFreeCommonBuffer(x,x,x,x,x,x)
		dd offset _IoAllocateAdapterChannel@20 ; IoAllocateAdapterChannel(x,x,x,x,x)
		dd offset _IoFlushAdapterBuffers@24 ; IoFlushAdapterBuffers(x,x,x,x,x,x)
		dd offset _IoFreeAdapterChannel@4 ; IoFreeAdapterChannel(x)
		dd offset _IoFreeMapRegisters@12 ; IoFreeMapRegisters(x,x,x)
		dd offset _IoMapTransfer@24 ; IoMapTransfer(x,x,x,x,x,x)
		align 8
		dd offset _HalReadDmaCounter@4 ; HalReadDmaCounter(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_ViDoubleBufferDma dd 1			; DATA XREF: ViHalApplySettings():loc_A60797w
_ViDmaOperations db  9Ch ; 		; DATA XREF: VfNotifyOfHibernate(x)+4Co
					; ViHookDmaAdapter(x,x,x,x)+E1o
		db    0
		db    0
		db    0
		dd offset _VfPutDmaAdapter@4 ; VfPutDmaAdapter(x)
		dd offset _VfAllocateCommonBuffer@16 ; VfAllocateCommonBuffer(x,x,x,x)
		dd offset _VfFreeCommonBuffer@24 ; VfFreeCommonBuffer(x,x,x,x,x,x)
		dd offset _VfAllocateAdapterChannel@20 ; VfAllocateAdapterChannel(x,x,x,x,x)
		dd offset _VfFlushAdapterBuffers@24 ; VfFlushAdapterBuffers(x,x,x,x,x,x)
		dd offset _VfFreeAdapterChannel@4 ; VfFreeAdapterChannel(x)
		dd offset _VfFreeMapRegisters@12 ; VfFreeMapRegisters(x,x,x)
		dd offset _VfMapTransfer@24 ; VfMapTransfer(x,x,x,x,x,x)
		dd offset _VfGetDmaAlignment@4 ; VfGetDmaAlignment(x)
		dd offset _VfReadDmaCounter@4 ;	VfReadDmaCounter(x)
		dd offset _VfGetScatterGatherList@32 ; VfGetScatterGatherList(x,x,x,x,x,x,x,x)
		dd offset _VfPutScatterGatherList@12 ; VfPutScatterGatherList(x,x,x)
		dd offset _VfCalculateScatterGatherListSize@24 ; VfCalculateScatterGatherListSize(x,x,x,x,x,x)
		dd offset _VfBuildScatterGatherList@40 ; VfBuildScatterGatherList(x,x,x,x,x,x,x,x,x,x)
		dd offset _VfBuildMdlFromScatterGatherList@16 ;	VfBuildMdlFromScatterGatherList(x,x,x,x)
		dd offset _VfGetDmaAdapterInfo@8 ; VfGetDmaAdapterInfo(x,x)
		dd offset _VfGetDmaTransferInfo@28 ; VfGetDmaTransferInfo(x,x,x,x,x,x,x)
		dd offset _VfInitializeDmaTransferContext@8 ; VfInitializeDmaTransferContext(x,x)
		dd offset _VfAllocateCommonBufferEx@24 ; VfAllocateCommonBufferEx(x,x,x,x,x,x)
		dd offset _VfAllocateAdapterChannelEx@32 ; VfAllocateAdapterChannelEx(x,x,x,x,x,x,x,x)
		dd offset _VfConfigureAdapterChannel@12	; VfConfigureAdapterChannel(x,x,x)
		dd offset _VfCancelAdapterChannel@12 ; VfCancelAdapterChannel(x,x,x)
		dd offset _VfMapTransferEx@48 ;	VfMapTransferEx(x,x,x,x,x,x,x,x,x,x,x,x)
		dd offset _VfGetScatterGatherListEx@56 ; VfGetScatterGatherListEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		dd offset _VfBuildScatterGatherListEx@64 ; VfBuildScatterGatherListEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		dd offset _VfFlushAdapterBuffersEx@28 ;	VfFlushAdapterBuffersEx(x,x,x,x,x,x,x)
		dd offset _VfFreeAdapterObject@8 ; VfFreeAdapterObject(x,x)
		dd offset _VfCancelMappedTransfer@8 ; VfCancelMappedTransfer(x,x)
		dd offset _VfAllocateDomainCommonBuffer@36 ; VfAllocateDomainCommonBuffer(x,x,x,x,x,x,x,x,x)
		dd offset _VfFlushDmaBuffer@12 ; VfFlushDmaBuffer(x,x,x)
		dd offset _VfJoinDmaDomain@8 ; VfJoinDmaDomain(x,x)
		dd offset _VfLeaveDmaDomain@4 ;	VfLeaveDmaDomain(x)
		dd offset _VfGetDmaDomain@4 ; VfGetDmaDomain(x)
		dd offset _VfAllocateCommonBufferWithBounds@32 ; VfAllocateCommonBufferWithBounds(x,x,x,x,x,x,x,x)
		dd offset _VfAllocateCommonBufferVector@48 ; VfAllocateCommonBufferVector(x,x,x,x,x,x,x,x,x,x,x,x)
		dd offset _VfGetCommonBufferFromVectorByIndex@20 ; VfGetCommonBufferFromVectorByIndex(x,x,x,x,x)
		dd offset _VfFreeCommonBufferFromVector@12 ; VfFreeCommonBufferFromVector(x,x,x)
		dd offset _VfFreeCommonBufferVector@8 ;	VfFreeCommonBufferVector(x,x)
_ViProtectBuffers db	1
		db    0
		db    0
		db    0
_ViDeadlockAgeWindow db	   0
		db  20h
		db    0
		db    0
_ViDeadlockTrimThreshold db    0
		db    1
		db    0
		db    0
_ViWdBreaksEnabled dd 1			; DATA XREF: ViWdIrpTimedOut(x)+2r
_VfBTSProcessorFamily dd 0		; DATA XREF: VfStartBranchTracing()+34r
					; ViIsBTSSupported()+A5w
_ViLoadedDriversCount dd 0FFFFFFFFh	; DATA XREF: VfInitPickCurrentRandomTarget()+Dr
					; VfInitPickCurrentRandomTarget()+1Bw ...
_VfPoolTracesLength dd 10000h		; DATA XREF: VfPoolInitPhase0():loc_A6A44Dr
					; VfPoolInitPhase0():loc_A6A47Dw ...
_ViVerifyTriageRulesSize dd 1000h	; DATA XREF: VfTriageSystem:loc_AE6FC9r
					; VfTriageSystem:loc_AE7004r ...
_VfIoDisabled	dd 1			; DATA XREF: IovAllocateIrp(x,x,x,x)+30r
					; IovAttachDeviceToDeviceStack(x,x)r ...
_pXdvIoAllocateMdl dd offset _XdvIoAllocateMdl@28
					; DATA XREF: VerifierIoAllocateMdl(x,x,x,x,x)+3Br
					; VerifierPortIoAllocateMdl(x,x,x,x,x,x)+42r ...
					; XdvIoAllocateMdl(x,x,x,x,x,x,x)
_pXdvExAllocatePoolWithTagPriority dd offset _XdvExAllocatePoolInternal@24
					; DATA XREF: VerifierExAllocatePoolEx(x,x,x,x)+57r
					; VerifierExAllocatePoolWithQuota(x,x)+D8r ...
					; XdvExAllocatePoolInternal(x,x,x,x,x,x)
_pXdvIoAllocateWorkItem	dd offset _XdvIoAllocateWorkItem@12
					; DATA XREF: VerifierIoAllocateWorkItem(x)+10r
					; VerifierPortIoAllocateWorkItem(x,x)+10r ...
					; XdvIoAllocateWorkItem(x,x,x)
_pXdvExAllocatePool dd offset _XdvExAllocatePoolInternal@24
					; DATA XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+18Br
					; PAGEVRFD:00AAAB58o
					; XdvExAllocatePoolInternal(x,x,x,x,x,x)
_pXdvExAllocatePool2 dd	offset _XdvExAllocatePoolInternal@24
					; DATA XREF: VerifierExAllocatePool2(x,x,x,x)+C5r
					; PAGEVRFD:00AAAB70o
					; XdvExAllocatePoolInternal(x,x,x,x,x,x)
_pXdvExAllocatePool3 dd	offset _XdvExAllocatePoolInternal@24
					; DATA XREF: VerifierExAllocatePool3(x,x,x,x,x,x)+CBr
					; PAGEVRFD:00AAAB88o
					; XdvExAllocatePoolInternal(x,x,x,x,x,x)
_pXdvExAllocatePoolWithQuota dd	offset _XdvExAllocatePoolInternal@24
					; DATA XREF: PAGEVRFD:00AAABA0o
					; XdvExAllocatePoolInternal(x,x,x,x,x,x)
_pXdvExAllocatePoolWithQuotaTag	dd offset _XdvExAllocatePoolInternal@24
					; DATA XREF: VerifierExAllocatePoolWithQuotaTag(x,x,x)+D0r
					; PAGEVRFD:00AAABB8o
					; XdvExAllocatePoolInternal(x,x,x,x,x,x)
_pXdvExAllocatePoolWithTag dd offset _XdvExAllocatePoolInternal@24
					; DATA XREF: VerifierExAllocatePoolWithTag(x,x,x)+7Cr
					; PAGEVRFD:00AAABD0o
					; XdvExAllocatePoolInternal(x,x,x,x,x,x)
_pXdvExInitializeLookasideListEx dd offset _XdvExInitializeLookasideListExInternal@40
					; DATA XREF: VerifierExInitializeLookasideListEx(x,x,x,x,x,x,x,x)+70r
					; PAGEVRFD:00AAAE28o
					; XdvExInitializeLookasideListExInternal(x,x,x,x,x,x,x,x,x,x)
_pXdvExInitializePagedLookasideList dd offset _XdvExInitializeNPagedLookasideListInternal@36
					; DATA XREF: VerifierExInitializePagedLookasideList(x,x,x,x,x,x,x)+68r
					; PAGEVRFD:00AAADC8o
					; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
_pXdvExInitializeNPagedLookasideList dd	offset _XdvExInitializeNPagedLookasideListInternal@36
					; DATA XREF: VfLookasideInitializeInternalNPagedList(x,x,x,x,x,x,x)+23r
					; VfInitVerifierComponents(x,x,x)+B7r ...
					; XdvExInitializeNPagedLookasideListInternal(x,x,x,x,x,x,x,x,x)
_pXdvZwSetInformationKey dd 0		; DATA XREF: VerifierZwSetInformationKey(x,x,x,x)+6r
					; PAGEVRFD:00AAAA38o
_pXdvZwFlushBuffersFileEx dd 0		; DATA XREF: VerifierZwFlushBuffersFileEx(x,x,x,x,x)+6r
					; PAGEVRFD:00AAA8B8o
_pXdvRtlCreateRegistryKey dd 0		; DATA XREF: VerifierRtlCreateRegistryKey(x,x)+6r
					; PAGEVRFD:00AAA5B8o
_pXdvRtlCreateSystemVolumeInformationFolder dd 0
					; DATA XREF: VerifierRtlCreateSystemVolumeInformationFolder(x)+6r
					; PAGEVRFD:00AAA5D0o
_pXdvRtlWriteRegistryValue dd 0		; DATA XREF: VerifierRtlWriteRegistryValue(x,x,x,x,x,x)+6r
					; PAGEVRFD:00AAA5A0o
_pXdvPoCallDriver dd 1			; DATA XREF: VerifierPoCallDriver(x,x)+5r
					; VerifierPoCallDriver(x,x)+1Cr ...
_pXdvKeQueryActiveProcessors dd	offset _KeQueryActiveProcessors@0
					; DATA XREF: VerifierKeQueryActiveProcessors()r
					; PAGEVRFD:00AA9D48o
					; KeQueryActiveProcessors()
_pXdvKeRevertToUserAffinityThreadEx dd offset _KeRevertToUserAffinityThreadEx@4
					; DATA XREF: VerifierKeRevertToUserAffinityThreadEx(x)r
					; PAGEVRFD:00AA9D60o
					; KeRevertToUserAffinityThreadEx(x)
_pXdvKeSetSystemAffinityThread dd offset _KeSetSystemAffinityThread@4
					; DATA XREF: VerifierKeSetSystemAffinityThread(x)r
					; PAGEVRFD:00AA9D78o
					; KeSetSystemAffinityThread(x)
_pXdvKeSaveFloatingPointState dd offset	_KeSaveFloatingPointState@4
					; DATA XREF: VerifierKeSaveFloatingPointState(x)+6r
					; PAGEVRFD:00AA9F40o
					; KeSaveFloatingPointState(x)
_pXdvIoGetDriverDirectory dd 0		; DATA XREF: VerifierIoGetDriverDirectory(x,x,x,x)+6r
					; PAGEVRFD:00AA96E8o
_pXdvIoGetDeviceDirectory dd 0		; DATA XREF: VerifierIoGetDeviceDirectory(x,x,x,x,x)+6r
					; PAGEVRFD:00AA96D0o
_pXdvHalGetInterruptVector dd offset _HalGetInterruptVector@24
					; DATA XREF: VerifierHalGetInterruptVector(x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA9460o
					; HalGetInterruptVector(x,x,x,x,x,x)
_pXdvInterlockedPopEntrySList dd offset	@ExInterlockedPopEntrySList@8
					; DATA XREF: VerifierInterlockedPopEntrySList(x)r
					; PAGEVRFD:00AA9478o
					; ExInterlockedPopEntrySList(x,x)
_pXdvInterlockedPushEntrySList dd offset @InterlockedPushEntrySList@8
					; DATA XREF: VerifierInterlockedPushEntrySList(x,x)r
					; PAGEVRFD:00AA9490o
					; InterlockedPushEntrySList(x,x)
_pXdvIoCreateFileEx dd 0		; DATA XREF: VerifierIoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA9598o
_pXdvIoCreateFileSpecifyDeviceObjectHint dd 0
					; DATA XREF: VerifierIoCreateFileSpecifyDeviceObjectHint(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA95B0o
_pXdvExfInterlockedRemoveHeadList dd offset @ExfInterlockedRemoveHeadList@8
					; DATA XREF: VerifierExfInterlockedRemoveHeadList(x,x)r
					; PAGEVRFD:00AA8E60o ...
					; ExfInterlockedRemoveHeadList(x,x)
_pXdvExfInterlockedPopEntryList	dd offset @ExfInterlockedPopEntryList@8
					; DATA XREF: VerifierExfInterlockedPopEntryList(x,x)r
					; PAGEVRFD:00AA8E30o ...
					; ExfInterlockedPopEntryList(x,x)
_pXdvExfInterlockedPushEntryList dd offset @ExfInterlockedPushEntryList@12
					; DATA XREF: VerifierExfInterlockedPushEntryList(x,x,x)+6r
					; PAGEVRFD:00AA8E48o ...
					; ExfInterlockedPushEntryList(x,x,x)
_pXdvExfInterlockedCompareExchange64 dd	offset @ExfInterlockedCompareExchange64@12
					; DATA XREF: VerifierExfInterlockedCompareExchange64(x,x,x)+6r
					; PAGEVRFD:00AA8DE8o
					; ExfInterlockedCompareExchange64(x,x,x)
_pXdvExfInterlockedInsertHeadList dd offset @ExfInterlockedInsertHeadList@12
					; DATA XREF: VerifierExfInterlockedInsertHeadList(x,x,x)+6r
					; PAGEVRFD:00AA8E00o ...
					; ExfInterlockedInsertHeadList(x,x,x)
_pXdvExfInterlockedInsertTailList dd offset @ExfInterlockedInsertTailList@12
					; DATA XREF: VerifierExfInterlockedInsertTailList(x,x,x)+6r
					; PAGEVRFD:00AA8E18o ...
					; ExfInterlockedInsertTailList(x,x,x)
_pXdvCcCopyWrite dd 0			; DATA XREF: VerifierCcCopyWrite(x,x,x,x,x)+6r
					; PAGEVRFD:00AA8C68o
_pXdvCcCopyWriteEx dd 0			; DATA XREF: VerifierCcCopyWriteEx(x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA8C80o
_pXdvCcDeferWrite dd 0			; DATA XREF: VerifierCcDeferWrite(x,x,x,x,x,x)r
					; PAGEVRFD:00AA8C98o
_pXdvCcFastCopyWrite dd	0		; DATA XREF: VerifierCcFastCopyWrite(x,x,x,x)r
					; PAGEVRFD:00AA8CB0o
_pXdvIopBuildSynchronousFsdRequest dd offset _XdvIoBuildSynchronousFsdRequest@36 ; XdvIoBuildSynchronousFsdRequest(x,x,x,x,x,x,x,x,x)
_pXdvIoBuildDeviceIoControlRequest dd offset _XdvIoBuildDeviceIoControlRequest@44
					; DATA XREF: IovBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)+33r
					; PAGEVRFD:00AAB518o
					; XdvIoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x,x,x)
_pXdvIoAllocateIrp dd offset _XdvIoAllocateIrp@20 ; DATA XREF: IovAllocateIrp(x,x,x,x)+81r
					; VerifierIoAllocateIrp(x,x)+73r ...
					; XdvIoAllocateIrp(x,x,x,x,x)
_pXdvIopBuildAsynchronousFsdRequest dd offset _XdvIopBuildAsynchronousFsdRequest@32 ; XdvIopBuildAsynchronousFsdRequest(x,x,x,x,x,x,x,x)
_pXdvHalGetAdapter dd offset _HalGetAdapter@8 ;	DATA XREF: VfLegacyGetAdapter(x,x)+86r
					; PAGEVRFD:00AAB590o
					; HalGetAdapter(x,x)
_pXdvKefReleaseSpinLockFromDpcLevel dd offset @KefReleaseSpinLockFromDpcLevel@4
					; DATA XREF: VerifierKeReleaseSpinLockFromDpcLevel(x)+60r
					; VerifierKeReleaseSpinLockFromDpcLevelNoReboot(x)+45r	...
					; KefReleaseSpinLockFromDpcLevel(x)
_pXdvKfAcquireSpinLock dd offset @KfAcquireSpinLock@4
					; DATA XREF: ViKeAcquireSpinLockCommon(x,x,x)+3Er
					; ViKfAcquireSpinLockCommon(x,x)+43r ...
					; KfAcquireSpinLock(x)
_pXdvKfReleaseSpinLock dd offset KfReleaseSpinLock
					; DATA XREF: VerifierKfReleaseSpinLock(x,x)+32r
					; VerifierPortKeReleaseSpinLock(x,x,x)+1Ar ...
_pXdvKeInitializeSpinLock dd offset _KzInitializeSpinLock@4 ; KzInitializeSpinLock(x)
_pXdvKefAcquireSpinLockAtDpcLevel dd offset _KxAcquireSpinLock@4
					; DATA XREF: ViKeAcquireSpinLockAtDpcLevelCommon(x,x)+63r
					; PAGEVRFD:00AA8718o
					; KxAcquireSpinLock(x)
_pXdvZwModifyBootEntry dd 1		; DATA XREF: VfZwModifyBootEntry(x)+1Ar
					; PAGEVRFD:00AABB18o
_pXdvmemcpy	dd offset _memcpy	; DATA XREF: _Verifiermemcpy+3Dr
					; PAGEVRFD:00AAB7B8o
_pXdvKfLowerIrql dd offset @KfLowerIrql@4 ; DATA XREF: VerifierKfLowerIrql(x)+4r
					; PAGEVRFD:00AAB320o
					; KfLowerIrql(x)
_pXdvIoFlushAdapterBuffers dd offset _IoFlushAdapterBuffers@24
					; DATA XREF: PAGEVRFD:00AAAE88o
					; IoFlushAdapterBuffers(x,x,x,x,x,x)
_pXdvHalAllocateCommonBuffer dd	offset _HalAllocateCommonBuffer@16
					; DATA XREF: PAGEVRFD:00AAAEA0o
					; HalAllocateCommonBuffer(x,x,x,x)
_pXdvHalFreeCommonBuffer dd offset _HalFreeCommonBuffer@24 ; DATA XREF:	PAGEVRFD:00AAAEB8o
					; HalFreeCommonBuffer(x,x,x,x,x,x)
_pXdvIoAllocateAdapterChannel dd offset	_IoAllocateAdapterChannel@20
					; DATA XREF: PAGEVRFD:00AAAED0o
					; IoAllocateAdapterChannel(x,x,x,x,x)
_pXdvIoMapTransfer dd offset _IoMapTransfer@24 ; DATA XREF: PAGEVRFD:00AAAE70o
					; IoMapTransfer(x,x,x,x,x,x)
_pXdvIoFreeAdapterChannel dd offset _IoFreeAdapterChannel@4 ; DATA XREF: PAGEVRFD:00AAAEE8o
					; IoFreeAdapterChannel(x)
_pXdvIoFreeMapRegisters	dd offset _IoFreeMapRegisters@12 ; DATA	XREF: PAGEVRFD:00AAAF00o
					; IoFreeMapRegisters(x,x,x)
		align 10h
_ViErrorDescriptions dd	201h		; DATA XREF: ViErrorDisableBreak(x):loc_A65076r
					; ViErrorDisplayDescription(x):loc_A650ADr ...
byte_AA82C4	db 0			; DATA XREF: ViErrorDisableBreak(x)+1Eo
					; ViErrorIsBreakDisabled(x)+22r
		align 4
off_AA82C8	dd offset ??_C@_0NO@HIIMOMJF@A?5device?5is?5deleting?5itself?5whi@GHGBBCHJ@
					; DATA XREF: ViErrorDisplayDescription(x)+2Cr
		db    2
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0JM@HCHJENOP@Driver?5has?5attempted?5to?5detach?5@GHGBBCHJ@
		db    3
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_A510D7+1
		db    4
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0CN@NJIDPCJN@Caller?5has?5passed?5in?5NULL?5as?5a?5@GHGBBCHJ@
		db    5
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0JG@OMGDOMDM@Caller?5is?5forwarding?5an?5IRP?5tha@GHGBBCHJ@
		db    7
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0JI@KJDDBKCF@Caller?5has?5manually?5copied?5the?5@GHGBBCHJ@
		db    8
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0GJ@CBLDFCND@This?5IRP?5is?5about?5to?5run?5out?5of@GHGBBCHJ@
		db    9
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0JG@HCCABFLA@Caller?5is?5completing?5an?5IRP?5tha@GHGBBCHJ@
		db  0Bh
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0DM@NPFEJNDC@Caller?5of?5IoFreeIrp?5is?5freeing?5@GHGBBCHJ@
		db  0Ch
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0EI@FAPBLNMK@Caller?5of?5IoFreeIrp?5is?5freeing?5@GHGBBCHJ@
		db  0Dh
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0NK@IACMPAPC@Caller?5of?5IoInitializeIrp?5has?5p@GHGBBCHJ@
		db  0Eh
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0EC@KEEIEOFO@Any?5PNP?5IRP?5must?5have?5status?5in@GHGBBCHJ@
		db  0Fh
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0EE@FEPECPDC@Any?5Power?5IRP?5must?5have?5status?5@GHGBBCHJ@
		db  10h
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0EC@KHGHABEE@Any?5WMI?5IRP?5must?5have?5status?5in@GHGBBCHJ@
		db  11h
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0LK@FDCFOCJA@Caller?5has?5forwarded?5an?5Irp?5whi@GHGBBCHJ@
		db  12h
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0DL@FGNPLCIG@Caller?5has?5trashed?5or?5has?5not?5p@GHGBBCHJ@
		db  13h
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0EG@GLGNNGEN@Caller?5has?5changed?5the?5status?5f@GHGBBCHJ@
		db  14h
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0EL@EIMEGHKG@Caller?5has?5changed?5the?5informat@GHGBBCHJ@
		db  15h
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0IB@PJMEMPIA@Non?9successful?5non?9STATUS_NOT_S@GHGBBCHJ@
		db  16h
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0LA@FLFOPMBH@Previously?5set?5IRP_MJ_PNP?5statu@GHGBBCHJ@
		db  17h
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0IG@IOKDIEAF@The?5driver?5has?5not?5handled?5a?5re@GHGBBCHJ@
		db  18h
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0GN@LKFBHJBE@The?5driver?5has?5responded?5to?5an?5@GHGBBCHJ@
		db  19h
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0IF@NPBIADHN@Non?9successful?5non?9STATUS_NOT_S@GHGBBCHJ@
		db  1Ah
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0LE@MAMIKHOC@Previously?5set?5IRP_MJ_POWER?5sta@GHGBBCHJ@
		db  1Dh
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0GH@OGPGLNOD@An?5IRP?5dispatch?5handler?5has?5not@GHGBBCHJ@
		db  1Fh
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0FF@GJLNIOPM@This?5driver?5has?5not?5filled?5out?5@GHGBBCHJ@
		db  20h
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0KD@FCHOPAD@IRP_MJ_SYSTEM_CONTROL?5has?5been?5@GHGBBCHJ@
		db  21h	; !
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0IP@KANHJCGE@An?5IRP?5dispatch?5handler?5for?5a?5P@GHGBBCHJ@
		db  23h	; #
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0JM@MCIEPMAO@An?5IRP?5dispatch?5handler?5for?5a?5b@GHGBBCHJ@
		db  24h	; $
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0GJ@CHFCEDME@An?5IRP?5dispatch?5handler?5has?5ret@GHGBBCHJ@
		db  25h	; %
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0IH@LNPJCCI@An?5IRP?5dispatch?5handler?5has?5ret@GHGBBCHJ@
		db  26h	; &
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0HN@KNMBPLEM@An?5IRP?5dispatch?5handler?5has?5ret@GHGBBCHJ@
		db  27h	; '
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0EJ@JIGELGGO@IRP?5completion?5routines?5must?5be@GHGBBCHJ@
		db  28h	; (
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0MO@FJJAIIEL@A?5driver?8s?5completion?5routine?5h@GHGBBCHJ@
		db  2Ah	; *
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0CJ@JBAABAAL@PDO?5has?5not?5responded?5to?5a?5requ@GHGBBCHJ@
		db  2Bh	; +
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0GI@OCOIHPDH@PDO?5has?5forgotten?5to?5fill?5out?5t@GHGBBCHJ@
		db  2Dh	; -
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0FD@KJGCMDHB@Caller?5has?5completed?5a?5IRP_MJ_P@GHGBBCHJ@
		db  2Eh	; .
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0EH@POJDIHLF@Caller?5has?5completed?5successful@GHGBBCHJ@
		db  2Fh	; /
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_A51DF6+2
		db  33h	; 3
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0HA@EJDHFGKM@The?5version?5field?5of?5the?5query?5@GHGBBCHJ@
		db  34h	; 4
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0GN@IGCBEFPO@The?5size?5field?5of?5the?5query?5cap@GHGBBCHJ@
		db  35h	; 5
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0HG@GIODMEEC@The?5address?5field?5of?5the?5query?5@GHGBBCHJ@
		db  36h	; 6
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0HI@ECOBHJPP@The?5UI?5Number?5field?5of?5the?5quer@GHGBBCHJ@
		db  3Bh	; ;
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0EG@GLGNNGEN@Caller?5has?5changed?5the?5status?5f@GHGBBCHJ@
		db  3Dh	; =
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0GG@OBKMPCPM@A?5driver?5has?5returned?5STATUS_PE@GHGBBCHJ@
		db  3Eh	; >
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0EF@NPONJEJK@A?5driver?5has?5marked?5an?5IRP?5pend@GHGBBCHJ@
		db  40h	; @
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0HD@DCFDNNOF@A?5driver?5is?5attempting?5to?5delet@GHGBBCHJ@
		db  41h	; A
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0EH@OPFCDOOB@A?5driver?5has?5detached?5it?8s?5devi@GHGBBCHJ@
		db  42h	; B
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0EG@HHAJHKPH@A?5driver?5has?5deleted?5it?8s?5devic@GHGBBCHJ@
		db  48h	; H
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0FC@GLNEHKBH@A?5driver?5has?5added?5a?5device?5obj@GHGBBCHJ@
		db  49h	; I
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0EN@NKFGKOMF@A?5driver?5has?5enumerated?5two?5chi@GHGBBCHJ@
		db  4Ah	; J
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_A52637+1
		db  4Bh	; K
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_A5243E+2
		db  4Ch	; L
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0GG@OBKMPCPM@A?5driver?5has?5returned?5STATUS_PE@GHGBBCHJ@
		db  4Dh	; M
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0FA@FLNPJEGA@A?5driver?5has?5passed?5an?5invalid?5@GHGBBCHJ@
		db    0
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_A52526+2
		db    1
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0DI@GGKLPOHH@A?5driver?5has?5forwarded?5an?5IRP?5a@GHGBBCHJ@
		db    2
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_A5286D+3
		db    6
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_A5280F+1
		db    7
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset loc_A52927+1
		db  10h
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0DK@HKDHJBHB@The?5driver?5is?5reinitializing?5an@GHGBBCHJ@
		db  11h
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0KO@HDNONPKD@The?5driver?5is?5reinitializing?5an@GHGBBCHJ@
		db  12h
		db    3
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset ??_C@_0IA@NIBJJKPO@The?5caller?5provided?5the?5IRP?5Sta@GHGBBCHJ@
		align 8
_VfOrderDependentThunks	dd offset ??_C@_0BG@CICIJADA@KeWaitForSingleObject@GHGBBCHJ@
					; DATA XREF: ViSetRequestedOrderDependentAPIs(x)+6r
					; ViSetRequestedOrderDependentAPIs(x)+Eo ...
		dd offset _VerifierKeWaitForSingleObject@20 ; VerifierKeWaitForSingleObject(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKeWaitForSingleObject
		dd offset _VerifierKeWaitForSingleObjectNoReboot@20 ; VerifierKeWaitForSingleObjectNoReboot(x,x,x,x,x)
		db  2Bh	; +
		db    1
		db    0
		db    0
		dd offset ??_C@_0BJ@LIMAPCOO@KeWaitForMultipleObjects@GHGBBCHJ@
		dd offset _VerifierKeWaitForMultipleObjects@32 ; VerifierKeWaitForMultipleObjects(x,x,x,x,x,x,x,x)
		align 10h
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKeWaitForMultipleObjects
		dd offset _VerifierKeWaitForMultipleObjectsNoReboot@32 ; VerifierKeWaitForMultipleObjectsNoReboot(x,x,x,x,x,x,x,x)
		db  2Ah	; *
		db    1
		db    0
		db    0
		dd offset loc_A540FF+1
		dd offset _VerifierKeInitializeMutex@8 ; VerifierKeInitializeMutex(x,x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKeInitializeMutex
		dd offset _VerifierKeInitializeMutexNoReboot@8 ; VerifierKeInitializeMutexNoReboot(x,x)
		db 0F4h	; 
		db    0
		db    0
		db    0
		dd offset loc_A5413F+1
		dd offset _VerifierKeInitializeMutant@8	; VerifierKeInitializeMutant(x,x)
		align 8
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKeInitializeMutant
		dd offset _VerifierKeInitializeMutantNoReboot@8	; VerifierKeInitializeMutantNoReboot(x,x)
		db 0F3h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0P@PPGAEJBD@KeReleaseMutex@GHGBBCHJ@
		dd offset _VerifierKeReleaseMutex@8 ; VerifierKeReleaseMutex(x,x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKeReleaseMutex
		dd offset _VerifierKeReleaseMutexNoReboot@8 ; VerifierKeReleaseMutexNoReboot(x,x)
		db  12h
		db    1
		db    0
		db    0
		dd offset ??_C@_0BA@FINLNFPA@KeReleaseMutant@GHGBBCHJ@
		dd offset _VerifierKeReleaseMutant@16 ;	VerifierKeReleaseMutant(x,x,x,x)
		align 10h
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKeReleaseMutant
		dd offset _VerifierKeReleaseMutantNoReboot@16 ;	VerifierKeReleaseMutantNoReboot(x,x,x,x)
		db  11h
		db    1
		db    0
		db    0
		dd offset ??_C@_0BJ@DJCIABGN@ExAcquireFastMutexUnsafe@GHGBBCHJ@
		dd offset @VerifierExAcquireFastMutexUnsafe@4 ;	VerifierExAcquireFastMutexUnsafe(x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExAcquireFastMutexUnsafe
		dd offset @VerifierExAcquireFastMutexUnsafeNoReboot@4 ;	VerifierExAcquireFastMutexUnsafeNoReboot(x)
		db  0Ch
		db    0
		db    0
		db    0
		dd offset ??_C@_0BJ@NJEOHIGC@ExReleaseFastMutexUnsafe@GHGBBCHJ@
		dd offset @VerifierExReleaseFastMutexUnsafe@4 ;	VerifierExReleaseFastMutexUnsafe(x)
		align 8
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExReleaseFastMutexUnsafe
		dd offset @VerifierExReleaseFastMutexUnsafeNoReboot@4 ;	VerifierExReleaseFastMutexUnsafeNoReboot(x)
		db  3Ah	; :
		db    0
		db    0
		db    0
		dd offset ??_C@_0BD@NOMNOIPH@ExAcquireFastMutex@GHGBBCHJ@
		dd offset @VerifierExAcquireFastMutex@4	; VerifierExAcquireFastMutex(x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExAcquireFastMutex
		dd offset @VerifierExAcquireFastMutexNoReboot@4	; VerifierExAcquireFastMutexNoReboot(x)
		db  0Bh
		db    0
		db    0
		db    0
		dd offset loc_A541CF+1
		dd offset @VerifierExTryToAcquireFastMutex@4 ; VerifierExTryToAcquireFastMutex(x)
		align 10h
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExTryToAcquireFastMutex
		dd offset @VerifierExTryToAcquireFastMutexNoReboot@4 ; VerifierExTryToAcquireFastMutexNoReboot(x)
		db  46h	; F
		db    0
		db    0
		db    0
		dd offset loc_A541BB+1
		dd offset @VerifierExReleaseFastMutex@4	; VerifierExReleaseFastMutex(x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExReleaseFastMutex
		dd offset @VerifierExReleaseFastMutexNoReboot@4	; VerifierExReleaseFastMutexNoReboot(x)
		db  39h	; 9
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@LCDPIJOI@KeInitializeSpinLock@GHGBBCHJ@
		dd offset _VerifierKeInitializeSpinLock@4 ; VerifierKeInitializeSpinLock(x)
		align 10h
		dd offset _VerifierKeInitializeSpinLockNoReboot@4 ; VerifierKeInitializeSpinLockNoReboot(x)
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BN@OIFLEHDD@KefAcquireSpinLockAtDpcLevel@GHGBBCHJ@
		dd offset @VerifierKeAcquireSpinLockAtDpcLevel@4 ; VerifierKeAcquireSpinLockAtDpcLevel(x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKefAcquireSpinLockAtDpcLevel
		dd offset @VerifierKeAcquireSpinLockAtDpcLevelNoReboot@4 ; VerifierKeAcquireSpinLockAtDpcLevelNoReboot(x)
		db  2Ch	; ,
		db    1
		db    0
		db    0
		dd offset ??_C@_0BP@DFAAOGKA@KefReleaseSpinLockFromDpcLevel@GHGBBCHJ@
		dd offset @VerifierKeReleaseSpinLockFromDpcLevel@4 ; VerifierKeReleaseSpinLockFromDpcLevel(x)
		align 10h
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKefReleaseSpinLockFromDpcLevel
		dd offset @VerifierKeReleaseSpinLockFromDpcLevelNoReboot@4 ; VerifierKeReleaseSpinLockFromDpcLevelNoReboot(x)
		db  2Dh	; -
		db    1
		db    0
		db    0
		dd offset ??_C@_0BC@NFHLGKEH@KfAcquireSpinLock@GHGBBCHJ@
		dd offset @VerifierKfAcquireSpinLock@4 ; VerifierKfAcquireSpinLock(x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKfAcquireSpinLock
		dd offset @VerifierKfAcquireSpinLockNoReboot@4 ; VerifierKfAcquireSpinLockNoReboot(x)
		db  2Eh	; .
		db    1
		db    0
		db    0
		dd offset ??_C@_0BC@JKKDHHAK@KfReleaseSpinLock@GHGBBCHJ@
		dd offset @VerifierKfReleaseSpinLock@8 ; VerifierKfReleaseSpinLock(x,x)
		align 8
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKfReleaseSpinLock
		dd offset @VerifierKfReleaseSpinLockNoReboot@8 ; VerifierKfReleaseSpinLockNoReboot(x,x)
		db  31h	; 1
		db    1
		db    0
		db    0
		dd offset ??_C@_0CB@INHJPAIB@KeTryToAcquireSpinLockAtDpcLeve@GHGBBCHJ@
		dd offset @VerifierKeTryToAcquireSpinLockAtDpcLevel@4 ;	VerifierKeTryToAcquireSpinLockAtDpcLevel(x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKeTryToAcquireSpinLockAtDpcLevel
		dd offset @VerifierKeTryToAcquireSpinLockAtDpcLevelNoReboot@4 ;	VerifierKeTryToAcquireSpinLockAtDpcLevelNoReboot(x)
		db  29h	; )
		db    1
		db    0
		db    0
		dd offset ??_C@_0BP@GFAPPJAP@KeAcquireInStackQueuedSpinLock@GHGBBCHJ@
		dd offset @VerifierKeAcquireInStackQueuedSpinLock@8 ; VerifierKeAcquireInStackQueuedSpinLock(x,x)
		align 10h
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKeAcquireInStackQueuedSpinLock
		dd offset @VerifierKeAcquireInStackQueuedSpinLockNoReboot@8 ; VerifierKeAcquireInStackQueuedSpinLockNoReboot(x,x)
		db 0E1h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0CJ@FGKMMJIG@KeAcquireInStackQueuedSpinLockA@GHGBBCHJ@
		dd offset @VerifierKeAcquireInStackQueuedSpinLockAtDpcLevel@8 ;	VerifierKeAcquireInStackQueuedSpinLockAtDpcLevel(x,x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKeAcquireInStackQueuedSpinLockAtDpcLevel
		dd offset @VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelNoReboot@8 ;	VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelNoReboot(x,x)
		db 0E2h	; 
		db    0
		db    0
		db    0
		dd offset loc_A542E7+1
		dd offset @VerifierKeAcquireInStackQueuedSpinLockForDpc@8 ; VerifierKeAcquireInStackQueuedSpinLockForDpc(x,x)
		align 8
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKeAcquireInStackQueuedSpinLockForDpc
		dd offset @VerifierKeAcquireInStackQueuedSpinLockForDpcNoReboot@8 ; VerifierKeAcquireInStackQueuedSpinLockForDpcNoReboot(x,x)
		db 0E3h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BP@NHDELBBL@KeReleaseInStackQueuedSpinLock@GHGBBCHJ@
		dd offset @VerifierKeReleaseInStackQueuedSpinLock@4 ; VerifierKeReleaseInStackQueuedSpinLock(x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKeReleaseInStackQueuedSpinLock
		dd offset @VerifierKeReleaseInStackQueuedSpinLockNoReboot@4 ; VerifierKeReleaseInStackQueuedSpinLockNoReboot(x)
		db  0Dh
		db    1
		db    0
		db    0
		dd offset ??_C@_0CL@LFOFCPMJ@KeReleaseInStackQueuedSpinLockF@GHGBBCHJ@
		dd offset @VerifierKeReleaseInStackQueuedSpinLockFromDpcLevel@4	; VerifierKeReleaseInStackQueuedSpinLockFromDpcLevel(x)
		align 10h
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKeReleaseInStackQueuedSpinLockFromDpcLevel
		dd offset @VerifierKeReleaseInStackQueuedSpinLockFromDpcLevelNoReboot@4	; VerifierKeReleaseInStackQueuedSpinLockFromDpcLevelNoReboot(x)
		db  0Fh
		db    1
		db    0
		db    0
		dd offset ??_C@_0CF@OAAFEOIC@KeReleaseInStackQueuedSpinLockF@GHGBBCHJ@
		dd offset @VerifierKeReleaseInStackQueuedSpinLockForDpc@4 ; VerifierKeReleaseInStackQueuedSpinLockForDpc(x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvKeReleaseInStackQueuedSpinLockForDpc
		dd offset @VerifierKeReleaseInStackQueuedSpinLockForDpcNoReboot@4 ; VerifierKeReleaseInStackQueuedSpinLockForDpcNoReboot(x)
		db  0Eh
		db    1
		db    0
		db    0
		dd offset ??_C@_0CL@HDNBIEFP@KeAcquireInStackQueuedSpinLockR@GHGBBCHJ@
		dd offset @VerifierKeAcquireInStackQueuedSpinLockRaiseToSynch@8	; VerifierKeAcquireInStackQueuedSpinLockRaiseToSynch(x,x)
		align 10h
		dd offset @VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchNoReboot@8	; VerifierKeAcquireInStackQueuedSpinLockRaiseToSynchNoReboot(x,x)
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BP@FFGINFJB@ExAcquireResourceExclusiveLite@GHGBBCHJ@
		dd offset _VerifierExAcquireResourceExclusiveLite@8 ; VerifierExAcquireResourceExclusiveLite(x,x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExAcquireResourceExclusiveLite
		dd offset _VerifierExAcquireResourceExclusiveLiteNoReboot@8 ; VerifierExAcquireResourceExclusiveLiteNoReboot(x,x)
		db  0Dh
		db    0
		db    0
		db    0
		dd offset ??_C@_0DB@PMJGDHMB@ExEnterCriticalRegionAndAcquire@GHGBBCHJ@
		dd offset _VerifierExEnterCriticalRegionAndAcquireResourceExclusive@4 ;	VerifierExEnterCriticalRegionAndAcquireResourceExclusive(x)
		align 10h
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExEnterCriticalRegionAndAcquireResourceExclusive
		dd offset _VerifierExEnterCriticalRegionAndAcquireResourceExclusiveNoReboot@4 ;	VerifierExEnterCriticalRegionAndAcquireResourceExclusiveNoReboot(x)
		db  22h	; "
		db    0
		db    0
		db    0
		dd offset ??_C@_0DB@CDPOFDFI@ExEnterPriorityRegionAndAcquire@GHGBBCHJ@
		dd offset _VerifierExEnterPriorityRegionAndAcquireResourceExclusive@4 ;	VerifierExEnterPriorityRegionAndAcquireResourceExclusive(x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExEnterPriorityRegionAndAcquireResourceExclusive
		dd offset _VerifierExEnterPriorityRegionAndAcquireResourceExclusiveNoReboot@4 ;	VerifierExEnterPriorityRegionAndAcquireResourceExclusiveNoReboot(x)
		db  25h	; %
		db    0
		db    0
		db    0
		dd offset ??_C@_0BM@NNOBLDPG@ExAcquireResourceSharedLite@GHGBBCHJ@
		dd offset _VerifierExAcquireResourceSharedLite@8 ; VerifierExAcquireResourceSharedLite(x,x)
		align 8
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExAcquireResourceSharedLite
		dd offset _VerifierExAcquireResourceSharedLiteNoReboot@8 ; VerifierExAcquireResourceSharedLiteNoReboot(x,x)
		db  0Eh
		db    0
		db    0
		db    0
		dd offset ??_C@_0CO@EBNPIICK@ExEnterCriticalRegionAndAcquire@GHGBBCHJ@
		dd offset _VerifierExEnterCriticalRegionAndAcquireResourceShared@4 ; VerifierExEnterCriticalRegionAndAcquireResourceShared(x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExEnterCriticalRegionAndAcquireResourceShared
		dd offset _VerifierExEnterCriticalRegionAndAcquireResourceSharedNoReboot@4 ; VerifierExEnterCriticalRegionAndAcquireResourceSharedNoReboot(x)
		db  23h	; #
		db    0
		db    0
		db    0
		dd offset ??_C@_0CO@EFACMEGF@ExEnterPriorityRegionAndAcquire@GHGBBCHJ@
		dd offset _VerifierExEnterPriorityRegionAndAcquireResourceShared@4 ; VerifierExEnterPriorityRegionAndAcquireResourceShared(x)
		align 10h
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExEnterPriorityRegionAndAcquireResourceShared
		dd offset _VerifierExEnterPriorityRegionAndAcquireResourceSharedNoReboot@4 ; VerifierExEnterPriorityRegionAndAcquireResourceSharedNoReboot(x)
		db  26h	; &
		db    0
		db    0
		db    0
		dd offset loc_A5454F+5
		dd offset _VerifierExAcquireSharedStarveExclusive@8 ; VerifierExAcquireSharedStarveExclusive(x,x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExAcquireSharedStarveExclusive
		dd offset _VerifierExAcquireSharedStarveExclusiveNoReboot@8 ; VerifierExAcquireSharedStarveExclusiveNoReboot(x,x)
		db  13h
		db    0
		db    0
		db    0
		dd offset loc_A545B6+6
		dd offset _VerifierExAcquireSharedWaitForExclusive@8 ; VerifierExAcquireSharedWaitForExclusive(x,x)
		align 8
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExAcquireSharedWaitForExclusive
		dd offset _VerifierExAcquireSharedWaitForExclusiveNoReboot@8 ; VerifierExAcquireSharedWaitForExclusiveNoReboot(x,x)
		db  14h
		db    0
		db    0
		db    0
		dd offset ??_C@_0BG@NNKFLMKJ@ExReleaseResourceLite@GHGBBCHJ@
		dd offset @VerifierExReleaseResourceLiteNoReboot@4 ; VerifierExReleaseResourceLiteNoReboot(x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExReleaseResourceLite
		dd offset @VerifierExReleaseResourceLiteNoReboot@4 ; VerifierExReleaseResourceLiteNoReboot(x)
		db  3Eh	; >
		db    0
		db    0
		db    0
		dd offset loc_A544F2+6
		dd offset @VerifierExReleaseResourceAndLeaveCriticalRegion@4 ; VerifierExReleaseResourceAndLeaveCriticalRegion(x)
		align 10h
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExReleaseResourceAndLeaveCriticalRegion
		dd offset @VerifierExReleaseResourceAndLeaveCriticalRegionNoReboot@4 ; VerifierExReleaseResourceAndLeaveCriticalRegionNoReboot(x)
		db  3Bh	; ;
		db    0
		db    0
		db    0
		dd offset ??_C@_0CI@GAEBGJPP@ExReleaseResourceAndLeavePriori@GHGBBCHJ@
		dd offset @VerifierExReleaseResourceAndLeavePriorityRegionNoReboot@4 ; VerifierExReleaseResourceAndLeavePriorityRegionNoReboot(x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExReleaseResourceAndLeavePriorityRegion
		dd offset @VerifierExReleaseResourceAndLeavePriorityRegionNoReboot@4 ; VerifierExReleaseResourceAndLeavePriorityRegionNoReboot(x)
		db  3Ch	; <
		db    0
		db    0
		db    0
		dd offset loc_A54533+1
		dd offset _VerifierExReleaseResourceForThreadLite@8 ; VerifierExReleaseResourceForThreadLite(x,x)
		align 8
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvExReleaseResourceForThreadLite
		dd offset _VerifierExReleaseResourceForThreadLite@8 ; VerifierExReleaseResourceForThreadLite(x,x)
		db  3Dh	; =
		db    0
		db    0
		db    0
		dd offset loc_A5451A+6
		dd offset _VerifierIoConnectInterrupt@44 ; VerifierIoConnectInterrupt(x,x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvIoConnectInterrupt
		align 10h
		db  8Ah	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BG@NOOELEK@IoDisconnectInterrupt@GHGBBCHJ@
		dd offset _VerifierIoDisconnectInterrupt@4 ; VerifierIoDisconnectInterrupt(x)
		align 10h
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvIoDisconnectInterrupt
		db    0
		db    0
		db    0
		db    0
		db  99h	; 
		db    0
		db    0
		db    0
		dd offset loc_A5462F+1
		dd offset _VerifierIoConnectInterruptEx@4 ; VerifierIoConnectInterruptEx(x)
		db    0
		db    0
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvIoConnectInterruptEx
		align 8
		db  8Bh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@HKCPIOKM@IoDisconnectInterruptEx@GHGBBCHJ@
		dd offset _VerifierIoDisconnectInterruptEx@4 ; VerifierIoDisconnectInterruptEx(x)
		align 8
		db  10h
		db    0
		db    0
		db    0
		dd offset _pXdvIoDisconnectInterruptEx
		db    0
		db    0
		db    0
		db    0
		db  9Ah	; 
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_VfXdvIoCallbackThunks dd offset ??_C@_0O@LCBLIIOL@IRP_MJ_CREATE@GHGBBCHJ@
					; DATA XREF: ViSetRequestedIoCallbacks(x)+6r
					; ViSetRequestedIoCallbacks(x)+Eo ...
		db  20h
		db    0
		db    0
		db    0
off_AA8A40	dd offset _pXdvIRP_MJ_CREATE ; DATA XREF: ViDifCaptureIoCallbacks(x)+8Ar
		db    0
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BJ@MMKIHFHH@IRP_MJ_CREATE_NAMED_PIPE@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_CREATE_NAMED_PIPE
		db    1
		db    0
		db    0
		db  10h
		dd offset ??_C@_0N@FMCDOLCP@IRP_MJ_CLOSE@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_CLOSE
		db    2
		db    0
		db    0
		db  10h
		dd offset ??_C@_0M@LJKCMGIA@IRP_MJ_READ@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_READ
		db    3
		db    0
		db    0
		db  10h
		dd offset ??_C@_0N@DLJAMLBI@IRP_MJ_WRITE@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_WRITE
		db    4
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BJ@FPMLIFJJ@IRP_MJ_QUERY_INFORMATION@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_QUERY_INFORMATION
		db    5
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BH@GNAPBNMO@IRP_MJ_SET_INFORMATION@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_SET_INFORMATION
		db    6
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BA@LFPMCNA@IRP_MJ_QUERY_EA@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_QUERY_EA
		db    7
		db    0
		db    0
		db  10h
		dd offset ??_C@_0O@FPNILENL@IRP_MJ_SET_EA@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_SET_EA
		db    8
		db    0
		db    0
		db  10h
		dd offset loc_A5065B+1
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_FLUSH_BUFFERS
		db    9
		db    0
		db    0
		db  10h
		dd offset ??_C@_0CA@FDGJPBOD@IRP_MJ_QUERY_VOLUME_INFORMATION@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_QUERY_VOLUME_INFORMATION
		db  0Ah
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BO@CJJMMMF@IRP_MJ_SET_VOLUME_INFORMATION@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_SET_VOLUME_INFORMATION
		db  0Bh
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BJ@NCGIANAN@IRP_MJ_DIRECTORY_CONTROL@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_DIRECTORY_CONTROL
		db  0Ch
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BL@MFHGBIDL@IRP_MJ_FILE_SYSTEM_CONTROL@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_FILE_SYSTEM_CONTROL
		db  0Dh
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BG@HAFCIBGJ@IRP_MJ_DEVICE_CONTROL@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_DEVICE_CONTROL
		db  0Eh
		db    0
		db    0
		db  10h
		dd offset loc_A5079B+1
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_INTERNAL_DEVICE_CONTROL
		db  0Fh
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BA@CDMDNOAC@IRP_MJ_SHUTDOWN@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_SHUTDOWN
		db  10h
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BE@LODBBEFP@IRP_MJ_LOCK_CONTROL@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_LOCK_CONTROL
		db  11h
		db    0
		db    0
		db  10h
		dd offset ??_C@_0P@JJLCIODE@IRP_MJ_CLEANUP@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_CLEANUP
		db  12h
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BH@CKPKPKHL@IRP_MJ_CREATE_MAILSLOT@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_CREATE_MAILSLOT
		db  13h
		db    0
		db    0
		db  10h
		dd offset loc_A50727+1
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_QUERY_SECURITY
		db  14h
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BE@MPINJCAP@IRP_MJ_SET_SECURITY@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_SET_SECURITY
		db  15h
		db    0
		db    0
		db  10h
		dd offset ??_C@_0N@BGEEMFOO@IRP_MJ_POWER@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_POWER
		db  16h
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BG@JHIMGJML@IRP_MJ_SYSTEM_CONTROL@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_SYSTEM_CONTROL
		db  17h
		db    0
		db    0
		db  10h
		dd offset loc_A5082F+1
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_DEVICE_CHANGE
		db  18h
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BD@MDBGANBO@IRP_MJ_QUERY_QUOTA@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_QUERY_QUOTA
		db  19h
		db    0
		db    0
		db  10h
		dd offset ??_C@_0BB@MFPKCKFI@IRP_MJ_SET_QUOTA@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_SET_QUOTA
		db  1Ah
		db    0
		db    0
		db  10h
		dd offset ??_C@_0L@EACGAIIF@IRP_MJ_PNP@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvIRP_MJ_PNP
		db  1Bh
		db    0
		db    0
		db  10h
		dd offset ??_C@_0M@GIPELPKM@DriverEntry@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvDriverEntry
		db  1Ch
		db    0
		db    0
		db  10h
		dd offset loc_A5655D+7
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvAddDevice
		db  1Eh
		db    0
		db    0
		db  10h
		dd offset ??_C@_0O@BMEJEEPC@DriverStartIo@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvDriverStartIo
		db  1Dh
		db    0
		db    0
		db  10h
		dd offset ??_C@_0N@FJJBIINI@DriverUnload@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvDriverUnload
		db  1Fh
		db    0
		db    0
		db  10h
		dd offset ??_C@_0N@FDAPFNPF@DriverCancel@GHGBBCHJ@
		db  20h
		db    0
		db    0
		db    0
		dd offset _pXdvDriverCancel
		db  20h
		db    0
		db    0
		db  10h
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db  21h	; !
		db    0
		db    0
		db  10h
_VfXdvThunks	dd offset ??_C@_0M@LGNDDGBA@CcCopyWrite@GHGBBCHJ@
					; DATA XREF: VfThunkAddTargetNotify+70o
					; VfGetHookAddressForOriginal(x)+5o ...
		dd offset _VerifierCcCopyWrite@20 ; VerifierCcCopyWrite(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvCcCopyWrite
		align 10h
		dd offset ??_C@_0O@BEMPINMO@CcCopyWriteEx@GHGBBCHJ@
		dd offset _VerifierCcCopyWriteEx@24 ; VerifierCcCopyWriteEx(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvCcCopyWriteEx
		db    1
		db    0
		db    0
		db    0
		dd offset loc_A545D8+4
		dd offset _VerifierCcDeferWrite@24 ; VerifierCcDeferWrite(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvCcDeferWrite
		db    2
		db    0
		db    0
		db    0
		dd offset loc_A5461B+5
		dd offset _VerifierCcFastCopyWrite@16 ;	VerifierCcFastCopyWrite(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvCcFastCopyWrite
		db    3
		db    0
		db    0
		db    0
		dd offset ??_C@_0CD@HBHLHMC@CcWaitForCurrentLazyWriterActiv@GHGBBCHJ@
		dd offset _VerifierCcWaitForCurrentLazyWriterActivity@0	; VerifierCcWaitForCurrentLazyWriterActivity()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvCcWaitForCurrentLazyWriterActivity
		db    4
		db    0
		db    0
		db    0
		dd offset ??_C@_0BD@GOINJNPC@CmRegisterCallback@GHGBBCHJ@
		dd offset _VerifierCmRegisterCallback@12 ; VerifierCmRegisterCallback(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvCmRegisterCallback
		db    5
		db    0
		db    0
		db    0
		dd offset loc_A5470F+1
		dd offset _VerifierCmUnRegisterCallback@8 ; VerifierCmUnRegisterCallback(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvCmUnRegisterCallback
		db    7
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@DJIDLOJO@CmRegisterCallbackEx@GHGBBCHJ@
		dd offset _VerifierCmRegisterCallbackEx@24 ; VerifierCmRegisterCallbackEx(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvCmRegisterCallbackEx
		db    6
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@DJCOJKLC@DbgBreakPointWithStatus@GHGBBCHJ@
		dd offset _VerifierDbgBreakPointWithStatus@4 ; VerifierDbgBreakPointWithStatus(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvDbgBreakPointWithStatus
		db    8
		db    0
		db    0
		db    0
		dd offset ??_C@_0BL@FOMOGPHK@ExAcquireRundownProtection@GHGBBCHJ@
		dd offset @VerifierExAcquireRundownProtection@4	; VerifierExAcquireRundownProtection(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExAcquireRundownProtection
		db  0Fh
		db    0
		db    0
		db    0
		dd offset ??_C@_0CF@PDAFLPOK@ExAcquireRundownProtectionCache@GHGBBCHJ@
		dd offset @VerifierExAcquireRundownProtectionCacheAware@4 ; VerifierExAcquireRundownProtectionCacheAware(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExAcquireRundownProtectionCacheAware
		db  10h
		db    0
		db    0
		db    0
		dd offset ??_C@_0CH@GOPIPKKL@ExAcquireRundownProtectionCache@GHGBBCHJ@
		dd offset @VerifierExAcquireRundownProtectionCacheAwareEx@8 ; VerifierExAcquireRundownProtectionCacheAwareEx(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExAcquireRundownProtectionCacheAwareEx
		db  11h
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@JJGKAPKO@ExAcquireRundownProtectionEx@GHGBBCHJ@
		dd offset @VerifierExAcquireRundownProtectionEx@8 ; VerifierExAcquireRundownProtectionEx(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExAcquireRundownProtectionEx
		db  12h
		db    0
		db    0
		db    0
		dd offset ??_C@_0BP@JFLIDJPC@ExConvertExclusiveToSharedLite@GHGBBCHJ@
		dd offset _VerifierExConvertExclusiveToSharedLite@4 ; VerifierExConvertExclusiveToSharedLite(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExConvertExclusiveToSharedLite
		db  1Ch
		db    0
		db    0
		db    0
		dd offset loc_A547DF+5
		dd offset _VerifierExCreateCallback@16 ; VerifierExCreateCallback(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExCreateCallback
		db  1Dh
		db    0
		db    0
		db    0
		dd offset ??_C@_0DG@EGKHCHCC@ExEnterCriticalRegionAndAcquire@GHGBBCHJ@
		dd offset _VerifierExEnterCriticalRegionAndAcquireSharedWaitForExclusive@4 ; VerifierExEnterCriticalRegionAndAcquireSharedWaitForExclusive(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExEnterCriticalRegionAndAcquireSharedWaitForExclusive
		db  24h	; $
		db    0
		db    0
		db    0
		dd offset ??_C@_0CA@IDJMNCCA@ExfInterlockedCompareExchange64@GHGBBCHJ@
		dd offset @VerifierExfInterlockedCompareExchange64@12 ;	VerifierExfInterlockedCompareExchange64(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExfInterlockedCompareExchange64
		db  4Bh	; K
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@NLPIKEMP@ExfInterlockedInsertHeadList@GHGBBCHJ@
		dd offset @VerifierExfInterlockedInsertHeadList@12 ; VerifierExfInterlockedInsertHeadList(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExfInterlockedInsertHeadList
		db  4Ch	; L
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@MKPKNHFK@ExfInterlockedInsertTailList@GHGBBCHJ@
		dd offset @VerifierExfInterlockedInsertTailList@12 ; VerifierExfInterlockedInsertTailList(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExfInterlockedInsertTailList
		db  4Dh	; M
		db    0
		db    0
		db    0
		dd offset ??_C@_0BL@JKOHJBFG@ExfInterlockedPopEntryList@GHGBBCHJ@
		dd offset @VerifierExfInterlockedPopEntryList@8	; VerifierExfInterlockedPopEntryList(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExfInterlockedPopEntryList
		db  4Eh	; N
		db    0
		db    0
		db    0
		dd offset ??_C@_0BM@FAEJIFNP@ExfInterlockedPushEntryList@GHGBBCHJ@
		dd offset @VerifierExfInterlockedPushEntryList@12 ; VerifierExfInterlockedPushEntryList(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExfInterlockedPushEntryList
		db  4Fh	; O
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@NCDFHNMM@ExfInterlockedRemoveHeadList@GHGBBCHJ@
		dd offset @VerifierExfInterlockedRemoveHeadList@8 ; VerifierExfInterlockedRemoveHeadList(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExfInterlockedRemoveHeadList
		db  50h	; P
		db    0
		db    0
		db    0
		dd offset loc_A548E3+5
		dd offset _VerifierExGetExclusiveWaiterCount@4 ; VerifierExGetExclusiveWaiterCount(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExGetExclusiveWaiterCount
		db  29h	; )
		db    0
		db    0
		db    0
		dd offset ??_C@_0BH@CAMGGGDG@ExGetSharedWaiterCount@GHGBBCHJ@
		dd offset _VerifierExGetSharedWaiterCount@4 ; VerifierExGetSharedWaiterCount(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExGetSharedWaiterCount
		db  2Ah	; *
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@HOOCFJHF@ExInterlockedAddLargeInteger@GHGBBCHJ@
		dd offset _VerifierExInterlockedAddLargeInteger@16 ; VerifierExInterlockedAddLargeInteger(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExInterlockedAddLargeInteger
		db  2Fh	; /
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@NLPIKEMP@ExfInterlockedInsertHeadList@GHGBBCHJ@
		dd offset @VerifierExfInterlockedInsertHeadList@12 ; VerifierExfInterlockedInsertHeadList(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExfInterlockedInsertHeadList
		db  4Ch	; L
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@MKPKNHFK@ExfInterlockedInsertTailList@GHGBBCHJ@
		dd offset @VerifierExfInterlockedInsertTailList@12 ; VerifierExfInterlockedInsertTailList(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExfInterlockedInsertTailList
		db  4Dh	; M
		db    0
		db    0
		db    0
		dd offset ??_C@_0BL@JKOHJBFG@ExfInterlockedPopEntryList@GHGBBCHJ@
		dd offset @VerifierExfInterlockedPopEntryList@8	; VerifierExfInterlockedPopEntryList(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExfInterlockedPopEntryList
		db  4Eh	; N
		db    0
		db    0
		db    0
		dd offset ??_C@_0BM@FAEJIFNP@ExfInterlockedPushEntryList@GHGBBCHJ@
		dd offset @VerifierExfInterlockedPushEntryList@12 ; VerifierExfInterlockedPushEntryList(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExfInterlockedPushEntryList
		db  4Fh	; O
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@NCDFHNMM@ExfInterlockedRemoveHeadList@GHGBBCHJ@
		dd offset @VerifierExfInterlockedRemoveHeadList@8 ; VerifierExfInterlockedRemoveHeadList(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExfInterlockedRemoveHeadList
		db  50h	; P
		db    0
		db    0
		db    0
		dd offset ??_C@_0BM@BAHDCHON@ExIsProcessorFeaturePresent@GHGBBCHJ@
		dd offset _VerifierExIsProcessorFeaturePresent@4 ; VerifierExIsProcessorFeaturePresent(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExIsProcessorFeaturePresent
		db  31h	; 1
		db    0
		db    0
		db    0
		dd offset loc_A5486A+6
		dd offset _VerifierExIsResourceAcquiredExclusiveLite@4 ; VerifierExIsResourceAcquiredExclusiveLite(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExIsResourceAcquiredExclusiveLite
		db  32h	; 2
		db    0
		db    0
		db    0
		dd offset ??_C@_0BP@NANGKPJA@ExIsResourceAcquiredSharedLite@GHGBBCHJ@
		dd offset _VerifierExIsResourceAcquiredSharedLite@4 ; VerifierExIsResourceAcquiredSharedLite(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExIsResourceAcquiredSharedLite
		db  33h	; 3
		db    0
		db    0
		db    0
		dd offset ??_C@_0BH@HFAAGFHI@ExRaiseAccessViolation@GHGBBCHJ@
		dd offset _VerifierExRaiseAccessViolation@0 ; VerifierExRaiseAccessViolation()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExRaiseAccessViolation
		db  34h	; 4
		db    0
		db    0
		db    0
		dd offset ??_C@_0BM@OFICDNGI@ExRaiseDatatypeMisalignment@GHGBBCHJ@
		dd offset _VerifierExRaiseDatatypeMisalignment@0 ; VerifierExRaiseDatatypeMisalignment()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExRaiseDatatypeMisalignment
		db  35h	; 5
		db    0
		db    0
		db    0
		dd offset ??_C@_0O@KCMNBGBG@ExRaiseStatus@GHGBBCHJ@
		dd offset _VerifierExRaiseStatus@4 ; VerifierExRaiseStatus(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExRaiseStatus
		db  36h	; 6
		db    0
		db    0
		db    0
		dd offset ??_C@_0BD@DJAIKLBO@ExRegisterCallback@GHGBBCHJ@
		dd offset _VerifierExRegisterCallback@12 ; VerifierExRegisterCallback(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExRegisterCallback
		db  37h	; 7
		db    0
		db    0
		db    0
		dd offset ??_C@_0BL@JMIMGKME@ExReinitializeResourceLite@GHGBBCHJ@
		dd offset _VerifierExReinitializeResourceLite@4	; VerifierExReinitializeResourceLite(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExReinitializeResourceLite
		db  38h	; 8
		db    0
		db    0
		db    0
		dd offset ??_C@_0BL@PAIPFKEL@ExReleaseRundownProtection@GHGBBCHJ@
		dd offset @VerifierExReleaseRundownProtection@4	; VerifierExReleaseRundownProtection(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExReleaseRundownProtection
		db  3Fh	; ?
		db    0
		db    0
		db    0
		dd offset loc_A5495B+1
		dd offset @VerifierExReleaseRundownProtectionCacheAware@4 ; VerifierExReleaseRundownProtectionCacheAware(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExReleaseRundownProtectionCacheAware
		db  40h	; @
		db    0
		db    0
		db    0
		dd offset loc_A549BB+1
		dd offset @VerifierExReleaseRundownProtectionEx@8 ; VerifierExReleaseRundownProtectionEx(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExReleaseRundownProtectionEx
		db  42h	; B
		db    0
		db    0
		db    0
		dd offset ??_C@_0BK@LNIMOKHD@ExSetResourceOwnerPointer@GHGBBCHJ@
		dd offset _VerifierExSetResourceOwnerPointer@8 ; VerifierExSetResourceOwnerPointer(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExSetResourceOwnerPointer
		db  43h	; C
		db    0
		db    0
		db    0
		dd offset ??_C@_0BM@NFHKCAAK@ExSetResourceOwnerPointerEx@GHGBBCHJ@
		dd offset _VerifierExSetResourceOwnerPointerEx@12 ; VerifierExSetResourceOwnerPointerEx(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExSetResourceOwnerPointerEx
		db  44h	; D
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@IGJGFLBG@ExSetTimerResolution@GHGBBCHJ@
		dd offset _VerifierExSetTimerResolution@8 ; VerifierExSetTimerResolution(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExSetTimerResolution
		db  45h	; E
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@JEOBAJMJ@ExUnregisterCallback@GHGBBCHJ@
		dd offset _VerifierExUnregisterCallback@4 ; VerifierExUnregisterCallback(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExUnregisterCallback
		db  47h	; G
		db    0
		db    0
		db    0
		dd offset ??_C@_0N@GFLEDONA@ExUuidCreate@GHGBBCHJ@
		dd offset _VerifierExUuidCreate@4 ; VerifierExUuidCreate(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExUuidCreate
		db  48h	; H
		db    0
		db    0
		db    0
		dd offset ??_C@_0CC@FNHEKDGE@ExWaitForRundownProtectionRelea@GHGBBCHJ@
		dd offset @VerifierExWaitForRundownProtectionRelease@4 ; VerifierExWaitForRundownProtectionRelease(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExWaitForRundownProtectionRelease
		db  49h	; I
		db    0
		db    0
		db    0
		dd offset ??_C@_0CM@OCEPCOBP@ExWaitForRundownProtectionRelea@GHGBBCHJ@
		dd offset @VerifierExWaitForRundownProtectionReleaseCacheAware@4 ; VerifierExWaitForRundownProtectionReleaseCacheAware(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExWaitForRundownProtectionReleaseCacheAware
		db  4Ah	; J
		db    0
		db    0
		db    0
		dd offset ??_C@_0BG@GNPJBMLA@FsRtlAllocateFileLock@GHGBBCHJ@
		dd offset _VerifierFsRtlAllocateFileLock@8 ; VerifierFsRtlAllocateFileLock(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlAllocateFileLock
		db  51h	; Q
		db    0
		db    0
		db    0
		dd offset ??_C@_0BD@OHLCPLIJ@FsRtlAreNamesEqual@GHGBBCHJ@
		dd offset _VerifierFsRtlAreNamesEqual@16 ; VerifierFsRtlAreNamesEqual(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlAreNamesEqual
		db  52h	; R
		db    0
		db    0
		db    0
		dd offset loc_A54B97+1
		dd offset _VerifierFsRtlBalanceReads@4 ; VerifierFsRtlBalanceReads(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlBalanceReads
		db  53h	; S
		db    0
		db    0
		db    0
		dd offset loc_A54B6F+1
		dd offset _VerifierFsRtlCancellableWaitForMultipleObjects@24 ; VerifierFsRtlCancellableWaitForMultipleObjects(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlCancellableWaitForMultipleObjects
		db  54h	; T
		db    0
		db    0
		db    0
		dd offset ??_C@_0CE@ILDFIMGE@FsRtlCancellableWaitForSingleOb@GHGBBCHJ@
		dd offset _VerifierFsRtlCancellableWaitForSingleObject@12 ; VerifierFsRtlCancellableWaitForSingleObject(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlCancellableWaitForSingleObject
		db  55h	; U
		db    0
		db    0
		db    0
		dd offset ??_C@_0BM@FAECEJBJ@FsRtlCheckLockForReadAccess@GHGBBCHJ@
		dd offset _VerifierFsRtlCheckLockForReadAccess@8 ; VerifierFsRtlCheckLockForReadAccess(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlCheckLockForReadAccess
		db  56h	; V
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@BPHMNNJL@FsRtlCheckLockForWriteAccess@GHGBBCHJ@
		dd offset _VerifierFsRtlCheckLockForWriteAccess@8 ; VerifierFsRtlCheckLockForWriteAccess(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlCheckLockForWriteAccess
		db  57h	; W
		db    0
		db    0
		db    0
		dd offset ??_C@_0P@POEFGDPO@FsRtlCopyWrite@GHGBBCHJ@
		dd offset _VerifierFsRtlCopyWrite@32 ; VerifierFsRtlCopyWrite(x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlCopyWrite
		db  58h	; X
		db    0
		db    0
		db    0
		dd offset ??_C@_0BL@BFPOBLIK@FsRtlDeregisterUncProvider@GHGBBCHJ@
		dd offset _VerifierFsRtlDeregisterUncProvider@4	; VerifierFsRtlDeregisterUncProvider(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlDeregisterUncProvider
		db  59h	; Y
		db    0
		db    0
		db    0
		dd offset ??_C@_0BB@DJMPDCBL@FsRtlDissectName@GHGBBCHJ@
		dd offset _VerifierFsRtlDissectName@16 ; VerifierFsRtlDissectName(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlDissectName
		db  5Ah	; Z
		db    0
		db    0
		db    0
		dd offset ??_C@_0BO@PPHBFGCH@FsRtlDoesNameContainWildCards@GHGBBCHJ@
		dd offset _VerifierFsRtlDoesNameContainWildCards@4 ; VerifierFsRtlDoesNameContainWildCards(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlDoesNameContainWildCards
		db  5Bh	; [
		db    0
		db    0
		db    0
		dd offset ??_C@_0BK@FBOMMING@FsRtlFastCheckLockForRead@GHGBBCHJ@
		dd offset _VerifierFsRtlFastCheckLockForRead@24	; VerifierFsRtlFastCheckLockForRead(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlFastCheckLockForRead
		db  5Ch	; \
		db    0
		db    0
		db    0
		dd offset ??_C@_0BL@CMPEFFHF@FsRtlFastCheckLockForWrite@GHGBBCHJ@
		dd offset _VerifierFsRtlFastCheckLockForWrite@24 ; VerifierFsRtlFastCheckLockForWrite(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlFastCheckLockForWrite
		db  5Dh	; ]
		db    0
		db    0
		db    0
		dd offset ??_C@_0BD@MJMCKGGC@FsRtlFastUnlockAll@GHGBBCHJ@
		dd offset _VerifierFsRtlFastUnlockAll@16 ; VerifierFsRtlFastUnlockAll(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlFastUnlockAll
		db  5Eh	; ^
		db    0
		db    0
		db    0
		dd offset loc_A54C03+1
		dd offset _VerifierFsRtlFastUnlockAllByKey@20 ;	VerifierFsRtlFastUnlockAllByKey(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlFastUnlockAllByKey
		db  5Fh	; _
		db    0
		db    0
		db    0
		dd offset ??_C@_0BG@ODJOIKFM@FsRtlFastUnlockSingle@GHGBBCHJ@
		dd offset _VerifierFsRtlFastUnlockSingle@32 ; VerifierFsRtlFastUnlockSingle(x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlFastUnlockSingle
		db  60h	; `
		db    0
		db    0
		db    0
		dd offset ??_C@_0BC@PJEDGNFC@FsRtlFreeFileLock@GHGBBCHJ@
		dd offset _VerifierFsRtlFreeFileLock@4 ; VerifierFsRtlFreeFileLock(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlFreeFileLock
		db  61h	; a
		db    0
		db    0
		db    0
		dd offset ??_C@_0BB@OPPBJGHJ@FsRtlGetFileSize@GHGBBCHJ@
		dd offset _VerifierFsRtlGetFileSize@8 ;	VerifierFsRtlGetFileSize(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlGetFileSize
		db  62h	; b
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@ILHGPMPA@FsRtlGetNextFileLock@GHGBBCHJ@
		dd offset _VerifierFsRtlGetNextFileLock@8 ; VerifierFsRtlGetNextFileLock(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlGetNextFileLock
		db  63h	; c
		db    0
		db    0
		db    0
		dd offset ??_C@_0BP@DCJLOKDE@FsRtlIncrementCcFastReadNoWait@GHGBBCHJ@
		dd offset _VerifierFsRtlIncrementCcFastReadNoWait@0 ; VerifierFsRtlIncrementCcFastReadNoWait()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlIncrementCcFastReadNoWait
		db  64h	; d
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@EPDPDDKO@FsRtlIncrementCcFastReadWait@GHGBBCHJ@
		dd offset _VerifierFsRtlIncrementCcFastReadWait@0 ; VerifierFsRtlIncrementCcFastReadWait()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlIncrementCcFastReadWait
		db  65h	; e
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@COJDIDMN@FsRtlInitializeFileLock@GHGBBCHJ@
		dd offset _VerifierFsRtlInitializeFileLock@12 ;	VerifierFsRtlInitializeFileLock(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlInitializeFileLock
		db  66h	; f
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@PJFLOEO@FsRtlIsNameInExpression@GHGBBCHJ@
		dd offset _VerifierFsRtlIsNameInExpression@16 ;	VerifierFsRtlIsNameInExpression(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlIsNameInExpression
		db  67h	; g
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@EMCCICON@FsRtlMdlReadCompleteDev@GHGBBCHJ@
		dd offset _VerifierFsRtlMdlReadCompleteDev@12 ;	VerifierFsRtlMdlReadCompleteDev(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlMdlReadCompleteDev
		db  68h	; h
		db    0
		db    0
		db    0
		dd offset ??_C@_0BJ@MDJCDGLP@FsRtlMdlWriteCompleteDev@GHGBBCHJ@
		dd offset _VerifierFsRtlMdlWriteCompleteDev@16 ; VerifierFsRtlMdlWriteCompleteDev(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlMdlWriteCompleteDev
		db  69h	; i
		db    0
		db    0
		db    0
		dd offset ??_C@_0CB@MGNNBAJE@FsRtlNotifyFilterChangeDirector@GHGBBCHJ@
		dd offset _VerifierFsRtlNotifyFilterChangeDirectory@44 ; VerifierFsRtlNotifyFilterChangeDirectory(x,x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlNotifyFilterChangeDirectory
		db  6Ah	; j
		db    0
		db    0
		db    0
		dd offset loc_A54E17+1
		dd offset _VerifierFsRtlNotifyFilterReportChange@40 ; VerifierFsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlNotifyFilterReportChange
		db  6Bh	; k
		db    0
		db    0
		db    0
		dd offset ??_C@_0BP@OICFPFBH@FsRtlNotifyFullChangeDirectory@GHGBBCHJ@
		dd offset _VerifierFsRtlNotifyFullChangeDirectory@40 ; VerifierFsRtlNotifyFullChangeDirectory(x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlNotifyFullChangeDirectory
		db  6Ch	; l
		db    0
		db    0
		db    0
		dd offset ??_C@_0BM@LMDMPMBC@FsRtlNotifyFullReportChange@GHGBBCHJ@
		dd offset _VerifierFsRtlNotifyFullReportChange@36 ; VerifierFsRtlNotifyFullReportChange(x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlNotifyFullReportChange
		db  6Dh	; m
		db    0
		db    0
		db    0
		dd offset ??_C@_0BB@CBKGKKCK@FsRtlPrivateLock@GHGBBCHJ@
		dd offset _VerifierFsRtlPrivateLock@48 ; VerifierFsRtlPrivateLock(x,x,x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlPrivateLock
		db  6Eh	; n
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@FDOOBKHJ@FsRtlProcessFileLock@GHGBBCHJ@
		dd offset _VerifierFsRtlProcessFileLock@12 ; VerifierFsRtlProcessFileLock(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlProcessFileLock
		db  6Fh	; o
		db    0
		db    0
		db    0
		dd offset ??_C@_0BJ@BGFBDDHN@FsRtlRegisterUncProvider@GHGBBCHJ@
		dd offset _VerifierFsRtlRegisterUncProvider@12 ; VerifierFsRtlRegisterUncProvider(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlRegisterUncProvider
		db  70h	; p
		db    0
		db    0
		db    0
		dd offset ??_C@_0BL@LEPGMMCJ@FsRtlRegisterUncProviderEx@GHGBBCHJ@
		dd offset _VerifierFsRtlRegisterUncProviderEx@16 ; VerifierFsRtlRegisterUncProviderEx(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlRegisterUncProviderEx
		db  71h	; q
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@FJCEAIHK@FsRtlRemoveDotsFromPath@GHGBBCHJ@
		dd offset _VerifierFsRtlRemoveDotsFromPath@12 ;	VerifierFsRtlRemoveDotsFromPath(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlRemoveDotsFromPath
		db  72h	; r
		db    0
		db    0
		db    0
		dd offset ??_C@_0BK@NBBFHCEF@FsRtlUninitializeFileLock@GHGBBCHJ@
		dd offset _VerifierFsRtlUninitializeFileLock@4 ; VerifierFsRtlUninitializeFileLock(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlUninitializeFileLock
		db  73h	; s
		db    0
		db    0
		db    0
		dd offset ??_C@_0CA@IFJAMBAM@FsRtlValidateReparsePointBuffer@GHGBBCHJ@
		dd offset _VerifierFsRtlValidateReparsePointBuffer@8 ; VerifierFsRtlValidateReparsePointBuffer(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvFsRtlValidateReparsePointBuffer
		db  74h	; t
		db    0
		db    0
		db    0
		dd offset ??_C@_0O@PABGEFI@HalExamineMBR@GHGBBCHJ@
		dd offset @VerifierHalExamineMBR@16 ; VerifierHalExamineMBR(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvHalExamineMBR
		db  75h	; u
		db    0
		db    0
		db    0
		dd offset ??_C@_0BG@FBGBLDDB@HalGetInterruptVector@GHGBBCHJ@
		dd offset _VerifierHalGetInterruptVector@24 ; VerifierHalGetInterruptVector(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvHalGetInterruptVector
		db  77h	; w
		db    0
		db    0
		db    0
		dd offset loc_A54E7E+6
		dd offset @VerifierInterlockedPopEntrySList@4 ;	VerifierInterlockedPopEntrySList(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvInterlockedPopEntrySList
		db  78h	; x
		db    0
		db    0
		db    0
		dd offset ??_C@_0BK@JFGGAIOA@InterlockedPushEntrySList@GHGBBCHJ@
		dd offset @VerifierInterlockedPushEntrySList@8 ; VerifierInterlockedPushEntrySList(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvInterlockedPushEntrySList
		db  79h	; y
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@OPFJLAIK@IoAcquireCancelSpinLock@GHGBBCHJ@
		dd offset _VerifierIoAcquireCancelSpinLock@4 ; VerifierIoAcquireCancelSpinLock(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoAcquireCancelSpinLock
		db  7Ah	; z
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@FPEFEEGA@IoAcquireVpbSpinLock@GHGBBCHJ@
		dd offset _VerifierIoAcquireVpbSpinLock@4 ; VerifierIoAcquireVpbSpinLock(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoAcquireVpbSpinLock
		db  7Ch	; |
		db    0
		db    0
		db    0
		dd offset loc_A54F87+1
		dd offset _VerifierIoAllocateController@16 ; VerifierIoAllocateController(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoAllocateController
		db  7Dh	; }
		db    0
		db    0
		db    0
		dd offset ??_C@_0P@JFFPJJNO@IoAttachDevice@GHGBBCHJ@
		dd offset _VerifierIoAttachDevice@12 ; VerifierIoAttachDevice(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoAttachDevice
		db  82h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BM@COEBFMBD@IoAttachDeviceToDeviceStack@GHGBBCHJ@
		dd offset _VerifierIoAttachDeviceToDeviceStack@8 ; VerifierIoAttachDeviceToDeviceStack(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoAttachDeviceToDeviceStack
		db  83h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0CA@LKEHFBCD@IoAttachDeviceToDeviceStackSafe@GHGBBCHJ@
		dd offset _VerifierIoAttachDeviceToDeviceStackSafe@12 ;	VerifierIoAttachDeviceToDeviceStackSafe(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoAttachDeviceToDeviceStackSafe
		db  84h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0M@DBMLMNGA@IoCancelIrp@GHGBBCHJ@
		dd offset _VerifierIoCancelIrp@4 ; VerifierIoCancelIrp(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoCancelIrp
		db  88h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BD@LOODBDGI@IoCheckShareAccess@GHGBBCHJ@
		dd offset _VerifierIoCheckShareAccess@20 ; VerifierIoCheckShareAccess(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoCheckShareAccess
		db  89h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BD@HEEKECOA@IoCreateController@GHGBBCHJ@
		dd offset _VerifierIoCreateController@4	; VerifierIoCreateController(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoCreateController
		db  8Ch	; 
		db    0
		db    0
		db    0
		dd offset loc_A54F53+1
		dd offset _VerifierIoCreateFile@56 ; VerifierIoCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoCreateFile
		db  8Eh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0P@GFJFBPJA@IoCreateFileEx@GHGBBCHJ@
		dd offset _VerifierIoCreateFileEx@60 ; VerifierIoCreateFileEx(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoCreateFileEx
		db  8Fh	; 
		db    0
		db    0
		db    0
		dd offset loc_A5503F+1
		dd offset _VerifierIoCreateFileSpecifyDeviceObjectHint@60 ; VerifierIoCreateFileSpecifyDeviceObjectHint(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoCreateFileSpecifyDeviceObjectHint
		db  90h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BK@JANIACBJ@IoCreateNotificationEvent@GHGBBCHJ@
		dd offset _VerifierIoCreateNotificationEvent@8 ; VerifierIoCreateNotificationEvent(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoCreateNotificationEvent
		db  91h	; 
		db    0
		db    0
		db    0
		dd offset loc_A5506D+7
		dd offset _VerifierIoCreateSymbolicLink@8 ; VerifierIoCreateSymbolicLink(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoCreateSymbolicLink
		db  92h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@EBFKCIKM@IoCreateSynchronizationEvent@GHGBBCHJ@
		dd offset _VerifierIoCreateSynchronizationEvent@8 ; VerifierIoCreateSynchronizationEvent(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoCreateSynchronizationEvent
		db  93h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0CA@GCGLGGID@IoCreateUnprotectedSymbolicLink@GHGBBCHJ@
		dd offset _VerifierIoCreateUnprotectedSymbolicLink@8 ; VerifierIoCreateUnprotectedSymbolicLink(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoCreateUnprotectedSymbolicLink
		db  94h	; 
		db    0
		db    0
		db    0
		dd offset loc_A5502B+1
		dd offset _VerifierIoDeleteController@4	; VerifierIoDeleteController(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoDeleteController
		db  95h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0P@FBLHDEMD@IoDeleteDevice@GHGBBCHJ@
		dd offset _VerifierIoDeleteDevice@4 ; VerifierIoDeleteDevice(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoDeleteDevice
		db  96h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@ONAPDNAF@IoDeleteSymbolicLink@GHGBBCHJ@
		dd offset _VerifierIoDeleteSymbolicLink@4 ; VerifierIoDeleteSymbolicLink(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoDeleteSymbolicLink
		db  97h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0P@BPMNILFO@IoDetachDevice@GHGBBCHJ@
		dd offset _VerifierIoDetachDevice@4 ; VerifierIoDetachDevice(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoDetachDevice
		db  98h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BB@NCOJPGGO@IoFreeController@GHGBBCHJ@
		dd offset _VerifierIoFreeController@4 ;	VerifierIoFreeController(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoFreeController
		db  9Bh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@NMJJBDEK@IoGetAttachedDeviceReference@GHGBBCHJ@
		dd offset _VerifierIoGetAttachedDeviceReference@4 ; VerifierIoGetAttachedDeviceReference(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoGetAttachedDeviceReference
		db  9Eh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BO@HOJPAIDH@IoGetConfigurationInformation@GHGBBCHJ@
		dd offset _VerifierIoGetConfigurationInformation@0 ; VerifierIoGetConfigurationInformation()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoGetConfigurationInformation
		db  9Fh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@MGPFHAEO@IoGetDeviceDirectory@GHGBBCHJ@
		dd offset _VerifierIoGetDeviceDirectory@20 ; VerifierIoGetDeviceDirectory(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoGetDeviceDirectory
		db 0A0h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@NCDHGPMG@IoGetDriverDirectory@GHGBBCHJ@
		dd offset _VerifierIoGetDriverDirectory@16 ; VerifierIoGetDriverDirectory(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoGetDriverDirectory
		db 0A9h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BK@JMBEKGDL@IoGetDeviceInterfaceAlias@GHGBBCHJ@
		dd offset _VerifierIoGetDeviceInterfaceAlias@12	; VerifierIoGetDeviceInterfaceAlias(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoGetDeviceInterfaceAlias
		db 0A1h	; 
		db    0
		db    0
		db    0
		dd offset loc_A551E1+3
		dd offset _VerifierIoGetDeviceInterfaces@16 ; VerifierIoGetDeviceInterfaces(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoGetDeviceInterfaces
		db 0A2h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BE@NDNCGFDF@IoGetDeviceNumaNode@GHGBBCHJ@
		dd offset _VerifierIoGetDeviceNumaNode@8 ; VerifierIoGetDeviceNumaNode(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoGetDeviceNumaNode
		db 0A3h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BJ@FOGLHIHD@IoGetDeviceObjectPointer@GHGBBCHJ@
		dd offset _VerifierIoGetDeviceObjectPointer@16 ; VerifierIoGetDeviceObjectPointer(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoGetDeviceObjectPointer
		db 0A4h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BE@MDDFKKC@IoGetDeviceProperty@GHGBBCHJ@
		dd offset _VerifierIoGetDeviceProperty@20 ; VerifierIoGetDeviceProperty(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoGetDeviceProperty
		db 0A5h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@HKGDKHHG@IoGetDevicePropertyData@GHGBBCHJ@
		dd offset _VerifierIoGetDevicePropertyData@32 ;	VerifierIoGetDevicePropertyData(x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoGetDevicePropertyData
		db 0A6h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BE@JCPLLAOP@IoGetDeviceToVerify@GHGBBCHJ@
		dd offset _VerifierIoGetDeviceToVerify@4 ; VerifierIoGetDeviceToVerify(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoGetDeviceToVerify
		db 0A7h	; 
		db    0
		db    0
		db    0
		dd offset loc_A551B6+6
		dd offset _VerifierIoSetDeviceToVerify@8 ; VerifierIoSetDeviceToVerify(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoSetDeviceToVerify
		db 0CCh	; 
		db    0
		db    0
		db    0
		dd offset loc_A5519B+1
		dd offset _VerifierIoGetFileObjectGenericMapping@0 ; VerifierIoGetFileObjectGenericMapping()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoGetFileObjectGenericMapping
		db 0AAh	; 
		db    0
		db    0
		db    0
		dd offset loc_A552AB+1
		dd offset _VerifierIoGetInitialStack@0 ; VerifierIoGetInitialStack()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoGetInitialStack
		db 0ABh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BA@IMLAGBDN@IoInitializeIrp@GHGBBCHJ@
		dd offset _VerifierIoInitializeIrp@12 ;	VerifierIoInitializeIrp(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoInitializeIrp
		db 0ACh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BM@JJJEEJD@IoInvalidateDeviceRelations@GHGBBCHJ@
		dd offset _VerifierIoInvalidateDeviceRelations@8 ; VerifierIoInvalidateDeviceRelations(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoInvalidateDeviceRelations
		db 0B0h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@GJKCPIFF@IoIsWdmVersionAvailable@GHGBBCHJ@
		dd offset _VerifierIoIsWdmVersionAvailable@8 ; VerifierIoIsWdmVersionAvailable(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoIsWdmVersionAvailable
		db 0B1h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0CB@OENKMFNC@IoOpenDeviceInterfaceRegistryKe@GHGBBCHJ@
		dd offset _VerifierIoOpenDeviceInterfaceRegistryKey@12 ; VerifierIoOpenDeviceInterfaceRegistryKey(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoOpenDeviceInterfaceRegistryKey
		db 0B3h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@LGCKGMHL@IoOpenDeviceRegistryKey@GHGBBCHJ@
		dd offset _VerifierIoOpenDeviceRegistryKey@16 ;	VerifierIoOpenDeviceRegistryKey(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoOpenDeviceRegistryKey
		db 0B4h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BB@GFHNHMEE@IoRaiseHardError@GHGBBCHJ@
		dd offset _VerifierIoRaiseHardError@12 ; VerifierIoRaiseHardError(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoRaiseHardError
		db 0B5h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BO@GEKAHKHC@IoRaiseInformationalHardError@GHGBBCHJ@
		dd offset _VerifierIoRaiseInformationalHardError@12 ; VerifierIoRaiseInformationalHardError(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoRaiseInformationalHardError
		db 0B6h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@PMGGBIGM@IoReadPartitionTable@GHGBBCHJ@
		dd offset @VerifierIoReadPartitionTable@16 ; VerifierIoReadPartitionTable(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoReadPartitionTable
		db 0B7h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BH@ELJDPMEO@IoReadPartitionTableEx@GHGBBCHJ@
		dd offset _VerifierIoReadPartitionTableEx@8 ; VerifierIoReadPartitionTableEx(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoReadPartitionTableEx
		db 0B8h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0CF@CEMHENBB@IoRegisterBootDriverReinitializ@GHGBBCHJ@
		dd offset _VerifierIoRegisterBootDriverReinitialization@12 ; VerifierIoRegisterBootDriverReinitialization(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoRegisterBootDriverReinitialization
		db 0B9h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BK@IHKFBDEL@IoRegisterDeviceInterface@GHGBBCHJ@
		dd offset _VerifierIoRegisterDeviceInterface@16	; VerifierIoRegisterDeviceInterface(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoRegisterDeviceInterface
		db 0BAh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0CB@BGGBOBIP@IoRegisterDriverReinitializatio@GHGBBCHJ@
		dd offset _VerifierIoRegisterDriverReinitialization@12 ; VerifierIoRegisterDriverReinitialization(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoRegisterDriverReinitialization
		db 0BBh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0CJ@KDAFGIAG@IoRegisterLastChanceShutdownNot@GHGBBCHJ@
		dd offset _VerifierIoRegisterLastChanceShutdownNotification@4 ;	VerifierIoRegisterLastChanceShutdownNotification(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoRegisterLastChanceShutdownNotification
		db 0BCh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BP@EHPLKLBF@IoRegisterPlugPlayNotification@GHGBBCHJ@
		dd offset _VerifierIoRegisterPlugPlayNotification@28 ; VerifierIoRegisterPlugPlayNotification(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoRegisterPlugPlayNotification
		db 0BDh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BP@LAPIKGHO@IoRegisterShutdownNotification@GHGBBCHJ@
		dd offset _VerifierIoRegisterShutdownNotification@4 ; VerifierIoRegisterShutdownNotification(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoRegisterShutdownNotification
		db 0BEh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@FMMJKBIA@IoReleaseCancelSpinLock@GHGBBCHJ@
		dd offset _VerifierIoReleaseCancelSpinLock@4 ; VerifierIoReleaseCancelSpinLock(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoReleaseCancelSpinLock
		db 0BFh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@FAGDGMEG@IoReleaseVpbSpinLock@GHGBBCHJ@
		dd offset _VerifierIoReleaseVpbSpinLock@4 ; VerifierIoReleaseVpbSpinLock(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoReleaseVpbSpinLock
		db 0C2h	; 
		db    0
		db    0
		db    0
		dd offset loc_A554A7+1
		dd offset _VerifierIoRemoveShareAccess@8 ; VerifierIoRemoveShareAccess(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoRemoveShareAccess
		db 0C3h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BH@JBHGNMDM@IoReplacePartitionUnit@GHGBBCHJ@
		dd offset _VerifierIoReplacePartitionUnit@12 ; VerifierIoReplacePartitionUnit(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoReplacePartitionUnit
		db 0C4h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BH@HMKABFKE@IoReportDetectedDevice@GHGBBCHJ@
		dd offset _VerifierIoReportDetectedDevice@32 ; VerifierIoReportDetectedDevice(x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoReportDetectedDevice
		db 0C5h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BL@ECMBKMFH@IoReportTargetDeviceChange@GHGBBCHJ@
		dd offset _VerifierIoReportTargetDeviceChange@8	; VerifierIoReportTargetDeviceChange(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoReportTargetDeviceChange
		db 0C6h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0CH@FKMJECJI@IoReportTargetDeviceChangeAsync@GHGBBCHJ@
		dd offset _VerifierIoReportTargetDeviceChangeAsynchronous@16 ; VerifierIoReportTargetDeviceChangeAsynchronous(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoReportTargetDeviceChangeAsynchronous
		db 0C7h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0L@CBFMFLAK@IoReuseIrp@GHGBBCHJ@
		dd offset _VerifierIoReuseIrp@8	; VerifierIoReuseIrp(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoReuseIrp
		db 0C8h	; 
		db    0
		db    0
		db    0
		dd offset loc_A55537+1
		dd offset _VerifierIoSetDeviceInterfaceState@8 ; VerifierIoSetDeviceInterfaceState(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoSetDeviceInterfaceState
		db 0CAh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@IPDFHODH@IoSetDevicePropertyData@GHGBBCHJ@
		dd offset _VerifierIoSetDevicePropertyData@28 ;	VerifierIoSetDevicePropertyData(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoSetDevicePropertyData
		db 0CBh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BK@BIDNLHFC@IoSetPartitionInformation@GHGBBCHJ@
		dd offset @VerifierIoSetPartitionInformation@16	; VerifierIoSetPartitionInformation(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoSetPartitionInformation
		db 0CDh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BM@EMDPLNBB@IoSetPartitionInformationEx@GHGBBCHJ@
		dd offset _VerifierIoSetPartitionInformationEx@12 ; VerifierIoSetPartitionInformationEx(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoSetPartitionInformationEx
		db 0CEh	; 
		db    0
		db    0
		db    0
		dd offset loc_A554D3+1
		dd offset _VerifierIoSetShareAccess@16 ; VerifierIoSetShareAccess(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoSetShareAccess
		db 0CFh	; 
		db    0
		db    0
		db    0
		dd offset loc_A554BB+1
		dd offset _VerifierIoSetStartIoAttributes@12 ; VerifierIoSetStartIoAttributes(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoSetStartIoAttributes
		db 0D0h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BC@OJJMBMDC@IoStartNextPacket@GHGBBCHJ@
		dd offset _VerifierIoStartNextPacket@8 ; VerifierIoStartNextPacket(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoStartNextPacket
		db 0D1h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0CB@IDFPPJGA@IoUnregisterPlugPlayNotificatio@GHGBBCHJ@
		dd offset _VerifierIoUnregisterPlugPlayNotification@4 ;	VerifierIoUnregisterPlugPlayNotification(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoUnregisterPlugPlayNotification
		db 0D2h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0CD@DACLBOJF@IoUnregisterPlugPlayNotificatio@GHGBBCHJ@
		dd offset _VerifierIoUnregisterPlugPlayNotificationEx@4	; VerifierIoUnregisterPlugPlayNotificationEx(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoUnregisterPlugPlayNotificationEx
		db 0D3h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0CB@HEFMPEAL@IoUnregisterShutdownNotificatio@GHGBBCHJ@
		dd offset _VerifierIoUnregisterShutdownNotification@4 ;	VerifierIoUnregisterShutdownNotification(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoUnregisterShutdownNotification
		db 0D4h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BE@MCONIMHM@IoUpdateShareAccess@GHGBBCHJ@
		dd offset _VerifierIoUpdateShareAccess@8 ; VerifierIoUpdateShareAccess(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoUpdateShareAccess
		db 0D5h	; 
		db    0
		db    0
		db    0
		dd offset loc_A55637+1
		dd offset _VerifierIoWMIAllocateInstanceIds@12 ; VerifierIoWMIAllocateInstanceIds(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoWMIAllocateInstanceIds
		db 0D7h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BG@JAOLPM@IoWritePartitionTable@GHGBBCHJ@
		dd offset @VerifierIoWritePartitionTable@20 ; VerifierIoWritePartitionTable(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoWritePartitionTable
		db 0DBh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@BOGGCJAE@IoWritePartitionTableEx@GHGBBCHJ@
		dd offset _VerifierIoWritePartitionTableEx@8 ; VerifierIoWritePartitionTableEx(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoWritePartitionTableEx
		db 0DCh	; 
		db    0
		db    0
		db    0
		dd offset loc_A555D5+3
		dd offset @VerifierKeAcquireGuardedMutex@4 ; VerifierKeAcquireGuardedMutex(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeAcquireGuardedMutex
		db 0DFh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BM@JLACCBKP@KeAcquireGuardedMutexUnsafe@GHGBBCHJ@
		dd offset @VerifierKeAcquireGuardedMutexUnsafe@4 ; VerifierKeAcquireGuardedMutexUnsafe(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeAcquireGuardedMutexUnsafe
		db 0E0h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BL@FGOPDJL@KeAcquireInterruptSpinLock@GHGBBCHJ@
		dd offset _VerifierKeAcquireInterruptSpinLock@4	; VerifierKeAcquireInterruptSpinLock(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeAcquireInterruptSpinLock
		db 0E4h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@FPIMMGKI@KeAcquireQueuedSpinLock@GHGBBCHJ@
		dd offset @VerifierKeAcquireQueuedSpinLock@4 ; VerifierKeAcquireQueuedSpinLock(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeAcquireQueuedSpinLock
		db 0E5h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@NDHKGNHO@KeAcquireSpinLockForDpc@GHGBBCHJ@
		dd offset @VerifierKeAcquireSpinLockForDpc@4 ; VerifierKeAcquireSpinLockForDpc(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeAcquireSpinLockForDpc
		db 0E6h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@PPPEFCBH@KeAreAllApcsDisabled@GHGBBCHJ@
		dd offset _VerifierKeAreAllApcsDisabled@0 ; VerifierKeAreAllApcsDisabled()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeAreAllApcsDisabled
		db 0E7h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BC@GBCDFGHI@KeAreApcsDisabled@GHGBBCHJ@
		dd offset _VerifierKeAreApcsDisabled@0 ; VerifierKeAreApcsDisabled()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeAreApcsDisabled
		db 0E8h	; 
		db    0
		db    0
		db    0
		dd offset loc_A55667+1
		dd offset _VerifierKeCancelTimer@4 ; VerifierKeCancelTimer(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeCancelTimer
		db 0E9h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0N@MDOIGBOI@KeClearEvent@GHGBBCHJ@
		dd offset _VerifierKeClearEvent@4 ; VerifierKeClearEvent(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeClearEvent
		db 0EAh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@PDJOHFMA@KeDeregisterNmiCallback@GHGBBCHJ@
		dd offset _VerifierKeDeregisterNmiCallback@4 ; VerifierKeDeregisterNmiCallback(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeDeregisterNmiCallback
		db 0ECh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@FCJHJNIN@KeEnterGuardedRegion@GHGBBCHJ@
		dd offset _VerifierKeEnterGuardedRegion@0 ; VerifierKeEnterGuardedRegion()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeEnterGuardedRegion
		db 0EEh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BC@PMENBEMD@KeFlushQueuedDpcs@GHGBBCHJ@
		dd offset _VerifierKeFlushQueuedDpcs@0 ; VerifierKeFlushQueuedDpcs()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeFlushQueuedDpcs
		db 0EFh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@LKDPMGFK@KeInitializeDeviceQueue@GHGBBCHJ@
		dd offset _VerifierKeInitializeDeviceQueue@4 ; VerifierKeInitializeDeviceQueue(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeInitializeDeviceQueue
		db 0F0h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BJ@CLPMMMKM@KeInitializeGuardedMutex@GHGBBCHJ@
		dd offset @VerifierKeInitializeGuardedMutex@4 ;	VerifierKeInitializeGuardedMutex(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeInitializeGuardedMutex
		db 0F2h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BJ@IOBCMFCE@KeInsertByKeyDeviceQueue@GHGBBCHJ@
		dd offset _VerifierKeInsertByKeyDeviceQueue@12 ; VerifierKeInsertByKeyDeviceQueue(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeInsertByKeyDeviceQueue
		db 0F8h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BE@KIBCELM@KeInsertDeviceQueue@GHGBBCHJ@
		dd offset _VerifierKeInsertDeviceQueue@8 ; VerifierKeInsertDeviceQueue(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeInsertDeviceQueue
		db 0F9h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BC@EPGMCBKM@KeInsertHeadQueue@GHGBBCHJ@
		dd offset _VerifierKeInsertHeadQueue@8 ; VerifierKeInsertHeadQueue(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeInsertHeadQueue
		db 0FAh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0O@NBABANBG@KeInsertQueue@GHGBBCHJ@
		dd offset _VerifierKeInsertQueue@8 ; VerifierKeInsertQueue(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeInsertQueue
		db 0FBh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@ICHABMPG@KeLeaveGuardedRegion@GHGBBCHJ@
		dd offset _VerifierKeLeaveGuardedRegion@0 ; VerifierKeLeaveGuardedRegion()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeLeaveGuardedRegion
		db 0FEh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0N@BPADELEN@KePulseEvent@GHGBBCHJ@
		dd offset _VerifierKePulseEvent@12 ; VerifierKePulseEvent(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKePulseEvent
		db    0
		db    1
		db    0
		db    0
		dd offset ??_C@_0BI@MHOHIJDA@KeQueryActiveProcessors@GHGBBCHJ@
		dd offset _VerifierKeQueryActiveProcessors@0 ; VerifierKeQueryActiveProcessors()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeQueryActiveProcessors
		db    1
		db    1
		db    0
		db    0
		dd offset ??_C@_0BP@PMJCKHHK@KeRevertToUserAffinityThreadEx@GHGBBCHJ@
		dd offset _VerifierKeRevertToUserAffinityThreadEx@4 ; VerifierKeRevertToUserAffinityThreadEx(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeRevertToUserAffinityThreadEx
		db  1Dh
		db    1
		db    0
		db    0
		dd offset ??_C@_0BK@MIHAMOIA@KeSetSystemAffinityThread@GHGBBCHJ@
		dd offset _VerifierKeSetSystemAffinityThread@4 ; VerifierKeSetSystemAffinityThread(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeSetSystemAffinityThread
		db  21h	; !
		db    1
		db    0
		db    0
		dd offset ??_C@_0BG@IDJHMIOP@KeQueryPriorityThread@GHGBBCHJ@
		dd offset _VerifierKeQueryPriorityThread@4 ; VerifierKeQueryPriorityThread(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeQueryPriorityThread
		db    2
		db    1
		db    0
		db    0
		dd offset ??_C@_0BF@BJEBNMBD@KeQueryRuntimeThread@GHGBBCHJ@
		dd offset _VerifierKeQueryRuntimeThread@8 ; VerifierKeQueryRuntimeThread(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeQueryRuntimeThread
		db    3
		db    1
		db    0
		db    0
		dd offset loc_A557FF+1
		dd offset _VerifierKeReadStateEvent@4 ;	VerifierKeReadStateEvent(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeReadStateEvent
		db    6
		db    1
		db    0
		db    0
		dd offset ??_C@_0BB@CALFIDIN@KeReadStateMutex@GHGBBCHJ@
		dd offset _VerifierKeReadStateMutex@4 ;	VerifierKeReadStateMutex(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeReadStateMutex
		db    7
		db    1
		db    0
		db    0
		dd offset loc_A558F3+1
		dd offset _VerifierKeReadStateSemaphore@4 ; VerifierKeReadStateSemaphore(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeReadStateSemaphore
		db    8
		db    1
		db    0
		db    0
		dd offset ??_C@_0BB@HGICFKMC@KeReadStateTimer@GHGBBCHJ@
		dd offset _VerifierKeReadStateTimer@4 ;	VerifierKeReadStateTimer(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeReadStateTimer
		db    9
		db    1
		db    0
		db    0
		dd offset ??_C@_0BG@ONPHHIH@KeRegisterNmiCallback@GHGBBCHJ@
		dd offset _VerifierKeRegisterNmiCallback@8 ; VerifierKeRegisterNmiCallback(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeRegisterNmiCallback
		db  0Ah
		db    1
		db    0
		db    0
		dd offset loc_A558A5+3
		dd offset @VerifierKeReleaseGuardedMutex@4 ; VerifierKeReleaseGuardedMutex(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeReleaseGuardedMutex
		db  0Bh
		db    1
		db    0
		db    0
		dd offset loc_A5588B+1
		dd offset @VerifierKeReleaseGuardedMutexUnsafe@4 ; VerifierKeReleaseGuardedMutexUnsafe(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeReleaseGuardedMutexUnsafe
		db  0Ch
		db    1
		db    0
		db    0
		dd offset ??_C@_0BL@KLCPMGKK@KeReleaseInterruptSpinLock@GHGBBCHJ@
		dd offset _VerifierKeReleaseInterruptSpinLock@8	; VerifierKeReleaseInterruptSpinLock(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeReleaseInterruptSpinLock
		db  10h
		db    1
		db    0
		db    0
		dd offset ??_C@_0BI@OMBMNHKC@KeReleaseQueuedSpinLock@GHGBBCHJ@
		dd offset @VerifierKeReleaseQueuedSpinLock@8 ; VerifierKeReleaseQueuedSpinLock(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeReleaseQueuedSpinLock
		db  13h
		db    1
		db    0
		db    0
		dd offset ??_C@_0BD@BOKPENEF@KeReleaseSemaphore@GHGBBCHJ@
		dd offset _VerifierKeReleaseSemaphore@16 ; VerifierKeReleaseSemaphore(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeReleaseSemaphore
		db  14h
		db    1
		db    0
		db    0
		dd offset ??_C@_0BI@GAOKHMHE@KeReleaseSpinLockForDpc@GHGBBCHJ@
		dd offset @VerifierKeReleaseSpinLockForDpc@8 ; VerifierKeReleaseSpinLockForDpc(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeReleaseSpinLockForDpc
		db  15h
		db    1
		db    0
		db    0
		dd offset loc_A559E3+1
		dd offset _VerifierKeRemoveByKeyDeviceQueue@8 ;	VerifierKeRemoveByKeyDeviceQueue(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeRemoveByKeyDeviceQueue
		db  16h
		db    1
		db    0
		db    0
		dd offset ??_C@_0BE@LNOIFKLH@KeRemoveDeviceQueue@GHGBBCHJ@
		dd offset _VerifierKeRemoveDeviceQueue@4 ; VerifierKeRemoveDeviceQueue(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeRemoveDeviceQueue
		db  17h
		db    1
		db    0
		db    0
		dd offset ??_C@_0BJ@DOLMKFAK@KeRemoveEntryDeviceQueue@GHGBBCHJ@
		dd offset _VerifierKeRemoveEntryDeviceQueue@8 ;	VerifierKeRemoveEntryDeviceQueue(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeRemoveEntryDeviceQueue
		db  18h
		db    1
		db    0
		db    0
		dd offset ??_C@_0O@GGAAGBOF@KeRemoveQueue@GHGBBCHJ@
		dd offset _VerifierKeRemoveQueue@12 ; VerifierKeRemoveQueue(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeRemoveQueue
		db  19h
		db    1
		db    0
		db    0
		dd offset ??_C@_0N@GIMFFBBC@KeResetEvent@GHGBBCHJ@
		dd offset _VerifierKeResetEvent@4 ; VerifierKeResetEvent(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeResetEvent
		db  1Bh
		db    1
		db    0
		db    0
		dd offset ??_C@_0BJ@ENKACOPE@KeSaveFloatingPointState@GHGBBCHJ@
		dd offset _VerifierKeSaveFloatingPointState@4 ;	VerifierKeSaveFloatingPointState(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeSaveFloatingPointState
		db  1Fh
		db    1
		db    0
		db    0
		dd offset loc_A55A6E+6
		dd offset _VerifierKeSetSystemGroupAffinityThread@8 ; VerifierKeSetSystemGroupAffinityThread(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeSetSystemGroupAffinityThread
		db  22h	; "
		db    1
		db    0
		db    0
		dd offset ??_C@_0L@EEIFKGE@KeSetTimer@GHGBBCHJ@
		dd offset _VerifierKeSetTimer@16 ; VerifierKeSetTimer(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeSetTimer
		db  23h	; #
		db    1
		db    0
		db    0
		dd offset loc_A55AA3+1
		dd offset _VerifierKeSetTimerEx@20 ; VerifierKeSetTimerEx(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeSetTimerEx
		db  24h	; $
		db    1
		db    0
		db    0
		dd offset ??_C@_0P@CMHMIJAH@KeTestSpinLock@GHGBBCHJ@
		dd offset @VerifierKeTestSpinLock@4 ; VerifierKeTestSpinLock(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeTestSpinLock
		db  26h	; &
		db    1
		db    0
		db    0
		dd offset ??_C@_0BL@BPMCCEG@KeTryToAcquireGuardedMutex@GHGBBCHJ@
		dd offset @VerifierKeTryToAcquireGuardedMutex@4	; VerifierKeTryToAcquireGuardedMutex(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeTryToAcquireGuardedMutex
		db  27h	; '
		db    1
		db    0
		db    0
		dd offset ??_C@_0BE@MDFBHIGK@MmAddPhysicalMemory@GHGBBCHJ@
		dd offset _VerifierMmAddPhysicalMemory@8 ; VerifierMmAddPhysicalMemory(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmAddPhysicalMemory
		db  32h	; 2
		db    1
		db    0
		db    0
		dd offset ??_C@_0P@NBKLIHNN@MmCreateMirror@GHGBBCHJ@
		dd offset _VerifierMmCreateMirror@0 ; VerifierMmCreateMirror()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmCreateMirror
		db  3Bh	; ;
		db    1
		db    0
		db    0
		dd offset loc_A55A2F+1
		dd offset _VerifierMmDoesFileHaveUserWritableReferences@4 ; VerifierMmDoesFileHaveUserWritableReferences(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmDoesFileHaveUserWritableReferences
		db  3Ch	; <
		db    1
		db    0
		db    0
		dd offset ??_C@_0BK@LPDDDECA@MmGetPhysicalMemoryRanges@GHGBBCHJ@
		dd offset _VerifierMmGetPhysicalMemoryRanges@0 ; VerifierMmGetPhysicalMemoryRanges()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmGetPhysicalMemoryRanges
		db  41h	; A
		db    1
		db    0
		db    0
		dd offset ??_C@_0BJ@GKLIFAE@MmLockPagableDataSection@GHGBBCHJ@
		dd offset _VerifierMmLockPagableDataSection@4 ;	VerifierMmLockPagableDataSection(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmLockPagableDataSection
		db  43h	; C
		db    1
		db    0
		db    0
		dd offset ??_C@_0BN@PGLJKPN@MmLockPagableSectionByHandle@GHGBBCHJ@
		dd offset _VerifierMmLockPagableSectionByHandle@4 ; VerifierMmLockPagableSectionByHandle(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmLockPagableSectionByHandle
		db  44h	; D
		db    1
		db    0
		db    0
		dd offset ??_C@_0CE@MOKIDCPN@MmMapLockedPagesWithReservedMap@GHGBBCHJ@
		dd offset _VerifierMmMapLockedPagesWithReservedMapping@16 ; VerifierMmMapLockedPagesWithReservedMapping(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmMapLockedPagesWithReservedMapping
		db  48h	; H
		db    1
		db    0
		db    0
		dd offset ??_C@_0BD@HMJANFJE@MmPageEntireDriver@GHGBBCHJ@
		dd offset _VerifierMmPageEntireDriver@4	; VerifierMmPageEntireDriver(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmPageEntireDriver
		db  49h	; I
		db    1
		db    0
		db    0
		dd offset ??_C@_0BA@EHOMDAKO@MmPrefetchPages@GHGBBCHJ@
		dd offset _VerifierMmPrefetchPages@8 ; VerifierMmPrefetchPages(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmPrefetchPages
		db  4Ah	; J
		db    1
		db    0
		db    0
		dd offset ??_C@_0BH@GFOLFMHN@MmRemovePhysicalMemory@GHGBBCHJ@
		dd offset _VerifierMmRemovePhysicalMemory@8 ; VerifierMmRemovePhysicalMemory(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmRemovePhysicalMemory
		db  4Dh	; M
		db    1
		db    0
		db    0
		dd offset ??_C@_0BE@DFPPCCIK@MmResetDriverPaging@GHGBBCHJ@
		dd offset _VerifierMmResetDriverPaging@4 ; VerifierMmResetDriverPaging(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmResetDriverPaging
		db  4Eh	; N
		db    1
		db    0
		db    0
		dd offset loc_A55BF7+1
		dd offset _VerifierMmSecureVirtualMemory@12 ; VerifierMmSecureVirtualMemory(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmSecureVirtualMemory
		db  4Fh	; O
		db    1
		db    0
		db    0
		dd offset ??_C@_0BM@BMLEJECB@MmUnlockPagableImageSection@GHGBBCHJ@
		dd offset _VerifierMmUnlockPagableImageSection@4 ; VerifierMmUnlockPagableImageSection(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmUnlockPagableImageSection
		db  50h	; P
		db    1
		db    0
		db    0
		dd offset loc_A55C17+5
		dd offset _VerifierMmUnsecureVirtualMemory@4 ; VerifierMmUnsecureVirtualMemory(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmUnsecureVirtualMemory
		db  54h	; T
		db    1
		db    0
		db    0
		dd offset ??_C@_0L@MODOAKDL@NtLockFile@GHGBBCHJ@
		dd offset _VerifierNtLockFile@40 ; VerifierNtLockFile(x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvNtLockFile
		db  56h	; V
		db    1
		db    0
		db    0
		dd offset loc_A55B89+7
		dd offset _VerifierNtSetInformationFile@20 ; VerifierNtSetInformationFile(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvNtSetInformationFile
		db  58h	; X
		db    1
		db    0
		db    0
		dd offset ??_C@_0N@PFEAAKMI@NtUnlockFile@GHGBBCHJ@
		dd offset _VerifierNtUnlockFile@20 ; VerifierNtUnlockFile(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvNtUnlockFile
		db  59h	; Y
		db    1
		db    0
		db    0
		dd offset loc_A55BC2+2
		dd offset @VerifierObfDereferenceObject@4 ; VerifierObfDereferenceObject(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvObfDereferenceObject
		db  61h	; a
		db    1
		db    0
		db    0
		dd offset ??_C@_0BM@KBNOOIAM@ObfDereferenceObjectWithTag@GHGBBCHJ@
		dd offset @VerifierObfDereferenceObjectWithTag@8 ; VerifierObfDereferenceObjectWithTag(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvObfDereferenceObjectWithTag
		db  62h	; b
		db    1
		db    0
		db    0
		dd offset loc_A55CA8+4
		dd offset @VerifierObfReferenceObjectWithTag@8 ; VerifierObfReferenceObjectWithTag(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvObfReferenceObjectWithTag
		db  64h	; d
		db    1
		db    0
		db    0
		dd offset ??_C@_0BE@GKJPIHDM@ObGetObjectSecurity@GHGBBCHJ@
		dd offset _VerifierObGetObjectSecurity@12 ; VerifierObGetObjectSecurity(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvObGetObjectSecurity
		db  5Bh	; [
		db    1
		db    0
		db    0
		dd offset loc_A55CEB+1
		dd offset _VerifierObReferenceObjectByHandleWithTag@28 ; VerifierObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvObReferenceObjectByHandleWithTag
		db  5Dh	; ]
		db    1
		db    0
		db    0
		dd offset loc_A55CC7+1
		dd offset _VerifierObReferenceObjectByPointerWithTag@20	; VerifierObReferenceObjectByPointerWithTag(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvObReferenceObjectByPointerWithTag
		db  5Fh	; _
		db    1
		db    0
		db    0
		dd offset ??_C@_0BI@BOGDLNOD@ObReleaseObjectSecurity@GHGBBCHJ@
		dd offset _VerifierObReleaseObjectSecurity@8 ; VerifierObReleaseObjectSecurity(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvObReleaseObjectSecurity
		db  60h	; `
		db    1
		db    0
		db    0
		dd offset loc_A55C33+1
		dd offset _VerifierPoCallDriver@8 ; VerifierPoCallDriver(x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvPoCallDriver
		db  65h	; e
		db    1
		db    0
		db    0
		dd offset ??_C@_0BG@NNMIODPD@PoFxActivateComponent@GHGBBCHJ@
		dd offset _VerifierPoFxActivateComponent@12 ; VerifierPoFxActivateComponent(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxActivateComponent
		db  66h	; f
		db    1
		db    0
		db    0
		dd offset ??_C@_0CD@LBIPMALL@PoFxCompleteDevicePowerNotRequi@GHGBBCHJ@
		dd offset _VerifierPoFxCompleteDevicePowerNotRequired@4	; VerifierPoFxCompleteDevicePowerNotRequired(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxCompleteDevicePowerNotRequired
		db  67h	; g
		db    1
		db    0
		db    0
		dd offset ??_C@_0BK@MAADGOKA@PoFxCompleteIdleCondition@GHGBBCHJ@
		dd offset _VerifierPoFxCompleteIdleCondition@8 ; VerifierPoFxCompleteIdleCondition(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxCompleteIdleCondition
		db  68h	; h
		db    1
		db    0
		db    0
		dd offset ??_C@_0BG@MIKNLDNH@PoFxCompleteIdleState@GHGBBCHJ@
		dd offset _VerifierPoFxCompleteIdleState@8 ; VerifierPoFxCompleteIdleState(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxCompleteIdleState
		db  69h	; i
		db    1
		db    0
		db    0
		dd offset ??_C@_0BC@KLHKOMHD@PoFxIdleComponent@GHGBBCHJ@
		dd offset _VerifierPoFxIdleComponent@12	; VerifierPoFxIdleComponent(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxIdleComponent
		db  6Ah	; j
		db    1
		db    0
		db    0
		dd offset ??_C@_0BK@BCCNDOAG@PoFxNotifySurprisePowerOn@GHGBBCHJ@
		dd offset _VerifierPoFxNotifySurprisePowerOn@4 ; VerifierPoFxNotifySurprisePowerOn(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxNotifySurprisePowerOn
		db  6Bh	; k
		db    1
		db    0
		db    0
		dd offset ??_C@_0BB@DIOAKMBD@PoFxPowerControl@GHGBBCHJ@
		dd offset _VerifierPoFxPowerControl@28 ; VerifierPoFxPowerControl(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxPowerControl
		db  6Ch	; l
		db    1
		db    0
		db    0
		dd offset ??_C@_0BD@DOCNIGLA@PoFxRegisterDevice@GHGBBCHJ@
		dd offset _VerifierPoFxRegisterDevice@12 ; VerifierPoFxRegisterDevice(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxRegisterDevice
		db  6Dh	; m
		db    1
		db    0
		db    0
		dd offset ??_C@_0BK@NAJHNHGP@PoFxReportDevicePoweredOn@GHGBBCHJ@
		dd offset _VerifierPoFxReportDevicePoweredOn@4 ; VerifierPoFxReportDevicePoweredOn(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxReportDevicePoweredOn
		db  6Eh	; n
		db    1
		db    0
		db    0
		dd offset ??_C@_0BI@JHFKAKCH@PoFxSetComponentLatency@GHGBBCHJ@
		dd offset _VerifierPoFxSetComponentLatency@16 ;	VerifierPoFxSetComponentLatency(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxSetComponentLatency
		db  6Fh	; o
		db    1
		db    0
		db    0
		dd offset ??_C@_0BK@MEIHEBDN@PoFxSetComponentResidency@GHGBBCHJ@
		dd offset _VerifierPoFxSetComponentResidency@16	; VerifierPoFxSetComponentResidency(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxSetComponentResidency
		db  70h	; p
		db    1
		db    0
		db    0
		dd offset ??_C@_0BF@OEGEHJMI@PoFxSetComponentWake@GHGBBCHJ@
		dd offset _VerifierPoFxSetComponentWake@12 ; VerifierPoFxSetComponentWake(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxSetComponentWake
		db  71h	; q
		db    1
		db    0
		db    0
		dd offset ??_C@_0BJ@IIMIFLIN@PoFxSetDeviceIdleTimeout@GHGBBCHJ@
		dd offset _VerifierPoFxSetDeviceIdleTimeout@12 ; VerifierPoFxSetDeviceIdleTimeout(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxSetDeviceIdleTimeout
		db  72h	; r
		db    1
		db    0
		db    0
		dd offset ??_C@_0BP@KEDIMJIF@PoFxStartDevicePowerManagement@GHGBBCHJ@
		dd offset _VerifierPoFxStartDevicePowerManagement@4 ; VerifierPoFxStartDevicePowerManagement(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxStartDevicePowerManagement
		db  73h	; s
		db    1
		db    0
		db    0
		dd offset ??_C@_0BF@HBBEJIAN@PoFxUnregisterDevice@GHGBBCHJ@
		dd offset _VerifierPoFxUnregisterDevice@4 ; VerifierPoFxUnregisterDevice(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoFxUnregisterDevice
		db  74h	; t
		db    1
		db    0
		db    0
		dd offset ??_C@_0BC@GIOOBLCP@PoRequestPowerIrp@GHGBBCHJ@
		dd offset _VerifierPoRequestPowerIrp@24	; VerifierPoRequestPowerIrp(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPoRequestPowerIrp
		db  75h	; u
		db    1
		db    0
		db    0
		dd offset ??_C@_0N@ODPDCMLN@ProbeForRead@GHGBBCHJ@
		dd offset _VerifierProbeForRead@12 ; VerifierProbeForRead(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvProbeForRead
		db  76h	; v
		db    1
		db    0
		db    0
		dd offset ??_C@_0O@PGCGPCEB@ProbeForWrite@GHGBBCHJ@
		dd offset _VerifierProbeForWrite@12 ; VerifierProbeForWrite(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvProbeForWrite
		db  77h	; w
		db    1
		db    0
		db    0
		dd offset ??_C@_0BL@KCEAPHIA@PsAssignImpersonationToken@GHGBBCHJ@
		dd offset _VerifierPsAssignImpersonationToken@8	; VerifierPsAssignImpersonationToken(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsAssignImpersonationToken
		db  78h	; x
		db    1
		db    0
		db    0
		dd offset loc_A55EE3+5
		dd offset _VerifierPsCreateSystemThread@28 ; VerifierPsCreateSystemThread(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsCreateSystemThread
		db  79h	; y
		db    1
		db    0
		db    0
		dd offset ??_C@_0CA@OLJHELGG@PsDereferenceImpersonationToken@GHGBBCHJ@
		dd offset _VerifierPsDereferenceImpersonationToken@4 ; VerifierPsDereferenceImpersonationToken(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsDereferenceImpersonationToken
		db  7Ah	; z
		db    1
		db    0
		db    0
		dd offset loc_A55F1B+1
		dd offset _VerifierPsDereferencePrimaryToken@4 ; VerifierPsDereferencePrimaryToken(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsDereferencePrimaryToken
		db  7Bh	; {
		db    1
		db    0
		db    0
		dd offset ??_C@_0BH@IKBDLDOJ@PsDisableImpersonation@GHGBBCHJ@
		dd offset _VerifierPsDisableImpersonation@8 ; VerifierPsDisableImpersonation(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsDisableImpersonation
		db  7Ch	; |
		db    1
		db    0
		db    0
		dd offset ??_C@_0N@IDKDFBOC@PsGetVersion@GHGBBCHJ@
		dd offset _VerifierPsGetVersion@16 ; VerifierPsGetVersion(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsGetVersion
		db  7Dh	; }
		db    1
		db    0
		db    0
		dd offset ??_C@_0BE@LHKJAOID@PsImpersonateClient@GHGBBCHJ@
		dd offset _VerifierPsImpersonateClient@20 ; VerifierPsImpersonateClient(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsImpersonateClient
		db  7Eh	; ~
		db    1
		db    0
		db    0
		dd offset ??_C@_0BO@MPBOCLON@PsReferenceImpersonationToken@GHGBBCHJ@
		dd offset _VerifierPsReferenceImpersonationToken@16 ; VerifierPsReferenceImpersonationToken(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsReferenceImpersonationToken
		db  7Fh	; 
		db    1
		db    0
		db    0
		dd offset loc_A55FF3+5
		dd offset _VerifierPsReferencePrimaryToken@4 ; VerifierPsReferencePrimaryToken(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsReferencePrimaryToken
		db  80h	; 
		db    1
		db    0
		db    0
		dd offset loc_A55FD3+5
		dd offset _VerifierPsRemoveLoadImageNotifyRoutine@4 ; VerifierPsRemoveLoadImageNotifyRoutine(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsRemoveLoadImageNotifyRoutine
		db  81h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BH@PKLOMPPA@PsRestoreImpersonation@GHGBBCHJ@
		dd offset _VerifierPsRestoreImpersonation@8 ; VerifierPsRestoreImpersonation(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsRestoreImpersonation
		db  82h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0P@BBJDAIEP@PsRevertToSelf@GHGBBCHJ@
		dd offset _VerifierPsRevertToSelf@0 ; VerifierPsRevertToSelf()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsRevertToSelf
		db  83h	; 
		db    1
		db    0
		db    0
		dd offset loc_A55F7B+1
		dd offset _VerifierPsSetCreateProcessNotifyRoutine@8 ; VerifierPsSetCreateProcessNotifyRoutine(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsSetCreateProcessNotifyRoutine
		db  84h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0CC@DOJIFMGM@PsSetCreateProcessNotifyRoutine@GHGBBCHJ@
		dd offset _VerifierPsSetCreateProcessNotifyRoutineEx@8 ; VerifierPsSetCreateProcessNotifyRoutineEx(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsSetCreateProcessNotifyRoutineEx
		db  85h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BP@HBCNNCAP@PsSetCreateThreadNotifyRoutine@GHGBBCHJ@
		dd offset _VerifierPsSetCreateThreadNotifyRoutine@4 ; VerifierPsSetCreateThreadNotifyRoutine(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsSetCreateThreadNotifyRoutine
		db  86h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BM@DDLPPFME@PsSetLoadImageNotifyRoutine@GHGBBCHJ@
		dd offset _VerifierPsSetLoadImageNotifyRoutine@4 ; VerifierPsSetLoadImageNotifyRoutine(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsSetLoadImageNotifyRoutine
		db  87h	; 
		db    1
		db    0
		db    0
		dd offset loc_A560BE+2
		dd offset _VerifierPsTerminateSystemThread@4 ; VerifierPsTerminateSystemThread(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvPsTerminateSystemThread
		db  88h	; 
		db    1
		db    0
		db    0
		dd offset loc_A560A7+1
		dd offset _VerifierRtlCompareUnicodeString@12 ;	VerifierRtlCompareUnicodeString(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlCompareUnicodeString
		db  8Ah	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BH@GPMLOEIN@RtlDeleteRegistryValue@GHGBBCHJ@
		dd offset _VerifierRtlDeleteRegistryValue@12 ; VerifierRtlDeleteRegistryValue(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlDeleteRegistryValue
		db  8Eh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BG@KMNHAFPD@RtlWriteRegistryValue@GHGBBCHJ@
		dd offset _VerifierRtlWriteRegistryValue@24 ; VerifierRtlWriteRegistryValue(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlWriteRegistryValue
		db 0A3h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BF@BBANLIHJ@RtlCreateRegistryKey@GHGBBCHJ@
		dd offset _VerifierRtlCreateRegistryKey@8 ; VerifierRtlCreateRegistryKey(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlCreateRegistryKey
		db  8Bh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0CH@LCNLDEMI@RtlCreateSystemVolumeInformatio@GHGBBCHJ@
		dd offset _VerifierRtlCreateSystemVolumeInformationFolder@4 ; VerifierRtlCreateSystemVolumeInformationFolder(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlCreateSystemVolumeInformationFolder
		db  8Ch	; 
		db    1
		db    0
		db    0
		dd offset loc_A5608F+1
		dd offset _VerifierRtlDowncaseUnicodeChar@4 ; VerifierRtlDowncaseUnicodeChar(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlDowncaseUnicodeChar
		db  8Fh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BG@DECGJEOB@RtlEqualUnicodeString@GHGBBCHJ@
		dd offset _VerifierRtlEqualUnicodeString@12 ; VerifierRtlEqualUnicodeString(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlEqualUnicodeString
		db  92h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BF@GENHDPCD@RtlFreeUnicodeString@GHGBBCHJ@
		dd offset _VerifierRtlFreeUnicodeString@4 ; VerifierRtlFreeUnicodeString(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlFreeUnicodeString
		db  93h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BG@EIHHCKPD@RtlGenerateClass5Guid@GHGBBCHJ@
		dd offset _VerifierRtlGenerateClass5Guid@16 ; VerifierRtlGenerateClass5Guid(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlGenerateClass5Guid
		db  95h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BC@FANMNHGG@RtlGUIDFromString@GHGBBCHJ@
		dd offset _VerifierRtlGUIDFromString@8 ; VerifierRtlGUIDFromString(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlGUIDFromString
		db  94h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BF@HAIJMKCF@RtlHashUnicodeString@GHGBBCHJ@
		dd offset _VerifierRtlHashUnicodeString@16 ; VerifierRtlHashUnicodeString(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlHashUnicodeString
		db  96h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BC@MFBLMEKB@RtlStringFromGUID@GHGBBCHJ@
		dd offset _VerifierRtlStringFromGUID@8 ; VerifierRtlStringFromGUID(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlStringFromGUID
		db  99h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BC@GGFIMMMG@RtlUnicodeToUTF8N@GHGBBCHJ@
		dd offset _VerifierRtlUnicodeToUTF8N@20	; VerifierRtlUnicodeToUTF8N(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlUnicodeToUTF8N
		db  9Eh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BF@OABOIEII@RtlUpcaseUnicodeChar@GHGBBCHJ@
		dd offset _VerifierRtlUpcaseUnicodeChar@4 ; VerifierRtlUpcaseUnicodeChar(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlUpcaseUnicodeChar
		db  9Fh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BC@GJEAIKI@RtlUTF8ToUnicodeN@GHGBBCHJ@
		dd offset _VerifierRtlUTF8ToUnicodeN@20	; VerifierRtlUTF8ToUnicodeN(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlUTF8ToUnicodeN
		db  9Ah	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BM@HMPGFOLH@RtlxAnsiStringToUnicodeSize@GHGBBCHJ@
		dd offset _VerifierRtlxAnsiStringToUnicodeSize@4 ; VerifierRtlxAnsiStringToUnicodeSize(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlxAnsiStringToUnicodeSize
		db 0A4h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BM@EFEAIGKK@RtlxUnicodeStringToAnsiSize@GHGBBCHJ@
		dd offset _VerifierRtlxUnicodeStringToAnsiSize@4 ; VerifierRtlxUnicodeStringToAnsiSize(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlxUnicodeStringToAnsiSize
		db 0A5h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0O@DHJHKJKC@SeAccessCheck@GHGBBCHJ@
		dd offset _VerifierSeAccessCheck@40 ; VerifierSeAccessCheck(x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvSeAccessCheck
		db 0B5h	; 
		db    1
		db    0
		db    0
		dd offset loc_A56247+1
		dd offset _VerifierSeAssignSecurity@28 ; VerifierSeAssignSecurity(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvSeAssignSecurity
		db 0B6h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BD@PIMPBIIE@SeAssignSecurityEx@GHGBBCHJ@
		dd offset _VerifierSeAssignSecurityEx@36 ; VerifierSeAssignSecurityEx(x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvSeAssignSecurityEx
		db 0B7h	; 
		db    1
		db    0
		db    0
		dd offset loc_A561B2+6
		dd offset _VerifierSeDeassignSecurity@4	; VerifierSeDeassignSecurity(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvSeDeassignSecurity
		db 0B8h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BF@JDAJABIM@SeLockSubjectContext@GHGBBCHJ@
		dd offset _VerifierSeLockSubjectContext@4 ; VerifierSeLockSubjectContext(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvSeLockSubjectContext
		db 0B9h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BI@KFBIJFPO@SeReleaseSubjectContext@GHGBBCHJ@
		dd offset _VerifierSeReleaseSubjectContext@4 ; VerifierSeReleaseSubjectContext(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvSeReleaseSubjectContext
		db 0BAh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BH@GLHJHLCD@SeSinglePrivilegeCheck@GHGBBCHJ@
		dd offset _VerifierSeSinglePrivilegeCheck@12 ; VerifierSeSinglePrivilegeCheck(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvSeSinglePrivilegeCheck
		db 0BBh	; 
		db    1
		db    0
		db    0
		dd offset loc_A562B3+1
		dd offset _VerifierSeUnlockSubjectContext@4 ; VerifierSeUnlockSubjectContext(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvSeUnlockSubjectContext
		db 0BCh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BK@BGHCEEON@SeValidSecurityDescriptor@GHGBBCHJ@
		dd offset _VerifierSeValidSecurityDescriptor@8 ; VerifierSeValidSecurityDescriptor(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvSeValidSecurityDescriptor
		db 0BDh	; 
		db    1
		db    0
		db    0
		dd offset loc_A562E3+1
		dd offset _VerifierZwAllocateLocallyUniqueId@4 ; VerifierZwAllocateLocallyUniqueId(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwAllocateLocallyUniqueId
		db 0D1h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_07IPICGNAN@ZwClose@GHGBBCHJ@
		dd offset _VerifierZwClose@4 ; VerifierZwClose(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwClose
		db 0D4h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BB@FCLNHJJO@ZwCommitComplete@GHGBBCHJ@
		dd offset _VerifierZwCommitComplete@8 ;	VerifierZwCommitComplete(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCommitComplete
		db 0D5h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BE@DDCAJFMM@ZwCommitTransaction@GHGBBCHJ@
		dd offset _VerifierZwCommitTransaction@8 ; VerifierZwCommitTransaction(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCommitTransaction
		db 0D7h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BG@ICJHAGLN@ZwCreateKeyTransacted@GHGBBCHJ@
		dd offset _VerifierZwCreateKeyTransacted@32 ; VerifierZwCreateKeyTransacted(x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCreateKeyTransacted
		db 0DDh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BI@PHFAOIFC@ZwCreateResourceManager@GHGBBCHJ@
		dd offset _VerifierZwCreateResourceManager@28 ;	VerifierZwCreateResourceManager(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCreateResourceManager
		db 0DEh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0M@GHIFNKKI@ZwDeleteKey@GHGBBCHJ@
		dd offset _VerifierZwDeleteKey@4 ; VerifierZwDeleteKey(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwDeleteKey
		db 0E4h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BN@DLBDDIJG@ZwEnumerateTransactionObject@GHGBBCHJ@
		dd offset _VerifierZwEnumerateTransactionObject@20 ; VerifierZwEnumerateTransactionObject(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwEnumerateTransactionObject
		db 0EBh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BD@LLOHOAGA@ZwFlushBuffersFile@GHGBBCHJ@
		dd offset _VerifierZwFlushBuffersFile@8	; VerifierZwFlushBuffersFile(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwFlushBuffersFile
		db 0EDh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BF@FEEAIOON@ZwFlushBuffersFileEx@GHGBBCHJ@
		dd offset _VerifierZwFlushBuffersFileEx@20 ; VerifierZwFlushBuffersFileEx(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwFlushBuffersFileEx
		db 0EEh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0L@FGGADCAM@ZwFlushKey@GHGBBCHJ@
		dd offset _VerifierZwFlushKey@4	; VerifierZwFlushKey(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwFlushKey
		db 0EFh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0CB@JEGANOH@ZwGetNotificationResourceManage@GHGBBCHJ@
		dd offset _VerifierZwGetNotificationResourceManager@28 ; VerifierZwGetNotificationResourceManager(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwGetNotificationResourceManager
		db 0F3h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0L@DLCGAGHB@ZwLockFile@GHGBBCHJ@
		dd offset _VerifierZwLockFile@40 ; VerifierZwLockFile(x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwLockFile
		db 0F5h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BG@CKOEGIOA@ZwMakeTemporaryObject@GHGBBCHJ@
		dd offset _VerifierZwMakeTemporaryObject@4 ; VerifierZwMakeTemporaryObject(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwMakeTemporaryObject
		db 0F6h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0M@OKCCJLED@ZwOpenKeyEx@GHGBBCHJ@
		dd offset _VerifierZwOpenKeyEx@16 ; VerifierZwOpenKeyEx(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenKeyEx
		db 0FEh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BE@PPJELLFA@ZwOpenKeyTransacted@GHGBBCHJ@
		dd offset _VerifierZwOpenKeyTransacted@16 ; VerifierZwOpenKeyTransacted(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenKeyTransacted
		db 0FFh
		db    1
		db    0
		db    0
		dd offset loc_A5645B+1
		dd offset _VerifierZwOpenKeyTransactedEx@20 ; VerifierZwOpenKeyTransactedEx(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenKeyTransactedEx
		db    0
		db    2
		db    0
		db    0
		dd offset ??_C@_0BG@KJFANHMB@ZwOpenResourceManager@GHGBBCHJ@
		dd offset _VerifierZwOpenResourceManager@20 ; VerifierZwOpenResourceManager(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenResourceManager
		db    3
		db    2
		db    0
		db    0
		dd offset ??_C@_0BF@BJFCFGHI@ZwPrePrepareComplete@GHGBBCHJ@
		dd offset _VerifierZwPrePrepareComplete@8 ; VerifierZwPrePrepareComplete(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwPrePrepareComplete
		db  0Bh
		db    2
		db    0
		db    0
		dd offset loc_A56410+4
		dd offset _VerifierZwQueryInformationResourceManager@20	; VerifierZwQueryInformationResourceManager(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryInformationResourceManager
		db  14h
		db    2
		db    0
		db    0
		dd offset ??_C@_0BM@NMGOCKNF@ZwQueryQuotaInformationFile@GHGBBCHJ@
		dd offset _VerifierZwQueryQuotaInformationFile@36 ; VerifierZwQueryQuotaInformationFile(x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryQuotaInformationFile
		db  1Ah
		db    2
		db    0
		db    0
		dd offset loc_A564FB+1
		dd offset _VerifierZwReadOnlyEnlistment@8 ; VerifierZwReadOnlyEnlistment(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwReadOnlyEnlistment
		db  20h
		db    2
		db    0
		db    0
		dd offset ??_C@_0BE@KNMOALJP@ZwRecoverEnlistment@GHGBBCHJ@
		dd offset _VerifierZwRecoverEnlistment@8 ; VerifierZwRecoverEnlistment(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwRecoverEnlistment
		db  21h	; !
		db    2
		db    0
		db    0
		dd offset ??_C@_0BM@FPMAKEFE@ZwRecoverTransactionManager@GHGBBCHJ@
		dd offset _VerifierZwRecoverTransactionManager@4 ; VerifierZwRecoverTransactionManager(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwRecoverTransactionManager
		db  22h	; "
		db    2
		db    0
		db    0
		dd offset ??_C@_0M@NPIGFLDK@ZwRenameKey@GHGBBCHJ@
		dd offset _VerifierZwRenameKey@8 ; VerifierZwRenameKey(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwRenameKey
		db  23h	; #
		db    2
		db    0
		db    0
		dd offset ??_C@_0BE@GBHFBHOH@ZwSetInformationKey@GHGBBCHJ@
		dd offset _VerifierZwSetInformationKey@16 ; VerifierZwSetInformationKey(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetInformationKey
		db  2Bh	; +
		db    2
		db    0
		db    0
		dd offset loc_A56487+1
		dd offset _VerifierZwRollbackComplete@8	; VerifierZwRollbackComplete(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwRollbackComplete
		db  24h	; $
		db    2
		db    0
		db    0
		dd offset ??_C@_0BG@NEJIBFHB@ZwRollbackTransaction@GHGBBCHJ@
		dd offset _VerifierZwRollbackTransaction@8 ; VerifierZwRollbackTransaction(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwRollbackTransaction
		db  26h	; &
		db    2
		db    0
		db    0
		dd offset ??_C@_0CA@OKMCBOFF@ZwSetInformationResourceManager@GHGBBCHJ@
		dd offset _VerifierZwSetInformationResourceManager@16 ;	VerifierZwSetInformationResourceManager(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetInformationResourceManager
		db  2Ch	; ,
		db    2
		db    0
		db    0
		dd offset loc_A56592+6
		dd offset _VerifierZwSetInformationToken@16 ; VerifierZwSetInformationToken(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetInformationToken
		db  2Eh	; .
		db    2
		db    0
		db    0
		dd offset ??_C@_0BK@JKGEINAM@ZwSetQuotaInformationFile@GHGBBCHJ@
		dd offset _VerifierZwSetQuotaInformationFile@16	; VerifierZwSetQuotaInformationFile(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetQuotaInformationFile
		db  30h	; 0
		db    2
		db    0
		db    0
		dd offset ??_C@_0N@JCCKKCOI@ZwSetTimerEx@GHGBBCHJ@
		dd offset _VerifierZwSetTimerEx@16 ; VerifierZwSetTimerEx(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetTimerEx
		db  33h	; 3
		db    2
		db    0
		db    0
		dd offset ??_C@_0BD@KGKBMFPI@ZwTerminateProcess@GHGBBCHJ@
		dd offset _VerifierZwTerminateProcess@8	; VerifierZwTerminateProcess(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwTerminateProcess
		db  36h	; 6
		db    2
		db    0
		db    0
		dd offset ??_C@_0N@PGGABEHE@ZwUnlockFile@GHGBBCHJ@
		dd offset _VerifierZwUnlockFile@20 ; VerifierZwUnlockFile(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwUnlockFile
		db  38h	; 8
		db    2
		db    0
		db    0
		dd offset ??_C@_0BF@IPAHFEPJ@ZwUnmapViewOfSection@GHGBBCHJ@
		dd offset _VerifierZwUnmapViewOfSection@8 ; VerifierZwUnmapViewOfSection(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwUnmapViewOfSection
		db  39h	; 9
		db    2
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_VfPoolThunks	dd offset ??_C@_0CG@LANCDJAB@ExAllocateCacheAwareRundownProt@GHGBBCHJ@
					; DATA XREF: VfThunkAddTargetNotify+32o
					; VfGetHookAddressForOriginal(x)+1Bo ...
		dd offset _VerifierExAllocateCacheAwareRundownProtection@8 ; VerifierExAllocateCacheAwareRundownProtection(x,x)
		align 10h
		dd offset _pXdvExAllocateCacheAwareRundownProtection
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A52A27+1
		dd offset _VerifierExAllocatePool@8 ; VerifierExAllocatePool(x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvExAllocatePool
		db  1Bh
		db    0
		db    0
		db    0
		dd offset ??_C@_0BA@HAHFAAIP@ExAllocatePool2@GHGBBCHJ@
		dd offset _VerifierExAllocatePool2@16 ;	VerifierExAllocatePool2(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvExAllocatePool2
		db  15h
		db    0
		db    0
		db    0
		dd offset loc_A529D2+2
		dd offset _VerifierExAllocatePool3@24 ;	VerifierExAllocatePool3(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvExAllocatePool3
		db  16h
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@MFNAEHDK@ExAllocatePoolWithQuota@GHGBBCHJ@
		dd offset _VerifierExAllocatePoolWithQuota@8 ; VerifierExAllocatePoolWithQuota(x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvExAllocatePoolWithQuota
		db  18h
		db    0
		db    0
		db    0
		dd offset ??_C@_0BL@DHNBKPBH@ExAllocatePoolWithQuotaTag@GHGBBCHJ@
		dd offset _VerifierExAllocatePoolWithQuotaTag@12 ; VerifierExAllocatePoolWithQuotaTag(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvExAllocatePoolWithQuotaTag
		db  17h
		db    0
		db    0
		db    0
		dd offset ??_C@_0BG@HPOEIOMD@ExAllocatePoolWithTag@GHGBBCHJ@
		dd offset _VerifierExAllocatePoolWithTag@12 ; VerifierExAllocatePoolWithTag(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvExAllocatePoolWithTag
		db  1Ah
		db    0
		db    0
		db    0
		dd offset ??_C@_0BO@MJMFJFMG@ExAllocatePoolWithTagPriority@GHGBBCHJ@
		dd offset _VerifierExAllocatePoolWithTagPriority@16 ; VerifierExAllocatePoolWithTagPriority(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvExAllocatePoolWithTagPriority
		db  19h
		db    0
		db    0
		db    0
		dd offset loc_A52B07+1
		dd offset _VerifierExFreePool@4	; VerifierExFreePool(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExFreePool
		db  27h	; '
		db    0
		db    0
		db    0
		dd offset ??_C@_0BC@LGLGINHN@ExFreePoolWithTag@GHGBBCHJ@
		dd offset _VerifierExFreePoolWithTag@8 ; VerifierExFreePoolWithTag(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExFreePoolWithTag
		db  28h	; (
		db    0
		db    0
		db    0
		dd offset ??_C@_0O@HNLDFBJF@IoAllocateIrp@GHGBBCHJ@
		dd offset _VerifierIoAllocateIrp@8 ; VerifierIoAllocateIrp(x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvIoAllocateIrp
		db  7Fh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0O@MANEEFN@IoAllocateMdl@GHGBBCHJ@
		dd offset _VerifierIoAllocateMdl@20 ; VerifierIoAllocateMdl(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvIoAllocateMdl
		db  80h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BJ@HCEIIDF@IoSetCompletionRoutineEx@GHGBBCHJ@
		dd offset _VerifierIoSetCompletionRoutineEx@28 ; VerifierIoSetCompletionRoutineEx(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoSetCompletionRoutineEx
		db 0C9h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@PPLEAEDO@RtlAnsiStringToUnicodeString@GHGBBCHJ@
		dd offset _VerifierRtlAnsiStringToUnicodeString@12 ; VerifierRtlAnsiStringToUnicodeString(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlAnsiStringToUnicodeString
		db  89h	; 
		db    1
		db    0
		db    0
		dd offset loc_A52BCB+5
		dd offset _VerifierRtlUnicodeStringToAnsiString@12 ; VerifierRtlUnicodeStringToAnsiString(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlUnicodeStringToAnsiString
		db  9Bh	; 
		db    1
		db    0
		db    0
		dd offset loc_A52BA7+5
		dd offset _VerifierRtlUpcaseUnicodeStringToAnsiString@12 ; VerifierRtlUpcaseUnicodeStringToAnsiString(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvRtlUpcaseUnicodeStringToAnsiString
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A52C08+4
		dd offset _VerifierRtlOemStringToUnicodeString@12 ; VerifierRtlOemStringToUnicodeString(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlOemStringToUnicodeString
		db  98h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BM@DEEFKKDE@RtlUnicodeStringToOemString@GHGBBCHJ@
		dd offset _VerifierRtlUnicodeStringToOemString@12 ; VerifierRtlUnicodeStringToOemString(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlUnicodeStringToOemString
		db  9Dh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0CC@HOCCNKKP@RtlUpcaseUnicodeStringToOemStri@GHGBBCHJ@
		dd offset _VerifierRtlUpcaseUnicodeStringToOemString@12	; VerifierRtlUpcaseUnicodeStringToOemString(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlUpcaseUnicodeStringToOemString
		db 0A2h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0CD@GPJEMFLM@RtlOemStringToCountedUnicodeStr@GHGBBCHJ@
		dd offset _VerifierRtlOemStringToCountedUnicodeString@12 ; VerifierRtlOemStringToCountedUnicodeString(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlOemStringToCountedUnicodeString
		db  97h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0CD@KEEJKOLL@RtlUnicodeStringToCountedOemStr@GHGBBCHJ@
		dd offset _VerifierRtlUnicodeStringToCountedOemString@12 ; VerifierRtlUnicodeStringToCountedOemString(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlUnicodeStringToCountedOemString
		db  9Ch	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0CJ@JNBPJCLI@RtlUpcaseUnicodeStringToCounted@GHGBBCHJ@
		dd offset _VerifierRtlUpcaseUnicodeStringToCountedOemString@12 ; VerifierRtlUpcaseUnicodeStringToCountedOemString(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlUpcaseUnicodeStringToCountedOemString
		db 0A1h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BH@MCOIMNMM@RtlUpcaseUnicodeString@GHGBBCHJ@
		dd offset _VerifierRtlUpcaseUnicodeString@12 ; VerifierRtlUpcaseUnicodeString(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlUpcaseUnicodeString
		db 0A0h	; 
		db    1
		db    0
		db    0
		dd offset loc_A52C9B+5
		dd offset _VerifierRtlDowncaseUnicodeString@12 ; VerifierRtlDowncaseUnicodeString(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlDowncaseUnicodeString
		db  90h	; 
		db    1
		db    0
		db    0
		dd offset loc_A52CEF+1
		dd offset _VerifierRtlCreateUnicodeString@8 ; VerifierRtlCreateUnicodeString(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlCreateUnicodeString
		db  8Dh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BK@BKMPPJLP@RtlDuplicateUnicodeString@GHGBBCHJ@
		dd offset _VerifierRtlDuplicateUnicodeString@12	; VerifierRtlDuplicateUnicodeString(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvRtlDuplicateUnicodeString
		db  91h	; 
		db    1
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_VfMandatoryThunks dd offset ??_C@_0BP@GNCMKEPO@ExInitializePagedLookasideList@GHGBBCHJ@
					; DATA XREF: VfGetHookAddressForOriginal(x)+2Do
					; ViXdvSearchAllThunkArrays(x,x)+2Ao ...
		dd offset _VerifierExInitializePagedLookasideList@28 ; VerifierExInitializePagedLookasideList(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvExInitializePagedLookasideList
		db  2Dh	; -
		db    0
		db    0
		db    0
		dd offset loc_A52C26+2
		dd offset _VerifierExInitializeNPagedLookasideList@28 ;	VerifierExInitializeNPagedLookasideList(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvExInitializeNPagedLookasideList
		db  2Ch	; ,
		db    0
		db    0
		db    0
		dd offset loc_A52C80+4
		dd offset _VerifierExDeletePagedLookasideList@4	; VerifierExDeletePagedLookasideList(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExDeletePagedLookasideList
		db  20h
		db    0
		db    0
		db    0
		dd offset loc_A52C63+5
		dd offset _VerifierExDeleteNPagedLookasideList@4 ; VerifierExDeleteNPagedLookasideList(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExDeleteNPagedLookasideList
		db  1Fh
		db    0
		db    0
		db    0
		dd offset loc_A52D7A+6
		dd offset _VerifierExInitializeLookasideListEx@32 ; VerifierExInitializeLookasideListEx(x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvExInitializeLookasideListEx
		db  2Bh	; +
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@KLGPHBAP@ExDeleteLookasideListEx@GHGBBCHJ@
		dd offset _VerifierExDeleteLookasideListEx@4 ; VerifierExDeleteLookasideListEx(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExDeleteLookasideListEx
		db  1Eh
		db    0
		db    0
		db    0
		dd offset ??_C@_0BO@OCNLMHJA@HalAllocateCrashDumpRegisters@GHGBBCHJ@
		dd offset _VfAllocateCrashDumpRegisters@8 ; VfAllocateCrashDumpRegisters(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvHalAllocateCrashDumpRegisters
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A52D96+6
		dd offset _VfMapTransfer@24 ; VfMapTransfer(x,x,x,x,x,x)
		align 10h
		dd offset _pXdvIoMapTransfer
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BG@ICCJOPAF@IoFlushAdapterBuffers@GHGBBCHJ@
		dd offset _VfFlushAdapterBuffers@24 ; VfFlushAdapterBuffers(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvIoFlushAdapterBuffers
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BI@NNECMFPB@HalAllocateCommonBuffer@GHGBBCHJ@
		dd offset _VfAllocateCommonBuffer@16 ; VfAllocateCommonBuffer(x,x,x,x)
		align 10h
		dd offset _pXdvHalAllocateCommonBuffer
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BE@LEBEIBPC@HalFreeCommonBuffer@GHGBBCHJ@
		dd offset _VfFreeCommonBuffer@24 ; VfFreeCommonBuffer(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvHalFreeCommonBuffer
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BJ@KFCEPHJG@IoAllocateAdapterChannel@GHGBBCHJ@
		dd offset _VfAllocateAdapterChannel@20 ; VfAllocateAdapterChannel(x,x,x,x,x)
		align 10h
		dd offset _pXdvIoAllocateAdapterChannel
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A52E47+1
		dd offset _VfFreeAdapterChannel@4 ; VfFreeAdapterChannel(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvIoFreeAdapterChannel
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A52E33+1
		dd offset _VfFreeMapRegisters@12 ; VfFreeMapRegisters(x,x,x)
		align 10h
		dd offset _pXdvIoFreeMapRegisters
		db 0FFh
		db 0FFh
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_VfRegularThunks dd offset ??_C@_0BJ@KHMECDBK@ExInitializeResourceLite@GHGBBCHJ@
					; DATA XREF: ViInitializeKernelVerifierThunks():loc_67874Er
					; ViInitializeKernelVerifierThunks()+9o ...
		dd offset _VerifierExInitializeResourceLite@4 ;	VerifierExInitializeResourceLite(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExInitializeResourceLite
		db  2Eh	; .
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@KLLIHMHG@ExDeleteResourceLite@GHGBBCHJ@
		dd offset _VerifierExDeleteResourceLite@4 ; VerifierExDeleteResourceLite(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvExDeleteResourceLite
		db  21h	; !
		db    0
		db    0
		db    0
		dd offset ??_C@_0BM@BCMDBIBF@ExfAcquirePushLockExclusive@GHGBBCHJ@
		dd offset @VerifierExfAcquirePushLockExclusive@4 ; VerifierExfAcquirePushLockExclusive(x)
		align 10h
		dd offset _pXdvExfAcquirePushLockExclusive
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BJ@KINNKGCF@ExfAcquirePushLockShared@GHGBBCHJ@
		dd offset @VerifierExfAcquirePushLockShared@4 ;	VerifierExfAcquirePushLockShared(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvExfAcquirePushLockShared
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BM@NMMKABDM@ExfTryAcquirePushLockShared@GHGBBCHJ@
		dd offset @VerifierExfTryAcquirePushLockShared@4 ; VerifierExfTryAcquirePushLockShared(x)
		align 10h
		dd offset _pXdvExfTryAcquirePushLockShared
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A52E00+4
		dd offset @VerifierExfReleasePushLock@4	; VerifierExfReleasePushLock(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvExfReleasePushLock
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BF@IOOBINIL@ExfTryToWakePushLock@GHGBBCHJ@
		dd offset @VerifierExfTryToWakePushLock@4 ; VerifierExfTryToWakePushLock(x)
		align 10h
		dd offset _pXdvExfTryToWakePushLock
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A52EE3+1
		dd offset @VerifierExfReleasePushLockShared@4 ;	VerifierExfReleasePushLockShared(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvExfReleasePushLockShared
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BK@HCAFDBOA@MmBuildMdlForNonPagedPool@GHGBBCHJ@
		dd offset _VerifierMmBuildMdlForNonPagedPool@4 ; VerifierMmBuildMdlForNonPagedPool(x)
		align 10h
		dd offset _pXdvMmBuildMdlForNonPagedPool
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BE@ILDAPLFN@MmProbeAndLockPages@GHGBBCHJ@
		dd offset _VerifierMmProbeAndLockPages@12 ; VerifierMmProbeAndLockPages(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmProbeAndLockPages
		db  4Bh	; K
		db    1
		db    0
		db    0
		dd offset ??_C@_0BL@ONDJLGP@MmProbeAndLockProcessPages@GHGBBCHJ@
		dd offset _VerifierMmProbeAndLockProcessPages@16 ; VerifierMmProbeAndLockProcessPages(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmProbeAndLockProcessPages
		db  4Ch	; L
		db    1
		db    0
		db    0
		dd offset loc_A52E8D+7
		dd offset _VerifierMmMapIoSpace@16 ; VerifierMmMapIoSpace(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmMapIoSpace
		db  45h	; E
		db    1
		db    0
		db    0
		dd offset ??_C@_0P@MEELKFMN@MmMapIoSpaceEx@GHGBBCHJ@
		dd offset _VerifierMmMapIoSpaceEx@16 ; VerifierMmMapIoSpaceEx(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A52EBF+1
		dd offset _VerifierMmMapLockedPages@8 ;	VerifierMmMapLockedPages(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmMapLockedPages
		db  46h	; F
		db    1
		db    0
		db    0
		dd offset ??_C@_0BN@PIHKKIFN@MmMapLockedPagesSpecifyCache@GHGBBCHJ@
		dd offset _VerifierMmMapLockedPagesSpecifyCache@24 ; VerifierMmMapLockedPagesSpecifyCache(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmMapLockedPagesSpecifyCache
		db  47h	; G
		db    1
		db    0
		db    0
		dd offset ??_C@_0BD@JKHIDLLH@MmMapViewOfSection@GHGBBCHJ@
		dd offset _VerifierMmMapViewOfSection@40 ; VerifierMmMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvMmMapViewOfSection
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BD@OPIOPJOL@NtMapViewOfSection@GHGBBCHJ@
		dd offset _VerifierNtMapViewOfSection@40 ; VerifierNtMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		align 10h
		dd offset _pXdvNtMapViewOfSection
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0O@OMFFIEBC@MmUnlockPages@GHGBBCHJ@
		dd offset _VerifierMmUnlockPages@4 ; VerifierMmUnlockPages(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmUnlockPages
		db  51h	; Q
		db    1
		db    0
		db    0
		dd offset loc_A52F57+1
		dd offset _VerifierMmUnmapLockedPages@8	; VerifierMmUnmapLockedPages(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmUnmapLockedPages
		db  53h	; S
		db    1
		db    0
		db    0
		dd offset ??_C@_0P@EMJLEDGK@MmUnmapIoSpace@GHGBBCHJ@
		dd offset _VerifierMmUnmapIoSpace@8 ; VerifierMmUnmapIoSpace(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmUnmapIoSpace
		db  52h	; R
		db    1
		db    0
		db    0
		dd offset ??_C@_0BL@KMIOEMCL@MmAllocateContiguousMemory@GHGBBCHJ@
		dd offset _VerifierMmAllocateContiguousMemory@12 ; VerifierMmAllocateContiguousMemory(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmAllocateContiguousMemory
		db  33h	; 3
		db    1
		db    0
		db    0
		dd offset loc_A52F6B+1
		dd offset _VerifierMmAllocateContiguousMemorySpecifyCache@32 ; VerifierMmAllocateContiguousMemorySpecifyCache(x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmAllocateContiguousMemorySpecifyCache
		db  34h	; 4
		db    1
		db    0
		db    0
		dd offset ??_C@_0CL@NMGHDAJA@MmAllocateContiguousMemorySpeci@GHGBBCHJ@
		dd offset _VerifierMmAllocateContiguousMemorySpecifyCacheNode@36 ; VerifierMmAllocateContiguousMemorySpecifyCacheNode(x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmAllocateContiguousMemorySpecifyCacheNode
		db  35h	; 5
		db    1
		db    0
		db    0
		dd offset ??_C@_0BP@EGCAGHLF@MmAllocateContiguousNodeMemory@GHGBBCHJ@
		dd offset _VerifierMmAllocateContiguousNodeMemory@36 ; VerifierMmAllocateContiguousNodeMemory(x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmAllocateContiguousNodeMemory
		db  36h	; 6
		db    1
		db    0
		db    0
		dd offset ??_C@_0BK@FHEGIMGE@MmAllocateNonCachedMemory@GHGBBCHJ@
		dd offset _VerifierMmAllocateNonCachedMemory@4 ; VerifierMmAllocateNonCachedMemory(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmAllocateNonCachedMemory
		db  37h	; 7
		db    1
		db    0
		db    0
		dd offset ??_C@_0BH@CDFCIAHF@MmFreeContiguousMemory@GHGBBCHJ@
		dd offset _VerifierMmFreeContiguousMemory@4 ; VerifierMmFreeContiguousMemory(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmFreeContiguousMemory
		db  3Dh	; =
		db    1
		db    0
		db    0
		dd offset ??_C@_0CD@IDDLAELJ@MmFreeContiguousMemorySpecifyCa@GHGBBCHJ@
		dd offset _VerifierMmFreeContiguousMemorySpecifyCache@12 ; VerifierMmFreeContiguousMemorySpecifyCache(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmFreeContiguousMemorySpecifyCache
		db  3Eh	; >
		db    1
		db    0
		db    0
		dd offset ??_C@_0BG@OOBECNLI@MmFreeNonCachedMemory@GHGBBCHJ@
		dd offset _VerifierMmFreeNonCachedMemory@8 ; VerifierMmFreeNonCachedMemory(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmFreeNonCachedMemory
		db  3Fh	; ?
		db    1
		db    0
		db    0
		dd offset ??_C@_0BG@CCMELLDE@MmAllocatePagesForMdl@GHGBBCHJ@
		dd offset _VerifierMmAllocatePagesForMdl@28 ; VerifierMmAllocatePagesForMdl(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmAllocatePagesForMdl
		db  38h	; 8
		db    1
		db    0
		db    0
		dd offset ??_C@_0BI@HGCOAHOC@MmAllocatePagesForMdlEx@GHGBBCHJ@
		dd offset _VerifierMmAllocatePagesForMdlEx@36 ;	VerifierMmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmAllocatePagesForMdlEx
		db  39h	; 9
		db    1
		db    0
		db    0
		dd offset ??_C@_0BM@ILMHMAJC@MmAllocateNodePagesForMdlEx@GHGBBCHJ@
		dd offset _VerifierMmAllocateNodePagesForMdlEx@40 ; VerifierMmAllocateNodePagesForMdlEx(x,x,x,x,x,x,x,x,x,x)
		align 10h
		dd offset _pXdvMmAllocateNodePagesForMdlEx
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BD@EOFIHELD@MmFreePagesFromMdl@GHGBBCHJ@
		dd offset _VerifierMmFreePagesFromMdl@4	; VerifierMmFreePagesFromMdl(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmFreePagesFromMdl
		db  40h	; @
		db    1
		db    0
		db    0
		dd offset ??_C@_0M@IBDNJKJC@MmCreateMdl@GHGBBCHJ@
		dd offset _VerifierMmCreateMdl@12 ; VerifierMmCreateMdl(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmCreateMdl
		db  3Ah	; :
		db    1
		db    0
		db    0
		dd offset ??_C@_0BJ@CGBIGMNF@MmAllocateMappingAddress@GHGBBCHJ@
		dd offset _VerifierMmAllocateMappingAddress@8 ;	VerifierMmAllocateMappingAddress(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvMmAllocateMappingAddress
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BA@NLADEBML@MmCreateSection@GHGBBCHJ@
		dd offset _VerifierMmCreateSection@32 ;	VerifierMmCreateSection(x,x,x,x,x,x,x,x)
		align 10h
		dd offset _pXdvMmCreateSection
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BA@MANLHNBJ@NtCreateSection@GHGBBCHJ@
		dd offset _VerifierNtCreateSection@28 ;	VerifierNtCreateSection(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvNtCreateSection
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BK@EOAPMLDF@MmGetSystemRoutineAddress@GHGBBCHJ@
		dd offset _VerifierMmGetSystemRoutineAddress@4 ; VerifierMmGetSystemRoutineAddress(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvMmGetSystemRoutineAddress
		db  42h	; B
		db    1
		db    0
		db    0
		dd offset loc_A53113+1
		dd offset _VerifierMmProtectMdlSystemAddress@8 ; VerifierMmProtectMdlSystemAddress(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvMmProtectMdlSystemAddress
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0L@LBMJOLIB@KeSetEvent@GHGBBCHJ@
		dd offset _VerifierKeSetEvent@12 ; VerifierKeSetEvent(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeSetEvent
		db  20h
		db    1
		db    0
		db    0
		dd offset ??_C@_0BN@IPNABLFG@KeSaveExtendedProcessorState@GHGBBCHJ@
		dd offset _VerifierKeSaveExtendedProcessorState@12 ; VerifierKeSaveExtendedProcessorState(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeSaveExtendedProcessorState
		db  1Eh
		db    1
		db    0
		db    0
		dd offset ??_C@_0CA@OHCIBDML@KeRestoreExtendedProcessorState@GHGBBCHJ@
		dd offset _VerifierKeRestoreExtendedProcessorState@4 ; VerifierKeRestoreExtendedProcessorState(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeRestoreExtendedProcessorState
		db  1Ch
		db    1
		db    0
		db    0
		dd offset loc_A5320B+1
		dd offset @VerifierKfRaiseIrql@4 ; VerifierKfRaiseIrql(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKfRaiseIrql
		db  30h	; 0
		db    1
		db    0
		db    0
		dd offset loc_A531AF+1
		dd offset @VerifierKfLowerIrql@4 ; VerifierKfLowerIrql(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKfLowerIrql
		db  2Fh	; /
		db    1
		db    0
		db    0
		dd offset loc_A531A3+1
		dd offset _VerifierKeRaiseIrql@8 ; VerifierKeRaiseIrql(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeRaiseIrql
		db    4
		db    1
		db    0
		db    0
		dd offset loc_A531C7+1
		dd offset _VerifierKeRaiseIrqlToDpcLevel@0 ; VerifierKeRaiseIrqlToDpcLevel()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeRaiseIrqlToDpcLevel
		db    5
		db    1
		db    0
		db    0
		dd offset ??_C@_0M@NCFLJKKN@KeLowerIrql@GHGBBCHJ@
		dd offset _VerifierKeLowerIrql@4 ; VerifierKeLowerIrql(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeLowerIrql
		db 0FFh
		db    0
		db    0
		db    0
		dd offset ??_C@_0BH@LEMIKANE@KeSynchronizeExecution@GHGBBCHJ@
		dd offset _VerifierKeSynchronizeExecution@12 ; VerifierKeSynchronizeExecution(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeSynchronizeExecution
		db  25h	; %
		db    1
		db    0
		db    0
		dd offset ??_C@_0BE@MADIFMFE@KeInitializeTimerEx@GHGBBCHJ@
		dd offset _VerifierKeInitializeTimerEx@8 ; VerifierKeInitializeTimerEx(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeInitializeTimerEx
		db 0F7h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BC@DOLLALDB@KeInitializeTimer@GHGBBCHJ@
		dd offset _VerifierKeInitializeTimer@4 ; VerifierKeInitializeTimer(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeInitializeTimer
		db 0F6h	; 
		db    0
		db    0
		db    0
		dd offset loc_A532B7+5
		dd offset _VerifierKeDelayExecutionThread@12 ; VerifierKeDelayExecutionThread(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeDelayExecutionThread
		db 0EBh	; 
		db    0
		db    0
		db    0
		dd offset loc_A53248+8
		dd offset _VerifierKeEnterCriticalRegion@0 ; VerifierKeEnterCriticalRegion()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeEnterCriticalRegion
		db 0EDh	; 
		db    0
		db    0
		db    0
		dd offset loc_A53237+1
		dd offset _VerifierKeLeaveCriticalRegion@0 ; VerifierKeLeaveCriticalRegion()
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeLeaveCriticalRegion
		db 0FDh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BB@NEFFAOJG@KeInsertQueueDpc@GHGBBCHJ@
		dd offset _VfKeInsertQueueDpc@12 ; VfKeInsertQueueDpc(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeInsertQueueDpc
		db 0FCh	; 
		db    0
		db    0
		db    0
		dd offset loc_A53260+8
		dd offset _VfKeRemoveQueueDpc@4	; VfKeRemoveQueueDpc(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeRemoveQueueDpc
		db  1Ah
		db    1
		db    0
		db    0
		dd offset ??_C@_0N@KPMLACHP@NtCreateFile@GHGBBCHJ@
		dd offset _VerifierNtCreateFile@44 ; VerifierNtCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvNtCreateFile
		db  55h	; U
		db    1
		db    0
		db    0
		dd offset ??_C@_0M@NBHOGDOK@NtWriteFile@GHGBBCHJ@
		dd offset _VerifierNtWriteFile@36 ; VerifierNtWriteFile(x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvNtWriteFile
		db  5Ah	; Z
		db    1
		db    0
		db    0
		dd offset ??_C@_0L@FNDFCMOM@NtReadFile@GHGBBCHJ@
		dd offset _VerifierNtReadFile@36 ; VerifierNtReadFile(x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvNtReadFile
		db  57h	; W
		db    1
		db    0
		db    0
		dd offset ??_C@_0BD@LGNDLMOF@ObfReferenceObject@GHGBBCHJ@
		dd offset @VerifierObfReferenceObject@4	; VerifierObfReferenceObject(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvObfReferenceObject
		db  63h	; c
		db    1
		db    0
		db    0
		dd offset ??_C@_0BK@PAFEOPMG@ObReferenceObjectByHandle@GHGBBCHJ@
		dd offset _VerifierObReferenceObjectByHandle@24	; VerifierObReferenceObjectByHandle(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvObReferenceObjectByHandle
		db  5Ch	; \
		db    1
		db    0
		db    0
		dd offset ??_C@_0BL@FCIHCOLE@ObReferenceObjectByPointer@GHGBBCHJ@
		dd offset _VerifierObReferenceObjectByPointer@16 ; VerifierObReferenceObjectByPointer(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvObReferenceObjectByPointer
		db  5Eh	; ^
		db    1
		db    0
		db    0
		dd offset ??_C@_09POLIELFF@IoFreeIrp@GHGBBCHJ@
		dd offset _VerifierIoFreeIrp@4 ; VerifierIoFreeIrp(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoFreeIrp
		db  9Ch	; 
		db    0
		db    0
		db    0
		dd offset loc_A5331F+1
		dd offset _VerifierIoFreeMdl@4 ; VerifierIoFreeMdl(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoFreeMdl
		db  9Dh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BD@CIFKDNMJ@IofCompleteRequest@GHGBBCHJ@
		dd offset @VerifierIofCompleteRequest@8	; VerifierIofCompleteRequest(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIofCompleteRequest
		db 0DEh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BO@CPCKJMEP@IoBuildDeviceIoControlRequest@GHGBBCHJ@
		dd offset _IovBuildDeviceIoControlRequest@36 ; IovBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvIoBuildDeviceIoControlRequest
		db  86h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BO@PAOFNJIG@IoBuildAsynchronousFsdRequest@GHGBBCHJ@
		dd offset _IovBuildAsynchronousFsdRequest@24 ; IovBuildAsynchronousFsdRequest(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvIoBuildAsynchronousFsdRequest
		db  85h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@OEFIMPJC@IoBuildSynchronousFsdRequest@GHGBBCHJ@
		dd offset _IovBuildSynchronousFsdRequest@28 ; IovBuildSynchronousFsdRequest(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvIoBuildSynchronousFsdRequest
		db  87h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BC@JEDLPOL@IoInitializeTimer@GHGBBCHJ@
		dd offset _IovInitializeTimer@12 ; IovInitializeTimer(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoInitializeTimer
		db 0AEh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BA@PIHPIHIM@IoGetDmaAdapter@GHGBBCHJ@
		dd offset _VfGetDmaAdapter@12 ;	VfGetDmaAdapter(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoGetDmaAdapter
		db 0A8h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0O@NAJHKPON@HalGetAdapter@GHGBBCHJ@
		dd offset _VfLegacyGetAdapter@8	; VfLegacyGetAdapter(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvHalGetAdapter
		db  76h	; v
		db    0
		db    0
		db    0
		dd offset ??_C@_0BJ@CGEBKANA@IoInitializeRemoveLockEx@GHGBBCHJ@
		dd offset _VerifierIoInitializeRemoveLockEx@20 ; VerifierIoInitializeRemoveLockEx(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoInitializeRemoveLockEx
		db 0ADh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BG@NAAGCMAE@IoAcquireRemoveLockEx@GHGBBCHJ@
		dd offset _VerifierIoAcquireRemoveLockEx@20 ; VerifierIoAcquireRemoveLockEx(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoAcquireRemoveLockEx
		db  7Bh	; {
		db    0
		db    0
		db    0
		dd offset ??_C@_0BG@CAEIPNB@IoReleaseRemoveLockEx@GHGBBCHJ@
		dd offset _VerifierIoReleaseRemoveLockEx@12 ; VerifierIoReleaseRemoveLockEx(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoReleaseRemoveLockEx
		db 0C1h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@PLFJGAJD@IoReleaseRemoveLockAndWaitEx@GHGBBCHJ@
		dd offset _VerifierIoReleaseRemoveLockAndWaitEx@12 ; VerifierIoReleaseRemoveLockAndWaitEx(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoReleaseRemoveLockAndWaitEx
		db 0C0h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0CA@MNOBIDIL@IoAllocateDriverObjectExtension@GHGBBCHJ@
		dd offset _VerifierIoAllocateDriverObjectExtension@16 ;	VerifierIoAllocateDriverObjectExtension(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvIoAllocateDriverObjectExtension
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BI@CLANGFAI@IoAllocateErrorLogEntry@GHGBBCHJ@
		dd offset _VerifierIoAllocateErrorLogEntry@8 ; VerifierIoAllocateErrorLogEntry(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoAllocateErrorLogEntry
		db  7Eh	; ~
		db    0
		db    0
		db    0
		dd offset ??_C@_0BD@GODPMFCO@IoAllocateWorkItem@GHGBBCHJ@
		dd offset _VerifierIoAllocateWorkItem@4	; VerifierIoAllocateWorkItem(x)
		db    0
		db    0
		db    0
		db    0
		db    4
		db    0
		db    0
		db    0
		dd offset _pXdvIoAllocateWorkItem
		db  81h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BF@NBKCIHHN@IoInitializeWorkItem@GHGBBCHJ@
		dd offset _VerifierIoInitializeWorkItem@8 ; VerifierIoInitializeWorkItem(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoInitializeWorkItem
		db 0AFh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BJ@PAEJOFEI@IoWMIRegistrationControl@GHGBBCHJ@
		dd offset _VerifierIoWMIRegistrationControl@8 ;	VerifierIoWMIRegistrationControl(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoWMIRegistrationControl
		db 0D8h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BA@GNNCFCJF@IoWMIWriteEvent@GHGBBCHJ@
		dd offset _VerifierIoWMIWriteEvent@4 ; VerifierIoWMIWriteEvent(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoWMIWriteEvent
		db 0D9h	; 
		db    0
		db    0
		db    0
		dd offset loc_A5355A+2
		dd offset _VerifierIoWriteErrorLogEntry@4 ; VerifierIoWriteErrorLogEntry(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoWriteErrorLogEntry
		db 0DAh	; 
		db    0
		db    0
		db    0
		dd offset loc_A5359F+1
		dd offset _VerifierEtwRegister@16 ; VerifierEtwRegister(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvEtwRegister
		db    9
		db    0
		db    0
		db    0
		dd offset ??_C@_0BL@KFEKKDAO@EtwRegisterClassicProvider@GHGBBCHJ@
		dd offset _VerifierEtwRegisterClassicProvider@20 ; VerifierEtwRegisterClassicProvider(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvEtwRegisterClassicProvider
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0O@CJIIPCHG@EtwUnregister@GHGBBCHJ@
		dd offset _VerifierEtwUnregister@8 ; VerifierEtwUnregister(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvEtwUnregister
		db  0Ah
		db    0
		db    0
		db    0
		dd offset ??_C@_0P@CGOCKIBH@IoCreateDevice@GHGBBCHJ@
		dd offset _VerifierIoCreateDevice@28 ; VerifierIoCreateDevice(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoCreateDevice
		db  8Dh	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BI@HDNIGKKP@IoVolumeDeviceToDosName@GHGBBCHJ@
		dd offset _VerifierIoVolumeDeviceToDosName@8 ; VerifierIoVolumeDeviceToDosName(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvIoVolumeDeviceToDosName
		db 0D6h	; 
		db    0
		db    0
		db    0
		dd offset loc_A53527+1
		dd offset _VerifierIoVolumeDeviceToDosName@8 ; VerifierIoVolumeDeviceToDosName(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BC@ILDKLKNE@KeInitializeEvent@GHGBBCHJ@
		dd offset _VerifierKeInitializeEvent@12	; VerifierKeInitializeEvent(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeInitializeEvent
		db 0F1h	; 
		db    0
		db    0
		db    0
		dd offset loc_A5360B+1
		dd offset _VerifierKeInitializeSemaphore@12 ; VerifierKeInitializeSemaphore(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeInitializeSemaphore
		db 0F5h	; 
		db    0
		db    0
		db    0
		dd offset ??_C@_0BN@BEJKANHH@KeTryToAcquireQueuedSpinLock@GHGBBCHJ@
		dd offset @VerifierKeTryToAcquireQueuedSpinLock@8 ; VerifierKeTryToAcquireQueuedSpinLock(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvKeTryToAcquireQueuedSpinLock
		db  28h	; (
		db    1
		db    0
		db    0
		dd offset ??_C@_0CE@HCAAJOFM@KeAcquireQueuedSpinLockRaiseToS@GHGBBCHJ@
		dd offset @VerifierKeAcquireQueuedSpinLockRaiseToSynch@4 ; VerifierKeAcquireQueuedSpinLockRaiseToSynch(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0CJ@KINHPDIA@KeTryToAcquireQueuedSpinLockRai@GHGBBCHJ@
		dd offset @VerifierKeTryToAcquireQueuedSpinLockRaiseToSynch@8 ;	VerifierKeTryToAcquireQueuedSpinLockRaiseToSynch(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A535A4+8
		dd offset _Verifiermemcpy
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvmemcpy
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BL@LBCFAPLA@ZwAccessCheckAndAuditAlarm@GHGBBCHJ@
		dd offset _VfZwAccessCheckAndAuditAlarm@44 ; VfZwAccessCheckAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x)
		align 10h
		dd offset _pXdvZwAccessCheckAndAuditAlarm
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0P@NJGBECCE@ZwAddBootEntry@GHGBBCHJ@
		dd offset _VfZwAddBootEntry@8 ;	VfZwAddBootEntry(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwAddBootEntry
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BB@KIFBPAKN@ZwAddDriverEntry@GHGBBCHJ@
		dd offset _VfZwAddDriverEntry@8	; VfZwAddDriverEntry(x,x)
		align 10h
		dd offset _pXdvZwAddDriverEntry
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BI@PGLJEMKC@ZwAdjustPrivilegesToken@GHGBBCHJ@
		dd offset _VfZwAdjustPrivilegesToken@24	; VfZwAdjustPrivilegesToken(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwAdjustPrivilegesToken
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BI@HKENIFPC@ZwAllocateVirtualMemory@GHGBBCHJ@
		dd offset _VfZwAllocateVirtualMemory@24	; VfZwAllocateVirtualMemory(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwAllocateVirtualMemory
		db 0D2h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0P@LEIBOHAK@ZwCancelIoFile@GHGBBCHJ@
		dd offset _VfZwCancelIoFile@8 ;	VfZwCancelIoFile(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwCancelIoFile
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0O@CNOBKCEK@ZwCancelTimer@GHGBBCHJ@
		dd offset _VfZwCancelTimer@8 ; VfZwCancelTimer(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCancelTimer
		db 0D3h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BI@IDLCOIHA@ZwCloseObjectAuditAlarm@GHGBBCHJ@
		dd offset _VfZwCloseObjectAuditAlarm@12	; VfZwCloseObjectAuditAlarm(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwCloseObjectAuditAlarm
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A536B9+3
		dd offset _VfZwConnectPort@32 ;	VfZwConnectPort(x,x,x,x,x,x,x,x)
		align 10h
		dd offset _pXdvZwConnectPort
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BI@BPIHCBGG@ZwCreateDirectoryObject@GHGBBCHJ@
		dd offset _VfZwCreateDirectoryObject@12	; VfZwCreateDirectoryObject(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCreateDirectoryObject
		db 0D8h	; 
		db    1
		db    0
		db    0
		dd offset loc_A53779+7
		dd offset _VfZwCreateEvent@20 ;	VfZwCreateEvent(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCreateEvent
		db 0DAh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0N@KMOLBMMD@ZwCreateFile@GHGBBCHJ@
		dd offset _VfZwCreateFile@44 ; VfZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCreateFile
		db 0DBh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BC@JPJKFEGL@ZwCreateJobObject@GHGBBCHJ@
		dd offset _VfZwCreateJobObject@12 ; VfZwCreateJobObject(x,x,x)
		align 10h
		dd offset _pXdvZwCreateJobObject
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0M@KGPINBFB@ZwCreateKey@GHGBBCHJ@
		dd offset _VfZwCreateKey@28 ; VfZwCreateKey(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCreateKey
		db 0DCh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BA@ODLAGFHJ@ZwCreateSection@GHGBBCHJ@
		dd offset _VfZwCreateSection@28	; VfZwCreateSection(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCreateSection
		db 0DFh	; 
		db    1
		db    0
		db    0
		dd offset loc_A5371F+1
		dd offset _VfZwCreateSymbolicLinkObject@16 ; VfZwCreateSymbolicLinkObject(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwCreateSymbolicLinkObject
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0O@OJGKKHJH@ZwCreateTimer@GHGBBCHJ@
		dd offset _VfZwCreateTimer@16 ;	VfZwCreateTimer(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCreateTimer
		db 0E0h	; 
		db    1
		db    0
		db    0
		dd offset loc_A5374B+1
		dd offset _VfZwDeleteBootEntry@4 ; VfZwDeleteBootEntry(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwDeleteBootEntry
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0N@GIELCLHA@ZwDeleteFile@GHGBBCHJ@
		dd offset _VfZwDeleteFile@4 ; VfZwDeleteFile(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwDeleteFile
		db 0E3h	; 
		db    1
		db    0
		db    0
		dd offset loc_A53807+5
		dd offset _VfZwDeleteValueKey@8	; VfZwDeleteValueKey(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwDeleteValueKey
		db 0E5h	; 
		db    1
		db    0
		db    0
		dd offset loc_A5383C+4
		dd offset _VfZwDeviceIoControlFile@40 ;	VfZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwDeviceIoControlFile
		db 0E6h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BA@NCONONMM@ZwDisplayString@GHGBBCHJ@
		dd offset _VfZwDisplayString@4 ; VfZwDisplayString(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwDisplayString
		db 0E7h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BC@LFLAJKLI@ZwDuplicateObject@GHGBBCHJ@
		dd offset _VfZwDuplicateObject@28 ; VfZwDuplicateObject(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwDuplicateObject
		db 0E8h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BB@KLKOBDFJ@ZwDuplicateToken@GHGBBCHJ@
		dd offset _VfZwDuplicateToken@24 ; VfZwDuplicateToken(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwDuplicateToken
		db 0E9h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BH@ENILHPP@ZwEnumerateBootEntries@GHGBBCHJ@
		dd offset _VfZwEnumerateBootEntries@8 ;	VfZwEnumerateBootEntries(x,x)
		align 10h
		dd offset _pXdvZwEnumerateBootEntries
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BJ@IOALJHII@ZwEnumerateDriverEntries@GHGBBCHJ@
		dd offset _VfZwEnumerateDriverEntries@8	; VfZwEnumerateDriverEntries(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwEnumerateDriverEntries
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0P@GMGACGJD@ZwEnumerateKey@GHGBBCHJ@
		dd offset _VfZwEnumerateKey@24 ; VfZwEnumerateKey(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwEnumerateKey
		db 0EAh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BE@IIIKCKBL@ZwEnumerateValueKey@GHGBBCHJ@
		dd offset _VfZwEnumerateValueKey@24 ; VfZwEnumerateValueKey(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwEnumerateValueKey
		db 0ECh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BI@LEEJKIGN@ZwFlushInstructionCache@GHGBBCHJ@
		dd offset _VfZwFlushInstructionCache@12	; VfZwFlushInstructionCache(x,x,x)
		align 10h
		dd offset _pXdvZwFlushInstructionCache
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A538BB+1
		dd offset _VfZwFlushVirtualMemory@16 ; VfZwFlushVirtualMemory(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwFlushVirtualMemory
		db 0F0h	; 
		db    1
		db    0
		db    0
		dd offset loc_A53864+4
		dd offset _VfZwFreeVirtualMemory@16 ; VfZwFreeVirtualMemory(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwFreeVirtualMemory
		db 0F1h	; 
		db    1
		db    0
		db    0
		dd offset loc_A53852+6
		dd offset _VfZwFsControlFile@40	; VfZwFsControlFile(x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwFsControlFile
		db 0F2h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0N@PEGGKEB@ZwLoadDriver@GHGBBCHJ@
		dd offset _VfZwLoadDriver@4 ; VfZwLoadDriver(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwLoadDriver
		db 0F4h	; 
		db    1
		db    0
		db    0
		dd offset loc_A5387B+1
		dd offset _VfZwLoadKey@8 ; VfZwLoadKey(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwLoadKey
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BD@PPCCBCGB@ZwMapViewOfSection@GHGBBCHJ@
		dd offset _VfZwMapViewOfSection@40 ; VfZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwMapViewOfSection
		db 0F7h	; 
		db    1
		db    0
		db    0
		dd offset loc_A53927+5
		dd offset _VfZwModifyBootEntry@4 ; VfZwModifyBootEntry(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwModifyBootEntry
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BE@MACMJJBB@ZwModifyDriverEntry@GHGBBCHJ@
		dd offset _VfZwModifyDriverEntry@4 ; VfZwModifyDriverEntry(x)
		align 10h
		dd offset _pXdvZwModifyDriverEntry
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BC@JHKPHPDB@ZwNotifyChangeKey@GHGBBCHJ@
		dd offset _VfZwNotifyChangeKey@40 ; VfZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwNotifyChangeKey
		db 0F8h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BG@EBIHBOPF@ZwOpenDirectoryObject@GHGBBCHJ@
		dd offset _VfZwOpenDirectoryObject@12 ;	VfZwOpenDirectoryObject(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenDirectoryObject
		db 0F9h	; 
		db    1
		db    0
		db    0
		dd offset loc_A538EB+1
		dd offset _VfZwOpenEvent@12 ; VfZwOpenEvent(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenEvent
		db 0FBh	; 
		db    1
		db    0
		db    0
		dd offset loc_A5391D+3
		dd offset _VfZwOpenFile@24 ; VfZwOpenFile(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenFile
		db 0FCh	; 
		db    1
		db    0
		db    0
		dd offset loc_A5390F+1
		dd offset _VfZwOpenJobObject@12	; VfZwOpenJobObject(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
off_AABBA8	dd offset _pXdvZwOpenJobObject
					; DATA XREF: .text:_GUID_SLEEPSTUDY_BLOCKER_TOP_LEVEL_SOC_SUBSYSTEMo
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_09LIJLGMPD@ZwOpenKey@GHGBBCHJ@
		dd offset _VfZwOpenKey@12 ; VfZwOpenKey(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenKey
		db 0FDh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0O@FEPJHLEJ@ZwOpenProcess@GHGBBCHJ@
		dd offset _VfZwOpenProcess@16 ;	VfZwOpenProcess(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenProcess
		db    1
		db    2
		db    0
		db    0
		dd offset ??_C@_0BD@FICHFIDH@ZwOpenProcessToken@GHGBBCHJ@
		dd offset _VfZwOpenProcessToken@12 ; VfZwOpenProcessToken(x,x,x)
		align 10h
		dd offset _pXdvZwOpenProcessToken
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BF@GEAAJNAA@ZwOpenProcessTokenEx@GHGBBCHJ@
		dd offset _VfZwOpenProcessTokenEx@16 ; VfZwOpenProcessTokenEx(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenProcessTokenEx
		db    2
		db    2
		db    0
		db    0
		dd offset ??_C@_0O@HNILNMLD@ZwOpenSection@GHGBBCHJ@
		dd offset _VfZwOpenSection@12 ;	VfZwOpenSection(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenSection
		db    4
		db    2
		db    0
		db    0
		dd offset ??_C@_0BJ@CLLKOGDP@ZwOpenSymbolicLinkObject@GHGBBCHJ@
		dd offset _VfZwOpenSymbolicLinkObject@12 ; VfZwOpenSymbolicLinkObject(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenSymbolicLinkObject
		db    5
		db    2
		db    0
		db    0
		dd offset ??_C@_0N@HLDGFDL@ZwOpenThread@GHGBBCHJ@
		dd offset _VfZwOpenThread@16 ; VfZwOpenThread(x,x,x,x)
		align 10h
		dd offset _pXdvZwOpenThread
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BC@IHGIMNLF@ZwOpenThreadToken@GHGBBCHJ@
		dd offset _VfZwOpenThreadToken@16 ; VfZwOpenThreadToken(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenThreadToken
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53A6F+5
		dd offset _VfZwOpenThreadTokenEx@20 ; VfZwOpenThreadTokenEx(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenThreadTokenEx
		db    6
		db    2
		db    0
		db    0
		dd offset ??_C@_0M@MAILKIKO@ZwOpenTimer@GHGBBCHJ@
		dd offset _VfZwOpenTimer@12 ; VfZwOpenTimer(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenTimer
		db    7
		db    2
		db    0
		db    0
		dd offset ??_C@_0BD@FJKHNGHL@ZwPowerInformation@GHGBBCHJ@
		dd offset _VfZwPowerInformation@20 ; VfZwPowerInformation(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwPowerInformation
		db  0Ah
		db    2
		db    0
		db    0
		dd offset ??_C@_0BH@HLJMLBBA@ZwProtectVirtualMemory@GHGBBCHJ@
		dd offset _VfZwProtectVirtualMemory@20 ; VfZwProtectVirtualMemory(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwProtectVirtualMemory
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0N@JGLBEHHB@ZwPulseEvent@GHGBBCHJ@
		dd offset _VfZwPulseEvent@8 ; VfZwPulseEvent(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwPulseEvent
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53A13+1
		dd offset _VfZwQueryBootEntryOrder@8 ; VfZwQueryBootEntryOrder(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryBootEntryOrder
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BD@KODEDALN@ZwQueryBootOptions@GHGBBCHJ@
		dd offset _VfZwQueryBootOptions@8 ; VfZwQueryBootOptions(x,x)
		align 10h
		dd offset _pXdvZwQueryBootOptions
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BF@EEAHCEJ@ZwQueryDefaultLocale@GHGBBCHJ@
		dd offset _VfZwQueryDefaultLocale@8 ; VfZwQueryDefaultLocale(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryDefaultLocale
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BJ@LBCAOJIC@ZwQueryDefaultUILanguage@GHGBBCHJ@
		dd offset _VfZwQueryDefaultUILanguage@4	; VfZwQueryDefaultUILanguage(x)
		align 10h
		dd offset _pXdvZwQueryDefaultUILanguage
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53B0A+6
		dd offset _VfZwQueryDriverEntryOrder@8 ; VfZwQueryDriverEntryOrder(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryDriverEntryOrder
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BJ@GJJANIEK@ZwQueryInstallUILanguage@GHGBBCHJ@
		dd offset _VfZwQueryInstallUILanguage@4	; VfZwQueryInstallUILanguage(x)
		align 10h
		dd offset _pXdvZwQueryInstallUILanguage
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BF@NMACOFBK@ZwQueryDirectoryFile@GHGBBCHJ@
		dd offset _VfZwQueryDirectoryFile@44 ; VfZwQueryDirectoryFile(x,x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryDirectoryFile
		db  0Fh
		db    2
		db    0
		db    0
		dd offset loc_A53ABE+6
		dd offset _VfZwQueryDirectoryObject@28 ; VfZwQueryDirectoryObject(x,x,x,x,x,x,x)
		align 10h
		dd offset _pXdvZwQueryDirectoryObject
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0O@HDJBJFAL@ZwQueryEaFile@GHGBBCHJ@
		dd offset _VfZwQueryEaFile@36 ;	VfZwQueryEaFile(x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryEaFile
		db  10h
		db    2
		db    0
		db    0
		dd offset loc_A53AEF+5
		dd offset _VfZwQueryFullAttributesFile@8 ; VfZwQueryFullAttributesFile(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryFullAttributesFile
		db  11h
		db    2
		db    0
		db    0
		dd offset ??_C@_0BH@DLOJOCLP@ZwQueryInformationFile@GHGBBCHJ@
		dd offset _VfZwQueryInformationFile@20 ; VfZwQueryInformationFile(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryInformationFile
		db  13h
		db    2
		db    0
		db    0
		dd offset ??_C@_0BM@PIIFPAIC@ZwQueryInformationJobObject@GHGBBCHJ@
		dd offset _VfZwQueryInformationJobObject@20 ; VfZwQueryInformationJobObject(x,x,x,x,x)
		align 10h
		dd offset _pXdvZwQueryInformationJobObject
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BK@PDBIPODP@ZwQueryInformationProcess@GHGBBCHJ@
		dd offset _VfZwQueryInformationProcess@20 ; VfZwQueryInformationProcess(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryInformationProcess
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BJ@IBBAHCNP@ZwQueryInformationThread@GHGBBCHJ@
		dd offset _VfZwQueryInformationThread@20 ; VfZwQueryInformationThread(x,x,x,x,x)
		align 10h
		dd offset _pXdvZwQueryInformationThread
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53BF1+3
		dd offset _VfZwQueryInformationToken@20	; VfZwQueryInformationToken(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryInformationToken
		db  15h
		db    2
		db    0
		db    0
		dd offset loc_A53B87+1
		dd offset _VfZwQueryKey@20 ; VfZwQueryKey(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryKey
		db  18h
		db    2
		db    0
		db    0
		dd offset ??_C@_0O@EHBHKBHL@ZwQueryObject@GHGBBCHJ@
		dd offset _VfZwQueryObject@20 ;	VfZwQueryObject(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryObject
		db  19h
		db    2
		db    0
		db    0
		dd offset ??_C@_0P@NHBMKANJ@ZwQuerySection@GHGBBCHJ@
		dd offset _VfZwQuerySection@20 ; VfZwQuerySection(x,x,x,x,x)
		align 10h
		dd offset _pXdvZwQuerySection
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53B93+1
		dd offset _VfZwQuerySecurityObject@20 ;	VfZwQuerySecurityObject(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQuerySecurityObject
		db  1Bh
		db    2
		db    0
		db    0
		dd offset ??_C@_0BK@OAMNJJCG@ZwQuerySymbolicLinkObject@GHGBBCHJ@
		dd offset _VfZwQuerySymbolicLinkObject@12 ; VfZwQuerySymbolicLinkObject(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQuerySymbolicLinkObject
		db  1Ch
		db    2
		db    0
		db    0
		dd offset ??_C@_0BJ@CIAKDCJK@ZwQuerySystemInformation@GHGBBCHJ@
		dd offset _VfZwQuerySystemInformation@16 ; VfZwQuerySystemInformation(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwQuerySystemInformation
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53CBD+7
		dd offset _VfZwQueryValueKey@24	; VfZwQueryValueKey(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryValueKey
		db  1Dh
		db    2
		db    0
		db    0
		dd offset ??_C@_0BN@LODIJCKM@ZwQueryVolumeInformationFile@GHGBBCHJ@
		dd offset _VfZwQueryVolumeInformationFile@20 ; VfZwQueryVolumeInformationFile(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryVolumeInformationFile
		db  1Eh
		db    2
		db    0
		db    0
		dd offset ??_C@_0L@KICNCAKG@ZwReadFile@GHGBBCHJ@
		dd offset _VfZwReadFile@36 ; VfZwReadFile(x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwReadFile
		db  1Fh
		db    2
		db    0
		db    0
		dd offset ??_C@_0N@PNPAILHB@ZwReplaceKey@GHGBBCHJ@
		dd offset _VfZwReplaceKey@12 ; VfZwReplaceKey(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwReplaceKey
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BH@IAKOPMKC@ZwRequestWaitReplyPort@GHGBBCHJ@
		dd offset _VfZwRequestWaitReplyPort@12 ; VfZwRequestWaitReplyPort(x,x,x)
		align 10h
		dd offset _pXdvZwRequestWaitReplyPort
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53C3F+5
		dd offset _VfZwResetEvent@8 ; VfZwResetEvent(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwResetEvent
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0N@PDJGDHEJ@ZwRestoreKey@GHGBBCHJ@
		dd offset _VfZwRestoreKey@12 ; VfZwRestoreKey(x,x,x)
		align 10h
		dd offset _pXdvZwRestoreKey
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53D19+7
		dd offset _VfZwSetBootEntryOrder@8 ; VfZwSetBootEntryOrder(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetBootEntryOrder
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BB@COOOOIJN@ZwSetBootOptions@GHGBBCHJ@
		dd offset _VfZwSetBootOptions@8	; VfZwSetBootOptions(x,x)
		align 10h
		dd offset _pXdvZwSetBootOptions
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BG@EMHFEHPC@ZwSetDriverEntryOrder@GHGBBCHJ@
		dd offset _VfZwSetDriverEntryOrder@8 ; VfZwSetDriverEntryOrder(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetDriverEntryOrder
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53CDF+1
		dd offset _VfZwSetEaFile@16 ; VfZwSetEaFile(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetEaFile
		db  27h	; '
		db    2
		db    0
		db    0
		dd offset ??_C@_0L@PNOKKBFP@ZwSetEvent@GHGBBCHJ@
		dd offset _VfZwSetEvent@8 ; VfZwSetEvent(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetEvent
		db  28h	; (
		db    2
		db    0
		db    0
		dd offset loc_A53D07+1
		dd offset _VfZwSetInformationFile@20 ; VfZwSetInformationFile(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetInformationFile
		db  2Ah	; *
		db    2
		db    0
		db    0
		dd offset loc_A53CE8+4
		dd offset _VfZwSetInformationJobObject@16 ; VfZwSetInformationJobObject(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetInformationJobObject
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BH@EKHBPACC@ZwSetInformationObject@GHGBBCHJ@
		dd offset _VfZwSetInformationObject@16 ; VfZwSetInformationObject(x,x,x,x)
		align 10h
		dd offset _pXdvZwSetInformationObject
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53DAE+6
		dd offset _VfZwSetInformationProcess@16	; VfZwSetInformationProcess(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetInformationProcess
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BH@JHOFABAM@ZwSetInformationThread@GHGBBCHJ@
		dd offset _VfZwSetInformationThread@16 ; VfZwSetInformationThread(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetInformationThread
		db  2Dh	; -
		db    2
		db    0
		db    0
		dd offset ??_C@_0BE@JGCEKJAC@ZwSetSecurityObject@GHGBBCHJ@
		dd offset _VfZwSetSecurityObject@12 ; VfZwSetSecurityObject(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetSecurityObject
		db  31h	; 1
		db    2
		db    0
		db    0
		dd offset loc_A53D7C+4
		dd offset _VfZwSetSystemInformation@12 ; VfZwSetSystemInformation(x,x,x)
		align 10h
		dd offset _pXdvZwSetSystemInformation
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53D6F+1
		dd offset _VfZwSetSystemTime@8 ; VfZwSetSystemTime(x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetSystemTime
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0L@EIGLBALK@ZwSetTimer@GHGBBCHJ@
		dd offset _VfZwSetTimer@28 ; VfZwSetTimer(x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetTimer
		db  32h	; 2
		db    2
		db    0
		db    0
		dd offset ??_C@_0O@COONLEMJ@ZwSetValueKey@GHGBBCHJ@
		dd offset _VfZwSetValueKey@24 ;	VfZwSetValueKey(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetValueKey
		db  34h	; 4
		db    2
		db    0
		db    0
		dd offset ??_C@_0BL@EBHBPCHL@ZwSetVolumeInformationFile@GHGBBCHJ@
		dd offset _VfZwSetVolumeInformationFile@20 ; VfZwSetVolumeInformationFile(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetVolumeInformationFile
		db  35h	; 5
		db    2
		db    0
		db    0
		dd offset loc_A53E60+4
		dd offset _VfZwTranslateFilePath@16 ; VfZwTranslateFilePath(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwTranslateFilePath
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0P@IBIICCAK@ZwUnloadDriver@GHGBBCHJ@
		dd offset _VfZwUnloadDriver@4 ;	VfZwUnloadDriver(x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwUnloadDriver
		db  37h	; 7
		db    2
		db    0
		db    0
		dd offset ??_C@_0M@OHLHELHF@ZwUnloadKey@GHGBBCHJ@
		dd offset _VfZwUnloadKey@4 ; VfZwUnloadKey(x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwUnloadKey
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53E27+1
		dd offset _VfZwWaitForMultipleObjects@20 ; VfZwWaitForMultipleObjects(x,x,x,x,x)
		align 10h
		dd offset _pXdvZwWaitForMultipleObjects
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BG@DJNHKNCA@ZwWaitForSingleObject@GHGBBCHJ@
		dd offset _VfZwWaitForSingleObject@12 ;	VfZwWaitForSingleObject(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwWaitForSingleObject
		db  3Ah	; :
		db    2
		db    0
		db    0
		dd offset ??_C@_0M@EHICNDGI@ZwWriteFile@GHGBBCHJ@
		dd offset _VfZwWriteFile@36 ; VfZwWriteFile(x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwWriteFile
		db  3Bh	; ;
		db    2
		db    0
		db    0
		dd offset ??_C@_0BB@OMGJBGBF@ZwAlpcCreatePort@GHGBBCHJ@
		dd offset _VfZwAlpcCreatePort@12 ; VfZwAlpcCreatePort(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwAlpcCreatePort
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53F2B+1
		dd offset _VfZwAlpcConnectPort@44 ; VfZwAlpcConnectPort(x,x,x,x,x,x,x,x,x,x,x)
		align 10h
		dd offset _pXdvZwAlpcConnectPort
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53F12+2
		dd offset _VfZwAlpcAcceptConnectPort@36	; VfZwAlpcAcceptConnectPort(x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwAlpcAcceptConnectPort
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53F5B+1
		dd offset _VfZwAlpcSendWaitReceivePort@32 ; VfZwAlpcSendWaitReceivePort(x,x,x,x,x,x,x,x)
		align 10h
		dd offset _pXdvZwAlpcSendWaitReceivePort
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BM@BOHDK@ZwAlpcCreateSecurityContext@GHGBBCHJ@
		dd offset _VfZwAlpcCreateSecurityContext@12 ; VfZwAlpcCreateSecurityContext(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwAlpcCreateSecurityContext
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BI@JGCMGHHC@ZwAlpcCreatePortSection@GHGBBCHJ@
		dd offset _VfZwAlpcCreatePortSection@24	; VfZwAlpcCreatePortSection(x,x,x,x,x,x)
		align 10h
		dd offset _pXdvZwAlpcCreatePortSection
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53EAF+1
		dd offset _VfZwAlpcCreateSectionView@12	; VfZwAlpcCreateSectionView(x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwAlpcCreateSectionView
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BM@FCGKKLHP@ZwAlpcCreateResourceReserve@GHGBBCHJ@
		dd offset _VfZwAlpcCreateResourceReserve@16 ; VfZwAlpcCreateResourceReserve(x,x,x,x)
		align 10h
		dd offset _pXdvZwAlpcCreateResourceReserve
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53EDF+1
		dd offset _VfZwAlpcSetInformation@16 ; VfZwAlpcSetInformation(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwAlpcSetInformation
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset loc_A53FFF+1
		dd offset _VfZwAlpcQueryInformation@20 ; VfZwAlpcQueryInformation(x,x,x,x,x)
		align 10h
		dd offset _pXdvZwAlpcQueryInformation
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BH@GNBHINHE@ZwRemoveIoCompletionEx@GHGBBCHJ@
		dd offset _VfZwRemoveIoCompletionEx@24 ; VfZwRemoveIoCompletionEx(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		dd offset _pXdvZwRemoveIoCompletionEx
		db 0FFh
		db 0FFh
		db    0
		db    0
		dd offset ??_C@_0BL@FPNCDFPK@ZwCreateTransactionManager@GHGBBCHJ@
		dd offset _VfZwCreateTransactionManager@24 ; VfZwCreateTransactionManager(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCreateTransactionManager
		db 0E2h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BJ@PIFJBJDB@ZwOpenTransactionManager@GHGBBCHJ@
		dd offset _VfZwOpenTransactionManager@24 ; VfZwOpenTransactionManager(x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenTransactionManager
		db    9
		db    2
		db    0
		db    0
		dd offset ??_C@_0CF@GDCHDIPJ@ZwQueryInformationTransactionMa@GHGBBCHJ@
		dd offset _VfZwQueryInformationTransactionManager@20 ; VfZwQueryInformationTransactionManager(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryInformationTransactionManager
		db  17h
		db    2
		db    0
		db    0
		dd offset ??_C@_0BE@LIPAKKGA@ZwCreateTransaction@GHGBBCHJ@
		dd offset _VfZwCreateTransaction@40 ; VfZwCreateTransaction(x,x,x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCreateTransaction
		db 0E1h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BC@EAIKDAOG@ZwOpenTransaction@GHGBBCHJ@
		dd offset _VfZwOpenTransaction@20 ; VfZwOpenTransaction(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenTransaction
		db    8
		db    2
		db    0
		db    0
		dd offset ??_C@_0BO@OGPHOCCL@ZwQueryInformationTransaction@GHGBBCHJ@
		dd offset _VfZwQueryInformationTransaction@20 ;	VfZwQueryInformationTransaction(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryInformationTransaction
		db  16h
		db    2
		db    0
		db    0
		dd offset ??_C@_0BM@POLPOMDM@ZwSetInformationTransaction@GHGBBCHJ@
		dd offset _VfZwSetInformationTransaction@16 ; VfZwSetInformationTransaction(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetInformationTransaction
		db  2Fh	; /
		db    2
		db    0
		db    0
		dd offset ??_C@_0BH@CLOABDGB@ZwPrePrepareEnlistment@GHGBBCHJ@
		dd offset _VfZwPrePrepareEnlistment@8 ;	VfZwPrePrepareEnlistment(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwPrePrepareEnlistment
		db  0Ch
		db    2
		db    0
		db    0
		dd offset loc_A540EB+1
		dd offset _VfZwPrepareEnlistment@8 ; VfZwPrepareEnlistment(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwPrepareEnlistment
		db  0Eh
		db    2
		db    0
		db    0
		dd offset loc_A540D7+1
		dd offset _VfZwCommitEnlistment@8 ; VfZwCommitEnlistment(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCommitEnlistment
		db 0D6h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BF@IILIILLD@ZwRollbackEnlistment@GHGBBCHJ@
		dd offset _VfZwRollbackEnlistment@8 ; VfZwRollbackEnlistment(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwRollbackEnlistment
		db  25h	; %
		db    2
		db    0
		db    0
		dd offset loc_A5404F+1
		dd offset _VfZwPrepareComplete@8 ; VfZwPrepareComplete(x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwPrepareComplete
		db  0Dh
		db    2
		db    0
		db    0
		dd offset ??_C@_0BD@OGJCHHOH@ZwCreateEnlistment@GHGBBCHJ@
		dd offset _VfZwCreateEnlistment@32 ; VfZwCreateEnlistment(x,x,x,x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwCreateEnlistment
		db 0D9h	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BB@POKGJIDK@ZwOpenEnlistment@GHGBBCHJ@
		dd offset _VfZwOpenEnlistment@20 ; VfZwOpenEnlistment(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwOpenEnlistment
		db 0FAh	; 
		db    1
		db    0
		db    0
		dd offset ??_C@_0BN@DPCDDCJP@ZwQueryInformationEnlistment@GHGBBCHJ@
		dd offset _VfZwQueryInformationEnlistment@20 ; VfZwQueryInformationEnlistment(x,x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwQueryInformationEnlistment
		db  12h
		db    2
		db    0
		db    0
		dd offset loc_A54153+1
		dd offset _VfZwSetInformationEnlistment@16 ; VfZwSetInformationEnlistment(x,x,x,x)
		db    0
		db    0
		db    0
		db    0
		db    8
		db    0
		db    0
		db    0
		dd offset _pXdvZwSetInformationEnlistment
		db  29h	; )
		db    2
		db    0
		db    0
		dd offset ??_C@_0BE@EEGNAMPL@ZwQueryLicenseValue@GHGBBCHJ@
		dd offset _VfZwQueryLicenseValue@20 ; VfZwQueryLicenseValue(x,x,x,x,x)
		align 10h
		dd offset _pXdvZwQueryLicenseValue
		db 0FFh
		db 0FFh
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
_ViExpectedDriversCount	dd 0		; DATA XREF: ViInitSystemPhase0:loc_AE6C9Ar
					; VfRandomInit+1A27Aw ...
_ViRandomSeed	dd 0			; DATA XREF: VfRandomGetNumber(x,x)+5o
					; VfRandomInit+15w
_VfDifSetting	dd 0			; DATA XREF: VfUtilUpdateSpecialPoolSetting(x)+Er
					; VfUtilUpdateSpecialPoolSetting(x)+1Ew ...
_XdvEnabled	dd 0			; DATA XREF: ViDifCheckCallbackInterception:loc_5DC7C8r
					; VfIsVerifierExtensionEnabled()r ...
; void VfRuleViolationStackSavedArea
_VfRuleViolationStackSavedArea dd 0	; DATA XREF: VfUtilCaptureViolationKernelStack(x,x)+94o
					; VfUtilCaptureViolationKernelStack(x,x)+B4o ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViLocalSystemDescriptor dd ?		; DATA XREF: VfUtilIsLocalSystem(x)+59r
					; ViInitializeLocalSystemDescriptor()r	...
_ViXdvThunksNotFound dd	?		; DATA XREF: ViXdvBindXdvDDIWrappers(x)+1Aw
					; ViXdvBindXdvDDIWrappers(x)+80r ...
_ViXdvThunksNotPristine	dd ?		; DATA XREF: ViXdvBindXdvDDIWrappers(x)+20w
					; ViXdvSearchAndReplaceThunkArray(x,x,x,x)+29w	...
_ViXdvThunksShared dd ?			; DATA XREF: ViXdvBindXdvDDIWrappers(x)+26w
					; ViXdvSearchAndReplaceThunkArray(x,x,x,x)+33w	...
_ViXdvEPThunksNoXdvEntry dd ?		; DATA XREF: ViXdvBindXdvDriverEntryWrappers(x)+Ew
					; ViXdvBindXdvDriverEntryWrappers(x)+4Fr ...
_ViCtxInterrupts dd ?			; DATA XREF: ViCtxCaptureInitialIsrState(x)+6w
_ViCtxInterruptsChecked	dd ?		; DATA XREF: ViCtxCaptureInitialIsrState(x):loc_A6DB02w
_ViXdvThunksNoXdvEntry dd ?		; DATA XREF: ViXdvBindXdvDDIWrappers(x)+Ew
					; ViXdvBindXdvDDIWrappers(x)+68r ...
_ViXdvThunksBoundToXdv dd ?		; DATA XREF: ViXdvBindXdvDDIWrappers(x)+14w
					; ViXdvSearchAndReplaceThunkArray(x,x,x,x):loc_A5BFCCw	...
_ViFnXdvQueryDispatchTable dd ?		; DATA XREF: VfQueryDispatchTable(x,x):loc_67778Fr
					; ViXdvDriverLoadImage(x)+2ABw
_VfDifAPIThunkContextHead dd ?		; DATA XREF: ViSetRequestedIoCallbacks(x):loc_6778C5r
					; ViSetRequestedIoCallbacks(x)+4Cr ...
_PFnViUpdateDIFPlugins dd ?		; DATA XREF: VfNotifyDifPlugins(x,x)+Br
					; VfNotifyDifPlugins(x,x)+A7r ...
_ViXdvEPBound	dd ?			; DATA XREF: ViXdvBindXdvDriverEntryWrappers(x)+14w
					; ViXdvBindXdvDriverEntryWrappers(x)+9Er ...
_ViXdvTipUtils	dd ?			; DATA XREF: ViXdvDriverLoadImage(x)+2BAw
					; VerifierBugCheckIfAppropriate(x,x,x,x,x)+25r	...
_ViFnExtensionHiberFunc	dd ?		; DATA XREF: PopMarkComponentsBootPhase+8701r
					; ViXdvDriverLoadImage(x)+22Fw	...
_ViFnXdvNotifyExtensions dd ?		; DATA XREF: VfNotifyVerifierExtensions(x,x)+Br
					; ViXdvDriverLoadImage(x)+26Bw
_ViObjectContextInitialized db	  ? ;	; DATA XREF: VfObjectContextInit()+2Do
		db    ?	;
		db    ?	;
		db    ?	;
_ViBugcheckWorkaroundLogIndex dd ?	; DATA XREF: VfBugcheckLogWorkaround(x,x,x)+8w
_ViIoCallbacksInitialized dd ?		; DATA XREF: VfFastIoSnapState()r
					; VfFastIoSnapState()+62o ...
; size_t ViCtxXStateSize
_ViCtxXStateSize dd ?			; DATA XREF: VfCtxInit()+3Ew
					; ViCtxAllocateXStateContexts(x)+3r ...
_ViCtxHintIndex	dd ?			; DATA XREF: ViCtxReserveIsrStateBlock()+6w
_ViCtxInitializedIsrStateBlocks	dd ?	; DATA XREF: VerifierIoDisconnectInterrupt(x)+Br
					; VfCtxHookAndConnectInterrupt(x,x,x,x,x,x,x,x,x,x,x)+Dr ...
_ViSessionDataInitialized dd ?		; DATA XREF: IovpSessionDataCreate(x,x,x)+30r
					; VfSessionDataInit()+30o
_ViRemLockInitialized dd ?		; DATA XREF: VfInitVerifierComponents(x,x,x)+232o
					; VerifierIoAcquireRemoveLockEx(x,x,x,x,x)+5r ...
_ViTargetWMIRegistrationMismatches dd ?	; DATA XREF: ViTargetWMIDeregister(x,x):loc_A64B6Aw
dword_AAF4F4	dd ?			; DATA XREF: ViTargetWMIDeregisterCallback(x,x)+1Bw
_ViCtxXStateEnabledMask	dd ?		; DATA XREF: VfCtxInit()+2Dw
					; VfCtxInit():loc_A6D9B3r ...
dword_AAF4FC	dd ?			; DATA XREF: VfCtxInit()+33w
					; VfCtxInit()+52r ...
_ViPacketLookaside db	 ? ;		; DATA XREF: VfInitVerifierComponents(x,x,x)+B2o
					; VfPacketCreateAndLock(x)+6o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViObjectContextTableLookaside db    ? ; ; DATA	XREF: VfObjectContextInit()+20o
					; ViAllocateContextTable(x)+5o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViBugcheckWorkaroundLog dd ?		; DATA XREF: VfBugcheckLogWorkaround(x,x,x)+1Aw
dword_AAF684	dd ?			; DATA XREF: VfBugcheckLogWorkaround(x,x,x)+24w
dword_AAF688	dd ?			; DATA XREF: VfBugcheckLogWorkaround(x,x,x)+2Aw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViIoCallbackStateLookaside db	  ? ;	; DATA XREF: VfFastIoCheckState(x,x)+91o
					; VfFastIoSnapState()+55o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViCtxIsrStateBlocks dd	?		; DATA XREF: ViCtxReserveIsrStateBlock()+18r
unk_AAF804	db    ?	;		; DATA XREF: VfCtxInit()+47o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViSessionDataLookaside	db    ?	;	; DATA XREF: IovpSessionDataCreate(x,x,x)+39o
					; IovpSessionDataDereference(x)+32o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViRemLockAvl	db    ?	;		; DATA XREF: VfInitVerifierComponents(x,x,x)+220o
					; VerifierIoInitializeRemoveLockEx(x,x,x,x,x)+6Co ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_AAFDC4	dd ?			; DATA XREF: VfRemLockDeleteMemoryRange(x,x)+24r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_AAFDD4	dd ?			; DATA XREF: ViRemLockDeleteFirstTreeNode(x,x)+5Ar
_ViRemLockAllocationFailures db	   ? ;	; DATA XREF: VfInitVerifierComponents(x,x,x)+239o
					; VerifierIoInitializeRemoveLockEx(x,x,x,x,x)+7Fo
		db    ?	;
		db    ?	;
		db    ?	;
_ViRemLockReusedCount dd ?		; DATA XREF: VerifierIoInitializeRemoveLockEx(x,x,x,x,x):loc_A63C70w
_ViResourceInitialized dd ?		; DATA XREF: VfInitVerifierComponents(x,x,x)+D0o
					; VerifierExDeleteResourceLite(x)+1Br ...
_ViResourceNotTracked dd ?		; DATA XREF: VfInitVerifierComponents(x,x,x)+D9o
					; VerifierExDeleteResourceLite(x)+52r ...
_ViResourcesAlreadyLoadedDrivers dd ?	; DATA XREF: ViThunkApplyMandatoryThunksCurrentSession(x,x)+3Co
					; ViThunkApplyThunksCurrentSession(x,x)+5Do ...
_ViResourceStaleNodes dd ?		; DATA XREF: VerifierExInitializeResourceLite(x):loc_A6C3C8w
					; VfCheckForResource(x,x)+9Fw
_VfPoolTracesIndex dd ?			; DATA XREF: ViPoolLogStackTrace(x,x)+Ew
_ViBugcheckLogIndex dd ?		; DATA XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x)+98w
_ViBugcheckLog	dd ?			; DATA XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x)+BCw
dword_AAFDFC	dd ?			; DATA XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x)+C2w
dword_AAFE00	dd ?			; DATA XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x)+AAw
dword_AAFE04	dd ?			; DATA XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x)+B3w
dword_AAFE08	dd ?			; DATA XREF: VerifierBugCheckIfAppropriate(x,x,x,x,x)+C8w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViDevObjAvl	db    ?	;		; DATA XREF: VfInitVerifierComponents(x,x,x)+24Eo
					; VfDevObjIsDeviceRemoved(x)+37o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_AAFF4C	dd ?			; DATA XREF: ViDevObjRemove(x)+77r
_ViDevObjAllocationFailures db	  ? ;	; DATA XREF: VfInitVerifierComponents(x,x,x)+261o
					; ViDevObjAdd(x)+3Co
		db    ?	;
		db    ?	;
		db    ?	;
_ViDevObjInitialized dd	?		; DATA XREF: VfInitVerifierComponents(x,x,x)+258o
					; ViDevObjAdd(x)+19r ...
_VfPoolTraces	dd ?			; DATA XREF: VfAllocPoolNotification(x,x):loc_A6A300r
					; VfFreePoolNotification(x,x):loc_A6A390r ...
_VfKeCriticalRegionTracesIndex dd ?	; DATA XREF: ViKeLogCriticalRegionStackTrace()+Dw
_ViShutdownWatchdogTimer db    ? ;	; DATA XREF: ViShutdownScheduleWatchdog()+2Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViShutdownWatchdogDpc db    ? ;	; DATA XREF: ViShutdownScheduleWatchdog()+1Do
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViKeTrackIrqlDisabled dd ?		; DATA XREF: VfNotifyVerifierOfEvent(x)+AAo
					; VfKeIrqlTransitionReserveLogEntry(x,x)+Dr
_ViKeTrackIrqlSkipped dd ?		; DATA XREF: VfKeIrqlTransitionReserveLogEntry(x,x)+15w
_VfKeCriticalRegionTraces dd ?		; DATA XREF: ViKeLogCriticalRegionStackTrace()r
					; ViKeLogCriticalRegionStackTrace()+28r ...
_ViLookasideInitialized	dd ?		; DATA XREF: VfInitVerifierComponents(x,x,x)+76o
					; VfCheckForLookaside(x,x)+13r	...
_ViLookasideAllocationFailures dd ?	; DATA XREF: VfInitVerifierComponents(x,x,x)+7Fo
					; ViLookasideAdd(x)+3Ao ...
_ViLookasideAlreadyLoadedDrivers dd ?	; DATA XREF: ViThunkApplyMandatoryThunksCurrentSession(x,x)+32o
					; ViThunkApplyThunksCurrentSession(x,x)+56o ...
_ViResourceAvl	db    ?	;		; DATA XREF: VfInitVerifierComponents(x,x,x)+C6o
					; VerifierExDeleteResourceLite(x)+43o ...
		db    ?	;
		db    ?	;
		db    ?	;
dword_AAFFC4	dd ?			; DATA XREF: VerifierExDeleteResourceLite(x)+27r
					; VfCheckForResource(x,x)+35r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_AAFFD4	dd ?			; DATA XREF: VerifierExDeleteResourceLite(x)+9Fr
					; VerifierExInitializeResourceLite(x)+F9r ...
_ViShutdownTimeoutCount	dd ?		; DATA XREF: ViShutdownWatchdogExecuteDpc(x,x,x,x)r
					; ViShutdownWatchdogExecuteDpc(x,x,x,x)+Ew
_VfShutdownThread dd ?			; DATA XREF: ViShutdownScheduleWatchdog()r
					; ViShutdownScheduleWatchdog()+Fw ...
_ViEtwLastStopTraceCount dd ?		; DATA XREF: ViShutdownWatchdogExecuteDpc(x,x,x,x)+28r
					; ViShutdownWatchdogExecuteDpc(x,x,x,x)+30w
_ViSystemSufficientlyBooted dd ?	; DATA XREF: VfFaultsIsSystemSufficientlyBooted()+7r
					; VfFaultsIsSystemSufficientlyBooted():loc_A67B88w ...
_ViLookasideAvl	db    ?	;		; DATA XREF: VfInitVerifierComponents(x,x,x)+68o
					; VfCheckForLookaside(x,x)+3Eo	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_AAFFFC	dd ?			; DATA XREF: ViLookasideAdd(x)+BDr
					; ViLookasideDelete(x)+8Fr
_ViRequiredTimeSinceBootInMsecs	dd ?	; DATA XREF: VfFaultsInitPhase0()+13w
					; VfFaultsIsSystemSufficientlyBooted()+50r
dword_AB0004	dd ?			; DATA XREF: VfFaultsInitPhase0()+18w
					; VfFaultsIsSystemSufficientlyBooted()+46r
_ViFaultsInitialized dd	?		; DATA XREF: VfFaultsInitPhase0()+2Dw
					; VfFaultsInjectPoolAllocationFailure(x):loc_A67993r ...
_ViFaultsDisabled dd ?			; DATA XREF: VfNotifyVerifierOfEvent(x)+B9o
					; VfFaultsInjectPoolAllocationFailure(x):loc_A679A4r ...
_ViFaultTracesIndex dd ?		; DATA XREF: ViFaultsTracesLog(x)+Dw
_ViTrackIrqlQueue dd ?			; DATA XREF: PopMarkComponentsBootPhase+86D0r
					; PopMarkComponentsBootPhase+86E2r ...
_ViTrackIrqlIndex dd ?			; DATA XREF: VfKeIrqlTransitionReserveLogEntry(x,x)+21w
_ViFaultsProcessNotifyRoutineSet dd ?	; DATA XREF: VfFaultsSetParameters(x)+2Cr
					; VfFaultsSetParameters(x)+41w	...
_ViFaultsDecisions dd ?			; DATA XREF: VfFaultsInjectResourceFailure(x)+1Ew
dword_AB0024	dd ?			; DATA XREF: VfFaultsInjectPoolAllocationFailure(x)+21w
dword_AB0028	dd ?			; DATA XREF: VfFaultsInjectResourceFailure(x)+70w
dword_AB002C	dd ?			; DATA XREF: VfFaultsIsSystemSufficientlyBooted():loc_A67B94w
dword_AB0030	dd ?			; DATA XREF: ViFaultsIsCurrentAppTarget()+6Dw
dword_AB0034	dd ?			; DATA XREF: ViFaultsIsCurrentAppTarget():loc_A68249w
dword_AB0038	dd ?			; DATA XREF: VfFaultsInjectResourceFailure(x)+C9w
dword_AB003C	dd ?			; DATA XREF: VfFaultsInjectResourceFailure(x):loc_A67AEEw
dword_AB0040	dd ?			; DATA XREF: VfFaultsInjectResourceFailure(x)+11Ew
dword_AB0044	dd ?			; DATA XREF: ViFaultsIsTagTarget(x)+3Dw
dword_AB0048	dd ?			; DATA XREF: ViFaultsIsTagTarget(x):loc_A682CDw
dword_AB004C	dd ?			; DATA XREF: VfFaultsInjectPoolAllocationFailure(x)+32w
					; VfFaultsInjectResourceFailure(x)+34w
_ViFaultTraces	dd ?			; DATA XREF: ViFaultsTracesInitialize()+2Aw
					; ViFaultsTracesLog(x)r ...
_VfRealHalAllocateMapRegisters dd ?	; DATA XREF: VfHalAllocateMapRegisters(x,x,x,x)+5r
					; ViHalApplySettings()+2Ew
; void ViMajorVerifierRoutines
_ViMajorVerifierRoutines db    ? ;	; DATA XREF: VfInitVerifierComponents(x,x,x)+112o
					; VfMajorRegisterHandlers(x,x,x,x,x,x,x,x,x,x,x,x,x)+2Ao
		db    ?	;
		db    ?	;
		db    ?	;
dword_AB005C	dd ?			; DATA XREF: VfMajorVerifyNewRequest(x,x,x,x,x,x)+2Br
dword_AB0060	dd ?			; DATA XREF: VfMajorVerifyIrpStackDownward(x,x,x,x,x,x)+30r
dword_AB0064	dd ?			; DATA XREF: VfMajorVerifyIrpStackUpward(x,x,x,x,x)+2Br
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_AB006C	dd ?			; DATA XREF: VfMajorAdvanceIrpStatus(x,x,x)+3Cr
dword_AB0070	dd ?			; DATA XREF: VfMajorIsValidIrpStatus(x,x)+23r
dword_AB0074	dd ?			; DATA XREF: VfMajorIsNewRequest(x,x)+23r
dword_AB0078	dd ?			; DATA XREF: VfMajorVerifyNewIrp(x,x,x,x,x)+2Br
dword_AB007C	dd ?			; DATA XREF: VfMajorVerifyFinalIrpStack(x,x)+23r
dword_AB0080	dd ?			; DATA XREF: VfMajorTestStartedPdoStack(x)+34r
dword_AB0084	dd ?			; DATA XREF: VfMajorBuildIrpLogEntry(x,x,x,x)+3Er
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_AB0598	dd ?			; DATA XREF: VfInitVerifierComponents(x,x,x)+1BEw
dword_AB059C	dd ?			; DATA XREF: VfInitVerifierComponents(x,x,x)+1A0w
					; VfMajorVerifyNewRequest(x,x,x,x,x,x):loc_A64F70r
dword_AB05A0	dd ?			; DATA XREF: VfInitVerifierComponents(x,x,x)+1AAw
					; VfMajorVerifyIrpStackDownward(x,x,x,x,x,x):loc_A64E51r
dword_AB05A4	dd ?			; DATA XREF: VfInitVerifierComponents(x,x,x)+1B4w
					; VfMajorVerifyIrpStackUpward(x,x,x,x,x):loc_A64EB2r
dword_AB05A8	dd ?			; DATA XREF: VfInitVerifierComponents(x,x,x)+1C8w
dword_AB05AC	dd ?			; DATA XREF: VfInitVerifierComponents(x,x,x)+1CEw
					; VfMajorAdvanceIrpStatus(x,x,x):loc_A64C50r
dword_AB05B0	dd ?			; DATA XREF: VfInitVerifierComponents(x,x,x)+1D4w
					; VfMajorIsValidIrpStatus(x,x):loc_A64D4Er
dword_AB05B4	dd ?			; DATA XREF: VfInitVerifierComponents(x,x,x)+1DEw
					; VfMajorIsNewRequest(x,x):loc_A64D03r
dword_AB05B8	dd ?			; DATA XREF: VfInitVerifierComponents(x,x,x)+1E8w
					; VfMajorVerifyNewIrp(x,x,x,x,x):loc_A64F11r
dword_AB05BC	dd ?			; DATA XREF: VfInitVerifierComponents(x,x,x)+1F2w
					; VfMajorVerifyFinalIrpStack(x,x):loc_A64DEEr
dword_AB05C0	dd ?			; DATA XREF: VfInitVerifierComponents(x,x,x)+1FCw
					; VfMajorTestStartedPdoStack(x)+48r
dword_AB05C4	dd ?			; DATA XREF: VfInitVerifierComponents(x,x,x)+202w
					; VfMajorBuildIrpLogEntry(x,x,x,x)+5r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViAllocationsFailedDeliberately db    ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_VfFilterCreated dd ?			; DATA XREF: VfFilterAttach(x,x)+8r
					; VfFilterAttach(x,x)+49w
_ViIrpCallDriverDataList db    ? ;	; DATA XREF: IovCallDriver(x,x,x)+205o
					; VfInitVerifierComponents(x,x,x)+101o	...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViKernelVerifierThunks	dd ?		; DATA XREF: ViInitializeKernelVerifierThunks():loc_678771w
					; MiInitSystem:loc_AE1C32o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViSufficientlyBootedForDmaFailure db	 ? ;
		db    ?	;
		db    ?	;
		db    ?	;
_ViAdapterList	dd ?			; DATA XREF: VfDisableHalVerifier()+10r
					; VfDisableHalVerifier()+17o ...
dword_AB06DC	dd ?			; DATA XREF: VfHalVerifierInitialize()+25w
dword_AB06E0	dd ?			; DATA XREF: VF_FIND_DEVICE_INFORMATION_AND_REMOVE(x)+12o
					; VF_FIND_DEVICE_INFORMATION_AND_REMOVE(x)+3Eo	...
_ViHalEnabledInThePast dd ?		; DATA XREF: ViHalApplySettings():loc_A60768r
					; ViHalApplySettings()+43w
_ViDomainCommonBufferList dd ?		; DATA XREF: VfHalVerifierInitialize()+2Fo
					; VfHalVerifierInitialize()+4Bw ...
dword_AB06EC	dd ?			; DATA XREF: VfHalVerifierInitialize()+46w
dword_AB06F0	dd ?			; DATA XREF: VfHalVerifierInitialize()+40w
					; ViHalFreeDomainCommonBuffer(x)+16o ...
_ViEnableAfterHibernate	dd ?		; DATA XREF: VfNotifyOfHibernate(x)+16w
					; VfNotifyOfHibernate(x):loc_A5F265r ...
_ViDMADisabledNoRebootNeeded dd	?	; DATA XREF: VfGetDmaAdapter(x,x,x)+36r
					; ViHalApplySettings():loc_A607A5w
_ViDeadlockDetectionEnabled dd ?	; DATA XREF: VerifierKeWaitForMultipleObjects(x,x,x,x,x,x,x,x)+3Cr
					; VerifierKeWaitForSingleObject(x,x,x,x,x)+29r	...
_ViHalWaitBlockLookaside db    ? ;	; DATA XREF: ViFlushZeroMapRegisterBaseWcbs(x)+7Ao
					; VfAllocateAdapterChannel(x,x,x,x,x)+34o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViDeadlockThreadLookaside db	 ? ;	; DATA XREF: VfDeadlockInitialize(x,x)+122o
					; VfDeadlockInitialize(x,x)+1A8o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViDeadlockResourceLookaside db	   ? ;	; DATA XREF: VfDeadlockInitialize(x,x)+15Co
					; VfDeadlockInitialize(x,x)+1C3o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViDeadlockNodeLookaside db    ? ;	; DATA XREF: VfDeadlockInitialize(x,x)+193o
					; ViDeadlockAllocate(x):loc_A69432o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViStackSwitchAlreadyReported dd ?	; DATA XREF: ViDeadlockCheckStackLimits()+3Dr
					; ViDeadlockCheckStackLimits()+55w
_ViDeadlockGlobals dd ?			; DATA XREF: ViDeadlockRemoveMemoryRangeResources(x,x,x,x)+39r
					; ViDeadlockRemoveMemoryRangeThreads(x,x,x,x)+36r ...
_ViDeadlockState dd ?			; DATA XREF: VfDeadlockAcquireResource(x,x,x,x,x)+423w
					; VfDeadlockInitialize(x,x)+1CDw ...
_VfWdIrpListLock dd ?			; DATA XREF: VfWdInit()+3Fw
					; ViWdBeforeCancelIrp(x)+19o ...
_ViWdIrpTimer	db    ?	;		; DATA XREF: VfWdCheckForSettingsChange(x)+18o
					; VfWdInit()+4Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViWdIrpTimerDpc db    ? ;		; DATA XREF: VfWdCheckForSettingsChange(x)+25o
					; VfWdCheckForSettingsChange(x)+48o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VfWdIrpListHead dd ?			; DATA XREF: VfWdInit()+17o
					; VfWdInit()+3Aw ...
dword_AB0A5C	dd ?			; DATA XREF: VfWdInit()+35w
					; ViWdFlushIrpList()+16w ...
_ViWdInitialized dd ?			; DATA XREF: VfWdInit()+73o
					; ViWdBeforeCallDriver(x,x,x)+23r
_ViWdCancelling	dd ?			; DATA XREF: VfWdCheckForSettingsChange(x)+Fo
					; ViWdIrpTimerDpcRoutine(x,x,x,x):loc_A6B79Dr
_ViDdiWmiMofResourceName dw ?		; DATA XREF: VfDdiExposeWmiObjects()+21o
					; ViDdiBuildWmiRegInfoData(x,x)+85r ...
		align 4
; void *dword_AB0A6C
dword_AB0A6C	dd ?			; DATA XREF: ViDdiBuildWmiRegInfoData(x,x)+A8r
_ViDdiDeviceObjectArray	dd ?		; DATA XREF: ViDdiDriverEntry(x,x)+30w
					; ViDdiDriverEntry(x,x)+61r ...
_ViWdIrpListLength dd ?			; DATA XREF: ViWdBeforeCancelIrp(x)+4Aw
					; ViWdFlushIrpList()+22w ...
_ViWdIrpListLengthMaximum dd ?		; DATA XREF: ViWdInsertSortIrp(x)+38r
					; ViWdInsertSortIrp(x)+4Aw
_ViWdCancelIrpCount dd ?		; DATA XREF: ViWdBeforeCancelIrp(x)+13w
_ViWdIrpLookasideList db    ? ;		; DATA XREF: VfWdInit()+30o
					; ViWdBeforeCallDriver(x,x,x)+2Co ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViDdiWmiMofKey	dw ?			; DATA XREF: VfDdiExposeWmiObjects()+16o
					; ViDdiBuildWmiRegInfoData(x,x)+40r ...
		align 4
; void *dword_AB0B44
dword_AB0B44	dd ?			; DATA XREF: ViDdiBuildWmiRegInfoData(x,x)+5Fr
; void VfBTSDataManagementArea
_VfBTSDataManagementArea dd ?		; DATA XREF: VfInitializeBranchTracing()+40o
					; VfInitializeBranchTracing()+92w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VfErrorBugcheckDataReady db	? ;	; DATA XREF: VfErrorReleaseTriageInformation()+2o
					; VfErrorStoreTriageInformation(x,x,x,x,x)+Co ...
		db    ?	;
		db    ?	;
		db    ?	;
_ViWdTickCount	dd ?			; DATA XREF: ViWdBeforeCancelIrp(x)+1Fr
					; ViWdIrpTimerDpcRoutine(x,x,x,x)+16r ...
_VfErrorBugcheckData dd	?		; DATA XREF: VfErrorStoreTriageInformation(x,x,x,x,x)+1Aw
dword_AB0BD4	dd ?			; DATA XREF: VfErrorStoreTriageInformation(x,x,x,x,x)+20w
dword_AB0BD8	dd ?			; DATA XREF: VfErrorStoreTriageInformation(x,x,x,x,x)+26w
dword_AB0BDC	dd ?			; DATA XREF: VfErrorStoreTriageInformation(x,x,x,x,x)+2Ew
dword_AB0BE0	dd ?			; DATA XREF: VfErrorStoreTriageInformation(x,x,x,x,x)+36w
_VfBTSSupported	dd ?			; DATA XREF: VfStartBranchTracing()+Cr
					; VfStopBranchTracing()+Cr ...
_VfBTSInitialized dd ?			; DATA XREF: VfInitializeBranchTracing()+1Br
					; VfInitializeBranchTracing():loc_A65329w ...
_VfMrxsmbDllBase dd ?			; DATA XREF: ViDeadlockCertify(x,x):loc_A6976Ar
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+101w	...
_VfBTSStarted	dd ?			; DATA XREF: VfStartBranchTracing()+2Ar
					; VfStartBranchTracing()+62w ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VfMrxsmbSizeOfImage dd	?		; DATA XREF: ViDeadlockCertify(x,x)+C8r
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+109w
_VfTmDllBase	dd ?			; DATA XREF: ViDeadlockCertify(x,x)+E5r
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+124w	...
_VfTdxDllBase	dd ?			; DATA XREF: ViDeadlockCertify(x,x):loc_A6974Dr
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+DBw ...
_VfTdxSizeOfImage dd ?			; DATA XREF: ViDeadlockCertify(x,x)+A9r
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+E3w
_VfKsDllBase	dd ?			; DATA XREF: ViDeadlockCertify(x,x):loc_A697B4r
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+16Aw	...
_VfKsSizeOfImage dd ?			; DATA XREF: ViDeadlockCertify(x,x)+110r
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+172w
_VfTmSizeOfImage dd ?			; DATA XREF: ViDeadlockCertify(x,x)+F3r
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+12Cw
_VfWin32kDllBase dd ?			; DATA XREF: VfDeadlockAcquireResource(x,x,x,x,x)+54r
					; ViDeadlockCertify(x,x)+Ar ...
_VfWin32kSizeOfImage dd	?		; DATA XREF: VfDeadlockAcquireResource(x,x,x,x,x)+6Ar
					; ViDeadlockCertify(x,x)+19r ...
_VfTcpIpDllBase	dd ?			; DATA XREF: ViDeadlockCertify(x,x):loc_A69730r
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+B5w ...
_VfRandomTargetsBitMapHeader dd	?	; DATA XREF: ViInitSystemPhase0+1A21Fw
					; ViInitSystemPhase0+1A231o
dword_AB0C9C	dd ?			; DATA XREF: VfInitPickCurrentRandomTarget()+13r
					; ViInitSystemPhase0+1A227w ...
_VfTcpIpSizeOfImage dd ?		; DATA XREF: ViDeadlockCertify(x,x)+8Cr
					; VfSuspectDriversLoadCallback(x,x,x,x,x)+BDw
_ViImageExecutionOptions dd ?		; DATA XREF: ViInitSystemPhase1+1Cr
					; INIT:00AF6308o
_VfRandomTargetsBitMap db    ? ;	; DATA XREF: ViInitSystemPhase0+1A227o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_ViSearchedNodesLimitFromRegistry dd ?	; DATA XREF: VfDeadlockInitialize(x,x):loc_A68BD4r
					; INIT:00AF3B60o
_ViRecursionDepthLimitFromRegistry dd ?	; DATA XREF: VfDeadlockInitialize(x,x)+ADr
					; INIT:00AF3B48o
_ViVerifyBTSBufferSize dd ?		; DATA XREF: VfInitializeBranchTracing()+4Ar
					; VfInitializeBranchTracing()+62w ...
_VfRandomVerifiedDrivers dd ?		; DATA XREF: VfInitPickCurrentRandomTarget()+3r
					; VfInitPickCurrentRandomTarget()+33w ...
_ViVerifyTriageRules dd	?		; DATA XREF: VfTriageSystem+1A3BFo
					; ViFindTriageDriverTargets(x,x)+6o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VfWdIrpTimeoutMsec dd ?		; DATA XREF: VfWdInit()+66r
					; INIT:00AF3950o
_VfZeroAllPagesRunning dd ?		; DATA XREF: MiZeroAllPageFiles()+2Fw
					; MiZeroAllPageFiles()+158w ...
_VfBugcheckTmpData dd ?			; DATA XREF: VerifierCrashEvent(x)+26r
					; VfBugCheckNoStackUsage()+18r	...
dword_AB1D04	dd ?			; DATA XREF: VerifierCrashEvent(x)+30r
					; VfBugCheckNoStackUsage()+12r	...
dword_AB1D08	dd ?			; DATA XREF: VerifierCrashEvent(x)+38r
					; VfBugCheckNoStackUsage()+Cr ...
dword_AB1D0C	dd ?			; DATA XREF: VerifierCrashEvent(x)+40r
					; VfBugCheckNoStackUsage()+6r ...
dword_AB1D10	dd ?			; DATA XREF: VerifierCrashEvent(x)+48r
					; VfBugCheckNoStackUsage()r ...
_VfBugcheckTmpDataLock dd ?		; DATA XREF: IovCallDriver(x,x,x)+5Ao
					; IovCallDriver(x,x,x)+E9o ...
_pXdvZwUnlockFile dd ?			; DATA XREF: VerifierZwUnlockFile(x,x,x,x,x)+6r
					; PAGEVRFD:00AAAAF8o
_pXdvZwUnmapViewOfSection dd ?		; DATA XREF: VerifierZwUnmapViewOfSection(x,x)+6r
					; PAGEVRFD:00AAAB10o
_pXdvZwSetInformationToken dd ?		; DATA XREF: VerifierZwSetInformationToken(x,x,x,x)+6r
					; PAGEVRFD:00AAAA98o
_pXdvZwSetQuotaInformationFile dd ?	; DATA XREF: VerifierZwSetQuotaInformationFile(x,x,x,x)+6r
					; PAGEVRFD:00AAAAB0o
_pXdvZwSetTimerEx dd ?			; DATA XREF: VerifierZwSetTimerEx(x,x,x,x)+6r
					; PAGEVRFD:00AAAAC8o
_pXdvZwTerminateProcess	dd ?		; DATA XREF: VerifierZwTerminateProcess(x,x)+6r
					; PAGEVRFD:00AAAAE0o
_pXdvZwOpenResourceManager dd ?		; DATA XREF: VerifierZwOpenResourceManager(x,x,x,x,x)+6r
					; PAGEVRFD:00AAA978o
_pXdvZwPrePrepareComplete dd ?		; DATA XREF: VerifierZwPrePrepareComplete(x,x)+6r
					; PAGEVRFD:00AAA990o
_pXdvZwQueryInformationResourceManager dd ?
					; DATA XREF: VerifierZwQueryInformationResourceManager(x,x,x,x,x)+6r
					; PAGEVRFD:00AAA9A8o
_pXdvZwQueryQuotaInformationFile dd ?	; DATA XREF: VerifierZwQueryQuotaInformationFile(x,x,x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AAA9C0o
_pXdvZwMakeTemporaryObject dd ?		; DATA XREF: VerifierZwMakeTemporaryObject(x)+6r
					; PAGEVRFD:00AAA918o
_pXdvZwOpenKeyEx dd ?			; DATA XREF: VerifierZwOpenKeyEx(x,x,x,x)+6r
					; PAGEVRFD:00AAA930o
_pXdvZwOpenKeyTransacted dd ?		; DATA XREF: VerifierZwOpenKeyTransacted(x,x,x,x)+6r
					; PAGEVRFD:00AAA948o
_pXdvZwOpenKeyTransactedEx dd ?		; DATA XREF: VerifierZwOpenKeyTransactedEx(x,x,x,x,x)+6r
					; PAGEVRFD:00AAA960o
_pXdvZwRollbackComplete	dd ?		; DATA XREF: VerifierZwRollbackComplete(x,x)+6r
					; PAGEVRFD:00AAAA50o
_pXdvZwRollbackTransaction dd ?		; DATA XREF: VerifierZwRollbackTransaction(x,x)+6r
					; PAGEVRFD:00AAAA68o
_pXdvZwSetInformationResourceManager dd	?
					; DATA XREF: VerifierZwSetInformationResourceManager(x,x,x,x)+6r
					; PAGEVRFD:00AAAA80o
_pXdvZwReadOnlyEnlistment dd ?		; DATA XREF: VerifierZwReadOnlyEnlistment(x,x)+6r
					; PAGEVRFD:00AAA9D8o
_pXdvZwRecoverEnlistment dd ?		; DATA XREF: VerifierZwRecoverEnlistment(x,x)+6r
					; PAGEVRFD:00AAA9F0o
_pXdvZwRecoverTransactionManager dd ?	; DATA XREF: VerifierZwRecoverTransactionManager(x)+6r
					; PAGEVRFD:00AAAA08o
_pXdvZwRenameKey dd ?			; DATA XREF: VerifierZwRenameKey(x,x)+6r
					; PAGEVRFD:00AAAA20o
_pXdvZwClose	dd ?			; DATA XREF: VerifierZwClose(x)+6r
					; PAGEVRFD:00AAA7F8o
_pXdvZwCommitComplete dd ?		; DATA XREF: VerifierZwCommitComplete(x,x)+6r
					; PAGEVRFD:00AAA810o
_pXdvZwCommitTransaction dd ?		; DATA XREF: VerifierZwCommitTransaction(x,x)+6r
					; PAGEVRFD:00AAA828o
_pXdvZwCreateKeyTransacted dd ?		; DATA XREF: VerifierZwCreateKeyTransacted(x,x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AAA840o
_pXdvSeSinglePrivilegeCheck dd ?	; DATA XREF: VerifierSeSinglePrivilegeCheck(x,x,x)+Er
					; PAGEVRFD:00AAA798o
_pXdvSeUnlockSubjectContext dd ?	; DATA XREF: VerifierSeUnlockSubjectContext(x)r
					; PAGEVRFD:00AAA7B0o
_pXdvSeValidSecurityDescriptor dd ?	; DATA XREF: VerifierSeValidSecurityDescriptor(x,x)+6r
					; PAGEVRFD:00AAA7C8o
_pXdvZwAllocateLocallyUniqueId dd ?	; DATA XREF: VerifierZwAllocateLocallyUniqueId(x)+6r
					; PAGEVRFD:00AAA7E0o
_pXdvZwFlushKey	dd ?			; DATA XREF: VerifierZwFlushKey(x)+6r
					; PAGEVRFD:00AAA8D0o
_pXdvZwGetNotificationResourceManager dd ?
					; DATA XREF: VerifierZwGetNotificationResourceManager(x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AAA8E8o
_pXdvZwLockFile	dd ?			; DATA XREF: VerifierZwLockFile(x,x,x,x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AAA900o
_pXdvZwCreateResourceManager dd	?	; DATA XREF: VerifierZwCreateResourceManager(x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AAA858o
_pXdvZwDeleteKey dd ?			; DATA XREF: VerifierZwDeleteKey(x)+6r
					; PAGEVRFD:00AAA870o
_pXdvZwEnumerateTransactionObject dd ?	; DATA XREF: VerifierZwEnumerateTransactionObject(x,x,x,x,x)+6r
					; PAGEVRFD:00AAA888o
_pXdvZwFlushBuffersFile	dd ?		; DATA XREF: VerifierZwFlushBuffersFile(x,x)+6r
					; PAGEVRFD:00AAA8A0o
_pXdvPsSetLoadImageNotifyRoutine dd ?	; DATA XREF: VerifierPsSetLoadImageNotifyRoutine(x)+6r
					; PAGEVRFD:00AAA540o
_pXdvPsTerminateSystemThread dd	?	; DATA XREF: VerifierPsTerminateSystemThread(x)+6r
					; PAGEVRFD:00AAA558o
_pXdvRtlDeleteRegistryValue dd ?	; DATA XREF: VerifierRtlDeleteRegistryValue(x,x,x)+6r
					; PAGEVRFD:00AAA588o
_pXdvPsRevertToSelf dd ?		; DATA XREF: VerifierPsRevertToSelf()r
					; PAGEVRFD:00AAA4E0o
_pXdvPsSetCreateProcessNotifyRoutine dd	?
					; DATA XREF: VerifierPsSetCreateProcessNotifyRoutine(x,x)+6r
					; PAGEVRFD:00AAA4F8o
_pXdvPsSetCreateProcessNotifyRoutineEx dd ?
					; DATA XREF: VerifierPsSetCreateProcessNotifyRoutineEx(x,x)+6r
					; PAGEVRFD:00AAA510o
_pXdvPsSetCreateThreadNotifyRoutine dd ?
					; DATA XREF: VerifierPsSetCreateThreadNotifyRoutine(x)+6r
					; PAGEVRFD:00AAA528o
_pXdvSeAssignSecurityEx	dd ?		; DATA XREF: VerifierSeAssignSecurityEx(x,x,x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AAA738o
_pXdvSeDeassignSecurity	dd ?		; DATA XREF: VerifierSeDeassignSecurity(x)+6r
					; PAGEVRFD:00AAA750o
_pXdvSeLockSubjectContext dd ?		; DATA XREF: VerifierSeLockSubjectContext(x)r
					; PAGEVRFD:00AAA768o
_pXdvSeReleaseSubjectContext dd	?	; DATA XREF: VerifierSeReleaseSubjectContext(x)r
					; PAGEVRFD:00AAA780o
_pXdvSeAccessCheck dd ?			; DATA XREF: VerifierSeAccessCheck(x,x,x,x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AAA708o
_pXdvSeAssignSecurity dd ?		; DATA XREF: VerifierSeAssignSecurity(x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AAA720o
_pXdvProbeForWrite dd ?			; DATA XREF: VerifierProbeForWrite(x,x,x)r
					; PAGEVRFD:00AAA3C0o
_pXdvPsAssignImpersonationToken	dd ?	; DATA XREF: VerifierPsAssignImpersonationToken(x,x)+6r
					; PAGEVRFD:00AAA3D8o
_pXdvPsCreateSystemThread dd ?		; DATA XREF: VerifierPsCreateSystemThread(x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AAA3F0o
_pXdvPsDereferenceImpersonationToken dd	?
					; DATA XREF: VerifierPsDereferenceImpersonationToken(x)r
					; PAGEVRFD:00AAA408o
_pXdvPoFxStartDevicePowerManagement dd ?
					; DATA XREF: VerifierPoFxStartDevicePowerManagement(x)r
					; PAGEVRFD:00AAA360o
_pXdvPoFxUnregisterDevice dd ?		; DATA XREF: VerifierPoFxUnregisterDevice(x)r
					; PAGEVRFD:00AAA378o
_pXdvPoRequestPowerIrp dd ?		; DATA XREF: VerifierPoRequestPowerIrp(x,x,x,x,x,x)+6r
					; PAGEVRFD:00AAA390o
_pXdvProbeForRead dd ?			; DATA XREF: VerifierProbeForRead(x,x,x)r
					; PAGEVRFD:00AAA3A8o
_pXdvPsReferenceImpersonationToken dd ?	; DATA XREF: VerifierPsReferenceImpersonationToken(x,x,x,x)+6r
					; PAGEVRFD:00AAA480o
_pXdvPsReferencePrimaryToken dd	?	; DATA XREF: VerifierPsReferencePrimaryToken(x)+6r
					; PAGEVRFD:00AAA498o
_pXdvPsRemoveLoadImageNotifyRoutine dd ?
					; DATA XREF: VerifierPsRemoveLoadImageNotifyRoutine(x)+6r
					; PAGEVRFD:00AAA4B0o
_pXdvPsRestoreImpersonation dd ?	; DATA XREF: VerifierPsRestoreImpersonation(x,x)r
					; PAGEVRFD:00AAA4C8o
_pXdvPsDereferencePrimaryToken dd ?	; DATA XREF: VerifierPsDereferencePrimaryToken(x)r
					; PAGEVRFD:00AAA420o
_pXdvPsDisableImpersonation dd ?	; DATA XREF: VerifierPsDisableImpersonation(x,x)+6r
					; PAGEVRFD:00AAA438o
_pXdvPsGetVersion dd ?			; DATA XREF: VerifierPsGetVersion(x,x,x,x)+6r
					; PAGEVRFD:00AAA450o
_pXdvPsImpersonateClient dd ?		; DATA XREF: VerifierPsImpersonateClient(x,x,x,x,x)+6r
					; PAGEVRFD:00AAA468o
_pXdvPoFxCompleteDevicePowerNotRequired	dd ?
					; DATA XREF: VerifierPoFxCompleteDevicePowerNotRequired(x)r
					; PAGEVRFD:00AAA240o
_pXdvPoFxCompleteIdleCondition dd ?	; DATA XREF: VerifierPoFxCompleteIdleCondition(x,x)r
					; PAGEVRFD:00AAA258o
_pXdvPoFxCompleteIdleState dd ?		; DATA XREF: VerifierPoFxCompleteIdleState(x,x)r
					; PAGEVRFD:00AAA270o
_pXdvPoFxIdleComponent dd ?		; DATA XREF: VerifierPoFxIdleComponent(x,x,x)r
					; PAGEVRFD:00AAA288o
_pXdvMmUnsecureVirtualMemory dd	?	; DATA XREF: VerifierMmUnsecureVirtualMemory(x)r
					; PAGEVRFD:00AAA108o
_pXdvNtSetInformationFile dd ?		; DATA XREF: VerifierNtSetInformationFile(x,x,x,x,x)+6r
					; PAGEVRFD:00AAA138o
_pXdvPoFxActivateComponent dd ?		; DATA XREF: VerifierPoFxActivateComponent(x,x,x)r
					; PAGEVRFD:00AAA228o
_pXdvPoFxSetComponentLatency dd	?	; DATA XREF: VerifierPoFxSetComponentLatency(x,x,x,x)+11r
					; PAGEVRFD:00AAA300o
_pXdvPoFxSetComponentResidency dd ?	; DATA XREF: VerifierPoFxSetComponentResidency(x,x,x,x)+11r
					; PAGEVRFD:00AAA318o
_pXdvPoFxSetComponentWake dd ?		; DATA XREF: VerifierPoFxSetComponentWake(x,x,x)r
					; PAGEVRFD:00AAA330o
_pXdvPoFxSetDeviceIdleTimeout dd ?	; DATA XREF: VerifierPoFxSetDeviceIdleTimeout(x,x,x)+Er
					; PAGEVRFD:00AAA348o
_pXdvPoFxNotifySurprisePowerOn dd ?	; DATA XREF: VerifierPoFxNotifySurprisePowerOn(x)r
					; PAGEVRFD:00AAA2A0o
_pXdvPoFxPowerControl dd ?		; DATA XREF: VerifierPoFxPowerControl(x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AAA2B8o
_pXdvPoFxRegisterDevice	dd ?		; DATA XREF: VerifierPoFxRegisterDevice(x,x,x)+6r
					; PAGEVRFD:00AAA2D0o
_pXdvPoFxReportDevicePoweredOn dd ?	; DATA XREF: VerifierPoFxReportDevicePoweredOn(x)r
					; PAGEVRFD:00AAA2E8o
_pXdvMmCreateMirror dd ?		; DATA XREF: VerifierMmCreateMirror()r
					; PAGEVRFD:00AA9FE8o
_pXdvMmDoesFileHaveUserWritableReferences dd ?
					; DATA XREF: VerifierMmDoesFileHaveUserWritableReferences(x)+6r
					; PAGEVRFD:00AAA000o
_pXdvMmGetPhysicalMemoryRanges dd ?	; DATA XREF: VerifierMmGetPhysicalMemoryRanges()r
					; PAGEVRFD:00AAA018o
_pXdvMmLockPagableDataSection dd ?	; DATA XREF: VerifierMmLockPagableDataSection(x)+6r
					; PAGEVRFD:00AAA030o
_pXdvKeSetSystemGroupAffinityThread dd ?
					; DATA XREF: VerifierKeSetSystemGroupAffinityThread(x,x)r
					; PAGEVRFD:00AA9F58o
_pXdvKeTestSpinLock dd ?		; DATA XREF: VerifierKeTestSpinLock(x)r
					; PAGEVRFD:00AA9FA0o
_pXdvKeTryToAcquireGuardedMutex	dd ?	; DATA XREF: VerifierKeTryToAcquireGuardedMutex(x)r
					; PAGEVRFD:00AA9FB8o
_pXdvMmAddPhysicalMemory dd ?		; DATA XREF: VerifierMmAddPhysicalMemory(x,x)+6r
					; PAGEVRFD:00AA9FD0o
_pXdvMmRemovePhysicalMemory dd ?	; DATA XREF: VerifierMmRemovePhysicalMemory(x,x)+6r
					; PAGEVRFD:00AAA0A8o
_pXdvMmResetDriverPaging dd ?		; DATA XREF: VerifierMmResetDriverPaging(x)r
					; PAGEVRFD:00AAA0C0o
_pXdvMmSecureVirtualMemory dd ?		; DATA XREF: VerifierMmSecureVirtualMemory(x,x,x)+6r
					; PAGEVRFD:00AAA0D8o
_pXdvMmUnlockPagableImageSection dd ?	; DATA XREF: VerifierMmUnlockPagableImageSection(x)r
					; PAGEVRFD:00AAA0F0o
_pXdvMmLockPagableSectionByHandle dd ?	; DATA XREF: VerifierMmLockPagableSectionByHandle(x)r
					; PAGEVRFD:00AAA048o
_pXdvMmMapLockedPagesWithReservedMapping dd ?
					; DATA XREF: VerifierMmMapLockedPagesWithReservedMapping(x,x,x,x)+6r
					; PAGEVRFD:00AAA060o
_pXdvMmPageEntireDriver	dd ?		; DATA XREF: VerifierMmPageEntireDriver(x)+6r
					; PAGEVRFD:00AAA078o
_pXdvMmPrefetchPages dd	?		; DATA XREF: VerifierMmPrefetchPages(x,x)+6r
					; PAGEVRFD:00AAA090o
_pXdvKeQueryPriorityThread dd ?		; DATA XREF: VerifierKeQueryPriorityThread(x)+6r
					; PAGEVRFD:00AA9D90o
_pXdvKeQueryRuntimeThread dd ?		; DATA XREF: VerifierKeQueryRuntimeThread(x,x)+6r
					; PAGEVRFD:00AA9DA8o
_pXdvKeRegisterNmiCallback dd ?		; DATA XREF: VerifierKeRegisterNmiCallback(x,x)+6r
					; PAGEVRFD:00AA9E20o
_pXdvKeReleaseGuardedMutex dd ?		; DATA XREF: VerifierKeReleaseGuardedMutex(x)r
					; PAGEVRFD:00AA9E38o
_pXdvKeLeaveGuardedRegion dd ?		; DATA XREF: VerifierKeLeaveGuardedRegion()r
					; PAGEVRFD:00AA9D18o
_pXdvKeRemoveDeviceQueue dd ?		; DATA XREF: VerifierKeRemoveDeviceQueue(x)+6r
					; PAGEVRFD:00AA9EE0o
_pXdvKeRemoveEntryDeviceQueue dd ?	; DATA XREF: VerifierKeRemoveEntryDeviceQueue(x,x)+6r
					; PAGEVRFD:00AA9EF8o
_pXdvKeRemoveQueue dd ?			; DATA XREF: VerifierKeRemoveQueue(x,x,x)+6r
					; PAGEVRFD:00AA9F10o
_pXdvKeReleaseGuardedMutexUnsafe dd ?	; DATA XREF: VerifierKeReleaseGuardedMutexUnsafe(x)r
					; PAGEVRFD:00AA9E50o
_pXdvKeReleaseInterruptSpinLock	dd ?	; DATA XREF: VerifierKeReleaseInterruptSpinLock(x,x)r
					; PAGEVRFD:00AA9E68o
_pXdvKeReleaseSpinLockForDpc dd	?	; DATA XREF: VerifierKeReleaseSpinLockForDpc(x,x)r
					; PAGEVRFD:00AA9EB0o
_pXdvKeRemoveByKeyDeviceQueue dd ?	; DATA XREF: VerifierKeRemoveByKeyDeviceQueue(x,x)+6r
					; PAGEVRFD:00AA9EC8o
_pXdvKeFlushQueuedDpcs dd ?		; DATA XREF: VerifierKeFlushQueuedDpcs()r
					; PAGEVRFD:00AA9C70o
_pXdvKeInitializeDeviceQueue dd	?	; DATA XREF: VerifierKeInitializeDeviceQueue(x)r
					; PAGEVRFD:00AA9C88o
_pXdvKeInitializeGuardedMutex dd ?	; DATA XREF: VerifierKeInitializeGuardedMutex(x)r
					; PAGEVRFD:00AA9CA0o
_pXdvKeInsertByKeyDeviceQueue dd ?	; DATA XREF: VerifierKeInsertByKeyDeviceQueue(x,x,x)+6r
					; PAGEVRFD:00AA9CB8o
_pXdvKeAreAllApcsDisabled dd ?		; DATA XREF: VerifierKeAreAllApcsDisabled()r
					; PAGEVRFD:00AA9BE0o
_pXdvKeAreApcsDisabled dd ?		; DATA XREF: VerifierKeAreApcsDisabled()r
					; PAGEVRFD:00AA9BF8o
_pXdvKeDeregisterNmiCallback dd	?	; DATA XREF: VerifierKeDeregisterNmiCallback(x)+6r
					; PAGEVRFD:00AA9C40o
_pXdvKeEnterGuardedRegion dd ?		; DATA XREF: VerifierKeEnterGuardedRegion()r
					; PAGEVRFD:00AA9C58o
_pXdvKeReleaseQueuedSpinLock dd	?	; DATA XREF: VerifierKeReleaseQueuedSpinLock(x,x)+50r
					; PAGEVRFD:00AA9E80o
_pXdvKeInsertDeviceQueue dd ?		; DATA XREF: VerifierKeInsertDeviceQueue(x,x)+6r
					; PAGEVRFD:00AA9CD0o
_pXdvKeInsertHeadQueue dd ?		; DATA XREF: VerifierKeInsertHeadQueue(x,x)+6r
					; PAGEVRFD:00AA9CE8o
_pXdvKeInsertQueue dd ?			; DATA XREF: VerifierKeInsertQueue(x,x)+6r
					; PAGEVRFD:00AA9D00o
_pXdvKeAcquireQueuedSpinLock dd	?	; DATA XREF: VerifierKeAcquireQueuedSpinLock(x)+33r
					; PAGEVRFD:00AA9BB0o
_pXdvIoStartNextPacket dd ?		; DATA XREF: VerifierIoStartNextPacket(x,x)r
					; PAGEVRFD:00AA9AA8o
_pXdvIoUnregisterPlugPlayNotification dd ?
					; DATA XREF: VerifierIoUnregisterPlugPlayNotification(x)+6r
					; PAGEVRFD:00AA9AC0o
_pXdvIoUnregisterPlugPlayNotificationEx	dd ?
					; DATA XREF: VerifierIoUnregisterPlugPlayNotificationEx(x)+6r
					; PAGEVRFD:00AA9AD8o
_pXdvIoUnregisterShutdownNotification dd ?
					; DATA XREF: VerifierIoUnregisterShutdownNotification(x)r
					; PAGEVRFD:00AA9AF0o
_pXdvIoSetPartitionInformation dd ?	; DATA XREF: VerifierIoSetPartitionInformation(x,x,x,x)+6r
					; PAGEVRFD:00AA9A48o
_pXdvIoSetPartitionInformationEx dd ?	; DATA XREF: VerifierIoSetPartitionInformationEx(x,x,x)+6r
					; PAGEVRFD:00AA9A60o
_pXdvIoSetShareAccess dd ?		; DATA XREF: VerifierIoSetShareAccess(x,x,x,x)r
					; PAGEVRFD:00AA9A78o
_pXdvIoSetStartIoAttributes dd ?	; DATA XREF: VerifierIoSetStartIoAttributes(x,x,x)r
					; PAGEVRFD:00AA9A90o
_pXdvKeAcquireGuardedMutex dd ?		; DATA XREF: VerifierKeAcquireGuardedMutex(x)r
					; PAGEVRFD:00AA9B68o
_pXdvKeAcquireGuardedMutexUnsafe dd ?	; DATA XREF: VerifierKeAcquireGuardedMutexUnsafe(x)r
					; PAGEVRFD:00AA9B80o
_pXdvKeAcquireInterruptSpinLock	dd ?	; DATA XREF: VerifierKeAcquireInterruptSpinLock(x)+6r
					; PAGEVRFD:00AA9B98o
_pXdvKeAcquireSpinLockForDpc dd	?	; DATA XREF: VerifierKeAcquireSpinLockForDpc(x)r
					; PAGEVRFD:00AA9BC8o
_pXdvIoUpdateShareAccess dd ?		; DATA XREF: VerifierIoUpdateShareAccess(x,x)r
					; PAGEVRFD:00AA9B08o
_pXdvIoWMIAllocateInstanceIds dd ?	; DATA XREF: VerifierIoWMIAllocateInstanceIds(x,x,x)+6r
					; PAGEVRFD:00AA9B20o
_pXdvIoWritePartitionTable dd ?		; DATA XREF: VerifierIoWritePartitionTable(x,x,x,x,x)+6r
					; PAGEVRFD:00AA9B38o
_pXdvIoWritePartitionTableEx dd	?	; DATA XREF: VerifierIoWritePartitionTableEx(x,x)+6r
					; PAGEVRFD:00AA9B50o
_pXdvIoRegisterPlugPlayNotification dd ?
					; DATA XREF: VerifierIoRegisterPlugPlayNotification(x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA9928o
_pXdvIoRegisterShutdownNotification dd ?
					; DATA XREF: VerifierIoRegisterShutdownNotification(x)+6r
					; PAGEVRFD:00AA9940o
_pXdvIoReleaseCancelSpinLock dd	?	; DATA XREF: VerifierIoReleaseCancelSpinLock(x)r
					; PAGEVRFD:00AA9958o
_pXdvIoReleaseVpbSpinLock dd ?		; DATA XREF: VerifierIoReleaseVpbSpinLock(x)r
					; PAGEVRFD:00AA9970o
_pXdvIoRegisterBootDriverReinitialization dd ?
					; DATA XREF: VerifierIoRegisterBootDriverReinitialization(x,x,x)r
					; PAGEVRFD:00AA98C8o
_pXdvIoRegisterDeviceInterface dd ?	; DATA XREF: VerifierIoRegisterDeviceInterface(x,x,x,x)+6r
					; PAGEVRFD:00AA98E0o
_pXdvIoRegisterDriverReinitialization dd ?
					; DATA XREF: VerifierIoRegisterDriverReinitialization(x,x,x)r
					; PAGEVRFD:00AA98F8o
_pXdvIoRegisterLastChanceShutdownNotification dd ?
					; DATA XREF: VerifierIoRegisterLastChanceShutdownNotification(x)+6r
					; PAGEVRFD:00AA9910o
_pXdvIoReportTargetDeviceChangeAsynchronous dd ?
					; DATA XREF: VerifierIoReportTargetDeviceChangeAsynchronous(x,x,x,x)+6r
					; PAGEVRFD:00AA99E8o
_pXdvIoReuseIrp	dd ?			; DATA XREF: VerifierIoReuseIrp(x,x)r
					; PAGEVRFD:00AA9A00o
_pXdvIoSetDeviceInterfaceState dd ?	; DATA XREF: VerifierIoSetDeviceInterfaceState(x,x)+6r
					; PAGEVRFD:00AA9A18o
_pXdvIoSetDevicePropertyData dd	?	; DATA XREF: VerifierIoSetDevicePropertyData(x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA9A30o
_pXdvIoRemoveShareAccess dd ?		; DATA XREF: VerifierIoRemoveShareAccess(x,x)r
					; PAGEVRFD:00AA9988o
_pXdvIoReplacePartitionUnit dd ?	; DATA XREF: VerifierIoReplacePartitionUnit(x,x,x)+6r
					; PAGEVRFD:00AA99A0o
_pXdvIoReportDetectedDevice dd ?	; DATA XREF: VerifierIoReportDetectedDevice(x,x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA99B8o
_pXdvIoReportTargetDeviceChange	dd ?	; DATA XREF: VerifierIoReportTargetDeviceChange(x,x)+6r
					; PAGEVRFD:00AA99D0o
_pXdvIoSetDeviceToVerify dd ?		; DATA XREF: VerifierIoSetDeviceToVerify(x,x)r
					; PAGEVRFD:00AA97A8o
_pXdvIoGetFileObjectGenericMapping dd ?	; DATA XREF: VerifierIoGetFileObjectGenericMapping()r
					; PAGEVRFD:00AA97C0o
_pXdvIoGetInitialStack dd ?		; DATA XREF: VerifierIoGetInitialStack()r
					; PAGEVRFD:00AA97D8o
_pXdvIoInitializeIrp dd	?		; DATA XREF: VerifierIoInitializeIrp(x,x,x)r
					; PAGEVRFD:00AA97F0o
_pXdvIoGetDeviceProperty dd ?		; DATA XREF: VerifierIoGetDeviceProperty(x,x,x,x,x)+6r
					; PAGEVRFD:00AA9760o
_pXdvIoGetDevicePropertyData dd	?	; DATA XREF: VerifierIoGetDevicePropertyData(x,x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA9778o
_pXdvIoGetDeviceToVerify dd ?		; DATA XREF: VerifierIoGetDeviceToVerify(x)+6r
					; PAGEVRFD:00AA9790o
_pXdvIoRaiseHardError dd ?		; DATA XREF: VerifierIoRaiseHardError(x,x,x)r
					; PAGEVRFD:00AA9868o
_pXdvIoRaiseInformationalHardError dd ?	; DATA XREF: VerifierIoRaiseInformationalHardError(x,x,x)+6r
					; PAGEVRFD:00AA9880o
_pXdvIoReadPartitionTable dd ?		; DATA XREF: VerifierIoReadPartitionTable(x,x,x,x)+6r
					; PAGEVRFD:00AA9898o
_pXdvIoReadPartitionTableEx dd ?	; DATA XREF: VerifierIoReadPartitionTableEx(x,x)+6r
					; PAGEVRFD:00AA98B0o
_pXdvIoInvalidateDeviceRelations dd ?	; DATA XREF: VerifierIoInvalidateDeviceRelations(x,x)r
					; PAGEVRFD:00AA9808o
_pXdvIoIsWdmVersionAvailable dd	?	; DATA XREF: VerifierIoIsWdmVersionAvailable(x,x)+6r
					; PAGEVRFD:00AA9820o
_pXdvIoOpenDeviceInterfaceRegistryKey dd ?
					; DATA XREF: VerifierIoOpenDeviceInterfaceRegistryKey(x,x,x)+6r
					; PAGEVRFD:00AA9838o
_pXdvIoOpenDeviceRegistryKey dd	?	; DATA XREF: VerifierIoOpenDeviceRegistryKey(x,x,x,x)+6r
					; PAGEVRFD:00AA9850o
_pXdvIoDeleteController	dd ?		; DATA XREF: VerifierIoDeleteController(x)r
					; PAGEVRFD:00AA9628o
_pXdvIoDeleteDevice dd ?		; DATA XREF: VerifierIoDeleteDevice(x)r
					; PAGEVRFD:00AA9640o
_pXdvIoDeleteSymbolicLink dd ?		; DATA XREF: VerifierIoDeleteSymbolicLink(x)+6r
					; PAGEVRFD:00AA9658o
_pXdvIoDetachDevice dd ?		; DATA XREF: VerifierIoDetachDevice(x)r
					; PAGEVRFD:00AA9670o
_pXdvIoCreateNotificationEvent dd ?	; DATA XREF: VerifierIoCreateNotificationEvent(x,x)+6r
					; PAGEVRFD:00AA95C8o
_pXdvIoCreateSymbolicLink dd ?		; DATA XREF: VerifierIoCreateSymbolicLink(x,x)+6r
					; PAGEVRFD:00AA95E0o
_pXdvIoCreateSynchronizationEvent dd ?	; DATA XREF: VerifierIoCreateSynchronizationEvent(x,x)+6r
					; PAGEVRFD:00AA95F8o
_pXdvIoCreateUnprotectedSymbolicLink dd	?
					; DATA XREF: VerifierIoCreateUnprotectedSymbolicLink(x,x)+6r
					; PAGEVRFD:00AA9610o
_pXdvIoGetDeviceInterfaceAlias dd ?	; DATA XREF: VerifierIoGetDeviceInterfaceAlias(x,x,x)+6r
					; PAGEVRFD:00AA9700o
_pXdvIoGetDeviceInterfaces dd ?		; DATA XREF: VerifierIoGetDeviceInterfaces(x,x,x,x)+6r
					; PAGEVRFD:00AA9718o
_pXdvIoGetDeviceNumaNode dd ?		; DATA XREF: VerifierIoGetDeviceNumaNode(x,x)+6r
					; PAGEVRFD:00AA9730o
_pXdvIoGetDeviceObjectPointer dd ?	; DATA XREF: VerifierIoGetDeviceObjectPointer(x,x,x,x)+6r
					; PAGEVRFD:00AA9748o
_pXdvIoFreeController dd ?		; DATA XREF: VerifierIoFreeController(x)r
					; PAGEVRFD:00AA9688o
_pXdvIoGetAttachedDeviceReference dd ?	; DATA XREF: VerifierIoGetAttachedDeviceReference(x)+6r
					; PAGEVRFD:00AA96A0o
_pXdvIoGetConfigurationInformation dd ?	; DATA XREF: VerifierIoGetConfigurationInformation()r
					; PAGEVRFD:00AA96B8o
_pXdvIoAcquireCancelSpinLock dd	?	; DATA XREF: VerifierIoAcquireCancelSpinLock(x)r
					; PAGEVRFD:00AA94A8o
_pXdvIoAcquireVpbSpinLock dd ?		; DATA XREF: VerifierIoAcquireVpbSpinLock(x)r
					; PAGEVRFD:00AA94C0o
_pXdvIoAllocateController dd ?		; DATA XREF: VerifierIoAllocateController(x,x,x,x)r
					; PAGEVRFD:00AA94D8o
_pXdvIoAttachDevice dd ?		; DATA XREF: VerifierIoAttachDevice(x,x,x)+6r
					; PAGEVRFD:00AA94F0o
_pXdvHalExamineMBR dd ?			; DATA XREF: VerifierHalExamineMBR(x,x,x,x)+6r
					; PAGEVRFD:00AA9448o
_pXdvIoCreateController	dd ?		; DATA XREF: VerifierIoCreateController(x)+6r
					; PAGEVRFD:00AA9568o
_pXdvIoCreateFile dd ?			; DATA XREF: VerifierIoCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA9580o
_pXdvIoAttachDeviceToDeviceStack dd ?	; DATA XREF: VerifierIoAttachDeviceToDeviceStack(x,x)+6r
					; PAGEVRFD:00AA9508o
_pXdvIoAttachDeviceToDeviceStackSafe dd	?
					; DATA XREF: VerifierIoAttachDeviceToDeviceStackSafe(x,x,x)+6r
					; PAGEVRFD:00AA9520o
_pXdvIoCancelIrp dd ?			; DATA XREF: VerifierIoCancelIrp(x)+6r
					; PAGEVRFD:00AA9538o
_pXdvIoCheckShareAccess	dd ?		; DATA XREF: VerifierIoCheckShareAccess(x,x,x,x,x)+6r
					; PAGEVRFD:00AA9550o
_pXdvFsRtlMdlWriteCompleteDev dd ?	; DATA XREF: VerifierFsRtlMdlWriteCompleteDev(x,x,x,x)+6r
					; PAGEVRFD:00AA9328o
_pXdvFsRtlNotifyFilterChangeDirectory dd ?
					; DATA XREF: VerifierFsRtlNotifyFilterChangeDirectory(x,x,x,x,x,x,x,x,x,x,x)r
					; PAGEVRFD:00AA9340o
_pXdvFsRtlNotifyFilterReportChange dd ?	; DATA XREF: VerifierFsRtlNotifyFilterReportChange(x,x,x,x,x,x,x,x,x,x)r
					; PAGEVRFD:00AA9358o
_pXdvFsRtlNotifyFullChangeDirectory dd ?
					; DATA XREF: VerifierFsRtlNotifyFullChangeDirectory(x,x,x,x,x,x,x,x,x,x)r
					; PAGEVRFD:00AA9370o
_pXdvFsRtlIncrementCcFastReadWait dd ?	; DATA XREF: VerifierFsRtlIncrementCcFastReadWait()r
					; PAGEVRFD:00AA92C8o
_pXdvFsRtlInitializeFileLock dd	?	; DATA XREF: VerifierFsRtlInitializeFileLock(x,x,x)r
					; PAGEVRFD:00AA92E0o
_pXdvFsRtlIsNameInExpression dd	?	; DATA XREF: VerifierFsRtlIsNameInExpression(x,x,x,x)+6r
					; PAGEVRFD:00AA92F8o
_pXdvFsRtlMdlReadCompleteDev dd	?	; DATA XREF: VerifierFsRtlMdlReadCompleteDev(x,x,x)+6r
					; PAGEVRFD:00AA9310o
_pXdvFsRtlRegisterUncProviderEx	dd ?	; DATA XREF: VerifierFsRtlRegisterUncProviderEx(x,x,x,x)+6r
					; PAGEVRFD:00AA93E8o
_pXdvFsRtlRemoveDotsFromPath dd	?	; DATA XREF: VerifierFsRtlRemoveDotsFromPath(x,x,x)+6r
					; PAGEVRFD:00AA9400o
_pXdvFsRtlUninitializeFileLock dd ?	; DATA XREF: VerifierFsRtlUninitializeFileLock(x)r
					; PAGEVRFD:00AA9418o
_pXdvFsRtlValidateReparsePointBuffer dd	?
					; DATA XREF: VerifierFsRtlValidateReparsePointBuffer(x,x)+6r
					; PAGEVRFD:00AA9430o
_pXdvFsRtlNotifyFullReportChange dd ?	; DATA XREF: VerifierFsRtlNotifyFullReportChange(x,x,x,x,x,x,x,x,x)r
					; PAGEVRFD:00AA9388o
_pXdvFsRtlPrivateLock dd ?		; DATA XREF: VerifierFsRtlPrivateLock(x,x,x,x,x,x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA93A0o
_pXdvFsRtlProcessFileLock dd ?		; DATA XREF: VerifierFsRtlProcessFileLock(x,x,x)+6r
					; PAGEVRFD:00AA93B8o
_pXdvFsRtlRegisterUncProvider dd ?	; DATA XREF: VerifierFsRtlRegisterUncProvider(x,x,x)+6r
					; PAGEVRFD:00AA93D0o
_pXdvFsRtlDeregisterUncProvider	dd ?	; DATA XREF: VerifierFsRtlDeregisterUncProvider(x)r
					; PAGEVRFD:00AA91A8o
_pXdvFsRtlDissectName dd ?		; DATA XREF: VerifierFsRtlDissectName(x,x,x,x)+11r
					; PAGEVRFD:00AA91C0o
_pXdvFsRtlDoesNameContainWildCards dd ?	; DATA XREF: VerifierFsRtlDoesNameContainWildCards(x)+6r
					; PAGEVRFD:00AA91D8o
_pXdvFsRtlFastCheckLockForRead dd ?	; DATA XREF: VerifierFsRtlFastCheckLockForRead(x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA91F0o
_pXdvFsRtlCancellableWaitForSingleObject dd ?
					; DATA XREF: VerifierFsRtlCancellableWaitForSingleObject(x,x,x)+6r
					; PAGEVRFD:00AA9148o
_pXdvFsRtlCheckLockForReadAccess dd ?	; DATA XREF: VerifierFsRtlCheckLockForReadAccess(x,x)+6r
					; PAGEVRFD:00AA9160o
_pXdvFsRtlCheckLockForWriteAccess dd ?	; DATA XREF: VerifierFsRtlCheckLockForWriteAccess(x,x)+6r
					; PAGEVRFD:00AA9178o
_pXdvFsRtlCopyWrite dd ?		; DATA XREF: VerifierFsRtlCopyWrite(x,x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA9190o
_pXdvFsRtlFreeFileLock dd ?		; DATA XREF: VerifierFsRtlFreeFileLock(x)r
					; PAGEVRFD:00AA9268o
_pXdvFsRtlGetFileSize dd ?		; DATA XREF: VerifierFsRtlGetFileSize(x,x)+6r
					; PAGEVRFD:00AA9280o
_pXdvFsRtlGetNextFileLock dd ?		; DATA XREF: VerifierFsRtlGetNextFileLock(x,x)+6r
					; PAGEVRFD:00AA9298o
_pXdvFsRtlIncrementCcFastReadNoWait dd ?
					; DATA XREF: VerifierFsRtlIncrementCcFastReadNoWait()r
					; PAGEVRFD:00AA92B0o
_pXdvFsRtlFastCheckLockForWrite	dd ?	; DATA XREF: VerifierFsRtlFastCheckLockForWrite(x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA9208o
_pXdvFsRtlFastUnlockAll	dd ?		; DATA XREF: VerifierFsRtlFastUnlockAll(x,x,x,x)+6r
					; PAGEVRFD:00AA9220o
_pXdvFsRtlFastUnlockAllByKey dd	?	; DATA XREF: VerifierFsRtlFastUnlockAllByKey(x,x,x,x,x)+6r
					; PAGEVRFD:00AA9238o
_pXdvFsRtlFastUnlockSingle dd ?		; DATA XREF: VerifierFsRtlFastUnlockSingle(x,x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA9250o
_pXdvExReleaseRundownProtectionEx dd ?	; DATA XREF: VerifierExReleaseRundownProtectionEx(x,x)r
					; PAGEVRFD:00AA9028o
_pXdvExSetResourceOwnerPointer dd ?	; DATA XREF: VerifierExSetResourceOwnerPointer(x,x)r
					; PAGEVRFD:00AA9040o
_pXdvExSetResourceOwnerPointerEx dd ?	; DATA XREF: VerifierExSetResourceOwnerPointerEx(x,x,x)r
					; PAGEVRFD:00AA9058o
_pXdvExSetTimerResolution dd ?		; DATA XREF: VerifierExSetTimerResolution(x,x)+6r
					; PAGEVRFD:00AA9070o
_pXdvExReinitializeResourceLite	dd ?	; DATA XREF: VerifierExReinitializeResourceLite(x)+6r
					; PAGEVRFD:00AA8FE0o
_pXdvExReleaseRundownProtection	dd ?	; DATA XREF: VerifierExReleaseRundownProtection(x)r
					; PAGEVRFD:00AA8FF8o
_pXdvExReleaseRundownProtectionCacheAware dd ?
					; DATA XREF: VerifierExReleaseRundownProtectionCacheAware(x)r
					; PAGEVRFD:00AA9010o
_pXdvFsRtlAllocateFileLock dd ?		; DATA XREF: VerifierFsRtlAllocateFileLock(x,x)+6r
					; PAGEVRFD:00AA90E8o
_pXdvFsRtlAreNamesEqual	dd ?		; DATA XREF: VerifierFsRtlAreNamesEqual(x,x,x,x)+6r
					; PAGEVRFD:00AA9100o
_pXdvFsRtlBalanceReads dd ?		; DATA XREF: VerifierFsRtlBalanceReads(x)+6r
					; PAGEVRFD:00AA9118o
_pXdvFsRtlCancellableWaitForMultipleObjects dd ?
					; DATA XREF: VerifierFsRtlCancellableWaitForMultipleObjects(x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA9130o
_pXdvExUnregisterCallback dd ?		; DATA XREF: VerifierExUnregisterCallback(x)r
					; PAGEVRFD:00AA9088o
_pXdvExUuidCreate dd ?			; DATA XREF: VerifierExUuidCreate(x)+6r
					; PAGEVRFD:00AA90A0o
_pXdvExWaitForRundownProtectionRelease dd ?
					; DATA XREF: VerifierExWaitForRundownProtectionRelease(x)r
					; PAGEVRFD:00AA90B8o
_pXdvExWaitForRundownProtectionReleaseCacheAware dd ?
					; DATA XREF: VerifierExWaitForRundownProtectionReleaseCacheAware(x)r
					; PAGEVRFD:00AA90D0o
_pXdvExGetExclusiveWaiterCount dd ?	; DATA XREF: VerifierExGetExclusiveWaiterCount(x)+6r
					; PAGEVRFD:00AA8E78o
_pXdvExGetSharedWaiterCount dd ?	; DATA XREF: VerifierExGetSharedWaiterCount(x)+6r
					; PAGEVRFD:00AA8E90o
_pXdvExInterlockedAddLargeInteger dd ?	; DATA XREF: VerifierExInterlockedAddLargeInteger(x,x,x,x)+11r
					; PAGEVRFD:00AA8EA8o
_pXdvExRaiseAccessViolation dd ?	; DATA XREF: VerifierExRaiseAccessViolation()r
					; PAGEVRFD:00AA8F80o
_pXdvExRaiseDatatypeMisalignment dd ?	; DATA XREF: VerifierExRaiseDatatypeMisalignment()r
					; PAGEVRFD:00AA8F98o
_pXdvExRaiseStatus dd ?			; DATA XREF: VerifierExRaiseStatus(x)r
					; PAGEVRFD:00AA8FB0o
_pXdvExRegisterCallback	dd ?		; DATA XREF: VerifierExRegisterCallback(x,x,x)+6r
					; PAGEVRFD:00AA8FC8o
_pXdvExIsProcessorFeaturePresent dd ?	; DATA XREF: VerifierExIsProcessorFeaturePresent(x)+6r
					; PAGEVRFD:00AA8F38o
_pXdvExIsResourceAcquiredExclusiveLite dd ?
					; DATA XREF: VerifierExIsResourceAcquiredExclusiveLite(x)+6r
					; PAGEVRFD:00AA8F50o
_pXdvExIsResourceAcquiredSharedLite dd ?
					; DATA XREF: VerifierExIsResourceAcquiredSharedLite(x)+6r
					; PAGEVRFD:00AA8F68o
_pXdvExConvertExclusiveToSharedLite dd ?
					; DATA XREF: VerifierExConvertExclusiveToSharedLite(x)r
					; PAGEVRFD:00AA8DA0o
_pXdvExCreateCallback dd ?		; DATA XREF: VerifierExCreateCallback(x,x,x,x)+6r
					; PAGEVRFD:00AA8DB8o
_pXdvExEnterCriticalRegionAndAcquireSharedWaitForExclusive dd ?
					; DATA XREF: VerifierExEnterCriticalRegionAndAcquireSharedWaitForExclusive(x)+5r
					; PAGEVRFD:00AA8DD0o
_pXdvExAcquireRundownProtection	dd ?	; DATA XREF: VerifierExAcquireRundownProtection(x)r
					; PAGEVRFD:00AA8D40o
_pXdvExAcquireRundownProtectionCacheAware dd ?
					; DATA XREF: VerifierExAcquireRundownProtectionCacheAware(x)r
					; PAGEVRFD:00AA8D58o
_pXdvExAcquireRundownProtectionCacheAwareEx dd ?
					; DATA XREF: VerifierExAcquireRundownProtectionCacheAwareEx(x,x)r
					; PAGEVRFD:00AA8D70o
_pXdvExAcquireRundownProtectionEx dd ?	; DATA XREF: VerifierExAcquireRundownProtectionEx(x,x)r
					; PAGEVRFD:00AA8D88o
_pXdvCcWaitForCurrentLazyWriterActivity	dd ?
					; DATA XREF: VerifierCcWaitForCurrentLazyWriterActivity()r
					; PAGEVRFD:00AA8CC8o
_pXdvCmRegisterCallback	dd ?		; DATA XREF: VerifierCmRegisterCallback(x,x,x)+6r
					; PAGEVRFD:00AA8CE0o
_pXdvCmUnRegisterCallback dd ?		; DATA XREF: VerifierCmUnRegisterCallback(x,x)+Br
					; PAGEVRFD:00AA8CF8o
_pXdvCmRegisterCallbackEx dd ?		; DATA XREF: VerifierCmRegisterCallbackEx(x,x,x,x,x,x)+6r
					; PAGEVRFD:00AA8D10o
_pXdvDbgBreakPointWithStatus dd	?	; DATA XREF: VerifierDbgBreakPointWithStatus(x)r
					; PAGEVRFD:00AA8D28o
_pXdvIoWriteErrorLogEntry dd ?		; DATA XREF: VerifierIoWriteErrorLogEntry(x)r
					; PAGEVRFD:00AAB698o
_pXdvIoAllocateErrorLogEntry dd	?	; DATA XREF: VerifierIoAllocateErrorLogEntry(x,x)+17r
					; PAGEVRFD:00AAB620o
_pXdvIoSetCompletionRoutineEx dd ?	; DATA XREF: VerifierIoSetCompletionRoutineEx(x,x,x,x,x,x,x)+2Fr
					; PAGEVRFD:00AAAC60o
_pXdvIofCompleteRequest	dd ?		; DATA XREF: VerifierIofCompleteRequest(x,x)r
					; PAGEVRFD:00AAB500o
_pXdvIoAllocateDriverObjectExtension dd	?
					; DATA XREF: VerifierIoAllocateDriverObjectExtension(x,x,x,x)+20r
					; PAGEVRFD:00AAB608o
_pXdvIoInitializeWorkItem dd ?		; DATA XREF: VerifierIoInitializeWorkItem(x,x)+6Ar
					; PAGEVRFD:00AAB650o
_pXdvIoFreeIrp	dd ?			; DATA XREF: VerifierIoFreeIrp(x)r
					; PAGEVRFD:00AAB4D0o
_pXdvIoFreeMdl	dd ?			; DATA XREF: VerifierIoFreeMdl(x)+41r
					; PAGEVRFD:00AAB4E8o
_pXdvIoGetDmaAdapter dd	?		; DATA XREF: VfGetDmaAdapter(x,x,x)+B0r
					; PAGEVRFD:00AAB578o
_pXdvExFreePoolWithTag dd ?		; DATA XREF: VerifierExFreePoolWithTag(x,x)+41r
					; PAGEVRFD:00AAAC18o
_pXdvExFreePool	dd ?			; DATA XREF: VerifierExFreePool(x)+3Cr
					; PAGEVRFD:00AAAC00o
_pXdvIoConnectInterruptEx dd ?		; DATA XREF: VfCtxHookAndConnectInterruptEx(x)+5Ar
					; VfCtxHookAndConnectInterruptEx(x)+85r ...
_pXdvIoDisconnectInterruptEx dd	?	; DATA XREF: VfCtxUnhookAndDisconnectInterruptEx(x)+2Fr
					; PAGEVRFD:00AA8A0Co
_pXdvExReleaseResourceAndLeavePriorityRegion dd	?
					; DATA XREF: VerifierExReleaseResourceAndLeavePriorityRegionNoReboot(x)+Dr
					; PAGEVRFD:00AA8980o
_pXdvExReleaseResourceForThreadLite dd ?
					; DATA XREF: VerifierExReleaseResourceForThreadLite(x,x)+Er
					; PAGEVRFD:00AA899Co
_pXdvIoConnectInterrupt	dd ?		; DATA XREF: VfCtxHookAndConnectInterrupt(x,x,x,x,x,x,x,x,x,x,x)+54r
					; PAGEVRFD:00AA89B8o
_pXdvIoDisconnectInterrupt dd ?		; DATA XREF: VerifierIoDisconnectInterrupt(x)+17r
					; PAGEVRFD:00AA89D4o
_pXdvKeReleaseInStackQueuedSpinLockFromDpcLevel	dd ?
					; DATA XREF: VerifierKeReleaseInStackQueuedSpinLockFromDpcLevelCommon(x)+3Dr
					; PAGEVRFD:00AA8814o
_pXdvKeReleaseInStackQueuedSpinLockForDpc dd ?
					; DATA XREF: VerifierKeReleaseInStackQueuedSpinLockForDpcCommon(x)+3Dr
					; PAGEVRFD:00AA8830o
_pXdvExAcquireResourceExclusiveLite dd ?
					; DATA XREF: VerifierExAcquireResourceExclusiveLite(x,x)+23r
					; VerifierExAcquireResourceExclusiveLiteNoReboot(x,x)+13r ...
_pXdvExAcquireSharedStarveExclusive dd ?
					; DATA XREF: VerifierExAcquireSharedStarveExclusive(x,x)+23r
					; VerifierExAcquireSharedStarveExclusiveNoReboot(x,x)+13r ...
_pXdvKeAcquireInStackQueuedSpinLock dd ?
					; DATA XREF: VerifierKeAcquireInStackQueuedSpinLockCommon(x,x,x)+4Cr
					; PAGEVRFD:00AA87A4o
_pXdvKeAcquireInStackQueuedSpinLockAtDpcLevel dd ?
					; DATA XREF: VerifierKeAcquireInStackQueuedSpinLockAtDpcLevelCommon(x,x,x)+76r
					; PAGEVRFD:00AA87C0o
_pXdvKeAcquireInStackQueuedSpinLockForDpc dd ?
					; DATA XREF: VerifierKeAcquireInStackQueuedSpinLockForDpcCommon(x,x,x)+40r
					; PAGEVRFD:00AA87DCo
_pXdvKeReleaseInStackQueuedSpinLock dd ?
					; DATA XREF: VerifierKeReleaseInStackQueuedSpinLockCommon(x)+3Fr
					; PAGEVRFD:00AA87F8o
_pXdvExEnterPriorityRegionAndAcquireResourceShared dd ?
					; DATA XREF: VerifierExEnterPriorityRegionAndAcquireResourceShared(x)+9r
					; VerifierExEnterPriorityRegionAndAcquireResourceSharedNoReboot(x)+6r ...
_pXdvExAcquireResourceSharedLite dd ?	; DATA XREF: VerifierExAcquireResourceSharedLite(x,x)+23r
					; VerifierExAcquireResourceSharedLiteNoReboot(x,x)+13r	...
_pXdvExReleaseResourceLite dd ?		; DATA XREF: VerifierExReleaseResourceLiteNoReboot(x)+Dr
					; PAGEVRFD:00AA8948o
_pXdvExReleaseResourceAndLeaveCriticalRegion dd	?
					; DATA XREF: VerifierExReleaseResourceAndLeaveCriticalRegion(x)+1Er
					; VerifierExReleaseResourceAndLeaveCriticalRegionNoReboot(x)+Dr ...
_pXdvExAcquireSharedWaitForExclusive dd	?
					; DATA XREF: VerifierExAcquireSharedWaitForExclusive(x,x)+23r
					; VerifierExAcquireSharedWaitForExclusiveNoReboot(x,x)+13r ...
_pXdvExEnterCriticalRegionAndAcquireResourceExclusive dd ?
					; DATA XREF: VerifierExEnterCriticalRegionAndAcquireResourceExclusive(x)+9r
					; VerifierExEnterCriticalRegionAndAcquireResourceExclusiveNoReboot(x)+6r ...
_pXdvExEnterCriticalRegionAndAcquireResourceShared dd ?
					; DATA XREF: VerifierExEnterCriticalRegionAndAcquireResourceShared(x)+9r
					; VerifierExEnterCriticalRegionAndAcquireResourceSharedNoReboot(x)+6r ...
_pXdvExEnterPriorityRegionAndAcquireResourceExclusive dd ?
					; DATA XREF: VerifierExEnterPriorityRegionAndAcquireResourceExclusive(x)+9r
					; VerifierExEnterPriorityRegionAndAcquireResourceExclusiveNoReboot(x)+6r ...
_pXdvKeWaitForMultipleObjects dd ?	; DATA XREF: ViKeWaitForMultipleObjectsCommon(x,x,x,x,x,x,x,x,x)+6Fr
					; PAGEVRFD:00AA85E4o
_pXdvExAcquireFastMutexUnsafe dd ?	; DATA XREF: VerifierExAcquireFastMutexUnsafeNoReboot(x)+1Cr
					; PAGEVRFD:00AA8670o
_pXdvExReleaseFastMutexUnsafe dd ?	; DATA XREF: VerifierExReleaseFastMutexUnsafe(x)+36r
					; VerifierExReleaseFastMutexUnsafeNoReboot(x)+1Cr ...
_pXdvExAcquireFastMutex	dd ?		; DATA XREF: VerifierExAcquireFastMutex(x)+2Fr
					; VerifierExAcquireFastMutexNoReboot(x)+25r ...
_pXdvZwQueryInformationEnlistment dd ?	; DATA XREF: VfZwQueryInformationEnlistment(x,x,x,x,x)+28r
					; PAGEVRFD:00AAC400o
_pXdvZwSetInformationEnlistment	dd ?	; DATA XREF: VfZwSetInformationEnlistment(x,x,x,x)+1Ar
					; PAGEVRFD:00AAC418o
_pXdvZwQueryLicenseValue dd ?		; DATA XREF: VfZwQueryLicenseValue(x,x,x,x,x)+3Cr
					; PAGEVRFD:00AAC430o
_pXdvKeWaitForSingleObject dd ?		; DATA XREF: ViKeWaitForSingleObjectCommon(x,x,x,x,x,x)+6Ar
					; PAGEVRFD:00AA85C8o
_pXdvKeTryToAcquireSpinLockAtDpcLevel dd ?
					; DATA XREF: ViKeTryToAcquireSpinLockAtDpcLevelCommon(x,x)+63r
					; PAGEVRFD:00AA8788o
_pXdvExReleaseFastMutex	dd ?		; DATA XREF: VerifierExReleaseFastMutex(x)+27r
					; VerifierExReleaseFastMutexNoReboot(x)+Dr ...
_pXdvExTryToAcquireFastMutex dd	?	; DATA XREF: ViExTryToAcquireFastMutexCommon(x,x)+24r
					; PAGEVRFD:00AA86C4o
_pXdvZwCreateTransaction dd ?		; DATA XREF: VfZwCreateTransaction(x,x,x,x,x,x,x,x,x,x)+46r
					; PAGEVRFD:00AAC2F8o
_pXdvZwOpenTransaction dd ?		; DATA XREF: VfZwOpenTransaction(x,x,x,x,x)+32r
					; PAGEVRFD:00AAC310o
_pXdvZwOpenTransactionManager dd ?	; DATA XREF: VfZwOpenTransactionManager(x,x,x,x,x,x)+3Cr
					; PAGEVRFD:00AAC2C8o
_pXdvZwQueryInformationTransaction dd ?	; DATA XREF: VfZwQueryInformationTransaction(x,x,x,x,x)+28r
					; PAGEVRFD:00AAC328o
_pXdvZwAlpcQueryInformation dd ?	; DATA XREF: VfZwAlpcQueryInformation(x,x,x,x,x)+28r
					; PAGEVRFD:00AAC280o
_pXdvZwRemoveIoCompletionEx dd ?	; DATA XREF: VfZwRemoveIoCompletionEx(x,x,x,x,x,x)+32r
					; PAGEVRFD:00AAC298o
_pXdvZwCreateTransactionManager	dd ?	; DATA XREF: VfZwCreateTransactionManager(x,x,x,x,x,x)+32r
					; PAGEVRFD:00AAC2B0o
_pXdvZwQueryInformationTransactionManager dd ?
					; DATA XREF: VfZwQueryInformationTransactionManager(x,x,x,x,x)+28r
					; PAGEVRFD:00AAC2E0o
_pXdvZwRollbackEnlistment dd ?		; DATA XREF: VfZwRollbackEnlistment(x,x)+1Ar
					; PAGEVRFD:00AAC3A0o
_pXdvZwPrepareComplete dd ?		; DATA XREF: VfZwPrepareComplete(x,x)+1Ar
					; PAGEVRFD:00AAC3B8o
_pXdvZwCreateEnlistment	dd ?		; DATA XREF: VfZwCreateEnlistment(x,x,x,x,x,x,x,x)+28r
					; PAGEVRFD:00AAC3D0o
_pXdvZwOpenEnlistment dd ?		; DATA XREF: VfZwOpenEnlistment(x,x,x,x,x)+28r
					; PAGEVRFD:00AAC3E8o
_pXdvZwSetInformationTransaction dd ?	; DATA XREF: VfZwSetInformationTransaction(x,x,x,x)+1Ar
					; PAGEVRFD:00AAC340o
_pXdvZwPrePrepareEnlistment dd ?	; DATA XREF: VfZwPrePrepareEnlistment(x,x)+1Ar
					; PAGEVRFD:00AAC358o
_pXdvZwPrepareEnlistment dd ?		; DATA XREF: VfZwPrepareEnlistment(x,x)+1Ar
					; PAGEVRFD:00AAC370o
_pXdvZwCommitEnlistment	dd ?		; DATA XREF: VfZwCommitEnlistment(x,x)+1Ar
					; PAGEVRFD:00AAC388o
_pXdvZwWaitForMultipleObjects dd ?	; DATA XREF: VfZwWaitForMultipleObjects(x,x,x,x,x)+28r
					; PAGEVRFD:00AAC160o
_pXdvZwWaitForSingleObject dd ?		; DATA XREF: VfZwWaitForSingleObject(x,x,x)+1Ar
					; PAGEVRFD:00AAC178o
_pXdvZwWriteFile dd ?			; DATA XREF: VfZwWriteFile(x,x,x,x,x,x,x,x,x)+57r
					; PAGEVRFD:00AAC190o
_pXdvZwAlpcCreatePort dd ?		; DATA XREF: VfZwAlpcCreatePort(x,x,x)+32r
					; PAGEVRFD:00AAC1A8o
_pXdvZwSetVolumeInformationFile	dd ?	; DATA XREF: VfZwSetVolumeInformationFile(x,x,x,x,x)+28r
					; PAGEVRFD:00AAC100o
_pXdvZwTranslateFilePath dd ?		; DATA XREF: VfZwTranslateFilePath(x,x,x,x)+32r
					; PAGEVRFD:00AAC118o
_pXdvZwUnloadDriver dd ?		; DATA XREF: VfZwUnloadDriver(x)+1Ar
					; PAGEVRFD:00AAC130o
_pXdvZwUnloadKey dd ?			; DATA XREF: VfZwUnloadKey(x)+1Ar
					; PAGEVRFD:00AAC148o
_pXdvZwAlpcCreatePortSection dd	?	; DATA XREF: VfZwAlpcCreatePortSection(x,x,x,x,x,x)+28r
					; PAGEVRFD:00AAC220o
_pXdvZwAlpcCreateSectionView dd	?	; DATA XREF: VfZwAlpcCreateSectionView(x,x,x)+1Ar
					; PAGEVRFD:00AAC238o
_pXdvZwAlpcCreateResourceReserve dd ?	; DATA XREF: VfZwAlpcCreateResourceReserve(x,x,x,x)+1Ar
					; PAGEVRFD:00AAC250o
_pXdvZwAlpcSetInformation dd ?		; DATA XREF: VfZwAlpcSetInformation(x,x,x,x)+1Ar
					; PAGEVRFD:00AAC268o
_pXdvZwAlpcConnectPort dd ?		; DATA XREF: VfZwAlpcConnectPort(x,x,x,x,x,x,x,x,x,x,x)+78r
					; PAGEVRFD:00AAC1C0o
_pXdvZwAlpcAcceptConnectPort dd	?	; DATA XREF: VfZwAlpcAcceptConnectPort(x,x,x,x,x,x,x,x,x)+46r
					; PAGEVRFD:00AAC1D8o
_pXdvZwAlpcSendWaitReceivePort dd ?	; DATA XREF: VfZwAlpcSendWaitReceivePort(x,x,x,x,x,x,x,x)+50r
					; PAGEVRFD:00AAC1F0o
_pXdvZwAlpcCreateSecurityContext dd ?	; DATA XREF: VfZwAlpcCreateSecurityContext(x,x,x)+1Ar
					; PAGEVRFD:00AAC208o
_pXdvZwSetEaFile dd ?			; DATA XREF: VfZwSetEaFile(x,x,x,x)+28r
					; PAGEVRFD:00AABFE0o
_pXdvZwSetEvent	dd ?			; DATA XREF: VfZwSetEvent(x,x)+1Ar
					; PAGEVRFD:00AABFF8o
_pXdvZwSetInformationFile dd ?		; DATA XREF: VfZwSetInformationFile(x,x,x,x,x)+28r
					; PAGEVRFD:00AAC010o
_pXdvZwSetInformationJobObject dd ?	; DATA XREF: VfZwSetInformationJobObject(x,x,x,x)+1Ar
					; PAGEVRFD:00AAC028o
_pXdvZwRestoreKey dd ?			; DATA XREF: VfZwRestoreKey(x,x,x)+6r
					; PAGEVRFD:00AABF80o
_pXdvZwSetBootEntryOrder dd ?		; DATA XREF: VfZwSetBootEntryOrder(x,x)+1Ar
					; PAGEVRFD:00AABF98o
_pXdvZwSetBootOptions dd ?		; DATA XREF: VfZwSetBootOptions(x,x)+1Ar
					; PAGEVRFD:00AABFB0o
_pXdvZwSetDriverEntryOrder dd ?		; DATA XREF: VfZwSetDriverEntryOrder(x,x)+1Ar
					; PAGEVRFD:00AABFC8o
_pXdvZwSetSystemInformation dd ?	; DATA XREF: VfZwSetSystemInformation(x,x,x)+1Ar
					; PAGEVRFD:00AAC0A0o
_pXdvZwSetSystemTime dd	?		; DATA XREF: VfZwSetSystemTime(x,x)+28r
					; PAGEVRFD:00AAC0B8o
_pXdvZwSetTimer	dd ?			; DATA XREF: VfZwSetTimer(x,x,x,x,x,x,x)+3Cr
					; PAGEVRFD:00AAC0D0o
_pXdvZwSetValueKey dd ?			; DATA XREF: VfZwSetValueKey(x,x,x,x,x,x)+28r
					; PAGEVRFD:00AAC0E8o
_pXdvZwSetInformationObject dd ?	; DATA XREF: VfZwSetInformationObject(x,x,x,x)+1Ar
					; PAGEVRFD:00AAC040o
_pXdvZwSetInformationProcess dd	?	; DATA XREF: VfZwSetInformationProcess(x,x,x,x)+1Ar
					; PAGEVRFD:00AAC058o
_pXdvZwSetInformationThread dd ?	; DATA XREF: VfZwSetInformationThread(x,x,x,x)+1Ar
					; PAGEVRFD:00AAC070o
_pXdvZwSetSecurityObject dd ?		; DATA XREF: VfZwSetSecurityObject(x,x,x)+1Ar
					; PAGEVRFD:00AAC088o
_pXdvZwQueryKey	dd ?			; DATA XREF: VfZwQueryKey(x,x,x,x,x)+28r
					; PAGEVRFD:00AABE60o
_pXdvZwQueryObject dd ?			; DATA XREF: VfZwQueryObject(x,x,x,x,x)+28r
					; PAGEVRFD:00AABE78o
_pXdvZwQuerySection dd ?		; DATA XREF: VfZwQuerySection(x,x,x,x,x)+28r
					; PAGEVRFD:00AABE90o
_pXdvZwQuerySecurityObject dd ?		; DATA XREF: VfZwQuerySecurityObject(x,x,x,x,x)+28r
					; PAGEVRFD:00AABEA8o
_pXdvZwQueryInformationJobObject dd ?	; DATA XREF: VfZwQueryInformationJobObject(x,x,x,x,x)+28r
					; PAGEVRFD:00AABE00o
_pXdvZwQueryInformationProcess dd ?	; DATA XREF: VfZwQueryInformationProcess(x,x,x,x,x)+28r
					; PAGEVRFD:00AABE18o
_pXdvZwQueryInformationThread dd ?	; DATA XREF: VfZwQueryInformationThread(x,x,x,x,x)+28r
					; PAGEVRFD:00AABE30o
_pXdvZwQueryInformationToken dd	?	; DATA XREF: VfZwQueryInformationToken(x,x,x,x,x)+28r
					; PAGEVRFD:00AABE48o
_pXdvZwReadFile	dd ?			; DATA XREF: VfZwReadFile(x,x,x,x,x,x,x,x,x)+57r
					; PAGEVRFD:00AABF20o
_pXdvZwReplaceKey dd ?			; DATA XREF: VfZwReplaceKey(x,x,x)+28r
					; PAGEVRFD:00AABF38o
_pXdvZwRequestWaitReplyPort dd ?	; DATA XREF: VfZwRequestWaitReplyPort(x,x,x)+28r
					; PAGEVRFD:00AABF50o
_pXdvZwResetEvent dd ?			; DATA XREF: VfZwResetEvent(x,x)+1Ar
					; PAGEVRFD:00AABF68o
_pXdvZwQuerySymbolicLinkObject dd ?	; DATA XREF: VfZwQuerySymbolicLinkObject(x,x,x)+28r
					; PAGEVRFD:00AABEC0o
_pXdvZwQuerySystemInformation dd ?	; DATA XREF: VfZwQuerySystemInformation(x,x,x,x)+28r
					; PAGEVRFD:00AABED8o
_pXdvZwQueryValueKey dd	?		; DATA XREF: VfZwQueryValueKey(x,x,x,x,x,x)+32r
					; PAGEVRFD:00AABEF0o
_pXdvZwQueryVolumeInformationFile dd ?	; DATA XREF: VfZwQueryVolumeInformationFile(x,x,x,x,x)+28r
					; PAGEVRFD:00AABF08o
_pXdvZwQueryBootEntryOrder dd ?		; DATA XREF: VfZwQueryBootEntryOrder(x,x)+28r
					; PAGEVRFD:00AABCF8o
_pXdvZwQueryBootOptions	dd ?		; DATA XREF: VfZwQueryBootOptions(x,x)+28r
					; PAGEVRFD:00AABD10o
_pXdvZwQueryDefaultLocale dd ?		; DATA XREF: VfZwQueryDefaultLocale(x,x)+1Ar
					; PAGEVRFD:00AABD28o
_pXdvZwQueryDefaultUILanguage dd ?	; DATA XREF: VfZwQueryDefaultUILanguage(x)+1Ar
					; PAGEVRFD:00AABD40o
_pXdvZwOpenTimer dd ?			; DATA XREF: VfZwOpenTimer(x,x,x)+28r
					; PAGEVRFD:00AABC98o
_pXdvZwPowerInformation	dd ?		; DATA XREF: VfZwPowerInformation(x,x,x,x,x)+28r
					; PAGEVRFD:00AABCB0o
_pXdvZwProtectVirtualMemory dd ?	; DATA XREF: VfZwProtectVirtualMemory(x,x,x,x,x)+3Cr
					; PAGEVRFD:00AABCC8o
_pXdvZwPulseEvent dd ?			; DATA XREF: VfZwPulseEvent(x,x)+1Ar
					; PAGEVRFD:00AABCE0o
_pXdvZwQueryDirectoryObject dd ?	; DATA XREF: VfZwQueryDirectoryObject(x,x,x,x,x,x,x)+32r
					; PAGEVRFD:00AABDA0o
_pXdvZwQueryEaFile dd ?			; DATA XREF: VfZwQueryEaFile(x,x,x,x,x,x,x,x,x)+32r
					; PAGEVRFD:00AABDB8o
_pXdvZwQueryFullAttributesFile dd ?	; DATA XREF: VfZwQueryFullAttributesFile(x,x)+28r
					; PAGEVRFD:00AABDD0o
_pXdvZwQueryInformationFile dd ?	; DATA XREF: VfZwQueryInformationFile(x,x,x,x,x)+28r
					; PAGEVRFD:00AABDE8o
_pXdvZwQueryDriverEntryOrder dd	?	; DATA XREF: VfZwQueryDriverEntryOrder(x,x)+28r
					; PAGEVRFD:00AABD58o
_pXdvZwQueryInstallUILanguage dd ?	; DATA XREF: VfZwQueryInstallUILanguage(x)+1Ar
					; PAGEVRFD:00AABD70o
_pXdvZwQueryDirectoryFile dd ?		; DATA XREF: VfZwQueryDirectoryFile(x,x,x,x,x,x,x,x,x,x,x)+4Dr
					; PAGEVRFD:00AABD88o
_pXdvZwOpenEvent dd ?			; DATA XREF: VfZwOpenEvent(x,x,x)+28r
					; PAGEVRFD:00AABB78o
_pXdvZwOpenFile	dd ?			; DATA XREF: VfZwOpenFile(x,x,x,x,x,x)+32r
					; PAGEVRFD:00AABB90o
_pXdvZwOpenJobObject dd	?		; DATA XREF: VfZwOpenJobObject(x,x,x)+28r
					; PAGEVRFD:off_AABBA8o
_pXdvZwOpenKey	dd ?			; DATA XREF: VfZwOpenKey(x,x,x)+28r
					; PAGEVRFD:00AABBC0o
_pXdvZwModifyDriverEntry dd ?		; DATA XREF: VfZwModifyDriverEntry(x)+1Ar
					; PAGEVRFD:00AABB30o
_pXdvZwNotifyChangeKey dd ?		; DATA XREF: VfZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)+78r
					; PAGEVRFD:00AABB48o
_pXdvZwOpenDirectoryObject dd ?		; DATA XREF: VfZwOpenDirectoryObject(x,x,x)+28r
					; PAGEVRFD:00AABB60o
_pXdvZwOpenSymbolicLinkObject dd ?	; DATA XREF: VfZwOpenSymbolicLinkObject(x,x,x)+28r
					; PAGEVRFD:00AABC38o
_pXdvZwOpenThread dd ?			; DATA XREF: VfZwOpenThread(x,x,x,x)+32r
					; PAGEVRFD:00AABC50o
_pXdvZwOpenThreadToken dd ?		; DATA XREF: VfZwOpenThreadToken(x,x,x,x)+1Ar
					; PAGEVRFD:00AABC68o
_pXdvZwOpenThreadTokenEx dd ?		; DATA XREF: VfZwOpenThreadTokenEx(x,x,x,x,x)+1Ar
					; PAGEVRFD:00AABC80o
_pXdvZwOpenProcess dd ?			; DATA XREF: VfZwOpenProcess(x,x,x,x)+32r
					; PAGEVRFD:00AABBD8o
_pXdvZwOpenProcessToken	dd ?		; DATA XREF: VfZwOpenProcessToken(x,x,x)+1Ar
					; PAGEVRFD:00AABBF0o
_pXdvZwOpenProcessTokenEx dd ?		; DATA XREF: VfZwOpenProcessTokenEx(x,x,x,x)+1Ar
					; PAGEVRFD:00AABC08o
_pXdvZwOpenSection dd ?			; DATA XREF: VfZwOpenSection(x,x,x)+28r
					; PAGEVRFD:00AABC20o
_pXdvZwDuplicateToken dd ?		; DATA XREF: VfZwDuplicateToken(x,x,x,x,x,x)+28r
					; PAGEVRFD:00AAB9F8o
_pXdvZwEnumerateBootEntries dd ?	; DATA XREF: VfZwEnumerateBootEntries(x,x)+28r
					; PAGEVRFD:00AABA10o
_pXdvZwEnumerateDriverEntries dd ?	; DATA XREF: VfZwEnumerateDriverEntries(x,x)+28r
					; PAGEVRFD:00AABA28o
_pXdvZwEnumerateKey dd ?		; DATA XREF: VfZwEnumerateKey(x,x,x,x,x,x)+28r
					; PAGEVRFD:00AABA40o
_pXdvZwDeleteValueKey dd ?		; DATA XREF: VfZwDeleteValueKey(x,x)+1Ar
					; PAGEVRFD:00AAB998o
_pXdvZwDeviceIoControlFile dd ?		; DATA XREF: VfZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)+4Dr
					; PAGEVRFD:00AAB9B0o
_pXdvZwDisplayString dd	?		; DATA XREF: VfZwDisplayString(x)+1Ar
					; PAGEVRFD:00AAB9C8o
_pXdvZwDuplicateObject dd ?		; DATA XREF: VfZwDuplicateObject(x,x,x,x,x,x,x)+1Ar
					; PAGEVRFD:00AAB9E0o
_pXdvZwFsControlFile dd	?		; DATA XREF: VfZwFsControlFile(x,x,x,x,x,x,x,x,x,x)+4Dr
					; PAGEVRFD:00AABAB8o
_pXdvZwLoadDriver dd ?			; DATA XREF: VfZwLoadDriver(x)+1Ar
					; PAGEVRFD:00AABAD0o
_pXdvZwLoadKey	dd ?			; DATA XREF: VfZwLoadKey(x,x)+28r
					; PAGEVRFD:00AABAE8o
_pXdvZwMapViewOfSection	dd ?		; DATA XREF: VfZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)+3Cr
					; PAGEVRFD:00AABB00o
_pXdvZwEnumerateValueKey dd ?		; DATA XREF: VfZwEnumerateValueKey(x,x,x,x,x,x)+28r
					; PAGEVRFD:00AABA58o
_pXdvZwFlushInstructionCache dd	?	; DATA XREF: VfZwFlushInstructionCache(x,x,x)+1Ar
					; PAGEVRFD:00AABA70o
_pXdvZwFlushVirtualMemory dd ?		; DATA XREF: VfZwFlushVirtualMemory(x,x,x,x)+32r
					; PAGEVRFD:00AABA88o
_pXdvZwFreeVirtualMemory dd ?		; DATA XREF: VfZwFreeVirtualMemory(x,x,x,x)+28r
					; PAGEVRFD:00AABAA0o
_pXdvZwCloseObjectAuditAlarm dd	?	; DATA XREF: VfZwCloseObjectAuditAlarm(x,x,x)+1Ar
					; PAGEVRFD:00AAB878o
_pXdvZwConnectPort dd ?			; DATA XREF: VfZwConnectPort(x,x,x,x,x,x,x,x)+64r
					; PAGEVRFD:00AAB890o
_pXdvZwCreateDirectoryObject dd	?	; DATA XREF: VfZwCreateDirectoryObject(x,x,x)+28r
					; PAGEVRFD:00AAB8A8o
_pXdvZwCreateEvent dd ?			; DATA XREF: VfZwCreateEvent(x,x,x,x,x)+28r
					; PAGEVRFD:00AAB8C0o
_pXdvZwAdjustPrivilegesToken dd	?	; DATA XREF: VfZwAdjustPrivilegesToken(x,x,x,x,x,x)+32r
					; PAGEVRFD:00AAB818o
_pXdvZwAllocateVirtualMemory dd	?	; DATA XREF: VfZwAllocateVirtualMemory(x,x,x,x,x,x)+32r
					; PAGEVRFD:00AAB830o
_pXdvZwCancelIoFile dd ?		; DATA XREF: VfZwCancelIoFile(x,x)+1Ar
					; PAGEVRFD:00AAB848o
_pXdvZwCancelTimer dd ?			; DATA XREF: VfZwCancelTimer(x,x)+1Ar
					; PAGEVRFD:00AAB860o
_pXdvZwCreateSymbolicLinkObject	dd ?	; DATA XREF: VfZwCreateSymbolicLinkObject(x,x,x,x)+32r
					; PAGEVRFD:00AAB938o
_pXdvZwCreateTimer dd ?			; DATA XREF: VfZwCreateTimer(x,x,x,x)+28r
					; PAGEVRFD:00AAB950o
_pXdvZwDeleteBootEntry dd ?		; DATA XREF: VfZwDeleteBootEntry(x)+6r
					; PAGEVRFD:00AAB968o
_pXdvZwDeleteFile dd ?			; DATA XREF: VfZwDeleteFile(x)+1Ar
					; PAGEVRFD:00AAB980o
_pXdvZwCreateFile dd ?			; DATA XREF: VfZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)+46r
					; PAGEVRFD:00AAB8D8o
_pXdvZwCreateJobObject dd ?		; DATA XREF: VfZwCreateJobObject(x,x,x)+28r
					; PAGEVRFD:00AAB8F0o
_pXdvZwCreateKey dd ?			; DATA XREF: VfZwCreateKey(x,x,x,x,x,x,x)+3Cr
					; PAGEVRFD:00AAB908o
_pXdvZwCreateSection dd	?		; DATA XREF: VfZwCreateSection(x,x,x,x,x,x,x)+3Cr
					; PAGEVRFD:00AAB920o
_pXdvKeReadStateTimer dd ?		; DATA XREF: VerifierKeReadStateTimer(x)+6r
					; PAGEVRFD:00AA9E08o
_pXdvKeSetTimer	dd ?			; DATA XREF: VerifierKeSetTimer(x,x,x,x)+11r
					; PAGEVRFD:00AA9F70o
_pXdvKeSetTimerEx dd ?			; DATA XREF: VerifierKeSetTimerEx(x,x,x,x,x)+14r
					; PAGEVRFD:00AA9F88o
_pXdvKeInitializeSemaphore dd ?		; DATA XREF: VerifierKeInitializeSemaphore(x,x,x)+11r
					; PAGEVRFD:00AAB758o
_pXdvKeReleaseMutant dd	?		; DATA XREF: VerifierKeReleaseMutant(x,x,x,x)+2Cr
					; VerifierKeReleaseMutantNoReboot(x,x,x,x)+11r	...
_pXdvKeCancelTimer dd ?			; DATA XREF: VerifierKeCancelTimer(x)+6r
					; PAGEVRFD:00AA9C10o
_pXdvKeInitializeTimer db    ? ;	; DATA XREF: PAGEVRFD:00AAB3B0o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvKeInitializeTimerEx dd ?		; DATA XREF: VerifierKeInitializeTimerEx(x,x)+28r
					; PAGEVRFD:00AAB398o
_pXdvZwAccessCheckAndAuditAlarm	dd ?	; DATA XREF: VfZwAccessCheckAndAuditAlarm(x,x,x,x,x,x,x,x,x,x,x)+5Ar
					; PAGEVRFD:00AAB7D0o
_pXdvZwAddBootEntry dd ?		; DATA XREF: VfZwAddBootEntry(x,x)+28r
					; PAGEVRFD:00AAB7E8o
_pXdvZwAddDriverEntry dd ?		; DATA XREF: VfZwAddDriverEntry(x,x)+28r
					; PAGEVRFD:00AAB800o
_pXdvKeReadStateSemaphore dd ?		; DATA XREF: VerifierKeReadStateSemaphore(x)+6r
					; PAGEVRFD:00AA9DF0o
_pXdvKeReleaseSemaphore	dd ?		; DATA XREF: VerifierKeReleaseSemaphore(x,x,x,x)+6r
					; PAGEVRFD:00AA9E98o
_pXdvKeTryToAcquireQueuedSpinLock dd ?	; DATA XREF: VerifierKeTryToAcquireQueuedSpinLock(x,x)+38r
					; PAGEVRFD:00AAB770o
_pXdvIoCreateDevice dd ?		; DATA XREF: VerifierIoCreateDevice(x,x,x,x,x,x,x)+1Dr
					; PAGEVRFD:00AAB6F8o
_pXdvIoVolumeDeviceToDosName dd	?	; DATA XREF: VerifierIoVolumeDeviceToDosName(x,x)+2Er
					; PAGEVRFD:00AAB710o
_pXdvKeClearEvent dd ?			; DATA XREF: VerifierKeClearEvent(x)r
					; PAGEVRFD:00AA9C28o
_pXdvKeInitializeEvent dd ?		; DATA XREF: VerifierKeInitializeEvent(x,x,x)+11r
					; PAGEVRFD:00AAB740o
_pXdvIoWMIWriteEvent dd	?		; DATA XREF: VerifierIoWMIWriteEvent(x)+13r
					; VerifierIoWMIWriteEvent(x)+31r ...
_pXdvEtwRegister dd ?			; DATA XREF: VerifierEtwRegister(x,x,x,x)+14r
					; PAGEVRFD:00AAB6B0o
_pXdvEtwRegisterClassicProvider	dd ?	; DATA XREF: VerifierEtwRegisterClassicProvider(x,x,x,x,x)+17r
					; PAGEVRFD:00AAB6C8o
_pXdvEtwUnregister dd ?			; DATA XREF: VerifierEtwUnregister(x,x)+19r
					; PAGEVRFD:00AAB6E0o
_pXdvKeInitializeMutex dd ?		; DATA XREF: VerifierKeInitializeMutex(x,x)+16r
					; VerifierKeInitializeMutexNoReboot(x,x)+11r ...
_pXdvKeInitializeMutant	dd ?		; DATA XREF: VerifierKeInitializeMutant(x,x)+16r
					; VerifierKeInitializeMutantNoReboot(x,x)+11r ...
_pXdvKeReadStateMutex dd ?		; DATA XREF: VerifierKeReadStateMutex(x)+6r
					; PAGEVRFD:00AA9DD8o
_pXdvKeReleaseMutex dd ?		; DATA XREF: VerifierKeReleaseMutex(x,x)+26r
					; VerifierKeReleaseMutexNoReboot(x,x)+11r ...
_pXdvKePulseEvent dd ?			; DATA XREF: VerifierKePulseEvent(x,x,x)+6r
					; PAGEVRFD:00AA9D30o
_pXdvKeReadStateEvent dd ?		; DATA XREF: VerifierKeReadStateEvent(x)+6r
					; PAGEVRFD:00AA9DC0o
_pXdvKeResetEvent dd ?			; DATA XREF: VerifierKeResetEvent(x)+6r
					; PAGEVRFD:00AA9F28o
_pXdvKeSetEvent	dd ?			; DATA XREF: VerifierKeSetEvent(x,x,x)+3Dr
					; PAGEVRFD:00AAB2C0o
_pXdvObReferenceObjectByHandle dd ?	; DATA XREF: VerifierObReferenceObjectByHandle(x,x,x,x,x,x)+1Br
					; PAGEVRFD:00AAB4A0o
_pXdvObReferenceObjectByHandleWithTag dd ?
					; DATA XREF: VerifierObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AAA1C8o
_pXdvObReferenceObjectByPointer	dd ?	; DATA XREF: VerifierObReferenceObjectByPointer(x,x,x,x)+41r
					; PAGEVRFD:00AAB4B8o
_pXdvObReferenceObjectByPointerWithTag dd ?
					; DATA XREF: VerifierObReferenceObjectByPointerWithTag(x,x,x,x,x)+11r
					; PAGEVRFD:00AAA1E0o
_pXdvObfDereferenceObject dd ?		; DATA XREF: VerifierObfDereferenceObject(x)+10r
					; PAGEVRFD:00AAA168o
_pXdvObfDereferenceObjectWithTag dd ?	; DATA XREF: VerifierObfDereferenceObjectWithTag(x,x)+16r
					; PAGEVRFD:00AAA180o
_pXdvObfReferenceObject	dd ?		; DATA XREF: VerifierObfReferenceObject(x)+10r
					; PAGEVRFD:00AAB488o
_pXdvObfReferenceObjectWithTag dd ?	; DATA XREF: VerifierObfReferenceObjectWithTag(x,x)+16r
					; PAGEVRFD:00AAA198o
_pXdvIoAcquireRemoveLockEx dd ?		; DATA XREF: VerifierIoAcquireRemoveLockEx(x,x,x,x,x)+2Fr
					; VerifierIoAcquireRemoveLockEx(x,x,x,x,x)+3Ar	...
_pXdvIoReleaseRemoveLockEx dd ?		; DATA XREF: VerifierIoReleaseRemoveLockEx(x,x,x)+29r
					; VerifierIoReleaseRemoveLockEx(x,x,x)+34r ...
_pXdvIoReleaseRemoveLockAndWaitEx dd ?	; DATA XREF: VerifierIoReleaseRemoveLockAndWaitEx(x,x,x)+29r
					; VerifierIoReleaseRemoveLockAndWaitEx(x,x,x)+34r ...
_pXdvIoWMIRegistrationControl dd ?	; DATA XREF: VerifierIoWMIRegistrationControl(x,x)+1Fr
					; PAGEVRFD:00AAB668o
_pXdvObReleaseObjectSecurity dd	?	; DATA XREF: VerifierObReleaseObjectSecurity(x,x)r
					; PAGEVRFD:00AAA1F8o
_pXdvIoBuildAsynchronousFsdRequest db	 ? ; ; DATA XREF: PAGEVRFD:00AAB530o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIoBuildSynchronousFsdRequest db	? ; ; DATA XREF: PAGEVRFD:00AAB548o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvIoInitializeRemoveLockEx dd ?	; DATA XREF: VerifierIoInitializeRemoveLockEx(x,x,x,x,x)+9Dr
					; VerifierIoInitializeRemoveLockEx(x,x,x,x,x)+E7r ...
_pXdvKeSaveExtendedProcessorState dd ?	; DATA XREF: VerifierKeSaveExtendedProcessorState(x,x,x)+Er
					; PAGEVRFD:00AAB2D8o
_pXdvKeRestoreExtendedProcessorState dd	?
					; DATA XREF: VerifierKeRestoreExtendedProcessorState(x)r
					; PAGEVRFD:00AAB2F0o
_pXdvKeEnterCriticalRegion dd ?		; DATA XREF: VerifierKeEnterCriticalRegion():loc_A56BE4r
					; PAGEVRFD:00AAB3E0o
_pXdvKeLeaveCriticalRegion dd ?		; DATA XREF: VerifierKeLeaveCriticalRegion():loc_A56D39r
					; PAGEVRFD:00AAB3F8o
_pXdvKeDelayExecutionThread dd ?	; DATA XREF: VerifierKeDelayExecutionThread(x,x,x)+1Br
					; PAGEVRFD:00AAB3C8o
_pXdvKfRaiseIrql dd ?			; DATA XREF: VerifierKfRaiseIrql(x)+7r
					; PAGEVRFD:00AAB308o
_pXdvKeRaiseIrqlToDpcLevel dd ?		; DATA XREF: VerifierKeRaiseIrqlToDpcLevel()+6r
					; PAGEVRFD:00AAB350o
_pXdvNtReadFile	dd ?			; DATA XREF: VerifierNtReadFile(x,x,x,x,x,x,x,x,x)+26r
					; PAGEVRFD:00AAB470o
_pXdvNtLockFile	dd ?			; DATA XREF: VerifierNtLockFile(x,x,x,x,x,x,x,x,x,x)+6r
					; PAGEVRFD:00AAA120o
_pXdvNtUnlockFile dd ?			; DATA XREF: VerifierNtUnlockFile(x,x,x,x,x)+6r
					; PAGEVRFD:00AAA150o
_pXdvObGetObjectSecurity dd ?		; DATA XREF: VerifierObGetObjectSecurity(x,x,x)+11r
					; PAGEVRFD:00AAA1B0o
_pXdvKeInsertQueueDpc dd ?		; DATA XREF: VfKeInsertQueueDpc(x,x,x)+11r
					; PAGEVRFD:00AAB410o
_pXdvKeRemoveQueueDpc dd ?		; DATA XREF: VfKeRemoveQueueDpc(x)+11r
					; PAGEVRFD:00AAB428o
_pXdvNtCreateFile dd ?			; DATA XREF: VerifierNtCreateFile(x,x,x,x,x,x,x,x,x,x,x)+26r
					; PAGEVRFD:00AAB440o
_pXdvNtWriteFile dd ?			; DATA XREF: VerifierNtWriteFile(x,x,x,x,x,x,x,x,x)+26r
					; PAGEVRFD:00AAB458o
_pXdvMmFreeNonCachedMemory dd ?		; DATA XREF: VerifierMmFreeNonCachedMemory(x,x)+1Ar
					; PAGEVRFD:00AAB1B8o
_pXdvMmAllocatePagesForMdl dd ?		; DATA XREF: VerifierMmAllocatePagesForMdl(x,x,x,x,x,x,x)+3Cr
					; PAGEVRFD:00AAB1D0o
_pXdvMmAllocatePagesForMdlEx dd	?	; DATA XREF: VerifierMmAllocatePagesForMdlEx(x,x,x,x,x,x,x,x,x)+42r
					; PAGEVRFD:00AAB1E8o
_pXdvMmAllocateNodePagesForMdlEx dd ?	; DATA XREF: VerifierMmAllocateNodePagesForMdlEx(x,x,x,x,x,x,x,x,x,x)+3Br
					; PAGEVRFD:00AAB200o
_pXdvMmAllocateContiguousNodeMemory dd ?
					; DATA XREF: VerifierMmAllocateContiguousMemory(x,x,x)+3Er
					; VerifierMmAllocateContiguousMemorySpecifyCache(x,x,x,x,x,x,x,x)+63r ...
_pXdvMmFreeContiguousMemory dd ?	; DATA XREF: VerifierMmFreeContiguousMemory(x)+1Ar
					; PAGEVRFD:00AAB188o
_pXdvMmFreeContiguousMemorySpecifyCache	dd ?
					; DATA XREF: VerifierMmFreeContiguousMemorySpecifyCache(x,x,x)+1Ar
					; PAGEVRFD:00AAB1A0o
_pXdvMmAllocateNonCachedMemory dd ?	; DATA XREF: VerifierMmAllocateNonCachedMemory(x)+18r
					; PAGEVRFD:00AAB170o
_pXdvNtCreateSection dd	?		; DATA XREF: VerifierNtCreateSection(x,x,x,x,x,x,x)+11r
					; PAGEVRFD:00AAB278o
_pXdvMmGetSystemRoutineAddress dd ?	; DATA XREF: VerifierMmGetSystemRoutineAddress(x)+8r
					; PAGEVRFD:00AAB290o
_pXdvMmProtectMdlSystemAddress dd ?	; DATA XREF: VerifierMmProtectMdlSystemAddress(x,x)+11r
					; PAGEVRFD:00AAB2A8o
_pXdvKeSynchronizeExecution dd ?	; DATA XREF: VerifierKeSynchronizeExecution(x,x,x)+37r
					; PAGEVRFD:00AAB380o
_pXdvMmFreePagesFromMdl	dd ?		; DATA XREF: VerifierMmFreePagesFromMdl(x)+3Fr
					; PAGEVRFD:00AAB218o
_pXdvMmCreateMdl dd ?			; DATA XREF: VerifierMmCreateMdl(x,x,x)+24r
					; PAGEVRFD:00AAB230o
_pXdvMmAllocateMappingAddress dd ?	; DATA XREF: VerifierMmAllocateMappingAddress(x,x)+1Br
					; PAGEVRFD:00AAB248o
_pXdvMmCreateSection dd	?		; DATA XREF: VerifierMmCreateSection(x,x,x,x,x,x,x,x)+11r
					; PAGEVRFD:00AAB260o
_pXdvMmProbeAndLockProcessPages	dd ?	; DATA XREF: VerifierMmProbeAndLockProcessPages(x,x,x,x)+8Er
					; PAGEVRFD:00AAB020o
_pXdvMmMapIoSpace dd ?			; DATA XREF: VerifierMmMapIoSpace(x,x,x,x)+93r
					; PAGEVRFD:00AAB038o
_pXdvMmMapLockedPages db    ? ;		; DATA XREF: PAGEVRFD:00AAB068o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvMmMapLockedPagesSpecifyCache dd ?	; DATA XREF: VerifierMmMapLockedPages(x,x)+6Ar
					; PAGEVRFD:00AAB080o
_pXdvExfReleasePushLockShared dd ?	; DATA XREF: VerifierExfReleasePushLockShared(x)+1Er
					; PAGEVRFD:00AAAFD8o
_pXdvExfTryAcquirePushLockShared dd ?	; DATA XREF: VerifierExfTryAcquirePushLockShared(x)+1Er
					; PAGEVRFD:00AAAF90o
_pXdvMmBuildMdlForNonPagedPool dd ?	; DATA XREF: VerifierMmBuildMdlForNonPagedPool(x)+42r
					; PAGEVRFD:00AAAFF0o
_pXdvMmProbeAndLockPages dd ?		; DATA XREF: VerifierMmProbeAndLockPages(x,x,x)+91r
					; PAGEVRFD:00AAB008o
_pXdvMmUnmapIoSpace dd ?		; DATA XREF: VerifierMmUnmapIoSpace(x,x)+50r
					; PAGEVRFD:00AAB0F8o
_pXdvMmAllocateContiguousMemory	db    ?	; ; DATA XREF: PAGEVRFD:00AAB110o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvMmAllocateContiguousMemorySpecifyCache db	  ? ; ;	DATA XREF: PAGEVRFD:00AAB128o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvMmAllocateContiguousMemorySpecifyCacheNode	db    ?	; ; DATA XREF: PAGEVRFD:00AAB140o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvMmMapViewOfSection	dd ?		; DATA XREF: VerifierMmMapLockedPagesSpecifyCache(x,x,x,x,x,x)+DAr
					; PAGEVRFD:00AAB098o
_pXdvNtMapViewOfSection	dd ?		; DATA XREF: VerifierNtMapViewOfSection(x,x,x,x,x,x,x,x,x,x)+11r
					; PAGEVRFD:00AAB0B0o
_pXdvMmUnlockPages dd ?			; DATA XREF: VerifierMmUnlockPages(x)+E2r
					; PAGEVRFD:00AAB0C8o
_pXdvMmUnmapLockedPages	dd ?		; DATA XREF: VerifierMmUnmapLockedPages(x,x)+144r
					; PAGEVRFD:00AAB0E0o
_pXdvExDeleteNPagedLookasideList dd ?	; DATA XREF: VerifierExDeleteNPagedLookasideList(x)+Er
					; PAGEVRFD:00AAAE10o
_pXdvExDeleteLookasideListEx dd	?	; DATA XREF: VerifierExDeleteLookasideListEx(x)+Er
					; PAGEVRFD:00AAAE40o
_pXdvHalAllocateCrashDumpRegisters db	 ? ; ; DATA XREF: PAGEVRFD:00AAAE58o
		db    ?	;
		db    ?	;
		db    ?	;
_pXdvExfAcquirePushLockExclusive dd ?	; DATA XREF: VerifierExfAcquirePushLockExclusive(x)+1Er
					; PAGEVRFD:00AAAF60o
_pXdvExfAcquirePushLockShared dd ?	; DATA XREF: VerifierExfAcquirePushLockShared(x)+1Er
					; PAGEVRFD:00AAAF78o
_pXdvExfReleasePushLock	dd ?		; DATA XREF: VerifierExfReleasePushLock(x)+1Er
					; PAGEVRFD:00AAAFA8o
_pXdvExfTryToWakePushLock dd ?		; DATA XREF: VerifierExfTryToWakePushLock(x)+1Er
					; PAGEVRFD:00AAAFC0o
_pXdvExInitializeResourceLite dd ?	; DATA XREF: VerifierExInitializeResourceLite(x)+26r
					; PAGEVRFD:00AAAF30o
_pXdvExDeleteResourceLite dd ?		; DATA XREF: VerifierExDeleteResourceLite(x)+BDr
					; PAGEVRFD:00AAAF48o
_pXdvRtlHashUnicodeString dd ?		; DATA XREF: VerifierRtlHashUnicodeString(x,x,x,x)+6r
					; PAGEVRFD:00AAA660o
_pXdvRtlUpcaseUnicodeChar dd ?		; DATA XREF: VerifierRtlUpcaseUnicodeChar(x)+6r
					; PAGEVRFD:00AAA6A8o
_pXdvRtlDowncaseUnicodeChar dd ?	; DATA XREF: VerifierRtlDowncaseUnicodeChar(x)+6r
					; PAGEVRFD:00AAA5E8o
_pXdvRtlFreeUnicodeString dd ?		; DATA XREF: VerifierRtlFreeUnicodeString(x)r
					; PAGEVRFD:00AAA618o
_pXdvRtlCreateUnicodeString dd ?	; DATA XREF: VerifierRtlCreateUnicodeString(x,x)+Cr
					; PAGEVRFD:00AAAD80o
_pXdvRtlDuplicateUnicodeString dd ?	; DATA XREF: VerifierRtlDuplicateUnicodeString(x,x,x)+Er
					; PAGEVRFD:00AAAD98o
_pXdvRtlCompareUnicodeString dd	?	; DATA XREF: VerifierRtlCompareUnicodeString(x,x,x)+6r
					; PAGEVRFD:00AAA570o
_pXdvRtlEqualUnicodeString dd ?		; DATA XREF: VerifierRtlEqualUnicodeString(x,x,x)+6r
					; PAGEVRFD:00AAA600o
_pXdvRtlStringFromGUID dd ?		; DATA XREF: VerifierRtlStringFromGUID(x,x)+6r
					; PAGEVRFD:00AAA678o
_pXdvRtlGUIDFromString dd ?		; DATA XREF: VerifierRtlGUIDFromString(x,x)+6r
					; PAGEVRFD:00AAA648o
_pXdvRtlGenerateClass5Guid dd ?		; DATA XREF: VerifierRtlGenerateClass5Guid(x,x,x,x)+6r
					; PAGEVRFD:00AAA630o
_pXdvExDeletePagedLookasideList	dd ?	; DATA XREF: VerifierExDeletePagedLookasideList(x)+Er
					; PAGEVRFD:00AAADF8o
_pXdvRtlxAnsiStringToUnicodeSize dd ?	; DATA XREF: VerifierRtlxAnsiStringToUnicodeSize(x)+6r
					; PAGEVRFD:00AAA6D8o
_pXdvRtlxUnicodeStringToAnsiSize dd ?	; DATA XREF: VerifierRtlxUnicodeStringToAnsiSize(x)+6r
					; PAGEVRFD:00AAA6F0o
_pXdvRtlUnicodeToUTF8N dd ?		; DATA XREF: VerifierRtlUnicodeToUTF8N(x,x,x,x,x)+6r
					; PAGEVRFD:00AAA690o
_pXdvRtlUTF8ToUnicodeN dd ?		; DATA XREF: VerifierRtlUTF8ToUnicodeN(x,x,x,x,x)+6r
					; PAGEVRFD:00AAA6C0o
_pXdvExAllocateCacheAwareRundownProtection dd ?
					; DATA XREF: VerifierExAllocateCacheAwareRundownProtection(x,x)+14r
					; PAGEVRFD:00AAAB40o
_pXdvRtlAnsiStringToUnicodeString dd ?	; DATA XREF: VerifierRtlAnsiStringToUnicodeString(x,x,x)+Er
					; PAGEVRFD:00AAAC78o
_pXdvRtlUnicodeStringToAnsiString dd ?	; DATA XREF: VerifierRtlUnicodeStringToAnsiString(x,x,x)+Er
					; PAGEVRFD:00AAAC90o
_pXdvRtlUpcaseUnicodeStringToAnsiString	dd ?
					; DATA XREF: VerifierRtlUpcaseUnicodeStringToAnsiString(x,x,x)+Er
					; PAGEVRFD:00AAACA8o
_pXdvRtlUnicodeStringToCountedOemString	dd ?
					; DATA XREF: VerifierRtlUnicodeStringToCountedOemString(x,x,x)+Er
					; PAGEVRFD:00AAAD20o
_pXdvRtlUpcaseUnicodeStringToCountedOemString dd ?
					; DATA XREF: VerifierRtlUpcaseUnicodeStringToCountedOemString(x,x,x)+Er
					; PAGEVRFD:00AAAD38o
_pXdvRtlUpcaseUnicodeString dd ?	; DATA XREF: VerifierRtlUpcaseUnicodeString(x,x,x)+Er
					; PAGEVRFD:00AAAD50o
_pXdvRtlDowncaseUnicodeString dd ?	; DATA XREF: VerifierRtlDowncaseUnicodeString(x,x,x)+Er
					; PAGEVRFD:00AAAD68o
_pXdvRtlOemStringToUnicodeString dd ?	; DATA XREF: VerifierRtlOemStringToUnicodeString(x,x,x)+Er
					; PAGEVRFD:00AAACC0o
_pXdvRtlOemStringToCountedUnicodeString	dd ?
					; DATA XREF: VerifierRtlOemStringToCountedUnicodeString(x,x,x)+Er
					; PAGEVRFD:00AAAD08o
_pXdvRtlUnicodeStringToOemString dd ?	; DATA XREF: VerifierRtlUnicodeStringToOemString(x,x,x)+Er
					; PAGEVRFD:00AAACD8o
_pXdvRtlUpcaseUnicodeStringToOemString dd ?
					; DATA XREF: VerifierRtlUpcaseUnicodeStringToOemString(x,x,x)+Er
					; PAGEVRFD:00AAACF0o
_pXdvIoInitializeTimer dd ?		; DATA XREF: IovInitializeTimer(x,x,x)+30r
					; PAGEVRFD:00AAB560o
_VfXdvThunksBitMap db	 ? ;		; DATA XREF: VfThunkInit()+69o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VfPoolThunksBitMap db	  ? ;		; DATA XREF: VfThunkInit()+2Do
		db    ?	;
		db    ?	;
		db    ?	;
_VfXdvThunksBitMapHeader dd ?		; DATA XREF: VfThunkAddTargetNotify+69o
					; ViThunkReplaceAllSharedExports(x,x,x)+55o ...
dword_AB261C	dd ?			; DATA XREF: VfThunkInit()+69w
_VfOrderDependentThunksBitMap db    ? ;	; DATA XREF: VfThunkInit()+4Bo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VfOrderDependentThunksBitMapHeader dd ? ; DATA	XREF: VfThunkAddTargetNotify+4Ao
					; ViThunkReplaceAllSharedExports(x,x,x)+40o ...
dword_AB262C	dd ?			; DATA XREF: VfThunkInit()+4Bw
_VfRegularThunksBitMap db    ? ;	; DATA XREF: VfThunkInit()+Fo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_VfRegularThunksBitMapHeader dd	?	; DATA XREF: VfThunkAddTargetNotify+11o
					; ViThunkReplaceAllSharedExports(x,x,x)+27o ...
dword_AB2654	dd ?			; DATA XREF: VfThunkInit()+Fw
_VfPoolThunksBitMapHeader dd ?		; DATA XREF: VfThunkAddTargetNotify+2Bo
					; ViThunkReplaceAllSharedExports(x,x,x)+5o ...
dword_AB265C	dd ?			; DATA XREF: VfThunkInit()+2Dw
PAGEVRFD	ends

; Section 20. (virtual address 006B3000)
; Virtual size			: 00049CBC ( 302268.)
; Section size in file		: 00049E00 ( 302592.)
; Offset to raw	data for section: 00633000
; Flags	62000020: Text Discardable Executable Readable
; Alignment	: default
; 

; Segment type:	Pure code
; Segment permissions: Read/Execute
INIT		segment	para public 'CODE' use32
		assume cs:INIT
		;org 0AB3000h
		assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

;  S U B	R O U T	I N E 


; __stdcall CmInitBootFeatureConfigurations(x)
_CmInitBootFeatureConfigurations@4 proc	near
					; CODE XREF: KiInitializePcr(x,x,x,x,x,x,x,x)+113p
					; DATA XREF: INIT:00AF322Ao
		mov	edi, edi
		push	ecx
		mov	ecx, ds:_KeLoaderBlock
		call	_CmFcInitSystem0@4 ; CmFcInitSystem0(x)
		pop	ecx
		retn
_CmInitBootFeatureConfigurations@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcInitSystem2()
_CmFcInitSystem2@0 proc	near		; CODE XREF: CmInitSystem1(x):loc_AC7FBEp

var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		xor	ebx, ebx
		push	ebx
		mov	[ebp+var_4], ebx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_4]
		push	eax
		push	1
		push	offset aOSygSydAGaSyAG ; "O:SYG:SYD:(A;;GA;;;SY)(A;;GA;;;BA)"
		call	SeConvertStringSecurityDescriptorToSecurityDescriptor
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	short loc_AB3080
		lea	eax, [ebp+var_14]
		push	eax
		call	SeCaptureSubjectContext
		push	1
		push	offset _CmFcFeatureConfigMapping
		lea	eax, [ebp+var_14]
		push	eax
		push	ebx
		push	offset _CmFcFeatureConfigSecurityDescriptor
		push	edi
		push	ebx
		call	_SeAssignSecurity@28 ; SeAssignSecurity(x,x,x,x,x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_14]
		push	eax
		call	SeReleaseSubjectContext
		test	esi, esi
		js	short loc_AB3080
		call	_CmFcManagerStartRuntimePhase@4	; CmFcManagerStartRuntimePhase(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AB3080
		mov	esi, ebx

loc_AB3080:				; CODE XREF: CmFcInitSystem2()+31j
					; CmFcInitSystem2()+61j ...
		test	edi, edi
		jz	short loc_AB308B
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AB308B:				; CODE XREF: CmFcInitSystem2()+72j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmFcInitSystem2@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcInitSystem3()
_CmFcInitSystem3@0 proc	near		; CODE XREF: INIT:00AC63EFp

var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BB		= dword	ptr -0BBh
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	ebx, offset dword_6B1EB8
		push	edi
		mov	ecx, ebx
		call	_TlgRegisterAggregateProvider@4	; TlgRegisterAggregateProvider(x)
		mov	eax, ds:_KeLoaderBlock
		mov	esi, [eax+84h]
		add	esi, 0D14h
		cmp	dword_6B1EB8, 5
		jbe	loc_AB3216
		push	4000h
		xor	edi, edi
		mov	ecx, ebx
		push	edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_AB3216
		mov	al, [esi]
		xor	ecx, ecx
		mov	byte ptr [ebp+var_BB+2], al
		inc	ecx
		lea	eax, [ebp+var_BB+2]
		mov	[ebp+var_90], ecx
		mov	[ebp+var_98], eax
		mov	al, [esi+1]
		mov	byte ptr [ebp+var_BB+1], al
		lea	eax, [ebp+var_BB+1]
		mov	[ebp+var_88], eax
		mov	al, [esi+2]
		mov	byte ptr [ebp+var_BB], al
		lea	eax, [ebp+var_BB]
		mov	[ebp+var_78], eax
		mov	eax, [esi+4]
		mov	[ebp+var_C0], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_68], eax
		mov	eax, [esi+8]
		mov	[ebp+var_C4], eax
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_58], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_48], eax
		mov	eax, [esi+10h]
		mov	[ebp+var_CC], eax
		lea	eax, [ebp+var_CC]
		mov	[ebp+var_38], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_D0], eax
		lea	eax, [ebp+var_D0]
		push	4
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_80], ecx
		mov	[ebp+var_70], ecx
		pop	ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_BB+3]
		push	eax
		push	0Bh
		push	edi
		push	edi
		push	offset loc_419A01
		push	ebx
		mov	[ebp+var_94], edi
		mov	[ebp+var_8C], edi
		mov	[ebp+var_84], edi
		mov	[ebp+var_7C], edi
		mov	[ebp+var_74], edi
		mov	[ebp+var_6C], edi
		mov	[ebp+var_64], edi
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], edi
		mov	[ebp+var_54], edi
		mov	[ebp+var_50], ecx
		mov	[ebp+var_4C], edi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], ecx
		mov	[ebp+var_1C], edi
		mov	[ebp+var_D8], 1000000h
		mov	[ebp+var_D4], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], edi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_AB3216:				; CODE XREF: CmFcInitSystem3()+3Cj
					; CmFcInitSystem3()+53j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmFcInitSystem3@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall wil_InitializeFeatureStagingFromBuffers(x)
_wil_InitializeFeatureStagingFromBuffers@4 proc	near ; CODE XREF: CmFcInitSystem0(x)+18p
		mov	edi, edi
		push	ecx
		call	_wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers@4 ; wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)
		call	_wil_details_EvaluateFeatureDependencies@0 ; wil_details_EvaluateFeatureDependencies()
		xor	eax, eax
		pop	ecx
		retn
_wil_InitializeFeatureStagingFromBuffers@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)
_wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers@4 proc near
					; CODE XREF: wil_InitializeFeatureStagingFromBuffers(x)+3p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 1Ch
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	ecx, offset _wil_details_featureDescriptors_a
		push	edi
		jmp	short loc_AB32C0
; 

loc_AB324F:				; CODE XREF: wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)+91j
		and	[esp+28h+var_18], 0
		lea	edi, [esp+28h+var_C]
		and	[esp+28h+var_14], 0
		xor	eax, eax
		cmp	byte ptr [esi+11h], 0
		stosd
		stosd
		stosd
		jnz	short loc_AB3292
		cmp	byte ptr [esi+12h], 0
		jnz	short loc_AB3292
		mov	al, [esi+10h]
		cmp	al, 3
		jz	short loc_AB327E
		cmp	al, 2
		jz	short loc_AB327E
		xor	eax, eax
		inc	eax
		jmp	short loc_AB3280
; 

loc_AB327E:				; CODE XREF: wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)+3Bj
					; wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)+3Fj
		xor	eax, eax

loc_AB3280:				; CODE XREF: wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)+44j
		mov	edx, [esi+0Ch]
		lea	ecx, [esp+28h+var_C]
		push	ecx
		push	eax
		mov	ecx, ebx
		call	_RtlQueryFeatureConfigurationFromBuffers@16 ; RtlQueryFeatureConfigurationFromBuffers(x,x,x,x)
		jmp	short loc_AB3297
; 

loc_AB3292:				; CODE XREF: wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)+2Ej
					; wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)+34j
		mov	eax, 0C0000225h

loc_AB3297:				; CODE XREF: wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)+58j
		cmp	eax, 80000022h
		jz	short loc_AB32CD
		lea	ecx, [esp+28h+var_18]
		push	ecx
		lea	edx, [esp+2Ch+var_C]
		mov	ecx, eax
		call	_wil_details_BuildFeatureStateCacheFromQueryResults@12 ; wil_details_BuildFeatureStateCacheFromQueryResults(x,x,x)
		mov	ecx, [esi]
		mov	eax, [esp+28h+var_18]
		mov	[ecx], eax
		mov	eax, [esp+28h+var_14]
		mov	[ecx+4], eax
		lea	ecx, [esi+18h]

loc_AB32C0:				; CODE XREF: wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)+15j
		call	_wil_details_FeatureDescriptors_SkipPadding@4 ;	wil_details_FeatureDescriptors_SkipPadding(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_AB324F
		jmp	short loc_AB32E7
; 

loc_AB32CD:				; CODE XREF: wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)+64j
					; wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)+ADj
		mov	eax, [esi]
		lea	ecx, [esi+18h]
		mov	dword ptr [eax], 206h
		and	dword ptr [eax+4], 0
		call	_wil_details_FeatureDescriptors_SkipPadding@4 ;	wil_details_FeatureDescriptors_SkipPadding(x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_AB32CD

loc_AB32E7:				; CODE XREF: wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers(x)+93j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_wil_details_PopulateInitialConfiguredFeatureStatesFromBuffers@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcManagerStartBootPhase(x, x, x, x, x, x,	x)
_CmFcManagerStartBootPhase@28 proc near	; CODE XREF: CmFcInitSystem0(x)+2Cp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 3Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+3Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	dword_6CE130
		mov	esi, edx
		push	dword_6CE12C
		call	_CmFcpIncrementChangeStamp@8 ; CmFcpIncrementChangeStamp(x,x)
		mov	ecx, [ebp+arg_0]
		mov	ebx, eax
		mov	eax, [ebp+arg_4]
		mov	edi, edx
		push	edi
		mov	[esp+4Ch+var_2C], ecx
		lea	edx, [esp+4Ch+var_38]
		mov	[esp+4Ch+var_1C], ecx
		mov	ecx, offset unk_6CE168
		mov	[esp+4Ch+var_10], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	[esp+50h+var_38], ebx
		mov	[esp+50h+var_34], edi
		mov	[esp+50h+var_30], esi
		mov	[esp+50h+var_28], ebx
		mov	[esp+50h+var_24], edi
		mov	[esp+50h+var_20], esi
		mov	[esp+50h+var_18], ebx
		mov	[esp+50h+var_14], edi
		mov	[esp+50h+var_C], eax
		call	_RtlpFcBufferManagerUpdateBuffers@16 ; RtlpFcBufferManagerUpdateBuffers(x,x,x,x)
		push	edi
		push	ebx
		mov	ecx, offset dword_6CE12C
		call	_RtlpFcWriteHighLowHigh@12 ; RtlpFcWriteHighLowHigh(x,x,x)
		mov	ecx, [esp+48h+var_4]
		mov	eax, [ebp+arg_C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		mov	dword_6CE204, eax
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	14h
_CmFcManagerStartBootPhase@28 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmFcManagerStartRuntimePhase(x)
_CmFcManagerStartRuntimePhase@4	proc near ; CODE XREF: CmFcInitSystem2()+63p

var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 94h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		lea	ecx, [ebp+var_38]
		push	3
		pop	ebx
		mov	[ebp+var_94], esi
		mov	edx, ebx
		mov	[ebp+var_90], esi
		mov	[ebp+var_78], esi
		mov	[ebp+var_74], esi
		mov	[ebp+var_8C], ebx

loc_AB33CA:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+45j
		call	_CmFcpInitializeSectionState@4 ; CmFcpInitializeSectionState(x)
		add	ecx, 10h
		sub	edx, 1
		jnz	short loc_AB33CA
		push	30h		; size_t
		lea	eax, [ebp+var_68]
		mov	[ebp+var_6C], esi
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	byte_6CE1FE, 1
		push	esi
		push	offset _CmFcSystemManager
		push	1
		push	offset aOSygSydAGrSyAG ; "O:SYG:SYD:(A;;GR;;;SY)(A;;GR;;;BA)(A;;G"...
		call	SeConvertStringSecurityDescriptorToSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_AB3682
		call	_KeEnterCriticalRegion@0 ; KeEnterCriticalRegion()
		mov	ecx, offset unk_6CE128
		call	_CmSiRWLockAcquireExclusive@4 ;	CmSiRWLockAcquireExclusive(x)
		lea	eax, [ebp+var_6C]
		mov	ecx, offset unk_6CE168
		push	eax
		lea	edx, [ebp+var_78]
		call	_RtlpFcBufferManagerReferenceBuffers@12	; RtlpFcBufferManagerReferenceBuffers(x,x,x)
		mov	ecx, [ebp+var_74]
		lea	eax, [ebp+var_38]
		mov	edx, [ebp+var_78]
		mov	esi, ebx

loc_AB3437:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+B2j
		mov	[eax], edx
		lea	eax, [eax+10h]
		mov	[eax-0Ch], ecx
		sub	esi, 1
		jnz	short loc_AB3437
		mov	edi, [ebp+var_6C]
		mov	eax, [edi+8]
		test	eax, eax
		jz	short loc_AB347F
		lea	esi, [ebp+var_38]
		push	esi
		push	_CmFcSystemManager
		push	ecx
		push	edx
		mov	edx, [edi+0Ch]
		mov	ecx, eax
		call	_CmFcpManagerCreateSectionFromBuffer@24	; CmFcpManagerCreateSectionFromBuffer(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AB365C
		lea	edx, [ebp+var_38]
		lea	ecx, [ebp+var_28]
		call	_CmFcpCopySectionState@8 ; CmFcpCopySectionState(x,x)
		mov	ecx, [ebp+var_74]
		mov	edx, [ebp+var_78]

loc_AB347F:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+BCj
		mov	eax, [edi+28h]
		test	eax, eax
		jz	short loc_AB34A6
		lea	esi, [ebp+var_18]
		push	esi
		push	_CmFcSystemManager
		push	ecx
		push	edx
		mov	edx, [edi+2Ch]
		mov	ecx, eax
		call	_CmFcpManagerCreateSectionFromBuffer@24	; CmFcpManagerCreateSectionFromBuffer(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AB365C

loc_AB34A6:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+F4j
		mov	edx, edi
		mov	ecx, offset unk_6CE168
		call	_RtlpFcBufferManagerDereferenceBuffers@8 ; RtlpFcBufferManagerDereferenceBuffers(x,x)
		and	[ebp+var_7C], 0
		lea	esi, [ebp+var_38]
		xor	edi, edi
		mov	[ebp+var_6C], esi

loc_AB34BE:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+15Aj
		mov	ecx, edi
		call	_RtlpFcSectionTypeToBufferType@4 ; RtlpFcSectionTypeToBufferType(x)
		shl	eax, 4
		lea	edx, [ebp+var_68]
		add	edx, eax
		mov	ecx, esi
		call	CmFcpMapSection
		mov	esi, eax
		test	esi, esi
		js	loc_AB3673
		mov	esi, [ebp+var_6C]
		inc	edi
		add	esi, 10h
		mov	[ebp+var_6C], esi
		cmp	edi, ebx
		jb	short loc_AB34BE
		mov	ecx, offset unk_6CE124
		call	_CmSiRWLockAcquireExclusive@4 ;	CmSiRWLockAcquireExclusive(x)
		xor	edi, edi
		mov	esi, edi

loc_AB34FA:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+180j
		lea	edx, [ebp+var_38]
		add	edx, esi
		lea	ecx, dword_6CE138[esi]
		call	_CmFcpSwapSectionState@8 ; CmFcpSwapSectionState(x,x)
		add	esi, 10h
		cmp	esi, 30h
		jb	short loc_AB34FA
		push	[ebp+var_74]
		lea	edx, [ebp+var_68]
		mov	ecx, offset unk_6CE168
		push	[ebp+var_78]
		call	_RtlpFcBufferManagerUpdateBuffers@16 ; RtlpFcBufferManagerUpdateBuffers(x,x,x,x)
		push	30h		; size_t
		lea	eax, [ebp+var_68]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, 0FFDF0710h
		push	[ebp+var_74]
		push	[ebp+var_78]
		call	_RtlpFcWriteHighLowHigh@12 ; RtlpFcWriteHighLowHigh(x,x,x)
		mov	ecx, offset unk_6CE124
		call	CmSiRWLockReleaseExclusive
		push	edi
		push	edi
		push	edi
		push	offset _CmFcpWnfTypeId
		push	8
		lea	eax, [ebp+var_78]
		push	eax
		push	offset _WNF_CMFC_FEATURE_CONFIGURATION_CHANGED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AB3673
		mov	[ebp+var_6C], edi

loc_AB3573:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+269j
		mov	ecx, offset unk_6CE1EC
		call	_RtlGetSwapReferenceIndex@4 ; RtlGetSwapReferenceIndex(x)
		push	63466D43h
		push	310h
		push	200h
		lea	esi, [eax-1]
		and	esi, 1
		mov	[ebp+var_88], esi
		mov	eax, dword_6CE204[esi*4]
		mov	[ebp+var_80], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_84], eax
		test	eax, eax
		jz	loc_AB366E
		mov	edx, [ebp+var_80]
		test	edx, edx
		jnz	short loc_AB35CB
		mov	ecx, eax	; void *
		call	_RtlpFcInitializeDelayedUsageReportBuffer@4 ; RtlpFcInitializeDelayedUsageReportBuffer(x)
		mov	eax, [ebp+var_84]
		jmp	short loc_AB35DF
; 

loc_AB35CB:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+22Aj
		mov	ecx, 0C4h
		mov	esi, edx
		mov	edi, eax
		rep movsd
		mov	esi, [ebp+var_88]
		mov	edi, [ebp+var_6C]

loc_AB35DF:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+239j
		mov	edx, esi
		mov	dword_6CE204[esi*4], eax
		mov	ecx, offset unk_6CE1EC
		call	_RtlUpdateSwapReference@8 ; RtlUpdateSwapReference(x,x)
		inc	edi
		mov	[ebp+var_6C], edi
		cmp	edi, 2
		jb	loc_AB3573
		push	8
		mov	esi, offset _CmFcSystemManager
		push	esi
		push	offset _CmFcpManagerRetryUsageNotificationsTimerRoutine@8 ; CmFcpManagerRetryUsageNotificationsTimerRoutine(x,x)
		call	ExAllocateTimer
		mov	dword_6CE250, eax
		test	eax, eax
		jz	short loc_AB366E
		call	_RtlIsStateSeparationEnabled@0 ; RtlIsStateSeparationEnabled()
		test	al, al
		mov	eax, offset ??_C@_1DC@LPOMOPCG@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@PBOPGDP@ ;	"\\"
		jnz	short loc_AB362D
		mov	eax, offset ??_C@_1DG@IOMDFJHH@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@PBOPGDP@ ;	"\\REGISTRY\\MACHINE\\SOFTWARE"

loc_AB362D:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+296j
		push	eax
		lea	eax, [ebp+var_94]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset unk_6CE1E8
		lea	eax, [ebp+var_94]
		push	eax
		push	esi
		push	offset CmFcpManagerSoftwareHiveReady
		call	CmRegisterMachineHiveLoadedNotification
		mov	esi, eax
		test	esi, esi
		js	short loc_AB3673
		mov	edi, [ebp+var_7C]
		xor	esi, esi

loc_AB365C:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+D8j
					; CmFcManagerStartRuntimePhase(x)+110j
		test	edi, edi
		jz	short loc_AB3673
		mov	edx, edi
		mov	ecx, offset unk_6CE168
		call	_RtlpFcBufferManagerDereferenceBuffers@8 ; RtlpFcBufferManagerDereferenceBuffers(x,x)
		jmp	short loc_AB3673
; 

loc_AB366E:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+21Fj
					; CmFcManagerStartRuntimePhase(x)+288j
		mov	esi, 0C000009Ah

loc_AB3673:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+148j
					; CmFcManagerStartRuntimePhase(x)+1DAj	...
		mov	ecx, offset unk_6CE128
		call	CmSiRWLockReleaseExclusive
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()

loc_AB3682:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+76j
		lea	edi, [ebp+var_68]

loc_AB3685:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+302j
		mov	ecx, edi
		call	_CmFcpUnmapSection@4 ; CmFcpUnmapSection(x)
		add	edi, 10h
		sub	ebx, 1
		jnz	short loc_AB3685
		mov	ebx, [ebp+var_8C]
		lea	edi, [ebp+var_38]

loc_AB369D:				; CODE XREF: CmFcManagerStartRuntimePhase(x)+31Aj
		mov	ecx, edi
		call	_CmFcpCleanupSectionState@4 ; CmFcpCleanupSectionState(x)
		add	edi, 10h
		sub	ebx, 1
		jnz	short loc_AB369D
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmFcManagerStartRuntimePhase@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MxCreatePfn(x, x, x, x, x, x, x)
_MxCreatePfn@28	proc near		; CODE XREF: MxCreatePfns(x,x,x,x)+F8p
					; MxCreatePfns(x,x,x,x)+196p ...

var_38		= dword	ptr -38h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		mov	ebx, ecx
		imul	esi, ebx, 1Ch
		push	edi
		xor	edi, edi
		inc	edi
		add	esi, ds:_MmPfnDatabase
		cmp	[ebp+arg_8], edi
		jnz	short loc_AB36E8
		push	7
		xor	eax, eax
		mov	edi, esi
		pop	ecx
		rep stosd
		xor	edi, edi
		inc	edi

loc_AB36E8:				; CODE XREF: MxCreatePfn(x,x,x,x,x,x,x)+1Cj
		mov	eax, [esi+18h]
		mov	ecx, esi
		xor	eax, [ebp+arg_0]
		and	eax, offset loc_7FFFFF
		mov	[esi+4], edx
		xor	[esi+18h], eax
		mov	edx, edi
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	al, [esi+16h]
		mov	edx, edi
		and	al, 0FEh
		mov	[esi+14h], di
		mov	edi, [ebp+arg_C]
		or	al, 6
		mov	ecx, edi
		mov	[esi+16h], al
		and	ecx, 10h
		mov	[ebp+arg_8], edx
		mov	eax, ecx
		or	eax, 0
		push	2
		pop	eax
		jnz	short loc_AB3733
		and	edi, 8
		or	edi, 0
		jz	short loc_AB3733
		mov	edx, eax
		jmp	short loc_AB373A
; 

loc_AB3733:				; CODE XREF: MxCreatePfn(x,x,x,x,x,x,x)+67j
					; MxCreatePfn(x,x,x,x,x,x,x)+6Fj
		or	ecx, 0
		jz	short loc_AB373D
		xor	edx, edx

loc_AB373A:				; CODE XREF: MxCreatePfn(x,x,x,x,x,x,x)+73j
		mov	[ebp+arg_8], edx

loc_AB373D:				; CODE XREF: MxCreatePfn(x,x,x,x,x,x,x)+78j
		mov	cl, [esi+16h]
		mov	al, dl
		and	cl, 3Fh
		shl	al, 6
		or	cl, al
		push	4
		mov	[esi+16h], cl
		pop	ecx
		call	_MiMakeDemandZeroPte@4 ; MiMakeDemandZeroPte(x)
		mov	ecx, [ebp+arg_8]
		cmp	ecx, 2
		jnz	short loc_AB3764
		or	eax, 300h
		jmp	short loc_AB376D
; 

loc_AB3764:				; CODE XREF: MxCreatePfn(x,x,x,x,x,x,x)+9Dj
		test	ecx, ecx
		jnz	short loc_AB376D
		or	eax, 100h

loc_AB376D:				; CODE XREF: MxCreatePfn(x,x,x,x,x,x,x)+A4j
					; MxCreatePfn(x,x,x,x,x,x,x)+A8j
		mov	[esi+0Ch], edx
		mov	edx, ebx
		mov	[esi+8], eax
		mov	eax, ebx
		or	byte ptr [esi+16h], 10h
		and	eax, 7
		shr	edx, 3
		add	edx, dword_6D35B8
		movsx	ecx, byte ptr [edx]
		bts	ecx, eax
		cmp	[ebp+arg_4], 1
		mov	[edx], cl
		jnz	short loc_AB37DC
		mov	eax, ebx
		and	eax, 0FFFFFE00h
		cmp	ebx, eax
		jnz	short loc_AB37BD
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		push	7
		pop	ecx
		rep stosd
		mov	eax, [esi+18h]
		and	eax, 0FEFFFFFFh
		or	eax, 2000000h
		mov	[ebp+var_4], eax
		mov	[esi+18h], eax

loc_AB37BD:				; CODE XREF: MxCreatePfn(x,x,x,x,x,x,x)+E0j
		push	7
		xor	eax, eax
		lea	edi, [ebp+var_38]
		pop	ecx
		rep stosd
		mov	eax, [esi+18h]
		or	eax, 800000h
		mov	[ebp+var_20], eax
		push	2
		mov	[esi+18h], eax
		pop	eax
		mov	[esi+14h], ax

loc_AB37DC:				; CODE XREF: MxCreatePfn(x,x,x,x,x,x,x)+D5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
_MxCreatePfn@28	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateResidentPfnTemplate(x)
_MiCreateResidentPfnTemplate@4 proc near ; CODE	XREF: MiInitNucleus(x)+186p

var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	edi
		mov	edx, ecx
		xor	eax, eax
		push	7
		pop	ecx
		mov	edi, edx
		rep stosd
		mov	byte ptr [edx+16h], 6
		lea	edi, [ebp+var_1C]
		mov	al, [edx+16h]
		and	al, 3Fh
		or	al, 40h
		mov	[edx+16h], al
		mov	eax, [edx+10h]
		and	eax, 0C0000001h
		or	eax, 1
		mov	[edx+10h], eax
		push	2
		pop	eax
		mov	[edx+14h], ax
		xor	eax, eax
		push	7
		pop	ecx
		rep stosd
		mov	eax, [edx+18h]
		or	eax, (offset loc_7FFFFF+1)
		mov	[ebp+var_4], eax
		mov	[edx+18h], eax
		pop	edi
		leave
		retn
_MiCreateResidentPfnTemplate@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpEarlyLaunchStatusNotificationPreProcess(x, x, x,	x, x)
_PnpEarlyLaunchStatusNotificationPreProcess@20 proc near
					; DATA XREF: PnpNotifyEarlyLaunchStatusUpdate(x)+45o

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_10]
		mov	ecx, [eax]
		mov	eax, [ebp+arg_8]
		mov	[eax], ecx
		pop	ebp
		retn	14h
_PnpEarlyLaunchStatusNotificationPreProcess@20 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall InitializeBuildStrings(x)
_InitializeBuildStrings@4 proc near	; CODE XREF: KiInitializePcr(x,x,x,x,x,x,x,x)+30p
		mov	edi, edi
		push	esi
		push	edi
		mov	eax, ecx
		mov	edi, offset _NtBuildLab
		push	38h
		pop	ecx
		push	38h
		lea	esi, [eax+0AACh]
		rep movsd
		pop	ecx
		lea	esi, [eax+0B8Ch]
		mov	edi, offset _NtBuildLabEx
		rep movsd
		pop	edi
		pop	esi
		retn
_InitializeBuildStrings@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwPdoDriverEntry(x, x)
_PiSwPdoDriverEntry@8 proc near		; DATA XREF: PiSwInit()+67o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	_PiSwDeviceDriverObject, ecx
		mov	eax, [ecx+18h]
		mov	dword ptr [eax+4], offset _ArbPreprocessEntry@8	; ArbPreprocessEntry(x,x)
		xor	eax, eax
		mov	dword ptr [ecx+0A4h], offset PiSwPdoPnPDispatch
		mov	dword ptr [ecx+90h], offset IopPowerDispatch
		mov	dword ptr [ecx+94h], offset _IopSystemControlDispatch@8	; IopSystemControlDispatch(x,x)
		pop	ebp
		retn	8
_PiSwPdoDriverEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipPnPDriverEntry(x, x)
_PipPnPDriverEntry@8 proc near		; DATA XREF: IopInitializePlugPlayServices(x,x)+6B9o

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, [ebp+arg_0]
		mov	_PnpDriverObject, ecx
		mov	eax, [ecx+18h]
		mov	dword ptr [eax+4], offset _ArbPreprocessEntry@8	; ArbPreprocessEntry(x,x)
		xor	eax, eax
		mov	dword ptr [ecx+0A4h], offset IopPnPDispatch
		mov	dword ptr [ecx+90h], offset IopPowerDispatch
		mov	dword ptr [ecx+94h], offset _IopSystemControlDispatch@8	; IopSystemControlDispatch(x,x)
		pop	ebp
		retn	8
_PipPnPDriverEntry@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpHwprofileDefaultSelect(x, x, x)
_CmpHwprofileDefaultSelect@12 proc near	; DATA XREF: CmpCreateHardwareProfiles+430o

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		and	dword ptr [eax], 0
		xor	eax, eax
		pop	ebp
		retn	0Ch
_CmpHwprofileDefaultSelect@12 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall CmFcInitSystem0(x)
_CmFcInitSystem0@4 proc	near		; CODE XREF: CmInitBootFeatureConfigurations(x)+9p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		call	_CmFcManagerInitialize@4 ; CmFcManagerInitialize(x)
		mov	esi, [esi+84h]
		add	esi, 0CFCh
		mov	ecx, esi
		call	_wil_InitializeFeatureStagingFromBuffers@4 ; wil_InitializeFeatureStagingFromBuffers(x)
		mov	edx, [esi]
		push	ecx
		push	dword ptr [esi+10h]
		push	dword ptr [esi+0Ch]
		push	dword ptr [esi+8]
		push	dword ptr [esi+4]
		call	_CmFcManagerStartBootPhase@28 ;	CmFcManagerStartBootPhase(x,x,x,x,x,x,x)
		pop	esi
		retn
_CmFcInitSystem0@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall xHalIommuGetConfiguration(x, x, x, x)
_xHalIommuGetConfiguration@16 proc near	; DATA XREF: .data:006B3194o
		mov	eax, 0C0000001h
		retn	10h
_xHalIommuGetConfiguration@16 endp


;  S U B	R O U T	I N E 


; __stdcall xHalIommuRegisterDispatchTable(x)
_xHalIommuRegisterDispatchTable@4 proc near ; CODE XREF: INIT:00ACD2A6p
					; DATA XREF: .data:off_6B13A0o
		retn	4
_xHalIommuRegisterDispatchTable@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopReportBootResources proc near	; DATA XREF: IopInitializePlugPlayServices(x,x)+228o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00AE0D29 SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ecx, edi
		call	_PnpDetermineResourceListSize@4	; PnpDetermineResourceListSize(x)
		mov	ecx, eax
		mov	[ebp+arg_8], ecx
		test	ecx, ecx
		jz	short loc_AB3990
		mov	ebx, [ebp+arg_4]
		test	ebx, ebx
		jz	short loc_AB3989
		mov	eax, [ebx+0B0h]
		mov	esi, [eax+14h]
		test	byte ptr [esi+10Ch], 1
		jnz	near ptr loc_AE0CFB+1
		push	edi
		push	ebx
		push	[ebp+arg_0]
		call	_IopAllocateBootResources@12 ; IopAllocateBootResources(x,x,x)

loc_AB3982:				; CODE XREF: IopReportBootResources+52j
					; IopReportBootResources+2D41Ej
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	0Ch
; 

loc_AB3989:				; CODE XREF: IopReportBootResources+20j
		xor	esi, esi
		jmp	loc_AE0D29
; 

loc_AB3990:				; CODE XREF: IopReportBootResources+19j
					; IopReportBootResources+2D440j
		xor	eax, eax
		jmp	short loc_AB3982
IopReportBootResources endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInitializeSystemDrivers proc	near	; CODE XREF: IoInitSystem+25p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE0D85 SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		xor	ebx, ebx
		xor	edx, edx
		push	esi
		push	edi
		push	ebx
		mov	ecx, offset _KMPnPEvt_SystemStart_Start
		mov	[esp+3Ch+var_20], ebx
		mov	[esp+3Ch+var_24], ebx
		mov	[esp+3Ch+var_28], ebx
		mov	[esp+3Ch+var_10], ebx
		mov	[esp+3Ch+var_C], ebx
		mov	[esp+3Ch+var_18], ebx
		mov	[esp+3Ch+var_14], ebx
		mov	[esp+3Ch+var_8], ebx
		mov	[esp+3Ch+var_4], ebx
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		call	_ExIsManufacturingModeEnabled@0	; ExIsManufacturingModeEnabled()
		movzx	ecx, al
		neg	ecx
		sbb	ecx, ecx
		and	ecx, dword_6BBFE8
		call	CmGetSystemDriverList
		mov	esi, eax
		test	esi, esi
		jz	loc_AB3B30
		mov	[esp+38h+var_1C], esi

loc_AB39FA:				; CODE XREF: IopInitializeSystemDrivers+155j
		mov	eax, [esi]
		test	eax, eax
		jz	loc_AB3B26
		lea	edx, [esp+38h+var_8]
		mov	ecx, eax
		call	IopGetDriverNameFromKeyNode
		test	eax, eax
		js	short loc_AB3A30
		lea	ecx, [esp+38h+var_8]
		call	_IopReferenceDriverObjectByName@4 ; IopReferenceDriverObjectByName(x)
		mov	edi, eax
		lea	eax, [esp+38h+var_8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	edi, edi
		jnz	loc_AE0D85

loc_AB3A30:				; CODE XREF: IopInitializeSystemDrivers+7Dj
		push	0Ah
		pop	eax
		push	8
		mov	word ptr [esp+3Ch+var_18+2], ax
		lea	ecx, [esp+3Ch+var_24]
		pop	eax
		mov	word ptr [esp+38h+var_18], ax
		lea	eax, [esp+38h+var_18]
		push	20019h
		mov	[esp+3Ch+var_14], offset ??_C@_19DDCEFKEI@?$AAE?$AAn?$AAu?$AAm@PBOPGDP@	; "Enum"
		mov	edx, [esi]
		push	eax
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
		test	eax, eax
		jns	loc_AB3AF2

loc_AB3A65:				; CODE XREF: IopInitializeSystemDrivers+187j
		mov	ecx, [esi]
		lea	eax, [esp+38h+var_28]
		push	eax
		push	ebx
		mov	edx, offset ??_C@_1M@LHGLMLD@?$AAG?$AAr?$AAo?$AAu?$AAp@PBOPGDP@	; "Group"
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_AB3AEE
		mov	ebx, [esp+38h+var_28]
		cmp	dword ptr [ebx+0Ch], 0
		jz	loc_AE0DB9
		mov	ax, [ebx+0Ch]
		lea	ecx, [esp+38h+var_10]
		mov	word ptr [esp+38h+var_10], ax
		xor	edx, edx
		mov	word ptr [esp+38h+var_10+2], ax
		inc	edx
		mov	eax, [ebx+8]
		add	eax, ebx
		mov	[esp+38h+var_C], eax
		call	_PipLookupGroupName@8 ;	PipLookupGroupName(x,x)
		mov	edi, eax

loc_AB3AAE:				; CODE XREF: IopInitializeSystemDrivers+2D427j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx

loc_AB3AB8:				; CODE XREF: IopInitializeSystemDrivers+15Cj
		mov	ecx, [esi]
		call	PipCheckDependencies
		mov	ecx, [esi]
		test	eax, eax
		jz	loc_AE0DC0
		lea	eax, [esp+38h+var_20]
		mov	dl, 1
		push	eax
		push	ebx
		call	IopLoadDriver
		test	eax, eax
		js	short loc_AB3AE1
		test	edi, edi
		jz	short loc_AB3AE1
		inc	dword ptr [edi+10h]

loc_AB3AE1:				; CODE XREF: IopInitializeSystemDrivers+144j
					; IopInitializeSystemDrivers+148j ...
		call	_InbvIndicateProgress@0	; InbvIndicateProgress()

loc_AB3AE6:				; CODE XREF: IopInitializeSystemDrivers+2D404j
		add	esi, 4
		jmp	loc_AB39FA
; 

loc_AB3AEE:				; CODE XREF: IopInitializeSystemDrivers+E5j
		mov	edi, ebx
		jmp	short loc_AB3AB8
; 

loc_AB3AF2:				; CODE XREF: IopInitializeSystemDrivers+CBj
		mov	ecx, [esp+38h+var_24]
		lea	eax, [esp+38h+var_28]
		push	eax
		push	ebx
		mov	edx, offset ??_C@_1CA@KLKNBMIL@?$AAI?$AAN?$AAI?$AAT?$AAS?$AAT?$AAA?$AAR?$AAT?$AAF?$AAA?$AAI?$AAL?$AAE?$AAD@PBOPGDP@ ; "INITSTARTFAILED"
		mov	edi, ebx
		call	IopGetRegistryValue
		test	eax, eax
		jns	loc_AE0D9D

loc_AB3B10:				; CODE XREF: IopInitializeSystemDrivers+2D420j
		push	[esp+38h+var_24]
		call	_ZwClose@4	; ZwClose(x)
		test	edi, edi
		jz	loc_AB3A65
		jmp	loc_AE0D91
; 

loc_AB3B26:				; CODE XREF: IopInitializeSystemDrivers+6Aj
		push	ebx
		push	[esp+3Ch+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AB3B30:				; CODE XREF: IopInitializeSystemDrivers+5Cj
		mov	ecx, _IopRootDeviceNode
		push	ebx
		push	ebx
		push	ebx
		mov	ecx, [ecx+10h]
		push	ebx
		push	ebx
		push	11h
		pop	edx
		call	PnpRequestDeviceAction
		cmp	_PnpBootOptions, 0
		jz	short loc_AB3B8B

loc_AB3B4F:				; CODE XREF: IopInitializeSystemDrivers+1FCj
		mov	ecx, _IopRootDeviceNode
		push	ebx
		push	ebx
		push	ebx
		mov	ecx, [ecx+10h]
		push	ebx
		push	ebx
		push	12h
		pop	edx
		call	PnpRequestDeviceAction
		mov	ecx, _IopGroupListHead
		test	ecx, ecx
		jz	short loc_AB3B74
		call	_PipFreeGroupTree@4 ; PipFreeGroupTree(x)

loc_AB3B74:				; CODE XREF: IopInitializeSystemDrivers+1D9j
		push	ebx
		xor	edx, edx
		mov	ecx, offset _KMPnPEvt_SystemStart_Stop
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		pop	edi
		xor	eax, eax
		pop	esi
		inc	eax
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_AB3B8B:				; CODE XREF: IopInitializeSystemDrivers+1B9j
		call	_PnpWaitForDevicesToStart@0 ; PnpWaitForDevicesToStart()
		jmp	short loc_AB3B4F
IopInitializeSystemDrivers endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipGetDriverTagPriority	proc near	; CODE XREF: IopInitializeBootDrivers+349p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE0DCB SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_18], 840082h
		push	20019h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_8], ebx
		mov	esi, ecx
		mov	[ebp+var_C], ebx
		push	eax
		xor	edx, edx
		mov	[ebp+var_10], ebx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_4], ebx
		mov	edi, 0FFFFh
		mov	[ebp+var_14], offset ??_C@_1IE@JFLGONEL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
		test	eax, eax
		js	short loc_AB3C53
		lea	eax, [ebp+var_8]
		mov	edx, offset ??_C@_1M@LHGLMLD@?$AAG?$AAr?$AAo?$AAu?$AAp@PBOPGDP@	; "Group"
		push	eax
		push	ebx
		mov	ecx, esi
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_AB3C4B
		mov	ebx, [ebp+var_8]
		cmp	dword ptr [ebx+4], 1
		jnz	short loc_AB3C27
		mov	edx, [ebx+0Ch]
		test	edx, edx
		jz	short loc_AB3C27
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		push	ecx
		mov	ecx, [ebx+8]
		push	eax
		add	ecx, ebx
		call	_PnpRegSzToString@16 ; PnpRegSzToString(x,x,x,x)
		mov	ax, word ptr [ebp+var_8]
		mov	word ptr [ebp+var_18], ax
		mov	ax, [ebx+0Ch]
		mov	word ptr [ebp+var_18+2], ax
		mov	eax, [ebx+8]
		add	eax, ebx
		mov	[ebp+var_14], eax

loc_AB3C27:				; CODE XREF: PipGetDriverTagPriority+61j
					; PipGetDriverTagPriority+68j
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_C]
		push	eax
		push	50h
		mov	edx, offset ??_C@_17COOIMOOP@?$AAT?$AAa?$AAg@PBOPGDP@ ;	"Tag"
		mov	ecx, esi
		call	IopGetRegistryValue
		mov	esi, eax
		test	esi, esi
		jns	short loc_AB3C5B

loc_AB3C43:				; CODE XREF: PipGetDriverTagPriority+F3j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AB3C4B:				; CODE XREF: PipGetDriverTagPriority+58j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_AB3C53:				; CODE XREF: PipGetDriverTagPriority+43j
					; PipGetDriverTagPriority+11Aj	...
		mov	ax, di
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB3C5B:				; CODE XREF: PipGetDriverTagPriority+AFj
		mov	ecx, [ebp+var_C]
		cmp	dword ptr [ecx+4], 4
		jnz	loc_AE0DCB
		cmp	dword ptr [ecx+0Ch], 4
		jnz	loc_AE0DCB
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	[ebp+var_8], eax

loc_AB3C7B:				; CODE XREF: PipGetDriverTagPriority+2D23Ej
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	short loc_AB3C43
		mov	edx, [ebp+var_14]
		lea	eax, [ebp+var_10]
		mov	ecx, [ebp+var_4]
		push	eax
		push	50h
		call	IopGetRegistryValue
		push	0
		push	ebx
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_AB3C53
		mov	esi, [ebp+var_10]
		cmp	dword ptr [esi+4], 3
		jnz	short loc_AB3CED
		mov	ecx, [esi+0Ch]
		cmp	ecx, 4
		jb	short loc_AB3CED
		mov	edx, [esi+8]
		add	edx, esi
		mov	ebx, [edx]
		lea	eax, ds:4[ebx*4]
		cmp	eax, ecx
		ja	short loc_AB3CED
		xor	edi, edi
		add	edx, 4
		inc	edi
		cmp	ebx, edi
		jb	short loc_AB3CED
		mov	eax, [ebp+var_8]

loc_AB3CDE:				; CODE XREF: PipGetDriverTagPriority+159j
		cmp	eax, [edx]
		jz	short loc_AB3CED
		add	edx, 4
		inc	edi
		movzx	ecx, di
		cmp	ecx, ebx
		jbe	short loc_AB3CDE

loc_AB3CED:				; CODE XREF: PipGetDriverTagPriority+123j
					; PipGetDriverTagPriority+12Bj	...
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AB3C53
PipGetDriverTagPriority	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInitializeBootDrivers proc near	; CODE XREF: INIT:00AC2EC1p

var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= byte ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE0DD5 SIZE 0000021C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ECh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		xor	edx, edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_EC], ebx
		push	ebx
		mov	ecx, offset _KMPnPEvt_BootStart_Start
		mov	[ebp+var_90], edi
		mov	[ebp+var_E8], ebx
		mov	[ebp+var_CC], ebx
		mov	[ebp+var_C8], ebx
		mov	dword ptr [ebp+var_B4],	ebx
		mov	[ebp+var_8C], ebx
		mov	[ebp+var_98], ebx
		mov	[ebp+var_B0], ebx
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_AC], ebx
		mov	[ebp+var_E4], ebx
		mov	[ebp+var_E0], ebx
		mov	[ebp+var_A0], ebx
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		push	7Eh
		pop	esi
		mov	eax, 80h
		mov	ds:_PnpDriverImageLoadPolicy, 3
		mov	word ptr [ebp+var_BC+2], ax
		lea	ecx, [ebp+var_8C]
		push	20019h
		lea	eax, [ebp-0BCh]
		mov	word ptr [ebp+var_BC], si
		push	eax
		xor	edx, edx
		mov	[ebp+var_B8], offset ??_C@_1IA@ELGFJICG@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
		test	eax, eax
		jns	short loc_AB3DF6
		push	7Ch
		pop	eax
		mov	word ptr [ebp+var_BC], ax
		lea	ecx, [ebp+var_8C]
		push	20019h
		lea	eax, [ebp+var_BC]
		mov	word ptr [ebp+var_BC+2], si
		push	eax
		xor	edx, edx
		mov	[ebp+var_B8], offset ??_C@_1HO@HDMJFOBD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
		test	eax, eax
		js	short loc_AB3E23

loc_AB3DF6:				; CODE XREF: IopInitializeBootDrivers+C2j
		mov	ecx, [ebp+var_8C]
		lea	eax, [ebp+var_98]
		push	eax
		push	ebx
		mov	edx, offset ??_C@_1CC@OINPPADF@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAL?$AAo?$AAa?$AAd?$AAP?$AAo?$AAl?$AAi?$AAc@PBOPGDP@
		call	IopGetRegistryValue
		push	[ebp+var_8C]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		jns	loc_AE0DD5

loc_AB3E23:				; CODE XREF: IopInitializeBootDrivers+FAj
					; IopInitializeBootDrivers+2D0FFj
		mov	eax, ds:_PnpDriverImageLoadPolicy
		cmp	eax, 8
		jz	loc_AE0DFE
		test	eax, 0FFFFFFF8h
		jnz	loc_AE0E09

loc_AB3E3C:				; CODE XREF: IopInitializeBootDrivers+2D10Aj
					; IopInitializeBootDrivers+2D119j
		mov	ecx, edi
		call	_PipInitializeCoreDriversAndElam@4 ; PipInitializeCoreDriversAndElam(x)
		mov	ecx, edi
		call	PipInitComputerIds
		push	20h
		pop	eax
		push	1Eh
		mov	word ptr [ebp+var_DC+2], ax
		lea	ecx, [ebp+var_A0]
		pop	eax
		push	2
		mov	word ptr [ebp+var_DC], ax
		lea	edx, [ebp+var_C4]
		pop	eax
		push	ecx
		push	ecx
		mov	word ptr [ebp+var_C4+2], ax
		lea	ecx, [ebp+var_DC]
		push	ebx
		xor	eax, eax
		mov	[ebp+var_D8], offset ??_C@_1CA@DOFLLPJ@?$AA?2?$AAF?$AAi?$AAl?$AAe?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAR?$AAA?$AAW@PBOPGDP@ ;	"\\FileSystem\\RAW"
		push	ebx
		mov	word ptr [ebp+var_C4], ax
		lea	eax, [edi+10h]
		push	eax
		push	ebx
		push	offset RawInitialize
		mov	[ebp+var_C0], offset ??_C@_11LOCGONAA@@PBOPGDP@
		call	PnpInitializeBootStartDriver
		mov	eax, [ebp+var_A0]
		mov	[ebp+var_94], eax
		test	eax, eax
		jz	loc_AE0E68
		xor	ecx, ecx
		call	PpInitGetGroupOrderIndex
		movzx	eax, ax
		mov	ecx, 0FFFFh
		mov	_IopGroupIndex,	eax
		mov	[ebp+var_A4], ecx
		cmp	eax, ecx
		jz	loc_AE0E18
		push	6E697050h
		shl	eax, 3
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	_IopGroupTable,	ecx
		test	ecx, ecx
		jz	loc_AE0E1C
		mov	esi, _IopGroupIndex
		mov	edx, ebx
		test	esi, esi
		jz	short loc_AB3F1E
		mov	eax, ebx

loc_AB3F0E:				; CODE XREF: IopInitializeBootDrivers+222j
		lea	eax, [ecx+eax*8]
		inc	edx
		mov	[eax+4], eax
		mov	[eax], eax
		movzx	eax, dx
		cmp	eax, esi
		jb	short loc_AB3F0E

loc_AB3F1E:				; CODE XREF: IopInitializeBootDrivers+210j
		push	2
		mov	edx, edi
		pop	ecx
		call	_PipInitializeDriverDependentDLLs@8 ; PipInitializeDriverDependentDLLs(x,x)
		push	offset ??_C@_1CA@FJJAHGFO@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?5?$AAR?$AAe?$AAs?$AAe?$AAr?$AAv?$AAe?$AAd@PBOPGDP@
		lea	eax, [ebp+var_E4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1CE@DFDJALFB@?$AAB?$AAo?$AAo?$AAt?$AA?5?$AAB?$AAu?$AAs?$AA?5?$AAE?$AAx?$AAt?$AAe?$AAn?$AAd@PBOPGDP@
		lea	eax, [ebp+var_EC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ax, _PiInitGroupOrderTableCount
		xor	ecx, ecx
		mov	esi, ebx
		cmp	cx, ax
		jnb	short loc_AB3FB4
		mov	di, ax

loc_AB3F5C:				; CODE XREF: IopInitializeBootDrivers+2B2j
		mov	eax, _PiInitGroupOrderTable
		movzx	ecx, bx
		push	1
		lea	eax, [eax+ecx*8]
		lea	ecx, [ebp+var_E4]
		mov	[ebp+var_9C], eax
		push	ecx
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jz	loc_AB4071
		push	1
		lea	eax, [ebp+var_EC]
		push	eax
		push	[ebp+var_9C]
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jz	loc_AB4068

loc_AB3FA0:				; CODE XREF: IopInitializeBootDrivers+378j
		push	2
		pop	eax
		cmp	si, ax
		jnb	short loc_AB3FAE
		inc	ebx
		cmp	bx, di
		jb	short loc_AB3F5C

loc_AB3FAE:				; CODE XREF: IopInitializeBootDrivers+2ACj
		mov	edi, [ebp+var_90]

loc_AB3FB4:				; CODE XREF: IopInitializeBootDrivers+25Dj
		mov	esi, [edi+20h]

loc_AB3FB7:				; CODE XREF: IopInitializeBootDrivers+2F0j
					; IopInitializeBootDrivers+369j ...
		lea	eax, [edi+20h]

loc_AB3FBA:				; CODE XREF: IopInitializeBootDrivers+2DCj
		cmp	esi, eax
		jz	loc_AB4077
		mov	ecx, esi
		mov	esi, [esi]
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_90], esi
		cmp	dword ptr [ecx+1Ch], 0
		jl	short loc_AB3FBA
		push	6E697050h
		push	1Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_AB3FB7
		xor	eax, eax
		lea	ecx, [ebp+var_8C]
		mov	[ebx+8], eax
		xor	edx, edx
		mov	[ebx+10h], eax
		mov	[ebx+14h], eax
		mov	[ebx+18h], eax
		mov	eax, [ebp+var_9C]
		mov	[ebx+0Ch], eax
		add	eax, 10h
		push	20019h
		push	eax
		mov	[ebx+4], ebx
		mov	[ebx], ebx
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
		test	eax, eax
		js	loc_AE0E20
		mov	eax, [ebp+var_8C]
		mov	[ebx+10h], eax
		mov	ecx, [ebp+var_8C]
		call	PpInitGetGroupOrderIndex
		mov	ecx, [ebp+var_8C]
		movzx	esi, ax
		call	PipGetDriverTagPriority
		mov	[ebx+18h], ax
		mov	ecx, esi
		mov	eax, _IopGroupTable
		mov	edx, ebx
		lea	ecx, [eax+ecx*8]
		call	_PipInsertDriverList@8 ; PipInsertDriverList(x,x)
		mov	esi, [ebp+var_90]
		jmp	loc_AB3FB7
; 

loc_AB4068:				; CODE XREF: IopInitializeBootDrivers+2A0j
		movzx	eax, bx
		mov	[ebp+var_A4], eax

loc_AB4071:				; CODE XREF: IopInitializeBootDrivers+284j
		inc	esi
		jmp	loc_AB3FA0
; 

loc_AB4077:				; CODE XREF: IopInitializeBootDrivers+2C2j
		xor	ecx, ecx
		inc	ecx
		call	_PnpNotifyEarlyLaunchStatusUpdate@4 ; PnpNotifyEarlyLaunchStatusUpdate(x)
		xor	esi, esi
		mov	edx, esi
		mov	[ebp+var_90], edx
		cmp	_IopGroupIndex,	edx
		jz	short loc_AB40D8
		mov	ebx, [ebp+var_94]
		mov	ecx, esi
		mov	[ebp+var_9C], ecx

loc_AB409F:				; CODE XREF: IopInitializeBootDrivers+3DAj
		mov	eax, _IopGroupTable
		lea	eax, [eax+ecx*8]
		mov	esi, [eax]
		cmp	esi, eax
		jnz	loc_AB4270

loc_AB40B1:				; CODE XREF: IopInitializeBootDrivers+71Bj
		cmp	dx, word ptr [ebp+var_A4]
		jz	loc_AB44A0

loc_AB40BE:				; CODE XREF: IopInitializeBootDrivers+7C6j
		inc	edx
		movzx	ecx, dx
		mov	[ebp+var_90], edx
		mov	[ebp+var_9C], ecx
		cmp	ecx, _IopGroupIndex
		jb	short loc_AB409F
		xor	esi, esi

loc_AB40D8:				; CODE XREF: IopInitializeBootDrivers+395j
		push	2
		pop	eax
		mov	ecx, eax
		call	_PnpNotifyEarlyLaunchStatusUpdate@4 ; PnpNotifyEarlyLaunchStatusUpdate(x)
		mov	ecx, edi
		call	_PipUnloadEarlyLaunchDrivers@4 ; PipUnloadEarlyLaunchDrivers(x)
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		xor	edx, edx
		mov	_PnPBootDriversLoaded, 1
		xor	ecx, ecx
		call	PnpRequestDeviceAction
		call	_PnpWaitForDevicesToStart@0 ; PnpWaitForDevicesToStart()
		test	eax, eax
		jz	loc_AE0E5E
		call	_IopCallBootDriverReinitializationRoutines@0 ; IopCallBootDriverReinitializationRoutines()
		test	al, al
		jz	short loc_AB4121
		call	_PnpWaitForDevicesToStart@0 ; PnpWaitForDevicesToStart()
		test	eax, eax
		jz	loc_AE0E41

loc_AB4121:				; CODE XREF: IopInitializeBootDrivers+418j
		push	8		; unsigned int
		push	(offset	loc_AE0C9D+1) ;	void *
		push	dword ptr [edi+68h] ; void *
		call	__memicmp
		add	esp, 0Ch
		test	eax, eax
		jz	loc_AE0E45
		mov	eax, 0C0000225h

loc_AB4140:				; CODE XREF: IopInitializeBootDrivers+2D152j
		test	eax, eax
		jns	loc_AE0E51

loc_AB4148:				; CODE XREF: IopInitializeBootDrivers+2D15Ej
		mov	ecx, edi
		call	VhdInitialize
		test	eax, eax
		js	short loc_AB4160
		call	_PnpWaitForDevicesToStart@0 ; PnpWaitForDevicesToStart()
		test	eax, eax
		jz	loc_AE0E5E

loc_AB4160:				; CODE XREF: IopInitializeBootDrivers+457j
		mov	ecx, edi
		call	_IopCreateArcNames@4 ; IopCreateArcNames(x)
		test	eax, eax
		js	loc_AE0E68
		push	esi
		xor	edx, edx
		mov	ecx, edi
		push	offset IopMarkBootPartition
		inc	edx
		call	_PnpBootDeviceWait@16 ;	PnpBootDeviceWait(x,x,x,x)
		mov	eax, [edi+84h]
		mov	_PnPBootDriversInitialized, 1
		test	dword ptr [eax+54h], 400h
		jnz	loc_AE0E6F

loc_AB4199:				; CODE XREF: IopInitializeBootDrivers+2D190j
		mov	ecx, edi
		call	PipWaitCriticalDevices
		test	eax, eax
		js	loc_AE0E68
		call	PiCreateDriverDataDirectoryRoot
		test	eax, eax
		js	loc_AE0E68
		xor	eax, eax
		lea	edx, [ebp+var_B4]
		mov	word ptr [ebp+var_88], ax
		call	_PipHardwareConfigGetIndex@8 ; PipHardwareConfigGetIndex(x,x)
		mov	ebx, eax
		mov	[ebp+var_94], ebx
		test	ebx, ebx
		js	short loc_AB4200
		push	dword ptr [ebp+var_B4] ; char
		lea	eax, [ebp+var_88]
		push	offset ??_C@_15KNBIKKIN@?$AA?$CF?$AAd@PBOPGDP@ ; wchar_t *
		push	800h		; int
		push	esi		; int
		push	esi		; int
		push	40h		; int
		push	eax		; void *
		call	RtlStringCchPrintfExW
		add	esp, 1Ch
		mov	[ebp+var_94], eax
		mov	ebx, eax

loc_AB4200:				; CODE XREF: IopInitializeBootDrivers+4D9j
		cmp	_IopGroupIndex,	0
		mov	ecx, esi
		mov	[ebp+var_9C], ecx
		jbe	short loc_AB4245
		mov	edx, esi
		mov	[ebp+var_A4], edx

loc_AB4219:				; CODE XREF: IopInitializeBootDrivers+547j
					; IopInitializeBootDrivers+781j
		mov	eax, _IopGroupTable
		lea	eax, [eax+edx*8]
		mov	esi, [eax]
		cmp	esi, eax
		jnz	loc_AB4421
		inc	ecx
		movzx	edx, cx
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_A4], edx
		cmp	edx, _IopGroupIndex
		jb	short loc_AB4219
		xor	esi, esi

loc_AB4245:				; CODE XREF: IopInitializeBootDrivers+515j
		push	esi
		push	_IopGroupTable
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		xor	edx, edx
		mov	ecx, offset _KMPnPEvt_BootStart_Stop
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		xor	eax, eax
		inc	eax

loc_AB4261:				; CODE XREF: IopInitializeBootDrivers+2D170j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AB4270:				; CODE XREF: IopInitializeBootDrivers+3B1j
					; IopInitializeBootDrivers+70Fj
		mov	eax, [esi+10h]
		lea	edx, [ebp+var_C4]
		mov	[ebp+var_8C], eax
		mov	eax, [esi+0Ch]
		mov	[ebp+var_D4], eax
		mov	eax, [eax+18h]
		mov	byte ptr [esi+1Bh], 1
		mov	ecx, [ebp+var_8C]
		mov	[ebp+var_D0], eax
		call	IopGetDriverNameFromKeyNode
		test	eax, eax
		js	loc_AE0E2D
		mov	ecx, [ebp+var_8C]
		lea	eax, [ebp+var_98]
		push	eax
		push	0
		mov	edx, offset ??_C@_1M@LHGLMLD@?$AAG?$AAr?$AAo?$AAu?$AAp@PBOPGDP@	; "Group"
		call	IopGetRegistryValue
		test	eax, eax
		js	loc_AB441A
		mov	ecx, [ebp+var_98]
		cmp	dword ptr [ecx+0Ch], 0
		jz	loc_AE0E36
		mov	ax, [ecx+0Ch]
		xor	edx, edx
		mov	word ptr [ebp+var_CC], ax
		inc	edx
		mov	word ptr [ebp+var_CC+2], ax
		mov	eax, [ecx+8]
		add	eax, ecx
		lea	ecx, [ebp+var_CC]
		mov	[ebp+var_C8], eax
		call	_PipLookupGroupName@8 ;	PipLookupGroupName(x,x)
		mov	ecx, [ebp+var_98]
		mov	ebx, eax

loc_AB430C:				; CODE XREF: IopInitializeBootDrivers+2D13Ej
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AB4314:				; CODE XREF: IopInitializeBootDrivers+722j
		mov	ecx, [ebp+var_8C]
		and	[ebp+var_94], 0
		call	PipCheckDependencies
		test	eax, eax
		jz	loc_AB4497
		mov	eax, [esi+8]
		mov	[ebp+var_94], eax
		mov	[ebp+var_A0], eax
		test	eax, eax
		jnz	short loc_AB43A0
		cmp	[esi+1Ah], al
		jnz	short loc_AB4398
		mov	edx, [ebp+var_D4]
		lea	eax, [ebp+var_A0]
		push	eax
		push	ecx
		push	1
		push	0
		lea	eax, [edi+10h]
		add	edx, 10h
		push	eax
		mov	eax, [ebp+var_D0]
		lea	ecx, [ebp+var_C4]
		push	eax
		push	dword ptr [eax+1Ch]
		call	PnpInitializeBootStartDriver
		mov	[esi+14h], eax
		mov	eax, [ebp+var_A0]
		mov	[ebp+var_94], eax
		test	eax, eax
		jz	loc_AB4497
		mov	ecx, eax
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, [ebp+var_94]

loc_AB4398:				; CODE XREF: IopInitializeBootDrivers+64Aj
		test	eax, eax
		jz	loc_AB4497

loc_AB43A0:				; CODE XREF: IopInitializeBootDrivers+645j
		test	ebx, ebx
		jz	short loc_AB43A7
		inc	dword ptr [ebx+10h]

loc_AB43A7:				; CODE XREF: IopInitializeBootDrivers+6A8j
		mov	[esi+8], eax

loc_AB43AA:				; CODE XREF: IopInitializeBootDrivers+7A1j
		push	0
		push	[ebp+var_C0]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_94]

loc_AB43BD:				; CODE XREF: IopInitializeBootDrivers+2D137j
		cmp	byte ptr [esi+1Ah], 0
		jnz	short loc_AB43EA
		call	PnpLockDeviceActionQueue
		mov	ecx, ebx
		call	_PipAddDevicesToBootDriver@4 ; PipAddDevicesToBootDriver(x)
		call	PnpUnlockDeviceActionQueue
		call	_PnpWaitForEmptyDeviceActionQueue@0 ; PnpWaitForEmptyDeviceActionQueue()
		xor	eax, eax
		xor	ecx, ecx
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	7
		pop	edx
		call	PnpRequestDeviceAction

loc_AB43EA:				; CODE XREF: IopInitializeBootDrivers+6C7j
		call	_PnpWaitForBootDevicesDeleted@0	; PnpWaitForBootDevicesDeleted()
		test	eax, eax
		jz	loc_AE0E3D
		mov	eax, _IopGroupTable
		mov	ecx, [ebp+var_9C]
		mov	esi, [esi]
		lea	eax, [eax+ecx*8]
		cmp	esi, eax
		jnz	loc_AB4270
		mov	edx, [ebp+var_90]
		jmp	loc_AB40B1
; 

loc_AB441A:				; CODE XREF: IopInitializeBootDrivers+5C9j
		xor	ebx, ebx
		jmp	loc_AB4314
; 

loc_AB4421:				; CODE XREF: IopInitializeBootDrivers+52Bj
		cmp	[esi+4], eax
		jnz	loc_AB44D4
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	loc_AB44D4
		mov	[eax], ecx
		mov	[ecx+4], eax
		mov	edi, [esi+8]
		test	ebx, ebx
		js	short loc_AB444E
		cmp	byte ptr [esi+1Ah], 0
		jnz	short loc_AB444E
		xor	ecx, ecx
		cmp	[edi+4], ecx
		jz	short loc_AB4480

loc_AB444E:				; CODE XREF: IopInitializeBootDrivers+745j
					; IopInitializeBootDrivers+74Bj ...
		test	edi, edi
		jz	short loc_AB4459
		mov	ecx, edi
		call	ObfDereferenceObject

loc_AB4459:				; CODE XREF: IopInitializeBootDrivers+756j
		cmp	byte ptr [esi+1Ah], 0
		jnz	short loc_AB44C5

loc_AB445F:				; CODE XREF: IopInitializeBootDrivers+7D8j
		push	dword ptr [esi+10h]
		call	_ZwClose@4	; ZwClose(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_9C]
		mov	edx, [ebp+var_A4]
		jmp	loc_AB4219
; 

loc_AB4480:				; CODE XREF: IopInitializeBootDrivers+752j
		mov	eax, [edi+18h]
		cmp	[eax+4], ecx
		jz	short loc_AB444E
		mov	eax, [edi+8]
		test	eax, 400h
		jnz	short loc_AB444E
		jmp	loc_AE0E8F
; 

loc_AB4497:				; CODE XREF: IopInitializeBootDrivers+62Ej
					; IopInitializeBootDrivers+68Bj ...
		mov	byte ptr [esi+1Ah], 1
		jmp	loc_AB43AA
; 

loc_AB44A0:				; CODE XREF: IopInitializeBootDrivers+3BEj
		xor	edx, edx
		xor	ecx, ecx
		call	IopAllocateLegacyBootResources
		mov	edx, [ebp+var_90]
		mov	_IopAllocateBootResourcesRoutine, offset _IopAllocateBootResources@12 ;	IopAllocateBootResources(x,x,x)
		mov	_IopBootConfigsReserved, 1
		jmp	loc_AB40BE
; 

loc_AB44C5:				; CODE XREF: IopInitializeBootDrivers+763j
		mov	eax, [esi+0Ch]
		mov	eax, [eax+18h]
		or	dword ptr [eax+34h], 20000h
		jmp	short loc_AB445F
; 

loc_AB44D4:				; CODE XREF: IopInitializeBootDrivers+72Aj
					; IopInitializeBootDrivers+735j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
IopInitializeBootDrivers endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpInitializeBootStartDriver proc near	; CODE XREF: IopInitializeBootDrivers+1ABp
					; IopInitializeBootDrivers+675p ...

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_18		= dword	ptr  20h

; FUNCTION CHUNK AT 00AE0FF1 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		xor	ebx, ebx
		mov	[ebp+var_C], edx
		lea	eax, [ebp+var_4C]
		mov	edi, ecx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	esi, [ebp+arg_4]
		add	esp, 0Ch
		mov	[ebp+var_8], ebx
		cmp	[ebp+arg_10], ebx
		jz	short loc_AB4581
		test	esi, esi
		jz	loc_AE0FF1
		mov	eax, [esi+24h]
		mov	ecx, [ebp+var_C]
		mov	[ebp+var_44], eax
		mov	eax, [esi+28h]
		mov	[ebp+var_40], eax
		mov	eax, [esi+84h]
		and	eax, 1
		mov	[ebp+var_48], eax
		mov	eax, [esi+74h]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+7Ch]
		mov	[ebp+var_14], eax
		mov	eax, [esi+6Ch]
		mov	[ebp+var_24], eax
		mov	eax, [esi+78h]
		mov	[ebp+var_18], eax
		mov	eax, [esi+80h]
		mov	[ebp+var_10], eax
		mov	eax, [esi+70h]
		mov	[ebp+var_20], eax
		mov	eax, [ecx]
		mov	[ebp+var_3C], eax
		mov	eax, [ecx+4]
		mov	[ebp+var_38], eax
		mov	eax, [esi+64h]
		mov	[ebp+var_2C], eax
		mov	eax, [esi+68h]
		mov	[ebp+var_28], eax
		mov	eax, [esi+5Ch]
		mov	[ebp+var_34], eax
		mov	eax, [esi+60h]
		mov	[ebp+var_30], eax

loc_AB4573:				; CODE XREF: PnpInitializeBootStartDriver+2CB22j
		lea	edx, [ebp+var_8]
		lea	ecx, [ebp+var_4C]
		call	_PnpNotifyEarlyLaunchImageLoad@8 ; PnpNotifyEarlyLaunchImageLoad(x,x)
		mov	ebx, [ebp+var_8]

loc_AB4581:				; CODE XREF: PnpInitializeBootStartDriver+2Aj
		mov	dl, 1
		mov	ecx, ebx
		call	PnpDoPolicyCheck
		test	al, al
		jz	loc_AE1001

loc_AB4592:				; CODE XREF: PnpInitializeBootStartDriver+2CB2Bj
		call	_VfDriverInitStarting@0	; VfDriverInitStarting()
		mov	edx, edi
		mov	ecx, offset _KMPnPEvt_BootInit_Start
		mov	ebx, eax
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		push	[ebp+arg_18]
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		push	[ebp+arg_C]
		push	esi
		push	[ebp+arg_0]
		call	_IopInitializeBuiltinDriver@24 ; IopInitializeBuiltinDriver(x,x,x,x,x,x)
		mov	esi, eax
		mov	edx, edi
		push	esi
		mov	ecx, offset _KMPnPEvt_BootInit_Stop
		call	_PnpDiagnosticTraceObjectWithStatus@12 ; PnpDiagnosticTraceObjectWithStatus(x,x,x)
		test	esi, esi
		js	short loc_AB45D6
		mov	edx, [ebp+arg_8]
		mov	ecx, ebx
		call	_VfDriverInitSuccess@8 ; VfDriverInitSuccess(x,x)

loc_AB45D6:				; CODE XREF: PnpInitializeBootStartDriver+F0j
					; PnpInitializeBootStartDriver+2CB36j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	1Ch
PnpInitializeBootStartDriver endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopInitializeBuiltinDriver(x, x, x,	x, x, x)
_IopInitializeBuiltinDriver@24 proc near ; CODE	XREF: PnpInitializeBootStartDriver+DAp

var_38		= dword	ptr -38h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= byte ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= byte ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_C], edx
		push	6
		xor	eax, eax
		mov	dword ptr [ebp+var_4], ebx
		pop	ecx
		xor	edx, edx
		lea	edi, [ebp+var_38]
		rep stosd
		mov	eax, [ebp+arg_C]
		xor	ecx, ecx
		mov	[ebp+var_10], edx
		inc	ecx
		mov	[ebp+var_14], edx
		mov	[ebp+var_8], edx
		mov	[eax], edx
		mov	[ebp+var_18], edx
		mov	edx, ebx
		call	HeadlessKernelAddLogEntry
		lea	eax, [ebp+var_14]
		mov	ecx, ebx
		push	eax
		lea	edx, [ebp+var_38]
		call	_IopInitializeAttributesAndCreateObject@12 ; IopInitializeAttributesAndCreateObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_AB463F
		push	3
		xor	edx, edx
		pop	ecx
		call	HeadlessKernelAddLogEntry
		mov	eax, esi
		jmp	loc_AB4956
; 

loc_AB463F:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+4Cj
		mov	esi, [ebp+var_14]
		xor	ebx, ebx
		push	0D0h		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+0A8h]
		mov	[esi+18h], eax
		lea	edi, [esi+38h]
		mov	[eax], esi
		mov	eax, offset _IopInvalidDeviceRequest@8 ; IopInvalidDeviceRequest(x,x)
		push	1Ch
		pop	ecx
		push	4
		rep stosd
		pop	eax
		mov	[esi], ax
		mov	eax, 0A8h
		mov	[esi+2], ax
		mov	eax, [ebp+arg_0]
		mov	[esi+2Ch], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		push	ebx
		push	1
		push	ebx
		push	esi
		call	_ObInsertObject@24 ; ObInsertObject(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_AB46A4
		push	3
		xor	edx, edx
		pop	ecx
		call	HeadlessKernelAddLogEntry
		jmp	loc_AB4954
; 

loc_AB46A4:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+B3j
		push	ebx
		lea	eax, [ebp+arg_0]
		push	eax
		push	ebx
		push	ds:_IoDriverObjectType
		push	ebx
		push	[ebp+var_10]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	edi, _PsLoadedModuleList
		mov	ebx, [ebp+arg_4]
		jmp	short loc_AB46DD
; 

loc_AB46C4:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+103j
		test	ebx, ebx
		jz	short loc_AB46EA
		push	1
		lea	eax, [edi+2Ch]
		push	eax
		lea	eax, [ebx+2Ch]
		push	eax
		call	_RtlEqualString@12 ; RtlEqualString(x,x,x)
		test	al, al
		jnz	short loc_AB46E7
		mov	edi, [edi]

loc_AB46DD:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+E2j
		cmp	edi, offset _PsLoadedModuleList
		jnz	short loc_AB46C4
		jmp	short loc_AB46EA
; 

loc_AB46E7:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+F9j
		mov	[esi+14h], edi

loc_AB46EA:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+E6j
					; IopInitializeBuiltinDriver(x,x,x,x,x,x)+105j
		call	_InbvIndicateProgress@0	; InbvIndicateProgress()
		test	ebx, ebx
		jz	short loc_AB4715
		mov	edi, [ebx+18h]
		push	edi
		mov	[ebp+arg_4], edi
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	[esi+0Ch], edi
		mov	ecx, [eax+50h]
		mov	[esi+10h], ecx
		mov	ecx, 2000h
		test	[eax+5Eh], cx
		jnz	short loc_AB471D
		jmp	short loc_AB4719
; 

loc_AB4715:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+111j
		and	[ebp+arg_4], 0

loc_AB4719:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+133j
		or	dword ptr [esi+8], 2

loc_AB471D:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+131j
		mov	edi, dword ptr [ebp+var_4]
		mov	ecx, 200h
		movzx	edx, word ptr [edi+2]
		add	edx, 2
		call	IopVerifierExAllocatePool
		mov	[ebp+arg_0], eax
		test	eax, eax
		jz	short loc_AB476B
		mov	[esi+20h], eax
		mov	cx, [edi+2]
		mov	[esi+1Eh], cx
		mov	cx, [edi]
		mov	[esi+1Ch], cx
		movzx	eax, word ptr [edi+2]
		push	eax		; size_t
		push	dword ptr [edi+4] ; void *
		push	dword ptr [esi+20h] ; void *
		call	_memcpy
		movzx	eax, word ptr [edi]
		add	esp, 0Ch
		mov	ecx, [ebp+arg_0]
		shr	eax, 1
		xor	edx, edx
		mov	[ecx+eax*2], dx

loc_AB476B:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+156j
		mov	ecx, [ebp+var_C]
		mov	eax, [esi+18h]
		mov	[ebp+var_14], eax
		test	ecx, ecx
		jz	loc_AB4876
		movzx	edx, word ptr [ecx]
		test	dx, dx
		jz	loc_AB4876
		mov	ecx, [ecx+4]
		mov	eax, edx
		shr	eax, 1
		push	5Ch
		pop	edx
		lea	edi, [ecx-2]
		lea	edi, [edi+eax*2]
		cmp	[edi], dx
		jnz	short loc_AB47A3
		lea	edi, [ecx-4]
		lea	edi, [edi+eax*2]

loc_AB47A3:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+1BBj
		xor	eax, eax
		jmp	short loc_AB47B2
; 

loc_AB47A7:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+1D7j
		cmp	[edi], dx
		jz	short loc_AB47BB
		add	eax, 2
		sub	edi, 2

loc_AB47B2:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+1C5j
		mov	[ebp+arg_0], eax
		cmp	edi, ecx
		jnz	short loc_AB47A7
		jmp	short loc_AB47BE
; 

loc_AB47BB:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+1CAj
		add	edi, 2

loc_AB47BE:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+1D9j
		cmp	edi, ecx
		jnz	short loc_AB47C8
		add	eax, 2
		mov	[ebp+arg_0], eax

loc_AB47C8:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+1E0j
		movzx	eax, ax
		mov	ecx, 200h
		mov	[ebp+var_1C], eax
		lea	edx, [eax+2]
		call	IopVerifierExAllocatePool
		mov	edx, [ebp+var_14]
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		lea	eax, [edx+0Ch]
		mov	[ebp+var_14], eax
		test	ecx, ecx
		jz	short loc_AB4863
		mov	eax, [ebp+arg_0]
		push	[ebp+var_1C]	; size_t
		mov	[edx+10h], ecx
		push	edi		; void *
		mov	edi, [ebp+var_20]
		lea	ecx, [eax+2]
		push	edi		; void *
		mov	[edx+0Eh], cx
		mov	[edx+0Ch], ax
		call	_memcpy
		mov	eax, [ebp+var_14]
		add	esp, 0Ch
		xor	ecx, ecx
		xor	edx, edx
		movzx	eax, word ptr [eax]
		shr	eax, 1
		push	0F003Fh
		push	[ebp+var_C]
		mov	[edi+eax*2], cx
		lea	ecx, [ebp+var_8]
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AB4904
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_18]
		mov	ecx, [ebp+var_14]
		push	eax
		movzx	eax, [ebp+arg_8]
		push	eax
		push	[ebp+arg_4]
		call	PnpPrepareDriverLoading
		push	[ebp+var_8]
		mov	edi, eax
		call	NtClose
		test	edi, edi
		js	loc_AB4904
		jmp	short loc_AB487F
; 

loc_AB4863:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+20Bj
		and	dword ptr [edx+10h], 0
		mov	edi, 0C000009Ah
		xor	ecx, ecx
		mov	[eax], cx
		jmp	loc_AB4904
; 

loc_AB4876:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+196j
					; IopInitializeBuiltinDriver(x,x,x,x,x,x)+1A2j
		and	dword ptr [eax+10h], 0
		xor	ecx, ecx
		mov	[eax+0Ch], ecx

loc_AB487F:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+281j
		test	byte ptr [ebp+var_18], 1
		jz	short loc_AB488C
		or	dword ptr [esi+8], 100h

loc_AB488C:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+2A3j
		mov	ecx, esi
		mov	dword ptr [esi+24h], offset _CmRegistryMachineHardwareDescriptionSystemName
		call	VfDifCaptureDriverEntry
		mov	ecx, ebx
		call	_KseDriverLoadImage@4 ;	KseDriverLoadImage(x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_AB48B3
		mov	ebx, dword ptr [ebp+var_4]
		push	edi
		push	ebx
		push	offset ??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@
		jmp	short loc_AB48F8
; 

loc_AB48B3:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+2C5j
		push	[ebp+var_C]
		push	esi
		call	dword ptr [esi+2Ch]
		mov	edi, eax
		test	edi, edi
		js	short loc_AB48DA
		mov	ecx, esi
		call	_VfDifCaptureIoCallbacks@4 ; VfDifCaptureIoCallbacks(x)
		lea	eax, [ebx+24h]
		mov	ecx, esi
		neg	ebx
		sbb	ebx, ebx
		and	ebx, eax
		push	ebx
		call	KseShimDriverIoCallbacks
		jmp	short loc_AB4904
; 

loc_AB48DA:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+2DEj
		mov	ebx, dword ptr [ebp+var_4]
		mov	eax, 0C000025Eh
		cmp	edi, eax
		jz	short loc_AB48F1
		push	edi
		push	ebx
		push	offset ??_C@_0EG@KAJKABNN@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5fai@PBOPGDP@
		push	0
		jmp	short loc_AB48FA
; 

loc_AB48F1:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+304j
		push	eax
		push	ebx		; char
		push	offset ??_C@_0EG@KAJKABNN@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5fai@PBOPGDP@ ; char *

loc_AB48F8:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+2D1j
		push	3		; int

loc_AB48FA:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+30Fj
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 14h

loc_AB4904:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+252j
					; IopInitializeBuiltinDriver(x,x,x,x,x,x)+27Bj	...
		push	[ebp+var_10]
		call	NtClose
		test	edi, edi
		js	short loc_AB4928
		mov	ecx, esi
		call	_IopReadyDeviceObjects@4 ; IopReadyDeviceObjects(x)
		push	2
		xor	edx, edx
		pop	ecx
		call	HeadlessKernelAddLogEntry
		mov	eax, [ebp+arg_C]
		mov	[eax], esi
		jmp	short loc_AB4954
; 

loc_AB4928:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+32Ej
		cmp	edi, 0C000025Eh
		jz	short loc_AB493D
		mov	edx, [esi+18h]
		xor	ecx, ecx
		add	edx, 0Ch
		call	PnpDriverLoadingFailed

loc_AB493D:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+34Ej
		push	3
		xor	edx, edx
		pop	ecx
		call	HeadlessKernelAddLogEntry
		push	esi
		call	_ObMakeTemporaryObject@4 ; ObMakeTemporaryObject(x)
		mov	ecx, esi
		call	ObfDereferenceObject

loc_AB4954:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+BFj
					; IopInitializeBuiltinDriver(x,x,x,x,x,x)+346j
		mov	eax, edi

loc_AB4956:				; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+5Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
_IopInitializeBuiltinDriver@24 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall InbvIndicateProgress()
_InbvIndicateProgress@0	proc near	; CODE XREF: IopInitializeSystemDrivers:loc_AB3AE1p
					; IopInitializeBuiltinDriver(x,x,x,x,x,x):loc_AB46EAp
		mov	eax, dword_6D4D4C
		test	eax, eax
		jz	short locret_AB4970
		mov	eax, [eax+3Ch]
		test	eax, eax
		jz	short locret_AB4970
		jmp	eax
; 

locret_AB4970:				; CODE XREF: InbvIndicateProgress()+7j
					; InbvIndicateProgress()+Ej
		retn
_InbvIndicateProgress@0	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopInitializeAttributesAndCreateObject(x, x, x)
_IopInitializeAttributesAndCreateObject@12 proc	near
					; CODE XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+43p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:124h
		push	esi
		push	[ebp+arg_0]
		xor	esi, esi
		mov	dword ptr [edx], 18h
		push	esi
		push	esi
		push	0D0h
		push	esi
		push	esi
		mov	[edx+4], esi
		mov	dword ptr [edx+0Ch], 50h
		mov	[edx+8], ecx
		mov	[edx+10h], esi
		mov	[edx+14h], esi
		mov	al, [eax+15Ah]
		push	edx
		push	ds:_IoDriverObjectType
		mov	byte ptr [ebp+var_4], al
		push	[ebp+var_4]
		call	_ObCreateObject@36 ; ObCreateObject(x,x,x,x,x,x,x,x,x)
		pop	esi
		leave
		retn	4
_IopInitializeAttributesAndCreateObject@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpDoPolicyCheck proc near		; CODE XREF: PnpInitializeBootStartDriver+ABp
					; PipInitializeDriverDependentDLLs(x,x)+FBp

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00AE1015 SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_1], dl
		mov	edx, ds:_PnpDriverImageLoadPolicy
		push	esi
		mov	esi, ecx
		cmp	ds:_PnpBootDriverCallbackObject, ebx
		jz	short loc_AB4A04
		mov	eax, esi
		sub	eax, ebx
		jz	short loc_AB4A08
		sub	eax, 1
		jnz	loc_AE1015

loc_AB49F0:				; CODE XREF: PnpDoPolicyCheck:loc_AB4A0Bj
		mov	bl, 1

loc_AB49F2:				; CODE XREF: PnpDoPolicyCheck+49j
					; PnpDoPolicyCheck+2C659j ...
		movzx	ecx, bl
		push	ecx
		push	edx
		mov	edx, esi
		call	_PnpDiagnosticTraceElamDecision@16 ; PnpDiagnosticTraceElamDecision(x,x,x,x)

loc_AB49FE:				; CODE XREF: PnpDoPolicyCheck+42j
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_AB4A04:				; CODE XREF: PnpDoPolicyCheck+1Bj
		mov	bl, 1
		jmp	short loc_AB49FE
; 

loc_AB4A08:				; CODE XREF: PnpDoPolicyCheck+21j
		test	dl, 1

loc_AB4A0B:				; CODE XREF: PnpDoPolicyCheck+2C670j
		jnz	short loc_AB49F0
		jmp	short loc_AB49F2
PnpDoPolicyCheck endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpNotifyEarlyLaunchImageLoad(x, x)
_PnpNotifyEarlyLaunchImageLoad@8 proc near ; CODE XREF:	PnpInitializeBootStartDriver+9Fp
					; PipInitializeDriverDependentDLLs(x,x)+F0p

var_50		= dword	ptr -50h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		lea	eax, [ebp+var_50]
		push	esi
		push	edi
		push	40h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, edx
		mov	edi, ecx
		call	_memset
		mov	ecx, ds:_PnpBootDriverCallbackObject
		add	esp, 0Ch
		test	ecx, ecx
		jz	short loc_AB4A5C
		lea	eax, [ebp+var_10]
		mov	[ebp+var_10], offset _PnpEarlyLaunchImageNotificationPreProcess@20 ; PnpEarlyLaunchImageNotificationPreProcess(x,x,x,x,x)
		push	eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_C], offset _PnpEarlyLaunchImageNotificationPostProcess@20 ; PnpEarlyLaunchImageNotificationPostProcess(x,x,x,x,x)
		xor	edx, edx
		mov	[ebp+var_8], esi
		push	eax
		inc	edx
		mov	[ebp+var_4], edi
		call	ExNotifyWithProcessing

loc_AB4A5C:				; CODE XREF: PnpNotifyEarlyLaunchImageLoad(x,x)+26j
		pop	edi
		pop	esi
		leave
		retn
_PnpNotifyEarlyLaunchImageLoad@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpInitGetGroupOrderIndex proc near	; CODE XREF: PipCallDriverAddDeviceQueryRoutine+243p
					; IopInitializeBootDrivers+1C6p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE1039 SIZE 00000016 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	[ebp+var_4], ebx
		cmp	_PiInitGroupOrderTable,	ebx
		jz	loc_AE1039
		test	ecx, ecx
		jz	loc_AB4B26
		lea	eax, [ebp+var_4]
		mov	edx, offset ??_C@_1M@LHGLMLD@?$AAG?$AAr?$AAo?$AAu?$AAp@PBOPGDP@	; "Group"
		push	eax
		push	ebx
		call	IopGetRegistryValue
		test	eax, eax
		js	loc_AB4B1E
		mov	esi, [ebp+var_4]
		cmp	dword ptr [esi+4], 1
		jnz	loc_AE1043
		mov	edx, [esi+0Ch]
		test	edx, edx
		jz	loc_AE1043
		push	ecx
		mov	ecx, [esi+8]
		lea	eax, [ebp+var_4]
		push	eax
		add	ecx, esi
		mov	[ebp+var_4], ebx
		call	_PnpRegSzToString@16 ; PnpRegSzToString(x,x,x,x)
		mov	ax, word ptr [ebp+var_4]
		mov	edi, ebx
		mov	bx, _PiInitGroupOrderTableCount
		mov	word ptr [ebp+var_8], ax
		mov	ax, [esi+0Ch]
		mov	word ptr [ebp+var_8+2],	ax
		mov	eax, [esi+8]
		add	eax, esi
		mov	[ebp+var_4], eax
		xor	eax, eax
		cmp	ax, bx
		jnb	short loc_AB4B0E

loc_AB4AED:				; CODE XREF: PpInitGetGroupOrderIndex+ACj
		mov	eax, _PiInitGroupOrderTable
		movzx	ecx, di
		push	1
		lea	eax, [eax+ecx*8]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_AB4B0E
		inc	edi
		cmp	di, bx
		jb	short loc_AB4AED

loc_AB4B0E:				; CODE XREF: PpInitGetGroupOrderIndex+8Bj
					; PpInitGetGroupOrderIndex+A6j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ax, di

loc_AB4B19:				; CODE XREF: PpInitGetGroupOrderIndex+C4j
					; PpInitGetGroupOrderIndex+CEj	...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB4B1E:				; CODE XREF: PpInitGetGroupOrderIndex+35j
					; PpInitGetGroupOrderIndex+2C5EAj
		mov	ax, _PiInitGroupOrderTableCount
		jmp	short loc_AB4B19
; 

loc_AB4B26:				; CODE XREF: PpInitGetGroupOrderIndex+1Ej
		mov	ax, _PiInitGroupOrderTableCount
		inc	ax
		jmp	short loc_AB4B19
PpInitGetGroupOrderIndex endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipCheckDependencies proc near		; CODE XREF: IopInitializeSystemDrivers+126p
					; IopInitializeBootDrivers+627p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE104F SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	edx, edx
		lea	eax, [ebp+var_4]
		push	edi
		push	eax
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		push	edx
		mov	edx, (offset loc_ADDCC6+4)
		call	IopGetRegistryValue
		test	eax, eax
		jns	loc_AE104F
		xor	eax, eax
		inc	eax

loc_AB4B60:				; CODE XREF: PipCheckDependencies+2C576j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PipCheckDependencies endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PipInsertDriverList(x, x)
_PipInsertDriverList@8 proc near	; CODE XREF: IopInitializeBootDrivers+35Ep
		mov	eax, [ecx]
		cmp	eax, ecx
		jnz	short loc_AB4B81

loc_AB4B6C:				; CODE XREF: PipInsertDriverList(x,x)+2Dj
		mov	eax, [eax+4]
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_AB4B95
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	[ecx+4], edx
		mov	[eax], edx
		retn
; 

loc_AB4B81:				; CODE XREF: PipInsertDriverList(x,x)+4j
		push	esi
		movzx	esi, word ptr [edx+18h]

loc_AB4B86:				; CODE XREF: PipInsertDriverList(x,x)+2Aj
		cmp	[eax+18h], si
		ja	short loc_AB4B92
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	short loc_AB4B86

loc_AB4B92:				; CODE XREF: PipInsertDriverList(x,x)+24j
		pop	esi
		jmp	short loc_AB4B6C
; 

loc_AB4B95:				; CODE XREF: PipInsertDriverList(x,x)+Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_PipInsertDriverList@8 endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipLookupGroupName(x, x)
_PipLookupGroupName@8 proc near		; CODE XREF: IopInitializeSystemDrivers+113p
					; IopInitializeBootDrivers+605p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, _IopGroupListHead
		mov	eax, edx
		mov	[ebp+var_4], eax
		mov	ebx, ecx
		push	edi
		test	esi, esi
		jz	loc_AB4C42
		movzx	edx, word ptr [ebx]

loc_AB4BBB:				; CODE XREF: PipLookupGroupName(x,x)+32j
		movzx	ecx, word ptr [esi+14h]
		cmp	dx, cx
		jnb	short loc_AB4BCE
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_AB4C2B

loc_AB4BCA:				; CODE XREF: PipLookupGroupName(x,x)+3Bj
		mov	esi, ecx
		jmp	short loc_AB4BBB
; 

loc_AB4BCE:				; CODE XREF: PipLookupGroupName(x,x)+28j
		jbe	short loc_AB4BE7
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_AB4BCA
		test	eax, eax
		jz	short loc_AB4C52
		mov	ecx, ebx
		call	_PipCreateEntry@4 ; PipCreateEntry(x)
		mov	[esi+4], eax
		jmp	short loc_AB4C14
; 

loc_AB4BE7:				; CODE XREF: PipLookupGroupName(x,x):loc_AB4BCEj
		push	1
		lea	eax, [esi+14h]
		push	eax
		push	ebx
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_AB4C12
		mov	edi, [esi+8]

loc_AB4BFA:				; CODE XREF: PipLookupGroupName(x,x)+A6j
		test	edi, edi
		jz	short loc_AB4C19
		push	1
		lea	eax, [edi+14h]
		push	eax
		push	ebx
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_AB4C3A
		mov	eax, edi
		jmp	short loc_AB4C14
; 

loc_AB4C12:				; CODE XREF: PipLookupGroupName(x,x)+5Bj
		mov	eax, esi

loc_AB4C14:				; CODE XREF: PipLookupGroupName(x,x)+4Bj
					; PipLookupGroupName(x,x)+76j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB4C19:				; CODE XREF: PipLookupGroupName(x,x)+62j
		cmp	[ebp+var_4], 0
		jz	short loc_AB4C52
		mov	ecx, ebx
		call	_PipCreateEntry@4 ; PipCreateEntry(x)
		mov	[esi+8], eax
		jmp	short loc_AB4C14
; 

loc_AB4C2B:				; CODE XREF: PipLookupGroupName(x,x)+2Ej
		test	eax, eax
		jz	short loc_AB4C52
		mov	ecx, ebx
		call	_PipCreateEntry@4 ; PipCreateEntry(x)
		mov	[esi], eax
		jmp	short loc_AB4C14
; 

loc_AB4C3A:				; CODE XREF: PipLookupGroupName(x,x)+72j
		mov	esi, [esi+8]
		mov	edi, [edi+8]
		jmp	short loc_AB4BFA
; 

loc_AB4C42:				; CODE XREF: PipLookupGroupName(x,x)+18j
		test	eax, eax
		jz	short loc_AB4C52
		call	_PipCreateEntry@4 ; PipCreateEntry(x)
		mov	_IopGroupListHead, eax
		jmp	short loc_AB4C14
; 

loc_AB4C52:				; CODE XREF: PipLookupGroupName(x,x)+3Fj
					; PipLookupGroupName(x,x)+83j ...
		xor	eax, eax
		jmp	short loc_AB4C14
_PipLookupGroupName@8 endp


;  S U B	R O U T	I N E 


; __stdcall PipCreateEntry(x)
_PipCreateEntry@4 proc near		; CODE XREF: PipLookupGroupName(x,x)+43p
					; PipLookupGroupName(x,x)+87p ...
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	6E697050h
		movzx	eax, word ptr [ebx]
		add	eax, 1Ch
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		xor	eax, eax
		test	esi, esi
		jz	short loc_AB4CA6
		push	edi
		push	7
		pop	ecx
		mov	edi, esi
		rep stosd
		mov	ax, [ebx]
		lea	ecx, [esi+1Ch]
		mov	[esi+14h], ax
		mov	ax, [ebx]
		mov	[esi+16h], ax
		mov	[esi+18h], ecx
		movzx	eax, word ptr [ebx]
		push	eax		; size_t
		push	dword ptr [ebx+4] ; void *
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	eax, esi
		pop	edi

loc_AB4CA6:				; CODE XREF: PipCreateEntry(x)+1Fj
		pop	esi
		pop	ebx
		retn
_PipCreateEntry@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipInitializeDriverDependentDLLs(x,	x)
_PipInitializeDriverDependentDLLs@8 proc near ;	CODE XREF: IopInitializeBootDrivers+229p
					; PipInitializeCoreDriversAndElam(x)+9p ...

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= word ptr -40h
var_3E		= word ptr -3Eh
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		lea	eax, [ebp+var_50]
		mov	[ebp+var_C], ecx
		push	0		; int
		push	eax		; void *
		mov	ebx, edx
		call	_memset
		and	[ebp+var_8], 0
		add	esp, 0Ch
		mov	edx, [ebp+var_C]
		cmp	edx, 1
		setnz	[ebp+var_1]
		add	ebx, 10h
		mov	edi, [ebx]

loc_AB4CDD:				; CODE XREF: PipInitializeDriverDependentDLLs(x,x)+4Bj
		cmp	edi, ebx
		jz	loc_AB4DE9
		mov	esi, edi
		mov	edi, [edi]
		test	dword ptr [esi+34h], 4000000h
		jnz	short loc_AB4CF7

loc_AB4CF2:				; CODE XREF: PipInitializeDriverDependentDLLs(x,x)+6Dj
					; PipInitializeDriverDependentDLLs(x,x)+102j ...
		mov	edx, [ebp+var_C]
		jmp	short loc_AB4CDD
; 

loc_AB4CF7:				; CODE XREF: PipInitializeDriverDependentDLLs(x,x)+46j
		mov	eax, [esi+88h]
		mov	ecx, edx
		sub	ecx, 0
		jz	loc_AB4DD6
		sub	ecx, 1
		jnz	loc_AB4DC0
		shr	eax, 1
		and	al, 1

loc_AB4D15:				; CODE XREF: PipInitializeDriverDependentDLLs(x,x)+127j
					; PipInitializeDriverDependentDLLs(x,x)+136j
		test	al, al
		jz	short loc_AB4CF2
		test	edx, edx
		jz	loc_AB4DE5
		and	[ebp+var_8], 0
		lea	edx, [ebp+var_8]
		and	[ebp+var_50], 0
		lea	ecx, [ebp+var_50]
		mov	eax, [esi+24h]
		mov	[ebp+var_48], eax
		mov	eax, [esi+28h]
		mov	[ebp+var_44], eax
		mov	eax, [esi+84h]
		and	eax, 1
		mov	[ebp+var_4C], eax
		mov	eax, [esi+74h]
		mov	[ebp+var_20], eax
		mov	eax, [esi+7Ch]
		mov	[ebp+var_18], eax
		mov	eax, [esi+6Ch]
		mov	[ebp+var_28], eax
		mov	eax, [esi+78h]
		mov	[ebp+var_1C], eax
		mov	eax, [esi+80h]
		mov	[ebp+var_14], eax
		mov	eax, [esi+70h]
		mov	[ebp+var_24], eax
		push	2
		pop	eax
		mov	[ebp+var_3E], ax
		xor	eax, eax
		mov	[ebp+var_40], ax
		mov	[ebp+var_3C], offset ??_C@_11LOCGONAA@@PBOPGDP@
		mov	eax, [esi+64h]
		mov	[ebp+var_30], eax
		mov	eax, [esi+68h]
		mov	[ebp+var_2C], eax
		mov	eax, [esi+5Ch]
		mov	[ebp+var_38], eax
		mov	eax, [esi+60h]
		mov	[ebp+var_34], eax
		call	_PnpNotifyEarlyLaunchImageLoad@8 ; PnpNotifyEarlyLaunchImageLoad(x,x)
		mov	dl, [ebp+var_1]
		mov	ecx, [ebp+var_8]
		call	PnpDoPolicyCheck

loc_AB4DAA:				; CODE XREF: PipInitializeDriverDependentDLLs(x,x)+13Dj
		test	al, al
		jz	loc_AB4CF2
		mov	edx, ebx
		mov	ecx, esi
		call	MmCallDllInitialize
		jmp	loc_AB4CF2
; 

loc_AB4DC0:				; CODE XREF: PipInitializeDriverDependentDLLs(x,x)+61j
		sub	ecx, 1
		jnz	loc_AB4CF2
		and	al, 3
		neg	al
		sbb	al, al
		inc	al
		jmp	loc_AB4D15
; 

loc_AB4DD6:				; CODE XREF: PipInitializeDriverDependentDLLs(x,x)+58j
		test	al, 1
		jz	loc_AB4CF2
		mov	al, 1
		jmp	loc_AB4D15
; 

loc_AB4DE5:				; CODE XREF: PipInitializeDriverDependentDLLs(x,x)+71j
		mov	al, 1
		jmp	short loc_AB4DAA
; 

loc_AB4DE9:				; CODE XREF: PipInitializeDriverDependentDLLs(x,x)+35j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PipInitializeDriverDependentDLLs@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipInitializeCoreDriversByGroup	proc near
					; CODE XREF: PipInitializeCoreDriversAndElam(x)+12p
					; PipInitializeCoreDriversAndElam(x)+64p ...

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE10AB SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_14], edx
		mov	eax, ecx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], ebx
		push	esi
		push	edi
		sub	eax, ebx
		jz	loc_AB4F2D
		sub	eax, 1
		jz	loc_AB4F1F
		sub	eax, 1
		jnz	loc_AB4F1A
		push	40h

loc_AB4E2B:				; CODE XREF: PipInitializeCoreDriversByGroup+13Aj
					; PipInitializeCoreDriversByGroup+141j
		pop	eax
		lea	edi, [edx+eax]
		test	edi, edi
		jz	loc_AB4F1A
		mov	esi, [edi]
		mov	_PnpCoreDriverGroupLoadPhase, ecx

loc_AB4E3F:				; CODE XREF: PipInitializeCoreDriversByGroup+63j
					; PipInitializeCoreDriversByGroup+127j
		cmp	esi, edi
		jz	loc_AB4F1A
		mov	eax, esi
		mov	esi, [esi]
		mov	[ebp+var_10], eax
		cmp	[eax+1Ch], ebx
		jl	short loc_AB4E3F
		add	eax, 10h
		mov	[ebp+var_1C], ebx
		push	20019h
		push	eax
		xor	edx, edx
		mov	[ebp+var_4], ebx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_18], eax
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_AB4EED
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_20]
		call	IopGetDriverNameFromKeyNode
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_AB4EED
		mov	ecx, [ebp+var_10]
		lea	eax, [ebp+var_8]
		mov	edx, [ebp+var_18]
		push	eax
		mov	eax, [ebp+var_14]
		mov	ecx, [ecx+18h]
		add	eax, 10h
		push	ecx
		push	[ebp+var_C]
		push	0
		push	eax
		push	ecx
		push	dword ptr [ecx+1Ch]
		lea	ecx, [ebp+var_20]
		call	PnpInitializeBootStartDriver
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_AB4EED
		cmp	[ebp+var_8], 0
		jz	short loc_AB4EED
		call	PnpLockDeviceActionQueue
		mov	ecx, [ebp+var_8]
		call	_PipAddDevicesToBootDriver@4 ; PipAddDevicesToBootDriver(x)
		call	PnpUnlockDeviceActionQueue
		call	_PnpWaitForEmptyDeviceActionQueue@0 ; PnpWaitForEmptyDeviceActionQueue()
		xor	eax, eax
		xor	ecx, ecx
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	7
		pop	edx
		call	PnpRequestDeviceAction
		call	_PnpWaitForBootDevicesDeleted@0	; PnpWaitForBootDevicesDeleted()
		test	eax, eax
		jz	loc_AE10AB

loc_AB4EED:				; CODE XREF: PipInitializeCoreDriversByGroup+85j
					; PipInitializeCoreDriversByGroup+96j ...
		cmp	[ebp+var_4], 0
		jz	short loc_AB4EFB
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_AB4EFB:				; CODE XREF: PipInitializeCoreDriversByGroup+103j
		cmp	[ebp+var_1C], 0
		jz	short loc_AB4F0B
		push	0
		push	[ebp+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AB4F0B:				; CODE XREF: PipInitializeCoreDriversByGroup+111j
		test	ebx, ebx
		js	loc_AE10BA

loc_AB4F13:				; CODE XREF: PipInitializeCoreDriversByGroup+2C2D9j
		xor	ebx, ebx
		jmp	loc_AB4E3F
; 

loc_AB4F1A:				; CODE XREF: PipInitializeCoreDriversByGroup+35j
					; PipInitializeCoreDriversByGroup+43j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB4F1F:				; CODE XREF: PipInitializeCoreDriversByGroup+2Cj
		mov	[ebp+var_C], 1
		push	38h
		jmp	loc_AB4E2B
; 

loc_AB4F2D:				; CODE XREF: PipInitializeCoreDriversByGroup+23j
		push	30h
		jmp	loc_AB4E2B
PipInitializeCoreDriversByGroup	endp


;  S U B	R O U T	I N E 


; __stdcall PipInitializeCoreDriversAndElam(x)
_PipInitializeCoreDriversAndElam@4 proc	near ; CODE XREF: IopInitializeBootDrivers+144p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	ecx, ecx
		mov	edx, esi
		call	_PipInitializeDriverDependentDLLs@8 ; PipInitializeDriverDependentDLLs(x,x)
		mov	edx, esi
		xor	ecx, ecx
		call	PipInitializeCoreDriversByGroup
		push	0A0h		; size_t
		push	0		; int
		push	offset _PsKernelRangeList ; void *
		mov	_PspPicoRegistrationDisabled, 1
		call	_memset
		and	_PspKernelRanges, 0
		add	esp, 0Ch
		and	dword_6B2FFC, 0
		mov	ecx, esi
		call	PipInitializeEarlyLaunchDrivers
		xor	ecx, ecx
		mov	_PnpBootDriverCallbackRegistrationClosed, 1
		call	_PnpNotifyEarlyLaunchStatusUpdate@4 ; PnpNotifyEarlyLaunchStatusUpdate(x)
		xor	ecx, ecx
		mov	edx, esi
		inc	ecx
		call	_PipInitializeDriverDependentDLLs@8 ; PipInitializeDriverDependentDLLs(x,x)
		xor	ecx, ecx
		mov	edx, esi
		inc	ecx
		call	PipInitializeCoreDriversByGroup
		push	2
		mov	edx, esi
		pop	ecx
		call	PipInitializeCoreDriversByGroup
		mov	_PnpCoreDriverGroupLoadPhase, 3
		pop	esi
		retn
_PipInitializeCoreDriversAndElam@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInitializeResourceMap proc near	; CODE XREF: IopInitializePlugPlayServices(x,x)+216p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2A		= byte ptr -2Ah
var_1A		= word ptr -1Ah
var_16		= byte ptr -16h
var_13		= byte ptr -13h
var_12		= word ptr -12h
var_10		= byte ptr -10h
var_C		= word ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE10CC SIZE 00000115 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [ebp+var_70]
		push	edi
		push	offset _IopWstrSystem
		mov	esi, ecx
		mov	[ebp+var_40], ebx
		push	eax
		mov	[ebp+var_54], esi
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_44], ebx

loc_AB4FF6:				; CODE XREF: IopInitializeResourceMap+288j
		mov	eax, ebx
		sub	eax, 0
		jz	loc_AB50D7
		sub	eax, 1
		lea	eax, [ebp+var_64]
		jz	short loc_AB5084
		push	offset _IopWstrLoaderReservedMemory ; "Loader Reserved"
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _PnpWstrRaw
		lea	eax, [ebp+var_5C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		cmp	eax, 29h
		jnb	loc_AB5247

loc_AB502D:				; CODE XREF: IopInitializeResourceMap+82j
		mov	byte ptr [ebp+eax+var_30], 0
		inc	eax
		cmp	eax, 29h
		jb	short loc_AB502D
		lea	edx, [ebp+var_30]
		mov	byte ptr [ebp+var_30+3], 1
		mov	ecx, esi
		mov	[ebp+var_12], 101h
		mov	[ebp+var_2A], 1
		mov	[ebp+var_10], 1
		mov	[ebp+var_C], 101h
		mov	[ebp+var_1A], 101h
		mov	[ebp+var_16], 1
		mov	[ebp+var_13], 1
		call	MmInitializeMemoryLimits
		mov	edi, eax
		mov	[ebp+var_34], edi
		test	edi, edi
		jnz	loc_AE10CC

loc_AB5075:				; CODE XREF: IopInitializeResourceMap+28Ej
					; IopInitializeResourceMap+2C21Aj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AB5084:				; CODE XREF: IopInitializeResourceMap+53j
		push	offset _IopWstrSpecialMemory ; "Reserved"
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _PnpWstrTranslated
		lea	eax, [ebp+var_5C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		cmp	eax, 29h
		jnb	loc_AB5247

loc_AB50A8:				; CODE XREF: IopInitializeResourceMap+FDj
		mov	byte ptr [ebp+eax+var_30], 0
		inc	eax
		cmp	eax, 29h
		jb	short loc_AB50A8
		lea	edx, [ebp+var_30]
		mov	byte ptr [ebp+var_1A], 1
		mov	ecx, esi
		mov	[ebp+var_16], 1
		call	MmInitializeMemoryLimits
		mov	edi, eax
		mov	[ebp+var_34], eax
		test	edi, edi
		jz	loc_AB5235
		jmp	loc_AE10CC
; 

loc_AB50D7:				; CODE XREF: IopInitializeResourceMap+47j
		push	offset _IopWstrPhysicalMemory ;	"Physical Memory"
		lea	eax, [ebp+var_64]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _PnpWstrTranslated
		lea	eax, [ebp+var_5C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edi, ds:_MmPhysicalMemoryBlock
		mov	[ebp+var_34], edi
		jmp	loc_AE10CC
; 

loc_AB5101:				; CODE XREF: IopInitializeResourceMap+186j
					; IopInitializeResourceMap+2C148j
		mov	esi, [eax]
		xor	edx, edx
		shld	edx, esi, 0Ch
		shl	esi, 0Ch
		mov	eax, edx
		mov	ecx, esi
		shrd	ecx, eax, 8
		xor	eax, eax
		shld	eax, ecx, 8
		shl	ecx, 8
		cmp	esi, ecx
		jnz	loc_AE1101
		cmp	edx, eax
		jnz	loc_AE1101

loc_AB512D:				; CODE XREF: IopInitializeResourceMap+2C156j
					; IopInitializeResourceMap+2C15Ej ...
		inc	ebx

loc_AB512E:				; CODE XREF: IopInitializeResourceMap+2C19Aj
		mov	eax, [ebp+var_38]
		add	eax, 8
		mov	[ebp+var_38], eax
		sub	edi, 1
		jnz	short loc_AB5101
		mov	edi, [ebp+var_34]

loc_AB513F:				; CODE XREF: IopInitializeResourceMap+2C139j
		lea	eax, [ebx-1]
		shl	eax, 4
		add	eax, 24h
		push	20207050h
		push	eax
		push	1
		mov	[ebp+var_50], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_3C], esi
		test	esi, esi
		jz	loc_AE11CA
		push	[ebp+var_50]	; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		and	[ebp+var_48], 0
		add	esp, 0Ch
		mov	dword ptr [esi], 1
		mov	[esi+10h], ebx
		add	esi, 14h
		cmp	dword ptr [edi], 0
		jbe	short loc_AB51DD
		lea	ecx, [edi+8]
		mov	[ebp+var_4C], ecx

loc_AB518E:				; CODE XREF: IopInitializeResourceMap+227j
		mov	ebx, [ecx+4]
		xor	edx, edx
		mov	ecx, [ecx]
		xor	eax, eax
		shld	edx, ecx, 0Ch
		shld	eax, ebx, 0Ch
		push	edx
		shl	ecx, 0Ch
		push	ecx
		push	eax
		shl	ebx, 0Ch
		push	ebx
		push	3
		push	esi
		mov	[ebp+var_68], eax
		mov	[ebp+var_34], edx
		mov	[ebp+var_38], ecx
		call	RtlCmEncodeMemIoResource
		test	eax, eax
		js	loc_AE1159
		mov	byte ptr [esi+1], 1

loc_AB51C6:				; CODE XREF: IopInitializeResourceMap+2C211j
		add	esi, 10h

loc_AB51C9:				; CODE XREF: IopInitializeResourceMap+2C1FDj
		mov	eax, [ebp+var_48]
		mov	ecx, [ebp+var_4C]
		inc	eax
		add	ecx, 8
		mov	[ebp+var_48], eax
		mov	[ebp+var_4C], ecx
		cmp	eax, [edi]
		jb	short loc_AB518E

loc_AB51DD:				; CODE XREF: IopInitializeResourceMap+1D2j
		push	0
		push	1
		push	2001Fh
		push	offset _CmRegistryMachineHardwareResourceMapName
		xor	edx, edx
		lea	ecx, [ebp+var_40]
		call	IopCreateRegistryKeyEx
		mov	esi, [ebp+var_3C]
		test	eax, eax
		js	short loc_AB521B
		push	[ebp+var_50]
		mov	ecx, [ebp+var_40]
		lea	eax, [ebp+var_5C]
		push	esi
		push	eax
		lea	eax, [ebp+var_64]
		push	eax
		lea	edx, [ebp+var_70]
		call	IopWriteResourceList
		push	[ebp+var_40]
		call	_ZwClose@4	; ZwClose(x)

loc_AB521B:				; CODE XREF: IopInitializeResourceMap+246j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_44]
		test	ebx, ebx
		jz	short loc_AB5232
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AB5232:				; CODE XREF: IopInitializeResourceMap+274j
		mov	esi, [ebp+var_54]

loc_AB5235:				; CODE XREF: IopInitializeResourceMap+118j
					; IopInitializeResourceMap+2C123j ...
		inc	ebx
		mov	[ebp+var_44], ebx
		cmp	ebx, 3
		jb	loc_AB4FF6
		jmp	loc_AB5075
; 

loc_AB5247:				; CODE XREF: IopInitializeResourceMap+73j
					; IopInitializeResourceMap+EEj
		call	___report_rangecheckfailure
IopInitializeResourceMap endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmInitializeMemoryLimits proc near	; CODE XREF: IopInitializeResourceMap+AFp
					; IopInitializeResourceMap+10Cp ...

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE11E1 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		lea	ebx, [ecx+18h]
		mov	[ebp+var_10], edx
		mov	eax, [ebx]
		push	edi
		xor	edi, edi
		cmp	eax, ebx
		jz	loc_AB5371

loc_AB5269:				; CODE XREF: MmInitializeMemoryLimits+22j
		mov	eax, [eax]
		inc	edi
		cmp	eax, ebx
		jnz	short loc_AB5269
		mov	[ebp+var_1C], edi
		test	edi, edi
		jz	loc_AB5371
		push	0
		lea	ecx, ds:8[edi*8]
		mov	edx, 6C4D6D4Dh
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_18], esi
		test	esi, esi
		jz	loc_AB5371
		mov	[esi], edi
		xor	edx, edx
		mov	ecx, [ebx]
		xor	eax, eax
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], eax
		cmp	ecx, ebx
		jz	loc_AE11E4
		lea	eax, [esi+4]
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_C], eax
		mov	esi, eax

loc_AB52BE:				; CODE XREF: MmInitializeMemoryLimits+8Aj
		mov	eax, [ecx+8]
		cmp	eax, 29h
		jge	short loc_AB52D2
		mov	edx, [ebp+var_10]
		cmp	byte ptr [eax+edx], 0
		mov	edx, [ebp+var_8]
		jnz	short loc_AB5333

loc_AB52D2:				; CODE XREF: MmInitializeMemoryLimits+78j
					; MmInitializeMemoryLimits+106j ...
		mov	ecx, [ecx]
		cmp	ecx, ebx
		jnz	short loc_AB52BE
		mov	esi, [ebp+var_18]
		mov	edi, [ebp+var_1C]
		test	edx, edx
		jz	loc_AE11E1
		cmp	edi, edx
		jbe	short loc_AB5324
		mov	ebx, edx
		mov	edx, 6C4D6D4Dh
		shl	ebx, 3
		push	0
		push	40h
		lea	ecx, [ebx+8]
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AB5321
		push	ebx		; size_t
		lea	ecx, [esi+8]
		push	ecx		; void *
		lea	ecx, [edi+8]
		push	ecx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, edi

loc_AB5321:				; CODE XREF: MmInitializeMemoryLimits+B8j
		mov	edx, [ebp+var_8]

loc_AB5324:				; CODE XREF: MmInitializeMemoryLimits+9Cj
		mov	eax, [ebp+var_4]

loc_AB5327:				; CODE XREF: MmInitializeMemoryLimits+2BFA0j
		mov	[esi+4], eax
		mov	eax, esi
		mov	[esi], edx

loc_AB532E:				; CODE XREF: MmInitializeMemoryLimits+127j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB5333:				; CODE XREF: MmInitializeMemoryLimits+84j
		mov	eax, [ecx+10h]
		add	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		mov	eax, [ecx+0Ch]
		mov	[ebp+var_14], eax
		cmp	eax, edi
		jnz	short loc_AB5357
		test	edx, edx
		jz	short loc_AB5357
		mov	eax, [ebp+var_C]
		add	[esi], eax
		add	edi, [ecx+10h]
		jmp	loc_AB52D2
; 

loc_AB5357:				; CODE XREF: MmInitializeMemoryLimits+F8j
					; MmInitializeMemoryLimits+FCj
		mov	edi, [ebp+var_14]
		mov	[esi+4], eax
		mov	eax, [ecx+10h]
		add	edi, eax
		inc	edx
		mov	[esi+8], eax
		mov	[ebp+var_8], edx
		add	esi, 8
		jmp	loc_AB52D2
; 

loc_AB5371:				; CODE XREF: MmInitializeMemoryLimits+17j
					; MmInitializeMemoryLimits+29j	...
		xor	eax, eax
		jmp	short loc_AB532E
MmInitializeMemoryLimits endp

; 
		align 2

; __stdcall IopBuildSpecialMemoryTable(x)
_IopBuildSpecialMemoryTable@4:		; CODE XREF: IopInitCrashDumpDuringSysInit+2Ep
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		test	ecx, ecx
		jz	short loc_AB53BD
		xor	eax, eax
		cmp	eax, 29h
		jnb	short loc_AB53C9

loc_AB5393:				; CODE XREF: INIT:00AB539Cj
		mov	byte ptr [ebp+eax-30h],	0
		inc	eax
		cmp	eax, 29h
		jb	short loc_AB5393
		lea	edx, [ebp-30h]
		mov	word ptr [ebp-12h], 101h
		mov	byte ptr [ebp-2Ah], 1
		mov	byte ptr [ebp-10h], 1
		mov	byte ptr [ebp-0Bh], 1
		call	MmInitializeMemoryLimits
		mov	_SpecialMemoryRanges, eax

loc_AB53BD:				; CODE XREF: INIT:00AB538Aj
		mov	ecx, [ebp-4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AB53C9:				; CODE XREF: INIT:00AB5391j
		call	___report_rangecheckfailure
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConvertInitialMemoryBlock(x, x)
_MiConvertInitialMemoryBlock@8 proc near ; CODE	XREF: MiMakePartitionMemoryBlock(x)+12Bp
					; MiInitNucleus(x)+3C9p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	[ebp+var_4], ecx
		xor	ebx, ebx
		inc	ebx
		mov	eax, [edi]
		cmp	eax, ebx
		jbe	short loc_AB5400
		lea	edx, [edi+10h]
		lea	ecx, [eax-1]

loc_AB53ED:				; CODE XREF: MiConvertInitialMemoryBlock(x,x)+2Ej
		mov	eax, [edx-8]
		add	eax, [edx-4]
		cmp	[edx], eax
		jz	short loc_AB53F8
		inc	ebx

loc_AB53F8:				; CODE XREF: MiConvertInitialMemoryBlock(x,x)+25j
		add	edx, 8
		sub	ecx, 1
		jnz	short loc_AB53ED

loc_AB5400:				; CODE XREF: MiConvertInitialMemoryBlock(x,x)+15j
		xor	esi, esi
		lea	ecx, ds:10h[ebx*8]
		push	esi
		push	40h
		mov	edx, 6C4D6D4Dh
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jz	short loc_AB5468
		mov	ecx, [ebp+var_4]
		mov	dword ptr [eax+4], 1
		mov	[eax], ecx
		add	eax, 8
		mov	[ebp+var_4], eax
		mov	[eax], ebx
		lea	edx, [eax+4]
		mov	eax, [edi+4]
		mov	[edx], eax
		cmp	[edi], esi
		jbe	short loc_AB5460
		lea	ecx, [edi+8]

loc_AB543D:				; CODE XREF: MiConvertInitialMemoryBlock(x,x)+8Ej
		test	esi, esi
		jz	short loc_AB544B
		mov	eax, [ecx-8]
		add	eax, [ecx-4]
		cmp	[ecx], eax
		jz	short loc_AB546C

loc_AB544B:				; CODE XREF: MiConvertInitialMemoryBlock(x,x)+6Fj
		mov	eax, [ecx]
		mov	[edx+4], eax
		add	edx, 8
		mov	eax, [ecx+4]
		mov	[edx], eax

loc_AB5458:				; CODE XREF: MiConvertInitialMemoryBlock(x,x)+A1j
		inc	esi
		add	ecx, 8
		cmp	esi, [edi]
		jb	short loc_AB543D

loc_AB5460:				; CODE XREF: MiConvertInitialMemoryBlock(x,x)+68j
		mov	eax, [ebp+var_4]

loc_AB5463:				; CODE XREF: MiConvertInitialMemoryBlock(x,x)+9Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB5468:				; CODE XREF: MiConvertInitialMemoryBlock(x,x)+48j
		xor	eax, eax
		jmp	short loc_AB5463
; 

loc_AB546C:				; CODE XREF: MiConvertInitialMemoryBlock(x,x)+79j
		mov	eax, [ecx+4]
		add	[edx], eax
		jmp	short loc_AB5458
_MiConvertInitialMemoryBlock@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeNonPagedPool()
_MiInitializeNonPagedPool@0 proc near	; CODE XREF: MiInitNucleus(x):loc_AB5899p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		xor	eax, eax
		mov	edx, offset unk_6D3B40
		push	edi
		push	eax
		push	7
		mov	ecx, offset _MiSystemPartition
		mov	[ebp+var_10], eax
		mov	[ebp+var_C], eax
		call	MiInitializeSystemWorkingSetList
		test	eax, eax
		jz	loc_AB55B7
		lea	eax, [ebp+var_10]
		push	eax
		call	KeQuerySystemTime
		mov	ecx, large fs:20h
		rdtsc
		mov	esi, eax
		xor	esi, [ecx+590h]
		xor	esi, [ecx+4B4h]
		xor	ecx, ecx
		xor	esi, [ebp+var_C]
		xor	esi, [ebp+var_10]
		call	ExGenRandom
		xor	esi, eax
		jnz	short loc_AB54D3
		inc	esi

loc_AB54D3:				; CODE XREF: MiInitializeNonPagedPool()+5Cj
		mov	edx, ds:_MxPfnAllocation
		mov	eax, 200000h
		mov	ecx, ds:_MmSystemRangeStart
		movzx	ebx, ds:_KeNumberNodes
		shl	edx, 0Ch
		add	edx, ds:_MmPfnDatabase
		mov	dword_6D35A4, esi
		mov	esi, edx
		and	esi, 1FFFFFh
		sub	eax, esi
		mov	[ebp+var_C], esi
		mov	edi, esi
		neg	edi
		sbb	edi, edi
		neg	ecx
		and	edi, eax
		mov	eax, dword_6D07D0
		mov	[ebp+var_4], eax
		mov	eax, ecx
		and	eax, 0FFFh
		neg	eax
		sbb	eax, eax
		shr	ecx, 0Ch
		neg	eax
		add	eax, ecx
		mov	dword_6D35D8, eax
		test	ebx, ebx
		jz	short loc_AB5551
		mov	esi, [ebp+var_4]
		xor	ecx, ecx

loc_AB5539:				; CODE XREF: MiInitializeNonPagedPool()+D8j
		mov	eax, dword_6D069C
		lea	ecx, [ecx+48h]
		mov	[ecx+eax-0Ch], esi
		mov	[ecx+eax-8], esi
		sub	ebx, 1
		jnz	short loc_AB5539
		mov	esi, [ebp+var_C]

loc_AB5551:				; CODE XREF: MiInitializeNonPagedPool()+BEj
		test	edi, edi
		jz	short loc_AB55AF
		shr	edx, 12h
		and	edx, 3FF8h
		mov	ebx, [edx-3FA00000h]
		nop
		mov	ecx, [edx-3F9FFFFCh]
		mov	eax, ebx
		and	eax, 80h
		xor	edx, edx
		or	eax, edx
		jz	short loc_AB55AF
		nop
		shrd	ebx, ecx, 0Ch
		and	ebx, 1FFFFFFh
		imul	ecx, ebx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		test	dword ptr [ecx+18h], 800000h
		jz	short loc_AB559F
		push	edx
		push	edx
		push	6
		push	edx
		call	_MiConvertEntireLargePageToSmall@24 ; MiConvertEntireLargePageToSmall(x,x,x,x,x,x)

loc_AB559F:				; CODE XREF: MiInitializeNonPagedPool()+11Fj
		shr	esi, 0Ch
		shr	edi, 0Ch
		mov	edx, edi
		lea	ecx, [ebx+esi]
		call	_MiAddExpansionNonPagedPool@8 ;	MiAddExpansionNonPagedPool(x,x)

loc_AB55AF:				; CODE XREF: MiInitializeNonPagedPool()+DFj
					; MiInitializeNonPagedPool()+102j
		call	MiInitializeNonPagedPoolThresholds
		xor	eax, eax
		inc	eax

loc_AB55B7:				; CODE XREF: MiInitializeNonPagedPool()+27j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiInitializeNonPagedPool@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MxConsumeLargePageSlush	proc near	; CODE XREF: MiInitNucleus(x)+3E1p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE11F1 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	ebx, 1FFFFFh
		xor	edi, edi

loc_AB55D0:				; CODE XREF: MxConsumeLargePageSlush+58j
		mov	ecx, ds:dword_AFF34C
		test	edi, edi
		jz	short loc_AB55E0
		mov	ecx, ds:_MxHalDataTableEntry

loc_AB55E0:				; CODE XREF: MxConsumeLargePageSlush+1Cj
		mov	eax, [ecx+18h]
		test	eax, ebx
		jnz	loc_AE11F1
		mov	ecx, [ecx+20h]
		add	ecx, eax
		test	ecx, ebx
		jz	short loc_AB5610
		call	_MiVaToPfn@4	; MiVaToPfn(x)
		mov	[ebp+esi*8+var_10], eax
		lea	ecx, [eax+1FFh]
		and	ecx, 0FFFFFE00h
		sub	ecx, eax
		mov	[ebp+esi*8+var_C], ecx
		inc	esi

loc_AB5610:				; CODE XREF: MxConsumeLargePageSlush+36j
		inc	edi
		cmp	edi, 2
		jb	short loc_AB55D0
		jmp	short loc_AB5626
; 

loc_AB5618:				; CODE XREF: MxConsumeLargePageSlush+6Cj
		mov	edx, [ebp+esi*8+var_14]
		dec	esi
		mov	ecx, [ebp+esi*8+var_10]
		call	_MiAddExpansionNonPagedPool@8 ;	MiAddExpansionNonPagedPool(x,x)

loc_AB5626:				; CODE XREF: MxConsumeLargePageSlush+5Aj
		test	esi, esi
		jnz	short loc_AB5618
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MxConsumeLargePageSlush	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitNucleus(x)
_MiInitNucleus@4 proc near		; CODE XREF: MmInitSystem+3Cp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	eax, eax
		mov	[ebp+var_38], offset _MiVisibleState
		mov	esi, ecx
		mov	[ebp+var_38], offset _MiVisiblePartition
		inc	eax
		mov	[ebp+var_34], esi
		or	word_6C68BA, ax
		push	edi
		mov	dword_6C6760, 800h
		mov	dword_6C6764, offset unk_6C6768
		call	MiInitializeSystemDefaults
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	eax, cr3
		mov	[ecx+18h], eax
		call	MiExamineHalVa
		mov	ds:_MiLowHalVa,	eax
		call	_MiInitializeZeroingAttributes@0 ; MiInitializeZeroingAttributes()
		mov	ecx, esi
		call	MiInitializeBootDefaults
		xor	edx, edx
		mov	eax, offset unk_6D3CC8
		push	10h
		mov	dword_6D3380, edx
		mov	dword_6D3384, edx
		mov	dword_6D3388, edx
		pop	ecx

loc_AB56D0:				; CODE XREF: MiInitNucleus(x)+ABj
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		sub	ecx, 1
		jnz	short loc_AB56D0
		xor	eax, eax
		mov	edi, offset dword_6D3444
		stosd
		stosd
		stosd
		mov	eax, offset dword_6D3450
		mov	dword_6D3454, eax
		mov	dword_6D3450, eax
		mov	dword_6D347C, edx
		call	MiInitializeDynamicVa
		mov	ecx, ds:dword_7051D4
		cmp	ecx, (offset loc_690056+1)
		jnz	short loc_AB5722
		mov	dword ptr ds:0FFDF0264h, 1
		and	ds:dword_7051D4, 0
		jmp	short loc_AB573F
; 

loc_AB5722:				; CODE XREF: MiInitNucleus(x)+DDj
		xor	eax, eax
		cmp	ecx, (offset loc_610049+3)
		setnz	al
		add	eax, 2
		mov	ds:0FFDF0264h, eax
		mov	ds:dword_7051D4, 1

loc_AB573F:				; CODE XREF: MiInitNucleus(x)+F0j
		call	MiInitializeNumaRangesTemporary
		call	_MiConfigureDynamicMemory@0 ; MiConfigureDynamicMemory()
		mov	ecx, esi
		call	MiMemoryLicense
		mov	esi, ds:__imp__KeQueryPerformanceCounter@4 ; KeQueryPerformanceCounter(x)
		push	0
		call	esi
		push	0
		mov	ds:dword_B01698, eax
		mov	ds:dword_B0169C, edx
		call	esi
		mov	esi, [ebp+var_34]
		mov	ecx, esi
		mov	ds:dword_B016A0, eax
		mov	ds:dword_B016A4, edx
		call	MiFindLargestLoaderDescriptor
		test	eax, eax
		jnz	short loc_AB579E
		mov	byte_6D311E, 3

loc_AB5789:				; CODE XREF: MiInitNucleus(x)+1D2j
					; MiInitNucleus(x)+264j ...
		xor	al, al

loc_AB578B:				; CODE XREF: MiInitNucleus(x)+567j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_AB579E:				; CODE XREF: MiInitNucleus(x)+150j
		mov	ecx, esi
		call	MiCheckLargePageOk
		or	dword_6D0748, 0FFFFFFFFh
		call	MiProtectSharedUserPage
		mov	ecx, offset unk_6D2FB0
		call	_MiCreateResidentPfnTemplate@4 ; MiCreateResidentPfnTemplate(x)
		push	7
		pop	ecx
		mov	esi, offset unk_6D2FB0
		mov	edi, offset unk_6D2FCC
		rep movsd
		mov	al, byte_6D2FE2
		mov	edi, ds:__imp__KeQueryPerformanceCounter@4 ; KeQueryPerformanceCounter(x)
		and	al, 0FDh
		or	al, 5
		push	0
		mov	byte_6D2FE2, al
		call	edi
		mov	esi, [ebp+var_34]
		mov	ecx, esi
		mov	ds:dword_B016A8, eax
		mov	ds:dword_B016AC, edx
		call	_MiCreatePfnDatabase@4 ; MiCreatePfnDatabase(x)
		test	eax, eax
		jnz	short loc_AB5804
		mov	byte_6D311E, 6
		jmp	short loc_AB5789
; 

loc_AB5804:				; CODE XREF: MiInitNucleus(x)+1C9j
		push	0
		call	edi
		mov	ecx, esi
		mov	ds:dword_B016B0, eax
		mov	ds:dword_B016B4, edx
		call	_MiInitializePfnsForValidMappings@4 ; MiInitializePfnsForValidMappings(x)
		push	0
		call	edi
		mov	ecx, esi
		mov	ds:dword_B016B8, eax
		mov	ds:dword_B016BC, edx
		call	MiSwitchToPfns
		push	0
		call	edi
		mov	ecx, esi
		mov	ds:dword_B016C0, eax
		mov	ds:dword_B016C4, edx
		call	_MxRelocatePageTables@4	; MxRelocatePageTables(x)
		xor	esi, esi
		push	esi
		call	edi
		mov	ds:dword_B016C8, eax
		mov	ds:dword_B016CC, edx
		call	_MiZeroBootMappings@0 ;	MiZeroBootMappings()
		call	_MiInitializeDecayPfns@0 ; MiInitializeDecayPfns()
		mov	dword_6D3288, esi
		mov	dword_6D328C, esi
		mov	esi, offset _MiSystemPartition
		mov	ecx, esi
		call	_MiInitializeSections@4	; MiInitializeSections(x)
		mov	ecx, esi
		call	MiInitializeCommitment
		call	_MiInitializeDummyPages@0 ; MiInitializeDummyPages()
		call	MiInitializeSystemPtes
		test	eax, eax
		jnz	short loc_AB5899
		mov	byte_6D311E, 9
		jmp	loc_AB5789
; 

loc_AB5899:				; CODE XREF: MiInitNucleus(x)+25Bj
		call	_MiInitializeNonPagedPool@0 ; MiInitializeNonPagedPool()
		test	eax, eax
		jnz	short loc_AB58AE
		mov	byte_6D311E, 7
		jmp	loc_AB5789
; 

loc_AB58AE:				; CODE XREF: MiInitNucleus(x)+270j
		call	MiMapDummyPages
		test	eax, eax
		jnz	short loc_AB58C3
		mov	byte_6D311E, 5
		jmp	loc_AB5789
; 

loc_AB58C3:				; CODE XREF: MiInitNucleus(x)+285j
		movzx	esi, word ptr ds:_MiFlags+2
		push	0
		call	edi
		and	esi, 1
		mov	ds:dword_B016D0, eax
		shl	esi, 0Ah
		mov	ecx, esi
		mov	ds:dword_B016D4, edx
		call	ExInitializePoolHeapManagement
		test	eax, eax
		jns	short loc_AB58F6
		mov	byte_6D311E, 2
		jmp	loc_AB5789
; 

loc_AB58F6:				; CODE XREF: MiInitNucleus(x)+2B8j
		call	_MiInitializeKernelStacks@0 ; MiInitializeKernelStacks()
		test	eax, eax
		jnz	short loc_AB590B
		mov	byte_6D311E, 14h
		jmp	loc_AB5789
; 

loc_AB590B:				; CODE XREF: MiInitNucleus(x)+2CDj
		mov	ecx, large fs:20h
		call	MmInitializeProcessor
		test	eax, eax
		jnz	short loc_AB5927
		mov	byte_6D311E, 0Ah
		jmp	loc_AB5789
; 

loc_AB5927:				; CODE XREF: MiInitNucleus(x)+2E9j
		xor	edx, edx
		mov	ecx, offset dword_6D35E0
		inc	edx
		call	MiReservePtes
		mov	ecx, eax
		mov	dword_6D31C4, ecx
		test	ecx, ecx
		jnz	short loc_AB594C
		mov	byte_6D311E, 0Bh
		jmp	loc_AB5789
; 

loc_AB594C:				; CODE XREF: MiInitNucleus(x)+30Ej
		mov	eax, ds:_ZeroPte
		mov	[ecx], eax
		nop
		mov	ecx, dword_6D31C4
		mov	eax, ds:dword_40F9FC
		push	0
		mov	[ecx+4], eax
		call	MiFreeUnusedPfnPages
		call	_MiPaeInitialize@0 ; MiPaeInitialize()
		test	eax, eax
		jnz	short loc_AB597E
		mov	byte_6D311E, 11h
		jmp	loc_AB5789
; 

loc_AB597E:				; CODE XREF: MiInitNucleus(x)+340j
		xor	eax, eax

loc_AB5980:				; CODE XREF: MiInitNucleus(x)+39Ej
		cmp	eax, 1Eh
		jz	short loc_AB59BB
		cmp	eax, 1Fh
		jz	short loc_AB59BB
		cmp	eax, 6
		jz	short loc_AB59BB
		cmp	eax, 20h
		jz	short loc_AB59BB
		cmp	eax, 22h
		jz	short loc_AB59BB
		cmp	eax, 17h
		jz	short loc_AB59BB
		cmp	eax, 3
		jz	short loc_AB59BB
		cmp	eax, 16h
		jz	short loc_AB59BB
		cmp	eax, 26h
		jz	short loc_AB59BB
		cmp	eax, 27h
		jz	short loc_AB59BB
		cmp	eax, 28h
		jz	short loc_AB59BB
		mov	cl, 1
		jmp	short loc_AB59C6
; 

loc_AB59BB:				; CODE XREF: MiInitNucleus(x)+353j
					; MiInitNucleus(x)+358j ...
		cmp	eax, 29h
		jnb	loc_AB5BA8
		xor	cl, cl

loc_AB59C6:				; CODE XREF: MiInitNucleus(x)+389j
		mov	byte ptr [ebp+eax+var_30], cl
		inc	eax
		cmp	eax, 29h
		jb	short loc_AB5980
		push	0
		call	edi
		mov	ecx, [ebp+var_34]
		mov	ds:dword_B016DC, edx
		lea	edx, [ebp+var_30]
		mov	ds:dword_B016D8, eax
		call	MmInitializeMemoryLimits
		test	eax, eax
		jz	loc_AB5B9C
		mov	edx, eax
		mov	ecx, offset _MiSystemPartition
		call	_MiConvertInitialMemoryBlock@8 ; MiConvertInitialMemoryBlock(x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_AB5B9C
		test	byte ptr ds:_MiFlags, 4
		jz	short loc_AB5A16
		call	MxConsumeLargePageSlush

loc_AB5A16:				; CODE XREF: MiInitNucleus(x)+3DFj
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	MiCreateNodeLists
		mov	dword_6D4E58, eax
		test	eax, eax
		jnz	short loc_AB5A37
		mov	byte_6D311E, 0Dh
		jmp	loc_AB5789
; 

loc_AB5A37:				; CODE XREF: MiInitNucleus(x)+3F9j
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		inc	edx
		call	MiComputeNodeMemory
		call	_MiFillPfnGaps@0 ; MiFillPfnGaps()
		test	eax, eax
		jnz	short loc_AB5A59
		mov	byte_6D311E, 12h
		jmp	loc_AB5789
; 

loc_AB5A59:				; CODE XREF: MiInitNucleus(x)+41Bj
		mov	edx, offset dword_6D3510
		or	ecx, 0FFFFFFFFh
		call	_MiInitializeGapFrames@8 ; MiInitializeGapFrames(x,x)
		test	eax, eax
		jnz	short loc_AB5A76
		mov	byte_6D311E, 13h
		jmp	loc_AB5789
; 

loc_AB5A76:				; CODE XREF: MiInitNucleus(x)+438j
		push	0
		call	edi
		mov	ds:dword_B016E0, eax
		mov	ds:dword_B016E4, edx
		call	_MiInitializePageFaultResources@0 ; MiInitializePageFaultResources()
		test	eax, eax
		jnz	short loc_AB5A9A
		mov	byte_6D311E, 15h
		jmp	loc_AB5789
; 

loc_AB5A9A:				; CODE XREF: MiInitNucleus(x)+45Cj
		call	_MiBuildPagedPool@0 ; MiBuildPagedPool()
		test	eax, eax
		jz	loc_AB5789
		mov	ds:_MmPhysicalMemoryBlock, esi
		mov	edx, esi
		mov	esi, offset _MiSystemPartition
		mov	ecx, esi
		call	MiCreatePfnBitMaps
		test	eax, eax
		jnz	short loc_AB5ACB
		mov	byte_6D311E, 0Fh
		jmp	loc_AB5789
; 

loc_AB5ACB:				; CODE XREF: MiInitNucleus(x)+48Dj
		push	0
		call	edi
		mov	ds:dword_B016E8, eax
		mov	ds:dword_B016EC, edx
		call	MiMarkLargePageRanges
		push	0
		call	edi
		mov	ecx, esi
		mov	ds:dword_B016F0, eax
		mov	ds:dword_B016F4, edx
		call	_MiInitializeWsSwapping@4 ; MiInitializeWsSwapping(x)
		cmp	dword_6D06B0, offset unk_6D06A0
		jz	short loc_AB5B39
		mov	eax, dword_6D0688
		mov	edx, 20206D4Dh
		push	0
		push	40h
		lea	edi, ds:10h[eax*8]
		mov	ecx, edi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_AB5B39
		push	edi		; size_t
		push	dword_6D06B0	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	dword_6D06B0, esi

loc_AB5B39:				; CODE XREF: MiInitNucleus(x)+4CFj
					; MiInitNucleus(x)+4F1j
		cmp	dword_6D06B4, 0
		jz	short loc_AB5B79
		mov	eax, dword_6D0694
		mov	edx, 20206D4Dh
		add	eax, 2
		imul	edi, eax, 0Ch
		push	0
		push	40h
		mov	ecx, edi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_AB5B79
		push	edi		; size_t
		push	dword_6D06B4	; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	dword_6D06B4, esi

loc_AB5B79:				; CODE XREF: MiInitNucleus(x)+510j
					; MiInitNucleus(x)+531j
		xor	eax, eax
		push	eax
		push	eax
		push	6B4C6D4Dh
		push	50h
		push	200h
		push	eax
		push	eax
		push	offset unk_6D32C0
		call	ExInitializeNPagedLookasideListInternal
		mov	al, 1
		jmp	loc_AB578B
; 

loc_AB5B9C:				; CODE XREF: MiInitNucleus(x)+3BCj
					; MiInitNucleus(x)+3D2j
		mov	byte_6D311E, 0Ch
		jmp	loc_AB5789
; 

loc_AB5BA8:				; CODE XREF: MiInitNucleus(x)+38Ej
		call	___report_rangecheckfailure
		int	3		; Trap to Debugger
_MiInitNucleus@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMarkLargePageRanges proc near		; CODE XREF: MiInitNucleus(x)+4AAp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE1220 SIZE 00000037 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		call	_MiMarkLargePageMappings@0 ; MiMarkLargePageMappings()
		mov	eax, ds:_MmPhysicalMemoryBlock
		mov	ebx, [eax]
		jmp	short loc_AB5C2D
; 

loc_AB5BC7:				; CODE XREF: MiMarkLargePageRanges+71j
					; MiMarkLargePageRanges+C7j
		test	dword ptr [edi+10h], 3FFFFFFFh
		jnz	loc_AB5C7D

loc_AB5BD4:				; CODE XREF: MiMarkLargePageRanges+D6j
					; MiMarkLargePageRanges+E9j
		cmp	esi, 200h
		jnb	loc_AE1220

loc_AB5BE0:				; CODE XREF: MiMarkLargePageRanges+2B68Aj
		test	esi, esi
		jnz	short loc_AB5BF7
		sub	edi, ds:_MmPfnDatabase
		mov	eax, edi
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	edx, eax
		mov	[ebp+var_4], edx

loc_AB5BF7:				; CODE XREF: MiMarkLargePageRanges+34j
		lea	eax, [esi+200h]
		add	eax, edx
		push	0
		pop	esi
		and	eax, 0FFFFFE00h
		jz	short loc_AB5C2D
		mov	edi, ds:_MmPfnDatabase
		imul	ecx, eax, 1Ch
		add	edi, 0FFFFFFE4h
		add	edi, ecx

loc_AB5C17:				; CODE XREF: MxConsumeLargePageSlush+2BC5Fj
		push	1Ch
		pop	eax
		add	edi, eax
		cmp	edi, [ebp+var_8]
		jb	short loc_AB5BC7
		cmp	esi, 200h
		jnb	loc_AE123D

loc_AB5C2D:				; CODE XREF: MiMarkLargePageRanges+17j
					; MiMarkLargePageRanges+59j ...
		test	ebx, ebx
		jz	short loc_AB5CA2
		mov	eax, ds:_MmPhysicalMemoryBlock
		dec	ebx
		mov	ecx, [eax+ebx*8+8]
		mov	eax, [eax+ebx*8+0Ch]
		add	eax, ecx
		add	ecx, 1FFh
		and	eax, 0FFFFFE00h
		and	ecx, 0FFFFFE00h
		jz	short loc_AB5C2D
		cmp	ecx, eax
		jnb	short loc_AB5C2D
		sub	eax, ecx
		imul	edi, ecx, 1Ch
		imul	eax, 1Ch
		or	edx, 0FFFFFFFFh
		xor	esi, esi
		mov	[ebp+var_4], edx
		add	edi, ds:_MmPfnDatabase
		add	eax, edi
		mov	[ebp+var_8], eax
		cmp	edi, eax
		jb	loc_AB5BC7
		jmp	short loc_AB5C2D
; 

loc_AB5C7D:				; CODE XREF: MiMarkLargePageRanges+20j
		mov	al, [edi+16h]
		and	al, 7
		cmp	al, 6
		jnz	loc_AB5BD4
		mov	eax, [edi+18h]
		and	eax, offset loc_7FFFFF
		cmp	eax, (offset loc_7FFFFA+3)
		jnz	loc_AB5BD4
		jmp	loc_AE1203
; 

loc_AB5CA2:				; CODE XREF: MiMarkLargePageRanges+81j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiMarkLargePageRanges endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMarkLargePageMappings()
_MiMarkLargePageMappings@0 proc	near	; CODE XREF: MiMarkLargePageRanges+Bp

var_58		= dword	ptr -58h
var_52		= byte ptr -52h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	4Ch		; size_t
		lea	eax, [ebp+var_58]
		push	0		; int
		push	eax		; void *
		call	_memset
		or	[ebp+var_40], 0FFFFFFFFh
		mov	eax, 0A07h
		mov	word ptr [ebp+var_58], ax
		add	esp, 0Ch
		mov	eax, dword_6D07D0
		mov	esi, offset unk_6D3940
		mov	[ebp+var_44], eax
		mov	ecx, esi
		mov	al, byte ptr [ebp+var_58+2]
		and	al, 0E7h
		mov	[ebp+var_18], offset MiMarkLargePagePte
		or	al, 4
		mov	[ebp+var_48], esi
		mov	byte ptr [ebp+var_58+2], al
		call	MiLockWorkingSetShared
		lea	ecx, [ebp+var_58]
		mov	[ebp+var_52], al
		call	MiWalkPageTables
		mov	dl, [ebp+var_52]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiMarkLargePageMappings@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeRebuildCandidateCounts(x, x)
_MiInitializeRebuildCandidateCounts@8 proc near	; CODE XREF: MiCreatePfnBitMaps+1CEp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, dword_6D0744
		push	ebx
		push	esi
		push	edi
		imul	edi, [ebp+arg_0], 280h
		mov	[ebp+var_1C], eax
		add	edi, dword_6D4E50
		lea	eax, [edi+202h]
		mov	[ebp+var_18], eax

loc_AB5D4B:				; CODE XREF: MiInitializeRebuildCandidateCounts(x,x)+E1j
		movzx	eax, byte ptr [eax]
		lea	esi, [edi+0B0h]
		mov	[ebp+var_14], 2
		lea	ecx, ds:16h[eax*4]
		shl	eax, 4
		add	esi, eax

loc_AB5D67:				; CODE XREF: MiInitializeRebuildCandidateCounts(x,x)+CCj
		mov	[ebp+var_C], ecx
		mov	[ebp+var_10], 2

loc_AB5D71:				; CODE XREF: MiInitializeRebuildCandidateCounts(x,x)+C6j
		xor	edx, edx
		mov	[ebp+var_8], edx

loc_AB5D76:				; CODE XREF: MiInitializeRebuildCandidateCounts(x,x)+BAj
		cmp	dword ptr [esi], 0
		jz	short loc_AB5DD2
		lea	eax, [ecx+edx]
		mov	ebx, [edi+eax*4+98h]
		mov	eax, [ebp+var_1C]
		test	eax, eax
		jz	short loc_AB5DD2
		mov	ecx, eax
		mov	[ebp+var_4], eax

loc_AB5D91:				; CODE XREF: MiInitializeRebuildCandidateCounts(x,x)+A8j
		mov	eax, [ebx]
		mov	[ebp+arg_0], eax
		cmp	eax, ebx
		jz	short loc_AB5DC1

loc_AB5D9A:				; CODE XREF: MiInitializeRebuildCandidateCounts(x,x)+9Aj
		sub	eax, ds:_MmPfnDatabase
		push	1
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		xor	edx, edx
		inc	edx
		mov	ecx, eax
		call	_MiUpdateLargePageCandidates@12	; MiUpdateLargePageCandidates(x,x,x)
		mov	eax, [ebp+arg_0]
		mov	eax, [eax]
		mov	[ebp+arg_0], eax
		cmp	eax, ebx
		jnz	short loc_AB5D9A
		mov	ecx, [ebp+var_4]

loc_AB5DC1:				; CODE XREF: MiInitializeRebuildCandidateCounts(x,x)+76j
		add	ebx, 0Ch
		sub	ecx, 1
		mov	[ebp+var_4], ecx
		jnz	short loc_AB5D91
		mov	ecx, [ebp+var_C]
		mov	edx, [ebp+var_8]

loc_AB5DD2:				; CODE XREF: MiInitializeRebuildCandidateCounts(x,x)+57j
					; MiInitializeRebuildCandidateCounts(x,x)+68j
		inc	edx
		add	esi, 4
		mov	[ebp+var_8], edx
		cmp	edx, 3
		jle	short loc_AB5D76
		add	ecx, 4
		sub	[ebp+var_10], 1
		mov	[ebp+var_C], ecx
		jnz	short loc_AB5D71
		sub	[ebp+var_14], 1
		jnz	loc_AB5D67
		mov	eax, [ebp+var_18]
		lea	ecx, [edi+203h]
		inc	eax
		mov	[ebp+var_18], eax
		cmp	eax, ecx
		jnz	loc_AB5D4B
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MiInitializeRebuildCandidateCounts@8 endp


;  S U B	R O U T	I N E 


; __stdcall MiBuildPagedPool()
_MiBuildPagedPool@0 proc near		; CODE XREF: MiInitNucleus(x):loc_AB5A9Ap
		mov	edi, edi
		push	esi
		mov	esi, ds:_MiLowHalVa
		mov	edx, offset unk_6D3840
		sub	esi, dword_6D07D0
		mov	ecx, offset _MiSystemPartition
		shr	esi, 0Ch
		mov	eax, esi
		mov	dword_6D35DC, esi
		push	esi
		shl	eax, 0Ch
		push	3
		mov	ds:_MmSizeOfPagedPoolInBytes, eax
		call	MiInitializeSystemWorkingSetList
		test	eax, eax
		jnz	short loc_AB5E4A
		pop	esi
		retn
; 

loc_AB5E4A:				; CODE XREF: MiBuildPagedPool()+36j
		and	dword_6D35CC, 0
		mov	eax, dword_6D35DC
		mov	dword_6D35D0, eax
		mov	dword_6CF354, 1E00h
		push	5
		pop	ecx
		cmp	esi, 9600h
		jnb	short loc_AB5E7B
		mov	eax, esi
		xor	edx, edx
		div	ecx
		mov	dword_6CF354, eax

loc_AB5E7B:				; CODE XREF: MiBuildPagedPool()+5Ej
		lea	eax, [esi+esi]
		mov	dword_6CF358, 3C00h
		cmp	eax, 12C00h
		jnb	short loc_AB5E98
		xor	edx, edx
		div	ecx
		mov	dword_6CF358, eax

loc_AB5E98:				; CODE XREF: MiBuildPagedPool()+7Dj
		xor	eax, eax
		inc	eax
		pop	esi
		retn
_MiBuildPagedPool@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiFillPfnGaps()
_MiFillPfnGaps@0 proc near		; CODE XREF: MiInitNucleus(x)+414p
		mov	edi, edi
		push	esi
		mov	esi, offset dword_6D3518
		xor	ecx, ecx
		mov	edx, esi
		call	_MiInitializeGapFrames@8 ; MiInitializeGapFrames(x,x)
		test	eax, eax
		jz	short loc_AB5ED0
		imul	edx, dword_6D07B0, 1Ch
		mov	ecx, ds:_MmPfnDatabase
		push	esi
		add	edx, 1Bh
		add	edx, ecx
		call	_MiFillGapAddresses@12 ; MiFillGapAddresses(x,x,x)
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_AB5ED0:				; CODE XREF: MiFillPfnGaps()+13j
		xor	eax, eax
		pop	esi
		retn
_MiFillPfnGaps@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeGapFrames(x, x)
_MiInitializeGapFrames@8 proc near	; CODE XREF: MiInitNucleus(x)+431p
					; MiFillPfnGaps()+Cp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	[ebp+var_8], edx
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jnz	short loc_AB5EEE
		mov	esi, dword_6D34F0
		jmp	short loc_AB5EFD
; 

loc_AB5EEE:				; CODE XREF: MiInitializeGapFrames(x,x)+10j
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_AB6063
		mov	esi, dword_6D34E4

loc_AB5EFD:				; CODE XREF: MiInitializeGapFrames(x,x)+18j
		xor	edi, edi
		mov	ecx, offset dword_6D35E0
		lea	edx, [edi+1]
		call	MiReservePtes
		mov	ebx, eax
		mov	[ebp+var_14], ebx
		test	ebx, ebx
		jz	loc_AB6063
		push	2
		push	edi
		lea	edx, [edi+1]
		mov	ecx, offset _MiSystemPartition
		call	MiAcquireNonPagedResources
		test	eax, eax
		js	loc_AB6063
		mov	eax, [ebp+var_8]

loc_AB5F34:				; CODE XREF: MiInitializeGapFrames(x,x)+175j
		test	edi, edi
		jz	loc_AB6042
		push	208h
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		call	MiGetPage
		mov	edx, eax
		mov	[ebp+var_10], edx
		cmp	edx, 0FFFFFFFFh
		jz	loc_AB6063
		imul	ecx, edx, 1Ch
		xor	esi, esi
		inc	esi
		push	0A0000004h
		add	ecx, ds:_MmPfnDatabase
		mov	eax, [ecx+10h]
		and	dword ptr [ecx+18h], 7FFFFFFFh
		and	eax, 0C0000001h
		mov	[ecx+14h], si
		or	eax, esi
		mov	[ecx+10h], eax
		lea	esi, [ebx+edi*8]
		mov	ecx, esi
		call	MiMakeValidPte
		and	[ebp+var_4], 0
		add	esi, 0FFFFFFF8h
		mov	ecx, esi
		mov	[ebp+var_C], esi
		mov	ebx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_AB5FE9
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_AB5FCC
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	short loc_AB5FEC

loc_AB5FBA:				; CODE XREF: MiInitializeGapFrames(x,x)+111j
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	short loc_AB5FEC
		or	edx, 80000000h
		jmp	short loc_AB5FEC
; 

loc_AB5FCC:				; CODE XREF: MiInitializeGapFrames(x,x)+D8j
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_4]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_AB5FBA
		jmp	short loc_AB5FEC
; 

loc_AB5FE9:				; CODE XREF: MiInitializeGapFrames(x,x)+CFj
		mov	ecx, [ebp+var_4]

loc_AB5FEC:				; CODE XREF: MiInitializeGapFrames(x,x)+E4j
					; MiInitializeGapFrames(x,x)+EEj ...
		mov	[esi+4], edx
		nop
		mov	[esi], ebx
		test	ecx, ecx
		jz	short loc_AB5FFF
		push	edx
		push	ebx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_AB5FFF:				; CODE XREF: MiInitializeGapFrames(x,x)+120j
		mov	edx, [ebp+var_8]
		lea	ecx, [edi-1]
		shl	esi, 9
		lea	eax, [edi-1]
		neg	ecx
		mov	edx, [edx+edi*4-4]
		sbb	ecx, ecx
		not	ecx
		and	ecx, [ebp+var_C]
		neg	eax
		sbb	eax, eax
		and	eax, 88000003h
		add	eax, 20000001h
		push	eax
		call	MiMakeValidPte
		push	edx
		push	eax
		push	1000h
		push	esi
		call	_RtlFillMemoryUlonglong@16 ; RtlFillMemoryUlonglong(x,x,x,x)
		mov	esi, [ebp+var_10]
		mov	ebx, [ebp+var_14]
		mov	eax, [ebp+var_8]

loc_AB6042:				; CODE XREF: MiInitializeGapFrames(x,x)+62j
		mov	[eax+edi*4], esi
		inc	edi
		cmp	edi, 2
		jb	loc_AB5F34
		xor	esi, esi
		mov	edx, ebx
		inc	esi
		mov	ecx, offset dword_6D35E0
		push	esi
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		mov	eax, esi
		jmp	short loc_AB6065
; 

loc_AB6063:				; CODE XREF: MiInitializeGapFrames(x,x)+1Dj
					; MiInitializeGapFrames(x,x)+3Fj ...
		xor	eax, eax

loc_AB6065:				; CODE XREF: MiInitializeGapFrames(x,x)+18Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiInitializeGapFrames@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreatePfnDatabase(x)
_MiCreatePfnDatabase@4 proc near	; CODE XREF: MiInitNucleus(x)+1C2p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], ecx
		call	_MiInitializeColors@0 ;	MiInitializeColors()
		movzx	ebx, ds:_KeNumberNodes
		mov	esi, dword_6D07B0
		mov	edx, ebx
		imul	edx, dword_6D06D4
		cmp	dword_6D3250, 0FFFFFFFFh
		mov	dword_6D06D4, edx
		jnz	short loc_AB60B0
		lea	eax, [esi+1]
		add	esi, 800h
		mov	dword_6D3250, eax

loc_AB60B0:				; CODE XREF: MiCreatePfnDatabase(x)+36j
		lea	eax, [esi+1]
		imul	ecx, eax, 1Ch
		imul	eax, edx, 14h
		mov	dword_6D5380, ecx
		add	ecx, eax
		mov	dword_6D5384, ecx
		lea	esi, [eax+7]
		mov	eax, edx
		add	esi, ecx
		shl	eax, 3
		and	esi, 0FFFFFFF8h
		mov	dword_6D5794, esi
		add	esi, eax
		mov	dword_6D5798, esi
		add	esi, eax
		imul	eax, ebx, 280h
		mov	edi, esi
		add	esi, eax
		mov	dword_6D594C, esi
		call	_MiGetPartitionLargePageListCount@0 ; MiGetPartitionLargePageListCount()
		imul	eax, 0Ch
		imul	ecx, ebx, 48h
		imul	ebx, ebx
		push	0
		add	eax, 7
		add	eax, esi
		and	eax, 0FFFFFFF8h
		mov	dword_6D069C, eax
		add	eax, ecx
		mov	dword_6D0698, eax
		lea	ebx, ds:7[ebx*4]
		add	ebx, eax
		mov	eax, dword_6D07B0
		and	ebx, 0FFFFFFF8h
		mov	dword_6D3394, ebx
		add	ebx, ecx
		inc	eax
		mov	dword_6D3398, ebx
		add	ebx, ecx
		mov	[ebp+var_8], eax
		test	al, 1Fh
		pop	ecx
		setnz	cl
		shr	eax, 5
		add	ecx, eax
		push	4
		pop	edx
		lea	ecx, ds:0FFFh[ecx*4]
		add	ecx, ebx
		and	ecx, 0FFFFF000h
		mov	eax, ecx
		add	ecx, 1FFFFFh
		shr	eax, 0Ch
		shr	ecx, 15h
		mov	ds:_MxPfnAllocation, eax
		call	MiObtainSystemVa
		add	dword_6D5380, eax
		add	dword_6D5384, eax
		add	dword_6D5794, eax
		add	dword_6D5798, eax
		add	dword_6D594C, eax
		add	dword_6D069C, eax
		add	dword_6D0698, eax
		add	dword_6D3394, eax
		add	dword_6D3398, eax
		mov	esi, [ebp+var_4]
		mov	ecx, esi
		mov	ds:_MmPfnDatabase, eax
		add	eax, edi
		mov	dword_6D4E50, eax
		call	MiCreateSparsePfnDatabase
		test	eax, eax
		jz	short loc_AB61FD
		mov	eax, [ebp+var_8]
		mov	dword_6D35B4, eax
		mov	eax, ds:_MmPfnDatabase
		add	eax, ebx
		push	offset dword_6D35B4
		mov	dword_6D35B8, eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		xor	ecx, ecx
		call	_MiInitializePartitions@4 ; MiInitializePartitions(x)
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiInitializePartition
		mov	ecx, esi
		call	MiInitializeNumaGraph
		xor	eax, eax
		inc	eax

loc_AB61FD:				; CODE XREF: MiCreatePfnDatabase(x)+156j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiCreatePfnDatabase@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeNumaGraph proc near		; CODE XREF: MiCreatePfnDatabase(x)+18Bp

var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_FC		= dword	ptr -0FCh
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE1257 SIZE 00000188 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 124h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ecx+84h]
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+0E0h]
		test	eax, eax
		jnz	loc_AE1257
		xor	esi, esi
		mov	[ebp+var_108], esi

loc_AB6236:				; CODE XREF: MiInitializeNumaGraph+2B09Cj
					; MiInitializeNumaGraph+2B1D8j
		movzx	ebx, ds:_KeNumberNodes

loc_AB623D:				; CODE XREF: MiInitializeNumaGraph+7Ej
		cmp	esi, ebx
		jnb	short loc_AB6282
		lea	eax, [ebx+esi]
		mov	ecx, esi
		mov	[ebp+var_11C], eax
		cmp	esi, eax
		jnb	short loc_AB6279
		mov	edi, ebx
		imul	edi, esi
		mov	esi, eax
		shl	edi, 2

loc_AB625A:				; CODE XREF: MiInitializeNumaGraph+6Fj
		xor	edx, edx
		mov	eax, ecx
		div	ebx
		mov	eax, dword_6D0698
		and	edx, 0Fh
		inc	ecx
		mov	[edi+eax], edx
		lea	edi, [edi+4]
		cmp	ecx, esi
		jb	short loc_AB625A
		mov	esi, [ebp+var_108]

loc_AB6279:				; CODE XREF: MiInitializeNumaGraph+4Cj
		inc	esi
		mov	[ebp+var_108], esi
		jmp	short loc_AB623D
; 

loc_AB6282:				; CODE XREF: MiInitializeNumaGraph+3Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
MiInitializeNumaGraph endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiInitializePartitions(x)
_MiInitializePartitions@4 proc near	; CODE XREF: MiCreatePfnDatabase(x)+178p
		xor	eax, eax
		inc	eax
		test	ecx, ecx
		jnz	short locret_AB62F4
		and	dword_6D2FF0, ecx
		and	dword_6D2FF4, ecx
		movsx	ecx, byte_6D2FF8
		bts	ecx, 0
		mov	dword_6D300C, eax
		mov	byte_6D2FF8, cl
		mov	ecx, offset dword_6D3000
		mov	dword_6D3010, offset byte_6D2FF8
		mov	dword_6D3008, offset dword_6D300C
		mov	dword_6D3004, ecx
		mov	dword_6D3000, ecx
		mov	dword_6D3014, offset _MiSystemPartition
		mov	dword_6D3018, offset dword_6D3014

locret_AB62F4:				; CODE XREF: MiInitializePartitions(x)+5j
		retn
_MiInitializePartitions@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MxReleaseFreeDescriptor	proc near	; CODE XREF: MiCreateFreePfns+100p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE13DF SIZE 00000024 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_C], edx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_14], ebx
		mov	edi, 200h
		mov	eax, [esi+0Ch]
		mov	ecx, [esi]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_8], ecx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AB6330
		sub	eax, ecx
		lea	ecx, [ebp+var_14]
		add	eax, edi
		mov	[ebp+var_4], eax
		call	_MxCreateFreePfns@4 ; MxCreateFreePfns(x)
		inc	ebx

loc_AB6330:				; CODE XREF: MxReleaseFreeDescriptor+28j
		mov	eax, [esi+8]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AB635F
		mov	edx, [esi]
		mov	ecx, eax
		and	ecx, 0FFFFFE00h
		cmp	ecx, edx
		jbe	short loc_AB6364

loc_AB6346:				; CODE XREF: MxReleaseFreeDescriptor+73j
		sub	eax, ecx
		mov	[ebp+var_8], ecx
		inc	eax
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_4], eax
		call	_MxCreateFreePfns@4 ; MxCreateFreePfns(x)
		test	ebx, ebx
		jz	loc_AE13DF

loc_AB635F:				; CODE XREF: MxReleaseFreeDescriptor+40j
					; MxReleaseFreeDescriptor+2B0F2j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB6364:				; CODE XREF: MxReleaseFreeDescriptor+4Ej
		xor	ebx, ebx
		mov	ecx, edx
		inc	ebx
		jmp	short loc_AB6346
MxReleaseFreeDescriptor	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateNodeLists proc near		; CODE XREF: MiMakePartitionMemoryBlock(x)+148p
					; MiInitNucleus(x)+3EDp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE1403 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	eax, edx
		mov	[ebp+var_8], ecx
		push	esi
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_4], eax
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_10], ecx
		xor	edi, edi
		mov	[ebp+var_14], ecx
		and	[ebp+var_C], ebx
		lea	esi, [eax+0Ch]

loc_AB6392:				; CODE XREF: MiCreateNodeLists+45j
		mov	eax, [esi]
		lea	ecx, [ebp+var_14]
		mov	edx, [esi-4]
		push	eax
		call	_MiDescribePageRun@12 ;	MiDescribePageRun(x,x,x)
		test	eax, eax
		jz	loc_AE1403
		mov	eax, [ebp+var_4]
		inc	edi
		add	esi, 8
		cmp	edi, [eax]
		jnz	short loc_AB6392
		mov	ecx, [ebp+var_C]
		mov	edx, 6C4D6D4Dh
		push	0
		push	40h
		lea	ecx, [ecx+1]
		shl	ecx, 4
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jz	loc_AE1403
		mov	ecx, [ebp+var_8]
		lea	ebx, [eax+8]
		mov	dword ptr [eax+4], 1
		lea	edi, [ebx+0Ch]
		mov	[eax], ecx
		mov	eax, [ebp+var_C]
		mov	[ebx], eax
		mov	esi, [ebx]
		mov	eax, [ebp+var_4]
		inc	esi
		mov	eax, [eax+4]
		lea	esi, [ebx+esi*8]
		mov	[ebx+4], eax

loc_AB63F8:				; CODE XREF: MiCreateNodeLists+CFj
		mov	ecx, [ebp+var_14]
		lea	eax, [ebp+var_14]
		cmp	ecx, eax
		jz	short loc_AB643D
		cmp	[ecx+4], eax
		jnz	short loc_AB6444
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_AB6444
		mov	[ebp+var_14], eax
		lea	edx, [ebp+var_14]
		mov	[eax+4], edx
		mov	eax, [ecx+8]
		mov	[edi-4], eax
		mov	eax, [ecx+0Ch]
		mov	[edi], eax
		add	edi, 8
		mov	eax, [ecx+10h]
		mov	[esi], eax
		mov	eax, [ecx+14h]
		push	0
		mov	[esi+4], eax
		add	esi, 8
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_AB63F8
; 

loc_AB643D:				; CODE XREF: MiCreateNodeLists+94j
					; MiCreateNodeLists+2B09Fj
		pop	edi
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_AB6444:				; CODE XREF: MiCreateNodeLists+99j
					; MiCreateNodeLists+A0j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
MiCreateNodeLists endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSwitchToPfns	proc near		; CODE XREF: MiInitNucleus(x)+1FBp

var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE1438 SIZE 00000156 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 30h
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_10], ecx
		lea	edi, [ebp+var_30]
		xor	edx, edx
		stosd
		mov	ecx, 7FFFFFFFh
		stosd
		stosd
		stosd
		stosd
		mov	eax, dword_6D5D80
		imul	esi, eax, 1Ch
		add	esi, ds:_MmPfnDatabase
		test	eax, eax
		jz	loc_AE1438

loc_AB6490:				; CODE XREF: MiSwitchToPfns+2AFF2j
					; MiSwitchToPfns+2B061j
		mov	eax, [ebp+var_10]
		add	eax, 18h
		mov	[ebp+var_1C], eax
		mov	edi, [eax]
		mov	[ebp+var_10], edi
		cmp	edi, eax
		jz	loc_AB65B7
		mov	[ebp+var_14], 1Ch

loc_AB64AD:				; CODE XREF: MiSwitchToPfns+167j
		mov	esi, [edi+8]
		mov	eax, [edi+10h]
		mov	[ebp+var_8], eax
		test	esi, esi
		js	loc_AE14B0
		test	esi, 40000000h
		jnz	loc_AB65D5
		cmp	esi, 2
		jz	loc_AB65D5
		cmp	esi, 5
		jz	loc_AB65D5
		cmp	esi, 4
		jz	loc_AB65D5
		cmp	esi, 18h
		jz	loc_AB65D5
		cmp	esi, 8
		jz	loc_AB65D5
		cmp	esi, 1Dh
		jz	loc_AE14BA

loc_AB6500:				; CODE XREF: MiSwitchToPfns+2B080j
		mov	ecx, [edi+0Ch]
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	loc_AB663A

loc_AB650E:				; CODE XREF: MiSwitchToPfns+2B08Bj
		cmp	esi, 20h
		jz	loc_AB6598
		cmp	esi, 6
		jz	short loc_AB6598
		cmp	esi, 1Eh
		jz	short loc_AB6598
		cmp	esi, 1Fh
		jz	short loc_AB6598
		cmp	esi, 22h
		jz	short loc_AB6598
		cmp	esi, 17h
		jz	short loc_AB6598
		cmp	esi, 3
		jz	loc_AE155F
		cmp	esi, 16h
		jz	short loc_AB6598
		cmp	esi, 26h
		jz	short loc_AB6598
		cmp	esi, 27h
		jz	short loc_AB6598
		cmp	esi, 28h
		jz	short loc_AB6598
		imul	edi, ecx, 1Ch
		add	edi, ds:_MmPfnDatabase

loc_AB6556:				; CODE XREF: MiSwitchToPfns+149j
		test	eax, eax
		jz	short loc_AB6595
		imul	eax, 1Ch
		push	edx
		push	eax
		push	edi
		call	_RtlCompareMemoryUlong@12 ; RtlCompareMemoryUlong(x,x,x)
		push	1Ch
		xor	edx, edx
		pop	ecx
		div	ecx
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_AB65DE
		cmp	esi, 1Dh
		jz	loc_AE14F7
		cmp	esi, 24h
		jz	loc_AE14F7

loc_AB6584:				; CODE XREF: MiSwitchToPfns+2B0F5j
					; MiSwitchToPfns+2B110j
		mov	eax, [ebp+var_8]
		push	1Ch
		dec	eax
		pop	ecx

loc_AB658B:				; CODE XREF: MiSwitchToPfns+1EBj
		push	0
		mov	[ebp+var_8], eax
		add	edi, ecx
		pop	edx
		jmp	short loc_AB6556
; 

loc_AB6595:				; CODE XREF: MiSwitchToPfns+10Ej
		mov	edi, [ebp+var_10]

loc_AB6598:				; CODE XREF: MiSwitchToPfns+C7j
					; MiSwitchToPfns+D0j ...
		cmp	esi, 3
		jz	loc_AE155F

loc_AB65A1:				; CODE XREF: MiSwitchToPfns+192j
					; MiSwitchToPfns+1F6j ...
		mov	ecx, 7FFFFFFFh

loc_AB65A6:				; CODE XREF: MiSwitchToPfns+2B06Bj
					; MiSwitchToPfns+2B133j ...
		mov	edi, [edi]
		push	0
		mov	[ebp+var_10], edi
		pop	edx
		cmp	edi, [ebp+var_1C]
		jnz	loc_AB64AD

loc_AB65B7:				; CODE XREF: MiSwitchToPfns+56j
		push	2
		pop	edx
		push	3
		pop	ecx
		call	KeFlushTb
		or	ds:_MiFlags, 8000000h
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_AB65D5:				; CODE XREF: MiSwitchToPfns+7Aj
					; MiSwitchToPfns+83j ...
		mov	ecx, edi
		call	MiCreateFreePfns
		jmp	short loc_AB65A1
; 

loc_AB65DE:				; CODE XREF: MiSwitchToPfns+126j
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	[ebp+var_14]
		mov	edx, ecx
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	MiRestrictRangeToNode
		mov	ecx, eax
		mov	[ebp+var_18], ecx
		cmp	esi, 9
		jz	loc_AE14DA
		cmp	esi, 0Bh
		jz	loc_AE14DA
		cmp	esi, 1Dh
		jz	short loc_AB664B
		cmp	esi, 24h
		jz	short loc_AB664B
		push	40h
		pop	eax

loc_AB661A:				; CODE XREF: MiSwitchToPfns+206j
		push	0
		push	0
		push	0
		push	eax
		push	ecx
		mov	edx, ecx
		mov	ecx, edi
		call	_MiInitializeUnusablePfns@28 ; MiInitializeUnusablePfns(x,x,x,x,x,x,x)

loc_AB662B:				; CODE XREF: MiSwitchToPfns+2B0A8j
		mov	eax, [ebp+var_8]
		sub	eax, [ebp+var_18]
		imul	ecx, [ebp+var_18], 1Ch
		jmp	loc_AB658B
; 

loc_AB663A:				; CODE XREF: MiSwitchToPfns+BEj
		sub	eax, 1
		mov	[ebp+var_8], eax
		jz	loc_AB65A1
		jmp	loc_AE14CF
; 

loc_AB664B:				; CODE XREF: MiSwitchToPfns+1C6j
					; MiSwitchToPfns+1CBj
		mov	eax, 80h
		jmp	short loc_AB661A
MiSwitchToPfns	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateFreePfns proc near		; CODE XREF: MiSwitchToPfns+18Dp

var_84		= dword	ptr -84h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE158E SIZE 00000063 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_48]
		mov	edi, ecx
		mov	[ebp+var_5C], esi
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_58], edi
		call	_memset
		mov	eax, [edi+0Ch]
		add	esp, 0Ch
		mov	[ebp+var_4C], eax
		mov	ebx, esi
		mov	eax, [edi+10h]
		mov	[ebp+var_50], eax
		mov	eax, [edi+8]
		test	eax, 40000000h
		jnz	loc_AE158E
		mov	ecx, offset _MxBootFreeDescriptor

loc_AB66A4:				; CODE XREF: MiCreateFreePfns+2AF49j
		movzx	eax, ds:_KeNumberNodes
		imul	edx, eax, 14h
		add	edx, ecx
		cmp	ecx, edx
		jnb	short loc_AB66E0
		mov	edi, [ebp+var_4C]

loc_AB66B7:				; CODE XREF: MiCreateFreePfns+82j
		cmp	[ecx+4], esi
		jz	short loc_AB66CF
		mov	eax, [ecx]
		mov	[ebp+var_4C], eax
		cmp	eax, edi
		jb	short loc_AB66CF
		mov	eax, [ebp+var_50]
		add	eax, edi
		cmp	[ebp+var_4C], eax
		jb	short loc_AB66F6

loc_AB66CF:				; CODE XREF: MiCreateFreePfns+68j
					; MiCreateFreePfns+71j	...
		add	ecx, 14h
		cmp	ecx, edx
		jb	short loc_AB66B7
		mov	edi, [ebp+var_58]
		mov	[ebp+var_4C], ebx
		test	ebx, ebx
		jnz	short loc_AB66FD

loc_AB66E0:				; CODE XREF: MiCreateFreePfns+60j
		mov	ecx, edi

loc_AB66E2:				; CODE XREF: MiCreateFreePfns+2AF9Aj
		call	_MxCreateFreePfns@4 ; MxCreateFreePfns(x)

loc_AB66E7:				; CODE XREF: MiCreateFreePfns+107j
					; MiCreateFreePfns+2AF91j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AB66F6:				; CODE XREF: MiCreateFreePfns+7Bj
		mov	[ebp+ebx*4+var_48], ecx
		inc	ebx
		jmp	short loc_AB66CF
; 

loc_AB66FD:				; CODE XREF: MiCreateFreePfns+8Cj
		push	offset _MxDescriptorSort ; int __cdecl (*)(const void *,const void *)
		push	4		; size_t
		lea	eax, [ebp+var_48]
		push	ebx		; size_t
		push	eax		; void *
		call	_qsort
		add	esp, 10h
		mov	esi, edi
		lea	edi, [ebp+var_70]
		test	ebx, ebx
		push	5
		pop	ecx
		rep movsd
		mov	ebx, [ebp+var_60]
		jz	loc_AE15E1
		mov	edx, [ebp+var_64]
		xor	esi, esi

loc_AB672B:				; CODE XREF: MiCreateFreePfns+2AF89j
		mov	ecx, [ebp+esi*4+var_48]
		mov	[ebp+var_54], ecx
		mov	eax, [ecx]
		cmp	eax, edx
		ja	loc_AE15A0

loc_AB673C:				; CODE XREF: MiCreateFreePfns+2AF7Aj
		mov	eax, [ecx+4]
		add	edx, eax
		sub	ebx, eax
		mov	[ebp+var_54], edx
		mov	eax, [ebp+var_58]
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], ebx
		mov	edx, [eax+8]
		call	MxReleaseFreeDescriptor
		test	ebx, ebx
		jz	short loc_AB66E7
		jmp	loc_AE15D1
MiCreateFreePfns endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MxCreateFreePfns(x)
_MxCreateFreePfns@4 proc near		; CODE XREF: MxReleaseFreeDescriptor+34p
					; MxReleaseFreeDescriptor+5Cp ...

var_58		= dword	ptr -58h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= byte ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		push	ebx
		push	esi
		push	edi
		mov	edx, ecx
		lea	edi, [ebp+var_58]
		push	7
		xor	eax, eax
		pop	ecx
		mov	ebx, [edx+0Ch]
		rep stosd
		mov	edi, [edx+10h]
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_10], edi
		test	ebx, ebx
		jnz	short loc_AB6794
		sub	edi, ecx
		mov	[ebp+var_10], edi
		jz	loc_AB6A50
		mov	ebx, ecx

loc_AB6794:				; CODE XREF: MxCreateFreePfns(x)+25j
		mov	eax, [edx+8]
		mov	[ebp+var_28], eax
		cmp	eax, 2
		jz	short loc_AB67A4
		cmp	eax, 18h
		jnz	short loc_AB67A6

loc_AB67A4:				; CODE XREF: MxCreateFreePfns(x)+3Dj
		xor	ecx, ecx

loc_AB67A6:				; CODE XREF: MxCreateFreePfns(x)+42j
		xor	edx, edx
		mov	[ebp+var_20], ecx
		cmp	eax, 18h
		push	1Ch
		setnz	dl
		imul	esi, ebx, 1Ch
		mov	[ebp+var_24], edx
		pop	edx
		add	esi, ds:_MmPfnDatabase
		xor	eax, eax
		mov	[ebp+var_8], eax
		jmp	loc_AB699E
; 

loc_AB67CA:				; CODE XREF: MxCreateFreePfns(x)+240j
		test	ecx, ecx
		jz	short loc_AB6838
		movzx	ecx, word ptr [esi+14h]
		xor	edx, edx
		inc	edx
		cmp	cx, dx
		jnz	loc_AB687A
		mov	eax, [esi+18h]
		mov	edx, [esi+4]
		and	eax, offset loc_7FFFFF
		imul	ecx, eax, 1Ch
		or	edx, 80000000h
		mov	eax, ds:_ZeroPte
		add	ecx, ds:_MmPfnDatabase
		mov	[edx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edx+4], eax
		or	edx, 0FFFFFFFFh
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		mov	eax, [ecx+10h]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	short loc_AB6822
		call	_MiFreeEmptyBootPageTable@4 ; MiFreeEmptyBootPageTable(x)

loc_AB6822:				; CODE XREF: MxCreateFreePfns(x)+BBj
		and	dword ptr [esi+10h], 0C0000000h
		xor	eax, eax
		mov	[esi+14h], ax
		mov	eax, [ebp+var_8]

loc_AB6832:				; CODE XREF: MxCreateFreePfns(x)+11Dj
		mov	ecx, [ebp+var_20]
		push	1Ch
		pop	edx

loc_AB6838:				; CODE XREF: MxCreateFreePfns(x)+6Cj
		test	ebx, 1FFh
		jnz	loc_AB6A0E
		test	ecx, ecx
		jnz	loc_AB6A0E
		cmp	edi, 200h
		jb	loc_AB6A0E
		mov	edx, edi
		mov	ecx, ebx
		call	MiRestrictRangeToNode
		mov	edx, eax
		mov	[ebp+var_18], edx
		cmp	edx, 200h
		jnb	short loc_AB688E
		mov	eax, [ebp+var_8]
		mov	[esi], eax
		mov	eax, esi
		mov	[ebp+var_8], eax
		jmp	short loc_AB687F
; 

loc_AB687A:				; CODE XREF: MxCreateFreePfns(x)+78j
		test	cx, cx
		jz	short loc_AB6832

loc_AB687F:				; CODE XREF: MxCreateFreePfns(x)+118j
		push	1Ch
		pop	edx

loc_AB6882:				; CODE XREF: MxCreateFreePfns(x)+2B5j
		inc	ebx
		add	esi, edx
		dec	edi
		mov	[ebp+var_10], edi
		jmp	loc_AB699B
; 

loc_AB688E:				; CODE XREF: MxCreateFreePfns(x)+10Cj
		xor	ecx, ecx
		mov	[ebp+var_1C], ecx

loc_AB6893:				; CODE XREF: MxCreateFreePfns(x)+22Fj
		mov	eax, ds:_MiLargePageSizes[ecx*4]
		mov	[ebp+var_14], eax
		neg	eax
		and	eax, ebx
		cmp	ebx, eax
		jnz	loc_AB6989
		cmp	edx, [ebp+var_14]
		jb	loc_AB6989
		test	ecx, ecx
		jz	short loc_AB68DB
		mov	ecx, ds:dword_4102F0[ecx*4]
		lea	eax, [ecx-1]
		and	eax, ebx
		sub	ecx, eax
		cmp	ecx, edx
		jbe	short loc_AB68CA
		mov	ecx, edx

loc_AB68CA:				; CODE XREF: MxCreateFreePfns(x)+166j
		mov	eax, ecx
		xor	edx, edx
		div	[ebp+var_14]
		sub	ecx, edx
		mov	[ebp+var_C], ecx
		mov	ecx, [ebp+var_1C]
		jmp	short loc_AB68EA
; 

loc_AB68DB:				; CODE XREF: MxCreateFreePfns(x)+154j
		mov	eax, edx
		xor	edx, edx
		div	[ebp+var_14]
		mov	eax, [ebp+var_18]
		sub	eax, edx
		mov	[ebp+var_C], eax

loc_AB68EA:				; CODE XREF: MxCreateFreePfns(x)+179j
		mov	edx, ecx
		xor	ecx, ecx
		push	0
		call	_MiDetermineNewPfnHeatState@8 ;	MiDetermineNewPfnHeatState(x,x)
		neg	eax
		mov	edx, ebx
		sbb	eax, eax
		inc	eax
		push	eax
		xor	eax, eax
		inc	eax
		push	eax
		push	[ebp+var_1C]
		push	[ebp+var_C]
		call	_MiInitializeAllResidentPageBasePfns@28	; MiInitializeAllResidentPageBasePfns(x,x,x,x,x,x,x)
		mov	edx, [ebp+var_C]
		xor	eax, eax
		push	0
		push	ecx
		inc	eax
		mov	ecx, ebx
		push	eax
		push	[ebp+var_1C]
		call	_MiCreateInitialLargeLeafPfns@24 ; MiCreateInitialLargeLeafPfns(x,x,x,x,x,x)
		cmp	[ebp+var_C], 0
		jz	short loc_AB697B
		imul	eax, [ebp+var_14], 1Ch
		mov	[ebp+var_1C], eax

loc_AB692D:				; CODE XREF: MxCreateFreePfns(x)+217j
		xor	eax, eax
		lea	edi, [ebp+var_3C]
		stosd
		mov	ecx, esi
		stosd
		stosd
		stosd
		mov	eax, [ebp+var_24]
		and	[ebp+var_34], 0
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		lea	ecx, [ebp+var_3C]
		mov	[ebp+var_30], al
		call	_MiInsertLargePageInNodeList@4 ; MiInsertLargePageInNodeList(x)
		mov	ecx, [ebp+var_14]
		add	ebx, ecx
		mov	eax, [ebp+var_C]
		mov	edx, [ebp+var_18]
		sub	eax, ecx
		mov	edi, [ebp+var_10]
		sub	edx, ecx
		add	esi, [ebp+var_1C]
		sub	edi, ecx
		mov	[ebp+var_C], eax
		mov	[ebp+var_18], edx
		mov	[ebp+var_10], edi
		test	eax, eax
		jnz	short loc_AB692D
		jmp	short loc_AB697E
; 

loc_AB697B:				; CODE XREF: MxCreateFreePfns(x)+1C4j
		mov	edx, [ebp+var_18]

loc_AB697E:				; CODE XREF: MxCreateFreePfns(x)+219j
		cmp	edx, 200h
		jb	short loc_AB6995
		or	ecx, 0FFFFFFFFh

loc_AB6989:				; CODE XREF: MxCreateFreePfns(x)+143j
					; MxCreateFreePfns(x)+14Cj
		add	ecx, 1
		mov	[ebp+var_1C], ecx
		jz	loc_AB6893

loc_AB6995:				; CODE XREF: MxCreateFreePfns(x)+224j
		mov	eax, [ebp+var_8]
		push	1Ch
		pop	edx

loc_AB699B:				; CODE XREF: MxCreateFreePfns(x)+129j
		mov	ecx, [ebp+var_20]

loc_AB699E:				; CODE XREF: MxCreateFreePfns(x)+65j
		test	edi, edi
		jnz	loc_AB67CA
		xor	ebx, ebx
		cmp	[ebp+var_28], 18h
		push	2
		setz	bl
		xor	ecx, ecx
		pop	edx
		call	_MiDetermineNewPfnHeatState@8 ;	MiDetermineNewPfnHeatState(x,x)
		test	eax, eax
		jz	short loc_AB69C3
		or	ebx, 400h

loc_AB69C3:				; CODE XREF: MxCreateFreePfns(x)+25Bj
		mov	ecx, [ebp+var_24]
		lea	edx, [ebp+var_58]
		call	_MiCreatePfnTemplate@8 ; MiCreatePfnTemplate(x,x)
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	edi, [ebp+var_8]
		mov	[ebp+var_1], al
		test	edi, edi
		jz	short loc_AB6A48

loc_AB69E0:				; CODE XREF: MxCreateFreePfns(x)+2E3j
		mov	esi, edi
		mov	edi, [edi]
		mov	eax, esi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	ecx, esi
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_58]
		push	eax
		xor	eax, eax
		lea	edx, [eax+1]
		call	_MiCreateInitialPfns@12	; MiCreateInitialPfns(x,x,x)
		and	[ebp+var_2C], 0
		add	esi, 10h
		jmp	short loc_AB6A28
; 

loc_AB6A0E:				; CODE XREF: MxCreateFreePfns(x)+DEj
					; MxCreateFreePfns(x)+E6j ...
		mov	[esi], eax
		mov	eax, esi
		mov	[ebp+var_8], eax
		jmp	loc_AB6882
; 

loc_AB6A1A:				; CODE XREF: MxCreateFreePfns(x)+2C6j
					; MxCreateFreePfns(x)+2CDj
		lea	ecx, [ebp+var_2C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_AB6A1A

loc_AB6A28:				; CODE XREF: MxCreateFreePfns(x)+2ACj
		lock bts dword ptr [esi], 1Fh
		jb	short loc_AB6A1A
		mov	ecx, [ebp+var_28]
		mov	edx, ebx
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		test	edi, edi
		jnz	short loc_AB69E0
		mov	al, [ebp+var_1]

loc_AB6A48:				; CODE XREF: MxCreateFreePfns(x)+27Ej
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_AB6A50:				; CODE XREF: MxCreateFreePfns(x)+2Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MxCreateFreePfns@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFindLargestLoaderDescriptor proc near	; CODE XREF: MiInitNucleus(x)+149p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE15F1 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 48h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		or	dword_6D5D80, 0FFFFFFFFh
		lea	edx, [ebp+var_44]
		push	esi
		push	edi
		mov	esi, ecx
		call	MxComputeFreeNodeDescriptorRequirements
		lea	edi, [esi+18h]
		mov	esi, [edi]

loc_AB6A80:				; CODE XREF: MiFindLargestLoaderDescriptor+A9j
		cmp	esi, edi
		jz	loc_AB6B19
		mov	eax, [esi+8]
		cmp	eax, 20h
		jz	short loc_AB6AFD
		cmp	eax, 6
		jz	short loc_AB6AFD
		cmp	eax, 1Eh
		jz	short loc_AB6AFD
		cmp	eax, 1Fh
		jz	short loc_AB6AFD
		cmp	eax, 22h
		jz	short loc_AB6AFD
		cmp	eax, 17h
		jz	short loc_AB6AFD
		cmp	eax, 3
		jz	short loc_AB6AFD
		cmp	eax, 16h
		jz	short loc_AB6AFD
		cmp	eax, 26h
		jz	short loc_AB6AFD
		cmp	eax, 27h
		jz	short loc_AB6AFD
		cmp	eax, 28h
		jz	short loc_AB6AFD
		mov	ecx, [esi+0Ch]
		mov	edx, [esi+10h]
		lea	eax, [edx+ecx]
		mov	[ebp+var_48], eax
		mov	eax, dword_6D5D84
		cmp	[ebp+var_48], eax
		jbe	short loc_AB6AE2
		lea	eax, [ecx-1]
		add	eax, edx
		mov	dword_6D5D84, eax

loc_AB6AE2:				; CODE XREF: MiFindLargestLoaderDescriptor+80j
		add	dword_6D5D88, edx
		cmp	ecx, dword_6D5D80
		jb	short loc_AB6B10

loc_AB6AF0:				; CODE XREF: MiFindLargestLoaderDescriptor+C1j
		mov	eax, [esi+8]
		cmp	eax, 2
		jz	short loc_AB6B04
		cmp	eax, 18h
		jz	short loc_AB6B04

loc_AB6AFD:				; CODE XREF: MiFindLargestLoaderDescriptor+38j
					; MiFindLargestLoaderDescriptor+3Dj ...
		mov	esi, [esi]
		jmp	loc_AB6A80
; 

loc_AB6B04:				; CODE XREF: MiFindLargestLoaderDescriptor+A0j
					; MiFindLargestLoaderDescriptor+A5j
		lea	edx, [ebp+var_44]
		mov	ecx, esi
		call	MxInitializeFreeNodeDescriptors
		jmp	short loc_AB6AFD
; 

loc_AB6B10:				; CODE XREF: MiFindLargestLoaderDescriptor+98j
		mov	eax, ecx
		mov	dword_6D5D80, eax
		jmp	short loc_AB6AF0
; 

loc_AB6B19:				; CODE XREF: MiFindLargestLoaderDescriptor+2Cj
		mov	eax, dword_6D5D84
		mov	ecx, ds:_MmDynamicPfn
		inc	eax
		pop	edi
		pop	esi
		cmp	ecx, eax
		jnb	short loc_AB6B33
		mov	ecx, eax
		mov	ds:_MmDynamicPfn, ecx

loc_AB6B33:				; CODE XREF: MiFindLargestLoaderDescriptor+D3j
		mov	eax, dword_6D07B0
		inc	eax
		cmp	ecx, eax
		ja	loc_AE15F1

loc_AB6B41:				; CODE XREF: MiFindLargestLoaderDescriptor+2ABA3j
		lea	eax, [ecx-1]
		mov	ecx, [ebp+var_4]
		mov	dword_6D07B0, eax
		xor	ecx, ebp
		xor	eax, eax
		inc	eax
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
MiFindLargestLoaderDescriptor endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MxInitializeFreeNodeDescriptors	proc near ; CODE XREF: MiFindLargestLoaderDescriptor+B3p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE15FE SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, [ecx+10h]
		mov	[ebp+var_8], edx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], eax
		push	ebx
		mov	ebx, [ecx+0Ch]
		test	eax, eax
		jz	short loc_AB6BBA
		push	esi
		push	edi

loc_AB6B76:				; CODE XREF: MxInitializeFreeNodeDescriptors+5Ej
		mov	edx, eax
		mov	ecx, ebx
		call	MiRestrictRangeToNode
		mov	ecx, ebx
		mov	[ebp+var_4], eax
		call	MiSearchNumaNodeTable
		mov	ecx, [ebp+var_4]
		mov	esi, [eax+4]
		imul	edi, esi, 14h
		add	edi, offset _MxBootFreeDescriptor
		cmp	ecx, [edi+4]
		jnb	short loc_AB6BBD
		mov	eax, [ebp+var_8]
		mov	eax, [eax+esi*4]
		add	eax, 4000h
		cmp	ecx, eax
		jnb	short loc_AB6BBD

loc_AB6BAC:				; CODE XREF: MxInitializeFreeNodeDescriptors+A4j
		mov	eax, [ebp+var_C]
		add	ebx, ecx
		sub	eax, ecx
		mov	[ebp+var_C], eax
		jnz	short loc_AB6B76
		pop	edi
		pop	esi

loc_AB6BBA:				; CODE XREF: MxInitializeFreeNodeDescriptors+1Aj
		pop	ebx
		leave
		retn
; 

loc_AB6BBD:				; CODE XREF: MxInitializeFreeNodeDescriptors+43j
					; MxInitializeFreeNodeDescriptors+52j
		dec	ecx
		add	ecx, ebx
		call	MxPageAlwaysHot
		cmp	eax, 1
		jz	short loc_AB6BE3
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	short loc_AB6BE3
		mov	eax, [edi]
		dec	eax
		add	ecx, eax
		call	MxPageAlwaysHot
		test	eax, eax
		jnz	loc_AE15FE

loc_AB6BE3:				; CODE XREF: MxInitializeFreeNodeDescriptors+70j
					; MxInitializeFreeNodeDescriptors+77j ...
		mov	eax, [ebp+var_4]
		mov	ecx, edi
		mov	edx, [ebp+var_10]
		push	eax
		push	ebx
		call	_MiInitializeBootMemoryDescriptor@16 ; MiInitializeBootMemoryDescriptor(x,x,x,x)
		mov	ds:_MxFreeDescriptor[esi*4], edi

loc_AB6BF9:				; CODE XREF: MxInitializeFreeNodeDescriptors+2AAB9j
		mov	ecx, [ebp+var_4]
		jmp	short loc_AB6BAC
MxInitializeFreeNodeDescriptors	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateSparsePfnDatabase proc near	; CODE XREF: MiCreatePfnDatabase(x)+14Fp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE161C SIZE 0000003F BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		add	ecx, 18h
		xor	edx, edx
		push	edi
		push	3
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_4], edx
		mov	eax, [ecx]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], eax
		pop	edi
		cmp	eax, ecx
		jz	loc_AB6D9D

loc_AB6C38:				; CODE XREF: MiCreateSparsePfnDatabase+190j
		mov	ecx, [eax+8]
		cmp	ecx, 20h
		jz	loc_AB6DD4
		cmp	ecx, 6
		jz	loc_AB6DD4
		cmp	ecx, 1Eh
		jz	loc_AB6DD4
		cmp	ecx, 1Fh
		jz	loc_AB6DD4
		cmp	ecx, 22h
		jz	loc_AB6DD4
		cmp	ecx, 17h
		jz	loc_AB6DD4
		cmp	ecx, 3
		jz	loc_AB6DD4
		cmp	ecx, 16h
		jz	loc_AB6DD4
		cmp	ecx, 26h
		jz	loc_AB6DD4
		cmp	ecx, 27h
		jz	loc_AB6DD4
		cmp	ecx, 28h
		jz	loc_AB6DD4
		mov	edx, [eax+0Ch]
		cmp	esi, 0FFFFFFFFh
		jz	loc_AB6E0A
		mov	eax, [ebp+var_4]
		add	eax, esi
		cmp	eax, edx
		jnz	loc_AB6DD9
		cmp	edi, 2
		jz	loc_AB6DF3
		cmp	edi, 18h
		jz	loc_AB6DF3

loc_AB6CC9:				; CODE XREF: MiCreateSparsePfnDatabase+201j
		cmp	edi, 2
		jz	short loc_AB6CFA
		cmp	ecx, 2
		jz	loc_AB6DD9
		cmp	edi, 18h
		jz	loc_AB6DD9
		cmp	ecx, 18h
		jz	loc_AB6DD9

loc_AB6CE9:				; CODE XREF: MiCreateSparsePfnDatabase+1F8j
					; MiCreateSparsePfnDatabase+207j
		mov	eax, [ebp+var_8]
		mov	edx, [ebp+var_4]
		add	edx, [eax+10h]
		mov	[ebp+var_4], edx
		jmp	loc_AB6D86
; 

loc_AB6CFA:				; CODE XREF: MiCreateSparsePfnDatabase+CEj
					; MiCreateSparsePfnDatabase+1DEj ...
		xor	eax, eax

loc_AB6CFC:				; CODE XREF: MiCreateSparsePfnDatabase+1F0j
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	eax
		call	MxMapPfnRange
		test	eax, eax
		jz	loc_AB6E24
		mov	ecx, [ebp+var_8]
		mov	eax, [ecx+8]
		cmp	eax, 20h
		jz	loc_AB6E19
		cmp	eax, 6
		jz	loc_AB6E19
		cmp	eax, 1Eh
		jz	loc_AB6E19
		cmp	eax, 1Fh
		jz	loc_AB6E19
		cmp	eax, 22h
		jz	loc_AB6E19
		cmp	eax, 17h
		jz	loc_AB6E19
		cmp	eax, 3
		jz	loc_AB6E19
		cmp	eax, 16h
		jz	loc_AB6E19
		cmp	eax, 26h
		jz	loc_AB6E19
		cmp	eax, 27h
		jz	loc_AB6E19
		cmp	eax, 28h
		jz	loc_AB6E19
		mov	edx, [ecx+10h]
		mov	edi, eax
		mov	esi, [ecx+0Ch]
		mov	[ebp+var_4], edx

loc_AB6D83:				; CODE XREF: MiCreateSparsePfnDatabase+221j
		mov	eax, [ebp+var_8]

loc_AB6D86:				; CODE XREF: MiCreateSparsePfnDatabase+F7j
					; MiCreateSparsePfnDatabase+1D9j ...
		mov	eax, [eax]
		mov	[ebp+var_8], eax
		cmp	eax, [ebp+var_C]
		jnz	loc_AB6C38
		cmp	esi, 0FFFFFFFFh
		jnz	loc_AE161C

loc_AB6D9D:				; CODE XREF: MiCreateSparsePfnDatabase+34j
					; MiCreateSparsePfnDatabase+2AA3Fj
		mov	eax, dword_6D07B0
		mov	ecx, dword_6D3250
		inc	eax
		cmp	ecx, eax
		jnz	loc_AE1642

loc_AB6DB1:				; CODE XREF: MiCreateSparsePfnDatabase+2AA58j
		mov	ecx, dword_6D07B0
		or	edx, 0FFFFFFFFh
		push	1
		lea	ecx, [ecx+1]
		call	MxMapPfnRange
		test	eax, eax
		jz	short loc_AB6E24
		xor	eax, eax
		inc	eax

loc_AB6DCB:				; CODE XREF: MiCreateSparsePfnDatabase+228j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_AB6DD4:				; CODE XREF: MiCreateSparsePfnDatabase+40j
					; MiCreateSparsePfnDatabase+49j ...
		cmp	esi, 0FFFFFFFFh
		jz	short loc_AB6D86

loc_AB6DD9:				; CODE XREF: MiCreateSparsePfnDatabase+B3j
					; MiCreateSparsePfnDatabase+D3j ...
		cmp	edi, 2
		jz	loc_AB6CFA
		cmp	edi, 18h
		jz	loc_AB6CFA
		xor	eax, eax
		inc	eax
		jmp	loc_AB6CFC
; 

loc_AB6DF3:				; CODE XREF: MiCreateSparsePfnDatabase+BCj
					; MiCreateSparsePfnDatabase+C5j
		cmp	ecx, 2
		jz	loc_AB6CE9
		cmp	ecx, 18h
		jnz	loc_AB6CC9
		jmp	loc_AB6CE9
; 

loc_AB6E0A:				; CODE XREF: MiCreateSparsePfnDatabase+A6j
		mov	esi, edx
		mov	edi, ecx
		mov	edx, [eax+10h]
		mov	[ebp+var_4], edx
		jmp	loc_AB6D86
; 

loc_AB6E19:				; CODE XREF: MiCreateSparsePfnDatabase+11Aj
					; MiCreateSparsePfnDatabase+123j ...
		mov	edx, [ebp+var_4]
		or	esi, 0FFFFFFFFh
		jmp	loc_AB6D83
; 

loc_AB6E24:				; CODE XREF: MiCreateSparsePfnDatabase+10Bj
					; MiCreateSparsePfnDatabase+1C8j ...
		xor	eax, eax
		jmp	short loc_AB6DCB
MiCreateSparsePfnDatabase endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MxMapPfnRange	proc near		; CODE XREF: MiCreateSparsePfnDatabase+104p
					; MiCreateSparsePfnDatabase+1C1p ...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE165B SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ecx
		lea	edi, [ebp+var_2C]
		xor	eax, eax
		mov	esi, edx
		mov	edx, ds:_MmPfnDatabase
		push	6
		pop	ecx
		rep stosd
		mov	ecx, [ebp+var_8]
		imul	edi, ecx, 1Ch
		add	edi, edx
		mov	eax, edi
		and	eax, 0FFE00000h
		cmp	edi, eax
		jz	loc_AE165B
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h

loc_AB6E6E:				; CODE XREF: MxMapPfnRange+2A835j
		cmp	esi, 0FFFFFFFFh
		jz	loc_AB6F8B
		lea	eax, [ecx+esi]
		imul	ebx, eax, 1Ch
		add	ebx, edx
		mov	eax, ebx
		and	eax, 0FFE00000h
		cmp	ebx, eax
		jz	loc_AB6F8B
		dec	ebx
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		sub	ebx, 40000000h

loc_AB6E9E:				; CODE XREF: MxMapPfnRange+165j
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], ebx

loc_AB6EA4:				; CODE XREF: MxMapPfnRange+14Bj
		test	esi, esi
		jz	loc_AB6F78
		mov	[ebp+var_C], esi
		cmp	esi, 0FFFFFFFFh
		jz	loc_AB6F92
		mov	edx, esi
		call	MiRestrictRangeToNode
		mov	ecx, [ebp+var_8]
		sub	esi, eax
		mov	[ebp+var_C], eax
		add	eax, ecx
		mov	[ebp+var_14], esi
		imul	eax, 1Ch

loc_AB6ECF:				; CODE XREF: MxMapPfnRange+176j
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_10], eax
		call	MiSearchNumaNodeTable
		mov	ecx, [ebp+var_8]
		mov	edx, offset loc_7FFFF8
		imul	esi, ecx, 1Ch
		add	ecx, [ebp+var_C]
		mov	eax, [eax+4]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_10]
		add	esi, ds:_MmPfnDatabase
		shr	esi, 9
		and	esi, edx
		mov	[ebp+var_8], ecx
		sub	esi, 40000000h
		dec	eax
		shr	eax, 9
		and	eax, edx
		sub	eax, 40000000h
		mov	[ebp+var_10], eax
		cmp	esi, eax
		ja	short loc_AB6F70

loc_AB6F1A:				; CODE XREF: MxMapPfnRange+143j
		cmp	esi, edi
		jnz	short loc_AB6F82

loc_AB6F1E:				; CODE XREF: MxMapPfnRange+15Cj
		xor	ecx, ecx
		inc	ecx

loc_AB6F21:				; CODE XREF: MxMapPfnRange+161j
		and	[ebp+var_18], 0
		mov	eax, esi
		shl	eax, 9
		mov	[ebp+var_24], ecx
		lea	ecx, [ebp+var_2C]
		mov	[ebp+var_2C], eax
		call	MxMapVa
		test	eax, eax
		jz	short loc_AB6FA8
		mov	eax, [ebp+var_18]
		test	eax, eax
		jz	short loc_AB6FA3
		mov	ecx, eax

loc_AB6F45:				; CODE XREF: MxMapPfnRange+12Fj
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		sub	ecx, 1
		jnz	short loc_AB6F45
		add	esi, 8
		test	eax, eax
		jz	short loc_AB6F68

loc_AB6F60:				; CODE XREF: MxMapPfnRange+13Ej
		shl	esi, 9
		sub	eax, 1
		jnz	short loc_AB6F60

loc_AB6F68:				; CODE XREF: MxMapPfnRange+136j
					; MxMapPfnRange+17Ej
		cmp	esi, [ebp+var_10]
		jbe	short loc_AB6F1A
		mov	ecx, [ebp+var_8]

loc_AB6F70:				; CODE XREF: MxMapPfnRange+F0j
		mov	esi, [ebp+var_14]
		jmp	loc_AB6EA4
; 

loc_AB6F78:				; CODE XREF: MxMapPfnRange+7Ej
		xor	eax, eax
		inc	eax

loc_AB6F7B:				; CODE XREF: MxMapPfnRange+182j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_AB6F82:				; CODE XREF: MxMapPfnRange+F4j
		cmp	esi, ebx
		jz	short loc_AB6F1E
		mov	ecx, [ebp+arg_0]
		jmp	short loc_AB6F21
; 

loc_AB6F8B:				; CODE XREF: MxMapPfnRange+49j
					; MxMapPfnRange+60j
		xor	ebx, ebx
		jmp	loc_AB6E9E
; 

loc_AB6F92:				; CODE XREF: MxMapPfnRange+8Aj
		mov	eax, ds:_MxPfnAllocation
		and	[ebp+var_14], 0
		shl	eax, 0Ch
		jmp	loc_AB6ECF
; 

loc_AB6FA3:				; CODE XREF: MxMapPfnRange+119j
		add	esi, 8
		jmp	short loc_AB6F68
; 

loc_AB6FA8:				; CODE XREF: MxMapPfnRange+112j
		xor	eax, eax
		jmp	short loc_AB6F7B
MxMapPfnRange	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MxMapVa		proc near		; CODE XREF: MxMapPfnRange+10Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE1662 SIZE 00000131 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		cmp	dword_6D5D88, 20000h
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], eax
		jbe	short loc_AB6FD7
		mov	[ebp+var_8], 1

loc_AB6FD7:				; CODE XREF: MxMapVa+22j
		mov	ecx, [edi]
		lea	edx, [ebp+var_18]
		call	_MiFillPteHierarchy@8 ;	MiFillPteHierarchy(x,x)
		xor	ebx, ebx
		inc	ebx

loc_AB6FE4:				; CODE XREF: MxMapVa+2A77Bj
		mov	esi, [ebp+ebx*4+var_18]
		mov	eax, [esi+4]
		mov	ecx, [esi]
		mov	[ebp+var_C], eax
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_AB7018
		test	ebx, ebx
		jz	short loc_AB7010
		and	ecx, 80h
		or	ecx, 0
		jz	loc_AE171E
		mov	[edi+14h], ebx

loc_AB7010:				; CODE XREF: MxMapVa+50j MxMapVa+109j	...
		xor	eax, eax
		inc	eax

loc_AB7013:				; CODE XREF: MxMapVa+2A7E2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB7018:				; CODE XREF: MxMapVa+4Cj
		cmp	ebx, 1
		jnz	loc_AE1662
		cmp	[ebp+var_8], ebx
		jnz	loc_AE1662
		push	dword ptr [edi+4]
		xor	ecx, ecx
		inc	ecx
		call	MxGetNextPage
		cmp	eax, 0FFFFFFFFh
		jz	loc_AE1662
		add	dword_6D3634, 200h
		mov	edx, eax
		push	0B4000004h
		mov	ecx, esi
		call	MiMakeValidPte
		and	[ebp+var_4], 0
		mov	ecx, esi
		mov	ebx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_AE172C
		mov	ecx, [ebp+var_4]

loc_AB706E:				; CODE XREF: MxMapVa+2A793j
					; MxMapVa+2A7A1j ...
		mov	[esi+4], edx
		nop
		mov	[esi], ebx
		test	ecx, ecx
		jnz	loc_AE177E

loc_AB707C:				; CODE XREF: MxMapVa+2A7DBj
		mov	eax, [edi+8]
		mov	ecx, esi
		shl	ecx, 12h
		test	eax, eax
		jnz	short loc_AB70BD
		mov	eax, [edi+0Ch]
		mov	edx, offset loc_7FFFF8
		shr	eax, 9
		mov	ebx, 40000000h
		and	eax, edx
		sub	eax, ebx
		cmp	esi, eax
		jz	short loc_AB70BA
		mov	eax, [edi+10h]
		shr	eax, 9
		and	eax, edx
		sub	eax, ebx
		cmp	esi, eax
		jz	short loc_AB70BA

loc_AB70AE:				; CODE XREF: MxMapVa+114j MxMapVa+121j
		mov	dword ptr [edi+14h], 1
		jmp	loc_AB7010
; 

loc_AB70BA:				; CODE XREF: MxMapVa+F2j MxMapVa+100j
		xor	eax, eax
		inc	eax

loc_AB70BD:				; CODE XREF: MxMapVa+DAj
		cmp	eax, 1
		jnz	short loc_AB70AE
		mov	edx, 200000h
		call	_KeZeroPages	; KiZeroPages(x,x)
		jmp	short loc_AB70AE
MxMapVa		endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MxComputeFreeNodeDescriptorRequirements	proc near
					; CODE XREF: MiFindLargestLoaderDescriptor+20p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE1793 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	40h		; size_t
		mov	eax, edx
		mov	edi, ecx
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_14], eax
		call	_memset
		or	[ebp+var_4], 0FFFFFFFFh
		lea	eax, [edi+18h]
		mov	ebx, [eax]
		or	ecx, 0FFFFFFFFh
		add	esp, 0Ch
		mov	[ebp+var_8], ecx
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_1C], eax
		cmp	ebx, eax

loc_AB7106:				; CODE XREF: MxComputeFreeNodeDescriptorRequirements+123j
		mov	[ebp+var_10], ebx
		jz	loc_AB71FD
		mov	eax, [ebx+8]
		cmp	eax, 20h
		jz	loc_AB71EE
		cmp	eax, 6
		jz	loc_AB71EE
		cmp	eax, 1Eh
		jz	loc_AB71EE
		cmp	eax, 1Fh
		jz	loc_AB71EE
		cmp	eax, 22h
		jz	loc_AB71EE
		cmp	eax, 17h
		jz	loc_AB71EE
		cmp	eax, 3
		jz	loc_AB71EE
		cmp	eax, 16h
		jz	loc_AB71EE
		cmp	eax, 26h
		jz	loc_AB71EE
		cmp	eax, 27h
		jz	loc_AB71EE
		cmp	eax, 28h
		jz	short loc_AB71EE
		mov	eax, [ebx+0Ch]
		mov	[ebp+var_18], eax
		mov	eax, [ebx+10h]
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	short loc_AB71EE
		mov	ebx, [ebp+var_18]

loc_AB7184:				; CODE XREF: MxComputeFreeNodeDescriptorRequirements+119j
		mov	edx, eax
		mov	ecx, ebx
		call	MiRestrictRangeToNode
		mov	ecx, ebx
		mov	[ebp+var_18], eax
		call	MiSearchNumaNodeTable
		mov	edx, [ebp+var_8]
		mov	edi, [eax+4]
		cmp	edx, 0FFFFFFFFh
		jz	short loc_AB71F8
		cmp	edi, esi
		jnz	loc_AE1793
		imul	ecx, edx, 1Ch
		imul	eax, ebx, 1Ch
		shr	ecx, 12h
		shr	eax, 12h
		and	ecx, 3FF8h
		and	eax, 3FF8h
		sub	ecx, 3F9FFFF8h
		sub	eax, 3FA00000h
		cmp	ecx, eax
		jb	loc_AE1793

loc_AB71D4:				; CODE XREF: MxComputeFreeNodeDescriptorRequirements+12Bj
		mov	edx, [ebp+var_18]
		mov	esi, edi
		mov	eax, [ebp+var_C]
		sub	eax, edx
		mov	[ebp+var_C], eax
		lea	ecx, [edx+ebx]
		mov	[ebp+var_8], ecx
		mov	ebx, ecx
		jnz	short loc_AB7184
		mov	ebx, [ebp+var_10]

loc_AB71EE:				; CODE XREF: MxComputeFreeNodeDescriptorRequirements+45j
					; MxComputeFreeNodeDescriptorRequirements+4Ej ...
		mov	ebx, [ebx]
		cmp	ebx, [ebp+var_1C]
		jmp	loc_AB7106
; 

loc_AB71F8:				; CODE XREF: MxComputeFreeNodeDescriptorRequirements+D0j
					; MxComputeFreeNodeDescriptorRequirements+2A6D1j
		mov	[ebp+var_4], ebx
		jmp	short loc_AB71D4
; 

loc_AB71FD:				; CODE XREF: MxComputeFreeNodeDescriptorRequirements+39j
		mov	edx, ecx
		mov	ecx, [ebp+var_4]
		call	_MxComputePfnPagesNeeded@8 ; MxComputePfnPagesNeeded(x,x)
		mov	ecx, [ebp+var_14]
		pop	edi
		add	[ecx+esi*4], eax
		pop	esi
		pop	ebx
		leave
		retn
MxComputeFreeNodeDescriptorRequirements	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MxGetNextPage	proc near		; CODE XREF: MxMapVa+84p
					; MxMapVa+2A6BBp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE17A6 SIZE 000000CD BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		mov	esi, ecx
		or	ebx, 0FFFFFFFFh
		push	edi
		mov	[ebp+var_8], esi

loc_AB7228:				; CODE XREF: MxGetNextPage+2A5C5j
		mov	eax, [ebp+arg_0]
		xor	ecx, ecx

loc_AB722D:				; CODE XREF: MxGetNextPage+2A5B0j
		mov	edi, ds:_MxFreeDescriptor[eax*4]
		test	edi, edi
		jz	loc_AE17A6
		cmp	dword ptr [edi+4], 0
		jz	loc_AE17A6
		cmp	esi, 1
		jnz	short loc_AB7294
		cmp	[edi+0Ch], ebx

loc_AB724E:				; CODE XREF: MxGetNextPage+85j
		jz	loc_AE17A6

loc_AB7254:				; CODE XREF: MxGetNextPage+2A5B6j
		test	edi, edi
		jz	loc_AE17CD

loc_AB725C:				; CODE XREF: MxGetNextPage+2A5CBj
		movzx	eax, ds:_KeNumberNodes
		cmp	ecx, eax
		jz	loc_AE17E2

loc_AB726B:				; CODE XREF: MxGetNextPage+2A5E1j
		cmp	esi, 1
		jnz	loc_AE1807
		mov	esi, [edi+0Ch]
		mov	eax, esi
		sub	eax, [edi]
		cmp	eax, 200h
		jb	short loc_AB7299
		lea	eax, [esi-200h]
		mov	[edi+0Ch], eax

loc_AB728B:				; CODE XREF: MxGetNextPage+2A65Cj
		mov	eax, esi

loc_AB728D:				; CODE XREF: MxGetNextPage+2A5F0j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_AB7294:				; CODE XREF: MxGetNextPage+37j
		cmp	[edi+8], ebx
		jmp	short loc_AB724E
; 

loc_AB7299:				; CODE XREF: MxGetNextPage+6Ej
					; MxGetNextPage+2A646j
		mov	[edi+0Ch], ebx
		jmp	loc_AE1867
MxGetNextPage	endp

; 
		align 2

;  S U B	R O U T	I N E 


MxPageAlwaysHot	proc near		; CODE XREF: MxInitializeFreeNodeDescriptors+68p
					; MxInitializeFreeNodeDescriptors+7Ep

; FUNCTION CHUNK AT 00AE1873 SIZE 00000013 BYTES

		cmp	dword_6D06B4, 0
		jnz	loc_AE1873

loc_AB72AF:				; CODE XREF: MxPageAlwaysHot+2A5DAj
		xor	eax, eax
		retn
MxPageAlwaysHot	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeBootMemoryDescriptor(x,	x, x, x)
_MiInitializeBootMemoryDescriptor@16 proc near
					; CODE XREF: MxInitializeFreeNodeDescriptors+95p
					; MxSwitchDescriptors(x)+BFp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		lea	esi, [eax-1]
		mov	[ecx], edi
		add	esi, edi
		mov	[ecx+4], eax
		mov	[ecx+8], esi
		and	esi, 0FFFFFE00h
		mov	[ecx+10h], edx
		cmp	esi, edi
		jb	short loc_AB72F3
		mov	eax, esi
		sub	eax, edi
		cmp	eax, 200h
		jb	short loc_AB72F3
		lea	eax, [esi-200h]

loc_AB72EA:				; CODE XREF: MiInitializeBootMemoryDescriptor(x,x,x,x)+44j
		pop	edi
		mov	[ecx+0Ch], eax
		pop	esi
		pop	ebp
		retn	8
; 

loc_AB72F3:				; CODE XREF: MiInitializeBootMemoryDescriptor(x,x,x,x)+25j
					; MiInitializeBootMemoryDescriptor(x,x,x,x)+30j
		or	eax, 0FFFFFFFFh
		jmp	short loc_AB72EA
_MiInitializeBootMemoryDescriptor@16 endp


;  S U B	R O U T	I N E 


; __stdcall MxComputePfnPagesNeeded(x, x)
_MxComputePfnPagesNeeded@8 proc	near	; CODE XREF: MxComputeFreeNodeDescriptorRequirements+132p
					; MxComputeFreeNodeDescriptorRequirements+2A6C6p
		imul	ecx, 1Ch
		imul	eax, edx, 1Ch
		shr	ecx, 12h
		shr	eax, 12h
		and	ecx, 3FF8h
		sub	eax, ecx
		sar	eax, 3
		inc	eax
		shl	eax, 9
		retn
_MxComputePfnPagesNeeded@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeColors()
_MiInitializeColors@0 proc near		; CODE XREF: MiCreatePfnDatabase(x)+Ep
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		call	MiInitializeCacheSizes
		bsr	ecx, dword_6D06D4
		xor	eax, eax
		inc	eax
		mov	byte_6D068D, cl
		shl	eax, cl
		mov	byte_6D068C, cl
		dec	eax
		mov	ecx, large fs:20h
		mov	dword_6D0680, eax
		mov	eax, dword_6D06D0
		mov	[ecx+4CCh], eax
		leave
		retn
_MiInitializeColors@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeCacheSizes proc near	; CODE XREF: MiInitializeColors()+6p

; FUNCTION CHUNK AT 00AE1886 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, large fs:1Ch
		mov	ecx, large fs:1Ch
		mov	edx, [eax+90h]
		mov	dword_6D06B8, edx
		mov	al, [ecx+53h]
		test	al, al
		jnz	loc_AE1886

loc_AB737D:				; CODE XREF: MiInitializeCacheSizes+2A53Fj
		test	edx, edx
		jnz	loc_AE1896

loc_AB7385:				; CODE XREF: MiInitializeCacheSizes+2A54Cj
		push	esi
		mov	esi, 100h
		cmp	edx, 8
		jnb	loc_AE18A3

loc_AB7394:				; CODE XREF: MiInitializeCacheSizes+2A559j
		mov	eax, dword_6D5D88
		cmp	eax, 80000h
		jb	loc_AE18B0
		mov	edx, esi

loc_AB73A6:				; CODE XREF: MiInitializeCacheSizes+2A553j
					; MiInitializeCacheSizes+2A56Bj
		lea	eax, [edx-1]
		mov	dword_6D06D4, edx
		mov	dword_6D06D0, eax
		mov	eax, edx
		shr	eax, 4
		test	dl, 0Fh
		jnz	loc_AE18C2

loc_AB73C2:				; CODE XREF: MiInitializeCacheSizes+2A571j
		bsr	ecx, eax
		jz	short loc_AB73CC
		xor	eax, eax
		inc	eax
		shl	eax, cl

loc_AB73CC:				; CODE XREF: MiInitializeCacheSizes+73j
		mov	dword_6D0744, eax
		mov	eax, large fs:20h
		mov	dword_6D0740, 11h
		mov	edx, [eax+4010h]
		lea	ecx, [eax+3FD4h]
		test	edx, edx
		jz	short loc_AB7414

loc_AB73F1:				; CODE XREF: MiInitializeCacheSizes+C0j
		cmp	byte ptr [ecx],	1
		jnz	short loc_AB740C
		mov	eax, [ecx+8]
		cmp	eax, 2
		jnz	short loc_AB7408

loc_AB73FE:				; CODE XREF: MiInitializeCacheSizes+B8j
		mov	eax, [ecx+4]
		mov	dword_6D06BC, eax
		jmp	short loc_AB740C
; 

loc_AB7408:				; CODE XREF: MiInitializeCacheSizes+AAj
		test	eax, eax
		jz	short loc_AB73FE

loc_AB740C:				; CODE XREF: MiInitializeCacheSizes+A2j
					; MiInitializeCacheSizes+B4j
		add	ecx, 0Ch
		sub	edx, 1
		jnz	short loc_AB73F1

loc_AB7414:				; CODE XREF: MiInitializeCacheSizes+9Dj
		mov	eax, 4000h
		cmp	dword_6D06BC, eax
		jb	short loc_AB742A

loc_AB7421:				; CODE XREF: MiInitializeCacheSizes+DDj
		mov	dword_6D06E4, esi
		pop	esi
		leave
		retn
; 

loc_AB742A:				; CODE XREF: MiInitializeCacheSizes+CDj
		mov	dword_6D06BC, eax
		jmp	short loc_AB7421
MiInitializeCacheSizes endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmInitSystem	proc near		; CODE XREF: INIT:00ABFC83p
					; Phase1InitializationDiscard(x)+8C8p ...

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE18C8 SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		mov	esi, edx
		mov	[ebp+var_10], esi
		push	edi
		test	ecx, ecx
		jz	short loc_AB746C
		xor	ebx, ebx
		inc	ebx
		cmp	ecx, ebx
		jz	short loc_AB747D
		cmp	ecx, 2
		jnz	short loc_AB74B3
		mov	eax, ds:_MiFlags
		and	eax, 0FFFFFFEFh
		or	eax, 20h
		mov	ds:_MiFlags, eax

loc_AB7462:				; CODE XREF: MmInitSystem+49j
		call	MiInitSystem

loc_AB7467:				; CODE XREF: MmInitSystem+7Fj
					; MmInitSystem+83j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB746C:				; CODE XREF: MmInitSystem+12j
		mov	ecx, esi
		call	_MiInitNucleus@4 ; MiInitNucleus(x)
		test	al, al
		jz	short loc_AB74B3
		mov	edx, esi
		xor	ecx, ecx
		jmp	short loc_AB7462
; 

loc_AB747D:				; CODE XREF: MmInitSystem+19j
		cmp	ds:_KeNumberNodes, bx
		ja	loc_AE18C8

loc_AB748A:				; CODE XREF: MmInitSystem+2A4A2j
					; MmInitSystem+2A507j
		mov	ecx, ds:_MiFlags
		mov	edx, esi
		and	ecx, 0FFFFFFDFh
		or	ecx, 10h
		mov	ds:_MiFlags, ecx
		mov	ecx, ebx
		call	MiInitSystem
		test	al, al
		jz	short loc_AB74B3
		mov	byte_6D35B0, bl
		mov	al, bl
		jmp	short loc_AB7467
; 

loc_AB74B3:				; CODE XREF: MmInitSystem+1Ej
					; MmInitSystem+43j ...
		xor	al, al
		jmp	short loc_AB7467
MmInitSystem	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitSystem	proc near		; CODE XREF: MmInitSystem:loc_AB7462p
					; MmInitSystem+6Ep

var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_65		= byte ptr -65h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE193E SIZE 000005BD BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 98h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_6C], edx
		mov	[ebp+var_90], esi
		mov	[ebp+var_14], offset KeBalanceSetManager
		mov	[ebp+var_10], offset _KeSwapProcessOrStack@4 ; KeSwapProcessOrStack(x)
		mov	[ebp+var_C], offset _MiRebuildLargePagesThread@4 ; MiRebuildLargePagesThread(x)
		mov	[ebp+var_8], offset MiZeroPageThread
		push	edi
		test	ecx, ecx
		jz	loc_AB769F
		cmp	ecx, 1
		jnz	loc_AB78E0
		mov	eax, large fs:124h
		push	esi
		mov	edi, [eax+80h]
		mov	edx, edi
		mov	eax, [edi+194h]
		mov	ecx, [eax+18h]
		mov	eax, [eax+1Ch]
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiSetPageTablePfnBuddy@12 ; MiSetPageTablePfnBuddy(x,x,x)
		lea	eax, [edi+0FCh]
		mov	ecx, 400h
		lock or	[eax], ecx
		mov	ecx, 800h
		lock or	[eax], ecx
		mov	dword ptr ds:0FFDF0244h, 200000h
		or	ds:_MiFlags, 10000000h
		mov	edx, ds:_BBTPagesToReserve
		test	edx, edx
		jnz	loc_AE19DB

loc_AB7584:				; CODE XREF: MiInitSystem+2A738j
		call	MiSectionInitialization
		test	eax, eax
		jz	loc_AB7930
		call	_MiInitializeCfg@0 ; MiInitializeCfg()
		test	eax, eax
		js	loc_AB7930
		mov	ecx, [ebp+var_6C]
		call	MiCreateEnclaveRegions
		test	eax, eax
		jz	loc_AE1BF5
		mov	eax, offset dword_6D35C0
		mov	dword_6D2F88, esi
		mov	dword_6D35C4, eax
		mov	dword_6D35C0, eax
		call	MiInitializeSessionIds
		call	MiInitializeCacheFlushing
		call	MiComputeOptimalZeroPath
		mov	edi, offset _MiSystemPartition
		mov	ecx, edi
		call	_MiInitializeMemoryEvents@4 ; MiInitializeMemoryEvents(x)
		test	eax, eax
		jz	loc_AB7930
		call	_MiStoreChargeReservedPages@4 ;	MiStoreChargeReservedPages(x)
		test	eax, eax
		jz	loc_AB7930
		call	_MiInitializeModifiedWriterParameters@0	; MiInitializeModifiedWriterParameters()
		xor	edx, edx
		xor	ecx, ecx
		call	_MiCreateZeroThreadContext@8 ; MiCreateZeroThreadContext(x,x)
		mov	dword_6D5C58, eax
		test	eax, eax
		jz	loc_AB7930
		mov	eax, esi
		mov	[ebp+var_40], esi

loc_AB7613:				; CODE XREF: MiInitSystem+192j
		push	edi
		push	[ebp+eax*4+var_14]
		lea	eax, [ebp+var_90]
		push	esi
		push	esi
		push	esi
		push	1FFFFFh
		push	eax
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_AB7930
		push	esi
		push	[ebp+var_90]
		call	ObCloseHandle
		mov	eax, [ebp+var_40]
		inc	eax
		mov	[ebp+var_40], eax
		cmp	eax, 4
		jb	short loc_AB7613
		call	MiInitializeMirroring
		test	eax, eax
		jz	loc_AB7930
		mov	[ebp+var_80], esi
		cmp	_KernelVerifier, esi
		jnz	loc_AE1C01

loc_AB7668:				; CODE XREF: MiInitSystem+2A766j
					; MiInitSystem+2A774j ...
		mov	dword_6D05C8, esi
		call	MiWriteProtectSystemImages
		lock dec dword_6D3544
		mov	ecx, [ebp+var_6C]
		call	MiInitializeApiSets
		test	eax, eax
		js	loc_AB7930

loc_AB768A:				; CODE XREF: MiInitSystem+423j
					; MiInitSystem+46Dj ...
		mov	al, 1

loc_AB768C:				; CODE XREF: MiInitSystem+47Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_AB769F:				; CODE XREF: MiInitSystem+52j
		and	ds:_MmTrackLockedPages,	1
		mov	ecx, offset dword_6D35E0
		push	20h
		pop	edx
		call	MiReservePtes
		mov	dword_6D306C, eax
		lock inc dword_6D3544
		mov	edi, offset _MiSystemPartition
		mov	ecx, edi
		call	MiInitializeWorkingSetManagerParameters
		test	eax, eax
		jz	loc_AB7930
		call	_ExInitializePagedHeaps@0 ; ExInitializePagedHeaps()
		test	eax, eax
		js	loc_AB7930
		push	esi
		xor	ecx, ecx
		push	4
		inc	ecx
		call	_MiGetAnyMultiplexedVm@4 ; MiGetAnyMultiplexedVm(x)
		mov	edx, eax
		mov	ecx, edi
		call	MiInitializeSystemWorkingSetList
		test	eax, eax
		jz	loc_AB7930
		xor	ecx, ecx
		call	_PsInitializeQuotaSystem@4 ; PsInitializeQuotaSystem(x)
		test	al, al
		jz	loc_AB7930
		call	_MiGenerateSecureCookie@0 ; MiGenerateSecureCookie()
		mov	dword_6D061C, eax
		mov	dword_6D05F4, 12345678h
		call	_MiInitializeSharedUserData@0 ;	MiInitializeSharedUserData()
		test	eax, eax
		jz	loc_AB7930
		call	MiInitializeBootProcess
		test	eax, eax
		js	loc_AB7930
		push	3
		pop	ecx
		call	KeFlushCurrentTbOnly
		mov	ecx, ds:_MiLowHalVa
		or	edx, 0FFFFFFFFh
		call	_MiAddLoaderHalIoMappings@8 ; MiAddLoaderHalIoMappings(x,x)
		mov	ecx, ds:_MmSystemRangeStart
		cmp	ecx, 0C0000000h
		jnb	short loc_AB7767
		mov	edx, 0BFFFFFFFh
		call	_MiAddLoaderHalIoMappings@8 ; MiAddLoaderHalIoMappings(x,x)

loc_AB7767:				; CODE XREF: MiInitSystem+2A3j
		mov	edx, ds:_MiLowHalVa
		mov	ecx, 0C0800000h
		lea	edx, [edx-1]
		call	_MiAddLoaderHalIoMappings@8 ; MiAddLoaderHalIoMappings(x,x)
		mov	ecx, ds:_KdPrintBufferAllocateSize
		test	ecx, ecx
		jnz	loc_AE193E

loc_AB7788:				; CODE XREF: MiInitSystem+2A48Bj
		mov	ecx, edi
		call	MiSetSlabAllocatorPolicy
		push	esi
		mov	dword_6CF51C, esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		test	byte ptr dword_6D4E44, 8
		mov	ds:dword_B01708, eax
		mov	ds:dword_B0170C, edx
		jnz	loc_AE1948

loc_AB77B4:				; CODE XREF: MiInitSystem+2A4FEj
		mov	edi, ds:__imp__KeQueryPerformanceCounter@4 ; KeQueryPerformanceCounter(x)
		push	esi
		call	edi
		mov	ecx, [ebp+var_6C]
		mov	ds:dword_B01710, eax
		mov	ds:dword_B01714, edx
		call	MiInitializeDriverImages
		test	eax, eax
		jz	loc_AB7930
		push	esi
		call	edi
		mov	ds:dword_B01718, eax
		mov	ecx, offset unk_6CF5A4
		mov	eax, dword_6D5D88
		mov	ds:dword_B0171C, edx
		mov	ds:0FFDF02E8h, eax
		mov	ds:0FFDF0244h, esi
		call	_MiInitializeSystemSpaceMap@4 ;	MiInitializeSystemSpaceMap(x)
		push	esi
		mov	dword_6CF4C0, esi
		mov	dword_6D2FA4, esi
		mov	dword_6D2FAC, esi
		call	edi
		mov	ecx, [ebp+var_6C]
		mov	ds:dword_B01720, eax
		mov	ds:dword_B01724, edx
		call	_MiInitializeLoadedModuleList@4	; MiInitializeLoadedModuleList(x)
		test	eax, eax
		jz	loc_AB7930
		or	ds:_MiFlags, 1000000h
		push	20h
		pop	ecx
		mov	dword_6D50B8, esi
		call	_MmConfigurePrefetchSeekThreshold@4 ; MmConfigurePrefetchSeekThreshold(x)
		mov	ecx, large fs:124h
		push	5
		pop	edx
		call	PsSetPagePriorityThread
		call	_MiEnablePagingTheExecutive@0 ;	MiEnablePagingTheExecutive()
		push	offset _MmShutdownSystem@4 ; MmShutdownSystem(x)
		call	MmLockPagableDataSection
		xor	edx, edx
		mov	ds:_ExPageLockHandle, eax
		mov	ecx, eax
		call	MiLockPagableImageSection
		call	_MiAllocateDummyPage@0 ; MiAllocateDummyPage()
		mov	dword_6D34E8, eax
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		pop	ecx
		cdq
		idiv	ecx
		xor	edx, edx
		mov	ecx, offset dword_6D35E0
		inc	edx
		mov	dword_6D34EC, eax
		call	MiReservePtes
		mov	ds:_MmBadPointer, eax
		test	eax, eax
		jz	loc_AB7930
		shl	eax, 9
		mov	ds:_MmBadPointer, eax
		call	_MiInitializeRelocations@0 ; MiInitializeRelocations()
		test	eax, eax
		jz	short loc_AB7930
		push	esi
		call	edi
		mov	ds:dword_B01728, eax
		mov	ds:dword_B0172C, edx
		call	MiInitializeTbFlushing
		push	esi
		call	edi
		mov	ds:dword_B01730, eax
		mov	ds:dword_B01734, edx
		jmp	loc_AB768A
; 

loc_AB78E0:				; CODE XREF: MiInitSystem+5Bj
		cmp	ecx, 2
		jnz	short loc_AB7930
		call	_MiUnlockBootPageSections@0 ; MiUnlockBootPageSections()
		push	ecx
		mov	edi, offset unk_6B2ED8
		mov	edx, offset _MiTracingEnabledCallback@36 ; MiTracingEnabledCallback(x,x,x,x,x,x,x,x,x)
		push	esi
		mov	ecx, edi
		call	TlgRegisterAggregateProviderEx
		mov	dword_6D35BC, edi
		call	MiFlushStrongCodeDriverLoadFailures
		mov	eax, ds:_MmSessionSpaceLimit
		or	eax, ds:_MmSystemPtesLimit
		or	eax, ds:_MmSystemCacheLimit
		or	eax, ds:_MmPagedPoolLimit
		or	eax, ds:_MmNonPagedPoolLimit
		jz	loc_AB768A
		jmp	loc_AE1C8D
; 

loc_AB7930:				; CODE XREF: MiInitSystem+D3j
					; MiInitSystem+E0j ...
		xor	al, al
		jmp	loc_AB768C
MiInitSystem	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiAddLoaderHalIoMappings(x,	x)
_MiAddLoaderHalIoMappings@8 proc near	; CODE XREF: MiInitSystem+292p
					; MiInitSystem+2AAp ...

var_58		= dword	ptr -58h
var_52		= byte ptr -52h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	4Ch		; size_t
		lea	eax, [ebp+var_58]
		mov	edi, edx
		push	0		; int
		push	eax		; void *
		mov	esi, ecx
		call	_memset
		mov	[ebp+var_44], esi
		add	esp, 0Ch
		mov	esi, offset unk_6D3740
		mov	[ebp+var_40], edi
		mov	eax, 807h
		mov	[ebp+var_18], offset MiAddLoaderHalIoPte
		mov	ecx, esi
		mov	word ptr [ebp+var_58], ax
		mov	[ebp+var_48], esi
		call	MiLockWorkingSetShared
		lea	ecx, [ebp+var_58]
		mov	[ebp+var_52], al
		call	MiWalkPageTables
		mov	dl, [ebp+var_52]
		mov	ecx, esi
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiAddLoaderHalIoMappings@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFlushStrongCodeDriverLoadFailures proc near ;	CODE XREF: MiInitSystem+44Bp

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE1EFB SIZE 00000111 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		mov	ebx, eax

loc_AB79C7:				; CODE XREF: MiFlushStrongCodeDriverLoadFailures+2A647j
		mov	esi, dword_6CF568
		mov	ecx, offset dword_6CF568
		cmp	esi, ecx
		jnz	loc_AE1EFB
		mov	ecx, ebx
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
MiFlushStrongCodeDriverLoadFailures endp


;  S U B	R O U T	I N E 


; __stdcall PnpTraceInitialize()
_PnpTraceInitialize@0 proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+8F5p
		mov	edi, edi
		push	ecx
		mov	ecx, offset dword_6B2B18
		call	_TlgRegisterAggregateProvider@4	; TlgRegisterAggregateProvider(x)
		mov	ecx, offset dword_6B2DD8
		call	_TlgRegisterAggregateProvider@4	; TlgRegisterAggregateProvider(x)
		push	0
		xor	edx, edx
		mov	ecx, offset dword_6B2E00
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		pop	ecx
		retn
_PnpTraceInitialize@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiUnlockBootPageSections()
_MiUnlockBootPageSections@0 proc near	; CODE XREF: MiInitSystem+42Dp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		dec	word ptr [edi+13Ch]
		nop
		push	1
		push	offset _PsLoadedModuleResource
		call	ExAcquireResourceExclusiveLite
		mov	esi, _PsLoadedModuleList
		mov	ebx, offset _PsLoadedModuleList

loc_AB7A43:				; CODE XREF: MiUnlockBootPageSections()+4Cj
		cmp	esi, ebx
		jz	short loc_AB7A66
		mov	eax, [esi+34h]
		test	eax, 400000h
		jz	short loc_AB7A62
		and	eax, 0FFBFFFFFh
		xor	edx, edx
		mov	ecx, esi
		mov	[esi+34h], eax
		call	_MiLockPagableSections@8 ; MiLockPagableSections(x,x)

loc_AB7A62:				; CODE XREF: MiUnlockBootPageSections()+37j
		mov	esi, [esi]
		jmp	short loc_AB7A43
; 

loc_AB7A66:				; CODE XREF: MiUnlockBootPageSections()+2Dj
		mov	ecx, offset _PsLoadedModuleResource
		call	ExReleaseResourceLite
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegionThread@4 ; KeLeaveCriticalRegionThread(x)
_MiUnlockBootPageSections@0 endp


;  S U B	R O U T	I N E 


; __stdcall MiEnablePagingTheExecutive()
_MiEnablePagingTheExecutive@0 proc near	; CODE XREF: MiInitSystem+39Fp
		mov	edi, edi
		push	ecx
		push	esi
		mov	esi, _PsLoadedModuleList
		push	edi
		mov	edi, offset _PsLoadedModuleList
		jmp	short loc_AB7AA6
; 

loc_AB7A8C:				; CODE XREF: MiEnablePagingTheExecutive()+2Ej
		or	dword ptr [esi+34h], 400000h
		mov	ecx, esi
		call	_MiEnablePagingOfDriver@4 ; MiEnablePagingOfDriver(x)
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_MiLockPagableSections@8 ; MiLockPagableSections(x,x)
		mov	esi, [esi]

loc_AB7AA6:				; CODE XREF: MiEnablePagingTheExecutive()+10j
		cmp	esi, edi
		jnz	short loc_AB7A8C
		pop	edi
		pop	esi
		pop	ecx
		retn
_MiEnablePagingTheExecutive@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiLockPagableSections(x, x)
_MiLockPagableSections@8 proc near	; CODE XREF: MiCancelPhase0Locking(x)+39p
					; MiUnlockBootPageSections()+45p ...

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, [ecx+18h]
		push	esi
		mov	[ebp+var_4], edx
		mov	edx, ebx
		push	edi
		call	_MiImagePagable@8 ; MiImagePagable(x,x)
		test	eax, eax
		jz	short loc_AB7AF2
		push	ebx
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		movzx	ecx, word ptr [eax+14h]
		lea	esi, [eax+18h]
		movzx	edi, word ptr [eax+6]
		add	esi, ecx
		test	edi, edi
		jz	short loc_AB7AF2

loc_AB7ADF:				; CODE XREF: MiLockPagableSections(x,x)+42j
		mov	ecx, esi
		call	MmImageSectionPagable
		test	eax, eax
		jnz	short loc_AB7AF7

loc_AB7AEA:				; CODE XREF: MiLockPagableSections(x,x)+5Aj
					; MiLockPagableSections(x,x)+65j
		add	esi, 28h
		sub	edi, 1
		jnz	short loc_AB7ADF

loc_AB7AF2:				; CODE XREF: MiLockPagableSections(x,x)+18j
					; MiLockPagableSections(x,x)+2Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB7AF7:				; CODE XREF: MiLockPagableSections(x,x)+3Aj
		cmp	[ebp+var_4], 1
		jnz	short loc_AB7B0A
		mov	eax, [esi+0Ch]
		add	eax, ebx
		push	eax
		call	MmLockPagableDataSection
		jmp	short loc_AB7AEA
; 

loc_AB7B0A:				; CODE XREF: MiLockPagableSections(x,x)+4Dj
		xor	edx, edx
		mov	ecx, esi
		call	MiLockPagableImageSection
		jmp	short loc_AB7AEA
_MiLockPagableSections@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeApiSets proc near		; CODE XREF: MiInitSystem+1C5p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		xor	esi, esi
		push	esi
		push	esi
		push	8000000h
		mov	eax, [ebx+84h]
		push	4
		mov	[esp+30h+var_C], esi
		mov	[esp+30h+var_10], esi
		mov	eax, [eax+0A00h]
		mov	[esp+30h+var_8], eax
		lea	eax, [esp+30h+var_8]
		push	eax
		push	esi
		push	0F001Fh
		lea	eax, [esp+3Ch+var_10]
		mov	[esp+3Ch+var_4], esi
		push	eax
		call	MmCreateSection
		test	eax, eax
		js	short loc_AB7BC6
		mov	edi, [esp+20h+var_10]
		lea	eax, [esp+20h+var_8]
		push	eax
		lea	eax, [esp+24h+var_C]
		mov	[esp+24h+var_8], esi
		push	eax
		push	edi
		call	_MmMapViewInSystemSpace@12 ; MmMapViewInSystemSpace(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE1FF9
		mov	eax, [ebx+84h]
		mov	esi, [esp+20h+var_C]
		push	dword ptr [eax+0A00h] ;	size_t
		push	dword ptr [eax+9FCh] ; void *
		push	esi		; void *
		call	_memcpy
		mov	dword_6CF4E0, edi
		add	esp, 0Ch
		mov	dword_6CF4E4, esi
		mov	eax, [ebx+84h]
		mov	eax, [eax+0A00h]
		mov	dword_6CF4E8, eax
		xor	eax, eax

loc_AB7BC6:				; CODE XREF: MiInitializeApiSets+4Ej
					; MiFlushStrongCodeDriverLoadFailures+2A65Fj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
MiInitializeApiSets endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeDriverImages proc near	; CODE XREF: MiInitSystem+313p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE200C SIZE 0000012F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		or	dword_6CF55C, 0FFFFFFFFh
		sub	esp, 14h
		and	dword_6CF57C, 0
		mov	edx, offset dword_6CF560
		mov	eax, ds:_MmLargePageDriverBufferLength
		mov	dword_6CF564, edx
		mov	dword_6CF560, edx
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	eax, 0FFFFFFFFh
		jnz	loc_AE200C

loc_AB7C08:				; CODE XREF: MiInitializeDriverImages+2A454j
					; MiInitializeDriverImages+2A50Cj ...
		and	dword_6CF5A0, 0
		mov	ecx, esi
		call	MiInitializeBootLoadedDriverPfns
		test	eax, eax
		jz	short loc_AB7C5B
		mov	ecx, esi
		call	MiInitializeDriverPtes
		test	eax, eax
		jz	short loc_AB7C5B
		mov	ecx, esi
		call	_MiReloadBootLoadedDrivers@4 ; MiReloadBootLoadedDrivers(x)
		test	eax, eax
		jz	short loc_AB7C5B
		mov	ecx, esi
		call	_MiCreateInitialSystemWsles@4 ;	MiCreateInitialSystemWsles(x)
		test	eax, eax
		jz	short loc_AB7C5B
		mov	ecx, esi
		call	VfInitBootDriversLoaded
		mov	ecx, offset dword_6CF568
		xor	eax, eax
		mov	dword_6CF56C, ecx
		inc	eax
		mov	dword_6CF568, ecx

loc_AB7C56:				; CODE XREF: MiInitializeDriverImages+8Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB7C5B:				; CODE XREF: MiInitializeDriverImages+4Aj
					; MiInitializeDriverImages+55j	...
		xor	eax, eax
		jmp	short loc_AB7C56
MiInitializeDriverImages endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VfInitBootDriversLoaded	proc near	; CODE XREF: MiInitializeDriverImages+6Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, dword_6FDE00
		and	ds:_VfBugcheckTmpDataLock, 0
		and	eax, 8
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_4], eax
		call	_VfThunkInit@0	; VfThunkInit()
		push	10h
		push	54416656h
		push	18h
		push	ecx
		push	offset _VfUtilFreePoolCheckIRQL@4 ; VfUtilFreePoolCheckIRQL(x)
		xor	edx, edx
		mov	ecx, offset _ViAvlNodeLookaside
		call	_VfLookasideInitializeInternalNPagedList@28 ; VfLookasideInitializeInternalNPagedList(x,x,x,x,x,x,x)
		xor	ebx, ebx
		mov	ecx, offset _ViAvlInitialized
		inc	ebx
		mov	eax, ebx
		xchg	eax, [ecx]
		call	_VfTargetDriversInit@0 ; VfTargetDriversInit()
		cmp	_ViVerifierDriverAddedThunkListHead, 0
		jnz	short loc_AB7CD8

loc_AB7CB7:				; CODE XREF: VfInitBootDriversLoaded+7Dj
		mov	ecx, edi
		call	_VfThunkFindExportAddressAllTables@4 ; VfThunkFindExportAddressAllTables(x)
		cmp	_ViVerifierDriverAddedThunkListHead, 0
		jnz	sub_AE213B
		lea	ecx, [edi+10h]
		call	_VfDriverLoadBootDrivers@4 ; VfDriverLoadBootDrivers(x)

loc_AB7CD3:				; CODE XREF: sub_AE213B+CAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB7CD8:				; CODE XREF: VfInitBootDriversLoaded+55j
		call	_VfObjectContextInit@0 ; VfObjectContextInit()
		jmp	short loc_AB7CB7
VfInitBootDriversLoaded	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall VfDriverLoadBootDrivers(x)
_VfDriverLoadBootDrivers@4 proc	near	; CODE XREF: VfInitBootDriversLoaded+6Ep
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [edi]
		mov	edx, [esi+18h]
		mov	eax, [esi+20h]
		add	eax, edx
		mov	_ViDriverKernelBase, edx
		mov	_ViDriverKernelEnd, eax
		jmp	short loc_AB7D0B
; 

loc_AB7CFE:				; CODE XREF: VfDriverLoadBootDrivers(x)+2Fj
		push	0
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	VfDriverLoadImage

loc_AB7D0B:				; CODE XREF: VfDriverLoadBootDrivers(x)+1Cj
		mov	esi, [esi]
		cmp	esi, edi
		jnz	short loc_AB7CFE
		pop	edi
		pop	esi
		pop	ecx
		retn
_VfDriverLoadBootDrivers@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall VfThunkFindExportAddressAllTables(x)
_VfThunkFindExportAddressAllTables@4 proc near ; CODE XREF: VfInitBootDriversLoaded+59p
		mov	edi, edi
		push	esi
		push	offset _VfRegularThunksBitMapHeader
		push	18h
		mov	edx, offset _VfRegularThunks
		mov	esi, ecx
		call	_ViThunkFindAllExportAddresses@16 ; ViThunkFindAllExportAddresses(x,x,x,x)
		push	offset _VfOrderDependentThunksBitMapHeader
		push	1Ch
		mov	edx, offset _VfOrderDependentThunks
		mov	ecx, esi
		call	_ViThunkFindAllExportAddresses@16 ; ViThunkFindAllExportAddresses(x,x,x,x)
		push	offset _VfPoolThunksBitMapHeader
		push	18h
		mov	edx, offset _VfPoolThunks
		mov	ecx, esi
		call	_ViThunkFindAllExportAddresses@16 ; ViThunkFindAllExportAddresses(x,x,x,x)
		push	0
		push	18h
		mov	edx, offset _VfMandatoryThunks
		mov	ecx, esi
		call	_ViThunkFindAllExportAddresses@16 ; ViThunkFindAllExportAddresses(x,x,x,x)
		push	offset _VfXdvThunksBitMapHeader
		push	18h
		mov	edx, offset _VfXdvThunks
		mov	ecx, esi
		call	_ViThunkFindAllExportAddresses@16 ; ViThunkFindAllExportAddresses(x,x,x,x)
		pop	esi
		retn
_VfThunkFindExportAddressAllTables@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkFindAllExportAddresses(x, x,	x, x)
_ViThunkFindAllExportAddresses@16 proc near
					; CODE XREF: VfThunkFindExportAddressAllTables(x)+11p
					; VfThunkFindExportAddressAllTables(x)+24p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		mov	eax, [edx]
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], ecx
		test	eax, eax
		jz	short loc_AB7DC9
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		lea	esi, [edx+0Ch]

loc_AB7D97:				; CODE XREF: ViThunkFindAllExportAddresses(x,x,x,x)+4Dj
		lea	edx, [ebp+var_4]
		push	edx
		mov	edx, eax
		call	_ViThunkFindExportAddress@12 ; ViThunkFindExportAddress(x,x,x)
		mov	edx, [esi+4]
		test	edx, edx
		jz	short loc_AB7DB1
		mov	ecx, [edx]
		test	ecx, ecx
		jnz	short loc_AB7DCE
		mov	[edx], eax

loc_AB7DB1:				; CODE XREF: ViThunkFindAllExportAddresses(x,x,x,x)+2Fj
					; ViThunkFindAllExportAddresses(x,x,x,x)+59j ...
		cmp	[ebp+var_4], 0
		jnz	short loc_AB7DDC

loc_AB7DB7:				; CODE XREF: ViThunkFindAllExportAddresses(x,x,x,x)+81j
		mov	ecx, [ebp+var_8]
		mov	[esi-4], eax
		add	esi, ebx
		inc	edi
		mov	eax, [esi-0Ch]
		test	eax, eax
		jnz	short loc_AB7D97
		pop	esi
		pop	ebx

loc_AB7DC9:				; CODE XREF: ViThunkFindAllExportAddresses(x,x,x,x)+15j
		pop	edi
		leave
		retn	8
; 

loc_AB7DCE:				; CODE XREF: ViThunkFindAllExportAddresses(x,x,x,x)+35j
		cmp	ecx, 1
		jnz	short loc_AB7DB1
		cmp	ecx, eax
		jz	short loc_AB7DB1
		and	dword ptr [edx], 0
		jmp	short loc_AB7DB1
; 

loc_AB7DDC:				; CODE XREF: ViThunkFindAllExportAddresses(x,x,x,x)+3Dj
		mov	eax, [ebp+arg_4]
		mov	edx, edi
		shr	edx, 3
		add	edx, [eax+4]
		mov	eax, edi
		and	eax, 7
		movsx	ecx, byte ptr [edx]
		btr	ecx, eax
		mov	[edx], cl
		or	dword ptr [esi], 2
		xor	eax, eax
		jmp	short loc_AB7DB7
_ViThunkFindAllExportAddresses@16 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkFindExportAddress(x,	x, x)
_ViThunkFindExportAddress@12 proc near	; CODE XREF: ViThunkFindAllExportAddresses(x,x,x,x)+25p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		and	dword ptr [eax], 0
		lea	edi, [ecx+10h]
		and	[ebp+var_18], 0
		mov	esi, [edi]
		mov	[ebp+var_20], edx
		mov	[ebp+var_14], edi

loc_AB7E1C:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+116j
		cmp	esi, edi
		jz	loc_AB7F1E
		mov	ebx, [esi+18h]
		lea	eax, [ebp+var_24]
		push	eax
		push	0
		push	1
		push	ebx
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	loc_AB7F04
		mov	eax, [ecx+20h]
		mov	edx, [ecx+18h]
		add	eax, ebx
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+24h]
		add	eax, ebx
		mov	[ebp+var_24], eax
		xor	eax, eax
		mov	[ebp+var_10], eax
		dec	edx

loc_AB7E5B:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+B5j
		mov	ecx, [ebp+var_20]
		lea	edi, [edx+eax]
		mov	eax, [ebp+var_1C]
		shr	edi, 1
		mov	[ebp+var_8], ecx
		mov	eax, [eax+edi*4]
		add	eax, ebx

loc_AB7E6E:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+A3j
		mov	ecx, [ebp+var_8]
		mov	cl, [ecx]
		cmp	cl, [eax]
		mov	[ebp+var_1], cl
		mov	ecx, [ebp+var_C]
		jnz	short loc_AB7EFA
		cmp	[ebp+var_1], 0
		jz	short loc_AB7EA1
		mov	ecx, [ebp+var_8]
		mov	cl, [ecx+1]
		cmp	cl, [eax+1]
		mov	[ebp+var_1], cl
		mov	ecx, [ebp+var_C]
		jnz	short loc_AB7EFA
		add	[ebp+var_8], 2
		add	eax, 2
		cmp	[ebp+var_1], 0
		jnz	short loc_AB7E6E

loc_AB7EA1:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+85j
		xor	eax, eax

loc_AB7EA3:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+103j
		test	eax, eax
		js	short loc_AB7EB5
		jle	short loc_AB7EC1
		lea	eax, [edi+1]
		mov	[ebp+var_10], eax

loc_AB7EAF:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+C3j
		cmp	edx, eax
		jnb	short loc_AB7E5B
		jmp	short loc_AB7EC4
; 

loc_AB7EB5:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+A9j
		test	edi, edi
		jz	short loc_AB7F17
		mov	eax, [ebp+var_10]
		lea	edx, [edi-1]
		jmp	short loc_AB7EAF
; 

loc_AB7EC1:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+ABj
		mov	eax, [ebp+var_10]

loc_AB7EC4:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+B7j
					; ViThunkFindExportAddress(x,x,x)+120j
		cmp	edx, eax
		jl	short loc_AB7F01
		mov	eax, [ebp+var_24]
		movzx	edi, word ptr [eax+edi*2]
		cmp	edi, [ecx+14h]
		jnb	short loc_AB7F01
		mov	edx, ecx
		mov	ecx, ebx
		push	edi
		call	_ViThunkIsExportAddressShared@12 ; ViThunkIsExportAddressShared(x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	ecx, edi
		mov	eax, [ebp+var_C]
		mov	eax, [eax+1Ch]
		lea	eax, [eax+ecx*4]
		mov	eax, [eax+ebx]
		add	eax, ebx

loc_AB7EF3:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+124j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_AB7EFA:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+7Fj
					; ViThunkFindExportAddress(x,x,x)+96j
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_AB7EA3
; 

loc_AB7F01:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+CAj
					; ViThunkFindExportAddress(x,x,x)+D6j
		mov	edi, [ebp+var_14]

loc_AB7F04:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+40j
		mov	eax, [ebp+var_18]
		inc	eax
		mov	[ebp+var_18], eax
		cmp	eax, 2
		jz	short loc_AB7F1E
		mov	esi, [esi]
		jmp	loc_AB7E1C
; 

loc_AB7F17:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+BBj
		xor	eax, eax
		xor	edx, edx
		inc	eax
		jmp	short loc_AB7EC4
; 

loc_AB7F1E:				; CODE XREF: ViThunkFindExportAddress(x,x,x)+22j
					; ViThunkFindExportAddress(x,x,x)+112j
		xor	eax, eax
		jmp	short loc_AB7EF3
_ViThunkFindExportAddress@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViThunkIsExportAddressShared(x, x, x)
_ViThunkIsExportAddressShared@12 proc near ; CODE XREF:	ViThunkFindExportAddress(x,x,x)+DDp

arg_0		= word ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	si, [ebp+arg_0]
		push	edi
		mov	edi, [edx+1Ch]
		mov	edx, [edx+14h]
		add	edi, ecx
		movzx	eax, si
		mov	ebx, [edi+eax*4]
		xor	eax, eax
		test	edx, edx
		jz	short loc_AB7F65

loc_AB7F50:				; CODE XREF: ViThunkIsExportAddressShared(x,x,x)+33j
		cmp	ax, si
		jz	short loc_AB7F5D
		movzx	ecx, ax
		cmp	[edi+ecx*4], ebx
		jz	short loc_AB7F6E

loc_AB7F5D:				; CODE XREF: ViThunkIsExportAddressShared(x,x,x)+23j
		inc	eax
		movzx	ecx, ax
		cmp	ecx, edx
		jb	short loc_AB7F50

loc_AB7F65:				; CODE XREF: ViThunkIsExportAddressShared(x,x,x)+1Ej
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		pop	ebp
		retn	4
; 

loc_AB7F6E:				; CODE XREF: ViThunkIsExportAddressShared(x,x,x)+2Bj
		pop	edi
		pop	esi
		mov	eax, 1
		pop	ebx
		pop	ebp
		retn	4
_ViThunkIsExportAddressShared@12 endp


;  S U B	R O U T	I N E 


; __stdcall VfTargetDriversInit()
_VfTargetDriversInit@0 proc near	; CODE XREF: VfInitBootDriversLoaded+49p
		cmp	_VfSafeMode, 0
		jnz	short locret_AB7FAE
		push	esi
		push	offset _ViTargetDelayFreeAvlNode@8 ; ViTargetDelayFreeAvlNode(x,x)
		xor	esi, esi
		xor	edx, edx
		inc	esi
		mov	ecx, offset _ViTargetDriversAvl
		push	esi
		push	20h
		call	VfAvlInitializeTreeEx
		test	eax, eax
		js	short loc_AB7FAF
		and	dword_6BE398, 0
		mov	eax, offset _ViTargetInitialized

loc_AB7FAB:				; CODE XREF: VfTargetDriversInit()+3Aj
		xchg	esi, [eax]
		pop	esi

locret_AB7FAE:				; CODE XREF: VfTargetDriversInit()+7j
		retn
; 

loc_AB7FAF:				; CODE XREF: VfTargetDriversInit()+23j
		mov	eax, offset _ViTargetAllocationFailures
		jmp	short loc_AB7FAB
_VfTargetDriversInit@0 endp


;  S U B	R O U T	I N E 


; __stdcall VfThunkInit()
_VfThunkInit@0	proc near		; CODE XREF: VfInitBootDriversLoaded+1Dp
		push	offset _VfRegularThunksBitMapHeader
		mov	ds:_VfRegularThunksBitMapHeader, 100h
		mov	ds:dword_AB2654, offset	_VfRegularThunksBitMap
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		push	offset _VfPoolThunksBitMapHeader
		mov	ds:_VfPoolThunksBitMapHeader, 20h
		mov	ds:dword_AB265C, offset	_VfPoolThunksBitMap
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		push	offset _VfOrderDependentThunksBitMapHeader
		mov	ds:_VfOrderDependentThunksBitMapHeader,	40h
		mov	ds:dword_AB262C, offset	_VfOrderDependentThunksBitMap
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		push	offset _VfXdvThunksBitMapHeader
		mov	ds:_VfXdvThunksBitMapHeader, 160h
		mov	ds:dword_AB261C, offset	_VfXdvThunksBitMap
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		retn
_VfThunkInit@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateInitialSystemWsles(x)
_MiCreateInitialSystemWsles@4 proc near	; CODE XREF: MiInitializeDriverImages+64p

var_130		= dword	ptr -130h
var_124		= dword	ptr -124h
var_118		= dword	ptr -118h
var_104		= dword	ptr -104h
var_100		= word ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_52		= byte ptr -52h
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 130h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	4Ch		; size_t
		lea	eax, [ebp+var_58]
		mov	esi, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_130]
		push	0D8h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi
		call	_MiMarkBootRegions@4 ; MiMarkBootRegions(x)
		movzx	ecx, byte_6D37A0
		lea	edx, [ebp+var_68]
		xor	eax, eax
		mov	[ebp+var_118], 0Ch
		and	ecx, 7
		mov	[ebp+var_124], offset _MiSystemPartition
		push	eax
		mov	[ebp+var_F8], eax
		mov	[ebp+var_104], eax
		mov	ecx, dword_6D2E68[ecx*4]
		mov	[ebp+var_100], ax
		mov	[ebp+var_F4], eax
		mov	[ebp+var_FC], 21h
		mov	[ebp+var_F0], eax
		call	_MiInitializeColorBase@12 ; MiInitializeColorBase(x,x,x)
		or	[ebp+var_40], 0FFFFFFFFh
		lea	eax, [ebp+var_130]
		mov	[ebp+var_10], eax
		mov	edi, offset unk_6D3740
		xor	eax, eax
		mov	[ebp+var_18], offset _MiCreatePteWsle@12 ; MiCreatePteWsle(x,x,x)
		inc	eax
		mov	[ebp+var_48], edi
		mov	word ptr [ebp+var_58], ax
		mov	esi, offset unk_6D3C40
		mov	al, byte_6D37A0
		and	al, 7
		cmp	al, 2
		jz	short loc_AB8107
		mov	esi, offset unk_6D37C0

loc_AB8107:				; CODE XREF: MiCreateInitialSystemWsles(x)+D0j
		push	esi
		call	ExAcquireSpinLockExclusive
		and	dword ptr [esi+4], 0
		lea	ecx, [ebp+var_58]
		mov	[ebp+var_52], al
		call	MiWalkPageTables
		mov	dl, [ebp+var_52]
		mov	ecx, edi
		mov	esi, eax
		call	MiUnlockWorkingSetExclusive
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		cmp	esi, 4
		pop	edi
		setnz	al
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiCreateInitialSystemWsles@4 endp


;  S U B	R O U T	I N E 


MiInitializeDynamicVa proc near		; CODE XREF: MiInitNucleus(x)+CCp

; FUNCTION CHUNK AT 00AE220A SIZE 0000004F BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	offset unk_6D2E94
		mov	dword_6D2EA4, ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	esi, dword_6D07D0
		xor	ecx, ecx
		mov	edi, 80000000h
		inc	ecx
		mov	dword_6D4254, edi
		mov	dword_6D07C8, edi
		call	ExGenRandom
		and	eax, 3Fh
		mov	dword_6D07C4, eax
		cmp	esi, edi
		jnz	loc_AE220A

loc_AB8186:				; CODE XREF: MiInitializeDynamicVa+2A0D7j
		shr	esi, 12h
		and	esi, 3FF8h
		sub	esi, 3FA00000h

loc_AB8195:				; CODE XREF: MiInitializeDynamicVa+6Cj
		mov	ecx, [esi]
		nop
		or	ecx, [esi+4]
		jnz	loc_AB8257

loc_AB81A1:				; CODE XREF: MiInitializeDynamicVa+12Bj
		add	esi, 8
		cmp	esi, 0C0603FFFh
		jb	short loc_AB8195
		mov	esi, 0C0800000h
		mov	ecx, 0C0000000h
		push	2
		mov	edx, esi
		call	MiInitializeSystemVaRange
		mov	edi, offset unk_6D2E70
		mov	eax, esi
		push	3
		mov	edx, 0C0A00000h
		mov	ecx, esi
		stosd
		stosd
		stosd
		call	MiInitializeSystemVaRange
		mov	eax, offset unk_6D3F9C
		mov	edx, ebx
		lea	ecx, [eax+1]

loc_AB81E1:				; CODE XREF: MiInitializeDynamicVa+2A0E8j
		cmp	[eax], dl
		jnz	loc_AE221A
		cmp	[ecx], dl
		jnz	loc_AE221A
		mov	edx, eax
		sub	edx, offset dword_6D3D94
		sub	edx, 400h
		shl	edx, 15h

loc_AB8202:				; CODE XREF: MiInitializeDynamicVa+2A0EEj
		mov	ecx, edx
		test	edx, edx
		jz	loc_AE2231
		mov	dword_6D2E88, edx
		add	edx, 200000h
		mov	dword_6D2E68, edx
		push	2
		lea	eax, [edx+1FFFFFh]
		add	edx, 200000h
		mov	dword_6D2E8C, eax
		call	MiInitializeSystemVaRange
		mov	ecx, ds:_MiLowHalVa
		xor	edx, edx
		push	0Ah
		call	MiInitializeSystemVaRange
		mov	al, byte_6D37A0
		pop	edi
		and	al, 0FCh
		or	al, 4
		pop	esi
		mov	byte_6D37A0, al
		pop	ebx
		retn
; 

loc_AB8257:				; CODE XREF: MiInitializeDynamicVa+5Dj
		mov	ecx, esi
		shl	ecx, 12h
		push	0Ch
		lea	edx, [ecx+200000h]
		call	MiInitializeSystemVaRange
		jmp	loc_AB81A1
MiInitializeDynamicVa endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiMarkBootRegions(x)
_MiMarkBootRegions@4 proc near		; CODE XREF: MiCreateInitialSystemWsles(x)+41p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		lea	edi, [ebx+10h]
		mov	esi, [edi]
		jmp	short loc_AB82A1
; 

loc_AB8281:				; CODE XREF: MiMarkBootRegions(x)+35j
		mov	edx, [esi+20h]
		mov	eax, 0FFE00000h
		mov	ecx, [esi+18h]
		add	edx, 1FFFFFh
		add	edx, ecx
		and	ecx, eax
		push	0Ch
		and	edx, eax
		call	MiInitializeSystemVaRange
		mov	esi, [esi]

loc_AB82A1:				; CODE XREF: MiMarkBootRegions(x)+11j
		cmp	esi, edi
		jnz	short loc_AB8281
		add	ebx, 18h
		xor	ecx, ecx
		mov	[ebp+var_8], ebx
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	short loc_AB82EB

loc_AB82B3:				; CODE XREF: MiMarkBootRegions(x)+67j
		mov	edi, [esi+10h]
		test	edi, edi
		jz	short loc_AB82D1
		mov	eax, [esi+8]
		cmp	eax, 7
		jz	short loc_AB82F0
		cmp	eax, 13h
		jz	short loc_AB82F0
		cmp	eax, 15h
		jz	short loc_AB82F0
		cmp	eax, 0Eh
		jz	short loc_AB82F0

loc_AB82D1:				; CODE XREF: MiMarkBootRegions(x)+4Aj
					; MiMarkBootRegions(x)+8Cj ...
		mov	esi, [esi]
		cmp	esi, ebx
		jnz	short loc_AB82B3
		test	ecx, ecx
		jz	short loc_AB82EB
		shl	ecx, 12h
		push	0Ch
		lea	edx, [ecx+200000h]
		call	MiInitializeSystemVaRange

loc_AB82EB:				; CODE XREF: MiMarkBootRegions(x)+43j
					; MiMarkBootRegions(x)+6Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB82F0:				; CODE XREF: MiMarkBootRegions(x)+52j
					; MiMarkBootRegions(x)+57j ...
		mov	eax, [esi+0Ch]
		xor	edx, edx
		mov	[ebp+var_4], edx
		test	edi, edi
		jz	short loc_AB82D1
		imul	ebx, eax, 1Ch

loc_AB82FF:				; CODE XREF: MiMarkBootRegions(x)+B7j
		mov	eax, ds:_MmPfnDatabase
		mov	edi, [ebx+eax+4]
		shr	edi, 9
		and	edi, 3FF8h
		lea	eax, [edi-3FA00000h]
		cmp	eax, ecx
		jnz	short loc_AB832C

loc_AB831B:				; CODE XREF: MiMarkBootRegions(x)+DBj
		inc	edx
		add	ebx, 1Ch
		mov	[ebp+var_4], edx
		cmp	edx, [esi+10h]
		jb	short loc_AB82FF
		mov	ebx, [ebp+var_8]
		jmp	short loc_AB82D1
; 

loc_AB832C:				; CODE XREF: MiMarkBootRegions(x)+ABj
		test	ecx, ecx
		jz	short loc_AB8343
		shl	ecx, 12h
		push	0Ch
		lea	edx, [ecx+200000h]
		call	MiInitializeSystemVaRange
		mov	edx, [ebp+var_4]

loc_AB8343:				; CODE XREF: MiMarkBootRegions(x)+C0j
		lea	ecx, [edi-3FA00000h]
		jmp	short loc_AB831B
_MiMarkBootRegions@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReloadBootLoadedDrivers(x)
_MiReloadBootLoadedDrivers@4 proc near	; CODE XREF: MiInitializeDriverImages+59p

var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_A0]
		mov	ebx, ecx
		push	0		; int
		push	eax		; void *
		call	_memset
		and	[ebp+var_8C], 0
		add	esp, 0Ch
		mov	[ebp+var_98], 21h
		call	_MmAcquireLoadLock@0 ; MmAcquireLoadLock()
		lea	edi, [ebx+10h]
		mov	esi, [edi]

loc_AB8397:				; CODE XREF: MiReloadBootLoadedDrivers(x)+72j
		cmp	esi, edi
		jz	short loc_AB83C0
		mov	eax, ds:_PsNtosImageBase
		cmp	eax, [esi+18h]
		jz	short loc_AB83AC
		mov	ecx, esi
		call	_MiProcessLoadConfigForDriver@8	; MiProcessLoadConfigForDriver(x,x)

loc_AB83AC:				; CODE XREF: MiReloadBootLoadedDrivers(x)+57j
		lea	eax, [ebp+var_A0]
		mov	edx, esi
		push	eax
		mov	ecx, ebx
		call	MiHandleBootImage
		mov	esi, [esi]
		jmp	short loc_AB8397
; 

loc_AB83C0:				; CODE XREF: MiReloadBootLoadedDrivers(x)+4Dj
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		mov	ecx, large fs:124h
		call	_MmReleaseLoadLock@4 ; MmReleaseLoadLock(x)
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		inc	eax
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiReloadBootLoadedDrivers@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiHandleBootImage proc near		; CODE XREF: MiReloadBootLoadedDrivers(x)+6Bp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE2259 SIZE 000000A9 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		mov	esi, dword_6CF51C
		mov	eax, esi
		and	eax, 0FFFh
		mov	[ebp+var_18], edx
		neg	eax
		mov	[ebp+var_24], ecx
		push	edi
		mov	edi, [edx+18h]
		sbb	eax, eax
		neg	eax
		shr	esi, 0Ch
		add	eax, esi
		mov	[ebp+var_14], 1
		push	edi
		mov	[ebp+var_10], eax
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_10]
		mov	[ebp+var_1C], eax
		mov	eax, edi
		shr	eax, 9
		mov	esi, [edx+20h]
		and	eax, offset loc_7FFFF8
		add	esi, 0FFFh
		mov	[ebp+var_28], eax
		shr	esi, 0Ch
		add	eax, 0C0000000h
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], ecx
		cmp	edi, ds:_PsNtosImageBase
		jz	loc_AB85B6
		cmp	edi, ds:_PsHalImageBase
		jz	loc_AB85B6

loc_AB847F:				; CODE XREF: MiHandleBootImage+200j
		mov	edx, [ebp+var_14]

loc_AB8482:				; CODE XREF: MiHandleBootImage+1F8j
		test	ecx, ecx
		jnz	loc_AE2245

loc_AB848A:				; CODE XREF: MiInitializeDynamicVa+2A116j
		cmp	edi, ds:_PsNtosImageBase
		jz	loc_AB85AB
		cmp	edi, ds:_PsHalImageBase
		jz	loc_AB85AB
		mov	ecx, [ebp+var_1C]
		xor	esi, esi
		mov	edx, [ebp+var_18]
		mov	[ebp+var_14], esi
		mov	[ecx+34h], edi
		test	dword ptr [edx+34h], (offset loc_7FFFFF+1)
		jnz	loc_AB85AB
		test	byte ptr [ecx+16h], 1
		push	4
		pop	eax
		mov	[ebp+var_4], eax
		jnz	loc_AE2259
		cmp	dword ptr [ecx+74h], 5
		jbe	loc_AE2259
		mov	eax, [ecx+0A0h]
		test	eax, eax
		mov	[ebp+var_20], eax
		mov	eax, [ebp+var_4]
		jz	short loc_AB84F9
		mov	ecx, [ecx+0A4h]
		add	ecx, [ebp+var_20]
		cmp	ecx, [edx+20h]
		ja	loc_AE2259

loc_AB84F9:				; CODE XREF: MiHandleBootImage+FBj
		cmp	[ebp+var_10], esi
		jnz	short loc_AB8516
		lea	eax, [edx+2Ch]
		mov	ecx, eax
		mov	[ebp+var_20], eax
		call	MiUseLargeDriverPage
		test	eax, eax
		jnz	loc_AE2263
		push	4

loc_AB8515:				; CODE XREF: MiHandleBootImage+29EDDj
					; MiHandleBootImage+29EE4j
		pop	eax

loc_AB8516:				; CODE XREF: MiHandleBootImage+112j
					; MiHandleBootImage+29E74j
		test	al, 1
		jnz	loc_AB85A0
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		mov	edi, [ebp+var_28]
		add	edi, 0C0000000h
		mov	[ebp+var_14], edx
		mov	[ebp+var_28], esi
		lea	ecx, [edi+ecx*8]
		mov	edi, [ebp+var_C]
		mov	[ebp+var_20], ecx
		cmp	edi, ecx
		jnb	short loc_AB85A3

loc_AB853F:				; CODE XREF: MiHandleBootImage+1B1j
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	eax, ecx, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	ecx, eax
		mov	[ebp+var_24], eax
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	short loc_AB858F
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_28]
		push	eax
		push	[ebp+var_24]
		mov	ecx, esi
		call	MiGetBootImagePageProtection
		push	1
		mov	edx, eax
		mov	ecx, offset _MiSystemPartition
		call	MiAllocateDriverPage
		cmp	eax, 0FFFFFFFFh
		jnz	loc_AE22D3

loc_AB858F:				; CODE XREF: MiHandleBootImage+17Bj
					; MiHandleBootImage+29EF2j
		add	edi, 8
		add	esi, 1000h
		cmp	edi, [ebp+var_20]
		jb	short loc_AB853F
		mov	eax, [ebp+var_4]

loc_AB85A0:				; CODE XREF: MiHandleBootImage+12Ej
		mov	edx, [ebp+var_14]

loc_AB85A3:				; CODE XREF: MiHandleBootImage+153j
		test	al, 2
		jnz	loc_AE22E1

loc_AB85AB:				; CODE XREF: MiHandleBootImage+A6j
					; MiHandleBootImage+B2j ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn	4
; 

loc_AB85B6:				; CODE XREF: MiHandleBootImage+83j
					; MiHandleBootImage+8Fj
		mov	ecx, edi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		mov	eax, [ebp+var_C]
		jz	short loc_AB85E7
		mov	ecx, [ebp+var_10]
		mov	edx, 0FFFFFE00h
		add	esi, 1FFh
		add	ecx, 1FFh
		and	esi, edx
		and	ecx, edx
		push	3
		mov	[ebp+var_8], esi
		pop	edx
		jmp	loc_AB8482
; 

loc_AB85E7:				; CODE XREF: MiHandleBootImage+1D8j
		mov	ecx, [ebp+var_4]
		jmp	loc_AB847F
MiHandleBootImage endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiGetBootImagePageProtection proc near	; CODE XREF: MiHandleBootImage+189p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00AE2302 SIZE 00000015 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	[ebp+var_4], edx
		mov	ebx, ecx
		mov	edx, [ebp+arg_4]
		push	esi
		push	edi
		xor	edi, edi
		mov	edx, [edx]
		test	edx, edx
		jz	short loc_AB864D
		mov	ecx, [edx+0Ch]
		cmp	ebx, ecx
		jb	short loc_AB864D
		mov	eax, [edx+10h]
		mov	esi, [edx+8]
		cmp	eax, esi
		jb	short loc_AB8649

loc_AB861A:				; CODE XREF: MiGetBootImagePageProtection+5Bj
		add	eax, ecx
		cmp	ebx, eax
		jnb	short loc_AB864D
		mov	edi, edx
		xor	ecx, ecx
		mov	edx, [edx+24h]
		call	MiComputeDriverProtection
		mov	ecx, eax

loc_AB862E:				; CODE XREF: MiGetBootImagePageProtection+7Fj
					; MiGetBootImagePageProtection+A9j
		test	byte ptr ds:_MiFlags+2,	1
		jnz	loc_AE2302

loc_AB863B:				; CODE XREF: MiGetBootImagePageProtection+29D19j
					; MiGetBootImagePageProtection+29D22j
		mov	eax, [ebp+arg_4]
		mov	[eax], edi
		mov	eax, ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_AB8649:				; CODE XREF: MiGetBootImagePageProtection+28j
		mov	eax, esi
		jmp	short loc_AB861A
; 

loc_AB864D:				; CODE XREF: MiGetBootImagePageProtection+17j
					; MiGetBootImagePageProtection+1Ej ...
		mov	ecx, [ebp+var_4]
		movzx	eax, word ptr [ecx+14h]
		lea	esi, [ecx+18h]
		add	esi, eax
		movzx	eax, word ptr [ecx+6]
		imul	eax, 28h
		xor	ecx, ecx
		inc	ecx
		add	eax, esi
		mov	[ebp+var_4], eax
		cmp	esi, eax
		jnb	short loc_AB8687

loc_AB866C:				; CODE XREF: MiGetBootImagePageProtection+95j
		cmp	ebx, [esi+0Ch]
		jb	short loc_AB862E
		mov	edx, [esi+24h]
		xor	ecx, ecx
		call	MiComputeDriverProtection
		mov	edi, esi
		mov	ecx, eax
		add	esi, 28h
		cmp	esi, [ebp+var_4]
		jb	short loc_AB866C

loc_AB8687:				; CODE XREF: MiGetBootImagePageProtection+7Aj
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		mov	ecx, [eax+8]
		mov	eax, [eax+0Ch]
		shrd	ecx, eax, 5
		and	ecx, 1Fh
		jmp	short loc_AB862E
MiGetBootImagePageProtection endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeDriverPtes proc near	; CODE XREF: MiInitializeDriverImages+4Ep

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE2317 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	ebx, [ecx+10h]
		mov	esi, [ebx]
		mov	[ebp+var_10], edi
		jmp	short loc_AB86CA
; 

loc_AB86B3:				; CODE XREF: MiInitializeDriverPtes+90j
		mov	byte ptr [ebp+var_C], 0

loc_AB86B7:				; CODE XREF: MiInitializeDriverPtes+67j
					; MiInitializeDriverPtes+8Aj
		push	ecx
		push	[ebp+var_C]
		lea	eax, [ebp+var_10]
		push	edi
		push	eax
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		mov	edi, [ebp+var_10]

loc_AB86C8:				; CODE XREF: MiInitializeDriverPtes+3Cj
		mov	esi, [esi]

loc_AB86CA:				; CODE XREF: MiInitializeDriverPtes+15j
		cmp	esi, ebx
		jz	short loc_AB8732
		mov	ecx, [esi+18h]
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	short loc_AB86C8
		push	eax
		push	40h
		push	10h
		mov	edx, 70446D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_AB8A09
		mov	[ecx+0Ch], esi
		mov	eax, [esi+18h]
		mov	[ebp+var_18], eax
		mov	byte ptr [ebp+var_C], 0
		test	edi, edi
		jz	short loc_AB86B7

loc_AB8705:				; CODE XREF: MiInitializeDriverPtes+94j
		mov	eax, [edi+0Ch]
		mov	edx, [eax+18h]
		mov	eax, [eax+20h]
		dec	eax
		add	eax, edx
		cmp	[ebp+var_18], eax
		ja	short loc_AB871B
		cmp	[ebp+var_18], edx
		jb	short loc_AB8728

loc_AB871B:				; CODE XREF: MiInitializeDriverPtes+78j
		mov	eax, [edi+4]
		test	eax, eax
		jnz	short loc_AB872E
		mov	byte ptr [ebp+var_C], 1
		jmp	short loc_AB86B7
; 

loc_AB8728:				; CODE XREF: MiInitializeDriverPtes+7Dj
		mov	eax, [edi]
		test	eax, eax
		jz	short loc_AB86B3

loc_AB872E:				; CODE XREF: MiInitializeDriverPtes+84j
		mov	edi, eax
		jmp	short loc_AB8705
; 

loc_AB8732:				; CODE XREF: MiInitializeDriverPtes+30j
		xor	esi, esi
		jmp	short loc_AB873A
; 

loc_AB8736:				; CODE XREF: MiInitializeDriverPtes+A0j
		mov	esi, edi
		mov	edi, [edi]

loc_AB873A:				; CODE XREF: MiInitializeDriverPtes+98j
		test	edi, edi
		jnz	short loc_AB8736
		jmp	short loc_AB8752
; 

loc_AB8740:				; CODE XREF: MiInitializeDriverPtes+E9j
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_AB8752

loc_AB8748:				; CODE XREF: MiInitializeDriverPtes+B4j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_AB8748

loc_AB8752:				; CODE XREF: MiInitializeDriverPtes+A2j
					; MiInitializeDriverPtes+AAj ...
		test	esi, esi
		jz	short loc_AB8797
		mov	edx, [esi+0Ch]
		mov	ecx, [edx+18h]
		mov	edx, [edx+20h]
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		shr	edx, 0Ch
		sub	ecx, 40000000h
		call	_MiReserveBootDriverPtes@8 ; MiReserveBootDriverPtes(x,x)
		test	eax, eax
		jz	loc_AB8A09
		mov	eax, [esi+4]
		mov	ecx, esi
		test	eax, eax
		jnz	short loc_AB8740

loc_AB8787:				; CODE XREF: MiInitializeDriverPtes+F9j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	short loc_AB8752
		cmp	[esi], ecx
		jz	short loc_AB8752
		mov	ecx, esi
		jmp	short loc_AB8787
; 

loc_AB8797:				; CODE XREF: MiInitializeDriverPtes+B8j
		mov	ebx, dword_6CF580

loc_AB879D:				; CODE XREF: MiInitializeDriverPtes+273j
		mov	[ebp+var_18], ebx
		test	ebx, ebx
		jz	loc_AB89AD
		xor	edi, edi

loc_AB87AA:				; CODE XREF: MiInitializeDriverPtes+26Bj
		mov	ecx, [ebx+8]
		cmp	edi, ecx
		mov	edx, [ebx+0Ch]
		sbb	esi, esi
		mov	[ebp+var_4], ecx
		and	esi, edi
		mov	[ebp+var_8], edx
		lea	eax, [ecx-1]
		mov	[ebp+var_1C], eax
		mov	ebx, eax

loc_AB87C4:				; CODE XREF: MiInitializeDriverPtes+29C97j
		and	[ebp+var_1C], 0
		mov	eax, ebx
		sub	eax, esi
		mov	[ebp+var_14], esi
		inc	eax
		cmp	eax, 1
		jb	loc_AE2317
		mov	eax, ebx
		mov	ecx, esi
		shr	eax, 5
		and	ecx, 1Fh
		lea	eax, [edx+eax*4]
		xor	edx, edx
		mov	[ebp+var_1C], eax
		inc	edx
		shl	edx, cl
		mov	eax, esi
		mov	ecx, [ebp+var_8]
		dec	edx
		shr	eax, 5
		lea	esi, [ecx+eax*4]
		mov	eax, [esi]
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_AB8970

loc_AB8807:				; CODE XREF: MiInitializeDriverPtes+2E5j
		mov	edx, [ebp+var_8]
		not	eax
		bsf	eax, eax
		sub	esi, edx
		sar	esi, 2
		shl	esi, 5
		add	esi, eax
		mov	[ebp+var_C], esi
		cmp	esi, ebx
		ja	loc_AE2338
		cmp	esi, 0FFFFFFFFh
		jz	loc_AB898F

loc_AB882D:				; CODE XREF: MiInitializeDriverPtes+29C85j
		mov	ebx, [ebp+var_18]
		cmp	esi, edi
		jb	loc_AB890D
		cmp	esi, 0FFFFFFFFh
		jz	loc_AB890D
		mov	edx, [ebx+8]
		lea	ecx, [esi+1]
		mov	edi, [ebx+0Ch]
		cmp	ecx, edx
		mov	[ebp+var_8], ecx
		sbb	esi, esi
		mov	[ebp+var_14], edx
		lea	eax, [edx-1]
		mov	[ebp+var_1C], edi
		and	esi, ecx
		mov	[ebp+var_4], eax
		mov	ebx, eax

loc_AB8861:				; CODE XREF: MiInitializeDriverPtes+2CFj
		and	[ebp+var_4], 0
		mov	eax, ebx
		sub	eax, esi
		inc	eax
		cmp	eax, 1
		jb	loc_AB8997
		mov	eax, ebx
		xor	edx, edx
		shr	eax, 5
		mov	ecx, esi
		and	ecx, 1Fh
		inc	edx
		shl	edx, cl
		dec	edx
		lea	eax, [edi+eax*4]
		mov	[ebp+var_4], eax
		mov	eax, esi
		shr	eax, 5
		lea	edi, [edi+eax*4]
		mov	eax, [edi]
		not	eax
		or	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	loc_AB892E

loc_AB88A0:				; CODE XREF: MiInitializeDriverPtes+2A5j
		sub	edi, [ebp+var_1C]
		not	eax
		bsf	eax, eax
		sar	edi, 2
		shl	edi, 5
		add	edi, eax
		mov	[ebp+var_4], edi
		cmp	edi, ebx
		ja	loc_AB8946
		cmp	edi, 0FFFFFFFFh
		jz	loc_AB894C

loc_AB88C4:				; CODE XREF: MiInitializeDriverPtes+2B8j
		mov	esi, [ebp+var_C]
		mov	ebx, [ebp+var_18]
		cmp	edi, [ebp+var_8]
		jnb	loc_AB899F

loc_AB88D3:				; CODE XREF: MiInitializeDriverPtes+30Cj
		mov	edi, [ebx+8]
		mov	[ebp+var_4], edi

loc_AB88D9:				; CODE XREF: MiInitializeDriverPtes+306j
		mov	eax, [ebx+4]
		mov	edx, edi
		sub	edx, esi
		mov	[ebp+var_1C], edx
		lea	eax, [eax+esi*8]
		mov	[ebp+var_14], eax
		jz	short loc_AB8904
		mov	edi, eax

loc_AB88ED:				; CODE XREF: MiInitializeDriverPtes+263j
		mov	ecx, [edi]
		nop
		or	ecx, [edi+4]
		jnz	short loc_AB8914

loc_AB88F5:				; CODE XREF: MiInitializeDriverPtes+290j
		inc	esi
		add	edi, 8
		sub	edx, 1
		mov	[ebp+var_1C], edx
		jnz	short loc_AB88ED
		mov	edi, [ebp+var_4]

loc_AB8904:				; CODE XREF: MiInitializeDriverPtes+24Dj
		cmp	edi, [ebx+8]
		jb	loc_AB87AA

loc_AB890D:				; CODE XREF: MiInitializeDriverPtes+196j
					; MiInitializeDriverPtes+19Fj
		mov	ebx, [ebx]
		jmp	loc_AB879D
; 

loc_AB8914:				; CODE XREF: MiInitializeDriverPtes+257j
		mov	edx, esi
		mov	eax, esi
		shr	edx, 3
		and	eax, 7
		add	edx, [ebx+0Ch]
		movsx	ecx, byte ptr [edx]
		bts	ecx, eax
		mov	[edx], cl
		mov	edx, [ebp+var_1C]
		jmp	short loc_AB88F5
; 

loc_AB892E:				; CODE XREF: MiInitializeDriverPtes+1FEj
		mov	ecx, [ebp+var_4]

loc_AB8931:				; CODE XREF: MiInitializeDriverPtes+2A3j
		add	edi, 4
		cmp	edi, ecx
		ja	short loc_AB8946
		mov	eax, [edi]
		not	eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AB8931
		jmp	loc_AB88A0
; 

loc_AB8946:				; CODE XREF: MiInitializeDriverPtes+219j
					; MiInitializeDriverPtes+29Aj
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_4], edi

loc_AB894C:				; CODE XREF: MiInitializeDriverPtes+222j
		mov	ecx, [ebp+var_8]
		mov	edx, [ebp+var_14]

loc_AB8952:				; CODE XREF: MiInitializeDriverPtes+301j
		test	esi, esi
		jz	loc_AB88C4
		lea	ebx, [ecx+1]
		cmp	ebx, edx
		ja	loc_AE2343

loc_AB8965:				; CODE XREF: MiInitializeDriverPtes+29CA9j
		mov	edi, [ebp+var_1C]
		dec	ebx
		xor	esi, esi
		jmp	loc_AB8861
; 

loc_AB8970:				; CODE XREF: MiInitializeDriverPtes+165j
		mov	ecx, [ebp+var_1C]

loc_AB8973:				; CODE XREF: MiInitializeDriverPtes+2E3j
		add	esi, 4
		cmp	esi, ecx
		ja	short loc_AB8986
		mov	eax, [esi]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AB8973
		jmp	loc_AB8807
; 

loc_AB8986:				; CODE XREF: MiInitializeDriverPtes+2DCj
		mov	edx, [ebp+var_8]
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_C], esi

loc_AB898F:				; CODE XREF: MiInitializeDriverPtes+18Bj
					; MiInitializeDriverPtes+29CA2j
		mov	ecx, [ebp+var_4]
		jmp	loc_AE231D
; 

loc_AB8997:				; CODE XREF: MiInitializeDriverPtes+1D1j
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_4], edi
		jmp	short loc_AB8952
; 

loc_AB899F:				; CODE XREF: MiInitializeDriverPtes+231j
		cmp	edi, 0FFFFFFFFh
		jnz	loc_AB88D9
		jmp	loc_AB88D3
; 

loc_AB89AD:				; CODE XREF: MiInitializeDriverPtes+106j
		mov	eax, [ebp+var_10]
		xor	esi, esi
		jmp	short loc_AB89B8
; 

loc_AB89B4:				; CODE XREF: MiInitializeDriverPtes+31Ej
		mov	esi, eax
		mov	eax, [eax]

loc_AB89B8:				; CODE XREF: MiInitializeDriverPtes+316j
		test	eax, eax
		jnz	short loc_AB89B4
		jmp	short loc_AB89E2
; 

loc_AB89BE:				; CODE XREF: MiInitializeDriverPtes+353j
		mov	esi, eax
		mov	ecx, [esi]
		test	ecx, ecx
		jz	short loc_AB89D0

loc_AB89C6:				; CODE XREF: MiInitializeDriverPtes+332j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		test	eax, eax
		jnz	short loc_AB89C6

loc_AB89D0:				; CODE XREF: MiInitializeDriverPtes+328j
					; MiInitializeDriverPtes+35Bj ...
		push	edi
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlAvlRemoveNode@8 ; RtlAvlRemoveNode(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AB89E2:				; CODE XREF: MiInitializeDriverPtes+320j
		test	esi, esi
		jz	short loc_AB8A01
		mov	eax, [esi+4]
		mov	edi, esi
		mov	ecx, esi
		test	eax, eax
		jnz	short loc_AB89BE

loc_AB89F1:				; CODE XREF: MiInitializeDriverPtes+363j
		mov	esi, [esi+8]
		and	esi, 0FFFFFFFCh
		jz	short loc_AB89D0
		cmp	[esi], ecx
		jz	short loc_AB89D0
		mov	ecx, esi
		jmp	short loc_AB89F1
; 

loc_AB8A01:				; CODE XREF: MiInitializeDriverPtes+348j
		xor	eax, eax
		inc	eax

loc_AB8A04:				; CODE XREF: MiInitializeDriverPtes+36Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB8A09:				; CODE XREF: MiInitializeDriverPtes+52j
					; MiInitializeDriverPtes+DCj
		xor	eax, eax
		jmp	short loc_AB8A04
MiInitializeDriverPtes endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiReserveBootDriverPtes(x, x)
_MiReserveBootDriverPtes@8 proc	near	; CODE XREF: MiInitializeDriverPtes+D5p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		mov	esi, dword_6CF51C
		mov	eax, esi
		and	eax, 0FFFh
		neg	eax
		push	edi
		sbb	eax, eax
		mov	edi, ecx
		shr	esi, 0Ch
		neg	eax
		add	esi, edx
		mov	edx, edi
		add	eax, esi
		mov	esi, 0FFFFF000h
		lea	ecx, [edi+0FF8h]
		mov	[ebp+var_8], eax
		and	edx, esi
		mov	[ebp+var_C], edx
		lea	ecx, [ecx+eax*8]
		and	ecx, esi
		mov	esi, dword_6CF580
		mov	[ebp+var_18], esi
		test	esi, esi
		jz	short loc_AB8AA1
		lea	eax, [esi+8]
		mov	esi, [esi+4]
		mov	[ebp+var_14], eax
		mov	eax, [eax]
		mov	[ebp+var_10], esi
		lea	eax, [esi+eax*8]
		mov	esi, [ebp+var_8]
		mov	[ebp+var_4], eax
		lea	eax, [edi+esi*8]
		cmp	eax, [ebp+var_4]
		ja	short loc_AB8A91
		sub	edi, [ebp+var_10]
		push	esi
		sar	edi, 3
		push	edi
		push	[ebp+var_14]
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		xor	eax, eax
		inc	eax

loc_AB8A8D:				; CODE XREF: MiReserveBootDriverPtes(x,x)+125j
					; MiReserveBootDriverPtes(x,x)+12Cj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_AB8A91:				; CODE XREF: MiReserveBootDriverPtes(x,x)+6Aj
		cmp	edi, [ebp+var_4]
		sbb	esi, esi
		and	esi, [ebp+var_18]
		jz	short loc_AB8AA1
		mov	edx, [esi+4]
		mov	[ebp+var_C], edx

loc_AB8AA1:				; CODE XREF: MiReserveBootDriverPtes(x,x)+4Bj
					; MiReserveBootDriverPtes(x,x)+8Bj
		sub	ecx, edx
		mov	edx, 70446D4Dh
		sar	ecx, 3
		mov	[ebp+var_18], ecx
		shr	ecx, 3
		push	0
		add	ecx, 18h
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	short loc_AB8B38
		mov	eax, [ebp+var_18]
		lea	edx, [ecx+8]
		mov	[edx], eax
		lea	eax, [ecx+18h]
		mov	[ebp+var_14], edx
		mov	[edx+4], eax
		test	esi, esi
		jz	short loc_AB8B02
		mov	eax, [esi+8]
		shr	eax, 3
		push	eax		; size_t
		push	dword ptr [esi+0Ch] ; void *
		push	dword ptr [ecx+0Ch] ; void *
		call	_memcpy
		mov	eax, [esi]
		add	esp, 0Ch
		mov	dword_6CF580, eax
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	edx, [ebp+var_14]

loc_AB8B02:				; CODE XREF: MiReserveBootDriverPtes(x,x)+CBj
		push	[ebp+var_8]
		mov	esi, [ebp+var_C]
		sub	edi, esi
		sar	edi, 3
		push	edi
		push	edx
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		mov	eax, [ebp+var_10]
		xor	edx, edx
		and	dword ptr [eax+10h], 0
		inc	edx
		mov	[eax+14h], edx
		mov	[eax+4], esi
		mov	ecx, dword_6CF580
		mov	[eax], ecx
		mov	dword_6CF580, eax
		mov	eax, edx
		jmp	loc_AB8A8D
; 

loc_AB8B38:				; CODE XREF: MiReserveBootDriverPtes(x,x)+B6j
		xor	eax, eax
		jmp	loc_AB8A8D
_MiReserveBootDriverPtes@8 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeBootLoadedDriverPfns proc near ; CODE XREF:	MiInitializeDriverImages+43p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE234A SIZE 0000004D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		lea	eax, [ecx+10h]
		push	esi
		push	edi
		mov	edi, [eax]
		cmp	edi, eax
		mov	[ebp+var_24], eax
		jmp	loc_AB8C2A
; 

loc_AB8B5A:				; CODE XREF: MiInitializeBootLoadedDriverPfns+A7j
					; MiInitializeBootLoadedDriverPfns+146j
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		mov	ecx, [edi]
		nop
		mov	eax, [edi+4]
		mov	[ebp+var_C], eax
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], eax
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	ebx, ecx, 1Ch
		add	ebx, ds:_MmPfnDatabase
		mov	ecx, ebx
		call	_MiIsPfnFromSlabAllocation@4 ; MiIsPfnFromSlabAllocation(x)
		test	eax, eax
		jnz	loc_AE234A

loc_AB8B94:				; CODE XREF: MiInitializeBootLoadedDriverPfns+2980Bj
		mov	ecx, [ebp+var_C]
		xor	eax, eax
		and	ecx, 80000000h
		or	eax, ecx
		jnz	short loc_AB8BDD
		mov	al, byte ptr ds:_MiFlags+2
		and	al, 1
		movzx	edx, al
		mov	eax, [ebx+8]
		neg	edx
		sbb	edx, edx
		xor	ecx, ecx
		and	edx, 0FFFFFFFDh
		and	eax, 0FFFFFC1Fh
		add	edx, 6
		shld	ecx, edx, 5
		or	[ebx+0Ch], ecx
		shl	edx, 5
		or	edx, eax
		mov	[ebx+8], edx
		test	byte ptr ds:_MiFlags+2,	1
		jnz	loc_AE2350

loc_AB8BDD:				; CODE XREF: MiInitializeBootLoadedDriverPfns+61j
					; MiInitializeBootLoadedDriverPfns+2981Dj ...
		or	byte ptr [ebx+17h], 8
		add	edi, 8
		cmp	edi, [ebp+var_18]
		jb	loc_AB8B5A
		mov	edi, [ebp+var_14]
		mov	[ebp+var_4], esi
		mov	ebx, [ebp+var_4]
		mov	esi, [ebp+var_1C]
		test	ebx, ebx
		jnz	loc_AE2371

loc_AB8C01:				; CODE XREF: MiInitializeBootLoadedDriverPfns+13Ej
					; MiInitializeBootLoadedDriverPfns+2984Bj
		mov	eax, [ebp+var_20]
		cmp	eax, ds:_PsNtosImageBase
		jz	short loc_AB8C25
		cmp	eax, ds:_PsHalImageBase
		jz	short loc_AB8C25
		mov	eax, esi
		mov	ecx, offset unk_6D362C
		lock xadd [ecx], eax
		sub	dword_6D361C, esi

loc_AB8C25:				; CODE XREF: MiInitializeBootLoadedDriverPfns+CAj
					; MiInitializeBootLoadedDriverPfns+D2j	...
		mov	edi, [edi]
		cmp	edi, [ebp+var_24]

loc_AB8C2A:				; CODE XREF: MiInitializeBootLoadedDriverPfns+15j
		mov	[ebp+var_14], edi
		jz	short loc_AB8C8B
		mov	ecx, [edi+18h]
		mov	ebx, ecx
		shr	ebx, 9
		and	ebx, offset loc_7FFFF8
		mov	[ebp+var_20], ecx
		lea	eax, [ebx-40000000h]
		mov	[ebp+var_C], eax
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jnz	short loc_AB8C25
		mov	esi, [edi+20h]
		mov	eax, dword_6CF51C
		add	esi, 0FFFh
		and	[ebp+var_4], 0
		shr	eax, 0Ch
		shr	esi, 0Ch
		add	esi, eax
		mov	[ebp+var_1C], esi
		lea	eax, [esi-8000000h]
		lea	eax, [ebx+eax*8]
		mov	[ebp+var_18], eax
		cmp	[ebp+var_C], eax
		jnb	short loc_AB8C01
		mov	esi, [ebp+var_4]
		mov	edi, [ebp+var_C]
		jmp	loc_AB8B5A
; 

loc_AB8C8B:				; CODE XREF: MiInitializeBootLoadedDriverPfns+EDj
		nop
		or	ds:_MiFlags, 1000h
		xor	eax, eax
		inc	eax

loc_AB8C99:				; CODE XREF: MiInitializeBootLoadedDriverPfns+29852j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiInitializeBootLoadedDriverPfns endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeMirroring proc near		; CODE XREF: MiInitSystem+194p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE2397 SIZE 000001DA BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		push	1
		push	1
		xor	edi, edi
		push	offset unk_6D3038
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		or	eax, 0FFFFFFFFh
		mov	dword_6D3050, offset _MiFinishResume@4 ; MiFinishResume(x)
		mov	[ebp+var_8], eax
		mov	dword_6D3054, eax
		mov	dword_6D3048, edi
		call	_MiSizeMemoryListLocks@0 ; MiSizeMemoryListLocks()
		push	edi
		push	40h
		mov	edx, 614C6D4Dh
		mov	ecx, eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jz	loc_AB8D89
		mov	ecx, large fs:124h
		mov	dword_6D5900, eax
		mov	eax, dword_6D07B0
		inc	eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], eax
		lea	esi, [eax+7]
		shr	esi, 3
		add	esi, 0FFFh
		shr	esi, 0Ch

loc_AB8D2E:				; CODE XREF: MiInitializeMirroring+D0j
		mov	edx, esi
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		test	eax, eax
		jz	short loc_AB8D89
		push	0Ch
		push	[ebp+var_C]
		shl	eax, 9
		lea	ecx, [ebp+var_20]
		mov	edx, eax
		call	MiInitializeDynamicBitmap
		test	eax, eax
		jz	short loc_AB8D89
		and	dword_6D305C[edi], 0
		mov	eax, [ebp+var_1C]
		and	[ebp+var_20], 0
		mov	dword_6D3060[edi], eax
		add	edi, 8
		cmp	edi, 10h
		jb	short loc_AB8D2E
		test	byte ptr ds:dword_7051BC, 1
		jnz	loc_AE2397

loc_AB8D7D:				; CODE XREF: MiInitializeMirroring+298CEj
		xor	eax, eax
		inc	eax

loc_AB8D80:				; CODE XREF: MiInitializeMirroring+EDj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_AB8D89:				; CODE XREF: MiInitializeMirroring+63j
					; MiInitializeMirroring+9Ej ...
		xor	eax, eax
		jmp	short loc_AB8D80
MiInitializeMirroring endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiInitializeModifiedWriterParameters()
_MiInitializeModifiedWriterParameters@0	proc near ; CODE XREF: MiInitSystem+13Bp
		mov	eax, ds:dword_7051C4
		cmp	eax, 40h
		ja	short loc_AB8DB2
		test	eax, eax
		jnz	short loc_AB8D9D
		inc	eax

loc_AB8D9D:				; CODE XREF: MiInitializeModifiedWriterParameters()+Cj
					; MiInitializeModifiedWriterParameters()+27j
		shl	eax, 8
		test	ds:dword_7051B8, 0FFFFFFFEh
		mov	ds:dword_7051C4, eax
		jnz	short loc_AB8DB7
		retn
; 

loc_AB8DB2:				; CODE XREF: MiInitializeModifiedWriterParameters()+8j
		push	40h
		pop	eax
		jmp	short loc_AB8D9D
; 

loc_AB8DB7:				; CODE XREF: MiInitializeModifiedWriterParameters()+21j
		and	ds:dword_7051B8, 0
		retn
_MiInitializeModifiedWriterParameters@0	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializePagedPoolEvents proc near	; CODE XREF: MiInitializeMemoryEvents(x)+A2p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE2571 SIZE 00000075 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, large fs:124h
		push	esi
		push	edi
		mov	[ebp+var_28], eax
		dec	word ptr [eax+13Eh]
		nop
		mov	edi, offset dword_6D35CC
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		push	6
		pop	ecx
		call	MiFreePoolPagesLeft
		mov	esi, eax
		cmp	esi, dword_6CF358
		jb	loc_AE2571
		push	0
		push	0
		push	dword_6D4ED4
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)

loc_AB8E20:				; CODE XREF: MiInitializePagedPoolEvents+297BCj
		cmp	esi, dword_6CF354
		jbe	loc_AE2581
		mov	eax, dword_6D4ED0
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)

loc_AB8E37:				; CODE XREF: MiInitializePagedPoolEvents+297D0j
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_8], edx
		mov	eax, edx
		lock xadd [edi], eax
		test	al, 2
		jnz	loc_AE2595

loc_AB8E4B:				; CODE XREF: MiInitializePagedPoolEvents+297D7j
					; MiInitializePagedPoolEvents+297E7j
		xor	edi, edi
		mov	eax, offset dword_6D35CC
		mov	[ebp+var_C], edi
		test	eax, 7FFFFFFCh
		jz	loc_AB8FAE
		mov	esi, large fs:124h
		mov	ecx, eax
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], eax
		cmp	eax, offset dword_6D35CC
		ja	short loc_AB8EAC
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_AB8E9C
		mov	eax, [ebp+var_20]
		cmp	eax, offset dword_6D35CC
		ja	short loc_AB8EAC
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jnz	short loc_AB8EAC

loc_AB8E9C:				; CODE XREF: MiInitializePagedPoolEvents+C7j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_8], eax

loc_AB8EAC:				; CODE XREF: MiInitializePagedPoolEvents+BCj
					; MiInitializePagedPoolEvents+D1j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset dword_6D35CC
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_20], ecx
		test	ecx, ecx
		jz	loc_AB8FBF
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_AB8EF4
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_20]

loc_AB8EF4:				; CODE XREF: MiInitializePagedPoolEvents+12Aj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	loc_AE25C1
		or	[esi+1E4h], dl

loc_AB8F3A:				; CODE XREF: MiInitializePagedPoolEvents+207j
					; MiInitializePagedPoolEvents+2980Dj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_24], eax
		jz	short loc_AB8F88
		test	edi, 8000h
		jz	short loc_AB8F5E
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_AB8F5E:				; CODE XREF: MiInitializePagedPoolEvents+193j
		test	byte ptr [ebp+var_C+2],	1
		jnz	short loc_AB8FD2

loc_AB8F64:				; CODE XREF: MiInitializePagedPoolEvents+222j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_AB8F78
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_AB8F78:				; CODE XREF: MiInitializePagedPoolEvents+1ABj
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_AE25D2

loc_AB8F88:				; CODE XREF: MiInitializePagedPoolEvents+18Bj
					; MiInitializePagedPoolEvents+29821j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_AB8FAE
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_AB8FAE
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_AB8FAE:				; CODE XREF: MiInitializePagedPoolEvents+9Aj
					; MiInitializePagedPoolEvents+1DFj ...
		mov	ecx, [ebp+var_28]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_AB8FBF:				; CODE XREF: MiInitializePagedPoolEvents+118j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_AB8F3A
		jmp	loc_AE25AC
; 

loc_AB8FD2:				; CODE XREF: MiInitializePagedPoolEvents+1A2j
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	short loc_AB8F64
MiInitializePagedPoolEvents endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputeOptimalZeroPath proc near	; CODE XREF: MiInitSystem+115p

var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE25E6 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		push	2
		pop	esi
		mov	[ebp+var_C], ebx
		mov	edi, ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], esi

loc_AB9005:				; CODE XREF: MiComputeOptimalZeroPath+60j
		push	ebx
		mov	edx, edi
		mov	ecx, offset _MiSystemPartition
		call	MiGetPage
		mov	[ebp+edi*4+var_48], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_AE2613
		mov	edx, [ebp+edi*4+var_40]
		imul	ecx, eax, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[ebp+edi*4+var_38], ecx
		movzx	eax, byte ptr [ecx+16h]
		shr	eax, 6
		cmp	eax, edx
		jz	short loc_AB9041
		push	ebx
		call	MiChangePageAttribute

loc_AB9041:				; CODE XREF: MiComputeOptimalZeroPath+55j
		inc	edi
		cmp	edi, esi
		jb	short loc_AB9005
		mov	ecx, ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_8], ecx

loc_AB904E:				; CODE XREF: MiComputeOptimalZeroPath+1CFj
		mov	eax, [ebp+ecx+var_40]
		mov	[ebp+var_4], eax
		mov	eax, [ebp+ecx+var_48]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], 3

loc_AB9069:				; CODE XREF: MiComputeOptimalZeroPath+C9j
		rdtsc
		mov	esi, eax
		mov	[ebp+var_28], ebx
		mov	edi, edx
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock or	[eax], ecx
		push	[ebp+var_4]
		mov	ecx, [ebp+var_1C]
		push	3
		pop	edx
		call	MiZeroPhysicalPage
		mov	[ebp+var_28], ebx
		lea	eax, [ebp+var_28]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [ebp+var_10]
		rdtsc
		sub	eax, esi
		sbb	edx, edi
		add	ecx, eax
		mov	eax, [ebp+var_14]
		adc	eax, edx
		mov	[ebp+var_10], ecx
		sub	[ebp+var_18], 1
		mov	[ebp+var_14], eax
		jnz	short loc_AB9069
		push	ebx
		push	3
		pop	esi
		push	esi
		push	eax
		push	ecx
		call	__aulldiv
		mov	ecx, [ebp+var_8]
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], edx
		mov	[ebp+var_14], ebx
		mov	eax, [ebp+ecx+var_38]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_18], eax
		mov	[ebp+var_20], esi

loc_AB90D4:				; CODE XREF: MiComputeOptimalZeroPath+14Cj
		rdtsc
		mov	esi, eax
		mov	[ebp+var_30], ebx
		mov	edi, edx
		lea	eax, [ebp+var_30]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [ebp+var_18]
		xor	edx, edx
		push	ebx
		inc	edx
		call	MiChangePageAttribute
		push	[ebp+var_4]
		mov	ecx, [ebp+var_1C]
		push	3
		pop	edx
		call	MiZeroPhysicalPage
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_18]
		push	ebx
		call	MiChangePageAttribute
		mov	[ebp+var_30], ebx
		lea	eax, [ebp+var_30]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [ebp+var_14]
		rdtsc
		sub	eax, esi
		sbb	edx, edi
		add	ecx, eax
		mov	eax, [ebp+var_10]
		adc	eax, edx
		mov	[ebp+var_14], ecx
		sub	[ebp+var_20], 1
		mov	[ebp+var_10], eax
		jnz	short loc_AB90D4
		push	ebx
		push	3
		push	eax
		push	ecx
		call	__aulldiv
		push	ebx
		push	0Ah
		push	[ebp+var_28]
		mov	edi, eax
		mov	[ebp+var_30], edx
		push	[ebp+var_24]
		call	__aulldiv
		mov	ecx, eax
		mov	eax, edx
		push	9
		pop	esi
		mul	esi
		push	9
		mov	esi, eax
		mov	eax, ecx
		pop	ecx
		mul	ecx
		add	esi, edx
		mov	edx, [ebp+var_30]
		cmp	edx, esi
		ja	short loc_AB9180
		jb	short loc_AB9170
		cmp	edi, eax
		jnb	short loc_AB9180

loc_AB9170:				; CODE XREF: MiComputeOptimalZeroPath+186j
		mov	eax, [ebp+var_4]
		shl	eax, 4
		mov	dword_6D0750[eax], 1

loc_AB9180:				; CODE XREF: MiComputeOptimalZeroPath+184j
					; MiComputeOptimalZeroPath+18Aj
		mov	eax, [ebp+var_2C]
		mov	ecx, [ebp+var_24]
		mov	dword_6D0790[eax], ecx
		mov	ecx, [ebp+var_28]
		mov	dword_6D0794[eax], ecx
		mov	ecx, [ebp+var_8]
		mov	dword_6D0798[eax], edi
		add	ecx, 4
		mov	dword_6D079C[eax], edx
		add	eax, 10h
		mov	[ebp+var_2C], eax
		mov	[ebp+var_8], ecx
		cmp	eax, 20h
		jb	loc_AB904E
		mov	edi, 7FFFFFFFh

loc_AB91BE:				; CODE XREF: MiComputeOptimalZeroPath+210j
		mov	esi, [ebp+ebx+var_38]
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+var_C]
		mov	bl, al
		push	2
		pop	edx
		mov	ecx, [ebp+ecx+var_48]
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		lea	ecx, [esi+10h]
		lock and [ecx],	edi
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+var_C]
		add	ebx, 4
		mov	[ebp+var_C], ebx
		cmp	ebx, 8
		jb	short loc_AB91BE

loc_AB91F6:				; CODE XREF: MiComputeOptimalZeroPath+29633j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiComputeOptimalZeroPath endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeCacheFlushing proc near	; CODE XREF: MiInitSystem+110p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE261C SIZE 00000032 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_28]
		xor	esi, esi
		push	esi
		rep stosd
		push	20h
		lea	eax, [ebp+var_28]
		push	eax
		push	0C0h
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_AB9240
		mov	eax, [ebp+var_20]
		and	eax, 1
		or	eax, esi
		jnz	loc_AE261C

loc_AB9240:				; CODE XREF: MiInitializeCacheFlushing+34j
					; MiInitializeCacheFlushing+29427j
		push	esi
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		call	MiGetPage
		mov	[ebp+var_40], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_AB941D
		imul	edi, eax, 1Ch
		xor	edx, edx
		push	esi
		inc	edx
		mov	[ebp+var_34], esi
		mov	ebx, esi
		mov	[ebp+var_44], esi
		mov	[ebp+var_48], esi
		add	edi, ds:_MmPfnDatabase
		mov	ecx, edi
		mov	[ebp+var_74], edi
		call	_MiFinalizePageAttribute@12 ; MiFinalizePageAttribute(x,x,x)
		push	2
		pop	eax
		mov	cl, al
		mov	[ebp+var_4C], eax
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_29], al
		lea	esi, [edi+10h]
		mov	[ebp+var_30], 4

loc_AB9296:				; CODE XREF: MiInitializeCacheFlushing+141j
		mov	ecx, [ebp+var_40]
		xor	edx, edx
		push	0
		inc	edx
		call	MiZeroPhysicalPage
		and	[ebp+var_50], 0

loc_AB92A7:				; CODE XREF: MiInitializeCacheFlushing+2943Aj
		lock bts dword ptr [esi], 1Fh
		jb	loc_AE2628
		and	byte ptr [edi+16h], 3Fh
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		and	[ebp+var_54], 0
		xor	ecx, ecx
		rdtsc
		mov	[ebp+var_64], eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_3C], edx
		lock or	[eax], ecx
		xor	edx, edx
		push	ecx
		mov	ecx, [ebp+var_40]
		inc	edx
		call	_MiFlushCacheForAttributeChange@12 ; MiFlushCacheForAttributeChange(x,x,x)
		and	[ebp+var_58], 0
		lea	eax, [ebp+var_58]
		xor	ecx, ecx
		lock or	[eax], ecx
		and	[ebp+var_5C], ecx
		rdtsc
		mov	[ebp+var_60], eax
		mov	[ebp+var_38], edx

loc_AB92F5:				; CODE XREF: MiInitializeCacheFlushing+2944Dj
		lock bts dword ptr [esi], 1Fh
		jb	loc_AE263B
		mov	al, [edi+16h]
		and	al, 3Fh
		or	al, 40h
		mov	[edi+16h], al
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		inc	dword_6D06D8
		push	2
		pop	edx
		push	4
		pop	ecx
		call	KeFlushTb
		mov	ecx, [ebp+var_60]
		sub	ecx, [ebp+var_64]
		mov	edx, [ebp+var_38]
		sbb	edx, [ebp+var_3C]
		mov	eax, [ebp+var_34]
		add	eax, ecx
		mov	[ebp+var_34], eax
		adc	ebx, edx
		sub	[ebp+var_30], 1
		jnz	loc_AB9296
		shrd	eax, ebx, 2
		shr	ebx, 2
		mov	[ebp+var_34], eax
		or	eax, ebx
		mov	[ebp+var_38], ebx
		jz	loc_AB940D
		mov	eax, dword_6D06B8
		test	eax, eax
		jnz	short loc_AB9366
		mov	eax, 100h

loc_AB9366:				; CODE XREF: MiInitializeCacheFlushing+163j
		shr	eax, 2
		mov	edx, 20206D4Dh
		imul	eax, 3
		push	0
		push	40h
		mov	ecx, eax
		mov	[ebp+var_3C], eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	loc_AB940D
		mov	ebx, eax

loc_AB938C:				; CODE XREF: MiInitializeCacheFlushing+1EDj
		push	[ebp+var_3C]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		rdtsc
		xor	ebx, ebx
		mov	esi, eax
		add	esp, 0Ch
		mov	[ebp+var_68], ebx
		mov	edi, edx
		lea	eax, [ebp+var_68]
		xor	ecx, ecx
		lock or	[eax], ecx
		inc	dword_6D06DC
		call	KeInvalidateAllCaches
		mov	[ebp+var_6C], ebx
		lea	eax, [ebp+var_6C]
		xor	ecx, ecx
		lock or	[eax], ecx
		rdtsc
		mov	[ebp+var_70], ebx
		lea	ecx, [ebp+var_70]
		lock or	[ecx], ebx
		mov	ebx, [ebp+var_30]
		sub	eax, esi
		mov	esi, [ebp+var_44]
		sbb	edx, edi
		mov	edi, [ebp+var_48]
		add	esi, eax
		mov	[ebp+var_44], esi
		adc	edi, edx
		sub	[ebp+var_4C], 1
		mov	[ebp+var_48], edi
		jnz	short loc_AB938C
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_38]
		and	esi, 0FFFFFFFEh
		mov	ecx, [ebp+var_34]
		push	ebx
		push	ecx
		push	edi
		push	esi
		call	__aulldiv
		mov	edi, [ebp+var_74]
		mov	dword_6D06E4, eax

loc_AB940D:				; CODE XREF: MiInitializeCacheFlushing+156j
					; MiInitializeCacheFlushing+188j
		mov	cl, [ebp+var_29]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, edi
		call	_MiReleaseFreshPage@4 ;	MiReleaseFreshPage(x)

loc_AB941D:				; CODE XREF: MiInitializeCacheFlushing+57j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
MiInitializeCacheFlushing endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeSessionIds proc near	; CODE XREF: MiInitSystem+10Bp

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE264E SIZE 00000181 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 68h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	0Eh
		pop	eax
		push	10h
		pop	ecx
		xor	edi, edi
		mov	word ptr [ebp+var_68], ax
		push	edi
		push	100h
		mov	edx, 20206D4Dh
		mov	word ptr [ebp+var_68+2], cx
		mov	[ebp+var_64], offset ??_C@_1BA@FJPOMCMI@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn@PBOPGDP@
		mov	dword_6D05C0, edi
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	dword_6D35C8, eax
		test	eax, eax
		jz	loc_AE265E
		lea	ecx, [eax+8]
		mov	dword ptr [eax], 40h
		mov	[eax+4], ecx
		mov	eax, dword_6D35C8
		test	eax, eax
		jz	loc_AE265E
		push	eax
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		push	edi
		push	edi
		push	offset unk_6D05DC
		mov	dword_6D05D8, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_60]
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	word ptr [ebp+var_60], si
		lea	eax, [ebp+var_60]
		mov	[ebp+var_58], edi
		mov	esi, (offset loc_AF68BF+1)
		mov	[ebp+var_3C], 200h
		lea	edi, [ebp+var_54]
		add	esp, 0Ch
		movsd
		push	offset _MmSessionObjectType
		push	0
		movsd
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		movsd
		movsd
		or	byte ptr [ebp+var_60+2], 0Ch
		mov	[ebp+var_34], 18h
		mov	[ebp+var_44], 0F0003h
		mov	[ebp+var_24], offset _MiSessionObjectDelete@4 ;	MiSessionObjectDelete(x)
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AE264E
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
MiInitializeSessionIds endp ; sp =  4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCreateEnclaveRegions proc near	; CODE XREF: MiInitSystem+E9p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h

; FUNCTION CHUNK AT 00AE27CF SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		mov	eax, offset dword_6D3594
		mov	esi, ecx
		xor	edi, edi
		mov	dword_6D3598, eax
		and	dword_6D359C, edi
		mov	ecx, offset unk_6D35A0
		mov	[ebp+var_10], edi
		mov	dword_6D3594, eax
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		push	edi
		push	80h
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebp+var_18], eax
		lea	eax, [esi+18h]
		mov	esi, [eax]
		mov	[ebp+var_1C], edx
		mov	[ebp+var_20], eax
		cmp	esi, eax
		jz	short loc_AB959A

loc_AB957E:				; CODE XREF: MiCreateEnclaveRegions+68j
		mov	eax, [esi+8]
		cmp	eax, 21h
		jz	loc_AE267D
		cmp	eax, 23h
		jz	loc_AE267D

loc_AB9593:				; CODE XREF: MiInitializeSessionIds+2939Ej
		mov	esi, [esi]
		cmp	esi, [ebp+var_20]
		jnz	short loc_AB957E

loc_AB959A:				; CODE XREF: MiCreateEnclaveRegions+4Cj
		cmp	dword_6D3580, 0
		jnz	loc_AE27CF

loc_AB95A7:				; CODE XREF: MiCreateEnclaveRegions+292A6j
		xor	eax, eax
		inc	eax

loc_AB95AA:				; CODE XREF: MiCreateEnclaveRegions+292AEj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiCreateEnclaveRegions endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeCfg()
_MiInitializeCfg@0 proc	near		; CODE XREF: MiInitSystem+D9p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	ecx, ecx
		mov	[ebp+var_10], 3000000h
		push	ecx
		push	ecx
		push	4000000h
		push	4
		lea	eax, [ebp+var_10]
		mov	[ebp+var_4], ecx
		push	eax
		push	ecx
		push	0F001Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], ecx
		push	eax
		call	MmCreateSection
		test	eax, eax
		js	short locret_AB95FC
		mov	ecx, [ebp+var_4]
		mov	dword_6CF4F8, ecx
		call	_MiSectionControlArea@4	; MiSectionControlArea(x)
		mov	dword_6CF4FC, eax
		xor	eax, eax

locret_AB95FC:				; CODE XREF: MiInitializeCfg()+35j
		leave
		retn
_MiInitializeCfg@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiSectionInitialization	proc near	; CODE XREF: MiInitSystem:loc_AB7584p

var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_6C		= dword	ptr -6Ch
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		push	ebx
		push	esi
		push	edi
		push	0Eh
		pop	eax
		or	dword_6D34D4, 0FFFFFFFFh
		xor	ebx, ebx
		push	10h
		mov	word ptr [ebp+var_10], ax
		pop	eax
		push	2Ch
		mov	word ptr [ebp+var_10+2], ax
		pop	eax
		push	2Eh
		mov	word ptr [ebp+var_18], ax
		pop	eax
		push	58h
		pop	esi
		push	esi		; size_t
		mov	word ptr [ebp+var_18+2], ax
		lea	eax, [ebp+var_88]
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], (offset loc_ADF265+1)
		mov	[ebp+var_14], offset ??_C@_1CO@GCKPAJAM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAP?$AAh?$AAy?$AAs?$AAi?$AAc?$AAa@PBOPGDP@ ; "\\Device\\PhysicalMemory"
		mov	dword_6CF3C4, ebx
		call	_memset
		mov	word ptr [ebp+var_88], si
		lea	edi, [ebp+var_7C]
		mov	[ebp+var_80], 100h
		lea	eax, [ebp+var_88]
		mov	[ebp+var_64], 1
		mov	esi, offset _MiSectionMapping
		mov	[ebp+var_60], 28h
		add	esp, 0Ch
		mov	[ebp+var_6C], 0F001Fh
		mov	[ebp+var_54], offset _MiSectionOpen@24 ; MiSectionOpen(x,x,x,x,x,x)
		mov	[ebp+var_50], offset _MiSectionClose@16	; MiSectionClose(x,x,x,x)
		mov	[ebp+var_4C], offset MiSectionDelete
		movsd
		push	offset _MmSectionObjectType
		push	ebx
		push	eax
		movsd
		lea	eax, [ebp+var_10]
		push	eax
		movsd
		movsd
		or	byte ptr [ebp+var_88+2], 4
		mov	[ebp+var_84], 80h
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AB97BB
		push	ebx
		push	100h
		push	30h
		mov	edx, 67536D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_AB97BB
		push	50h		; size_t
		push	ebx		; int
		mov	edi, offset dword_6CF430
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		push	54h		; size_t
		push	ebx		; int
		push	offset dword_6CF3D8 ; void *
		call	_memset
		add	esp, 0Ch
		mov	[esi+1Ch], ebx
		or	dword_6CF44C, 400h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_4]
		mov	dword_6CF3D8, edi
		push	eax
		push	ebx
		push	28h
		push	28h
		push	ebx
		push	ebx
		lea	eax, [ebp+var_30]
		mov	dword_6CF430, esi
		push	eax
		mov	dword_6CF43C, 1
		mov	[esi], edi
		push	ds:_MmSectionObjectType
		mov	[ebp+var_30], 18h
		push	ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], 10010h
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		call	_ObCreateObject@36 ; ObCreateObject(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	sub_AE27E3
		mov	ecx, [ebp+var_4]
		mov	[ecx+14h], edi
		or	dword ptr [ecx+18h], 0FFFFFFFFh
		mov	dword ptr [ecx+1Ch], 1Fh
		mov	[ecx+20h], ebx
		mov	eax, [ecx+24h]
		and	eax, 0FFFFF040h
		or	eax, 40h
		mov	[ecx+24h], eax
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	ebx
		push	4
		push	ebx
		push	ecx
		call	_ObInsertObject@24 ; ObInsertObject(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AB97BB
		push	ebx
		push	[ebp+var_8]
		call	ObCloseHandle
		xor	eax, eax
		inc	eax

loc_AB97B6:				; CODE XREF: MiSectionInitialization+1BFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB97BB:				; CODE XREF: MiSectionInitialization+CEj
					; MiSectionInitialization+EBj ...
		xor	eax, eax
		jmp	short loc_AB97B6
MiSectionInitialization	endp

; 
		align 10h

;  S U B	R O U T	I N E 


MiInitializeTbFlushing proc near	; CODE XREF: MiInitSystem+410p

; FUNCTION CHUNK AT 00AE27EF SIZE 00000025 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		call	KeGetTbSize
		mov	esi, eax
		mov	edi, 800h
		test	esi, esi
		jz	short loc_AB97F3

loc_AB97D5:				; CODE XREF: MiInitializeTbFlushing+35j
		or	dword_6D0748, 0FFFFFFFFh
		mov	ecx, esi
		call	MiInitializeTbFlush
		cmp	dword_6D0748, esi
		jz	loc_AE27EF

loc_AB97EF:				; CODE XREF: MiInitializeTbFlushing+29031j
					; MiInitializeTbFlushing+2904Fj
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_AB97F3:				; CODE XREF: MiInitializeTbFlushing+13j
		mov	esi, edi
		jmp	short loc_AB97D5
MiInitializeTbFlushing endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeTbFlush proc near		; CODE XREF: MiInitializeTbFlushing+1Ep
					; MiInitializeTbFlushing+29042p

var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE2814 SIZE 00000072 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0FCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_A0]
		push	98h		; size_t
		mov	edi, ecx
		mov	[ebp+var_D4], ebx
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_B4], edi
		mov	[ebp+var_DC], ebx
		mov	[ebp+var_D8], ebx
		mov	[ebp+var_E0], ebx
		call	_memset
		add	esp, 0Ch
		mov	edx, edi
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	esi, eax
		mov	[ebp+var_FC], esi
		test	esi, esi
		jz	loc_AB9B38
		mov	edx, dword_6D34E4
		mov	ecx, esi
		push	1
		mov	[ebp+var_98], 21h
		mov	[ebp+var_8C], ebx
		call	MiMakeValidPte
		mov	ecx, edx
		mov	ebx, eax
		mov	edx, esi
		mov	[ebp+var_A4], ecx
		shl	edx, 9
		mov	[ebp+var_B0], edx
		test	edi, edi
		jz	short loc_AB98F6
		mov	[ebp+var_A8], edi
		mov	edi, edx

loc_AB98A3:				; CODE XREF: MiInitializeTbFlush+F0j
		and	[ebp+var_AC], 0
		mov	edx, ecx
		mov	ecx, esi
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_AE2814
		mov	eax, ebx

loc_AB98BD:				; CODE XREF: MiInitializeTbFlush+29037j
					; MiInitializeTbFlush+29049j ...
		mov	[esi+4], edx
		nop
		cmp	[ebp+var_AC], 0
		mov	[esi], eax
		jnz	loc_AE2878

loc_AB98D0:				; CODE XREF: MiInitializeTbFlush+29089j
		mov	al, [edi]
		add	esi, 8
		mov	ecx, [ebp+var_A4]
		add	edi, 1000h
		sub	[ebp+var_A8], 1
		jnz	short loc_AB98A3
		mov	edi, [ebp+var_B4]
		mov	edx, [ebp+var_B0]

loc_AB98F6:				; CODE XREF: MiInitializeTbFlush+A1j
		xor	ebx, ebx
		xor	esi, esi
		and	[ebp+var_E4], ebx
		mov	[ebp+var_AC], ebx
		test	edi, edi
		jz	loc_AB9B6F

loc_AB990E:				; CODE XREF: MiInitializeTbFlush+2EAj
		and	[ebp+var_A8], 0
		mov	eax, esi
		and	[ebp+var_A4], 0
		xor	edi, edi
		and	[ebp+var_CC], 0
		shl	eax, 0Ch
		add	eax, edx
		mov	[ebp+var_D0], 4
		mov	[ebp+var_C4], eax
		mov	eax, [ebp+var_B4]
		mov	ebx, [ebp+var_C4]
		sub	eax, esi
		mov	[ebp+var_C8], eax
		shr	eax, 1
		mov	[ebp+var_C0], eax

loc_AB9958:				; CODE XREF: MiInitializeTbFlush+27Dj
		and	[ebp+var_E8], 0
		xor	ecx, ecx
		rdtsc
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_BC], edx
		lock or	[eax], ecx
		test	esi, esi
		jz	loc_AB9AF2
		mov	edx, [ebp+var_B0]
		push	ecx
		push	esi
		lea	ecx, [ebp+var_A0]
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList

loc_AB999E:				; CODE XREF: MiInitializeTbFlush+304j
		and	[ebp+var_EC], 0
		lea	eax, [ebp+var_EC]
		xor	ecx, ecx
		lock or	[eax], ecx
		rdtsc
		sub	eax, [ebp+var_B8]
		mov	ecx, ebx
		sbb	edx, [ebp+var_BC]
		add	[ebp+var_A8], eax
		adc	[ebp+var_A4], edx
		and	[ebp+var_BC], 0
		rdtsc
		mov	[ebp+var_F4], eax
		lea	eax, [ebp+var_BC]
		mov	[ebp+var_F8], edx
		xor	edx, edx
		lock or	[eax], edx
		cmp	[ebp+var_C0], edx
		jbe	short loc_AB9A31
		mov	ecx, [ebp+var_C8]
		mov	edx, ebx
		shl	ecx, 0Ch
		add	ecx, 0FFFFF000h
		add	ecx, ebx
		mov	ebx, [ebp+var_C0]

loc_AB9A0D:				; CODE XREF: MiInitializeTbFlush+22Bj
		mov	al, [edx]
		mov	al, [ecx]
		mov	eax, 1000h
		mov	[ebp+var_B8], ecx
		add	edx, eax
		sub	ecx, eax
		sub	ebx, 1
		jnz	short loc_AB9A0D
		mov	ebx, [ebp+var_C4]
		mov	ecx, [ebp+var_B8]

loc_AB9A31:				; CODE XREF: MiInitializeTbFlush+1FAj
		test	byte ptr [ebp+var_C8], 1
		jnz	loc_AB9AE7

loc_AB9A3E:				; CODE XREF: MiInitializeTbFlush+2F5j
		and	[ebp+var_F0], 0
		lea	eax, [ebp+var_F0]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ecx, [ebp+var_CC]
		rdtsc
		sub	eax, [ebp+var_F4]
		sbb	edx, [ebp+var_F8]
		add	ecx, eax
		mov	[ebp+var_CC], ecx
		adc	edi, edx
		sub	[ebp+var_D0], 1
		jnz	loc_AB9958
		mov	eax, [ebp+var_A4]
		mov	edx, [ebp+var_A8]
		mov	ebx, [ebp+var_AC]
		shrd	edx, eax, 2
		shrd	ecx, edi, 2
		shr	eax, 2
		shr	edi, 2
		test	esi, esi
		jz	loc_AB9B47
		add	ecx, edx
		mov	edx, [ebp+var_D4]
		adc	edi, eax
		add	edx, [ebp+var_D8]
		mov	eax, [ebp+var_DC]
		adc	eax, [ebp+var_E0]
		cmp	edi, eax
		jb	short loc_AB9AC9
		ja	short loc_AB9B01
		cmp	ecx, edx
		jnb	short loc_AB9B01

loc_AB9AC9:				; CODE XREF: MiInitializeTbFlush+2C9j
		xor	ebx, ebx
		mov	[ebp+var_AC], ebx

loc_AB9AD1:				; CODE XREF: MiInitializeTbFlush+31Dj
					; MiInitializeTbFlush+367j
		mov	edi, [ebp+var_B4]
		inc	esi
		cmp	esi, edi
		jnb	short loc_AB9B22
		mov	edx, [ebp+var_B0]
		jmp	loc_AB990E
; 

loc_AB9AE7:				; CODE XREF: MiInitializeTbFlush+240j
		mov	al, [ecx-1000h]
		jmp	loc_AB9A3E
; 

loc_AB9AF2:				; CODE XREF: MiInitializeTbFlush+182j
		push	2
		pop	edx
		xor	ecx, ecx
		call	KeFlushTb
		jmp	loc_AB999E
; 

loc_AB9B01:				; CODE XREF: MiInitializeTbFlush+2CBj
					; MiInitializeTbFlush+2CFj
		test	ebx, ebx
		jz	short loc_AB9B64
		mov	eax, [ebp+var_E4]

loc_AB9B0B:				; CODE XREF: MiInitializeTbFlush+375j
		inc	ebx
		mov	[ebp+var_AC], ebx
		cmp	ebx, 3
		jnz	short loc_AB9AD1
		mov	edi, [ebp+var_B4]
		mov	dword_6D0748, eax

loc_AB9B22:				; CODE XREF: MiInitializeTbFlush+2E2j
		cmp	ebx, 3
		jnz	short loc_AB9B6F

loc_AB9B27:				; CODE XREF: MiInitializeTbFlush+37Dj
		mov	edx, [ebp+var_FC]
		mov	ecx, offset dword_6D35E0
		push	edi
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_AB9B38:				; CODE XREF: MiInitializeTbFlush+65j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AB9B47:				; CODE XREF: MiInitializeTbFlush+2A5j
		mov	[ebp+var_D4], edx
		mov	[ebp+var_DC], eax
		mov	[ebp+var_D8], ecx
		mov	[ebp+var_E0], edi
		jmp	loc_AB9AD1
; 

loc_AB9B64:				; CODE XREF: MiInitializeTbFlush+30Bj
		lea	eax, [esi-1]
		mov	[ebp+var_E4], eax
		jmp	short loc_AB9B0B
; 

loc_AB9B6F:				; CODE XREF: MiInitializeTbFlush+110j
					; MiInitializeTbFlush+32Dj
		mov	dword_6D0748, esi
		jmp	short loc_AB9B27
MiInitializeTbFlush endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeGetTbSize	proc near		; CODE XREF: MiInitializeTbFlushing+5p

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= byte ptr -3Ch
var_38		= dword	ptr -38h
var_34		= byte ptr -34h
var_30		= dword	ptr -30h
var_2C		= byte ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE2886 SIZE 0000007C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_3C], 0B4h
		push	esi
		push	edi
		lea	edi, [ebp+var_4C]
		mov	[ebp+var_38], 100h
		stosd
		mov	[ebp+var_34], 64h
		mov	[ebp+var_2C], 0C1h
		mov	[ebp+var_28], 400h
		stosd
		mov	[ebp+var_24], 0C3h
		mov	[ebp+var_20], 600h
		mov	[ebp+var_1C], 0CAh
		stosd
		stosd
		mov	eax, 200h
		mov	[ebp+var_30], eax
		mov	[ebp+var_18], eax
		mov	eax, large fs:20h
		mov	al, [eax+3BEh]
		cmp	al, 2
		jz	loc_AE2886
		cmp	al, 1
		jnz	loc_AB9C71
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		push	2
		mov	[edi+0Ch], edx
		mov	edi, [ebp+var_4C]
		pop	eax
		cmp	edi, eax
		jb	short loc_AB9C71
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [ebp+var_4C]
		mov	[ebx], eax
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		mov	eax, [ebp+var_4C]
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_48]
		mov	[ebp+var_10], eax
		mov	eax, [ebp+var_44]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+var_40]
		mov	[ebp+var_8], eax
		cmp	edi, 18h
		jnb	short loc_AB9C86

loc_AB9C3D:				; CODE XREF: KeGetTbSize+28D85j
		xor	edx, edx

loc_AB9C3F:				; CODE XREF: KeGetTbSize+F7j
		movzx	ebx, [ebp+edx*8+var_3C]
		xor	ecx, ecx
		mov	edi, [ebp+edx*8+var_38]

loc_AB9C4A:				; CODE XREF: KeGetTbSize+F1j
		xor	esi, esi

loc_AB9C4C:				; CODE XREF: KeGetTbSize+E9j
		mov	eax, [ebp+esi*4+var_14]
		test	eax, eax
		js	short loc_AB9C5D
		shr	eax, cl
		movzx	eax, al
		cmp	eax, ebx
		jz	short loc_AB9C75

loc_AB9C5D:				; CODE XREF: KeGetTbSize+DAj
		inc	esi
		cmp	esi, 4
		jb	short loc_AB9C4C
		add	ecx, 8
		cmp	ecx, 20h
		jb	short loc_AB9C4A
		inc	edx
		cmp	edx, 5
		jb	short loc_AB9C3F

loc_AB9C71:				; CODE XREF: KeGetTbSize+68j
					; KeGetTbSize+8Fj ...
		xor	eax, eax
		jmp	short loc_AB9C77
; 

loc_AB9C75:				; CODE XREF: KeGetTbSize+E3j
		mov	eax, edi

loc_AB9C77:				; CODE XREF: KeGetTbSize+FBj
					; KeGetTbSize+28D57j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AB9C86:				; CODE XREF: KeGetTbSize+C3j
		xor	ecx, ecx
		jmp	loc_AE28D4
KeGetTbSize	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiInitializeRelocations()
_MiInitializeRelocations@0 proc	near	; CODE XREF: MiInitSystem+3F9p
		push	0
		push	100h
		mov	edx, 69526D4Dh
		mov	ecx, 500h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		test	eax, eax
		jz	short loc_AB9CEC
		xor	ecx, ecx
		mov	dword_6CF4CC, 2800h
		inc	ecx
		mov	dword_6CF4D0, eax
		call	ExGenRandom
		movzx	ecx, al
		mov	dword_6CF4D4, ecx
		xor	ecx, ecx
		inc	ecx
		call	ExGenRandom
		movzx	ecx, al
		xor	eax, eax
		add	ecx, 7800h
		shl	ecx, 10h
		inc	eax
		mov	dword_6CF4D8, ecx
		mov	dword_6CF4DC, ecx
		retn
; 

loc_AB9CEC:				; CODE XREF: MiInitializeRelocations()+18j
		xor	eax, eax
		retn
_MiInitializeRelocations@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeDummyPages()
_MiInitializeDummyPages@0 proc near	; CODE XREF: MiInitNucleus(x)+24Fp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		call	_MiAllocateDummyPage@0 ; MiAllocateDummyPage()
		push	0
		push	20h
		mov	esi, eax
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	edi, eax
		mov	eax, edx
		mov	[esi+0Ch], eax
		mov	[esi+8], edi
		sub	esi, ds:_MmPfnDatabase
		mov	[ebp+var_4], eax
		mov	eax, esi
		push	1Ch
		pop	esi
		cdq
		idiv	esi
		push	0
		mov	ecx, eax
		mov	dword_6D34F0, eax
		call	MiFillPhysicalPages
		call	_MiAllocateDummyPage@0 ; MiAllocateDummyPage()
		mov	ecx, [ebp+var_4]
		mov	dword_6D34E0, eax
		push	0FFFFFFFFh
		mov	[eax+0Ch], ecx
		mov	[eax+8], edi
		mov	eax, dword_6D34E0
		sub	eax, ds:_MmPfnDatabase
		cdq
		idiv	esi
		mov	ecx, eax
		mov	dword_6D34E4, eax
		call	MiFillPhysicalPages
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
_MiInitializeDummyPages@0 endp ; sp =  4


;  S U B	R O U T	I N E 


; __stdcall MiAllocateDummyPage()
_MiAllocateDummyPage@0 proc near	; CODE XREF: MiInitSystem+3BCp
					; MiInitializeDummyPages()+1Bp	...
		mov	edi, edi
		push	ebx
		push	esi
		xor	edx, edx
		mov	esi, offset _MiSystemPartition
		inc	edx
		mov	ecx, esi
		push	edx
		push	0
		call	MiAcquireNonPagedResources
		push	208h
		xor	edx, edx
		mov	ecx, esi
		call	MiGetPage
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AB9E05
		imul	esi, eax, 1Ch
		xor	edx, edx
		push	0
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiSetPfnTbFlushStamp@12 ; MiSetPfnTbFlushStamp(x,x,x)
		mov	ecx, esi
		mov	dword ptr [esi+4], 0C0000000h
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		push	0
		push	80h
		mov	bl, al
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		and	dword ptr [esi+18h], 7F800000h
		lea	ecx, [esi+10h]
		mov	[esi+8], eax
		push	2
		pop	eax
		mov	[esi+14h], ax
		mov	eax, 7FFFFFFFh
		mov	[esi+0Ch], edx
		or	byte ptr [esi+16h], 2Fh
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
; 

loc_AB9E05:				; CODE XREF: MiAllocateDummyPage()+27j
		push	102h
		push	dword_6D5D84
		push	dword_6D5D80
		push	dword_6D5D88
		push	7Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_MiAllocateDummyPage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeLoadedModuleList(x)
_MiInitializeLoadedModuleList@4	proc near ; CODE XREF: MiInitSystem+36Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, offset dword_6CF540
		xor	ebx, ebx
		push	offset _PsLoadedModuleResource
		mov	edi, ecx
		mov	[ebp+var_4], ebx
		mov	dword_6CF544, eax
		mov	dword_6CF540, eax
		call	ExInitializeResourceLite
		mov	eax, offset _PsLoadedModuleList
		mov	_ExpCovPushLock, ebx
		push	1
		mov	dword_6C6E3C, eax
		mov	_PsLoadedModuleList, eax
		mov	eax, offset _ExpCovUnloadedModuleList
		push	ebx
		push	7Eh
		mov	dword_6BB4EC, eax
		mov	_ExpCovUnloadedModuleList, eax
		call	NtSetDebugFilterState
		add	edi, 10h
		mov	esi, [edi]
		mov	ecx, esi
		call	_MiLocateKernelSections@4 ; MiLocateKernelSections(x)

loc_AB9E87:				; CODE XREF: MiInitializeLoadedModuleList(x)+8Aj
		cmp	esi, edi
		jz	short loc_AB9EB0
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax		; int
		push	1		; int
		push	ebx		; int
		lea	eax, [esi+24h]
		push	eax		; void *
		lea	edx, [esi+2Ch]
		call	MiConstructLoaderEntry
		test	eax, eax
		js	short loc_AB9EBD
		mov	ecx, [ebp+var_4]
		call	MiLockdownSections
		mov	esi, [esi]
		jmp	short loc_AB9E87
; 

loc_AB9EB0:				; CODE XREF: MiInitializeLoadedModuleList(x)+65j
		call	MiBuildImportsForBootDrivers
		xor	eax, eax
		inc	eax

loc_AB9EB8:				; CODE XREF: MiInitializeLoadedModuleList(x)+9Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AB9EBD:				; CODE XREF: MiInitializeLoadedModuleList(x)+7Ej
		xor	eax, eax
		jmp	short loc_AB9EB8
_MiInitializeLoadedModuleList@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiBuildImportsForBootDrivers proc near	; CODE XREF: MiInitializeLoadedModuleList(x):loc_AB9EB0p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE2902 SIZE 00000055 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		and	[ebp+var_8], 0
		xor	edx, edx
		mov	eax, _PsLoadedModuleList
		push	ebx
		push	esi
		xor	esi, esi
		xor	ebx, ebx
		push	edi
		cmp	eax, offset _PsLoadedModuleList
		jz	loc_AE294D
		xor	edi, edi
		inc	edi

loc_AB9EEA:				; CODE XREF: MiBuildImportsForBootDrivers+5Dj
		mov	ecx, [eax+18h]
		cmp	ds:_PsNtosImageBase, ecx
		jz	loc_ABA11D
		cmp	ds:_PsHalImageBase, ecx
		jz	loc_ABA124

loc_AB9F05:				; CODE XREF: MiBuildImportsForBootDrivers+25Dj
					; MiBuildImportsForBootDrivers+264j
		test	dword ptr [eax+34h], 4000000h
		jnz	short loc_AB9F6E

loc_AB9F0E:				; CODE XREF: MiBuildImportsForBootDrivers+AEj
					; MiBuildImportsForBootDrivers+B2j
		mov	ecx, edi

loc_AB9F10:				; CODE XREF: MiBuildImportsForBootDrivers+B6j
		mov	[eax+38h], cx
		inc	esi
		mov	[eax+4Ch], edi
		mov	eax, [eax]
		cmp	eax, offset _PsLoadedModuleList
		jnz	short loc_AB9EEA
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_14], ebx
		test	ebx, ebx
		jz	loc_AE294D
		test	edx, edx
		jz	loc_AE294D
		mov	eax, esi
		mov	edx, 54446D4Dh
		shl	eax, 2
		push	0
		push	100h
		mov	ecx, eax
		mov	[ebp+var_24], eax
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_4], edi
		test	edi, edi
		jz	loc_AE2943
		and	[ebp+var_18], 0
		mov	edi, _PsLoadedModuleList
		jmp	short loc_AB9F83
; 

loc_AB9F6E:				; CODE XREF: MiBuildImportsForBootDrivers+4Aj
		cmp	eax, edx
		jz	short loc_AB9F0E
		cmp	eax, ebx
		jz	short loc_AB9F0E
		xor	ecx, ecx
		jmp	short loc_AB9F10
; 

loc_AB9F7A:				; CODE XREF: MiBuildImportsForBootDrivers+E4j
					; MiBuildImportsForBootDrivers+136j ...
		mov	dword ptr [edi+4Ch], 0FFFFFFFEh

loc_AB9F81:				; CODE XREF: MiBuildImportsForBootDrivers+16Bj
					; MiBuildImportsForBootDrivers+238j
		mov	edi, [edi]

loc_AB9F83:				; CODE XREF: MiBuildImportsForBootDrivers+AAj
		mov	[ebp+var_20], edi
		cmp	edi, offset _PsLoadedModuleList
		jz	loc_ABA12B
		lea	eax, [ebp+var_8]
		push	eax
		push	0Ch
		push	1
		push	dword ptr [edi+18h]
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_AB9F7A
		push	[ebp+var_24]	; size_t
		push	0		; int
		push	[ebp+var_4]	; void *
		call	_memset
		mov	eax, [ebp+var_8]
		xor	ecx, ecx
		and	[ebp+var_1C], ecx
		add	esp, 0Ch
		shr	eax, 2
		xor	edx, edx
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	short loc_AB9FEC

loc_AB9FCC:				; CODE XREF: MiBuildImportsForBootDrivers+125j
		test	ecx, ecx
		jz	short loc_ABA032
		mov	eax, [esi]
		cmp	eax, ecx
		jb	short loc_ABA032
		cmp	eax, edx
		jnb	short loc_ABA032

loc_AB9FDA:				; CODE XREF: MiBuildImportsForBootDrivers+1B2j
					; MiBuildImportsForBootDrivers+1C2j
		mov	eax, [ebp+var_1C]
		add	esi, 4
		inc	eax
		mov	[ebp+var_1C], eax
		cmp	eax, [ebp+var_28]
		jb	short loc_AB9FCC
		mov	ebx, [ebp+var_14]

loc_AB9FEC:				; CODE XREF: MiBuildImportsForBootDrivers+108j
		xor	esi, esi
		xor	ecx, ecx
		xor	edx, edx
		mov	[ebp+var_8], esi
		cmp	[ebp+var_10], ecx
		jbe	short loc_AB9F7A

loc_AB9FFA:				; CODE XREF: MiBuildImportsForBootDrivers+14Aj
		mov	eax, [ebp+var_4]
		mov	eax, [eax+ecx*4]
		test	eax, eax
		jnz	loc_ABA089

loc_ABA008:				; CODE XREF: MiBuildImportsForBootDrivers+1C9j
					; MiBuildImportsForBootDrivers+1D2j ...
		inc	ecx
		cmp	ecx, [ebp+var_10]
		jb	short loc_AB9FFA
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	loc_AB9F7A
		cmp	esi, 1
		jnz	loc_ABA0AA
		mov	eax, edx
		or	eax, esi
		mov	[edi+4Ch], eax
		inc	word ptr [edx+38h]
		jmp	loc_AB9F81
; 

loc_ABA032:				; CODE XREF: MiBuildImportsForBootDrivers+10Cj
					; MiBuildImportsForBootDrivers+112j ...
		mov	eax, _PsLoadedModuleList
		xor	ebx, ebx
		cmp	eax, offset _PsLoadedModuleList
		jz	short loc_ABA06C
		mov	ecx, [esi]
		mov	[ebp+var_8], ecx

loc_ABA045:				; CODE XREF: MiBuildImportsForBootDrivers+198j
		mov	ecx, [eax+18h]
		mov	edx, [eax+20h]
		add	edx, ecx
		cmp	[ebp+var_8], ecx
		jnb	short loc_ABA05E

loc_ABA052:				; CODE XREF: MiBuildImportsForBootDrivers+19Fj
		mov	eax, [eax]
		inc	ebx
		cmp	eax, offset _PsLoadedModuleList
		jnz	short loc_ABA045
		jmp	short loc_ABA06C
; 

loc_ABA05E:				; CODE XREF: MiBuildImportsForBootDrivers+18Ej
		cmp	[ebp+var_8], edx
		jnb	short loc_ABA052
		mov	edi, [ebp+var_4]
		mov	[edi+ebx*4], eax
		mov	edi, [ebp+var_20]

loc_ABA06C:				; CODE XREF: MiBuildImportsForBootDrivers+17Cj
					; MiBuildImportsForBootDrivers+19Aj
		mov	eax, [esi]
		cmp	eax, ecx
		jb	short loc_ABA07A
		cmp	eax, edx
		jb	loc_AB9FDA

loc_ABA07A:				; CODE XREF: MiBuildImportsForBootDrivers+1AEj
		test	eax, eax
		jnz	loc_AE2902
		xor	ecx, ecx
		jmp	loc_AB9FDA
; 

loc_ABA089:				; CODE XREF: MiBuildImportsForBootDrivers+140j
		cmp	eax, ebx
		jz	loc_ABA008
		cmp	eax, [ebp+var_C]
		jz	loc_ABA008
		cmp	eax, edi
		jz	loc_ABA008
		mov	edx, eax
		inc	esi
		jmp	loc_ABA008
; 

loc_ABA0AA:				; CODE XREF: MiBuildImportsForBootDrivers+15Aj
		cmp	esi, 3FFFFFFEh
		ja	loc_AE2902
		push	0
		lea	ecx, ds:4[esi*4]
		mov	edx, 54446D4Dh
		push	100h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edx, eax
		mov	[ebp+var_28], edx
		test	edx, edx
		jz	loc_AE2902
		mov	[edx], esi
		xor	ecx, ecx
		lea	esi, [edx+4]
		mov	edx, [ebp+var_10]

loc_ABA0E5:				; CODE XREF: MiBuildImportsForBootDrivers+230j
		mov	eax, [ebp+var_4]
		mov	eax, [eax+ecx*4]
		test	eax, eax
		jnz	short loc_ABA0FF

loc_ABA0EF:				; CODE XREF: MiBuildImportsForBootDrivers+23Fj
					; MiBuildImportsForBootDrivers+244j ...
		inc	ecx
		cmp	ecx, edx
		jb	short loc_ABA0E5
		mov	edx, [ebp+var_28]
		mov	[edi+4Ch], edx
		jmp	loc_AB9F81
; 

loc_ABA0FF:				; CODE XREF: MiBuildImportsForBootDrivers+22Bj
		cmp	eax, ebx
		jz	short loc_ABA0EF
		cmp	eax, [ebp+var_C]
		jz	short loc_ABA0EF
		cmp	eax, edi
		jz	short loc_ABA0EF
		mov	[esi], eax
		mov	eax, [ebp+var_4]
		mov	eax, [eax+ecx*4]
		inc	word ptr [eax+38h]
		add	esi, 4
		jmp	short loc_ABA0EF
; 

loc_ABA11D:				; CODE XREF: MiBuildImportsForBootDrivers+31j
		mov	ebx, eax
		jmp	loc_AB9F05
; 

loc_ABA124:				; CODE XREF: MiBuildImportsForBootDrivers+3Dj
		mov	edx, eax
		jmp	loc_AB9F05
; 

loc_ABA12B:				; CODE XREF: MiBuildImportsForBootDrivers+CAj
					; MiBuildImportsForBootDrivers+28A47j
		push	0
		push	[ebp+var_4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_14]
		xor	ecx, ecx
		inc	ecx
		mov	[eax+4Ch], ecx
		mov	eax, [ebp+var_C]
		mov	[eax+4Ch], ecx
		cmp	[ebp+var_18], ecx
		jz	loc_AE290E
		xor	eax, eax

loc_ABA14F:				; CODE XREF: MiBuildImportsForBootDrivers+28A86j
					; MiBuildImportsForBootDrivers+28A90j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiBuildImportsForBootDrivers endp


;  S U B	R O U T	I N E 


; __stdcall MiLocateKernelSections(x)
_MiLocateKernelSections@4 proc near	; CODE XREF: MiInitializeLoadedModuleList(x)+5Ep
		mov	edi, edi
		push	edi
		mov	edi, [ecx+18h]
		push	edi
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		movzx	ecx, word ptr [eax+14h]
		movzx	edx, word ptr [eax+6]
		add	ecx, 18h
		add	ecx, eax
		test	edx, edx
		jz	short loc_ABA19C
		push	esi

loc_ABA172:				; CODE XREF: MiLocateKernelSections(x)+45j
		mov	esi, [ecx+10h]
		mov	eax, [ecx+8]
		cmp	esi, eax
		jb	short loc_ABA19E

loc_ABA17C:				; CODE XREF: MiLocateKernelSections(x)+4Cj
		mov	eax, [ecx]
		cmp	eax, 766F632Eh
		jz	short loc_ABA1C9
		cmp	eax, 7472692Eh
		jz	short loc_ABA1C9
		cmp	eax, 4C4F4F50h
		jz	short loc_ABA1A2

loc_ABA193:				; CODE XREF: MiLocateKernelSections(x)+5Aj
					; MiLocateKernelSections(x)+73j ...
		dec	edx
		add	ecx, 28h
		test	edx, edx
		jg	short loc_ABA172
		pop	esi

loc_ABA19C:				; CODE XREF: MiLocateKernelSections(x)+1Bj
		pop	edi
		retn
; 

loc_ABA19E:				; CODE XREF: MiLocateKernelSections(x)+26j
		mov	esi, eax
		jmp	short loc_ABA17C
; 

loc_ABA1A2:				; CODE XREF: MiLocateKernelSections(x)+3Dj
		mov	eax, [ecx+0Ch]
		add	eax, edi
		cmp	dword ptr [ecx+4], 45444F43h
		jnz	short loc_ABA193
		mov	_ExPoolCodeStart, eax
		add	eax, 0FFFh
		add	eax, esi
		and	eax, 0FFFFF000h
		dec	eax
		mov	_ExPoolCodeEnd,	eax
		jmp	short loc_ABA193
; 

loc_ABA1C9:				; CODE XREF: MiLocateKernelSections(x)+2Fj
					; MiLocateKernelSections(x)+36j
		or	ds:_MiFlags, 400h
		jmp	short loc_ABA193
_MiLocateKernelSections@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipInitComputerIds proc	near		; CODE XREF: IopInitializeBootDrivers+14Bp

var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= byte ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_192		= byte ptr -192h
var_191		= byte ptr -191h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_168		= dword	ptr -168h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= word ptr -1Ch
var_C		= word ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE2957 SIZE 00000157 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_1A4], ecx
		push	ebx
		push	esi
		push	edi
		push	50h		; size_t
		mov	edi, eax
		mov	[ebp+var_1A0], eax
		push	eax		; int
		mov	[ebp+var_184], eax
		mov	[ebp+var_188], eax
		mov	[ebp+var_180], eax
		mov	[ebp+var_192], al
		mov	[ebp+var_191], al
		mov	[ebp+var_1B8], eax
		mov	[ebp+var_1B4], eax
		mov	dword ptr [ebp+var_1A8], eax
		mov	[ebp+var_1C0], eax
		mov	[ebp+var_1BC], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_1AC], eax
		mov	[ebp+var_190], eax
		mov	[ebp+var_18C], eax
		mov	[ebp+var_19C], eax
		lea	eax, [ebp+var_88]
		push	eax		; void *
		mov	[ebp+var_198], edi
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_1A0]
		mov	edx, 0F003Fh
		push	eax
		call	_PipHardwareConfigOpenKey@12 ; PipHardwareConfigOpenKey(x,x,x)
		mov	esi, eax
		mov	[ebp+var_1B0], 0Ah
		test	esi, esi
		js	loc_ABAE1C
		mov	edi, [ebp+var_1A0]
		mov	esi, offset ??_C@_1BI@CEAGCKOK@?$AAC?$AAo?$AAm?$AAp?$AAu?$AAt?$AAe?$AAr?$AAI?$AAd?$AAs@PBOPGDP@	; "ComputerIds"
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	esi
		call	__PnpCtxRegDeleteTree@12 ; _PnpCtxRegDeleteTree(x,x,x)
		push	18h
		pop	eax
		push	16h
		mov	word ptr [ebp+var_190+2], ax
		lea	ecx, [ebp+var_198]
		pop	eax
		mov	word ptr [ebp+var_190],	ax
		mov	edx, edi
		xor	eax, eax
		mov	[ebp+var_18C], esi
		push	eax
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_190]
		push	eax
		call	IopCreateRegistryKeyEx
		mov	esi, eax
		test	esi, esi
		js	loc_ABAE90
		mov	ecx, _PiPnpRtlCtx
		mov	esi, offset ??_C@_1BG@NPDIHKNP@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAI?$AAd?$AAs@PBOPGDP@
		push	esi
		mov	edx, edi
		call	__PnpCtxRegDeleteTree@12 ; _PnpCtxRegDeleteTree(x,x,x)
		push	16h
		pop	eax
		push	14h
		mov	word ptr [ebp+var_190+2], ax
		lea	ecx, [ebp+var_184]
		pop	eax
		mov	word ptr [ebp+var_190],	ax
		mov	edx, edi
		xor	eax, eax
		mov	[ebp+var_18C], esi
		push	eax
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_190]
		push	eax
		call	IopCreateRegistryKeyEx
		mov	esi, eax
		mov	[ebp+var_17C], esi
		test	esi, esi
		js	loc_ABAE90
		mov	eax, [ebp+var_1A4]
		mov	eax, [eax+84h]
		mov	ecx, [eax+24h]
		test	ecx, ecx
		jz	loc_AE2957
		mov	edx, [ecx+10h]
		mov	eax, edx
		mov	edi, [ecx+14h]
		or	eax, edi
		jz	loc_AE2957
		mov	eax, [ecx+0Ch]
		push	2
		push	eax
		push	edi
		push	edx
		mov	[ebp+var_180], eax
		call	_MmMapIoSpaceEx@16 ; MmMapIoSpaceEx(x,x,x,x)
		mov	[ebp+var_188], eax
		test	eax, eax
		jz	loc_AE2961
		push	[ebp+var_180]
		xor	dl, dl
		mov	cl, 1
		push	eax
		call	_PipSmBiosFindStruct@16	; PipSmBiosFindStruct(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_ABA509
		movzx	ecx, byte ptr [edi+1]
		lea	eax, [edi+5]
		add	ecx, edi
		cmp	eax, ecx
		ja	short loc_ABA3FD
		mov	dl, [edi+4]
		lea	eax, [ebp+var_88]
		push	eax
		push	[ebp+var_180]
		mov	ecx, edi
		push	[ebp+var_188]
		call	PipSmBiosGetString
		mov	esi, eax
		mov	[ebp+var_17C], esi
		cmp	esi, 0C0000225h
		jz	loc_AE296B
		test	esi, esi
		js	loc_ABAE90

loc_ABA3FD:				; CODE XREF: PipInitComputerIds+1ECj
					; PipInitComputerIds+2879Dj
		movzx	ecx, byte ptr [edi+1]
		lea	eax, [edi+1Bh]
		add	ecx, edi
		cmp	eax, ecx
		ja	short loc_ABA440
		mov	dl, [edi+1Ah]
		lea	eax, [ebp+var_80]
		push	eax
		push	[ebp+var_180]
		mov	ecx, edi
		push	[ebp+var_188]
		call	PipSmBiosGetString
		mov	esi, eax
		mov	[ebp+var_17C], esi
		cmp	esi, 0C0000225h
		jnz	loc_AE2978
		xor	eax, eax
		mov	[ebp+var_17C], eax

loc_ABA440:				; CODE XREF: PipInitComputerIds+232j
					; PipInitComputerIds+287AAj
		movzx	eax, byte ptr [edi+1]
		lea	ecx, [edi+6]
		add	eax, edi
		cmp	ecx, eax
		ja	short loc_ABA483
		mov	dl, [edi+5]
		lea	eax, [ebp+var_78]
		push	eax
		push	[ebp+var_180]
		mov	ecx, edi
		push	[ebp+var_188]
		call	PipSmBiosGetString
		mov	esi, eax
		mov	[ebp+var_17C], esi
		cmp	esi, 0C0000225h
		jz	loc_AE2985
		test	esi, esi
		js	loc_ABAE90

loc_ABA483:				; CODE XREF: PipInitComputerIds+275j
					; PipInitComputerIds+287B7j
		movzx	ecx, byte ptr [edi+1]
		lea	eax, [edi+1Ah]
		add	ecx, edi
		cmp	eax, ecx
		ja	short loc_ABA4C6
		mov	dl, [edi+19h]
		lea	eax, [ebp+var_70]
		push	eax
		push	[ebp+var_180]
		mov	ecx, edi
		push	[ebp+var_188]
		call	PipSmBiosGetString
		mov	esi, eax
		mov	[ebp+var_17C], esi
		cmp	esi, 0C0000225h
		jz	loc_AE2992
		test	esi, esi
		js	loc_ABAE90

loc_ABA4C6:				; CODE XREF: PipInitComputerIds+2B8j
					; PipInitComputerIds+287C4j
		movzx	ecx, byte ptr [edi+1]
		lea	eax, [edi+7]
		add	ecx, edi
		cmp	eax, ecx
		ja	short loc_ABA509
		mov	dl, [edi+6]
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+var_180]
		mov	ecx, edi
		push	[ebp+var_188]
		call	PipSmBiosGetString
		mov	esi, eax
		mov	[ebp+var_17C], esi
		cmp	esi, 0C0000225h
		jz	loc_AE299F
		test	esi, esi
		js	loc_ABAE90

loc_ABA509:				; CODE XREF: PipInitComputerIds+1DBj
					; PipInitComputerIds+2FBj ...
		push	[ebp+var_180]
		mov	dl, 0Ah
		mov	cl, 2
		push	[ebp+var_188]
		call	_PipSmBiosFindStruct@16	; PipSmBiosFindStruct(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_ABA5B0
		movzx	ecx, byte ptr [edi+1]
		lea	edx, [edi+5]
		add	ecx, edi
		cmp	edx, ecx
		ja	short loc_ABA56E
		mov	dl, [edi+4]
		lea	eax, [ebp+var_58]
		push	eax
		push	[ebp+var_180]
		mov	ecx, edi
		push	[ebp+var_188]
		call	PipSmBiosGetString
		mov	esi, eax
		mov	[ebp+var_17C], esi
		cmp	esi, 0C0000225h
		jz	loc_AE29AC
		test	esi, esi
		js	loc_ABAE90

loc_ABA56B:				; CODE XREF: PipInitComputerIds+287DEj
		lea	edx, [edi+5]

loc_ABA56E:				; CODE XREF: PipInitComputerIds+35Dj
		movzx	ecx, byte ptr [edi+1]
		lea	eax, [edi+6]
		add	ecx, edi
		cmp	eax, ecx
		ja	short loc_ABA5B0
		mov	dl, [edx]
		lea	eax, [ebp+var_50]
		push	eax
		push	[ebp+var_180]
		mov	ecx, edi
		push	[ebp+var_188]
		call	PipSmBiosGetString
		mov	esi, eax
		mov	[ebp+var_17C], esi
		cmp	esi, 0C0000225h
		jz	loc_AE29B9
		test	esi, esi
		js	loc_ABAE90

loc_ABA5B0:				; CODE XREF: PipInitComputerIds+34Cj
					; PipInitComputerIds+3A3j ...
		push	[ebp+var_180]
		xor	dl, dl
		xor	cl, cl
		push	[ebp+var_188]
		call	_PipSmBiosFindStruct@16	; PipSmBiosFindStruct(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_ABA6BF
		movzx	ecx, byte ptr [edi+1]
		lea	edx, [edi+5]
		add	ecx, edi
		cmp	edx, ecx
		ja	short loc_ABA615
		mov	dl, [edi+4]
		lea	eax, [ebp+var_68]
		push	eax
		push	[ebp+var_180]
		mov	ecx, edi
		push	[ebp+var_188]
		call	PipSmBiosGetString
		mov	esi, eax
		mov	[ebp+var_17C], esi
		cmp	esi, 0C0000225h
		jz	loc_AE29C6
		test	esi, esi
		js	loc_ABAE90

loc_ABA612:				; CODE XREF: PipInitComputerIds+287F8j
		lea	edx, [edi+5]

loc_ABA615:				; CODE XREF: PipInitComputerIds+404j
		movzx	ecx, byte ptr [edi+1]
		lea	eax, [edi+6]
		add	ecx, edi
		cmp	eax, ecx
		ja	short loc_ABA657
		mov	dl, [edx]
		lea	eax, [ebp+var_60]
		push	eax
		push	[ebp+var_180]
		mov	ecx, edi
		push	[ebp+var_188]
		call	PipSmBiosGetString
		mov	esi, eax
		mov	[ebp+var_17C], esi
		cmp	esi, 0C0000225h
		jz	loc_AE29D3
		test	esi, esi
		js	loc_ABAE90

loc_ABA657:				; CODE XREF: PipInitComputerIds+44Aj
					; PipInitComputerIds+28805j
		movzx	ecx, byte ptr [edi+1]
		lea	eax, [edi+9]
		add	ecx, edi
		cmp	eax, ecx
		ja	short loc_ABA69A
		mov	dl, [edi+8]
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_180]
		mov	ecx, edi
		push	[ebp+var_188]
		call	PipSmBiosGetString
		mov	esi, eax
		mov	[ebp+var_17C], esi
		cmp	esi, 0C0000225h
		jz	loc_AE29E0
		test	esi, esi
		js	loc_ABAE90

loc_ABA69A:				; CODE XREF: PipInitComputerIds+48Cj
					; PipInitComputerIds+28812j
		movzx	edx, byte ptr [edi+1]
		lea	ecx, [edi+15h]
		add	edx, edi
		cmp	ecx, edx
		ja	short loc_ABA6B0
		mov	al, [edi+14h]
		mov	[ebp+var_192], al

loc_ABA6B0:				; CODE XREF: PipInitComputerIds+4CFj
		lea	eax, [edi+16h]
		cmp	eax, edx
		ja	short loc_ABA6BF
		mov	al, [ecx]
		mov	[ebp+var_191], al

loc_ABA6BF:				; CODE XREF: PipInitComputerIds+3F3j
					; PipInitComputerIds+4DFj
		push	[ebp+var_180]
		xor	dl, dl
		mov	cl, 3
		push	[ebp+var_188]
		call	_PipSmBiosFindStruct@16	; PipSmBiosFindStruct(x,x,x,x)
		test	eax, eax
		jz	loc_AE29ED
		movzx	edx, byte ptr [eax+1]
		lea	ecx, [eax+6]
		add	edx, eax
		cmp	ecx, edx
		ja	loc_AE29ED
		movzx	eax, byte ptr [eax+5]
		and	eax, 7Fh
		mov	dword ptr [ebp+var_1A8], eax

loc_ABA6FA:				; CODE XREF: PipInitComputerIds+2881Dj
		test	eax, eax
		jz	short loc_ABA73C
		push	1Ch
		pop	eax
		push	1Ah
		mov	word ptr [ebp+var_190+2], ax
		pop	eax
		push	4
		mov	word ptr [ebp+var_190],	ax
		lea	eax, [ebp+var_1A8]
		push	eax
		push	4
		xor	eax, eax
		mov	[ebp+var_18C], offset ??_C@_1BM@HJMNCFND@?$AAE?$AAn?$AAc?$AAl?$AAo?$AAs?$AAu?$AAr?$AAe?$AAT?$AAy?$AAp?$AAe@PBOPGDP@
		push	eax
		lea	eax, [ebp+var_190]
		push	eax
		push	[ebp+var_1A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_ABA73C:				; CODE XREF: PipInitComputerIds+526j
		push	0Ah
		pop	eax
		lea	edi, [ebp+var_88]
		mov	[ebp+var_1A4], eax
		xor	ecx, ecx

loc_ABA74D:				; CODE XREF: PipInitComputerIds+591j
		cmp	[edi+4], ecx
		jz	short loc_ABA75B
		cmp	[edi], cx
		jz	loc_AE29F8

loc_ABA75B:				; CODE XREF: PipInitComputerIds+57Aj
					; PipInitComputerIds+28830j
		add	edi, 8
		sub	eax, 1
		mov	[ebp+var_1A4], eax
		jnz	short loc_ABA74D
		lea	edi, [ebp+var_88]
		mov	ebx, ecx
		xor	esi, esi

loc_ABA773:				; CODE XREF: PipInitComputerIds+61Bj
		push	ds:off_404828[ebx]
		lea	eax, [ebp+var_190]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		cmp	[edi], si
		jz	loc_ABAE79
		push	edi
		xor	edx, edx
		lea	ecx, [ebp+var_19C]
		call	PnpUnicodeStringToWstr
		test	eax, eax
		js	short loc_ABA7E8
		mov	ecx, [ebp+var_19C]
		lea	edx, [ecx+2]

loc_ABA7A9:				; CODE XREF: PipInitComputerIds+5DCj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_ABA7A9
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, ds:2[ecx*2]
		push	eax
		push	[ebp+var_19C]
		lea	eax, [ebp+var_190]
		push	1
		push	esi
		push	eax
		push	[ebp+var_1A0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	ecx, [ebp+var_19C]
		mov	edx, edi
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)

loc_ABA7E8:				; CODE XREF: PipInitComputerIds+5C8j
					; PipInitComputerIds+CB5j
		add	ebx, 4
		add	edi, 8
		cmp	ebx, 28h
		jb	short loc_ABA773
		mov	eax, [ebp+var_84]
		mov	edi, [ebp+var_198]
		mov	esi, [ebp+var_17C]
		mov	ebx, [ebp+var_1AC]
		test	eax, eax
		jz	loc_ABACE4
		cmp	[ebp+var_74], ebx
		jz	loc_ABA97B
		cmp	[ebp+var_64], ebx
		jz	loc_ABA97B
		cmp	[ebp+var_5C], ebx
		jz	loc_ABA97B
		movzx	eax, [ebp+var_191]
		push	eax
		movzx	eax, [ebp+var_192]
		push	eax		; char
		push	offset ??_C@_1BE@CBLLAGJJ@?$AA?$CF?$AA0?$AA2?$AAx?$AA?$CG?$AA?$CF?$AA0?$AA2?$AAx@PBOPGDP@ ; wchar_t *
		lea	eax, [ebp+var_1C]
		push	8		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 14h
		test	esi, esi
		js	loc_ABAE1C
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_1B8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		cmp	[ebp+var_6C], ebx
		jz	short loc_ABA8C7
		mov	edx, [ebp+var_184]
		lea	eax, [ebp+var_88]
		mov	[ebp+var_38], eax
		mov	ecx, edi
		lea	eax, [ebp+var_80]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_1B8]
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_178]
		push	eax
		push	7
		lea	eax, [ebp+var_38]
		push	eax
		call	PipCreateComputerId
		xor	ebx, ebx
		mov	esi, eax
		inc	ebx
		test	esi, esi
		js	loc_ABAE1C

loc_ABA8C7:				; CODE XREF: PipInitComputerIds+698j
		mov	edx, [ebp+var_184]
		lea	eax, [ebp+var_88]
		mov	[ebp+var_38], eax
		lea	ecx, [ebp+var_178]
		lea	eax, [ebp+var_80]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_1B8]
		mov	[ebp+var_24], eax
		mov	eax, ebx
		shl	eax, 4
		mov	[ebp+var_1AC], eax
		add	eax, ecx
		push	eax
		push	6
		lea	eax, [ebp+var_38]
		mov	ecx, edi
		push	eax
		call	PipCreateComputerId
		mov	esi, eax
		test	esi, esi
		js	loc_ABAE1C
		mov	edx, [ebp+var_184]
		lea	eax, [ebp+var_88]
		mov	[ebp+var_38], eax
		lea	ecx, [ebp+var_168]
		lea	eax, [ebp+var_78]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_68]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_1B8]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_1AC]
		add	eax, ecx
		mov	ecx, edi
		push	eax
		push	5
		lea	eax, [ebp+var_38]
		push	eax
		call	PipCreateComputerId
		mov	esi, eax
		add	ebx, 2
		test	esi, esi
		js	loc_ABAE1C
		mov	eax, [ebp+var_84]

loc_ABA97B:				; CODE XREF: PipInitComputerIds+640j
					; PipInitComputerIds+649j ...
		test	eax, eax
		jz	loc_ABACE4
		cmp	[ebp+var_74], 0
		jz	loc_ABAA84
		cmp	[ebp+var_6C], 0
		jz	loc_ABAA3D
		cmp	[ebp+var_54], 0
		jz	short loc_ABA9F6
		cmp	[ebp+var_4C], 0
		jz	short loc_ABA9F6
		mov	edx, [ebp+var_184]
		lea	eax, [ebp+var_88]
		mov	[ebp+var_38], eax
		lea	ecx, [ebp+var_178]
		lea	eax, [ebp+var_80]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_24], eax
		mov	eax, ebx
		shl	eax, 4
		add	eax, ecx
		mov	ecx, edi
		push	eax
		push	6
		lea	eax, [ebp+var_38]
		push	eax
		call	PipCreateComputerId
		mov	esi, eax
		inc	ebx
		test	esi, esi
		js	loc_ABAE1C

loc_ABA9F6:				; CODE XREF: PipInitComputerIds+7C5j
					; PipInitComputerIds+7CBj
		mov	edx, [ebp+var_184]
		lea	eax, [ebp+var_88]
		mov	[ebp+var_38], eax
		lea	ecx, [ebp+var_178]
		lea	eax, [ebp+var_80]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_2C], eax
		mov	eax, ebx
		shl	eax, 4
		add	eax, ecx
		mov	ecx, edi
		push	eax
		push	4
		lea	eax, [ebp+var_38]
		push	eax
		call	PipCreateComputerId
		mov	esi, eax
		inc	ebx
		test	esi, esi
		js	loc_ABAE1C

loc_ABAA3D:				; CODE XREF: PipInitComputerIds+7BBj
		mov	edx, [ebp+var_184]
		lea	eax, [ebp+var_88]
		mov	[ebp+var_38], eax
		lea	ecx, [ebp+var_178]
		lea	eax, [ebp+var_80]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_78]
		mov	[ebp+var_30], eax
		mov	eax, ebx
		shl	eax, 4
		add	eax, ecx
		mov	ecx, edi
		push	eax
		push	3
		lea	eax, [ebp+var_38]
		push	eax
		call	PipCreateComputerId
		mov	esi, eax
		inc	ebx
		test	esi, esi
		js	loc_ABAE1C
		mov	eax, [ebp+var_84]

loc_ABAA84:				; CODE XREF: PipInitComputerIds+7B1j
		test	eax, eax
		jz	loc_ABACE4
		cmp	[ebp+var_6C], 0
		jz	loc_ABAB2A
		cmp	[ebp+var_54], 0
		jz	short loc_ABAAE9
		cmp	[ebp+var_4C], 0
		jz	short loc_ABAAE9
		mov	edx, [ebp+var_184]
		lea	eax, [ebp+var_88]
		mov	[ebp+var_38], eax
		lea	ecx, [ebp+var_178]
		lea	eax, [ebp+var_70]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_2C], eax
		mov	eax, ebx
		shl	eax, 4
		add	eax, ecx
		mov	ecx, edi
		push	eax
		push	4
		lea	eax, [ebp+var_38]
		push	eax
		call	PipCreateComputerId
		mov	esi, eax
		inc	ebx
		test	esi, esi
		js	loc_ABAE1C

loc_ABAAE9:				; CODE XREF: PipInitComputerIds+8C4j
					; PipInitComputerIds+8CAj
		mov	edx, [ebp+var_184]
		lea	eax, [ebp+var_88]
		mov	[ebp+var_38], eax
		lea	ecx, [ebp+var_178]
		lea	eax, [ebp+var_70]
		mov	[ebp+var_34], eax
		mov	eax, ebx
		shl	eax, 4
		add	eax, ecx
		mov	ecx, edi
		push	eax
		push	2
		lea	eax, [ebp+var_38]
		push	eax
		call	PipCreateComputerId
		mov	esi, eax
		inc	ebx
		test	esi, esi
		js	loc_ABAE1C
		mov	eax, [ebp+var_84]

loc_ABAB2A:				; CODE XREF: PipInitComputerIds+8BAj
		test	eax, eax
		jz	loc_ABACE4
		cmp	[ebp+var_74], 0
		jz	loc_ABABD0
		cmp	[ebp+var_54], 0
		jz	short loc_ABAB8F
		cmp	[ebp+var_4C], 0
		jz	short loc_ABAB8F
		mov	edx, [ebp+var_184]
		lea	eax, [ebp+var_88]
		mov	[ebp+var_38], eax
		lea	ecx, [ebp+var_178]
		lea	eax, [ebp+var_78]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_2C], eax
		mov	eax, ebx
		shl	eax, 4
		add	eax, ecx
		mov	ecx, edi
		push	eax
		push	4
		lea	eax, [ebp+var_38]
		push	eax
		call	PipCreateComputerId
		mov	esi, eax
		inc	ebx
		test	esi, esi
		js	loc_ABAE1C

loc_ABAB8F:				; CODE XREF: PipInitComputerIds+96Aj
					; PipInitComputerIds+970j
		mov	edx, [ebp+var_184]
		lea	eax, [ebp+var_88]
		mov	[ebp+var_38], eax
		lea	ecx, [ebp+var_178]
		lea	eax, [ebp+var_78]
		mov	[ebp+var_34], eax
		mov	eax, ebx
		shl	eax, 4
		add	eax, ecx
		mov	ecx, edi
		push	eax
		push	2
		lea	eax, [ebp+var_38]
		push	eax
		call	PipCreateComputerId
		mov	esi, eax
		inc	ebx
		test	esi, esi
		js	loc_ABAE1C
		mov	eax, [ebp+var_84]

loc_ABABD0:				; CODE XREF: PipInitComputerIds+960j
		test	eax, eax
		jz	loc_ABACE4
		cmp	[ebp+var_7C], 0
		jnz	loc_AE2A0B

loc_ABABE2:				; CODE XREF: PipInitComputerIds+288C9j
		test	eax, eax
		jz	loc_ABACE4
		cmp	dword ptr [ebp+var_1A8], 0
		jz	short loc_ABAC66
		push	dword ptr [ebp+var_1A8]	; char
		lea	eax, [ebp+var_C]
		push	offset ??_C@_15LHNHECKK@?$AA?$CF?$AAx@PBOPGDP@ ; "%x"
		push	4		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	loc_ABAE1C
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_1C0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_88]
		xor	edx, edx
		mov	[ebp+var_38], eax
		lea	ecx, [ebp+var_178]
		lea	eax, [ebp+var_1C0]
		mov	[ebp+var_34], eax
		mov	eax, ebx
		shl	eax, 4
		add	eax, ecx
		mov	ecx, edi
		push	eax
		push	2
		lea	eax, [ebp+var_38]
		push	eax
		call	PipCreateComputerId
		mov	esi, eax
		inc	ebx
		test	esi, esi
		js	loc_ABAE1C
		mov	eax, [ebp+var_84]

loc_ABAC66:				; CODE XREF: PipInitComputerIds+A1Bj
		test	eax, eax
		jz	short loc_ABACE4
		cmp	[ebp+var_4C], 0
		jz	short loc_ABACB3
		cmp	[ebp+var_54], 0
		jz	short loc_ABACB3
		lea	eax, [ebp+var_88]
		xor	edx, edx
		mov	[ebp+var_38], eax
		lea	ecx, [ebp+var_178]
		lea	eax, [ebp+var_58]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_30], eax
		mov	eax, ebx
		shl	eax, 4
		add	eax, ecx
		mov	ecx, edi
		push	eax
		push	3
		lea	eax, [ebp+var_38]
		push	eax
		call	PipCreateComputerId
		mov	esi, eax
		inc	ebx
		test	esi, esi
		js	loc_ABAE1C

loc_ABACB3:				; CODE XREF: PipInitComputerIds+A98j
					; PipInitComputerIds+A9Ej
		lea	eax, [ebp+var_88]
		xor	edx, edx
		mov	[ebp+var_38], eax
		lea	ecx, [ebp+var_178]
		mov	eax, ebx
		shl	eax, 4
		add	eax, ecx
		mov	ecx, edi
		push	eax
		push	1
		lea	eax, [ebp+var_38]
		push	eax
		call	PipCreateComputerId
		mov	esi, eax
		inc	ebx
		test	esi, esi
		js	loc_ABAE1C

loc_ABACE4:				; CODE XREF: PipInitComputerIds+637j
					; PipInitComputerIds+7A7j ...
		imul	eax, ebx, 70h
		push	6E697050h
		add	eax, 2
		push	eax
		push	1
		mov	[ebp+var_198], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_184], edx
		test	edx, edx
		jz	loc_AE2AA4
		and	[ebp+var_1A4], 0
		mov	ecx, [ebp+var_198]
		mov	[ebp+var_18C], eax
		mov	word ptr [ebp+var_190+2], cx
		test	ebx, ebx
		jz	loc_ABADD9
		lea	eax, [ebp+var_178]
		mov	[ebp+var_19C], eax

loc_ABAD3B:				; CODE XREF: PipInitComputerIds+BF1j
		xor	eax, eax
		mov	edx, offset ??_C@_1CE@CGBOJPBG@?$AAC?$AAo?$AAm?$AAp?$AAu?$AAt?$AAe?$AAr?$AAM?$AAe?$AAt?$AAa?$AAd?$AAa?$AAt@PBOPGDP@ ; "ComputerMetadata\\"
		push	eax
		mov	word ptr [ebp+var_190],	ax
		lea	eax, [ebp+var_190]
		push	eax
		mov	ecx, eax
		call	RtlUnicodeStringCopyStringEx
		mov	esi, eax
		test	esi, esi
		js	loc_ABAE0E
		mov	ecx, [ebp+var_19C]
		lea	edx, [ebp+var_190]
		xor	eax, eax
		push	eax
		call	_RtlStringFromGUIDEx@12	; RtlStringFromGUIDEx(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_ABAE0E
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_190]
		push	eax
		push	eax
		call	RtlUpcaseUnicodeString
		mov	esi, eax
		test	esi, esi
		js	short loc_ABAE0E
		mov	eax, [ebp+var_18C]
		mov	ecx, 0FFB2h
		add	word ptr [ebp+var_190+2], cx
		add	eax, 4Eh
		mov	ecx, [ebp+var_1A4]
		add	[ebp+var_19C], 10h
		inc	ecx
		mov	[ebp+var_18C], eax
		mov	[ebp+var_1A4], ecx
		cmp	ecx, ebx
		jb	loc_ABAD3B
		mov	ecx, [ebp+var_198]
		mov	edx, [ebp+var_184]

loc_ABADD9:				; CODE XREF: PipInitComputerIds+B53j
		test	esi, esi
		js	short loc_ABAE0E
		xor	esi, esi
		mov	[eax], si
		xor	eax, eax
		add	[ebp+var_18C], 2
		push	eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	edx
		push	2012h
		push	(offset	loc_4069E3+5)
		push	eax
		push	eax
		push	5
		mov	edx, offset ??_C@_1EO@EKIIDBMB@?$AA?$HL?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9@PBOPGDP@
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax

loc_ABAE0E:				; CODE XREF: PipInitComputerIds+B86j
					; PipInitComputerIds+BA4j ...
		xor	eax, eax
		push	eax
		push	[ebp+var_184]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABAE1C:				; CODE XREF: PipInitComputerIds+C5j
					; PipInitComputerIds+67Fj ...
		lea	ebx, [ebp+var_88]

loc_ABAE22:				; CODE XREF: PipInitComputerIds+C5Cj
		push	ebx
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		add	ebx, 8
		sub	[ebp+var_1B0], 1
		jnz	short loc_ABAE22
		mov	eax, [ebp+var_188]
		test	eax, eax
		jz	short loc_ABAE4A
		push	[ebp+var_180]
		push	eax
		call	MmUnmapIoSpace

loc_ABAE4A:				; CODE XREF: PipInitComputerIds+C66j
		test	edi, edi
		jz	short loc_ABAE54
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_ABAE54:				; CODE XREF: PipInitComputerIds+C76j
		cmp	[ebp+var_1A0], 0
		jz	short loc_ABAE68
		mov	edx, [ebp+var_1A0]
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_ABAE68:				; CODE XREF: PipInitComputerIds+C85j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_ABAE79:				; CODE XREF: PipInitComputerIds+5B2j
		lea	eax, [ebp+var_190]
		push	eax
		push	[ebp+var_1A0]
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	loc_ABA7E8
; 

loc_ABAE90:				; CODE XREF: PipInitComputerIds+11Fj
					; PipInitComputerIds+179j ...
		mov	edi, [ebp+var_198]
		jmp	short loc_ABAE1C
PipInitComputerIds endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipCreateComputerId proc near		; CODE XREF: PipInitComputerIds+6DFp
					; PipInitComputerIds+73Dp ...

var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_5C		= byte ptr -5Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00AE2AAE SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_8]
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[ebp+var_BC], eax
		xor	eax, eax
		and	[ebp+var_C4], eax
		and	[ebp+var_C0], eax
		mov	[ebp+var_D4], edx
		xor	edx, edx
		push	esi
		push	edi
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_C8], ebx
		mov	[ebp+var_B8], eax
		cmp	[ebp+arg_4], eax
		jbe	loc_AE2AB8
		push	2
		pop	esi
		mov	cx, ax

loc_ABAEF3:				; CODE XREF: PipCreateComputerId+83j
		test	edx, edx
		jz	short loc_ABAF02
		add	eax, esi
		mov	[ebp+var_B8], eax
		mov	cx, ax

loc_ABAF02:				; CODE XREF: PipCreateComputerId+5Dj
		mov	eax, [ebx+edx*4]
		add	cx, [eax]
		inc	edx
		mov	word ptr [ebp+var_B8], cx
		cmp	edx, [ebp+arg_4]
		jnb	short loc_ABAF1D
		mov	eax, [ebp+var_B8]
		jmp	short loc_ABAEF3
; 

loc_ABAF1D:				; CODE XREF: PipCreateComputerId+7Bj
		cmp	cx, si
		jbe	loc_AE2AB8
		mov	eax, [ebp+var_B8]
		add	eax, 2
		movzx	eax, ax
		push	6E697050h
		push	eax
		push	1
		mov	[ebp+var_B8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_CC], edi
		test	edi, edi
		jz	loc_AE2AAE
		mov	ebx, edi
		xor	esi, esi
		mov	edi, [ebp+var_C8]

loc_ABAF5F:				; CODE XREF: PipCreateComputerId+FBj
		test	esi, esi
		jz	short loc_ABAF6C
		push	26h
		pop	eax
		mov	[ebx], ax
		add	ebx, 2

loc_ABAF6C:				; CODE XREF: PipCreateComputerId+C9j
		mov	ecx, [edi+esi*4]
		movzx	eax, word ptr [ecx]
		test	ax, ax
		jz	short loc_ABAF8F
		push	eax		; size_t
		push	dword ptr [ecx+4] ; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, [edi+esi*4]
		add	esp, 0Ch
		movzx	eax, word ptr [eax]
		shr	eax, 1
		lea	ebx, [ebx+eax*2]

loc_ABAF8F:				; CODE XREF: PipCreateComputerId+DDj
		inc	esi
		cmp	esi, [ebp+arg_4]
		jb	short loc_ABAF5F
		push	[ebp+var_BC]
		mov	edi, [ebp+var_CC]
		xor	eax, eax
		mov	[ebx], ax
		mov	ebx, [ebp+var_B8]
		lea	eax, [ebx-2]
		push	eax
		push	edi
		push	(offset	loc_406ACF+1)
		call	RtlGenerateClass5Guid
		mov	esi, eax
		test	esi, esi
		js	loc_ABB06D
		push	ecx		; int
		mov	ecx, [ebp+var_BC] ; int
		lea	edx, [ebp+var_5C] ; void *
		call	_PnpStringFromGuid@12 ;	PnpStringFromGuid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_ABB06D
		lea	eax, [ebp+var_5C]
		push	eax
		lea	eax, [ebp+var_C4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		push	edi
		push	1
		push	0
		lea	eax, [ebp+var_C4]
		push	eax
		push	[ebp+var_D0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_ABB06D
		mov	ebx, [ebp+var_D4]
		test	ebx, ebx
		jz	short loc_ABB06D
		push	offset ??_C@_17NIABIIAO@?$AAx?$AA8?$AA6@PBOPGDP@ ; "x86"
		lea	eax, [ebp+var_5C]
		push	eax		; char
		push	offset ??_C@_1BA@DEHANLLM@?$AA?$CF?$AAw?$AAs?$AA_?$AA?$CF?$AAw?$AAs@PBOPGDP@ ; "%ws_%ws"
		push	800h		; int
		push	0		; int
		push	0		; int
		lea	eax, [ebp+var_B4]
		push	58h		; size_t
		push	eax		; int
		call	RtlStringCbPrintfExW
		mov	esi, eax
		add	esp, 20h
		test	esi, esi
		js	short loc_ABB06D
		lea	eax, [ebp+var_B4]
		push	eax
		lea	eax, [ebp+var_C4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		push	eax
		push	eax
		push	1
		push	eax
		lea	eax, [ebp+var_C4]
		push	eax
		push	ebx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax

loc_ABB06D:				; CODE XREF: PipCreateComputerId+127j
					; PipCreateComputerId+140j ...
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABB075:				; CODE XREF: PipCreateComputerId+27C1Bj
					; PipCreateComputerId+27C25j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
PipCreateComputerId endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipSmBiosGetString proc	near		; CODE XREF: PipInitComputerIds+206p
					; PipInitComputerIds+249p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00AE2AC2 SIZE 00000030 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		mov	bl, dl
		test	bl, bl
		jz	loc_ABB18C
		movzx	edx, byte ptr [ecx+1]
		push	esi
		mov	esi, [ebp+arg_4]
		add	edx, ecx
		xor	ecx, ecx
		dec	esi
		add	esi, [ebp+arg_0]
		inc	ecx
		push	edi
		movzx	edi, bl
		mov	[ebp+arg_4], esi
		cmp	edi, ecx
		jbe	short loc_ABB0EA
		mov	al, [edx]

loc_ABB0C0:				; CODE XREF: PipSmBiosGetString+60j
		test	al, al
		jz	short loc_ABB0D2

loc_ABB0C4:				; CODE XREF: PipSmBiosGetString+48j
		inc	edx
		cmp	edx, esi
		jnb	loc_ABB193
		cmp	byte ptr [edx],	0
		jnz	short loc_ABB0C4

loc_ABB0D2:				; CODE XREF: PipSmBiosGetString+3Aj
		add	edx, 1
		jz	loc_ABB193
		mov	al, [edx]
		test	al, al
		jz	loc_AE2AC2
		inc	ecx
		cmp	ecx, edi
		jb	short loc_ABB0C0

loc_ABB0EA:				; CODE XREF: PipSmBiosGetString+34j
					; PipSmBiosGetString+27A3Cj
		test	edx, edx
		jz	loc_ABB193
		xor	esi, esi
		mov	edi, edx
		cmp	byte ptr [edx],	0
		mov	[ebp+var_4], edi
		mov	word ptr [ebp+var_8], si
		jz	short loc_ABB122
		mov	ebx, [ebp+arg_4]

loc_ABB105:				; CODE XREF: PipSmBiosGetString+98j
		mov	eax, [ebp+var_8]
		inc	edx
		inc	eax
		movzx	ecx, ax
		mov	si, ax
		mov	word ptr [ebp+var_8], si
		cmp	edx, ebx
		jnb	short loc_ABB193
		cmp	ecx, 40h
		ja	short loc_ABB193
		cmp	byte ptr [edx],	0
		jnz	short loc_ABB105

loc_ABB122:				; CODE XREF: PipSmBiosGetString+78j
		add	edx, 1
		jz	short loc_ABB193
		mov	al, [edi]
		mov	ebx, 0FFFFh
		test	al, al
		jz	short loc_ABB14D

loc_ABB132:				; CODE XREF: PipSmBiosGetString+27A4Dj
		movsx	eax, al
		push	eax		; int
		push	offset asc_406AE0 ; " \t\r"
		call	_strchr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_AE2AC9

loc_ABB14A:				; CODE XREF: PipSmBiosGetString+27A53j
		mov	[ebp+var_4], edi

loc_ABB14D:				; CODE XREF: PipSmBiosGetString+A8j
		test	si, si
		jz	short loc_ABB16F

loc_ABB152:				; CODE XREF: PipSmBiosGetString+27A5Fj
		movzx	eax, si
		movsx	eax, byte ptr [eax+edi-1]
		push	eax		; int
		push	offset asc_406AE0 ; " \t\r"
		call	_strchr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_AE2AE0

loc_ABB16F:				; CODE XREF: PipSmBiosGetString+C8j
					; PipSmBiosGetString+27A65j
		mov	eax, [ebp+var_8]
		inc	eax
		mov	word ptr [ebp+var_8+2],	ax
		lea	eax, [ebp+var_8]
		push	1
		push	eax
		push	[ebp+arg_8]
		call	RtlAnsiStringToUnicodeString

loc_ABB185:				; CODE XREF: PipSmBiosGetString+110j
		pop	edi
		pop	esi

loc_ABB187:				; CODE XREF: PipSmBiosGetString+109j
		pop	ebx
		leave
		retn	0Ch
; 

loc_ABB18C:				; CODE XREF: PipSmBiosGetString+14j
		mov	eax, 0C0000225h
		jmp	short loc_ABB187
; 

loc_ABB193:				; CODE XREF: PipSmBiosGetString+3Fj
					; PipSmBiosGetString+4Dj ...
		mov	eax, 0C0000225h
		jmp	short loc_ABB185
PipSmBiosGetString endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipSmBiosFindStruct(x, x, x, x)
_PipSmBiosFindStruct@16	proc near	; CODE XREF: PipInitComputerIds+1D2p
					; PipInitComputerIds+343p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	bl, dl
		mov	bh, cl
		mov	edx, [ebp+arg_4]
		xor	ecx, ecx
		push	esi
		mov	esi, [ebp+arg_0]
		add	edx, 0FFFFFFFEh
		push	edi
		add	edx, esi
		jmp	short loc_ABB1B8
; 

loc_ABB1B5:				; CODE XREF: PipSmBiosFindStruct(x,x,x,x)+35j
					; PipSmBiosFindStruct(x,x,x,x)+3Cj
		add	esi, 2

loc_ABB1B8:				; CODE XREF: PipSmBiosFindStruct(x,x,x,x)+19j
		mov	edi, ecx
		cmp	esi, edx
		jnb	short loc_ABB1DE
		mov	al, [esi]
		cmp	al, bh
		jz	short loc_ABB1D8

loc_ABB1C4:				; CODE XREF: PipSmBiosFindStruct(x,x,x,x)+61j
		movzx	eax, byte ptr [esi+1]
		add	esi, eax
		jmp	short loc_ABB1D2
; 

loc_ABB1CC:				; CODE XREF: PipSmBiosFindStruct(x,x,x,x)+3Aj
		cmp	[esi], cx
		jz	short loc_ABB1B5
		inc	esi

loc_ABB1D2:				; CODE XREF: PipSmBiosFindStruct(x,x,x,x)+30j
		cmp	esi, edx
		jb	short loc_ABB1CC
		jmp	short loc_ABB1B5
; 

loc_ABB1D8:				; CODE XREF: PipSmBiosFindStruct(x,x,x,x)+28j
		mov	edi, esi
		cmp	al, 2
		jz	short loc_ABB1E7

loc_ABB1DE:				; CODE XREF: PipSmBiosFindStruct(x,x,x,x)+22j
					; PipSmBiosFindStruct(x,x,x,x)+5Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_ABB1E7:				; CODE XREF: PipSmBiosFindStruct(x,x,x,x)+42j
		movzx	ecx, byte ptr [esi+1]
		lea	eax, [esi+0Eh]
		add	ecx, esi
		cmp	eax, ecx
		ja	short loc_ABB1F9
		cmp	[esi+0Dh], bl
		jz	short loc_ABB1DE

loc_ABB1F9:				; CODE XREF: PipSmBiosFindStruct(x,x,x,x)+58j
		xor	ecx, ecx
		jmp	short loc_ABB1C4
_PipSmBiosFindStruct@16	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipCheckSystemFirmwareUpdated proc near	; CODE XREF: IopInitializePlugPlayServices(x,x)+52Dp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE2AF2 SIZE 00000040 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	eax, ecx
		push	edi
		push	0F003Fh
		mov	edi, ebx
		mov	[ebp+var_14], eax
		mov	esi, ebx
		mov	[ebp+var_C], ebx
		push	offset _CmRegistryMachineHardwareDescriptionSystemName
		xor	edx, edx
		mov	[ebp+var_4], ebx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[eax], bl
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
		test	eax, eax
		js	loc_ABB2DB
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		mov	edx, (offset loc_ADD319+1)
		call	IopGetRegistryValue
		test	eax, eax
		js	loc_ABB304
		lea	eax, [ebp+var_C]
		mov	edx, 0F003Fh
		push	eax
		call	_PipHardwareConfigOpenKey@12 ; PipHardwareConfigOpenKey(x,x,x)
		mov	esi, [ebp+var_8]
		mov	ebx, [ebp+var_C]
		test	eax, eax
		js	short loc_ABB2CE
		lea	eax, [ebp+var_10]
		mov	edx, (offset loc_ADD319+1)
		push	eax
		push	edi
		mov	ecx, ebx
		call	IopGetRegistryValue
		mov	edi, [ebp+var_10]
		cmp	eax, 0C0000034h
		jz	loc_AE2AF2
		test	eax, eax
		js	short loc_ABB2CE
		mov	eax, [esi+4]
		cmp	eax, [edi+4]
		jnz	loc_AE2AF2
		mov	eax, [esi+0Ch]
		cmp	eax, [edi+0Ch]
		jnz	loc_AE2AF2
		push	eax		; size_t
		mov	eax, [edi+8]
		add	eax, edi
		push	eax		; void *
		mov	eax, [esi+8]
		add	eax, esi
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_AE2AF2

loc_ABB2CE:				; CODE XREF: PipCheckSystemFirmwareUpdated+76j
					; PipCheckSystemFirmwareUpdated+99j ...
		test	ebx, ebx
		jz	short loc_ABB2D9
		mov	edx, ebx
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_ABB2D9:				; CODE XREF: PipCheckSystemFirmwareUpdated+D2j
		xor	ebx, ebx

loc_ABB2DB:				; CODE XREF: PipCheckSystemFirmwareUpdated+40j
					; PipCheckSystemFirmwareUpdated+109j
		cmp	[ebp+var_4], 0
		jz	short loc_ABB2E9
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_ABB2E9:				; CODE XREF: PipCheckSystemFirmwareUpdated+E1j
		test	esi, esi
		jz	short loc_ABB2F4
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABB2F4:				; CODE XREF: PipCheckSystemFirmwareUpdated+EDj
		test	edi, edi
		jz	short loc_ABB2FF
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABB2FF:				; CODE XREF: PipCheckSystemFirmwareUpdated+F8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_ABB304:				; CODE XREF: PipCheckSystemFirmwareUpdated+5Aj
		mov	esi, [ebp+var_8]
		jmp	short loc_ABB2DB
PipCheckSystemFirmwareUpdated endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopMarkBootPartition proc near		; DATA XREF: IopInitializeBootDrivers+47Ao

var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= byte ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= byte ptr -108h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00AE2B32 SIZE 00000027 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 14Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+14Ch+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		push	eax
		mov	[esp+15Ch+var_13C], eax
		mov	[esp+15Ch+var_138], eax
		mov	[esp+15Ch+var_14C], eax
		mov	[esp+15Ch+var_134], eax
		mov	[esp+15Ch+var_130], eax
		mov	[esp+15Ch+var_144], eax
		mov	[esp+15Ch+var_140], eax
		lea	eax, [esp+15Ch+var_144]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	dword ptr [ebx+68h] ; char
		lea	eax, [esp+15Ch+var_114]
		mov	dword ptr [esp+15Ch+var_114], 6372415Ch
		push	eax		; char *
		lea	eax, [esp+160h+var_108]
		mov	[esp+160h+var_110], 656D614Eh
		push	100h		; int
		push	eax		; char *
		mov	[esp+168h+var_10C], offset loc_73255C
		call	RtlStringCchPrintfA
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	loc_ABB4BA
		lea	eax, [esp+158h+var_108]
		push	eax
		lea	eax, [esp+15Ch+var_13C]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [esp+15Ch+var_13C]
		push	eax
		push	edi
		call	RtlAnsiStringToUnicodeString
		mov	esi, eax
		test	esi, esi
		js	loc_ABB4BA
		xor	eax, eax
		mov	[esp+158h+var_12C], 18h
		push	40h
		push	eax
		mov	[esp+160h+var_128], eax
		mov	[esp+160h+var_11C], eax
		mov	[esp+160h+var_118], eax
		lea	eax, [esp+160h+var_134]
		push	eax
		lea	eax, [esp+164h+var_12C]
		mov	[esp+164h+var_120], 240h
		push	eax
		push	80h
		lea	eax, [esp+16Ch+var_14C]
		mov	[esp+16Ch+var_124], edi
		push	eax
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_ABB4BA
		mov	eax, ds:_IoFileObjectType
		lea	ecx, [esp+158h+var_148]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		push	eax
		push	edx
		push	[esp+16Ch+var_14C]
		mov	[esp+170h+var_148], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_ABB4BA
		mov	esi, [esp+158h+var_148]
		mov	edx, 746C6644h
		mov	ecx, [esi+4]
		call	IoGetDeviceAttachmentBaseRefWithTag
		mov	ecx, [esi+4]
		mov	edi, eax
		mov	edx, 100h
		or	[ecx+1Ch], edx
		or	[edi+1Ch], edx
		cmp	_InitIsWinPEMode, 0
		jnz	loc_AE2B32

loc_ABB457:				; CODE XREF: IopMarkBootPartition+2783Ej
					; IopMarkBootPartition+2784Aj
		mov	edx, [esp+158h+var_14C]
		call	PnpHardwareConfigCreateBootDriverFlags
		mov	ecx, [esi+4]
		mov	edx, 746C6644h
		call	ObfReferenceObjectWithTag
		push	0
		push	[esp+15Ch+var_14C]
		call	ObCloseHandle
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		call	IopAssignBootDriveLetter
		mov	edx, [ebx+74h]
		lea	ecx, [esp+158h+var_144]
		call	_IopCreateUnicodeFromAnsiBuffer@8 ; IopCreateUnicodeFromAnsiBuffer(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_ABB4BA
		lea	edx, [esp+158h+var_144]
		call	IopStoreSystemPartitionInformation
		lea	eax, [esp+158h+var_144]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_ABB4BA:				; CODE XREF: IopMarkBootPartition+84j
					; IopMarkBootPartition+AAj ...
		mov	ecx, [esp+158h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
IopMarkBootPartition endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopStoreSystemPartitionInformation proc	near ; CODE XREF: IopMarkBootPartition+1A1p

var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_24		= dword	ptr -24h
var_20		= word ptr -20h
var_1E		= word ptr -1Eh
var_1C		= word ptr -1Ch
var_1A		= word ptr -1Ah
var_18		= word ptr -18h
var_16		= word ptr -16h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= word ptr -10h
var_E		= word ptr -0Eh
var_C		= word ptr -0Ch
var_A		= word ptr -0Ah
var_8		= word ptr -8
var_6		= word ptr -6
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE2B59 SIZE 0000003A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 25Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	ds:dword_A9440C
		xor	ebx, ebx
		lea	ecx, [ebp+var_228]
		mov	edi, edx
		mov	[ebp+var_23C], ebx
		mov	edx, 100h
		mov	[ebp+var_244], ebx
		mov	[ebp+var_240], ebx
		mov	[ebp+var_230], ebx
		mov	[ebp+var_22C], ebx
		call	RtlStringCchCopyW
		movzx	eax, ds:_IoArcHalDeviceName
		lea	ecx, [ebp+var_228]
		mov	[ebp+var_234], ecx
		mov	ecx, 200h
		mov	word ptr [ebp+var_238],	ax
		cmp	cx, ax
		jb	loc_AE2B59

loc_ABB54C:				; CODE XREF: IopStoreSystemPartitionInformation+2768Cj
		mov	eax, 1FEh
		push	18h
		mov	word ptr [ebp+var_238+2], ax
		pop	eax
		mov	[ebp+var_25C], eax

loc_ABB561:				; CODE XREF: IopStoreSystemPartitionInformation+116j
		lea	eax, [ebp+var_238]
		mov	[ebp+var_258], ebx
		mov	[ebp+var_254], eax
		lea	eax, [ebp+var_25C]
		push	eax
		push	1
		lea	eax, [ebp+var_23C]
		mov	[ebp+var_250], 240h
		push	eax
		mov	[ebp+var_24C], ebx
		mov	[ebp+var_248], ebx
		call	_ZwOpenSymbolicLinkObject@12 ; ZwOpenSymbolicLinkObject(x,x,x)
		test	eax, eax
		js	short loc_ABB5EF
		push	ebx
		lea	eax, [ebp+var_238]
		push	eax
		push	[ebp+var_23C]
		call	NtQuerySymbolicLinkObject
		push	ebx
		push	[ebp+var_23C]
		mov	esi, eax
		call	ObCloseHandle
		test	esi, esi
		js	loc_ABB7E3
		movzx	ecx, word ptr [ebp+var_238]
		mov	eax, [ebp+var_234]
		shr	ecx, 1
		xor	edx, edx
		mov	[eax+ecx*2], dx
		mov	[ebp+var_25C], 18h
		jmp	loc_ABB561
; 

loc_ABB5EF:				; CODE XREF: IopStoreSystemPartitionInformation+CCj
		cmp	eax, 0C0000024h
		jnz	loc_ABB7E3
		mov	esi, 0F003Fh
		lea	ecx, [ebp+var_244]
		push	esi
		push	offset _CmRegistryMachineSystemName
		xor	edx, edx
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
		test	eax, eax
		js	loc_ABB7E3
		push	53h
		pop	eax
		push	65h
		mov	word ptr [ebp+var_24], ax
		lea	ecx, [ebp+var_240]
		pop	eax
		push	74h
		mov	word ptr [ebp+var_24+2], ax
		pop	eax
		push	75h
		mov	edx, [ebp+var_244]
		mov	[ebp+var_20], ax
		pop	eax
		push	70h
		mov	[ebp+var_1E], ax
		pop	eax
		mov	[ebp+var_1C], ax
		xor	eax, eax
		push	0Ch
		mov	[ebp+var_1A], ax
		pop	eax
		push	0Ah
		mov	word ptr [ebp+var_230+2], ax
		pop	eax
		push	ebx
		mov	word ptr [ebp+var_230],	ax
		lea	eax, [ebp+var_24]
		push	ebx
		mov	[ebp+var_22C], eax
		lea	eax, [ebp+var_230]
		push	esi
		push	eax
		call	IopCreateRegistryKeyEx
		push	ebx
		push	[ebp+var_244]
		mov	esi, eax
		call	ObCloseHandle
		test	esi, esi
		js	loc_ABB7E3
		push	73h
		pop	esi
		push	61h
		pop	edx
		push	2
		pop	ecx
		cmp	_InitIsWinPEMode, bl
		jnz	loc_AE2B65
		push	53h
		pop	eax
		push	79h
		mov	word ptr [ebp+var_24], ax
		pop	eax
		push	74h
		mov	word ptr [ebp+var_24+2], ax
		mov	[ebp+var_20], si
		pop	esi
		push	65h
		pop	eax
		push	6Dh
		mov	[ebp+var_1C], ax
		pop	eax
		push	50h
		mov	[ebp+var_1A], ax
		pop	eax
		push	72h
		mov	[ebp+var_18], ax
		pop	eax
		push	69h
		mov	[ebp+var_14], ax
		pop	eax
		push	6Fh
		mov	[ebp+var_10], ax
		mov	[ebp+var_C], ax
		pop	eax
		push	6Eh
		mov	[ebp+var_A], ax
		pop	eax
		push	20h
		mov	[ebp+var_8], ax
		xor	eax, eax
		mov	[ebp+var_6], ax
		pop	eax
		push	1Eh
		mov	word ptr [ebp+var_230+2], ax
		pop	eax
		mov	word ptr [ebp+var_230],	ax
		movzx	eax, word ptr [ebp+var_238]
		add	eax, ecx
		mov	[ebp+var_1E], si
		push	eax
		push	[ebp+var_234]
		lea	eax, [ebp+var_230]
		mov	[ebp+var_16], dx
		push	1
		push	ebx
		push	eax
		push	[ebp+var_240]
		mov	[ebp+var_12], si
		mov	[ebp+var_E], si
		call	NtSetValueKey
		push	61h
		pop	edx

loc_ABB742:				; CODE XREF: IopStoreSystemPartitionInformation+27694j
		push	4Fh
		pop	eax
		push	73h
		mov	word ptr [ebp+var_24], ax
		pop	eax
		push	4Ch
		mov	word ptr [ebp+var_24+2], ax
		pop	eax
		push	6Fh
		mov	[ebp+var_20], ax
		pop	eax
		push	64h
		mov	[ebp+var_1E], ax
		pop	eax
		push	65h
		mov	[ebp+var_1A], ax
		pop	eax
		push	72h
		movzx	ecx, word ptr [edi]
		mov	[ebp+var_18], ax
		pop	eax
		push	50h
		mov	[ebp+var_16], ax
		pop	eax
		push	68h
		mov	[ebp+var_14], ax
		pop	eax
		mov	[ebp+var_E], ax
		xor	eax, eax
		push	1Ah
		mov	[ebp+var_C], ax
		pop	eax
		push	18h
		mov	word ptr [ebp+var_230+2], ax
		pop	eax
		push	2
		mov	word ptr [ebp+var_230],	ax
		pop	eax
		mov	[ebp+var_1C], dx
		mov	[ebp+var_12], dx
		mov	edx, ecx
		mov	[ebp+var_10], si
		cmp	cx, ax
		ja	loc_AE2B6D

loc_ABB7B8:				; CODE XREF: IopStoreSystemPartitionInformation+276A2j
					; IopStoreSystemPartitionInformation+276BAj
		movzx	eax, dx
		add	eax, 2
		push	eax
		push	dword ptr [edi+4]
		lea	eax, [ebp+var_230]
		push	1
		push	ebx
		push	eax
		push	[ebp+var_240]
		call	NtSetValueKey
		push	ebx
		push	[ebp+var_240]
		call	ObCloseHandle

loc_ABB7E3:				; CODE XREF: IopStoreSystemPartitionInformation+F1j
					; IopStoreSystemPartitionInformation+120j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
IopStoreSystemPartitionInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCreateArcNames(x)
_IopCreateArcNames@4 proc near		; CODE XREF: IopInitializeBootDrivers+468p

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= byte ptr -88h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		xor	eax, eax
		mov	ebx, offset ??_C@_0M@HCOOGNOF@?2ArcName?2?$CFs@PBOPGDP@
		mov	[ebp+var_90], eax
		mov	[ebp+var_8C], eax
		mov	edi, 80h
		mov	[ebp+var_98], eax
		push	dword ptr [esi+6Ch] ; char
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_88]
		push	ebx		; char *
		push	edi		; int
		push	eax		; char *
		call	RtlStringCchPrintfA
		add	esp, 10h
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_90]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_90]
		push	eax
		push	offset _IoArcHalDeviceName
		call	RtlAnsiStringToUnicodeString
		push	dword ptr [esi+68h] ; char
		lea	eax, [ebp+var_88]
		push	ebx		; char *
		push	edi		; int
		push	eax		; char *
		call	RtlStringCchPrintfA
		add	esp, 10h
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_90]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_90]
		push	eax
		push	offset _IoArcBootDeviceName
		call	RtlAnsiStringToUnicodeString
		mov	ecx, [esi+68h]
		lea	edx, [ecx+1]

loc_ABB8AA:				; CODE XREF: IopCreateArcNames(x)+BDj
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_ABB8AA
		sub	ecx, edx
		lea	edi, [ecx+1]
		xor	ecx, ecx
		mov	edx, edi
		inc	ecx
		call	IopVerifierExAllocatePool
		mov	ds:_IoLoaderArcBootDeviceName, eax
		test	eax, eax
		jz	short loc_ABB8D6
		push	edi		; size_t
		push	dword ptr [esi+68h] ; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_ABB8D6:				; CODE XREF: IopCreateArcNames(x)+D5j
		push	dword ptr [esi+6Ch]
		lea	eax, [ebp+var_98]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		call	IopCreateArcNamesDisk
		test	eax, eax
		js	short loc_ABB8F5
		mov	ecx, esi
		call	IopCreateArcNamesCd

loc_ABB8F5:				; CODE XREF: IopCreateArcNames(x)+FAj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopCreateArcNames@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAssignBootDriveLetter proc near	; CODE XREF: IopMarkBootPartition+186p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+38h+var_10]
		stosd
		xor	ebx, ebx
		push	offset ??_C@_1DE@MJJBHHAG@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAM?$AAo?$AAu?$AAn?$AAt?$AAP?$AAo@PBOPGDP@ ; "\\Device\\MountPointManager"
		mov	[esp+3Ch+var_20], ebx
		mov	[esp+3Ch+var_1C], ebx
		stosd
		mov	[esp+3Ch+var_24], ebx
		mov	[esp+3Ch+var_28], ebx
		mov	[esp+3Ch+var_18], ebx
		stosd
		mov	[esp+3Ch+var_14], ebx
		stosd
		lea	eax, [esp+3Ch+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+38h+var_28]
		push	eax
		lea	eax, [esp+3Ch+var_24]
		push	eax
		push	80h
		lea	eax, [esp+44h+var_20]
		push	eax
		call	IoGetDeviceObjectPointer
		test	eax, eax
		js	short loc_ABB9B6
		push	ebx
		push	ebx
		lea	eax, [esp+40h+var_10]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	dword ptr [ebp+4] ; int
		lea	eax, [esp+3Ch+var_18]
		push	eax		; int
		lea	eax, [esp+40h+var_10]
		push	eax		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; int
		push	ebx		; size_t
		push	ebx		; void *
		push	[esp+58h+var_28] ; int
		push	offset unk_6DC044 ; int
		call	IopBuildDeviceIoControlRequest
		test	eax, eax
		jz	short loc_ABB9BD
		mov	ecx, [esp+38h+var_28]
		mov	edx, eax
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jz	sub_AE2B93

loc_ABB9AB:				; CODE XREF: IopAssignBootDriveLetter+BEj
					; sub_AE2B93+12j
		mov	ecx, [esp+38h+var_24]
		call	ObfDereferenceObject
		mov	eax, esi

loc_ABB9B6:				; CODE XREF: IopAssignBootDriveLetter+5Cj
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_ABB9BD:				; CODE XREF: IopAssignBootDriveLetter+8Cj
		mov	esi, 0C000009Ah
		jmp	short loc_ABB9AB
IopAssignBootDriveLetter endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCreateArcNamesDisk proc near		; CODE XREF: IopCreateArcNames(x)+F3p

var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_89		= byte ptr -89h
var_88		= word ptr -88h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE2BAA SIZE 0000006C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ACh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A4], eax
		mov	[ebp+var_A0], eax
		mov	[ebp+var_98], eax
		mov	[ebp+var_94], eax
		mov	[ebp+var_9C], eax
		call	_IoGetConfigurationInformation@0 ; IoGetConfigurationInformation()
		sub	esp, 10h
		lea	ecx, [ebp+var_94]
		mov	edi, esp
		mov	esi, offset _GUID_DEVINTERFACE_DISK
		mov	ebx, [eax]
		xor	eax, eax
		mov	[ebp+var_90], eax
		mov	edx, ebx
		movsd
		mov	[ebp+var_89], al
		lea	eax, [ebp+var_90]
		push	eax
		movsd
		movsd
		movsd
		call	IopFetchConfigurationInformation
		test	eax, eax
		js	loc_AE2BAA
		mov	cl, [ebp+var_89]

loc_ABBA47:				; CODE XREF: IopCreateArcNamesDisk+271EEj
		mov	eax, [ebp+var_90]
		mov	esi, [ebp+var_94]
		cmp	eax, ebx
		ja	loc_AE2BB7

loc_ABBA5B:				; CODE XREF: IopCreateArcNamesDisk+271F5j
		test	cl, cl
		jnz	loc_AE2BBE

loc_ABBA63:				; CODE XREF: IopCreateArcNamesDisk+271FCj
					; IopCreateArcNamesDisk+27205j
		xor	eax, eax
		mov	edi, eax
		test	ebx, ebx
		jz	loc_ABBB0A

loc_ABBA6F:				; CODE XREF: IopCreateArcNamesDisk+140j
		test	esi, esi
		jz	loc_AE2BE1
		cmp	[esi], ax
		jz	loc_AE2BE1
		or	[ebp+var_90], 0FFFFFFFFh
		lea	eax, [ebp+var_A4]
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_ABBA99:				; CODE XREF: IopCreateArcNamesDisk+E2j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_A8]
		jnz	short loc_ABBA99
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		cmp	[ebp+var_89], 0
		jnz	loc_AE2BCE

loc_ABBABF:				; CODE XREF: IopCreateArcNamesDisk+2720Fj
					; IopCreateArcNamesDisk+27218j	...
		lea	eax, [ebp+var_98]
		push	eax
		lea	eax, [ebp+var_9C]
		push	eax
		push	80h
		lea	eax, [ebp+var_A4]
		push	eax
		call	IoGetDeviceObjectPointer
		test	eax, eax
		js	short loc_ABBAFE
		mov	edx, [ebp+var_90]
		mov	ecx, [ebp+var_98]
		call	IopCreateArcName
		mov	ecx, [ebp+var_9C]
		call	ObfDereferenceObject

loc_ABBAFE:				; CODE XREF: IopCreateArcNamesDisk+11Cj
		inc	edi
		push	0
		pop	eax
		cmp	edi, ebx
		jb	loc_ABBA6F

loc_ABBB0A:				; CODE XREF: IopCreateArcNamesDisk+A5j
		cmp	[ebp+var_94], 0
		jz	short loc_ABBB1F
		push	eax
		push	[ebp+var_94]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABBB1F:				; CODE XREF: IopCreateArcNamesDisk+14Dj
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
IopCreateArcNamesDisk endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCreateArcNamesCd proc near		; CODE XREF: IopCreateArcNames(x)+FEp

var_184		= dword	ptr -184h
var_17E		= byte ptr -17Eh
var_17D		= byte ptr -17Dh
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_114		= dword	ptr -114h
var_110		= byte ptr -110h
var_108		= byte ptr -108h
var_88		= byte ptr -88h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE2C16 SIZE 000002B7 BYTES
; FUNCTION CHUNK AT 00AE2ECE SIZE 00000038 BYTES
; FUNCTION CHUNK AT 00AE2F10 SIZE 000000B4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 184h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+184h+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[esp+190h+var_154], ecx
		lea	edi, [esp+190h+var_130]
		xor	edx, edx
		stosd
		mov	[esp+190h+var_150], edx
		mov	[esp+190h+var_14C], edx
		mov	[esp+190h+var_178], edx
		stosd
		mov	[esp+190h+var_174], edx
		mov	[esp+190h+var_170], edx
		mov	[esp+190h+var_138], edx
		stosd
		mov	[esp+190h+var_134], edx
		mov	[esp+190h+var_140], edx
		mov	[esp+190h+var_13C], edx
		stosd
		mov	eax, [ecx+80h]
		mov	[esp+190h+var_164], edx
		mov	[esp+190h+var_148], edx
		mov	[esp+190h+var_144], edx
		mov	[esp+190h+var_17D], dl
		mov	[esp+190h+var_168], eax
		mov	[esp+190h+var_16C], edx
		call	_IoGetConfigurationInformation@0 ; IoGetConfigurationInformation()
		lea	edi, [esp+190h+var_114]
		sub	esp, 10h
		mov	esi, offset _GUID_DEVINTERFACE_CDROM
		lea	ecx, [esp+1A0h+var_184]
		mov	ebx, [eax+8]
		xor	eax, eax
		mov	[esp+1A0h+var_184], eax
		mov	edx, ebx
		stosd
		mov	[esp+1A0h+var_17C], ebx
		stosd
		stosd
		lea	eax, [esp+1A0h+var_16C]
		mov	edi, esp
		push	eax
		movsd
		movsd
		movsd
		movsd
		call	IopFetchConfigurationInformation
		test	eax, eax
		js	loc_AE2C16

loc_ABBBE0:				; CODE XREF: IopCreateArcNamesCd+270EBj
		mov	esi, [esp+190h+var_168]
		mov	edi, [esp+190h+var_184]
		mov	[esp+190h+var_15C], edi
		mov	eax, [esi]
		cmp	eax, esi
		jz	short loc_ABBC54
		mov	edi, [esp+190h+var_154]
		mov	edi, [edi+68h]

loc_ABBBF9:				; CODE XREF: IopCreateArcNamesCd+116j
		mov	ecx, [eax+0Ch]
		mov	edx, edi
		mov	[esp+190h+var_160], eax

loc_ABBC02:				; CODE XREF: IopCreateArcNamesCd+102j
		mov	bl, [ecx]
		cmp	bl, [edx]
		mov	[esp+190h+var_17E], bl
		mov	ebx, [esp+190h+var_17C]
		jnz	short loc_ABBC7E
		cmp	[esp+190h+var_17E], 0
		jz	short loc_ABBC34
		mov	bl, [ecx+1]
		cmp	bl, [edx+1]
		mov	[esp+190h+var_17E], bl
		mov	ebx, [esp+190h+var_17C]
		jnz	short loc_ABBC7E
		add	ecx, 2
		add	edx, 2
		cmp	[esp+190h+var_17E], 0
		jnz	short loc_ABBC02

loc_ABBC34:				; CODE XREF: IopCreateArcNamesCd+E5j
		xor	edx, edx
		mov	ecx, edx

loc_ABBC38:				; CODE XREF: IopCreateArcNamesCd+155j
		test	ecx, ecx
		jz	short loc_ABBC87
		mov	eax, [eax]
		mov	ecx, edx
		mov	[esp+190h+var_160], ecx
		cmp	eax, esi
		jnz	short loc_ABBBF9

loc_ABBC48:				; CODE XREF: IopCreateArcNamesCd+15Bj
		mov	edi, [esp+190h+var_15C]
		test	ecx, ecx
		jnz	loc_AE2C20

loc_ABBC54:				; CODE XREF: IopCreateArcNamesCd+C0j
					; IopCreateArcNamesCd+27103j
		xor	ebx, ebx

loc_ABBC56:				; CODE XREF: IopCreateArcNamesCd+27467j
		cmp	[esp+190h+var_184], 0
		jz	short loc_ABBC67
		push	ebx
		push	[esp+194h+var_184]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABBC67:				; CODE XREF: IopCreateArcNamesCd+12Bj
		xor	eax, eax

loc_ABBC69:				; CODE XREF: IopCreateArcNamesCd+273ECj
		mov	ecx, [esp+190h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_ABBC7E:				; CODE XREF: IopCreateArcNamesCd+DEj
					; IopCreateArcNamesCd+F5j
		sbb	ecx, ecx
		or	ecx, 1
		xor	edx, edx
		jmp	short loc_ABBC38
; 

loc_ABBC87:				; CODE XREF: IopCreateArcNamesCd+10Aj
		mov	ecx, [esp+190h+var_160]
		jmp	short loc_ABBC48
IopCreateArcNamesCd endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopFetchConfigurationInformation proc near ; CODE XREF:	IopCreateArcNamesDisk+70p
					; IopCreateArcNamesCd+A3p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00AE2FC4 SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		lea	esi, [ebp+arg_4]
		mov	[ebp+var_24], eax
		lea	edi, [ebp+var_1C]
		mov	[ebp+var_28], edx
		movsd
		mov	ebx, ecx
		xor	eax, eax
		push	ebx
		push	eax
		movsd
		push	eax
		movsd
		movsd
		mov	edi, [ebx]
		mov	esi, eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	IoGetDeviceInterfaces
		test	eax, eax
		js	loc_AE2FC4
		mov	edx, [ebx]
		mov	ecx, edx
		xor	ebx, ebx
		lea	edi, [ecx+2]

loc_ABBCDB:				; CODE XREF: IopFetchConfigurationInformation+56j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_ABBCDB

loc_ABBCE6:				; CODE XREF: IopFetchConfigurationInformation+A6j
		sub	ecx, edi
		sar	ecx, 1
		jnz	short loc_ABBD09
		mov	eax, [ebp+var_24]
		mov	[eax], esi
		cmp	esi, [ebp+var_28]
		jb	short loc_ABBD36
		xor	eax, eax

loc_ABBCF8:				; CODE XREF: IopFetchConfigurationInformation+ADj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	14h
; 

loc_ABBD09:				; CODE XREF: IopFetchConfigurationInformation+5Cj
		mov	ecx, edx
		inc	esi
		lea	edi, [ecx+2]

loc_ABBD0F:				; CODE XREF: IopFetchConfigurationInformation+8Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_ABBD0F
		sub	ecx, edi
		sar	ecx, 1
		lea	edx, [edx+ecx*2]
		add	edx, 2
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_ABBD29:				; CODE XREF: IopFetchConfigurationInformation+A4j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_ABBD29
		jmp	short loc_ABBCE6
; 

loc_ABBD36:				; CODE XREF: IopFetchConfigurationInformation+66j
					; IopFetchConfigurationInformation+27338j ...
		mov	eax, 0C0000001h
		jmp	short loc_ABBCF8
IopFetchConfigurationInformation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExInitializeTimeRefresh	proc near	; CODE XREF: Phase1InitializationDiscard(x)+B9Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE2FD6 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		xor	ebx, ebx
		push	ebx
		push	ebx
		call	_ZwLockProductActivationKeys@8 ; ZwLockProductActivationKeys(x,x)
		cmp	_ExpSystemSetupInProgress, bl
		jnz	short loc_ABBD85
		mov	ecx, offset _ExpNtExpirationDate
		call	ExGetExpirationDate
		test	eax, eax
		js	loc_AE2FD6

loc_ABBD6B:				; CODE XREF: ExInitializeTimeRefresh+272A4j
		mov	eax, ds:_ExpNtExpirationDate
		mov	ds:0FFDF02C8h, eax
		mov	eax, ds:dword_A94E64
		mov	ds:0FFDF02CCh, eax
		mov	ds:_ExpShuttingDown, bl

loc_ABBD85:				; CODE XREF: ExInitializeTimeRefresh+19j
		push	offset _ExpOkToTimeRefresh
		push	offset _ExpTimeRefreshDpcRoutine@16 ; ExpTimeRefreshDpcRoutine(x,x,x,x)
		push	offset _ExpTimeRefreshDpc
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	8
		mov	esi, offset _ExpTimeRefreshTimer
		mov	dword_6BBE68, offset _ExpTimeRefreshWork@4 ; ExpTimeRefreshWork(x)
		push	ebx
		mov	edx, offset _ExpTimeRefreshCallback@8 ;	ExpTimeRefreshCallback(x,x)
		mov	dword_6BBE6C, ebx
		mov	ecx, esi
		mov	_ExpTimeRefreshWorkItem, ebx
		mov	word_6BBEE2, bx
		call	_KiInitializeTimer2@16 ; KiInitializeTimer2(x,x,x,x)
		or	[ebp+var_8], 0FFFFFFFFh
		lea	eax, [ebp+var_10]
		or	[ebp+var_4], 0FFFFFFFFh
		mov	edx, 9E3B9800h
		push	0FFFFFFF7h
		pop	ecx
		push	eax
		push	ebx
		push	ebx
		push	ecx
		push	edx
		push	esi
		mov	_ExpTimeRefreshInterval, edx
		mov	dword_6BBF74, ecx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		call	KeSetTimer2
		push	offset _ExpTimeRefreshLock
		call	ExInitializeResourceLite
		mov	eax, offset _ExpTimerResolutionListHead
		pop	esi
		mov	dword_6BBF64, eax
		mov	_ExpTimerResolutionListHead, eax
		pop	ebx
		leave
		retn
ExInitializeTimeRefresh	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

sub_ABBE18	proc near		; CODE XREF: ExInitLicenseData+48p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		xor	esi, esi
		xor	dl, dl
		push	esi
		push	esi
		mov	ecx, offset unk_6B72E0
		call	KiInitializeMutant
		push	esi
		push	esi
		push	offset unk_6B72C0
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], esi
		push	eax
		mov	[ebp+var_4], esi
		call	KeQueryTickCount
		call	_KeQueryTimeIncrement@0	; KeQueryTimeIncrement()
		push	[ebp+var_4]
		push	[ebp+var_8]
		push	esi
		push	eax
		call	__allmul
		push	esi
		push	2710h
		push	edx
		push	eax
		call	__alldiv
		mov	ds:dword_A93F20, eax
		mov	ds:dword_A93F24, edx
		mov	ds:_g_qwSystemInitTime,	eax
		mov	ds:dword_A93F44, edx
		pop	esi
		leave
		retn
sub_ABBE18	endp


;  S U B	R O U T	I N E 


; __stdcall PopCoalescingInitialize()
_PopCoalescingInitialize@0 proc	near	; CODE XREF: PoInitSystem+7C4p
		and	_PopCoalescingState, 0F0h
		push	esi
		xor	esi, esi
		mov	dword_6C3528, offset _PopCoalescingCallbackWorker@4 ; PopCoalescingCallbackWorker(x)
		push	esi
		push	offset _PopCoalescingRegistration
		push	esi
		push	offset _xKdUnmapVirtualAddress@12 ; xKdUnmapVirtualAddress(x,x,x)
		mov	dword_6C352C, esi
		mov	_PopCoalescingCallbackWorkItem,	esi
		call	PoRegisterCoalescingCallback
		test	eax, eax
		js	short loc_ABBEDA
		push	esi
		push	offset _PopCoalescingTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	esi
		push	offset _PopCoalesingTimerDpcCallback@16	; PopCoalesingTimerDpcCallback(x,x,x,x)
		push	offset _PopCoalescingTimerDpc
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		pop	esi
		jmp	PopUpdateDiskIdleTimeoutSetting
; 

loc_ABBEDA:				; CODE XREF: PopCoalescingInitialize()+33j
		pop	esi
		retn
_PopCoalescingInitialize@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopCheckShutdownMarker proc near	; CODE XREF: PoInitSystem+6CCp

var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F3		= byte ptr -0F3h
var_F2		= byte ptr -0F2h
var_F1		= byte ptr -0F1h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE2FE7 SIZE 000002EC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 114h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	20h
		pop	eax
		push	0
		mov	[ebp+var_14], eax
		mov	esi, offset _PopBsdPhysicalPowerButtonInfo
		mov	[ebp+var_8], eax
		mov	ebx, ecx
		push	3
		lea	eax, [ebp+var_28]
		mov	[ebp+var_F1], 0
		push	eax
		mov	[ebp+var_28], 0Eh
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], 30h
		mov	[ebp+var_1C], 7
		mov	[ebp+var_18], offset _PopBsdPowerTransition
		mov	[ebp+var_10], 10h
		mov	[ebp+var_C], offset _PopBsdPowerTransitionExtension
		call	_RtlGetSystemBootStatusEx@12 ; RtlGetSystemBootStatusEx(x,x,x)
		mov	eax, [ebx+84h]
		xor	ecx, ecx
		inc	ecx
		mov	edi, offset _PopBsdPhysicalPowerButtonInfoAtBoot
		push	0Ch
		mov	al, [eax+54h]
		and	al, cl
		pop	ecx
		rep movsd
		mov	esi, dword_6D6F08
		mov	_PopLastBootSucceeded, al
		test	esi, esi
		jnz	loc_AE2FE7

loc_ABBF70:				; CODE XREF: PopCheckShutdownMarker+27112j
					; PopCheckShutdownMarker+2712Cj ...
		push	8
		pop	ecx
		mov	esi, offset _PopBsdPowerTransitionExtension
		mov	edi, offset _PopBsdPowerTransitionExtensionAtBoot
		rep movsd
		push	8
		pop	ecx
		mov	esi, offset _PopBsdPowerTransition
		mov	edi, offset _PopBsdPowerTransitionAtBoot
		rep movsd
		call	_ExIsSoftBoot@0	; ExIsSoftBoot()
		test	al, al
		jnz	loc_AE3184

loc_ABBF9B:				; CODE XREF: PopCheckShutdownMarker+272AFj
		xor	ecx, ecx
		inc	ecx
		test	_PopSimulate, 200h
		jnz	loc_AE3190

loc_ABBFAE:				; CODE XREF: PopCheckShutdownMarker+272BAj
		mov	eax, dword_6D6F8C
		shr	eax, 10h
		and	al, 0DFh
		cmp	dword_6D6F08, 0
		mov	byte ptr dword_6D6F8C+2, al
		jnz	loc_AE319B

loc_ABBFCA:				; CODE XREF: PopCheckShutdownMarker+272C6j
					; PopCheckShutdownMarker+272E7j
		mov	al, byte_6D4A06
		shr	al, 4
		and	al, cl
		mov	_PopAutoChkCausedReboot, al
		mov	eax, ds:_WNF_PO_PREVIOUS_SHUTDOWN_STATE
		mov	[ebp+var_F0], eax
		mov	eax, ds:dword_412DE4
		mov	[ebp+var_EC], eax
		movzx	eax, byte_6D6F88
		and	eax, ecx
		mov	[ebp+var_110], eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	4
		lea	eax, [ebp+var_110]
		push	eax
		lea	eax, [ebp+var_F0]
		push	eax
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	ecx, _PopSimulate
		test	ecx, 400h
		jnz	loc_AE31C8
		xor	eax, eax
		inc	eax

loc_ABC02E:				; CODE XREF: PopCheckShutdownMarker+27303j
		test	ecx, 20000000h
		jnz	loc_AE31E4
		xor	edi, edi

loc_ABC03C:				; CODE XREF: PopCheckShutdownMarker+2731Cj
		test	byte_6D6F88, al
		jnz	loc_AE31FD

loc_ABC048:				; CODE XREF: PopCheckShutdownMarker+273F2j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopCheckShutdownMarker endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopCheckAndClearBootError proc near	; CODE XREF: PoInitSystem+6D1p

var_18		= dword	ptr -18h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE32D3 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		push	0
		push	14h
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax
		push	0Dh
		call	_RtlGetSystemBootStatus@16 ; RtlGetSystemBootStatus(x,x,x,x)
		test	eax, eax
		js	short loc_ABC092
		cmp	[ebp+var_C], 0
		jnz	loc_AE32D3

loc_ABC092:				; CODE XREF: PopCheckAndClearBootError+2Ej
					; PopCheckAndClearBootError+2729Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopCheckAndClearBootError endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmInitSystem	proc near		; CODE XREF: INIT:00ABFC39p
					; Phase1InitializationDiscard(x)+AFDp

var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_108		= dword	ptr -108h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE32F9 SIZE 000001FE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 16Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		or	[ebp+var_128], 0FFFFFFFFh
		xor	eax, eax
		or	[ebp+var_124], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_140], eax
		mov	[ebp+var_13C], eax
		lea	edi, [ebp+var_120]
		mov	[ebp+var_12C], eax
		mov	ebx, eax
		mov	[ebp+var_14C], eax
		mov	[ebp+var_148], eax
		mov	[ebp+var_138], eax
		mov	[ebp+var_134], eax
		push	6
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_164]
		push	6
		pop	ecx
		rep stosd
		mov	edi, eax
		test	esi, esi
		jz	loc_ABC282
		cmp	esi, 1
		jnz	loc_ABC23D
		push	offset ??_C@_1IE@NBCGBAGB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		lea	eax, [ebp+var_138]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ecx, ecx
		mov	[ebp+var_164], 18h
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_138]
		mov	[ebp+var_160], ecx
		mov	[ebp+var_15C], eax
		lea	eax, [ebp+var_164]
		push	ecx
		push	eax
		push	20019h
		lea	eax, [ebp+var_128]
		mov	[ebp+var_158], 240h
		push	eax
		mov	[ebp+var_154], ecx
		mov	[ebp+var_150], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_ABC23F
		lea	eax, [ebp+var_12C]
		push	eax
		push	edi
		push	edi
		push	2
		push	[ebp+var_128]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_AE32F9

loc_ABC1AE:				; CODE XREF: EmInitSystem+2725Fj
		push	74694D45h
		push	[ebp+var_12C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE332F
		lea	eax, [ebp+var_12C]
		push	eax
		push	[ebp+var_12C]
		push	ebx
		push	2
		push	[ebp+var_128]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_ABC23F
		mov	esi, [ebx+28h]
		push	74694D45h
		add	esi, 10h
		push	esi
		push	1
		mov	[ebp+var_16C], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AE332F
		and	[ebp+var_144], 0
		lea	eax, [ebp+var_12C]
		push	eax
		push	esi
		push	edi
		push	2
		push	0

loc_ABC222:				; CODE XREF: EmInitSystem+2742Dj
		push	[ebp+var_128]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 8000001Ah
		jnz	loc_AE3339

loc_ABC23B:				; CODE XREF: EmInitSystem+298j
		xor	eax, eax

loc_ABC23D:				; CODE XREF: EmInitSystem+79j
		mov	esi, eax

loc_ABC23F:				; CODE XREF: EmInitSystem+E4j
					; EmInitSystem+149j ...
		cmp	[ebp+var_128], 0FFFFFFFFh
		jz	short loc_ABC253
		push	[ebp+var_128]
		call	_ZwClose@4	; ZwClose(x)

loc_ABC253:				; CODE XREF: EmInitSystem+1A6j
		test	ebx, ebx
		jz	short loc_ABC262
		push	74694D45h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABC262:				; CODE XREF: EmInitSystem+1B5j
		test	edi, edi
		jz	short loc_ABC271
		push	74694D45h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABC271:				; CODE XREF: EmInitSystem+1C4j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_ABC282:				; CODE XREF: EmInitSystem+70j
		or	dword_6CDC44, 80000000h
		mov	_EmpParseLock, eax
		mov	_EmpDatabaseLock, eax
		mov	_EmpEvaluationQueueLock, eax
		mov	_EmpPagingLock,	eax
		mov	_EmpEntryListHead, eax
		mov	_EmpCallbackListHead, eax
		mov	_EmpRuleListHead, eax
		mov	_EmpTargetRuleListHead,	eax
		mov	_EmpRuleUpdateQueue, eax
		mov	_EmpWorkerBusy,	eax
		mov	dword_6CDC38, offset EmpRuleUpdateWorkerThread
		mov	dword_6CDC3C, eax
		mov	_EmpRuleUpdateWorker, eax
		mov	_EmpStringTable, eax
		mov	_EmpNumberOfEntryTypes,	eax
		mov	_EmpNumberOfCallbacks, eax
		mov	_EmpNumberOfRules, eax
		mov	_EmpNumberOfStrings, eax
		mov	_EmpNumberOfTargetRules, eax
		mov	eax, [edx+84h]
		mov	ecx, [eax+14h]
		test	ecx, ecx
		jz	short loc_ABC313
		mov	edx, [eax+18h]
		test	edx, edx
		jz	short loc_ABC313
		call	EmpParseInfDatabase
		mov	esi, eax
		test	esi, esi
		js	loc_ABC23F

loc_ABC313:				; CODE XREF: EmInitSystem+25Bj
					; EmInitSystem+262j
		call	EmpCacheBiosDate
		call	ds:__imp__HalRegisterErrataCallbacks@0 ; HalRegisterErrataCallbacks()
		push	offset _EmBuiltinProviderHandle	; int
		push	6		; int
		push	offset _BuiltinCallbackReg ; int
		xor	eax, eax
		push	eax		; size_t
		push	eax		; int
		push	eax		; int
		call	EmpProviderRegister
		mov	esi, eax
		test	esi, esi
		jns	loc_ABC23B
		jmp	loc_ABC23F
EmInitSystem	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpCacheBiosDate proc near		; CODE XREF: EmInitSystem:loc_ABC313p

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3D		= byte ptr -3Dh
var_3C		= byte ptr -3Ch
var_38		= dword	ptr -38h
ms_exc		= CPPEH_RECORD ptr -18h

		push	38h
		push	offset dword_6A71D8
		call	__SEH_prolog4_GS
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_38]
		rep stosd
		xor	ebx, ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	_EmpCachedBiosDate, ebx
		mov	[ebp-3Ah], bl
		cmp	dword_6BBFD0, 1
		jnz	loc_ABC441
		lea	eax, [ebp+var_38]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_44]
		push	eax
		call	EmpMapPhysicalAddress
		mov	esi, eax
		test	esi, esi
		jz	loc_ABC441
		mov	[ebp+ms_exc.disabled], ebx
		mov	ax, [esi+6]
		mov	word ptr [ebp+var_3C], ax
		push	10h		; int
		push	ebx		; char **
		lea	eax, [ebp+var_3C]
		push	eax		; char *
		call	_strtoul
		add	esp, 0Ch
		mov	ecx, eax
		cmp	ecx, 80h
		sbb	eax, eax
		and	eax, 7000000h
		add	eax, 19000000h
		shl	ecx, 10h
		add	ecx, eax
		mov	_EmpCachedBiosDate, ecx
		mov	ax, [esi]
		mov	word ptr [ebp+var_3C], ax
		push	10h		; int
		push	ebx		; char **
		lea	eax, [ebp+var_3C]
		push	eax		; char *
		call	_strtoul
		add	esp, 0Ch
		mov	ecx, eax
		shl	ecx, 8
		mov	eax, _EmpCachedBiosDate
		or	eax, ecx
		mov	_EmpCachedBiosDate, eax
		mov	ax, [esi+3]
		mov	word ptr [ebp+var_3C], ax
		push	10h		; int
		push	ebx		; char **
		lea	eax, [ebp+var_3C]
		push	eax		; char *
		call	_strtoul
		add	esp, 0Ch
		mov	ecx, _EmpCachedBiosDate
		or	ecx, eax
		mov	_EmpCachedBiosDate, ecx
		mov	bl, 1

loc_ABC41A:				; CODE XREF: sub_AE34FB+5j
		mov	[ebp+var_3D], bl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	esi, [ebp+var_44]
		push	[ebp+var_48]
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)
		xor	edx, edx
		lea	ecx, [ebp+var_38]
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		push	esi
		call	_ZwClose@4	; ZwClose(x)

loc_ABC441:				; CODE XREF: EmpCacheBiosDate+2Ej
					; EmpCacheBiosDate+49j
		mov	al, bl
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
EmpCacheBiosDate endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpMapPhysicalAddress proc near		; CODE XREF: EmpCacheBiosDate+40p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00AE3505 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		mov	ebx, [ebp+arg_4]
		lea	eax, [ebp+var_10]
		push	esi
		push	edi
		xor	esi, esi
		push	offset ??_C@_1CO@GCKPAJAM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAP?$AAh?$AAy?$AAs?$AAi?$AAc?$AAa@PBOPGDP@ ; "\\Device\\PhysicalMemory"
		push	eax
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebx], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edi, [ebp+arg_0]
		lea	eax, [ebp+var_10]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	4
		push	edi
		mov	[ebp+var_34], 18h
		mov	[ebp+var_30], esi
		mov	[ebp+var_28], 240h
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		call	_ZwOpenSection@12 ; ZwOpenSection(x,x,x)
		test	eax, eax
		js	short loc_ABC4FF
		push	[ebp+arg_8]
		mov	ecx, ds:_PsInitialSystemProcess
		xor	edx, edx
		mov	[ebp+var_8], esi
		mov	[ebp+arg_4], 8
		mov	[ebp+var_1C], 0FF000h
		mov	[ebp+var_18], esi
		call	KiStackAttachProcess
		push	4
		push	esi
		push	2
		lea	eax, [ebp+arg_4]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+arg_4]
		lea	eax, [ebp+var_8]
		push	esi
		push	eax
		push	0FFFFFFFFh
		push	dword ptr [edi]
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_AE3505
		mov	eax, [ebp+var_8]
		mov	[ebx], eax
		lea	esi, [eax+0FF5h]

loc_ABC4FF:				; CODE XREF: EmpMapPhysicalAddress+54j
					; EmpMapPhysicalAddress+270C4j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
EmpMapPhysicalAddress endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpParseInfDatabase proc near		; CODE XREF: EmInitSystem+264p
					; EmInitSystem+27404p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE351D SIZE 00000060 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 38h
		push	esi
		push	edi
		mov	esi, edx
		mov	edi, ecx
		xor	edx, edx
		mov	ecx, offset _EmpParseLock
		call	ExAcquirePushLockExclusiveEx
		and	[ebp+var_14], 0
		lea	eax, [ebp+var_14]
		push	eax
		mov	edx, esi
		mov	ecx, edi
		call	CmpParseInfBuffer
		mov	edi, eax
		test	edi, edi
		jz	loc_AE351D
		mov	ecx, edi
		call	EmpParseEntryTypes
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		js	short loc_ABC599
		mov	ecx, edi
		call	EmpParseCallbacks
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		js	short loc_ABC599
		mov	ecx, edi
		call	EmpParseRules
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		js	short loc_ABC599
		mov	ecx, edi
		call	EmpParseStrings
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		js	short loc_ABC599
		mov	ecx, edi
		call	EmpParseTargetRules
		mov	[ebp+var_8], eax

loc_ABC599:				; CODE XREF: EmpParseInfDatabase+55j
					; EmpParseInfDatabase+65j ...
		mov	ecx, [edi]
		call	_CmpFreeSectionList@4 ;	CmpFreeSectionList(x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABC5A8:				; CODE XREF: EmpParseInfDatabase+2701Cj
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _EmpParseLock
		mov	[ebp+var_C], edx
		mov	eax, edx
		lock xadd [ecx], eax
		test	al, 2
		jnz	loc_AE3529

loc_ABC5C1:				; CODE XREF: EmpParseInfDatabase+27023j
					; EmpParseInfDatabase+27036j
		xor	edi, edi
		mov	[ebp+var_10], edi
		test	ecx, 7FFFFFFCh
		jz	loc_ABC71E
		mov	esi, large fs:124h
		mov	eax, dword_6D07D0
		shr	ecx, 15h
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], eax
		cmp	eax, offset _EmpParseLock
		ja	short loc_ABC61C
		mov	eax, ecx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_ABC60C
		mov	eax, [ebp+var_30]
		cmp	eax, offset _EmpParseLock
		ja	short loc_ABC61C
		cmp	byte ptr dword_6D3994[ecx], 0Bh
		jnz	short loc_ABC61C

loc_ABC60C:				; CODE XREF: EmpParseInfDatabase+EFj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp+var_C], eax

loc_ABC61C:				; CODE XREF: EmpParseInfDatabase+E4j
					; EmpParseInfDatabase+F9j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _EmpParseLock
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_30], ecx
		test	ecx, ecx
		jz	loc_ABC72A
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_ABC664
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_30]

loc_ABC664:				; CODE XREF: EmpParseInfDatabase+152j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_10], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	byte ptr [ebp+var_4+3],	1
		jnz	loc_AE3558
		or	[esi+1E4h], dl

loc_ABC6AA:				; CODE XREF: EmpParseInfDatabase+22Aj
					; EmpParseInfDatabase+2705Cj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_34], eax
		jz	short loc_ABC6F8
		test	edi, 8000h
		jz	short loc_ABC6CE
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_ABC6CE:				; CODE XREF: EmpParseInfDatabase+1BBj
		test	byte ptr [ebp+var_10+2], 1
		jnz	short loc_ABC73D

loc_ABC6D4:				; CODE XREF: EmpParseInfDatabase+245j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_ABC6E8
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_ABC6E8:				; CODE XREF: EmpParseInfDatabase+1D3j
		test	dword ptr ds:byte_70EFC4, 200h
		jnz	loc_AE3569

loc_ABC6F8:				; CODE XREF: EmpParseInfDatabase+1B3j
					; EmpParseInfDatabase+27070j
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_ABC71E
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_ABC71E
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_ABC71E:				; CODE XREF: EmpParseInfDatabase+C4j
					; EmpParseInfDatabase+207j ...
		mov	eax, [ebp+var_8]
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_ABC72A:				; CODE XREF: EmpParseInfDatabase+140j
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_ABC6AA
		jmp	loc_AE3543
; 

loc_ABC73D:				; CODE XREF: EmpParseInfDatabase+1CAj
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]
		jmp	short loc_ABC6D4
EmpParseInfDatabase endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpFreeSectionList(x)
_CmpFreeSectionList@4 proc near		; CODE XREF: EmpParseInfDatabase+93p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_ABC788
		push	edi

loc_ABC75A:				; CODE XREF: CmpFreeSectionList(x)+35j
		cmp	byte ptr [esi+0Ch], 0
		mov	edi, [esi]
		jz	short loc_ABC771
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_ABC771
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABC771:				; CODE XREF: CmpFreeSectionList(x)+10j
					; CmpFreeSectionList(x)+17j
		mov	ecx, [esi+8]
		call	_CmpFreeLineList@4 ; CmpFreeLineList(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, edi
		test	edi, edi
		jnz	short loc_ABC75A
		pop	edi

loc_ABC788:				; CODE XREF: CmpFreeSectionList(x)+7j
		pop	esi
		retn
_CmpFreeSectionList@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpFreeLineList(x)
_CmpFreeLineList@4 proc	near		; CODE XREF: CmpFreeSectionList(x)+24p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_ABC7C2
		push	edi

loc_ABC794:				; CODE XREF: CmpFreeLineList(x)+35j
		cmp	byte ptr [esi+0Ch], 0
		mov	edi, [esi]
		jz	short loc_ABC7AB
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_ABC7AB
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABC7AB:				; CODE XREF: CmpFreeLineList(x)+10j
					; CmpFreeLineList(x)+17j
		mov	ecx, [esi+8]
		call	_CmpFreeValueList@4 ; CmpFreeValueList(x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, edi
		test	edi, edi
		jnz	short loc_ABC794
		pop	edi

loc_ABC7C2:				; CODE XREF: CmpFreeLineList(x)+7j
		pop	esi
		retn
_CmpFreeLineList@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpFreeValueList(x)
_CmpFreeValueList@4 proc near		; CODE XREF: CmpFreeLineList(x)+24p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_ABC7F4
		push	edi

loc_ABC7CE:				; CODE XREF: CmpFreeValueList(x)+2Dj
		cmp	byte ptr [esi+8], 0
		mov	edi, [esi]
		jz	short loc_ABC7E5
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_ABC7E5
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABC7E5:				; CODE XREF: CmpFreeValueList(x)+10j
					; CmpFreeValueList(x)+17j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, edi
		test	edi, edi
		jnz	short loc_ABC7CE
		pop	edi

loc_ABC7F4:				; CODE XREF: CmpFreeValueList(x)+7j
		pop	esi
		retn
_CmpFreeValueList@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopGetBootDiskInformationLite proc near	; CODE XREF: IoGetBootDiskInformationLite(x)+11p

var_FE		= byte ptr -0FEh
var_FD		= byte ptr -0FDh
var_FC		= dword	ptr -0FCh
var_F8		= word ptr -0F8h
var_F6		= byte ptr -0F6h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_A0		= dword	ptr -0A0h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE357D SIZE 000000AE BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 104h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+104h+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	7
		mov	[esp+114h+var_C4], ecx
		lea	edi, [esp+114h+var_E0]
		pop	ecx
		xor	ebx, ebx
		mov	[esp+110h+var_28], 20000100h
		xor	eax, eax
		mov	[esp+110h+var_24], 20200000h
		push	90h		; size_t
		rep stosd
		lea	eax, [esp+114h+var_B8]
		mov	[esp+114h+var_20], 20000000h
		push	ebx		; int
		push	eax		; void *
		mov	[esp+11Ch+var_F8], bx
		mov	[esp+11Ch+var_F6], bl
		mov	[esp+11Ch+var_C0], ebx
		mov	[esp+11Ch+var_BC], ebx
		call	_memset
		mov	eax, ds:_KeLoaderBlock
		add	esp, 0Ch
		mov	edi, ebx
		mov	[esp+110h+var_E8], ebx
		mov	[esp+110h+var_FD], bl
		mov	[esp+110h+var_F4], ebx
		push	dword ptr [eax+68h]
		lea	eax, [esp+114h+var_1C]
		mov	[esp+114h+var_FC], edi
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		mov	eax, ds:_KeLoaderBlock
		push	dword ptr [eax+6Ch]
		lea	eax, [esp+114h+var_14]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		mov	eax, ds:_KeLoaderBlock
		push	dword ptr [eax+0C0h]
		lea	eax, [esp+114h+var_C]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		mov	eax, ds:_KeLoaderBlock
		push	3
		pop	ecx
		mov	edx, [eax+80h]
		mov	eax, [edx]

loc_ABC8CF:				; CODE XREF: IopGetBootDiskInformationLite+1FCj
		cmp	eax, edx
		jnz	loc_ABC9EB
		imul	esi, ecx, 1Ch
		mov	ecx, 200h
		add	esi, 4
		mov	edx, esi
		call	IopVerifierExAllocatePool
		mov	[esp+110h+var_F0], eax
		test	eax, eax
		jz	loc_AE357D
		push	esi		; size_t
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, ds:_KeLoaderBlock
		add	esp, 0Ch
		mov	eax, [eax+80h]
		mov	ebx, [eax]
		cmp	ebx, eax
		jz	loc_ABC9CA

loc_ABC915:				; CODE XREF: IopGetBootDiskInformationLite+1CEj
		push	dword ptr [ebx+0Ch]
		lea	eax, [esp+114h+var_C0]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		xor	esi, esi
		lea	edi, [esp+110h+var_1C]
		mov	[esp+110h+var_E4], esi
		mov	[esp+110h+var_EC], edi

loc_ABC933:				; CODE XREF: IopGetBootDiskInformationLite+1B0j
		cmp	byte ptr [esp+esi+110h+var_F8],	0
		jnz	short loc_ABC997
		lea	eax, [esp+110h+var_E8]
		mov	edx, edi
		push	eax
		lea	ecx, [esp+114h+var_C0]
		call	_IopCheckDiskName@12 ; IopCheckDiskName(x,x,x)
		test	al, al
		jz	short loc_ABC997
		cmp	byte ptr [ebx+16h], 0
		lea	edi, [esp+110h+var_D8]
		mov	eax, [esp+110h+var_E8]
		mov	[esp+110h+var_DC], eax
		mov	eax, [esp+esi*4+110h+var_28]
		mov	byte ptr [esp+esi+110h+var_F8],	1
		mov	[esp+110h+var_C8], eax
		jnz	loc_AE3587
		and	[esp+110h+var_E0], 0
		xor	eax, eax
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ebx+8]
		mov	[esp+110h+var_D8], eax

loc_ABC986:				; CODE XREF: IopGetBootDiskInformationLite+26DA4j
		mov	ecx, [esp+110h+var_F0]
		lea	edx, [esp+110h+var_E0]
		call	IopAddBootDiskInformation
		mov	edi, [esp+110h+var_EC]

loc_ABC997:				; CODE XREF: IopGetBootDiskInformationLite+142j
					; IopGetBootDiskInformationLite+156j
		inc	esi
		add	edi, 8
		mov	[esp+110h+var_E4], esi
		mov	[esp+110h+var_EC], edi
		cmp	esi, 3
		jb	short loc_ABC933
		mov	ecx, [ebx+28h]
		test	ecx, ecx
		jnz	loc_AE359F

loc_ABC9B3:				; CODE XREF: IopGetBootDiskInformationLite+26DD9j
					; IopGetBootDiskInformationLite+26E30j
		mov	edi, [esp+110h+var_FC]

loc_ABC9B7:				; CODE XREF: IopGetBootDiskInformationLite+26DCFj
		mov	eax, ds:_KeLoaderBlock
		mov	ebx, [ebx]
		cmp	ebx, [eax+80h]
		jnz	loc_ABC915

loc_ABC9CA:				; CODE XREF: IopGetBootDiskInformationLite+119j
		mov	ecx, [esp+110h+var_C4]
		mov	eax, [esp+110h+var_F0]
		mov	[ecx], eax

loc_ABC9D4:				; CODE XREF: IopGetBootDiskInformationLite+26D8Cj
		mov	ecx, [esp+110h+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_ABC9EB:				; CODE XREF: IopGetBootDiskInformationLite+DBj
		cmp	[eax+28h], ebx
		jnz	short loc_ABC9F7

loc_ABC9F0:				; CODE XREF: IopGetBootDiskInformationLite+202j
		mov	eax, [eax]
		jmp	loc_ABC8CF
; 

loc_ABC9F7:				; CODE XREF: IopGetBootDiskInformationLite+1F8j
		inc	ecx
		jmp	short loc_ABC9F0
IopGetBootDiskInformationLite endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpParseEntryTypes proc	near		; CODE XREF: EmpParseInfDatabase+49p

var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE362B SIZE 00000012 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	edx, offset ??_C@_0BB@NBFILPMM@EntryTypeGuidDef@PBOPGDP@ ; "EntryTypeGuidDef"
		push	esi
		push	edi
		mov	[ebp+var_64], eax
		mov	esi, eax
		mov	[ebp+var_70], eax
		mov	ebx, eax
		mov	[ebp+var_6C], eax
		mov	edi, ecx
		lea	eax, [ebp+var_58]
		mov	[ebp+var_5C], edi
		push	4Eh
		mov	[ebp+var_60], eax
		pop	eax
		mov	word ptr [ebp+var_64+2], ax
		call	_EmpInfParseGetSectionLineCount@8 ; EmpInfParseGetSectionLineCount(x,x)
		mov	[ebp+var_68], eax
		test	eax, eax
		jz	loc_ABCB0D

loc_ABCA45:				; CODE XREF: EmpParseEntryTypes+F1j
		push	0
		push	ebx
		mov	edx, offset ??_C@_0BB@NBFILPMM@EntryTypeGuidDef@PBOPGDP@ ; "EntryTypeGuidDef"
		mov	ecx, edi
		call	_CmpGetSectionLineIndex@16 ; CmpGetSectionLineIndex(x,x,x,x)
		test	eax, eax
		jz	loc_ABCB0D
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	0
		lea	eax, [ebp+var_70]
		push	eax
		lea	eax, [ebp+var_64]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	loc_ABCB02
		push	74694D45h
		push	30h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_ABCB06
		push	edi
		lea	eax, [ebp+var_64]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE362B
		mov	ecx, edi	; void *
		call	_EmpSearchEntryDatabase@4 ; EmpSearchEntryDatabase(x)
		test	eax, eax
		jnz	loc_AE362B
		and	[edi+2Ch], eax
		lea	ecx, [edi+1Ch]
		and	dword ptr [edi+10h], 0
		lea	eax, [edi+24h]
		inc	_EmpNumberOfEntryTypes
		mov	[ecx+4], ecx
		mov	[ecx], ecx
		mov	[edi+18h], ecx
		lea	ecx, [edi+14h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	eax, _EmpEntryListHead
		mov	[ecx], eax
		mov	_EmpEntryListHead, ecx

loc_ABCAE4:				; CODE XREF: EmpParseEntryTypes+26C3Ej
		mov	edi, [ebp+var_5C]

loc_ABCAE7:				; CODE XREF: EmpParseEntryTypes+10Aj
		inc	ebx
		cmp	ebx, [ebp+var_68]
		jb	loc_ABCA45

loc_ABCAF1:				; CODE XREF: EmpParseEntryTypes+111j
					; EmpParseEntryTypes+115j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_ABCB02:				; CODE XREF: EmpParseEntryTypes+7Dj
		xor	esi, esi
		jmp	short loc_ABCAE7
; 

loc_ABCB06:				; CODE XREF: EmpParseEntryTypes+95j
		mov	esi, 0C000009Ah
		jmp	short loc_ABCAF1
; 

loc_ABCB0D:				; CODE XREF: EmpParseEntryTypes+45j
					; EmpParseEntryTypes+5Cj
		xor	esi, esi
		jmp	short loc_ABCAF1
EmpParseEntryTypes endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpParseCallbacks proc near		; CODE XREF: EmpParseInfDatabase+59p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE363D SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_18], ecx
		lea	edi, [ebp+var_14]
		mov	edx, offset ??_C@_0M@JFEBFCJJ@CallbackDef@PBOPGDP@ ; "CallbackDef"
		stosd
		xor	ebx, ebx
		xor	esi, esi
		stosd
		stosd
		stosd
		call	_EmpInfParseGetSectionLineCount@8 ; EmpInfParseGetSectionLineCount(x,x)
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	loc_ABCCD0

loc_ABCB4C:				; CODE XREF: EmpParseCallbacks+149j
		mov	esi, [ebp+var_18]
		mov	edx, offset ??_C@_0M@JFEBFCJJ@CallbackDef@PBOPGDP@ ; "CallbackDef"
		push	ebx
		mov	ecx, esi
		call	_CmpGetKeyName@12 ; CmpGetKeyName(x,x,x)
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_ABCCD0
		push	ebx
		mov	edx, offset ??_C@_0M@JFEBFCJJ@CallbackDef@PBOPGDP@ ; "CallbackDef"
		mov	ecx, esi
		call	_CmpGetSectionLineIndexValueCount@12 ; CmpGetSectionLineIndexValueCount(x,x,x)
		mov	[ebp+var_20], eax
		cmp	eax, 2
		jb	loc_AE3648
		push	74694D45h
		lea	eax, ds:28h[eax*4]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AE3659
		push	edi		; int
		push	[ebp+var_1C]	; char *
		mov	edx, offset ??_C@_0BA@NLAPLPIK@CallbackGuidDef@PBOPGDP@	; "CallbackGuidDef"
		mov	ecx, esi	; int
		call	_EmpInfParseGetGuidFromName@16 ; EmpInfParseGetGuidFromName(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE363D
		mov	ecx, edi	; void *
		call	_EmpSearchCallbackDatabase@4 ; EmpSearchCallbackDatabase(x)
		test	eax, eax
		jnz	loc_AE363D
		mov	eax, [ebp+var_20]
		mov	edx, offset ??_C@_0M@JFEBFCJJ@CallbackDef@PBOPGDP@ ; "CallbackDef"
		mov	ecx, [ebp+var_18]
		add	eax, 0FFFFFFFEh
		push	0
		push	ebx
		mov	[edi+2Ch], eax
		call	_CmpGetSectionLineIndex@16 ; CmpGetSectionLineIndex(x,x,x,x)
		test	eax, eax
		jz	loc_AE363D
		push	0Ah		; int
		push	0		; char **
		push	eax		; char *
		call	_strtoul
		mov	ecx, [ebp+var_18]
		add	esp, 0Ch
		mov	edx, offset ??_C@_0M@JFEBFCJJ@CallbackDef@PBOPGDP@ ; "CallbackDef"
		mov	[edi+24h], eax
		push	1
		push	ebx
		call	_CmpGetSectionLineIndex@16 ; CmpGetSectionLineIndex(x,x,x,x)
		test	eax, eax
		jz	loc_AE363D
		push	0Ah		; int
		push	0		; char **
		push	eax		; char *
		call	_strtoul
		add	esp, 0Ch
		mov	[edi+28h], eax
		push	2
		pop	eax
		mov	[ebp+var_24], eax
		cmp	[ebp+var_20], eax
		ja	short loc_ABCC72

loc_ABCC2B:				; CODE XREF: EmpParseCallbacks+1B6j
					; EmpParseCallbacks+26B42j
		test	esi, esi
		js	loc_AE363D
		xor	eax, eax
		lea	ecx, [edi+1Ch]
		inc	_EmpNumberOfCallbacks
		mov	[edi+20h], eax
		mov	[edi+10h], eax
		mov	[edi+14h], eax
		mov	[edi+18h], eax
		mov	eax, _EmpCallbackListHead
		mov	[ecx], eax
		mov	_EmpCallbackListHead, ecx

loc_ABCC57:				; CODE XREF: EmpParseCallbacks+26B38j
		inc	ebx
		cmp	ebx, [ebp+var_28]
		jb	loc_ABCB4C

loc_ABCC61:				; CODE XREF: EmpParseCallbacks+1C0j
					; EmpParseCallbacks+26B4Cj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_ABCC72:				; CODE XREF: EmpParseCallbacks+117j
		lea	ecx, [edi+30h]
		mov	[ebp+var_1C], ecx

loc_ABCC78:				; CODE XREF: EmpParseCallbacks+1BCj
		mov	ecx, [ebp+var_18]
		mov	edx, offset ??_C@_0M@JFEBFCJJ@CallbackDef@PBOPGDP@ ; "CallbackDef"
		push	eax
		push	ebx
		call	_CmpGetSectionLineIndex@16 ; CmpGetSectionLineIndex(x,x,x,x)
		lea	ecx, [ebp+var_14]
		mov	edx, offset ??_C@_0BB@NBFILPMM@EntryTypeGuidDef@PBOPGDP@ ; "EntryTypeGuidDef"
		push	ecx		; int
		mov	ecx, [ebp+var_18] ; int
		push	eax		; char *
		call	_EmpInfParseGetGuidFromName@16 ; EmpInfParseGetGuidFromName(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE363D
		lea	ecx, [ebp+var_14] ; void *
		call	_EmpSearchEntryDatabase@4 ; EmpSearchEntryDatabase(x)
		test	eax, eax
		jz	loc_AE364F
		mov	ecx, [ebp+var_1C]
		mov	[ecx], eax
		add	ecx, 4
		mov	eax, [ebp+var_24]
		inc	eax
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax
		cmp	eax, [ebp+var_20]
		jnb	loc_ABCC2B
		jmp	short loc_ABCC78
; 

loc_ABCCD0:				; CODE XREF: EmpParseCallbacks+34j
					; EmpParseCallbacks+4Fj
		xor	esi, esi
		jmp	short loc_ABCC61
EmpParseCallbacks endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpParseRuleTerm proc near		; CODE XREF: EmpParseRuleExpression+80p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00AE3663 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_20], eax
		mov	eax, [ebp+arg_4]
		push	ebx
		mov	[ebp+var_2C], eax
		xor	ebx, ebx
		mov	eax, [ebp+arg_8]
		push	esi
		push	edi
		mov	[ebp+var_30], eax
		lea	edi, [ebp+var_18]
		xor	eax, eax
		mov	[ebp+var_24], edx
		stosd
		lea	esi, [edx+1]
		push	28h		; int
		push	esi		; char *
		mov	[ebp+var_1C], ecx
		stosd
		stosd
		stosd
		call	_strchr
		mov	[ebp+var_28], eax
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_AE3663
		mov	ecx, [ebp+var_1C] ; int
		mov	[eax], bl
		mov	eax, [ebp+var_24]
		cmp	byte ptr [eax],	3Fh
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	esi		; char *
		jz	loc_ABCDCE
		mov	edx, offset ??_C@_0BA@BBPLJNBJ@RuleNameGuidDef@PBOPGDP@	; "RuleNameGuidDef"
		call	_EmpInfParseGetGuidFromName@16 ; EmpInfParseGetGuidFromName(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_ABCDBB
		lea	ecx, [ebp+var_18] ; void *
		call	_EmpSearchRuleDatabase@4 ; EmpSearchRuleDatabase(x)
		test	eax, eax
		jz	loc_ABCDFD
		mov	ecx, [ebp+var_20]
		mov	[ecx], eax
		mov	ecx, [eax+20h]
		mov	edx, [eax+24h]
		mov	eax, [eax+28h]

loc_ABCD68:				; CODE XREF: EmpParseRuleTerm+124j
		lea	edi, [ecx+edx]
		mov	[ebp+var_20], eax
		add	edi, eax
		mov	[ebp+var_1C], edx
		mov	eax, [ebp+var_28]
		mov	[ebp+var_24], ecx
		mov	byte ptr [eax],	28h
		jz	short loc_ABCDB1
		push	74734D45h
		mov	eax, edi
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_ABCE04
		push	[ebp+var_20]	; int
		mov	ecx, [ebp+var_28] ; char *
		mov	edx, ebx	; int
		push	[ebp+var_1C]	; int
		push	[ebp+var_24]	; int
		call	EmpParseRuleTermArgMapping
		test	al, al
		jz	loc_AE366D

loc_ABCDB1:				; CODE XREF: EmpParseRuleTerm+A8j
		mov	eax, [ebp+var_2C]
		mov	[eax], ebx
		mov	eax, [ebp+var_30]
		mov	[eax], edi

loc_ABCDBB:				; CODE XREF: EmpParseRuleTerm+74j
					; EmpParseRuleTerm+108j ...
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch		; char *
; 

loc_ABCDCE:				; CODE XREF: EmpParseRuleTerm+60j
		mov	edx, offset ??_C@_0BA@NLAPLPIK@CallbackGuidDef@PBOPGDP@	; "CallbackGuidDef"
		call	_EmpInfParseGetGuidFromName@16 ; EmpInfParseGetGuidFromName(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_ABCDBB
		lea	ecx, [ebp+var_18] ; void *
		call	_EmpSearchCallbackDatabase@4 ; EmpSearchCallbackDatabase(x)
		test	eax, eax
		jz	short loc_ABCDFD
		mov	ecx, [ebp+var_20]
		mov	[ecx], eax
		mov	ecx, [eax+24h]
		mov	edx, [eax+28h]
		mov	eax, [eax+2Ch]
		jmp	loc_ABCD68
; 

loc_ABCDFD:				; CODE XREF: EmpParseRuleTerm+80j
					; EmpParseRuleTerm+114j
		mov	esi, 0C0000225h
		jmp	short loc_ABCDBB
; 

loc_ABCE04:				; CODE XREF: EmpParseRuleTerm+C0j
		mov	esi, 0C000009Ah
		jmp	short loc_ABCDBB
EmpParseRuleTerm endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall EmpParseRuleExpression(int,char *,int)
EmpParseRuleExpression proc near	; CODE XREF: EmpParseRules+137p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE3682 SIZE 000000E5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_2C]
		mov	ebx, ecx
		mov	[ebp+var_2C], edi
		mov	ecx, edi
		mov	[ebp+var_30], ebx
		push	eax		; int
		push	ecx		; int
		mov	[ebp+var_18], ecx
		mov	esi, edi
		push	edx		; char *
		mov	edx, offset ??_C@_04HOKIGJEB@Rule@PBOPGDP@ ; "Rule"
		mov	[ebp+var_8], edi
		mov	ecx, ebx
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_28], edi
		call	_EmpInfParseGetValueFromSectionAndKeyName@20 ; EmpInfParseGetValueFromSectionAndKeyName(x,x,x,x,x)
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_ABD1E3
		call	_EmpCreateRuleParserStack@0 ; EmpCreateRuleParserStack()
		mov	ecx, [ebp+var_1C]
		mov	ebx, eax

loc_ABCE61:				; CODE XREF: EmpParseRuleExpression+1B9j
		movsx	eax, byte ptr [ecx]
		sub	eax, 25h
		jz	short loc_ABCE7B
		sub	eax, 1
		jz	loc_ABD103
		sub	eax, 19h
		jnz	loc_ABD0FA

loc_ABCE7B:				; CODE XREF: EmpParseRuleExpression+5Bj
		lea	eax, [ebp+var_10]
		mov	edx, ecx
		mov	ecx, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	EmpParseRuleTerm
		mov	esi, eax
		test	esi, esi
		js	loc_ABD008
		mov	eax, [ebp+var_1C]
		mov	ecx, [ebp+var_8]
		mov	al, [eax]
		mov	[ebp+var_1], al
		cmp	al, 3Fh
		jz	loc_ABD032
		mov	eax, [ecx+20h]
		mov	edx, [ecx+24h]

loc_ABCEB4:				; CODE XREF: EmpParseRuleExpression+22Cj
		mov	[ebp+var_24], edx
		add	edx, eax
		mov	[ebp+var_C], edx
		cmp	edx, [ebp+var_10]
		ja	loc_AE368C
		and	[ebp+var_1C], 0
		mov	edi, [ebp+arg_0]
		test	eax, eax
		jz	short loc_ABCEF6
		mov	edx, [edi+20h]
		mov	[ebp+var_34], edx

loc_ABCED6:				; CODE XREF: EmpParseRuleExpression+E8j
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_1C]
		mov	edi, [ebp+var_34]
		cmp	[edx+ecx*4], edi
		mov	edi, [ebp+arg_0]
		mov	edx, [ebp+var_C]
		jnb	loc_AE368C
		inc	[ebp+var_1C]
		cmp	[ebp+var_1C], eax
		jb	short loc_ABCED6

loc_ABCEF6:				; CODE XREF: EmpParseRuleExpression+C2j
		mov	[ebp+var_1C], eax
		cmp	eax, edx
		jnb	short loc_ABCF23
		mov	edx, [edi+24h]
		mov	[ebp+var_34], edx

loc_ABCF03:				; CODE XREF: EmpParseRuleExpression+115j
		mov	edx, [ebp+var_14]
		mov	ecx, [ebp+var_1C]
		mov	edi, [ebp+var_34]
		cmp	[edx+ecx*4], edi
		mov	edi, [ebp+arg_0]
		mov	edx, [ebp+var_C]
		jnb	loc_AE368C
		inc	[ebp+var_1C]
		cmp	[ebp+var_1C], edx
		jb	short loc_ABCF03

loc_ABCF23:				; CODE XREF: EmpParseRuleExpression+EFj
		cmp	edx, [ebp+var_10]
		jb	loc_ABD09C

loc_ABCF2C:				; CODE XREF: EmpParseRuleExpression+2E6j
		cmp	[ebp+var_1], 3Fh
		push	74694D45h
		jz	loc_ABD03D
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_AE3682
		mov	edx, [ebp+var_8]
		lea	ecx, [eax+4]
		mov	[eax], edx
		mov	eax, [edi+34h]
		mov	[ecx], eax
		lea	eax, [edx+1Ch]
		mov	[edi+34h], ecx
		mov	edx, edi
		mov	[ebp+var_34], eax
		mov	ecx, eax
		call	_EmpInfParseSearchDependencyList@8 ; EmpInfParseSearchDependencyList(x,x)
		test	al, al
		jnz	short loc_ABCF93
		push	74694D45h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_AE3682
		mov	edx, [ebp+var_34]
		lea	ecx, [eax+4]
		mov	[eax], edi
		mov	eax, [edx]
		mov	[ecx], eax
		mov	[edx], ecx

loc_ABCF93:				; CODE XREF: EmpParseRuleExpression+161j
		xor	edx, edx
		inc	edx

loc_ABCF96:				; CODE XREF: EmpParseRuleExpression+28Bj
		push	[ebp+var_10]
		push	[ebp+var_14]
		push	[ebp+var_8]

loc_ABCF9F:				; CODE XREF: EmpParseRuleExpression+3B5j
		mov	ecx, ebx
		call	_EmpRuleParserStackPush@20 ; EmpRuleParserStackPush(x,x,x,x,x)
		mov	eax, [ebp+var_28]
		mov	edx, offset ??_C@_04HOKIGJEB@Rule@PBOPGDP@ ; "Rule"
		mov	ecx, [ebp+var_30]
		inc	eax
		push	eax
		push	[ebp+var_2C]
		mov	[ebp+var_28], eax
		call	_CmpGetSectionLineIndex@16 ; CmpGetSectionLineIndex(x,x,x,x)
		mov	ecx, eax
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jnz	loc_ABCE61
		cmp	dword ptr [ebx], 1
		jnz	loc_AE368C
		push	74694D45h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+var_20], eax
		lea	ecx, [eax+8]
		push	ecx
		lea	ecx, [eax+0Ch]
		push	ecx
		lea	ecx, [eax+4]
		push	ecx
		mov	ecx, ebx
		call	_EmpRuleParserStackPop@20 ; EmpRuleParserStackPop(x,x,x,x,x)
		test	al, al
		jz	loc_ABD20E
		mov	eax, [ebp+var_20]
		mov	[edi+40h], eax

loc_ABD008:				; CODE XREF: EmpParseRuleExpression+89j
					; EmpParseRuleExpression+407j ...
		test	ebx, ebx
		jz	short loc_ABD021

loc_ABD00C:				; CODE XREF: EmpParseRuleExpression+268A0j
		cmp	dword ptr [ebx+4], 0
		jnz	loc_AE3696
		push	74734D45h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABD021:				; CODE XREF: EmpParseRuleExpression+1FEj
		test	esi, esi
		js	loc_AE36B1

loc_ABD029:				; CODE XREF: EmpParseRuleExpression+3F7j
					; EmpParseRuleExpression+26956j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_ABD032:				; CODE XREF: EmpParseRuleExpression+9Cj
		mov	eax, [ecx+24h]
		mov	edx, [ecx+28h]
		jmp	loc_ABCEB4
; 

loc_ABD03D:				; CODE XREF: EmpParseRuleExpression+129j
		push	8
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_AE3682
		mov	edx, [ebp+var_8]
		lea	ecx, [eax+4]
		mov	[eax], edx
		mov	eax, [edi+30h]
		mov	[ecx], eax
		lea	eax, [edx+20h]
		mov	[edi+30h], ecx
		mov	edx, edi
		mov	[ebp+var_34], eax
		mov	ecx, eax
		call	_EmpInfParseSearchDependencyList@8 ; EmpInfParseSearchDependencyList(x,x)
		test	al, al
		jnz	short loc_ABD095
		push	74694D45h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	loc_AE3682
		mov	edx, [ebp+var_34]
		lea	ecx, [eax+4]
		mov	[eax], edi
		mov	eax, [edx]
		mov	[ecx], eax
		mov	[edx], ecx

loc_ABD095:				; CODE XREF: EmpParseRuleExpression+263j
		xor	edx, edx
		jmp	loc_ABCF96
; 

loc_ABD09C:				; CODE XREF: EmpParseRuleExpression+11Aj
		sub	edx, [ebp+var_24]
		mov	ecx, [edi+28h]
		sub	edx, eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_34], ecx
		mov	ecx, [ebp+var_8]
		shl	edx, 2

loc_ABD0B0:				; CODE XREF: EmpParseRuleExpression+2ECj
		mov	edi, [ebp+var_14]
		mov	eax, [edi+eax*4]
		mov	edi, [ebp+arg_0]
		mov	[ebp+var_24], eax
		cmp	eax, [ebp+var_34]
		jnb	loc_AE368C
		cmp	[ebp+var_1], 3Fh
		mov	eax, [edi+2Ch]
		jnz	loc_ABD1C6
		mov	ecx, [ebp+var_24]
		mov	eax, [eax+ecx*4]
		mov	ecx, [ebp+var_8]
		cmp	eax, [ecx+edx+30h]
		jnz	loc_AE368C

loc_ABD0E5:				; CODE XREF: EmpParseRuleExpression+3D2j
		mov	eax, [ebp+var_C]
		add	edx, 4
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, [ebp+var_10]
		jnb	loc_ABCF2C
		jmp	short loc_ABD0B0
; 

loc_ABD0FA:				; CODE XREF: EmpParseRuleExpression+69j
		sub	eax, 3Dh
		jnz	loc_AE368C

loc_ABD103:				; CODE XREF: EmpParseRuleExpression+60j
		cmp	dword ptr [ebx], 2
		jb	loc_AE368C
		push	74734D45h
		push	1Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_AE3682
		push	74734D45h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_18]
		push	74734D45h
		push	10h
		push	1
		mov	[ecx+4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_18]
		mov	edx, [ecx+4]
		mov	[ecx+10h], eax
		test	edx, edx
		jz	loc_AE3682
		test	eax, eax
		jz	loc_AE3682
		mov	eax, [ebp+var_1C]
		mov	al, [eax]
		mov	[ecx], al
		and	dword ptr [edx+8], 0
		xor	edx, edx
		mov	eax, [ecx+4]
		mov	[eax+0Ch], edx
		mov	eax, [ecx+10h]
		mov	[eax+8], edx
		mov	eax, [ecx+10h]
		mov	[eax+0Ch], edx
		lea	eax, [ecx+14h]
		mov	edx, [ecx+10h]
		push	eax
		lea	eax, [ecx+18h]
		mov	ecx, ebx
		push	eax
		lea	eax, [edx+4]
		push	eax
		call	_EmpRuleParserStackPop@20 ; EmpRuleParserStackPop(x,x,x,x,x)
		test	al, al
		jz	short loc_ABD20E
		mov	ecx, [ebp+var_18]
		mov	edx, [ecx+4]
		lea	eax, [ecx+8]
		push	eax
		lea	eax, [ecx+0Ch]
		mov	ecx, ebx
		push	eax
		lea	eax, [edx+4]
		push	eax
		call	_EmpRuleParserStackPop@20 ; EmpRuleParserStackPop(x,x,x,x,x)
		test	al, al
		jz	short loc_ABD20E
		mov	ecx, [ebp+var_18]
		push	0
		push	0
		push	ecx
		push	2
		pop	edx
		jmp	loc_ABCF9F
; 

loc_ABD1C6:				; CODE XREF: EmpParseRuleExpression+2C0j
		mov	edi, [ebp+var_24]
		mov	ecx, [ecx+2Ch]
		mov	eax, [eax+edi*4]
		mov	edi, [ebp+arg_0]
		cmp	eax, [edx+ecx]
		jnz	loc_AE368C
		mov	ecx, [ebp+var_8]
		jmp	loc_ABD0E5
; 

loc_ABD1E3:				; CODE XREF: EmpParseRuleExpression+45j
		mov	esi, 0C0000225h

loc_ABD1E8:				; CODE XREF: EmpParseRuleExpression+268AAj
					; EmpParseRuleExpression+2690Ej
		mov	ecx, [edi+34h]
		test	ecx, ecx
		jnz	loc_AE36E7

loc_ABD1F3:				; CODE XREF: EmpParseRuleExpression+26946j
		mov	ecx, [edi+30h]
		test	ecx, ecx
		jnz	loc_AE371F
		mov	eax, [ebp+var_20]
		test	eax, eax
		jz	loc_ABD029
		jmp	loc_AE3757
; 

loc_ABD20E:				; CODE XREF: EmpParseRuleExpression+1F0j
					; EmpParseRuleExpression+38Bj ...
		mov	esi, 0C0000225h
		jmp	loc_ABD008
EmpParseRuleExpression endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetSectionLineIndexValueCount(x,	x, x)
_CmpGetSectionLineIndexValueCount@12 proc near ; CODE XREF: EmpParseCallbacks+5Dp
					; EmpParseRules+117p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		xor	esi, esi
		call	_CmpSearchSectionByName@8 ; CmpSearchSectionByName(x,x)
		test	eax, eax
		jz	short loc_ABD243
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		call	_CmpSearchLineInSectionByIndex@8 ; CmpSearchLineInSectionByIndex(x,x)
		test	eax, eax
		jz	short loc_ABD243
		mov	ecx, [eax+8]
		jmp	short loc_ABD23F
; 

loc_ABD23C:				; CODE XREF: CmpGetSectionLineIndexValueCount(x,x,x)+29j
		mov	ecx, [ecx]
		inc	esi

loc_ABD23F:				; CODE XREF: CmpGetSectionLineIndexValueCount(x,x,x)+22j
		test	ecx, ecx
		jnz	short loc_ABD23C

loc_ABD243:				; CODE XREF: CmpGetSectionLineIndexValueCount(x,x,x)+Fj
					; CmpGetSectionLineIndexValueCount(x,x,x)+1Dj
		mov	eax, esi
		pop	esi
		pop	ebp
		retn	4
_CmpGetSectionLineIndexValueCount@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpParseRules	proc near		; CODE XREF: EmpParseInfDatabase+69p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE3767 SIZE 000000A7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	esi, ecx
		xor	ebx, ebx
		mov	[ebp+var_18], esi
		mov	edx, offset ??_C@_07HEKHBGDN@RuleDef@PBOPGDP@ ;	"RuleDef"
		mov	[ebp+var_1C], ebx
		stosd
		stosd
		stosd
		xor	edi, edi
		call	_EmpInfParseGetSectionLineCount@8 ; EmpInfParseGetSectionLineCount(x,x)
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	loc_ABD4CF

loc_ABD289:				; CODE XREF: EmpParseRules+16Cj
		push	ebx
		mov	edx, offset ??_C@_07HEKHBGDN@RuleDef@PBOPGDP@ ;	"RuleDef"
		mov	ecx, esi
		call	_CmpGetKeyName@12 ; CmpGetKeyName(x,x,x)
		mov	edi, eax
		mov	[ebp+var_2C], edi
		test	edi, edi
		jz	loc_ABD4CF
		push	74694D45h
		push	44h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_AE3804
		xor	ecx, ecx
		mov	dword ptr [esi+10h], 1
		mov	[esi+2Ch], ecx
		lea	eax, [esi+38h]
		mov	[eax+4], eax
		mov	edx, offset ??_C@_0BA@BBPLJNBJ@RuleNameGuidDef@PBOPGDP@	; "RuleNameGuidDef"
		mov	[eax], eax
		push	esi		; int
		mov	[esi+14h], cl
		mov	[esi+30h], ecx
		mov	[esi+34h], ecx
		mov	[esi+1Ch], ecx
		mov	[esi+28h], ecx
		mov	[esi+20h], ecx
		mov	ecx, [ebp+var_18] ; int
		push	edi		; char *
		call	_EmpInfParseGetGuidFromName@16 ; EmpInfParseGetGuidFromName(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_ABD490
		mov	ecx, esi	; void *
		call	_EmpSearchRuleDatabase@4 ; EmpSearchRuleDatabase(x)
		test	eax, eax
		jnz	loc_ABD490
		mov	ecx, [ebp+var_18]
		mov	edx, offset ??_C@_07HEKHBGDN@RuleDef@PBOPGDP@ ;	"RuleDef"
		push	eax
		push	ebx
		call	_CmpGetSectionLineIndex@16 ; CmpGetSectionLineIndex(x,x,x,x)
		test	eax, eax
		jz	loc_ABD4B6
		push	0Ah		; int
		push	0		; char **
		push	eax		; char *
		call	_strtoul
		mov	ecx, [ebp+var_18]
		add	esp, 0Ch
		mov	edx, offset ??_C@_07HEKHBGDN@RuleDef@PBOPGDP@ ;	"RuleDef"
		mov	[esi+20h], eax
		push	1
		push	ebx
		call	_CmpGetSectionLineIndex@16 ; CmpGetSectionLineIndex(x,x,x,x)
		test	eax, eax
		jz	loc_ABD4B6
		push	0Ah		; int
		push	0		; char **
		push	eax		; char *
		call	_strtoul
		mov	ecx, [ebp+var_18]
		add	esp, 0Ch
		mov	edx, offset ??_C@_07HEKHBGDN@RuleDef@PBOPGDP@ ;	"RuleDef"
		mov	[esi+24h], eax
		push	ebx
		call	_CmpGetSectionLineIndexValueCount@12 ; CmpGetSectionLineIndexValueCount(x,x,x)
		mov	[ebp+var_24], eax
		cmp	eax, 2
		jb	loc_ABD4B6
		add	eax, 0FFFFFFFEh
		mov	[esi+28h], eax
		jnz	short loc_ABD3BB

loc_ABD37A:				; CODE XREF: EmpParseRules+241j
		mov	edx, [ebp+var_2C] ; char *
		mov	ecx, [ebp+var_18] ; int
		push	esi		; int
		call	EmpParseRuleExpression
		mov	edi, eax
		test	edi, edi
		js	loc_ABD4A0
		mov	eax, _EmpRuleListHead
		lea	ecx, [esi+18h]
		inc	_EmpNumberOfRules
		mov	[ecx], eax
		mov	_EmpRuleListHead, ecx

loc_ABD3A6:				; CODE XREF: EmpParseRules+251j
					; EmpParseRules+279j ...
		inc	ebx
		mov	[ebp+var_1C], ebx
		cmp	ebx, [ebp+var_30]
		jnb	loc_ABD4D1
		mov	esi, [ebp+var_18]
		jmp	loc_ABD289
; 

loc_ABD3BB:				; CODE XREF: EmpParseRules+12Ej
		mov	ebx, 74694D45h
		shl	eax, 2
		push	ebx
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esi+2Ch], eax
		test	eax, eax
		jz	loc_AE37FD
		mov	ecx, [esi+28h]
		shl	ecx, 2
		push	ecx		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		push	2
		pop	ebx
		cmp	[ebp+var_24], ebx
		jbe	loc_ABD480
		and	[ebp+var_20], 0

loc_ABD3F9:				; CODE XREF: EmpParseRules+230j
		mov	ecx, [ebp+var_18]
		mov	edx, offset ??_C@_07HEKHBGDN@RuleDef@PBOPGDP@ ;	"RuleDef"
		push	ebx
		push	[ebp+var_1C]
		call	_CmpGetSectionLineIndex@16 ; CmpGetSectionLineIndex(x,x,x,x)
		lea	ecx, [ebp+var_14]
		mov	edx, offset ??_C@_0BB@NBFILPMM@EntryTypeGuidDef@PBOPGDP@ ; "EntryTypeGuidDef"
		push	ecx		; int
		mov	ecx, [ebp+var_18] ; int
		push	eax		; char *
		call	_EmpInfParseGetGuidFromName@16 ; EmpInfParseGetGuidFromName(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AE3767
		lea	ecx, [ebp+var_14] ; void *
		call	_EmpSearchEntryDatabase@4 ; EmpSearchEntryDatabase(x)
		test	eax, eax
		jz	loc_AE3767
		mov	ecx, [esi+2Ch]
		mov	edx, [ebp+var_20]
		mov	[edx+ecx], eax
		add	eax, 2Ch
		mov	edx, esi
		mov	[ebp+var_28], eax
		mov	ecx, eax
		call	_EmpInfParseSearchDependencyList@8 ; EmpInfParseSearchDependencyList(x,x)
		test	al, al
		jnz	short loc_ABD472
		push	74694D45h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_ABD4C8
		mov	edx, [ebp+var_28]
		lea	ecx, [eax+4]
		mov	[eax], esi
		mov	eax, [edx]
		mov	[ecx], eax
		mov	[edx], ecx

loc_ABD472:				; CODE XREF: EmpParseRules+206j
		add	[ebp+var_20], 4
		inc	ebx
		cmp	ebx, [ebp+var_24]
		jb	loc_ABD3F9

loc_ABD480:				; CODE XREF: EmpParseRules+1A5j
					; EmpParseRules+283j
		test	edi, edi
		js	loc_AE3767
		mov	ebx, [ebp+var_1C]
		jmp	loc_ABD37A
; 

loc_ABD490:				; CODE XREF: EmpParseRules+AAj
					; EmpParseRules+B9j
		push	74694D45h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ABD3A6
; 

loc_ABD4A0:				; CODE XREF: EmpParseRules+140j
		xor	edi, edi
		cmp	[esi+28h], edi
		ja	loc_AE37BE

loc_ABD4AB:				; CODE XREF: EmpParseRules+2659Ej
		mov	eax, [esi+2Ch]
		test	eax, eax
		jnz	loc_AE37ED

loc_ABD4B6:				; CODE XREF: EmpParseRules+D0j
					; EmpParseRules+F8j ...
		push	74694D45h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		jmp	loc_ABD3A6
; 

loc_ABD4C8:				; CODE XREF: EmpParseRules+218j
		mov	edi, 0C000009Ah
		jmp	short loc_ABD480
; 

loc_ABD4CF:				; CODE XREF: EmpParseRules+39j
					; EmpParseRules+53j
		xor	edi, edi

loc_ABD4D1:				; CODE XREF: EmpParseRules+163j
					; EmpParseRules+265BFj
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
EmpParseRules	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpParseStrings	proc near		; CODE XREF: EmpParseInfDatabase+79p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE380E SIZE 00000081 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		mov	eax, ecx
		mov	edx, offset ??_C@_07BJOIOONN@Strings@PBOPGDP@
		push	esi
		mov	[ebp+var_C], eax
		xor	esi, esi
		call	_EmpInfParseGetSectionLineCount@8 ; EmpInfParseGetSectionLineCount(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_ABD5D9
		mov	eax, _EmpStringTable
		mov	[ebp+var_4], eax
		push	edi
		push	74694D45h
		test	eax, eax
		jnz	loc_AE380E
		mov	edi, ebx
		shl	edi, 2
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_EmpStringTable, eax
		test	eax, eax
		jz	loc_ABD5DD
		push	edi		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_ABD542:				; CODE XREF: EmpParseStrings+2638Ej
		xor	edi, edi
		test	ebx, ebx
		jz	loc_ABD5D2

loc_ABD54C:				; CODE XREF: EmpParseStrings+EAj
		mov	ecx, [ebp+var_C]
		mov	edx, offset ??_C@_07BJOIOONN@Strings@PBOPGDP@
		push	0
		push	edi
		call	_CmpGetSectionLineIndex@16 ; CmpGetSectionLineIndex(x,x,x,x)
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_ABD5CA
		mov	ecx, eax
		lea	edx, [ecx+1]

loc_ABD568:				; CODE XREF: EmpParseStrings+8Bj
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_ABD568
		sub	ecx, edx
		push	74694D45h
		lea	eax, [ecx+1]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, _EmpNumberOfStrings
		mov	esi, eax
		mov	eax, _EmpStringTable
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], ecx
		mov	[eax+ecx*4], esi
		test	esi, esi
		jz	short loc_ABD5DD
		mov	ecx, [ebp+var_8]
		mov	edx, ecx
		lea	eax, [edx+1]
		mov	[ebp+var_8], eax

loc_ABD5A6:				; CODE XREF: EmpParseStrings+C9j
		mov	al, [edx]
		inc	edx
		test	al, al
		jnz	short loc_ABD5A6
		sub	edx, [ebp+var_8]
		push	ecx
		inc	edx
		mov	ecx, esi
		call	_RtlStringCchCopyA@12 ;	RtlStringCchCopyA(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE3875
		inc	_EmpNumberOfStrings

loc_ABD5C9:				; CODE XREF: EmpParseStrings+263A8j
		inc	edi

loc_ABD5CA:				; CODE XREF: EmpParseStrings+7Fj
		cmp	edi, ebx
		jb	loc_ABD54C

loc_ABD5D2:				; CODE XREF: EmpParseStrings+64j
					; EmpParseStrings+100j
		pop	edi

loc_ABD5D3:				; CODE XREF: EmpParseStrings+F9j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_ABD5D9:				; CODE XREF: EmpParseStrings+1Fj
		xor	esi, esi
		jmp	short loc_ABD5D3
; 

loc_ABD5DD:				; CODE XREF: EmpParseStrings+4Fj
					; EmpParseStrings+B7j ...
		mov	esi, 0C000009Ah
		jmp	short loc_ABD5D2
EmpParseStrings	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall EmpInfParseGetGuidFromName(int,int,char *,int)
_EmpInfParseGetGuidFromName@16 proc near ; CODE	XREF: EmpParseCallbacks+97p
					; EmpParseCallbacks+182p ...

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		xor	ebx, ebx
		push	edi
		push	4Eh
		lea	edi, [ebp+var_58]
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], edi
		pop	edi
		push	ebx		; int
		push	ecx		; int
		push	eax		; char *
		mov	[ebp+var_68], ebx
		mov	[ebp+var_64], ebx
		mov	word ptr [ebp+var_60+2], di
		call	_EmpInfParseGetValueFromSectionAndKeyName@20 ; EmpInfParseGetValueFromSectionAndKeyName(x,x,x,x,x)
		test	eax, eax
		jz	short loc_ABD65A
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	ebx
		lea	eax, [ebp+var_68]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	short loc_ABD649
		push	esi
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)

loc_ABD649:				; CODE XREF: EmpInfParseGetGuidFromName(x,x,x,x)+59j
					; EmpInfParseGetGuidFromName(x,x,x,x)+7Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_ABD65A:				; CODE XREF: EmpInfParseGetGuidFromName(x,x,x,x)+3Dj
		mov	eax, 0C0000225h
		jmp	short loc_ABD649
_EmpInfParseGetGuidFromName@16 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall EmpInfParseGetSectionLineCount(x, x)
_EmpInfParseGetSectionLineCount@8 proc near ; CODE XREF: EmpParseEntryTypes+3Bp
					; EmpParseCallbacks+2Ap ...
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	ebx, ecx
		xor	esi, esi

loc_ABD66D:				; CODE XREF: EmpInfParseGetSectionLineCount(x,x)+26j
		mov	edx, edi
		mov	ecx, ebx
		call	_CmpSearchSectionByName@8 ; CmpSearchSectionByName(x,x)
		test	eax, eax
		jz	short loc_ABD68A
		mov	edx, esi
		mov	ecx, eax
		call	_CmpSearchLineInSectionByIndex@8 ; CmpSearchLineInSectionByIndex(x,x)
		test	eax, eax
		jz	short loc_ABD68A
		inc	esi
		jmp	short loc_ABD66D
; 

loc_ABD68A:				; CODE XREF: EmpInfParseGetSectionLineCount(x,x)+16j
					; EmpInfParseGetSectionLineCount(x,x)+23j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn
_EmpInfParseGetSectionLineCount@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpParseTargetRules proc near		; CODE XREF: EmpParseInfDatabase+89p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE388F SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		mov	ebx, ecx
		mov	edx, offset ??_C@_0O@GODDGPD@TargetRuleDef@PBOPGDP@ ; "TargetRuleDef"
		mov	[ebp+var_18], ebx
		xor	esi, esi
		stosd
		stosd
		stosd
		call	_EmpInfParseGetSectionLineCount@8 ; EmpInfParseGetSectionLineCount(x,x)
		mov	ecx, eax
		mov	[ebp+var_34], ecx
		test	ecx, ecx
		jz	loc_ABD846
		xor	eax, eax
		mov	[ebp+var_24], eax
		test	ecx, ecx
		jz	loc_ABD828

loc_ABD6D9:				; CODE XREF: EmpParseTargetRules+192j
		push	eax
		mov	edx, offset ??_C@_0O@GODDGPD@TargetRuleDef@PBOPGDP@ ; "TargetRuleDef"
		mov	ecx, ebx
		xor	esi, esi
		call	_CmpGetKeyName@12 ; CmpGetKeyName(x,x,x)
		test	eax, eax
		jz	loc_ABD818
		lea	ecx, [ebp+var_14]
		mov	edx, offset ??_C@_0BA@BBPLJNBJ@RuleNameGuidDef@PBOPGDP@	; "RuleNameGuidDef"
		push	ecx		; int
		push	eax		; char *
		mov	ecx, ebx	; int
		call	_EmpInfParseGetGuidFromName@16 ; EmpInfParseGetGuidFromName(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_30], esi
		test	esi, esi
		js	loc_ABD818
		lea	ecx, [ebp+var_14] ; void *
		call	_EmpSearchRuleDatabase@4 ; EmpSearchRuleDatabase(x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_ABD815
		mov	ecx, [ebx+20h]
		xor	edi, edi
		and	[ebp+var_20], edi
		add	ecx, [ebx+24h]
		jz	loc_ABD7E2
		push	[ebp+var_24]
		mov	ecx, [ebp+var_18]
		mov	edx, offset ??_C@_0O@GODDGPD@TargetRuleDef@PBOPGDP@ ; "TargetRuleDef"
		call	_CmpGetSectionLineIndexValueCount@12 ; CmpGetSectionLineIndexValueCount(x,x,x)
		mov	edi, eax
		mov	[ebp+var_2C], edi
		test	edi, edi
		jz	loc_ABD815
		mov	ecx, ebx
		call	_EmpSearchTargetRuleList@4 ; EmpSearchTargetRuleList(x)
		mov	ecx, [ebx+20h]
		add	ecx, [ebx+24h]
		imul	ecx, edi
		mov	[ebp+var_1C], eax
		push	74694D45h
		test	eax, eax
		jnz	loc_AE388F
		mov	eax, ecx
		mov	[ebp+var_28], ecx
		shl	eax, 2
		push	eax
		push	1
		mov	[ebp+var_1C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AE38EA
		push	[ebp+var_1C]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_ABD799:				; CODE XREF: EmpParseTargetRules+26255j
		xor	eax, eax
		mov	[ebp+var_1C], eax
		cmp	[ebp+var_2C], eax
		jbe	short loc_ABD7DC
		mov	esi, [ebp+var_24]

loc_ABD7A6:				; CODE XREF: EmpParseTargetRules+147j
		mov	ecx, [ebp+var_18]
		mov	edx, offset ??_C@_0O@GODDGPD@TargetRuleDef@PBOPGDP@ ; "TargetRuleDef"
		push	eax
		push	esi
		call	_CmpGetSectionLineIndex@16 ; CmpGetSectionLineIndex(x,x,x,x)
		lea	ecx, [ebp+var_20]
		mov	edx, eax
		push	ecx
		push	[ebp+var_28]
		mov	ecx, [ebp+var_18]
		push	edi
		push	dword ptr [ebx+24h]
		push	dword ptr [ebx+20h]
		call	EmpParseTargetRuleStringIndexList
		mov	eax, [ebp+var_1C]
		inc	eax
		mov	[ebp+var_1C], eax
		cmp	eax, [ebp+var_2C]
		jb	short loc_ABD7A6
		mov	esi, [ebp+var_30]

loc_ABD7DC:				; CODE XREF: EmpParseTargetRules+111j
		cmp	[ebp+var_20], 0
		jz	short loc_ABD839

loc_ABD7E2:				; CODE XREF: EmpParseTargetRules+9Bj
		push	74694D45h
		push	14h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_20]
		and	dword ptr [eax], 0
		inc	_EmpNumberOfTargetRules
		mov	[eax+0Ch], ecx
		lea	ecx, [eax+10h]
		mov	[eax+4], ebx
		mov	[eax+8], edi
		mov	eax, _EmpTargetRuleListHead
		mov	[ecx], eax
		mov	_EmpTargetRuleListHead,	ecx

loc_ABD815:				; CODE XREF: EmpParseTargetRules+8Aj
					; EmpParseTargetRules+B8j ...
		mov	ebx, [ebp+var_18]

loc_ABD818:				; CODE XREF: EmpParseTargetRules+5Aj
					; EmpParseTargetRules+78j
		mov	eax, [ebp+var_24]
		inc	eax
		mov	[ebp+var_24], eax
		cmp	eax, [ebp+var_34]
		jb	loc_ABD6D9

loc_ABD828:				; CODE XREF: EmpParseTargetRules+43j
					; EmpParseTargetRules+1B8j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_ABD839:				; CODE XREF: EmpParseTargetRules+150j
		push	74694D45h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_ABD815
; 

loc_ABD846:				; CODE XREF: EmpParseTargetRules+36j
		xor	esi, esi
		jmp	short loc_ABD828
EmpParseTargetRules endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EmpParseTargetRuleStringIndexList proc near ; CODE XREF: EmpParseTargetRules+138p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00AE38F4 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		xor	eax, eax
		mov	[ebp+var_28], ecx
		and	[ebp+var_10], eax
		xor	ecx, ecx
		push	ebx
		mov	[ebp+var_4], eax
		xor	bl, bl
		mov	eax, [ebp+arg_10]
		push	esi
		mov	esi, edx
		mov	[ebp+var_8], ecx
		xor	edx, edx
		push	edi
		mov	edi, [eax]
		mov	eax, ecx
		mov	[ebp+var_C], edx
		mov	[ebp+var_14], edi
		cmp	[ebp+arg_8], ecx
		jz	loc_ABDA10
		mov	edx, [ebp+arg_8]
		lea	edx, [edx+edi*4]
		mov	[ebp+var_18], edx
		mov	edx, eax

loc_ABD88C:				; CODE XREF: EmpParseTargetRuleStringIndexList+72j
					; EmpParseTargetRuleStringIndexList+148j ...
		test	bl, bl
		jnz	loc_ABD9F2
		sub	eax, 0
		jz	loc_ABD9B8
		sub	eax, 1
		jz	short loc_ABD8BE
		sub	eax, 1
		jnz	loc_ABD9CB
		mov	al, [esi]
		cmp	al, 2Eh
		jnz	loc_ABD9FC

loc_ABD8B5:				; CODE XREF: EmpParseTargetRuleStringIndexList+171j
		xor	eax, eax
		inc	esi
		inc	eax

loc_ABD8B9:				; CODE XREF: EmpParseTargetRuleStringIndexList+1BAj
		mov	[ebp+var_4], eax
		jmp	short loc_ABD88C
; 

loc_ABD8BE:				; CODE XREF: EmpParseTargetRuleStringIndexList+56j
		cmp	byte ptr [esi],	7Dh
		jz	loc_ABDA00
		cmp	ecx, [ebp+arg_0]
		ja	loc_ABDA14
		cmp	edx, [ebp+arg_4]
		ja	loc_ABDA14
		lea	eax, [edx+ecx]
		add	eax, edi
		mov	[ebp+var_2C], eax
		cmp	eax, [ebp+arg_C]
		jnb	loc_ABDA14
		mov	edi, esi
		mov	[ebp+var_20], edi

loc_ABD8EF:				; CODE XREF: EmpParseTargetRuleStringIndexList+BCj
		movsx	eax, byte ptr [esi]
		push	eax		; int
		push	offset ??_C@_02KIPMEKLM@?4?$HN@PBOPGDP@	; char *
		call	_strchr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_ABD908
		add	esi, 1
		jnz	short loc_ABD8EF

loc_ABD908:				; CODE XREF: EmpParseTargetRuleStringIndexList+B7j
		mov	eax, esi
		sub	eax, edi
		mov	[ebp+var_1C], eax
		add	eax, 1
		mov	[ebp+var_24], eax
		jz	loc_AE38F4
		push	74694D45h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AE38F4
		push	[ebp+var_1C]
		mov	edx, [ebp+var_24]
		mov	ecx, edi
		push	[ebp+var_20]
		call	RtlStringCbCopyNA
		test	eax, eax
		js	loc_AE38F4
		mov	eax, [ebp+arg_0]
		cmp	[ebp+var_8], eax
		lea	eax, [ebp+var_10]
		push	eax
		jb	short loc_ABD997
		push	10h
		push	edi
		call	RtlCharToInteger
		test	eax, eax
		js	loc_ABDA09
		mov	ecx, [ebp+var_2C]
		mov	edx, [ebp+arg_8]
		mov	eax, [ebp+var_10]
		inc	[ebp+var_C]
		mov	[edx+ecx*4], eax

loc_ABD975:				; CODE XREF: EmpParseTargetRuleStringIndexList+16Cj
		push	2
		pop	eax
		mov	[ebp+var_4], eax

loc_ABD97B:				; CODE XREF: EmpParseTargetRuleStringIndexList+1C1j
		push	74694D45h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABD986:				; CODE XREF: EmpParseTargetRuleStringIndexList+260ACj
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		mov	edx, [ebp+var_C]
		mov	edi, [ebp+var_14]
		jmp	loc_ABD88C	; int
; 

loc_ABD997:				; CODE XREF: EmpParseTargetRuleStringIndexList+10Aj
		mov	ecx, [ebp+var_28] ; int
		mov	edx, edi	; char *
		call	_EmpInfParseGetStringIndexFromName@12 ;	EmpInfParseGetStringIndexFromName(x,x,x)
		test	eax, eax
		js	short loc_ABDA09
		mov	ecx, [ebp+var_18]
		mov	eax, [ebp+var_10]
		inc	[ebp+var_8]
		mov	[ecx], eax
		add	ecx, 4
		mov	[ebp+var_18], ecx
		jmp	short loc_ABD975
; 

loc_ABD9B8:				; CODE XREF: EmpParseTargetRuleStringIndexList+4Dj
		cmp	byte ptr [esi],	7Bh
		jz	loc_ABD8B5

loc_ABD9C1:				; CODE XREF: EmpParseTargetRuleStringIndexList+190j
					; EmpParseTargetRuleStringIndexList+195j ...
		mov	eax, [ebp+var_4]
		mov	bl, 1
		jmp	loc_ABD88C
; 

loc_ABD9CB:				; CODE XREF: EmpParseTargetRuleStringIndexList+5Bj
		sub	eax, 1
		mov	eax, [ebp+var_4]
		jnz	loc_ABD88C
		cmp	byte ptr [esi],	0
		jnz	short loc_ABD9C1
		cmp	ecx, [ebp+arg_0]
		jnz	short loc_ABD9C1
		cmp	edx, [ebp+arg_4]
		jnz	short loc_ABD9C1
		lea	eax, [edx+ecx]
		mov	ecx, [ebp+arg_10]
		add	eax, edi
		mov	[ecx], eax

loc_ABD9F0:				; CODE XREF: EmpParseTargetRuleStringIndexList+1CCj
		test	bl, bl

loc_ABD9F2:				; CODE XREF: EmpParseTargetRuleStringIndexList+44j
		setz	al

loc_ABD9F5:				; CODE XREF: EmpParseTargetRuleStringIndexList+1C8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_ABD9FC:				; CODE XREF: EmpParseTargetRuleStringIndexList+65j
		cmp	al, 7Dh
		jnz	short loc_ABD9C1

loc_ABDA00:				; CODE XREF: EmpParseTargetRuleStringIndexList+77j
		push	3
		inc	esi
		pop	eax
		jmp	loc_ABD8B9
; 

loc_ABDA09:				; CODE XREF: EmpParseTargetRuleStringIndexList+116j
					; EmpParseTargetRuleStringIndexList+159j
		mov	bl, 1
		jmp	loc_ABD97B
; 

loc_ABDA10:				; CODE XREF: EmpParseTargetRuleStringIndexList+31j
		xor	al, al
		jmp	short loc_ABD9F5
; 

loc_ABDA14:				; CODE XREF: EmpParseTargetRuleStringIndexList+80j
					; EmpParseTargetRuleStringIndexList+89j ...
		mov	bl, 1
		jmp	short loc_ABD9F0
EmpParseTargetRuleStringIndexList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall EmpInfParseGetStringIndexFromName(int,char *,int)
_EmpInfParseGetStringIndexFromName@12 proc near
					; CODE XREF: EmpParseTargetRuleStringIndexList+152p

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		push	ebx		; int
		push	ecx		; int
		push	edx		; char *
		mov	edx, offset ??_C@_07BJOIOONN@Strings@PBOPGDP@
		call	_EmpInfParseGetValueFromSectionAndKeyName@20 ; EmpInfParseGetValueFromSectionAndKeyName(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_ABDAA5
		mov	ecx, ebx
		mov	[ebp+var_1], bl
		cmp	_EmpNumberOfStrings, ecx
		jz	short loc_ABDA8B

loc_ABDA42:				; CODE XREF: EmpInfParseGetStringIndexFromName(x,x,x)+6Bj
		mov	eax, _EmpStringTable
		mov	edx, esi
		mov	eax, [eax+ecx*4]

loc_ABDA4C:				; CODE XREF: EmpInfParseGetStringIndexFromName(x,x,x)+5Cj
		mov	bl, [eax]
		cmp	bl, [edx]
		push	0
		mov	[ebp+var_2], bl
		pop	ebx
		jnz	short loc_ABDA9E
		cmp	[ebp+var_2], bl
		jz	short loc_ABDA76
		mov	bl, [eax+1]
		cmp	bl, [edx+1]
		push	0
		mov	[ebp+var_2], bl
		pop	ebx
		jnz	short loc_ABDA9E
		add	eax, 2
		add	edx, 2
		cmp	[ebp+var_2], bl
		jnz	short loc_ABDA4C

loc_ABDA76:				; CODE XREF: EmpInfParseGetStringIndexFromName(x,x,x)+43j
		mov	eax, ebx

loc_ABDA78:				; CODE XREF: EmpInfParseGetStringIndexFromName(x,x,x)+8Bj
		test	eax, eax
		jz	short loc_ABDA87
		inc	ecx
		cmp	ecx, _EmpNumberOfStrings
		jb	short loc_ABDA42
		jmp	short loc_ABDA8B
; 

loc_ABDA87:				; CODE XREF: EmpInfParseGetStringIndexFromName(x,x,x)+62j
		mov	[ebp+var_1], 1

loc_ABDA8B:				; CODE XREF: EmpInfParseGetStringIndexFromName(x,x,x)+28j
					; EmpInfParseGetStringIndexFromName(x,x,x)+6Dj
		mov	eax, [ebp+arg_0]
		mov	[eax], ecx
		cmp	[ebp+var_1], 0
		jz	short loc_ABDAA5

loc_ABDA96:				; CODE XREF: EmpInfParseGetStringIndexFromName(x,x,x)+92j
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn	4
; 

loc_ABDA9E:				; CODE XREF: EmpInfParseGetStringIndexFromName(x,x,x)+3Ej
					; EmpInfParseGetStringIndexFromName(x,x,x)+51j
		sbb	eax, eax
		or	eax, 1
		jmp	short loc_ABDA78
; 

loc_ABDAA5:				; CODE XREF: EmpInfParseGetStringIndexFromName(x,x,x)+1Bj
					; EmpInfParseGetStringIndexFromName(x,x,x)+7Cj
		mov	ebx, 0C0000225h
		jmp	short loc_ABDA96
_EmpInfParseGetStringIndexFromName@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetSectionLineIndex(x, x, x, x)
_CmpGetSectionLineIndex@16 proc	near	; CODE XREF: EmpParseEntryTypes+55p
					; EmpParseCallbacks+C9p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		call	_CmpSearchSectionByName@8 ; CmpSearchSectionByName(x,x)
		test	eax, eax
		jz	short loc_ABDAE8
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		call	_CmpSearchLineInSectionByIndex@8 ; CmpSearchLineInSectionByIndex(x,x)
		test	eax, eax
		jz	short loc_ABDAE8
		mov	edx, [ebp+arg_4]
		mov	ecx, eax
		call	_CmpSearchValueInLine@8	; CmpSearchValueInLine(x,x)
		test	eax, eax
		jz	short loc_ABDAE8
		mov	edx, [eax+4]
		mov	ecx, esi
		call	CmpProcessForSimpleStringSub

loc_ABDAE3:				; CODE XREF: CmpGetSectionLineIndex(x,x,x,x)+3Ej
		pop	esi
		pop	ebp
		retn	8
; 

loc_ABDAE8:				; CODE XREF: CmpGetSectionLineIndex(x,x,x,x)+Fj
					; CmpGetSectionLineIndex(x,x,x,x)+1Dj ...
		xor	eax, eax
		jmp	short loc_ABDAE3
_CmpGetSectionLineIndex@16 endp


;  S U B	R O U T	I N E 


; __stdcall CmpSearchValueInLine(x, x)
_CmpSearchValueInLine@8	proc near	; CODE XREF: CmpGetSectionLineIndex(x,x,x,x)+24p
		xor	eax, eax
		test	ecx, ecx
		jz	short locret_ABDAFD
		push	esi
		mov	esi, eax
		mov	eax, [ecx+8]
		test	edx, edx
		jnz	short loc_ABDAFE

loc_ABDAFC:				; CODE XREF: CmpSearchValueInLine(x,x)+14j
		pop	esi

locret_ABDAFD:				; CODE XREF: CmpSearchValueInLine(x,x)+4j
		retn
; 

loc_ABDAFE:				; CODE XREF: CmpSearchValueInLine(x,x)+Ej
					; CmpSearchValueInLine(x,x)+1Bj
		test	eax, eax
		jz	short loc_ABDAFC
		mov	eax, [eax]
		inc	esi
		cmp	esi, edx
		jb	short loc_ABDAFE
		pop	esi
		retn
_CmpSearchValueInLine@8	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	EmpInfParseGetValueFromSectionAndKeyName(char *,int,int)
_EmpInfParseGetValueFromSectionAndKeyName@20 proc near
					; CODE XREF: EmpParseRuleExpression+38p
					; EmpInfParseGetGuidFromName(x,x,x,x)+36p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	eax, edx
		mov	[ebp+var_8], ecx
		xor	edi, edi
		mov	[ebp+var_4], eax
		mov	esi, edi

loc_ABDB22:				; CODE XREF: EmpInfParseGetValueFromSectionAndKeyName(x,x,x,x,x)+4Fj
		push	esi
		mov	edx, eax
		call	_CmpGetKeyName@12 ; CmpGetKeyName(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_ABDB50
		mov	ecx, [ebp+arg_0]
		lea	edx, [ecx+1]

loc_ABDB36:				; CODE XREF: EmpInfParseGetValueFromSectionAndKeyName(x,x,x,x,x)+2Fj
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_ABDB36
		sub	ecx, edx
		push	ecx		; size_t
		push	[ebp+arg_0]	; char *
		push	ebx		; char *
		call	__strnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_ABDB5D

loc_ABDB50:				; CODE XREF: EmpInfParseGetValueFromSectionAndKeyName(x,x,x,x,x)+22j
		inc	esi
		test	ebx, ebx
		jz	short loc_ABDB73
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		jmp	short loc_ABDB22
; 

loc_ABDB5D:				; CODE XREF: EmpInfParseGetValueFromSectionAndKeyName(x,x,x,x,x)+42j
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+var_8]
		push	edi
		push	esi
		call	_CmpGetSectionLineIndex@16 ; CmpGetSectionLineIndex(x,x,x,x)
		mov	ecx, [ebp+arg_8]
		mov	edi, eax
		test	ecx, ecx
		jnz	short loc_ABDB7C

loc_ABDB73:				; CODE XREF: EmpInfParseGetValueFromSectionAndKeyName(x,x,x,x,x)+47j
					; EmpInfParseGetValueFromSectionAndKeyName(x,x,x,x,x)+72j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_ABDB7C:				; CODE XREF: EmpInfParseGetValueFromSectionAndKeyName(x,x,x,x,x)+65j
		mov	[ecx], esi
		jmp	short loc_ABDB73
_EmpInfParseGetValueFromSectionAndKeyName@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetKeyName(x, x,	x)
_CmpGetKeyName@12 proc near		; CODE XREF: EmpParseCallbacks+45p
					; EmpParseRules+47p ...

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		call	_CmpSearchSectionByName@8 ; CmpSearchSectionByName(x,x)
		test	eax, eax
		jz	short loc_ABDBA3
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		call	_CmpSearchLineInSectionByIndex@8 ; CmpSearchLineInSectionByIndex(x,x)
		test	eax, eax
		jz	short loc_ABDBA3
		mov	eax, [eax+4]

loc_ABDB9F:				; CODE XREF: CmpGetKeyName(x,x,x)+25j
		pop	ebp
		retn	4
; 

loc_ABDBA3:				; CODE XREF: CmpGetKeyName(x,x,x)+Cj
					; CmpGetKeyName(x,x,x)+1Aj
		xor	eax, eax
		jmp	short loc_ABDB9F
_CmpGetKeyName@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpSearchLineInSectionByIndex(x, x)
_CmpSearchLineInSectionByIndex@8 proc near
					; CODE XREF: CmpGetSectionLineIndexValueCount(x,x,x)+16p
					; EmpInfParseGetSectionLineCount(x,x)+1Cp ...
		test	ecx, ecx
		jz	short loc_ABDBCD
		mov	eax, [ecx+8]
		push	esi
		xor	esi, esi
		test	edx, edx
		jz	short loc_ABDBCB
		mov	edi, edi

loc_ABDBC0:				; CODE XREF: CmpSearchLineInSectionByIndex(x,x)+19j
		test	eax, eax
		jz	short loc_ABDBCB
		mov	eax, [eax]
		inc	esi
		cmp	esi, edx
		jb	short loc_ABDBC0

loc_ABDBCB:				; CODE XREF: CmpSearchLineInSectionByIndex(x,x)+Cj
					; CmpSearchLineInSectionByIndex(x,x)+12j
		pop	esi
		retn
; 

loc_ABDBCD:				; CODE XREF: CmpSearchLineInSectionByIndex(x,x)+2j
		xor	eax, eax
		retn
_CmpSearchLineInSectionByIndex@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSearchSectionByName(x, x)
_CmpSearchSectionByName@8 proc near	; CODE XREF: CmpGetSectionLineIndexValueCount(x,x,x)+8p
					; EmpInfParseGetSectionLineCount(x,x)+Fp ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_4], edx
		xor	esi, esi
		test	ebx, ebx
		jz	short loc_ABDC11
		test	edx, edx
		jz	short loc_ABDC11
		push	edi
		mov	edi, [ebx+4]
		mov	esi, edi
		mov	[ebp+var_8], edi
		test	edi, edi
		jz	short loc_ABDC22
		mov	edi, edx

loc_ABDBF7:				; CODE XREF: CmpSearchSectionByName(x,x)+4Bj
		push	edi		; char *
		push	dword ptr [esi+4] ; char *
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_ABDC17

loc_ABDC06:				; CODE XREF: CmpSearchSectionByName(x,x)+4Dj
		mov	edi, [ebp+var_8]
		test	esi, esi
		jz	short loc_ABDC1F

loc_ABDC0D:				; CODE XREF: CmpSearchSectionByName(x,x)+76j
		mov	[ebx+4], esi

loc_ABDC10:				; CODE XREF: CmpSearchSectionByName(x,x)+78j
		pop	edi

loc_ABDC11:				; CODE XREF: CmpSearchSectionByName(x,x)+12j
					; CmpSearchSectionByName(x,x)+16j
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_ABDC17:				; CODE XREF: CmpSearchSectionByName(x,x)+34j
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_ABDBF7
		jmp	short loc_ABDC06
; 

loc_ABDC1F:				; CODE XREF: CmpSearchSectionByName(x,x)+3Bj
		mov	edx, [ebp+var_4]

loc_ABDC22:				; CODE XREF: CmpSearchSectionByName(x,x)+23j
		mov	esi, [ebx]

loc_ABDC24:				; CODE XREF: CmpSearchSectionByName(x,x)+7Fj
		test	esi, esi
		jz	short loc_ABDC40
		cmp	esi, edi
		jz	short loc_ABDC51
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_ABDC4A
		push	edx		; char *
		push	eax		; char *
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_ABDC4A

loc_ABDC40:				; CODE XREF: CmpSearchSectionByName(x,x)+56j
		cmp	esi, edi
		jz	short loc_ABDC51

loc_ABDC44:				; CODE XREF: CmpSearchSectionByName(x,x)+83j
		test	esi, esi
		jnz	short loc_ABDC0D
		jmp	short loc_ABDC10
; 

loc_ABDC4A:				; CODE XREF: CmpSearchSectionByName(x,x)+61j
					; CmpSearchSectionByName(x,x)+6Ej
		mov	esi, [esi]
		mov	edx, [ebp+var_4]
		jmp	short loc_ABDC24
; 

loc_ABDC51:				; CODE XREF: CmpSearchSectionByName(x,x)+5Aj
					; CmpSearchSectionByName(x,x)+72j
		xor	esi, esi
		jmp	short loc_ABDC44
_CmpSearchSectionByName@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


CmpProcessForSimpleStringSub proc near	; CODE XREF: CmpGetSectionLineIndex(x,x,x,x)+32p

; FUNCTION CHUNK AT 00AE38FB SIZE 00000055 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, edx
		push	edi
		mov	edi, ebx
		lea	edx, [edi+1]

loc_ABDC61:				; CODE XREF: CmpProcessForSimpleStringSub+10j
		mov	al, [edi]
		inc	edi
		test	al, al
		jnz	short loc_ABDC61
		sub	edi, edx
		cmp	byte ptr [ebx],	25h
		jz	short loc_ABDC74

loc_ABDC6F:				; CODE XREF: CmpProcessForSimpleStringSub+21j
					; CmpProcessForSimpleStringSub+28j ...
		pop	edi
		mov	eax, ebx
		pop	ebx
		retn
; 

loc_ABDC74:				; CODE XREF: CmpProcessForSimpleStringSub+17j
		cmp	edi, 2
		jbe	short loc_ABDC6F
		cmp	byte ptr [edi+ebx-1], 25h
		jnz	short loc_ABDC6F
		jmp	loc_AE38FB
CmpProcessForSimpleStringSub endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EmpRuleParserStackPush(x, x, x, x, x)
_EmpRuleParserStackPush@20 proc	near	; CODE XREF: EmpParseRuleExpression+195p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		push	74734D45h
		push	14h
		push	1
		mov	edi, edx
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short loc_ABDCC4
		mov	ecx, [ebp+arg_0]
		mov	[eax+4], ecx
		mov	ecx, [ebp+arg_4]
		mov	[eax+8], ecx
		mov	ecx, [ebp+arg_8]
		mov	[eax+0Ch], ecx
		lea	ecx, [eax+10h]
		mov	[eax], edi
		mov	eax, [esi+4]
		mov	[ecx], eax
		inc	dword ptr [esi]
		mov	[esi+4], ecx

loc_ABDCC4:				; CODE XREF: EmpRuleParserStackPush(x,x,x,x,x)+1Bj
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_EmpRuleParserStackPush@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EmpRuleParserStackPop(x, x,	x, x, x)
_EmpRuleParserStackPop@20 proc near	; CODE XREF: EmpParseRuleExpression+1E9p
					; EmpParseRuleExpression+384p ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, edx
		mov	edx, [ecx+4]
		test	edx, edx
		jz	short loc_ABDD11
		mov	eax, [edx]
		add	edx, 0FFFFFFF0h
		mov	[ecx+4], eax
		dec	dword ptr [ecx]
		mov	eax, [ebp+arg_0]
		mov	ecx, [edx+4]
		push	74734D45h
		push	edx
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		mov	ecx, [edx+8]
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	ecx, [edx+0Ch]
		mov	[eax], ecx
		mov	eax, [edx]
		mov	[esi], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, 1

loc_ABDD0C:				; CODE XREF: EmpRuleParserStackPop(x,x,x,x,x)+49j
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_ABDD11:				; CODE XREF: EmpRuleParserStackPop(x,x,x,x,x)+Dj
		xor	al, al
		jmp	short loc_ABDD0C
_EmpRuleParserStackPop@20 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall EmpInfParseSearchDependencyList(x, x)
_EmpInfParseSearchDependencyList@8 proc	near ; CODE XREF: EmpParseRuleExpression+15Ap
					; EmpParseRuleExpression+25Cp ...
		mov	eax, [ecx]
		push	ebx
		xor	bl, bl

loc_ABDD1B:				; CODE XREF: EmpInfParseSearchDependencyList(x,x)+10j
		test	eax, eax
		jz	short loc_ABDD2A
		cmp	[eax-4], edx
		jz	short loc_ABDD28
		mov	eax, [eax]
		jmp	short loc_ABDD1B
; 

loc_ABDD28:				; CODE XREF: EmpInfParseSearchDependencyList(x,x)+Cj
		mov	bl, 1

loc_ABDD2A:				; CODE XREF: EmpInfParseSearchDependencyList(x,x)+7j
		mov	al, bl
		pop	ebx
		retn
_EmpInfParseSearchDependencyList@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall EmpParseRuleTermArgMapping(char *,int,int,int,int)
EmpParseRuleTermArgMapping proc	near	; CODE XREF: EmpParseRuleTerm+D0p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00AE3950 SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	[ebp+var_C], edx
		xor	eax, eax
		mov	edx, [ebp+arg_0]
		add	edx, [ebp+arg_4]
		add	edx, [ebp+arg_8]
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_18], edx
		and	[ebp+var_10], esi
		xor	edx, edx
		push	edi
		xor	bh, bh
		mov	[ebp+var_8], ecx
		xor	bl, bl
		mov	[ebp+var_1C], esi
		xor	edi, edi
		mov	[ebp+var_14], eax
		mov	[ebp+var_4], edx
		cmp	[ebp+var_C], eax
		jz	loc_AE3950

loc_ABDD6C:				; CODE XREF: EmpParseRuleTermArgMapping+B3j
		test	bl, bl
		jnz	short loc_ABDDE5
		cmp	edi, 9		; switch 10 cases
		ja	short loc_ABDDD5 ; default
		jmp	ds:off_ABDF46[edi*4] ; switch jump

loc_ABDD7C:				; DATA XREF: INIT:off_ABDF46o
		cmp	byte ptr [ecx],	29h ; case 0x1
		jz	loc_ABDF08
		cmp	esi, [ebp+var_18]
		jnb	loc_ABDF34
		push	0Ah		; int
		lea	eax, [ebp+var_4]
		push	eax		; char **
		push	ecx		; char *
		call	_strtoul
		mov	ecx, [ebp+var_C]
		add	esp, 0Ch
		mov	edx, [ebp+var_4]
		mov	[ecx+esi*4], eax
		mov	ecx, [ebp+var_8]
		cmp	ecx, edx
		jz	loc_ABDF3D
		push	2
		inc	esi
		pop	edi
		mov	[ebp+var_1C], esi

loc_ABDDB8:				; CODE XREF: EmpParseRuleTermArgMapping+111j
					; EmpParseRuleTermArgMapping+18Dj ...
		test	edx, edx
		jz	short loc_ABDDD5 ; default
		mov	ecx, edx
		mov	[ebp+var_8], edx
		xor	edx, edx
		mov	[ebp+var_4], edx
		jmp	short loc_ABDDD9
; 

loc_ABDDC8:				; CODE XREF: EmpParseRuleTermArgMapping+47j
					; DATA XREF: INIT:off_ABDF46o
		mov	al, [ecx]	; case 0x5
		cmp	al, 2Eh
		jnz	loc_ABDE77

loc_ABDDD2:				; CODE XREF: EmpParseRuleTermArgMapping+127j
		push	4

loc_ABDDD4:				; CODE XREF: EmpParseRuleTermArgMapping+144j
					; EmpParseRuleTermArgMapping+14Fj ...
		pop	edi

loc_ABDDD5:				; CODE XREF: EmpParseRuleTermArgMapping+45j
					; EmpParseRuleTermArgMapping+8Cj ...
		inc	ecx		; default
		mov	[ebp+var_8], ecx

loc_ABDDD9:				; CODE XREF: EmpParseRuleTermArgMapping+98j
		mov	esi, [ebp+var_1C]
		mov	eax, [ebp+var_14]
		test	bh, bh
		jz	short loc_ABDD6C
		test	bl, bl

loc_ABDDE5:				; CODE XREF: EmpParseRuleTermArgMapping+40j
		setz	al

loc_ABDDE8:				; CODE XREF: EmpParseRuleTermArgMapping+25C24j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_ABDDEF:				; CODE XREF: EmpParseRuleTermArgMapping+47j
					; DATA XREF: INIT:off_ABDF46o
		mov	al, [ecx]	; case 0x2
		cmp	al, 29h
		jz	loc_ABDEAC
		cmp	al, 2Eh

loc_ABDDFB:				; CODE XREF: EmpParseRuleTermArgMapping+119j
		jnz	short loc_ABDE5B
		xor	edi, edi
		inc	edi
		jmp	short loc_ABDDD5 ; default
; 

loc_ABDE02:				; CODE XREF: EmpParseRuleTermArgMapping+47j
					; DATA XREF: INIT:off_ABDF46o
		cmp	byte ptr [ecx],	29h ; case 0x4
		jz	loc_ABDF30
		add	esi, eax
		cmp	esi, [ebp+var_18]
		jnb	loc_ABDF34
		push	0Ah		; int
		lea	eax, [ebp+var_4]
		push	eax		; char **
		push	ecx		; char *
		call	_strtoul
		mov	ecx, [ebp+var_C]
		add	esp, 0Ch
		mov	edx, [ebp+var_4]
		mov	[ecx+esi*4], eax
		mov	ecx, [ebp+var_8]
		cmp	ecx, edx
		jz	loc_ABDF3D
		inc	[ebp+var_14]
		push	5
		pop	edi
		jmp	loc_ABDDB8
; 

loc_ABDE44:				; CODE XREF: EmpParseRuleTermArgMapping+47j
					; DATA XREF: INIT:off_ABDF46o
		cmp	byte ptr [ecx],	28h ; case 0x0
		jmp	short loc_ABDDFB
; 

loc_ABDE49:				; CODE XREF: EmpParseRuleTermArgMapping+47j
					; DATA XREF: INIT:off_ABDF46o
		mov	al, [ecx]	; case 0x3
		test	al, al
		jz	loc_AE3957
		cmp	al, 28h
		jz	loc_ABDDD2

loc_ABDE5B:				; CODE XREF: EmpParseRuleTermArgMapping:loc_ABDDFBj
					; EmpParseRuleTermArgMapping+140j ...
		mov	bl, 1
		jmp	loc_ABDDD5	; default
; 

loc_ABDE62:				; CODE XREF: EmpParseRuleTermArgMapping+47j
					; DATA XREF: INIT:off_ABDF46o
		mov	al, [ecx]	; case 0x6
		test	al, al
		jz	loc_ABDF0C
		cmp	al, 28h
		jnz	short loc_ABDE5B

loc_ABDE70:				; CODE XREF: EmpParseRuleTermArgMapping+25C3Dj
		push	7
		jmp	loc_ABDDD4
; 

loc_ABDE77:				; CODE XREF: EmpParseRuleTermArgMapping+9Ej
		cmp	al, 29h
		jnz	short loc_ABDE5B
		push	6
		jmp	loc_ABDDD4
; 

loc_ABDE82:				; CODE XREF: EmpParseRuleTermArgMapping+47j
					; DATA XREF: INIT:off_ABDF46o
		cmp	byte ptr [ecx],	0 ; case 0x9
		jnz	short loc_ABDE5B
		cmp	esi, [ebp+arg_0]
		jnz	loc_ABDF3D
		cmp	eax, [ebp+arg_4]
		jnz	loc_ABDF3D
		mov	eax, [ebp+var_10]
		cmp	eax, [ebp+arg_8]
		jnz	loc_ABDF3D

loc_ABDEA5:				; CODE XREF: EmpParseRuleTermArgMapping+1F7j
		mov	bh, 1
		jmp	loc_ABDDD5	; default
; 

loc_ABDEAC:				; CODE XREF: EmpParseRuleTermArgMapping+C5j
		push	3
		jmp	loc_ABDDD4
; 

loc_ABDEB3:				; CODE XREF: EmpParseRuleTermArgMapping+47j
					; DATA XREF: INIT:off_ABDF46o
		cmp	byte ptr [ecx],	29h ; case 0x7
		jnz	short loc_ABDEC0
		push	9

loc_ABDEBA:				; CODE XREF: EmpParseRuleTermArgMapping+1DCj
					; EmpParseRuleTermArgMapping+204j
		pop	edi
		jmp	loc_ABDDB8
; 

loc_ABDEC0:				; CODE XREF: EmpParseRuleTermArgMapping+188j
		add	eax, [ebp+var_10]
		mov	ecx, [ebp+var_8]
		add	esi, eax
		cmp	esi, [ebp+var_18]
		jnb	short loc_ABDF34
		push	0Ah		; int
		lea	eax, [ebp+var_4]
		push	eax		; char **
		push	ecx		; char *
		call	_strtoul
		mov	ecx, [ebp+var_C]
		add	esp, 0Ch
		mov	edx, [ebp+var_4]
		mov	[ecx+esi*4], eax
		mov	ecx, [ebp+var_8]
		cmp	ecx, edx
		jz	short loc_ABDF3D
		inc	[ebp+var_10]
		push	8
		pop	edi
		jmp	loc_ABDDB8
; 

loc_ABDEF7:				; CODE XREF: EmpParseRuleTermArgMapping+47j
					; DATA XREF: INIT:off_ABDF46o
		mov	al, [ecx]	; case 0x8
		cmp	al, 29h
		jnz	loc_AE3969
		push	9
		jmp	loc_ABDDD4
; 

loc_ABDF08:				; CODE XREF: EmpParseRuleTermArgMapping+51j
		push	3
		jmp	short loc_ABDEBA
; 

loc_ABDF0C:				; CODE XREF: EmpParseRuleTermArgMapping+138j
		cmp	esi, [ebp+arg_0]
		jnz	loc_ABDE5B
		mov	eax, [ebp+arg_4]
		cmp	[ebp+var_14], eax

loc_ABDF1B:				; CODE XREF: EmpParseRuleTermArgMapping+25C36j
		jnz	loc_ABDE5B
		cmp	[ebp+arg_8], 0
		jz	loc_ABDEA5
		jmp	loc_ABDE5B
; 

loc_ABDF30:				; CODE XREF: EmpParseRuleTermArgMapping+D7j
		push	6
		jmp	short loc_ABDEBA
; 

loc_ABDF34:				; CODE XREF: EmpParseRuleTermArgMapping+5Aj
					; EmpParseRuleTermArgMapping+E2j ...
		mov	bl, 1
		mov	bh, bl
		jmp	loc_ABDDD5	; default
; 

loc_ABDF3D:				; CODE XREF: EmpParseRuleTermArgMapping+7Dj
					; EmpParseRuleTermArgMapping+105j ...
		mov	bl, 1
		jmp	loc_ABDDB8
EmpParseRuleTermArgMapping endp

; 
		db 8Bh,	0FFh
off_ABDF46	dd offset loc_ABDE44	; DATA XREF: EmpParseRuleTermArgMapping+47r
		dd offset loc_ABDD7C	; jump table for switch	statement
		dd offset loc_ABDDEF
		dd offset loc_ABDE49
		dd offset loc_ABDE02
		dd offset loc_ABDDC8
		dd offset loc_ABDE62
		dd offset loc_ABDEB3
		dd offset loc_ABDEF7
		dd offset loc_ABDE82

;  S U B	R O U T	I N E 


; __stdcall EmpCreateRuleParserStack()
_EmpCreateRuleParserStack@0 proc near	; CODE XREF: EmpParseRuleExpression+4Bp
		push	74734D45h
		push	8
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		test	eax, eax
		jz	short locret_ABDF87
		and	dword ptr [eax], 0
		and	dword ptr [eax+4], 0

locret_ABDF87:				; CODE XREF: EmpCreateRuleParserStack()+10j
		retn
_EmpCreateRuleParserStack@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiAllProcessorsStarted proc near	; CODE XREF: KeStartAllProcessors:loc_ABE80Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE3976 SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		call	KiAdjustSimultaneousMultiThreadingCharacteristics
		mov	ax, ds:_KeNumberNodes
		xor	ecx, ecx
		xor	ebx, ebx
		cmp	cx, ax
		jnb	short loc_ABDFD1

loc_ABDFA6:				; CODE XREF: KiAllProcessorsStarted+47j
		movzx	ecx, bx
		imul	eax, ecx, 140h
		mov	[ebp+var_8], ecx
		lea	esi, _KiNodeInit[eax]
		cmp	ds:_KeNodeBlock[ecx*4],	esi
		jz	loc_AE3976

loc_ABDFC5:				; CODE XREF: KiAllProcessorsStarted+25A09j
					; KiAllProcessorsStarted+25A31j
		mov	ax, ds:_KeNumberNodes
		inc	ebx
		cmp	bx, ax
		jb	short loc_ABDFA6

loc_ABDFD1:				; CODE XREF: KiAllProcessorsStarted+1Cj
		push	10h
		movzx	ecx, ax
		pop	edx
		mov	esi, ecx
		cmp	cx, dx
		jnb	short loc_ABDFEE
		sub	edx, ecx
		lea	edi, _KeNodeBlock[ecx*4]
		movzx	ecx, dx
		xor	eax, eax
		rep stosd

loc_ABDFEE:				; CODE XREF: KiAllProcessorsStarted+54j
		pop	edi
		cmp	esi, 1
		pop	esi
		pop	ebx
		jnz	short loc_ABE023
		mov	eax, ds:_KeNodeBlock
		xor	ecx, ecx
		mov	[eax+88h], cx
		mov	ecx, ds:dword_70E328
		mov	eax, ds:_KeNodeBlock
		mov	[eax+84h], ecx
		mov	ecx, ds:dword_70E328
		mov	eax, ds:_KeNodeBlock
		mov	[eax+48h], ecx

loc_ABE023:				; CODE XREF: KiAllProcessorsStarted+6Cj
		call	_KiConfigureAllSchedulingInformation@0 ; KiConfigureAllSchedulingInformation()
		leave
		retn
KiAllProcessorsStarted endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiConfigureAllSchedulingInformation()
_KiConfigureAllSchedulingInformation@0 proc near
					; CODE XREF: KiAllProcessorsStarted:loc_ABE023p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	edi
		xor	ecx, ecx
		xor	edi, edi
		cmp	cx, ds:_KeNumberNodes
		jnb	short loc_ABE09A
		push	ebx
		push	esi

loc_ABE040:				; CODE XREF: KiConfigureAllSchedulingInformation()+4Ej
		movzx	eax, di
		mov	eax, ds:_KeNodeBlock[eax*4]
		mov	ebx, [eax+84h]
		jmp	short loc_ABE06A
; 

loc_ABE052:				; CODE XREF: KiConfigureAllSchedulingInformation()+42j
		and	[ebp+var_4], 0
		xor	dl, dl
		bsf	esi, ebx
		mov	ecx, ds:_KiProcessorBlock[esi*4]
		call	_KiConfigureSchedulingInformation@8 ; KiConfigureSchedulingInformation(x,x)
		btr	ebx, esi

loc_ABE06A:				; CODE XREF: KiConfigureAllSchedulingInformation()+26j
		test	ebx, ebx
		jnz	short loc_ABE052
		mov	ax, ds:_KeNumberNodes
		inc	edi
		cmp	di, ax
		jb	short loc_ABE040
		xor	ecx, ecx
		cmp	cx, ax
		jnb	short loc_ABE098
		mov	esi, offset _KeNodeBlock
		movzx	edi, ax

loc_ABE089:				; CODE XREF: KiConfigureAllSchedulingInformation()+6Cj
		mov	ecx, [esi]
		call	_KiConfigureNodeSchedulingInformation@4	; KiConfigureNodeSchedulingInformation(x)
		lea	esi, [esi+4]
		sub	edi, 1
		jnz	short loc_ABE089

loc_ABE098:				; CODE XREF: KiConfigureAllSchedulingInformation()+55j
		pop	esi
		pop	ebx

loc_ABE09A:				; CODE XREF: KiConfigureAllSchedulingInformation()+12j
		pop	edi
		leave
		retn
_KiConfigureAllSchedulingInformation@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInitializeIdtGates(x, x, x)
_KiInitializeIdtGates@12 proc near	; CODE XREF: KiSystemStartup(x)+E6p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	ecx, [eax+58h]
		mov	esi, [eax+48h]
		add	ecx, 9000h
		add	esi, ecx
		mov	ecx, [ebp+arg_8]
		push	esi
		push	58h
		lea	edx, [edi+10h]
		call	_KiInitializeFatalTSS@16 ; KiInitializeFatalTSS(x,x,x,x)
		mov	ecx, [ebp+arg_8]
		lea	edx, [edi+40h]
		push	esi
		push	50h
		call	_KiInitializeFatalTSS@16 ; KiInitializeFatalTSS(x,x,x,x)
		mov	ecx, [ebp+arg_8]
		lea	edx, [edi+90h]
		push	esi
		push	0A0h
		call	_KiInitializeFatalTSS@16 ; KiInitializeFatalTSS(x,x,x,x)
		xor	dl, dl
		mov	ecx, edi
		call	_KiInitializeIdt@8 ; KiInitializeIdt(x,x)
		pop	edi
		pop	esi
		pop	ebp
		retn	0Ch
_KiInitializeIdtGates@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInitializeFatalTSS(x, x, x, x)
_KiInitializeFatalTSS@16 proc near	; CODE XREF: KiInitializeIdtGates(x,x,x)+24p
					; KiInitializeIdtGates(x,x,x)+32p ...

arg_0		= word ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		mov	cx, [ebp+arg_0]
		test	edx, edx
		jz	short loc_ABE12B
		xor	eax, eax
		mov	[edx+4], bl
		mov	[edx], ax
		mov	eax, [edx+4]
		and	eax, 0FFFF85FFh
		mov	[edx+2], cx
		or	eax, 8500h
		mov	[edx+4], eax
		mov	[edx+6], bx

loc_ABE12B:				; CODE XREF: KiInitializeFatalTSS(x,x,x,x)+11j
		push	67h
		pop	eax
		movzx	ecx, cx
		shr	ecx, 3
		push	10h
		mov	[esi+ecx*8], ax
		mov	eax, [esi+ecx*8+4]
		and	eax, 0FFFF89FFh
		or	eax, 8900h
		mov	[esi+ecx*8+4], eax
		movzx	edx, byte ptr [esi+ecx*8+7]
		movzx	eax, byte ptr [esi+ecx*8+4]
		mov	[esi+ecx*8+6], bl
		shl	edx, 8
		or	edx, eax
		movzx	eax, word ptr [esi+ecx*8+2]
		pop	ecx
		shl	edx, 10h
		or	edx, eax
		xor	eax, eax
		push	8
		mov	[edx+60h], ax
		mov	dword ptr [edx+64h], 20AC0000h
		mov	[edx+8], cx
		mov	eax, cr3
		mov	[edx+1Ch], eax
		mov	eax, [ebp+arg_4]
		mov	[edx+38h], eax
		mov	[edx+4], eax
		pop	eax
		push	30h
		mov	[edx+4Ch], ax
		pop	eax
		push	23h
		mov	[edx+58h], ax
		pop	eax
		pop	esi
		mov	[edx+24h], ebx
		mov	[edx+50h], cx
		mov	[edx+48h], ax
		mov	[edx+54h], ax
		pop	ebx
		pop	ebp
		retn	8
_KiInitializeFatalTSS@16 endp


;  S U B	R O U T	I N E 


; __stdcall KiInitializeIdt(x, x)
_KiInitializeIdt@8 proc	near		; CODE XREF: KiEnableKvaShadowing(x,x)+86p
					; KiInitializeIdtGates(x,x,x)+4Fp
		mov	edi, edi
		push	ebx
		push	esi
		mov	bl, dl
		xor	esi, esi

loc_ABE1B8:				; CODE XREF: KiInitializeIdt(x,x)+68j
		mov	edx, offset _IDTShadow
		test	bl, bl
		jnz	short loc_ABE1C6
		mov	edx, offset _IDT

loc_ABE1C6:				; CODE XREF: KiInitializeIdt(x,x)+Fj
		cmp	esi, 0Eh
		jle	short loc_ABE21D
		cmp	esi, 12h
		jz	loc_ABE296
		cmp	esi, 29h
		jz	short loc_ABE243
		cmp	esi, 2Bh
		jle	short loc_ABE1EB
		cmp	esi, 2Dh
		jle	short loc_ABE243
		cmp	esi, 80h
		jz	short loc_ABE261

loc_ABE1EB:				; CODE XREF: KiInitializeIdt(x,x)+2Cj
					; KiInitializeIdt(x,x)+86j ...
		mov	ax, [edx+esi*8]
		mov	[ecx+esi*8], ax
		mov	ax, [edx+esi*8+2]
		mov	[ecx+esi*8+6], ax
		mov	ax, [edx+esi*8+6]
		mov	[ecx+esi*8+2], ax
		mov	ax, [edx+esi*8+4]
		mov	[ecx+esi*8+4], ax

loc_ABE211:				; CODE XREF: KiInitializeIdt(x,x)+91j
					; KiInitializeIdt(x,x)+A4j ...
		inc	esi
		cmp	esi, 0FFh
		jle	short loc_ABE1B8
		pop	esi
		pop	ebx
		retn
; 

loc_ABE21D:				; CODE XREF: KiInitializeIdt(x,x)+19j
		cmp	esi, 0Dh
		jge	short loc_ABE243
		mov	eax, esi
		sub	eax, 1
		jz	short loc_ABE243
		sub	eax, 1
		jz	short loc_ABE256
		sub	eax, 1
		jz	short loc_ABE243
		sub	eax, 5
		jnz	short loc_ABE1EB
		mov	eax, [edx+esi*8]
		mov	[ecx-0AC0h], eax
		jmp	short loc_ABE211
; 

loc_ABE243:				; CODE XREF: KiInitializeIdt(x,x)+27j
					; KiInitializeIdt(x,x)+31j ...
		mov	eax, ds:_KeLoaderBlock
		mov	eax, [eax+84h]
		test	byte ptr [eax+54h], 8
		jz	short loc_ABE1EB
		jmp	short loc_ABE211
; 

loc_ABE256:				; CODE XREF: KiInitializeIdt(x,x)+7Cj
		mov	eax, [edx+esi*8]
		mov	[ecx-0B30h], eax
		jmp	short loc_ABE211
; 

loc_ABE261:				; CODE XREF: KiInitializeIdt(x,x)+39j
		mov	eax, [ecx+140h]
		mov	[ecx+400h], eax
		mov	eax, [ecx+144h]
		mov	[ecx+404h], eax
		and	dword ptr [ecx+140h], 0
		and	dword ptr [ecx+144h], 0
		push	8
		pop	eax
		mov	[ecx+142h], ax
		jmp	loc_ABE211
; 

loc_ABE296:				; CODE XREF: KiInitializeIdt(x,x)+1Ej
		mov	eax, [edx+esi*8]
		mov	[ecx-0A50h], eax
		jmp	loc_ABE211
_KiInitializeIdt@8 endp


;  S U B	R O U T	I N E 


; __stdcall KePerformGroupConfiguration(x)
_KePerformGroupConfiguration@4 proc near ; CODE	XREF: Phase1InitializationDiscard(x)+23Ep
		and	ds:byte_711665,	0F9h
		xor	eax, eax
		mov	ds:byte_711664,	0
		mov	word_6D4E28, ax
		call	KiPerformGroupConfiguration
		mov	ecx, offset _ExNode0
		jmp	KiCommitNodeAssignment
_KePerformGroupConfiguration@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiInitializeKernelStacks()
_MiInitializeKernelStacks@0 proc near	; CODE XREF: MiInitNucleus(x):loc_AB58F6p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		mov	edi, large fs:124h
		mov	eax, offset loc_7FFFF8
		mov	edx, large fs:2330h
		mov	ebx, edx
		sub	ebx, ds:_KeKernelStackSize
		shr	ebx, 9
		and	ebx, eax
		shr	edx, 9
		and	edx, eax
		sub	edx, 40000000h
		lea	ecx, [ebx-40000000h]
		call	MiMarkBootKernelStack
		mov	esi, [edi+24h]
		mov	ecx, offset loc_7FFFF8
		mov	edx, [edi+28h]
		mov	eax, 40000000h
		shr	esi, 9
		and	esi, ecx
		shr	edx, 9
		and	edx, ecx
		sub	esi, eax
		sub	edx, eax
		mov	ecx, esi
		call	MiMarkBootKernelStack
		lea	ecx, [esi-8]
		call	MiMarkBootGuardPage
		lea	ecx, [ebx-40000008h]
		call	MiMarkBootGuardPage
		mov	eax, ds:_KeKernelStackSize
		mov	ecx, dword_6D07D0
		shr	eax, 0Ch
		push	1
		mov	byte_6D3408, al
		mov	eax, ds:_MiLowHalVa
		sub	eax, ecx
		push	eax
		push	ecx
		push	0Bh
		push	0
		push	0Eh
		pop	edx
		mov	ecx, offset unk_6D33D0
		call	MiInitializePteInfo
		test	eax, eax
		jz	short loc_ABE38A
		mov	ecx, dword_6D3398
		xor	eax, eax
		or	dword_6D33DC, 1
		inc	eax
		mov	dword_6D33FC, ecx

loc_ABE386:				; CODE XREF: MiInitializeKernelStacks()+C2j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_ABE38A:				; CODE XREF: MiInitializeKernelStacks()+A4j
		xor	eax, eax
		jmp	short loc_ABE386
_MiInitializeKernelStacks@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeStartAllProcessors proc near		; CODE XREF: Phase1InitializationDiscard(x)+67Dp

var_36C		= dword	ptr -36Ch
var_368		= dword	ptr -368h
var_364		= dword	ptr -364h
var_360		= dword	ptr -360h
var_35C		= dword	ptr -35Ch
var_358		= dword	ptr -358h
var_354		= dword	ptr -354h
var_350		= dword	ptr -350h
var_34C		= dword	ptr -34Ch
var_348		= dword	ptr -348h
var_344		= dword	ptr -344h
var_340		= dword	ptr -340h
var_33C		= dword	ptr -33Ch
var_338		= dword	ptr -338h
var_334		= dword	ptr -334h
var_330		= dword	ptr -330h
var_32C		= dword	ptr -32Ch
var_328		= dword	ptr -328h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE39BE SIZE 000002DC BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 370h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebp+var_328]
		push	320h		; size_t
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_32C], esi
		mov	[ebp+var_340], esi
		mov	[ebp+var_33C], esi
		call	_memset
		add	esp, 0Ch
		call	_KiSaveBootProcessorIdt@0 ; KiSaveBootProcessorIdt()
		test	eax, eax
		js	loc_AE3C8B
		push	ds:_KeRegisteredProcessors
		call	ds:__imp__HalEnumerateProcessors@4 ; HalEnumerateProcessors(x)
		mov	edi, eax
		mov	eax, ds:_KeNumprocSpecified
		mov	[ebp+var_358], edi
		test	eax, eax
		jnz	loc_AE39BE

loc_ABE40E:				; CODE XREF: KeStartAllProcessors+25638j
		mov	eax, ds:_KeBootprocSpecified
		test	eax, eax
		jnz	loc_AE39CB

loc_ABE41B:				; CODE XREF: KeStartAllProcessors+25643j
					; KeStartAllProcessors+25651j
		mov	eax, ds:_KeFeatureBits
		and	eax, 200h
		or	eax, esi
		jz	loc_AE3C8B
		call	ds:__imp__HalQueryMaximumProcessorCount@0 ; HalQueryMaximumProcessorCount()
		mov	[ebp+var_36C], eax
		mov	esi, eax
		mov	[ebp+var_334], eax
		cmp	eax, 20h
		ja	loc_AE39E4

loc_ABE44A:				; CODE XREF: KeStartAllProcessors+2565Fj
		mov	eax, ds:_KiProcessorBlock
		mov	ecx, [eax+344h]
		imul	ecx, [eax+340h]
		imul	ecx, ds:_KeRegisteredProcessors
		cmp	esi, ecx
		ja	loc_AE39F2

loc_ABE46B:				; CODE XREF: KeStartAllProcessors+2566Cj
		mov	eax, ds:_KeNumprocSpecified
		test	eax, eax
		jnz	loc_AE39FF

loc_ABE478:				; CODE XREF: KeStartAllProcessors+25673j
					; KeStartAllProcessors+25681j
		cmp	esi, edi
		ja	loc_AE3A14

loc_ABE480:				; CODE XREF: KeStartAllProcessors+2568Dj
					; KeStartAllProcessors+2569Bj
		mov	ecx, esi
		call	_KiAllocateCpuSetData@4	; KiAllocateCpuSetData(x)
		test	eax, eax
		jz	loc_AE3A2E
		mov	ecx, esi
		call	_KiComputeProcessorDataSize@4 ;	KiComputeProcessorDataSize(x)
		mov	edi, ds:_KeRegisteredProcessors
		mov	[ebp+var_350], eax
		mov	[ebp+var_338], edi
		cmp	edi, 20h
		ja	loc_AE3A66

loc_ABE4B1:				; CODE XREF: KeStartAllProcessors+256E6j
		mov	edi, large fs:20h
		xor	edx, edx
		mov	ecx, edi
		call	KiInitializePrcbContext
		test	eax, eax
		js	loc_AE3A36
		lea	ecx, [edi+429Ch]
		xor	edx, edx
		call	_MmAllocateIsrStack@8 ;	MmAllocateIsrStack(x,x)
		test	al, al
		jz	loc_AE3A3E
		mov	eax, large fs:1Ch
		lea	ecx, [ebp+var_344]
		xor	edx, edx
		mov	eax, [eax+3Ch]
		mov	eax, [eax+24B4h]
		mov	[ebp+var_344], eax
		call	_MmAllocateIsrStack@8 ;	MmAllocateIsrStack(x,x)
		test	al, al
		jz	loc_AE3A3E
		xor	edi, edi
		inc	edi
		mov	ds:_KiBarrierWait, edi
		call	HvlStartBootLogicalProcessors
		xor	ecx, ecx
		mov	[ebp+var_360], edi
		inc	ecx
		mov	[ebp+var_35C], ecx

loc_ABE525:				; CODE XREF: KeStartAllProcessors+47Aj
		cmp	_KiSMTProcessorsPresent, 0
		jz	loc_AE3A79

loc_ABE532:				; CODE XREF: KeStartAllProcessors+256F7j
		mov	eax, [ebp+var_358]
		test	eax, eax
		jz	short loc_ABE544
		cmp	edi, eax
		jnb	loc_ABE80E

loc_ABE544:				; CODE XREF: KeStartAllProcessors+1ACj
					; KeStartAllProcessors+257D3j
		or	[ebp+var_33C], 0FFFFFFFFh
		lea	eax, [ebp+var_32C]
		push	eax
		lea	edx, [ebp+var_33C]
		mov	[ebp+var_32C], 0FFFFh
		call	KiQueryProcessorNode
		test	eax, eax
		jnz	loc_ABE7F8
		movzx	edx, word ptr [ebp+var_32C]
		mov	ecx, [ebp+var_350]
		mov	eax, ds:_KeNodeBlock[edx*4]
		mov	[ebp+var_34C], eax
		mov	[ebp+var_368], eax
		call	_MmAllocateIndependentPages@8 ;	MmAllocateIndependentPages(x,x)
		mov	[ebp+var_348], eax
		test	eax, eax
		jz	loc_ABE80E
		movzx	edx, word ptr [ebp+var_32C]
		mov	ecx, 7000h
		call	_MmAllocateIndependentPages@8 ;	MmAllocateIndependentPages(x,x)
		mov	[ebp+var_330], eax
		test	eax, eax
		jz	loc_AE3C18
		mov	edx, [ebp+var_32C]
		mov	ecx, edi
		call	_ExCreatePoolTagTable@8	; ExCreatePoolTagTable(x,x)
		test	eax, eax
		jz	loc_AE3C08
		movzx	edx, word ptr [ebp+var_32C]
		xor	ecx, ecx
		push	0
		call	MmCreateKernelStack
		movzx	edx, word ptr [ebp+var_32C]
		xor	ecx, ecx
		push	0
		mov	[ebp+var_354], eax
		call	MmCreateKernelStack
		movzx	edx, word ptr [ebp+var_32C]
		lea	ecx, [ebp+var_340]
		and	[ebp+var_340], 0
		mov	[ebp+var_364], eax
		call	_MmAllocateIsrStack@8 ;	MmAllocateIsrStack(x,x)
		movzx	edx, word ptr [ebp+var_32C]
		lea	ecx, [ebp+var_344]
		and	[ebp+var_344], 0
		call	_MmAllocateIsrStack@8 ;	MmAllocateIsrStack(x,x)
		test	al, al
		jz	loc_AE3C01
		push	[ebp+var_344]	; int
		mov	edx, ds:_KeLoaderBlock ; int
		lea	ecx, [ebp+var_328] ; void *
		push	[ebp+var_340]	; int
		push	[ebp+var_364]	; int
		push	[ebp+var_354]	; int
		push	esi		; int
		push	[ebp+var_330]	; void *
		push	[ebp+var_348]	; void *
		push	edi		; int
		call	_KiInitializeProcessorState@40 ; KiInitializeProcessorState(x,x,x,x,x,x,x,x,x,x)
		movzx	edx, word ptr [ebp+var_32C]
		imul	ecx, edx, 140h
		mov	[ebp+var_330], eax
		add	ecx, offset _KiNodeInit
		cmp	ds:_KeNodeBlock[edx*4],	ecx
		jz	loc_AE3A8A
		mov	ecx, [ebp+var_34C]

loc_ABE69F:				; CODE XREF: KeStartAllProcessors+2576Cj
		mov	[eax+338h], ecx
		xor	edx, edx
		mov	ecx, eax
		call	KiAddProcessorToGroupDatabase
		mov	edx, [ebp+var_33C]
		mov	ecx, [ebp+var_330]
		and	dword_6CAAE4, 0
		mov	_KiProcessorStartData, 1
		mov	_KiProcessorStartControl, 2
		call	HvlInitializeProcessor
		test	eax, eax
		jnz	loc_AE3B66
		mov	ecx, [ebp+var_330]
		call	MmInitializeProcessor
		test	eax, eax
		jz	loc_AE3B66
		movzx	edx, word ptr [ebp+var_32C]
		mov	ecx, [ebp+var_330]
		call	KiInitializePrcbContext
		test	eax, eax
		js	loc_AE3B66
		mov	ecx, [ebp+var_330]
		call	KeInitializeTimerTable
		test	eax, eax
		js	loc_AE3B66
		push	[ebp+var_33C]
		lea	eax, [ebp+var_328]
		push	edi
		push	eax
		call	ds:__imp__HalStartNextProcessor@12 ; HalStartNextProcessor(x,x,x)
		cmp	eax, 3
		jz	loc_AE3A4C
		cmp	eax, 4
		jnz	loc_AE3B66
		call	KiStartWaitAcknowledge
		test	al, al
		jz	loc_AE3B08
		test	dword_6CAAEC, 10000000h
		jz	loc_AE3B08
		cmp	byte ptr dword_6CAAE4+2, 1
		jbe	loc_AE3B08
		mov	eax, large fs:20h
		xor	edx, edx
		mov	ecx, [eax+3D38h]
		movzx	eax, byte ptr dword_6CAAE4+3
		dec	ecx
		not	ecx
		and	eax, ecx
		mov	[ebp+var_354], eax
		test	edi, edi
		jz	loc_AE3B08

loc_ABE79A:				; CODE XREF: KeStartAllProcessors+25774j
		mov	eax, ds:_KiProcessorBlock[edx*4]
		test	eax, eax
		jz	loc_AE3AFF
		movzx	eax, byte ptr [eax+3D49h]
		and	eax, ecx
		cmp	eax, [ebp+var_354]
		jnz	loc_AE3AFF
		inc	[ebp+var_338]

loc_ABE7C4:				; CODE XREF: KeStartAllProcessors+25786j
		and	_KiProcessorStartControl, 0
		jmp	short loc_ABE7CF
; 

loc_ABE7CD:				; CODE XREF: KeStartAllProcessors+44Bj
		pause

loc_ABE7CF:				; CODE XREF: KeStartAllProcessors+43Dj
		mov	eax, ds:_KeLoaderBlock
		mov	eax, [eax+4Ch]
		test	eax, eax
		jnz	short loc_ABE7CD
		mov	ecx, [ebp+var_330]
		xor	dl, dl
		call	KiConfigureProcessorBlock
		xor	edx, edx
		mov	ecx, edi
		call	_KiUpdateProcessorCount@8 ; KiUpdateProcessorCount(x,x)
		inc	edi
		mov	[ebp+var_360], edi

loc_ABE7F8:				; CODE XREF: KeStartAllProcessors+1DBj
		mov	ecx, [ebp+var_35C]
		inc	ecx
		mov	[ebp+var_35C], ecx
		cmp	ecx, 20h
		jb	loc_ABE525

loc_ABE80E:				; CODE XREF: KeStartAllProcessors+1B0j
					; KeStartAllProcessors+20Ej ...
		call	KiAllProcessorsStarted
		xor	esi, esi
		push	0
		inc	esi
		push	esi
		call	off_6B12A0	; xHalTscSynchronization(x,x)
		cmp	ds:_KeMaximumProcessors, 0
		jnz	short loc_ABE83F
		cmp	ds:_KeDynamicPartitioningSupported, 0
		jnz	loc_AE3C2E

loc_ABE835:				; CODE XREF: KeStartAllProcessors+258ACj
		mov	eax, ds:_KeNumberProcessors
		mov	ds:_KeMaximumProcessors, eax

loc_ABE83F:				; CODE XREF: KeStartAllProcessors+498j
					; KeStartAllProcessors+258ECj ...
		push	0FFFFh
		mov	ds:_KiBootProcessorsStarted, esi
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	ds:_KiBootProcessorCount, eax
		mov	ds:_KiBarrierWait, 0

loc_ABE85E:				; CODE XREF: KeStartAllProcessors+25907j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
KeStartAllProcessors endp ; sp =  4

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMarkBootKernelStack proc near		; CODE XREF: MiInitializeKernelStacks()+36p
					; MiInitializeKernelStacks()+5Bp

var_A1		= byte ptr -0A1h
var_A0		= dword	ptr -0A0h
var_9C		= byte ptr -9Ch
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE3C9A SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		lea	eax, [ebp+var_A0]
		mov	ebx, edx
		push	0		; int
		push	eax		; void *
		mov	edi, ecx
		call	_memset
		and	[ebp+var_8C], 0
		add	esp, 0Ch
		mov	ecx, offset unk_6D3A40
		mov	[ebp+var_98], 21h
		mov	[ebp+var_9C], 1
		xor	esi, esi
		call	MiLockWorkingSetShared
		mov	[ebp+var_A1], al

loc_ABE8CE:				; CODE XREF: MiMarkBootKernelStack+B2j
		cmp	edi, ebx
		jnb	short loc_ABE947
		test	esi, esi
		jz	short loc_ABE926
		test	edi, 0FFFh
		jz	loc_AE3C9A

loc_ABE8E2:				; CODE XREF: MiMarkBootKernelStack+D3j
		push	0FFFFFFF8h
		pop	edx
		mov	ecx, edi
		call	MiMarkKernelStack
		mov	eax, [edi]
		nop
		test	ds:_MiFlags, 40000h
		mov	ecx, [edi+4]
		jnz	short loc_ABE921
		or	eax, 62h
		or	ecx, 80000000h
		nop
		mov	[edi], eax
		mov	edx, edi
		push	0
		mov	[edi+4], ecx
		lea	ecx, [ebp+var_A0]
		push	1
		shl	edx, 9
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_ABE921:				; CODE XREF: MiMarkBootKernelStack+8Aj
		add	edi, 8
		jmp	short loc_ABE8CE
; 

loc_ABE926:				; CODE XREF: MiMarkBootKernelStack+62j
					; MiMarkBootKernelStack+25434j
		mov	esi, edi
		mov	ecx, offset unk_6D3A40
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		push	0
		mov	edx, esi
		call	MiLockPageTableInternal
		jmp	short loc_ABE8E2
; 

loc_ABE947:				; CODE XREF: MiMarkBootKernelStack+5Ej
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		test	esi, esi
		jz	short loc_ABE962
		mov	edx, esi
		mov	ecx, offset unk_6D3A40
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_ABE962:				; CODE XREF: MiMarkBootKernelStack+E2j
		mov	dl, [ebp+var_A1]
		mov	ecx, offset unk_6D3A40
		call	MiUnlockWorkingSetShared
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
MiMarkBootKernelStack endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExRngInitializeSystem proc near		; CODE XREF: KiInitializePcr(x,x,x,x,x,x,x,x)+54p

var_EC		= dword	ptr -0ECh
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE3CAB SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0ECh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ds:_KeLoaderBlock
		mov	edx, 0DCh
		and	_ExpLFGRngLock,	0
		push	ebx
		push	esi
		mov	ebx, [eax+84h]
		mov	eax, offset _ExpLFGRngState
		mov	[ebp+var_EC], ebx
		push	edi
		mov	[ebp+var_E4], 2
		lea	ecx, [ebx+61Ch]
		mov	ebx, ecx

loc_ABE9CE:				; CODE XREF: ExRngInitializeSystem+88j
		push	37h
		pop	ecx
		mov	esi, ebx
		lea	edi, [ebp+var_E0]
		rep movsd
		push	37h
		mov	edi, eax
		mov	dword ptr [eax+0E0h], 20h
		pop	ecx
		lea	esi, [ebp+var_E0]
		add	ebx, edx
		rep movsd
		xor	ecx, ecx
		inc	ecx
		or	[eax], ecx
		mov	[eax+0DCh], ecx
		add	eax, 0E4h
		sub	[ebp+var_E4], ecx
		jnz	short loc_ABE9CE
		mov	ebx, [ebp+var_EC]
		mov	edi, offset _ExpLeftoverBootRngData
		push	5Bh
		pop	ecx
		mov	_ExpRemainingLeftoverBootRngData, ecx
		lea	esi, [ebx+7D4h]
		rep movsd
		pop	edi
		pop	esi
		lea	eax, [ebx+540h]
		mov	ecx, 400h
		pop	ebx

loc_ABEA36:				; CODE XREF: ExRngInitializeSystem+BBj
		mov	byte ptr [eax],	0
		inc	eax
		sub	ecx, 1
		jnz	short loc_ABEA36
		lea	eax, [ebp+var_E0]

loc_ABEA45:				; CODE XREF: ExRngInitializeSystem+CAj
		mov	byte ptr [eax],	0
		inc	eax
		sub	edx, 1
		jnz	short loc_ABEA45
		xor	ecx, ecx
		call	ExGenRandom
		mov	_ExpSecurityCookieRandomData, eax
		test	eax, eax
		jz	loc_AE3CAB

loc_ABEA62:				; CODE XREF: ExRngInitializeSystem+25333j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
ExRngInitializeSystem endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiPerformGroupConfiguration proc near	; CODE XREF: KePerformGroupConfiguration(x)+16p

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE3CBA SIZE 0000049D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_6C], ecx
		push	40h		; size_t
		lea	eax, [ebp+var_44]
		mov	[ebp+var_68], ebx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	ax, ds:_KeNumberNodes
		xor	ecx, ecx
		add	esp, 0Ch
		mov	[ebp+var_80], ebx
		mov	[ebp+var_78], ebx
		mov	esi, ebx
		mov	[ebp+var_7C], ebx
		mov	[ebp+var_60], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_5C], ebx
		cmp	cx, ax
		jnb	loc_ABEB48

loc_ABEAC2:				; CODE XREF: KiPerformGroupConfiguration+D4j
		lea	eax, [ebp+var_78]
		push	eax
		push	esi
		call	_KiNumaQueryNodeCapacity ; KiNonNumaQueryNodeCapacity(x,x)
		mov	al, byte ptr [ebp+var_78]
		movzx	edi, si
		mov	ecx, ds:_KeNodeBlock[edi*4]
		mov	[ecx+0A4h], al
		mov	eax, [ebp+var_60]
		add	eax, [ebp+var_78]
		mov	[ebp+var_60], eax
		cmp	[ebp+var_78], ebx
		jz	short loc_ABEAF1
		inc	[ebp+var_64]

loc_ABEAF1:				; CODE XREF: KiPerformGroupConfiguration+7Ej
		mov	edx, _KiNumaQueryProximityId
		lea	eax, [ecx+98h]
		test	edx, edx
		jz	loc_AE3CBA
		lea	ecx, [ebp+var_7C]
		push	ecx
		push	eax
		push	esi
		call	edx
		mov	eax, ds:_KeNodeBlock[edi*4]
		add	eax, 8Ch
		push	eax
		push	[ebp+var_7C]
		call	_KiNumaQueryProximityNode
		mov	eax, ds:_KeNodeBlock[edi*4]
		mov	eax, [eax+98h]
		cmp	eax, [ebp+var_7C]
		jnz	short loc_ABEB38
		inc	[ebp+var_5C]

loc_ABEB38:				; CODE XREF: KiPerformGroupConfiguration+C5j
					; KiPerformGroupConfiguration+25262j
		mov	ax, ds:_KeNumberNodes
		inc	esi
		cmp	si, ax
		jb	loc_ABEAC2

loc_ABEB48:				; CODE XREF: KiPerformGroupConfiguration+4Ej
		xor	ecx, ecx
		inc	ecx
		cmp	ax, cx
		ja	loc_AE3CD5

loc_ABEB54:				; CODE XREF: KiPerformGroupConfiguration+25287j
		mov	si, ds:_KeNumberNodes
		xor	eax, eax
		mov	edi, ebx
		cmp	ax, si
		jnb	short loc_ABEBAC

loc_ABEB64:				; CODE XREF: KiPerformGroupConfiguration+13Cj
		xor	eax, eax
		mov	[ebp+var_58], ebx
		cmp	ax, si
		jnb	short loc_ABEBA6
		movzx	eax, di
		mov	[ebp+var_70], eax

loc_ABEB74:				; CODE XREF: KiPerformGroupConfiguration+134j
		lea	eax, [ebp+var_80]
		push	eax
		push	ebx
		push	edi
		call	_KiNumaQueryNodeDistance ; KiNonNumaQueryNodeDistance(x,x,x)
		mov	si, ds:_KeNumberNodes
		mov	ecx, [ebp+var_80]
		movzx	edx, si
		imul	edx, [ebp+var_70]
		movzx	eax, bx
		add	edx, eax
		mov	eax, ds:_KeNodeDistance
		inc	ebx
		mov	[eax+edx*4], ecx
		cmp	bx, si
		jb	short loc_ABEB74
		xor	ebx, ebx

loc_ABEBA6:				; CODE XREF: KiPerformGroupConfiguration+FEj
		inc	edi
		cmp	di, si
		jb	short loc_ABEB64

loc_ABEBAC:				; CODE XREF: KiPerformGroupConfiguration+F4j
		xor	eax, eax
		mov	[ebp+var_58], ebx
		mov	edi, ebx
		cmp	ax, si
		jnb	loc_ABEC84

loc_ABEBBC:				; CODE XREF: KiPerformGroupConfiguration+1E3j
		movzx	edx, di
		mov	[ebp+var_74], edx
		mov	ecx, ds:_KeNodeBlock[edx*4]
		mov	ax, [ecx+8Ah]
		cmp	ax, [ecx+8Ch]
		jnz	short loc_ABEC46
		lea	eax, [ebp+var_68]
		xor	ecx, ecx
		push	eax
		lea	eax, [ebp+var_58]
		push	eax
		call	_MmGetChannelInformation@16 ; MmGetChannelInformation(x,x,x,x)
		test	eax, eax
		js	loc_AE3D05
		mov	eax, [ebp+var_68]
		xor	edx, edx
		push	28h
		pop	ecx
		div	ecx
		xor	ecx, ecx
		mov	esi, ebx
		mov	[ebp+var_70], eax
		lea	edx, [ecx+1]
		test	eax, eax
		jz	short loc_ABEC1D
		mov	ecx, [ebp+var_58]
		mov	edx, eax
		add	ecx, 8

loc_ABEC10:				; CODE XREF: KiPerformGroupConfiguration+252AAj
		mov	eax, [ecx]
		or	eax, [ecx+4]
		jz	loc_AE3D10
		mov	dl, bl

loc_ABEC1D:				; CODE XREF: KiPerformGroupConfiguration+198j
					; KiPerformGroupConfiguration+252B5j
		mov	ecx, [ebp+var_74]
		shl	dl, 4
		push	ebx
		push	[ebp+var_58]
		mov	ecx, ds:_KeNodeBlock[ecx*4]
		mov	al, [ecx+0A5h]
		and	al, 0EFh
		or	dl, al
		mov	[ecx+0A5h], dl
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	[ebp+var_58], ebx

loc_ABEC46:				; CODE XREF: KiPerformGroupConfiguration+169j
		mov	si, ds:_KeNumberNodes
		inc	edi
		cmp	di, si
		jb	loc_ABEBBC
		xor	eax, eax
		cmp	ax, si
		jnb	short loc_ABEC84
		mov	edx, offset _KeNodeBlock
		movzx	esi, si

loc_ABEC66:				; CODE XREF: KiPerformGroupConfiguration+214j
		mov	ecx, [edx]
		movzx	eax, word ptr [ecx+8Ch]
		cmp	[ecx+8Ah], ax
		jnz	loc_AE3D28

loc_ABEC7C:				; CODE XREF: KiPerformGroupConfiguration+252D5j
		add	edx, 4
		sub	esi, 1
		jnz	short loc_ABEC66

loc_ABEC84:				; CODE XREF: KiPerformGroupConfiguration+148j
					; KiPerformGroupConfiguration+1EEj
		xor	eax, eax
		lea	edi, [ebp+var_54]
		cmp	ds:_HvlHypervisorConnected, 0
		stosd
		stosd
		stosd
		stosd
		jnz	loc_AE3D48

loc_ABEC9A:				; CODE XREF: KiPerformGroupConfiguration+2535Dj
					; KiPerformGroupConfiguration+25386j
		mov	eax, [ebp+var_6C]
		mov	[ebp+var_68], ebx
		mov	[ebp+var_74], 0FFFFh
		mov	eax, [eax+84h]
		mov	esi, [eax+0E4h]
		test	esi, esi
		jnz	loc_AE3DF9

loc_ABECBB:				; CODE XREF: KiPerformGroupConfiguration+25390j
					; KiPerformGroupConfiguration+253E2j ...
		mov	esi, [ebp+var_6C]
		push	offset ??_C@_0N@IGHPMJHE@MAXGROUP?$DNOFF@PBOPGDP@ ; char *
		push	dword ptr [esi+78h] ; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_ABED09
		push	offset ??_C@_08IABDDFLJ@MAXGROUP@PBOPGDP@ ; "MAXGROUP"
		push	dword ptr [esi+78h] ; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_AE3F76

loc_ABECE8:				; CODE XREF: KiPerformGroupConfiguration+2A1j
		xor	eax, eax
		inc	eax

loc_ABECEB:				; CODE XREF: KiPerformGroupConfiguration+25510j
		cmp	word ptr [ebp+var_64], ax
		jnz	loc_AE3F83

loc_ABECF5:				; CODE XREF: KiPerformGroupConfiguration+25350j
					; KiPerformGroupConfiguration+25370j ...
		call	_KiAssignAllNodesToGroup0@0 ; KiAssignAllNodesToGroup0()

loc_ABECFA:				; CODE XREF: KiPerformGroupConfiguration+254E4j
					; KiPerformGroupConfiguration+25503j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_ABED09:				; CODE XREF: KiPerformGroupConfiguration+261j
		mov	ds:_KiMaximizeGroupsCreated, bl
		jmp	short loc_ABECE8
KiPerformGroupConfiguration endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiAssignAllNodesToGroup0()
_KiAssignAllNodesToGroup0@0 proc near	; CODE XREF: KiPerformGroupConfiguration:loc_ABECF5p
		mov	cx, ds:_KeNumberNodes
		xor	eax, eax
		inc	eax
		xor	edx, edx
		mov	ds:_KiMaximumGroups, ax
		cmp	dx, cx
		jnb	short locret_ABED5C
		movzx	edx, cx
		mov	ecx, edx
		shl	eax, cl
		mov	ecx, offset _KeNodeBlock
		push	esi
		push	edi
		lea	esi, [eax-1]

loc_ABED3A:				; CODE XREF: KiAssignAllNodesToGroup0()+46j
		mov	eax, [ecx]
		xor	edi, edi
		lea	ecx, [ecx+4]
		or	byte ptr [eax+0A5h], 2
		mov	[eax+88h], di
		mov	[eax+80h], esi
		sub	edx, 1
		jnz	short loc_ABED3A
		pop	edi
		pop	esi

locret_ABED5C:				; CODE XREF: KiAssignAllNodesToGroup0()+15j
		retn
_KiAssignAllNodesToGroup0@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeSystemPtes proc near	; CODE XREF: MiInitNucleus(x)+254p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE4157 SIZE 00000061 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	eax, dword_6D07D0
		mov	edx, offset unk_6D3940
		push	esi
		push	edi
		mov	edi, ds:_MiLowHalVa
		mov	esi, offset _MiSystemPartition
		push	0
		push	5
		mov	ecx, esi
		mov	[ebp+var_4], eax
		sub	edi, eax
		call	MiInitializeSystemWorkingSetList
		test	eax, eax
		jz	loc_ABEF1A
		push	0
		push	6
		mov	edx, offset unk_6D3A40
		mov	ecx, esi
		call	MiInitializeSystemWorkingSetList
		test	eax, eax
		jz	loc_ABEF1A
		mov	eax, large fs:20h
		push	9
		pop	edx
		or	dword ptr [eax+406Ch], 0FFFFFFFFh
		mov	eax, edi
		mov	esi, ds:dword_7051B4
		shr	eax, 0Ch
		and	esi, 2
		mov	[ebp+var_8], eax
		or	esi, 1
		shr	eax, 3
		add	eax, 0FFFh
		and	eax, 0FFFFF000h
		imul	esi, eax
		mov	[ebp+var_C], eax
		lea	ecx, [esi+1FFFFFh]
		shr	ecx, 15h
		call	MiObtainSystemVa
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_ABEF1A
		push	1
		push	edi
		push	[ebp+var_4]
		mov	ecx, offset dword_6D35E0
		add	esi, eax
		push	9
		push	eax
		push	9
		pop	edx
		call	MiInitializePteInfo
		test	eax, eax
		jz	loc_ABEF1A
		mov	eax, dword_6D3394
		or	dword_6D35EC, 1
		mov	dword_6D360C, eax
		mov	al, byte_6D39A0
		and	al, 0FDh
		or	al, 5
		test	byte ptr ds:dword_7051B4, 2
		mov	byte_6D39A0, al
		jnz	loc_AE4157

loc_ABEE5B:				; CODE XREF: MiInitializeSystemPtes+25417j
					; MiInitializeSystemPtes+25424j
		mov	eax, esi
		and	eax, 1FFFFFh
		jz	loc_ABEEF1
		shr	esi, 9
		mov	edi, 200000h
		and	esi, offset loc_7FFFF8
		sub	edi, eax
		sub	esi, dword_6D35E8
		sub	esi, 40000000h
		shr	edi, 0Ch
		sar	esi, 3
		mov	eax, esi
		mov	edx, esi
		and	eax, 7
		shr	edx, 3
		add	edx, dword_6D35E4
		add	eax, edi
		push	eax
		push	9
		pop	ecx
		call	MiSplitBitmapPages
		cmp	eax, 1
		jnz	short loc_ABEED4
		push	edi
		push	esi
		lea	eax, [esi+edi]
		push	offset dword_6D35E0
		mov	dword_6D35E0, eax
		call	_RtlClearBits@12 ; RtlClearBits(x,x,x)
		mov	eax, edi
		mov	ecx, offset dword_6D3610
		lock xadd [ecx], eax
		mov	eax, edi
		mov	ecx, offset unk_6D3600
		lock xadd [ecx], eax

loc_ABEED4:				; CODE XREF: MiInitializeSystemPtes+14Aj
		test	byte ptr ds:dword_7051B4, 2
		jnz	loc_AE4187

loc_ABEEE1:				; CODE XREF: MiInitializeSystemPtes+25448j
					; MiInitializeSystemPtes+25455j
		and	esi, 0FFFFFFE0h
		or	dword_6D35EC, 8
		mov	dword_6D3608, esi

loc_ABEEF1:				; CODE XREF: MiInitializeSystemPtes+104j
		and	dword_6D3410, 0
		xor	edx, edx
		inc	edx
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	dword_6D3420, eax
		test	eax, eax
		jz	short loc_ABEF1A
		xor	eax, eax
		inc	eax

loc_ABEF11:				; CODE XREF: MiInitializeSystemPtes+1BEj
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_ABEF1A:				; CODE XREF: MiInitializeSystemPtes+43j
					; MiInitializeSystemPtes+5Bj ...
		xor	eax, eax
		jmp	short loc_ABEF11
MiInitializeSystemPtes endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializePteInfo proc near		; CODE XREF: MiInitializeSystemSpaceMap(x)+36p
					; MiInitializeKernelStacks()+9Dp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00AE41B8 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_C]
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		shr	eax, 0Ch
		mov	ecx, [ebp+arg_0]
		xor	edi, edi
		xor	ebx, ebx
		mov	[ebp+var_4], edx
		mov	[ebp+arg_C], eax
		test	ecx, ecx
		jnz	short loc_ABEF73
		dec	eax
		xor	edx, edx
		add	eax, [ebp+arg_10]
		mov	ecx, offset dword_6D35E0
		div	[ebp+arg_10]
		lea	edi, [eax+7]
		shr	edi, 3
		add	edi, 0FFFh
		shr	edi, 0Ch
		mov	edx, edi
		call	MiReservePtes
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_ABEFD4
		mov	eax, [ebp+arg_C]
		mov	ecx, ebx
		shl	ecx, 9

loc_ABEF73:				; CODE XREF: MiInitializePteInfo+21j
		xor	edx, edx
		div	[ebp+arg_10]
		push	[ebp+arg_4]
		mov	edx, ecx
		mov	ecx, esi
		push	eax
		call	MiInitializeDynamicBitmap
		test	eax, eax
		jz	loc_AE41B8
		cmp	[ebp+arg_10], 10h
		mov	dword ptr [esi+0Ch], 2
		jz	short loc_ABEFCB

loc_ABEF9A:				; CODE XREF: MiInitializePteInfo+B4j
		mov	eax, [ebp+var_4]
		mov	[esi+10h], eax
		lea	eax, [esi+18h]
		mov	[esi+14h], eax
		mov	eax, [ebp+arg_8]
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		sub	eax, 40000000h
		mov	[esi+8], eax
		xor	eax, eax
		mov	[esi+28h], eax
		mov	[esi], eax
		mov	[esi+1Ch], eax
		inc	eax

loc_ABEFC4:				; CODE XREF: MiInitializePteInfo+B8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_ABEFCB:				; CODE XREF: MiInitializePteInfo+7Aj
		mov	dword ptr [esi+0Ch], 6
		jmp	short loc_ABEF9A
; 

loc_ABEFD4:				; CODE XREF: MiInitializePteInfo+4Bj
					; MiInitializePteInfo+2529Cj ...
		xor	eax, eax
		jmp	short loc_ABEFC4
MiInitializePteInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiComputeNumaCosts proc	near		; CODE XREF: INIT:loc_AC0037p

var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= word ptr -11Ch
var_114		= dword	ptr -114h
var_108		= dword	ptr -108h
var_100		= dword	ptr -100h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE41D2 SIZE 00000550 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 15Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+15Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+168h+var_114]
		stosd
		xor	ecx, ecx
		inc	ecx
		stosd
		stosd
		mov	ax, ds:_KeNumberNodes
		cmp	ax, cx
		ja	loc_AE41D2

loc_ABF012:				; CODE XREF: KiComputeNumaCosts+25745j
		mov	al, cl

loc_ABF014:				; CODE XREF: KiComputeNumaCosts+25221j
		mov	ecx, [esp+168h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
KiComputeNumaCosts endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiIntSteerInit()
_KiIntSteerInit@0 proc near		; CODE XREF: INIT:00AC004Ep

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, offset _KiIntTrackRootList
		xor	ecx, ecx
		mov	dword_6C74EC, eax
		mov	_KiIntTrackRootList, eax
		xor	eax, eax
		inc	eax
		mov	_KiIntTrackRootCount, ecx
		mov	word ptr _KiIntSteerMask, ax
		mov	word ptr _KiIntSteerMask+2, ax
		mov	dword_6C7528, eax
		mov	_KiIntSteerAffinitizedInterrupts, ax
		mov	word_6C7502, ax
		lea	eax, [ebp+var_4]
		push	eax
		push	offset _KiInterruptControllerInfo
		push	4
		push	27h
		mov	_KiIntTrackSpinlock, ecx
		mov	dword_6C7524, ecx
		mov	dword_6C7504, ecx
		mov	dword_6C7508, ecx
		mov	[ebp+var_4], ecx
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		call	KiIntSteerDetermineSteeringEnabled
		mov	_KiIntSteerEnabled, al
		xor	eax, eax
		leave
		retn
_KiIntSteerInit@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


KiIntSteerDetermineSteeringEnabled proc	near ; CODE XREF: KiIntSteerInit()+6Bp

; FUNCTION CHUNK AT 00AE4722 SIZE 0000001F BYTES

		cmp	ds:_KiInterruptSteeringDisabled, 0
		push	ebx
		jnz	short loc_ABF0F5
		xor	ebx, ebx
		inc	ebx
		cmp	ds:_KiActiveGroups, bx
		ja	short loc_ABF0F5
		push	0
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		cmp	eax, 2
		jb	short loc_ABF0F5
		cmp	byte ptr ds:dword_7051D4, 0
		jnz	short loc_ABF0F5
		cmp	ds:_HvlHypervisorConnected, 0
		jnz	loc_AE4722
		call	HviIsAnyHypervisorPresent
		test	al, al
		jnz	short loc_ABF0F5

loc_ABF0E5:				; CODE XREF: KiIntSteerDetermineSteeringEnabled+25692j
		push	0
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		cmp	eax, 10h
		ja	short loc_ABF0F5
		mov	al, bl
		pop	ebx
		retn
; 

loc_ABF0F5:				; CODE XREF: KiIntSteerDetermineSteeringEnabled+8j
					; KiIntSteerDetermineSteeringEnabled+14j ...
		xor	al, al
		pop	ebx
		retn
KiIntSteerDetermineSteeringEnabled endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInitMachineDependent proc near	; CODE XREF: INIT:loc_AC00A3p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE4741 SIZE 000000A5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, large fs:20h
		xor	eax, eax
		push	edi
		lea	edi, [ebp+var_10]
		mov	[ebp+var_1C], esi
		stosd
		xor	ebx, ebx
		mov	[ebp+var_14], ebx
		stosd
		stosd
		mov	eax, ds:_KeNumberProcessors
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	offset _Ki386EnableGlobalPage@4	; Ki386EnableGlobalPage(x)
		call	KeIpiGenericCall
		xor	ecx, ecx
		mov	ds:0FFDF0274h, cx
		mov	eax, ds:_KeFeatureBits
		and	eax, 4
		or	eax, ecx
		jz	short loc_ABF167
		mov	eax, ds:_KeNumberProcessors
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		push	eax
		push	offset _Ki386EnableDE@4	; Ki386EnableDE(x)
		call	KeIpiGenericCall

loc_ABF167:				; CODE XREF: KiInitMachineDependent+55j
		push	2
		pop	ecx
		cmp	_KiXMMIZeroingEnable, ecx
		jz	short loc_ABF1BC
		mov	edx, offset _CmpIntelID	; "GenuineIntel"
		lea	eax, [esi+3D3Ch]

loc_ABF17D:				; CODE XREF: KiInitMachineDependent+A3j
		mov	bl, [eax]
		cmp	bl, [edx]
		jnz	loc_ABF2B1
		test	bl, bl
		jz	short loc_ABF19F
		mov	bl, [eax+1]
		cmp	bl, [edx+1]
		jnz	loc_ABF2B1
		add	eax, ecx
		add	edx, ecx
		test	bl, bl
		jnz	short loc_ABF17D

loc_ABF19F:				; CODE XREF: KiInitMachineDependent+8Fj
		xor	eax, eax

loc_ABF1A1:				; CODE XREF: KiInitMachineDependent+1BCj
		test	eax, eax
		jnz	short loc_ABF1AF
		cmp	byte ptr [esi+14h], 0Fh
		jz	loc_AE4741

loc_ABF1AF:				; CODE XREF: KiInitMachineDependent+A9j
					; KiInitMachineDependent+25654j
		mov	_KeZeroPages, offset @KiXMMIZeroPages@8	; KiXMMIZeroPages(x,x)

loc_ABF1B9:				; CODE XREF: KiInitMachineDependent+2564Ej
		mov	ebx, [ebp+var_14]

loc_ABF1BC:				; CODE XREF: KiInitMachineDependent+76j
		mov	eax, ds:_KiCacheErrataMonitor
		test	al, 3
		jnz	loc_AE4753
		and	ds:_KiTLBCOverride, 0

loc_ABF1D0:				; CODE XREF: KiInitMachineDependent+2567Aj
		xor	esi, esi
		cmp	ds:_KeNumberProcessors,	esi
		jbe	loc_ABF2D7
		mov	edi, offset _KiSystemCallExit2
		sub	edi, offset _KiSystemCallExit

loc_ABF1E9:				; CODE XREF: KiInitMachineDependent+1B2j
		mov	ecx, esi
		test	ebx, ebx
		jz	loc_ABF2BB
		xor	edx, edx
		call	_KiSetSystemAffinityThreadToProcessor@8	; KiSetSystemAffinityThreadToProcessor(x,x)

loc_ABF1FA:				; CODE XREF: KiInitMachineDependent+1D0j
		mov	eax, ds:_KeNumberProcessors
		dec	eax
		mov	_KiSystemCallExitAdjust, edi
		cmp	esi, eax
		setz	bl
		call	KiLoadFastSyscallMachineSpecificRegisters
		call	KiEnableFastSyscallReturn
		test	byte ptr ds:_KiCacheErrataMonitor, 3
		jnz	loc_AE4779

loc_ABF222:				; CODE XREF: KiInitMachineDependent+25688j
		mov	eax, ds:_KeFeatureBits
		and	eax, 40h
		or	eax, 0
		jz	short loc_ABF236
		mov	cl, bl
		call	KiInitializeMTRR

loc_ABF236:				; CODE XREF: KiInitMachineDependent+133j
		cmp	_KiI386PentiumLockErrataPresent, 0
		jnz	loc_AE478F

loc_ABF243:				; CODE XREF: KiInitMachineDependent+2569Ej
		mov	eax, large fs:124h
		xor	ebx, ebx
		mov	ecx, 0FFBFh
		mov	eax, [eax+4Ch]
		mov	[eax+1Ch], ebx
		nop
		fxsave	dword ptr [eax]
		nop
		mov	eax, [eax+1Ch]
		test	eax, eax
		jz	short loc_ABF264
		mov	ecx, eax

loc_ABF264:				; CODE XREF: KiInitMachineDependent+166j
		test	esi, esi
		jz	short loc_ABF2CF

loc_ABF268:				; CODE XREF: KiInitMachineDependent+1DBj
		mov	eax, ds:_KiMxCsrMask
		cmp	eax, ecx
		jnz	loc_AE47B2
		mov	eax, ds:_KeFeatureBits
		and	eax, 200000h
		or	eax, ebx
		jnz	loc_AE479D

loc_ABF287:				; CODE XREF: KiInitMachineDependent+256B3j
		mov	eax, ds:_KeFeatureBits
		and	eax, 1000000h
		or	eax, ebx
		jz	short loc_ABF2A0
		mov	eax, cr4
		or	eax, 100000h
		mov	cr4, eax

loc_ABF2A0:				; CODE XREF: KiInitMachineDependent+199j
		inc	esi
		cmp	esi, ds:_KeNumberProcessors
		jnb	short loc_ABF2D7
		mov	ebx, [ebp+var_14]
		jmp	loc_ABF1E9
; 

loc_ABF2B1:				; CODE XREF: KiInitMachineDependent+87j
					; KiInitMachineDependent+97j
		sbb	eax, eax
		or	eax, 1
		jmp	loc_ABF1A1
; 

loc_ABF2BB:				; CODE XREF: KiInitMachineDependent+F3j
		lea	edx, [ebp+var_10]
		call	_KiSetSystemAffinityThreadToProcessor@8	; KiSetSystemAffinityThreadToProcessor(x,x)
		mov	[ebp+var_14], 1
		jmp	loc_ABF1FA
; 

loc_ABF2CF:				; CODE XREF: KiInitMachineDependent+16Cj
		mov	ds:_KiMxCsrMask, ecx
		jmp	short loc_ABF268
; 

loc_ABF2D7:				; CODE XREF: KiInitMachineDependent+DEj
					; KiInitMachineDependent+1ADj
		mov	eax, [ebp+var_1C]
		cmp	byte ptr [eax+3BEh], 1
		jnz	short loc_ABF2F5
		mov	ecx, 1A0h
		rdmsr
		mov	ds:_KiIa32MiscEnable, eax
		mov	ds:dword_70E4BC, edx

loc_ABF2F5:				; CODE XREF: KiInitMachineDependent+1E7j
		cmp	[ebp+var_14], 0
		jz	short loc_ABF304
		lea	ecx, [ebp+var_10]
		push	ecx
		call	KeRevertToUserGroupAffinityThread

loc_ABF304:				; CODE XREF: KiInitMachineDependent+1FFj
		mov	al, 1

loc_ABF306:				; CODE XREF: KiInitMachineDependent+25690j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
KiInitMachineDependent endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInitializeMTRR proc near		; CODE XREF: KiInitMachineDependent+137p

var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00AE47E6 SIZE 00000113 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		cmp	large byte ptr fs:51h, 0
		push	ebx
		push	esi
		push	edi
		push	0
		mov	[ebp+var_2], cl
		mov	[ebp+var_1], 1
		pop	ecx
		jz	loc_ABF4C0

loc_ABF339:				; CODE XREF: KiInitializeMTRR+280j
					; KiInitializeMTRR+2A8j ...
		cmp	dword_6C75B4, 0
		jz	loc_AE486B
		cmp	dword_6C75B8, 0
		jz	loc_AE4859

loc_ABF353:				; CODE XREF: KiInitializeMTRR+2554Fj
		mov	ecx, 0FEh
		rdmsr
		mov	ebx, eax
		xor	eax, eax
		mov	ecx, ebx
		and	ecx, 400h
		or	ecx, eax
		jz	short loc_ABF37E
		mov	eax, ds:_KeFeatureBits
		xor	ecx, ecx
		and	eax, 40h
		or	eax, ecx
		jz	loc_AE4878

loc_ABF37C:				; CODE XREF: KiInitializeMTRR+25568j
		xor	eax, eax

loc_ABF37E:				; CODE XREF: KiInitializeMTRR+52j
		cmp	ebx, dword_6C75A8
		jnz	loc_AE489A
		cmp	edx, dword_6C75AC
		jnz	loc_AE489A
		mov	ecx, 2FFh
		rdmsr
		cmp	eax, _KiMtrrInfo
		jnz	loc_AE4883
		cmp	edx, dword_6C75A4
		jnz	loc_AE4883

loc_ABF3B5:				; CODE XREF: KiInitializeMTRR+2555Dj
					; KiInitializeMTRR+2557Fj
		cmp	[ebp+var_1], 0
		jz	loc_AE48C2
		cmp	large byte ptr fs:51h, 0
		jz	short loc_ABF3E2

loc_ABF3C9:				; CODE XREF: KiInitializeMTRR+EAj
					; KiInitializeMTRR+1A5j
		cmp	[ebp+var_1], 0
		jz	loc_AE48C2
		cmp	[ebp+var_2], 0
		jnz	loc_ABF5C3

loc_ABF3DD:				; CODE XREF: KiInitializeMTRR+2BCj
					; KiInitializeMTRR+2DFj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn			; char
; 

loc_ABF3E2:				; CODE XREF: KiInitializeMTRR+B1j
		mov	ecx, dword_6C75B8
		test	ecx, ecx
		jz	short loc_ABF3F1
		call	KiReadFixedMtrr

loc_ABF3F1:				; CODE XREF: KiInitializeMTRR+D4j
		xor	ecx, ecx
		movzx	eax, bl
		mov	[ebp+var_2C], eax
		mov	esi, ecx
		mov	[ebp+var_10], ecx
		cmp	eax, ecx
		jbe	short loc_ABF3C9
		mov	edi, 201h
		mov	ebx, ecx
		mov	[ebp+var_14], edi

loc_ABF40C:				; CODE XREF: KiInitializeMTRR+19Fj
		lea	ecx, [edi-1]
		rdmsr
		mov	[ebp+var_20], edx
		mov	ecx, edi
		mov	[ebp+var_1C], eax
		rdmsr
		mov	ecx, dword_6B3FB4
		mov	[ebp+var_C], edx
		and	ecx, [ebp+var_C]
		mov	edx, _KiMtrrMaskMask
		mov	[ebp+var_8], ecx
		and	edx, eax
		mov	ecx, eax
		mov	[ebp+var_24], eax
		and	ecx, 800h
		mov	[ebp+var_18], edx
		xor	eax, eax
		or	ecx, eax
		jz	short loc_ABF4A5
		push	[ebp+var_8]
		push	edx
		call	_KiMaskToLength@8 ; KiMaskToLength(x,x)
		movzx	ecx, _KiMtrrMaxRangeShift
		mov	edi, eax
		add	edi, [ebp+var_18]
		mov	esi, edx
		adc	esi, [ebp+var_8]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		call	__allshl
		not	eax
		not	edx
		and	edi, eax
		and	esi, edx
		or	edi, esi
		jnz	loc_AE48A6

loc_ABF47A:				; CODE XREF: KiInitializeMTRR+255A7j
		mov	eax, dword_6C75B4
		mov	ecx, [ebp+var_1C]
		mov	esi, [ebp+var_10]
		mov	edi, [ebp+var_14]
		mov	[ebx+eax], ecx
		mov	ecx, [ebp+var_20]
		mov	[ebx+eax+4], ecx
		mov	eax, dword_6C75B4
		mov	ecx, [ebp+var_24]
		mov	[ebx+eax+8], ecx
		mov	ecx, [ebp+var_C]
		mov	[ebx+eax+0Ch], ecx

loc_ABF4A5:				; CODE XREF: KiInitializeMTRR+12Ej
		inc	esi
		add	edi, 2
		add	ebx, 10h
		mov	[ebp+var_10], esi
		mov	[ebp+var_14], edi
		cmp	esi, [ebp+var_2C]
		jb	loc_ABF40C
		jmp	loc_ABF3C9
; 

loc_ABF4C0:				; CODE XREF: KiInitializeMTRR+1Dj
		mov	ebx, large fs:20h
		mov	ecx, 0FEh
		rdmsr
		mov	ecx, 2FFh
		mov	dword_6C75AC, edx
		mov	edi, eax
		mov	[ebp+var_2C], edx
		rdmsr
		xor	ecx, ecx
		mov	dword_6C75A8, edi
		mov	esi, eax
		mov	dword_6C75A4, edx
		mov	_KiMtrrInfo, esi
		mov	byte_6C75B1, cl
		cmp	byte ptr [ebx+3BEh], 2
		mov	[ebp+var_2C], edx
		jz	loc_AE47C2

loc_ABF50C:				; CODE XREF: KiInitMachineDependent+256DAj
					; KiInitMachineDependent+256E7j
		mov	eax, esi
		and	eax, 800h
		or	eax, ecx
		jz	loc_AE47FF
		movzx	eax, byte ptr dword_6C75A8
		or	eax, ecx
		jz	loc_AE47FF
		and	edi, 400h
		or	edi, ecx
		jz	short loc_ABF544
		mov	eax, ds:_KeFeatureBits
		and	eax, 40h
		or	eax, ecx
		jz	loc_AE47E6

loc_ABF544:				; CODE XREF: KiInitializeMTRR+21Cj
					; KiInitializeMTRR+254E4j
		movzx	esi, byte ptr dword_6C75A8
		mov	edi, 2020654Bh
		mov	eax, dword_6C75B4
		mov	ebx, 200h
		shl	esi, 4
		test	eax, eax
		jnz	short loc_ABF574
		push	edi
		push	esi
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	dword_6C75B4, eax
		test	eax, eax
		jz	short loc_ABF57F
		xor	ecx, ecx

loc_ABF574:				; CODE XREF: KiInitializeMTRR+249j
		push	esi		; size_t
		push	ecx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_ABF57F:				; CODE XREF: KiInitializeMTRR+25Aj
		mov	eax, dword_6C75B8
		test	eax, eax
		jnz	short loc_ABF5AE
		mov	eax, dword_6C75A8
		xor	ecx, ecx
		and	eax, 100h
		or	eax, ecx
		jz	loc_ABF339
		push	edi
		push	58h
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	dword_6C75B8, eax
		test	eax, eax
		jz	short loc_ABF5BC

loc_ABF5AE:				; CODE XREF: KiInitializeMTRR+270j
		push	58h		; size_t
		xor	ecx, ecx
		push	ecx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_ABF5BC:				; CODE XREF: KiInitializeMTRR+296j
		xor	ecx, ecx
		jmp	loc_ABF339
; 

loc_ABF5C3:				; CODE XREF: KiInitializeMTRR+C1j
		mov	byte_6C75B0, 1
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		cmp	al, 2
		jnb	loc_ABF3DD
		push	ds:_ExPageLockHandle
		call	_MmLockPagableSectionByHandle@4	; MmLockPagableSectionByHandle(x)
		call	_KeRestoreMtrrBroadcast@0 ; KeRestoreMtrrBroadcast()
		mov	ecx, ds:_ExPageLockHandle
		xor	edx, edx
		call	MiLockPagableImageSection
		jmp	loc_ABF3DD
KiInitializeMTRR endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInitializeReservedCpuSets proc near	; CODE XREF: INIT:00AC0177p

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE48F9 SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	6
		pop	ecx
		push	1Eh
		xor	eax, eax
		mov	[ebp+var_30], offset sub_940092
		lea	edi, [ebp+var_20]
		mov	[ebp+var_2C], offset ??_C@_1JE@HGOMPPME@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		rep stosd
		pop	eax
		push	20h
		mov	word ptr [ebp+var_38], ax
		xor	esi, esi
		pop	eax
		mov	word ptr [ebp+var_38+2], ax
		lea	eax, [ebp+var_30]
		push	18h
		pop	edi
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_50]
		push	eax
		push	1
		lea	eax, [ebp+var_24]
		mov	[ebp+var_28], esi
		push	eax
		mov	[ebp+var_34], offset ??_C@_1CA@DLHALLFH@?$AAR?$AAe?$AAs?$AAe?$AAr?$AAv?$AAe?$AAd?$AAC?$AAp?$AAu?$AAS?$AAe?$AAt?$AAs@PBOPGDP@
		mov	[ebp+var_24], esi
		mov	ds:_KiReservedCpuSets, esi
		mov	[ebp+var_50], edi
		mov	[ebp+var_4C], esi
		mov	[ebp+var_44], 240h
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_ABF697
		lea	eax, [ebp+var_28]
		push	eax
		push	edi
		lea	eax, [ebp+var_20]
		push	eax
		push	2
		lea	eax, [ebp+var_38]
		push	eax
		push	[ebp+var_24]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_AE48F9

loc_ABF697:				; CODE XREF: KiInitializeReservedCpuSets+7Cj
					; KiInitializeReservedCpuSets+25303j ...
		cmp	[ebp+var_24], 0
		jz	short loc_ABF6A5
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)

loc_ABF6A5:				; CODE XREF: KiInitializeReservedCpuSets+A1j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
KiInitializeReservedCpuSets endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MmFreeLoaderBlock proc near		; CODE XREF: INIT:00AC018Dp

var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A2		= byte ptr -0A2h
var_A1		= byte ptr -0A1h
var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE4955 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, ds:_KeLoaderBlock
		lea	eax, [ebp+var_A0]
		push	edi
		push	98h		; size_t
		xor	edi, edi
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	eax, edi
		mov	[ebp+var_C0], edi
		mov	ebx, edi
		mov	[ebp+var_AC], edi
		lea	edi, [esi+18h]
		mov	[ebp+var_A8], eax
		mov	ecx, [edi]
		add	esp, 0Ch
		mov	[ebp+var_D4], edi
		cmp	ecx, edi
		jz	loc_ABF7E8

loc_ABF712:				; CODE XREF: MmFreeLoaderBlock+92j
		mov	edx, [ecx+10h]
		test	edx, edx
		jz	short loc_ABF740
		mov	eax, [ecx+8]
		cmp	eax, 13h
		jz	loc_ABFA54

loc_ABF725:				; CODE XREF: MmFreeLoaderBlock+3A2j
		cmp	eax, 7
		jz	loc_ABF840
		cmp	eax, 15h
		jz	loc_ABF840
		cmp	eax, 0Eh
		jz	loc_ABF840

loc_ABF740:				; CODE XREF: MmFreeLoaderBlock+63j
					; MmFreeLoaderBlock+192j
		mov	eax, [ecx]
		mov	ecx, eax
		cmp	eax, edi
		jnz	short loc_ABF712
		test	ebx, ebx
		jz	loc_ABF7E2
		push	0
		lea	ecx, ds:4[ebx*4]
		mov	edx, 624D6D4Dh
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_D8], esi
		test	esi, esi
		jz	short loc_ABF7E2
		mov	[esi], ebx
		lea	eax, [esi+4]
		and	[ebp+var_8C], 0
		mov	ecx, offset unk_6D3740
		mov	[ebp+var_C4], eax
		mov	[ebp+var_98], 21h
		call	MiLockWorkingSetShared
		mov	ebx, [edi]
		mov	[ebp+var_A2], al
		cmp	ebx, edi
		jz	short loc_ABF7C1

loc_ABF7A3:				; CODE XREF: MmFreeLoaderBlock+FFj
		cmp	dword ptr [ebx+8], 13h
		jz	loc_ABF861

loc_ABF7AD:				; CODE XREF: MmFreeLoaderBlock+1B2j
					; MmFreeLoaderBlock+329j
		mov	eax, [ebx]
		mov	ebx, eax
		cmp	eax, edi
		jnz	short loc_ABF7A3
		mov	esi, [ebp+var_D8]
		mov	al, [ebp+var_A2]

loc_ABF7C1:				; CODE XREF: MmFreeLoaderBlock+EDj
		mov	dl, al
		mov	ecx, offset unk_6D3740
		call	MiUnlockWorkingSetShared
		mov	ecx, esi
		mov	edx, offset dword_6D35A8
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	loc_AE4955

loc_ABF7E2:				; CODE XREF: MmFreeLoaderBlock+96j
					; MmFreeLoaderBlock+BBj ...
		mov	eax, [ebp+var_A8]

loc_ABF7E8:				; CODE XREF: MmFreeLoaderBlock+58j
		mov	ecx, eax
		mov	edx, 624D6D4Dh
		push	0
		shl	ecx, 3
		push	40h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_ABF831
		mov	ecx, [edi]
		mov	esi, ebx
		cmp	ecx, edi
		jz	short loc_ABF829

loc_ABF809:				; CODE XREF: MmFreeLoaderBlock+16Bj
		mov	eax, [ecx+8]
		cmp	eax, 7
		jz	short loc_ABF84B
		cmp	eax, 15h
		jz	short loc_ABF84B
		cmp	eax, 0Eh
		jz	short loc_ABF84B

loc_ABF81B:				; CODE XREF: MmFreeLoaderBlock+19Bj
					; MmFreeLoaderBlock+1ABj
		mov	ecx, [ecx]
		cmp	ecx, edi
		jnz	short loc_ABF809
		cmp	esi, ebx
		jnz	loc_ABFA90

loc_ABF829:				; CODE XREF: MmFreeLoaderBlock+153j
					; MmFreeLoaderBlock+3E1j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ABF831:				; CODE XREF: MmFreeLoaderBlock+14Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_ABF840:				; CODE XREF: MmFreeLoaderBlock+74j
					; MmFreeLoaderBlock+7Dj ...
		inc	[ebp+var_A8]
		jmp	loc_ABF740
; 

loc_ABF84B:				; CODE XREF: MmFreeLoaderBlock+15Bj
					; MmFreeLoaderBlock+160j ...
		cmp	dword ptr [ecx+10h], 0
		jz	short loc_ABF81B
		mov	eax, [ecx+0Ch]
		mov	[esi], eax
		mov	eax, [ecx+10h]
		mov	[esi+4], eax
		add	esi, 8
		jmp	short loc_ABF81B
; 

loc_ABF861:				; CODE XREF: MmFreeLoaderBlock+F3j
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	loc_ABF7AD
		and	[ebp+var_B8], 0
		xor	esi, esi
		mov	ecx, [ebx+0Ch]
		mov	[ebp+var_D0], ecx
		test	eax, eax
		jz	loc_ABF9B5
		imul	edx, ecx, 1Ch
		mov	[ebp+var_BC], esi
		mov	[ebp+var_B0], edx

loc_ABF895:				; CODE XREF: MmFreeLoaderBlock+2F5j
		mov	eax, ds:_MmPfnDatabase
		add	eax, edx
		mov	edx, [ebp+var_C4]
		mov	[ebp+var_CC], eax
		mov	ecx, [eax+4]
		or	ecx, 80000000h
		mov	edi, ecx
		mov	[ebp+var_C8], ecx
		shr	edi, 9
		mov	eax, ecx
		shl	eax, 9
		and	edi, offset loc_7FFFF8
		mov	[edx], eax
		add	edx, 4
		mov	[ebp+var_B4], eax
		mov	[ebp+var_C4], edx
		lea	eax, [edi-40000000h]
		cmp	esi, eax
		jnz	loc_ABF9E2

loc_ABF8E6:				; CODE XREF: MmFreeLoaderBlock+37Aj
		mov	edi, [ecx]
		nop
		mov	esi, [ecx+4]
		xor	edx, edx
		mov	ecx, [ebp+var_CC]
		call	_MiMarkPfnTradable@8 ; MiMarkPfnTradable(x,x)
		mov	edx, [ebp+var_B4]
		mov	ecx, offset unk_6D3740
		call	MiLocateWsle
		mov	edx, [ebp+var_B4]
		mov	ecx, offset unk_6D3740
		mov	al, [eax]
		and	al, 0FAh
		or	al, 0Ah
		mov	[ebp+var_A1], al
		call	MiLocateWsle
		mov	ecx, eax
		mov	al, [ebp+var_A1]
		mov	[ecx], al
		nop
		shrd	edi, esi, 0Ch
		push	4
		and	edi, 1FFFFFFh
		pop	edx
		mov	ecx, edi
		call	_MiMakeTransitionPte@8 ; MiMakeTransitionPte(x,x)
		mov	ecx, [ebp+var_C8]
		mov	[ebp+var_E0], eax
		mov	[ebp+var_DC], edx
		mov	[ecx], eax
		nop
		mov	[ecx+4], edx
		cmp	[ebp+var_94], 0
		jz	loc_ABFA33
		inc	[ebp+var_AC]

loc_ABF96F:				; CODE XREF: MmFreeLoaderBlock+39Bj
		mov	edx, [ebp+var_B4]
		lea	ecx, [ebp+var_A0]
		push	0
		push	1
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		mov	ecx, [ebp+var_B8]
		mov	edx, [ebp+var_B0]
		inc	ecx
		mov	esi, [ebp+var_BC]
		add	edx, 1Ch
		mov	[ebp+var_B8], ecx
		mov	[ebp+var_B0], edx
		cmp	ecx, [ebx+10h]
		jb	loc_ABF895
		mov	edi, [ebp+var_D4]

loc_ABF9B5:				; CODE XREF: MmFreeLoaderBlock+1CCj
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		mov	edx, [ebp+var_AC]
		mov	ecx, [ebp+var_C0]
		call	MiFreeRegistryPageRange
		mov	edx, esi
		mov	ecx, offset unk_6D3740
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	loc_ABF7AD
; 

loc_ABF9E2:				; CODE XREF: MmFreeLoaderBlock+22Cj
		test	esi, esi
		jz	short loc_ABFA0E
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		mov	edx, [ebp+var_AC]
		mov	ecx, [ebp+var_C0]
		call	MiFreeRegistryPageRange
		mov	edx, esi
		mov	ecx, offset unk_6D3740
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)

loc_ABFA0E:				; CODE XREF: MmFreeLoaderBlock+330j
		lea	eax, [edi-40000000h]
		mov	ecx, offset unk_6D3740
		push	0
		mov	edx, eax
		mov	[ebp+var_BC], eax
		call	MiLockPageTableInternal
		mov	ecx, [ebp+var_C8]
		jmp	loc_ABF8E6
; 

loc_ABFA33:				; CODE XREF: MmFreeLoaderBlock+2AFj
		mov	eax, [ebp+var_B8]
		add	eax, [ebp+var_D0]
		mov	[ebp+var_C0], eax
		mov	[ebp+var_AC], 1
		jmp	loc_ABF96F
; 

loc_ABFA54:				; CODE XREF: MmFreeLoaderBlock+6Bj
		add	ebx, edx
		jmp	loc_ABF725
; 

loc_ABFA5B:				; CODE XREF: MmFreeLoaderBlock+3BFj
					; MmFreeLoaderBlock+409j
		lea	edx, [edx+1Ch]
		add	edi, 8
		mov	eax, [edx]
		or	eax, 80000000h
		cmp	eax, edi
		jnz	short loc_ABFAC1
		sub	[ebp+var_B0], 1
		jnz	short loc_ABFA5B

loc_ABFA75:				; CODE XREF: MmFreeLoaderBlock+40Bj
					; MmFreeLoaderBlock+426j
		mov	eax, ds:_MmPfnDatabase
		mov	edx, [esi+4]
		push	ecx
		imul	ecx, [esi], 1Ch
		mov	ecx, [ecx+eax+4]
		or	ecx, 80000000h
		call	MiDeleteBootRange

loc_ABFA90:				; CODE XREF: MmFreeLoaderBlock+16Fj
					; MmFreeLoaderBlock+424j
		sub	esi, 8
		cmp	esi, ebx
		jb	loc_ABF829
		imul	edx, [esi], 1Ch
		mov	eax, [esi+4]
		add	edx, 4
		add	edx, ds:_MmPfnDatabase
		mov	ecx, [edx]
		or	ecx, 80000000h
		sub	eax, 1
		mov	edi, ecx
		mov	[ebp+var_B0], eax
		jnz	short loc_ABFA5B
		jmp	short loc_ABFA75
; 

loc_ABFAC1:				; CODE XREF: MmFreeLoaderBlock+3B6j
		sub	edi, ecx
		sar	edi, 3
		push	ecx
		mov	edx, edi
		call	MiDeleteBootRange
		sub	[esi+4], edi
		add	[esi], edi
		add	esi, 8
		test	edi, edi
		jnz	short loc_ABFA90
		jmp	short loc_ABFA75
MmFreeLoaderBlock endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiFreeRegistryPageRange	proc near	; CODE XREF: MmFreeLoaderBlock+318p
					; MmFreeLoaderBlock+349p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE4965 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		push	0
		mov	ebx, edx
		mov	esi, ecx
		push	80h
		mov	[ebp+var_4], ebx
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], edx
		test	ebx, ebx
		jz	short loc_ABFB49
		imul	ebx, esi, 1Ch

loc_ABFB07:				; CODE XREF: MiFreeRegistryPageRange+6Bj
		mov	edi, ds:_MmPfnDatabase
		add	edi, ebx
		and	[ebp+var_8], 0
		lea	esi, [edi+10h]

loc_ABFB16:				; CODE XREF: MiFreeRegistryPageRange+24E97j
		lock bts dword ptr [esi], 1Fh
		jb	loc_AE4965
		mov	eax, [ebp+var_C]
		mov	ecx, edi
		mov	[edi+8], eax
		mov	eax, [ebp+var_10]
		mov	[edi+0Ch], eax
		or	byte ptr [edi+16h], 10h
		call	MiDecrementShareCount
		mov	eax, 7FFFFFFFh
		lock and [esi],	eax
		add	ebx, 1Ch
		sub	[ebp+var_4], 1
		jnz	short loc_ABFB07

loc_ABFB49:				; CODE XREF: MiFreeRegistryPageRange+26j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiFreeRegistryPageRange	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInitializeVelocity()
_KiInitializeVelocity@0	proc near	; CODE XREF: INIT:00AC01A0p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, _Feature_SchedulerAssistReflectPriority__private_featureState
		test	al, 10h
		jnz	short loc_ABFB66
		push	0
		push	eax
		call	_Feature_SchedulerAssistReflectPriority__private_ReportUsageFallback@12	; Feature_SchedulerAssistReflectPriority__private_ReportUsageFallback(x,x,x)

loc_ABFB66:				; CODE XREF: KiInitializeVelocity()+Ej
		call	_Feature_SchedulerAssistPreemptionPriorityKick__private_ReportDeviceUsage@0 ; Feature_SchedulerAssistPreemptionPriorityKick__private_ReportDeviceUsage()
		or	ds:_KiVelocityFlags, 2
		call	_Feature_SchedulerAssistThreadFlag__private_ReportDeviceUsage@0	; Feature_SchedulerAssistThreadFlag__private_ReportDeviceUsage()
		or	ds:_KiVelocityFlags, 4
		call	_Feature_SchedulerAssistForegroundBoostBias__private_ReportDeviceUsage@0 ; Feature_SchedulerAssistForegroundBoostBias__private_ReportDeviceUsage()
		call	_Feature_SchedulerAssistEnableBAM__private_ReportDeviceUsage@0 ; Feature_SchedulerAssistEnableBAM__private_ReportDeviceUsage()
		or	ds:_KiVelocityFlags, 10h
		call	_Feature_SchedulerAssistSpinLock__private_ReportDeviceUsage@0 ;	Feature_SchedulerAssistSpinLock__private_ReportDeviceUsage()
		or	ds:_KiVelocityFlags, 20h
		call	_Feature_SchedulerAssistHRTimer__private_ReportDeviceUsage@0 ; Feature_SchedulerAssistHRTimer__private_ReportDeviceUsage()
		or	ds:_KiVelocityFlags, 40h
		call	_Feature_SchedulerAggressiveForegroundBoost__private_ReportDeviceUsage@0 ; Feature_SchedulerAggressiveForegroundBoost__private_ReportDeviceUsage()
		mov	ds:_KiForegroundBoostTicks, 1
		call	_Feature_SchedulerAssistAllowRealTime__private_ReportDeviceUsage@0 ; Feature_SchedulerAssistAllowRealTime__private_ReportDeviceUsage()
		or	ds:_KiVelocityFlags, 80h
		call	_Feature_SchedulerAssistLongSpinWait__private_ReportDeviceUsage@0 ; Feature_SchedulerAssistLongSpinWait__private_ReportDeviceUsage()
		or	ds:_KiVelocityFlags, 400h
		call	_Feature_ReduceTimerWakes__private_ReportDeviceUsage@0 ; Feature_ReduceTimerWakes__private_ReportDeviceUsage()
		or	ds:_KiVelocityFlags, 2000h
		call	_Feature_DisableLowQosTimerResolution__private_ReportDeviceUsage@0 ; Feature_DisableLowQosTimerResolution__private_ReportDeviceUsage()
		call	_KiIsDisableFgBoostDecayFeatureStateSet@0 ; KiIsDisableFgBoostDecayFeatureStateSet()
		test	al, al
		jz	short locret_ABFBF8
		mov	ds:_KiForegrounBoostVelocityFlag, 1

locret_ABFBF8:				; CODE XREF: KiInitializeVelocity()+A1j
		leave
		retn
_KiInitializeVelocity@0	endp

; 

; __stdcall Phase1InitializationIoReady(x, x)
_Phase1InitializationIoReady@8:		; CODE XREF: Phase1Initialization(x)+3Fp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		cmp	_CmStateSeparationEnabled, 0
		push	ebx
		push	esi
		push	edi
		setnz	byte ptr [esp+0Ch]
		mov	bl, dl
		push	dword ptr [esp+0Ch]
		mov	esi, ecx
		call	ds:__imp__ExpInitializeStateSeparationPhase1@4 ; ExpInitializeStateSeparationPhase1(x)
		test	eax, eax
		jns	short loc_ABFC2F
		cmp	eax, 0C00000BBh
		jnz	loc_ABFD79

loc_ABFC2F:				; CODE XREF: INIT:00ABFC22j
		call	_CmInitSystem2@0 ; CmInitSystem2()
		xor	ecx, ecx
		mov	edx, esi
		inc	ecx
		call	EmInitSystem
		test	eax, eax
		jns	short loc_ABFC4E
		push	0
		push	1
		push	8
		push	eax
		jmp	loc_ABFD7F
; 

loc_ABFC4E:				; CODE XREF: INIT:00ABFC40j
		call	ds:__imp__TmInitSystemPhase2@0 ; TmInitSystemPhase2()
		push	64h
		pop	edx
		xor	ecx, ecx
		call	_InbvSetProgressBarSubset@8 ; InbvSetProgressBarSubset(x,x)
		cmp	_InitSafeBootMode, 0
		jz	short loc_ABFC6E
		mov	cl, bl
		call	_InitSafeBoot@4	; InitSafeBoot(x)

loc_ABFC6E:				; CODE XREF: INIT:00ABFC65j
		push	2
		pop	edi
		mov	ecx, edi
		call	_SmInitSystem@4	; SmInitSystem(x)
		mov	ecx, edi
		call	_VmInitSystem@4	; VmInitSystem(x)
		mov	edx, esi
		mov	ecx, edi
		call	MmInitSystem
		call	SaveNodeDistanceInformation
		call	_KeI386VdmInitialize@0 ; KeI386VdmInitialize()
		cmp	_CmProcessorMismatch, 0
		jz	short loc_ABFCC1
		mov	cl, 98h
		call	_IoAllocateGenericErrorLogEntry@4 ; IoAllocateGenericErrorLogEntry(x)
		test	eax, eax
		jz	short loc_ABFCC1
		mov	ecx, 40000029h
		mov	[eax+14h], ecx
		mov	[eax+0Ch], ecx
		movzx	ecx, _CmProcessorMismatch
		push	eax
		mov	[eax+10h], ecx
		call	IoWriteErrorLogEntry

loc_ABFCC1:				; CODE XREF: INIT:00ABFC99j
					; INIT:00ABFCA4j
		push	3
		mov	edx, esi
		pop	ecx
		call	PoInitSystem
		test	al, al
		jz	loc_ABFD86
		mov	edx, esi
		mov	ecx, edi
		call	KeInitializeClock
		push	3
		pop	ecx
		call	_KeInitSystem@4	; KeInitSystem(x)
		call	_ExInitTraceLogging@0 ;	ExInitTraceLogging()
		call	_ExLogTimeZoneInformation@0 ; ExLogTimeZoneInformation()
		call	ExInitLicenseData
		mov	edx, esi
		mov	ecx, edi
		call	PsInitSystem
		test	al, al
		jnz	short loc_ABFD07
		push	6Bh
		jmp	loc_ABFD8B
; 

loc_ABFD07:				; CODE XREF: INIT:00ABFCFEj
		call	_MmInitSystemDll@0 ; MmInitSystemDll()
		call	_SeRmInitPhase1@0 ; SeRmInitPhase1()
		test	al, al
		jnz	short loc_ABFD19
		push	6Ch
		jmp	short loc_ABFD8B
; 

loc_ABFD19:				; CODE XREF: INIT:00ABFD13j
		call	_FsRtlInitSystem2@0 ; FsRtlInitSystem2()
		call	StartFirstUserProcess
		inc	_InitializationPhase
		xor	esi, esi
		push	esi
		push	esi
		push	_ExCbPhase1InitComplete
		call	_ExNotifyCallback@12 ; ExNotifyCallback(x,x,x)
		cmp	_ViVerifierEnabled, esi
		jz	short loc_ABFD48
		push	5
		pop	ecx
		call	_VfNotifyVerifierOfEvent@4 ; VfNotifyVerifierOfEvent(x)

loc_ABFD48:				; CODE XREF: INIT:00ABFD3Ej
		cmp	_VfClearanceFlag, esi
		jz	short loc_ABFD55
		call	_VfClearVerifierSettings@0 ; VfClearVerifierSettings()

loc_ABFD55:				; CODE XREF: INIT:00ABFD4Ej
		xor	ecx, ecx
		call	_ExQueryBootEntropyInformation@4 ; ExQueryBootEntropyInformation(x)
		push	4
		pop	ecx
		call	_KeInitSystem@4	; KeInitSystem(x)
		test	al, al
		jnz	short loc_ABFD72
		push	esi
		push	edi
		push	esi
		push	0C0000001h
		jmp	short loc_ABFD7F
; 

loc_ABFD72:				; CODE XREF: INIT:00ABFD66j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_ABFD79:				; CODE XREF: INIT:00ABFC29j
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		push	esi

loc_ABFD7F:				; CODE XREF: INIT:00ABFC49j
					; INIT:00ABFD70j
		push	32h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_ABFD86:				; CODE XREF: INIT:00ABFCCDj
		push	0A0h

loc_ABFD8B:				; CODE XREF: INIT:00ABFD02j
					; INIT:00ABFD17j
		call	_KeBugCheck@4	; KeBugCheck(x)
; 
		db 2 dup(0CCh)
; 

; __stdcall KeInitSystem(x)
_KeInitSystem@4:			; CODE XREF: INIT:00ABFCDFp
					; INIT:00ABFD5Fp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		xor	eax, eax
		inc	eax
		push	ebx
		push	esi
		push	edi
		test	ecx, ecx
		jnz	loc_ABFE3E
		mov	esi, large fs:20h
		xor	ebx, ebx
		mov	eax, ds:_KeFeatureBits2
		and	eax, 8000h
		or	eax, ebx
		jz	short loc_ABFDF5
		cmp	ds:_KiDisableTsx, ebx
		jz	short loc_ABFDF5
		mov	edi, [esi+3F38h]
		mov	eax, edi
		mov	edx, [esi+3F3Ch]
		and	eax, 3
		cmp	eax, 3
		jz	short loc_ABFDF5
		or	edi, 3
		mov	[esi+3F3Ch], edx
		mov	ecx, 122h
		mov	[esi+3F38h], edi
		mov	eax, edi
		wrmsr

loc_ABFDF5:				; CODE XREF: INIT:00ABFDBDj
					; INIT:00ABFDC5j ...
		call	_KiDetectTsx@0	; KiDetectTsx()
		mov	ecx, esi
		mov	ds:_KiTsxSupported, eax
		call	KeInitializeSchedulerAssist
		call	KeI386InitializeSEHOP
		mov	ecx, esi
		call	KeInitializeTimerTable
		test	eax, eax
		js	loc_AC01C4
		mov	ecx, _KiHrIncrement
		mov	eax, ds:_KeMinimumIncrement
		cmp	ecx, eax
		jb	short loc_ABFE31
		cmp	ecx, ds:_KeMaximumIncrement
		jbe	short loc_ABFE36

loc_ABFE31:				; CODE XREF: INIT:00ABFE27j
		mov	_KiHrIncrement,	eax

loc_ABFE36:				; CODE XREF: INIT:00ABFE2Fj
					; INIT:00AC0141j ...
		xor	eax, eax
		inc	eax

loc_ABFE39:				; CODE XREF: INIT:00AC0155j
					; INIT:00AC01BFj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_ABFE3E:				; CODE XREF: INIT:00ABFDA2j
		cmp	ecx, eax
		jnz	loc_AC015A
		mov	ecx, 8000h
		mov	eax, offset unk_7111B8
		lock or	[eax], ecx
		mov	ecx, 400000h
		mov	eax, offset unk_711468
		lock or	[eax], ecx
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	ecx, ds:_KeMaximumIncrement
		mov	ebx, eax
		xor	edx, edx
		mov	[ebp-4], ebx
		lea	eax, [ecx+1C9C37Fh]
		div	ecx
		xor	edx, edx
		dec	eax
		add	eax, ebx
		div	ebx
		mov	ds:_KiClockKeepAliveCycle, al
		call	HviIsAnyHypervisorPresent
		xor	ebx, ebx
		test	al, al
		jz	short loc_ABFEC1
		cmp	ds:_HvlHypervisorConnected, bl
		jz	short loc_ABFEAB
		test	byte ptr ds:_HvlEnlightenments,	20h
		jnz	short loc_ABFEAB
		mov	ecx, ebx
		jmp	short loc_ABFEBC
; 

loc_ABFEAB:				; CODE XREF: INIT:00ABFE9Cj
					; INIT:00ABFEA5j
		xor	eax, eax
		mov	ds:_KeDpcWatchdogPeriod, ebx
		inc	eax
		mov	ds:_KiDPCTimeout, ebx
		mov	ecx, eax

loc_ABFEBC:				; CODE XREF: INIT:00ABFEA9j
		call	_KeRelaxTimingConstraints@4 ; KeRelaxTimingConstraints(x)

loc_ABFEC1:				; CODE XREF: INIT:00ABFE94j
		mov	ecx, ds:_KeDpcWatchdogPeriod
		test	ecx, ecx
		jz	short loc_ABFEED
		mov	eax, 7D0h
		cmp	ecx, eax
		jnb	short loc_ABFEDC
		mov	ecx, eax
		mov	ds:_KeDpcWatchdogPeriod, ecx

loc_ABFEDC:				; CODE XREF: INIT:00ABFED2j
		mov	eax, 3A980h
		cmp	ecx, eax
		jbe	short loc_ABFEED
		mov	ecx, eax
		mov	ds:_KeDpcWatchdogPeriod, ecx

loc_ABFEED:				; CODE XREF: INIT:00ABFEC9j
					; INIT:00ABFEE3j
		mov	esi, ds:_KiDPCTimeout
		test	esi, esi
		jz	short loc_ABFF16
		cmp	esi, 14h
		jnb	short loc_ABFF05
		push	14h
		pop	esi
		mov	ds:_KiDPCTimeout, esi

loc_ABFF05:				; CODE XREF: INIT:00ABFEFAj
		mov	eax, 4E20h
		cmp	esi, eax
		jbe	short loc_ABFF16
		mov	esi, eax
		mov	ds:_KiDPCTimeout, esi

loc_ABFF16:				; CODE XREF: INIT:00ABFEF5j
					; INIT:00ABFF0Cj
		cmp	_ViVerifierEnabled, ebx
		jz	short loc_ABFF55
		mov	edx, ds:_KeVerifierDpcScalingFactor
		xor	eax, eax
		inc	eax
		cmp	edx, eax
		jnb	short loc_ABFF33
		mov	edx, eax
		mov	ds:_KeVerifierDpcScalingFactor,	edx

loc_ABFF33:				; CODE XREF: INIT:00ABFF29j
		cmp	edx, 64h
		jbe	short loc_ABFF41
		push	64h
		pop	edx
		mov	ds:_KeVerifierDpcScalingFactor,	edx

loc_ABFF41:				; CODE XREF: INIT:00ABFF36j
		mov	eax, edx
		imul	ecx, eax
		imul	esi, edx
		mov	ds:_KeDpcWatchdogPeriod, ecx
		mov	ds:_KiDPCTimeout, esi

loc_ABFF55:				; CODE XREF: INIT:00ABFF1Cj
		test	ecx, ecx
		jz	loc_AC0000
		test	esi, esi
		jz	loc_AC0000
		cmp	esi, ecx
		jnb	loc_AC0000
		mov	edi, ds:_KeDpcWatchdogProfileOffset
		test	edi, edi
		jz	loc_AC0000
		mov	edx, 3E8h
		cmp	edi, edx
		ja	short loc_ABFF8C
		mov	edi, edx
		mov	ds:_KeDpcWatchdogProfileOffset,	edi

loc_ABFF8C:				; CODE XREF: INIT:00ABFF82j
		cmp	edi, ecx
		jbe	short loc_ABFFA7
		mov	eax, 2710h
		cmp	eax, ecx
		sbb	edi, edi
		and	edi, 2328h
		add	edi, edx
		mov	ds:_KeDpcWatchdogProfileOffset,	edi

loc_ABFFA7:				; CODE XREF: INIT:00ABFF8Ej
		mov	eax, ecx
		sub	eax, edi
		mov	_KiDpcWatchdogProfileCumulativeDpcThreshold, eax
		cmp	eax, edx
		jnb	short loc_ABFFBC
		mov	_KiDpcWatchdogProfileCumulativeDpcThreshold, edx
		mov	eax, edx

loc_ABFFBC:				; CODE XREF: INIT:00ABFFB2j
		push	ebx
		imul	eax, esi
		push	ecx
		push	ebx
		push	eax
		call	__aulldiv
		cmp	edx, ebx
		ja	short loc_ABFFD1
		cmp	eax, 0FFFFFFFFh
		jbe	short loc_ABFFD4

loc_ABFFD1:				; CODE XREF: INIT:00ABFFCAj
		or	eax, 0FFFFFFFFh

loc_ABFFD4:				; CODE XREF: INIT:00ABFFCFj
		sub	esi, eax
		mov	_KiDpcWatchdogProfileSingleDpcThreshold, eax
		cmp	esi, edi
		jbe	short loc_ABFFE5
		mov	_KiDpcWatchdogProfileSingleDpcThreshold, ebx

loc_ABFFE5:				; CODE XREF: INIT:00ABFFDDj
		xor	edx, edx
		mov	eax, edi
		mov	ecx, 3E8h
		div	ecx
		imul	eax, 0D40h
		mov	_KiDpcWatchdogProfileArrayLength, eax
		mov	ds:dword_7050A0, eax

loc_AC0000:				; CODE XREF: INIT:00ABFF57j
					; INIT:00ABFF5Fj ...
		mov	edi, [ebp-4]
		mov	esi, ebx
		test	edi, edi
		jz	short loc_AC0037

loc_AC0009:				; CODE XREF: INIT:00AC0035j
		mov	eax, ds:_KiProcessorBlock[esi*4]
		mov	ecx, eax
		mov	[ebp-4], eax
		call	KiInitializeProcessor
		cmp	ds:_KeThreadDpcEnable, ebx
		jz	short loc_AC0032
		mov	ecx, [ebp-4]
		call	KiStartDpcThread
		test	eax, eax
		js	loc_AC0153

loc_AC0032:				; CODE XREF: INIT:00AC0020j
		inc	esi
		cmp	esi, edi
		jb	short loc_AC0009

loc_AC0037:				; CODE XREF: INIT:00AC0007j
		call	KiComputeNumaCosts
		test	al, al
		jz	loc_AC0153
		mov	ecx, (offset loc_640004+1)
		call	@SymCryptInitEnvWindowsKernelmodeWin8_1nLater@4	; SymCryptInitEnvWindowsKernelmodeWin8_1nLater(x)
		call	_KiIntSteerInit@0 ; KiIntSteerInit()
		call	_KiExtendedSupervisorStateSupported@0 ;	KiExtendedSupervisorStateSupported()
		push	6
		pop	ecx
		test	al, al
		jz	short loc_AC00A3
		xor	eax, eax
		mov	[ebp-24h], cx
		mov	[ebp-22h], ax
		mov	ecx, offset _KiSupervisorStateExtensionHost
		push	0Ch
		pop	eax
		mov	[ebp-28h], ax
		xor	eax, eax
		inc	eax
		mov	dword ptr [ebp-20h], 200h
		mov	[ebp-26h], ax
		lea	eax, [ebp-28h]
		push	eax
		mov	dword ptr [ebp-1Ch], (offset loc_404D0B+5)
		mov	[ebp-18h], ebx
		mov	[ebp-14h], ebx
		call	ExRegisterHost
		test	eax, eax
		jns	short loc_AC00A3
		mov	_KiSupervisorStateExtensionHost, ebx

loc_AC00A3:				; CODE XREF: INIT:00AC005Dj
					; INIT:00AC009Bj
		call	KiInitMachineDependent
		test	al, al

loc_AC00AA:				; DATA XREF: DbgkpWerIsFullLiveDumpDisabled()+15o
		jz	loc_AC0153
		mov	ecx, ds:_KiProcessorBlock
		xor	eax, eax
		lea	edx, [eax+1]
		call	_KeQueryCycleCounterFrequency@8	; KeQueryCycleCounterFrequency(x,x)
		mov	ecx, eax
		mov	eax, edx
		mul	ds:_KeMaximumIncrement
		push	0
		mov	edi, eax
		mov	eax, ecx
		mul	ds:_KeMaximumIncrement
		push	0Ah
		add	edi, edx
		push	edi
		push	eax
		call	__aulldiv
		push	0
		push	0F0h
		mov	esi, edx
		mov	edi, eax
		push	esi
		push	edi
		call	__aulldiv
		push	0
		push	3
		push	esi
		push	edi
		mov	ds:_KiShortExecutionCycles, eax
		call	__aulldiv
		mov	ecx, ds:_KiProcessorBlock
		xor	dl, dl
		mov	ds:_KiCyclesPerClockQuantum, eax
		mov	ds:_KiDirectQuantumTarget, eax
		imul	eax, 3
		mov	ds:_KiLockQuantumTarget, eax
		call	_KeQueryCycleCounterFrequency@8	; KeQueryCycleCounterFrequency(x,x)
		mov	ecx, eax
		mov	eax, edx
		push	6
		pop	edi
		mul	edi
		mov	esi, eax
		mov	eax, ecx
		mul	edi
		add	esi, edx
		bsr	ecx, esi
		jz	short loc_AC0146
		add	ecx, 20h
		mov	ds:_KiFavoredCoreCycleTimeBits,	ecx
		jmp	loc_ABFE36
; 

loc_AC0146:				; CODE XREF: INIT:00AC0136j
		bsr	eax, eax
		mov	ds:_KiFavoredCoreCycleTimeBits,	eax
		jmp	loc_ABFE36
; 

loc_AC0153:				; CODE XREF: INIT:00AC002Cj
					; INIT:00AC003Ej ...
		xor	al, al
		jmp	loc_ABFE39
; 

loc_AC015A:				; CODE XREF: INIT:00ABFE40j
		cmp	ecx, 2
		jnz	short loc_AC0172
		push	0
		xor	edx, edx
		mov	ecx, offset dword_6B1F28
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		jmp	loc_ABFE36
; 

loc_AC0172:				; CODE XREF: INIT:00AC015Dj
		cmp	ecx, 3
		jnz	short loc_AC0181
		call	KiInitializeReservedCpuSets
		jmp	loc_ABFE36
; 

loc_AC0181:				; CODE XREF: INIT:00AC0175j
		mov	esi, offset _KiDynamicProcessorLock
		mov	ecx, esi
		call	ExAcquireFastMutexUnsafe
		call	MmFreeLoaderBlock
		and	ds:_KeLoaderBlock, 0
		mov	ecx, esi
		call	@ExReleaseFastMutexUnsafe@4 ; ExReleaseFastMutexUnsafe(x)
		call	_KiInitializeVelocity@0	; KiInitializeVelocity()
		call	KiRegisterForDisableFgBoostDecayRegistryNotification
		call	HviIsAnyHypervisorPresent
		test	al, al
		jnz	loc_ABFE36
		xor	eax, eax
		inc	eax
		mov	ds:_KeEnableWatchdogTimeout, al
		jmp	loc_ABFE39
; 

loc_AC01C4:				; CODE XREF: INIT:00ABFE14j
		push	ebx
		push	ebx
		push	1
		push	eax
		push	31h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoInitSystem	proc near		; CODE XREF: Phase1Initialization(x)+31p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE4978 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	ecx
		mov	[esp+8+var_4], offset _IopInitFailCode
		call	_IoInitSystemPreDrivers@4 ; IoInitSystemPreDrivers(x)
		test	al, al
		jz	loc_AE498C
		call	ds:__imp__WerLiveKernelInitSystem@0 ; WerLiveKernelInitSystem()
		call	IopInitializeSystemDrivers
		test	eax, eax
		jz	loc_AE4993
		cmp	_PnpBootOptions, 0
		jz	short loc_AC0221

loc_AC020D:				; CODE XREF: IoInitSystem+54j
		cmp	_ViVerifierEnabled, 0
		jnz	short loc_AC0228

loc_AC0216:				; CODE XREF: IoInitSystem+5Dj
		call	IopRegistryInitializeCallbacks
		mov	al, 1

loc_AC021D:				; CODE XREF: IoInitSystem+247BCj
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_AC0221:				; CODE XREF: IoInitSystem+39j
		call	_PnpSerializeBoot@0 ; PnpSerializeBoot()
		jmp	short loc_AC020D
; 

loc_AC0228:				; CODE XREF: IoInitSystem+42j
		xor	ecx, ecx
		call	_VfNotifyVerifierOfEvent@4 ; VfNotifyVerifierOfEvent(x)
		jmp	short loc_AC0216
IoInitSystem	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopSleepstudyInitialize()
_PopSleepstudyInitialize@0 proc	near	; CODE XREF: PopDiagSleepStudyInitialize():loc_88939Ap

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		imul	esi, dword_6BF0B0, 60h
		lea	ecx, [ebp+var_8]
		xor	ebx, ebx
		mov	_PopSleepstudySessionLock, ebx
		mov	dword_6BF3BC, ebx
		add	esi, offset dword_6BF0B8
		mov	[esi], ebx
		mov	dword ptr [esi+20h], 1
		call	_RtlGetInterruptTimePrecise@4 ;	RtlGetInterruptTimePrecise(x)
		mov	[esi+14h], edx
		mov	ecx, offset unk_6BF048
		mov	[esi+10h], eax
		mov	edx, offset _PopSleepstudyScenarioStopTimerCallback@8 ;	PopSleepstudyScenarioStopTimerCallback(x,x)
		push	8
		push	ebx
		mov	dword_6BF0A8, offset _PopSleepstudyScenarioStopWorker@4	; PopSleepstudyScenarioStopWorker(x)
		mov	dword_6BF0AC, ebx
		mov	dword_6BF0A0, ebx
		mov	word_6BF04A, bx
		call	_KiInitializeTimer2@16 ; KiInitializeTimer2(x,x,x,x)
		pop	esi
		pop	ebx
		leave
		retn
_PopSleepstudyInitialize@0 endp


;  S U B	R O U T	I N E 


; __stdcall SshpSubscribeCallbacks()
_SshpSubscribeCallbacks@0 proc near	; CODE XREF: SshInitialize+9Dp
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		sub	esp, 0Ch
		call	_SSHSupportRegisterPowerSettingCallback@20 ; SSHSupportRegisterPowerSettingCallback(x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_AC02F8
		xor	esi, esi
		mov	_SshpPowerSettingHandleInitialized, 1
		push	esi
		push	offset _SshpWnfCallback@24 ; SshpWnfCallback(x,x,x,x,x,x)
		push	esi
		push	1
		push	offset _WNF_PO_UMPO_SCENARIO_CHANGE
		push	offset _SshpWnfSubscription
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_AC02F8
		mov	edi, offset _SshpSessionGuid
		mov	_SshpWnfSubscriptionInitialized, 1
		xor	eax, eax
		mov	_SshpSessionId,	esi
		mov	dword_6BEF84, esi
		stosd
		stosd
		stosd
		stosd

loc_AC02F8:				; CODE XREF: SshpSubscribeCallbacks()+11j
					; SshpSubscribeCallbacks()+38j
		pop	edi
		mov	eax, ecx
		pop	esi
		pop	ecx
		retn
_SshpSubscribeCallbacks@0 endp


;  S U B	R O U T	I N E 


; __stdcall KiAllocateCpuSetData(x)
_KiAllocateCpuSetData@4	proc near	; CODE XREF: KeStartAllProcessors+F4p
		movzx	eax, ds:_KiMaximumGroups
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		cmp	eax, 1
		jnz	short loc_AC0368

loc_AC030F:				; CODE XREF: KiAllocateCpuSetData(x)+6Fj
		imul	ebx, esi, 18h
		push	2020654Bh
		push	ebx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AC036F
		push	ebx		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	edx, esi
		mov	ds:_KiCpuSetAffinities,	edi
		shl	edx, 2
		add	esp, 0Ch
		add	edi, edx
		mov	ds:_KiCpuSetAffinitySize, edx
		mov	ds:_KiCpuSetAffinitiesShadow, edi
		lea	ecx, [edx+edi]
		mov	ds:_KiCpuSetData, ecx
		mov	ecx, ds:_KiProcessorBlock
		call	KiCreateCpuSetForProcessor
		xor	eax, eax
		inc	eax

loc_AC0364:				; CODE XREF: KiAllocateCpuSetData(x)+73j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_AC0368:				; CODE XREF: KiAllocateCpuSetData(x)+Fj
		mov	esi, eax
		shl	esi, 5
		jmp	short loc_AC030F
; 

loc_AC036F:				; CODE XREF: KiAllocateCpuSetData(x)+28j
		xor	eax, eax
		jmp	short loc_AC0364
_KiAllocateCpuSetData@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall Phase1InitializationDiscard(x)
_Phase1InitializationDiscard@4 proc near ; CODE	XREF: Phase1Initialization(x)+1Cp

var_12A		= byte ptr -12Ah
var_129		= byte ptr -129h
var_124		= dword	ptr -124h
var_11A		= byte ptr -11Ah
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_100		= dword	ptr -100h
var_F8		= dword	ptr -0F8h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_DE		= byte ptr -0DEh
var_DC		= dword	ptr -0DCh
var_D6		= byte ptr -0D6h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_24		= byte ptr -24h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0DCh+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+0E8h+var_2C]
		stosd
		xor	ebx, ebx
		mov	esi, ecx
		mov	[esp+0E8h+var_C8], ebx
		push	9
		pop	ecx
		stosd
		mov	[esp+0E8h+var_BC], esi
		mov	[esp+0E8h+var_C4], ebx
		mov	[esp+0E8h+var_A0], ebx
		stosd
		mov	[esp+0E8h+var_9C], ebx
		mov	[esp+0E8h+var_68], ebx
		mov	[esp+0E8h+var_64], ebx
		stosd
		xor	eax, eax
		lea	edi, [esp+0E8h+var_50]
		mov	[esp+0E8h+var_78], ebx
		rep stosd
		mov	[esp+0E8h+var_74], ebx
		mov	[esp+0E8h+var_AC], ebx
		mov	[esp+0E8h+var_70], ebx
		mov	[esp+0E8h+var_6C], ebx
		mov	[esp+0E8h+var_D0], ebx
		mov	[esp+0E8h+var_8C], ebx
		mov	[esp+13h], bl
		mov	[esp+0E8h+var_94], ebx
		mov	[esp+0E8h+var_90], ebx
		mov	[esp+0E8h+var_58], ebx
		mov	[esp+0E8h+var_54], ebx
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		push	74696E49h
		mov	eax, [eax+268h]
		mov	[esp+0ECh+var_A8], eax
		mov	eax, 200h
		push	eax
		push	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+0E8h+var_D4], edi
		test	edi, edi
		jz	loc_AC119E
		lea	eax, [edi+100h]
		mov	[esp+0E8h+var_D6], bl
		mov	[esp+0E8h+var_7C], eax
		xor	eax, eax
		inc	eax
		mov	_InitializationPhase, eax
		mov	eax, large fs:124h
		push	1Fh
		push	eax
		call	KeSetPriorityThread
		mov	eax, [esi+78h]
		test	eax, eax
		jz	short loc_AC046C
		push	eax		; char *
		call	__strupr
		pop	ecx
		mov	ebx, eax

loc_AC046C:				; CODE XREF: Phase1InitializationDiscard(x)+EDj
		test	ebx, ebx
		jz	loc_AC05AC
		push	offset ??_C@_0BF@OIDMGEAM@?5HYPERVISORROOTPROC?$DN@PBOPGDP@ ; "	HYPERVISORROOTPROC="
		push	ebx		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC04A3
		push	offset ??_C@_01NEMOKFLO@?$DN@PBOPGDP@ ;	char *
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC04A3
		inc	eax
		push	eax		; char *
		call	_atol
		pop	ecx
		mov	ds:_KeRootProcSpecified, eax

loc_AC04A3:				; CODE XREF: Phase1InitializationDiscard(x)+10Fj
					; Phase1InitializationDiscard(x)+120j
		push	offset ??_C@_0BO@DKMHGMAN@?5HYPERVISORROOTPROCNUMANODES?$DN@PBOPGDP@ ; " HYPERVISORROOTPROCNUMANODES="
		push	ebx		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC0506
		push	offset ??_C@_01NEMOKFLO@?$DN@PBOPGDP@ ;	char *
		push	eax		; char *
		call	_strstr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jz	short loc_AC0506

loc_AC04C7:				; CODE XREF: Phase1InitializationDiscard(x)+190j
		cmp	ds:_KeRootProcNumaNodesSpecified, 10h
		jnb	short loc_AC0506
		inc	esi
		push	esi		; char *
		call	_atol
		pop	ecx
		mov	ecx, ds:_KeRootProcNumaNodesSpecified
		mov	ds:_KeRootProcNumaNodes[ecx*2],	ax
		inc	ecx
		mov	ds:_KeRootProcNumaNodesSpecified, ecx
		jmp	short loc_AC04F8
; 

loc_AC04EF:				; CODE XREF: Phase1InitializationDiscard(x)+188j
		cmp	al, 20h
		jz	short loc_AC0506
		test	al, al
		jz	short loc_AC04FE
		inc	esi

loc_AC04F8:				; CODE XREF: Phase1InitializationDiscard(x)+179j
		mov	al, [esi]
		cmp	al, 2Ch
		jnz	short loc_AC04EF

loc_AC04FE:				; CODE XREF: Phase1InitializationDiscard(x)+181j
		cmp	al, 20h
		jz	short loc_AC0506
		test	al, al
		jnz	short loc_AC04C7

loc_AC0506:				; CODE XREF: Phase1InitializationDiscard(x)+13Ej
					; Phase1InitializationDiscard(x)+151j ...
		push	offset ??_C@_0CA@NOEEJOCD@?5HYPERVISORROOTPROCNUMANODELPS?$DN@PBOPGDP@ ; " HYPERVISORROOTPROCNUMANODELPS="
		push	ebx		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_AC05AC
		push	offset ??_C@_01NEMOKFLO@?$DN@PBOPGDP@ ;	char *
		push	eax		; char *
		call	_strstr
		and	ds:_KeRootProcNumaNodesSpecified, 0
		mov	esi, eax
		and	ds:_KeRootProcSpecified, 0
		xor	eax, eax
		inc	eax
		mov	ds:_KeRootProcNumaNodeLpsSpecified, al
		pop	ecx
		pop	ecx
		test	esi, esi
		jz	short loc_AC05AC

loc_AC0544:				; CODE XREF: Phase1InitializationDiscard(x)+232j
		and	[esp+0E8h+var_B8], 0
		lea	eax, [esp+0E8h+var_B8]
		push	0Ah		; int
		push	eax		; char **
		inc	esi
		push	esi		; char *
		call	_strtoul
		mov	edi, eax
		add	esp, 0Ch
		mov	eax, [esp+0E8h+var_B8]
		cmp	esi, eax
		jz	short loc_AC059A
		cmp	byte ptr [eax],	3Dh
		jnz	short loc_AC059A
		cmp	edi, 10h
		jnb	short loc_AC059A
		lea	esi, [eax+1]
		push	10h
		lea	eax, [esp+0ECh+var_B8]
		push	eax
		push	esi
		call	__strtoui64
		add	esp, 0Ch
		mov	ds:_KeRootProcNumaNodeLps[edi*8], eax
		mov	ds:dword_70E3C4[edi*8],	edx
		jmp	short loc_AC059A
; 

loc_AC0591:				; CODE XREF: Phase1InitializationDiscard(x)+22Aj
		cmp	al, 20h
		jz	short loc_AC05A8
		test	al, al
		jz	short loc_AC05A0
		inc	esi

loc_AC059A:				; CODE XREF: Phase1InitializationDiscard(x)+1EEj
					; Phase1InitializationDiscard(x)+1F3j ...
		mov	al, [esi]
		cmp	al, 2Ch
		jnz	short loc_AC0591

loc_AC05A0:				; CODE XREF: Phase1InitializationDiscard(x)+223j
		cmp	al, 20h
		jz	short loc_AC05A8
		test	al, al
		jnz	short loc_AC0544

loc_AC05A8:				; CODE XREF: Phase1InitializationDiscard(x)+21Fj
					; Phase1InitializationDiscard(x)+22Ej
		mov	edi, [esp+0E8h+var_D4]

loc_AC05AC:				; CODE XREF: Phase1InitializationDiscard(x)+FAj
					; Phase1InitializationDiscard(x)+1A1j ...
		mov	esi, [esp+0E8h+var_BC]
		mov	ecx, esi
		call	_KePerformGroupConfiguration@4 ; KePerformGroupConfiguration(x)
		push	esi
		push	_InitializationPhase
		call	ds:__imp__HalInitSystem@8 ; HalInitSystem(x,x)
		test	al, al
		jz	loc_AC119A
		mov	ecx, _InitializationPhase
		mov	edx, esi
		call	KeInitializeClock
		test	ebx, ebx
		jz	short loc_AC05EE
		push	offset ??_C@_09KDJKCLOD@NOGUIBOOT@PBOPGDP@ ; "NOGUIBOOT"
		push	ebx		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_AC061C

loc_AC05EE:				; CODE XREF: Phase1InitializationDiscard(x)+267j
		push	0
		call	_InbvEnableDisplayString@4 ; InbvEnableDisplayString(x)
		call	_BgkDisplayProgressIndicator@0 ; BgkDisplayProgressIndicator()
		call	_BgkDisplayBackgroundUpdate@0 ;	BgkDisplayBackgroundUpdate()
		push	offset _DisplayFilter@4	; DisplayFilter(x)
		call	_InbvInstallDisplayStringFilter@4 ; InbvInstallDisplayStringFilter(x)
		push	7
		xor	eax, eax
		push	esi
		inc	eax
		push	eax
		call	_InbvDriverInitialize@12 ; InbvDriverInitialize(x,x,x)
		xor	cl, cl
		call	DisplayBootBitmap

loc_AC061C:				; CODE XREF: Phase1InitializationDiscard(x)+278j
		test	ebx, ebx
		jz	short loc_AC065F
		push	offset ??_C@_06MKBEKGJJ@MININT@PBOPGDP@	; "MININT"
		push	ebx		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC065F
		xor	eax, eax
		inc	eax
		push	offset ??_C@_05NECCPCEG@INRAM@PBOPGDP@ ; "INRAM"
		push	ebx		; char *
		mov	_InitIsWinPEMode, al
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC0656
		or	_InitWinPEModeType, 80000000h
		jmp	short loc_AC065F
; 

loc_AC0656:				; CODE XREF: Phase1InitializationDiscard(x)+2D4j
		xor	eax, eax
		inc	eax
		or	_InitWinPEModeType, eax

loc_AC065F:				; CODE XREF: Phase1InitializationDiscard(x)+2AAj
					; Phase1InitializationDiscard(x)+2BBj ...
		lea	eax, [esp+18h]
		push	eax
		push	4000007Eh
		push	0
		push	0Bh
		push	400000h
		call	_RtlFindMessage@20 ; RtlFindMessage(x,x,x,x,x)
		cmp	word ptr _CmCSDVersionString, 0
		mov	esi, edi
		mov	[esp+0F0h+var_D4], eax
		mov	[esp+0F0h+var_B8], esi
		mov	[esp+0F0h+var_BC], 100h
		jz	short loc_AC06CA
		push	offset _CmCSDVersionString ; char
		push	offset ??_C@_05KMBLMBJE@?3?5?$CFwZ@PBOPGDP@ ; ": %wZ"
		xor	esi, esi
		lea	eax, [esp+0F8h+var_BC]
		push	esi		; int
		push	eax		; int
		lea	eax, [esp+100h+var_B8]
		push	eax		; int
		push	0FFh		; int
		push	edi		; int
		call	_RtlStringCbPrintfExA
		add	esp, 1Ch
		test	eax, eax
		js	loc_AC11A5
		mov	esi, [esp+0F0h+var_B8]
		mov	edi, [esp+0F0h+var_BC]
		jmp	short loc_AC06D3
; 

loc_AC06CA:				; CODE XREF: Phase1InitializationDiscard(x)+31Dj
		mov	edi, 0FFh
		mov	[esp+0F0h+var_BC], edi

loc_AC06D3:				; CODE XREF: Phase1InitializationDiscard(x)+354j
		push	0
		push	0Ah		; char
		push	offset ??_C@_05EENHEND@?$CFu?4?$CFu@PBOPGDP@ ; char *
		mov	byte ptr [esi],	0
		lea	eax, [esp+0FCh+var_24]
		push	18h		; int
		inc	esi
		push	eax		; char *
		mov	[esp+104h+var_B8], esi
		call	RtlStringCbPrintfA
		add	esp, 14h
		test	eax, eax
		jns	short loc_AC0705
		xor	ecx, ecx
		push	0
		inc	ecx
		push	ecx
		jmp	loc_AC11A7
; 

loc_AC0705:				; CODE XREF: Phase1InitializationDiscard(x)+384j
		cmp	[esp+0F0h+var_D4], 0
		jl	short loc_AC073F
		push	[esp+0F0h+var_DC]
		movzx	eax, word ptr _NtBuildNumber
		push	eax
		lea	eax, [esp+0F8h+var_24]
		push	eax		; char
		mov	eax, [esp+24h]
		add	eax, 4
		push	eax		; char *
		push	edi		; int
		push	esi		; char *
		call	RtlStringCbPrintfA
		add	esp, 18h
		test	eax, eax
		jns	short loc_AC075A
		push	0
		push	2
		jmp	loc_AC11A7
; 

loc_AC073F:				; CODE XREF: Phase1InitializationDiscard(x)+396j
		push	offset ??_C@_0BM@PDNNGJEH@MICROSOFT?5?$CIR?$CJ?5WINDOWS?5?$CITM?$CJ?6@PBOPGDP@ ; "MICROSOFT (R)	WINDOWS	(TM)\n"
		mov	edx, edi
		mov	ecx, esi
		call	_RtlStringCbCopyA@12 ; RtlStringCbCopyA(x,x,x)
		test	eax, eax
		jns	short loc_AC075A
		push	0
		push	3
		jmp	loc_AC11A7
; 

loc_AC075A:				; CODE XREF: Phase1InitializationDiscard(x)+3C0j
					; Phase1InitializationDiscard(x)+3DBj
		push	esi
		call	InbvDisplayString
		mov	esi, [esp+0F0h+var_DC]
		mov	edi, [esp+0F0h+var_84]
		push	40h
		pop	ecx
		rep movsd
		mov	edi, [esp+0F0h+var_C4]
		xor	ecx, ecx
		mov	edx, edi
		call	PoInitSystem
		test	al, al
		jz	loc_AC1193
		cmp	_ExpRealTimeIsUniversal, 0
		jnz	short loc_AC07D0
		mov	ecx, [esp+0F0h+var_B0]
		mov	eax, [ecx+1B4h]
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_AC07AC
		xor	eax, eax
		inc	eax
		mov	[esp+0F0h+var_DE], al
		mov	eax, ds:_ExpAltTimeZoneBias
		mov	[ecx+1B4h], eax

loc_AC07AC:				; CODE XREF: Phase1InitializationDiscard(x)+424j
		imul	eax, 3Ch
		mov	edx, (offset loc_98967E+2)
		add	ecx, 1B8h
		imul	edx
		mov	[ecx], eax
		mov	[ecx+4], edx
		mov	dword ptr ds:0FFDF025Ch, 0
		call	_ExpWriteTimeZoneBias@4	; ExpWriteTimeZoneBias(x)

loc_AC07D0:				; CODE XREF: Phase1InitializationDiscard(x)+415j
		mov	ecx, [edi+84h]
		lea	edx, [esp+0F0h+var_D0]
		call	_GetBootSystemTime@8 ; GetBootSystemTime(x,x)
		test	ebx, ebx
		jz	short loc_AC083C
		push	offset ??_C@_04FJMBNFHG@YEAR@PBOPGDP@ ;	"YEAR"
		push	ebx		; char *
		call	_strstr
		mov	esi, offset ??_C@_01NEMOKFLO@?$DN@PBOPGDP@
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC0841
		push	esi		; char *
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC0841
		inc	eax
		push	eax		; char *
		call	_atol
		mov	esi, eax
		lea	eax, [esp+0F4h+var_34]
		pop	ecx
		push	eax
		lea	eax, [esp+0F4h+var_D0]
		push	eax
		call	_RtlTimeToTimeFields@8 ; RtlTimeToTimeFields(x,x)
		lea	eax, [esp+0F0h+var_D0]
		mov	word ptr [esp+0F0h+var_34], si
		push	eax
		lea	eax, [esp+0F4h+var_34]
		push	eax
		call	_RtlTimeFieldsToTime@8 ; RtlTimeFieldsToTime(x,x)

loc_AC083C:				; CODE XREF: Phase1InitializationDiscard(x)+46Dj
		mov	esi, offset ??_C@_01NEMOKFLO@?$DN@PBOPGDP@

loc_AC0841:				; CODE XREF: Phase1InitializationDiscard(x)+483j
					; Phase1InitializationDiscard(x)+490j
		cmp	_ExpRealTimeIsUniversal, 0
		jnz	short loc_AC085B
		lea	eax, [esp+0F0h+var_A8]
		push	eax
		lea	eax, [esp+0F4h+var_D0]
		push	eax
		call	_ExSystemTimeToLocalTime@8 ; ExSystemTimeToLocalTime(x,x)
		jmp	short loc_AC086B
; 

loc_AC085B:				; CODE XREF: Phase1InitializationDiscard(x)+4D4j
		mov	eax, [esp+0F0h+var_D0]
		mov	[esp+0F0h+var_A8], eax
		mov	eax, [esp+0F0h+var_CC]
		mov	[esp+0F0h+var_A4], eax

loc_AC086B:				; CODE XREF: Phase1InitializationDiscard(x)+4E5j
		push	4
		lea	edx, [esp+0F4h+var_70]
		lea	ecx, [esp+0F4h+var_D0]
		call	_KeSetSystemTime@12 ; KeSetSystemTime(x,x,x)
		push	0
		lea	edx, [esp+0F4h+var_70]
		lea	ecx, [esp+0F4h+var_D0]
		call	_PoNotifySystemTimeSet@12 ; PoNotifySystemTimeSet(x,x,x)
		push	offset ??_C@_1DI@FBEJLCLF@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAe?$AAr@PBOPGDP@	; "Kernel-RegisteredProcessors"
		lea	eax, [esp+0F4h+var_60]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+0F0h+var_9C]
		push	eax
		push	4
		push	offset _KeRegisteredProcessors
		lea	eax, [esp+0FCh+var_98]
		push	eax
		lea	eax, [esp+100h+var_60]
		push	eax
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		test	eax, eax
		js	short loc_AC08D1
		cmp	[esp+0F0h+var_9C], 4
		jnz	short loc_AC08D1
		cmp	[esp+0F0h+var_98], 4
		jz	short loc_AC08D9

loc_AC08D1:				; CODE XREF: Phase1InitializationDiscard(x)+54Dj
					; Phase1InitializationDiscard(x)+554j
		xor	eax, eax
		inc	eax
		mov	ds:_KeRegisteredProcessors, eax

loc_AC08D9:				; CODE XREF: Phase1InitializationDiscard(x)+55Bj
		test	ebx, ebx
		jz	loc_AC09DC
		push	offset ??_C@_0L@DLLJGAHK@?5BOOTPROC?$DN@PBOPGDP@ ; " BOOTPROC="
		push	ebx		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC090C
		push	esi		; char *
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC090C
		inc	eax
		push	eax		; char *
		call	_atol
		pop	ecx
		mov	ds:_KeBootprocSpecified, eax

loc_AC090C:				; CODE XREF: Phase1InitializationDiscard(x)+57Cj
					; Phase1InitializationDiscard(x)+589j
		push	offset ??_C@_09OIHMACMH@?5NUMPROC?$DN@PBOPGDP@ ; char *
		push	ebx		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC0937
		push	esi		; char *
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC0937
		inc	eax
		push	eax		; char *
		call	_atol
		pop	ecx
		mov	ds:_KeNumprocSpecified,	eax

loc_AC0937:				; CODE XREF: Phase1InitializationDiscard(x)+5A7j
					; Phase1InitializationDiscard(x)+5B4j
		push	offset ??_C@_0BE@BHEMMNNB@?5HYPERVISORNUMPROC?$DN@PBOPGDP@ ; " HYPERVISORNUMPROC="
		push	ebx		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC0962
		push	esi		; char *
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC0962
		inc	eax
		push	eax		; char *
		call	_atol
		pop	ecx
		mov	ds:_KeHypervisorNumprocSpecified, eax

loc_AC0962:				; CODE XREF: Phase1InitializationDiscard(x)+5D2j
					; Phase1InitializationDiscard(x)+5DFj
		cmp	ds:_KeRootProcNumaNodeLpsSpecified, 0
		jnz	short loc_AC09C1
		push	offset ??_C@_0BM@LMPKCFPH@?5HYPERVISORROOTPROCPERNODE?$DN@PBOPGDP@ ; " HYPERVISORROOTPROCPERNODE="
		push	ebx		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC0996
		push	esi		; char *
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC0996
		inc	eax
		push	eax		; char *
		call	_atol
		pop	ecx
		mov	ds:_KeRootProcPerNodeSpecified,	eax

loc_AC0996:				; CODE XREF: Phase1InitializationDiscard(x)+606j
					; Phase1InitializationDiscard(x)+613j
		push	offset ??_C@_0BM@HFBGDOGK@?5HYPERVISORROOTPROCPERCORE?$DN@PBOPGDP@ ; " HYPERVISORROOTPROCPERCORE="
		push	ebx		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC09C1
		push	esi		; char *
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC09C1
		inc	eax
		push	eax		; char *
		call	_atol
		pop	ecx
		mov	ds:_KeRootProcPerCoreSpecified,	eax

loc_AC09C1:				; CODE XREF: Phase1InitializationDiscard(x)+5F5j
					; Phase1InitializationDiscard(x)+631j ...
		push	offset ??_C@_08NCLLJEEA@?5MAXPROC@PBOPGDP@ ; " MAXPROC"
		push	ebx		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC09DC
		mov	ds:_KeMaximumProcessors, 20h

loc_AC09DC:				; CODE XREF: Phase1InitializationDiscard(x)+567j
					; Phase1InitializationDiscard(x)+65Cj
		mov	esi, ds:__imp__KeQueryPerformanceCounter@4 ; KeQueryPerformanceCounter(x)
		push	0
		call	esi
		mov	ds:dword_B01658, eax
		mov	ds:dword_B0165C, edx
		call	KeStartAllProcessors
		push	0
		call	esi
		mov	ecx, large fs:124h
		push	ecx
		mov	ds:dword_B01664, edx
		xor	edx, edx
		mov	ds:dword_B01660, eax
		mov	ecx, [ecx+80h]
		push	offset _KeActiveProcessors
		call	KeSetAffinityProcess
		mov	ecx, large fs:20h
		add	ecx, 0FFFFFEE0h
		call	_KeShadowProcessorArea@4 ; KeShadowProcessorArea(x)
		lea	eax, [esp+0F8h+var_9C]
		push	eax
		push	40000089h
		push	0
		push	0Bh
		push	400000h
		call	_RtlFindMessage@20 ; RtlFindMessage(x,x,x,x,x)
		test	eax, eax
		js	short loc_AC0A56
		mov	esi, [esp+0F8h+var_9C]
		add	esi, 4
		jmp	short loc_AC0A5B
; 

loc_AC0A56:				; CODE XREF: Phase1InitializationDiscard(x)+6D7j
		mov	esi, offset ??_C@_0BI@KMJFPDIO@MultiProcessor?5Kernel?$AN?6@PBOPGDP@ ; "MultiProcessor Kernel\r\n"

loc_AC0A5B:				; CODE XREF: Phase1InitializationDiscard(x)+6E0j
		call	ds:__imp__HalAllProcessorsStarted@0 ; HalAllProcessorsStarted()
		test	al, al
		jz	loc_AC119A
		push	esi
		lea	eax, [esp+0FCh+var_88]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		mov	ax, word ptr [esp+0F8h+var_88]
		push	2
		pop	esi
		cmp	ax, si
		jb	short loc_AC0A8E
		mov	ecx, 0FFFEh
		add	ax, cx
		mov	word ptr [esp+0F8h+var_88], ax

loc_AC0A8E:				; CODE XREF: Phase1InitializationDiscard(x)+70Bj
		mov	eax, ds:_KeNumberProcessors
		xor	ecx, ecx
		inc	ecx
		cmp	ecx, eax
		lea	ecx, [esp+18h]
		push	ecx
		sbb	eax, eax
		and	eax, 15h
		add	eax, 40000088h
		push	eax
		push	0
		push	0Bh
		push	400000h
		call	_RtlFindMessage@20 ; RtlFindMessage(x,x,x,x,x)
		mov	[esp+0F8h+var_DC], eax
		xor	edx, edx
		mov	eax, ds:_MmPhysicalMemoryBlock
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_AC0AD4
		add	eax, 0Ch

loc_AC0ACA:				; CODE XREF: Phase1InitializationDiscard(x)+75Ej
		add	edx, [eax]
		lea	eax, [eax+8]
		sub	ecx, 1
		jnz	short loc_AC0ACA

loc_AC0AD4:				; CODE XREF: Phase1InitializationDiscard(x)+751j
		cmp	[esp+0F8h+var_DC], 0
		jl	short loc_AC0AE4
		mov	ecx, [esp+18h]
		add	ecx, 4
		jmp	short loc_AC0AE9
; 

loc_AC0AE4:				; CODE XREF: Phase1InitializationDiscard(x)+765j
		mov	ecx, offset ??_C@_0CH@GNCFDLAB@?$CFu?5System?5Processor?5?$FL?$CFu?5MB?5Memo@PBOPGDP@ ;	"%u System Processor [%u MB Memory] %Z\n"

loc_AC0AE9:				; CODE XREF: Phase1InitializationDiscard(x)+76Ej
		lea	eax, [esp+0F8h+var_88]
		push	eax
		lea	eax, [edx+0FFh]
		shr	eax, 8
		push	eax
		push	ds:_KeNumberProcessors ; char
		push	ecx		; char *
		push	100h		; int
		push	[esp+10Ch+var_E4] ; char *
		call	RtlStringCbPrintfA
		add	esp, 18h
		test	eax, eax
		jns	short loc_AC0B1D
		push	0
		push	4
		jmp	loc_AC11A7
; 

loc_AC0B1D:				; CODE XREF: Phase1InitializationDiscard(x)+79Ej
		push	[esp+0F8h+var_E4]
		call	InbvDisplayString
		push	0
		push	[esp+0FCh+var_E4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		call	ObInitSystem
		test	al, al
		jnz	short loc_AC0B41
		push	62h
		jmp	loc_AC11A0
; 

loc_AC0B41:				; CODE XREF: Phase1InitializationDiscard(x)+7C4j
		call	ExInitSystem
		test	al, al
		jnz	short loc_AC0B5C
		xor	eax, eax
		push	0
		inc	eax
		push	eax

loc_AC0B50:				; CODE XREF: Phase1InitializationDiscard(x)+7FDj
					; Phase1InitializationDiscard(x)+810j ...
		push	0
		push	0C0000001h
		jmp	loc_AC11AA
; 

loc_AC0B5C:				; CODE XREF: Phase1InitializationDiscard(x)+7D4j
		push	0FFFFFFFFh
		call	ds:__imp__HalReportResourceUsage@4 ; HalReportResourceUsage(x)
		call	IoCreateObjectTypes
		test	al, al
		jnz	short loc_AC0B73
		push	0
		push	4
		jmp	short loc_AC0B50
; 

loc_AC0B73:				; CODE XREF: Phase1InitializationDiscard(x)+7F7j
		xor	eax, eax
		lea	ecx, [eax+1]
		call	_KeInitSystem@4	; KeInitSystem(x)
		push	0
		test	al, al
		jnz	short loc_AC0B86
		push	esi
		jmp	short loc_AC0B50
; 

loc_AC0B86:				; CODE XREF: Phase1InitializationDiscard(x)+80Dj
		push	_InitializationPhase
		call	KdInitSystem
		test	al, al
		jnz	short loc_AC0B9B
		push	0
		push	3
		jmp	short loc_AC0B50
; 

loc_AC0B9B:				; CODE XREF: Phase1InitializationDiscard(x)+81Fj
		push	offset _TmTransactionObjectType
		push	offset _TmTransactionManagerObjectType
		push	offset _TmEnlistmentObjectType
		push	offset _TmResourceManagerObjectType
		call	ds:__imp__TmInitSystem@16 ; TmInitSystem(x,x,x,x)
		test	eax, eax
		jns	short loc_AC0BCA
		cmp	eax, 0C00000BBh
		jz	short loc_AC0BCA
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		jmp	loc_AC11A9
; 

loc_AC0BCA:				; CODE XREF: Phase1InitializationDiscard(x)+843j
					; Phase1InitializationDiscard(x)+84Aj
		call	DbgkInitialize
		test	eax, eax
		jns	short loc_AC0BDD
		xor	ecx, ecx
		push	ecx
		push	ecx

loc_AC0BD7:				; CODE XREF: Phase1InitializationDiscard(x)+930j
		push	ecx
		jmp	loc_AC11A9
; 

loc_AC0BDD:				; CODE XREF: Phase1InitializationDiscard(x)+85Dj
		call	BcdInitializeBcdSyncMutant
		xor	ecx, ecx
		call	VerifierInitSystem
		call	SeInitSystem
		test	al, al
		jnz	short loc_AC0BF9
		push	63h
		jmp	loc_AC11A0
; 

loc_AC0BF9:				; CODE XREF: Phase1InitializationDiscard(x)+87Cj
		xor	eax, eax
		mov	edx, edi
		lea	ecx, [eax+1]
		call	PsInitSystem
		call	_ExInitLicenseCallback@0 ; ExInitLicenseCallback()
		mov	ecx, edi
		call	CreateSystemRootLink
		test	eax, eax
		jns	short loc_AC0C22
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx
		push	eax
		push	64h
		jmp	loc_AC11AC
; 

loc_AC0C22:				; CODE XREF: Phase1InitializationDiscard(x)+89Fj
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ds:dword_B01678, eax
		xor	eax, eax
		mov	ds:dword_B0167C, edx
		mov	edx, edi
		lea	ecx, [eax+1]
		call	MmInitSystem
		test	al, al
		jnz	short loc_AC0C4C
		push	65h
		jmp	loc_AC11A0
; 

loc_AC0C4C:				; CODE XREF: Phase1InitializationDiscard(x)+8CFj
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ds:dword_B01680, eax
		mov	eax, ds:_InitNlsTableSize
		mov	ds:dword_B01684, edx
		test	eax, eax
		jz	loc_AC0D3F
		xor	ecx, ecx
		mov	[esp+114h+var_9C], eax
		push	ecx
		push	8000000h
		push	4
		lea	eax, [esp+120h+var_9C]
		mov	[esp+120h+var_98], ecx
		push	eax
		push	ecx
		push	0F001Fh
		lea	eax, [esp+54h]
		push	eax
		call	_ZwCreateSection@28 ; ZwCreateSection(x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_AC0CA9
		push	0
		xor	ecx, ecx
		push	0
		inc	ecx
		jmp	loc_AC0BD7
; 

loc_AC0CA9:				; CODE XREF: Phase1InitializationDiscard(x)+927j
		mov	eax, ds:_MmSectionObjectType
		lea	ecx, [esp+114h+var_B4]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		push	eax
		push	0F001Fh
		push	dword ptr [esp+50h]
		mov	[esp+12Ch+var_B4], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	dword ptr [esp+3Ch]
		mov	[esp+118h+var_F8], eax
		mov	eax, [esp+118h+var_B4]
		mov	ds:_InitNlsSectionPointer, eax
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [esp+114h+var_F8]
		test	eax, eax
		jns	short loc_AC0CF2
		push	0
		push	0
		push	esi
		jmp	loc_AC11A9
; 

loc_AC0CF2:				; CODE XREF: Phase1InitializationDiscard(x)+972j
		and	[esp+114h+var_B0], 0
		lea	eax, [esp+114h+var_D0]
		and	[esp+114h+var_D0], 0
		push	eax
		lea	eax, [esp+118h+var_B0]
		push	eax
		push	ds:_InitNlsSectionPointer
		call	_MmMapViewInSystemSpace@12 ; MmMapViewInSystemSpace(x,x,x)
		test	eax, eax
		jns	short loc_AC0D20
		push	0
		push	0
		push	3
		jmp	loc_AC11A9
; 

loc_AC0D20:				; CODE XREF: Phase1InitializationDiscard(x)+99Fj
		push	ds:_InitNlsTableSize ; size_t
		mov	esi, [esp+118h+var_B0]
		push	ds:_InitNlsTableBase ; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	ds:_InitNlsTableBase, esi

loc_AC0D3F:				; CODE XREF: Phase1InitializationDiscard(x)+8F2j
		mov	ecx, ds:_InitNlsTableBase
		push	ecx
		test	ecx, ecx
		jnz	short loc_AC0D51
		push	ecx

loc_AC0D4B:				; CODE XREF: Phase1InitializationDiscard(x)+9E7j
		xor	edx, edx
		xor	ecx, ecx
		jmp	short loc_AC0D6F
; 

loc_AC0D51:				; CODE XREF: Phase1InitializationDiscard(x)+9D4j
		mov	eax, ds:_InitUnicodeCaseTableDataOffset
		test	eax, eax
		jnz	short loc_AC0D5D
		push	ecx
		jmp	short loc_AC0D4B
; 

loc_AC0D5D:				; CODE XREF: Phase1InitializationDiscard(x)+9E4j
		mov	edx, ds:_InitOemCodePageDataOffset
		add	eax, ecx
		push	eax
		lea	edx, [edx+ecx]
		add	ecx, ds:_InitAnsiCodePageDataOffset

loc_AC0D6F:				; CODE XREF: Phase1InitializationDiscard(x)+9DBj
		call	RtlInitNlsTables
		call	RtlResetRtlTranslations
		call	_CcInitializeCacheManager@0 ; CcInitializeCacheManager()
		test	al, al
		jnz	short loc_AC0D89
		push	66h
		jmp	loc_AC11A0
; 

loc_AC0D89:				; CODE XREF: Phase1InitializationDiscard(x)+A0Cj
		mov	ecx, edi
		call	_CmInitSystem1@4 ; CmInitSystem1(x)
		test	al, al
		jnz	short loc_AC0D9B
		push	67h
		jmp	loc_AC11A0
; 

loc_AC0D9B:				; CODE XREF: Phase1InitializationDiscard(x)+A1Ej
		call	ExInitializeLeapSecondData
		test	eax, eax
		jns	short loc_AC0DAF
		push	0
		push	0
		push	0Ch
		jmp	loc_AC11A9
; 

loc_AC0DAF:				; CODE XREF: Phase1InitializationDiscard(x)+A2Ej
		call	InitSkuSessionParameters
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ds:dword_B01648, eax
		xor	eax, eax
		push	eax
		mov	ds:dword_B0164C, edx
		mov	[esp+11Ch+var_7C], eax
		mov	[esp+11Ch+var_78], eax
		mov	[esp+11Ch+var_6C], eax
		mov	[esp+11Ch+var_68], eax
		mov	[esp+11Ch+var_64], eax
		mov	[esp+11Ch+var_60], eax
		mov	[esp+11Ch+var_80], 24h
		mov	[esp+11Ch+var_74], offset _KeRemoveEnclavePage@4 ; KeRemoveEnclavePage(x)
		mov	[esp+11Ch+var_70], offset _KdPullRemoteFileEx@20 ; KdPullRemoteFileEx(x,x,x,x,x)
		call	_BgGetDisplayContext@0 ; BgGetDisplayContext()
		push	eax
		lea	eax, [esp+120h+var_80]
		push	eax
		push	edi
		call	ds:__imp__KsrInitSystem@16 ; KsrInitSystem(x,x,x,x)
		push	0
		mov	esi, eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ds:dword_B01650, eax
		mov	ds:dword_B01654, edx
		test	esi, esi
		jns	short loc_AC0E59
		cmp	esi, 0C00000BBh
		jz	short loc_AC0E59
		push	0
		xor	eax, eax
		inc	eax
		push	eax
		push	0
		push	esi
		jmp	loc_AC11AA
; 

loc_AC0E59:				; CODE XREF: Phase1InitializationDiscard(x)+ACDj
					; Phase1InitializationDiscard(x)+AD5j
		mov	edi, offset _ExKsrInterface
		lea	esi, [esp+12Ch+var_80]
		xor	ecx, ecx
		movsd
		movsd
		movsd
		movsd
		mov	esi, [esp+12Ch+var_100]
		mov	edx, esi
		call	EmInitSystem
		test	eax, eax
		jns	short loc_AC0E85
		push	0
		push	0

loc_AC0E7E:				; CODE XREF: Phase1InitializationDiscard(x)+DF1j
		push	8
		jmp	loc_AC11A9
; 

loc_AC0E85:				; CODE XREF: Phase1InitializationDiscard(x)+B04j
		mov	ecx, esi
		call	MfgInitSystem
		test	eax, eax
		jns	short loc_AC0E9B
		push	0
		push	0
		push	9
		jmp	loc_AC11A9
; 

loc_AC0E9B:				; CODE XREF: Phase1InitializationDiscard(x)+B1Aj
		call	_PfInitializeSuperfetch@0 ; PfInitializeSuperfetch()
		xor	ecx, ecx
		call	_SmInitSystem@4	; SmInitSystem(x)
		xor	ecx, ecx
		call	_VmInitSystem@4	; VmInitSystem(x)
		test	eax, eax
		jns	short loc_AC0EBD
		push	0
		push	0
		push	0Ah
		jmp	loc_AC11A9
; 

loc_AC0EBD:				; CODE XREF: Phase1InitializationDiscard(x)+B3Cj
		mov	eax, [esi+84h]
		push	2
		pop	edi
		mov	eax, [eax+9D8h]
		and	eax, edi
		or	eax, 0
		jz	short loc_AC0EE4
		push	offset ??_C@_0O@OBHIAGJN@FORCETIMESYNC@PBOPGDP@	; char *
		push	ebx		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC0EF6

loc_AC0EE4:				; CODE XREF: Phase1InitializationDiscard(x)+B5Dj
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	eax
		push	offset _WNF_BOOT_INVALID_TIME_SOURCE
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)

loc_AC0EF6:				; CODE XREF: Phase1InitializationDiscard(x)+B6Ej
		and	[esp+12Ch+var_A0], 0
		xor	eax, eax
		inc	eax
		push	eax
		push	eax
		lea	eax, [esp+134h+var_A0]
		push	eax
		call	FsRtlSendModernAppTermination
		call	ExInitializeTimeRefresh
		xor	eax, eax
		lea	ecx, [eax+1]
		call	_ExAcquireTimeRefreshLock@4 ; ExAcquireTimeRefreshLock(x)
		lea	ecx, [esp+12Ch+var_E4]
		call	_ExInitializeUtcTimeZoneBias@4 ; ExInitializeUtcTimeZoneBias(x)
		mov	eax, [esp+12Ch+var_EC]
		xor	cl, cl
		mov	eax, [eax+1B4h]
		mov	[esp+12Ch+var_E8], eax
		call	_ExpRefreshTimeZoneInformation@4 ; ExpRefreshTimeZoneInformation(x)
		call	_ExReleaseTimeRefreshLock@0 ; ExReleaseTimeRefreshLock()
		cmp	[esp+12Ch+var_11A], 0
		jz	short loc_AC0F6C
		lea	eax, [esp+12Ch+var_10C]
		push	eax
		lea	eax, [esp+130h+var_E4]
		push	eax
		call	_ExLocalTimeToSystemTime@8 ; ExLocalTimeToSystemTime(x,x)
		push	4
		lea	edx, [esp+130h+var_AC]
		lea	ecx, [esp+130h+var_10C]
		call	_KeSetSystemTime@12 ; KeSetSystemTime(x,x,x)
		jmp	short loc_AC0F85
; 

loc_AC0F6C:				; CODE XREF: Phase1InitializationDiscard(x)+BD3j
		mov	ecx, [esp+12Ch+var_EC]
		mov	eax, [esp+12Ch+var_E8]
		cmp	eax, [ecx+1B4h]
		jz	short loc_AC0F85
		push	0
		push	0
		call	_ZwSetSystemTime@8 ; ZwSetSystemTime(x,x)

loc_AC0F85:				; CODE XREF: Phase1InitializationDiscard(x)+BF6j
					; Phase1InitializationDiscard(x)+C06j
		call	_FsRtlInitSystem@0 ; FsRtlInitSystem()
		test	al, al
		jnz	short loc_AC0F95
		push	68h
		jmp	loc_AC11A0
; 

loc_AC0F95:				; CODE XREF: Phase1InitializationDiscard(x)+C18j
		call	_RtlInitializeCompression@0 ; RtlInitializeCompression()
		call	_RtlInitializeRangeListPackage@0 ; RtlInitializeRangeListPackage()
		mov	ecx, esi
		call	HvlDebuggerSupportInitialize
		push	0
		call	ds:__imp__HalReportResourceUsage@4 ; HalReportResourceUsage(x)
		push	offset _KdpContext
		xor	eax, eax
		push	esi
		inc	eax
		push	eax
		call	ds:__imp__KdInitialize@12 ; KdInitialize(x,x,x)
		call	PpInitSystem
		test	al, al
		jnz	short loc_AC0FD1
		push	90h
		jmp	loc_AC11A0
; 

loc_AC0FD1:				; CODE XREF: Phase1InitializationDiscard(x)+C51j
		call	_LpcInitSystem@0 ; LpcInitSystem()
		test	al, al
		jnz	short loc_AC0FE1
		push	6Ah
		jmp	loc_AC11A0
; 

loc_AC0FE1:				; CODE XREF: Phase1InitializationDiscard(x)+C64j
		test	ebx, ebx
		jz	short loc_AC0FF6
		push	(offset	loc_ADCBDD+1) ;	char *
		push	ebx		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		mov	esi, eax
		jmp	short loc_AC0FF8
; 

loc_AC0FF6:				; CODE XREF: Phase1InitializationDiscard(x)+C6Fj
		xor	esi, esi

loc_AC0FF8:				; CODE XREF: Phase1InitializationDiscard(x)+C80j
		mov	ebx, esi
		test	esi, esi
		jz	loc_AC10D1
		push	7		; size_t
		add	esi, 9
		push	offset ??_C@_07NNINPBDK@MINIMAL@PBOPGDP@ ; "MINIMAL"
		push	esi		; char *
		call	_strncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_AC1020
		lea	edi, [eax+1]

loc_AC101C:				; CODE XREF: Phase1InitializationDiscard(x)+CBEj
		push	10h
		jmp	short loc_AC1053
; 

loc_AC1020:				; CODE XREF: Phase1InitializationDiscard(x)+CA3j
		push	7		; size_t
		push	offset ??_C@_07BCBHNHNG@NETWORK@PBOPGDP@ ; "NETWORK"
		push	esi		; char *
		call	_strncmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_AC101C
		push	8		; size_t
		push	offset ??_C@_08EGIDFHDE@DSREPAIR@PBOPGDP@ ; char *
		push	esi		; char *
		call	_strncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_AC104F
		push	3
		pop	edi
		push	11h
		jmp	short loc_AC1053
; 

loc_AC104F:				; CODE XREF: Phase1InitializationDiscard(x)+CD2j
		xor	edi, edi
		push	9

loc_AC1053:				; CODE XREF: Phase1InitializationDiscard(x)+CAAj
					; Phase1InitializationDiscard(x)+CD9j
		pop	eax
		add	eax, ebx
		mov	_InitSafeBootMode, edi
		cmp	byte ptr [eax],	0
		jz	short loc_AC107A
		push	10h		; size_t
		push	offset ??_C@_0BB@IJFKEGCF@?$CIALTERNATESHELL?$CJ@PBOPGDP@ ; char *
		push	eax		; char *
		call	_strncmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_AC107A
		inc	eax
		mov	[esp+13Ch+var_129], al

loc_AC107A:				; CODE XREF: Phase1InitializationDiscard(x)+CEBj
					; Phase1InitializationDiscard(x)+CFFj
		mov	eax, _InitSafeBootMode
		test	eax, eax
		jz	short loc_AC10D1
		and	[esp+13Ch+var_D4], 0
		xor	ecx, ecx
		sub	eax, 1
		jz	short loc_AC10A7
		sub	eax, 1
		jz	short loc_AC10A0
		sub	eax, 1
		jnz	short loc_AC10AC
		mov	ecx, 0AAh
		jmp	short loc_AC10AC
; 

loc_AC10A0:				; CODE XREF: Phase1InitializationDiscard(x)+D1Ej
		mov	ecx, 0A9h
		jmp	short loc_AC10AC
; 

loc_AC10A7:				; CODE XREF: Phase1InitializationDiscard(x)+D19j
		mov	ecx, 0A8h

loc_AC10AC:				; CODE XREF: Phase1InitializationDiscard(x)+D23j
					; Phase1InitializationDiscard(x)+D2Aj ...
		lea	eax, [esp+13Ch+var_D4]
		push	eax
		push	ecx
		push	0
		push	0Bh
		push	400000h
		call	_RtlFindMessage@20 ; RtlFindMessage(x,x,x,x,x)
		test	eax, eax
		js	short loc_AC10D1
		mov	eax, [esp+13Ch+var_D4]
		add	eax, 4
		push	eax
		call	InbvDisplayString

loc_AC10D1:				; CODE XREF: Phase1InitializationDiscard(x)+C88j
					; Phase1InitializationDiscard(x)+D0Dj ...
		mov	ebx, [esp+13Ch+var_110]
		xor	esi, esi
		mov	eax, [ebx+84h]
		test	dword ptr [eax+54h], 800h
		jz	short loc_AC1119
		lea	eax, [esp+13Ch+var_124]
		push	eax
		push	0B7h
		push	esi
		push	0Bh
		push	400000h
		call	_RtlFindMessage@20 ; RtlFindMessage(x,x,x,x,x)
		test	eax, eax
		js	short loc_AC110E
		mov	eax, [esp+13Ch+var_124]
		add	eax, 4
		push	eax
		call	InbvDisplayString

loc_AC110E:				; CODE XREF: Phase1InitializationDiscard(x)+D8Bj
		mov	edx, [esp+13Ch+var_D0]
		mov	ecx, ebx
		call	_IopInitializeBootLogging@8 ; IopInitializeBootLogging(x,x)

loc_AC1119:				; CODE XREF: Phase1InitializationDiscard(x)+D70j
		call	_ExInitSystemPhase2@0 ;	ExInitSystemPhase2()
		call	_ExpComputeCyclesPerYield@0 ; ExpComputeCyclesPerYield()
		cmp	_InitIsWinPEMode, 0
		mov	ds:0FFDF02D6h, ax
		jz	short loc_AC1137
		call	_CreateMiniNtBootKey@0 ; CreateMiniNtBootKey()

loc_AC1137:				; CODE XREF: Phase1InitializationDiscard(x)+DBCj
		mov	ecx, ebx
		call	_SeCodeIntegrityInitializePolicy@4 ; SeCodeIntegrityInitializePolicy(x)
		test	eax, eax
		jns	short loc_AC114B
		push	esi
		push	esi
		push	69436553h
		jmp	short loc_AC11A9
; 

loc_AC114B:				; CODE XREF: Phase1InitializationDiscard(x)+DCCj
		mov	_KdpTimeSlipPending, esi
		call	_ExInitializeNls@0 ; ExInitializeNls()
		test	eax, eax
		js	short loc_AC11A5
		call	_ExInitializeExternalBootSupport@0 ; ExInitializeExternalBootSupport()
		test	eax, eax
		jns	short loc_AC116A
		push	esi
		push	esi
		jmp	loc_AC0E7E
; 

loc_AC116A:				; CODE XREF: Phase1InitializationDiscard(x)+DEDj
		xor	eax, eax
		mov	edx, ebx
		lea	ecx, [eax+1]
		call	PoInitSystem
		test	al, al
		jz	short loc_AC1193
		mov	ecx, [esp+13Ch+var_58]
		mov	al, [esp+13Ch+var_129]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_AC1193:				; CODE XREF: Phase1InitializationDiscard(x)+408j
					; Phase1InitializationDiscard(x)+E04j
		push	0A0h
		jmp	short loc_AC11A0
; 

loc_AC119A:				; CODE XREF: Phase1InitializationDiscard(x)+252j
					; Phase1InitializationDiscard(x)+6EFj
		push	61h
		jmp	short loc_AC11A0
; 

loc_AC119E:				; CODE XREF: Phase1InitializationDiscard(x)+BEj
		push	31h

loc_AC11A0:				; CODE XREF: Phase1InitializationDiscard(x)+7C8j
					; Phase1InitializationDiscard(x)+880j ...
		call	_KeBugCheck@4	; KeBugCheck(x)

loc_AC11A5:				; CODE XREF: Phase1InitializationDiscard(x)+346j
					; Phase1InitializationDiscard(x)+DE4j
		push	esi
		push	esi

loc_AC11A7:				; CODE XREF: Phase1InitializationDiscard(x)+38Cj
					; Phase1InitializationDiscard(x)+3C6j ...
		push	7

loc_AC11A9:				; CODE XREF: Phase1InitializationDiscard(x)+851j
					; Phase1InitializationDiscard(x)+864j ...
		push	eax

loc_AC11AA:				; CODE XREF: Phase1InitializationDiscard(x)+7E3j
					; Phase1InitializationDiscard(x)+AE0j
		push	32h

loc_AC11AC:				; CODE XREF: Phase1InitializationDiscard(x)+8A9j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_Phase1InitializationDiscard@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopPowerAggregatorInitialize(x)
_PopPowerAggregatorInitialize@4	proc near ; CODE XREF: PoInitSystem+A1p
					; PoInitSystem+504p
		mov	edi, edi
		push	ebx
		test	ecx, ecx
		jnz	loc_AC1241
		xor	ebx, ebx
		push	1308h		; size_t
		push	ebx		; int
		push	offset _PopPowerAggregatorContext ; void *
		mov	_PopPowerAggregatorLock, ebx
		mov	dword_6C09A4, ebx
		call	_memset
		add	esp, 0Ch
		mov	dword_6C09E0, 1
		mov	edx, offset _PopPowerAggregatorSessionSwitchTimerCallback@8 ; PopPowerAggregatorSessionSwitchTimerCallback(x,x)
		mov	dword_6C0A08, ebx
		mov	ecx, offset unk_6C0A40
		mov	dword_6C1CB8, offset _PopPowerAggregatorWorker@4 ; PopPowerAggregatorWorker(x)
		mov	dword_6C1CBC, ebx
		push	8
		push	ebx
		mov	dword_6C1CB0, ebx
		mov	dword_6C0A34, offset _PopPowerAggregatorSessionSwitchWorker@4 ;	PopPowerAggregatorSessionSwitchWorker(x)
		mov	dword_6C0A38, ebx
		mov	dword_6C0A2C, ebx
		mov	word_6C0A42, bx
		call	_KiInitializeTimer2@16 ; KiInitializeTimer2(x,x,x,x)
		push	ebx
		push	ebx
		push	offset unk_6C0A98
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_AC123F:				; CODE XREF: PopPowerAggregatorInitialize(x)+92j
		pop	ebx
		retn
; 

loc_AC1241:				; CODE XREF: PopPowerAggregatorInitialize(x)+5j
		cmp	ecx, 1
		jnz	short loc_AC123F
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		call	_PopPowerAggregatorCachePoPolicy@4 ; PopPowerAggregatorCachePoPolicy(x)
		pop	ebx
		jmp	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
_PopPowerAggregatorInitialize@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoInitSystem	proc near		; CODE XREF: INIT:00ABFCC6p
					; Phase1InitializationDiscard(x)+401p ...

var_30		= dword	ptr -30h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE49A4 SIZE 0000017D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		push	6
		pop	ecx
		xor	eax, eax
		mov	_PopOsInitPhase, esi
		xor	ebx, ebx
		lea	edi, [ebp+var_30]
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		rep stosd
		push	2
		pop	edi
		test	esi, esi
		jz	short loc_AC12AE
		mov	edi, edx

loc_AC1287:				; CODE XREF: PoInitSystem+4FCj
		cmp	esi, 1
		jz	loc_AC1757

loc_AC1290:				; CODE XREF: PoInitSystem+5C1j
		cmp	esi, 2
		jz	loc_AC181C

loc_AC1299:				; CODE XREF: PoInitSystem+651j
		cmp	esi, 3
		jz	loc_AC18AC

loc_AC12A2:				; CODE XREF: PoInitSystem+830j
		mov	eax, ebx

loc_AC12A4:				; CODE XREF: PoInitSystem+1E5j
					; PoInitSystem+4E8j ...
		pop	edi
		shr	eax, 1Fh
		pop	esi
		xor	al, 1
		pop	ebx
		leave
		retn
; 

loc_AC12AE:				; CODE XREF: PoInitSystem+2Dj
		lea	eax, [ebp+var_18]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	eax, [ebp+var_14]
		mov	edx, offset _PpmPerformanceCounterShift
		mov	ecx, [ebp+var_18]
		push	eax
		mov	ds:_PopQpcFrequency, ecx
		push	ecx
		mov	ecx, offset _PpmPerformanceDistributionShift
		mov	ds:dword_70ED2C, eax
		call	PopComputeCounterShifts
		push	ebx
		push	(offset	loc_98967E+2)
		mov	edx, offset _PpmHvPerformanceCounterShift
		mov	ecx, offset _PpmHvPerformanceDistributionShift
		call	PopComputeCounterShifts
		xor	ecx, ecx
		mov	_PopCsResiliencyStatsLock, ebx
		call	_PopPowerAggregatorInitialize@4	; PopPowerAggregatorInitialize(x)
		push	ebx
		push	ebx
		push	72496F50h
		push	98h
		push	200h
		mov	eax, offset _PopIrpList
		mov	_PopPowerEventLock, ebx
		push	ebx
		mov	dword_6C2AC4, eax
		mov	_PopIrpList, eax
		mov	eax, offset _PopInrushIrpList
		push	ebx
		push	offset _PopIrpDataLookaside
		mov	dword_6C040C, ebx
		mov	_PopSystemIdleLock, ebx
		mov	dword_6C00E4, ebx
		mov	_PopCoalRegistrationListLock, ebx
		mov	dword_6C3544, ebx
		mov	_PopDeepSleepDisengageReasonLock, ebx
		mov	_PopIrpLock, ebx
		mov	dword_6C2ACC, eax
		mov	_PopInrushIrpList, eax
		call	ExInitializeNPagedLookasideListInternal
		push	ebx
		mov	edx, offset _PopSetUserShutdownMarkerWorker@4 ;	PopSetUserShutdownMarkerWorker(x)
		mov	_BootStatFileHandle, ebx
		mov	ecx, offset _PopSetUserShutdownMarkerWorkItem
		mov	_BootStatFileHandleAcquired, bl
		mov	_BootStatKeepHandleOpen, bl
		mov	_BootStatDataCache, ebx
		mov	_BootStatDisableFlush, bl
		mov	_PopBsdSkipLogging, bl
		mov	_PopBsdUpdateLock, ebx
		mov	dword_6C3D9C, ebx
		call	_PopInitializeWorkItem@12 ; PopInitializeWorkItem(x,x,x)
		push	ebx
		mov	edx, offset _PopClearUserShutdownMarkerWorker@4	; PopClearUserShutdownMarkerWorker(x)
		mov	ecx, offset _PopClearUserShutdownMarkerWorkItem
		call	_PopInitializeWorkItem@12 ; PopInitializeWorkItem(x,x,x)
		push	ebx
		mov	edx, offset _PopBsdUpdateWorker@4 ; PopBsdUpdateWorker(x)
		mov	ecx, offset _PopBsdUpdateWorkItem
		call	_PopInitializeWorkItem@12 ; PopInitializeWorkItem(x,x,x)
		push	ebx
		mov	edx, offset PopExternalMonitorUpdatedWorker
		mov	_PopWdiCurrentScenario,	offset _GUID_NULL
		mov	ecx, offset _PopExternalMonitorUpdatedWorkItem
		mov	_PopWdiCurrentScenarioInstanceId, ebx
		mov	dword_6C1F7C, ebx
		call	_PopInitializeWorkItem@12 ; PopInitializeWorkItem(x,x,x)
		push	ebx
		mov	edx, offset _PopRecordLidStateWorker@4 ; PopRecordLidStateWorker(x)
		mov	ecx, offset _PopRecordLidStateWorkItem
		call	_PopInitializeWorkItem@12 ; PopInitializeWorkItem(x,x,x)
		mov	eax, offset _PopTransitionCheckpoints
		mov	_PopInputSuppressionLock, ebx
		mov	dword_6C099C, ebx
		mov	_PopTransitionCheckpointLock, ebx
		mov	dword_6C3CFC, ebx
		mov	dword_6C3CEC, eax
		mov	_PopTransitionCheckpoints, eax
		mov	_PopMonitorOffDueToSleep, bl
		call	PpmHeteroInitializeHgsSupport
		call	_PpmCheckInit@0	; PpmCheckInit()
		call	_PopInitializeIrpWorkers@0 ; PopInitializeIrpWorkers()
		test	eax, eax
		js	loc_AC12A4
		push	1
		push	1
		push	offset unk_6C2B24
		mov	_PopIrpSerialLock, ebx
		mov	_PpmIdlePolicyLock, ebx
		mov	dword_6C2ADC, ebx
		mov	_PpmIdleVetoLock, ebx
		mov	_PpmParkStateLock, ebx
		mov	dword_6D4648, ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, offset _PopIrpSerialList
		mov	_PopWorkerLock,	ebx
		push	1
		mov	dword_6C2B3C, eax
		mov	_PopIrpSerialList, eax
		mov	eax, offset _PopRequestedIrps
		push	1
		push	offset _PopTransitionLock
		mov	dword_6C2B44, eax
		mov	_PopRequestedIrps, eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, offset _PowerStateDisableReasonListHead
		mov	dword_6C3664, ebx
		mov	dword_6C2AF4, eax
		mov	_PowerStateDisableReasonListHead, eax
		xor	eax, eax
		inc	eax
		mov	dword_6C3668, ebx
		push	ebx
		push	eax
		push	offset unk_6C366C
		mov	_PopDisableSleepMutex, eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, offset _PopDisableSleepList
		mov	dword_6C3684, eax
		mov	_PopDisableSleepList, eax
		call	_PopInitShutdownList@0 ; PopInitShutdownList()
		mov	ecx, _PopIdleScanInterval
		mov	eax, offset _PopIdleDetectList
		mov	_PopDopeGlobalLock, ebx
		mov	dword_6C2B04, eax
		mov	_PopIdleDetectList, eax
		test	ecx, ecx
		jz	short loc_AC1534
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_AE49A4
		push	1Eh
		pop	ecx

loc_AC1513:				; CODE XREF: PoInitSystem+2375Dj
		mov	_PopIdleScanInterval, ecx

loc_AC1519:				; CODE XREF: PoInitSystem+23755j
		xor	edx, edx
		lea	eax, [ecx+3Bh]
		div	ecx
		xor	edx, edx
		mov	_PopIdleBackgroundIgnoreCount, eax
		lea	eax, [ecx+0B3h]
		div	ecx
		mov	_PopBackgroundTaskIgnoreCount, eax

loc_AC1534:				; CODE XREF: PoInitSystem+2AFj
		or	_PopWorkerStatus, 0FFFFFFFFh
		push	offset _PopPolicyLock
		mov	_PopWorkerSpinLock, ebx
		mov	dword_6C2BB8, offset PopPolicyWorkerThread
		mov	dword_6C2BBC, 80000000h
		mov	_PopPolicyWorker, ebx
		call	ExInitializeResourceLite
		mov	ecx, offset _PopVolumeLock
		mov	_PopAwaymodeLock, ebx
		call	@KeInitializeGuardedMutex@4 ; KeInitializeGuardedMutex(x)
		push	ebx
		push	ebx
		push	offset _PopPowerSettingCallbackReturned
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, offset _PopVolumeDevices
		mov	ecx, offset _PopThermal
		mov	dword_6C2B84, eax
		mov	_PopVolumeDevices, eax
		mov	eax, offset _PopSwitches
		mov	dword_6C2B8C, eax
		mov	_PopSwitches, eax
		mov	eax, offset _PopFans
		push	8
		pop	edx
		mov	dword_6C2B94, eax
		mov	_PopFans, eax
		mov	dword_6C2B9C, ecx
		mov	_PopThermal, ecx
		call	IoAddTriageDumpDataBlock
		mov	eax, offset _PopActionWaiters
		mov	dword_6C2BA4, eax
		mov	_PopActionWaiters, eax
		call	_PopResetActionDefaults@0 ; PopResetActionDefaults()
		mov	ecx, offset unk_6C2C24 ; void *
		mov	_PopPolicy, ecx
		call	_PopDefaultPolicy@4 ; PopDefaultPolicy(x)
		or	dword_6C2D8C, 0FFFFFFFFh
		or	dword_6C2D94, 0FFFFFFFFh
		mov	_PopAdminPolicy, edi
		mov	dword_6C2D84, 5
		mov	dword_6C2D88, ebx
		mov	dword_6C2D90, ebx
		mov	_PopFullWake, 1
		mov	_PopCoolingMode, ebx
		mov	dword_6D4640, 0FFFFFFFFh
		mov	dword_6D4644, edi
		call	_PpmInitPolicyConfiguration@0 ;	PpmInitPolicyConfiguration()
		call	PpmInitIdlePolicy
		call	PpmPerfInitialize
		call	_PpmInitCoreParkingPolicy@0 ; PpmInitCoreParkingPolicy()
		call	_PpmInitHeteroPolicy@0 ; PpmInitHeteroPolicy()
		call	PpmIdleRegisterDefaultStates
		xor	ecx, ecx
		call	_PopDeepSleepInitialize@4 ; PopDeepSleepInitialize(x)
		call	_PopInitializePowerSettings@0 ;	PopInitializePowerSettings()
		call	PopInitilizeAcDcSettings
		mov	_PopPolicyDeviceLock, ebx
		mov	dword_6C2044, ebx
		call	_PopBatteryInit@0 ; PopBatteryInit()
		mov	_PopFanLock, ebx
		mov	dword_6C204C, ebx
		call	_PopThermalInit@0 ; PopThermalInit()
		mov	eax, offset _PopCoolingExtensionList
		mov	_PopCoolingExtensionLock, ebx
		mov	dword_6C21A4, ebx
		mov	dword_6C21AC, eax
		mov	_PopCoolingExtensionList, eax
		mov	dword_6C2DE0, 4
		mov	byte_6C2DE4, bl
		mov	dword_6C2DE8, offset _PopShutdownHandler@20 ; PopShutdownHandler(x,x,x,x,x)
		call	_PopWakeSourceInit@0 ; PopWakeSourceInit()
		call	_PpmWmiInit@0	; PpmWmiInit()
		push	ebx
		push	offset _PopAwayModeUserPresenceTimer
		mov	_PopUserPresentSetStatus, ebx
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	ebx
		push	1
		push	offset _PopUserPresentCompletedEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	1
		push	1
		push	offset unk_6C3BC4
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		call	PoFxInitPowerManagement
		push	64h
		pop	eax
		xor	ecx, ecx
		mov	dword_6C2D2C, ebx
		mov	dword_6C2D30, eax
		mov	dword_6C2D34, ebx
		mov	dword_6C2D38, eax
		mov	dword_6C2D3C, ebx
		mov	dword_6C2D40, eax
		call	PopNetInitialize
		xor	ecx, ecx
		call	_PopInitializePowerButtonHold@4	; PopInitializePowerButtonHold(x)
		call	_PopRecorderInit@0 ; PopRecorderInit()
		mov	edi, [ebp+var_4]
		mov	ecx, edi
		call	PopRecordFirmwareResetReason
		call	PopCreateTimebrokerServiceSid
		test	eax, eax
		js	loc_AC12A4
		xor	ecx, ecx
		call	_PopInitializeDirectedDrips@4 ;	PopInitializeDirectedDrips(x)
		xor	ecx, ecx
		call	SshInitialize
		jmp	loc_AC1287
; 

loc_AC1757:				; CODE XREF: PoInitSystem+34j
		xor	ecx, ecx
		inc	ecx
		call	_PopPowerAggregatorInitialize@4	; PopPowerAggregatorInitialize(x)
		call	HviIsAnyHypervisorPresent
		test	al, al
		jnz	loc_AE49B8

loc_AC176C:				; CODE XREF: PoInitSystem+2376Ej
		mov	eax, ds:_PopAggressiveStandbyActionsRegValue
		cmp	eax, 4
		jnb	short loc_AC177B
		mov	_PopAggressiveStandbyEnabledActions, eax

loc_AC177B:				; CODE XREF: PoInitSystem+51Ej
		call	PopUmpoInitializeChannel
		call	PopUmpoInitializeMonitorChannel
		xor	ecx, ecx
		mov	_PopPdcDeviceListLock, ebx
		inc	ecx
		mov	_PopEsLock, ebx
		mov	dword_6BFD2C, ebx
		mov	dword_6FC68C, offset PopEsWorker
		mov	dword_6FC690, ebx
		mov	_PopEsWorkItem,	ebx
		call	_PopEsWorkItemSchedule@4 ; PopEsWorkItemSchedule(x)
		call	_PopInitializePowerSettingCallbacks@0 ;	PopInitializePowerSettingCallbacks()
		call	PopEtInit
		test	eax, eax
		js	loc_AC12A4
		call	_PopPowerRequestInit@0 ; PopPowerRequestInit()
		test	eax, eax
		js	loc_AC12A4
		call	PopInitializeHighPerfPowerRequest
		test	eax, eax
		js	loc_AC12A4
		call	_PopCheckPowerSourceAfterRtcWakeInitialize@0 ; PopCheckPowerSourceAfterRtcWakeInitialize()
		call	_PopWatchdogInit@0 ; PopWatchdogInit()
		xor	ecx, ecx
		inc	ecx
		call	_PopInitializePowerButtonHold@4	; PopInitializePowerButtonHold(x)
		call	PpmInitHeteroEngine
		test	eax, eax
		js	loc_AC12A4
		call	_PopInitDripsWakeAccounting@0 ;	PopInitDripsWakeAccounting()
		call	_PopEmRegister@0 ; PopEmRegister()
		test	eax, eax
		js	loc_AC12A4
		call	_PopReadErrataDisablePrimaryDeviceFastResume@0 ; PopReadErrataDisablePrimaryDeviceFastResume()
		jmp	loc_AC1290
; 

loc_AC181C:				; CODE XREF: PoInitSystem+3Dj
		call	PoFxRegisterDebugger
		push	1
		call	ds:__imp__HalReportResourceUsage@4 ; HalReportResourceUsage(x)
		call	_PopBatteryInitPhaseTwo@0 ; PopBatteryInitPhaseTwo()
		call	_PpmEventInitialize@0 ;	PpmEventInitialize()
		test	eax, eax
		js	loc_AC12A4
		push	ebx
		push	ebx
		push	offset _PopNewProcessorCallback@12 ; PopNewProcessorCallback(x,x,x)
		call	KeRegisterProcessorChangeCallback
		mov	ebx, offset _PpmPerfPolicyLock
		mov	ecx, ebx
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		mov	cl, 1
		call	_PopInitializeHeteroProcessors@4 ; PopInitializeHeteroProcessors(x)
		mov	ecx, ebx
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		mov	ecx, ds:_PpmPerfArtificialDomainSetting
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_AE49C9

loc_AC1870:				; CODE XREF: PoInitSystem+2377Fj
		call	PpmIdleRegisterDefaultStates
		xor	ecx, ecx
		call	PpmCheckInitProcessors
		mov	ebx, offset _PopFxSystemLatencyLock
		mov	ecx, ebx
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		call	PoFxSendSystemLatencyUpdate
		mov	ecx, ebx
		call	_PpmReleaseLock@4 ; PpmReleaseLock(x)
		call	PopPdcCsCheckSystemVolumeDevice
		xor	cl, cl
		call	_PopUpdateBackgroundCoolingStatus@4 ; PopUpdateBackgroundCoolingStatus(x)
		call	_PopInitVideoWnfState@0	; PopInitVideoWnfState()
		xor	ebx, ebx
		jmp	loc_AC1299
; 

loc_AC18AC:				; CODE XREF: PoInitSystem+46j
		call	_PopDiagInitialize@0 ; PopDiagInitialize()
		test	eax, eax
		js	loc_AC12A4
		push	3
		pop	ecx
		call	SshInitialize
		call	_PopTriggerDiagTraceAoAcCapability@4 ; PopTriggerDiagTraceAoAcCapability(x)
		call	_PopFanReportBootStartDevices@0	; PopFanReportBootStartDevices()
		mov	eax, ds:_PopSkipTickPolicy
		mov	bl, 1
		push	2
		pop	esi
		sub	eax, 0
		jz	loc_AE49E1
		sub	eax, 1
		jnz	loc_AE49DA
		lea	eax, [ebp+var_30]
		xor	bl, bl
		push	eax
		push	0
		push	esi
		call	ds:__imp__HalGetInterruptTargetInformation@12 ;	HalGetInterruptTargetInformation(x,x,x)
		test	eax, eax
		js	loc_AE49E1
		mov	eax, [ebp+var_1C]
		mov	ds:_PopApicMode, eax
		call	PopCheckSkipTick
		test	al, al
		jz	loc_AE49DE
		xor	ebx, ebx
		mov	ds:_PoSkipTickMode, ebx

loc_AC191B:				; CODE XREF: PoInitSystem+237A9j
		call	PpmInitIllegalThrottleLogging
		mov	ecx, edi
		call	PopCheckShutdownMarker
		call	PopCheckAndClearBootError
		call	PopCheckForAbnormalReset
		call	_PopIdleWakeInitialize@0 ; PopIdleWakeInitialize()
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		push	ebx
		call	_PopUpdateUpgradeInProgress@4 ;	PopUpdateUpgradeInProgress(x)
		cmp	_InitIsWinPEMode, 0
		jnz	loc_AE4A04

loc_AC194E:				; CODE XREF: PoInitSystem+237BBj
		cmp	byte_6C2E34, 0
		jnz	loc_AE4A16

loc_AC195B:				; CODE XREF: PoInitSystem+237CDj
		mov	eax, [edi+84h]
		mov	eax, [eax+9D0h]
		and	eax, 8
		or	eax, ebx
		jnz	loc_AE4A28

loc_AC1972:				; CODE XREF: PoInitSystem+237E6j
		push	3
		pop	esi
		mov	ecx, esi
		call	_PopDeepSleepInitialize@4 ; PopDeepSleepInitialize(x)
		call	PopInitializePowerPolicySimulate
		mov	eax, _PopSimulate
		test	al, 1
		jnz	loc_AE4A41

loc_AC198E:				; CODE XREF: PoInitSystem+2382Ej
		test	al, 2
		jnz	loc_AE4A89

loc_AC1996:				; CODE XREF: PoInitSystem+23856j
		call	PopResetCurrentPolicies
		call	_PopInitializeAdpm@0 ; PopInitializeAdpm()
		mov	ecx, esi
		call	PopEsInit
		call	PopInitilizeAcDcSettings
		xor	eax, eax
		inc	eax
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	_PopUpdateConsoleDisplayState@4	; PopUpdateConsoleDisplayState(x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	4
		lea	eax, [ebp+var_C]
		push	eax
		push	offset _WNF_PO_PRIMARY_DISPLAY_VISIBLE_STATE
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		mov	ecx, esi
		call	PopNetInitialize
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		call	_PopIdleInitAoAcDozeS4Timer@0 ;	PopIdleInitAoAcDozeS4Timer()
		call	_PopCreateIdlePhaseWatchdog@0 ;	PopCreateIdlePhaseWatchdog()
		call	_PopInitializeSystemIdleDetection@0 ; PopInitializeSystemIdleDetection()
		call	PopInitializePreSleepNotifications
		mov	edx, [edi+84h]
		mov	eax, [edx+0D4h]
		mov	_PopHiberLoaderScratchPages, eax
		mov	eax, [edx+54h]
		shr	eax, 1Ch
		and	al, 1
		mov	_PopHiberResumeXhciHandoffSkip,	al
		call	PopSetupHighPerfPowerRequest
		call	_PpmEnableWmiInterface@0 ; PpmEnableWmiInterface()
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		call	_PopCoalescingInitialize@0 ; PopCoalescingInitialize()
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		mov	ecx, esi
		call	_PopInitializeDirectedDrips@4 ;	PopInitializeDirectedDrips(x)
		call	PopDripsWatchdogInitialize
		call	_PopSetupAudioEventNotification@0 ; PopSetupAudioEventNotification()
		call	_PopSetupMixedRealitytNotification@0 ; PopSetupMixedRealitytNotification()
		call	_PopSetupFullScrenVideoNotification@0 ;	PopSetupFullScrenVideoNotification()
		call	_PopSetupUserPresencePredictionNotification@0 ;	PopSetupUserPresencePredictionNotification()
		call	_PopSetupSprActiveSessionChangeNotification@0 ;	PopSetupSprActiveSessionChangeNotification()
		call	_PopSetupAirplaneModeNotification@0 ; PopSetupAirplaneModeNotification()
		call	_PopSetupBluetoothChargingNotification@0 ; PopSetupBluetoothChargingNotification()
		call	_PopSetupMobileHotspotNotification@0 ; PopSetupMobileHotspotNotification()
		call	PopThermalHandlePreviousShutdown
		call	TtmInit
		cmp	_PopPlatformAoAc, 0
		jnz	loc_AE4AB1

loc_AC1A6F:				; CODE XREF: PoInitSystem+23884j
					; PoInitSystem+238A9j ...
		xor	ecx, ecx
		inc	ecx
		call	_PopBatteryQueueWork@4 ; PopBatteryQueueWork(x)
		call	PopSetupKsrCallbacks
		call	_PopHiberEvaluateSkippingMemoryMapValidation@0 ; PopHiberEvaluateSkippingMemoryMapValidation()
		call	_PopReadErrataSkipMemoryOverwriteRequestControlLockAction@0 ; PopReadErrataSkipMemoryOverwriteRequestControlLockAction()
		jmp	loc_AC12A2
PoInitSystem	endp

; 
		align 4

;  S U B	R O U T	I N E 


PopEsInit	proc near		; CODE XREF: PoInitSystem+74Cp

; FUNCTION CHUNK AT 00AE4B21 SIZE 0000008F BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		cmp	ecx, 1
		jnz	short loc_AC1AC3
		xor	esi, esi
		mov	dword_6FC68C, offset PopEsWorker
		mov	_PopEsLock, esi
		mov	dword_6BFD2C, esi
		mov	dword_6FC690, esi
		mov	_PopEsWorkItem,	esi
		call	_PopEsWorkItemSchedule@4 ; PopEsWorkItemSchedule(x)

loc_AC1ABF:				; CODE XREF: PopEsInit+3Ej
					; PopEsInit+23098j ...
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_AC1AC3:				; CODE XREF: PopEsInit+8j
		cmp	_PopPlatformAoAc, 0
		jz	short loc_AC1ABF
		jmp	loc_AE4B21
PopEsInit	endp

; 
		align 2

;  S U B	R O U T	I N E 


SshInitialize	proc near		; CODE XREF: PoInitSystem+4F7p
					; PoInitSystem+666p

; FUNCTION CHUNK AT 00AE4BB0 SIZE 0000000A BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		test	ecx, ecx
		jnz	short loc_AC1B37
		mov	ecx, offset _SshpLibraryListLock
		call	_CmSiRWLockInitialize@4	; CmSiRWLockInitialize(x)
		mov	eax, offset _SshpLibraryList
		push	7
		mov	dword_6BEF9C, eax
		mov	_SshpLibraryList, eax
		mov	eax, offset unk_6BEFC8
		pop	edx

loc_AC1AFC:				; CODE XREF: SshInitialize+3Dj
		lea	ecx, [eax-8]
		call	_CmSiRWLockInitialize@4	; CmSiRWLockInitialize(x)
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 10h
		sub	edx, 1
		jnz	short loc_AC1AFC
		and	_SshpSessionId,	edx
		xor	eax, eax
		and	dword_6BEF84, edx
		mov	edi, offset _SshpSessionGuid
		mov	_SshpInitialized, 1
		stosd
		stosd
		stosd
		stosd

loc_AC1B2F:				; CODE XREF: SshInitialize+ADj
		xor	esi, esi

loc_AC1B31:				; CODE XREF: SshInitialize+B4j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		retn
; 

loc_AC1B37:				; CODE XREF: SshInitialize+7j
		cmp	ecx, 3
		jnz	loc_AE4BB0
		push	ecx
		push	ecx
		call	_SSHSupportEtwRegister@16 ; SSHSupportEtwRegister(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AC1B81
		push	0
		xor	edx, edx
		mov	_SshpTraceHandleRegistered, 1
		mov	ecx, offset dword_6B2FD0
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AC1B81
		mov	_SshpTelemetryHandleRegistered,	1
		call	_SshpSubscribeCallbacks@0 ; SshpSubscribeCallbacks()
		mov	esi, eax
		test	esi, esi
		js	short loc_AC1B81
		call	_SshpQueryRegistryValues@0 ; SshpQueryRegistryValues()
		jmp	short loc_AC1B2F
; 

loc_AC1B81:				; CODE XREF: SshInitialize+79j
					; SshInitialize+94j ...
		call	_SshpUninitialize@0 ; SshpUninitialize()
		jmp	short loc_AC1B31
SshInitialize	endp


;  S U B	R O U T	I N E 


; __stdcall PopInitializeDirectedDrips(x)
_PopInitializeDirectedDrips@4 proc near	; CODE XREF: PoInitSystem+4F0p
					; PoInitSystem+7D0p
		mov	edi, edi
		push	ecx
		test	ecx, ecx
		jnz	short loc_AC1B96
		call	_PopDirectedDripsInitializePhase0@4 ; PopDirectedDripsInitializePhase0(x)

loc_AC1B94:				; CODE XREF: PopInitializeDirectedDrips(x)+11j
					; PopInitializeDirectedDrips(x)+1Aj
		pop	ecx
		retn
; 

loc_AC1B96:				; CODE XREF: PopInitializeDirectedDrips(x)+5j
		cmp	ecx, 3
		jnz	short loc_AC1B94
		call	PopDirectedDripsInitializePhase3
		test	eax, eax
		js	short loc_AC1B94
		push	0
		push	2
		call	_PopQueueDirectedDripsWork@12 ;	PopQueueDirectedDripsWork(x,x,x)
		pop	ecx
		retn
_PopInitializeDirectedDrips@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopInitializePowerButtonHold(x)
_PopInitializePowerButtonHold@4	proc near ; CODE XREF: PoInitSystem+4CDp
					; PoInitSystem+598p

var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 23Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_214], esi
		mov	[ebp+var_21C], esi
		mov	[ebp+var_218], esi
		sub	ecx, esi
		jz	loc_AC1C9F
		sub	ecx, 1
		jnz	loc_AC1C92
		lea	eax, [ebp+var_238]
		push	eax		; int
		push	208h		; int
		lea	eax, [ebp+var_210]
		push	eax		; void *
		push	esi		; int
		push	offset ??_C@_1HC@DOINKFBC@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@PBOPGDP@ ; void	*
		push	esi		; int
		push	offset ??_C@_1DI@GNGJCIJC@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAB?$AAu?$AAt?$AAt?$AAo?$AAn?$AAB?$AAu?$AAg?$AAc@PBOPGDP@ ; int
		call	RtlGetPersistedStateLocation
		test	eax, eax
		js	short loc_AC1C92
		lea	eax, [ebp+var_210]
		push	eax
		lea	eax, [ebp+var_21C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_21C]
		mov	[ebp+var_234], 18h
		mov	[ebp+var_22C], eax
		lea	eax, [ebp+var_234]
		push	eax
		push	11h
		lea	eax, [ebp+var_214]
		mov	[ebp+var_230], esi
		push	eax
		mov	[ebp+var_228], 240h
		mov	[ebp+var_224], esi
		mov	[ebp+var_220], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_AC1C92
		mov	ecx, [ebp+var_214]
		mov	dword_6BFDE8, offset _PopPowerButtonBugcheckWatchCallback@4 ; PopPowerButtonBugcheckWatchCallback(x)
		mov	dword_6BFDEC, ecx
		mov	_PopPowerButtonBugcheckWatchWorkItem, esi
		call	PopPowerButtonBugcheckConfigure

loc_AC1C92:				; CODE XREF: PopInitializePowerButtonHold(x)+35j
					; PopInitializePowerButtonHold(x)+61j ...
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AC1C9F:				; CODE XREF: PopInitializePowerButtonHold(x)+2Cj
		push	84h		; size_t
		push	esi		; int
		push	offset unk_6BFE04 ; void *
		mov	_PopAcpiPdttSupportEnabled, esi
		mov	_PopPowerButtonBugcheckConfig, esi
		mov	_PopPowerButtonBugcheckLock, esi
		call	_memset
		add	esp, 0Ch
		push	70h		; size_t
		push	esi		; int
		push	offset _PopPowerButtonTriageBlock ; void *
		call	_memset
		add	esp, 0Ch
		mov	_PopPowerButtonTriageBlock, 2
		mov	edx, offset _PopPowerButtonWorkCallback@4 ; PopPowerButtonWorkCallback(x)
		mov	dword_6BFDB0, esi
		mov	ecx, offset unk_6BFE60
		mov	dword_6BFDB4, esi
		mov	dword_6BFDC0, offset _PopBlackBoxEntries
		push	esi
		mov	dword_6BFDC4, esi
		mov	dword_6BFDC8, 16h
		mov	_PopPowerButtonHold, esi
		call	_PopInitializeWorkItem@12 ; PopInitializeWorkItem(x,x,x)
		jmp	loc_AC1C92
_PopInitializePowerButtonHold@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopNetInitialize proc near		; CODE XREF: PoInitSystem+4C6p
					; PoInitSystem+779p

var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 00AE4BBA SIZE 00000083 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], 500h
		mov	[ebp+var_C], ebx
		mov	byte ptr [ebp+var_1], bl
		push	esi
		push	edi
		test	ecx, ecx
		jz	short loc_AC1DA9
		cmp	ecx, 3
		jnz	short loc_AC1D96
		cmp	_PopNetDeferLogRequest,	bl
		jnz	loc_AE4BC4

loc_AC1D4E:				; CODE XREF: PopNetInitialize+22EB5j
		cmp	ds:_PopEnforceDisconnectedStandby, ebx
		jnz	loc_AE4BDA
		cmp	_PopNetStandbyStateMask, ebx
		jnz	short loc_AC1D76
		cmp	_PopPlatformAoAc, bl
		jnz	loc_AE4BE1
		push	6

loc_AC1D70:				; CODE XREF: PopNetInitialize+22EBCj
		pop	ecx
		call	PopNetSetConnectivityConstraint

loc_AC1D76:				; CODE XREF: PopNetInitialize+40j
					; PopNetInitialize+22EC7j ...
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	1
		lea	eax, [ebp+var_1]
		push	eax
		push	offset _WNF_PO_OPPORTUNISTIC_CS
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		cmp	_PopPlatformAoAc, bl
		jnz	loc_AE4C05

loc_AC1D96:				; CODE XREF: PopNetInitialize+20j
					; PopNetInitialize+127j ...
		mov	edi, ebx
		mov	esi, ebx

loc_AC1D9A:				; CODE XREF: PopNetInitialize+C4j
		test	esi, esi
		jnz	loc_AE4C2D

loc_AC1DA2:				; CODE XREF: PopNetInitialize+22E9Fj
					; PopNetInitialize+22F18j
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AC1DA9:				; CODE XREF: PopNetInitialize+1Bj
		push	6
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		push	74654E50h
		mov	edi, eax
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_AE4BBA
		push	edi		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_C]
		push	6
		push	eax
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_AC1D9A
		push	ecx
		push	ebx
		mov	dword ptr [esi+8], 50h
		mov	edx, offset _PopNetEvaluationTimerCallback@8 ; PopNetEvaluationTimerCallback(x,x)
		push	ecx
		mov	dword ptr [esi+0Ch], 7688ED03h
		mov	dword ptr [esi+10h], 7283ADE4h
		push	offset PopNetEvaluationWorkerCallback
		mov	dword ptr [esi+14h], 168B5A20h
		push	ecx
		mov	dword ptr [esi+18h], 0A12DF105h
		mov	ecx, offset _PopNetEvaluationTimer
		mov	dword ptr [esi+1Ch], 35134F48h
		mov	_PopNetBIServiceSid, esi
		call	_PopInitializeIRTimer@28 ; PopInitializeIRTimer(x,x,x,x,x,x,x)
		push	ecx
		push	5
		push	ecx
		push	offset _PopNetRefreshTimerWorkerCallback@4 ; PopNetRefreshTimerWorkerCallback(x)
		push	ecx
		mov	edx, offset _PopNetRefreshTimerCallback@8 ; PopNetRefreshTimerCallback(x,x)
		mov	ecx, offset _PopNetRefreshTimer
		call	_PopInitializeIRTimer@28 ; PopInitializeIRTimer(x,x,x,x,x,x,x)
		jmp	loc_AC1D96
PopNetInitialize endp


;  S U B	R O U T	I N E 


; __stdcall PopDeepSleepInitialize(x)
_PopDeepSleepInitialize@4 proc near	; CODE XREF: PoInitSystem+3FFp
					; PoInitSystem+721p
		test	ecx, ecx
		jnz	short loc_AC1E71
		and	dword_6C00DC, ecx
		and	_PopDeepSleepEvaluateWorkItem, ecx
		mov	_PopDeepSleepDisengageReasonMask, 41h
		mov	dword_6C00D8, offset _PopDeepSleepEvaluateCallback@4 ; PopDeepSleepEvaluateCallback(x)

locret_AC1E70:				; CODE XREF: PopDeepSleepInitialize(x)+28j
					; PopDeepSleepInitialize(x)+31j
		retn
; 

loc_AC1E71:				; CODE XREF: PopDeepSleepInitialize(x)+2j
		cmp	ecx, 3
		jnz	short locret_AC1E70
		cmp	byte_6C2E34, 0
		jnz	short locret_AC1E70
		or	_PopDeepSleepDisengageReasonMask, 2
		retn
_PopDeepSleepInitialize@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspInitPhase0	proc near		; CODE XREF: PsInitSystem+2Ep

var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= byte ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= byte ptr -28h
var_24		= dword	ptr -24h
var_20		= byte ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= byte ptr -18h
var_14		= dword	ptr -14h
var_10		= byte ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE4C3D SIZE 00000041 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		add	ds:_PspMinimumWorkingSet, 1Eh
		xor	edx, edx
		add	ds:_PspMaximumWorkingSet, 12Ch
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_C8], ecx
		mov	edi, offset _PspHardenedMitigationOptionsMap
		push	6
		pop	ecx
		rep stosd
		mov	[ebp+var_60], edx
		mov	ecx, edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_C4], edx
		mov	[ebp+var_34], edx
		mov	[ebp+var_30], 1
		mov	[ebp+var_2C], 2
		mov	[ebp+var_28], 3
		mov	[ebp+var_24], 3
		mov	[ebp+var_20], 1
		mov	[ebp+var_1C], 1
		mov	[ebp+var_18], 1
		mov	[ebp+var_14], 4
		mov	[ebp+var_10], 1
		mov	[ebp+var_C], 5
		mov	[ebp+var_8], 1
		mov	[ebp+var_54], 7
		mov	[ebp+var_50], 19h
		mov	[ebp+var_4C], 14h
		mov	[ebp+var_48], 15h
		mov	[ebp+var_44], 16h
		mov	[ebp+var_40], 17h
		mov	[ebp+var_3C], 18h
		mov	[ebp+var_38], 1Ah
		mov	[ebp+var_58], edx

loc_AC1F4C:				; CODE XREF: PspInitPhase0+124j
		mov	eax, [ebp+ecx*8+var_34]
		shl	eax, 2
		mov	ebx, eax
		shr	eax, 6
		mov	[ebp+var_64], eax
		and	ebx, 3Fh
		movzx	eax, [ebp+ecx*8+var_30]
		mov	ecx, ebx
		cdq
		call	__allshl
		push	3
		mov	esi, eax
		mov	edi, edx
		pop	eax
		xor	edx, edx
		mov	ecx, ebx
		call	__allshl
		mov	ecx, [ebp+var_64]
		not	eax
		not	edx
		and	eax, ds:_PspHardenedMitigationOptionsMap[ecx*8]
		and	edx, ds:dword_70EF04[ecx*8]
		or	esi, eax
		or	edi, edx
		mov	ds:_PspHardenedMitigationOptionsMap[ecx*8], esi
		mov	ds:dword_70EF04[ecx*8],	edi
		mov	ecx, [ebp+var_58]
		inc	ecx
		mov	[ebp+var_58], ecx
		cmp	ecx, 6
		jb	short loc_AC1F4C
		mov	ecx, ds:_PspSystemMitigationOptionsLength
		push	18h
		pop	ebx
		cmp	ecx, ebx
		jnb	short loc_AC1FD1
		mov	eax, ebx
		sub	eax, ecx
		push	eax		; size_t
		lea	eax, _PspSystemMitigationOptions[ecx]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_AC1FD1:				; CODE XREF: PspInitPhase0+131j
		sub	esp, 18h
		mov	ds:_PspSystemMitigationOptionsLength, ebx
		mov	esi, offset _PspSystemMitigationOptions
		push	6
		pop	ecx
		mov	edi, esp
		rep movsd
		mov	cl, 1
		call	_PspValidateMitigationOptions@28 ; PspValidateMitigationOptions(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_AE4C3D

loc_AC1FF5:				; CODE XREF: PspInitPhase0+22DC1j
		xor	edi, edi

loc_AC1FF7:				; CODE XREF: PspInitPhase0+19Ej
		mov	ecx, [ebp+edi*4+var_54]
		xor	edx, edx
		shl	ecx, 2
		mov	esi, ecx
		and	ecx, 3Fh
		push	3
		pop	eax
		shr	esi, 6
		call	__allshl
		not	eax
		not	edx
		and	ds:_PspSystemMitigationOptions[esi*8], eax
		and	ds:dword_70EEC4[esi*8],	edx
		inc	edi
		cmp	edi, 8
		jb	short loc_AC1FF7
		mov	eax, ds:_PspSystemMitigationAuditOptionsLength
		mov	[ebp+var_64], eax
		cmp	eax, ebx
		jb	loc_AE4C4E
		xor	ebx, ebx

loc_AC203A:				; CODE XREF: PspInitPhase0+22DDBj
		sub	esp, 18h
		mov	esi, offset _PspSystemMitigationAuditOptions
		push	6
		pop	ecx
		mov	edi, esp
		rep movsd
		call	_PspValidateMitigationAuditOptions@24 ;	PspValidateMitigationAuditOptions(x,x,x,x,x,x)
		test	eax, eax
		js	loc_AE4C68

loc_AC2056:				; CODE XREF: PspInitPhase0+22DF1j
		call	_PspInitializeCallbacks@0 ; PspInitializeCallbacks()
		mov	edx, ds:_PsRawPrioritySeparation
		xor	cl, cl
		call	PsChangeQuantumTable
		mov	eax, offset _PsActiveProcessHead
		mov	ds:_PspActiveProcessLock, ebx
		mov	dword_6BEEDC, eax
		mov	_PsActiveProcessHead, eax
		mov	eax, large fs:124h
		mov	ecx, [eax+80h]
		mov	ds:_PsIdleProcess, ecx
		mov	[ecx+0E0h], ebx
		add	ecx, 0F0h
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	eax, ds:_PsIdleProcess
		push	58h
		pop	esi
		push	esi		; size_t
		mov	[eax+9Ch], ebx
		lea	eax, [ebp+var_C0]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	word ptr [ebp+var_C0], si
		lea	eax, [ebp+var_60]
		mov	[ebp+var_9C], 200h
		push	offset ??_C@_17EKANHMLE@?$AAJ?$AAo?$AAb@PBOPGDP@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_BC], 800h
		lea	edi, [ebp+var_B4]
		mov	[ebp+var_98], ebx
		mov	esi, offset _PspJobMapping
		mov	[ebp+var_94], 3C0h
		mov	[ebp+var_84], offset PspJobDelete
		mov	[ebp+var_88], offset PspJobClose
		mov	[ebp+var_A4], 1F003Fh
		movsd
		push	offset _PsJobType
		push	ebx
		movsd
		movsd
		movsd
		mov	al, byte ptr [ebp+var_C0+2]
		and	al, 77h
		mov	[ebp+var_B8], ebx
		or	al, 8
		mov	byte ptr [ebp+var_C0+2], al
		lea	eax, [ebp+var_C0]
		push	eax
		lea	eax, [ebp+var_60]
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC26A4
		mov	ecx, ds:_PsJobType
		xor	edx, edx
		inc	edx
		call	SeRegisterObjectTypeMandatoryPolicy
		test	eax, eax
		js	loc_AC26A4
		push	offset ??_C@_1BA@NMDNJJOO@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs@PBOPGDP@
		lea	eax, [ebp+var_60]
		mov	[ebp+var_B8], 0B0h
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_BC], 20h
		lea	edi, [ebp+var_B4]
		mov	[ebp+var_94], 500h
		mov	esi, (offset loc_AF6B6F+1)
		mov	[ebp+var_84], offset PspProcessDelete
		mov	eax, 1000h
		mov	[ebp+var_98], eax
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_8C], offset _PspProcessOpen@24	; PspProcessOpen(x,x,x,x,x,x)
		mov	[ebp+var_88], offset PspProcessClose
		mov	[ebp+var_A4], 1FFFFFh
		mov	[ebp+var_A0], 101000h
		movsd
		push	offset _PsProcessType
		push	ebx
		push	eax
		movsd
		lea	eax, [ebp+var_60]
		push	eax
		movsd
		movsd
		or	byte ptr [ebp+var_C0+2], 0C2h
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC26A4
		mov	ecx, ds:_PsProcessType
		push	3
		pop	edx
		call	SeRegisterObjectTypeMandatoryPolicy
		test	eax, eax
		js	loc_AC26A4
		push	offset ??_C@_1O@CDOGJPJJ@?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd@PBOPGDP@
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_BC], 4
		lea	edi, [ebp+var_B4]
		mov	[ebp+var_98], ebx
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_94], 4E0h
		mov	esi, (offset loc_AF6B7F+1)
		mov	[ebp+var_84], offset PspThreadDelete
		mov	[ebp+var_8C], offset PspThreadOpen
		mov	[ebp+var_88], ebx
		mov	[ebp+var_A4], 1FFFFFh
		mov	[ebp+var_A0], 101800h
		movsd
		push	offset _PsThreadType
		push	ebx
		push	eax
		movsd
		lea	eax, [ebp+var_60]
		push	eax
		movsd
		movsd
		or	byte ptr [ebp+var_C0+2], 80h
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC26A4
		mov	ecx, ds:_PsThreadType
		push	3
		pop	edx
		call	SeRegisterObjectTypeMandatoryPolicy
		test	eax, eax
		js	loc_AC26A4
		push	offset ??_C@_1BE@CBCOEOIA@?$AAP?$AAa?$AAr?$AAt?$AAi?$AAt?$AAi?$AAo?$AAn@PBOPGDP@ ; "Partition"
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_C0]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		or	byte ptr [ebp+var_C0+2], 0Ch
		lea	edi, [ebp+var_B4]
		mov	word ptr [ebp+var_C0], si
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_B8], 10h
		mov	esi, offset _PspPartitionMapping
		add	esp, 0Ch
		movsd
		push	offset _PsPartitionType
		push	ebx
		push	eax
		movsd
		lea	eax, [ebp+var_60]
		push	eax
		movsd
		movsd
		mov	edi, 200h
		mov	[ebp+var_A4], 1F0003h
		mov	[ebp+var_9C], edi
		mov	[ebp+var_94], 40h
		mov	[ebp+var_8C], offset PspOpenPartitionHandle
		mov	[ebp+var_88], offset PspClosePartitionHandle
		mov	[ebp+var_84], offset _PspDeletePartition@4 ; PspDeletePartition(x)
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC26A4
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_C0]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	word ptr [ebp+var_C0], si
		add	esp, 0Ch
		mov	[ebp+var_9C], edi
		mov	esi, (offset loc_AF6AD3+5)
		mov	[ebp+var_B8], 0B0h
		lea	edi, [ebp+var_B4]
		movsd
		movsd
		movsd
		movsd
		mov	al, byte ptr [ebp+var_C0+2]
		mov	esi, offset _PspMemoryReserveObjectNames
		and	al, 7Dh
		mov	[ebp+var_A4], 0F0003h
		or	al, 2
		mov	edi, ebx
		mov	byte ptr [ebp+var_C0+2], al

loc_AC23C1:				; CODE XREF: PspInitPhase0+56Ej
		mov	eax, ds:_PspMemoryReserveObjectSizes[edi]
		mov	[ebp+var_94], eax
		lea	eax, _PspMemoryReserveObjectTypes[edi]
		push	eax
		push	ebx
		lea	eax, [ebp+var_C0]
		push	eax
		push	esi
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC26A4
		add	esi, 8
		add	edi, 4
		cmp	esi, offset _PspSiloStorageNonPagedTypeName
		jl	short loc_AC23C1
		push	offset ??_C@_1CE@KMPMCJPP@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAi?$AAt?$AAy?$AAR?$AAe?$AAf?$AAe?$AAr?$AAe?$AAn@PBOPGDP@ ; "ActivityReference"
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_C0]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	word ptr [ebp+var_C0], si
		lea	edi, [ebp+var_B4]
		mov	[ebp+var_9C], 1
		lea	eax, [ebp+var_C0]
		mov	[ebp+var_98], 4
		mov	esi, offset _PspActivityReferenceMapping
		mov	[ebp+var_B8], 192h
		add	esp, 0Ch
		movsd
		push	offset _PspActivityReferenceObjectType
		push	ebx
		push	eax
		movsd
		lea	eax, [ebp+var_60]
		push	eax
		movsd
		movsd
		or	byte ptr [ebp+var_C0+2], 4
		mov	[ebp+var_A4], 1F0000h
		mov	[ebp+var_88], offset _PspCloseActivityReference@16 ; PspCloseActivityReference(x,x,x,x)
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC26A4
		call	PspInitializeJobStructures
		test	al, al
		jz	loc_AC26A4
		call	PspInitializeSiloStructures
		test	al, al
		jz	loc_AC26A4
		mov	eax, offset _PspWorkingSetChangeHead
		mov	dword_6BEF18, ebx
		xor	edx, edx
		mov	dword_6BEF14, eax
		xor	ecx, ecx
		mov	_PspWorkingSetChangeHead, eax
		mov	ds:_PspAffinityUpdateLock, ebx
		call	ExCreateHandleTable
		mov	ds:_PspCidTable, eax
		test	eax, eax
		jz	loc_AC26A4
		mov	ecx, offset _PsWin32CallBack
		call	_CmSiRWLockInitialize@4	; CmSiRWLockInitialize(x)
		mov	ecx, offset _PsWin32NullCallBack
		call	_CmSiRWLockInitialize@4	; CmSiRWLockInitialize(x)
		mov	eax, ds:_PspCidTable
		xor	dl, dl
		push	ebx
		push	1
		mov	ecx, offset _LdtMutex
		or	byte ptr [eax+1Ch], 1
		call	KiInitializeMutant
		push	offset _VdmIoListCreationResource
		call	ExInitializeResourceLite
		test	eax, eax
		js	loc_AC26A4
		mov	eax, ds:_PsIdleProcess
		mov	_PsReaperListHead, ebx
		mov	dword_6BEEC8, offset PspReaper
		mov	dword_6BEECC, ebx
		mov	_PsReaperWorkItem, ebx
		mov	dword_6BEF08, offset _PspProcessRundownWorker@4	; PspProcessRundownWorker(x)
		mov	dword_6BEF0C, ebx
		mov	_PspProcessRundownWorkItem, ebx
		mov	dword_6BEEF8, offset _PspProcessRundownWorkerSingle@4 ;	PspProcessRundownWorkerSingle(x)
		mov	dword_6BEEFC, ebx
		mov	_PspProcessRundownCacheWorkItem, ebx
		mov	eax, [eax+12Ch]
		and	eax, 0FFFFFFF8h
		mov	ds:_PspBootAccessToken,	eax
		call	PspInitializeSystemPartitionPhase0
		test	eax, eax
		js	loc_AC26A4
		mov	esi, ds:_PspSystemPartition
		mov	edx, 1FFFFFh
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	ecx, [esi+38h]
		call	PspCreateProcess
		test	eax, eax
		js	loc_AC26A4
		mov	eax, ds:_PsProcessType
		lea	edx, [ebp+var_58]
		mov	ecx, [esi+38h]
		push	ebx
		push	edx
		push	ebx
		push	eax
		push	ebx
		push	ecx
		mov	[ebp+var_58], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [ebp+var_58]
		mov	[esi+34h], ecx
		test	eax, eax
		js	loc_AC26A4
		mov	ds:_PsInitialSystemProcess, ecx
		lea	eax, [ecx+490h]
		mov	edx, 40000000h
		lock or	[eax], edx
		mov	eax, ds:_PsInitialSystemProcess
		mov	ecx, 2000h
		add	eax, 494h
		lock or	[eax], ecx
		mov	eax, ds:_PsInitialSystemProcess
		mov	ecx, 1000h
		add	eax, 3A8h
		lock or	[eax], ecx
		mov	eax, ds:_PsIdleProcess
		push	offset ??_C@_04IBDNPPCI@Idle@PBOPGDP@ ;	"Idle"
		add	eax, 1ACh
		push	0Fh
		push	eax
		call	_strcpy_s
		mov	eax, ds:_PsInitialSystemProcess
		add	esp, 0Ch
		add	eax, 1ACh
		push	offset ??_C@_06JIODDOFH@System@PBOPGDP@
		push	0Fh
		push	eax
		call	_strcpy_s
		add	esp, 0Ch
		push	61506553h
		push	8
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, ds:_PsInitialSystemProcess
		mov	[ecx+1C0h], eax
		mov	eax, ds:_PsInitialSystemProcess
		mov	eax, [eax+1C0h]
		test	eax, eax
		jz	short loc_AC26A4
		push	[ebp+var_C8]
		lea	ecx, [ebp+var_C4]
		mov	[eax], ebx
		push	offset _Phase1Initialization@4 ; Phase1Initialization(x)
		push	ebx
		push	ebx
		push	ebx
		push	1FFFFFh
		push	ecx
		mov	[eax+4], ebx
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AC26A4
		push	ebx
		push	[ebp+var_C4]
		call	ObCloseHandle
		mov	_PsVmProcessorHostTransitionEvent, ebx
		mov	al, 1

loc_AC2695:				; CODE XREF: PspInitPhase0+81Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AC26A4:				; CODE XREF: PspInitPhase0+2CBj
					; PspInitPhase0+2E1j ...
		xor	al, al
		jmp	short loc_AC2695
PspInitPhase0	endp

; 

; __stdcall IoInitSystemPreDrivers(x)
_IoInitSystemPreDrivers@4:		; CODE XREF: IoInitSystem+12p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp-4], eax
		push	ebx
		push	esi
		xor	edx, edx
		mov	dword ptr [ebp-60h], offset _IoInitSystem_deviceNameBuffer
		push	edi
		push	8
		mov	ebx, ecx
		mov	[ebp-7Ch], edx
		pop	ecx
		xor	eax, eax
		mov	[ebp-78h], edx
		lea	edi, [ebp-24h]
		mov	[ebp-74h], edx
		rep stosd
		push	offset _IopDriverLoadResource
		mov	[ebp-70h], edx
		mov	[ebp-5Ch], edx
		mov	[ebp-58h], edx
		mov	[ebp-54h], edx
		mov	[ebp-2Ch], edx
		mov	[ebp-6Ch], edx
		mov	[ebp-68h], edx
		mov	[ebp-25h], dl
		mov	dword ptr [ebp-64h], 1000000h
		call	ExInitializeResourceLite
		push	offset _IopDatabaseResource
		call	ExInitializeResourceLite
		push	offset _IopSecurityResource
		call	ExInitializeResourceLite
		push	offset _IopCrashDumpLock
		call	ExInitializeResourceLite
		push	offset _IopLiveDumpLock
		call	ExInitializeResourceLite
		mov	ecx, offset _IopFilesystemDatabaseShutdownRundown
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	eax, offset _IopDiskFileSystemQueueHead
		xor	ecx, ecx
		mov	dword_6CCD94, eax
		mov	_IopDiskFileSystemQueueHead, eax
		mov	eax, offset _IopCdRomFileSystemQueueHead
		mov	dword_6CCD8C, eax
		mov	_IopCdRomFileSystemQueueHead, eax
		mov	eax, offset _IopTapeFileSystemQueueHead
		mov	dword_6CCD6C, eax
		mov	_IopTapeFileSystemQueueHead, eax
		mov	eax, offset _IopNetworkFileSystemQueueHead
		mov	dword_6CCD64, eax
		mov	_IopNetworkFileSystemQueueHead,	eax
		mov	eax, offset _IopBootDriverReinitializeQueueHead
		mov	dword_6CCD7C, eax
		mov	_IopBootDriverReinitializeQueueHead, eax
		mov	eax, offset _IopDriverReinitializeQueueHead
		mov	dword_6CCD74, eax
		mov	_IopDriverReinitializeQueueHead, eax
		mov	eax, offset _IopNotifyShutdownQueueHead
		mov	dword_6CCDBC, eax
		mov	_IopNotifyShutdownQueueHead, eax
		mov	eax, offset _IopNotifyLastChanceShutdownQueueHead
		mov	dword_6CCDB4, eax
		mov	_IopNotifyLastChanceShutdownQueueHead, eax
		mov	eax, offset _IopFsNotifyChangeQueueHead
		mov	dword_6CCDCC, eax
		mov	_IopFsNotifyChangeQueueHead, eax
		mov	eax, offset _IopPerfIoTrackingListHead
		mov	dword_6CCDC4, eax
		mov	_IopPerfIoTrackingListHead, eax
		rdtsc
		shrd	eax, edx, 4
		push	ecx
		push	64h
		shr	edx, 4
		push	edx
		push	eax
		mov	_IopPerfIoTrackingLock,	ecx
		mov	ds:_IoStatisticsLock, ecx
		mov	_IopFunctionPointerLock, ecx
		mov	_IopDiskIoAttributionTree, ecx
		mov	dword_6CCDA4, ecx
		mov	_IopUniqueDeviceObjectNumber, ecx
		call	__aullrem
		add	eax, 0Ah
		and	_IopIrpStackProfilerFlags, 0
		xor	ecx, ecx
		mov	_IopUniqueDriverObjectNumber, eax
		inc	ecx
		xor	eax, eax
		cmp	_IopLargeIrpStackLocations, eax
		jnz	short loc_AC2836
		mov	_IopLargeIrpStackLocations, 0Eh
		mov	eax, ecx
		mov	_IopIrpStackProfilerFlags, ecx

loc_AC2836:				; CODE XREF: INIT:00AC2822j
		cmp	_IopMediumIrpStackLocations, 0
		jnz	short loc_AC2851
		or	eax, 2
		mov	_IopMediumIrpStackLocations, 4
		mov	_IopIrpStackProfilerFlags, eax

loc_AC2851:				; CODE XREF: INIT:00AC283Dj
		mov	eax, _IopIrpCompletionTimeoutInSeconds
		mov	ecx, 12Ch
		cmp	eax, ecx
		ja	short loc_AC2864
		cmp	eax, 2
		jnb	short loc_AC286A

loc_AC2864:				; CODE XREF: INIT:00AC285Dj
		mov	_IopIrpCompletionTimeoutInSeconds, ecx

loc_AC286A:				; CODE XREF: INIT:00AC2862j
		lea	ecx, [ebp-24h]
		call	_IopQueryProcessorInitValues@4 ; IopQueryProcessorInitValues(x)
		mov	esi, offset _ExSystemLookasideListHead
		mov	edi, 200h
		push	esi
		push	dword ptr [ebp-1Eh]
		mov	edx, edi
		mov	ecx, offset _IopCompletionLookasideList
		push	20706349h
		push	1Ch
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		push	esi
		push	dword ptr [ebp-20h]
		mov	edx, edi
		mov	ecx, offset _IopLargeIrpLookasideList
		push	6C707249h
		push	dword ptr [ebp-10h]
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		push	esi
		push	dword ptr [ebp-22h]
		mov	edx, edi
		mov	ecx, offset _IopMediumIrpLookasideList
		push	6D707249h
		push	dword ptr [ebp-14h]
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		push	esi
		push	dword ptr [ebp-24h]
		mov	edx, edi
		mov	ecx, offset _IopSmallIrpLookasideList
		push	73707249h
		push	dword ptr [ebp-18h]
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		push	esi
		push	dword ptr [ebp-1Ch]
		mov	edx, edi
		mov	ecx, offset _IopMdlLookasideList
		push	206C644Dh
		push	dword ptr [ebp-0Ch]
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		xor	eax, eax
		push	eax
		push	73556F49h
		push	10h
		push	edi
		push	eax
		push	eax
		push	offset _IopSafeCompletionLookasideList
		call	_ExInitializeNPagedLookasideList@28 ; ExInitializeNPagedLookasideList(x,x,x,x,x,x,x)
		push	69536F49h
		push	112h
		push	0
		push	offset _IopSymlinkInfoLookasideList
		call	_FsRtlInitExtraCreateParameterLookasideList@16 ; FsRtlInitExtraCreateParameterLookasideList(x,x,x,x)
		xor	eax, eax
		push	eax
		push	7443704Fh
		push	2Ch
		push	edi
		push	eax
		push	eax
		push	offset _IopOplockFoExtLookasideList
		call	_ExInitializeNPagedLookasideList@28 ; ExInitializeNPagedLookasideList(x,x,x,x,x,x,x)
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	esi, eax
		xor	ecx, ecx
		mov	[ebp-38h], ecx
		test	esi, esi
		jz	short loc_AC2966

loc_AC294C:				; CODE XREF: INIT:00AC2964j
		mov	ecx, ds:_KiProcessorBlock[ecx*4]
		lea	edx, [ebp-24h]
		call	IoInitializeProcessor
		mov	ecx, [ebp-38h]
		inc	ecx
		mov	[ebp-38h], ecx
		cmp	ecx, esi
		jb	short loc_AC294C

loc_AC2966:				; CODE XREF: INIT:00AC294Aj
		and	ds:_IopErrorLogLock, 0
		mov	eax, offset _IopErrorLogListHead
		mov	dword_6CCE6C, eax
		mov	_IopErrorLogListHead, eax
		call	_IopInitializeReserveIrps@4 ; IopInitializeReserveIrps(x)
		test	al, al
		jnz	short loc_AC29A0
		mov	_IopInitFailCode, 1

loc_AC298F:				; CODE XREF: INIT:00AC2B8Fj
					; INIT:00AC2C07j ...
		xor	al, al

loc_AC2991:				; CODE XREF: INIT:00AC3037j
		mov	ecx, [ebp-4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AC29A0:				; CODE XREF: INIT:00AC2983j
		test	byte ptr _IopIrpStackProfilerFlags, 3
		jz	short loc_AC29D9
		push	0
		push	offset _IopIrpStackProfilerDpcRoutine@16 ; IopIrpStackProfilerDpcRoutine(x,x,x,x)
		push	offset _IopIrpStackProfilerDpc
		mov	_IopIrpStackProfilerMinSizeThreshold, 190h
		mov	_IopIrpStackProfilerSampleSize,	7D0h
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	4
		pop	edi
		or	_IopIrpStackProfilerFlags, edi
		jmp	short loc_AC29DC
; 

loc_AC29D9:				; CODE XREF: INIT:00AC29A7j
		push	4
		pop	edi

loc_AC29DC:				; CODE XREF: INIT:00AC29D7j
		mov	esi, _IopRevocationExtension
		push	2Ch
		push	0
		push	esi
		call	_memset
		add	esp, 0Ch
		mov	[esi], edi
		call	_IopConfigureDiskIoAttribution@0 ; IopConfigureDiskIoAttribution()
		xor	eax, eax
		mov	dword ptr [ebp-44h], 240h
		push	18h
		pop	esi
		mov	[ebp-4Ch], eax
		mov	[ebp-40h], eax
		mov	[ebp-3Ch], eax
		lea	eax, [ebp-50h]
		push	eax
		push	20019h
		lea	eax, [ebp-2Ch]
		mov	[ebp-50h], esi
		push	eax
		mov	dword ptr [ebp-48h], offset _CmRegistryMachineSystemCurrentControlSetServicesEventLog
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_AC2A7C
		push	offset ??_C@_1M@IOJLKPKK@?$AAS?$AAt?$AAa?$AAr?$AAt@PBOPGDP@
		lea	eax, [ebp-58h]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp-38h]
		push	eax
		push	20h
		push	offset _IoInitSystem_valueBuffer
		push	2
		lea	eax, [ebp-58h]
		push	eax
		push	dword ptr [ebp-2Ch]
		call	NtQueryValueKey
		test	eax, eax
		js	short loc_AC2A69
		cmp	ds:dword_AFDF0C, edi
		jnz	short loc_AC2A69
		cmp	ds:dword_AFDF14, edi
		setz	al
		jmp	short loc_AC2A6B
; 

loc_AC2A69:				; CODE XREF: INIT:00AC2A54j
					; INIT:00AC2A5Cj
		mov	al, 1

loc_AC2A6B:				; CODE XREF: INIT:00AC2A67j
		push	0
		push	dword ptr [ebp-2Ch]
		mov	_IopErrorLogDisabledThisBoot, al
		call	ObCloseHandle
		jmp	short loc_AC2A83
; 

loc_AC2A7C:				; CODE XREF: INIT:00AC2A29j
		mov	_IopErrorLogDisabledThisBoot, 1

loc_AC2A83:				; CODE XREF: INIT:00AC2A7Aj
		and	ds:_IopTimerLock, 0
		mov	eax, offset _IopTimerQueueHead
		push	offset _IopTimerCount
		push	offset _IopTimerDispatch@16 ; IopTimerDispatch(x,x,x,x)
		push	offset _IopTimerDpc
		mov	dword_6CCEDC, eax
		mov	_IopTimerQueueHead, eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	1
		push	offset _IopTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		xor	ecx, ecx
		mov	dword_6CCF48, offset _IopHardErrorThread@4 ; IopHardErrorThread(x)
		mov	eax, offset _IopDeadIrps
		mov	dword_6CCF4C, ecx
		push	7FFFFFFFh
		mov	dword_6CCECC, eax
		mov	_IopDeadIrps, eax
		mov	eax, offset dword_6CCF50
		push	ecx
		push	offset unk_6CCF5C
		mov	_IopHardError, ecx
		mov	dword_6CCF54, eax
		mov	dword_6CCF50, eax
		mov	dword_6CCF58, ecx
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		mov	eax, offset dword_6CCF90
		mov	dword_6CCF88, offset _IopKeepAliveWorker@4 ; IopKeepAliveWorker(x)
		xor	ecx, ecx
		mov	dword_6CCF94, eax
		mov	dword_6CCF90, eax
		lea	eax, [ebp-58h]
		push	offset ??_C@_1CO@KLCFCLGO@?$AA?2?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?2?$AAT?$AAR?$AAK?$AAW?$AAK@PBOPGDP@
		push	eax
		mov	byte_6CCF70, cl
		mov	dword_6CCF8C, ecx
		mov	_IopKeepAliveTracker, ecx
		mov	dword_6CCF98, ecx
		mov	byte_6CCFB0, cl
		mov	_IopErrorLogSessionPending, 1
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ecx, ecx
		mov	[ebp-50h], esi
		push	ecx
		lea	eax, [ebp-58h]
		mov	[ebp-4Ch], ecx
		mov	[ebp-48h], eax
		lea	eax, [ebp-50h]
		push	ecx
		push	eax
		push	1F0003h
		lea	eax, [ebp-2Ch]
		mov	dword ptr [ebp-44h], 210h
		push	eax
		mov	[ebp-40h], ecx
		mov	[ebp-3Ch], ecx
		call	NtCreateEvent
		test	eax, eax
		jns	short loc_AC2B94
		xor	edx, edx
		mov	ecx, edi
		call	HeadlessKernelAddLogEntry
		jmp	loc_AC298F
; 

loc_AC2B94:				; CODE XREF: INIT:00AC2B84j
		xor	ecx, ecx
		lea	eax, [ebp-30h]
		push	ecx
		push	eax
		push	ecx
		push	ds:_ExEventObjectType
		mov	[ebp-30h], ecx
		push	ecx
		push	dword ptr [ebp-2Ch]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	eax, [ebp-30h]
		push	0
		push	0
		push	offset _IopMountCompletionEvent
		mov	ds:_IopLinkTrackingServiceEvent, eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	0
		push	0
		push	offset unk_6CCF10
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	1
		push	1
		push	offset _IopLinkTrackingPortObject
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	0
		push	dword ptr [ebp-2Ch]
		call	ObCloseHandle
		call	_IopCreateRootDirectories@0 ; IopCreateRootDirectories()
		test	al, al
		jnz	short loc_AC2C0C
		push	6
		xor	edx, edx
		pop	ecx
		call	HeadlessKernelAddLogEntry
		mov	_IopInitFailCode, 3
		jmp	loc_AC298F
; 

loc_AC2C0C:				; CODE XREF: INIT:00AC2BF1j
		call	_IopInitializeSessionNotifications@0 ; IopInitializeSessionNotifications()
		test	eax, eax
		jns	short loc_AC2C24
		mov	_IopInitFailCode, 0Fh
		jmp	loc_AC298F
; 

loc_AC2C24:				; CODE XREF: INIT:00AC2C13j
		xor	edx, edx
		mov	ecx, ebx
		call	_IopInitializePlugPlayServices@8 ; IopInitializePlugPlayServices(x,x)
		xor	edx, edx
		test	eax, eax
		jns	short loc_AC2C46
		push	7
		pop	ecx
		call	HeadlessKernelAddLogEntry
		mov	_IopInitFailCode, edi
		jmp	loc_AC298F
; 

loc_AC2C46:				; CODE XREF: INIT:00AC2C31j
		mov	ecx, ebx
		call	KseInitialize
		call	_PoInitDriverServices@0	; PoInitDriverServices()
		call	off_6B2BF0	; xHalProcessorFreeze()
		call	_PnpMarkHalDeviceNode@0	; PnpMarkHalDeviceNode()
		mov	edx, ebx
		xor	ecx, ecx
		call	_WMIInitialize@8 ; WMIInitialize(x,x)
		test	al, al
		jz	loc_AC298F
		call	_RtlIsStateSeparationEnabled@0 ; RtlIsStateSeparationEnabled()
		test	al, al
		jz	short loc_AC2C84
		call	_CmIsStateSeparationDevModeEnabled@0 ; CmIsStateSeparationDevModeEnabled()
		mov	byte ptr [ebp-30h], 1
		test	al, al
		jz	short loc_AC2C88

loc_AC2C84:				; CODE XREF: INIT:00AC2C75j
		mov	byte ptr [ebp-30h], 0

loc_AC2C88:				; CODE XREF: INIT:00AC2C82j
		push	dword ptr [ebp-30h]
		call	ds:__imp__ExpInitializeStateSeparationPhase0@4 ; ExpInitializeStateSeparationPhase0(x)
		test	eax, eax
		jns	short loc_AC2CA0
		cmp	eax, 0C00000BBh
		jnz	loc_AC298F

loc_AC2CA0:				; CODE XREF: INIT:00AC2C93j
		xor	ecx, ecx
		call	EtwInitialize
		push	offset _IoTraceHandle
		push	0
		push	offset _IopEtwEnableCallback@36	; IopEtwEnableCallback(x,x,x,x,x,x,x,x,x)
		push	(offset	loc_409C26+2)
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		test	eax, eax
		jns	short loc_AC2CD0
		mov	_IopInitFailCode, 10h
		jmp	loc_AC298F
; 

loc_AC2CD0:				; CODE XREF: INIT:00AC2CBFj
		push	offset _IoMgrTraceHandle
		push	0
		push	0
		push	offset _IoMgrProvider
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		test	eax, eax
		jns	short loc_AC2CF6
		mov	_IopInitFailCode, 0Bh
		jmp	loc_AC298F
; 

loc_AC2CF6:				; CODE XREF: INIT:00AC2CE5j
		mov	ecx, [ebx+84h]
		mov	ecx, [ecx+0A64h]
		call	SeAuditBootConfiguration
		xor	ecx, ecx
		inc	ecx
		call	_BootApplicationPersistentDataProcess@4	; BootApplicationPersistentDataProcess(x)
		call	BapdRecordFirmwareBootStats
		push	offset _KdpContext
		push	0
		push	2
		call	ds:__imp__KdInitialize@12 ; KdInitialize(x,x,x)
		push	2
		pop	ecx
		call	_KeInitSystem@4	; KeInitSystem(x)
		cmp	_IopErrorLogDisabledThisBoot, 0
		jnz	short loc_AC2D88
		mov	esi, offset _IopErrorLogLock
		mov	ecx, esi
		call	@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
		cmp	_IopErrorLogListHead, offset _IopErrorLogListHead
		mov	[ebp-31h], al
		jz	short loc_AC2D78
		and	dword_6CCB6C, 0
		and	_IopErrorLogWorkItem, 0
		push	1
		push	offset _IopErrorLogWorkItem
		mov	dword_6CCB68, offset IopErrorLogThread
		call	ExQueueWorkItem
		mov	al, [ebp-31h]
		jmp	short loc_AC2D7F
; 

loc_AC2D78:				; CODE XREF: INIT:00AC2D4Dj
		mov	_IopErrorLogSessionPending, 0

loc_AC2D7F:				; CODE XREF: INIT:00AC2D76j
		mov	dl, al
		mov	ecx, esi
		call	KfReleaseSpinLock

loc_AC2D88:				; CODE XREF: INIT:00AC2D32j
		xor	edx, edx
		mov	ecx, ebx
		call	_WheaInitialize@8 ; WheaInitialize(x,x)
		mov	ecx, ebx
		call	IopStoreArcInformation
		test	eax, eax
		js	loc_AC298F
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	_IopInitializePlugPlayServices@8 ; IopInitializePlugPlayServices(x,x)
		test	eax, eax
		jns	short loc_AC2DC7
		push	8
		xor	edx, edx
		pop	ecx
		call	HeadlessKernelAddLogEntry
		mov	_IopInitFailCode, 5
		jmp	loc_AC298F
; 

loc_AC2DC7:				; CODE XREF: INIT:00AC2DACj
		push	0
		push	offset _IopFreeGenericTableEntry@8 ; IopFreeGenericTableEntry(x,x)
		push	offset _IopAllocateGenericTableEntry@8 ; IopAllocateGenericTableEntry(x,x)
		push	offset _IopCompareIosbRanges@12	; IopCompareIosbRanges(x,x,x)
		push	offset _IoStatusBlockRangeTable
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		xor	eax, eax
		xor	ecx, ecx
		inc	ecx
		mov	dword_6CCFE4, eax
		push	eax
		push	ecx
		push	offset unk_6CCFEC
		mov	_IoStatusBlockRangeTableLock, ecx
		mov	dword_6CCFE8, eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, ebx
		call	KitInitialize
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	KseInitialize
		mov	ecx, ebx
		call	HvlPhase2Initialize
		test	eax, eax
		js	loc_AC298F
		push	0FFFFh
		call	_KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x)
		mov	[ebp-80h], eax
		mov	[ebp-84h], eax
		lea	eax, [ebp-84h]
		push	eax
		push	offset _KeOptimizeSpecCtrlSettings@4 ; KeOptimizeSpecCtrlSettings(x)
		call	KeIpiGenericCall
		call	_PnpDiagnosticTraceDriverInitPhaseStart@4 ; PnpDiagnosticTraceDriverInitPhaseStart(x)
		call	_IopInitializeActiveConnectList@0 ; IopInitializeActiveConnectList()
		call	_IopInitializePassiveInterruptServices@0 ; IopInitializePassiveInterruptServices()
		test	eax, eax
		js	loc_AC298F
		lea	edx, [ebp-25h]
		call	SecureDump_PrepareForInit
		cmp	_ForceDumpDisabled, 0
		jnz	short loc_AC2E7C
		cmp	byte ptr [ebp-25h], 0
		jnz	short loc_AC2E7C
		call	_IopInitDumpCapsuleSupport@0 ; IopInitDumpCapsuleSupport()
		jmp	short loc_AC2E83
; 

loc_AC2E7C:				; CODE XREF: INIT:00AC2E6Dj
					; INIT:00AC2E73j
		mov	_CapsuleDumpAllowed, 0

loc_AC2E83:				; CODE XREF: INIT:00AC2E7Aj
		mov	ecx, ds:_ExLeapSecondDataLastParseResult
		test	ecx, ecx
		jz	short loc_AC2E92
		call	_EtwTraceLeapSecondDataParseFailure@4 ;	EtwTraceLeapSecondDataParseFailure(x)

loc_AC2E92:				; CODE XREF: INIT:00AC2E8Bj
		mov	eax, _ExLeapSecondData
		xor	ecx, ecx
		push	0
		push	dword ptr [eax+4]
		movzx	edx, byte ptr [eax]
		call	EtwTraceLeapSecondDataUpdate
		call	_IopInitializeIoRate@0 ; IopInitializeIoRate()
		and	_PsAltSystemCallRegistrationLock, 0
		lea	edx, [ebp-5Ch]
		mov	ecx, ebx
		mov	ds:_PsAltSystemCallHandlers, offset @PsPicoAltSystemCallDispatch@4 ; PsPicoAltSystemCallDispatch(x)
		call	IopInitializeBootDrivers
		test	eax, eax
		jnz	short loc_AC2EE3
		push	9
		xor	edx, edx
		pop	ecx
		call	HeadlessKernelAddLogEntry
		mov	_IopInitFailCode, 6
		jmp	loc_AC298F
; 

loc_AC2EE3:				; CODE XREF: INIT:00AC2EC8j
		push	2
		mov	edx, ebx
		pop	ecx
		call	PoInitSystem
		test	al, al
		jz	loc_AC303C
		xor	ecx, ecx
		inc	ecx
		call	_SmInitSystem@4	; SmInitSystem(x)
		xor	ecx, ecx
		inc	ecx
		call	EtwInitialize
		call	IopInitializeSystemVariableService
		cmp	_ForceDumpDisabled, 0
		jnz	short loc_AC2F18
		call	_IoInitializeLiveDump@0	; IoInitializeLiveDump()

loc_AC2F18:				; CODE XREF: INIT:00AC2F11j
		call	IopInitializeTriageDumpData
		mov	ecx, ebx
		call	IopInitCrashDumpDuringSysInit
		test	eax, eax
		js	short loc_AC2F2D
		call	_IopRemoveDumpCapsuleSupport@0 ; IopRemoveDumpCapsuleSupport()

loc_AC2F2D:				; CODE XREF: INIT:00AC2F26j
		call	_RtlIsStateSeparationEnabled@0 ; RtlIsStateSeparationEnabled()
		test	al, al
		jnz	short loc_AC2F3B
		call	PpLastGoodDoBootProcessing

loc_AC2F3B:				; CODE XREF: INIT:00AC2F34j
		mov	esi, _NtGlobalFlag
		mov	eax, esi
		or	eax, 40000h
		mov	_NtGlobalFlag, eax
		call	PsLocateSystemDlls
		mov	_NtGlobalFlag, esi
		test	eax, eax
		jns	short loc_AC2F75
		push	0Ah
		xor	edx, edx
		pop	ecx
		call	HeadlessKernelAddLogEntry
		mov	_IopInitFailCode, 7
		jmp	loc_AC298F
; 

loc_AC2F75:				; CODE XREF: INIT:00AC2F5Aj
		xor	ecx, ecx
		call	PfSnBeginBootPhase
		lea	edx, [ebp-64h]
		mov	ecx, ebx
		call	_IopReassignSystemRoot@8 ; IopReassignSystemRoot(x,x)
		test	al, al
		jnz	short loc_AC2FA3
		push	0Ch
		xor	edx, edx
		pop	ecx
		call	HeadlessKernelAddLogEntry
		mov	_IopInitFailCode, 9
		jmp	loc_AC298F
; 

loc_AC2FA3:				; CODE XREF: INIT:00AC2F88j
		mov	eax, _PsLoadedModuleList
		xor	ecx, ecx
		add	eax, 24h
		mov	dword ptr [ebp-50h], 18h
		push	ecx
		mov	[ebp-48h], eax
		lea	eax, [ebp-6Ch]
		push	1
		push	eax
		lea	eax, [ebp-50h]
		mov	[ebp-4Ch], ecx
		push	eax
		push	80000000h
		lea	eax, [ebp-2Ch]
		mov	dword ptr [ebp-44h], 240h
		push	eax
		mov	[ebp-40h], ecx
		mov	[ebp-3Ch], ecx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AC3019
		xor	ecx, ecx
		lea	eax, [ebp-30h]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	80h
		push	dword ptr [ebp-2Ch]
		mov	[ebp-30h], ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AC3011
		mov	ecx, [ebp-30h]
		call	_PpPagePathAssign@4 ; PpPagePathAssign(x)
		mov	ecx, [ebp-30h]
		call	ObfDereferenceObject

loc_AC3011:				; CODE XREF: INIT:00AC2FFFj
		push	dword ptr [ebp-2Ch]
		call	_ZwClose@4	; ZwClose(x)

loc_AC3019:				; CODE XREF: INIT:00AC2FE2j
		xor	ecx, ecx
		xor	edx, edx
		inc	ecx
		call	_WMIInitialize@8 ; WMIInitialize(x,x)
		test	al, al
		jz	loc_AC298F
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	_WheaInitialize@8 ; WheaInitialize(x,x)
		mov	al, 1
		jmp	loc_AC2991
; 

loc_AC303C:				; CODE XREF: INIT:00AC2EEFj
		push	0A0h
		call	_KeBugCheck@4	; KeBugCheck(x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpInitSystemPhase1 proc near		; CODE XREF: ExInitSystem+1Ap

var_2		= byte ptr -2
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00AE4C7E SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		push	0FFFFh
		mov	_ExpSpinCycleCount, edi
		call	KeQueryMaximumProcessorCountEx
		cmp	eax, 1
		jbe	short loc_AC3072
		mov	_ExpSpinCycleCount, 500h

loc_AC3072:				; CODE XREF: ExpInitSystemPhase1+1Ej
		mov	eax, offset _ExpHostList
		mov	ds:_ExpHostListLock, edi
		mov	ds:dword_A9AABC, eax
		mov	ds:_ExpHostList, eax
		mov	_ExpKeyManipLock, edi
		mov	_ExpSysDbgLock,	edi
		mov	ds:_ExpPlatformBinaryLock, edi
		call	ExpWorkerInitialization
		test	eax, eax
		mov	esi, edi
		sets	bh
		dec	bh
		and	bh, 1
		cmp	ds:_KeNumberProcessors,	edi
		jbe	short loc_AC30C9

loc_AC30B2:				; CODE XREF: ExpInitSystemPhase1+7Fj
		mov	ecx, ds:_KiProcessorBlock[esi*4]
		xor	dl, dl
		call	ExInitializeProcessor
		inc	esi
		cmp	esi, ds:_KeNumberProcessors
		jb	short loc_AC30B2

loc_AC30C9:				; CODE XREF: ExpInitSystemPhase1+68j
		call	_ExpEventInitialization@0 ; ExpEventInitialization()
		mov	bl, al
		neg	bl
		sbb	bl, bl
		and	bl, bh
		call	_ExpMutantInitialization@0 ; ExpMutantInitialization()
		mov	bh, al
		neg	bh
		sbb	bh, bh
		and	bh, bl
		call	ExpAeThresholdInitialization
		mov	bl, al
		neg	bl
		sbb	bl, bl
		and	bl, bh
		call	_ExpInitializeCallbacks@0 ; ExpInitializeCallbacks()
		mov	bh, al
		neg	bh
		sbb	bh, bh
		and	bh, bl
		call	_ExpSemaphoreInitialization@0 ;	ExpSemaphoreInitialization()
		mov	bl, al
		neg	bl
		sbb	bl, bl
		and	bl, bh
		call	_ExpTimerInitialization@0 ; ExpTimerInitialization()
		mov	bh, al
		neg	bh
		sbb	bh, bh
		and	bh, bl
		call	_ExpHeapGCInitialization@0 ; ExpHeapGCInitialization()
		mov	bl, al
		neg	bl
		sbb	bl, bl
		and	bl, bh
		call	_ExpProfileInitialization@0 ; ExpProfileInitialization()
		neg	al
		mov	_ExpUuidLock, edi
		push	offset _ExpUuidLastTimeAllocated
		sbb	al, al
		and	al, bl
		mov	[ebp+var_1], al
		call	KeQuerySystemTime
		call	ExpKeyedEventInitialization
		test	eax, eax
		sets	bh
		dec	bh
		and	bh, [ebp+var_1]
		call	ExpWnfAllocateDispatcher
		test	al, al
		setnz	al
		test	al, al
		setz	bl
		dec	bl
		and	bl, bh
		call	_ExpWin32Initialization@0 ; ExpWin32Initialization()
		mov	bh, al
		neg	bh
		sbb	bh, bh
		and	bh, bl
		call	ExpWorkerFactoryInitialization
		test	eax, eax
		sets	bl
		dec	bl
		and	bl, bh
		call	ExpSaInitialize
		mov	bh, al
		neg	bh
		push	1
		sbb	bh, bh
		and	bh, bl
		call	ds:__imp__ExpMicrocodeInitialization@4 ; ExpMicrocodeInitialization(x)
		test	eax, eax
		js	loc_AE4C7E

loc_AC319C:				; CODE XREF: ExpInitSystemPhase1+21C42j
		call	ExpUpdateProductType
		call	_ExpInitializePcw@0 ; ExpInitializePcw()
		call	ExpInitializeSvm
		pop	edi
		pop	esi
		mov	al, bh
		pop	ebx
		leave
		retn
ExpInitSystemPhase1 endp

; 

; __stdcall CcInitializeCacheManager()
_CcInitializeCacheManager@0:		; CODE XREF: Phase1InitializationDiscard(x)+A05p
		mov	edi, edi
		push	ebx
		push	esi
		movzx	esi, byte ptr ds:dword_7051D4
		xor	ebx, ebx
		mov	_CcMasterLock, ebx
		mov	_CcChangeSharedCacheMapFileLock, ebx
		mov	_CcMaxNestingLevel, 2
		mov	_CcMaxAsyncReadWorkerThreads, 64h
		push	edi
		test	esi, esi
		jnz	short loc_AC3214
		push	32h
		pop	edi
		mov	_CcMaxAsyncReadWorkerThreads, edi
		call	_FsRtlIsMobileOS@0 ; FsRtlIsMobileOS()
		test	al, al
		jz	short loc_AC3200
		mov	_CcMaxAsyncReadWorkerThreads, 0Ah

loc_AC3200:				; CODE XREF: INIT:00AC31F4j
		mov	_CcMaxNumberCompleteAsyncReadExWorkItems, edi
		call	_FsRtlIsMobileOS@0 ; FsRtlIsMobileOS()
		test	al, al
		jz	short loc_AC322E
		push	9
		pop	eax
		jmp	short loc_AC3219
; 

loc_AC3214:				; CODE XREF: INIT:00AC31E2j
		mov	eax, 1F4h

loc_AC3219:				; CODE XREF: INIT:00AC3212j
		mov	_CcMaxNumberCompleteAsyncReadExWorkItems, eax
		test	esi, esi
		jz	short loc_AC322E
		mov	_CcMaxCachemapUninitWorkerThreads, 8
		jmp	short loc_AC3238
; 

loc_AC322E:				; CODE XREF: INIT:00AC320Dj
					; INIT:00AC3220j
		mov	_CcMaxCachemapUninitWorkerThreads, 4

loc_AC3238:				; CODE XREF: INIT:00AC322Cj
		call	CcInitializeVacbs
		push	72506343h
		push	2C0h
		mov	_CcGlobalPartitionLock,	ebx
		mov	ebx, ds:_PspSystemPartition
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AC351D
		mov	edx, ebx
		mov	ecx, edi
		call	CcInitializePartition
		test	al, al
		jnz	short loc_AC3281
		mov	ecx, edi
		call	_CcDeletePartition@4 ; CcDeletePartition(x)
		xor	ebx, ebx
		mov	edi, ebx
		jmp	short loc_AC3283
; 

loc_AC3281:				; CODE XREF: INIT:00AC3272j
		xor	ebx, ebx

loc_AC3283:				; CODE XREF: INIT:00AC327Fj
		test	edi, edi
		jz	loc_AC351D
		mov	eax, ds:_PspSystemPartition
		xor	edx, edx
		xor	ecx, ecx
		inc	ecx
		push	ebx
		mov	[eax+4], edi
		lea	eax, [edi+198h]
		mov	_CcSystemPartitionDirtyPageStatistics, eax
		lea	eax, [edi+1A8h]
		mov	_CcSystemPartitionDirtyPageThresholds, eax
		mov	edi, 989680h
		mov	eax, edi
		mov	_CcPartitionCount, cx
		div	ds:_KeMaximumIncrement
		push	ecx
		mov	_CcIdleDelayTick, eax
		mov	eax, offset _CcVolumeCacheMapList
		push	offset unk_6CE6CC
		mov	dword_6CE6B4, eax
		mov	_CcVolumeCacheMapList, eax
		mov	_CcBcbTrimNotificationListLock,	ecx
		mov	dword_6CE6C4, ebx
		mov	dword_6CE6C8, ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, offset _CcBcbTrimNotificationList
		mov	_CcAggressiveZeroThreshold, 4
		mov	dword_6CE6E4, eax
		mov	_CcBcbTrimNotificationList, eax
		mov	eax, esi
		neg	eax
		sbb	eax, eax
		and	eax, 700h
		add	eax, 100h
		mov	_CcMaxLazyWritePages, eax
		mov	eax, esi
		neg	eax
		sbb	eax, eax
		and	eax, 0FFB3B4C0h
		add	eax, edi
		mov	_CcExtraWBThreadDelay, eax
		mov	eax, _CcMaxLazyWritePagesOverride
		test	eax, eax
		jz	short loc_AC3349
		cmp	eax, 8000h
		ja	short loc_AC3349
		mov	_CcMaxLazyWritePages, eax

loc_AC3349:				; CODE XREF: INIT:00AC333Bj
					; INIT:00AC3342j
		mov	eax, _CcAzure_SoftThrottleDelayInMs
		mov	_CcSoftThrottleDelay, eax
		test	eax, eax
		jnz	short loc_AC3361
		mov	_CcSoftThrottleDelay, 5

loc_AC3361:				; CODE XREF: INIT:00AC3355j
		push	ebx
		xor	edi, edi
		mov	_CcAggressiveZeroCount,	ebx
		inc	edi
		push	edi
		push	offset _CcCoalescingFlushEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, esi
		lea	ecx, [edi+7Fh]
		neg	eax
		mov	edx, 200h
		push	offset _ExSystemLookasideListHead
		sbb	eax, eax
		and	eax, ecx
		add	eax, ecx
		mov	ecx, offset _CcTwilightLookasideList
		push	eax
		push	6B576343h
		push	50h
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		neg	esi
		mov	_CcMaxWorklessLazywriteScans, edi
		sbb	esi, esi
		and	esi, 1F00000h
		add	esi, 100000h
		mov	_CcMaxZeroTransferSize,	esi
		mov	esi, ebx
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	short loc_AC33E2

loc_AC33C5:				; CODE XREF: INIT:00AC33E0j
		mov	ecx, ds:_KiProcessorBlock[esi*4]
		call	_CcInitializeProcessor@4 ; CcInitializeProcessor(x)
		test	eax, eax
		js	loc_AC3529
		inc	esi
		cmp	esi, ds:_KeNumberProcessors
		jb	short loc_AC33C5

loc_AC33E2:				; CODE XREF: INIT:00AC33C3j
		push	ebx
		push	ebx
		push	6D426343h
		mov	eax, 200h
		mov	_CcDbgNumberOfFailedWorkQueueEntryAllocations, ebx
		push	eax
		push	eax
		push	ebx
		push	ebx
		push	offset _CcBitmapLookasideList
		call	ExInitializeNPagedLookasideListInternal
		push	ebx
		push	ebx
		mov	esi, 6C566343h
		mov	_CcDbgNumberOfFailedBitmapAllocations, ebx
		push	esi
		push	208h
		push	200h
		push	ebx
		push	ebx
		push	offset _CcVacbLevelLookasideList
		call	ExInitializeNPagedLookasideListInternal
		push	ebx
		push	ebx
		push	esi
		push	408h
		push	200h
		push	ebx
		push	ebx
		push	offset _CcVacbLevelWithBcbListHeadsLookasideList
		call	ExInitializeNPagedLookasideListInternal
		mov	edx, _CcRemoteFileDPInlineFlushThreshold
		mov	eax, offset _CcExternalCacheList
		mov	_CcExternalCacheListLock, ebx
		mov	dword_6CE714, eax
		mov	_CcExternalCacheList, eax
		cmp	edx, 0FFFFFFFFh
		jz	short loc_AC3480
		cmp	edx, 8000h
		jb	short loc_AC3476
		mov	ecx, ds:_PspSystemPartition
		call	_MmGetNumberOfPhysicalPagesForPartitionObject@4	; MmGetNumberOfPhysicalPagesForPartitionObject(x)
		cmp	edx, eax
		jbe	short loc_AC3480

loc_AC3476:				; CODE XREF: INIT:00AC3465j
		mov	_CcRemoteFileDPInlineFlushThreshold, 140000h

loc_AC3480:				; CODE XREF: INIT:00AC345Dj
					; INIT:00AC3474j
		mov	eax, _CcUnmapBehindLength
		cmp	eax, edi
		jb	short loc_AC3490
		cmp	eax, 80h
		jbe	short loc_AC3493

loc_AC3490:				; CODE XREF: INIT:00AC3487j
		push	8
		pop	eax

loc_AC3493:				; CODE XREF: INIT:00AC348Ej
		mov	ecx, _CcAzure_LargeWriteSize
		shl	eax, 14h
		mov	_CcUnmapBehindLength, eax
		test	ecx, ecx
		jz	short loc_AC34AE
		mov	eax, ecx
		shl	eax, 0Ah
		cmp	eax, ecx
		ja	short loc_AC34B0

loc_AC34AE:				; CODE XREF: INIT:00AC34A3j
		mov	eax, ebx

loc_AC34B0:				; CODE XREF: INIT:00AC34ACj
		mov	_CcAzure_LargeWriteSize, eax
		mov	eax, _CcAzure_SoftThrottleLargeWriteAtPct
		test	eax, eax
		jz	short loc_AC34C9
		cmp	eax, 64h
		jbe	short loc_AC34C9
		mov	_CcAzure_SoftThrottleLargeWriteAtPct, ebx

loc_AC34C9:				; CODE XREF: INIT:00AC34BCj
					; INIT:00AC34C1j
		mov	eax, _CcAzure_LazyWriterPercentageOfNumProcs
		test	eax, eax
		jz	short loc_AC34DD
		cmp	eax, 64h
		jbe	short loc_AC34DD
		mov	_CcAzure_LazyWriterPercentageOfNumProcs, ebx

loc_AC34DD:				; CODE XREF: INIT:00AC34D0j
					; INIT:00AC34D5j
		push	6
		pop	ecx
		push	ebx
		push	offset _CcCoalescingRegistration
		xor	eax, eax
		mov	edi, offset _CcTestControlData
		push	1
		rep stosd
		push	offset _CcCoalescingCallBack@12	; CcCoalescingCallBack(x,x,x)
		call	PoRegisterCoalescingCallback
		test	eax, eax
		js	short loc_AC350F
		pop	edi
		pop	esi
		mov	_CcInitializationComplete, 1
		mov	al, 1
		pop	ebx
		retn
; 

loc_AC350F:				; CODE XREF: INIT:00AC34FDj
		push	ebx
		push	ebx
		push	0C0000420h
		push	294h
		jmp	short loc_AC3535
; 

loc_AC351D:				; CODE XREF: INIT:00AC3261j
					; INIT:00AC3285j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	4016Ch
		jmp	short loc_AC3535
; 

loc_AC3529:				; CODE XREF: INIT:00AC33D3j
		push	ebx
		push	ebx
		push	0C0000420h
		push	202h

loc_AC3535:				; CODE XREF: INIT:00AC351Bj
					; INIT:00AC3527j
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObInitSystem	proc near		; CODE XREF: Phase1InitializationDiscard(x)+7BDp
					; INIT:00ACD8B6p

var_1CC		= dword	ptr -1CCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_16C		= dword	ptr -16Ch
var_164		= dword	ptr -164h
var_15C		= dword	ptr -15Ch
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE4C8F SIZE 000000EA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_1B4]
		stosd
		xor	ebx, ebx
		push	6
		pop	ecx
		push	6
		stosd
		mov	[ebp+var_110], ebx
		mov	[ebp+var_128], ebx
		mov	[ebp+var_124], ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_1CC]
		rep stosd
		pop	ecx
		push	58h
		lea	edi, [ebp+var_1A0]
		rep stosd
		pop	eax
		push	eax		; size_t
		lea	eax, [ebp+var_188]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_10C], ebx
		mov	[ebp+var_130], ebx
		mov	[ebp+var_12C], ebx
		mov	[ebp+var_120], ebx
		mov	[ebp+var_11C], ebx
		cmp	byte ptr ds:dword_7051D4, bl
		jnz	loc_AE4C8F
		push	20h
		pop	esi
		push	10h

loc_AC35D2:				; CODE XREF: ObInitSystem+21756j
		pop	edi
		cmp	_InitializationPhase, ebx
		jnz	loc_AC3888
		xor	ecx, ecx
		call	ExGenRandom
		mov	ebx, offset _ExSystemLookasideListHead
		mov	ds:_ObHeaderCookie, eax
		push	ebx
		push	esi
		push	6943624Fh
		push	2Ch
		mov	edx, 200h
		mov	ecx, offset _ObpCreateInfoLookasideList
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		push	ebx
		push	edi
		push	6D4E624Fh
		xor	edx, edx
		mov	esi, offset _ObpNameBufferLookasideList
		push	0F8h
		inc	edx
		mov	ecx, esi
		call	_ExInitializeSystemLookasideList@24 ; ExInitializeSystemLookasideList(x,x,x,x,x,x)
		mov	eax, large fs:20h
		xor	ebx, ebx
		mov	ecx, offset _ObpCreateInfoLookasideList
		mov	_ObpPendingObjectDirectoryList,	ebx
		mov	[eax+5C4h], ecx
		mov	[eax+5C0h], ecx
		mov	[eax+5CCh], esi
		mov	[eax+5C8h], esi
		mov	_ObpRemoveObjectList, ebx
		mov	_ObpRemoveObjectWait, ebx
		mov	_ObpPendingObjectDirectoryListLock, ebx
		call	_ObpInitSecurityDescriptorCache@0 ; ObpInitSecurityDescriptorCache()
		test	eax, eax
		js	loc_AC3AAE
		push	1
		push	ebx
		push	offset _ObpDefaultObject
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	edx, edx
		xor	ecx, ecx
		inc	edx
		call	ExCreateHandleTable
		mov	_ObpKernelHandleTable, eax
		mov	eax, large fs:124h
		mov	ecx, _ObpKernelHandleTable
		mov	eax, [eax+80h]
		mov	[eax+18Ch], ecx
		test	ecx, ecx
		jz	loc_AC3AAE
		push	ebx
		push	offset _ObpProcessRemoveObjectDpcWorker@16 ; ObpProcessRemoveObjectDpcWorker(x,x,x,x)
		push	offset _ObpRemoveObjectDpc
		mov	dword_6C42A8, offset ObpProcessRemoveObjectQueue
		mov	dword_6C42AC, ebx
		mov	_ObpRemoveObjectWorkItem, ebx
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		call	_ObpInitInfoBlockOffsets@0 ; ObpInitInfoBlockOffsets()
		mov	eax, ds:_MmBadPointer
		push	58h
		mov	ds:dword_70E814, eax
		pop	eax
		mov	word ptr [ebp+var_188],	ax
		lea	eax, [ebp+var_120]
		push	offset ??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@PBOPGDP@ ;	"Type"
		push	eax
		mov	[ebp+var_180], 100h
		mov	[ebp+var_164], 200h
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_16C], 0F0001h
		lea	edi, [ebp+var_17C]
		mov	esi, offset _ObpTypeMapping
		lea	eax, [ebp+var_188]
		push	offset _ObpTypeObjectType
		push	ebx
		push	eax
		movsd
		lea	eax, [ebp+var_120]
		push	eax
		movsd
		movsd
		movsd
		or	byte ptr [ebp+var_188+2], 24h
		mov	[ebp+var_15C], 90h
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC3AAE
		push	offset ??_C@_1BE@DNDHOCGP@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAo?$AAr?$AAy@PBOPGDP@ ; "Directory"
		lea	eax, [ebp+var_128]
		mov	[ebp+var_164], 1
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_15C], 0B0h
		lea	edi, [ebp+var_17C]
		mov	[ebp+var_16C], 0F000Fh
		mov	esi, offset _ObpDirectoryMapping
		push	offset _ObpDirectoryObjectType
		push	ebx
		movsd
		movsd
		movsd
		movsd
		mov	al, byte ptr [ebp+var_188+2]
		and	al, 0DFh
		mov	[ebp+var_150], offset _ObpCloseDirectoryObject@16 ; ObpCloseDirectoryObject(x,x,x,x)
		or	al, 0Dh
		mov	[ebp+var_14C], offset _ObpDeleteDirectoryObject@4 ; ObpDeleteDirectoryObject(x)
		mov	byte ptr [ebp+var_188+2], al
		lea	eax, [ebp+var_188]
		push	eax
		lea	eax, [ebp+var_128]
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC3AAE
		mov	eax, _ObpDirectoryObjectType
		push	offset ??_C@_1BK@KDPOKCA@?$AAS?$AAy?$AAm?$AAb?$AAo?$AAl?$AAi?$AAc?$AAL?$AAi?$AAn?$AAk@PBOPGDP@
		mov	[ebp+var_150], ebx
		and	dword ptr [eax+44h], 0FFEFFFFFh
		lea	eax, [ebp+var_130]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_15C], 20h
		lea	edi, [ebp+var_17C]
		mov	[ebp+var_164], 1
		mov	esi, (offset loc_AF68EF+1)
		mov	[ebp+var_16C], 0FFFFFh
		push	offset _ObpSymbolicLinkObjectType
		push	ebx
		movsd
		movsd
		movsd
		movsd
		mov	al, byte ptr [ebp+var_188+2]
		or	byte ptr [ebp+var_188+3], 1
		and	al, 0F7h
		or	al, 1
		mov	[ebp+var_14C], offset _ObpDeleteSymbolicLink@4 ; ObpDeleteSymbolicLink(x)
		mov	byte ptr [ebp+var_188+2], al
		lea	eax, [ebp+var_188]
		push	eax
		lea	eax, [ebp+var_130]
		mov	[ebp+var_148], offset ObpParseSymbolicLinkEx
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC3AAE
		mov	eax, _ObpSymbolicLinkObjectType
		and	dword ptr [eax+44h], 0FFEFFFFFh
		call	ObpInitStackTrace

loc_AC3888:				; CODE XREF: ObInitSystem+9Bj
		cmp	_InitializationPhase, 1
		jnz	loc_AC3A95
		xor	ecx, ecx
		call	ObInitServerSilo
		test	eax, eax
		js	loc_AC3AAE
		mov	esi, ebx
		cmp	ds:_KeNumberProcessors,	ebx
		jbe	short loc_AC38CB

loc_AC38AE:				; CODE XREF: ObInitSystem+38Bj
		mov	ecx, ds:_KiProcessorBlock[esi*4]
		call	ObInitializeProcessor
		test	eax, eax
		js	loc_AC3AAE
		inc	esi
		cmp	esi, ds:_KeNumberProcessors
		jb	short loc_AC38AE

loc_AC38CB:				; CODE XREF: ObInitSystem+36Ej
		push	18h
		mov	edi, offset _ObpWaitBlockLookaside
		pop	esi

loc_AC38D3:				; CODE XREF: ObInitSystem+3C4j
		mov	eax, esi
		cmp	esi, 40h
		jnb	loc_AC3AA6

loc_AC38DE:				; CODE XREF: ObInitSystem+56Bj
		push	ebx
		push	ebx
		push	6D57624Fh
		imul	eax, 18h
		push	eax
		push	200h
		push	ebx
		push	ebx
		push	edi
		call	ExInitializeNPagedLookasideListInternal
		add	esi, 0Eh
		add	edi, 0C0h
		cmp	esi, 50h
		jb	short loc_AC38D3
		cmp	_ObpAuditBaseDirectories, 0
		mov	esi, ds:_SePublicDefaultUnrestrictedSd
		jnz	loc_AE4C99
		cmp	_ObpAuditBaseObjects, 0
		jnz	loc_AE4C99

loc_AC3924:				; CODE XREF: ObInitSystem+2182Fj
		lea	eax, [ebp+var_1A0]
		mov	[ebp+var_1A0], 18h
		push	eax
		push	0F000Fh
		lea	eax, [ebp+var_10C]
		mov	[ebp+var_19C], ebx
		push	eax
		mov	[ebp+var_194], 50h
		mov	[ebp+var_198], (offset loc_A401A7+1)
		mov	[ebp+var_190], esi
		mov	[ebp+var_18C], ebx
		call	_NtCreateDirectoryObject@12 ; NtCreateDirectoryObject(x,x,x)
		test	eax, eax
		js	loc_AC3AAE
		mov	eax, _ObpDirectoryObjectType
		lea	ecx, [ebp+var_114]
		push	ebx
		push	ecx
		push	ebx
		push	eax
		push	ebx
		push	[ebp+var_10C]
		mov	[ebp+var_114], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_114]
		mov	_ObpRootDirectoryObject, eax
		test	ecx, ecx
		js	loc_AC3AAE
		mov	edx, [ebp+var_10C]
		xor	ecx, ecx
		push	ebx
		call	ObpInitializeRootNamespace
		test	eax, eax
		js	loc_AC3AAE
		push	[ebp+var_10C]
		call	NtClose
		test	eax, eax
		js	loc_AC3AAE
		mov	edx, _ObpTypeDirectoryObject
		lea	ecx, [ebp+var_1CC]
		mov	[ebp+var_1B8], 0FFFF1234h
		call	_ObpLockDirectoryExclusive@8 ; ObpLockDirectoryExclusive(x,x)
		mov	ebx, _ObpTypeObjectType
		mov	esi, [ebx]

loc_AC39F6:				; CODE XREF: ObInitSystem+53Dj
		cmp	esi, ebx
		jz	loc_AC3A80
		mov	al, [esi+1Eh]
		test	al, 2
		jz	loc_AE4D72
		movzx	eax, al
		lea	edx, [esi+10h]
		and	eax, 3
		movzx	eax, _ObpInfoMaskToOffset[eax]
		sub	edx, eax

loc_AC3A1B:				; CODE XREF: ObInitSystem+21836j
		test	edx, edx
		jz	short loc_AC3A79
		cmp	dword ptr [edx], 0
		jnz	short loc_AC3A79
		mov	ecx, _ObpTypeDirectoryObject
		lea	eax, [ebp+var_1CC]
		push	eax
		push	40h
		add	edx, 4
		call	_ObpLookupDirectoryEntry@16 ; ObpLookupDirectoryEntry(x,x,x,x)
		test	eax, eax
		jnz	short loc_AC3A79
		cmp	dword ptr [esi+24h], 0
		lea	eax, [esi+28h]
		mov	[ebp+var_118], eax
		jnz	short loc_AC3A61
		xor	edx, edx
		mov	ecx, eax
		call	_ObpInitObjectTypeSD@8 ; ObpInitObjectTypeSD(x,x)
		test	eax, eax
		js	short loc_AC3AAE
		mov	eax, [ebp+var_118]

loc_AC3A61:				; CODE XREF: ObInitSystem+50Ej
		lea	ecx, [ebp+var_1CC]
		mov	edx, eax
		push	ecx
		mov	ecx, _ObpTypeDirectoryObject
		call	_ObpInsertDirectoryEntry@12 ; ObpInsertDirectoryEntry(x,x,x)
		test	al, al
		jz	short loc_AC3AAE

loc_AC3A79:				; CODE XREF: ObInitSystem+4DFj
					; ObInitSystem+4E4j ...
		mov	esi, [esi]
		jmp	loc_AC39F6
; 

loc_AC3A80:				; CODE XREF: ObInitSystem+4BAj
		lea	ecx, [ebp+var_1CC]
		call	_ObpReleaseLookupContext@4 ; ObpReleaseLookupContext(x)
		mov	[ebp+var_118], offset _ObpLUIDDeviceMapsEnabled

loc_AC3A95:				; CODE XREF: ObInitSystem+351j
		mov	al, 1

loc_AC3A97:				; CODE XREF: ObInitSystem+572j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AC3AA6:				; CODE XREF: ObInitSystem+39Aj
		push	40h
		pop	eax
		jmp	loc_AC38DE
; 

loc_AC3AAE:				; CODE XREF: ObInitSystem+129j
					; ObInitSystem+165j ...
		xor	al, al
		jmp	short loc_AC3A97
ObInitSystem	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpWin32Initialization()
_ExpWin32Initialization@0 proc near	; CODE XREF: ExpInitSystemPhase1+11Cp

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		push	(offset	loc_AE097F+1)
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_60]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	word ptr [ebp+var_60], si
		lea	edi, [ebp+var_54]
		mov	esi, offset _ExpWindowStationMapping
		add	esp, 0Ch
		movsd
		push	offset _ExWindowStationObjectType
		push	ebx
		movsd
		movsd
		movsd
		mov	al, byte ptr [ebp+var_60+2]
		and	al, 0BFh
		mov	[ebp+var_3C], 200h
		or	al, 18h
		mov	[ebp+var_28], offset ExpWin32CloseProcedure
		mov	byte ptr [ebp+var_60+2], al
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_24], offset _ExpWin32DeleteProcedure@4	; ExpWin32DeleteProcedure(x)
		push	eax
		mov	[ebp+var_14], offset ExpWin32OkayToCloseProcedure
		mov	[ebp+var_20], offset _ExpWin32ParseProcedure@40	; ExpWin32ParseProcedure(x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_2C], offset ExpWin32OpenProcedure
		mov	[ebp+var_58], 130h
		mov	[ebp+var_44], 0F0000h
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC3CA4
		push	offset ??_C@_1BA@CBCBMBGJ@?$AAD?$AAe?$AAs?$AAk?$AAt?$AAo?$AAp@PBOPGDP@
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_20], ebx
		lea	edi, [ebp+var_54]
		mov	esi, offset _ExpDesktopMapping
		lea	eax, [ebp+var_60]
		push	offset _ExDesktopObjectType
		push	ebx
		push	eax
		movsd
		lea	eax, [ebp+var_8]
		push	eax
		movsd
		movsd
		movsd
		or	byte ptr [ebp+var_60+2], 40h
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC3CA4
		push	offset ??_C@_1BI@GKIJCEIJ@?$AAC?$AAo?$AAm?$AAp?$AAo?$AAs?$AAi?$AAt?$AAi?$AAo?$AAn@PBOPGDP@
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_20], ebx
		lea	edi, [ebp+var_54]
		mov	esi, offset _ExpCompositionMapping
		push	offset _ExCompositionObjectType
		push	ebx
		movsd
		movsd
		movsd
		movsd
		mov	al, byte ptr [ebp+var_60+2]
		and	al, 0BFh
		mov	[ebp+var_5C], 400h
		or	al, 2
		mov	byte ptr [ebp+var_60+2], al
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		mov	[ebp+var_5C], ebx
		test	eax, eax
		js	loc_AC3CA4
		push	offset ??_C@_1CA@LMBIDJNB@?$AAR?$AAa?$AAw?$AAI?$AAn?$AAp?$AAu?$AAt?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@PBOPGDP@
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_20], ebx
		lea	edi, [ebp+var_54]
		mov	esi, offset _ExpRawInputManagerMapping
		push	offset _ExRawInputManagerObjectType
		push	ebx
		movsd
		movsd
		movsd
		movsd
		mov	al, byte ptr [ebp+var_60+2]
		and	al, 0BFh
		or	al, 2
		mov	byte ptr [ebp+var_60+2], al
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC3CA4
		push	offset ??_C@_1BM@JKJGADFH@?$AAC?$AAo?$AAr?$AAe?$AAM?$AAe?$AAs?$AAs?$AAa?$AAg?$AAi?$AAn?$AAg@PBOPGDP@
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_20], ebx
		lea	edi, [ebp+var_54]
		mov	esi, offset _ExpCoreMessagingMapping
		push	offset _ExCoreMessagingObjectType
		push	ebx
		movsd
		movsd
		movsd
		movsd
		mov	al, byte ptr [ebp+var_60+2]
		and	al, 0BFh
		or	al, 2
		mov	byte ptr [ebp+var_60+2], al
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	short loc_AC3CA4
		push	offset ??_C@_1CC@KNODJGBO@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAa?$AAt?$AAi?$AAo?$AAn?$AAO?$AAb?$AAj?$AAe?$AAc@PBOPGDP@
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_20], ebx
		lea	edi, [ebp+var_54]
		mov	esi, offset _ExpActivationObjectMapping
		push	offset _ExActivationObjectType
		push	ebx
		movsd
		movsd
		movsd
		movsd
		mov	al, byte ptr [ebp+var_60+2]
		and	al, 0BFh
		mov	[ebp+var_3C], 221h
		or	al, 6
		mov	byte ptr [ebp+var_60+2], al
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		setns	al

loc_AC3C9F:				; CODE XREF: ExpWin32Initialization()+1F4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AC3CA4:				; CODE XREF: ExpWin32Initialization()+99j
					; ExpWin32Initialization()+D5j	...
		xor	al, al
		jmp	short loc_AC3C9F
_ExpWin32Initialization@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IoCreateObjectTypes proc near		; CODE XREF: Phase1InitializationDiscard(x)+7F0p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_A		= word ptr -0Ah
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE4D79 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		push	58h
		pop	esi
		xor	ebx, ebx
		lea	eax, [ebp+var_60]
		push	esi		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_memset
		mov	word ptr [ebp+var_60], si
		lea	edi, [ebp+var_54]
		mov	esi, (offset loc_A3F6BF+1)
		mov	[ebp+var_58], 100h
		add	esp, 0Ch
		lea	eax, [ebp+var_8]
		movsd
		push	offset ??_C@_1BA@PCIIBPJI@?$AAA?$AAd?$AAa?$AAp?$AAt?$AAe?$AAr@PBOPGDP@ ; "Adapter"
		push	eax
		movsd
		movsd
		movsd
		or	byte ptr [ebp+var_60+2], 4
		mov	[ebp+var_3C], 200h
		mov	[ebp+var_44], 1F01FFh
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _IoAdapterObjectType
		push	ebx
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC3F51
		push	offset ??_C@_1BG@IGJNEGIG@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe?$AAr@PBOPGDP@ ;	"Controller"
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _IoControllerObjectType
		push	ebx
		lea	eax, [ebp+var_60]
		mov	[ebp+var_34], 28h
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC3F51
		push	offset ??_C@_1O@HAMLNBEA@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@PBOPGDP@ ; "D"
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		or	byte ptr [ebp+var_60+2], 1
		lea	eax, [ebp+var_60]
		or	byte ptr [ebp+var_60+3], 1
		push	offset _IoDeviceObjectType
		push	ebx
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_34], 0B8h
		push	eax
		mov	[ebp+var_20], offset _IopParseDevice@44	; IopParseDevice(x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_24], offset IopDeleteDevice
		mov	[ebp+var_1C], offset IopGetSetSecurityObject
		mov	[ebp+var_18], ebx
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC3F51
		push	offset ??_C@_1O@GAOCKAOK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@PBOPGDP@ ; "Driver"
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		and	byte ptr [ebp+var_60+3], 0FEh
		mov	[ebp+var_34], 0A8h
		mov	[ebp+var_20], ebx
		mov	[ebp+var_24], offset IopDeleteDriver
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		cmp	_ViVerifierEnabled, ebx
		jnz	loc_AE4D79

loc_AC3DD3:				; CODE XREF: IoCreateObjectTypes+210E4j
					; IoCreateObjectTypes+210EEj
		push	offset _IoDriverObjectType
		push	ebx
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC3F51
		push	offset ??_C@_1BK@HCMNLOAL@?$AAI?$AAo?$AAC?$AAo?$AAm?$AAp?$AAl?$AAe?$AAt?$AAi?$AAo?$AAn@PBOPGDP@	; "I"
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_34], 30h
		lea	edi, [ebp+var_54]
		mov	[ebp+var_58], 110h
		mov	esi, offset _IopCompletionMapping
		push	offset _IoCompletionObjectType
		push	ebx
		movsd
		movsd
		movsd
		movsd
		mov	al, byte ptr [ebp+var_60+2]
		and	al, 0FBh
		mov	[ebp+var_44], 1F0003h
		or	al, 80h
		mov	[ebp+var_28], offset _IopCloseIoCompletion@16 ;	IopCloseIoCompletion(x,x,x,x)
		mov	byte ptr [ebp+var_60+2], al
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_24], offset _IopDeleteIoCompletion@4 ;	IopDeleteIoCompletion(x)
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC3F51
		push	offset ??_C@_1CK@PPBFOLIO@?$AAW?$AAa?$AAi?$AAt?$AAC?$AAo?$AAm?$AAp?$AAl?$AAe?$AAt?$AAi?$AAo?$AAn?$AAP@PBOPGDP@ ; "WaitCompletionPacket"
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_34], 38h
		lea	edi, [ebp+var_54]
		mov	[ebp+var_58], 110h
		mov	esi, offset _IopWaitCompletionMapping
		push	offset _IopWaitCompletionPacketObjectType
		push	ebx
		movsd
		movsd
		movsd
		movsd
		mov	al, byte ptr [ebp+var_60+2]
		and	al, 7Bh
		mov	[ebp+var_44], 0F0001h
		or	al, 4
		mov	[ebp+var_28], offset IopCloseWaitCompletionPacket
		mov	byte ptr [ebp+var_60+2], al
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_24], ebx
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AC3F51
		push	offset ??_C@_19DDLLJDOO@?$AAF?$AAi?$AAl?$AAe@PBOPGDP@ ;	"F"
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	[ebp+var_38], 400h
		lea	edi, [ebp+var_54]
		mov	[ebp+var_34], 0C0h
		lea	ecx, [ebp+var_60]
		mov	[ebp+var_58], 130h
		mov	esi, (offset loc_A3F6BF+1)
		mov	[ebp+var_5C], 1
		push	2Ch
		movsd
		movsd
		movsd
		movsd
		mov	al, byte ptr [ebp+var_60+2]
		or	byte ptr [ebp+var_60+3], 1
		and	al, 0FBh
		or	al, 10h
		mov	[ebp+var_44], 1F01FFh
		mov	byte ptr [ebp+var_60+2], al
		pop	eax
		push	10h
		mov	[ebp+var_C], ax
		pop	eax
		push	offset _IoFileObjectType
		push	5Fh
		push	ebx
		push	ecx
		lea	ecx, [ebp+var_8]
		mov	[ebp+var_28], offset _IopCloseFile@16 ;	IopCloseFile(x,x,x,x)
		push	ecx
		mov	[ebp+var_24], offset _IopDeleteFile@4 ;	IopDeleteFile(x)
		mov	[ebp+var_20], offset _IopParseFile@44 ;	IopParseFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	[ebp+var_1C], offset IopGetSetSecurityObject
		mov	[ebp+var_18], offset _IopQueryName@24 ;	IopQueryName(x,x,x,x,x,x)
		mov	[ebp+var_10], 10000000h
		mov	[ebp+var_A], ax
		call	ObCreateObjectTypeEx
		test	eax, eax
		js	short loc_AC3F51
		mov	al, 1

loc_AC3F4C:				; CODE XREF: IoCreateObjectTypes+2ABj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AC3F51:				; CODE XREF: IoCreateObjectTypes+70j
					; IoCreateObjectTypes+A0j ...
		xor	al, al
		jmp	short loc_AC3F4C
IoCreateObjectTypes endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpTimerInitialization()
_ExpTimerInitialization@0 proc near	; CODE XREF: ExpInitSystemPhase1+C2p

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		mov	eax, offset _ExpWakeTimerList
		xor	ebx, ebx
		push	edi
		mov	dword_6BBC74, eax
		mov	_ExpWakeTimerList, eax
		lea	eax, [ebp+var_8]
		push	offset ??_C@_1M@EEEEDEMN@?$AAT?$AAi?$AAm?$AAe?$AAr@PBOPGDP@
		push	eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	_ExpWakeTimerLock, ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_60]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	word ptr [ebp+var_60], si
		lea	edi, [ebp+var_54]
		mov	[ebp+var_58], 100h
		lea	eax, [ebp+var_60]
		mov	esi, offset _ExpTimerMapping
		add	esp, 0Ch
		movsd
		push	offset _ExTimerObjectType
		push	ebx
		push	eax
		movsd
		lea	eax, [ebp+var_8]
		push	eax
		movsd
		movsd
		mov	[ebp+var_3C], 200h
		mov	[ebp+var_34], 0C0h
		mov	[ebp+var_44], 1F0003h
		mov	[ebp+var_24], offset ExpDeleteTimer
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_AC4027
		push	offset ??_C@_1BA@OGEKEOOD@?$AAI?$AAR?$AAT?$AAi?$AAm?$AAe?$AAr@PBOPGDP@
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _ExpIRTimerObjectType
		push	0
		lea	eax, [ebp+var_60]
		mov	[ebp+var_34], 78h
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_24], offset _ExpDeleteTimer2@4	; ExpDeleteTimer2(x)
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		xor	ecx, ecx
		mov	ebx, eax
		call	ExGenRandom
		mov	ds:_ExpTimerFreedCookie, al

loc_AC4027:				; CODE XREF: ExpTimerInitialization()+91j
		shr	ebx, 1Fh
		pop	edi
		xor	bl, 1
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
_ExpTimerInitialization@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspInitializeSiloStructures proc near	; CODE XREF: PspInitPhase0+60Cp

var_58		= dword	ptr -58h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE4D9B SIZE 00000046 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 58h
		push	esi
		push	edi
		push	476C6953h
		mov	esi, 270h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:dword_717F8C, eax
		test	eax, eax
		jz	loc_AC4175
		push	esi		; size_t
		xor	edi, edi
		push	edi		; int
		push	eax		; void *
		call	_memset
		mov	ecx, ds:dword_717F8C
		add	esp, 0Ch
		call	_PspSiloInitializeSharedUserSessionId@4	; PspSiloInitializeSharedUserSessionId(x)
		test	eax, eax
		js	loc_AC4175
		mov	ecx, offset _PsObjectDirectorySiloContextSlot
		call	PspStorageAllocSlot
		test	eax, eax
		js	loc_AC4175
		mov	ecx, offset _PsObjectDirectoryTeardownSlot
		call	PspStorageAllocSlot
		test	eax, eax
		js	loc_AE4D9B
		mov	ecx, offset _PsSystemRootSiloContextSlot
		call	PspStorageAllocSlot
		test	eax, eax
		js	loc_AE4DA3
		push	58h
		pop	esi
		mov	eax, offset _PspSiloMonitorList
		mov	_PspSiloMonitorLock, edi
		push	esi		; size_t
		mov	dword_6BEE1C, eax
		mov	_PspSiloMonitorList, eax
		lea	eax, [ebp+var_58]
		push	edi		; int
		push	eax		; void *
		call	_memset
		or	byte ptr [ebp+var_58+2], 84h
		add	esp, 0Ch
		mov	eax, 20000h
		mov	word ptr [ebp+var_58], si
		mov	[ebp+var_4C], eax
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], eax
		mov	eax, 0F0000h
		push	offset _PsSiloContextPagedType
		mov	[ebp+var_40], eax
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_58]
		push	edi
		push	eax
		push	offset _PspSiloStoragePagedTypeName
		mov	[ebp+var_34], 1
		mov	[ebp+var_1C], offset _PspDeleteSiloContext@4 ; PspDeleteSiloContext(x)
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	short loc_AC4175
		push	offset _PsSiloContextNonPagedType
		push	edi
		lea	eax, [ebp+var_58]
		mov	[ebp+var_34], 200h
		push	eax
		push	offset _PspSiloStorageNonPagedTypeName
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AE4DBE
		mov	ecx, offset dword_717F7C
		call	_PspAllocStorage@4 ; PspAllocStorage(x)
		test	eax, eax
		js	loc_AE4DC6
		mov	al, 1

loc_AC416C:				; CODE XREF: PspInitializeSiloStructures+143j
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_AC4175:				; CODE XREF: PspInitializeSiloStructures+38j
					; PspInitializeSiloStructures+58j ...
		xor	al, al
		jmp	short loc_AC416C
PspInitializeSiloStructures endp

; 
		align 2

; __stdcall WheaInitialize(x, x)
_WheaInitialize@8:			; CODE XREF: INIT:00AC2D8Cp
					; INIT:00AC3030p
		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+4], ebp
		mov	ebp, esp
		sub	esp, 30h
		push	esi
		mov	esi, edx
		mov	eax, ecx
		push	edi
		xor	edi, edi
		mov	[ebp-10h], esi
		mov	[ebp-14h], eax
		mov	[ebp-8], edi
		mov	[ebp-2Ch], edi
		mov	[ebp-28h], edi
		mov	[ebp-0Ch], edi
		test	esi, esi
		jnz	loc_AC42A7
		mov	edi, offset _WheapStatus
		xor	eax, eax
		push	offset _WheapErrorRecordId
		stosd
		stosd
		stosd
		call	KeQuerySystemTime
		call	WheapLoadPolicy
		mov	ecx, [ebp-14h]
		mov	eax, [ecx+84h]
		test	byte ptr [eax+54h], 2
		jnz	short loc_AC41E5
		mov	_WheapPreviousSessionFailure, 1

loc_AC41E5:				; CODE XREF: INIT:00AC41DCj
		lea	eax, [ebp-2Ch]
		push	eax
		push	ecx
		call	ds:__imp__PshedInitialize@8 ; PshedInitialize(x,x)
		test	eax, eax
		js	loc_AC472D
		call	WheapCreatePerProcessorInfo
		test	eax, eax
		jns	short loc_AC420D
		push	0
		push	0
		push	eax
		push	4
		jmp	loc_AC4734
; 

loc_AC420D:				; CODE XREF: INIT:00AC41FFj
		lea	edx, [ebp-8]
		lea	ecx, [ebp-0Ch]
		call	WheapQueryPshedForErrorSources
		test	eax, eax
		jns	short loc_AC4228
		push	0
		push	0

loc_AC4220:				; CODE XREF: INIT:00AC42E4j
		push	eax
		push	5
		jmp	loc_AC4734
; 

loc_AC4228:				; CODE XREF: INIT:00AC421Aj
		and	dword_6F9ACC, 0
		mov	edi, offset dword_6F9AD4
		push	1
		push	1
		push	offset unk_6F9ADC
		mov	_WheapErrorSourceTable,	4C424154h
		mov	dword_6F9AD8, edi
		mov	dword_6F9AD4, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		call	WheapInitializeEventing
		mov	esi, [ebp-8]
		xor	edi, edi
		cmp	[ebp-0Ch], edi
		jbe	short loc_AC428E

loc_AC4267:				; CODE XREF: INIT:00AC4289j
		imul	eax, [esi+8], 24h
		push	0
		push	esi
		push	0
		mov	eax, dword_6FD670[eax]
		call	eax
		test	eax, eax
		js	short loc_AC429A
		mov	dword ptr [esi+0Ch], 2
		add	esi, [esi]
		inc	edi
		cmp	edi, [ebp-0Ch]
		jb	short loc_AC4267
		mov	esi, [ebp-8]

loc_AC428E:				; CODE XREF: INIT:00AC4265j
		push	esi
		call	ds:__imp__PshedFreeMemory@4 ; PshedFreeMemory(x)
		jmp	loc_AC4722
; 

loc_AC429A:				; CODE XREF: INIT:00AC427Aj
		push	dword ptr [esi+8]
		push	0

loc_AC429F:				; CODE XREF: INIT:00AC451Dj
		push	eax
		push	6
		jmp	loc_AC4734
; 

loc_AC42A7:				; CODE XREF: INIT:00AC41B0j
		mov	ecx, offset _WheapPrevErrList
		mov	dword_6BB3FC, ecx
		mov	_WheapPrevErrList, ecx
		lea	ecx, [ebp-2Ch]
		push	ecx
		push	eax
		call	ds:__imp__PshedInitialize@8 ; PshedInitialize(x,x)
		test	eax, eax
		jns	short loc_AC42CE
		push	edi
		push	edi
		jmp	loc_AC4731
; 

loc_AC42CE:				; CODE XREF: INIT:00AC42C5j
		call	_WheapInitializeWorkQueue@8 ; WheapInitializeWorkQueue(x,x)
		lea	edx, [ebp-8]
		lea	ecx, [ebp-0Ch]
		call	WheapQueryPshedForErrorSources
		test	eax, eax
		jns	short loc_AC42E9
		push	edi
		push	esi
		jmp	loc_AC4220
; 

loc_AC42E9:				; CODE XREF: INIT:00AC42E0j
		mov	ecx, offset _WheapConfigTableLock
		mov	[ebp-24h], edi
		mov	eax, ecx
		push	0FFFFFFFFh
		and	eax, 7FFFFFFCh
		pop	edx
		mov	[ebp-18h], eax
		mov	[ebp-1Ch], edx
		jz	loc_AC4438
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_AC4342
		push	edi
		call	ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
		movzx	eax, al
		push	eax
		mov	eax, offset _WheapConfigTableLock
		push	eax
		push	esi
		push	192h
		jmp	loc_AC4739
; 

loc_AC4342:				; CODE XREF: INIT:00AC4324j
		mov	cl, [esi+1E4h]
		mov	[ebp-20h], edi
		test	cl, cl
		jnz	short loc_AC4366
		lea	ecx, [esi+222h]
		cmp	byte ptr [ecx],	0
		jz	short loc_AC438D
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al

loc_AC4366:				; CODE XREF: INIT:00AC434Dj
		movzx	ecx, cl
		bsf	eax, ecx
		imul	edi, eax, 30h
		btr	ecx, eax
		mov	[ebp-20h], eax
		mov	[esi+1E4h], cl
		add	edi, [esi+1E8h]
		jnz	short loc_AC43A7

loc_AC4383:				; CODE XREF: INIT:00AC4397j
					; INIT:00AC43A5j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	short loc_AC4404
; 

loc_AC438D:				; CODE XREF: INIT:00AC4358j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_AC4383
		mov	edx, offset _WheapConfigTableLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		jmp	short loc_AC4383
; 

loc_AC43A7:				; CODE XREF: INIT:00AC4381j
		mov	ecx, dword_6D07D0
		mov	eax, offset _WheapConfigTableLock
		shr	eax, 15h
		cmp	ecx, offset _WheapConfigTableLock
		ja	short loc_AC43F8
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_AC43D7
		cmp	ecx, offset _WheapConfigTableLock
		ja	short loc_AC43F8
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jnz	short loc_AC43F8

loc_AC43D7:				; CODE XREF: INIT:00AC43C4j
		mov	eax, [esi+80h]
		mov	ecx, [eax+180h]
		test	ecx, ecx
		jz	short loc_AC43F8
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_AC43F8
		mov	eax, [ecx+8]
		jmp	short loc_AC43FA
; 

loc_AC43F8:				; CODE XREF: INIT:00AC43BBj
					; INIT:00AC43CCj ...
		mov	eax, edx

loc_AC43FA:				; CODE XREF: INIT:00AC43F6j
		mov	[edi+14h], eax
		nop
		mov	eax, [ebp-18h]
		mov	[edi+10h], eax

loc_AC4404:				; CODE XREF: INIT:00AC438Bj
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp-24h]
		push	eax
		mov	edx, offset _WheapConfigTableLock
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_AC4433
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_AC4433
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_AC4433:				; CODE XREF: INIT:00AC4424j
					; INIT:00AC442Cj
		mov	ecx, offset _WheapConfigTableLock

loc_AC4438:				; CODE XREF: INIT:00AC4301j
		lock bts dword ptr [ecx], 0
		jnb	short loc_AC4447
		push	ecx
		mov	edx, edi
		call	ExfAcquirePushLockExclusiveEx

loc_AC4447:				; CODE XREF: INIT:00AC443Dj
		test	edi, edi
		jz	short loc_AC444F
		or	byte ptr [edi+0Eh], 1

loc_AC444F:				; CODE XREF: INIT:00AC4449j
		mov	edx, [ebp-8]
		mov	ecx, [ebp-0Ch]
		call	_WheapInitializeErrorSourceTable@8 ; WheapInitializeErrorSourceTable(x,x)
		test	eax, eax
		jns	short loc_AC446A
		push	0
		push	0
		push	eax
		push	7
		jmp	loc_AC4734
; 

loc_AC446A:				; CODE XREF: INIT:00AC445Cj
		push	dword ptr [ebp-8]
		call	ds:__imp__PshedFreeMemory@4 ; PshedFreeMemory(x)
		xor	esi, esi
		cmp	ds:_KeNumberProcessors,	esi
		jbe	short loc_AC44B2

loc_AC447D:				; CODE XREF: INIT:00AC44B0j
		mov	ecx, esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, [ebp-0Ch]
		inc	esi
		mov	edx, [eax+4050h]
		mov	[edx], ecx
		mov	ecx, [eax+4050h]
		mov	dword ptr [ecx+8], offset _WheapWorkQueue
		mov	eax, [eax+4050h]
		mov	dword ptr [eax+4], offset _WheapErrorSourceTable
		cmp	esi, ds:_KeNumberProcessors
		jb	short loc_AC447D

loc_AC44B2:				; CODE XREF: INIT:00AC447Bj
		mov	esi, dword_6F9AD4
		mov	edi, offset dword_6F9AD4
		jmp	short loc_AC44DC
; 

loc_AC44BF:				; CODE XREF: INIT:00AC44DEj
		cmp	dword ptr [esi+58h], 7
		jnz	short loc_AC44DA
		mov	edx, [ebp-10h]
		mov	ecx, esi
		mov	dword ptr [esi+5Ch], 2
		call	_WheapCallErrorSourceInitialize@8 ; WheapCallErrorSourceInitialize(x,x)
		test	eax, eax
		js	short loc_AC4510

loc_AC44DA:				; CODE XREF: INIT:00AC44C3j
		mov	esi, [esi]

loc_AC44DC:				; CODE XREF: INIT:00AC44BDj
		cmp	esi, edi
		jnz	short loc_AC44BF
		mov	ecx, [ebp-14h]
		mov	eax, [ecx+84h]
		mov	eax, [eax+9D0h]
		and	eax, 4
		or	eax, 0
		jnz	short loc_AC4506
		call	ds:__imp__PshedIsSystemWheaEnabled@0 ; PshedIsSystemWheaEnabled()
		test	al, al
		jz	short loc_AC4506
		call	WheapCheckForAndReportErrorsFromPreviousSession

loc_AC4506:				; CODE XREF: INIT:00AC44F5j
					; INIT:00AC44FFj
		mov	esi, dword_6F9AD4
		xor	eax, eax
		jmp	short loc_AC4552
; 

loc_AC4510:				; CODE XREF: INIT:00AC44D8j
					; INIT:00AC454Aj
		mov	dword ptr [esi+5Ch], 1
		push	dword ptr [esi+58h]
		push	dword ptr [ebp-10h]
		jmp	loc_AC429F
; 

loc_AC4522:				; CODE XREF: INIT:00AC4557j
		cmp	dword ptr [esi+58h], 7
		mov	[esi+6Ch], eax
		jz	short loc_AC454F
		cmp	byte ptr [esi+48h], 0
		jnz	short loc_AC454F
		cmp	dword ptr [esi+5Ch], 1
		jnz	short loc_AC454F
		mov	edx, [ebp-10h]
		mov	ecx, esi
		mov	dword ptr [esi+5Ch], 2
		call	_WheapCallErrorSourceInitialize@8 ; WheapCallErrorSourceInitialize(x,x)
		test	eax, eax
		js	short loc_AC4510
		mov	eax, [ebp-14h]

loc_AC454F:				; CODE XREF: INIT:00AC4529j
					; INIT:00AC452Fj ...
		mov	esi, [esi]
		inc	eax

loc_AC4552:				; CODE XREF: INIT:00AC450Ej
		mov	[ebp-14h], eax
		cmp	esi, edi
		jnz	short loc_AC4522
		call	_WheapLogInitEvent@0 ; WheapLogInitEvent()
		call	_WheaWmiInit@0	; WheaWmiInit()
		or	edx, 0FFFFFFFFh
		mov	_WheapInitializationComplete, 1
		mov	eax, edx
		mov	ecx, offset _WheapConfigTableLock
		lock xadd [ecx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_AC458B
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _WheapConfigTableLock

loc_AC458B:				; CODE XREF: INIT:00AC457Cj
		xor	edi, edi
		mov	[ebp-14h], edi
		cmp	[ebp-18h], edi
		jz	loc_AC4722
		mov	esi, large fs:124h
		mov	eax, ecx
		mov	ecx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp-10h], esi
		cmp	ecx, offset _WheapConfigTableLock
		ja	short loc_AC45E0
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_AC45D0
		cmp	ecx, offset _WheapConfigTableLock
		ja	short loc_AC45E0
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jnz	short loc_AC45E0

loc_AC45D0:				; CODE XREF: INIT:00AC45BDj
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	edx, eax
		mov	[ebp-1Ch], eax

loc_AC45E0:				; CODE XREF: INIT:00AC45B4j
					; INIT:00AC45C5j ...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	ecx, esi
		push	edx
		mov	edx, offset _WheapConfigTableLock
		mov	[ebp-1], al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp-18h], ecx
		test	ecx, ecx
		jnz	short loc_AC4631
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_AC46A3
		push	ecx
		push	dword ptr [ebp-1Ch]
		mov	eax, offset _WheapConfigTableLock
		push	eax
		push	esi
		push	162h
		jmp	loc_AC4739
; 

loc_AC4631:				; CODE XREF: INIT:00AC460Cj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_AC4647
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp-18h]

loc_AC4647:				; CODE XREF: INIT:00AC463Dj
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp-14h], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		cdq
		pop	ecx
		idiv	ecx
		cmp	byte ptr [ebp-1], 1
		mov	edx, eax
		jnz	short loc_AC4691
		movzx	ecx, byte ptr [esi+1E4h]
		bts	ecx, edx
		mov	[esi+1E4h], cl
		jmp	short loc_AC46A3
; 

loc_AC4691:				; CODE XREF: INIT:00AC467Dj
		mov	al, 1
		mov	ecx, edx
		shl	al, cl
		add	esi, 222h
		lock or	[esi], al
		mov	esi, [ebp-10h]

loc_AC46A3:				; CODE XREF: INIT:00AC4616j
					; INIT:00AC468Fj
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp-24h], eax
		jz	short loc_AC470A
		test	edi, 8000h
		jz	short loc_AC46C7
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_AC46C7:				; CODE XREF: INIT:00AC46BCj
		test	byte ptr [ebp-12h], 1
		jz	short loc_AC46DB
		lock dec dword ptr [esi+21Ch]
		lock dec dword ptr [esi+330h]

loc_AC46DB:				; CODE XREF: INIT:00AC46CBj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_AC46EF
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_AC46EF:				; CODE XREF: INIT:00AC46E2j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_AC470A
		push	dword ptr [ebp-24h]
		mov	edx, offset _WheapConfigTableLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_AC470A:				; CODE XREF: INIT:00AC46B4j
					; INIT:00AC46F9j
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_AC4722
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_AC4722
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_AC4722:				; CODE XREF: INIT:00AC4295j
					; INIT:00AC4593j ...
		pop	edi
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_AC472D:				; CODE XREF: INIT:00AC41F2j
		push	0
		push	0

loc_AC4731:				; CODE XREF: INIT:00AC42C9j
		push	eax
		push	3

loc_AC4734:				; CODE XREF: INIT:00AC4208j
					; INIT:00AC4223j ...
		push	122h

loc_AC4739:				; CODE XREF: INIT:00AC433Dj
					; INIT:00AC462Cj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheapInitializeErrorSourceTable(x, x)
_WheapInitializeErrorSourceTable@8 proc	near ; CODE XREF: INIT:00AC4455p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	[esp+14h+var_4], ecx
		mov	[esp+14h+var_8], eax
		mov	esi, edx
		mov	[esp+14h+var_C], esi
		push	edi
		test	ecx, ecx
		jz	loc_AC4832

loc_AC4766:				; CODE XREF: WheapInitializeErrorSourceTable(x,x)+ECj
		mov	ecx, [esi+8]
		cmp	ecx, 11h
		jge	loc_AC4823
		test	ecx, ecx
		js	loc_AC4823
		mov	eax, large fs:20h
		mov	edx, 420h
		push	0
		mov	ecx, 200h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	61656857h
		call	ExpAllocatePoolWithTagFromNode
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AC483B
		push	420h		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		lea	edi, [ebx+50h]
		mov	ecx, 0F3h
		rep movsd
		mov	esi, [esp+24h+var_C]
		add	esp, 0Ch
		imul	eax, [esi+8], 24h
		cmp	byte_6FD664[eax], 0
		jz	short loc_AC47F6
		mov	ecx, ebx
		call	WheapInitializeErrorSource
		mov	edi, eax
		test	edi, edi
		jns	short loc_AC4800
		mov	ecx, ebx
		call	ExFreeHeapPool
		mov	eax, edi
		jmp	short loc_AC4834
; 

loc_AC47F6:				; CODE XREF: WheapInitializeErrorSourceTable(x,x)+9Cj
		mov	eax, [esi+8]
		mov	[ebx+20h], eax
		mov	byte ptr [ebx+48h], 1

loc_AC4800:				; CODE XREF: WheapInitializeErrorSourceTable(x,x)+A9j
		cmp	dword ptr [ebx+58h], 5
		jnz	short loc_AC4812
		cmp	dword ptr [ebx+80h], 0FFFFh
		jnz	short loc_AC4819

loc_AC4812:				; CODE XREF: WheapInitializeErrorSourceTable(x,x)+C4j
		mov	edx, ebx
		call	_WheapAddErrorSource@8 ; WheapAddErrorSource(x,x)

loc_AC4819:				; CODE XREF: WheapInitializeErrorSourceTable(x,x)+D0j
		add	esi, [esi]
		mov	eax, [esp+18h+var_8]
		mov	[esp+18h+var_C], esi

loc_AC4823:				; CODE XREF: WheapInitializeErrorSourceTable(x,x)+2Cj
					; WheapInitializeErrorSourceTable(x,x)+34j
		inc	eax
		mov	[esp+18h+var_8], eax
		cmp	eax, [esp+18h+var_4]
		jb	loc_AC4766

loc_AC4832:				; CODE XREF: WheapInitializeErrorSourceTable(x,x)+20j
		xor	eax, eax

loc_AC4834:				; CODE XREF: WheapInitializeErrorSourceTable(x,x)+B4j
					; WheapInitializeErrorSourceTable(x,x)+100j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_AC483B:				; CODE XREF: WheapInitializeErrorSourceTable(x,x)+6Dj
		mov	eax, 0C000009Ah
		jmp	short loc_AC4834
_WheapInitializeErrorSourceTable@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WheapQueryPshedForErrorSources proc near ; CODE	XREF: INIT:00AC4213p
					; INIT:00AC42D9p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE4DE1 SIZE 00000042 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	eax, eax
		push	ebx
		push	edi
		mov	[ebp+var_4], eax
		mov	edi, edx
		mov	[ebp+var_8], eax
		mov	ebx, ecx
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	ds:__imp__PshedGetAllErrorSources@12 ; PshedGetAllErrorSources(x,x,x)
		cmp	eax, 0C0000023h
		jnz	loc_AE4E0C
		push	[ebp+var_8]
		call	ds:__imp__PshedAllocateMemory@4	; PshedAllocateMemory(x)
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_AE4DE1
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		call	ds:__imp__PshedGetAllErrorSources@12 ; PshedGetAllErrorSources(x,x,x)
		test	eax, eax
		js	loc_AE4DF8
		mov	eax, [ebp+var_4]
		mov	[edi], eax
		mov	eax, [ebp+var_C]
		mov	[ebx], eax
		xor	eax, eax

loc_AC48B2:				; CODE XREF: WheapQueryPshedForErrorSources+205B1j
					; WheapQueryPshedForErrorSources+205DCj
		pop	edi
		pop	ebx
		leave
		retn
WheapQueryPshedForErrorSources endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpInitialize	proc near		; CODE XREF: EtwInitialize+Ap

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE4E23 SIZE 000000B7 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		push	ebx
		mov	ebx, ds:_KeNumberProcessors
		mov	edx, ecx
		push	esi
		push	edi
		xor	esi, esi
		lea	edi, [ebp+var_58]
		push	6
		xor	eax, eax
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_4], esi
		pop	ecx
		rep stosd
		test	edx, edx
		jnz	loc_AC4C52
		lea	eax, [ebp+var_20]
		mov	ecx, offset _EtwpRefTimeSystem
		push	eax
		lea	edx, [ebp+var_18]
		call	KeQueryBootTimeValues
		mov	ecx, [ebp+var_18]
		sub	ecx, [ebp+var_20]
		mov	eax, [ebp+var_14]
		sbb	eax, [ebp+var_1C]
		mov	dword_6BC194, eax
		lea	eax, [ebp+var_4]
		push	eax
		push	3
		lea	eax, [ebp+var_58]
		mov	_EtwpBootTime, ecx
		push	eax
		call	RtlGetMultiTimePrecise
		test	byte ptr [ebp+var_4], 1
		mov	_EtwpRefQpcDelta, esi
		mov	dword_6BC19C, esi
		jz	loc_AE4E3D
		test	byte ptr [ebp+var_4], 2
		mov	eax, [ebp+var_58]
		mov	edx, [ebp+var_54]
		mov	_EtwpRefTimePerfCounter, eax
		mov	dword_6BC164, edx
		jnz	loc_AE4E23

loc_AC4954:				; CODE XREF: EtwpInitialize+20582j
					; EtwpInitialize+20599j
		rdtsc
		mov	_EtwpRefTimeCycle, eax
		mov	dword_6BC16C, edx
		call	EtwpInitializeSecurity
		test	eax, eax
		js	loc_AE4E54
		xor	eax, eax
		mov	edi, 0FFDF0380h
		stosd
		stosd
		stosd
		stosd
		stosw
		test	ebx, ebx
		jz	short loc_AC499A

loc_AC497F:				; CODE XREF: EtwpInitialize+E2j
		mov	ecx, esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	ecx, eax
		call	_EtwInitializeProcessor@4 ; EtwInitializeProcessor(x)
		test	eax, eax
		js	loc_AE4E5B
		inc	esi
		cmp	esi, ebx
		jb	short loc_AC497F

loc_AC499A:				; CODE XREF: EtwpInitialize+C7j
		xor	ebx, ebx
		push	ebx
		push	offset _EtwpGroupMaskMutex
		call	_KeInitializeMutex@8 ; KeInitializeMutex(x,x)
		push	ebx
		push	offset _EtwpCrimsonMaskMutex
		call	_KeInitializeMutex@8 ; KeInitializeMutex(x,x)
		mov	_EtwpSecurityLock, ebx
		call	_EtwpInitializeStackLookasideList@0 ; EtwpInitializeStackLookasideList()
		call	EtwpReadConfigParameters
		call	_EtwpInitializeRegistration@0 ;	EtwpInitializeRegistration()
		call	_EtwpInitializePrivateSessionDemuxObject@0 ; EtwpInitializePrivateSessionDemuxObject()
		call	_EtwpInitializeRealTimeConnection@0 ; EtwpInitializeRealTimeConnection()
		xor	ecx, ecx
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	dl, 1
		mov	ecx, eax
		call	_KeQueryCycleCounterFrequency@8	; KeQueryCycleCounterFrequency(x,x)
		push	offset _EtwPerfFreq
		mov	_EtwCPUSpeedInMHz, eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		call	EtwpInitializeLastBranchTracing
		call	_EtwpInitializeProcessorTrace@0	; EtwpInitializeProcessorTrace()
		push	8
		pop	edi
		push	edi
		push	ebx
		push	offset _EtwpLogMemInfoTimerCallback@8 ;	EtwpLogMemInfoTimerCallback(x,x)
		push	offset _EtwpMemInfoTimer
		mov	dword_6BC05C, ebx
		mov	_EtwpMdlTable, ebx
		mov	dword_6BC058, ebx
		mov	dword_6BC054, 0Ch
		mov	_EtwpBufferAdjustmentCount, edi
		mov	dword_6BC148, offset EtwpAdjustTraceBuffers
		mov	dword_6BC14C, offset _EtwpBufferAdjustmentActive
		mov	_EtwpAdjustBuffersWorkItem, ebx
		call	_KeInitializeTimer2@16 ; KeInitializeTimer2(x,x,x,x)
		call	_EtwpInitializeProviderTraits@0	; EtwpInitializeProviderTraits()
		push	ebx
		push	offset _EtwpPowerStateCallback@12 ; EtwpPowerStateCallback(x,x,x)
		push	_ExCbPowerState
		call	ExRegisterCallback
		test	eax, eax
		jz	loc_AE4EC5
		lea	eax, [ebp+var_8]
		mov	[ebp+var_28], ebx
		push	eax
		mov	[ebp+var_24], ebx
		mov	[ebp+var_8], ebx
		call	ds:__imp__KsrGetFirmwareInformation@4 ;	KsrGetFirmwareInformation(x)
		test	eax, eax
		jns	loc_AE4E6B

loc_AC4A84:				; CODE XREF: EtwpInitialize+205F3j
					; EtwpInitialize+2060Aj
		call	EtwpLoadMicroarchitecturalPmcs
		call	_EtwpInitializeSiloAllowedGroupMask@0 ;	EtwpInitializeSiloAllowedGroupMask()
		xor	ecx, ecx
		call	EtwInitializeSiloState
		test	eax, eax
		js	loc_AE4EC5
		push	offset _EtwpComponentName
		push	5
		push	offset _EtwpBugCheckMultiPartCallback@16 ; EtwpBugCheckMultiPartCallback(x,x,x,x)
		push	offset _EtwpBugCheckCallback
		mov	byte_6BC0D8, bl
		call	KeRegisterBugCheckReasonCallback
		push	offset _EtwpEventTracingProvRegHandle
		push	ebx
		push	offset EtwpTracingProvEnableCallback
		push	offset _EventTracingProvGuid
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		call	_WdipSemInitialize@0 ; WdipSemInitialize()
		call	_PerfDiagInitialize@0 ;	PerfDiagInitialize()
		call	_EtwpInitializeCoverage@0 ; EtwpInitializeCoverage()
		call	EtwpInitializeCoverageSampler
		push	offset _EtwKernelProvRegHandle
		push	ebx
		push	offset _EtwpKernelProvEnableCallback@36	; EtwpKernelProvEnableCallback(x,x,x,x,x,x,x,x,x)
		push	offset _KernelProvGuid
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		mov	ecx, offset dword_6B2A40
		call	_TlgRegisterAggregateProvider@4	; TlgRegisterAggregateProvider(x)
		push	offset _EtwpPsProvRegHandle
		push	1
		mov	esi, offset EtwpCrimsonProvEnableCallback
		push	esi
		push	offset _PsProvGuid
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	ecx
		push	offset _PsProvTraceLoggingGuid
		mov	edx, offset EtwpTraceLoggingProvEnableCallback
		mov	ecx, offset dword_6B2A18
		call	TlgRegisterAggregateProviderEx
		push	offset _EtwpNetProvRegHandle
		push	10000h
		push	esi
		push	offset _NetProvGuid
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	offset _EtwpDiskProvRegHandle
		push	100h
		push	esi
		push	offset _DiskProvGuid
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	offset _EtwpFileProvRegHandle
		push	2000000h
		push	esi
		push	offset _FileProvGuid
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	offset _EtwpRegTraceHandle
		push	ebx
		push	offset _EtwpRegTraceEnableCallback@36 ;	EtwpRegTraceEnableCallback(x,x,x,x,x,x,x,x,x)
		push	offset _RegistryProvGuid
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	offset _EtwpMemoryProvRegHandle
		push	20000001h
		push	esi
		push	(offset	loc_405466+2)
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	offset _EtwAppCompatProvRegHandle
		push	ebx
		push	ebx
		push	offset _MS_Windows_Kernel_AppCompat_Provider
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	offset _EtwApiCallsProvRegHandle
		push	ebx
		push	ebx
		push	offset _KernelAuditApiCallsGuid
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	offset _EtwCVEAuditProvRegHandle
		push	ebx
		push	ebx
		push	(offset	loc_405557+1)
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	offset _EtwThreatIntProvRegHandle
		push	ebx
		push	ebx
		push	offset _ThreatIntProviderGuid
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	offset _EtwLpacProvRegHandle
		push	ebx
		push	ebx
		push	offset _MS_Windows_Security_LPAC_Provider
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	offset _EtwAdminlessProvRegHandle
		push	ebx
		push	ebx
		push	offset _MS_Windows_Security_Adminless_Provider
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	offset _EtwSecurityMitigationsRegHandle
		push	ebx
		push	ebx
		push	offset _SecurityMitigationsProviderGuid
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		push	offset _WNF_ETW_SUBSYSTEM_INITIALIZED
		mov	_EtwpInitialized, 1
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		call	EtwpTraceSystemInitialization
		lea	eax, [ebp+var_C]
		mov	[ebp+var_C], ebx
		push	eax
		push	offset _EtwpMaxPmcCounter
		push	4
		push	2Ch
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_AC4C6D

loc_AC4C43:				; CODE XREF: EtwpInitialize+3BDj
		mov	eax, ds:_EtwpMaxPmcCounter
		mov	ds:_EtwpMaxProfilingSources, eax

loc_AC4C4D:				; CODE XREF: EtwpInitialize+39Fj
					; EtwpInitialize+3B5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AC4C52:				; CODE XREF: EtwpInitialize+30j
		cmp	edx, 1
		jnz	short loc_AC4C4D
		push	esi
		push	ds:_EtwpHostSiloState
		mov	ecx, offset _PerfGlobalGroupMask
		push	edx
		mov	edx, ecx
		call	EtwpUpdateFileInfoDriverState
		jmp	short loc_AC4C4D
; 

loc_AC4C6D:				; CODE XREF: EtwpInitialize+38Bj
		mov	ds:_EtwpMaxPmcCounter, edi
		jmp	short loc_AC4C43
EtwpInitialize	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WMIInitialize(x, x)
_WMIInitialize@8 proc near		; CODE XREF: INIT:00AC2C61p
					; INIT:00AC301Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		push	esi
		mov	esi, edx
		test	ecx, ecx
		jnz	short loc_AC4CC6
		call	_WmipInitializeAllocs@0	; WmipInitializeAllocs()
		push	offset ??_C@_1CA@PFOGGCOI@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AAW?$AAM?$AAI?$AAx?$AAW?$AAD?$AAM@PBOPGDP@
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset WmipDriverEntry
		lea	eax, [ebp+var_8]
		push	eax
		call	IoCreateDriver
		test	eax, eax
		js	short loc_AC4CC0
		mov	ecx, esi
		call	_WmipGetSMBiosFromLoaderBlock@4	; WmipGetSMBiosFromLoaderBlock(x)
		call	_WmipRegisterFirmwareProviders@0 ; WmipRegisterFirmwareProviders()

loc_AC4CBE:				; CODE XREF: WMIInitialize(x,x)+55j
		mov	bl, 1

loc_AC4CC0:				; CODE XREF: WMIInitialize(x,x)+3Aj
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_AC4CC6:				; CODE XREF: WMIInitialize(x,x)+15j
		call	_WmipInitializeRegistration@4 ;	WmipInitializeRegistration(x)
		jmp	short loc_AC4CBE
_WMIInitialize@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KseInitialize	proc near		; CODE XREF: INIT:00AC2C48p
					; INIT:00AC2E0Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE4EDA SIZE 0000011F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edx
		xor	eax, eax
		inc	edi
		mov	ebx, ecx
		mov	esi, eax
		test	edx, edx
		jnz	loc_AC4DE9
		mov	ecx, edi
		mov	edx, offset dword_6D4A78
		lock cmpxchg [edx], ecx
		cmp	eax, 2
		jz	loc_AC4E3F
		cmp	eax, edi
		jz	loc_AE4ED0
		mov	ecx, [ebx+84h]
		push	dword ptr [ecx+34h]
		mov	edx, [ecx+2Ch]
		push	dword ptr [ecx+30h]
		mov	ecx, [ecx+28h]
		call	KseShimDatabaseBootInitialize
		test	eax, eax
		js	loc_AE4EDA
		mov	eax, _InitSafeBootMode
		test	eax, eax
		jnz	loc_AE4EE4
		mov	ecx, [ebx+84h]
		cmp	[ecx+28h], esi
		jz	loc_AE4EE4
		cmp	[ecx+2Ch], esi
		jz	loc_AE4EE4
		mov	ecx, offset _KseEngine
		call	KsepEngineInitialize
		mov	esi, eax
		test	esi, esi
		js	loc_AE4F20
		mov	ecx, ebx
		call	KsepMatchInitMachineInfo
		mov	esi, eax
		test	esi, esi
		js	loc_AE4F20
		mov	dword_6D4A78, 2
		call	KseDriverScopeInitialize

loc_AC4D81:				; CODE XREF: KseInitialize+157j
					; KseInitialize+16Cj
		mov	edx, [ebp+var_4]

loc_AC4D84:				; CODE XREF: KseInitialize+11Dj
		mov	eax, edi
		lock xadd _KsepHistoryMessagesIndex, eax
		inc	eax
		and	eax, 3Fh
		mov	ebx, offset ??_C@_0BN@KGLPCGAF@KSE?3?5Initialized?5phase?50x?$CFx?6@PBOPGDP@ ; "KSE: Initialized phase 0x%x\n"
		push	5
		pop	ecx
		and	dword_6C7244[eax*8], 0
		test	_KsepDebugFlag,	1
		mov	word_6C7242[eax*8], cx
		mov	ecx, 104h
		mov	_KsepHistoryMessages[eax*8], cx
		jnz	loc_AE4FA3

loc_AC4DC4:				; CODE XREF: KseInitialize+202E0j
		push	[ebp+var_4]
		push	ebx
		push	edi
		call	_KsepLogInfo
		add	esp, 0Ch
		cmp	_InitIsWinPEMode, 0
		jnz	short loc_AC4E43

loc_AC4DDA:				; CODE XREF: KseInitialize+17Bj
		test	esi, esi
		js	loc_AE4F20

loc_AC4DE2:				; CODE XREF: KseInitialize+202BCj
					; KseInitialize+20326j
		mov	eax, esi

loc_AC4DE4:				; CODE XREF: KseInitialize+173j
					; EtwpInitialize+2061Fj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn			; char
; 

loc_AC4DE9:				; CODE XREF: KseInitialize+19j
		cmp	edx, edi
		jnz	short loc_AC4D84
		push	offset _KseEtwHandle
		push	eax
		push	eax
		push	offset _KernelShimEngineProvider
		mov	[ebp+var_8], eax
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		lea	ecx, [ebp+var_8]
		call	KseShimDatabaseOpen
		mov	esi, eax
		test	esi, esi
		js	loc_AE4F8F
		mov	ecx, [ebp+var_8]
		test	ecx, ecx
		jz	loc_AE4F8F
		call	KseShimDatabaseClose

loc_AC4E23:				; CODE XREF: KseInitialize+202D0j
		test	esi, esi
		js	loc_AC4D81
		call	KseVersionLieInitialize
		call	KseSkipDriverUnloadInitialize
		call	KseZeroPoolInitialize
		jmp	loc_AC4D81
; 

loc_AC4E3F:				; CODE XREF: KseInitialize+2Dj
		xor	eax, eax
		jmp	short loc_AC4DE4
; 

loc_AC4E43:				; CODE XREF: KseInitialize+10Aj
		or	_KseEngine, edi
		jmp	short loc_AC4DDA
KseInitialize	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopInitializePlugPlayServices(x, x)
_IopInitializePlugPlayServices@8 proc near ; CODE XREF:	INIT:00AC2C28p
					; INIT:00AC2DA5p

var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_CD		= dword	ptr -0CDh
var_C8		= dword	ptr -0C8h
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 15Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_F4], ebx
		mov	[ebp+var_CD+1],	ebx
		mov	[ebp+var_104], ebx
		mov	[ebp+var_138], ebx
		mov	[ebp+var_134], ebx
		mov	[ebp+var_130], ebx
		mov	[ebp+var_12C], ebx
		mov	[ebp+var_D4], ebx
		mov	[ebp+var_124], ebx
		mov	[ebp+var_FC], ebx
		mov	[ebp+var_E4], ebx
		mov	[ebp+var_10C], ebx
		mov	[ebp+var_114], ebx
		mov	[ebp+var_11C], ebx
		mov	[ebp+var_EC], ebx
		mov	byte ptr [ebp+var_CD], bl
		push	esi
		push	edi
		mov	edi, ecx
		test	edx, edx
		jnz	loc_AC5729
		push	ecx
		push	offset _PnpSystemHiveLimits
		mov	_PnPInitialized, bl
		mov	_PnpSystemHiveLimits, 50h
		mov	dword_6D4DFC, 5Ah
		call	CmRegisterSystemHiveLimitCallback
		push	18h
		pop	eax
		mov	[ebp+var_158], eax
		lea	eax, [ebp+var_124]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_158]
		mov	_PnpSystemHiveTooLarge,	bl
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_EC]
		mov	[ebp+var_154], ebx
		push	eax
		mov	[ebp+var_14C], 240h
		mov	[ebp+var_150], offset _CmRegistryMachineHardwareDescriptionSystemName
		mov	[ebp+var_148], ebx
		mov	[ebp+var_144], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_AC4FFA
		mov	ecx, [ebp+var_EC]
		lea	eax, [ebp+var_FC]
		push	eax
		push	ebx
		mov	edx, offset ??_C@_1CE@OMPBPMAF@?$AAO?$AAl?$AAd?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAB?$AAi?$AAo?$AAs?$AAD?$AAa@PBOPGDP@
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_AC4FEF
		mov	esi, [ebp+var_FC]
		test	esi, esi
		jz	short loc_AC4FEF
		mov	ecx, [ebp+var_EC]
		lea	eax, [ebp+var_E4]
		push	eax
		push	ebx
		mov	edx, offset ??_C@_1BO@BHDHIFGP@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAB?$AAi?$AAo?$AAs?$AAD?$AAa?$AAt?$AAe@PBOPGDP@
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_AC4FE8
		mov	ebx, [ebp+var_E4]
		test	ebx, ebx
		jz	short loc_AC4FE6
		mov	eax, [esi+8]
		add	eax, esi
		push	eax
		lea	eax, [ebp+var_138]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebx+8]
		add	eax, ebx
		push	eax
		lea	eax, [ebp+var_130]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	0		; size_t
		push	0		; void *
		push	4000002Ch	; int
		lea	edx, [ebp+var_130]
		lea	ecx, [ebp+var_138]
		call	_PnpLogEvent@20	; PnpLogEvent(x,x,x,x,x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AC4FE6:				; CODE XREF: IopInitializePlugPlayServices(x,x)+152j
		xor	ebx, ebx

loc_AC4FE8:				; CODE XREF: IopInitializePlugPlayServices(x,x)+148j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AC4FEF:				; CODE XREF: IopInitializePlugPlayServices(x,x)+122j
					; IopInitializePlugPlayServices(x,x)+12Cj
		push	[ebp+var_EC]
		call	_ZwClose@4	; ZwClose(x)

loc_AC4FFA:				; CODE XREF: IopInitializePlugPlayServices(x,x)+102j
		call	_PnpDeviceCompletionQueueInitialize@4 ;	PnpDeviceCompletionQueueInitialize(x)
		test	eax, eax
		js	loc_AC59CA
		mov	ecx, edi
		call	PiInitFirmwareResources
		mov	eax, [edi+84h]
		test	dword ptr [eax+54h], 400h
		jnz	short loc_AC5026
		xor	edx, edx
		mov	ecx, edi
		call	PpInitializeBootDDB

loc_AC5026:				; CODE XREF: IopInitializePlugPlayServices(x,x)+1CFj
		call	PipInitDeviceOverrideCache
		push	ebx
		push	ebx
		push	offset _PnpSystemDeviceEnumerationComplete
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		call	_PiInitCacheGroupInformation@0 ; PiInitCacheGroupInformation()
		test	eax, eax
		js	loc_AC59CA
		xor	ebx, ebx
		inc	ebx
		push	ebx
		push	ebx
		push	offset _PpRegistrySemaphore
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		call	_PnpInitializeLegacyBusInformationTable@0 ; PnpInitializeLegacyBusInformationTable()
		test	eax, eax
		js	loc_AC59CA
		mov	ecx, edi
		call	IopInitializeResourceMap
		mov	ecx, dword_6D06C0
		and	ds:_IopInitReservedResourceList, 0
		mov	_IopAllocateBootResourcesRoutine, offset IopReportBootResources
		mov	_PnpDefaultInterfaceType, ebx
		call	_ArbInitializeOsInaccessibleRange@4 ; ArbInitializeOsInaccessibleRange(x)
		call	_IopPortInitialize@0 ; IopPortInitialize()
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		call	_IopMemInitialize@0 ; IopMemInitialize()
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		call	_IopDmaInitialize@0 ; IopDmaInitialize()
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		call	_IopIrqInitialize@0 ; IopIrqInitialize()
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		call	_IopBusNumberInitialize@0 ; IopBusNumberInitialize()
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		xor	ecx, ecx
		call	PiPnpRtlInit
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		call	PipMigratePnpState
		call	_PiDmInit@0	; PiDmInit()
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_104]
		push	eax
		push	4
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		mov	edx, [ebp+var_104]
		lea	ecx, [ebp+var_CD+1]
		push	18h
		pop	eax
		push	16h
		mov	word ptr [ebp+var_E0+2], ax
		xor	esi, esi
		pop	eax
		push	esi
		push	esi
		mov	word ptr [ebp+var_E0], ax
		lea	eax, [ebp+var_E0]
		push	0F003Fh
		push	eax
		mov	[ebp+var_DC], offset ??_C@_1BI@EIJDOAKI@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAP?$AAn?$AAp@PBOPGDP@
		call	IopCreateRegistryKeyEx
		test	eax, eax
		js	loc_AC5240
		mov	ecx, [ebp+var_CD+1]
		lea	eax, [ebp+var_10C]
		push	eax
		push	esi
		mov	edx, offset ??_C@_1CI@NLPLCOOC@?$AAA?$AAs?$AAy?$AAn?$AAc?$AAh?$AAr?$AAo?$AAn?$AAo?$AAu?$AAs?$AAO?$AAp?$AAt@PBOPGDP@
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_AC519F
		mov	ecx, [ebp+var_10C]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_AC5198
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_AC5198
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	_PnpAsyncOptions, eax

loc_AC5198:				; CODE XREF: IopInitializePlugPlayServices(x,x)+339j
					; IopInitializePlugPlayServices(x,x)+33Fj
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AC519F:				; CODE XREF: IopInitializePlugPlayServices(x,x)+32Dj
		mov	ecx, [ebp+var_CD+1]
		lea	eax, [ebp+var_114]
		push	eax
		push	esi
		mov	edx, offset ??_C@_1BI@KODDANKI@?$AAB?$AAo?$AAo?$AAt?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@PBOPGDP@
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_AC51DF
		mov	ecx, [ebp+var_114]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_AC51D8
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_AC51D8
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	_PnpBootOptions, eax

loc_AC51D8:				; CODE XREF: IopInitializePlugPlayServices(x,x)+379j
					; IopInitializePlugPlayServices(x,x)+37Fj
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AC51DF:				; CODE XREF: IopInitializePlugPlayServices(x,x)+36Dj
		mov	ecx, [ebp+var_CD+1]
		lea	eax, [ebp+var_11C]
		push	eax
		push	esi
		mov	edx, offset ??_C@_1DK@LHAIMOCD@?$AAF?$AAi?$AAn?$AAd?$AAB?$AAe?$AAs?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu@PBOPGDP@
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_AC521F
		mov	ecx, [ebp+var_11C]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_AC5218
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_AC5218
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	_PnpFindBestConfigurationTimeout, eax

loc_AC5218:				; CODE XREF: IopInitializePlugPlayServices(x,x)+3B9j
					; IopInitializePlugPlayServices(x,x)+3BFj
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AC521F:				; CODE XREF: IopInitializePlugPlayServices(x,x)+3ADj
		mov	ecx, [ebp+var_CD+1]
		call	PiDmaGuardProcessRegistry
		mov	ecx, [ebp+var_CD+1]
		call	IopQueryDeviceResetRegistrySettings
		push	[ebp+var_CD+1]
		call	_ZwClose@4	; ZwClose(x)

loc_AC5240:				; CODE XREF: IopInitializePlugPlayServices(x,x)+30Dj
		push	3Eh
		pop	eax
		push	3Ch
		mov	word ptr [ebp+var_E0+2], ax
		lea	ecx, [ebp+var_CD+1]
		pop	eax
		mov	word ptr [ebp+var_E0], ax
		xor	edx, edx
		push	20019h
		lea	eax, [ebp+var_E0]
		mov	[ebp+var_DC], offset ??_C@_1DO@PGOAJPNE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		push	eax
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
		test	eax, eax
		js	loc_AC5358
		mov	ecx, [ebp+var_CD+1]
		call	PipUpdateSetupInProgress
		mov	ecx, [ebp+var_CD+1]
		lea	eax, [ebp+var_E4]
		push	eax
		push	esi
		mov	edx, offset ??_C@_1BA@GGIBCIOH@?$AAU?$AAp?$AAg?$AAr?$AAa?$AAd?$AAe@PBOPGDP@
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_AC52CD
		mov	ecx, [ebp+var_E4]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_AC52C6
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_AC52C6
		mov	eax, [ecx+8]
		cmp	[ecx+eax], esi
		jz	short loc_AC52C6
		mov	_PnpSetupUpgradeInProgress, bl

loc_AC52C6:				; CODE XREF: IopInitializePlugPlayServices(x,x)+464j
					; IopInitializePlugPlayServices(x,x)+46Aj ...
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AC52CD:				; CODE XREF: IopInitializePlugPlayServices(x,x)+458j
		mov	ecx, [ebp+var_CD+1]
		lea	eax, [ebp+var_E4]
		push	eax
		push	esi
		mov	edx, offset ??_C@_1BO@MAAICHKD@?$AAR?$AAo?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe@PBOPGDP@
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_AC5310
		mov	ecx, [ebp+var_E4]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_AC5309
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_AC5309
		mov	eax, [ecx+8]
		cmp	[ecx+eax], esi
		jz	short loc_AC5309
		mov	_PnpSetupRollbackActiveInProgress, bl

loc_AC5309:				; CODE XREF: IopInitializePlugPlayServices(x,x)+4A7j
					; IopInitializePlugPlayServices(x,x)+4ADj ...
		push	esi
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AC5310:				; CODE XREF: IopInitializePlugPlayServices(x,x)+49Bj
		cmp	_PnpSetupInProgress, 0
		jnz	short loc_AC532F
		cmp	_PnpSetupOOBEInProgress, 0
		jnz	short loc_AC532F
		push	[ebp+var_CD+1]
		call	_ZwClose@4	; ZwClose(x)
		jmp	short loc_AC5352
; 

loc_AC532F:				; CODE XREF: IopInitializePlugPlayServices(x,x)+4CBj
					; IopInitializePlugPlayServices(x,x)+4D4j
		mov	ecx, [ebp+var_CD+1]
		xor	dl, dl
		mov	dword_6CCB28, offset _PipUpdateSetupInProgressCallback@4 ; PipUpdateSetupInProgressCallback(x)
		mov	dword_6CCB2C, ecx
		mov	_PnpSetupWorkItem, esi
		call	_PipUpdateSetupInProgressNotify@8 ; PipUpdateSetupInProgressNotify(x,x)

loc_AC5352:				; CODE XREF: IopInitializePlugPlayServices(x,x)+4E1j
		mov	[ebp+var_CD+1],	esi

loc_AC5358:				; CODE XREF: IopInitializePlugPlayServices(x,x)+42Dj
		mov	ecx, [edi+84h]
		add	ecx, 9A8h
		call	PipHardwareConfigInit
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		lea	ecx, [ebp+var_CD]
		call	PipCheckSystemFirmwareUpdated
		xor	ecx, ecx
		call	_PiDcInit@4	; PiDcInit(x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		call	_PiAuCreateSecurityObjects@0 ; PiAuCreateSecurityObjects()
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		call	_PiDqInit@0	; PiDqInit()
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		call	PpDevCfgInit
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		call	_PipResetDevices@4 ; PipResetDevices(x)
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_F4]
		xor	edi, edi
		mov	edx, offset ??_C@_1BK@CCOOHMCM@?$AAH?$AAT?$AAR?$AAE?$AAE?$AA?2?$AAR?$AAO?$AAO?$AAT?$AA?2?$AA0@PBOPGDP@ ; "HTREE\\ROOT\\0"
		push	edi
		push	edi
		push	eax
		push	0F003Fh
		call	_CmCreateDevice
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		mov	ecx, _PiPnpRtlCtx
		mov	esi, offset ??_C@_1BK@CCOOHMCM@?$AAH?$AAT?$AAR?$AAE?$AAE?$AA?2?$AAR?$AAO?$AAO?$AAT?$AA?2?$AA0@PBOPGDP@ ; "HTREE\\ROOT\\0"
		push	edi
		push	4Eh
		pop	eax
		push	eax
		push	offset ??_C@_1EO@EKIIDBMB@?$AA?$HL?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9@PBOPGDP@
		push	ebx
		push	25h
		push	[ebp+var_F4]
		mov	edx, esi
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_128]
		push	edi
		push	4
		push	eax
		push	4
		push	0Bh
		push	[ebp+var_F4]
		mov	edx, esi
		mov	[ebp+var_128], edi
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		push	[ebp+var_F4]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, offset _IopPendingEjects
		mov	dword_6CC51C, eax
		mov	_IopPendingEjects, eax
		mov	eax, offset _IopPendingSurpriseRemovals
		push	offset _IopDeviceTreeLock
		mov	dword_6CC524, eax
		mov	_IopPendingSurpriseRemovals, eax
		call	ExInitializeResourceLite
		push	offset _IopSurpriseRemoveListLock
		call	ExInitializeResourceLite
		push	offset _PnpDevicePropertyLock
		call	ExInitializeResourceLite
		push	offset _PiEngineLock
		call	ExInitializeResourceLite
		mov	ecx, offset _PiResourceListLock
		mov	_PnpSpinLock, edi
		call	@KeInitializeGuardedMutex@4 ; KeInitializeGuardedMutex(x)
		push	edi
		push	ebx
		push	offset unk_6CC54C
		mov	_PnpRebuildPowerRelationsQueueLock, ebx
		mov	dword_6CC544, edi
		mov	dword_6CC548, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		call	_PiDeviceDependencyInit@0 ; PiDeviceDependencyInit()
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		call	_PnpInitializeDeviceActions@0 ;	PnpInitializeDeviceActions()
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		call	_PpProfileInit@0 ; PpProfileInit()
		push	ebx
		push	ebx
		push	offset _IopWarmEjectLock
		mov	_IopWarmEjectPdo, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	26h
		pop	eax
		push	24h
		mov	word ptr [ebp+var_E0+2], ax
		pop	eax
		mov	word ptr [ebp+var_E0], ax
		lea	eax, [ebp+var_E0]
		push	offset _PipPnPDriverEntry@8 ; PipPnPDriverEntry(x,x)
		push	eax
		mov	[ebp+var_DC], offset ??_C@_1CG@DOIHNFDF@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AAP?$AAn?$AAp?$AAM?$AAa?$AAn?$AAa@PBOPGDP@
		call	IoCreateDriver
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		lea	eax, [ebp+var_D4]
		push	eax
		push	edi
		push	edi
		push	4
		push	edi
		push	edi
		push	_PnpDriverObject
		call	IoCreateDevice
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		mov	edi, [ebp+var_D4]
		mov	edx, offset _IopRootDeviceNode
		mov	ecx, edi
		or	dword ptr [edi+1Ch], 1000h
		call	PipAllocateDeviceNode
		mov	ecx, _IopRootDeviceNode
		mov	esi, eax
		test	ecx, ecx
		jnz	short loc_AC5581
		push	edi
		call	IoDeleteDevice
		push	_PnpDriverObject
		call	_IoDeleteDriver@4 ; IoDeleteDriver(x)
		jmp	loc_AC565A
; 

loc_AC5581:				; CODE XREF: IopInitializePlugPlayServices(x,x)+71Dj
		mov	edx, 131h
		call	PipSetDevNodeFlags
		mov	ecx, _IopRootDeviceNode
		push	0Ah
		pop	edx
		call	PipSetDevNodeUserFlags
		mov	eax, _IopRootDeviceNode
		push	1Ah
		pop	edi
		mov	edx, edi
		mov	dword ptr [eax+1A4h], 0FFFFFFFEh
		mov	ecx, _IopRootDeviceNode
		call	_PnpAllocateDeviceInstancePath@8 ; PnpAllocateDeviceInstancePath(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		mov	ecx, _IopRootDeviceNode
		lea	edx, [ebp+var_D8]
		push	18h
		pop	eax
		mov	word ptr [ebp+var_D8+2], di
		mov	word ptr [ebp+var_D8], ax
		mov	[ebp+var_D4], offset ??_C@_1BK@CCOOHMCM@?$AAH?$AAT?$AAR?$AAE?$AAE?$AA?2?$AAR?$AAO?$AAO?$AAT?$AA?2?$AA0@PBOPGDP@	; "HTREE\\ROOT\\0"
		call	_PnpCopyDeviceInstancePath@8 ; PnpCopyDeviceInstancePath(x,x)
		mov	ecx, _IopRootDeviceNode
		lea	edx, [ecx+14h]
		mov	ecx, [ecx+10h]
		call	_PnpMapDeviceObjectToDeviceInstance@8 ;	PnpMapDeviceObjectToDeviceInstance(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		push	4Eh
		pop	eax
		mov	word ptr [ebp+var_D8+2], ax
		push	4Ch
		pop	eax
		mov	word ptr [ebp+var_D8], ax
		mov	eax, _IopRootDeviceNode
		add	eax, 1A8h
		mov	[ebp+var_D4], offset ??_C@_1EO@EKIIDBMB@?$AA?$HL?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9@PBOPGDP@
		push	eax
		lea	eax, [ebp+var_D8]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		mov	ecx, _IopRootDeviceNode
		call	_PnpQueryAndSaveDeviceNodeCapabilities@4 ; PnpQueryAndSaveDeviceNodeCapabilities(x)
		push	ecx
		mov	ecx, _IopRootDeviceNode
		mov	edx, 308h
		call	PipSetDevNodeState

loc_AC565A:				; CODE XREF: IopInitializePlugPlayServices(x,x)+730j
		test	esi, esi
		js	loc_AC59C8
		mov	ecx, _PiPnpRtlCtx
		xor	edi, edi
		push	edi
		mov	eax, offset ??_C@_1EO@EKIIDBMB@?$AA?$HL?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9@PBOPGDP@
		push	offset ??_C@_1BK@CCOOHMCM@?$AAH?$AAT?$AAR?$AAE?$AAE?$AA?2?$AAR?$AAO?$AAO?$AAT?$AA?2?$AA0@PBOPGDP@ ; "HTREE\\ROOT\\0"
		push	eax
		mov	edx, eax
		call	_CmAddDeviceToContainer
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		cmp	byte ptr [ebp+var_CD], 0
		jz	short loc_AC5695
		call	_PiDcHandleSystemFirmwareUpdate@0 ; PiDcHandleSystemFirmwareUpdate()

loc_AC5695:				; CODE XREF: IopInitializePlugPlayServices(x,x)+842j
		call	_PnpInitializePnpWatchdogs@0 ; PnpInitializePnpWatchdogs()
		call	_PnpInitializeDeviceEvents@0 ; PnpInitializeDeviceEvents()
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		call	_PnpInitializeNotification@0 ; PnpInitializeNotification()
		call	PnpBusTypeGuidInitialize
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		push	ebx
		push	ebx
		push	offset _PnpReplaceEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		call	_PiSwInit@0	; PiSwInit()
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		xor	ecx, ecx
		call	_PiUEventInit@4	; PiUEventInit(x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		call	_PiDaInit@0	; PiDaInit()
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		xor	ecx, ecx
		call	PiDmaGuardInitialize
		mov	esi, eax
		test	esi, esi
		js	loc_AC59C8
		call	_PipProcessPendingOperations@0 ; PipProcessPendingOperations()
		mov	ecx, _IopRootDeviceNode
		push	edi
		push	edi
		push	edi
		mov	ecx, [ecx+10h]
		push	edi
		push	edi
		push	0Ah
		pop	edx
		call	PnpRequestDeviceAction
		jmp	loc_AC59C8
; 

loc_AC5729:				; CODE XREF: IopInitializePlugPlayServices(x,x)+7Ej
		xor	ebx, ebx
		inc	ebx
		cmp	edx, ebx
		jnz	loc_AC59C3
		call	_PnpDiagInitialize@0 ; PnpDiagInitialize()
		test	eax, eax
		js	loc_AC59CA
		call	_PnpTraceInitialize@0 ;	PnpTraceInitialize()
		mov	ecx, ebx
		call	_PiDcInit@4	; PiDcInit(x)
		test	eax, eax
		js	loc_AC59CA
		mov	ecx, ebx
		call	_PiUEventInit@4	; PiUEventInit(x)
		test	eax, eax
		js	loc_AC59CA
		mov	eax, [edi+84h]
		xor	esi, esi
		add	eax, 58h
		mov	[ebp+var_14], esi
		mov	[ebp+var_18], eax
		mov	edx, ebx
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], 50h
		push	eax
		mov	ecx, offset _KMPnPEvt_OsLoader_Time
		mov	[ebp+var_C], esi
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		cmp	dword_6B2B58, 4
		jbe	loc_AC5951
		push	4000h
		push	esi
		mov	ecx, offset dword_6B2B58
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_AC5951
		mov	ecx, [edi+84h]
		push	8
		pop	edx
		mov	eax, [ecx+58h]
		mov	[ebp+var_D8], eax
		mov	eax, [ecx+5Ch]
		mov	[ebp+var_D4], eax
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_A8], eax
		mov	[ebp+var_A4], esi
		mov	[ebp+var_A0], edx
		mov	[ebp+var_9C], esi
		mov	eax, [ecx+60h]
		mov	[ebp+var_120], eax
		mov	eax, [ecx+64h]
		mov	[ebp+var_11C], eax
		lea	eax, [ebp+var_120]
		mov	[ebp+var_98], eax
		mov	[ebp+var_94], esi
		mov	[ebp+var_90], edx
		mov	[ebp+var_8C], esi
		mov	eax, [ecx+68h]
		mov	[ebp+var_118], eax
		mov	eax, [ecx+6Ch]
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_118]
		mov	[ebp+var_88], eax
		mov	[ebp+var_84], esi
		mov	[ebp+var_80], edx
		mov	[ebp+var_7C], esi
		mov	eax, [ecx+70h]
		mov	[ebp+var_110], eax
		mov	eax, [ecx+74h]
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_110]
		mov	[ebp+var_78], eax
		mov	[ebp+var_74], esi
		mov	[ebp+var_70], edx
		mov	[ebp+var_6C], esi
		mov	eax, [ecx+88h]
		mov	[ebp+var_108], eax
		mov	eax, [ecx+8Ch]
		mov	[ebp+var_104], eax
		lea	eax, [ebp+var_108]
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], esi
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], esi
		mov	eax, [ecx+90h]
		mov	[ebp+var_100], eax
		mov	eax, [ecx+94h]
		mov	[ebp+var_FC], eax
		lea	eax, [ebp+var_100]
		mov	[ebp+var_58], eax
		mov	[ebp+var_54], esi
		mov	[ebp+var_50], edx
		mov	[ebp+var_4C], esi
		mov	eax, [ecx+78h]
		mov	[ebp+var_F8], eax
		mov	eax, [ecx+7Ch]
		mov	[ebp+var_F4], eax
		lea	eax, [ebp+var_F8]
		mov	[ebp+var_48], eax
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], edx
		mov	[ebp+var_3C], esi
		mov	eax, [ecx+80h]
		mov	[ebp+var_E8], eax
		mov	eax, [ecx+84h]
		mov	[ebp+var_E4], eax
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_38], eax
		mov	[ebp+var_34], esi
		mov	[ebp+var_30], edx
		mov	[ebp+var_2C], esi
		mov	eax, [ecx+960h]
		mov	[ebp+var_140], eax
		mov	eax, [ecx+964h]
		mov	[ebp+var_13C], eax
		lea	eax, [ebp+var_140]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_24], esi
		push	eax
		push	0Bh
		push	esi
		push	esi
		push	(offset	loc_41BFF8+7)
		push	offset dword_6B2B58
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], esi
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_AC5951:				; CODE XREF: IopInitializePlugPlayServices(x,x)+94Aj
					; IopInitializePlugPlayServices(x,x)+962j
		mov	ecx, offset dword_6B2B58
		call	_TraceLoggingUnregister_EtwUnregister@4	; TraceLoggingUnregister_EtwUnregister(x)
		mov	ecx, ebx
		call	PiPnpRtlInit
		test	eax, eax
		js	short loc_AC59CA
		call	_PiCslInitialize@0 ; PiCslInitialize()
		test	eax, eax
		js	short loc_AC59CA
		mov	ecx, ebx
		call	PiDmaGuardInitialize
		mov	esi, eax
		test	esi, esi
		js	short loc_AC59C8
		call	PiKsrInitialize
		test	eax, eax
		js	short loc_AC59CA
		mov	ecx, _IopRootDeviceNode
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		mov	ecx, [ecx+10h]
		push	esi
		push	esi
		push	0Ah
		pop	edx
		call	PnpRequestDeviceAction
		push	esi
		push	esi
		push	offset _PnpShutdownEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, [edi+84h]
		test	dword ptr [eax+54h], 400h
		jnz	short loc_AC59C8
		mov	edx, ebx
		mov	ecx, edi
		call	PpInitializeBootDDB
		jmp	short loc_AC59C8
; 

loc_AC59C3:				; CODE XREF: IopInitializePlugPlayServices(x,x)+8E2j
		mov	esi, 0C00000F0h

loc_AC59C8:				; CODE XREF: IopInitializePlugPlayServices(x,x)+246j
					; IopInitializePlugPlayServices(x,x)+255j ...
		mov	eax, esi

loc_AC59CA:				; CODE XREF: IopInitializePlugPlayServices(x,x)+1B5j
					; IopInitializePlugPlayServices(x,x)+1F2j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopInitializePlugPlayServices@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PiUEventInit(x)
_PiUEventInit@4	proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+88Ep
					; IopInitializePlugPlayServices(x,x)+90Bp
		mov	edi, edi
		push	ecx
		push	esi
		xor	esi, esi
		push	edi
		test	ecx, ecx
		jnz	loc_AC5AC3
		xor	edi, edi
		mov	dword_6CC644, esi
		push	esi
		inc	edi
		mov	dword_6CC648, esi
		push	edi
		push	offset unk_6CC64C
		mov	_PiUEventClientRegistrationListLock, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	esi
		push	edi
		push	offset unk_6CC80C
		mov	_PiUEventUsermodeEventQueueLock, edi
		mov	dword_6CC804, esi
		mov	dword_6CC808, esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	esi
		push	edi
		push	offset unk_6CC7EC
		mov	_PiUEventBroadcastEventQueueLock, edi
		mov	dword_6CC7E4, esi
		mov	dword_6CC7E8, esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	0Eh
		mov	ecx, esi
		pop	edx

loc_AC5A4B:				; CODE XREF: PiUEventInit(x)+AFj
		lea	eax, _PiUEventDevInterfaceClientList[ecx]
		mov	dword_6CC664[ecx], eax
		mov	[eax], eax
		lea	eax, _PiUEventDevInstanceClientList[ecx]
		mov	dword_6CC764[ecx], eax
		mov	[eax], eax
		lea	eax, _PiUEventDevInstancePropertyClientList[ecx]
		mov	dword_6CC6E4[ecx], eax
		mov	[eax], eax
		lea	eax, _PiUEventDevHandleClientList[ecx]
		mov	dword_6CC824[ecx], eax
		lea	ecx, [ecx+8]
		mov	[eax], eax
		sub	edx, 1
		jnz	short loc_AC5A4B
		push	esi
		push	offset _PiUEventMetaNotificationCallback@24 ; PiUEventMetaNotificationCallback(x,x,x,x,x,x)
		push	esi
		mov	eax, offset _PiUEventUsermodeEventQueue
		push	2
		mov	dword_6CC7DC, eax
		mov	_PiUEventUsermodeEventQueue, eax
		mov	eax, offset _PiUEventBroadcastEventQueue
		push	offset _WNF_PNPA_DEVNODES_CHANGED
		push	offset _PiUEventMetaNotificationHandle
		mov	dword_6CC7D4, eax
		mov	_PiUEventBroadcastEventQueue, eax
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		mov	esi, eax

loc_AC5AC3:				; CODE XREF: PiUEventInit(x)+9j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ecx
		retn
_PiUEventInit@4	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PiDcInit(x)
_PiDcInit@4	proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+534p
					; IopInitializePlugPlayServices(x,x)+8FCp
		mov	edi, edi
		push	esi
		xor	esi, esi
		sub	ecx, esi
		jz	short loc_AC5AF3
		sub	ecx, 1
		jnz	short loc_AC5AEF
		call	PiDcInitUpdateProperties
		mov	esi, eax
		test	esi, esi
		js	short loc_AC5AEF
		mov	ecx, offset ??_C@_1EO@EKIIDBMB@?$AA?$HL?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9@PBOPGDP@
		call	PiDcGenerateConfigNotificationIfContainerRequiresConfiguration
		mov	esi, eax

loc_AC5AEF:				; CODE XREF: PiDcInit(x)+Cj
					; PiDcInit(x)+17j ...
		mov	eax, esi
		pop	esi
		retn
; 

loc_AC5AF3:				; CODE XREF: PiDcInit(x)+7j
		push	esi		; int
		push	offset _PiDcFreeGenericTableEntry@8 ; int
		push	offset _PiDcAllocateGenericTableEntry@8	; int
		push	offset _PiDcCompareUpdateProperties@12 ; int
		push	offset _PiDcUpdateProperties ; void *
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		jmp	short loc_AC5AEF
_PiDcInit@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


PpInitializeBootDDB proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+1D5p
					; IopInitializePlugPlayServices(x,x)+B70p

; FUNCTION CHUNK AT 00AE4FFC SIZE 00000017 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	edx, edx
		jnz	short loc_AC5B7E
		xor	eax, eax
		push	offset _PiDDBLock
		mov	ds:_PpDDBHandle, eax
		mov	ds:_PpBootDDB, eax
		mov	ds:_PpDDBPatchHandle, eax
		mov	ds:_PpBootDDBPatch, eax
		call	ExInitializeResourceLite
		call	_PiInitializeDDBCache@0	; PiInitializeDDBCache()
		cmp	_InitIsWinPEMode, 0
		jnz	short loc_AC5B82
		mov	ecx, [esi+84h]
		push	offset _PpDDBHandle
		push	offset _PpBootDDB
		mov	edx, [ecx+2Ch]
		mov	ecx, [ecx+28h]
		call	PpBootDDBHelper
		test	eax, eax
		js	short loc_AC5B80
		mov	edx, [esi+84h]
		mov	ecx, [edx+30h]
		test	ecx, ecx
		jnz	loc_AE4FFC

loc_AC5B77:				; CODE XREF: PpInitializeBootDDB+1F4FEj
		mov	ds:_PpBootDDBInitialized, 1

loc_AC5B7E:				; CODE XREF: PpInitializeBootDDB+7j
		xor	eax, eax

loc_AC5B80:				; CODE XREF: PpInitializeBootDDB+54j
		pop	esi
		retn
; 

loc_AC5B82:				; CODE XREF: PpInitializeBootDDB+35j
		mov	eax, 0C0000001h
		pop	esi
		retn
PpInitializeBootDDB endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PiInitializeDDBCache()
_PiInitializeDDBCache@0	proc near	; CODE XREF: PpInitializeBootDDB+29p
		push	0		; int
		push	offset _CMFFreeFn@8 ; int
		push	offset _PnpAllocateGenericTableEntry@8 ; int
		push	offset _PiCompareDDBCacheEntries@12 ; int
		push	offset _PiDDBCacheTable	; void *
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		mov	eax, offset _PiDDBCacheList
		mov	ds:dword_A944EC, eax
		mov	ds:_PiDDBCacheList, eax
		xor	eax, eax
		retn
_PiInitializeDDBCache@0	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipDriverEntry	proc near		; DATA XREF: WMIInitialize(x,x)+2Ao

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE5013 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 18h
		push	esi
		xor	esi, esi
		xor	dl, dl
		push	edi
		push	esi
		push	1
		mov	ecx, offset _WmipSMMutex
		mov	[esp+28h+var_18], esi
		mov	[esp+28h+var_14], esi
		mov	[esp+28h+var_8], esi
		mov	[esp+28h+var_4], esi
		mov	[esp+28h+var_10], esi
		mov	[esp+28h+var_C], esi
		call	KiInitializeMutant
		xor	ecx, ecx
		call	_WmipInitializeRegistration@4 ;	WmipInitializeRegistration(x)
		mov	dword_6BC618, offset _WmipEventNotification@4 ;	WmipEventNotification(x)
		mov	dword_6BC61C, esi
		mov	_WmipEventWorkQueueItem, esi
		mov	_WmipNPNotificationSpinlock, esi
		call	WmipInitializeDataStructs
		test	eax, eax
		js	loc_AC5CF3
		push	offset ??_C@_0DI@MFDNILJK@?2Registry?2Machine?2System?2Curren@PBOPGDP@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		lea	eax, [esp+24h+var_10]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [esp+24h+var_10]
		push	eax
		push	offset _WmipRegistryPath
		call	RtlAnsiStringToUnicodeString
		call	WmipInitializeSecurity
		test	eax, eax
		js	loc_AC5CF3
		push	offset ??_C@_1CM@COJJNPDN@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAW?$AAM?$AAI?$AAD?$AAa?$AAt?$AAa@PBOPGDP@ ; "\\Device\\WMIDataDevice"
		lea	eax, [esp+24h+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _WmipServiceDeviceObject
		push	esi
		push	100h
		push	22h
		lea	eax, [esp+30h+var_18]
		push	eax
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi
		call	IoCreateDevice
		test	eax, eax
		js	short loc_AC5CF3
		push	offset ??_C@_1DE@FEBDNHHJ@?$AA?2?$AAD?$AAo?$AAs?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs?$AA?2?$AAW?$AAM?$AAI@PBOPGDP@ ; "\\DosDevices\\WMIDataDevice"
		lea	eax, [esp+24h+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+20h+var_18]
		push	eax
		lea	eax, [esp+24h+var_8]
		push	eax
		call	_IoCreateSymbolicLink@8	; IoCreateSymbolicLink(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AE5013
		mov	eax, _WmipServiceDeviceObject
		push	1
		mov	byte ptr [eax+30h], 2
		mov	eax, offset _WmipOpenCloseCleanup@8 ; WmipOpenCloseCleanup(x,x)
		mov	[esi+38h], eax
		mov	[esi+40h], eax
		mov	dword ptr [esi+70h], offset WmipIoControl
		mov	[esi+80h], eax
		mov	dword ptr [esi+94h], offset _WmipSystemControl@8 ; WmipSystemControl(x,x)
		mov	eax, _WmipServiceDeviceObject
		and	dword ptr [eax+1Ch], 0FFFFFF7Fh
		push	_WmipServiceDeviceObject
		call	IoWMIRegistrationControl
		push	_WmipServiceDeviceObject
		call	_IoRegisterShutdownNotification@4 ; IoRegisterShutdownNotification(x)

loc_AC5CF1:				; CODE XREF: WmipDriverEntry+1F466j
		mov	eax, edi

loc_AC5CF3:				; CODE XREF: WmipDriverEntry+60j
					; WmipDriverEntry+8Dj ...
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
WmipDriverEntry	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDaDriverEntry	proc near		; DATA XREF: PiDaInit()+18o

var_C		= dword	ptr -0Ch
var_8		= word ptr -8
var_6		= word ptr -6
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE5023 SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 10h
		and	[esp+10h+var_C], 0
		mov	eax, offset PiDaDispatch
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	70h		; size_t
		push	0		; int
		mov	edi, offset _FastIoDispatch
		mov	[esi+38h], eax
		push	edi		; void *
		mov	[esi+80h], eax
		mov	[esi+40h], eax
		mov	[esi+70h], eax
		call	_memset
		add	esp, 0Ch
		mov	_FastIoDispatch, 70h
		mov	dword_6CB608, offset _PiDaFastIoDispatch@36 ; PiDaFastIoDispatch(x,x,x,x,x,x,x,x,x)
		mov	[esi+28h], edi
		mov	[esp+18h+var_4], offset	??_C@_1CE@IKGPEGDF@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAA@PBOPGDP@ ; "\\Device\\DeviceApi"
		push	24h
		pop	eax
		push	22h
		pop	ecx
		mov	[esp+18h+var_6], ax
		lea	eax, [esp+18h+var_C]
		push	eax
		push	0
		push	20000h
		push	ecx
		lea	eax, [esp+20h]
		mov	[esp+28h+var_8], cx
		push	eax
		push	0
		push	esi
		call	IoCreateDevice
		mov	ecx, [esp+18h+var_C]
		mov	esi, eax
		test	esi, esi
		js	loc_AE5023
		and	dword ptr [ecx+1Ch], 0FFFFFF7Fh

loc_AC5D95:				; CODE XREF: PiDaDriverEntry+1F329j
					; PiDaDriverEntry+1F339j
		pop	edi
		mov	eax, esi
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	8
PiDaDriverEntry	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipInitializeSecurity proc near	; CODE XREF: WmipDriverEntry+86p

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE503A SIZE 00000020 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	ecx, ds:_SeExports
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		mov	eax, [ecx+12Ch]
		push	esi
		push	edi
		push	70696D57h
		movzx	edx, byte ptr [eax+1]
		mov	eax, [ecx+128h]
		movzx	eax, byte ptr [eax+1]
		add	edx, eax
		mov	eax, ds:_SeAliasUsersSid
		movzx	eax, byte ptr [eax+1]
		add	edx, eax
		mov	eax, ds:_SeAliasAdminsSid
		movzx	eax, byte ptr [eax+1]
		add	edx, eax
		mov	eax, _SeLocalSystemSid
		movzx	eax, byte ptr [eax+1]
		add	edx, eax
		lea	esi, ds:74h[edx*4]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE503A
		push	2		; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE5044
		push	_SeLocalSystemSid
		push	1FFFFFh
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE5044
		push	ds:_SeAliasUsersSid
		push	800h
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE5044
		mov	edi, ds:_SeAliasAdminsSid
		push	edi
		push	11FFFFFh
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE5044
		mov	eax, ds:_SeExports
		push	dword ptr [eax+128h]
		push	1FFFFFh
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE5044
		mov	eax, ds:_SeExports
		push	dword ptr [eax+12Ch]
		push	1FFFFFh
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE5044
		mov	esi, offset _WmipDefaultAccessSecurityDescriptor
		push	1
		push	esi
		mov	ds:_WmipDefaultAccessSd, esi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	ebx
		push	1
		push	esi
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_AE5044
		push	0
		push	edi
		push	offset _WmipDefaultAccessSecurityDescriptor
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE5044
		push	0
		push	edi
		push	offset _WmipDefaultAccessSecurityDescriptor
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE5044
		push	offset _WmipSystemSubjectContext
		call	SeCaptureSubjectContext
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_60]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	word ptr [ebp+var_60], si
		lea	edi, [ebp+var_54]
		mov	esi, offset _WmipGenericMapping
		mov	[ebp+var_58], 100h
		add	esp, 0Ch
		movsd
		push	(offset	loc_AE0545+1)
		movsd
		movsd
		movsd
		mov	al, byte ptr [ebp+var_60+2]
		and	al, 0EFh
		mov	[ebp+var_44], 1F1FFFh
		or	al, 8
		mov	[ebp+var_3C], 200h
		mov	byte ptr [ebp+var_60+2], al
		lea	eax, [ebp+var_8]
		push	eax
		mov	[ebp+var_34], 6Ch
		mov	[ebp+var_1C], offset WmipSecurityMethod
		mov	[ebp+var_24], offset _WmipDeleteMethod@4 ; WmipDeleteMethod(x)
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _WmipGuidObjectType
		push	0
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE5044

loc_AC5F9F:				; CODE XREF: WmipInitializeSecurity+1F29Fj
					; WmipInitializeSecurity+1F2B5j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
WmipInitializeSecurity endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WmipInitializeDataStructs proc near	; CODE XREF: WmipDriverEntry+59p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_59		= dword	ptr -59h
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE505A SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, offset _WmipDSHead
		mov	[ebp+var_6C], 0E3DFF7BDh
		mov	_WmipDSHeadPtr,	eax
		mov	edx, 50000000h
		mov	dword_6BC62C, eax
		or	ecx, 0FFFFFFFFh
		mov	_WmipDSHead, eax
		mov	eax, offset _WmipGEHead
		push	ebx
		push	esi
		mov	_WmipGEHeadPtr,	eax
		mov	dword_6BC644, eax
		mov	_WmipGEHead, eax
		mov	eax, offset _WmipMRHead
		push	edi
		mov	[ebp+var_68], 11D23915h
		mov	[ebp+var_64], 0C0000391h
		mov	[ebp+var_60], 0A298B94Fh
		mov	byte ptr [ebp+var_59], 0
		mov	_WmipMRHeadPtr,	eax
		mov	dword_6BC63C, eax
		mov	_WmipMRHead, eax
		call	WmipAllocRegEntry
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE505A
		push	4Ch
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_59+1]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	[ebp+var_59+1],	esi
		lea	edi, [ebp+var_28]
		mov	[ebp+var_48], 2
		lea	esi, [ebp+var_6C]
		mov	[ebp+var_44], 0C7BF35D0h
		lea	edx, [ebp+var_59+1]
		mov	[ebp+var_40], 11D1AADBh
		add	esp, 0Ch
		mov	[ebp+var_3C], 0A0004ABFh
		xor	eax, eax
		mov	[ebp+var_38], 102906C9h
		mov	ecx, ebx
		movsd
		push	eax
		push	eax
		push	4Ch
		movsd
		movsd
		movsd
		call	WmipAddDataSource
		test	eax, eax
		js	short loc_AC60B4
		mov	ecx, _WmipGEHeadPtr
		mov	eax, [ecx]
		jmp	short loc_AC6092
; 

loc_AC608C:				; CODE XREF: WmipInitializeDataStructs+F0j
		or	dword ptr [eax+8], 1
		mov	eax, [eax]

loc_AC6092:				; CODE XREF: WmipInitializeDataStructs+E6j
		cmp	eax, ecx
		jnz	short loc_AC608C
		mov	ecx, [ebx+10h]
		lea	eax, [ebp+var_59]
		push	eax
		push	offset ??_C@_1CA@BHCOJPO@?$AAM?$AAo?$AAf?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAN?$AAa?$AAm?$AAe@PBOPGDP@
		push	1
		mov	edx, offset ??_C@_1BO@MFOKJHPK@?$AAk?$AAe?$AAr?$AAn?$AAe?$AAl?$AAb?$AAa?$AAs?$AAe?$AA?4?$AAd?$AAl?$AAl@PBOPGDP@	; "kernelbase.dll"
		call	WmipAddMofResource
		test	eax, eax
		js	short loc_AC60B4
		xor	eax, eax

loc_AC60B4:				; CODE XREF: WmipInitializeDataStructs+DCj
					; WmipInitializeDataStructs+10Cj ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
WmipInitializeDataStructs endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall WmipInitializeRegistration(x)
_WmipInitializeRegistration@4 proc near	; CODE XREF: WMIInitialize(x,x):loc_AC4CC6p
					; WmipDriverEntry+38p
		mov	edi, edi
		push	esi
		xor	esi, esi
		test	ecx, ecx
		jnz	short loc_AC60F5
		push	esi
		push	esi
		push	52696D57h
		push	20h
		push	200h
		push	esi
		push	esi
		push	offset _WmipRegLookaside
		call	ExInitializeNPagedLookasideListInternal
		mov	_WmipRegistrationSpinLock, esi
		mov	_WmipCancelSpinLock, esi

loc_AC60F3:				; CODE XREF: WmipInitializeRegistration(x)+52j
		pop	esi
		retn
; 

loc_AC60F5:				; CODE XREF: WmipInitializeRegistration(x)+7j
		mov	dword_6BC658, offset _WmipRegistrationWorker@4 ; WmipRegistrationWorker(x)
		or	eax, 0FFFFFFFFh
		mov	dword_6BC65C, esi
		mov	_WmipRegWorkQueue, esi
		lock xadd _WmipRegWorkItemCount, eax
		jz	short loc_AC60F3
		push	1
		push	offset _WmipRegWorkQueue
		call	ExQueueWorkItem
		pop	esi
		retn
_WmipInitializeRegistration@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RawInitialize	proc near		; DATA XREF: IopInitializeBootDrivers+19Co

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE5064 SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	offset ??_C@_1CA@DMHLFLLM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAR?$AAa?$AAw?$AAD?$AAi?$AAs?$AAk@PBOPGDP@ ; "\\Device\\RawDisk"
		lea	eax, [esp+1Ch+var_8]
		xor	ebx, ebx
		push	eax
		mov	[esp+20h+var_8], ebx
		mov	[esp+20h+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, [ebp+arg_0]
		lea	eax, [esp+18h+var_8]
		push	offset _RawDeviceDiskObject
		push	ebx
		push	ebx
		push	8
		push	eax
		push	ebx
		push	esi
		call	IoCreateDevice
		test	eax, eax
		js	loc_AC62B8
		push	offset ??_C@_1CC@FCKODIIM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAR?$AAa?$AAw?$AAC?$AAd?$AAR?$AAo@PBOPGDP@
		lea	eax, [esp+1Ch+var_8]
		mov	dword ptr [esi+34h], offset _RawUnload@4 ; RawUnload(x)
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _RawDeviceCdRomObject
		push	ebx
		push	ebx
		push	3
		lea	eax, [esp+28h+var_8]
		push	eax
		push	ebx
		push	esi
		call	IoCreateDevice
		mov	edi, eax
		test	edi, edi
		js	loc_AE507A
		push	offset ??_C@_1CA@KOHLMEHM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAR?$AAa?$AAw?$AAT?$AAa?$AAp?$AAe@PBOPGDP@ ; "\\Device\\RawTape"
		lea	eax, [esp+1Ch+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _RawDeviceTapeObject
		push	ebx
		push	ebx
		push	20h
		lea	eax, [esp+28h+var_8]
		push	eax
		push	ebx
		push	esi
		call	IoCreateDevice
		mov	edi, eax
		test	edi, edi
		js	loc_AE506F
		push	_RawDeviceTapeObject
		call	_IoRegisterShutdownNotification@4 ; IoRegisterShutdownNotification(x)
		mov	edi, eax
		test	edi, edi
		js	loc_AE5064
		mov	eax, _RawDeviceDiskObject
		or	dword ptr [eax+1Ch], 10h
		mov	eax, _RawDeviceCdRomObject
		or	dword ptr [eax+1Ch], 10h
		mov	eax, _RawDeviceTapeObject
		or	dword ptr [eax+1Ch], 10h
		mov	eax, offset RawDispatch
		mov	[esi+5Ch], eax
		mov	[esi+0A4h], eax
		mov	[esi+70h], eax
		mov	[esi+6Ch], eax
		mov	[esi+60h], eax
		mov	[esi+50h], eax
		mov	[esi+4Ch], eax
		mov	[esi+48h], eax
		mov	[esi+44h], eax
		mov	[esi+40h], eax
		mov	[esi+80h], eax
		mov	[esi+38h], eax
		mov	dword ptr [esi+78h], offset _RawShutdown@8 ; RawShutdown(x,x)
		push	_RawDeviceDiskObject
		call	IoRegisterFileSystem
		push	_RawDeviceCdRomObject
		call	IoRegisterFileSystem
		push	_RawDeviceTapeObject
		call	IoRegisterFileSystem
		mov	ecx, _RawDeviceDiskObject
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, _RawDeviceCdRomObject
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	ecx, _RawDeviceTapeObject
		call	@ObfReferenceObject@4 ;	ObfReferenceObject(x)
		mov	eax, offset _RawMountedQueue
		mov	dword_6BED04, ebx
		mov	dword_6BECEC, eax
		mov	_RawMountedQueue, eax
		mov	eax, offset _RawDismountedQueue
		mov	dword_6BECF4, eax
		mov	_RawDismountedQueue, eax
		xor	eax, eax
		inc	eax
		mov	dword_6BED08, ebx
		push	ebx
		push	eax
		push	offset unk_6BED0C
		mov	_RawGlobalLock,	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	eax, eax

loc_AC62B8:				; CODE XREF: RawInitialize+41j
					; RawInitialize+1EF61j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	8
RawInitialize	endp

; 
		align 2

;  S U B	R O U T	I N E 


PipDmgInitPhaseZero proc near		; CODE XREF: PiDmaGuardInitialize:loc_56BF50p

; FUNCTION CHUNK AT 00AE508C SIZE 00000028 BYTES

		mov	edi, edi
		push	ecx
		call	_PipDmgIsIommuSecurityEnabled@0	; PipDmgIsIommuSecurityEnabled()
		mov	_PipHalIommuSecurityEnabled, al
		test	al, al
		jnz	loc_AE508C
		cmp	_PipDmaGuardTestMode, al
		jnz	loc_AE508C
		and	_PipDmaGuardPolicy, 0

loc_AC62EA:				; CODE XREF: PipDmgInitPhaseZero+1EDEDj
		xor	eax, eax
		pop	ecx
		retn
PipDmgInitPhaseZero endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipDmgIsIommuSecurityEnabled()
_PipDmgIsIommuSecurityEnabled@0	proc near ; CODE XREF: PipDmgInitPhaseZero+3p

var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax
		lea	eax, [ebp-1]
		mov	[ebp+var_8], ebx
		push	eax
		push	1
		push	2Fh
		mov	[ebp+var_1], bl
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_AC631D
		cmp	[ebp+var_8], 1
		jnz	short loc_AC631D
		mov	bl, [ebp+var_1]

loc_AC631D:				; CODE XREF: PipDmgIsIommuSecurityEnabled()+24j
					; PipDmgIsIommuSecurityEnabled()+2Aj
		mov	al, bl
		pop	ebx
		leave
		retn
_PipDmgIsIommuSecurityEnabled@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiDaInit()
_PiDaInit@0	proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+89Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	24h
		pop	eax
		push	22h
		mov	word ptr [ebp+var_8+2],	ax
		pop	eax
		mov	word ptr [ebp+var_8], ax
		lea	eax, [ebp+var_8]
		push	offset PiDaDriverEntry
		push	eax
		mov	[ebp+var_4], offset ??_C@_1CE@LBEPOOOC@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAA@PBOPGDP@ ;	"\\Driver\\DeviceApi"
		call	IoCreateDriver
		leave
		retn
_PiDaInit@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiSwInit()
_PiSwInit@0	proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+87Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		push	0		; int
		mov	edi, offset _PiSwFreeGenericTableEntry@8 ; PiSwFreeGenericTableEntry(x,x)
		mov	esi, offset _PiSwAllocateGenericTableEntry@8 ; PiSwAllocateGenericTableEntry(x,x)
		push	edi		; int
		push	esi		; int
		push	offset PiSwDeviceCompareObjects	; int
		push	offset _PiSwDeviceInstanceTable	; void *
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		push	0		; int
		push	edi		; int
		push	esi		; int
		push	offset _PiSwBusRelationsCompareInstancePath@12 ; int
		push	offset _PiSwBusRelationsTable ;	void *
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		mov	eax, offset _PiSwGlobalPdoAssociationList
		push	offset _PiSwLockObj
		mov	dword_6CB69C, eax
		mov	_PiSwGlobalPdoAssociationList, eax
		call	ExInitializeResourceLite
		test	eax, eax
		js	short loc_AC63C7
		push	2Eh
		pop	eax
		push	2Ch
		mov	word ptr [ebp+var_8+2],	ax
		pop	eax
		mov	word ptr [ebp+var_8], ax
		lea	eax, [ebp+var_8]
		push	offset _PiSwPdoDriverEntry@8 ; PiSwPdoDriverEntry(x,x)
		push	eax
		mov	[ebp+var_4], offset ??_C@_1CO@FBODLIMA@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AAS?$AAo?$AAf?$AAt?$AAw?$AAa?$AAr@PBOPGDP@
		call	IoCreateDriver

loc_AC63C7:				; CODE XREF: PiSwInit()+54j
		pop	edi
		pop	esi
		leave
		retn
_PiSwInit@0	endp

; 
		align 4

; __stdcall CmInitSystem2()
_CmInitSystem2@0:			; CODE XREF: INIT:loc_ABFC2Fp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	esi
		push	1Eh
		pop	esi
		push	20h
		pop	eax
		mov	[ebp-8], si
		mov	[ebp-6], ax
		mov	dword ptr [ebp-4], offset ??_C@_1CA@HNKGOEIL@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AAW?$AAs?$AAc?$AAV?$AAR?$AAe?$AAg@PBOPGDP@
		call	_CmpRegisterTraceLoggingProvider@0 ; CmpRegisterTraceLoggingProvider()
		call	_CmFcInitSystem3@0 ; CmFcInitSystem3()
		push	offset VRegSetup
		lea	eax, [ebp-8]
		push	eax
		call	IoCreateDriver
		test	eax, eax
		js	short loc_AC6409
		pop	esi
		leave
		retn
; 

loc_AC6409:				; CODE XREF: INIT:00AC6404j
		push	0
		push	0
		push	eax
		push	esi
		push	51h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpInitializeTrustedInstallerSid()
_CmpInitializeTrustedInstallerSid@0 proc near ;	CODE XREF: CmInitSystem1(x)+187p

var_8		= dword	ptr -8
var_4		= word ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	65536D43h
		xor	eax, eax
		mov	[ebp+var_4], 500h
		push	6
		mov	[ebp+var_8], eax
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	ds:_CmpTrustedInstallerSid, esi
		test	esi, esi
		jz	short loc_AC6481
		push	6
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	dword ptr [esi+8], 50h
		mov	dword ptr [esi+0Ch], 38FB89B5h
		mov	dword ptr [esi+10h], 0CBC28419h
		mov	dword ptr [esi+14h], 6D236C5Ch
		mov	dword ptr [esi+18h], 6E770057h
		mov	dword ptr [esi+1Ch], 876402C0h

loc_AC6481:				; CODE XREF: CmpInitializeTrustedInstallerSid()+31j
		pop	esi
		leave
		retn
_CmpInitializeTrustedInstallerSid@0 endp


;  S U B	R O U T	I N E 


; __stdcall CmpInitializeTransactions()
_CmpInitializeTransactions@0 proc near	; CODE XREF: CmInitSystem1(x)+1AFp
		mov	edi, edi
		push	esi
		push	edi
		xor	edi, edi
		xor	esi, esi
		push	edi
		inc	esi
		mov	dword_6CDDE4, edi
		mov	eax, offset _CmpRmListHead
		mov	_CmpRmListLock,	esi
		push	esi
		push	offset unk_6CDDEC
		mov	dword_6CDDC4, eax
		mov	_CmpRmListHead,	eax
		mov	dword_6CDDE8, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	esi
		push	offset unk_6CDEAC
		mov	_CmpTransactionListLock, esi
		mov	dword_6CDEA4, edi
		mov	dword_6CDEA8, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		mov	eax, offset _CmpLazyCommitListHead
		mov	_CmpTransactionInitializingEvent, edi
		push	offset _CmpLazyCommitDpcRoutine@16 ; CmpLazyCommitDpcRoutine(x,x,x,x)
		push	offset _CmpLazyCommitDpc
		mov	dword_6CDEE8, offset _CmpLazyCommitWorker@4 ; CmpLazyCommitWorker(x)
		mov	dword_6CDEEC, edi
		mov	_CmpLazyCommitWorkItem,	edi
		mov	dword_6CDED4, eax
		mov	_CmpLazyCommitListHead,	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	edi
		push	offset _CmpLazyCommitTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	edi
		mov	eax, offset _CmpDelayFreeRMListHead
		mov	_CmpDelayFreeRMLock, esi
		push	esi
		push	offset unk_6CDDAC
		mov	dword_6CDD94, eax
		mov	_CmpDelayFreeRMListHead, eax
		mov	dword_6CDDA4, edi
		mov	dword_6CDDA8, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	offset _CmpDelayFreeRMDpcRoutine@16 ; CmpDelayFreeRMDpcRoutine(x,x,x,x)
		push	offset _CmpDelayFreeRMDpc
		mov	dword_6CDE28, offset _CmpDelayFreeRMWorker@4 ; CmpDelayFreeRMWorker(x)
		mov	dword_6CDE2C, edi
		mov	_CmpDelayFreeRMWorkItem, edi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	edi
		push	offset _CmpDelayFreeRMTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		mov	eax, offset _CmpLightTransactionList
		pop	edi
		mov	dword_6CDECC, eax
		mov	_CmpLightTransactionList, eax
		pop	esi
		retn
_CmpInitializeTransactions@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCreateObjectTypes()
_CmpCreateObjectTypes@0	proc near	; CODE XREF: CmInitSystem1(x)+1E7p

var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 58h
		push	esi
		push	edi
		push	58h
		pop	esi
		push	esi		; size_t
		xor	edi, edi
		lea	eax, [ebp+var_58]
		push	edi		; int
		push	eax		; void *
		call	_memset
		or	byte ptr [ebp+var_58+3], 1
		mov	eax, 0F003Fh
		mov	[ebp+var_40], eax
		add	esp, 0Ch
		mov	[ebp+var_3C], eax
		mov	al, byte ptr [ebp+var_58+2]
		and	al, 0EFh
		mov	word ptr [ebp+var_58], si
		or	al, 0Dh
		mov	[ebp+var_50], 30h
		push	offset _CmKeyObjectType
		mov	byte ptr [ebp+var_58+2], al
		lea	eax, [ebp+var_58]
		push	edi
		push	eax
		push	(offset	loc_AF31F7+1)
		mov	[ebp+var_4C], 20019h
		mov	[ebp+var_48], 20006h
		mov	[ebp+var_44], 20039h
		mov	[ebp+var_30], 38h
		mov	[ebp+var_34], 1
		mov	[ebp+var_54], 100h
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], offset CmpCloseKeyObject
		mov	[ebp+var_1C], offset CmpDeleteKeyObject
		mov	[ebp+var_18], offset CmpParseKey
		mov	[ebp+var_14], offset CmpSecurityMethod
		mov	[ebp+var_10], offset CmpQueryKeyName
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		pop	edi
		pop	esi
		leave
		retn
_CmpCreateObjectTypes@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInitializeDriverStores proc near	; CODE XREF: CmInitSystem1(x)+5C6p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE50B4 SIZE 00000106 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [ebp+var_1C]
		push	edi
		push	offset ??_C@_1BM@PNGDECLI@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAo?$AAr?$AAe?$AAs@PBOPGDP@
		mov	esi, ecx
		mov	[ebp+var_8], ebx
		push	eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_3C], 18h
		mov	[ebp+var_34], eax
		mov	eax, ds:_SePublicDefaultUnrestrictedSd
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	0F000Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_38], ebx
		push	eax
		mov	[ebp+var_30], 250h
		mov	[ebp+var_28], ebx
		call	_ZwCreateDirectoryObject@12 ; ZwCreateDirectoryObject(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AC6782
		push	20204D43h
		mov	edi, 1000h
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE50B4
		push	edi		; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	word ptr [ebp+var_14+2], di
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ebx
		push	offset ??_C@_1BI@OMNCDEIM@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt@PBOPGDP@ ; "\\SystemRoot"
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@PBOPGDP@
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_4]
		and	[ebp+var_28], 0
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_34], eax
		mov	eax, ds:_SePublicDefaultUnrestrictedSd
		mov	[ebp+var_2C], eax
		mov	ax, word ptr [ebp+var_14]
		mov	word ptr [ebp+var_14+2], ax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_3C], 18h
		push	eax
		push	0F0001h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_30], 250h
		push	eax
		call	_ZwCreateSymbolicLinkObject@16 ; ZwCreateSymbolicLinkObject(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_AC677A
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [esi+84h]
		add	eax, 0E8h
		mov	esi, [eax]

loc_AC675A:				; CODE XREF: CmpInitializeDriverStores+13Ej
		cmp	esi, eax
		jz	short loc_AC677A
		test	byte ptr [esi+0Ch], 80h
		jnz	loc_AE50BE

loc_AC6768:				; CODE XREF: CmpInitializeDriverStores+1EB7Bj
		mov	eax, [ebp+var_C]
		mov	esi, [esi]
		mov	eax, [eax+84h]
		add	eax, 0E8h
		jmp	short loc_AC675A
; 

loc_AC677A:				; CODE XREF: CmpInitializeDriverStores+109j
					; CmpInitializeDriverStores+122j ...
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AC6782:				; CODE XREF: CmpInitializeDriverStores+70j
					; CmpInitializeDriverStores+1EA7Fj
		cmp	[ebp+var_4], 0
		jz	short loc_AC6790
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_AC6790:				; CODE XREF: CmpInitializeDriverStores+14Cj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
CmpInitializeDriverStores endp

; 
		align 4

;  S U B	R O U T	I N E 


CmpCreateExtendedControlSets proc near	; CODE XREF: CmInitSystem1(x)+5DAp

; FUNCTION CHUNK AT 00AE51BA SIZE 00000070 BYTES

		mov	edi, edi
		push	ecx
		cmp	_CmStateSeparationEnabled, 0
		push	esi
		push	edi
		mov	edi, ecx
		jnz	loc_AE51BA

loc_AC67AC:				; CODE XREF: CmpCreateExtendedControlSets+1EA33j
					; CmpCreateExtendedControlSets+1EA41j
		mov	ecx, [edi+84h]
		lea	eax, [ecx+0E8h]
		mov	esi, [eax]

loc_AC67BA:				; CODE XREF: CmpCreateExtendedControlSets+3Ej
		cmp	esi, eax
		jz	short loc_AC67D8
		test	byte ptr [esi+0Ch], 80h
		jnz	loc_AE51DE

loc_AC67C8:				; CODE XREF: CmpCreateExtendedControlSets+1EA58j
		mov	ecx, [edi+84h]
		mov	esi, [esi]
		lea	eax, [ecx+0E8h]
		jmp	short loc_AC67BA
; 

loc_AC67D8:				; CODE XREF: CmpCreateExtendedControlSets+24j
		cmp	_CmStateSeparationEnabled, 0
		jnz	loc_AE51F5

loc_AC67E5:				; CODE XREF: CmpCreateExtendedControlSets+1EA8Dj
		xor	eax, eax

loc_AC67E7:				; CODE XREF: CmpCreateExtendedControlSets+1EA3Bj
					; CmpCreateExtendedControlSets+1EA52j ...
		pop	edi
		pop	esi
		pop	ecx
		retn
CmpCreateExtendedControlSets endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpInitializeHardwareConfiguration(x)
_CmpInitializeHardwareConfiguration@4 proc near	; CODE XREF: CmInitSystem1(x)+5B2p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		mov	esi, [ecx+64h]
		lea	eax, [ebp+var_8]
		push	edi
		push	18h
		pop	ebx
		push	eax
		xor	edi, edi
		mov	[ebp+var_20], ebx
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_20]
		mov	[ebp+var_4], edi
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_8], edi
		push	eax
		mov	[ebp+var_1C], edi
		mov	[ebp+var_14], 240h
		mov	[ebp+var_18], offset _CmRegistryMachineHardwareDeviceMapName
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_AC68CA
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], ebx
		push	eax
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_20]
		mov	[ebp+var_1C], edi
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_14], 240h
		push	eax
		mov	[ebp+var_18], offset _CmRegistryMachineHardwareDescriptionName
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AC68CA
		push	20204D43h
		push	ds:_CmpConfigurationAreaSize
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:_CmpConfigurationData, eax
		test	eax, eax
		jz	short loc_AC68CF
		test	esi, esi
		jz	short loc_AC68D6
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		call	CmpSetupConfigurationTree
		mov	esi, eax

loc_AC68AE:				; CODE XREF: CmpInitializeHardwareConfiguration(x)+ECj
		push	edi
		push	ds:_CmpConfigurationData
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ds:_CmpConfigurationData, edi

loc_AC68C0:				; CODE XREF: CmpInitializeHardwareConfiguration(x)+E8j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi

loc_AC68CA:				; CODE XREF: CmpInitializeHardwareConfiguration(x)+4Ej
					; CmpInitializeHardwareConfiguration(x)+91j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AC68CF:				; CODE XREF: CmpInitializeHardwareConfiguration(x)+ACj
		mov	esi, 0C000009Ah
		jmp	short loc_AC68C0
; 

loc_AC68D6:				; CODE XREF: CmpInitializeHardwareConfiguration(x)+B0j
		mov	esi, edi
		jmp	short loc_AC68AE
_CmpInitializeHardwareConfiguration@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpSetupConfigurationTree proc near	; CODE XREF: CmpInitializeHardwareConfiguration(x)+BBp
					; CmpSetupConfigurationTree+71p

var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00AE522A SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_64], 0
		push	ebx
		mov	ebx, [ebp+arg_4]
		push	esi
		mov	esi, ecx
		mov	[ebp+var_68], edx
		push	edi
		xor	ecx, ecx

loc_AC68FD:				; CODE XREF: CmpSetupConfigurationTree+3Dj
		movzx	eax, cx
		add	eax, eax
		cmp	eax, 54h
		jnb	loc_AC69A3
		xor	edx, edx
		inc	ecx
		mov	word ptr [ebp+eax+var_60], dx
		cmp	cx, 2Ah
		jb	short loc_AC68FD
		mov	edi, [ebp+arg_0]

loc_AC691C:				; CODE XREF: CmpSetupConfigurationTree+8Cj
		test	esi, esi
		jz	short loc_AC6968
		cmp	dword ptr [esi+0Ch], 3
		jz	short loc_AC697B

loc_AC6926:				; CODE XREF: CmpSetupConfigurationTree+A7j
					; CmpSetupConfigurationTree+ADj ...
		mov	edx, [ebp+var_68]
		lea	eax, [ebp+var_60]
		push	ecx
		push	eax
		push	ebx
		push	edi
		lea	eax, [ebp+var_64]
		mov	ecx, esi
		push	eax
		call	CmpInitializeRegistryNode
		test	eax, eax
		js	short loc_AC696A
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_AC695B
		mov	edx, [ebp+var_64]
		push	ebx
		push	edi
		call	CmpSetupConfigurationTree
		mov	[ebp+var_6C], eax
		test	eax, eax
		js	loc_AE522A

loc_AC695B:				; CODE XREF: CmpSetupConfigurationTree+6Aj
		push	[ebp+var_64]
		call	_ZwClose@4	; ZwClose(x)
		mov	esi, [esi+8]
		jmp	short loc_AC691C
; 

loc_AC6968:				; CODE XREF: CmpSetupConfigurationTree+44j
		xor	eax, eax

loc_AC696A:				; CODE XREF: CmpSetupConfigurationTree+63j
					; CmpSetupConfigurationTree+1E95Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_AC697B:				; CODE XREF: CmpSetupConfigurationTree+4Aj
		mov	eax, [esi]
		cmp	dword ptr [eax+0Ch], 0
		jnz	short loc_AC6926
		cmp	dword ptr [esi+10h], 0Ch
		jnz	short loc_AC6926
		push	offset ??_C@_03LPDPNJPJ@ISA@PBOPGDP@ ; char *
		push	dword ptr [esi+2Ch] ; char *
		call	__stricmp
		pop	ecx
		xor	edi, edi
		pop	ecx
		test	eax, eax
		jnz	short loc_AC699F
		inc	edi

loc_AC699F:				; CODE XREF: CmpSetupConfigurationTree+C2j
		xor	ebx, ebx
		jmp	short loc_AC6926
; 

loc_AC69A3:				; CODE XREF: CmpSetupConfigurationTree+2Bj
		call	___report_rangecheckfailure
CmpSetupConfigurationTree endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInitializeMachineDependentConfiguration proc	near ; CODE XREF: CmInitSystem1(x)+606p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE523A SIZE 0000003C BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 78h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_58], ecx
		push	6
		pop	ecx
		lea	edi, [ebp+var_48]
		xor	esi, esi
		rep stosd
		lea	edi, [ebp+var_10]
		mov	[ebp+var_60], esi
		stosd
		mov	[ebp+var_5C], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_20], esi
		stosd
		mov	[ebp+var_24], esi
		mov	[ebp+var_68], esi
		mov	[ebp+var_64], esi
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		mov	[ebp+var_28], esi
		stosd
		mov	[ebp+var_54], esi
		mov	[ebp+var_30], esi
		mov	[ebp+var_2C], esi
		stosd
		stosd
		mov	eax, esi
		cmp	eax, 54h
		jnb	loc_AC6D5A

loc_AC6A17:				; CODE XREF: CmpInitializeMachineDependentConfiguration+7Ej
		xor	ecx, ecx
		mov	_CmpDeviceIndexTable[eax], cx
		add	eax, 2
		cmp	eax, 54h
		jb	short loc_AC6A17
		lea	eax, [ebp+var_48]
		mov	[ebp+var_48], 18h
		push	eax
		mov	edi, 2001Fh
		mov	[ebp+var_44], esi
		push	edi
		lea	eax, [ebp+var_24]
		mov	[ebp+var_3C], 240h
		push	eax
		mov	[ebp+var_40], offset _CmRegistryMachineSystemCurrentControlSetControlSessionManagerMemoryManagement
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_AC6A8F
		push	offset _CmPhysicalAddressExtension ; "PhysicalAddressExtension"
		lea	eax, [ebp+var_30]
		mov	[ebp+var_4C], 1
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_4C]
		push	eax
		push	4
		push	esi
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_24]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)

loc_AC6A8F:				; CODE XREF: CmpInitializeMachineDependentConfiguration+B3j
		push	esi
		push	esi
		push	esi
		push	esi
		lea	eax, [ebp+var_48]
		mov	[ebp+var_48], 18h
		push	eax
		push	20019h
		lea	eax, [ebp+var_20]
		mov	[ebp+var_44], esi
		push	eax
		mov	[ebp+var_3C], 240h
		mov	[ebp+var_40], offset _CmRegistryMachineHardwareDescriptionSystemName
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_AC6D35
		push	offset ??_C@_1CC@GHGIBEHL@?$AAC?$AAe?$AAn?$AAt?$AAr?$AAa?$AAl?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo@PBOPGDP@
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_20]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_60]
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_50]
		push	eax
		push	esi
		push	esi
		push	esi
		lea	eax, [ebp+var_48]
		mov	[ebp+var_48], 18h
		push	eax
		push	edi
		lea	eax, [ebp+var_24]
		mov	[ebp+var_3C], 240h
		push	eax
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	[ebp+var_24]
		call	_ZwClose@4	; ZwClose(x)
		cmp	[ebp+var_50], 1
		jnz	loc_AC6C36
		push	20204D43h
		push	ds:_CmpConfigurationAreaSize
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, esi
		mov	ds:_CmpConfigurationData, eax
		cmp	ds:_KeNumberProcessors,	esi
		jbe	loc_AC6C20

loc_AC6B45:				; CODE XREF: CmpInitializeMachineDependentConfiguration+270j
		mov	esi, ds:_KiProcessorBlock[edi*4]
		xor	eax, eax
		and	[ebp+var_70], 0
		inc	eax
		and	[ebp+var_6C], 0
		mov	ecx, [esi+3CCh]
		shl	eax, cl
		mov	[ebp+var_74], eax
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		call	KeSetSystemGroupAffinityThread
		push	[ebp+var_20]
		mov	edx, edi
		mov	ecx, esi
		call	CmpAddProcessorConfigurationEntry
		mov	eax, large fs:1Ch
		mov	eax, [eax+90h]
		test	edi, edi
		jz	loc_AC6D52
		cmp	byte ptr [esi+15h], 0
		mov	[ebp+var_4C], eax
		jz	loc_AE5252
		mov	ecx, ds:_KiProcessorBlock
		lea	eax, [esi+3D3Ch]
		add	ecx, 3D3Ch

loc_AC6BAE:				; CODE XREF: CmpInitializeMachineDependentConfiguration+228j
		mov	dl, [eax]
		cmp	dl, [ecx]
		jnz	loc_AC6D48
		test	dl, dl
		jz	short loc_AC6BD2
		mov	dl, [eax+1]
		cmp	dl, [ecx+1]
		jnz	loc_AC6D48
		add	eax, 2
		add	ecx, 2
		test	dl, dl
		jnz	short loc_AC6BAE

loc_AC6BD2:				; CODE XREF: CmpInitializeMachineDependentConfiguration+212j
		xor	eax, eax

loc_AC6BD4:				; CODE XREF: CmpInitializeMachineDependentConfiguration+3A5j
		test	eax, eax
		jnz	loc_AE523A

loc_AC6BDC:				; CODE XREF: CmpInitializeMachineDependentConfiguration+1E899j
		mov	eax, [ebp+var_54]
		cmp	[ebp+var_4C], eax
		jnz	loc_AE5246

loc_AC6BE8:				; CODE XREF: CmpInitializeMachineDependentConfiguration+1E8A5j
		mov	ecx, ds:_KiProcessorBlock
		mov	al, [esi+14h]
		cmp	al, [ecx+14h]
		jnz	loc_AE5260
		mov	ax, [esi+16h]
		cmp	ax, [ecx+16h]

loc_AC6C02:				; CODE XREF: CmpInitializeMachineDependentConfiguration+1E8B3j
		jnz	loc_AE5260

loc_AC6C08:				; CODE XREF: CmpInitializeMachineDependentConfiguration+3ADj
					; CmpInitializeMachineDependentConfiguration+1E8BFj
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeRevertToUserGroupAffinityThread
		inc	edi
		cmp	edi, ds:_KeNumberProcessors
		jb	loc_AC6B45
		xor	esi, esi

loc_AC6C20:				; CODE XREF: CmpInitializeMachineDependentConfiguration+197j
		mov	eax, ds:_CmpConfigurationData
		test	eax, eax
		jz	short loc_AC6C36
		push	esi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ds:_CmpConfigurationData, esi

loc_AC6C36:				; CODE XREF: CmpInitializeMachineDependentConfiguration+172j
					; CmpInitializeMachineDependentConfiguration+27Fj
		push	offset ??_C@_1CO@GCKPAJAM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAP?$AAh?$AAy?$AAs?$AAi?$AAc?$AAa@PBOPGDP@ ; "\\Device\\PhysicalMemory"
		lea	eax, [ebp+var_68]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_68]
		mov	[ebp+var_48], 18h
		mov	[ebp+var_40], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	0F001Fh
		lea	eax, [ebp+var_28]
		mov	[ebp+var_44], esi
		push	eax
		mov	[ebp+var_3C], 240h
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], esi
		call	_ZwOpenSection@12 ; ZwOpenSection(x,x,x)
		test	eax, eax
		js	loc_AC6D2B
		mov	esi, dword_6BBFD0
		mov	edi, [ebp+var_58]
		mov	ecx, edi
		cmp	esi, 1
		jnz	loc_AE526C
		push	[ebp+var_20]
		mov	edx, [ebp+var_28]
		call	CmpSetSystemBiosInformation

loc_AC6C9A:				; CODE XREF: CmpInitializeMachineDependentConfiguration+1E8C9j
		lea	edx, [ebp+var_10]
		mov	ecx, edi
		call	_CmpGetAcpiBiosInformation@8 ; CmpGetAcpiBiosInformation(x,x)
		test	al, al
		jz	short loc_AC6D13
		push	offset ??_C@_1CC@MBMHMCGC@?$AAB?$AAo?$AAo?$AAt?$AAA?$AAr?$AAc?$AAh?$AAi?$AAt?$AAe?$AAc?$AAt?$AAu?$AAr@PBOPGDP@ ; "B"
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_10]
		xor	edi, edi
		push	eax
		push	4
		push	edi
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_20]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1CC@CBGHPEEO@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe?$AAd?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@PBOPGDP@ ; "PreferredProfile"
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_C]
		push	eax
		push	4
		push	edi
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_20]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BK@JKLHPNBO@?$AAC?$AAa?$AAp?$AAa?$AAb?$AAi?$AAl?$AAi?$AAt?$AAi?$AAe?$AAs@PBOPGDP@	; "C"
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		push	edi
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_20]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_AC6D13:				; CODE XREF: CmpInitializeMachineDependentConfiguration+2FEj
		cmp	esi, 1
		jnz	short loc_AC6D23
		mov	edx, [ebp+var_20]
		mov	ecx, [ebp+var_28]
		call	CmpSetVideoBiosInformation

loc_AC6D23:				; CODE XREF: CmpInitializeMachineDependentConfiguration+36Ej
		push	[ebp+var_28]
		call	_ZwClose@4	; ZwClose(x)

loc_AC6D2B:				; CODE XREF: CmpInitializeMachineDependentConfiguration+2CDj
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)
		xor	eax, eax

loc_AC6D35:				; CODE XREF: CmpInitializeMachineDependentConfiguration+11Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_AC6D48:				; CODE XREF: CmpInitializeMachineDependentConfiguration+20Aj
					; CmpInitializeMachineDependentConfiguration+21Aj
		sbb	eax, eax
		or	eax, 1
		jmp	loc_AC6BD4
; 

loc_AC6D52:				; CODE XREF: CmpInitializeMachineDependentConfiguration+1E1j
		mov	[ebp+var_54], eax
		jmp	loc_AC6C08
; 

loc_AC6D5A:				; CODE XREF: CmpInitializeMachineDependentConfiguration+69j
		call	___report_rangecheckfailure
		int	3		; Trap to Debugger
CmpInitializeMachineDependentConfiguration endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpSetSystemBiosInformation proc near	; CODE XREF: CmpInitializeMachineDependentConfiguration+2EDp

var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE5276 SIZE 0000009F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		push	esi
		push	edi
		mov	ebx, [ebp+arg_0]
		lea	eax, [ebp+var_BC]
		xor	esi, esi
		mov	[ebp+var_B0], ebx
		push	4
		push	esi
		push	2
		push	eax
		mov	edi, ecx
		mov	[ebp+var_B8], esi
		lea	eax, [ebp+var_D4]
		mov	[ebp+var_A8], edi
		push	eax
		mov	ecx, 10000h
		mov	[ebp+var_B4], esi
		push	ecx
		push	esi
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_90], esi
		push	eax
		push	0FFFFFFFFh
		push	edx
		mov	[ebp+var_98], esi
		mov	[ebp+var_94], esi
		mov	[ebp+var_A4], esi
		mov	[ebp+var_A0], esi
		mov	[ebp+var_9C], esi
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_D4], 0F0000h
		mov	[ebp+var_D0], esi
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_AC6FDF
		push	20204D43h
		push	1000h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_9C]
		mov	esi, eax
		push	1
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_C0], esi
		push	eax
		push	8
		add	ecx, 0FFF5h
		pop	edx
		call	CmpGetBiosDate
		test	al, al
		jz	short loc_AC6EA1
		lea	eax, [ebp+var_8C]
		push	eax
		lea	eax, [ebp+var_B8]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_B8]
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	short loc_AC6EA1
		push	offset ??_C@_1BO@BHDHIFGP@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAB?$AAi?$AAo?$AAs?$AAD?$AAa?$AAt?$AAe@PBOPGDP@
		lea	eax, [ebp+var_A4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp+var_A0]
		lea	eax, [ebp+var_90]
		push	eax
		mov	ecx, ebx
		call	CmpGetRegistryValue
		test	eax, eax
		jns	loc_AE5276

loc_AC6E95:				; CODE XREF: CmpSetSystemBiosInformation+1E5B0j
		lea	eax, [ebp+var_98]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_AC6EA1:				; CODE XREF: CmpSetSystemBiosInformation+DAj
					; CmpSetSystemBiosInformation+106j
		mov	ecx, [ebp+var_9C]
		lea	eax, [ebp+var_8C]
		push	1
		push	eax
		mov	edx, 10000h
		call	CmpGetBiosDate
		test	al, al
		jz	short loc_AC6F29
		push	offset ??_C@_1BO@BHDHIFGP@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAB?$AAi?$AAo?$AAs?$AAD?$AAa?$AAt?$AAe@PBOPGDP@
		lea	eax, [ebp+var_A4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8C]
		push	eax
		lea	eax, [ebp+var_B8]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_B8]
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	short loc_AC6F29
		movzx	eax, word ptr [ebp+var_98]
		add	eax, 2
		push	eax
		push	[ebp+var_94]
		lea	eax, [ebp+var_A4]
		push	1
		push	0
		push	eax
		push	ebx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		lea	eax, [ebp+var_98]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_AC6F29:				; CODE XREF: CmpSetSystemBiosInformation+15Cj
					; CmpSetSystemBiosInformation+199j
		mov	[ebp+var_90], esi
		test	esi, esi
		jz	loc_AC6FC6
		xor	ebx, ebx
		mov	esi, ebx

loc_AC6F3B:				; CODE XREF: CmpSetSystemBiosInformation+319j
		test	ebx, ebx
		jz	loc_AC6FF0
		lea	edx, [ebx-1]
		neg	edx
		lea	ecx, [ebx-1]
		lea	eax, [ebp+var_8C]
		sbb	edx, edx
		and	edx, 0FFFF0000h
		add	edx, 10000h
		neg	ecx
		push	eax
		sbb	ecx, ecx
		not	ecx
		and	ecx, [ebp+var_9C]
		call	CmpGetBiosVersion
		test	al, al
		jnz	loc_AC7002

loc_AC6F79:				; CODE XREF: CmpSetSystemBiosInformation+306j
		mov	[ebp+var_AC], esi
		test	esi, esi
		mov	esi, [ebp+var_C0]
		jz	short loc_AC6FC6
		mov	eax, [ebp+var_90]
		xor	ecx, ecx
		push	(offset	loc_ADD319+1)
		mov	[eax], cx
		lea	eax, [ebp+var_A4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_AC]
		add	eax, 2
		push	eax
		push	esi
		push	7
		push	0
		lea	eax, [ebp+var_A4]
		push	eax
		push	[ebp+var_B0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_AC6FC6:				; CODE XREF: CmpSetSystemBiosInformation+1D1j
					; CmpSetSystemBiosInformation+227j
		push	[ebp+var_9C]
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)
		test	esi, esi
		jz	short loc_AC6FDF
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AC6FDF:				; CODE XREF: CmpSetSystemBiosInformation+9Cj
					; CmpSetSystemBiosInformation+275j
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_AC6FF0:				; CODE XREF: CmpSetSystemBiosInformation+1DDj
		push	ecx
		lea	edx, [ebp+var_8C]
		mov	ecx, edi
		call	_CmpGetAcpiBiosVersion@12 ; CmpGetAcpiBiosVersion(x,x,x)
		test	al, al
		jz	short loc_AC7072

loc_AC7002:				; CODE XREF: CmpSetSystemBiosInformation+213j
		lea	eax, [ebp+var_8C]
		push	eax
		lea	eax, [ebp+var_B8]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_B8]
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	short loc_AC7072
		movzx	edi, word ptr [ebp+var_98]
		add	edi, 2
		push	edi		; size_t
		push	[ebp+var_94]	; void *
		push	[ebp+var_90]	; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_98]
		add	esi, edi
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+104h]
		cmp	eax, 1000h
		ja	loc_AC6F79
		add	[ebp+var_90], edi

loc_AC7072:				; CODE XREF: CmpSetSystemBiosInformation+2A0j
					; CmpSetSystemBiosInformation+2CCj
		mov	edi, [ebp+var_A8]
		inc	ebx
		jmp	loc_AC6F3B
CmpSetSystemBiosInformation endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpSetVideoBiosInformation proc	near	; CODE XREF: CmpInitializeMachineDependentConfiguration+376p

var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE5315 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	4
		mov	edi, ecx
		lea	eax, [ebp+var_98]
		xor	ecx, ecx
		mov	ebx, edx
		push	ecx
		push	2
		push	eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_C0], ebx
		push	eax
		mov	edx, 1000h
		mov	[ebp+var_B0], ecx
		push	edx
		push	ecx
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_AC], ecx
		push	eax
		push	0FFFFFFFFh
		push	edi
		mov	[ebp+var_94], ecx
		mov	[ebp+var_90], ecx
		mov	[ebp+var_B8], ecx
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_98], edx
		mov	[ebp+var_A8], ecx
		mov	[ebp+var_A4], ecx
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_AE5315
		mov	ecx, [ebp+var_8C]
		mov	eax, [ecx+40h]
		mov	esi, eax
		shr	esi, 0Ch
		and	eax, 0FFF0h
		add	esi, eax
		mov	eax, 0C0000h
		and	esi, 0FFFF8000h
		cmp	esi, eax
		jb	loc_AE531F

loc_AC713D:				; CODE XREF: CmpSetVideoBiosInformation+1E2A3j
		push	ecx
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)

loc_AC7145:				; CODE XREF: CmpSetVideoBiosInformation+1E29Cj
		push	4
		xor	ecx, ecx
		mov	[ebp+var_A8], esi
		push	ecx
		push	2
		lea	eax, [ebp+var_98]
		mov	[ebp+var_8C], ecx
		push	eax
		lea	eax, [ebp+var_A8]
		mov	[ebp+var_A4], ecx
		push	eax
		mov	edx, 8000h
		lea	eax, [ebp+var_8C]
		push	edx
		push	ecx
		push	eax
		push	0FFFFFFFFh
		push	edi
		mov	[ebp+var_98], edx
		call	_ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_AC733A
		push	20204D43h
		push	1000h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, [ebp+var_8C]
		mov	esi, eax
		push	0
		lea	eax, [ebp+var_88]
		mov	[ebp+var_BC], esi
		mov	edi, 8000h
		push	eax
		mov	edx, edi
		call	CmpGetBiosDate
		test	al, al
		jz	short loc_AC7233
		push	offset ??_C@_1BM@NLECKPGB@?$AAV?$AAi?$AAd?$AAe?$AAo?$AAB?$AAi?$AAo?$AAs?$AAD?$AAa?$AAt?$AAe@PBOPGDP@
		lea	eax, [ebp+var_B8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_B0]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_B0]
		push	eax
		lea	eax, [ebp+var_94]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	short loc_AC7233
		movzx	eax, word ptr [ebp+var_94]
		add	eax, 2
		push	eax
		push	[ebp+var_90]
		lea	eax, [ebp+var_B8]
		push	1
		push	0
		push	eax
		push	ebx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		lea	eax, [ebp+var_94]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_AC7233:				; CODE XREF: CmpSetVideoBiosInformation+148j
					; CmpSetVideoBiosInformation+185j
		test	esi, esi
		jz	loc_AC7321
		mov	ecx, [ebp+var_8C]
		lea	eax, [ebp+var_88]
		push	eax
		mov	edx, edi
		call	CmpGetBiosVersion
		test	al, al
		jz	loc_AC7321
		mov	ebx, esi
		mov	esi, [ebp+var_9C]

loc_AC725F:				; CODE XREF: CmpSetVideoBiosInformation+256j
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_B0]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_B0]
		push	eax
		lea	eax, [ebp+var_94]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	short loc_AC72C2
		movzx	edi, word ptr [ebp+var_94]
		add	edi, 2
		push	edi		; size_t
		push	[ebp+var_90]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_94]
		add	esi, edi
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+104h]
		cmp	eax, 1000h
		ja	short loc_AC72D6
		add	ebx, edi

loc_AC72C2:				; CODE XREF: CmpSetVideoBiosInformation+20Bj
		lea	eax, [ebp+var_88]
		xor	edx, edx
		push	eax
		xor	ecx, ecx
		call	CmpGetBiosVersion
		test	al, al
		jnz	short loc_AC725F

loc_AC72D6:				; CODE XREF: CmpSetVideoBiosInformation+240j
		mov	edi, esi
		mov	[ebp+var_9C], esi
		mov	esi, [ebp+var_BC]
		test	edi, edi
		jz	short loc_AC7321
		cmp	edi, 0FFEh
		ja	short loc_AC7321
		xor	eax, eax
		mov	[ebx], ax
		lea	eax, [ebp+var_B8]
		push	offset ??_C@_1CC@NBEHNIFJ@?$AAV?$AAi?$AAd?$AAe?$AAo?$AAB?$AAi?$AAo?$AAs?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo@PBOPGDP@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [edi+2]
		push	eax
		push	esi
		push	7
		push	0
		lea	eax, [ebp+var_B8]
		push	eax
		push	[ebp+var_C0]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_AC7321:				; CODE XREF: CmpSetVideoBiosInformation+1B7j
					; CmpSetVideoBiosInformation+1D3j ...
		push	[ebp+var_8C]
		push	0FFFFFFFFh
		call	_ZwUnmapViewOfSection@8	; ZwUnmapViewOfSection(x,x)
		test	esi, esi
		jz	short loc_AC733A
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AC733A:				; CODE XREF: CmpSetVideoBiosInformation+10Cj
					; CmpSetVideoBiosInformation+2B2j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpSetVideoBiosInformation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetBiosVersion proc near		; CODE XREF: CmpSetSystemBiosInformation+20Cp
					; CmpSetVideoBiosInformation+1CCp ...

var_88		= dword	ptr -88h
var_5		= byte ptr -5
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE5326 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 88h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_88], eax
		test	ecx, ecx
		jnz	loc_AC746C

loc_AC7370:				; CODE XREF: CmpGetBiosVersion+13Aj
		push	ebx
		push	esi
		push	edi

loc_AC7373:				; CODE XREF: CmpGetBiosVersion+ABj
		mov	eax, ds:_Start
		xor	esi, esi
		mov	edx, ds:_End
		cmp	eax, edx
		ja	loc_AC7489

loc_AC7388:				; CODE XREF: CmpGetBiosVersion+4Bj
		cmp	byte ptr [eax],	2Eh
		jz	short loc_AC7399

loc_AC738D:				; CODE XREF: CmpGetBiosVersion+55j
					; CmpGetBiosVersion+5Aj ...
		inc	eax
		mov	ds:_Start, eax
		cmp	eax, edx
		jbe	short loc_AC7388
		jmp	short loc_AC73B5
; 

loc_AC7399:				; CODE XREF: CmpGetBiosVersion+41j
		mov	cl, [eax+1]
		cmp	cl, 30h
		jl	short loc_AC738D
		cmp	cl, 39h
		jg	short loc_AC738D
		mov	cl, [eax-1]
		cmp	cl, 30h
		jl	short loc_AC738D
		cmp	cl, 39h
		jg	short loc_AC738D
		mov	esi, eax

loc_AC73B5:				; CODE XREF: CmpGetBiosVersion+4Dj
		cmp	eax, edx
		ja	loc_AC7489
		add	eax, 2
		lea	edi, [ebp-5]
		xor	ecx, ecx
		mov	ds:_Start, eax
		mov	[ebp+var_5], cl
		dec	esi

loc_AC73CE:				; CODE XREF: CmpGetBiosVersion+9Fj
		cmp	esi, ds:_BiosBegin
		jb	short loc_AC73EB
		mov	al, [esi]
		cmp	al, 20h
		jl	short loc_AC73EB
		cmp	al, 24h
		jz	short loc_AC73EB
		dec	edi
		dec	esi
		inc	ecx
		mov	[edi], al
		cmp	cx, 78h
		jb	short loc_AC73CE

loc_AC73EB:				; CODE XREF: CmpGetBiosVersion+8Aj
					; CmpGetBiosVersion+90j ...
		mov	eax, ds:_SearchStrings
		inc	esi
		xor	ebx, ebx

loc_AC73F3:				; CODE XREF: CmpGetBiosVersion+C9j
		test	eax, eax
		jz	loc_AC7373
		push	eax		; char *
		push	edi		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_AC7415
		inc	ebx
		movzx	eax, bx
		mov	eax, ds:_SearchStrings[eax*4]
		jmp	short loc_AC73F3
; 

loc_AC7415:				; CODE XREF: CmpGetBiosVersion+BCj
		test	esi, esi
		jz	short loc_AC7422

loc_AC7419:				; CODE XREF: CmpGetBiosVersion+1DFDFj
		cmp	byte ptr [esi],	20h
		jz	loc_AE5326

loc_AC7422:				; CODE XREF: CmpGetBiosVersion+CDj
					; CmpGetBiosVersion+1DFE5j
		mov	edi, [ebp+var_88]
		xor	ecx, ecx

loc_AC742A:				; CODE XREF: CmpGetBiosVersion+106j
		test	esi, esi
		jz	short loc_AC7452
		mov	eax, ds:_End
		inc	eax
		cmp	esi, eax
		ja	short loc_AC7452
		mov	dl, [esi]
		cmp	dl, 20h
		jl	short loc_AC7452
		cmp	dl, 24h
		jz	short loc_AC7452
		movzx	eax, cx
		inc	ecx
		inc	esi
		mov	[eax+edi], dl
		cmp	cx, 7Fh
		jb	short loc_AC742A

loc_AC7452:				; CODE XREF: CmpGetBiosVersion+E2j
					; CmpGetBiosVersion+ECj ...
		movzx	eax, cx
		mov	byte ptr [eax+edi], 0
		mov	al, 1

loc_AC745B:				; CODE XREF: CmpGetBiosVersion+141j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_AC746C:				; CODE XREF: CmpGetBiosVersion+20j
		lea	eax, [ecx+1]
		mov	ds:_BiosBegin, ecx
		mov	ds:_Start, eax
		lea	eax, [edx-2]
		add	eax, ecx
		mov	ds:_End, eax
		jmp	loc_AC7370
; 

loc_AC7489:				; CODE XREF: CmpGetBiosVersion+38j
					; CmpGetBiosVersion+6Dj
		xor	al, al
		jmp	short loc_AC745B
CmpGetBiosVersion endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetBiosDate	proc near		; CODE XREF: CmpSetSystemBiosInformation+D3p
					; CmpSetSystemBiosInformation+155p ...

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_22		= byte ptr -22h
var_21		= byte ptr -21h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_17		= dword	ptr -17h
var_13		= byte ptr -13h
var_10		= byte ptr -10h
var_C		= byte ptr -0Ch
var_B		= byte ptr -0Bh
var_7		= byte ptr -7
var_6		= byte ptr -6
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch

; FUNCTION CHUNK AT 00AE5334 SIZE 00000076 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_1C]
		mov	[ebp+var_2C], ecx
		stosd
		mov	esi, ecx
		lea	ecx, [edx-5]
		mov	[ebp+var_38], ebx
		add	ecx, esi
		mov	[ebp+var_20], ecx
		stosd
		stosw
		stosb
		lea	edi, [esi+2]
		cmp	edi, ecx
		jnb	short loc_AC74E8
		mov	bl, [ebp+arg_4]
		lea	ecx, [esi+6]
		mov	eax, [ebp+var_20]
		mov	[ebp+var_28], ecx

loc_AC74D3:				; CODE XREF: CmpGetBiosDate+55j
		cmp	byte ptr [edi],	2Fh
		jz	short loc_AC7524

loc_AC74D8:				; CODE XREF: CmpGetBiosDate+9Aj
					; CmpGetBiosDate+A6j
		inc	edi
		inc	esi
		inc	ecx
		mov	[ebp+var_2C], esi
		mov	[ebp+var_28], ecx
		cmp	edi, eax
		jb	short loc_AC74D3
		mov	ebx, [ebp+var_38]

loc_AC74E8:				; CODE XREF: CmpGetBiosDate+37j
		cmp	byte ptr [ebp+var_1C], 0
		jz	loc_AE53A0
		mov	eax, [ebp+var_17]
		mov	[ebx], eax
		mov	al, [ebp+var_13]
		mov	[ebx+4], al
		mov	al, byte ptr [ebp+var_1C+2]
		mov	[ebx+6], al
		mov	al, byte ptr [ebp+var_1C+3]
		mov	[ebx+7], al
		mov	al, 1
		mov	byte ptr [ebx+5], 2Fh
		mov	byte ptr [ebx+8], 0

loc_AC7513:				; CODE XREF: CmpGetBiosDate+1DF17j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_AC7524:				; CODE XREF: CmpGetBiosDate+48j
		cmp	byte ptr [edi+3], 2Fh
		jnz	short loc_AC74D8
		mov	al, [edi-1]
		cmp	al, 30h
		jge	short loc_AC7536

loc_AC7531:				; CODE XREF: CmpGetBiosDate+AAj
					; CmpGetBiosDate+B3j ...
		mov	eax, [ebp+var_20]
		jmp	short loc_AC74D8
; 

loc_AC7536:				; CODE XREF: CmpGetBiosDate+A1j
		cmp	al, 39h
		jg	short loc_AC7531
		mov	al, [edi+1]
		sub	al, 30h
		cmp	al, 9
		ja	short loc_AC7531
		lea	eax, [edi+2]
		mov	[ebp+var_34], eax
		mov	al, [eax]
		sub	al, 30h
		cmp	al, 9
		ja	short loc_AC7531
		mov	dl, [ecx]
		lea	eax, [edx-30h]
		cmp	al, 9
		ja	short loc_AC7531
		mov	dh, [edi+5]
		mov	al, dh
		sub	al, 30h
		cmp	al, 9
		ja	short loc_AC7531
		mov	eax, [esi]
		mov	dword ptr [ebp+var_B], eax
		mov	al, [esi+4]
		mov	[ebp+var_7], al
		mov	al, [ebp+var_B]
		cmp	al, 30h
		jl	loc_AE5334
		cmp	al, 39h
		jg	loc_AE5334

loc_AC7583:				; CODE XREF: CmpGetBiosDate+1DEAAj
		xor	eax, eax
		mov	[ebp-0Eh], dl
		push	10h		; int
		push	eax		; char **
		mov	[ebp+var_6], al
		mov	[ebp-9], al
		mov	[ebp+var_C], al
		lea	eax, [ebp-0Eh]
		push	eax		; char *
		mov	[ebp-0Dh], dh
		call	_strtoul
		push	10h		; int
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_B]
		push	0		; char **
		push	eax		; char *
		call	_strtoul
		push	10h		; int
		mov	esi, eax
		lea	eax, [ebp-8]
		push	0		; char **
		push	eax		; char *
		call	_strtoul
		lea	ecx, [esi-1]
		add	esp, 24h
		cmp	ecx, 11h
		ja	short loc_AC7635
		dec	eax
		cmp	eax, 30h
		ja	short loc_AC7635
		test	bl, bl
		jz	short loc_AC75E2
		mov	al, [edi+6]
		mov	[ebp+var_21], al
		cmp	al, 30h
		jge	loc_AE533D

loc_AC75E2:				; CODE XREF: CmpGetBiosDate+144j
					; CmpGetBiosDate+1DEB1j ...
		cmp	[ebp+var_30], 80h
		mov	word ptr [ebp+var_10], 3032h
		jnb	short loc_AC762D

loc_AC75F1:				; CODE XREF: CmpGetBiosDate+1A5j
					; CmpGetBiosDate+1DF0Dj
		push	0Ah		; size_t
		lea	eax, [ebp+var_10]
		mov	byte ptr [ebp-9], 2Fh
		push	eax		; void *
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_C], 2Fh
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jns	short loc_AC7619
		lea	esi, [ebp+var_10]
		lea	edi, [ebp+var_1C]
		movsd
		movsd
		movsw

loc_AC7619:				; CODE XREF: CmpGetBiosDate+17Fj
		mov	esi, [ebp+var_2C]
		mov	ecx, [ebp+var_28]
		add	esi, 2
		mov	edi, [ebp+var_34]
		add	ecx, 2
		jmp	loc_AC7531
; 

loc_AC762D:				; CODE XREF: CmpGetBiosDate+161j
		mov	word ptr [ebp+var_10], 3931h
		jmp	short loc_AC75F1
; 

loc_AC7635:				; CODE XREF: CmpGetBiosDate+13Aj
					; CmpGetBiosDate+140j
		mov	esi, [ebp+var_2C]
		mov	ecx, [ebp+var_28]
		jmp	loc_AC7531
CmpGetBiosDate	endp


;  S U B	R O U T	I N E 


; __stdcall CmpGetAcpiBiosVersion(x, x,	x)
_CmpGetAcpiBiosVersion@12 proc near	; CODE XREF: CmpSetSystemBiosInformation+299p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	ebx, ecx
		push	esi
		push	esi
		push	54445352h
		push	ebx
		mov	edi, edx
		call	ds:__imp__HalAcpiGetTableEx@16 ; HalAcpiGetTableEx(x,x,x,x)
		test	eax, eax
		jnz	short loc_AC766F
		push	esi
		push	esi
		push	54445358h
		push	ebx
		call	ds:__imp__HalAcpiGetTableEx@16 ; HalAcpiGetTableEx(x,x,x,x)
		test	eax, eax
		jz	short loc_AC76A1

loc_AC766F:				; CODE XREF: CmpGetAcpiBiosVersion(x,x,x)+1Bj
					; CmpGetAcpiBiosVersion(x,x,x)+3Ej
		mov	cl, [eax+esi+0Ah]
		test	cl, cl
		jz	short loc_AC7680
		mov	[edi], cl
		inc	edi
		inc	esi
		cmp	esi, 6
		jb	short loc_AC766F

loc_AC7680:				; CODE XREF: CmpGetAcpiBiosVersion(x,x,x)+35j
		push	dword ptr [eax+18h]
		mov	eax, 80h
		push	offset ??_C@_05JJCGIBE@?5?9?5?$CFx@PBOPGDP@
		sub	eax, esi
		push	eax
		push	edi
		call	_sprintf_s
		add	esp, 10h
		mov	al, 1

loc_AC769B:				; CODE XREF: CmpGetAcpiBiosVersion(x,x,x)+63j
		pop	edi
		pop	esi
		pop	ebx
		retn	4
; 

loc_AC76A1:				; CODE XREF: CmpGetAcpiBiosVersion(x,x,x)+2Dj
		xor	al, al
		jmp	short loc_AC769B
_CmpGetAcpiBiosVersion@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetRegistryValue proc near		; CODE XREF: CmpSetSystemBiosInformation+128p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE53AA SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_10]
		push	edx
		push	eax
		mov	edi, ecx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	ebx
		push	2
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_AE53AA
		cmp	eax, 80000005h
		jz	loc_AE53AA
		cmp	eax, 0C0000023h
		jz	loc_AE53AA

loc_AC76F8:				; CODE XREF: CmpGetRegistryValue+1DD21j
					; CmpGetRegistryValue+1DD49j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
CmpGetRegistryValue endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall CmpGetAcpiBiosInformation(x, x)
_CmpGetAcpiBiosInformation@8 proc near	; CODE XREF: CmpInitializeMachineDependentConfiguration+2F7p
		mov	edi, edi
		push	esi
		xor	eax, eax
		mov	esi, edx
		push	eax
		push	eax
		push	50434146h
		push	ecx
		mov	[esi], eax
		mov	[esi+8], eax
		mov	[esi+4], eax
		call	ds:__imp__HalAcpiGetTableEx@16 ; HalAcpiGetTableEx(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_AC7747
		mov	al, [ecx+8]
		cmp	al, 1
		jbe	short loc_AC7742
		movzx	eax, word ptr [ecx+6Dh]
		mov	[esi], eax
		mov	eax, [ecx+70h]
		mov	[esi+8], eax
		movzx	eax, byte ptr [ecx+2Dh]
		mov	[esi+4], eax
		mov	al, [ecx+8]
		cmp	al, 1

loc_AC7742:				; CODE XREF: CmpGetAcpiBiosInformation(x,x)+28j
		setnbe	al
		pop	esi
		retn
; 

loc_AC7747:				; CODE XREF: CmpGetAcpiBiosInformation(x,x)+21j
		xor	al, al
		pop	esi
		retn
_CmpGetAcpiBiosInformation@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpSetSystemValues proc	near		; CODE XREF: CmInitSystem1(x)+617p

var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE5400 SIZE 00000066 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 134h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		mov	[ebp+var_130], 18h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_110], eax
		mov	ebx, ecx
		mov	[ebp+var_114], eax
		mov	[ebp+var_118], eax
		mov	[ebp+var_10C], eax
		mov	[ebp+var_12C], eax
		mov	[ebp+var_120], eax
		mov	[ebp+var_11C], eax
		lea	eax, [ebp+var_130]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_10C]
		mov	[ebp+var_124], 240h
		push	eax
		mov	[ebp+var_128], (offset loc_AF3237+1)
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC78FA
		movzx	eax, ds:_CmpLoadOptions
		xor	edi, edi
		push	eax
		push	ds:dword_AFD0C4
		inc	edi
		push	edi
		push	0
		push	(offset	loc_AF3194+4)
		push	[ebp+var_10C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC78FA
		push	dword ptr [ebx+68h]
		mov	ecx, [ebp+var_10C]
		mov	edx, (offset loc_AF319B+5)
		call	_CmpSetSystemRegistryString@12 ; CmpSetSystemRegistryString(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC78FA
		push	dword ptr [ebx+6Ch]
		mov	ecx, [ebp+var_10C]
		mov	edx, (offset loc_AF3207+1)
		call	_CmpSetSystemRegistryString@12 ; CmpSetSystemRegistryString(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC78FA
		push	dword ptr [ebx+0C4h]
		mov	ecx, [ebp+var_10C]
		mov	edx, offset _CmpWindowsSysPartString
		call	_CmpSetSystemRegistryString@12 ; CmpSetSystemRegistryString(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC78FA
		push	dword ptr [ebx+0BCh]
		mov	ecx, [ebp+var_10C]
		mov	edx, (offset loc_AF31DF+1)
		call	_CmpSetSystemRegistryString@12 ; CmpSetSystemRegistryString(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC78FA
		mov	eax, [ebx+84h]
		push	4
		mov	eax, [eax+54h]
		and	eax, edi
		mov	[ebp+var_110], eax
		lea	eax, [ebp+var_110]
		push	eax
		push	4
		push	0
		push	offset _CmpLastBootSucceededString
		push	[ebp+var_10C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AC78FA
		mov	eax, [ebx+84h]
		push	4
		mov	eax, [eax+54h]
		shr	eax, 1
		and	eax, edi
		mov	[ebp+var_110], eax
		lea	eax, [ebp+var_110]
		push	eax
		push	4
		push	0
		push	offset _CmpLastBootShutdownString
		push	[ebp+var_10C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AC78FA
		mov	eax, [ebx+84h]
		test	byte ptr [eax+54h], 2
		jz	loc_AE5400

loc_AC78F4:				; CODE XREF: CmpSetSystemValues+1DD15j
		test	esi, esi
		js	short loc_AC78FA
		xor	esi, esi

loc_AC78FA:				; CODE XREF: CmpSetSystemValues+80j
					; CmpSetSystemValues+AEj ...
		cmp	[ebp+var_10C], 0
		jz	short loc_AC790E
		push	[ebp+var_10C]
		call	_ZwClose@4	; ZwClose(x)

loc_AC790E:				; CODE XREF: CmpSetSystemValues+1B5j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpSetSystemValues endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpMigrateOOBELanguageToInstallationLanguage proc near
					; CODE XREF: CmInitSystem1(x):loc_AC7F8Cp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE5466 SIZE 000000A4 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		cmp	ds:_CmInstallUILanguageFallbackToOOBm, edi
		jnz	loc_AE5466
		xor	eax, eax

loc_AC794D:				; CODE XREF: CmpMigrateOOBELanguageToInstallationLanguage+1DBE5j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpMigrateOOBELanguageToInstallationLanguage endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmFcInitSystem1()
_CmFcInitSystem1@0 proc	near		; CODE XREF: CmInitSystem0(x)+41p
		mov	edi, edi
		push	ecx
		call	_wil_RegisterFeatureStagingChangeNotification@4	; wil_RegisterFeatureStagingChangeNotification(x)
		pop	ecx
		retn
_CmFcInitSystem1@0 endp	; sp =	20h


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmInitSystem1(x)
_CmInitSystem1@4 proc near		; CODE XREF: Phase1InitializationDiscard(x)+A17p

var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_D8		= dword	ptr -0D8h
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 25Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx		; struct _exception *
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebp+var_D8]
		push	0B4h		; size_t
		push	esi		; int
		push	eax		; void *
		mov	ebx, ecx
		mov	[ebp+var_234], esi
		mov	[ebp+var_238], esi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_258], esi
		lea	eax, [ebp+var_230]
		mov	[ebp+var_254], esi
		push	154h		; size_t
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [ebp+var_1C]
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		lea	ecx, [ebp+var_D8] ; void *
		call	_CmpInitializeParseContext@4 ; CmpInitializeParseContext(x)
		mov	al, _InitIsWinPEMode
		mov	_CmIoFileObjectType, offset _IoFileObjectType
		test	al, al
		jz	short loc_AC79FF
		mov	ds:_CmpMiniNTBoot, al
		mov	ds:_CmpShareSystemHives, 1
		mov	ds:_CmpForceSynchronousMachineHiveLoad,	1

loc_AC79FF:				; CODE XREF: CmInitSystem1(x)+84j
		cmp	_CmpVolatileBoot, esi
		jz	short loc_AC7A0E
		mov	ds:_CmpShareSystemHives, 1

loc_AC7A0E:				; CODE XREF: CmInitSystem1(x)+9Fj
		call	_CmpInitializeRegistryNames@0 ;	CmpInitializeRegistryNames()
		call	CmpInitGlobalQuotaAllowed
		mov	eax, offset _CmpHiveListHead
		xor	edi, edi
		mov	ecx, offset _CmpShutdownRundown
		mov	ds:dword_A940F4, eax
		mov	ds:_CmpHiveListHead, eax
		mov	_CmpHiveListHeadLock, edi
		mov	_CmpLoadHiveLock, edi
		mov	_CmpShutdownLock, edi
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	eax, offset _CmpAppHiveLoadList
		mov	_CmpActiveHiveRundownEvent, edi
		push	offset _CmpRegistryLock
		mov	_CmpActiveAppHiveUnloadEvent, edi
		mov	_CmpAppHiveLoadListLock, edi
		mov	dword_6CE0AC, eax
		mov	_CmpAppHiveLoadList, eax
		call	ExInitializeResourceLite
		xor	eax, eax
		mov	dword_6CE084, edi
		inc	eax
		mov	dword_6CE088, edi
		push	edi
		push	eax
		push	offset unk_6CE08C
		mov	_CmpPostLock, eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, offset _CmpAsyncKernelPostList
		mov	dword_6CE0C8, offset CmpWorkerEngineWorker
		mov	ecx, offset _CmpWorkerEngineLock
		mov	ds:dword_A93340, eax
		mov	ds:_CmpAsyncKernelPostList, eax
		mov	dword_6CE0CC, edi
		mov	_CmpWorkerEngineWorkItem, edi
		call	@KeInitializeGuardedMutex@4 ; KeInitializeGuardedMutex(x)
		mov	eax, offset _CmpWorkerEngineListHead
		mov	_CmpWorkerEngineFinishedEvent, edi
		mov	dword_6CE104, eax
		mov	_CmpWorkerEngineListHead, eax
		call	CmpInitializeNameCache
		call	_CmpInitCmPrivateAlloc@0 ; CmpInitCmPrivateAlloc()
		call	_CmpInitSIDToHiveMapping@0 ; CmpInitSIDToHiveMapping()
		call	CmpAdminSystemSecurityDescriptor
		mov	_CmpAdminSystemFileSecurityDescriptor, eax
		call	_CmpInitializeTrustedInstallerSid@0 ; CmpInitializeTrustedInstallerSid()
		call	_CmpInitializeDelayedCloseTable@0 ; CmpInitializeDelayedCloseTable()
		call	_CmpInitCallbacks@0 ; CmpInitCallbacks()
		call	_CmpInitializeMachineHiveLoadedCallbacks@0 ; CmpInitializeMachineHiveLoadedCallbacks()
		call	CmpInitializeFreezeThaw
		call	_HvInitializeHashLibrary@0 ; HvInitializeHashLibrary()
		call	_CmpValidateGlobalFlushControlFlags@0 ;	CmpValidateGlobalFlushControlFlags()
		call	_CmpInitializeGlobalKeyLockTracker@0 ; CmpInitializeGlobalKeyLockTracker()
		call	_CmpInitializeTransactions@0 ; CmpInitializeTransactions()
		call	_CmpVolumeManagerInitialize@4 ;	CmpVolumeManagerInitialize(x)

loc_AC7B1F:				; CODE XREF: CmInitSystem1(x)+1E5j
		push	_CmpBootLoadControl[esi]
		lea	eax, [ebp+var_258]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	ecx, [ebp+var_258]
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)
		mov	dword_6B19F0[esi], eax
		add	esi, 14h
		cmp	esi, 0A0h
		jb	short loc_AC7B1F
		call	_CmpCreateObjectTypes@0	; CmpCreateObjectTypes()
		test	eax, eax
		js	loc_AC7FE6
		call	_CmpInitializeLightWeightTransactionType@0 ; CmpInitializeLightWeightTransactionType()
		test	eax, eax
		jns	short loc_AC7B6C
		push	edi
		push	eax
		push	18h
		jmp	loc_AC7FEA
; 

loc_AC7B6C:				; CODE XREF: CmInitSystem1(x)+1FBj
		call	_CmpInitializeRegistryProcess@0	; CmpInitializeRegistryProcess()
		test	eax, eax
		jns	short loc_AC7B7E
		push	edi
		push	eax
		push	19h
		jmp	loc_AC7FEA
; 

loc_AC7B7E:				; CODE XREF: CmInitSystem1(x)+20Dj
		lea	ecx, [ebp+var_1C]
		call	CmpAttachToRegistryProcess
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		xor	edx, edx
		mov	ecx, ebx
		call	CmpInitializePreloadedHives
		lea	eax, [ebp+var_230]
		xor	esi, esi
		push	eax
		push	edi
		push	edi
		push	edi
		push	20000h
		push	edi
		push	edi
		push	edi
		push	edi
		inc	esi
		xor	edx, edx
		push	esi
		mov	ecx, offset _CmpMasterHive
		call	_CmpCreateHive@48 ; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_AC7BCB
		lea	ecx, [ebp+var_230]
		push	ecx
		push	eax
		push	2

loc_AC7BC5:				; CODE XREF: CmInitSystem1(x)+27Dj
					; CmInitSystem1(x)+28Cj ...
		push	esi
		jmp	loc_AC7FEC
; 

loc_AC7BCB:				; CODE XREF: CmInitSystem1(x)+253j
		mov	ecx, ds:_CmpMasterHive
		mov	edx, 80h
		call	CmpInitializeKcbCache
		test	eax, eax
		jns	short loc_AC7BE5
		push	edi
		push	eax
		push	3
		jmp	short loc_AC7BC5
; 

loc_AC7BE5:				; CODE XREF: CmInitSystem1(x)+277j
		call	CmpCreateRegistryRoot
		test	al, al
		jnz	short loc_AC7BF4
		push	edi
		push	edi
		push	4
		jmp	short loc_AC7BC5
; 

loc_AC7BF4:				; CODE XREF: CmInitSystem1(x)+286j
		call	_MiIsSoftwareEnclave@4 ; MiIsSoftwareEnclave(x)
		mov	ecx, eax
		call	_CmpInitSiloSupport@4 ;	CmpInitSiloSupport(x)
		test	eax, eax
		jns	short loc_AC7C0A
		push	edi
		push	eax
		push	1Ah
		jmp	short loc_AC7BC5
; 

loc_AC7C0A:				; CODE XREF: CmInitSystem1(x)+29Cj
		call	CmpHiveRootSecurityDescriptor
		push	edi
		push	edi
		push	offset _nullclass
		mov	esi, eax
		mov	[ebp+var_250], 18h
		push	edi
		lea	eax, [ebp+var_250]
		mov	[ebp+var_24C], edi
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_234]
		mov	[ebp+var_244], 240h
		push	eax
		mov	[ebp+var_248], offset _CmRegistryMachineName
		mov	[ebp+var_240], esi
		mov	[ebp+var_23C], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_AC7C79
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		push	5
		jmp	loc_AC7FEA
; 

loc_AC7C79:				; CODE XREF: CmInitSystem1(x)+2FFj
		push	[ebp+var_234]
		call	_ZwClose@4	; ZwClose(x)
		xor	eax, eax
		mov	[ebp+var_250], 18h
		push	eax
		push	eax
		push	offset _nullclass
		push	eax
		mov	[ebp+var_24C], eax
		mov	[ebp+var_23C], eax
		lea	eax, [ebp+var_250]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_234]
		mov	[ebp+var_244], 240h
		push	eax
		mov	[ebp+var_248], offset _CmRegistryUserName
		mov	[ebp+var_240], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_AC7CEE
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		push	6
		jmp	loc_AC7FEA
; 

loc_AC7CEE:				; CODE XREF: CmInitSystem1(x)+374j
		push	[ebp+var_234]
		call	_ZwClose@4	; ZwClose(x)
		lea	eax, [ebp+var_234]
		mov	[ebp+var_250], 18h
		push	eax
		lea	eax, [ebp+var_D8]
		mov	[ebp+var_244], 240h
		push	eax
		xor	ecx, ecx
		mov	[ebp+var_248], offset _CmRegistryAppName
		push	2001Fh
		push	ecx
		push	ecx
		push	ds:_CmKeyObjectType
		lea	eax, [ebp+var_250]
		mov	[ebp+var_24C], ecx
		push	eax
		mov	[ebp+var_240], esi
		mov	[ebp+var_23C], ecx
		mov	[ebp+var_D8], 41h
		call	_ObOpenObjectByName@28 ; ObOpenObjectByName(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_AC7D81
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	dl, dl
		lea	ecx, [ebp+var_D8]
		call	CmpCleanupParseContext
		push	0
		push	edi
		push	7
		jmp	loc_AC7FEA
; 

loc_AC7D81:				; CODE XREF: CmInitSystem1(x)+3FAj
		xor	dl, dl
		lea	ecx, [ebp+var_D8]
		call	CmpCleanupParseContext
		push	[ebp+var_234]
		call	_ZwClose@4	; ZwClose(x)
		xor	eax, eax
		mov	[ebp+var_250], 18h
		push	eax
		push	eax
		push	offset _nullclass
		push	eax
		mov	[ebp+var_24C], eax
		mov	[ebp+var_23C], eax
		lea	eax, [ebp+var_250]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_234]
		mov	[ebp+var_244], 240h
		push	eax
		mov	[ebp+var_248], offset _CmRegistryContainersName
		mov	[ebp+var_240], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_AC7E03
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		push	8
		jmp	loc_AC7FEA
; 

loc_AC7E03:				; CODE XREF: CmInitSystem1(x)+489j
		push	[ebp+var_234]
		call	_ZwClose@4	; ZwClose(x)
		mov	ecx, ebx
		mov	ds:_CmpNoMasterCreates,	1
		call	CmpInitializeLoadOptions
		xor	edx, edx
		mov	ecx, ebx
		inc	edx
		call	CmpInitializePreloadedHives
		test	eax, eax
		jns	short loc_AC7E34
		push	0
		push	eax
		push	14h
		jmp	loc_AC7FEA
; 

loc_AC7E34:				; CODE XREF: CmInitSystem1(x)+4C2j
		xor	dl, dl
		mov	ecx, offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@PBOPGDP@ ;	char
		call	CmpCreateControlSet
		test	eax, eax
		jns	short loc_AC7E4E
		push	0
		push	eax
		push	0Dh
		jmp	loc_AC7FEA
; 

loc_AC7E4E:				; CODE XREF: CmInitSystem1(x)+4DCj
		cmp	ds:_CmpLKGEnabled, 0
		jz	short loc_AC7E5E
		or	dword ptr ds:0FFDF02F0h, 10h

loc_AC7E5E:				; CODE XREF: CmInitSystem1(x)+4EFj
		cmp	_CmStateSeparationEnabled, 0
		jz	short loc_AC7E6C
		call	_CmpUpdateStateSeparationHiveOptions@0 ; CmpUpdateStateSeparationHiveOptions()

loc_AC7E6C:				; CODE XREF: CmInitSystem1(x)+4FFj
		push	154h		; size_t
		xor	edi, edi
		lea	eax, [ebp+var_230]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_230]
		xor	edx, edx
		lea	ecx, [ebp+var_238]
		push	eax
		push	edi
		push	edi
		push	edi
		push	20000h
		push	edi
		push	edi
		push	edi
		push	edi
		push	1
		call	_CmpCreateHive@48 ; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_AC7EC2
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [ebp+var_230]
		push	eax
		push	edi
		push	10h
		jmp	loc_AC7FEA
; 

loc_AC7EC2:				; CODE XREF: CmInitSystem1(x)+543j
		lea	eax, [ebp+var_230]
		xor	edi, edi
		push	eax
		push	1
		push	edi
		push	edi
		push	esi
		push	edi
		push	edi
		push	dword_6B1640
		xor	edx, edx
		mov	ecx, offset _CmRegistryMachineHardwareName
		push	1
		push	[ebp+var_238]
		call	CmpLinkHiveToMaster
		test	eax, eax
		jz	short loc_AC7EF9
		push	edi
		push	eax
		push	11h
		jmp	loc_AC7FEA
; 

loc_AC7EF9:				; CODE XREF: CmInitSystem1(x)+588j
		mov	ecx, [ebp+var_238]
		call	CmpAddToHiveFileList
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_238]
		mov	ecx, ebx
		mov	dword_6B1634, eax
		call	_CmpInitializeHardwareConfiguration@4 ;	CmpInitializeHardwareConfiguration(x)
		test	eax, eax
		jns	short loc_AC7F2A
		push	edi
		push	eax
		push	12h
		jmp	loc_AC7FEA
; 

loc_AC7F2A:				; CODE XREF: CmInitSystem1(x)+5B9j
		mov	ecx, ebx
		call	CmpInitializeDriverStores
		test	eax, eax
		jns	short loc_AC7F3E
		push	edi
		push	eax
		push	13h
		jmp	loc_AC7FEA
; 

loc_AC7F3E:				; CODE XREF: CmInitSystem1(x)+5CDj
		mov	ecx, ebx
		call	CmpCreateExtendedControlSets
		test	eax, eax
		jns	short loc_AC7F52
		push	edi
		push	eax
		push	1Bh
		jmp	loc_AC7FEA
; 

loc_AC7F52:				; CODE XREF: CmInitSystem1(x)+5E1j
		mov	ecx, ebx
		call	CmpCreateHardwareProfiles
		push	ebx
		call	ds:__imp__CmSetInitMachineConfig@4 ; CmSetInitMachineConfig(x)
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		call	_CmpMarkCurrentProfileDirty@0 ;	CmpMarkCurrentProfileDirty()
		mov	ecx, ebx
		call	CmpInitializeMachineDependentConfiguration
		test	eax, eax
		jns	short loc_AC7F7B
		push	edi
		push	eax
		push	15h
		jmp	short loc_AC7FEA
; 

loc_AC7F7B:				; CODE XREF: CmInitSystem1(x)+60Dj
		mov	ecx, ebx
		call	CmpSetSystemValues
		test	eax, eax
		jns	short loc_AC7F8C
		push	edi
		push	eax
		push	16h
		jmp	short loc_AC7FEA
; 

loc_AC7F8C:				; CODE XREF: CmInitSystem1(x)+61Ej
		call	CmpMigrateOOBELanguageToInstallationLanguage
		push	edi
		push	ds:dword_AFD0C4
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebx+84h]
		cmp	dword ptr [eax], 3Ch
		jb	short loc_AC7FBE
		mov	ecx, [eax+38h]
		test	ecx, ecx
		jz	short loc_AC7FBE
		call	_CmpSetNetworkValue@4 ;	CmpSetNetworkValue(x)
		test	eax, eax
		jns	short loc_AC7FBE
		push	edi
		push	eax
		push	17h
		jmp	short loc_AC7FEA
; 

loc_AC7FBE:				; CODE XREF: CmInitSystem1(x)+640j
					; CmInitSystem1(x)+647j ...
		call	_CmFcInitSystem2@0 ; CmFcInitSystem2()
		test	eax, eax
		jns	short loc_AC7FCD
		push	edi
		push	eax
		push	1Ah
		jmp	short loc_AC7FEA
; 

loc_AC7FCD:				; CODE XREF: CmInitSystem1(x)+65Fj
		lea	ecx, [ebp+var_1C]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)
		mov	ecx, [ebp+var_4]
		mov	al, 1
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AC7FE6:				; CODE XREF: CmInitSystem1(x)+1EEj
		push	edi
		push	eax
		push	1

loc_AC7FEA:				; CODE XREF: CmInitSystem1(x)+201j
					; CmInitSystem1(x)+213j ...
		push	1

loc_AC7FEC:				; CODE XREF: CmInitSystem1(x)+260j
		push	67h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_CmInitSystem1@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInitializePreloadedHives proc near	; CODE XREF: CmInitSystem1(x)+229p
					; CmInitSystem1(x)+4BBp

var_8		= dword	ptr -8

; FUNCTION CHUNK AT 00AE550A SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		push	edi
		test	edx, edx
		jnz	short loc_AC8043
		mov	eax, offset _CmpPreloadedHivesList
		mov	dword_6CE3DC, eax
		mov	_CmpPreloadedHivesList,	eax
		mov	eax, [ebx+84h]
		add	eax, 0E8h
		mov	ecx, [eax]
		jmp	short loc_AC8038
; 

loc_AC8025:				; CODE XREF: CmpInitializePreloadedHives+46j
		inc	_CmpPreloadedHivesCount
		mov	eax, [ebx+84h]
		mov	ecx, [ecx]
		add	eax, 0E8h

loc_AC8038:				; CODE XREF: CmpInitializePreloadedHives+2Fj
		cmp	ecx, eax
		jnz	short loc_AC8025

loc_AC803C:				; CODE XREF: CmpInitializePreloadedHives+ABj
					; CmpInitializePreloadedHives+B2j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AC8043:				; CODE XREF: CmpInitializePreloadedHives+11j
		call	CmpHiveRootSecurityDescriptor
		mov	edi, eax
		test	edi, edi
		jz	short loc_AC80A1
		push	ecx
		mov	edx, edi
		mov	ecx, ebx
		call	CmpInitializeSystemHive
		mov	esi, eax
		mov	[ebp+var_8], esi
		test	esi, esi
		js	loc_AE550A
		mov	eax, [ebx+84h]
		add	eax, 0E8h
		mov	ecx, [eax]
		cmp	ecx, eax
		jz	short loc_AC8097
		mov	esi, ecx

loc_AC8078:				; CODE XREF: CmpInitializePreloadedHives+9Ej
		push	ecx
		push	ecx
		mov	edx, edi
		mov	ecx, esi
		call	CmpInitializePreloadedHive
		mov	eax, [ebx+84h]
		mov	esi, [esi]
		add	eax, 0E8h
		cmp	esi, eax
		jnz	short loc_AC8078
		mov	esi, [ebp+var_8]

loc_AC8097:				; CODE XREF: CmpInitializePreloadedHives+80j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_AC803C
; 

loc_AC80A1:				; CODE XREF: CmpInitializePreloadedHives+58j
		mov	esi, 0C000009Ah
		jmp	short loc_AC803C
CmpInitializePreloadedHives endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInitializeSystemHive	proc near	; CODE XREF: CmpInitializePreloadedHives+5Fp

var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 00AE5523 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		push	ebx
		push	esi
		push	edi
		push	33394D43h
		push	154h
		push	1
		mov	ebx, edx
		mov	byte ptr [ebp+var_1], 0
		mov	esi, ecx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AE5519
		push	154h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [esi+60h]
		lea	ecx, [ebp+var_1]
		add	esp, 0Ch
		xor	edx, edx
		inc	edx
		push	edi
		push	ecx
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	(offset	loc_590007+1)
		push	offset _CmpSystemFileName
		push	ecx
		push	eax
		push	2
		push	12h
		lea	ecx, [ebp+var_8]
		call	_CmpCreateHive@48 ; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_AE5523
		mov	edx, [esi+84h]
		mov	ecx, [ebp+var_8]
		add	edx, 0A80h
		call	CmpSetupLoggingState
		cmp	byte ptr [ebp+var_1], 1
		jz	loc_AE5536

loc_AC8136:				; CODE XREF: CmpInitializeSystemHive+1D495j
		cmp	ds:_CmpShareSystemHives, 0
		mov	ecx, 8000h
		jnz	short loc_AC81AD

loc_AC8144:				; CODE XREF: CmpInitializeSystemHive+10Bj
		cmp	_CmStateSeparationEnabled, 0
		jnz	loc_AE5542

loc_AC8151:				; CODE XREF: CmpInitializeSystemHive+1D4A1j
					; CmpInitializeSystemHive+1D4B4j
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		mov	eax, [ecx+20h]
		mov	eax, [eax+0FF8h]
		mov	_CmpBootType, eax
		cmp	_CmSelfHeal, edx
		jz	loc_AE5561

loc_AC8170:				; CODE XREF: CmpInitializeSystemHive+1D4C1j
		push	edi
		push	1
		push	edx
		push	edx
		push	ebx
		push	edx
		push	edx
		push	dword_6B17A8
		push	edx
		push	ecx
		xor	edx, edx
		mov	ecx, offset _CmRegistryMachineSystemName
		call	CmpLinkHiveToMaster
		mov	esi, eax
		test	esi, esi
		js	short loc_AC819C
		mov	eax, [ebp+var_8]
		xor	esi, esi
		mov	dword_6B179C, eax

loc_AC819C:				; CODE XREF: CmpInitializeSystemHive+E8j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AC81A4:				; CODE XREF: CmpInitializePreloadedHives+1D52Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_AC81AD:				; CODE XREF: CmpInitializeSystemHive+9Aj
		mov	eax, [ebp+var_8]
		or	[eax+64h], ecx
		jmp	short loc_AC8144
CmpInitializeSystemHive	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpInitializePreloadedHive proc	near	; CODE XREF: CmpInitializePreloadedHives+8Ap

var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_1F8		= dword	ptr -1F8h
var_1F4		= dword	ptr -1F4h
var_1F0		= dword	ptr -1F0h
var_1EC		= dword	ptr -1ECh
var_1E8		= dword	ptr -1E8h
var_1E1		= dword	ptr -1E1h
var_88		= dword	ptr -88h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE5571 SIZE 00000133 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 204h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	154h		; size_t
		xor	ebx, ebx
		mov	[ebp+var_200], edx
		lea	eax, [ebp+var_1E1+1]
		mov	edi, ecx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_1E8], ebx
		mov	esi, 1000h
		mov	byte ptr [ebp+var_1E1],	bl
		push	20204D43h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_1FC], eax
		test	eax, eax
		jz	loc_AE5621
		mov	[ebp+var_1EC], eax
		mov	ecx, 80h
		mov	eax, [edi+0Ch]
		mov	[ebp+var_1F0], ebx
		mov	word ptr [ebp+var_1F0+2], si
		test	al, 36h
		jnz	loc_AE5571
		test	al, cl
		jnz	loc_AE55AE
		push	offset ??_C@_1DK@MBODLMJO@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@PBOPGDP@ ; "\\SystemRoot\\System32\\Config\\"
		lea	eax, [ebp+var_1F0]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	dword ptr [edi+8] ; void *
		lea	eax, [ebp+var_1F0]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, 4000h

loc_AC8269:				; CODE XREF: CmpInitializePreloadedHive+1D3CFj
					; CmpInitializePreloadedHive+1D3DEj ...
		test	dword ptr [edi+0Ch], 100h
		jnz	loc_AE5608

loc_AC8276:				; CODE XREF: CmpInitializePreloadedHive+1D458j
		movzx	eax, word ptr [ebp+var_1F0]
		push	20204D43h
		add	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE561F
		movzx	ecx, word ptr [ebp+var_1F0]
		push	ecx		; size_t
		push	[ebp+var_1EC]	; void *
		push	ebx		; void *
		call	_memcpy
		add	esp, 0Ch
		push	0
		push	[ebp+var_1FC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		movzx	eax, word ptr [ebp+var_1F0]
		xor	ecx, ecx
		shr	eax, 1
		xor	edx, edx
		mov	[ebx+eax*2], cx
		lea	ecx, [ebp+var_1E1+1]
		mov	eax, [ebp+var_1F0]
		push	ecx
		lea	ecx, [ebp+var_1E1]
		mov	[ebp+var_1EC], ebx
		push	ecx
		push	edx
		push	edx
		add	eax, 2
		lea	ecx, [ebp+var_1F0]
		push	(offset	loc_590007+1)
		push	ecx
		mov	word ptr [ebp+var_1F0+2], ax
		lea	ecx, [ebp+var_1E8]
		mov	eax, [edi+0Ch]
		push	edx
		push	dword ptr [edi+10h]
		and	eax, 8
		inc	edx
		shl	eax, 5
		or	eax, 12h
		push	2
		push	eax
		call	_CmpCreateHive@48 ; CmpCreateHive(x,x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_AE5613
		mov	ecx, [ebp+var_1E8]
		lea	edx, [edi+20h]
		call	CmpSetupLoggingState
		mov	eax, [ebp+var_1E8]
		push	ebx
		add	eax, 4A8h
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_1E8]
		or	esi, 400h
		or	[eax+64h], esi
		cmp	byte ptr [ebp+var_1E1],	1
		jz	loc_AE5632

loc_AC8361:				; CODE XREF: CmpInitializePreloadedHive+1D489j
		cmp	ds:_CmpShareSystemHives, 0
		mov	ecx, 8000h
		jnz	loc_AE5644

loc_AC8373:				; CODE XREF: CmpInitializePreloadedHive+1D497j
		cmp	_CmStateSeparationEnabled, 0
		jnz	loc_AE5652

loc_AC8380:				; CODE XREF: CmpInitializePreloadedHive+1D4A3j
					; CmpInitializePreloadedHive+1D4ADj ...
		mov	ecx, [ebp+var_1E8]
		xor	ebx, ebx
		mov	eax, [ecx+20h]
		mov	eax, [eax+0FF8h]
		mov	_CmpBootType, eax
		cmp	_CmSelfHeal, ebx
		jz	loc_AE5677

loc_AC83A2:				; CODE XREF: CmpInitializePreloadedHive+1D4C9j
		mov	eax, 80h
		mov	[ebp+var_1F8], ebx
		mov	word ptr [ebp+var_1F8+2], ax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_1F4], eax
		lea	eax, [ebp+var_1F8]
		push	offset ??_C@_1BG@OKCBELMP@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2@PBOPGDP@	; "\\"
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	dword ptr [edi+1Ch] ; void *
		lea	eax, [ebp+var_1F8]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@PBOPGDP@	; void *
		lea	eax, [ebp+var_1F8]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	dword ptr [edi+18h] ; void *
		lea	eax, [ebp+var_1F8]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_1E1+1]
		xor	edx, edx
		push	eax
		push	1
		push	ebx
		push	ebx
		push	[ebp+var_200]
		lea	ecx, [ebp+var_1F8]
		push	ebx
		push	ebx
		push	200h
		push	ebx
		push	[ebp+var_1E8]
		call	CmpLinkHiveToMaster
		test	eax, eax
		js	loc_AE568B
		mov	ecx, dword_6CE3DC
		mov	edx, offset _CmpPreloadedHivesList
		mov	eax, [ebp+var_1E8]
		add	eax, 428h
		cmp	[ecx], edx
		jnz	short loc_AC846D
		mov	[eax+4], ecx
		mov	[eax], edx
		mov	[ecx], eax
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		mov	dword_6CE3DC, eax
		xor	ecx, ebp
		xor	eax, eax
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_AC846D:				; CODE XREF: CmpInitializePreloadedHive+296j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

CmpCreateRegistryRoot:			; CODE XREF: CmInitSystem1(x):loc_AC7BE5p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		xor	esi, esi
		lea	eax, [ebp+var_10]
		push	edi
		push	eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		call	_CmpCreateRootNode@12 ;	CmpCreateRootNode(x,x,x)
		test	al, al
		jz	loc_AC85BD
		call	CmpHiveRootSecurityDescriptor
		mov	ebx, eax
		mov	[ebp+var_34], 18h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_30], esi
		push	eax
		push	esi
		push	esi
		push	38h
		push	esi
		push	esi
		lea	eax, [ebp+var_34]
		mov	[ebp+var_28], 240h
		push	eax
		push	ds:_CmKeyObjectType
		mov	[ebp+var_2C], offset _CmRegistryRootName
		push	esi
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], esi
		call	_ObCreateObject@36 ; ObCreateObject(x,x,x,x,x,x,x,x,x)
		push	esi
		push	ebx
		mov	edi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		js	loc_AC85BD
		push	offset ??_C@_1BC@KAILKFFG@?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY@PBOPGDP@ ; "REGISTRY"
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		push	esi
		lea	ecx, [ebp+var_1C]
		call	_CmpHashUnicodeComponent@4 ; CmpHashUnicodeComponent(x)
		mov	edx, [ebp+var_10]
		mov	ecx, ds:_CmpMasterHive
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		push	esi
		push	esi
		call	CmpCreateKeyControlBlock
		test	eax, eax
		js	loc_AC85BD
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		mov	dword ptr [ecx], 6B793032h
		mov	[ecx+8], eax
		mov	eax, large fs:124h
		mov	edi, [ebp+var_8]
		mov	[ecx+0Ch], esi
		mov	ecx, [ebp+var_4]
		mov	eax, [eax+2ACh]
		mov	[edi+10h], eax
		xor	eax, eax
		mov	[edi+1Ch], eax
		lea	eax, [edi+28h]
		mov	[eax+4], eax
		mov	[eax], eax
		mov	[edi+20h], esi
		mov	[edi+24h], esi
		call	CmpTryToLockKcbExclusive
		push	2
		pop	edx
		mov	ecx, edi
		call	EnlistKeyBodyWithKCB
		mov	ecx, [ebp+var_4]
		call	_CmpUnlockKcb@4	; CmpUnlockKcb(x)
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		push	esi
		push	esi
		push	esi
		push	edi
		call	_ObInsertObject@24 ; ObInsertObject(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AC85BD
		push	esi
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], esi
		push	eax
		push	esi
		push	esi
		push	20019h
		push	[ebp+var_C]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ecx, [ebp+var_14]
		mov	ds:_CmpRegistryRootObject, ecx
		test	eax, eax
		js	loc_AE5696
		mov	al, 1

loc_AC85B8:				; CODE XREF: CmpInitializePreloadedHive+409j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AC85BD:				; CODE XREF: CmpInitializePreloadedHive+2E6j
					; CmpInitializePreloadedHive+336j ...
		xor	al, al
		jmp	short loc_AC85B8
CmpInitializePreloadedHive endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpCreateHardwareProfiles proc near	; CODE XREF: CmInitSystem1(x)+5EEp

var_2E0		= dword	ptr -2E0h
var_2DC		= byte ptr -2DCh
var_2D8		= dword	ptr -2D8h
var_2D4		= dword	ptr -2D4h
var_2D0		= dword	ptr -2D0h
var_2CC		= dword	ptr -2CCh
var_2C8		= byte ptr -2C8h
var_2C4		= dword	ptr -2C4h
var_2C0		= dword	ptr -2C0h
var_2BC		= dword	ptr -2BCh
var_2B8		= dword	ptr -2B8h
var_2B4		= dword	ptr -2B4h
var_2B0		= dword	ptr -2B0h
var_2AC		= dword	ptr -2ACh
var_2A8		= dword	ptr -2A8h
var_2A4		= dword	ptr -2A4h
var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_291		= byte ptr -291h
var_28E		= word ptr -28Eh
var_28C		= word ptr -28Ch
var_288		= dword	ptr -288h
var_188		= dword	ptr -188h
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE56A4 SIZE 0000046A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2E4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		lea	edx, [ebp+var_2D0]
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, ecx
		mov	[ebp+var_2CC], eax
		pop	ecx
		lea	edi, [ebp+var_2B8]
		mov	dword ptr [ebp+var_2DC], eax
		rep stosd
		mov	[ebp+var_2D8], eax
		mov	[ebp+var_2A0], eax
		mov	[ebp+var_29C], eax
		mov	[ebp+var_2E0], eax
		mov	[ebp+var_2C4], eax
		mov	[ebp+var_2D0], eax
		mov	[ebp+var_2BC], eax
		mov	[ebp+var_2C0], eax
		mov	[ebp+var_2D4], eax
		mov	[ebp+var_298], eax
		mov	dword ptr [ebp+var_2C8], eax
		mov	[ebp+var_291], al
		lea	eax, [ebp+var_2DC]
		push	eax
		call	CmpOpenDevicesControlSet
		mov	edi, [ebp+var_2D0]
		mov	esi, eax
		test	esi, esi
		js	loc_AC8A2F
		and	[ebp+var_2A8], 0
		lea	eax, [ebp+var_2B8]
		and	[ebp+var_2A4], 0
		push	eax
		push	20019h
		lea	eax, [ebp+var_2BC]
		mov	[ebp+var_2B8], 18h
		push	eax
		mov	[ebp+var_2B4], edi
		mov	[ebp+var_2AC], 240h
		mov	[ebp+var_2B0], offset _CmpControlIdConfigDbString
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		xor	ecx, ecx
		mov	esi, eax
		inc	ecx
		cmp	esi, 0C0000034h
		jz	loc_AE56A4
		test	esi, esi
		js	loc_AC8A2F
		lea	eax, [ebp+var_2E0]
		push	eax
		push	80h
		lea	eax, [ebp+var_88]
		push	eax
		push	ecx
		push	(offset	loc_A3F667+1)
		push	[ebp+var_2BC]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC8A2F
		cmp	[ebp+var_84], 4
		jnz	loc_AC8A2F
		mov	eax, [ebp+var_80]
		mov	eax, [ebp+eax+var_88]
		mov	dword ptr [ebp+var_2C8], eax

loc_AC870D:				; CODE XREF: CmpCreateHardwareProfiles+1D2FFj
		and	[ebp+var_2A8], 0
		lea	eax, [ebp+var_2B8]
		and	[ebp+var_2A4], 0
		push	eax
		push	20019h
		lea	eax, [ebp+var_2D4]
		mov	[ebp+var_2B8], 18h
		push	eax
		mov	[ebp+var_2B4], edi
		mov	[ebp+var_2AC], 240h
		mov	[ebp+var_2B0], (offset loc_A3F627+1)
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_AE58C6

loc_AC8765:				; CODE XREF: CmpCreateHardwareProfiles+1D337j
		test	esi, esi
		js	loc_AC8A2F
		push	dword ptr [ebp+var_2C8]	; char
		xor	esi, esi
		mov	eax, 100h
		mov	[ebp+var_2A0], esi
		mov	word ptr [ebp+var_2A0+2], ax
		lea	eax, [ebp+var_188]
		mov	[ebp+var_29C], eax
		lea	eax, [ebp+var_2A0]
		push	offset ??_C@_19BLGDCJIP@?$AA?$CF?$AA0?$AA4?$AAd@PBOPGDP@ ; "%04d"
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		mov	eax, [ebp+var_2D4]
		add	esp, 0Ch
		mov	[ebp+var_2B4], eax
		lea	eax, [ebp+var_2A0]
		mov	[ebp+var_2B0], eax
		lea	eax, [ebp+var_2B8]
		mov	[ebp+var_2B8], 18h
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_2C0]
		mov	[ebp+var_2AC], 240h
		push	eax
		mov	[ebp+var_2A8], esi
		mov	[ebp+var_2A4], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_AE58FE

loc_AC8805:				; CODE XREF: CmpCreateHardwareProfiles+1D36Fj
		test	esi, esi
		js	loc_AC8A2F
		mov	esi, [ebx+84h]
		push	3
		pop	edx
		mov	[ebp+var_2D0], esi
		movzx	eax, word ptr [esi+8]
		lea	ebx, [esi+4]
		mov	ecx, eax
		cmp	ax, dx
		jnz	short loc_AC8833
		xor	eax, eax
		inc	eax
		mov	[esi+8], ax
		mov	ecx, eax

loc_AC8833:				; CODE XREF: CmpCreateHardwareProfiles+266j
		movzx	eax, word ptr [ebx]
		sub	eax, 1
		jz	loc_AE59AA
		sub	eax, 1
		jnz	loc_AE5936

loc_AC8848:				; CODE XREF: CmpCreateHardwareProfiles+1D3FBj
		mov	eax, [ebp+var_2BC]
		xor	ecx, ecx
		mov	[ebp+var_2B4], eax
		lea	eax, [ebp+var_2C4]
		push	eax
		xor	eax, eax
		mov	[ebp+var_2B8], 18h
		inc	eax
		mov	[ebp+var_2AC], 240h
		push	eax
		push	ecx
		push	ecx
		lea	eax, [ebp+var_2B8]
		mov	[ebp+var_2B0], (offset loc_AF31C7+1)
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_298]
		mov	[ebp+var_2A8], ecx
		push	eax
		mov	[ebp+var_2A4], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AC88C8
		mov	ecx, [ebp+var_298]
		mov	edx, ebx
		call	_CmpAddDockingInfo@8 ; CmpAddDockingInfo(x,x)
		push	[ebp+var_298]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_298], 0

loc_AC88C8:				; CODE XREF: CmpCreateHardwareProfiles+2E5j
		xor	eax, eax
		inc	eax
		mov	bl, al
		cmp	ax, [esi+8]
		jnz	loc_AE59C2

loc_AC88D7:				; CODE XREF: CmpCreateHardwareProfiles+1D406j
		lea	eax, [ebp+var_2B8]
		mov	[ebp+var_2B8], 18h
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_298]
		mov	[ebp+var_2B4], edi
		xor	esi, esi
		mov	[ebp+var_2AC], 240h
		push	eax
		mov	[ebp+var_2B0], (offset loc_A3F61F+1)
		mov	[ebp+var_2A8], esi
		mov	[ebp+var_2A4], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	loc_AE59CD

loc_AC8929:				; CODE XREF: CmpCreateHardwareProfiles+1D432j
		lea	eax, [ebp+var_2C4]
		push	eax
		push	3
		push	esi
		push	esi
		lea	eax, [ebp+var_2B8]
		push	eax
		push	20h
		lea	eax, [ebp+var_298]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC89D4
		push	dword ptr [ebp+var_2C8]
		xor	esi, esi
		mov	eax, 100h
		mov	[ebp+var_2A0], esi
		mov	word ptr [ebp+var_2A0+2], ax
		lea	eax, [ebp+var_188]
		mov	[ebp+var_29C], eax
		lea	eax, [ebp+var_2DC]
		push	eax		; char
		lea	eax, [ebp+var_2A0]
		push	offset ??_C@_1HO@DPJFAAAO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ ; wchar_t *
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		movzx	eax, word ptr [ebp+var_2A0]
		add	esp, 10h
		push	eax
		push	[ebp+var_29C]
		push	6
		push	esi
		push	offset _CmSymbolicLinkValueName
		push	[ebp+var_298]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		xor	eax, eax
		inc	eax
		push	eax
		push	(offset	loc_A3F617+1)
		lea	eax, [ebp+var_2DC]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	loc_AE59F9

loc_AC89D4:				; CODE XREF: CmpCreateHardwareProfiles+38Bj
					; CmpCreateHardwareProfiles+1D4DEj ...
		test	bl, bl
		jz	short loc_AC8A2F
		and	[ebp+var_2D0], 0
		xor	eax, eax
		inc	eax
		mov	[ebp+var_291], 0
		push	2
		mov	[ebp-290h], ax
		mov	edx, offset _CmpHwprofileDefaultSelect@12 ; CmpHwprofileDefaultSelect(x,x,x)
		pop	eax
		mov	[ebp+var_28E], ax
		xor	eax, eax
		mov	[ebp+var_28C], ax
		lea	eax, [ebp+var_291]
		push	eax
		lea	eax, [ebp+var_2D0]
		push	eax
		push	ecx
		lea	ecx, [ebp-290h]
		call	CmSetAcpiHwProfile
		push	[ebp+var_2D0]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)

loc_AC8A2F:				; CODE XREF: CmpCreateHardwareProfiles+97j
					; CmpCreateHardwareProfiles+FAj ...
		test	edi, edi
		jz	short loc_AC8A39
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_AC8A39:				; CODE XREF: CmpCreateHardwareProfiles+46Fj
		cmp	[ebp+var_2BC], 0
		jz	short loc_AC8A4D
		push	[ebp+var_2BC]
		call	_ZwClose@4	; ZwClose(x)

loc_AC8A4D:				; CODE XREF: CmpCreateHardwareProfiles+47Ej
		cmp	[ebp+var_2C0], 0
		jz	short loc_AC8A61
		push	[ebp+var_2C0]
		call	_ZwClose@4	; ZwClose(x)

loc_AC8A61:				; CODE XREF: CmpCreateHardwareProfiles+492j
		cmp	[ebp+var_2D4], 0
		jz	short loc_AC8A75
		push	[ebp+var_2D4]
		call	_ZwClose@4	; ZwClose(x)

loc_AC8A75:				; CODE XREF: CmpCreateHardwareProfiles+4A6j
		cmp	[ebp+var_298], 0
		jz	short loc_AC8A89
		push	[ebp+var_298]
		call	_ZwClose@4	; ZwClose(x)

loc_AC8A89:				; CODE XREF: CmpCreateHardwareProfiles+4BAj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpCreateHardwareProfiles endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall CmpCreateControlSet(char)
CmpCreateControlSet proc near		; CODE XREF: CmInitSystem1(x)+4D5p
					; CmpCreateExtendedControlSets+1EA29p ...

var_1C4		= byte ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BC		= dword	ptr -1BCh
var_1B8		= dword	ptr -1B8h
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_1A8		= dword	ptr -1A8h
var_1A4		= dword	ptr -1A4h
var_1A0		= dword	ptr -1A0h
var_19C		= dword	ptr -19Ch
var_198		= byte ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_88		= dword	ptr -88h
var_80		= dword	ptr -80h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE5B0E SIZE 00000113 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1C4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_1B8]
		mov	bl, dl
		mov	edx, ecx
		pop	ecx
		rep stosd
		xor	edi, edi
		mov	dword ptr [ebp+var_1C4], edx
		mov	eax, 100h
		mov	[ebp+var_190], edi
		mov	word ptr [ebp+var_190+2], ax
		lea	eax, [ebp+var_188]
		push	edx		; char
		mov	[ebp+var_18C], eax
		lea	eax, [ebp+var_190]
		push	offset ??_C@_1CM@GKGENBLN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ ; "\\"
		push	eax		; int
		mov	[ebp+var_1C0], edi
		mov	[ebp+var_1BC], edi
		mov	[ebp+var_1A0], edi
		mov	[ebp+var_19C], edi
		mov	[ebp+var_194], edi
		mov	dword ptr [ebp+var_198], edi
		call	_RtlUnicodeStringPrintf
		mov	esi, eax
		add	esp, 0Ch
		test	esi, esi
		js	loc_AC8CE8
		lea	eax, [ebp+var_190]
		mov	[ebp+var_1B8], 18h
		mov	[ebp+var_1B0], eax
		lea	eax, [ebp+var_1B8]
		push	eax
		push	20019h
		lea	eax, [ebp+var_1A0]
		mov	[ebp+var_1B4], edi
		push	eax
		mov	[ebp+var_1AC], 240h
		mov	[ebp+var_1A8], edi
		mov	[ebp+var_1A4], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC8CE8
		mov	eax, [ebp+var_1A0]
		mov	[ebp+var_1B4], eax
		lea	eax, [ebp+var_1B8]
		push	eax
		push	20019h
		lea	eax, [ebp+var_19C]
		mov	[ebp+var_1B8], 18h
		push	eax
		mov	[ebp+var_1AC], 240h
		mov	[ebp+var_1B0], (offset loc_A3F632+6)
		mov	[ebp+var_1A8], edi
		mov	[ebp+var_1A4], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_AE5B0E
		test	esi, esi
		js	loc_AC8CE8

loc_AC8BE4:				; CODE XREF: CmpCreateControlSet+1D182j
		cmp	dword ptr [ebp+var_198], edi
		jnz	short loc_AC8C2B
		lea	eax, [ebp+var_1C0]
		push	eax
		push	80h
		lea	eax, [ebp+var_88]
		push	eax
		push	1
		push	(offset	loc_A3F69A+6)
		push	[ebp+var_19C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC8CE8
		mov	eax, [ebp+var_80]
		mov	eax, [ebp+eax+var_88]
		mov	dword ptr [ebp+var_198], eax

loc_AC8C2B:				; CODE XREF: CmpCreateControlSet+150j
		mov	eax, [ebp+var_1A0]
		mov	[ebp+var_1B4], eax
		lea	eax, [ebp+var_1BC]
		push	eax
		push	3
		push	edi
		push	edi
		lea	eax, [ebp+var_1B8]
		mov	[ebp+var_1B8], 18h
		push	eax
		push	20h
		lea	eax, [ebp+var_194]
		mov	[ebp+var_1AC], 240h
		push	eax
		mov	[ebp+var_1B0], (offset loc_AF322F+1)
		mov	[ebp+var_1A8], edi
		mov	[ebp+var_1A4], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AC8CE8
		push	dword ptr [ebp+var_198]
		mov	eax, 100h
		mov	[ebp+var_190], edi
		push	dword ptr [ebp+var_1C4]	; char
		mov	word ptr [ebp+var_190+2], ax
		lea	eax, [ebp+var_188]
		mov	[ebp+var_18C], eax
		lea	eax, [ebp+var_190]
		push	offset ??_C@_1EK@NFKNHMIJ@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ ; "\\Registry\\Machine\\%ws\\ControlSet%03d"
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		movzx	eax, word ptr [ebp+var_190]
		add	esp, 10h
		push	eax
		push	[ebp+var_18C]
		push	6
		push	edi
		push	offset _CmSymbolicLinkValueName
		push	[ebp+var_194]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax

loc_AC8CE8:				; CODE XREF: CmpCreateControlSet+8Cj
					; CmpCreateControlSet+E0j ...
		cmp	[ebp+var_194], edi
		jz	short loc_AC8CFB
		push	[ebp+var_194]
		call	_ZwClose@4	; ZwClose(x)

loc_AC8CFB:				; CODE XREF: CmpCreateControlSet+254j
		cmp	[ebp+var_19C], edi
		jz	short loc_AC8D0E
		push	[ebp+var_19C]
		call	_ZwClose@4	; ZwClose(x)

loc_AC8D0E:				; CODE XREF: CmpCreateControlSet+267j
		cmp	[ebp+var_1A0], edi
		jz	short loc_AC8D21
		push	[ebp+var_1A0]
		call	_ZwClose@4	; ZwClose(x)

loc_AC8D21:				; CODE XREF: CmpCreateControlSet+27Aj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmpCreateControlSet endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCreateRootNode(x, x, x)
_CmpCreateRootNode@12 proc near		; CODE XREF: CmpInitializePreloadedHive+2DFp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		or	[ebp+var_24], 0FFFFFFFFh
		lea	eax, [ebp+var_10]
		push	ebx
		push	esi
		push	edi
		mov	edi, ds:_CmpMasterHive
		xor	ebx, ebx
		push	offset ??_C@_1BC@KAILKFFG@?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY@PBOPGDP@ ; "REGISTRY"
		push	eax
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	ecx, [ebp+var_10]
		call	_CmpNameSize@4	; CmpNameSize(x)
		movzx	edx, ax
		mov	ecx, edi
		lea	eax, [ebp+var_24]
		add	edx, 4Ch
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		call	_HvAllocateCell@20 ; HvAllocateCell(x,x,x,x,x)
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		mov	[ecx], edx
		cmp	edx, 0FFFFFFFFh
		jz	loc_AC8E2A
		mov	eax, [edi+20h]
		mov	esi, [ebp+var_8]
		push	0Ch
		mov	[eax+24h], edx
		mov	eax, 6B6Eh
		mov	[esi], ax
		pop	eax
		mov	[esi+2], ax
		lea	eax, [ebp+var_1C]
		push	eax
		call	KeQuerySystemTime
		mov	eax, [ebp+var_1C]
		lea	ecx, [esi+4Ch]
		mov	[esi+4], eax
		lea	edx, [ebp+var_10]
		mov	eax, [ebp+var_18]
		mov	[esi+8], eax
		or	eax, 0FFFFFFFFh
		mov	[esi+10h], eax
		mov	[esi+14h], ebx
		mov	[esi+18h], ebx
		mov	[esi+1Ch], eax
		mov	[esi+20h], eax
		mov	[esi+24h], ebx
		mov	[esi+28h], eax
		mov	[esi+2Ch], eax
		mov	[esi+30h], eax
		xor	eax, eax
		mov	[esi+4Ah], ax
		mov	[esi+40h], ebx
		mov	[esi+34h], ax
		and	dword ptr [esi+34h], 0FF00FFFFh
		mov	[esi+37h], bl
		mov	[esi+3Ch], ebx
		mov	[esi+38h], ebx
		call	CmpCopyName
		mov	[esi+48h], ax
		cmp	ax, word ptr [ebp+var_10]
		jnb	short loc_AC8E19
		or	word ptr [esi+2], 20h

loc_AC8E19:				; CODE XREF: CmpCreateRootNode(x,x,x)+E0j
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	al, 1

loc_AC8E23:				; CODE XREF: CmpCreateRootNode(x,x,x)+FAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_AC8E2A:				; CODE XREF: CmpCreateRootNode(x,x,x)+5Fj
		xor	al, al
		jmp	short loc_AC8E23
_CmpCreateRootNode@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAddDockingInfo(x, x)
_CmpAddDockingInfo@8 proc near		; CODE XREF: CmpCreateHardwareProfiles+2EFp
					; CmpAddAliasEntry(x,x,x)+1C1p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	4
		mov	esi, edx
		mov	edi, ecx
		pop	ebx
		push	ebx
		movzx	eax, word ptr [esi+4]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		push	0
		push	(offset	loc_AF31B7+1)
		push	edi
		call	NtSetValueKey
		test	eax, eax
		js	short loc_AC8EB0
		movzx	eax, word ptr [esi+6]
		push	ebx
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		push	0
		push	(offset	loc_AF31CF+1)
		push	edi
		call	NtSetValueKey
		test	eax, eax
		js	short loc_AC8EB0
		mov	eax, [esi+8]
		push	ebx
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		push	0
		push	(offset	loc_AF31BF+1)
		push	edi
		call	NtSetValueKey
		test	eax, eax
		js	short loc_AC8EB0
		mov	eax, [esi+0Ch]
		push	ebx
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		push	0
		push	(offset	loc_AF31A7+1)
		push	edi
		call	NtSetValueKey

loc_AC8EB0:				; CODE XREF: CmpAddDockingInfo(x,x)+2Cj
					; CmpAddDockingInfo(x,x)+4Aj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpAddDockingInfo@8 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiInitializePfnsForValidMappings(x)
_MiInitializePfnsForValidMappings@4 proc near ;	CODE XREF: MiInitNucleus(x)+1E5p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, dword_6D07D0
		mov	eax, 40000000h
		shr	edi, 9
		mov	esi, ecx
		sub	edi, eax
		mov	edx, 0C0603FF8h
		shr	edi, 9
		and	edi, offset loc_7FFFF8
		sub	edi, eax
		push	esi
		push	1
		mov	ecx, edi
		call	MxZeroPageTablePfns
		push	esi
		push	1
		mov	edx, 0C0603FF8h
		mov	ecx, edi
		call	_MxCreatePfns@16 ; MxCreatePfns(x,x,x,x)
		xor	ecx, ecx
		call	KeFlushCurrentTbOnly
		pop	edi
		pop	esi
		pop	ecx
		retn
_MiInitializePfnsForValidMappings@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MxCopyPage	proc near		; CODE XREF: MiCreateSystemPageTable:loc_4B962Ap

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE5C21 SIZE 00000085 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_4], edx
		mov	edi, ecx
		call	MxGetPhase0Mapping
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE5C21
		mov	esi, ebx
		mov	edx, edi
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		push	0A0000004h
		mov	ecx, esi
		call	MiMakeValidPte
		mov	ecx, esi
		mov	edi, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_AE5C32

loc_AC8F4F:				; CODE XREF: MxCopyPage+1CD77j
					; MxCopyPage+1CD85j ...
		xor	ecx, ecx

loc_AC8F51:				; CODE XREF: MxCopyPage+1CD43j
					; MxCopyPage+1CD50j ...
		mov	[esi+4], edx
		nop
		mov	[esi], edi
		test	ecx, ecx
		jnz	loc_AE5C98

loc_AC8F5F:				; CODE XREF: MxCopyPage+1CD9Fj
		push	1000h		; size_t
		push	[ebp+var_4]	; void *
		push	ebx		; void *
		call	_memcpy
		mov	eax, ds:_ZeroPte
		add	esp, 0Ch
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		xor	edx, edx
		push	1
		mov	ecx, ebx
		mov	[esi+4], eax
		call	KeFlushSingleTb
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MxCopyPage	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MxRelocatePageTables(x)
_MxRelocatePageTables@4	proc near	; CODE XREF: MiInitNucleus(x)+211p

var_C		= dword	ptr -0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	edx, [ebp+var_C]
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_C]
		mov	esi, ecx
		stosd
		xor	ecx, ecx
		push	0
		stosd
		stosd
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		mov	ecx, dword_6D07D0
		mov	edi, 40000000h
		mov	edx, ds:_MmPfnDatabase
		mov	ebx, offset loc_7FFFF8
		shr	ecx, 9
		shr	edx, 9
		sub	ecx, edi
		sub	edx, edi
		shr	ecx, 9
		shr	edx, 9
		and	ecx, ebx
		and	edx, ebx
		sub	ecx, edi
		sub	edx, edi
		cmp	ecx, edx
		jnb	short loc_AC8FF2
		lea	eax, [ebp+var_C]
		add	edx, 0FFFFFFF8h
		push	eax
		push	esi
		push	1
		call	_MxMovePageTables@20 ; MxMovePageTables(x,x,x,x,x)

loc_AC8FF2:				; CODE XREF: MxRelocatePageTables(x)+51j
		mov	ecx, ds:_MxPfnAllocation
		mov	edx, 0C0603FF8h
		shl	ecx, 0Ch
		add	ecx, ds:_MmPfnDatabase
		shr	ecx, 9
		sub	ecx, edi
		shr	ecx, 9
		and	ecx, ebx
		sub	ecx, edi
		cmp	ecx, edx
		jnb	short loc_AC9025
		lea	eax, [ebp+var_C]
		add	ecx, 8
		push	eax
		push	esi
		push	1
		call	_MxMovePageTables@20 ; MxMovePageTables(x,x,x,x,x)

loc_AC9025:				; CODE XREF: MxRelocatePageTables(x)+84j
		mov	edx, 0C07FEF80h
		lea	ecx, [ebp+var_C]
		call	MxSwapPages
		mov	ecx, ds:0C07FEF80h
		nop
		mov	eax, ds:0C07FEF84h
		nop
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	esi, ecx, 1Ch
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		inc	word ptr [esi+14h]
		lea	ecx, [esi+10h]
		mov	edx, 7FFFFFFFh
		lock and [ecx],	edx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MxRelocatePageTables@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MxMovePageTables(x,	x, x, x, x)
_MxMovePageTables@20 proc near		; CODE XREF: MxRelocatePageTables(x)+5Dp
					; MxRelocatePageTables(x)+90p ...

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], edx
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		push	edi
		mov	edi, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		nop
		shrd	edi, eax, 0Ch
		and	edi, 1FFFFFFh
		cmp	esi, edx
		ja	short loc_AC9128

loc_AC90AC:				; CODE XREF: MxMovePageTables(x,x,x,x,x)+B0j
		test	esi, 0FFFh
		jz	loc_AC917A

loc_AC90B8:				; CODE XREF: MxMovePageTables(x,x,x,x,x)+126j
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		mov	edx, [esi]
		nop
		mov	ecx, [esi+4]
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	short loc_AC9120
		cmp	esi, 0C0603018h
		jz	short loc_AC9120
		cmp	esi, 0C0603000h
		jnb	loc_AC91DB

loc_AC90E4:				; CODE XREF: MxMovePageTables(x,x,x,x,x)+16Bj
		mov	ebx, [ebp+arg_0]
		test	ebx, ebx
		jnz	short loc_AC912F

loc_AC90EB:				; CODE XREF: MxMovePageTables(x,x,x,x,x)+C3j
		nop
		shrd	edx, ecx, 0Ch
		and	edx, 1FFFFFFh
		test	ebx, ebx
		jnz	loc_AC91A1
		mov	ecx, [ebp+arg_4]
		call	_MiIsRegularMemory@8 ; MiIsRegularMemory(x,x)
		test	eax, eax
		jz	short loc_AC9120

loc_AC910A:				; CODE XREF: MxMovePageTables(x,x,x,x,x)+160j
		imul	ecx, edx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	eax, [ecx+18h]
		xor	eax, edi
		and	eax, offset loc_7FFFFF
		xor	[ecx+18h], eax

loc_AC9120:				; CODE XREF: MxMovePageTables(x,x,x,x,x)+58j
					; MxMovePageTables(x,x,x,x,x)+60j ...
		add	esi, 8
		cmp	esi, [ebp+var_4]
		jbe	short loc_AC90AC

loc_AC9128:				; CODE XREF: MxMovePageTables(x,x,x,x,x)+34j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_AC912F:				; CODE XREF: MxMovePageTables(x,x,x,x,x)+73j
		mov	eax, edx
		and	eax, 80h
		or	eax, 0
		jz	short loc_AC90EB
		mov	ecx, [esi]
		nop
		mov	eax, [esi+4]
		nop
		shrd	ecx, eax, 0Ch
		mov	ebx, edi
		mov	edx, 200h
		and	ecx, 1FFFFFFh
		and	ebx, offset loc_7FFFFF
		imul	ecx, 1Ch
		add	ecx, 18h
		add	ecx, ds:_MmPfnDatabase

loc_AC9165:				; CODE XREF: MxMovePageTables(x,x,x,x,x)+100j
		mov	eax, [ecx]
		and	eax, 0FF800000h
		or	eax, ebx
		mov	[ecx], eax
		lea	ecx, [ecx+1Ch]
		sub	edx, 1
		jnz	short loc_AC9165
		jmp	short loc_AC9120
; 

loc_AC917A:				; CODE XREF: MxMovePageTables(x,x,x,x,x)+3Cj
		mov	eax, esi
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	edi, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		nop
		shrd	edi, eax, 0Ch
		and	edi, 1FFFFFFh
		jmp	loc_AC90B8
; 

loc_AC91A1:				; CODE XREF: MxMovePageTables(x,x,x,x,x)+82j
		mov	ecx, [ebp+arg_8]
		mov	edx, esi
		call	MxSwapPages
		push	[ebp+arg_8]
		mov	ecx, esi
		lea	eax, [ebx-1]
		push	[ebp+arg_4]
		shl	ecx, 9
		push	eax
		lea	edx, [ecx+0FF8h]
		call	_MxMovePageTables@20 ; MxMovePageTables(x,x,x,x,x)
		mov	edx, [esi]
		nop
		mov	eax, [esi+4]
		nop
		shrd	edx, eax, 0Ch
		and	edx, 1FFFFFFh
		jmp	loc_AC910A
; 

loc_AC91DB:				; CODE XREF: MxMovePageTables(x,x,x,x,x)+68j
		cmp	esi, 0C0603018h
		jnb	loc_AC90E4
		jmp	loc_AC9120
_MxMovePageTables@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MxCreatePfns(x, x, x, x)
_MxCreatePfns@16 proc near		; CODE XREF: MiInitializePfnsForValidMappings(x)+3Bp
					; MxCreatePfns(x,x,x,x)+1E3p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		mov	eax, edx
		mov	[ebp+var_C], ecx
		mov	esi, ecx
		mov	[ebp+var_1C], eax
		push	edi
		cmp	esi, eax
		ja	loc_AC92F8

loc_AC9209:				; CODE XREF: MxCreatePfns(x,x,x,x)+106j
		and	[ebp+var_18], 0
		and	[ebp+var_14], 0
		mov	edi, [esi]
		nop
		mov	ecx, [esi+4]
		mov	eax, edi
		and	eax, 1
		mov	[ebp+var_4], ecx
		or	eax, 0
		jz	loc_AC92E9
		nop
		and	[ebp+var_18], 0
		mov	eax, ecx
		and	[ebp+var_14], 0
		mov	ebx, edi
		shrd	ebx, eax, 0Ch
		mov	eax, esi
		shr	eax, 9
		and	ebx, 1FFFFFFh
		and	eax, offset loc_7FFFF8
		mov	ecx, [eax-40000000h]
		nop
		mov	eax, [eax-3FFFFFFCh]
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], eax
		nop
		shrd	ecx, eax, 0Ch
		xor	edx, edx
		and	ecx, 1FFFFFFh
		inc	edx
		mov	[ebp+var_8], ecx
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		call	_MiUpdateShareCount@8 ;	MiUpdateShareCount(x,x)
		cmp	[ebp+arg_0], 0
		mov	ecx, [ebp+var_4]
		jnz	short loc_AC92FF
		and	edi, 0FFFFFFFBh
		mov	eax, edi
		and	eax, 42h
		or	eax, 0
		jz	short loc_AC9297
		or	edi, 800h

loc_AC9297:				; CODE XREF: MxCreatePfns(x,x,x,x)+A3j
		mov	al, byte ptr word_6D07B8
		and	edi, 0FFFFFEFFh
		and	al, 1
		movzx	eax, al
		cdq
		shld	edx, eax, 8
		shl	eax, 8
		or	edx, ecx
		or	eax, edi
		mov	[ebp+var_C], edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], edx
		nop
		mov	ecx, [ebp+arg_4]
		mov	[esi], eax
		mov	[esi+4], edx
		mov	edx, ebx
		call	_MiIsRegularMemory@8 ; MiIsRegularMemory(x,x)
		test	eax, eax
		jz	short loc_AC92E9
		push	[ebp+var_C]
		mov	edx, esi
		mov	ecx, ebx
		push	[ebp+var_4]
		push	1
		push	0
		push	[ebp+var_8]
		call	_MxCreatePfn@28	; MxCreatePfn(x,x,x,x,x,x,x)

loc_AC92E9:				; CODE XREF: MxCreatePfns(x,x,x,x)+36j
					; MxCreatePfns(x,x,x,x)+E5j ...
		add	esi, 8
		mov	[ebp+var_C], esi
		cmp	esi, [ebp+var_1C]
		jbe	loc_AC9209

loc_AC92F8:				; CODE XREF: MxCreatePfns(x,x,x,x)+17j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_AC92FF:				; CODE XREF: MxCreatePfns(x,x,x,x)+96j
		mov	eax, edi
		xor	edx, edx
		and	eax, 80h
		or	eax, edx
		jz	loc_AC9398
		and	edi, 0FFFFFFFBh
		mov	eax, edi
		and	eax, 42h
		or	eax, edx
		jz	short loc_AC9322
		or	edi, 800h

loc_AC9322:				; CODE XREF: MxCreatePfns(x,x,x,x)+12Ej
		mov	al, byte ptr word_6D07B8
		and	edi, 0FFFFFEFFh
		and	al, 1
		movzx	eax, al
		cdq
		shld	edx, eax, 8
		shl	eax, 8
		or	edx, ecx
		or	eax, edi
		mov	[ebp+var_10], edx
		mov	[ebp+var_4], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_24], edx
		nop
		mov	edi, esi
		mov	[esi], eax
		shl	edi, 9
		mov	[esi+4], edx
		lea	eax, [edi+1000h]
		mov	[ebp+var_14], eax
		cmp	edi, eax
		jnb	short loc_AC92E9
		mov	esi, [ebp+var_4]

loc_AC9365:				; CODE XREF: MxCreatePfns(x,x,x,x)+1A2j
		mov	ecx, [ebp+arg_4]
		mov	edx, ebx
		call	_MiIsRegularMemory@8 ; MiIsRegularMemory(x,x)
		test	eax, eax
		jz	short loc_AC9387
		push	[ebp+var_10]
		mov	edx, edi
		mov	ecx, ebx
		push	esi
		push	1
		push	1
		push	[ebp+var_8]
		call	_MxCreatePfn@28	; MxCreatePfn(x,x,x,x,x,x,x)

loc_AC9387:				; CODE XREF: MxCreatePfns(x,x,x,x)+185j
		add	edi, 8
		inc	ebx
		cmp	edi, [ebp+var_14]
		jb	short loc_AC9365
		mov	esi, [ebp+var_C]
		jmp	loc_AC92E9
; 

loc_AC9398:				; CODE XREF: MxCreatePfns(x,x,x,x)+11Ej
		push	ecx
		push	edi
		push	edx
		push	edx
		push	[ebp+var_8]
		mov	edx, esi
		mov	ecx, ebx
		call	_MxCreatePfn@28	; MxCreatePfn(x,x,x,x,x,x,x)
		cmp	esi, 0C0603018h
		jz	loc_AC92E9
		cmp	esi, 0C0603000h
		jnb	short loc_AC93D9

loc_AC93BC:				; CODE XREF: MxCreatePfns(x,x,x,x)+1F9j
		push	[ebp+arg_4]
		mov	eax, [ebp+arg_0]
		mov	ecx, esi
		shl	ecx, 9
		dec	eax
		push	eax
		lea	edx, [ecx+0FF8h]
		call	_MxCreatePfns@16 ; MxCreatePfns(x,x,x,x)
		jmp	loc_AC92E9
; 

loc_AC93D9:				; CODE XREF: MxCreatePfns(x,x,x,x)+1CEj
		cmp	esi, 0C0603018h
		jb	loc_AC92E9
		jmp	short loc_AC93BC
_MxCreatePfns@16 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall MiIsRegularMemory(x, x)
_MiIsRegularMemory@8 proc near		; CODE XREF: MxMovePageTables(x,x,x,x,x)+8Bp
					; MxCreatePfns(x,x,x,x)+DEp ...
		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ds:_MxPfnMemoryDescriptorCache
		lea	ebx, [ecx+18h]
		mov	ecx, [ebx]
		push	edi
		test	esi, esi
		jz	short loc_AC9415
		mov	edi, [esi+0Ch]
		cmp	edx, edi
		jb	short loc_AC9415
		mov	eax, [esi+10h]
		add	eax, edi
		cmp	edx, eax
		jnb	short loc_AC9413

loc_AC940C:				; CODE XREF: MiIsRegularMemory(x,x)+ADj
		xor	eax, eax
		inc	eax

loc_AC940F:				; CODE XREF: MiIsRegularMemory(x,x)+BAj
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_AC9413:				; CODE XREF: MiIsRegularMemory(x,x)+22j
		mov	ecx, [esi]

loc_AC9415:				; CODE XREF: MiIsRegularMemory(x,x)+12j
					; MiIsRegularMemory(x,x)+19j
		mov	esi, ds:_MxNonPfnMemoryDescriptorCache
		test	esi, esi
		jz	short loc_AC944A
		mov	edi, [esi+0Ch]
		cmp	edx, edi
		jb	short loc_AC944A
		mov	eax, [esi+10h]
		add	eax, edi
		cmp	edx, eax
		jb	short loc_AC94A0
		cmp	edi, [ecx+0Ch]
		jbe	short loc_AC944A
		mov	ecx, [esi]
		jmp	short loc_AC944A
; 

loc_AC9438:				; CODE XREF: MiIsRegularMemory(x,x)+64j
		mov	esi, [ecx+0Ch]
		cmp	edx, esi
		jb	short loc_AC94A0
		mov	eax, [ecx+10h]
		add	eax, esi
		cmp	edx, eax
		jb	short loc_AC9450
		mov	ecx, [ecx]

loc_AC944A:				; CODE XREF: MiIsRegularMemory(x,x)+35j
					; MiIsRegularMemory(x,x)+3Cj ...
		cmp	ecx, ebx
		jnz	short loc_AC9438
		jmp	short loc_AC94A0
; 

loc_AC9450:				; CODE XREF: MiIsRegularMemory(x,x)+5Ej
		mov	eax, [ecx+8]
		and	eax, 3FFFFFFFh
		cmp	eax, 20h
		jz	short loc_AC949A
		cmp	eax, 1Eh
		jz	short loc_AC949A
		cmp	eax, 1Fh
		jz	short loc_AC949A
		cmp	eax, 6
		jz	short loc_AC949A
		cmp	eax, 22h
		jz	short loc_AC949A
		cmp	eax, 17h
		jz	short loc_AC949A
		cmp	eax, 3
		jz	short loc_AC949A
		cmp	eax, 16h
		jz	short loc_AC949A
		cmp	eax, 26h
		jz	short loc_AC949A
		cmp	eax, 27h
		jz	short loc_AC949A
		cmp	eax, 28h
		jz	short loc_AC949A
		mov	ds:_MxPfnMemoryDescriptorCache,	ecx
		jmp	loc_AC940C
; 

loc_AC949A:				; CODE XREF: MiIsRegularMemory(x,x)+73j
					; MiIsRegularMemory(x,x)+78j ...
		mov	ds:_MxNonPfnMemoryDescriptorCache, ecx

loc_AC94A0:				; CODE XREF: MiIsRegularMemory(x,x)+45j
					; MiIsRegularMemory(x,x)+55j ...
		xor	eax, eax
		jmp	loc_AC940F
_MiIsRegularMemory@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MxSwapPages	proc near		; CODE XREF: MxRelocatePageTables(x)+9Dp
					; MxMovePageTables(x,x,x,x,x)+130p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE5CA6 SIZE 00000060 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		and	[ebp+var_1C], 0
		mov	eax, edx
		push	ebx
		push	esi
		push	edi
		mov	ebx, [eax]
		mov	edi, ecx
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], ebx
		nop
		mov	eax, [eax+4]
		mov	[ebp+var_18], eax
		nop
		shrd	ebx, eax, 0Ch
		and	ebx, 1FFFFFFh
		mov	[ebp+var_1C], ebx
		call	MxGetPhase0Mapping
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	loc_AC9693
		mov	ecx, [edi]
		xor	esi, esi
		inc	esi
		lock xadd [ecx], esi
		inc	esi
		mov	edx, [edi+4]
		dec	esi
		and	edx, esi
		mov	ecx, offset _MiSystemPartition
		or	edx, [edi+8]
		push	8
		call	MiGetPage
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jz	loc_AC9693
		imul	eax, ebx, 1Ch
		imul	esi, edi, 1Ch
		add	eax, ds:_MmPfnDatabase
		add	esi, ds:_MmPfnDatabase
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, esi
		mov	bl, al
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		mov	eax, [ebp+var_C]
		mov	ecx, esi
		push	1
		movzx	edx, byte ptr [eax+16h]
		shr	edx, 6
		call	_MiFinalizePageAttribute@12 ; MiFinalizePageAttribute(x,x,x)
		mov	edx, [ebp+var_C]
		push	ecx
		mov	ecx, esi
		call	_MiCopyPfnEntryEx@12 ; MiCopyPfnEntryEx(x,x,x)
		mov	ecx, 7FFFFFFFh
		lea	eax, [esi+10h]
		lock and [eax],	ecx
		mov	eax, [ebp+var_C]
		add	eax, 10h
		lock and [eax],	ecx
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	esi, [ebp+var_8]
		mov	edx, edi
		shr	esi, 9
		and	esi, offset loc_7FFFF8
		sub	esi, 40000000h
		push	0A0000004h
		mov	ecx, esi
		call	MiMakeValidPte
		and	[ebp+var_4], 0
		mov	ecx, esi
		mov	ebx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_AE5CA6
		mov	ecx, [ebp+var_4]

loc_AC95A9:				; CODE XREF: MxSwapPages+1C811j
					; MxSwapPages+1C81Fj ...
		mov	[esi+4], edx
		nop
		mov	[esi], ebx
		test	ecx, ecx
		jnz	loc_AE5CF8

loc_AC95B7:				; CODE XREF: MxSwapPages+1C859j
		mov	ebx, [ebp+var_10]
		shl	ebx, 9
		push	1000h		; size_t
		push	ebx		; void *
		push	[ebp+var_8]	; void *
		mov	[ebp+var_4], ebx
		call	_memcpy
		mov	eax, ebx
		add	esp, 0Ch
		xor	eax, esi
		test	eax, 0FFFFF000h
		mov	eax, ds:_ZeroPte
		jz	loc_AC9698
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+4], eax

loc_AC95F0:				; CODE XREF: MxSwapPages+209j
		mov	eax, [ebp+var_14]
		and	edi, 1FFFFFFh
		mov	edx, [ebp+var_18]
		xor	ecx, ecx
		shld	ecx, edi, 0Ch
		and	eax, 0FFFh
		and	edx, 0FFFFFFE0h
		shl	edi, 0Ch
		or	ecx, edx
		or	edi, eax
		mov	[ebp+var_24], ecx
		or	edi, 20h
		mov	[ebp+var_18], edi
		mov	[ebp+var_28], edi
		nop

loc_AC961E:				; CODE XREF: MxSwapPages+192j
					; MxSwapPages+197j
		mov	eax, [ebp+var_10]
		mov	esi, [eax]
		mov	edx, [eax+4]
		mov	eax, esi
		mov	[ebp+var_14], edx
		nop
		mov	ebx, edi
		mov	edi, [ebp+var_10]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_18]
		cmp	eax, esi
		jnz	short loc_AC961E
		cmp	edx, [ebp+var_14]
		jnz	short loc_AC961E
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		push	1
		call	KeFlushSingleTb
		mov	ecx, [ebp+var_8]
		xor	edx, edx
		push	1
		call	KeFlushSingleTb
		mov	esi, [ebp+var_C]
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+var_1C]
		lea	edi, [esi+10h]
		and	dword ptr [edi], 0C0000000h
		mov	bl, al
		xor	eax, eax
		push	2
		mov	[esi+14h], ax
		and	byte ptr [esi+16h], 0D7h
		pop	edx
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		mov	eax, 7FFFFFFFh
		lock and [edi],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_AC9693:				; CODE XREF: MxSwapPages+3Aj
					; MxSwapPages+64j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AC9698:				; CODE XREF: MxSwapPages+137j
		mov	ecx, [ebp+var_8]
		shr	esi, 3
		and	esi, 1FFh
		mov	[ecx+esi*8], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[ecx+esi*8+4], eax
		jmp	loc_AC95F0
MxSwapPages	endp


;  S U B	R O U T	I N E 


MxGetPhase0Mapping proc	near		; CODE XREF: MiFillPhysicalPages:loc_4B9BBDp
					; MxCopyPage+Ep ...

; FUNCTION CHUNK AT 00AE5D06 SIZE 0000001D BYTES

		mov	eax, ds:_MiHalScratchPte
		test	eax, eax
		jz	short loc_AC96C3
		shl	eax, 9
		retn
; 

loc_AC96C3:				; CODE XREF: MxGetPhase0Mapping+7j
		mov	edx, ds:_MiLowHalVa
		shr	edx, 12h
		push	edi
		and	edx, 3FF8h
		mov	edi, 0FFFh
		sub	edx, 3FA00000h
		push	esi

loc_AC96DF:				; CODE XREF: MxGetPhase0Mapping+1C660j
		mov	eax, [edx]
		and	eax, 1
		or	eax, 0
		jz	loc_AE5D11
		mov	esi, edx
		shl	esi, 9

loc_AC96F2:				; CODE XREF: MxGetPhase0Mapping+1C655j
		mov	ecx, [esi]
		nop
		or	ecx, [esi+4]
		jnz	loc_AE5D06
		mov	ds:_MiHalScratchPte, esi
		shl	esi, 9
		mov	eax, esi

loc_AC9709:				; CODE XREF: MxGetPhase0Mapping+1C668j
		pop	esi
		pop	edi
		retn
MxGetPhase0Mapping endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MxZeroPageTablePfns proc near		; CODE XREF: MiInitializePfnsForValidMappings(x)+2Cp
					; MxZeroPageTablePfns+1C629p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00AE5D23 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	eax, edx
		mov	ebx, ecx
		mov	[ebp+var_14], eax
		push	esi
		push	edi
		cmp	ebx, eax
		ja	short loc_AC9745

loc_AC9722:				; CODE XREF: MxZeroPageTablePfns+37j
		mov	ecx, [ebx]
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		mov	[ebp+var_4], ecx
		nop
		mov	edx, [ebx+4]
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jnz	short loc_AC974C

loc_AC973D:				; CODE XREF: MxZeroPageTablePfns+9Cj
					; MxZeroPageTablePfns+AEj ...
		add	ebx, 8
		cmp	ebx, [ebp+var_14]
		jbe	short loc_AC9722

loc_AC9745:				; CODE XREF: MxZeroPageTablePfns+14j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_AC974C:				; CODE XREF: MxZeroPageTablePfns+2Fj
		nop
		mov	eax, ecx
		shrd	eax, edx, 0Ch
		and	eax, 1FFFFFFh
		imul	eax, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_C], eax
		mov	eax, ebx
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	esi, [eax-40000000h]
		nop
		mov	edx, [eax-3FFFFFFCh]
		nop
		shrd	esi, edx, 0Ch
		mov	edx, [ebp+arg_0]
		xor	eax, eax
		and	esi, 1FFFFFFh
		imul	edi, esi, 1Ch
		push	7
		pop	ecx
		add	edi, ds:_MmPfnDatabase
		rep stosd
		test	edx, edx
		jz	short loc_AC97AA
		mov	eax, [ebp+var_4]
		and	eax, 80h
		or	eax, 0
		jnz	short loc_AC973D

loc_AC97AA:				; CODE XREF: MxZeroPageTablePfns+8Fj
		mov	edi, [ebp+var_C]
		xor	eax, eax
		push	7
		pop	ecx
		rep stosd
		cmp	ebx, 0C0603018h
		jz	short loc_AC973D
		cmp	ebx, 0C0603000h
		jnb	short loc_AC97D2

loc_AC97C4:				; CODE XREF: MxZeroPageTablePfns+D2j
		cmp	edx, 1
		jle	loc_AC973D
		jmp	loc_AE5D23
; 

loc_AC97D2:				; CODE XREF: MxZeroPageTablePfns+B6j
		cmp	ebx, 0C0603018h
		jb	loc_AC973D
		jmp	short loc_AC97C4
MxZeroPageTablePfns endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpParseInfBuffer proc near		; CODE XREF: EmpParseInfDatabase+38p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE5D3F SIZE 00000169 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], 0
		lea	edi, [ebp+var_28]
		mov	ebx, edx
		stosd
		mov	esi, ecx
		push	69704D43h
		push	18h
		push	1
		stosd
		stosd
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AE5D3F
		xor	edx, edx
		mov	[ebp+var_18], esi
		xor	ecx, ecx
		mov	[edi], edx
		lea	eax, [esi+ebx]
		mov	[edi+4], edx
		inc	ecx
		mov	[edi+8], edx
		mov	[edi+0Ch], edx
		mov	bl, dl
		mov	[edi+10h], edx
		mov	bh, dl
		mov	[edi+14h], edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_14], ecx

loc_AC9842:				; CODE XREF: CmpParseInfBuffer+F2j
		lea	ecx, [ebp+var_28]
		mov	edx, eax
		push	ecx
		lea	ecx, [ebp+var_18]
		call	CmpGetToken
		mov	eax, [ebp+var_4]
		mov	esi, [ebp+var_28]
		dec	eax
		cmp	eax, 9		; switch 10 cases
		ja	loc_AE5E6C	; default
		jmp	ds:off_AC9A40[eax*4] ; switch jump

loc_AC9867:				; DATA XREF: INIT:off_AC9A40o
		mov	eax, esi	; case 0x4
		sub	eax, 0
		jz	loc_AC9A2C
		sub	eax, 1
		jz	short loc_AC98C0
		sub	eax, 1
		jz	loc_AC9A25
		dec	eax
		sub	eax, 1
		jnz	loc_AC9A37
		mov	al, byte ptr [ebp+var_20]
		mov	ecx, [ebp+var_24]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_8], al
		push	6
		jmp	short loc_AC98BC
; 

loc_AC989A:				; CODE XREF: CmpParseInfBuffer+80j
					; DATA XREF: INIT:off_AC9A40o
		mov	eax, esi	; case 0x6
		sub	eax, 4
		jnz	loc_AE5E42
		push	[ebp+var_20]

loc_AC98A8:				; CODE XREF: CmpParseInfBuffer+186j
		mov	edx, [ebp+var_24]
		mov	ecx, edi
		call	_CmpAppendValue@12 ; CmpAppendValue(x,x,x)
		test	al, al
		jz	loc_AC9A37
		push	9

loc_AC98BC:				; CODE XREF: CmpParseInfBuffer+B8j
					; CmpParseInfBuffer+12Dj ...
		pop	eax
		mov	[ebp+var_4], eax

loc_AC98C0:				; CODE XREF: CmpParseInfBuffer+95j
					; CmpParseInfBuffer+1C3j ...
		test	bh, bh
		jnz	loc_AE5D48
		cmp	esi, 1
		jz	short loc_AC98E9

loc_AC98CD:				; CODE XREF: CmpParseInfBuffer+10Cj
					; CmpParseInfBuffer+1C5A6j
		mov	eax, [ebp+var_1C]
		test	bl, bl
		jz	loc_AC9842
		test	edi, edi
		jz	short loc_AC98E0
		and	dword ptr [edi+4], 0

loc_AC98E0:				; CODE XREF: CmpParseInfBuffer+FAj
		mov	eax, edi

loc_AC98E2:				; CODE XREF: CmpParseInfBuffer+1C561j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_AC98E9:				; CODE XREF: CmpParseInfBuffer+EBj
		inc	[ebp+var_14]
		jmp	short loc_AC98CD
; 

loc_AC98EE:				; CODE XREF: CmpParseInfBuffer+80j
					; DATA XREF: INIT:off_AC9A40o
		mov	eax, esi	; case 0x8
		sub	eax, 0
		jz	loc_AC9A2C
		sub	eax, 1
		jz	loc_AC998E
		sub	eax, 5
		jnz	loc_AC9A37

loc_AC990B:				; CODE XREF: CmpParseInfBuffer+1C60Bj
		push	7
		jmp	short loc_AC98BC
; 

loc_AC990F:				; CODE XREF: CmpParseInfBuffer+80j
					; DATA XREF: INIT:off_AC9A40o
		mov	eax, esi	; case 0x5
		sub	eax, 0
		jz	loc_AE5E19
		sub	eax, 1
		jz	loc_AE5DF0
		sub	eax, 4
		jnz	loc_AE5DB7
		push	dword ptr [ebp+var_8]
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	_CmpAppendLine@12 ; CmpAppendLine(x,x,x)
		test	al, al
		jz	loc_AC9A37
		and	[ebp+var_C], 0
		push	8
		jmp	loc_AC98BC
; 

loc_AC994C:				; CODE XREF: CmpParseInfBuffer+80j
					; DATA XREF: INIT:off_AC9A40o
		mov	eax, esi	; case 0x7
		sub	eax, 0
		jz	loc_AE5E7E
		sub	eax, 1
		jz	short loc_AC996B
		sub	eax, 3
		jnz	loc_AC9A37
		push	eax
		jmp	loc_AC98A8
; 

loc_AC996B:				; CODE XREF: CmpParseInfBuffer+17Aj
		mov	eax, offset _EmptyValue
		mov	byte ptr [ebp+var_20], 0
		push	0
		mov	edx, eax
		mov	[ebp+var_24], eax
		mov	ecx, edi
		mov	[ebp+var_8], 0
		call	_CmpAppendValue@12 ; CmpAppendValue(x,x,x)
		test	al, al
		jz	loc_AE5E75

loc_AC998E:				; CODE XREF: CmpParseInfBuffer+11Cj
					; CmpParseInfBuffer+1C634j
		push	5
		jmp	loc_AC98BC
; 

loc_AC9995:				; CODE XREF: CmpParseInfBuffer+80j
					; DATA XREF: INIT:off_AC9A40o
		mov	eax, esi	; case 0x0
		sub	eax, 0
		jz	loc_AC9A2C
		sub	eax, 1
		jz	loc_AC98C0
		sub	eax, 1
		jnz	loc_AC9A33
		mov	[ebp+var_4], 2
		jmp	loc_AC98C0
; 

loc_AC99BE:				; CODE XREF: CmpParseInfBuffer+80j
					; DATA XREF: INIT:off_AC9A40o
		push	3		; case 0x1
		mov	eax, esi
		pop	ecx
		sub	eax, ecx
		jz	loc_AE5D8B
		sub	eax, 1
		jnz	short loc_AC9A37
		mov	eax, [ebp+var_24]
		mov	[ebp+var_4], ecx
		mov	cl, byte ptr [ebp+var_20]
		mov	[ebp+var_10], eax
		mov	[ebp+var_8], cl
		jmp	loc_AC98C0
; 

loc_AC99E4:				; CODE XREF: CmpParseInfBuffer+80j
					; DATA XREF: INIT:off_AC9A40o
		cmp	esi, 3		; case 0x2
		jnz	short loc_AC9A37

loc_AC99E9:				; CODE XREF: CmpParseInfBuffer+1C5BAj
		mov	[ebp+var_4], 4
		jmp	loc_AC98C0
; 

loc_AC99F5:				; CODE XREF: CmpParseInfBuffer+80j
					; DATA XREF: INIT:off_AC9A40o
		mov	eax, esi	; case 0x3
		sub	eax, 0
		jz	loc_AE5D9F
		sub	eax, 1
		jnz	short loc_AC9A37
		push	dword ptr [ebp+var_8] ;	char
		mov	edx, [ebp+var_10] ; char *
		mov	ecx, edi	; int
		call	CmpAppendSection
		test	al, al
		jz	short loc_AC9A37
		push	5
		pop	eax
		mov	[ebp+var_4], eax

loc_AC9A1C:				; CODE XREF: CmpParseInfBuffer+1C5D2j
		and	[ebp+var_10], 0
		jmp	loc_AC98C0
; 

loc_AC9A25:				; CODE XREF: CmpParseInfBuffer+9Aj
		push	2
		jmp	loc_AC98BC
; 

loc_AC9A2C:				; CODE XREF: CmpParseInfBuffer+8Cj
					; CmpParseInfBuffer+113j ...
		mov	bl, 1
		jmp	loc_AC98C0
; 

loc_AC9A33:				; CODE XREF: CmpParseInfBuffer+1CCj
		dec	eax
		sub	eax, 1

loc_AC9A37:				; CODE XREF: CmpParseInfBuffer+A4j
					; CmpParseInfBuffer+D4j ...
		mov	bl, 1
		jmp	loc_AE5D46
CmpParseInfBuffer endp

; 
		align 10h
off_AC9A40	dd offset loc_AC9995	; DATA XREF: CmpParseInfBuffer+80r
		dd offset loc_AC99BE	; jump table for switch	statement
		dd offset loc_AC99E4
		dd offset loc_AC99F5
		dd offset loc_AC9867
		dd offset loc_AC990F
		dd offset loc_AC989A
		dd offset loc_AC994C
		dd offset loc_AC98EE
		dd offset loc_AC98EE

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetToken	proc near		; CODE XREF: CmpParseInfBuffer+6Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE5EA8 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		mov	ebx, [ebp+arg_0]
		push	esi
		mov	esi, [ecx]
		push	edi
		and	dword ptr [ebx+4], 0
		mov	edi, edx
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], ecx
		mov	byte ptr [ebx+8], 0

loc_AC9A88:				; CODE XREF: CmpGetToken+14Bj
		mov	byte ptr [ebp+arg_0+3],	1
		cmp	esi, edi
		jnb	short loc_AC9AC2

loc_AC9A90:				; CODE XREF: CmpGetToken+3Fj
		mov	al, [esi]
		cmp	al, 0Ah
		jz	short loc_AC9AA9
		movzx	eax, al
		push	eax		; int
		call	_isspace
		pop	ecx
		test	eax, eax
		jz	short loc_AC9AA9
		inc	esi
		cmp	esi, edi
		jb	short loc_AC9A90

loc_AC9AA9:				; CODE XREF: CmpGetToken+2Cj
					; CmpGetToken+3Aj
		cmp	esi, edi
		jnb	short loc_AC9ABF
		mov	al, [esi]
		cmp	al, 3Bh
		jz	loc_AC9BC8
		cmp	al, 23h
		jz	loc_AC9BC8

loc_AC9ABF:				; CODE XREF: CmpGetToken+43j
					; CmpGetToken+163j ...
		mov	ecx, [ebp+var_4]

loc_AC9AC2:				; CODE XREF: CmpGetToken+26j
		mov	edx, esi
		mov	[ebp+var_10], edx
		cmp	esi, edi
		jnb	loc_AC9CA7
		mov	al, [esi]
		cmp	al, 1Ah
		jz	loc_AC9CA7
		movsx	eax, al
		sub	eax, 0Ah
		jz	loc_AC9BA5
		sub	eax, 18h
		jz	loc_AC9C53
		sub	eax, 0Ah
		jz	loc_AC9BC0
		sub	eax, 11h
		jz	loc_AC9C2F
		sub	eax, 1Eh
		jz	loc_AC9C9C
		sub	eax, 1
		jz	loc_AC9BDB
		sub	eax, 1
		jz	loc_AC9C91

loc_AC9B1B:				; CODE XREF: CmpGetToken+1C443j
		mov	[ebp+var_C], esi
		cmp	esi, edi
		jnb	loc_AE5EBB

loc_AC9B26:				; CODE XREF: CmpGetToken+D5j
		movsx	eax, byte ptr [esi]
		push	eax		; int
		push	offset _StringTerminators ; char *
		call	_strchr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_AC9B3F
		inc	esi
		cmp	esi, edi
		jb	short loc_AC9B26

loc_AC9B3F:				; CODE XREF: CmpGetToken+D0j
		mov	ecx, [ebp+var_C]
		cmp	esi, ecx
		jz	loc_AE5EBB
		mov	eax, esi
		sub	eax, ecx
		mov	[ebp+var_10], eax
		lea	ecx, [eax+1]
		mov	[ebp+var_14], ecx
		cmp	ecx, eax
		jb	loc_AE5EB0
		push	69704D43h
		push	ecx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_AE5EB0
		push	[ebp+var_10]
		push	[ebp+var_C]
		push	[ebp+var_14]
		push	eax
		call	_strncpy_s
		mov	ecx, [ebp+var_18]
		add	esp, 10h
		mov	eax, [ebp+var_10]
		mov	dword ptr [ebx], 4
		mov	[ebx+4], ecx
		mov	byte ptr [ebx+8], 1
		mov	byte ptr [eax+ecx], 0

loc_AC9BA0:				; CODE XREF: CmpGetToken+224j
					; CmpGetToken+1C44Ej ...
		mov	ecx, [ebp+var_4]
		jmp	short loc_AC9BAC
; 

loc_AC9BA5:				; CODE XREF: CmpGetToken+77j
		mov	dword ptr [ebx], 1

loc_AC9BAB:				; CODE XREF: CmpGetToken+15Ej
					; CmpGetToken+1CDj ...
		inc	esi

loc_AC9BAC:				; CODE XREF: CmpGetToken+13Bj
		mov	al, byte ptr [ebp+arg_0+3]

loc_AC9BAF:				; CODE XREF: CmpGetToken+1C5j
		mov	[ecx], esi
		test	al, al
		jz	loc_AC9A88

loc_AC9BB9:				; CODE XREF: CmpGetToken+248j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_AC9BC0:				; CODE XREF: CmpGetToken+89j
		mov	dword ptr [ebx], 6
		jmp	short loc_AC9BAB
; 

loc_AC9BC8:				; CODE XREF: CmpGetToken+49j
					; CmpGetToken+51j ...
		cmp	byte ptr [esi],	0Ah
		jz	loc_AC9ABF
		inc	esi
		cmp	esi, edi
		jb	short loc_AC9BC8
		jmp	loc_AC9ABF
; 

loc_AC9BDB:				; CODE XREF: CmpGetToken+A4j
		mov	eax, [ebp+var_8]
		inc	esi
		mov	edi, esi
		cmp	esi, eax
		jnb	short loc_AC9C05

loc_AC9BE5:				; CODE XREF: CmpGetToken+198j
		mov	cl, [edi]
		cmp	cl, 0Ah
		jz	short loc_AC9C02
		movzx	eax, cl
		push	eax		; int
		call	_isspace
		test	eax, eax
		mov	eax, [ebp+var_8]
		pop	ecx
		jz	short loc_AC9C02
		inc	edi
		cmp	edi, eax
		jb	short loc_AC9BE5

loc_AC9C02:				; CODE XREF: CmpGetToken+182j
					; CmpGetToken+193j
		mov	edx, [ebp+var_10]

loc_AC9C05:				; CODE XREF: CmpGetToken+17Bj
		mov	cl, [edi]
		cmp	cl, 3Bh
		jz	short loc_AC9C3A
		cmp	cl, 23h
		jz	short loc_AC9C3A

loc_AC9C11:				; CODE XREF: CmpGetToken+1E2j
					; CmpGetToken+1E9j
		cmp	edi, eax
		jnb	loc_AE5EC9
		cmp	byte ptr [edi],	0Ah
		jnz	loc_AE5EA8
		mov	ecx, [ebp+var_4]
		lea	esi, [edi+1]
		mov	edi, [ebp+var_8]
		xor	al, al
		jmp	short loc_AC9BAF
; 

loc_AC9C2F:				; CODE XREF: CmpGetToken+92j
		mov	dword ptr [ebx], 5
		jmp	loc_AC9BAB
; 

loc_AC9C3A:				; CODE XREF: CmpGetToken+1A2j
					; CmpGetToken+1A7j
		lea	esi, [edx+2]
		mov	edi, esi
		cmp	esi, eax
		jnb	loc_AE5EC9

loc_AC9C47:				; CODE XREF: CmpGetToken+1E7j
		cmp	byte ptr [edi],	0Ah
		jz	short loc_AC9C11
		inc	edi
		cmp	edi, eax
		jb	short loc_AC9C47
		jmp	short loc_AC9C11
; 

loc_AC9C53:				; CODE XREF: CmpGetToken+80j
		inc	esi
		mov	[ebp+var_18], esi
		cmp	esi, edi
		jnb	short loc_AC9CB5

loc_AC9C5B:				; CODE XREF: CmpGetToken+20Aj
		movsx	eax, byte ptr [esi]
		push	eax		; int
		push	(offset	loc_AF6712+4) ;	char *
		call	_strchr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_AC9C74
		inc	esi
		cmp	esi, edi
		jb	short loc_AC9C5B

loc_AC9C74:				; CODE XREF: CmpGetToken+205j
		cmp	esi, edi
		jnb	short loc_AC9CB5
		cmp	byte ptr [esi],	22h
		jnz	short loc_AC9CB5
		mov	eax, [ebp+var_18]
		mov	byte ptr [esi],	0
		inc	esi
		mov	[ebx+4], eax
		push	4

loc_AC9C89:				; CODE XREF: CmpGetToken+24Fj
		pop	eax
		mov	[ebx], eax
		jmp	loc_AC9BA0
; 

loc_AC9C91:				; CODE XREF: CmpGetToken+ADj
		mov	dword ptr [ebx], 3
		jmp	loc_AC9BAB
; 

loc_AC9C9C:				; CODE XREF: CmpGetToken+9Bj
		mov	dword ptr [ebx], 2
		jmp	loc_AC9BAB
; 

loc_AC9CA7:				; CODE XREF: CmpGetToken+61j
					; CmpGetToken+6Bj
		and	dword ptr [ebx], 0
		and	dword ptr [ebx+4], 0
		mov	[ecx], esi
		jmp	loc_AC9BB9
; 

loc_AC9CB5:				; CODE XREF: CmpGetToken+1F1j
					; CmpGetToken+20Ej ...
		push	7
		jmp	short loc_AC9C89
CmpGetToken	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAppendValue(x, x, x)
_CmpAppendValue@12 proc	near		; CODE XREF: CmpParseInfBuffer+CDp
					; CmpParseInfBuffer+1A1p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		cmp	dword ptr [esi+8], 0
		jz	short loc_AC9D0B
		test	edi, edi
		jz	short loc_AC9D0B
		push	69704D43h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_AC9D0B
		mov	al, [ebp+arg_0]
		and	dword ptr [ecx], 0
		mov	[ecx+4], edi
		mov	[ecx+8], al
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_AC9D03
		mov	[eax], ecx

loc_AC9CF8:				; CODE XREF: CmpAppendValue(x,x,x)+4Fj
		mov	[esi+0Ch], ecx
		mov	al, 1

loc_AC9CFD:				; CODE XREF: CmpAppendValue(x,x,x)+53j
		pop	edi
		pop	esi
		pop	ebp
		retn	4
; 

loc_AC9D03:				; CODE XREF: CmpAppendValue(x,x,x)+3Aj
		mov	eax, [esi+8]
		mov	[eax+8], ecx
		jmp	short loc_AC9CF8
; 

loc_AC9D0B:				; CODE XREF: CmpAppendValue(x,x,x)+Fj
					; CmpAppendValue(x,x,x)+13j ...
		xor	al, al
		jmp	short loc_AC9CFD
_CmpAppendValue@12 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAppendLine(x, x,	x)
_CmpAppendLine@12 proc near		; CODE XREF: CmpParseInfBuffer+154p
					; CmpParseInfBuffer+1C5E5p ...

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, ecx
		xor	ebx, ebx
		push	edi
		mov	edi, edx
		cmp	[esi+4], ebx
		jz	short loc_AC9D65
		push	69704D43h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_AC9D65
		mov	al, [ebp+arg_0]
		mov	[ecx], ebx
		mov	[ecx+8], ebx
		mov	[ecx+4], edi
		mov	[ecx+0Ch], al
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_AC9D5D
		mov	[eax], ecx

loc_AC9D4E:				; CODE XREF: CmpAppendLine(x,x,x)+53j
		mov	[esi+8], ecx
		mov	al, 1
		mov	[esi+0Ch], ebx

loc_AC9D56:				; CODE XREF: CmpAppendLine(x,x,x)+57j
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_AC9D5D:				; CODE XREF: CmpAppendLine(x,x,x)+3Aj
		mov	eax, [esi+4]
		mov	[eax+8], ecx
		jmp	short loc_AC9D4E
; 

loc_AC9D65:				; CODE XREF: CmpAppendLine(x,x,x)+11j
					; CmpAppendLine(x,x,x)+25j
		xor	al, al
		jmp	short loc_AC9D56
_CmpAppendLine@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall CmpAppendSection(int,char *,char)
CmpAppendSection proc near		; CODE XREF: CmpParseInfBuffer+22Dp
					; CmpParseInfBuffer+1C5C7p

arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00AE5ED7 SIZE 00000019 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ebx, edx
		test	edi, edi
		jz	loc_AC9E13
		test	ebx, ebx
		jz	loc_AC9E13
		mov	esi, [edi]
		test	esi, esi
		jz	short loc_AC9DAE

loc_AC9D8C:				; CODE XREF: CmpAppendSection+3Aj
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_AC9DA0
		push	ebx		; char *
		push	eax		; char *
		call	__stricmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AC9DA6

loc_AC9DA0:				; CODE XREF: CmpAppendSection+27j
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_AC9D8C

loc_AC9DA6:				; CODE XREF: CmpAppendSection+34j
		test	esi, esi
		jnz	loc_AE5ED7

loc_AC9DAE:				; CODE XREF: CmpAppendSection+20j
		push	69704D43h
		push	10h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_AC9E13
		and	dword ptr [esi], 0
		mov	cl, [ebp+arg_0]
		and	dword ptr [esi+8], 0
		push	7		; size_t
		mov	[esi+4], ebx
		mov	[esi+0Ch], cl
		mov	ecx, [edi]
		push	offset ??_C@_07BJOIOONN@Strings@PBOPGDP@ ; char	*
		mov	[esi], ecx
		push	ebx		; char *
		mov	[edi], esi
		call	__strnicmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_AC9E01

loc_AC9DEC:				; CODE XREF: CmpAppendSection+A2j
					; CmpAppendSection+A7j
		xor	eax, eax

loc_AC9DEE:				; CODE XREF: CmpAppendSection+1C172j
					; CmpAppendSection+1C17Cj
		mov	[edi+8], eax
		mov	al, 1
		and	dword ptr [edi+0Ch], 0
		mov	[edi+4], esi

loc_AC9DFA:				; CODE XREF: CmpAppendSection+ABj
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	4
; 

loc_AC9E01:				; CODE XREF: CmpAppendSection+80j
		xor	eax, eax
		cmp	[ebx+7], al
		setz	al
		cmp	eax, [edi+10h]
		jle	short loc_AC9DEC
		mov	[edi+14h], esi
		jmp	short loc_AC9DEC
; 

loc_AC9E13:				; CODE XREF: CmpAppendSection+Ej
					; CmpAppendSection+16j	...
		xor	al, al
		jmp	short loc_AC9DFA
CmpAppendSection endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiAddLoaderHalIoPte proc near		; DATA XREF: MiAddLoaderHalIoMappings(x,x)+38o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00AE5EF0 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_4]
		push	ebx
		push	esi
		push	edi
		mov	edi, [eax]
		xor	ebx, ebx
		nop
		mov	ecx, [eax+4]
		mov	eax, edi
		and	eax, 1
		or	eax, ebx
		jz	short loc_AC9E64
		nop
		mov	esi, edi
		shrd	esi, ecx, 0Ch
		and	esi, 1FFFFFFh
		cmp	esi, dword_6D07B0
		ja	short loc_AC9E6D
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_AC9E6D

loc_AC9E64:				; CODE XREF: MiAddLoaderHalIoPte+1Cj
					; MiAddLoaderHalIoPte+92j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	0Ch
; 

loc_AC9E6D:				; CODE XREF: MiAddLoaderHalIoPte+31j
					; MiAddLoaderHalIoPte+4Aj
		mov	eax, edi
		and	eax, 80h
		or	eax, ebx
		jnz	loc_AE5EF0
		xor	edx, edx
		inc	edx

loc_AC9E7F:				; CODE XREF: MiAddLoaderHalIoPte+1C0E3j
					; MiAddLoaderHalIoPte+1C0F2j
		mov	ecx, edi
		xor	ebx, ebx
		and	ecx, 10h
		inc	ebx
		mov	eax, ecx
		or	eax, 0
		jz	loc_AE5F0F

loc_AC9E92:				; CODE XREF: MiAddLoaderHalIoPte+1C0FDj
		or	ecx, 0
		jz	short loc_AC9E99
		xor	ebx, ebx

loc_AC9E99:				; CODE XREF: MiAddLoaderHalIoPte+7Dj
					; MiAddLoaderHalIoPte+1C106j
		push	ecx
		push	0
		push	0
		push	ebx
		xor	ecx, ecx
		push	edx
		mov	edx, esi
		inc	ecx
		call	MiReferenceIoPages
		jmp	short loc_AC9E64
MiAddLoaderHalIoPte endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpOpenSystemDriverHiveContext proc near ; CODE	XREF: CmGetSystemDriverList+93p
					; CmGetSystemDriverList+1BF53p	...

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE5F23 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+38h+var_18]
		and	[esp+38h+var_2C], eax
		mov	ebx, edx
		mov	edx, ecx
		mov	word ptr [esp+38h+var_20], ax
		push	6
		pop	ecx
		rep stosd
		mov	ax, [edx]
		xor	edi, edi
		add	ax, 4
		mov	[esp+38h+var_24], edx
		add	ax, ds:_CmRegistryMachineName
		mov	word ptr [esp+38h+var_20+2], ax
		push	20204D43h
		movzx	eax, ax
		push	eax
		push	1
		mov	[esp+44h+var_28], edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+38h+var_1C], eax
		test	eax, eax
		jz	loc_AE5F23
		push	offset _CmRegistryMachineName
		lea	eax, [esp+3Ch+var_20]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC9FD9
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@PBOPGDP@	; void *
		lea	eax, [esp+3Ch+var_20]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC9FD9
		push	[esp+38h+var_24]
		lea	eax, [esp+3Ch+var_20]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC9FD9
		lea	eax, [esp+38h+var_20]
		mov	[esp+38h+var_18], 18h
		mov	[esp+38h+var_10], eax
		xor	ecx, ecx
		lea	eax, [esp+38h+var_18]
		mov	[esp+38h+var_14], ecx
		push	eax
		push	20019h
		lea	eax, [esp+40h+var_2C]
		mov	[esp+40h+var_C], 240h
		push	eax
		mov	[esp+44h+var_8], ecx
		mov	[esp+44h+var_4], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AC9FD9
		push	edi
		lea	eax, [esp+3Ch+var_28]
		xor	edx, edx
		push	eax
		push	edi
		push	ecx
		mov	ecx, [esp+48h+var_2C]
		inc	edx
		call	_CmObReferenceObjectByHandle@24	; CmObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_ACA007
		mov	eax, [esp+38h+var_24]
		push	dword ptr [eax+4] ; void *
		lea	eax, [ebx+8]
		push	eax		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	loc_AE5F2D
		mov	eax, [esp+38h+var_2C]
		mov	[ebx+10h], eax
		mov	eax, [esp+38h+var_28]
		mov	[esp+38h+var_2C], edi
		mov	[ebx+14h], eax

loc_AC9FD9:				; CODE XREF: CmpOpenSystemDriverHiveContext+72j
					; CmpOpenSystemDriverHiveContext+8Bj ...
		cmp	[esp+38h+var_1C], 0
		jz	short loc_AC9FEB
		push	0
		push	[esp+3Ch+var_1C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AC9FEB:				; CODE XREF: CmpOpenSystemDriverHiveContext+132j
		test	edi, edi
		jnz	loc_AE5F37

loc_AC9FF3:				; CODE XREF: CmpOpenSystemDriverHiveContext+1C097j
		cmp	[esp+38h+var_2C], 0
		jnz	loc_AE5F48

loc_AC9FFE:				; CODE XREF: CmpOpenSystemDriverHiveContext+1C0A5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_ACA007:				; CODE XREF: CmpOpenSystemDriverHiveContext+101j
					; CmpOpenSystemDriverHiveContext+1C086j
		mov	edi, [esp+38h+var_28]
		jmp	short loc_AC9FD9
CmpOpenSystemDriverHiveContext endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmGetSystemDriverList proc near		; CODE XREF: IopInitializeSystemDrivers+53p

var_B4		= dword	ptr -0B4h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1F		= byte ptr -1Fh
var_1E		= byte ptr -1Eh
var_1D		= byte ptr -1Dh
var_1C		= dword	ptr -1Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE5F56 SIZE 00000160 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0B4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_68], ecx
		lea	edi, [ebp+var_64]
		push	6
		pop	ecx
		xor	eax, eax
		xor	edx, edx
		rep stosd
		push	6
		pop	ecx
		push	8
		lea	edi, [ebp+var_1C]
		mov	[ebp+var_74], edx
		rep stosd
		pop	ecx
		lea	edi, [ebp+var_94]
		mov	[ebp+var_70], edx
		rep stosd
		or	[ebp+var_78], 0FFFFFFFFh
		lea	edi, [ebp+var_B4]
		push	8
		pop	ecx
		rep stosd
		or	[ebp+var_98], 0FFFFFFFFh
		lea	eax, [ebp+var_30]
		mov	[ebp+var_2C], eax
		mov	ebx, edx
		mov	[ebp+var_30], eax
		mov	ecx, (offset loc_A3F617+1)
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_4C], edx
		mov	[ebp+var_38], eax
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_48], edx
		mov	[ebp+var_1E], dl
		mov	[ebp+var_34], edx
		mov	[ebp+var_44], edx
		mov	[ebp+var_1D], dl
		mov	[ebp+var_1F], dl
		lea	edx, [ebp+var_94]
		mov	[ebp+var_24], eax
		mov	[ebp+var_28], eax
		call	CmpOpenSystemDriverHiveContext
		test	eax, eax
		js	loc_ACA2B1
		cmp	_CmStateSeparationEnabled, ebx
		jnz	loc_AE5F56

loc_ACA0BA:				; CODE XREF: CmGetSystemDriverList+1BF5Dj
					; CmGetSystemDriverList+1BF6Bj
		push	offset ??_C@_1BM@PNGDECLI@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAo?$AAr?$AAe?$AAs@PBOPGDP@
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_74]
		mov	[ebp+var_64], 18h
		mov	[ebp+var_5C], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_64]
		mov	[ebp+var_60], ecx
		push	eax
		push	1
		lea	eax, [ebp+var_34]
		mov	[ebp+var_58], 240h
		push	eax
		mov	[ebp+var_54], ecx
		mov	[ebp+var_50], ecx
		call	_ZwOpenDirectoryObject@12 ; ZwOpenDirectoryObject(x,x,x)
		test	eax, eax
		js	loc_ACA2B1
		push	20204D43h
		mov	esi, 400h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_6C], ebx
		test	ebx, ebx
		jz	loc_ACA2B1
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	1

loc_ACA127:				; CODE XREF: CmGetSystemDriverList+175j
		push	1
		push	esi
		push	ebx
		push	[ebp+var_34]
		call	_ZwQueryDirectoryObject@28 ; ZwQueryDirectoryObject(x,x,x,x,x,x,x)
		cmp	eax, 8000001Ah
		jz	short loc_ACA185
		test	eax, eax
		js	loc_ACA2B1
		xor	ecx, ecx
		mov	[ebp+var_40], ebx
		mov	eax, ebx
		cmp	[ebx], cx
		jz	short loc_ACA178

loc_ACA14E:				; CODE XREF: CmGetSystemDriverList+163j
		push	1
		push	offset _CmpSystemFileName
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	loc_AE5F7E

loc_ACA163:				; CODE XREF: CmGetSystemDriverList+1BFACj
					; CmGetSystemDriverList+1BFC9j
		mov	eax, [ebp+var_40]
		xor	ecx, ecx
		add	eax, 10h
		mov	[ebp+var_40], eax
		cmp	[eax], cx
		jnz	short loc_ACA14E
		mov	esi, 400h

loc_ACA178:				; CODE XREF: CmGetSystemDriverList+13Ej
		lea	eax, [ebp+var_48]
		push	eax
		lea	eax, [ebp+var_4C]
		push	eax
		xor	eax, eax
		push	eax
		jmp	short loc_ACA127
; 

loc_ACA185:				; CODE XREF: CmGetSystemDriverList+12Aj
		call	CmpAcquireShutdownRundown
		mov	[ebp+var_1F], al
		test	al, al
		jz	loc_ACA2B1
		lea	ecx, [ebp+var_1C]
		call	CmpAttachToRegistryProcess
		mov	[ebp+var_1E], 1
		call	_CmpLockRegistryExclusive@0 ; CmpLockRegistryExclusive()
		lea	ecx, [ebp+var_94]
		mov	[ebp+var_1D], 1
		call	_CmpAcquireSystemDriverHiveContext@4 ; CmpAcquireSystemDriverHiveContext(x)
		test	eax, eax
		js	loc_ACA2B1
		cmp	[ebp+var_A4], 0
		jnz	loc_AE5FDC

loc_ACA1CA:				; CODE XREF: CmGetSystemDriverList+1BFE1j
		mov	esi, [ebp+var_30]

loc_ACA1CD:				; CODE XREF: CmGetSystemDriverList+1C040j
		lea	eax, [ebp+var_30]
		cmp	esi, eax
		jnz	loc_AE5FF4
		mov	edx, [ebp+var_78]
		lea	eax, [ebp+var_28]
		push	ecx
		push	[ebp+var_68]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_7C]
		lea	eax, [ebp+var_3C]
		push	eax
		push	[ebp+var_98]
		push	[ebp+var_9C]
		call	CmpFindDrivers
		test	al, al
		jz	loc_ACA2B1
		mov	edx, [ebp+var_78]
		lea	eax, [ebp+var_28]
		mov	ecx, [ebp+var_7C]
		push	eax
		call	CmpSortDriverList
		test	al, al
		jz	loc_ACA2B1
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		mov	eax, [ebp+var_28]
		xor	ecx, ecx
		mov	[ebp+var_1D], cl
		jmp	short loc_ACA22F
; 

loc_ACA22C:				; CODE XREF: CmGetSystemDriverList+226j
		mov	eax, [eax]
		inc	ecx

loc_ACA22F:				; CODE XREF: CmGetSystemDriverList+21Cj
		lea	edx, [ebp+var_28]
		cmp	eax, edx
		jnz	short loc_ACA22C
		push	32384D43h
		lea	eax, ds:4[ecx*4]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_44], eax
		test	eax, eax
		jz	loc_AE6058
		mov	esi, [ebp+var_28]
		lea	ecx, [ebp+var_28]
		xor	edx, edx
		mov	edi, edx
		cmp	esi, ecx
		jz	short loc_ACA2AE
		mov	ebx, eax

loc_ACA268:				; CODE XREF: CmGetSystemDriverList+298j
		lea	eax, [esi+10h]
		mov	[ebp+var_64], 18h
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	2001Fh
		push	ebx
		mov	[ebp+var_60], edx
		mov	[ebp+var_58], 240h
		mov	[ebp+var_54], edx
		mov	[ebp+var_50], edx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_ACA29C
		inc	edi
		add	ebx, 4

loc_ACA29C:				; CODE XREF: CmGetSystemDriverList+288j
		mov	esi, [esi]
		lea	eax, [ebp+var_28]
		push	0
		pop	edx
		cmp	esi, eax
		jnz	short loc_ACA268
		mov	ebx, [ebp+var_6C]
		mov	eax, [ebp+var_44]

loc_ACA2AE:				; CODE XREF: CmGetSystemDriverList+256j
		mov	[eax+edi*4], edx

loc_ACA2B1:				; CODE XREF: CmGetSystemDriverList+9Aj
					; CmGetSystemDriverList+EAj ...
		lea	eax, [ebp+var_28]
		cmp	[ebp+var_28], eax
		jz	short loc_ACA2C3
		mov	ecx, [ebp+var_7C]
		mov	edx, eax
		call	_CmpFreeDriverList@8 ; CmpFreeDriverList(x,x)

loc_ACA2C3:				; CODE XREF: CmGetSystemDriverList+2A9j
		cmp	[ebp+var_1D], 0
		jnz	loc_AE6067

loc_ACA2CD:				; CODE XREF: CmGetSystemDriverList+1C05Ej
		cmp	[ebp+var_1E], 0
		jz	short loc_ACA2DB
		lea	ecx, [ebp+var_1C]
		call	_CmpDetachFromRegistryProcess@4	; CmpDetachFromRegistryProcess(x)

loc_ACA2DB:				; CODE XREF: CmGetSystemDriverList+2C3j
		cmp	[ebp+var_1F], 0
		jz	short loc_ACA2E6
		call	_CmpReleaseShutdownRundown@4 ; CmpReleaseShutdownRundown(x)

loc_ACA2E6:				; CODE XREF: CmGetSystemDriverList+2D1j
		lea	ecx, [ebp+var_94]
		call	_CmpCloseSystemDriverHiveContext@4 ; CmpCloseSystemDriverHiveContext(x)
		cmp	[ebp+var_A4], 0
		jnz	loc_AE6071

loc_ACA2FE:				; CODE XREF: CmGetSystemDriverList+1C06Ej
		cmp	[ebp+var_34], 0
		jz	short loc_ACA30C
		push	[ebp+var_34]
		call	_ZwClose@4	; ZwClose(x)

loc_ACA30C:				; CODE XREF: CmGetSystemDriverList+2F4j
		test	ebx, ebx
		jz	short loc_ACA319
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ACA319:				; CODE XREF: CmGetSystemDriverList+300j
		mov	edi, [ebp+var_30]
		lea	eax, [ebp+var_30]
		xor	ebx, ebx
		cmp	edi, eax
		jnz	loc_AE6081

loc_ACA329:				; CODE XREF: CmGetSystemDriverList+1C08Cj
		mov	ecx, [ebp+var_3C]
		lea	eax, [ebp+var_3C]
		cmp	ecx, eax
		jnz	loc_AE609F

loc_ACA337:				; CODE XREF: CmGetSystemDriverList+1C0A3j
		mov	ecx, [ebp+var_4]
		mov	eax, [ebp+var_44]
		xor	ecx, ebp
		pop	edi
		pop	esi
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
CmGetSystemDriverList endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCloseSystemDriverHiveContext(x)
_CmpCloseSystemDriverHiveContext@4 proc	near ; CODE XREF: CmGetSystemDriverList+2DEp
					; CmGetSystemDriverList+1C069p	...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		push	esi
		mov	esi, ecx
		and	dword ptr [esi+18h], 0
		lea	eax, [esi+8]
		or	dword ptr [esi+1Ch], 0FFFFFFFFh
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jz	short loc_ACA37C
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		and	dword ptr [esi+14h], 0

loc_ACA37C:				; CODE XREF: CmpCloseSystemDriverHiveContext(x)+22j
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_ACA38D
		push	eax
		call	_ZwClose@4	; ZwClose(x)
		and	dword ptr [esi+10h], 0

loc_ACA38D:				; CODE XREF: CmpCloseSystemDriverHiveContext(x)+37j
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn
_CmpCloseSystemDriverHiveContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFreeDriverList(x, x)
_CmpFreeDriverList@8 proc near		; CODE XREF: CmGetSystemDriverList+2B0p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, [ebx]
		cmp	esi, ebx
		jz	short loc_ACA3E7

loc_ACA3A5:				; CODE XREF: CmpFreeDriverList(x,x)+53j
		mov	ecx, [esi+44h]
		mov	eax, [esi]
		mov	[ebp+var_4], eax
		test	ecx, ecx
		jz	short loc_ACA3BA
		movzx	eax, word ptr [esi+40h]
		push	eax
		push	ecx
		call	dword ptr [edi+10h]

loc_ACA3BA:				; CODE XREF: CmpFreeDriverList(x,x)+1Dj
		mov	ecx, [esi+14h]
		test	ecx, ecx
		jz	short loc_ACA3CA
		movzx	eax, word ptr [esi+12h]
		push	eax
		push	ecx
		call	dword ptr [edi+10h]

loc_ACA3CA:				; CODE XREF: CmpFreeDriverList(x,x)+2Dj
		mov	ecx, [esi+0Ch]
		test	ecx, ecx
		jz	short loc_ACA3DA
		movzx	eax, word ptr [esi+0Ah]
		push	eax
		push	ecx
		call	dword ptr [edi+10h]

loc_ACA3DA:				; CODE XREF: CmpFreeDriverList(x,x)+3Dj
		push	50h
		push	esi
		call	dword ptr [edi+10h]
		mov	esi, [ebp+var_4]
		cmp	esi, ebx
		jnz	short loc_ACA3A5

loc_ACA3E7:				; CODE XREF: CmpFreeDriverList(x,x)+11j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpFreeDriverList@8 endp


;  S U B	R O U T	I N E 


; __stdcall CmInitSystem0(x)
_CmInitSystem0@4 proc near		; CODE XREF: INIT:00ACD2F2p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		push	0
		mov	ecx, [edi+60h]
		call	CmpGetSystemControlValues
		mov	eax, [edi+84h]
		add	eax, 0E8h
		mov	esi, [eax]
		jmp	short loc_ACA429
; 

loc_ACA40C:				; CODE XREF: CmInitSystem0(x)+3Fj
		test	byte ptr [esi+0Ch], 40h
		jz	short loc_ACA41C
		mov	ecx, [esi+10h]
		push	1
		call	CmpGetSystemControlValues

loc_ACA41C:				; CODE XREF: CmInitSystem0(x)+24j
		mov	eax, [edi+84h]
		mov	esi, [esi]
		add	eax, 0E8h

loc_ACA429:				; CODE XREF: CmInitSystem0(x)+1Ej
		cmp	esi, eax
		jnz	short loc_ACA40C
		call	_CmFcInitSystem1@0 ; CmFcInitSystem1()
		pop	edi
		pop	esi
		pop	ecx
		retn
_CmInitSystem0@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFindRedirectedDriverServiceStateNode	proc near ; CODE XREF: CmpFindDrivers+83p

var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00AE60B6 SIZE 0000011C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_18], eax
		mov	esi, ecx
		mov	[ebp+var_14], eax
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_3C], eax
		mov	ebx, edx
		mov	[ebp+var_24], eax
		mov	[ebp+var_2C], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_40], ecx
		push	eax
		mov	[ebp+var_28], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_38], ecx
		mov	[ebp+var_20], ecx
		mov	ecx, esi
		push	(offset	loc_AF331B+5)
		mov	[ebp+var_10], ebx
		call	CmpFindHiveSubKey
		test	al, al
		jnz	loc_AE60B6

loc_ACA493:				; CODE XREF: CmpFindRedirectedDriverServiceStateNode+1BC9Cj
					; CmpFindRedirectedDriverServiceStateNode+1BCADj ...
		xor	al, al

loc_ACA495:				; CODE XREF: CmpFindRedirectedDriverServiceStateNode+1BD97j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
CmpFindRedirectedDriverServiceStateNode	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFindHiveSubKey proc near		; CODE XREF: CmpFindRedirectedDriverServiceStateNode+50p
					; CmpGetKnownHivePathNode(x,x,x,x,x,x,x,x)+8Cp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= dword	ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00AE61D2 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], edx
		mov	ecx, [ebp+arg_0]
		xor	ebx, ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	eax, [edi+20h]
		mov	esi, [eax+24h]
		test	ecx, ecx
		jz	short loc_ACA508
		cmp	[ecx], bx
		jz	short loc_ACA508
		mov	eax, [ecx]
		lea	edx, [ebp+var_14]
		mov	[ebp+var_1C], eax
		mov	eax, [ecx+4]
		lea	ecx, [ebp+var_1C]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_5]
		push	eax
		call	_CmpGetNextName@12 ; CmpGetNextName(x,x,x)
		test	al, al
		jz	short loc_ACA511
		push	1
		lea	eax, [ebp+var_14]
		push	eax
		push	(offset	loc_AF3473+5)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		mov	ecx, edi
		test	al, al
		jz	short loc_ACA51A
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_1C]
		push	eax

loc_ACA501:				; CODE XREF: CmpFindHiveSubKey+83j
		call	_CmpWalkUnicodeStringPath@12 ; CmpWalkUnicodeStringPath(x,x,x)
		mov	esi, eax

loc_ACA508:				; CODE XREF: CmpFindHiveSubKey+23j
					; CmpFindHiveSubKey+28j
		cmp	esi, 0FFFFFFFFh
		jnz	loc_AE61D2

loc_ACA511:				; CODE XREF: CmpFindHiveSubKey+46j
					; CmpFindHiveSubKey+1BD4Fj
		pop	edi
		pop	esi
		mov	al, bl
		pop	ebx
		leave
		retn	0Ch
; 

loc_ACA51A:				; CODE XREF: CmpFindHiveSubKey+5Cj
		push	[ebp+arg_0]
		mov	edx, esi
		jmp	short loc_ACA501
CmpFindHiveSubKey endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAcquireSystemDriverHiveContext(x)
_CmpAcquireSystemDriverHiveContext@4 proc near ; CODE XREF: CmGetSystemDriverList+1A2p
					; CmGetSystemDriverList+1BFD4p	...

var_2		= byte ptr -2

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		mov	edi, ecx
		mov	byte ptr [ebp-1], 0
		xor	edx, edx
		mov	ecx, [edi+14h]
		call	CmpPerformKeyBodyDeletionCheck
		mov	esi, eax
		test	esi, esi
		js	short loc_ACA569
		mov	edx, [edi+14h]
		lea	eax, [ebp-1]
		push	eax
		push	(offset	loc_A3F69A+6)
		mov	ecx, [edx+8]
		mov	ecx, [ecx+10h]
		mov	[edi+18h], ecx
		mov	edx, [edx+8]
		mov	edx, [edx+14h]
		call	CmpFindControlSet
		mov	[edi+1Ch], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_ACA56F

loc_ACA569:				; CODE XREF: CmpAcquireSystemDriverHiveContext(x)+1Dj
					; CmpAcquireSystemDriverHiveContext(x)+52j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_ACA56F:				; CODE XREF: CmpAcquireSystemDriverHiveContext(x)+45j
		mov	esi, 0C0000225h
		jmp	short loc_ACA569
_CmpAcquireSystemDriverHiveContext@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLoadServicesNode(x, x, x, x)
_CmpLoadServicesNode@16	proc near	; CODE XREF: CmpFindDrivers+4Ep
					; CmpFindDrivers+1AF1Fp

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		or	[ebp+var_8], 0FFFFFFFFh
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	eax
		mov	esi, ecx
		push	edx
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_ACA5CC
		push	(offset	loc_AF3347+1)
		mov	edx, eax
		mov	ecx, esi
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		mov	edi, eax
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_ACA5CC
		push	[ebp+arg_4]
		push	edi
		push	esi
		call	dword ptr [esi+4]
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_ACA5CC
		mov	al, 1

loc_ACA5C6:				; CODE XREF: CmpLoadServicesNode(x,x,x,x)+58j
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_ACA5CC:				; CODE XREF: CmpLoadServicesNode(x,x,x,x)+1Ej
					; CmpLoadServicesNode(x,x,x,x)+3Bj ...
		xor	al, al
		jmp	short loc_ACA5C6
_CmpLoadServicesNode@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpFindGroupOrderList(x, x)
_CmpFindGroupOrderList@8 proc near	; CODE XREF: CmpFindDrivers+9Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		or	[ebp+var_8], 0FFFFFFFFh
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	eax
		mov	edi, ecx
		push	edx
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	short loc_ACA638
		push	(offset	loc_AF34CB+5)
		mov	edx, eax
		mov	ecx, edi
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		cmp	esi, 0FFFFFFFFh
		jz	short loc_ACA638
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	short loc_ACA638
		push	(offset	loc_AF33C7+1)
		mov	edx, eax
		mov	ecx, edi
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_8]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	eax, esi

loc_ACA634:				; CODE XREF: CmpFindGroupOrderList(x,x)+6Bj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_ACA638:				; CODE XREF: CmpFindGroupOrderList(x,x)+1Ej
					; CmpFindGroupOrderList(x,x)+3Bj ...
		or	eax, 0FFFFFFFFh
		jmp	short loc_ACA634
_CmpFindGroupOrderList@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpSortDriverList proc near		; CODE XREF: CmGetSystemDriverList+202p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE61F0 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		xor	eax, eax
		or	ebx, 0FFFFFFFFh
		push	esi
		push	edi
		mov	[ebp+var_18], eax
		mov	edi, ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	edx
		push	edi
		mov	[ebp+var_28], ebx
		mov	[ebp+var_20], ebx
		mov	[ebp+var_10], ebx
		call	dword ptr [edi+4]
		test	eax, eax
		jz	loc_ACA760
		push	(offset	loc_AF34CB+5)
		mov	edx, eax
		mov	ecx, edi
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		cmp	esi, ebx
		jz	loc_ACA760
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	loc_ACA760
		push	(offset	loc_AF333F+1)
		mov	edx, eax
		mov	ecx, edi
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		cmp	esi, ebx
		jz	loc_ACA760
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	loc_ACA760
		push	(offset	loc_AF339F+1)
		mov	edx, eax
		mov	ecx, edi
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		cmp	esi, ebx
		jz	short loc_ACA760
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	short loc_ACA760
		cmp	dword ptr [eax+0Ch], 7
		jnz	loc_AE61F0
		lea	ecx, [ebp+var_28]
		mov	edx, esi
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		mov	ecx, edi
		call	CmpValueToData
		mov	esi, eax
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		mov	[ebp+var_14], esi
		call	dword ptr [edi+8]
		test	esi, esi
		jz	short loc_ACA760
		mov	eax, [ebp+var_8]
		lea	edx, [ebp+var_18]
		mov	ecx, [ebp+arg_0]
		add	eax, 0FFFFFFFEh
		mov	word ptr [ebp+var_18+2], ax
		mov	word ptr [ebp+var_18], ax
		call	_CmpDoSort@8	; CmpDoSort(x,x)
		mov	bl, al
		lea	eax, [ebp+var_28]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	al, bl

loc_ACA759:				; CODE XREF: CmpSortDriverList+124j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_ACA760:				; CODE XREF: CmpSortDriverList+38j
					; CmpSortDriverList+58j ...
		xor	al, al
		jmp	short loc_ACA759
CmpSortDriverList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpDoSort(x, x)
_CmpDoSort@8	proc near		; CODE XREF: CmpSortDriverList+10Ap

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_CmpSortByTag@4	; CmpSortByTag(x)
		test	al, al
		jz	loc_ACA84C
		mov	ecx, [esi+4]
		mov	edx, edi
		movzx	esi, word ptr [esi]
		shr	esi, 1
		dec	esi
		mov	[ebp+var_4], edx
		mov	[ebp+var_C], ecx
		lea	esi, [ecx+esi*2]
		cmp	esi, ecx
		jbe	loc_ACA845

loc_ACA7A4:				; CODE XREF: CmpDoSort(x,x)+A9j
		xor	eax, eax

loc_ACA7A6:				; CODE XREF: CmpDoSort(x,x)+52j
		cmp	[esi], ax
		jz	short loc_ACA80F

loc_ACA7AB:				; CODE XREF: CmpDoSort(x,x)+ADj
		sub	esi, 2
		cmp	esi, ecx
		jz	short loc_ACA7B8
		cmp	[esi-2], ax
		jnz	short loc_ACA7A6

loc_ACA7B8:				; CODE XREF: CmpDoSort(x,x)+4Cj
		mov	[ebp+var_10], ebx
		sub	ebx, esi
		mov	word ptr [ebp+var_1C], bx
		mov	word ptr [ebp+var_1C+2], bx
		mov	ebx, [edi+4]
		mov	[ebp+var_18], esi
		cmp	ebx, edx
		jz	short loc_ACA803

loc_ACA7CF:				; CODE XREF: CmpDoSort(x,x)+9Aj
		cmp	ebx, edi
		jz	short loc_ACA800
		mov	eax, ebx
		lea	ecx, [ebx+4]
		mov	ebx, [ecx]
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], ecx
		cmp	dword ptr [eax+3Ch], 0
		jz	short loc_ACA7FC
		push	1
		add	eax, 38h
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_ACA813

loc_ACA7F9:				; CODE XREF: CmpDoSort(x,x)+DAj
		mov	edx, [ebp+var_4]

loc_ACA7FC:				; CODE XREF: CmpDoSort(x,x)+80j
		cmp	ebx, edx
		jnz	short loc_ACA7CF

loc_ACA800:				; CODE XREF: CmpDoSort(x,x)+6Dj
		mov	ecx, [ebp+var_C]

loc_ACA803:				; CODE XREF: CmpDoSort(x,x)+69j
		sub	esi, 2
		cmp	esi, ecx
		jbe	short loc_ACA845
		mov	ebx, [ebp+var_10]
		jmp	short loc_ACA7A4
; 

loc_ACA80F:				; CODE XREF: CmpDoSort(x,x)+45j
		mov	ebx, esi
		jmp	short loc_ACA7AB
; 

loc_ACA813:				; CODE XREF: CmpDoSort(x,x)+93j
		mov	eax, [ebp+var_8]
		cmp	[ebp+var_4], edi
		jz	short loc_ACA840

loc_ACA81B:				; CODE XREF: CmpDoSort(x,x)+DFj
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	short loc_ACA850
		cmp	[ebx], eax
		jnz	short loc_ACA850
		mov	[ebx], ecx
		mov	[ecx+4], ebx
		mov	ecx, [edi]
		cmp	[ecx+4], edi
		jnz	short loc_ACA850
		mov	edx, [ebp+var_14]
		mov	[eax], ecx
		mov	[edx], edi
		mov	[ecx+4], eax
		mov	[edi], eax
		jmp	short loc_ACA7F9
; 

loc_ACA840:				; CODE XREF: CmpDoSort(x,x)+B5j
		mov	[ebp+var_4], eax
		jmp	short loc_ACA81B
; 

loc_ACA845:				; CODE XREF: CmpDoSort(x,x)+3Aj
					; CmpDoSort(x,x)+A4j
		mov	al, 1

loc_ACA847:				; CODE XREF: CmpDoSort(x,x)+EAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_ACA84C:				; CODE XREF: CmpDoSort(x,x)+1Ej
		xor	al, al
		jmp	short loc_ACA847
; 

loc_ACA850:				; CODE XREF: CmpDoSort(x,x)+BCj
					; CmpDoSort(x,x)+C0j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CmpDoSort@8	endp


;  S U B	R O U T	I N E 


; __stdcall CmpSortByTag(x)
_CmpSortByTag@4	proc near		; CODE XREF: CmpDoSort(x,x)+17p
		mov	edi, edi
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		mov	esi, [ebx]
		mov	edi, [ebx+4]
		mov	edx, [esi]
		cmp	esi, edi
		jz	short loc_ACA8BA

loc_ACA868:				; CODE XREF: CmpSortByTag(x)+22j
		mov	eax, [esi+48h]
		cmp	eax, [edx+48h]
		ja	short loc_ACA87A
		mov	esi, edx

loc_ACA872:				; CODE XREF: CmpSortByTag(x)+62j
		cmp	esi, edi
		jz	short loc_ACA8BA
		mov	edx, [edx]
		jmp	short loc_ACA868
; 

loc_ACA87A:				; CODE XREF: CmpSortByTag(x)+18j
		cmp	edx, edi
		jz	short loc_ACA8C0

loc_ACA87E:				; CODE XREF: CmpSortByTag(x)+6Cj
		mov	eax, [edx]
		cmp	[eax+4], edx
		jnz	short loc_ACA8C4
		mov	ecx, [edx+4]
		cmp	[ecx], edx
		jnz	short loc_ACA8C4
		mov	[ecx], eax
		mov	[eax+4], ecx
		mov	eax, [ebx]
		cmp	eax, esi
		jz	short loc_ACA8A5
		mov	ecx, [edx+48h]

loc_ACA89A:				; CODE XREF: CmpSortByTag(x)+4Dj
		cmp	[eax+48h], ecx
		jnb	short loc_ACA8A5
		mov	eax, [eax]
		cmp	eax, esi
		jnz	short loc_ACA89A

loc_ACA8A5:				; CODE XREF: CmpSortByTag(x)+3Fj
					; CmpSortByTag(x)+47j
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_ACA8C4
		mov	[edx], eax
		mov	[edx+4], ecx
		mov	[ecx], edx
		mov	[eax+4], edx
		mov	edx, esi
		jmp	short loc_ACA872
; 

loc_ACA8BA:				; CODE XREF: CmpSortByTag(x)+10j
					; CmpSortByTag(x)+1Ej
		pop	edi
		pop	esi
		mov	al, 1
		pop	ebx
		retn
; 

loc_ACA8C0:				; CODE XREF: CmpSortByTag(x)+26j
		mov	edi, esi
		jmp	short loc_ACA87E
; 

loc_ACA8C4:				; CODE XREF: CmpSortByTag(x)+2Dj
					; CmpSortByTag(x)+34j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
_CmpSortByTag@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmSelectQualifiedInstallLanguage proc near ; CODE XREF:	CmpGetSystemControlValues+284p

var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_225		= byte ptr -225h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21B		= byte ptr -21Bh
var_21A		= byte ptr -21Ah
var_219		= byte ptr -219h
var_218		= word ptr -218h
var_168		= dword	ptr -168h
var_B8		= word ptr -0B8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00AE61FD SIZE 0000014A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 274h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_168]
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		mov	ebx, edx
		push	edi
		or	edx, 0FFFFFFFFh
		mov	[ebp+var_244], esi
		mov	edi, 0AAh
		mov	[ebp+var_230], ecx
		push	edi		; size_t
		push	ecx		; int
		push	eax		; void *
		mov	[ebp+var_24C], ecx
		mov	[ebp+var_248], ecx
		mov	[ebp+var_254], edx
		mov	[ebp+var_250], ecx
		mov	[ebp+var_264], edx
		mov	[ebp+var_260], ecx
		mov	[ebp+var_274], edx
		mov	[ebp+var_270], ecx
		mov	[ebp+var_240], edx
		mov	[ebp+var_23C], ecx
		mov	[ebp+var_21A], cl
		mov	[ebp+var_219], cl
		mov	[ebp+var_21B], cl
		mov	[ebp+var_238], ecx
		mov	[ebp+var_234], ecx
		mov	[ebp+var_22C], ecx
		mov	[ebp+var_26C], edx
		mov	[ebp+var_268], ecx
		mov	[ebp+var_25C], edx
		mov	[ebp+var_258], ecx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_B8]
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_218]
		push	edi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		test	esi, esi
		jz	loc_ACAD25
		and	dword ptr [esi], 0
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jz	loc_AE6206
		push	46h
		pop	esi
		push	0
		push	55h
		lea	edx, [ebp+var_218]
		mov	ecx, edi
		call	DownLevelLangIDToLanguageName
		test	eax, eax
		jz	loc_AE61FD

loc_ACA9DC:				; CODE XREF: CmSelectQualifiedInstallLanguage+1B937j
					; CmSelectQualifiedInstallLanguage+1B93Fj
		push	offset ??_C@_1BK@LCAHJIMJ@?$AAM?$AAU?$AAI?$AA?2?$AAS?$AAe?$AAt?$AAt?$AAi?$AAn?$AAg?$AAs@PBOPGDP@ ; "MUI\\Settings"
		mov	edx, ebx
		mov	ecx, offset _CmControlHive
		call	_CmpWalkPath@12	; CmpWalkPath(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_ACAA4C
		lea	ecx, [ebp+var_264]
		push	ecx
		push	eax
		push	offset _CmControlHive
		call	ds:dword_AFD0CC
		mov	edi, eax
		test	edi, edi
		jz	short loc_ACAA4C
		push	offset ??_C@_1CK@CDBMDBEP@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe?$AAd?$AAU?$AAI?$AAL?$AAa?$AAn?$AAg@PBOPGDP@ ; "P"
		lea	eax, [ebp+var_24C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_24C]
		mov	edx, edi
		push	eax
		mov	ecx, offset _CmControlHive
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jnz	loc_AE620E

loc_ACAA3A:				; CODE XREF: CmSelectQualifiedInstallLanguage+1B959j
					; CmSelectQualifiedInstallLanguage+1B9DEj
		lea	eax, [ebp+var_264]
		push	eax
		push	offset _CmControlHive
		call	ds:dword_AFD0D0

loc_ACAA4C:				; CODE XREF: CmSelectQualifiedInstallLanguage+126j
					; CmSelectQualifiedInstallLanguage+13Fj
		mov	edx, ebx
		mov	ebx, offset _CmControlHive
		push	offset ??_C@_1CA@JHCOEJCA@?$AAM?$AAU?$AAI?$AA?2?$AAU?$AAI?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe?$AAs@PBOPGDP@	; "MUI\\UILanguages"
		mov	ecx, ebx
		call	_CmpWalkPath@12	; CmpWalkPath(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	loc_ACACE9
		lea	ecx, [ebp+var_274]
		push	ecx
		push	eax
		push	ebx
		call	ds:dword_AFD0CC
		mov	ecx, eax
		mov	[ebp+var_224], ecx
		test	ecx, ecx
		jz	loc_ACACE9
		and	esi, 0FFFFFFFDh
		xor	eax, eax
		mov	[ebp+var_220], eax
		mov	bl, al
		mov	bh, al

loc_ACAA96:				; CODE XREF: CmSelectQualifiedInstallLanguage+35Bj
					; CmSelectQualifiedInstallLanguage+364j ...
		lea	edx, [ebp+var_230]
		push	edx
		mov	edx, ecx
		mov	ecx, offset _CmControlHive
		push	eax
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		inc	[ebp+var_220]
		cmp	[ebp+var_230], 0FFFFFFFFh
		jz	loc_ACACB6
		lea	eax, [ebp+var_240]
		push	eax
		push	[ebp+var_230]
		push	offset _CmControlHive
		call	ds:dword_AFD0CC
		mov	ecx, [ebp+var_224]
		mov	ebx, eax
		mov	eax, [ebp+var_220]
		test	ebx, ebx
		jz	loc_AE62AD
		push	offset ??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@PBOPGDP@ ;	"Type"
		lea	eax, [ebp+var_24C]
		mov	[ebp+var_225], 0
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_24C]
		mov	edx, ebx
		push	eax
		mov	ecx, offset _CmControlHive
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jz	loc_AE630D
		lea	eax, [ebp+var_254]
		push	eax
		push	edi
		push	offset _CmControlHive
		call	ds:dword_AFD0CC
		test	eax, eax
		jz	loc_AE630D
		cmp	dword ptr [eax+0Ch], 4
		jnz	short loc_ACAB7F
		lea	ecx, [ebp+var_26C]
		mov	edx, edi
		push	ecx
		lea	ecx, [ebp+var_22C]
		push	ecx
		push	eax
		mov	ecx, offset _CmControlHive
		call	CmpValueToData
		mov	eax, [eax]
		mov	[ebp+var_234], eax
		test	al, 3
		jnz	loc_ACACFC

loc_ACAB6D:				; CODE XREF: CmSelectQualifiedInstallLanguage+434j
					; CmSelectQualifiedInstallLanguage+441j
		lea	eax, [ebp+var_26C]
		push	eax
		push	offset _CmControlHive
		call	ds:dword_AFD0D0

loc_ACAB7F:				; CODE XREF: CmSelectQualifiedInstallLanguage+276j
		lea	eax, [ebp+var_254]
		push	eax
		push	offset _CmControlHive
		call	ds:dword_AFD0D0
		cmp	[ebp+var_225], 0
		jz	loc_AE630D
		test	byte ptr [ebx+2], 20h
		movzx	ecx, word ptr [ebx+48h]
		jz	loc_AE62BE
		lea	eax, [ecx+ecx]
		movzx	edi, ax
		cmp	edi, 0A8h
		ja	loc_AE630D
		push	ecx
		lea	eax, [ebx+4Ch]
		mov	edx, edi
		push	eax
		lea	ecx, [ebp+var_B8]
		call	_CmpCopyCompressedName@16 ; CmpCopyCompressedName(x,x,x,x)

loc_ACABD0:				; CODE XREF: CmSelectQualifiedInstallLanguage+1BA12j
		lea	eax, [ebp+var_240]
		push	eax
		push	offset _CmControlHive
		call	ds:dword_AFD0D0
		and	edi, 0FFFFFFFEh
		cmp	edi, 0AAh
		jnb	loc_ACAD1A
		xor	eax, eax
		lea	ecx, [ebp+var_B8] ; void *
		xor	edx, edx
		mov	[ebp+edi+var_B8], ax
		call	_DownLevelLanguageNameToLangID@8 ; DownLevelLanguageNameToLangID(x,x)
		mov	bl, [ebp+var_219]
		mov	bh, [ebp+var_21A]
		mov	ecx, [ebp+var_224]
		movzx	edi, ax
		mov	eax, [ebp+var_220]
		test	edi, edi
		jz	loc_ACAA96
		cmp	edi, 7Fh
		jz	loc_ACAA96
		cmp	[ebp+arg_4], 0
		jz	short loc_ACAC66
		cmp	[ebp+var_21B], 0
		jnz	short loc_ACAC66
		lea	eax, [ebp+var_B8]
		push	eax		; wchar_t *
		lea	eax, [ebp+var_218]
		push	eax		; wchar_t *
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_ACAC66
		mov	[ebp+var_21B], 1
		and	esi, 0FFFFFFBFh

loc_ACAC66:				; CODE XREF: CmSelectQualifiedInstallLanguage+36Ej
					; CmSelectQualifiedInstallLanguage+377j ...
		mov	bh, [ebp+var_21A]
		mov	bl, [ebp+var_219]
		mov	eax, [ebp+var_220]
		mov	ecx, [ebp+var_224]
		test	bh, bh
		jnz	loc_AE62E1
		test	bl, bl
		jnz	loc_ACAA96
		test	byte ptr [ebp+var_234],	2
		mov	[ebp+var_238], edi
		jnz	short loc_ACAD10
		inc	bh
		mov	[ebp+var_21A], bh

loc_ACACA5:				; CODE XREF: CmSelectQualifiedInstallLanguage+44Ej
					; CmSelectQualifiedInstallLanguage+1BA61j
		mov	eax, [ebp+var_220]
		mov	ecx, [ebp+var_224]
		jmp	loc_ACAA96
; 

loc_ACACB6:				; CODE XREF: CmSelectQualifiedInstallLanguage+1EDj
		lea	eax, [ebp+var_274]
		push	eax
		push	offset _CmControlHive
		call	ds:dword_AFD0D0
		test	bh, bh
		jz	short loc_ACAD1F

loc_ACACCC:				; CODE XREF: CmSelectQualifiedInstallLanguage+459j
		and	esi, 0FFFFFFFBh

loc_ACACCF:				; CODE XREF: CmSelectQualifiedInstallLanguage+457j
		cmp	[ebp+var_21B], 0
		jz	loc_AE6330
		mov	eax, [ebp+arg_4]

loc_ACACDF:				; CODE XREF: CmSelectQualifiedInstallLanguage+1BA78j
		mov	ecx, [ebp+var_244]
		xor	esi, esi
		mov	[ecx], eax

loc_ACACE9:				; CODE XREF: CmSelectQualifiedInstallLanguage+198j
					; CmSelectQualifiedInstallLanguage+1B7j ...
		mov	eax, esi

loc_ACACEB:				; CODE XREF: CmSelectQualifiedInstallLanguage+45Ej
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
; 

loc_ACACFC:				; CODE XREF: CmSelectQualifiedInstallLanguage+29Dj
		test	al, 10h
		jz	loc_ACAB6D
		mov	[ebp+var_225], 1
		jmp	loc_ACAB6D
; 

loc_ACAD10:				; CODE XREF: CmSelectQualifiedInstallLanguage+3D1j
					; CmSelectQualifiedInstallLanguage+1BA3Ej
		mov	bl, 1
		mov	[ebp+var_219], bl
		jmp	short loc_ACACA5
; 

loc_ACAD1A:				; CODE XREF: CmSelectQualifiedInstallLanguage+321j
		call	___report_rangecheckfailure

loc_ACAD1F:				; CODE XREF: CmSelectQualifiedInstallLanguage+400j
		test	bl, bl
		jz	short loc_ACACCF
		jmp	short loc_ACACCC
; 

loc_ACAD25:				; CODE XREF: CmSelectQualifiedInstallLanguage+E2j
		xor	eax, eax
		inc	eax
		jmp	short loc_ACACEB
CmSelectQualifiedInstallLanguage endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFindTagIndex	proc near		; CODE XREF: CmpAddDriverToList+379p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00AE6347 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_30], eax
		mov	esi, edx
		mov	[ebp+var_10], eax
		mov	edi, ecx
		mov	[ebp+var_18], eax
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_28], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_20], eax
		mov	byte ptr [ebp+var_1], al
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		push	edi
		mov	[ebp+var_34], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		call	dword ptr [edi+4]
		test	eax, eax
		jz	loc_ACAE39
		lea	ecx, [ebp+var_34]
		mov	edx, esi
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		mov	ecx, edi
		call	CmpValueToData
		mov	ebx, eax
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		test	ebx, ebx
		jz	loc_ACAE39
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+arg_0]
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	loc_ACAE3E
		push	[ebp+arg_4]
		mov	edx, eax
		mov	ecx, edi
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		cmp	esi, 0FFFFFFFFh
		jz	short loc_ACAE43
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	short loc_ACAE3E
		lea	ecx, [ebp+var_2C]
		mov	edx, esi
		push	ecx
		lea	ecx, [ebp+var_1]
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		mov	ecx, edi
		call	CmpGetValueData
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_ACAE3E
		mov	ecx, [eax]
		xor	esi, esi
		inc	esi
		cmp	ecx, esi
		jb	short loc_ACAE13
		mov	edx, [ebx]

loc_ACAE09:				; CODE XREF: CmpFindTagIndex+E7j
		cmp	[eax+esi*4], edx
		jz	short loc_ACAE16
		inc	esi
		cmp	esi, ecx
		jbe	short loc_ACAE09

loc_ACAE13:				; CODE XREF: CmpFindTagIndex+DBj
		push	0FFFFFFFEh
		pop	esi

loc_ACAE16:				; CODE XREF: CmpFindTagIndex+E2j
		cmp	byte ptr [ebp+var_1], 0
		jnz	loc_AE6347
		lea	eax, [ebp+var_2C]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_ACAE28:				; CODE XREF: CmpFindTagIndex+117j
					; CmpFindTagIndex+11Bj	...
		lea	eax, [ebp+var_34]
		push	eax
		push	edi
		call	dword ptr [edi+8]

loc_ACAE30:				; CODE XREF: CmpFindTagIndex+112j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_ACAE39:				; CODE XREF: CmpFindTagIndex+46j
					; CmpFindTagIndex+6Aj
		push	0FFFFFFFEh
		pop	esi
		jmp	short loc_ACAE30
; 

loc_ACAE3E:				; CODE XREF: CmpFindTagIndex+7Dj
					; CmpFindTagIndex+A9j ...
		push	0FFFFFFFEh
		pop	esi
		jmp	short loc_ACAE28
; 

loc_ACAE43:				; CODE XREF: CmpFindTagIndex+9Cj
		mov	esi, [ebx]
		jmp	short loc_ACAE28
CmpFindTagIndex	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpAddDriverToList proc	near		; CODE XREF: CmpFindDrivers+F7p
					; CmpFindDrivers+1AF77p

var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_5		= byte ptr -5
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00AE6354 SIZE 000000AA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 68h
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_5C], eax
		mov	edi, eax
		mov	[ebp+var_54], eax
		mov	esi, ecx
		mov	[ebp+var_4C], eax
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_C], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_68], eax
		mov	[ebp+var_64], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_20], eax
		mov	[ebp+var_28], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_30], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_5], al
		lea	eax, [ebp+var_60]
		push	eax
		push	edx
		push	esi
		mov	[ebp+var_60], ecx
		mov	[ebp+var_58], ecx
		mov	[ebp+var_50], ecx
		mov	[ebp+var_48], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_38], ecx
		call	dword ptr [esi+4]
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_ACB1AE
		lea	ecx, [ebp+var_20]
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	CmpGetNodeName
		mov	ebx, eax
		mov	[ebp+var_1C], ebx
		test	ebx, ebx
		jz	loc_ACB1A6
		push	ebx
		lea	eax, [ebp+var_68]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_ACB19E
		push	20314D43h
		push	edi
		push	50h
		call	dword ptr [esi+0Ch]
		mov	edi, eax
		test	edi, edi
		jz	loc_ACB19E
		push	50h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+arg_8]
		add	esp, 0Ch
		mov	edx, [ebp+var_20]
		mov	ebx, edi
		mov	[edi+24h], esi
		mov	eax, [ecx]
		mov	[edi+28h], eax
		mov	eax, [ecx+4]
		mov	ecx, esi
		mov	[edi+2Ch], eax
		and	dword ptr [edi+14h], 0
		and	dword ptr [edi+0Ch], 0
		mov	eax, [ebp+var_1C]
		mov	[edi+44h], eax
		lea	eax, [edx-2]
		mov	[edi+40h], ax
		xor	eax, eax
		mov	[edi+42h], dx
		mov	edx, [ebp+var_14]
		push	(offset	loc_AF33AF+1)
		mov	[ebp+var_1C], eax
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		mov	[ebp+var_10], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_ACB1DC
		lea	ecx, [ebp+var_38]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_AE63BB
		mov	edx, [ebp+var_10]
		lea	ecx, [ebp+var_40]
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	eax
		mov	ecx, esi
		call	CmpValueToData
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	[ebp+var_18], 0
		jz	loc_AE63BB
		push	20334D43h
		push	0
		push	[ebp+var_C]
		call	dword ptr [esi+0Ch]
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_AE6354
		push	[ebp+var_C]	; size_t
		push	[ebp+var_18]	; void *
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_C]
		add	esp, 0Ch
		mov	word ptr [ebp+var_28], ax
		mov	word ptr [ebp+var_28+2], ax
		lea	eax, [ebp+var_40]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_ACAFBF:				; CODE XREF: CmpAddDriverToList+3F4j
		mov	ax, [edi+40h]
		mov	ecx, [ebp+arg_8]
		add	ax, 5Ch
		push	20344D43h
		push	0
		add	ax, [ecx]
		mov	word ptr [ebp+var_30+2], ax
		movzx	eax, ax
		push	eax
		call	dword ptr [esi+0Ch]
		mov	[ebp+var_18], eax
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_AE639B
		push	(offset	loc_AF34AC+4)
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		test	eax, eax
		js	loc_AE6386
		push	[ebp+arg_8]
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		test	eax, eax
		js	loc_AE6386
		push	(offset	loc_AF34B7+1)
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		test	eax, eax
		js	loc_AE6386
		lea	eax, [edi+40h]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		test	eax, eax
		js	loc_AE6386
		mov	ecx, [edi+0Ch]
		test	ecx, ecx
		jnz	loc_AE635E

loc_ACB04D:				; CODE XREF: CmpAddDriverToList+1B51Fj
		mov	ecx, [ebp+var_10]
		xor	ebx, ebx
		mov	eax, [ebp+var_28]
		mov	[edi+0Ch], ecx
		mov	ecx, [edi+14h]
		mov	[edi+8], eax
		mov	[ebp+var_28], ebx
		mov	[ebp+var_10], ebx
		test	ecx, ecx
		jnz	loc_AE636C

loc_ACB06C:				; CODE XREF: CmpAddDriverToList+1B52Dj
		mov	eax, [ebp+var_30]
		mov	[edi+10h], eax
		mov	eax, [ebp+var_2C]
		mov	[edi+14h], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_18], ebx
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_ACB2A6
		mov	edx, [ebp+var_14]
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[ecx+4], edi
		mov	ecx, esi
		push	(offset	loc_AF33E3+5)
		mov	[eax], edi
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		mov	ebx, eax
		cmp	ebx, 0FFFFFFFFh
		jz	loc_AE637A
		lea	eax, [ebp+var_38]
		push	eax
		push	ebx
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_ACB1A6
		lea	ecx, [ebp+var_48]
		mov	edx, ebx
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	eax
		mov	ecx, esi
		call	CmpValueToData
		mov	ebx, eax
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		test	ebx, ebx
		jz	loc_ACB1A6
		mov	eax, [ebx]
		mov	[edi+4Ch], eax
		lea	eax, [ebp+var_48]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_ACB0F2:				; CODE XREF: CmpAddDriverToList+1B539j
		mov	edx, [ebp+var_14]
		mov	ecx, esi
		push	(offset	loc_AF33CF+1)
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		mov	ebx, eax
		cmp	ebx, 0FFFFFFFFh
		jz	loc_ACB1CB
		lea	eax, [ebp+var_38]
		push	eax
		push	ebx
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_ACB1A6
		lea	ecx, [ebp+var_50]
		mov	edx, ebx
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	eax
		mov	ecx, esi
		call	CmpValueToData
		mov	[edi+3Ch], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	dword ptr [edi+3Ch], 0
		jz	short loc_ACB1A6
		lea	eax, [ebp+var_50]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, [ebp+var_C]
		lea	ebx, [edi+38h]
		lea	ecx, [eax-2]
		mov	[ebx], cx
		cmp	cx, ax
		ja	short loc_ACB1A6
		mov	[edi+3Ah], cx

loc_ACB15D:				; CODE XREF: CmpAddDriverToList+392j
		mov	edx, [ebp+var_14]
		mov	ecx, esi
		push	(offset	loc_AF344F+1)
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		mov	[ebp+arg_8], eax
		cmp	eax, 0FFFFFFFFh
		jnz	loc_ACB241
		xor	eax, eax
		mov	[edi+30h], eax
		and	[edi+34h], eax

loc_ACB180:				; CODE XREF: CmpAddDriverToList+451j
		mov	edx, [ebp+var_14]
		mov	ecx, esi
		push	(offset	loc_AF32BF+1)
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_ACB1B8
		or	[edi+48h], eax

loc_ACB197:				; CODE XREF: CmpAddDriverToList+381j
		mov	ebx, [ebp+var_1C]
		mov	[ebp+var_5], 1

loc_ACB19E:				; CODE XREF: CmpAddDriverToList+8Dj
					; CmpAddDriverToList+A2j
		test	ebx, ebx
		jnz	loc_AE638E

loc_ACB1A6:				; CODE XREF: CmpAddDriverToList+7Bj
					; CmpAddDriverToList+273j ...
		lea	eax, [ebp+var_60]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_ACB1AE:				; CODE XREF: CmpAddDriverToList+61j
		mov	al, [ebp+var_5]
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	14h
; 

loc_ACB1B8:				; CODE XREF: CmpAddDriverToList+34Aj
		mov	ecx, [ebp+arg_0]
		mov	edx, eax
		push	ebx
		push	[ebp+arg_4]
		call	CmpFindTagIndex
		mov	[edi+48h], eax
		jmp	short loc_ACB197
; 

loc_ACB1CB:				; CODE XREF: CmpAddDriverToList+2BEj
		xor	eax, eax
		lea	ebx, [edi+38h]
		mov	[ebx], ax
		mov	[edi+3Ah], ax
		and	[edi+3Ch], eax
		jmp	short loc_ACB15D
; 

loc_ACB1DC:				; CODE XREF: CmpAddDriverToList+FEj
		movzx	eax, word ptr [edi+40h]
		push	20334D43h
		add	eax, 2Eh
		push	0
		push	eax
		mov	word ptr [ebp+var_28+2], ax
		call	dword ptr [esi+0Ch]
		mov	[ebp+var_24], eax
		test	eax, eax
		jz	loc_AE63BB
		push	(offset	loc_ADD37F+1) ;	void *
		lea	eax, [ebp+var_28]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		test	eax, eax
		js	loc_ACB29E
		lea	eax, [edi+40h]
		push	eax
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		test	eax, eax
		js	short loc_ACB29E
		push	offset ??_C@_19DKJJGBOC@?$AA?4?$AAs?$AAy?$AAs@PBOPGDP@ ; ".sys"
		lea	eax, [ebp+var_28]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		test	eax, eax
		js	short loc_ACB29E
		mov	eax, [ebp+var_24]
		mov	[ebp+var_10], eax
		jmp	loc_ACAFBF
; 

loc_ACB241:				; CODE XREF: CmpAddDriverToList+32Aj
		lea	ecx, [ebp+var_38]
		push	ecx
		push	eax
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_ACB1A6
		mov	edx, [ebp+arg_8]
		lea	ecx, [ebp+var_58]
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	eax
		mov	ecx, esi
		call	CmpValueToData
		mov	[edi+34h], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	dword ptr [edi+34h], 0
		jz	loc_ACB1A6
		lea	eax, [ebp+var_58]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	eax, [ebp+var_C]
		lea	ecx, [eax-2]
		mov	[edi+30h], cx
		cmp	cx, ax
		ja	loc_ACB1A6
		mov	[edi+32h], cx
		jmp	loc_ACB180
; 

loc_ACB29E:				; CODE XREF: CmpAddDriverToList+3C5j
					; CmpAddDriverToList+3DAj ...
		mov	ecx, [ebp+var_24]
		jmp	loc_AE639E
; 

loc_ACB2A6:				; CODE XREF: CmpAddDriverToList+23Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger
CmpAddDriverToList endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetSystemControlValues proc near	; CODE XREF: CmInitSystem0(x)+Cp
					; CmInitSystem0(x)+2Bp

var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_166		= dword	ptr -166h
var_160		= dword	ptr -160h
var_8		= dword	ptr -8
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00AE63FE SIZE 00000114 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 190h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		or	[ebp+var_18C], 0FFFFFFFFh
		lea	eax, [ebp+var_160]
		or	[ebp+var_180], 0FFFFFFFFh
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, ecx
		push	edi
		push	150h		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	edi, (offset loc_AF34DA+6)
		mov	[ebp+var_174], ebx
		mov	[ebp+var_170], ebx
		mov	[ebp+var_188], ebx
		mov	byte ptr [ebp+var_166],	bl
		mov	byte ptr [ebp+var_166+1], bl
		mov	[ebp+var_184], ebx
		mov	[ebp+var_17C], ebx
		call	_memset
		add	esp, 0Ch
		push	0C00h		; size_t
		push	ebx		; int
		mov	ebx, offset _CmControlHive
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, ebx
		call	_CmpInitSecurityCache@4	; CmpInitSecurityCache(x)
		mov	ecx, ebx	; void *
		call	_HvHiveInitialize@4 ; HvHiveInitialize(x)
		xor	ecx, ecx
		mov	[ebp+var_166+2], ebx
		lea	eax, [ebp+var_166+2]
		push	eax
		push	ecx
		mov	ds:dword_AFD0E4, eax
		lea	eax, [ebp+var_166+1]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	1
		push	ecx
		push	esi
		push	ecx
		push	1
		push	4
		pop	edx
		mov	ecx, ebx
		call	HvHiveStartMemoryBacked
		test	eax, eax
		js	loc_AE63FE
		and	ds:dword_AFD0E4, 0
		mov	bl, [ebp+arg_0]
		mov	esi, [esi+24h]
		cmp	bl, 1
		jz	loc_AE6425
		push	offset ??_C@_1BA@BJGEONAH@?$AAc?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@PBOPGDP@ ; "current"
		lea	eax, [ebp+var_174]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_166]
		mov	edx, esi
		push	eax
		lea	eax, [ebp+var_174]
		mov	esi, offset _CmControlHive
		push	eax
		mov	ecx, esi
		call	CmpFindControlSet
		cmp	eax, 0FFFFFFFFh
		jz	loc_AE6484
		lea	ecx, [ebp+var_180]
		push	ecx
		push	eax
		push	esi
		call	ds:dword_AFD0CC
		mov	esi, eax
		test	esi, esi
		jz	loc_ACB576
		push	offset ??_C@_1BA@IBGCEPCN@?$AAc?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@PBOPGDP@ ; "control"
		lea	eax, [ebp+var_174]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_174]
		mov	edx, esi
		push	eax
		mov	ecx, offset _CmControlHive
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		mov	[ebp+var_178], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_AE6404
		lea	eax, [ebp+var_180]
		push	eax
		push	offset _CmControlHive

loc_ACB418:				; CODE XREF: CmpGetSystemControlValues+1B1D3j
		call	ds:dword_AFD0D0
		cmp	dword ptr ds:loc_AF34DA+6, 0
		jz	loc_ACB4D3

loc_ACB42B:				; CODE XREF: CmpGetSystemControlValues+221j
		cmp	bl, 1
		jz	loc_AE6493

loc_ACB434:				; CODE XREF: CmpGetSystemControlValues+1B1F1j
		push	dword ptr [edi]
		mov	edx, [ebp+var_178]
		mov	ecx, offset _CmControlHive
		or	esi, 0FFFFFFFFh
		call	_CmpWalkPath@12	; CmpWalkPath(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_ACB4BC
		lea	ecx, [ebp+var_180]
		push	ecx
		push	eax
		push	offset _CmControlHive
		call	ds:dword_AFD0CC
		mov	[ebp+var_16C], eax
		test	eax, eax
		jz	loc_ACB576
		push	dword ptr [edi+4]
		lea	eax, [ebp+var_174]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp+var_16C]
		lea	eax, [ebp+var_174]
		push	eax
		mov	ecx, offset _CmControlHive
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		mov	[ebp+var_16C], eax
		lea	eax, [ebp+var_180]
		push	eax
		push	offset _CmControlHive
		call	ds:dword_AFD0D0
		mov	ecx, [ebp+var_16C]
		cmp	ecx, 0FFFFFFFFh
		jnz	loc_ACB587

loc_ACB4BC:				; CODE XREF: CmpGetSystemControlValues+1A0j
					; CmpGetSystemControlValues+36Bj
		mov	eax, [edi+0Ch]
		test	eax, eax
		jnz	loc_ACB61C

loc_ACB4C7:				; CODE XREF: CmpGetSystemControlValues+372j
					; CmpGetSystemControlValues+1B1EBj
		add	edi, 18h
		cmp	dword ptr [edi], 0
		jnz	loc_ACB42B

loc_ACB4D3:				; CODE XREF: CmpGetSystemControlValues+179j
		cmp	ds:_CmDefaultLanguageIdType, 1
		jnz	loc_AE64B9
		mov	edx, ds:_CmDefaultLanguageIdLength
		mov	ecx, offset _CmDefaultLanguageId
		call	CmpConvertLangId
		movzx	eax, ax
		mov	ds:_PsDefaultSystemLocaleId, eax

loc_ACB4F8:				; CODE XREF: CmpGetSystemControlValues+1B20Fj
					; CmpGetSystemControlValues+1B21Fj
		cmp	ds:_CmInstallUILanguageIdType, 1
		jnz	short loc_ACB517
		mov	edx, ds:_CmInstallUILanguageIdLength
		mov	ecx, offset _CmInstallUILanguageId
		call	CmpConvertLangId
		mov	ds:_PsInstallUILanguageId, ax

loc_ACB517:				; CODE XREF: CmpGetSystemControlValues+253j
		test	bl, bl
		jnz	short loc_ACB552
		movzx	eax, ds:_PsInstallUILanguageId
		mov	edx, [ebp+var_178]
		push	eax
		lea	eax, [ebp+var_184]
		push	eax
		call	CmSelectQualifiedInstallLanguage
		test	eax, eax
		jnz	loc_AE64E6
		movzx	eax, ds:_PsInstallUILanguageId
		mov	ecx, [ebp+var_184]
		cmp	eax, ecx
		jnz	loc_AE64D0

loc_ACB552:				; CODE XREF: CmpGetSystemControlValues+26Dj
					; CmpGetSystemControlValues+1B235j ...
		cmp	ds:_PsMachineUILanguageId, 0
		mov	eax, ds:_PsDefaultSystemLocaleId
		mov	ds:_PsDefaultThreadLocaleId, eax
		jnz	loc_AE6504

loc_ACB56A:				; CODE XREF: CmpGetSystemControlValues+1B261j
		mov	ax, ds:_PsInstallUILanguageId
		mov	ds:_PsMachineUILanguageId, ax

loc_ACB576:				; CODE XREF: CmpGetSystemControlValues+127j
					; CmpGetSystemControlValues+1BDj ...
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_ACB587:				; CODE XREF: CmpGetSystemControlValues+20Aj
		mov	eax, [edi+0Ch]
		test	eax, eax
		jnz	loc_ACB623
		mov	[ebp+var_16C], 4

loc_ACB59C:				; CODE XREF: CmpGetSystemControlValues+37Fj
		lea	eax, [ebp+var_18C]
		push	eax
		push	ecx
		push	offset _CmControlHive
		call	ds:dword_AFD0CC
		mov	ecx, eax
		mov	[ebp+var_190], ecx
		test	ecx, ecx
		jz	short loc_ACB576
		mov	eax, [ecx+4]
		mov	edx, 80000000h
		mov	esi, eax
		cmp	esi, edx
		jb	short loc_ACB5CB
		add	esi, edx

loc_ACB5CB:				; CODE XREF: CmpGetSystemControlValues+31Bj
		cmp	eax, edx
		sbb	al, al
		inc	al
		mov	byte ptr [ebp+var_166+1], al
		mov	eax, [ebp+var_16C]
		cmp	eax, esi
		jb	short loc_ACB637

loc_ACB5E1:				; CODE XREF: CmpGetSystemControlValues+38Dj
		test	esi, esi
		jz	short loc_ACB5FE
		push	esi		; size_t
		push	dword ptr [edi+8] ; void *
		mov	edx, ecx
		call	CmpGetBootValueData
		test	al, al
		jz	loc_AE64A2
		mov	ecx, [ebp+var_190]

loc_ACB5FE:				; CODE XREF: CmpGetSystemControlValues+337j
		mov	edx, [edi+10h]
		test	edx, edx
		jnz	short loc_ACB630

loc_ACB605:				; CODE XREF: CmpGetSystemControlValues+389j
		lea	eax, [ebp+var_18C]
		push	eax
		push	offset _CmControlHive
		call	ds:dword_AFD0D0
		jmp	loc_ACB4BC
; 

loc_ACB61C:				; CODE XREF: CmpGetSystemControlValues+215j
		mov	[eax], esi
		jmp	loc_ACB4C7
; 

loc_ACB623:				; CODE XREF: CmpGetSystemControlValues+2E0j
		mov	eax, [eax]
		mov	[ebp+var_16C], eax
		jmp	loc_ACB59C
; 

loc_ACB630:				; CODE XREF: CmpGetSystemControlValues+357j
		mov	eax, [ecx+0Ch]
		mov	[edx], eax
		jmp	short loc_ACB605
; 

loc_ACB637:				; CODE XREF: CmpGetSystemControlValues+333j
		mov	esi, eax
		jmp	short loc_ACB5E1
CmpGetSystemControlValues endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpFindDrivers	proc near		; CODE XREF: CmGetSystemDriverList+1EBp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_14		= dword	ptr  1Ch
arg_1C		= dword	ptr  24h

; FUNCTION CHUNK AT 00AE6512 SIZE 000000ED BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	eax, edx
		or	ecx, 0FFFFFFFFh
		mov	[ebp+var_10], eax
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_44], ecx
		lea	ecx, [ebp+var_44]
		push	edi
		xor	edi, edi
		push	ecx
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_8], edi
		push	ecx
		mov	ecx, esi
		mov	[ebp+var_24], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_30], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], edi
		call	_CmpLoadServicesNode@16	; CmpLoadServicesNode(x,x,x,x)
		test	al, al
		jz	loc_ACB772
		mov	ebx, edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_14], edi
		cmp	[ebp+arg_1C], ebx
		jnz	loc_AE6512

loc_ACB6A8:				; CODE XREF: CmpFindDrivers+1AEFBj
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_3C]
		push	eax
		lea	eax, [ebp+var_1C]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	CmpFindRedirectedDriverServiceStateNode
		test	al, al
		jnz	loc_AE653C
		xor	eax, eax
		and	[ebp+var_1C], eax
		mov	[ebp+arg_0], eax

loc_ACB6D4:				; CODE XREF: CmpFindDrivers+1AF0Cj
		mov	edx, [ebp+var_10]
		mov	ecx, esi
		call	_CmpFindGroupOrderList@8 ; CmpFindGroupOrderList(x,x)
		mov	[ebp+arg_4], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_ACB772
		xor	eax, eax
		mov	[ebp+arg_1C], eax

loc_ACB6EF:				; CODE XREF: CmpFindDrivers+E2j
					; CmpFindDrivers+FFj
		mov	edx, [ebp+var_20]
		lea	ecx, [ebp+var_8]
		push	ecx
		push	eax
		mov	ecx, esi
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		inc	[ebp+arg_1C]
		cmp	[ebp+var_8], 0FFFFFFFFh
		jz	short loc_ACB73D
		mov	edx, [ebp+var_8]
		sub	esp, 0Ch
		mov	ecx, esi
		push	edi
		push	ebx
		sub	esp, 0Ch
		call	CmpIsLoadType
		test	al, al
		mov	eax, [ebp+arg_1C]
		jz	short loc_ACB6EF
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	0
		push	[ebp+arg_14]
		push	(offset	loc_AF34BF+1)
		push	[ebp+arg_4]
		push	esi
		call	CmpAddDriverToList
		mov	eax, [ebp+arg_1C]
		jmp	short loc_ACB6EF
; 

loc_ACB73D:				; CODE XREF: CmpFindDrivers+C9j
		mov	eax, [ebp+arg_8]
		test	eax, eax
		jz	short loc_ACB74E
		mov	edi, [eax]
		cmp	edi, eax
		jnz	loc_AE654D

loc_ACB74E:				; CODE XREF: CmpFindDrivers+106j
					; CmpFindDrivers+1AF90j
		test	ebx, ebx
		jnz	loc_AE65D1

loc_ACB756:				; CODE XREF: CmpFindDrivers+1AF99j
					; CmpFindDrivers+1AFA7j
		mov	eax, [ebp+arg_0]
		test	eax, eax
		jnz	loc_AE65E8

loc_ACB761:				; CODE XREF: CmpFindDrivers+1AFB0j
					; CmpFindDrivers+1AFBEj
		lea	eax, [ebp+var_44]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	al, 1

loc_ACB76B:				; CODE XREF: CmpFindDrivers+138j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	24h
; 

loc_ACB772:				; CODE XREF: CmpFindDrivers+55j
					; CmpFindDrivers+A8j
		xor	al, al
		jmp	short loc_ACB76B
CmpFindDrivers	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpIsLoadType	proc near		; CODE XREF: CmpFindDrivers+D8p
					; CmpFindDrivers+1AF58p

var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00AE65FF SIZE 00000139 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 54h
		or	eax, 0FFFFFFFFh
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_24], eax
		push	edi
		mov	[ebp+var_4C], eax
		mov	esi, ecx
		mov	[ebp+var_54], eax
		mov	edi, ebx
		mov	[ebp+var_1C], eax
		mov	[ebp+var_3C], eax
		mov	[ebp+var_34], eax
		mov	[ebp+var_44], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4C]
		push	eax
		push	edx
		push	esi
		mov	[ebp+var_20], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_50], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_C], ebx
		call	dword ptr [esi+4]
		mov	[ebp+var_8], eax
		test	eax, eax
		jz	short loc_ACB84C
		cmp	[ebp+arg_C], ebx
		jnz	loc_AE65FF

loc_ACB7DC:				; CODE XREF: CmpIsLoadType+1AE8Cj
					; CmpIsLoadType+1AFBDj
		push	(offset	loc_AF32AB+5)
		mov	edx, eax
		mov	ecx, esi
		mov	edi, esi
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		mov	[ebp+var_4], eax
		cmp	eax, 0FFFFFFFFh
		jz	short loc_ACB835

loc_ACB7F4:				; CODE XREF: CmpIsLoadType+1AF07j
					; CmpIsLoadType+1AFB4j
		lea	ecx, [ebp+var_44]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	short loc_ACB835
		mov	edx, [ebp+var_4]
		lea	ecx, [ebp+var_24]
		push	ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		push	eax
		mov	ecx, edi
		call	CmpValueToData
		mov	[ebp+arg_C], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		mov	ecx, [ebp+arg_C]
		test	ecx, ecx
		jz	short loc_ACB835
		cmp	dword ptr [ecx], 1
		lea	ecx, [ebp+var_24]
		mov	eax, [edi+8]
		push	ecx
		push	edi
		jz	short loc_ACB846
		call	eax

loc_ACB835:				; CODE XREF: CmpIsLoadType+7Cj
					; CmpIsLoadType+89j ...
		lea	eax, [ebp+var_4C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	al, bl

loc_ACB83F:				; CODE XREF: CmpIsLoadType+D8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	20h
; 

loc_ACB846:				; CODE XREF: CmpIsLoadType+BBj
		call	eax
		mov	bl, 1
		jmp	short loc_ACB835
; 

loc_ACB84C:				; CODE XREF: CmpIsLoadType+5Bj
		xor	al, al
		jmp	short loc_ACB83F
CmpIsLoadType	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmpGetBootValueData(void *,size_t)
CmpGetBootValueData proc near		; CODE XREF: CmpGetSystemControlValues+33Fp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00AE6738 SIZE 00000007 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		or	esi, 0FFFFFFFFh
		xor	edx, edx
		mov	[ebp+var_2C], esi
		mov	ebx, 80000000h
		mov	[ebp+var_28], edx
		mov	eax, [edi+4]
		lea	ecx, [eax-80000000h]
		cmp	eax, ebx
		jb	short loc_ACB895
		push	[ebp+arg_4]	; size_t
		lea	eax, [edi+8]
		push	eax		; void *
		push	[ebp+arg_0]	; void *
		call	_memcpy
		add	esp, 0Ch

loc_ACB88C:				; CODE XREF: CmpGetBootValueData+93j
		mov	al, 1

loc_ACB88E:				; CODE XREF: CmpGetBootValueData+175j
					; CmpGetBootValueData+1AEEAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_ACB895:				; CODE XREF: CmpGetBootValueData+28j
		cmp	ds:dword_AFD164, 4
		mov	ecx, eax
		jb	short loc_ACB8AD
		lea	eax, [ecx-3FD9h]
		cmp	eax, 7FFFC026h
		jbe	short loc_ACB8E5

loc_ACB8AD:				; CODE XREF: CmpGetBootValueData+4Ej
		mov	eax, [edi+8]
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	eax
		mov	esi, offset _CmControlHive
		push	esi
		call	ds:dword_AFD0CC
		test	eax, eax
		jz	loc_AE6738
		push	[ebp+arg_4]	; size_t
		push	eax		; void *
		push	[ebp+arg_0]	; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_2C]
		push	eax
		push	esi
		call	ds:dword_AFD0D0
		jmp	short loc_ACB88C
; 

loc_ACB8E5:				; CODE XREF: CmpGetBootValueData+5Bj
		mov	eax, [edi+8]
		lea	ecx, [ebp+var_24]
		push	ecx
		mov	[ebp+var_24], esi
		mov	bl, 1
		mov	[ebp+var_14], esi
		mov	[ebp+var_1C], esi
		mov	esi, offset _CmControlHive
		push	eax
		push	esi
		mov	[ebp+var_20], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_18], edx
		call	ds:dword_AFD0CC
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_ACB9CE
		mov	eax, [eax+4]
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		push	esi
		call	ds:dword_AFD0CC
		mov	edx, eax
		mov	[ebp+var_8], edx
		test	edx, edx
		jz	loc_ACB9D2
		mov	eax, [edi+4]
		mov	edi, [ebp+arg_4]
		cmp	eax, edi
		ja	short loc_ACB940
		mov	edi, eax

loc_ACB940:				; CODE XREF: CmpGetBootValueData+ECj
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		xor	eax, eax
		cmp	dx, [ecx+2]
		jmp	short loc_ACB9A5
; 

loc_ACB94D:				; CODE XREF: CmpGetBootValueData+15Bj
		movzx	eax, ax
		lea	ecx, [ebp+var_14]
		push	ecx
		mov	[ebp+var_C], eax
		mov	eax, [edx+eax*4]
		push	eax
		push	esi
		call	ds:dword_AFD0CC
		test	eax, eax
		jz	short loc_ACB9D6
		mov	ecx, 3FD8h
		cmp	edi, ecx
		jbe	short loc_ACB9CA

loc_ACB96F:				; CODE XREF: CmpGetBootValueData+17Cj
		push	ecx		; size_t
		push	eax		; void *
		imul	eax, [ebp+var_C], 3FD8h
		add	eax, [ebp+arg_0]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		call	ds:dword_AFD0D0
		mov	eax, 3FD8h
		cmp	edi, eax
		jbe	short loc_ACB9AD
		mov	ecx, [ebp+var_4]
		sub	edi, eax
		mov	eax, [ebp+arg_4]
		inc	eax
		cmp	ax, [ecx+2]

loc_ACB9A5:				; CODE XREF: CmpGetBootValueData+FBj
		mov	edx, [ebp+var_8]
		mov	[ebp+arg_4], eax
		jb	short loc_ACB94D

loc_ACB9AD:				; CODE XREF: CmpGetBootValueData+146j
					; CmpGetBootValueData+188j
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	ds:dword_AFD0D0

loc_ACB9B8:				; CODE XREF: CmpGetBootValueData+184j
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	ds:dword_AFD0D0

loc_ACB9C3:				; CODE XREF: CmpGetBootValueData+180j
		mov	al, bl
		jmp	loc_ACB88E
; 

loc_ACB9CA:				; CODE XREF: CmpGetBootValueData+11Dj
		mov	ecx, edi
		jmp	short loc_ACB96F
; 

loc_ACB9CE:				; CODE XREF: CmpGetBootValueData+C2j
		xor	bl, bl
		jmp	short loc_ACB9C3
; 

loc_ACB9D2:				; CODE XREF: CmpGetBootValueData+DEj
		xor	bl, bl
		jmp	short loc_ACB9B8
; 

loc_ACB9D6:				; CODE XREF: CmpGetBootValueData+114j
		xor	bl, bl
		jmp	short loc_ACB9AD
CmpGetBootValueData endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CmpGetNodeName	proc near		; CODE XREF: CmpAddDriverToList+6Fp
					; CmpIsLoadType+1AE9Ap

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE673F SIZE 0000003F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		mov	ebx, edx
		test	edi, edi
		jz	short loc_ACB9F1
		xor	eax, eax
		mov	[edi], ax

loc_ACB9F1:				; CODE XREF: CmpGetNodeName+10j
		test	byte ptr [ebx+2], 20h
		movzx	eax, word ptr [ebx+48h]
		mov	ecx, [ecx+0Ch]
		push	20324D43h
		push	0
		jz	loc_AE673F
		lea	eax, ds:2[eax*2]
		movzx	eax, ax
		mov	[ebp+arg_0], eax
		movzx	eax, ax
		push	eax
		mov	[ebp+var_4], eax
		call	ecx
		mov	esi, eax
		test	esi, esi
		jz	short loc_ACBA56
		movzx	ecx, word ptr [ebx+48h]
		push	ecx
		lea	ecx, [ebx+4Ch]
		mov	ebx, [ebp+var_4]
		push	ecx
		mov	edx, ebx
		mov	ecx, esi
		call	_CmpCopyCompressedName@16 ; CmpCopyCompressedName(x,x,x,x)
		shr	ebx, 1
		xor	eax, eax
		mov	[esi+ebx*2-2], ax

loc_ACBA43:				; CODE XREF: CmpGetNodeName+1AD9Fj
		test	edi, edi
		jz	short loc_ACBA4D
		mov	eax, [ebp+arg_0]
		mov	[edi], ax

loc_ACBA4D:				; CODE XREF: CmpGetNodeName+6Bj
		mov	eax, esi

loc_ACBA4F:				; CODE XREF: CmpGetNodeName+7Ej
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_ACBA56:				; CODE XREF: CmpGetNodeName+49j
					; CmpGetNodeName+1AD7Bj
		xor	eax, eax
		jmp	short loc_ACBA4F
CmpGetNodeName	endp


;  S U B	R O U T	I N E 


CmpConvertLangId proc near		; CODE XREF: CmpGetSystemControlValues+23Fp
					; CmpGetSystemControlValues+260p

; FUNCTION CHUNK AT 00AE677E SIZE 00000022 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		xor	esi, esi
		mov	ebx, ecx
		shr	edx, 1
		push	edi
		mov	edi, esi
		jz	short loc_ACBAA5
		mov	eax, esi

loc_ACBA6B:				; CODE XREF: CmpConvertLangId+35j
		movzx	eax, word ptr [ebx+eax*2]
		lea	ecx, [eax-30h]
		cmp	cx, 9
		ja	short loc_ACBA93
		movzx	eax, cx

loc_ACBA7B:				; CODE XREF: CmpConvertLangId+1AD41j
		cmp	ax, 10h
		jnb	short loc_ACBAA5
		shl	esi, 4
		or	esi, eax
		inc	edi
		movzx	eax, di
		movzx	esi, si
		cmp	eax, edx
		jb	short loc_ACBA6B
		jmp	short loc_ACBAA5
; 

loc_ACBA93:				; CODE XREF: CmpConvertLangId+1Cj
		cmp	eax, 41h
		jnb	loc_AE677E

loc_ACBA9C:				; CODE XREF: CmpConvertLangId+1AD27j
		cmp	eax, 61h
		jnb	loc_AE678C

loc_ACBAA5:				; CODE XREF: CmpConvertLangId+Dj
					; CmpConvertLangId+25j	...
		pop	edi
		mov	ax, si
		pop	esi
		pop	ebx
		retn
CmpConvertLangId endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpAeThresholdInitialization proc near	; CODE XREF: ExpInitSystemPhase1+9Bp

var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_101		= byte ptr -101h
var_100		= dword	ptr -100h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE67A0 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFC0h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 138h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_10C], 0
		lea	eax, [ebp+var_100]
		push	esi
		push	edi
		push	0C0h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	cl, 2
		xor	esi, esi
		xor	edi, edi
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_101], al
		mov	[ebp+var_108], 400h

loc_ACBB0E:				; CODE XREF: ExpAeThresholdInitialization+78j
		lea	ecx, [ebp+var_100]
		call	_ExpAeMeasureContention@4 ; ExpAeMeasureContention(x)
		add	esi, eax
		adc	edi, edx
		sub	[ebp+var_108], 1
		jnz	short loc_ACBB0E
		mov	cl, [ebp+var_101]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		lea	eax, [ebp+var_100]
		shrd	esi, edi, 0Ah
		push	eax
		push	offset _ExpAeThresholdInitWorker@16 ; ExpAeThresholdInitWorker(x,x,x,x)
		mov	[ebp+var_10C], esi
		shr	edi, 0Ah
		call	_KeGenericCallDpc@8 ; KeGenericCallDpc(x,x)
		push	0
		push	400h
		push	[ebp+var_7C]
		push	[ebp+var_80]
		call	__alldiv
		mov	esi, eax
		mov	ecx, edx
		mov	eax, [ebp+var_78]
		cdq
		push	edx
		push	eax
		push	ecx
		push	esi
		call	__aulldiv
		mov	esi, [ebp+var_10C]
		mov	ecx, edi
		shld	ecx, esi, 2
		shl	esi, 2
		mov	[ebp+var_108], esi
		mov	esi, [ebp+var_10C]
		cmp	edx, ecx
		ja	short loc_ACBBA4
		jb	loc_AE67A0
		cmp	eax, [ebp+var_108]
		jb	loc_AE67A0

loc_ACBBA4:				; CODE XREF: ExpAeThresholdInitialization+E4j
		mov	eax, edi
		or	eax, 0
		jnz	short loc_ACBC14
		bsr	ecx, esi

loc_ACBBAE:				; CODE XREF: ExpAeThresholdInitialization+16Ej
		cmp	ecx, 2
		jb	short loc_ACBC1C
		sub	ecx, 2

loc_ACBBB6:				; CODE XREF: ExpAeThresholdInitialization+172j
		mov	eax, esi
		mov	[ebp+var_10C], ecx
		mov	edx, edi
		shrd	eax, edx, 2
		shr	edx, 2
		add	eax, esi
		adc	edx, edi
		shld	edx, eax, 7
		shl	eax, 7
		call	__aullshr
		mov	ecx, eax
		or	eax, 0FFFFFFFFh
		test	edx, edx
		jnz	short loc_ACBC20
		cmp	ecx, eax
		ja	short loc_ACBC20

loc_ACBBE4:				; CODE XREF: ExpAeThresholdInitialization+176j
		mov	eax, [ebp+var_10C]
		mov	ds:_ExpAeCycleCountScaler, al
		mov	eax, 0F00000h

loc_ACBBF4:				; CODE XREF: ExpAeThresholdInitialization+1AD00j
		mov	ds:_ExpAeCycleCountThreshold, ecx
		mov	ecx, [ebp+var_4]
		pop	edi
		mov	ds:_ExpAeSamplingPeriodMask, eax
		xor	ecx, ebp
		mov	al, 1
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_ACBC14:				; CODE XREF: ExpAeThresholdInitialization+FDj
		bsr	ecx, edi
		add	ecx, 20h
		jmp	short loc_ACBBAE
; 

loc_ACBC1C:				; CODE XREF: ExpAeThresholdInitialization+105j
		xor	ecx, ecx
		jmp	short loc_ACBBB6
; 

loc_ACBC20:				; CODE XREF: ExpAeThresholdInitialization+132j
					; ExpAeThresholdInitialization+136j
		mov	ecx, eax
		jmp	short loc_ACBBE4
ExpAeThresholdInitialization endp


;  S U B	R O U T	I N E 


ExpValidateLoader proc near		; CODE XREF: INIT:00ACD0B9p

; FUNCTION CHUNK AT 00AE67B1 SIZE 0000002D BYTES

		mov	edi, edi
		push	esi
		push	edi
		mov	edi, [ecx]
		cmp	edi, 0Ah
		jnz	short loc_ACBC68
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	short loc_ACBC68
		mov	edx, [ecx+8]
		cmp	edx, 0C8h
		jnz	short loc_ACBC68
		mov	ecx, [ecx+84h]
		mov	esi, [ecx]
		cmp	esi, 0D30h
		jnz	loc_AE67B1
		cmp	dword ptr [ecx+0AA4h], 0A000008h
		jnz	loc_AE67B1
		pop	edi
		pop	esi
		retn
; 

loc_ACBC68:				; CODE XREF: ExpValidateLoader+9j
					; ExpValidateLoader+10j ...
		mov	edx, [ecx+8]
		xor	esi, esi
		mov	eax, [ecx+4]
		jmp	loc_AE67B1
ExpValidateLoader endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WheaInitializeServices()
_WheaInitializeServices@0 proc near	; CODE XREF: INIT:00ACD29Bp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		call	_WheapSetDefaultErrorSourceConfiguration@0 ; WheapSetDefaultErrorSourceConfiguration()
		mov	eax, offset _WheapPfaList
		xor	edx, edx
		mov	dword_6FD8CC, eax
		xor	ecx, ecx
		mov	_WheapPfaList, eax
		lea	eax, [ebp+var_4]
		mov	_WheapPfaLock, edx
		mov	[ebp+var_4], edx
		lock or	[eax], ecx
		xor	eax, eax
		mov	dword_6B7324, edx
		inc	eax
		mov	dword_6B7328, edx
		push	edx
		push	eax
		push	offset unk_6B732C
		mov	_WheapPfaInitialized, al
		mov	_WheapLiveDumpLock, eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, offset _WheapLiveDumpRecordList
		mov	dword_6B7344, eax
		mov	_WheapLiveDumpRecordList, eax
		leave
		retn
_WheaInitializeServices@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall WheapSetDefaultErrorSourceConfiguration()
_WheapSetDefaultErrorSourceConfiguration@0 proc	near
					; CODE XREF: WheaInitializeServices()+6p
		xor	ecx, ecx
		mov	eax, ecx

loc_ACBCDE:				; CODE XREF: WheapSetDefaultErrorSourceConfiguration()+4Aj
		mov	_WheapSourceConfiguration[eax],	ecx
		mov	dword_6FD66C[eax], offset _xKdGetAcpiTablePhase0@8 ; xKdGetAcpiTablePhase0(x,x)
		mov	dword_6FD670[eax], offset _WheapDefaultErrSrcInitialize@12 ; WheapDefaultErrSrcInitialize(x,x,x)
		mov	dword_6FD674[eax], offset _WheapDefaultErrSrcCreateRecord@20 ; WheapDefaultErrSrcCreateRecord(x,x,x,x,x)
		mov	dword_6FD678[eax], offset _xKdGetAcpiTablePhase0@8 ; xKdGetAcpiTablePhase0(x,x)
		mov	dword_6FD67C[eax], offset _KeSetDmaIoCoherency@4 ; KeSetDmaIoCoherency(x)
		mov	dword_6FD680[eax], ecx
		add	eax, 24h
		cmp	eax, 264h
		jb	short loc_ACBCDE
		mov	_WheapConfigTableLock, ecx
		retn
_WheapSetDefaultErrorSourceConfiguration@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeInitializeClock proc near		; CODE XREF: INIT:00ABFCD7p
					; Phase1InitializationDiscard(x)+260p ...

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_29		= byte ptr -29h
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE67DE SIZE 00000170 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		lea	edi, [ebp+var_28]
		push	8
		xor	eax, eax
		xor	ebx, ebx
		pop	ecx
		rep stosd
		mov	eax, esi
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_38], ebx
		mov	[ebp+var_34], ebx
		sub	eax, ebx
		jz	short loc_ACBDD7
		sub	eax, 1
		jz	loc_AE67FD
		sub	eax, 1
		jnz	loc_AE67C0
		inc	ebx
		cmp	byte ptr ds:_KiDynamicTickDisableReason, al
		jnz	loc_AE67ED
		cmp	ds:_HvlHypervisorConnected, al
		jnz	loc_AE67CC

loc_ACBD8E:				; CODE XREF: ExpValidateLoader+1ABB5j
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], ebx
		push	eax		; int
		push	offset _GUID_EM_CPU_TYPE_INTEL_DTT_DISABLE ; void *
		call	EmClientQueryRuleState
		cmp	[ebp+var_30], 2
		jz	loc_AE67DE

loc_ACBDA9:				; CODE XREF: ExpValidateLoader+1ABAFj
					; KeInitializeClock+1AABAj
		cmp	byte ptr ds:_KiDynamicTickDisableReason, 0
		jnz	loc_AE67ED

loc_ACBDB6:				; CODE XREF: KeInitializeClock+1AACAj
		and	[ebp+var_3C], 0
		lea	eax, [ebp+var_3C]
		xor	ecx, ecx
		lock or	[eax], ecx
		mov	ds:_KiDynamicTickInitialized, bl

loc_ACBDC8:				; CODE XREF: KeInitializeClock+11Dj
					; KeInitializeClock+1ABE3j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_ACBDD7:				; CODE XREF: KeInitializeClock+33j
		or	eax, 0FFFFFFFFh
		xor	ebx, ebx
		mov	dword_6CAB68, eax
		inc	ebx
		mov	dword_6CAB6C, eax
		mov	dword_6CAB88, eax
		mov	dword_6CAB8C, eax
		mov	eax, [edx+78h]
		test	eax, eax
		jz	short loc_ACBE0D
		push	offset ??_C@_0BD@CKAEPKPP@DISABLEDYNAMICTICK@PBOPGDP@ ;	"DISABLEDYNAMICTICK"
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_AE6934

loc_ACBE0D:				; CODE XREF: KeInitializeClock+C8j
					; KeInitializeClock+1AC0Cj
		lea	eax, [ebp+var_28]
		push	eax
		call	off_6B1380	; KeSetDmaIoCoherency(x)
		mov	al, byte ptr [ebp+var_28]
		test	al, 4
		jz	short loc_ACBE24
		mov	ds:_KiClockTimerPerCpu,	bl

loc_ACBE24:				; CODE XREF: KeInitializeClock+EEj
		test	al, 2
		jnz	short loc_ACBE87

loc_ACBE28:				; CODE XREF: KeInitializeClock+15Fj
		test	al, bl
		jnz	short loc_ACBE8F

loc_ACBE2C:				; CODE XREF: KeInitializeClock+167j
		cmp	byte ptr ds:_KiDynamicTickDisableReason, 0
		jnz	short loc_ACBE3D
		test	al, 8
		jz	loc_AE693F

loc_ACBE3D:				; CODE XREF: KeInitializeClock+105j
					; KeInitializeClock+1AC1Bj
		push	[ebp+var_14]
		mov	ecx, [ebp+var_10]
		push	[ebp+var_18]
		call	KiSetupTimeIncrement
		jmp	loc_ACBDC8
; 

loc_ACBE50:				; CODE XREF: KeInitializeClock+138j
					; KeInitializeClock+1ABA1j
		cmp	esi, [ecx+10h]
		jb	short loc_ACBE68
		mov	eax, [ecx+4]
		test	edx, edx
		jnz	loc_AE6916

loc_ACBE60:				; CODE XREF: KeInitializeClock+1ABF2j
		test	eax, eax
		jz	short loc_ACBE7F

loc_ACBE64:				; CODE XREF: KeInitializeClock+146j
		mov	ecx, eax
		jmp	short loc_ACBE50
; 

loc_ACBE68:				; CODE XREF: KeInitializeClock+125j
		mov	eax, [ecx]
		test	edx, edx
		jnz	loc_AE6925

loc_ACBE72:				; CODE XREF: KeInitializeClock+1AC01j
		test	eax, eax
		jnz	short loc_ACBE64

loc_ACBE76:				; CODE XREF: KeInitializeClock+1ABF9j
		mov	byte ptr [ebp+var_30], 0
		jmp	loc_AE68D5
; 

loc_ACBE7F:				; CODE XREF: KeInitializeClock+134j
					; KeInitializeClock+1ABEAj
		mov	byte ptr [ebp+var_30], bl
		jmp	loc_AE68D5
; 

loc_ACBE87:				; CODE XREF: KeInitializeClock+F8j
		mov	ds:_KiClockTimerHighLatency, bl
		jmp	short loc_ACBE28
; 

loc_ACBE8F:				; CODE XREF: KeInitializeClock+FCj
		mov	ds:_KiClockTimerAlwaysOnPresent, bl
		jmp	short loc_ACBE2C
KeInitializeClock endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PsInitializeQuotaSystem(x)
_PsInitializeQuotaSystem@4 proc	near	; CODE XREF: MiInitSystem+246p
					; INIT:00ACD2EBp
		mov	edi, edi
		push	ebx
		test	ecx, ecx
		jnz	loc_ACBF27
		xor	ebx, ebx
		mov	ecx, offset unk_6D69C0
		inc	ebx
		mov	eax, offset _PspResourceFlags
		mov	dword_6D6B80, ebx
		mov	dword_6D6B84, ebx

loc_ACBEBC:				; CODE XREF: PsInitializeQuotaSystem(x)+37j
		test	byte ptr [eax],	2
		jnz	short loc_ACBEC4
		or	dword ptr [ecx], 0FFFFFFFFh

loc_ACBEC4:				; CODE XREF: PsInitializeQuotaSystem(x)+27j
		add	eax, 8
		sub	ecx, 0FFFFFF80h
		cmp	eax, offset _PsAltSystemCallHandlers
		jl	short loc_ACBEBC
		mov	eax, large fs:124h
		mov	edx, ebx
		mov	ecx, offset _PspDefaultResourceLimits
		mov	eax, [eax+80h]
		mov	dword ptr [eax+188h], offset _PspSystemQuotaBlock
		call	PspSanitizeResourceLimits
		push	74517350h
		push	180h
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:_PspQuotaBlockTable,	eax
		test	eax, eax
		jz	short loc_ACBF86
		push	20h
		add	eax, 4
		pop	ecx

loc_ACBF12:				; CODE XREF: PsInitializeQuotaSystem(x)+89j
		mov	[eax+4], eax
		mov	[eax], eax
		and	dword ptr [eax-4], 0
		add	eax, 0Ch
		sub	ecx, 1
		jnz	short loc_ACBF12

loc_ACBF23:				; CODE XREF: PsInitializeQuotaSystem(x)+ECj
		mov	al, bl
		pop	ebx
		retn
; 

loc_ACBF27:				; CODE XREF: PsInitializeQuotaSystem(x)+5j
		push	esi
		mov	esi, 0C0000044h
		mov	dl, 5
		push	esi
		xor	ecx, ecx
		call	PspRegisterResource
		xor	ebx, ebx
		inc	ebx
		push	esi
		mov	ecx, ebx
		call	PspRegisterResource
		push	0C000012Ch
		push	2
		xor	dl, dl
		pop	ecx
		call	PspRegisterResource
		push	0C00000A1h
		push	3
		pop	ecx
		call	PspRegisterResource
		push	2
		push	ecx
		push	ecx
		push	10000h
		mov	ecx, offset _PspQuotaExpansionDescriptors
		call	_PspInitializeQuotaExpansionDescriptor@24 ; PspInitializeQuotaExpansionDescriptor(x,x,x,x,x,x)
		push	ebx
		push	ecx
		push	ecx
		push	80000h
		mov	ecx, offset unk_6BEE9C
		call	_PspInitializeQuotaExpansionDescriptor@24 ; PspInitializeQuotaExpansionDescriptor(x,x,x,x,x,x)
		pop	esi
		jmp	short loc_ACBF23
; 

loc_ACBF86:				; CODE XREF: PsInitializeQuotaSystem(x)+72j
		xor	al, al
		pop	ebx
		retn
_PsInitializeQuotaSystem@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspInitializeQuotaExpansionDescriptor(x, x,	x, x, x, x)
_PspInitializeQuotaExpansionDescriptor@24 proc near
					; CODE XREF: PsInitializeQuotaSystem(x)+D4p
					; PsInitializeQuotaSystem(x)+E6p

arg_0		= dword	ptr  8
arg_C		= byte ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		cmp	[ebp+arg_C], 2
		mov	[ecx+4], eax
		lea	eax, [ecx+14h]
		mov	[eax+4], eax
		mov	[eax], eax
		sbb	eax, eax
		inc	eax
		mov	dword ptr [ecx+0Ch], offset _MmRaisePoolQuota@16 ; MmRaisePoolQuota(x,x,x,x)
		mov	dword ptr [ecx+10h], offset _MmReturnPoolQuota@8 ; MmReturnPoolQuota(x,x)
		mov	[ecx], eax
		and	dword ptr [ecx+8], 0
		pop	ebp
		retn	10h
_PspInitializeQuotaExpansionDescriptor@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExComputeTickCountMultiplier(x)
_ExComputeTickCountMultiplier@4	proc near ; CODE XREF: INIT:loc_ACD32Dp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		mov	esi, ds:_KeMaximumIncrement
		xor	edx, edx
		push	edi
		mov	eax, esi
		mov	edi, 2710h
		div	edi
		push	18h
		imul	ecx, eax, 2710h
		pop	edx
		sub	esi, ecx
		xor	ecx, ecx

loc_ACBFE2:				; CODE XREF: ExComputeTickCountMultiplier(x)+31j
		add	esi, esi
		add	ecx, ecx
		cmp	esi, edi
		jnb	short loc_ACBFF8

loc_ACBFEA:				; CODE XREF: ExComputeTickCountMultiplier(x)+41j
		sub	edx, 1
		jnz	short loc_ACBFE2
		shl	eax, 18h
		pop	edi
		or	eax, ecx
		pop	esi
		leave
		retn
; 

loc_ACBFF8:				; CODE XREF: ExComputeTickCountMultiplier(x)+2Cj
		sub	esi, edi
		or	ecx, 1
		jmp	short loc_ACBFEA
_ExComputeTickCountMultiplier@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


ExInitSystem	proc near		; CODE XREF: Phase1InitializationDiscard(x):loc_AC0B41p
					; INIT:00ACD4D2p

; FUNCTION CHUNK AT 00AE694E SIZE 00000014 BYTES

		mov	edi, edi
		push	ecx
		mov	ecx, _InitializationPhase
		xor	edx, edx
		mov	eax, ecx
		sub	eax, edx
		jz	short loc_ACC021
		sub	eax, 1
		jnz	loc_AE694E
		call	ExpInitSystemPhase1
		pop	ecx
		retn
; 

loc_ACC021:				; CODE XREF: ExInitSystem+Fj
		push	ds:off_A414E8
		mov	edx, ds:off_A4147C
		push	ds:off_A414E4
		mov	ecx, ds:off_A41478
		push	ds:off_A414E0
		push	ds:off_A414DC
		push	ds:off_A414D8
		push	ds:off_A414D4
		push	ds:off_A414D0
		push	ds:off_A414CC
		push	ds:off_A414C8
		push	ds:off_A414C4
		push	ds:off_A414C0
		push	ds:off_A414BC
		push	ds:off_A414B8
		push	ds:off_A414B4
		push	ds:off_A414B0
		push	ds:off_A414AC
		push	ds:off_A414A8
		push	ds:off_A414A4
		push	ds:off_A414A0
		push	ds:off_A4149C
		push	ds:off_A41498
		push	ds:off_A41494
		push	ds:off_A41490
		push	ds:off_A4148C
		push	ds:off_A41488
		push	ds:off_A41484
		push	ds:off_A41480
		call	ExpStringCheck
		call	_ExpInitSystemPhase0@0 ; ExpInitSystemPhase0()
		pop	ecx
		retn
ExInitSystem	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExInitializePoolTracker	proc near	; CODE XREF: ExInitializePoolHeapManagement+148p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= byte ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00ACC223 SIZE 000000F0 BYTES
; FUNCTION CHUNK AT 00AE6962 SIZE 000000F2 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_28]
		push	eax
		mov	[ebp+var_8], edi
		mov	[ebp+var_28], edi
		mov	[ebp+var_24], edi
		call	KeQuerySystemTime
		mov	ecx, large fs:20h
		rdtsc
		mov	esi, eax
		xor	esi, [ecx+590h]
		xor	esi, [ecx+4B4h]
		xor	ecx, ecx
		xor	esi, [ebp+var_24]
		xor	esi, [ebp+var_28]
		call	ExGenRandom
		xor	esi, eax
		push	1
		pop	ebx
		jz	loc_AE695B

loc_ACC12A:				; CODE XREF: ExInitSystem+1A95Dj
		bsr	ecx, ds:_KeLargestCacheLine
		mov	eax, ebx
		mov	ds:_ExpPoolQuotaCookie,	esi
		shl	eax, cl
		mov	esi, 1000h
		push	8
		mov	[ebp+var_8], ecx
		pop	ecx
		mov	ds:_ExpCacheLineSize, eax
		cmp	eax, ecx
		jb	loc_AE6962
		cmp	eax, esi
		ja	loc_AE696D

loc_ACC15B:				; CODE XREF: ExInitializePoolTracker+1A88Cj
					; ExInitializePoolTracker+1A897j
		mov	eax, _PoolTrackTableSize
		test	eax, eax
		jnz	loc_AE697F
		push	edi
		mov	_PoolTrackTableSize, esi
		call	_MmGetNumberOfPhysicalPages@4 ;	MmGetNumberOfPhysicalPages(x)
		cmp	eax, 10000h
		jbe	loc_AE6978

loc_ACC17F:				; CODE XREF: ExInitializePoolTracker+1A8BEj
		lea	eax, [esi+1]
		cmp	eax, 5555555h
		ja	loc_AE6992
		imul	edx, esi, 30h
		add	edx, 102Fh
		and	edx, 0FFFFF000h
		call	_ExAllocateHeapPages@8 ; ExAllocateHeapPages(x,x)
		mov	edx, eax
		mov	_PoolTrackTable, edx
		test	edx, edx
		jz	loc_AE699F
		mov	ecx, _PoolTrackTableSize
		mov	_ExPoolTagTables, edx
		lea	eax, [ecx-1]
		inc	ecx
		mov	_PoolTrackTableMask, eax
		imul	eax, ecx, 30h
		mov	_PoolTrackTableSize, ecx
		push	eax		; size_t
		push	edi		; int
		push	edx		; void *
		call	_memset
		add	esp, 0Ch
		call	_ExpSeedHotTags@0 ; ExpSeedHotTags()
		imul	edx, _PoolTrackTableSize, 30h
		xor	eax, eax
		mov	ecx, _PoolTrackTable
		mov	esi, 6C6F6F50h
		mov	_ExpTaggedPoolLock, edi
		lea	edi, [ebp+var_34]
		stosd
		mov	[ebp+var_4], esi
		add	edx, 0FFFh
		and	edx, 0FFFFF000h
		stosd
		mov	[ebp+var_10], edx
		stosd
		mov	eax, ds:_PoolHitTag
		cmp	eax, esi
		jz	loc_AE69B3
		jmp	loc_AE69B4
ExInitializePoolTracker	endp

; 
; START	OF FUNCTION CHUNK FOR ExInitializePoolTracker

loc_ACC223:				; CODE XREF: ExInitializePoolTracker+1CAj
		lea	edx, [ebp+var_34]
		mov	ecx, offset _ExpTaggedPoolLock
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, _PoolTrackTable
		cmp	dword ptr [edi+ecx], 0
		jnz	short loc_ACC245
		mov	eax, [ebp+var_4]
		mov	[edi+ecx], eax
		mov	[edi+ebx], eax

loc_ACC245:				; CODE XREF: ExInitializePoolTracker+15Ej
		test	ds:byte_70EFC6,	1
		jnz	loc_AE6A27
		mov	eax, [ebp+var_34]
		test	eax, eax
		jnz	loc_AE6A3F
		mov	edx, [ebp+var_30]
		lea	eax, [ebp+var_34]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_34]
		cmp	eax, ecx
		jnz	loc_AE6A37

loc_ACC274:				; CODE XREF: ExInitializePoolTracker+1A956j
					; ExInitializePoolTracker+1A973j
		mov	cl, [ebp+var_2C]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	edx, [ebp+var_18]

loc_ACC280:				; CODE XREF: ExInitializePoolTracker+1D9j
					; ExInitializePoolTracker+232j	...
		imul	edi, esi, 30h
		mov	[ebp+var_C], edi
		mov	eax, [edi+ebx]
		mov	ecx, [ebp+var_4]
		cmp	eax, ecx
		jz	short loc_ACC2C6
		test	eax, eax
		jnz	short loc_ACC2AF
		mov	eax, _PoolTrackTable
		mov	eax, [edi+eax]
		test	eax, eax
		jnz	short loc_ACC30B
		mov	eax, [ebp+var_14]
		dec	eax
		cmp	esi, eax
		jnz	loc_ACC223
		mov	ecx, [ebp+var_4]

loc_ACC2AF:				; CODE XREF: ExInitializePoolTracker+1B6j
		inc	esi
		and	esi, edx
		cmp	esi, [ebp+var_1C]
		jnz	short loc_ACC280
		mov	edx, [ebp+var_10]
		push	200h
		call	ExpInsertPoolTrackerExpansion
		jmp	short loc_ACC304
; 

loc_ACC2C6:				; CODE XREF: ExInitializePoolTracker+1B2j
		lea	eax, [ebx+8]
		add	eax, edi
		mov	[ebp+var_1C], eax
		mov	edi, eax

loc_ACC2D0:				; CODE XREF: ExInitializePoolTracker+211j
					; ExInitializePoolTracker+216j
		mov	esi, [edi]
		xor	eax, eax
		mov	edx, [edi+4]
		inc	eax
		mov	ebx, esi
		mov	[ebp+var_1C], edx
		add	ebx, eax
		mov	ecx, edx
		mov	eax, esi
		adc	ecx, 0
		nop
		lock cmpxchg8b qword ptr [edi]
		cmp	eax, esi
		jnz	short loc_ACC2D0
		cmp	edx, [ebp+var_1C]
		jnz	short loc_ACC2D0
		mov	eax, [ebp+var_20]
		mov	edx, [ebp+var_10]
		add	eax, 4
		add	eax, [ebp+var_C]
		lock xadd [eax], edx

loc_ACC304:				; CODE XREF: ExInitializePoolTracker+1E8j
		xor	eax, eax

loc_ACC306:				; CODE XREF: ExInitializePoolTracker+1A8D2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_ACC30B:				; CODE XREF: ExInitializePoolTracker+1C2j
		mov	[edi+ebx], eax
		jmp	loc_ACC280
; END OF FUNCTION CHUNK	FOR ExInitializePoolTracker
; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSeedHotTags()
_ExpSeedHotTags@0 proc near		; CODE XREF: ExInitializePoolTracker+FEp

var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 108h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		mov	esi, _PoolTrackTable
		xor	edx, edx
		push	edi
		mov	[ebp+var_104], 20206F49h
		mov	[ebp+var_100], 206C6148h
		mov	[ebp+var_FC], 506C644Dh
		mov	[ebp+var_F8], 4C6F6F50h
		mov	[ebp+var_F4], 7453624Fh
		mov	[ebp+var_F0], 20707249h
		mov	[ebp+var_EC], 6264444Eh
		mov	[ebp+var_E8], 4C707249h
		mov	[ebp+var_E4], 704F6F49h
		mov	[ebp+var_E0], 206C644Dh
		mov	[ebp+var_DC], 656C6946h
		mov	[ebp+var_D8], 61564D43h
		mov	[ebp+var_D4], 64536553h
		mov	[ebp+var_D0], 4346744Eh
		mov	[ebp+var_CC], 6C6F6F50h
		mov	[ebp+var_C8], 72504354h
		mov	[ebp+var_C4], 624E4D43h
		mov	[ebp+var_C0], 64546553h
		mov	[ebp+var_BC], 7346744Eh
		mov	[ebp+var_B8], 54504354h
		mov	[ebp+var_B4], 43504354h
		mov	[ebp+var_B0], 2079654Bh
		mov	[ebp+var_AC], 7153624Fh
		mov	[ebp+var_A8], 6D4E6F49h
		mov	[ebp+var_A4], 61456F49h
		mov	[ebp+var_A0], 63504354h
		mov	[ebp+var_9C], 6146744Eh
		mov	[ebp+var_98], 3066744Eh
		mov	[ebp+var_94], 74636553h
		mov	[ebp+var_90], 53707249h
		mov	[ebp+var_8C], 656B6F54h
		mov	[ebp+var_88], 20206553h
		mov	[ebp+var_84], 6C43624Fh
		mov	[ebp+var_80], 63536343h
		mov	[ebp+var_7C], 4C46744Eh
		mov	[ebp+var_78], 63416553h
		mov	[ebp+var_74], 6D665346h
		mov	[ebp+var_70], 6B576343h
		mov	[ebp+var_6C], 6D695346h
		mov	[ebp+var_68], 43646641h
		mov	[ebp+var_64], 45646641h
		mov	[ebp+var_60], 6F725346h
		mov	[ebp+var_5C], 6E66744Eh
		mov	[ebp+var_58], 50524955h
		mov	[ebp+var_54], 7246704Eh
		mov	[ebp+var_50], 5246704Eh
		mov	[ebp+var_4C], 61506553h
		mov	[ebp+var_48], 73556553h
		mov	[ebp+var_44], 46706341h
		mov	[ebp+var_40], 4D706341h
		mov	[ebp+var_3C], 63536553h
		mov	[ebp+var_38], 6D4E624Fh
		mov	[ebp+var_34], 7346704Eh
		mov	[ebp+var_30], 754C6553h
		mov	[ebp+var_2C], 44506353h
		mov	[ebp+var_28], 6E657645h
		mov	[ebp+var_24], 76727152h
		mov	[ebp+var_20], 6C646156h
		mov	[ebp+var_1C], 20207050h
		mov	[ebp+var_18], 53646156h
		mov	[ebp+var_14], 20646156h
		mov	[ebp+var_10], 4C646156h
		mov	[ebp+var_C], 46646156h
		mov	[ebp+var_8], 69646D4Dh

loc_ACC557:				; CODE XREF: ExpSeedHotTags()+2A5j
		mov	ebx, [ebp+edx*4+var_104]
		mov	eax, ebx
		shr	eax, 8
		movzx	ecx, al
		mov	edi, _PoolTrackTableMask
		movzx	eax, bl
		shl	eax, 2
		xor	ecx, eax
		mov	eax, ebx
		shl	ecx, 2
		shr	eax, 10h
		movzx	eax, al
		xor	ecx, eax
		mov	eax, ebx
		shl	ecx, 2
		shr	eax, 18h
		xor	ecx, eax
		imul	ecx, 9E5Fh
		sar	ecx, 2
		and	ecx, edi
		mov	[ebp+var_108], ecx

loc_ACC59C:				; CODE XREF: ExpSeedHotTags()+2BFj
		imul	eax, ecx, 30h
		cmp	dword ptr [eax+esi], 0
		jnz	short loc_ACC5CA
		mov	eax, _PoolTrackTableSize
		dec	eax
		cmp	ecx, eax
		jz	short loc_ACC5CA
		imul	eax, ecx, 30h
		mov	[eax+esi], ebx

loc_ACC5B5:				; CODE XREF: ExpSeedHotTags()+2C1j
		inc	edx
		cmp	edx, 40h
		jb	short loc_ACC557
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_ACC5CA:				; CODE XREF: ExpSeedHotTags()+28Fj
					; ExpSeedHotTags()+299j
		inc	ecx
		and	ecx, edi
		cmp	ecx, [ebp+var_108]
		jnz	short loc_ACC59C
		jmp	short loc_ACC5B5
_ExpSeedHotTags@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpInitSystemPhase0()
_ExpInitSystemPhase0@0 proc near	; CODE XREF: ExInitSystem+D4p

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		or	dword_6BB4FC, 0FFFFFFFFh
		push	ebx
		push	esi
		push	0Ah
		pop	eax
		mov	ds:0FFDF02D6h, ax
		xor	esi, esi
		xor	ebx, ebx
		mov	_ExpTimeout, 0FD9DA600h
		push	esi
		inc	ebx
		mov	dword_6BBC24, esi
		mov	eax, offset _ExpSystemResourcesList
		mov	_ExpEnvironmentLock, ebx
		push	ebx
		push	offset unk_6BBC2C
		mov	dword_6BBC84, eax
		mov	_ExpSystemResourcesList, eax
		mov	dword_6BBC28, esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, offset _ExNPagedLookasideListHead
		mov	_ExNPagedLookasideLock,	esi
		mov	dword_6BBC64, eax
		mov	_ExNPagedLookasideListHead, eax
		mov	eax, offset _ExPagedLookasideListHead
		mov	dword_6BBC54, eax
		mov	_ExPagedLookasideListHead, eax
		mov	eax, offset _ExpFirmwareTableProviderListHead
		push	offset _ExpFirmwareTableResource
		mov	_ExPagedLookasideLock, esi
		mov	dword_6BC03C, eax
		mov	_ExpFirmwareTableProviderListHead, eax
		call	ExInitializeResourceLite
		mov	eax, ds:_KeLoaderBlock
		mov	eax, [eax+94h]
		shr	eax, 2
		and	al, bl
		mov	ds:_ExpConDrvLoadLock, esi
		cmp	ds:_CmSuiteBufferType, 7
		mov	_ExpFirmwarePageProtectionSupported, al
		jnz	short loc_ACC6A9
		mov	dl, ds:_ExpMultiUserTS
		mov	ecx, offset _CmSuiteBuffer
		call	_ExGetSuiteMask@8 ; ExGetSuiteMask(x,x)
		mov	ds:0FFDF02D0h, eax

loc_ACC6A9:				; CODE XREF: ExpInitSystemPhase0()+BAj
		mov	ecx, ebx
		call	ExGenRandom
		mov	_RtlpHeapKey, eax
		call	_RtlHpGlobalsInitialize@0 ; RtlHpGlobalsInitialize()
		mov	[ebp+var_8], esi
		mov	al, bl
		mov	dword_6BEC84, esi
		mov	byte ptr [ebp+var_8], 2
		mov	ecx, [ebp+var_8]
		pop	esi
		mov	_RtlpHpLegacyEnvHandle,	ecx
		pop	ebx
		leave
		retn
_ExpInitSystemPhase0@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpUpdateProductType proc near		; CODE XREF: ExpInitSystemPhase1:loc_AC319Cp

var_10		= dword	ptr -10h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE6A54 SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		xor	ecx, ecx
		mov	[ebp+var_4], ecx
		stosd
		stosd
		lea	eax, [ebp+var_4]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	6
		call	RtlGetProductInfo
		test	al, al
		jz	short loc_ACC726
		mov	ecx, [ebp+var_4]
		cmp	ecx, 0ABCDABCDh
		jz	short loc_ACC726
		lea	edx, [ebp+var_10]
		call	_ExpGetProductInfoSuiteTypeMap@8 ; ExpGetProductInfoSuiteTypeMap(x,x)
		test	al, al
		jz	short loc_ACC726
		mov	ecx, ds:0FFDF0264h
		mov	eax, [ebp+var_8]
		cmp	ecx, eax
		jnz	loc_AE6A54

loc_ACC726:				; CODE XREF: ExpUpdateProductType+26j
					; ExpUpdateProductType+31j ...
		pop	edi
		leave
		retn
ExpUpdateProductType endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpStringCheck	proc near		; CODE XREF: ExInitSystem+CFp

var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch
arg_18		= dword	ptr  20h
arg_1C		= dword	ptr  24h
arg_20		= dword	ptr  28h
arg_24		= dword	ptr  2Ch
arg_28		= dword	ptr  30h
arg_2C		= dword	ptr  34h
arg_30		= dword	ptr  38h
arg_34		= dword	ptr  3Ch
arg_38		= dword	ptr  40h
arg_3C		= dword	ptr  44h
arg_40		= dword	ptr  48h
arg_44		= dword	ptr  4Ch
arg_48		= dword	ptr  50h
arg_4C		= dword	ptr  54h
arg_50		= dword	ptr  58h
arg_54		= dword	ptr  5Ch
arg_58		= dword	ptr  60h
arg_5C		= dword	ptr  64h
arg_60		= dword	ptr  68h
arg_64		= dword	ptr  6Ch
arg_68		= dword	ptr  70h

; FUNCTION CHUNK AT 00AE6A6C SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0DCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_7C], eax
		mov	eax, [ebp+arg_C]
		mov	[ebp+var_80], eax
		mov	eax, [ebp+arg_10]
		mov	[ebp+var_84], eax
		mov	eax, [ebp+arg_14]
		mov	[ebp+var_88], eax
		mov	eax, [ebp+arg_18]
		mov	[ebp+var_8C], eax
		mov	eax, [ebp+arg_1C]
		mov	[ebp+var_90], eax
		mov	eax, [ebp+arg_20]
		mov	[ebp+var_94], eax
		mov	eax, [ebp+arg_24]
		mov	[ebp+var_98], eax
		mov	eax, [ebp+arg_28]
		mov	[ebp+var_9C], eax
		mov	eax, [ebp+arg_2C]
		mov	[ebp+var_A0], eax
		mov	eax, [ebp+arg_30]
		mov	[ebp+var_A4], eax
		mov	eax, [ebp+arg_34]
		mov	[ebp+var_A8], eax
		mov	eax, [ebp+arg_38]
		mov	[ebp+var_AC], eax
		mov	eax, [ebp+arg_3C]
		mov	[ebp+var_B0], eax
		mov	eax, [ebp+arg_40]
		mov	[ebp+var_B4], eax
		mov	eax, [ebp+arg_44]
		mov	[ebp+var_B8], eax
		mov	eax, [ebp+arg_48]
		mov	[ebp+var_BC], eax
		mov	eax, [ebp+arg_4C]
		mov	[ebp+var_C0], eax
		mov	eax, [ebp+arg_50]
		mov	[ebp+var_C4], eax
		mov	eax, [ebp+arg_54]
		mov	[ebp+var_C8], eax
		mov	eax, [ebp+arg_58]
		mov	[ebp+var_CC], eax
		mov	eax, [ebp+arg_5C]
		mov	[ebp+var_D0], eax
		mov	eax, [ebp+arg_60]
		mov	ebx, [ebp+arg_4]
		mov	[ebp+var_D4], eax
		mov	eax, [ebp+arg_64]
		mov	esi, [ebp+arg_0]
		mov	[ebp+var_D8], eax
		mov	eax, [ebp+arg_68]
		mov	[ebp+var_DC], eax
		call	ExpSingleStringCheck
		mov	ecx, edi
		mov	[ebp+var_78], eax
		call	ExpSingleStringCheck
		mov	ecx, esi
		mov	[ebp+var_74], eax
		call	ExpSingleStringCheck
		mov	ecx, ebx
		mov	[ebp+var_70], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_7C]
		mov	[ebp+var_6C], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_80]
		mov	[ebp+var_68], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_84]
		mov	[ebp+var_64], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_88]
		mov	[ebp+var_60], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_8C]
		mov	[ebp+var_5C], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_90]
		mov	[ebp+var_58], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_94]
		mov	[ebp+var_54], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_98]
		mov	[ebp+var_50], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_9C]
		mov	[ebp+var_4C], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_A0]
		mov	[ebp+var_48], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_A4]
		mov	[ebp+var_44], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_A8]
		mov	[ebp+var_40], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_AC]
		mov	[ebp+var_3C], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_B0]
		mov	[ebp+var_38], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_B4]
		mov	[ebp+var_34], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_B8]
		mov	[ebp+var_30], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_BC]
		mov	[ebp+var_2C], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_C0]
		mov	[ebp+var_28], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_C4]
		mov	[ebp+var_24], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_C8]
		mov	[ebp+var_20], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_CC]
		mov	[ebp+var_1C], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_D0]
		mov	[ebp+var_18], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_D4]
		mov	[ebp+var_14], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_D8]
		mov	[ebp+var_10], eax
		call	ExpSingleStringCheck
		mov	ecx, [ebp+var_DC]
		mov	[ebp+var_C], eax
		call	ExpSingleStringCheck
		pop	edi
		pop	esi
		mov	[ebp+var_8], eax
		xor	ecx, ecx
		pop	ebx

loc_ACC9A8:				; CODE XREF: ExpStringCheck+294j
		mov	eax, [ebp+ecx+var_78]
		cmp	eax, ds:dword_418B68[ecx]
		jnz	loc_AE6A6C

loc_ACC9B8:				; CODE XREF: ExpStringCheck+1A34Cj
		add	ecx, 4
		cmp	ecx, 74h
		jl	short loc_ACC9A8
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	6Ch
ExpStringCheck	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpSingleStringCheck proc near		; CODE XREF: ExpStringCheck+FBp
					; ExpStringCheck+105p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		lea	eax, [ebp+var_8]
		and	[ebp+var_4], 0
		push	ecx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, word ptr [ebp+var_8]
		push	eax
		push	[ebp+var_4]
		push	0
		call	_RtlComputeCrc32@12 ; RtlComputeCrc32(x,x,x)
		leave
		retn
ExpSingleStringCheck endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeNumaInitialize()
_KeNumaInitialize@0 proc near		; CODE XREF: INIT:00ACD4DFp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		and	[ebp+var_4], 0
		xor	eax, eax
		push	edi
		push	8
		pop	ecx
		lea	edi, [ebp+var_24]
		rep stosd
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		push	20h
		push	0Bh
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_ACCA61
		mov	ax, word ptr [ebp+var_24]
		mov	ds:_KeNumberNodes, ax
		mov	eax, [ebp+var_20]
		mov	_KiNumaQueryProcessorNode, eax
		mov	eax, [ebp+var_C]
		mov	_KiNumaQueryNodeCapacity, eax
		mov	eax, [ebp+var_8]
		mov	_KiNumaQueryNodeDistance, eax
		mov	eax, [ebp+var_18]
		mov	_KiNumaQueryProximityNode, eax
		mov	eax, [ebp+var_10]
		mov	_KiNumaQueryProximityId, eax
		mov	_PnpQueryProximityNode,	offset _KiQueryProximityNode@8 ; KiQueryProximityNode(x,x)

loc_ACCA61:				; CODE XREF: KeNumaInitialize()+2Bj
		pop	edi
		leave
		retn
_KeNumaInitialize@0 endp


;  S U B	R O U T	I N E 


VerifierInitSystem proc	near		; CODE XREF: Phase1InitializationDiscard(x)+870p
					; INIT:00ACD4E6p

; FUNCTION CHUNK AT 00AE6A7B SIZE 0000001E BYTES

		mov	edi, edi
		push	ecx
		mov	edx, _InitializationPhase
		mov	eax, edx
		sub	eax, 0
		jz	short loc_ACCA84
		sub	eax, 1
		jnz	loc_AE6A7B
		call	ViInitSystemPhase1
		pop	ecx
		retn
; 

loc_ACCA84:				; CODE XREF: VerifierInitSystem+Ej
		call	ViInitSystemPhase0
		pop	ecx
		retn
VerifierInitSystem endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ViInitSystemPhase0 proc	near		; CODE XREF: VerifierInitSystem:loc_ACCA84p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

; FUNCTION CHUNK AT 00ACCB6F SIZE 00000085 BYTES
; FUNCTION CHUNK AT 00AE6A99 SIZE 000003CC BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	ebx, ecx
		xor	edx, edx
		push	esi
		push	edi
		mov	[ebp+var_1C], edx
		mov	eax, [ebx+84h]
		mov	[ebp+var_18], edx
		mov	edi, [eax+54h]
		mov	esi, [eax+0D8h]
		and	edi, 2
		mov	eax, _VfOptionFlags
		and	eax, 7FFh
		mov	_VfOptionFlags,	eax
		test	al, 4
		jnz	loc_AE6A8A

loc_ACCACA:				; CODE XREF: VerifierInitSystem+1A030j
		test	al, al
		js	loc_AE6A99

loc_ACCAD2:				; CODE XREF: ViInitSystemPhase0+1A012j
		push	edx
		push	1
		xor	dl, dl
		mov	ecx, offset _ViDriversLoadLock
		call	KiInitializeMutant
		mov	eax, offset _VfSuspectDriversList
		or	edx, 0FFFFFFFFh
		mov	dword_6BE524, eax
		mov	_VfSuspectDriversList, eax
		mov	eax, offset _VfExcludedDriversList
		mov	dword_6BDFDC, eax
		mov	_VfExcludedDriversList,	eax
		mov	eax, offset _VfXdvExcludedDriversList
		mov	dword_6BDFD4, eax
		mov	_VfXdvExcludedDriversList, eax
		cmp	_VfVerifyMode, edx
		jnz	short loc_ACCB37
		mov	eax, _MmVerifierData
		and	eax, 400000h
		neg	eax
		sbb	eax, eax
		and	eax, 0FFFFFFFEh
		add	eax, 4
		mov	_VfVerifyMode, eax
		mov	dword_6C6EAC, eax

loc_ACCB37:				; CODE XREF: ViInitSystemPhase0+8Bj
		mov	ecx, _MmVerifyDriverLevel
		cmp	ecx, edx
		jnz	loc_AE6AA3
		cmp	_VfRuleClasses,	0
		jnz	loc_AE6AAE

loc_ACCB52:				; CODE XREF: ViInitSystemPhase0+1A01Dj
		test	edi, edi
		jz	loc_AE6AD2

loc_ACCB5A:				; CODE XREF: ViInitSystemPhase0+1A048j
					; ViInitSystemPhase0+1A076j
		test	_VfOptionFlags,	410h
		jz	loc_AE6B2D
		jmp	loc_AE6B07
ViInitSystemPhase0 endp

; 
; START	OF FUNCTION CHUNK FOR ViInitSystemPhase0

loc_ACCB6F:				; CODE XREF: ViInitSystemPhase0+1A09Cj
					; ViInitSystemPhase0+1A0A3j
		push	(offset	loc_ADCBDD+1) ;	char *
		push	dword ptr [ebx+78h] ; char *
		mov	_VfClearanceFlag, eax
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_AE6E47
		cmp	_VfClearanceFlag, eax
		jnz	loc_AE6E47
		mov	ecx, ebx
		call	VfTriageSystem
		or	esi, 0FFFFFFFFh
		cmp	_MmVerifyDriverLevel, esi
		jnz	loc_AE6B34

loc_ACCBAD:				; CODE XREF: ViInitSystemPhase0+1A0CDj
					; ViInitSystemPhase0+1A0D8j
		xor	ebx, ebx
		mov	ds:_VfRandomVerifiedDrivers, ebx

loc_ACCBB5:				; CODE XREF: ViInitSystemPhase0+1A0E0j
		call	VfRandomInit
		mov	eax, _ViVerifyAllDrivers
		cmp	eax, 1
		jz	loc_AE6B8F
		cmp	eax, 2
		jz	loc_AE6B71
		cmp	ds:_MmVerifyDriverBufferLength,	esi
		jnz	loc_AE6B95
		mov	eax, ds:_VfRandomVerifiedDrivers
		mov	esi, ebx
		mov	[ebp+var_C], esi
		test	eax, eax
		jnz	loc_AE6C8A

loc_ACCBEF:				; CODE XREF: ViInitSystemPhase0+1A031j
					; ViInitSystemPhase0+1A041j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; END OF FUNCTION CHUNK	FOR ViInitSystemPhase0

;  S U B	R O U T	I N E 


VfRandomInit	proc near		; CODE XREF: ViInitSystemPhase0:loc_ACCBB5p

; FUNCTION CHUNK AT 00AE6E65 SIZE 00000041 BYTES

		cmp	ds:_VfRandomVerifiedDrivers, 0
		jnz	loc_AE6E65

loc_ACCC01:				; CODE XREF: VfRandomInit+1A295j
					; VfRandomInit+1A2A1j ...
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ds:_ViRandomSeed, eax
		retn
VfRandomInit	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VfTriageSystem	proc near		; CODE XREF: ViInitSystemPhase0+10Dp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE6EA6 SIZE 000001F5 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi		; char
		push	_ViVerifyTriage	; char
		mov	edi, ecx
		xor	ebx, ebx
		push	offset ??_C@_0DM@DDGEBKLC@CRASH?5TRIAGE?3?5verifier?5triage?5g@PBOPGDP@	; "CRASH TRIAGE: verifier triage global/re"...
		push	3		; int
		push	5Dh		; int
		mov	[ebp+var_8], edi
		call	_DbgPrintEx
		or	esi, 0FFFFFFFFh
		add	esp, 10h
		cmp	_MmVerifyDriverLevel, esi
		jnz	short loc_ACCC71
		cmp	_ViVerifyAllDrivers, ebx
		jnz	short loc_ACCC71
		mov	eax, _ViVerifyTriage
		cmp	eax, esi
		jnz	loc_AE6EA6
		push	offset ??_C@_0EE@NFKNPAOI@CRASH?5TRIAGE?3?5triage?5skipped?5be@PBOPGDP@	; "CRASH TRIAGE: triage	skipped	because	it"...

loc_ACCC5E:				; CODE XREF: VfTriageSystem+66j
					; VfTriageSystem+1A29Fj ...
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 0Ch

loc_ACCC6A:				; CODE XREF: VfTriageSystem+1A430j
		xor	eax, eax

loc_ACCC6C:				; CODE XREF: VfTriageSystem+1A47Cj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn			; char
; 

loc_ACCC71:				; CODE XREF: VfTriageSystem+32j
					; VfTriageSystem+3Aj
		push	offset ??_C@_0DB@IGBGODFP@CRASH?5TRIAGE?3?5driver?5verifier?5s@PBOPGDP@	; "CRASH TRIAGE: driver	verifier settings "...
		jmp	short loc_ACCC5E
VfTriageSystem	endp


;  S U B	R O U T	I N E 


ViInitSystemPhase1 proc	near		; CODE XREF: VerifierInitSystem+19p

; FUNCTION CHUNK AT 00AE709B SIZE 00000014 BYTES

		mov	edi, edi
		push	ecx
		cmp	_ViVerifierEnabled, 0
		jnz	loc_AE709B

loc_ACCC88:				; CODE XREF: ViInitSystemPhase1+1A432j
		push	0
		push	offset ViCreateProcessCallback
		call	_PsSetCreateProcessNotifyRoutine@8 ; PsSetCreateProcessNotifyRoutine(x,x)
		mov	eax, ds:_ViImageExecutionOptions
		xor	ecx, ecx
		inc	ecx
		mov	ds:_ViFaultsProcessNotifyRoutineSet, ecx
		cmp	eax, ecx
		jnz	short loc_ACCCAE
		mov	ecx, 0FFDF03A0h
		lock or	[ecx], eax

loc_ACCCAE:				; CODE XREF: ViInitSystemPhase1+2Cj
		pop	ecx
		retn
ViInitSystemPhase1 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

InitializeDynamicPartitioningPolicy proc near ;	CODE XREF: INIT:00ACD4EBp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE70AF SIZE 00000084 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		xor	eax, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		call	HviIsAnyHypervisorPresent
		test	al, al
		jnz	loc_AE70AF

locret_ACCCD6:				; CODE XREF: InitializeDynamicPartitioningPolicy+1A406j
					; InitializeDynamicPartitioningPolicy+1A442j ...
		leave
		retn
InitializeDynamicPartitioningPolicy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InbvDriverInitialize(x, x, x)
_InbvDriverInitialize@12 proc near	; CODE XREF: KiSystemStartup(x)+185p
					; Phase1InitializationDiscard(x)+29Cp ...

var_10		= dword	ptr -10h
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		mov	esi, [ebp+arg_4]
		mov	bl, 1
		mov	ecx, esi
		call	InbvDetermineFunction
		cmp	eax, 2
		jz	short loc_ACCD11
		mov	edx, [ebp+arg_0]
		mov	ecx, esi
		call	BgkInitialize
		test	eax, eax
		js	short loc_ACCD48
		mov	_BvgaDisplayState, 2
		push	4

loc_ACCD0B:				; CODE XREF: InbvDriverInitialize(x,x,x)+7Aj
		pop	ecx
		call	_InbvSetFunction@4 ; InbvSetFunction(x)

loc_ACCD11:				; CODE XREF: InbvDriverInitialize(x,x,x)+17j
		mov	eax, [esi+78h]
		test	eax, eax
		jz	short loc_ACCD31
		push	eax		; char *
		call	__strupr
		mov	[esp+10h+var_10], offset ??_C@_05NDBNEPKH@NOVGA@PBOPGDP@ ; "NOVGA"
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_ACCD3F

loc_ACCD31:				; CODE XREF: InbvDriverInitialize(x,x,x)+3Ej
		push	[ebp+arg_8]
		push	esi
		push	[ebp+arg_0]
		call	BvgaDriverInitialize
		mov	bl, al

loc_ACCD3F:				; CODE XREF: InbvDriverInitialize(x,x,x)+57j
		pop	esi
		mov	al, bl
		pop	ebx
		pop	ecx
		pop	ebp
		retn	0Ch
; 

loc_ACCD48:				; CODE XREF: InbvDriverInitialize(x,x,x)+25j
		xor	ebx, ebx
		mov	_BvgaDisplayState, ebx
		push	3
		jmp	short loc_ACCD0B
_InbvDriverInitialize@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BvgaDriverInitialize proc near		; CODE XREF: InbvDriverInitialize(x,x,x)+60p
					; DATA XREF: .data:006B2CACo

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00AE7133 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		xor	ecx, ecx
		cmp	_BvgaBootDriverFullyInitialized, 1
		push	ebx
		mov	byte ptr [ebp+var_4], cl
		jz	loc_ACCE19
		xor	ebx, ebx
		mov	_BootDriverLock, ecx
		inc	ebx
		cmp	[ebp+arg_0], ebx
		jz	loc_ACCE08
		mov	byte ptr [ebp+var_4], cl

loc_ACCD83:				; CODE XREF: BvgaDriverInitialize+BAj
					; BvgaDriverInitialize+1A40Ej ...
		push	[ebp+var_4]
		push	[ebp+arg_0]
		call	ds:__imp__VidInitialize@8 ; VidInitialize(x,x)
		mov	_BvgaBootDriverInstalled, al
		test	al, al
		jz	loc_ACCE1D
		cmp	[ebp+arg_0], ebx
		jz	short loc_ACCDAB

loc_ACCDA1:				; CODE XREF: BvgaDriverInitialize+B2j
		mov	al, _BvgaBootDriverInstalled

loc_ACCDA6:				; CODE XREF: BvgaDriverInitialize+C7j
					; BvgaDriverInitialize+CBj
		pop	ebx
		leave
		retn	0Ch
; 

loc_ACCDAB:				; CODE XREF: BvgaDriverInitialize+4Bj
		mov	eax, [ebp+arg_8]
		push	7
		pop	ecx
		mov	_BvgaBootDriverFullyInitialized, bl
		mov	_ResourceCount,	eax
		cmp	eax, ecx
		ja	loc_AE716F

loc_ACCDC4:				; CODE XREF: BvgaDriverInitialize+1A423j
		cmp	eax, ebx
		jb	short loc_ACCDE6

loc_ACCDC8:				; CODE XREF: BvgaDriverInitialize+90j
		lea	edx, ___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUrlUnkUlyquivUrDIGUrlkOlyq@io[ebx*4]
		mov	ecx, ebx
		call	_FindBitmapResource@8 ;	FindBitmapResource(x,x)
		mov	dword_6CD8DC[ebx*4], eax
		inc	ebx
		cmp	ebx, _ResourceCount
		jbe	short loc_ACCDC8

loc_ACCDE6:				; CODE XREF: BvgaDriverInitialize+72j
		call	_BvgaSaveResources@0 ; BvgaSaveResources()
		and	_BvgaProgressState, 0
		mov	dword_6CD914, 2710h
		mov	dword_6CD918, 64h
		jmp	short loc_ACCDA1
; 

loc_ACCE08:				; CODE XREF: BvgaDriverInitialize+26j
		cmp	_BvgaDisplayState, ecx
		jnz	loc_ACCD83
		jmp	loc_AE7133
; 

loc_ACCE19:				; CODE XREF: BvgaDriverInitialize+14j
		mov	al, 1
		jmp	short loc_ACCDA6
; 

loc_ACCE1D:				; CODE XREF: BvgaDriverInitialize+42j
		xor	al, al
		jmp	short loc_ACCDA6
BvgaDriverInitialize endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FindBitmapResource(x, x)
_FindBitmapResource@8 proc near		; CODE XREF: BvgaDriverInitialize+7Dp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	eax, eax
		mov	[ebp+var_10], 2
		push	edi
		mov	[ebp+var_14], eax
		mov	edi, 400000h
		mov	[ebp+var_18], eax
		mov	esi, edx
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	3
		lea	eax, [ebp+var_10]
		mov	[ebp+var_C], ecx
		push	eax
		push	edi
		call	_LdrFindResource_U@16 ;	LdrFindResource_U(x,x,x,x)
		test	eax, eax
		js	short loc_ACCE89
		push	esi
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_14]
		push	edi
		call	_LdrAccessResource@16 ;	LdrAccessResource(x,x,x,x)
		test	eax, eax
		js	short loc_ACCE89
		mov	eax, [ebp+var_18]

loc_ACCE7B:				; CODE XREF: FindBitmapResource(x,x)+69j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_ACCE89:				; CODE XREF: FindBitmapResource(x,x)+42j
					; FindBitmapResource(x,x)+54j
		xor	eax, eax
		jmp	short loc_ACCE7B
_FindBitmapResource@8 endp

; 
		align 2

; __stdcall BvgaSaveResources()
_BvgaSaveResources@0:			; CODE XREF: BvgaDriverInitialize:loc_ACCDE6p
		mov	edi, edi
		push	esi
		push	edi
		push	4
		pop	esi

loc_ACCE95:				; CODE XREF: INIT:00ACCEDAj
		cmp	dword_6CD8DC[esi], 0
		jz	short loc_ACCED4
		push	6D427642h
		push	___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUrlUnkUlyquivUrDIGUrlkOlyq@io[esi]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_ACCEDF
		push	___@@_PchSym_@00@KxulyqvxgPillgKxunrmpvimvoUmglhUrlUnkUlyquivUrDIGUrlkOlyq@io[esi]
		push	dword_6CD8DC[esi]
		push	edi
		call	_memcpy
		add	esp, 0Ch
		mov	dword_6CD8DC[esi], edi

loc_ACCED4:				; CODE XREF: INIT:00ACCE9Cj
		add	esi, 4
		cmp	esi, 1Ch
		jb	short loc_ACCE95
		pop	edi
		pop	esi
		retn
; 

loc_ACCEDF:				; CODE XREF: INIT:00ACCEB7j
		push	7Dh
		call	_KeBugCheck@4	; KeBugCheck(x)
; 
		dw 0CCCCh

;  S U B	R O U T	I N E 


; __stdcall ExpInitializeBootEnvironment(x)
_ExpInitializeBootEnvironment@4	proc near ; CODE XREF: INIT:00ACD684p
		test	byte ptr [ecx+94h], 1
		push	esi
		push	edi
		push	0
		pop	eax
		setnz	al
		mov	edi, offset _ExpBootEnvironmentInformation
		inc	eax
		mov	dword_6BBFD0, eax
		mov	esi, [ecx+84h]
		add	esi, 0C4h
		movsd
		movsd
		movsd
		movsd
		mov	ecx, [ecx+84h]
		pop	edi
		pop	esi
		mov	eax, [ecx+9D0h]
		mov	dword_6BBFD8, eax
		mov	eax, [ecx+9D4h]
		mov	dword_6BBFDC, eax
		retn
_ExpInitializeBootEnvironment@4	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

HeadlessInit	proc near		; CODE XREF: INIT:00ACD69Ep

var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= word ptr -0A8h
var_A6		= word ptr -0A6h
var_A4		= word ptr -0A4h
var_A2		= word ptr -0A2h
var_A0		= byte ptr -0A0h
var_9D		= byte ptr -9Dh
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE717C SIZE 0000029B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, ecx
		mov	[ebp+var_BC], eax
		push	ebx
		push	esi
		mov	eax, [eax+84h]
		push	edi
		mov	edx, [eax+20h]
		mov	[ebp+var_B8], edx
		test	edx, edx
		jnz	loc_AE717C

loc_ACCF69:				; CODE XREF: HeadlessInit+1A253j
					; HeadlessInit+1A26Ej ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
HeadlessInit	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BootApplicationPersistentDataInitialize	proc near ; CODE XREF: INIT:00ACD6A5p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7417 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	edx, offset dword_6FD470
		push	edi
		mov	dword_6FD474, edx
		mov	dword_6FD470, edx
		mov	edi, [ecx+84h]
		add	edi, 0B8h
		mov	ebx, [edi]
		cmp	ebx, edi
		jz	short loc_ACD022
		push	esi

loc_ACCFA4:				; CODE XREF: BootApplicationPersistentDataInitialize+A7j
		mov	eax, ebx
		mov	ebx, [ebx]
		mov	[ebp+var_4], eax
		cmp	dword ptr [eax+10h], 0
		jz	short loc_ACD01D
		push	64506142h
		push	14h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_ACD021
		mov	eax, [ebp+var_4]
		push	64506142h
		push	dword ptr [eax+10h]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_AE7417
		mov	eax, [ebp+var_4]
		mov	ecx, [eax+10h]
		mov	[esi+10h], ecx
		mov	[esi+8], edx
		push	dword ptr [eax+10h] ; size_t
		push	dword ptr [eax+8] ; void *
		push	edx		; void *
		call	_memcpy
		mov	eax, dword_6FD474
		mov	edx, offset dword_6FD470
		add	esp, 0Ch
		cmp	[eax], edx
		jnz	short loc_ACD026
		mov	[esi], edx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	dword_6FD474, esi

loc_ACD01D:				; CODE XREF: BootApplicationPersistentDataInitialize+37j
		cmp	ebx, edi
		jnz	short loc_ACCFA4

loc_ACD021:				; CODE XREF: BootApplicationPersistentDataInitialize+4Ej
					; BootApplicationPersistentDataInitialize+1A4A7j
		pop	esi

loc_ACD022:				; CODE XREF: BootApplicationPersistentDataInitialize+29j
		pop	edi
		pop	ebx
		leave
		retn
; 

loc_ACD026:				; CODE XREF: BootApplicationPersistentDataInitialize+96j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall ExInitializeHandleTablePackage()
_ExInitializeHandleTablePackage@0:	; CODE XREF: INIT:loc_ACD8B1p
		and	ds:_HandleTableListLock, 0
		mov	eax, offset _HandleTableListHead
		mov	ds:dword_A94E74, eax
		mov	ds:_HandleTableListHead, eax
		call	ds:__imp__HalQueryMaximumProcessorCount@0 ; HalQueryMaximumProcessorCount()
		mov	ds:_ExpFreeListCount, eax
		retn
BootApplicationPersistentDataInitialize	endp

; 

; __stdcall InitBootProcessor(x)
_InitBootProcessor@4:			; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+6ECp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 194h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+190h], eax
		or	ds:dword_717B74, 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		xor	ebx, ebx
		mov	ds:dword_717F84, 103h
		push	esi
		inc	eax
		mov	[esp+2Ch], ebx
		mov	esi, ecx
		mov	[esp+0Ch], ebx
		push	edi
		mov	[esp+34h], esi
		mov	[esp+14h], ebx
		mov	[esp+38h], ebx
		mov	[esp+3Ch], ebx
		mov	[esp+24h], ebx
		mov	[esp+18h], ebx
		mov	ds:dword_717F80, eax
		mov	ds:byte_717F61,	al
		mov	ds:dword_717F68, offset	_PspTimeZoneStateBuffer
		call	ExpValidateLoader
		mov	eax, [esi+84h]
		mov	ecx, offset _PspHostSiloGlobals
		mov	eax, [eax+0A74h]
		mov	ds:0FFDF02C4h, eax
		call	_ExpInitLicensing@4 ; ExpInitLicensing(x)
		call	_ExInitPoolLookasidePointers@0 ; ExInitPoolLookasidePointers()
		mov	edi, [esi+78h]
		mov	_InitializationPhase, ebx
		test	edi, edi
		jz	loc_ACD1AC
		push	edi
		call	__strupr
		mov	dword ptr [esp], offset	??_C@_07BFMFHDBI@PERFMEM@PBOPGDP@ ; "PERFMEM"
		push	edi
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_ACD153
		push	offset ??_C@_01NEMOKFLO@?$DN@PBOPGDP@
		push	eax
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_ACD153
		inc	eax
		push	eax
		call	_atol
		mov	edx, eax
		mov	eax, [esi+84h]
		shl	edx, 8
		pop	ecx
		cmp	[eax+0A50h], ebx
		jz	short loc_ACD13C
		mov	ds:_BBTPagesToReserve, edx
		jmp	short loc_ACD153
; 

loc_ACD13C:				; CODE XREF: INIT:00ACD132j
		test	edx, edx
		jz	short loc_ACD153
		push	offset _BBTMemoryDescriptor
		push	17h
		mov	ecx, esi
		call	_ExBurnMemory@16 ; ExBurnMemory(x,x,x,x)
		mov	ds:_BBTPagesToReserve, eax

loc_ACD153:				; CODE XREF: INIT:00ACD106j
					; INIT:00ACD117j ...
		push	(offset	??_C@_01NEMOKFLO@?$DN@PBOPGDP@+2)
		push	edi
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_ACD194
		push	offset ??_C@_01NEMOKFLO@?$DN@PBOPGDP@
		push	eax
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_ACD194
		inc	eax
		push	eax
		call	_atol
		shl	eax, 8
		pop	ecx
		test	eax, eax
		jz	short loc_ACD194
		push	offset _BurnMemoryDescriptor
		push	6
		mov	edx, eax
		mov	ecx, esi
		call	_ExBurnMemory@16 ; ExBurnMemory(x,x,x,x)

loc_ACD194:				; CODE XREF: INIT:00ACD162j
					; INIT:00ACD173j ...
		push	offset ??_C@_0BA@GMDJJHOP@FORCEGROUPAWARE@PBOPGDP@
		push	edi
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_ACD1AC
		mov	ds:_KeForceGroupAwareness, 1

loc_ACD1AC:				; CODE XREF: INIT:00ACD0E9j
					; INIT:00ACD1A3j
		lea	ecx, [esi+18h]
		mov	edi, [ecx]
		jmp	short loc_ACD20A
; 

loc_ACD1B3:				; CODE XREF: INIT:00ACD20Cj
		cmp	dword ptr [edi+8], 15h
		jnz	short loc_ACD1F7
		mov	ecx, [edi+10h]
		lea	eax, [esp+20h]
		and	dword ptr [esp+20h], 0
		mov	edx, 1000h
		push	eax
		call	_RtlSIZETMult@12 ; RtlSIZETMult(x,x,x)
		test	eax, eax
		js	loc_ACD94D
		mov	edx, [esp+20h]
		mov	ecx, ds:_InitNlsTableSize
		push	offset _InitNlsTableSize
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		test	eax, eax
		js	loc_ACD94D
		lea	ecx, [esi+18h]

loc_ACD1F7:				; CODE XREF: INIT:00ACD1B7j
		mov	eax, [edi+0Ch]
		mov	edx, [edi+10h]
		cmp	eax, ebx
		jb	loc_ACD951
		mov	edi, [edi]
		lea	ebx, [eax+edx]

loc_ACD20A:				; CODE XREF: INIT:00ACD1B1j
		cmp	edi, ecx
		jnz	short loc_ACD1B3
		mov	ecx, [esi+7Ch]
		xor	ebx, ebx
		test	ecx, ecx
		jnz	short loc_ACD235
		push	ecx
		mov	ds:_InitNlsTableBase, ebx
		xor	edx, edx
		mov	ds:_InitUnicodeCaseTableDataOffset, ebx
		mov	ds:_InitAnsiCodePageDataOffset,	ebx
		mov	ds:_InitOemCodePageDataOffset, ebx
		push	ebx
		jmp	short loc_ACD280
; 

loc_ACD235:				; CODE XREF: INIT:00ACD215j
		mov	eax, [ecx]
		test	eax, eax
		jz	short loc_ACD25C
		cmp	[ecx+4], ebx
		jz	short loc_ACD25C
		mov	ds:_InitNlsTableBase, eax
		mov	ds:_InitAnsiCodePageDataOffset,	ebx
		mov	eax, [ecx+4]
		sub	eax, [ecx]
		mov	ds:_InitOemCodePageDataOffset, eax
		mov	eax, [ecx+8]
		sub	eax, [ecx]
		jmp	short loc_ACD272
; 

loc_ACD25C:				; CODE XREF: INIT:00ACD239j
					; INIT:00ACD23Ej
		mov	eax, [ecx+8]
		mov	ds:_InitNlsTableBase, eax
		mov	eax, ebx
		mov	ds:_InitAnsiCodePageDataOffset,	ebx
		mov	ds:_InitOemCodePageDataOffset, ebx

loc_ACD272:				; CODE XREF: INIT:00ACD25Aj
		mov	ds:_InitUnicodeCaseTableDataOffset, eax
		mov	edx, [ecx+4]
		push	ecx
		push	dword ptr [ecx+8]
		mov	ecx, [ecx]

loc_ACD280:				; CODE XREF: INIT:00ACD233j
		call	RtlInitNlsTables
		call	RtlResetRtlTranslations
		mov	eax, [esi+84h]
		mov	eax, [eax+0AA0h]
		mov	_ExLeapSecondData, eax
		call	_WheaInitializeServices@0 ; WheaInitializeServices()
		push	_HalIommuDispatch
		call	off_6B13A0	; xHalIommuRegisterDispatchTable(x)
		push	esi
		push	_InitializationPhase
		rdtsc
		mov	ds:dword_B01688, eax
		mov	ds:dword_B0168C, edx
		call	ds:__imp__HalInitSystem@8 ; HalInitSystem(x,x)
		test	al, al
		jz	loc_ACD95C
		mov	ecx, _InitializationPhase
		rdtsc
		mov	ds:dword_B01694, edx
		mov	edx, esi
		mov	ds:dword_B01690, eax
		call	KeInitializeClock
		xor	ecx, ecx
		inc	ecx
		call	_PsInitializeQuotaSystem@4 ; PsInitializeQuotaSystem(x)
		mov	ecx, esi
		call	_CmInitSystem0@4 ; CmInitSystem0(x)
		mov	ecx, esi
		call	KvfInitFeatureStates
		call	_PoEnergyEstimationEnabled@0 ; PoEnergyEstimationEnabled()
		test	al, al
		jnz	short loc_ACD314
		mov	eax, ds:_KiProcessorBlock
		mov	eax, [eax+0Ch]
		lock btr dword ptr [eax], 15h

loc_ACD314:				; CODE XREF: INIT:00ACD305j
		xor	ecx, ecx
		call	_KeInitSystem@4	; KeInitSystem(x)
		test	al, al
		jnz	short loc_ACD32D
		push	ebx
		push	ebx
		push	0Bh
		push	0C0000001h
		jmp	loc_ACD955
; 

loc_ACD32D:				; CODE XREF: INIT:00ACD31Dj
		call	_ExComputeTickCountMultiplier@4	; ExComputeTickCountMultiplier(x)
		mov	_ExpTickCountMultiplier, eax
		mov	ds:0FFDF0004h, eax
		lea	eax, [esp+58h]
		mov	ds:0FFDF023Ch, ebx
		mov	ebx, 100h
		push	dword ptr [esi+70h]
		push	offset ??_C@_04IDIMJMIA@C?3?$CFs@PBOPGDP@
		push	ebx
		push	eax
		call	RtlStringCbPrintfA
		add	esp, 10h
		test	eax, eax
		jns	short loc_ACD36E
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx

loc_ACD366:				; CODE XREF: INIT:00ACD3C7j
		push	eax
		push	6Eh
		jmp	loc_ACD957
; 

loc_ACD36E:				; CODE XREF: INIT:00ACD35Fj
		lea	eax, [esp+58h]
		push	eax
		lea	eax, [esp+14h]
		push	eax
		call	_RtlInitString@8 ; RtlInitString(x,x)
		mov	ax, [esp+10h]
		mov	ecx, 0FFFFh
		add	ax, cx
		mov	[esp+10h], ax
		movzx	ecx, ax
		mov	eax, [esp+14h]
		mov	byte ptr [ecx+eax], 0
		call	_RtlGetHostNtSystemRoot@0 ; RtlGetHostNtSystemRoot()
		push	0
		lea	ecx, [esp+14h]
		mov	[esp+30h], eax
		push	ecx
		push	eax
		mov	dword ptr [eax+4], 0FFDF0030h
		mov	dword ptr [eax], 2080000h
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		jns	short loc_ACD3C9
		push	0
		push	0
		push	1
		jmp	short loc_ACD366
; 

loc_ACD3C9:				; CODE XREF: INIT:00ACD3BFj
		and	dword ptr [esp+54h], 0
		lea	eax, [esp+24h]
		and	dword ptr [esp+28h], 0
		xor	edi, edi
		push	eax
		push	3
		lea	eax, [esp+54h]
		mov	dword ptr [esp+54h], 0Bh
		push	eax
		push	400000h
		mov	dword ptr [esp+60h], 1
		mov	[esp+1Ch], edi
		call	_LdrFindResource_U@16 ;	LdrFindResource_U(x,x,x,x)
		test	eax, eax
		js	short loc_ACD42C
		lea	eax, [esp+0Ch]
		push	eax
		lea	eax, [esp+2Ch]
		push	eax
		push	dword ptr [esp+2Ch]
		push	400000h
		call	_LdrAccessResource@16 ;	LdrAccessResource(x,x,x,x)
		mov	edi, [esp+0Ch]
		test	eax, eax
		js	short loc_ACD42C
		mov	eax, [esp+28h]
		mov	ds:_KiBugCodeMessages, eax

loc_ACD42C:				; CODE XREF: INIT:00ACD401j
					; INIT:00ACD421j
		mov	eax, ds:_CmGlobalValidationRunlevel
		xor	edx, edx
		inc	edx
		xor	ecx, ecx
		and	ds:_CmNtGlobalFlag2, edx
		mov	ds:0FFDF0258h, eax
		mov	ds:0FFDF028Bh, dl
		mov	eax, _CmNtSpBuildNumber
		and	eax, 0FFFh
		mov	word ptr _CmNtCSDVersion+2, cx
		mov	_CmNtSpBuildNumber, eax
		cmp	_CmNtCSDReleaseType, ecx
		jz	short loc_ACD46E
		shl	eax, 10h
		or	_CmNtCSDVersion, eax

loc_ACD46E:				; CODE XREF: INIT:00ACD463j
		cmp	ds:_InitTickRolloverDelayLength, 4
		jnz	short loc_ACD480
		cmp	ds:_InitTickRolloverDelayType, 4
		jz	short loc_ACD486

loc_ACD480:				; CODE XREF: INIT:00ACD475j
		and	ds:_InitTickRolloverDelay, ecx

loc_ACD486:				; CODE XREF: INIT:00ACD47Ej
		mov	eax, ds:_InitTickRolloverDelay
		test	eax, eax
		jz	short loc_ACD4A9
		mov	ecx, 2710h
		neg	eax
		mul	ecx
		mov	cl, 1
		push	edx
		push	eax
		call	_KeAdjustInterruptTime@12 ; KeAdjustInterruptTime(x,x,x)
		call	_KeRebaselineSystemTime@0 ; KeRebaselineSystemTime()
		xor	edx, edx
		inc	edx

loc_ACD4A9:				; CODE XREF: INIT:00ACD48Dj
		mov	eax, ds:_CmNtGlobalFlag
		or	_NtGlobalFlag, eax
		mov	eax, ds:_CmNtGlobalFlag2
		or	_NtGlobalFlag2,	eax
		mov	ds:0FFDF03C0h, edx
		mov	ds:0FFDF03C4h, dl
		mov	ds:0FFDF036Ah, dx
		call	ExInitSystem
		test	al, al
		jz	loc_ACD94D
		call	_KeNumaInitialize@0 ; KeNumaInitialize()
		mov	ecx, esi
		call	VerifierInitSystem
		call	InitializeDynamicPartitioningPolicy
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	ds:dword_B01634, edx
		xor	ecx, ecx
		mov	edx, esi
		mov	ds:_EtwBootPerfData, eax
		call	MmInitSystem
		test	al, al
		jz	loc_ACD94D
		push	0
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		and	_KiHwPolicyDriverImageBase, 0
		push	esi
		push	0
		mov	ds:dword_B01638, eax
		mov	ds:dword_B0163C, edx
		call	ds:__imp__HalInitializeBios@8 ;	HalInitializeBios(x,x)
		push	0
		push	esi
		push	0
		call	_InbvDriverInitialize@12 ; InbvDriverInitialize(x,x,x)
		cmp	ds:_KiBugCodeMessages, 0
		jz	short loc_ACD582
		push	6342694Bh
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_ACD567
		push	7Dh
		jmp	loc_ACD95E
; 

loc_ACD567:				; CODE XREF: INIT:00ACD55Ej
		push	edi
		push	ds:_KiBugCodeMessages
		push	ebx
		call	_memcpy
		mov	ds:_KiBugCodeMessages, ebx
		add	esp, 0Ch
		mov	ebx, 100h

loc_ACD582:				; CODE XREF: INIT:00ACD548j
		cmp	dword ptr [esi+0Ch], 2
		jnb	short loc_ACD5A0
		xor	eax, eax
		push	eax
		push	eax
		push	2
		mov	_IopAutoReboot,	eax
		push	dword ptr [esi+0Ch]
		push	196h
		jmp	loc_ACD957
; 

loc_ACD5A0:				; CODE XREF: INIT:00ACD586j
		mov	edi, [esi+10h]
		lea	eax, [esi+10h]
		xor	ecx, ecx
		jmp	loc_ACD664
; 

loc_ACD5AD:				; CODE XREF: INIT:00ACD66Aj
		cmp	ecx, 3
		jb	loc_ACD661
		mov	edx, [edi+28h]
		push	5Ch
		pop	eax
		cmp	[edx], ax
		jnz	short loc_ACD5FB
		movzx	eax, word ptr [edi+24h]
		shr	eax, 1
		mov	[esp+1Ch], eax
		inc	eax
		cmp	eax, ebx
		ja	loc_ACD65E
		mov	esi, [esp+1Ch]
		xor	ecx, ecx

loc_ACD5DA:				; CODE XREF: INIT:00ACD5E6j
		mov	al, [edx]
		lea	edx, [edx+2]
		mov	[esp+ecx+58h], al
		inc	ecx
		cmp	ecx, esi
		jb	short loc_ACD5DA
		mov	esi, [esp+34h]
		cmp	ecx, ebx
		jnb	loc_ACD963
		mov	byte ptr [esp+ecx+58h],	0
		jmp	short loc_ACD63C
; 

loc_ACD5FB:				; CODE XREF: INIT:00ACD5BFj
		mov	eax, [esp+2Ch]
		lea	edx, [edi+2Ch]
		movzx	ecx, word ptr [edx]
		shr	ecx, 1
		movzx	eax, word ptr [eax]
		shr	eax, 1
		add	eax, 11h
		add	eax, ecx
		cmp	eax, ebx
		ja	short loc_ACD65A
		mov	eax, [esp+2Ch]
		push	edx
		mov	eax, [eax+4]
		add	eax, 4
		push	eax
		push	(offset	loc_ADC74D+5)
		lea	eax, [esp+64h]
		push	ebx
		push	eax
		call	RtlStringCbPrintfA
		add	esp, 14h
		test	eax, eax
		js	loc_ACD6EF

loc_ACD63C:				; CODE XREF: INIT:00ACD5F9j
		lea	eax, [esp+58h]
		push	eax
		lea	eax, [esp+3Ch]
		push	eax
		call	_RtlInitString@8 ; RtlInitString(x,x)
		push	0FFFFFFFFh
		push	dword ptr [edi+18h]
		lea	eax, [esp+40h]
		push	eax
		call	DbgLoadImageSymbols

loc_ACD65A:				; CODE XREF: INIT:00ACD613j
		mov	ecx, [esp+0Ch]

loc_ACD65E:				; CODE XREF: INIT:00ACD5CEj
		lea	eax, [esi+10h]

loc_ACD661:				; CODE XREF: INIT:00ACD5B0j
		mov	edi, [edi]
		inc	ecx

loc_ACD664:				; CODE XREF: INIT:00ACD5A8j
		mov	[esp+0Ch], ecx
		cmp	edi, eax
		jnz	loc_ACD5AD
		cmp	_KdBreakAfterSymbolLoad, 0
		jz	short loc_ACD682
		xor	eax, eax
		inc	eax
		push	eax
		call	_DbgBreakPointWithStatus@4 ; DbgBreakPointWithStatus(x)

loc_ACD682:				; CODE XREF: INIT:00ACD677j
		mov	ecx, esi
		call	_ExpInitializeBootEnvironment@4	; ExpInitializeBootEnvironment(x)
		call	HvlPhase1Initialize
		mov	eax, [esi+84h]
		cmp	dword ptr [eax], 0D30h
		jb	short loc_ACD6A3
		mov	ecx, esi
		call	HeadlessInit

loc_ACD6A3:				; CODE XREF: INIT:00ACD69Aj
		mov	ecx, esi
		call	BootApplicationPersistentDataInitialize
		mov	eax, ds:_MmHighestUserAddress
		mov	ds:0FFDF02B4h, eax
		mov	eax, ds:_MmSystemRangeStart
		mov	ds:0FFDF02B8h, eax
		cmp	_CmNtCSDVersion, 0
		jz	loc_ACD7B2
		lea	eax, [esp+30h]
		push	eax
		push	40000087h
		push	0
		push	0Bh
		push	400000h
		call	_RtlFindMessage@20 ; RtlFindMessage(x,x,x,x,x)
		test	eax, eax
		jns	short loc_ACD6FB
		push	0
		push	0
		push	4
		jmp	short loc_ACD6F5
; 

loc_ACD6EF:				; CODE XREF: INIT:00ACD636j
		push	0
		push	0
		push	3

loc_ACD6F5:				; CODE XREF: INIT:00ACD6EDj
					; INIT:00ACD752j ...
		push	eax
		jmp	loc_ACD955
; 

loc_ACD6FB:				; CODE XREF: INIT:00ACD6E5j
		mov	eax, [esp+30h]
		add	eax, 4
		push	eax
		lea	eax, [esp+14h]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		movzx	ecx, byte ptr _CmNtCSDVersion
		mov	eax, 0FFFEh
		add	[esp+10h], ax
		lea	eax, [ecx+40h]
		neg	ecx
		sbb	ecx, ecx
		and	ecx, eax
		movzx	eax, byte ptr _CmNtCSDVersion+1
		push	ecx
		push	eax
		lea	eax, [esp+18h]
		push	eax
		push	offset ??_C@_07IONELDNO@?$CFZ?5?$CFu?$CFc@PBOPGDP@
		lea	eax, [esp+68h]
		push	ebx
		push	eax
		call	RtlStringCbPrintfA
		add	esp, 18h
		test	eax, eax
		jns	short loc_ACD754
		push	0
		push	0
		push	5
		jmp	short loc_ACD6F5
; 

loc_ACD754:				; CODE XREF: INIT:00ACD74Aj
		xor	ebx, ebx
		test	_CmNtCSDVersion, 0FFFF0000h
		jz	short loc_ACD7DF
		push	ecx
		lea	eax, [esp+1Ch]
		mov	[esp+20h], ebx
		push	eax
		lea	eax, [esp+24h]
		push	eax
		push	ecx
		lea	ecx, [esp+68h]
		call	_RtlStringCbCatExA@24 ;	RtlStringCbCatExA(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_ACD788
		push	ebx
		push	ebx
		push	6
		jmp	loc_ACD6F5
; 

loc_ACD788:				; CODE XREF: INIT:00ACD77Dj
		movzx	eax, word ptr _CmNtCSDVersion+2
		push	eax
		push	offset ??_C@_04GDGMMMDI@v?4?$CFu@PBOPGDP@
		push	dword ptr [esp+20h]
		push	dword ptr [esp+28h]
		call	RtlStringCbPrintfA
		add	esp, 10h
		test	eax, eax
		jns	short loc_ACD7DF
		push	ebx
		push	ebx
		push	7
		jmp	loc_ACD6F5
; 

loc_ACD7B2:				; CODE XREF: INIT:00ACD6C5j
		push	ecx
		lea	eax, [esp+1Ch]
		push	eax
		push	ecx
		push	ecx
		lea	ecx, [esp+68h]
		call	_RtlStringCbCopyExA@24 ; RtlStringCbCopyExA(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_ACD7D2
		push	0
		push	0
		push	8
		jmp	loc_ACD6F5
; 

loc_ACD7D2:				; CODE XREF: INIT:00ACD7C5j
		sub	ebx, [esp+18h]
		mov	word ptr _CmCSDVersionString+2,	bx
		xor	ebx, ebx

loc_ACD7DF:				; CODE XREF: INIT:00ACD760j
					; INIT:00ACD7A7j
		lea	eax, [esp+58h]
		push	eax
		lea	eax, [esp+14h]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		xor	eax, eax
		inc	eax
		push	eax
		lea	eax, [esp+14h]
		push	eax
		push	offset _CmCSDVersionString
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		jns	short loc_ACD80E
		push	ebx
		push	ebx
		push	9
		jmp	loc_ACD6F5
; 

loc_ACD80E:				; CODE XREF: INIT:00ACD803j
		push	3
		push	6
		push	offset ??_C@_05EENHEND@?$CFu?4?$CFu@PBOPGDP@
		lea	eax, [esp+164h]
		push	40h
		push	eax
		call	RtlStringCbPrintfA
		add	esp, 14h
		test	eax, eax
		jns	short loc_ACD836
		push	ebx
		push	ebx
		push	0Ah
		jmp	loc_ACD6F5
; 

loc_ACD836:				; CODE XREF: INIT:00ACD82Bj
		lea	eax, [esp+158h]
		push	eax
		push	offset _CmVersionString
		call	_RtlCreateUnicodeStringFromAsciiz@8 ; RtlCreateUnicodeStringFromAsciiz(x,x)
		test	al, al
		jz	loc_ACD94D
		test	_NtGlobalFlag, 2000h
		jz	short loc_ACD8A0
		push	63617453h
		push	800000h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_ACD8A0
		mov	eax, 800000h
		mov	[esp+40h], edi
		mov	[esp+44h], eax
		mov	[esp+48h], eax
		lea	eax, [esp+40h]
		push	eax
		call	_RtlControlStackTraceDataBase@12 ; RtlControlStackTraceDataBase(x,x,x)
		test	eax, eax
		jns	short loc_ACD8A0
		push	63617453h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_ACD8A0:				; CODE XREF: INIT:00ACD85Aj
					; INIT:00ACD874j ...
		test	_NtGlobalFlag, 800000h
		jz	short loc_ACD8B1
		call	_RtlInitializeExceptionLog@4 ; RtlInitializeExceptionLog(x)

loc_ACD8B1:				; CODE XREF: INIT:00ACD8AAj
		call	_ExInitializeHandleTablePackage@0 ; ExInitializeHandleTablePackage()
		call	ObInitSystem
		test	al, al
		jnz	short loc_ACD8C6
		push	5Eh
		jmp	loc_ACD95E
; 

loc_ACD8C6:				; CODE XREF: INIT:00ACD8BDj
		call	SeInitSystem
		test	al, al
		jnz	short loc_ACD8D6
		push	5Fh
		jmp	loc_ACD95E
; 

loc_ACD8D6:				; CODE XREF: INIT:00ACD8CDj
		mov	edx, esi
		xor	ecx, ecx
		call	PsInitSystem
		test	al, al
		jz	short loc_ACD949
		call	DbgkInitialize
		test	eax, eax
		js	short loc_ACD949
		call	PpInitSystem
		test	al, al
		jnz	short loc_ACD8FC
		push	8Fh
		jmp	short loc_ACD95E
; 

loc_ACD8FC:				; CODE XREF: INIT:00ACD8F3j
		mov	ecx, [esp+19Ch]
		mov	dword ptr ds:0FFDF026Ch, 0Ah
		mov	ds:0FFDF0270h, ebx
		mov	dword ptr ds:0FFDF0260h, 4A61h
		mov	ax, ds:_KeProcessorArchitecture
		mov	ds:0FFDF026Ah, ax
		xor	eax, eax
		pop	edi
		mov	dword ptr ds:0FFDF002Ch, 14C014Ch
		pop	esi
		mov	ds:0FFDF03A4h, ebx
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_ACD949:				; CODE XREF: INIT:00ACD8E1j
					; INIT:00ACD8EAj
		push	60h
		jmp	short loc_ACD95E
; 

loc_ACD94D:				; CODE XREF: INIT:00ACD1D2j
					; INIT:00ACD1EEj ...
		push	31h
		jmp	short loc_ACD95E
; 

loc_ACD951:				; CODE XREF: INIT:00ACD1FFj
		push	ebx
		push	edx
		push	eax
		push	edi

loc_ACD955:				; CODE XREF: INIT:00ACD328j
					; INIT:00ACD6F6j
		push	31h

loc_ACD957:				; CODE XREF: INIT:00ACD369j
					; INIT:00ACD59Bj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_ACD95C:				; CODE XREF: INIT:00ACD2C8j
		push	5Ch

loc_ACD95E:				; CODE XREF: INIT:00ACD562j
					; INIT:00ACD8C1j ...
		call	_KeBugCheck@4	; KeBugCheck(x)

loc_ACD963:				; CODE XREF: INIT:00ACD5EEj
		call	___report_rangecheckfailure
; 
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 


PpInitSystem	proc near		; CODE XREF: Phase1InitializationDiscard(x)+C4Ap
					; INIT:00ACD8ECp

; FUNCTION CHUNK AT 00AE7424 SIZE 00000015 BYTES

		mov	edi, edi
		push	ecx
		mov	ecx, _InitializationPhase
		xor	edx, edx
		mov	eax, ecx
		sub	eax, edx
		jz	short loc_ACD988
		sub	eax, 1
		jnz	loc_AE7424

loc_ACD984:				; CODE XREF: PpInitSystem+2Dj
		mov	al, 1
		pop	ecx
		retn
; 

loc_ACD988:				; CODE XREF: PpInitSystem+Fj
		push	offset _PnpRegistryDeviceResource
		call	ExInitializeResourceLite
		call	_PnpInitializeDeviceReferenceTable@0 ; PnpInitializeDeviceReferenceTable()
		jmp	short loc_ACD984
PpInitSystem	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnpInitializeDeviceReferenceTable()
_PnpInitializeDeviceReferenceTable@0 proc near ; CODE XREF: PpInitSystem+28p
		mov	edi, edi
		push	esi
		xor	esi, esi
		xor	eax, eax
		inc	eax
		mov	dword_6CC984, esi
		push	esi
		push	eax
		push	offset unk_6CC98C
		mov	_PnpDeviceReferenceTableLock, eax
		mov	dword_6CC988, esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	esi		; int
		push	offset _CMFFreeFn@8 ; int
		push	offset _PnpAllocateGenericTableEntry@8 ; int
		push	offset _PnpCompareInstancePath@12 ; int
		push	offset _PnpDeviceReferenceTable	; void *
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		pop	esi
		retn
_PnpInitializeDeviceReferenceTable@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


DbgkInitialize	proc near		; CODE XREF: Phase1InitializationDiscard(x):loc_AC0BCAp
					; INIT:00ACD8E3p
		mov	edi, edi
		push	ecx
		mov	ecx, _InitializationPhase
		xor	edx, edx
		mov	eax, ecx
		sub	eax, edx
		jz	short loc_ACD9FD
		sub	eax, 1
		jnz	loc_AE694E
		call	_DbgkpInitializePhase1@0 ; DbgkpInitializePhase1()
		pop	ecx
		retn
; 

loc_ACD9FD:				; CODE XREF: DbgkInitialize+Fj
		call	_DbgkpInitializePhase0@0 ; DbgkpInitializePhase0()
		pop	ecx
		retn
DbgkInitialize	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall DbgkpInitializePhase0()
_DbgkpInitializePhase0@0 proc near	; CODE XREF: DbgkInitialize:loc_ACD9FDp

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		push	esi
		push	edi
		push	16h
		pop	eax
		push	18h
		mov	word ptr [ebp+var_8], ax
		xor	esi, esi
		pop	eax
		push	58h
		pop	edi
		push	edi		; size_t
		mov	word ptr [ebp+var_8+2],	ax
		lea	eax, [ebp+var_60]
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_4], offset ??_C@_1BI@PBOLNAPE@?$AAD?$AAe?$AAb?$AAu?$AAg?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt@PBOPGDP@
		call	_memset
		add	esp, 0Ch
		mov	dword_6CDC64, esi
		xor	eax, eax
		mov	dword_6CDC68, esi
		inc	eax
		mov	_DbgkpProcessDebugPortMutex, eax
		push	esi
		push	eax
		push	offset unk_6CDC6C
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	ecx, ecx
		call	_DbgkpGetServerSiloState@4 ; DbgkpGetServerSiloState(x)
		mov	ecx, eax
		call	_DbgkpInitializePhase0SiloState@4 ; DbgkpInitializePhase0SiloState(x)
		test	eax, eax
		js	loc_ACDAF4
		or	byte ptr [ebp+var_60+2], 8
		mov	eax, 1F000Fh
		push	offset _DbgkDebugObjectType
		mov	[ebp+var_44], eax
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_60]
		push	esi
		push	eax
		lea	eax, [ebp+var_8]
		mov	word ptr [ebp+var_60], di
		push	eax
		mov	[ebp+var_58], esi
		mov	[ebp+var_3C], 200h
		mov	[ebp+var_24], offset _PopPdcCallback@4 ; PopPdcCallback(x)
		mov	[ebp+var_28], offset _DbgkpCloseObject@16 ; DbgkpCloseObject(x,x,x,x)
		mov	[ebp+var_54], 20001h
		mov	[ebp+var_50], 20002h
		mov	[ebp+var_4C], 120000h
		mov	[ebp+var_38], esi
		mov	[ebp+var_34], esi
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	short loc_ACDAF2
		cmp	ds:_DbgkpMaxModuleMsgs,	esi
		jnz	short loc_ACDADD
		mov	ds:_DbgkpMaxModuleMsgs,	1F4h

loc_ACDADD:				; CODE XREF: DbgkpInitializePhase0()+CDj
		push	8
		mov	ecx, offset unk_6D6C80
		pop	eax

loc_ACDAE5:				; CODE XREF: DbgkpInitializePhase0()+ECj
		call	_CmSiRWLockInitialize@4	; CmSiRWLockInitialize(x)
		add	ecx, 8
		sub	eax, 1
		jnz	short loc_ACDAE5

loc_ACDAF2:				; CODE XREF: DbgkpInitializePhase0()+C5j
		mov	eax, edx

loc_ACDAF4:				; CODE XREF: DbgkpInitializePhase0()+62j
		pop	edi
		pop	esi
		leave
		retn
_DbgkpInitializePhase0@0 endp


;  S U B	R O U T	I N E 


; __stdcall PspInitializeCallbacks()
_PspInitializeCallbacks@0 proc near	; CODE XREF: PspInitPhase0:loc_AC2056p
		push	40h
		pop	eax
		mov	ecx, offset _PspCreateThreadNotifyRoutine
		mov	edx, eax

loc_ACDB02:				; CODE XREF: PspInitializeCallbacks()+15j
		call	_CmSiRWLockInitialize@4	; CmSiRWLockInitialize(x)
		add	ecx, 4
		sub	edx, 1
		jnz	short loc_ACDB02
		mov	ecx, offset _PspCreateProcessNotifyRoutine
		mov	edx, eax

loc_ACDB16:				; CODE XREF: PspInitializeCallbacks()+29j
		call	_CmSiRWLockInitialize@4	; CmSiRWLockInitialize(x)
		add	ecx, 4
		sub	edx, 1
		jnz	short loc_ACDB16
		mov	ecx, offset _PspLoadImageNotifyRoutine

loc_ACDB28:				; CODE XREF: PspInitializeCallbacks()+3Bj
		call	_CmSiRWLockInitialize@4	; CmSiRWLockInitialize(x)
		add	ecx, 4
		sub	eax, 1
		jnz	short loc_ACDB28
		retn
_PspInitializeCallbacks@0 endp


;  S U B	R O U T	I N E 


; __stdcall DbgkpInitializePhase1()
_DbgkpInitializePhase1@0 proc near	; CODE XREF: DbgkInitialize+1Ap
		mov	edi, edi
		push	ecx
		xor	ecx, ecx
		call	_DbgkpGetServerSiloState@4 ; DbgkpGetServerSiloState(x)
		mov	ecx, eax
		call	_DbgkpInitializePhase1SiloState@4 ; DbgkpInitializePhase1SiloState(x)
		test	eax, eax
		js	short loc_ACDB79
		cmp	_DbgkpWerInitialized, 0
		jnz	short loc_ACDB79
		mov	_DbgkpBusy, 0
		mov	_DbgkpWerDefaultPolicy,	2
		mov	_DbgkpWerDeferredWriteTimeoutSeconds, 258h
		mov	_DbgkpWerInitialized, 1

loc_ACDB79:				; CODE XREF: DbgkpInitializePhase1()+13j
					; DbgkpInitializePhase1()+1Cj
		pop	ecx
		retn
_DbgkpInitializePhase1@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspInitPhase2(x)
_PspInitPhase2@4 proc near		; CODE XREF: PsInitSystem+1Cp

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	esi
		push	edi
		xor	edi, edi
		xor	edx, edx
		push	edi
		mov	ecx, offset dword_6B1F50
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		mov	esi, ds:_PsInitialSystemProcess
		call	RtlGetSystemTimePrecise
		mov	[esi+100h], eax
		mov	[esi+104h], edx
		call	KeQueryInterruptTime
		mov	ecx, ds:_PsInitialSystemProcess
		mov	[ecx+3F0h], eax
		mov	[ecx+3F4h], edx
		mov	cl, 1
		call	KiQueryUnbiasedInterruptTime
		mov	ecx, ds:_PsInitialSystemProcess
		mov	[ecx+3F8h], eax
		mov	[ecx+3FCh], edx
		mov	ecx, ds:_PsInitialSystemProcess
		mov	edx, ds:_PsIdleProcess
		mov	eax, [ecx+100h]
		mov	[edx+100h], eax
		mov	eax, [ecx+104h]
		mov	[edx+104h], eax
		mov	ecx, ds:_PsInitialSystemProcess
		mov	eax, [ecx+3F0h]
		mov	[edx+3F0h], eax
		mov	eax, [ecx+3F4h]
		mov	[edx+3F4h], eax
		mov	ecx, ds:_PsInitialSystemProcess
		mov	eax, [ecx+3F8h]
		mov	[edx+3F8h], eax
		mov	eax, [ecx+3FCh]
		mov	[edx+3FCh], eax
		call	RtlGetSystemTimePrecise
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlRandom@4	; RtlRandom(x)
		mov	ds:dword_A9451C, eax
		lea	eax, [ebp+var_8]
		push	eax
		mov	ds:_PspWorkOnBehalfEncodingKey,	edi
		call	_RtlRandom@4	; RtlRandom(x)
		or	ds:_PspWorkOnBehalfEncodingKey,	eax
		mov	eax, ds:_PspSehValidationPolicy
		or	ds:dword_A9451C, edi
		sub	eax, edi
		jz	short loc_ACDCC0
		dec	eax
		sub	eax, 1
		mov	al, ds:0FFDF02D5h
		jnz	short loc_ACDCBA
		and	al, 0FBh
		or	al, 8

loc_ACDC81:				; CODE XREF: PspInitPhase2(x)+142j
					; PspInitPhase2(x)+14Bj
		mov	ds:0FFDF02D5h, al
		mov	ecx, ds:_PspCurDirDevicesSkippedForDlls
		cmp	ecx, 1
		jz	short loc_ACDCD3
		cmp	ecx, 2
		jz	short loc_ACDCCD
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_ACDCC9
		and	al, 0CFh

loc_ACDC9D:				; CODE XREF: PspInitPhase2(x)+14Fj
					; PspInitPhase2(x)+155j ...
		mov	ds:0FFDF02D5h, al
		call	PspInitializeSystemDlls
		mov	ecx, offset _PspHostSiloGlobals
		call	PspInitializeProtectedProcessParameters
		test	eax, eax
		pop	edi
		setns	al
		pop	esi
		leave
		retn
; 

loc_ACDCBA:				; CODE XREF: PspInitPhase2(x)+FFj
		and	al, 0F7h
		or	al, 4
		jmp	short loc_ACDC81
; 

loc_ACDCC0:				; CODE XREF: PspInitPhase2(x)+F4j
		mov	al, ds:0FFDF02D5h
		and	al, 0F3h
		jmp	short loc_ACDC81
; 

loc_ACDCC9:				; CODE XREF: PspInitPhase2(x)+11Dj
		or	al, 30h
		jmp	short loc_ACDC9D
; 

loc_ACDCCD:				; CODE XREF: PspInitPhase2(x)+118j
		and	al, 0EFh
		or	al, 20h
		jmp	short loc_ACDC9D
; 

loc_ACDCD3:				; CODE XREF: PspInitPhase2(x)+113j
		and	al, 0DFh
		or	al, 10h
		jmp	short loc_ACDC9D
_PspInitPhase2@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspInitializeSystemDlls	proc near	; CODE XREF: PspInitPhase2(x)+126p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7439 SIZE 00000065 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		xor	esi, esi

loc_ACDCEA:				; CODE XREF: PspInitializeSystemDlls+21j
		mov	ecx, esi
		call	_PsQuerySystemDllInfo@4	; PsQuerySystemDllInfo(x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_ACDD02

loc_ACDCF7:				; CODE XREF: PspInitializeSystemDlls+6Ej
					; PspInitializeSystemDlls+99j
		inc	esi
		cmp	esi, 6
		jl	short loc_ACDCEA
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_ACDD02:				; CODE XREF: PspInitializeSystemDlls+1Bj
		mov	eax, ds:_NtdllExportInformation[esi*8]
		xor	edi, edi
		mov	[ebp+var_8], eax
		cmp	ds:dword_AF6BA4[esi*8],	edi
		jbe	short loc_ACDD46

loc_ACDD17:				; CODE XREF: PspInitializeSystemDlls+6Aj
		mov	edx, [eax+edi*8]
		lea	ecx, [ebp+var_4]
		push	ecx
		mov	ecx, ebx
		call	_PspLookupEntryPoint@12	; PspLookupEntryPoint(x,x,x)
		test	eax, eax
		js	loc_AE7431
		mov	ecx, [ebp+var_8]
		mov	eax, [ebp+var_4]
		mov	ecx, [ecx+edi*8+4]
		inc	edi
		mov	[ecx], eax
		mov	eax, [ebp+var_8]
		cmp	edi, ds:dword_AF6BA4[esi*8]
		jb	short loc_ACDD17

loc_ACDD46:				; CODE XREF: PspInitializeSystemDlls+3Bj
		test	esi, esi
		jnz	short loc_ACDCF7
		push	offset _KeI386FastSystemCallReturn
		mov	edx, offset ??_C@_0BE@FEPJFGML@KiFastSystemCallRet@PBOPGDP@ ; "KiFastSystemCallRet"
		mov	ecx, ebx
		call	_PspLookupEntryPoint@12	; PspLookupEntryPoint(x,x,x)
		test	eax, eax
		js	loc_AE7439
		mov	dword ptr ds:0FFDF02F8h, 0C3h
		and	ds:0FFDF02FCh, esi
		jmp	short loc_ACDCF7
PspInitializeSystemDlls	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspLookupEntryPoint(x, x, x)
_PspLookupEntryPoint@12	proc near	; CODE XREF: PspInitializeSystemDlls+46p
					; PspInitializeSystemDlls+7Cp

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		push	edx
		push	dword ptr [esi+10h]
		call	_RtlFindExportedRoutineByName@8	; RtlFindExportedRoutineByName(x,x)
		mov	edx, [ebp+arg_0]
		mov	ecx, eax
		mov	[edx], ecx
		test	ecx, ecx
		jz	short loc_ACDDA3
		mov	eax, [esi+0Ch]
		sub	eax, [esi+10h]
		add	eax, ecx
		mov	[edx], eax
		xor	eax, eax

loc_ACDD9E:				; CODE XREF: PspLookupEntryPoint(x,x,x)+32j
		pop	esi
		pop	ebp
		retn	4
; 

loc_ACDDA3:				; CODE XREF: PspLookupEntryPoint(x,x,x)+1Aj
		mov	eax, 0C000007Ah
		jmp	short loc_ACDD9E
_PspLookupEntryPoint@12	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PsInitSystem	proc near		; CODE XREF: INIT:00ABFCF7p
					; Phase1InitializationDiscard(x)+88Cp ...
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		xor	eax, eax
		sub	ecx, eax
		jz	short loc_ACDDD6
		sub	ecx, 1
		jz	short loc_ACDDCF
		sub	ecx, 1
		jnz	loc_AE7448
		call	_PspInitPhase2@4 ; PspInitPhase2(x)

loc_ACDDCB:				; CODE XREF: PsInitSystem+2Aj
					; PsInitSystem+33j
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_ACDDCF:				; CODE XREF: PsInitSystem+11j
		call	_PspInitPhase1@0 ; PspInitPhase1()
		jmp	short loc_ACDDCB
; 

loc_ACDDD6:				; CODE XREF: PsInitSystem+Cj
		mov	ecx, edx
		call	PspInitPhase0
		jmp	short loc_ACDDCB
PsInitSystem	endp

; 
		align 10h

;  S U B	R O U T	I N E 


SeInitSystem	proc near		; CODE XREF: Phase1InitializationDiscard(x)+875p
					; INIT:loc_ACD8C6p
		mov	edi, edi
		push	ecx
		mov	ecx, _InitializationPhase
		xor	edx, edx
		mov	eax, ecx
		sub	eax, edx
		jz	short loc_ACDE01
		sub	eax, 1
		jnz	loc_AE745A
		call	_SepInitializationPhase1@0 ; SepInitializationPhase1()
		pop	ecx
		retn
; 

loc_ACDE01:				; CODE XREF: SeInitSystem+Fj
		call	_SepInitializationPhase0@0 ; SepInitializationPhase0()
		pop	ecx
		retn
SeInitSystem	endp


;  S U B	R O U T	I N E 


; __stdcall SepInitializationPhase0()
_SepInitializationPhase0@0 proc	near	; CODE XREF: SeInitSystem:loc_ACDE01p
		mov	edi, edi
		push	esi
		call	_SepVariableInitialization@0 ; SepVariableInitialization()
		test	al, al
		jz	loc_ACDEB9
		call	_SepRmDbInitialization@0 ; SepRmDbInitialization()
		test	al, al
		jz	loc_ACDEB9
		call	_SepTokenInitialization@0 ; SepTokenInitialization()
		test	al, al
		jz	loc_ACDEB9
		call	_SepInitializeWorkList@0 ; SepInitializeWorkList()
		test	al, al
		jz	short loc_ACDEB9
		mov	eax, large fs:124h
		push	0FFFFFFF7h
		pop	ecx
		and	dword ptr [eax+2C8h], 0
		mov	eax, large fs:124h
		add	eax, 2FCh
		lock and [eax],	ecx
		mov	eax, large fs:124h
		xor	edx, edx
		mov	ecx, [eax+80h]
		add	ecx, 12Ch
		call	@ObInitializeFastReference@8 ; ObInitializeFastReference(x,x)
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		call	SeMakeSystemToken
		lea	ecx, [esi+12Ch]
		mov	edx, eax
		call	@ObInitializeFastReference@8 ; ObInitializeFastReference(x,x)
		mov	eax, _SeMediumMandatorySid
		and	_SepMandatoryObjectTypePolicyLock, 0
		mov	_SepDefaultMandatorySid, eax
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		cmp	dword ptr [eax+12Ch], 0
		setnz	al
		pop	esi
		retn
; 

loc_ACDEB9:				; CODE XREF: SepInitializationPhase0()+Aj
					; SepInitializationPhase0()+17j ...
		xor	al, al
		pop	esi
		retn
_SepInitializationPhase0@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


SepInitializeSingletonAttributesStructures proc	near
					; CODE XREF: SepInitializationPhase1()+1FFp
		mov	eax, _SepSingletonGlobal
		push	esi
		xor	esi, esi
		mov	[eax], esi
		mov	[eax+4], esi
		mov	[eax+8], esi
		mov	[eax+0Ch], esi
		mov	eax, ds:_SeLuidToIndexMapping
		mov	[eax], esi
		mov	[eax+4], esi
		mov	eax, _SepTokenSingletonAttributesConfig
		and	eax, 3
		cmp	al, 3
		jnz	loc_ACDF8C
		push	ebx
		push	edi
		mov	ebx, 74446553h
		push	ebx
		push	8
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AE747D
		push	ebx
		push	600h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE7471
		push	600h		; size_t
		push	esi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		push	74446553h
		push	4
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, _SepSingletonGlobal
		mov	[ecx+8], eax
		test	eax, eax
		jz	loc_AE7466
		mov	[eax], ebx
		mov	edx, 80h
		inc	dword ptr [ecx+4]
		mov	ecx, ds:_SeLuidToIndexMapping
		push	esi
		push	esi
		lea	ecx, [ecx+4]
		call	RtlpCreateHashTable
		test	al, al
		jz	loc_AE7466
		mov	eax, ds:_SeLuidToIndexMapping
		add	eax, 8
		push	eax
		mov	dword ptr [eax], 40h
		mov	[eax+4], edi
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)

loc_ACDF8A:				; CODE XREF: PspInitializeSystemDlls+197B2j
					; PspInitializeSystemDlls+197BFj
		pop	edi
		pop	ebx

loc_ACDF8C:				; CODE XREF: SepInitializeSingletonAttributesStructures+27j
		mov	eax, esi
		pop	esi
		retn
SepInitializeSingletonAttributesStructures endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpInitializePcw()
_ExpInitializePcw@0 proc near		; CODE XREF: ExpInitSystemPhase1+159p

var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_C], 0
		xor	eax, eax
		and	[ebp+var_4], 0
		xor	ecx, ecx
		push	5
		mov	[ebp+var_12], ax
		inc	ecx
		pop	eax
		mov	[ebp+var_14], ax
		lea	eax, [ebp+var_18]
		mov	word ptr [ebp+var_18], cx
		mov	word ptr [ebp+var_18+2], cx
		mov	[ebp+var_10], ecx
		mov	ecx, offset _ExpPcwExtensionHost
		push	eax
		mov	[ebp+var_8], offset ExpPcwHostCallback
		call	ExRegisterHost
		test	eax, eax
		js	short loc_ACDFD6
		leave
		retn
; 

loc_ACDFD6:				; CODE XREF: ExpInitializePcw()+42j
		and	ds:_ExpPcwExtensionHost, 0
		leave
		retn
_ExpInitializePcw@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VmInitSystem(x)
_VmInitSystem@4	proc near		; CODE XREF: INIT:00ABFC7Ap
					; Phase1InitializationDiscard(x)+B35p

var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		test	ecx, ecx
		jnz	short loc_ACE052
		xor	eax, eax
		mov	[ebp+var_C], (offset loc_403737+1)
		mov	[ebp+var_12], ax
		xor	esi, esi
		push	8
		pop	eax
		mov	word ptr [ebp+var_18], ax
		mov	edi, 200h
		push	11h
		pop	eax
		mov	word ptr [ebp+var_18+2], ax
		mov	ecx, offset _VmpExtensionHost
		xor	eax, eax
		mov	[ebp+var_8], esi
		inc	eax
		mov	[ebp+var_4], esi
		mov	[ebp+var_14], ax
		lea	eax, [ebp+var_18]
		push	eax
		mov	[ebp+var_10], edi
		call	ExRegisterHost
		test	eax, eax
		js	short loc_ACE04E
		push	esi
		push	esi
		push	624C6D56h
		push	6010h
		push	esi
		push	edi
		push	esi
		push	esi
		push	offset _VmpLargeFaultBatchLookasideList
		call	ExInitializeLookasideListExInternal

loc_ACE04C:				; CODE XREF: VmInitSystem(x)+75j
					; VmInitSystem(x)+8Dj
		xor	eax, eax

loc_ACE04E:				; CODE XREF: VmInitSystem(x)+50j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_ACE052:				; CODE XREF: VmInitSystem(x)+Cj
		cmp	ecx, 2
		jnz	short loc_ACE04C
		mov	esi, offset unk_705F38
		xor	edx, edx
		push	0
		mov	ecx, esi
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		mov	_VmpTraceLoggingProvider, esi
		jmp	short loc_ACE04C
_VmInitSystem@4	endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PspInitPhase1()
_PspInitPhase1@0 proc near		; CODE XREF: PsInitSystem:loc_ACDDCFp
		mov	edi, edi
		push	ecx
		push	offset _PspSystemPartitionHandle
		push	0
		push	0
		push	1F0003h
		push	0
		push	ds:_PspSystemPartition
		call	_ObInsertObject@24 ; ObInsertObject(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_ACE0DB
		xor	eax, eax
		test	eax, eax
		js	short loc_ACE0DB
		call	PspInitializeNetRateControl
		test	al, al
		jz	short loc_ACE0E2
		call	_PspInitializeBackgroundActivityModeratorCallouts@0 ; PspInitializeBackgroundActivityModeratorCallouts()
		test	eax, eax
		js	short loc_ACE0E2
		call	_PspInitializeDesktopActivityModeratorCallouts@0 ; PspInitializeDesktopActivityModeratorCallouts()
		test	eax, eax
		js	short loc_ACE0E2
		call	_PspInitializeMMCSSCallouts@0 ;	PspInitializeMMCSSCallouts()
		test	eax, eax
		js	short loc_ACE0E2
		call	_PspInitializeHwTraceCallouts@0	; PspInitializeHwTraceCallouts()
		test	eax, eax
		js	short loc_ACE0E2
		call	_PspInitializeOctagonExtensionHost@0 ; PspInitializeOctagonExtensionHost()
		test	eax, eax
		js	short loc_ACE0E2
		call	_PspInitializeSecExtensionHost@0 ; PspInitializeSecExtensionHost()
		test	eax, eax
		js	short loc_ACE0E2
		mov	al, 1
		pop	ecx
		retn
; 

loc_ACE0DB:				; CODE XREF: PspInitPhase1()+20j
					; PspInitPhase1()+26j
		push	60h
		call	_KeBugCheck@4	; KeBugCheck(x)

loc_ACE0E2:				; CODE XREF: PspInitPhase1()+2Fj
					; PspInitPhase1()+38j ...
		xor	al, al
		pop	ecx
		retn
_PspInitPhase1@0 endp ;	sp = -4


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspInitializeBackgroundActivityModeratorCallouts()
_PspInitializeBackgroundActivityModeratorCallouts@0 proc near
					; CODE XREF: PspInitPhase1()+31p

var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		xor	eax, eax
		and	[ebp+var_4], 0
		mov	ecx, offset _PspBamExtensionHost
		push	5
		mov	[ebp+var_12], ax
		pop	eax
		push	0Dh
		mov	word ptr [ebp+var_18], ax
		pop	eax
		push	6
		mov	word ptr [ebp+var_18+2], ax
		pop	eax
		mov	[ebp+var_14], ax
		lea	eax, [ebp+var_18]
		push	eax
		mov	[ebp+var_10], 200h
		mov	[ebp+var_C], (offset loc_40379F+1)
		call	ExRegisterHost
		test	eax, eax
		js	short loc_ACE133
		leave
		retn
; 

loc_ACE133:				; CODE XREF: PspInitializeBackgroundActivityModeratorCallouts()+49j
		and	ds:_PspBamExtensionHost, 0
		leave
		retn
_PspInitializeBackgroundActivityModeratorCallouts@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspInitializeDesktopActivityModeratorCallouts()
_PspInitializeDesktopActivityModeratorCallouts@0 proc near ; CODE XREF:	PspInitPhase1()+3Ap

var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		xor	eax, eax
		mov	[ebp+var_10], 200h
		mov	[ebp+var_12], ax
		xor	esi, esi
		push	7
		pop	eax
		mov	word ptr [ebp+var_18], ax
		mov	ecx, offset _PspDamExtensionHost
		xor	eax, eax
		mov	[ebp+var_C], esi
		inc	eax
		mov	[ebp+var_8], esi
		mov	word ptr [ebp+var_18+2], ax
		mov	[ebp+var_14], ax
		lea	eax, [ebp+var_18]
		push	eax
		mov	[ebp+var_4], esi
		call	ExRegisterHost
		test	eax, eax
		js	short loc_ACE184

loc_ACE181:				; CODE XREF: PspInitializeDesktopActivityModeratorCallouts()+4Ej
		pop	esi
		leave
		retn
; 

loc_ACE184:				; CODE XREF: PspInitializeDesktopActivityModeratorCallouts()+43j
		mov	ds:_PspDamExtensionHost, esi
		jmp	short loc_ACE181
_PspInitializeDesktopActivityModeratorCallouts@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspInitializeHwTraceCallouts()
_PspInitializeHwTraceCallouts@0	proc near ; CODE XREF: PspInitPhase1()+4Cp

var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		xor	eax, eax
		and	[ebp+var_4], 0
		mov	ecx, offset _PspHwTraceExtensionHost
		mov	[ebp+var_12], ax
		push	0Ah
		pop	eax
		mov	word ptr [ebp+var_18], ax
		push	2
		pop	eax
		mov	word ptr [ebp+var_18+2], ax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_10], 200h
		mov	[ebp+var_14], ax
		lea	eax, [ebp+var_18]
		push	eax
		mov	[ebp+var_C], offset _PspHwTraceHostInterface
		call	ExRegisterHost
		test	eax, eax
		js	short loc_ACE1D9
		leave
		retn
; 

loc_ACE1D9:				; CODE XREF: PspInitializeHwTraceCallouts()+49j
		and	ds:_PspHwTraceExtensionHost, 0
		leave
		retn
_PspInitializeHwTraceCallouts@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspInitializeMMCSSCallouts()
_PspInitializeMMCSSCallouts@0 proc near	; CODE XREF: PspInitPhase1()+43p

var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		and	[ebp+var_8], 0
		xor	eax, eax
		and	[ebp+var_4], 0
		mov	ecx, offset _PspMmcssExtensionHost
		mov	[ebp+var_12], ax
		push	9
		pop	eax
		mov	word ptr [ebp+var_18], ax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_10], 200h
		mov	word ptr [ebp+var_18+2], ax
		mov	[ebp+var_14], ax
		lea	eax, [ebp+var_18]
		push	eax
		mov	[ebp+var_C], (offset loc_4037B7+1)
		call	ExRegisterHost
		test	eax, eax
		js	short loc_ACE22C
		leave
		retn
; 

loc_ACE22C:				; CODE XREF: PspInitializeMMCSSCallouts()+46j
		and	ds:_PspMmcssExtensionHost, 0
		leave
		retn
_PspInitializeMMCSSCallouts@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspInitializeOctagonExtensionHost()
_PspInitializeOctagonExtensionHost@0 proc near ; CODE XREF: PspInitPhase1()+55p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		push	0Dh
		pop	eax
		push	2
		mov	word ptr [ebp+var_18], ax
		xor	esi, esi
		pop	eax
		mov	word ptr [ebp+var_18+2], ax
		mov	ecx, offset _PspOctExtensionHost
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], esi
		push	eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_10], 200h
		mov	[ebp+var_C], (offset loc_4037BA+2)
		call	ExRegisterHost
		test	eax, eax
		js	short loc_ACE27B

loc_ACE278:				; CODE XREF: PspInitializeOctagonExtensionHost()+4Bj
		pop	esi
		leave
		retn
; 

loc_ACE27B:				; CODE XREF: PspInitializeOctagonExtensionHost()+40j
		mov	_PspOctExtensionHost, esi
		jmp	short loc_ACE278
_PspInitializeOctagonExtensionHost@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PspInitializeSecExtensionHost()
_PspInitializeSecExtensionHost@0 proc near ; CODE XREF:	PspInitPhase1()+5Ep

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		push	0Eh
		pop	eax
		mov	word ptr [ebp+var_18], ax
		xor	esi, esi
		xor	eax, eax
		mov	[ebp+var_14], esi
		inc	eax
		mov	[ebp+var_8], esi
		mov	word ptr [ebp+var_18+2], ax
		mov	ecx, offset _PspSecExtensionHost
		lea	eax, [ebp+var_18]
		mov	[ebp+var_4], esi
		push	eax
		mov	[ebp+var_10], 200h
		mov	[ebp+var_C], (offset loc_4037C7+5)
		call	ExRegisterHost
		test	eax, eax
		js	short loc_ACE2C9

loc_ACE2C6:				; CODE XREF: PspInitializeSecExtensionHost()+4Bj
		pop	esi
		leave
		retn
; 

loc_ACE2C9:				; CODE XREF: PspInitializeSecExtensionHost()+40j
		mov	_PspSecExtensionHost, esi
		jmp	short loc_ACE2C6
_PspInitializeSecExtensionHost@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspInitializeNetRateControl proc near	; CODE XREF: PspInitPhase1()+28p

var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE749E SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		xor	ebx, ebx
		mov	[ebp+var_12], ax
		inc	ebx
		push	4
		pop	eax
		mov	word ptr [ebp+var_18], ax
		mov	ecx, offset _PspNetRateControlExtensionHost
		xor	eax, eax
		mov	word ptr [ebp+var_18+2], bx
		mov	[ebp+var_C], eax
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_18]
		push	eax
		mov	[ebp+var_14], bx
		mov	[ebp+var_10], ebx
		call	ExRegisterHost
		test	eax, eax
		js	loc_AE749E

loc_ACE317:				; CODE XREF: PspInitializeNetRateControl+191D5j
		mov	al, bl
		pop	ebx
		leave
		retn
PspInitializeNetRateControl endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepInitializeAuthorizationCallbacks()
_SepInitializeAuthorizationCallbacks@0 proc near ; CODE	XREF: SepInitializationPhase1()+1FAp

var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_12		= word ptr -12h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	esi
		push	edi
		xor	eax, eax
		xor	edi, edi
		push	2
		mov	[ebp+var_12], ax
		xor	esi, esi
		pop	eax
		push	6
		mov	word ptr [ebp+var_18], ax
		inc	edi
		pop	eax
		mov	[ebp+var_14], ax
		mov	ecx, offset _SepAuthExtensionHost
		lea	eax, [ebp+var_18]
		mov	word ptr [ebp+var_18+2], di
		push	eax
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	ExRegisterHost
		test	eax, eax
		js	short loc_ACE399

loc_ACE361:				; CODE XREF: SepInitializeAuthorizationCallbacks()+83j
		push	3
		pop	eax
		push	24h
		mov	word ptr [ebp+var_18], ax
		mov	ecx, offset _SepBCryptExtensionHost
		pop	eax
		mov	[ebp+var_14], ax
		lea	eax, [ebp+var_18]
		push	eax
		mov	word ptr [ebp+var_18+2], di
		mov	[ebp+var_10], 200h
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	ExRegisterHost
		test	eax, eax
		js	short loc_ACE3A1

loc_ACE395:				; CODE XREF: SepInitializeAuthorizationCallbacks()+8Bj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_ACE399:				; CODE XREF: SepInitializeAuthorizationCallbacks()+43j
		mov	_SepAuthExtensionHost, esi
		jmp	short loc_ACE361
; 

loc_ACE3A1:				; CODE XREF: SepInitializeAuthorizationCallbacks()+77j
		mov	_SepBCryptExtensionHost, esi
		jmp	short loc_ACE395
_SepInitializeAuthorizationCallbacks@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeMakeSystemToken proc near		; CODE XREF: SepInitializationPhase0()+76p

var_3D8		= dword	ptr -3D8h
var_3D4		= dword	ptr -3D4h
var_3D0		= dword	ptr -3D0h
var_3CC		= dword	ptr -3CCh
var_3C8		= dword	ptr -3C8h
var_3C4		= dword	ptr -3C4h
var_3C0		= dword	ptr -3C0h
var_3BC		= dword	ptr -3BCh
var_3B8		= dword	ptr -3B8h
var_3B4		= dword	ptr -3B4h
var_3AC		= dword	ptr -3ACh
var_3A8		= dword	ptr -3A8h
var_3A4		= dword	ptr -3A4h
var_3A0		= dword	ptr -3A0h
var_39C		= dword	ptr -39Ch
var_398		= word ptr -398h
var_396		= word ptr -396h
var_394		= word ptr -394h
var_392		= word ptr -392h
var_390		= word ptr -390h
var_38E		= word ptr -38Eh
var_38C		= word ptr -38Ch
var_38A		= word ptr -38Ah
var_388		= dword	ptr -388h
var_384		= dword	ptr -384h
var_380		= dword	ptr -380h
var_37C		= dword	ptr -37Ch
var_378		= dword	ptr -378h
var_374		= dword	ptr -374h
var_370		= dword	ptr -370h
var_36C		= dword	ptr -36Ch
var_368		= dword	ptr -368h
var_364		= dword	ptr -364h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE74AC SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3DCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ecx, ecx
		lea	edx, [ebp+var_3B8]
		inc	ecx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_3A8], ecx
		mov	eax, 0BB8h
		mov	[ebp+var_396], cx
		mov	[ebp+var_394], cx
		mov	[ebp+var_392], cx
		mov	[ebp+var_390], cx
		mov	[ebp+var_38E], cx
		mov	[ebp+var_38C], cx
		mov	[ebp+var_38A], cx
		push	ecx
		lea	ecx, [ebp-398h]
		mov	[ebp+var_388], ebx
		mov	[ebp+var_3B8], ebx
		mov	[ebp+var_3B4], ebx
		mov	[ebp+var_398], ax
		call	RtlpTimeFieldsToTime
		mov	eax, _SeSystemMandatorySid
		mov	ecx, ds:_SeAuthenticatedUsersSid
		mov	edi, _SeWorldSid
		mov	esi, _SeLocalSystemSid
		mov	[ebp+var_368], eax
		mov	[ebp+var_3BC], ebx
		mov	ebx, ds:_SeAliasAdminsSid
		push	7
		pop	edx
		mov	[ebp+var_374], edx
		mov	[ebp+var_36C], edx
		mov	[ebp+var_370], ecx
		mov	[ebp+var_3C0], esi
		mov	[ebp+var_380], ebx
		mov	[ebp+var_378], edi
		mov	[ebp+var_37C], 0Eh
		mov	[ebp+var_364], 60h
		movzx	eax, byte ptr [eax+1]
		push	3
		mov	[ebp+var_3A0], ebx
		lea	edx, ds:0Bh[eax*4]
		movzx	eax, byte ptr [ecx+1]
		and	edx, 0FFFFFFFCh
		pop	ecx
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	edx, eax
		movzx	eax, byte ptr [edi+1]
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	edx, eax
		movzx	eax, byte ptr [ebx+1]
		mov	[ebp+var_178], ecx
		mov	[ebp+var_154], ecx
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	eax, 8
		add	eax, edx
		xor	edx, edx
		mov	[ebp+var_3A4], eax
		mov	eax, ds:_SeTcbPrivilege
		mov	[ebp+var_180], eax
		mov	eax, ds:dword_A949B4
		mov	[ebp+var_17C], eax
		mov	eax, ds:_SeCreateTokenPrivilege
		mov	[ebp+var_174], eax
		mov	eax, ds:dword_A94CB4
		mov	[ebp+var_170], eax
		mov	eax, ds:_SeTakeOwnershipPrivilege
		mov	[ebp+var_168], eax
		mov	eax, ds:dword_A94CBC
		mov	[ebp+var_164], eax
		mov	eax, ds:_SeCreatePagefilePrivilege
		mov	[ebp+var_15C], eax
		mov	eax, ds:dword_A94A0C
		mov	[ebp+var_16C], edx
		mov	[ebp+var_160], edx
		mov	[ebp+var_158], eax
		mov	eax, ds:_SeLockMemoryPrivilege
		mov	[ebp+var_150], eax
		mov	eax, ds:dword_A94A5C
		mov	[ebp+var_14C], eax
		mov	eax, ds:_SeAssignPrimaryTokenPrivilege
		mov	[ebp+var_144], eax
		mov	eax, ds:dword_A94A04
		mov	[ebp+var_140], eax
		mov	eax, ds:_SeIncreaseQuotaPrivilege
		mov	[ebp+var_138], eax
		mov	eax, ds:dword_A94A1C
		mov	[ebp+var_134], eax
		mov	eax, ds:_SeIncreaseBasePriorityPrivilege
		mov	[ebp+var_12C], eax
		mov	eax, ds:dword_A949F4
		mov	[ebp+var_128], eax
		mov	eax, ds:_SeCreatePermanentPrivilege
		mov	[ebp+var_120], eax
		mov	eax, ds:dword_A94A34
		mov	[ebp+var_11C], eax
		mov	eax, ds:_SeDebugPrivilege
		mov	[ebp+var_114], eax
		mov	eax, ds:dword_A94A14
		mov	[ebp+var_110], eax
		mov	eax, ds:_SeAuditPrivilege
		mov	[ebp+var_108], eax
		mov	eax, ds:dword_A94CAC
		mov	[ebp+var_104], eax
		mov	eax, ds:_SeSecurityPrivilege
		mov	[ebp+var_FC], eax
		mov	eax, ds:dword_A94A3C
		mov	[ebp+var_F8], eax
		mov	eax, ds:_SeSystemEnvironmentPrivilege
		mov	[ebp+var_F0], eax
		mov	eax, ds:dword_A94CA4
		mov	[ebp+var_EC], eax
		mov	eax, ds:_SeChangeNotifyPrivilege
		mov	[ebp+var_E4], eax
		mov	eax, ds:dword_A94A9C
		mov	[ebp+var_E0], eax
		mov	eax, ds:_SeBackupPrivilege
		mov	[ebp+var_D8], eax
		mov	eax, ds:dword_A949E4
		mov	[ebp+var_D4], eax
		mov	eax, ds:_SeRestorePrivilege
		mov	[ebp+var_CC], eax
		mov	eax, ds:dword_A949DC
		mov	[ebp+var_C8], eax
		mov	eax, ds:_SeShutdownPrivilege
		mov	[ebp+var_C0], eax
		mov	eax, ds:dword_A949BC
		mov	[ebp+var_BC], eax
		mov	eax, ds:_SeLoadDriverPrivilege
		mov	[ebp+var_B4], eax
		mov	eax, ds:dword_A94E04
		mov	[ebp+var_B0], eax
		mov	eax, ds:_SeProfileSingleProcessPrivilege
		mov	[ebp+var_A8], eax
		mov	eax, ds:dword_A949EC
		mov	[ebp+var_A4], eax
		mov	eax, ds:_SeSystemtimePrivilege
		mov	[ebp+var_9C], eax
		mov	eax, ds:dword_A94C94
		mov	[ebp+var_98], eax
		mov	eax, ds:_SeUndockPrivilege
		mov	[ebp+var_148], ecx
		mov	[ebp+var_13C], edx
		mov	[ebp+var_130], edx
		mov	[ebp+var_124], ecx
		mov	[ebp+var_118], ecx
		mov	[ebp+var_10C], ecx
		mov	[ebp+var_100], ecx
		mov	[ebp+var_F4], edx
		mov	[ebp+var_E8], edx
		mov	[ebp+var_DC], ecx
		mov	[ebp+var_D0], edx
		mov	[ebp+var_C4], edx
		mov	[ebp+var_B8], edx
		mov	[ebp+var_AC], edx
		mov	[ebp+var_A0], ecx
		mov	[ebp+var_94], edx
		mov	[ebp+var_90], eax
		mov	eax, ds:dword_A94AAC
		mov	[ebp+var_8C], eax
		mov	eax, ds:_SeManageVolumePrivilege
		mov	[ebp+var_84], eax
		mov	eax, ds:dword_A94A74
		mov	[ebp+var_80], eax
		mov	eax, ds:_SeImpersonatePrivilege
		mov	[ebp+var_78], eax
		mov	eax, ds:dword_A94A8C
		mov	[ebp+var_74], eax
		mov	eax, ds:_SeCreateGlobalPrivilege
		mov	[ebp+var_6C], eax
		mov	eax, ds:dword_A94A2C
		mov	[ebp+var_68], eax
		mov	eax, ds:_SeTrustedCredManAccessPrivilege
		mov	[ebp+var_60], eax
		mov	eax, ds:dword_A94A84
		mov	[ebp+var_5C], eax
		mov	eax, ds:_SeRelabelPrivilege
		mov	[ebp+var_54], eax
		mov	eax, ds:dword_A94A4C
		mov	[ebp+var_50], eax
		mov	eax, ds:_SeIncreaseWorkingSetPrivilege
		mov	[ebp+var_48], eax
		mov	eax, ds:dword_A949FC
		mov	[ebp+var_44], eax
		mov	eax, ds:_SeTimeZonePrivilege
		mov	[ebp+var_3C], eax
		mov	eax, ds:dword_A94ABC
		mov	[ebp+var_38], eax
		mov	eax, ds:_SeCreateSymbolicLinkPrivilege
		mov	[ebp+var_30], eax
		mov	eax, ds:dword_A94AB4
		mov	[ebp+var_2C], eax
		mov	eax, ds:_SeSystemProfilePrivilege
		mov	[ebp+var_24], eax
		mov	eax, ds:dword_A94C9C
		mov	[ebp+var_20], eax
		mov	eax, ds:_SeDelegateSessionUserImpersonatePrivilege
		mov	[ebp+var_18], eax
		mov	eax, ds:dword_A94C6C
		mov	[ebp+var_88], edx
		mov	[ebp+var_7C], edx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_64], ecx
		mov	[ebp+var_58], edx
		mov	[ebp+var_4C], edx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], ecx
		movzx	eax, byte ptr [esi+1]
		push	63416553h
		lea	edi, ds:18h[eax*4]
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_384], ebx
		test	ebx, ebx
		jz	loc_AE74B4
		push	2		; int
		push	edi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	eax, _SeProcTrustWinTcbSid
		push	63416553h
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:18h[eax*4]
		push	eax
		push	1
		mov	[ebp+var_39C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_3AC], edi
		test	edi, edi
		jz	loc_AE74AC
		push	2		; int
		push	[ebp+var_39C]	; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	_SeLocalSystemSid
		push	0F01FFh
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	20018h
		push	14h
		push	_SeProcTrustWinTcbSid
		push	0
		push	2
		push	edi
		call	RtlAddProcessTrustLabelAce
		push	64536553h
		push	14h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE74BB
		push	1
		push	ebx
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	[ebp+var_384]
		push	1
		push	ebx
		call	RtlSetDaclSecurityDescriptor
		push	0
		push	edi
		push	1
		push	ebx
		call	_RtlSetSaclSecurityDescriptor@16 ; RtlSetSaclSecurityDescriptor(x,x,x,x)
		mov	edi, ds:_SeAliasAdminsSid
		push	0
		push	edi
		push	ebx
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		push	0
		push	edi
		push	ebx
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		push	ecx
		push	ecx
		push	ds:_SeSystemDefaultDacl
		lea	eax, [ebp+var_180]
		mov	[ebp+var_3D8], 18h
		push	esi
		push	[ebp+var_3A0]
		xor	edi, edi
		mov	[ebp+var_3C8], ebx
		push	eax
		push	1Fh
		push	[ebp+var_3A4]
		lea	eax, [ebp+var_380]
		mov	[ebp+var_3D4], edi
		push	eax
		push	4
		lea	eax, [ebp+var_3C0]
		mov	[ebp+var_3CC], edi
		push	eax
		lea	eax, [ebp+var_3B8]
		mov	[ebp+var_3D0], edi
		push	eax
		push	offset _SeSystemAuthenticationId
		push	ecx
		push	ecx
		lea	eax, [ebp+var_3D8]
		mov	[ebp+var_3C4], edi
		push	eax
		push	ecx
		lea	ecx, [ebp+var_388]
		call	_SepCreateToken@76 ; SepCreateToken(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_388]
		lea	edx, [ebp+var_3A8]
		call	_SeSetMandatoryPolicyToken@8 ; SeSetMandatoryPolicyToken(x,x)
		push	edi
		push	[ebp+var_384]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		push	[ebp+var_3AC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_388]

loc_ACE98F:				; CODE XREF: SeMakeSystemToken+1910Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
SeMakeSystemToken endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeMakeAnonymousLogonTokenNoEveryone proc near ;	CODE XREF: SepInitializationPhase1()+6Ap

var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= word ptr -220h
var_21E		= word ptr -21Eh
var_21C		= word ptr -21Ch
var_21A		= word ptr -21Ah
var_218		= word ptr -218h
var_216		= word ptr -216h
var_214		= word ptr -214h
var_212		= word ptr -212h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE74CD SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 254h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ecx, ecx
		lea	edx, [ebp+var_230]
		inc	ecx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_228], ecx
		mov	eax, 0BB8h
		mov	[ebp+var_21E], cx
		mov	[ebp+var_21C], cx
		mov	[ebp+var_21A], cx
		mov	[ebp+var_218], cx
		mov	[ebp+var_216], cx
		mov	[ebp+var_214], cx
		mov	[ebp+var_212], cx
		push	ecx
		lea	ecx, [ebp-220h]
		mov	[ebp+var_20C], ebx
		mov	[ebp+var_230], ebx
		mov	[ebp+var_22C], ebx
		mov	[ebp+var_220], ax
		call	RtlpTimeFieldsToTime
		mov	eax, _SeUntrustedMandatorySid
		mov	esi, ds:_SeAnonymousLogonSid
		mov	[ebp+var_208], eax
		mov	[ebp+var_238], esi
		mov	[ebp+var_234], ebx
		mov	[ebp+var_204], 60h
		movzx	eax, byte ptr [eax+1]
		push	63416553h
		push	0C8h
		push	1
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	eax, 8
		mov	[ebp+var_224], eax
		mov	eax, _SeWorldSid
		movzx	ecx, byte ptr [eax+1]
		movzx	eax, byte ptr [esi+1]
		add	ecx, eax
		lea	edi, ds:30h[ecx*4]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE74D5
		push	2		; int
		push	edi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	_SeWorldSid
		mov	edi, 0F01FFh
		push	edi
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	ds:_SeAnonymousLogonSid
		push	edi
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	64536553h
		push	14h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_210], edi
		test	edi, edi
		jz	loc_AE74CD
		push	1
		push	edi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	ebx
		push	1
		push	edi
		call	RtlSetDaclSecurityDescriptor
		mov	edi, _SeWorldSid
		push	0
		push	edi
		push	[ebp+var_210]
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		push	0
		push	edi
		mov	edi, [ebp+var_210]
		push	edi
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_250], 18h
		push	eax
		push	eax
		push	eax
		push	[ebp+var_224]
		mov	[ebp+var_24C], eax
		mov	[ebp+var_244], eax
		mov	[ebp+var_248], eax
		mov	[ebp+var_23C], eax
		lea	eax, [ebp+var_208]
		push	eax
		push	1
		lea	eax, [ebp+var_238]
		mov	[ebp+var_240], edi
		push	eax
		lea	eax, [ebp+var_230]
		push	eax
		push	offset _SeAnonymousAuthenticationId
		push	ecx
		push	ecx
		lea	eax, [ebp+var_250]
		push	eax
		push	ecx
		lea	ecx, [ebp+var_20C]
		call	_SepCreateToken@76 ; SepCreateToken(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_20C]
		lea	edx, [ebp+var_228]
		call	_SeSetMandatoryPolicyToken@8 ; SeSetMandatoryPolicyToken(x,x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_20C]

loc_ACEBA0:				; CODE XREF: SeMakeAnonymousLogonTokenNoEveryone+18B39j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
SeMakeAnonymousLogonTokenNoEveryone endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeMakeAnonymousLogonToken proc near	; CODE XREF: SepInitializationPhase1()+60p

var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= word ptr -220h
var_21E		= word ptr -21Eh
var_21C		= word ptr -21Ch
var_21A		= word ptr -21Ah
var_218		= word ptr -218h
var_216		= word ptr -216h
var_214		= word ptr -214h
var_212		= word ptr -212h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_204		= dword	ptr -204h
var_200		= dword	ptr -200h
var_1FC		= dword	ptr -1FCh
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE74DC SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 254h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ecx, ecx
		lea	edx, [ebp+var_230]
		inc	ecx
		xor	ebx, ebx
		push	edi
		mov	[ebp+var_228], ecx
		mov	eax, 0BB8h
		mov	[ebp+var_21E], cx
		mov	[ebp+var_21C], cx
		mov	[ebp+var_21A], cx
		mov	[ebp+var_218], cx
		mov	[ebp+var_216], cx
		mov	[ebp+var_214], cx
		mov	[ebp+var_212], cx
		push	ecx
		lea	ecx, [ebp-220h]
		mov	[ebp+var_20C], ebx
		mov	[ebp+var_230], ebx
		mov	[ebp+var_22C], ebx
		mov	[ebp+var_220], ax
		call	RtlpTimeFieldsToTime
		mov	eax, _SeLowMandatorySid
		mov	edx, _SeWorldSid
		mov	esi, ds:_SeAnonymousLogonSid
		mov	[ebp+var_200], eax
		mov	[ebp+var_238], esi
		mov	[ebp+var_234], ebx
		mov	[ebp+var_208], edx
		mov	[ebp+var_204], 7
		mov	[ebp+var_1FC], 60h
		movzx	eax, byte ptr [eax+1]
		push	63416553h
		push	0C8h
		push	1
		lea	ecx, ds:0Bh[eax*4]
		movzx	eax, byte ptr [edx+1]
		and	ecx, 0FFFFFFFCh
		add	ecx, 8
		lea	eax, ds:0Bh[eax*4]
		and	eax, 0FFFFFFFCh
		add	eax, ecx
		movzx	ecx, byte ptr [edx+1]
		mov	[ebp+var_224], eax
		movzx	eax, byte ptr [esi+1]
		add	ecx, eax
		lea	edi, ds:30h[ecx*4]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE74E4
		push	2		; int
		push	edi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	_SeWorldSid
		mov	edi, 0F01FFh
		push	edi
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	ds:_SeAnonymousLogonSid
		push	edi
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	64536553h
		push	14h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_210], edi
		test	edi, edi
		jz	loc_AE74DC
		push	1
		push	edi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	ebx
		push	1
		push	edi
		call	RtlSetDaclSecurityDescriptor
		mov	edi, _SeWorldSid
		push	0
		push	edi
		push	[ebp+var_210]
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		push	0
		push	edi
		mov	edi, [ebp+var_210]
		push	edi
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		push	ecx
		push	ecx
		push	ebx
		push	esi
		xor	eax, eax
		mov	[ebp+var_250], 18h
		push	eax
		push	eax
		push	eax
		push	[ebp+var_224]
		mov	[ebp+var_24C], eax
		mov	[ebp+var_244], eax
		mov	[ebp+var_248], eax
		mov	[ebp+var_23C], eax
		lea	eax, [ebp+var_208]
		push	eax
		push	2
		lea	eax, [ebp+var_238]
		mov	[ebp+var_240], edi
		push	eax
		lea	eax, [ebp+var_230]
		push	eax
		push	offset _SeAnonymousAuthenticationId
		push	ecx
		push	ecx
		lea	eax, [ebp+var_250]
		push	eax
		push	ecx
		lea	ecx, [ebp+var_20C]
		call	_SepCreateToken@76 ; SepCreateToken(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_20C]
		lea	edx, [ebp+var_228]
		call	_SeSetMandatoryPolicyToken@8 ; SeSetMandatoryPolicyToken(x,x)
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_20C]

loc_ACEDD3:				; CODE XREF: SeMakeAnonymousLogonToken+18936j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
SeMakeAnonymousLogonToken endp


;  S U B	R O U T	I N E 


; __stdcall SepInitializeWorkList()
_SepInitializeWorkList@0 proc near	; CODE XREF: SepInitializationPhase0()+2Ap
		mov	edi, edi
		push	esi
		push	offset unk_6D7130
		call	ExInitializeResourceLite
		and	dword_6D7168, 0
		mov	eax, offset _SepLsaAuditQueueInfo
		mov	dword_6D7124, eax
		mov	esi, offset _ExFreePool@4 ; ExFreePool(x)
		mov	_SepLsaAuditQueueInfo, eax
		mov	eax, offset dword_6D7128
		push	3
		mov	dword_6D712C, eax
		mov	dword_6D7128, eax
		pop	eax
		push	offset unk_6D7088
		mov	dword_6D7194, esi
		mov	dword_6D7190, offset SepAdtDetermineInsertQueue
		mov	word_6D7198, ax
		call	ExInitializeResourceLite
		mov	eax, offset _SepLsaDeletedLogonQueueInfo
		mov	dword_6D70EC, esi
		mov	dword_6D707C, eax
		mov	_SepLsaDeletedLogonQueueInfo, eax
		xor	eax, eax
		inc	eax
		mov	word_6D70F0, ax
		pop	esi
		retn
_SepInitializeWorkList@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepTokenInitialization()
_SepTokenInitialization@0 proc near	; CODE XREF: SepInitializationPhase0()+1Dp

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_24		= dword	ptr -24h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		push	offset ??_C@_1M@JFPKKFCK@?$AAT?$AAo?$AAk?$AAe?$AAn@PBOPGDP@
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_60]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	word ptr [ebp+var_60], si
		lea	edi, [ebp+var_54]
		mov	[ebp+var_5C], 200h
		lea	eax, [ebp+var_60]
		mov	[ebp+var_58], 100h
		mov	esi, offset _SepTokenMapping
		add	esp, 0Ch
		movsd
		push	offset _SeTokenObjectType
		push	ebx
		push	eax
		movsd
		lea	eax, [ebp+var_8]
		push	eax
		movsd
		movsd
		or	byte ptr [ebp+var_60+2], 0Eh
		xor	esi, esi
		inc	esi
		mov	[ebp+var_44], 0F01FFh
		mov	[ebp+var_3C], esi
		mov	[ebp+var_24], offset SepTokenDeleteMethod
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	short loc_ACEEE8
		mov	ecx, ds:_SeTokenObjectType
		mov	edx, esi
		call	SeRegisterObjectTypeMandatoryPolicy

loc_ACEEE8:				; CODE XREF: SepTokenInitialization()+7Dj
		pop	edi
		shr	eax, 1Fh
		pop	esi
		xor	al, 1
		pop	ebx
		leave
		retn
_SepTokenInitialization@0 endp

; 
		align 4
		db 2 dup(0CCh)

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepVariableInitialization()
_SepVariableInitialization@0 proc near	; CODE XREF: SepInitializationPhase0()+3p

var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= word ptr -5Ch
var_58		= dword	ptr -58h
var_54		= word ptr -54h
var_50		= dword	ptr -50h
var_4C		= word ptr -4Ch
var_48		= dword	ptr -48h
var_44		= word ptr -44h
var_40		= dword	ptr -40h
var_3C		= word ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= word ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= word ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= word ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 16Ch
		push	ebx
		push	esi
		push	edi
		push	22h
		pop	eax
		push	24h
		pop	ecx
		push	0Eh
		mov	word ptr [ebp+var_D4], ax
		pop	eax
		push	10h
		mov	word ptr [ebp+var_DC], ax
		pop	eax
		push	26h
		mov	word ptr [ebp+var_DC+2], ax
		pop	eax
		push	28h
		pop	esi
		push	2Ah
		pop	edx
		push	4Eh
		mov	word ptr [ebp+var_E4+2], ax
		mov	word ptr [ebp+var_F4], ax
		pop	eax
		push	50h
		mov	word ptr [ebp+var_FC], ax
		pop	eax
		push	12h
		mov	word ptr [ebp+var_FC+2], ax
		pop	eax
		push	14h
		mov	word ptr [ebp+var_104],	ax
		pop	eax
		push	18h
		pop	edi
		push	1Ah
		pop	ebx
		push	2Ch
		mov	word ptr [ebp+var_D4+2], cx
		mov	word ptr [ebp+var_E4], cx
		pop	ecx
		push	2Eh
		mov	word ptr [ebp+var_104+2], ax
		pop	eax
		push	1Eh
		mov	word ptr [ebp+var_11C+2], ax
		pop	eax
		push	20h
		mov	word ptr [ebp+var_134],	ax
		pop	eax
		mov	[ebp+var_D0], offset ??_C@_1CE@LBIPJBGA@?$AAl?$AAp?$AAa?$AAc?$AAA?$AAp?$AAp?$AAE?$AAx?$AAp?$AAe?$AAr?$AAi?$AAe?$AAn@PBOPGDP@
		mov	[ebp+var_D8], offset ??_C@_1BA@HJJDJBOL@?$AAl?$AAp?$AAa?$AAc?$AAC?$AAo?$AAm@PBOPGDP@
		mov	[ebp+var_E0], offset ??_C@_1CG@JEFDGIAA@?$AAl?$AAp?$AAa?$AAc?$AAC?$AAr?$AAy?$AAp?$AAt?$AAo?$AAS?$AAe?$AAr?$AAv?$AAi@PBOPGDP@
		mov	word ptr [ebp+var_EC], si
		mov	word ptr [ebp+var_EC+2], dx
		mov	[ebp+var_E8], offset ??_C@_1CK@IBGBDPLP@?$AAl?$AAp?$AAa?$AAc?$AAI?$AAd?$AAe?$AAn?$AAt?$AAi?$AAt?$AAy?$AAS?$AAe?$AAr@PBOPGDP@
		mov	word ptr [ebp+var_F4+2], si
		mov	[ebp+var_F0], offset ??_C@_1CI@PDLNLLIE@?$AAl?$AAp?$AAa?$AAc?$AAI?$AAn?$AAs?$AAt?$AAr?$AAu?$AAm?$AAe?$AAn?$AAt?$AAa@PBOPGDP@
		mov	[ebp+var_F8], offset ??_C@_1FA@KJGLJJEA@?$AAl?$AAp?$AAa?$AAc?$AAE?$AAn?$AAt?$AAe?$AAr?$AAp?$AAr?$AAi?$AAs?$AAe?$AAP@PBOPGDP@
		mov	[ebp+var_100], offset ??_C@_1BE@MDCHJCLH@?$AAl?$AAp?$AAa?$AAc?$AAM?$AAe?$AAd?$AAi?$AAa@PBOPGDP@
		mov	word ptr [ebp+var_10C],	si
		mov	word ptr [ebp+var_10C+2], dx
		mov	[ebp+var_108], (offset loc_ADF923+1)
		mov	word ptr [ebp+var_114],	di
		mov	word ptr [ebp+var_114+2], bx
		mov	[ebp+var_110], offset ??_C@_1BK@KMMANFGK@?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAR?$AAe?$AAa?$AAd@PBOPGDP@ ; "registryRead"
		mov	word ptr [ebp+var_11C],	cx
		mov	[ebp+var_118], offset ??_C@_1CO@GMCGHMFJ@?$AAl?$AAp?$AAa?$AAc?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe?$AAs?$AAM?$AAa?$AAn@PBOPGDP@
		mov	word ptr [ebp+var_124],	dx
		mov	word ptr [ebp+var_124+2], cx
		mov	[ebp+var_120], offset ??_C@_1CM@NONINMBB@?$AAl?$AAp?$AAa?$AAc?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAM?$AAa?$AAn?$AAa@PBOPGDP@
		mov	word ptr [ebp+var_12C],	di
		mov	word ptr [ebp+var_12C+2], bx
		mov	[ebp+var_128], offset ??_C@_1BK@JNJNHEED@?$AAl?$AAp?$AAa?$AAc?$AAP?$AAr?$AAi?$AAn?$AAt?$AAi?$AAn?$AAg@PBOPGDP@
		mov	word ptr [ebp+var_134+2], ax
		mov	[ebp+var_130], offset ??_C@_1CA@LDBOOCPP@?$AAl?$AAp?$AAa?$AAc?$AAW?$AAe?$AAb?$AAP?$AAl?$AAa?$AAt?$AAf?$AAo?$AAr?$AAm@PBOPGDP@ ;	"lpacWebPlatform"
		mov	word ptr [ebp+var_13C],	di
		mov	word ptr [ebp+var_13C+2], bx
		mov	[ebp+var_138], (offset loc_ADFB3D+1)
		mov	word ptr [ebp+var_144],	bx
		push	1Ch
		pop	ecx
		mov	word ptr [ebp+var_15C],	ax
		push	0Eh
		mov	word ptr [ebp+var_144+2], cx
		pop	ecx
		push	10h
		mov	word ptr [ebp+var_14C],	cx
		pop	ecx
		push	22h
		pop	eax
		mov	word ptr [ebp+var_15C+2], ax
		push	36h
		pop	eax
		mov	word ptr [ebp+var_154],	ax
		push	38h
		pop	eax
		mov	word ptr [ebp+var_154+2], ax
		push	30h
		pop	eax
		mov	word ptr [ebp+var_164],	ax
		push	32h
		pop	eax
		mov	word ptr [ebp+var_164+2], ax
		mov	eax, ds:dword_A40C44
		mov	[ebp+var_60], eax
		mov	ax, ds:word_A40C48
		mov	[ebp+var_5C], ax
		mov	eax, ds:dword_A40C3C
		mov	[ebp+var_58], eax
		mov	ax, ds:word_A40C40
		mov	[ebp+var_54], ax
		mov	eax, ds:dword_A40C54
		mov	[ebp+var_50], eax
		mov	ax, ds:word_A40C58
		mov	[ebp+var_4C], ax
		mov	eax, ds:dword_A40C4C
		mov	[ebp+var_30], eax
		mov	ax, ds:word_A40C50
		mov	[ebp+var_2C], ax
		mov	eax, ds:dword_A40C24
		mov	[ebp+var_8], eax
		mov	ax, ds:word_A40C28
		mov	[ebp+var_4], ax
		mov	eax, ds:dword_A40C1C
		mov	[ebp+var_40], eax
		mov	ax, ds:word_A40C20
		mov	[ebp+var_3C], ax
		mov	eax, ds:dword_A40C34
		mov	[ebp+var_48], eax
		mov	ax, ds:word_A40C38
		mov	[ebp+var_44], ax
		mov	eax, ds:dword_A40C2C
		mov	[ebp+var_24], eax
		mov	ax, ds:word_A40C30
		mov	[ebp+var_20], ax
		mov	eax, ds:_KeLoaderBlock
		mov	[ebp+var_140], offset ??_C@_1BM@IJLACMGH@?$AAl?$AAp?$AAa?$AAc?$AAC?$AAl?$AAi?$AAp?$AAb?$AAo?$AAa?$AAr?$AAd@PBOPGDP@
		mov	word ptr [ebp+var_14C+2], cx
		mov	[ebp+var_148], offset ??_C@_1BA@MHLBKOMP@?$AAl?$AAp?$AAa?$AAc?$AAI?$AAM?$AAE@PBOPGDP@
		mov	eax, [eax+84h]
		mov	[ebp+var_158], offset ??_C@_1CC@MLHJLFCA@?$AAl?$AAp?$AAa?$AAc?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAA?$AAc?$AAc?$AAe?$AAs@PBOPGDP@
		mov	[ebp+var_150], offset ??_C@_1DI@IBHPAEPL@?$AAl?$AAp?$AAa?$AAc?$AAP?$AAa?$AAc?$AAk?$AAa?$AAg?$AAe?$AAM?$AAa?$AAn?$AAa@PBOPGDP@
		mov	word ptr [ebp+var_16C],	si
		mov	eax, [eax+54h]
		mov	word ptr [ebp+var_16C+2], dx
		mov	[ebp+var_168], offset ??_C@_1CK@BPPHHIGP@?$AAs?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAI?$AAm?$AAp?$AAe?$AAr?$AAs?$AAo?$AAn@PBOPGDP@
		mov	[ebp+var_160], offset ??_C@_1DC@PEEFCLCL@?$AAc?$AAo?$AAn?$AAs?$AAt?$AAr?$AAa?$AAi?$AAn?$AAe?$AAd?$AAI?$AAm?$AAp?$AAe@PBOPGDP@ ;	"constrainedImpersonation"
		test	al, 40h
		jnz	short loc_ACF1EA
		cmp	dword ptr ds:0FFDF0264h, 1
		jnz	short loc_ACF1EA
		cmp	dword ptr ds:0FFDF02E8h, 51400h
		ja	short loc_ACF1EA
		mov	cl, 1
		jmp	short loc_ACF1EC
; 

loc_ACF1EA:				; CODE XREF: SepVariableInitialization()+2D9j
					; SepVariableInitialization()+2E2j ...
		xor	cl, cl

loc_ACF1EC:				; CODE XREF: SepVariableInitialization()+2F2j
		shr	eax, 7
		and	al, 1
		mov	_SepTokenSidSharingEnabled, cl
		push	1
		mov	_SepTokenCapabilitySidSharingEnabled, cl
		mov	_SepOsLoaderTpmDriverLoaded, al
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		push	2
		mov	esi, eax
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		push	6
		mov	ebx, eax
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		push	9
		mov	[ebp+var_A4], eax
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		push	0Ah
		mov	[ebp+var_34], eax
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		push	69536553h
		push	esi
		push	11h
		mov	edi, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	ds:_SeNullSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SeCreatorOwnerSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SeCreatorGroupSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SeCreatorOwnerServerSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SeCreatorGroupServerSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SeWorldSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SeLocalSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, ds:_SeNullSid
		mov	_SeOwnerRightsSid, eax
		mov	[ebp+var_38], edx
		test	edx, edx
		jz	loc_AD090D
		mov	ecx, _SeWorldSid
		mov	[ebp+var_1C], ecx
		test	ecx, ecx
		jz	loc_AD090D
		mov	ecx, _SeLocalSid
		mov	[ebp+var_18], ecx
		test	ecx, ecx
		jz	loc_AD090D
		mov	ecx, _SeCreatorOwnerSid
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jz	loc_AD090D
		mov	ecx, _SeCreatorGroupSid
		mov	[ebp+var_10], ecx
		test	ecx, ecx
		jz	loc_AD090D
		mov	ecx, _SeCreatorOwnerServerSid
		mov	[ebp+var_C], ecx
		test	ecx, ecx
		jz	loc_AD090D
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeCreatorGroupServerSid
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	loc_AD090D
		push	1
		lea	eax, [ebp+var_60]
		push	eax
		push	edx
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_58]
		push	eax
		push	[ebp+var_1C]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_50]
		push	eax
		push	[ebp+var_18]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_14]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_10]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_C]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_30]
		push	eax
		push	[ebp+var_28]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_30]
		push	eax
		push	_SeOwnerRightsSid
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	eax, [ebp+var_38]
		xor	ecx, ecx
		push	69536553h
		push	ecx
		mov	[eax+8], ecx
		mov	eax, [ebp+var_1C]
		mov	[eax+8], ecx
		mov	eax, [ebp+var_18]
		mov	[eax+8], ecx
		mov	eax, [ebp+var_14]
		mov	[eax+8], ecx
		mov	eax, [ebp+var_10]
		mov	dword ptr [eax+8], 1
		mov	eax, [ebp+var_C]
		mov	dword ptr [eax+8], 2
		mov	eax, [ebp+var_28]
		mov	dword ptr [eax+8], 3
		mov	eax, _SeOwnerRightsSid
		mov	dword ptr [eax+8], 4
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		push	eax
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	11h
		mov	ds:_SeNtAuthoritySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	ds:_SeDialupSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SeNetworkSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		mov	_SeBatchSid, eax
		push	esi
		push	210h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SeInteractiveSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	11h
		mov	_SePrincipalSelfSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	ds:_SeServiceSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	11h
		mov	_SeLocalSystemSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	11h
		mov	ds:_SeAuthenticatedUsersSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	11h
		mov	ds:_SeRestrictedSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	11h
		mov	ds:_SeAnonymousLogonSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	11h
		mov	ds:_SeLocalServiceSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	11h
		mov	ds:_SeNetworkServiceSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	ebx
		push	11h
		mov	ds:_SeIUserSid,	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	ebx
		push	11h
		mov	ds:_SeAliasAdminsSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	ebx
		push	11h
		mov	ds:_SeAliasUsersSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	ebx
		push	11h
		mov	ds:_SeAliasGuestsSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	ebx
		push	11h
		mov	ds:_SeAliasPowerUsersSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	ebx
		push	11h
		mov	ds:_SeAliasAccountOpsSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	ebx
		mov	ds:_SeAliasSystemOpsSid, eax
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	ebx
		push	11h
		mov	ds:_SeAliasPrintOpsSid,	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	ds:_SeAliasBackupOpsSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SeUntrustedMandatorySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SeLowMandatorySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SeMediumMandatorySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SeHighMandatorySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SeSystemMandatorySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SePackagePrefixSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, 69536553h
		mov	_SeCapabilityPrefixSid,	eax
		push	esi
		push	ebx
		push	210h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	ebx
		push	210h
		mov	_SeAllAppPackagesSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeAllRestrictedAppPackagesSid,	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeLpacAppExperienceCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeLpacComCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeLpacCryptoServicesCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeLpacIdentityServicesCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		mov	_SeLpacInstrumentationCapabilitySid, eax
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeLpacEnterprisePolicyChangeNotificationsCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeLpacMediaCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeLpacPnpNotificationsCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeRegistryReadCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeLpacServicesManagementCapabilitySid,	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeLpacSessionManagementCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeLpacPrintingCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeLpacWebPlatformCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeLpacPaymentsCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeLpacClipboardCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	11h
		mov	_SeLpacImeCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	edi
		push	0
		push	120h
		mov	_SeLpacPackageManagerOperationCapabilitySid, eax
		call	_ExAllocatePool2@16 ; ExAllocatePool2(x,x,x,x)
		push	esi
		mov	esi, [ebp+var_A4]
		push	esi
		push	210h
		mov	_SeLpacDeviceAccessCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	69536553h
		push	esi
		push	210h
		mov	_SeUserModeDriversSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, 69536553h
		mov	_SeTrustedInstallerSid,	eax
		push	esi
		push	ebx
		push	210h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_SeProcTrustWinTcbSid, eax
		push	esi
		push	ebx
		push	210h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	ebx
		push	210h
		mov	_SeProcTrustWinSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	ebx
		push	210h
		mov	_SeProcTrustAuthenticodeSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	ebx
		push	210h
		mov	_SeProcTrustLiteAntimalwareSid,	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	ebx
		push	210h
		mov	_SeProcTrustLiteWinTcbSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	ebx
		push	210h
		mov	_SeProcTrustLiteWinSid,	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	ebx
		push	210h
		mov	_SeProcTrustLiteAppSid,	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		push	ebx
		push	11h
		mov	_SeProcTrustNoneSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	esi
		mov	esi, [ebp+var_34]
		push	esi
		push	11h
		mov	_SeDefaultAccountAliasSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, 69536553h
		mov	_SeConstrainedImpersonationCapabilityGroupSid, eax
		push	ebx
		push	edi
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	ebx
		push	esi
		push	11h
		mov	_SeConstrainedImpersonationCapabilitySid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	ebx
		push	edi
		push	11h
		mov	_SeSessionImpersonationCapabilityGroupSid, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, ds:_SeNtAuthoritySid
		mov	ecx, eax
		mov	_SeSessionImpersonationCapabilitySid, ecx
		test	edx, edx
		jz	loc_AD090D
		mov	eax, ds:_SeDialupSid
		mov	[ebp+var_28], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeNetworkSid
		mov	[ebp+var_A8], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeBatchSid
		mov	[ebp+var_AC], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeInteractiveSid
		mov	[ebp+var_B0], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeServiceSid
		mov	[ebp+var_B4], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SePrincipalSelfSid
		mov	[ebp+var_64], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeLocalSystemSid
		mov	[ebp+var_68], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeAuthenticatedUsersSid
		mov	[ebp+var_6C], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeRestrictedSid
		mov	[ebp+var_70], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeAnonymousLogonSid
		mov	[ebp+var_74], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeLocalServiceSid
		mov	[ebp+var_78], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeNetworkServiceSid
		mov	[ebp+var_7C], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeIUserSid
		mov	[ebp+var_80], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeAliasAdminsSid
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeAliasUsersSid
		mov	[ebp+var_10], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeAliasGuestsSid
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeAliasPowerUsersSid
		mov	[ebp+var_18], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeAliasAccountOpsSid
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeAliasSystemOpsSid
		mov	[ebp+var_84], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeAliasPrintOpsSid
		mov	[ebp+var_88], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, ds:_SeAliasBackupOpsSid
		mov	[ebp+var_8C], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeUntrustedMandatorySid
		mov	[ebp+var_90], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeLowMandatorySid
		mov	[ebp+var_94], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeMediumMandatorySid
		mov	[ebp+var_A0], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeHighMandatorySid
		mov	[ebp+var_98], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeSystemMandatorySid
		mov	[ebp+var_9C], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SePackagePrefixSid
		mov	[ebp+var_34], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeCapabilityPrefixSid
		mov	[ebp+var_38], eax
		test	eax, eax
		jz	loc_AD090D
		mov	edi, _SeAllAppPackagesSid
		test	edi, edi
		jz	loc_AD090D
		mov	esi, _SeAllRestrictedAppPackagesSid
		test	esi, esi
		jz	loc_AD090D
		cmp	_SeLpacAppExperienceCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacComCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacCryptoServicesCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacIdentityServicesCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacInstrumentationCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacEnterprisePolicyChangeNotificationsCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacMediaCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacPnpNotificationsCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeRegistryReadCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacServicesManagementCapabilitySid,	0
		jz	loc_AD090D
		cmp	_SeLpacSessionManagementCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacPrintingCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacWebPlatformCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacPaymentsCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacClipboardCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacImeCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacPackageManagerOperationCapabilitySid, 0
		jz	loc_AD090D
		cmp	_SeLpacDeviceAccessCapabilitySid, 0
		jz	loc_AD090D
		mov	ebx, _SeUserModeDriversSid
		test	ebx, ebx
		jz	loc_AD090D
		mov	eax, _SeProcTrustWinTcbSid
		mov	[ebp+var_BC], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeProcTrustWinSid
		mov	[ebp+var_B8], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeProcTrustAuthenticodeSid
		mov	[ebp+var_C0], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeProcTrustLiteAntimalwareSid
		mov	[ebp+var_C4], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeProcTrustLiteWinTcbSid
		mov	[ebp+var_50], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeProcTrustLiteWinSid
		mov	[ebp+var_58], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeProcTrustLiteAppSid
		mov	[ebp+var_60], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeProcTrustNoneSid
		mov	[ebp+var_C8], eax
		test	eax, eax
		jz	loc_AD090D
		mov	eax, _SeTrustedInstallerSid
		mov	[ebp+var_CC], eax
		test	eax, eax
		jz	loc_AD090D
		cmp	_SeDefaultAccountAliasSid, 0
		jz	loc_AD090D
		cmp	_SeConstrainedImpersonationCapabilitySid, 0
		jz	loc_AD090D
		mov	eax, _SeConstrainedImpersonationCapabilityGroupSid
		mov	[ebp+var_30], eax
		test	eax, eax
		jz	loc_AD090D
		test	ecx, ecx
		jz	loc_AD090D
		cmp	_SeSessionImpersonationCapabilityGroupSid, 0
		jz	loc_AD090D
		push	0
		lea	eax, [ebp+var_8]
		push	eax
		push	edx
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_28]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_A8]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_AC]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_B0]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_B4]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_64]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_68]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_6C]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_70]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_74]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_78]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_7C]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_80]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	2
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_C]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	2
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_10]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	2
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_14]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	2
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_18]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	2
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_1C]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	2
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_84]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	2
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_88]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	2
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_8C]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	6
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_CC]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+var_90]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+var_94]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+var_A0]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+var_98]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+var_9C]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_34]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	1
		lea	eax, [ebp+var_48]
		push	eax
		push	[ebp+var_38]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	2
		lea	eax, [ebp+var_48]
		push	eax
		push	edi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	2
		lea	eax, [ebp+var_48]
		push	eax
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	[ebp+var_A4]	; size_t
		push	0		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_8]
		push	6
		push	eax
		push	ebx
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	2
		pop	ebx
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_C8]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_BC]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_B8]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_C0]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_C4]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_50]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_58]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	ebx
		lea	eax, [ebp+var_24]
		push	eax
		push	[ebp+var_60]
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	eax, [ebp+var_28]
		push	20h
		pop	ecx
		mov	dword ptr [eax+8], 1
		mov	eax, [ebp+var_A8]
		mov	[eax+8], ebx
		mov	eax, [ebp+var_AC]
		mov	dword ptr [eax+8], 3
		mov	eax, [ebp+var_B0]
		mov	dword ptr [eax+8], 4
		mov	eax, [ebp+var_B4]
		mov	dword ptr [eax+8], 6
		mov	eax, [ebp+var_64]
		mov	dword ptr [eax+8], 0Ah
		mov	eax, [ebp+var_68]
		mov	dword ptr [eax+8], 12h
		mov	eax, [ebp+var_6C]
		mov	dword ptr [eax+8], 0Bh
		mov	eax, [ebp+var_70]
		mov	dword ptr [eax+8], 0Ch
		mov	eax, [ebp+var_74]
		mov	dword ptr [eax+8], 7
		mov	eax, [ebp+var_78]
		mov	dword ptr [eax+8], 13h
		mov	eax, [ebp+var_7C]
		mov	dword ptr [eax+8], 14h
		mov	eax, [ebp+var_80]
		mov	dword ptr [eax+8], 11h
		mov	eax, [ebp+var_C]
		mov	[eax+8], ecx
		mov	eax, [ebp+var_10]
		mov	[eax+8], ecx
		mov	eax, [ebp+var_14]
		mov	ebx, [ebp+var_1C]
		mov	edx, [ebp+var_84]
		push	20h
		mov	[eax+8], ecx
		mov	eax, [ebp+var_18]
		mov	[eax+8], ecx
		mov	eax, [ebp+var_8C]
		mov	[ebx+8], ecx
		mov	[edx+8], ecx
		mov	ecx, [ebp+var_88]
		pop	ebx
		push	2
		mov	[ecx+8], ebx
		mov	[eax+8], ebx
		mov	ebx, [ebp+var_C]
		mov	dword ptr [ebx+0Ch], 220h
		mov	ebx, [ebp+var_10]
		mov	dword ptr [ebx+0Ch], 221h
		mov	ebx, [ebp+var_14]
		mov	dword ptr [ebx+0Ch], 222h
		mov	ebx, [ebp+var_18]
		mov	dword ptr [ebx+0Ch], 223h
		mov	ebx, [ebp+var_1C]
		mov	dword ptr [ebx+0Ch], 224h
		mov	dword ptr [edx+0Ch], 225h
		mov	dword ptr [ecx+0Ch], 226h
		mov	dword ptr [eax+0Ch], 227h
		mov	eax, [ebp+var_90]
		pop	ebx
		and	dword ptr [eax+8], 0
		mov	eax, [ebp+var_94]
		mov	dword ptr [eax+8], 1000h
		mov	eax, [ebp+var_A0]
		mov	dword ptr [eax+8], 2000h
		mov	eax, [ebp+var_98]
		mov	dword ptr [eax+8], 3000h
		mov	eax, [ebp+var_9C]
		mov	dword ptr [eax+8], 4000h
		mov	eax, [ebp+var_34]
		mov	[eax+8], ebx
		mov	eax, [ebp+var_38]
		mov	dword ptr [eax+8], 3
		lea	eax, [ebp+var_D4]
		mov	[edi+8], ebx
		mov	dword ptr [edi+0Ch], 1
		mov	[esi+8], ebx
		mov	[esi+0Ch], ebx
		push	_SeLpacAppExperienceCapabilitySid
		push	[ebp+var_30]
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacComCapabilitySid
		lea	eax, [ebp+var_DC]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacCryptoServicesCapabilitySid
		lea	eax, [ebp+var_E4]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacIdentityServicesCapabilitySid
		lea	eax, [ebp+var_EC]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacInstrumentationCapabilitySid
		lea	eax, [ebp+var_F4]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacEnterprisePolicyChangeNotificationsCapabilitySid
		lea	eax, [ebp+var_FC]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacMediaCapabilitySid
		lea	eax, [ebp+var_104]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacPnpNotificationsCapabilitySid
		lea	eax, [ebp+var_10C]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeRegistryReadCapabilitySid
		lea	eax, [ebp+var_114]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacServicesManagementCapabilitySid
		lea	eax, [ebp+var_11C]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacSessionManagementCapabilitySid
		lea	eax, [ebp+var_124]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacPrintingCapabilitySid
		lea	eax, [ebp+var_12C]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacWebPlatformCapabilitySid
		lea	eax, [ebp+var_134]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacPaymentsCapabilitySid
		lea	eax, [ebp+var_13C]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacClipboardCapabilitySid
		lea	eax, [ebp+var_144]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacImeCapabilitySid
		lea	eax, [ebp+var_14C]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacPackageManagerOperationCapabilitySid
		lea	eax, [ebp+var_154]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeLpacDeviceAccessCapabilitySid
		lea	eax, [ebp+var_15C]
		push	_SeConstrainedImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		mov	eax, _SeUserModeDriversSid
		mov	ecx, 400h
		mov	esi, 2000h
		mov	edx, 1000h
		push	ebx
		mov	dword ptr [eax+8], 54h
		mov	eax, _SeProcTrustNoneSid
		and	dword ptr [eax+8], 0
		and	dword ptr [eax+0Ch], 0
		mov	eax, _SeProcTrustWinTcbSid
		mov	[eax+8], ecx
		mov	[eax+0Ch], esi
		mov	eax, _SeProcTrustWinSid
		mov	[eax+8], ecx
		mov	[eax+0Ch], edx
		mov	eax, _SeProcTrustAuthenticodeSid
		mov	[eax+8], ecx
		mov	[eax+0Ch], ecx
		mov	ecx, 200h
		mov	eax, _SeProcTrustLiteAntimalwareSid
		mov	[eax+8], ecx
		mov	dword ptr [eax+0Ch], 600h
		mov	eax, _SeProcTrustLiteWinTcbSid
		mov	[eax+0Ch], esi
		mov	[eax+8], ecx
		mov	eax, _SeProcTrustLiteWinSid
		mov	esi, _SeDefaultAccountAliasSid
		mov	[eax+8], ecx
		mov	[eax+0Ch], edx
		mov	eax, _SeProcTrustLiteAppSid
		mov	[eax+8], ecx
		mov	dword ptr [eax+0Ch], 800h
		mov	eax, _SeTrustedInstallerSid
		mov	dword ptr [eax+8], 50h
		mov	dword ptr [eax+0Ch], 38FB89B5h
		mov	dword ptr [eax+10h], 0CBC28419h
		mov	dword ptr [eax+14h], 6D236C5Ch
		mov	dword ptr [eax+18h], 6E770057h
		mov	dword ptr [eax+1Ch], 876402C0h
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		push	_SeConstrainedImpersonationCapabilitySid
		lea	eax, [ebp+var_164]
		mov	dword ptr [esi+8], 20h
		push	_SeConstrainedImpersonationCapabilityGroupSid
		mov	dword ptr [esi+0Ch], 245h
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		push	_SeSessionImpersonationCapabilitySid
		lea	eax, [ebp+var_16C]
		push	_SeSessionImpersonationCapabilityGroupSid
		push	eax
		call	RtlDeriveCapabilitySidsFromName
		test	eax, eax
		js	loc_AD090D
		call	_SepInitSystemDacls@0 ;	SepInitSystemDacls()
		push	0Eh
		xor	eax, eax
		mov	ds:_SeCreateTokenPrivilege, ebx
		pop	ecx
		push	10h
		mov	ds:_SeIncreaseBasePriorityPrivilege, ecx
		pop	ecx
		push	1Bh
		pop	ebx
		push	1Dh
		pop	edi
		push	1Fh
		pop	esi
		push	21h
		pop	edx
		mov	ds:dword_A94CB4, eax
		mov	ds:_SeAssignPrimaryTokenPrivilege, 3
		mov	ds:dword_A94A04, eax
		mov	ds:_SeLockMemoryPrivilege, 4
		mov	ds:dword_A94A5C, eax
		mov	ds:_SeIncreaseQuotaPrivilege, 5
		mov	ds:dword_A94A1C, eax
		mov	ds:_SeUnsolicitedInputPrivilege, 6
		mov	ds:dword_A94CC4, eax
		mov	ds:_SeTcbPrivilege, 7
		mov	ds:dword_A949B4, eax
		mov	ds:_SeSecurityPrivilege, 8
		mov	ds:dword_A94A3C, eax
		mov	ds:_SeTakeOwnershipPrivilege, 9
		mov	ds:dword_A94CBC, eax
		mov	ds:_SeLoadDriverPrivilege, 0Ah
		mov	ds:dword_A94E04, eax
		mov	ds:_SeCreatePagefilePrivilege, 0Fh
		mov	ds:dword_A94A0C, eax
		mov	ds:dword_A949F4, eax
		mov	ds:_SeSystemProfilePrivilege, 0Bh
		mov	ds:dword_A94C9C, eax
		mov	ds:_SeSystemtimePrivilege, 0Ch
		mov	ds:dword_A94C94, eax
		mov	ds:_SeProfileSingleProcessPrivilege, 0Dh
		mov	ds:dword_A949EC, eax
		mov	ds:_SeCreatePermanentPrivilege,	ecx
		mov	ds:dword_A94A34, eax
		mov	ds:_SeBackupPrivilege, 11h
		mov	ds:dword_A949E4, eax
		mov	ds:_SeRestorePrivilege,	12h
		mov	ds:dword_A949DC, eax
		mov	ds:_SeShutdownPrivilege, 13h
		mov	ds:dword_A949BC, eax
		mov	ds:_SeDebugPrivilege, 14h
		mov	ds:dword_A94A14, eax
		mov	ds:_SeAuditPrivilege, 15h
		mov	ds:dword_A94CAC, eax
		mov	ds:_SeSystemEnvironmentPrivilege, 16h
		mov	ds:dword_A94CA4, eax
		mov	ds:_SeChangeNotifyPrivilege, 17h
		mov	ds:dword_A94A9C, eax
		mov	ds:_SeRemoteShutdownPrivilege, 18h
		mov	ds:dword_A94A94, eax
		mov	ds:_SeUndockPrivilege, 19h
		mov	ds:dword_A94AAC, eax
		mov	ds:_SeSyncAgentPrivilege, 1Ah
		mov	ds:dword_A94AA4, eax
		mov	ds:_SeEnableDelegationPrivilege, ebx
		mov	ds:dword_A94A7C, eax
		mov	ds:_SeManageVolumePrivilege, 1Ch
		mov	ds:dword_A94A74, eax
		mov	ds:_SeImpersonatePrivilege, edi
		mov	ds:dword_A94A8C, eax
		mov	ds:_SeCreateGlobalPrivilege, 1Eh
		mov	ds:dword_A94A2C, eax
		mov	ds:_SeTrustedCredManAccessPrivilege, esi
		mov	ds:dword_A94A84, eax
		mov	ds:_SeRelabelPrivilege,	20h
		mov	ds:dword_A94A4C, eax
		mov	ds:_SeIncreaseWorkingSetPrivilege, edx
		mov	ds:dword_A949FC, eax
		mov	ds:_SeTimeZonePrivilege, 22h
		mov	ds:dword_A94ABC, eax
		push	23h
		mov	ds:dword_A94AB4, eax
		mov	ds:dword_A94C6C, eax
		mov	eax, ds:_SeNullSid
		mov	ds:dword_A94B78, eax
		mov	eax, _SeWorldSid
		mov	ds:dword_A94B7C, eax
		mov	eax, _SeLocalSid
		mov	ds:dword_A94B80, eax
		mov	eax, _SeCreatorOwnerSid
		mov	ds:dword_A94B84, eax
		mov	eax, _SeCreatorGroupSid
		mov	ds:dword_A94B88, eax
		mov	eax, _SeOwnerRightsSid
		mov	ds:dword_A94C48, eax
		mov	eax, ds:_SeNtAuthoritySid
		mov	ds:dword_A94B8C, eax
		mov	eax, ds:_SeDialupSid
		mov	ds:dword_A94B90, eax
		mov	eax, _SeNetworkSid
		mov	ds:dword_A94B94, eax
		mov	eax, _SeBatchSid
		mov	ds:dword_A94B98, eax
		mov	eax, _SeInteractiveSid
		mov	ds:dword_A94B9C, eax
		mov	eax, _SeLocalSystemSid
		mov	ds:dword_A94BA0, eax
		mov	eax, ds:_SeAuthenticatedUsersSid
		mov	ds:dword_A94BC4, eax
		mov	eax, ds:_SeRestrictedSid
		mov	ds:dword_A94BC8, eax
		mov	eax, ds:_SeAnonymousLogonSid
		mov	ds:dword_A94BCC, eax
		mov	eax, ds:_SeLocalServiceSid
		mov	ds:dword_A94BE8, eax
		mov	eax, ds:_SeNetworkServiceSid
		mov	ds:dword_A94BEC, eax
		mov	eax, ds:_SeIUserSid
		mov	ds:dword_A94C30, eax
		mov	eax, ds:_SeAliasAdminsSid
		mov	ds:dword_A94BA4, eax
		mov	eax, ds:_SeAliasUsersSid
		mov	ds:dword_A94BA8, eax
		mov	eax, ds:_SeAliasGuestsSid
		mov	ds:dword_A94BAC, eax
		mov	eax, ds:_SeAliasPowerUsersSid
		mov	ds:dword_A94BB0, eax
		mov	eax, ds:_SeAliasAccountOpsSid
		mov	ds:dword_A94BB4, eax
		mov	eax, ds:_SeAliasSystemOpsSid
		mov	ds:dword_A94BB8, eax
		mov	eax, ds:_SeAliasPrintOpsSid
		mov	ds:dword_A94BBC, eax
		mov	eax, ds:_SeAliasBackupOpsSid
		mov	ds:dword_A94BC0, eax
		mov	eax, _SeUntrustedMandatorySid
		mov	ds:dword_A94C34, eax
		mov	eax, _SeLowMandatorySid
		mov	ds:dword_A94C38, eax
		mov	eax, _SeMediumMandatorySid
		mov	ds:dword_A94C3C, eax
		mov	eax, _SeHighMandatorySid
		mov	ds:dword_A94C40, eax
		mov	eax, _SeSystemMandatorySid
		mov	ds:dword_A94C44, eax
		mov	eax, _SeAllAppPackagesSid
		mov	ds:dword_A94C4C, eax
		mov	eax, _SeUserModeDriversSid
		mov	ds:dword_A94C50, eax
		mov	eax, _SeProcTrustWinTcbSid
		mov	ds:dword_A94C54, eax
		mov	eax, _SeTrustedInstallerSid
		mov	ds:dword_A94C58, eax
		xor	eax, eax
		pop	ecx
		mov	ds:_SeCreateSymbolicLinkPrivilege, ecx
		mov	ds:_SeDelegateSessionUserImpersonatePrivilege, 24h
		mov	ds:_SepExports,	2
		mov	ds:dword_A94AC4, eax
		mov	ds:dword_A94AC8, 3
		mov	ds:dword_A94ACC, eax
		mov	ds:dword_A94AD0, 4
		mov	ds:dword_A94AD4, eax
		mov	ds:dword_A94AD8, 5
		mov	ds:dword_A94ADC, eax
		mov	ds:dword_A94AE0, 6
		mov	ds:dword_A94AE4, eax
		mov	ds:dword_A94AE8, 7
		mov	ds:dword_A94AEC, eax
		mov	ds:dword_A94AF0, 8
		mov	ds:dword_A94AF4, eax
		mov	ds:dword_A94AF8, 9
		mov	ds:dword_A94AFC, eax
		mov	ds:dword_A94B00, 0Ah
		mov	ds:dword_A94B04, eax
		mov	ds:dword_A94B08, 0Fh
		mov	ds:dword_A94B0C, eax
		mov	ds:dword_A94B10, 0Eh
		mov	ds:dword_A94B14, eax
		mov	ds:dword_A94B18, 0Bh
		mov	ds:dword_A94B1C, eax
		mov	ds:dword_A94B20, 0Ch
		mov	ds:dword_A94B24, eax
		mov	ds:dword_A94B28, 0Dh
		mov	ds:dword_A94B2C, eax
		mov	ds:dword_A94B30, 10h
		mov	ds:dword_A94B34, eax
		mov	ds:dword_A94B38, 11h
		mov	ds:dword_A94B3C, eax
		mov	ds:dword_A94B40, 12h
		mov	ds:dword_A94B44, eax
		mov	ds:dword_A94B48, 13h
		mov	ds:dword_A94B4C, eax
		mov	ds:dword_A94B50, 14h
		mov	ds:dword_A94B54, eax
		mov	ds:dword_A94B58, 15h
		mov	ds:dword_A94B5C, eax
		mov	ds:dword_A94B60, 16h
		mov	ds:dword_A94B64, eax
		mov	ds:dword_A94B68, 17h
		mov	ds:dword_A94B6C, eax
		mov	ds:dword_A94B70, 18h
		mov	ds:dword_A94B74, eax
		mov	ds:dword_A94BD0, 19h
		mov	ds:dword_A94BD4, eax
		mov	ds:dword_A94BD8, 1Ah
		mov	ds:dword_A94BDC, eax
		mov	ds:dword_A94BE0, ebx
		mov	ds:dword_A94BE4, eax
		mov	ds:dword_A94BF0, 1Ch
		mov	ds:dword_A94BF4, eax
		mov	ds:dword_A94BF8, edi
		mov	ds:dword_A94BFC, eax
		mov	ds:dword_A94C00, 1Eh
		mov	ds:dword_A94C04, eax
		mov	ds:dword_A94C08, esi
		mov	ds:dword_A94C0C, eax
		mov	ds:dword_A94C10, 20h
		mov	ds:dword_A94C14, eax
		mov	ds:dword_A94C18, edx
		mov	ds:dword_A94C1C, eax
		mov	ds:dword_A94C20, 22h
		mov	ds:dword_A94C24, eax
		mov	ds:dword_A94C28, ecx
		mov	ds:dword_A94C2C, eax
		mov	ds:dword_A94C5C, 24h
		mov	ds:dword_A94C60, eax
		mov	ds:_SeExports, offset _SepExports
		call	_SepInitializeSessionLowboxStructures@0	; SepInitializeSessionLowboxStructures()
		call	_SepInitializeSharedSidMap@0 ; SepInitializeSharedSidMap()
		test	eax, eax
		js	short loc_AD090D
		mov	al, 1
		jmp	short loc_AD090F
; 

loc_AD090D:				; CODE XREF: SepVariableInitialization()+3EEj
					; SepVariableInitialization()+3FFj ...
		xor	al, al

loc_AD090F:				; CODE XREF: SepVariableInitialization()+1A15j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SepVariableInitialization@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepInitSystemDacls()
_SepInitSystemDacls@0 proc near		; CODE XREF: SepVariableInitialization()+1499p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:_SeAliasAdminsSid
		push	ebx
		push	esi
		push	edi
		movzx	edi, byte ptr [eax+1]
		mov	eax, _SeLocalSystemSid
		push	63416553h
		movzx	edx, byte ptr [eax+1]
		lea	eax, [edx+edi]
		lea	ebx, ds:30h[eax*4]
		mov	eax, _SeWorldSid
		mov	[ebp+var_18], ebx
		movzx	ecx, byte ptr [eax+1]
		mov	eax, ds:_SeRestrictedSid
		lea	esi, [ecx+5]
		lea	esi, [ebx+esi*4]
		movzx	ebx, byte ptr [eax+1]
		mov	[ebp+var_24], esi
		lea	eax, [ebx+5]
		lea	eax, [esi+eax*4]
		mov	[ebp+var_4], eax
		mov	eax, ds:_SeLocalServiceSid
		movzx	esi, byte ptr [eax+1]
		lea	eax, [esi+ecx]
		add	eax, edx
		add	eax, edi
		lea	eax, ds:58h[eax*4]
		mov	[ebp+var_14], eax
		mov	eax, _SeOwnerRightsSid
		movzx	eax, byte ptr [eax+1]
		add	eax, edx
		add	eax, edi
		lea	edi, ds:44h[eax*4]
		mov	eax, _SeAllAppPackagesSid
		mov	[ebp+var_1C], edi
		add	edi, 64h
		movzx	edx, byte ptr [eax+1]
		mov	eax, ds:_SeServiceSid
		movzx	ecx, byte ptr [eax+1]
		mov	eax, ds:_SeNetworkServiceSid
		add	ecx, esi
		add	ecx, edx
		movzx	eax, byte ptr [eax+1]
		add	eax, ecx
		add	eax, ebx
		mov	ebx, [ebp+var_24]
		push	ebx
		push	11h
		lea	esi, [edi+eax*4]
		mov	eax, _SeMediumMandatorySid
		movzx	eax, byte ptr [eax+1]
		lea	edi, ds:1Ch[eax*4]
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	63416553h
		push	[ebp+var_4]
		mov	ds:_SePublicDefaultDacl, eax
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	63416553h
		push	ebx
		push	11h
		mov	ds:_SePublicDefaultUnrestrictedDacl, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	63416553h
		push	[ebp+var_4]
		mov	ds:_SePublicOpenDacl, eax
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	63416553h
		push	[ebp+var_18]
		mov	ds:_SePublicOpenUnrestrictedDacl, eax
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	63416553h
		push	[ebp+var_14]
		mov	ds:_SeSystemDefaultDacl, eax
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	63416553h
		push	[ebp+var_4]
		mov	ds:_SeLocalServicePublicDacl, eax
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	63416553h
		push	[ebp+var_1C]
		mov	ds:_SeAtomDacl,	eax
		push	11h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	63416553h
		push	esi
		push	11h
		mov	ds:_SepDefaultCapeDacl,	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	63416553h
		push	edi
		push	11h
		mov	ds:_SepDefaultRecoveryCapeDacl,	eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		push	2		; int
		push	ebx		; size_t
		push	ds:_SePublicDefaultDacl	; void *
		mov	ds:_SeMediumSacl, eax
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	ecx, ds:_SePublicDefaultUnrestrictedDacl
		push	2		; int
		push	[ebp+var_4]	; size_t
		mov	[ebp+var_20], ecx
		push	ecx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	eax, ds:_SePublicOpenDacl
		push	2		; int
		push	ebx		; size_t
		push	eax		; void *
		mov	[ebp+var_24], eax
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	ebx, [ebp+var_4]
		mov	eax, ds:_SePublicOpenUnrestrictedDacl
		push	2		; int
		push	ebx		; size_t
		push	eax		; void *
		mov	[ebp+var_8], eax
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	2		; int
		push	[ebp+var_18]	; size_t
		push	ds:_SeSystemDefaultDacl	; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	eax, ds:_SeLocalServicePublicDacl
		push	2		; int
		push	[ebp+var_14]	; size_t
		mov	[ebp+var_C], eax
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	eax, ds:_SeAtomDacl
		push	2		; int
		push	ebx		; size_t
		push	eax		; void *
		mov	[ebp+var_10], eax
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	eax, ds:_SepDefaultCapeDacl
		push	2		; int
		push	[ebp+var_1C]	; size_t
		mov	[ebp+var_14], eax
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	eax, ds:_SepDefaultRecoveryCapeDacl
		push	2		; int
		push	esi		; size_t
		push	eax		; void *
		mov	[ebp+var_18], eax
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		push	2		; int
		push	edi		; size_t
		push	ds:_SeMediumSacl ; void	*
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, _SeWorldSid
		mov	ebx, 20000000h
		push	esi
		push	ebx
		push	2
		push	ds:_SePublicDefaultDacl
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	esi
		mov	edi, [ebp+var_20]
		push	ebx
		push	2
		push	edi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	ebx, [ebp+var_24]
		push	esi
		push	0E0000000h
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	esi
		push	0E0000000h
		push	2
		push	[ebp+var_8]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	esi
		push	20000000h
		push	2
		push	[ebp+var_C]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	esi
		mov	esi, [ebp+var_10]
		push	20000h
		push	2
		push	esi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	eax, _SeLocalSystemSid
		push	eax
		push	10000000h
		push	2
		push	ds:_SePublicDefaultDacl
		mov	[ebp+var_4], eax
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	[ebp+var_4]
		push	10000000h
		push	2
		push	edi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	[ebp+var_4]
		push	10000000h
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	[ebp+var_4]
		push	10000000h
		push	2
		push	[ebp+var_8]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	[ebp+var_4]
		push	10000000h
		push	2
		push	ds:_SeSystemDefaultDacl
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	[ebp+var_4]
		push	10000000h
		push	2
		push	[ebp+var_C]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	[ebp+var_4]
		push	1F0000h
		push	2
		push	esi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	esi, ds:_SeAliasAdminsSid
		push	esi
		push	10000000h
		push	2
		push	ds:_SePublicDefaultDacl
		mov	[ebp+var_1C], esi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	esi
		push	10000000h
		push	2
		push	edi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	esi
		push	10000000h
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	esi
		mov	ebx, 10000000h
		push	ebx
		push	2
		push	[ebp+var_8]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	esi
		push	0A0020000h
		push	2
		push	ds:_SeSystemDefaultDacl
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	esi
		push	ebx
		push	2
		push	[ebp+var_C]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	esi
		push	1F0000h
		push	2
		push	[ebp+var_10]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	ebx, ds:_SeRestrictedSid
		push	ebx
		push	20000000h
		push	2
		push	edi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	ebx
		push	0A0000000h
		push	2
		push	[ebp+var_8]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	ebx
		push	20000h
		push	2
		push	[ebp+var_10]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	edi, ds:_SeLocalServiceSid
		push	edi
		push	10000000h
		push	2
		push	[ebp+var_C]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	[ebp+var_4]
		push	1FFFFFh
		push	2
		push	[ebp+var_14]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	esi
		push	1FFFFFh
		push	2
		push	[ebp+var_14]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	esi, _SeOwnerRightsSid
		push	esi
		push	0
		push	2
		push	[ebp+var_14]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	[ebp+var_4]
		push	1FFFFFh
		push	2
		push	[ebp+var_18]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	[ebp+var_1C]
		push	1FFFFFh
		push	2
		push	[ebp+var_18]
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	esi
		mov	esi, [ebp+var_18]
		push	0
		push	2
		push	esi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	edi
		mov	edi, 1FFFFFh
		push	edi
		push	2
		push	esi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	ds:_SeNetworkServiceSid
		push	edi
		push	2
		push	esi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	ebx
		push	edi
		push	2
		pop	ebx
		push	ebx
		push	esi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	ds:_SeServiceSid
		push	edi
		push	ebx
		push	esi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		push	_SeAllAppPackagesSid
		push	1200A9h
		push	ebx
		push	esi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	edi, ds:_SeMediumSacl
		push	ebx
		push	ecx
		push	_SeMediumMandatorySid
		mov	ecx, edi
		push	0
		call	RtlAddMandatoryAce
		mov	ebx, offset _SepPublicDefaultSd
		push	1
		push	ebx
		mov	ds:_SePublicDefaultSd, ebx
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	ds:_SePublicDefaultDacl
		push	1
		push	ebx
		call	RtlSetDaclSecurityDescriptor
		mov	ebx, offset _SepPublicDefaultUnrestrictedSd
		push	1
		push	ebx
		mov	ds:_SePublicDefaultUnrestrictedSd, ebx
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	ecx, [ebp+var_20]
		push	0
		push	ecx
		push	1
		push	ebx
		call	RtlSetDaclSecurityDescriptor
		mov	ebx, offset _SepPublicOpenSd
		push	1
		push	ebx
		mov	ds:_SePublicOpenSd, ebx
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	[ebp+var_24]
		push	1
		push	ebx
		call	RtlSetDaclSecurityDescriptor
		mov	ebx, offset _SepPublicOpenUnrestrictedSd
		push	1
		push	ebx
		mov	ds:_SePublicOpenUnrestrictedSd,	ebx
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	[ebp+var_8]
		push	1
		push	ebx
		call	RtlSetDaclSecurityDescriptor
		mov	eax, offset _SepSystemDefaultSd
		push	1
		push	eax
		mov	ds:_SeSystemDefaultSd, eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	ds:_SeSystemDefaultDacl
		push	1
		push	ds:_SeSystemDefaultSd
		call	RtlSetDaclSecurityDescriptor
		mov	ebx, offset _SepLocalServicePublicSd
		push	1
		push	ebx
		mov	ds:_SeLocalServicePublicSd, ebx
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	[ebp+var_C]
		push	1
		push	ebx
		call	RtlSetDaclSecurityDescriptor
		mov	ebx, offset _SepAtomSd
		push	1
		push	ebx
		mov	ds:_SeAtomSd, ebx
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	[ebp+var_10]
		push	1
		push	ebx
		call	RtlSetDaclSecurityDescriptor
		mov	ebx, offset _SepDefaultCapeSd
		push	1
		push	ebx
		mov	ds:_SeDefaultCapeSd, ebx
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	[ebp+var_14]
		push	1
		push	ebx
		call	RtlSetDaclSecurityDescriptor
		mov	ebx, [ebp+var_4]
		push	0
		push	ebx
		push	offset _SepDefaultCapeSd
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		push	0
		push	ebx
		push	offset _SepDefaultCapeSd
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		mov	eax, offset _SepDefaultRecoveryCapeSd
		push	1
		push	eax
		mov	ds:_SeDefaultRecoveryCapeSd, eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	esi
		push	1
		mov	esi, offset _SepDefaultRecoveryCapeSd
		push	esi
		call	RtlSetDaclSecurityDescriptor
		push	0
		push	ebx
		push	esi
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		push	0
		push	ebx
		push	esi
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		mov	eax, offset _SepNullDaclSd
		push	1
		push	eax
		mov	ds:_SeNullDaclSd, eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, offset _SepMediumDaclSd
		push	1
		push	esi
		mov	ds:_SeMediumDaclSd, esi
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		push	0
		push	edi
		push	1
		push	esi
		call	_RtlSetSaclSecurityDescriptor@16 ; RtlSetSaclSecurityDescriptor(x,x,x,x)
		push	0
		push	ebx
		push	esi
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		push	0
		push	ebx
		push	esi
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_SepInitSystemDacls@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopInitCrashDumpRegCallback(x, x, x, x, x, x)
_IopInitCrashDumpRegCallback@24	proc near ; DATA XREF: IopInitCrashDumpDuringSysInit+42o

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 30h
		push	esi
		mov	esi, [ebp+arg_14]
		push	edi
		xor	edi, edi
		mov	[esp+38h+var_2C], edi
		mov	[esp+38h+var_28], edi
		mov	[esp+38h+var_24], edi
		mov	[esp+38h+var_20], edi
		mov	[esp+38h+var_1C], edi
		test	esi, esi
		jz	loc_AD1048
		cmp	byte ptr [esi],	0
		jnz	loc_AD1048
		cmp	[ebp+arg_8], edi
		jz	loc_AD1048
		cmp	[ebp+arg_C], edi
		jz	loc_AD1048
		cmp	[ebp+arg_10], edi
		jz	loc_AD1048
		push	[ebp+arg_8]
		lea	eax, [esp+3Ch+var_28]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	loc_AD1048
		push	112h		; int
		push	edi		; int
		push	edi		; int
		push	edi		; int
		push	edi		; void *
		push	8008h		; int
		push	1		; int
		push	2		; int
		push	6		; int
		lea	eax, [esp+5Ch+var_28]
		mov	[esp+5Ch+var_18], 18h
		mov	[esp+5Ch+var_10], eax
		lea	eax, [esp+5Ch+var_20]
		push	edi		; int
		push	eax		; int
		lea	eax, [esp+64h+var_18]
		mov	[esp+64h+var_14], edi
		push	eax		; int
		push	0C0100000h	; int
		lea	eax, [esp+6Ch+var_2C]
		mov	[esp+6Ch+var_C], 40h
		push	eax		; int
		mov	[esp+70h+var_8], edi
		mov	[esp+70h+var_4], edi
		call	_IoCreateFile@56 ; IoCreateFile(x,x,x,x,x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AD1048
		push	1
		mov	edi, offset _IopCrashDumpLock
		push	edi
		call	ExAcquireResourceExclusiveLite
		push	[esp+38h+var_24]
		mov	ecx, [esp+3Ch+var_2C]
		push	[esp+3Ch+var_28]
		call	IopInitializeCrashDump
		test	al, al
		jz	short loc_AD1038
		mov	byte ptr [esi],	1

loc_AD1038:				; CODE XREF: IopInitCrashDumpRegCallback(x,x,x,x,x,x)+DDj
		mov	ecx, edi
		call	ExReleaseResourceLite
		push	[esp+38h+var_2C]
		call	NtClose

loc_AD1048:				; CODE XREF: IopInitCrashDumpRegCallback(x,x,x,x,x,x)+28j
					; IopInitCrashDumpRegCallback(x,x,x,x,x,x)+31j	...
		pop	edi
		xor	eax, eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	18h
_IopInitCrashDumpRegCallback@24	endp


;  S U B	R O U T	I N E 


; __stdcall PiDmInit()
_PiDmInit@0	proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+29Ep
		mov	edi, edi
		push	ebx
		push	esi
		xor	edx, edx
		mov	esi, offset _PiDmDeviceManager
		push	edi
		inc	edx
		mov	ecx, esi
		call	_PiDmObjectManagerInit@8 ; PiDmObjectManagerInit(x,x)
		push	3
		pop	edx
		mov	ecx, offset _PiDmDeviceInterfaceManager
		call	_PiDmObjectManagerInit@8 ; PiDmObjectManagerInit(x,x)
		push	4
		pop	edx
		mov	ecx, offset _PiDmDeviceInterfaceClassManager
		call	_PiDmObjectManagerInit@8 ; PiDmObjectManagerInit(x,x)
		push	5
		pop	edx
		mov	ecx, offset _PiDmDeviceContainerManager
		call	_PiDmObjectManagerInit@8 ; PiDmObjectManagerInit(x,x)
		push	2
		mov	ebx, offset _PiDmDeviceInstallerClassManager
		pop	edx
		mov	ecx, ebx
		call	_PiDmObjectManagerInit@8 ; PiDmObjectManagerInit(x,x)
		push	6
		mov	edi, offset _PiDmDevicePanelManager
		pop	edx
		mov	ecx, edi
		call	_PiDmObjectManagerInit@8 ; PiDmObjectManagerInit(x,x)
		mov	ecx, esi
		call	PiDmObjectManagerPopulate
		test	eax, eax
		js	short loc_AD1109
		mov	ecx, offset _PiDmDeviceInterfaceManager
		call	PiDmObjectManagerPopulate
		test	eax, eax
		js	short loc_AD1109
		mov	ecx, offset _PiDmDeviceInterfaceClassManager
		call	PiDmObjectManagerPopulate
		test	eax, eax
		js	short loc_AD1109
		mov	ecx, offset _PiDmDeviceContainerManager
		call	PiDmObjectManagerPopulate
		test	eax, eax
		js	short loc_AD1109
		mov	ecx, ebx
		call	PiDmObjectManagerPopulate
		test	eax, eax
		js	short loc_AD1109
		mov	ecx, edi
		call	PiDmObjectManagerPopulate
		test	eax, eax
		js	short loc_AD1109
		xor	esi, esi

loc_AD10F8:				; CODE XREF: PiDmInit()+B5j
		mov	ecx, esi
		call	_PiDmListInit@4	; PiDmListInit(x)
		test	eax, eax
		js	short loc_AD1109
		inc	esi
		cmp	esi, 7
		jb	short loc_AD10F8

loc_AD1109:				; CODE XREF: PiDmInit()+62j
					; PiDmInit()+70j ...
		pop	edi
		pop	esi
		pop	ebx
		retn
_PiDmInit@0	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PerfDiagInitialize()
_PerfDiagInitialize@0 proc near		; CODE XREF: EtwpInitialize+21Dp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		push	offset _PerfDiagGlobals
		push	esi
		push	offset _PerfDiagpBootSystemProxyCallback@36 ; PerfDiagpBootSystemProxyCallback(x,x,x,x,x,x,x,x,x)
		push	offset _MS_Kernel_BootDiagnostics_SystemProxy_Provider
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	dword_6BC720, esi
		mov	dword_6BC724, esi
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	offset unk_6BC708
		push	esi
		push	offset _PerfDiagpBootUserProxyCallback@36 ; PerfDiagpBootUserProxyCallback(x,x,x,x,x,x,x,x,x)
		push	offset _MS_Kernel_BootDiagnostics_UserProxy_Provider
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	offset unk_6BC710
		push	esi
		push	offset _PerfDiagpSecondaryLogonProxyCallback@36	; PerfDiagpSecondaryLogonProxyCallback(x,x,x,x,x,x,x,x,x)
		push	offset _MS_Kernel_SecondaryLogonDiagnostics_Proxy_Provider
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		push	offset unk_6BC718
		push	esi
		push	offset _PerfDiagpShutdownProxyCallback@36 ; PerfDiagpShutdownProxyCallback(x,x,x,x,x,x,x,x,x)
		push	offset _MS_Kernel_ShutdownDiagnostics_Proxy_Provider
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		push	esi
		push	offset _MS_Kernel_BootDiagnostics_Provider
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		test	eax, eax
		js	short loc_AD11DA
		push	esi
		push	esi
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], 67144949h
		push	eax
		push	(offset	loc_40847E+2)
		push	[ebp+var_1C]
		mov	[ebp+var_10], 48595132h
		push	[ebp+var_20]
		mov	[ebp+var_C], 37A73680h
		mov	[ebp+var_8], 0D82538B4h
		call	EtwWriteStartScenario
		push	[ebp+var_1C]
		push	[ebp+var_20]
		call	EtwUnregister

loc_AD11DA:				; CODE XREF: PerfDiagInitialize()+8Dj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PerfDiagInitialize@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreatePteWsle(x, x, x)
_MiCreatePteWsle@12 proc near		; DATA XREF: MiCreateInitialSystemWsles(x)+B3o

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_8], 1
		jge	short loc_AD120E
		mov	edx, [ebp+arg_4]
		mov	eax, [edx]
		and	eax, 1
		or	eax, 0
		jz	short loc_AD120E
		mov	ecx, [ebp+arg_0]
		call	MiCreateSoftwareWsle

loc_AD1209:				; CODE XREF: MiCreatePteWsle(x,x,x)+28j
		pop	ecx
		pop	ebp
		retn	0Ch
; 

loc_AD120E:				; CODE XREF: MiCreatePteWsle(x,x,x)+Aj
					; MiCreatePteWsle(x,x,x)+17j
		xor	eax, eax
		jmp	short loc_AD1209
_MiCreatePteWsle@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipAddDevicesToBootDriverWorker(x, x, x)
_PipAddDevicesToBootDriverWorker@12 proc near
					; CODE XREF: PipApplyFunctionToServiceInstances+169p

arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ecx
		mov	ecx, [ebp+arg_4]
		mov	edx, 746C6644h
		push	esi
		call	_PnpDeviceObjectFromDeviceInstanceWithTag@8 ; PnpDeviceObjectFromDeviceInstanceWithTag(x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_AD1242
		mov	ecx, esi
		call	_PiProcessAddBootDevices@4 ; PiProcessAddBootDevices(x)
		mov	edx, 746C6644h
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag

loc_AD1242:				; CODE XREF: PipAddDevicesToBootDriverWorker(x,x,x)+1Bj
		xor	eax, eax
		inc	eax
		pop	esi
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_PipAddDevicesToBootDriverWorker@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiInitializeTRTSS(x, x)
_KiInitializeTRTSS@8 proc near		; CODE XREF: KiSystemStartup(x)+D1p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_4]
		test	eax, eax
		jz	short loc_AD1267
		and	dword ptr [eax+4], 0FFF0FFFFh
		mov	ecx, 20ABh
		mov	[eax], cx

loc_AD1267:				; CODE XREF: KiInitializeTRTSS(x,x)+Aj
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		push	2004h		; size_t
		push	0FFh		; int
		lea	eax, [esi+88h]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [esi+68h]
		xor	eax, eax
		lea	edx, [esi+208Ch]
		push	8
		pop	ecx
		rep stosd
		push	8
		mov	byte ptr [esi+68h], 4
		mov	edi, edx
		mov	word ptr [esi+6Bh], 1818h
		pop	ecx
		rep stosd
		mov	byte ptr [edx],	4
		mov	word ptr [edx+3], 1818h
		push	10h
		mov	[esi+60h], ax
		pop	eax
		pop	edi
		mov	dword ptr [esi+64h], 20AC0000h
		mov	[esi+8], ax
		pop	esi
		pop	ebp
		retn	8
_KiInitializeTRTSS@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopDiagInitialize()
_PopDiagInitialize@0 proc near		; CODE XREF: PoInitSystem:loc_AC18ACp
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	eax, offset _PopDiagHandle
		mov	edi, offset PopDiagTraceControlCallback
		push	eax
		push	eax
		push	edi
		push	offset _POP_ETW_PROVIDER
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		test	eax, eax
		js	short loc_AD130F
		movzx	eax, word ptr ds:?Traits@?1??EnableManifestedProviderForMicrosoftTelemetry@@9@9	; `EnableManifestedProviderForMicrosoftTelemetry'::`2'::Traits
		push	eax
		push	offset ?Traits@?1??EnableManifestedProviderForMicrosoftTelemetry@@9@9 ;	`EnableManifestedProviderForMicrosoftTelemetry'::`2'::Traits
		push	2
		push	dword_6C1D74
		mov	_PopDiagHandleRegistered, 1
		push	_PopDiagHandle
		call	EtwSetInformation

loc_AD130F:				; CODE XREF: PopDiagInitialize()+1Ej
		mov	ecx, offset dword_6B23F8
		mov	dword_6C1EF8, offset _PopDiagDeviceRundownWorker@4 ; PopDiagDeviceRundownWorker(x)
		xor	esi, esi
		mov	edx, edi
		push	ecx
		mov	dword_6C1EFC, esi
		mov	_PopDiagDeviceRundownWorkItem, esi
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		push	offset _PopTriggerDiagHandle
		push	esi
		push	esi
		push	offset _POP_TRIGGER_ETW_PROVIDER
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		test	eax, eax
		js	short loc_AD1350
		mov	_PopTriggerDiagHandleRegistered, 1

loc_AD1350:				; CODE XREF: PopDiagInitialize()+7Fj
		call	_PopDiagSleepStudyInitialize@0 ; PopDiagSleepStudyInitialize()
		push	offset dword_6C1F30
		mov	_PopTelemetryOsState, esi
		mov	dword_6C1F24, esi
		call	KeQuerySystemTime
		call	KeQueryInterruptTime
		mov	cl, 1
		mov	dword_6C1F38, eax
		mov	dword_6C1F3C, edx
		call	KiQueryUnbiasedInterruptTime
		mov	dword_6C1F44, edx
		xor	ecx, ecx
		xor	edx, edx
		mov	dword_6C1F40, eax
		inc	edx
		mov	byte_6C1F64, 1
		inc	ecx
		call	PopTransitionTelemetryOsState
		call	_PdcTaskClientRegister@8 ; PdcTaskClientRegister(x,x)
		pop	edi
		xor	eax, eax
		pop	esi
		pop	ecx
		retn
_PopDiagInitialize@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiInitCacheGroupInformation()
_PiInitCacheGroupInformation@0 proc near
					; CODE XREF: IopInitializePlugPlayServices(x,x)+1EBp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_18], 8A0088h
		push	20019h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_8], ebx
		push	eax
		xor	edx, edx
		mov	[ebp+var_4], ebx
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], offset ??_C@_1IK@LOKJJLEF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
		test	eax, eax
		js	short loc_AD1446
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		mov	edx, offset ??_C@_19DOLMIDJD@?$AAL?$AAi?$AAs?$AAt@PBOPGDP@
		call	IopGetRegistryValue
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		mov	[ebp+var_C], ebx
		test	esi, esi
		js	short loc_AD1452
		mov	edi, [ebp+var_8]
		cmp	dword ptr [edi+4], 7
		jnz	short loc_AD144B
		cmp	[edi+0Ch], ebx
		jz	short loc_AD144B
		lea	eax, [ebp+var_10]
		mov	ecx, edi
		push	eax
		lea	edx, [ebp+var_C]
		call	PnpRegMultiSzToUnicodeStrings
		mov	ebx, [ebp+var_C]
		mov	esi, eax

loc_AD1429:				; CODE XREF: PiInitCacheGroupInformation()+A6j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	esi, esi
		js	short loc_AD1452
		mov	eax, [ebp+var_10]
		mov	_PiInitGroupOrderTableCount, ax
		xor	eax, eax
		mov	_PiInitGroupOrderTable,	ebx

loc_AD1446:				; CODE XREF: PiInitCacheGroupInformation()+39j
					; PiInitCacheGroupInformation()+AAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD144B:				; CODE XREF: PiInitCacheGroupInformation()+65j
					; PiInitCacheGroupInformation()+6Aj
		mov	esi, 0C0000001h
		jmp	short loc_AD1429
; 

loc_AD1452:				; CODE XREF: PiInitCacheGroupInformation()+5Cj
					; PiInitCacheGroupInformation()+89j
		mov	eax, esi
		jmp	short loc_AD1446
_PiInitCacheGroupInformation@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpRegMultiSzToUnicodeStrings proc near	; CODE XREF: PiInitCacheGroupInformation()+75p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE74EB SIZE 00000078 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		mov	esi, ecx
		mov	ebx, edx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_14], esi
		cmp	dword ptr [esi+4], 7
		jnz	loc_AE74EB
		xor	eax, eax
		mov	ecx, eax
		mov	eax, [esi+8]
		push	edi
		mov	edi, [esi+0Ch]
		add	eax, esi
		add	edi, eax
		cmp	eax, edi
		jz	loc_AE74F5
		lea	edx, [eax+2]
		xor	ebx, ebx

loc_AD1490:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+47j
		cmp	[eax], bx
		jz	short loc_AD14A1

loc_AD1495:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+53j
		add	eax, 2
		add	edx, 2
		cmp	eax, edi
		jnz	short loc_AD1490
		jmp	short loc_AD14AB
; 

loc_AD14A1:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+3Dj
		inc	ecx
		cmp	edx, edi
		jz	short loc_AD14AB
		cmp	[edx], bx
		jnz	short loc_AD1495

loc_AD14AB:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+49j
					; PnpRegMultiSzToUnicodeStrings+4Ej
		mov	ebx, [ebp+var_8]
		mov	[ebp+var_C], ecx
		cmp	eax, edi
		jz	loc_AE74F5

loc_AD14B9:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+160A3j
		mov	eax, ecx
		push	75737050h
		shl	eax, 3
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx], eax
		test	eax, eax
		jz	loc_AE7526
		mov	esi, [esi+8]
		xor	edx, edx
		add	esi, [ebp+var_14]
		mov	ebx, edx
		mov	ecx, esi
		mov	[ebp+var_4], ecx
		cmp	esi, edi
		jz	loc_AE74FE
		lea	eax, [esi+2]
		mov	[ebp+var_14], eax

loc_AD14F2:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+ACj
		cmp	[esi], dx
		jz	short loc_AD1519

loc_AD14F7:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+124j
		add	esi, 2
		add	eax, 2
		mov	[ebp+var_14], eax
		cmp	esi, edi
		jnz	short loc_AD14F2

loc_AD1504:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+116j
					; PnpRegMultiSzToUnicodeStrings+11Dj
		cmp	esi, edi
		jz	short loc_AD1586

loc_AD1508:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+16108j
		mov	eax, [ebp+arg_0]
		mov	ecx, [ebp+var_C]
		mov	[eax], ecx
		xor	eax, eax

loc_AD1512:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+160D5j
		pop	edi

loc_AD1513:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+1609Aj
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_AD1519:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+9Fj
		mov	eax, esi
		sub	eax, ecx
		add	eax, 2
		push	75737050h
		push	eax
		push	1
		mov	[ebp+var_10], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		mov	eax, [ebp+var_8]
		mov	eax, [eax]
		mov	[ebp+var_18], eax
		mov	[eax+ebx*8+4], ecx
		test	ecx, ecx
		jz	short loc_AD157F
		push	[ebp+var_10]	; size_t
		push	[ebp+var_4]	; void *
		push	ecx		; void *
		call	_memcpy
		mov	ecx, [ebp+var_18]
		add	esp, 0Ch
		mov	eax, [ebp+var_10]
		movzx	eax, ax
		mov	[ecx+ebx*8+2], ax
		add	eax, 0FFFFFFFEh
		mov	[ecx+ebx*8], ax
		inc	ebx
		mov	eax, [ebp+var_14]
		cmp	eax, edi
		jz	short loc_AD1504
		xor	edx, edx
		cmp	[eax], dx
		jz	short loc_AD1504
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		jmp	loc_AD14F7
; 

loc_AD157F:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+EAj
		mov	ecx, eax
		jmp	loc_AE751F
; 

loc_AD1586:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+B0j
		mov	ecx, [ebp+var_4]
		jmp	loc_AE74FE
PnpRegMultiSzToUnicodeStrings endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMemoryLicense	proc near		; CODE XREF: MiInitNucleus(x)+11Bp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7563 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		or	[ebp+var_4], 0FFFFFFFFh
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		lea	ecx, [ebp+var_4]
		call	_MxMemoryLicense@4 ; MxMemoryLicense(x)
		mov	esi, [ebp+var_4]
		cmp	esi, 100000h
		mov	[ebp+var_8], eax
		sbb	ebx, ebx
		mov	dword_6D06CC, eax
		neg	ebx
		call	_MiLargestSystemVa@0 ; MiLargestSystemVa()
		dec	eax
		xor	edx, edx
		shl	eax, 15h
		push	1Ch
		pop	ecx
		div	ecx
		dec	eax
		cmp	esi, eax
		ja	loc_AE7563

loc_AD15D5:				; CODE XREF: MiMemoryLicense+15FD7j
		mov	eax, 1FFFFFFh
		cmp	esi, eax
		ja	short loc_AD164A

loc_AD15DE:				; CODE XREF: MiMemoryLicense+BEj
		mov	eax, offset loc_7FFFFA
		cmp	esi, eax
		ja	short loc_AD164E

loc_AD15E7:				; CODE XREF: MiMemoryLicense+C2j
		mov	ecx, dword_6D0700
		mov	eax, dword_6D0704
		shrd	ecx, eax, 0Ch
		shr	eax, 0Ch
		mov	edx, ecx
		add	edx, 0FFFFFFFFh
		adc	eax, 0FFFFFFFFh
		and	[ebp+var_4], 0
		cmp	[ebp+var_4], eax
		jb	short loc_AD1610
		ja	short loc_AD1652
		cmp	esi, edx
		ja	short loc_AD1652

loc_AD1610:				; CODE XREF: MiMemoryLicense+7Aj
					; MiMemoryLicense+C7j
		mov	edx, esi
		mov	ecx, edi
		call	MiLimitLoaderBlockHighMemory
		mov	edx, [ebp+var_8]
		mov	ecx, edi
		call	MiLimitLoaderBlockTotalMemory
		test	ebx, ebx
		jz	loc_AE756A

loc_AD162B:				; CODE XREF: MiMemoryLicense+15FEBj
					; MiMemoryLicense+15FF8j
		or	dword_6D3250, 0FFFFFFFFh
		mov	edx, 7FF7FAh
		cmp	esi, edx
		ja	loc_AE758B

loc_AD163F:				; CODE XREF: MiMemoryLicense+16006j
		pop	edi
		mov	dword_6D07B0, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD164A:				; CODE XREF: MiMemoryLicense+4Ej
		mov	esi, eax
		jmp	short loc_AD15DE
; 

loc_AD164E:				; CODE XREF: MiMemoryLicense+57j
		mov	esi, eax
		jmp	short loc_AD15E7
; 

loc_AD1652:				; CODE XREF: MiMemoryLicense+7Cj
					; MiMemoryLicense+80j
		lea	esi, [ecx-1]
		jmp	short loc_AD1610
MiMemoryLicense	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLimitLoaderBlockTotalMemory proc near	; CODE XREF: MiMemoryLicense+90p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7599 SIZE 00000071 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [ecx+1Ch]
		lea	eax, [ecx+18h]
		mov	[ebp+var_10], edx
		mov	ebx, esi
		xor	edx, edx
		mov	[ebp+var_C], esi
		and	[ebp+var_4], edx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], eax
		cmp	ebx, eax
		jz	short loc_AD16E5
		mov	esi, eax

loc_AD1681:				; CODE XREF: MiLimitLoaderBlockTotalMemory+88j
		mov	eax, [ebx+8]
		cmp	eax, 20h
		jz	short loc_AD16DB
		cmp	eax, 6
		jz	short loc_AD16DB
		cmp	eax, 1Eh
		jz	short loc_AD16DB
		cmp	eax, 1Fh
		jz	short loc_AD16DB
		cmp	eax, 22h
		jz	short loc_AD16DB
		cmp	eax, 17h
		jz	short loc_AD16DB
		cmp	eax, 3
		jz	short loc_AD16DB
		cmp	eax, 16h
		jz	short loc_AD16DB
		cmp	eax, 26h
		jz	short loc_AD16DB
		cmp	eax, 27h
		jz	short loc_AD16DB
		cmp	eax, 28h
		jz	short loc_AD16DB
		mov	ecx, [ebx+10h]
		add	edi, ecx
		cmp	eax, 2
		jz	short loc_AD16D9
		cmp	eax, 5
		jz	short loc_AD16D9
		cmp	eax, 4
		jz	short loc_AD16D9
		cmp	eax, 18h
		jz	short loc_AD16D9
		cmp	eax, 8
		jnz	short loc_AD16DB

loc_AD16D9:				; CODE XREF: MiLimitLoaderBlockTotalMemory+6Bj
					; MiLimitLoaderBlockTotalMemory+70j ...
		add	edx, ecx

loc_AD16DB:				; CODE XREF: MiLimitLoaderBlockTotalMemory+2Fj
					; MiLimitLoaderBlockTotalMemory+34j ...
		mov	ebx, [ebx+4]
		cmp	ebx, esi
		jnz	short loc_AD1681
		mov	esi, [ebp+var_C]

loc_AD16E5:				; CODE XREF: MiLimitLoaderBlockTotalMemory+25j
		mov	ecx, [ebp+var_10]
		mov	eax, edi
		sub	eax, edx
		cmp	eax, ecx
		ja	loc_AE7599
		mov	ebx, [ebp+var_8]
		cmp	esi, ebx
		jz	short loc_AD176F
		mov	eax, edi
		sub	eax, ecx
		cmp	ecx, edi
		mov	edi, [ebp+var_4]
		sbb	edx, edx
		and	edx, eax

loc_AD1708:				; CODE XREF: MiLimitLoaderBlockTotalMemory+107j
		test	edx, edx
		jnz	loc_AE75A8

loc_AD1710:				; CODE XREF: MiLimitLoaderBlockTotalMemory+15F6Aj
					; MiLimitLoaderBlockTotalMemory+15F91j	...
		mov	eax, [esi+8]
		cmp	eax, 20h
		jz	short loc_AD175A
		cmp	eax, 6
		jz	short loc_AD175A
		cmp	eax, 1Eh
		jz	short loc_AD175A
		cmp	eax, 1Fh
		jz	short loc_AD175A
		cmp	eax, 22h
		jz	short loc_AD175A
		cmp	eax, 17h
		jz	short loc_AD175A
		cmp	eax, 3
		jz	short loc_AD175A
		cmp	eax, 16h
		jz	short loc_AD175A
		cmp	eax, 26h
		jz	short loc_AD175A
		cmp	eax, 27h
		jz	short loc_AD175A
		cmp	eax, 28h
		jz	short loc_AD175A
		mov	ecx, [esi+10h]
		test	ecx, ecx
		jz	short loc_AD175A
		mov	eax, [esi+0Ch]
		add	eax, ecx
		cmp	eax, edi
		ja	short loc_AD1768

loc_AD175A:				; CODE XREF: MiLimitLoaderBlockTotalMemory+BEj
					; MiLimitLoaderBlockTotalMemory+C3j ...
		mov	esi, [esi+4]
		cmp	esi, ebx
		jnz	short loc_AD1708

loc_AD1761:				; CODE XREF: MiLimitLoaderBlockTotalMemory+11Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD1768:				; CODE XREF: MiLimitLoaderBlockTotalMemory+100j
		mov	[ebp+var_4], eax
		mov	edi, eax
		jmp	short loc_AD175A
; 

loc_AD176F:				; CODE XREF: MiLimitLoaderBlockTotalMemory+A1j
		mov	edi, [ebp+var_4]
		jmp	short loc_AD1761
MiLimitLoaderBlockTotalMemory endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiLimitLoaderBlockHighMemory proc near	; CODE XREF: MiMemoryLicense+86p
					; MiMemoryLicense+16001p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE760A SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		add	ecx, 18h
		push	ebx
		push	esi
		mov	ebx, edx
		mov	[ebp+var_4], ecx
		mov	esi, [ecx]
		cmp	esi, ecx
		jz	short loc_AD17F0
		mov	eax, ecx
		push	edi

loc_AD178D:				; CODE XREF: MiLimitLoaderBlockHighMemory+79j
		mov	ecx, [esi+8]
		cmp	ecx, 26h
		jz	loc_AE75FF
		cmp	ecx, 27h
		jz	loc_AE760A

loc_AD17A2:				; CODE XREF: MiLimitLoaderBlockHighMemory+15E9Cj
		cmp	ecx, 20h
		jz	short loc_AD17E9
		cmp	ecx, 6
		jz	short loc_AD17E9
		cmp	ecx, 1Eh
		jz	short loc_AD17E9
		cmp	ecx, 1Fh
		jz	short loc_AD17E9

loc_AD17B6:				; CODE XREF: MiLimitLoaderBlockTotalMemory+15FADj
		cmp	ecx, 22h
		jz	short loc_AD17E9
		cmp	ecx, 17h
		jz	short loc_AD17E9
		cmp	ecx, 3
		jz	short loc_AD17E9
		cmp	ecx, 16h
		jz	short loc_AD17E9
		cmp	ecx, 26h
		jz	short loc_AD17E9
		cmp	ecx, 27h
		jz	short loc_AD17E9
		cmp	ecx, 28h
		jz	short loc_AD17E9
		mov	edi, [esi+10h]
		mov	edx, [esi+0Ch]
		lea	eax, [edx+edi]
		cmp	eax, ebx
		ja	short loc_AD17F4

loc_AD17E6:				; CODE XREF: MiLimitLoaderBlockHighMemory+A0j
					; MiLimitLoaderBlockHighMemory+A9j
		mov	eax, [ebp+var_4]

loc_AD17E9:				; CODE XREF: MiLimitLoaderBlockHighMemory+31j
					; MiLimitLoaderBlockHighMemory+36j ...
		mov	esi, [esi]
		cmp	esi, eax
		jnz	short loc_AD178D
		pop	edi

loc_AD17F0:				; CODE XREF: MiLimitLoaderBlockHighMemory+14j
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD17F4:				; CODE XREF: MiLimitLoaderBlockHighMemory+70j
		cmp	ecx, 2
		jnz	loc_AE7615

loc_AD17FD:				; CODE XREF: MiLimitLoaderBlockHighMemory+15EA4j
					; MiLimitLoaderBlockHighMemory+15EADj ...
		cmp	edx, ebx
		jb	short loc_AD1816
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_AD181F
		mov	ecx, [esi+4]
		cmp	[ecx], esi
		jnz	short loc_AD181F
		mov	[ecx], eax
		mov	[eax+4], ecx
		jmp	short loc_AD17E6
; 

loc_AD1816:				; CODE XREF: MiLimitLoaderBlockHighMemory+8Bj
		mov	eax, ebx
		sub	eax, edx
		mov	[esi+10h], eax
		jmp	short loc_AD17E6
; 

loc_AD181F:				; CODE XREF: MiLimitLoaderBlockHighMemory+92j
					; MiLimitLoaderBlockHighMemory+99j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall MiLargestSystemVa()
_MiLargestSystemVa@0:			; CODE XREF: MiMemoryLicense+2Ep
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	offset dword_6D2E64
		xor	esi, esi
		xor	edi, edi
		call	_ExAcquireSpinLockShared@4 ; ExAcquireSpinLockShared(x)
		mov	bl, al
		xor	eax, eax

loc_AD183B:				; CODE XREF: MiLimitLoaderBlockHighMemory+D7j
		cmp	byte ptr dword_6D3D94[eax], 0
		jnz	short loc_AD1865
		inc	esi

loc_AD1845:				; CODE XREF: MiLimitLoaderBlockHighMemory+F7j
		inc	eax
		cmp	eax, 400h
		jb	short loc_AD183B
		push	offset dword_6D2E64
		call	ExReleaseSpinLockSharedFromDpcLevel
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_AD1865:				; CODE XREF: MiLimitLoaderBlockHighMemory+CEj
		cmp	esi, edi
		ja	short loc_AD186D

loc_AD1869:				; CODE XREF: MiLimitLoaderBlockHighMemory+FBj
		xor	esi, esi
		jmp	short loc_AD1845
; 

loc_AD186D:				; CODE XREF: MiLimitLoaderBlockHighMemory+F3j
		mov	edi, esi
		jmp	short loc_AD1869
MiLimitLoaderBlockHighMemory endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MxMemoryLicense(x)
_MxMemoryLicense@4 proc	near		; CODE XREF: MiMemoryLicense+14p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		push	esi
		push	edi
		push	3Ch
		pop	eax
		push	3Eh
		mov	word ptr [ebp+var_14], ax
		mov	edi, ecx
		pop	eax
		push	2Ch
		mov	word ptr [ebp+var_14+2], ax
		xor	ebx, ebx
		pop	eax
		push	2Eh
		mov	word ptr [ebp+var_1C], ax
		pop	eax
		push	4
		pop	ecx
		mov	word ptr [ebp+var_1C+2], ax
		lea	eax, [ebp+var_8]
		push	eax
		push	ecx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_10], offset ??_C@_1DO@KHKMKABP@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AAM@PBOPGDP@
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_18], offset ??_C@_1CO@CEOBBIMK@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAa?$AAx?$AAP?$AAh?$AAy?$AAs?$AAi@PBOPGDP@
		push	eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_C], ebx
		push	eax
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ecx
		call	NtQueryLicenseValue
		test	eax, eax
		js	short loc_AD1915
		mov	esi, [ebp+var_4]
		test	esi, esi
		jz	short loc_AD1915
		shl	esi, 8

loc_AD18DB:				; CODE XREF: MxMemoryLicense(x)+A8j
		push	4
		pop	ecx
		lea	eax, [ebp+var_8]
		mov	[ebp+var_C], ebx
		push	eax
		push	ecx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ebx
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_8], ecx
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	NtQueryLicenseValue
		test	eax, eax
		js	short loc_AD190E
		mov	ecx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_AD190E
		shl	ecx, 8
		dec	ecx
		mov	[edi], ecx

loc_AD190E:				; CODE XREF: MxMemoryLicense(x)+8Dj
					; MxMemoryLicense(x)+94j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD1915:				; CODE XREF: MxMemoryLicense(x)+5Dj
					; MxMemoryLicense(x)+64j
		mov	esi, 80000h
		jmp	short loc_AD18DB
_MxMemoryLicense@4 endp


;  S U B	R O U T	I N E 


; __stdcall MiInitializeDecayPfns()
_MiInitializeDecayPfns@0 proc near	; CODE XREF: MiInitNucleus(x)+22Bp
		mov	eax, dword_6D3250
		and	dword_6D3258, 0
		add	eax, 7FFh
		and	dword_6D325C, 0
		push	esi
		imul	esi, eax, 1Ch
		push	edi
		mov	edi, 800h
		add	esi, ds:_MmPfnDatabase
		mov	eax, [esi+18h]
		and	eax, 0FF800001h
		or	eax, 1
		mov	[esi+18h], eax

loc_AD1952:				; CODE XREF: MiInitializeDecayPfns()+48j
		mov	edx, esi
		mov	ecx, offset dword_6D3258
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		sub	esi, 1Ch
		sub	edi, 1
		jnz	short loc_AD1952
		pop	edi
		pop	esi
		retn
_MiInitializeDecayPfns@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckLargePageOk proc	near		; CODE XREF: MiInitNucleus(x)+170p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7665 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], edi
		mov	ebx, [esi+10h]
		mov	esi, edi

loc_AD1984:				; CODE XREF: MiCheckLargePageOk+5Aj
		mov	eax, [ebx+18h]
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jz	short loc_AD1996
		inc	esi

loc_AD1996:				; CODE XREF: MiCheckLargePageOk+29j
		mov	ecx, [ebx+20h]
		mov	edx, [ebp+var_C]
		add	ecx, edx
		mov	eax, [ebp+var_4]
		test	eax, eax
		jnz	loc_AD1A5C
		mov	ds:dword_AFF34C, ebx
		mov	ds:_PsNtosImageBase, edx
		mov	ds:_PsNtosImageEnd, ecx

loc_AD19BB:				; CODE XREF: MiCheckLargePageOk+104j
		mov	ebx, [ebx]
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, 2
		jb	short loc_AD1984
		mov	[ebp+var_C], esi
		nop
		mov	esi, [ebp+var_8]
		mov	ebx, edi
		mov	ecx, edi
		mov	[ebp+var_8], edi
		mov	edx, [esi+10h]
		mov	[ebp+var_4], edx

loc_AD19DA:				; CODE XREF: MiCheckLargePageOk+A7j
		mov	eax, [edx+18h]
		push	eax
		mov	dword_6CF570[ecx*4], edx
		call	_RtlImageNtHeader@4 ; RtlImageNtHeader(x)
		mov	ecx, [ebp+var_8]
		mov	eax, [eax+38h]
		test	ecx, ecx
		jnz	short loc_AD1A73
		mov	ebx, eax
		cmp	ebx, 1000h
		jnz	loc_AE765B

loc_AD1A02:				; CODE XREF: MiCheckLargePageOk+10Bj
		mov	edx, [ebp+var_4]
		inc	ecx
		mov	[ebp+var_8], ecx
		mov	edx, [edx]
		mov	[ebp+var_4], edx
		cmp	ecx, 2
		jb	short loc_AD19DA
		mov	eax, [ebp+var_C]
		test	eax, eax
		jz	short loc_AD1A7C
		cmp	eax, 2
		jnz	loc_AE7674
		mov	ebx, [esi+10h]

loc_AD1A26:				; CODE XREF: MiCheckLargePageOk+E1j
		mov	eax, [ebx+18h]
		mov	ecx, eax
		mov	[ebp+var_C], eax
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		cmp	eax, 1
		jnz	loc_AE767E
		mov	edx, ebx
		mov	ecx, esi
		call	MiCheckLargePageSystemImage
		mov	ebx, [ebx]
		inc	edi
		cmp	edi, 2
		jb	short loc_AD1A26
		or	ds:_MiFlags, 4
		xor	eax, eax
		inc	eax

loc_AD1A57:				; CODE XREF: MiCheckLargePageOk+114j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD1A5C:				; CODE XREF: MiCheckLargePageOk+39j
		mov	ds:_MxHalDataTableEntry, ebx
		mov	ds:_PsHalImageBase, edx
		mov	ds:_PsHalImageEnd, ecx
		jmp	loc_AD19BB
; 

loc_AD1A73:				; CODE XREF: MiCheckLargePageOk+88j
		cmp	ebx, eax
		jz	short loc_AD1A02
		jmp	loc_AE7665
; 

loc_AD1A7C:				; CODE XREF: MiCheckLargePageOk+AEj
		xor	eax, eax
		jmp	short loc_AD1A57
MiCheckLargePageOk endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiCheckLargePageSystemImage proc near	; CODE XREF: MiCheckLargePageOk+D6p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7692 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		mov	esi, [edx+18h]
		push	edi
		mov	edi, esi
		mov	[ebp+var_4], ecx
		shr	edi, 12h
		lea	ebx, [esi-1]
		and	edi, 3FF8h
		add	ebx, [edx+20h]
		sub	edi, 3FA00000h
		shr	ebx, 12h
		and	ebx, 3FF8h
		sub	ebx, 3FA00000h
		cmp	edi, ebx
		ja	short loc_AD1B2D
		add	ecx, 18h
		mov	[ebp+var_8], ecx

loc_AD1AC1:				; CODE XREF: MiCheckLargePageSystemImage+ABj
		and	[ebp+var_10], 0
		and	[ebp+var_C], 0
		mov	edx, [edi]
		nop
		mov	esi, [edi+4]
		mov	eax, edx
		and	eax, 80h
		or	eax, 0
		jz	loc_AE769E
		nop
		shrd	edx, esi, 0Ch
		mov	esi, [ecx]
		and	edx, 1FFFFFFh
		jmp	short loc_AD1B09
; 

loc_AD1AEE:				; CODE XREF: MiCheckLargePageSystemImage+8Bj
		mov	eax, [esi+0Ch]
		cmp	eax, edx
		ja	short loc_AD1B07
		mov	ecx, [esi+10h]
		add	ecx, eax
		lea	eax, [edx+200h]
		cmp	ecx, eax
		jnb	short loc_AD1B0F
		mov	ecx, [ebp+var_8]

loc_AD1B07:				; CODE XREF: MiCheckLargePageSystemImage+73j
		mov	esi, [esi]

loc_AD1B09:				; CODE XREF: MiCheckLargePageSystemImage+6Cj
		cmp	esi, ecx
		jnz	short loc_AD1AEE
		jmp	short loc_AD1B1E
; 

loc_AD1B0F:				; CODE XREF: MiCheckLargePageSystemImage+82j
		mov	eax, [esi+8]
		cmp	eax, 9
		jnz	loc_AE7692
		mov	ecx, [ebp+var_8]

loc_AD1B1E:				; CODE XREF: MiCheckLargePageSystemImage+8Dj
		cmp	esi, ecx
		jz	loc_AE76AF
		add	edi, 8
		cmp	edi, ebx
		jbe	short loc_AD1AC1

loc_AD1B2D:				; CODE XREF: MiCheckLargePageSystemImage+39j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiCheckLargePageSystemImage endp


;  S U B	R O U T	I N E 


; __stdcall MiZeroBootMappings()
_MiZeroBootMappings@0 proc near		; CODE XREF: MiInitNucleus(x)+226p
		mov	edi, edi
		push	ecx
		mov	edx, dword_6D07D0
		mov	eax, 40000000h
		shr	edx, 9
		mov	ecx, 0C0600000h
		sub	edx, eax
		shr	edx, 9
		and	edx, offset loc_7FFFF8
		sub	edx, eax
		push	1
		call	MxZeroBootMappings
		xor	ecx, ecx
		inc	ecx
		call	KeFlushCurrentTbOnly
		pop	ecx
		retn
_MiZeroBootMappings@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MxZeroBootMappings proc	near		; CODE XREF: MiZeroBootMappings()+25p
					; MxZeroBootMappings+15B63p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AE76BC SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	esi, ecx

loc_AD1B75:				; CODE XREF: MxZeroBootMappings+2Bj
		cmp	esi, ebx
		jnb	short loc_AD1BD9
		mov	edi, [esi]
		nop
		mov	ecx, [esi+4]
		mov	eax, edi
		or	eax, ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], ecx
		jnz	short loc_AD1B93

loc_AD1B8E:				; CODE XREF: MxZeroBootMappings+71j
		add	esi, 8
		jmp	short loc_AD1B75
; 

loc_AD1B93:				; CODE XREF: MxZeroBootMappings+26j
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	short loc_AD1BC7
		mov	eax, edi
		and	eax, 80h
		or	eax, 0
		jnz	short loc_AD1BC7
		mov	eax, [ebp+arg_0]
		cmp	eax, 1
		jg	loc_AE76BC

loc_AD1BB5:				; CODE XREF: MxZeroBootMappings+15B6Bj
		nop
		shrd	edi, ecx, 0Ch
		and	edi, 1FFFFFFh
		mov	ecx, edi
		call	MiFreeBootPageTable

loc_AD1BC7:				; CODE XREF: MxZeroBootMappings+35j
					; MxZeroBootMappings+41j
		mov	eax, ds:_ZeroPte
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+4], eax
		jmp	short loc_AD1B8E
; 

loc_AD1BD9:				; CODE XREF: MxZeroBootMappings+11j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
MxZeroBootMappings endp


;  S U B	R O U T	I N E 


MiFreeBootPageTable proc near		; CODE XREF: MxZeroBootMappings+5Cp

; FUNCTION CHUNK AT 00AE76D6 SIZE 00000021 BYTES

		mov	edi, edi
		push	ecx
		push	esi
		imul	esi, ecx, 1Ch
		push	edi
		add	esi, ds:_MmPfnDatabase
		movzx	eax, word ptr [esi+14h]
		test	ax, ax
		jz	short loc_AD1C4D
		cmp	eax, 2
		jnz	loc_AE76D6
		lea	edi, [esi+10h]
		mov	eax, [edi]
		and	eax, 3FFFFFFFh
		cmp	eax, 1
		jnz	loc_AE76D6
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		and	dword ptr [edi], 0C0000000h
		xor	ecx, ecx
		mov	[esi+14h], cx
		mov	cl, [esi+16h]
		and	cl, 0FDh
		or	cl, 5
		mov	[esi+16h], cl
		mov	ecx, 7FFFFFFFh
		lock and [edi],	ecx
		mov	cl, al
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_AD1C42:				; CODE XREF: MiFreeBootPageTable+71j
		mov	ecx, esi
		call	_MiLockAndInsertPageInFreeList@4 ; MiLockAndInsertPageInFreeList(x)
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_AD1C4D:				; CODE XREF: MiFreeBootPageTable+15j
		and	dword ptr [esi+4], 0
		jmp	short loc_AD1C42
MiFreeBootPageTable endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipInitializeEarlyLaunchDrivers	proc near
					; CODE XREF: PipInitializeCoreDriversAndElam(x)+42p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		mov	eax, ecx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	[ebp+var_10], eax
		lea	edi, [eax+28h]
		mov	[ebp+var_18], ebx
		mov	esi, [edi]
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], edi
		cmp	esi, edi
		jz	loc_AD1D2D
		mov	eax, edi

loc_AD1C84:				; CODE XREF: PipInitializeEarlyLaunchDrivers+D3j
		lea	edi, [esi]
		mov	esi, [esi]
		cmp	[edi+1Ch], ebx
		jl	loc_AD1D25
		mov	eax, [edi+18h]
		test	eax, eax
		jz	short loc_AD1CA6
		mov	ecx, [eax+18h]
		test	ecx, ecx
		jz	short loc_AD1CA6
		push	ecx
		push	ebx
		call	_SeRegisterElamCertResources@16	; SeRegisterElamCertResources(x,x,x,x)

loc_AD1CA6:				; CODE XREF: PipInitializeEarlyLaunchDrivers+42j
					; PipInitializeEarlyLaunchDrivers+49j
		lea	eax, [edi+10h]
		mov	[ebp+var_14], ebx
		push	20019h
		push	eax
		xor	edx, edx
		mov	[ebp+var_4], ebx
		lea	ecx, [ebp+var_4]
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_AD1CFA
		mov	ecx, [ebp+var_4]
		lea	edx, [ebp+var_18]
		call	IopGetDriverNameFromKeyNode
		mov	ebx, eax
		test	ebx, ebx
		js	short loc_AD1CFA
		mov	ecx, [edi+18h]
		lea	eax, [ebp+var_C]
		push	eax
		mov	eax, [ebp+var_10]
		lea	edx, [edi+10h]
		push	ecx
		push	0
		push	0
		add	eax, 10h
		push	eax
		push	ecx
		push	dword ptr [ecx+1Ch]
		lea	ecx, [ebp+var_18]
		call	PnpInitializeBootStartDriver
		mov	ebx, eax

loc_AD1CFA:				; CODE XREF: PipInitializeEarlyLaunchDrivers+6Fj
					; PipInitializeEarlyLaunchDrivers+80j
		cmp	[ebp+var_4], 0
		jz	short loc_AD1D08
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_AD1D08:				; CODE XREF: PipInitializeEarlyLaunchDrivers+AAj
		cmp	[ebp+var_14], 0
		jz	short loc_AD1D18
		push	0
		push	[ebp+var_14]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD1D18:				; CODE XREF: PipInitializeEarlyLaunchDrivers+B8j
		test	ebx, ebx
		js	loc_AE76E8

loc_AD1D20:				; CODE XREF: MiFreeBootPageTable+15B12j
		mov	eax, [ebp+var_8]
		xor	ebx, ebx

loc_AD1D25:				; CODE XREF: PipInitializeEarlyLaunchDrivers+37j
		cmp	esi, eax
		jnz	loc_AD1C84

loc_AD1D2D:				; CODE XREF: PipInitializeEarlyLaunchDrivers+28j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PipInitializeEarlyLaunchDrivers	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMarkLargePagePte proc	near		; DATA XREF: MiMarkLargePageMappings()+44o

arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00AE76F7 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, [eax]
		nop
		mov	ecx, [eax+4]
		mov	eax, esi
		and	eax, 1
		or	eax, edi
		jnz	short loc_AD1D57

loc_AD1D4F:				; CODE XREF: MiMarkLargePagePte+2Ej
					; MiMarkLargePagePte+41j ...
		pop	edi
		xor	eax, eax
		pop	esi
		leave
		retn	0Ch
; 

loc_AD1D57:				; CODE XREF: MiMarkLargePagePte+1Bj
		mov	eax, esi
		and	eax, 80h
		or	eax, edi
		jz	short loc_AD1D4F
		nop
		shrd	esi, ecx, 0Ch
		and	esi, 1FFFFFFh
		cmp	esi, dword_6D07B0
		ja	short loc_AD1D4F
		mov	eax, dword_6D35B8
		mov	edx, esi
		shr	edx, 5
		mov	ecx, esi
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, 1
		jz	short loc_AD1D4F
		mov	ecx, [ebp+arg_8]
		mov	eax, 200h
		cmp	ecx, 1
		jg	short loc_AD1DAD

loc_AD1D9B:				; CODE XREF: MiMarkLargePagePte+159CDj
		push	edi
		push	1
		push	eax
		mov	edx, esi
		mov	ecx, offset _MiSystemPartition
		call	MiUpdateLargePageBitMap
		jmp	short loc_AD1D4F
; 

loc_AD1DAD:				; CODE XREF: MiMarkLargePagePte+67j
		dec	ecx
		jmp	loc_AE76F7
MiMarkLargePagePte endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpInitializePnpWatchdogs()
_PnpInitializePnpWatchdogs@0 proc near	; CODE XREF: IopInitializePlugPlayServices(x,x):loc_AC5695p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		lea	ecx, [ebp+var_4]
		call	_PnpOpenCCSPnpRegKey@8 ; PnpOpenCCSPnpRegKey(x,x)
		test	eax, eax
		js	short locret_AD1DE3
		mov	ecx, [ebp+var_4]
		call	PnpWatchdogBugcheckConfigure
		mov	ecx, [ebp+var_4]
		call	PnpQueryWatchdogTimeoutConfiguration
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

locret_AD1DE3:				; CODE XREF: PnpInitializePnpWatchdogs()+15j
		leave
		retn
_PnpInitializePnpWatchdogs@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiDmaGuardProcessRegistry proc near	; CODE XREF: IopInitializePlugPlayServices(x,x)+3D9p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7704 SIZE 00000013 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		mov	edx, offset ??_C@_1CC@HLGJCCDP@?$AAD?$AAm?$AAa?$AAG?$AAu?$AAa?$AAr?$AAd?$AAT?$AAe?$AAs?$AAt?$AAM?$AAo?$AAd@PBOPGDP@ ; "DmaGuardTestMode"
		call	_PnpGetRegistryDword@12	; PnpGetRegistryDword(x,x,x)
		test	eax, eax
		jns	loc_AE7704

locret_AD1E06:				; CODE XREF: PiDmaGuardProcessRegistry+15922j
		leave
		retn
PiDmaGuardProcessRegistry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpWatchdogBugcheckConfigure proc near	; CODE XREF: PnpInitializePnpWatchdogs()+1Ap

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7717 SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		lea	eax, [ebp+var_4]
		xor	esi, esi
		push	eax
		mov	edx, (offset off_40857E+2)
		mov	[ebp+var_4], esi
		call	_PnpGetRegistryDword@12	; PnpGetRegistryDword(x,x,x)
		test	eax, eax
		jns	loc_AE7717
		push	2
		pop	esi

loc_AD1E2D:				; CODE XREF: PnpWatchdogBugcheckConfigure+15912j
					; PnpWatchdogBugcheckConfigure+1591Bj
		mov	_PnpWatchdogBugcheckConfig, esi
		pop	esi
		leave
		retn
PnpWatchdogBugcheckConfigure endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpQueryWatchdogTimeoutConfiguration proc near ; CODE XREF: PnpInitializePnpWatchdogs()+22p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7728 SIZE 00000033 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	esi
		push	eax
		mov	edx, offset _PnpWatchdogFirstChanceRegName
		mov	esi, ecx
		call	_PnpGetRegistryDword@12	; PnpGetRegistryDword(x,x,x)
		test	eax, eax
		jns	loc_AE7728

loc_AD1E59:				; CODE XREF: PnpQueryWatchdogTimeoutConfiguration+15907j
		mov	_PnpWatchdogTimeoutFirstChance,	2710h

loc_AD1E63:				; CODE XREF: PnpQueryWatchdogTimeoutConfiguration+15901j
		lea	eax, [ebp+var_4]
		mov	edx, offset _PnpWatchdogSecondChanceRegName
		push	eax
		mov	ecx, esi
		call	_PnpGetRegistryDword@12	; PnpGetRegistryDword(x,x,x)
		pop	esi
		test	eax, eax
		jns	loc_AE7742

loc_AD1E7C:				; CODE XREF: PnpQueryWatchdogTimeoutConfiguration+15920j
		mov	_PnpWatchdogTimeoutSecondChance, 57E40h

locret_AD1E86:				; CODE XREF: PnpQueryWatchdogTimeoutConfiguration+1591Aj
		leave
		retn
PnpQueryWatchdogTimeoutConfiguration endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpOpenCCSPnpRegKey(x, x)
_PnpOpenCCSPnpRegKey@8 proc near	; CODE XREF: PnpInitializePnpWatchdogs()+Ep

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		mov	esi, ecx
		mov	ecx, _PiPnpRtlCtx
		xor	edi, edi
		push	eax
		push	4
		pop	edx
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edi
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_AD1EE7
		mov	edx, [ebp+var_4]
		lea	ecx, [ebp+var_8]
		push	18h
		pop	eax
		push	16h
		mov	word ptr [ebp+var_10+2], ax
		pop	eax
		push	edi
		push	edi
		mov	word ptr [ebp+var_10], ax
		lea	eax, [ebp+var_10]
		push	1
		push	eax
		mov	[ebp+var_C], offset ??_C@_1BI@EIJDOAKI@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAP?$AAn?$AAp@PBOPGDP@
		call	IopCreateRegistryKeyEx
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_AD1EE7
		mov	eax, [ebp+var_8]
		mov	[esi], eax

loc_AD1EE7:				; CODE XREF: PnpOpenCCSPnpRegKey(x,x)+2Aj
					; PnpOpenCCSPnpRegKey(x,x)+58j
		pop	edi
		mov	eax, ecx
		pop	esi
		leave
		retn
_PnpOpenCCSPnpRegKey@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopAllocateLegacyBootResources proc near ; CODE	XREF: PipProcessStartPhase2+73p
					; PipProcessStartPhase2+83p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7778 SIZE 0000005C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		xor	ebx, ebx
		mov	[ebp+var_4], ecx
		mov	eax, edx
		push	esi
		push	edi
		mov	[ebp+var_8], eax
		cmp	ds:_IopInitHalDeviceNode, ebx
		jz	short loc_AD1F2E
		cmp	ds:_IopInitHalResources, ebx
		jz	short loc_AD1F2E
		lea	edx, [ebp+var_C]
		mov	[ebp+var_C], ebx
		push	edx		; void *
		push	eax		; int
		mov	edx, ecx
		call	IopCreateCmResourceList
		mov	edi, eax
		test	edi, edi
		jnz	short loc_AD1F45

loc_AD1F28:				; CODE XREF: IopAllocateLegacyBootResources+A3j
					; sub_AE776C+7j
		mov	eax, [ebp+var_8]
		mov	ecx, [ebp+var_4]

loc_AD1F2E:				; CODE XREF: IopAllocateLegacyBootResources+1Bj
					; IopAllocateLegacyBootResources+23j
		mov	esi, ds:_IopInitReservedResourceList
		mov	edi, ebx

loc_AD1F36:				; CODE XREF: IopAllocateLegacyBootResources+158E1j
		test	esi, esi
		jnz	loc_AE7778
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
; 

loc_AD1F45:				; CODE XREF: IopAllocateLegacyBootResources+38j
		mov	esi, [ebp+var_C]
		test	esi, esi
		jnz	sub_AE775B

loc_AD1F50:				; CODE XREF: sub_AE775B+Cj
		mov	ecx, ds:_IopInitHalDeviceNode
		push	40h
		mov	ds:_IopInitHalResources, esi
		pop	edx
		mov	esi, [ecx+168h]
		call	PipSetDevNodeFlags
		mov	eax, ds:_IopInitHalDeviceNode
		push	edi
		push	dword ptr [eax+10h]
		push	1
		call	_IopAllocateBootResources@12 ; IopAllocateBootResources(x,x,x)
		mov	edx, edi
		mov	ecx, esi
		call	IopCombineCmResourceList
		mov	ecx, ds:_IopInitHalDeviceNode
		mov	[ecx+168h], eax
		test	esi, esi
		jz	short loc_AD1F28
		jmp	sub_AE776C
IopAllocateLegacyBootResources endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeRmInitPhase1()
_SeRmInitPhase1@0 proc near		; CODE XREF: INIT:00ABFD0Cp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	esi
		push	2000h
		push	100h
		push	4
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], 18h
		xor	esi, esi
		mov	[ebp+var_10], offset _SepRmCommandPortName
		push	eax
		push	offset dword_A94E28
		mov	[ebp+var_14], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	_ZwCreatePort@20 ; ZwCreatePort(x,x,x,x,x)
		test	eax, eax
		js	short loc_AD2021
		call	_SepAdtInitializeAuditingOptions@0 ; SepAdtInitializeAuditingOptions()
		push	esi
		push	offset SepRmCommandServerThread
		push	esi
		push	esi
		push	esi
		push	38h
		push	offset dword_A94E24
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AD2021
		call	_AuthzBasepInitializeSystemSecurityAttributes@4	; AuthzBasepInitializeSystemSecurityAttributes(x)
		push	ds:dword_A94E24
		call	_ZwClose@4	; ZwClose(x)
		push	esi
		xor	edx, edx
		mov	ds:dword_A94E24, esi
		mov	ecx, offset dword_6B29A8
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		mov	al, 1

loc_AD201E:				; CODE XREF: SeRmInitPhase1()+8Bj
		pop	esi
		leave
		retn
; 

loc_AD2021:				; CODE XREF: SeRmInitPhase1()+41j
					; SeRmInitPhase1()+5Fj
		xor	al, al
		jmp	short loc_AD201E
_SeRmInitPhase1@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepAdtInitializeAuditingOptions()
_SepAdtInitializeAuditingOptions@0 proc	near ; CODE XREF: SeRmInitPhase1()+43p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		call	_AdtpInitializeAuditingCommon@0	; AdtpInitializeAuditingCommon()
		test	eax, eax
		js	short loc_AD207C
		lea	ecx, [ebp+var_4]
		call	_SepAdtOpenEtwReadyEvent@4 ; SepAdtOpenEtwReadyEvent(x)
		test	eax, eax
		js	short loc_AD207C
		push	0
		push	[ebp+var_4]
		call	NtSetEvent
		push	[ebp+var_4]
		mov	esi, eax
		call	NtClose
		test	esi, esi
		js	short loc_AD207A
		push	ecx
		push	ecx
		call	_SepAdtOpenRegAndSetupNotification@16 ;	SepAdtOpenRegAndSetupNotification(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD207C
		call	_SepAdtInitializeCrashOnFail@0 ; SepAdtInitializeCrashOnFail()
		call	_SepAdtInitializePrivilegeAuditing@0 ; SepAdtInitializePrivilegeAuditing()
		call	_SepAdtInitializeBounds@0 ; SepAdtInitializeBounds()

loc_AD207A:				; CODE XREF: SepAdtInitializeAuditingOptions()+36j
		mov	eax, esi

loc_AD207C:				; CODE XREF: SepAdtInitializeAuditingOptions()+12j
					; SepAdtInitializeAuditingOptions()+1Ej ...
		pop	esi
		leave
		retn
_SepAdtInitializeAuditingOptions@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiMapDummyPages	proc near		; CODE XREF: MiInitNucleus(x):loc_AB58AEp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE77D4 SIZE 000000C3 BYTES

		mov	edi, edi
		push	ebx
		mov	ebx, esp
		push	ecx
		push	ecx
		and	esp, 0FFFFFFF8h
		add	esp, 4
		push	ebp
		mov	ebp, [ebx+4]
		mov	[esp+8+var_4], ebp
		mov	ebp, esp
		sub	esp, 10h
		mov	ecx, offset dword_6D35E0
		push	esi
		push	edi
		push	2
		pop	edx
		call	MiReservePtes
		mov	esi, eax
		test	esi, esi
		jz	loc_AD218C
		mov	edx, dword_6D34F0
		mov	ecx, esi
		push	20000001h
		call	MiMakeValidPte
		and	[ebp+var_8], 0
		mov	ecx, esi
		mov	[ebp+var_10], eax
		mov	eax, edx
		mov	edx, [ebp+var_10]
		mov	edi, eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_4], edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_AE77D4
		mov	ecx, [ebp+var_8]

loc_AD20EB:				; CODE XREF: MiMapDummyPages+15767j
					; MiMapDummyPages+15775j ...
		mov	edx, [ebp+var_4]

loc_AD20EE:				; CODE XREF: MiMapDummyPages+15784j
		mov	[esi+4], edi
		nop
		mov	[esi], edx
		test	ecx, ecx
		jnz	loc_AE7829

loc_AD20FC:				; CODE XREF: MiMapDummyPages+157B2j
		mov	ecx, esi
		shl	ecx, 9
		mov	dword_6D34F4, ecx
		call	_MiComputeHash64@4 ; MiComputeHash64(x)
		mov	edi, dword_6D34E4
		add	esi, 8
		mov	ecx, [ebp+var_C]
		and	edi, 1FFFFFFh
		and	[ebp+var_8], 0
		and	ecx, 0FFFFFFE0h
		mov	dword_6D3504, edx
		xor	edx, edx
		mov	dword_6D3500, eax
		mov	eax, [ebp+var_10]
		shld	edx, edi, 0Ch
		and	eax, 0FFFh
		shl	edi, 0Ch
		or	edx, ecx
		mov	ecx, esi
		or	edi, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_AE7837
		mov	ecx, [ebp+var_8]

loc_AD2157:				; CODE XREF: MiMapDummyPages+157CAj
					; MiMapDummyPages+157D8j ...
		mov	[esi+4], edx
		nop
		mov	[esi], edi
		test	ecx, ecx
		jnz	loc_AE7889

loc_AD2165:				; CODE XREF: MiMapDummyPages+15812j
		shl	esi, 9
		mov	ecx, esi
		mov	dword_6D34F8, esi
		call	_MiComputeHash64@4 ; MiComputeHash64(x)
		mov	dword_6D3508, eax
		xor	eax, eax
		mov	dword_6D350C, edx
		inc	eax

loc_AD2183:				; CODE XREF: MiMapDummyPages+10Ej
		pop	edi
		pop	esi
		mov	esp, ebp
		pop	ebp
		mov	esp, ebx
		pop	ebx
		retn
; 

loc_AD218C:				; CODE XREF: MiMapDummyPages+2Dj
		xor	eax, eax
		jmp	short loc_AD2183
MiMapDummyPages	endp


;  S U B	R O U T	I N E 


KseZeroPoolInitialize proc near		; CODE XREF: KseInitialize+167p

; FUNCTION CHUNK AT 00AE7897 SIZE 00000050 BYTES

		mov	edi, edi
		push	esi
		push	0
		push	0
		push	offset _KseZeroPoolShim
		call	_KseRegisterShim@12 ; KseRegisterShim(x,x,x)
		test	eax, eax
		js	loc_AE7897
		pop	esi
		retn			; char
KseZeroPoolInitialize endp

; 
		align 4

;  S U B	R O U T	I N E 


KseDriverScopeInitialize proc near	; CODE XREF: KseInitialize+AEp

; FUNCTION CHUNK AT 00AE78E7 SIZE 0000000E BYTES

		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		xor	esi, esi
		push	esi
		push	esi
		push	offset _KseDsShim
		call	_KseRegisterShim@12 ; KseRegisterShim(x,x,x)
		test	eax, eax
		js	short loc_AD220C
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryMessagesIndex, eax
		inc	eax
		and	eax, 3Fh
		mov	ecx, 90h
		test	_KsepDebugFlag,	1
		mov	edi, offset ??_C@_0CH@JAGLGLJF@KSE?9DS?3?5driver?5scope?5shim?5regis@PBOPGDP@ ;	"KSE-DS: driver	scope shim registered.\n"
		push	0Bh
		mov	dword_6C7244[eax*8], esi
		pop	esi
		mov	word_6C7242[eax*8], si
		mov	_KsepHistoryMessages[eax*8], cx
		jnz	loc_AE78E7

loc_AD2203:				; CODE XREF: KseDriverScopeInitialize+15744j
		push	edi
		push	esi
		call	_KsepLogInfo
		pop	ecx
		pop	ecx

loc_AD220C:				; CODE XREF: KseDriverScopeInitialize+15j
		pop	edi
		pop	esi
		pop	ecx
		retn			; char
KseDriverScopeInitialize endp


;  S U B	R O U T	I N E 


KseSkipDriverUnloadInitialize proc near	; CODE XREF: KseInitialize+162p

; FUNCTION CHUNK AT 00AE78F5 SIZE 00000052 BYTES

		mov	edi, edi
		push	esi
		push	0
		push	0
		push	offset _KseSkipDriverUnloadShim
		call	_KseRegisterShim@12 ; KseRegisterShim(x,x,x)
		test	eax, eax
		js	loc_AE78F5
		pop	esi
		retn			; char
KseSkipDriverUnloadInitialize endp

; 
		align 4

;  S U B	R O U T	I N E 


KseVersionLieInitialize	proc near	; CODE XREF: KseInitialize+15Dp

; FUNCTION CHUNK AT 00AE7947 SIZE 000000F1 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	offset _Win7VersionLieShim
		call	_KseRegisterShim@12 ; KseRegisterShim(x,x,x)
		xor	esi, esi
		inc	esi
		push	0Ch
		pop	edi
		test	eax, eax
		js	loc_AE7947

loc_AD224D:				; CODE XREF: KseVersionLieInitialize+15768j
		push	ebx
		push	ebx
		push	offset _Win8VersionLieShim
		call	_KseRegisterShim@12 ; KseRegisterShim(x,x,x)
		test	eax, eax
		js	loc_AE7999

loc_AD2261:				; CODE XREF: KseVersionLieInitialize+157BAj
		push	ebx
		push	ebx
		push	offset _Win81VersionLieShim
		call	_KseRegisterShim@12 ; KseRegisterShim(x,x,x)
		test	eax, eax
		js	loc_AE79EB

loc_AD2275:				; CODE XREF: KseVersionLieInitialize+15807j
		pop	edi
		pop	esi
		pop	ebx
		retn			; char
KseVersionLieInitialize	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiCreateDriverDataDirectoryRoot	proc near ; CODE XREF: IopInitializeBootDrivers+4AEp

var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7A38 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		or	[ebp+var_2C], 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_30], 0FFF0BDC0h
		push	6
		pop	ecx
		lea	edi, [ebp+var_48]
		mov	[ebp+var_14], ebx
		rep stosd
		push	ebx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_10], ebx
		mov	edi, ebx
		mov	[ebp+var_24], ebx
		push	eax
		mov	[ebp+var_20], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_4], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_14]
		mov	edx, offset ??_C@_1FA@LKHFNIDA@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@PBOPGDP@ ;	"\\SystemRoot\\System32\\Drivers\\DriverData"...
		push	eax		; int
		push	1		; int
		mov	ecx, offset ??_C@_1BG@PDMPPEN@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAa@PBOPGDP@ ; int
		call	PiGetStateRootPath
		mov	esi, eax
		test	esi, esi
		js	loc_AD23BE
		lea	ecx, [ebp+var_4]
		call	PiAuGetDriverDataDirectorySecurityObject
		mov	edi, [ebp+var_4]
		mov	esi, eax
		test	esi, esi
		js	loc_AD23BE
		lea	eax, [ebp+var_14]
		mov	[ebp+var_48], 18h
		mov	[ebp+var_44], ebx
		mov	[ebp+var_3C], 240h
		mov	[ebp+var_40], eax
		mov	[ebp+var_38], edi
		mov	[ebp+var_34], ebx

loc_AD2314:				; CODE XREF: PiCreateDriverDataDirectoryRoot+157CFj
		xor	eax, eax
		push	eax
		push	eax
		push	21h
		push	3
		push	3
		push	80h
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_48]
		push	eax
		push	100001h
		lea	eax, [ebp+var_8]
		push	eax
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C000003Ah
		jz	loc_AE7A38
		cmp	esi, 80000010h
		jz	loc_AE7A38
		cmp	esi, 80000011h
		jz	loc_AE7A38
		cmp	esi, 0C000000Eh
		jz	loc_AE7A38

loc_AD236C:				; CODE XREF: PiCreateDriverDataDirectoryRoot+157D5j
		test	esi, esi
		js	loc_AD23F5
		push	offset ??_C@_1BI@OGGIKDOE@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAa@PBOPGDP@
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_48], 18h
		mov	[ebp+var_40], eax
		xor	ebx, ebx
		mov	eax, ds:_SePublicDefaultUnrestrictedSd
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_48]
		mov	[ebp+var_44], ebx
		push	eax
		push	0F0001h
		lea	eax, [ebp+var_C]
		mov	[ebp+var_3C], 50h
		push	eax
		mov	[ebp+var_34], ebx
		call	_ZwCreateSymbolicLinkObject@16 ; ZwCreateSymbolicLinkObject(x,x,x,x)
		mov	esi, eax

loc_AD23BE:				; CODE XREF: PiCreateDriverDataDirectoryRoot+62j
					; PiCreateDriverDataDirectoryRoot+77j ...
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_8], 0
		jz	short loc_AD23D5
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_AD23D5:				; CODE XREF: PiCreateDriverDataDirectoryRoot+151j
		cmp	[ebp+var_C], 0
		jz	short loc_AD23E3
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)

loc_AD23E3:				; CODE XREF: PiCreateDriverDataDirectoryRoot+15Fj
		test	edi, edi
		jz	short loc_AD23EE
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD23EE:				; CODE XREF: PiCreateDriverDataDirectoryRoot+16Bj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD23F5:				; CODE XREF: PiCreateDriverDataDirectoryRoot+F4j
		xor	ebx, ebx
		jmp	short loc_AD23BE
PiCreateDriverDataDirectoryRoot	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiAuCreateSecurityObjects()
_PiAuCreateSecurityObjects@0 proc near	; CODE XREF: IopInitializePlugPlayServices(x,x)+543p

var_20		= dword	ptr -20h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		push	esi
		push	edi
		push	8
		pop	ecx
		lea	edi, [ebp+var_20]
		rep stosd
		lea	ecx, [ebp+var_20]
		call	_PiAuCreateUserSids@4 ;	PiAuCreateUserSids(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD2434
		lea	ecx, [ebp+var_20]
		call	PiAuCreateStandardSecurityObject
		mov	esi, eax
		test	esi, esi
		js	short loc_AD2434
		lea	ecx, [ebp+var_20]
		call	PiAuCreateLocalSystemSecurityObject
		mov	esi, eax

loc_AD2434:				; CODE XREF: PiAuCreateSecurityObjects()+20j
					; PiAuCreateSecurityObjects()+2Ej
		lea	ecx, [ebp+var_20]
		call	_PiAuFreeUserSids@4 ; PiAuFreeUserSids(x)
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_PiAuCreateSecurityObjects@0 endp


;  S U B	R O U T	I N E 


; __stdcall PiAuFreeUserSids(x)
_PiAuFreeUserSids@4 proc near		; CODE XREF: PiAuCreateSecurityObjects()+3Dp
		mov	edi, edi
		push	esi
		mov	esi, ecx
		push	edi
		xor	edi, edi
		mov	eax, [esi]
		test	eax, eax
		jz	short loc_AD2457
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD2457:				; CODE XREF: PiAuFreeUserSids(x)+Cj
		mov	eax, [esi+4]
		test	eax, eax
		jz	short loc_AD2465
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD2465:				; CODE XREF: PiAuFreeUserSids(x)+1Aj
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_AD2473
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD2473:				; CODE XREF: PiAuFreeUserSids(x)+28j
		mov	eax, [esi+0Ch]
		test	eax, eax
		jz	short loc_AD2481
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD2481:				; CODE XREF: PiAuFreeUserSids(x)+36j
		mov	eax, [esi+10h]
		test	eax, eax
		jz	short loc_AD248F
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD248F:				; CODE XREF: PiAuFreeUserSids(x)+44j
		mov	eax, [esi+14h]
		test	eax, eax
		jz	short loc_AD249D
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD249D:				; CODE XREF: PiAuFreeUserSids(x)+52j
		mov	eax, [esi+18h]
		test	eax, eax
		jz	short loc_AD24AB
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD24AB:				; CODE XREF: PiAuFreeUserSids(x)+60j
		mov	eax, [esi+1Ch]
		test	eax, eax
		jz	short loc_AD24B9
		push	edi
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD24B9:				; CODE XREF: PiAuFreeUserSids(x)+6Ej
		pop	edi
		xor	eax, eax
		pop	esi
		retn
_PiAuFreeUserSids@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiAuCreateLocalSystemSecurityObject proc near ;	CODE XREF: PiAuCreateSecurityObjects()+33p

var_18		= dword	ptr -18h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7A54 SIZE 0000001A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], ecx
		lea	edi, [ebp+var_18]
		stosd
		push	47706E50h
		stosd
		stosd
		stosd
		stosd
		mov	eax, [ecx]
		xor	edi, edi
		movzx	eax, byte ptr [eax+1]
		lea	esi, ds:18h[eax*4]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE7A54
		push	2		; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD25DD
		mov	eax, [ebp+var_4]
		push	dword ptr [eax]
		push	0F0000h
		push	edi
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAceEx@20 ; RtlAddAccessAllowedAceEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD25DD
		push	1
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD25DD
		push	edi
		push	ebx
		push	1
		lea	eax, [ebp+var_18]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_AD25DD
		mov	eax, [ebp+var_4]
		push	edi
		push	dword ptr [eax]
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD25DD
		mov	eax, [ebp+var_4]
		push	edi
		push	dword ptr [eax]
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD25DD
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jz	short loc_AD25F7
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	esi, eax
		mov	[ebp+var_4], esi
		cmp	esi, 14h
		jb	short loc_AD25F7
		push	47706E50h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AD25FE
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD25DD
		mov	_PiAuLocalSystemSecurityObject,	edi
		xor	edi, edi

loc_AD25DD:				; CODE XREF: PiAuCreateLocalSystemSecurityObject+4Bj
					; PiAuCreateLocalSystemSecurityObject+68j ...
		push	47706E50h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jnz	loc_AE7A5E

loc_AD25F0:				; CODE XREF: PiAuCreateLocalSystemSecurityObject+1559Bj
					; PiAuCreateLocalSystemSecurityObject+155ABj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD25F7:				; CODE XREF: PiAuCreateLocalSystemSecurityObject+CFj
					; PiAuCreateLocalSystemSecurityObject+E2j
		mov	esi, 0C00000E5h
		jmp	short loc_AD25DD
; 

loc_AD25FE:				; CODE XREF: PiAuCreateLocalSystemSecurityObject+F5j
		mov	esi, 0C000009Ah
		jmp	short loc_AD25DD
PiAuCreateLocalSystemSecurityObject endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiAuGetDriverDataDirectorySecurityObject proc near
					; CODE XREF: PiCreateDriverDataDirectoryRoot+6Bp

var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7A6E SIZE 00000017 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		push	ebx
		xor	eax, eax
		mov	[ebp+var_8], ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_1C]
		stosd
		push	20207050h
		stosd
		stosd
		stosd
		stosd
		mov	eax, ds:_SeExports
		xor	edi, edi
		mov	eax, [eax+190h]
		movzx	ecx, byte ptr [eax+1]
		mov	eax, ds:_SeAliasAdminsSid
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		mov	eax, _SeLocalSystemSid
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		lea	esi, ds:38h[ecx*4]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE7A6E
		push	2		; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2787
		mov	eax, _SeLocalSystemSid
		push	eax
		push	10000000h
		push	3
		push	2
		push	ebx
		mov	[ebp+var_4], eax
		call	_RtlAddAccessAllowedAceEx@20 ; RtlAddAccessAllowedAceEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2787
		push	ds:_SeAliasAdminsSid
		push	10000000h
		push	3
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAceEx@20 ; RtlAddAccessAllowedAceEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2787
		mov	eax, ds:_SeExports
		push	dword ptr [eax+190h]
		push	10000000h
		push	3
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAceEx@20 ; RtlAddAccessAllowedAceEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2787
		push	1
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2787
		push	edi
		push	ebx
		push	1
		lea	eax, [ebp+var_1C]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_AD2787
		push	edi
		push	[ebp+var_4]
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD2787
		push	edi
		push	[ebp+var_4]
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD2787
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jz	short loc_AD279E
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	esi, eax
		mov	[ebp+var_4], esi
		cmp	esi, 14h
		jb	short loc_AD279E
		push	20207050h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AD27A5
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD2787
		mov	eax, [ebp+var_8]
		mov	[eax], edi
		xor	edi, edi

loc_AD2787:				; CODE XREF: PiAuGetDriverDataDirectorySecurityObject+6Aj
					; PiAuGetDriverDataDirectorySecurityObject+8Cj	...
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		test	edi, edi
		jnz	loc_AE7A78

loc_AD2797:				; CODE XREF: PiAuGetDriverDataDirectorySecurityObject+1546Dj
					; PiAuGetDriverDataDirectorySecurityObject+1547Aj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD279E:				; CODE XREF: PiAuGetDriverDataDirectorySecurityObject+132j
					; PiAuGetDriverDataDirectorySecurityObject+145j
		mov	esi, 0C00000E5h
		jmp	short loc_AD2787
; 

loc_AD27A5:				; CODE XREF: PiAuGetDriverDataDirectorySecurityObject+158j
		mov	esi, 0C000009Ah
		jmp	short loc_AD2787
PiAuGetDriverDataDirectorySecurityObject endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiAuCreateUserSids(x)
_PiAuCreateUserSids@4 proc near		; CODE XREF: PiAuCreateSecurityObjects()+17p

var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_8		= dword	ptr -8
var_4		= word ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		mov	[ebp+var_4], 500h
		xor	eax, eax
		mov	[ebp+var_C], 100h
		push	8
		pop	ecx
		mov	edi, ebx
		mov	[ebp+var_8], eax
		rep stosd
		push	1
		lea	edx, [ebp+var_8]
		mov	[ebp+var_10], eax
		mov	ecx, ebx
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], 0F00h
		call	PiAuAllocateAndInitializeSid
		mov	esi, eax
		test	esi, esi
		js	loc_AD295F
		mov	eax, [ebx]
		mov	dword ptr [eax+8], 12h
		push	dword ptr [ebx]
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_AD2966
		lea	edi, [ebx+4]
		push	1
		lea	edx, [ebp+var_10]
		mov	ecx, edi
		call	PiAuAllocateAndInitializeSid
		mov	esi, eax
		test	esi, esi
		js	loc_AD295F
		mov	eax, [edi]
		and	dword ptr [eax+8], 0
		push	dword ptr [edi]
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_AD2966
		lea	edi, [ebx+8]
		push	2
		lea	edx, [ebp+var_8]
		mov	ecx, edi
		call	PiAuAllocateAndInitializeSid
		mov	esi, eax
		test	esi, esi
		js	loc_AD295F
		mov	eax, [edi]
		mov	dword ptr [eax+8], 20h
		mov	eax, [edi]
		mov	dword ptr [eax+0Ch], 220h
		push	dword ptr [edi]
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_AD2966
		lea	edi, [ebx+0Ch]
		push	1
		lea	edx, [ebp+var_8]
		mov	ecx, edi
		call	PiAuAllocateAndInitializeSid
		mov	esi, eax
		test	esi, esi
		js	loc_AD295F
		mov	eax, [edi]
		push	2
		pop	esi
		mov	[eax+8], esi
		push	dword ptr [edi]
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_AD2966
		lea	edi, [ebx+10h]
		push	esi
		lea	edx, [ebp+var_8]
		mov	ecx, edi
		call	PiAuAllocateAndInitializeSid
		mov	esi, eax
		test	esi, esi
		js	loc_AD295F
		mov	eax, [edi]
		mov	dword ptr [eax+8], 20h
		mov	eax, [edi]
		mov	dword ptr [eax+0Ch], 221h
		push	dword ptr [edi]
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_AD2966
		lea	edi, [ebx+14h]
		push	1
		lea	edx, [ebp+var_8]
		mov	ecx, edi
		call	PiAuAllocateAndInitializeSid
		mov	esi, eax
		test	esi, esi
		js	short loc_AD295F
		mov	eax, [edi]
		mov	dword ptr [eax+8], 13h
		push	dword ptr [edi]
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	short loc_AD2966
		lea	edi, [ebx+18h]
		push	1
		lea	edx, [ebp+var_8]
		mov	ecx, edi
		call	PiAuAllocateAndInitializeSid
		mov	esi, eax
		test	esi, esi
		js	short loc_AD295F
		mov	eax, [edi]
		mov	dword ptr [eax+8], 14h
		push	dword ptr [edi]
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	short loc_AD2966
		push	2
		pop	edi
		push	edi
		lea	edx, [ebp+var_18]
		lea	ecx, [ebx+1Ch]
		call	PiAuAllocateAndInitializeSid
		mov	esi, eax
		test	esi, esi
		js	short loc_AD295F
		mov	eax, [ebx+1Ch]
		mov	[eax+8], edi
		mov	eax, [ebx+1Ch]
		mov	dword ptr [eax+0Ch], 1
		push	dword ptr [ebx+1Ch]
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	short loc_AD2966

loc_AD295F:				; CODE XREF: PiAuCreateUserSids(x)+41j
					; PiAuCreateUserSids(x)+72j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD2966:				; CODE XREF: PiAuCreateUserSids(x)+59j
					; PiAuCreateUserSids(x)+87j ...
		mov	esi, 0C00000E5h
		jmp	short loc_AD295F
_PiAuCreateUserSids@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiAuCreateStandardSecurityObject proc near ; CODE XREF:	PiAuCreateSecurityObjects()+25p

var_8C		= dword	ptr -8Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= word ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7A85 SIZE 00000035 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_70], ecx
		lea	edi, [ebp+var_8C]
		mov	[ebp+var_68], 500h
		stosd
		xor	ecx, ecx
		push	54h		; size_t
		push	ecx		; int
		mov	ebx, ecx
		mov	[ebp+var_6C], ecx
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_58]
		mov	edi, ecx
		push	eax		; void *
		mov	[ebp+var_5C], edi
		call	_memset
		lea	eax, [ebp+var_58]
		mov	esi, offset _PiAuSwDeviceCreateSidSubAuthorities
		add	esp, 0Ch
		mov	[ebp+var_64], eax
		and	[ebp+var_74], ebx
		mov	[ebp+var_60], esi

loc_AD29C8:				; CODE XREF: PiAuCreateStandardSecurityObject+C9j
		push	dword ptr [esi]
		lea	edx, [ebp+var_6C]
		mov	ecx, eax
		call	PiAuAllocateAndInitializeSid
		mov	esi, eax
		test	esi, esi
		js	loc_AD2C5C
		mov	esi, [ebp+var_60]
		and	[ebp+var_78], ebx
		mov	edx, [ebp+var_64]
		cmp	[esi], ebx
		jbe	short loc_AD2A0A
		mov	ecx, [edx]
		lea	edx, [esi+4]
		mov	edi, [ebp+var_78]
		add	ecx, 8

loc_AD29F6:				; CODE XREF: PiAuCreateStandardSecurityObject+95j
		mov	eax, [edx]
		inc	edi
		mov	[ecx], eax
		lea	edx, [edx+4]
		lea	ecx, [ecx+4]
		cmp	edi, [esi]
		jb	short loc_AD29F6
		mov	edx, [ebp+var_64]
		mov	edi, ebx

loc_AD2A0A:				; CODE XREF: PiAuCreateStandardSecurityObject+7Bj
		push	dword ptr [edx]
		call	_RtlValidSid@4	; RtlValidSid(x)
		test	al, al
		jz	loc_AE7AA3
		mov	ecx, [ebp+var_74]
		add	esi, 1Ch
		mov	eax, [ebp+var_64]
		add	ecx, 1Ch
		add	eax, 4
		mov	[ebp+var_74], ecx
		mov	[ebp+var_60], esi
		mov	[ebp+var_64], eax
		cmp	ecx, 24Ch
		jb	short loc_AD29C8
		mov	edi, [ebp+var_70]
		mov	eax, [edi+18h]
		movzx	ecx, byte ptr [eax+1]
		mov	eax, [edi+8]
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		mov	eax, [edi+0Ch]
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		mov	eax, [edi+10h]
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		mov	eax, [edi+14h]
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		mov	eax, [edi]
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		lea	esi, ds:68h[ecx*4]
		xor	ecx, ecx

loc_AD2A78:				; CODE XREF: PiAuCreateStandardSecurityObject+11Cj
		mov	eax, [ebp+ecx*4+var_58]
		movzx	eax, byte ptr [eax+1]
		lea	esi, [esi+eax*4]
		add	esi, 10h
		inc	ecx
		cmp	ecx, 15h
		jb	short loc_AD2A78
		push	20207050h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE7A85
		push	2		; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2CA2
		push	dword ptr [edi+8]
		push	201E7h
		push	0
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAceEx@20 ; RtlAddAccessAllowedAceEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2CA2
		push	dword ptr [edi+0Ch]
		push	0F01FFh
		push	0
		push	2
		push	ebx
		call	_RtlAddAccessDeniedAceEx@20 ; RtlAddAccessDeniedAceEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2CA2
		push	dword ptr [edi]
		push	0F01FFh
		push	0
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAceEx@20 ; RtlAddAccessAllowedAceEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2CA2
		push	dword ptr [edi+10h]
		push	20125h
		push	0
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAceEx@20 ; RtlAddAccessAllowedAceEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2CA2
		push	dword ptr [edi+14h]
		push	40h
		push	0
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAceEx@20 ; RtlAddAccessAllowedAceEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2CA2
		push	dword ptr [edi+18h]
		push	40h
		push	0
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAceEx@20 ; RtlAddAccessAllowedAceEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2CA2
		xor	eax, eax
		mov	[ebp+var_60], eax

loc_AD2B5C:				; CODE XREF: PiAuCreateStandardSecurityObject+215j
		push	[ebp+eax*4+var_58]
		push	80h
		push	0
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAceEx@20 ; RtlAddAccessAllowedAceEx(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2CA2
		mov	eax, [ebp+var_60]
		inc	eax
		mov	[ebp+var_60], eax
		cmp	eax, 15h
		jb	short loc_AD2B5C
		push	1
		lea	eax, [ebp+var_8C]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2CA2
		push	0
		push	ebx
		push	1
		lea	eax, [ebp+var_8C]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_AD2CA2
		push	0
		push	dword ptr [edi]
		lea	eax, [ebp+var_8C]
		push	eax
		call	_RtlSetOwnerSecurityDescriptor@12 ; RtlSetOwnerSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2CA2
		push	0
		push	dword ptr [edi]
		lea	eax, [ebp+var_8C]
		push	eax
		call	_RtlSetGroupSecurityDescriptor@12 ; RtlSetGroupSecurityDescriptor(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD2CA2
		lea	eax, [ebp+var_8C]
		push	eax
		call	_RtlValidSecurityDescriptor@4 ;	RtlValidSecurityDescriptor(x)
		test	al, al
		jz	loc_AE7A8F
		lea	eax, [ebp+var_8C]
		push	eax
		call	_RtlLengthSecurityDescriptor@4 ; RtlLengthSecurityDescriptor(x)
		mov	esi, eax
		mov	[ebp+var_70], esi
		cmp	esi, 14h
		jb	loc_AE7A8F
		push	20207050h
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AE7A99
		push	esi		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_70]
		push	eax
		push	edi
		lea	eax, [ebp+var_8C]
		push	eax
		call	_RtlAbsoluteToSelfRelativeSD@12	; RtlAbsoluteToSelfRelativeSD(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD2C5C
		mov	_PiAuSecurityObject, edi
		xor	edi, edi

loc_AD2C5C:				; CODE XREF: PiAuCreateStandardSecurityObject+6Aj
					; PiAuCreateStandardSecurityObject+2E4j ...
		xor	eax, eax
		mov	[ebp+var_60], eax

loc_AD2C61:				; CODE XREF: PiAuCreateStandardSecurityObject+30Dj
		mov	ecx, [ebp+eax*4+var_58]
		test	ecx, ecx
		jz	short loc_AD2C74
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_60]

loc_AD2C74:				; CODE XREF: PiAuCreateStandardSecurityObject+2F9j
		inc	eax
		mov	[ebp+var_60], eax
		cmp	eax, 15h
		jb	short loc_AD2C61
		test	ebx, ebx
		jz	short loc_AD2C89
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD2C89:				; CODE XREF: PiAuCreateStandardSecurityObject+311j
		test	edi, edi
		jnz	loc_AE7AAD

loc_AD2C91:				; CODE XREF: PiAuCreateStandardSecurityObject+15147j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD2CA2:				; CODE XREF: PiAuCreateStandardSecurityObject+142j
					; PiAuCreateStandardSecurityObject+15Ej ...
		mov	edi, [ebp+var_5C]
		jmp	short loc_AD2C5C
PiAuCreateStandardSecurityObject endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ObpInitInfoBlockOffsets()
_ObpInitInfoBlockOffsets@0 proc	near	; CODE XREF: ObInitSystem+191p
		push	8
		xor	ecx, ecx
		pop	edx

loc_AD2CAD:				; CODE XREF: ObpInitInfoBlockOffsets()+48j
		mov	al, cl
		and	al, 1
		shl	al, 4
		test	cl, 2
		jz	short loc_AD2CBB
		add	al, 10h

loc_AD2CBB:				; CODE XREF: ObpInitInfoBlockOffsets()+Fj
		test	cl, 4
		jz	short loc_AD2CC2
		add	al, dl

loc_AD2CC2:				; CODE XREF: ObpInitInfoBlockOffsets()+16j
		test	cl, dl
		jz	short loc_AD2CC8
		add	al, 10h

loc_AD2CC8:				; CODE XREF: ObpInitInfoBlockOffsets()+1Cj
		test	cl, 10h
		jz	short loc_AD2CCF
		add	al, dl

loc_AD2CCF:				; CODE XREF: ObpInitInfoBlockOffsets()+23j
		test	cl, 20h
		jz	short loc_AD2CD6
		add	al, dl

loc_AD2CD6:				; CODE XREF: ObpInitInfoBlockOffsets()+2Aj
		test	cl, 40h
		jz	short loc_AD2CDD
		add	al, dl

loc_AD2CDD:				; CODE XREF: ObpInitInfoBlockOffsets()+31j
		test	cl, cl
		jns	short loc_AD2CE3
		add	al, 4

loc_AD2CE3:				; CODE XREF: ObpInitInfoBlockOffsets()+37j
		mov	_ObpInfoMaskToOffset[ecx], al
		inc	ecx
		cmp	ecx, 100h
		jb	short loc_AD2CAD
		retn
_ObpInitInfoBlockOffsets@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall ExInitSystemPhase2()
_ExInitSystemPhase2@0 proc near		; CODE XREF: Phase1InitializationDiscard(x):loc_AC1119p
		mov	edi, edi
		push	ecx
		call	ExpWatchProductTypeInitialization
		or	dword ptr ds:0FFDF02E0h, 0FFFFFFFFh
		xor	ecx, ecx
		call	_BootApplicationPersistentDataProcess@4	; BootApplicationPersistentDataProcess(x)
		push	2
		call	ds:__imp__ExpMicrocodeInitialization@4 ; ExpMicrocodeInitialization(x)
		mov	eax, ds:_KeMaximumProcessors
		cmp	ds:_ExpFreeListCount, eax
		ja	short loc_AD2D21
		pop	ecx
		retn
; 

loc_AD2D21:				; CODE XREF: ExInitSystemPhase2()+29j
		mov	ds:_ExpFreeListCount, eax
		pop	ecx
		retn
_ExInitSystemPhase2@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BapdpProcessFwUpdateResults proc near	; CODE XREF: BootApplicationPersistentDataProcess(x)+39p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7ABA SIZE 00000048 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], 0D5651EBCh
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], 494F152Fh
		push	eax		; int
		push	edi		; void *
		push	edi		; int
		lea	edx, [ebp+var_14] ; void *
		mov	[ebp+var_C], 3C4A45BBh
		mov	[ebp+var_8], 0EED9EB83h
		mov	esi, edi
		mov	[ebp+var_18], edi
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	loc_AE7ABA

loc_AD2D78:				; CODE XREF: BapdpProcessFwUpdateResults+14DB0j
		test	eax, eax
		jns	loc_AE7ADD

loc_AD2D80:				; CODE XREF: BapdpProcessFwUpdateResults+14DC5j
					; BapdpProcessFwUpdateResults+14DD5j
		test	esi, esi
		jnz	short loc_AD2D92

loc_AD2D84:				; CODE XREF: BapdpProcessFwUpdateResults+71j
					; BapdpProcessFwUpdateResults+14DA8j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD2D92:				; CODE XREF: BapdpProcessFwUpdateResults+5Aj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_AD2D84
BapdpProcessFwUpdateResults endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BapdpProcessWmdResults proc near	; CODE XREF: BootApplicationPersistentDataProcess(x)+16p

var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7B02 SIZE 0000007A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_14], 54B8275Bh
		lea	edi, [ebp+var_3C]
		mov	[ebp+var_10], 473FD431h
		stosd
		push	64506142h
		mov	[ebp+var_C], 36E5FBACh
		mov	[ebp+var_8], 0A39484A0h
		stosd
		stosd
		stosd
		mov	edi, 10000h
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_AD2E3F
		xor	esi, esi
		mov	[ebp+var_15], 0
		and	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_28], edi

loc_AD2E00:				; CODE XREF: BapdpProcessWmdResults+90j
		lea	eax, [ebp+var_28]
		mov	edi, esi
		push	eax		; int
		push	ebx		; void *
		push	esi		; int
		lea	edx, [ebp+var_14] ; void *
		mov	[ebp+var_24], edi
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		mov	[ebp+var_2C], eax
		test	eax, eax
		jns	loc_AE7B02
		mov	cl, [ebp+var_15]

loc_AD2E21:				; CODE XREF: BapdpProcessWmdResults+14DB5j
		mov	eax, [ebp+var_20]

loc_AD2E24:				; CODE XREF: BapdpProcessWmdResults+14D8Ej
		inc	esi
		cmp	[ebp+var_2C], 0
		mov	[ebp+var_1C], esi
		jge	short loc_AD2E00
		cmp	cl, 1
		jz	loc_AE7B56

loc_AD2E37:				; CODE XREF: BapdpProcessWmdResults+14DCEj
					; BapdpProcessWmdResults+14DDBj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD2E3F:				; CODE XREF: BapdpProcessWmdResults+53j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
BapdpProcessWmdResults endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BapdpProcessBootMetadata proc near	; CODE XREF: BootApplicationPersistentDataProcess(x)+77p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7B7C SIZE 00000067 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_14], 5B043C6Ch
		push	edi
		mov	[ebp+var_10], 479C9BC5h
		mov	[ebp+var_C], 6788718Fh
		mov	[ebp+var_8], 3EE1947Bh
		mov	_ExSoftRebootFlags, ebx
		mov	_ExSoftRebootState, ebx
		mov	_ExBootLoaderMetadata, ebx
		call	_ExIsSoftBoot@0	; ExIsSoftBoot()
		test	al, al
		jnz	loc_AE7B7C

loc_AD2EA0:				; CODE XREF: BapdpProcessBootMetadata+14D3Bj
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], ebx
		push	eax		; int
		push	ebx		; void *
		push	ebx		; int
		lea	edx, [ebp+var_14] ; void *
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	loc_AE7B8E

loc_AD2EBC:				; CODE XREF: BapdpProcessBootMetadata+14D57j
					; BapdpProcessBootMetadata+14D83j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
BapdpProcessBootMetadata endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BapdpProcessEDrvHintInfo proc near	; CODE XREF: BootApplicationPersistentDataProcess(x)+34p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7BE3 SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], 0E61E38DEh
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], 411AA6E9h
		push	eax		; int
		push	edi		; void *
		push	edi		; int
		lea	edx, [ebp+var_14] ; void *
		mov	[ebp+var_C], 0A8555BDh
		mov	[ebp+var_8], 64631481h
		mov	esi, edi
		mov	[ebp+var_18], edi
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	loc_AE7BE3

loc_AD2F1C:				; CODE XREF: BapdpProcessEDrvHintInfo+14D35j
		test	eax, eax
		jns	loc_AE7C06

loc_AD2F24:				; CODE XREF: BapdpProcessEDrvHintInfo+14D4Aj
					; BapdpProcessEDrvHintInfo+14D54j ...
		test	esi, esi
		jnz	short loc_AD2F36

loc_AD2F28:				; CODE XREF: BapdpProcessEDrvHintInfo+71j
					; BapdpProcessEDrvHintInfo+14D2Dj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD2F36:				; CODE XREF: BapdpProcessEDrvHintInfo+5Aj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_AD2F28
BapdpProcessEDrvHintInfo endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BapdpProcessHSTIResults	proc near	; CODE XREF: BootApplicationPersistentDataProcess(x)+81p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7C32 SIZE 0000004B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], 0C0D9DF24h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], 4E53D1DDh
		push	eax		; int
		push	edi		; void *
		push	edi		; int
		lea	edx, [ebp+var_14] ; void *
		mov	[ebp+var_C], 0D8CBEB95h
		mov	[ebp+var_8], 8665B827h
		mov	esi, edi
		mov	[ebp+var_18], edi
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	loc_AE7C32

loc_AD2F90:				; CODE XREF: BapdpProcessHSTIResults+14D0Dj
		test	eax, eax
		jns	loc_AE7C52

loc_AD2F98:				; CODE XREF: BapdpProcessHSTIResults+14D22j
					; BapdpProcessHSTIResults+14D38j
		test	esi, esi
		jnz	short loc_AD2FAA

loc_AD2F9C:				; CODE XREF: BapdpProcessHSTIResults+71j
					; BapdpProcessHSTIResults+14D05j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD2FAA:				; CODE XREF: BapdpProcessHSTIResults+5Aj
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_AD2F9C
BapdpProcessHSTIResults	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall BootApplicationPersistentDataProcess(x)
_BootApplicationPersistentDataProcess@4	proc near ; CODE XREF: INIT:00AC2D0Ap
					; ExInitSystemPhase2()+11p
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		mov	edi, offset dword_6FD470
		cmp	dword_6FD470, edi
		jz	short loc_AD3022
		test	ecx, ecx
		jnz	short loc_AD3026
		call	BapdpProcessWmdResults
		call	_BapdpProcessResumeInformation@0 ; BapdpProcessResumeInformation()
		call	_BapdpProcessBitlockerStatus@0 ; BapdpProcessBitlockerStatus()
		xor	ecx, ecx
		call	_BapdpRegisterWbclData@4 ; BapdpRegisterWbclData(x)
		xor	ecx, ecx
		inc	ecx
		call	_BapdpRegisterWbclData@4 ; BapdpRegisterWbclData(x)
		call	BapdpProcessEDrvHintInfo
		call	BapdpProcessFwUpdateResults
		jmp	short loc_AD3022
; 

loc_AD2FF4:				; CODE XREF: BootApplicationPersistentDataProcess(x)+6Cj
		push	0
		push	dword ptr [esi+8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD3006:				; CODE XREF: BootApplicationPersistentDataProcess(x)+8Bj
		mov	esi, dword_6FD474
		mov	eax, [esi+4]
		cmp	[esi], edi
		jnz	short loc_AD3041
		cmp	[eax], esi
		jnz	short loc_AD3041
		mov	dword_6FD474, eax
		mov	[eax], edi
		cmp	esi, edi
		jnz	short loc_AD2FF4

loc_AD3022:				; CODE XREF: BootApplicationPersistentDataProcess(x)+10j
					; BootApplicationPersistentDataProcess(x)+3Ej ...
		pop	edi
		pop	esi
		pop	ecx
		retn
; 

loc_AD3026:				; CODE XREF: BootApplicationPersistentDataProcess(x)+14j
		cmp	ecx, 1
		jnz	short loc_AD3022
		call	BapdpProcessBootMetadata
		call	BapdpProcessEtwEvents
		call	BapdpProcessHSTIResults
		call	BapdpMarshallBootDataToRegistry
		jmp	short loc_AD3006
; 

loc_AD3041:				; CODE XREF: BootApplicationPersistentDataProcess(x)+5Dj
					; BootApplicationPersistentDataProcess(x)+61j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_BootApplicationPersistentDataProcess@4	endp ; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpProcessResumeInformation()
_BapdpProcessResumeInformation@0 proc near
					; CODE XREF: BootApplicationPersistentDataProcess(x)+1Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], 60C95D64h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], 4287ADE2h
		push	eax		; int
		push	edi		; void *
		push	edi		; int
		lea	edx, [ebp+var_14] ; void *
		mov	[ebp+var_C], 33F06090h
		mov	[ebp+var_8], 2ED01901h
		mov	esi, edi
		mov	[ebp+var_18], edi
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_AD30AC
		push	64506142h
		push	[ebp+var_18]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_AD30D7
		mov	eax, edi

loc_AD30AC:				; CODE XREF: BapdpProcessResumeInformation()+4Aj
		test	eax, eax
		js	short loc_AD30CC
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	esi		; void *
		push	edi		; int
		lea	edx, [ebp+var_14] ; void *
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		test	eax, eax
		js	short loc_AD30CC
		mov	edx, [ebp+var_18]
		mov	ecx, esi
		call	_BapdpRegisterResumeInformation@8 ; BapdpRegisterResumeInformation(x,x)

loc_AD30CC:				; CODE XREF: BapdpProcessResumeInformation()+68j
					; BapdpProcessResumeInformation()+7Aj
		test	esi, esi
		jz	short loc_AD30D7
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD30D7:				; CODE XREF: BapdpProcessResumeInformation()+62j
					; BapdpProcessResumeInformation()+88j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_BapdpProcessResumeInformation@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpProcessBitlockerStatus()
_BapdpProcessBitlockerStatus@0 proc near
					; CODE XREF: BootApplicationPersistentDataProcess(x)+20p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_14], 0BD750217h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], 40C62A5Eh
		push	eax		; int
		push	edi		; void *
		push	edi		; int
		lea	edx, [ebp+var_14] ; void *
		mov	[ebp+var_C], 3C18DFABh
		mov	[ebp+var_8], 2B0F76C7h
		mov	esi, edi
		mov	[ebp+var_18], edi
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_AD314C
		push	64506142h
		push	[ebp+var_18]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_AD3177
		mov	eax, edi

loc_AD314C:				; CODE XREF: BapdpProcessBitlockerStatus()+4Aj
		test	eax, eax
		js	short loc_AD316C
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	esi		; void *
		push	edi		; int
		lea	edx, [ebp+var_14] ; void *
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		test	eax, eax
		js	short loc_AD316C
		mov	edx, [ebp+var_18]
		mov	ecx, esi
		call	_BapdpRegisterBitlockerStatus@8	; BapdpRegisterBitlockerStatus(x,x)

loc_AD316C:				; CODE XREF: BapdpProcessBitlockerStatus()+68j
					; BapdpProcessBitlockerStatus()+7Aj
		test	esi, esi
		jz	short loc_AD3177
		push	edi
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD3177:				; CODE XREF: BapdpProcessBitlockerStatus()+62j
					; BapdpProcessBitlockerStatus()+88j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_BapdpProcessBitlockerStatus@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpRegisterWbclData(x)
_BapdpRegisterWbclData@4 proc near	; CODE XREF: BootApplicationPersistentDataProcess(x)+27p
					; BootApplicationPersistentDataProcess(x)+2Fp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	ebx, ebx
		push	esi
		mov	esi, ebx
		push	edi
		sub	ecx, ebx
		jz	loc_AD3238
		sub	ecx, 1		; int
		jnz	short loc_AD3229
		push	2
		mov	[ebp+var_14], 0B8728CAEh
		mov	[ebp+var_10], 45BE0A5Dh
		mov	[ebp+var_C], 171D495h
		mov	[ebp+var_8], 252ED19Ah
		pop	edi

loc_AD31CB:				; CODE XREF: BapdpRegisterWbclData(x)+D0j
		lea	eax, [ebp+var_18]
		mov	[ebp+var_18], ebx
		push	eax		; int
		push	ebx		; void *
		push	ebx		; int
		lea	edx, [ebp+var_14] ; void *
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_AD31FD
		push	64506142h
		push	[ebp+var_18]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_AD3229
		mov	eax, ebx

loc_AD31FD:				; CODE XREF: BapdpRegisterWbclData(x)+5Bj
		test	eax, eax
		js	short loc_AD321E
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	esi		; void *
		push	ebx		; int
		lea	edx, [ebp+var_14] ; void *
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		test	eax, eax
		js	short loc_AD321E
		mov	edx, [ebp+var_18]
		mov	ecx, esi
		push	edi
		call	_BapdRegisterSiData@12 ; BapdRegisterSiData(x,x,x)

loc_AD321E:				; CODE XREF: BapdpRegisterWbclData(x)+79j
					; BapdpRegisterWbclData(x)+8Bj
		test	esi, esi
		jz	short loc_AD3229
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD3229:				; CODE XREF: BapdpRegisterWbclData(x)+24j
					; BapdpRegisterWbclData(x)+73j	...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD3238:				; CODE XREF: BapdpRegisterWbclData(x)+1Bj
		mov	[ebp+var_14], 0B639D9DDh
		mov	edi, ebx
		mov	[ebp+var_10], 471C6272h
		mov	[ebp+var_C], 3459B2B1h
		mov	[ebp+var_8], 2FE04810h
		jmp	loc_AD31CB
_BapdpRegisterWbclData@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall BapdpQueryData(int,void *,int,void *,int)
_BapdpQueryData@20 proc	near		; CODE XREF: BapdpProcessEtwEvents+45p
					; BapdpProcessEtwEvents+86p ...

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	ecx, edx
		mov	[ebp+var_4], ecx
		test	edi, edi
		jz	short loc_AD32E5
		test	ecx, ecx
		jz	short loc_AD32E5
		mov	eax, [edi]
		mov	[ebp+var_8], eax
		test	eax, eax
		jnz	short loc_AD32DF

loc_AD327F:				; CODE XREF: BapdpQueryData(x,x,x,x,x)+87j
		and	[ebp+arg_8], 0
		mov	ebx, dword_6FD470

loc_AD3289:				; CODE XREF: BapdpQueryData(x,x,x,x,x)+3Fj
					; BapdpQueryData(x,x,x,x,x)+44j ...
		cmp	ebx, offset dword_6FD470
		jz	short loc_AD32D3
		mov	esi, [ebx+8]
		mov	ebx, [ebx]
		mov	eax, [esi+20h]
		test	eax, eax
		jz	short loc_AD3289
		cmp	eax, 2
		ja	short loc_AD3289
		push	10h		; size_t
		lea	eax, [esi+10h]
		push	eax		; void *
		push	ecx		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_AD32BA

loc_AD32B5:				; CODE XREF: BapdpQueryData(x,x,x,x,x)+AAj
		mov	ecx, [ebp+var_4]
		jmp	short loc_AD3289
; 

loc_AD32BA:				; CODE XREF: BapdpQueryData(x,x,x,x,x)+57j
		mov	ecx, [ebp+arg_8]
		cmp	[ebp+arg_0], ecx
		jnz	short loc_AD3302
		mov	eax, [esi+24h]
		cmp	[ebp+var_8], eax
		jnb	short loc_AD32EC
		mov	[edi], eax
		mov	eax, 0C0000023h
		jmp	short loc_AD32D8
; 

loc_AD32D3:				; CODE XREF: BapdpQueryData(x,x,x,x,x)+33j
		mov	eax, 0C0000225h

loc_AD32D8:				; CODE XREF: BapdpQueryData(x,x,x,x,x)+75j
					; BapdpQueryData(x,x,x,x,x)+8Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	0Ch
; 

loc_AD32DF:				; CODE XREF: BapdpQueryData(x,x,x,x,x)+21j
		cmp	[ebp+arg_4], 0
		jnz	short loc_AD327F

loc_AD32E5:				; CODE XREF: BapdpQueryData(x,x,x,x,x)+14j
					; BapdpQueryData(x,x,x,x,x)+18j
		mov	eax, 0C000000Dh
		jmp	short loc_AD32D8
; 

loc_AD32EC:				; CODE XREF: BapdpQueryData(x,x,x,x,x)+6Cj
		push	eax		; size_t
		mov	eax, [esi+28h]
		add	eax, esi
		push	eax		; void *
		push	[ebp+arg_4]	; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax
		jmp	short loc_AD32D8
; 

loc_AD3302:				; CODE XREF: BapdpQueryData(x,x,x,x,x)+64j
		inc	ecx
		mov	[ebp+arg_8], ecx
		jmp	short loc_AD32B5
_BapdpQueryData@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpRegisterBitlockerStatus(x, x)
_BapdpRegisterBitlockerStatus@8	proc near ; CODE XREF: BapdpProcessBitlockerStatus()+81p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	[ebp+var_C], edi
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		test	esi, esi
		jz	loc_AD33EF
		cmp	edx, 4
		jnz	loc_AD33EF
		push	offset ??_C@_1GG@IBGAEKLO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@PBOPGDP@ ; "\\"
		lea	eax, [ebp+var_14]
		mov	[ebp+var_4], edi
		push	eax
		mov	[ebp+var_8], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	ebx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_28], edi
		push	eax
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_AD33EF
		push	offset ??_C@_1CA@GKOLLCBA@?$AAB?$AAi?$AAt?$AAl?$AAo?$AAc?$AAk?$AAe?$AAr?$AAS?$AAt?$AAa?$AAt?$AAu?$AAs@PBOPGDP@ ; "BitlockerStatus"
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_4]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	1
		push	edi
		push	edi
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_2C], ebx
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], 240h
		push	eax
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	[ebp+var_4]
		test	eax, eax
		js	short loc_AD33EA
		call	_ZwClose@4	; ZwClose(x)
		push	offset ??_C@_1BG@LCMMIACL@?$AAB?$AAo?$AAo?$AAt?$AAS?$AAt?$AAa?$AAt?$AAu?$AAs@PBOPGDP@ ;	"BootStatus"
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		push	esi
		push	4
		push	edi
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_8]

loc_AD33EA:				; CODE XREF: BapdpRegisterBitlockerStatus(x,x)+B8j
		call	_ZwClose@4	; ZwClose(x)

loc_AD33EF:				; CODE XREF: BapdpRegisterBitlockerStatus(x,x)+1Aj
					; BapdpRegisterBitlockerStatus(x,x)+23j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_BapdpRegisterBitlockerStatus@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpRegisterResumeInformation(x, x)
_BapdpRegisterResumeInformation@8 proc near ; CODE XREF: BapdpProcessResumeInformation()+81p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	esi, edx
		push	edi
		mov	edi, ecx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		test	edi, edi
		jz	loc_AD34E0
		test	esi, esi
		jz	loc_AD34E0
		push	offset ??_C@_1GG@IBGAEKLO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@PBOPGDP@ ; "\\"
		lea	eax, [ebp+var_14]
		mov	[ebp+var_4], ebx
		push	eax
		mov	[ebp+var_8], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_14]
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_28], ebx
		push	eax
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_AD34E0
		push	offset ??_C@_1BE@DIPHLEGJ@?$AAW?$AAi?$AAn?$AAr?$AAe?$AAs?$AAu?$AAm?$AAe@PBOPGDP@
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_4]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	1
		push	ebx
		push	ebx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_2C], 18h
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], 240h
		push	eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	[ebp+var_4]
		test	eax, eax
		js	short loc_AD34DB
		call	_ZwClose@4	; ZwClose(x)
		push	offset ??_C@_1BM@DBOPHHKE@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAC?$AAo?$AAn?$AAt?$AAe?$AAx?$AAt@PBOPGDP@ ; "ResumeContext"
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		push	edi
		push	3
		push	ebx
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_8]

loc_AD34DB:				; CODE XREF: BapdpRegisterResumeInformation(x,x)+BEj
		call	_ZwClose@4	; ZwClose(x)

loc_AD34E0:				; CODE XREF: BapdpRegisterResumeInformation(x,x)+1Cj
					; BapdpRegisterResumeInformation(x,x)+24j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_BapdpRegisterResumeInformation@8 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWatchProductTypeInitialization proc near ; CODE XREF: ExInitSystemPhase2()+3p

var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_80		= dword	ptr -80h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_44		= dword	ptr -44h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE7C7D SIZE 0000009F BYTES
; FUNCTION CHUNK AT 00AE7D3F SIZE 00000413 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0ECh
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0ECh+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+0F8h+var_90]
		stosd
		xor	ecx, ecx
		mov	[esp+0F8h+var_AC], ecx
		mov	ebx, ecx
		mov	[esp+0F8h+var_A8], ecx
		mov	[esp+0F8h+var_D0], ecx
		stosd
		mov	[esp+0F8h+var_CC], ecx
		mov	[esp+0F8h+var_E8], ecx
		mov	[esp+0F8h+var_A0], ecx
		stosd
		mov	[esp+0F8h+var_D8], ecx
		mov	_ExpSetupModeDetected, cl
		mov	_ExpSystemSetupInProgress, cl
		stosd
		mov	byte ptr ds:0FFDF0268h,	1
		call	ExpGetNtProductTypeFromLicenseValue
		push	ds:off_A41478
		lea	eax, [esp+0FCh+var_AC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+0F8h+var_AC]
		mov	[esp+0F8h+var_C4], 18h
		mov	[esp+0F8h+var_BC], eax
		xor	ecx, ecx
		lea	eax, [esp+0F8h+var_C4]
		mov	[esp+0F8h+var_C0], ecx
		push	eax
		push	2001Fh
		push	offset _ExpSetupKey
		mov	[esp+104h+var_B8], 240h
		mov	[esp+104h+var_B4], ecx
		mov	[esp+104h+var_B0], ecx
		call	_NtOpenKey@12	; NtOpenKey(x,x,x)
		test	eax, eax
		js	loc_AE7C86
		mov	eax, ds:_CmKeyObjectType
		xor	edx, edx
		mov	ecx, _ExpSetupKey
		push	edx
		mov	[esp+0FCh+var_E4], edx
		lea	edx, [esp+0FCh+var_E4]
		push	edx
		xor	edx, edx
		push	edx
		push	eax
		push	edx
		push	ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, [esp+0F8h+var_E4]
		test	eax, eax
		js	loc_AE7C7D
		push	ds:off_A4147C
		lea	eax, [esp+0FCh+var_D0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+0F8h+var_E8]
		push	eax		; int
		push	48h		; int
		lea	eax, [esp+100h+var_50]
		push	eax		; int
		push	2
		pop	edi
		push	edi		; size_t
		lea	eax, [esp+108h+var_D0]
		push	eax		; int
		push	_ExpSetupKey	; int
		call	NtQueryValueKey
		test	eax, eax
		js	loc_AE8146
		cmp	[esp+0F8h+var_44], 1
		jz	loc_AE7C97
		cmp	[esp+0F8h+var_44], 4
		jz	loc_AE7C97

loc_AD361E:				; CODE XREF: ExpWatchProductTypeInitialization+147CFj
		push	ds:off_A414E0
		lea	eax, [esp+0FCh+var_D0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+0F8h+var_E8]
		push	eax		; int
		push	48h		; int
		lea	eax, [esp+100h+var_50]
		push	eax		; int
		push	edi		; size_t
		lea	eax, [esp+108h+var_D0]
		push	eax		; int
		push	_ExpSetupKey	; int
		call	NtQueryValueKey
		test	eax, eax
		js	loc_AE8146
		cmp	[esp+0F8h+var_44], 1
		jz	loc_AE7CBA

loc_AD3664:				; CODE XREF: ExpWatchProductTypeInitialization+147DBj
		cmp	_InitIsWinPEMode, bl
		jnz	loc_AE7CC6
		push	ds:off_A41484
		xor	eax, eax
		mov	dword_6BBE28, offset ExpWatchProductTypeWork
		mov	dword_6BBE2C, eax
		mov	_ExpWatchProductTypeWorkItem, eax
		lea	eax, [esp+0FCh+var_AC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+0F8h+var_AC]
		mov	[esp+0F8h+var_C4], 18h
		mov	[esp+0F8h+var_BC], eax
		xor	ecx, ecx
		lea	eax, [esp+0F8h+var_C4]
		mov	[esp+0F8h+var_C0], ecx
		push	eax
		push	2001Fh
		push	offset _ExpProductTypeKey
		mov	[esp+104h+var_B8], 240h
		mov	[esp+104h+var_B4], ecx
		mov	[esp+104h+var_B0], ecx
		call	_NtOpenKey@12	; NtOpenKey(x,x,x)
		test	eax, eax
		js	loc_AE7CD1
		cmp	_ExpSetupModeDetected, bl
		jnz	short loc_AD370C
		mov	eax, ds:_CmKeyObjectType
		lea	edx, [esp+0F8h+var_E4]
		mov	ecx, _ExpProductTypeKey
		xor	ebx, ebx
		push	ebx
		push	edx
		push	ebx
		push	eax
		push	ebx
		push	ecx
		mov	[esp+110h+var_E4], ebx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	ebx, [esp+0F8h+var_E4]
		test	eax, eax
		js	loc_AE7CE6

loc_AD370C:				; CODE XREF: ExpWatchProductTypeInitialization+1F8j
		mov	_ExpControlKey,	esi
		mov	dword_6BBE54, ebx
		call	ExpUpdateProductSuiteTypeInRegistry
		push	ds:off_A41488
		lea	eax, [esp+0FCh+var_D0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ebx, 2079654Bh
		push	ebx
		push	22h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_ExpProductTypeValueInfo, eax
		test	eax, eax
		jz	loc_AD38B5
		lea	ecx, [esp+0F8h+var_E8]
		push	ecx		; int
		push	22h		; int
		push	eax		; int
		push	edi		; size_t
		lea	eax, [esp+108h+var_D0]
		push	eax		; int
		push	_ExpProductTypeKey ; int
		call	NtQueryValueKey
		test	eax, eax
		js	loc_AE7CEF
		push	ds:off_A41498
		lea	eax, [esp+0FCh+var_D0]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+0F8h+var_E8]
		push	eax		; int
		push	10h		; int
		lea	eax, [esp+100h+var_90]
		push	eax		; int
		push	edi		; size_t
		lea	eax, [esp+108h+var_D0]
		push	eax		; int
		push	_ExpProductTypeKey ; int
		call	NtQueryValueKey
		cmp	eax, 80000005h
		jnz	loc_AE7D3F
		mov	eax, [esp+0F8h+var_E8]
		add	eax, 10h
		push	ebx
		push	eax
		push	1
		mov	[esp+104h+var_E8], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	dword_6D6EF0, eax
		test	eax, eax
		jz	loc_AE7D05
		lea	ecx, [esp+0F8h+var_E8]
		push	ecx		; int
		push	[esp+0FCh+var_E8] ; int
		push	eax		; int
		push	edi		; size_t
		lea	eax, [esp+108h+var_D0]
		push	eax		; int
		push	_ExpProductTypeKey ; int
		call	NtQueryValueKey
		xor	ebx, ebx
		test	eax, eax
		js	sub_AE7D1C

loc_AD37E8:				; CODE XREF: sub_AE7D1C+1Ej
					; ExpWatchProductTypeInitialization+1485Bj
		mov	edx, ds:off_A4148C
		mov	ecx, edx
		lea	esi, [ecx+2]

loc_AD37F3:				; CODE XREF: ExpWatchProductTypeInitialization+315j
		mov	ax, [ecx]
		add	ecx, edi
		cmp	ax, bx
		jnz	short loc_AD37F3
		mov	eax, _ExpProductTypeValueInfo
		sub	ecx, esi
		sar	ecx, 1
		add	eax, 0Ch
		push	ecx		; size_t
		push	eax		; wchar_t *
		push	edx		; wchar_t *
		call	_wcsncmp
		add	esp, 0Ch
		push	3
		pop	ecx
		test	eax, eax
		jz	loc_AE7D46

loc_AD381F:				; CODE XREF: ExpWatchProductTypeInitialization+14866j
					; ExpWatchProductTypeInitialization+14873j ...
		push	1
		push	4
		push	offset _ExpProductTypeChangeBuffer
		push	ebx
		push	10000005h
		push	offset _ExpProductTypeIoSb
		push	1
		push	offset _ExpWatchProductTypeWorkItem
		push	ebx
		push	_ExpProductTypeKey
		call	_NtNotifyChangeKey@40 ;	NtNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_AE7D71
		push	ds:off_A4149C
		lea	eax, [esp+0FCh+var_AC]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+0F8h+var_AC]
		mov	[esp+0F8h+var_C4], 18h
		mov	[esp+0F8h+var_BC], eax
		lea	eax, [esp+0F8h+var_C4]
		push	eax
		push	20019h
		lea	eax, [esp+100h+var_D8]
		mov	[esp+100h+var_C0], ebx
		push	eax
		mov	[esp+104h+var_B8], 240h
		mov	[esp+104h+var_B4], ebx
		mov	[esp+104h+var_B0], ebx
		call	_NtOpenKey@12	; NtOpenKey(x,x,x)
		test	eax, eax
		jns	loc_AE7D88

loc_AD389E:				; CODE XREF: ExpWatchProductTypeInitialization+147E6j
					; ExpWatchProductTypeInitialization+14C2Cj
		mov	al, 1

loc_AD38A0:				; CODE XREF: ExpWatchProductTypeInitialization+3D1j
		mov	ecx, [esp+0F8h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_AD38B5:				; CODE XREF: ExpWatchProductTypeInitialization+25Dj
					; ExpWatchProductTypeInitialization+147F1j ...
		xor	al, al
		jmp	short loc_AD38A0
ExpWatchProductTypeInitialization endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpUpdateProductSuiteTypeInRegistry proc near
					; CODE XREF: ExpWatchProductTypeInitialization+232p

var_318		= dword	ptr -318h
var_314		= dword	ptr -314h
var_310		= dword	ptr -310h
var_30C		= dword	ptr -30Ch
var_308		= dword	ptr -308h
var_304		= dword	ptr -304h
var_300		= dword	ptr -300h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE8152 SIZE 000003CF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 31Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, _ExpProductTypeKey
		lea	eax, [ebp+var_300]
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_318], ebx
		mov	esi, 2F6h
		mov	[ebp+var_304], edi
		push	esi		; size_t
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_314], edi
		mov	[ebp+var_310], edi
		mov	[ebp+var_30C], edi
		mov	[ebp+var_308], edi
		call	_memset
		add	esp, 0Ch
		cmp	_ExpSetupModeDetected, 0
		jnz	loc_AD3AF7
		push	ds:off_A41488
		lea	eax, [ebp+var_314]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, ds:0FFDF0264h
		dec	eax
		sub	eax, 1
		jz	loc_AE815A
		sub	eax, 1
		lea	eax, [ebp+var_30C]
		jz	loc_AE8152
		push	ds:off_A41494
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, ds:off_A41494
		lea	edx, [ecx+2]

loc_AD3966:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+B5j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_AD3966
		sub	ecx, edx
		sar	ecx, 1
		lea	ecx, ds:2[ecx*2]

loc_AD397C:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+148B5j
		push	ecx
		push	[ebp+var_308]
		lea	eax, [ebp+var_314]
		push	1
		push	edi
		push	eax
		push	ebx
		call	NtSetValueKey
		test	eax, eax
		js	loc_AE8174
		push	ds:off_A41498
		lea	eax, [ebp+var_314]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	eax, eax
		lea	edi, [ebp+var_300]
		push	eax
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_AE8189

loc_AD39C3:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+148F6j
					; ExpUpdateProductSuiteTypeInRegistry+14917j
		push	1
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_AE81D6

loc_AD39D2:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14943j
					; ExpUpdateProductSuiteTypeInRegistry+14958j
		push	2
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_AE8217

loc_AD39E1:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14984j
					; ExpUpdateProductSuiteTypeInRegistry+14999j
		push	3
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_AE8258

loc_AD39F0:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+149C5j
					; ExpUpdateProductSuiteTypeInRegistry+149DAj
		push	4
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jz	short loc_AD3A33
		mov	edx, ds:off_A414B8
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AD3A06:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+159j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AD3A06
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	esi, ebx
		jbe	short loc_AD3A33
		push	ebx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, ebx
		sub	esi, ebx

loc_AD3A33:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+13Fj
					; ExpUpdateProductSuiteTypeInRegistry+168j
		push	5
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_AE8299

loc_AD3A42:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14A06j
					; ExpUpdateProductSuiteTypeInRegistry+14A1Bj
		push	6
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_AE82DA

loc_AD3A51:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14A47j
					; ExpUpdateProductSuiteTypeInRegistry+14A5Cj
		push	7
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_AE831B

loc_AD3A60:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14A88j
					; ExpUpdateProductSuiteTypeInRegistry+14A9Dj
		push	9
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_AE835C

loc_AD3A6F:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14AC9j
					; ExpUpdateProductSuiteTypeInRegistry+14ADEj
		push	0Ah
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_AE839D

loc_AD3A7E:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14B0Aj
					; ExpUpdateProductSuiteTypeInRegistry+14B1Fj
		push	0Bh
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_AE83DE

loc_AD3A8D:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14B4Bj
					; ExpUpdateProductSuiteTypeInRegistry+14B60j
		push	0Ch
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_AE841F

loc_AD3A9C:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14B8Cj
					; ExpUpdateProductSuiteTypeInRegistry+14BA1j
		push	0Dh
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_AE8460

loc_AD3AAB:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14BCDj
					; ExpUpdateProductSuiteTypeInRegistry+14BE2j
		push	0Eh
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_AE84A1

loc_AD3ABA:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14C0Ej
					; ExpUpdateProductSuiteTypeInRegistry+14C23j
		push	10h
		call	_ExVerifySuite@4 ; ExVerifySuite(x)
		test	al, al
		jnz	loc_AE84E2

loc_AD3AC9:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14C4Fj
					; ExpUpdateProductSuiteTypeInRegistry+14C62j
		mov	eax, 2F8h
		xor	ebx, ebx
		sub	eax, esi
		push	eax
		lea	eax, [ebp+var_300]
		push	eax
		push	7
		push	ebx
		lea	eax, [ebp+var_314]
		push	eax
		push	[ebp+var_318]
		call	NtSetValueKey
		test	eax, eax
		js	loc_AE8179

loc_AD3AF7:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+61j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
ExpUpdateProductSuiteTypeInRegistry endp


;  S U B	R O U T	I N E 


; __stdcall PfInitializeSuperfetch()
_PfInitializeSuperfetch@0 proc near	; CODE XREF: Phase1InitializationDiscard(x):loc_AC0E9Bp
		mov	edi, edi
		push	esi
		mov	ecx, offset _PfGlobals ; void *
		call	_PfpParametersInitialize@4 ; PfpParametersInitialize(x)
		mov	ecx, offset unk_6D48C0 ; void *
		call	PfpRpInitialize
		mov	esi, offset unk_6D4870
		mov	ecx, esi	; void *
		call	_PfpScenCtxInitialize@4	; PfpScenCtxInitialize(x)
		mov	ecx, esi
		call	_PfpScenCtxStart@4 ; PfpScenCtxStart(x)
		mov	esi, offset unk_6D492C
		mov	ecx, esi
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	ecx, esi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, esi
		call	@ExRundownCompleted@4 ;	ExRundownCompleted(x)
		or	dword_6D4940, 1
		mov	eax, offset dword_6D4938
		xor	esi, esi
		mov	dword_6D493C, eax
		mov	dword_6D4930, esi
		mov	dword_6D4934, esi
		mov	dword_6D4938, eax
		call	_PfSnInitializePrefetcher@0 ; PfSnInitializePrefetcher()
		push	esi		; char
		mov	ecx, offset _PfTGlobals	; void *
		call	PfTInitialize
		mov	eax, dword_6D4684
		test	eax, eax
		jz	short loc_AD3BA9
		push	1
		push	4
		push	offset unk_6D46A0
		push	esi
		push	1000000Fh
		push	offset unk_6D4688
		push	1
		push	offset unk_6D4690
		push	esi
		push	eax
		call	_ZwNotifyChangeKey@40 ;	ZwNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)

loc_AD3BA9:				; CODE XREF: PfInitializeSuperfetch()+7Fj
		xor	eax, eax
		pop	esi
		retn
_PfInitializeSuperfetch@0 endp ; sp =  8

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall PfpParametersInitialize(void *)
_PfpParametersInitialize@4 proc	near	; CODE XREF: PfInitializeSuperfetch()+8p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		push	1F0h		; size_t
		push	edi		; int
		push	esi		; void *
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		call	_memset
		mov	dword ptr [esi+18h], offset _PfpParametersWatcher@4 ; PfpParametersWatcher(x)
		add	esp, 0Ch
		mov	[esi+1Ch], esi
		mov	eax, 2710h
		mov	[esi+10h], edi
		mov	ecx, esi
		mov	[esi+28h], edi
		mov	dword ptr [esi+24h], 80000000h
		mov	dword ptr [esi+30h], 10h
		mov	dword ptr [esi+2Ch], 40h
		mov	dword ptr [esi+34h], 1388h
		mov	[esi+38h], eax
		mov	[esi+3Ch], eax
		call	_PfSnParametersSetDefaults@4 ; PfSnParametersSetDefaults(x)
		push	offset ??_C@_1FG@HIGCKPME@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@PBOPGDP@
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	edx, edx
		lea	ecx, [ebp+var_C]
		push	esi
		inc	edx
		call	PfpCreateEvent
		push	(offset	loc_ADF367+1)
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_14]
		mov	[ebp+var_2C], 18h
		push	edi
		mov	[ebp+var_24], eax
		lea	ebx, [esi+4]
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_28], edi
		push	eax
		push	0F003Fh
		push	ebx
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AD3CCF
		mov	ecx, esi
		call	PfpParametersRead
		mov	ecx, esi
		call	PfSnParametersRead
		push	4
		pop	ecx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ecx
		push	eax
		lea	ebx, [esi+28h]
		mov	edx, offset ??_C@_1O@EALALNHK@?$AAB?$AAo?$AAo?$AAt?$AAI?$AAd@PBOPGDP@ ;	"BootId"
		push	ebx
		push	ecx
		mov	ecx, [esi+4]
		call	_PfpGetParameter@20 ; PfpGetParameter(x,x,x,x,x)
		test	eax, eax
		js	short loc_AD3CA5
		mov	edi, [ebx]

loc_AD3CA5:				; CODE XREF: PfpParametersInitialize(x)+F3j
		push	[ebp+var_4]
		lea	eax, [edi+1]
		mov	edx, offset ??_C@_1O@EALALNHK@?$AAB?$AAo?$AAo?$AAt?$AAI?$AAd@PBOPGDP@ ;	"BootId"
		push	ebx
		push	ecx
		mov	ecx, [esi+4]
		mov	[ebx], eax
		call	_PfpSetParameter@20 ; PfpSetParameter(x,x,x,x,x)
		mov	ecx, [esi+4]
		lea	edx, [esi+1ECh]
		call	PfpSetBaseTime

loc_AD3CCA:				; CODE XREF: PfpParametersInitialize(x)+123j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD3CCF:				; CODE XREF: PfpParametersInitialize(x)+C5j
		mov	[ebx], edi
		jmp	short loc_AD3CCA
_PfpParametersInitialize@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PfSnInitializePrefetcher()
_PfSnInitializePrefetcher@0 proc near	; CODE XREF: PfInitializeSuperfetch()+68p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	eax, offset _PfSnGlobals
		push	edi
		xor	esi, esi
		mov	dword_6D4954, eax
		push	ebx
		inc	esi
		mov	_PfSnGlobals, eax
		mov	eax, offset dword_6D495C
		mov	[ebp+var_8], ebx
		push	esi
		push	offset unk_6D4970
		mov	[ebp+var_4], ebx
		mov	dword_6D4958, ebx
		mov	dword_6D4960, eax
		mov	dword_6D495C, eax
		mov	dword_6D4964, esi
		mov	dword_6D4968, ebx
		mov	dword_6D496C, ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	offset ??_C@_1EG@LJBMOFGE@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@PBOPGDP@
		lea	eax, [ebp+var_8]
		mov	dword_6D4988, ebx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset dword_6D498C
		mov	edx, esi
		lea	ecx, [ebp+var_8]
		call	PfpCreateEvent
		mov	ecx, offset unk_6D4994 ; void *
		call	_PfSnPrefetchCacheCtxInitialize@4 ; PfSnPrefetchCacheCtxInitialize(x)
		push	66506343h
		push	58h
		push	200h
		mov	dword_6D49E8, ebx
		mov	dword_6D49EC, ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AD3DB1
		push	ebx
		push	edi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	edi
		push	offset _PfSnTracingStateDpcRoutine@16 ;	PfSnTracingStateDpcRoutine(x,x,x,x)
		lea	esi, [edi+28h]
		push	esi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	0FFFFFFFEh
		push	9A5F4400h
		push	esi
		push	ebx
		xor	edx, edx
		mov	dword ptr [edi+50h], offset PfSnTracingStateExWorkerRoutine
		mov	ecx, edi
		mov	[edi+54h], edi
		mov	[edi+48h], ebx
		call	KiSetTimerEx

loc_AD3DB1:				; CODE XREF: PfSnInitializePrefetcher()+A6j
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
_PfSnInitializePrefetcher@0 endp


;  S U B	R O U T	I N E 


; __stdcall PfSnParametersSetDefaults(x)
_PfSnParametersSetDefaults@4 proc near	; CODE XREF: PfpParametersInitialize(x)+63p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		xor	ecx, ecx

loc_AD3DBF:				; CODE XREF: PfSnParametersSetDefaults(x)+4Bj
		and	dword ptr [esi+ecx*4+40h], 0
		mov	eax, ecx
		mov	edx, ecx
		add	eax, eax
		sub	edx, 0
		jz	loc_AD3E5D
		sub	edx, 1
		jnz	short loc_AD3DFF
		or	dword ptr [esi+eax*8+54h], 0FFFFFFFFh
		mov	dword ptr [esi+eax*8+48h], 4E20h
		mov	dword ptr [esi+eax*8+4Ch], 1F4h
		mov	dword ptr [esi+eax*8+50h], 0FF676980h
		mov	dword ptr [esi+1E4h], offset ??_C@_1BC@CJPNELAP@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAi?$AAt?$AAy@LBKOJDO@

loc_AD3DFF:				; CODE XREF: PfSnParametersSetDefaults(x)+1Ej
					; PfSnParametersSetDefaults(x)+CCj
		inc	ecx
		cmp	ecx, 2
		jl	short loc_AD3DBF
		and	dword ptr [esi+1D0h], 0
		lea	ecx, [esi+70h]
		push	offset ??_C@_1CK@MIPHFJLM@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAP?$AAr?$AAe@PBOPGDP@
		push	60h
		pop	edx
		mov	dword ptr [esi+68h], 8
		mov	dword ptr [esi+6Ch], 10h
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		xor	eax, eax
		lea	ecx, [esi+0D0h]
		push	offset ??_C@_1HE@BIDEJMEP@?$AAD?$AAL?$AAL?$AAH?$AAO?$AAS?$AAT?$AA?4?$AAE?$AAX?$AAE?$AA?0?$AAM?$AAM?$AAC@PBOPGDP@ ; "DLLHOST.EXE,MMC.EXE,RUNDLL32.EXE,SVCHOS"...
		mov	edx, 100h
		mov	[esi+0CEh], ax
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		xor	eax, eax
		mov	dword ptr [esi+1D4h], 0Ah
		mov	[esi+1CEh], ax
		pop	esi
		retn
; 

loc_AD3E5D:				; CODE XREF: PfSnParametersSetDefaults(x)+15j
		or	dword ptr [esi+eax*8+54h], 0FFFFFFFFh
		mov	dword ptr [esi+eax*8+48h], 7D00h
		mov	dword ptr [esi+eax*8+4Ch], 154h
		mov	dword ptr [esi+eax*8+50h], 0FF676980h
		mov	dword ptr [esi+1E0h], offset ??_C@_1BE@MLPDMAIF@?$AAA?$AAp?$AAp?$AAL?$AAa?$AAu?$AAn?$AAc?$AAh@LBKOJDO@
		jmp	loc_AD3DFF
_PfSnParametersSetDefaults@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; int __fastcall PfpRpInitialize(void *)
PfpRpInitialize	proc near		; CODE XREF: PfInitializeSuperfetch()+12p

; FUNCTION CHUNK AT 00AD3EB8 SIZE 0000004B BYTES
; FUNCTION CHUNK AT 00AE8521 SIZE 0000001C BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	68h		; size_t
		xor	eax, eax
		mov	edi, ecx
		push	eax		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		xor	edx, edx
		or	ebx, 0FFFFFFFFh
		mov	[edi+4], edx
		mov	ecx, ebx
		push	4
		pop	esi
		mov	eax, esi

loc_AD3EAE:				; CODE XREF: PfpRpInitialize+27j
		inc	ecx
		shr	eax, 1
		jnz	short loc_AD3EAE
		jmp	loc_AE8521
PfpRpInitialize	endp

; 
; START	OF FUNCTION CHUNK FOR PfpRpInitialize

loc_AD3EB8:				; CODE XREF: PfpRpInitialize+31j
					; PfpRpInitialize+146AEj
		inc	ebx
		shr	esi, 1
		jnz	short loc_AD3EB8
		xor	eax, eax
		mov	[edi+3Ch], ebx
		push	eax		; size_t
		push	eax		; int
		push	eax		; void *
		mov	[edi+44h], eax
		mov	[edi+40h], eax
		mov	[edi+38h], eax
		call	_memset
		add	esp, 0Ch
		lea	eax, [edi+10h]
		lea	ecx, [edi+50h]
		mov	[edi+0Ch], eax
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		lea	ecx, [edi+50h]
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		test	byte_6D46A4, 2
		jz	short loc_AD3EFF
		mov	ecx, edi
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PfpRpStart@4	; PfpRpStart(x)
; 

loc_AD3EFF:				; CODE XREF: PfpRpInitialize+69j
		pop	edi
		pop	esi
		pop	ebx
		retn
; END OF FUNCTION CHUNK	FOR PfpRpInitialize
; 
		align 4

;  S U B	R O U T	I N E 


KsepEngineInitialize proc near		; CODE XREF: KseInitialize+84p

; FUNCTION CHUNK AT 00AE853D SIZE 00000056 BYTES

		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	loc_AE853D

loc_AD3F11:				; CODE XREF: KsepEngineInitialize+14672j
					; KsepEngineInitialize+1468Aj
		lea	eax, [esi+0Ch]
		mov	edx, offset _KsepCacheDeviceEqual@8 ; KsepCacheDeviceEqual(x,x)
		mov	[eax+4], eax
		mov	[eax], eax
		lea	eax, [esi+14h]
		push	offset _KsepCacheDeviceFree@4 ;	KsepCacheDeviceFree(x)
		mov	[eax+4], eax
		mov	[eax], eax
		and	dword ptr [esi+1Ch], 0
		push	offset _KsepCacheDeviceHash@4 ;	KsepCacheDeviceHash(x)
		call	KsepCacheInitialize
		mov	[esi+28h], eax
		test	eax, eax
		jz	short loc_AD3F87
		push	offset _KsepCacheHwIdFree@4 ; KsepCacheHwIdFree(x)
		push	offset _KsepCacheHwIdHash@4 ; KsepCacheHwIdHash(x)
		mov	edx, offset _KsepCacheHwIdEqual@8 ; KsepCacheHwIdEqual(x,x)
		call	KsepCacheInitialize
		mov	[esi+2Ch], eax
		test	eax, eax
		jz	short loc_AD3F87
		mov	ecx, offset _KseEngine
		mov	dword ptr [esi+20h], offset _KseGetIoCallbacks@4 ; KseGetIoCallbacks(x)
		mov	dword ptr [esi+24h], offset _KseSetCompletionHook@16 ; KseSetCompletionHook(x,x,x,x)
		call	KsepEngineReadFlags
		test	eax, eax
		js	short loc_AD3F85
		mov	ecx, _KseEngine
		and	ecx, 3
		cmp	cl, 3
		jz	short loc_AD3F8E

loc_AD3F85:				; CODE XREF: KsepEngineInitialize+71j
		pop	esi
		retn
; 

loc_AD3F87:				; CODE XREF: KsepEngineInitialize+3Aj
					; KsepEngineInitialize+55j
		mov	eax, 0C0000017h
		pop	esi
		retn
; 

loc_AD3F8E:				; CODE XREF: KsepEngineInitialize+7Fj
		mov	eax, 0C00000BBh
		pop	esi
		retn
KsepEngineInitialize endp

; 
		align 2

;  S U B	R O U T	I N E 


KsepMatchInitMachineInfo proc near	; CODE XREF: KseInitialize+95p

; FUNCTION CHUNK AT 00AE8593 SIZE 00000103 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	ecx
		call	_KsepMatchInitAcpiOemInfo@12 ; KsepMatchInitAcpiOemInfo(x,x,x)
		xor	edi, edi
		mov	esi, eax
		inc	edi
		xor	ebx, ebx
		push	0Ah
		pop	eax
		test	esi, esi
		js	loc_AE8593

loc_AD3FB3:				; CODE XREF: KsepMatchInitMachineInfo+1464Ej
		call	_KsepMatchInitCpuInfo@4	; KsepMatchInitCpuInfo(x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE85E9

loc_AD3FC2:				; CODE XREF: KsepMatchInitMachineInfo+146A7j
		call	KsepMatchInitBiosInfo
		mov	esi, eax
		test	esi, esi
		js	loc_AE8642

loc_AD3FD1:				; CODE XREF: KsepMatchInitMachineInfo+146FBj
		pop	edi
		pop	esi
		mov	_KsepMatchMachineInfo, offset dword_6D6CC0
		xor	eax, eax
		mov	dword_6C74C4, offset dword_6FD3F4
		mov	dword_6C74C8, offset dword_6FD418
		mov	dword_6C74CC, offset dword_6FD44C
		pop	ebx
		retn
KsepMatchInitMachineInfo endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepMatchInitBiosInfo proc near		; CODE XREF: KsepMatchInitMachineInfo:loc_AD3FC2p

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_18		= word ptr -18h
var_16		= word ptr -16h
var_12		= word ptr -12h
var_10		= word ptr -10h
var_8		= word ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE8696 SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		and	[ebp+var_24], 0
		xor	eax, eax
		and	[ebp+var_20], 0
		xor	edx, edx	; void *
		push	ebx
		push	esi
		push	edi
		push	9
		pop	ecx
		mov	edi, offset dword_6FD418
		rep stosd
		lea	eax, [ebp+var_20]
		mov	ecx, offset ??_C@_1FM@BFBPAOJP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ ;	"\\Registry\\Machine\\Hardware\\Description\\"...
		push	eax		; int
		or	edi, 0FFFFFFFFh
		call	KsepRegistryOpenKey
		mov	ebx, eax
		test	ebx, ebx
		js	loc_AD41BA
		mov	ecx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		push	eax		; int
		push	16h		; int
		lea	eax, [ebp+var_1C]
		xor	esi, esi
		push	eax		; void *
		inc	esi
		mov	edx, offset ??_C@_1BO@BHDHIFGP@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAB?$AAi?$AAo?$AAs?$AAD?$AAa?$AAt?$AAe@PBOPGDP@
		push	esi		; int
		call	KsepRegistryQuerySZ
		mov	ebx, eax
		test	ebx, ebx
		js	loc_AD41BA
		xor	eax, eax
		mov	[ebp+var_8], ax
		mov	eax, esi
		lock xadd _KsepHistoryMessagesIndex, eax
		inc	eax
		and	eax, 3Fh
		xor	ebx, ebx
		test	_KsepDebugFlag,	1
		mov	edi, offset ??_C@_0BM@MLFPCADL@KSE?3?5BiosDate?5name?5?$FL?$CFws?$FN?5?4?6@PBOPGDP@ ; "KSE: BiosDate name [%ws]	.\n"
		push	0Ah
		pop	ecx
		mov	word_6C7242[eax*8], cx
		mov	ecx, 1C8h
		mov	dword_6C7244[eax*8], ebx
		mov	_KsepHistoryMessages[eax*8], cx
		jnz	loc_AE8696

loc_AD40B2:				; CODE XREF: KsepMatchInitBiosInfo+146A4j
		lea	eax, [ebp+var_1C]
		push	eax
		push	edi
		push	ebx
		call	_KsepLogInfo
		mov	ecx, [ebp+var_20]
		lea	eax, [ebp+var_24]
		add	esp, 0Ch
		mov	edi, offset word_6D6CE8
		mov	edx, (offset loc_ADD319+1)
		push	eax
		push	208h
		push	edi
		call	_KsepRegistryQueryMULTISZ@20 ; KsepRegistryQueryMULTISZ(x,x,x,x,x)
		mov	[ebp+var_24], eax
		xor	eax, eax
		mov	word_6D6EEE, ax

loc_AD40E7:				; CODE XREF: KsepMatchInitBiosInfo+F8j
		cmp	word_6D6CE8[eax*2], 20h
		jz	short loc_AD40FC
		inc	eax
		cmp	eax, 104h
		jb	short loc_AD40E7
		jmp	short loc_AD4112
; 

loc_AD40FC:				; CODE XREF: KsepMatchInitBiosInfo+F0j
		add	eax, eax
		cmp	eax, 208h
		jnb	loc_AD41F1
		xor	ecx, ecx
		mov	word_6D6CE8[eax], cx

loc_AD4112:				; CODE XREF: KsepMatchInitBiosInfo+FAj
		lock xadd _KsepHistoryMessagesIndex, esi
		inc	esi
		and	esi, 3Fh
		test	_KsepDebugFlag,	1
		push	0Ah
		pop	eax
		mov	word_6C7242[esi*8], ax
		mov	eax, 1E0h
		mov	dword_6C7244[esi*8], ebx
		mov	_KsepHistoryMessages[esi*8], ax
		mov	esi, offset ??_C@_0BO@OPGOOCEP@KSE?3?5BiosVendor?5name?5?$FL?$CFws?$FN?5?4?6@PBOPGDP@ ;	"KSE: BiosVendor name [%ws] .\n"
		jnz	loc_AE86A9

loc_AD414F:				; CODE XREF: KsepMatchInitBiosInfo+146B4j
		push	edi
		push	esi
		push	ebx
		call	_KsepLogInfo
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_18], ax
		mov	[ebp+var_12], ax
		lea	eax, [ebp+var_10]
		push	10h		; int
		push	ebx		; wchar_t **
		push	eax		; wchar_t *
		call	_wcstoul
		add	esp, 0Ch
		mov	ebx, eax
		cmp	ebx, 80h
		lea	eax, [ebp+var_1C]
		sbb	edi, edi
		add	ebx, 1900h
		push	10h		; int
		push	0		; wchar_t **
		push	eax		; wchar_t *
		and	edi, 700h
		call	_wcstoul
		add	esp, 0Ch
		mov	esi, eax
		lea	eax, [ebp+var_16]
		shl	esi, 8
		push	10h		; int
		push	0		; wchar_t **
		push	eax		; wchar_t *
		call	_wcstoul
		add	edi, ebx
		add	eax, esi
		mov	ebx, [ebp+var_24]
		add	esp, 0Ch
		shl	edi, 10h
		add	edi, eax

loc_AD41BA:				; CODE XREF: KsepMatchInitBiosInfo+40j
					; KsepMatchInitBiosInfo+65j
		cmp	[ebp+var_20], 0
		jz	short loc_AD41C8
		mov	ecx, [ebp+var_20]
		call	_KsepRegistryCloseKey@4	; KsepRegistryCloseKey(x)

loc_AD41C8:				; CODE XREF: KsepMatchInitBiosInfo+1BEj
		test	ebx, ebx
		js	loc_AE86B9
		mov	dword_6FD418, offset word_6D6CE8
		mov	dword_6FD430, edi

loc_AD41E0:				; CODE XREF: KsepMatchInitBiosInfo+146C7j
		mov	ecx, [ebp+var_4]
		mov	eax, ebx
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD41F1:				; CODE XREF: KsepMatchInitBiosInfo+103j
		call	___report_rangecheckfailure
KsepMatchInitBiosInfo endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KsepEngineReadFlags proc near		; CODE XREF: KsepEngineInitialize+6Ap

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE86CC SIZE 0000024E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		and	[ebp+var_4], 0
		and	[ebp+var_14], 0
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	esi, ecx
		xor	edi, edi
		inc	ebx
		mov	[ebp+var_8], edi
		push	4
		pop	ecx
		test	esi, esi
		jz	loc_AE86CC

loc_AD421E:				; CODE XREF: KsepEngineReadFlags+14509j
					; KsepEngineReadFlags+14521j
		and	[esi], edi
		lea	eax, [ebp+var_4]
		push	eax		; int
		xor	edx, edx	; void *
		mov	ecx, offset ??_C@_1JI@PIOJPGEO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ ;	int
		call	KsepRegistryOpenKey
		test	eax, eax
		jz	loc_AE871C
		cmp	eax, 0C0000034h
		jnz	short loc_AD4243
		or	dword ptr [esi+8], 2

loc_AD4243:				; CODE XREF: KsepEngineReadFlags+47j
					; KsepEngineReadFlags+145D6j
		lea	eax, [ebp+var_4]
		xor	edx, edx	; void *
		push	eax		; int
		mov	ecx, offset ??_C@_1IC@OOOCOOLB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ ;	"\\Registry\\Machine\\System\\CurrentControl"...
		call	KsepRegistryOpenKey
		mov	edi, eax
		cmp	edi, 0C0000034h
		jz	loc_AD42E9
		test	edi, edi
		js	loc_AE87D1
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_14]
		push	eax
		mov	edx, offset ??_C@_1BK@LNPPAKLL@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAF?$AAl?$AAa?$AAg?$AAs@PBOPGDP@
		call	KsepRegistryQueryDWORD
		mov	edi, eax
		cmp	edi, 0C0000034h
		jnz	loc_AE8829

loc_AD4288:				; CODE XREF: KsepEngineReadFlags+F6j
		xor	edi, edi

loc_AD428A:				; CODE XREF: KsepEngineReadFlags+14697j
					; KsepEngineReadFlags+1470Dj
		mov	eax, [ebp+var_8]
		or	[esi], eax
		lock xadd _KsepHistoryMessagesIndex, ebx
		inc	ebx
		and	ebx, 3Fh
		push	4
		pop	eax
		and	dword_6C7244[ebx*8], 0
		test	_KsepDebugFlag,	1
		mov	word_6C7242[ebx*8], ax
		mov	eax, 0D2h
		mov	_KsepHistoryMessages[ebx*8], ax
		mov	ebx, offset ??_C@_0DH@KDBKEOJJ@KSE?3?5Engine?5flags?5?$CIafter?5regist@PBOPGDP@	; "KSE:	Engine flags (after registry/group"...
		jnz	loc_AE8908

loc_AD42CD:				; CODE XREF: KsepEngineReadFlags+1471Fj
		push	dword ptr [esi]
		push	ebx
		push	0
		call	_KsepLogInfo
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		call	_KsepRegistryCloseKey@4	; KsepRegistryCloseKey(x)
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD42E9:				; CODE XREF: KsepEngineReadFlags+65j
		or	[esi+8], ebx
		jmp	short loc_AD4288
KsepEngineReadFlags endp


;  S U B	R O U T	I N E 


; __stdcall KsepMatchInitCpuInfo(x)
_KsepMatchInitCpuInfo@4	proc near	; CODE XREF: KsepMatchInitMachineInfo:loc_AD3FB3p
		mov	edi, edi
		push	esi
		mov	esi, large fs:20h
		xor	eax, eax
		push	edi
		push	9
		pop	ecx
		mov	edi, offset dword_6FD44C
		lea	edx, [esi+3D3Ch]
		rep stosd
		mov	ecx, edx
		lea	edi, [ecx+1]

loc_AD4310:				; CODE XREF: KsepMatchInitCpuInfo(x)+27j
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_AD4310
		sub	ecx, edi
		mov	edi, offset unk_6FD1E8
		push	ecx
		push	edx
		mov	edx, 20Ah
		mov	ecx, edi
		call	_KsepStringAnsiToUnicode@16 ; KsepStringAnsiToUnicode(x,x,x,x)
		test	eax, eax
		js	short loc_AD434A
		movsx	ecx, byte ptr [esi+14h]
		mov	dword_6FD460, ecx
		movzx	ecx, byte ptr [esi+17h]
		mov	dword_6FD45C, ecx
		mov	dword_6FD44C, edi

loc_AD434A:				; CODE XREF: KsepMatchInitCpuInfo(x)+40j
		pop	edi
		pop	esi
		retn
_KsepMatchInitCpuInfo@4	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KsepMatchInitAcpiOemInfo(x,	x, x)
_KsepMatchInitAcpiOemInfo@12 proc near	; CODE XREF: KsepMatchInitMachineInfo+6p
		or	dword_6D6CDC, 0FFFFFFFFh
		mov	edx, ecx
		or	dword_6D6CE0, 0FFFFFFFFh
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, offset dword_6FD3F4
		push	9
		pop	ecx
		push	ebx
		push	ebx
		push	50434146h
		rep stosd
		or	dword_6FD410, 0FFFFFFFFh
		mov	esi, 0C0000225h
		push	edx
		mov	dword_6D6CC0, ebx
		mov	dword_6D6CC4, ebx
		mov	dword_6D6CC8, ebx
		mov	dword_6D6CCC, ebx
		mov	dword_6D6CD0, ebx
		mov	dword_6D6CD4, ebx
		mov	dword_6D6CD8, ebx
		call	ds:__imp__HalAcpiGetTableEx@16 ; HalAcpiGetTableEx(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AD4443
		push	6
		lea	eax, [edi+0Ah]
		mov	ebx, offset unk_6FD43C
		push	eax
		push	0Eh
		pop	edx
		mov	ecx, ebx
		call	_KsepStringAnsiToUnicode@16 ; KsepStringAnsiToUnicode(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD4443
		push	8
		lea	eax, [edi+10h]
		mov	ecx, offset unk_6FD1D0
		push	eax
		push	12h
		pop	edx
		call	_KsepStringAnsiToUnicode@16 ; KsepStringAnsiToUnicode(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD4443
		push	4
		lea	eax, [edi+1Ch]
		mov	ecx, offset unk_6FD1C4
		push	eax
		push	0Ah
		pop	edx
		call	_KsepStringAnsiToUnicode@16 ; KsepStringAnsiToUnicode(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD4443
		mov	dword_6D6CC0, ebx
		mov	dword_6D6CC4, offset unk_6FD1C4
		movzx	eax, byte ptr [edi+8]
		mov	dword_6D6CDC, eax
		mov	eax, [edi+20h]
		mov	dword_6D6CE0, eax
		mov	dword_6FD3F4, ebx
		mov	dword_6FD3F8, offset unk_6FD1D0
		mov	eax, [edi+18h]
		mov	dword_6FD410, eax

loc_AD4443:				; CODE XREF: KsepMatchInitAcpiOemInfo(x,x,x)+69j
					; KsepMatchInitAcpiOemInfo(x,x,x)+88j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		retn	4
_KsepMatchInitAcpiOemInfo@12 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl PpmInfoConfigComparer(const void *,const void *)
_PpmInfoConfigComparer proc near	; DATA XREF: PpmInitPolicyConfiguration()+9Eo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	cl, [eax+18h]
		mov	eax, [ebp+arg_4]
		mov	al, [eax+18h]
		cmp	al, cl
		jbe	short loc_AD4466
		or	eax, 0FFFFFFFFh
		pop	ebp
		retn
; 

loc_AD4466:				; CODE XREF: _PpmInfoConfigComparer+13j
		sbb	eax, eax
		neg	eax
		pop	ebp
		retn
_PpmInfoConfigComparer endp


;  S U B	R O U T	I N E 


; __stdcall ObpInitSecurityDescriptorCache()
_ObpInitSecurityDescriptorCache@0 proc near ; CODE XREF: ObInitSystem+122p
		xor	eax, eax

loc_AD446E:				; CODE XREF: ObpInitSecurityDescriptorCache()+18j
		and	ds:_ObsSecurityDescriptorCache[eax], 0
		and	ds:dword_7171C4[eax], 0
		add	eax, 8
		cmp	eax, 800h
		jb	short loc_AD446E
		xor	eax, eax
		retn
_ObpInitSecurityDescriptorCache@0 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1161. KeHwPolicyLocateResource

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeHwPolicyLocateResource
KeHwPolicyLocateResource proc near	; CODE XREF: KiIntersectFeaturesWithPolicy+59p
					; KiIntersectFeaturesWithPolicy+387Bp

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00AE891A SIZE 00000011 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	ecx, _KiHwPolicyDriverImageBase
		sub	esp, 0Ch
		test	ecx, ecx
		jnz	short loc_AD44C4
		cmp	_KiHwPolicyDriverNotPresent, cl
		jnz	loc_AE891A
		mov	ecx, [ebp+arg_0]
		call	_KiHwPolicyFindDriverImage@4 ; KiHwPolicyFindDriverImage(x)
		mov	ecx, eax
		mov	_KiHwPolicyDriverImageBase, ecx
		test	ecx, ecx
		jz	loc_AE891A

loc_AD44C4:				; CODE XREF: KeHwPolicyLocateResource+10j
		mov	eax, [ebp+arg_4]
		mov	[ebp+var_C], eax
		mov	eax, [ebp+arg_8]
		mov	[ebp+var_8], eax
		xor	eax, eax
		push	eax
		push	eax
		push	[ebp+arg_10]
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_C]
		push	[ebp+arg_C]
		push	30h
		push	3
		push	eax
		push	ecx
		call	_LdrResSearchResource@32 ; LdrResSearchResource(x,x,x,x,x,x,x,x)

locret_AD44EB:				; CODE XREF: KeHwPolicyLocateResource+14498j
		leave
		retn	14h
KeHwPolicyLocateResource endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiHwPolicyFindDriverImage(x)
_KiHwPolicyFindDriverImage@4 proc near	; CODE XREF: KeHwPolicyLocateResource+21p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	18h
		pop	eax
		push	1Ah
		mov	word ptr [ebp+var_8], ax
		lea	ebx, [ecx+20h]
		mov	esi, [ebx]
		pop	eax
		mov	word ptr [ebp+var_8+2],	ax
		mov	[ebp+var_4], offset ??_C@_1BK@BAEKFJOA@?$AAh?$AAw?$AAp?$AAo?$AAl?$AAi?$AAc?$AAy?$AA?4?$AAs?$AAy?$AAs@PBOPGDP@
		jmp	short loc_AD4539
; 

loc_AD4517:				; CODE XREF: KiHwPolicyFindDriverImage(x)+4Bj
		mov	edi, [esi+18h]
		test	edi, edi
		jz	short loc_AD4537
		cmp	dword ptr [esi+1Ch], 0
		jl	short loc_AD4537
		push	1
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [edi+2Ch]
		push	eax
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jz	short loc_AD4541

loc_AD4537:				; CODE XREF: KiHwPolicyFindDriverImage(x)+2Cj
					; KiHwPolicyFindDriverImage(x)+32j
		mov	esi, [esi]

loc_AD4539:				; CODE XREF: KiHwPolicyFindDriverImage(x)+25j
		cmp	esi, ebx
		jnz	short loc_AD4517
		xor	eax, eax
		jmp	short loc_AD4544
; 

loc_AD4541:				; CODE XREF: KiHwPolicyFindDriverImage(x)+45j
		mov	eax, [edi+18h]

loc_AD4544:				; CODE XREF: KiHwPolicyFindDriverImage(x)+4Fj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiHwPolicyFindDriverImage@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipMigratePnpState proc	near		; CODE XREF: IopInitializePlugPlayServices(x,x)+299p

Source1		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
Source2		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE892B SIZE 0000031C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		xor	ecx, ecx
		lea	eax, [ebp+var_10]
		push	ebx
		push	esi
		push	edi
		push	eax
		push	2001Fh
		push	ecx
		mov	edi, ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_18], ecx
		mov	bl, cl
		mov	[ebp+var_1C], ecx
		mov	edx, 80000002h
		mov	[ebp+var_8], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+Source1], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+Source2], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_2C], ecx
		mov	ecx, _PiPnpRtlCtx
		push	offset ??_C@_1DC@EAKGAEM@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAS?$AAe?$AAt?$AAu?$AAp?$AA?2?$AAU?$AAp@PBOPGDP@
		mov	[ebp+var_20], edi
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	loc_AE892B
		xor	esi, esi

loc_AD45B4:				; CODE XREF: PipMigratePnpState+143E3j
					; PipMigratePnpState+14415j ...
		mov	edx, [ebp+var_24]
		test	edx, edx
		jnz	short loc_AD45D7

loc_AD45BB:				; CODE XREF: PipMigratePnpState+92j
		mov	edx, [ebp+var_C]
		test	edx, edx
		jnz	short loc_AD45DE

loc_AD45C2:				; CODE XREF: PipMigratePnpState+99j
		mov	edx, [ebp+var_18]
		test	edx, edx
		jnz	short loc_AD45E5

loc_AD45C9:				; CODE XREF: PipMigratePnpState+A0j
		mov	edx, [ebp+var_10]
		test	edx, edx
		jnz	short loc_AD45EC

loc_AD45D0:				; CODE XREF: PipMigratePnpState+A7j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD45D7:				; CODE XREF: PipMigratePnpState+6Fj
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)
		jmp	short loc_AD45BB
; 

loc_AD45DE:				; CODE XREF: PipMigratePnpState+76j
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)
		jmp	short loc_AD45C2
; 

loc_AD45E5:				; CODE XREF: PipMigratePnpState+7Dj
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)
		jmp	short loc_AD45C9
; 

loc_AD45EC:				; CODE XREF: PipMigratePnpState+84j
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)
		jmp	short loc_AD45D0
PipMigratePnpState endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpDevCfgInit	proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+561p

var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_52		= dword	ptr -52h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE8C47 SIZE 000000DB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 7Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	7
		pop	esi
		push	4
		pop	edx
		xor	ecx, ecx
		mov	[ebp+var_44], edx
		lea	eax, [ebp+var_58]
		mov	[ebp+var_2C], edx
		mov	[ebp+var_48], eax
		mov	bl, cl
		push	3
		lea	eax, [ebp+var_64]
		mov	[ebp+var_58], ecx
		mov	[ebp+var_30], eax
		mov	edx, offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@PBOPGDP@
		pop	edi
		lea	eax, [ebp+var_52+1]
		mov	[ebp+var_64], ecx
		push	edi
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_52+2]
		push	eax
		push	ecx
		push	esi
		mov	byte ptr [ebp+var_52+1], cl
		mov	byte ptr [ebp+var_52], bl
		mov	[ebp+var_60], ecx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_28], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		mov	[ebp+var_52+2],	offset _DEVPKEY_DriverDatabase_ConfigMode
		mov	[ebp+var_4C], esi
		mov	[ebp+var_38], offset _DEVPKEY_DriverDatabase_ConfigOptions
		mov	[ebp+var_34], esi
		mov	[ebp+var_20], offset _DEVPKEY_DriverDatabase_Updated
		mov	[ebp+var_1C], 11h
		mov	[ebp+var_14], 1
		call	PiDevCfgQueryObjectProperties
		mov	esi, eax
		test	esi, esi
		js	loc_AD478B
		cmp	[ebp+var_3C], 0
		jge	loc_AE8C47
		mov	[ebp+var_58], edi

loc_AD46A9:				; CODE XREF: PpDevCfgInit+14662j
		xor	edi, edi
		cmp	[ebp+var_24], edi
		jge	short loc_AD46B3
		mov	[ebp+var_64], edi

loc_AD46B3:				; CODE XREF: PpDevCfgInit+BAj
		cmp	[ebp+var_C], 0
		lea	ecx, [ebp+var_78]
		push	1Ch
		setl	al
		mov	[ebp+var_74], offset ??_C@_1BM@OAGJGBCL@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl@PBOPGDP@
		dec	al
		mov	edx, 20019h
		and	byte ptr [ebp+var_52+1], al
		pop	eax
		push	1Ah
		mov	word ptr [ebp+var_78+2], ax
		pop	eax
		push	edi
		mov	word ptr [ebp+var_78], ax
		lea	eax, [ebp+var_60]
		push	edi
		push	eax
		call	PipOpenServiceEnumKeys
		test	eax, eax
		js	short loc_AD474B
		mov	edx, [ebp+var_60]
		lea	eax, [ebp+var_5C]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	20019h
		push	edi
		push	offset ??_C@_1BG@PGIGMDPA@?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe?$AAr?$AAs@PBOPGDP@ ;	"Parameters"
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AD473C
		mov	edx, [ebp+var_5C]
		lea	eax, [ebp+var_6C]
		push	eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_6C], 4
		push	eax
		lea	eax, [ebp+var_68]
		push	eax
		push	offset ??_C@_1CK@GFEHGGAK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAU?$AAp?$AAd?$AAa?$AAt?$AAe?$AAs?$AAP?$AAe@PBOPGDP@
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_AE8C5B

loc_AD4734:				; CODE XREF: PpDevCfgInit+1466Bj
					; PpDevCfgInit+14675j ...
		push	[ebp+var_5C]
		call	_ZwClose@4	; ZwClose(x)

loc_AD473C:				; CODE XREF: PpDevCfgInit+116j
		push	[ebp+var_60]
		call	_ZwClose@4	; ZwClose(x)
		or	ds:_PiDevCfgFlags, 2

loc_AD474B:				; CODE XREF: PpDevCfgInit+F5j
		mov	eax, [ebp+var_58]
		mov	edx, [ebp+var_64]
		mov	ds:_PiDevCfgMode, eax
		mov	ds:_PiDevCfgOptions, edx
		test	eax, eax
		jz	short loc_AD477E
		test	byte ptr ds:_PiDevCfgFlags, 2
		setnz	cl
		test	dl, 20h
		setz	al
		test	cl, al
		jz	loc_AE8C8E

loc_AD4778:				; CODE XREF: PpDevCfgInit+146A9j
					; PpDevCfgInit+146B1j ...
		cmp	byte ptr [ebp+var_52+1], 0FFh
		jz	short loc_AD479C

loc_AD477E:				; CODE XREF: PpDevCfgInit+16Aj
					; PpDevCfgInit+1AFj
		test	byte ptr ds:_PiDevCfgFlags, 1
		jnz	loc_AE8CB7

loc_AD478B:				; CODE XREF: PpDevCfgInit+A2j
					; PpDevCfgInit+146D5j ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD479C:				; CODE XREF: PpDevCfgInit+188j
		or	ds:_PiDevCfgFlags, 1
		jmp	short loc_AD477E
PpDevCfgInit	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PipProcessPendingOperations()
_PipProcessPendingOperations@0 proc near
					; CODE XREF: IopInitializePlugPlayServices(x,x)+8BDp
		mov	edi, edi
		push	ecx
		call	PipProcessPendingServices
		test	eax, eax
		js	short loc_AD47B7
		call	PipProcessPendingOsExtensionResources

loc_AD47B7:				; CODE XREF: PipProcessPendingOperations()+Aj
		pop	ecx
		retn
_PipProcessPendingOperations@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipProcessPendingServices proc near	; CODE XREF: PipProcessPendingOperations()+3p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE8D22 SIZE 0000002F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		push	eax
		push	4
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD4811
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	2001Fh
		push	0
		push	offset ??_C@_1FC@OBEGEIPL@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAP?$AAe?$AAn?$AAd?$AAi?$AAn?$AAg@PBOPGDP@	; "Control\\PendingDriverOperations\\Service"...
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	loc_AE8D22

loc_AD480F:				; CODE XREF: PipProcessPendingServices+1456Ej
		xor	esi, esi

loc_AD4811:				; CODE XREF: PipProcessPendingServices+27j
					; PipProcessPendingServices+14576j ...
		mov	edx, [ebp+var_4]
		test	edx, edx
		jnz	short loc_AD481D

loc_AD4818:				; CODE XREF: PipProcessPendingServices+68j
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_AD481D:				; CODE XREF: PipProcessPendingServices+5Cj
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)
		jmp	short loc_AD4818
PipProcessPendingServices endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipProcessPendingOsExtensionResources proc near
					; CODE XREF: PipProcessPendingOperations()+Cp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE8D51 SIZE 0000002C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_8]
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	esi
		push	eax
		push	4
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD487B
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	2001Fh
		push	0
		push	(offset	loc_ADE845+1)
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	loc_AE8D51

loc_AD4879:				; CODE XREF: PipProcessPendingOsExtensionResources+14533j
		xor	esi, esi

loc_AD487B:				; CODE XREF: PipProcessPendingOsExtensionResources+27j
					; PipProcessPendingOsExtensionResources+1453Bj	...
		mov	edx, [ebp+var_4]
		test	edx, edx
		jnz	short loc_AD4887

loc_AD4882:				; CODE XREF: PipProcessPendingOsExtensionResources+68j
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_AD4887:				; CODE XREF: PipProcessPendingOsExtensionResources+5Cj
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)
		jmp	short loc_AD4882
PipProcessPendingOsExtensionResources endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipResetDevices(x)
_PipResetDevices@4 proc	near		; CODE XREF: IopInitializePlugPlayServices(x,x)+570p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		push	edi
		mov	edi, _PiPnpRtlCtx
		lea	eax, [ebp+var_4]
		xor	ecx, ecx
		mov	edx, 80000002h
		push	eax
		push	1
		push	ecx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_8], ecx
		mov	ecx, edi
		push	offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@PBOPGDP@
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AD4914
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_C], 4
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		push	(offset	loc_ADE159+1)
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		mov	edx, [ebp+var_4]
		mov	esi, eax
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)
		test	esi, esi
		jns	short loc_AD4918

loc_AD48F3:				; CODE XREF: PipResetDevices(x)+90j
		push	80h
		mov	edx, offset ??_C@_1JE@CCFAJHHG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@PBOPGDP@
		mov	ecx, edi
		call	PipResetMatchingFilteredDevices
		push	2
		mov	edx, offset ??_C@_1JG@DMEADAPE@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@PBOPGDP@
		mov	ecx, edi
		call	PipResetMatchingFilteredDevices

loc_AD4912:				; CODE XREF: PipResetDevices(x)+8Ej
		mov	eax, esi

loc_AD4914:				; CODE XREF: PipResetDevices(x)+35j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_AD4918:				; CODE XREF: PipResetDevices(x)+63j
		cmp	[ebp+var_8], 0
		jnz	short loc_AD4912
		jmp	short loc_AD48F3
_PipResetDevices@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipResetMatchingFilteredDevices	proc near ; CODE XREF: PipResetDevices(x)+71p
					; PipResetDevices(x)+7Fp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00AE8D7D SIZE 0000019D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		xor	eax, eax
		mov	[ebp+var_8], ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], eax
		mov	ebx, eax
		mov	[ebp+var_14], eax
		mov	esi, edx
		mov	[ebp+var_18], eax
		mov	[ebp+var_C], eax
		mov	eax, large fs:124h
		mov	[ebp+var_1C], edi
		dec	word ptr [eax+13Ch]
		nop
		push	1
		push	offset _PnpRegistryDeviceResource
		call	ExAcquireResourceExclusiveLite
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_10]
		push	eax
		push	20019h
		push	ebx
		push	esi
		mov	edx, 80000002h
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	loc_AE8D7D
		xor	esi, esi

loc_AD498A:				; CODE XREF: PipResetMatchingFilteredDevices+1445Fj
					; PipResetMatchingFilteredDevices+14481j ...
		mov	edx, [ebp+var_10]
		test	edx, edx
		jnz	short loc_AD49C0

loc_AD4991:				; CODE XREF: PipResetMatchingFilteredDevices+A5j
		test	ebx, ebx
		jnz	loc_AE8EFE

loc_AD4999:				; CODE XREF: PipResetMatchingFilteredDevices+145E7j
		test	edi, edi
		jnz	loc_AE8F0C

loc_AD49A1:				; CODE XREF: PipResetMatchingFilteredDevices+145F5j
		mov	ecx, offset _PnpRegistryDeviceResource
		call	ExReleaseResourceLite
		mov	ecx, large fs:124h
		call	_KiLeaveCriticalRegionUnsafe@4 ; KiLeaveCriticalRegionUnsafe(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_AD49C0:				; CODE XREF: PipResetMatchingFilteredDevices+6Fj
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)
		jmp	short loc_AD4991
PipResetMatchingFilteredDevices	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpEarlyLaunchImageNotificationPreProcess(x, x, x, x, x)
_PnpEarlyLaunchImageNotificationPreProcess@20 proc near
					; DATA XREF: PnpNotifyEarlyLaunchImageLoad(x,x)+2Bo

arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		mov	esi, [ebp+arg_10]
		push	edi
		push	10h
		pop	ecx
		mov	edi, ebx
		rep movsd
		mov	edi, [ebp+arg_10]
		lea	esi, [ebx+8]
		push	esi
		lea	eax, [edi+8]
		push	eax
		push	0
		call	RtlDuplicateUnicodeString
		lea	eax, [ebx+10h]
		push	eax
		lea	eax, [edi+10h]
		push	eax
		push	0
		call	RtlDuplicateUnicodeString
		lea	eax, [ebx+20h]
		push	eax
		lea	eax, [edi+20h]
		push	eax
		push	0
		call	RtlDuplicateUnicodeString
		lea	eax, [ebx+18h]
		push	eax
		lea	eax, [edi+18h]
		push	eax
		push	0
		call	RtlDuplicateUnicodeString
		mov	edx, esi
		mov	ecx, offset _KMPnPEvt_EarlyLaunch_LoadNotification_Start
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
_PnpEarlyLaunchImageNotificationPreProcess@20 endp

; 
		align 10h

;  S U B	R O U T	I N E 


WheapInitializeEventing	proc near	; CODE XREF: INIT:00AC4258p

; FUNCTION CHUNK AT 00AE8F1A SIZE 00000011 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	eax, offset _WheapWaitingETWEvents
		inc	esi
		mov	dword_6BB3D4, eax
		push	esi
		mov	_WheapWaitingETWEvents,	eax
		mov	eax, offset _WheapDeferredInternalLogs
		push	esi
		push	offset _WheapWaitingETWEventLock
		mov	dword_6BB3C4, eax
		mov	_WheapDeferredInternalLogs, eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	esi
		push	esi
		push	offset _WheapDeferredInternalLogsEventLock
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	eax, eax
		mov	edi, offset _WheapHighIrqlLogSelHandler
		push	offset _WheapEtwHandle
		xor	ebx, ebx
		push	ebx
		stosd
		push	offset WheapEtwEnableCallback
		push	offset _WHEA_ETW_PROVIDER
		stosd
		stosd
		stosd
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		test	eax, eax
		jnz	loc_AE8F1A

loc_AD4A98:				; CODE XREF: WheapInitializeEventing+144F6j
		mov	_WheapIpmiLogEntryList,	ebx
		mov	esi, offset _WheapIpmiLogEntry
		mov	dword_6B7364, ebx
		mov	edi, 80h

loc_AD4AAE:				; CODE XREF: WheapInitializeEventing+9Cj
		push	40h		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	edx, esi
		mov	ecx, offset _WheapIpmiLogEntryList
		call	@InterlockedPushEntrySList@8 ; InterlockedPushEntrySList(x,x)
		add	esi, 40h
		sub	edi, 1
		jnz	short loc_AD4AAE
		pop	edi
		pop	esi
		pop	ebx
		retn
WheapInitializeEventing	endp


;  S U B	R O U T	I N E 


ExpWorkerInitialization	proc near	; CODE XREF: ExpInitSystemPhase1+51p

; FUNCTION CHUNK AT 00AE8F2B SIZE 0000002E BYTES

		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		xor	ebx, ebx
		push	edi
		inc	ebx
		mov	dword_6BBBE4, edi
		push	ebx
		push	offset unk_6BBBEC
		mov	_ExpWorkerSwapinMutex, ebx
		mov	dword_6BBBE8, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, _ExpMaximumKernelWorkerThreads
		mov	ecx, 4000h
		mov	_ExpWorkersCanSwap, bl
		cmp	eax, ecx
		jg	loc_AE8F2B

loc_AD4B12:				; CODE XREF: ExpWorkerInitialization+14460j
		push	20h
		pop	ecx
		cmp	eax, ecx
		jl	loc_AE8F37

loc_AD4B1D:				; CODE XREF: ExpWorkerInitialization+1446Bj
		mov	eax, _ExpWorkerThreadTimeoutInSeconds
		mov	ecx, 0E10h
		cmp	eax, ecx
		ja	loc_AE8F42

loc_AD4B2F:				; CODE XREF: ExpWorkerInitialization+14477j
		push	3Ch
		pop	ecx
		cmp	eax, ecx
		jb	loc_AE8F4E

loc_AD4B3A:				; CODE XREF: ExpWorkerInitialization+14482j
		mov	bx, ds:_KeNumberNodes
		xor	eax, eax
		mov	esi, edi
		cmp	ax, bx
		jnb	short loc_AD4B6C
		mov	edi, offset _KeNodeBlock

loc_AD4B4F:				; CODE XREF: ExpWorkerInitialization+96j
		mov	ecx, esi
		call	_KeIsNodeInitialized@4 ; KeIsNodeInitialized(x)
		test	al, al
		jz	short loc_AD4BCE
		mov	ecx, [edi]

loc_AD4B5C:				; CODE XREF: ExpWorkerInitialization+FEj
		call	_ExpNodeInitialize@4 ; ExpNodeInitialize(x)
		inc	esi
		add	edi, 4
		cmp	si, bx
		jb	short loc_AD4B4F
		xor	edi, edi

loc_AD4B6C:				; CODE XREF: ExpWorkerInitialization+76j
		mov	ecx, ds:_PspSystemPartition
		call	ExpPartitionInitialize
		test	eax, eax
		js	short loc_AD4BCA
		mov	eax, ds:_PspSystemPartition
		mov	ecx, [eax+8]
		call	_ExpPartitionStart@4 ; ExpPartitionStart(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD4BC8
		call	ExpLegacyWorkerInitialization
		push	edi
		push	offset _ExpDebuggerDpcRoutine@16 ; ExpDebuggerDpcRoutine(x,x,x,x)
		push	offset _ExpDebuggerDpc
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	dword_6BBBA8, offset ExpDebuggerWorker
		mov	dword_6BBBAC, edi
		mov	_ExpDebuggerWorkItem, edi
		mov	_ExpDebuggerWork, 1
		call	_ExQueueDebuggerWorker@0 ; ExQueueDebuggerWorker()

loc_AD4BC8:				; CODE XREF: ExpWorkerInitialization+BAj
		mov	eax, esi

loc_AD4BCA:				; CODE XREF: ExpWorkerInitialization+A7j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_AD4BCE:				; CODE XREF: ExpWorkerInitialization+86j
		xor	ecx, ecx
		jmp	short loc_AD4B5C
ExpWorkerInitialization	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpComputeCyclesPerYield()
_ExpComputeCyclesPerYield@0 proc near	; CODE XREF: Phase1InitializationDiscard(x)+DAAp
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	bl, al
		mov	ecx, 100h
		rdtsc
		mov	esi, eax
		mov	edi, edx

loc_AD4BEE:				; CODE XREF: ExpComputeCyclesPerYield()+21j
		pause
		sub	ecx, 1
		jnz	short loc_AD4BEE
		rdtsc
		mov	ecx, eax
		test	bl, bl
		jz	short loc_AD4BFE
		sti

loc_AD4BFE:				; CODE XREF: ExpComputeCyclesPerYield()+29j
		sub	ecx, esi
		mov	eax, 0FFFFh
		sbb	edx, edi
		shrd	ecx, edx, 8
		pop	edi
		shr	edx, 8
		pop	esi
		pop	ebx
		test	edx, edx
		jnz	short loc_AD4C29
		cmp	ecx, eax
		ja	short loc_AD4C29
		mov	eax, ecx
		or	eax, edx
		jz	short loc_AD4C24

loc_AD4C1F:				; CODE XREF: ExpComputeCyclesPerYield()+55j
					; ExpComputeCyclesPerYield()+59j
		mov	ax, cx
		leave
		retn
; 

loc_AD4C24:				; CODE XREF: ExpComputeCyclesPerYield()+4Bj
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_AD4C1F
; 

loc_AD4C29:				; CODE XREF: ExpComputeCyclesPerYield()+41j
					; ExpComputeCyclesPerYield()+45j
		mov	ecx, eax
		jmp	short loc_AD4C1F
_ExpComputeCyclesPerYield@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpEarlyLaunchImageNotificationPostProcess(x, x, x,	x, x)
_PnpEarlyLaunchImageNotificationPostProcess@20 proc near
					; DATA XREF: PnpNotifyEarlyLaunchImageLoad(x,x)+36o

arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	edx, [ebp+arg_10]
		mov	ecx, offset _KMPnPEvt_EarlyLaunch_LoadNotification_Stop
		push	esi
		push	edi
		lea	edx, [edx+8]
		call	_PnpDiagnosticTraceObject@8 ; PnpDiagnosticTraceObject(x,x)
		mov	esi, [ebp+arg_8]
		mov	edi, [ebp+arg_C]
		mov	edx, [esi]
		mov	ecx, [edi]
		mov	eax, ds:_PnpClassificationRank[edx*4]
		cmp	eax, ds:_PnpClassificationRank[ecx*4]
		jbe	short loc_AD4C61
		mov	[edi], edx

loc_AD4C61:				; CODE XREF: PnpEarlyLaunchImageNotificationPostProcess(x,x,x,x,x)+2Fj
		lea	eax, [esi+8]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+20h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [esi+18h]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		pop	edi
		pop	esi
		pop	ebp
		retn	14h
_PnpEarlyLaunchImageNotificationPostProcess@20 endp


;  S U B	R O U T	I N E 


; __stdcall PpmInitPolicyConfiguration()
_PpmInitPolicyConfiguration@0 proc near	; CODE XREF: PoInitSystem+3DFp
		mov	edi, edi
		push	ebx
		push	esi
		mov	ebx, offset _PpmPerfPolicyLock
		push	edi
		mov	ecx, ebx
		call	_PpmAcquireLock@4 ; PpmAcquireLock(x)
		xor	esi, esi

loc_AD4C95:				; CODE XREF: PpmInitPolicyConfiguration()+52j
		movzx	ecx, ds:byte_7056D8[esi]
		xor	eax, eax
		inc	eax
		xor	edx, edx
		call	__allshl
		test	ds:byte_7056D9[esi], 4
		jnz	loc_AD4D40

loc_AD4CB3:				; CODE XREF: PpmInitPolicyConfiguration()+C4j
		or	dword_6BF8A0, eax
		add	esi, 1Ch
		or	dword_6BF8A4, edx
		or	dword_6BF990, eax
		or	dword_6BF994, edx
		cmp	esi, 5CCh
		jb	short loc_AD4C95
		or	dword_6BFA98, 0FFFFFFFFh
		mov	esi, offset _GUID_NULL
		or	dword_6BFA9C, 0FFFFFFFFh
		mov	edi, offset unk_6BF888
		mov	_PpmDefaultProfile, offset _PpmInfoDefaultProfileName ;	"Default"
		mov	dword_6BF898, 2
		movsd
		movsd
		movsd
		movsd
		mov	esi, offset _PpmDefaultProfile
		mov	ecx, esi
		call	PpmEnableProfile
		call	KeQueryInterruptTime
		push	edx
		push	eax
		mov	ecx, esi
		call	_PpmBeginProfileAccumulation@12	; PpmBeginProfileAccumulation(x,x,x)
		push	offset _PpmInfoConfigComparer ;	int __cdecl (*)(const void *,const void	*)
		push	1Ch		; size_t
		push	35h		; size_t
		push	offset _PpmPolicyConfigTable ; void *
		call	_qsort
		add	esp, 10h
		mov	ecx, ebx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_PpmReleaseLock@4 ; PpmReleaseLock(x)
; 

loc_AD4D40:				; CODE XREF: PpmInitPolicyConfiguration()+2Bj
		shr	ds:dword_7056D4[esi], 1
		jmp	loc_AD4CB3
_PpmInitPolicyConfiguration@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopInitializePowerSettingCallbacks()
_PopInitializePowerSettingCallbacks@0 proc near	; CODE XREF: PoInitSystem+55Fp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, edi

loc_AD4D55:				; CODE XREF: PopInitializePowerSettingCallbacks()+26j
		push	edi		; int
		push	edi		; int
		push	dword ptr ds:(_PopInitialSettingCallbacks+4)[esi] ; int
		push	dword ptr ds:_PopInitialSettingCallbacks[esi] ;	void *
		push	edi		; int
		call	PoRegisterPowerSettingCallback
		add	esi, 8
		cmp	esi, 1D8h
		jb	short loc_AD4D55
		call	_PpmInfoRegisterCallbacks@0 ; PpmInfoRegisterCallbacks()
		mov	esi, edi
		mov	ebx, offset _PopBatteryAlarmPowerSettingCallback@16 ; PopBatteryAlarmPowerSettingCallback(x,x,x,x)

loc_AD4D80:				; CODE XREF: PopInitializePowerSettingCallbacks()+68j
		push	edi		; int
		push	esi		; int
		push	ebx		; int
		push	ds:_GUIDS_BATTERY_DISCHARGE_ACTION[esi*4] ; void *
		push	edi		; int
		call	PoRegisterPowerSettingCallback
		push	edi		; int
		push	esi		; int
		push	ebx		; int
		push	ds:_GUIDS_BATTERY_DISCHARGE_LEVEL[esi*4] ; void	*
		push	edi		; int
		call	PoRegisterPowerSettingCallback
		push	edi		; int
		push	esi		; int
		push	ebx		; int
		push	ds:_GUIDS_BATTERY_DISCHARGE_FLAGS[esi*4] ; void	*
		push	edi		; int
		call	PoRegisterPowerSettingCallback
		inc	esi
		cmp	esi, 4
		jb	short loc_AD4D80
		pop	edi
		pop	esi
		pop	ebx
		retn
_PopInitializePowerSettingCallbacks@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PpmInfoRegisterCallbacks()
_PpmInfoRegisterCallbacks@0 proc near	; CODE XREF: PopInitializePowerSettingCallbacks()+28p

var_24		= dword	ptr -24h
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_5		= byte ptr -5
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, offset _GUID_PROC_CAP_BASE
		lea	edi, [ebp+var_14]
		movsd
		movsd
		movsd
		movsd
		mov	esi, (offset loc_4130C2+2)
		lea	edi, [ebp+var_24]
		movsd
		movsd
		movsd
		movsd
		xor	esi, esi
		mov	ebx, esi
		cmp	ds:_KeNumberProcessors,	esi
		jbe	short loc_AD4E21
		mov	edi, offset _PpmPerfProcCapFloorSettingCallback@16 ; PpmPerfProcCapFloorSettingCallback(x,x,x,x)

loc_AD4DF8:				; CODE XREF: PpmInfoRegisterCallbacks()+65j
		push	esi		; int
		push	esi		; int
		push	edi		; int
		lea	eax, [ebp+var_14]
		mov	[ebp+var_5], bl
		push	eax		; void *
		push	esi		; int
		mov	[ebp+var_15], bl
		call	PoRegisterPowerSettingCallback
		push	esi		; int
		push	esi		; int
		push	edi		; int
		lea	eax, [ebp+var_24]
		push	eax		; void *
		push	esi		; int
		call	PoRegisterPowerSettingCallback
		inc	ebx
		cmp	ebx, ds:_KeNumberProcessors
		jb	short loc_AD4DF8

loc_AD4E21:				; CODE XREF: PpmInfoRegisterCallbacks()+37j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PpmInfoRegisterCallbacks@0 endp


;  S U B	R O U T	I N E 


; __stdcall SmInitSystem(x)
_SmInitSystem@4	proc near		; CODE XREF: INIT:00ABFC73p
					; Phase1InitializationDiscard(x)+B2Ep ...
		mov	edi, edi
		push	esi
		test	ecx, ecx
		jz	short loc_AD4E69
		cmp	ecx, 1
		jnz	short loc_AD4E7C
		push	offset unk_718648
		push	0
		push	offset SmEtwEnableCallback
		push	offset _SmEventProvider
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		test	eax, eax
		js	short loc_AD4E7C
		or	ds:dword_718650, 1
		mov	ds:dword_718654, 40h
		jmp	short loc_AD4E7C
; 

loc_AD4E69:				; CODE XREF: SmInitSystem(x)+5j
		mov	esi, offset ?SmGlobals@@3U_SM_GLOBALS@@A ; _SM_GLOBALS SmGlobals
		mov	ecx, esi	; void *
		call	_SmGlobalsInitialize@4 ; SmGlobalsInitialize(x)
		mov	ecx, esi
		call	_SmQueryRegistry@4 ; SmQueryRegistry(x)

loc_AD4E7C:				; CODE XREF: SmInitSystem(x)+Aj
					; SmInitSystem(x)+24j ...
		xor	eax, eax
		pop	esi
		retn
_SmInitSystem@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SmQueryRegistry(x)
_SmQueryRegistry@4 proc	near		; CODE XREF: SmInitSystem(x)+47p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		xor	edx, edx
		mov	[ebp+var_34], 120h
		push	edx
		lea	eax, [ecx+4B4h]
		mov	[ebp+var_38], edx
		push	edx
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	offset ??_C@_1MK@ENOAMLHH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		push	edx
		mov	[ebp+var_30], offset ??_C@_1CE@OOACAECG@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAD?$AAi?$AAr?$AAt?$AAy?$AAS?$AAt?$AAo?$AAr@PBOPGDP@
		mov	[ebp+var_28], 4000000h
		mov	[ebp+var_24], edx
		mov	[ebp+var_20], edx
		mov	[ebp+var_1C], edx
		mov	[ebp+var_18], edx
		mov	[ebp+var_14], edx
		mov	[ebp+var_10], edx
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], edx
		call	_RtlQueryRegistryValuesEx@20 ; RtlQueryRegistryValuesEx(x,x,x,x,x)
		xor	eax, eax
		leave
		retn
_SmQueryRegistry@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall SmGlobalsInitialize(void *)
_SmGlobalsInitialize@4 proc near	; CODE XREF: SmInitSystem(x)+40p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	6A8h		; size_t
		xor	esi, esi
		mov	ebx, ecx
		push	esi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_8], 3Bh
		lea	edx, [ebp+var_8]
		mov	[ebp+var_4], offset ?SmpStoreMgrCallback@@YGJPAU_SMKM_STORE_LIST@@PAXW4_SMKM_CALLBACK_TYPE@@@Z ; SmpStoreMgrCallback(_SMKM_STORE_LIST *,void *,_SMKM_CALLBACK_TYPE)
		mov	ecx, ebx	; void *
		call	?SmInitialize@?$SMKM_STORE_MGR@USM_TRAITS@@@@SGXPAU1@PAU_SMKM_STORE_MGR_PARAMS@@@Z ; SMKM_STORE_MGR<SM_TRAITS>::SmInitialize(SMKM_STORE_MGR<SM_TRAITS> *,_SMKM_STORE_MGR_PARAMS	*)
		mov	[ebx+4A4h], esi
		lea	edx, [ebx+4B8h]
		mov	eax, ds:_PsInitialSystemProcess
		mov	edi, edx
		mov	?SmKmGlobals@@3U_SMKM_GLOBALS@@A, eax ;	_SMKM_GLOBALS SmKmGlobals
		xor	eax, eax
		push	6
		pop	ecx
		rep stosd
		mov	[edx+4], esi
		lea	ecx, [ebx+4D8h]	; void *
		mov	[edx+0Ch], esi
		mov	[edx+8], esi
		or	dword ptr [ebx+4D0h], 0FFFFFFFFh
		mov	[ebx+4D4h], esi
		mov	byte ptr [ebx+4A8h], 5
		call	_SmcCacheManagerInitialize@4 ; SmcCacheManagerInitialize(x)
		lea	ecx, [ebx+5F0h]
		call	_CmSiRWLockInitialize@4	; CmSiRWLockInitialize(x)
		mov	[ebx+5F8h], esi
		xor	edi, edi
		mov	[ebx+5FCh], esi
		push	44h		; size_t
		mov	[ebx+5F4h], esi
		lea	esi, [ebx+600h]
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+4]
		push	edi
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	44h		; size_t
		lea	esi, [ebx+644h]
		push	edi		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esi+4]
		push	edi
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		pop	edi
		pop	esi
		mov	dword ptr [ebx+6A0h], 3
		pop	ebx
		leave
		retn
_SmGlobalsInitialize@4 endp


;  S U B	R O U T	I N E 


; int __fastcall SmcCacheManagerInitialize(void	*)
_SmcCacheManagerInitialize@4 proc near	; CODE XREF: SmGlobalsInitialize(x)+77p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	118h		; size_t
		mov	esi, ecx
		push	0		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	edi, [esi+4]
		push	10h
		pop	ebx

loc_AD4FDF:				; CODE XREF: SmcCacheManagerInitialize(x)+36j
		mov	ecx, edi
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	ecx, edi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		xor	eax, eax
		mov	[edi+4], eax
		add	edi, 10h
		sub	ebx, 1
		jnz	short loc_AD4FDF
		mov	[esi+104h], eax
		mov	[esi+108h], eax
		mov	[esi+10Ch], eax
		mov	[esi+110h], eax
		mov	[esi+100h], eax
		lea	eax, [esi+104h]
		pop	edi
		pop	esi
		mov	[eax+4], eax
		mov	[eax], eax
		pop	ebx
		retn
_SmcCacheManagerInitialize@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlInitSystem()
_FsRtlInitSystem@0 proc	near		; CODE XREF: Phase1InitializationDiscard(x):loc_AC0F85p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		push	74725346h
		mov	edi, 380h
		xor	ebx, ebx
		push	edi
		push	210h
		mov	[ebp+var_4], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_FsRtlPagingIoResources, eax
		mov	esi, ebx

loc_AD5054:				; CODE XREF: FsRtlInitSystem()+3Ej
		mov	eax, _FsRtlPagingIoResources
		add	eax, esi
		push	eax
		call	ExInitializeResourceLite
		add	esi, 38h
		cmp	esi, edi
		jb	short loc_AD5054
		call	FsRtlInitializeTunnels
		call	_FsRtlInitializeFileLocks@0 ; FsRtlInitializeFileLocks()
		call	_FsRtlInitializeLargeMcbs@0 ; FsRtlInitializeLargeMcbs()
		push	ebx
		push	6C655346h
		push	10h
		push	ebx
		push	ebx
		push	ebx
		push	offset _FsRtlEcpListLookaside
		call	_ExInitializePagedLookasideList@28 ; ExInitializePagedLookasideList(x,x,x,x,x,x,x)
		push	7FFFFFFFh
		push	1
		push	offset _FsRtlpUncSemaphore
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		push	30h
		pop	eax
		push	32h
		mov	word ptr [ebp+var_C], ax
		lea	edx, [ebp+var_4]
		pop	eax
		lea	ecx, [ebp+var_C]
		mov	[ebp+var_8], offset ??_C@_1DC@EOCPMAFK@?$AAW?$AAi?$AAn?$AA9?$AA5?$AAT?$AAr?$AAu?$AAn?$AAc?$AAa?$AAt?$AAe?$AAd?$AAE@PBOPGDP@
		mov	word ptr [ebp+var_C+2],	ax
		call	FsRtlGetCompatibilityModeValue
		test	eax, eax
		js	short loc_AD50CC
		cmp	[ebp+var_4], ebx
		jz	short loc_AD50CC
		mov	ds:_FsRtlSafeExtensions, bl

loc_AD50CC:				; CODE XREF: FsRtlInitSystem()+97j
					; FsRtlInitSystem()+9Cj
		call	_FsRtlInitializeWorkerThread@0 ; FsRtlInitializeWorkerThread()
		test	eax, eax
		js	short loc_AD50F3
		call	FsFilterInit
		test	eax, eax
		js	short loc_AD50F3
		call	_FsRtlInitializeSmssEvent@0 ; FsRtlInitializeSmssEvent()
		test	eax, eax
		js	short loc_AD50F3
		call	_FsRtlInitializeTieringHeat@0 ;	FsRtlInitializeTieringHeat()
		mov	al, 1

loc_AD50EE:				; CODE XREF: FsRtlInitSystem()+CDj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD50F3:				; CODE XREF: FsRtlInitSystem()+ABj
					; FsRtlInitSystem()+B4j ...
		xor	al, al
		jmp	short loc_AD50EE
_FsRtlInitSystem@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlInitializeSmssEvent()
_FsRtlInitializeSmssEvent@0 proc near	; CODE XREF: FsRtlInitSystem()+B6p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		push	42h
		pop	eax
		push	44h
		mov	word ptr [ebp+var_10], ax
		xor	edi, edi
		pop	eax
		mov	word ptr [ebp+var_10+2], ax
		lea	eax, [ebp+var_10]
		push	edi
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	edi
		push	eax
		push	1F0003h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], edi
		push	eax
		mov	[ebp+var_C], offset ??_C@_1EE@BKEAFBFL@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAV?$AAo?$AAl?$AAu?$AAm?$AAe?$AAs@PBOPGDP@
		mov	[ebp+var_28], 18h
		mov	[ebp+var_24], edi
		mov	[ebp+var_1C], 250h
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		call	NtCreateEvent
		test	eax, eax
		js	short loc_AD519C
		push	edi
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], edi
		push	eax
		push	edi
		push	edi
		push	100000h
		push	[ebp+var_4]
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	NtClose
		test	esi, esi
		js	short loc_AD51A0
		mov	eax, [ebp+var_8]
		push	1
		push	offset _SmssEventWorkItem
		mov	dword_6CDBD8, offset _FsRtlWaitForSmssEvent@4 ;	FsRtlWaitForSmssEvent(x)
		mov	dword_6CDBDC, eax
		mov	_SmssEventWorkItem, edi
		call	ExQueueWorkItem
		xor	eax, eax

loc_AD519C:				; CODE XREF: FsRtlInitializeSmssEvent()+57j
					; FsRtlInitializeSmssEvent()+AAj
		pop	edi
		pop	esi
		leave
		retn
; 

loc_AD51A0:				; CODE XREF: FsRtlInitializeSmssEvent()+7Cj
		mov	eax, esi
		jmp	short loc_AD519C
_FsRtlInitializeSmssEvent@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FsRtlInitializeWorkerThread()
_FsRtlInitializeWorkerThread@0 proc near ; CODE	XREF: FsRtlInitSystem():loc_AD50CCp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_20], 18h
		mov	eax, offset _FsRtlWorkerQueues
		mov	[ebp+var_4], esi
		push	edi
		mov	[ebp+var_1C], esi
		mov	ebx, esi
		mov	[ebp+var_14], esi
		mov	edi, esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], eax

loc_AD51D6:				; CODE XREF: FsRtlInitializeWorkerThread()+8Aj
		push	esi
		push	eax
		call	_KeInitializeQueue@8 ; KeInitializeQueue(x,x)
		push	ebx
		push	offset FsRtlWorkerThread
		push	esi
		push	esi
		lea	eax, [ebp+var_20]
		push	eax
		push	1FFFFFh
		lea	eax, [ebp+var_4]
		push	eax
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD5225
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_8]
		add	edi, 28h
		add	eax, 28h
		inc	ebx
		mov	[ebp+var_8], eax
		cmp	edi, 50h
		jb	short loc_AD522C
		push	1
		push	1
		push	offset _StackOverflowFallbackSerialEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_AD5225:				; CODE XREF: FsRtlInitializeWorkerThread()+57j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD522C:				; CODE XREF: FsRtlInitializeWorkerThread()+71j
		xor	esi, esi
		jmp	short loc_AD51D6
_FsRtlInitializeWorkerThread@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlGetCompatibilityModeValue proc near ; CODE	XREF: FsRtlInitSystem()+90p

var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE8F59 SIZE 0000004F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 9Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	7Ah
		pop	eax
		push	7Ch
		mov	word ptr [ebp+var_80], ax
		mov	edi, ecx
		pop	eax
		mov	word ptr [ebp+var_80+2], ax
		xor	ecx, ecx
		lea	eax, [ebp+var_80]
		mov	[ebp+var_78], edx
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_98]
		push	eax
		push	20019h
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_74], edi
		push	eax
		mov	[ebp+var_6C], ecx
		mov	[ebp+var_70], ecx
		mov	[ebp+var_7C], offset ??_C@_1HM@IHPPCBKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ ; "\\"
		mov	[ebp+var_98], 18h
		mov	[ebp+var_94], ecx
		mov	[ebp+var_8C], 40h
		mov	[ebp+var_88], ecx
		mov	[ebp+var_84], ecx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_AD5306
		push	5Ch
		pop	ebx
		lea	eax, [ebp+var_70]
		push	eax
		lea	esi, [ebp+var_68]
		push	ebx
		mov	eax, esi
		push	eax
		push	1
		push	edi

loc_AD52C6:				; CODE XREF: FsRtlGetCompatibilityModeValue+13D5Cj
		push	[ebp+var_6C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		cmp	edi, 80000005h
		jz	loc_AE8F59
		push	[ebp+var_6C]
		call	_ZwClose@4	; ZwClose(x)
		test	edi, edi
		js	short loc_AD52F9
		cmp	dword ptr [esi+0Ch], 0
		jz	short loc_AD5315
		mov	eax, [esi+8]
		mov	ecx, [ebp+var_78]
		mov	eax, [esi+eax]
		mov	[ecx], eax

loc_AD52F9:				; CODE XREF: FsRtlGetCompatibilityModeValue+B6j
					; FsRtlGetCompatibilityModeValue+EAj
		lea	eax, [ebp+var_68]
		cmp	esi, eax
		jnz	loc_AE8F9B

loc_AD5304:				; CODE XREF: FsRtlGetCompatibilityModeValue+13D73j
		mov	eax, edi

loc_AD5306:				; CODE XREF: FsRtlGetCompatibilityModeValue+83j
					; FsRtlGetCompatibilityModeValue+13D66j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD5315:				; CODE XREF: FsRtlGetCompatibilityModeValue+BCj
		mov	edi, 0C0000034h
		jmp	short loc_AD52F9
FsRtlGetCompatibilityModeValue endp


;  S U B	R O U T	I N E 


; __stdcall FsRtlInitializeLargeMcbs()
_FsRtlInitializeLargeMcbs@0 proc near	; CODE XREF: FsRtlInitSystem()+4Ap
		mov	edi, edi
		push	esi
		push	edi
		push	4
		mov	esi, 6D695346h
		xor	edi, edi
		push	esi
		push	78h
		push	edi
		push	edi
		push	edi
		push	offset _FsRtlFirstPagedMappingLookasideList
		call	_ExInitializePagedLookasideList@28 ; ExInitializePagedLookasideList(x,x,x,x,x,x,x)
		push	4
		push	esi
		push	78h
		push	edi
		push	edi
		push	edi
		push	offset _FsRtlFirstNonPagedMappingLookasideList
		call	_ExInitializeNPagedLookasideList@28 ; ExInitializeNPagedLookasideList(x,x,x,x,x,x,x)
		push	20h
		push	6D665346h
		push	20h
		push	200h
		push	edi
		push	edi
		push	offset _FsRtlFastMutexLookasideList
		call	_ExInitializeNPagedLookasideList@28 ; ExInitializeNPagedLookasideList(x,x,x,x,x,x,x)
		pop	edi
		pop	esi
		retn
_FsRtlInitializeLargeMcbs@0 endp


;  S U B	R O U T	I N E 


; __stdcall FsRtlInitializeFileLocks()
_FsRtlInitializeFileLocks@0 proc near	; CODE XREF: FsRtlInitSystem()+45p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, 200h
		push	ebx
		push	10h
		pop	esi
		push	esi
		push	68734C46h
		push	30h
		push	edi
		push	ebx
		push	ebx
		push	offset _FsRtlSharedLockLookasideList
		call	ExInitializeNPagedLookasideListInternal
		push	ebx
		push	esi
		push	78654C46h
		push	38h
		push	edi
		push	ebx
		push	ebx
		push	offset _FsRtlExclusiveLockLookasideList
		call	ExInitializeNPagedLookasideListInternal
		push	ebx
		push	esi
		push	6C774C46h
		push	esi
		push	edi
		push	ebx
		push	ebx
		push	offset _FsRtlWaitingLockLookasideList
		call	ExInitializeNPagedLookasideListInternal
		push	ebx
		push	esi
		push	6E6C4C46h
		push	20h
		push	edi
		push	ebx
		push	ebx
		push	offset _FsRtlLockTreeNodeLookasideList
		call	ExInitializeNPagedLookasideListInternal
		push	ebx
		push	8
		push	696C4C46h
		push	28h
		push	edi
		push	ebx
		push	ebx
		push	offset _FsRtlLockInfoLookasideList
		call	ExInitializeNPagedLookasideListInternal
		push	8
		push	6C664C46h
		push	40h
		push	ebx
		push	ebx
		push	ebx
		push	offset _FsRtlFileLockLookasideList
		call	_ExInitializePagedLookasideList@28 ; ExInitializePagedLookasideList(x,x,x,x,x,x,x)
		xor	eax, eax
		mov	dword_6CDBA4, ebx
		inc	eax
		mov	dword_6CDBA8, ebx
		push	ebx
		push	eax
		push	offset unk_6CDBAC
		mov	_FsRtlCreateLockInfo, eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		pop	edi
		pop	esi
		mov	_FsRtlFileLockCancelCollideLock, ebx
		mov	_FsRtlFileLockCancelCollideList, ebx
		pop	ebx
		retn
_FsRtlInitializeFileLocks@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FsRtlInitializeTunnels proc near	; CODE XREF: FsRtlInitSystem()+40p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE8FA8 SIZE 00000022 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		cmp	byte ptr ds:dword_7051D4, 0
		jnz	loc_AE8FA8

loc_AD5440:				; CODE XREF: FsRtlInitializeTunnels+13B86j
		push	28h
		pop	eax
		push	2Ah
		mov	word ptr [ebp+var_8], ax
		lea	ecx, [ebp+var_8]
		pop	eax
		mov	edx, offset _TunnelMaxEntries
		mov	[ebp+var_4], offset ??_C@_1CK@NKAOLMMN@?$AAM?$AAa?$AAx?$AAi?$AAm?$AAu?$AAm?$AAT?$AAu?$AAn?$AAn?$AAe?$AAl?$AAE?$AAn@PBOPGDP@ ; "MaximumTunnelEntries"
		mov	word ptr [ebp+var_8+2],	ax
		call	FsRtlGetTunnelParameterValue
		push	3Ch
		pop	eax
		push	3Eh
		mov	word ptr [ebp+var_8], ax
		lea	ecx, [ebp+var_8]
		pop	eax
		mov	edx, offset _TunnelMaxAge
		mov	[ebp+var_4], offset ??_C@_1DO@FHBENCEN@?$AAM?$AAa?$AAx?$AAi?$AAm?$AAu?$AAm?$AAT?$AAu?$AAn?$AAn?$AAe?$AAl?$AAE?$AAn@PBOPGDP@ ; "M"
		mov	word ptr [ebp+var_8+2],	ax
		call	FsRtlGetTunnelParameterValue
		mov	eax, ds:_TunnelMaxAge
		xor	edx, edx
		test	eax, eax
		jz	short loc_AD54DF

loc_AD548F:				; CODE XREF: FsRtlInitializeTunnels+B9j
		mov	ecx, ds:_TunnelMaxEntries
		imul	eax, 989680h
		mov	ds:_TunnelMaxAge, eax
		cmp	ecx, 0FFFFh
		ja	short loc_AD54E7
		mov	ax, cx
		shr	ax, 4
		movzx	eax, ax
		test	ax, ax
		jz	loc_AE8FB7

loc_AD54BB:				; CODE XREF: FsRtlInitializeTunnels+13B99j
		mov	ecx, 100h
		cmp	ax, cx
		ja	short loc_AD54EE

loc_AD54C5:				; CODE XREF: FsRtlInitializeTunnels+C0j
					; FsRtlInitializeTunnels+C4j ...
		push	eax
		push	4C6E7554h
		push	88h
		push	edx
		push	edx
		push	edx
		push	offset _TunnelLookasideList
		call	_ExInitializePagedLookasideList@28 ; ExInitializePagedLookasideList(x,x,x,x,x,x,x)
		leave
		retn
; 

loc_AD54DF:				; CODE XREF: FsRtlInitializeTunnels+61j
		mov	ds:_TunnelMaxEntries, edx
		jmp	short loc_AD548F
; 

loc_AD54E7:				; CODE XREF: FsRtlInitializeTunnels+7Aj
		mov	eax, 100h
		jmp	short loc_AD54C5
; 

loc_AD54EE:				; CODE XREF: FsRtlInitializeTunnels+97j
		mov	eax, ecx
		jmp	short loc_AD54C5
FsRtlInitializeTunnels endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmInitIdlePolicy proc near		; CODE XREF: PoInitSystem+3E4p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE8FCA SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, 0C350h
		mov	word_6BF93D, 3Ch
		push	ebx
		xor	ebx, ebx
		mov	dword_6BF938, eax
		push	esi
		mov	esi, ds:_PopQpcFrequency
		mov	ecx, esi
		mov	dword_6BFA28, eax
		mov	eax, ds:dword_70ED2C
		mov	edx, eax
		shld	edx, ecx, 1
		mov	[ebp+var_C], ebx
		add	ecx, ecx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		mov	word_6BF934, bx
		mov	word_6BFA24, bx
		mov	word_6BFA2D, 3Ch
		mov	byte_6BF93C, 28h
		mov	byte_6BFA2C, 28h
		mov	ds:_PopIdleTransitionTimeout, ecx
		mov	ds:dword_70ED0C, edx
		cmp	_KdPitchDebugger, bl
		jz	loc_AE8FCA
		mov	ds:_PopCoordinatedIdleExitTimeout, ecx
		mov	ds:dword_70ED04, edx

loc_AD5583:				; CODE XREF: PpmInitIdlePolicy+13AF2j
		mov	esi, ebx

loc_AD5585:				; CODE XREF: PpmInitIdlePolicy+D6j
		mov	ecx, ds:dword_705208[esi]
		mov	eax, ecx
		mov	edx, ds:dword_70520C[esi]
		and	eax, edx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AD55BF
		push	ds:dword_70ED2C
		push	ds:_PopQpcFrequency
		push	ebx
		push	(offset	loc_98967E+2)
		push	edx
		push	ecx
		call	PpmConvertTime
		mov	ds:_PpmIdleIntervalLimits[esi],	eax
		mov	ds:dword_705204[esi], edx

loc_AD55BF:				; CODE XREF: PpmInitIdlePolicy+A6j
		add	esi, 18h
		cmp	esi, 270h
		jb	short loc_AD5585
		push	offset ??_C@_1DI@ECBOFMBD@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?9?$AAI?$AAd?$AAl?$AAe?$AAS?$AAt?$AAa?$AAt?$AAe@PBOPGDP@	; "Power-IdleStatesMax-Enabled"
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		test	eax, eax
		js	short loc_AD5609
		cmp	[ebp+var_4], 4
		jnz	short loc_AD5609
		cmp	[ebp+var_8], 4
		jnz	short loc_AD5609
		cmp	[ebp+var_C], ebx
		setnz	ds:_PpmIdleRespectIdleStateMax

loc_AD5609:				; CODE XREF: PpmInitIdlePolicy+FFj
					; PpmInitIdlePolicy+105j ...
		cmp	ds:_PpmIdleDisableStatesAtBoot,	0FFFFFFFFh
		jnz	short loc_AD5618
		mov	ds:_PpmIdleDisableStatesAtBoot,	ebx

loc_AD5618:				; CODE XREF: PpmInitIdlePolicy+11Ej
		pop	esi
		pop	ebx
		leave
		retn
PpmInitIdlePolicy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

StartFirstUserProcess proc near		; CODE XREF: INIT:00ABFD1Ep

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE8FE9 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		lea	eax, [ebp+var_60]
		push	ebx
		push	esi
		push	edi
		push	44h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		call	QueryRegistryHideMachine
		test	al, al
		jnz	loc_AE8FE9

loc_AD5644:				; CODE XREF: StartFirstUserProcess+139D2j
		movzx	esi, ds:word_717F4A
		movzx	ebx, ds:word_717F52
		add	esi, 2FCh
		mov	eax, ebx
		add	eax, esi
		push	62537350h
		push	eax
		push	200h
		mov	[ebp+var_4], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AE8FF3
		push	[ebp+var_4]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	[edi+4], esi
		lea	eax, [esi+edi]
		mov	[edi], esi
		mov	[edi+48h], eax
		mov	eax, ebx
		mov	[edi+290h], eax
		lea	eax, [edi+30h]
		push	0
		push	eax
		mov	dword ptr [edi+8], 400001h
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	esi, [edi+2C0h]
		mov	[edi+28h], esi
		mov	ax, ds:word_717F4A
		mov	[edi+26h], ax
		lea	eax, [edi+24h]
		push	offset unk_717F48
		push	eax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		movzx	eax, word ptr [edi+26h]
		add	eax, esi
		lea	esi, [edi+38h]
		push	3Ch
		mov	[edi+3Ch], eax
		pop	eax
		push	offset _NtInitialUserProcess
		push	esi
		mov	[edi+3Ah], ax
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		mov	eax, [esi]
		mov	[edi+40h], eax
		mov	eax, [esi+4]
		mov	[edi+44h], eax
		mov	eax, [edi+48h]
		mov	[ebp+var_C], eax
		xor	eax, eax
		mov	word ptr [ebp+var_10], ax
		lea	eax, [ebp+var_10]
		push	offset unk_717F50
		push	eax
		mov	word ptr [ebp+var_10+2], bx
		call	_RtlCopyUnicodeString@8	; RtlCopyUnicodeString(x,x)
		lea	eax, [ebp+var_60]
		mov	edx, edi
		push	eax
		push	ecx
		push	ecx
		mov	ecx, esi
		call	RtlCreateUserProcessEx
		mov	esi, eax
		call	_InbvIsBootDriverInstalled@0 ; InbvIsBootDriverInstalled()
		test	al, al
		jnz	short loc_AD579D

loc_AD572E:				; CODE XREF: StartFirstUserProcess+186j
		test	esi, esi
		js	loc_AE900D
		push	4
		lea	eax, [ebp+var_14]
		mov	[ebp+var_14], 1
		push	eax
		push	1Dh
		push	[ebp+var_5C]
		call	_ZwSetInformationProcess@16 ; ZwSetInformationProcess(x,x,x,x)
		test	eax, eax
		js	loc_AE8FFF
		xor	ebx, ebx
		push	ebx
		push	[ebp+var_58]
		call	_ZwResumeThread@8 ; ZwResumeThread(x,x)
		test	eax, eax
		js	short loc_AD57A4
		or	[ebp+var_C], 0FFFFFFFFh
		lea	eax, [ebp+var_10]
		push	eax
		push	ebx
		push	ebx
		mov	byte_6D4D48, 1
		mov	[ebp+var_10], 0FD050F80h
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		push	[ebp+var_58]
		call	_ZwClose@4	; ZwClose(x)
		push	[ebp+var_5C]
		call	_ZwClose@4	; ZwClose(x)
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD579D:				; CODE XREF: StartFirstUserProcess+110j
		call	_FinalizeBootLogo@0 ; FinalizeBootLogo()
		jmp	short loc_AD572E
; 

loc_AD57A4:				; CODE XREF: StartFirstUserProcess+146j
		push	ebx
		push	3
		push	ebx
		jmp	loc_AE9005
StartFirstUserProcess endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlCreateUserProcessEx proc near	; CODE XREF: StartFirstUserProcess+102p

arg_8		= dword	ptr  10h

; FUNCTION CHUNK AT 00AE9016 SIZE 00000089 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		test	esi, esi
		jz	short loc_AD5807
		test	edx, edx
		jz	short loc_AD5807
		mov	ecx, [edx+8]
		test	cl, 1
		jz	loc_AE9016

loc_AD57CA:				; CODE XREF: RtlCreateUserProcessEx+138ECj
		mov	ecx, [edx+8]
		mov	eax, ecx
		and	dword ptr [edx+2Ch], 0
		shr	eax, 0Bh
		and	eax, 80h
		test	ecx, 400000h
		jz	short loc_AD57E6
		or	eax, 40h

loc_AD57E6:				; CODE XREF: RtlCreateUserProcessEx+33j
		test	ecx, (offset loc_7FFFFF+1)
		jnz	short loc_AD5800

loc_AD57EE:				; CODE XREF: RtlCreateUserProcessEx+57j
		push	[ebp+arg_8]
		push	ecx
		push	ecx
		push	eax
		mov	ecx, esi
		call	RtlpCreateUserProcess

loc_AD57FB:				; CODE XREF: RtlCreateUserProcessEx+5Ej
		pop	esi
		pop	ebp
		retn	0Ch
; 

loc_AD5800:				; CODE XREF: RtlCreateUserProcessEx+3Ej
		or	eax, 40000h
		jmp	short loc_AD57EE
; 

loc_AD5807:				; CODE XREF: RtlCreateUserProcessEx+Aj
					; RtlCreateUserProcessEx+Ej
		mov	eax, 0C000000Dh
		jmp	short loc_AD57FB
RtlCreateUserProcessEx endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

RtlpCreateUserProcess proc near		; CODE XREF: RtlCreateUserProcessEx+48p

var_150		= dword	ptr -150h
var_148		= byte ptr -148h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00AE909F SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 154h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_C]
		lea	eax, [ebp+var_9C]
		push	esi
		push	edi
		push	90h		; size_t
		push	0		; int
		push	eax		; void *
		mov	esi, edx
		mov	edi, ecx
		call	_memset
		xor	eax, eax
		push	44h		; size_t
		push	eax		; int
		push	ebx		; void *
		mov	[ebp+var_104], eax
		mov	[ebp+var_C8], eax
		mov	[ebp+var_C4], eax
		call	_memset
		xor	edx, edx
		mov	dword ptr [ebx], 44h
		push	18h
		pop	ecx
		mov	eax, 200h
		mov	[ebp+var_100], ecx
		push	48h		; size_t
		mov	[ebp+var_F4], eax
		mov	[ebp+var_DC], eax
		lea	eax, [ebp+var_150]
		push	edx		; int
		push	eax		; void *
		mov	[ebp+var_FC], edx
		mov	[ebp+var_F8], edx
		mov	[ebp+var_F0], edx
		mov	[ebp+var_EC], edx
		mov	[ebp+var_E8], ecx
		mov	[ebp+var_E4], edx
		mov	[ebp+var_E0], edx
		mov	[ebp+var_D8], edx
		mov	[ebp+var_D4], edx
		mov	[ebp+var_D0], edx
		mov	[ebp+var_CC], edx
		call	_memset
		or	[ebp+var_148], 4
		lea	eax, [ebx+0Ch]
		add	esp, 24h
		mov	[ebp+var_B4], eax
		xor	edx, edx
		mov	[ebp+var_150], 48h
		mov	[ebp+var_BC], 10003h
		lea	eax, [ebx+14h]
		mov	[ebp+var_B8], 8
		mov	[ebp+var_B0], edx
		mov	[ebp+var_AC], 6
		mov	[ebp+var_A8], 30h
		mov	[ebp+var_A0], edx
		mov	[ebp+var_A4], eax
		push	2
		pop	ecx
		test	edi, edi
		jz	short loc_AD5981
		movzx	eax, word ptr [edi]
		mov	[ebp+var_98], eax
		mov	eax, [edi+4]
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_C8]
		push	4
		mov	[ebp+var_C8], ecx
		mov	[ebp+var_9C], 20005h
		mov	[ebp+var_90], edx
		mov	[ebp+var_8C], 2000Ah
		mov	[ebp+var_88], 8
		mov	[ebp+var_80], edx
		mov	[ebp+var_84], eax
		pop	ecx

loc_AD5981:				; CODE XREF: RtlpCreateUserProcess+123j
		xor	edi, edi
		inc	edi
		test	byte ptr [ebp+arg_0], 40h
		jz	short loc_AD59B3
		mov	eax, ecx
		add	eax, eax
		inc	ecx
		mov	[ebp+eax*8+var_BC], 60011h
		mov	[ebp+eax*8+var_B8], edi
		mov	[ebp+eax*8+var_B0], edx
		mov	[ebp+eax*8+var_B4], 61h

loc_AD59B3:				; CODE XREF: RtlpCreateUserProcess+17Aj
		test	esi, esi
		jz	short loc_AD59C2
		mov	eax, [esi+8]
		test	eax, eax
		js	loc_AE909F

loc_AD59C2:				; CODE XREF: RtlpCreateUserProcess+1A7j
					; RtlpCreateUserProcess+138C8j
		lea	eax, [ebp+var_C0]
		shl	ecx, 4
		push	eax
		lea	eax, [ebp+var_150]
		add	ecx, 4
		push	eax
		push	esi
		push	edi
		push	[ebp+arg_0]
		lea	eax, [ebp+var_E8]
		mov	[ebp+var_C0], ecx
		push	eax
		lea	eax, [ebp+var_100]
		push	eax
		mov	eax, 2000000h
		push	eax
		push	eax
		lea	eax, [ebx+8]
		push	eax
		lea	eax, [ebx+4]
		push	eax
		call	_ZwCreateUserProcess@44	; ZwCreateUserProcess(x,x,x,x,x,x,x,x,x,x,x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	10h
RtlpCreateUserProcess endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

QueryRegistryHideMachine proc near	; CODE XREF: StartFirstUserProcess+1Bp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE90DB SIZE 00000088 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_10]
		push	offset ??_C@_1II@OLBDKLDD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		push	eax
		mov	[ebp+var_10], ebx
		mov	edi, ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_10]
		mov	[ebp+var_28], 18h
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_24], ebx
		push	eax
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	loc_AE90DB

loc_AD5A74:				; CODE XREF: QueryRegistryHideMachine+136EEj
					; QueryRegistryHideMachine+13707j ...
		cmp	[ebp+var_4], ebx
		jnz	loc_AE9156

loc_AD5A7D:				; CODE XREF: QueryRegistryHideMachine+1374Aj
		test	edi, edi
		pop	edi
		pop	esi
		setnz	al
		pop	ebx
		leave
		retn
QueryRegistryHideMachine endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PpmInitHeteroPolicy()
_PpmInitHeteroPolicy@0 proc near	; CODE XREF: PoInitSystem+3F3p
		mov	ds:_PpmHeteroMinRelativePerformance, 10000h
		xor	ecx, ecx

loc_AD5A94:				; CODE XREF: PpmInitHeteroPolicy()+3Ej
		test	ecx, ecx
		setz	al
		dec	al
		and	al, 0F6h
		add	al, 5Ah
		test	ecx, ecx
		mov	byte_6BF961[ecx], al
		mov	byte_6BFA51[ecx], al
		setz	al
		dec	al
		and	al, 14h
		add	al, 1Eh
		mov	byte_6BF941[ecx], al
		mov	byte_6BFA31[ecx], al
		inc	ecx
		cmp	ecx, 20h
		jb	short loc_AD5A94
		push	5
		pop	eax
		mov	byte_6BF93F, 3
		mov	byte_6BFA2F, 3
		mov	word_6BF981, 3232h
		mov	word_6BFA71, 3232h
		mov	dword_6BF988, eax
		mov	dword_6BFA78, eax
		mov	dword_6BF984, eax
		mov	dword_6BFA74, eax
		retn
_PpmInitHeteroPolicy@0 endp


;  S U B	R O U T	I N E 


; __stdcall CmpInitializeRegistryNames()
_CmpInitializeRegistryNames@0 proc near	; CODE XREF: CmInitSystem1(x):loc_AC7A0Ep
		mov	edi, edi
		push	esi
		push	edi
		push	offset ??_C@_1BE@MOENMHEO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY@LBKOJDO@
		push	offset _CmRegistryRootName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1CE@BGEMHEPM@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1DG@ODDNOCB@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineHardwareName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1EO@DMECHFLJ@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineHardwareDescriptionName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1FM@PPGHCFAK@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineHardwareDescriptionSystemName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1EK@KCBLDELJ@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineHardwareDeviceMapName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1EO@IGPCEENG@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineHardwareResourceMapName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1EI@GLMAMPDA@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineHardwareOwnerMapName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1DC@GKOJGBFO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineSystemName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1FG@FGBKPELI@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineSystemCurrentControlSet
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1BO@PBBLJICK@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAU?$AAS?$AAE?$AAR@LBKOJDO@
		push	offset _CmRegistryUserName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1BK@GILENGI@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAW?$AAC@LBKOJDO@
		push	offset _CmRegistryContainersName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1BI@IOMEIGOA@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAA@LBKOJDO@
		push	offset _CmRegistryAppName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@LBKOJDO@
		push	offset _CmpSystemFileName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1GA@LDINLKCH@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineSystemCurrentControlSetEnumName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1GK@GHCECGGJ@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineSystemCurrentControlSetEnumRootName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1GI@KDCMPEIG@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineSystemCurrentControlSetServices
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1IK@HBJLIGFJ@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineSystemCurrentControlSetHardwareProfilesCurrent
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1HC@HJNLJPFC@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineSystemCurrentControlSetControlClass
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1HI@JLNEJCDM@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineSystemCurrentControlSetControlSafeBoot
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1KK@OBGIGMAN@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineSystemCurrentControlSetControlSessionManagerMemoryManagement
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1HG@FIOMGKDP@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineSystemCurrentControlSetControlBootLog
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1HK@IDPKCGLJ@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@LBKOJDO@
		push	offset _CmRegistryMachineSystemCurrentControlSetServicesEventLog
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1CE@CFOIKICP@?$AAS?$AAy?$AAm?$AAb?$AAo?$AAl?$AAi?$AAc?$AAL?$AAi?$AAn?$AAk?$AAV?$AAa?$AAl@LBKOJDO@
		push	offset _CmSymbolicLinkValueName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1DM@HHDLMKAF@?$AAC?$AAO?$AAN?$AAT?$AAR?$AAO?$AAL?$AAS?$AAE?$AAT?$AA0?$AA0?$AA1?$AA?2?$AAS@LBKOJDO@
		push	offset _CmMpsSvcKeySubstring
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1BC@HDFELGIF@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy@LBKOJDO@
		push	offset _CmRegistryProcessName
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edi, offset _CmTypeName
		xor	esi, esi

loc_AD5C91:				; CODE XREF: CmpInitializeRegistryNames()+1A9j
		push	ds:_CmTypeString[esi]
		push	edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		add	esi, 4
		add	edi, 8
		cmp	esi, 0A4h
		jbe	short loc_AD5C91
		pop	edi
		pop	esi
		retn
_CmpInitializeRegistryNames@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopThermalInit()
_PopThermalInit@0 proc near		; CODE XREF: PoInitSystem+42Bp
		mov	edi, edi
		push	esi
		xor	esi, esi
		mov	byte ptr word_6C1F88, 1
		push	edi
		push	ecx
		push	esi
		push	offset _PopThermalTelemetryWorker@4 ; PopThermalTelemetryWorker(x)
		push	esi
		mov	edx, offset _PopThermalTelemetryCallback@8 ; PopThermalTelemetryCallback(x,x)
		mov	_PopThermalLock, esi
		mov	ecx, offset _PopThermalTelemetryTimer
		mov	dword_6C2194, esi
		mov	_PopThermalTelemetryLock, esi
		mov	dword_6C2054, esi
		mov	_PopSystemThermalInfo, esi
		mov	dword_6C1F84, esi
		call	_PopInitializeTimer@24 ; PopInitializeTimer(x,x,x,x,x,x)
		cmp	_PopThermalPollingMode,	esi
		jnz	short loc_AD5D1E

loc_AD5CFE:				; CODE XREF: PopThermalInit()+77j
		mov	ecx, esi

loc_AD5D00:				; CODE XREF: PopThermalInit()+6Bj
		xor	edx, edx
		mov	eax, ecx
		push	14h
		pop	edi
		div	edi
		add	ecx, 64h
		mov	_PopThermalTrackingThresholds[esi], al
		inc	esi
		cmp	ecx, 834h
		jb	short loc_AD5D00
		pop	edi
		pop	esi
		retn
; 

loc_AD5D1E:				; CODE XREF: PopThermalInit()+4Ej
		mov	_PopThermalPollingWakesAllowed,	1
		jmp	short loc_AD5CFE
_PopThermalInit@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


PpmPerfInitialize proc near		; CODE XREF: PoInitSystem+3E9p

; FUNCTION CHUNK AT 00AE9163 SIZE 00000013 BYTES

		mov	edi, edi
		push	esi
		push	32h
		mov	eax, offset _PpmPerfDomainHead
		xor	edx, edx
		mov	ds:dword_70EE24, eax
		mov	ds:_PpmPerfDomainHead, eax
		pop	eax
		push	64h
		pop	ecx
		push	2
		mov	dword_6BF8B4, eax
		mov	dword_6BF9A4, eax
		mov	eax, edx
		pop	esi

loc_AD5D51:				; CODE XREF: PpmPerfInitialize+6Ej
		mov	byte_6BF8B8[eax], 1
		mov	byte_6BF9A8[eax], 1
		mov	byte_6BF8C8[eax], 46h
		mov	byte_6BF9B8[eax], 46h
		mov	byte_6BF8C6[eax], 1Eh
		mov	byte_6BF9B6[eax], 1Eh
		mov	byte_6BF8BA[eax], cl
		mov	byte_6BF9AA[eax], cl
		mov	byte_6BF8BC[eax], cl
		mov	byte_6BF9AC[eax], cl
		inc	eax
		cmp	eax, esi
		jb	short loc_AD5D51
		mov	eax, ds:_PpmPerfQosTransitionHysteresisOverride
		mov	dword_6BF8D4, ecx
		mov	dword_6BF9C4, ecx
		mov	ecx, ds:_PpmPerfQosTransitionHysteresis
		mov	dword_6BF8D8, esi
		mov	dword_6BF9C8, esi
		mov	_PpmMediaBufferingWork,	edx
		mov	dword_6C3C30, offset PpmMediaBufferingWorker
		mov	dword_6C3C34, edx
		mov	dword_6C3C28, edx
		mov	dword_6C3BF8, offset _PpmPerfLatencySensitivityHintWorker@4 ; PpmPerfLatencySensitivityHintWorker(x)
		mov	dword_6C3BFC, edx
		mov	_PpmPerfLatencyBoostWorkItem, edx
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_AD5E28

loc_AD5DF2:				; CODE XREF: PpmPerfInitialize+102j
		mov	esi, 1F4h
		cmp	ecx, esi
		ja	loc_AE9163
		mov	eax, esi

loc_AD5E01:				; CODE XREF: PpmPerfInitialize+1343Ej
					; PpmPerfInitialize+13449j
		push	ecx
		push	edx
		imul	eax, 0Ah
		mov	ecx, offset _PpmPerfTelemetryTimer
		push	offset _PpmPerfTelemetryWorker@4 ; PpmPerfTelemetryWorker(x)
		mov	ds:dword_70EE1C, edx
		push	edx
		mov	edx, offset _PpmPerfTelemetryCallback@8	; PpmPerfTelemetryCallback(x,x)
		mov	ds:_PpmPerfQosIdleExpirationTimeout, eax
		call	_PopInitializeTimer@24 ; PopInitializeTimer(x,x,x,x,x,x)
		pop	esi
		retn
; 

loc_AD5E28:				; CODE XREF: PpmPerfInitialize+C8j
		mov	ecx, eax
		jmp	short loc_AD5DF2
PpmPerfInitialize endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopDirectedDripsInitializePhase3 proc near ; CODE XREF:	PopInitializeDirectedDrips(x)+13p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE9176 SIZE 0000001E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		push	3
		xor	edi, edi
		pop	ecx
		mov	[ebp+var_4], edi
		call	_PopDirectedDripsDiagInitialize@4 ; PopDirectedDripsDiagInitialize(x)
		mov	esi, offset _PopDirectedDripsState
		mov	ecx, esi
		call	_PopDirectedDripsQueryEnabledMitigations@4 ; PopDirectedDripsQueryEnabledMitigations(x)
		test	byte ptr dword_6C36C4, 3
		jz	loc_AE9176
		push	esi
		push	offset PopDirectedDripsWorkerRoutine
		push	edi
		push	edi
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_1C], 18h
		push	eax
		push	edi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_18], edi
		push	eax
		mov	[ebp+var_10], 200h
		mov	[ebp+var_14], edi
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD5EDB
		push	edi
		push	offset unk_6C36B0
		push	67446F50h
		push	edi
		push	ds:_PsThreadType
		push	1FFFFFh
		push	[ebp+var_4]
		call	_ObReferenceObjectByHandleWithTag@28 ; ObReferenceObjectByHandleWithTag(x,x,x,x,x,x,x)
		push	[ebp+var_4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_AD5EDB
		mov	eax, _PopDirectedDripsDfxEnforcementPolicy
		xor	ecx, ecx
		inc	ecx
		test	eax, eax
		jz	short loc_AD5ED3
		cmp	eax, ecx
		jnz	loc_AE9180

loc_AD5ED3:				; CODE XREF: PopDirectedDripsInitializePhase3+9Dj
					; PopDirectedDripsInitializePhase3+13357j ...
		or	_PopDirectedDripsState,	ecx
		mov	esi, edi

loc_AD5EDB:				; CODE XREF: PopDirectedDripsInitializePhase3+64j
					; PopDirectedDripsInitializePhase3+91j	...
		mov	ecx, esi
		call	PopDiagTraceDirectedDripsInitialization
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
PopDirectedDripsInitializePhase3 endp


;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsInitializePhase0(x)
_PopDirectedDripsInitializePhase0@4 proc near ;	CODE XREF: PopInitializeDirectedDrips(x)+7p
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		push	ebx
		push	1
		push	offset unk_6C36B4
		mov	dword_6C371C, ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		or	dword_6C3834, 0FFFFFFFFh
		mov	edx, offset _PopDirectedDripsNotifyResiliencyCompletionWorker@4	; PopDirectedDripsNotifyResiliencyCompletionWorker(x)
		push	offset _PopDirectedDripsState
		mov	ecx, offset unk_6C372C
		mov	dword_6C36CC, 8C000000h
		mov	dword_6C3740, ebx
		mov	word_6C3720, bx
		mov	dword_6C3724, ebx
		mov	byte_6C3728, bl
		call	_PopInitializeWorkItem@12 ; PopInitializeWorkItem(x,x,x)
		push	_PopDirectedDripsWaitWakeTimeoutSeconds
		mov	ecx, offset unk_6C3748
		push	2
		pop	edx
		call	_PopDirectedDripsInitializeDisengageTimer@12 ; PopDirectedDripsInitializeDisengageTimer(x,x,x)
		push	_PopDirectedDripsSurprisePowerOnTimeoutSeconds
		mov	ecx, offset unk_6C37B8
		push	3
		pop	edx
		call	_PopDirectedDripsInitializeDisengageTimer@12 ; PopDirectedDripsInitializeDisengageTimer(x,x,x)
		xor	ecx, ecx
		mov	dword_6C3838, ebx
		mov	dword_6C383C, ebx
		call	_PopDirectedDripsDiagInitialize@4 ; PopDirectedDripsDiagInitialize(x)
		pop	ebx
		jmp	_PopDirectedDripsUmInitialize@0	; PopDirectedDripsUmInitialize()
_PopDirectedDripsInitializePhase0@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopDirectedDripsDiagInitialize(x)
_PopDirectedDripsDiagInitialize@4 proc near
					; CODE XREF: PopDirectedDripsInitializePhase3+12p
					; PopDirectedDripsInitializePhase0(x)+8Ap
		mov	edi, edi
		push	esi
		test	ecx, ecx
		jnz	short loc_AD5FE1
		push	offset ??_C@_11LOCGONAA@@PBOPGDP@
		push	offset _PopDirectedDripsDiagEmptyString
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		and	_PopDirectedDripsDiagLock, 0
		mov	esi, offset _PopDirectedDripsDiagSessionContext
		push	1F8h		; size_t
		push	0		; int
		push	esi		; void *
		call	_memset
		and	dword_6BF65C, 0
		mov	eax, offset dword_6BF648
		mov	dword_6BF64C, eax
		add	esp, 0Ch
		mov	dword_6BF648, eax
		xor	eax, eax
		inc	eax
		mov	dword_6BF644, esi
		mov	_PopDirectedDripsDiagSessionContext, esi
		mov	dword_6BF828, eax
		mov	dword_6BF82C, eax

loc_AD5FDF:				; CODE XREF: PopDirectedDripsDiagInitialize(x)+66j
					; PopDirectedDripsDiagInitialize(x)+7Fj
		pop	esi
		retn
; 

loc_AD5FE1:				; CODE XREF: PopDirectedDripsDiagInitialize(x)+5j
		cmp	ecx, 3
		jnz	short loc_AD5FDF
		push	0
		xor	edx, edx
		mov	_PopDirectedDripsDiagTraceHandleRegistered, 0
		mov	ecx, offset dword_A93B08
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		test	eax, eax
		js	short loc_AD5FDF
		mov	_PopDirectedDripsDiagTraceHandleRegistered, 1
		pop	esi
		retn
_PopDirectedDripsDiagInitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KiInitSystem	proc near		; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+323p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE9194 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, _KiForceSymbolReferencesTrigger
		test	eax, eax
		jnz	loc_AE9194

loc_AD601B:				; CODE XREF: KiInitSystem+13191j
		mov	eax, offset _KeBugCheckCallbackListHead
		mov	[ebp+var_4], offset _KiQueuedLockTableSize
		mov	dword_6CB3EC, eax
		mov	_KeBugCheckCallbackListHead, eax
		mov	eax, offset _KeBugCheckReasonCallbackListHead
		push	ebx
		mov	dword_6CB3FC, eax
		xor	ebx, ebx
		mov	_KeBugCheckReasonCallbackListHead, eax
		mov	eax, offset _KeBugCheckAddRemovePagesCallbackListHead
		push	esi
		mov	dword_6CB3F4, eax
		mov	_KeBugCheckAddRemovePagesCallbackListHead, eax
		mov	eax, offset _KeBugCheckTriageDumpDataArrayListHead
		push	edi
		mov	dword_6CB404, eax
		mov	_KeBugCheckTriageDumpDataArrayListHead,	eax
		mov	eax, offset _KiProfileListHead
		push	ebx
		mov	dword_6CB30C, eax
		mov	_KiProfileListHead, eax
		mov	eax, offset _KiProfileSourceListHead
		push	1
		push	offset _KiSwapEvent
		mov	[ebp+var_4], offset _KiTimerTableSize
		mov	_KeBugCheckCallbackLock, ebx
		mov	dword_6CB324, eax
		mov	_KiProfileSourceListHead, eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, ds:_KiServiceLimit
		mov	edi, offset _KeServiceDescriptorTableShadow
		push	8
		mov	ds:dword_70E688, eax
		mov	eax, offset _KeServiceDescriptorTable
		pop	ecx
		push	8
		mov	ds:_KeServiceDescriptorTable, offset _KiServiceTable
		mov	esi, eax
		mov	ds:dword_70E68C, offset	_KiArgumentTable
		mov	ds:dword_70E698, ebx
		rep movsd
		pop	ecx
		mov	esi, eax
		mov	_KiProcessInSwapListHead, ebx
		mov	edi, offset _KeServiceDescriptorTableFilter
		mov	_KiProcessOutSwapListHead, ebx
		rep movsd
		mov	esi, offset _KiBalanceSetManagerPeriodicEvent
		mov	_KiStackInSwapListHead,	ebx
		push	esi
		push	offset _KiBalanceSetManagerDeferredRoutine@16 ;	KiBalanceSetManagerDeferredRoutine(x,x,x,x)
		push	offset _KiBalanceSetManagerPeriodicDpc
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	ebx
		xor	edi, edi
		inc	edi
		push	edi
		push	esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		push	ebx
		push	offset _KiStackProtectNotifyEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, ebx

loc_AD611C:				; CODE XREF: KiInitSystem+12Ej
		mov	_KiAbTreeArray[eax], ebx
		mov	dword_6FAC04[eax], ebx
		mov	dword_6FAC08[eax], ebx
		add	eax, 40h
		cmp	eax, 400h
		jb	short loc_AD611C
		push	ebx
		push	edi
		push	offset unk_6CB20C
		mov	_KiDynamicProcessorLock, edi
		mov	dword_6CB204, ebx
		mov	dword_6CB208, ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		push	offset _KiSetVirtualHeteroClockIntervalRequestDpcRoutine@16 ; KiSetVirtualHeteroClockIntervalRequestDpcRoutine(x,x,x,x)
		push	offset _KiSetVirtualHeteroClockIntervalRequestDpc
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		pop	edi
		pop	esi
		mov	byte_6CB341, 2
		pop	ebx
		leave
		retn
KiInitSystem	endp


;  S U B	R O U T	I N E 


; __stdcall PipFreeGroupTree(x)
_PipFreeGroupTree@4 proc near		; CODE XREF: IopInitializeSystemDrivers+1DBp
					; PipFreeGroupTree(x):loc_AD6195p ...
		mov	edi, edi
		push	esi
		mov	esi, ecx
		mov	ecx, [esi]
		test	ecx, ecx
		jnz	short loc_AD61A3

loc_AD617D:				; CODE XREF: PipFreeGroupTree(x)+36j
		mov	ecx, [esi+8]
		test	ecx, ecx
		jnz	short loc_AD6195

loc_AD6184:				; CODE XREF: PipFreeGroupTree(x)+28j
		mov	ecx, [esi+4]
		test	ecx, ecx
		jnz	short loc_AD619C

loc_AD618B:				; CODE XREF: PipFreeGroupTree(x)+2Fj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	esi
		retn
; 

loc_AD6195:				; CODE XREF: PipFreeGroupTree(x)+10j
		call	_PipFreeGroupTree@4 ; PipFreeGroupTree(x)
		jmp	short loc_AD6184
; 

loc_AD619C:				; CODE XREF: PipFreeGroupTree(x)+17j
		call	_PipFreeGroupTree@4 ; PipFreeGroupTree(x)
		jmp	short loc_AD618B
; 

loc_AD61A3:				; CODE XREF: PipFreeGroupTree(x)+9j
		call	_PipFreeGroupTree@4 ; PipFreeGroupTree(x)
		jmp	short loc_AD617D
_PipFreeGroupTree@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PnpNotifyEarlyLaunchStatusUpdate(x)
_PnpNotifyEarlyLaunchStatusUpdate@4 proc near ;	CODE XREF: IopInitializeBootDrivers+380p
					; IopInitializeBootDrivers+3E3p ...

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_8], 0
		cmp	ds:_PnpBootDriverCallbackObject, 0
		push	esi
		mov	esi, ecx
		jz	short loc_AD6207
		mov	edx, esi
		mov	ecx, offset _KMPnPEvt_EarlyLaunch_StatusNotification_Start
		call	_PnpDiagnosticTraceElamStatus@8	; PnpDiagnosticTraceElamStatus(x,x)
		mov	ecx, ds:_PnpBootDriverCallbackObject
		lea	eax, [ebp+var_4]
		and	[ebp+var_14], 0
		xor	edx, edx
		and	[ebp+var_10], 0
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], esi
		push	eax
		mov	[ebp+var_18], offset _PnpEarlyLaunchStatusNotificationPreProcess@20 ; PnpEarlyLaunchStatusNotificationPreProcess(x,x,x,x,x)
		call	ExNotifyWithProcessing
		mov	edx, esi
		mov	ecx, offset _KMPnPEvt_EarlyLaunch_StatusNotification_Stop
		call	_PnpDiagnosticTraceElamStatus@8	; PnpDiagnosticTraceElamStatus(x,x)

loc_AD6207:				; CODE XREF: PnpNotifyEarlyLaunchStatusUpdate(x)+16j
		pop	esi
		leave
		retn
_PnpNotifyEarlyLaunchStatusUpdate@4 endp


;  S U B	R O U T	I N E 


; __stdcall IopInitializePassiveInterruptServices()
_IopInitializePassiveInterruptServices@0 proc near ; CODE XREF:	INIT:00AC2E51p
		mov	edi, edi
		push	ecx
		call	IopQueryPassiveInterruptRegistryOptions
		and	_PassiveInterruptListLock, 0
		mov	eax, offset _PassiveInterruptList
		mov	dword_6CC9CC, eax
		mov	_PassiveInterruptList, eax
		movzx	eax, _PassiveInterruptRealtimeWorkerCount
		push	eax
		push	offset _PassiveInterruptRealtimeWorkQueue
		call	_KeInitializeQueue@8 ; KeInitializeQueue(x,x)
		call	_IopCreatePassiveInterruptRealtimeThreads@8 ; IopCreatePassiveInterruptRealtimeThreads(x,x)
		pop	ecx
		retn
_IopInitializePassiveInterruptServices@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopInitDripsWakeAccounting()
_PopInitDripsWakeAccounting@0 proc near	; CODE XREF: PoInitSystem+5AAp
		mov	edi, edi
		push	esi
		xor	esi, esi

loc_AD6247:				; CODE XREF: PopInitDripsWakeAccounting()+3Bj
		push	ds:dword_70ED2C
		push	ds:_PopQpcFrequency
		push	0
		push	3E8h
		push	ds:dword_70565C[esi]
		push	ds:_PopDripsWakeIdleAccountingBucketLimitsMs[esi]
		call	PpmConvertTime
		mov	ds:_PopDripsWakeIdleAccountingBucketLimitsQpc[esi], eax
		mov	ds:dword_70ECB4[esi], edx
		add	esi, 8
		cmp	esi, 48h
		jb	short loc_AD6247
		or	ds:dword_70ECF8, 0FFFFFFFFh
		or	ds:dword_70ECFC, 0FFFFFFFFh
		xor	esi, esi

loc_AD628F:				; CODE XREF: PopInitDripsWakeAccounting()+77j
		push	0
		push	2710h
		push	ds:dword_7055FC[esi]
		push	ds:_PopDripsWakePeriodAccountingBucketLimitsHns[esi]
		call	__aulldiv
		mov	ds:_PopDripsWakePeriodAccountingBucketLimitsMs[esi], eax
		mov	ds:dword_70EC54[esi], edx
		add	esi, 8
		cmp	esi, 58h
		jb	short loc_AD628F
		or	ds:dword_70ECA8, 0FFFFFFFFh
		or	ds:dword_70ECAC, 0FFFFFFFFh
		pop	esi
		retn
_PopInitDripsWakeAccounting@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopEtInit	proc near		; CODE XREF: PoInitSystem+564p

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE919E SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		xor	ebx, ebx
		push	esi
		push	edi
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		cmp	_PopEnergyEstimationEnabled, bl
		jz	loc_AD6476
		push	54456F50h
		mov	esi, 2E8h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	_PopEtGlobals, edi
		test	edi, edi
		jz	loc_AE919E
		push	esi		; size_t
		push	ebx		; int
		push	edi		; void *
		call	_memset
		mov	[edi+0Ch], ebx
		lea	edx, [edi+38h]
		mov	[edi+8], ebx
		lea	ecx, [edi+20h]
		mov	[edi+4], edi
		add	esp, 0Ch
		mov	[edi], edi
		mov	[edi+18h], ebx
		mov	[edi+14h], ebx
		mov	dword ptr [edx], offset	_PopEtInternerAllocate@8 ; PopEtInternerAllocate(x,x)
		mov	dword ptr [edi+3Ch], offset _PopEtInternerFree@8 ; PopEtInternerFree(x,x)
		mov	dword ptr [edi+40h], offset _PopEtInternerLock@8 ; PopEtInternerLock(x,x)
		mov	dword ptr [edi+44h], offset _PopEtInternerUnlock@8 ; PopEtInternerUnlock(x,x)
		mov	dword ptr [edi+48h], offset _PopEtInternerEntryInitialize@12 ; PopEtInternerEntryInitialize(x,x,x)
		call	_RtlInternTableInitialize@8 ; RtlInternTableInitialize(x,x)
		lea	ecx, [edi+50h]
		call	_PoEnergyContextInitialize@4 ; PoEnergyContextInitialize(x)
		mov	esi, ds:_PsIdleProcess
		mov	edx, offset aDefault_1 ; "Default"
		mov	[esi+3E0h], ecx
		lea	ecx, [edi+278h]
		call	_PopEtInitializeBuiltinAppId@8 ; PopEtInitializeBuiltinAppId(x,x)
		lea	ecx, [edi+2A4h]
		mov	edx, offset aOverflow ;	"Overflow"
		call	_PopEtInitializeBuiltinAppId@8 ; PopEtInitializeBuiltinAppId(x,x)
		lea	ecx, [edi+24Ch]
		mov	edx, offset aIsrdpc ; "IsrDpc"
		call	_PopEtInitializeBuiltinAppId@8 ; PopEtInitializeBuiltinAppId(x,x)
		mov	eax, [esi+3E0h]
		mov	edx, offset aSystem_1 ;	"System"
		mov	[eax+1B8h], ecx
		lea	ecx, [edi+220h]
		call	_PopEtInitializeBuiltinAppId@8 ; PopEtInitializeBuiltinAppId(x,x)
		mov	eax, ds:_PsInitialSystemProcess
		mov	eax, [eax+3E0h]
		test	eax, eax
		jz	short loc_AD63CE
		mov	[eax+1B8h], ecx

loc_AD63CE:				; CODE XREF: PopEtInit+FAj
		xor	ecx, ecx
		jmp	short loc_AD63EB
; 

loc_AD63D2:				; CODE XREF: PopEtInit+13Cj
		mov	eax, _PopEtGlobals
		add	eax, 278h
		mov	[ecx+1B8h], eax
		mov	ecx, esi
		call	_PoEnergyContextStart@4	; PoEnergyContextStart(x)

loc_AD63E9:				; CODE XREF: PopEtInit+132j
					; PopEtInit+13Aj
		mov	ecx, esi

loc_AD63EB:				; CODE XREF: PopEtInit+104j
		call	_PsGetNextProcess@4 ; PsGetNextProcess(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_AD640A
		mov	ecx, [esi+3E0h]
		test	ecx, ecx
		jz	short loc_AD63E9
		cmp	[ecx+1B8h], ebx
		jnz	short loc_AD63E9
		jmp	short loc_AD63D2
; 

loc_AD640A:				; CODE XREF: PopEtInit+128j
		push	offset ??_C@_1BM@LENONAPF@?$AAE?$AAn?$AAe?$AAr?$AAg?$AAy?$AAT?$AAr?$AAa?$AAc?$AAk?$AAe?$AAr@PBOPGDP@
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_60]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, _PopEtGlobals
		add	esp, 0Ch
		or	byte ptr [ebp+var_60+2], 4
		add	eax, 10h
		mov	word ptr [ebp+var_60], si
		mov	[ebp+var_3C], 1
		push	eax
		push	ebx
		lea	eax, [ebp+var_60]
		mov	[ebp+var_38], 258h
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_58], 192h
		push	eax
		mov	[ebp+var_44], 1F0001h
		mov	[ebp+var_28], offset _PopEtEnergyTrackerClose@16 ; PopEtEnergyTrackerClose(x,x,x,x)
		mov	[ebp+var_24], offset _PopEtEnergyTrackerDelete@4 ; PopEtEnergyTrackerDelete(x)
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	short loc_AD6478

loc_AD6476:				; CODE XREF: PopEtInit+19j
		mov	eax, ebx

loc_AD6478:				; CODE XREF: PopEtInit+1A8j
					; PopEtInit+12ED7j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PopEtInit	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopRecorderInit()
_PopRecorderInit@0 proc	near		; CODE XREF: PoInitSystem+4D2p
		and	_PopBlackBoxLock, 0
		and	_PopBootStatLock, 0
		push	esi
		xor	esi, esi

loc_AD648F:				; CODE XREF: PopRecorderInit()+3Aj
		push	off_6B2424[esi]
		lea	eax, dword_6B242C[esi]
		mov	byte_6B2444[esi], 0
		push	2
		push	offset _PopBlackBoxBugcheckCallback@16 ; PopBlackBoxBugcheckCallback(x,x,x,x)
		push	eax
		call	KeRegisterBugCheckReasonCallback
		add	esi, 40h
		cmp	esi, 580h
		jb	short loc_AD648F
		pop	esi
		retn
_PopRecorderInit@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeBootProcess	proc near	; CODE XREF: MiInitSystem+274p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= byte ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE91A8 SIZE 00000029 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		cmp	ds:dword_7051E4, 0
		push	esi
		push	edi
		lea	edi, [ebp+var_10]
		stosd
		stosd
		stosd
		jnz	short loc_AD64E1
		mov	ds:dword_7051E4, 100000h

loc_AD64E1:				; CODE XREF: MiInitializeBootProcess+19j
		cmp	ds:dword_7051E0, 0
		jnz	short loc_AD64F4
		mov	ds:dword_7051E0, 2000h

loc_AD64F4:				; CODE XREF: MiInitializeBootProcess+2Cj
		cmp	ds:dword_7051DC, 0
		jnz	short loc_AD6507
		mov	ds:dword_7051DC, 10000h

loc_AD6507:				; CODE XREF: MiInitializeBootProcess+3Fj
		cmp	ds:dword_7051D8, 0
		jnz	short loc_AD651A
		mov	ds:dword_7051D8, 1000h

loc_AD651A:				; CODE XREF: MiInitializeBootProcess+52j
		mov	eax, large fs:124h
		mov	esi, [eax+80h]
		mov	dword ptr [esi+27Ch], 32h
		mov	dword ptr [esi+290h], 1C2h
		call	MiInitializeBootPageDirectoryPages
		test	eax, eax
		js	loc_AD65FF
		mov	ecx, ds:0C0603018h
		xor	edi, edi
		mov	eax, ds:0C060301Ch
		mov	edx, esi
		shrd	ecx, eax, 0Ch
		push	edi
		and	ecx, 1FFFFFFh
		imul	ecx, 1Ch
		add	ecx, ds:_MmPfnDatabase
		mov	[ecx], edi
		call	_MiSetPageTablePfnBuddy@12 ; MiSetPageTablePfnBuddy(x,x,x)
		lea	eax, [esi+0FCh]
		mov	ecx, 40000h
		lock or	[eax], ecx
		mov	ecx, 800h
		lock or	[eax], ecx
		lea	edx, [ebp+var_10]
		mov	ecx, offset dword_6D3540
		call	@KeAcquireInStackQueuedSpinLock@8 ; KeAcquireInStackQueuedSpinLock(x,x)
		mov	ecx, dword_6D060C
		lea	eax, [esi+340h]
		mov	edx, offset dword_6D0608
		cmp	[ecx], edx
		jnz	short loc_AD6603
		mov	[eax], edx
		mov	[eax+4], ecx
		mov	[ecx], eax
		test	ds:byte_70EFC6,	1
		mov	dword_6D060C, eax
		jnz	loc_AE91A8
		mov	eax, [ebp+var_10]
		test	eax, eax
		jnz	loc_AE91C0
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_10]
		xor	ecx, ecx
		lock cmpxchg [edx], ecx
		lea	ecx, [ebp+var_10]
		cmp	eax, ecx
		jnz	loc_AE91B8

loc_AD65E4:				; CODE XREF: MiInitializeBootProcess+12CF7j
					; MiInitializeBootProcess+12D10j
		mov	cl, [ebp+var_8]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		push	edi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], edi
		push	eax
		push	edi
		xor	edx, edx
		mov	ecx, esi
		call	MmInitializeProcessAddressSpace

loc_AD65FF:				; CODE XREF: MiInitializeBootProcess+85j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_AD6603:				; CODE XREF: MiInitializeBootProcess+EBj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
MiInitializeBootProcess	endp		; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeBootPageDirectoryPages proc	near ; CODE XREF: MiInitializeBootProcess+7Ep

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE91D1 SIZE 000000BA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		mov	eax, [eax+80h]
		mov	edi, 0C0603018h
		mov	[ebp+var_C], eax
		mov	ebx, [eax+194h]
		mov	edx, [edi]
		add	ebx, 18h
		nop
		mov	eax, ds:0C060301Ch
		sub	edi, ebx
		shrd	edx, eax, 0Ch
		mov	[ebp+var_4], edi
		and	edx, 1FFFFFFh
		xor	esi, esi
		mov	[ebp+var_8], edx

loc_AD664C:				; CODE XREF: MiInitializeBootPageDirectoryPages+83j
		sub	ebx, 8
		mov	ecx, [ebx]
		nop
		mov	eax, [ebx+4]
		xor	esi, esi
		shrd	ecx, eax, 0Ch
		push	280h
		and	ecx, 1FFFFFFh
		add	edi, ebx
		imul	eax, ecx, 1Ch
		push	edx
		mov	edx, edi
		add	eax, ds:_MmPfnDatabase
		mov	[eax+14h], si
		mov	[eax], esi
		call	MiInitializePfnForOtherProcess
		mov	edx, [ebp+var_8]
		test	edi, 0FFFh
		mov	edi, [ebp+var_4]
		jnz	short loc_AD664C
		test	ds:_MiFlags, 0C00000h
		jz	loc_AD6787
		cmp	dword_6D07D0, 0C0000000h
		jnb	loc_AD6787
		mov	ecx, [ebp+var_C]
		lea	edi, [ebp+var_18]
		xor	eax, eax
		lea	edx, [ebp+var_18]
		stosd
		add	ecx, 240h
		push	esi
		stosd
		stosd
		call	_MiInitializePageColorBase@12 ;	MiInitializePageColorBase(x,x,x)
		xor	ebx, ebx
		mov	ecx, offset _MiSystemPartition
		push	esi
		inc	ebx
		push	esi
		mov	edx, ebx
		call	MiAcquireNonPagedResources
		test	eax, eax
		js	loc_AE91F5
		mov	edx, ebx
		mov	ecx, offset dword_6D35E0
		call	MiReservePtes
		mov	edi, eax
		test	edi, edi
		jz	loc_AE91D1
		mov	eax, [ebp+var_18]
		mov	ecx, ebx
		lock xadd [eax], ecx
		inc	ecx
		mov	ebx, [ebp+var_14]
		dec	ecx
		and	ebx, ecx
		mov	ecx, offset _MiSystemPartition
		or	ebx, [ebp+var_10]
		push	302h
		mov	edx, ebx
		call	MiGetPage
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		cmp	ecx, 0FFFFFFFFh
		jz	loc_AE91FF

loc_AD6728:				; CODE XREF: MiInitializeBootPageDirectoryPages+12C1Fj
		imul	eax, ecx, 1Ch
		mov	edx, 0C0603010h
		push	200h
		push	[ebp+var_8]
		add	eax, ds:_MmPfnDatabase
		mov	[eax], esi
		call	MiInitializePfnForOtherProcess
		mov	edx, [ebp+var_4]
		mov	ecx, edi
		push	80000004h
		mov	dword_6D0624, edx
		call	MiMakeValidPte
		mov	ecx, edi
		mov	[ebp+var_4], esi
		mov	ebx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jnz	loc_AE922C
		mov	ecx, esi

loc_AD6770:				; CODE XREF: MiInitializeBootPageDirectoryPages+12C37j
					; MiInitializeBootPageDirectoryPages+12C44j ...
		mov	[edi+4], edx
		nop
		mov	[edi], ebx
		test	ecx, ecx
		jnz	loc_AE927D

loc_AD677E:				; CODE XREF: MiInitializeBootPageDirectoryPages+12C7Ej
		shl	edi, 9
		mov	dword_6D0628, edi

loc_AD6787:				; CODE XREF: MiInitializeBootPageDirectoryPages+8Fj
					; MiInitializeBootPageDirectoryPages+9Fj
		xor	eax, eax

loc_AD6789:				; CODE XREF: MiInitializeBootPageDirectoryPages+12BF2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
MiInitializeBootPageDirectoryPages endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipHardwareConfigInit proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+518p

var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_211		= byte ptr -211h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE928B SIZE 0000024A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 25Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		or	[ebp+var_21C], 0FFFFFFFFh
		mov	ebx, ecx
		push	esi
		xor	ecx, ecx
		mov	[ebp+var_230], offset ??_C@_1DO@PGOAJPNE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		push	edi
		push	3Eh
		pop	eax
		push	3Ch
		mov	word ptr [ebp+var_234+2], ax
		xor	edx, edx
		pop	eax
		push	ecx
		push	ecx
		mov	word ptr [ebp+var_234],	ax
		lea	eax, [ebp+var_234]
		push	0F003Fh
		mov	[ebp+var_240], ecx
		mov	[ebp+var_23C], ecx
		mov	[ebp+var_250], ecx
		mov	[ebp+var_24C], ecx
		mov	[ebp+var_248], ecx
		mov	[ebp+var_238], ecx
		mov	[ebp+var_218], ecx
		mov	[ebp+var_22C], ecx
		mov	[ebp+var_244], ecx
		mov	[ebp+var_220], ecx
		mov	[ebp+var_258], ecx
		mov	[ebp+var_254], ecx
		mov	[ebp+var_228], ecx
		mov	[ebp+var_224], ecx
		lea	ecx, [ebp+var_244]
		push	eax
		call	IopCreateRegistryKeyEx
		test	eax, eax
		js	loc_AE928B
		mov	edi, [ebp+var_244]

loc_AD684C:				; CODE XREF: PipHardwareConfigInit+12AFFj
		push	1Ah
		pop	eax
		push	18h
		pop	ecx
		test	edi, edi
		jz	short loc_AD687B
		mov	word ptr [ebp+var_234+2], ax
		lea	eax, [ebp+var_234]
		push	eax
		push	edi
		mov	word ptr [ebp+var_234],	cx
		mov	[ebp+var_230], offset ??_C@_1BK@CGJOHCEH@?$AAR?$AAe?$AAs?$AAp?$AAe?$AAc?$AAi?$AAa?$AAl?$AAi?$AAz?$AAe@PBOPGDP@ ; "R"
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)

loc_AD687B:				; CODE XREF: PipHardwareConfigInit+C6j
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_22C]
		push	eax
		push	0Fh
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD6B4D
		push	offset _PnpCurrentHardwareConfigurationGuidString
		push	ebx
		call	_RtlStringFromGUID@8 ; RtlStringFromGUID(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD6B4D
		push	16h
		pop	eax
		push	14h
		mov	word ptr [ebp+var_228+2], ax
		pop	eax
		mov	word ptr [ebp+var_228],	ax
		movzx	eax, _PnpCurrentHardwareConfigurationGuidString
		add	eax, 2
		mov	[ebp+var_224], offset ??_C@_1BG@CNBOIILD@?$AAL?$AAa?$AAs?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@PBOPGDP@ ; "LastConfig"
		push	eax
		push	dword_6FD4AC
		lea	eax, [ebp+var_228]
		push	1
		push	0
		push	eax
		push	[ebp+var_22C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD6B4D
		mov	edx, [ebp+var_22C]
		lea	eax, [ebp+var_248]
		push	eax
		push	0
		push	0F003Fh
		push	offset _PnpCurrentHardwareConfigurationGuidString
		lea	ecx, [ebp+var_218]
		call	IopCreateRegistryKeyEx
		mov	ebx, [ebp+var_218]
		mov	esi, eax
		test	esi, esi
		js	loc_AD6B33
		lea	eax, [ebp+var_220]
		mov	edx, offset ??_C@_15NCCOGFKM@?$AAI?$AAd@PBOPGDP@
		push	eax
		push	0
		mov	ecx, ebx
		call	IopGetRegistryValue
		mov	[ebp+var_218], eax
		mov	esi, 0C0000001h
		push	4
		pop	edx
		test	eax, eax
		js	loc_AE929D
		mov	ecx, [ebp+var_220]
		cmp	[ecx+4], edx
		jnz	loc_AE9292
		cmp	[ecx+0Ch], edx
		jnz	loc_AE9292
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	[ebp+var_21C], eax

loc_AD6981:				; CODE XREF: PipHardwareConfigInit+12B0Aj
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+var_218], 0
		jl	loc_AE929D

loc_AD6996:				; CODE XREF: PipHardwareConfigInit+12C1Dj
		mov	eax, [ebp+var_21C]
		lea	edx, [ebp+var_240]
		mov	_PnpCurrentHardwareConfigurationIndex, eax
		lea	ecx, [ebp+var_258]
		lea	eax, [ebp+var_250]
		push	eax
		call	KeQueryBootTimeValues
		mov	eax, [ebp+var_250]
		sub	[ebp+var_240], eax
		mov	eax, [ebp+var_24C]
		sbb	[ebp+var_23C], eax
		push	10h
		pop	esi
		push	0Eh
		pop	eax
		push	8
		mov	word ptr [ebp+var_228],	ax
		lea	eax, [ebp+var_240]
		push	eax
		push	3
		push	0
		lea	eax, [ebp+var_228]
		mov	word ptr [ebp+var_228+2], si
		push	eax
		push	ebx
		mov	[ebp+var_224], offset ??_C@_1BA@LLDEAMNN@?$AAL?$AAa?$AAs?$AAt?$AAU?$AAs?$AAe@PBOPGDP@ ;	"LastUse"
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	edx, [ebp+var_22C]
		lea	ecx, [ebp+var_238]
		push	0Eh
		pop	eax
		push	0
		push	3
		mov	word ptr [ebp+var_228],	ax
		lea	eax, [ebp+var_228]
		push	0F003Fh
		push	eax
		mov	word ptr [ebp+var_228+2], si
		mov	[ebp+var_224], offset ??_C@_1BA@OFLJGHK@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@PBOPGDP@
		call	IopCreateRegistryKeyEx
		mov	esi, eax
		test	esi, esi
		js	loc_AD6B33
		lea	eax, [ebp+var_218]
		mov	[ebp+var_218], 104h
		push	eax
		lea	eax, [ebp+var_210]
		mov	edx, ebx
		push	eax
		call	__PnpCtxRegQueryKeyPathName@16 ; _PnpCtxRegQueryKeyPathName(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD6B33
		mov	eax, [ebp+var_218]
		lea	eax, ds:0FFFFFFFEh[eax*2]
		push	eax
		lea	eax, [ebp+var_210]
		push	eax
		push	6
		pop	eax
		push	eax
		push	0
		push	offset _CmSymbolicLinkValueName
		push	[ebp+var_238]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD6B33
		cmp	_InitSafeBootMode, 0
		jnz	loc_AE93E6
		lea	eax, [ebp+var_220]
		mov	edx, offset ??_C@_1M@PNBPANGG@?$AAR?$AAe?$AAs?$AAe?$AAt@PBOPGDP@ ; "Reset"
		push	eax
		push	0
		mov	ecx, ebx
		call	IopGetRegistryValue
		test	eax, eax
		jns	loc_AE93B0
		xor	eax, eax

loc_AD6AD9:				; CODE XREF: PipHardwareConfigInit+12C53j
		test	eax, eax
		jnz	loc_AE93E6

loc_AD6AE1:				; CODE XREF: PipHardwareConfigInit+12C65j
					; PipHardwareConfigInit+12C96j
		test	edi, edi
		jz	short loc_AD6B33
		cmp	[ebp+var_248], 1
		jz	loc_AE9496
		lea	eax, [ebp+var_220]
		mov	[ebp+var_211], 0
		push	eax
		push	0
		mov	edx, offset ??_C@_1CI@ICGFNELF@?$AAR?$AAe?$AAs?$AAp?$AAe?$AAc?$AAi?$AAa?$AAl?$AAi?$AAz?$AAe?$AAS?$AAt?$AAa@PBOPGDP@ ; "RespecializeStarted"
		mov	ecx, edi
		call	IopGetRegistryValue
		test	eax, eax
		jns	loc_AE9429

loc_AD6B16:				; CODE XREF: PipHardwareConfigInit+12CCDj
		lea	eax, [ebp+var_220]
		mov	edx, offset ??_C@_1BK@CGJOHCEH@?$AAR?$AAe?$AAs?$AAp?$AAe?$AAc?$AAi?$AAa?$AAl?$AAi?$AAz?$AAe@PBOPGDP@ ; "R"
		push	eax
		push	0
		mov	ecx, ebx
		call	IopGetRegistryValue
		test	eax, eax
		jns	loc_AE9460

loc_AD6B33:				; CODE XREF: PipHardwareConfigInit+19Ej
					; PipHardwareConfigInit+2BBj ...
		test	ebx, ebx
		jz	short loc_AD6B3D
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_AD6B3D:				; CODE XREF: PipHardwareConfigInit+3A7j
		mov	eax, [ebp+var_238]
		test	eax, eax
		jz	short loc_AD6B4D
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_AD6B4D:				; CODE XREF: PipHardwareConfigInit+106j
					; PipHardwareConfigInit+11Bj ...
		test	edi, edi
		jz	short loc_AD6B57
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_AD6B57:				; CODE XREF: PipHardwareConfigInit+3C1j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PipHardwareConfigInit endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpKeyedEventInitialization proc near	; CODE XREF: ExpInitSystemPhase1+FAp

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_58		= dword	ptr -58h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch

; FUNCTION CHUNK AT 00AD6D00 SIZE 000000E6 BYTES
; FUNCTION CHUNK AT 00AE94D5 SIZE 0000008A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0A4h
		push	ebx
		push	esi
		push	edi
		push	58h
		pop	esi
		xor	ebx, ebx
		lea	eax, [esp+0B0h+var_58]
		push	esi		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	[esp+0BCh+var_9C], ebx
		mov	[esp+0BCh+var_98], ebx
		call	_memset
		xor	eax, eax
		mov	[esp+0BCh+var_A4], ebx
		lea	edi, [esp+0BCh+var_6C]
		mov	[esp+0BCh+var_94], 20001h
		stosd
		add	esp, 0Ch
		mov	[esp+0B0h+var_90], 20002h
		mov	[esp+0B0h+var_8C], 20000h
		stosd
		push	offset ??_C@_1BG@ODBANIJN@?$AAK?$AAe?$AAy?$AAe?$AAd?$AAE?$AAv?$AAe?$AAn?$AAt@PBOPGDP@ ;	"KeyedEvent"
		stosd
		stosd
		stosd
		lea	eax, [esp+0B4h+var_9C]
		mov	edi, 0F0003h
		push	eax
		mov	[esp+0B8h+var_88], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	word ptr [esp+0B0h+var_58], si
		lea	eax, [esp+0B0h+var_58]
		mov	[esp+0B0h+var_3C], edi
		lea	esi, [esp+0B0h+var_94]
		mov	[esp+0B0h+var_50], ebx
		lea	edi, [esp+0B0h+var_4C]
		mov	[esp+0B0h+var_34], 1
		movsd
		push	offset _ExpKeyedEventObjectType
		push	ebx
		push	eax
		movsd
		lea	eax, [esp+0BCh+var_9C]
		push	eax
		movsd
		movsd
		or	byte ptr [esp+0C0h+var_58+2], 4
		mov	[esp+0C0h+var_30], ebx
		mov	[esp+0C0h+var_2C], ebx
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	short loc_AD6C31
		push	1
		lea	eax, [esp+0B4h+var_6C]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		jns	short loc_AD6C38

loc_AD6C31:				; CODE XREF: ExpKeyedEventInitialization+B7j
					; ExpKeyedEventInitialization+279j ...
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
; 

loc_AD6C38:				; CODE XREF: ExpKeyedEventInitialization+C7j
		mov	eax, _SeWorldSid
		push	ebx
		movzx	ecx, byte ptr [eax+1]
		mov	eax, ds:_SeAliasAdminsSid
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		mov	eax, _SeLocalSystemSid
		movzx	eax, byte ptr [eax+1]
		add	ecx, eax
		mov	eax, large fs:20h
		mov	eax, [eax+338h]
		lea	edi, ds:44h[ecx*4]
		xor	ecx, ecx
		mov	edx, edi
		inc	ecx
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	6C636144h
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jz	loc_AE94D5
		push	2		; int
		push	edi		; size_t
		push	esi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AE94E4
		push	_SeWorldSid
		push	20003h
		push	2
		push	esi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AE94E4
		push	ds:_SeAliasAdminsSid
		push	0F0003h
		push	2
		push	esi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AE94E4
		push	_SeLocalSystemSid
		push	0F0003h
		push	2
		push	esi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AE94E4
		jmp	loc_AE94F2
ExpKeyedEventInitialization endp

; 
; START	OF FUNCTION CHUNK FOR ExpKeyedEventInitialization

loc_AD6D00:				; CODE XREF: ExpKeyedEventInitialization+129DCj
		push	2		; int
		push	ebx		; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_AE954C
		push	1
		push	ecx
		push	_SeLowMandatorySid
		mov	ecx, edi
		push	0
		call	RtlAddMandatoryAce
		mov	ebx, eax
		test	ebx, ebx
		js	loc_AE954C
		push	0
		push	edi
		push	1
		lea	eax, [esp+0BCh+var_6C]
		push	eax
		call	_RtlSetSaclSecurityDescriptor@16 ; RtlSetSaclSecurityDescriptor(x,x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		js	loc_AE954C
		push	offset ??_C@_1EO@JIABBENN@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@PBOPGDP@
		lea	eax, [esp+0B4h+var_9C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+0B0h+var_9C]
		mov	[esp+0B0h+var_84], 18h
		mov	[esp+0B0h+var_7C], eax
		xor	ecx, ecx
		lea	eax, [esp+0B0h+var_6C]
		mov	[esp+0B0h+var_80], ecx
		mov	[esp+0B0h+var_74], eax
		lea	eax, [esp+0B0h+var_84]
		push	ecx
		push	eax
		push	0F0003h
		lea	eax, [esp+0BCh+var_A4]
		mov	[esp+0BCh+var_78], 10h
		push	eax
		mov	[esp+0C0h+var_70], ecx
		call	_ZwCreateKeyedEvent@16 ; ZwCreateKeyedEvent(x,x,x,x)
		mov	ecx, esi
		mov	ebx, eax
		call	ExFreeHeapPool
		mov	ecx, edi
		call	ExFreeHeapPool
		test	ebx, ebx
		js	short loc_AD6DDF
		mov	eax, ds:_ExpKeyedEventObjectType
		lea	ecx, [esp+0B0h+var_A0]
		xor	edx, edx
		push	edx
		push	ecx
		push	edx
		push	eax
		push	0F0003h
		push	[esp+0C4h+var_A4]
		mov	[esp+0C8h+var_A0], edx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		push	[esp+0B0h+var_A4]
		mov	ebx, eax
		mov	eax, [esp+0B4h+var_A0]
		mov	_ExpCritSecOutOfMemoryEvent, eax
		call	_ZwClose@4	; ZwClose(x)

loc_AD6DDF:				; CODE XREF: ExpKeyedEventInitialization+240j
					; ExpKeyedEventInitialization+129F2j
		mov	eax, ebx
		jmp	loc_AD6C31
; END OF FUNCTION CHUNK	FOR ExpKeyedEventInitialization

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiComputeMemoryNodeProcessorAssignments	proc near ; CODE XREF: MiZeroBootLargePages+35p

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE955F SIZE 0000013F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ecx
		xor	edx, edx
		mov	ecx, dword_6D06C4
		push	ebx
		mov	[ebp+var_14], ecx
		mov	ebx, edx
		xor	ecx, ecx
		mov	[ebp+var_10], eax
		push	esi
		push	edi
		cmp	cx, ds:_KeNumberNodes
		jnb	short loc_AD6E58
		mov	[ebp+var_C], ecx
		mov	esi, edx

loc_AD6E13:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments+68j
		mov	eax, [eax+10h]
		add	eax, ecx
		lea	edi, [eax+270h]
		add	eax, 264h
		push	edi
		push	eax
		push	esi
		call	_KeQueryNodeActiveAffinity@12 ;	KeQueryNodeActiveAffinity(x,x,x)
		xor	eax, eax
		cmp	[edi], ax
		jz	short loc_AD6E60

loc_AD6E32:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments+7Bj
		mov	ecx, [ebp+var_C]
		inc	esi
		movzx	edx, ds:_KeNumberNodes
		add	ecx, 280h
		mov	eax, [ebp+var_10]
		mov	[ebp+var_C], ecx
		mov	[ebp+var_20], edx
		cmp	esi, edx
		jb	short loc_AD6E13
		test	ebx, ebx
		jnz	loc_AE955F

loc_AD6E58:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments+26j
					; MiComputeMemoryNodeProcessorAssignments+12782j ...
		xor	eax, eax
		inc	eax

loc_AD6E5B:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments+128B3j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD6E60:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments+4Aj
		inc	ebx
		jmp	short loc_AD6E32
MiComputeMemoryNodeProcessorAssignments	endp

; 
		align 4

;  S U B	R O U T	I N E 


PoFxInitPowerManagement	proc near	; CODE XREF: PoInitSystem+49Bp

; FUNCTION CHUNK AT 00AE969E SIZE 0000000B BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	eax, offset _PopFxDeviceList
		mov	dword_6C39B8, offset _PopFxResidentTimeoutRoutine@4 ; PopFxResidentTimeoutRoutine(x)
		mov	dword_6C39A4, eax
		xor	esi, esi
		mov	_PopFxDeviceList, eax
		xor	ebx, ebx
		push	edi
		mov	eax, offset _PopFxAcpiDeviceList
		mov	_PopFxDeviceListLock, esi
		mov	dword_6C3984, eax
		inc	ebx
		mov	_PopFxAcpiDeviceList, eax
		mov	ecx, offset _PopFxPluginList
		mov	eax, offset _PopWorkOrderList
		mov	dword_6C3994, ecx
		push	ebx
		mov	dword_6C3B14, eax
		mov	_PopWorkOrderList, eax
		mov	eax, offset dword_6C39E4
		push	esi
		push	offset unk_6C39F4
		mov	_PopFxPluginList, ecx
		mov	_PopFxDeviceRegisterHead, ecx
		mov	_PopFxPluginLock, esi
		mov	_PopWorkOrderLock, esi
		mov	dword_6C39BC, esi
		mov	_PopFxResidentWorkItem,	esi
		mov	_PopFxBlockingDeviceListLock, esi
		mov	_PopFxUpdateDripsConstraintContext, esi
		mov	dword_6C39E8, eax
		mov	dword_6C39E4, eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	esi
		push	offset _PopFxResidentTimeoutDpcRoutine@16 ; PopFxResidentTimeoutDpcRoutine(x,x,x,x)
		push	offset _PopFxResidentDpc
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	ebx
		push	offset _PopFxResidentTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		imul	eax, _PopFxActiveIdleThreshold,	2710h
		cmp	_PopFxActiveIdleLevel, 3
		mov	_PopFxActiveIdleThreshold, eax
		jnb	loc_AE969E

loc_AD6F38:				; CODE XREF: PoFxInitPowerManagement+12840j
		push	6Fh		; size_t
		push	esi		; int
		push	offset byte_6C3AA1 ; void *
		mov	_PopFxGlobalDeviceAccountingLock, esi
		call	_memset
		mov	eax, _PopSleepStudyDeviceAccountingLevel
		add	esp, 0Ch
		mov	_PopFxGlobalDeviceAccountingInfo, bl
		mov	_PopFxDeviceAccountingLevel, eax
		cmp	_PopSleepStudyDisabled,	esi
		jnz	short loc_AD6FCE

loc_AD6F66:				; CODE XREF: PoFxInitPowerManagement+170j
		mov	eax, offset _SocSubsystemsList
		xor	edx, edx
		mov	ecx, offset _PopFxSystemWorkPool
		mov	dword_6C39CC, eax
		mov	_SocSubsystemsList, eax
		call	_PopFxInitializeWorkPool@8 ; PopFxInitializeWorkPool(x,x)
		call	_PopPepEntry@0	; PopPepEntry()
		xor	eax, eax
		mov	_PopFxDirectedPowerUpTimeoutMs,	esi
		mov	edi, offset _PopFxPlatformInterface
		stosd
		stosd
		stosd
		mov	eax, ds:_PopWatchdogResumeTimeout
		test	eax, eax
		jz	short loc_AD6FAD
		add	eax, 78h
		imul	eax, 3E8h
		mov	_PopFxDirectedPowerUpTimeoutMs,	eax

loc_AD6FAD:				; CODE XREF: PoFxInitPowerManagement+139j
		mov	eax, ds:_PopWatchdogSleepTimeout
		mov	_PopFxDirectedPowerDownTimeoutMs, esi
		test	eax, eax
		jz	short loc_AD6FCA
		add	eax, 78h
		imul	eax, 3E8h
		mov	_PopFxDirectedPowerDownTimeoutMs, eax

loc_AD6FCA:				; CODE XREF: PoFxInitPowerManagement+156j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_AD6FCE:				; CODE XREF: PoFxInitPowerManagement+100j
		mov	_PopFxDeviceAccountingLevel, esi
		jmp	short loc_AD6F66
PoFxInitPowerManagement	endp


;  S U B	R O U T	I N E 


; __stdcall PopPepEntry()
_PopPepEntry@0	proc near		; CODE XREF: PoFxInitPowerManagement+11Dp
		mov	edi, edi
		push	esi
		xor	esi, esi
		mov	dword_6C0968, offset _PopPepIdleTimeoutRoutine@4 ; PopPepIdleTimeoutRoutine(x)
		push	esi
		mov	eax, offset _PopPepDeviceList
		mov	_PopPepDeviceListLock, esi
		push	offset _PopPepIdleTimeoutDpcRoutine@16 ; PopPepIdleTimeoutDpcRoutine(x,x,x,x)
		push	offset _PopPepIdleDpc
		mov	dword_6C08CC, eax
		mov	_PopPepDeviceList, eax
		mov	dword_6C096C, esi
		mov	_PopPepIdleWorkItem, esi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	1
		push	offset _PopPepIdleTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		mov	_PopPepVetoMaskReadyLock, esi
		xor	eax, eax
		pop	esi
		retn
_PopPepEntry@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCreateRootDirectories()
_IopCreateRootDirectories@0 proc near	; CODE XREF: INIT:00AC2BEAp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	esi
		push	edi
		xor	esi, esi
		lea	eax, [ebp+var_C]
		push	offset ??_C@_1BA@DCJJIJNE@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@PBOPGDP@
		push	eax
		mov	[ebp+var_4], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		mov	[ebp+var_24], 18h
		mov	[ebp+var_1C], eax
		mov	edi, 0F000Fh
		lea	eax, [ebp+var_24]
		mov	[ebp+var_20], esi
		push	eax
		push	edi
		lea	eax, [ebp+var_4]
		mov	[ebp+var_18], 210h
		push	eax
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		call	_NtCreateDirectoryObject@12 ; NtCreateDirectoryObject(x,x,x)
		test	eax, eax
		js	short loc_AD70ED
		push	esi
		push	[ebp+var_4]
		call	ObCloseHandle
		push	offset ??_C@_1BI@CPDHNCDG@?$AA?2?$AAF?$AAi?$AAl?$AAe?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm@PBOPGDP@
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		lea	eax, [ebp+var_4]
		push	eax
		call	_NtCreateDirectoryObject@12 ; NtCreateDirectoryObject(x,x,x)
		test	eax, eax
		js	short loc_AD70ED
		push	esi
		push	[ebp+var_4]
		call	ObCloseHandle
		push	offset ??_C@_1CI@DCCGEKKC@?$AA?2?$AAF?$AAi?$AAl?$AAe?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAF?$AAi?$AAl@PBOPGDP@
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_24]
		push	eax
		push	edi
		lea	eax, [ebp+var_4]
		push	eax
		call	_NtCreateDirectoryObject@12 ; NtCreateDirectoryObject(x,x,x)
		test	eax, eax
		js	short loc_AD70ED
		push	esi
		push	[ebp+var_4]
		call	ObCloseHandle
		call	IopCreateUmdfDirectory
		test	eax, eax
		js	short loc_AD70ED
		mov	al, 1

loc_AD70E9:				; CODE XREF: IopCreateRootDirectories()+C3j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_AD70ED:				; CODE XREF: IopCreateRootDirectories()+55j
					; IopCreateRootDirectories()+7Ej ...
		xor	al, al
		jmp	short loc_AD70E9
_IopCreateRootDirectories@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopCreateUmdfDirectory proc near	; CODE XREF: IopCreateRootDirectories()+B2p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE96A9 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_C], 500h
		push	esi
		push	edi
		lea	edi, [ebp+var_2C]
		stosd
		push	6
		stosd
		stosd
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_10], eax
		mov	eax, ds:_SeExports
		mov	ebx, [eax+0E0h]
		mov	[ebp+var_8], ebx
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		xor	ecx, ecx
		mov	edx, eax
		inc	ecx
		call	IopVerifierExAllocatePool
		mov	edi, eax
		test	edi, edi
		jz	loc_AE96A9
		push	6
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD7269
		mov	dword ptr [edi+8], 50h
		mov	dword ptr [edi+0Ch], 9E1CA8F1h
		mov	dword ptr [edi+10h], 22B95BC1h
		mov	dword ptr [edi+14h], 6D66817Fh
		mov	dword ptr [edi+18h], 5027F559h
		movzx	ecx, byte ptr [edi+1]
		mov	dword ptr [edi+1Ch], 2CA91DC5h
		movzx	eax, byte ptr [ebx+1]
		add	ecx, eax
		lea	esi, ds:28h[ecx*4]
		xor	ecx, ecx
		mov	edx, esi
		inc	ecx
		call	IopVerifierExAllocatePool
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE96B3
		push	2		; int
		push	esi		; size_t
		push	ebx		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD7261
		push	[ebp+var_8]
		push	10000000h
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD7261
		push	edi
		push	10000000h
		push	2
		push	ebx
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD7261
		push	1
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD7261
		push	0
		push	ebx
		push	1
		lea	eax, [ebp+var_2C]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_AD7261
		push	offset ??_C@_1DA@DPBMJBPE@?$AA?2?$AAU?$AAM?$AAD?$AAF?$AAC?$AAo?$AAm?$AAm?$AAu?$AAn?$AAi?$AAc?$AAa?$AAt@PBOPGDP@	; "\\UMDFCommunicationPorts"
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		and	[ebp+var_40], 0
		lea	eax, [ebp+var_18]
		and	[ebp+var_30], 0
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_44]
		push	eax
		push	0F000Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_44], 18h
		push	eax
		mov	[ebp+var_38], 210h
		call	_NtCreateDirectoryObject@12 ; NtCreateDirectoryObject(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD7261
		push	0
		push	[ebp+var_4]
		call	ObCloseHandle

loc_AD7261:				; CODE XREF: IopCreateUmdfDirectory+C4j
					; IopCreateUmdfDirectory+DEj ...
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD7269:				; CODE XREF: IopCreateUmdfDirectory+62j
					; IopCreateUmdfDirectory+125C6j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD7271:				; CODE XREF: IopCreateUmdfDirectory+125BCj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
IopCreateUmdfDirectory endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpInitializeCallbacks()
_ExpInitializeCallbacks@0 proc near	; CODE XREF: ExpInitSystemPhase1+A8p

var_80		= dword	ptr -80h
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_64		= dword	ptr -64h
var_5C		= dword	ptr -5Ch
var_44		= dword	ptr -44h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		push	ebx
		push	esi
		mov	eax, offset _ExpCallbackListHead
		xor	ebx, ebx
		push	edi
		mov	dword_6BBD9C, eax
		mov	_ExpCallbackListHead, eax
		lea	eax, [ebp+var_C]
		push	offset ??_C@_1BC@HPKCMHLF@?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk@PBOPGDP@
		push	eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	_ExpCallbackListLock, ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_80]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	word ptr [ebp+var_80], si
		lea	edi, [ebp+var_74]
		mov	[ebp+var_78], 100h
		lea	eax, [ebp+var_80]
		mov	esi, offset _ExpCallbackMapping
		add	esp, 0Ch
		movsd
		push	offset _ExCallbackObjectType
		push	ebx
		push	eax
		movsd
		lea	eax, [ebp+var_C]
		push	eax
		movsd
		movsd
		or	byte ptr [ebp+var_80+2], 4
		mov	[ebp+var_44], offset _ExpDeleteCallback@4 ; ExpDeleteCallback(x)
		mov	[ebp+var_5C], 200h
		mov	[ebp+var_64], 1F0001h
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AD73D1
		push	offset _ExpWstrCallback	; "\\Callback"
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_C]
		mov	[ebp+var_24], 18h
		mov	[ebp+var_1C], eax
		mov	eax, ds:_SePublicDefaultSd
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_24]
		push	eax
		push	0F000Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_20], ebx
		push	eax
		mov	[ebp+var_18], 50h
		mov	[ebp+var_10], ebx
		call	_NtCreateDirectoryObject@12 ; NtCreateDirectoryObject(x,x,x)
		test	eax, eax
		js	short loc_AD73D1
		push	[ebp+var_4]
		call	NtClose
		push	ebx
		push	ebx
		push	offset _ExpCallbackEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	esi, ebx
		cmp	ds:_ExpInitializeCallback, ebx
		jz	short loc_AD73CA
		mov	eax, ebx
		mov	edi, offset _ExpInitializeCallback

loc_AD737B:				; CODE XREF: ExpInitializeCallbacks()+150j
		push	ds:off_A41574[eax]
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	eax, [ebp+var_C]
		mov	[ebp+var_24], 18h
		mov	[ebp+var_1C], eax
		lea	eax, [ebp+var_24]
		push	1
		push	eax
		push	dword ptr [edi]
		mov	[ebp+var_20], ebx
		mov	[ebp+var_18], 50h
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		call	_ExCreateCallback@16 ; ExCreateCallback(x,x,x,x)
		test	eax, eax
		js	short loc_AD73D1
		inc	esi
		mov	eax, esi
		shl	eax, 3
		lea	edi, _ExpInitializeCallback[eax]
		cmp	[edi], ebx
		jnz	short loc_AD737B

loc_AD73CA:				; CODE XREF: ExpInitializeCallbacks()+FAj
		mov	al, 1

loc_AD73CC:				; CODE XREF: ExpInitializeCallbacks()+15Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD73D1:				; CODE XREF: ExpInitializeCallbacks()+92j
					; ExpInitializeCallbacks()+DCj	...
		xor	al, al
		jmp	short loc_AD73CC
_ExpInitializeCallbacks@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall SepRmDbInitialization()
_SepRmDbInitialization@0 proc near	; CODE XREF: SepInitializationPhase0()+10p
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	4
		mov	esi, offset _SepRmDbLock
		pop	edi

loc_AD73E3:				; CODE XREF: SepRmDbInitialization()+19j
		push	esi
		call	ExInitializeResourceLite
		add	esi, 38h
		sub	edi, 1
		jnz	short loc_AD73E3
		push	offset _SepRmGlobalSaclLock
		call	ExInitializeResourceLite
		xor	ebx, ebx
		xor	eax, eax
		inc	eax
		mov	dword_6FC698, ebx
		push	ebx
		push	eax
		push	offset unk_6FC6A0
		mov	_SepRmNotifyMutex, eax
		mov	dword_6FC69C, ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	734C6553h
		push	40h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	ds:_SepLogonSessions, edi
		test	edi, edi
		jz	short loc_AD749C
		push	10h
		pop	ecx
		xor	eax, eax
		rep stosd
		mov	ecx, offset _SeSystemAuthenticationId
		call	SepCreateLogonSessionTrack
		test	eax, eax
		js	short loc_AD749C
		mov	ecx, offset _SeAnonymousAuthenticationId
		call	SepCreateLogonSessionTrack
		test	eax, eax
		js	short loc_AD749C
		push	78h		; size_t
		push	ebx		; int
		push	offset _SeAuditingState	; void *
		mov	_SepRmAuditingEnabled, ebx
		call	_memset
		add	esp, 0Ch
		mov	byte_6BE704, 1
		mov	_SepRmCapTableLock, ebx
		mov	_SepRmEnforceCap, bl
		call	SepBuildDefaultCap
		test	eax, eax
		js	short loc_AD749C
		mov	ds:dword_A94E30, 1
		mov	al, 1

loc_AD7498:				; CODE XREF: SepRmDbInitialization()+C8j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_AD749C:				; CODE XREF: SepRmDbInitialization()+5Fj
					; SepRmDbInitialization()+74j ...
		xor	al, al
		jmp	short loc_AD7498
_SepRmDbInitialization@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PipInitDeviceOverrideCache proc	near	; CODE XREF: IopInitializePlugPlayServices(x,x):loc_AC5026p

var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_23C		= dword	ptr -23Ch
var_220		= dword	ptr -220h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE96BD SIZE 00000053 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 264h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_250]
		push	30h		; size_t
		push	edi		; int
		push	eax		; void *
		mov	[ebp+var_254], edi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_25C], edi
		lea	eax, [ebp+var_264]
		mov	[ebp+var_258], edi
		xor	edx, edx
		mov	[ebp+var_264], 860084h
		lea	ecx, [ebp+var_254]
		mov	[ebp+var_260], offset ??_C@_1IG@GGMOEGCN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@	; "\\Registry\\Machine\\System\\CurrentControl"...
		push	20019h
		push	eax
		call	_IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	loc_AD75EE
		test	esi, esi
		js	loc_AD75F0
		lea	eax, [ebp+var_25C]
		push	eax
		push	30h
		lea	eax, [ebp+var_250]
		push	eax
		push	2
		push	[ebp+var_254]
		call	_ZwQueryKey@20	; ZwQueryKey(x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 80000005h
		jz	short loc_AD7550
		test	esi, esi
		js	loc_AD75F0

loc_AD7550:				; CODE XREF: PipInitDeviceOverrideCache+A6j
		cmp	[ebp+var_23C], edi
		jz	loc_AD75EE
		mov	ecx, edi

loc_AD755E:				; CODE XREF: PipInitDeviceOverrideCache+12223j
		mov	edx, ds:dword_4181B4[ecx]
		imul	eax, edx, 3
		cmp	[ebp+var_23C], eax
		jnb	loc_AE96BD
		mov	_PnpDeviceOverrideHashListSize,	edx

loc_AD7579:				; CODE XREF: PipInitDeviceOverrideCache+12229j
		mov	eax, _PnpDeviceOverrideHashListSize
		test	eax, eax
		jz	loc_AE96CE

loc_AD7586:				; CODE XREF: PipInitDeviceOverrideCache+12238j
		push	6E697050h
		shl	eax, 3
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_PnpDeviceOverrideHashList, eax
		test	eax, eax
		jz	loc_AE96DD
		mov	ecx, _PnpDeviceOverrideHashListSize
		test	ecx, ecx
		jz	short loc_AD75BA

loc_AD75AD:				; CODE XREF: PipInitDeviceOverrideCache+118j
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		sub	ecx, 1
		jnz	short loc_AD75AD

loc_AD75BA:				; CODE XREF: PipInitDeviceOverrideCache+10Bj
		mov	ebx, edi

loc_AD75BC:				; CODE XREF: PipInitDeviceOverrideCache+1FDj
		lea	eax, [ebp+var_25C]
		push	eax
		push	218h
		lea	eax, [ebp+var_220]
		push	eax
		push	edi
		push	ebx
		push	[ebp+var_254]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_AD7615
		cmp	esi, 8000001Ah
		jnz	loc_AE96ED

loc_AD75EE:				; CODE XREF: PipInitDeviceOverrideCache+73j
					; PipInitDeviceOverrideCache+B6j
		mov	esi, edi

loc_AD75F0:				; CODE XREF: PipInitDeviceOverrideCache+7Bj
					; PipInitDeviceOverrideCache+AAj ...
		cmp	[ebp+var_254], 0
		jz	short loc_AD7604
		push	[ebp+var_254]
		call	_ZwClose@4	; ZwClose(x)

loc_AD7604:				; CODE XREF: PipInitDeviceOverrideCache+157j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD7615:				; CODE XREF: PipInitDeviceOverrideCache+140j
		mov	eax, [ebp+var_214]
		cmp	eax, 200h
		ja	short loc_AD769C
		push	6E697050h
		shr	eax, 1
		xor	ecx, ecx
		push	10h
		push	1
		mov	word ptr [ebp+eax*2+var_210], cx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AE96E3
		lea	eax, [ebp+var_210]
		push	eax		; void *
		lea	esi, [edi+8]
		push	esi		; int
		call	RtlCreateUnicodeString
		test	al, al
		jz	loc_AE96FE
		lea	eax, [ebp+var_258]
		push	eax
		push	0
		push	1
		push	esi
		call	RtlHashUnicodeString
		test	eax, eax
		js	short loc_AD76A2
		mov	eax, [ebp+var_258]

loc_AD7679:				; CODE XREF: PipInitDeviceOverrideCache+20Aj
		xor	edx, edx
		div	_PnpDeviceOverrideHashListSize
		mov	eax, _PnpDeviceOverrideHashList
		lea	eax, [eax+edx*8]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_AD76AC
		mov	[edi], eax
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi
		xor	edi, edi

loc_AD769C:				; CODE XREF: PipInitDeviceOverrideCache+180j
					; PipInitDeviceOverrideCache+12259j
		inc	ebx
		jmp	loc_AD75BC
; 

loc_AD76A2:				; CODE XREF: PipInitDeviceOverrideCache+1D1j
		xor	eax, eax
		mov	[ebp+var_258], eax
		jmp	short loc_AD7679
; 

loc_AD76AC:				; CODE XREF: PipInitDeviceOverrideCache+1EEj
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display
		int	3		; Trap to Debugger

; __stdcall MiInitializeSharedUserData()
_MiInitializeSharedUserData@0:		; CODE XREF: MiInitSystem+267p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ds:_HvlpReferenceTscPage
		push	ebx
		push	esi
		push	edi		; struct _exception *
		xor	edi, edi
		mov	[ebp+var_20], 0FFDF0000h
		inc	edi
		mov	ebx, edi
		mov	[ebp+var_10], ebx
		test	eax, eax
		jnz	short loc_AD76DB
		call	off_6B1448	; MiIsSoftwareEnclave(x)

loc_AD76DB:				; CODE XREF: PipInitDeviceOverrideCache+233j
		xor	esi, esi
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	short loc_AD7759
		shr	eax, 9
		and	eax, offset loc_7FFFF8
		mov	[ebp+var_14], esi
		mov	ecx, [eax-40000000h]
		nop
		mov	edx, [eax-3FFFFFFCh]
		mov	eax, ecx
		and	eax, edi
		or	eax, esi
		jz	short loc_AD7759
		nop
		shrd	ecx, edx, 0Ch
		and	ecx, 1FFFFFFh
		cmp	ecx, dword_6D07B0
		ja	short loc_AD7759
		mov	eax, dword_6D35B8
		mov	edx, ecx
		shr	edx, 5
		and	ecx, 1Fh
		mov	eax, [eax+edx*4]
		shr	eax, cl
		and	eax, edi
		jz	short loc_AD7759
		push	2
		pop	ebx
		mov	ecx, edi
		mov	[ebp+var_10], ebx
		call	ExGenRandom
		mov	ecx, eax
		and	ecx, 0Fh
		mov	eax, ecx
		or	eax, esi
		jnz	short loc_AD774B
		push	0Fh
		pop	ecx
		mov	[ebp+var_24], esi

loc_AD774B:				; CODE XREF: PipInitDeviceOverrideCache+2A3j
		lea	eax, [ecx+7FFE0h]
		shl	eax, 0Ch
		mov	dword_6D0618, eax

loc_AD7759:				; CODE XREF: PipInitDeviceOverrideCache+242j
					; PipInitDeviceOverrideCache+262j ...
		push	esi
		mov	ecx, ebx
		mov	edx, 74536D4Dh
		shl	ecx, 3
		push	112h
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AD7883
		mov	ebx, esi
		mov	[ebp+var_C], esi

loc_AD777D:				; CODE XREF: PipInitDeviceOverrideCache+3DAj
		mov	ecx, [ebp+ebx*4+var_20]
		shr	ecx, 9
		and	ecx, offset loc_7FFFF8
		sub	ecx, 40000000h
		mov	edx, [ecx]
		nop
		mov	eax, [ecx+4]
		shrd	edx, eax, 0Ch
		push	20000001h
		and	edx, 1FFFFFFh
		mov	[ebp+var_14], edx
		call	MiMakeValidPte
		mov	esi, eax
		mov	[ebp+var_4], edx
		mov	[ebp+var_4], edx
		mov	ecx, edi
		and	[ebp+var_4], 0
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_AD780E
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_AD77F1
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	short loc_AD7811

loc_AD77DF:				; CODE XREF: PipInitDeviceOverrideCache+36Aj
		mov	eax, esi
		and	eax, 1
		or	eax, 0
		jz	short loc_AD7811
		or	edx, 80000000h
		jmp	short loc_AD7811
; 

loc_AD77F1:				; CODE XREF: PipInitDeviceOverrideCache+331j
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_4]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_AD77DF
		jmp	short loc_AD7811
; 

loc_AD780E:				; CODE XREF: PipInitDeviceOverrideCache+328j
		mov	ecx, [ebp+var_4]

loc_AD7811:				; CODE XREF: PipInitDeviceOverrideCache+33Dj
					; PipInitDeviceOverrideCache+347j ...
		mov	[edi+4], edx
		nop
		mov	[edi], esi
		test	ecx, ecx
		jz	short loc_AD7824
		push	edx
		push	esi
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_AD7824:				; CODE XREF: PipInitDeviceOverrideCache+379j
		imul	esi, [ebp+var_14], 1Ch
		mov	dword_6D0610[ebx*4], edi
		add	esi, ds:_MmPfnDatabase
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		push	0
		push	80h
		mov	bl, al
		call	_MiSwizzleInvalidPte@8 ; MiSwizzleInvalidPte(x,x)
		or	dword ptr [esi+18h], 80000000h
		lea	ecx, [esi+10h]
		mov	[esi+0Ch], edx
		mov	edx, 7FFFFFFFh
		mov	[esi+8], eax
		mov	[esi+4], edi
		lock and [ecx],	edx
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ebx, [ebp+var_C]
		add	edi, 8
		inc	ebx
		mov	[ebp+var_C], ebx
		cmp	ebx, [ebp+var_10]
		jb	loc_AD777D
		xor	eax, eax
		inc	eax

loc_AD7883:				; CODE XREF: PipInitDeviceOverrideCache+2D2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PipInitDeviceOverrideCache endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PspInitializeSystemPartitionPhase0 proc	near ; CODE XREF: PspInitPhase0+6E3p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE9710 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_4], offset ??_C@_1EA@MLJLEKJJ@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@PBOPGDP@
		lea	edi, [ebp+var_1C]
		stosd
		push	3Eh
		stosd
		stosd
		stosd
		stosd
		pop	eax
		push	40h
		mov	word ptr [ebp+var_8], ax
		pop	eax
		mov	word ptr [ebp+var_8+2],	ax
		lea	eax, [ebp+var_1C]
		push	1
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD795F
		mov	eax, ds:_SeAliasAdminsSid
		push	6C636144h
		movzx	eax, byte ptr [eax+1]
		lea	esi, ds:1Ch[eax*4]
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AE9710
		push	2		; int
		push	esi		; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		xor	ebx, ebx
		test	esi, esi
		js	short loc_AD7958
		push	ds:_SeAliasAdminsSid
		push	1F0003h
		push	2
		push	edi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD7958
		push	ebx
		push	edi
		push	1
		lea	eax, [ebp+var_1C]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	short loc_AD7958
		lea	eax, [ebp+var_8]
		mov	[ebp+var_34], 18h
		mov	[ebp+var_2C], eax
		lea	ecx, [ebp+var_34]
		sub	esp, 14h
		mov	[ebp+var_30], ebx
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_28], 200h
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], ebx
		call	PspAllocatePartition
		mov	esi, eax

loc_AD7958:				; CODE XREF: PspInitializeSystemPartitionPhase0+75j
					; PspInitializeSystemPartitionPhase0+8Ej ...
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD795F:				; CODE XREF: PspInitializeSystemPartitionPhase0+39j
					; PspInitializeSystemPartitionPhase0+11E8Dj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
PspInitializeSystemPartitionPhase0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

CreateSystemRootLink proc near		; CODE XREF: Phase1InitializationDiscard(x)+898p

var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= word ptr -208h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE971A SIZE 00000036 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 244h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_240]
		push	offset ??_C@_1BC@OAEIEHDI@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe@PBOPGDP@ ; "\\ArcName"
		push	eax
		mov	esi, ecx
		mov	[ebp+var_230], edi
		mov	[ebp+var_240], edi
		mov	[ebp+var_23C], edi
		mov	[ebp+var_238], edi
		mov	[ebp+var_234], edi
		mov	[ebp+var_22C], edi
		mov	[ebp+var_228], edi
		mov	[ebp+var_20C], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		lea	eax, [ebp+var_240]
		mov	[ebp+var_220], edi
		mov	[ebp+var_21C], eax
		mov	eax, ds:_SePublicDefaultUnrestrictedSd
		pop	ebx
		mov	[ebp+var_214], eax
		lea	eax, [ebp+var_224]
		push	eax
		push	0F000Fh
		lea	eax, [ebp+var_230]
		mov	[ebp+var_224], ebx
		push	eax
		mov	[ebp+var_218], 50h
		mov	[ebp+var_210], edi
		call	_NtCreateDirectoryObject@12 ; NtCreateDirectoryObject(x,x,x)
		test	eax, eax
		js	loc_AE971A
		push	[ebp+var_230]
		call	NtClose
		push	offset ??_C@_1BA@CCLAPIHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@PBOPGDP@	; "\\"
		lea	eax, [ebp+var_240]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_240]
		mov	[ebp+var_224], ebx
		mov	[ebp+var_21C], eax
		mov	eax, ds:_SePublicDefaultUnrestrictedSd
		mov	[ebp+var_214], eax
		lea	eax, [ebp+var_224]
		push	eax
		push	0F000Fh
		lea	eax, [ebp+var_230]
		mov	[ebp+var_220], edi
		push	eax
		mov	[ebp+var_218], 50h
		mov	[ebp+var_210], edi
		call	_NtCreateDirectoryObject@12 ; NtCreateDirectoryObject(x,x,x)
		test	eax, eax
		js	loc_AE972C
		push	[ebp+var_230]
		call	NtClose
		push	offset ??_C@_1CG@MNLGCLPO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAB?$AAo?$AAo?$AAt?$AAD?$AAe?$AAv@PBOPGDP@
		lea	eax, [ebp+var_238]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	dword ptr [esi+68h] ; char
		lea	eax, [ebp+var_238]
		mov	[ebp+var_224], ebx
		mov	[ebp+var_21C], eax
		mov	eax, ds:_SePublicDefaultUnrestrictedSd
		push	offset ??_C@_1BI@HJOIHDKL@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2?$AA?$CF?$AAS@PBOPGDP@	; "\\ArcName\\%S"
		mov	[ebp+var_214], eax
		lea	eax, [ebp+var_208]
		push	200h		; int
		push	eax		; wchar_t *
		mov	[ebp+var_220], edi
		mov	[ebp+var_218], 50h
		mov	[ebp+var_210], edi
		call	_RtlStringCbPrintfW
		add	esp, 10h
		test	eax, eax
		js	loc_AE9732
		lea	eax, [ebp+var_208]
		push	eax
		lea	eax, [ebp+var_22C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_22C]
		push	eax
		lea	eax, [ebp+var_224]
		push	eax
		push	0F0001h
		lea	eax, [ebp+var_20C]
		push	eax
		call	NtCreateSymbolicLinkObject
		test	eax, eax
		js	loc_AE9738
		push	[ebp+var_20C]
		call	NtClose
		push	offset ??_C@_1BI@OMNCDEIM@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt@PBOPGDP@ ; "\\SystemRoot"
		lea	eax, [ebp+var_238]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	dword ptr [esi+70h]
		lea	eax, [ebp+var_238]
		mov	[ebp+var_224], ebx
		push	offset ??_C@_1CG@MNLGCLPO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAB?$AAo?$AAo?$AAt?$AAD?$AAe?$AAv@PBOPGDP@ ; char
		mov	[ebp+var_21C], eax
		mov	eax, ds:_SePublicDefaultUnrestrictedSd
		push	offset ??_C@_19BJAHPNKH@?$AA?$CF?$AAs?$AA?$CF?$AAS@PBOPGDP@ ; "%s%S"
		mov	[ebp+var_214], eax
		lea	eax, [ebp+var_208]
		push	200h		; int
		push	eax		; wchar_t *
		mov	[ebp+var_220], edi
		mov	[ebp+var_218], 50h
		mov	[ebp+var_210], edi
		call	_RtlStringCbPrintfW
		add	esp, 14h
		test	eax, eax
		js	loc_AE973E
		lea	eax, [ebp+var_208]
		push	eax
		lea	eax, [ebp+var_22C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, 0FFFEh
		add	word ptr [ebp+var_22C],	ax
		lea	eax, [ebp+var_22C]
		push	eax
		lea	eax, [ebp+var_224]
		push	eax
		push	0F0001h
		lea	eax, [ebp+var_20C]
		push	eax
		call	NtCreateSymbolicLinkObject
		test	eax, eax
		js	loc_AE9744
		push	[ebp+var_20C]
		call	NtClose
		push	offset ??_C@_1CK@JIMDGDFN@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAO?$AAS?$AAD?$AAa?$AAt?$AAa?$AAD@PBOPGDP@ ; "\\"
		lea	eax, [ebp+var_238]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_238]
		mov	[ebp+var_224], ebx
		mov	[ebp+var_21C], eax
		mov	eax, ds:_SePublicDefaultUnrestrictedSd
		mov	[ebp+var_214], eax
		mov	eax, [esi+0C0h]
		mov	[ebp+var_220], edi
		mov	[ebp+var_218], 50h
		mov	[ebp+var_210], edi
		test	eax, eax
		jnz	short loc_AD7C4F
		mov	eax, [esi+68h]

loc_AD7C4F:				; CODE XREF: CreateSystemRootLink+2E4j
		push	eax		; char
		push	offset ??_C@_1BI@HJOIHDKL@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2?$AA?$CF?$AAS@PBOPGDP@	; "\\ArcName\\%S"
		lea	eax, [ebp+var_208]
		push	200h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		test	eax, eax
		js	loc_AE974A
		lea	eax, [ebp+var_208]
		push	eax
		lea	eax, [ebp+var_22C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_22C]
		mov	esi, 0F0001h
		push	eax
		lea	eax, [ebp+var_224]
		push	eax
		push	esi
		lea	eax, [ebp+var_20C]
		push	eax
		call	NtCreateSymbolicLinkObject
		test	eax, eax
		js	loc_AD7D4B
		push	[ebp+var_20C]
		call	NtClose
		push	offset ??_C@_1BI@BNCMKGKH@?$AA?2?$AAO?$AAS?$AAD?$AAa?$AAt?$AAa?$AAR?$AAo?$AAo?$AAt@PBOPGDP@ ; "\\OSDataRoot"
		lea	eax, [ebp+var_238]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_238]
		mov	[ebp+var_224], ebx
		mov	[ebp+var_21C], eax
		mov	eax, ds:_SePublicDefaultUnrestrictedSd
		mov	[ebp+var_214], eax
		lea	eax, [ebp+var_22C]
		push	offset ??_C@_1CK@JIMDGDFN@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAO?$AAS?$AAD?$AAa?$AAt?$AAa?$AAD@PBOPGDP@ ; "\\"
		push	eax
		mov	[ebp+var_220], edi
		mov	[ebp+var_218], 50h
		mov	[ebp+var_210], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_22C]
		push	eax
		lea	eax, [ebp+var_224]
		push	eax
		push	esi
		lea	eax, [ebp+var_20C]
		push	eax
		call	NtCreateSymbolicLinkObject
		test	eax, eax
		js	loc_AE9720
		push	[ebp+var_20C]
		call	NtClose
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD7D4B:				; CODE XREF: CreateSystemRootLink+340j
		push	edi
		push	edi
		push	8
		jmp	loc_AE9724
CreateSystemRootLink endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopInitPlatformSettings	proc near	; CODE XREF: NtPowerInformation+1362p

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE9750 SIZE 0000007F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_18], 41435049h
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], 1
		xor	ebx, ebx
		mov	[ebp+var_10], 50434146h
		push	eax
		push	4Ch
		mov	[ebp+var_8], ebx
		mov	edi, ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_1C], ebx
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	loc_AD7E71
		push	206D654Dh
		push	[ebp+var_1C]
		xor	esi, esi
		inc	esi
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AE9750
		mov	dword ptr [edi], 41435049h
		mov	[edi+4], esi
		mov	dword ptr [edi+8], 50434146h
		mov	eax, [ebp+var_1C]
		add	eax, 0FFFFFFF0h
		mov	[edi+0Ch], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_1C]
		push	edi
		push	4Ch
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE9755
		cmp	byte ptr [edi+18h], 3
		jb	short loc_AD7E06
		movzx	eax, byte ptr [edi+3Dh]
		mov	ds:_PopFirmwarePlatformRole, eax

loc_AD7E06:				; CODE XREF: PopInitPlatformSettings+A7j
		call	off_6B1378	; KeIsCetCapable()
		test	al, al
		jnz	loc_AE9764

loc_AD7E14:				; CODE XREF: PopInitPlatformSettings+11A17j
		mov	eax, ds:_PopPlatformRoleOverride
		cmp	eax, 0FFFFFFFFh
		jnz	loc_AE9770

loc_AD7E22:				; CODE XREF: PopInitPlatformSettings+11A21j
		mov	eax, ds:_PopPlatformAoAcOverride
		cmp	eax, 0FFFFFFFFh
		jnz	loc_AE977A

loc_AD7E30:				; CODE XREF: PopInitPlatformSettings+11A2Fj
		test	byte ptr ds:_HvlpFlags,	2
		jnz	loc_AE9788

loc_AD7E3D:				; CODE XREF: PopInitPlatformSettings+11A3Bj
					; PopInitPlatformSettings+11A4Dj
		cmp	_PopPlatformAoAc, bl
		jnz	loc_AE97A6
		push	ebx		; int
		push	ebx		; void *
		push	20h
		pop	edx
		push	13h
		pop	ecx
		call	PopLogSleepDisabled

loc_AD7E56:				; CODE XREF: PopInitPlatformSettings+11A58j
					; PopInitPlatformSettings+11A64j ...
		mov	_PopPlatformAoAc, bl

loc_AD7E5C:				; CODE XREF: PopInitPlatformSettings+11A70j
		mov	eax, ds:_PopFirmwarePlatformRole
		test	eax, eax
		js	short loc_AD7E99
		cmp	eax, 9
		jge	short loc_AD7E99

loc_AD7E6A:				; CODE XREF: PopInitPlatformSettings+14Cj
		mov	_PopPlatformRole, eax
		mov	esi, ebx

loc_AD7E71:				; CODE XREF: PopInitPlatformSettings+50j
		test	esi, esi
		js	loc_AE9755
		test	edi, edi
		jz	short loc_AD7E88
		push	206D654Dh
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD7E88:				; CODE XREF: PopInitPlatformSettings+127j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD7E99:				; CODE XREF: PopInitPlatformSettings+10Fj
					; PopInitPlatformSettings+114j
		mov	eax, ebx
		mov	ds:_PopFirmwarePlatformRole, eax
		jmp	short loc_AD7E6A
PopInitPlatformSettings	endp


;  S U B	R O U T	I N E 


; __stdcall LpcInitSystem()
_LpcInitSystem@0 proc near		; CODE XREF: Phase1InitializationDiscard(x):loc_AC0FD1p
		mov	edi, edi
		push	ecx
		mov	ds:_LpcLegacyMaxMessageLength, 148h
		call	AlpcpInitSystem
		test	eax, eax
		js	short loc_AD7ECB
		mov	eax, ds:_AlpcPortObjectType
		mov	ds:_LpcPortObjectType, eax
		mov	ds:_LpcWaitablePortObjectType, eax
		mov	al, 1
		pop	ecx
		retn
; 

loc_AD7ECB:				; CODE XREF: LpcInitSystem()+14j
		xor	al, al
		pop	ecx
		retn
_LpcInitSystem@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall IopInitializeReserveIrps(x)
_IopInitializeReserveIrps@4 proc near	; CODE XREF: INIT:00AC297Cp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	byte_6CCE64, 2Ah
		push	edi
		push	edi
		mov	dl, 2Ah
		call	_IopAllocateIrpWithExtension@16	; IopAllocateIrpWithExtension(x,x,x,x)
		mov	_IopReserveIrps, eax
		test	eax, eax
		jz	loc_AD7FD1
		push	edi
		xor	ebx, ebx
		mov	dword_6CCDE4, edi
		inc	ebx
		push	ebx
		push	offset unk_6CCDE8
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		mov	dl, 2Ah
		call	_IopAllocateIrpWithExtension@16	; IopAllocateIrpWithExtension(x,x,x,x)
		mov	dword_6CCDF8, eax
		test	eax, eax
		jz	loc_AD7FD1
		push	edi
		push	ebx
		push	offset unk_6CCE00
		mov	dword_6CCDFC, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		mov	dl, 2Ah
		call	_IopAllocateIrpWithExtension@16	; IopAllocateIrpWithExtension(x,x,x,x)
		mov	dword_6CCE10, eax
		test	eax, eax
		jz	loc_AD7FD1
		push	edi
		push	ebx
		push	offset unk_6CCE18
		mov	dword_6CCE14, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	dword_6CCE60, edi
		mov	esi, edi

loc_AD7F61:				; CODE XREF: IopInitializeReserveIrps(x)+B9j
		push	edi
		push	edi
		mov	dl, 2Ah
		call	_IopAllocateIrpWithExtension@16	; IopAllocateIrpWithExtension(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	short loc_AD7FD1
		test	esi, esi
		jz	short loc_AD7FC1
		cmp	esi, ebx
		jz	short loc_AD7FC9
		mov	eax, dword_6CCE60
		mov	[ecx], eax
		mov	dword_6CCE60, ecx

loc_AD7F85:				; CODE XREF: IopInitializeReserveIrps(x)+F7j
					; IopInitializeReserveIrps(x)+FFj
		inc	esi
		cmp	esi, 8
		jb	short loc_AD7F61
		push	edi
		push	ebx
		push	offset unk_6CCE34
		mov	dword_6CCE2C, edi
		mov	dword_6CCE48, edi
		mov	dword_6CCE30, edi
		mov	dword_6CCE4C, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	ebx
		push	offset unk_6CCE50
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	al, bl

loc_AD7FBD:				; CODE XREF: IopInitializeReserveIrps(x)+103j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_AD7FC1:				; CODE XREF: IopInitializeReserveIrps(x)+A2j
		mov	dword_6CCE28, ecx
		jmp	short loc_AD7F85
; 

loc_AD7FC9:				; CODE XREF: IopInitializeReserveIrps(x)+A6j
		mov	dword_6CCE44, ecx
		jmp	short loc_AD7F85
; 

loc_AD7FD1:				; CODE XREF: IopInitializeReserveIrps(x)+1Ej
					; IopInitializeReserveIrps(x)+49j ...
		xor	al, al
		jmp	short loc_AD7FBD
_IopInitializeReserveIrps@4 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpTraceSystemInitialization proc near	; CODE XREF: EtwpInitialize+36Ep

var_2A0		= dword	ptr -2A0h
var_29C		= dword	ptr -29Ch
var_298		= dword	ptr -298h
var_294		= dword	ptr -294h
var_290		= dword	ptr -290h
var_28C		= dword	ptr -28Ch
var_284		= dword	ptr -284h
var_280		= dword	ptr -280h
var_27C		= dword	ptr -27Ch
var_278		= dword	ptr -278h
var_274		= dword	ptr -274h
var_270		= dword	ptr -270h
var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_259		= byte ptr -259h
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_144		= dword	ptr -144h
var_138		= dword	ptr -138h
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE97CF SIZE 00000132 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	118h		; size_t
		lea	eax, [ebp+var_254]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	eax, _NtBuildQfe
		add	esp, 0Ch
		mov	[ebp+var_264], eax
		mov	eax, _InitSafeBootMode
		mov	[ebp+var_268], eax
		lea	eax, [ebp+var_258]
		push	eax
		mov	[ebp+var_258], 11Ch
		call	RtlGetVersion
		test	eax, eax
		js	loc_AD8362
		mov	eax, ds:_KeLoaderBlock
		mov	esi, ds:_KeBootTime
		mov	edi, ds:dword_70E2EC
		mov	[ebp+var_298], esi
		mov	[ebp+var_294], edi
		mov	eax, [eax+84h]
		mov	eax, [eax+9D0h]
		and	eax, 8
		or	eax, 0
		jnz	loc_AE97CF
		xor	bl, bl

loc_AD806F:				; CODE XREF: EtwpTraceSystemInitialization+117FBj
		cmp	dword_6B2A40, 5
		jbe	loc_AE97D6
		push	8000h
		push	0
		mov	ecx, offset dword_6B2A40
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_AE97D6
		mov	eax, [ebp+var_254]
		xor	ecx, ecx
		mov	[ebp+var_26C], eax
		lea	eax, [ebp+var_26C]
		mov	[ebp+var_118], eax
		mov	eax, [ebp+var_250]
		mov	[ebp+var_270], eax
		lea	eax, [ebp+var_270]
		mov	[ebp+var_108], eax
		mov	eax, [ebp+var_24C]
		mov	[ebp+var_274], eax
		lea	eax, [ebp+var_274]
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_278]
		mov	[ebp+var_E8], eax
		mov	eax, [ebp+var_264]
		mov	[ebp+var_27C], eax
		lea	eax, [ebp+var_27C]
		mov	[ebp+var_D8], eax
		movzx	eax, word ptr [ebp+var_144]
		mov	[ebp+var_280], eax
		lea	eax, [ebp+var_280]
		mov	[ebp+var_C8], eax
		mov	eax, [ebp+var_268]
		mov	[ebp+var_284], eax
		lea	eax, [ebp+var_284]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_290]
		mov	[ebp+var_A8], eax
		mov	eax, dword_6D4D44
		mov	[ebp+var_260], eax
		lea	eax, [ebp+var_260]
		push	4
		pop	edx
		mov	[ebp+var_98], eax
		lea	eax, [ebp-259h]
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_138]
		push	eax
		push	0Ch
		mov	[ebp+var_259], bl
		xor	ebx, ebx
		push	ebx
		push	ebx
		push	(offset	loc_423813+4)
		push	offset dword_6B2A40
		mov	[ebp+var_114], ecx
		mov	[ebp+var_110], edx
		mov	[ebp+var_10C], ecx
		mov	[ebp+var_104], ecx
		mov	[ebp+var_100], edx
		mov	[ebp+var_FC], ecx
		mov	[ebp+var_F4], ecx
		mov	[ebp+var_F0], edx
		mov	[ebp+var_EC], ecx
		mov	[ebp+var_278], 1
		mov	[ebp+var_E4], ecx
		mov	[ebp+var_E0], edx
		mov	[ebp+var_DC], ecx
		mov	[ebp+var_D4], ecx
		mov	[ebp+var_D0], edx
		mov	[ebp+var_CC], ecx
		mov	[ebp+var_C4], ecx
		mov	[ebp+var_C0], 2
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_B0], edx
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_290], esi
		mov	[ebp+var_28C], edi
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_A0], 8
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_94], ecx
		mov	[ebp+var_90], edx
		mov	[ebp+var_8C], ecx
		mov	[ebp+var_84], ebx
		mov	[ebp+var_80], 1
		mov	[ebp+var_7C], ebx
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)

loc_AD8258:				; CODE XREF: EtwpTraceSystemInitialization+11802j
		mov	ecx, _EtwKernelProvRegHandle
		mov	eax, ecx
		mov	edx, dword_6BC12C
		or	eax, edx
		jz	loc_AD8362
		lea	eax, [ebp+var_254]
		mov	[ebp+var_74], ebx
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_250]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_24C]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_264]
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_144]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_268]
		push	4
		pop	esi
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_298]
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	7
		push	ebx
		push	offset _KernelSystemStart
		push	edx
		push	ecx
		mov	[ebp+var_70], esi
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], esi
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_30], 2
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], ebx
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], 8
		mov	[ebp+var_C], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		mov	esi, dword_6BC12C
		mov	edi, _EtwKernelProvRegHandle
		push	offset _BootPerformanceData
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jnz	loc_AE97DD

loc_AD832A:				; CODE XREF: EtwpTraceSystemInitialization+1182Ej
		mov	edi, ds:_KeLoaderBlock
		mov	esi, [edi+84h]
		test	dword ptr [esi+54h], 100h
		jnz	loc_AE9809
		mov	eax, [esi+0B0h]
		or	eax, [esi+0B4h]
		jnz	loc_AE9809

loc_AD8355:				; CODE XREF: EtwpTraceSystemInitialization+118A1j
		call	_ExIsSoftBoot@0	; ExIsSoftBoot()
		test	al, al
		jnz	loc_AE987C

loc_AD8362:				; CODE XREF: EtwpTraceSystemInitialization+5Cj
					; EtwpTraceSystemInitialization+292j ...
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
EtwpTraceSystemInitialization endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpLastGoodDoBootProcessing proc	near	; CODE XREF: INIT:00AC2F36p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE9901 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		xor	esi, esi
		lea	eax, [ebp+var_10]
		push	offset ??_C@_1CK@BMHMHDCI@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAL?$AAa?$AAs@PBOPGDP@
		push	eax
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1HA@JIFMKPBK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ ; "\\"
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1DC@HBEOHGCL@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAL?$AAa?$AAs@PBOPGDP@
		lea	eax, [ebp+var_20]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1HI@JJAPFIHO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		call	_CmIsLastKnownGoodBoot@0 ; CmIsLastKnownGoodBoot()
		test	al, al
		jnz	loc_AE9901
		cmp	_InitSafeBootMode, esi
		jnz	short loc_AD8405
		push	esi
		lea	edx, [ebp+var_20]
		lea	ecx, [ebp+var_10]
		call	IopFileUtilRename
		test	eax, eax
		jns	short loc_AD83F9
		cmp	eax, 0C0000034h
		jnz	short loc_AD8405

loc_AD83F9:				; CODE XREF: PpLastGoodDoBootProcessing+7Ej
		push	ecx
		lea	edx, [ebp+var_18]
		lea	ecx, [ebp+var_8]
		call	PiLastGoodCopyKeyContents

loc_AD8405:				; CODE XREF: PpLastGoodDoBootProcessing+6Ej
					; PpLastGoodDoBootProcessing+85j ...
		pop	esi
		leave
		retn
PpLastGoodDoBootProcessing endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiLastGoodCopyKeyContents proc near	; CODE XREF: PpLastGoodDoBootProcessing+8Ep

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8

; FUNCTION CHUNK AT 00AE991C SIZE 000000DA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	ebx, edx
		push	674C7050h
		push	418h
		push	1
		mov	esi, ecx
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_10], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_1C], eax
		mov	[ebp+var_18], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AD848E
		xor	eax, eax
		mov	[ebp+var_34], 18h
		mov	[ebp+var_30], eax
		mov	[ebp+var_24], eax
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_34]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_8]
		mov	[ebp+var_28], 240h
		push	eax
		mov	[ebp+var_2C], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	loc_AE991C

loc_AD847A:				; CODE XREF: PiLastGoodCopyKeyContents+115E9j
		push	674C7050h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, esi

loc_AD8487:				; CODE XREF: PiLastGoodCopyKeyContents+8Bj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_AD848E:				; CODE XREF: PiLastGoodCopyKeyContents+38j
		mov	eax, 0C000009Ah
		jmp	short loc_AD8487
PiLastGoodCopyKeyContents endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopFileUtilRename proc near		; CODE XREF: PpLastGoodDoBootProcessing+77p
					; PiLastGoodRevertCopyCallback(x,x,x,x)+8Fp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= byte ptr  8

; FUNCTION CHUNK AT 00AE99F6 SIZE 0000004E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 2Ch
		push	ebx
		push	esi
		xor	eax, eax
		mov	[esp+34h+var_24], ecx
		mov	esi, edx
		mov	[esp+34h+var_28], eax
		push	edi
		mov	[esp+38h+var_20], eax
		mov	[esp+38h+var_1C], eax
		movzx	eax, word ptr [esi]
		push	75466F49h
		add	eax, 10h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AD853F
		mov	bl, [ebp+arg_0]
		test	bl, bl
		jnz	short loc_AD8546

loc_AD84D8:				; CODE XREF: IopFileUtilRename+B7j
		mov	eax, [esp+38h+var_24]
		xor	ecx, ecx
		push	204022h
		mov	[esp+3Ch+var_10], eax
		lea	eax, [esp+3Ch+var_20]
		push	7
		push	eax
		lea	eax, [esp+44h+var_18]
		mov	[esp+44h+var_18], 18h
		push	eax
		push	110080h
		lea	eax, [esp+4Ch+var_28]
		mov	[esp+4Ch+var_14], ecx
		push	eax
		mov	[esp+50h+var_C], 240h
		mov	[esp+50h+var_8], ecx
		mov	[esp+50h+var_4], ecx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	[esp+38h+var_24], eax
		test	eax, eax
		jns	loc_AE99F6
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [esp+38h+var_24]

loc_AD8536:				; CODE XREF: IopFileUtilRename+AEj
					; IopFileUtilRename+115A9j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	4
; 

loc_AD853F:				; CODE XREF: IopFileUtilRename+39j
		mov	eax, 0C000009Ah
		jmp	short loc_AD8536
; 

loc_AD8546:				; CODE XREF: IopFileUtilRename+40j
		mov	ecx, esi
		call	_IopFileUtilClearAttributes@8 ;	IopFileUtilClearAttributes(x,x)
		jmp	short loc_AD84D8
IopFileUtilRename endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmIsLastKnownGoodBoot()
_CmIsLastKnownGoodBoot@0 proc near	; CODE XREF: PpLastGoodDoBootProcessing+5Bp

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		xor	esi, esi
		mov	[ebp+var_70], offset ??_C@_1BA@OFLJGHK@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@PBOPGDP@
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_84], esi
		mov	[ebp+var_6C], eax
		mov	edx, 120h
		mov	[ebp+var_64], eax
		mov	ecx, 4000004h
		lea	eax, [ebp+var_80]
		mov	[ebp+var_7C], esi
		mov	[ebp+var_50], eax
		mov	[ebp+var_48], eax
		lea	eax, [ebp+var_84]
		push	esi
		push	esi
		mov	[ebp+var_34], eax
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	(offset	loc_ADD127+1)
		push	esi
		mov	[ebp+var_80], esi
		mov	[ebp+var_78], esi
		mov	[ebp+var_74], edx
		mov	[ebp+var_68], ecx
		mov	[ebp+var_60], esi
		mov	[ebp+var_5C], esi
		mov	[ebp+var_58], edx
		mov	[ebp+var_54], offset ??_C@_1BM@MFCPMGNM@?$AAL?$AAa?$AAs?$AAt?$AAK?$AAn?$AAo?$AAw?$AAn?$AAG?$AAo?$AAo?$AAd@PBOPGDP@
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], esi
		mov	[ebp+var_3C], edx
		mov	[ebp+var_38], (offset loc_ADD117+1)
		mov	[ebp+var_30], ecx
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		call	_RtlQueryRegistryValuesEx@20 ; RtlQueryRegistryValuesEx(x,x,x,x,x)
		test	eax, eax
		js	short loc_AD860A
		mov	eax, [ebp+var_7C]
		cmp	eax, [ebp+var_84]
		jnz	short loc_AD8619

loc_AD860A:				; CODE XREF: CmIsLastKnownGoodBoot()+ADj
					; CmIsLastKnownGoodBoot()+CCj
		xor	al, al

loc_AD860C:				; CODE XREF: CmIsLastKnownGoodBoot()+D0j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD8619:				; CODE XREF: CmIsLastKnownGoodBoot()+B8j
		cmp	[ebp+var_80], eax
		jnz	short loc_AD860A
		mov	al, 1
		jmp	short loc_AD860C
_CmIsLastKnownGoodBoot@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PnpLoadBootFilterDriver	proc near	; CODE XREF: PipCallDriverAddDeviceQueryRoutine+253p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00AE9A44 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ebp+arg_4]
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		mov	[eax], ecx
		mov	edi, 0C0000001h
		mov	eax, _IopGroupTable
		mov	[ebp+var_8], edx
		mov	[ebp+var_4], ecx
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], ecx
		test	eax, eax
		jz	loc_AD8720
		mov	ebx, [ebp+arg_0]
		cmp	ebx, _IopGroupIndex
		jnb	loc_AD8720
		mov	edx, ecx
		test	ebx, ebx
		jz	short loc_AD8683

loc_AD8667:				; CODE XREF: PnpLoadBootFilterDriver+5Fj
		mov	ecx, [eax]

loc_AD8669:				; CODE XREF: PnpLoadBootFilterDriver+57j
		cmp	ecx, eax
		jz	short loc_AD867B
		cmp	byte ptr [ecx+1Bh], 0
		jz	loc_AD8720
		mov	ecx, [ecx]
		jmp	short loc_AD8669
; 

loc_AD867B:				; CODE XREF: PnpLoadBootFilterDriver+49j
		inc	edx
		add	eax, 8
		cmp	edx, ebx
		jb	short loc_AD8667

loc_AD8683:				; CODE XREF: PnpLoadBootFilterDriver+43j
		lfence	eax
		mov	eax, _IopGroupTable
		lea	eax, [eax+ebx*8]
		mov	esi, [eax]

loc_AD8690:				; CODE XREF: PnpLoadBootFilterDriver+11436j
		cmp	esi, eax
		jz	loc_AD8720
		mov	ecx, [esi+10h]
		lea	edx, [ebp+var_10]
		call	IopGetDriverNameFromKeyNode
		test	eax, eax
		js	loc_AE9A4E
		push	1
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_8]
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	loc_AE9A44
		cmp	byte ptr [esi+1Bh], 0
		jnz	loc_AE9A5D
		mov	edx, [esi+0Ch]
		lea	eax, [ebp+var_4]
		push	eax
		mov	eax, ds:_KeLoaderBlock
		add	eax, 10h
		mov	ecx, [edx+18h]
		add	edx, 10h
		push	ecx
		push	1
		push	1
		push	eax
		push	ecx
		push	dword ptr [ecx+1Ch]
		lea	ecx, [ebp+var_10]
		call	PnpInitializeBootStartDriver
		mov	ebx, [ebp+var_4]
		mov	edi, eax
		mov	[esi+14h], edi
		mov	[esi+8], ebx
		mov	byte ptr [esi+1Bh], 1
		test	ebx, ebx
		jz	short loc_AD8729
		mov	edx, 746C6644h
		mov	ecx, ebx
		call	ObfReferenceObjectWithTag
		mov	eax, [ebp+arg_4]
		mov	[eax], ebx

loc_AD8716:				; CODE XREF: PnpLoadBootFilterDriver+10Bj
					; PnpLoadBootFilterDriver+11440j ...
		push	0
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD8720:				; CODE XREF: PnpLoadBootFilterDriver+2Aj
					; PnpLoadBootFilterDriver+39j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
; 

loc_AD8729:				; CODE XREF: PnpLoadBootFilterDriver+E1j
		mov	byte ptr [esi+1Ah], 1
		jmp	short loc_AD8716
PnpLoadBootFilterDriver	endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopBatteryInitPhaseTwo()
_PopBatteryInitPhaseTwo@0 proc near	; CODE XREF: PoInitSystem+5D3p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		sub	esp, 10h
		mov	edx, offset _WeakChargerChargeDropMilliPercent
		mov	ecx, offset ??_C@_1EK@LILFEBPG@?$AAC?$AAh?$AAa?$AAr?$AAg?$AAe?$AAr?$AAW?$AAe?$AAa?$AAk?$AAD?$AAe?$AAt?$AAe@PBOPGDP@ ; "ChargerWeakDetectionThresholdPercent"
		call	PopReadUlongPowerKey
		imul	eax, _WeakChargerChargeDropMilliPercent, 3E8h
		sub	esp, 10h
		mov	edx, offset _BatteryChargeTrajectoryThresholdMilliPercent
		mov	ecx, offset ??_C@_1FA@KIMILAJ@?$AAB?$AAa?$AAt?$AAt?$AAe?$AAr?$AAy?$AAC?$AAh?$AAa?$AAr?$AAg?$AAe?$AAT?$AAr@PBOPGDP@ ; "B"
		mov	_WeakChargerChargeDropMilliPercent, eax
		call	PopReadUlongPowerKey
		imul	eax, _BatteryChargeTrajectoryThresholdMilliPercent, 3E8h
		push	offset _PopBatteryEtwHandle
		push	0
		push	offset _PopBatteryEtwCallback@36 ; PopBatteryEtwCallback(x,x,x,x,x,x,x,x,x)
		push	offset _BATTERY_ETW_PROVIDER
		mov	_BatteryChargeTrajectoryThresholdMilliPercent, eax
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		test	eax, eax
		js	short locret_AD87B3
		push	0
		push	offset _PopUsbErrorWNFNotificationCallback@24 ;	PopUsbErrorWNFNotificationCallback(x,x,x,x,x,x)
		push	0
		push	1
		push	offset _WNF_USB_ERROR_NOTIFICATION
		lea	eax, [ebp+var_4]
		mov	_PopBatteryEtwRegistered, 1
		push	eax
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)

locret_AD87B3:				; CODE XREF: PopBatteryInitPhaseTwo()+61j
		leave
		retn
_PopBatteryInitPhaseTwo@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCallBootDriverReinitializationRoutines()
_IopCallBootDriverReinitializationRoutines@0 proc near
					; CODE XREF: IopInitializeBootDrivers+411p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		push	ebx
		push	esi
		push	0
		xor	edx, edx
		mov	ecx, offset _KMPnPEvt_BootDriverReinit_Start
		xor	bl, bl
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)

loc_AD87D0:				; CODE XREF: IopCallBootDriverReinitializationRoutines()+61j
		mov	ecx, offset _IopBootDriverReinitializeQueueHead
		call	IopInterlockedRemoveHeadList
		mov	esi, eax
		test	esi, esi
		jz	short loc_AD8819
		mov	eax, [esi+8]
		mov	bl, 1
		mov	eax, [eax+18h]
		inc	dword ptr [eax+8]
		mov	eax, [esi+8]
		and	dword ptr [eax+8], 0FFFFFFDFh
		mov	ecx, [esi+8]
		mov	eax, [ecx+18h]
		push	dword ptr [eax+8]
		push	dword ptr [esi+10h]
		push	ecx
		call	dword ptr [esi+0Ch]
		mov	ecx, [esi+8]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_AD87D0
; 

loc_AD8819:				; CODE XREF: IopCallBootDriverReinitializationRoutines()+28j
		push	0
		xor	edx, edx
		mov	_IopBootDriverReinitCompleted, 1
		mov	ecx, offset _KMPnPEvt_BootDriverReinit_Stop
		call	_PnpDiagnosticTrace@12 ; PnpDiagnosticTrace(x,x,x)
		pop	esi
		mov	al, bl
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_IopCallBootDriverReinitializationRoutines@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WheapLoadPolicy	proc near		; CODE XREF: INIT:00AC41CAp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE9A6F SIZE 0000016A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		xor	eax, eax
		push	edi
		mov	[ebp+var_8], eax
		or	edi, 0FFFFFFFFh
		mov	[ebp+var_4], eax
		mov	[ebp+var_C], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		mov	eax, _WheaRegPolicyDisableOffline
		cmp	eax, edi
		jnz	loc_AE9A6F

loc_AD8860:				; CODE XREF: WheapLoadPolicy+11242j
		mov	eax, _WheaRegPolicyMemPersistOffline
		cmp	eax, edi
		jnz	loc_AE9A7D
		push	offset ??_C@_1EE@CNAJKBAK@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAP?$AAe?$AAr?$AAs?$AAi?$AAs?$AAt?$AAD@PBOPGDP@	; "Kernel-PersistDefectiveMemoryList"
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	4
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		test	eax, eax
		js	short loc_AD88AD
		cmp	[ebp+var_4], 4
		jnz	short loc_AD88AD
		cmp	[ebp+var_8], 4
		jnz	short loc_AD88AD
		cmp	[ebp+var_C], 0

loc_AD88A6:				; CODE XREF: WheapLoadPolicy+11249j
		setnz	_WheapPolicyMemPersistOffline

loc_AD88AD:				; CODE XREF: WheapLoadPolicy+5Ej
					; WheapLoadPolicy+64j ...
		mov	eax, _WheaRegPolicyMemPfaDisable
		cmp	eax, edi
		jnz	loc_AE9A84

loc_AD88BA:				; CODE XREF: WheapLoadPolicy+11257j
		mov	ecx, _WheaRegPolicyMemPfaPageCount
		mov	edx, 0FFFFh
		lea	eax, [ecx-1]
		cmp	eax, edx
		jbe	loc_AE9A92
		mov	ecx, _WheapMaxCorrectedMCEOutstanding
		lea	eax, [ecx-1]
		cmp	eax, edx
		jbe	loc_AE9A92

loc_AD88E1:				; CODE XREF: WheapLoadPolicy+11262j
		mov	ecx, _WheaRegPolicyMemPfaThreshold
		lea	eax, [ecx-1]
		cmp	eax, edx
		jbe	loc_AE9A9D
		mov	ecx, _WheapSingleBitEccErrorThreshold
		lea	eax, [ecx-1]
		cmp	eax, edx
		jbe	loc_AE9A9D

loc_AD8903:				; CODE XREF: WheapLoadPolicy+1126Dj
		mov	eax, _WheaRegPolicyMemPfaTimeout
		cmp	eax, 93A80h
		jbe	loc_AE9AA8

loc_AD8913:				; CODE XREF: WheapLoadPolicy+11284j
		cmp	_WheapPolicyMemPfaPageCount, 0
		jz	loc_AE9ABF
		cmp	_WheapPolicyMemPfaThreshold, 0
		jz	loc_AE9ABF

loc_AD892D:				; CODE XREF: WheapLoadPolicy+11290j
		mov	eax, _WheaRegPolicyIgnoreDummyWrite
		cmp	eax, edi
		jnz	loc_AE9ACB

loc_AD893A:				; CODE XREF: WheapLoadPolicy+1129Ej
		mov	eax, _WheapRegPolicyRestoreCmciEnabled
		cmp	eax, edi
		jnz	loc_AE9AD9

loc_AD8947:				; CODE XREF: WheapLoadPolicy+112ACj
		movzx	eax, _WheapPolicyRestoreCmciEnabled
		push	esi
		mov	esi, ds:__imp__HalWheaUpdateCmciPolicy@8 ; HalWheaUpdateCmciPolicy(x,x)
		push	eax
		push	7
		call	esi
		mov	eax, _WheapRegPolicyRestoreCmciMaxAttempts
		cmp	eax, edi
		jnz	loc_AE9AE7

loc_AD8967:				; CODE XREF: WheapLoadPolicy+112B6j
		push	_WheapPolicyRestoreCmciMaxAttempts
		push	8
		call	esi
		mov	eax, _WheapRegPolicyRestoreCmciErrorLimit
		cmp	eax, edi
		jnz	loc_AE9AF1

loc_AD897E:				; CODE XREF: WheapLoadPolicy+112C0j
		push	_WheapPolicyRestoreCmciErrorLimit
		push	9
		call	esi
		mov	eax, _WheapRegPolicyCmciThresholdCount
		cmp	eax, edi
		jnz	loc_AE9AFB

loc_AD8995:				; CODE XREF: WheapLoadPolicy+112CFj
		mov	eax, _WheapRegPolicyCmciThresholdTime
		cmp	eax, edi
		jnz	loc_AE9B0A

loc_AD89A2:				; CODE XREF: WheapLoadPolicy+112DEj
		mov	eax, _WheapRegPolicyCmciThresholdPollCount
		cmp	eax, edi
		jnz	loc_AE9B19

loc_AD89AF:				; CODE XREF: WheapLoadPolicy+112EDj
		pop	esi
		cmp	_WheaRegPolicyDisableOffline, edi
		jnz	loc_AE9B28

loc_AD89BC:				; CODE XREF: WheapLoadPolicy+112F9j
		cmp	_WheaRegPolicyMemPersistOffline, edi
		jnz	loc_AE9B34

loc_AD89C8:				; CODE XREF: WheapLoadPolicy+11305j
		cmp	_WheaRegPolicyMemPfaDisable, edi
		jnz	loc_AE9B40

loc_AD89D4:				; CODE XREF: WheapLoadPolicy+11311j
		cmp	_WheaRegPolicyMemPfaPageCount, edi
		jnz	loc_AE9B4C

loc_AD89E0:				; CODE XREF: WheapLoadPolicy+1131Dj
		cmp	_WheaRegPolicyMemPfaThreshold, edi
		jnz	loc_AE9B58

loc_AD89EC:				; CODE XREF: WheapLoadPolicy+11329j
		cmp	_WheaRegPolicyMemPfaTimeout, edi
		jnz	short loc_AD8A5F

loc_AD89F4:				; CODE XREF: WheapLoadPolicy+230j
		cmp	_WheapSingleBitEccErrorThreshold, edi
		jnz	short loc_AD8A68

loc_AD89FC:				; CODE XREF: WheapLoadPolicy+239j
		cmp	_WheapMaxCorrectedMCEOutstanding, edi
		jnz	loc_AE9B64

loc_AD8A08:				; CODE XREF: WheapLoadPolicy+11338j
		cmp	_WheaRegPolicyIgnoreDummyWrite,	edi
		jnz	loc_AE9B73

loc_AD8A14:				; CODE XREF: WheapLoadPolicy+11347j
		cmp	_WheapRegPolicyRestoreCmciEnabled, edi
		jnz	loc_AE9B82

loc_AD8A20:				; CODE XREF: WheapLoadPolicy+11356j
		cmp	_WheapRegPolicyRestoreCmciMaxAttempts, edi
		jnz	loc_AE9B91

loc_AD8A2C:				; CODE XREF: WheapLoadPolicy+11365j
		cmp	_WheapRegPolicyRestoreCmciErrorLimit, edi
		jnz	loc_AE9BA0

loc_AD8A38:				; CODE XREF: WheapLoadPolicy+11374j
		cmp	_WheapRegPolicyCmciThresholdCount, edi
		jnz	loc_AE9BAF

loc_AD8A44:				; CODE XREF: WheapLoadPolicy+11383j
		cmp	_WheapRegPolicyCmciThresholdTime, edi
		jnz	loc_AE9BBE

loc_AD8A50:				; CODE XREF: WheapLoadPolicy+11392j
		cmp	_WheapRegPolicyCmciThresholdPollCount, edi
		pop	edi
		jnz	loc_AE9BCD
		leave
		retn
; 

loc_AD8A5F:				; CODE XREF: WheapLoadPolicy+1BCj
		or	_WheaRegistryKeysPresent, 20h
		jmp	short loc_AD89F4
; 

loc_AD8A68:				; CODE XREF: WheapLoadPolicy+1C4j
		or	_WheaRegistryKeysPresent, 40h
		jmp	short loc_AD89FC
WheapLoadPolicy	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopReassignSystemRoot(x, x)
_IopReassignSystemRoot@8 proc near	; CODE XREF: INIT:00AC2F81p

var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= word ptr -208h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 234h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	dword ptr [ecx+68h] ; char
		xor	ebx, ebx
		lea	eax, [ebp+var_208]
		push	offset ??_C@_1BI@HJOIHDKL@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2?$AA?$CF?$AAS@PBOPGDP@	; "\\ArcName\\%S"
		push	100h		; int
		push	eax		; wchar_t *
		mov	edi, edx
		mov	[ebp+var_234], ebx
		mov	[ebp+var_230], ebx
		mov	[ebp+var_214], ebx
		mov	[ebp+var_210], ebx
		mov	[ebp+var_20C], ebx
		call	RtlStringCchPrintfW
		add	esp, 10h
		test	eax, eax
		js	loc_AD8B75
		lea	eax, [ebp+var_208]
		push	eax
		lea	eax, [ebp+var_214]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, 200h
		mov	word ptr [ebp+var_214+2], ax

loc_AD8AEF:				; CODE XREF: IopReassignSystemRoot(x,x)+FDj
		push	18h
		lea	eax, [ebp+var_214]
		mov	[ebp+var_228], ebx
		pop	esi
		mov	[ebp+var_224], eax
		lea	eax, [ebp+var_22C]
		push	eax
		push	0F0001h
		lea	eax, [ebp+var_20C]
		mov	[ebp+var_22C], esi
		push	eax
		mov	[ebp+var_220], 240h
		mov	[ebp+var_21C], ebx
		mov	[ebp+var_218], ebx
		call	NtOpenSymbolicLinkObject
		cmp	eax, 0C0000024h
		jz	short loc_AD8B7C
		test	eax, eax
		js	short loc_AD8B75
		xor	eax, eax
		mov	word ptr [ebp+var_214],	ax
		lea	eax, [ebp+var_214]
		push	ebx
		push	eax
		push	[ebp+var_20C]
		call	NtQuerySymbolicLinkObject
		push	ebx
		push	[ebp+var_20C]
		mov	esi, eax
		call	ObCloseHandle
		test	esi, esi
		jns	loc_AD8AEF

loc_AD8B75:				; CODE XREF: IopReassignSystemRoot(x,x)+58j
					; IopReassignSystemRoot(x,x)+CFj ...
		xor	al, al
		jmp	loc_AD8C58
; 

loc_AD8B7C:				; CODE XREF: IopReassignSystemRoot(x,x)+CBj
		push	ebx
		lea	eax, [ebp+var_214]
		push	eax
		push	edi
		call	RtlUnicodeStringToAnsiString
		test	eax, eax
		js	short loc_AD8B75
		push	offset ??_C@_1CG@MNLGCLPO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAB?$AAo?$AAo?$AAt?$AAD?$AAe?$AAv@PBOPGDP@
		lea	eax, [ebp+var_234]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_234]
		mov	[ebp+var_22C], esi
		mov	[ebp+var_224], eax
		mov	edi, 0F0001h
		lea	eax, [ebp+var_22C]
		mov	[ebp+var_228], ebx
		push	eax
		push	edi
		lea	eax, [ebp+var_20C]
		mov	[ebp+var_220], 240h
		push	eax
		mov	[ebp+var_21C], ebx
		mov	[ebp+var_218], ebx
		call	NtOpenSymbolicLinkObject
		test	eax, eax
		js	short loc_AD8B75
		push	[ebp+var_20C]
		call	NtMakeTemporaryObject
		push	ebx
		push	[ebp+var_20C]
		call	ObCloseHandle
		lea	eax, [ebp+var_234]
		mov	[ebp+var_22C], esi
		mov	[ebp+var_224], eax
		lea	eax, [ebp+var_214]
		push	eax
		lea	eax, [ebp+var_22C]
		mov	[ebp+var_228], ebx
		push	eax
		push	edi
		lea	eax, [ebp+var_20C]
		mov	[ebp+var_220], 250h
		push	eax
		mov	[ebp+var_21C], ebx
		mov	[ebp+var_218], ebx
		call	NtCreateSymbolicLinkObject
		push	ebx
		push	[ebp+var_20C]
		call	ObCloseHandle
		mov	al, 1

loc_AD8C58:				; CODE XREF: IopReassignSystemRoot(x,x)+105j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopReassignSystemRoot@8 endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PnpInitializeNotification()
_PnpInitializeNotification@0 proc near	; CODE XREF: IopInitializePlugPlayServices(x,x)+85Dp
		push	0Dh
		mov	eax, offset _PnpDeviceClassNotifyList
		pop	ecx

loc_AD8C70:				; CODE XREF: PnpInitializeNotification()+13j
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		sub	ecx, 1
		jnz	short loc_AD8C70
		push	esi
		push	edi
		xor	esi, esi
		mov	eax, offset _PnpProfileNotifyList
		xor	edi, edi
		mov	ds:dword_A94434, eax
		push	esi
		inc	edi
		mov	ds:_PnpProfileNotifyList, eax
		mov	eax, offset _PnpDeferredRegistrationList
		mov	_PnpDeviceClassNotifyLock, edi
		push	edi
		push	offset unk_6CCA6C
		mov	ds:dword_A9442C, eax
		mov	ds:_PnpDeferredRegistrationList, eax
		mov	dword_6CCA64, esi
		mov	dword_6CCA68, esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	esi
		push	edi
		push	offset unk_6CCA8C
		mov	_PnpTargetDeviceNotifyLock, edi
		mov	dword_6CCA84, esi
		mov	dword_6CCA88, esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	esi
		push	edi
		push	offset unk_6CCA2C
		mov	_PnpHwProfileNotifyLock, edi
		mov	dword_6CCA24, esi
		mov	dword_6CCA28, esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	esi
		push	edi
		push	offset unk_6CCA4C
		mov	_PnpDeferredRegistrationLock, edi
		mov	dword_6CCA44, esi
		mov	dword_6CCA48, esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		pop	edi
		pop	esi
		retn
_PnpInitializeNotification@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PiDqInit()
_PiDqInit@0	proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+552p
		mov	edi, edi
		push	ecx
		xor	edx, edx
		mov	ecx, offset _PiDqDeviceManager ; void *
		inc	edx
		call	_PiDqObjectManagerInit@8 ; PiDqObjectManagerInit(x,x)
		push	3
		pop	edx
		mov	ecx, offset _PiDqDeviceInterfaceManager	; void *
		call	_PiDqObjectManagerInit@8 ; PiDqObjectManagerInit(x,x)
		push	4
		pop	edx
		mov	ecx, offset _PiDqDeviceInterfaceClassManager ; void *
		call	_PiDqObjectManagerInit@8 ; PiDqObjectManagerInit(x,x)
		push	5
		pop	edx
		mov	ecx, offset _PiDqDeviceContainerManager	; void *
		call	_PiDqObjectManagerInit@8 ; PiDqObjectManagerInit(x,x)
		push	2
		pop	edx
		mov	ecx, offset _PiDqDeviceInstallerClassManager ; void *
		call	_PiDqObjectManagerInit@8 ; PiDqObjectManagerInit(x,x)
		push	6
		pop	edx
		mov	ecx, offset _PiDqDevicePanelManager ; void *
		call	_PiDqObjectManagerInit@8 ; PiDqObjectManagerInit(x,x)
		mov	_PiDqSequenceNumber, 0
		xor	eax, eax
		mov	dword_6CBA8C, 0
		pop	ecx
		retn
_PiDqInit@0	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall CmFcManagerInitialize(x)
_CmFcManagerInitialize@4 proc near	; CODE XREF: CmFcInitSystem0(x)+5p
		mov	edi, edi
		push	esi
		push	edi
		push	210h		; size_t
		push	0		; int
		mov	edi, offset _CmFcSystemManager
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, offset unk_6CE124
		call	_CmSiRWLockInitialize@4	; CmSiRWLockInitialize(x)
		mov	ecx, offset unk_6CE128
		call	_CmSiRWLockInitialize@4	; CmSiRWLockInitialize(x)
		push	3
		mov	ecx, offset dword_6CE138
		pop	edx

loc_AD8DBD:				; CODE XREF: CmFcManagerInitialize(x)+40j
		call	_CmFcpInitializeSectionState@4 ; CmFcpInitializeSectionState(x)
		add	ecx, 10h
		sub	edx, 1
		jnz	short loc_AD8DBD
		push	80h		; size_t
		push	edx		; int
		mov	esi, offset unk_6CE168
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, esi
		call	_RtlInitializeSwapReference@4 ;	RtlInitializeSwapReference(x)
		push	60h		; size_t
		push	0		; int
		push	offset unk_6CE178 ; void *
		call	_memset
		add	esp, 0Ch
		mov	ecx, offset unk_6CE1EC
		call	_RtlInitializeSwapReference@4 ;	RtlInitializeSwapReference(x)
		mov	ecx, offset unk_6CE1F8
		call	_CmSiRWLockInitialize@4	; CmSiRWLockInitialize(x)
		push	edi
		push	offset _CmFcpManagerDrainUsageNotificationsDpc@16 ; CmFcpManagerDrainUsageNotificationsDpc(x,x,x,x)
		push	offset unk_6CE20C
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	edi
		push	offset _CmFcpManagerDrainUsageNotificationsWorker@8 ; CmFcpManagerDrainUsageNotificationsWorker(x,x)
		mov	ecx, offset unk_6CE22C
		call	_CmFcpWorkItemInitialize@16 ; CmFcpWorkItemInitialize(x,x,x,x)
		push	edi
		push	offset _CmFcpManagerRetryUsageNotificationsWorker@8 ; CmFcpManagerRetryUsageNotificationsWorker(x,x)
		mov	ecx, offset unk_6CE254
		call	_CmFcpWorkItemInitialize@16 ; CmFcpWorkItemInitialize(x,x,x,x)
		mov	ecx, offset unk_6CE278
		call	_CmSiRWLockInitialize@4	; CmSiRWLockInitialize(x)
		mov	eax, offset dword_6CE27C
		pop	edi
		mov	dword_6CE280, eax
		mov	dword_6CE27C, eax
		pop	esi
		retn
_CmFcManagerInitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopUmpoInitializeChannel proc near	; CODE XREF: PoInitSystem:loc_AC177Bp

var_70		= dword	ptr -70h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE9BD9 SIZE 00000014 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_54]
		push	2Ch		; size_t
		rep stosd
		xor	ebx, ebx
		lea	eax, [ebp+var_30]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		xor	eax, eax
		mov	_PopAlpcServerPort, ebx
		lea	edi, [ebp+var_70]
		mov	_PopAlpcClientPort, ebx
		stosd
		add	esp, 0Ch
		mov	_PopUmpoPushLock, ebx
		mov	[ebp+var_5C], ebx
		mov	[ebp+var_58], ebx
		stosd
		push	6F706D55h
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		stosd
		mov	_PopUmpoAlpcClientConnected, bl
		mov	[ebp+var_34], ebx
		stosd
		stosd
		mov	eax, _SeLocalSystemSid
		movzx	eax, byte ptr [eax+1]
		lea	esi, ds:1Ch[eax*4]
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AE9BD9
		push	2		; int
		push	esi		; size_t
		push	edi		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD9008
		push	_SeLocalSystemSid
		push	10000000h
		push	2
		push	edi
		call	_RtlAddAccessAllowedAce@16 ; RtlAddAccessAllowedAce(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD9008
		push	1
		lea	eax, [ebp+var_70]
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD9008
		push	ebx
		push	edi
		push	1
		lea	eax, [ebp+var_70]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	esi, eax
		test	esi, esi
		js	loc_AD9008
		push	offset ??_C@_1BG@OFPPOPIP@?$AA?2?$AAP?$AAo?$AAw?$AAe?$AAr?$AAP?$AAo?$AAr?$AAt@PBOPGDP@ ; "\\PowerPort"
		lea	eax, [ebp+var_5C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_20], 1000h
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_70]
		mov	[ebp+var_44], eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_30], 100000h
		push	eax
		push	offset _PopAlpcServerPort
		mov	[ebp+var_54], 18h
		mov	[ebp+var_50], ebx
		mov	[ebp+var_48], 200h
		mov	[ebp+var_40], ebx
		call	_ZwAlpcCreatePort@12 ; ZwAlpcCreatePort(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD9008
		push	ebx
		push	1
		lea	eax, [ebp+var_54]
		mov	[ebp+var_54], 18h
		push	eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_50], ebx
		push	eax
		mov	[ebp+var_48], 200h
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_40], ebx
		call	_ExCreateCallback@16 ; ExCreateCallback(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD9008
		push	ebx
		mov	ebx, [ebp+var_34]
		push	offset _PopUmpoMessageCallback@12 ; PopUmpoMessageCallback(x,x,x)
		push	ebx
		call	ExRegisterCallback
		test	eax, eax
		jz	loc_AE9BE3
		and	[ebp+var_38], 0
		lea	eax, [ebp+var_3C]
		push	8
		push	eax
		push	9
		push	_PopAlpcServerPort
		mov	[ebp+var_3C], ebx
		call	_ZwAlpcSetInformation@16 ; ZwAlpcSetInformation(x,x,x,x)
		mov	ecx, ebx
		mov	esi, eax
		call	ObfDereferenceObject
		test	esi, esi
		js	short loc_AD9020
		call	PopUmpoProcessMessages
		xor	ebx, ebx
		mov	esi, ebx

loc_AD9008:				; CODE XREF: PopUmpoInitializeChannel+98j
					; PopUmpoInitializeChannel+B5j	...
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AD900F:				; CODE XREF: PopUmpoInitializeChannel+10D88j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD9020:				; CODE XREF: PopUmpoInitializeChannel+1A7j
					; PopUmpoInitializeChannel+10D92j
		xor	ebx, ebx
		jmp	short loc_AD9008
PopUmpoInitializeChannel endp

; 
		dd 0CCCCCCCCh
		db 2 dup(0CCh)
; Exported entry 958. IoReportHalResourceUsage

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	IoReportHalResourceUsage(int,void *,int,size_t)
		public IoReportHalResourceUsage
IoReportHalResourceUsage proc near

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

; FUNCTION CHUNK AT 00AE9BED SIZE 00000028 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		xor	ebx, ebx
		lea	eax, [esp+2Ch+var_8]
		push	edi
		push	offset _IopWstrHal ; "Hardware Abstraction Layer"
		push	eax
		mov	[esp+38h+var_24], ebx
		mov	[esp+38h+var_8], ebx
		mov	[esp+38h+var_4], ebx
		mov	[esp+38h+var_10], ebx
		mov	[esp+38h+var_C], ebx
		mov	[esp+38h+var_20], ebx
		mov	[esp+38h+var_1C], ebx
		mov	[esp+38h+var_18], ebx
		mov	[esp+38h+var_14], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	ebx
		push	1
		push	2001Fh
		push	offset _CmRegistryMachineHardwareResourceMapName
		xor	edx, edx
		lea	ecx, [esp+40h+var_24]
		call	IopCreateRegistryKeyEx
		mov	esi, eax
		test	esi, esi
		js	loc_AD918E
		push	offset _PnpWstrRaw
		lea	eax, [esp+34h+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp+arg_C]
		lea	eax, [esp+30h+var_1C]
		mov	ecx, [ebp+arg_4]
		push	eax
		lea	eax, [esp+34h+var_20]
		push	eax
		push	ebx
		call	HeadlessTerminalAddResources
		mov	edi, [esp+30h+var_20]
		mov	esi, eax
		test	esi, esi
		js	loc_AD9152
		mov	ecx, [esp+30h+var_1C]
		test	edi, edi
		jnz	loc_AE9BED
		mov	ecx, [ebp+arg_C]
		mov	eax, [ebp+arg_4]

loc_AD90D4:				; CODE XREF: IoReportHalResourceUsage+10BC5j
		push	ecx
		mov	ecx, [esp+34h+var_24]
		lea	edx, [esp+34h+var_8]
		push	eax
		lea	eax, [esp+38h+var_10]
		push	eax
		push	[ebp+arg_0]
		call	IopWriteResourceList
		mov	esi, eax
		test	esi, esi
		js	short loc_AD9152
		push	offset _PnpWstrTranslated
		lea	eax, [esp+34h+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, [ebp+arg_C]
		lea	eax, [esp+30h+var_14]
		mov	ecx, [ebp+arg_8]
		push	eax
		lea	eax, [esp+34h+var_18]
		push	eax
		push	1
		call	HeadlessTerminalAddResources
		mov	esi, eax
		test	esi, esi
		js	short loc_AD9152
		mov	ebx, [esp+30h+var_18]
		mov	eax, [esp+30h+var_14]
		test	ebx, ebx
		jnz	short loc_AD9199
		mov	eax, [ebp+arg_C]
		mov	ecx, [ebp+arg_8]

loc_AD912F:				; CODE XREF: IoReportHalResourceUsage+171j
		push	eax
		push	ecx
		mov	ecx, [esp+38h+var_24]
		lea	eax, [esp+38h+var_10]
		push	eax
		push	[ebp+arg_0]
		lea	edx, [esp+40h+var_8]
		call	IopWriteResourceList
		mov	esi, eax
		test	ebx, ebx
		jnz	loc_AE9BF4

loc_AD9150:				; CODE XREF: IoReportHalResourceUsage+10BD2j
		xor	ebx, ebx

loc_AD9152:				; CODE XREF: IoReportHalResourceUsage+92j
					; IoReportHalResourceUsage+C5j	...
		push	[esp+30h+var_24]
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_AE9C01
		test	edi, edi
		jnz	short loc_AD919D
		push	20207050h
		push	[ebp+arg_C]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:_IopInitHalResources, eax
		test	eax, eax
		jz	short loc_AD91A5
		push	[ebp+arg_C]	; size_t
		push	[ebp+arg_4]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_AD918E:				; CODE XREF: IoReportHalResourceUsage+5Fj
					; IoReportHalResourceUsage+179j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
; 

loc_AD9199:				; CODE XREF: IoReportHalResourceUsage+FDj
		mov	ecx, ebx
		jmp	short loc_AD912F
; 

loc_AD919D:				; CODE XREF: IoReportHalResourceUsage+13Bj
		mov	ds:_IopInitHalResources, edi
		jmp	short loc_AD918E
; 

loc_AD91A5:				; CODE XREF: IoReportHalResourceUsage+153j
		mov	esi, 0C000009Ah
		jmp	short loc_AD918E
IoReportHalResourceUsage endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SeCodeIntegrityInitializePolicy(x)
_SeCodeIntegrityInitializePolicy@4 proc	near
					; CODE XREF: Phase1InitializationDiscard(x)+DC5p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ecx+84h]
		push	esi
		xor	esi, esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		push	edi
		mov	edi, esi
		test	eax, eax
		jz	short loc_AD91EB
		mov	edi, [eax+0A78h]
		test	edi, edi
		jz	short loc_AD91EB
		mov	edx, [edi+40h]
		test	edx, edx
		jz	short loc_AD91EB
		lea	ecx, [edi+48h]
		add	ecx, [edi+3Ch]
		call	SeSecureBootRegisterPolicy
		mov	esi, eax
		test	esi, esi
		js	short loc_AD921A

loc_AD91EB:				; CODE XREF: SeCodeIntegrityInitializePolicy(x)+1Bj
					; SeCodeIntegrityInitializePolicy(x)+25j ...
		call	SepInitializeDebugOptions
		mov	eax, dword_6BEA50
		test	eax, eax
		jz	short loc_AD921A
		lea	ecx, [ebp+var_8]
		push	ecx
		lea	ecx, [ebp+var_4]
		push	ecx
		push	edi
		call	eax
		mov	esi, eax
		test	esi, esi
		js	short loc_AD921A
		mov	eax, [ebp+var_4]
		mov	ds:_SeCiStateElements, eax
		mov	eax, [ebp+var_8]
		mov	ds:_SeCiStateElementCount, eax

loc_AD921A:				; CODE XREF: SeCodeIntegrityInitializePolicy(x)+3Dj
					; SeCodeIntegrityInitializePolicy(x)+4Bj ...
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
_SeCodeIntegrityInitializePolicy@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepInitializeDebugOptions proc near	; CODE XREF: SeCodeIntegrityInitializePolicy(x):loc_AD91EBp

var_1C		= dword	ptr -1Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE9C15 SIZE 0000007B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	edi
		push	6
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		pop	ecx
		rep stosd
		cmp	_KdDebuggerEnabled, al
		jnz	loc_AE9C15

loc_AD9249:				; CODE XREF: SepInitializeDebugOptions+109FBj
					; SepInitializeDebugOptions+10A08j ...
		cmp	ds:_SeILSigningPolicy, 0
		jnz	loc_AE9C3B

loc_AD9256:				; CODE XREF: SepInitializeDebugOptions+10A3Fj
					; SepInitializeDebugOptions+10A4Cj ...
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		pop	edi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
SepInitializeDebugOptions endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SeSecureBootRegisterPolicy proc	near	; CODE XREF: SeCodeIntegrityInitializePolicy(x)+34p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE9C90 SIZE 0000017A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		xor	eax, eax
		mov	[ebp+var_C], edi
		mov	ebx, ecx
		mov	[ebp+var_4], eax
		mov	[ebp+var_8], eax
		cmp	edi, 10h
		jb	short loc_AD92F4
		mov	edx, [ebx+0Ch]
		xor	ecx, ecx
		mov	esi, [ebx+8]
		test	edx, edx
		setz	cl
		test	esi, esi
		setz	al
		cmp	eax, ecx
		jnz	short loc_AD92F4
		cmp	esi, edi
		jnb	short loc_AD92F4
		cmp	edx, edi
		jnb	short loc_AD92F4
		test	edx, edx
		jnz	loc_AE9C90

loc_AD92A9:				; CODE XREF: SeSecureBootRegisterPolicy+10A35j
		lea	eax, [edx+esi]
		cmp	eax, edi
		ja	short loc_AD92F4
		push	6
		pop	ecx
		mov	esi, ebx
		mov	edi, offset _g_SecureBootPolicyBlobHeader
		rep movsd
		xor	edi, edi
		mov	esi, edi
		cmp	[ebx+0Ch], edi
		jnz	short loc_AD92E6

loc_AD92C5:				; CODE XREF: SeSecureBootRegisterPolicy+87j
		mov	ecx, esi
		call	SepSecureBootSetRegistryKey
		test	byte ptr dword_6D710C, 8
		jnz	short loc_AD92ED

loc_AD92D5:				; CODE XREF: SeSecureBootRegisterPolicy+8Ej
		test	esi, esi
		jnz	loc_AE9C9E
		mov	esi, edi

loc_AD92DF:				; CODE XREF: SeSecureBootRegisterPolicy+10A75j
					; SeSecureBootRegisterPolicy+10B70j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD92E6:				; CODE XREF: SeSecureBootRegisterPolicy+5Fj
		mov	esi, [ebx+8]
		add	esi, ebx
		jmp	short loc_AD92C5
; 

loc_AD92ED:				; CODE XREF: SeSecureBootRegisterPolicy+6Fj
		call	_SepSecureBootCheckForUpdates@0	; SepSecureBootCheckForUpdates()
		jmp	short loc_AD92D5
; 

loc_AD92F4:				; CODE XREF: SeSecureBootRegisterPolicy+1Dj
					; SeSecureBootRegisterPolicy+33j ...
		mov	esi, 0C0430003h
		jmp	loc_AE9DD2
SeSecureBootRegisterPolicy endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SepSecureBootSetRegistryKey proc near	; CODE XREF: SeSecureBootRegisterPolicy+63p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE9E0A SIZE 00000139 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		and	[ebp+var_8], 0
		xor	eax, eax
		and	[ebp+var_4], 0
		push	ebx
		push	esi
		push	edi
		mov	ebx, ecx
		lea	edi, [ebp+var_2C]
		push	6
		pop	ecx
		rep stosd
		xor	edi, edi
		test	byte ptr dword_6D710C, 8
		mov	[ebp+var_14], edi
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], edi
		jnz	loc_AE9E0A
		test	ebx, ebx
		jnz	loc_AE9E0A
		mov	esi, edi

loc_AD933F:				; CODE XREF: SepSecureBootSetRegistryKey+10B44j
					; SepSecureBootSetRegistryKey+10B86j ...
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		cmp	[ebp+var_4], edi
		jnz	loc_AE9F29

loc_AD9351:				; CODE XREF: SepSecureBootSetRegistryKey+10C33j
		cmp	[ebp+var_8], edi
		jnz	loc_AE9F36

loc_AD935A:				; CODE XREF: SepSecureBootSetRegistryKey+10C40j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
SepSecureBootSetRegistryKey endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiInitializeZeroingAttributes()
_MiInitializeZeroingAttributes@0 proc near ; CODE XREF:	MiInitNucleus(x)+78p
		mov	edi, edi
		push	esi
		xor	ecx, ecx
		mov	esi, offset dword_6D074C
		push	edi
		mov	edx, ecx

loc_AD936F:				; CODE XREF: MiInitializeZeroingAttributes()+1Cj
		mov	edi, esi
		mov	eax, edx
		inc	edx
		add	esi, 10h
		stosd
		stosd
		stosd
		stosd
		cmp	edx, 3
		jb	short loc_AD936F
		pop	edi
		pop	esi

loc_AD9382:				; CODE XREF: MiInitializeZeroingAttributes()+2Bj
		mov	dword_6D077C[ecx*4], ecx
		inc	ecx
		cmp	ecx, 3
		jbe	short loc_AD9382
		mov	dword_6D0788, 1
		retn
_MiInitializeZeroingAttributes@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopUmpoInitializeMonitorChannel	proc near ; CODE XREF: PoInitSystem+52Ap

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE9F43 SIZE 0000002D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 5Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_5C]
		push	offset ??_C@_1CE@JMMPMGFK@?$AA?2?$AAP?$AAo?$AAw?$AAe?$AAr?$AAM?$AAo?$AAn?$AAi?$AAt?$AAo?$AAr?$AAP?$AAo@PBOPGDP@	; "\\"
		mov	esi, edi
		mov	[ebp+var_3C], edi
		push	eax
		mov	[ebp+var_38], edi
		mov	ebx, edi
		mov	[ebp+var_5C], edi
		mov	[ebp+var_58], edi
		mov	[ebp+var_34], esi
		mov	_PopAlpcMonitorServerPort, edi
		mov	_PopAlpcMonitorClientPort, edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	2Ch		; size_t
		lea	eax, [ebp+var_30]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_30], 100000h
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_20], 100h
		mov	[ebp+var_4C], eax
		lea	eax, [ebp+var_30]
		mov	[ebp+var_54], 18h
		push	eax
		lea	eax, [ebp+var_54]
		mov	[ebp+var_50], edi
		push	eax
		push	offset _PopAlpcMonitorServerPort
		mov	[ebp+var_48], 200h
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], edi
		call	_ZwAlpcCreatePort@12 ; ZwAlpcCreatePort(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AE9F43
		push	1
		push	1
		lea	eax, [ebp+var_54]
		mov	[ebp+var_54], 18h
		push	eax
		lea	eax, [ebp+var_34]
		mov	[ebp+var_50], esi
		push	eax
		mov	[ebp+var_48], 200h
		mov	[ebp+var_4C], esi
		mov	[ebp+var_44], esi
		mov	[ebp+var_40], esi
		call	_ExCreateCallback@16 ; ExCreateCallback(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_AD94C5
		push	esi
		mov	esi, [ebp+var_34]
		push	offset _PopMonitorAlpcCallback@12 ; PopMonitorAlpcCallback(x,x,x)
		push	esi
		call	ExRegisterCallback
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_AD94AC
		mov	ecx, _PopAlpcMonitorServerPort
		lea	eax, [ebp+var_3C]
		push	8
		push	eax
		push	9
		push	ecx
		mov	[ebp+var_3C], esi
		mov	[ebp+var_38], ecx
		call	_ZwAlpcSetInformation@16 ; ZwAlpcSetInformation(x,x,x,x)
		mov	ecx, esi
		mov	edi, eax
		call	ObfDereferenceObject
		test	edi, edi
		js	loc_AE9F43
		call	PopMonitorProcessLoop
		xor	edi, edi

loc_AD94AC:				; CODE XREF: PopUmpoInitializeMonitorChannel+DEj
		test	edi, edi
		js	loc_AE9F43

loc_AD94B4:				; CODE XREF: PopUmpoInitializeMonitorChannel+10BC4j
					; PopUmpoInitializeMonitorChannel+10BD1j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD94C5:				; CODE XREF: PopUmpoInitializeMonitorChannel+C9j
		mov	esi, [ebp+var_34]
		jmp	loc_AE9F43
PopUmpoInitializeMonitorChannel	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall GetBootSystemTime(x, x)
_GetBootSystemTime@8 proc near		; CODE XREF: Phase1InitializationDiscard(x)+466p

var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= dword	ptr -14h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_44], edx
		push	esi
		push	edi
		lea	edi, [ebp+var_14]
		mov	ebx, ecx
		stosd
		xor	ecx, ecx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_28], ecx
		mov	esi, [ebx+9C0h]
		stosd
		mov	[ebp+var_24], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		stosd
		mov	[ebp+var_38], esi
		stosd
		mov	eax, [ebx+9D8h]
		mov	edi, [ebx+9C4h]
		and	eax, 1
		or	eax, ecx
		mov	[ebp+var_3C], edi
		jnz	short loc_AD9546
		cmp	_ExpRealTimeIsUniversal, ecx
		jnz	short loc_AD9546
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ecx, [eax+268h]
		add	esi, [ecx+1B8h]
		mov	[ebp+var_38], esi
		adc	edi, [ecx+1BCh]
		mov	[ebp+var_3C], edi

loc_AD9546:				; CODE XREF: GetBootSystemTime(x,x)+51j
					; GetBootSystemTime(x,x)+59j
		lea	eax, [ebp+var_28]
		push	eax
		call	off_6B1340	; xHalTimerQueryCycleCounter(x)
		sub	eax, [ebx+9C8h]
		mov	ecx, edx
		push	0
		sbb	ecx, [ebx+9CCh]
		mov	edx, (offset loc_98967E+2)
		push	edx
		push	ecx
		mov	[ebp+var_34], ecx
		lea	ecx, [ebp+var_30]
		push	eax
		mov	[ebp+var_1C], eax
		call	_RtlULongLongMult@20 ; RtlULongLongMult(x,x,x,x,x)
		push	[ebp+var_24]
		mov	esi, eax
		push	[ebp+var_28]
		push	[ebp+var_2C]
		push	[ebp+var_30]
		call	__aulldiv
		mov	ebx, eax
		mov	edi, edx
		test	esi, esi
		jns	short loc_AD95F7
		push	[ebp+var_24]
		mov	ebx, [ebp+var_1C]
		push	[ebp+var_28]
		push	[ebp+var_34]
		push	ebx
		call	__aulldiv
		push	[ebp+var_24]
		mov	esi, edx
		mov	edi, eax
		push	[ebp+var_28]
		push	esi
		push	edi
		call	__allmul
		push	[ebp+var_24]
		sub	ebx, eax
		mov	ecx, (offset loc_98967E+2)
		mov	eax, [ebp+var_34]
		push	[ebp+var_28]
		sbb	eax, edx
		mul	ecx
		mov	edx, (offset loc_98967E+2)
		mov	ecx, eax
		mov	eax, ebx
		mul	edx
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		push	0
		mov	ebx, eax
		mov	[ebp+var_1C], edx
		mov	eax, (offset loc_98967E+2)
		push	eax
		push	esi
		push	edi
		call	__allmul
		mov	edi, [ebp+var_1C]
		add	ebx, eax
		adc	edi, edx

loc_AD95F7:				; CODE XREF: GetBootSystemTime(x,x)+C1j
		mov	eax, [ebp+var_40]
		add	ebx, [ebp+var_38]
		mov	[ebp+var_20], ebx
		adc	edi, [ebp+var_3C]
		mov	eax, [eax+9D8h]
		and	eax, 2
		mov	[ebp+var_1C], edi
		or	eax, 0
		jnz	short loc_AD965B
		cmp	_ExpRealTimeIsUniversal, eax
		jnz	short loc_AD9643
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	edx, ebx
		mov	ecx, [eax+268h]
		mov	eax, edi
		push	ecx
		sub	edx, [ecx+1B8h]
		mov	[ebp+var_30], edx
		sbb	eax, [ecx+1BCh]
		lea	ecx, [ebp+var_30]
		mov	[ebp+var_2C], eax
		jmp	short loc_AD9647
; 

loc_AD9643:				; CODE XREF: GetBootSystemTime(x,x)+14Cj
		push	ecx
		lea	ecx, [ebp+var_20]

loc_AD9647:				; CODE XREF: GetBootSystemTime(x,x)+173j
		lea	edx, [ebp+var_14]
		call	RtlpTimeToTimeFields
		lea	eax, [ebp+var_14]
		push	eax
		call	ds:__imp__HalSetRealTimeClock@4	; HalSetRealTimeClock(x)
		jmp	short loc_AD96B0
; 

loc_AD965B:				; CODE XREF: GetBootSystemTime(x,x)+144j
		call	_ExIsSoftBoot@0	; ExIsSoftBoot()
		test	al, al
		jnz	short loc_AD96B0
		lea	eax, [ebp+var_14]
		push	eax
		call	ds:__imp__HalQueryRealTimeClock@4 ; HalQueryRealTimeClock(x)
		test	al, al
		jz	short loc_AD96B0
		push	ecx
		lea	edx, [ebp+var_20]
		lea	ecx, [ebp+var_14]
		call	RtlpTimeFieldsToTime
		test	al, al
		jz	short loc_AD96AA
		cmp	_ExpRealTimeIsUniversal, 0
		jnz	short loc_AD96AA
		call	_PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
		mov	ebx, [ebp+var_20]
		mov	edi, [ebp+var_1C]
		mov	ecx, [eax+268h]
		add	ebx, [ecx+1B8h]
		adc	edi, [ecx+1BCh]
		jmp	short loc_AD96B0
; 

loc_AD96AA:				; CODE XREF: GetBootSystemTime(x,x)+1B2j
					; GetBootSystemTime(x,x)+1BBj
		mov	edi, [ebp+var_1C]
		mov	ebx, [ebp+var_20]

loc_AD96B0:				; CODE XREF: GetBootSystemTime(x,x)+18Bj
					; GetBootSystemTime(x,x)+194j ...
		mov	eax, [ebp+var_44]
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		mov	[eax+4], edi
		pop	edi
		pop	esi
		mov	[eax], ebx
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_GetBootSystemTime@8 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopPowerRequestInit()
_PopPowerRequestInit@0 proc near	; CODE XREF: PoInitSystem+571p

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	eax, [ebp+var_60]
		push	58h
		pop	esi
		push	esi		; size_t
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		mov	_PopPowerRequestLock, ebx
		mov	dword_6C3884, ebx
		mov	_PopPowerRequestSpinLock, ebx
		mov	_PopPowerRequestObjectCount, ebx
		mov	_PopSpecialPowerRequestObjectCount, ebx
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_8]
		push	offset ??_C@_1BK@FKKBABCD@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAR?$AAe?$AAq?$AAu?$AAe?$AAs?$AAt@PBOPGDP@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	word ptr [ebp+var_60], si
		lea	edi, [ebp+var_54]
		mov	[ebp+var_3C], 200h
		lea	eax, [ebp+var_60]
		mov	[ebp+var_34], 68h
		mov	esi, offset _PopPowerRequestMapping
		mov	[ebp+var_58], 192h
		push	offset _PopPowerRequestObjectType
		push	ebx
		movsd
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		movsd
		movsd
		movsd
		or	byte ptr [ebp+var_60+2], 14h
		mov	[ebp+var_44], 1F0000h
		mov	[ebp+var_28], offset _PopClosePowerRequestObject@16 ; PopClosePowerRequestObject(x,x,x,x)
		mov	[ebp+var_24], offset _PopDeletePowerRequestObject@4 ; PopDeletePowerRequestObject(x)
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD9812
		push	ebx		; int
		mov	eax, offset _PopPowerRequestObjectList
		mov	dword_6C3938, offset _PopPowerRequestCallbackWorker@4 ;	PopPowerRequestCallbackWorker(x)
		push	offset _PopPowerRequestFree@8 ;	int
		mov	dword_6C390C, eax
		mov	_PopPowerRequestObjectList, eax
		mov	eax, offset _PopSpecialPowerRequestObjectList
		push	offset _PopPowerRequestAllocate@8 ; int
		mov	dword_6C3914, eax
		mov	_PopSpecialPowerRequestObjectList, eax
		mov	eax, offset _PopPowerRequestCallbacks
		push	offset _PopPowerRequestCompare@12 ; int
		push	offset _PopPowerRequestTable ; void *
		mov	dword_6C393C, ebx
		mov	_PopCallbackWorkItem, ebx
		mov	dword_6C391C, eax
		mov	_PopPowerRequestCallbacks, eax
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, offset _PopExecutionRequiredContext
		push	ebx
		rep stosd
		push	offset _PopExecutionRequiredTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	ebx
		push	offset _PopExecutionRequiredTimeoutCallback@16 ; PopExecutionRequiredTimeoutCallback(x,x,x,x)
		push	offset _PopExecutionRequiredTimeoutDpc
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	dword_6C3968, offset _PopExecutionRequiredTimeoutWorkerRoutine@4 ; PopExecutionRequiredTimeoutWorkerRoutine(x)
		mov	dword_6C396C, ebx
		mov	_PopExecutionRequiredTimeoutWorker, ebx
		call	_PopStatsInitPowerRequestLibrary@0 ; PopStatsInitPowerRequestLibrary()

loc_AD9812:				; CODE XREF: PopPowerRequestInit()+A5j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_PopPowerRequestInit@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopStatsInitPowerRequestLibrary()
_PopStatsInitPowerRequestLibrary@0 proc	near ; CODE XREF: PopPowerRequestInit()+145p
		mov	edi, edi
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, offset _ExecutionRequiredStopWatchCollection
		push	30h		; size_t
		push	edi		; int
		push	esi		; void *
		mov	_PowerReqestStatsLock, edi
		mov	dword_6BF4B4, edi
		call	_memset
		add	esp, 0Ch
		mov	dword_6BF484, esi
		mov	_ExecutionRequiredStopWatchCollection, esi
		push	edi		; int
		push	offset _PopAvlFreePowerRequestStats@8 ;	int
		push	offset _PopAvlAllocatePowerRequestStats@8 ; int
		push	offset _PopAvlComparePowerRequestKeys@12 ; int
		push	offset _PowerRequestStatsDatabase ; void *
		call	_RtlInitializeGenericTableAvl@20 ; RtlInitializeGenericTableAvl(x,x,x,x,x)
		pop	edi
		xor	eax, eax
		pop	esi
		retn
_PopStatsInitPowerRequestLibrary@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ArbInitializeOsInaccessibleRange(x)
_ArbInitializeOsInaccessibleRange@4 proc near
					; CODE XREF: IopInitializePlugPlayServices(x,x)+238p

var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_27		= byte ptr -27h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 8Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	76h
		pop	eax
		mov	word ptr [ebp+var_7C+2], ax
		xor	ebx, ebx
		mov	word ptr [ebp+var_7C], ax
		mov	edi, ecx
		push	18h
		pop	esi
		lea	eax, [ebp+var_7C]
		mov	[ebp+var_54], ebx
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_70]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_54]
		mov	[ebp+var_74], ebx
		push	eax
		mov	[ebp+var_58], ebx
		mov	[ebp+var_78], offset ??_C@_1HI@MHCMANAK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		mov	[ebp+var_70], esi
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_64], 240h
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_AD99B0
		push	22h
		pop	eax
		mov	word ptr [ebp+var_84+2], ax
		mov	word ptr [ebp+var_84], ax
		mov	eax, [ebp+var_54]
		mov	[ebp+var_6C], eax
		lea	eax, [ebp+var_84]
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_74]
		push	eax
		push	1
		push	ebx
		push	ebx
		lea	eax, [ebp+var_70]
		mov	[ebp+var_80], offset ??_C@_1CE@NKBPPJBA@?$AAI?$AAn?$AAa?$AAc?$AAc?$AAe?$AAs?$AAs?$AAi?$AAb?$AAl?$AAe?$AAR?$AAa?$AAn@PBOPGDP@
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_58]
		mov	[ebp+var_70], esi
		push	eax
		mov	[ebp+var_64], 240h
		mov	[ebp+var_60], ebx
		mov	[ebp+var_5C], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD99A6
		push	48h
		pop	esi
		push	esi		; size_t
		lea	ecx, [ebp+var_50]
		push	ebx		; int
		push	ecx		; void *
		call	_memset
		xor	eax, eax
		mov	[ebp+var_50], esi
		add	esp, 0Ch
		mov	[ebp+var_27], 3
		inc	eax
		xor	edx, edx
		mov	ecx, edi
		mov	[ebp+var_34], eax
		mov	[ebp+var_2C], eax
		call	__allshl
		or	[ebp+var_10], 0FFFFFFFFh
		or	[ebp+var_C], 0FFFFFFFFh
		push	1Eh
		mov	[ebp+var_18], eax
		pop	eax
		push	esi
		mov	word ptr [ebp+var_8C+2], ax
		mov	word ptr [ebp+var_8C], ax
		lea	eax, [ebp+var_50]
		push	eax
		push	0Ah
		push	ebx
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_14], edx
		push	eax
		push	[ebp+var_58]
		mov	[ebp+var_88], offset ??_C@_1CA@PBELCONO@?$AAP?$AAh?$AAy?$AAs?$AAi?$AAc?$AAa?$AAl?$AAA?$AAd?$AAd?$AAr?$AAe?$AAs?$AAs@PBOPGDP@ ; "PhysicalAddress"
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AD999E
		mov	esi, ebx

loc_AD999E:				; CODE XREF: ArbInitializeOsInaccessibleRange(x)+132j
		push	[ebp+var_58]
		call	_ZwClose@4	; ZwClose(x)

loc_AD99A6:				; CODE XREF: ArbInitializeOsInaccessibleRange(x)+C2j
		push	[ebp+var_54]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi

loc_AD99B0:				; CODE XREF: ArbInitializeOsInaccessibleRange(x)+67j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_ArbInitializeOsInaccessibleRange@4 endp

; 
		align 10h

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopStoreArcInformation proc near	; CODE XREF: INIT:00AC2D93p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE9F70 SIZE 0000008A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, [ecx+80h]
		mov	edx, offset _IoArcTableListHead
		push	ebx
		mov	ebx, dword_6BBFD0
		push	esi
		push	edi
		mov	ds:dword_A9441C, edx
		xor	edi, edi
		mov	ds:_IoArcTableListHead,	edx
		mov	esi, [eax]
		mov	[ebp+var_14], eax
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], esi
		cmp	esi, eax
		jz	loc_AD9AC2

loc_AD99FD:				; CODE XREF: IopStoreArcInformation+F9j
		push	38h
		pop	edx
		mov	ecx, 200h
		call	IopVerifierExAllocatePool
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AE9F8C
		mov	ecx, [esi+0Ch]
		lea	edx, [ecx+1]

loc_AD9A1A:				; CODE XREF: IopStoreArcInformation+5Fj
		mov	al, [ecx]
		inc	ecx
		test	al, al
		jnz	short loc_AD9A1A
		sub	ecx, edx
		lea	eax, [ecx+1]
		mov	ecx, 200h
		mov	edx, eax
		mov	[ebp+var_10], eax
		call	IopVerifierExAllocatePool
		mov	[ebp+var_4], eax
		test	eax, eax
		jz	loc_AE9F70
		push	38h		; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		mov	edi, ebx
		push	0Bh
		pop	ecx
		rep movsd
		mov	esi, [ebp+var_8]
		mov	edi, [ebp+var_10]
		mov	edx, edi
		mov	ecx, [ebp+var_4]
		push	dword ptr [esi+0Ch]
		call	_RtlStringCbCopyA@12 ; RtlStringCbCopyA(x,x,x)
		cmp	[ebp+var_C], 1
		mov	eax, [ebp+var_4]
		mov	[ebx+0Ch], eax
		jnz	short loc_AD9A94
		cmp	edi, 9
		jb	short loc_AD9A94
		push	8		; size_t
		add	eax, 0FFFFFFF7h
		add	eax, edi
		push	offset ??_C@_08OLNDGDOM@rdisk?$CI0?$CJ@PBOPGDP@	; char *
		push	eax		; char *
		call	__strnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_AD9A94
		mov	byte ptr [ebx+34h], 1

loc_AD9A94:				; CODE XREF: IopStoreArcInformation+B0j
					; IopStoreArcInformation+B5j ...
		mov	eax, ds:dword_A9441C
		mov	edx, offset _IoArcTableListHead
		cmp	[eax], edx
		jnz	short loc_AD9AFF
		mov	[ebx], edx
		xor	edi, edi
		mov	[ebx+4], eax
		mov	[eax], ebx
		mov	ds:dword_A9441C, ebx
		mov	esi, [esi]
		mov	[ebp+var_8], esi
		cmp	esi, [ebp+var_14]
		jnz	loc_AD99FD
		mov	ebx, [ebp+var_C]

loc_AD9AC2:				; CODE XREF: IopStoreArcInformation+37j
		mov	eax, ds:_IoArcTableListHead

loc_AD9AC7:				; CODE XREF: IopStoreArcInformation+136j
		cmp	eax, edx
		jnz	short loc_AD9AEA
		cmp	ebx, 1
		jnz	short loc_AD9AF8
		mov	ecx, ds:_IoArcTableListHead

loc_AD9AD6:				; CODE XREF: IopStoreArcInformation+128j
		cmp	ecx, edx
		jz	short loc_AD9AF8
		cmp	byte ptr [ecx+34h], 0
		jz	short loc_AD9AE6
		cmp	byte ptr [ecx+30h], 0
		jnz	short loc_AD9B04

loc_AD9AE6:				; CODE XREF: IopStoreArcInformation+11Ej
					; IopStoreArcInformation+14Bj
		mov	ecx, [ecx]
		jmp	short loc_AD9AD6
; 

loc_AD9AEA:				; CODE XREF: IopStoreArcInformation+109j
		cmp	byte ptr [eax+14h], 0
		jz	loc_AE9FBB

loc_AD9AF4:				; CODE XREF: IopStoreArcInformation+105FFj
					; IopStoreArcInformation+10635j
		mov	eax, [eax]
		jmp	short loc_AD9AC7
; 

loc_AD9AF8:				; CODE XREF: IopStoreArcInformation+10Ej
					; IopStoreArcInformation+118j ...
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AD9AFF:				; CODE XREF: IopStoreArcInformation+E0j
					; IopStoreArcInformation+105DEj ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_AD9B04:				; CODE XREF: IopStoreArcInformation+124j
		mov	_IopAmbiguousSystemDisk, 1
		jmp	short loc_AD9AE6
IopStoreArcInformation endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnpInitializeLegacyBusInformationTable()
_PnpInitializeLegacyBusInformationTable@0 proc near
					; CODE XREF: IopInitializePlugPlayServices(x,x)+207p
		mov	eax, offset _IopLegacyBusInformationTable

loc_AD9B13:				; CODE XREF: PnpInitializeLegacyBusInformationTable()+12j
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		cmp	eax, offset _IopLegacyDeviceNode
		jl	short loc_AD9B13
		xor	eax, eax
		retn
_PnpInitializeLegacyBusInformationTable@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopBatteryInit()
_PopBatteryInit@0 proc near		; CODE XREF: PoInitSystem+41Ap
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		mov	dword_6C1CE8, offset PopBatteryWorker
		mov	eax, offset dword_6C2534
		mov	_PopCB,	ebx
		push	edi
		mov	dword_6C2538, eax
		mov	edi, offset byte_6C2674
		mov	dword_6C2534, eax
		mov	eax, offset dword_6C253C
		mov	dword_6C2540, eax
		mov	dword_6C253C, eax
		xor	eax, eax
		push	8
		pop	ecx
		mov	dword_6C2524, ebx
		mov	dword_6C2670, ebx
		mov	dword_6C266C, ebx
		mov	dword_6C2654, ebx
		mov	dword_6C2650, ebx
		rep stosd
		or	dword_6C2634, 0FFFFFFFFh
		mov	byte_6C2674, 1
		mov	byte_6C2630, bl
		mov	byte_6C2644, bl
		mov	dword_6C2648, ebx
		mov	byte_6C264C, bl
		mov	dword_6C2640, ebx
		mov	dword_6C2658, ebx
		mov	dword_6C2660, ebx
		mov	dword_6C2664, ebx
		mov	dword_6C1CEC, ebx
		mov	_PopBatteryWorkItem, ebx

loc_AD9BCE:				; CODE XREF: PopBatteryInit()+B8j
		mov	dword_6C25F0[eax], 2
		add	eax, 10h
		cmp	eax, 40h
		jb	short loc_AD9BCE
		push	ebx
		push	1
		push	offset unk_6C25D8
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		push	offset _PopBatteryWakeDpc@16 ; PopBatteryWakeDpc(x,x,x,x)
		push	offset unk_6C25B8
		mov	dword_6C2668, ebx
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	ebx
		push	offset unk_6C2590
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		mov	byte_6C2530, bl
		mov	dword_6C2580, ebx
		call	KeQueryInterruptTime
		add	eax, 11E1A300h
		push	ebx
		push	offset _PopRefreshEstimateAfterSpoilingDpc@16 ;	PopRefreshEstimateAfterSpoilingDpc(x,x,x,x)
		adc	edx, ebx
		mov	_PopEstimateSpoiledUntilTime, eax
		push	offset _PopPostSpoilingRefresh
		mov	dword_6B3F34, edx
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	ebx
		push	offset unk_6C1D20
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		pop	edi
		mov	byte_6C25E8, 1
		mov	_PopBatteryInitiateIgnoreStatusDuringBoot, 1
		pop	ebx
		retn
_PopBatteryInit@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpReadConfigParameters proc near	; CODE XREF: EtwpInitialize+107p

var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_7C		= dword	ptr -7Ch
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AE9FFA SIZE 00000080 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	0Ah
		xor	esi, esi
		lea	eax, [ebp+var_B8]
		pop	edi
		push	offset ??_C@_1GO@GHPNNIDM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		push	eax
		mov	[ebp+var_AC], esi
		mov	[ebp+var_B8], esi
		mov	[ebp+var_B4], esi
		mov	[ebp+var_B0], esi
		mov	[ebp+var_A4], esi
		mov	[ebp+var_A0], esi
		mov	[ebp+var_9C], edi
		mov	[ebp+var_A8], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_D0], 18h
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_D0]
		push	eax
		push	20019h
		lea	eax, [ebp+var_AC]
		mov	[ebp+var_CC], esi
		push	eax
		mov	[ebp+var_C4], 240h
		mov	[ebp+var_C0], esi
		mov	[ebp+var_BC], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_AD9E3C
		push	70h		; size_t
		lea	eax, [ebp+var_98]
		push	esi		; int
		push	eax		; void *
		call	_memset
		lea	eax, [ebp+var_24]
		mov	[ebp+var_90], offset ??_C@_1BM@MPECCFJP@?$AAR?$AAT?$AAB?$AAa?$AAc?$AAk?$AAl?$AAo?$AAg?$AAR?$AAo?$AAo?$AAt@PBOPGDP@
		mov	[ebp+var_8C], eax
		add	esp, 0Ch
		lea	eax, [ebp+var_B0]
		mov	[ebp+var_74], offset ??_C@_1CK@LDPNDEPP@?$AAM?$AAa?$AAx?$AAN?$AAo?$AAn?$AAP?$AAa?$AAg?$AAe?$AAd?$AAP?$AAo?$AAo?$AAl@PBOPGDP@ ; "MaxNonPagedPoolUsage"
		mov	[ebp+var_84], eax
		mov	ecx, offset EtwpQueryRegistryCallback
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_98], ecx
		mov	[ebp+var_20], eax
		xor	edx, edx
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_7C], ecx
		mov	[ebp+var_70], eax
		inc	edx
		push	4
		pop	ebx
		lea	eax, [ebp+var_9C]
		mov	[ebp+var_88], edx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_A8]
		push	esi
		push	esi
		mov	[ebp+var_10], eax
		lea	eax, [ebp+var_98]
		push	eax
		push	[ebp+var_AC]
		mov	[ebp+var_24], edx
		push	40000000h
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_60], ecx
		mov	[ebp+var_58], offset ??_C@_1CI@KEOGFAIA@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAC?$AAa?$AAp?$AAt?$AAu?$AAr?$AAe?$AAT?$AAi?$AAm@PBOPGDP@
		mov	[ebp+var_50], ebx
		mov	[ebp+var_14], ebx
		call	_RtlQueryRegistryValuesEx@20 ; RtlQueryRegistryValuesEx(x,x,x,x,x)
		test	eax, eax
		js	short loc_AD9E3C
		cmp	[ebp+var_A0], esi
		jnz	loc_AE9FFA

loc_AD9DC9:				; CODE XREF: EtwpReadConfigParameters+103A3j
					; EtwpReadConfigParameters+103C4j ...
		mov	eax, [ebp+var_9C]
		cmp	eax, 32h
		ja	short loc_AD9E23
		cmp	eax, edi
		jb	short loc_AD9E2B

loc_AD9DD8:				; CODE XREF: EtwpReadConfigParameters+10417j
		mov	ecx, [ebp+var_A8]
		mov	edx, 2BF20h
		cmp	ecx, edx
		ja	short loc_AD9E32

loc_AD9DE7:				; CODE XREF: EtwpReadConfigParameters+1DCj
					; EtwpReadConfigParameters+1EAj
		mov	ds:_EtwpMaxNonPagedPoolUsage, eax
		test	esi, esi
		jnz	short loc_AD9E4A

loc_AD9DF0:				; CODE XREF: EtwpReadConfigParameters+1F2j
		test	ecx, ecx
		jnz	short loc_AD9E52

loc_AD9DF4:				; CODE XREF: EtwpReadConfigParameters+1FAj
		cmp	[ebp+var_AC], 0
		jz	short loc_AD9E08
		push	[ebp+var_AC]
		call	_ZwClose@4	; ZwClose(x)

loc_AD9E08:				; CODE XREF: EtwpReadConfigParameters+19Dj
		lea	eax, [ebp+var_A4]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AD9E23:				; CODE XREF: EtwpReadConfigParameters+174j
		push	32h
		pop	eax
		jmp	loc_AEA06F
; 

loc_AD9E2B:				; CODE XREF: EtwpReadConfigParameters+178j
		mov	eax, edi
		jmp	loc_AEA06F
; 

loc_AD9E32:				; CODE XREF: EtwpReadConfigParameters+187j
		mov	ecx, edx
		mov	[ebp+var_A8], ecx
		jmp	short loc_AD9DE7
; 

loc_AD9E3C:				; CODE XREF: EtwpReadConfigParameters+AAj
					; EtwpReadConfigParameters+15Dj
		mov	eax, [ebp+var_9C]
		mov	ecx, [ebp+var_A8]
		jmp	short loc_AD9DE7
; 

loc_AD9E4A:				; CODE XREF: EtwpReadConfigParameters+190j
		mov	ds:_EtwpRTBacklogFileRoot, esi
		jmp	short loc_AD9DF0
; 

loc_AD9E52:				; CODE XREF: EtwpReadConfigParameters+194j
		mov	_EtwpStackCaptureTimeout, ecx
		jmp	short loc_AD9DF4
EtwpReadConfigParameters endp

; 
		align 10h
; Exported entry 1136. KeFindConfigurationEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeFindConfigurationEntry(x,	x, x, x)
		public _KeFindConfigurationEntry@16
_KeFindConfigurationEntry@16 proc near

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+arg_C]
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	KeFindConfigurationNextEntry
		leave
		retn	10h
_KeFindConfigurationEntry@16 endp

; 
		align 8
; Exported entry 1137. KeFindConfigurationNextEntry

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

		public KeFindConfigurationNextEntry
KeFindConfigurationNextEntry proc near	; CODE XREF: KeFindConfigurationEntry(x,x,x,x)+1Ap
					; KeFindConfigurationNextEntry+10210p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h

; FUNCTION CHUNK AT 00AEA07A SIZE 00000039 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		test	ebx, ebx
		jnz	loc_AEA07A
		xor	edx, edx

loc_AD9E9D:				; CODE XREF: KeFindConfigurationNextEntry+101F4j
		mov	esi, [ebp+arg_0]
		mov	[ebp+arg_C], edx
		test	esi, esi
		jz	loc_AD9F36

loc_AD9EAB:				; CODE XREF: KeFindConfigurationNextEntry+41j
		mov	eax, [ebp+arg_10]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_AD9ECB
		cmp	esi, ecx
		jz	short loc_AD9EF1

loc_AD9EB8:				; CODE XREF: KeFindConfigurationNextEntry+49j
					; KeFindConfigurationNextEntry+51j ...
		mov	edi, [esi+8]

loc_AD9EBB:				; CODE XREF: KeFindConfigurationNextEntry+10226j
		test	edi, edi
		jnz	short loc_AD9EF6
		mov	esi, [esi+4]
		test	esi, esi
		jz	short loc_AD9F36
		mov	edx, [ebp+arg_C]
		jmp	short loc_AD9EAB
; 

loc_AD9ECB:				; CODE XREF: KeFindConfigurationNextEntry+2Aj
		mov	ecx, [ebp+arg_4]
		cmp	[esi+0Ch], ecx
		jnz	short loc_AD9EB8
		mov	ecx, [ebp+arg_8]
		cmp	[esi+10h], ecx
		jnz	short loc_AD9EB8
		mov	eax, ebx
		neg	eax
		sbb	eax, eax
		and	eax, [esi+1Ch]
		cmp	eax, edx
		jnz	short loc_AD9F29
		mov	eax, esi

loc_AD9EEA:				; CODE XREF: KeFindConfigurationNextEntry+9Fj
					; KeFindConfigurationNextEntry+B0j ...
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	14h
; 

loc_AD9EF1:				; CODE XREF: KeFindConfigurationNextEntry+2Ej
		and	dword ptr [eax], 0
		jmp	short loc_AD9EB8
; 

loc_AD9EF6:				; CODE XREF: KeFindConfigurationNextEntry+35j
		mov	ecx, [eax]
		test	ecx, ecx
		jnz	loc_AEA081
		mov	ecx, [ebp+arg_4]
		cmp	[edi+0Ch], ecx
		jnz	loc_AEA088
		mov	ecx, [ebp+arg_8]
		cmp	[edi+10h], ecx
		jnz	loc_AEA088
		mov	eax, ebx
		neg	eax
		sbb	eax, eax
		and	eax, [edi+1Ch]
		cmp	eax, edx
		jnz	short loc_AD9F2E
		mov	eax, edi
		jmp	short loc_AD9EEA
; 

loc_AD9F29:				; CODE XREF: KeFindConfigurationNextEntry+5Ej
		mov	eax, [ebp+arg_10]
		jmp	short loc_AD9EB8
; 

loc_AD9F2E:				; CODE XREF: KeFindConfigurationNextEntry+9Bj
		mov	eax, [ebp+arg_10]
		jmp	loc_AEA088
; 

loc_AD9F36:				; CODE XREF: KeFindConfigurationNextEntry+1Dj
					; KeFindConfigurationNextEntry+3Cj
		xor	eax, eax
		jmp	short loc_AD9EEA
KeFindConfigurationNextEntry endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

WheapCreatePerProcessorInfo proc near	; CODE XREF: INIT:00AC41F8p

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEA0B3 SIZE 0000002B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		mov	ebx, ds:_KeNumberProcessors
		mov	eax, large fs:20h
		push	esi
		push	edi
		imul	ecx, ebx, 0Ch
		xor	esi, esi
		mov	eax, [eax+338h]
		push	esi
		movzx	eax, word ptr [eax+8Ah]
		mov	edx, ecx
		or	eax, 80000000h
		mov	[ebp+var_4], ecx
		push	eax
		push	61656857h
		mov	ecx, 200h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jz	loc_AEA0B3
		push	[ebp+var_4]	; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		test	ebx, ebx
		jz	short loc_AD9FAC

loc_AD9F97:				; CODE XREF: WheapCreatePerProcessorInfo+70j
		mov	ecx, esi
		call	_KeGetPrcb@4	; KeGetPrcb(x)
		mov	[eax+4050h], edi
		add	edi, 0Ch
		inc	esi
		cmp	esi, ebx
		jb	short loc_AD9F97

loc_AD9FAC:				; CODE XREF: WheapCreatePerProcessorInfo+5Bj
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
WheapCreatePerProcessorInfo endp

; 
		align 4

;  S U B	R O U T	I N E 


KitInitialize	proc near		; CODE XREF: INIT:00AC2E05p
		mov	edi, edi
		push	esi
		call	_KitpInitAitSampleRate@4 ; KitpInitAitSampleRate(x)
		push	offset _KitEtwHandle
		xor	esi, esi
		push	esi
		push	esi
		push	offset _MS_Windows_AIT_Provider
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		test	eax, eax
		js	loc_AEA0D0
		pop	esi
		retn
KitInitialize	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KitpInitAitSampleRate(x)
_KitpInitAitSampleRate@4 proc near	; CODE XREF: KitInitialize+3p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		test	ecx, ecx
		jz	short loc_ADA026
		mov	eax, [ecx+78h]
		test	eax, eax
		jz	short loc_ADA005
		push	(offset	loc_ADCBDD+1) ;	char *
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_ADA026

loc_ADA005:				; CODE XREF: KitpInitAitSampleRate(x)+18j
		lea	eax, [ebp+var_4]
		push	eax
		call	_KitpOpenRegKey@12 ; KitpOpenRegKey(x,x,x)
		test	eax, eax
		js	short loc_ADA026
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_8]
		push	eax
		call	KitpReadUlongFromKey
		test	eax, eax
		jns	short loc_ADA026
		and	[ebp+var_8], 0

loc_ADA026:				; CODE XREF: KitpInitAitSampleRate(x)+11j
					; KitpInitAitSampleRate(x)+29j	...
		push	4
		lea	eax, [ebp+var_8]
		push	eax
		push	6Fh
		call	_ZwSetSystemInformation@12 ; ZwSetSystemInformation(x,x,x)
		cmp	[ebp+var_4], 0
		jz	short locret_ADA041
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

locret_ADA041:				; CODE XREF: KitpInitAitSampleRate(x)+5Dj
		leave
		retn
_KitpInitAitSampleRate@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopInitCrashDumpDuringSysInit proc near	; CODE XREF: INIT:00AC2F1Fp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_1		= dword	ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		mov	eax, ds:__imp__HalSetEnvironmentVariableEx@20 ;	HalSetEnvironmentVariableEx(x,x,x,x,x)
		push	ebx
		xor	ebx, ebx
		mov	_IopReportBugCheckProgress, eax
		push	esi
		mov	esi, ecx
		mov	byte ptr [ebp+var_1], bl
		cmp	_ForceDumpDisabled, bl
		jnz	short loc_ADA070
		call	SecureDump_Init
		test	eax, eax
		js	short loc_ADA0D0

loc_ADA070:				; CODE XREF: IopInitCrashDumpDuringSysInit+21j
					; IopInitCrashDumpDuringSysInit+93j
		mov	ecx, esi
		call	_IopBuildSpecialMemoryTable@4 ;	IopBuildSpecialMemoryTable(x)
		push	38h		; size_t
		lea	eax, [ebp+var_3C]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_3C], offset _IopInitCrashDumpRegCallback@24 ; IopInitCrashDumpRegCallback(x,x,x,x,x,x)
		lea	eax, [ebp+var_1]
		mov	[ebp+var_38], 4
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_34], offset ??_C@_1CE@PLNJMHPE@?$AAE?$AAx?$AAi?$AAs?$AAt?$AAi?$AAn?$AAg?$AAP?$AAa?$AAg?$AAe?$AAF?$AAi?$AAl@PBOPGDP@ ; "ExistingPageFiles"
		push	ebx
		push	esi
		push	eax
		push	offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@PBOPGDP@
		push	2
		mov	[ebp+var_2C], ebx
		call	_RtlQueryRegistryValuesEx@20 ; RtlQueryRegistryValuesEx(x,x,x,x,x)
		cmp	byte ptr [ebp+var_1], bl
		jz	sub_AEA0DE

loc_ADA0BF:				; CODE XREF: sub_AEA0DE+1Cj
		mov	ecx, [esi+84h]
		call	IopInitializeOfflineCrashDump
		pop	esi
		mov	eax, ebx
		pop	ebx
		leave
		retn
; 

loc_ADA0D0:				; CODE XREF: IopInitCrashDumpDuringSysInit+2Aj
		mov	_ForceDumpDisabled, 1
		jmp	short loc_ADA070
IopInitCrashDumpDuringSysInit endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopInitializeIrpWorkers()
_PopInitializeIrpWorkers@0 proc	near	; CODE XREF: PoInitSystem+1DEp
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		xor	ecx, ecx
		mov	eax, offset _PopIrpThreadList
		push	7FFFFFFFh
		xor	ebx, ebx
		mov	dword_6C0064, eax
		mov	_PopIrpThreadList, eax
		inc	ebx
		mov	eax, offset _PopIrpWorkerList
		mov	_PopCreateIrpWorkerAllowed, bl
		push	ecx
		push	offset _PopIrpWorkerSemaphore
		mov	_PopIrpWorkerCount, ecx
		mov	_PopIrpWorkerInFlightCount, ecx
		mov	_PopIrpWorkerPendingCount, ecx
		mov	_PopIrpWorkerRequested,	cl
		mov	dword_6C2334, eax
		mov	_PopIrpWorkerList, eax
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		xor	edi, edi
		push	edi
		push	ebx
		push	offset _PopIrpWorkerControlEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	ebx
		push	offset unk_6C008C
		mov	_PopIrpWorkerMutex, ebx
		mov	dword_6C0084, edi
		mov	dword_6C0088, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		push	72496F50h
		push	4
		push	200h
		push	edi
		push	edi
		push	offset _PopDynamicIrpWorkerLookaside
		call	ExInitializeNPagedLookasideListInternal
		xor	edx, edx
		mov	ecx, offset PopIrpWorkerControl
		call	_PopCreatePowerThread@8	; PopCreatePowerThread(x,x)
		test	eax, eax
		js	short loc_ADA1A8
		push	2
		pop	ebx
		mov	_PopIrpWorkerPendingCount, ebx
		mov	esi, edi

loc_ADA191:				; CODE XREF: PopInitializeIrpWorkers()+CAj
		xor	edx, edx
		mov	ecx, offset PopIrpWorker
		call	_PopCreatePowerThread@8	; PopCreatePowerThread(x,x)
		test	eax, eax
		js	short loc_ADA1A8
		inc	esi
		cmp	esi, ebx
		jb	short loc_ADA191
		mov	eax, edi

loc_ADA1A8:				; CODE XREF: PopInitializeIrpWorkers()+AAj
					; PopInitializeIrpWorkers()+C5j
		pop	edi
		pop	esi
		pop	ebx
		retn
_PopInitializeIrpWorkers@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpWorkerFactoryInitialization proc near ; CODE	XREF: ExpInitSystemPhase1+129p

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEA0FF SIZE 00000026 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, _ExpWorkerFactoryThreadCreationTimeoutInSeconds
		mov	edx, 258h
		push	ebx
		push	esi
		xor	esi, esi
		xor	ebx, ebx
		inc	esi
		mov	[ebp+var_4], ebx
		push	edi
		cmp	eax, esi
		jb	loc_AEA0FF
		cmp	eax, edx
		ja	loc_AEA103

loc_ADA1D9:				; CODE XREF: ExpWorkerFactoryInitialization+FF5Ej
		mov	ecx, _ExpWorkerFactoryThreadIdleTimeoutInSeconds
		cmp	ecx, esi
		jb	loc_AEA10F
		cmp	ecx, edx
		ja	loc_AEA11A

loc_ADA1EF:				; CODE XREF: ExpWorkerFactoryInitialization+FF69j
					; ExpWorkerFactoryInitialization+FF74j
		or	dword_6BBA3C, 0FFFFFFFFh
		mov	ecx, 0FF676980h
		or	dword_6BBA44, 0FFFFFFFFh
		mov	edi, offset _ExpWorkerFactoryManagerQueue
		imul	ecx
		push	ebx
		push	edi
		mov	_ExpWorkerFactoryDeferredLongTimeout, eax
		mov	dword_6BBA34, edx
		mov	_ExpWorkerFactoryDeferredMediumTimeout,	0FFEDB080h
		mov	_ExpWorkerFactoryDeferredShortTimeout, 0FFFB6C20h
		mov	_ExpWorkerFactoryThreadCreationList, ebx
		mov	dword_6BBA4C, ebx
		call	_KeInitializeQueue@8 ; KeInitializeQueue(x,x)
		push	esi
		mov	esi, offset _ExpWorkerFactoryThreadCreationTimer
		push	esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	offset _ExpWorkerFactoryThreadCreationBlock
		mov	edx, edi
		mov	ecx, esi
		call	KeRegisterObjectNotification
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_60]
		mov	_ExpWorkerFactoryThreadCreationState, ebx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	word ptr [ebp+var_60], si
		lea	edi, [ebp+var_54]
		mov	[ebp+var_58], 100h
		lea	eax, [ebp+var_60]
		mov	esi, offset _ExpWorkerFactoryMapping
		add	esp, 0Ch
		movsd
		push	offset _ExpWorkerFactoryObjectType
		push	ebx
		push	eax
		movsd
		push	offset dword_AF6CA4
		movsd
		movsd
		mov	[ebp+var_3C], 200h
		mov	[ebp+var_34], 108h
		mov	[ebp+var_44], 0F00FFh
		mov	[ebp+var_28], offset _ExpCloseWorkerFactory@16 ; ExpCloseWorkerFactory(x,x,x,x)
		mov	[ebp+var_24], offset _ExpDeleteWorkerFactory@4 ; ExpDeleteWorkerFactory(x)
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_ADA2E5
		push	ebx
		push	offset ExpWorkerFactoryManagerThread
		push	ebx
		push	ebx
		push	ebx
		push	1FFFFFh
		lea	eax, [ebp+var_4]
		push	eax
		call	_PsCreateSystemThread@28 ; PsCreateSystemThread(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_ADA2E5
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_ADA2E5:				; CODE XREF: ExpWorkerFactoryInitialization+112j
					; ExpWorkerFactoryInitialization+12Fj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
ExpWorkerFactoryInitialization endp


;  S U B	R O U T	I N E 


KiInitializeNxSupportDiscard proc near	; CODE XREF: KiInitializeNXSupport()+8j

; FUNCTION CHUNK AT 00AEA125 SIZE 0000005C BYTES

		mov	al, ds:0FFDF02D5h
		and	al, 0FDh
		or	al, 1
		mov	ds:0FFDF02D5h, al
		mov	eax, ds:_KeLoaderBlock
		push	offset ??_C@_0BD@BLJGODAL@NOEXECUTE?$DNALWAYSON@PBOPGDP@ ; "NOEXECUTE=ALWAYSON"
		push	dword ptr [eax+78h] ; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_ADA354
		mov	eax, ds:_KeLoaderBlock
		push	offset ??_C@_0BB@LHMFFKLJ@NOEXECUTE?$DNOPTOUT@PBOPGDP@ ; "NOEXECUTE=OPTOUT"
		push	dword ptr [eax+78h] ; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_ADA378
		mov	eax, ds:_KeLoaderBlock
		push	offset ??_C@_0BA@LJLLKALL@NOEXECUTE?$DNOPTIN@PBOPGDP@ ;	"NOEXECUTE=OPTIN"
		push	dword ptr [eax+78h] ; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_AEA125

loc_ADA346:				; CODE XREF: KiInitializeNxSupportDiscard+FE67j
					; KiInitializeNxSupportDiscard+FE83j
		mov	al, ds:0FFDF02D5h
		and	al, 0FEh
		or	al, 2
		mov	ds:0FFDF02D5h, al

loc_ADA354:				; CODE XREF: KiInitializeNxSupportDiscard+24j
					; KiInitializeNxSupportDiscard+93j ...
		call	_KiTryForceEnableNx@0 ;	KiTryForceEnableNx()
		call	KiIsNXSupported
		test	al, al
		jz	short locret_ADA377
		mov	ecx, 0C0000080h
		rdmsr
		or	eax, 800h
		wrmsr
		mov	byte ptr ds:0FFDF0280h,	1

locret_ADA377:				; CODE XREF: KiInitializeNxSupportDiscard+74j
		retn
; 

loc_ADA378:				; CODE XREF: KiInitializeNxSupportDiscard+3Cj
		or	byte ptr ds:0FFDF02D5h,	3
		jmp	short loc_ADA354
KiInitializeNxSupportDiscard endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiTryForceEnableNx()
_KiTryForceEnableNx@0 proc near		; CODE XREF: KiInitializeNxSupportDiscard:loc_ADA354p

var_14		= dword	ptr -14h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_14]
		stosd
		xor	ecx, ecx
		push	ebx
		stosd
		stosd
		stosd
		xor	eax, eax
		inc	eax
		lea	edi, [ebp+var_14]
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		test	[ebp+var_8], 4000000h
		pop	edi
		pop	esi
		pop	ebx
		jz	short loc_ADA3D5
		call	KiGetCpuVendor
		cmp	eax, 1
		jnz	short loc_ADA3D5
		mov	_KiNxForceEnable, al

loc_ADA3D5:				; CODE XREF: KiTryForceEnableNx()+42j
					; KiTryForceEnableNx()+4Cj
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KiTryForceEnableNx@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopCreateTimebrokerServiceSid proc near	; CODE XREF: PoInitSystem+4E1p

var_8		= dword	ptr -8
var_4		= word ptr -4

; FUNCTION CHUNK AT 00AEA181 SIZE 00000010 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_4], 500h
		push	6
		mov	[ebp+var_8], ebx
		call	_RtlLengthRequiredSid@4	; RtlLengthRequiredSid(x)
		push	67696450h
		mov	edi, eax
		push	edi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_ADA471
		push	edi		; size_t
		push	ebx		; int
		push	esi		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_8]
		push	6
		push	eax
		push	esi
		call	_RtlInitializeSid@12 ; RtlInitializeSid(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_ADA462
		mov	dword ptr [esi+8], 50h
		mov	dword ptr [esi+0Ch], 187ED4D7h
		mov	dword ptr [esi+10h], 980B98E7h
		mov	dword ptr [esi+14h], 66628D6Fh
		mov	dword ptr [esi+18h], 8A5CB7F7h
		mov	dword ptr [esi+1Ch], 0DFDF7EBBh
		mov	_PopTimeBrokerServiceSid, esi
		mov	esi, ebx

loc_ADA462:				; CODE XREF: PopCreateTimebrokerServiceSid+4Cj
		test	esi, esi
		jnz	loc_AEA181

loc_ADA46A:				; CODE XREF: PopCreateTimebrokerServiceSid+94j
					; PopCreateTimebrokerServiceSid+FDAAj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_ADA471:				; CODE XREF: PopCreateTimebrokerServiceSid+2Fj
		mov	edi, 0C0000017h
		jmp	short loc_ADA46A
PopCreateTimebrokerServiceSid endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopInitializeHighPerfPowerRequest proc near ; CODE XREF: PoInitSystem+57Ep

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEA191 SIZE 0000000D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	esi
		push	edi
		xor	edi, edi
		push	edi
		push	offset PpmHighPerfRequestExpiration
		push	offset _PpmHighPerfEndDpc
		mov	[ebp+var_4], edi
		mov	_PpmHighPerfRequestLock, edi
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	edi
		push	offset _PpmHighPerfEndTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		mov	eax, edi
		mov	edx, 493E0h

loc_ADA4AF:				; CODE XREF: PopInitializeHighPerfPowerRequest+4Dj
		mov	ecx, ds:_PpmHighPerfDuration[eax]
		cmp	ecx, edx
		jnb	short loc_ADA521

loc_ADA4B9:				; CODE XREF: PopInitializeHighPerfPowerRequest+ABj
		mov	ds:_PpmHighPerfDuration[eax], ecx
		add	eax, 4
		cmp	eax, 10h
		jb	short loc_ADA4AF
		xor	esi, esi
		mov	[ebp+var_18], edi
		push	offset ??_C@_1BM@ICKAFFLD@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@PBOPGDP@ ;	"Power Manager"
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], edi
		inc	esi
		mov	[ebp+var_10], edi
		push	eax
		mov	[ebp+var_C], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		xor	dl, dl
		push	eax
		push	edi
		push	esi
		push	edi
		lea	ecx, [ebp+var_20]
		call	_PoCaptureReasonContext@24 ; PoCaptureReasonContext(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_ADA51B
		mov	edx, [ebp+var_4]
		mov	ecx, offset _PpmHighPerfPowerRequest
		call	_PopCreateKernelPowerRequest@8 ; PopCreateKernelPowerRequest(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEA191

loc_ADA51B:				; CODE XREF: PopInitializeHighPerfPowerRequest+8Aj
					; PopInitializeHighPerfPowerRequest+FD21j
		pop	edi
		mov	eax, esi
		pop	esi
		leave
		retn
; 

loc_ADA521:				; CODE XREF: PopInitializeHighPerfPowerRequest+3Fj
		mov	ecx, edx
		jmp	short loc_ADA4B9
PopInitializeHighPerfPowerRequest endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeBootDefaults proc near	; CODE XREF: MiInitNucleus(x)+7Fp

; FUNCTION CHUNK AT 00AEA19E SIZE 000000EB BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	ds:_MmSystemRangeStart,	80000000h
		mov	ds:_MmUserProbeAddress,	7FFF0000h
		push	(offset	loc_ADCBDD+1) ;	char *
		mov	eax, [edi+90h]
		mov	dword_6D07CC, eax
		mov	ds:_MmHighestUserAddress, 7FFEFFFFh
		push	dword ptr [edi+78h] ; char *
		call	_strstr
		pop	ecx
		xor	esi, esi
		pop	ecx
		test	eax, eax
		jnz	loc_AEA19E
		mov	eax, ds:_MmPageValidationFrequency
		bsr	ecx, eax
		push	1
		pop	ebx
		jnz	loc_AEA1CB

loc_ADA584:				; CODE XREF: MiInitializeBootDefaults+FCA9j
		mov	ds:_MmPageValidationFrequency, eax
		test	eax, eax
		jnz	loc_AEA1D4

loc_ADA591:				; CODE XREF: MiInitializeBootDefaults+FCBEj
		mov	ecx, _MmVerifierData
		test	ecx, ecx
		jnz	loc_AEA1E9

loc_ADA59F:				; CODE XREF: MiInitializeBootDefaults+FCD5j
					; MiInitializeBootDefaults+FCE3j
		cmp	ds:_MmSpecialPoolTag, esi
		jnz	loc_AEA20E

loc_ADA5AB:				; CODE XREF: MiInitializeBootDefaults+FCEEj
		test	byte ptr ds:_MiFlags, 1
		jnz	loc_AEA219

loc_ADA5B8:				; CODE XREF: MiInitializeBootDefaults+FCA0j
					; MiInitializeBootDefaults+FCF9j ...
		mov	eax, ds:_MiFlags
		or	eax, 8
		test	_NtGlobalFlag, 80000h
		mov	ds:_MiFlags, eax
		jnz	short loc_ADA5D9
		or	eax, 40h
		mov	ds:_MiFlags, eax

loc_ADA5D9:				; CODE XREF: MiInitializeBootDefaults+A9j
		push	esi
		push	offset MiAllocatePfnRepurposeLogDispatch
		push	offset unk_6D3264
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	eax, ds:dword_7051CC
		mov	ecx, 0FF676980h
		imul	ecx
		mov	ecx, ebx
		mov	dword_6CF548, esi
		mov	dword_6D0600, eax
		mov	eax, offset dword_6D0608
		mov	dword_6D060C, eax
		mov	dword_6D0608, eax
		mov	eax, ds:_MmHighestUserAddress
		mov	dword_6CF59C, esi
		mov	dword_6D3158, 5
		mov	dword_6D3180, esi
		mov	dword_6D3540, esi
		mov	dword_6D0604, edx
		mov	dword_6CF3C8, esi
		mov	dword_6CF3D4, eax
		call	ExGenRandom
		movzx	eax, al
		mov	ecx, 0FFFFFE80h
		sub	ecx, eax
		shl	ecx, 10h
		add	dword_6CF3D4, ecx
		cmp	dword_6D07CC, 0
		jnz	loc_AEA237

loc_ADA668:				; CODE XREF: MiInitializeBootDefaults+FD5Ej
		mov	eax, ds:_MmSystemRangeStart
		pop	edi
		pop	esi
		mov	dword_6D07D0, eax
		pop	ebx
		leave
		retn
MiInitializeBootDefaults endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PnpMarkHalDeviceNode()
_PnpMarkHalDeviceNode@0	proc near	; CODE XREF: INIT:00AC2C58p
		mov	edi, edi
		push	ecx
		mov	eax, _IopRootDeviceNode
		mov	ecx, [eax+4]
		jmp	short loc_ADA69B
; 

loc_ADA685:				; CODE XREF: PnpMarkHalDeviceNode()+25j
		mov	eax, [ecx+0ACh]
		cmp	eax, 307h
		jz	short loc_ADA6A1
		cmp	eax, 308h
		jz	short loc_ADA6A1

loc_ADA699:				; CODE XREF: PnpMarkHalDeviceNode()+33j
		mov	ecx, [ecx]

loc_ADA69B:				; CODE XREF: PnpMarkHalDeviceNode()+Bj
		test	ecx, ecx
		jnz	short loc_ADA685
		pop	ecx
		retn
; 

loc_ADA6A1:				; CODE XREF: PnpMarkHalDeviceNode()+18j
					; PnpMarkHalDeviceNode()+1Fj
		test	dword ptr [ecx+10Ch], 1000h
		jnz	short loc_ADA699
		push	4
		pop	edx
		mov	ds:_IopInitHalDeviceNode, ecx
		call	PipSetDevNodeFlags
		pop	ecx
		retn
_PnpMarkHalDeviceNode@0	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

InitSkuSessionParameters proc near	; CODE XREF: Phase1InitializationDiscard(x):loc_AC0DAFp

var_1		= byte ptr -1

; FUNCTION CHUNK AT 00AEA289 SIZE 0000001B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		lea	ecx, [ebp-1]
		mov	[ebp+var_1], 0
		call	ExIsMultiSessionSku
		test	eax, eax
		js	short loc_ADA6E5
		cmp	[ebp+var_1], 0
		jz	short loc_ADA6E5
		or	dword ptr ds:0FFDF02F0h, 100h

loc_ADA6E5:				; CODE XREF: InitSkuSessionParameters+15j
					; InitSkuSessionParameters+1Bj
		cmp	_RtlpMultiUsersInSessionSupported, 0
		jnz	loc_AEA289

loc_ADA6F2:				; CODE XREF: InitSkuSessionParameters+FBD5j
		cmp	_CmStateSeparationEnabled, 0
		jnz	loc_AEA298
		leave
		retn
InitSkuSessionParameters endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PoInitDriverServices()
_PoInitDriverServices@0	proc near	; CODE XREF: INIT:00AC2C4Dp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_4]
		mov	esi, offset PopNotifyPolicyDevice
		push	eax
		push	1
		push	esi
		push	_PnpDriverObject
		xor	ebx, ebx
		push	offset _GUID_DEVICE_THERMAL_ZONE
		push	ebx
		push	2
		pop	edi
		push	edi
		mov	[ebp+var_4], ebx
		call	IoRegisterPlugPlayNotification
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ebx
		push	eax
		push	edi
		push	esi
		push	_PnpDriverObject
		push	offset _GUID_DEVICE_BATTERY
		push	ebx
		push	edi
		call	IoRegisterPlugPlayNotification
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ebx
		push	eax
		push	3
		push	esi
		push	_PnpDriverObject
		push	offset _GUID_DEVICE_MEMORY
		push	ebx
		push	edi
		call	IoRegisterPlugPlayNotification
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ebx
		push	eax
		push	8
		push	esi
		push	_PnpDriverObject
		push	offset _GUID_DEVICE_ACPI_TIME
		push	ebx
		push	edi
		call	IoRegisterPlugPlayNotification
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ebx
		push	eax
		push	9
		push	esi
		push	_PnpDriverObject
		push	offset _GUID_DEVICE_FAN
		push	ebx
		push	edi
		call	IoRegisterPlugPlayNotification
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], ebx
		push	eax
		push	ebx
		push	offset _PopCadHpmiPnpNotification@8 ; PopCadHpmiPnpNotification(x,x)
		push	_PnpDriverObject
		push	offset _GUID_DEVINTERFACE_HPMI
		push	1
		push	edi
		call	IoRegisterPlugPlayNotification
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PoInitDriverServices@0	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeI386VdmInitialize()
_KeI386VdmInitialize@0 proc near	; CODE XREF: INIT:00ABFC8Dp

var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	esi, esi
		xor	edi, edi
		push	esi
		inc	edi
		mov	[ebp+var_38], esi
		push	edi
		xor	dl, dl
		mov	[ebp+var_40], esi
		mov	ecx, offset _VdmStringIoMutex
		mov	[ebp+var_3C], esi
		mov	[ebp+var_44], esi
		call	KiInitializeMutant
		push	(offset	loc_ADE941+1)
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_40]
		mov	[ebp+var_5C], 18h
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_5C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_38]
		mov	[ebp+var_58], esi
		push	eax
		mov	[ebp+var_50], 40h
		mov	[ebp+var_4C], esi
		mov	[ebp+var_48], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_ADA887
		push	offset ??_C@_1BG@POLIPCMA@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAV?$AAm?$AAe@PBOPGDP@
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_44]
		push	eax
		push	2Eh
		lea	eax, [ebp+var_34]
		push	eax
		push	esi
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+var_38]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_ADA87F
		mov	eax, ds:_KeFeatureBits
		and	eax, edi
		or	eax, esi
		jz	short loc_ADA87F
		push	edi
		push	offset _Ki386VdmEnablePentiumExtentions@4 ; Ki386VdmEnablePentiumExtentions(x)
		call	KeIpiGenericCall
		mov	_KeI386VirtualIntExtensions, edi

loc_ADA87F:				; CODE XREF: KeI386VdmInitialize()+9Bj
					; KeI386VdmInitialize()+A6j
		push	[ebp+var_38]
		call	_ZwClose@4	; ZwClose(x)

loc_ADA887:				; CODE XREF: KeI386VdmInitialize()+72j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KeI386VdmInitialize@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KseShimDatabaseBootInitialize proc near	; CODE XREF: KseInitialize+4Dp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

; FUNCTION CHUNK AT 00AEA2A4 SIZE 0000012F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	edi, ecx
		mov	esi, edx
		push	9
		pop	ecx
		cmp	_KsepShimDbDuringBoot, ebx
		jnz	loc_AEA2A4

loc_ADA8B4:				; CODE XREF: KseShimDatabaseBootInitialize+FA5Aj
		cmp	_KsepShimDbHandle, ebx
		jnz	loc_AEA2F5

loc_ADA8C0:				; CODE XREF: KseShimDatabaseBootInitialize+FA95j
					; KseShimDatabaseBootInitialize+FAACj
		push	50h		; size_t
		push	ebx		; int
		push	offset _KsepShimDb ; void *
		mov	_KsepShimDbLock, ebx
		mov	_KsepShimDbDuringBoot, 1
		mov	_KsepShimDbHandle, ebx
		call	_memset
		add	esp, 0Ch
		test	edi, edi
		jz	short loc_ADA929
		test	esi, esi
		jz	short loc_ADA929
		push	offset _KsepShimDb
		mov	edx, esi
		mov	ecx, edi
		call	KsepSdbBootInitialize
		mov	esi, eax
		test	esi, esi
		js	short loc_ADA91F
		mov	ecx, [ebp+arg_0]
		test	ecx, ecx
		jnz	loc_AEA347

loc_ADA90D:				; CODE XREF: KseShimDatabaseBootInitialize+FAB6j
					; KseShimDatabaseBootInitialize+FAD6j ...
		inc	_KsepShimDbRefCount
		mov	esi, ebx
		mov	_KsepShimDbHandle, offset _KsepShimDb

loc_ADA91F:				; CODE XREF: KseShimDatabaseBootInitialize+6Aj
					; KseShimDatabaseBootInitialize+98j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		pop	ecx
		pop	ebp
		retn	8		; char
; 

loc_ADA929:				; CODE XREF: KseShimDatabaseBootInitialize+52j
					; KseShimDatabaseBootInitialize+56j
		mov	esi, 0C0000001h
		jmp	short loc_ADA91F
KseShimDatabaseBootInitialize endp


;  S U B	R O U T	I N E 


MiInitializeSystemDefaults proc	near	; CODE XREF: MiInitNucleus(x)+57p

; FUNCTION CHUNK AT 00AEA3D3 SIZE 00000062 BYTES

		cmp	_KiSMTProcessorsPresent, 0
		push	ebx
		push	esi
		push	edi
		mov	edi, ecx
		mov	byte_6D3630, 2
		mov	dword_6D06C0, 25h
		jz	loc_AEA3D3
		mov	eax, large fs:20h
		mov	eax, [eax+344h]

loc_ADA95F:				; CODE XREF: MiInitializeSystemDefaults+FAA6j
		mov	esi, ds:_KiKvaShadowMode
		xor	ebx, ebx
		shl	esi, 16h
		xor	esi, ds:_MiFlags
		and	esi, 0C00000h
		mov	dword_6D06C4, eax
		xor	esi, ds:_MiFlags
		mov	ecx, esi
		mov	ds:_MiFlags, esi
		shr	ecx, 16h
		and	ecx, 3
		mov	eax, ecx
		sub	eax, ebx
		jz	loc_AEA3E4
		sub	eax, 1
		jz	loc_AEA3F2
		sub	eax, 1
		jnz	loc_AEA3DB
		mov	word_6D07B8, 100h

loc_ADA9B4:				; CODE XREF: MiInitializeSystemDefaults+FAAEj
					; MiInitializeSystemDefaults+FABDj ...
		test	ecx, ecx
		jz	short loc_ADA9EB
		mov	ebx, ds:_KiImplementedPhysicalBits
		test	ebx, ebx
		jle	short loc_ADA9E9
		xor	eax, eax
		lea	ecx, [ebx-1]
		inc	eax
		xor	edx, edx
		call	__allshl
		dec	bl
		mov	dword_6D0700, eax
		mov	dword_6D0704, edx
		mov	byte_6B1D4A, bl
		mov	byte_6B1D4B, 4

loc_ADA9E9:				; CODE XREF: MiInitializeSystemDefaults+90j
		xor	ebx, ebx

loc_ADA9EB:				; CODE XREF: MiInitializeSystemDefaults+86j
		mov	eax, _KiAccessBitErrata
		sub	eax, 1
		jz	loc_AEA406
		sub	eax, 1
		jz	loc_AEA3FE

loc_ADAA02:				; CODE XREF: MiInitializeSystemDefaults+FAE2j
		push	offset ??_C@_0BH@BPBKOJIE@NOACCESSBITREPLACEMENT@PBOPGDP@ ; "NOACCESSBITREPLACEMENT"
		push	dword ptr [edi+78h] ; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_AEA417

loc_ADAA19:				; CODE XREF: MiInitializeSystemDefaults+FAF1j
		mov	ecx, ds:_KeFeatureBits
		mov	eax, ecx
		and	eax, 100000h
		or	eax, ebx
		jnz	loc_AEA426
		and	ecx, (offset loc_7FFFFF+1)
		or	ecx, ebx
		jz	short loc_ADAA42
		or	ds:_MiFlags, 200h

loc_ADAA42:				; CODE XREF: MiInitializeSystemDefaults+106j
					; MiInitializeSystemDefaults+FB00j
		pop	edi
		pop	esi
		pop	ebx
		retn
MiInitializeSystemDefaults endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpInitializeSecurity proc near	; CODE XREF: EtwpInitialize+ABp

var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= dword	ptr -208h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEA435 SIZE 00000075 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 234h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_210]
		push	offset ??_C@_1IA@OGAIDGCB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ ; "\\Registry\\Machine\\System\\CurrentControl"...
		push	eax
		mov	[ebp+var_230], edi
		mov	[ebp+var_22C], edi
		mov	[ebp+var_210], edi
		mov	[ebp+var_20C], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	ebx
		lea	eax, [ebp+var_210]
		mov	[ebp+var_228], ebx
		mov	[ebp+var_220], eax
		lea	eax, [ebp+var_228]
		push	eax
		push	20019h
		push	offset _EtwpSecurityKeyHandle
		mov	[ebp+var_224], edi
		mov	[ebp+var_21C], 240h
		mov	[ebp+var_218], edi
		mov	[ebp+var_214], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_ADAB4C

loc_ADAAD4:				; CODE XREF: EtwpInitializeSecurity+10Cj
		lea	eax, [ebp+var_234]
		push	eax		; int
		push	1FEh		; int
		lea	eax, [ebp+var_208]
		push	eax		; void *
		push	edi		; int
		push	edi		; void *
		push	edi		; int
		push	offset ??_C@_1CA@GCICNJFG@?$AAE?$AAT?$AAW?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AAP?$AAa?$AAt?$AAh@PBOPGDP@ ; "ETWSecurityPath"
		call	RtlGetPersistedStateLocation
		mov	esi, eax
		test	esi, esi
		jz	loc_AEA435

loc_ADAAFE:				; CODE XREF: EtwpInitializeSecurity+FA50j
		cmp	_EtwpSecurityKeyHandle,	edi
		jz	short loc_ADAB3B
		mov	_EtwpMutableSecurityKeyHandle, edi
		mov	esi, edi

loc_ADAB0E:				; CODE XREF: EtwpInitializeSecurity+FA4Aj
		push	offset ??_C@_1EK@DAACFDEJ@?$AA0?$AA8?$AA1?$AA1?$AAc?$AA1?$AAa?$AAf?$AA?9?$AA7?$AAa?$AA0?$AA7?$AA?9?$AA4@PBOPGDP@
		lea	eax, [ebp+var_230]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, offset _EtwpDefaultTraceSecurityDescriptor
		lea	ecx, [ebp+var_230]
		call	EtwpGetGuidSecurityDescriptor
		cmp	_EtwpDefaultTraceSecurityDescriptor, edi
		jz	loc_AEA49B

loc_ADAB3B:				; CODE XREF: EtwpInitializeSecurity+BEj
					; EtwpInitializeSecurity+FA5Fj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_ADAB4C:				; CODE XREF: EtwpInitializeSecurity+8Cj
		mov	_EtwpSecurityKeyHandle,	edi
		jmp	short loc_ADAAD4
EtwpInitializeSecurity endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ExpInitializeSvm proc near		; CODE XREF: ExpInitSystemPhase1+15Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEA4AA SIZE 0000003C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	offset _ExpSvmIommuSystemContext
		push	offset _ExpSvmAgents
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		push	eax
		mov	eax, _HalIommuDispatch
		push	ebx
		mov	[ebp+var_4], ebx
		call	dword ptr [eax+4]
		mov	esi, [ebp+var_4]
		cmp	esi, 1
		ja	loc_AEA4AA

loc_ADAB86:				; CODE XREF: ExpInitializeSvm+F98Dj
		jz	short loc_ADAB92
		mov	edi, _ExpSvmWorkQueues
		test	edi, edi
		jnz	short loc_ADABA0

loc_ADAB92:				; CODE XREF: ExpInitializeSvm:loc_ADAB86j
		mov	edi, offset _ExpSvmStaticWorkQueue
		xor	esi, esi
		mov	_ExpSvmWorkQueues, edi
		inc	esi

loc_ADABA0:				; CODE XREF: ExpInitializeSvm+3Cj
		mov	_ExpSvmNumberOfWorkQueues, esi
		mov	eax, ebx
		mov	[ebp+var_8], eax
		test	esi, esi
		jz	short loc_ADABE8

loc_ADABAF:				; CODE XREF: ExpInitializeSvm+90j
		and	dword ptr [ebx+edi], 0
		push	eax
		mov	[ebx+edi+0Ch], eax
		lea	eax, [edi+10h]
		push	offset _ExpSvmDpcRoutine@16 ; ExpSvmDpcRoutine(x,x,x,x)
		add	eax, ebx
		mov	dword ptr [ebx+edi+8], offset _ExpSvmWorkerThread@4 ; ExpSvmWorkerThread(x)
		push	eax
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	eax, [ebp+var_8]
		inc	eax
		mov	dword ptr [ebx+edi+30h], 0
		add	ebx, 34h
		mov	[ebp+var_8], eax
		cmp	eax, esi
		jb	short loc_ADABAF
		xor	ebx, ebx

loc_ADABE8:				; CODE XREF: ExpInitializeSvm+59j
		mov	eax, _HalIommuDispatch
		pop	edi
		pop	esi
		mov	dword ptr [eax+30h], offset _ExpSvmFaultRoutine@4 ; ExpSvmFaultRoutine(x)
		mov	dword ptr [eax+34h], offset _ExpSvmReferenceAsid@4 ; ExpSvmReferenceAsid(x)
		mov	dword ptr [eax+38h], offset _ExpSvmDereferenceAsid@4 ; ExpSvmDereferenceAsid(x)
		mov	dword ptr [eax+3Ch], offset _ExpSvmServicePageFault@12 ; ExpSvmServicePageFault(x,x,x)
		mov	eax, offset _ExpSvmDevices
		mov	dword_6BBB10, ebx
		mov	_ExpSvmDeviceListLock, ebx
		mov	dword_6BBB5C, eax
		mov	_ExpSvmDevices,	eax
		pop	ebx
		leave
		retn
ExpInitializeSvm endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnpInitializeDeviceEvents()
_PnpInitializeDeviceEvents@0 proc near	; CODE XREF: IopInitializePlugPlayServices(x,x)+84Ep
		mov	edi, edi
		push	ebx
		push	esi
		push	edi
		push	4A706E50h
		push	4Ch
		push	200h
		xor	edi, edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:_PnpDeviceEventList,	eax
		test	eax, eax
		jz	short loc_ADACB2
		xor	ebx, ebx
		lea	ecx, [eax+4]
		push	edi
		inc	ebx
		xor	dl, dl
		push	ebx
		call	KiInitializeMutant
		mov	esi, ds:_PnpDeviceEventList
		push	edi
		push	ebx
		lea	eax, [esi+30h]
		mov	[esi+24h], ebx
		push	eax
		mov	[esi+28h], edi
		mov	[esi+2Ch], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		lea	eax, [esi+44h]
		mov	dword ptr [esi], 103h
		mov	[eax+4], eax
		mov	[eax], eax
		push	ebx
		push	offset unk_6CB74C
		mov	_PnpNotificationInProgressLock,	ebx
		mov	dword_6CB744, edi
		mov	dword_6CB748, edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	ebx
		push	edi
		push	offset _PnpEventQueueEmpty
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)

loc_ADACAC:				; CODE XREF: PnpInitializeDeviceEvents()+8Dj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_ADACB2:				; CODE XREF: PnpInitializeDeviceEvents()+1Fj
		mov	edi, 0C000009Ah
		jmp	short loc_ADACAC
_PnpInitializeDeviceEvents@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PopInitializeAdpm()
_PopInitializeAdpm@0 proc near		; CODE XREF: PoInitSystem+745p
		mov	edi, edi
		push	edi
		push	offset _PopAdpmLock
		call	ExInitializeResourceLite
		xor	eax, eax
		mov	edi, offset _PopConsoleContext
		and	_PopMaximumConnectionSessions, eax
		and	_PopConnectionState, eax
		push	0Ah
		pop	ecx
		rep stosd
		or	_PopConsoleContext, 0FFFFFFFFh
		xor	ecx, ecx
		mov	dword_6BFBC0, 3
		pop	edi
		jmp	PopExtendConnectionState
_PopInitializeAdpm@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopInitializeSystemIdleDetection()
_PopInitializeSystemIdleDetection@0 proc near ;	CODE XREF: PoInitSystem+78Dp
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PopSystemIdleLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	ecx, ecx
		inc	ecx
		mov	dword_6C00E4, eax
		call	_PopPulseSystemIdleEvent@4 ; PopPulseSystemIdleEvent(x)
		xor	edi, edi
		push	edi
		push	offset _PopCheckForIdleness@16 ; PopCheckForIdleness(x,x,x,x)
		push	offset _PopIdleScanDpc
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	edi
		push	offset _PopIdleScanTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		mov	esi, _PopIdleScanInterval
		test	esi, esi
		jz	short loc_ADAD7C
		push	0FFFFFFFFh
		push	0FF676980h
		push	edi
		push	esi
		call	__allmul
		push	offset _PopIdleScanDpc
		imul	ecx, esi, 3E8h
		push	3E8h
		push	ecx
		push	edx
		push	eax
		push	offset _PopIdleScanTimer
		call	_KeSetCoalescableTimer@24 ; KeSetCoalescableTimer(x,x,x,x,x,x)

loc_ADAD7C:				; CODE XREF: PopInitializeSystemIdleDetection()+57j
		cmp	dword_6C00E4, edi
		jz	short loc_ADAD8A
		mov	dword_6C00E4, edi

loc_ADAD8A:				; CODE XREF: PopInitializeSystemIdleDetection()+8Aj
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
_PopInitializeSystemIdleDetection@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpInitializeRegistration()
_EtwpInitializeRegistration@0 proc near	; CODE XREF: EtwpInitialize+10Cp

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		xor	dl, dl
		push	ebx
		push	1
		mov	ecx, offset _EtwpGlobalMutex
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	KiInitializeMutant
		push	58h
		pop	esi
		mov	eax, offset _EtwpReplyListHead
		mov	_EtwpReplyListLock, ebx
		push	esi		; size_t
		mov	dword_6BC0F4, eax
		mov	_EtwpReplyListHead, eax
		lea	eax, [ebp+var_60]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	word ptr [ebp+var_60], si
		lea	edi, [ebp+var_54]
		mov	esi, offset _EtwpGenericMapping
		mov	[ebp+var_58], 100h
		add	esp, 0Ch
		lea	eax, [ebp+var_8]
		movsd
		push	offset ??_C@_1CA@BGGJKOKC@?$AAE?$AAt?$AAw?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn@PBOPGDP@
		push	eax
		movsd
		movsd
		movsd
		or	byte ptr [ebp+var_60+2], 18h
		mov	[ebp+var_44], 804h
		mov	[ebp+var_3C], 200h
		mov	[ebp+var_34], 3Ch
		mov	[ebp+var_2C], offset _EtwpOpenRegistrationObject@24 ; EtwpOpenRegistrationObject(x,x,x,x,x,x)
		mov	[ebp+var_28], offset EtwpCloseRegistrationObject
		mov	[ebp+var_24], offset EtwpDeleteRegistrationObject
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _EtwpRegistrationObjectType
		push	ebx
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpInitializeRegistration@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PopInitializePowerSettings()
_PopInitializePowerSettings@0 proc near	; CODE XREF: PoInitSystem+404p
		push	2
		mov	eax, offset _PopSessionSpecificLists
		pop	ecx

loc_ADAE58:				; CODE XREF: PopInitializePowerSettings()+13j
		mov	[eax+4], eax
		mov	[eax], eax
		add	eax, 8
		sub	ecx, 1
		jnz	short loc_ADAE58
		push	edi
		xor	eax, eax
		mov	_PopPendingPowerSettingUpdateLock, ecx
		inc	eax
		mov	dword_6C3464, ecx
		push	ecx
		push	eax
		push	offset unk_6C346C
		mov	_PopSettingLock, eax
		mov	dword_6C3468, ecx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, offset _PopRegisteredPowerSettingCallbacks
		mov	edi, offset _PopPrimaryDisplayVisibleStateErratum
		mov	dword_6C216C, eax
		mov	_PopRegisteredPowerSettingCallbacks, eax
		mov	eax, offset _PopPowerSettings
		push	6
		mov	dword_6C214C, eax
		mov	_PopPowerSettings, eax
		xor	eax, eax
		pop	ecx
		rep stosd
		mov	_PopPrimaryDisplayVisibleStateErratum, offset _WNF_PO_PRIMARY_DISPLAY_VISIBLE_STATE
		pop	edi
		retn
_PopInitializePowerSettings@0 endp


;  S U B	R O U T	I N E 


PspInitializeJobStructures proc	near	; CODE XREF: PspInitPhase0+5FFp

; FUNCTION CHUNK AT 00AEA4E6 SIZE 0000001E BYTES

		xor	edx, edx
		xor	ecx, ecx
		call	ExCreateHandleTable
		mov	ds:_PspUniqueJobIdTable, eax
		test	eax, eax
		jz	short loc_ADAF3B
		or	byte ptr [eax+1Ch], 1
		mov	eax, offset _PspJobList
		mov	ds:dword_A93C6C, eax
		mov	ds:_PspJobList,	eax
		xor	eax, eax
		mov	ds:_PspJobListLock, eax
		mov	ds:_PspJobAssignmentLock, eax
		mov	dword_6BEE58, offset PspJobNotificationWorker
		mov	dword_6BEE5C, eax
		mov	_PspJobNotificationItem, eax
		mov	dword_6BEE38, offset _PspJobTimeLimitsWork@4 ; PspJobTimeLimitsWork(x)
		mov	dword_6BEE3C, eax
		mov	_PspJobTimeLimitsWorkItem, eax
		call	_PspInitializeStorageStructures@0 ; PspInitializeStorageStructures()
		cmp	ds:_PspJobNoWakeChargeLimit, eax
		jz	loc_AEA4E6

loc_ADAF2C:				; CODE XREF: PspInitializeJobStructures+F62Ej
		cmp	ds:_PspSystemNoWakeChargeLimit,	eax
		jz	loc_AEA4F5

loc_ADAF38:				; CODE XREF: PspInitializeJobStructures+F63Dj
		mov	al, 1
		retn
; 

loc_ADAF3B:				; CODE XREF: PspInitializeJobStructures+10j
		xor	al, al
		retn
PspInitializeJobStructures endp


;  S U B	R O U T	I N E 


; __stdcall PspInitializeStorageStructures()
_PspInitializeStorageStructures@0 proc near ; CODE XREF: PspInitializeJobStructures+59p
		and	_PspStorageBitmapLock, 0
		mov	_PspStorageBitmap, 20h
		mov	dword_6BED3C, offset _PspStorageBitmapBits
		mov	_PspStorageExpansionBitmap, 100h
		mov	dword_6BED34, offset _PspStorageExpansionBitmapBits
		retn
_PspInitializeStorageStructures@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpMutantInitialization()
_ExpMutantInitialization@0 proc	near	; CODE XREF: ExpInitSystemPhase1+8Ep

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		push	offset ??_C@_1O@FBKOCLFA@?$AAM?$AAu?$AAt?$AAa?$AAn?$AAt@PBOPGDP@
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_60]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, large fs:124h
		add	esp, 0Ch
		push	_KdDumpEnableOffset ; size_t
		mov	eax, [eax+80h]
		add	eax, 18h
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	word ptr [ebp+var_60], si
		lea	edi, [ebp+var_54]
		mov	[ebp+var_5C], 40h
		lea	eax, [ebp+var_60]
		mov	[ebp+var_58], 100h
		mov	esi, (offset loc_AF6CBA+2)
		add	esp, 0Ch
		movsd
		push	offset _ExMutantObjectType
		push	ebx
		push	eax
		movsd
		lea	eax, [ebp+var_8]
		push	eax
		movsd
		movsd
		mov	[ebp+var_3C], 200h
		mov	[ebp+var_34], 20h
		mov	[ebp+var_44], 1F0001h
		mov	[ebp+var_24], offset _ExpDeleteMutant@4	; ExpDeleteMutant(x)
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		pop	edi
		test	eax, eax
		pop	esi
		setns	al
		pop	ebx
		leave
		retn
_ExpMutantInitialization@0 endp


;  S U B	R O U T	I N E 


CmpInitGlobalQuotaAllowed proc near	; CODE XREF: CmInitSystem1(x)+ADp

; FUNCTION CHUNK AT 00AEA504 SIZE 0000003F BYTES

		mov	edi, edi
		push	esi
		mov	esi, ds:_MmSizeOfPagedPoolInBytes
		xor	edx, edx
		push	0Ah
		mov	eax, esi
		mov	ds:_CmpSizeOfPagedPoolInBytes, esi
		pop	ecx
		div	ecx
		shl	eax, 3
		cmp	ds:_CmRegistrySizeLimitLength, 4
		jz	loc_AEA504

loc_ADB03E:				; CODE XREF: CmpInitGlobalQuotaAllowed+F4F5j
					; CmpInitGlobalQuotaAllowed+F503j
		push	3
		mov	eax, esi
		xor	edx, edx
		pop	ecx
		div	ecx

loc_ADB047:				; CODE XREF: CmpInitGlobalQuotaAllowed+F512j
					; CmpInitGlobalQuotaAllowed+F51Aj
		mov	ecx, 7FFFFFFFh
		mov	ds:_CmpGlobalQuota, eax
		pop	esi
		cmp	eax, ecx
		ja	short loc_ADB099

loc_ADB056:				; CODE XREF: CmpInitGlobalQuotaAllowed+8Aj
		mov	ecx, 1000000h
		cmp	eax, ecx
		jb	short loc_ADB0A2

loc_ADB05F:				; CODE XREF: CmpInitGlobalQuotaAllowed+93j
		push	64h
		xor	edx, edx
		pop	ecx
		div	ecx
		imul	eax, 5Fh
		mov	ds:_CmpGlobalQuotaWarning, eax
		mov	eax, _CmSystemHiveLimitSize
		test	eax, eax
		jnz	short loc_ADB0AB
		push	eax
		call	_MmGetNumberOfPhysicalPages@4 ;	MmGetNumberOfPhysicalPages(x)
		and	eax, 0FFFFFFFEh
		cmp	eax, 32000h
		jb	loc_AEA535
		mov	eax, 19000h

loc_ADB090:				; CODE XREF: CmpInitGlobalQuotaAllowed+F528j
		shl	eax, 0Ch

loc_ADB093:				; CODE XREF: CmpInitGlobalQuotaAllowed+98j
		mov	_CmSystemHiveLimitSize,	eax
		retn
; 

loc_ADB099:				; CODE XREF: CmpInitGlobalQuotaAllowed+3Ej
		mov	eax, ecx
		mov	ds:_CmpGlobalQuota, eax
		jmp	short loc_ADB056
; 

loc_ADB0A2:				; CODE XREF: CmpInitGlobalQuotaAllowed+47j
		mov	eax, ecx
		mov	ds:_CmpGlobalQuota, eax
		jmp	short loc_ADB05F
; 

loc_ADB0AB:				; CODE XREF: CmpInitGlobalQuotaAllowed+5Fj
		shl	eax, 14h
		jmp	short loc_ADB093
CmpInitGlobalQuotaAllowed endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpProfileInitialization()
_ExpProfileInitialization@0 proc near	; CODE XREF: ExpInitSystemPhase1+DCp

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_24		= dword	ptr -24h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		xor	dl, dl
		push	ebx
		push	1
		mov	ecx, offset _ExpProfileStateMutex
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	KiInitializeMutant
		push	offset ??_C@_1BA@OKEJPPOI@?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl?$AAe@PBOPGDP@
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_60]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	word ptr [ebp+var_60], si
		lea	edi, [ebp+var_54]
		mov	[ebp+var_58], 100h
		lea	eax, [ebp+var_60]
		mov	[ebp+var_3C], 200h
		mov	esi, offset _ExpProfileMapping
		mov	[ebp+var_34], 38h
		add	esp, 0Ch
		mov	[ebp+var_44], 0F0001h
		mov	[ebp+var_24], offset _ExpProfileDelete@4 ; ExpProfileDelete(x)
		movsd
		push	offset _ExProfileObjectType
		push	ebx
		push	eax
		movsd
		lea	eax, [ebp+var_8]
		push	eax
		movsd
		movsd
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		pop	edi
		test	eax, eax
		pop	esi
		setns	al
		pop	ebx
		leave
		retn
_ExpProfileInitialization@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipUnloadEarlyLaunchDrivers(x)
_PipUnloadEarlyLaunchDrivers@4 proc near ; CODE	XREF: IopInitializeBootDrivers+3EAp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		lea	edi, [ecx+28h]
		xor	ebx, ebx
		mov	esi, [edi]
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		cmp	esi, edi
		jz	short loc_ADB1AB

loc_ADB15E:				; CODE XREF: PipUnloadEarlyLaunchDrivers(x)+31j
		mov	ecx, esi
		mov	esi, [esi]
		cmp	[ecx+1Ch], ebx
		jl	short loc_ADB171
		add	ecx, 10h
		mov	dl, 1
		call	IopUnloadDriver

loc_ADB171:				; CODE XREF: PipUnloadEarlyLaunchDrivers(x)+23j
		cmp	esi, edi
		jnz	short loc_ADB15E
		push	offset ??_C@_1CO@IJDDDFMO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ ; "\\Registry\\Machine\\ELAM"
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], 18h
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_20]
		push	1
		push	eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_14], 240h
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		call	_ZwUnloadKey2@8	; ZwUnloadKey2(x,x)

loc_ADB1AB:				; CODE XREF: PipUnloadEarlyLaunchDrivers(x)+1Aj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_PipUnloadEarlyLaunchDrivers@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

SaveNodeDistanceInformation proc near	; CODE XREF: INIT:00ABFC88p

var_84		= dword	ptr -84h
var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_2D		= byte ptr -2Dh
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEA543 SIZE 00000606 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		or	[ebp+var_38], 0FFFFFFFFh
		xor	edx, edx
		push	ebx
		push	esi
		movzx	esi, ds:_KeNumberNodes
		xor	eax, eax
		mov	[ebp+var_6C], edx
		mov	ebx, edx
		mov	[ebp+var_68], edx
		mov	[ebp+var_64], edx
		mov	[ebp+var_60], edx
		mov	[ebp+var_5C], edx
		mov	[ebp+var_34], esi
		mov	[ebp+var_40], ebx
		push	edi
		lea	edi, [ebp+var_84]
		push	6
		pop	ecx
		rep stosd
		test	esi, esi
		jz	loc_AEA543

loc_ADB201:				; CODE XREF: SaveNodeDistanceInformation+6Cj
		mov	ecx, ds:_KeNodeBlock[edx*4]
		mov	ax, [ecx+8Ah]
		cmp	ax, [ecx+8Ch]
		jnz	short loc_ADB219
		inc	ebx

loc_ADB219:				; CODE XREF: SaveNodeDistanceInformation+66j
		inc	edx
		cmp	edx, esi
		jb	short loc_ADB201
		mov	[ebp+var_40], ebx
		cmp	ebx, 1
		jnz	loc_AEA543

loc_ADB22A:				; CODE XREF: SaveNodeDistanceInformation+F986j
					; SaveNodeDistanceInformation+F994j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
SaveNodeDistanceInformation endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

EtwpInitializeCoverageSampler proc near	; CODE XREF: EtwpInitialize+227p

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEAB49 SIZE 00000049 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 60h
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, offset unk_6BC090
		mov	ecx, esi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		mov	_EtwpCovSampGlobals, edi
		call	@ExInitializeRundownProtection@4 ; ExInitializeRundownProtection(x)
		mov	ecx, esi
		call	@ExWaitForRundownProtectionRelease@4 ; ExWaitForRundownProtectionRelease(x)
		mov	ecx, esi
		call	@ExRundownCompleted@4 ;	ExRundownCompleted(x)
		push	offset ??_C@_1CA@KFAJNICF@?$AAC?$AAo?$AAv?$AAe?$AAr?$AAa?$AAg?$AAe?$AAS?$AAa?$AAm?$AAp?$AAl?$AAe?$AAr@PBOPGDP@ ; "CoverageSampler"
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_60]
		push	edi		; int
		push	eax		; void *
		call	_memset
		or	byte ptr [ebp+var_60+2], 4
		lea	eax, [ebp+var_60]
		add	esp, 0Ch
		mov	word ptr [ebp+var_60], si
		mov	[ebp+var_3C], 1
		mov	[ebp+var_38], 3D0h
		mov	[ebp+var_58], 192h
		push	offset dword_6BC088
		push	edi
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_44], 1F0001h
		push	eax
		mov	[ebp+var_28], offset _EtwpCoverageSamplerClose@16 ; EtwpCoverageSamplerClose(x,x,x,x)
		mov	[ebp+var_24], offset _EtwpCoverageSamplerDelete@4 ; EtwpCoverageSamplerDelete(x)
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		test	eax, eax
		js	loc_AEAB49
		pop	edi
		pop	esi
		leave
		retn
EtwpInitializeCoverageSampler endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpEventInitialization()
_ExpEventInitialization@0 proc near	; CODE XREF: ExpInitSystemPhase1:loc_AC30C9p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		push	offset ??_C@_1M@JJBFPLJB@?$AAE?$AAv?$AAe?$AAn?$AAt@PBOPGDP@
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_60]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	word ptr [ebp+var_60], si
		mov	[ebp+var_58], 100h
		lea	edi, [ebp+var_54]
		mov	esi, offset _ExpEventMapping
		push	10h
		pop	eax
		mov	[ebp+var_5C], eax
		movsd
		push	offset _ExEventObjectType
		push	ebx
		movsd
		movsd
		movsd
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebp+var_3C], 200h
		push	eax
		mov	[ebp+var_44], 1F0003h
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		pop	edi
		test	eax, eax
		pop	esi
		setns	al
		pop	ebx
		leave
		retn
_ExpEventInitialization@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

KeI386InitializeSEHOP proc near		; CODE XREF: INIT:00ABFE06p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	ds:_KiI386SEHOPEnabled,	0
		jz	short locret_ADB3D8
		push	ebx
		push	esi
		mov	esi, large fs:1Ch
		mov	ecx, [esi]
		cmp	ecx, 0FFFFFFFFh
		jz	short loc_ADB384

loc_ADB379:				; CODE XREF: KeI386InitializeSEHOP+28j
		mov	eax, [ecx]
		mov	esi, ecx
		mov	ecx, eax
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_ADB379

loc_ADB384:				; CODE XREF: KeI386InitializeSEHOP+1Dj
		xor	ecx, ecx
		call	ExGenRandom
		or	ds:_KiI386FinalExceptionRegistration, 0FFFFFFFFh
		and	eax, 3Fh
		add	eax, offset _FinalExceptionHandler@16 ;	""...
		mov	ds:dword_70E74C, eax
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	bl, al
		mov	eax, offset _KiI386FinalExceptionRegistration
		mov	ds:_KiI386ExceptionChainTerminator, eax
		mov	[esi], eax
		lea	eax, [ebp+var_4]
		mov	ecx, ds:_KiI386ExceptionChainTerminator
		push	eax
		push	4
		push	0Fh
		mov	[ebp+var_4], ecx
		call	off_6B2BC8	; xHalSetSystemInformation(x,x,x)
		pop	esi
		test	bl, bl
		pop	ebx
		jz	short loc_ADB3D0
		sti

loc_ADB3D0:				; CODE XREF: KeI386InitializeSEHOP+73j
		test	eax, eax
		js	loc_AEAB59

locret_ADB3D8:				; CODE XREF: KeI386InitializeSEHOP+Dj
		leave
		retn
KeI386InitializeSEHOP endp


;  S U B	R O U T	I N E 


ExpWnfAllocateDispatcher proc near	; CODE XREF: ExpInitSystemPhase1+109p
		mov	eax, large fs:20h
		mov	ecx, 200h
		push	ebx
		push	0
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	20666E57h
		push	18h
		pop	ebx
		mov	edx, ebx
		call	ExpAllocatePoolWithTagFromNode
		mov	edx, eax
		mov	_ExpWnfDispatcher, edx
		test	edx, edx
		jnz	loc_AEAB68
		xor	al, al
		pop	ebx
		retn
ExpWnfAllocateDispatcher endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PpmInitHeteroEngine proc near		; CODE XREF: PoInitSystem+59Dp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEAB92 SIZE 0000001D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		push	0FFFFh
		call	KeQueryMaximumProcessorCountEx
		mov	edi, 704D5050h
		mov	[ebp+var_8], eax
		push	edi
		mov	ebx, 200h
		lea	ecx, [eax+2]
		imul	esi, ecx, 3
		push	esi
		push	ebx
		mov	[ebp+var_4], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:_PpmHeteroCapability, eax
		test	eax, eax
		jz	loc_AEABA5
		push	edi
		push	esi
		push	ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	ds:_PpmHeteroCapabilityTest, ebx
		test	ebx, ebx
		jz	loc_AEAB92
		push	esi		; size_t
		mov	esi, ds:_PpmHeteroCapability
		xor	edi, edi
		push	edi		; int
		push	esi		; void *
		call	_memset
		push	[ebp+var_4]	; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		mov	eax, [ebp+var_8]
		add	esp, 18h
		mov	[esi], eax
		mov	[ebx], eax

loc_ADB499:				; CODE XREF: PpmInitHeteroEngine+F78Cj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PpmInitHeteroEngine endp


;  S U B	R O U T	I N E 


; __stdcall PiCslInitialize()
_PiCslInitialize@0 proc	near		; CODE XREF: IopInitializePlugPlayServices(x,x)+B1Ap
		mov	edi, edi
		push	esi
		mov	_PipCslConsoleLockState, 0
		call	_PipCslCreateCallback@4	; PipCslCreateCallback(x)
		mov	esi, eax
		test	esi, esi
		js	short loc_ADB4D1
		push	0
		push	offset PipCslStateChangeCallback
		push	_PipCslCallbackObject
		call	ExRegisterCallback
		mov	_PipCslInitialized, 1

loc_ADB4D1:				; CODE XREF: PiCslInitialize()+16j
		mov	eax, esi
		pop	esi
		retn
_PiCslInitialize@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipCslCreateCallback(x)
_PipCslCreateCallback@4	proc near	; CODE XREF: PiCslInitialize()+Dp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		push	(offset	loc_ADE8AD+1)
		lea	eax, [ebp+var_8]
		xor	esi, esi
		push	eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], 18h
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_20]
		push	1
		push	eax
		push	offset _PipCslCallbackObject
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], 50h
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		call	_ExCreateCallback@16 ; ExCreateCallback(x,x,x,x)
		pop	esi
		leave
		retn
_PipCslCreateCallback@4	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExpSemaphoreInitialization()
_ExpSemaphoreInitialization@0 proc near	; CODE XREF: ExpInitSystemPhase1+B5p

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		push	offset ??_C@_1BE@NPGPGCB@?$AAS?$AAe?$AAm?$AAa?$AAp?$AAh?$AAo?$AAr?$AAe@PBOPGDP@
		lea	eax, [ebp+var_8]
		xor	ebx, ebx
		push	eax
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	58h
		pop	esi
		push	esi		; size_t
		lea	eax, [ebp+var_60]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	word ptr [ebp+var_60], si
		lea	edi, [ebp+var_54]
		mov	[ebp+var_5C], 8
		lea	eax, [ebp+var_60]
		mov	[ebp+var_58], 100h
		mov	esi, offset _ExpSemaphoreMapping
		add	esp, 0Ch
		movsd
		push	offset _ExSemaphoreObjectType
		push	ebx
		push	eax
		movsd
		lea	eax, [ebp+var_8]
		push	eax
		movsd
		movsd
		mov	[ebp+var_3C], 200h
		mov	[ebp+var_34], 14h
		mov	[ebp+var_44], 1F0003h
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		pop	edi
		test	eax, eax
		pop	esi
		setns	al
		pop	ebx
		leave
		retn
_ExpSemaphoreInitialization@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall EtwpInitializeRealTimeConnection()
_EtwpInitializeRealTimeConnection@0 proc near ;	CODE XREF: EtwpInitialize+116p

var_60		= dword	ptr -60h
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_44		= dword	ptr -44h
var_3C		= dword	ptr -3Ch
var_34		= dword	ptr -34h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		push	ebx
		push	esi
		push	edi
		push	58h
		xor	eax, eax
		pop	ebx
		push	ebx		; size_t
		push	eax		; int
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_60]
		push	eax		; void *
		call	_memset
		mov	esi, offset _EtwpGenericMapping
		mov	word ptr [ebp+var_60], bx
		mov	[ebp+var_58], 100h
		lea	edi, [ebp+var_54]
		add	esp, 0Ch
		lea	eax, [ebp+var_8]
		movsd
		push	offset ??_C@_1BI@DKHDGCKG@?$AAE?$AAt?$AAw?$AAC?$AAo?$AAn?$AAs?$AAu?$AAm?$AAe?$AAr@PBOPGDP@ ; "EtwConsumer"
		push	eax
		movsd
		movsd
		movsd
		or	byte ptr [ebp+var_60+2], 18h
		mov	[ebp+var_44], 400h
		mov	[ebp+var_3C], 200h
		mov	[ebp+var_34], ebx
		mov	[ebp+var_2C], offset _EtwpOpenRegistrationObject@24 ; EtwpOpenRegistrationObject(x,x,x,x,x,x)
		mov	[ebp+var_28], offset _EtwpCloseRealTimeConnectionObject@16 ; EtwpCloseRealTimeConnectionObject(x,x,x,x)
		mov	[ebp+var_24], offset _EtwpDeleteRealTimeConnectionObject@4 ; EtwpDeleteRealTimeConnectionObject(x)
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset _EtwpRealTimeConnectionObjectType
		push	0
		lea	eax, [ebp+var_60]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		call	_ObCreateObjectType@16 ; ObCreateObjectType(x,x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_EtwpInitializeRealTimeConnection@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

VhdInitialize	proc near		; CODE XREF: IopInitializeBootDrivers+450p

var_C8		= dword	ptr -0C8h
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= byte ptr -24h
var_20		= dword	ptr -20h
var_1C		= byte ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= dword	ptr -1

; FUNCTION CHUNK AT 00AEABAF SIZE 00000284 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_8], ecx
		lea	edi, [ebp+var_38]
		xor	ebx, ebx
		stosd
		push	90h		; size_t
		push	ebx		; int
		mov	[ebp+var_28], ebx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_C8]
		push	eax		; void *
		call	_memset
		mov	edi, [ebp+var_8]
		add	esp, 0Ch
		xor	eax, eax
		mov	byte ptr [ebp+var_1], bl
		mov	dword ptr [ebp+var_24],	ebx
		mov	esi, eax
		mov	[ebp+var_20], ebx
		push	offset ??_C@_06IKDJBIPJ@vdisk?$CI@PBOPGDP@ ; char *
		push	dword ptr [edi+68h] ; char *
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		mov	dword ptr [ebp+var_1C],	eax
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_AEABAF

loc_ADB69A:				; CODE XREF: VhdInitialize+F589j
					; VhdInitialize+F5A6j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
VhdInitialize	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PpmInitCoreParkingPolicy()
_PpmInitCoreParkingPolicy@0 proc near	; CODE XREF: PoInitSystem+3EEp
		xor	ecx, ecx
		mov	byte_6BF92C, 64h
		mov	byte_6BFA1C, 64h
		mov	eax, ecx

loc_ADB6B4:				; CODE XREF: PpmInitCoreParkingPolicy()+30j
		mov	byte_6BF92E[eax], 64h
		mov	byte_6BFA1E[eax], 64h
		mov	byte_6BF919[eax], cl
		mov	byte_6BFA09[eax], cl
		inc	eax
		cmp	eax, 2
		jb	short loc_ADB6B4
		xor	eax, eax
		mov	word_6BF920, cx
		inc	eax
		mov	word_6BFA10, cx
		mov	dword_6BF928, eax
		mov	dword_6BFA18, eax
		mov	dword_6BF924, eax
		mov	dword_6BFA14, eax
		mov	word_6BF91C, 6146h
		mov	word_6BFA0C, 6146h
		mov	byte_6BF91E, 14h
		mov	byte_6BFA0E, 14h
		retn
_PpmInitCoreParkingPolicy@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

ObpInitStackTrace proc near		; CODE XREF: ObInitSystem+345p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEAE33 SIZE 00000164 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		push	ebx
		push	esi
		push	edi
		xor	esi, esi
		mov	[ebp+var_4], offset _ObpObjectBuckets
		push	40h		; size_t
		mov	[ebp+var_4], offset _ObpMaxStacks
		mov	edi, offset _ObpRegTracePoolTags
		mov	[ebp+var_4], offset _ObpTraceDepth
		mov	ebx, esi
		push	esi		; int
		mov	[ebp+var_4], offset _ObpStackBuckets
		push	edi		; void *
		mov	[ebp+var_8], ebx
		mov	[ebp+var_4], offset _ObpStacksPerBucket
		mov	_ObpStackTraceLock, esi
		mov	dword_6C4368, offset _ObpPushStackInfoQueue@4 ;	ObpPushStackInfoQueue(x)
		mov	dword_6C436C, esi
		mov	_ObpPushStackInfoWorkItem, esi
		mov	_ObpPushStackInfoList, esi
		call	_memset
		push	40h		; size_t
		push	esi		; int
		push	offset _ObpRuntimeTracePoolTags	; void *
		call	_memset
		add	esp, 18h
		mov	_ObpNumTracedObjects, esi
		mov	_ObpStackSequence, esi
		cmp	_ObpTraceProcessNameBuffer, bx
		jnz	loc_AEAE33

loc_ADB7A7:				; CODE XREF: ObpInitStackTrace+F77Fj
		cmp	_ObpTracePoolTagsBuffer, 0
		jnz	loc_AEAE9E

loc_ADB7B5:				; CODE XREF: ObpInitStackTrace+F7F7j
		test	ebx, ebx
		jnz	loc_AEAF16

loc_ADB7BD:				; CODE XREF: ObpInitStackTrace+F752j
					; ObpInitStackTrace+F82Ej ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
ObpInitStackTrace endp


;  S U B	R O U T	I N E 


; __stdcall PnpDiagInitialize()
_PnpDiagInitialize@0 proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+8E8p
		mov	edi, edi
		push	esi
		mov	eax, offset _MS_KernelPnP_Provider_Context
		mov	ecx, offset _MS_KernelPnP_Provider
		push	eax
		push	eax
		xor	esi, esi
		call	_McGenEventRegister_EtwRegister@16 ; McGenEventRegister_EtwRegister(x,x,x,x)
		mov	ecx, eax
		mov	eax, _MS_KernelPnP_Provider_Context
		mov	_PnpEtwHandle, eax
		mov	eax, dword_6B23C4
		mov	dword_6D4DF4, eax
		test	ecx, ecx
		js	short loc_ADB810

loc_ADB7F2:				; CODE XREF: PnpDiagInitialize()+50j
		push	offset _PnpRundownEtwHandle
		push	0
		push	offset _PnpDiagRundownRegisterCallback@36 ; PnpDiagRundownRegisterCallback(x,x,x,x,x,x,x,x,x)
		push	(offset	loc_408C66+2)
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		test	eax, eax
		js	short loc_ADB814

loc_ADB80C:				; CODE XREF: PnpDiagInitialize()+54j
		mov	eax, esi
		pop	esi
		retn
; 

loc_ADB810:				; CODE XREF: PnpDiagInitialize()+2Ej
		mov	esi, ecx
		jmp	short loc_ADB7F2
; 

loc_ADB814:				; CODE XREF: PnpDiagInitialize()+48j
		mov	esi, eax
		jmp	short loc_ADB80C
_PnpDiagInitialize@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopTriggerDiagTraceAoAcCapability(x)
_PopTriggerDiagTraceAoAcCapability@4 proc near ; CODE XREF: PoInitSystem+66Bp

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopTriggerDiagHandleRegistered, 0
		jz	short loc_ADB884
		push	ebx
		push	esi
		mov	esi, dword_6C1D7C
		mov	ebx, (offset loc_408C87+1)
		push	edi
		mov	edi, _PopTriggerDiagHandle
		push	ebx
		push	esi
		push	edi
		call	EtwEventEnabled
		test	al, al
		jz	short loc_ADB881
		movzx	eax, _PopPlatformAoAc
		xor	ecx, ecx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_14], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	1
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_10], ecx
		mov	[ebp+var_C], 4
		mov	[ebp+var_8], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_ADB881:				; CODE XREF: PopTriggerDiagTraceAoAcCapability(x)+39j
		pop	edi
		pop	esi
		pop	ebx

loc_ADB884:				; CODE XREF: PopTriggerDiagTraceAoAcCapability(x)+19j
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PopTriggerDiagTraceAoAcCapability@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiProtectSharedUserPage	proc near	; CODE XREF: MiInitNucleus(x)+17Cp

var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEAF97 SIZE 00000063 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_A0]
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	eax, 0C07FEF80h
		add	esp, 0Ch
		mov	esi, [eax]
		nop
		mov	edi, ds:0C07FEF84h
		cmp	edi, ebx
		jg	loc_AEAF97
		jl	short loc_ADB8DF
		cmp	esi, ebx
		jnb	loc_AEAF97

loc_ADB8DF:				; CODE XREF: MiProtectSharedUserPage+45j
		mov	ecx, esi
		mov	eax, edi
		shrd	ecx, eax, 8
		movzx	eax, byte ptr word_6D07B8
		and	ecx, 1
		cdq
		cmp	ecx, eax
		jnz	loc_AEAF97
		cmp	ebx, edx
		jnz	loc_AEAF97

loc_ADB902:				; CODE XREF: MiProtectSharedUserPage+F765j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
MiProtectSharedUserPage	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall WmipInitializeAllocs()
_WmipInitializeAllocs@0	proc near	; CODE XREF: WMIInitialize(x,x)+17p
		mov	edi, edi
		push	esi
		xor	esi, esi
		push	esi
		push	53446D57h
		push	40h
		push	esi
		push	esi
		push	esi
		push	offset _WmipDSChunkInfoLookaside
		call	_ExInitializePagedLookasideList@28 ; ExInitializePagedLookasideList(x,x,x,x,x,x,x)
		push	esi
		push	45476D57h
		push	70h
		push	esi
		push	esi
		push	esi
		push	offset _WmipGEChunkInfoLookaside
		call	_ExInitializePagedLookasideList@28 ; ExInitializePagedLookasideList(x,x,x,x,x,x,x)
		push	esi
		push	53496D57h
		push	34h
		push	esi
		push	esi
		push	esi
		push	offset _WmipISChunkInfoLookaside
		call	_ExInitializePagedLookasideList@28 ; ExInitializePagedLookasideList(x,x,x,x,x,x,x)
		push	esi
		push	524D6D57h
		push	1Ch
		push	esi
		push	esi
		push	esi
		push	offset _WmipMRChunkInfoLookaside
		call	_ExInitializePagedLookasideList@28 ; ExInitializePagedLookasideList(x,x,x,x,x,x,x)
		pop	esi
		retn
_WmipInitializeAllocs@0	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopInitializeSessionNotifications()
_IopInitializeSessionNotifications@0 proc near ; CODE XREF: INIT:loc_AC2C0Cp

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		mov	eax, offset _IopSessionNotificationQueueHead
		xor	esi, esi
		mov	dword_6CCC24, eax
		mov	_IopSessionNotificationQueueHead, eax
		lea	eax, [ebp+var_8]
		push	(offset	loc_ADD9DB+1)
		push	eax
		mov	[ebp+var_8], esi
		mov	[ebp+var_4], esi
		mov	_IopSessionNotificationLock, esi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], 18h
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_20]
		push	1
		push	eax
		push	offset _IopSessionCallbackObject
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], 50h
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		call	_ExCreateCallback@16 ; ExCreateCallback(x,x,x,x)
		pop	esi
		leave
		retn
_IopInitializeSessionNotifications@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopInitVideoWnfState()
_PopInitVideoWnfState@0	proc near	; CODE XREF: PoInitSystem+64Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		xor	esi, esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	1
		push	offset _PopVideoInitialized
		push	offset _WNF_PO_VIDEO_INITIALIALIZED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		push	esi
		push	esi
		push	esi
		push	esi
		push	1
		push	offset _PopVideoHighPrecisionBrightnessEnabled
		push	offset _WNF_PO_BASIC_BRIGHTNESS_ENGINE_DISABLED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		push	esi
		push	esi
		push	esi
		push	esi
		push	4
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], 64h
		push	eax
		push	offset _WNF_PO_BRIGHTNESS_ALS_OFFSET
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		pop	esi
		leave
		retn
_PopInitVideoWnfState@0	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall MiPaeInitialize()
_MiPaeInitialize@0 proc	near		; CODE XREF: MiInitNucleus(x)+339p
		mov	eax, large fs:124h
		xor	ecx, ecx
		test	ds:_MiFlags, 0C00000h
		push	esi
		mov	esi, [eax+80h]
		mov	eax, offset dword_6D0630
		mov	dword_6D0658, ecx
		mov	dword_6D065C, ecx
		mov	dword_6D0654, ecx
		mov	dword_6D0634, eax
		mov	dword_6D0630, eax
		mov	dword_6D0620, 1
		jz	short loc_ADBA76
		mov	dword_6D0620, 2

loc_ADBA76:				; CODE XREF: MiPaeInitialize()+44j
		mov	edx, [esi+18h]
		push	ecx
		shr	edx, 0Ch
		xor	ecx, ecx
		push	40000000h
		call	MiMapSinglePage
		test	eax, eax
		jz	short loc_ADBAA3
		mov	ecx, [esi+18h]
		and	ecx, 0FFFh
		or	ecx, eax
		xor	eax, eax
		mov	[esi+194h], ecx
		inc	eax
		pop	esi
		retn
; 

loc_ADBAA3:				; CODE XREF: MiPaeInitialize()+65j
		xor	eax, eax
		pop	esi
		retn
_MiPaeInitialize@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiConfigureDynamicMemory()
_MiConfigureDynamicMemory@0 proc near	; CODE XREF: MiInitNucleus(x)+114p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	ecx, ecx
		push	esi
		mov	esi, ds:_MmDynamicPfn
		shl	esi, 12h
		mov	eax, esi
		or	eax, ecx
		jnz	short loc_ADBAF0
		and	[ebp+var_C], ecx
		lea	eax, [ebp+var_4]
		and	[ebp+var_8], ecx
		push	8
		pop	ecx
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_4], ecx
		push	eax
		push	ecx
		push	11h
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	short loc_ADBAFB
		mov	esi, [ebp+var_C]
		mov	ecx, [ebp+var_8]
		shrd	esi, ecx, 0Ch
		shr	ecx, 0Ch

loc_ADBAF0:				; CODE XREF: MiConfigureDynamicMemory()+18j
		cmp	ecx, 1
		jb	short loc_ADBAFB
		ja	short loc_ADBB04
		test	esi, esi
		jnb	short loc_ADBB04

loc_ADBAFB:				; CODE XREF: MiConfigureDynamicMemory()+39j
					; MiConfigureDynamicMemory()+4Bj ...
		mov	ds:_MmDynamicPfn, esi
		pop	esi
		leave
		retn
; 

loc_ADBB04:				; CODE XREF: MiConfigureDynamicMemory()+4Dj
					; MiConfigureDynamicMemory()+51j
		or	esi, 0FFFFFFFFh
		jmp	short loc_ADBAFB
_MiConfigureDynamicMemory@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall WmipRegisterFirmwareProviders()
_WmipRegisterFirmwareProviders@0 proc near ; CODE XREF:	WMIInitialize(x,x)+43p

var_10		= dword	ptr -10h
var_C		= byte ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_10]
		stosd
		push	10h
		stosd
		stosd
		stosd
		mov	eax, _PnpDriverObject
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_10]
		push	eax
		push	4Bh
		mov	[ebp+var_10], 52534D42h
		mov	[ebp+var_C], 1
		mov	[ebp+var_8], offset WmipRawSMBiosTableHandler
		call	_NtSetSystemInformation@12 ; NtSetSystemInformation(x,x,x)
		cmp	dword_6BBFD0, 1
		jnz	short loc_ADBB73
		mov	eax, _PnpDriverObject
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_10]
		push	10h
		push	eax
		push	4Bh
		mov	[ebp+var_10], 4649524Dh
		mov	[ebp+var_C], 1
		mov	[ebp+var_8], offset WmipFirmwareTableHandler
		call	_NtSetSystemInformation@12 ; NtSetSystemInformation(x,x,x)

loc_ADBB73:				; CODE XREF: WmipRegisterFirmwareProviders()+40j
		pop	edi
		leave
		retn
_WmipRegisterFirmwareProviders@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MfgInitSystem	proc near		; CODE XREF: Phase1InitializationDiscard(x)+B13p

var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_20C		= dword	ptr -20Ch
var_208		= word ptr -208h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEAFFA SIZE 000002EF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 23Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_228]
		mov	edx, ecx
		xor	ebx, ebx
		push	6
		pop	ecx
		rep stosd
		mov	edi, offset _ExpManufacturingInformation
		mov	[ebp+var_234], ebx
		mov	[ebp+var_230], ebx
		mov	esi, ebx
		mov	[ebp+var_22C], ebx
		mov	[ebp+var_23C], ebx
		stosd
		mov	[ebp+var_238], ebx
		mov	[ebp+var_20C], ebx
		mov	[ebp+var_210], ebx
		stosd
		stosd
		mov	edi, [edx+84h]
		movzx	eax, word ptr [edi+0A48h]
		test	ax, ax
		jnz	loc_AEAFFA

loc_ADBBE9:				; CODE XREF: MfgInitSystem+F493j
					; MfgInitSystem+F75Dj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
MfgInitSystem	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BcdInitializeBcdSyncMutant proc	near	; CODE XREF: Phase1InitializationDiscard(x):loc_AC0BDDp

var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEB2E9 SIZE 0000000A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		xor	eax, eax
		mov	[ebp+var_1C], 18h
		push	eax
		mov	[ebp+var_4], eax
		mov	[ebp+var_18], eax
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	1F0001h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_10], 250h
		push	eax
		mov	[ebp+var_14], (offset loc_40393F+1)
		mov	[ebp+var_C], offset _BiBcdMutantDescriptor
		call	_ZwCreateMutant@16 ; ZwCreateMutant(x,x,x,x)
		test	eax, eax
		js	short locret_ADBC56
		mov	ecx, [ebp+var_4]
		mov	edx, offset _BcdMutantHandle
		xor	eax, eax
		lock cmpxchg [edx], ecx
		test	eax, eax
		jnz	loc_AEB2E9

locret_ADBC56:				; CODE XREF: BcdInitializeBcdSyncMutant+44j
		leave
		retn
BcdInitializeBcdSyncMutant endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

IopQueryDeviceResetRegistrySettings proc near
					; CODE XREF: IopInitializePlugPlayServices(x,x)+3E4p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEB2F3 SIZE 0000005B BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		mov	eax, ecx
		push	ebx
		push	esi
		push	edi
		push	0Ah
		pop	edi
		lea	ecx, [ebp+var_4]
		mov	[ebp+var_8], eax
		push	ecx
		push	0
		mov	edx, offset ??_C@_1DC@EBIJEFNM@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAR?$AAe?$AAs?$AAe?$AAt?$AAR?$AAe?$AAt?$AAr@PBOPGDP@ ; "DeviceResetRetryInterval"
		mov	ecx, eax
		mov	ebx, 0BB8h
		call	IopGetRegistryValue
		test	eax, eax
		jns	loc_AEB2F3

loc_ADBC8E:				; CODE XREF: IopQueryDeviceResetRegistrySettings+F6A2j
					; IopQueryDeviceResetRegistrySettings+F6BEj ...
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	0
		mov	edx, offset ??_C@_1DE@EDFFMAOJ@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAR?$AAe?$AAs?$AAe?$AAt?$AAM?$AAa?$AAx?$AAi@PBOPGDP@ ; "DeviceResetMaximumRetries"
		call	IopGetRegistryValue
		test	eax, eax
		jns	loc_AEB323

loc_ADBCA9:				; CODE XREF: IopQueryDeviceResetRegistrySettings+F6D2j
					; IopQueryDeviceResetRegistrySettings+F6E9j ...
		mov	eax, ebx
		mov	_PnpResetMaximumRetryAttempts, edi
		mov	ecx, 0FFFFD8F0h
		imul	ecx
		pop	edi
		pop	esi
		mov	_PnpResetRetryInterval,	eax
		mov	dword_6CC9FC, edx
		pop	ebx
		leave
		retn
IopQueryDeviceResetRegistrySettings endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiExamineHalVa	proc near		; CODE XREF: MiInitNucleus(x)+6Ep

var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEB34E SIZE 0000001C BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	esi
		push	edi
		mov	ecx, 0C0603FF0h
		mov	edi, 0FFFh

loc_ADBCDA:				; CODE XREF: MiExamineHalVa+F69Dj
		mov	edx, ecx
		xor	esi, esi
		sub	ecx, 8
		inc	esi
		mov	[ebp+var_4], ecx

loc_ADBCE5:				; CODE XREF: MiExamineHalVa+37j
		mov	eax, [ebp+esi*4+var_8]
		dec	esi
		mov	eax, [eax]
		and	eax, 1
		or	eax, 0
		jnz	short loc_ADBCFD

loc_ADBCF4:				; CODE XREF: MiExamineHalVa+F693j
		shl	edx, 12h
		pop	edi
		mov	eax, edx
		pop	esi
		leave
		retn
; 

loc_ADBCFD:				; CODE XREF: MiExamineHalVa+2Aj
		test	esi, esi
		jnz	short loc_ADBCE5
		jmp	loc_AEB361
MiExamineHalVa	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PoFxRegisterDebugger proc near		; CODE XREF: PoInitSystem:loc_AC181Cp

var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_78		= dword	ptr -78h
var_5C		= dword	ptr -5Ch
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_34		= word ptr -34h
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEB36A SIZE 00000194 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0A4h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_50]
		rep stosd
		push	38h		; size_t
		xor	edi, edi
		lea	eax, [ebp+var_88]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_A4], edi
		lea	eax, [ebp+var_8C]
		mov	[ebp+var_A0], edi
		mov	[ebp+var_90], edi
		mov	[ebp+var_8C], edi
		push	eax
		push	edi
		push	edi
		push	21h
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		cmp	eax, 80000005h
		jz	loc_AEB36A

loc_ADBD70:				; CODE XREF: PoFxRegisterDebugger+F67Ej
					; PoFxRegisterDebugger+F7F3j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PoFxRegisterDebugger endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall PopWatchdogInit()
_PopWatchdogInit@0 proc	near		; CODE XREF: PoInitSystem+590p
		mov	edi, edi
		push	esi
		mov	eax, offset _PopWatchdogList
		xor	esi, esi
		mov	dword_6BFD14, eax
		mov	_PopWatchdogList, eax
		mov	_PopWatchdogLock, esi
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		push	esi
		push	offset unk_6C27F0
		mov	dword_6C20F8, esi
		mov	dword_6C27CC, esi
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	esi
		push	offset _PopPowerActionWatchdog@16 ; PopPowerActionWatchdog(x,x,x,x)
		push	offset unk_6C27D0
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	byte_6C2818, 1
		pop	esi
		jmp	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
_PopWatchdogInit@0 endp

; 
		align 4

;  S U B	R O U T	I N E 


PipWaitCriticalDevices proc near	; CODE XREF: IopInitializeBootDrivers+4A1p

; FUNCTION CHUNK AT 00AEB4FE SIZE 00000036 BYTES

		mov	edi, edi
		push	ebx
		push	esi
		mov	esi, ecx
		xor	edx, edx
		push	edi
		test	esi, esi
		jz	short loc_ADBE27
		mov	eax, [esi+0C0h]
		mov	ebx, offset _PipCriticalDeviceWaitCallback@12 ;	PipCriticalDeviceWaitCallback(x,x,x)
		test	eax, eax
		jnz	loc_AEB4FE

loc_ADBDF4:				; CODE XREF: PipWaitCriticalDevices+F73Ej
		mov	ecx, [esi+84h]
		add	ecx, 0E8h
		mov	edi, [ecx]
		cmp	edi, ecx
		jz	short loc_ADBE21

loc_ADBE06:				; CODE XREF: PipWaitCriticalDevices+4Bj
		test	byte ptr [edi+0Ch], 80h
		jnz	loc_AEB517

loc_ADBE10:				; CODE XREF: PipWaitCriticalDevices+F75Bj
		mov	eax, [esi+84h]
		mov	edi, [edi]
		add	eax, 0E8h
		cmp	edi, eax
		jnz	short loc_ADBE06

loc_ADBE21:				; CODE XREF: PipWaitCriticalDevices+30j
					; PipWaitCriticalDevices+58j ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		retn
; 

loc_ADBE27:				; CODE XREF: PipWaitCriticalDevices+Bj
		mov	edx, 0C000000Dh
		jmp	short loc_ADBE21
PipWaitCriticalDevices endp


;  S U B	R O U T	I N E 


PnpBusTypeGuidInitialize proc near	; CODE XREF: IopInitializePlugPlayServices(x,x)+862p

; FUNCTION CHUNK AT 00AEB534 SIZE 0000000E BYTES

		mov	edi, edi
		push	esi
		push	75737050h
		xor	esi, esi
		mov	_PnpBusTypeGuidCountMax, 10h
		push	100h
		inc	esi
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_PnpBusTypeGuidArray, eax
		test	eax, eax
		jz	loc_AEB534
		xor	eax, eax
		mov	_PnpBusTypeGuidLock, esi
		push	eax
		push	esi
		push	offset unk_6CC90C
		mov	_PnpBusTypeGuidCount, eax
		mov	dword_6CC904, eax
		mov	dword_6CC908, eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	eax, eax
		pop	esi
		retn
PnpBusTypeGuidInitialize endp


;  S U B	R O U T	I N E 


; __stdcall PopInitShutdownList()
_PopInitShutdownList@0 proc near	; CODE XREF: PoInitSystem+28Dp
		mov	edi, edi
		push	esi
		xor	esi, esi
		push	esi
		push	esi
		push	offset _PopShutdownEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	esi
		mov	eax, offset _PopShutdownQueue
		mov	_PopShutdownThreadList,	esi
		push	1
		push	offset unk_6C356C
		mov	dword_6C358C, eax
		mov	_PopShutdownQueue, eax
		mov	_PopShutdownListMutex, 1
		mov	dword_6C3564, esi
		mov	dword_6C3568, esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	_PopShutdownListAvailable, 1
		xor	eax, eax
		pop	esi
		retn
_PopInitShutdownList@0 endp


;  S U B	R O U T	I N E 


; __stdcall PopFanReportBootStartDevices()
_PopFanReportBootStartDevices@0	proc near ; CODE XREF: PoInitSystem+670p
		mov	eax, large fs:124h
		push	ebx
		push	esi
		push	edi
		dec	word ptr [eax+13Ch]
		nop
		mov	ebx, offset _PopPolicyDeviceLock
		xor	edx, edx
		mov	ecx, ebx
		call	ExAcquirePushLockSharedEx
		mov	esi, _PopFans
		mov	edi, offset _PopFans

loc_ADBF00:				; CODE XREF: PopFanReportBootStartDevices()+4Fj
		cmp	esi, edi
		jnz	short loc_ADBF1E
		cmp	dword_6C2044, 0
		jnz	short loc_ADBF27

loc_ADBF0D:				; CODE XREF: PopFanReportBootStartDevices()+58j
		xor	edx, edx
		mov	ecx, ebx
		call	ExReleasePushLockEx
		pop	edi
		pop	esi
		pop	ebx
		jmp	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
; 

loc_ADBF1E:				; CODE XREF: PopFanReportBootStartDevices()+2Cj
		call	_PopSqmFanEnumeration@0	; PopSqmFanEnumeration()
		mov	esi, [esi]
		jmp	short loc_ADBF00
; 

loc_ADBF27:				; CODE XREF: PopFanReportBootStartDevices()+35j
		and	dword_6C2044, 0
		jmp	short loc_ADBF0D
_PopFanReportBootStartDevices@0	endp


;  S U B	R O U T	I N E 


; __stdcall PpmCheckInit()
_PpmCheckInit@0	proc near		; CODE XREF: PoInitSystem+1D9p
		push	0
		push	offset _PpmCheckRun@16 ; PpmCheckRun(x,x,x,x)
		push	offset _PpmCheckDpc
		mov	_PpmCheckCurrentPipelineId, 6
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		push	0
		push	offset _PpmCheckPeriodicStart@16 ; PpmCheckPeriodicStart(x,x,x,x)
		push	offset _PpmCheckStartDpc
		mov	byte_6C0441, 3
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		mov	byte_6C0421, 3
		retn
_PpmCheckInit@0	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PopWakeSourceInit()
_PopWakeSourceInit@0 proc near		; CODE XREF: PoInitSystem+465p
		mov	edi, edi
		push	ebx
		xor	ebx, ebx
		mov	eax, offset _PopWakeInfoList
		push	1
		push	ebx
		push	offset _PopWakeSourceAvailable
		mov	_PopWakeInfoCount, ebx
		mov	dword_6C344C, eax
		mov	_PopWakeInfoList, eax
		mov	_PopCurrentWakeInfo, ebx
		mov	_PopPendingWakeInfo, ebx
		mov	_PopWakeSourceLock, ebx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, offset _PopWakeSourceWorkList
		mov	_PopWakeSourceWorkInProgress, bl
		mov	dword_6C343C, ebx
		mov	_PopWakeSourceWorkItem,	ebx
		mov	dword_6C342C, eax
		mov	_PopWakeSourceWorkList,	eax
		mov	dword_6C3438, offset _PopUpdateWakeSourceWorker@4 ; PopUpdateWakeSourceWorker(x)
		pop	ebx
		retn
_PopWakeSourceInit@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopPdcCsCheckSystemVolumeDevice	proc near ; CODE XREF: PoInitSystem+63Ep

var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_14		= byte ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEB542 SIZE 000000DF BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 50h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	ebx
		push	edi
		lea	edi, [ebp+var_10]
		xor	ebx, ebx
		stosd
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_28], ebx
		mov	[ebp+var_24], ebx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_1C]
		stosd
		stosd
		stosd
		cmp	_PopPlatformAoAc, bl
		jnz	loc_AEB542

loc_ADC00D:				; CODE XREF: PopPdcCsCheckSystemVolumeDevice+F64Aj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
PopPdcCsCheckSystemVolumeDevice	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PpProfileInit()
_PpProfileInit@0 proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+688p
		mov	edi, edi
		push	esi
		push	edi
		xor	esi, esi
		xor	edi, edi
		push	esi
		inc	edi
		mov	dword_6CB7A4, esi
		mov	eax, offset _PiProfileDeviceListHead
		mov	_PiProfileDeviceListLock, edi
		push	edi
		push	offset unk_6CB7AC
		mov	dword_6CB7C4, eax
		mov	_PiProfileDeviceListHead, eax
		mov	dword_6CB7A8, esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	edi
		push	edi
		push	offset _PiProfileChangeSemaphore
		mov	_PiProfileDeviceCount, esi
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		pop	edi
		pop	esi
		retn
_PpProfileInit@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiInitFirmwareResources	proc near	; CODE XREF: IopInitializePlugPlayServices(x,x)+1BDp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEB621 SIZE 000001DA BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		xor	esi, esi
		test	byte ptr [ecx+94h], 1
		push	edi
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_24], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_10], esi
		jnz	loc_AEB621

loc_ADC091:				; CODE XREF: PiInitFirmwareResources+F5C1j
		mov	edi, esi

loc_ADC093:				; CODE XREF: PiInitFirmwareResources+F780j
					; PiInitFirmwareResources+F78Ej
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
PiInitFirmwareResources	endp


;  S U B	R O U T	I N E 


; __stdcall WmipGetSMBiosFromLoaderBlock(x)
_WmipGetSMBiosFromLoaderBlock@4	proc near ; CODE XREF: WMIInitialize(x,x)+3Ep
		mov	edi, edi
		push	esi
		mov	esi, [ecx+84h]
		push	offset _WmipSMBiosLock
		call	ExInitializeResourceLite
		cmp	dword ptr [esi], 0D30h
		jb	short loc_ADC0F2
		mov	ecx, [esi+24h]
		test	ecx, ecx
		jz	short loc_ADC0F2
		mov	eax, [ecx+10h]
		mov	ds:_WmipSMBiosTablePhysicalAddress, eax
		mov	eax, [ecx+14h]
		mov	ds:dword_A93DB4, eax
		mov	eax, [ecx+0Ch]
		mov	ds:_WmipSMBiosTableLength, eax
		mov	al, [ecx+7]
		mov	byte ptr ds:_WmipSMBiosVersionInfo+1, al
		mov	al, [ecx+8]
		mov	byte ptr ds:_WmipSMBiosVersionInfo, 0
		mov	byte ptr ds:_WmipSMBiosVersionInfo+2, al
		mov	byte ptr ds:_WmipSMBiosVersionInfo+3, 0

loc_ADC0F2:				; CODE XREF: WmipGetSMBiosFromLoaderBlock(x)+19j
					; WmipGetSMBiosFromLoaderBlock(x)+20j
		pop	esi
		retn
_WmipGetSMBiosFromLoaderBlock@4	endp


;  S U B	R O U T	I N E 


; __stdcall KiPublishProcessorFeatures(x)
_KiPublishProcessorFeatures@4 proc near	; CODE XREF: PAGELK:007274E4p
		mov	edx, ds:_KeFeatureBits2
		mov	eax, edx
		push	esi
		and	eax, 2
		mov	esi, ecx
		or	eax, 0
		push	1
		pop	ecx
		jz	short loc_ADC10E
		mov	al, cl
		jmp	short loc_ADC110
; 

loc_ADC10E:				; CODE XREF: KiPublishProcessorFeatures(x)+14j
		xor	al, al

loc_ADC110:				; CODE XREF: KiPublishProcessorFeatures(x)+18j
		mov	ds:0FFDF0295h, al
		mov	eax, ds:_KeLoaderBlock
		push	edi
		mov	edi, 2000h
		mov	eax, [eax+84h]
		test	[eax+54h], edi
		jnz	short loc_ADC13D
		and	edx, edi
		or	edx, 0
		jz	short loc_ADC136
		mov	al, cl
		jmp	short loc_ADC138
; 

loc_ADC136:				; CODE XREF: KiPublishProcessorFeatures(x)+3Cj
		xor	al, al

loc_ADC138:				; CODE XREF: KiPublishProcessorFeatures(x)+40j
		mov	ds:0FFDF0297h, al

loc_ADC13D:				; CODE XREF: KiPublishProcessorFeatures(x)+35j
		mov	eax, ds:_KeLoaderBlock
		pop	edi
		mov	eax, [eax+84h]
		test	dword ptr [eax+54h], 8000h
		jnz	short loc_ADC16A
		mov	eax, [esi+3D50h]
		and	eax, 10000000h
		or	eax, 0
		jnz	short loc_ADC164
		xor	ecx, ecx

loc_ADC164:				; CODE XREF: KiPublishProcessorFeatures(x)+6Cj
		mov	ds:_KeSmapEnabled, ecx

loc_ADC16A:				; CODE XREF: KiPublishProcessorFeatures(x)+5Cj
		pop	esi
		retn
_KiPublishProcessorFeatures@4 endp


;  S U B	R O U T	I N E 


; __stdcall PiDeviceDependencyInit()
_PiDeviceDependencyInit@0 proc near	; CODE XREF: IopInitializePlugPlayServices(x,x)+66Ap
		mov	edi, edi
		push	ecx
		push	offset _PiDependencyRelationsLock
		call	ExInitializeResourceLite
		and	_PiDependencyEdgeWriteLock, 0
		mov	cl, 1
		call	_PnpAcquireDependencyRelationsLock@4 ; PnpAcquireDependencyRelationsLock(x)
		mov	eax, offset _PiDependencyNodeListHead
		mov	dword_6CCAAC, eax
		mov	_PiDependencyNodeListHead, eax
		mov	eax, offset _PiDependencyNodeEmptyList
		mov	dword_6CCB0C, eax
		mov	_PiDependencyNodeEmptyList, eax
		mov	eax, offset _PiRebuildPowerRelationsQueue
		mov	dword_6CCB04, eax
		mov	_PiRebuildPowerRelationsQueue, eax
		call	_PnpReleaseDependencyRelationsLock@0 ; PnpReleaseDependencyRelationsLock()
		xor	eax, eax
		pop	ecx
		retn
_PiDeviceDependencyInit@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PnpDeviceCompletionQueueInitialize(x)
_PnpDeviceCompletionQueueInitialize@4 proc near
					; CODE XREF: IopInitializePlugPlayServices(x,x):loc_AC4FFAp
		xor	ecx, ecx
		mov	eax, offset _PnpDeviceCompletionQueue
		push	7FFFFFFFh
		push	ecx
		push	offset unk_6CC454
		mov	dword_6CC468, ecx
		mov	dword_6CC448, ecx
		mov	dword_6CC444, eax
		mov	_PnpDeviceCompletionQueue, eax
		call	_KeInitializeSemaphore@12 ; KeInitializeSemaphore(x,x,x)
		mov	eax, offset dword_6CC44C
		mov	dword_6CC450, eax
		mov	dword_6CC44C, eax
		xor	eax, eax
		retn
_PnpDeviceCompletionQueueInitialize@4 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall ExInitializeExternalBootSupport()
_ExInitializeExternalBootSupport@0 proc	near
					; CODE XREF: Phase1InitializationDiscard(x)+DE6p
		xor	ecx, ecx
		mov	eax, offset _ExBootDeviceList
		push	ecx
		push	1
		push	offset _ExBootDevicesRemovedEvent
		mov	_ExNumMissingBootDevices, ecx
		mov	_ExBootDeviceRemovalHandler, ecx
		mov	dword_6BBD8C, eax
		mov	_ExBootDeviceList, eax
		mov	_ExBootDeviceListSpinLock, ecx
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	1
		push	1
		push	offset _ExExternalBootSupportInitializationEvent
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		xor	eax, eax
		retn
_ExInitializeExternalBootSupport@0 endp

; 
		align 10h

;  S U B	R O U T	I N E 


; __stdcall MmInitSystemDll()
_MmInitSystemDll@0 proc	near		; CODE XREF: INIT:loc_ABFD07p
		mov	edi, edi
		push	esi
		xor	ecx, ecx
		call	_PsQuerySystemDllInfo@4	; PsQuerySystemDllInfo(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_ADC272
		push	edi
		lea	ecx, [esi-8]
		call	PspReferenceSystemDll
		mov	edx, [esi+0Ch]
		mov	dword_6D05F0, edx
		pop	edi
		test	eax, eax
		jz	short loc_ADC272
		lea	ecx, [esi-8]
		mov	edx, eax
		pop	esi
		jmp	@ObFastDereferenceObject@8 ; ObFastDereferenceObject(x,x)
; 

loc_ADC272:				; CODE XREF: MmInitSystemDll()+Ej
					; MmInitSystemDll()+25j
		pop	esi
		retn
_MmInitSystemDll@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopReadErrataSkipMemoryOverwriteRequestControlLockAction()
_PopReadErrataSkipMemoryOverwriteRequestControlLockAction@0 proc near
					; CODE XREF: PoInitSystem+82Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		lea	eax, [ebp+var_10]
		mov	[ebp+var_4], 1
		mov	[ebp+var_8], eax
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	1		; int
		lea	eax, [ebp+var_8]
		mov	_PopErrataSkipMemoryOverwriteRequestControlLockAction, 0
		push	eax		; int
		push	offset _GUID_EM_RULE_SKIP_MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_ACTION_QUERY ; void *
		mov	[ebp+var_C], 10h
		mov	[ebp+var_10], offset _GUID_EM_RULE_SKIP_MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_ACTION
		call	EmClientRuleEvaluate
		cmp	[ebp+var_4], 2
		jz	short loc_ADC2BA
		leave
		retn
; 

loc_ADC2BA:				; CODE XREF: PopReadErrataSkipMemoryOverwriteRequestControlLockAction()+42j
		mov	_PopErrataSkipMemoryOverwriteRequestControlLockAction, 1
		leave
		retn
_PopReadErrataSkipMemoryOverwriteRequestControlLockAction@0 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopCreateIdlePhaseWatchdog()
_PopCreateIdlePhaseWatchdog@0 proc near	; CODE XREF: PoInitSystem+788p

var_3C		= dword	ptr -3Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 40h
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_3C]
		push	38h		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_3C], 15h
		lea	eax, [ebp+var_4]
		push	4
		push	eax
		push	38h
		lea	eax, [ebp+var_3C]
		push	eax
		push	57h
		call	_ZwPowerInformation@20 ; ZwPowerInformation(x,x,x,x,x)
		mov	eax, [ebp+var_4]
		mov	ecx, offset unk_6C06C4
		mov	_PopPdcIdlePhaseWatchdogContext, eax
		call	_PopRwLockInitialize@4 ; PopRwLockInitialize(x)
		leave
		retn
_PopCreateIdlePhaseWatchdog@0 endp


;  S U B	R O U T	I N E 


KiEnableNpxStateSwitching proc near	; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+310p

; FUNCTION CHUNK AT 00AEB7FB SIZE 00000050 BYTES

		mov	eax, ds:_KeFeatureBits
		and	eax, 400000h
		or	eax, 0
		jz	loc_AEB828
		mov	ecx, ds:0FFDF03ECh
		mov	eax, ecx
		push	esi
		and	eax, 2
		jnz	loc_AEB7FB
		mov	edx, offset _EnlightenedSwapContext_Xrstor
		mov	esi, offset _SwapContext_Xrstor

loc_ADC33D:				; CODE XREF: KiEnableNpxStateSwitching+F4F7j
		mov	_SwapContext_NpxLoad, esi
		mov	_EnlightenedSwapContext_NpxLoad, edx
		pop	esi
		test	eax, eax
		jnz	loc_AEB80A
		test	cl, 1
		jz	loc_AEB819
		mov	eax, offset _EnlightenedSwapContext_Xsaveopt
		mov	ecx, offset _SwapContext_Xsaveopt

loc_ADC365:				; CODE XREF: KiEnableNpxStateSwitching+F506j
					; KiEnableNpxStateSwitching+F515j ...
		mov	_SwapContext_NpxSave, ecx
		mov	_EnlightenedSwapContext_NpxSave, eax
		retn
KiEnableNpxStateSwitching endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

MiInitializeNumaRangesTemporary	proc near ; CODE XREF: MiInitNucleus(x):loc_AB573Fp

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEB84B SIZE 00000046 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		or	dword_6D06A8, 0FFFFFFFFh
		push	0
		push	eax
		push	8
		push	1Eh
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		jns	loc_AEB84B

loc_ADC39B:				; CODE XREF: MiInitializeNumaRangesTemporary+F4DEj
		mov	eax, offset unk_6D06A0

loc_ADC3A0:				; CODE XREF: MiInitializeNumaRangesTemporary+F4E9j
					; MiInitializeNumaRangesTemporary+F51Aj
		mov	dword_6D06B0, eax
		leave
		retn
MiInitializeNumaRangesTemporary	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PopSetupKsrCallbacks proc near		; CODE XREF: PoInitSystem+821p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AEB891 SIZE 00000056 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		push	esi
		xor	esi, esi
		lea	eax, [ebp+var_8]
		push	eax
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		call	ds:__imp__KsrGetFirmwareInformation@4 ;	KsrGetFirmwareInformation(x)
		test	eax, eax
		jns	loc_AEB891

loc_ADC3D1:				; CODE XREF: PopSetupKsrCallbacks+F526j
					; PopSetupKsrCallbacks+F53Aj
		pop	esi
		leave
		retn
PopSetupKsrCallbacks endp


;  S U B	R O U T	I N E 


CcInitializeVacbs proc near		; CODE XREF: INIT:loc_AC3238p

; FUNCTION CHUNK AT 00AEB8E7 SIZE 00000027 BYTES

		mov	edi, edi
		push	esi
		push	61566343h
		push	4
		xor	esi, esi
		push	200h
		mov	_CcDbgNumberOfFailedHighPriorityMappingsDueToMmResources, esi
		mov	_CcDbgNumberOfFailedHighPriorityMappingsDueToCcResources, esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_CcVacbArrays, eax
		test	eax, eax
		jz	loc_AEB8E7
		mov	[eax], esi
		mov	eax, offset _CcVacbFreeList
		mov	dword_6CE66C, eax
		mov	_CcVacbFreeList, eax
		mov	_CcMinimumFreeHighPriorityVacbs, 80h
		pop	esi
		retn
CcInitializeVacbs endp


;  S U B	R O U T	I N E 


; __stdcall PopHiberEvaluateSkippingMemoryMapValidation()
_PopHiberEvaluateSkippingMemoryMapValidation@0 proc near ; CODE	XREF: PoInitSystem+826p
		mov	eax, ds:_PopEnableHibernateMemoryMapValidationOverride
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_ADC435
		call	_PopReadErrataSkipHibernateMemoryMapValidation@0 ; PopReadErrataSkipHibernateMemoryMapValidation()

loc_ADC42F:				; CODE XREF: PopHiberEvaluateSkippingMemoryMapValidation()+1Aj
		mov	ds:_PopHiberSkipMemoryMapValidation, al
		retn
; 

loc_ADC435:				; CODE XREF: PopHiberEvaluateSkippingMemoryMapValidation()+8j
		test	eax, eax
		setnz	al
		jmp	short loc_ADC42F
_PopHiberEvaluateSkippingMemoryMapValidation@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopReadErrataSkipHibernateMemoryMapValidation()
_PopReadErrataSkipHibernateMemoryMapValidation@0 proc near
					; CODE XREF: PopHiberEvaluateSkippingMemoryMapValidation()+Ap

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], 1
		push	eax		; int
		push	(offset	loc_408D6A+6) ;	void *
		xor	bl, bl
		call	EmClientQueryRuleState
		cmp	[ebp+var_4], 2
		jz	short loc_ADC465

loc_ADC460:				; CODE XREF: PopReadErrataSkipHibernateMemoryMapValidation()+2Bj
		mov	al, bl
		pop	ebx
		leave
		retn
; 

loc_ADC465:				; CODE XREF: PopReadErrataSkipHibernateMemoryMapValidation()+22j
		mov	bl, 1
		jmp	short loc_ADC460
_PopReadErrataSkipHibernateMemoryMapValidation@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExInitializeNls()
_ExInitializeNls@0 proc	near		; CODE XREF: Phase1InitializationDiscard(x)+DDDp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	(offset	loc_A41A30+4)
		push	0F000Fh
		push	eax
		call	_ZwCreateDirectoryObject@12 ; ZwCreateDirectoryObject(x,x,x)
		test	eax, eax
		js	short locret_ADC49C
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		and	ds:_NlsSectionLock, 0
		xor	eax, eax

locret_ADC49C:				; CODE XREF: ExInitializeNls()+1Fj
		leave
		retn
_ExInitializeNls@0 endp


;  S U B	R O U T	I N E 


; __stdcall PnpWaitForDevicesToStart()
_PnpWaitForDevicesToStart@0 proc near	; CODE XREF: IopInitializeSystemDrivers:loc_AB3B8Bp
					; IopInitializeBootDrivers+404p ...
		mov	edi, edi
		push	ecx
		call	_PnpWaitForEmptyDeviceActionQueue@0 ; PnpWaitForEmptyDeviceActionQueue()
		xor	ecx, ecx
		test	eax, eax
		setns	cl
		mov	eax, ecx
		pop	ecx
		retn
_PnpWaitForDevicesToStart@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

PiKsrInitialize	proc near		; CODE XREF: IopInitializePlugPlayServices(x,x)+B30p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		lea	eax, [ebp+var_4]
		xor	ebx, ebx
		push	eax
		mov	[ebp+var_4], ebx
		call	ds:__imp__KsrGetFirmwareInformation@4 ;	KsrGetFirmwareInformation(x)
		test	eax, eax
		jns	loc_AEB8FB
		mov	_PnpKsrEnabled,	bl

loc_ADC4D6:				; CODE XREF: CcInitializeVacbs+F535j
		mov	eax, ebx
		pop	ebx
		leave
		retn
PiKsrInitialize	endp

; 
		align 4

;  S U B	R O U T	I N E 


; __stdcall PnpInitializeDeviceActions()
_PnpInitializeDeviceActions@0 proc near	; CODE XREF: IopInitializePlugPlayServices(x,x)+679p
		xor	eax, eax
		mov	ecx, offset _PnpDeviceActionThread
		xchg	eax, [ecx]
		push	1
		push	0
		push	offset _PnpEnumerationLock
		mov	_PnpEnumerationInProgress, 0
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	eax, offset _PnpEnumerationRequestList
		mov	dword_6CB7FC, eax
		mov	_PnpEnumerationRequestList, eax
		xor	eax, eax
		retn
_PnpInitializeDeviceActions@0 endp


;  S U B	R O U T	I N E 


KeInitializeSchedulerAssist proc near	; CODE XREF: INIT:00ABFE01p

; FUNCTION CHUNK AT 00AEB90E SIZE 00000022 BYTES

		xor	edx, edx
		xor	eax, eax
		inc	edx
		cmp	[ecx+4DCh], eax
		jnz	loc_AEB90E

loc_ADC51D:				; CODE XREF: KeInitializeSchedulerAssist+F41Fj
		mov	ds:_KiSchedulerAssistThreadFlagEnabled,	eax
		test	eax, eax
		jnz	short loc_ADC535

loc_ADC526:				; CODE XREF: KeInitializeSchedulerAssist+31j
		mov	eax, ds:_KiVpThreadSystemWorkPriority
		test	eax, eax
		jle	short loc_ADC53F
		cmp	eax, 1Fh
		jg	short loc_ADC53F
		retn
; 

loc_ADC535:				; CODE XREF: KeInitializeSchedulerAssist+18j
					; KeInitializeSchedulerAssist+F411j
		mov	eax, [ecx+0Ch]
		lock bts dword ptr [eax], 16h
		jmp	short loc_ADC526
; 

loc_ADC53F:				; CODE XREF: KeInitializeSchedulerAssist+21j
					; KeInitializeSchedulerAssist+26j
		mov	ds:_KiVpThreadSystemWorkPriority, edx
		retn
KeInitializeSchedulerAssist endp


;  S U B	R O U T	I N E 


PopDripsWatchdogInitialize proc	near	; CODE XREF: PoInitSystem+7D5p

; FUNCTION CHUNK AT 00AEB930 SIZE 00000033 BYTES

		mov	edi, edi
		push	ecx
		push	offset _PopDripsWatchdogContext
		call	ExInitializeResourceLite
		cmp	_PopPlatformAoAc, 0
		jnz	loc_AEB930

loc_ADC560:				; CODE XREF: PopDripsWatchdogInitialize+F418j
		or	dword_6C0718, 1
		xor	eax, eax

loc_ADC569:				; CODE XREF: PopDripsWatchdogInitialize+F3F1j
					; PopDripsWatchdogInitialize+F3FEj ...
		pop	ecx
		retn
PopDripsWatchdogInitialize endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopReadErrataDisablePrimaryDeviceFastResume()
_PopReadErrataDisablePrimaryDeviceFastResume@0 proc near ; CODE	XREF: PoInitSystem+5BCp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], 1
		push	eax		; int
		push	offset _GUID_EM_RULE_DISABLE_DEVICE_FAST_RESUME	; void *
		mov	_PopErrataDisablePrimaryDeviceFastResume, 0
		call	EmClientQueryRuleState
		cmp	[ebp+var_4], 2
		jnz	short locret_ADC59B
		mov	_PopErrataDisablePrimaryDeviceFastResume, 1

locret_ADC59B:				; CODE XREF: PopReadErrataDisablePrimaryDeviceFastResume()+26j
		leave
		retn
_PopReadErrataDisablePrimaryDeviceFastResume@0 endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall PpmEventInitialize()
_PpmEventInitialize@0 proc near		; CODE XREF: PoInitSystem+5D8p
		mov	edi, edi
		push	ecx
		push	offset _PpmEtwHandle
		push	0
		push	offset PpmEventTraceControlCallback
		push	(offset	loc_408DAF+1)
		call	_EtwRegister@16	; EtwRegister(x,x,x,x)
		test	eax, eax
		js	short loc_ADC5C4
		mov	_PpmEtwRegistered, 1
		xor	eax, eax

loc_ADC5C4:				; CODE XREF: PpmEventInitialize()+1Bj
		pop	ecx
		retn
_PpmEventInitialize@0 endp


;  S U B	R O U T	I N E 


; __stdcall PpmWmiInit()
_PpmWmiInit@0	proc near		; CODE XREF: PoInitSystem+46Ap
		push	0
		push	offset _PpmWmiIdleAccountingTimer
		call	_KeInitializeTimerEx@8 ; KeInitializeTimerEx(x,x)
		push	0
		push	offset _PpmWmiIdleAccountingProcedure@16 ; PpmWmiIdleAccountingProcedure(x,x,x,x)
		push	offset _PpmWmiIdleAccountingDpc
		call	_KeInitializeDpc@12 ; KeInitializeDpc(x,x,x)
		retn
_PpmWmiInit@0	endp


;  S U B	R O U T	I N E 


; __stdcall IopInitializeActiveConnectList()
_IopInitializeActiveConnectList@0 proc near ; CODE XREF: INIT:00AC2E4Cp
		push	1
		mov	eax, offset _ActiveConnectList
		push	1
		push	offset _ActiveConnectListLock
		mov	dword_6CC9F4, eax
		mov	_ActiveConnectList, eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		retn
_IopInitializeActiveConnectList@0 endp


;  S U B	R O U T	I N E 


PopRecordFirmwareResetReason proc near	; CODE XREF: PoInitSystem+4DCp

; FUNCTION CHUNK AT 00AEB963 SIZE 0000002A BYTES

		mov	edi, edi
		push	esi
		mov	esi, [ecx+84h]
		mov	al, [esi+0C70h]
		mov	_PopFirmwareResetReason, al
		cmp	byte ptr [esi+0C70h], 0
		jnz	loc_AEB963
		pop	esi
		retn
PopRecordFirmwareResetReason endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall KiInitializeGSCookieValue()
_KiInitializeGSCookieValue@0 proc near	; CODE XREF: KiSystemStartup(x)+22Ep
		rdtsc
		xor	eax, _ExpSecurityCookieRandomData
		mov	___security_cookie, eax
		not	eax
		mov	___security_cookie_complement, eax
		retn
_KiInitializeGSCookieValue@0 endp

; 
		align 10h
; Exported entry 1025. IoUnregisterBootDriverCallback

;  S U B	R O U T	I N E 


; __stdcall IoUnregisterBootDriverCallback(x)
		public _IoUnregisterBootDriverCallback@4
_IoUnregisterBootDriverCallback@4 proc near
		jmp	ExUnregisterCallback
_IoUnregisterBootDriverCallback@4 endp

; 
		align 4
		db 2 dup(0CCh)
; Exported entry 1297. KeSetProfileIrql

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KeSetProfileIrql(x)
		public _KeSetProfileIrql@4
_KeSetProfileIrql@4 proc near

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	al, [ebp+arg_0]
		mov	ds:_KiProfileIrql, al
		pop	ebp
		retn	4
_KeSetProfileIrql@4 endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiSaveBootProcessorIdt()
_KiSaveBootProcessorIdt@0 proc near	; CODE XREF: KeStartAllProcessors+52p

var_8		= byte ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	dword ptr [ebp+var_8], 0
		and	dword ptr [ebp+var_8+4], 0
		push	esi
		sidt	fword ptr [ebp+var_8+2]
		mov	eax, dword ptr [ebp+var_8]
		mov	esi, dword ptr [ebp+var_8+4]
		shr	eax, 10h
		inc	eax
		push	2020654Bh
		push	eax
		push	1
		mov	_KiBootProcessorIdtSize, eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_KiBootProcessorIdt, eax
		test	eax, eax
		jz	short loc_ADC6AA
		push	_KiBootProcessorIdtSize	; size_t
		push	esi		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	eax, eax

loc_ADC6A7:				; CODE XREF: KiSaveBootProcessorIdt()+53j
		pop	esi
		leave
		retn
; 

loc_ADC6AA:				; CODE XREF: KiSaveBootProcessorIdt()+37j
		mov	eax, 0C000009Ah
		jmp	short loc_ADC6A7
_KiSaveBootProcessorIdt@0 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiI386PentiumLockErrataFixup()
_KiI386PentiumLockErrataFixup@0	proc near ; CODE XREF: KiInitMachineDependent:loc_AE478Fp

var_8		= dword	ptr -8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		xor	edx, edx
		and	dword ptr [ebp-4], 0
		mov	ecx, 2000h
		push	ebx
		push	esi
		push	edi
		call	_MmAllocateIndependentPages@8 ;	MmAllocateIndependentPages(x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_ADC6DB
		xor	al, al
		jmp	short loc_ADC721
; 

loc_ADC6DB:				; CODE XREF: KiI386PentiumLockErrataFixup()+23j
		lea	esi, [edi+0FC8h]
		call	_KeDisableInterrupts@0 ; KeDisableInterrupts()
		mov	bl, al
		sidt	fword ptr [ebp+var_8+2]
		movzx	ecx, word ptr [ebp+var_8+2]
		inc	ecx
		push	ecx		; size_t
		push	dword ptr [ebp-4] ; void *
		push	esi		; void *
		call	_memcpy
		add	esp, 0Ch
		mov	[ebp-4], esi
		lidt	fword ptr [ebp+var_8+2]
		mov	eax, large fs:1Ch
		mov	[eax+38h], esi
		test	bl, bl
		jz	short loc_ADC713
		sti

loc_ADC713:				; CODE XREF: KiI386PentiumLockErrataFixup()+5Ej
		push	2
		mov	edx, 1000h
		mov	ecx, edi
		call	MmSetPageProtection

loc_ADC721:				; CODE XREF: KiI386PentiumLockErrataFixup()+27j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiI386PentiumLockErrataFixup@0	endp

; 
??_C@_07BFMFHDBI@PERFMEM@PBOPGDP@ db 'PERFMEM',0 ; DATA XREF: INIT:00ACD0F5o
; 

; char ??_C
??_C@_01NEMOKFLO@?$DN@PBOPGDP@:		; DATA XREF: Phase1InitializationDiscard(x)+111o
					; Phase1InitializationDiscard(x)+140o ...
		cmp	eax, 52554200h
		dec	esi
		dec	ebp
		inc	ebp
		dec	ebp
		dec	edi
		push	edx
		pop	ecx
		add	ah, cl

??_C@_0BA@GMDJJHOP@FORCEGROUPAWARE@PBOPGDP@: ; DATA XREF: INIT:loc_ACD194o
		inc	esi
		dec	edi
		push	edx
		inc	ebx
		inc	ebp
		inc	edi
		push	edx
		dec	edi
		push	ebp
		push	eax
		inc	ecx
		push	edi
		inc	ecx
		push	edx
		inc	ebp
; 
		db 0
; 

??_C@_04IDIMJMIA@C?3?$CFs@PBOPGDP@:	; DATA XREF: INIT:00ACD34Eo
		inc	ebx

loc_ADC74D:				; DATA XREF: INIT:00ACD621o
		cmp	ah, ds:25CC0073h
		ja	short near ptr loc_ADC7C6+2
		pop	esp
		push	ebx
		jns	short loc_ADC7CC
		jz	short near ptr loc_ADC7BF+1
		insd
		xor	esi, [edx]
		pop	esp
		inc	esp
		jb	short near ptr loc_ADC7C9+2
		jbe	short loc_ADC7C9
		jb	short near ptr loc_ADC7D7+2
		pop	esp
		and	eax, 0CC005A77h

??_C@_07IONELDNO@?$CFZ?5?$CFu?$CFc@PBOPGDP@: ; DATA XREF: INIT:00ACD735o
		and	eax, 7525205Ah
; 
		db 25h,	63h, 0
; 

??_C@_02KEGNLNML@?0?5@PBOPGDP@:		; DATA XREF: RtlStringCbCatExA(x,x,x,x,x,x)+12o
		sub	al, 20h
		add	ah, cl

??_C@_04GDGMMMDI@v?4?$CFu@PBOPGDP@:	; DATA XREF: INIT:00ACD790o
		jbe	short loc_ADC7A8

loc_ADC77A:				; DATA XREF: RtlStringCbCopyExA(x,x,x,x,x,x)+Co
		and	eax, 0CC0075h
		int	3		; Trap to Debugger

; char ??_C
??_C@_05EENHEND@?$CFu?4?$CFu@PBOPGDP@:	; DATA XREF: Phase1InitializationDiscard(x)+363o
					; INIT:00ACD812o
		and	eax, 75252E75h
		add	[ecx+0], al	; DATA XREF: InitSafeBoot(x)+78o
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		outsb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[ebx+0], dl
		push	6C006500h
		add	[eax+eax+0], ch
		add	[edi+0], cl	; DATA XREF: InitSafeBoot(x):loc_AEBC0Bo
		jo	short $+2

loc_ADC7A8:				; CODE XREF: INIT:??_C@_04GDGMMMDI@v?4?$CFu@PBOPGDP@j
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		db 2 dup(0)
; 

??_C@_1BI@CBOLNBDL@?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAV?$AAa?$AAl?$AAu?$AAe@PBOPGDP@:
					; DATA XREF: InitSafeBoot(x)+F9o
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	esi

loc_ADC7BF:				; CODE XREF: INIT:00ADC759j
		add	[ecx+0], ah
		insb
		add	[ebp+0], dh

loc_ADC7C6:				; CODE XREF: INIT:00ADC753j
		add	gs:[eax], al

loc_ADC7C9:				; CODE XREF: INIT:00ADC762j
					; INIT:00ADC760j
					; DATA XREF: ...
		add	[ebp+0], dl

loc_ADC7CC:				; CODE XREF: INIT:00ADC757j
		jnb	short $+2
		add	gs:[ecx+0], al
		insb
		add	[eax+eax+65h], dh

loc_ADC7D7:				; CODE XREF: INIT:00ADC764j
		add	[edx+0], dh
		outsb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[ebx+0], dl
		push	6C006500h
		add	[eax+eax+0], ch
		add	[ebx+0], dl	; DATA XREF: MfgInitSystem+F4E9o
					; MfgInitSystem+F6E3o
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebp+0], cl
		popa
		add	[esi+0], ch
		jnz	short $+2
		db	66h
		add	[ecx+0], ah
		arpl	[eax], ax
		jz	short $+2
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 67006Eh
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], ah
		pop	esp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1CG@GMHJCNO@?$AA?2?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAm?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: MfgInitSystem+F4EEo
					; MfgInitSystem+F6E8o
		pop	esp
		add	[edx+0], dh
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], ch
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
; 
		db 3 dup(0)
; 

; wchar_t ??_C
??_C@_19LJDFFCJJ@?$AA?$CF?$AAs?$AA?$CF?$AAs@PBOPGDP@: ;	DATA XREF: MfgInitSystem+F4F3o
		and	eax, 25007300h
		add	[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1BI@MPLGKGLB@?$AAL?$AAa?$AAs?$AAt?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl?$AAe@PBOPGDP@:
					; DATA XREF: MfgInitSystem+F5F4o
		dec	esp
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		push	eax
		add	[edx+0], dh
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
; 
		db 2 dup(0)
; 

??_C@_1BA@OFLJGHK@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@PBOPGDP@:
					; DATA XREF: PipHardwareConfigInit+2A8o
					; CmIsLastKnownGoodBoot()+18o ...
		inc	ebx
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1BA@HGMBKIKB@?$AA?$CF?$AAs?$AA?$CF?$AAs?$AA?$CF?$AAw?$AAZ@PBOPGDP@:
					; DATA XREF: MfgInitSystem+F6EDo
		and	eax, 25007300h
		add	[ebx+0], dh
		and	eax, 5A007700h
; 
		db 0
		db 2 dup(0)
; 

??_C@_1II@OLBDKLDD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: QueryRegistryHideMachine+10o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al
		dec	ebp
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[edi+0], dl
		dec	ebp
		add	[ecx+0], cl
		pop	esp
		add	[edx+0], dl
		add	gs:[ebx+0], dh
		jz	short $+2
		jb	short $+2
		imul	eax, [eax], 740063h
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BI@HMDFEAOI@?$AAH?$AAi?$AAd?$AAe?$AAM?$AAa?$AAc?$AAh?$AAi?$AAn?$AAe@PBOPGDP@:
					; DATA XREF: QueryRegistryHideMachine:loc_AE90DBo
		dec	eax
		add	[ecx+0], ch
		add	fs:[ebp+0], ah
		dec	ebp
		add	[ecx+0], ah
		arpl	[eax], ax
		push	6E006900h
		add	[ebp+0], ah
; 
		db 2 dup(0)
; 

??_C@_1HO@NHDPAOGO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: RegistryOverwriteCentralProcessor()+24o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[eax+0], cl
		popa
		add	[edx+0], dh
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+44h], bl
		add	[ebp+0], ah
		jnb	short $+2
		arpl	[eax], ax
		jb	short $+2
		imul	eax, [eax], 740070h
		imul	eax, [eax], 6E006Fh
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		add	gs:[esi+0], ch
		jz	short $+2
		jb	short $+2
		popa
		add	[eax+eax+50h], ch
		add	[edx+0], dh
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		outsd
		add	[edx+0], dh
; 
		dw 0
??_C@_1BM@EKKKCBGF@?$AAN?$AAo?$AAt?$AA?5?$AAA?$AAv?$AAa?$AAi?$AAl?$AAa?$AAb?$AAl?$AAe@PBOPGDP@:
					; DATA XREF: RegistryOverwriteCentralProcessor()+F5o
		unicode	0, <Not	Available>,0
??_C@_1CC@GHLLHEOD@?$AAV?$AAe?$AAn?$AAd?$AAo?$AAr?$AAI?$AAd?$AAe?$AAn?$AAt?$AAi?$AAf?$AAi?$AAe@PBOPGDP@:
					; DATA XREF: RegistryOverwriteCentralProcessor()+103o
		unicode	0, <VendorIdentifier>,0
??_C@_1CI@HONJKKAP@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AAN?$AAa?$AAm?$AAe?$AAS?$AAt@PBOPGDP@	db 'P',0
					; DATA XREF: RegistryOverwriteCentralProcessor()+12Bo
aRocessornamest:
		unicode	0, <rocessorNameString>,0
; 

??_C@_1BG@IEICLFFJ@?$AAI?$AAd?$AAe?$AAn?$AAt?$AAi?$AAf?$AAi?$AAe?$AAr@PBOPGDP@:
					; DATA XREF: RegistryOverwriteCentralProcessor()+153o
		dec	ecx
		add	[eax+eax+65h], ah
		add	[esi+0], ch
		jz	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
; 
		dw 0
; char ??_C[]
??_C@_0BF@OIDMGEAM@?5HYPERVISORROOTPROC?$DN@PBOPGDP@ db	' HYPERVISORROOTPROC=',0
					; DATA XREF: Phase1InitializationDiscard(x)+100o
		align 2
; char ??_C[]
??_C@_0BO@DKMHGMAN@?5HYPERVISORROOTPROCNUMANODES?$DN@PBOPGDP@ db ' HYPERVISORROOTPROCNUMANODES=',0
					; DATA XREF: Phase1InitializationDiscard(x):loc_AC04A3o
; char ??_C[]
??_C@_0CA@NOEEJOCD@?5HYPERVISORROOTPROCNUMANODELPS?$DN@PBOPGDP@	db ' HYPERVISORROOTPROCNUMANODELPS=',0
					; DATA XREF: Phase1InitializationDiscard(x):loc_AC0506o
; char ??_C[]
??_C@_09KDJKCLOD@NOGUIBOOT@PBOPGDP@ db 'NOGUIBOOT',0
					; DATA XREF: Phase1InitializationDiscard(x)+269o
; char ??_C[]
??_C@_06MKBEKGJJ@MININT@PBOPGDP@ db 'MININT',0
					; DATA XREF: Phase1InitializationDiscard(x)+2ACo
		align 2
; char ??_C[]
??_C@_05NECCPCEG@INRAM@PBOPGDP@	db 'INRAM',0
					; DATA XREF: Phase1InitializationDiscard(x)+2C0o
; char ??_C[]
??_C@_05KMBLMBJE@?3?5?$CFwZ@PBOPGDP@ db	': %wZ',0
					; DATA XREF: Phase1InitializationDiscard(x)+324o
??_C@_0BM@PDNNGJEH@MICROSOFT?5?$CIR?$CJ?5WINDOWS?5?$CITM?$CJ?6@PBOPGDP@	db 'MICROSOFT (R) WINDOWS (TM)',0Ah,0
					; DATA XREF: Phase1InitializationDiscard(x):loc_AC073Fo
; char ??_C[]
??_C@_04FJMBNFHG@YEAR@PBOPGDP@ db 'YEAR',0 ; DATA XREF: Phase1InitializationDiscard(x)+46Fo
		align 4
??_C@_1DI@FBEJLCLF@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAe?$AAr@PBOPGDP@:
					; DATA XREF: Phase1InitializationDiscard(x)+51Bo
		unicode	0, <Kernel-RegisteredProcessors>,0
; char ??_C[]
??_C@_0L@DLLJGAHK@?5BOOTPROC?$DN@PBOPGDP@ db ' BOOTPROC=',0
					; DATA XREF: Phase1InitializationDiscard(x)+56Do
		align 10h

; char ??_C
??_C@_09OIHMACMH@?5NUMPROC?$DN@PBOPGDP@:
					; DATA XREF: Phase1InitializationDiscard(x):loc_AC090Co
		and	[esi+55h], cl
		dec	ebp
		push	eax
		push	edx
		dec	edi
		inc	ebx
; 
		db 3Dh,	0
; char ??_C[]
??_C@_0BE@BHEMMNNB@?5HYPERVISORNUMPROC?$DN@PBOPGDP@ db ' HYPERVISORNUMPROC=',0
					; DATA XREF: Phase1InitializationDiscard(x):loc_AC0937o
; char ??_C[]
??_C@_0BM@LMPKCFPH@?5HYPERVISORROOTPROCPERNODE?$DN@PBOPGDP@ db ' HYPERVISORROOTPROCPERNODE=',0
					; DATA XREF: Phase1InitializationDiscard(x)+5F7o
; char ??_C[]
??_C@_0BM@HFBGDOGK@?5HYPERVISORROOTPROCPERCORE?$DN@PBOPGDP@ db ' HYPERVISORROOTPROCPERCORE=',0
					; DATA XREF: Phase1InitializationDiscard(x):loc_AC0996o
; char ??_C[]
??_C@_08NCLLJEEA@?5MAXPROC@PBOPGDP@ db ' MAXPROC',0
					; DATA XREF: Phase1InitializationDiscard(x):loc_AC09C1o
		align 10h
??_C@_0BI@KMJFPDIO@MultiProcessor?5Kernel?$AN?6@PBOPGDP@ db 'MultiProcessor Kernel',0Dh,0Ah,0
					; DATA XREF: Phase1InitializationDiscard(x):loc_AC0A56o
; char ??_C[]
??_C@_0CH@GNCFDLAB@?$CFu?5System?5Processor?5?$FL?$CFu?5MB?5Memo@PBOPGDP@ db '%u System Processor [%u MB Memory] %Z',0Ah,0
					; DATA XREF: Phase1InitializationDiscard(x):loc_AC0AE4o
		align 10h

;  S U B	R O U T	I N E 


; char ??_C
??_C@_0O@OBHIAGJN@FORCETIMESYNC@PBOPGDP@ proc near
					; DATA XREF: Phase1InitializationDiscard(x)+B5Fo
		inc	esi
		dec	edi
		push	edx
		inc	ebx
		inc	ebp
		push	esp
		dec	ecx
		dec	ebp
		inc	ebp
		push	ebx
		pop	ecx
		dec	esi
		inc	ebx

loc_ADCBDD:				; DATA XREF: Phase1InitializationDiscard(x)+C71o
					; ViInitSystemPhase0:loc_ACCB6Fo ...
		add	[ebx+41h], dl
??_C@_0O@OBHIAGJN@FORCETIMESYNC@PBOPGDP@ endp

		inc	esi
		inc	ebp
		inc	edx
		dec	edi
		dec	edi
		push	esp
		cmp	al, [eax]
; 
; char ??_C[]
??_C@_07NNINPBDK@MINIMAL@PBOPGDP@ db 'MINIMAL',0
					; DATA XREF: Phase1InitializationDiscard(x)+C93o
; char ??_C[]
??_C@_07BCBHNHNG@NETWORK@PBOPGDP@ db 'NETWORK',0
					; DATA XREF: Phase1InitializationDiscard(x)+CAEo
; 

; char ??_C
??_C@_08EGIDFHDE@DSREPAIR@PBOPGDP@:	; DATA XREF: Phase1InitializationDiscard(x)+CC2o
		inc	esp
		push	ebx
		push	edx
		inc	ebp
		push	eax
		inc	ecx
		dec	ecx
		push	edx
		add	ah, cl

; char ??_C
??_C@_0BB@IJFKEGCF@?$CIALTERNATESHELL?$CJ@PBOPGDP@:
					; DATA XREF: Phase1InitializationDiscard(x)+CEFo
		sub	[ecx+4Ch], al
		push	esp
		inc	ebp
		push	edx
		dec	esi
		inc	ecx
		push	esp
		inc	ebp
		push	ebx
		dec	eax
		inc	ebp
		dec	esp
		dec	esp
		sub	[eax], eax
		int	3		; Trap to Debugger

??_C@_1BG@PJGFOIGG@?$AA?$CF?$AAs?$AA?2?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@PBOPGDP@:
					; DATA XREF: CreateMiniNtBootKey()+46o
		and	eax, 5C007300h
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+0], ch
		add	[ebp+0], cl	; DATA XREF: CreateMiniNtBootKey()+A5o
		imul	eax, [eax], 69006Eh
		dec	esi
		add	[eax+eax+0], dl
; 
		db 0
??_C@_1BC@OAEIEHDI@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe@PBOPGDP@:
					; DATA XREF: CreateSystemRootLink+20o
		unicode	0, <\ArcName>,0
??_C@_1BA@CCLAPIHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@PBOPGDP@ db '\',0
					; DATA XREF: CreateSystemRootLink+BEo
aDevice:
		unicode	0, <Device>,0
; 

??_C@_1CG@MNLGCLPO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAB?$AAo?$AAo?$AAt?$AAD?$AAe?$AAv@PBOPGDP@:
					; DATA XREF: CreateSystemRootLink+12Do
					; CreateSystemRootLink+1FAo ...
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	[edx+0], al
		outsd
		add	[edi+0], ch
		jz	short $+2
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
; 
		dw 0
; wchar_t ??_C
??_C@_1BI@HJOIHDKL@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2?$AA?$CF?$AAS@PBOPGDP@:
					; DATA XREF: CreateSystemRootLink+158o
					; CreateSystemRootLink+2EAo ...
		unicode	0, <\ArcName\%S>,0
; void ??_C
??_C@_1BI@OMNCDEIM@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt@PBOPGDP@:
					; DATA XREF: CmpInitializeDriverStores+A8o
					; CreateSystemRootLink+1DAo
		unicode	0, <\SystemRoot>,0
; wchar_t ??_C
??_C@_19BJAHPNKH@?$AA?$CF?$AAs?$AA?$CF?$AAS@PBOPGDP@: ;	DATA XREF: CreateSystemRootLink+20Ao
		unicode	0, <%s%S>,0
??_C@_1CK@JIMDGDFN@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAO?$AAS?$AAD?$AAa?$AAt?$AAa?$AAD@PBOPGDP@ db '\',0
					; DATA XREF: CreateSystemRootLink+298o
					; CreateSystemRootLink+385o
aDeviceOsdatade:
		unicode	0, <Device\OSDataDevice>,0
??_C@_1BI@BNCMKGKH@?$AA?2?$AAO?$AAS?$AAD?$AAa?$AAt?$AAa?$AAR?$AAo?$AAo?$AAt@PBOPGDP@:
					; DATA XREF: CreateSystemRootLink+351o
		unicode	0, <\OSDataRoot>,0
; 

??_C@_1HA@CJCIHDEO@?$AA?2?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAm?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: SaveNodeDistanceInformation:loc_AEA8E6o
		pop	esp
		add	[edx+0], dh
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], ch
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al
		dec	ebp
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[esi+0], cl
		push	ebp
		add	[ebp+0], cl
		inc	ecx
; 
		db 3 dup(0)
; 

??_C@_1CI@GFOKFGED@?$AAV?$AAa?$AAr?$AAi?$AAa?$AAt?$AAi?$AAo?$AAn?$AA?5?$AAT?$AAh?$AAr?$AAe?$AAs@PBOPGDP@:
					; DATA XREF: SaveNodeDistanceInformation+F74Bo
		push	esi
		add	[ecx+0], ah
		jb	short $+2
		imul	eax, [eax], 740061h
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+0], ah
; 
		db 0
; 

??_C@_1BM@ODCPILIP@?$AAN?$AAo?$AAd?$AAe?$AA?5?$AAD?$AAi?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@PBOPGDP@:
					; DATA XREF: SaveNodeDistanceInformation+F895o
		dec	esi
		add	[edi+0], ch
		add	fs:[ebp+0], ah
		and	[eax], al
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[eax], al
		add	[ebx+0], cl	; DATA XREF: InitializeDynamicPartitioningPolicy+1A413o
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	ds:69005600h, ch
		add	[edx+0], dh
		jz	short $+2
		jnz	short $+2
		popa
		add	[eax+eax+44h], ch
		add	[ecx+0], bh
		outsb
		add	[ecx+0], ah
		insd
		add	[ecx+0], ch
		arpl	[eax], ax
		push	eax
		add	[ecx+0], ah
		jb	short $+2
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
		imul	eax, [eax], 67006Eh
		push	ebx
		add	[ebp+0], dh
		jo	short $+2
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		add	gs:[eax+eax+0],	ah
; 
		db 0
; 

??_C@_1EI@BEACFJPF@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAP@PBOPGDP@:
					; DATA XREF: InitializeDynamicPartitioningPolicy+1A41Ao
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	ds:79004400h, ch
		add	[esi+0], ch
		popa
		add	[ebp+0], ch
		imul	eax, [eax], 500063h
		popa
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
		imul	eax, [eax], 67006Eh
		push	ebx
		add	[ebp+0], dh
		jo	short $+2
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		add	gs:[eax+eax+0],	ah
; 
		db 0
; 

??_C@_1CA@HNKGOEIL@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AAW?$AAs?$AAc?$AAV?$AAR?$AAe?$AAg@PBOPGDP@:
					; DATA XREF: INIT:00AC63E3o
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		pop	esp
		add	[edi+0], dl
		jnb	short $+2
		arpl	[eax], ax
		push	esi
		add	[edx+0], dl
		add	gs:[edi+0], ah
; 
		db 2 dup(0)
; 

??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@PBOPGDP@:
					; DATA XREF: CmpInitializeDriverStores+B3o
					; CmInitSystem1(x)+4D0o ...
		push	ebx
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
; 
		dw 0
??_C@_1BC@KAILKFFG@?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY@PBOPGDP@:
					; DATA XREF: CmpInitializePreloadedHive+33Co
					; CmpCreateRootNode(x,x,x)+1Ao
		unicode	0, <REGISTRY>,0
; 

; wchar_t ??_C
??_C@_1CE@EFNBKPGE@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA3?$AA2?$AA?2?$AAC?$AAo?$AAn?$AAf?$AAi@PBOPGDP@:
					; DATA XREF: CmpGetSystemRelativeRegistryHiveFilePath(x)+2Do
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		pop	esp
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[si+0],	bl
; 
		db 2 dup(0)
; 

??_C@_1BM@PNGDECLI@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAo?$AAr?$AAe?$AAs@PBOPGDP@:
					; DATA XREF: CmpInitializeDriverStores+10o
					; CmGetSystemDriverList:loc_ACA0BAo
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		push	ebx
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
		add	gs:[ebx+0], dh
; 
		db 2 dup(0)
; 

; void ??_C
??_C@_1BE@HOPMDIJK@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2@PBOPGDP@:
					; DATA XREF: CmpInitializeDriverStores+1EABDo
		pop	esp
		add	[ecx+0], al
		jb	short $+2
		arpl	[eax], ax
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
		pop	esp
; 
		db 0
		db 2 dup(0)
; 

; void ??_C
??_C@_1BO@DFBFEJHF@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAo?$AAr?$AAe?$AAs?$AA?2@PBOPGDP@:
					; DATA XREF: CmpInitializePreloadedHive+1D408o
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		push	ebx
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		pop	esp
; 
		db 3 dup(0)
; void ??_C
??_C@_1DK@MBODLMJO@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@PBOPGDP@:
					; DATA XREF: CmpInitializePreloadedHive+8Eo
		unicode	0, <\SystemRoot\System32\Config\>,0
; void ??_C
??_C@_1BG@OKCBELMP@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2@PBOPGDP@ db '\',0
					; DATA XREF: CmpInitializePreloadedHive+210o
aRegistry:
		unicode	0, <REGISTRY\>,0
; 

; void ??_C
??_C@_13FPGAJAPJ@?$AA?2@PBOPGDP@:	; DATA XREF: CmpInitializePreloadedHive+22Ao
					; CmpOpenSystemDriverHiveContext+78o ...
		pop	esp
; 
		db 3 dup(0)
; wchar_t ??_C
??_C@_19BLGDCJIP@?$AA?$CF?$AA0?$AA4?$AAd@PBOPGDP@:
					; DATA XREF: CmpCreateHardwareProfiles+1D7o
					; CmpCreateHardwareProfiles+1D240o ...
		unicode	0, <%04d>,0
; wchar_t ??_C
??_C@_1CM@GKGENBLN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ db '\',0
					; DATA XREF: CmpCreateControlSet+56o
aRegistryMac_12:
		unicode	0, <Registry\Machine\%ws>,0
; 

; wchar_t ??_C
??_C@_1BO@KHANIFDG@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS?$AAe?$AAt?$AA?$CF?$AA0?$AA3?$AAd@PBOPGDP@:
					; DATA XREF: CmpCreateControlSet+1D103o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+25h], dh
		add	[eax], dh
		add	[ebx], dh
		add	[eax+eax+0], ah
; 
		db 0
; wchar_t ??_C
??_C@_1EK@NFKNHMIJ@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: CmpCreateControlSet+21Do
		unicode	0, <\Registry\Machine\%ws\ControlSet%03d>,0
; wchar_t ??_C
??_C@_1CE@EEBHDKEM@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF@PBOPGDP@ db '\',0
					; DATA XREF: CmpCreateControlSetOverride(x)+53o
aRegistryWsWs:
		unicode	0, <REGISTRY\%ws\%ws>,0
; 

??_C@_1BA@LMMHLKFA@?$AAD?$AAE?$AAV?$AAI?$AAC?$AAE?$AAS@PBOPGDP@:
					; DATA XREF: CmpCreateExtendedControlSets+1EA24o
		inc	esp
		add	[ebp+0], al
		push	esi
		add	[ecx+0], cl
		inc	ebx
		add	[ebp+0], al
		push	ebx
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1HO@DPJFAAAO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: CmpCreateHardwareProfiles+3C4o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	ds:5A007700h, ah
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[eax+0], cl
		popa
		add	[edx+0], dh
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[eax], ah
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		jnb	short $+2
		pop	esp
		add	ds:34003000h, ah
		add	[eax+eax+0], ah
		add	[eax+eax+52h], bl ; DATA XREF: CmpCreateHardwareProfiles+1D478o
					; CmpCreateHardwareProfiles+1D516o
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	ds:5A007700h, ah
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	ds:5A007700h, ah
; 
		db 3 dup(0)
; 

??_C@_1BM@MFCPMGNM@?$AAL?$AAa?$AAs?$AAt?$AAK?$AAn?$AAo?$AAw?$AAn?$AAG?$AAo?$AAo?$AAd@PBOPGDP@:
					; DATA XREF: CmIsLastKnownGoodBoot()+71o
		dec	esp
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		dec	ebx
		add	[esi+0], ch
		outsd
		add	[edi+0], dh
		outsb
		add	[edi+0], al
		outsd
		add	[edi+0], ch
		add	fs:[eax], al

loc_ADD117:				; DATA XREF: CmIsLastKnownGoodBoot()+84o
		add	[eax+eax+65h], al
		add	[esi+0], ah
		popa
		add	[ebp+0], dh
		insb
		add	[eax+eax+0], dh

loc_ADD127:				; DATA XREF: CmIsLastKnownGoodBoot()+56o
		add	[eax+eax+52h], bl
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], dl
		add	gs:[eax+eax+65h], ch
		add	[ebx+0], ah
		jz	short $+2
; 
		dw 0
??_C@_1BK@LCAHJIMJ@?$AAM?$AAU?$AAI?$AA?2?$AAS?$AAe?$AAt?$AAt?$AAi?$AAn?$AAg?$AAs@PBOPGDP@:
					; DATA XREF: CmSelectQualifiedInstallLanguage:loc_ACA9DCo
		unicode	0, <MUI\Settings>,0
??_C@_1CK@CDBMDBEP@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe?$AAd?$AAU?$AAI?$AAL?$AAa?$AAn?$AAg@PBOPGDP@	db 'P',0
					; DATA XREF: CmSelectQualifiedInstallLanguage+141o
aReferreduilang:
		unicode	0, <referredUILanguages>,0
??_C@_1CA@JHCOEJCA@?$AAM?$AAU?$AAI?$AA?2?$AAU?$AAI?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe?$AAs@PBOPGDP@:
					; DATA XREF: CmSelectQualifiedInstallLanguage+189o
		unicode	0, <MUI\UILanguages>,0
??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@PBOPGDP@:	; DATA XREF: ObInitSystem+1B0o
					; CmSelectQualifiedInstallLanguage+221o ...
		unicode	0, <Type>,0
; 

??_C@_1CG@PBNNDBEJ@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS?$AAe?$AAt?$AAO?$AAv?$AAe?$AAr?$AAr@PBOPGDP@:
					; DATA XREF: CmpGetSystemControlValues+1B196o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+4Fh], dh
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
; 
		dw 0
??_C@_1BA@BJGEONAH@?$AAc?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@PBOPGDP@:
					; DATA XREF: CmpGetSystemControlValues+DEo
		unicode	0, <current>,0
??_C@_1BA@IBGCEPCN@?$AAc?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@PBOPGDP@:
					; DATA XREF: CmpGetSystemControlValues+12Do
		unicode	0, <control>,0
; 

; void ??_C
??_C@_02CLJDCEPA@19@PBOPGDP@:		; DATA XREF: CmpGetBiosDate+1DECCo
		xor	[ecx], edi
		add	ah, cl

; void ??_C
??_C@_02PIBHCBOA@20@PBOPGDP@:		; DATA XREF: CmpGetBiosDate+1DEE0o
		xor	dh, [eax]
		add	ah, cl

??_C@_05JJCGIBE@?5?9?5?$CFx@PBOPGDP@:	; DATA XREF: CmpGetAcpiBiosVersion(x,x,x)+48o
		and	byte ptr ds:off_782520,	ch

??_C@_1CC@GHGIBEHL@?$AAC?$AAe?$AAn?$AAt?$AAr?$AAa?$AAl?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo@PBOPGDP@:
					; DATA XREF: CmpInitializeMachineDependentConfiguration+123o
		inc	ebx
		add	[ebp+0], ah
		outsb
		add	[eax+eax+72h], dh
		add	[ecx+0], ah
		insb
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		outsd
		add	[edx+0], dh
; 
		dw 0
??_C@_1CO@GCKPAJAM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAP?$AAh?$AAy?$AAs?$AAi?$AAc?$AAa@PBOPGDP@:
					; DATA XREF: MiSectionInitialization+4Co
					; EmpMapPhysicalAddress+13o ...
		unicode	0, <\Device\PhysicalMemory>,0
??_C@_1CC@MBMHMCGC@?$AAB?$AAo?$AAo?$AAt?$AAA?$AAr?$AAc?$AAh?$AAi?$AAt?$AAe?$AAc?$AAt?$AAu?$AAr@PBOPGDP@	db 'B',0
					; DATA XREF: CmpInitializeMachineDependentConfiguration+300o
aOotarchitectur:
		unicode	0, <ootArchitecture>,0
??_C@_1CC@CBGHPEEO@?$AAP?$AAr?$AAe?$AAf?$AAe?$AAr?$AAr?$AAe?$AAd?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl@PBOPGDP@:
					; DATA XREF: CmpInitializeMachineDependentConfiguration+325o
		unicode	0, <PreferredProfile>,0
??_C@_1BK@JKLHPNBO@?$AAC?$AAa?$AAp?$AAa?$AAb?$AAi?$AAl?$AAi?$AAt?$AAi?$AAe?$AAs@PBOPGDP@ db 'C',0
					; DATA XREF: CmpInitializeMachineDependentConfiguration+348o
aApabilities_0:
		unicode	0, <apabilities>,0

;  S U B	R O U T	I N E 


??_C@_1BO@BHDHIFGP@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAB?$AAi?$AAo?$AAs?$AAD?$AAa?$AAt?$AAe@PBOPGDP@ proc	near
					; DATA XREF: IopInitializePlugPlayServices(x,x)+13Co
					; CmpSetSystemBiosInformation+108o ...
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		inc	edx
		add	[ecx+0], ch
		outsd
??_C@_1BO@BHDHIFGP@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAB?$AAi?$AAo?$AAs?$AAD?$AAa?$AAt?$AAe@PBOPGDP@ endp

		add	[ebx+0], dh
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al
; 
		db 0

;  S U B	R O U T	I N E 


??_C@_1CE@OMPBPMAF@?$AAO?$AAl?$AAd?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAB?$AAi?$AAo?$AAs?$AAD?$AAa@PBOPGDP@	proc near
					; DATA XREF: IopInitializePlugPlayServices(x,x)+116o
					; CmpSetSystemBiosInformation+1E564o
		dec	edi
		add	[eax+eax+64h], ch
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		inc	edx
		add	[ecx+0], ch
		outsd
		add	[ebx+0], dh
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al

loc_ADD319:				; DATA XREF: PipCheckSystemFirmwareUpdated+4Eo
					; PipCheckSystemFirmwareUpdated+7Bo ...
		add	[ebx+0], dl
??_C@_1CE@OMPBPMAF@?$AAO?$AAl?$AAd?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAB?$AAi?$AAo?$AAs?$AAD?$AAa@PBOPGDP@	endp

		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		inc	edx
		add	[ecx+0], ch
		outsd
		add	[ebx+0], dh
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		db 2 dup(0)
; 

??_C@_1BM@NLECKPGB@?$AAV?$AAi?$AAd?$AAe?$AAo?$AAB?$AAi?$AAo?$AAs?$AAD?$AAa?$AAt?$AAe@PBOPGDP@:
					; DATA XREF: CmpSetVideoBiosInformation+14Ao
		push	esi
		add	[ecx+0], ch
		add	fs:[ebp+0], ah
		outsd
		add	[edx+0], al
		imul	eax, [eax], 73006Fh
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CC@NBEHNIFJ@?$AAV?$AAi?$AAd?$AAe?$AAo?$AAB?$AAi?$AAo?$AAs?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo@PBOPGDP@:
					; DATA XREF: CmpSetVideoBiosInformation+27Do
		push	esi
		add	[ecx+0], ch
		add	fs:[ebp+0], ah
		outsd
		add	[edx+0], al
		imul	eax, [eax], 73006Fh
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0

;  S U B	R O U T	I N E 


; char ??_C
??_C@_03LPDPNJPJ@ISA@PBOPGDP@ proc near	; DATA XREF: CmpSetupConfigurationTree+AFo
		dec	ecx
		push	ebx
		inc	ecx

loc_ADD37F:				; DATA XREF: CmpAddDriverToList+3B5o
		add	[ebx+0], dl
??_C@_03LPDPNJPJ@ISA@PBOPGDP@ endp

		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		jnb	short $+2
		pop	esp
; 
		db 3 dup(0)
; void ??_C
??_C@_19DKJJGBOC@?$AA?4?$AAs?$AAy?$AAs@PBOPGDP@: ; DATA	XREF: CmpAddDriverToList+3DCo
		unicode	0, <.sys>,0
??_C@_1DC@LPOMOPCG@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@PBOPGDP@ db '\',0
					; DATA XREF: CmFcManagerStartRuntimePhase(x)+291o
aRegistryMac_14:
		unicode	0, <REGISTRY\MACHINE\OSDATA>,0
??_C@_1DG@IOMDFJHH@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@PBOPGDP@:
					; DATA XREF: CmFcManagerStartRuntimePhase(x)+298o
		unicode	0, <\REGISTRY\MACHINE\SOFTWARE>,0
; 

??_C@_1BI@PBOLNAPE@?$AAD?$AAe?$AAb?$AAu?$AAg?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt@PBOPGDP@:
					; DATA XREF: DbgkpInitializePhase0()+23o
		inc	esp
		add	[ebp+0], ah
		bound	eax, [eax]
		jnz	short $+2
		add	[bx+0],	cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1IE@NBCGBAGB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: EmInitSystem+7Fo
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebp+0], al
		jb	short $+2
		jb	short $+2
		popa
		add	[eax+eax+61h], dh
		add	[eax+eax+44h], bl
		add	[ecx+0], bh
		outsb
		add	[ecx+0], ah
		insd
		add	[ecx+0], ch
		arpl	[eax], ax
; 
		db 2 dup(0)
; 

??_C@_1CC@IBEIBDLA@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAi?$AAn?$AAf@PBOPGDP@:
					; DATA XREF: EmInitSystem+272BDo
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[ecx+0], ch
		outsb
		add	[esi+0], ah
		pop	esp
; 
		db 3 dup(0)
; 

; char ??_C
??_C@_07BJOIOONN@Strings@PBOPGDP@:	; DATA XREF: EmpParseStrings+Bo
					; EmpParseStrings+6Do ...
		push	ebx
		jz	short loc_ADD549
; 
aIngs		db 'ings',0
; 

; char ??_C
??_C@_02KIPMEKLM@?4?$HN@PBOPGDP@:	; DATA XREF: EmpParseTargetRuleStringIndexList+A9o
		db	2Eh
		jge	short $+3
		int	3		; Trap to Debugger
; 
??_C@_04HOKIGJEB@Rule@PBOPGDP@ db 'Rule',0 ; DATA XREF: EmpParseRuleExpression+22o
					; EmpParseRuleExpression+19Do
		align 2
??_C@_0BB@NBFILPMM@EntryTypeGuidDef@PBOPGDP@ db	'EntryTypeGuidDef',0
					; DATA XREF: EmpParseEntryTypes+15o
					; EmpParseEntryTypes+4Eo ...
		align 4
??_C@_0BA@NLAPLPIK@CallbackGuidDef@PBOPGDP@ db 'CallbackGuidDef',0
					; DATA XREF: EmpParseCallbacks+90o
					; EmpParseRuleTerm:loc_ABCDCEo
??_C@_0BA@BBPLJNBJ@RuleNameGuidDef@PBOPGDP@ db 'RuleNameGuidDef',0
					; DATA XREF: EmpParseRuleTerm+66o
					; EmpParseRules+83o ...
??_C@_0O@GODDGPD@TargetRuleDef@PBOPGDP@	db 'TargetRuleDef',0
					; DATA XREF: EmpParseTargetRules+1Do
					; EmpParseTargetRules+4Ao ...
??_C@_0M@JFEBFCJJ@CallbackDef@PBOPGDP@ db 'CallbackDef',0 ; DATA XREF: EmpParseCallbacks+1Do
					; EmpParseCallbacks+3Do ...
??_C@_07HEKHBGDN@RuleDef@PBOPGDP@ db 'RuleDef',0 ; DATA XREF: EmpParseRules+22o
					; EmpParseRules+40o ...
??_C@_1HM@IHPPCBKD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ db '\',0
					; DATA XREF: FsRtlGetCompatibilityModeValue+4Fo
aRegist_0:
		unicode	0, <Regist>
		db 72h
; 

loc_ADD549:				; CODE XREF: INIT:00ADD4D5j
		add	[ecx+0], bh
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[esi+0], al
		imul	eax, [eax], 65006Ch
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
		db 2 dup(0)
; 

??_C@_1EE@BKEAFBFL@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAV?$AAo?$AAl?$AAu?$AAm?$AAe?$AAs@PBOPGDP@:
					; DATA XREF: FsRtlInitializeSmssEvent()+32o
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	[esi+0], dl
		outsd
		add	[eax+eax+75h], ch
		add	[ebp+0], ch
		add	gs:[ebx+0], dh
		push	ebx
		add	[ecx+0], ah
		db	66h
		add	[ebp+0], ah
		inc	esi
		add	[edi+0], ch
		jb	short $+2
		push	edi
		add	[edx+0], dh
		imul	eax, [eax], 650074h
		inc	ecx
		add	[ebx+0], ah
		arpl	[eax], ax
		add	gs:[ebx+0], dh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1DC@EOCPMAFK@?$AAW?$AAi?$AAn?$AA9?$AA5?$AAT?$AAr?$AAu?$AAn?$AAc?$AAa?$AAt?$AAe?$AAd?$AAE@PBOPGDP@:
					; DATA XREF: FsRtlInitSystem()+85o
		push	edi
		add	[ecx+0], ch
		outsb
		add	[ecx], bh
		add	ds:72005400h, dh
		add	[ebp+0], dh
		outsb
		add	[ebx+0], ah
		popa
		add	[eax+eax+65h], dh
		add	[eax+eax+45h], ah
		add	[eax+0], bh
		jz	short $+2
		add	gs:[esi+0], ch
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dw 0
??_C@_1CK@NKAOLMMN@?$AAM?$AAa?$AAx?$AAi?$AAm?$AAu?$AAm?$AAT?$AAu?$AAn?$AAn?$AAe?$AAl?$AAE?$AAn@PBOPGDP@:
					; DATA XREF: FsRtlInitializeTunnels+26o
		unicode	0, <MaximumTunnelEntries>,0
??_C@_1DO@FHBENCEN@?$AAM?$AAa?$AAx?$AAi?$AAm?$AAu?$AAm?$AAT?$AAu?$AAn?$AAn?$AAe?$AAl?$AAE?$AAn@PBOPGDP@	db 'M',0
					; DATA XREF: FsRtlInitializeTunnels+48o
aAximumtunnelen:
		unicode	0, <aximumTunnelEntryAgeInSeconds>,0
??_C@_05NDBNEPKH@NOVGA@PBOPGDP@	db 'NOVGA',0 ; DATA XREF: InbvDriverInitialize(x,x,x)+46o
; 

; char ??_C
??_C@_08GADDGKEM@BOOTLOGO@PBOPGDP@:	; DATA XREF: BvgaDriverInitialize+1A3F8o
		inc	edx
		dec	edi
		dec	edi
		push	esp
		dec	esp
		dec	edi
		inc	edi
		dec	edi
		add	ah, cl

??_C@_1CO@KLCFCLGO@?$AA?2?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AA?2?$AAT?$AAR?$AAK?$AAW?$AAK@PBOPGDP@:
					; DATA XREF: INIT:00AC2B23o
		pop	esp
		add	[ebx+0], dl
		add	gs:[ebx+0], ah
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
		pop	esp
		add	[eax+eax+52h], dl
		add	[ebx+0], cl
		push	edi
		add	[ebx+0], cl
		push	ebx
		add	[edi+0], bl
		inc	ebp
		add	[esi+0], dl
		inc	ebp
		add	[esi+0], cl
		push	esp
; 
		db 0
		db 2 dup(0)
; 

; char ??_C
??_C@_08OLNDGDOM@rdisk?$CI0?$CJ@PBOPGDP@: ; DATA XREF: IopStoreArcInformation+BEo
		jb	short near ptr ??_C@_1DM@FMJIKGBL@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@PBOPGDP@+34h
		imul	esi, [ebx+6Bh],	293028h
		int	3		; Trap to Debugger

??_C@_1M@IOJLKPKK@?$AAS?$AAt?$AAa?$AAr?$AAt@PBOPGDP@: ;	DATA XREF: INIT:00AC2A2Bo
					; IopInitializeBootDrivers+2D1A3o
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
; 
		dw 0
; 

; char ??_C
??_C@_0BA@IFCGMJBN@?2Device?2CdRom?$CFd@PBOPGDP@: ; DATA XREF: IopCreateArcNamesCd+27215o
					; IopCreateArcNamesCd+27272o
		pop	esp
		inc	esp
		db	65h
		jbe	short near ptr ??_C@_1O@HAMLNBEA@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@PBOPGDP@ ; "D"
		arpl	[ebp+5Ch], sp
		inc	ebx
		db	64h
		push	edx
		outsd
		insd
; 
		db 25h,	64h, 0
; 

; char ??_C
??_C@_0M@HCOOGNOF@?2ArcName?2?$CFs@PBOPGDP@: ; DATA XREF: IopCreateArcNames(x)+1Co
					; IopCreateArcNamesCd+273FFo ...
		pop	esp
		inc	ecx
		jb	short loc_ADD75F
		dec	esi
		popa
		insd
		db	65h
		pop	esp
; 
		db 25h,	73h, 0
; wchar_t ??_C
??_C@_1DM@FMJIKGBL@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@PBOPGDP@:
					; DATA XREF: IopCreateArcNamesDisk+2721Eo
					; VhdiInitializeBootDisk(x,x,x)+D3o
		unicode	0, <\Device\Harddisk%d\Partition0>,0
??_C@_1BG@IGJNEGIG@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAl?$AAe?$AAr@PBOPGDP@:
					; DATA XREF: IoCreateObjectTypes+76o
		unicode	0, <Controller>,0
??_C@_1O@HAMLNBEA@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@PBOPGDP@ db 'D',0
					; CODE XREF: INIT:00ADD6EAj
					; DATA XREF: IoCreateObjectTypes+A6o
aEvi:
		unicode	0, <evi>
		db 63h
; 

loc_ADD75F:				; CODE XREF: INIT:00ADD6FAj
		add	[ebp+0], ah
; 
		dw 0
??_C@_1BA@PCIIBPJI@?$AAA?$AAd?$AAa?$AAp?$AAt?$AAe?$AAr@PBOPGDP@:
					; DATA XREF: IoCreateObjectTypes+3Bo
		unicode	0, <Adapter>,0
??_C@_1CK@PPBFOLIO@?$AAW?$AAa?$AAi?$AAt?$AAC?$AAo?$AAm?$AAp?$AAl?$AAe?$AAt?$AAi?$AAo?$AAn?$AAP@PBOPGDP@:
					; DATA XREF: IoCreateObjectTypes+1A8o
		unicode	0, <WaitCompletionPacket>,0
??_C@_19DDLLJDOO@?$AAF?$AAi?$AAl?$AAe@PBOPGDP@ db 'F',0
					; DATA XREF: IoCreateObjectTypes+206o
aIle:
		unicode	0, <ile>,0
??_C@_1O@GAOCKAOK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@PBOPGDP@:
					; DATA XREF: IoCreateObjectTypes+F6o
		unicode	0, <Driver>,0
??_C@_1BK@HCMNLOAL@?$AAI?$AAo?$AAC?$AAo?$AAm?$AAp?$AAl?$AAe?$AAt?$AAi?$AAo?$AAn@PBOPGDP@ db 'I',0
					; DATA XREF: IoCreateObjectTypes+146o
aOcompletion:
		unicode	0, <oCompletion>,0
; 

??_C@_1CI@DCCGEKKC@?$AA?2?$AAF?$AAi?$AAl?$AAe?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAF?$AAi?$AAl@PBOPGDP@:
					; DATA XREF: IopCreateRootDirectories()+89o
		pop	esp
		add	[esi+0], al
		imul	eax, [eax], 65006Ch
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[esi+0], al
		imul	eax, [eax], 74006Ch
		add	gs:[edx+0], dh
		jnb	short $+2
; 
		dw 0
??_C@_1DA@DPBMJBPE@?$AA?2?$AAU?$AAM?$AAD?$AAF?$AAC?$AAo?$AAm?$AAm?$AAu?$AAn?$AAi?$AAc?$AAa?$AAt@PBOPGDP@:
					; DATA XREF: IopCreateUmdfDirectory+11Do
		unicode	0, <\UMDFCommunicationPorts>,0
; 

??_C@_1BA@DCJJIJNE@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@PBOPGDP@:
					; DATA XREF: IopCreateRootDirectories()+Fo
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1BI@CPDHNCDG@?$AA?2?$AAF?$AAi?$AAl?$AAe?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm@PBOPGDP@:
					; DATA XREF: IopCreateRootDirectories()+60o
		pop	esp
		add	[esi+0], al
		imul	eax, [eax], 65006Ch
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
		dw 0
??_C@_1DE@MJJBHHAG@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAM?$AAo?$AAu?$AAn?$AAt?$AAP?$AAo@PBOPGDP@:
					; DATA XREF: IopAssignBootDriveLetter+17o
		unicode	0, <\Device\MountPointManager>,0
??_C@_1CE@PLNJMHPE@?$AAE?$AAx?$AAi?$AAs?$AAt?$AAi?$AAn?$AAg?$AAP?$AAa?$AAg?$AAe?$AAF?$AAi?$AAl@PBOPGDP@:
					; DATA XREF: IopInitCrashDumpDuringSysInit+59o
		unicode	0, <ExistingPageFiles>,0

;  S U B	R O U T	I N E 


??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@ proc	near
					; DATA XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+2CCo

; FUNCTION CHUNK AT 00ADD956 SIZE 00000015 BYTES

		dec	ecx
		dec	edi
		dec	ecx
		dec	esi
		dec	ecx
		push	esp
		cmp	ah, [eax]
		inc	edx
		jnz	short near ptr loc_ADD91B+1
		insb
		jz	short loc_ADD8E3
		imul	ebp, [esi+20h],	76697264h
		db	65h
		jb	short near ptr loc_ADD8DF+1
		and	eax, 62205A77h
		insb
		outsd
		arpl	[ebx+65h], bp
		and	fs:[edi+69h], dh
		jz	short loc_ADD938
		and	[ebx+74h], dh
		popa
		jz	short near ptr loc_ADD94A+1
		jnb	short near ptr loc_ADD8F7+1
		sub	eax, 25783020h
		insb
		pop	eax

loc_ADD8DF:				; CODE XREF: ??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@+15j
		or	al, [eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0EG@KAJKABNN@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5fai@PBOPGDP@:
					; DATA XREF: IopInitializeBuiltinDriver(x,x,x,x,x,x)+308o
					; IopInitializeBuiltinDriver(x,x,x,x,x,x)+313o
		dec	ecx

loc_ADD8E3:				; CODE XREF: ??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@+Cj
		dec	edi
		dec	ecx
		dec	esi
		dec	ecx
		push	esp
		cmp	ah, [eax]
		inc	edx
		jnz	short loc_ADD956
		insb
		jz	short loc_ADD91D
		imul	ebp, [esi+20h],	76697264h

loc_ADD8F7:				; CODE XREF: ??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@+2Ej
		db	65h
		jb	short near ptr loc_ADD916+4
		and	eax, 66205A77h
		popa
		imul	ebp, [ebp+64h],	206F7420h
		imul	ebp, [esi+69h],	6C616974h
		imul	edi, [edx+65h],	74697720h

loc_ADD916:				; CODE XREF: ??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@:loc_ADD8F7j
		push	61747320h

loc_ADD91B:				; CODE XREF: ??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@+9j
		jz	short near ptr loc_ADD991+1

loc_ADD91D:				; CODE XREF: ??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@+46j
		jnb	short near ptr loc_ADD93D+2
		sub	eax, 25783020h
		insb
		pop	eax
		or	al, [eax]
??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@ endp


;  S U B	R O U T	I N E 


??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@PBOPGDP@ proc near
					; DATA XREF: IopInitCrashDumpDuringSysInit+63o
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al

loc_ADD938:				; CODE XREF: ??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@+26j
		dec	ebp
		add	[ecx+0], ah
		outsb
??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@PBOPGDP@ endp


loc_ADD93D:				; CODE XREF: ??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@:loc_ADD91Dj
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebp+0], cl

loc_ADD94A:				; CODE XREF: ??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@+2Cj
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		and	[eax], al
; START	OF FUNCTION CHUNK FOR ??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@

loc_ADD956:				; CODE XREF: ??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@+43j
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+0], dh
; END OF FUNCTION CHUNK	FOR ??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@
; 
		db 0
; char ??_C[]
??_C@_0BO@FKAHPBKI@?2Device?2Harddisk?$CFd?2Partition0@PBOPGDP@	db '\Device\Harddisk%d\Partition0',0
					; DATA XREF: IopGetBootDiskInformation(x,x)+F8o
; 

; char ??_C
??_C@_0BA@LLFPLPJL@?$CFspartition?$CI?$CFd?$CJ@PBOPGDP@:
					; DATA XREF: IopGetBootDiskInformation(x,x)+328o
		and	eax, 72617073h
		jz	short loc_ADD9FA

loc_ADD991:				; CODE XREF: ??_C@_0DJ@LEKBNM@IOINIT?3?5Built?9in?5driver?5?$CFwZ?5blo@PBOPGDP@:loc_ADD91Bj
		jz	short loc_ADD9FC
		outsd
		outsb
		sub	ds:44002964h, ah ; DATA	XREF: IopCachePreviousBootData(x)+66o
		add	[ebp+0], dh
		insd
		add	[eax+0], dh
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[eax+0], dl
		jb	short $+2
		jbe	short $+2
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+0], dh
; 
		db 0
; 

??_C@_1BK@BNBFJDPA@?$AAD?$AAu?$AAm?$AAp?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@PBOPGDP@:
					; DATA XREF: IopCachePreviousBootData(x)+3Fo
		inc	esp
		add	[ebp+0], dh
		insd
		add	[eax+0], dh
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[eax], al

loc_ADD9DB:				; DATA XREF: IopInitializeSessionNotifications()+1Do
		add	[eax+eax+43h], bl
		add	[ecx+0], ah
		insb
		add	[eax+eax+62h], ch
		add	[ecx+0], ah
		arpl	[eax], ax
		imul	eax, [eax], 5Ch
		add	[ecx+0], cl
		outsd
		add	[ebx+0], dl
		add	gs:[ebx+0], dh

loc_ADD9FA:				; CODE XREF: INIT:00ADD98Fj
		jnb	short $+2

loc_ADD9FC:				; CODE XREF: INIT:loc_ADD991j
		imul	eax, [eax], 6E006Fh
		dec	esi
		add	[edi+0], ch
		jz	short $+2
		imul	eax, [eax], 690066h
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1BI@EIJDOAKI@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAP?$AAn?$AAp@PBOPGDP@:
					; DATA XREF: IopInitializePlugPlayServices(x,x)+2FCo
					; PnpOpenCCSPnpRegKey(x,x)+48o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+50h], bl
		add	[esi+0], ch
		jo	short $+2
; 
		db 2 dup(0)
; 

??_C@_1DO@PGOAJPNE@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: IopInitializePlugPlayServices(x,x)+41Bo
					; PipHardwareConfigInit+22o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], dl
		add	gs:[eax+eax+75h], dh
		add	[eax+0], dh
; 
		dw 0
; 

??_C@_1DK@LHAIMOCD@?$AAF?$AAi?$AAn?$AAd?$AAB?$AAe?$AAs?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu@PBOPGDP@:
					; DATA XREF: IopInitializePlugPlayServices(x,x)+3A1o
		inc	esi
		add	[ecx+0], ch
		outsb
		add	[eax+eax+42h], ah
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 750067h
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[edi+0], ch
		jnz	short $+2
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BI@KODDANKI@?$AAB?$AAo?$AAo?$AAt?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@PBOPGDP@:
					; DATA XREF: IopInitializePlugPlayServices(x,x)+361o
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+4Fh], dh
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CI@NLPLCOOC@?$AAA?$AAs?$AAy?$AAn?$AAc?$AAh?$AAr?$AAo?$AAn?$AAo?$AAu?$AAs?$AAO?$AAp?$AAt@PBOPGDP@:
					; DATA XREF: IopInitializePlugPlayServices(x,x)+321o
		inc	ecx
		add	[ebx+0], dh
		jns	short $+2
		outsb
		add	[ebx+0], ah
		push	6F007200h
		add	[esi+0], ch
		outsd
		add	[ebp+0], dh
		jnb	short $+2
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1EO@EKIIDBMB@?$AA?$HL?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA0?$AA?9?$AA0?$AA0?$AA0?$AA0?$AA?9@PBOPGDP@:
					; DATA XREF: PipInitComputerIds+C2Co
					; IopInitializePlugPlayServices(x,x)+5AFo ...
		jnp	short $+2
		xor	[eax], al
		xor	[eax], al
		xor	[eax], al
		xor	[eax], al
		xor	[eax], al
		xor	[eax], al
		xor	[eax], al
		xor	[eax], al
		sub	eax, 30003000h
		add	[eax], dh
		add	[eax], dh
		add	ds:30003000h, ch
		add	[eax], dh
		add	[eax], dh
		add	ds:46004600h, ch
		add	[esi+0], al
		inc	esi
		add	ds:46004600h, ch
		add	[esi+0], al
		inc	esi
		add	[esi+0], al
		inc	esi
		add	[esi+0], al
		inc	esi
		add	[esi+0], al
		inc	esi
		add	[esi+0], al
		inc	esi
		add	[ebp+0], bh
; 
		dw 0
; wchar_t ??_C
??_C@_1BK@CCOOHMCM@?$AAH?$AAT?$AAR?$AAE?$AAE?$AA?2?$AAR?$AAO?$AAO?$AAT?$AA?2?$AA0@PBOPGDP@:
					; DATA XREF: IopInitializePlugPlayServices(x,x)+583o
					; IopInitializePlugPlayServices(x,x)+5A5o ...
		unicode	0, <HTREE\ROOT\0>,0
; 

??_C@_1BO@MAAICHKD@?$AAR?$AAo?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe@PBOPGDP@:
					; DATA XREF: IopInitializePlugPlayServices(x,x)+48Fo
		push	edx
		add	[edi+0], ch
		insb
		add	[eax+eax+62h], ch
		add	[ecx+0], ah
		arpl	[eax], ax
		imul	eax, [eax], 41h
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 650076h
; 
		dw 0
; 

??_C@_1BA@GGIBCIOH@?$AAU?$AAp?$AAg?$AAr?$AAa?$AAd?$AAe@PBOPGDP@:
					; DATA XREF: IopInitializePlugPlayServices(x,x)+44Co
		push	ebp
		add	[eax+0], dh
		add	[bp+si+0], dh
		popa
		add	[eax+eax+65h], ah
; 
		db 3 dup(0)
; 

??_C@_1CG@DOIHNFDF@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AAP?$AAn?$AAp?$AAM?$AAa?$AAn?$AAa@PBOPGDP@:
					; DATA XREF: IopInitializePlugPlayServices(x,x)+6BFo
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		pop	esp
		add	[eax+0], dl
		outsb
		add	[eax+0], dh
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CC@OINPPADF@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAL?$AAo?$AAa?$AAd?$AAP?$AAo?$AAl?$AAi?$AAc@PBOPGDP@:
					; DATA XREF: IopInitializeBootDrivers+10Ao
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		dec	esp
		add	[edi+0], ch
		popa
		add	[eax+eax+50h], ah
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dw 0
??_C@_1HO@HDMJFOBD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: IopInitializeBootDrivers+E9o
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\EarlyL>
		unicode	0, <aunch>,0
; 

??_C@_1IA@ELGFJICG@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: IopInitializeBootDrivers+B1o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[eax+0], dl
		outsd
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		imul	eax, [eax], 730065h
		pop	esp
		add	[ebp+0], al
		popa
		add	[edx+0], dh
		insb
		add	[ecx+0], bh
		dec	esp
		add	[ecx+0], ah
		jnz	short $+2
		outsb
		add	[ebx+0], ah

loc_ADDCC6:				; DATA XREF: PipCheckDependencies+1Bo
		push	44000000h
		add	[ebp+0], ah
		jo	short $+2
		add	gs:[esi+0], ch
		add	fs:[edi+0], cl
		outsb
		add	[edi+0], al
		jb	short $+2
		outsd
		add	[ebp+0], dh
		jo	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CE@DFDJALFB@?$AAB?$AAo?$AAo?$AAt?$AA?5?$AAB?$AAu?$AAs?$AA?5?$AAE?$AAx?$AAt?$AAe?$AAn?$AAd@PBOPGDP@:
					; DATA XREF: IopInitializeBootDrivers+23Fo
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+20h], dh
		add	[edx+0], al
		jnz	short $+2
		jnb	short $+2
		and	[eax], al
		inc	ebp
		add	[eax+0], bh
		jz	short $+2
		add	gs:[esi+0], ch
		add	fs:[ebp+0], ah
		jb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1CA@FJJAHGFO@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?5?$AAR?$AAe?$AAs?$AAe?$AAr?$AAv?$AAe?$AAd@PBOPGDP@:
					; DATA XREF: IopInitializeBootDrivers+22Eo
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		add	gs:[edx+0], dh
		jbe	short $+2
		add	gs:[eax+eax+0],	ah
; 
		db 0
??_C@_11LOCGONAA@@PBOPGDP@ dw 0		; DATA XREF: IopInitializeBootDrivers+1A1o
					; PipInitializeDriverDependentDLLs(x,x)+D1o ...
??_C@_1CA@DOFLLPJ@?$AA?2?$AAF?$AAi?$AAl?$AAe?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAR?$AAA?$AAW@PBOPGDP@:
					; DATA XREF: IopInitializeBootDrivers+185o
		unicode	0, <\FileSystem\RAW>,0
??_C@_1CO@IJDDDFMO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: PipUnloadEarlyLaunchDrivers(x)+33o
		unicode	0, <\Registry\Machine\ELAM>,0
; 

??_C@_1BM@HPEBLEEL@?$AAS?$AAt?$AAa?$AAr?$AAt?$AAO?$AAv?$AAe?$AAr?$AAr?$AAi?$AAd?$AAe@PBOPGDP@:
					; DATA XREF: IopInitializeBootDrivers+2D231o
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
		dec	edi
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_15KNBIKKIN@?$AA?$CF?$AAd@PBOPGDP@: ; DATA	XREF: IopInitializeBootDrivers+4E7o
		and	eax, 6400h
; 
		db 0
??_C@_1M@LHGLMLD@?$AAG?$AAr?$AAo?$AAu?$AAp@PBOPGDP@:
					; DATA XREF: IopInitializeSystemDrivers+D9o
					; PipGetDriverTagPriority+48o ...
		unicode	0, <Group>,0
??_C@_17COOIMOOP@?$AAT?$AAa?$AAg@PBOPGDP@: ; DATA XREF:	PipGetDriverTagPriority+9Fo
		unicode	0, <Tag>,0
??_C@_1IE@JFLGONEL@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: PipGetDriverTagPriority+35o
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\GroupO>
		unicode	0, <rderList>,0
??_C@_1CA@KLKNBMIL@?$AAI?$AAN?$AAI?$AAT?$AAS?$AAT?$AAA?$AAR?$AAT?$AAF?$AAA?$AAI?$AAL?$AAE?$AAD@PBOPGDP@:
					; DATA XREF: IopInitializeSystemDrivers+168o
		unicode	0, <INITSTARTFAILED>,0
??_C@_19DDCEFKEI@?$AAE?$AAn?$AAu?$AAm@PBOPGDP@:	; DATA XREF: IopInitializeSystemDrivers+B9o
		unicode	0, <Enum>,0
; 

??_C@_19DOLMIDJD@?$AAL?$AAi?$AAs?$AAt@PBOPGDP@:
					; DATA XREF: PiInitCacheGroupInformation()+43o
		dec	esp
		add	[ecx+0], ch
		jnb	short $+2
		jz	short $+2
; 
		dw 0
??_C@_1IK@LOKJJLEF@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: PiInitCacheGroupInformation()+2Bo
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\Servic>
		unicode	0, <eGroupOrder>,0
; 

??_C@_1BA@LIACFDLB@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@PBOPGDP@:
					; DATA XREF: PiInitFirmwareResources+F6BEo
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		db 2 dup(0)
; 

??_C@_19LKGGJOEB@?$AAE?$AAS?$AAR?$AAT@PBOPGDP@:	; DATA XREF: PiInitFirmwareResources+F61Ao
		inc	ebp
		add	[ebx+0], dl
		push	edx
		add	[eax+eax+0], dl
; 
		db 0
; 

??_C@_1EA@OIKLMKHD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: PiInitFirmwareResources+F5E4o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[eax+0], cl
		inc	ecx
		add	[edx+0], dl
		inc	esp
		add	[edi+0], dl
		inc	ecx
		add	[edx+0], dl
		inc	ebp
		add	[eax+eax+55h], bl
		add	[ebp+0], al
		inc	esi
		add	[ecx+0], cl
; 
		dw 0
??_C@_1IG@GGMOEGCN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: PipInitDeviceOverrideCache+56o
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\Device>
		unicode	0, <Overrides>,0
??_C@_1CE@IHKFLCFN@?$AAL?$AAa?$AAs?$AAt?$AAA?$AAt?$AAt?$AAe?$AAm?$AAp?$AAt?$AAS?$AAt?$AAa?$AAt@PBOPGDP@	db 'L',0
					; DATA XREF: PiInitFirmwareResources+F742o
					; BapdpRegisterFwUpdateResults(x,x)+15Do
aAstattemptstat:
		unicode	0, <astAttemptStatus>,0
; 

??_C@_1CG@LGDNDENB@?$AAL?$AAa?$AAs?$AAt?$AAA?$AAt?$AAt?$AAe?$AAm?$AAp?$AAt?$AAV?$AAe?$AAr?$AAs@PBOPGDP@:
					; DATA XREF: PiInitFirmwareResources+F716o
					; BapdpRegisterFwUpdateResults(x,x)+137o
		dec	esp
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		inc	ecx
		add	[eax+eax+74h], dh
		add	[ebp+0], ah
		insd
		add	[eax+0], dh
		jz	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
; 

??_C@_1CO@CCJBOFHH@?$AAL?$AAo?$AAw?$AAe?$AAs?$AAt?$AAS?$AAu?$AAp?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd@PBOPGDP@:
					; DATA XREF: PiInitFirmwareResources+F6EAo
		dec	esp
		add	[edi+0], ch
		ja	short $+2
		add	gs:[ebx+0], dh
		jz	short $+2
		push	ebx
		add	[ebp+0], dh
		jo	short $+2
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		add	gs:[eax+eax+56h], ah
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		db 2 dup(0)
; 

??_C@_15NCCOGFKM@?$AAI?$AAd@PBOPGDP@:	; DATA XREF: PipHardwareConfigInit+1AAo
					; PipHardwareConfigInit+12C04o	...
		dec	ecx
		add	[eax+eax+0], ah
; 
		db 0
??_C@_1BG@CNBOIILD@?$AAL?$AAa?$AAs?$AAt?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@PBOPGDP@:
					; DATA XREF: PipHardwareConfigInit+13Fo
		unicode	0, <LastConfig>,0
??_C@_1BK@CGJOHCEH@?$AAR?$AAe?$AAs?$AAp?$AAe?$AAc?$AAi?$AAa?$AAl?$AAi?$AAz?$AAe@PBOPGDP@ db 'R',0
					; DATA XREF: PipHardwareConfigInit+DEo
					; PipHardwareConfigInit+38Eo ...
aEspecialize:
		unicode	0, <especialize>,0
??_C@_1CI@ICGFNELF@?$AAR?$AAe?$AAs?$AAp?$AAe?$AAc?$AAi?$AAa?$AAl?$AAi?$AAz?$AAe?$AAS?$AAt?$AAa@PBOPGDP@:
					; DATA XREF: PipHardwareConfigInit+374o
		unicode	0, <RespecializeStarted>,0
??_C@_1M@PNBPANGG@?$AAR?$AAe?$AAs?$AAe?$AAt@PBOPGDP@:
					; DATA XREF: PipHardwareConfigInit+332o
					; PipHardwareConfigInit+12C87o
		unicode	0, <Reset>,0
??_C@_1BA@LLDEAMNN@?$AAL?$AAa?$AAs?$AAt?$AAU?$AAs?$AAe@PBOPGDP@:
					; DATA XREF: PipHardwareConfigInit+26Co
		unicode	0, <LastUse>,0
; 

??_C@_1O@FPIIFKIC@?$AAL?$AAa?$AAs?$AAt?$AAI?$AAd@PBOPGDP@:
					; DATA XREF: PipHardwareConfigInit+12B22o
					; PipHardwareConfigInit+12BCAo
		dec	esp
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		dec	ecx
		add	[eax+eax+0], ah
; 
		db 0
; 

??_C@_1BG@NPDIHKNP@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAI?$AAd?$AAs@PBOPGDP@:
					; DATA XREF: PipInitComputerIds+12Bo
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		dec	ecx
		add	[eax+eax+73h], ah
; 
		db 3 dup(0)
??_C@_1BI@CEAGCKOK@?$AAC?$AAo?$AAm?$AAp?$AAu?$AAt?$AAe?$AAr?$AAI?$AAd?$AAs@PBOPGDP@:
					; DATA XREF: PipInitComputerIds+D1o
		unicode	0, <ComputerIds>,0
??_C@_1CE@CGBOJPBG@?$AAC?$AAo?$AAm?$AAp?$AAu?$AAt?$AAe?$AAr?$AAM?$AAe?$AAt?$AAa?$AAd?$AAa?$AAt@PBOPGDP@:
					; DATA XREF: PipInitComputerIds+B67o
		unicode	0, <ComputerMetadata\>,0
; wchar_t ??_C
??_C@_15LHNHECKK@?$AA?$CF?$AAx@PBOPGDP@: ; DATA	XREF: PipInitComputerIds+A26o
		unicode	0, <%x>,0
; 

; wchar_t ??_C
??_C@_1BE@CBLLAGJJ@?$AA?$CF?$AA0?$AA2?$AAx?$AA?$CG?$AA?$CF?$AA0?$AA2?$AAx@PBOPGDP@:
					; DATA XREF: PipInitComputerIds+668o
		and	eax, 32003000h
		add	[eax+0], bh
		add	es:32003000h, ah
		add	[eax+0], bh
; 
		db 2 dup(0)
; 

??_C@_1BM@HJMNCFND@?$AAE?$AAn?$AAc?$AAl?$AAo?$AAs?$AAu?$AAr?$AAe?$AAT?$AAy?$AAp?$AAe@PBOPGDP@:
					; DATA XREF: PipInitComputerIds+549o
		inc	ebp
		add	[esi+0], ch
		arpl	[eax], ax
		insb
		add	[edi+0], ch
		jnb	short $+2
		jnz	short $+2
		jb	short $+2
		add	gs:[eax+eax+79h], dl
		add	[eax+0], dh
		add	gs:[eax], al

loc_ADE159:				; DATA XREF: PipResetDevices(x)+4Do
		add	[eax+eax+65h], al
		add	[esi+0], dh
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], ah
		inc	ebp
		add	[esi+0], dh
		add	gs:[edx+0], dh
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
; wchar_t ??_C
??_C@_1BA@DEHANLLM@?$AA?$CF?$AAw?$AAs?$AA_?$AA?$CF?$AAw?$AAs@PBOPGDP@:
					; DATA XREF: PipCreateComputerId+187o
		unicode	0, <%ws_%ws>,0
??_C@_17NIABIIAO@?$AAx?$AA8?$AA6@PBOPGDP@: ; DATA XREF:	PipCreateComputerId+17Eo
		unicode	0, <x86>,0
; 

??_C@_0CP@DMMJOECI@Resetting?5devices?5in?5device?5set@PBOPGDP@:
					; DATA XREF: PipResetMatchingFilteredDevices+144E8o
		push	edx
		db	65h
		jnb	short loc_ADE201
		jz	short near ptr loc_ADE211+1
		imul	ebp, [esi+67h],	76656420h
		imul	esp, [ebx+65h],	6E692073h
		and	[ebp+76h], ah
		imul	esp, [ebx+65h],	74657320h
		jnz	short near ptr loc_ADE227+2
		and	[ebx+6Ch], ah
		popa
		jnb	short loc_ADE232
		and	[edi], ah
		and	eax, 0A277377h
		add	ah, cl
; 
; char ??_C[]
??_C@_0BI@BGOEFHIP@Resetting?5device?5?8?$CFws?8?6@PBOPGDP@ db 'Resetting device ',27h,'%ws',27h,0Ah,0
					; DATA XREF: PipResetDevice(x,x)+24o

;  S U B	R O U T	I N E 


??_C@_1JG@DMEADAPE@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@PBOPGDP@ proc near
					; DATA XREF: PipResetDevices(x)+78o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
??_C@_1JG@DMEADAPE@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@PBOPGDP@ endp


loc_ADE201:				; CODE XREF: INIT:00ADE199j
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh

loc_ADE211:				; CODE XREF: INIT:00ADE19Cj
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		jz	short $+2
		popa

loc_ADE227:				; CODE XREF: INIT:00ADE1B7j
		add	[eax+eax+65h], dh
		add	[ebx+0], dl
		add	gs:[eax+0], dh

loc_ADE232:				; CODE XREF: INIT:00ADE1BDj
		popa
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+eax+50h], bl
		add	[esi+0], ch
		push	eax
		add	[eax+eax+52h], bl
		add	[ebp+0], ah
		jnb	short $+2
		add	gs:[eax+eax+44h], dh
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		pop	esp
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1JE@CCFAJHHG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@PBOPGDP@ proc near
					; DATA XREF: PipResetDevices(x)+6Ao
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
??_C@_1JE@CCFAJHHG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC@PBOPGDP@ endp

		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+65h], dh
		add	[ebx+0], dl
		add	gs:[eax+0], dh
		popa
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+eax+50h], bl
		add	[esi+0], ch
		push	eax
		add	[eax+eax+52h], bl
		add	[ebp+0], ah
		jnb	short $+2
		add	gs:[eax+eax+44h], dh
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		pop	esp
		add	[ebx+0], al
		insb
		add	[ecx+0], ah
		jnb	short $+2
		jnb	short $+2
		add	gs:[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1CA@NPBOKNOJ@?$AAM?$AAi?$AAg?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAS?$AAt?$AAa?$AAt?$AAu?$AAs@PBOPGDP@:
					; DATA XREF: PipMigratePnpState+143FFo
					; PipMigratePnpState+14589o ...
		dec	ebp
		add	[ecx+0], ch
		add	[bp+si+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1DC@EAKGAEM@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA?2?$AAS?$AAe?$AAt?$AAu?$AAp?$AA?2?$AAU?$AAp@PBOPGDP@:
					; DATA XREF: PipMigratePnpState+4Do
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], dl
		add	gs:[eax+eax+75h], dh
		add	[eax+0], dh
		pop	esp
		add	[ebp+0], dl
		jo	short $+2
		add	[bp+si+0], dh
		popa
		add	[eax+eax+65h], ah
		add	[eax+eax+50h], bl
		add	[esi+0], ch
		push	eax
; 
		db 3 dup(0)
; 

; char ??_C
??_C@_0CE@BGANPMMF@Resetting?5devices?5related?5to?5?8?$CF@PBOPGDP@:
					; DATA XREF: PipResetMatchingFilteredDevices+144FAo
		push	edx
		db	65h
		jnb	short loc_ADE3C5
		jz	short near ptr loc_ADE3D5+1
		imul	ebp, [esi+67h],	76656420h
		imul	esp, [ebx+65h],	65722073h
		insb
		popa
		jz	short loc_ADE3D9
		and	fs:[edi+ebp*2+20h], dh
		daa
		and	eax, 0A277377h
; 
		db 0
; 

??_C@_0CH@DBLIHBID@Resetting?5devices?5using?5service@PBOPGDP@:
					; DATA XREF: PipResetMatchingFilteredDevices+144F3o
		push	edx
		db	65h
		jnb	short loc_ADE3E9
		jz	short near ptr loc_ADE3F6+4
		imul	ebp, [esi+67h],	76656420h
		imul	esp, [ebx+65h],	73752073h
		imul	ebp, [esi+67h],	72657320h
		jbe	short near ptr loc_ADE405+1
		arpl	[ebp+20h], sp
		daa
		and	eax, 0A277377h
		add	ah, cl

??_C@_1BM@JHDACHBJ@?$AAT?$AAa?$AAr?$AAg?$AAe?$AAt?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@PBOPGDP@:
					; DATA XREF: PipMigratePnpState+145DAo
		push	esp
		add	[ecx+0], ah
		jb	short $+2
		add	[di+0],	ah
		jz	short $+2
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
; 

??_C@_1BM@HNBIHKIB@?$AAM?$AAi?$AAg?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAT?$AAi?$AAm?$AAe@PBOPGDP@:
					; DATA XREF: PipMigratePnpState+144A6o
					; PipMigratePnpState+14533o ...
		dec	ebp

loc_ADE3C5:				; CODE XREF: INIT:00ADE35Dj
		add	[ecx+0], ch
		add	[bp+si+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb

loc_ADE3D5:				; CODE XREF: INIT:00ADE360j
		add	[eax+eax+69h], dl

loc_ADE3D9:				; CODE XREF: INIT:00ADE372j
		add	[ebp+0], ch
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1DA@PEBFPDJH@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAM@PBOPGDP@:
					; DATA XREF: PipMigratePnpState+1447Co
					; PipMigratePnpState+1450Ao
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh

loc_ADE3E9:				; CODE XREF: INIT:00ADE381j
		add	[edi+0], ch
		insb
		add	[eax+eax+44h], bl
		add	[ebp+0], ah
		jbe	short $+2

loc_ADE3F6:				; CODE XREF: INIT:00ADE384j
		imul	eax, [eax], 650063h
		dec	ebp
		add	[ecx+0], ch
		add	[bp+si+0], dh
		popa

loc_ADE405:				; CODE XREF: INIT:00ADE39Bj
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 3 dup(0)
; 

??_C@_1CE@MEIKCFL@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS@PBOPGDP@:
					; DATA XREF: PipMigratePnpState+14446o
		inc	ebx
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+0],	dh
		add	[ebx+0], al	; DATA XREF: PipMigrateCleanServiceCallback(x,x,x,x)+53o
		insb
		add	[ebp+0], ah
		popa
		add	[esi+0], ch
; 
		dw 0
; 

??_C@_1BC@DHAHNLLM@?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe?$AAs@PBOPGDP@:
					; DATA XREF: PipMigratePnpState+14648o
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BI@OGGIKDOE@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAa@PBOPGDP@:
					; DATA XREF: PiCreateDriverDataDirectoryRoot+FAo
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BG@PDMPPEN@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAD?$AAa?$AAt?$AAa@PBOPGDP@:
					; DATA XREF: PiCreateDriverDataDirectoryRoot+54o
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
; 
		db 3 dup(0)
; void ??_C
??_C@_1FA@LKHFNIDA@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@PBOPGDP@:
					; DATA XREF: PiCreateDriverDataDirectoryRoot+4Co
		unicode	0, <\SystemRoot\System32\Drivers\DriverData>,0
??_C@_1DE@EDFFMAOJ@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAR?$AAe?$AAs?$AAe?$AAt?$AAM?$AAa?$AAx?$AAi@PBOPGDP@:
					; DATA XREF: IopQueryDeviceResetRegistrySettings+3Fo
		unicode	0, <DeviceResetMaximumRetries>,0
??_C@_1DC@EBIJEFNM@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAR?$AAe?$AAs?$AAe?$AAt?$AAR?$AAe?$AAt?$AAr@PBOPGDP@:
					; DATA XREF: IopQueryDeviceResetRegistrySettings+1Do
		unicode	0, <DeviceResetRetryInterval>,0
??_C@_1HA@JIFMKPBK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@ db '\',0
					; DATA XREF: PpLastGoodDoBootProcessing+31o
aRegistryMac_16:
		unicode	0, <Registry\Machine\System\LastKnownGoodRecovery\LastGood>,0
; 

??_C@_1CK@BMHMHDCI@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAL?$AAa?$AAs@PBOPGDP@:
					; DATA XREF: PpLastGoodDoBootProcessing+Eo
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		inc	edi
		add	[edi+0], ch
		outsd
		add	[eax+eax+0], ah
		add	[eax+eax+53h], bl
					; DATA XREF: PiLastGoodRevertLastKnownDirectory(x,x)+15Fo
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
; 
		db 0
		db 2 dup(0)
; 

??_C@_1HI@JJAPFIHO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: PpLastGoodDoBootProcessing+4Do
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		dec	ebx
		add	[esi+0], ch
		outsd
		add	[edi+0], dh
		outsb
		add	[edi+0], al
		outsd
		add	[edi+0], ch
		add	fs:[edx+0], dl
		add	gs:[ebx+0], ah
		outsd
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jns	short $+2
		pop	esp
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		inc	edi
		add	[edi+0], ch
		outsd
		add	[eax+eax+2Eh], ah
		add	[eax+eax+6Dh], dl
		add	[eax+0], dh
; 
		db 2 dup(0)
; 

??_C@_1DC@HBEOHGCL@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAL?$AAa?$AAs@PBOPGDP@:
					; DATA XREF: PpLastGoodDoBootProcessing+3Fo
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		inc	edi
		add	[edi+0], ch
		outsd
		add	[eax+eax+2Eh], ah
		add	[eax+eax+6Dh], dl
		add	[eax+0], dh
; 
		dw 0
??_C@_1CC@HLGJCCDP@?$AAD?$AAm?$AAa?$AAG?$AAu?$AAa?$AAr?$AAd?$AAT?$AAe?$AAs?$AAt?$AAM?$AAo?$AAd@PBOPGDP@:
					; DATA XREF: PiDmaGuardProcessRegistry+Eo
		unicode	0, <DmaGuardTestMode>,0
; 

??_C@_1CK@GFEHGGAK@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAU?$AAp?$AAd?$AAa?$AAt?$AAe?$AAs?$AAP?$AAe@PBOPGDP@:
					; DATA XREF: PpDevCfgInit+12Eo
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		push	ebp
		add	[eax+0], dh
		add	fs:[ecx+0], ah
		jz	short $+2
		add	gs:[ebx+0], dh
		push	eax
		add	[ebp+0], ah
		outsb
		add	[eax+eax+69h], ah
		add	[esi+0], ch
		add	[bx+si], al
; 
		db 0
??_C@_1BG@PGIGMDPA@?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe?$AAr?$AAs@PBOPGDP@:
					; DATA XREF: PpDevCfgInit+10Ao
		unicode	0, <Parameters>,0
; 

??_C@_1BM@OAGJGBCL@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl@PBOPGDP@:
					; DATA XREF: PpDevCfgInit+CBo
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[eax+eax+6Ch], ch
; 
		db 0
		db 2 dup(0)
; 

??_C@_1CO@FBODLIMA@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AAS?$AAo?$AAf?$AAt?$AAw?$AAa?$AAr@PBOPGDP@:
					; DATA XREF: PiSwInit()+6Do
		pop	esp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		pop	esp
		add	[ebx+0], dl
		outsd
		add	[esi+0], ah
		jz	short $+2
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
; 
		dw 0
??_C@_1CE@IKGPEGDF@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAA@PBOPGDP@:
					; DATA XREF: PiDaDriverEntry+52o
		unicode	0, <\Device\DeviceApi>,0
??_C@_1CE@LBEPOOOC@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAA@PBOPGDP@:
					; DATA XREF: PiDaInit()+1Eo
		unicode	0, <\Driver\DeviceApi>,0
??_C@_1FC@OBEGEIPL@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAP?$AAe?$AAn?$AAd?$AAi?$AAn?$AAg@PBOPGDP@:
					; DATA XREF: PipProcessPendingServices+3Do
					; PipCommitPendingService(x,x,x,x)+69o
		unicode	0, <Control\PendingDriverOperations\Services>,0
; wchar_t ??_C
??_C@_1BC@FNLKCFOP@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAL?$AAo?$AAg@PBOPGDP@ db	'E',0
					; DATA XREF: PipCommitPendingService(x,x,x,x)+C8o
					; PipCommitPendingService(x,x,x,x)+18Ao ...
aVentlog:
		unicode	0, <ventLog>,0
; 

??_C@_1CC@LPKCGKMO@?$AAD?$AAe?$AAp?$AAe?$AAn?$AAd?$AAO?$AAn?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr@PBOPGDP@:
					; DATA XREF: PipProcessPendingObjects(x,x,x,x,x)+119o
					; PipProcessPendingObjects(x,x,x,x,x)+172o
		inc	esp
		add	[ebp+0], ah
		jo	short $+2
		add	gs:[esi+0], ch
		add	fs:[edi+0], cl
		outsb
		add	[esi+0], al
		imul	eax, [eax], 6D0072h
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1DI@FAEMCGLM@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAO?$AAs?$AAE?$AAx?$AAt?$AAe?$AAn@PBOPGDP@:
					; DATA XREF: PipCommitPendingOsExtensionResource(x,x,x,x)+AEo
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+4Fh], bl
		add	[ebx+0], dh
		inc	ebp
		add	[eax+0], bh
		jz	short $+2
		add	gs:[esi+0], ch
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
		add	[edx+0], ah
		popa
		add	[ebx+0], dh
		add	gs:[eax], al

loc_ADE845:				; DATA XREF: PipProcessPendingOsExtensionResources+3Do
					; PipCommitPendingOsExtensionResource(x,x,x,x)+52o
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+0], dl
		add	gs:[esi+0], ch
		add	fs:[ecx+0], ch
		outsb
		add	[edi+0], ah
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		dec	edi
		add	[eax+0], dh
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
		pop	esp
		add	[edi+0], cl
		jnb	short $+2
		inc	ebp
		add	[eax+0], bh
		jz	short $+2
		add	gs:[esi+0], ch
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		inc	esp
		add	[ecx+0], ah
		jz	short $+2
		popa
		add	[edx+0], ah
		popa
		add	[ebx+0], dh
		add	gs:[eax], al

loc_ADE8AD:				; DATA XREF: PipCslCreateCallback(x)+9o
		add	[eax+eax+43h], bl
		add	[ecx+0], ah
		insb
		add	[eax+eax+62h], ch
		add	[ecx+0], ah
		arpl	[eax], ax
		imul	eax, [eax], 5Ch
		add	[ecx+0], cl
		outsd
		add	[ebp+0], al
		js	short $+2
		jz	short $+2
		add	gs:[edx+0], dh
		outsb
		add	[ecx+0], ah
		insb
		add	[eax+eax+6Dh], al
		add	[ecx+0], ah
		push	ebp
		add	[esi+0], ch
		bound	eax, [eax]
		insb
		add	[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 0
		add	[eax+eax+43h], bl ; DATA XREF: EtwpInitialize:loc_AE4E6Bo
					; PopSetupKsrCallbacks:loc_AEB891o ...
		add	[ecx+0], ah
		insb
		add	[eax+eax+62h], ch
		add	[ecx+0], ah
		arpl	[eax], ax
		imul	eax, [eax], 5Ch
		add	[ebx+0], dl
		outsd
		add	[esi+0], ah
		jz	short $+2
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		popa
		add	[edx+0], dh
		jz	short $+2
; 
		dw 0
; char ??_C[]
??_C@_0BD@CKAEPKPP@DISABLEDYNAMICTICK@PBOPGDP@ db 'DISABLEDYNAMICTICK',0
					; DATA XREF: KeInitializeClock+CAo
		align 4

??_C@_1BG@POLIPCMA@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAV?$AAm?$AAe@PBOPGDP@:
					; DATA XREF: KeI386VdmInitialize()+74o
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	esi
		add	[ebp+0], ch
		add	gs:[eax], al

loc_ADE941:				; DATA XREF: KeI386VdmInitialize()+33o
		add	[eax+eax+52h], bl
		add	[ebp+0], al
		inc	edi
		add	[ecx+0], cl
		push	ebx
		add	[eax+eax+52h], dl
		add	[ecx+0], bl
		pop	esp
		add	[ebp+0], cl
		inc	ecx
		add	[ebx+0], al
		dec	eax
		add	[ecx+0], cl
		dec	esi
		add	[ebp+0], al
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al
		dec	ebp
		add	[eax+eax+43h], bl
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[edi+0], dl
		outsd
		add	[edi+0], dh
; 
		dw 0
; 

??_C@_1BK@BAEKFJOA@?$AAh?$AAw?$AAp?$AAo?$AAl?$AAi?$AAc?$AAy?$AA?4?$AAs?$AAy?$AAs@PBOPGDP@:
					; DATA XREF: KiHwPolicyFindDriverImage(x)+1Eo
		push	70007700h
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
		add	cs:[ebx+0], dh
		jns	short $+2
		jnb	short $+2
; 
		db 2 dup(0)
; 

; char ??_C
??_C@_0N@IGHPMJHE@MAXGROUP?$DNOFF@PBOPGDP@: ; DATA XREF: KiPerformGroupConfiguration+250o
		dec	ebp
		inc	ecx
		pop	eax
		inc	edi
		push	edx
		dec	edi
		push	ebp
		push	eax
		cmp	eax, 46464Fh
		int	3		; Trap to Debugger
; 
; char ??_C[]
??_C@_08IABDDFLJ@MAXGROUP@PBOPGDP@ db 'MAXGROUP',0
					; DATA XREF: KiPerformGroupConfiguration+263o
		align 2
; char ??_C[]
??_C@_0BA@LJLLKALL@NOEXECUTE?$DNOPTIN@PBOPGDP@ db 'NOEXECUTE=OPTIN',0
					; DATA XREF: KiInitializeNxSupportDiscard+43o
; char ??_C[]
??_C@_0BB@LHMFFKLJ@NOEXECUTE?$DNOPTOUT@PBOPGDP@	db 'NOEXECUTE=OPTOUT',0
					; DATA XREF: KiInitializeNxSupportDiscard+2Bo
		align 4
; char ??_C[]
??_C@_0BD@BLJGODAL@NOEXECUTE?$DNALWAYSON@PBOPGDP@ db 'NOEXECUTE=ALWAYSON',0
					; DATA XREF: KiInitializeNxSupportDiscard+13o
		align 4

; char ??_C
??_C@_07LBDEDADF@EXECUTE@PBOPGDP@:	; DATA XREF: KiInitializeNxSupportDiscard+FE72o
		inc	ebp
		pop	eax
		inc	ebp
		inc	ebx
		push	ebp
		push	esp
		inc	ebp
		add	[esi+4Fh], cl	; DATA XREF: KiInitializeNxSupportDiscard+FE56o
		inc	ebp
		pop	eax
		inc	ebp
		inc	ebx
		push	ebp
		push	esp
		inc	ebp
		add	[esi+4Fh], cl	; DATA XREF: KiInitializeNxSupportDiscard+FE3Eo
		inc	ebp
		pop	eax
		inc	ebp
		inc	ebx
		push	ebp
		push	esp
		inc	ebp
		cmp	eax, 41574C41h
		pop	ecx
		push	ebx
		dec	edi
		inc	esi
		inc	esi
		add	[ebx+61h], al	; DATA XREF: KiInitializeMTRR+25528o
		arpl	[eax+69h], bp
		outsb
		and	[bx+di+73h], ch
		and	[ecx+ebp*2+73h], ah
		popa
		bound	ebp, [ebp+64h]
		and	[edx+79h], ah
		and	[ecx+6Eh], ch
		arpl	[edi+72h], bp
		jb	short loc_ADEAC1
		arpl	[eax+4Dh], si
		push	esp
		push	edx
		push	edx
		and	[ebx+65h], dh
		jz	short loc_ADEADC
		imul	ebp, [esi+67h],	0A2E73h
		int	3		; Trap to Debugger

; char ??_C
??_C@_0DD@INEKMLNH@KiInitializeMTRR?3?5Found?5non?9con@PBOPGDP@:
					; DATA XREF: KiInitializeMTRR:loc_AE48A6o
		dec	ebx
		imul	ecx, [ecx+6Eh],	61697469h
		insb
		imul	edi, [edx+65h],	5252544Dh
		cmp	ah, [eax]
		inc	esi
		outsd
		jnz	short loc_ADEAF4
		and	fs:[esi+6Fh], ch
		outsb
		sub	eax, 746E6F63h
		imul	esp, [edi+75h],	2073756Fh
		dec	ebp
		push	esp
		push	edx
		push	edx
		and	[ebp+61h], ch
		jnb	short near ptr loc_ADEB0A+1
		and	[edx], ecx
		add	ah, cl

; char ??_C
??_C@_0EK@BBJAFGHH@KiInitializeMTRR?3?5MTRR_MSR_DEFA@PBOPGDP@:
					; DATA XREF: KiInitializeMTRR:loc_AE4883o
		dec	ebx
		imul	ecx, [ecx+6Eh],	61697469h
		insb
		imul	edi, [edx+65h],	5252544Dh
		cmp	ah, [eax]
		dec	ebp
		push	esp
		push	edx
		push	edx
		pop	edi
		dec	ebp
		push	ebx
		push	edx
		pop	edi
		inc	esp
		inc	ebp

loc_ADEAC1:				; CODE XREF: INIT:00ADEA5Aj
		inc	esi
		inc	ecx
		push	ebp
		dec	esp
		push	esp
		and	[ecx+73h], ch
		and	[esi+6Fh], ch
		jz	short ??_C@_1CA@DLHALLFH@?$AAR?$AAe?$AAs?$AAe?$AAr?$AAv?$AAe?$AAd?$AAC?$AAp?$AAu?$AAS?$AAe?$AAt?$AAs@PBOPGDP@
		arpl	[edi+6Eh], bp
		jnb	short loc_ADEB3C
		jnb	short near ptr loc_ADEB48+1
		outs	dx, byte ptr gs:[esi]
		jz	short near ptr loc_ADEAF8+1
		bound	esp, [ebp+74h]

loc_ADEADC:				; CODE XREF: INIT:00ADEA66j
		ja	short near ptr loc_ADEB41+2
		outs	dx, byte ptr gs:[esi]
		and	[eax+72h], dh
		outsd
		arpl	[ebp+73h], sp
		jnb	short near ptr loc_ADEB57+1
		jb	short loc_ADEB5E
		or	al, cs:[eax]

??_C@_1CA@DLHALLFH@?$AAR?$AAe?$AAs?$AAe?$AAr?$AAv?$AAe?$AAd?$AAC?$AAp?$AAu?$AAS?$AAe?$AAt?$AAs@PBOPGDP@:
					; CODE XREF: INIT:00ADEACCj
					; DATA XREF: KiInitializeReservedCpuSets+52o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2

loc_ADEAF4:				; CODE XREF: INIT:00ADEA84j
		add	gs:[edx+0], dh

loc_ADEAF8:				; CODE XREF: INIT:00ADEAD7j
		jbe	short $+2
		add	gs:[eax+eax+43h], ah
		add	[eax+0], dh
		jnz	short $+2
		push	ebx
		add	[ebp+0], ah
		jz	short $+2

loc_ADEB0A:				; CODE XREF: INIT:00ADEA9Ej
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1JE@HGOMPPME@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: KiInitializeReservedCpuSets+25o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		pop	ecx
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], al

loc_ADEB3C:				; CODE XREF: INIT:00ADEAD1j
		dec	ebp
		add	[eax+eax+43h], bl

loc_ADEB41:				; CODE XREF: INIT:loc_ADEADCj
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2

loc_ADEB48:				; CODE XREF: INIT:00ADEAD3j
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh

loc_ADEB57:				; CODE XREF: INIT:00ADEAE7j
		add	[edi+0], ch
		insb
		add	[ebx+0], dl

loc_ADEB5E:				; CODE XREF: INIT:00ADEAE9j
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebx+0], ch
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
; 
		db 0
		db 2 dup(0)
; 

??_C@_0P@CCGIFHAI@Engine?5?$CB?$DN?5NULL@PBOPGDP@: ; DATA XREF:	KsepEngineInitialize+14680o
					; KsepEngineReadFlags+14517o ...
		inc	ebp
		outsb
		imul	ebp, [bp+65h], 203D2120h
		dec	esi
		push	ebp
		dec	esp
		dec	esp
		add	ah, cl

??_C@_0BP@FJIAFDAP@minkernel?2ntos?2kshim?2ksecore?4c@PBOPGDP@:
					; DATA XREF: KsepEngineInitialize+1467Bo
					; KsepEngineUninitialize(x)+46o
		insd
		imul	ebp, [esi+6Bh],	656E7265h
		insb
		pop	esp
		outsb
		jz	short near ptr loc_ADEC2C+2
		jnb	short loc_ADEC1D
		imul	esi, [ebx+68h],	69h
		insd
		pop	esp
		imul	esi, [ebx+65h],	63h
		outsd
		jb	short near ptr loc_ADEC30+3
		arpl	cs:[eax], ax
		int	3		; Trap to Debugger

; char ??_C
??_C@_0GK@EKNHKKIG@KSE?3?5Engine?5not?5initialized?5?$CIdi@PBOPGDP@:
					; DATA XREF: KseInitialize+20286o
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		inc	ebp
		outsb
		imul	ebp, [bp+65h], 746F6E20h
		and	[ecx+6Eh], ch
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		and	fs:[eax], ch
		imul	esi, fs:[ebx+61h], 64656C62h
		and	[ebp+78h], ah
		jo	short near ptr loc_ADEC61+7
		imul	esp, [ebx+69h],	2C796C74h
		and	[ebx+61h], dh
		db	66h
		and	gs:[edx+6Fh], ah
		outsd
		jz	short near ptr loc_ADEC2C+2
		outsd
		outsb
		sub	al, 20h
		jbe	short loc_ADEC79
		jb	short loc_ADEC7F
		imul	sp, [ebp+72h], 6F20h
		outsb

loc_ADEC1D:				; CODE XREF: INIT:00ADEBBFj
		sub	al, 20h
		push	edi
		imul	ebp, [esi+50h],	6F6D2045h
		db	64h
		and	gs:[edi+72h], ch

loc_ADEC2C:				; CODE XREF: INIT:00ADEBBDj
					; INIT:00ADEC0Cj
		and	[edi+ebp*2+61h], ch

loc_ADEC30:				; CODE XREF: INIT:00ADEBCCj
		db	64h, 65h
		jb	short near ptr ??_C@_0BN@KGLPCGAF@KSE?3?5Initialized?5phase?50x?$CFx?6@PBOPGDP@+18h
		imul	esi, [ebx+73h],	0A296575h
; 
		db 0
??_C@_0BN@KGLPCGAF@KSE?3?5Initialized?5phase?50x?$CFx?6@PBOPGDP@ db 'KSE: Initialized phase 0x%x',0Ah,0
					; DATA XREF: KseInitialize+C4o
		align 2

; char ??_C
??_C@_0CC@IJLGGAFB@KSE?3?5Initialization?5failed?3?50x?$CF@PBOPGDP@:
					; DATA XREF: KseInitialize+202ECo
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		dec	ecx
		outsb

loc_ADEC61:				; CODE XREF: INIT:00ADEBFAj
		imul	esi, [ecx+ebp*2+61h], 617A696Ch
		jz	short near ptr ??_C@_1FM@BFBPAOJP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@+28h
		outsd
		outsb
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	7830203Ah
; 
		db 25h
; 

loc_ADEC79:				; CODE XREF: INIT:00ADEC12j
		js	short near ptr loc_ADEC84+1
; 
		db 0
; 

; char ??_C
??_C@_0CP@CIMLLFAM@KSE?3?5KsepMatchInitAcpiOemInfo?5f@PBOPGDP@:
					; DATA XREF: KsepMatchInitMachineInfo+14631o
					; KsepMatchInitMachineInfo+14640o
		dec	ebx
		push	ebx
		inc	ebp

loc_ADEC7F:				; CODE XREF: INIT:00ADEC14j
		cmp	ah, [eax]
		dec	ebx
		jnb	short near ptr ??_C@_1FM@BFBPAOJP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@+3Dh

loc_ADEC84:				; CODE XREF: INIT:loc_ADEC79j
		jo	short near ptr ??_C@_1FM@BFBPAOJP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@+27h
		popa
		jz	short near ptr ??_C@_1FM@BFBPAOJP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@+40h
		push	74696E49h
		inc	ecx
		arpl	[eax+69h], si
		dec	edi
		db	65h
		insd
		dec	ecx
		outsb
		outsw
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78305B20h
		and	eax, 5D783830h
		or	al, [eax]
		int	3		; Trap to Debugger
; 
??_C@_1FM@BFBPAOJP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: KsepMatchInitBiosInfo+2Eo
		unicode	0, <\Registry\Machine\Hardware\Description\System>,0
; 

; char ??_C
??_C@_0CM@GMBMCLEG@KSE?3?5KsepMatchInitBiosInfo?5fail@PBOPGDP@:
					; DATA XREF: KsepMatchInitMachineInfo+146DEo
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		dec	ebx
		jnb	short near ptr ??_C@_0BO@OPGOOCEP@KSE?3?5BiosVendor?5name?5?$FL?$CFws?$FN?5?4?6@PBOPGDP@+15h
		jo	short near ptr loc_ADED5E+1
		popa
		jz	short near ptr ??_C@_0BO@OPGOOCEP@KSE?3?5BiosVendor?5name?5?$FL?$CFws?$FN?5?4?6@PBOPGDP@+18h
		push	74696E49h
		inc	edx
		imul	ebp, [edi+73h],	6F666E49h
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	78305B20h
		and	eax, 5D783830h
		or	al, [eax]

; char ??_C
??_C@_0CM@JILIAGMP@KSE?3?5KsepMatchInitCpuInfo?5faile@PBOPGDP@:
					; DATA XREF: KsepMatchInitMachineInfo+1468Ao
					; KsepMatchInitMachineInfo+14699o
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		dec	ebx
		jnb	short near ptr loc_ADED9B+6
		jo	short near ptr ??_C@_0BM@MLFPCADL@KSE?3?5BiosDate?5name?5?$FL?$CFws?$FN?5?4?6@PBOPGDP@+0Dh
		popa
		jz	short loc_ADEDA4
		push	74696E49h
		inc	ebx
		jo	short loc_ADEDBE
		dec	ecx
		outsb
		outsw
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	305B200Ah
		js	short near ptr ??_C@_0BM@MLFPCADL@KSE?3?5BiosDate?5name?5?$FL?$CFws?$FN?5?4?6@PBOPGDP@+1
		xor	[eax], bh
		js	short loc_ADEDBB

loc_ADED5E:				; CODE XREF: INIT:00ADED10j
		or	al, [eax]
; 
??_C@_0BO@OPGOOCEP@KSE?3?5BiosVendor?5name?5?$FL?$CFws?$FN?5?4?6@PBOPGDP@ db 'KSE: BiosVendor name [%ws] .',0Ah,0
					; DATA XREF: KsepMatchInitBiosInfo+144o
??_C@_0BM@MLFPCADL@KSE?3?5BiosDate?5name?5?$FL?$CFws?$FN?5?4?6@PBOPGDP@	db 'KSE: BiosDate name [%ws] .',0Ah,0
					; CODE XREF: INIT:00ADED58j
					; INIT:00ADED3Cj
					; DATA XREF: ...
; 

??_C@_0BO@PKNCBPOC@minkernel?2ntos?2kshim?2ksesdb?4c@PBOPGDP@:
					; DATA XREF: KseShimDatabaseBootInitialize+FA48o
					; KseShimDatabaseBootInitialize+FA9Do
		insd

loc_ADED9B:				; CODE XREF: INIT:00ADED3Aj
		imul	ebp, [esi+6Bh],	656E7265h
		insb
		pop	esp

loc_ADEDA4:				; CODE XREF: INIT:00ADED3Fj
		outsb
		jz	short near ptr loc_ADEE11+5
		jnb	short loc_ADEE05
		imul	esi, [ebx+68h],	69h
		insd
		pop	esp
		imul	esi, [ebx+65h],	73h
		bound	ebp, fs:[esi]
		arpl	[eax], ax

; char ??_C
??_C@_0DC@LAGJLJEN@KSE?3?5KsepSdbBootInitialize?5fail@PBOPGDP@:
					; DATA XREF: KseShimDatabaseBootInitialize+FB15o
		dec	ebx
		push	ebx
		inc	ebp

loc_ADEDBB:				; CODE XREF: INIT:00ADED5Cj
		cmp	ah, [eax]
		dec	ebx

loc_ADEDBE:				; CODE XREF: INIT:00ADED47j
		jnb	short loc_ADEE25
		jo	short near ptr loc_ADEE11+4
		bound	eax, fs:[edx+6Fh]
		outsd
		jz	short near ptr loc_ADEE11+1
		outsb
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		and	[esi+61h], ah
		imul	ebp, [ebp+64h],	726F6620h
		and	[eax+61h], dh
		jz	short near ptr loc_ADEE40+5
		push	42445320h
		and	[edx], ecx
; 
		db 0
; 

??_C@_0BJ@LBPKNCIA@KsepShimDbHandle?5?$DN?$DN?5NULL@PBOPGDP@:
					; DATA XREF: KseShimDatabaseBootInitialize+FAA2o
		dec	ebx
		jnb	short loc_ADEE52
		jo	short near ptr loc_ADEE40+2
		push	62446D69h
		dec	eax
		popa
		outsb
		db	64h
		insb
		and	gs:554E203Dh, bh
		dec	esp
		dec	esp
		add	ah, cl

??_C@_0BO@MIHHOGEB@KsepShimDbDuringBoot?5?$DN?$DN?5FALSE@PBOPGDP@:
					; DATA XREF: KseShimDatabaseBootInitialize+FA4Do
		dec	ebx

loc_ADEE05:				; CODE XREF: INIT:00ADEDA7j
		jnb	short near ptr byte_ADEE6C
		jo	short loc_ADEE5C
		push	62446D69h
		inc	esp
		jnz	short near ptr loc_ADEE81+2

loc_ADEE11:				; CODE XREF: INIT:00ADEDC7j
					; INIT:00ADEDC0j ...
		imul	ebp, [esi+67h],	746F6F42h
		and	ds:4146203Dh, bh
		dec	esp
		push	ebx
		inc	ebp
		add	[eax+eax+69h], al ; DATA XREF: KsepEngineReadFlags+14559o

loc_ADEE25:				; CODE XREF: INIT:loc_ADEDBEj
		add	[ebx+0], dh
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		push	ebx
		add	[eax+0], ch

loc_ADEE40:				; CODE XREF: INIT:00ADEDEDj
					; INIT:00ADEDE0j
		imul	eax, [eax], 73006Dh
; 
		dw 0
; 

??_C@_1CG@FKKGHNMB@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAF?$AAl@PBOPGDP@:
					; DATA XREF: KsepEngineReadFlags+1452Fo
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah

loc_ADEE52:				; CODE XREF: INIT:00ADEDEBj
		insb
		add	[ebp+0], ah
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2

loc_ADEE5C:				; CODE XREF: INIT:00ADEE07j
		imul	eax, [eax], 650063h
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
byte_ADEE6C	db 2 dup(0)		; CODE XREF: INIT:loc_ADEE05j
; 

??_C@_1JI@PIOJPGEO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: KsepEngineReadFlags+30o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp

loc_ADEE81:				; CODE XREF: INIT:00ADEE0Fj
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[eax+0], dl
		outsd
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		imul	eax, [eax], 730065h
		pop	esp
		add	[ebp+0], cl
		imul	eax, [eax], 720063h
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		pop	esp
		add	[ebx+0], al
		outsd
		add	[ebp+0], ch
		jo	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edx+0], ah
		imul	eax, [eax], 69006Ch
		jz	short $+2
		jns	short $+2
; 
		db 2 dup(0)
; 

??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@PBOPGDP@:
					; DATA XREF: KsepEngineReadFlags+14512o
		insd
		imul	ebp, [esi+6Bh],	656E7265h
		insb
		pop	esp
		outsb
		jz	short near ptr ??_C@_1IC@OOOCOOLB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@+0Ah
		jnb	short loc_ADEF71
		imul	esi, [ebx+68h],	69h
		insd
		pop	esp
		imul	esi, [ebx+65h],	72h
		imul	esi, gs:[bp+di+74h], 632E7972h
		add	ah, cl

??_C@_1BK@LNPPAKLL@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAF?$AAl?$AAa?$AAg?$AAs@PBOPGDP@:
					; DATA XREF: KsepEngineReadFlags+7Ao
					; KsepEngineReadFlags+1466Eo ...
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
		dw 0
; 

; char ??_C
??_C@_0DE@NBFNIPAL@KSE?3?5Error?5reading?5compatibilit@PBOPGDP@:
					; DATA XREF: KsepEngineReadFlags+14612o
					; KsepEngineReadFlags+14622o
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		inc	ebp
		jb	short near ptr ??_C@_1IC@OOOCOOLB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@+46h
		outsd
		jb	short loc_ADEF6F
		jb	short near ptr ??_C@_1IC@OOOCOOLB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@+3Eh
		popa
		imul	ebp, fs:[esi+67h], 6D6F6320h
		jo	short near ptr ??_C@_1IC@OOOCOOLB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@+45h
		jz	short near ptr ??_C@_1IC@OOOCOOLB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@+4Fh
		bound	ebp, [ecx+6Ch]
		imul	esi, [ecx+edi*2+20h], 3A79656Bh
		and	[ebx+74h], dh
		popa
		jz	short near ptr ??_C@_1IC@OOOCOOLB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@+6Ch

loc_ADEF6F:				; CODE XREF: INIT:00ADEF4Dj
		jnb	short near ptr ??_C@_1IC@OOOCOOLB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@+33h

loc_ADEF71:				; CODE XREF: INIT:00ADEF13j
		and	ds:0A783830h, ah
; 
		db 0
??_C@_1IC@OOOCOOLB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; CODE XREF: INIT:00ADEF11j
					; DATA XREF: KsepEngineReadFlags+53o
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\Compat>
		unicode	0, <ibility>,0
; 

; char ??_C
??_C@_0CK@GLCKPOOA@KSE?3?5Engine?5has?5group?5policy?5fl@PBOPGDP@:
					; DATA XREF: KsepEngineReadFlags+145ABo
					; KsepEngineReadFlags+145BBo
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		inc	ebp
		outsb
		imul	ebp, [bp+65h], 73616820h
		and	[edi+72h], ah
		outsd
		jnz	short near ptr loc_ADF07B+4
		and	[eax+6Fh], dh
		insb
		imul	esp, [ebx+79h],	616C6620h
		db	67h
		jnb	near ptr 0F057h
		and	ds:0A783830h, ah
; 
		db 0
??_C@_0DH@KDBKEOJJ@KSE?3?5Engine?5flags?5?$CIafter?5regist@PBOPGDP@ db 'KSE: Engine flags (after registry/group policy): %08x',0Ah,0
					; DATA XREF: KsepEngineReadFlags+CCo
		align 4

; char ??_C
??_C@_0DD@DEFAGPD@KSE?3?5Engine?5initialized?5with?5re@PBOPGDP@:
					; DATA XREF: KsepEngineReadFlags+146EDo
					; KsepEngineReadFlags+146FEo
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		inc	ebp
		outsb
		imul	ebp, [bp+65h], 696E6920h
		jz	short near ptr loc_ADF0D4+2
		popa
		insb
		imul	edi, [edx+65h],	69772064h
		jz	short near ptr loc_ADF0DF+1
		and	[edx+65h], dh

loc_ADF07B:				; CODE XREF: INIT:00ADF00Dj
		imul	esi, [bp+di+74h], 66207972h
		insb
		popa
		db	67h
		jnb	near ptr 0F0C2h
		and	ds:0A783830h, ah
		add	ah, cl

; char ??_C
??_C@_0DM@IEIMCIGI@KSE?3?5Error?5reading?5compatibilit@PBOPGDP@:
					; DATA XREF: KsepEngineReadFlags+14673o
					; KsepEngineReadFlags+14688o
		dec	ebx
		push	ebx
		inc	ebp
		cmp	ah, [eax]
		inc	ebp
		jb	short near ptr loc_ADF104+6
		outsd
		jb	short loc_ADF0BB
		jb	short near ptr loc_ADF101+1
		popa
		imul	ebp, fs:[esi+67h], 6D6F6320h
		jo	short near ptr loc_ADF104+5
		jz	short near ptr loc_ADF10E+5
		bound	ebp, [ecx+6Ch]
		imul	esi, [ecx+edi*2+20h], 756C6176h
		and	gs:[ebx+25h], bl
		ja	short near ptr loc_ADF12A+4

loc_ADF0BB:				; CODE XREF: INIT:00ADF099j
		pop	ebp
		cmp	ah, [eax]
		jnb	short near ptr loc_ADF132+2
		popa
		jz	short near ptr loc_ADF132+6
		jnb	short near ptr loc_ADF0FA+5
		and	ds:0A783830h, ah
		add	[edx+65h], bl	; DATA XREF: KseZeroPoolInitialize+15716o
		jb	short near ptr loc_ADF13D+2
		push	eax
		outsd
		outsd
		insb

loc_ADF0D4:				; CODE XREF: INIT:00ADF06Bj
		and	[ebx+68h], dh
		imul	ebp, [ebp+3Ah],	69616620h
		insb

loc_ADF0DF:				; CODE XREF: INIT:00ADF076j
		db	65h
		and	fs:[edi+ebp*2+20h], dh
		jb	short near ptr loc_ADF14B+1
		imul	esi, [bp+di+74h], 0A2E7265h
		add	[edx+75h], al	; DATA XREF: KseVersionLieInitialize+157EEo
		imul	ebp, [esp+esi*2+2Dh], 57206E69h

loc_ADF0FA:				; CODE XREF: INIT:00ADF0C3j
		imul	ebp, [esi+38h],	7620312Eh

loc_ADF101:				; CODE XREF: INIT:00ADF09Bj
		db	65h
		jb	short loc_ADF177

loc_ADF104:				; CODE XREF: INIT:00ADF0A6j
					; INIT:00ADF096j
		imul	ebp, [edi+6Eh],	65696C20h
		and	[ebx+68h], dh

loc_ADF10E:				; CODE XREF: INIT:00ADF0A8j
		imul	ebp, [ebp+73h],	6166203Ah
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr loc_ADF181+3
		imul	esi, [bp+di+74h], 0A2E7265h
		add	[edx+75h], al	; DATA XREF: KseVersionLieInitialize+157A0o
					; KseVersionLieInitialize:loc_AE79D9o

loc_ADF12A:				; CODE XREF: INIT:00ADF0B9j
		imul	ebp, [esp+esi*2+2Dh], 57206E69h

loc_ADF132:				; CODE XREF: INIT:00ADF0BEj
					; INIT:00ADF0C1j
		imul	ebp, [esi+38h],	72657620h
		jnb	short near ptr ??_C@_0CH@JAGLGLJF@KSE?9DS?3?5driver?5scope?5shim?5regis@PBOPGDP@+10h
		outsd
		outsb

loc_ADF13D:				; CODE XREF: INIT:00ADF0CEj
		and	[ecx+ebp*2+65h], ch
		and	[ebx+68h], dh
		imul	ebp, [ebp+73h],	6166203Ah

loc_ADF14B:				; CODE XREF: INIT:00ADF0E5j
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr ??_C@_0CH@JAGLGLJF@KSE?9DS?3?5driver?5scope?5shim?5regis@PBOPGDP@+26h
		imul	esi, [bp+di+74h], 0A2E7265h
		add	[edx+75h], al	; DATA XREF: KseVersionLieInitialize+1574Eo
					; KseVersionLieInitialize:loc_AE7987o
		imul	ebp, [esp+esi*2+2Dh], 57206E69h
		imul	ebp, [esi+37h],	72657620h
		jnb	short near ptr loc_ADF1D8+2
		outsd
		outsb
		and	[ecx+ebp*2+65h], ch

loc_ADF177:				; CODE XREF: INIT:loc_ADF101j
		and	[ebx+68h], dh
		imul	ebp, [ebp+73h],	6166203Ah

loc_ADF181:				; CODE XREF: INIT:00ADF11Dj
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr loc_ADF1E9+7
		imul	esi, [bp+di+74h], 0A2E7265h
; 
		db 0
??_C@_0CH@JAGLGLJF@KSE?9DS?3?5driver?5scope?5shim?5regis@PBOPGDP@ db 'KSE-DS: driver scope shim registered.',0Ah,0
					; DATA XREF: KseDriverScopeInitialize+32o
		align 4

; char ??_C
??_C@_0DG@CAOOACBL@Built?9in?5SkipDriverUnload?5shims@PBOPGDP@:
					; DATA XREF: KseSkipDriverUnloadInitialize+156F4o
		inc	edx
		jnz	short near ptr loc_ADF224+4
		insb
		jz	short near ptr loc_ADF1E9+6
		imul	ebp, [esi+20h],	70696B53h
		inc	esp
		jb	short loc_ADF235
		jbe	short loc_ADF233
		jb	short near ptr loc_ADF224+1
		outsb
		insb
		outsd
		popa
		and	fs:[ebx+68h], dh

loc_ADF1D8:				; CODE XREF: INIT:00ADF16Fj
		imul	ebp, [ebp+73h],	6166203Ah
		imul	ebp, [ebp+64h],	206F7420h
		jb	short near ptr loc_ADF24D+1

loc_ADF1E9:				; CODE XREF: INIT:00ADF1C0j
					; INIT:00ADF189j
		imul	esi, [bp+di+74h], 0A2E7265h
; 
		db 0
; 

??_C@_1DO@KHKMKABP@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AAM@PBOPGDP@:
					; DATA XREF: MxMemoryLicense(x)+36o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	ds:69005700h, ch
		add	[esi+0], ch
		add	fs:[edi+0], ch
		ja	short $+2
		jnb	short $+2
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[ecx+0], al
		insb
		add	[eax+eax+6Fh], ch
		add	[edi+0], dh

loc_ADF224:				; CODE XREF: INIT:00ADF1CEj
					; INIT:00ADF1BDj
		add	gs:[eax+eax+78h], ah
		add	[eax], bh
		add	[esi], dh
; 
		db 3 dup(0)

;  S U B	R O U T	I N E 


; char ??_C
??_C@_06OJCAKAJO@USERVA@PBOPGDP@ proc near ; DATA XREF:	MiInitializeBootDefaults:loc_AEA237o
		push	ebp
		push	ebx
		inc	ebp

loc_ADF233:				; CODE XREF: INIT:00ADF1CCj
		push	edx
		push	esi

loc_ADF235:				; CODE XREF: INIT:00ADF1CAj
		inc	ecx
		add	ah, cl
??_C@_06OJCAKAJO@USERVA@PBOPGDP@ endp


;  S U B	R O U T	I N E 


??_C@_1CO@CEOBBIMK@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAa?$AAx?$AAP?$AAh?$AAy?$AAs?$AAi@PBOPGDP@ proc near
					; DATA XREF: MxMemoryLicense(x)+41o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	ds:61004D00h, ch
		add	[eax+0], bh
		push	eax

loc_ADF24D:				; CODE XREF: INIT:00ADF1E7j
		add	[eax+0], ch
		jns	short $+2
		jnb	short $+2
		imul	eax, [eax], 610063h
		insb
		add	[eax+0], dl
		popa
		add	[edi+0], ah
		add	gs:[eax], al

loc_ADF265:				; DATA XREF: MiSectionInitialization+45o
		add	[ebx+0], dl
??_C@_1CO@CEOBBIMK@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAa?$AAx?$AAP?$AAh?$AAy?$AAs?$AAi@PBOPGDP@ endp

		add	gs:[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		db 2 dup(0)
; char ??_C[]
??_C@_0BH@BPBKOJIE@NOACCESSBITREPLACEMENT@PBOPGDP@ db 'NOACCESSBITREPLACEMENT',0
					; DATA XREF: MiInitializeSystemDefaults:loc_ADAA02o
		align 2

??_C@_1BA@FJPOMCMI@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn@PBOPGDP@:
					; DATA XREF: MiInitializeSessionIds+41o
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1BK@KDPOKCA@?$AAS?$AAy?$AAm?$AAb?$AAo?$AAl?$AAi?$AAc?$AAL?$AAi?$AAn?$AAk@PBOPGDP@	proc near
					; DATA XREF: ObInitSystem+2A2o
		push	ebx
		add	[ecx+0], bh
		insd
??_C@_1BK@KDPOKCA@?$AAS?$AAy?$AAm?$AAb?$AAo?$AAl?$AAi?$AAc?$AAL?$AAi?$AAn?$AAk@PBOPGDP@	endp

		add	[edx+0], ah
		outsd
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		dec	esp
		add	[ecx+0], ch
		outsb
		add	[ebx+0], ch
; 
		dw 0
??_C@_1BE@DNDHOCGP@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAo?$AAr?$AAy@PBOPGDP@:
					; DATA XREF: ObInitSystem+21Ao
		unicode	0, <Directory>,0
; 

??_C@_1EG@LJBMOFGE@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@PBOPGDP@:
					; DATA XREF: PfSnInitializePrefetcher()+58o
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		pop	esp
		add	[eax+0], dl
		jb	short $+2
		add	gs:[esi+0], ah
		add	gs:[eax+eax+63h], dh
		add	[eax+0], ch
		push	esp
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		push	edx
		add	[ebp+0], ah
		popa
		add	[eax+eax+79h], ah
; 
		db 0
		db 2 dup(0)
; 

??_C@_1FG@HIGCKPME@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@PBOPGDP@:
					; DATA XREF: PfpParametersInitialize(x)+68o
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		pop	esp
		add	[ebx+0], dl
		jnz	short $+2
		jo	short $+2
		add	gs:[edx+0], dh
		db	66h
		add	[ebp+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	61005000h
		add	[edx+0], dh
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
		inc	ebx
		add	[eax+0], ch
		popa
		add	[esi+0], ch
		add	[di+0],	ah
		add	fs:[eax], al

loc_ADF367:				; DATA XREF: PfpParametersInitialize(x)+82o
		add	[eax+eax+52h], bl
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+5Ch], dh
		add	[eax+0], dl
		jb	short $+2
		add	gs:[esi+0], ah
		add	gs:[eax+eax+63h], dh
		add	[eax+0], ch
		push	eax
		add	[ecx+0], ah
		jb	short $+2
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		dw 0
??_C@_1O@EALALNHK@?$AAB?$AAo?$AAo?$AAt?$AAI?$AAd@PBOPGDP@:
					; DATA XREF: PfpParametersInitialize(x)+E2o
					; PfpParametersInitialize(x)+FDo
		unicode	0, <BootId>,0
; 

??_C@_1CK@MIPHFJLM@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAP?$AAr?$AAe@PBOPGDP@:
					; DATA XREF: PfSnParametersSetDefaults(x)+57o
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[eax+0], dl
		jb	short $+2
		add	gs:[esi+0], ah
		add	gs:[eax+eax+63h], dh
		add	[eax+0], ch
; 
		dw 0
??_C@_1HE@BIDEJMEP@?$AAD?$AAL?$AAL?$AAH?$AAO?$AAS?$AAT?$AA?4?$AAE?$AAX?$AAE?$AA?0?$AAM?$AAM?$AAC@PBOPGDP@:
					; DATA XREF: PfSnParametersSetDefaults(x)+7Ao
		unicode	0, <DLLHOST.EXE,MMC.EXE,RUNDLL32.EXE,SVCHOST.EXE,TASKHOST.EXE>
		unicode	0, <>,0
??_C@_1BM@ICKAFFLD@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@PBOPGDP@:
					; DATA XREF: PopInitializeHighPerfPowerRequest+54o
		unicode	0, <Power Manager>,0
??_C@_1DI@ECBOFMBD@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?9?$AAI?$AAd?$AAl?$AAe?$AAS?$AAt?$AAa?$AAt?$AAe@PBOPGDP@:
					; DATA XREF: PpmInitIdlePolicy+D8o
		unicode	0, <Power-IdleStatesMax-Enabled>,0
; 

??_C@_1BK@FKKBABCD@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAR?$AAe?$AAq?$AAu?$AAe?$AAs?$AAt@PBOPGDP@:
					; DATA XREF: PopPowerRequestInit()+45o
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		push	edx
		add	[ebp+0], ah
		jno	short $+2
		jnz	short $+2
		add	gs:[ebx+0], dh
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1JM@PGOHLILP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: PopDiagTraceDirtyTransition(x,x,x,x,x,x,x,x,x,x,x,x)+FBo
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], al
		jb	short $+2
		popa
		add	[ebx+0], dh
		push	6F004300h
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		inc	ebx
		add	[edx+0], dh
		popa
		add	[ebx+0], dh
		push	75006400h
		add	[ebp+0], ch
		jo	short $+2
; 
		db 2 dup(0)
; 

??_C@_19GFDACHI@?$AAI?$AAn?$AAf?$AAo@PBOPGDP@:
					; DATA XREF: PopDiagTraceDirtyTransition(x,x,x,x,x,x,x,x,x,x,x,x)+106o
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
; 
		dw 0
??_C@_1EK@LILFEBPG@?$AAC?$AAh?$AAa?$AAr?$AAg?$AAe?$AAr?$AAW?$AAe?$AAa?$AAk?$AAD?$AAe?$AAt?$AAe@PBOPGDP@:
					; DATA XREF: PopBatteryInitPhaseTwo()+Fo
		unicode	0, <ChargerWeakDetectionThresholdPercent>,0
??_C@_1FA@KIMILAJ@?$AAB?$AAa?$AAt?$AAt?$AAe?$AAr?$AAy?$AAC?$AAh?$AAa?$AAr?$AAg?$AAe?$AAT?$AAr@PBOPGDP@ db 'B',0
					; DATA XREF: PopBatteryInitPhaseTwo()+2Bo
aAtterychargetr:
		unicode	0, <atteryChargeTrajectoryThresholdPercent>,0
; 

; void ??_C
??_C@_1HC@DOINKFBC@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@PBOPGDP@:
					; DATA XREF: PopInitializePowerButtonHold(x)+4Fo
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		push	ebp
		add	[edx+0], dl
		push	edx
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+43h], dl
		add	[edi+0], cl
		dec	esi
		add	[eax+eax+52h], dl
		add	[edi+0], cl
		dec	esp
		add	[ebx+0], dl
		inc	ebp
		add	[eax+eax+5Ch], dl
		add	[ebx+0], al
		dec	edi
		add	[esi+0], cl
		push	esp
		add	[edx+0], dl
		dec	edi
		add	[eax+eax+5Ch], cl
		add	[eax+0], dl
		dec	edi
		add	[edi+0], dl
		inc	ebp
		add	[edx+0], dl
; 
		dw 0
; 

??_C@_1DI@GNGJCIJC@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAB?$AAu?$AAt?$AAt?$AAo?$AAn?$AAB?$AAu?$AAg?$AAc@PBOPGDP@:
					; DATA XREF: PopInitializePowerButtonHold(x)+55o
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		inc	edx
		add	[ebp+0], dh
		jz	short $+2
		jz	short $+2
		outsd
		add	[esi+0], ch
		inc	edx
		add	[ebp+0], dh
		add	[bp+di+0], ah
		push	63006500h
		add	[ebx+0], ch
		push	ebx
		add	[ebp+0], ah
		jz	short $+2
		jz	short $+2
		imul	eax, [eax], 67006Eh
		jnb	short $+2
; 
		dw 0
??_C@_1BG@OFPPOPIP@?$AA?2?$AAP?$AAo?$AAw?$AAe?$AAr?$AAP?$AAo?$AAr?$AAt@PBOPGDP@:
					; DATA XREF: PopUmpoInitializeChannel+E7o
		unicode	0, <\PowerPort>,0
??_C@_1CE@JMMPMGFK@?$AA?2?$AAP?$AAo?$AAw?$AAe?$AAr?$AAM?$AAo?$AAn?$AAi?$AAt?$AAo?$AAr?$AAP?$AAo@PBOPGDP@ db '\',0
					; DATA XREF: PopUmpoInitializeMonitorChannel+1Ao
aPowermonitorpo:
		unicode	0, <PowerMonitorPort>,0
; 

??_C@_1BM@LENONAPF@?$AAE?$AAn?$AAe?$AAr?$AAg?$AAy?$AAT?$AAr?$AAa?$AAc?$AAk?$AAe?$AAr@PBOPGDP@:
					; DATA XREF: PopEtInit:loc_AD640Ao
		inc	ebp
		add	[esi+0], ch
		add	gs:[edx+0], dh
		add	[bx+di+0], bh
		push	esp
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 65h
		add	[edx+0], dh
; 
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1DM@JLCHDFIG@?$AAP?$AAC?$AAI?$AA_?$AAD?$AAE?$AAB?$AAU?$AAG?$AA_?$AA?$CF?$AA0?$AA4?$AAX?$AA_@PBOPGDP@:
					; DATA XREF: PoFxRegisterDebugger+F709o
		push	eax
		add	[ebx+0], al
		dec	ecx
		add	[edi+0], bl
		inc	esp
		add	[ebp+0], al
		inc	edx
		add	[ebp+0], dl
		inc	edi
		add	[edi+0], bl
		and	eax, 34003000h
		add	[eax+0], bl
		pop	edi
		add	ds:32003000h, ah
		add	[eax+0], bl
		pop	edi
		add	ds:32003000h, ah
		add	[eax+0], bl
		pop	edi
		add	ds:32003000h, ah
		add	[eax+0], bl
; 
		db 2 dup(0)
; 

??_C@_17EKANHMLE@?$AAJ?$AAo?$AAb@PBOPGDP@: ; DATA XREF:	PspInitPhase0+24Bo
		dec	edx
		add	[edi+0], ch
		bound	eax, [eax]
; 
		db 2 dup(0)
; 

??_C@_1BA@NMDNJJOO@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs@PBOPGDP@:
					; DATA XREF: PspInitPhase0+2E7o
		push	eax
		add	[edx+0], dh
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1O@CDOGJPJJ@?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd@PBOPGDP@: ; DATA XREF:	PspInitPhase0+39Ao
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ecx+0], ah
		add	fs:[eax], al
; 
		db 0
??_C@_1BE@CBCOEOIA@?$AAP?$AAa?$AAr?$AAt?$AAi?$AAt?$AAi?$AAo?$AAn@PBOPGDP@:
					; DATA XREF: PspInitPhase0+43Ao
		unicode	0, <Partition>,0
??_C@_1CE@KMPMCJPP@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAi?$AAt?$AAy?$AAR?$AAe?$AAf?$AAe?$AAr?$AAe?$AAn@PBOPGDP@:
					; DATA XREF: PspInitPhase0+570o
		unicode	0, <ActivityReference>,0
??_C@_04IBDNPPCI@Idle@PBOPGDP@ db 'Idle',0 ; DATA XREF: PspInitPhase0+776o
		align 2

??_C@_06JIODDOFH@System@PBOPGDP@:	; DATA XREF: PspInitPhase0+795o
		push	ebx
		jns	short near ptr loc_ADF8A5+3
		jz	short loc_ADF89C
		insd
		add	ah, cl
; 
??_C@_0BE@FEPJFGML@KiFastSystemCallRet@PBOPGDP@	db 'KiFastSystemCallRet',0
					; DATA XREF: PspInitializeSystemDlls+75o
; 

??_C@_1EA@MLJLEKJJ@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@PBOPGDP@:
					; DATA XREF: PspInitializeSystemPartitionPhase0+Do
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		pop	esp
		add	[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		push	eax
		add	[ecx+0], ah
		jb	short $+2
		jz	short $+2
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
		xor	[eax], al
; 
		db 2 dup(0)
; 

??_C@_1CC@FCKODIIM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAR?$AAa?$AAw?$AAC?$AAd?$AAR?$AAo@PBOPGDP@:
					; DATA XREF: RawInitialize+47o
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h

loc_ADF89C:				; CODE XREF: INIT:00ADF835j
		pop	esp
		add	[edx+0], dl
		popa
		add	[edi+0], dh
		inc	ebx

loc_ADF8A5:				; CODE XREF: INIT:00ADF833j
		add	[eax+eax+52h], ah
		add	[edi+0], ch
		insd
; 
		db 3 dup(0)
??_C@_1CA@KOHLMEHM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAR?$AAa?$AAw?$AAT?$AAa?$AAp?$AAe@PBOPGDP@:
					; DATA XREF: RawInitialize+7Co
		unicode	0, <\Device\RawTape>,0
??_C@_1CA@DMHLFLLM@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAR?$AAa?$AAw?$AAD?$AAi?$AAs?$AAk@PBOPGDP@:
					; DATA XREF: RawInitialize+Eo
		unicode	0, <\Device\RawDisk>,0
; 

??_C@_1BA@HJJDJBOL@?$AAl?$AAp?$AAa?$AAc?$AAC?$AAo?$AAm@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+A6o
		insb
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		inc	ebx
		add	[edi+0], ch
		insd
; 
		db 3 dup(0)
; 

??_C@_1CE@LBIPJBGA@?$AAl?$AAp?$AAa?$AAc?$AAA?$AAp?$AAp?$AAE?$AAx?$AAp?$AAe?$AAr?$AAi?$AAe?$AAn@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+9Co
		insb
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		inc	ecx
		add	[eax+0], dh
		jo	short $+2
		inc	ebp
		add	[eax+0], bh
		jo	short $+2
		add	gs:[edx+0], dh
		imul	eax, [eax], 6E0065h
		arpl	[eax], ax
		add	gs:[eax], al

loc_ADF923:				; DATA XREF: SepVariableInitialization()+105o
		add	[eax+eax+70h], ch
		add	[ecx+0], ah
		arpl	[eax], ax
		push	eax
		add	[esi+0], ch
		jo	short $+2
		dec	esi
		add	[edi+0], ch
		jz	short $+2
		imul	eax, [eax], 690066h
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1BE@MDCHJCLH@?$AAl?$AAp?$AAa?$AAc?$AAM?$AAe?$AAd?$AAi?$AAa@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+EDo
		insb
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		dec	ebp
		add	[ebp+0], ah
		add	fs:[ecx+0], ch
		popa
; 
		db 0
		db 2 dup(0)
; 

??_C@_1CO@GMCGHMFJ@?$AAl?$AAp?$AAa?$AAc?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe?$AAs?$AAM?$AAa?$AAn@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+12Eo
		insb
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+0], dh
; 
		db 0
??_C@_1BK@KMMANFGK@?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAR?$AAe?$AAa?$AAd@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+11Do
		unicode	0, <registryRead>,0
; 

??_C@_1CK@IBGBDPLP@?$AAl?$AAp?$AAa?$AAc?$AAI?$AAd?$AAe?$AAn?$AAt?$AAi?$AAt?$AAy?$AAS?$AAe?$AAr@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+C8o
		insb
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		dec	ecx
		add	[eax+eax+65h], ah
		add	[esi+0], ch
		jz	short $+2
		imul	eax, [eax], 790074h
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CG@JEFDGIAA@?$AAl?$AAp?$AAa?$AAc?$AAC?$AAr?$AAy?$AAp?$AAt?$AAo?$AAS?$AAe?$AAr?$AAv?$AAi@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+B0o
		insb
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		inc	ebx
		add	[edx+0], dh
		jns	short $+2
		jo	short $+2
		jz	short $+2
		outsd
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1FA@KJGLJJEA@?$AAl?$AAp?$AAa?$AAc?$AAE?$AAn?$AAt?$AAe?$AAr?$AAp?$AAr?$AAi?$AAs?$AAe?$AAP@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+E3o
		insb
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		inc	ebp
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		jo	short $+2
		jb	short $+2
		imul	eax, [eax], 650073h
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
		inc	ebx
		add	[eax+0], ch
		popa
		add	[esi+0], ch
		add	[di+0],	ah
		dec	esi
		add	[edi+0], ch
		jz	short $+2
		imul	eax, [eax], 690066h
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
; 
		db 2 dup(0)
; 

??_C@_1CI@PDLNLLIE@?$AAl?$AAp?$AAa?$AAc?$AAI?$AAn?$AAs?$AAt?$AAr?$AAu?$AAm?$AAe?$AAn?$AAt?$AAa@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+D9o
		insb
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+61h], dh
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BA@MHLBKOMP@?$AAl?$AAp?$AAa?$AAc?$AAI?$AAM?$AAE@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+28Eo
		insb
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		dec	ecx
		add	[ebp+0], cl
		inc	ebp
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BM@IJLACMGH@?$AAl?$AAp?$AAa?$AAc?$AAC?$AAl?$AAi?$AAp?$AAb?$AAo?$AAa?$AAr?$AAd@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+27Do
		insb
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		inc	ebx
		add	[eax+eax+69h], ch
		add	[eax+0], dh
		bound	eax, [eax]
		outsd
		add	[ecx+0], ah
		jb	short $+2
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1DI@IBHPAEPL@?$AAl?$AAp?$AAa?$AAc?$AAP?$AAa?$AAc?$AAk?$AAa?$AAg?$AAe?$AAM?$AAa?$AAn?$AAa@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+2A8o
		insb
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		push	eax
		add	[ecx+0], ah
		arpl	[eax], ax
		imul	eax, [eax], 61h
		add	[edi+0], ah
		add	gs:[ebp+0], cl
		popa
		add	[esi+0], ch
		popa
		add	[edi+0], ah
		add	gs:[edx+0], dh
		dec	edi
		add	[eax+0], dh
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 0
		db 2 dup(0)
; 

??_C@_1CC@MLHJLFCA@?$AAl?$AAp?$AAa?$AAc?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAA?$AAc?$AAc?$AAe?$AAs@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+29Eo
		insb
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		inc	ecx
		add	[ebx+0], ah
		arpl	[eax], ax
		add	gs:[ebx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BK@JNJNHEED@?$AAl?$AAp?$AAa?$AAc?$AAP?$AAr?$AAi?$AAn?$AAt?$AAi?$AAn?$AAg@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+15Eo
		insb
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		push	eax
		add	[edx+0], dh
		imul	eax, [eax], 74006Eh
		imul	eax, [eax], 67006Eh
; 
		db 2 dup(0)
; 

??_C@_1CM@NONINMBB@?$AAl?$AAp?$AAa?$AAc?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAM?$AAa?$AAn?$AAa@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+146o
		insb
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+0], dh

loc_ADFB3D:				; DATA XREF: SepVariableInitialization()+187o
		add	[eax+eax+70h], ch
		add	[ecx+0], ah
		arpl	[eax], ax
		push	eax
		add	[ecx+0], ah
		jns	short $+2
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+73h], dh
; 
		db 3 dup(0)
??_C@_1CA@LDBOOCPP@?$AAl?$AAp?$AAa?$AAc?$AAW?$AAe?$AAb?$AAP?$AAl?$AAa?$AAt?$AAf?$AAo?$AAr?$AAm@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+16Fo
		unicode	0, <lpacWebPlatform>,0
??_C@_1DC@PEEFCLCL@?$AAc?$AAo?$AAn?$AAs?$AAt?$AAr?$AAa?$AAi?$AAn?$AAe?$AAd?$AAI?$AAm?$AAp?$AAe@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+2CDo
		unicode	0, <constrainedImpersonation>,0
; 

??_C@_1CK@BPPHHIGP@?$AAs?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAI?$AAm?$AAp?$AAe?$AAr?$AAs?$AAo?$AAn@PBOPGDP@:
					; DATA XREF: SepVariableInitialization()+2C3o
		jnb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		dec	ecx
		add	[ebp+0], ch
		jo	short $+2
		add	gs:[edx+0], dh
		jnb	short $+2
		outsd
		add	[esi+0], ch
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 3 dup(0)
; 

??_C@_1M@JFPKKFCK@?$AAT?$AAo?$AAk?$AAe?$AAn@PBOPGDP@:
					; DATA XREF: SepTokenInitialization()+Bo
		push	esp
		add	[edi+0], ch
		imul	eax, [eax], 65h
		add	[esi+0], ch
; 
		dw 0
; 

??_C@_1GO@BNNKBEEN@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: SepAdtOpenRegAndSetupNotification(x,x,x,x)+Do
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+eax+73h], cl
		add	[ecx+0], ah
; 
		db 2 dup(0)
; 

??_C@_1MK@ENOAMLHH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: SmQueryRegistry(x)+23o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+5Ch], dh
		add	[ebx+0], dl
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[eax+0], dl
		popa
		add	[edx+0], dh
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CE@OOACAECG@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAD?$AAi?$AAr?$AAt?$AAy?$AAS?$AAt?$AAo?$AAr@PBOPGDP@:
					; DATA XREF: SmQueryRegistry(x)+29o
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	esp
		add	[ecx+0], ch
		jb	short $+2
		jz	short $+2
		jns	short $+2
		push	ebx
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
		add	gs:[ebx+0], dh
; 
		dw 0
; 

; void ??_C
??_C@_13BBDEGPLJ@?$AA?$CK@PBOPGDP@:	; DATA XREF: ViInitSystemPhase0+1A0BCo
					; ViMakeVerifierSettings(x,x)+23o
		sub	al, [eax]
; 
		dw 0
??_C@_0DB@IGBGODFP@CRASH?5TRIAGE?3?5driver?5verifier?5s@PBOPGDP@ db 'CRASH TRIAGE: driver verifier settings present.',0Ah,0
					; DATA XREF: VfTriageSystem:loc_ACCC71o
		align 2
; char ??_C[]
??_C@_0DM@DDGEBKLC@CRASH?5TRIAGE?3?5verifier?5triage?5g@PBOPGDP@ db 'CRASH TRIAGE: verifier triage global/registry settings %X ',0Ah,0
					; DATA XREF: VfTriageSystem+15o
; 

??_C@_0EC@NANKEBNG@CRASH?5TRIAGE?3?5triage?5skipped?5be@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A29Ao
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		jz	short near ptr ??_C@_0EE@NFKNPAOI@CRASH?5TRIAGE?3?5triage?5skipped?5be@PBOPGDP@+40h
		imul	esp, [ecx+67h],	6B732065h
		imul	esi, [eax+70h],	62206465h
		arpl	gs:[ecx+75h], sp
		jnb	short loc_ADFE37
		and	[ecx+74h], ch
		and	[ecx+73h], ch
		and	[ecx+ebp*2+73h], ah
		popa
		bound	ebp, [ebp+64h]
		and	[ebp+78h], ah
		jo	short near ptr loc_ADFE51+1
		imul	esp, [ebx+69h],	796C6574h
		or	al, cs:[eax]
; 
; char ??_C[]
??_C@_0EE@NFKNPAOI@CRASH?5TRIAGE?3?5triage?5skipped?5be@PBOPGDP@ db 'CRASH TRIAGE: triage skipped because it is not enabled by default'
					; DATA XREF: VfTriageSystem+49o
		db '.',0Ah,0
; 

; char ??_C
??_C@_0CG@PLDDMJHL@CRASH?5TRIAGE?3?5a?5real?5crash?5happ@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A33Co
		inc	ebx
		push	edx
		inc	ecx

loc_ADFE37:				; CODE XREF: INIT:00ADFDD0j
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		popa
		and	[edx+65h], dh
		popa
		insb
		and	[ebx+72h], ah
		popa
		jnb	short loc_ADFEB6
		and	[eax+61h], ch

loc_ADFE51:				; CODE XREF: INIT:00ADFDE4j
		jo	short near ptr loc_ADFEC2+1
		outs	dx, byte ptr gs:[esi]
		db	65h, 64h
		or	al, cs:[eax]

??_C@_0CP@BKDEPIBK@CRASH?5TRIAGE?3?5a?5fake?5crash?5will@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A326o
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		popa
		and	[esi+61h], ah
		imul	esp, [ebp+20h],	63h
		jb	short near ptr loc_ADFED1+2
		jnb	short near ptr loc_ADFEDB+1
		and	[edi+69h], dh
		insb
		insb
		and	[edx+65h], ah
		and	[ebx+69h], dh
		insd
		jnz	short loc_ADFEEE
		popa
		jz	short near ptr loc_ADFEE7+3
		db	64h
		or	al, cs:[eax]
		int	3		; Trap to Debugger

??_C@_0FI@KGHHEFKP@CRASH?5TRIAGE?3?5triage?5skipped?5be@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A397o
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		jz	short near ptr loc_ADFF0B+1
		imul	esp, [ecx+67h],	6B732065h
		imul	esi, [eax+70h],	62206465h
		arpl	gs:[ecx+75h], sp
		jnb	short loc_ADFF13
		and	[ecx+74h], ch
		and	[edi+61h], dh
		jnb	short loc_ADFED6

loc_ADFEB6:				; CODE XREF: INIT:00ADFE4Cj
		popa
		arpl	[ecx+ebp*2+76h], si
		and	gs:[ecx+6Eh], ch
		and	[eax+72h], dh

loc_ADFEC2:				; CODE XREF: INIT:loc_ADFE51j
		db	65h
		jbe	short near ptr loc_ADFF2C+2
		outsd
		jnz	short loc_ADFF3B
		and	[ebx+72h], ah
		popa
		jnb	short near ptr loc_ADFF34+2
		and	[edi+72h], ch

loc_ADFED1:				; CODE XREF: INIT:00ADFE70j
		and	[ebx+65h], dh
		jb	short loc_ADFF4C

loc_ADFED6:				; CODE XREF: INIT:00ADFEB4j
		db	65h
		jb	short near ptr loc_ADFEF8+1
		jnb	short loc_ADFF54

loc_ADFEDB:				; CODE XREF: INIT:00ADFE72j
		jnb	short loc_ADFF51
		db	65h
		insd
		or	al, cs:[eax]

; char ??_C
??_C@_0DH@OBGLAHLC@CRASH?5TRIAGE?3?5previous?5crash?5wa@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A364o
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax

loc_ADFEE7:				; CODE XREF: INIT:00ADFE83j
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp

loc_ADFEEE:				; CODE XREF: INIT:00ADFE80j
		cmp	ah, [eax]
		jo	short near ptr loc_ADFF60+4
		db	65h
		jbe	short near ptr loc_ADFF5D+1
		outsd
		jnz	short loc_ADFF6B

loc_ADFEF8:				; CODE XREF: INIT:loc_ADFED6j
		and	[ebx+72h], ah
		popa
		jnb	short near ptr loc_ADFF60+6
		and	[edi+61h], dh
		jnb	short loc_ADFF23
		and	eax, 25207849h
		dec	ecx
		js	short loc_ADFF2B

loc_ADFF0B:				; CODE XREF: INIT:00ADFE98j
		and	eax, 25207849h
		dec	ecx
		js	short near ptr loc_ADFF30+3

loc_ADFF13:				; CODE XREF: INIT:00ADFEACj
		and	eax, 0A2E7849h
		add	ah, cl

??_C@_0CG@KGBHOPLP@CRASH?5TRIAGE?3?5null?5loader?5exten@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A2CFo
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl

loc_ADFF23:				; CODE XREF: INIT:00ADFF01j
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		outsb
		jnz	short loc_ADFF97

loc_ADFF2B:				; CODE XREF: INIT:00ADFF09j
		insb

loc_ADFF2C:				; CODE XREF: INIT:loc_ADFEC2j
		and	[edi+ebp*2+61h], ch

loc_ADFF30:				; CODE XREF: INIT:00ADFF11j
		db	64h, 65h
		jb	short loc_ADFF54

loc_ADFF34:				; CODE XREF: INIT:00ADFECCj
		db	65h
		js	short near ptr loc_ADFFA7+4
		outs	dx, byte ptr gs:[esi]
		jnb	short loc_ADFFA4

loc_ADFF3B:				; CODE XREF: INIT:00ADFEC6j
		outsd
		outsb
		or	al, cs:[eax]

; char ??_C
??_C@_0CI@LFJCAECG@CRASH?5TRIAGE?3?5simulated?5crash?5c@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A2AAo
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp

loc_ADFF4C:				; CODE XREF: INIT:00ADFED4j
		cmp	ah, [eax]
		jnb	short loc_ADFFB9
		insd

loc_ADFF51:				; CODE XREF: INIT:loc_ADFEDBj
		jnz	short near ptr loc_ADFFBD+2
		popa

loc_ADFF54:				; CODE XREF: INIT:00ADFED9j
					; INIT:loc_ADFF30j
		jz	short loc_ADFFBB
		and	fs:[ebx+72h], ah
		popa
		jnb	short loc_ADFFC5

loc_ADFF5D:				; CODE XREF: INIT:00ADFEF2j
		and	[ebx+6Fh], ah

loc_ADFF60:				; CODE XREF: INIT:00ADFEF0j
					; INIT:00ADFEFCj
		db	64h
		and	gs:0A2E58h, ah

??_C@_0CL@CEIILJGF@CRASH?5TRIAGE?3?5standard?5retail?5e@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A313o
		inc	ebx
		push	edx
		inc	ecx

loc_ADFF6B:				; CODE XREF: INIT:00ADFEF6j
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		jnb	short near ptr loc_ADFFEB+1
		popa
		outsb
		db	64h
		popa
		jb	short loc_ADFFE2
		and	[edx+65h], dh
		jz	short loc_ADFFE4
		imul	ebp, [eax+65h],	20746978h
		jo	short loc_ADFFFC
		imul	ebp, [esi+74h],	0CC000A2Eh

??_C@_0DB@LHLIJKDI@CRASH?5TRIAGE?3?5unexpected?5loader@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A2E1o
		inc	ebx
		push	edx
		inc	ecx

loc_ADFF97:				; CODE XREF: INIT:00ADFF29j
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		jnz	short loc_AE0012

loc_ADFFA4:				; CODE XREF: INIT:00ADFF39j
		db	65h
		js	short loc_AE0017

loc_ADFFA7:				; CODE XREF: INIT:loc_ADFF34j
		arpl	gs:[ebp+64h], si
		and	[edi+ebp*2+61h], ch
		db	64h, 65h
		jb	short loc_ADFFD4
		db	65h
		js	short near ptr loc_AE002A+1
		outs	dx, byte ptr gs:[esi]

loc_ADFFB9:				; CODE XREF: INIT:00ADFF4Ej
		jnb	short near ptr loc_AE001E+6

loc_ADFFBB:				; CODE XREF: INIT:loc_ADFF54j
		outsd
		outsb

loc_ADFFBD:				; CODE XREF: INIT:loc_ADFF51j
		and	[ebx+69h], dh
		jp	short near ptr loc_AE0026+1
		or	al, cs:[eax]

loc_ADFFC5:				; CODE XREF: INIT:00ADFF5Bj
		int	3		; Trap to Debugger

; char ??_C
??_C@_0BP@IMNEAIDJ@CRASH?5TRIAGE?3?5triage?5enabled?$CB?6@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A468o
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]

loc_ADFFD4:				; CODE XREF: INIT:00ADFFB0j
		jz	short ??_C@_0DP@OFEDJCGI@CRASH?5TRIAGE?3?5triage?5disabled?5d@PBOPGDP@
		imul	esp, [ecx+67h],	6E652065h
		popa
		bound	ebp, [ebp+64h]

loc_ADFFE2:				; CODE XREF: INIT:00ADFF7Cj
		and	[edx], ecx

loc_ADFFE4:				; CODE XREF: INIT:00ADFF81j
		add	ah, cl

; char ??_C
??_C@_0CI@GLHLNLAP@CRASH?5TRIAGE?3?5no?5?$GAtargets?8?5rule@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A448o
					; ViFindTriageDriverTargets(x,x):loc_AEFD23o
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax

loc_ADFFEB:				; CODE XREF: INIT:00ADFF76j
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		outsb
		outsd
		and	[eax+74h], ah
		popa
		jb	short near ptr loc_AE0061+2

loc_ADFFFC:				; CODE XREF: INIT:00ADFF8Bj
		db	65h
		jz	short near ptr loc_AE0070+2
		daa
		and	[edx+75h], dh
		insb
		and	gs:[esi+6Fh], ah
		jnz	short near ptr loc_AE0076+2
		db	64h
		or	al, cs:[eax]

; char ??_C
??_C@_0DJ@LLPBLGK@CRASH?5TRIAGE?3?5failed?5to?5get?5dri@PBOPGDP@:
					; DATA XREF: ViTriageSameDriversFromDump(x,x)+24o
		inc	ebx
		push	edx
		inc	ecx
		push	ebx

loc_AE0012:				; CODE XREF: INIT:00ADFFA2j
		dec	eax
		and	[edx+edx*2+49h], dl

loc_AE0017:				; CODE XREF: INIT:loc_ADFFA4j
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		popaw

loc_AE001E:				; CODE XREF: INIT:loc_ADFFB9j
		imul	ebp, [ebp+64h],	206F7420h

loc_AE0026:				; CODE XREF: INIT:00ADFFC0j
		db	67h, 65h
		jz	near ptr 4Ah

loc_AE002A:				; CODE XREF: INIT:00ADFFB4j
		db	64h
		jb	short loc_AE0096
		jbe	short loc_AE0094
		jb	short loc_AE0051
		arpl	[edi+75h], bp
		outsb
		jz	short near ptr loc_AE0056+1
		db	66h
		jb	short loc_AE00A9
		insd
		and	[eax+ebp*2+65h], dh
		and	[ebp+esi*2+6Dh], ah
		jo	short near ptr loc_AE0070+3
		or	al, [eax]
		int	3		; Trap to Debugger

??_C@_0DP@OFEDJCGI@CRASH?5TRIAGE?3?5triage?5disabled?5d@PBOPGDP@:
					; CODE XREF: INIT:loc_ADFFD4j
					; DATA XREF: VfTriageSystem:loc_AE7091o
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl

loc_AE0051:				; CODE XREF: INIT:00AE002Fj
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]

loc_AE0056:				; CODE XREF: INIT:00AE0035j
		jz	short loc_AE00CA
		imul	esp, [ecx+67h],	69642065h
		jnb	short near ptr loc_AE00C1+1

loc_AE0061:				; CODE XREF: INIT:00ADFFFAj
		bound	ebp, [ebp+64h]
		and	[ebp+esi*2+65h], ah
		and	[edi+ebp*2+20h], dh
		jb	short loc_AE00E4
		insb

loc_AE0070:				; CODE XREF: INIT:loc_ADFFFCj
					; INIT:00AE0043j
		and	gs:[edi+69h], dh
		jz	short loc_AE00DE

loc_AE0076:				; CODE XREF: INIT:00AE0008j
		and	[esi+75h], ch
		insb
		insb
		and	[esi+65h], ah
		popa
		jz	short loc_AE00F6
		jb	short near ptr loc_AE00E5+3
		jnb	short near ptr loc_AE00AD+6
		or	al, [eax]
		int	3		; Trap to Debugger

??_C@_0DO@BCCPJMDG@CRASH?5TRIAGE?3?5triage?5disabled?5d@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A3CFo
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp

loc_AE0094:				; CODE XREF: INIT:00AE002Dj
		cmp	ah, [eax]

loc_AE0096:				; CODE XREF: INIT:loc_AE002Aj
		jz	short loc_AE010A
		imul	esp, [ecx+67h],	69642065h
		jnb	short loc_AE0102
		bound	ebp, [ebp+64h]
		and	[ebp+esi*2+65h], ah

loc_AE00A9:				; CODE XREF: INIT:00AE0037j
		and	[edi+ebp*2+20h], dh

loc_AE00AD:				; CODE XREF: INIT:00AE0083j
		imul	ebp, [esi+76h],	64696C61h
		and	[edx+65h], dh
		imul	esi, [bp+di+74h], 72207972h
		jnz	short near ptr loc_AE012B+2

loc_AE00C1:				; CODE XREF: INIT:00AE005Fj
		db	65h
		jnb	short near ptr loc_AE00F0+2
		or	al, [eax]

??_C@_0DJ@CEGDOEDA@CRASH?5TRIAGE?3?5some?5drivers?5chan@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A3AFo
		inc	ebx
		push	edx
		inc	ecx
		push	ebx

loc_AE00CA:				; CODE XREF: INIT:loc_AE0056j
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		jnb	short near ptr loc_AE0144+1
		insd
		and	gs:[edx+esi*2+69h], ah
		jbe	short near ptr loc_AE0142+1

loc_AE00DE:				; CODE XREF: INIT:00AE0074j
		jb	short near ptr loc_AE0151+2
		and	[ebx+68h], ah
		popa

loc_AE00E4:				; CODE XREF: INIT:00AE006Dj
		outsb

loc_AE00E5:				; CODE XREF: INIT:00AE0081j
		db	65h
		and	fs:[bp+72h], ah
		outsd
		insd
		and	[eax+72h], dh

loc_AE00F0:				; CODE XREF: INIT:loc_AE00C1j
		db	65h
		jbe	short near ptr loc_AE0159+3
		outsd
		jnz	short loc_AE0169

loc_AE00F6:				; CODE XREF: INIT:00AE007Fj
		and	[ebx+72h], ah
		popa
		jnb	short near ptr loc_AE0163+1
		or	al, cs:[eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0DD@HCAOJOAG@CRASH?5TRIAGE?3?5crash?5code?5?$CFIx?5wi@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A41Fo
		inc	ebx
		push	edx

loc_AE0102:				; CODE XREF: INIT:00AE009Fj
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx

loc_AE010A:				; CODE XREF: INIT:loc_AE0096j
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		arpl	[edx+61h], si
		jnb	short loc_AE017B
		and	[ebx+6Fh], ah
		db	64h
		and	gs:77207849h, ah
		imul	ebp, [esp+ebp*2+20h], 20746F6Eh
		bound	esp, [ebp+20h]
		jz	short loc_AE019D

loc_AE012B:				; CODE XREF: INIT:00AE00BFj
		imul	esp, [ecx+67h],	0A2E6465h
		add	ah, cl

??_C@_0DO@FDLDCNLE@CRASH?5TRIAGE?3?5triage?5disabled?5d@PBOPGDP@:
					; DATA XREF: VfTriageSystem+1A3EAo
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]

loc_AE0142:				; CODE XREF: INIT:00AE00DCj
		jz	short near ptr loc_AE01B5+1

loc_AE0144:				; CODE XREF: INIT:00AE00D4j
		imul	esp, [ecx+67h],	69642065h
		jnb	short near ptr loc_AE01AC+2
		bound	ebp, [ebp+64h]

loc_AE0151:				; CODE XREF: INIT:loc_AE00DEj
		and	[ebp+esi*2+65h], ah
		and	[edi+ebp*2+20h], dh

loc_AE0159:				; CODE XREF: INIT:loc_AE00F0j
		imul	ebp, [esi+76h],	64696C61h
		and	[ecx+6Eh], ch

loc_AE0163:				; CODE XREF: INIT:00AE00FAj
		jz	short near ptr loc_AE01C9+1
		jb	short near ptr loc_AE01D4+1
		popa
		insb

loc_AE0169:				; CODE XREF: INIT:00AE00F4j
		and	[edx+75h], dh
		insb
		db	65h
		jnb	short loc_AE0191
		or	al, [eax]

; char ??_C
??_C@_0CH@JLKGLPDN@CRASH?5TRIAGE?3?5found?5a?5?$GAtargets?8@PBOPGDP@:
					; DATA XREF: ViFindTriageDriverTargets(x,x)+2Eo
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl

loc_AE017B:				; CODE XREF: INIT:00AE0111j
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		outsw
		jnz	short near ptr loc_AE01F0+2
		and	fs:[ecx+20h], ah
		pusha
		jz	short loc_AE01EC
		jb	short loc_AE01F4
		db	65h
		jz	short near ptr loc_AE0201+2
		daa

loc_AE0191:				; CODE XREF: INIT:00AE016Dj
		and	[edx+75h], dh
		insb
		db	65h
		or	al, cs:[eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0EC@EKEAOEPB@CRASH?5TRIAGE?3?5zeroed?5rules?5stru@PBOPGDP@:
					; DATA XREF: ViFindTriageDriverTargets(x,x):loc_AEFD38o
					; ViFindTriageRule(x,x,x):loc_AEFDB1o
		inc	ebx
		push	edx
		inc	ecx

loc_AE019D:				; CODE XREF: INIT:00AE0129j
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		jp	short loc_AE020F
		jb	short near ptr loc_AE021A+1

loc_AE01AC:				; CODE XREF: INIT:00AE014Bj
		db	65h
		and	fs:[edx+75h], dh
		insb
		db	65h
		jnb	short near ptr loc_AE01D4+1

loc_AE01B5:				; CODE XREF: INIT:loc_AE0142j
		jnb	short loc_AE022B
		jb	short near ptr loc_AE022D+1
		arpl	[ebp+esi*2+72h], si
		and	gs:[eax], ch
		push	61207469h
		outsb
		and	[ecx+6Eh], ch

loc_AE01C9:				; CODE XREF: INIT:loc_AE0163j
		jbe	short near ptr loc_AE022B+1
		insb
		imul	esp, [eax+74h],	20657079h

loc_AE01D4:				; CODE XREF: INIT:00AE0165j
					; INIT:00AE01B2j
		jb	short near ptr ??_C@_0EF@FKCCFLMP@CRASH?5TRIAGE?3?5no?5suspect?5driver@PBOPGDP@+0Dh
		insb
		sub	gs:[esi], ebp
		or	al, [eax]

; char ??_C
??_C@_0DA@EENFKLGP@CRASH?5TRIAGE?3?5no?5rule?5found?5for@PBOPGDP@:
					; DATA XREF: ViFindTriageRule(x,x,x)+42o
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		outsb
		outsd

loc_AE01EC:				; CODE XREF: INIT:00AE0189j
		and	[edx+75h], dh
		insb

loc_AE01F0:				; CODE XREF: INIT:00AE0182j
		and	gs:[esi+6Fh], ah

loc_AE01F4:				; CODE XREF: INIT:00AE018Bj
		jnz	short near ptr ??_C@_0EF@FKCCFLMP@CRASH?5TRIAGE?3?5no?5suspect?5driver@PBOPGDP@+26h
		and	fs:[esi+6Fh], ah
		jb	short loc_AE021C
		arpl	[edx+61h], si
		jnb	short near ptr ??_C@_0EF@FKCCFLMP@CRASH?5TRIAGE?3?5no?5suspect?5driver@PBOPGDP@+2Bh

loc_AE0201:				; CODE XREF: INIT:00AE018Dj
		and	[ebx+6Fh], ah
		db	64h
		and	gs:0A2E58h, ah

; char ??_C
??_C@_0DB@NEABKCED@CRASH?5TRIAGE?3?5rule?5was?5found?5fo@PBOPGDP@:
					; DATA XREF: ViFindTriageRule(x,x,x)+5Do
		inc	ebx
		push	edx
		inc	ecx

loc_AE020F:				; CODE XREF: INIT:00AE01A8j
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]

loc_AE021A:				; CODE XREF: INIT:00AE01AAj
		jb	short near ptr loc_AE0290+1

loc_AE021C:				; CODE XREF: INIT:00AE01FAj
		insb
		and	gs:[edi+61h], dh
		jnb	short near ptr ??_C@_0EF@FKCCFLMP@CRASH?5TRIAGE?3?5no?5suspect?5driver@PBOPGDP@+5
		outsw
		jnz	short loc_AE0295
		and	fs:[esi+6Fh], ah

loc_AE022B:				; CODE XREF: INIT:loc_AE01B5j
					; INIT:loc_AE01C9j
		jb	short near ptr ??_C@_0EF@FKCCFLMP@CRASH?5TRIAGE?3?5no?5suspect?5driver@PBOPGDP@+0Fh

loc_AE022D:				; CODE XREF: INIT:00AE01B7j
		arpl	[edx+61h], si
		jnb	short loc_AE029A
		and	[ebx+6Fh], ah
		db	64h
		and	gs:0A2E58h, ah
		int	3		; Trap to Debugger
; 
; char ??_C[]
??_C@_0EF@FKCCFLMP@CRASH?5TRIAGE?3?5no?5suspect?5driver@PBOPGDP@ db 'CRASH TRIAGE: no suspect drivers will be selected for verificatio'
					; CODE XREF: INIT:00AE0221j
					; INIT:loc_AE01D4j ...
		db 'n.',0Ah,0
		align 4

; char ??_C
??_C@_0DL@JKOFOHFA@Matching?5checksum?5for?5module?5?$CFw@PBOPGDP@:
					; DATA XREF: ViTriageSameDriversFromDump(x,x)+67o
		dec	ebp
		popa
		jz	short near ptr ??_C@_0EE@LACMLKGP@VfTriageAddDrivers?3?5Marking?5?$CFwZ@PBOPGDP@+2Bh
		push	20676E69h
		arpl	[eax+65h], bp

loc_AE0290:				; CODE XREF: INIT:loc_AE021Aj
		arpl	[ebx+73h], bp
		jnz	short near ptr ??_C@_0EE@LACMLKGP@VfTriageAddDrivers?3?5Marking?5?$CFwZ@PBOPGDP@+42h

loc_AE0295:				; CODE XREF: INIT:00AE0225j
		and	[esi+6Fh], ah
		jb	short near ptr loc_AE02B6+4

loc_AE029A:				; CODE XREF: INIT:00AE0230j
		insd
		outsd
		db	64h
		jnz	short near ptr ??_C@_0DM@OAGOANJA@CRASH?5TRIAGE?3?5will?5select?5targe@PBOPGDP@+7
		and	gs:6E205A77h, ah
		outsd
		jz	short near ptr ??_C@_0EE@LACMLKGP@VfTriageAddDrivers?3?5Marking?5?$CFwZ@PBOPGDP@+9
		outsw
		jnz	short near ptr ??_C@_0DM@OAGOANJA@CRASH?5TRIAGE?3?5will?5select?5targe@PBOPGDP@+17h
		and	fs:[ecx+6Eh], ch
		and	[edx+esi*2+69h], dh
		popa

loc_AE02B6:				; CODE XREF: INIT:00AE0298j
		and	gs:[si+75h], ah
		insd
		jo	short near ptr ??_C@_0EE@LACMLKGP@VfTriageAddDrivers?3?5Marking?5?$CFwZ@PBOPGDP@+8
		add	ah, cl
; 
; char ??_C[]
??_C@_0EE@LACMLKGP@VfTriageAddDrivers?3?5Marking?5?$CFwZ@PBOPGDP@ db 'VfTriageAddDrivers: Marking %wZ for verification when it is loade'
					; CODE XREF: INIT:00AE02BCj
					; INIT:00AE02A7j
					; DATA XREF: ...
		db 'd',0Ah,0
; char ??_C[]
??_C@_0DM@OAGOANJA@CRASH?5TRIAGE?3?5will?5select?5targe@PBOPGDP@ db 'CRASH TRIAGE: will select target drivers for verification.',0Ah,0
					; CODE XREF: INIT:00AE029Cj
					; DATA XREF: VfTriageAddDrivers(x):loc_AEFC56o
; char ??_C[]
??_C@_0DM@KPCNIJOB@CRASH?5TRIAGE?3?5system?5will?5enabl@PBOPGDP@ db 'CRASH TRIAGE: system will enable verification features %X.',0Ah,0
					; DATA XREF: ViMakeVerifierSettings(x,x)+91o
; 

; char ??_C
??_C@_0CJ@HLBJFCCN@CRASH?5TRIAGE?3?5target?5drivers?5ar@PBOPGDP@:
					; DATA XREF: ViMakeVerifierSettings(x,x)+4Do
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		jz	short loc_AE03ED
		jb	short near ptr loc_AE03F3+2
		db	65h
		jz	short loc_AE03B1
		db	64h
		jb	short near ptr loc_AE03FA+3
		jbe	short near ptr loc_AE03FA+1
		jb	short near ptr loc_AE0409+2
		and	[ecx+72h], ah
		and	gs:[eax+25h], ah
		ja	short loc_AE0414
		daa
		or	al, cs:[eax]
		int	3		; Trap to Debugger

; char ??_C
??_C@_0CJ@CNPCFPHB@CRASH?5TRIAGE?3?5invalid?5rules?5str@PBOPGDP@:
					; DATA XREF: ViValidateTriageRules(x,x):loc_AEFF41o
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi

loc_AE03B1:				; CODE XREF: INIT:00AE038Ej
		inc	ebp
		cmp	ah, [eax]
		imul	ebp, [esi+76h],	64696C61h
		and	[edx+75h], dh
		insb
		db	65h
		jnb	short loc_AE03E2
		jnb	short near ptr loc_AE0437+1
		jb	short loc_AE043B
		arpl	[ebp+esi*2+72h], si
		and	gs:[eax], esp
		or	al, [eax]
		int	3		; Trap to Debugger

??_C@_0DE@PFHEJPLB@CRASH?5TRIAGE?3?5found?5zeroed?5rule@PBOPGDP@:
					; DATA XREF: ViValidateTriageRules(x,x):loc_AEFF56o
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		outsw
		jnz	short ??_C@_1CA@PFOGGCOI@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AAW?$AAM?$AAI?$AAx?$AAW?$AAD?$AAM@PBOPGDP@

loc_AE03E2:				; CODE XREF: INIT:00AE03BFj
		and	fs:[edx+65h], bh
		jb	short near ptr loc_AE0455+2
		db	65h
		and	fs:[edx+75h], dh

loc_AE03ED:				; CODE XREF: INIT:00AE038Aj
		insb
		and	gs:[ebp+esi*2+72h], ah

loc_AE03F3:				; CODE XREF: INIT:00AE038Cj
		imul	ebp, [esi+67h],	6C617620h

loc_AE03FA:				; CODE XREF: INIT:00AE0394j
					; INIT:00AE0391j
		imul	esp, [ecx+74h],	2E6E6F69h
		or	al, [eax]

; char ??_C
??_C@_0CO@ONEBBCGJ@CRASH?5TRIAGE?3?5all?5drivers?5will?5@PBOPGDP@:
					; DATA XREF: ViMakeVerifierSettings(x,x)+71o
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax

loc_AE0409:				; CODE XREF: INIT:00AE0396j
		and	[edx+edx*2+49h], dl
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		popa
		insb

loc_AE0414:				; CODE XREF: INIT:00AE039Fj
		insb
		and	[edx+esi*2+69h], ah
		jbe	short near ptr ??_C@_1CM@COJJNPDN@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAW?$AAM?$AAI?$AAD?$AAa?$AAt?$AAa@PBOPGDP@+10h
		jb	short near ptr ??_C@_1CM@COJJNPDN@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAW?$AAM?$AAI?$AAD?$AAa?$AAt?$AAa@PBOPGDP@+20h
		and	[edi+69h], dh
		insb
		insb
		and	[edx+65h], ah
		and	[ecx+72h], dh
		db	67h, 65h
		jz	near ptr 4A1h
		db	65h, 64h
		or	al, cs:[eax]

; char ??_C
??_C@_0BN@PBKHKAOG@CRASH?5TRIAGE?3?5rules?5are?5ok?4?6@PBOPGDP@:
					; DATA XREF: ViValidateTriageRules(x,x):loc_AEFF2Bo
		inc	ebx
		push	edx
		inc	ecx
		push	ebx
		dec	eax

loc_AE0437:				; CODE XREF: INIT:00AE03C2j
		and	[edx+edx*2+49h], dl

loc_AE043B:				; CODE XREF: INIT:00AE03C4j
		inc	ecx
		inc	edi
		inc	ebp
		cmp	ah, [eax]
		jb	short near ptr ??_C@_0DI@MFDNILJK@?2Registry?2Machine?2System?2Curren@PBOPGDP@+1Bh
		insb
		db	65h
		jnb	short loc_AE0466
		popa
		jb	short near ptr ??_C@_0DI@MFDNILJK@?2Registry?2Machine?2System?2Curren@PBOPGDP@+12h
		and	[edi+6Bh], ch
		or	al, cs:[eax]
		int	3		; Trap to Debugger

??_C@_1CA@PFOGGCOI@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?2?$AAW?$AAM?$AAI?$AAx?$AAW?$AAD?$AAM@PBOPGDP@:
					; CODE XREF: INIT:00AE03E0j
					; DATA XREF: WMIInitialize(x,x)+1Co
		pop	esp
		add	[eax+eax+72h], al

loc_AE0455:				; CODE XREF: INIT:00AE03E6j
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		pop	esp
		add	[edi+0], dl
		dec	ebp
		add	[ecx+0], cl

loc_AE0466:				; CODE XREF: INIT:00AE0443j
		js	short $+2
		push	edi
		add	[eax+eax+4Dh], al
; 
		db 3 dup(0)
??_C@_1CM@COJJNPDN@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAW?$AAM?$AAI?$AAD?$AAa?$AAt?$AAa@PBOPGDP@:
					; DATA XREF: WmipDriverEntry+93o
		unicode	0, <\Device\WMIDataDevice>,0
??_C@_0DI@MFDNILJK@?2Registry?2Machine?2System?2Curren@PBOPGDP@	db '\Registry\Machine\System\CurrentControlSet\Services\WMI',0
					; DATA XREF: WmipDriverEntry+66o
??_C@_1DE@FEBDNHHJ@?$AA?2?$AAD?$AAo?$AAs?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAs?$AA?2?$AAW?$AAM?$AAI@PBOPGDP@:
					; DATA XREF: WmipDriverEntry+C2o
		unicode	0, <\DosDevices\WMIDataDevice>,0
??_C@_1BO@MFOKJHPK@?$AAk?$AAe?$AAr?$AAn?$AAe?$AAl?$AAb?$AAa?$AAs?$AAe?$AA?4?$AAd?$AAl?$AAl@PBOPGDP@:
					; DATA XREF: WmipInitializeDataStructs+100o
		unicode	0, <kernelbase.dll>,0
; 

??_C@_1CA@BHCOJPO@?$AAM?$AAo?$AAf?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAN?$AAa?$AAm?$AAe@PBOPGDP@:
					; DATA XREF: WmipInitializeDataStructs+F9o
		dec	ebp
		add	[edi+0], ch
		db	66h
		add	[edx+0], dl
		add	gs:[ebx+0], dh
		outsd
		add	[ebp+0], dh
		jb	short $+2
		arpl	[eax], ax
		add	gs:[esi+0], cl
		popa
		add	[ebp+0], ch
		add	gs:[eax], al

loc_AE0545:				; DATA XREF: WmipInitializeSecurity+1A3o
		add	[edi+0], dl
		insd
		add	[ecx+0], ch
		inc	edi
		add	[ebp+0], dh
		imul	eax, [eax], 64h

??_C@_1CA@BGGJKOKC@?$AAE?$AAt?$AAw?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn@PBOPGDP@:
					; DATA XREF: EtwpInitializeRegistration()+5Fo
		inc	ebp
		add	[eax+eax+77h], dh
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 0
		db 2 dup(0)
; 

??_C@_1BM@MPECCFJP@?$AAR?$AAT?$AAB?$AAa?$AAc?$AAk?$AAl?$AAo?$AAg?$AAR?$AAo?$AAo?$AAt@PBOPGDP@:
					; DATA XREF: EtwpReadConfigParameters+C2o
		push	edx
		add	[eax+eax+42h], dl
		add	[ecx+0], ah
		arpl	[eax], ax
		imul	eax, [eax], 6Ch
		add	[edi+0], ch
		add	[bp+si+0], dl
		outsd
		add	[edi+0], ch
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1GO@GHPNNIDM@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: EtwpReadConfigParameters+23o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[edi+0], dl
		dec	ebp
		add	[ecx+0], cl
; 
		dw 0
; 

??_C@_1CI@KEOGFAIA@?$AAS?$AAt?$AAa?$AAc?$AAk?$AAC?$AAa?$AAp?$AAt?$AAu?$AAr?$AAe?$AAT?$AAi?$AAm@PBOPGDP@:
					; DATA XREF: EtwpReadConfigParameters+149o
		push	ebx
		add	[eax+eax+61h], dh
		add	[ebx+0], ah
		imul	eax, [eax], 43h
		add	[ecx+0], ah
		jo	short $+2
		jz	short $+2
		jnz	short $+2
		jb	short $+2
		add	gs:[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[edi+0], ch
		jnz	short $+2
		jz	short $+2
; 
		dw 0
??_C@_1CK@LDPNDEPP@?$AAM?$AAa?$AAx?$AAN?$AAo?$AAn?$AAP?$AAa?$AAg?$AAe?$AAd?$AAP?$AAo?$AAo?$AAl@PBOPGDP@:
					; DATA XREF: EtwpReadConfigParameters+DBo
		unicode	0, <MaxNonPagedPoolUsage>,0
; 

??_C@_1EK@DAACFDEJ@?$AA0?$AA8?$AA1?$AA1?$AAc?$AA1?$AAa?$AAf?$AA?9?$AA7?$AAa?$AA0?$AA7?$AA?9?$AA4@PBOPGDP@:
					; DATA XREF: EtwpInitializeSecurity:loc_ADAB0Eo
		xor	[eax], al
		cmp	[eax], al
		xor	[eax], eax
		xor	[eax], eax
		arpl	[eax], ax
		xor	[eax], eax
		popa
		add	[esi+0], ah
		sub	eax, 61003700h
		add	[eax], dh
		add	[edi], dh
		add	ds:61003400h, ch
		add	[eax], dh
		add	[esi], dh
		add	ds:32003800h, ch
		add	[ebp+0], ah
		add	fs:36003800h, ch
		add	[ecx], bh
		add	[eax+eax], dh
		xor	eax, 63003500h
		add	[eax+eax+66h], ah
		add	[edi], dh
		add	[ecx], dh
		add	[ebx], dh
; 
		db 3 dup(0)
??_C@_1CA@GCICNJFG@?$AAE?$AAT?$AAW?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AAP?$AAa?$AAt?$AAh@PBOPGDP@:
					; DATA XREF: EtwpInitializeSecurity+A4o
		unicode	0, <ETWSecurityPath>,0
??_C@_1IA@OGAIDGCB@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: EtwpInitializeSecurity+20o
		unicode	0, <\Registry\Machine\System\CurrentControlSet\Control\WMI\Se>
		unicode	0, <curity>,0
??_C@_1BI@DKHDGCKG@?$AAE?$AAt?$AAw?$AAC?$AAo?$AAn?$AAs?$AAu?$AAm?$AAe?$AAr@PBOPGDP@:
					; DATA XREF: EtwpInitializeRealTimeConnection()+3Bo
		unicode	0, <EtwConsumer>,0
??_C@_1CA@KFAJNICF@?$AAC?$AAo?$AAv?$AAe?$AAr?$AAa?$AAg?$AAe?$AAS?$AAa?$AAm?$AAp?$AAl?$AAe?$AAr@PBOPGDP@:
					; DATA XREF: EtwpInitializeCoverageSampler+32o
		unicode	0, <CoverageSampler>,0
; 

??_C@_1BE@DIPHLEGJ@?$AAW?$AAi?$AAn?$AAr?$AAe?$AAs?$AAu?$AAm?$AAe@PBOPGDP@:
					; DATA XREF: BapdpRegisterResumeInformation(x,x)+71o
		push	edi
		add	[ecx+0], ch
		outsb
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		jnz	short $+2
		insd
		add	[ebp+0], ah
; 
		dw 0
??_C@_1BM@DBOPHHKE@?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAC?$AAo?$AAn?$AAt?$AAe?$AAx?$AAt@PBOPGDP@:
					; DATA XREF: BapdpRegisterResumeInformation(x,x)+C5o
		unicode	0, <ResumeContext>,0
; 

??_C@_1CM@NKIJFGBG@?$AAE?$AAD?$AAr?$AAi?$AAv?$AAe?$AAS?$AAu?$AAp?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd@PBOPGDP@:
					; DATA XREF: BapdpRegisterEDrvHintInfo(x)+C7o
		inc	ebp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[ebx+0], dl
		jnz	short $+2
		jo	short $+2
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		add	gs:[eax+eax+49h], ah
		add	[esi+0], ch
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+0], dh
; 
		db 0
??_C@_1IK@DJIKLOAN@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@PBOPGDP@:
					; DATA XREF: BapdpRegisterFwUpdateResults(x,x):loc_AF04C5o
		unicode	0, <\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Firmwa>
		unicode	0, <reResources>,0
??_C@_1GG@IBGAEKLO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@PBOPGDP@ db '\',0
					; DATA XREF: BapdpRegisterBitlockerStatus(x,x)+29o
					; BapdpRegisterResumeInformation(x,x)+2Ao ...
aRegistryMac_18:
		unicode	0, <REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control>,0
; 

??_C@_1DA@HBKKGICP@?$AAB?$AAi?$AAt?$AAL?$AAo?$AAc?$AAk?$AAe?$AAr?$AAE?$AAD?$AAr?$AAi?$AAv?$AAe@PBOPGDP@:
					; DATA XREF: BapdpRegisterEDrvHintInfo(x)+7Ao
		inc	edx
		add	[ecx+0], ch
		jz	short $+2
		dec	esp
		add	[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 65h
		add	[edx+0], dh
		inc	ebp
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[esi+0], dl
		outsd
		add	[eax+eax+61h], ch
		add	[eax+eax+69h], dh
		add	[eax+eax+65h], ch
; 
		db 3 dup(0)
??_C@_1CA@GKOLLCBA@?$AAB?$AAi?$AAt?$AAl?$AAo?$AAc?$AAk?$AAe?$AAr?$AAS?$AAt?$AAa?$AAt?$AAu?$AAs@PBOPGDP@:
					; DATA XREF: BapdpRegisterBitlockerStatus(x,x)+6Fo
		unicode	0, <BitlockerStatus>,0
??_C@_1BG@LCMMIACL@?$AAB?$AAo?$AAo?$AAt?$AAS?$AAt?$AAa?$AAt?$AAu?$AAs@PBOPGDP@:
					; DATA XREF: BapdpRegisterBitlockerStatus(x,x)+BFo
		unicode	0, <BootStatus>,0
; 

??_C@_1CC@FDHHNLFC@?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt?$AAi@PBOPGDP@:
					; DATA XREF: BapdpRegisterWmdResult(x)+6Ao
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jb	short $+2
		jns	short $+2
		inc	esp
		add	[ecx+0], ch
		popa
		add	[edi+0], ah
		outsb
		add	[edi+0], ch
		jnb	short $+2
		jz	short $+2
		imul	eax, [eax], 63h

??_C@_1BA@HJAKFAGA@?$AAR?$AAe?$AAs?$AAu?$AAl?$AAt?$AAs@PBOPGDP@:
					; DATA XREF: BapdpRegisterWmdResult(x)+B9o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insb
		add	[eax+eax+73h], dh
; 
		db 3 dup(0)
; 

??_C@_1BG@KEIKIIOJ@?$AAR?$AAu?$AAn?$AAM?$AAe?$AAm?$AAD?$AAi?$AAa?$AAg@PBOPGDP@:
					; DATA XREF: BapdpRegisterWmdResult(x)+DEo
		push	edx
		add	[ebp+0], dh
		outsb
		add	[ebp+0], cl
		add	gs:[ebp+0], ch
		inc	esp
		add	[ecx+0], ch
		popa
		add	[edi+0], ah
; 
		db 2 dup(0)
; 

??_C@_1BC@HPKCMHLF@?$AAC?$AAa?$AAl?$AAl?$AAb?$AAa?$AAc?$AAk@PBOPGDP@:
					; DATA XREF: ExpInitializeCallbacks()+22o
		inc	ebx
		add	[ecx+0], ah
		insb
		add	[eax+eax+62h], ch
		add	[ecx+0], ah
		arpl	[eax], ax
		imul	eax, [eax], 0

loc_AE097F:				; DATA XREF: ExpWin32Initialization()+Bo
		add	[edi+0], dl
		imul	eax, [eax], 64006Eh
		outsd
		add	[edi+0], dh
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 3 dup(0)
; 

??_C@_1BA@CBCBMBGJ@?$AAD?$AAe?$AAs?$AAk?$AAt?$AAo?$AAp@PBOPGDP@:
					; DATA XREF: ExpWin32Initialization()+9Fo
		inc	esp
		add	[ebp+0], ah
		jnb	short $+2
		imul	eax, [eax], 74h
		add	[edi+0], ch
		jo	short $+2
; 
		dw 0
; 

??_C@_1BM@JKJGADFH@?$AAC?$AAo?$AAr?$AAe?$AAM?$AAe?$AAs?$AAs?$AAa?$AAg?$AAi?$AAn?$AAg@PBOPGDP@:
					; DATA XREF: ExpWin32Initialization()+169o
		inc	ebx
		add	[edi+0], ch
		jb	short $+2
		add	gs:[ebp+0], cl
		add	gs:[ebx+0], dh
		jnb	short $+2
		popa
		add	[edi+0], ah
		imul	eax, [eax], 67006Eh
; 
		dw 0
; 

??_C@_1CC@KNODJGBO@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAa?$AAt?$AAi?$AAo?$AAn?$AAO?$AAb?$AAj?$AAe?$AAc@PBOPGDP@:
					; DATA XREF: ExpWin32Initialization()+1A7o
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 610076h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		dec	edi
		add	[edx+0], ah
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BI@GKIJCEIJ@?$AAC?$AAo?$AAm?$AAp?$AAo?$AAs?$AAi?$AAt?$AAi?$AAo?$AAn@PBOPGDP@:
					; DATA XREF: ExpWin32Initialization()+DBo
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		outsd
		add	[ebx+0], dh
		imul	eax, [eax], 690074h
		outsd
		add	[esi+0], ch
; 
		db 2 dup(0)
; 

??_C@_1CA@LMBIDJNB@?$AAR?$AAa?$AAw?$AAI?$AAn?$AAp?$AAu?$AAt?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@PBOPGDP@:
					; DATA XREF: ExpWin32Initialization()+127o
		push	edx
		add	[ecx+0], ah
		ja	short $+2
		dec	ecx
		add	[esi+0], ch
		jo	short $+2
		jnz	short $+2
		jz	short $+2
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1BA@OGEKEOOD@?$AAI?$AAR?$AAT?$AAi?$AAm?$AAe?$AAr@PBOPGDP@:
					; DATA XREF: ExpTimerInitialization()+93o
		dec	ecx
		add	[edx+0], dl
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		jb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1M@EEEEDEMN@?$AAT?$AAi?$AAm?$AAe?$AAr@PBOPGDP@:
					; DATA XREF: ExpTimerInitialization()+1Fo
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		jb	short $+2
; 
		db 2 dup(0)
; 

??_C@_1M@JJBFPLJB@?$AAE?$AAv?$AAe?$AAn?$AAt@PBOPGDP@:
					; DATA XREF: ExpEventInitialization()+Bo
		inc	ebp
		add	[esi+0], dh
		add	gs:[esi+0], ch
		jz	short $+2
; 
		db 2 dup(0)

;  S U B	R O U T	I N E 


??_C@_1BE@NPGPGCB@?$AAS?$AAe?$AAm?$AAa?$AAp?$AAh?$AAo?$AAr?$AAe@PBOPGDP@ proc near
					; DATA XREF: ExpSemaphoreInitialization()+Bo
		push	ebx
		add	[ebp+0], ah
		insd
??_C@_1BE@NPGPGCB@?$AAS?$AAe?$AAm?$AAa?$AAp?$AAh?$AAo?$AAr?$AAe@PBOPGDP@ endp

		add	[ecx+0], ah
		jo	short $+2
		push	72006F00h
		add	[ebp+0], ah
; 
		db 2 dup(0)
; 

??_C@_1O@FBKOCLFA@?$AAM?$AAu?$AAt?$AAa?$AAn?$AAt@PBOPGDP@:
					; DATA XREF: ExpMutantInitialization()+Bo
		dec	ebp
		add	[ebp+0], dh
		jz	short $+2
		popa
		add	[esi+0], ch
		jz	short $+2
; 
		dw 0
??_C@_1BG@ODBANIJN@?$AAK?$AAe?$AAy?$AAe?$AAd?$AAE?$AAv?$AAe?$AAn?$AAt@PBOPGDP@:
					; DATA XREF: ExpKeyedEventInitialization+51o
		unicode	0, <KeyedEvent>,0
; 

??_C@_1EO@JIABBENN@?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAs?$AA?2@PBOPGDP@:
					; DATA XREF: ExpKeyedEventInitialization+1E0o
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
		pop	esp
		add	[ebx+0], al
		jb	short $+2
		imul	eax, [eax], 530074h
		add	gs:[ebx+0], ah
		dec	edi
		add	[ebp+0], dh
		jz	short $+2
		dec	edi
		add	[esi+0], ah
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jb	short $+2
		jns	short $+2
		inc	ebp
		add	[esi+0], dh
		add	gs:[esi+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1BA@OKEJPPOI@?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl?$AAe@PBOPGDP@:
					; DATA XREF: ExpProfileInitialization()+22o
		push	eax
		add	[edx+0], dh
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
; 
		dw 0
??_C@_1EE@CNAJKBAK@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAP?$AAe?$AAr?$AAs?$AAi?$AAs?$AAt?$AAD@PBOPGDP@:
					; DATA XREF: WheapLoadPolicy+37o
		unicode	0, <Kernel-PersistDefectiveMemoryList>,0
??_C@_1CA@PBELCONO@?$AAP?$AAh?$AAy?$AAs?$AAi?$AAc?$AAa?$AAl?$AAA?$AAd?$AAd?$AAr?$AAe?$AAs?$AAs@PBOPGDP@:
					; DATA XREF: ArbInitializeOsInaccessibleRange(x)+11Fo
		unicode	0, <PhysicalAddress>,0
; 

??_C@_1CE@NKBPPJBA@?$AAI?$AAn?$AAa?$AAc?$AAc?$AAe?$AAs?$AAs?$AAi?$AAb?$AAl?$AAe?$AAR?$AAa?$AAn@PBOPGDP@:
					; DATA XREF: ArbInitializeOsInaccessibleRange(x)+98o
		dec	ecx
		add	[esi+0], ch
		popa
		add	[ebx+0], ah
		arpl	[eax], ax
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6C0062h
		add	gs:[edx+0], dl
		popa
		add	[esi+0], ch
		add	[di+0],	ah
; 
		dw 0
; 

??_C@_1HI@MHCMANAK@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@:
					; DATA XREF: ArbInitializeOsInaccessibleRange(x)+46o
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ecx+0], al
		jb	short $+2
		bound	eax, [eax]
		imul	eax, [eax], 650074h
		jb	short $+2
		jnb	short $+2
; 
		dw 0
; wchar_t ??_C
??_C@_1DO@HBNMGCKD@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@PBOPGDP@:
					; DATA XREF: VhdiGetVolumeNumber(x,x,x,x)+7Do
		unicode	0, <\Device\Harddisk%d\Partition%d>,0
; 

; wchar_t ??_C
??_C@_1CI@NBOCCOHM@?$AA?2?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAR?$AAa?$AAm?$AAd?$AAi?$AAs@PBOPGDP@:
					; DATA XREF: VhdInitialize+F6BCo
		pop	esp
		add	[eax+eax+44h], bl
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		pop	esp
		add	[edx+0], dl
		popa
		add	[ebp+0], ch
		add	fs:[ecx+0], ch
		jnb	short $+2
		imul	eax, [eax], 25h
		add	[edi+0], dh
		pop	edx
; 
		db 0
		db 2 dup(0)
; 

; wchar_t ??_C
??_C@_1DG@ICOLAHHE@?$AA?2?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi@PBOPGDP@:
					; DATA XREF: VhdInitialize+F681o
		pop	esp
		add	[eax+eax+44h], bl
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		pop	esp
		add	[eax+0], cl
		popa
		add	[edx+0], dh
		add	fs:[eax+eax+69h], ah
		add	[ebx+0], dh
		imul	eax, [eax], 56h
		add	[edi+0], ch
		insb
		add	[ebp+0], dh
		insd
		add	[ebp+0], ah
		and	eax, 75006C00h
; 
		db 3 dup(0)
; 

; char ??_C
??_C@_0L@MENOPLJP@partition?$CI@PBOPGDP@: ; DATA XREF: VhdInitialize+F57Ao
		jo	short near ptr loc_AE0CDD+2
		jb	short loc_AE0CF4
		imul	esi, [ecx+ebp*2+6Fh], 0CC00286Eh

; char ??_C
??_C@_06IKDJBIPJ@vdisk?$CI@PBOPGDP@:	; DATA XREF: VhdInitialize+44o
					; RamdiskStart(x)+294o
		jbe	short near ptr loc_AE0CED+1
		imul	esi, [ebx+6Bh],	52CC0028h ; DATA XREF: RamdiskStart(x)+141o
		inc	esp
		dec	ecx
		dec	ebp
		inc	ecx
		inc	edi
		inc	ebp
		dec	edi
		inc	esi
		inc	esi
		push	ebx
		inc	ebp
		push	esp

loc_AE0C9D:				; DATA XREF: IopInitializeBootDrivers+429o
		add	[edx+61h], dh
		insd
		imul	esi, fs:[ebx+6Bh], 5CCC0028h ; DATA XREF: RamdiskStart(x)+317o
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp
		add	[edx+0], dl
		popa
		add	[ebp+0], ch
		add	fs:[ecx+0], ch
		jnb	short $+2
		imul	eax, [eax], 25h
		add	[edi+0], dh
		pop	edx
; 
		db 0
		db 2 dup(0)
; 

??_C@_1CA@JFAJFNPB@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAR?$AAa?$AAm?$AAd?$AAi?$AAs?$AAk@PBOPGDP@:
					; DATA XREF: RamdiskStart(x)+1F0o
		pop	esp
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		pop	esp

loc_AE0CDD:				; CODE XREF: INIT:??_C@_0L@MENOPLJP@partition?$CI@PBOPGDP@j
		add	[edx+0], dl
		popa
		add	[ebp+0], ch
		add	fs:[ecx+0], ch
		jnb	short $+2
		imul	eax, [eax], 0

loc_AE0CED:				; CODE XREF: INIT:??_C@_06IKDJBIPJ@vdisk?$CI@PBOPGDP@j
					; DATA XREF: RamdiskStart(x)+181o
		add	[edx+44h], dl
		dec	ecx
		dec	ebp
		inc	ecx
		inc	edi

loc_AE0CF4:				; CODE XREF: INIT:00AE0C7Ej
		inc	ebp
		dec	esp
		inc	ebp
		dec	esi
		inc	edi
		push	esp
		dec	eax

loc_AE0CFB:				; CODE XREF: IopReportBootResources+32j
		add	[ebx+168BEh], al
; 
		db 2 dup(0), 75h
		dd 70506824h, 6A512020h, 0E2FEE801h, 8689FFBCh,	168h, 3D74C085h
		dd 571075FFh, 3A0AE850h, 0C483FFAAh
		db 0Ch
; 
; START	OF FUNCTION CHUNK FOR IopReportBootResources

loc_AE0D29:				; CODE XREF: IopReportBootResources+4Bj
		push	20207050h
		push	0Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jnz	short loc_AE0D63
		test	esi, esi
		jz	short loc_AE0D59
		mov	eax, [esi+168h]
		test	eax, eax
		jz	short loc_AE0D59
		push	ecx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword ptr [esi+168h], 0

loc_AE0D59:				; CODE XREF: IopReportBootResources+2D3FFj
					; IopReportBootResources+2D409j
		mov	eax, 0C000009Ah
		jmp	loc_AB3982
; 

loc_AE0D63:				; CODE XREF: IopReportBootResources+2D3FBj
		test	esi, esi
		jz	short loc_AE0D6D
		mov	edi, [esi+168h]

loc_AE0D6D:				; CODE XREF: IopReportBootResources+2D425j
		mov	[ecx+8], edi
		mov	eax, ds:_IopInitReservedResourceList
		mov	[ecx+4], ebx
		mov	[ecx], eax
		mov	ds:_IopInitReservedResourceList, ecx
		jmp	loc_AB3990
; END OF FUNCTION CHUNK	FOR IopReportBootResources
; 
; START	OF FUNCTION CHUNK FOR IopInitializeSystemDrivers

loc_AE0D85:				; CODE XREF: IopInitializeSystemDrivers+96j
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag

loc_AE0D91:				; CODE XREF: IopInitializeSystemDrivers+18Dj
		push	dword ptr [esi]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_AB3AE6
; 

loc_AE0D9D:				; CODE XREF: IopInitializeSystemDrivers+176j
		mov	ecx, [esp+38h+var_28]
		cmp	dword ptr [ecx+0Ch], 4
		jnz	short loc_AE0DAD
		mov	eax, [ecx+8]
		mov	edi, [ecx+eax]

loc_AE0DAD:				; CODE XREF: IopInitializeSystemDrivers+2D411j
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AB3B10
; 

loc_AE0DB9:				; CODE XREF: IopInitializeSystemDrivers+EFj
		xor	edi, edi
		jmp	loc_AB3AAE
; 

loc_AE0DC0:				; CODE XREF: IopInitializeSystemDrivers+12Fj
		push	ecx
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_AB3AE1
; END OF FUNCTION CHUNK	FOR IopInitializeSystemDrivers
; 
; START	OF FUNCTION CHUNK FOR PipGetDriverTagPriority

loc_AE0DCB:				; CODE XREF: PipGetDriverTagPriority+D0j
					; PipGetDriverTagPriority+DAj
		mov	esi, 0C0000001h
		jmp	loc_AB3C7B
; END OF FUNCTION CHUNK	FOR PipGetDriverTagPriority
; 
; START	OF FUNCTION CHUNK FOR IopInitializeBootDrivers

loc_AE0DD5:				; CODE XREF: IopInitializeBootDrivers+123j
		mov	ecx, [ebp+var_98]
		cmp	dword ptr [ecx+4], 4
		jnz	short loc_AE0DF2
		cmp	dword ptr [ecx+0Ch], 4
		jb	short loc_AE0DF2
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	ds:_PnpDriverImageLoadPolicy, eax

loc_AE0DF2:				; CODE XREF: IopInitializeBootDrivers+2D0E5j
					; IopInitializeBootDrivers+2D0EBj
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AB3E23
; 

loc_AE0DFE:				; CODE XREF: IopInitializeBootDrivers+131j
		mov	ds:_PnpDriverImageLoadPolicy, ebx
		jmp	loc_AB3E3C
; 

loc_AE0E09:				; CODE XREF: IopInitializeBootDrivers+13Cj
		mov	ds:_PnpDriverImageLoadPolicy, 3
		jmp	loc_AB3E3C
; 

loc_AE0E18:				; CODE XREF: IopInitializeBootDrivers+1E0j
		push	10h
		jmp	short loc_AE0E60
; 

loc_AE0E1C:				; CODE XREF: IopInitializeBootDrivers+200j
		push	11h
		jmp	short loc_AE0E60
; 

loc_AE0E20:				; CODE XREF: IopInitializeBootDrivers+326j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AB3FB7
; 

loc_AE0E2D:				; CODE XREF: IopInitializeBootDrivers+5A8j
		mov	byte ptr [esi+1Ah], 1
		jmp	loc_AB43BD
; 

loc_AE0E36:				; CODE XREF: IopInitializeBootDrivers+5D9j
		xor	ebx, ebx
		jmp	loc_AB430C
; 

loc_AE0E3D:				; CODE XREF: IopInitializeBootDrivers+6F7j
		push	12h
		jmp	short loc_AE0E60
; 

loc_AE0E41:				; CODE XREF: IopInitializeBootDrivers+421j
		push	14h
		jmp	short loc_AE0E60
; 

loc_AE0E45:				; CODE XREF: IopInitializeBootDrivers+43Bj
		mov	ecx, edi
		call	_RamdiskStart@4	; RamdiskStart(x)
		jmp	loc_AB4140
; 

loc_AE0E51:				; CODE XREF: IopInitializeBootDrivers+448j
		call	_PnpWaitForDevicesToStart@0 ; PnpWaitForDevicesToStart()
		test	eax, eax
		jnz	loc_AB4148

loc_AE0E5E:				; CODE XREF: IopInitializeBootDrivers+40Bj
					; IopInitializeBootDrivers+460j
		push	13h

loc_AE0E60:				; CODE XREF: IopInitializeBootDrivers+2D120j
					; IopInitializeBootDrivers+2D124j ...
		xor	edx, edx
		pop	ecx
		call	HeadlessKernelAddLogEntry

loc_AE0E68:				; CODE XREF: IopInitializeBootDrivers+1BEj
					; IopInitializeBootDrivers+46Fj ...
		xor	eax, eax
		jmp	loc_AB4261
; 

loc_AE0E6F:				; CODE XREF: IopInitializeBootDrivers+499j
		call	_SbpStartLanman@0 ; SbpStartLanman()
		test	eax, eax
		js	short loc_AE0E68
		call	_SbpWaitForVmbus@0 ; SbpWaitForVmbus()
		test	eax, eax
		js	short loc_AE0E68
		call	_SbpAddTransportToInstance@0 ; SbpAddTransportToInstance()
		test	eax, eax
		js	short loc_AE0E68
		jmp	loc_AB4199
; 

loc_AE0E8F:				; CODE XREF: IopInitializeBootDrivers+798j
		test	al, 8
		jnz	loc_AB444E
		lea	eax, [ebp+var_98]
		mov	edx, offset ??_C@_1M@IOJLKPKK@?$AAS?$AAt?$AAa?$AAr?$AAt@PBOPGDP@
		push	eax
		push	ecx
		mov	ecx, [esi+10h]
		call	IopGetRegistryValue
		test	eax, eax
		js	loc_AB444E
		mov	ecx, [ebp+var_98]
		cmp	dword ptr [ecx+4], 4
		jnz	loc_AE0FE4
		cmp	dword ptr [ecx+0Ch], 4
		jb	loc_AE0FE4
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		mov	[ebp+var_AC], eax
		test	eax, eax
		jnz	loc_AE0FE4
		mov	[ebp+var_AC], 3
		lea	eax, [ebp+var_B0]
		mov	ecx, [edi+18h]
		push	eax
		add	ecx, 0Ch
		call	PiCreateDriverRedirectedStateKey
		test	eax, eax
		jns	short loc_AE0F0D
		mov	ebx, [esi+10h]
		mov	[ebp+var_B0], ebx
		jmp	short loc_AE0F13
; 

loc_AE0F0D:				; CODE XREF: IopInitializeBootDrivers+2D206j
		mov	ebx, [ebp+var_B0]

loc_AE0F13:				; CODE XREF: IopInitializeBootDrivers+2D211j
		xor	ecx, ecx
		lea	eax, [ebp+var_A8]
		push	ecx
		push	eax
		push	ecx
		push	2
		pop	eax
		push	eax
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		mov	edx, ebx
		push	offset ??_C@_1BM@HPEBLEEL@?$AAS?$AAt?$AAa?$AAr?$AAt?$AAO?$AAv?$AAe?$AAr?$AAr?$AAi?$AAd?$AAe@PBOPGDP@
		call	__PnpCtxRegCreateKey@32	; _PnpCtxRegCreateKey(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_AE0FC6
		mov	edx, [ebp+var_A8]
		lea	eax, [ebp+var_AC]
		push	4
		push	eax
		push	4
		lea	eax, [ebp+var_88]
		push	eax
		call	__PnpCtxRegSetValue@24 ; _PnpCtxRegSetValue(x,x,x,x,x,x)
		mov	edx, [ebp+var_A8]
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)
		and	[ebp+var_A8], 0
		test	byte_6CD8BB, 1
		jz	short loc_AE0FC6
		mov	eax, [edi+18h]
		lea	ecx, [ebp+var_90]
		and	[ebp+var_90], 0
		add	eax, 0Ch
		push	eax
		xor	edx, edx
		call	PnpUnicodeStringToWstr
		test	eax, eax
		js	short loc_AE0FC6
		test	byte_6CD8BB, 1
		jz	short loc_AE0FB5
		push	[ebp+var_AC]
		push	[ebp+var_90]
		push	dword ptr [ebp+var_B4]
		push	ecx
		call	_McTemplateK0dzd_EtwWriteTransfer@24 ; McTemplateK0dzd_EtwWriteTransfer(x,x,x,x,x,x)

loc_AE0FB5:				; CODE XREF: IopInitializeBootDrivers+2D2A1j
		mov	edx, [edi+18h]
		mov	ecx, [ebp+var_90]
		add	edx, 0Ch
		call	_PnpUnicodeStringToWstrFree@8 ;	PnpUnicodeStringToWstrFree(x,x)

loc_AE0FC6:				; CODE XREF: IopInitializeBootDrivers+2D23Dj
					; IopInitializeBootDrivers+2D279j ...
		cmp	ebx, [esi+10h]
		jz	short loc_AE0FD8
		push	ebx
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_B0], 0

loc_AE0FD8:				; CODE XREF: IopInitializeBootDrivers+2D2CFj
		mov	ebx, [ebp+var_94]
		mov	ecx, [ebp+var_98]

loc_AE0FE4:				; CODE XREF: IopInitializeBootDrivers+2D1C4j
					; IopInitializeBootDrivers+2D1CEj ...
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AB444E
; END OF FUNCTION CHUNK	FOR IopInitializeBootDrivers
; 
; START	OF FUNCTION CHUNK FOR PnpInitializeBootStartDriver

loc_AE0FF1:				; CODE XREF: PnpInitializeBootStartDriver+2Ej
		mov	eax, [edi]
		mov	[ebp+var_44], eax
		mov	eax, [edi+4]
		mov	[ebp+var_40], eax
		jmp	loc_AB4573
; 

loc_AE1001:				; CODE XREF: PnpInitializeBootStartDriver+B2j
		cmp	[ebp+arg_10], 0
		jz	loc_AB4592
		mov	esi, 0C0000022h
		jmp	loc_AB45D6
; END OF FUNCTION CHUNK	FOR PnpInitializeBootStartDriver
; 
; START	OF FUNCTION CHUNK FOR PnpDoPolicyCheck

loc_AE1015:				; CODE XREF: PnpDoPolicyCheck+26j
		sub	eax, 1
		jz	short loc_AE1028
		sub	eax, 1
		jnz	loc_AB49F2
		test	dl, 2
		jmp	short loc_AE102B
; 

loc_AE1028:				; CODE XREF: PnpDoPolicyCheck+2C654j
		test	dl, 4

loc_AE102B:				; CODE XREF: PnpDoPolicyCheck+2C662j
		jz	loc_AB49F2
		cmp	[ebp+var_1], bl
		jmp	loc_AB4A0B
; END OF FUNCTION CHUNK	FOR PnpDoPolicyCheck
; 
; START	OF FUNCTION CHUNK FOR PpInitGetGroupOrderIndex

loc_AE1039:				; CODE XREF: PpInitGetGroupOrderIndex+16j
		mov	eax, 0FFFFh
		jmp	loc_AB4B19
; 

loc_AE1043:				; CODE XREF: PpInitGetGroupOrderIndex+42j
					; PpInitGetGroupOrderIndex+4Dj
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AB4B1E
; END OF FUNCTION CHUNK	FOR PpInitGetGroupOrderIndex
; 
; START	OF FUNCTION CHUNK FOR PipCheckDependencies

loc_AE104F:				; CODE XREF: PipCheckDependencies+27j
		mov	edi, [ebp+var_4]
		mov	[ebp+var_4], 1
		mov	esi, [edi+8]
		mov	ebx, [edi+0Ch]
		add	esi, edi
		test	ebx, ebx
		jz	short loc_AE109B

loc_AE1065:				; CODE XREF: PipCheckDependencies+2C569j
		push	esi
		lea	eax, [ebp+var_C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ax, word ptr [ebp+var_C+2]
		lea	ecx, [ebp+var_C]
		xor	edx, edx
		mov	word ptr [ebp+var_C], ax
		call	_PipLookupGroupName@8 ;	PipLookupGroupName(x,x)
		test	eax, eax
		jz	short loc_AE1091
		cmp	dword ptr [eax+10h], 0
		jnz	short loc_AE1091
		and	[ebp+var_4], 0
		jmp	short loc_AE109B
; 

loc_AE1091:				; CODE XREF: PipCheckDependencies+2C553j
					; PipCheckDependencies+2C559j
		movzx	eax, word ptr [ebp+var_C+2]
		add	esi, eax
		sub	ebx, eax
		jnz	short loc_AE1065

loc_AE109B:				; CODE XREF: PipCheckDependencies+2C533j
					; PipCheckDependencies+2C55Fj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_4]
		jmp	loc_AB4B60
; END OF FUNCTION CHUNK	FOR PipCheckDependencies
; 
; START	OF FUNCTION CHUNK FOR PipInitializeCoreDriversByGroup

loc_AE10AB:				; CODE XREF: PipInitializeCoreDriversByGroup+F9j
		push	12h
		xor	edx, edx
		pop	ecx
		call	HeadlessKernelAddLogEntry
		jmp	loc_AB4EED
; 

loc_AE10BA:				; CODE XREF: PipInitializeCoreDriversByGroup+11Fj
		mov	eax, [ebp+var_10]
		mov	eax, [eax+18h]
		or	dword ptr [eax+34h], 20000h
		jmp	loc_AB4F13
; END OF FUNCTION CHUNK	FOR PipInitializeCoreDriversByGroup
; 
; START	OF FUNCTION CHUNK FOR IopInitializeResourceMap

loc_AE10CC:				; CODE XREF: IopInitializeResourceMap+BBj
					; IopInitializeResourceMap+11Ej ...
		mov	eax, [edi]
		mov	[ebp+var_3C], eax
		test	eax, eax
		jnz	short loc_AE10E9
		test	ebx, ebx
		jz	loc_AB5235
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AB5235
; 

loc_AE10E9:				; CODE XREF: IopInitializeResourceMap+2C11Fj
		xor	ebx, ebx
		test	eax, eax
		jz	loc_AB513F
		lea	eax, [edi+0Ch]
		mov	edi, [ebp+var_3C]
		mov	[ebp+var_38], eax
		jmp	loc_AB5101
; 

loc_AE1101:				; CODE XREF: IopInitializeResourceMap+16Bj
					; IopInitializeResourceMap+173j
		mov	eax, esi
		and	eax, 0FFFF0000h
		cmp	esi, eax
		jz	loc_AB512D
		test	esi, esi
		jz	loc_AB512D
		test	edx, edx
		jnz	short loc_AE1128
		cmp	esi, 0FFFFF000h
		jbe	loc_AB512D

loc_AE1128:				; CODE XREF: IopInitializeResourceMap+2C166j
					; IopInitializeResourceMap+2C180j ...
		inc	ebx
		add	esi, 1000h
		adc	edx, 0FFFFFFFFh
		test	edx, edx
		ja	short loc_AE1128
		jb	loc_AB512D
		cmp	esi, 0FFFFF000h
		ja	short loc_AE1128
		test	edx, edx
		jnz	loc_AB512D
		test	esi, esi
		jz	loc_AB512E
		jmp	loc_AB512D
; 

loc_AE1159:				; CODE XREF: IopInitializeResourceMap+208j
		mov	eax, [ebp+var_68]
		test	eax, eax
		jnz	short loc_AE1170
		cmp	ebx, 0FFFFF000h
		ja	short loc_AE1170
		mov	ecx, [ebp+var_38]
		mov	edx, [ebp+var_34]
		jmp	short loc_AE11AB
; 

loc_AE1170:				; CODE XREF: IopInitializeResourceMap+2C1AAj
					; IopInitializeResourceMap+2C1B2j
		mov	ecx, [ebp+var_38]
		mov	edx, [ebp+var_34]

loc_AE1176:				; CODE XREF: IopInitializeResourceMap+2C1EBj
					; IopInitializeResourceMap+2C1F5j
		mov	[esi+4], ecx
		mov	[esi+8], edx
		mov	word ptr [esi],	103h
		mov	dword ptr [esi+0Ch], 0FFFFF000h
		add	esi, 10h
		add	ecx, 0FFFFF000h
		adc	edx, 0
		add	ebx, 1000h
		adc	eax, 0FFFFFFFFh
		test	eax, eax
		ja	short loc_AE1176
		jb	short loc_AE11B7
		cmp	ebx, 0FFFFF000h
		ja	short loc_AE1176

loc_AE11AB:				; CODE XREF: IopInitializeResourceMap+2C1BAj
		test	eax, eax
		jnz	short loc_AE11B7
		test	ebx, ebx
		jz	loc_AB51C9

loc_AE11B7:				; CODE XREF: IopInitializeResourceMap+2C1EDj
					; IopInitializeResourceMap+2C1F9j
		mov	word ptr [esi],	103h
		mov	[esi+4], ecx
		mov	[esi+8], edx
		mov	[esi+0Ch], ebx
		jmp	loc_AB51C6
; 

loc_AE11CA:				; CODE XREF: IopInitializeResourceMap+1ABj
		cmp	[ebp+var_44], 0
		jz	loc_AB5075
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AB5075
; END OF FUNCTION CHUNK	FOR IopInitializeResourceMap
; 
; START	OF FUNCTION CHUNK FOR MmInitializeMemoryLimits

loc_AE11E1:				; CODE XREF: MmInitializeMemoryLimits+94j
		mov	eax, [ebp+var_4]

loc_AE11E4:				; CODE XREF: MmInitializeMemoryLimits+61j
		and	dword ptr [esi+8], 0
		and	dword ptr [esi+0Ch], 0
		jmp	loc_AB5327
; END OF FUNCTION CHUNK	FOR MmInitializeMemoryLimits
; 
; START	OF FUNCTION CHUNK FOR MxConsumeLargePageSlush

loc_AE11F1:				; CODE XREF: MxConsumeLargePageSlush+29j
		push	0
		push	0
		push	eax
		push	3030210h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AE1203:				; CODE XREF: MiMarkLargePageRanges+EFj
		test	esi, esi
		jnz	short loc_AE121A
		mov	eax, edi
		sub	eax, ds:_MmPfnDatabase
		push	1Ch
		cdq
		pop	ecx
		idiv	ecx
		mov	edx, eax
		mov	[ebp+var_4], edx

loc_AE121A:				; CODE XREF: MxConsumeLargePageSlush+2BC49j
		inc	esi
		jmp	loc_AB5C17
; END OF FUNCTION CHUNK	FOR MxConsumeLargePageSlush
; 
; START	OF FUNCTION CHUNK FOR MiMarkLargePageRanges

loc_AE1220:				; CODE XREF: MiMarkLargePageRanges+2Cj
		push	1
		and	esi, 0FFFFFE00h
		mov	ecx, offset _MiSystemPartition
		push	1
		push	esi
		call	MiUpdateLargePageBitMap
		mov	edx, [ebp+var_4]
		jmp	loc_AB5BE0
; 

loc_AE123D:				; CODE XREF: MiMarkLargePageRanges+79j
		push	1
		push	1
		and	esi, 0FFFFFE00h
		mov	ecx, offset _MiSystemPartition
		push	esi
		call	MiUpdateLargePageBitMap
		jmp	loc_AB5C2D
; END OF FUNCTION CHUNK	FOR MiMarkLargePageRanges
; 
; START	OF FUNCTION CHUNK FOR MiInitializeNumaGraph

loc_AE1257:				; CODE XREF: MiInitializeNumaGraph+26j
		mov	edx, [eax]
		mov	ebx, edx
		movzx	edi, ds:_KeNumberNodes
		mov	[ebp+var_124], edx
		mov	[ebp+var_110], ebx
		lea	eax, [eax+edx*4]
		add	eax, 4
		mov	[ebp+var_114], eax
		cmp	edx, edi
		jbe	short loc_AE1286
		mov	ebx, edi
		mov	[ebp+var_110], edi

loc_AE1286:				; CODE XREF: MiInitializeNumaGraph+2B07Aj
		cmp	ebx, 10h
		jbe	short loc_AE1294
		push	10h
		pop	ebx
		mov	[ebp+var_110], ebx

loc_AE1294:				; CODE XREF: MiInitializeNumaGraph+2B087j
		xor	esi, esi
		mov	[ebp+var_108], esi
		test	ebx, ebx
		jz	loc_AB6236
		lea	eax, [ebp+var_FC]
		mov	[ebp+var_118], eax
		lea	eax, [edx+edx]
		mov	[ebp+var_11C], eax
		mov	eax, [ebp+var_114]

loc_AE12BF:				; CODE XREF: MiInitializeNumaGraph+2B1D2j
		xor	ecx, ecx
		test	edx, edx
		jz	short loc_AE1326
		lea	edx, [ebp+var_FC]
		mov	[ebp+var_120], eax
		mov	[ebp+var_10C], edx
		mov	esi, eax

loc_AE12D9:				; CODE XREF: MiInitializeNumaGraph+2B11Cj
		cmp	ecx, 10h
		jnb	short loc_AE1320
		movzx	eax, word ptr [esi]
		test	ax, ax
		jnz	short loc_AE12E9
		xor	eax, eax
		inc	eax

loc_AE12E9:				; CODE XREF: MiInitializeNumaGraph+2B0E2j
		mov	esi, [ebp+var_10C]
		movzx	eax, ax
		mov	[edx-8], ecx
		inc	ecx
		cdq
		mov	[esi], eax
		mov	eax, esi
		mov	esi, [ebp+var_120]
		add	esi, 2
		mov	[ebp+var_120], esi
		mov	[eax+4], edx
		add	eax, 10h
		mov	edx, eax
		mov	[ebp+var_10C], eax
		cmp	ecx, [ebp+var_124]
		jb	short loc_AE12D9

loc_AE1320:				; CODE XREF: MiInitializeNumaGraph+2B0DAj
		mov	esi, [ebp+var_108]

loc_AE1326:				; CODE XREF: MiInitializeNumaGraph+2B0C1j
		cmp	ecx, edi
		jnb	short loc_AE134C
		mov	eax, ecx
		add	eax, eax
		lea	eax, [ebp+eax*8+var_FC]

loc_AE1335:				; CODE XREF: MiInitializeNumaGraph+2B148j
		cmp	ecx, 10h
		jnb	short loc_AE134C
		or	dword ptr [eax], 0FFFFFFFFh
		or	dword ptr [eax+4], 0FFFFFFFFh
		mov	[eax-8], ecx
		inc	ecx
		add	eax, 10h
		cmp	ecx, edi
		jb	short loc_AE1335

loc_AE134C:				; CODE XREF: MiInitializeNumaGraph+2B126j
					; MiInitializeNumaGraph+2B136j
		mov	eax, [ebp+var_118]
		push	offset _KiNodeCostSort ; int __cdecl (*)(const void *,const void *)
		push	10h		; size_t
		push	edi		; size_t
		and	dword ptr [eax], 0
		and	dword ptr [eax+4], 0
		lea	eax, [ebp+var_104]
		push	eax		; void *
		call	_qsort
		movzx	edi, ds:_KeNumberNodes
		add	esp, 10h
		test	edi, edi
		jz	short loc_AE13AC
		mov	edx, edi
		mov	ebx, edi
		imul	edx, esi
		lea	esi, [ebp+var_104]
		shl	edx, 2

loc_AE138B:				; CODE XREF: MiInitializeNumaGraph+2B19Cj
		mov	eax, dword_6D0698
		mov	ecx, [esi]
		lea	esi, [esi+10h]
		mov	[edx+eax], ecx
		lea	edx, [edx+4]
		sub	ebx, 1
		jnz	short loc_AE138B
		mov	esi, [ebp+var_108]
		mov	ebx, [ebp+var_110]

loc_AE13AC:				; CODE XREF: MiInitializeNumaGraph+2B177j
		mov	eax, [ebp+var_114]
		inc	esi
		add	eax, [ebp+var_11C]
		add	[ebp+var_118], 10h
		mov	edx, [ebp+var_124]
		mov	[ebp+var_108], esi
		mov	[ebp+var_114], eax
		cmp	esi, ebx
		jb	loc_AE12BF
		jmp	loc_AB6236
; END OF FUNCTION CHUNK	FOR MiInitializeNumaGraph
; 
; START	OF FUNCTION CHUNK FOR MxReleaseFreeDescriptor

loc_AE13DF:				; CODE XREF: MxReleaseFreeDescriptor+63j
		mov	ecx, [esi]
		mov	eax, ecx
		and	eax, 1FFh
		jz	loc_AB635F
		sub	edi, eax
		mov	[ebp+var_8], ecx
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_4], edi
		call	_MxCreateFreePfns@4 ; MxCreateFreePfns(x)
		jmp	loc_AB635F
; END OF FUNCTION CHUNK	FOR MxReleaseFreeDescriptor
; 
; START	OF FUNCTION CHUNK FOR MiCreateNodeLists

loc_AE1403:				; CODE XREF: MiCreateNodeLists+36j
					; MiCreateNodeLists+60j ...
		mov	eax, [ebp+var_14]
		lea	ecx, [ebp+var_14]
		cmp	eax, ecx
		jz	loc_AB643D
		cmp	[eax+4], ecx
		jnz	loc_AB6444
		mov	ecx, [eax]
		cmp	[ecx+4], eax
		jnz	loc_AB6444
		push	0
		lea	edx, [ebp+var_14]
		mov	[ebp+var_14], ecx
		push	eax
		mov	[ecx+4], edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_AE1403
; END OF FUNCTION CHUNK	FOR MiCreateNodeLists
; 
; START	OF FUNCTION CHUNK FOR MiSwitchToPfns

loc_AE1438:				; CODE XREF: MiSwitchToPfns+40j
		cmp	[esi+14h], dx
		jnz	loc_AB6490
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		and	dword ptr [esi+18h], 0FF800000h
		lea	edx, [esi+10h]
		mov	ecx, [edx]
		mov	byte ptr [ebp+var_4+3],	al
		and	ecx, 0C0000001h
		xor	eax, eax
		mov	dword ptr [esi+4], 0C0000000h
		mov	[esi+14h], ax
		or	ecx, 1
		mov	al, [esi+16h]
		and	al, 0FDh
		mov	[edx], ecx
		or	al, 5
		mov	[esi+16h], al
		mov	al, [esi+16h]
		and	al, 3Fh
		or	al, 40h
		mov	[esi+16h], al
		mov	ecx, dword_6D35B8
		movsx	eax, byte ptr [ecx]
		bts	eax, 0
		mov	[ecx], al
		mov	eax, 7FFFFFFFh
		lock and [edx],	eax
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		xor	edx, edx
		mov	ecx, 7FFFFFFFh
		jmp	loc_AB6490
; 

loc_AE14B0:				; CODE XREF: MiSwitchToPfns+6Ej
		and	esi, ecx
		mov	[edi+8], esi
		jmp	loc_AB65A6
; 

loc_AE14BA:				; CODE XREF: MiSwitchToPfns+B0j
		test	ds:_MiFlags, 2000h
		jz	loc_AB65D5
		jmp	loc_AB6500
; 

loc_AE14CF:				; CODE XREF: MiSwitchToPfns+1FCj
		xor	ecx, ecx
		inc	ecx
		mov	[ebp+var_C], ecx
		jmp	loc_AB650E
; 

loc_AE14DA:				; CODE XREF: MiSwitchToPfns+1B4j
					; MiSwitchToPfns+1BDj
		mov	eax, [ebp+var_C]
		mov	[ebp+var_20], ecx
		lea	ecx, [ebp+var_30]
		mov	[ebp+var_28], 2
		mov	[ebp+var_24], eax
		call	_MxCreateFreePfns@4 ; MxCreateFreePfns(x)
		jmp	loc_AB662B
; 

loc_AE14F7:				; CODE XREF: MiSwitchToPfns+12Bj
					; MiSwitchToPfns+134j
		mov	ecx, [edi+4]
		cmp	esi, 1Dh
		jnz	short loc_AE1532
		test	ecx, ecx
		jz	short loc_AE1544
		xor	edx, edx
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_AE1518
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_AE1518
		inc	edx

loc_AE1518:				; CODE XREF: MiSwitchToPfns+2B0C2j
					; MiSwitchToPfns+2B0CBj
		xor	eax, eax
		mov	[ecx+4], eax
		nop
		mov	[ecx], eax
		test	edx, edx
		jz	short loc_AE152D
		push	eax
		push	eax
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		xor	eax, eax

loc_AE152D:				; CODE XREF: MiSwitchToPfns+2B0D8j
		mov	[edi+4], eax
		mov	ecx, eax

loc_AE1532:				; CODE XREF: MiSwitchToPfns+2B0B3j
		test	ecx, ecx
		jz	short loc_AE1544
		xor	edx, edx
		mov	ecx, edi
		call	_MiMarkPfnVerified@8 ; MiMarkPfnVerified(x,x)
		jmp	loc_AB6584
; 

loc_AE1544:				; CODE XREF: MiSwitchToPfns+2B0B7j
					; MiSwitchToPfns+2B0EAj
		push	0
		push	0
		push	0
		push	80h
		xor	edx, edx
		push	ecx
		inc	edx
		mov	ecx, edi
		call	_MiInitializeUnusablePfns@28 ; MiInitializeUnusablePfns(x,x,x,x,x,x,x)
		jmp	loc_AB6584
; 

loc_AE155F:				; CODE XREF: MiSwitchToPfns+E9j
					; MiSwitchToPfns+151j
		mov	edx, dword_6D5D84
		mov	esi, [ebp+var_C]
		cmp	esi, edx
		ja	loc_AB65A1
		lea	ecx, [esi+eax]
		lea	eax, [edx+1]
		cmp	ecx, eax
		mov	ecx, 7FFFFFFFh
		jbe	loc_AB65A6
		sub	edx, esi
		inc	edx
		mov	[edi+10h], edx
		jmp	loc_AB65A6
; END OF FUNCTION CHUNK	FOR MiSwitchToPfns
; 
; START	OF FUNCTION CHUNK FOR MiCreateFreePfns

loc_AE158E:				; CODE XREF: MiCreateFreePfns+47j
		and	eax, 0BFFFFFFFh
		mov	ecx, offset dword_AFF4E8
		mov	[edi+8], eax
		jmp	loc_AB66A4
; 

loc_AE15A0:				; CODE XREF: MiCreateFreePfns+E4j
		push	5
		pop	ecx
		lea	esi, [ebp+var_70]
		sub	eax, edx
		lea	edi, [ebp+var_84]
		mov	[ebp+var_50], eax
		rep movsd
		lea	ecx, [ebp+var_84]
		mov	[ebp+var_74], eax
		call	_MxCreateFreePfns@4 ; MxCreateFreePfns(x)
		mov	ecx, [ebp+var_54]
		sub	ebx, [ebp+var_50]
		mov	esi, [ebp+var_5C]
		mov	edx, [ecx]
		jmp	loc_AB673C
; 

loc_AE15D1:				; CODE XREF: MiCreateFreePfns+109j
		mov	edx, [ebp+var_54]
		inc	esi
		mov	[ebp+var_5C], esi
		cmp	esi, [ebp+var_4C]
		jb	loc_AB672B

loc_AE15E1:				; CODE XREF: MiCreateFreePfns+CEj
		test	ebx, ebx
		jz	loc_AB66E7
		lea	ecx, [ebp+var_70]
		jmp	loc_AB66E2
; END OF FUNCTION CHUNK	FOR MiCreateFreePfns
; 
; START	OF FUNCTION CHUNK FOR MiFindLargestLoaderDescriptor

loc_AE15F1:				; CODE XREF: MiFindLargestLoaderDescriptor+E5j
		mov	ecx, eax
		mov	ds:_MmDynamicPfn, ecx
		jmp	loc_AB6B41
; END OF FUNCTION CHUNK	FOR MiFindLargestLoaderDescriptor
; 
; START	OF FUNCTION CHUNK FOR MxInitializeFreeNodeDescriptors

loc_AE15FE:				; CODE XREF: MxInitializeFreeNodeDescriptors+85j
		mov	eax, [ebp+var_8]
		mov	ecx, [eax+esi*4]
		mov	eax, [edi+4]
		add	ecx, 4000h
		add	eax, [edi]
		cmp	eax, ecx
		jnb	loc_AB6BF9
		jmp	loc_AB6BE3
; END OF FUNCTION CHUNK	FOR MxInitializeFreeNodeDescriptors
; 
; START	OF FUNCTION CHUNK FOR MiCreateSparsePfnDatabase

loc_AE161C:				; CODE XREF: MiCreateSparsePfnDatabase+199j
		cmp	edi, 2
		jz	short loc_AE162B
		cmp	edi, 18h
		jz	short loc_AE162B
		xor	eax, eax
		inc	eax
		jmp	short loc_AE162D
; 

loc_AE162B:				; CODE XREF: MiCreateSparsePfnDatabase+2AA21j
					; MiCreateSparsePfnDatabase+2AA26j
		xor	eax, eax

loc_AE162D:				; CODE XREF: MiCreateSparsePfnDatabase+2AA2Bj
		push	eax
		mov	ecx, esi
		call	MxMapPfnRange
		test	eax, eax
		jz	loc_AB6E24
		jmp	loc_AB6D9D
; 

loc_AE1642:				; CODE XREF: MiCreateSparsePfnDatabase+1ADj
		push	1
		mov	edx, 800h
		call	MxMapPfnRange
		test	eax, eax
		jz	loc_AB6E24
		jmp	loc_AB6DB1
; END OF FUNCTION CHUNK	FOR MiCreateSparsePfnDatabase
; 
; START	OF FUNCTION CHUNK FOR MxMapPfnRange

loc_AE165B:				; CODE XREF: MxMapPfnRange+31j
		xor	edi, edi
		jmp	loc_AB6E6E
; END OF FUNCTION CHUNK	FOR MxMapPfnRange
; 
; START	OF FUNCTION CHUNK FOR MxMapVa

loc_AE1662:				; CODE XREF: MxMapVa+6Fj MxMapVa+78j ...
		push	dword ptr [edi+4]
		xor	ecx, ecx
		call	MxGetNextPage
		mov	[ebp+var_C], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_AE178C
		inc	dword_6D3634
		test	ebx, ebx
		jnz	short loc_AE1688
		cmp	dword ptr [edi+8], 1
		jnz	short loc_AE1691

loc_AE1688:				; CODE XREF: MxMapVa+2A6D4j
		push	0
		mov	ecx, eax
		call	MiFillPhysicalPages

loc_AE1691:				; CODE XREF: MxMapVa+2A6DAj
		mov	edx, [ebp+var_C]
		mov	eax, ebx
		neg	eax
		mov	ecx, esi
		sbb	eax, eax
		and	eax, 0E8000000h
		add	eax, 0B0000004h
		push	eax
		call	MiMakeValidPte
		and	[ebp+var_C], 0
		mov	ecx, esi
		mov	[ebp+var_4], eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_AE1706
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		mov	ecx, [ebp+var_4]
		test	eax, eax
		jz	short loc_AE16EC
		cmp	byte ptr word_6D07B8+1,	0
		mov	[ebp+var_C], 1
		jnz	short loc_AE1709

loc_AE16DA:				; CODE XREF: MxMapVa+2A758j
		mov	eax, ecx
		and	eax, 1
		or	eax, 0
		jz	short loc_AE1709
		or	edx, 80000000h
		jmp	short loc_AE1709
; 

loc_AE16EC:				; CODE XREF: MxMapVa+2A71Cj
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	short loc_AE1709
		jmp	short loc_AE16DA
; 

loc_AE1706:				; CODE XREF: MxMapVa+2A710j
		mov	ecx, [ebp+var_4]

loc_AE1709:				; CODE XREF: MxMapVa+2A72Cj
					; MxMapVa+2A736j ...
		mov	[esi+4], edx
		nop
		cmp	[ebp+var_C], 0
		mov	[esi], ecx
		jz	short loc_AE171E
		push	edx
		push	ecx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_AE171E:				; CODE XREF: MxMapVa+5Bj
					; MxMapVa+2A767j
		test	ebx, ebx
		jz	loc_AB7010
		dec	ebx
		jmp	loc_AB6FE4
; 

loc_AE172C:				; CODE XREF: MxMapVa+B9j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_AE175E
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	loc_AB706E

loc_AE1745:				; CODE XREF: MxMapVa+2A7CBj
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	loc_AB706E
		or	edx, 80000000h
		jmp	loc_AB706E
; 

loc_AE175E:				; CODE XREF: MxMapVa+2A787j
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_4]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_AE1745
		jmp	loc_AB706E
; 

loc_AE177E:				; CODE XREF: MxMapVa+CAj
		push	edx
		push	ebx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_AB707C
; 

loc_AE178C:				; CODE XREF: MxMapVa+2A6C6j
		xor	eax, eax
		jmp	loc_AB7013
; END OF FUNCTION CHUNK	FOR MxMapVa
; 
; START	OF FUNCTION CHUNK FOR MxComputeFreeNodeDescriptorRequirements

loc_AE1793:				; CODE XREF: MxComputeFreeNodeDescriptorRequirements+D4j
					; MxComputeFreeNodeDescriptorRequirements+FEj
		mov	ecx, [ebp+var_4]
		call	_MxComputePfnPagesNeeded@8 ; MxComputePfnPagesNeeded(x,x)
		mov	ecx, [ebp+var_14]
		add	[ecx+esi*4], eax
		jmp	loc_AB71F8
; END OF FUNCTION CHUNK	FOR MxComputeFreeNodeDescriptorRequirements
; 
; START	OF FUNCTION CHUNK FOR MxGetNextPage

loc_AE17A6:				; CODE XREF: MxGetNextPage+24j
					; MxGetNextPage+2Ej ...
		movzx	esi, ds:_KeNumberNodes
		lea	edx, [eax+1]
		xor	edi, edi
		mov	eax, edx
		sub	eax, esi
		inc	ecx
		neg	eax
		sbb	eax, eax
		and	eax, edx
		cmp	ecx, esi
		mov	esi, [ebp+var_8]
		jb	loc_AB722D
		jmp	loc_AB7254
; 

loc_AE17CD:				; CODE XREF: MxGetNextPage+44j
		mov	edx, [ebp+var_4]
		inc	edx
		mov	[ebp+var_4], edx
		cmp	edx, 2
		jb	loc_AB7228
		jmp	loc_AB725C
; 

loc_AE17E2:				; CODE XREF: MxGetNextPage+53j
		cmp	esi, 1
		jz	short loc_AE1800
		push	[ebp+arg_0]
		call	_MxSwitchDescriptors@4 ; MxSwitchDescriptors(x)
		mov	edi, eax
		test	edi, edi
		jnz	loc_AB726B
		mov	byte_6D311E, 10h

loc_AE1800:				; CODE XREF: MxGetNextPage+2A5D3j
		mov	eax, ebx
		jmp	loc_AB728D
; 

loc_AE1807:				; CODE XREF: MxGetNextPage+5Cj
		mov	esi, [edi+8]
		mov	eax, esi
		and	eax, 0FFFFFE00h
		cmp	esi, eax
		jz	short loc_AE1821
		cmp	esi, [edi]
		jz	short loc_AE1821
		lea	eax, [esi-1]
		mov	[edi+8], eax
		jmp	short loc_AE1867
; 

loc_AE1821:				; CODE XREF: MxGetNextPage+2A601j
					; MxGetNextPage+2A605j
		mov	edx, [edi+0Ch]
		mov	ecx, [edi]
		cmp	edx, ebx
		jnz	short loc_AE1846
		cmp	esi, ecx
		jz	short loc_AE1841
		mov	eax, ecx
		and	eax, 0FFFFFE00h
		cmp	ecx, eax
		jz	short loc_AE1841
		mov	ebx, ecx
		or	ebx, 1FFh

loc_AE1841:				; CODE XREF: MxGetNextPage+2A61Aj
					; MxGetNextPage+2A625j
		mov	[edi+8], ebx
		jmp	short loc_AE1867
; 

loc_AE1846:				; CODE XREF: MxGetNextPage+2A616j
		lea	eax, [edx+1FFh]
		mov	[edi+8], eax
		mov	eax, edx
		sub	eax, ecx
		cmp	eax, 200h
		jb	loc_AB7299
		lea	eax, [edx-200h]
		mov	[edi+0Ch], eax

loc_AE1867:				; CODE XREF: MxGetNextPage+8Aj
					; MxGetNextPage+2A60Dj	...
		mov	ecx, edi
		call	_MxBootDescriptorDepleted@4 ; MxBootDescriptorDepleted(x)
		jmp	loc_AB728B
; END OF FUNCTION CHUNK	FOR MxGetNextPage
; 
; START	OF FUNCTION CHUNK FOR MxPageAlwaysHot

loc_AE1873:				; CODE XREF: MxPageAlwaysHot+7j
		call	_MiSearchChannelTable@4	; MiSearchChannelTable(x)
		cmp	byte ptr [eax+0Ah], 1
		jz	loc_AB72AF
		xor	eax, eax
		inc	eax
		retn
; END OF FUNCTION CHUNK	FOR MxPageAlwaysHot
; 
; START	OF FUNCTION CHUNK FOR MiInitializeCacheSizes

loc_AE1886:				; CODE XREF: MiInitializeCacheSizes+25j
		movzx	ecx, al
		mov	eax, edx
		xor	edx, edx
		div	ecx
		mov	edx, eax
		jmp	loc_AB737D
; 

loc_AE1896:				; CODE XREF: MiInitializeCacheSizes+2Dj
		bsr	ecx, edx
		xor	edx, edx
		inc	edx
		shl	edx, cl
		jmp	loc_AB7385
; 

loc_AE18A3:				; CODE XREF: MiInitializeCacheSizes+3Cj
		cmp	edx, esi
		jbe	loc_AB73A6
		jmp	loc_AB7394
; 

loc_AE18B0:				; CODE XREF: MiInitializeCacheSizes+4Cj
		cmp	eax, 40000h
		sbb	edx, edx
		and	edx, 0FFFFFFC0h
		sub	edx, 0FFFFFF80h
		jmp	loc_AB73A6
; 

loc_AE18C2:				; CODE XREF: MiInitializeCacheSizes+6Aj
		inc	eax
		jmp	loc_AB73C2
; END OF FUNCTION CHUNK	FOR MiInitializeCacheSizes
; 
; START	OF FUNCTION CHUNK FOR MmInitSystem

loc_AE18C8:				; CODE XREF: MmInitSystem+52j
		call	_KeQueryNumaGraph@0 ; KeQueryNumaGraph()
		mov	edx, eax
		mov	[ebp+var_14], edx
		test	edx, edx
		jz	loc_AB748A
		movzx	edi, ds:_KeNumberNodes
		test	edi, edi
		jz	short loc_AE1931
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], edi

loc_AE18F0:				; CODE XREF: MmInitSystem+2A4F4j
		mov	edx, ebx
		xor	esi, esi
		mov	ebx, eax

loc_AE18F6:				; CODE XREF: MmInitSystem+2A4D8j
		mov	eax, dword_6D0698
		inc	esi
		movzx	ecx, word ptr [ebx]
		lea	ebx, [ebx+2]
		mov	[edx+eax], ecx
		lea	edx, [edx+4]
		cmp	esi, edi
		jb	short loc_AE18F6
		mov	ebx, [ebp+var_4]
		mov	eax, edi
		shl	eax, 2
		add	ebx, eax
		sub	[ebp+var_C], 1
		mov	eax, [ebp+var_8]
		mov	[ebp+var_4], ebx
		lea	eax, [eax+edi*2]
		mov	[ebp+var_8], eax
		jnz	short loc_AE18F0
		mov	esi, [ebp+var_10]
		xor	ebx, ebx
		mov	edx, [ebp+var_14]
		inc	ebx

loc_AE1931:				; CODE XREF: MmInitSystem+2A4B1j
		push	0
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AB748A
; END OF FUNCTION CHUNK	FOR MmInitSystem
; 
; START	OF FUNCTION CHUNK FOR MiInitSystem

loc_AE193E:				; CODE XREF: MiInitSystem+2CAj
		call	_KdSetDbgPrintBufferSize@4 ; KdSetDbgPrintBufferSize(x)
		jmp	loc_AB7788
; 

loc_AE1948:				; CODE XREF: MiInitSystem+2F6j
		push	18h
		xor	edx, edx
		mov	ecx, edi
		call	_MiGetSlabAllocator@12 ; MiGetSlabAllocator(x,x,x)
		mov	[ebp+var_80], eax
		mov	eax, [ebp+var_6C]
		add	eax, 18h
		mov	[ebp+var_40], eax
		mov	edi, [eax]
		jmp	short loc_AE19B2
; 

loc_AE1963:				; CODE XREF: MiInitSystem+2A4FCj
		mov	ecx, [edi+8]
		cmp	ecx, 1Dh
		jz	short loc_AE1970
		cmp	ecx, 24h
		jnz	short loc_AE19B0

loc_AE1970:				; CODE XREF: MiInitSystem+2A4B1j
		mov	edx, [edi+10h]
		mov	eax, edx
		mov	ecx, [edi+0Ch]
		or	eax, ecx
		test	eax, 1FFh
		jnz	short loc_AE19BB
		test	ecx, ecx
		jz	short loc_AE19BB
		test	edx, edx
		jz	short loc_AE19BB
		lea	eax, [edx+ecx]
		cmp	eax, ecx
		jb	short loc_AE19BB
		dec	eax
		cmp	eax, dword_6D07B0
		ja	short loc_AE19BB
		push	ecx
		push	edx
		mov	edx, ecx
		mov	ecx, [ebp+var_80]
		call	_MiCreateBootSlabEntries@16 ; MiCreateBootSlabEntries(x,x,x,x)
		test	eax, eax
		js	loc_AB7930
		mov	eax, [ebp+var_40]

loc_AE19B0:				; CODE XREF: MiInitSystem+2A4B6j
		mov	edi, [edi]

loc_AE19B2:				; CODE XREF: MiInitSystem+2A4A9j
		cmp	edi, eax
		jnz	short loc_AE1963
		jmp	loc_AB77B4
; 

loc_AE19BB:				; CODE XREF: MiInitSystem+2A4C7j
					; MiInitSystem+2A4CBj ...
		push	esi
		push	edx
		push	ecx
		push	3030310h
		push	1Ah
		jmp	short loc_AE19D6
; 

loc_AE19C7:				; CODE XREF: MiInitSystem+2A938j
		push	esi
		push	[ebp+var_40]
		push	offset dword_6D05C8
		push	ecx
		push	162h

loc_AE19D6:				; CODE XREF: MiInitSystem+2A50Dj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE19DB:				; CODE XREF: MiInitSystem+C6j
		mov	eax, [ebp+var_6C]
		mov	eax, [eax+84h]
		mov	ecx, [eax+0A50h]
		mov	[ebp+var_44], ecx
		test	ecx, ecx
		jz	short loc_AE1A02
		lea	edi, [edx+1FFh]
		and	edi, 0FFFFFE00h
		jmp	loc_AE1BDB
; 

loc_AE1A02:				; CODE XREF: MiInitSystem+2A537j
		lea	eax, [edx+1FFh]
		and	eax, 0FFFFFE00h
		mov	ecx, eax
		mov	[ebp+var_40], eax
		push	9
		shr	ecx, 9
		pop	edx
		call	MiObtainSystemVa
		mov	[ebp+var_44], eax
		test	eax, eax
		jz	short loc_AE1A69
		mov	edi, eax
		mov	eax, [ebp+var_40]
		shr	edi, 9
		dec	eax
		and	edi, offset loc_7FFFF8
		sub	edi, 40000000h
		push	esi
		push	9
		push	esi
		lea	eax, [edi+eax*8]
		mov	[ebp+var_64], edi
		mov	edx, eax
		mov	[ebp+var_40], eax
		mov	ecx, edi
		call	MiMakeZeroedPageTablesEx
		test	eax, eax
		jnz	short loc_AE1A74
		mov	edx, [ebp+var_40]
		push	ecx
		mov	ecx, [ebp+var_44]
		add	edx, 8
		push	9
		shl	edx, 9
		call	_MiReturnSystemVa@16 ; MiReturnSystemVa(x,x,x,x)
		mov	eax, esi

loc_AE1A69:				; CODE XREF: MiInitSystem+2A56Aj
		mov	ds:_BBTPagesToReserve, esi
		jmp	loc_AE1BEB
; 

loc_AE1A74:				; CODE XREF: MiInitSystem+2A599j
		push	0A0000004h
		xor	edx, edx
		mov	ecx, edi
		call	MiMakeValidPte
		mov	ecx, [ebp+var_6C]
		mov	edi, esi
		add	ecx, 18h
		mov	[ebp+var_70], eax
		mov	[ebp+var_74], edx
		mov	[ebp+var_60], ecx
		mov	eax, [ecx]
		jmp	loc_AE1BBF
; 

loc_AE1A9A:				; CODE XREF: MiInitSystem+2A70Cj
		cmp	dword ptr [eax+8], 17h
		jnz	loc_AE1BBD
		mov	edx, [eax+10h]
		mov	ecx, [eax+0Ch]
		mov	[ebp+var_88], ecx
		mov	ecx, ds:_BBTPagesToReserve
		lea	eax, [edx+edi]
		mov	[ebp+var_8C], edx
		cmp	eax, ecx
		jbe	short loc_AE1ACD
		mov	edx, ecx
		sub	edx, edi
		mov	[ebp+var_8C], edx

loc_AE1ACD:				; CODE XREF: MiInitSystem+2A609j
		mov	eax, [ebp+var_88]
		add	edi, edx
		mov	[ebp+var_7C], edi
		mov	edi, [ebp+var_64]

loc_AE1ADB:				; CODE XREF: MiInitSystem+2A6EBj
		and	[ebp+var_70], 0FFFh
		mov	ecx, eax
		and	[ebp+var_74], 0FFFFFFE0h
		and	ecx, 1FFFFFFh
		xor	eax, eax
		mov	[ebp+var_64], esi
		shld	eax, ecx, 0Ch
		or	eax, [ebp+var_74]
		shl	ecx, 0Ch
		or	ecx, [ebp+var_70]
		mov	[ebp+var_70], ecx
		mov	[ebp+var_84], ecx
		mov	ecx, edi
		mov	[ebp+var_74], eax
		mov	[ebp+var_78], eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_AE1B67
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_AE1B4F
		cmp	byte ptr word_6D07B8+1,	0
		mov	[ebp+var_64], 1
		jnz	short loc_AE1B67

loc_AE1B33:				; CODE XREF: MiInitSystem+2A6ADj
		mov	ecx, [ebp+var_70]
		mov	eax, ecx
		and	eax, 1
		or	eax, esi
		jz	short loc_AE1B67
		mov	eax, [ebp+var_74]
		mov	[ebp+var_84], ecx
		or	eax, 80000000h
		jmp	short loc_AE1B6A
; 

loc_AE1B4F:				; CODE XREF: MiInitSystem+2A669j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_AE1B33

loc_AE1B67:				; CODE XREF: MiInitSystem+2A660j
					; MiInitSystem+2A679j ...
		mov	eax, [ebp+var_78]

loc_AE1B6A:				; CODE XREF: MiInitSystem+2A695j
		mov	[edi+4], eax
		nop
		mov	ecx, [ebp+var_84]
		mov	[edi], ecx
		cmp	[ebp+var_64], esi
		jz	short loc_AE1B8A
		push	eax
		push	ecx
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		mov	edx, [ebp+var_8C]

loc_AE1B8A:				; CODE XREF: MiInitSystem+2A6C1j
		mov	eax, [ebp+var_88]
		add	edi, 8
		inc	eax
		sub	edx, 1
		mov	[ebp+var_88], eax
		mov	[ebp+var_8C], edx
		jnz	loc_AE1ADB
		mov	[ebp+var_64], edi
		mov	edi, [ebp+var_7C]
		cmp	edi, ds:_BBTPagesToReserve
		jz	short loc_AE1BD8
		mov	eax, [ebp+var_40]
		mov	ecx, [ebp+var_60]

loc_AE1BBD:				; CODE XREF: MiInitSystem+2A5E6j
		mov	eax, [eax]

loc_AE1BBF:				; CODE XREF: MiInitSystem+2A5DDj
		mov	[ebp+var_40], eax
		cmp	eax, ecx
		jnz	loc_AE1A9A
		cmp	edi, ds:_BBTPagesToReserve
		jnb	short loc_AE1BD8
		mov	ds:_BBTPagesToReserve, edi

loc_AE1BD8:				; CODE XREF: MiInitSystem+2A6FDj
					; MiInitSystem+2A718j
		mov	ecx, [ebp+var_44]

loc_AE1BDB:				; CODE XREF: MiInitSystem+2A545j
		shl	edi, 0Ch
		mov	edx, edi
		call	_KeZeroPages	; KiZeroPages(x,x)
		mov	eax, [ebp+var_44]
		mov	[eax], edi

loc_AE1BEB:				; CODE XREF: MiInitSystem+2A5B7j
		mov	_BBTBuffer, eax
		jmp	loc_AB7584
; 

loc_AE1BF5:				; CODE XREF: MiInitSystem+F0j
		mov	byte_6D311E, 20h
		jmp	loc_AB7930
; 

loc_AE1C01:				; CODE XREF: MiInitSystem+1AAj
		call	_ViInitializeKernelVerifierThunks@0 ; ViInitializeKernelVerifierThunks()
		lea	eax, [ebp+var_80]
		push	eax
		push	0Ch
		push	1
		push	ds:_PsNtosImageBase
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	[ebp+var_40], eax
		test	eax, eax
		jz	loc_AB7668
		mov	edi, [ebp+var_80]
		shr	edi, 2
		test	edi, edi
		jz	loc_AB7668

loc_AE1C32:				; CODE XREF: MiInitSystem+2A7C3j
		mov	edx, offset _ViKernelVerifierThunks
		mov	ecx, esi

loc_AE1C39:				; CODE XREF: MiInitSystem+2A7D1j
		test	edx, edx
		jz	short loc_AE1C82
		mov	esi, [edx]
		mov	[ebp+var_7C], esi
		push	0
		mov	esi, [esi+8]
		cmp	[eax], esi
		mov	[ebp+var_60], esi
		pop	esi
		jnz	short loc_AE1C82
		cmp	_ViKernelVerifierOriginalCalls[ecx*4], esi
		jnz	short loc_AE1C62
		mov	edx, [ebp+var_60]
		mov	_ViKernelVerifierOriginalCalls[ecx*4], edx

loc_AE1C62:				; CODE XREF: MiInitSystem+2A79Ej
		mov	edx, [ebp+var_7C]
		mov	ecx, eax
		mov	edx, [edx+4]
		call	_MmReplaceImportEntry@8	; MmReplaceImportEntry(x,x)
		mov	eax, [ebp+var_40]

loc_AE1C72:				; CODE XREF: MiInitSystem+2A7D3j
		add	eax, 4
		mov	[ebp+var_40], eax
		sub	edi, 1
		jnz	short loc_AE1C32
		jmp	loc_AB7668
; 

loc_AE1C82:				; CODE XREF: MiInitSystem+2A783j
					; MiInitSystem+2A795j
		add	edx, 4
		inc	ecx
		cmp	ecx, 5
		jb	short loc_AE1C39
		jmp	short loc_AE1C72
; 

loc_AE1C8D:				; CODE XREF: MiInitSystem+473j
		cmp	byte_6D35B1, 0
		jnz	loc_AB768A
		mov	edi, dword_6D07D0
		mov	eax, large fs:124h
		neg	edi
		shr	edi, 14h
		mov	[ebp+var_3C], 5
		mov	[ebp+var_38], 6
		dec	word ptr [eax+13Eh]
		mov	[ebp+var_34], 8
		mov	[ebp+var_30], 9
		mov	[ebp+var_2C], 1
		mov	[ebp+var_28], offset _MmNonPagedPoolLimit
		mov	[ebp+var_24], offset _MmPagedPoolLimit
		mov	[ebp+var_20], offset _MmSystemCacheLimit
		mov	[ebp+var_1C], offset _MmSystemPtesLimit
		mov	[ebp+var_18], offset _MmSessionSpaceLimit
		mov	[ebp+var_7C], eax
		nop
		xor	edx, edx
		mov	ecx, offset dword_6D05C8
		call	ExAcquirePushLockExclusiveEx
		mov	edx, esi

loc_AE1D0A:				; CODE XREF: MiInitSystem+2A87Dj
		mov	eax, [ebp+edx+var_28]
		mov	ecx, [eax]
		test	ecx, ecx
		jz	short loc_AE1D2F
		cmp	ecx, edi
		jnb	short loc_AE1D2F
		mov	eax, [ebp+edx+var_3C]
		shl	ecx, 14h
		add	ecx, 1FFFFFh
		shr	ecx, 15h
		mov	dword_6D41D4[eax*4], ecx

loc_AE1D2F:				; CODE XREF: MiInitSystem+2A85Aj
					; MiInitSystem+2A85Ej
		add	edx, 4
		cmp	edx, 14h
		jb	short loc_AE1D0A
		or	eax, 0FFFFFFFFh
		mov	edx, offset dword_6D05C8
		mov	[ebp+var_40], eax
		lock xadd [edx], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_AE1D58
		mov	ecx, edx
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		mov	edx, offset dword_6D05C8

loc_AE1D58:				; CODE XREF: MiInitSystem+2A892j
		mov	edi, esi
		mov	[ebp+var_64], edi
		test	edx, 7FFFFFFCh
		jz	loc_AE1EEE
		mov	ecx, large fs:124h
		mov	eax, dword_6D07D0
		shr	edx, 15h
		mov	[ebp+var_44], ecx
		mov	[ebp+var_60], eax
		cmp	eax, offset dword_6D05C8
		ja	short loc_AE1DA3
		mov	eax, edx
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_AE1DA8
		mov	eax, [ebp+var_60]
		cmp	eax, offset dword_6D05C8
		ja	short loc_AE1DA3
		cmp	byte ptr dword_6D3994[edx], 0Bh
		jz	short loc_AE1DA8

loc_AE1DA3:				; CODE XREF: MiInitSystem+2A8CBj
					; MiInitSystem+2A8E0j
		or	eax, 0FFFFFFFFh
		jmp	short loc_AE1DB9
; 

loc_AE1DA8:				; CODE XREF: MiInitSystem+2A8D6j
					; MiInitSystem+2A8E9j
		mov	ecx, [ecx+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, [ebp+var_44]
		mov	[ebp+var_40], eax

loc_AE1DB9:				; CODE XREF: MiInitSystem+2A8EEj
		dec	word ptr [ecx+13Eh]
		nop
		inc	byte ptr [ecx+1E6h]
		nop
		mov	dl, [ecx+1E6h]
		mov	[ebp+var_65], dl
		mov	edx, offset dword_6D05C8
		push	eax
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_60], ecx
		test	ecx, ecx
		jnz	short loc_AE1DFA
		mov	ecx, [ebp+var_44]
		mov	eax, [ecx+5Ch]
		test	eax, 10000h
		jz	loc_AE19C7
		mov	esi, ecx
		jmp	short loc_AE1E5F
; 

loc_AE1DFA:				; CODE XREF: MiInitSystem+2A92Bj
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], esi
		jge	short loc_AE1E10
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_60]

loc_AE1E10:				; CODE XREF: MiInitSystem+2A94Ej
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_64], edi
		mov	[ecx+2Ch], eax
		nop
		mov	[ecx+10h], esi
		mov	esi, [ebp+var_44]
		push	30h
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		pop	ecx
		cdq
		idiv	ecx
		mov	dl, 1
		mov	ecx, eax
		shl	dl, cl
		cmp	[ebp+var_65], 1
		jnz	short loc_AE1E53
		or	[esi+1E4h], dl
		jmp	short loc_AE1E5F
; 

loc_AE1E53:				; CODE XREF: MiInitSystem+2A991j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_44]

loc_AE1E5F:				; CODE XREF: MiInitSystem+2A940j
					; MiInitSystem+2A999j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_60], eax
		jz	short loc_AE1EC8
		test	edi, 8000h
		jz	short loc_AE1E83
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_AE1E83:				; CODE XREF: MiInitSystem+2A9C0j
		test	byte ptr [ebp+var_64+2], 1
		jz	short loc_AE1E99
		lea	eax, [esi+21Ch]
		lock dec dword ptr [eax]
		lock dec dword ptr [esi+330h]

loc_AE1E99:				; CODE XREF: MiInitSystem+2A9CFj
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_AE1EAD
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_AE1EAD:				; CODE XREF: MiInitSystem+2A9E8j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_AE1EC8
		push	[ebp+var_60]
		mov	edx, offset dword_6D05C8
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_AE1EC8:				; CODE XREF: MiInitSystem+2A9B8j
					; MiInitSystem+2A9FFj
		nop
		mov	ax, [esi+13Eh]
		inc	ax
		movzx	eax, ax
		mov	[esi+13Eh], ax
		test	ax, ax
		jnz	short loc_AE1EEE
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_AE1EEE
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_AE1EEE:				; CODE XREF: MiInitSystem+2A8ABj
					; MiInitSystem+2AA27j ...
		mov	ecx, [ebp+var_7C]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_AB768A
; END OF FUNCTION CHUNK	FOR MiInitSystem
; 
; START	OF FUNCTION CHUNK FOR MiFlushStrongCodeDriverLoadFailures

loc_AE1EFB:				; CODE XREF: MiFlushStrongCodeDriverLoadFailures+2Cj
		cmp	[esi+4], ecx
		jnz	loc_AE1FF4
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_AE1FF4
		mov	dword_6CF568, eax
		mov	[eax+4], ecx
		mov	edi, dword_6D35BC
		cmp	dword ptr [edi], 5
		jbe	loc_AE1FE7
		push	4000h
		push	0
		mov	ecx, edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_AE1FE7
		mov	edx, [esi+8]
		lea	ecx, [ebp+var_68]
		call	_tlgCreate1Sz_char
		lea	eax, [ebp+var_40]
		mov	[ebp+var_50], 2
		mov	[ebp+var_58], eax
		xor	ecx, ecx
		mov	eax, [esi+10h]
		mov	[ebp+var_48], eax
		movzx	eax, word ptr [esi+0Ch]
		mov	[ebp+var_40], eax
		mov	eax, [esi+14h]
		mov	[ebp+var_8C], eax
		lea	eax, [ebp+var_8C]
		push	4
		pop	edx
		mov	[ebp+var_38], eax
		mov	eax, [esi+18h]
		mov	[ebp+var_90], eax
		lea	eax, [ebp+var_90]
		push	8
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_30], edx
		mov	[ebp+var_20], edx
		pop	edx
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_88]
		push	eax
		push	edx
		push	ecx
		push	ecx
		push	1
		push	ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_4C], ecx
		mov	[ebp+var_44], ecx
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_34], ecx
		mov	[ebp+var_2C], ecx
		mov	[ebp+var_24], ecx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_94], ecx
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], edx
		mov	edx, offset loc_41CC7A
		mov	[ebp+var_C], ecx
		push	ecx
		mov	ecx, edi
		mov	[ebp+var_98], 1000000h
		call	__tlgWriteEx_EtwWriteEx@36 ; _tlgWriteEx_EtwWriteEx(x,x,x,x,x,x,x,x,x)

loc_AE1FE7:				; CODE XREF: MiFlushStrongCodeDriverLoadFailures+2A578j
					; MiFlushStrongCodeDriverLoadFailures+2A58Ej
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AB79C7
; 

loc_AE1FF4:				; CODE XREF: MiFlushStrongCodeDriverLoadFailures+2A556j
					; MiFlushStrongCodeDriverLoadFailures+2A561j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_AE1FF9:				; CODE XREF: MiInitializeApiSets+6Cj
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		mov	eax, esi
		jmp	loc_AB7BC6
; END OF FUNCTION CHUNK	FOR MiFlushStrongCodeDriverLoadFailures
; 
; START	OF FUNCTION CHUNK FOR MiInitializeDriverImages

loc_AE200C:				; CODE XREF: MiInitializeDriverImages+34j
		add	eax, 0FFFFFFFEh
		mov	edi, offset _MmLargePageDriverBuffer
		shr	eax, 1
		lea	ecx, _MmLargePageDriverBuffer[eax*2]
		mov	[ebp+var_14], ecx
		cmp	ecx, edi
		jbe	loc_AB7C08
		push	9
		pop	edx
		push	0Ah
		pop	ebx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], 0Dh
		mov	[ebp+var_C], 20h
		mov	[ebp+var_10], 3000h

loc_AE2046:				; CODE XREF: MiInitializeDriverImages+2A557j
		movzx	eax, word ptr [edi]
		cmp	ax, dx
		jz	loc_AE2115
		cmp	ax, bx
		jz	loc_AE2115
		push	0Dh
		pop	ebx
		cmp	ax, bx
		jz	loc_AE2115
		push	20h
		pop	ebx
		cmp	ax, bx
		jz	loc_AE2115
		mov	ebx, 3000h
		cmp	ax, bx
		jz	loc_AE2115
		test	ax, ax
		jz	loc_AE2115
		cmp	eax, 2Ah
		jz	loc_AE212F
		mov	ebx, edi
		cmp	edi, ecx
		jnb	short loc_AE20C5

loc_AE2099:				; CODE XREF: MiInitializeDriverImages+2A4F5j
		movzx	eax, word ptr [ebx]
		cmp	ax, dx
		jz	short loc_AE20C5
		cmp	ax, word ptr [ebp+var_4]
		jz	short loc_AE20C5
		cmp	ax, word ptr [ebp+var_8]
		jz	short loc_AE20C5
		cmp	ax, word ptr [ebp+var_C]
		jz	short loc_AE20C5
		cmp	ax, word ptr [ebp+var_10]
		jz	short loc_AE20C5
		test	ax, ax
		jz	short loc_AE20C5
		add	ebx, 2
		cmp	ebx, ecx
		jb	short loc_AE2099

loc_AE20C5:				; CODE XREF: MiInitializeDriverImages+2A4C9j
					; MiInitializeDriverImages+2A4D1j ...
		push	0
		push	40h
		push	10h
		mov	edx, 704C6D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_AB7C08
		mov	eax, ebx
		mov	[ecx+0Ch], edi
		sub	eax, edi
		mov	edx, offset dword_6CF560
		and	eax, 0FFFFFFFEh
		mov	[ecx+8], ax
		mov	[ecx+0Ah], ax
		mov	eax, dword_6CF564
		cmp	[eax], edx
		jnz	short loc_AE212A
		mov	[ecx], edx
		mov	[ecx+4], eax
		mov	[eax], ecx
		push	9
		mov	dword_6CF564, ecx
		mov	ecx, [ebp+var_14]
		pop	edx
		jmp	short loc_AE2117
; 

loc_AE2115:				; CODE XREF: MiInitializeDriverImages+2A47Ej
					; MiInitializeDriverImages+2A487j ...
		mov	ebx, edi

loc_AE2117:				; CODE XREF: MiInitializeDriverImages+2A545j
		lea	edi, [ebx+2]
		cmp	edi, ecx
		jnb	loc_AB7C08
		push	0Ah
		pop	ebx
		jmp	loc_AE2046
; 

loc_AE212A:				; CODE XREF: MiInitializeDriverImages+2A530j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_AE212F:				; CODE XREF: MiInitializeDriverImages+2A4BFj
		mov	byte_6CF559, 1
		jmp	loc_AB7C08
; END OF FUNCTION CHUNK	FOR MiInitializeDriverImages

;  S U B	R O U T	I N E 


sub_AE213B	proc near		; CODE XREF: VfInitBootDriversLoaded+65j
		push	ebx
		push	0
		push	5Dh
		call	NtSetDebugFilterState
		cmp	ds:_MmVerifyDriverBufferLength,	0
		jz	short loc_AE2153
		call	_VfSuspectDriversParseRegistryString@0 ; VfSuspectDriversParseRegistryString()

loc_AE2153:				; CODE XREF: sub_AE213B+11j
		cmp	ds:_VfXdvSuppressDriversBufferLength, 0
		jz	short loc_AE2161
		call	_VfXdvExcludeParseRegistryString@0 ; VfXdvExcludeParseRegistryString()

loc_AE2161:				; CODE XREF: sub_AE213B+1Fj
		push	_KernelVerifier
		push	_ViVerifyAllDrivers
		push	_MmVerifierData
		call	_VfInitVerifierComponents@12 ; VfInitVerifierComponents(x,x,x)
		mov	ecx, _MmVerifierData
		call	_IoVerifierInit@4 ; IoVerifierInit(x)
		mov	ecx, edi
		mov	_ViFullyInitialized, ebx
		call	_VfTriageAddDrivers@4 ;	VfTriageAddDrivers(x)
		lea	ebx, [edi+10h]
		mov	esi, [ebx]
		mov	ecx, [esi+18h]
		mov	eax, [esi+20h]
		add	eax, ecx
		mov	_ViDriverKernelBase, ecx
		cmp	_KernelVerifier, 0
		mov	_ViDriverKernelEnd, eax
		jz	short loc_AE21BE
		push	0
		push	1
		xor	edx, edx
		mov	ecx, esi
		call	VfDriverLoadImage

loc_AE21BE:				; CODE XREF: sub_AE213B+74j
		cmp	dword ptr [ebp-4], 0
		mov	esi, [esi]
		jz	short loc_AE2201
		mov	ecx, edi
		call	_ViLogAndLoadXdv@4 ; ViLogAndLoadXdv(x)
		jmp	short loc_AE2201
; 

loc_AE21CF:				; CODE XREF: sub_AE213B+C8j
		push	1
		push	offset _XdvName
		lea	eax, [esi+2Ch]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_AE21F2
		push	0
		push	0
		xor	edx, edx
		mov	ecx, esi
		call	VfDriverLoadImage
		jmp	short loc_AE21FF
; 

loc_AE21F2:				; CODE XREF: sub_AE213B+A6j
		cmp	dword ptr [ebp-4], 0
		jnz	short loc_AE21FF
		mov	ecx, edi
		call	_ViLogAndLoadXdv@4 ; ViLogAndLoadXdv(x)

loc_AE21FF:				; CODE XREF: sub_AE213B+B5j
					; sub_AE213B+BBj
		mov	esi, [esi]

loc_AE2201:				; CODE XREF: sub_AE213B+89j
					; sub_AE213B+92j
		cmp	esi, ebx
		jnz	short loc_AE21CF
		jmp	loc_AB7CD3
sub_AE213B	endp

; 
; START	OF FUNCTION CHUNK FOR MiInitializeDynamicVa

loc_AE220A:				; CODE XREF: MiInitializeDynamicVa+42j
		push	3
		mov	edx, esi
		mov	ecx, edi
		call	MiInitializeSystemVaRange
		jmp	loc_AB8186
; 

loc_AE221A:				; CODE XREF: MiInitializeDynamicVa+A5j
					; MiInitializeDynamicVa+ADj
		add	ecx, 8
		add	eax, 8
		cmp	ecx, offset dword_6D4194
		jb	loc_AB81E1
		jmp	loc_AB8202
; 

loc_AE2231:				; CODE XREF: MiInitializeDynamicVa+C8j
		push	ebx
		push	ebx
		push	208h
		push	3030302h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AE2245:				; CODE XREF: MiHandleBootImage+9Aj
		push	dword ptr [ebx+8]
		push	edx
		push	ecx
		lea	edx, [eax+esi*8]
		mov	ecx, edi
		call	_MiFreeBootDriverPages@20 ; MiFreeBootDriverPages(x,x,x,x,x)
		jmp	loc_AB848A
; END OF FUNCTION CHUNK	FOR MiInitializeDynamicVa
; 
; START	OF FUNCTION CHUNK FOR MiHandleBootImage

loc_AE2259:				; CODE XREF: MiHandleBootImage+DDj
					; MiHandleBootImage+E7j ...
		mov	eax, esi
		mov	[ebp+var_4], eax
		jmp	loc_AB8516
; 

loc_AE2263:				; CODE XREF: MiHandleBootImage+123j
		mov	ecx, [ebp+var_20]
		mov	edx, edi
		push	0FFFFFFFFh
		call	_DbgUnLoadImageSymbolsUnicode@12 ; DbgUnLoadImageSymbolsUnicode(x,x,x)
		mov	edx, [ebp+var_8]
		push	ecx		; int
		push	edi		; void *
		xor	ecx, ecx
		mov	[ebp+var_4], 6
		call	_MiMapSystemImageWithLargePage@16 ; MiMapSystemImageWithLargePage(x,x,x,x)
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_AE22CC
		push	[ebp+var_8]
		mov	edx, [ebp+var_18]
		push	[ebp+var_1C]
		mov	ecx, [ebp+var_24]
		push	eax
		push	edi
		mov	[ebp+var_4], 7
		call	_MiBootImageRelocated@24 ; MiBootImageRelocated(x,x,x,x,x,x)
		push	dword ptr [ebx+8]
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		push	esi
		push	[ebp+var_8]
		call	_MiFreeBootDriverPages@20 ; MiFreeBootDriverPages(x,x,x,x,x)
		mov	eax, [ebp+var_10]
		xor	ecx, ecx
		add	eax, [ebp+var_8]
		mov	edx, [ebp+var_C]
		push	eax
		call	MiReleaseDriverPtes
		push	7
		jmp	loc_AB8515
; 

loc_AE22CC:				; CODE XREF: MiHandleBootImage+29E9Dj
		push	6
		jmp	loc_AB8515
; 

loc_AE22D3:				; CODE XREF: MiHandleBootImage+19Fj
		mov	edx, eax
		mov	ecx, edi
		call	_MiTradeBootImagePage@8	; MiTradeBootImagePage(x,x)
		jmp	loc_AB858F
; 

loc_AE22E1:				; CODE XREF: MiHandleBootImage+1BBj
		mov	esi, [ebp+var_18]
		push	ecx
		lea	ecx, [esi+2Ch]
		call	_DbgLoadImageSymbolsUnicode@12 ; DbgLoadImageSymbolsUnicode(x,x,x)
		cmp	eax, 1
		jnz	loc_AB85AB
		or	dword ptr [esi+34h], 100000h
		jmp	loc_AB85AB
; END OF FUNCTION CHUNK	FOR MiHandleBootImage
; 
; START	OF FUNCTION CHUNK FOR MiGetBootImagePageProtection

loc_AE2302:				; CODE XREF: MiGetBootImagePageProtection+45j
		mov	eax, ecx
		and	eax, 6
		cmp	al, 6
		jnz	loc_AB863B
		push	3
		pop	ecx
		jmp	loc_AB863B
; END OF FUNCTION CHUNK	FOR MiGetBootImagePageProtection
; 
; START	OF FUNCTION CHUNK FOR MiInitializeDriverPtes

loc_AE2317:				; CODE XREF: MiInitializeDriverPtes+137j
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_C], esi

loc_AE231D:				; CODE XREF: MiInitializeDriverPtes+2F6j
		cmp	[ebp+var_14], 0
		jz	loc_AB882D
		lea	ebx, [edi+1]
		cmp	ebx, ecx
		jbe	short loc_AE2330
		mov	ebx, ecx

loc_AE2330:				; CODE XREF: MiInitializeDriverPtes+29C90j
		dec	ebx
		xor	esi, esi
		jmp	loc_AB87C4
; 

loc_AE2338:				; CODE XREF: MiInitializeDriverPtes+182j
		or	esi, 0FFFFFFFFh
		mov	[ebp+var_C], esi
		jmp	loc_AB898F
; 

loc_AE2343:				; CODE XREF: MiInitializeDriverPtes+2C3j
		mov	ebx, edx
		jmp	loc_AB8965
; END OF FUNCTION CHUNK	FOR MiInitializeDriverPtes
; 
; START	OF FUNCTION CHUNK FOR MiInitializeBootLoadedDriverPfns

loc_AE234A:				; CODE XREF: MiInitializeBootLoadedDriverPfns+4Ej
		inc	esi
		jmp	loc_AB8B94
; 

loc_AE2350:				; CODE XREF: MiInitializeBootLoadedDriverPfns+97j
		mov	eax, [ebx+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jz	loc_AB8BDD
		xor	edx, edx
		mov	ecx, ebx
		call	_MiMarkPfnVerified@8 ; MiMarkPfnVerified(x,x)
		jmp	loc_AB8BDD
; 

loc_AE2371:				; CODE XREF: MiInitializeBootLoadedDriverPfns+BBj
		push	0
		push	0
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	MiAcquireNonPagedResources
		test	eax, eax
		js	short loc_AE2390
		add	dword_6D361C, ebx
		jmp	loc_AB8C01
; 

loc_AE2390:				; CODE XREF: MiInitializeBootLoadedDriverPfns+29843j
		xor	eax, eax
		jmp	loc_AB8C99
; END OF FUNCTION CHUNK	FOR MiInitializeBootLoadedDriverPfns
; 
; START	OF FUNCTION CHUNK FOR MiInitializeMirroring

loc_AE2397:				; CODE XREF: MiInitializeMirroring+D9j
		mov	eax, [ebp+var_10]
		dec	word ptr [eax+13Eh]
		nop
		mov	esi, offset unk_6D4EAC
		xor	edx, edx
		mov	ecx, esi
		call	ExAcquirePushLockExclusiveEx
		call	_MiUpdateMirrorBitmaps@0 ; MiUpdateMirrorBitmaps()
		or	ecx, 0FFFFFFFFh
		mov	eax, ecx
		lock xadd [esi], eax
		and	al, 6
		cmp	al, 2
		jnz	short loc_AE23CE
		mov	ecx, esi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	ecx, 0FFFFFFFFh

loc_AE23CE:				; CODE XREF: MiInitializeMirroring+29724j
		xor	edi, edi
		mov	[ebp+var_C], edi
		test	esi, 7FFFFFFCh
		jz	loc_AE2564
		mov	esi, large fs:124h
		mov	eax, offset unk_6D4EAC
		mov	edx, dword_6D07D0
		shr	eax, 15h
		mov	[ebp+var_18], esi
		cmp	edx, offset unk_6D4EAC
		ja	short loc_AE2429
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_AE2419
		cmp	edx, offset unk_6D4EAC
		ja	short loc_AE2429
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jnz	short loc_AE2429

loc_AE2419:				; CODE XREF: MiInitializeMirroring+29768j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		mov	ecx, eax
		mov	[ebp+var_8], ecx

loc_AE2429:				; CODE XREF: MiInitializeMirroring+2975Fj
					; MiInitializeMirroring+29770j	...
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		mov	al, [esi+1E6h]
		mov	edx, offset unk_6D4EAC
		push	ecx
		mov	ecx, esi
		mov	byte ptr [ebp+var_4+3],	al
		call	_KiAbThreadClearAcquiredLockEntry@12 ; KiAbThreadClearAcquiredLockEntry(x,x,x)
		mov	ecx, eax
		mov	[ebp+var_14], ecx
		test	ecx, ecx
		jnz	short loc_AE2479
		mov	eax, [esi+5Ch]
		test	eax, 10000h
		jnz	loc_AE24E9
		push	ecx
		push	[ebp+var_8]
		push	offset unk_6D4EAC
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE2479:				; CODE XREF: MiInitializeMirroring+297B7j
		mov	al, [ecx+10h]
		or	al, 2
		mov	[ecx+10h], al
		nop
		cmp	[ecx+10h], edi
		jge	short loc_AE248F
		call	KiAbEntryRemoveFromTree
		mov	ecx, [ebp+var_14]

loc_AE248F:				; CODE XREF: MiInitializeMirroring+297E7j
		mov	eax, [ecx+2Ch]
		mov	edi, eax
		and	byte ptr [ecx+0Dh], 0FEh
		and	edi, 1FFFFh
		and	eax, 0FFFE0000h
		mov	[ebp+var_C], edi
		mov	[ecx+2Ch], eax
		nop
		mov	dword ptr [ecx+10h], 0
		sub	ecx, [esi+1E8h]
		mov	eax, ecx
		push	30h
		pop	ecx
		cdq
		idiv	ecx
		cmp	byte ptr [ebp+var_4+3],	1
		mov	ecx, eax
		jnz	short loc_AE24D9
		movzx	eax, byte ptr [esi+1E4h]
		bts	eax, ecx
		mov	[esi+1E4h], al
		jmp	short loc_AE24E9
; 

loc_AE24D9:				; CODE XREF: MiInitializeMirroring+29827j
		mov	al, 1
		add	esi, 222h
		shl	al, cl
		lock or	[esi], al
		mov	esi, [ebp+var_18]

loc_AE24E9:				; CODE XREF: MiInitializeMirroring+297C1j
					; MiInitializeMirroring+29839j
		nop
		dec	byte ptr [esi+1E6h]
		mov	eax, edi
		and	eax, 1FFFFh
		mov	[ebp+var_18], eax
		jz	short loc_AE254C
		test	edi, 8000h
		jz	short loc_AE250D
		xor	edx, edx
		mov	ecx, esi
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_AE250D:				; CODE XREF: MiInitializeMirroring+29864j
		test	byte ptr [ebp+var_C+2],	1
		jz	short loc_AE251D
		xor	edx, edx
		mov	ecx, esi
		inc	edx
		call	_KiAbThreadUnboostIoPriority@8 ; KiAbThreadUnboostIoPriority(x,x)

loc_AE251D:				; CODE XREF: MiInitializeMirroring+29873j
		mov	eax, 7FFFh
		test	edi, eax
		jz	short loc_AE2531
		and	edi, eax
		mov	ecx, esi
		mov	edx, edi
		call	KiAbThreadUnboostCpuPriority

loc_AE2531:				; CODE XREF: MiInitializeMirroring+29886j
		test	dword ptr ds:byte_70EFC4, 200h
		jz	short loc_AE254C
		push	[ebp+var_18]
		mov	edx, offset unk_6D4EAC
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)

loc_AE254C:				; CODE XREF: MiInitializeMirroring+2985Cj
					; MiInitializeMirroring+2989Dj
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_AE2564
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_AE2564
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_AE2564:				; CODE XREF: MiInitializeMirroring+2973Bj
					; MiInitializeMirroring+298B7j	...
		mov	ecx, [ebp+var_10]
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		jmp	loc_AB8D7D
; END OF FUNCTION CHUNK	FOR MiInitializeMirroring
; 
; START	OF FUNCTION CHUNK FOR MiInitializePagedPoolEvents

loc_AE2571:				; CODE XREF: MiInitializePagedPoolEvents+4Bj
		mov	eax, dword_6D4ED4
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		jmp	loc_AB8E20
; 

loc_AE2581:				; CODE XREF: MiInitializePagedPoolEvents+66j
		push	0
		push	0
		push	dword_6D4ED0
		call	_KeSetEvent@12	; KeSetEvent(x,x,x)
		jmp	loc_AB8E37
; 

loc_AE2595:				; CODE XREF: MiInitializePagedPoolEvents+85j
		test	al, 4
		jnz	loc_AB8E4B
		mov	ecx, edi
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		jmp	loc_AB8E4B
; 

loc_AE25AC:				; CODE XREF: MiInitializePagedPoolEvents+20Dj
		push	0
		push	[ebp+var_8]
		push	offset dword_6D35CC
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE25C1:				; CODE XREF: MiInitializePagedPoolEvents+16Ej
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_24]
		jmp	loc_AB8F3A
; 

loc_AE25D2:				; CODE XREF: MiInitializePagedPoolEvents+1C2j
		push	[ebp+var_24]
		mov	edx, offset dword_6D35CC
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_AB8F88
; END OF FUNCTION CHUNK	FOR MiInitializePagedPoolEvents
; 
; START	OF FUNCTION CHUNK FOR MiComputeOptimalZeroPath

loc_AE25E6:				; CODE XREF: MiComputeOptimalZeroPath+29631j
		mov	esi, [ebp+edi*4+var_3C]
		dec	edi
		mov	ecx, esi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+edi*4+var_48]
		mov	bl, al
		push	2
		pop	edx
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		lea	ecx, [esi+10h]
		mov	eax, 7FFFFFFFh
		lock and [ecx],	eax
		mov	cl, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)

loc_AE2613:				; CODE XREF: MiComputeOptimalZeroPath+35j
		test	edi, edi
		jnz	short loc_AE25E6
		jmp	loc_AB91F6
; END OF FUNCTION CHUNK	FOR MiComputeOptimalZeroPath
; 
; START	OF FUNCTION CHUNK FOR MiInitializeCacheFlushing

loc_AE261C:				; CODE XREF: MiInitializeCacheFlushing+3Ej
		mov	byte_6D06C8, 1
		jmp	loc_AB9240
; 

loc_AE2628:				; CODE XREF: MiInitializeCacheFlushing+B0j
					; MiInitializeCacheFlushing+29438j
		lea	ecx, [ebp+var_50]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_AE2628
		jmp	loc_AB92A7
; 

loc_AE263B:				; CODE XREF: MiInitializeCacheFlushing+FEj
					; MiInitializeCacheFlushing+2944Bj
		lea	ecx, [ebp+var_5C]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_AE263B
		jmp	loc_AB92F5
; END OF FUNCTION CHUNK	FOR MiInitializeCacheFlushing
; 
; START	OF FUNCTION CHUNK FOR MiInitializeSessionIds

loc_AE264E:				; CODE XREF: MiInitializeSessionIds+EBj
		push	0
		lea	ecx, [ebp+var_60]
		push	ecx
		push	eax
		push	1237h
		push	1Ah
		jmp	short loc_AE2677
; 

loc_AE265E:				; CODE XREF: MiInitializeSessionIds+5Aj
					; MiInitializeSessionIds+73j
		push	200h
		push	dword_6D5D84
		push	dword_6D5D80
		push	dword_6D5D88
		push	7Dh

loc_AE2677:				; CODE XREF: MiInitializeSessionIds+29230j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AE267D:				; CODE XREF: MiCreateEnclaveRegions+54j
					; MiCreateEnclaveRegions+5Dj
		mov	ecx, [esi+10h]
		mov	ebx, [esi+0Ch]
		mov	[ebp+var_8], ecx
		test	edi, edi
		jz	short loc_AE269E
		mov	eax, [edi+0Ch]
		mov	edx, [edi+10h]
		add	eax, edx
		cmp	ebx, eax
		jnz	short loc_AE269E
		lea	eax, [edx+ecx]
		mov	[edi+10h], eax
		jmp	short loc_AE26FD
; 

loc_AE269E:				; CODE XREF: MiInitializeSessionIds+2925Cj
					; MiInitializeSessionIds+29268j
		push	0
		push	40h
		push	14h
		mov	edx, 52456D4Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		mov	[ebp+var_10], edi
		test	edi, edi
		jz	loc_AE27DC
		mov	ecx, [ebp+var_8]
		mov	[edi+0Ch], ebx
		mov	[edi+10h], ecx
		mov	ecx, dword_6D3580
		mov	byte ptr [ebp+var_C], 0
		test	ecx, ecx
		jz	short loc_AE26EB

loc_AE26D3:				; CODE XREF: MiInitializeSessionIds+29362j
		cmp	ebx, [ecx+0Ch]
		jb	loc_AE277E
		mov	eax, [ecx+4]
		test	eax, eax
		jnz	loc_AE278C
		mov	byte ptr [ebp+var_C], 1

loc_AE26EB:				; CODE XREF: MiInitializeSessionIds+292A5j
					; MiInitializeSessionIds+2935Bj
		push	edi
		push	[ebp+var_C]
		push	ecx
		push	offset dword_6D3580
		call	_RtlAvlInsertNodeEx@16 ; RtlAvlInsertNodeEx(x,x,x,x)
		mov	ecx, [ebp+var_8]

loc_AE26FD:				; CODE XREF: MiInitializeSessionIds+29270j
		push	0
		push	0
		push	ecx
		mov	edx, ebx
		mov	ecx, offset _MiSystemPartition
		call	MiUpdateLargePageBitMap
		mov	ecx, [ebp+var_8]
		push	ecx
		push	ebx
		push	offset dword_6D35B4
		call	_RtlSetBits@12	; RtlSetBits(x,x,x)
		imul	eax, ebx, 1Ch
		add	eax, ds:_MmPfnDatabase
		cmp	[ebp+var_8], 0
		mov	[ebp+var_14], eax
		jz	loc_AE27C1
		mov	edi, eax

loc_AE2735:				; CODE XREF: MiInitializeSessionIds+2938Cj
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		and	dword ptr [edi+10h], 80000000h
		xor	ecx, ecx
		mov	[edi+14h], cx
		mov	ecx, [edi+18h]
		mov	byte ptr [ebp+var_4+3],	al
		and	ecx, 9FFFFFFFh
		mov	eax, [ebp+var_18]
		or	ecx, 10000000h
		mov	[edi+8], eax
		mov	eax, [ebp+var_1C]
		mov	[edi+18h], ecx
		mov	[edi+0Ch], eax
		cmp	dword ptr [esi+8], 21h
		jnz	short loc_AE2793
		mov	edx, 100h
		mov	ecx, ebx
		call	_MiInsertPageInFreeOrZeroedList@8 ; MiInsertPageInFreeOrZeroedList(x,x)
		jmp	short loc_AE279C
; 

loc_AE277E:				; CODE XREF: MiInitializeSessionIds+292AAj
		mov	eax, [ecx]
		test	eax, eax
		jnz	short loc_AE278C
		mov	byte ptr [ebp+var_C], al
		jmp	loc_AE26EB
; 

loc_AE278C:				; CODE XREF: MiInitializeSessionIds+292B5j
					; MiInitializeSessionIds+29356j
		mov	ecx, eax
		jmp	loc_AE26D3
; 

loc_AE2793:				; CODE XREF: MiInitializeSessionIds+29342j
		xor	edx, edx
		mov	ecx, edi
		call	_MiInitializeMdlPfn@8 ;	MiInitializeMdlPfn(x,x)

loc_AE279C:				; CODE XREF: MiInitializeSessionIds+29350j
		mov	ecx, 7FFFFFFFh
		lea	eax, [edi+10h]
		lock and [eax],	ecx
		mov	cl, byte ptr [ebp+var_4+3]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		add	edi, 1Ch
		inc	ebx
		sub	[ebp+var_8], 1
		jnz	loc_AE2735
		mov	edi, [ebp+var_10]

loc_AE27C1:				; CODE XREF: MiInitializeSessionIds+29301j
		mov	eax, [esi+10h]
		sub	dword_6D3620, eax
		jmp	loc_AB9593
; END OF FUNCTION CHUNK	FOR MiInitializeSessionIds
; 
; START	OF FUNCTION CHUNK FOR MiCreateEnclaveRegions

loc_AE27CF:				; CODE XREF: MiCreateEnclaveRegions+71j
		call	_MiInitializeEnclaveMetadataPage@0 ; MiInitializeEnclaveMetadataPage()
		test	eax, eax
		jnz	loc_AB95A7

loc_AE27DC:				; CODE XREF: MiInitializeSessionIds+2928Aj
		xor	eax, eax
		jmp	loc_AB95AA
; END OF FUNCTION CHUNK	FOR MiCreateEnclaveRegions

;  S U B	R O U T	I N E 


sub_AE27E3	proc near		; CODE XREF: MiSectionInitialization+171j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AB97BB
sub_AE27E3	endp

; 
; START	OF FUNCTION CHUNK FOR MiInitializeTbFlushing

loc_AE27EF:				; CODE XREF: MiInitializeTbFlushing+29j
					; MiInitializeTbFlushing+2904Dj
		cmp	esi, edi
		jz	loc_AB97EF
		or	dword_6D0748, 0FFFFFFFFh
		mov	ecx, edi
		mov	esi, edi
		call	MiInitializeTbFlush
		cmp	dword_6D0748, edi
		jz	short loc_AE27EF
		jmp	loc_AB97EF
; END OF FUNCTION CHUNK	FOR MiInitializeTbFlushing
; 
; START	OF FUNCTION CHUNK FOR MiInitializeTbFlush

loc_AE2814:				; CODE XREF: MiInitializeTbFlush+BDj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_AE2858
		xor	ecx, ecx
		mov	eax, ebx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		mov	[ebp+var_AC], ecx
		jnz	loc_AB98BD
		and	eax, ecx
		jmp	short loc_AE283C
; 

loc_AE2839:				; CODE XREF: MiInitializeTbFlush+2907Ej
		and	eax, 1

loc_AE283C:				; CODE XREF: MiInitializeTbFlush+2903Fj
		or	eax, 0
		mov	eax, ebx
		jz	loc_AB98BD
		mov	edx, [ebp+var_A4]
		or	edx, 80000000h
		jmp	loc_AB98BD
; 

loc_AE2858:				; CODE XREF: MiInitializeTbFlush+29023j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		mov	eax, ebx
		jz	loc_AB98BD
		jmp	short loc_AE2839
; 

loc_AE2878:				; CODE XREF: MiInitializeTbFlush+D2j
		push	edx
		push	eax
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_AB98D0
; END OF FUNCTION CHUNK	FOR MiInitializeTbFlush
; 
; START	OF FUNCTION CHUNK FOR KeGetTbSize

loc_AE2886:				; CODE XREF: KeGetTbSize+60j
		mov	eax, 80000000h
		lea	edi, [ebp+var_4C]
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	eax, 80000006h
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		cmp	[ebp+var_4C], eax
		jb	loc_AB9C71
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		mov	[edi], eax
		mov	[edi+4], esi
		mov	[edi+8], ecx
		mov	[edi+0Ch], edx
		mov	eax, [ebp+var_48]
		shr	eax, 10h
		and	eax, 0FFFh
		jmp	loc_AB9C77
; 

loc_AE28D4:				; CODE XREF: KeGetTbSize+110j
					; KeGetTbSize+28D83j
		xor	eax, eax

loc_AE28D6:				; CODE XREF: KeGetTbSize+28D7Bj
		mov	edx, [ebp+eax*4+var_14]
		test	edx, edx
		js	short loc_AE28EF
		shr	edx, cl
		cmp	dl, 0FEh
		jnz	short loc_AE28EF
		call	_KiGetTbLeafInfo@0 ; KiGetTbLeafInfo()
		jmp	loc_AB9C77
; 

loc_AE28EF:				; CODE XREF: KeGetTbSize+28D64j
					; KeGetTbSize+28D6Bj
		inc	eax
		cmp	eax, 4
		jb	short loc_AE28D6
		add	ecx, 8
		cmp	ecx, 20h
		jb	short loc_AE28D4
		jmp	loc_AB9C3D
; END OF FUNCTION CHUNK	FOR KeGetTbSize
; 
; START	OF FUNCTION CHUNK FOR MiBuildImportsForBootDrivers

loc_AE2902:				; CODE XREF: MiBuildImportsForBootDrivers+1BAj
					; MiBuildImportsForBootDrivers+1EEj ...
		mov	[ebp+var_18], 1
		jmp	loc_ABA12B
; 

loc_AE290E:				; CODE XREF: MiBuildImportsForBootDrivers+285j
		mov	esi, _PsLoadedModuleList
		mov	ebx, offset _PsLoadedModuleList
		jmp	short loc_AE293F
; 

loc_AE291B:				; CODE XREF: MiBuildImportsForBootDrivers+28A7Fj
		mov	eax, [esi+4Ch]
		cmp	eax, ecx
		jz	short loc_AE2936
		cmp	eax, 0FFFFFFFEh
		jz	short loc_AE2936
		test	al, 1
		jnz	short loc_AE2936
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ecx, ecx
		inc	ecx

loc_AE2936:				; CODE XREF: MiBuildImportsForBootDrivers+28A5Ej
					; MiBuildImportsForBootDrivers+28A63j ...
		mov	[esi+4Ch], ecx
		mov	[esi+38h], cx
		mov	esi, [esi]

loc_AE293F:				; CODE XREF: MiBuildImportsForBootDrivers+28A57j
		cmp	esi, ebx
		jnz	short loc_AE291B

loc_AE2943:				; CODE XREF: MiBuildImportsForBootDrivers+9Aj
		mov	eax, 0C000009Ah
		jmp	loc_ABA14F
; 

loc_AE294D:				; CODE XREF: MiBuildImportsForBootDrivers+1Fj
					; MiBuildImportsForBootDrivers+6Aj ...
		mov	eax, 0C0000225h
		jmp	loc_ABA14F
; END OF FUNCTION CHUNK	FOR MiBuildImportsForBootDrivers
; 
; START	OF FUNCTION CHUNK FOR PipInitComputerIds

loc_AE2957:				; CODE XREF: PipInitComputerIds+190j
					; PipInitComputerIds+1A0j
		mov	esi, 0C00000BBh
		jmp	loc_ABAE90
; 

loc_AE2961:				; CODE XREF: PipInitComputerIds+1C1j
		mov	esi, 0C000009Ah
		jmp	loc_ABAE90
; 

loc_AE296B:				; CODE XREF: PipInitComputerIds+219j
		xor	eax, eax
		mov	[ebp+var_17C], eax
		jmp	loc_ABA3FD
; 

loc_AE2978:				; CODE XREF: PipInitComputerIds+25Cj
		test	esi, esi
		js	loc_ABAE90
		jmp	loc_ABA440
; 

loc_AE2985:				; CODE XREF: PipInitComputerIds+29Fj
		xor	eax, eax
		mov	[ebp+var_17C], eax
		jmp	loc_ABA483
; 

loc_AE2992:				; CODE XREF: PipInitComputerIds+2E2j
		xor	eax, eax
		mov	[ebp+var_17C], eax
		jmp	loc_ABA4C6
; 

loc_AE299F:				; CODE XREF: PipInitComputerIds+325j
		xor	eax, eax
		mov	[ebp+var_17C], eax
		jmp	loc_ABA509
; 

loc_AE29AC:				; CODE XREF: PipInitComputerIds+387j
		xor	eax, eax
		mov	[ebp+var_17C], eax
		jmp	loc_ABA56B
; 

loc_AE29B9:				; CODE XREF: PipInitComputerIds+3CCj
		xor	eax, eax
		mov	[ebp+var_17C], eax
		jmp	loc_ABA5B0
; 

loc_AE29C6:				; CODE XREF: PipInitComputerIds+42Ej
		xor	eax, eax
		mov	[ebp+var_17C], eax
		jmp	loc_ABA612
; 

loc_AE29D3:				; CODE XREF: PipInitComputerIds+473j
		xor	eax, eax
		mov	[ebp+var_17C], eax
		jmp	loc_ABA657
; 

loc_AE29E0:				; CODE XREF: PipInitComputerIds+4B6j
		xor	eax, eax
		mov	[ebp+var_17C], eax
		jmp	loc_ABA69A
; 

loc_AE29ED:				; CODE XREF: PipInitComputerIds+500j
					; PipInitComputerIds+511j
		mov	eax, dword ptr [ebp+var_1A8]
		jmp	loc_ABA6FA
; 

loc_AE29F8:				; CODE XREF: PipInitComputerIds+57Fj
		push	edi
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [ebp+var_1A4]
		xor	ecx, ecx
		jmp	loc_ABA75B
; 

loc_AE2A0B:				; CODE XREF: PipInitComputerIds+A06j
		cmp	[ebp+var_4C], 0
		jz	short loc_AE2A5E
		cmp	[ebp+var_54], 0
		jz	short loc_AE2A5E
		mov	edx, [ebp+var_184]
		lea	eax, [ebp+var_88]
		mov	[ebp+var_38], eax
		lea	ecx, [ebp+var_178]
		lea	eax, [ebp+var_80]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_58]
		mov	[ebp+var_30], eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_2C], eax
		mov	eax, ebx
		shl	eax, 4
		add	eax, ecx
		mov	ecx, edi
		push	eax
		push	4
		lea	eax, [ebp+var_38]
		push	eax
		call	PipCreateComputerId
		mov	esi, eax
		inc	ebx
		test	esi, esi
		js	loc_ABAE1C

loc_AE2A5E:				; CODE XREF: PipInitComputerIds+28839j
					; PipInitComputerIds+2883Fj
		mov	edx, [ebp+var_184]
		lea	eax, [ebp+var_88]
		mov	[ebp+var_38], eax
		lea	ecx, [ebp+var_178]
		lea	eax, [ebp+var_80]
		mov	[ebp+var_34], eax
		mov	eax, ebx
		shl	eax, 4
		add	eax, ecx
		mov	ecx, edi
		push	eax
		push	2
		lea	eax, [ebp+var_38]
		push	eax
		call	PipCreateComputerId
		mov	esi, eax
		inc	ebx
		test	esi, esi
		js	loc_ABAE1C
		mov	eax, [ebp+var_84]
		jmp	loc_ABABE2
; 

loc_AE2AA4:				; CODE XREF: PipInitComputerIds+B31j
		mov	esi, 0C000009Ah
		jmp	loc_ABAE1C
; END OF FUNCTION CHUNK	FOR PipInitComputerIds
; 
; START	OF FUNCTION CHUNK FOR PipCreateComputerId

loc_AE2AAE:				; CODE XREF: PipCreateComputerId+B7j
		mov	esi, 0C000009Ah
		jmp	loc_ABB075
; 

loc_AE2AB8:				; CODE XREF: PipCreateComputerId+4Fj
					; PipCreateComputerId+88j
		mov	esi, 0C000000Dh
		jmp	loc_ABB075
; END OF FUNCTION CHUNK	FOR PipCreateComputerId
; 
; START	OF FUNCTION CHUNK FOR PipSmBiosGetString

loc_AE2AC2:				; CODE XREF: PipSmBiosGetString+57j
		xor	edx, edx
		jmp	loc_ABB0EA
; 

loc_AE2AC9:				; CODE XREF: PipSmBiosGetString+BCj
		inc	edi
		add	si, bx
		mov	word ptr [ebp+var_8], si
		mov	al, [edi]
		test	al, al
		jnz	loc_ABB132
		jmp	loc_ABB14A
; 

loc_AE2AE0:				; CODE XREF: PipSmBiosGetString+E1j
		add	si, bx
		mov	word ptr [ebp+var_8], si
		jnz	loc_ABB152
		jmp	loc_ABB16F
; END OF FUNCTION CHUNK	FOR PipSmBiosGetString
; 
; START	OF FUNCTION CHUNK FOR PipCheckSystemFirmwareUpdated

loc_AE2AF2:				; CODE XREF: PipCheckSystemFirmwareUpdated+91j
					; PipCheckSystemFirmwareUpdated+A1j ...
		push	24h
		pop	eax
		push	22h
		mov	word ptr [ebp+var_1C+2], ax
		pop	eax
		mov	word ptr [ebp+var_1C], ax
		mov	[ebp+var_18], (offset loc_ADD319+1)
		push	dword ptr [esi+0Ch]
		mov	eax, [esi+8]
		add	eax, esi
		push	eax
		push	dword ptr [esi+4]
		lea	eax, [ebp+var_1C]
		push	0
		push	eax
		push	ebx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_ABB2CE
		mov	eax, [ebp+var_14]
		mov	byte ptr [eax],	1
		jmp	loc_ABB2CE
; END OF FUNCTION CHUNK	FOR PipCheckSystemFirmwareUpdated
; 
; START	OF FUNCTION CHUNK FOR IopMarkBootPartition

loc_AE2B32:				; CODE XREF: IopMarkBootPartition+147j
		mov	ecx, [esi+4]
		mov	eax, [ecx+20h]
		test	al, 1
		jz	short loc_AE2B46
		or	_InitWinPEModeType, 200h

loc_AE2B46:				; CODE XREF: IopMarkBootPartition+27830j
		test	al, 2
		jz	loc_ABB457
		or	_InitWinPEModeType, edx
		jmp	loc_ABB457
; END OF FUNCTION CHUNK	FOR IopMarkBootPartition
; 
; START	OF FUNCTION CHUNK FOR IopStoreSystemPartitionInformation

loc_AE2B59:				; CODE XREF: IopStoreSystemPartitionInformation+72j
		mov	word ptr [ebp+var_238],	cx
		jmp	loc_ABB54C
; 

loc_AE2B65:				; CODE XREF: IopStoreSystemPartitionInformation+1CCj
		push	74h
		pop	esi
		jmp	loc_ABB742
; 

loc_AE2B6D:				; CODE XREF: IopStoreSystemPartitionInformation+2DEj
		mov	esi, [edi+4]
		cmp	word ptr [ecx+esi-2], 5Ch
		jnz	loc_ABB7B8
		lea	eax, [ecx-2]
		xor	ecx, ecx
		mov	[edi], ax
		movzx	eax, ax
		mov	[eax+esi], cx
		movzx	edx, word ptr [edi]
		jmp	loc_ABB7B8
; END OF FUNCTION CHUNK	FOR IopStoreSystemPartitionInformation

;  S U B	R O U T	I N E 


sub_AE2B93	proc near		; CODE XREF: IopAssignBootDriveLetter+A1j

arg_1C		= dword	ptr  30h
arg_24		= dword	ptr  38h

		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+arg_24]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp-10h+arg_1C]
		jmp	loc_ABB9AB
sub_AE2B93	endp

; 
; START	OF FUNCTION CHUNK FOR IopCreateArcNamesDisk

loc_AE2BAA:				; CODE XREF: IopCreateArcNamesDisk+77j
		mov	cl, 1
		mov	[ebp+var_89], cl
		jmp	loc_ABBA47
; 

loc_AE2BB7:				; CODE XREF: IopCreateArcNamesDisk+91j
		mov	ebx, eax
		jmp	loc_ABBA5B
; 

loc_AE2BBE:				; CODE XREF: IopCreateArcNamesDisk+99j
		test	eax, eax
		jnz	loc_ABBA63
		add	ebx, 14h
		jmp	loc_ABBA63
; 

loc_AE2BCE:				; CODE XREF: IopCreateArcNamesDisk+F5j
		xor	eax, eax
		cmp	[esi], ax
		jnz	loc_ABBABF
		lea	ebx, [edi+14h]
		jmp	loc_ABBABF
; 

loc_AE2BE1:				; CODE XREF: IopCreateArcNamesDisk+ADj
					; IopCreateArcNamesDisk+B6j
		push	edi		; char
		push	offset ??_C@_1DM@FMJIKGBL@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@PBOPGDP@ ; "\\Device\\Harddisk%d\\Partition0"
		lea	eax, [ebp+var_88]
		mov	[ebp+var_90], edi
		push	40h		; int
		push	eax		; wchar_t *
		call	RtlStringCchPrintfW
		add	esp, 10h
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_A4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		jmp	loc_ABBABF
; END OF FUNCTION CHUNK	FOR IopCreateArcNamesDisk
; 
; START	OF FUNCTION CHUNK FOR IopCreateArcNamesCd

loc_AE2C16:				; CODE XREF: IopCreateArcNamesCd+AAj
		mov	[esp+190h+var_17D], 1
		jmp	loc_ABBBE0
; 

loc_AE2C20:				; CODE XREF: IopCreateArcNamesCd+11Ej
		mov	edx, 800h
		mov	ecx, 204h
		call	IopVerifierExAllocatePool
		mov	esi, eax
		test	esi, esi
		jz	loc_ABBC54
		mov	eax, [esp+190h+var_16C]
		cmp	eax, ebx
		jbe	short loc_AE2C47
		mov	ebx, eax
		mov	[esp+190h+var_17C], eax

loc_AE2C47:				; CODE XREF: IopCreateArcNamesCd+2710Fj
		xor	edx, edx
		mov	ecx, edx
		mov	[esp+190h+var_158], ecx
		cmp	[esp+190h+var_17D], cl
		jz	short loc_AE2C60
		test	eax, eax
		jnz	short loc_AE2C60
		add	ebx, 5
		mov	[esp+190h+var_17C], ebx

loc_AE2C60:				; CODE XREF: IopCreateArcNamesCd+27123j
					; IopCreateArcNamesCd+27127j
		mov	[esp+190h+var_168], edx
		test	ebx, ebx
		jz	loc_AE2F8E

loc_AE2C6C:				; CODE XREF: IopCreateArcNamesCd+27398j
		xor	ebx, ebx
		test	edi, edi
		jz	loc_AE2DA1
		cmp	[edi], bx
		jz	loc_AE2DA1
		push	edi
		lea	eax, [esp+194h+var_178]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, edi
		lea	edx, [ecx+2]

loc_AE2C8F:				; CODE XREF: IopCreateArcNamesCd+27168j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_AE2C8F
		sub	ecx, edx
		lea	eax, [esp+190h+var_170]
		push	eax
		sar	ecx, 1
		lea	eax, [esp+194h+var_164]
		push	eax
		push	80h
		lea	eax, [esp+19Ch+var_178]
		lea	edi, [edi+ecx*2]
		add	edi, 2
		push	eax
		mov	[esp+1A0h+var_15C], edi
		call	IoGetDeviceObjectPointer
		mov	edi, eax
		test	edi, edi
		js	loc_AE2EED
		push	dword ptr [ebp+4] ; int
		lea	eax, [esp+194h+var_148]
		push	eax		; int
		lea	eax, [esp+198h+var_130]
		push	eax		; int
		push	ebx		; int
		push	0Ch		; int
		lea	eax, [esp+1A4h+var_114]
		push	eax		; int
		push	ebx		; size_t
		push	ebx		; void *
		mov	ebx, [esp+1B0h+var_170]
		push	ebx		; int
		push	2D1080h		; int
		call	IopBuildDeviceIoControlRequest
		mov	edi, eax
		test	edi, edi
		jz	loc_AE2EE1
		xor	eax, eax
		push	eax
		push	eax
		lea	eax, [esp+198h+var_130]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edx, edi
		mov	ecx, ebx
		call	IofCallDriver
		mov	edi, eax
		cmp	edi, 103h
		jnz	short loc_AE2D33
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+1A0h+var_130]
		push	eax
		call	KeWaitForSingleObject
		mov	edi, [esp+190h+var_148]

loc_AE2D33:				; CODE XREF: IopCreateArcNamesCd+271EDj
		test	edi, edi
		js	short loc_AE2D85
		push	dword ptr [esp+190h+var_110] ; char
		lea	eax, [esp+194h+var_108]
		push	offset ??_C@_0BA@IFCGMJBN@?2Device?2CdRom?$CFd@PBOPGDP@	; char *
		push	80h		; int
		push	eax		; char *
		call	RtlStringCchPrintfA
		add	esp, 10h
		lea	eax, [esp+190h+var_108]
		push	eax
		lea	eax, [esp+194h+var_150]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [esp+194h+var_150]
		push	eax
		lea	eax, [esp+198h+var_178]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	edi, eax
		test	edi, edi
		jns	loc_AE2E10

loc_AE2D85:				; CODE XREF: IopCreateArcNamesCd+27205j
		cmp	[esp+190h+var_184], 0
		jz	loc_AE2EDC
		xor	eax, eax
		push	eax
		push	[esp+194h+var_184]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AE2EDC
; 

loc_AE2DA1:				; CODE XREF: IopCreateArcNamesCd+27140j
					; IopCreateArcNamesCd+27149j
		push	ecx		; char
		push	offset ??_C@_0BA@IFCGMJBN@?2Device?2CdRom?$CFd@PBOPGDP@	; char *
		lea	eax, [esp+198h+var_108]
		push	80h		; int
		push	eax		; char *
		call	RtlStringCchPrintfA
		add	esp, 10h
		lea	eax, [esp+190h+var_108]
		inc	[esp+190h+var_158]
		push	eax
		lea	eax, [esp+194h+var_150]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [esp+194h+var_150]
		push	eax
		lea	eax, [esp+198h+var_178]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	loc_AE2FB4
		lea	eax, [esp+190h+var_170]
		push	eax
		lea	eax, [esp+194h+var_164]
		push	eax
		push	80h
		lea	eax, [esp+19Ch+var_178]
		push	eax
		call	IoGetDeviceObjectPointer
		test	eax, eax
		js	loc_AE2F84
		mov	ebx, [esp+190h+var_170]

loc_AE2E10:				; CODE XREF: IopCreateArcNamesCd+2724Fj
		xor	eax, eax
		mov	[esp+190h+var_120], 8000h
		mov	[esp+190h+var_11C], eax
		lea	eax, [esp+190h+var_148]
		push	eax
		lea	eax, [esp+194h+var_130]
		push	eax
		lea	eax, [esp+198h+var_120]
		push	eax
		push	800h
		push	esi
		push	ebx
		push	3
		call	_IoBuildSynchronousFsdRequest@28 ; IoBuildSynchronousFsdRequest(x,x,x,x,x,x,x)
		xor	ecx, ecx
		mov	[esp+190h+var_16C], eax
		mov	edi, ecx
		test	eax, eax
		jz	short loc_AE2E8A
		push	ecx
		push	ecx
		lea	eax, [esp+198h+var_130]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	edx, [esp+190h+var_16C]
		mov	ecx, ebx
		call	IofCallDriver
		xor	ebx, ebx
		cmp	eax, 103h
		jnz	short loc_AE2E79
		push	ebx
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [esp+1A0h+var_130]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+190h+var_148]

loc_AE2E79:				; CODE XREF: IopCreateArcNamesCd+27335j
		test	eax, eax
		js	short loc_AE2E8A
		mov	eax, ebx

loc_AE2E7F:				; CODE XREF: IopCreateArcNamesCd+27358j
		add	edi, [esi+eax*4]
		inc	eax
		cmp	eax, 200h
		jb	short loc_AE2E7F

loc_AE2E8A:				; CODE XREF: IopCreateArcNamesCd+27315j
					; IopCreateArcNamesCd+2734Bj
		mov	ecx, [esp+190h+var_164]
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		mov	ecx, [esp+190h+var_160]
		mov	eax, [ecx+10h]
		add	eax, edi
		jz	short loc_AE2F21
		lea	eax, [esp+190h+var_178]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	eax, [esp+190h+var_168]
		inc	eax
		mov	[esp+190h+var_168], eax
		cmp	eax, [esp+190h+var_17C]
		jnb	loc_AE2F8E
		mov	edi, [esp+190h+var_15C]
		mov	ecx, [esp+190h+var_158]
		jmp	loc_AE2C6C
; END OF FUNCTION CHUNK	FOR IopCreateArcNamesCd

;  S U B	R O U T	I N E 


sub_AE2ECD	proc near		; CODE XREF: IopCreateArcNamesCd+2748Fj
		push	ebx
sub_AE2ECD	endp

; START	OF FUNCTION CHUNK FOR IopCreateArcNamesCd

loc_AE2ECE:				; CODE XREF: IopCreateArcNamesCd+273BBj
		push	[esp+194h+var_184]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE2ED7:				; CODE XREF: IopCreateArcNamesCd+273B6j
					; IopCreateArcNamesCd+27489j
		mov	edi, 0C000009Ah

loc_AE2EDC:				; CODE XREF: IopCreateArcNamesCd+2725Aj
					; IopCreateArcNamesCd+2726Cj
		xor	eax, eax
		push	eax
		jmp	short loc_AE2EFE
; 

loc_AE2EE1:				; CODE XREF: IopCreateArcNamesCd+271C8j
		cmp	[esp+190h+var_184], 0
		jz	short loc_AE2ED7
		xor	eax, eax
		push	eax
		jmp	short loc_AE2ECE
; 

loc_AE2EED:				; CODE XREF: IopCreateArcNamesCd+27195j
		cmp	[esp+190h+var_184], ebx
		jz	short loc_AE2EFD
		push	ebx
		push	[esp+194h+var_184]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE2EFD:				; CODE XREF: IopCreateArcNamesCd+273C1j
		push	ebx

loc_AE2EFE:				; CODE XREF: IopCreateArcNamesCd+273AFj
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_AE2F1A
; END OF FUNCTION CHUNK	FOR IopCreateArcNamesCd

;  S U B	R O U T	I N E 


sub_AE2F06	proc near		; CODE XREF: IopCreateArcNamesCd+2747Fj

arg_8		= dword	ptr  10h

		push	ebx
		push	[esp+arg_8]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
sub_AE2F06	endp

; START	OF FUNCTION CHUNK FOR IopCreateArcNamesCd

loc_AE2F10:				; CODE XREF: IopCreateArcNamesCd+27479j
		lea	eax, [esp+190h+var_178]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_AE2F1A:				; CODE XREF: IopCreateArcNamesCd+273D4j
		mov	eax, edi
		jmp	loc_ABBC69
; 

loc_AE2F21:				; CODE XREF: IopCreateArcNamesCd+27371j
		mov	eax, [esp+190h+var_154]
		push	dword ptr [eax+68h] ; char
		lea	eax, [esp+194h+var_88]
		push	offset ??_C@_0M@HCOOGNOF@?2ArcName?2?$CFs@PBOPGDP@ ; char *
		push	80h		; int
		push	eax		; char *
		call	RtlStringCchPrintfA
		add	esp, 10h
		lea	eax, [esp+190h+var_88]
		push	eax
		lea	eax, [esp+194h+var_138]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [esp+194h+var_138]
		push	eax
		lea	eax, [esp+198h+var_140]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	edi, eax
		test	edi, edi
		js	short loc_AE2F9C
		lea	eax, [esp+190h+var_178]
		push	eax
		lea	eax, [esp+194h+var_140]
		push	eax
		call	_IoCreateSymbolicLink@8	; IoCreateSymbolicLink(x,x)
		lea	eax, [esp+190h+var_140]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_AE2F84:				; CODE XREF: IopCreateArcNamesCd+272D6j
		lea	eax, [esp+190h+var_178]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_AE2F8E:				; CODE XREF: IopCreateArcNamesCd+27136j
					; IopCreateArcNamesCd+2738Aj
		xor	ebx, ebx
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ABBC56
; 

loc_AE2F9C:				; CODE XREF: IopCreateArcNamesCd+27439j
		xor	ebx, ebx
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[esp+190h+var_184], ebx
		jz	loc_AE2F10
		jmp	sub_AE2F06
; 

loc_AE2FB4:				; CODE XREF: IopCreateArcNamesCd+272B5j
		cmp	[esp+190h+var_184], 0
		jz	loc_AE2ED7
		jmp	sub_AE2ECD
; END OF FUNCTION CHUNK	FOR IopCreateArcNamesCd
; 
; START	OF FUNCTION CHUNK FOR IopFetchConfigurationInformation

loc_AE2FC4:				; CODE XREF: IopFetchConfigurationInformation+3Ej
		test	edi, edi
		jz	loc_ABBD36
		xor	eax, eax
		mov	[edi], ax
		jmp	loc_ABBD36
; END OF FUNCTION CHUNK	FOR IopFetchConfigurationInformation
; 
; START	OF FUNCTION CHUNK FOR ExInitializeTimeRefresh

loc_AE2FD6:				; CODE XREF: ExInitializeTimeRefresh+27j
		mov	ds:_ExpNtExpirationDate, ebx
		mov	ds:dword_A94E64, ebx
		jmp	loc_ABBD6B
; END OF FUNCTION CHUNK	FOR ExInitializeTimeRefresh
; 
; START	OF FUNCTION CHUNK FOR PopCheckShutdownMarker

loc_AE2FE7:				; CODE XREF: PopCheckShutdownMarker+8Ej
		cmp	dword_6B23F8, 5
		jbe	loc_ABBF70
		push	2000h
		xor	edi, edi
		mov	ecx, offset dword_6B23F8
		push	edi
		call	__tlgKeywordOn@12 ; _tlgKeywordOn(x,x,x)
		test	al, al
		jz	loc_ABBF70
		mov	edx, dword_6D6F0C
		xor	ecx, ecx
		movzx	eax, dx
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_F8]
		mov	[ebp+var_B8], eax
		lea	eax, [ebp+var_FC]
		mov	[ebp+var_A8], eax
		mov	[ebp+var_C4], ecx
		mov	[ebp+var_BC], ecx
		mov	[ebp+var_B4], ecx
		mov	[ebp+var_AC], ecx
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_9C], ecx
		mov	[ebp+var_94], ecx
		mov	[ebp+var_8C], ecx
		mov	ecx, dword_6D6F1C
		movzx	eax, cx
		mov	[ebp+var_100], eax
		lea	eax, [ebp+var_100]
		mov	[ebp+var_88], eax
		lea	eax, [ebp+var_104]
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_108]
		mov	[ebp+var_68], eax
		mov	eax, edx
		shr	eax, 10h
		movzx	eax, al
		shr	ecx, 10h
		mov	[ebp+var_10C], eax
		lea	eax, [ebp+var_10C]
		mov	[ebp+var_108], ecx
		xor	ecx, ecx
		mov	[ebp+var_58], eax
		shr	edx, 18h
		mov	al, dl
		mov	[ebp+var_64], ecx
		mov	[ebp+var_5C], ecx
		mov	[ebp+var_54], ecx
		mov	[ebp+var_4C], ecx
		inc	ecx
		and	al, cl
		mov	[ebp+var_FC], esi
		push	8
		pop	edi
		mov	[ebp+var_F2], al
		lea	eax, [ebp+var_F2]
		push	4
		mov	[ebp+var_48], eax
		lea	eax, [ebp-0F3h]
		mov	[ebp+var_104], esi
		pop	esi
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_E8]
		push	eax
		mov	[ebp+var_C0], edi
		mov	[ebp+var_90], edi
		xor	edi, edi
		shr	dl, 1
		and	dl, cl
		mov	[ebp+var_C8], offset _PopBsdPhysicalPowerButtonInfoAtBoot
		push	0Ch
		mov	[ebp+var_B0], 4
		mov	[ebp+var_A0], 4
		mov	[ebp+var_98], offset unk_6D6F10
		mov	[ebp+var_84], edi
		mov	[ebp+var_80], 4
		mov	[ebp+var_7C], edi
		mov	[ebp+var_74], edi
		mov	[ebp+var_70], esi
		mov	[ebp+var_6C], edi
		mov	[ebp+var_60], esi
		mov	[ebp+var_50], esi
		mov	[ebp+var_44], edi
		mov	[ebp+var_40], ecx
		mov	[ebp+var_3C], edi
		mov	[ebp+var_F3], dl
		mov	[ebp+var_34], edi
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], edi
		push	edi
		push	edi
		push	offset loc_41D5E5
		push	offset dword_6B23F8
		call	__tlgWriteTransfer_EtwWriteTransfer@24 ; _tlgWriteTransfer_EtwWriteTransfer(x,x,x,x,x,x)
		jmp	loc_ABBF70
; 

loc_AE3184:				; CODE XREF: PopCheckShutdownMarker+B9j
		and	byte_6D6F88, 0FEh
		jmp	loc_ABBF9B
; 

loc_AE3190:				; CODE XREF: PopCheckShutdownMarker+CCj
		or	byte_6D6F88, cl
		jmp	loc_ABBFAE
; 

loc_AE319B:				; CODE XREF: PopCheckShutdownMarker+E8j
		test	byte ptr dword_6D6F0C+3, 4
		jz	loc_ABBFCA
		or	al, 20h
		mov	byte ptr dword_6D6F8C+2, al
		mov	eax, _PopBsdPhysicalPowerButtonInfoAtBoot
		mov	_PopBsdPowerTransitionAtBoot, eax
		mov	eax, dword_6D6F04
		mov	dword_6D6F84, eax
		jmp	loc_ABBFCA
; 

loc_AE31C8:				; CODE XREF: PopCheckShutdownMarker+149j
		mov	al, byte_6D6F88
		and	al, 0Fh
		or	al, 50h
		mov	byte_6D6F88, al
		xor	eax, eax
		inc	eax
		mov	word ptr dword_6D6F8C, ax
		jmp	loc_ABC02E
; 

loc_AE31E4:				; CODE XREF: PopCheckShutdownMarker+158j
		or	byte_6D6F88, 2
		xor	edi, edi
		mov	dword_6D6F78, eax
		mov	dword_6D6F7C, edi
		jmp	loc_ABC03C
; 

loc_AE31FD:				; CODE XREF: PopCheckShutdownMarker+166j
		push	edi
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_114]
		push	eax
		lea	eax, [ebp-0F1h]
		push	eax
		push	offset _SYSTEM_SLEEP_ETW_CHECKPOINT_GUID
		push	offset _PopCheckpointSystemSleepVariable
		call	ExGetFirmwareEnvironmentVariable
		test	eax, eax
		js	short loc_AE3259
		mov	al, [ebp+var_F1]
		movzx	esi, al
		mov	byte_6D6F62, al
		mov	ecx, esi
		mov	al, byte_6D6F61
		and	al, 0F7h
		or	al, 4
		mov	byte_6D6F61, al
		call	_PopRecordSleepCheckpoint@4 ; PopRecordSleepCheckpoint(x)
		xor	ecx, ecx
		inc	ecx
		call	_PopRecordSleepCheckpointSource@4 ; PopRecordSleepCheckpointSource(x)
		mov	cl, 1
		call	PopClearSystemSleepCheckpoint
		jmp	short loc_AE3276
; 

loc_AE3259:				; CODE XREF: PopCheckShutdownMarker+27347j
		mov	al, byte_6D6F61
		movzx	esi, byte_6D6F62
		and	al, 0FBh
		push	2
		or	al, 8
		pop	ecx
		mov	byte_6D6F61, al
		call	_PopRecordSleepCheckpointSource@4 ; PopRecordSleepCheckpointSource(x)

loc_AE3276:				; CODE XREF: PopCheckShutdownMarker+2737Bj
		mov	cl, byte ptr dword_6D6F8C+2
		mov	al, cl
		movzx	edx, byte_6D6F88
		shr	al, 5
		and	al, 1
		shr	edx, 4
		movzx	eax, al
		push	eax
		movzx	eax, cl
		and	eax, 0Fh
		push	eax
		mov	al, byte_6D6F88
		push	esi
		push	ecx
		push	dword_6D6F84
		shr	al, 1
		mov	ecx, ebx
		push	_PopBsdPowerTransitionAtBoot
		and	al, 1
		push	dword_6D4C9C
		movzx	eax, al
		push	dword_6D4C98
		push	eax
		movzx	eax, word ptr dword_6D6F8C
		push	eax
		call	_PopDiagTraceDirtyTransition@48	; PopDiagTraceDirtyTransition(x,x,x,x,x,x,x,x,x,x,x,x)
		jmp	loc_ABC048
; END OF FUNCTION CHUNK	FOR PopCheckShutdownMarker
; 
; START	OF FUNCTION CHUNK FOR PopCheckAndClearBootError

loc_AE32D3:				; CODE XREF: PopCheckAndClearBootError+34j
		lea	ecx, [ebp+var_18]
		call	_PopTraceBootError@4 ; PopTraceBootError(x)
		xor	eax, eax
		lea	edi, [ebp+var_18]
		stosd
		push	0
		push	14h
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax
		push	0Dh
		call	_RtlSetSystemBootStatus@16 ; RtlSetSystemBootStatus(x,x,x,x)
		jmp	loc_ABC092
; END OF FUNCTION CHUNK	FOR PopCheckAndClearBootError
; 
; START	OF FUNCTION CHUNK FOR EmInitSystem

loc_AE32F9:				; CODE XREF: EmInitSystem+108j
		cmp	esi, 80000005h
		jz	loc_ABC1AE
		test	esi, esi
		jnz	loc_ABC23F
		jmp	short loc_AE331A
; 

loc_AE330F:				; CODE XREF: EmInitSystem+2739Fj
		push	[ebp+var_124]
		call	_ZwClose@4	; ZwClose(x)

loc_AE331A:				; CODE XREF: EmInitSystem+2726Dj
		mov	esi, 0C0000001h
		jmp	loc_ABC23F
; 

loc_AE3324:				; CODE XREF: EmInitSystem+273C6j
		push	[ebp+var_124]
		call	_ZwClose@4	; ZwClose(x)

loc_AE332F:				; CODE XREF: EmInitSystem+124j
					; EmInitSystem+168j
		mov	esi, 0C000009Ah
		jmp	loc_ABC23F
; 

loc_AE3339:				; CODE XREF: EmInitSystem+195j
		test	esi, esi
		js	loc_ABC23F
		lea	eax, [ebp+var_108]
		mov	[ebp+var_140], 1000000h
		mov	[ebp+var_13C], eax
		lea	eax, [ebp+var_138]
		push	offset ??_C@_1CC@IBEIBDLA@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAi?$AAn?$AAf@PBOPGDP@
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_138]
		push	eax
		lea	eax, [ebp+var_140]
		push	eax
		call	_RtlAppendStringToString@8 ; RtlAppendStringToString(x,x)
		mov	eax, [edi+8]
		mov	byte ptr [eax+edi+0Ch],	0
		lea	eax, [edi+0Ch]
		push	eax
		lea	eax, [ebp+var_138]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_138]
		push	eax
		lea	eax, [ebp+var_140]
		push	eax
		call	_RtlAppendStringToString@8 ; RtlAppendStringToString(x,x)
		xor	ecx, ecx
		mov	[ebp+var_164], 18h
		push	ecx
		push	ecx
		push	20h
		push	1
		push	1
		push	80h
		lea	eax, [ebp+var_140]
		mov	[ebp+var_160], ecx
		mov	[ebp+var_15C], eax
		lea	eax, [ebp+var_14C]
		push	ecx
		push	eax
		lea	eax, [ebp+var_164]
		mov	[ebp+var_158], 240h
		push	eax
		push	120089h
		lea	eax, [ebp+var_124]
		mov	[ebp+var_154], ecx
		push	eax
		mov	[ebp+var_150], ecx
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_ABC23F
		push	5
		push	18h
		lea	eax, [ebp+var_120]
		push	eax
		lea	eax, [ebp+var_14C]
		push	eax
		push	[ebp+var_124]
		call	_ZwQueryInformationFile@20 ; ZwQueryInformationFile(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE34E7
		cmp	[ebp+var_114], 0
		jnz	loc_AE330F
		mov	esi, [ebp+var_118]
		push	74694D45h
		push	esi
		push	1
		mov	[ebp+var_168], esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_130], eax
		test	eax, eax
		jz	loc_AE3324
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	esi
		push	eax
		lea	eax, [ebp+var_14C]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_124]
		call	_ZwReadFile@36	; ZwReadFile(x,x,x,x,x,x,x,x,x)
		push	[ebp+var_124]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_AE34D2
		mov	edx, [ebp+var_168]
		mov	ecx, [ebp+var_130]
		call	EmpParseInfDatabase
		mov	esi, eax
		test	esi, esi
		js	short loc_AE34D2
		mov	eax, [ebp+var_144]
		lea	ecx, [ebp+var_12C]
		push	ecx
		push	[ebp+var_16C]
		inc	eax
		push	edi
		push	2
		mov	[ebp+var_144], eax
		push	eax
		jmp	loc_ABC222
; 

loc_AE34D2:				; CODE XREF: EmInitSystem+273F6j
					; EmInitSystem+2740Dj
		push	74694D45h
		push	[ebp+var_130]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ABC23F
; 

loc_AE34E7:				; CODE XREF: EmInitSystem+27392j
		push	[ebp+var_124]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_ABC23F
; END OF FUNCTION CHUNK	FOR EmInitSystem

;  S U B	R O U T	I N E 


sub_AE34F7	proc near		; DATA XREF: .text:006A71ECo
		xor	eax, eax
		inc	eax
		retn
sub_AE34F7	endp


;  S U B	R O U T	I N E 


sub_AE34FB	proc near		; DATA XREF: .text:006A71F0o
		mov	esp, [ebp-18h]
		xor	bl, bl
		jmp	loc_ABC41A
sub_AE34FB	endp

; 
; START	OF FUNCTION CHUNK FOR EmpMapPhysicalAddress

loc_AE3505:				; CODE XREF: EmpMapPhysicalAddress+9Aj
		mov	ecx, [ebp+arg_8]
		xor	edx, edx
		call	_KiUnstackDetachProcess@8 ; KiUnstackDetachProcess(x,x)
		push	dword ptr [edi]
		call	_ZwClose@4	; ZwClose(x)
		mov	[edi], esi
		jmp	loc_ABC4FF
; END OF FUNCTION CHUNK	FOR EmpMapPhysicalAddress
; 
; START	OF FUNCTION CHUNK FOR EmpParseInfDatabase

loc_AE351D:				; CODE XREF: EmpParseInfDatabase+41j
		mov	[ebp+var_8], 0C0000008h
		jmp	loc_ABC5A8
; 

loc_AE3529:				; CODE XREF: EmpParseInfDatabase+B3j
		test	al, 4
		jnz	loc_ABC5C1
		call	@ExfTryToWakePushLock@4	; ExfTryToWakePushLock(x)
		or	edx, 0FFFFFFFFh
		mov	ecx, offset _EmpParseLock
		jmp	loc_ABC5C1
; 

loc_AE3543:				; CODE XREF: EmpParseInfDatabase+230j
		push	0
		push	[ebp+var_C]
		push	offset _EmpParseLock
		push	esi
		push	162h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE3558:				; CODE XREF: EmpParseInfDatabase+196j
		add	esi, 222h
		lock or	[esi], dl
		mov	esi, [ebp+var_34]
		jmp	loc_ABC6AA
; 

loc_AE3569:				; CODE XREF: EmpParseInfDatabase+1EAj
		push	[ebp+var_34]
		mov	edx, offset _EmpParseLock
		mov	ecx, esi
		call	_EtwTraceAutoBoostClearFloor@12	; EtwTraceAutoBoostClearFloor(x,x,x)
		jmp	loc_ABC6F8
; END OF FUNCTION CHUNK	FOR EmpParseInfDatabase
; 
; START	OF FUNCTION CHUNK FOR IopGetBootDiskInformationLite

loc_AE357D:				; CODE XREF: IopGetBootDiskInformationLite+F9j
		mov	edi, 0C000009Ah
		jmp	loc_ABC9D4
; 

loc_AE3587:				; CODE XREF: IopGetBootDiskInformationLite+178j
		mov	[esp+110h+var_E0], 1
		lea	esi, [ebx+18h]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [esp+110h+var_E4]
		jmp	loc_ABC986
; 

loc_AE359F:				; CODE XREF: IopGetBootDiskInformationLite+1B7j
		lea	eax, [esp+110h+var_EC]
		push	eax		; int
		lea	eax, [esp+17h]
		push	eax		; int
		lea	eax, [esp+118h+var_F4]
		push	eax		; int
		lea	edx, [esp+11Ch+var_B8] ; void *
		call	_VhdiGetDiskParameters@20 ; VhdiGetDiskParameters(x,x,x,x,x)
		mov	[esp+110h+var_FC], eax
		test	eax, eax
		jns	short loc_AE35CA
		xor	edi, edi
		mov	[esp+110h+var_FC], edi
		jmp	loc_ABC9B7
; 

loc_AE35CA:				; CODE XREF: IopGetBootDiskInformationLite+26DC7j
		cmp	[esp+110h+var_FD], 0
		jnz	loc_ABC9B3
		mov	ecx, [esp+110h+var_B8]
		mov	eax, [esp+110h+var_A0]
		mov	[esp+110h+var_E0], ecx
		mov	[esp+110h+var_DC], eax
		mov	[esp+110h+var_C8], 400000h
		sub	ecx, 0
		jz	short loc_AE3605
		sub	ecx, 1
		jnz	short loc_AE3619
		mov	esi, [esp+110h+var_F4]
		lea	edi, [esp+110h+var_D8]
		movsd
		movsd
		movsd
		movsd
		jmp	short loc_AE3619
; 

loc_AE3605:				; CODE XREF: IopGetBootDiskInformationLite+26DFAj
		xor	eax, eax
		lea	edi, [esp+110h+var_D8]
		stosd
		stosd
		stosd
		stosd
		mov	eax, [esp+110h+var_F4]
		mov	eax, [eax]
		mov	[esp+110h+var_D8], eax

loc_AE3619:				; CODE XREF: IopGetBootDiskInformationLite+26DFFj
					; IopGetBootDiskInformationLite+26E0Dj
		mov	ecx, [esp+110h+var_F0]
		lea	edx, [esp+110h+var_E0]
		call	IopAddBootDiskInformation
		jmp	loc_ABC9B3
; END OF FUNCTION CHUNK	FOR IopGetBootDiskInformationLite
; 
; START	OF FUNCTION CHUNK FOR EmpParseEntryTypes

loc_AE362B:				; CODE XREF: EmpParseEntryTypes+A5j
					; EmpParseEntryTypes+B4j
		push	74694D45h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		jmp	loc_ABCAE4
; END OF FUNCTION CHUNK	FOR EmpParseEntryTypes
; 
; START	OF FUNCTION CHUNK FOR EmpParseCallbacks

loc_AE363D:				; CODE XREF: EmpParseCallbacks+A0j
					; EmpParseCallbacks+AFj ...
		push	74694D45h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE3648:				; CODE XREF: EmpParseCallbacks+68j
		xor	esi, esi
		jmp	loc_ABCC57
; 

loc_AE364F:				; CODE XREF: EmpParseCallbacks+19Bj
		mov	esi, 0C0000225h
		jmp	loc_ABCC2B
; 

loc_AE3659:				; CODE XREF: EmpParseCallbacks+86j
		mov	esi, 0C000009Ah
		jmp	loc_ABCC61
; END OF FUNCTION CHUNK	FOR EmpParseCallbacks
; 
; START	OF FUNCTION CHUNK FOR EmpParseRuleTerm

loc_AE3663:				; CODE XREF: EmpParseRuleTerm+4Aj
		mov	esi, 0C000000Dh
		jmp	loc_ABCDBB
; 

loc_AE366D:				; CODE XREF: EmpParseRuleTerm+D7j
		push	74734D45h
		push	ebx
		mov	esi, 0C000000Dh
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ABCDBB
; END OF FUNCTION CHUNK	FOR EmpParseRuleTerm
; 
; START	OF FUNCTION CHUNK FOR EmpParseRuleExpression

loc_AE3682:				; CODE XREF: EmpParseRuleExpression+13Aj
					; EmpParseRuleExpression+173j ...
		mov	esi, 0C000009Ah
		jmp	loc_ABD008
; 

loc_AE368C:				; CODE XREF: EmpParseRuleExpression+B3j
					; EmpParseRuleExpression+DCj ...
		mov	esi, 0C000000Dh
		jmp	loc_ABD008
; 

loc_AE3696:				; CODE XREF: EmpParseRuleExpression+204j
		lea	eax, [ebp+arg_0]
		mov	ecx, ebx
		push	eax
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	edx, [ebp+var_2C]
		call	_EmpRuleParserStackPop@20 ; EmpRuleParserStackPop(x,x,x,x,x)
		jmp	loc_ABD00C
; 

loc_AE36B1:				; CODE XREF: EmpParseRuleExpression+217j
		mov	ebx, [ebp+var_18]
		test	ebx, ebx
		jz	loc_ABD1E8
		mov	eax, [ebx+4]
		test	eax, eax
		jz	short loc_AE36CE
		push	74734D45h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE36CE:				; CODE XREF: EmpParseRuleExpression+268B5j
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	short loc_AE36E0
		push	74734D45h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE36E0:				; CODE XREF: EmpParseRuleExpression+268C7j
		push	74734D45h
		jmp	short loc_AE3714
; 

loc_AE36E7:				; CODE XREF: EmpParseRuleExpression+3E1j
		mov	eax, [ecx]
		lea	ebx, [ecx-4]
		mov	[edi+34h], eax
		mov	edx, [ebx]
		mov	eax, [edx+1Ch]
		lea	ecx, [eax-4]
		cmp	[ecx], edi
		jnz	short loc_AE370F
		test	eax, eax
		jz	short loc_AE3704
		mov	eax, [eax]
		mov	[edx+1Ch], eax

loc_AE3704:				; CODE XREF: EmpParseRuleExpression+268F1j
		push	74694D45h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE370F:				; CODE XREF: EmpParseRuleExpression+268EDj
		push	74694D45h

loc_AE3714:				; CODE XREF: EmpParseRuleExpression+268D9j
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ABD1E8
; 

loc_AE371F:				; CODE XREF: EmpParseRuleExpression+3ECj
		mov	eax, [ecx]
		lea	ebx, [ecx-4]
		mov	[edi+30h], eax
		mov	edx, [ebx]
		mov	eax, [edx+20h]
		lea	ecx, [eax-4]
		cmp	[ecx], edi
		jnz	short loc_AE3747
		test	eax, eax
		jz	short loc_AE373C
		mov	eax, [eax]
		mov	[edx+20h], eax

loc_AE373C:				; CODE XREF: EmpParseRuleExpression+26929j
		push	74694D45h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE3747:				; CODE XREF: EmpParseRuleExpression+26925j
		push	74694D45h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ABD1F3
; 

loc_AE3757:				; CODE XREF: EmpParseRuleExpression+3FDj
		push	74694D45h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ABD029
; END OF FUNCTION CHUNK	FOR EmpParseRuleExpression
; 
; START	OF FUNCTION CHUNK FOR EmpParseRules

loc_AE3767:				; CODE XREF: EmpParseRules+1D6j
					; EmpParseRules+1E6j ...
		xor	edi, edi
		add	ebx, 0FFFFFFFEh
		jz	short loc_AE3797

loc_AE376E:				; CODE XREF: EmpParseRules+2654Bj
		mov	eax, [esi+2Ch]
		mov	edx, [eax+edi*4]
		mov	eax, [edx+2Ch]
		lea	ecx, [eax-4]
		cmp	[ecx], esi
		jnz	short loc_AE3792
		test	eax, eax
		jz	short loc_AE3787
		mov	eax, [eax]
		mov	[edx+2Ch], eax

loc_AE3787:				; CODE XREF: EmpParseRules+26536j
		push	74694D45h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE3792:				; CODE XREF: EmpParseRules+26532j
		inc	edi
		cmp	edi, ebx
		jb	short loc_AE376E

loc_AE3797:				; CODE XREF: EmpParseRules+26522j
		mov	eax, [esi+2Ch]
		test	eax, eax
		jz	short loc_AE37A9
		push	74694D45h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE37A9:				; CODE XREF: EmpParseRules+26552j
		push	74694D45h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ebx, [ebp+var_1C]
		xor	edi, edi
		jmp	loc_ABD3A6
; 

loc_AE37BE:				; CODE XREF: EmpParseRules+25Bj
					; EmpParseRules+2659Cj
		mov	eax, [esi+2Ch]
		mov	edx, [eax+edi*4]
		mov	eax, [edx+2Ch]
		lea	ecx, [eax-4]
		cmp	[ecx], esi
		jnz	short loc_AE37E2
		test	eax, eax
		jz	short loc_AE37D7
		mov	eax, [eax]
		mov	[edx+2Ch], eax

loc_AE37D7:				; CODE XREF: EmpParseRules+26586j
		push	74694D45h
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE37E2:				; CODE XREF: EmpParseRules+26582j
		inc	edi
		cmp	edi, [esi+28h]
		jb	short loc_AE37BE
		jmp	loc_ABD4AB
; 

loc_AE37ED:				; CODE XREF: EmpParseRules+266j
		push	74694D45h
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ABD4B6
; 

loc_AE37FD:				; CODE XREF: EmpParseRules+187j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE3804:				; CODE XREF: EmpParseRules+6Bj
		mov	edi, 0C000009Ah
		jmp	loc_ABD4D1
; END OF FUNCTION CHUNK	FOR EmpParseRules
; 
; START	OF FUNCTION CHUNK FOR EmpParseStrings

loc_AE380E:				; CODE XREF: EmpParseStrings+35j
		mov	eax, _EmpNumberOfStrings
		add	eax, ebx
		shl	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	_EmpStringTable, edi
		test	edi, edi
		jz	loc_ABD5DD
		mov	eax, _EmpNumberOfStrings
		mov	[ebp+var_8], eax
		add	eax, ebx
		shl	eax, 2
		push	eax		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+var_8]
		add	esp, 0Ch
		mov	edx, [ebp+var_4]
		test	ecx, ecx
		jz	short loc_AE3865
		sub	edx, edi

loc_AE3855:				; CODE XREF: EmpParseStrings+2637Ej
		mov	eax, [edx+edi]
		mov	[edi], eax
		lea	edi, [edi+4]
		sub	ecx, 1
		jnz	short loc_AE3855
		mov	edx, [ebp+var_4]

loc_AE3865:				; CODE XREF: EmpParseStrings+2636Fj
		push	74694D45h
		push	edx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ABD542
; 

loc_AE3875:				; CODE XREF: EmpParseStrings+DBj
		mov	eax, [ebp+var_4]
		mov	ecx, [ebp+var_10]
		push	74694D45h
		push	dword ptr [eax+ecx*4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi
		jmp	loc_ABD5C9
; END OF FUNCTION CHUNK	FOR EmpParseStrings
; 
; START	OF FUNCTION CHUNK FOR EmpParseTargetRules

loc_AE388F:				; CODE XREF: EmpParseTargetRules+D8j
		mov	eax, [eax+0Ch]
		add	eax, ecx
		mov	[ebp+var_28], eax
		shl	eax, 2
		push	eax
		push	1
		mov	[ebp+var_20], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AE38EA
		push	[ebp+var_20]	; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	ecx, [ebp+var_1C]
		add	esp, 0Ch
		mov	eax, [ecx+0Ch]
		shl	eax, 2
		push	eax		; size_t
		push	dword ptr [ecx+8] ; void *
		push	edi		; void *
		call	_memcpy
		mov	ecx, [ebp+var_1C]
		add	esp, 0Ch
		mov	eax, [ecx+0Ch]
		push	74694D45h
		push	dword ptr [ecx+8]
		mov	[ebp+var_20], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ABD799
; 

loc_AE38EA:				; CODE XREF: EmpParseTargetRules+F5j
					; EmpParseTargetRules+26219j
		mov	esi, 0C000009Ah
		jmp	loc_ABD828
; END OF FUNCTION CHUNK	FOR EmpParseTargetRules
; 
; START	OF FUNCTION CHUNK FOR EmpParseTargetRuleStringIndexList

loc_AE38F4:				; CODE XREF: EmpParseTargetRuleStringIndexList+CBj
					; EmpParseTargetRuleStringIndexList+E2j ...
		mov	bl, 1
		jmp	loc_ABD986
; END OF FUNCTION CHUNK	FOR EmpParseTargetRuleStringIndexList
; 
; START	OF FUNCTION CHUNK FOR CmpProcessForSimpleStringSub

loc_AE38FB:				; CODE XREF: CmpProcessForSimpleStringSub+2Aj
		push	esi
		mov	esi, [ecx+14h]
		test	esi, esi
		jz	short loc_AE394A
		mov	esi, [esi+8]
		test	esi, esi
		jz	short loc_AE394A

loc_AE390A:				; CODE XREF: CmpProcessForSimpleStringSub+25CDEj
		mov	ecx, [esi+4]
		test	ecx, ecx
		jz	short loc_AE3930
		lea	eax, [edi-2]
		push	eax		; size_t
		lea	eax, [ebx+1]
		push	eax		; char *
		push	ecx		; char *
		call	__strnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_AE3930
		mov	eax, [esi+4]
		cmp	byte ptr [eax+edi-2], 0
		jz	short loc_AE3936

loc_AE3930:				; CODE XREF: CmpProcessForSimpleStringSub+25CB9j
					; CmpProcessForSimpleStringSub+25CCEj
		mov	esi, [esi]
		test	esi, esi
		jnz	short loc_AE390A

loc_AE3936:				; CODE XREF: CmpProcessForSimpleStringSub+25CD8j
		test	esi, esi
		jz	short loc_AE394A
		mov	eax, [esi+8]
		test	eax, eax
		jz	short loc_AE394A
		mov	eax, [eax+4]
		test	eax, eax
		jz	short loc_AE394A
		mov	ebx, eax

loc_AE394A:				; CODE XREF: CmpProcessForSimpleStringSub+25CABj
					; CmpProcessForSimpleStringSub+25CB2j ...
		pop	esi
		jmp	loc_ABDC6F
; END OF FUNCTION CHUNK	FOR CmpProcessForSimpleStringSub
; 
; START	OF FUNCTION CHUNK FOR EmpParseRuleTermArgMapping

loc_AE3950:				; CODE XREF: EmpParseRuleTermArgMapping+38j
		xor	al, al
		jmp	loc_ABDDE8
; 

loc_AE3957:				; CODE XREF: EmpParseRuleTermArgMapping+11Fj
		cmp	esi, [ebp+arg_0]
		jnz	loc_ABDE5B
		cmp	[ebp+arg_4], 0
		jmp	loc_ABDF1B
; 

loc_AE3969:				; CODE XREF: EmpParseRuleTermArgMapping+1CDj
		cmp	al, 2Eh
		jz	loc_ABDE70
		jmp	loc_ABDE5B
; END OF FUNCTION CHUNK	FOR EmpParseRuleTermArgMapping
; 
; START	OF FUNCTION CHUNK FOR KiAllProcessorsStarted

loc_AE3976:				; CODE XREF: KiAllProcessorsStarted+37j
		push	2020654Bh
		push	180h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_4], edi
		test	edi, edi
		jz	loc_ABDFC5
		push	180h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		push	50h
		pop	ecx
		rep movsd
		mov	ecx, [ebp+var_8]
		mov	ds:_KeNodeBlock[ecx*4],	eax
		jmp	loc_ABDFC5
; END OF FUNCTION CHUNK	FOR KiAllProcessorsStarted
; 
; START	OF FUNCTION CHUNK FOR KeStartAllProcessors

loc_AE39BE:				; CODE XREF: KeStartAllProcessors+7Aj
		mov	edi, eax
		mov	[ebp+var_358], eax
		jmp	loc_ABE40E
; 

loc_AE39CB:				; CODE XREF: KeStartAllProcessors+87j
		test	edi, edi
		jz	short loc_AE39D7
		cmp	eax, edi
		jnb	loc_ABE41B

loc_AE39D7:				; CODE XREF: KeStartAllProcessors+2563Fj
		mov	edi, eax
		mov	[ebp+var_358], edi
		jmp	loc_ABE41B
; 

loc_AE39E4:				; CODE XREF: KeStartAllProcessors+B6j
		push	20h
		pop	esi
		mov	[ebp+var_334], esi
		jmp	loc_ABE44A
; 

loc_AE39F2:				; CODE XREF: KeStartAllProcessors+D7j
		mov	esi, ecx
		mov	[ebp+var_334], esi
		jmp	loc_ABE46B
; 

loc_AE39FF:				; CODE XREF: KeStartAllProcessors+E4j
		cmp	eax, esi
		jnb	loc_ABE478
		mov	esi, eax
		mov	[ebp+var_334], esi
		jmp	loc_ABE478
; 

loc_AE3A14:				; CODE XREF: KeStartAllProcessors+ECj
		cmp	ds:_KeDynamicPartitioningSupported, 0
		jnz	loc_ABE480
		mov	esi, edi
		mov	[ebp+var_334], esi
		jmp	loc_ABE480
; 

loc_AE3A2E:				; CODE XREF: KeStartAllProcessors+FBj
		xor	eax, eax
		push	eax
		push	14h
		push	eax
		jmp	short loc_AE3A3B
; 

loc_AE3A36:				; CODE XREF: KeStartAllProcessors+135j
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	ecx

loc_AE3A3B:				; CODE XREF: KeStartAllProcessors+256A6j
		push	eax
		jmp	short loc_AE3A48
; 

loc_AE3A3E:				; CODE XREF: KeStartAllProcessors+14Aj
					; KeStartAllProcessors+174j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	0C000009Ah

loc_AE3A48:				; CODE XREF: KeStartAllProcessors+256AEj
		push	32h
		jmp	short loc_AE3A61
; 

loc_AE3A4C:				; CODE XREF: KeStartAllProcessors+3ABj
		push	[ebp+var_33C]
		lea	eax, [ebp+var_328]
		push	edi
		push	3
		push	eax
		push	1DFh

loc_AE3A61:				; CODE XREF: KeStartAllProcessors+256BCj
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE3A66:				; CODE XREF: KeStartAllProcessors+11Dj
		push	20h
		pop	eax
		mov	[ebp+var_338], eax
		mov	ds:_KeRegisteredProcessors, eax
		jmp	loc_ABE4B1
; 

loc_AE3A79:				; CODE XREF: KeStartAllProcessors+19Ej
		cmp	edi, [ebp+var_338]
		jnb	loc_ABE80E
		jmp	loc_ABE532
; 

loc_AE3A8A:				; CODE XREF: KeStartAllProcessors+305j
		mov	edi, [ebp+var_348]
		mov	ecx, esi
		shl	ecx, 5
		add	edi, 500h
		add	ecx, 603Fh
		and	ecx, 0FFFFFFC0h
		push	180h		; size_t
		add	edi, ecx
		push	0		; int
		push	edi		; void *
		mov	[ebp+var_34C], edi
		call	_memset
		movzx	eax, word ptr [ebp+var_32C]
		add	esp, 0Ch
		imul	esi, eax, 140h
		push	50h
		pop	ecx
		add	esi, offset _KiNodeInit
		rep movsd
		movzx	eax, word ptr [ebp+var_32C]
		mov	ecx, [ebp+var_34C]
		mov	esi, [ebp+var_334]
		mov	edi, [ebp+var_360]
		mov	ds:_KeNodeBlock[eax*4],	ecx
		mov	eax, [ebp+var_330]
		jmp	loc_ABE69F
; 

loc_AE3AFF:				; CODE XREF: KeStartAllProcessors+415j
					; KeStartAllProcessors+42Aj
		inc	edx
		cmp	edx, edi
		jb	loc_ABE79A

loc_AE3B08:				; CODE XREF: KeStartAllProcessors+3C1j
					; KeStartAllProcessors+3D1j ...
		mov	eax, [ebp+var_338]
		cmp	ds:_KeNumberProcessors,	eax
		jb	loc_ABE7C4
		mov	_KiProcessorStartControl, 3
		call	KiStartWaitAcknowledge
		mov	ecx, [ebp+var_330]
		call	_KiRemoveProcessorFromGroupDatabase@4 ;	KiRemoveProcessorFromGroupDatabase(x)
		mov	ecx, [ebp+var_364]
		xor	edx, edx
		and	ds:_KiProcessorBlock[edi*4], 0
		call	_MmDeleteKernelStack@8 ; MmDeleteKernelStack(x,x)
		mov	ecx, [ebp+var_340]
		call	_MmFreeIsrStack@4 ; MmFreeIsrStack(x)
		mov	ecx, edi
		call	_ExDeletePoolTagTable@4	; ExDeletePoolTagTable(x)
		mov	ecx, [ebp+var_35C]
		jmp	loc_ABE544
; 

loc_AE3B66:				; CODE XREF: KeStartAllProcessors+34Ej
					; KeStartAllProcessors+361j ...
		mov	ecx, [ebp+var_330]
		call	_KiRemoveProcessorFromGroupDatabase@4 ;	KiRemoveProcessorFromGroupDatabase(x)
		mov	edx, [ebp+var_368]
		mov	edi, edx
		mov	esi, [ebp+var_34C]
		push	50h
		pop	ecx
		rep movsd
		movzx	eax, word ptr [ebp+var_32C]
		mov	ecx, [ebp+var_330]
		mov	ds:_KeNodeBlock[eax*4],	edx
		call	_HvlDeleteProcessor@4 ;	HvlDeleteProcessor(x)
		mov	ecx, [ebp+var_330]
		call	_MmDeleteProcessor@4 ; MmDeleteProcessor(x)
		mov	ecx, [ebp+var_360]
		and	ds:_KiProcessorBlock[ecx*4], 0
		call	_ExDeletePoolTagTable@4	; ExDeletePoolTagTable(x)
		mov	edx, [ebp+var_350]
		mov	ecx, [ebp+var_348]
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)
		mov	ecx, [ebp+var_354]
		xor	edx, edx
		call	_MmDeleteKernelStack@8 ; MmDeleteKernelStack(x,x)
		mov	ecx, [ebp+var_364]
		xor	edx, edx
		call	_MmDeleteKernelStack@8 ; MmDeleteKernelStack(x,x)
		mov	ecx, [ebp+var_340]
		call	_MmFreeIsrStack@4 ; MmFreeIsrStack(x)
		mov	ecx, [ebp+var_344]
		call	_MmFreeIsrStack@4 ; MmFreeIsrStack(x)
		jmp	loc_ABE80E
; 

loc_AE3C01:				; CODE XREF: KeStartAllProcessors+2A8j
		push	7Dh
		call	_KeBugCheck@4	; KeBugCheck(x)

loc_AE3C08:				; CODE XREF: KeStartAllProcessors+242j
		mov	ecx, [ebp+var_330]
		mov	edx, 7000h
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)

loc_AE3C18:				; CODE XREF: KeStartAllProcessors+22Dj
		mov	edx, [ebp+var_350]
		mov	ecx, [ebp+var_348]
		call	_MmFreeIndependentPages@8 ; MmFreeIndependentPages(x,x)
		jmp	loc_ABE80E
; 

loc_AE3C2E:				; CODE XREF: KeStartAllProcessors+4A1j
		mov	edx, [ebp+var_36C]
		cmp	edx, ds:_KeNumberProcessors
		jbe	loc_ABE835
		mov	eax, ds:_KiProcessorBlock
		mov	ecx, [eax+344h]
		imul	ecx, [eax+340h]
		movzx	eax, ds:_KiMaximumGroups
		imul	eax, ds:_KiMaximumGroupSize
		imul	ecx, ds:_KeRegisteredProcessors
		mov	ds:_KeMaximumProcessors, ecx
		cmp	ecx, eax
		jbe	short loc_AE3C78
		mov	ds:_KeMaximumProcessors, eax
		mov	ecx, eax

loc_AE3C78:				; CODE XREF: KeStartAllProcessors+258E1j
		cmp	ecx, edx
		jbe	loc_ABE83F
		mov	ds:_KeMaximumProcessors, edx
		jmp	loc_ABE83F
; 

loc_AE3C8B:				; CODE XREF: KeStartAllProcessors+59j
					; KeStartAllProcessors+99j
		mov	ds:_KeMaximumProcessors, 1
		jmp	loc_ABE85E
; END OF FUNCTION CHUNK	FOR KeStartAllProcessors
; 
; START	OF FUNCTION CHUNK FOR MiMarkBootKernelStack

loc_AE3C9A:				; CODE XREF: MiMarkBootKernelStack+6Aj
		mov	edx, esi
		mov	ecx, offset unk_6D3A40
		call	_MiUnlockPageTableInternal@8 ; MiUnlockPageTableInternal(x,x)
		jmp	loc_ABE926
; END OF FUNCTION CHUNK	FOR MiMarkBootKernelStack
; 
; START	OF FUNCTION CHUNK FOR ExRngInitializeSystem

loc_AE3CAB:				; CODE XREF: ExRngInitializeSystem+DAj
		mov	_ExpSecurityCookieRandomData, 1
		jmp	loc_ABEA62
; END OF FUNCTION CHUNK	FOR ExRngInitializeSystem
; 
; START	OF FUNCTION CHUNK FOR KiPerformGroupConfiguration

loc_AE3CBA:				; CODE XREF: KiPerformGroupConfiguration+91j
		xor	edx, edx
		mov	[eax], ebx
		mov	ax, [ecx+8Ah]
		inc	edx
		mov	[ebp+var_5C], edx
		mov	[ecx+8Ch], ax
		jmp	loc_ABEB38
; 

loc_AE3CD5:				; CODE XREF: KiPerformGroupConfiguration+E0j
		movzx	eax, ax
		imul	eax, eax
		push	2020654Bh
		shl	eax, 2
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ds:_KeNodeDistance, eax
		test	eax, eax
		jnz	loc_ABEB54
		push	ebx
		push	ebx
		push	ebx
		push	0C000009Ah
		jmp	short loc_AE3D09
; 

loc_AE3D05:				; CODE XREF: KiPerformGroupConfiguration+17Cj
		push	ebx
		push	ebx
		push	ebx
		push	eax

loc_AE3D09:				; CODE XREF: KiPerformGroupConfiguration+25295j
		push	32h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE3D10:				; CODE XREF: KiPerformGroupConfiguration+1A7j
		push	28h
		pop	eax
		inc	esi
		add	ecx, eax
		cmp	esi, edx
		jb	loc_ABEC10
		xor	eax, eax
		lea	edx, [eax+1]
		jmp	loc_ABEC1D
; 

loc_AE3D28:				; CODE XREF: KiPerformGroupConfiguration+208j
		mov	eax, ds:_KeNodeBlock[eax*4]
		mov	al, [eax+0A5h]
		xor	al, [ecx+0A5h]
		and	al, 10h
		xor	[ecx+0A5h], al
		jmp	loc_ABEC7C
; 

loc_AE3D48:				; CODE XREF: KiPerformGroupConfiguration+226j
		mov	esi, ds:_KeRootProcSpecified
		test	esi, esi
		jnz	short loc_AE3DA5
		cmp	ds:_KeRootProcNumaNodeLpsSpecified, 0
		jz	short loc_AE3DA5
		mov	edi, ebx

loc_AE3D5D:				; CODE XREF: KiPerformGroupConfiguration+25333j
		mov	ebx, ds:_KeRootProcNumaNodeLps[edi]
		add	edi, 8
		not	ebx
		movzx	eax, bl
		shr	ebx, 8
		mov	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		shr	ebx, 8
		mov	ecx, ebx
		shr	ecx, 8
		add	dl, ds:_RtlpBitsClearTotal[eax]
		movzx	eax, bl
		mov	cl, ds:_RtlpBitsClearTotal[ecx]
		add	cl, ds:_RtlpBitsClearTotal[eax]
		add	cl, dl
		movzx	eax, cl
		add	esi, eax
		cmp	edi, 80h
		jb	short loc_AE3D5D
		xor	ebx, ebx

loc_AE3DA5:				; CODE XREF: KiPerformGroupConfiguration+252E2j
					; KiPerformGroupConfiguration+252EBj
		test	byte ptr ds:_HvlpRootFlags, 1
		jz	short loc_AE3DC4
		test	esi, esi
		jz	short loc_AE3DC4
		cmp	esi, 20h
		ja	short loc_AE3DC4
		cmp	ds:_KeDynamicPartitioningSupported, 0
		jz	loc_ABECF5

loc_AE3DC4:				; CODE XREF: KiPerformGroupConfiguration+2533Ej
					; KiPerformGroupConfiguration+25342j ...
		test	byte ptr ds:_HvlpFlags,	80h
		jnz	loc_ABEC9A
		lea	eax, [ebp+var_54]
		push	eax
		call	_HviGetImplementationLimits@4 ;	HviGetImplementationLimits(x)
		cmp	[ebp+var_54], 0FFFFFFFFh
		jnz	loc_ABECF5
		test	ds:_HvlEnlightenments, 4004h
		jnz	loc_ABECF5
		jmp	loc_ABEC9A
; 

loc_AE3DF9:				; CODE XREF: KiPerformGroupConfiguration+247j
		mov	edi, [ebp+var_5C]
		cmp	edi, [esi]
		jnz	loc_ABECBB
		mov	ax, ds:_KeNumberNodes
		xor	ecx, ecx
		cmp	cx, ax
		jnb	loc_AE3EAF
		mov	ecx, offset _KeNodeBlock
		movzx	edx, ax
		mov	edi, 0FFFFh

loc_AE3E22:				; CODE XREF: KiPerformGroupConfiguration+253CAj
		mov	eax, [ecx]
		lea	ecx, [ecx+4]
		mov	[eax+88h], di
		and	byte ptr [eax+0A5h], 0FDh
		sub	edx, 1
		jnz	short loc_AE3E22
		jmp	short loc_AE3EAC
; 

loc_AE3E3C:				; CODE XREF: KiPerformGroupConfiguration+25443j
		mov	eax, [esi+4]
		lea	ecx, [ebp+var_68]
		push	ecx
		dec	edi
		push	eax
		mov	[ebp+var_5C], edi
		call	_KiNumaQueryProximityNode
		test	eax, eax
		jnz	loc_ABECBB
		add	esi, 8
		xor	ecx, ecx
		inc	ecx
		mov	eax, [esi]
		cmp	eax, ecx
		jb	short loc_AE3E6F
		mov	ecx, 0FFFFh
		cmp	eax, ecx
		jnz	loc_ABECBB

loc_AE3E6F:				; CODE XREF: KiPerformGroupConfiguration+253F2j
		mov	ax, ds:_KeNumberNodes
		xor	ecx, ecx
		cmp	cx, ax
		jnb	short loc_AE3EAF
		mov	edx, offset _KeNodeBlock
		movzx	edi, ax

loc_AE3E84:				; CODE XREF: KiPerformGroupConfiguration+2543Cj
		mov	ecx, [edx]
		mov	ax, [ecx+8Ch]
		cmp	ax, word ptr [ebp+var_68]
		jnz	short loc_AE3EA4
		mov	ax, [esi]
		mov	[ecx+88h], ax
		or	byte ptr [ecx+0A5h], 2

loc_AE3EA4:				; CODE XREF: KiPerformGroupConfiguration+25423j
		add	edx, 4
		sub	edi, 1
		jnz	short loc_AE3E84

loc_AE3EAC:				; CODE XREF: KiPerformGroupConfiguration+253CCj
		mov	edi, [ebp+var_5C]

loc_AE3EAF:				; CODE XREF: KiPerformGroupConfiguration+253A1j
					; KiPerformGroupConfiguration+2540Cj
		test	edi, edi
		jnz	short loc_AE3E3C
		mov	eax, ds:_KeNodeBlock
		mov	ecx, 0FFFFh
		cmp	[eax+88h], cx
		jz	loc_ABECBB
		mov	cx, ds:_KeNumberNodes
		xor	esi, esi
		mov	eax, ds:_KiMaximumGroupSize
		mov	edx, ebx
		mov	[ebp+var_58], eax
		cmp	si, cx
		jnb	short loc_AE3F33

loc_AE3EE2:				; CODE XREF: KiPerformGroupConfiguration+254C0j
		movzx	eax, dx
		mov	esi, ds:_KeNodeBlock[eax*4]
		mov	al, [esi+0A5h]
		test	al, 2
		jz	loc_ABECBB
		movzx	edi, word ptr [esi+88h]
		cmp	di, word ptr [ebp+var_74]
		jnz	short loc_AE3F11
		and	al, 0FDh
		mov	[esi+0A5h], al
		jmp	short loc_AE3F2A
; 

loc_AE3F11:				; CODE XREF: KiPerformGroupConfiguration+25497j
		movzx	esi, byte ptr [esi+0A4h]
		mov	eax, [ebp+edi*4+var_58]
		cmp	eax, esi
		jb	loc_ABECBB
		sub	eax, esi
		mov	[ebp+edi*4+var_58], eax

loc_AE3F2A:				; CODE XREF: KiPerformGroupConfiguration+254A1j
		inc	edx
		cmp	dx, cx
		jb	short loc_AE3EE2
		mov	eax, [ebp+var_58]

loc_AE3F33:				; CODE XREF: KiPerformGroupConfiguration+25472j
		xor	edx, edx
		mov	ds:_KiMaximumGroups, dx
		cmp	eax, ds:_KiMaximumGroupSize
		jnb	short loc_AE3F4D
		xor	eax, eax
		inc	eax
		mov	ds:_KiMaximumGroups, ax

loc_AE3F4D:				; CODE XREF: KiPerformGroupConfiguration+254D4j
		xor	eax, eax
		cmp	ax, cx
		jnb	loc_ABECFA
		movzx	ecx, cx
		mov	edx, offset _KeNodeBlock

loc_AE3F60:				; CODE XREF: KiPerformGroupConfiguration+25501j
		mov	eax, [edx]
		lea	edx, [edx+4]
		or	byte ptr [eax+0A5h], 8
		sub	ecx, 1
		jnz	short loc_AE3F60
		jmp	loc_ABECFA
; 

loc_AE3F76:				; CODE XREF: KiPerformGroupConfiguration+274j
		xor	eax, eax
		inc	eax
		mov	ds:_KiMaximizeGroupsCreated, al
		jmp	loc_ABECEB
; 

loc_AE3F83:				; CODE XREF: KiPerformGroupConfiguration+281j
		cmp	ds:_KiMaximizeGroupsCreated, 0
		jnz	short loc_AE3F9B
		mov	eax, [ebp+var_60]
		cmp	eax, ds:_KiMaximumGroupSize
		jbe	loc_ABECF5

loc_AE3F9B:				; CODE XREF: KiPerformGroupConfiguration+2551Cj
		mov	dx, ds:_KeNumberNodes
		xor	eax, eax
		mov	[ebp+var_5C], ebx
		mov	edi, ebx
		cmp	ax, dx
		jnb	short loc_AE4019
		mov	eax, ebx
		mov	[ebp+var_58], offset _KeNodeBlock
		mov	[ebp+var_60], eax

loc_AE3FBA:				; CODE XREF: KiPerformGroupConfiguration+2559Cj
		mov	esi, ebx

loc_AE3FBC:				; CODE XREF: KiPerformGroupConfiguration+25573j
		cmp	di, si
		jz	short loc_AE3FDD
		movzx	ecx, dx
		imul	ecx, eax
		movzx	eax, si
		add	ecx, eax
		mov	eax, ds:_KeNodeDistance
		cmp	dword ptr [eax+ecx*4], 0FFFFh
		jnz	short loc_AE3FE5
		mov	eax, [ebp+var_60]

loc_AE3FDD:				; CODE XREF: KiPerformGroupConfiguration+25551j
		inc	esi
		cmp	si, dx
		jb	short loc_AE3FBC
		jmp	short loc_AE3FFE
; 

loc_AE3FE5:				; CODE XREF: KiPerformGroupConfiguration+2556Aj
		mov	eax, [ebp+var_58]
		mov	eax, [eax]
		or	byte ptr [eax+0A5h], 8
		movzx	eax, byte ptr [eax+0A4h]
		add	[ebp+var_5C], eax
		mov	eax, [ebp+var_60]

loc_AE3FFE:				; CODE XREF: KiPerformGroupConfiguration+25575j
		add	[ebp+var_58], 4
		inc	edi
		inc	eax
		mov	[ebp+var_60], eax
		cmp	di, dx
		jb	short loc_AE3FBA
		movzx	ecx, dx
		lea	edi, [ebp+var_44]
		mov	esi, offset _KeNodeBlock
		rep movsd

loc_AE4019:				; CODE XREF: KiPerformGroupConfiguration+2553Ej
		movzx	edx, dx
		dec	edx
		mov	[ebp+var_70], edx
		test	edx, edx
		jle	short loc_AE407A
		xor	eax, eax
		lea	ecx, [eax+1]

loc_AE4029:				; CODE XREF: KiPerformGroupConfiguration+2560Aj
		mov	di, ds:_KeNumberNodes
		cmp	cx, di
		jnb	short loc_AE406F
		movzx	eax, cx
		lea	esi, [ebp+var_44]
		sub	di, cx
		movzx	edx, di
		lea	esi, [esi+eax*4]

loc_AE4044:				; CODE XREF: KiPerformGroupConfiguration+255FCj
		mov	eax, [ebp+ebx*4+var_44]
		mov	edi, [esi]
		mov	[ebp+var_74], eax
		mov	al, [eax+0A4h]
		cmp	al, [edi+0A4h]
		jnb	short loc_AE4064
		mov	eax, [ebp+var_74]
		mov	[ebp+ebx*4+var_44], edi
		mov	[esi], eax

loc_AE4064:				; CODE XREF: KiPerformGroupConfiguration+255EBj
		add	esi, 4
		sub	edx, 1
		jnz	short loc_AE4044
		mov	edx, [ebp+var_70]

loc_AE406F:				; CODE XREF: KiPerformGroupConfiguration+255C5j
		inc	ecx
		lea	eax, [ecx-1]
		movzx	ebx, ax
		cmp	ebx, edx
		jl	short loc_AE4029

loc_AE407A:				; CODE XREF: KiPerformGroupConfiguration+255B4j
		mov	eax, [ebp+var_5C]
		test	eax, eax
		jnz	short loc_AE4086
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_AE40AE
; 

loc_AE4086:				; CODE XREF: KiPerformGroupConfiguration+25611j
		cmp	ds:_KiMaximizeGroupsCreated, 0
		jnz	short loc_AE40A0
		dec	eax
		xor	edx, edx
		add	eax, ds:_KiMaximumGroupSize
		div	ds:_KiMaximumGroupSize
		jmp	short loc_AE40A3
; 

loc_AE40A0:				; CODE XREF: KiPerformGroupConfiguration+2561Fj
		mov	eax, [ebp+var_64]

loc_AE40A3:				; CODE XREF: KiPerformGroupConfiguration+25630j
		xor	ecx, ecx
		movzx	esi, ax
		inc	ecx
		cmp	si, cx
		jbe	short loc_AE40B0

loc_AE40AE:				; CODE XREF: KiPerformGroupConfiguration+25616j
		mov	esi, ecx

loc_AE40B0:				; CODE XREF: KiPerformGroupConfiguration+2563Ej
		mov	ebx, [ebp+var_64]

loc_AE40B3:				; CODE XREF: KiPerformGroupConfiguration+2566Dj
		lea	eax, [ebp+var_5C]
		cmp	si, cx
		push	eax
		lea	eax, [ebp+var_6C]
		mov	edx, ebx
		push	eax
		setz	al
		lea	ecx, [ebp+var_44]
		movzx	eax, al
		push	eax
		push	esi
		call	_KiAssignFixedNodes@24 ; KiAssignFixedNodes(x,x,x,x,x,x)
		test	al, al
		jnz	short loc_AE40DD
		xor	ecx, ecx
		inc	esi
		inc	ecx
		cmp	si, cx
		jbe	short loc_AE40B3

loc_AE40DD:				; CODE XREF: KiPerformGroupConfiguration+25664j
		lea	eax, [ebp+var_5C]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_6C]
		push	eax
		lea	ecx, [ebp+var_44]
		call	_KiShuffleAssignedNodes@16 ; KiShuffleAssignedNodes(x,x,x,x)
		lea	eax, [ebp+var_6C]
		mov	edx, ebx
		push	eax
		push	ecx
		lea	ecx, [ebp+var_44]
		call	_KiAssignAdjustableNodes@16 ; KiAssignAdjustableNodes(x,x,x,x)
		movzx	eax, ax
		cmp	si, ax
		jbe	short loc_AE4109
		movzx	eax, si

loc_AE4109:				; CODE XREF: KiPerformGroupConfiguration+25696j
		mov	cx, ds:_KeNumberNodes
		mov	ds:_KiMaximumGroups, ax
		mov	eax, ds:_KeNodeBlock
		movzx	esi, word ptr [eax+88h]
		cmp	bx, cx
		jnb	loc_ABECFA
		movzx	eax, bx
		lea	edx, [ebp+var_44]
		sub	cx, bx
		movzx	ecx, cx
		lea	edx, [edx+eax*4]

loc_AE413A:				; CODE XREF: KiPerformGroupConfiguration+256E2j
		mov	eax, [edx]
		lea	edx, [edx+4]
		mov	[eax+88h], si
		or	byte ptr [eax+0A5h], 2
		sub	ecx, 1
		jnz	short loc_AE413A
		jmp	loc_ABECFA
; END OF FUNCTION CHUNK	FOR KiPerformGroupConfiguration
; 
; START	OF FUNCTION CHUNK FOR MiInitializeSystemPtes

loc_AE4157:				; CODE XREF: MiInitializeSystemPtes+F7j
		mov	ecx, [ebp+var_10]
		mov	edx, [ebp+var_C]
		mov	eax, [ebp+var_8]
		push	9
		add	eax, eax
		lea	edx, [edx+ecx]
		mov	ecx, offset unk_6D338C
		push	eax
		call	MiInitializeDynamicBitmap
		cmp	eax, 1
		jz	loc_ABEE5B
		and	ds:dword_7051B4, 0FFFFFFFDh
		jmp	loc_ABEE5B
; 

loc_AE4187:				; CODE XREF: MiInitializeSystemPtes+17Dj
		lea	eax, [esi+esi]
		mov	edx, eax
		and	eax, 7
		shr	edx, 3
		add	edx, dword_6D3390
		lea	eax, [eax+edi*2]
		push	eax
		push	9
		pop	ecx
		call	MiSplitBitmapPages
		test	eax, eax
		jnz	loc_ABEEE1
		and	ds:dword_7051B4, 0FFFFFFFDh
		jmp	loc_ABEEE1
; END OF FUNCTION CHUNK	FOR MiInitializeSystemPtes
; 
; START	OF FUNCTION CHUNK FOR MiInitializePteInfo

loc_AE41B8:				; CODE XREF: MiInitializePteInfo+69j
		test	ebx, ebx
		jz	loc_ABEFD4
		push	edi
		mov	edx, ebx
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)
		jmp	loc_ABEFD4
; END OF FUNCTION CHUNK	FOR MiInitializePteInfo
; 
; START	OF FUNCTION CHUNK FOR KiComputeNumaCosts

loc_AE41D2:				; CODE XREF: KiComputeNumaCosts+34j
		movzx	esi, ax
		imul	esi, esi
		push	634E654Bh
		imul	eax, esi, 0Ah
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	_KiActualNodeCost, edi
		test	edi, edi
		jnz	short loc_AE41FE
		xor	al, al
		jmp	loc_ABF014
; 

loc_AE41FE:				; CODE XREF: KiComputeNumaCosts+2521Dj
		lea	eax, [edi+esi*8]
		mov	_KiNodeGraph, eax
		test	esi, esi
		jz	short loc_AE4222
		or	dword ptr [edi], 0FFFFFFFFh
		lea	ecx, ds:0FFFFFFFBh[esi*8]
		or	dword ptr [edi+4], 0FFFFFFFFh
		mov	esi, edi
		shr	ecx, 2
		add	edi, 8
		rep movsd

loc_AE4222:				; CODE XREF: KiComputeNumaCosts+25230j
		xor	eax, eax
		lea	edi, [esp+168h+var_120]
		stosd
		xor	esi, esi
		mov	[esp+168h+var_15C], esi
		mov	ebx, esi
		mov	[esp+168h+var_144], esi
		stosd
		stosd
		movzx	eax, ds:_KeNumberNodes
		test	eax, eax
		jz	loc_AE4474

loc_AE4246:				; CODE XREF: KiComputeNumaCosts+25483j
		test	ds:_HvlEnlightenments, 800h
		mov	ecx, ds:_KeNodeBlock[ebx*4]
		jz	short loc_AE42D5
		test	eax, eax
		jz	loc_AE444A

loc_AE4261:				; CODE XREF: KiComputeNumaCosts+252F6j
		and	[esp+168h+var_138], 0
		lea	eax, [esp+168h+var_138]
		and	[esp+168h+var_134], 0
		push	eax
		push	esi
		push	ebx
		call	_HvlQueryNumaDistance@12 ; HvlQueryNumaDistance(x,x,x)
		mov	ecx, [esp+168h+var_138]
		mov	eax, ecx
		mov	edx, [esp+168h+var_134]
		and	eax, edx
		mov	edi, _KiActualNodeCost
		cmp	eax, 0FFFFFFFFh
		mov	ax, ds:_KeNumberNodes
		mov	word ptr [esp+168h+var_158], ax
		movzx	eax, ax
		jz	short loc_AE42B8
		shld	edx, ecx, 0Ah
		imul	eax, ebx
		shl	ecx, 0Ah
		shrd	ecx, edx, 0Ah
		shr	edx, 0Ah
		add	eax, esi
		mov	[edi+eax*8], ecx
		mov	[edi+eax*8+4], edx
		jmp	short loc_AE42C6
; 

loc_AE42B8:				; CODE XREF: KiComputeNumaCosts+252C2j
		imul	eax, ebx
		add	eax, esi
		or	dword ptr [edi+eax*8], 0FFFFFFFFh
		or	dword ptr [edi+eax*8+4], 0FFFFFFFFh

loc_AE42C6:				; CODE XREF: KiComputeNumaCosts+252DEj
		movzx	eax, word ptr [esp+168h+var_158]
		inc	esi
		cmp	esi, eax
		jb	short loc_AE4261
		jmp	loc_AE444A
; 

loc_AE42D5:				; CODE XREF: KiComputeNumaCosts+2527Fj
		movzx	edx, word ptr [ecx+8Ah]
		cmp	dx, [ecx+8Ch]
		jnz	loc_AE444A
		cmp	[ecx+84h], esi
		jnz	short loc_AE432B
		mov	esi, edx
		xor	edx, edx
		mov	[esp+168h+var_154], edx
		test	eax, eax
		jz	short loc_AE431F

loc_AE42FD:				; CODE XREF: KiComputeNumaCosts+25341j
		mov	ecx, ds:_KeNodeBlock[edx*4]
		cmp	[ecx+8Ch], si
		jnz	short loc_AE4316
		cmp	dword ptr [ecx+84h], 0
		jnz	short loc_AE431B

loc_AE4316:				; CODE XREF: KiComputeNumaCosts+25333j
		inc	edx
		cmp	edx, eax
		jb	short loc_AE42FD

loc_AE431B:				; CODE XREF: KiComputeNumaCosts+2533Cj
		mov	[esp+168h+var_154], edx

loc_AE431F:				; CODE XREF: KiComputeNumaCosts+25323j
		cmp	edx, eax
		jz	loc_AE444A
		xor	esi, esi
		jmp	short loc_AE432F
; 

loc_AE432B:				; CODE XREF: KiComputeNumaCosts+25317j
		mov	[esp+168h+var_154], ebx

loc_AE432F:				; CODE XREF: KiComputeNumaCosts+25351j
		mov	ax, [ecx+88h]
		mov	[esp+168h+var_11C], ax
		mov	eax, [ecx+84h]
		lea	ecx, [eax-1]
		xor	ecx, eax
		and	ecx, eax
		cmp	[esp+168h+var_15C], 0
		mov	[esp+168h+var_120], ecx
		jnz	short loc_AE4362
		lea	eax, [esp+168h+var_114]
		mov	[esp+168h+var_15C], 1
		push	eax
		jmp	short loc_AE4363
; 

loc_AE4362:				; CODE XREF: KiComputeNumaCosts+25379j
		push	esi

loc_AE4363:				; CODE XREF: KiComputeNumaCosts+25388j
		lea	eax, [esp+16Ch+var_120]
		push	eax
		call	KeSetSystemGroupAffinityThread
		xor	eax, eax
		mov	edi, esi
		mov	[esp+168h+var_150], edi
		cmp	ax, ds:_KeNumberNodes
		jnb	loc_AE444A
		mov	ebx, [esp+168h+var_154]

loc_AE4386:				; CODE XREF: KiComputeNumaCosts+25468j
		push	esi
		push	7
		push	edi
		push	esi
		push	1000h
		push	esi
		push	esi
		push	0FFFFFFFFh
		push	0FFFFFFFFh
		push	esi
		push	esi
		call	MmAllocatePartitionNodePagesForMdlEx
		mov	[esp+168h+var_140], eax
		test	eax, eax
		jz	loc_AE4432
		push	40000020h
		push	esi
		push	esi
		push	esi
		push	esi
		push	eax
		call	MmMapLockedPagesSpecifyCache
		mov	esi, eax
		test	esi, esi
		jz	short loc_AE441B
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	byte ptr [esp+168h+var_158], al
		lea	ecx, [esi+1000h]
		rdtsc
		mov	[esp+168h+var_148], eax
		mov	[esp+168h+var_13C], edx
		jmp	short loc_AE43E1
; 

loc_AE43DC:				; CODE XREF: KiComputeNumaCosts+2540Bj
		mov	eax, [esi]
		add	esi, 4

loc_AE43E1:				; CODE XREF: KiComputeNumaCosts+25402j
		cmp	esi, ecx
		jb	short loc_AE43DC
		mov	cl, byte ptr [esp+168h+var_158]
		rdtsc
		mov	esi, eax
		mov	edi, edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		sub	esi, [esp+168h+var_148]
		movzx	ecx, ds:_KeNumberNodes
		sbb	edi, [esp+168h+var_13C]
		mov	eax, _KiActualNodeCost
		imul	ecx, ebx
		add	ecx, [esp+168h+var_150]
		mov	[eax+ecx*8], esi
		mov	[eax+ecx*8+4], edi
		mov	edi, [esp+168h+var_150]

loc_AE441B:				; CODE XREF: KiComputeNumaCosts+253E4j
		mov	esi, [esp+168h+var_140]
		xor	edx, edx
		mov	ecx, esi
		call	_MiFreePagesFromMdl@8 ;	MiFreePagesFromMdl(x,x)
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	esi, esi

loc_AE4432:				; CODE XREF: KiComputeNumaCosts+253CBj
		movzx	eax, ds:_KeNumberNodes
		inc	edi
		mov	[esp+168h+var_150], edi
		cmp	edi, eax
		jb	loc_AE4386
		mov	ebx, [esp+168h+var_144]

loc_AE444A:				; CODE XREF: KiComputeNumaCosts+25283j
					; KiComputeNumaCosts+252F8j ...
		movzx	eax, ds:_KeNumberNodes
		inc	ebx
		mov	[esp+168h+var_144], ebx
		push	0
		pop	esi
		cmp	ebx, eax
		jb	loc_AE4246
		cmp	[esp+168h+var_15C], 1
		jnz	short loc_AE4472
		lea	eax, [esp+168h+var_114]
		push	eax
		call	KeRevertToUserGroupAffinityThread

loc_AE4472:				; CODE XREF: KiComputeNumaCosts+2548Ej
		xor	esi, esi

loc_AE4474:				; CODE XREF: KiComputeNumaCosts+25268j
		mov	[esp+168h+var_15C], esi
		xor	ebx, ebx
		mov	[esp+168h+var_150], esi
		xor	eax, eax
		movzx	esi, ds:_KeNumberNodes
		mov	[esp+168h+var_14C], ebx
		mov	[esp+168h+var_140], esi
		mov	[esp+168h+var_148], eax
		test	esi, esi
		jz	loc_AE4623

loc_AE449B:				; CODE XREF: KiComputeNumaCosts+25645j
		mov	edx, ds:_KeNodeBlock[eax*4]
		mov	[esp+168h+var_128], edx
		movzx	ecx, word ptr [edx+8Ah]
		cmp	cx, [edx+8Ch]
		jnz	loc_AE4616
		mov	edi, ecx
		imul	edi, esi
		xor	eax, eax
		mov	[esp+168h+var_13C], eax
		mov	[esp+168h+var_158], edi

loc_AE44C9:				; CODE XREF: KiComputeNumaCosts+25634j
		mov	eax, ds:_KeNodeBlock[eax*4]
		movzx	ecx, word ptr [eax+8Ah]
		cmp	cx, [eax+8Ch]
		jnz	loc_AE4601
		mov	edx, ecx
		mov	[esp+168h+var_138], edx
		lea	ecx, [edx+edi]
		mov	edi, _KiActualNodeCost
		mov	eax, [edi+ecx*8]
		and	eax, [edi+ecx*8+4]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_AE45FD
		mov	eax, [esp+168h+var_128]
		imul	esi, edx
		movzx	eax, word ptr [eax+8Ah]
		mov	[esp+168h+var_124], eax
		add	eax, esi
		mov	[esp+168h+var_12C], esi
		mov	esi, [edi+eax*8]
		mov	eax, [edi+eax*8+4]
		mov	[esp+168h+var_154], esi
		and	esi, eax
		cmp	esi, 0FFFFFFFFh
		mov	[esp+168h+var_144], eax
		mov	esi, [esp+168h+var_140]
		jz	short loc_AE4549
		mov	eax, [esp+168h+var_154]
		mov	[edi+ecx*8], eax
		mov	eax, [esp+168h+var_144]
		mov	[edi+ecx*8+4], eax
		jmp	loc_AE45FD
; 

loc_AE4549:				; CODE XREF: KiComputeNumaCosts+2555Bj
		mov	ecx, [esp+168h+var_124]
		mov	eax, esi
		imul	eax, ecx
		add	eax, edx
		mov	edx, ds:_KeNodeDistance
		mov	eax, [edx+eax*4]
		mov	[esp+168h+var_154], eax
		cmp	eax, 1
		jnz	short loc_AE457C
		mov	eax, [esp+168h+var_12C]
		add	eax, ecx
		mov	eax, [edx+eax*4]
		mov	[esp+168h+var_154], eax
		cmp	eax, 1
		jz	loc_AE45FD

loc_AE457C:				; CODE XREF: KiComputeNumaCosts+2558Cj
		test	ebx, ebx
		jnz	short loc_AE459B
		lea	ecx, [esp+168h+var_14C]
		call	_KiGetHalNumaConversionFactor@4	; KiGetHalNumaConversionFactor(x)
		mov	ebx, [esp+168h+var_14C]
		mov	ecx, eax
		mov	eax, edx
		mov	[esp+168h+var_15C], ecx
		mov	[esp+168h+var_150], eax
		jmp	short loc_AE45A3
; 

loc_AE459B:				; CODE XREF: KiComputeNumaCosts+255A6j
		mov	ecx, [esp+168h+var_15C]
		mov	eax, [esp+168h+var_150]

loc_AE45A3:				; CODE XREF: KiComputeNumaCosts+255C1j
		cmp	ebx, 2
		jnz	short loc_AE45C1
		mul	[esp+168h+var_154]
		push	0
		mov	ecx, eax
		mov	eax, [esp+16Ch+var_15C]
		mul	[esp+16Ch+var_154]
		push	64h
		add	ecx, edx
		pop	edx
		push	edx
		push	ecx
		jmp	short loc_AE45D6
; 

loc_AE45C1:				; CODE XREF: KiComputeNumaCosts+255CEj
		cmp	ebx, 3
		jnz	short loc_AE45E0
		mov	eax, [esp+168h+var_154]
		mov	esi, [esp+168h+var_150]
		push	64h
		pop	edx
		mul	edx
		push	esi
		push	ecx
		push	edx

loc_AE45D6:				; CODE XREF: KiComputeNumaCosts+255E7j
		push	eax
		call	__aulldiv
		mov	ecx, eax
		jmp	short loc_AE45E6
; 

loc_AE45E0:				; CODE XREF: KiComputeNumaCosts+255ECj
		or	ecx, 0FFFFFFFFh
		or	edx, 0FFFFFFFFh

loc_AE45E6:				; CODE XREF: KiComputeNumaCosts+25606j
		mov	eax, [esp+168h+var_138]
		add	eax, [esp+168h+var_158]
		mov	esi, [esp+168h+var_140]
		mov	ebx, [esp+168h+var_14C]
		mov	[edi+eax*8], ecx
		mov	[edi+eax*8+4], edx

loc_AE45FD:				; CODE XREF: KiComputeNumaCosts+25525j
					; KiComputeNumaCosts+2556Cj ...
		mov	edi, [esp+168h+var_158]

loc_AE4601:				; CODE XREF: KiComputeNumaCosts+25506j
		mov	eax, [esp+168h+var_13C]
		inc	eax
		mov	[esp+168h+var_13C], eax
		cmp	eax, esi
		jb	loc_AE44C9
		mov	eax, [esp+168h+var_148]

loc_AE4616:				; CODE XREF: KiComputeNumaCosts+254DCj
		inc	eax
		mov	[esp+168h+var_148], eax
		cmp	eax, esi
		jb	loc_AE449B

loc_AE4623:				; CODE XREF: KiComputeNumaCosts+254BDj
		xor	ebx, ebx
		mov	[esp+168h+var_148], ebx
		test	esi, esi
		jz	loc_AE471A
		lea	edi, [esp+168h+var_100]
		mov	[esp+168h+var_15C], edi

loc_AE4639:				; CODE XREF: KiComputeNumaCosts+2573Cj
		mov	eax, ds:_KeNodeBlock[ebx*4]
		movzx	eax, word ptr [eax+8Ch]
		imul	eax, esi
		mov	[esp+168h+var_138], eax
		xor	eax, eax
		mov	[esp+168h+var_14C], eax
		test	esi, esi
		jz	short loc_AE46B7
		mov	ebx, [esp+168h+var_138]
		lea	edi, [esp+168h+var_100]

loc_AE4660:				; CODE XREF: KiComputeNumaCosts+256D5j
		mov	ecx, ds:_KeNodeBlock[eax*4]
		mov	[edi-8], eax
		test	ecx, ecx
		jz	short loc_AE469C
		movzx	ecx, word ptr [ecx+8Ah]
		mov	eax, _KiActualNodeCost
		add	ecx, ebx
		mov	edx, [eax+ecx*8]
		mov	eax, [eax+ecx*8+4]
		mov	[edi], edx
		or	edx, eax
		mov	[edi+4], eax
		mov	eax, [esp+168h+var_14C]
		jnz	short loc_AE46A3
		and	dword ptr [edi+4], 0
		mov	dword ptr [edi], 1
		jmp	short loc_AE46A3
; 

loc_AE469C:				; CODE XREF: KiComputeNumaCosts+25694j
		or	dword ptr [edi], 0FFFFFFFFh
		or	dword ptr [edi+4], 0FFFFFFFFh

loc_AE46A3:				; CODE XREF: KiComputeNumaCosts+256B6j
					; KiComputeNumaCosts+256C2j
		inc	eax
		add	edi, 10h
		mov	[esp+168h+var_14C], eax
		cmp	eax, esi
		jb	short loc_AE4660
		mov	ebx, [esp+168h+var_148]
		mov	edi, [esp+168h+var_15C]

loc_AE46B7:				; CODE XREF: KiComputeNumaCosts+2567Ej
		and	dword ptr [edi], 0
		lea	eax, [esp+168h+var_108]
		and	dword ptr [edi+4], 0
		push	offset _KiNodeCostSort ; int __cdecl (*)(const void *,const void *)
		push	10h		; size_t
		push	esi		; size_t
		push	eax		; void *
		call	_qsort
		movzx	esi, ds:_KeNumberNodes
		add	esp, 10h
		test	esi, esi
		jz	short loc_AE4706
		mov	eax, _KiNodeGraph
		lea	edx, [esp+168h+var_108]
		mov	ecx, esi
		mov	edi, esi
		imul	ecx, ebx
		lea	ecx, [eax+ecx*2]

loc_AE46F1:				; CODE XREF: KiComputeNumaCosts+25728j
		mov	ax, [edx]
		lea	edx, [edx+10h]
		mov	[ecx], ax
		lea	ecx, [ecx+2]
		sub	edi, 1
		jnz	short loc_AE46F1
		mov	edi, [esp+168h+var_15C]

loc_AE4706:				; CODE XREF: KiComputeNumaCosts+25704j
		inc	ebx
		add	edi, 10h
		mov	[esp+168h+var_148], ebx
		mov	[esp+168h+var_15C], edi
		cmp	ebx, esi
		jb	loc_AE4639

loc_AE471A:				; CODE XREF: KiComputeNumaCosts+25653j
		xor	ecx, ecx
		inc	ecx
		jmp	loc_ABF012
; END OF FUNCTION CHUNK	FOR KiComputeNumaCosts
; 
; START	OF FUNCTION CHUNK FOR KiIntSteerDetermineSteeringEnabled

loc_AE4722:				; CODE XREF: KiIntSteerDetermineSteeringEnabled+32j
		test	byte ptr ds:_HvlpFlags,	2
		jz	loc_ABF0F5
		call	_HvlIsNestedRootPartition@0 ; HvlIsNestedRootPartition()
		test	eax, eax
		jz	loc_ABF0E5
		jmp	loc_ABF0F5
; END OF FUNCTION CHUNK	FOR KiIntSteerDetermineSteeringEnabled
; 
; START	OF FUNCTION CHUNK FOR KiInitMachineDependent

loc_AE4741:				; CODE XREF: KiInitMachineDependent+AFj
		cmp	_KiXMMIZeroingEnable, 1
		jnz	loc_ABF1B9
		jmp	loc_ABF1AF
; 

loc_AE4753:				; CODE XREF: KiInitMachineDependent+C9j
		test	al, 2
		jnz	short loc_AE476E
		cmp	byte ptr ds:0FFDF02ECh,	0
		jz	short loc_AE4765
		xor	ecx, ecx
		inc	ecx
		jmp	short loc_AE476E
; 

loc_AE4765:				; CODE XREF: KiInitMachineDependent+25664j
		mov	ecx, ds:_KiTLBCOverride
		and	ecx, 1

loc_AE476E:				; CODE XREF: KiInitMachineDependent+2565Bj
					; KiInitMachineDependent+25669j
		mov	ds:_KiTLBCOverride, ecx
		jmp	loc_ABF1D0
; 

loc_AE4779:				; CODE XREF: KiInitMachineDependent+122j
		mov	cl, bl
		call	_KiInitializeCacheErrataSupport@4 ; KiInitializeCacheErrataSupport(x)
		test	al, al
		jnz	loc_ABF222

loc_AE4788:				; CODE XREF: KiInitMachineDependent+2569Cj
		xor	al, al
		jmp	loc_ABF306
; 

loc_AE478F:				; CODE XREF: KiInitMachineDependent+143j
		call	_KiI386PentiumLockErrataFixup@0	; KiI386PentiumLockErrataFixup()
		test	al, al
		jz	short loc_AE4788
		jmp	loc_ABF243
; 

loc_AE479D:				; CODE XREF: KiInitMachineDependent+187j
		mov	ecx, 1A0h
		rdmsr
		or	eax, 8000000h
		or	edx, ebx
		wrmsr
		jmp	loc_ABF287
; 

loc_AE47B2:				; CODE XREF: KiInitMachineDependent+175j
		push	ebx
		push	ecx
		push	eax
		push	800h
		push	3Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AE47C2:				; CODE XREF: KiInitializeMTRR+1F0j
		mov	ecx, 0C0010010h
		rdmsr
		xor	ecx, ecx
		and	eax, 40000h
		and	edx, ecx
		or	eax, edx
		jz	loc_ABF50C
		mov	byte_6C75B1, 1
		jmp	loc_ABF50C
; END OF FUNCTION CHUNK	FOR KiInitMachineDependent
; 
; START	OF FUNCTION CHUNK FOR KiInitializeMTRR

loc_AE47E6:				; CODE XREF: KiInitializeMTRR+228j
		mov	eax, dword_6C75AC
		and	dword_6C75A8, 0FFFFFBFFh
		mov	dword_6C75AC, eax
		jmp	loc_ABF544
; 

loc_AE47FF:				; CODE XREF: KiInitializeMTRR+1FFj
					; KiInitializeMTRR+20Ej
		mov	eax, ds:_KeFeatureBits
		and	eax, 40h
		or	eax, ecx
		jz	short loc_AE4851
		mov	eax, dword_6C75A8
		and	eax, 1FFh
		or	eax, ecx
		jz	short loc_AE4851
		and	esi, 800h
		or	esi, ecx
		jnz	short loc_AE4851
		cmp	byte ptr [ebx+3BEh], 2
		jnz	short loc_AE4835
		cmp	byte ptr _KiMtrrInfo, 6
		jz	short loc_AE4851

loc_AE4835:				; CODE XREF: KiInitializeMTRR+25514j
		cmp	_KdDebuggerEnabled, 0
		jz	short loc_AE4851
		push	(offset	loc_ADEA3D+1) ;	char *
		push	ecx		; int
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		int	3		; Trap to Debugger
		xor	ecx, ecx

loc_AE4851:				; CODE XREF: KiInitializeMTRR+254F3j
					; KiInitializeMTRR+25501j ...
		mov	[ebp+var_1], cl
		jmp	loc_ABF339
; 

loc_AE4859:				; CODE XREF: KiInitializeMTRR+37j
		mov	eax, dword_6C75A8
		and	eax, 100h
		or	eax, ecx
		jz	loc_ABF353

loc_AE486B:				; CODE XREF: KiInitializeMTRR+2Aj
		mov	[ebp+var_1], cl
		mov	ebx, ecx
		mov	[ebp+var_2C], ecx
		jmp	loc_ABF3B5
; 

loc_AE4878:				; CODE XREF: KiInitializeMTRR+60j
		and	ebx, 0FFFFFBFFh
		jmp	loc_ABF37C
; 

loc_AE4883:				; CODE XREF: KiInitializeMTRR+8Dj
					; KiInitializeMTRR+99j
		push	offset ??_C@_0EK@BBJAFGHH@KiInitializeMTRR?3?5MTRR_MSR_DEFA@PBOPGDP@ ; char *
		xor	ecx, ecx
		push	ecx		; int
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		jmp	loc_ABF3B5
; 

loc_AE489A:				; CODE XREF: KiInitializeMTRR+6Ej
					; KiInitializeMTRR+7Aj
		push	eax
		push	eax
		push	eax
		push	40h
		push	3Eh		; char
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE48A6:				; CODE XREF: KiInitializeMTRR+15Ej
		push	offset ??_C@_0DD@INEKMLNH@KiInitializeMTRR?3?5Found?5non?9con@PBOPGDP@ ; char *
		xor	ecx, ecx
		push	ecx		; int
		push	65h		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		xor	eax, eax
		mov	[ebp+var_1], al
		jmp	loc_ABF47A
; 

loc_AE48C2:				; CODE XREF: KiInitializeMTRR+A3j
					; KiInitializeMTRR+B7j
		mov	eax, dword_6C75B4
		xor	ebx, ebx
		test	eax, eax
		jz	short loc_AE48DA
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword_6C75B4, ebx

loc_AE48DA:				; CODE XREF: KiInitializeMTRR+255B5j
		mov	eax, dword_6C75B8
		test	eax, eax
		jz	loc_ABF3DD
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword_6C75B8, ebx
		jmp	loc_ABF3DD
; END OF FUNCTION CHUNK	FOR KiInitializeMTRR
; 
; START	OF FUNCTION CHUNK FOR KiInitializeReservedCpuSets

loc_AE48F9:				; CODE XREF: KiInitializeReservedCpuSets+97j
		cmp	[ebp+var_1C], 3
		jnz	loc_ABF697
		mov	edx, [ebp+var_18]
		test	dl, 7
		jnz	loc_ABF697
		shr	edx, 3
		lea	ecx, [ebp+var_14]
		call	_KiValidateCpuSetMasks@8 ; KiValidateCpuSetMasks(x,x)
		test	eax, eax
		js	loc_ABF697
		cmp	edx, 1
		jb	short loc_AE492A
		xor	edx, edx
		inc	edx

loc_AE492A:				; CODE XREF: KiInitializeReservedCpuSets+2532Bj
		mov	ecx, esi
		test	edx, edx
		jz	short loc_AE4940

loc_AE4930:				; CODE XREF: KiInitializeReservedCpuSets+25344j
		mov	eax, [ebp+ecx*8+var_14]
		mov	ds:_KiReservedCpuSets[ecx*4], eax
		inc	ecx
		cmp	ecx, edx
		jb	short loc_AE4930

loc_AE4940:				; CODE XREF: KiInitializeReservedCpuSets+25334j
					; KiInitializeReservedCpuSets+25354j
		push	esi
		xor	edx, edx
		xor	ecx, ecx
		call	KeSetSystemAllowedCpuSets
		inc	esi
		cmp	esi, 2
		jl	short loc_AE4940
		jmp	loc_ABF697
; END OF FUNCTION CHUNK	FOR KiInitializeReservedCpuSets
; 
; START	OF FUNCTION CHUNK FOR MmFreeLoaderBlock

loc_AE4955:				; CODE XREF: MmFreeLoaderBlock+128j
		mov	dword_6D35A8, esi
		call	_MmFreeBootRegistry@0 ;	MmFreeBootRegistry()
		jmp	loc_ABF7E2
; END OF FUNCTION CHUNK	FOR MmFreeLoaderBlock
; 
; START	OF FUNCTION CHUNK FOR MiFreeRegistryPageRange

loc_AE4965:				; CODE XREF: MiFreeRegistryPageRange+3Fj
					; MiFreeRegistryPageRange+24E95j
		lea	ecx, [ebp+var_8]
		call	KeYieldProcessorEx
		mov	eax, [esi]
		test	eax, eax
		js	short loc_AE4965
		jmp	loc_ABFB16
; END OF FUNCTION CHUNK	FOR MiFreeRegistryPageRange
; 
; START	OF FUNCTION CHUNK FOR IoInitSystem

loc_AE4978:				; CODE XREF: IoInitSystem+247D0j
		push	0Bh
		xor	edx, edx
		pop	ecx
		call	_HdlspKernelAddLogEntry@8 ; HdlspKernelAddLogEntry(x,x)

loc_AE4982:				; CODE XREF: IoInitSystem+247C8j
					; IoInitSystem+247CEj
		mov	_IopInitFailCode, 8

loc_AE498C:				; CODE XREF: IoInitSystem+19j
		xor	al, al
		jmp	loc_AC021D
; 

loc_AE4993:				; CODE XREF: IoInitSystem+2Cj
		mov	eax, _HeadlessGlobals
		test	eax, eax
		jz	short loc_AE4982
		cmp	dword ptr [eax+4], 0
		jz	short loc_AE4982
		jmp	short loc_AE4978
; END OF FUNCTION CHUNK	FOR IoInitSystem
; 
; START	OF FUNCTION CHUNK FOR PoInitSystem

loc_AE49A4:				; CODE XREF: PoInitSystem+2B4j
		mov	eax, 12Ch
		cmp	ecx, eax
		jbe	loc_AC1519
		mov	ecx, eax
		jmp	loc_AC1513
; 

loc_AE49B8:				; CODE XREF: PoInitSystem+510j
		mov	ds:_PpmExitLatencyCheckEnabled,	ebx
		mov	_PpmExitLatencySamplingPercentage, ebx
		jmp	loc_AC176C
; 

loc_AE49C9:				; CODE XREF: PoInitSystem+614j
		xor	eax, eax
		test	ecx, ecx
		setnz	al
		mov	ds:_PpmPerfArtificialDomainEnabled, eax
		jmp	loc_AC1870
; 

loc_AE49DA:				; CODE XREF: PoInitSystem+68Bj
		xor	esi, esi
		jmp	short loc_AE49E1
; 

loc_AE49DE:				; CODE XREF: PoInitSystem+6B7j
		xor	esi, esi
		inc	esi

loc_AE49E1:				; CODE XREF: PoInitSystem+682j
					; PoInitSystem+6A2j ...
		mov	ds:_PoSkipTickMode, esi
		cmp	esi, 2
		jz	short loc_AE49F3
		test	bl, bl
		jz	short loc_AE49FD
		cmp	esi, 2

loc_AE49F3:				; CODE XREF: PoInitSystem+23794j
		setz	cl
		mov	dl, bl
		call	_PopDiagTraceSkipTick@8	; PopDiagTraceSkipTick(x,x)

loc_AE49FD:				; CODE XREF: PoInitSystem+23798j
		xor	ebx, ebx
		jmp	loc_AC191B
; 

loc_AE4A04:				; CODE XREF: PoInitSystem+6F2j
		push	ebx		; int
		push	ebx		; void *
		push	0Fh
		pop	edx
		push	10h
		pop	ecx
		call	PopLogSleepDisabled
		jmp	loc_AC194E
; 

loc_AE4A16:				; CODE XREF: PoInitSystem+6FFj
		push	ebx		; int
		push	ebx		; void *
		push	7
		pop	edx
		push	11h
		pop	ecx
		call	PopLogSleepDisabled
		jmp	loc_AC195B
; 

loc_AE4A28:				; CODE XREF: PoInitSystem+716j
		push	ebx		; int
		push	ebx		; void *
		push	4
		pop	edx
		push	15h
		pop	ecx
		mov	_PopSecureLaunched, 1
		call	PopLogSleepDisabled
		jmp	loc_AC1972
; 

loc_AE4A41:				; CODE XREF: PoInitSystem+732j
		mov	byte_6C2E3E, 1
		mov	dword_6C2E40, 64h
		mov	dword_6C2E44, 190h
		mov	dword_6C2E48, 0Ah
		mov	dword_6C2E4C, 0FFFFh
		mov	dword_6C2E60, 4
		mov	dword_6C2E68, 2
		jmp	loc_AC198E
; 

loc_AE4A89:				; CODE XREF: PoInitSystem+73Aj
		mov	dword ptr _PopCapabilities, 1010101h
		mov	word_6C2E24, 101h
		mov	byte_6C2E26, 1
		mov	word ptr unk_6C2E31, 101h
		jmp	loc_AC1996
; 

loc_AE4AB1:				; CODE XREF: PoInitSystem+813j
		lea	eax, [ebp+var_8]
		mov	[ebp+var_8], 1
		push	eax		; int
		push	(offset	loc_4286AE+2) ;	void *
		call	EmClientQueryRuleState
		cmp	[ebp+var_8], 2
		jnz	short loc_AE4AD3
		mov	_PopErrataReportingIncorrectLidState, 1

loc_AE4AD3:				; CODE XREF: PoInitSystem+23874j
		cmp	_PopPlatformAoAc, 0
		jz	loc_AC1A6F
		mov	eax, _PopLidStateForInputSuppressionOverride
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AE4AF3
		test	eax, eax
		setnz	_PopIgnoreLidStateForInputSuppression

loc_AE4AF3:				; CODE XREF: PoInitSystem+23892j
		call	_PopReadErrataDeviceAllowedForInputSuppression@0 ; PopReadErrataDeviceAllowedForInputSuppression()
		mov	_PopEnableInputSuppression, al
		test	al, al
		jnz	loc_AC1A6F
		mov	eax, _PopEnableInputSuppressionOverride
		cmp	eax, 0FFFFFFFFh
		jz	loc_AC1A6F
		test	eax, eax
		setnz	_PopEnableInputSuppression
		jmp	loc_AC1A6F
; END OF FUNCTION CHUNK	FOR PoInitSystem
; 
; START	OF FUNCTION CHUNK FOR PopEsInit

loc_AE4B21:				; CODE XREF: PopEsInit+40j
		cmp	ecx, 3
		jnz	loc_AC1ABF
		mov	eax, large fs:124h
		dec	word ptr [eax+13Ch]
		nop
		mov	edi, offset _PopEsLock
		xor	edx, edx
		mov	ecx, edi
		call	ExAcquirePushLockExclusiveEx
		mov	eax, large fs:124h
		xor	esi, esi
		push	esi		; int
		push	esi		; int
		push	offset _PopEsInStandbyLowPowerEpochCallback@16 ; int
		push	(offset	loc_407FB3+5) ;	void *
		push	esi		; int
		mov	dword_6BFD2C, eax
		call	PoRegisterPowerSettingCallback
		push	esi		; int
		push	esi		; int
		push	offset _PopEsInStandbyLowPowerEpochCallback@16 ; int
		push	offset _GUID_LOW_POWER_EPOCH ; void *
		push	esi		; int
		call	PoRegisterPowerSettingCallback
		push	esi
		push	offset _PopEsWnfOpportunisticCsCallback@24 ; PopEsWnfOpportunisticCsCallback(x,x,x,x,x,x)
		push	esi
		push	1
		push	offset _WNF_PO_OPPORTUNISTIC_CS
		push	offset _PopEsWnfSubscriptionOpportunisticCs
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		cmp	dword_6BFD2C, esi
		jz	short loc_AE4B9D
		mov	dword_6BFD2C, esi

loc_AE4B9D:				; CODE XREF: PopEsInit+23109j
		xor	edx, edx
		mov	ecx, edi
		call	ExReleasePushLockEx
		call	_KeLeaveCriticalRegion@0 ; KeLeaveCriticalRegion()
		jmp	loc_AC1ABF
; END OF FUNCTION CHUNK	FOR PopEsInit
; 
; START	OF FUNCTION CHUNK FOR SshInitialize

loc_AE4BB0:				; CODE XREF: SshInitialize+68j
		mov	esi, 0C000000Dh
		jmp	loc_AC1B81
; END OF FUNCTION CHUNK	FOR SshInitialize
; 
; START	OF FUNCTION CHUNK FOR PopNetInitialize

loc_AE4BBA:				; CODE XREF: PopNetInitialize+A3j
		mov	edi, 0C0000017h
		jmp	loc_AC1DA2
; 

loc_AE4BC4:				; CODE XREF: PopNetInitialize+28j
		mov	edx, _PopNetStandbyReason
		mov	ecx, _PopNetStandbyState
		call	PopTraceStandbyConnectivityUpdate
		jmp	loc_AC1D4E
; 

loc_AE4BDA:				; CODE XREF: PopNetInitialize+34j
		push	2
		jmp	loc_AC1D70
; 

loc_AE4BE1:				; CODE XREF: PopNetInitialize+48j
		cmp	_PopNetStandbyStatePublished, bl
		jnz	loc_AC1D76
		cmp	_PopNetStandbyState, ebx
		jnz	loc_AC1D76
		mov	cl, 1
		call	_PopNetPublishWnfStateUpdate@4 ; PopNetPublishWnfStateUpdate(x)
		jmp	loc_AC1D76
; 

loc_AE4C05:				; CODE XREF: PopNetInitialize+70j
		cmp	ds:_PopEnforceDisconnectedStandby, ebx
		jnz	loc_AC1D96
		push	ebx
		push	offset _PopNetWnfLowPowerEpochCallback@24 ; PopNetWnfLowPowerEpochCallback(x,x,x,x,x,x)
		push	ebx
		push	1
		push	(offset	loc_425459+3)
		lea	eax, [ebp+var_C]
		push	eax
		call	_ExSubscribeWnfStateChange@24 ;	ExSubscribeWnfStateChange(x,x,x,x,x,x)
		jmp	loc_AC1D96
; 

loc_AE4C2D:				; CODE XREF: PopNetInitialize+7Cj
		push	74654E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AC1DA2
; END OF FUNCTION CHUNK	FOR PopNetInitialize
; 
; START	OF FUNCTION CHUNK FOR PspInitPhase0

loc_AE4C3D:				; CODE XREF: PspInitPhase0+167j
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, offset _PspSystemMitigationOptions
		rep stosd
		jmp	loc_AC1FF5
; 

loc_AE4C4E:				; CODE XREF: PspInitPhase0+1AAj
		sub	ebx, eax
		lea	eax, _PspSystemMitigationAuditOptions[eax]
		push	ebx		; size_t
		xor	ebx, ebx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_AC203A
; 

loc_AE4C68:				; CODE XREF: PspInitPhase0+1C8j
		push	[ebp+var_64]	; size_t
		push	ebx		; int
		push	offset _PspSystemMitigationAuditOptions	; void *
		call	_memset
		add	esp, 0Ch
		jmp	loc_AC2056
; END OF FUNCTION CHUNK	FOR PspInitPhase0
; 
; START	OF FUNCTION CHUNK FOR ExpInitSystemPhase1

loc_AE4C7E:				; CODE XREF: ExpInitSystemPhase1+14Ej
		cmp	eax, 0C00000BBh
		setnz	cl
		dec	cl
		and	bh, cl
		jmp	loc_AC319C
; END OF FUNCTION CHUNK	FOR ExpInitSystemPhase1
; 
; START	OF FUNCTION CHUNK FOR ObInitSystem

loc_AE4C8F:				; CODE XREF: ObInitSystem+89j
		push	40h
		pop	esi
		push	20h
		jmp	loc_AC35D2
; 

loc_AE4C99:				; CODE XREF: ObInitSystem+3D3j
					; ObInitSystem+3E0j
		mov	eax, _SeWorldSid
		movzx	eax, byte ptr [eax+1]
		lea	eax, ds:1Ch[eax*4]
		cmp	eax, 0FAh
		jnb	loc_AC3AAE
		push	2		; int
		push	eax		; size_t
		lea	eax, [ebp+var_108]
		push	eax		; void *
		call	_RtlCreateAcl@12 ; RtlCreateAcl(x,x,x)
		test	eax, eax
		js	loc_AC3AAE
		sub	esp, 0Ch
		lea	ecx, [ebp+var_108]
		push	60000000h
		call	_RtlAddAuditAccessAce@24 ; RtlAddAuditAccessAce(x,x,x,x,x,x)
		test	eax, eax
		js	loc_AC3AAE
		lea	eax, [ebp+var_110]
		push	eax
		push	ebx
		lea	eax, [ebp+var_108]
		push	eax
		call	_RtlGetAce@12	; RtlGetAce(x,x,x)
		test	eax, eax
		js	loc_AC3AAE
		cmp	_ObpAuditBaseDirectories, 0
		mov	eax, [ebp+var_110]
		jz	short loc_AE4D15
		or	byte ptr [eax+1], 0Ah

loc_AE4D15:				; CODE XREF: ObInitSystem+217D1j
		cmp	_ObpAuditBaseObjects, 0
		jz	short loc_AE4D22
		or	byte ptr [eax+1], 9

loc_AE4D22:				; CODE XREF: ObInitSystem+217DEj
		lea	esi, [ebp+var_1B4]
		push	1
		mov	eax, esi
		push	eax
		call	_RtlCreateSecurityDescriptor@8 ; RtlCreateSecurityDescriptor(x,x)
		test	eax, eax
		js	loc_AC3AAE
		push	ebx
		push	ds:_SePublicDefaultUnrestrictedDacl
		mov	eax, esi
		push	1
		push	eax
		call	RtlSetDaclSecurityDescriptor
		test	eax, eax
		js	loc_AC3AAE
		push	ebx
		lea	eax, [ebp+var_108]
		push	eax
		push	1
		mov	eax, esi
		push	eax
		call	_RtlSetSaclSecurityDescriptor@16 ; RtlSetSaclSecurityDescriptor(x,x,x,x)
		test	eax, eax
		js	loc_AC3AAE
		jmp	loc_AC3924
; 

loc_AE4D72:				; CODE XREF: ObInitSystem+4C5j
		xor	edx, edx
		jmp	loc_AC3A1B
; END OF FUNCTION CHUNK	FOR ObInitSystem
; 
; START	OF FUNCTION CHUNK FOR IoCreateObjectTypes

loc_AE4D79:				; CODE XREF: IoCreateObjectTypes+125j
		test	_VfRuleClasses,	0FFAFFFFFh
		jnz	short loc_AE4D92
		test	byte ptr dword_6FDE00, 6
		jz	loc_AC3DD3

loc_AE4D92:				; CODE XREF: IoCreateObjectTypes+210DBj
		or	byte ptr [ebp+var_60+2], 20h
		jmp	loc_AC3DD3
; END OF FUNCTION CHUNK	FOR IoCreateObjectTypes
; 
; START	OF FUNCTION CHUNK FOR PspInitializeSiloStructures

loc_AE4D9B:				; CODE XREF: PspInitializeSiloStructures+7Cj
		mov	ecx, ds:_PsObjectDirectorySiloContextSlot
		jmp	short loc_AE4DB4
; 

loc_AE4DA3:				; CODE XREF: PspInitializeSiloStructures+8Ej
		mov	ecx, ds:_PsObjectDirectorySiloContextSlot
		call	_PspStorageFreeSlot@4 ;	PspStorageFreeSlot(x)
		mov	ecx, ds:_PsObjectDirectoryTeardownSlot

loc_AE4DB4:				; CODE XREF: PspInitializeSiloStructures+20D6Dj
		call	_PspStorageFreeSlot@4 ;	PspStorageFreeSlot(x)
		jmp	loc_AC4175
; 

loc_AE4DBE:				; CODE XREF: PspInitializeSiloStructures+11Ej
		mov	ecx, _PsSiloContextPagedType
		jmp	short loc_AE4DD7
; 

loc_AE4DC6:				; CODE XREF: PspInitializeSiloStructures+130j
		mov	ecx, _PsSiloContextPagedType
		call	ObfDereferenceObject
		mov	ecx, _PsSiloContextNonPagedType

loc_AE4DD7:				; CODE XREF: PspInitializeSiloStructures+20D90j
		call	ObfDereferenceObject
		jmp	loc_AC4175
; END OF FUNCTION CHUNK	FOR PspInitializeSiloStructures
; 
; START	OF FUNCTION CHUNK FOR WheapQueryPshedForErrorSources

loc_AE4DE1:				; CODE XREF: WheapQueryPshedForErrorSources+44j
		inc	_WheapStatus
		mov	eax, 0C000009Ah
		or	dword_6BB454, 1
		jmp	loc_AC48B2
; 

loc_AE4DF8:				; CODE XREF: WheapQueryPshedForErrorSources+5Ej
		inc	_WheapStatus
		or	dword_6BB454, 20h
		mov	dword_6BB458, eax
		jmp	short loc_AE4E19
; 

loc_AE4E0C:				; CODE XREF: WheapQueryPshedForErrorSources+30j
		inc	_WheapStatus
		or	dword_6BB454, 4

loc_AE4E19:				; CODE XREF: WheapQueryPshedForErrorSources+205C8j
		mov	eax, 0C0000001h
		jmp	loc_AC48B2
; END OF FUNCTION CHUNK	FOR WheapQueryPshedForErrorSources
; 
; START	OF FUNCTION CHUNK FOR EtwpInitialize

loc_AE4E23:				; CODE XREF: EtwpInitialize+98j
		mov	ecx, [ebp+var_50]
		sub	ecx, eax
		mov	eax, [ebp+var_4C]
		mov	_EtwpRefQpcDelta, ecx
		sbb	eax, edx
		mov	dword_6BC19C, eax
		jmp	loc_AC4954
; 

loc_AE4E3D:				; CODE XREF: EtwpInitialize+7Dj
		push	esi
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	_EtwpRefTimePerfCounter, eax
		mov	dword_6BC164, edx
		jmp	loc_AC4954
; 

loc_AE4E54:				; CODE XREF: EtwpInitialize+B2j
		push	esi
		push	esi
		push	eax
		push	1
		jmp	short loc_AE4E61
; 

loc_AE4E5B:				; CODE XREF: EtwpInitialize+D9j
		push	0
		push	esi
		push	eax
		push	2

loc_AE4E61:				; CODE XREF: EtwpInitialize+205A3j
		push	11Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE4E6B:				; CODE XREF: EtwpInitialize+1C8j
		push	(offset	loc_ADE8EB+1)
		lea	eax, [ebp+var_28]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	eax, [ebp+var_28]
		mov	[ebp+var_40], 18h
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_40]
		push	ebx
		push	eax
		push	offset _EtwpKsrCallbackObject
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_34], 50h
		mov	[ebp+var_30], ebx
		mov	[ebp+var_2C], ebx
		call	_ExCreateCallback@16 ; ExCreateCallback(x,x,x,x)
		test	eax, eax
		js	loc_AC4A84
		push	ebx
		push	offset _EtwpKsrCallback@12 ; EtwpKsrCallback(x,x,x)
		push	ds:_EtwpKsrCallbackObject
		call	ExRegisterCallback
		jmp	loc_AC4A84
; 

loc_AE4EC5:				; CODE XREF: EtwpInitialize+1ADj
					; EtwpInitialize+1E1j
		push	11Dh
		call	_KeBugCheck@4	; KeBugCheck(x)
		int	3		; Trap to Debugger

loc_AE4ED0:				; CODE XREF: KseInitialize+35j
		mov	eax, 103h
		jmp	loc_AC4DE4
; END OF FUNCTION CHUNK	FOR EtwpInitialize
; 
; START	OF FUNCTION CHUNK FOR KseInitialize

loc_AE4EDA:				; CODE XREF: KseInitialize+54j
		mov	eax, 0C0000001h
		jmp	loc_AC4DE4
; 

loc_AE4EE4:				; CODE XREF: KseInitialize+61j
					; KseInitialize+70j ...
		cmp	_ViVerifierEnabled, esi
		jz	short loc_AE4EF3
		or	dword_6D4A7C, 40h

loc_AE4EF3:				; CODE XREF: KseInitialize+2021Cj
		test	eax, eax
		jz	short loc_AE4F01
		or	dword_6D4A7C, 100h

loc_AE4F01:				; CODE XREF: KseInitialize+20227j
		mov	eax, [ebx+84h]
		cmp	[eax+28h], esi
		jz	short loc_AE4F11
		cmp	[eax+2Ch], esi
		jnz	short loc_AE4F1B

loc_AE4F11:				; CODE XREF: KseInitialize+2023Cj
		or	dword_6D4A7C, 80h

loc_AE4F1B:				; CODE XREF: KseInitialize+20241j
		mov	esi, 0C00000BBh

loc_AE4F20:				; CODE XREF: KseInitialize+8Dj
					; KseInitialize+9Ej ...
		mov	ecx, offset _KseEngine
		mov	dword_6D4A78, 0
		call	_KsepEngineUninitialize@4 ; KsepEngineUninitialize(x)
		mov	eax, edi
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		mov	ecx, 0C00000BBh
		and	eax, 3Fh
		push	5
		cmp	esi, ecx
		jnz	short loc_AE4FB3
		test	_KsepDebugFlag,	2
		mov	ebx, offset ??_C@_0GK@EKNHKKIG@KSE?3?5Engine?5not?5initialized?5?$CIdi@PBOPGDP@
		mov	dword_6C7024[eax*8], ecx
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 120h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_AE4F81
		push	ebx		; char *
		push	edi		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_AE4F81:				; CODE XREF: KseInitialize+202A8j
		push	ebx		; char *
		push	edi		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx
		jmp	loc_AC4DE2
; 

loc_AE4F8F:				; CODE XREF: KseInitialize+13Fj
					; KseInitialize+14Aj
		or	dword_6D4A7C, 80h
		mov	esi, 0C00000BBh
		jmp	loc_AC4E23
; 

loc_AE4FA3:				; CODE XREF: KseInitialize+F0j
		push	edx		; char
		push	ebx		; char *
		push	edi		; int
		call	_KsepDebugPrint
		add	esp, 0Ch
		jmp	loc_AC4DC4
; 

loc_AE4FB3:				; CODE XREF: KseInitialize+2027Dj
		test	_KsepDebugFlag,	2
		mov	ebx, offset ??_C@_0CC@IJLGGAFB@KSE?3?5Initialization?5failed?3?50x?$CF@PBOPGDP@
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 124h
		mov	dword_6C7024[eax*8], esi
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_AE4FE9
		push	esi		; char
		push	ebx		; char *
		push	edi		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_AE4FE9:				; CODE XREF: KseInitialize+2030Ej
		push	esi		; char
		push	ebx		; char *
		push	edi		; int
		call	_KsepLogError
		add	esp, 0Ch
		jmp	loc_AC4DE2
; END OF FUNCTION CHUNK	FOR KseInitialize
; 
		align 4
; START	OF FUNCTION CHUNK FOR PpInitializeBootDDB

loc_AE4FFC:				; CODE XREF: PpInitializeBootDDB+61j
		mov	edx, [edx+34h]
		push	offset _PpDDBPatchHandle
		push	offset _PpBootDDBPatch
		call	PpBootDDBHelper
		jmp	loc_AC5B77
; END OF FUNCTION CHUNK	FOR PpInitializeBootDDB
; 
; START	OF FUNCTION CHUNK FOR WmipDriverEntry

loc_AE5013:				; CODE XREF: WmipDriverEntry+E4j
		push	_WmipServiceDeviceObject
		call	IoDeleteDevice
		jmp	loc_AC5CF1
; END OF FUNCTION CHUNK	FOR WmipDriverEntry
; 
; START	OF FUNCTION CHUNK FOR PiDaDriverEntry

loc_AE5023:				; CODE XREF: PiDaDriverEntry+8Cj
		test	ecx, ecx
		jz	loc_AC5D95
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag
		jmp	loc_AC5D95
; END OF FUNCTION CHUNK	FOR PiDaDriverEntry
; 
; START	OF FUNCTION CHUNK FOR WmipInitializeSecurity

loc_AE503A:				; CODE XREF: WmipInitializeSecurity+68j
		mov	eax, 0C000009Ah
		jmp	loc_AC5F9F
; 

loc_AE5044:				; CODE XREF: WmipInitializeSecurity+7Bj
					; WmipInitializeSecurity+98j ...
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	ds:_WmipDefaultAccessSd, 0
		mov	eax, esi
		jmp	loc_AC5F9F
; END OF FUNCTION CHUNK	FOR WmipInitializeSecurity
; 
; START	OF FUNCTION CHUNK FOR WmipInitializeDataStructs

loc_AE505A:				; CODE XREF: WmipInitializeDataStructs+82j
		mov	eax, 0C000009Ah
		jmp	loc_AC60B4
; END OF FUNCTION CHUNK	FOR WmipInitializeDataStructs
; 
; START	OF FUNCTION CHUNK FOR RawInitialize

loc_AE5064:				; CODE XREF: RawInitialize+B9j
		push	_RawDeviceTapeObject
		call	IoDeleteDevice

loc_AE506F:				; CODE XREF: RawInitialize+A4j
		push	_RawDeviceCdRomObject
		call	IoDeleteDevice

loc_AE507A:				; CODE XREF: RawInitialize+76j
		push	_RawDeviceDiskObject
		call	IoDeleteDevice
		mov	eax, edi
		jmp	loc_AC62B8
; END OF FUNCTION CHUNK	FOR RawInitialize
; 
; START	OF FUNCTION CHUNK FOR PipDmgInitPhaseZero

loc_AE508C:				; CODE XREF: PipDmgInitPhaseZero+Fj
					; PipDmgInitPhaseZero+1Bj
		push	offset _PipDgqListLock
		mov	_PipDmaGuardPolicy, 3
		call	ExInitializeResourceLite
		mov	eax, offset _PipDgqListHead
		mov	dword_6CB52C, eax
		mov	_PipDgqListHead, eax
		jmp	loc_AC62EA
; END OF FUNCTION CHUNK	FOR PipDmgInitPhaseZero
; 
; START	OF FUNCTION CHUNK FOR CmpInitializeDriverStores

loc_AE50B4:				; CODE XREF: CmpInitializeDriverStores+8Cj
		mov	edi, 0C000009Ah
		jmp	loc_AC6782
; 

loc_AE50BE:				; CODE XREF: CmpInitializeDriverStores+128j
		push	dword ptr [esi+34h]
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_24]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	edi, eax
		test	edi, edi
		js	loc_AC677A
		xor	edi, edi
		mov	[ebp+var_10], ebx
		mov	eax, 1000h
		mov	[ebp+var_14], edi
		mov	word ptr [ebp+var_14+2], ax
		lea	eax, [ebp+var_14]
		push	offset ??_C@_1BE@HOPMDIJK@?$AA?2?$AAA?$AAr?$AAc?$AAN?$AAa?$AAm?$AAe?$AA?2@PBOPGDP@ ; void *
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		mov	ecx, [esi+8]	; wchar_t *
		call	_CmpGetSystemRelativeRegistryHiveFilePath@4 ; CmpGetSystemRelativeRegistryHiveFilePath(x)
		mov	edx, [esi+8]
		cmp	eax, edx
		jbe	short loc_AE5154
		mov	ecx, eax
		sub	ecx, edx
		and	ecx, 0FFFFFFFEh
		cmp	ecx, 1FFFEh
		jge	short loc_AE5154
		mov	[ebp+var_18], edx
		sub	eax, [esi+8]
		and	eax, 0FFFFFFFEh
		mov	word ptr [ebp+var_1C], ax
		mov	word ptr [ebp+var_1C+2], ax
		lea	eax, [ebp+var_1C]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)

loc_AE5154:				; CODE XREF: CmpInitializeDriverStores+1EAEBj
					; CmpInitializeDriverStores+1EAFAj
		push	dword ptr [esi+18h]
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_4]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_34], eax
		mov	eax, ds:_SePublicDefaultUnrestrictedSd
		mov	[ebp+var_2C], eax
		mov	ax, word ptr [ebp+var_14]
		mov	word ptr [ebp+var_14+2], ax
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_3C], 18h
		push	eax
		push	0F0001h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_30], 250h
		push	eax
		mov	[ebp+var_28], edi
		call	_ZwCreateSymbolicLinkObject@16 ; ZwCreateSymbolicLinkObject(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AC677A
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_AC6768
; END OF FUNCTION CHUNK	FOR CmpInitializeDriverStores
; 
; START	OF FUNCTION CHUNK FOR CmpCreateExtendedControlSets

loc_AE51BA:				; CODE XREF: CmpCreateExtendedControlSets+Ej
		mov	dl, 1
		mov	ecx, offset ??_C@_1BA@LMMHLKFA@?$AAD?$AAE?$AAV?$AAI?$AAC?$AAE?$AAS@PBOPGDP@ ; char
		call	CmpCreateControlSet
		cmp	eax, 0C0000034h
		jz	loc_AC67AC
		test	eax, eax
		js	loc_AC67E7
		jmp	loc_AC67AC
; 

loc_AE51DE:				; CODE XREF: CmpCreateExtendedControlSets+2Aj
		mov	ecx, [esi+18h]	; char
		mov	dl, 1
		call	CmpCreateControlSet
		test	eax, eax
		js	loc_AC67E7
		jmp	loc_AC67C8
; 

loc_AE51F5:				; CODE XREF: CmpCreateExtendedControlSets+47j
		lea	eax, [ecx+0E8h]
		mov	esi, [eax]
		jmp	short loc_AE5221
; 

loc_AE51FF:				; CODE XREF: CmpCreateExtendedControlSets+1EA8Bj
		test	byte ptr [esi+0Ch], 40h
		jz	short loc_AE5214
		mov	ecx, esi
		call	_CmpCreateControlSetOverride@4 ; CmpCreateControlSetOverride(x)
		test	eax, eax
		js	loc_AC67E7

loc_AE5214:				; CODE XREF: CmpCreateExtendedControlSets+1EA6Bj
		mov	eax, [edi+84h]
		mov	esi, [esi]
		add	eax, 0E8h

loc_AE5221:				; CODE XREF: CmpCreateExtendedControlSets+1EA65j
		cmp	esi, eax
		jnz	short loc_AE51FF
		jmp	loc_AC67E5
; END OF FUNCTION CHUNK	FOR CmpCreateExtendedControlSets
; 
; START	OF FUNCTION CHUNK FOR CmpSetupConfigurationTree

loc_AE522A:				; CODE XREF: CmpSetupConfigurationTree+7Bj
		push	[ebp+var_64]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_6C]
		jmp	loc_AC696A
; END OF FUNCTION CHUNK	FOR CmpSetupConfigurationTree
; 
; START	OF FUNCTION CHUNK FOR CmpInitializeMachineDependentConfiguration

loc_AE523A:				; CODE XREF: CmpInitializeMachineDependentConfiguration+22Ej
		or	_CmProcessorMismatch, 1
		jmp	loc_AC6BDC
; 

loc_AE5246:				; CODE XREF: CmpInitializeMachineDependentConfiguration+23Aj
		or	_CmProcessorMismatch, 4
		jmp	loc_AC6BE8
; 

loc_AE5252:				; CODE XREF: CmpInitializeMachineDependentConfiguration+1EEj
		mov	eax, ds:_KiProcessorBlock
		cmp	byte ptr [eax+15h], 0
		jmp	loc_AC6C02
; 

loc_AE5260:				; CODE XREF: CmpInitializeMachineDependentConfiguration+24Cj
					; CmpInitializeMachineDependentConfiguration:loc_AC6C02j
		or	_CmProcessorMismatch, 2
		jmp	loc_AC6C08
; 

loc_AE526C:				; CODE XREF: CmpInitializeMachineDependentConfiguration+2E1j
		call	_CmpInitializeSystemBiosInformation@4 ;	CmpInitializeSystemBiosInformation(x)
		jmp	loc_AC6C9A
; END OF FUNCTION CHUNK	FOR CmpInitializeMachineDependentConfiguration
; 
; START	OF FUNCTION CHUNK FOR CmpSetSystemBiosInformation

loc_AE5276:				; CODE XREF: CmpSetSystemBiosInformation+12Fj
		mov	edi, [ebp+var_90]
		test	edi, edi
		jz	loc_AE530A
		movzx	eax, word ptr [edi+8]
		lea	ebx, [edi+0Ch]
		mov	word ptr [ebp+var_C8+2], ax
		add	eax, 0FFFFFFFEh
		movzx	ecx, ax
		mov	word ptr [ebp+var_C8], ax
		lea	eax, [ebp+var_C8]
		push	1
		push	eax
		lea	eax, [ebp+var_98]
		mov	[ebp+var_C4], ebx
		push	eax
		mov	[ebp+var_90], ecx
		call	_RtlCompareUnicodeString@12 ; RtlCompareUnicodeString(x,x,x)
		test	eax, eax
		jz	short loc_AE52FC
		push	offset ??_C@_1CE@OMPBPMAF@?$AAO?$AAl?$AAd?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAB?$AAi?$AAo?$AAs?$AAD?$AAa@PBOPGDP@
		lea	eax, [ebp+var_A4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, [ebp+var_90]
		movzx	eax, cx
		add	eax, 2
		push	eax
		push	ebx
		mov	ebx, [ebp+var_B0]
		lea	eax, [ebp+var_A4]
		push	1
		push	0
		push	eax
		push	ebx
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		jmp	short loc_AE5302
; 

loc_AE52FC:				; CODE XREF: CmpSetSystemBiosInformation+1E562j
		mov	ebx, [ebp+var_B0]

loc_AE5302:				; CODE XREF: CmpSetSystemBiosInformation+1E59Aj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE530A:				; CODE XREF: CmpSetSystemBiosInformation+1E51Ej
		mov	edi, [ebp+var_A8]
		jmp	loc_AC6E95
; END OF FUNCTION CHUNK	FOR CmpSetSystemBiosInformation
; 
; START	OF FUNCTION CHUNK FOR CmpSetVideoBiosInformation

loc_AE5315:				; CODE XREF: CmpSetVideoBiosInformation+91j
		mov	esi, 0C0000h
		jmp	loc_AC7145
; 

loc_AE531F:				; CODE XREF: CmpSetVideoBiosInformation+B9j
		mov	esi, eax
		jmp	loc_AC713D
; END OF FUNCTION CHUNK	FOR CmpSetVideoBiosInformation
; 
; START	OF FUNCTION CHUNK FOR CmpGetBiosVersion

loc_AE5326:				; CODE XREF: CmpGetBiosVersion+D2j
		add	esi, 1
		jnz	loc_AC7419
		jmp	loc_AC7422
; END OF FUNCTION CHUNK	FOR CmpGetBiosVersion
; 
; START	OF FUNCTION CHUNK FOR CmpGetBiosDate

loc_AE5334:				; CODE XREF: CmpGetBiosDate+E7j
					; CmpGetBiosDate+EFj
		mov	[ebp+var_B], 30h
		jmp	loc_AC7583
; 

loc_AE533D:				; CODE XREF: CmpGetBiosDate+14Ej
		cmp	al, 39h
		jg	loc_AC75E2
		mov	al, [edi+7]
		mov	[ebp+var_22], al
		sub	al, 30h
		cmp	al, 9
		ja	loc_AC75E2
		mov	esi, [ebp+var_28]
		push	2		; size_t
		push	offset ??_C@_02CLJDCEPA@19@PBOPGDP@ ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_AE5384
		push	2		; size_t
		push	offset ??_C@_02PIBHCBOA@20@PBOPGDP@ ; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jnz	loc_AC75E2

loc_AE5384:				; CODE XREF: CmpGetBiosDate+1DEDCj
		mov	al, [esi]
		mov	[ebp+var_10], al
		mov	al, [edi+5]
		mov	[ebp-0Fh], al
		mov	al, [ebp+var_21]
		mov	[ebp-0Eh], al
		mov	al, [ebp+var_22]
		mov	[ebp-0Dh], al
		jmp	loc_AC75F1
; 

loc_AE53A0:				; CODE XREF: CmpGetBiosDate+5Ej
		mov	byte ptr [ebx],	0
		xor	al, al
		jmp	loc_AC7513
; END OF FUNCTION CHUNK	FOR CmpGetBiosDate
; 
; START	OF FUNCTION CHUNK FOR CmpGetRegistryValue

loc_AE53AA:				; CODE XREF: CmpGetRegistryValue+36j
					; CmpGetRegistryValue+41j ...
		push	49504341h
		push	[ebp+var_8]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_AE53CC
		mov	eax, 0C000009Ah
		jmp	loc_AC76F8
; 

loc_AE53CC:				; CODE XREF: CmpGetRegistryValue+1DD1Aj
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_8]
		lea	eax, [ebp+var_10]
		push	esi
		push	2
		push	eax
		push	edi
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jns	short loc_AE53F4
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, edi
		jmp	loc_AC76F8
; 

loc_AE53F4:				; CODE XREF: CmpGetRegistryValue+1DD3Ej
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	eax, eax
		jmp	loc_AC76F8
; END OF FUNCTION CHUNK	FOR CmpGetRegistryValue
; 
; START	OF FUNCTION CHUNK FOR CmpSetSystemValues

loc_AE5400:				; CODE XREF: CmpSetSystemValues+1A2j
		lea	eax, [ebp+var_118]
		mov	esi, (offset loc_AF320F+1)
		push	eax
		push	100h
		lea	eax, [ebp+var_108]
		push	eax
		push	edi
		push	esi
		push	[ebp+var_10C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AE5440
		cmp	[ebp+var_104], 4
		jnz	short loc_AE5440
		mov	eax, [ebp+var_100]
		mov	edi, [ebp+eax+var_108]
		inc	edi

loc_AE5440:				; CODE XREF: CmpSetSystemValues+1DCDBj
					; CmpSetSystemValues+1DCE4j
		push	4
		lea	eax, [ebp+var_114]
		mov	[ebp+var_114], edi
		push	eax
		push	4
		push	0
		push	esi
		push	[ebp+var_10C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_AC78F4
; END OF FUNCTION CHUNK	FOR CmpSetSystemValues
; 
; START	OF FUNCTION CHUNK FOR CmpMigrateOOBELanguageToInstallationLanguage

loc_AE5466:				; CODE XREF: CmpMigrateOOBELanguageToInstallationLanguage+25j
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_2C], 18h
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_10]
		mov	[ebp+var_28], edi
		push	eax
		mov	[ebp+var_20], 240h
		mov	[ebp+var_24], (offset loc_AF3227+1)
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AE54F6
		movzx	ecx, ds:_PsInstallUILanguageId
		push	3
		mov	[ebp+var_14], ecx
		mov	si, cx
		pop	edx

loc_AE54AC:				; CODE XREF: CmpMigrateOOBELanguageToInstallationLanguage+1DBB6j
		and	ecx, 0Fh
		mov	ax, 9
		cmp	ax, cx
		sbb	eax, eax
		shr	si, 4
		and	eax, 7
		mov	word ptr [ebp+var_14], si
		add	eax, 30h
		add	ax, cx
		mov	word ptr [ebp+edx*2+var_C], ax
		sub	edx, 1
		js	short loc_AE54D8
		mov	ecx, [ebp+var_14]
		jmp	short loc_AE54AC
; 

loc_AE54D8:				; CODE XREF: CmpMigrateOOBELanguageToInstallationLanguage+1DBB1j
		push	8
		lea	eax, [ebp+var_C]
		push	eax
		push	1
		push	edi
		push	(offset	loc_AF31FF+1)
		push	[ebp+var_10]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AE54F6
		mov	esi, edi

loc_AE54F6:				; CODE XREF: CmpMigrateOOBELanguageToInstallationLanguage+1DB7Aj
					; CmpMigrateOOBELanguageToInstallationLanguage+1DBD2j
		cmp	[ebp+var_10], edi
		jz	short loc_AE5503
		push	[ebp+var_10]
		call	_ZwClose@4	; ZwClose(x)

loc_AE5503:				; CODE XREF: CmpMigrateOOBELanguageToInstallationLanguage+1DBD9j
		mov	eax, esi
		jmp	loc_AC794D
; END OF FUNCTION CHUNK	FOR CmpMigrateOOBELanguageToInstallationLanguage
; 
; START	OF FUNCTION CHUNK FOR CmpInitializePreloadedHives

loc_AE550A:				; CODE XREF: CmpInitializePreloadedHives+6Bj
		push	0
		push	esi
		push	0Ch
		push	1
		push	67h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AE5519:				; CODE XREF: CmpInitializeSystemHive+2Bj
		mov	esi, 0C000009Ah
		jmp	loc_AC81A4
; END OF FUNCTION CHUNK	FOR CmpInitializePreloadedHives
; 
; START	OF FUNCTION CHUNK FOR CmpInitializeSystemHive

loc_AE5523:				; CODE XREF: CmpInitializeSystemHive+6Aj
		push	eax
		push	edi
		push	2
		jmp	short loc_AE552D
; 

loc_AE5529:				; CODE XREF: CmpInitializeSystemHive+1D4C7j
		push	edx
		push	ecx
		push	3

loc_AE552D:				; CODE XREF: CmpInitializeSystemHive+1D47Fj
		push	3
		push	74h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE5536:				; CODE XREF: CmpInitializeSystemHive+88j
		mov	_CmpInitRmLogOnLoad, 1
		jmp	loc_AC8136
; 

loc_AE5542:				; CODE XREF: CmpInitializeSystemHive+A3j
		cmp	_CmStateSeparationDevMode, 0
		jnz	loc_AC8151
		mov	eax, [ebp+var_8]
		or	[eax+64h], ecx
		mov	eax, [ebp+var_8]
		and	dword ptr [eax+64h], 0FFFFFFFDh
		jmp	loc_AC8151
; 

loc_AE5561:				; CODE XREF: CmpInitializeSystemHive+C2j
		mov	ds:_CmpSelfHeal, dl
		test	al, 4
		jz	loc_AC8170
		jmp	short loc_AE5529
; END OF FUNCTION CHUNK	FOR CmpInitializeSystemHive
; 
; START	OF FUNCTION CHUNK FOR CmpInitializePreloadedHive

loc_AE5571:				; CODE XREF: CmpInitializePreloadedHive+80j
		push	dword ptr [edi+8] ; void *
		lea	eax, [ebp+var_1F0]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	eax, [edi+0Ch]
		test	al, 2
		jnz	loc_AC8269
		test	al, 4
		jz	short loc_AE5599
		mov	esi, 2000h
		jmp	loc_AC8269
; 

loc_AE5599:				; CODE XREF: CmpInitializePreloadedHive+1D3D7j
		and	al, 20h
		movzx	esi, al
		neg	esi
		sbb	esi, esi
		and	esi, 1FFFFFh
		inc	esi
		jmp	loc_AC8269
; 

loc_AE55AE:				; CODE XREF: CmpInitializePreloadedHive+88j
		mov	ecx, [edi+8]	; wchar_t *
		call	_CmpGetSystemRelativeRegistryHiveFilePath@4 ; CmpGetSystemRelativeRegistryHiveFilePath(x)
		mov	esi, eax
		lea	eax, [ebp+var_1F0]
		push	offset ??_C@_1BO@DFBFEJHF@?$AA?2?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAo?$AAr?$AAe?$AAs?$AA?2@PBOPGDP@ ; void *
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	dword ptr [edi+18h] ; void *
		lea	eax, [ebp+var_1F0]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		push	esi		; void *
		lea	eax, [ebp+var_1F0]
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		mov	esi, 400000h
		cmp	_CmStateSeparationEnabled, ebx
		jz	loc_AC8269
		cmp	_CmStateSeparationDevMode, ebx
		jnz	loc_AC8269
		inc	esi
		jmp	loc_AC8269
; 

loc_AE5608:				; CODE XREF: CmpInitializePreloadedHive+BAj
		or	esi, 1000000h
		jmp	loc_AC8276
; 

loc_AE5613:				; CODE XREF: CmpInitializePreloadedHive+169j
		push	eax
		lea	eax, [ebp+var_1E1+1]
		push	eax
		push	5
		jmp	short loc_AE5629
; 

loc_AE561F:				; CODE XREF: CmpInitializePreloadedHive+DBj
		xor	ebx, ebx

loc_AE5621:				; CODE XREF: CmpInitializePreloadedHive+5Dj
		push	0C000009Ah
		push	ebx
		push	4

loc_AE5629:				; CODE XREF: CmpInitializePreloadedHive+1D467j
					; CmpInitializePreloadedHive+1D4D3j ...
		push	3
		push	74h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE5632:				; CODE XREF: CmpInitializePreloadedHive+1A5j
		mov	eax, [ebp+var_1E8]
		or	dword ptr [eax+64h], 800h
		jmp	loc_AC8361
; 

loc_AE5644:				; CODE XREF: CmpInitializePreloadedHive+1B7j
		mov	eax, [ebp+var_1E8]
		or	[eax+64h], ecx
		jmp	loc_AC8373
; 

loc_AE5652:				; CODE XREF: CmpInitializePreloadedHive+1C4j
		cmp	_CmStateSeparationDevMode, 0
		jnz	loc_AC8380
		test	byte ptr [edi+0Ch], 20h
		jnz	loc_AC8380
		mov	eax, [ebp+var_1E8]
		or	[eax+64h], ecx
		jmp	loc_AC8380
; 

loc_AE5677:				; CODE XREF: CmpInitializePreloadedHive+1E6j
		mov	ds:_CmpSelfHeal, bl
		test	al, 4
		jz	loc_AC83A2
		push	ebx
		push	ecx
		push	6
		jmp	short loc_AE5629
; 

loc_AE568B:				; CODE XREF: CmpInitializePreloadedHive+278j
		push	eax
		push	[ebp+var_1E8]
		push	7
		jmp	short loc_AE5629
; 

loc_AE5696:				; CODE XREF: CmpInitializePreloadedHive+3FAj
		push	esi
		push	[ebp+var_C]
		call	ObCloseHandle
		jmp	loc_AC85BD
; END OF FUNCTION CHUNK	FOR CmpInitializePreloadedHive
; 
; START	OF FUNCTION CHUNK FOR CmpCreateHardwareProfiles

loc_AE56A4:				; CODE XREF: CmpCreateHardwareProfiles+F2j
		cmp	_CmStateSeparationEnabled, 0
		jz	loc_AC8A2F
		xor	ecx, ecx
		mov	[ebp+var_2B8], 18h
		lea	eax, [ebp+var_2C4]
		mov	[ebp+var_2B4], edi
		push	eax
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_2B8]
		mov	[ebp+var_2AC], 240h
		push	eax
		push	20019h
		lea	eax, [ebp+var_2CC]
		mov	[ebp+var_2B0], (offset loc_AF34CB+5)
		push	eax
		mov	[ebp+var_2A8], ecx
		mov	[ebp+var_2A4], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC8A2F
		push	[ebp+var_2CC]
		call	_ZwClose@4	; ZwClose(x)
		xor	ecx, ecx
		mov	[ebp+var_2B8], 18h
		lea	eax, [ebp+var_2C4]
		mov	[ebp+var_2CC], ecx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_2B8]
		mov	[ebp+var_2B4], edi
		push	eax
		push	20019h
		lea	eax, [ebp+var_2BC]
		mov	[ebp+var_2AC], 240h
		push	eax
		mov	[ebp+var_2B0], offset _CmpControlIdConfigDbString
		mov	[ebp+var_2A8], ecx
		mov	[ebp+var_2A4], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC8A2F
		mov	eax, [ebp+var_2BC]
		xor	ecx, ecx
		mov	[ebp+var_2B4], eax
		lea	eax, [ebp+var_2C4]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_2B8]
		mov	[ebp+var_2B8], 18h
		push	eax
		push	20019h
		lea	eax, [ebp+var_2CC]
		mov	[ebp+var_2AC], 240h
		push	eax
		mov	[ebp+var_2B0], (offset loc_A3F627+1)
		mov	[ebp+var_2A8], ecx
		mov	[ebp+var_2A4], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC8A2F
		mov	eax, 100h
		mov	word ptr [ebp+var_2A0+2], ax
		lea	eax, [ebp+var_188]
		push	0		; char
		mov	[ebp+var_29C], eax
		lea	eax, [ebp+var_2A0]
		push	offset ??_C@_19BLGDCJIP@?$AA?$CF?$AA0?$AA4?$AAd@PBOPGDP@ ; "%04d"
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		mov	eax, [ebp+var_2CC]
		add	esp, 0Ch
		mov	[ebp+var_2B4], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_2A0]
		mov	[ebp+var_2B8], 18h
		mov	[ebp+var_2B0], eax
		lea	eax, [ebp+var_2C4]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_2B8]
		mov	[ebp+var_2AC], 240h
		push	eax
		push	20019h
		lea	eax, [ebp+var_2C0]
		mov	[ebp+var_2A8], ecx
		push	eax
		mov	[ebp+var_2A4], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	[ebp+var_2CC]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_2CC], 0
		test	esi, esi
		js	loc_AC8A2F
		push	[ebp+var_2C0]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_2C0], 0
		lea	eax, [ebp+var_2C8]
		push	4
		push	eax
		push	4
		push	0
		push	(offset	loc_A3F667+1)
		push	[ebp+var_2BC]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC8A2F
		jmp	loc_AC870D
; 

loc_AE58C6:				; CODE XREF: CmpCreateHardwareProfiles+19Dj
		cmp	_CmStateSeparationEnabled, 0
		jz	loc_AC8A2F
		lea	eax, [ebp+var_2C4]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_2B8]
		push	eax
		push	20019h
		lea	eax, [ebp+var_2D4]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_AC8765
; 

loc_AE58FE:				; CODE XREF: CmpCreateHardwareProfiles+23Dj
		cmp	_CmStateSeparationEnabled, 0
		jz	loc_AC8A2F
		lea	eax, [ebp+var_2C4]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_2B8]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_2C0]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_AC8805
; 

loc_AE5936:				; CODE XREF: CmpCreateHardwareProfiles+280j
		sub	eax, 1
		jnz	loc_AE59C2
		mov	edx, [ebp+var_2D4]
		lea	eax, [ebp+var_2C8]
		push	eax
		lea	eax, [ebp+var_2C0]
		push	eax
		push	ecx
		push	dword ptr [ebp+var_2C8]
		mov	ecx, [ebp+var_2BC]
		push	[ebp+var_2C0]
		call	_CmpCloneHwProfile@28 ;	CmpCloneHwProfile(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_AE597D
		and	[ebp+var_2C0], 0
		jmp	loc_AC8A2F
; 

loc_AE597D:				; CODE XREF: CmpCreateHardwareProfiles+1D3ADj
		push	4
		lea	eax, [ebp+var_2C8]
		push	eax
		push	4
		push	0
		push	(offset	loc_A3F667+1)
		push	[ebp+var_2BC]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC8A2F
		mov	esi, [ebp+var_2D0]

loc_AE59AA:				; CODE XREF: CmpCreateHardwareProfiles+277j
		push	dword ptr [ebp+var_2C8]
		mov	ecx, [ebp+var_2BC]
		mov	edx, ebx
		call	_CmpAddAliasEntry@12 ; CmpAddAliasEntry(x,x,x)
		jmp	loc_AC8848
; 

loc_AE59C2:				; CODE XREF: CmpCreateHardwareProfiles+30Fj
					; CmpCreateHardwareProfiles+1D377j
		mov	bl, [ebp+var_291]
		jmp	loc_AC88D7
; 

loc_AE59CD:				; CODE XREF: CmpCreateHardwareProfiles+361j
		push	ecx
		push	ecx
		mov	ecx, [ebp+var_298]
		lea	eax, [ebp+var_288]
		push	eax
		xor	edx, edx
		call	_CmDeleteKeyRecursive@20 ; CmDeleteKeyRecursive(x,x,x,x,x)
		push	[ebp+var_298]
		call	_ZwClose@4	; ZwClose(x)
		mov	[ebp+var_298], esi
		jmp	loc_AC8929
; 

loc_AE59F9:				; CODE XREF: CmpCreateHardwareProfiles+40Cj
		push	[ebp+var_298]
		call	_ZwClose@4	; ZwClose(x)
		xor	eax, eax
		mov	[ebp+var_2A0], eax
		mov	[ebp+var_298], eax
		mov	eax, 100h
		mov	word ptr [ebp+var_2A0+2], ax
		lea	eax, [ebp+var_188]
		push	(offset	loc_A3F61F+1)
		push	(offset	loc_A3F617+1) ;	char
		mov	[ebp+var_29C], eax
		lea	eax, [ebp+var_2A0]
		push	(offset	loc_ADD0A3+1) ;	wchar_t	*
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		add	esp, 10h
		mov	[ebp+var_2B8], 18h
		lea	eax, [ebp+var_2A0]
		mov	[ebp+var_2AC], 240h
		mov	[ebp+var_2B0], eax
		xor	ecx, ecx
		lea	eax, [ebp+var_2C4]
		mov	[ebp+var_2B4], ecx
		push	eax
		push	3
		push	ecx
		push	ecx
		lea	eax, [ebp+var_2B8]
		mov	[ebp+var_2A8], ecx
		push	eax
		push	20h
		lea	eax, [ebp+var_298]
		mov	[ebp+var_2A4], ecx
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC89D4
		xor	esi, esi
		mov	eax, 100h
		mov	[ebp+var_2A0], esi
		mov	word ptr [ebp+var_2A0+2], ax
		lea	eax, [ebp+var_188]
		mov	[ebp+var_29C], eax
		lea	eax, [ebp+var_2DC]
		push	(offset	loc_A3F61F+1)
		push	eax		; char
		lea	eax, [ebp+var_2A0]
		push	(offset	loc_ADD0A3+1) ;	wchar_t	*
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		movzx	eax, word ptr [ebp+var_2A0]
		add	esp, 10h
		push	eax
		push	[ebp+var_29C]
		push	6
		push	esi
		push	offset _CmSymbolicLinkValueName
		push	[ebp+var_298]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_AC89D4
; END OF FUNCTION CHUNK	FOR CmpCreateHardwareProfiles
; 
; START	OF FUNCTION CHUNK FOR CmpCreateControlSet

loc_AE5B0E:				; CODE XREF: CmpCreateControlSet+13Cj
		test	bl, bl
		jz	loc_AC8CE8
		lea	eax, [ebp+var_1BC]
		mov	ebx, 20019h
		push	eax
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_1B8]
		push	eax
		push	ebx
		lea	eax, [ebp+var_19C]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC8CE8
		push	4
		lea	eax, [ebp+var_198]
		mov	dword ptr [ebp+var_198], 1
		push	eax
		push	4
		push	edi
		push	(offset	loc_A3F69A+6)
		push	[ebp+var_19C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC8CE8
		push	dword ptr [ebp+var_198]	; char
		mov	eax, 100h
		mov	[ebp+var_190], edi
		mov	word ptr [ebp+var_190+2], ax
		lea	eax, [ebp+var_188]
		mov	[ebp+var_18C], eax
		lea	eax, [ebp+var_190]
		push	offset ??_C@_1BO@KHANIFDG@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS?$AAe?$AAt?$AA?$CF?$AA0?$AA3?$AAd@PBOPGDP@ ; wchar_t *
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		mov	eax, [ebp+var_1A0]
		add	esp, 0Ch
		mov	[ebp+var_1B4], eax
		lea	eax, [ebp+var_190]
		mov	[ebp+var_1B0], eax
		lea	eax, [ebp+var_1BC]
		mov	[ebp+var_1B8], 18h
		push	eax
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_1B8]
		mov	[ebp+var_1AC], 240h
		push	eax
		push	ebx
		lea	eax, [ebp+var_194]
		mov	[ebp+var_1A8], edi
		push	eax
		mov	[ebp+var_1A4], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AC8CE8
		push	[ebp+var_194]
		call	_ZwClose@4	; ZwClose(x)
		mov	[ebp+var_194], edi
		jmp	loc_AC8BE4
; END OF FUNCTION CHUNK	FOR CmpCreateControlSet
; 
; START	OF FUNCTION CHUNK FOR MxCopyPage

loc_AE5C21:				; CODE XREF: MxCopyPage+17j
		push	0
		push	0
		push	edi
		push	3030305h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE5C32:				; CODE XREF: MxCopyPage+47j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_AE5C63
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	loc_AC8F51
		mov	eax, edi
		and	eax, ecx
		or	eax, 0
		jz	loc_AC8F51
		or	edx, 80000000h
		jmp	loc_AC8F51
; 

loc_AE5C63:				; CODE XREF: MxCopyPage+1CD37j
		mov	eax, large fs:124h
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jz	loc_AC8F4F
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	loc_AC8F4F
		or	edx, 80000000h
		jmp	loc_AC8F4F
; 

loc_AE5C98:				; CODE XREF: MxCopyPage+57j
		push	edx
		push	edi
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_AC8F5F
; END OF FUNCTION CHUNK	FOR MxCopyPage
; 
; START	OF FUNCTION CHUNK FOR MxSwapPages

loc_AE5CA6:				; CODE XREF: MxSwapPages+F8j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_AE5CD8
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	loc_AC95A9

loc_AE5CBF:				; CODE XREF: MxSwapPages+1C849j
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	loc_AC95A9
		or	edx, 80000000h
		jmp	loc_AC95A9
; 

loc_AE5CD8:				; CODE XREF: MxSwapPages+1C805j
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_4]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_AE5CBF
		jmp	loc_AC95A9
; 

loc_AE5CF8:				; CODE XREF: MxSwapPages+109j
		push	edx
		push	ebx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_AC95B7
; END OF FUNCTION CHUNK	FOR MxSwapPages
; 
; START	OF FUNCTION CHUNK FOR MxGetPhase0Mapping

loc_AE5D06:				; CODE XREF: MxGetPhase0Mapping+42j
		add	esi, 8
		test	esi, edi
		jnz	loc_AC96F2

loc_AE5D11:				; CODE XREF: MxGetPhase0Mapping+31j
		add	edx, 8
		test	edx, edi
		jnz	loc_AC96DF
		xor	eax, eax
		jmp	loc_AC9709
; END OF FUNCTION CHUNK	FOR MxGetPhase0Mapping
; 
; START	OF FUNCTION CHUNK FOR MxZeroPageTablePfns

loc_AE5D23:				; CODE XREF: MxZeroPageTablePfns+C1j
		push	[ebp+arg_4]
		mov	ecx, ebx
		lea	eax, [edx-1]
		shl	ecx, 9
		push	eax
		lea	edx, [ecx+0FF8h]
		call	MxZeroPageTablePfns
		jmp	loc_AC973D
; END OF FUNCTION CHUNK	FOR MxZeroPageTablePfns
; 
; START	OF FUNCTION CHUNK FOR CmpParseInfBuffer

loc_AE5D3F:				; CODE XREF: CmpParseInfBuffer+2Dj
		xor	eax, eax
		jmp	loc_AC98E2
; 

loc_AE5D46:				; CODE XREF: CmpParseInfBuffer+259j
					; CmpParseInfBuffer+1C5D0j
		mov	bh, bl

loc_AE5D48:				; CODE XREF: CmpParseInfBuffer+E2j
					; CmpParseInfBuffer+1C699j
		mov	ecx, [ebp+arg_0]
		mov	eax, [ebp+var_14]
		mov	[ecx], eax
		mov	ecx, [ebp+var_10]
		mov	al, [ebp+var_8]
		test	ecx, ecx
		jz	short loc_AE5D69
		test	al, al
		jz	short loc_AE5D69
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, [ebp+var_8]

loc_AE5D69:				; CODE XREF: CmpParseInfBuffer+1C578j
					; CmpParseInfBuffer+1C57Cj
		mov	ecx, [ebp+var_C]
		test	ecx, ecx
		jz	short loc_AE5D7C
		test	al, al
		jz	short loc_AE5D7C
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE5D7C:				; CODE XREF: CmpParseInfBuffer+1C58Ej
					; CmpParseInfBuffer+1C592j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	edi, edi
		jmp	loc_AC98CD
; 

loc_AE5D8B:				; CODE XREF: CmpParseInfBuffer+1E5j
		mov	[ebp+var_24], offset _EmptyValue
		mov	byte ptr [ebp+var_20], 0
		mov	[ebp+var_8], 0
		jmp	loc_AC99E9
; 

loc_AE5D9F:				; CODE XREF: CmpParseInfBuffer+21Aj
		push	dword ptr [ebp+var_8] ;	char
		mov	edx, [ebp+var_10] ; char *
		mov	ecx, edi	; int
		call	CmpAppendSection
		mov	bl, 1
		test	al, al
		jz	short loc_AE5D46
		jmp	loc_AC9A1C
; 

loc_AE5DB7:				; CODE XREF: CmpParseInfBuffer+146j
		sub	eax, 1
		jnz	loc_AC9A37
		push	eax
		xor	edx, edx
		mov	ecx, edi
		call	_CmpAppendLine@12 ; CmpAppendLine(x,x,x)
		test	al, al
		jz	loc_AE5E6C	; default
		push	dword ptr [ebp+var_8]
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	_CmpAppendValue@12 ; CmpAppendValue(x,x,x)
		test	al, al
		jz	loc_AE5E6C	; default
		and	[ebp+var_C], 0
		jmp	loc_AC990B
; 

loc_AE5DF0:				; CODE XREF: CmpParseInfBuffer+13Dj
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	_CmpAppendLine@12 ; CmpAppendLine(x,x,x)
		test	al, al
		jz	short loc_AE5E6C ; default
		push	dword ptr [ebp+var_8]
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	_CmpAppendValue@12 ; CmpAppendValue(x,x,x)
		test	al, al
		jz	short loc_AE5E6C ; default
		and	[ebp+var_C], 0
		jmp	loc_AC998E
; 

loc_AE5E19:				; CODE XREF: CmpParseInfBuffer+134j
		push	0
		xor	edx, edx
		mov	ecx, edi
		call	_CmpAppendLine@12 ; CmpAppendLine(x,x,x)
		test	al, al
		jz	short loc_AE5E6C ; default
		push	dword ptr [ebp+var_8]
		mov	edx, [ebp+var_C]
		mov	ecx, edi
		call	_CmpAppendValue@12 ; CmpAppendValue(x,x,x)
		test	al, al
		jz	short loc_AE5E6C ; default
		and	[ebp+var_C], 0
		jmp	loc_AC9A2C
; 

loc_AE5E42:				; CODE XREF: CmpParseInfBuffer+BFj
		dec	eax
		sub	eax, 1
		jnz	loc_AC9A37
		mov	ecx, offset _EmptyValue
		mov	byte ptr [ebp+var_20], al
		mov	[ebp+var_24], ecx
		mov	edx, ecx
		push	eax
		mov	ecx, edi
		mov	[ebp+var_8], al
		call	_CmpAppendValue@12 ; CmpAppendValue(x,x,x)
		test	al, al
		jnz	loc_AC98C0

loc_AE5E6C:				; CODE XREF: CmpParseInfBuffer+7Aj
					; CmpParseInfBuffer+1C5ECj ...
		mov	bl, 1		; default
		mov	bh, bl
		jmp	loc_AC98C0
; 

loc_AE5E75:				; CODE XREF: CmpParseInfBuffer+1A8j
		mov	bh, 1
		mov	bl, bh
		jmp	loc_AE5D48
; 

loc_AE5E7E:				; CODE XREF: CmpParseInfBuffer+171j
		mov	eax, offset _EmptyValue
		mov	byte ptr [ebp+var_20], 0
		push	0
		mov	edx, eax
		mov	[ebp+var_24], eax
		mov	ecx, edi
		mov	[ebp+var_8], 0
		call	_CmpAppendValue@12 ; CmpAppendValue(x,x,x)
		test	al, al
		jnz	loc_AC9A2C
		mov	bh, 1
		jmp	loc_AC9A2C
; END OF FUNCTION CHUNK	FOR CmpParseInfBuffer
; 
; START	OF FUNCTION CHUNK FOR CmpGetToken

loc_AE5EA8:				; CODE XREF: CmpGetToken+1B4j
		mov	edi, [ebp+var_8]
		jmp	loc_AC9B1B
; 

loc_AE5EB0:				; CODE XREF: CmpGetToken+F1j
					; CmpGetToken+109j
		mov	dword ptr [ebx], 8
		jmp	loc_AC9BA0
; 

loc_AE5EBB:				; CODE XREF: CmpGetToken+B8j
					; CmpGetToken+DCj
		mov	ecx, [ebp+var_4]
		mov	dword ptr [ebx], 7
		jmp	loc_AC9BAB
; 

loc_AE5EC9:				; CODE XREF: CmpGetToken+1ABj
					; CmpGetToken+1D9j
		mov	edi, [ebp+var_8]
		mov	dword ptr [ebx], 7
		jmp	loc_AC9BA0
; END OF FUNCTION CHUNK	FOR CmpGetToken
; 
; START	OF FUNCTION CHUNK FOR CmpAppendSection

loc_AE5ED7:				; CODE XREF: CmpAppendSection+3Ej
		mov	eax, [esi+8]
		test	eax, eax
		jz	loc_AC9DEE

loc_AE5EE2:				; CODE XREF: CmpAppendSection+1C184j
		mov	ecx, [eax]
		test	ecx, ecx
		jz	loc_AC9DEE
		mov	eax, ecx
		jmp	short loc_AE5EE2
; END OF FUNCTION CHUNK	FOR CmpAppendSection
; 
; START	OF FUNCTION CHUNK FOR MiAddLoaderHalIoPte

loc_AE5EF0:				; CODE XREF: MiAddLoaderHalIoPte+5Ej
		mov	eax, [ebp+arg_8]
		mov	edx, 200h
		cmp	eax, 1
		jle	loc_AC9E7F
		dec	eax

loc_AE5F02:				; CODE XREF: MiAddLoaderHalIoPte+1C0F0j
		shl	edx, 9
		sub	eax, 1
		jnz	short loc_AE5F02
		jmp	loc_AC9E7F
; 

loc_AE5F0F:				; CODE XREF: MiAddLoaderHalIoPte+74j
		and	edi, 8
		or	edi, 0
		jz	loc_AC9E92
		push	2
		pop	ebx
		jmp	loc_AC9E99
; END OF FUNCTION CHUNK	FOR MiAddLoaderHalIoPte
; 
; START	OF FUNCTION CHUNK FOR CmpOpenSystemDriverHiveContext

loc_AE5F23:				; CODE XREF: CmpOpenSystemDriverHiveContext+59j
		mov	esi, 0C0000017h
		jmp	loc_AC9FD9
; 

loc_AE5F2D:				; CODE XREF: CmpOpenSystemDriverHiveContext+115j
		mov	esi, 0C0000017h
		jmp	loc_ACA007
; 

loc_AE5F37:				; CODE XREF: CmpOpenSystemDriverHiveContext+141j
		mov	edx, 746C6644h
		mov	ecx, edi
		call	ObfDereferenceObjectWithTag
		jmp	loc_AC9FF3
; 

loc_AE5F48:				; CODE XREF: CmpOpenSystemDriverHiveContext+14Cj
		push	[esp+38h+var_2C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_AC9FFE
; END OF FUNCTION CHUNK	FOR CmpOpenSystemDriverHiveContext
; 
; START	OF FUNCTION CHUNK FOR CmGetSystemDriverList

loc_AE5F56:				; CODE XREF: CmGetSystemDriverList+A6j
		lea	edx, [ebp+var_B4]
		mov	ecx, (offset loc_A3F60F+1)
		call	CmpOpenSystemDriverHiveContext
		cmp	eax, 0C0000034h
		jz	loc_ACA0BA
		test	eax, eax
		js	loc_ACA2B1
		jmp	loc_ACA0BA
; 

loc_AE5F7E:				; CODE XREF: CmGetSystemDriverList+14Fj
		push	20204D43h
		push	20h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_ACA2B1
		push	8
		pop	ecx
		xor	eax, eax
		mov	edi, esi
		rep stosd
		mov	ecx, [ebp+var_40]
		mov	edx, esi
		or	dword ptr [esi+1Ch], 0FFFFFFFFh
		call	CmpOpenSystemDriverHiveContext
		test	eax, eax
		jns	short loc_AE5FBF
		xor	eax, eax
		push	eax
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ACA163
; 

loc_AE5FBF:				; CODE XREF: CmGetSystemDriverList+1BFA1j
		mov	eax, [ebp+var_2C]
		lea	ecx, [ebp+var_30]
		cmp	[eax], ecx
		jnz	loc_AE6053
		mov	[esi], ecx
		mov	[esi+4], eax
		mov	[eax], esi
		mov	[ebp+var_2C], esi
		jmp	loc_ACA163
; 

loc_AE5FDC:				; CODE XREF: CmGetSystemDriverList+1B6j
		lea	ecx, [ebp+var_B4]
		call	_CmpAcquireSystemDriverHiveContext@4 ; CmpAcquireSystemDriverHiveContext(x)
		test	eax, eax
		js	loc_ACA2B1
		jmp	loc_ACA1CA
; 

loc_AE5FF4:				; CODE XREF: CmGetSystemDriverList+1C4j
		mov	ecx, esi
		call	_CmpAcquireSystemDriverHiveContext@4 ; CmpAcquireSystemDriverHiveContext(x)
		test	eax, eax
		js	short loc_AE604C
		push	20204D43h
		push	18h
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	loc_ACA2B1
		xor	eax, eax
		mov	edi, edx
		push	6
		pop	ecx
		rep stosd
		mov	ecx, [esi+8]
		mov	[edx+8], ecx
		lea	ecx, [ebp+var_3C]
		mov	eax, [esi+0Ch]
		mov	[edx+0Ch], eax
		mov	eax, [esi+18h]
		mov	[edx+10h], eax
		mov	eax, [esi+1Ch]
		mov	[edx+14h], eax
		mov	eax, [ebp+var_38]
		cmp	[eax], ecx
		jnz	short loc_AE6053
		mov	[edx], ecx
		mov	[edx+4], eax
		mov	[eax], edx
		mov	[ebp+var_38], edx

loc_AE604C:				; CODE XREF: CmGetSystemDriverList+1BFEFj
		mov	esi, [esi]
		jmp	loc_ACA1CD
; 

loc_AE6053:				; CODE XREF: CmGetSystemDriverList+1BFB9j
					; CmGetSystemDriverList+1C032j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_AE6058:				; CODE XREF: CmGetSystemDriverList+244j
		xor	eax, eax
		push	eax
		push	eax
		push	1
		push	2
		push	67h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE6067:				; CODE XREF: CmGetSystemDriverList+2B9j
		call	_CmpUnlockRegistry@0 ; CmpUnlockRegistry()
		jmp	loc_ACA2CD
; 

loc_AE6071:				; CODE XREF: CmGetSystemDriverList+2EAj
		lea	ecx, [ebp+var_B4]
		call	_CmpCloseSystemDriverHiveContext@4 ; CmpCloseSystemDriverHiveContext(x)
		jmp	loc_ACA2FE
; 

loc_AE6081:				; CODE XREF: CmGetSystemDriverList+315j
					; CmGetSystemDriverList+1C08Aj
		mov	esi, [edi]
		mov	ecx, edi
		call	_CmpCloseSystemDriverHiveContext@4 ; CmpCloseSystemDriverHiveContext(x)
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [ebp+var_30]
		mov	edi, esi
		cmp	esi, eax
		jnz	short loc_AE6081
		jmp	loc_ACA329
; 

loc_AE609F:				; CODE XREF: CmGetSystemDriverList+323j
					; CmGetSystemDriverList+1C0A1j
		mov	esi, [ecx]
		push	ebx
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [ebp+var_3C]
		mov	ecx, esi
		cmp	esi, eax
		jnz	short loc_AE609F
		jmp	loc_ACA337
; END OF FUNCTION CHUNK	FOR CmGetSystemDriverList
; 
; START	OF FUNCTION CHUNK FOR CmpFindRedirectedDriverServiceStateNode

loc_AE60B6:				; CODE XREF: CmpFindRedirectedDriverServiceStateNode+57j
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	(offset	loc_AF33BF+1)
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		mov	edi, eax
		lea	eax, [ebp+var_20]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	edi, 0FFFFFFFFh
		jz	loc_ACA493
		lea	eax, [ebp+var_28]
		push	eax
		push	edi
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_ACA493
		push	(offset	loc_AF3457+1)
		mov	edx, eax
		mov	ecx, esi
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		mov	edi, eax
		lea	eax, [ebp+var_28]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	edi, 0FFFFFFFFh
		jz	loc_ACA493
		lea	eax, [ebp+var_30]
		push	eax
		push	edi
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_ACA493
		push	(offset	loc_AF3327+1)
		mov	edx, eax
		mov	ecx, esi
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		mov	edi, eax
		lea	eax, [ebp+var_30]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	edi, 0FFFFFFFFh
		jz	loc_ACA493
		lea	eax, [ebp+var_38]
		push	eax
		push	edi
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_ACA493
		lea	ecx, [ebp+var_40]
		mov	edx, edi
		push	ecx
		lea	ecx, [ebp+var_C]
		push	ecx
		push	eax
		mov	ecx, esi
		call	CmpValueToData
		mov	edi, eax
		lea	eax, [ebp+var_38]
		push	eax
		push	esi
		mov	[ebp+var_14], edi
		call	dword ptr [esi+8]
		test	edi, edi
		jz	loc_ACA493
		mov	edx, [ebp+var_C]
		xor	ecx, ecx
		xor	eax, eax
		mov	word ptr [ebp+var_18+2], dx
		mov	word ptr [ebp+var_18], cx
		cmp	ax, dx
		jnb	short loc_AE61A5
		xor	ebx, ebx

loc_AE618A:				; CODE XREF: CmpFindRedirectedDriverServiceStateNode+1BD6Aj
		movzx	eax, cx
		shr	eax, 1
		cmp	[edi+eax*2], bx
		jz	short loc_AE61A2
		add	cx, 2
		mov	word ptr [ebp+var_18], cx
		cmp	cx, dx
		jb	short loc_AE618A

loc_AE61A2:				; CODE XREF: CmpFindRedirectedDriverServiceStateNode+1BD5Dj
		mov	ebx, [ebp+var_10]

loc_AE61A5:				; CODE XREF: CmpFindRedirectedDriverServiceStateNode+1BD50j
		push	[ebp+arg_10]
		lea	eax, [ebp+var_18]
		mov	edx, ebx
		push	[ebp+arg_C]
		mov	ecx, esi
		push	[ebp+arg_8]
		push	eax
		push	[ebp+arg_4]
		push	[ebp+arg_0]
		call	_CmpGetKnownHivePathNode@32 ; CmpGetKnownHivePathNode(x,x,x,x,x,x,x,x)
		mov	bl, al
		lea	eax, [ebp+var_40]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	al, bl
		jmp	loc_ACA495
; END OF FUNCTION CHUNK	FOR CmpFindRedirectedDriverServiceStateNode
; 
; START	OF FUNCTION CHUNK FOR CmpFindHiveSubKey

loc_AE61D2:				; CODE XREF: CmpFindHiveSubKey+6Fj
		push	[ebp+arg_8]
		push	esi
		push	edi
		call	dword ptr [edi+4]
		mov	ecx, eax
		mov	eax, [ebp+arg_4]
		test	ecx, ecx
		setz	bl
		dec	bl
		mov	[eax], ecx
		and	bl, 1
		jmp	loc_ACA511
; END OF FUNCTION CHUNK	FOR CmpFindHiveSubKey
; 
; START	OF FUNCTION CHUNK FOR CmpSortDriverList

loc_AE61F0:				; CODE XREF: CmpSortDriverList+CDj
		lea	eax, [ebp+var_20]
		push	eax
		push	edi
		call	dword ptr [edi+8]
		jmp	loc_ACA760
; END OF FUNCTION CHUNK	FOR CmpSortDriverList
; 
; START	OF FUNCTION CHUNK FOR CmSelectQualifiedInstallLanguage

loc_AE61FD:				; CODE XREF: CmSelectQualifiedInstallLanguage+10Cj
		and	[ebp+arg_4], 0
		jmp	loc_ACA9DC
; 

loc_AE6206:				; CODE XREF: CmSelectQualifiedInstallLanguage+F0j
		push	26h
		pop	esi
		jmp	loc_ACA9DC
; 

loc_AE620E:				; CODE XREF: CmSelectQualifiedInstallLanguage+16Aj
		lea	eax, [ebp+var_254]
		push	eax
		push	edi
		push	offset _CmControlHive
		call	ds:dword_AFD0CC
		test	eax, eax
		jz	loc_ACAA3A
		cmp	dword ptr [eax+0Ch], 7
		jnz	short loc_AE6295
		lea	ecx, [ebp+var_25C]
		mov	edx, edi
		push	ecx
		lea	ecx, [ebp+var_22C]
		mov	edi, offset _CmControlHive
		push	ecx
		push	eax
		mov	ecx, edi
		call	CmpValueToData
		test	eax, eax
		jz	short loc_AE629A
		cmp	[ebp+var_22C], 0A8h
		jnb	short loc_AE6285
		push	[ebp+var_22C]	; size_t
		push	eax		; void *
		lea	eax, [ebp+var_168]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		lea	ecx, [ebp+var_168] ; void *
		xor	edx, edx
		call	_DownLevelLanguageNameToLangID@8 ; DownLevelLanguageNameToLangID(x,x)
		mov	ds:_PsMachineUILanguageId, ax

loc_AE6285:				; CODE XREF: CmSelectQualifiedInstallLanguage+1B990j
		lea	eax, [ebp+var_25C]
		push	eax
		push	edi
		call	ds:dword_AFD0D0
		jmp	short loc_AE629A
; 

loc_AE6295:				; CODE XREF: CmSelectQualifiedInstallLanguage+1B963j
		mov	edi, offset _CmControlHive

loc_AE629A:				; CODE XREF: CmSelectQualifiedInstallLanguage+1B984j
					; CmSelectQualifiedInstallLanguage+1B9C9j
		lea	eax, [ebp+var_254]
		push	eax
		push	edi
		call	ds:dword_AFD0D0
		jmp	loc_ACAA3A
; 

loc_AE62AD:				; CODE XREF: CmSelectQualifiedInstallLanguage+21Bj
		mov	bl, [ebp+var_219]
		mov	bh, [ebp+var_21A]
		jmp	loc_ACAA96
; 

loc_AE62BE:				; CODE XREF: CmSelectQualifiedInstallLanguage+2DCj
		mov	edi, ecx
		cmp	edi, 0A8h
		ja	short loc_AE630D
		push	edi		; size_t
		lea	eax, [ebx+4Ch]
		push	eax		; void *
		lea	eax, [ebp+var_B8]
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		jmp	loc_ACABD0
; 

loc_AE62E1:				; CODE XREF: CmSelectQualifiedInstallLanguage+3B6j
		test	bl, bl
		jnz	loc_ACAA96
		test	byte ptr [ebp+var_234],	2
		mov	eax, [ebp+var_220]
		mov	ecx, [ebp+var_224]
		jz	loc_ACAA96
		mov	[ebp+var_238], edi
		jmp	loc_ACAD10
; 

loc_AE630D:				; CODE XREF: CmSelectQualifiedInstallLanguage+251j
					; CmSelectQualifiedInstallLanguage+26Cj ...
		lea	eax, [ebp+var_240]
		push	eax
		push	offset _CmControlHive
		call	ds:dword_AFD0D0
		mov	bl, [ebp+var_219]
		mov	bh, [ebp+var_21A]
		jmp	loc_ACACA5
; 

loc_AE6330:				; CODE XREF: CmSelectQualifiedInstallLanguage+40Cj
		test	bl, bl
		jnz	short loc_AE633C
		test	bh, bh
		jz	loc_ACACE9

loc_AE633C:				; CODE XREF: CmSelectQualifiedInstallLanguage+1BA68j
		mov	eax, [ebp+var_238]
		jmp	loc_ACACDF
; END OF FUNCTION CHUNK	FOR CmSelectQualifiedInstallLanguage
; 
; START	OF FUNCTION CHUNK FOR CmpFindTagIndex

loc_AE6347:				; CODE XREF: CmpFindTagIndex+F0j
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ACAE28
; END OF FUNCTION CHUNK	FOR CmpFindTagIndex
; 
; START	OF FUNCTION CHUNK FOR CmpAddDriverToList

loc_AE6354:				; CODE XREF: CmpAddDriverToList+14Fj
		lea	eax, [ebp+var_40]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		jmp	short loc_AE63BB
; 

loc_AE635E:				; CODE XREF: CmpAddDriverToList+1FFj
		movzx	eax, word ptr [edi+8]
		push	eax
		push	ecx
		call	dword ptr [esi+10h]
		jmp	loc_ACB04D
; 

loc_AE636C:				; CODE XREF: CmpAddDriverToList+21Ej
		movzx	eax, word ptr [edi+10h]
		push	eax
		push	ecx
		call	dword ptr [esi+10h]
		jmp	loc_ACB06C
; 

loc_AE637A:				; CODE XREF: CmpAddDriverToList+262j
		mov	dword ptr [edi+4Ch], 1
		jmp	loc_ACB0F2
; 

loc_AE6386:				; CODE XREF: CmpAddDriverToList+1B5j
					; CmpAddDriverToList+1C9j ...
		mov	eax, [ebp+var_2C]
		mov	[ebp+var_18], eax
		jmp	short loc_AE639B
; 

loc_AE638E:				; CODE XREF: CmpAddDriverToList+358j
		mov	eax, [ebp+var_20]
		movzx	eax, ax
		push	eax
		push	ebx
		call	dword ptr [esi+10h]
		xor	ebx, ebx

loc_AE639B:				; CODE XREF: CmpAddDriverToList+19Fj
					; CmpAddDriverToList+1B544j
		mov	ecx, [ebp+var_10]

loc_AE639E:				; CODE XREF: CmpAddDriverToList+459j
		test	ecx, ecx
		jz	short loc_AE63AB
		movzx	eax, word ptr [ebp+var_28]
		push	eax
		push	ecx
		call	dword ptr [esi+10h]

loc_AE63AB:				; CODE XREF: CmpAddDriverToList+1B558j
		mov	ecx, [ebp+var_18]
		test	ecx, ecx
		jz	short loc_AE63BB
		movzx	eax, word ptr [ebp+var_30]
		push	eax
		push	ecx
		call	dword ptr [esi+10h]

loc_AE63BB:				; CODE XREF: CmpAddDriverToList+10Fj
					; CmpAddDriverToList+137j ...
		test	ebx, ebx
		jz	loc_ACB1A6
		mov	ecx, [ebx+0Ch]
		test	ecx, ecx
		jz	short loc_AE63D3
		movzx	eax, word ptr [ebx+8]
		push	eax
		push	ecx
		call	dword ptr [esi+10h]

loc_AE63D3:				; CODE XREF: CmpAddDriverToList+1B580j
		mov	ecx, [ebx+14h]
		test	ecx, ecx
		jz	short loc_AE63E3
		movzx	eax, word ptr [ebx+10h]
		push	eax
		push	ecx
		call	dword ptr [esi+10h]

loc_AE63E3:				; CODE XREF: CmpAddDriverToList+1B590j
		mov	ecx, [edi+44h]
		test	ecx, ecx
		jz	short loc_AE63F3
		movzx	eax, word ptr [edi+40h]
		push	eax
		push	ecx
		call	dword ptr [esi+10h]

loc_AE63F3:				; CODE XREF: CmpAddDriverToList+1B5A0j
		push	50h
		push	edi
		call	dword ptr [esi+10h]
		jmp	loc_ACB1A6
; END OF FUNCTION CHUNK	FOR CmpAddDriverToList
; 
; START	OF FUNCTION CHUNK FOR CmpGetSystemControlValues

loc_AE63FE:				; CODE XREF: CmpGetSystemControlValues+C2j
		push	eax
		push	ebx
		push	1
		jmp	short loc_AE640E
; 

loc_AE6404:				; CODE XREF: CmpGetSystemControlValues+15Aj
		lea	eax, [ebp+var_174]
		push	eax
		push	esi
		push	3

loc_AE640E:				; CODE XREF: CmpGetSystemControlValues+1B156j
					; CmpGetSystemControlValues+1B1E2j
		push	1
		push	74h
		jmp	short loc_AE6420
; 

loc_AE6414:				; CODE XREF: CmpGetSystemControlValues+1B241j
		push	0
		push	0
		push	eax
		push	1
		push	12Ah

loc_AE6420:				; CODE XREF: CmpGetSystemControlValues+1B166j
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE6425:				; CODE XREF: CmpGetSystemControlValues+D8j
		lea	eax, [ebp+var_180]
		push	eax
		push	esi
		push	offset _CmControlHive
		call	ds:dword_AFD0CC
		mov	esi, eax
		test	esi, esi
		jz	loc_ACB576
		push	offset ??_C@_1CG@PBNNDBEJ@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS?$AAe?$AAt?$AAO?$AAv?$AAe?$AAr?$AAr@PBOPGDP@
		lea	eax, [ebp+var_174]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	edx, esi
		lea	eax, [ebp+var_174]
		mov	esi, offset _CmControlHive
		push	eax
		mov	ecx, esi
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		mov	[ebp+var_178], eax
		cmp	eax, 0FFFFFFFFh
		jz	loc_ACB576
		lea	eax, [ebp+var_180]
		push	eax
		push	esi
		jmp	loc_ACB418
; 

loc_AE6484:				; CODE XREF: CmpGetSystemControlValues+10Ej
		lea	eax, [ebp+var_174]
		push	eax
		push	esi
		push	2
		jmp	loc_AE640E
; 

loc_AE6493:				; CODE XREF: CmpGetSystemControlValues+182j
		cmp	byte ptr [edi+14h], 0
		jz	loc_ACB4C7
		jmp	loc_ACB434
; 

loc_AE64A2:				; CODE XREF: CmpGetSystemControlValues+346j
		lea	eax, [ebp+var_18C]
		push	eax
		push	offset _CmControlHive
		call	ds:dword_AFD0D0
		jmp	loc_ACB576
; 

loc_AE64B9:				; CODE XREF: CmpGetSystemControlValues+22Ej
		test	bl, bl
		jnz	loc_ACB4F8
		mov	ds:_PsDefaultSystemLocaleId, 409h
		jmp	loc_ACB4F8
; 

loc_AE64D0:				; CODE XREF: CmpGetSystemControlValues+2A0j
		mov	ds:_PsInstallUILanguageId, cx
		mov	ds:_CmInstallUILanguageFallbackToOOBm, 1
		jmp	loc_ACB552
; 

loc_AE64E6:				; CODE XREF: CmpGetSystemControlValues+28Bj
		cmp	ds:_psMUITest, 0
		jz	loc_AE6414
		mov	ax, word ptr ds:_PsDefaultSystemLocaleId
		mov	ds:_PsInstallUILanguageId, ax
		jmp	loc_ACB552
; 

loc_AE6504:				; CODE XREF: CmpGetSystemControlValues+2B8j
		cmp	bl, 1
		jnz	loc_ACB576
		jmp	loc_ACB56A
; END OF FUNCTION CHUNK	FOR CmpGetSystemControlValues
; 
; START	OF FUNCTION CHUNK FOR CmpFindDrivers

loc_AE6512:				; CODE XREF: CmpFindDrivers+66j
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_14]
		mov	ecx, esi
		push	eax
		push	[ebp+arg_1C]
		call	_CmpLoadManufacturingProfileServicesNode@20 ; CmpLoadManufacturingProfileServicesNode(x,x,x,x,x)
		test	al, al
		jnz	short loc_AE652F
		xor	edi, edi
		jmp	short loc_AE6534
; 

loc_AE652F:				; CODE XREF: CmpFindDrivers+1AEEDj
		mov	edi, [ebp+var_14]
		mov	ebx, esi

loc_AE6534:				; CODE XREF: CmpFindDrivers+1AEF1j
		mov	[ebp+var_C], edi
		jmp	loc_ACB6A8
; 

loc_AE653C:				; CODE XREF: CmpFindDrivers+8Aj
		mov	eax, [ebp+var_18]
		mov	[ebp+arg_0], eax
		mov	eax, [ebp+var_1C]
		mov	[ebp+var_1C], eax
		jmp	loc_ACB6D4
; 

loc_AE654D:				; CODE XREF: CmpFindDrivers+10Cj
					; CmpFindDrivers+1AF8Ej
		mov	edx, [edi+14h]
		lea	eax, [ebp+var_2C]
		mov	ecx, [edi+10h]
		push	eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_CmpLoadServicesNode@16	; CmpLoadServicesNode(x,x,x,x)
		test	al, al
		jz	short loc_AE65C5
		xor	eax, eax
		mov	[ebp+arg_1C], eax

loc_AE6569:				; CODE XREF: CmpFindDrivers+1AF62j
					; CmpFindDrivers+1AF7Fj
		mov	edx, [ebp+var_24]
		lea	ecx, [ebp+var_8]
		push	ecx
		mov	ecx, [edi+10h]
		push	eax
		call	_CmpFindSubKeyByNumber@16 ; CmpFindSubKeyByNumber(x,x,x,x)
		inc	[ebp+arg_1C]
		cmp	[ebp+var_8], 0FFFFFFFFh
		mov	eax, [edi+10h]
		jz	short loc_AE65BD
		mov	edx, [ebp+var_8]
		sub	esp, 0Ch
		mov	ecx, eax
		push	[ebp+var_C]
		push	ebx
		sub	esp, 0Ch
		call	CmpIsLoadType
		test	al, al
		mov	eax, [ebp+arg_1C]
		jz	short loc_AE6569
		mov	edx, [ebp+var_8]
		lea	eax, [edi+8]
		mov	ecx, [edi+10h]
		push	0
		push	[ebp+arg_14]
		push	eax
		push	[ebp+arg_4]
		push	esi
		call	CmpAddDriverToList
		mov	eax, [ebp+arg_1C]
		jmp	short loc_AE6569
; 

loc_AE65BD:				; CODE XREF: CmpFindDrivers+1AF47j
		lea	ecx, [ebp+var_2C]
		push	ecx
		push	eax
		call	dword ptr [eax+8]

loc_AE65C5:				; CODE XREF: CmpFindDrivers+1AF26j
		mov	edi, [edi]
		cmp	edi, [ebp+arg_8]
		jnz	short loc_AE654D
		jmp	loc_ACB74E
; 

loc_AE65D1:				; CODE XREF: CmpFindDrivers+114j
		cmp	[ebp+var_C], 0
		jz	loc_ACB756
		lea	eax, [ebp+var_34]
		push	eax
		push	ebx
		call	dword ptr [ebx+8]
		jmp	loc_ACB756
; 

loc_AE65E8:				; CODE XREF: CmpFindDrivers+11Fj
		cmp	[ebp+var_1C], 0
		jz	loc_ACB761
		lea	ecx, [ebp+var_3C]
		push	ecx
		push	eax
		call	dword ptr [eax+8]
		jmp	loc_ACB761
; END OF FUNCTION CHUNK	FOR CmpFindDrivers
; 
; START	OF FUNCTION CHUNK FOR CmpIsLoadType

loc_AE65FF:				; CODE XREF: CmpIsLoadType+60j
		cmp	[ebp+arg_10], ebx
		jz	loc_ACB7DC
		lea	ecx, [ebp+var_C]
		mov	edx, eax
		push	ecx
		mov	ecx, esi
		call	CmpGetNodeName
		mov	[ebp+var_14], eax
		test	eax, eax
		jz	short loc_AE6683
		push	eax
		lea	eax, [ebp+var_2C]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_AE666C
		mov	edx, [ebp+arg_10]
		lea	eax, [ebp+var_2C]
		mov	ecx, [ebp+arg_C]
		push	eax
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AE666C
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		mov	eax, [ebp+arg_C]
		push	eax
		call	dword ptr [eax+4]
		mov	edx, eax
		test	edx, edx
		jz	short loc_AE666C
		mov	edi, [ebp+arg_C]
		mov	ecx, edi
		push	(offset	loc_AF32AB+5)
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_1C]
		push	eax
		mov	eax, edi
		push	eax
		call	dword ptr [eax+8]

loc_AE666C:				; CODE XREF: CmpIsLoadType+1AEB2j
					; CmpIsLoadType+1AEC6j	...
		movzx	eax, word ptr [ebp+var_C]
		push	eax
		push	[ebp+var_14]
		call	dword ptr [esi+10h]
		mov	eax, [ebp+var_4]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_ACB7F4

loc_AE6683:				; CODE XREF: CmpIsLoadType+1AEA4j
		mov	edx, [ebp+var_8]
		mov	ecx, esi
		push	(offset	loc_AF32C7+1)
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		mov	edi, eax
		cmp	edi, 0FFFFFFFFh
		jz	loc_ACB835
		lea	eax, [ebp+var_34]
		push	eax
		push	edi
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	loc_ACB835
		lea	ecx, [ebp+var_3C]
		mov	edx, edi
		push	ecx
		lea	ecx, [ebp+var_10]
		push	ecx
		push	eax
		mov	ecx, esi
		call	CmpValueToData
		mov	edi, eax
		lea	eax, [ebp+var_34]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		test	edi, edi
		jz	loc_ACB835
		test	byte ptr [edi],	0Bh
		mov	edi, (offset loc_AF343F+1)
		jnz	short loc_AE66E1
		mov	edi, offset _CmpServiceWildcardString

loc_AE66E1:				; CODE XREF: CmpIsLoadType+1AF64j
		lea	eax, [ebp+var_3C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		mov	edx, [ebp+arg_10]
		push	edi
		mov	edi, [ebp+arg_C]
		mov	ecx, edi
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AE6730
		lea	ecx, [ebp+var_1C]
		push	ecx
		push	eax
		push	edi
		call	dword ptr [edi+4]
		test	eax, eax
		jz	short loc_AE6730
		push	(offset	loc_AF32AB+5)
		mov	edx, eax
		mov	ecx, edi
		call	_CmpFindValueByName@12 ; CmpFindValueByName(x,x,x)
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_1C]
		push	eax
		mov	eax, edi
		push	eax
		call	dword ptr [eax+8]
		mov	eax, [ebp+var_4]
		cmp	eax, 0FFFFFFFFh
		jnz	loc_ACB7F4

loc_AE6730:				; CODE XREF: CmpIsLoadType+1AF84j
					; CmpIsLoadType+1AF91j
		mov	eax, [ebp+var_8]
		jmp	loc_ACB7DC
; END OF FUNCTION CHUNK	FOR CmpIsLoadType
; 
; START	OF FUNCTION CHUNK FOR CmpGetBootValueData

loc_AE6738:				; CODE XREF: CmpGetBootValueData+73j
		xor	al, al
		jmp	loc_ACB88E
; END OF FUNCTION CHUNK	FOR CmpGetBootValueData
; 
; START	OF FUNCTION CHUNK FOR CmpGetNodeName

loc_AE673F:				; CODE XREF: CmpGetNodeName+29j
		add	eax, 2
		movzx	eax, ax
		mov	[ebp+arg_0], eax
		movzx	eax, ax
		push	eax
		mov	[ebp+var_4], eax
		call	ecx
		mov	esi, eax
		test	esi, esi
		jz	loc_ACBA56
		movzx	eax, word ptr [ebx+48h]
		push	eax		; size_t
		lea	eax, [ebx+4Ch]
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		mov	eax, [ebp+var_4]
		add	esp, 0Ch
		shr	eax, 1
		xor	ecx, ecx
		mov	[esi+eax*2-2], cx
		jmp	loc_ACBA43
; END OF FUNCTION CHUNK	FOR CmpGetNodeName
; 
; START	OF FUNCTION CHUNK FOR CmpConvertLangId

loc_AE677E:				; CODE XREF: CmpConvertLangId+3Cj
		cmp	eax, 46h
		ja	loc_ACBA9C
		add	eax, 0FFFFFFC9h
		jmp	short loc_AE6798
; 

loc_AE678C:				; CODE XREF: CmpConvertLangId+45j
		cmp	eax, 66h
		ja	loc_ACBAA5
		add	eax, 0FFFFFFA9h

loc_AE6798:				; CODE XREF: CmpConvertLangId+1AD30j
		movzx	eax, ax
		jmp	loc_ACBA7B
; END OF FUNCTION CHUNK	FOR CmpConvertLangId
; 
; START	OF FUNCTION CHUNK FOR ExpAeThresholdInitialization

loc_AE67A0:				; CODE XREF: ExpAeThresholdInitialization+E6j
					; ExpAeThresholdInitialization+F2j
		or	eax, 0FFFFFFFFh
		mov	ds:_ExpAeCycleCountScaler, 0FFh
		mov	ecx, eax
		jmp	loc_ACBBF4
; END OF FUNCTION CHUNK	FOR ExpAeThresholdInitialization
; 
; START	OF FUNCTION CHUNK FOR ExpValidateLoader

loc_AE67B1:				; CODE XREF: ExpValidateLoader+2Bj
					; ExpValidateLoader+3Bj ...
		push	esi
		push	edx
		push	eax
		push	edi
		push	100h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AE67C0:				; CODE XREF: KeInitializeClock+41j
		push	ebx
		push	ebx
		push	esi
		push	1
		push	33h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE67CC:				; CODE XREF: KeInitializeClock+5Aj
		test	byte ptr ds:_HvlpFlags,	2
		jz	loc_ACBDA9
		jmp	loc_ACBD8E
; END OF FUNCTION CHUNK	FOR ExpValidateLoader
; 
; START	OF FUNCTION CHUNK FOR KeInitializeClock

loc_AE67DE:				; CODE XREF: KeInitializeClock+75j
		mov	ds:_KiDynamicTickDisableReason,	3
		jmp	loc_ACBDA9
; 

loc_AE67ED:				; CODE XREF: KeInitializeClock+4Ej
					; KeInitializeClock+82j
		call	_PoTraceDynamicTickDisabled@0 ;	PoTraceDynamicTickDisabled()
		mov	ds:_KiForceIdleDisabled, ebx
		jmp	loc_ACBDB6
; 

loc_AE67FD:				; CODE XREF: KeInitializeClock+38j
		lea	eax, [ebp+var_38]
		push	eax
		call	ds:__imp__KeQueryPerformanceCounter@4 ;	KeQueryPerformanceCounter(x)
		mov	eax, [ebp+var_34]
		xor	ebx, ebx
		push	5
		pop	esi
		mul	esi
		inc	ebx
		mov	ecx, eax
		mov	eax, [ebp+var_38]
		mul	esi
		mov	ds:_KiClockStateUpdateTimeout, eax
		add	ecx, edx
		mov	eax, _KiClockTimerOwner
		mov	ds:dword_70E734, ecx
		mov	cl, 1Ch
		mov	eax, ds:_KiProcessorBlock[eax*4]
		mov	[eax+3D0h], bl
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_29], al
		mov	ds:_KiClockState, 0
		call	off_6B138C	; SymCryptFatalIntercept(x)
		xor	cl, cl
		call	KiSetPendingTick
		call	off_6B1388	; SymCryptFatalIntercept(x)
		push	ebx
		call	off_6B1384	; KeSetDmaIoCoherency(x)
		lea	eax, [ebp+var_48]
		push	eax
		push	0
		push	ds:_KeMaximumIncrement
		push	0
		call	off_6B1390	; ext_ms_win_ntos_tm_l1_1_0_TmPropagationComplete(x,x,x,x)
		mov	cl, bl
		call	KiSetPendingTick
		mov	eax, [ebp+var_48]
		mov	edi, offset _KiClockIntervalRequests
		mov	esi, ds:_KeMaximumIncrement
		mov	ecx, _KiClockIntervalRequests
		mov	ds:_KeTimeIncrement, eax
		mov	ds:_KeNonHrTimeIncrement, eax
		mov	ds:_KePseudoHrTimeIncrement, eax
		mov	eax, dword_6FB70C
		mov	_KiLastRequestedTimeIncrement, esi
		mov	dword_6CADD0, esi
		test	al, bl
		jz	short loc_AE68C4
		test	ecx, ecx
		jz	short loc_AE68C2
		xor	ecx, edi
		jmp	short loc_AE68C4
; 

loc_AE68C2:				; CODE XREF: KeInitializeClock+1AB8Ej
		xor	ecx, ecx

loc_AE68C4:				; CODE XREF: KeInitializeClock+1AB8Aj
					; KeInitializeClock+1AB92j
		movzx	edx, al
		and	edx, ebx
		mov	byte ptr [ebp+var_30], 0
		test	ecx, ecx
		jnz	loc_ACBE50

loc_AE68D5:				; CODE XREF: KeInitializeClock+14Cj
					; KeInitializeClock+154j
		push	offset _KiDefaultClockIntervalRequest
		push	[ebp+var_30]
		push	ecx
		push	edi
		call	RtlRbInsertNodeEx
		mov	cl, [ebp+var_29]
		mov	byte_6CADCC, bl
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	eax, ds:_KeTimeIncrement
		mov	dword_6CAB70, eax
		mov	dword_6CAB74, eax
		mov	eax, _KiLastRequestedTimeIncrement
		mov	dword_6CAB78, eax
		mov	dword_6CAB7C, eax
		jmp	loc_ACBDC8
; 

loc_AE6916:				; CODE XREF: KeInitializeClock+12Cj
		test	eax, eax
		jz	loc_ACBE7F
		xor	eax, ecx
		jmp	loc_ACBE60
; 

loc_AE6925:				; CODE XREF: KeInitializeClock+13Ej
		test	eax, eax
		jz	loc_ACBE76
		xor	eax, ecx
		jmp	loc_ACBE72
; 

loc_AE6934:				; CODE XREF: KeInitializeClock+D9j
		mov	ds:_KiDynamicTickDisableReason,	ebx
		jmp	loc_ACBE0D
; 

loc_AE693F:				; CODE XREF: KeInitializeClock+109j
		mov	ds:_KiDynamicTickDisableReason,	2
		jmp	loc_ACBE3D
; END OF FUNCTION CHUNK	FOR KeInitializeClock
; 
; START	OF FUNCTION CHUNK FOR ExInitSystem

loc_AE694E:				; CODE XREF: ExInitSystem+14j
					; DbgkInitialize+14j
		push	edx
		push	edx
		push	ecx
		push	3
		push	33h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AE695B:				; CODE XREF: ExInitializePoolTracker+48j
		mov	esi, ebx
		jmp	loc_ACC12A
; END OF FUNCTION CHUNK	FOR ExInitSystem
; 
; START	OF FUNCTION CHUNK FOR ExInitializePoolTracker

loc_AE6962:				; CODE XREF: ExInitializePoolTracker+71j
		mov	ds:_ExpCacheLineSize, ecx
		jmp	loc_ACC15B
; 

loc_AE696D:				; CODE XREF: ExInitializePoolTracker+79j
		mov	ds:_ExpCacheLineSize, esi
		jmp	loc_ACC15B
; 

loc_AE6978:				; CODE XREF: ExInitializePoolTracker+9Dj
		mov	esi, 200h
		jmp	short loc_AE6994
; 

loc_AE697F:				; CODE XREF: ExInitializePoolTracker+86j
		push	40h
		pop	esi
		cmp	eax, esi
		jb	short loc_AE6994
		bsr	ecx, eax
		mov	esi, ebx
		mov	[ebp+var_8], ecx
		shl	esi, cl
		jmp	short loc_AE6994
; 

loc_AE6992:				; CODE XREF: ExInitializePoolTracker+ABj
					; ExInitializePoolTracker+1A8CBj
		shr	esi, 1

loc_AE6994:				; CODE XREF: ExInitializePoolTracker+1A8A1j
					; ExInitializePoolTracker+1A8A8j ...
		mov	_PoolTrackTableSize, esi
		jmp	loc_ACC17F
; 

loc_AE699F:				; CODE XREF: ExInitializePoolTracker+CFj
		mov	esi, _PoolTrackTableSize
		cmp	esi, ebx
		jnz	short loc_AE6992
		mov	eax, 0C000009Ah
		jmp	loc_ACC306
; 

loc_AE69B3:				; CODE XREF: ExInitializePoolTracker+13Cj
		int	3		; Trap to Debugger

loc_AE69B4:				; CODE XREF: ExInitializePoolTracker+142j
		test	ds:byte_70EFC4,	41h
		jz	short loc_AE69D1
		push	edx
		push	ecx
		push	[ebp+var_4]
		mov	edx, 200h
		mov	ecx, 0E20h
		call	_EtwTracePool@20 ; EtwTracePool(x,x,x,x,x)

loc_AE69D1:				; CODE XREF: ExInitializePoolTracker+1A8DFj
		movzx	eax, large byte	ptr fs:51h
		mov	edx, _PoolTrackTableMask
		mov	[ebp+var_18], edx
		mov	ebx, _ExPoolTagTables[eax*4]
		mov	eax, _PoolTrackTableSize
		mov	[ebp+var_14], eax
		mov	eax, [ebp+var_4]
		movzx	ecx, al
		shl	ecx, 2
		movzx	eax, ah
		xor	ecx, eax
		mov	[ebp+var_20], ebx
		movzx	eax, byte ptr [ebp+var_4+2]
		shl	ecx, 2
		xor	ecx, eax
		movzx	eax, byte ptr [ebp+var_4+3]
		shl	ecx, 2
		xor	ecx, eax
		imul	esi, ecx, 9E5Fh
		sar	esi, 2
		and	esi, edx
		mov	[ebp+var_1C], esi
		jmp	loc_ACC280
; 

loc_AE6A27:				; CODE XREF: ExInitializePoolTracker+170j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_34]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_ACC274
; 

loc_AE6A37:				; CODE XREF: ExInitializePoolTracker+192j
		lea	ecx, [ebp+var_34]
		call	KxWaitForLockChainValid

loc_AE6A3F:				; CODE XREF: ExInitializePoolTracker+17Bj
		xor	ecx, ecx
		mov	[ebp+var_34], 0
		add	eax, 4
		inc	ecx
		lock xor [eax],	ecx
		jmp	loc_ACC274
; END OF FUNCTION CHUNK	FOR ExInitializePoolTracker
; 
; START	OF FUNCTION CHUNK FOR ExpUpdateProductType

loc_AE6A54:				; CODE XREF: ExpUpdateProductType+4Aj
		cmp	ecx, 2
		jnz	short loc_AE6A62
		cmp	eax, 3
		jz	loc_ACC726

loc_AE6A62:				; CODE XREF: ExpUpdateProductType+1A381j
		mov	ds:0FFDF0264h, eax
		jmp	loc_ACC726
; END OF FUNCTION CHUNK	FOR ExpUpdateProductType
; 
; START	OF FUNCTION CHUNK FOR ExpStringCheck

loc_AE6A6C:				; CODE XREF: ExpStringCheck+288j
		mov	_KdDumpEnableOffset, 8
		jmp	loc_ACC9B8
; END OF FUNCTION CHUNK	FOR ExpStringCheck
; 
; START	OF FUNCTION CHUNK FOR VerifierInitSystem

loc_AE6A7B:				; CODE XREF: VerifierInitSystem+13j
		push	0
		push	0
		push	edx
		push	4
		push	33h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AE6A8A:				; CODE XREF: ViInitSystemPhase0+38j
		mov	_MmVerifierTrimFrequency, 7
		jmp	loc_ACCACA
; END OF FUNCTION CHUNK	FOR VerifierInitSystem
; 
; START	OF FUNCTION CHUNK FOR ViInitSystemPhase0

loc_AE6A99:				; CODE XREF: ViInitSystemPhase0+40j
		call	_VfDisableCodeIntegrityBreaks@0	; VfDisableCodeIntegrityBreaks()
		jmp	loc_ACCAD2
; 

loc_AE6AA3:				; CODE XREF: ViInitSystemPhase0+B3j
		mov	_VfRuleClasses,	ecx
		jmp	loc_ACCB52
; 

loc_AE6AAE:				; CODE XREF: ViInitSystemPhase0+C0j
		call	_ViDisableVerification@0 ; ViDisableVerification()
		test	_VfOptionFlags,	410h
		jz	loc_ACCBEF
		mov	_VfClearanceFlag, 1
		jmp	loc_ACCBEF
; 

loc_AE6AD2:				; CODE XREF: ViInitSystemPhase0+C8j
		test	esi, esi
		jz	loc_ACCB5A
		mov	eax, [esi+28h]
		mov	ds:_VfBugcheckTmpData, eax
		mov	eax, [esi+2Ch]
		mov	ds:dword_AB1D04, eax
		mov	eax, [esi+30h]
		mov	ds:dword_AB1D08, eax
		mov	eax, [esi+34h]
		mov	ds:dword_AB1D0C, eax
		mov	eax, [esi+38h]
		mov	ds:dword_AB1D10, eax
		jmp	loc_ACCB5A
; 

loc_AE6B07:				; CODE XREF: ViInitSystemPhase0+DEj
		cmp	ecx, edx
		jz	short loc_AE6B2D
		mov	eax, ds:_MmVerifyDriverBufferLength
		test	eax, eax
		jz	short loc_AE6B18
		cmp	eax, edx
		jb	short loc_AE6B21

loc_AE6B18:				; CODE XREF: ViInitSystemPhase0+1A086j
		cmp	ds:_VfRandomVerifiedDrivers, 0
		jbe	short loc_AE6B2D

loc_AE6B21:				; CODE XREF: ViInitSystemPhase0+1A08Aj
		test	edi, edi
		jnz	short loc_AE6B2D
		xor	eax, eax
		inc	eax
		jmp	loc_ACCB6F
; 

loc_AE6B2D:				; CODE XREF: ViInitSystemPhase0+D8j
					; ViInitSystemPhase0+1A07Dj ...
		xor	eax, eax
		jmp	loc_ACCB6F
; 

loc_AE6B34:				; CODE XREF: ViInitSystemPhase0+11Bj
		cmp	ds:_VfRandomVerifiedDrivers, 0
		jnz	short loc_AE6B52
		cmp	ds:_MmVerifyDriverBufferLength,	esi
		jnz	short loc_AE6B52
		push	4
		pop	edx
		mov	ecx, offset ??_C@_13BBDEGPLJ@?$AA?$CK@PBOPGDP@ ; void *
		call	_VfInitSetVerifyDriverTargets@8	; VfInitSetVerifyDriverTargets(x,x)

loc_AE6B52:				; CODE XREF: ViInitSystemPhase0+1A0AFj
					; ViInitSystemPhase0+1A0B7j
		mov	eax, _MmVerifyDriverLevel
		cmp	eax, esi
		jz	loc_ACCBAD
		test	eax, 400000h
		jz	loc_ACCBAD
		xor	ebx, ebx
		jmp	loc_ACCBB5
; 

loc_AE6B71:				; CODE XREF: ViInitSystemPhase0+13Fj
		mov	_ViVerifyAllDrivers, 1
		mov	_KernelVerifier, 1
		mov	_ViForceAllDriversSuspect, 1

loc_AE6B8F:				; CODE XREF: ViInitSystemPhase0+136j
		mov	ds:_MmVerifyDriverBufferLength,	ebx

loc_AE6B95:				; CODE XREF: ViInitSystemPhase0+14Bj
		mov	ds:_VfRandomVerifiedDrivers, ebx

loc_AE6B9B:				; CODE XREF: ViInitSystemPhase0+1A310j
					; ViInitSystemPhase0+1A31Ej
		test	byte ptr _VfOptionFlags, 1
		jz	short loc_AE6BB1
		cmp	ds:_VfRandomVerifiedDrivers, 0
		jz	loc_AE6E30

loc_AE6BB1:				; CODE XREF: ViInitSystemPhase0+1A116j
		cmp	_ViVerifyAllDrivers, 0
		jnz	loc_AE6E3A
		cmp	ds:_VfRandomVerifiedDrivers, 0
		jnz	loc_AE6E3A
		mov	eax, ds:_MmVerifyDriverBufferLength
		mov	edx, offset _MmVerifyDriverBuffer
		add	eax, 0FFFFFFFEh
		shr	eax, 1
		lea	edi, _MmVerifyDriverBuffer[eax*2]
		cmp	edi, edx
		jbe	loc_AE6E3A
		push	9
		pop	ebx
		push	0Ah
		pop	ecx
		push	0Dh
		pop	esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], 20h
		mov	[ebp+var_8], 3000h
		mov	[ebp+var_14], 22h

loc_AE6C0A:				; CODE XREF: ViInitSystemPhase0+1A393j
		movzx	eax, word ptr [edx]
		cmp	ax, bx
		jz	loc_AE6E13
		cmp	ax, cx
		jz	loc_AE6E13
		cmp	ax, si
		jz	loc_AE6E13
		push	20h
		pop	esi
		cmp	ax, si
		jz	loc_AE6E13
		mov	esi, 3000h
		cmp	ax, si
		jz	loc_AE6E13
		test	ax, ax
		jz	loc_AE6E13
		cmp	eax, 2Ah
		jz	loc_AE6E30
		lea	esi, [edx+2]
		cmp	ax, word ptr [ebp+var_14]
		jnz	loc_AE6DD6
		mov	edx, esi
		lea	esi, [edx+2]
		cmp	esi, edi
		jnb	loc_AE6E3A
		push	22h
		pop	eax

loc_AE6C71:				; CODE XREF: ViInitSystemPhase0+1A1EFj
		cmp	[esi], ax
		jz	short loc_AE6C7D
		add	esi, 2
		cmp	esi, edi
		jb	short loc_AE6C71

loc_AE6C7D:				; CODE XREF: ViInitSystemPhase0+1A1E8j
		cmp	esi, edi
		jb	loc_AE6DDA
		jmp	loc_AE6E3A
; 

loc_AE6C8A:				; CODE XREF: ViInitSystemPhase0+15Dj
		mov	edx, 200h
		cmp	eax, edx
		jbe	short loc_AE6C9A
		mov	eax, edx
		mov	ds:_VfRandomVerifiedDrivers, eax

loc_AE6C9A:				; CODE XREF: ViInitSystemPhase0+1A205j
		mov	ecx, ds:_ViExpectedDriversCount
		lea	edi, [ecx+2]
		cmp	edi, edx
		jbe	short loc_AE6CA9
		mov	edi, edx

loc_AE6CA9:				; CODE XREF: ViInitSystemPhase0+1A219j
		add	eax, eax
		mov	ds:_VfRandomTargetsBitMapHeader, edx
		cmp	eax, ecx
		mov	ds:dword_AB0C9C, offset	_VfRandomTargetsBitMap
		push	offset _VfRandomTargetsBitMapHeader
		setnbe	[ebp+var_1]
		call	_RtlClearAllBits@4 ; RtlClearAllBits(x)
		cmp	ds:_VfRandomVerifiedDrivers, 0
		mov	[ebp+var_10], ebx
		jbe	loc_AE6D89
		lea	eax, [edi-1]

loc_AE6CDE:				; CODE XREF: ViInitSystemPhase0+1A2F2j
		push	eax
		push	1
		call	_VfRandomGetNumber@8 ; VfRandomGetNumber(x,x)
		mov	ecx, ds:dword_AB0C9C
		mov	ebx, eax
		shr	eax, 3
		mov	[ebp+var_14], eax
		mov	[ebp+var_8], ecx
		mov	al, [eax+ecx]
		mov	cl, bl
		and	cl, 7
		mov	dl, al
		sar	dl, cl
		test	dl, 1
		jz	short loc_AE6D5C
		cmp	[ebp+var_1], 0
		jz	short loc_AE6D14
		inc	esi
		mov	[ebp+var_C], esi
		jmp	short loc_AE6D6E
; 

loc_AE6D14:				; CODE XREF: ViInitSystemPhase0+1A280j
		mov	edx, ebx

loc_AE6D16:				; CODE XREF: ViInitSystemPhase0+1A2AEj
		lea	eax, [edx+1]
		xor	edx, edx
		div	edi
		test	edx, edx
		jnz	short loc_AE6D22
		inc	edx

loc_AE6D22:				; CODE XREF: ViInitSystemPhase0+1A293j
		mov	eax, [ebp+var_8]
		mov	esi, edx
		shr	esi, 3
		mov	cl, dl
		and	cl, 7
		mov	al, [esi+eax]
		sar	al, cl
		test	al, 1
		jz	short loc_AE6D3E
		cmp	edx, ebx
		jnz	short loc_AE6D16
		jmp	short loc_AE6D84
; 

loc_AE6D3E:				; CODE XREF: ViInitSystemPhase0+1A2AAj
		mov	eax, [ebp+var_8]
		movsx	ecx, byte ptr [esi+eax]
		mov	eax, edx
		and	eax, 7
		bts	ecx, eax
		mov	eax, [ebp+var_8]
		mov	[esi+eax], cl
		cmp	edx, ebx
		jz	short loc_AE6D84
		mov	esi, [ebp+var_C]
		jmp	short loc_AE6D6E
; 

loc_AE6D5C:				; CODE XREF: ViInitSystemPhase0+1A27Aj
		mov	ecx, [ebp+var_14]
		and	ebx, 7
		mov	edx, [ebp+var_8]
		movsx	eax, al
		bts	eax, ebx
		mov	[ecx+edx], al

loc_AE6D6E:				; CODE XREF: ViInitSystemPhase0+1A286j
					; ViInitSystemPhase0+1A2CEj
		mov	eax, [ebp+var_10]
		inc	eax
		cmp	eax, ds:_VfRandomVerifiedDrivers
		mov	[ebp+var_10], eax
		lea	eax, [edi-1]
		jb	loc_AE6CDE

loc_AE6D84:				; CODE XREF: ViInitSystemPhase0+1A2B0j
					; ViInitSystemPhase0+1A2C9j
		mov	esi, [ebp+var_C]
		xor	ebx, ebx

loc_AE6D89:				; CODE XREF: ViInitSystemPhase0+1A249j
		sub	ds:_VfRandomVerifiedDrivers, esi
		cmp	_VfVerifyMode, 2
		mov	ds:_MmVerifyDriverBufferLength,	ebx
		jle	loc_AE6B9B
		push	2
		pop	ecx
		call	_VfSetVerifierRunningMode@4 ; VfSetVerifierRunningMode(x)
		jmp	loc_AE6B9B
; 

loc_AE6DAF:				; CODE XREF: ViInitSystemPhase0+1A34Cj
		movzx	eax, word ptr [esi]
		cmp	ax, bx
		jz	short loc_AE6DDA
		cmp	ax, cx
		jz	short loc_AE6DDA
		cmp	ax, word ptr [ebp+var_10]
		jz	short loc_AE6DDA
		cmp	ax, word ptr [ebp+var_C]
		jz	short loc_AE6DDA
		cmp	ax, word ptr [ebp+var_8]
		jz	short loc_AE6DDA
		test	ax, ax
		jz	short loc_AE6DDA
		add	esi, 2

loc_AE6DD6:				; CODE XREF: ViInitSystemPhase0+1A1CFj
		cmp	esi, edi
		jb	short loc_AE6DAF

loc_AE6DDA:				; CODE XREF: ViInitSystemPhase0+1A1F3j
					; ViInitSystemPhase0+1A329j ...
		mov	eax, esi
		sub	eax, edx
		sar	eax, 1
		add	eax, eax
		jz	short loc_AE6E15
		movzx	ecx, ax
		mov	word ptr [ebp+var_1C], cx
		lea	eax, [ecx+2]
		mov	word ptr [ebp+var_1C+2], ax
		cmp	ax, cx
		jb	short loc_AE6E3A
		push	1
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_18], edx
		push	eax
		push	(offset	loc_A5042F+1)
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_AE6E24
		push	0Ah
		pop	ecx
		jmp	short loc_AE6E15
; 

loc_AE6E13:				; CODE XREF: ViInitSystemPhase0+1A184j
					; ViInitSystemPhase0+1A18Dj ...
		mov	esi, edx

loc_AE6E15:				; CODE XREF: ViInitSystemPhase0+1A356j
					; ViInitSystemPhase0+1A385j
		lea	edx, [esi+2]
		cmp	edx, edi
		jnb	short loc_AE6E3A
		push	0Dh
		pop	esi
		jmp	loc_AE6C0A
; 

loc_AE6E24:				; CODE XREF: ViInitSystemPhase0+1A380j
		mov	_KernelVerifier, 1
		jmp	short loc_AE6E3A
; 

loc_AE6E30:				; CODE XREF: ViInitSystemPhase0+1A11Fj
					; ViInitSystemPhase0+1A1C2j
		mov	_ViVerifyAllDrivers, 1

loc_AE6E3A:				; CODE XREF: ViInitSystemPhase0+1A12Cj
					; ViInitSystemPhase0+1A139j ...
		xor	edx, edx
		inc	edx
		call	_VfInitSystemNoRebootNeeded@8 ;	VfInitSystemNoRebootNeeded(x,x)
		jmp	loc_ACCBEF
; 

loc_AE6E47:				; CODE XREF: ViInitSystemPhase0+F9j
					; ViInitSystemPhase0+105j
		mov	eax, _VfRuleClasses
		mov	_VfRuleClassesRecord, eax
		mov	eax, dword_6FDE00
		mov	dword_6BDF3C, eax
		call	_ViDisableVerification@0 ; ViDisableVerification()
		jmp	loc_ACCBEF
; END OF FUNCTION CHUNK	FOR ViInitSystemPhase0
; 
; START	OF FUNCTION CHUNK FOR VfRandomInit

loc_AE6E65:				; CODE XREF: VfRandomInit+7j
		movzx	eax, word ptr ds:_VfRandomVerifiedDrivers+2
		xor	ecx, ecx
		mov	ds:_ViExpectedDriversCount, eax
		mov	word ptr ds:_VfRandomVerifiedDrivers+2,	cx
		cmp	eax, 3
		jnb	short loc_AE6E8E
		mov	ds:_ViExpectedDriversCount, 100h
		jmp	loc_ACCC01
; 

loc_AE6E8E:				; CODE XREF: VfRandomInit+1A289j
		mov	ecx, 200h
		cmp	eax, ecx
		jbe	loc_ACCC01
		mov	ds:_ViExpectedDriversCount, ecx
		jmp	loc_ACCC01
; END OF FUNCTION CHUNK	FOR VfRandomInit
; 
; START	OF FUNCTION CHUNK FOR VfTriageSystem

loc_AE6EA6:				; CODE XREF: VfTriageSystem+43j
		test	eax, eax
		jnz	short loc_AE6EB4
		push	offset ??_C@_0EC@NANKEBNG@CRASH?5TRIAGE?3?5triage?5skipped?5be@PBOPGDP@
		jmp	loc_ACCC5E
; 

loc_AE6EB4:				; CODE XREF: VfTriageSystem+1A298j
		jns	short loc_AE6ED5
		movzx	ebx, ax
		push	ebx		; char
		push	offset ??_C@_0CI@LFJCAECG@CRASH?5TRIAGE?3?5simulated?5crash?5c@PBOPGDP@	; char *
		push	3		; int
		push	5Dh		; int
		mov	_ViVerifyTriage, 1
		call	_DbgPrintEx
		add	esp, 10h

loc_AE6ED5:				; CODE XREF: VfTriageSystem:loc_AE6EB4j
		mov	eax, [edi+84h]
		test	eax, eax
		jnz	short loc_AE6EE9
		push	offset ??_C@_0CG@KGBHOPLP@CRASH?5TRIAGE?3?5null?5loader?5exten@PBOPGDP@
		jmp	loc_ACCC5E
; 

loc_AE6EE9:				; CODE XREF: VfTriageSystem+1A2CDj
		cmp	dword ptr [eax], 0D30h
		jnb	short loc_AE6EFB
		push	offset ??_C@_0DB@LHLIJKDI@CRASH?5TRIAGE?3?5unexpected?5loader@PBOPGDP@
		jmp	loc_ACCC5E
; 

loc_AE6EFB:				; CODE XREF: VfTriageSystem+1A2DFj
		mov	eax, [eax+1Ch]
		lea	ecx, [ebp+var_10]
		push	ecx
		lea	ecx, [ebp+var_14]
		mov	[ebp+var_C], eax
		push	ecx
		lea	ecx, [ebp+var_18]
		push	ecx
		lea	ecx, [ebp+var_1C]
		push	ecx
		lea	edx, [ebp+var_20]
		mov	ecx, eax
		call	_TriageGetBugcheckData@24 ; TriageGetBugcheckData(x,x,x,x,x,x)
		test	eax, eax
		jns	short loc_AE6F49
		test	ebx, ebx
		jnz	short loc_AE6F2D
		push	offset ??_C@_0CL@CEIILJGF@CRASH?5TRIAGE?3?5standard?5retail?5e@PBOPGDP@
		jmp	loc_ACCC5E
; 

loc_AE6F2D:				; CODE XREF: VfTriageSystem+1A311j
		and	[ebp+var_4], 0
		mov	edi, esi
		mov	[ebp+var_20], ebx
		mov	eax, offset ??_C@_0CP@BKDEPIBK@CRASH?5TRIAGE?3?5a?5fake?5crash?5will@PBOPGDP@
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		jmp	short loc_AE6F5E
; 

loc_AE6F49:				; CODE XREF: VfTriageSystem+1A30Dj
		mov	edi, [ebp+var_18]
		mov	eax, offset ??_C@_0CG@PLDDMJHL@CRASH?5TRIAGE?3?5a?5real?5crash?5happ@PBOPGDP@
		mov	esi, [ebp+var_1C]
		mov	ebx, [ebp+var_20]
		mov	[ebp+var_4], 1

loc_AE6F5E:				; CODE XREF: VfTriageSystem+1A337j
		push	eax		; char *
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		push	[ebp+var_10]
		push	[ebp+var_14]
		push	edi
		push	esi
		push	ebx		; char
		push	offset ??_C@_0DH@OBGLAHLC@CRASH?5TRIAGE?3?5previous?5crash?5wa@PBOPGDP@	; char *
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 20h
		lea	esi, [ebp+var_20]
		cmp	[ebp+var_4], 0
		mov	edi, offset _ViTriageCrashData
		push	5
		pop	ecx
		rep movsd
		jz	short loc_AE6FC9
		mov	esi, [ebp+var_8]
		mov	ecx, esi
		call	_MmTriageActiveInLastCrash@4 ; MmTriageActiveInLastCrash(x)
		cmp	eax, 1
		jnz	short loc_AE6FB1
		push	offset ??_C@_0FI@KGHHEFKP@CRASH?5TRIAGE?3?5triage?5skipped?5be@PBOPGDP@
		jmp	loc_ACCC5E
; 

loc_AE6FB1:				; CODE XREF: VfTriageSystem+1A395j
		mov	edx, [ebp+var_C]
		mov	ecx, esi
		call	_ViTriageSameDriversFromDump@8 ; ViTriageSameDriversFromDump(x,x)
		test	eax, eax
		jnz	short loc_AE6FC9
		push	offset ??_C@_0DJ@CEGDOEDA@CRASH?5TRIAGE?3?5some?5drivers?5chan@PBOPGDP@
		jmp	loc_ACCC5E
; 

loc_AE6FC9:				; CODE XREF: VfTriageSystem+1A386j
					; VfTriageSystem+1A3ADj
		mov	edx, ds:_ViVerifyTriageRulesSize
		mov	esi, offset _ViVerifyTriageRules
		mov	ecx, esi	; char
		call	_ViValidateTriageRules@8 ; ViValidateTriageRules(x,x)
		test	eax, eax
		jnz	short loc_AE6FE9
		push	offset ??_C@_0DO@BCCPJMDG@CRASH?5TRIAGE?3?5triage?5disabled?5d@PBOPGDP@
		jmp	loc_ACCC5E
; 

loc_AE6FE9:				; CODE XREF: VfTriageSystem+1A3CDj
		push	30h
		pop	edx
		mov	ecx, offset _ViInternalTriageRules ; char
		call	_ViValidateTriageRules@8 ; ViValidateTriageRules(x,x)
		test	eax, eax
		jnz	short loc_AE7004
		push	offset ??_C@_0DO@FDLDCNLE@CRASH?5TRIAGE?3?5triage?5disabled?5d@PBOPGDP@
		jmp	loc_ACCC5E
; 

loc_AE7004:				; CODE XREF: VfTriageSystem+1A3E8j
		mov	edx, ds:_ViVerifyTriageRulesSize
		mov	ecx, esi
		push	ebx
		xor	edi, edi
		call	_ViFindTriageRule@12 ; ViFindTriageRule(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_AE7045
		push	ebx
		push	30h
		pop	edx
		mov	ecx, offset _ViInternalTriageRules
		call	_ViFindTriageRule@12 ; ViFindTriageRule(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_AE7045
		push	ebx		; char
		push	offset ??_C@_0DD@HCAOJOAG@CRASH?5TRIAGE?3?5crash?5code?5?$CFIx?5wi@PBOPGDP@ ; char *
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	loc_ACCC6A
; 

loc_AE7045:				; CODE XREF: VfTriageSystem+1A408j
					; VfTriageSystem+1A41Cj
		cmp	dword ptr [esi], 80000h
		jnb	short loc_AE7069
		call	_ViFindTriageDriverTargets@8 ; ViFindTriageDriverTargets(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AE7069
		push	offset ??_C@_0CI@GLHLNLAP@CRASH?5TRIAGE?3?5no?5?$GAtargets?8?5rule@PBOPGDP@ ; char *
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 0Ch

loc_AE7069:				; CODE XREF: VfTriageSystem+1A43Bj
					; VfTriageSystem+1A446j
		cmp	dword ptr [esi+4], 0
		jz	short loc_AE7091
		mov	edx, edi
		mov	ecx, esi
		call	_ViMakeVerifierSettings@8 ; ViMakeVerifierSettings(x,x)
		push	offset ??_C@_0BP@IMNEAIDJ@CRASH?5TRIAGE?3?5triage?5enabled?$CB?6@PBOPGDP@ ; char *
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		xor	eax, eax
		add	esp, 0Ch
		inc	eax
		jmp	loc_ACCC6C
; 

loc_AE7091:				; CODE XREF: VfTriageSystem+1A45Dj
		push	offset ??_C@_0DP@OFEDJCGI@CRASH?5TRIAGE?3?5triage?5disabled?5d@PBOPGDP@
		jmp	loc_ACCC5E
; END OF FUNCTION CHUNK	FOR VfTriageSystem
; 
; START	OF FUNCTION CHUNK FOR ViInitSystemPhase1

loc_AE709B:				; CODE XREF: ViInitSystemPhase1+Aj
		call	_VfPoolInitPhase1@0 ; VfPoolInitPhase1()
		call	_VfSettingsMiscellaneousChecksInitPhase1@0 ; VfSettingsMiscellaneousChecksInitPhase1()
		call	_VfPendingInitPhase1@0 ; VfPendingInitPhase1()
		jmp	loc_ACCC88
; END OF FUNCTION CHUNK	FOR ViInitSystemPhase1
; 
; START	OF FUNCTION CHUNK FOR InitializeDynamicPartitioningPolicy

loc_AE70AF:				; CODE XREF: InitializeDynamicPartitioningPolicy+20j
		test	byte ptr ds:_HvlpFlags,	2
		jnz	locret_ACCCD6
		call	HviIsAnyHypervisorPresent
		test	al, al
		mov	eax, (offset loc_ADCDAF+1)
		jnz	short loc_AE70CF
		mov	eax, offset ??_C@_1EI@BEACFJPF@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAP@PBOPGDP@

loc_AE70CF:				; CODE XREF: InitializeDynamicPartitioningPolicy+1A418j
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		push	eax
		push	4
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_14]
		push	eax
		call	_ZwQueryLicenseValue@20	; ZwQueryLicenseValue(x,x,x,x,x)
		test	eax, eax
		js	locret_ACCCD6
		cmp	[ebp+var_4], 4
		jnz	locret_ACCCD6
		cmp	[ebp+var_8], 4
		jnz	locret_ACCCD6
		cmp	[ebp+var_C], 0
		jz	locret_ACCCD6
		test	byte ptr ds:_HvlpFlags,	4
		jnz	locret_ACCCD6
		mov	ds:_KeDynamicPartitioningSupported, 1
		or	dword ptr ds:0FFDF02F0h, 20h
		leave
		retn
; END OF FUNCTION CHUNK	FOR InitializeDynamicPartitioningPolicy
; 
; START	OF FUNCTION CHUNK FOR BvgaDriverInitialize

loc_AE7133:				; CODE XREF: BvgaDriverInitialize+C0j
		mov	eax, [ebp+arg_4]
		mov	eax, [eax+78h]
		test	eax, eax
		jz	short loc_AE7146
		push	eax		; char *
		call	__strupr
		pop	ecx
		jmp	short loc_AE7148
; 

loc_AE7146:				; CODE XREF: BvgaDriverInitialize+1A3E7j
		mov	eax, ecx

loc_AE7148:				; CODE XREF: BvgaDriverInitialize+1A3F0j
		test	eax, eax
		jz	short loc_AE7167
		push	offset ??_C@_08GADDGKEM@BOOTLOGO@PBOPGDP@ ; char *
		push	eax		; char *
		call	_strstr
		neg	eax
		pop	ecx
		sbb	al, al
		inc	al
		pop	ecx
		mov	byte ptr [ebp+var_4], al
		jmp	loc_ACCD83
; 

loc_AE7167:				; CODE XREF: BvgaDriverInitialize+1A3F6j
		mov	byte ptr [ebp+var_4], bl
		jmp	loc_ACCD83
; 

loc_AE716F:				; CODE XREF: BvgaDriverInitialize+6Aj
		mov	_ResourceCount,	ecx
		mov	eax, ecx
		jmp	loc_ACCDC4
; END OF FUNCTION CHUNK	FOR BvgaDriverInitialize
; 
; START	OF FUNCTION CHUNK FOR HeadlessInit

loc_AE717C:				; CODE XREF: HeadlessInit+31j
		cmp	dword ptr [edx+8], 4
		jbe	short loc_AE718B
		cmp	byte ptr [edx],	0
		jz	loc_ACCF69

loc_AE718B:				; CODE XREF: HeadlessInit+1A24Ej
		push	736C6448h
		push	60h
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_ACCF69
		push	5Ch		; size_t
		lea	ecx, [ebx+4]
		push	0		; int
		push	ecx		; void *
		call	_memset
		and	dword ptr [ebx], 0
		lea	edi, [ebx+40h]
		mov	edx, [ebp+var_B8]
		add	esp, 0Ch
		mov	ecx, [edx+8]
		lea	esi, [edx+20h]
		shl	ecx, 9
		xor	ecx, [ebx+18h]
		and	ecx, 0E00h
		xor	ecx, [ebx+18h]
		mov	[ebx+18h], ecx
		mov	eax, [edx+0Ch]
		mov	[ebx+24h], eax
		mov	eax, [edx+4]
		mov	[ebx+1Ch], eax
		movzx	eax, byte ptr [edx+3]
		shl	eax, 7
		xor	eax, ecx
		and	eax, 80h
		xor	ecx, eax
		mov	[ebx+18h], ecx
		movzx	eax, byte ptr [edx+2]
		shl	eax, 8
		xor	eax, ecx
		and	eax, 100h
		xor	ecx, eax
		mov	[ebx+18h], ecx
		movzx	eax, byte ptr [edx]
		shl	eax, 3
		xor	eax, ecx
		and	eax, 8
		xor	ecx, eax
		mov	[ebx+18h], ecx
		mov	[ebp+var_B4], ecx
		mov	cl, [edx+30h]
		mov	[ebx+50h], cl
		test	cl, cl
		mov	byte ptr [ebx+51h], 0
		mov	al, [edx+31h]
		mov	[ebx+34h], al
		mov	al, [edx+32h]
		mov	ecx, [ebp+var_B4]
		mov	[ebx+35h], al
		mov	al, [edx+33h]
		mov	[ebx+36h], al
		mov	al, [edx+34h]
		mov	[ebx+37h], al
		movsd
		movsd
		movsd
		movsd
		mov	edi, 1000h
		jz	short loc_AE725C
		or	ecx, edi
		mov	[ebx+18h], ecx

loc_AE725C:				; CODE XREF: HeadlessInit+1A323j
		mov	byte ptr [ebx+52h], 1
		mov	esi, 0FFFFh
		mov	al, [edx+1Ch]
		and	al, 1
		mov	[ebx+53h], al
		mov	ax, [edx+12h]
		mov	[ebx+54h], ax
		mov	ax, [edx+10h]
		mov	[ebx+56h], ax
		mov	ax, [edx+16h]
		mov	[ebx+58h], ax
		mov	al, [edx+14h]
		mov	[ebx+5Ah], al
		mov	al, [edx+18h]
		mov	[ebx+5Bh], al
		mov	al, [edx+19h]
		mov	[ebx+5Ch], al
		movzx	eax, word ptr [edx+10h]
		cmp	ax, si
		jz	loc_AE735B
		test	ax, ax
		jz	loc_AE735B
		movzx	eax, word ptr [edx+12h]
		cmp	ax, si
		jz	loc_AE735B
		test	ax, ax
		jz	loc_AE735B
		or	ecx, edi
		mov	[ebx+18h], ecx
		test	byte ptr [edx+1Ch], 1
		jnz	loc_AE735B
		push	0A8h		; size_t
		lea	eax, [ebp+var_B0]
		push	0		; int
		push	eax		; void *
		call	_memset
		mov	edx, [ebp+var_B8]
		add	esp, 0Ch
		mov	[ebp+var_A2], si
		mov	[ebp+var_A0], 0FFh
		mov	al, [edx]
		movzx	ecx, byte ptr [edx+19h]
		mov	[ebp+var_9D], al
		and	ecx, 7
		mov	ax, [edx+10h]
		mov	[ebp+var_A4], ax
		mov	ax, [edx+12h]
		mov	[ebp+var_A6], ax
		movzx	eax, byte ptr [edx+14h]
		mov	[ebp+var_B0], eax
		mov	ax, [edx+16h]
		mov	[ebp+var_A8], ax
		movzx	eax, byte ptr [edx+18h]
		and	eax, 1Fh
		shl	ecx, 5
		or	ecx, eax
		lea	eax, [ebp+var_B0]
		push	eax
		push	[ebp+var_BC]
		mov	[ebp+var_AC], ecx
		call	off_6B1244	; xHalIommuUnblockDevice(x,x)

loc_AE735B:				; CODE XREF: HeadlessInit+1A36Cj
					; HeadlessInit+1A375j ...
		mov	esi, 736C6448h
		mov	edi, 200h
		push	esi
		push	3800h
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+8], eax
		test	eax, eax
		jz	short loc_AE73DD
		push	esi
		push	50h
		push	edi
		mov	dword ptr [ebx+3Ch], 0FFFFFFFFh
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+0Ch], eax
		test	eax, eax
		jz	short loc_AE73DD
		push	esi
		push	50h
		push	edi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebx+10h], eax
		test	eax, eax
		jz	short loc_AE73DD
		push	offset _HdlspDispatch@20 ; HdlspDispatch(x,x,x,x,x)
		call	MmLockPagableDataSection
		mov	[ebx+4], eax
		test	eax, eax
		jz	short loc_AE73DD
		cmp	dword ptr [ebx+1Ch], 2580h
		jnz	short loc_AE73CB
		or	dword ptr [ebx+2Ch], 0FFFFFFFFh
		mov	dword ptr [ebx+30h], 515h
		mov	dword ptr [ebx+28h], 0FFFFCD2Eh

loc_AE73CB:				; CODE XREF: HeadlessInit+1A485j
		mov	cl, 1
		mov	_HeadlessGlobals, ebx
		call	_HdlspEnableTerminal@4 ; HdlspEnableTerminal(x)
		jmp	loc_ACCF69
; 

loc_AE73DD:				; CODE XREF: HeadlessInit+1A444j
					; HeadlessInit+1A45Bj ...
		mov	eax, [ebx+8]
		test	eax, eax
		jz	short loc_AE73EC
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE73EC:				; CODE XREF: HeadlessInit+1A4B0j
		mov	eax, [ebx+0Ch]
		test	eax, eax
		jz	short loc_AE73FB
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE73FB:				; CODE XREF: HeadlessInit+1A4BFj
		mov	eax, [ebx+10h]
		test	eax, eax
		jz	short loc_AE740A
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE740A:				; CODE XREF: HeadlessInit+1A4CEj
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ACCF69
; END OF FUNCTION CHUNK	FOR HeadlessInit
; 
; START	OF FUNCTION CHUNK FOR BootApplicationPersistentDataInitialize

loc_AE7417:				; CODE XREF: BootApplicationPersistentDataInitialize+69j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ACD021
; END OF FUNCTION CHUNK	FOR BootApplicationPersistentDataInitialize
; 
; START	OF FUNCTION CHUNK FOR PpInitSystem

loc_AE7424:				; CODE XREF: PpInitSystem+14j
		push	edx
		push	edx
		push	ecx
		push	2
		push	33h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AE7431:				; CODE XREF: PspInitializeSystemDlls+4Dj
		push	0
		push	0
		push	6
		jmp	short loc_AE743F
; END OF FUNCTION CHUNK	FOR PpInitSystem
; 
; START	OF FUNCTION CHUNK FOR PspInitializeSystemDlls

loc_AE7439:				; CODE XREF: PspInitializeSystemDlls+83j
		push	0
		push	0
		push	7

loc_AE743F:				; CODE XREF: PpInitSystem+19ACDj
		push	eax
		push	6Bh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AE7448:				; CODE XREF: PsInitSystem+16j
		push	eax
		push	eax
		push	_InitializationPhase
		push	1
		push	33h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AE745A:				; CODE XREF: SeInitSystem+14j
		push	edx
		push	edx
		push	ecx
		push	edx
		push	33h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AE7466:				; CODE XREF: SepInitializeSingletonAttributesStructures+8Dj
					; SepInitializeSingletonAttributesStructures+AFj
		push	74446553h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE7471:				; CODE XREF: SepInitializeSingletonAttributesStructures+5Cj
		mov	ebx, 74446553h
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE747D:				; CODE XREF: SepInitializeSingletonAttributesStructures+42j
		mov	eax, _SepSingletonGlobal
		mov	esi, 0C0000017h
		mov	eax, [eax+8]
		test	eax, eax
		jz	loc_ACDF8A
		push	ebx
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ACDF8A
; END OF FUNCTION CHUNK	FOR PspInitializeSystemDlls
; 
; START	OF FUNCTION CHUNK FOR PspInitializeNetRateControl

loc_AE749E:				; CODE XREF: PspInitializeNetRateControl+3Fj
		and	_PspNetRateControlExtensionHost, 0
		xor	bl, bl
		jmp	loc_ACE317
; END OF FUNCTION CHUNK	FOR PspInitializeNetRateControl
; 
; START	OF FUNCTION CHUNK FOR SeMakeSystemToken

loc_AE74AC:				; CODE XREF: SeMakeSystemToken+4A5j
		push	0
		push	ebx

loc_AE74AF:				; CODE XREF: SeMakeSystemToken+19121j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE74B4:				; CODE XREF: SeMakeSystemToken+469j
		xor	eax, eax
		jmp	loc_ACE98F
; 

loc_AE74BB:				; CODE XREF: SeMakeSystemToken+4F5j
		push	0
		push	[ebp+var_384]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	0
		push	edi
		jmp	short loc_AE74AF
; END OF FUNCTION CHUNK	FOR SeMakeSystemToken
; 
; START	OF FUNCTION CHUNK FOR SeMakeAnonymousLogonTokenNoEveryone

loc_AE74CD:				; CODE XREF: SeMakeAnonymousLogonTokenNoEveryone+137j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE74D5:				; CODE XREF: SeMakeAnonymousLogonTokenNoEveryone+EDj
		xor	eax, eax
		jmp	loc_ACEBA0
; END OF FUNCTION CHUNK	FOR SeMakeAnonymousLogonTokenNoEveryone
; 
; START	OF FUNCTION CHUNK FOR SeMakeAnonymousLogonToken

loc_AE74DC:				; CODE XREF: SeMakeAnonymousLogonToken+158j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE74E4:				; CODE XREF: SeMakeAnonymousLogonToken+10Ej
		xor	eax, eax
		jmp	loc_ACEDD3
; END OF FUNCTION CHUNK	FOR SeMakeAnonymousLogonToken
; 
; START	OF FUNCTION CHUNK FOR PnpRegMultiSzToUnicodeStrings

loc_AE74EB:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+18j
		mov	eax, 0C000000Dh
		jmp	loc_AD1513
; 

loc_AE74F5:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+2Fj
					; PnpRegMultiSzToUnicodeStrings+5Dj
		inc	ecx
		mov	[ebp+var_C], ecx
		jmp	loc_AD14B9
; 

loc_AE74FE:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+90j
					; PnpRegMultiSzToUnicodeStrings+133j
		sub	esi, ecx
		push	75737050h
		lea	eax, [esi+2]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, [ebp+var_8]
		mov	edi, [edi]
		mov	[edi+ebx*8+4], eax
		test	eax, eax
		jnz	short loc_AE7530
		mov	ecx, edi

loc_AE751F:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+12Bj
		mov	edx, ebx
		call	_PnpFreeUnicodeStringList@8 ; PnpFreeUnicodeStringList(x,x)

loc_AE7526:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+79j
		mov	eax, 0C000009Ah
		jmp	loc_AD1512
; 

loc_AE7530:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+160C5j
		test	esi, esi
		jz	short loc_AE7541
		push	esi		; size_t
		push	[ebp+var_4]	; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch

loc_AE7541:				; CODE XREF: PnpRegMultiSzToUnicodeStrings+160DCj
		mov	eax, [edi+ebx*8+4]
		mov	ecx, esi
		shr	ecx, 1
		xor	edx, edx
		mov	[eax+ecx*2], dx
		movzx	eax, si
		mov	[edi+ebx*8], ax
		add	eax, 2
		mov	[edi+ebx*8+2], ax
		jmp	loc_AD1508
; END OF FUNCTION CHUNK	FOR PnpRegMultiSzToUnicodeStrings
; 
; START	OF FUNCTION CHUNK FOR MiMemoryLicense

loc_AE7563:				; CODE XREF: MiMemoryLicense+41j
		mov	esi, eax
		jmp	loc_AD15D5
; 

loc_AE756A:				; CODE XREF: MiMemoryLicense+97j
		mov	ecx, 100000h
		cmp	ds:_MmDynamicPfn, ecx
		ja	short loc_AE757F
		cmp	eax, ecx
		jbe	loc_AD162B

loc_AE757F:				; CODE XREF: MiMemoryLicense+15FE7j
		mov	ds:_Mm64BitPhysicalAddress, 1
		jmp	loc_AD162B
; 

loc_AE758B:				; CODE XREF: MiMemoryLicense+ABj
		mov	ecx, edi
		mov	esi, edx
		call	MiLimitLoaderBlockHighMemory
		jmp	loc_AD163F
; END OF FUNCTION CHUNK	FOR MiMemoryLicense
; 
; START	OF FUNCTION CHUNK FOR MiLimitLoaderBlockTotalMemory

loc_AE7599:				; CODE XREF: MiLimitLoaderBlockTotalMemory+96j
		push	edx
		push	edi
		push	ecx
		push	3030309h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE75A8:				; CODE XREF: MiLimitLoaderBlockTotalMemory+B2j
		mov	eax, [esi+8]
		cmp	eax, 2
		jz	short loc_AE75C8
		cmp	eax, 18h
		jz	short loc_AE75C8
		cmp	eax, 4
		jz	short loc_AE75C8
		cmp	eax, 5
		jz	short loc_AE75C8
		cmp	eax, 8
		jnz	loc_AD1710

loc_AE75C8:				; CODE XREF: MiLimitLoaderBlockTotalMemory+15F56j
					; MiLimitLoaderBlockTotalMemory+15F5Bj	...
		mov	eax, [esi+10h]
		cmp	eax, edx
		ja	short loc_AE75EE
		mov	ecx, [esi]
		cmp	[ecx+4], esi
		jnz	short loc_AE75FA
		mov	eax, [esi+4]
		cmp	[eax], esi
		jnz	short loc_AE75FA
		mov	[eax], ecx
		mov	[ecx+4], eax
		sub	edx, [esi+10h]
		and	dword ptr [esi+10h], 0
		jmp	loc_AD1710
; 

loc_AE75EE:				; CODE XREF: MiLimitLoaderBlockTotalMemory+15F75j
		sub	eax, edx
		xor	edx, edx
		mov	[esi+10h], eax
		jmp	loc_AD1710
; 

loc_AE75FA:				; CODE XREF: MiLimitLoaderBlockTotalMemory+15F7Cj
					; MiLimitLoaderBlockTotalMemory+15F83j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_AE75FF:				; CODE XREF: MiLimitLoaderBlockHighMemory+1Fj
		push	18h
		pop	ecx
		mov	[esi+8], ecx
		jmp	loc_AD17B6
; END OF FUNCTION CHUNK	FOR MiLimitLoaderBlockTotalMemory
; 
; START	OF FUNCTION CHUNK FOR MiLimitLoaderBlockHighMemory

loc_AE760A:				; CODE XREF: MiLimitLoaderBlockHighMemory+28j
		push	2
		pop	ecx
		mov	[esi+8], ecx
		jmp	loc_AD17A2
; 

loc_AE7615:				; CODE XREF: MiLimitLoaderBlockHighMemory+83j
		cmp	ecx, 18h
		jz	loc_AD17FD
		cmp	ecx, 4
		jz	loc_AD17FD
		cmp	ecx, 5
		jz	loc_AD17FD
		cmp	ecx, 8
		jz	loc_AD17FD
		cmp	ecx, 21h
		jz	loc_AD17FD
		cmp	ecx, 23h
		jz	loc_AD17FD
		push	edi
		push	edx
		push	ebx
		push	3030308h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AE765B:				; CODE XREF: MiCheckLargePageOk+92j
		push	edi
		push	ebx
		push	esi
		push	3030207h
		jmp	short loc_AE766D
; END OF FUNCTION CHUNK	FOR MiLimitLoaderBlockHighMemory
; 
; START	OF FUNCTION CHUNK FOR MiCheckLargePageOk

loc_AE7665:				; CODE XREF: MiCheckLargePageOk+10Dj
		push	eax
		push	ebx
		push	esi
		push	3030205h

loc_AE766D:				; CODE XREF: MiLimitLoaderBlockHighMemory+15EEFj
					; MiCheckLargePageOk+15D12j ...
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE7674:				; CODE XREF: MiCheckLargePageOk+B3j
		push	edi
		push	eax
		push	esi
		push	3030203h
		jmp	short loc_AE766D
; 

loc_AE767E:				; CODE XREF: MiCheckLargePageOk+CCj
		mov	edi, [ebp+var_C]
		mov	ecx, edi
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		push	eax
		push	edi
		push	esi
		push	3030204h
		jmp	short loc_AE766D
; END OF FUNCTION CHUNK	FOR MiCheckLargePageOk
; 
; START	OF FUNCTION CHUNK FOR MiCheckLargePageSystemImage

loc_AE7692:				; CODE XREF: MiCheckLargePageSystemImage+95j
		push	eax
		push	edx
		push	[ebp+var_4]
		push	3030208h
		jmp	short loc_AE76A8
; 

loc_AE769E:				; CODE XREF: MiCheckLargePageSystemImage+59j
		push	edx
		push	edi
		push	[ebp+var_4]
		push	3030200h

loc_AE76A8:				; CODE XREF: MiCheckLargePageSystemImage+15C1Cj
					; MiCheckLargePageSystemImage+15C3Aj
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE76AF:				; CODE XREF: MiCheckLargePageSystemImage+A0j
		push	0
		push	edx
		push	[ebp+var_4]
		push	3030202h
		jmp	short loc_AE76A8
; END OF FUNCTION CHUNK	FOR MiCheckLargePageSystemImage
; 
; START	OF FUNCTION CHUNK FOR MxZeroBootMappings

loc_AE76BC:				; CODE XREF: MxZeroBootMappings+49j
		mov	ecx, esi
		shl	ecx, 9
		dec	eax
		push	eax
		lea	edx, [ecx+1000h]
		call	MxZeroBootMappings
		mov	ecx, [ebp+var_4]
		jmp	loc_AD1BB5
; END OF FUNCTION CHUNK	FOR MxZeroBootMappings
; 
; START	OF FUNCTION CHUNK FOR MiFreeBootPageTable

loc_AE76D6:				; CODE XREF: MiFreeBootPageTable+1Aj
					; MiFreeBootPageTable+2Dj
		push	0
		push	0
		push	ecx
		push	3030307h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AE76E8:				; CODE XREF: PipInitializeEarlyLaunchDrivers+C6j
		mov	eax, [edi+18h]
		or	dword ptr [eax+34h], 20000h
		jmp	loc_AD1D20
; END OF FUNCTION CHUNK	FOR MiFreeBootPageTable
; 
; START	OF FUNCTION CHUNK FOR MiMarkLargePagePte

loc_AE76F7:				; CODE XREF: MiMarkLargePagePte+7Cj
					; MiMarkLargePagePte+159CBj
		shl	eax, 9
		sub	ecx, 1
		jnz	short loc_AE76F7
		jmp	loc_AD1D9B
; END OF FUNCTION CHUNK	FOR MiMarkLargePagePte
; 
; START	OF FUNCTION CHUNK FOR PiDmaGuardProcessRegistry

loc_AE7704:				; CODE XREF: PiDmaGuardProcessRegistry+1Aj
		cmp	[ebp+var_4], 1
		jnz	locret_AD1E06
		mov	_PipDmaGuardTestMode, 1
		leave
		retn
; END OF FUNCTION CHUNK	FOR PiDmaGuardProcessRegistry
; 
; START	OF FUNCTION CHUNK FOR PnpWatchdogBugcheckConfigure

loc_AE7717:				; CODE XREF: PnpWatchdogBugcheckConfigure+1Cj
		cmp	[ebp+var_4], esi
		jz	loc_AD1E2D
		xor	esi, esi
		inc	esi
		jmp	loc_AD1E2D
; END OF FUNCTION CHUNK	FOR PnpWatchdogBugcheckConfigure
; 
; START	OF FUNCTION CHUNK FOR PnpQueryWatchdogTimeoutConfiguration

loc_AE7728:				; CODE XREF: PnpQueryWatchdogTimeoutConfiguration+1Dj
		mov	ecx, [ebp+var_4]
		mov	_PnpWatchdogTimeoutFirstChance,	ecx
		lea	eax, [ecx-1]
		cmp	eax, 0FFFFFFFDh
		jbe	loc_AD1E63
		jmp	loc_AD1E59
; 

loc_AE7742:				; CODE XREF: PnpQueryWatchdogTimeoutConfiguration+40j
		mov	eax, [ebp+var_4]
		mov	_PnpWatchdogTimeoutSecondChance, eax
		cmp	_PnpWatchdogTimeoutFirstChance,	eax
		jb	locret_AD1E86
		jmp	loc_AD1E7C
; END OF FUNCTION CHUNK	FOR PnpQueryWatchdogTimeoutConfiguration

;  S U B	R O U T	I N E 


sub_AE775B	proc near		; CODE XREF: IopAllocateLegacyBootResources+5Cj
		push	ebx
		push	ds:_IopInitHalResources
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AD1F50
sub_AE775B	endp


;  S U B	R O U T	I N E 


sub_AE776C	proc near		; CODE XREF: IopAllocateLegacyBootResources+A5j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AD1F28
sub_AE776C	endp

; 
; START	OF FUNCTION CHUNK FOR IopAllocateLegacyBootResources

loc_AE7778:				; CODE XREF: IopAllocateLegacyBootResources+4Aj
		mov	ebx, [esi+8]
		cmp	[ebx+4], ecx
		jnz	short loc_AE77C8
		cmp	[ebx+8], eax
		jnz	short loc_AE77C8
		push	ebx
		push	dword ptr [esi+4]
		push	4
		call	_IopAllocateBootResources@12 ; IopAllocateBootResources(x,x,x)
		cmp	dword ptr [esi+4], 0
		jnz	short loc_AE779E
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE779E:				; CODE XREF: IopAllocateLegacyBootResources+158A6j
		mov	eax, [esi]
		test	edi, edi
		jz	short loc_AE77A8
		mov	[edi], eax
		jmp	short loc_AE77AD
; 

loc_AE77A8:				; CODE XREF: IopAllocateLegacyBootResources+158B4j
		mov	ds:_IopInitReservedResourceList, eax

loc_AE77AD:				; CODE XREF: IopAllocateLegacyBootResources+158B8j
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	ecx, [ebp+var_4]
		test	edi, edi
		jz	short loc_AE77C0
		mov	esi, [edi]
		jmp	short loc_AE77CC
; 

loc_AE77C0:				; CODE XREF: IopAllocateLegacyBootResources+158CCj
		mov	esi, ds:_IopInitReservedResourceList
		jmp	short loc_AE77CC
; 

loc_AE77C8:				; CODE XREF: IopAllocateLegacyBootResources+15890j
					; IopAllocateLegacyBootResources+15895j
		mov	edi, esi
		mov	esi, [esi]

loc_AE77CC:				; CODE XREF: IopAllocateLegacyBootResources+158D0j
					; IopAllocateLegacyBootResources+158D8j
		mov	eax, [ebp+var_8]
		jmp	loc_AD1F36
; END OF FUNCTION CHUNK	FOR IopAllocateLegacyBootResources
; 
; START	OF FUNCTION CHUNK FOR MiMapDummyPages

loc_AE77D4:				; CODE XREF: MiMapDummyPages+62j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_AE7809
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	loc_AD20EB

loc_AE77ED:				; CODE XREF: MiMapDummyPages+157A2j
		mov	eax, edx
		and	eax, 1
		or	eax, 0
		jz	loc_AD20EB
		mov	edi, [ebp+var_C]
		or	edi, 80000000h
		jmp	loc_AD20EE
; 

loc_AE7809:				; CODE XREF: MiMapDummyPages+1575Bj
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_8]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_AE77ED
		jmp	loc_AD20EB
; 

loc_AE7829:				; CODE XREF: MiMapDummyPages+76j
		push	edi
		push	edx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_AD20FC
; 

loc_AE7837:				; CODE XREF: MiMapDummyPages+CEj
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_AE7869
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	loc_AD2157

loc_AE7850:				; CODE XREF: MiMapDummyPages+15802j
		mov	eax, edi
		and	eax, 1
		or	eax, 0
		jz	loc_AD2157
		or	edx, 80000000h
		jmp	loc_AD2157
; 

loc_AE7869:				; CODE XREF: MiMapDummyPages+157BEj
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_8]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_AE7850
		jmp	loc_AD2157
; 

loc_AE7889:				; CODE XREF: MiMapDummyPages+DFj
		push	edx
		push	edi
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_AD2165
; END OF FUNCTION CHUNK	FOR MiMapDummyPages
; 
; START	OF FUNCTION CHUNK FOR KseZeroPoolInitialize

loc_AE7897:				; CODE XREF: KseZeroPoolInitialize+13j
		xor	ecx, ecx
		inc	ecx
		lock xadd _KsepHistoryErrorsIndex, ecx
		inc	ecx
		and	ecx, 3Fh
		mov	esi, (offset loc_ADF0CB+1)
		test	_KsepDebugFlag,	2
		push	10h
		mov	dword_6C7024[ecx*8], eax
		pop	eax
		push	74h
		mov	word_6C7022[ecx*8], ax
		pop	eax
		mov	_KsepHistoryErrors[ecx*8], ax
		jz	short loc_AE78DB
		push	esi		; char *
		push	0Ch		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_AE78DB:				; CODE XREF: KseZeroPoolInitialize+1573Fj
		push	esi		; char *
		push	0Ch		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR KseZeroPoolInitialize
; 
; START	OF FUNCTION CHUNK FOR KseDriverScopeInitialize

loc_AE78E7:				; CODE XREF: KseDriverScopeInitialize+51j
		push	edi		; char *
		push	esi		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx
		jmp	loc_AD2203
; END OF FUNCTION CHUNK	FOR KseDriverScopeInitialize
; 
; START	OF FUNCTION CHUNK FOR KseSkipDriverUnloadInitialize

loc_AE78F5:				; CODE XREF: KseSkipDriverUnloadInitialize+13j
		xor	ecx, ecx
		inc	ecx
		lock xadd _KsepHistoryErrorsIndex, ecx
		inc	ecx
		and	ecx, 3Fh
		mov	esi, offset ??_C@_0DG@CAOOACBL@Built?9in?5SkipDriverUnload?5shims@PBOPGDP@
		test	_KsepDebugFlag,	2
		push	0Dh
		mov	dword_6C7024[ecx*8], eax
		pop	eax
		mov	word_6C7022[ecx*8], ax
		mov	eax, 93h
		mov	_KsepHistoryErrors[ecx*8], ax
		jz	short loc_AE793B
		push	esi		; char *
		push	0Ch		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_AE793B:				; CODE XREF: KseSkipDriverUnloadInitialize+1571Fj
		push	esi		; char *
		push	0Ch		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR KseSkipDriverUnloadInitialize
; 
; START	OF FUNCTION CHUNK FOR KseVersionLieInitialize

loc_AE7947:				; CODE XREF: KseVersionLieInitialize+1Bj
		mov	ecx, esi
		lock xadd _KsepHistoryErrorsIndex, ecx
		inc	ecx
		and	ecx, 3Fh
		test	_KsepDebugFlag,	2
		mov	dword_6C7024[ecx*8], eax
		mov	eax, 0F1h
		mov	word_6C7022[ecx*8], di
		mov	_KsepHistoryErrors[ecx*8], ax
		jz	short loc_AE7987
		push	(offset	loc_ADF15D+1) ;	char *
		push	edi		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_AE7987:				; CODE XREF: KseVersionLieInitialize+1574Cj
		push	(offset	loc_ADF15D+1) ;	char *
		push	edi		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx
		jmp	loc_AD224D
; 

loc_AE7999:				; CODE XREF: KseVersionLieInitialize+2Fj
		mov	ecx, esi
		lock xadd _KsepHistoryErrorsIndex, ecx
		inc	ecx
		and	ecx, 3Fh
		test	_KsepDebugFlag,	2
		mov	dword_6C7024[ecx*8], eax
		mov	eax, 0F9h
		mov	word_6C7022[ecx*8], di
		mov	_KsepHistoryErrors[ecx*8], ax
		jz	short loc_AE79D9
		push	(offset	loc_ADF127+1) ;	char *
		push	edi		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_AE79D9:				; CODE XREF: KseVersionLieInitialize+1579Ej
		push	(offset	loc_ADF127+1) ;	char *
		push	edi		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx
		jmp	loc_AD2261
; 

loc_AE79EB:				; CODE XREF: KseVersionLieInitialize+43j
		lock xadd _KsepHistoryErrorsIndex, esi
		inc	esi
		and	esi, 3Fh
		test	_KsepDebugFlag,	2
		mov	dword_6C7024[esi*8], eax
		mov	eax, 101h
		mov	word_6C7022[esi*8], di
		mov	_KsepHistoryErrors[esi*8], ax
		mov	esi, (offset loc_ADF0EF+1)
		jz	short loc_AE7A2A
		push	esi		; char *
		push	edi		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_AE7A2A:				; CODE XREF: KseVersionLieInitialize+157F3j
		push	esi		; char *
		push	edi		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx
		jmp	loc_AD2275
; END OF FUNCTION CHUNK	FOR KseVersionLieInitialize
; 
; START	OF FUNCTION CHUNK FOR PiCreateDriverDataDirectoryRoot

loc_AE7A38:				; CODE XREF: PiCreateDriverDataDirectoryRoot+C8j
					; PiCreateDriverDataDirectoryRoot+D4j ...
		lea	eax, [ebp+var_30]
		push	eax
		push	0
		push	0
		call	_KeDelayExecutionThread@12 ; KeDelayExecutionThread(x,x,x)
		inc	ebx
		cmp	ebx, 32h
		jb	loc_AD2314
		jmp	loc_AD236C
; END OF FUNCTION CHUNK	FOR PiCreateDriverDataDirectoryRoot
; 
; START	OF FUNCTION CHUNK FOR PiAuCreateLocalSystemSecurityObject

loc_AE7A54:				; CODE XREF: PiAuCreateLocalSystemSecurityObject+38j
		mov	esi, 0C000009Ah
		jmp	loc_AD25F0
; 

loc_AE7A5E:				; CODE XREF: PiAuCreateLocalSystemSecurityObject+12Cj
		push	47706E50h
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AD25F0
; END OF FUNCTION CHUNK	FOR PiAuCreateLocalSystemSecurityObject
; 
; START	OF FUNCTION CHUNK FOR PiAuGetDriverDataDirectorySecurityObject

loc_AE7A6E:				; CODE XREF: PiAuGetDriverDataDirectorySecurityObject+57j
		mov	esi, 0C000009Ah
		jmp	loc_AD2797
; 

loc_AE7A78:				; CODE XREF: PiAuGetDriverDataDirectorySecurityObject+18Bj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AD2797
; END OF FUNCTION CHUNK	FOR PiAuGetDriverDataDirectorySecurityObject
; 
; START	OF FUNCTION CHUNK FOR PiAuCreateStandardSecurityObject

loc_AE7A85:				; CODE XREF: PiAuCreateStandardSecurityObject+12Fj
		mov	esi, 0C000009Ah
		jmp	loc_AD2CA2
; 

loc_AE7A8F:				; CODE XREF: PiAuCreateStandardSecurityObject+28Cj
					; PiAuCreateStandardSecurityObject+2A6j
		mov	esi, 0C00000E5h
		jmp	loc_AD2CA2
; 

loc_AE7A99:				; CODE XREF: PiAuCreateStandardSecurityObject+2BDj
		mov	esi, 0C000009Ah
		jmp	loc_AD2C5C
; 

loc_AE7AA3:				; CODE XREF: PiAuCreateStandardSecurityObject+A5j
		mov	esi, 0C00000E5h
		jmp	loc_AD2C5C
; 

loc_AE7AAD:				; CODE XREF: PiAuCreateStandardSecurityObject+31Dj
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AD2C91
; END OF FUNCTION CHUNK	FOR PiAuCreateStandardSecurityObject
; 
; START	OF FUNCTION CHUNK FOR BapdpProcessFwUpdateResults

loc_AE7ABA:				; CODE XREF: BapdpProcessFwUpdateResults+4Aj
		push	64506142h
		push	[ebp+var_18]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_AD2D84
		mov	eax, edi
		jmp	loc_AD2D78
; 

loc_AE7ADD:				; CODE XREF: BapdpProcessFwUpdateResults+52j
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	esi		; void *
		push	edi		; int
		lea	edx, [ebp+var_14] ; void *
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		test	eax, eax
		js	loc_AD2D80
		mov	edx, [ebp+var_18]
		mov	ecx, esi
		call	_BapdpRegisterFwUpdateResults@8	; BapdpRegisterFwUpdateResults(x,x)
		jmp	loc_AD2D80
; END OF FUNCTION CHUNK	FOR BapdpProcessFwUpdateResults
; 
; START	OF FUNCTION CHUNK FOR BapdpProcessWmdResults

loc_AE7B02:				; CODE XREF: BapdpProcessWmdResults+7Cj
		cmp	[ebp+var_15], 0
		jnz	short loc_AE7B2F
		mov	cl, 1
		mov	eax, esi
		mov	[ebp+var_15], cl
		lea	esi, [ebx+1Ch]
		jmp	short loc_AE7B1A
; 

loc_AE7B14:				; CODE XREF: BapdpProcessWmdResults+14DADj
		mov	eax, [ebp+var_1C]
		lea	esi, [ebp+var_4C]

loc_AE7B1A:				; CODE XREF: BapdpProcessWmdResults+14D76j
		lea	edi, [ebp+var_3C]
		mov	[ebp+var_20], eax
		movsd
		movsd
		movsd
		movsd
		mov	esi, [ebp+var_1C]
		mov	edi, [ebp+var_24]
		jmp	loc_AD2E24
; 

loc_AE7B2F:				; CODE XREF: BapdpProcessWmdResults+14D6Aj
		lea	esi, [ebx+1Ch]
		lea	edi, [ebp+var_4C]
		movsd
		lea	edx, [ebp+var_3C]
		lea	ecx, [ebp+var_4C]
		movsd
		movsd
		movsd
		call	_BapdpIsTime1MoreRecentThanTime2@8 ; BapdpIsTime1MoreRecentThanTime2(x,x)
		mov	cl, [ebp+var_15]
		test	al, al
		jnz	short loc_AE7B14
		mov	esi, [ebp+var_1C]
		mov	edi, [ebp+var_24]
		jmp	loc_AD2E21
; 

loc_AE7B56:				; CODE XREF: BapdpProcessWmdResults+95j
		cmp	eax, edi
		jz	short loc_AE7B70
		lea	ecx, [ebp+var_28] ; int
		push	ecx		; int
		push	ebx		; void *
		push	eax		; int
		lea	edx, [ebp+var_14] ; void *
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		test	eax, eax
		js	loc_AD2E37

loc_AE7B70:				; CODE XREF: BapdpProcessWmdResults+14DBCj
		mov	ecx, ebx
		call	_BapdpRegisterWmdResult@4 ; BapdpRegisterWmdResult(x)
		jmp	loc_AD2E37
; END OF FUNCTION CHUNK	FOR BapdpProcessWmdResults
; 
; START	OF FUNCTION CHUNK FOR BapdpProcessBootMetadata

loc_AE7B7C:				; CODE XREF: BapdpProcessBootMetadata+4Cj
		push	2
		pop	eax
		mov	_ExSoftRebootState, eax
		mov	_ExSoftRebootFlags, eax
		jmp	loc_AD2EA0
; 

loc_AE7B8E:				; CODE XREF: BapdpProcessBootMetadata+68j
		mov	eax, [ebp+var_18]
		push	64506142h
		add	eax, 4
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AD2EBC
		lea	eax, [ebp+var_18]
		push	eax		; int
		lea	esi, [edi+4]
		push	esi		; void *
		push	ebx		; int
		lea	edx, [ebp+var_14] ; void *
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		mov	eax, [ebp+var_18]
		push	eax
		push	esi
		mov	_ExBootLoaderMetadata, edi
		mov	[edi], eax
		call	ds:__imp__KsrInitPageDatabase@8	; KsrInitPageDatabase(x,x)
		test	eax, eax
		js	loc_AD2EBC
		or	_ExSoftRebootFlags, 4
		jmp	loc_AD2EBC
; END OF FUNCTION CHUNK	FOR BapdpProcessBootMetadata
; 
; START	OF FUNCTION CHUNK FOR BapdpProcessEDrvHintInfo

loc_AE7BE3:				; CODE XREF: BapdpProcessEDrvHintInfo+4Aj
		push	64506142h
		push	[ebp+var_18]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_AD2F28
		mov	eax, edi
		jmp	loc_AD2F1C
; 

loc_AE7C06:				; CODE XREF: BapdpProcessEDrvHintInfo+52j
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	esi		; void *
		push	edi		; int
		lea	edx, [ebp+var_14] ; void *
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		test	eax, eax
		js	loc_AD2F24
		cmp	[ebp+var_18], 8
		jb	loc_AD2F24
		mov	ecx, esi
		call	_BapdpRegisterEDrvHintInfo@4 ; BapdpRegisterEDrvHintInfo(x)
		jmp	loc_AD2F24
; END OF FUNCTION CHUNK	FOR BapdpProcessEDrvHintInfo
; 
; START	OF FUNCTION CHUNK FOR BapdpProcessHSTIResults

loc_AE7C32:				; CODE XREF: BapdpProcessHSTIResults+4Aj
		push	49545348h
		push	[ebp+var_18]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_AD2F9C
		mov	eax, edi
		jmp	loc_AD2F90
; 

loc_AE7C52:				; CODE XREF: BapdpProcessHSTIResults+52j
		lea	eax, [ebp+var_18]
		push	eax		; int
		push	esi		; void *
		push	edi		; int
		lea	edx, [ebp+var_14] ; void *
		call	_BapdpQueryData@20 ; BapdpQueryData(x,x,x,x,x)
		test	eax, eax
		js	loc_AD2F98
		mov	eax, [ebp+var_18]
		mov	ds:dword_A9AC30, esi
		mov	esi, edi
		mov	ds:dword_A9AC34, eax
		jmp	loc_AD2F98
; END OF FUNCTION CHUNK	FOR BapdpProcessHSTIResults
; 
; START	OF FUNCTION CHUNK FOR ExpWatchProductTypeInitialization

loc_AE7C7D:				; CODE XREF: ExpWatchProductTypeInitialization+DBj
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	0Bh
		jmp	short loc_AE7C8D
; 

loc_AE7C86:				; CODE XREF: ExpWatchProductTypeInitialization+ADj
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	2

loc_AE7C8D:				; CODE XREF: ExpWatchProductTypeInitialization+1479Ej
					; ExpWatchProductTypeInitialization+147FEj ...
		push	9Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE7C97:				; CODE XREF: ExpWatchProductTypeInitialization+124j
					; ExpWatchProductTypeInitialization+132j
		xor	eax, eax
		mov	_ExpSetupModeDetected, 1
		mov	edx, 746C6644h
		mov	ds:0FFDF0268h, al
		mov	ecx, esi
		call	ObfDereferenceObjectWithTag
		xor	eax, eax
		mov	esi, eax
		jmp	loc_AD361E
; 

loc_AE7CBA:				; CODE XREF: ExpWatchProductTypeInitialization+178j
		mov	_ExpSystemSetupInProgress, 1
		jmp	loc_AD3664
; 

loc_AE7CC6:				; CODE XREF: ExpWatchProductTypeInitialization+184j
		mov	_ExpControlKey,	esi
		jmp	loc_AD389E
; 

loc_AE7CD1:				; CODE XREF: ExpWatchProductTypeInitialization+1ECj
		cmp	_ExpSetupModeDetected, bl
		jnz	loc_AD38B5
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	6
		jmp	short loc_AE7C8D
; 

loc_AE7CE6:				; CODE XREF: ExpWatchProductTypeInitialization+220j
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	0Ch
		jmp	short loc_AE7C8D
; 

loc_AE7CEF:				; CODE XREF: ExpWatchProductTypeInitialization+27Ej
		cmp	_ExpSetupModeDetected, 0
		jnz	loc_AD38B5
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	7
		jmp	short loc_AE7C8D
; 

loc_AE7D05:				; CODE XREF: ExpWatchProductTypeInitialization+2D7j
		xor	eax, eax
		push	eax
		push	edi
		push	[esp+100h+var_E8]
		jmp	short loc_AE7D15
; 

loc_AE7D0F:				; CODE XREF: ExpWatchProductTypeInitialization+1498Dj
					; ExpWatchProductTypeInitialization+14995j
		xor	eax, eax
		push	eax
		push	4
		push	esi

loc_AE7D15:				; CODE XREF: ExpWatchProductTypeInitialization+14827j
					; ExpWatchProductTypeInitialization+14924j ...
		push	14h
		jmp	loc_AE7C8D
; END OF FUNCTION CHUNK	FOR ExpWatchProductTypeInitialization

;  S U B	R O U T	I N E 


sub_AE7D1C	proc near		; CODE XREF: ExpWatchProductTypeInitialization+2FCj
		push	ebx
		push	dword_6D6EF0
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	dword_6D6EF0, ebx
		cmp	_ExpSetupModeDetected, bl
		jnz	loc_AD38B5
		jmp	loc_AD37E8
sub_AE7D1C	endp

; 
; START	OF FUNCTION CHUNK FOR ExpWatchProductTypeInitialization

loc_AE7D3F:				; CODE XREF: ExpWatchProductTypeInitialization+2B6j
		xor	ebx, ebx
		jmp	loc_AD37E8
; 

loc_AE7D46:				; CODE XREF: ExpWatchProductTypeInitialization+333j
		cmp	_InitSafeBootMode, ecx
		jnz	loc_AD381F
		cmp	_ExpSetupModeDetected, 0
		jnz	loc_AD381F
		mov	byte ptr ds:0FFDF0268h,	1
		mov	ds:0FFDF0264h, ecx
		jmp	loc_AD381F
; 

loc_AE7D71:				; CODE XREF: ExpWatchProductTypeInitialization+362j
		cmp	_ExpSetupModeDetected, 0
		jnz	loc_AD38B5
		push	ebx
		push	ebx
		push	eax
		push	8
		jmp	loc_AE7C8D
; 

loc_AE7D88:				; CODE XREF: ExpWatchProductTypeInitialization+3B2j
		push	30h		; size_t
		lea	eax, [esp+0FCh+var_80]
		mov	[esp+0FCh+var_C8], ebx
		push	ebx		; int
		push	eax		; void *
		call	_memset
		mov	ecx, ds:off_A4149C
		add	esp, 0Ch
		mov	[esp+0F8h+var_E0], ebx
		xor	esi, esi
		mov	[esp+0F8h+var_DC], ebx
		mov	[esp+0F8h+var_98], ebx
		mov	[esp+0F8h+var_94], ebx
		lea	edx, [ecx+2]
		mov	[esp+0F8h+var_D4], ebx

loc_AE7DBB:				; CODE XREF: ExpWatchProductTypeInitialization+148DDj
		mov	ax, [ecx]
		add	ecx, edi
		cmp	ax, si
		jnz	short loc_AE7DBB
		sub	ecx, edx
		sar	ecx, 1
		push	2079654Bh
		lea	eax, ds:80h[ecx*2]
		mov	word ptr [esp+0FCh+var_E0], ax
		mov	word ptr [esp+0FCh+var_E0+2], ax
		movzx	eax, ax
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0F8h+var_DC], eax
		test	eax, eax
		jnz	short loc_AE7E0F
		push	eax
		movzx	eax, word ptr [esp+0FCh+var_E0]
		push	3
		jmp	short loc_AE7E09
; 

loc_AE7DFF:				; CODE XREF: ExpWatchProductTypeInitialization+14B77j
		xor	eax, eax
		push	eax
		movzx	eax, word ptr [esp+104h+var_E8]
		push	7

loc_AE7E09:				; CODE XREF: ExpWatchProductTypeInitialization+14917j
					; ExpWatchProductTypeInitialization+149FEj ...
		push	eax
		jmp	loc_AE7D15
; 

loc_AE7E0F:				; CODE XREF: ExpWatchProductTypeInitialization+1490Dj
		lea	eax, [esp+0F8h+var_C8]
		push	eax
		push	30h
		lea	eax, [esp+100h+var_80]
		push	eax
		push	edi
		push	[esp+108h+var_D8]
		call	NtQueryKey
		test	eax, eax
		jns	short loc_AE7E3E
		push	esi
		push	1
		jmp	short loc_AE7E36
; 

loc_AE7E31:				; CODE XREF: ExpWatchProductTypeInitialization+14B50j
		xor	ecx, ecx
		push	ecx
		push	2

loc_AE7E36:				; CODE XREF: ExpWatchProductTypeInitialization+14949j
		push	eax
		push	13h
		jmp	loc_AE7C8D
; 

loc_AE7E3E:				; CODE XREF: ExpWatchProductTypeInitialization+14944j
		mov	eax, [esp+0F8h+var_68]
		lea	esi, ds:38h[eax*2]
		cmp	esi, eax
		jb	short loc_AE7E5B
		lea	eax, ds:20h[eax*2]
		cmp	esi, eax
		jnb	short loc_AE7E5D

loc_AE7E5B:				; CODE XREF: ExpWatchProductTypeInitialization+14968j
		mov	bl, 1

loc_AE7E5D:				; CODE XREF: ExpWatchProductTypeInitialization+14973j
		push	2079654Bh
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0F8h+var_A4], eax
		test	eax, eax
		jz	loc_AE7D0F
		test	bl, bl
		jnz	loc_AE7D0F
		mov	ecx, [esp+0F8h+var_58]
		lea	edi, [ecx+20h]
		mov	[esp+0F8h+var_9C], edi
		cmp	edi, ecx
		jnb	short loc_AE7E95
		inc	bl

loc_AE7E95:				; CODE XREF: ExpWatchProductTypeInitialization+149ABj
		push	2079654Bh
		push	edi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[esp+0F8h+var_E4], eax
		test	eax, eax
		jz	loc_AE813B
		test	bl, bl
		jnz	loc_AE813B
		mov	edi, [esp+0F8h+var_6C]
		mov	eax, edi
		push	28h
		pop	ecx
		mul	ecx
		lea	ecx, [esp+0F8h+var_D4]
		mov	_ExpLicenseInfoCount, edi
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		jns	short loc_AE7EE9
		xor	eax, eax
		push	eax
		push	6
		imul	eax, edi, 28h
		jmp	loc_AE7E09
; 

loc_AE7EE9:				; CODE XREF: ExpWatchProductTypeInitialization+149F4j
		push	2079654Bh
		push	[esp+0FCh+var_D4]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_ExpLicenseInfo, eax
		test	eax, eax
		jnz	short loc_AE7F14
		push	eax
		imul	eax, _ExpLicenseInfoCount, 28h
		push	6
		jmp	loc_AE7E09
; 

loc_AE7F14:				; CODE XREF: ExpWatchProductTypeInitialization+14A1Dj
		push	ds:off_A414A0
		lea	eax, [esp+0FCh+var_98]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ebx, [esp+0F8h+var_A4]
		lea	eax, [esp+0F8h+var_C8]
		push	eax
		push	esi
		xor	ecx, ecx
		push	ebx
		push	ecx
		push	ecx
		push	[esp+10Ch+var_D8]
		mov	[esp+110h+var_D4], ecx
		call	NtEnumerateKey
		cmp	eax, 8000001Ah
		jz	loc_AE80EA
		xor	ecx, ecx
		mov	edi, ecx

loc_AE7F4F:				; CODE XREF: ExpWatchProductTypeInitialization+14BFEj
		xor	ecx, ecx
		test	eax, eax
		js	loc_AE8131
		mov	eax, [ebx+0Ch]
		push	ds:off_A4149C
		shr	eax, 1
		mov	[ebx+eax*2+10h], cx
		movzx	eax, word ptr [esp+0FCh+var_E0+2]
		shr	eax, 1
		push	eax
		push	[esp+100h+var_DC]
		call	_wcscpy_s
		movzx	eax, word ptr [esp+104h+var_E0+2]
		add	esp, 0Ch
		shr	eax, 1
		push	offset ??_C@_13FPGAJAPJ@?$AA?2@PBOPGDP@
		push	eax
		push	[esp+100h+var_DC]
		call	_wcscat_s
		add	esp, 0Ch
		lea	eax, [ebx+10h]
		push	eax
		movzx	eax, word ptr [esp+0FCh+var_E0+2]
		shr	eax, 1
		push	eax
		push	[esp+100h+var_DC]
		call	_wcscat_s
		mov	ecx, [esp+104h+var_DC]
		add	esp, 0Ch
		lea	edx, [ecx+2]

loc_AE7FB5:				; CODE XREF: ExpWatchProductTypeInitialization+14ADAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+0F8h+var_A0]
		jnz	short loc_AE7FB5
		sub	ecx, edx
		mov	[esp+0F8h+var_C4], 18h
		sar	ecx, 1
		mov	[esp+0F8h+var_B8], 240h
		lea	eax, [ecx+ecx]
		xor	ecx, ecx
		mov	word ptr [esp+0F8h+var_E0], ax
		lea	eax, [esp+0F8h+var_E0]
		mov	[esp+0F8h+var_BC], eax
		lea	eax, [esp+0F8h+var_C4]
		push	eax
		mov	eax, _ExpLicenseInfo
		push	2001Fh
		add	eax, edi
		mov	[esp+100h+var_C0], ecx
		push	eax
		mov	[esp+104h+var_B4], ecx
		mov	[esp+104h+var_B0], ecx
		call	_NtOpenKey@12	; NtOpenKey(x,x,x)
		test	eax, eax
		js	loc_AE8124
		lea	eax, [esp+0F8h+var_C8]
		push	eax		; int
		push	[esp+0FCh+var_9C] ; int
		lea	eax, [esp+100h+var_98]
		push	[esp+100h+var_E4] ; int
		push	2		; size_t
		push	eax		; int
		mov	eax, _ExpLicenseInfo
		push	dword ptr [edi+eax] ; int
		call	NtQueryValueKey
		test	eax, eax
		js	loc_AE7E31
		movzx	eax, word ptr [esp+0F8h+var_E0]
		push	2079654Bh
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ecx, _ExpLicenseInfo
		mov	[edi+ecx+8], eax
		test	eax, eax
		jz	loc_AE7DFF
		push	[esp+0F8h+var_DC]
		movzx	ecx, word ptr [esp+0FCh+var_E0]
		shr	ecx, 1
		push	ecx
		push	eax
		call	_wcscpy_s
		mov	edx, _ExpLicenseInfo
		add	esp, 0Ch
		mov	eax, [esp+0F8h+var_E4]
		add	edx, edi
		push	1
		mov	eax, [eax+0Ch]
		lea	ecx, [edx+0Ch]
		mov	[edx+4], eax
		xor	eax, eax
		push	4
		mov	[ecx], eax
		lea	eax, [edx+24h]
		push	eax
		push	1
		push	10000005h
		lea	eax, [edx+1Ch]
		mov	dword ptr [ecx+8], offset ExpWatchLicenseInfoWork
		push	eax
		push	1
		push	ecx
		xor	eax, eax
		mov	[ecx+0Ch], edx
		push	eax
		push	dword ptr [edx]
		call	_NtNotifyChangeKey@40 ;	NtNotifyChangeKey(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AE8117
		mov	eax, [esp+0F8h+var_D4]
		lea	ecx, [esp+0F8h+var_C8]
		push	ecx
		push	esi
		push	ebx
		xor	ecx, ecx
		inc	eax
		push	ecx
		push	eax
		push	[esp+10Ch+var_D8]
		mov	[esp+110h+var_D4], eax
		add	edi, 28h
		call	NtEnumerateKey
		cmp	eax, 8000001Ah
		jnz	loc_AE7F4F

loc_AE80EA:				; CODE XREF: ExpWatchProductTypeInitialization+14A5Fj
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		xor	ebx, ebx
		push	ebx
		push	[esp+0FCh+var_E4]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	ebx
		push	[esp+0FCh+var_DC]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	[esp+0F8h+var_D8]
		call	NtClose
		jmp	loc_AD389E
; 

loc_AE8117:				; CODE XREF: ExpWatchProductTypeInitialization+14BD7j
		xor	ecx, ecx
		push	ecx
		push	1
		push	eax
		push	18h
		jmp	loc_AE7C8D
; 

loc_AE8124:				; CODE XREF: ExpWatchProductTypeInitialization+14B27j
		xor	ecx, ecx
		push	ecx
		push	1
		push	eax
		push	16h
		jmp	loc_AE7C8D
; 

loc_AE8131:				; CODE XREF: ExpWatchProductTypeInitialization+14A6Dj
		push	ecx
		push	ecx
		push	eax
		push	1Ah
		jmp	loc_AE7C8D
; 

loc_AE813B:				; CODE XREF: ExpWatchProductTypeInitialization+149C5j
					; ExpWatchProductTypeInitialization+149CDj
		xor	eax, eax
		push	eax
		push	5
		push	edi
		jmp	loc_AE7D15
; 

loc_AE8146:				; CODE XREF: ExpWatchProductTypeInitialization+116j
					; ExpWatchProductTypeInitialization+16Aj
		xor	ecx, ecx
		push	ecx
		push	ecx
		push	eax
		push	3
		jmp	loc_AE7C8D
; END OF FUNCTION CHUNK	FOR ExpWatchProductTypeInitialization
; 
; START	OF FUNCTION CHUNK FOR ExpUpdateProductSuiteTypeInRegistry

loc_AE8152:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+91j
		push	ds:off_A41490
		jmp	short loc_AE8166
; 

loc_AE815A:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+82j
		push	ds:off_A4148C
		lea	eax, [ebp+var_30C]

loc_AE8166:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+1489Ej
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	12h
		pop	ecx
		jmp	loc_AD397C
; 

loc_AE8174:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+DBj
		push	edi
		push	1
		jmp	short loc_AE817C
; 

loc_AE8179:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+237j
		push	ebx
		push	2

loc_AE817C:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+148BDj
		push	eax
		push	11h
		push	9Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE8189:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+103j
		mov	edx, ds:off_A414A4
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AE8194:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+148E7j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AE8194
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	ebx, esi
		jnb	loc_AD39C3
		push	ebx		; size_t
		push	edx		; void *
		lea	eax, [ebp+var_300]
		push	eax		; void *
		call	_memcpy
		lea	edi, [ebp+var_300]
		add	esp, 0Ch
		add	edi, ebx
		sub	esi, ebx
		jmp	loc_AD39C3
; 

loc_AE81D6:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+112j
		mov	edx, ds:off_A414A8
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AE81E1:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14934j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AE81E1
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	esi, ebx
		jbe	loc_AD39D2
		push	ebx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, ebx
		sub	esi, ebx
		jmp	loc_AD39D2
; 

loc_AE8217:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+121j
		mov	edx, ds:off_A414B0
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AE8222:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14975j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AE8222
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	esi, ebx
		jbe	loc_AD39E1
		push	ebx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, ebx
		sub	esi, ebx
		jmp	loc_AD39E1
; 

loc_AE8258:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+130j
		mov	edx, ds:off_A414AC
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AE8263:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+149B6j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AE8263
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	esi, ebx
		jbe	loc_AD39F0
		push	ebx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, ebx
		sub	esi, ebx
		jmp	loc_AD39F0
; 

loc_AE8299:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+182j
		mov	edx, ds:off_A414B4
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AE82A4:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+149F7j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AE82A4
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	esi, ebx
		jbe	loc_AD3A42
		push	ebx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, ebx
		sub	esi, ebx
		jmp	loc_AD3A42
; 

loc_AE82DA:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+191j
		mov	edx, ds:off_A414BC
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AE82E5:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14A38j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AE82E5
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	esi, ebx
		jbe	loc_AD3A51
		push	ebx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, ebx
		sub	esi, ebx
		jmp	loc_AD3A51
; 

loc_AE831B:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+1A0j
		mov	edx, ds:off_A414C0
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AE8326:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14A79j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AE8326
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	esi, ebx
		jbe	loc_AD3A60
		push	ebx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, ebx
		sub	esi, ebx
		jmp	loc_AD3A60
; 

loc_AE835C:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+1AFj
		mov	edx, ds:off_A414C4
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AE8367:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14ABAj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AE8367
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	esi, ebx
		jbe	loc_AD3A6F
		push	ebx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, ebx
		sub	esi, ebx
		jmp	loc_AD3A6F
; 

loc_AE839D:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+1BEj
		mov	edx, ds:off_A414C8
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AE83A8:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14AFBj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AE83A8
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	esi, ebx
		jbe	loc_AD3A7E
		push	ebx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, ebx
		sub	esi, ebx
		jmp	loc_AD3A7E
; 

loc_AE83DE:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+1CDj
		mov	edx, ds:off_A414CC
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AE83E9:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14B3Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AE83E9
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	esi, ebx
		jbe	loc_AD3A8D
		push	ebx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, ebx
		sub	esi, ebx
		jmp	loc_AD3A8D
; 

loc_AE841F:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+1DCj
		mov	edx, ds:off_A414D0
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AE842A:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14B7Dj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AE842A
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	esi, ebx
		jbe	loc_AD3A9C
		push	ebx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, ebx
		sub	esi, ebx
		jmp	loc_AD3A9C
; 

loc_AE8460:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+1EBj
		mov	edx, ds:off_A414D4
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AE846B:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14BBEj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AE846B
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	esi, ebx
		jbe	loc_AD3AAB
		push	ebx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, ebx
		sub	esi, ebx
		jmp	loc_AD3AAB
; 

loc_AE84A1:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+1FAj
		mov	edx, ds:off_A414D8
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AE84AC:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14BFFj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AE84AC
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	esi, ebx
		jbe	loc_AD3ABA
		push	ebx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		add	edi, ebx
		sub	esi, ebx
		jmp	loc_AD3ABA
; 

loc_AE84E2:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+209j
		mov	edx, ds:off_A414E4
		mov	ecx, edx
		lea	ebx, [ecx+2]

loc_AE84ED:				; CODE XREF: ExpUpdateProductSuiteTypeInRegistry+14C40j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_304]
		jnz	short loc_AE84ED
		sub	ecx, ebx
		sar	ecx, 1
		lea	ebx, ds:2[ecx*2]
		cmp	esi, ebx
		jbe	loc_AD3AC9
		push	ebx		; size_t
		push	edx		; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch
		sub	esi, ebx
		jmp	loc_AD3AC9
; END OF FUNCTION CHUNK	FOR ExpUpdateProductSuiteTypeInRegistry
; 
; START	OF FUNCTION CHUNK FOR PfpRpInitialize

loc_AE8521:				; CODE XREF: PfpRpInitialize+29j
		push	edx		; size_t
		push	edx		; int
		push	edx		; void *
		mov	[edi+2Ch], edx
		mov	[edi+24h], ecx
		mov	[edi+28h], edx
		mov	[edi+20h], edx
		call	_memset
		add	esp, 0Ch
		jmp	loc_AD3EB8
; END OF FUNCTION CHUNK	FOR PfpRpInitialize
; 
; START	OF FUNCTION CHUNK FOR KsepEngineInitialize

loc_AE853D:				; CODE XREF: KsepEngineInitialize+7j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		push	2
		mov	dword_6C7024[eax*8], 0C0000420h
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 320h
		mov	_KsepHistoryErrors[eax*8], cx
		test	_KsepDebugFlag,	4
		jz	loc_AD3F11
		push	0
		push	ecx
		push	offset ??_C@_0BP@FJIAFDAP@minkernel?2ntos?2kshim?2ksecore?4c@PBOPGDP@
		push	offset ??_C@_0P@CCGIFHAI@Engine?5?$CB?$DN?5NULL@PBOPGDP@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		jmp	loc_AD3F11
; END OF FUNCTION CHUNK	FOR KsepEngineInitialize
; 
; START	OF FUNCTION CHUNK FOR KsepMatchInitMachineInfo

loc_AE8593:				; CODE XREF: KsepMatchInitMachineInfo+17j
		mov	ecx, edi
		lock xadd _KsepHistoryErrorsIndex, ecx
		inc	ecx
		and	ecx, 3Fh
		test	_KsepDebugFlag,	2
		mov	word_6C7022[ecx*8], ax
		mov	eax, 9Ch
		mov	dword_6C7024[ecx*8], esi
		mov	_KsepHistoryErrors[ecx*8], ax
		jz	short loc_AE85D5
		push	esi		; char
		push	offset ??_C@_0CP@CIMLLFAM@KSE?3?5KsepMatchInitAcpiOemInfo?5f@PBOPGDP@ ;	char *
		push	ebx		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_AE85D5:				; CODE XREF: KsepMatchInitMachineInfo+1462Ej
		push	esi		; char
		push	offset ??_C@_0CP@CIMLLFAM@KSE?3?5KsepMatchInitAcpiOemInfo?5f@PBOPGDP@ ;	char *
		push	ebx		; int
		call	_KsepLogError
		add	esp, 0Ch
		jmp	loc_AD3FB3
; 

loc_AE85E9:				; CODE XREF: KsepMatchInitMachineInfo+26j
		mov	ecx, edi
		lock xadd _KsepHistoryErrorsIndex, ecx
		inc	ecx
		and	ecx, 3Fh
		test	_KsepDebugFlag,	2
		push	0Ah
		pop	eax
		mov	word_6C7022[ecx*8], ax
		mov	eax, 0A2h
		mov	dword_6C7024[ecx*8], esi
		mov	_KsepHistoryErrors[ecx*8], ax
		jz	short loc_AE862E
		push	esi		; char
		push	offset ??_C@_0CM@JILIAGMP@KSE?3?5KsepMatchInitCpuInfo?5faile@PBOPGDP@ ;	char *
		push	ebx		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_AE862E:				; CODE XREF: KsepMatchInitMachineInfo+14687j
		push	esi		; char
		push	offset ??_C@_0CM@JILIAGMP@KSE?3?5KsepMatchInitCpuInfo?5faile@PBOPGDP@ ;	char *
		push	ebx		; int
		call	_KsepLogError
		add	esp, 0Ch
		jmp	loc_AD3FC2
; 

loc_AE8642:				; CODE XREF: KsepMatchInitMachineInfo+35j
		lock xadd _KsepHistoryErrorsIndex, edi
		inc	edi
		and	edi, 3Fh
		test	_KsepDebugFlag,	2
		push	0Ah
		pop	eax
		mov	word_6C7022[edi*8], ax
		mov	eax, 0A8h
		mov	dword_6C7024[edi*8], esi
		mov	_KsepHistoryErrors[edi*8], ax
		mov	edi, offset ??_C@_0CM@GMBMCLEG@KSE?3?5KsepMatchInitBiosInfo?5fail@PBOPGDP@
		jz	short loc_AE8686
		push	esi		; char
		push	edi		; char *
		push	ebx		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_AE8686:				; CODE XREF: KsepMatchInitMachineInfo+146E3j
		push	esi		; char
		push	edi		; char *
		push	ebx		; int
		call	_KsepLogError
		add	esp, 0Ch
		jmp	loc_AD3FD1
; END OF FUNCTION CHUNK	FOR KsepMatchInitMachineInfo
; 
; START	OF FUNCTION CHUNK FOR KsepMatchInitBiosInfo

loc_AE8696:				; CODE XREF: KsepMatchInitBiosInfo+ACj
		lea	eax, [ebp+var_1C]
		push	eax		; char
		push	edi		; char *
		push	ebx		; int
		call	_KsepDebugPrint
		add	esp, 0Ch
		jmp	loc_AD40B2
; 

loc_AE86A9:				; CODE XREF: KsepMatchInitBiosInfo+149j
		push	edi		; char
		push	esi		; char *
		push	ebx		; int
		call	_KsepDebugPrint
		add	esp, 0Ch
		jmp	loc_AD414F
; 

loc_AE86B9:				; CODE XREF: KsepMatchInitBiosInfo+1CAj
		and	dword_6FD418, 0
		or	dword_6FD430, 0FFFFFFFFh
		jmp	loc_AD41E0
; END OF FUNCTION CHUNK	FOR KsepMatchInitBiosInfo
; 
; START	OF FUNCTION CHUNK FOR KsepEngineReadFlags

loc_AE86CC:				; CODE XREF: KsepEngineReadFlags+22j
		mov	eax, ebx
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		push	64h
		mov	word_6C7022[eax*8], cx
		pop	ecx
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	loc_AD421E
		push	0
		push	ecx
		push	offset ??_C@_0CD@GDPINNHE@minkernel?2ntos?2kshim?2kseregistr@PBOPGDP@
		push	offset ??_C@_0P@CCGIFHAI@Engine?5?$CB?$DN?5NULL@PBOPGDP@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		jmp	loc_AD421E
; 

loc_AE871C:				; CODE XREF: KsepEngineReadFlags+3Cj
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		and	[ebp+var_C], edi
		mov	edx, offset ??_C@_1CG@FKKGHNMB@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAF?$AAl@PBOPGDP@
		and	[ebp+var_10], edi
		push	eax
		call	KsepRegistryQueryDWORD
		test	eax, eax
		jnz	short loc_AE8748
		cmp	[ebp+var_C], ebx
		jnz	short loc_AE8748
		push	2
		pop	edi
		push	4
		pop	eax
		or	[esi+8], eax
		mov	[ebp+var_8], edi

loc_AE8748:				; CODE XREF: KsepEngineReadFlags+1453Fj
					; KsepEngineReadFlags+14544j
		mov	ecx, [ebp+var_4]
		lea	eax, [ebp+var_10]
		push	eax
		mov	edx, (offset loc_ADEE21+1)
		call	KsepRegistryQueryDWORD
		test	eax, eax
		jnz	short loc_AE876B
		cmp	[ebp+var_10], ebx
		jnz	short loc_AE876B
		or	edi, ebx
		or	dword ptr [esi+8], 8
		mov	[ebp+var_8], edi

loc_AE876B:				; CODE XREF: KsepEngineReadFlags+14565j
					; KsepEngineReadFlags+1456Aj
		mov	eax, ebx
		lock xadd _KsepHistoryMessagesIndex, eax
		inc	eax
		and	eax, 3Fh
		push	4
		pop	ecx
		and	dword_6C7244[eax*8], 0
		mov	word_6C7242[eax*8], cx
		add	ecx, 7Fh
		test	_KsepDebugFlag,	1
		mov	_KsepHistoryMessages[eax*8], cx
		jz	short loc_AE87B0
		push	edi		; char
		push	offset ??_C@_0CK@GLCKPOOA@KSE?3?5Engine?5has?5group?5policy?5fl@PBOPGDP@ ; char	*
		push	0		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_AE87B0:				; CODE XREF: KsepEngineReadFlags+145A8j
		push	edi
		push	offset ??_C@_0CK@GLCKPOOA@KSE?3?5Engine?5has?5group?5policy?5fl@PBOPGDP@
		push	0
		call	_KsepLogInfo
		mov	ecx, [ebp+var_4]
		add	esp, 0Ch
		call	_KsepRegistryCloseKey@4	; KsepRegistryCloseKey(x)
		and	[ebp+var_4], 0
		jmp	loc_AD4243
; 

loc_AE87D1:				; CODE XREF: KsepEngineReadFlags+6Dj
		mov	eax, ebx
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	2
		push	4
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 0A0h
		mov	dword_6C7024[eax*8], edi
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_AE8817
		push	edi		; char
		push	offset ??_C@_0DE@NBFNIPAL@KSE?3?5Error?5reading?5compatibilit@PBOPGDP@ ; char *
		push	0		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_AE8817:				; CODE XREF: KsepEngineReadFlags+1460Fj
		push	edi		; char
		push	offset ??_C@_0DE@NBFNIPAL@KSE?3?5Error?5reading?5compatibilit@PBOPGDP@ ; char *
		push	0		; int
		call	_KsepLogError
		jmp	loc_AE8900
; 

loc_AE8829:				; CODE XREF: KsepEngineReadFlags+8Cj
		test	edi, edi
		jns	short loc_AE8892
		mov	eax, ebx
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	2
		push	4
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 0B6h
		mov	dword_6C7024[eax*8], edi
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_AE8878
		push	edi
		push	offset ??_C@_1BK@LNPPAKLL@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAF?$AAl?$AAa?$AAg?$AAs@PBOPGDP@	; char
		push	offset ??_C@_0DM@IEIMCIGI@KSE?3?5Error?5reading?5compatibilit@PBOPGDP@ ; char *
		push	0		; int
		call	_KsepDebugPrint
		add	esp, 10h

loc_AE8878:				; CODE XREF: KsepEngineReadFlags+1466Bj
		push	edi
		push	offset ??_C@_1BK@LNPPAKLL@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAF?$AAl?$AAa?$AAg?$AAs@PBOPGDP@	; char
		push	offset ??_C@_0DM@IEIMCIGI@KSE?3?5Error?5reading?5compatibilit@PBOPGDP@ ; char *
		push	0		; int
		call	_KsepLogError
		add	esp, 10h
		jmp	loc_AD428A
; 

loc_AE8892:				; CODE XREF: KsepEngineReadFlags+14635j
		mov	eax, [ebp+var_14]
		and	eax, 3
		mov	[esi], eax
		test	al, 1
		jz	short loc_AE88A2
		or	dword ptr [esi+8], 20h

loc_AE88A2:				; CODE XREF: KsepEngineReadFlags+146A6j
		test	al, 2
		jz	short loc_AE88AA
		or	dword ptr [esi+8], 10h

loc_AE88AA:				; CODE XREF: KsepEngineReadFlags+146AEj
		mov	eax, ebx
		lock xadd _KsepHistoryMessagesIndex, eax
		inc	eax
		and	eax, 3Fh
		push	4
		pop	ecx
		and	dword_6C7244[eax*8], 0
		test	_KsepDebugFlag,	1
		mov	word_6C7242[eax*8], cx
		mov	ecx, 0C7h
		mov	_KsepHistoryMessages[eax*8], cx
		jz	short loc_AE88F2
		push	dword ptr [esi]	; char
		push	offset ??_C@_0DD@DEFAGPD@KSE?3?5Engine?5initialized?5with?5re@PBOPGDP@ ; char *
		push	0		; int
		call	_KsepDebugPrint
		add	esp, 0Ch

loc_AE88F2:				; CODE XREF: KsepEngineReadFlags+146E9j
		push	dword ptr [esi]
		push	offset ??_C@_0DD@DEFAGPD@KSE?3?5Engine?5initialized?5with?5re@PBOPGDP@
		push	0
		call	_KsepLogInfo

loc_AE8900:				; CODE XREF: KsepEngineReadFlags+1462Ej
		add	esp, 0Ch
		jmp	loc_AD428A
; 

loc_AE8908:				; CODE XREF: KsepEngineReadFlags+D1j
		push	dword ptr [esi]	; char
		push	ebx		; char *
		push	0		; int
		call	_KsepDebugPrint
		add	esp, 0Ch
		jmp	loc_AD42CD
; END OF FUNCTION CHUNK	FOR KsepEngineReadFlags
; 
; START	OF FUNCTION CHUNK FOR KeHwPolicyLocateResource

loc_AE891A:				; CODE XREF: KeHwPolicyLocateResource+18j
					; KeHwPolicyLocateResource+30j
		mov	_KiHwPolicyDriverNotPresent, 1
		mov	eax, 0C000026Ch
		jmp	locret_AD44EB
; END OF FUNCTION CHUNK	FOR KeHwPolicyLocateResource
; 
; START	OF FUNCTION CHUNK FOR PipMigratePnpState

loc_AE892B:				; CODE XREF: PipMigratePnpState+62j
		test	esi, esi
		js	loc_AD45B4
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_4], 4
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	offset ??_C@_1CA@NPBOKNOJ@?$AAM?$AAi?$AAg?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAS?$AAt?$AAa?$AAt?$AAu?$AAs@PBOPGDP@
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_AE897B
		test	esi, esi
		js	loc_AD45B4
		cmp	[ebp+var_8], 4
		jnz	short loc_AE8971
		cmp	[ebp+var_4], 4
		jz	short loc_AE897B

loc_AE8971:				; CODE XREF: PipMigratePnpState+1441Fj
		mov	esi, 0C0000001h
		jmp	loc_AE8C06
; 

loc_AE897B:				; CODE XREF: PipMigratePnpState+14411j
					; PipMigratePnpState+14425j
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_18]
		mov	ecx, _PiPnpRtlCtx
		xor	ebx, ebx
		push	eax
		push	2001Fh
		push	ebx
		push	offset ??_C@_1CE@MEIKCFL@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS@PBOPGDP@
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_AE89AB
		mov	esi, ebx
		jmp	loc_AD45B4
; 

loc_AE89AB:				; CODE XREF: PipMigratePnpState+14458j
		test	esi, esi
		js	loc_AD45B4
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_C]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	20019h
		push	ebx
		push	offset ??_C@_1DA@PEBFPDJH@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAM@PBOPGDP@
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD45B4
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+Source2]
		mov	[ebp+var_4], 8
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	offset ??_C@_1BM@HNBIHKIB@?$AAM?$AAi?$AAg?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAT?$AAi?$AAm?$AAe@PBOPGDP@
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD45B4
		cmp	[ebp+var_8], 3
		jnz	loc_AE8C3D
		cmp	[ebp+var_4], 8
		jnz	loc_AE8C3D
		mov	edx, [ebp+var_C]
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_1C]
		push	eax
		push	4
		pop	edx
		mov	[ebp+var_C], ebx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD45B4
		mov	edx, [ebp+var_1C]
		lea	eax, [ebp+var_C]
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		push	eax
		push	ebx
		push	20006h
		push	ebx
		push	offset ??_C@_1DA@PEBFPDJH@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAM@PBOPGDP@
		call	__PnpCtxRegCreateKey@32	; _PnpCtxRegCreateKey(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD45B4
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_4]
		push	8
		pop	ebx
		push	eax
		lea	eax, [ebp+Source1]
		mov	[ebp+var_4], ebx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	offset ??_C@_1BM@HNBIHKIB@?$AAM?$AAi?$AAg?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAT?$AAi?$AAm?$AAe@PBOPGDP@
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_AE8AC8
		test	esi, esi
		js	loc_AD45B4
		cmp	[ebp+var_8], 3
		jnz	loc_AE8C3D
		cmp	[ebp+var_4], ebx
		jnz	loc_AE8C3D
		push	ebx		; Length
		lea	eax, [ebp+Source2]
		push	eax		; Source2
		lea	eax, [ebp+Source1]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, ebx
		jnz	short loc_AE8AC8
		mov	esi, 0C0000021h
		jmp	loc_AD45B4
; 

loc_AE8AC8:				; CODE XREF: PipMigratePnpState+14545j
					; PipMigratePnpState+14572j
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		push	4
		push	eax
		push	4
		push	offset ??_C@_1CA@NPBOKNOJ@?$AAM?$AAi?$AAg?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAS?$AAt?$AAa?$AAt?$AAu?$AAs@PBOPGDP@
		mov	[ebp+var_14], 103h
		call	__PnpCtxRegSetValue@24 ; _PnpCtxRegSetValue(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD45B4
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+Source2]
		push	ebx
		push	eax
		push	3
		push	offset ??_C@_1BM@HNBIHKIB@?$AAM?$AAi?$AAg?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAT?$AAi?$AAm?$AAe@PBOPGDP@
		call	__PnpCtxRegSetValue@24 ; _PnpCtxRegSetValue(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD45B4
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_4]
		push	eax
		lea	eax, [ebp+var_28]
		mov	[ebp+var_4], 4
		push	eax
		lea	eax, [ebp+var_8]
		mov	bl, 1
		push	eax
		push	offset ??_C@_1BM@JHDACHBJ@?$AAT?$AAa?$AAr?$AAg?$AAe?$AAt?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@PBOPGDP@
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE8C11
		cmp	[ebp+var_8], 4
		jnz	loc_AE8C0C
		cmp	[ebp+var_4], 4
		jnz	loc_AE8C0C
		mov	eax, [ebp+var_28]
		and	eax, 0FFFF0000h
		cmp	eax, 0A000000h
		jz	short loc_AE8B65
		mov	esi, 0C0000059h
		jmp	loc_AE8C11
; 

loc_AE8B65:				; CODE XREF: PipMigratePnpState+1460Fj
		mov	edx, [ebp+var_18]
		push	0
		push	[ebp+var_1C]
		push	0
		call	__PnpCtxRegCopyTree@20 ; _PnpCtxRegCopyTree(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AE8C11
		mov	edx, [ebp+var_18]
		lea	eax, [ebp+var_24]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	20019h
		push	0
		push	offset ??_C@_1BC@DHAHNLLM@?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe?$AAs@PBOPGDP@
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_AE8BC5
		test	esi, esi
		js	short loc_AE8C11
		mov	edx, [ebp+var_24]
		mov	ecx, _PiPnpRtlCtx
		push	0
		push	offset _PipMigrateCleanServiceCallback@16 ; PipMigrateCleanServiceCallback(x,x,x,x)
		call	__PnpCtxRegEnumKeyWithCallback@16 ; _PnpCtxRegEnumKeyWithCallback(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AE8C11

loc_AE8BC5:				; CODE XREF: PipMigratePnpState+1465Aj
		lea	eax, [ebp+var_20]
		xor	edx, edx
		push	eax
		push	ecx
		push	ecx
		push	0FFFFFFFFh
		push	ecx
		call	_PnpCtxOpenMachine
		mov	edi, [ebp+var_20]
		mov	esi, eax
		test	esi, esi
		js	short loc_AE8C11
		xor	ecx, ecx
		lea	eax, [ebp+var_2C]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		mov	edx, offset _PipMigrateResetDeviceCallback@16 ;	PipMigrateResetDeviceCallback(x,x,x,x)
		mov	ecx, edi
		call	_CmGetMatchingDeviceList
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_AE8C02
		xor	esi, esi
		jmp	short loc_AE8C11
; 

loc_AE8C02:				; CODE XREF: PipMigratePnpState+146B2j
		test	esi, esi
		js	short loc_AE8C11

loc_AE8C06:				; CODE XREF: PipMigratePnpState+1442Cj
		test	bl, bl
		jnz	short loc_AE8C11
		jmp	short loc_AE8C29
; 

loc_AE8C0C:				; CODE XREF: PipMigratePnpState+145F2j
					; PipMigratePnpState+145FCj
		mov	esi, 0C0000001h

loc_AE8C11:				; CODE XREF: PipMigratePnpState+145E8j
					; PipMigratePnpState+14616j ...
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_14]
		push	4
		push	eax
		push	4
		push	offset ??_C@_1CA@NPBOKNOJ@?$AAM?$AAi?$AAg?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAS?$AAt?$AAa?$AAt?$AAu?$AAs@PBOPGDP@
		mov	[ebp+var_14], esi
		call	__PnpCtxRegSetValue@24 ; _PnpCtxRegSetValue(x,x,x,x,x,x)

loc_AE8C29:				; CODE XREF: PipMigratePnpState+146C0j
		test	edi, edi
		jz	loc_AD45B4
		mov	ecx, edi
		call	__PnpCtxCloseMachine@4 ; _PnpCtxCloseMachine(x)
		jmp	loc_AD45B4
; 

loc_AE8C3D:				; CODE XREF: PipMigratePnpState+144BEj
					; PipMigratePnpState+144C8j ...
		mov	esi, 0C0000001h
		jmp	loc_AD45B4
; END OF FUNCTION CHUNK	FOR PipMigratePnpState
; 
; START	OF FUNCTION CHUNK FOR PpDevCfgInit

loc_AE8C47:				; CODE XREF: PpDevCfgInit+ACj
		mov	al, byte ptr [ebp+var_58]
		and	al, 3
		movzx	eax, al
		neg	eax
		sbb	eax, eax
		and	[ebp+var_58], eax
		jmp	loc_AD46A9
; 

loc_AE8C5B:				; CODE XREF: PpDevCfgInit+13Aj
		cmp	[ebp+var_68], 4
		jnz	loc_AD4734
		cmp	[ebp+var_6C], 4
		jnz	loc_AD4734
		cmp	[ebp+var_70], 0
		jz	loc_AD4734
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset _WNF_PNPC_DEVICE_INSTALL_REQUESTED
		call	_ZwUpdateWnfStateData@28 ; ZwUpdateWnfStateData(x,x,x,x,x,x,x)
		jmp	loc_AD4734
; 

loc_AE8C8E:				; CODE XREF: PpDevCfgInit+17Ej
		lea	edx, [ebp+var_52]
		xor	cl, cl
		call	_PiDrvDbQuerySyncNodesUpdated@8	; PiDrvDbQuerySyncNodesUpdated(x,x)
		mov	bl, byte ptr [ebp+var_52]
		test	eax, eax
		js	loc_AD4778
		test	bl, bl
		jz	loc_AD4778
		or	ds:_PiDevCfgFlags, 1
		jmp	loc_AD4778
; 

loc_AE8CB7:				; CODE XREF: PpDevCfgInit+191j
		call	_RtlIsStateSeparationEnabled@0 ; RtlIsStateSeparationEnabled()
		test	al, al
		jz	short loc_AE8CCF
		call	_PiDrvDbEnumNodes@8 ; PiDrvDbEnumNodes(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD478B

loc_AE8CCF:				; CODE XREF: PpDevCfgInit+146CAj
		xor	ecx, ecx
		mov	edx, offset _PiDevCfgInitDeviceCallback@12 ; PiDevCfgInitDeviceCallback(x,x,x)
		push	edi
		inc	ecx
		call	_PiDmEnumObjectsWithCallback@12	; PiDmEnumObjectsWithCallback(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD478B
		cmp	byte ptr [ebp+var_52+1], 0FFh
		jnz	short loc_AE8D0C
		push	edi
		push	edi
		push	edi
		push	edi
		push	offset _DEVPKEY_DriverDatabase_Updated
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		xor	edx, edx
		push	edi
		push	7
		push	offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@PBOPGDP@
		call	_PiDevCfgSetObjectProperty@44 ;	PiDevCfgSetObjectProperty(x,x,x,x,x,x,x,x,x,x,x)

loc_AE8D0C:				; CODE XREF: PpDevCfgInit+146F7j
		test	bl, bl
		jz	loc_AD478B
		xor	edx, edx
		mov	cl, 1
		call	_PiDrvDbQuerySyncNodesUpdated@8	; PiDrvDbQuerySyncNodesUpdated(x,x)
		jmp	loc_AD478B
; END OF FUNCTION CHUNK	FOR PpDevCfgInit
; 
; START	OF FUNCTION CHUNK FOR PipProcessPendingServices

loc_AE8D22:				; CODE XREF: PipProcessPendingServices+4Fj
		cmp	esi, 0C000017Ch
		jz	loc_AD480F
		test	esi, esi
		js	loc_AD4811
		push	ecx
		push	offset _PipCommitPendingService@16 ; PipCommitPendingService(x,x,x,x)
		push	ecx
		mov	ecx, [ebp+var_4]
		mov	edx, offset _PipPendingServicesFilter@16 ; PipPendingServicesFilter(x,x,x,x)
		call	_PipProcessPendingObjects@20 ; PipProcessPendingObjects(x,x,x,x,x)
		mov	esi, eax
		jmp	loc_AD4811
; END OF FUNCTION CHUNK	FOR PipProcessPendingServices
; 
; START	OF FUNCTION CHUNK FOR PipProcessPendingOsExtensionResources

loc_AE8D51:				; CODE XREF: PipProcessPendingOsExtensionResources+4Fj
		cmp	esi, 0C000017Ch
		jz	loc_AD4879
		test	esi, esi
		js	loc_AD487B
		push	ecx
		push	offset _PipCommitPendingOsExtensionResource@16 ; PipCommitPendingOsExtensionResource(x,x,x,x)
		push	ecx
		mov	ecx, [ebp+var_4]
		xor	edx, edx
		call	_PipProcessPendingObjects@20 ; PipProcessPendingObjects(x,x,x,x,x)
		mov	esi, eax
		jmp	loc_AD487B
; END OF FUNCTION CHUNK	FOR PipProcessPendingOsExtensionResources
; 
; START	OF FUNCTION CHUNK FOR PipResetMatchingFilteredDevices

loc_AE8D7D:				; CODE XREF: PipResetMatchingFilteredDevices+62j
		test	esi, esi
		js	loc_AD498A
		mov	edx, [ebp+var_10]
		lea	eax, [ebp+var_18]
		xor	ecx, ecx
		push	ecx
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		push	ecx
		push	ecx
		call	__PnpCtxRegQueryInfoKey@28 ; _PnpCtxRegQueryInfoKey(x,x,x,x,x,x,x)
		mov	esi, eax
		mov	[ebp+var_28], esi
		test	esi, esi
		js	loc_AD498A
		cmp	[ebp+var_C], ebx
		jz	loc_AD498A
		mov	eax, [ebp+var_18]
		inc	eax
		mov	[ebp+var_20], eax
		add	eax, eax
		push	6E697050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		mov	[ebp+var_2C], ebx
		test	ebx, ebx
		jz	loc_AE8EF4
		xor	edx, edx
		mov	eax, edx
		mov	[ebp+var_18], edx
		cmp	[ebp+var_C], eax
		jbe	loc_AD498A

loc_AE8DE3:				; CODE XREF: PipResetMatchingFilteredDevices+145C9j
		mov	ecx, [ebp+var_20]
		push	edx		; int
		push	edx		; void *
		push	edx		; int
		mov	edx, [ebp+var_10]
		mov	[ebp+var_24], ecx
		lea	ecx, [ebp+var_24]
		push	ecx		; int
		push	ebx		; void *
		push	eax		; int
		call	__PnpCtxRegEnumValue@32	; _PnpCtxRegEnumValue(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	loc_AE8EDD
		test	[ebp+arg_0], 80h
		jz	short loc_AE8E0F
		mov	eax, offset ??_C@_0CP@DMMJOECI@Resetting?5devices?5in?5device?5set@PBOPGDP@
		jmp	short loc_AE8E1F
; 

loc_AE8E0F:				; CODE XREF: PipResetMatchingFilteredDevices+144E6j
		test	[ebp+arg_0], 2
		mov	eax, offset ??_C@_0CH@DBLIHBID@Resetting?5devices?5using?5service@PBOPGDP@
		jnz	short loc_AE8E1F
		mov	eax, offset ??_C@_0CE@BGANPMMF@Resetting?5devices?5related?5to?5?8?$CF@PBOPGDP@

loc_AE8E1F:				; CODE XREF: PipResetMatchingFilteredDevices+144EDj
					; PipResetMatchingFilteredDevices+144F8j
		push	ebx		; char
		push	eax		; char *
		push	0		; int
		push	20h		; int
		call	_DbgPrintEx
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		add	esp, 0Ch
		mov	edx, ebx
		push	eax
		push	[ebp+var_14]
		xor	eax, eax
		push	edi
		push	eax
		push	eax
		push	dword ptr [ebp+arg_0]
		call	_CmGetMatchingFilteredDeviceList
		cmp	eax, 0C0000023h
		jnz	short loc_AE8E91
		test	edi, edi
		jz	short loc_AE8E59
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE8E59:				; CODE XREF: PipResetMatchingFilteredDevices+1452Fj
		mov	eax, [ebp+var_4]
		mov	[ebp+var_14], eax
		add	eax, eax
		push	6E697050h
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[ebp+var_1C], edi
		test	edi, edi
		jz	short loc_AE8EF4
		push	ecx
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_4]
		push	eax
		push	[ebp+var_14]
		xor	eax, eax
		mov	edx, ebx
		push	edi
		push	eax
		push	eax
		push	dword ptr [ebp+arg_0]
		call	_CmGetMatchingFilteredDeviceList

loc_AE8E91:				; CODE XREF: PipResetMatchingFilteredDevices+1452Bj
		test	eax, eax
		js	short loc_AE8EDD
		xor	edx, edx
		cmp	[ebp+var_4], 1
		jb	short loc_AE8EDF
		mov	[ebp+var_24], edi
		cmp	[edi], dx
		jz	short loc_AE8EDF
		mov	ebx, [ebp+var_8]
		mov	esi, edi
		xor	edi, edi

loc_AE8EAC:				; CODE XREF: PipResetMatchingFilteredDevices+145B2j
		mov	edx, esi
		mov	ecx, ebx
		call	_PipResetDevice@8 ; PipResetDevice(x,x)
		mov	ecx, esi
		lea	edx, [ecx+2]

loc_AE8EBA:				; CODE XREF: PipResetMatchingFilteredDevices+145A3j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_AE8EBA
		sub	ecx, edx
		sar	ecx, 1
		lea	esi, [esi+ecx*2]
		add	esi, 2
		cmp	[esi], di
		jnz	short loc_AE8EAC
		mov	esi, [ebp+var_28]
		mov	edi, [ebp+var_1C]
		mov	ebx, [ebp+var_2C]

loc_AE8EDD:				; CODE XREF: PipResetMatchingFilteredDevices+144DCj
					; PipResetMatchingFilteredDevices+14573j
		xor	edx, edx

loc_AE8EDF:				; CODE XREF: PipResetMatchingFilteredDevices+1457Bj
					; PipResetMatchingFilteredDevices+14583j
		mov	eax, [ebp+var_18]
		inc	eax
		mov	[ebp+var_18], eax
		cmp	eax, [ebp+var_C]
		jb	loc_AE8DE3
		jmp	loc_AD498A
; 

loc_AE8EF4:				; CODE XREF: PipResetMatchingFilteredDevices+144ADj
					; PipResetMatchingFilteredDevices+14555j
		mov	esi, 0C000009Ah
		jmp	loc_AD498A
; 

loc_AE8EFE:				; CODE XREF: PipResetMatchingFilteredDevices+73j
		xor	eax, eax
		push	eax
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AD4999
; 

loc_AE8F0C:				; CODE XREF: PipResetMatchingFilteredDevices+7Bj
		xor	eax, eax
		push	eax
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AD49A1
; END OF FUNCTION CHUNK	FOR PipResetMatchingFilteredDevices
; 
; START	OF FUNCTION CHUNK FOR WheapInitializeEventing

loc_AE8F1A:				; CODE XREF: WheapInitializeEventing+62j
		mov	_WheapEtwHandle, ebx
		mov	dword_6B9384, ebx
		jmp	loc_AD4A98
; END OF FUNCTION CHUNK	FOR WheapInitializeEventing
; 
; START	OF FUNCTION CHUNK FOR ExpWorkerInitialization

loc_AE8F2B:				; CODE XREF: ExpWorkerInitialization+3Aj
		mov	eax, ecx
		mov	_ExpMaximumKernelWorkerThreads,	eax
		jmp	loc_AD4B12
; 

loc_AE8F37:				; CODE XREF: ExpWorkerInitialization+45j
		mov	_ExpMaximumKernelWorkerThreads,	ecx
		jmp	loc_AD4B1D
; 

loc_AE8F42:				; CODE XREF: ExpWorkerInitialization+57j
		mov	eax, ecx
		mov	_ExpWorkerThreadTimeoutInSeconds, eax
		jmp	loc_AD4B2F
; 

loc_AE8F4E:				; CODE XREF: ExpWorkerInitialization+62j
		mov	_ExpWorkerThreadTimeoutInSeconds, ecx
		jmp	loc_AD4B3A
; END OF FUNCTION CHUNK	FOR ExpWorkerInitialization
; 
; START	OF FUNCTION CHUNK FOR FsRtlGetCompatibilityModeValue

loc_AE8F59:				; CODE XREF: FsRtlGetCompatibilityModeValue+A6j
		lea	eax, [ebp+var_68]
		cmp	esi, eax
		jz	short loc_AE8F68
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE8F68:				; CODE XREF: FsRtlGetCompatibilityModeValue+13D2Ej
		push	20746146h
		add	ebx, 100h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_AE8F91
		lea	eax, [ebp+var_70]
		push	eax
		push	ebx
		push	esi
		push	1
		push	[ebp+var_74]
		jmp	loc_AD52C6
; 

loc_AE8F91:				; CODE XREF: FsRtlGetCompatibilityModeValue+13D4Fj
		mov	eax, 0C0000017h
		jmp	loc_AD5306
; 

loc_AE8F9B:				; CODE XREF: FsRtlGetCompatibilityModeValue+CEj
		push	0
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AD5304
; END OF FUNCTION CHUNK	FOR FsRtlGetCompatibilityModeValue
; 
; START	OF FUNCTION CHUNK FOR FsRtlInitializeTunnels

loc_AE8FA8:				; CODE XREF: FsRtlInitializeTunnels+Ej
		mov	ds:_TunnelMaxEntries, 400h
		jmp	loc_AD5440
; 

loc_AE8FB7:				; CODE XREF: FsRtlInitializeTunnels+89j
		test	ecx, ecx
		jz	loc_AD54C5
		lea	eax, [ecx+1]
		movzx	eax, ax
		jmp	loc_AD54BB
; END OF FUNCTION CHUNK	FOR FsRtlInitializeTunnels
; 
; START	OF FUNCTION CHUNK FOR PpmInitIdlePolicy

loc_AE8FCA:				; CODE XREF: PpmInitIdlePolicy+7Fj
		push	edi
		push	5Ah
		pop	edi
		mul	edi
		mov	ecx, eax
		mov	eax, esi
		mul	edi
		pop	edi
		add	ecx, edx
		mov	ds:_PopCoordinatedIdleExitTimeout, eax
		mov	ds:dword_70ED04, ecx
		jmp	loc_AD5583
; END OF FUNCTION CHUNK	FOR PpmInitIdlePolicy
; 
; START	OF FUNCTION CHUNK FOR StartFirstUserProcess

loc_AE8FE9:				; CODE XREF: StartFirstUserProcess+22j
		call	_RegistryOverwriteCentralProcessor@0 ; RegistryOverwriteCentralProcessor()
		jmp	loc_AD5644
; 

loc_AE8FF3:				; CODE XREF: StartFirstUserProcess+57j
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	0C000009Ah
		jmp	short loc_AE9006
; 

loc_AE8FFF:				; CODE XREF: StartFirstUserProcess+133j
		push	0
		push	2
		push	0

loc_AE9005:				; CODE XREF: StartFirstUserProcess+18Cj
		push	eax

loc_AE9006:				; CODE XREF: StartFirstUserProcess+139E1j
					; StartFirstUserProcess+139F8j
		push	6Dh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE900D:				; CODE XREF: StartFirstUserProcess+114j
		push	0
		push	1
		push	0
		push	esi
		jmp	short loc_AE9006
; END OF FUNCTION CHUNK	FOR StartFirstUserProcess
; 
; START	OF FUNCTION CHUNK FOR RtlCreateUserProcessEx

loc_AE9016:				; CODE XREF: RtlCreateUserProcessEx+16j
		mov	eax, [edx+28h]
		test	eax, eax
		jz	short loc_AE9022
		add	eax, edx
		mov	[edx+28h], eax

loc_AE9022:				; CODE XREF: RtlCreateUserProcessEx+1386Dj
		mov	eax, [edx+34h]
		test	eax, eax
		jz	short loc_AE902E
		add	eax, edx
		mov	[edx+34h], eax

loc_AE902E:				; CODE XREF: RtlCreateUserProcessEx+13879j
		mov	eax, [edx+3Ch]
		test	eax, eax
		jz	short loc_AE903A
		add	eax, edx
		mov	[edx+3Ch], eax

loc_AE903A:				; CODE XREF: RtlCreateUserProcessEx+13885j
		mov	eax, [edx+44h]
		test	eax, eax
		jz	short loc_AE9046
		add	eax, edx
		mov	[edx+44h], eax

loc_AE9046:				; CODE XREF: RtlCreateUserProcessEx+13891j
		mov	eax, [edx+74h]
		test	eax, eax
		jz	short loc_AE9052
		add	eax, edx
		mov	[edx+74h], eax

loc_AE9052:				; CODE XREF: RtlCreateUserProcessEx+1389Dj
		mov	eax, [edx+7Ch]
		test	eax, eax
		jz	short loc_AE905E
		add	eax, edx
		mov	[edx+7Ch], eax

loc_AE905E:				; CODE XREF: RtlCreateUserProcessEx+138A9j
		mov	eax, [edx+84h]
		test	eax, eax
		jz	short loc_AE9070
		add	eax, edx
		mov	[edx+84h], eax

loc_AE9070:				; CODE XREF: RtlCreateUserProcessEx+138B8j
		mov	eax, [edx+8Ch]
		test	eax, eax
		jz	short loc_AE9082
		add	eax, edx
		mov	[edx+8Ch], eax

loc_AE9082:				; CODE XREF: RtlCreateUserProcessEx+138CAj
		mov	eax, [edx+2A8h]
		test	eax, eax
		jz	short loc_AE9094
		add	eax, edx
		mov	[edx+2A8h], eax

loc_AE9094:				; CODE XREF: RtlCreateUserProcessEx+138DCj
		or	ecx, 1
		mov	[edx+8], ecx
		jmp	loc_AD57CA
; END OF FUNCTION CHUNK	FOR RtlCreateUserProcessEx
; 
; START	OF FUNCTION CHUNK FOR RtlpCreateUserProcess

loc_AE909F:				; CODE XREF: RtlpCreateUserProcess+1AEj
		and	eax, 7FFFFFFFh
		mov	[esi+8], eax
		mov	eax, ecx
		add	eax, eax
		inc	ecx
		mov	[ebp+eax*8+var_B0], edx
		lea	edx, [ebp+var_D0]
		mov	[ebp+eax*8+var_BC], 20012h
		mov	[ebp+eax*8+var_B8], 8
		mov	[ebp+eax*8+var_B4], edx
		jmp	loc_AD59C2
; END OF FUNCTION CHUNK	FOR RtlpCreateUserProcess
; 
; START	OF FUNCTION CHUNK FOR QueryRegistryHideMachine

loc_AE90DB:				; CODE XREF: QueryRegistryHideMachine+5Aj
		push	offset ??_C@_1BI@HMDFEAOI@?$AAH?$AAi?$AAd?$AAe?$AAM?$AAa?$AAc?$AAh?$AAi?$AAn?$AAe@PBOPGDP@
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_8]
		push	eax
		push	ebx
		push	ebx
		push	2
		lea	eax, [ebp+var_10]
		push	eax
		push	[ebp+var_4]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	loc_AD5A74
		push	74696E49h
		push	[ebp+var_8]
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_AD5A74
		lea	eax, [ebp+var_8]
		push	eax
		push	[ebp+var_8]
		lea	eax, [ebp+var_10]
		push	esi
		push	2
		push	eax
		push	[ebp+var_4]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AE914A
		cmp	dword ptr [esi+4], 4
		jnz	short loc_AE914A
		cmp	dword ptr [esi+8], 4
		jnz	short loc_AE914A
		mov	edi, [esi+0Ch]

loc_AE914A:				; CODE XREF: QueryRegistryHideMachine+13725j
					; QueryRegistryHideMachine+1372Bj ...
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AD5A74
; 

loc_AE9156:				; CODE XREF: QueryRegistryHideMachine+63j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_AD5A7D
; END OF FUNCTION CHUNK	FOR QueryRegistryHideMachine
; 
; START	OF FUNCTION CHUNK FOR PpmPerfInitialize

loc_AE9163:				; CODE XREF: PpmPerfInitialize+D1j
		cmp	eax, 0FFFFFFFFh
		jnz	loc_AD5E01
		mov	eax, ds:_PpmPerfQosTransitionHysteresis
		jmp	loc_AD5E01
; END OF FUNCTION CHUNK	FOR PpmPerfInitialize
; 
; START	OF FUNCTION CHUNK FOR PopDirectedDripsInitializePhase3

loc_AE9176:				; CODE XREF: PopDirectedDripsInitializePhase3+2Aj
		mov	esi, 0C00000BBh
		jmp	loc_AD5EDB
; 

loc_AE9180:				; CODE XREF: PopDirectedDripsInitializePhase3+A1j
		cmp	eax, 2
		jz	loc_AD5ED3
		mov	_PopDirectedDripsDfxEnforcementPolicy, ecx
		jmp	loc_AD5ED3
; END OF FUNCTION CHUNK	FOR PopDirectedDripsInitializePhase3
; 
; START	OF FUNCTION CHUNK FOR KiInitSystem

loc_AE9194:				; CODE XREF: KiInitSystem+Dj
		call	_KiForceSymbolReferences@0 ; KiForceSymbolReferences()
		jmp	loc_AD601B
; END OF FUNCTION CHUNK	FOR KiInitSystem
; 
; START	OF FUNCTION CHUNK FOR PopEtInit

loc_AE919E:				; CODE XREF: PopEtInit+3Ej
		mov	eax, 0C000009Ah
		jmp	loc_AD6478
; END OF FUNCTION CHUNK	FOR PopEtInit
; 
; START	OF FUNCTION CHUNK FOR MiInitializeBootProcess

loc_AE91A8:				; CODE XREF: MiInitializeBootProcess+100j
		mov	edx, [ebp+4]
		lea	ecx, [ebp+var_10]
		call	@KiReleaseQueuedSpinLockInstrumented@8 ; KiReleaseQueuedSpinLockInstrumented(x,x)
		jmp	loc_AD65E4
; 

loc_AE91B8:				; CODE XREF: MiInitializeBootProcess+122j
		lea	ecx, [ebp+var_10]
		call	KxWaitForLockChainValid

loc_AE91C0:				; CODE XREF: MiInitializeBootProcess+10Bj
		xor	ecx, ecx
		mov	[ebp+var_10], edi
		inc	ecx
		add	eax, 4
		lock xor [eax],	ecx
		jmp	loc_AD65E4
; END OF FUNCTION CHUNK	FOR MiInitializeBootProcess
; 
; START	OF FUNCTION CHUNK FOR MiInitializeBootPageDirectoryPages

loc_AE91D1:				; CODE XREF: MiInitializeBootPageDirectoryPages+E8j
		mov	esi, offset _MiSystemPartition
		mov	edx, ebx
		mov	ecx, esi
		call	MiReturnCommit
		mov	edx, ebx
		mov	ecx, esi
		call	MiReturnResavailToPrcb
		test	eax, eax
		jz	short loc_AE91F5
		mov	ecx, offset dword_6D5E40
		lock xadd [ecx], eax

loc_AE91F5:				; CODE XREF: MiInitializeBootPageDirectoryPages+D2j
					; MiInitializeBootPageDirectoryPages+12BE2j
		mov	eax, 0C000009Ah
		jmp	loc_AD6789
; 

loc_AE91FF:				; CODE XREF: MiInitializeBootPageDirectoryPages+11Aj
					; MiInitializeBootPageDirectoryPages+12C19j
		mov	esi, offset _MiSystemPartition
		mov	ecx, esi
		call	_MiWaitForFreePage@8 ; MiWaitForFreePage(x,x)
		push	302h
		mov	edx, ebx
		mov	ecx, esi
		call	MiGetPage
		mov	esi, eax
		mov	[ebp+var_4], esi
		cmp	esi, 0FFFFFFFFh
		jz	short loc_AE91FF
		xor	esi, esi
		mov	ecx, eax
		jmp	loc_AD6728
; 

loc_AE922C:				; CODE XREF: MiInitializeBootPageDirectoryPages+160j
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_AE925D
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	loc_AD6770

loc_AE9245:				; CODE XREF: MiInitializeBootPageDirectoryPages+12C6Ej
		mov	eax, ebx
		and	eax, 1
		or	eax, esi
		jz	loc_AD6770
		or	edx, 80000000h
		jmp	loc_AD6770
; 

loc_AE925D:				; CODE XREF: MiInitializeBootPageDirectoryPages+12C2Bj
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_4]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_AE9245
		jmp	loc_AD6770
; 

loc_AE927D:				; CODE XREF: MiInitializeBootPageDirectoryPages+170j
		push	edx
		push	ebx
		mov	ecx, edi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)
		jmp	loc_AD677E
; END OF FUNCTION CHUNK	FOR MiInitializeBootPageDirectoryPages
; 
; START	OF FUNCTION CHUNK FOR PipHardwareConfigInit

loc_AE928B:				; CODE XREF: PipHardwareConfigInit+B2j
		xor	edi, edi
		jmp	loc_AD684C
; 

loc_AE9292:				; CODE XREF: PipHardwareConfigInit+1D8j
					; PipHardwareConfigInit+1E1j
		mov	[ebp+var_218], esi
		jmp	loc_AD6981
; 

loc_AE929D:				; CODE XREF: PipHardwareConfigInit+1C9j
					; PipHardwareConfigInit+202j
		mov	ecx, [ebp+var_22C]
		lea	eax, [ebp+var_220]
		and	[ebp+var_21C], 0
		mov	edx, offset ??_C@_1O@FPIIFKIC@?$AAL?$AAa?$AAs?$AAt?$AAI?$AAd@PBOPGDP@
		push	eax
		push	0
		call	IopGetRegistryValue
		test	eax, eax
		js	short loc_AE92E9
		mov	ecx, [ebp+var_220]
		push	4
		pop	eax
		cmp	[ecx+4], eax
		jnz	short loc_AE92E1
		cmp	[ecx+0Ch], eax
		jnz	short loc_AE92E1
		mov	eax, [ecx+8]
		mov	eax, [eax+ecx]
		inc	eax
		mov	[ebp+var_21C], eax

loc_AE92E1:				; CODE XREF: PipHardwareConfigInit+12B3Fj
					; PipHardwareConfigInit+12B44j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE92E9:				; CODE XREF: PipHardwareConfigInit+12B31j
		mov	eax, [ebp+var_21C]
		lea	ecx, [eax-1]
		mov	[ebp+var_218], ecx
		cmp	eax, ecx
		jz	loc_AD6B33

loc_AE9300:				; CODE XREF: PipHardwareConfigInit+12B98j
		mov	ecx, [ebp+var_22C]
		mov	edx, eax
		call	_PipHardwareConfigExists@8 ; PipHardwareConfigExists(x,x)
		mov	ecx, [ebp+var_218]
		test	al, al
		mov	eax, [ebp+var_21C]
		jz	short loc_AE9328
		inc	eax
		mov	[ebp+var_21C], eax
		cmp	eax, ecx
		jnz	short loc_AE9300

loc_AE9328:				; CODE XREF: PipHardwareConfigInit+12B8Dj
		cmp	eax, ecx
		jz	loc_AD6B33
		push	0Eh
		pop	eax
		push	0Ch
		mov	word ptr [ebp+var_228+2], ax
		pop	eax
		push	4
		pop	esi
		push	esi
		mov	word ptr [ebp+var_228],	ax
		lea	eax, [ebp+var_21C]
		push	eax
		push	esi
		push	0
		lea	eax, [ebp+var_228]
		mov	[ebp+var_224], offset ??_C@_1O@FPIIFKIC@?$AAL?$AAa?$AAs?$AAt?$AAI?$AAd@PBOPGDP@
		push	eax
		push	[ebp+var_22C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	6
		pop	eax
		push	esi
		mov	word ptr [ebp+var_228+2], ax
		lea	eax, [ebp+var_21C]
		push	eax
		push	esi
		push	0
		lea	eax, [ebp+var_228]
		mov	word ptr [ebp+var_228],	si
		push	eax
		push	ebx
		mov	[ebp+var_224], offset ??_C@_15NCCOGFKM@?$AAI?$AAd@PBOPGDP@
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD6B33
		jmp	loc_AD6996
; 

loc_AE93B0:				; CODE XREF: PipHardwareConfigInit+343j
		mov	ecx, [ebp+var_220]
		push	4
		pop	eax
		cmp	[ecx+4], eax
		jnz	short loc_AE93CB
		cmp	[ecx+0Ch], eax
		jnz	short loc_AE93CB
		mov	eax, [ecx+8]
		mov	eax, [ecx+eax]
		jmp	short loc_AE93CD
; 

loc_AE93CB:				; CODE XREF: PipHardwareConfigInit+12C2Ej
					; PipHardwareConfigInit+12C33j
		xor	eax, eax

loc_AE93CD:				; CODE XREF: PipHardwareConfigInit+12C3Bj
		push	0
		push	ecx
		mov	[ebp+var_218], eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_218]
		jmp	loc_AD6AD9
; 

loc_AE93E6:				; CODE XREF: PipHardwareConfigInit+326j
					; PipHardwareConfigInit+34Dj
		mov	ecx, [ebp+var_21C]
		call	_PipHardwareConfigClearStartOverrides@4	; PipHardwareConfigClearStartOverrides(x)
		test	eax, eax
		js	loc_AD6AE1
		push	0Ch
		pop	eax
		push	0Ah
		mov	word ptr [ebp+var_234+2], ax
		pop	eax
		mov	word ptr [ebp+var_234],	ax
		lea	eax, [ebp+var_234]
		push	eax
		push	ebx
		mov	[ebp+var_230], offset ??_C@_1M@PNBPANGG@?$AAR?$AAe?$AAs?$AAe?$AAt@PBOPGDP@ ; "Reset"
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	loc_AD6AE1
; 

loc_AE9429:				; CODE XREF: PipHardwareConfigInit+382j
		mov	ecx, [ebp+var_220]
		push	4
		pop	eax
		cmp	[ecx+4], eax
		jnz	short loc_AE944A
		cmp	[ecx+0Ch], eax
		jnz	short loc_AE944A
		mov	eax, [ecx+8]
		cmp	dword ptr [ecx+eax], 1
		setz	[ebp+var_211]

loc_AE944A:				; CODE XREF: PipHardwareConfigInit+12CA7j
					; PipHardwareConfigInit+12CACj
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+var_211], 0
		jnz	short loc_AE9496
		jmp	loc_AD6B16
; 

loc_AE9460:				; CODE XREF: PipHardwareConfigInit+39Fj
		mov	ecx, [ebp+var_220]
		push	4
		pop	eax
		cmp	[ecx+4], eax
		jnz	short loc_AE9481
		cmp	[ecx+0Ch], eax
		jnz	short loc_AE9481
		mov	eax, [ecx+8]
		cmp	dword ptr [ecx+eax], 1
		setz	[ebp+var_211]

loc_AE9481:				; CODE XREF: PipHardwareConfigInit+12CDEj
					; PipHardwareConfigInit+12CE3j
		push	0
		push	ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	[ebp+var_211], 0
		jz	loc_AD6B33

loc_AE9496:				; CODE XREF: PipHardwareConfigInit+35Ej
					; PipHardwareConfigInit+12CCBj
		mov	ecx, edi
		call	_PipHardwareConfigTriggerRespecialize@4	; PipHardwareConfigTriggerRespecialize(x)
		test	eax, eax
		js	loc_AD6B33
		push	1Ah
		pop	eax
		push	18h
		mov	word ptr [ebp+var_234+2], ax
		pop	eax
		mov	word ptr [ebp+var_234],	ax
		lea	eax, [ebp+var_234]
		push	eax
		push	ebx
		mov	[ebp+var_230], offset ??_C@_1BK@CGJOHCEH@?$AAR?$AAe?$AAs?$AAp?$AAe?$AAc?$AAi?$AAa?$AAl?$AAi?$AAz?$AAe@PBOPGDP@ ; "R"
		call	_ZwDeleteValueKey@8 ; ZwDeleteValueKey(x,x)
		jmp	loc_AD6B33
; END OF FUNCTION CHUNK	FOR PipHardwareConfigInit
; 
; START	OF FUNCTION CHUNK FOR ExpKeyedEventInitialization

loc_AE94D5:				; CODE XREF: ExpKeyedEventInitialization+123j
		mov	eax, 0C000009Ah
		jmp	loc_AD6C31
; 

loc_AE94DF:				; CODE XREF: ExpKeyedEventInitialization+129E2j
		mov	edi, 0C000009Ah

loc_AE94E4:				; CODE XREF: ExpKeyedEventInitialization+136j
					; ExpKeyedEventInitialization+153j ...
		mov	ecx, esi
		call	ExFreeHeapPool
		mov	eax, edi
		jmp	loc_AD6C31
; 

loc_AE94F2:				; CODE XREF: ExpKeyedEventInitialization+193j
		push	ebx
		push	esi
		push	1
		lea	eax, [esp+0BCh+var_6C]
		push	eax
		call	RtlSetDaclSecurityDescriptor
		mov	edi, eax
		test	edi, edi
		js	short loc_AE94E4
		mov	eax, _SeLowMandatorySid
		xor	ecx, ecx
		push	0
		inc	ecx
		movzx	eax, byte ptr [eax+1]
		lea	ebx, ds:1Ch[eax*4]
		mov	eax, large fs:20h
		mov	edx, ebx
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	6C636144h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jnz	loc_AD6D00
		jmp	short loc_AE94DF
; 

loc_AE954C:				; CODE XREF: ExpKeyedEventInitialization+1A5j
					; ExpKeyedEventInitialization+1C1j ...
		mov	ecx, esi
		call	ExFreeHeapPool
		mov	ecx, edi
		call	ExFreeHeapPool
		jmp	loc_AD6DDF
; END OF FUNCTION CHUNK	FOR ExpKeyedEventInitialization
; 
; START	OF FUNCTION CHUNK FOR MiComputeMemoryNodeProcessorAssignments

loc_AE955F:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments+6Cj
		xor	esi, esi
		mov	ecx, esi
		mov	[ebp+var_28], ecx
		test	edx, edx
		jz	loc_AD6E58
		mov	edi, esi
		mov	[ebp+var_2C], esi
		mov	ebx, esi
		mov	[ebp+var_C], esi

loc_AE9578:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments+128A6j
		mov	eax, [ebp+var_10]
		mov	eax, [eax+10h]
		mov	[ebp+var_1C], eax
		cmp	[edi+eax+270h],	si
		jnz	loc_AE9673
		mov	esi, dword_6D0698
		add	esi, ebx
		lea	eax, [esi+edx*4]
		add	esi, 4
		mov	[ebp+var_24], eax
		mov	[ebp+var_18], esi
		cmp	esi, eax
		jnb	loc_AE966F

loc_AE95AB:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments+127EFj
		imul	ebx, [esi], 280h
		xor	edx, edx
		add	ebx, [ebp+var_1C]
		mov	[ebp+var_34], ebx
		movzx	eax, word ptr [ebx+270h]
		div	[ebp+var_14]
		mov	edx, eax
		cmp	edx, 2
		jnb	short loc_AE95DC
		mov	eax, [ebp+var_24]
		add	esi, 4
		mov	[ebp+var_18], esi
		cmp	esi, eax
		jb	short loc_AE95AB
		jmp	loc_AE9667
; 

loc_AE95DC:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments+127E2j
		mov	eax, [ebx+264h]
		imul	edx, [ebp+var_14]
		mov	[ebp+var_38], eax
		mov	[ebp+var_30], eax
		xor	eax, eax
		and	[ebp+var_8], eax
		mov	[ebp+var_4], eax
		shr	edx, 1
		jz	short loc_AE962B
		mov	edi, [ebp+var_8]
		mov	ecx, eax
		mov	ebx, [ebp+var_30]
		xor	esi, esi

loc_AE9602:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments+1282Ej
		bsf	eax, ebx
		mov	[ebp+var_30], esi
		bts	ecx, eax
		btr	ebx, eax
		inc	edi
		movzx	eax, di
		cmp	eax, edx
		jb	short loc_AE9602
		mov	esi, [ebp+var_18]
		mov	ebx, [ebp+var_34]
		mov	[ebp+var_4], ecx
		mov	ecx, [ebp+var_28]
		mov	eax, [ebp+var_4]
		mov	[ebp+var_8], edi
		mov	edi, [ebp+var_2C]

loc_AE962B:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments+12810j
		mov	edx, [ebp+var_1C]
		not	eax
		and	eax, [ebp+var_38]
		mov	[ebx+264h], eax
		mov	eax, [ebp+var_4]
		mov	[edi+edx+264h],	eax
		mov	ax, [ebx+268h]
		mov	[edi+edx+268h],	ax
		mov	eax, [ebp+var_8]
		mov	[edi+edx+270h],	ax
		sub	[ebx+270h], ax
		mov	eax, [ebp+var_24]

loc_AE9667:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments+127F1j
		mov	ebx, [ebp+var_C]
		cmp	esi, eax
		mov	edx, [ebp+var_20]

loc_AE966F:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments+127BFj
		jz	short loc_AE9697
		xor	esi, esi

loc_AE9673:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments+127A3j
		mov	eax, edx
		inc	ecx
		shl	eax, 2
		add	edi, 280h
		add	ebx, eax
		mov	[ebp+var_28], ecx
		mov	[ebp+var_2C], edi
		mov	[ebp+var_C], ebx
		cmp	ecx, edx
		jb	loc_AE9578
		jmp	loc_AD6E58
; 

loc_AE9697:				; CODE XREF: MiComputeMemoryNodeProcessorAssignments:loc_AE966Fj
		xor	eax, eax
		jmp	loc_AD6E5B
; END OF FUNCTION CHUNK	FOR MiComputeMemoryNodeProcessorAssignments
; 
; START	OF FUNCTION CHUNK FOR PoFxInitPowerManagement

loc_AE969E:				; CODE XREF: PoFxInitPowerManagement+CEj
		mov	_PopFxActiveIdleLevel, ebx
		jmp	loc_AD6F38
; END OF FUNCTION CHUNK	FOR PoFxInitPowerManagement
; 
; START	OF FUNCTION CHUNK FOR IopCreateUmdfDirectory

loc_AE96A9:				; CODE XREF: IopCreateUmdfDirectory+4Cj
		mov	esi, 0C000009Ah
		jmp	loc_AD7271
; 

loc_AE96B3:				; CODE XREF: IopCreateUmdfDirectory+B1j
		mov	esi, 0C000009Ah
		jmp	loc_AD7269
; END OF FUNCTION CHUNK	FOR IopCreateUmdfDirectory
; 
; START	OF FUNCTION CHUNK FOR PipInitDeviceOverrideCache

loc_AE96BD:				; CODE XREF: PipInitDeviceOverrideCache+CDj
		add	ecx, 4
		cmp	ecx, 0Ch
		jb	loc_AD755E
		jmp	loc_AD7579
; 

loc_AE96CE:				; CODE XREF: PipInitDeviceOverrideCache+E0j
		mov	eax, 101h
		mov	_PnpDeviceOverrideHashListSize,	eax
		jmp	loc_AD7586
; 

loc_AE96DD:				; CODE XREF: PipInitDeviceOverrideCache+FDj
		mov	_PnpDeviceOverrideHashListSize,	edi

loc_AE96E3:				; CODE XREF: PipInitDeviceOverrideCache+1A0j
		mov	esi, 0C000009Ah
		jmp	loc_AD75F0
; 

loc_AE96ED:				; CODE XREF: PipInitDeviceOverrideCache+148j
		cmp	esi, 80000005h
		jnz	loc_AD75F0
		jmp	loc_AD769C
; 

loc_AE96FE:				; CODE XREF: PipInitDeviceOverrideCache+1B8j
		mov	esi, 0C000009Ah
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AD75F0
; END OF FUNCTION CHUNK	FOR PipInitDeviceOverrideCache
; 
; START	OF FUNCTION CHUNK FOR PspInitializeSystemPartitionPhase0

loc_AE9710:				; CODE XREF: PspInitializeSystemPartitionPhase0+60j
		mov	esi, 0C000009Ah
		jmp	loc_AD795F
; END OF FUNCTION CHUNK	FOR PspInitializeSystemPartitionPhase0
; 
; START	OF FUNCTION CHUNK FOR CreateSystemRootLink

loc_AE971A:				; CODE XREF: CreateSystemRootLink+ADj
		push	edi
		push	edi
		push	1
		jmp	short loc_AE9724
; 

loc_AE9720:				; CODE XREF: CreateSystemRootLink+3C3j
		push	edi
		push	edi
		push	9

loc_AE9724:				; CODE XREF: CreateSystemRootLink+3E9j
					; CreateSystemRootLink+11DB8j ...
		push	eax
		push	64h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE972C:				; CODE XREF: CreateSystemRootLink+11Cj
		push	edi
		push	edi
		push	2
		jmp	short loc_AE9724
; 

loc_AE9732:				; CODE XREF: CreateSystemRootLink+18Fj
		push	edi
		push	edi
		push	3
		jmp	short loc_AE9724
; 

loc_AE9738:				; CODE XREF: CreateSystemRootLink+1C9j
		push	edi
		push	edi
		push	4
		jmp	short loc_AE9724
; 

loc_AE973E:				; CODE XREF: CreateSystemRootLink+241j
		push	edi
		push	edi
		push	5
		jmp	short loc_AE9724
; 

loc_AE9744:				; CODE XREF: CreateSystemRootLink+287j
		push	edi
		push	edi
		push	6
		jmp	short loc_AE9724
; 

loc_AE974A:				; CODE XREF: CreateSystemRootLink+305j
		push	edi
		push	edi
		push	7
		jmp	short loc_AE9724
; END OF FUNCTION CHUNK	FOR CreateSystemRootLink
; 
; START	OF FUNCTION CHUNK FOR PopInitPlatformSettings

loc_AE9750:				; CODE XREF: PopInitPlatformSettings+6Bj
		mov	esi, 0C000009Ah

loc_AE9755:				; CODE XREF: PopInitPlatformSettings+9Dj
					; PopInitPlatformSettings+11Fj
		push	ebx
		push	ebx
		push	esi
		push	0Eh
		push	0A0h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE9764:				; CODE XREF: PopInitPlatformSettings+BAj
		mov	_PopPlatformAoAc, 1
		jmp	loc_AD7E14
; 

loc_AE9770:				; CODE XREF: PopInitPlatformSettings+C8j
		mov	ds:_PopFirmwarePlatformRole, eax
		jmp	loc_AD7E22
; 

loc_AE977A:				; CODE XREF: PopInitPlatformSettings+D6j
		test	eax, eax
		setnz	_PopPlatformAoAc
		jmp	loc_AD7E30
; 

loc_AE9788:				; CODE XREF: PopInitPlatformSettings+E3j
		call	_HvlGetDisabledSleepStates@0 ; HvlGetDisabledSleepStates()
		test	eax, eax
		jz	loc_AD7E3D
		push	ebx		; int
		push	ebx		; void *
		push	12h
		mov	edx, eax
		pop	ecx
		call	PopLogSleepDisabled
		jmp	loc_AD7E3D
; 

loc_AE97A6:				; CODE XREF: PopInitPlatformSettings+EFj
		cmp	_InitSafeBootMode, ebx
		jnz	loc_AD7E56
		cmp	_InitIsWinPEMode, bl
		jnz	loc_AD7E56
		cmp	ds:_PopModernStandbyDisabled, ebx
		jz	loc_AD7E5C
		jmp	loc_AD7E56
; END OF FUNCTION CHUNK	FOR PopInitPlatformSettings
; 
; START	OF FUNCTION CHUNK FOR EtwpTraceSystemInitialization

loc_AE97CF:				; CODE XREF: EtwpTraceSystemInitialization+91j
		mov	bl, 1
		jmp	loc_AD806F
; 

loc_AE97D6:				; CODE XREF: EtwpTraceSystemInitialization+A0j
					; EtwpTraceSystemInitialization+B9j
		xor	ebx, ebx
		jmp	loc_AD8258
; 

loc_AE97DD:				; CODE XREF: EtwpTraceSystemInitialization+34Ej
		lea	eax, [ebp+var_78]
		mov	[ebp+var_78], offset _EtwBootPerfData
		push	eax
		push	1
		push	ebx
		push	offset _BootPerformanceData
		push	esi
		push	edi
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], 108h
		mov	[ebp+var_6C], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_AD832A
; 

loc_AE9809:				; CODE XREF: EtwpTraceSystemInitialization+367j
					; EtwpTraceSystemInitialization+379j
		mov	ebx, dword_6BC12C
		mov	eax, _EtwKernelProvRegHandle
		push	offset _VsmPerformanceData
		push	ebx
		push	eax
		mov	[ebp+var_260], eax
		call	EtwEventEnabled
		test	al, al
		jz	short loc_AE9875
		xor	ecx, ecx
		mov	[ebp+var_70], 8
		lea	eax, [esi+0B0h]
		mov	[ebp+var_74], ecx
		mov	[ebp+var_78], eax
		mov	[ebp+var_6C], ecx
		mov	eax, [edi+84h]
		add	eax, 0CB0h
		mov	[ebp+var_64], ecx
		mov	[ebp+var_68], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	2
		push	ecx
		push	offset _VsmPerformanceData
		push	ebx
		push	[ebp+var_260]
		mov	[ebp+var_60], 40h
		mov	[ebp+var_5C], ecx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_AE9875:				; CODE XREF: EtwpTraceSystemInitialization+11852j
		xor	ebx, ebx
		jmp	loc_AD8355
; 

loc_AE987C:				; CODE XREF: EtwpTraceSystemInitialization+386j
		call	RtlGetSystemTimePrecise
		mov	ecx, ds:_KeLoaderBlock
		mov	[ebp+var_2A0], eax
		mov	[ebp+var_29C], edx
		mov	eax, [ecx+84h]
		add	eax, 0A98h
		mov	[ebp+var_74], ebx
		mov	[ebp+var_78], eax
		lea	eax, [ebp+var_2A0]
		mov	[ebp+var_68], eax
		mov	[ebp+var_70], 8
		mov	[ebp+var_6C], ebx
		mov	[ebp+var_64], ebx
		mov	[ebp+var_60], 8
		mov	[ebp+var_5C], ebx
		mov	eax, [ecx+84h]
		add	eax, 0A94h
		mov	[ebp+var_54], ebx
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_78]
		push	eax
		push	3
		push	ebx
		push	offset _SoftBootInfo
		push	dword_6BC12C
		mov	[ebp+var_50], 4
		push	_EtwKernelProvRegHandle
		mov	[ebp+var_4C], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)
		jmp	loc_AD8362
; END OF FUNCTION CHUNK	FOR EtwpTraceSystemInitialization
; 
; START	OF FUNCTION CHUNK FOR PpLastGoodDoBootProcessing

loc_AE9901:				; CODE XREF: PpLastGoodDoBootProcessing+62j
		lea	edx, [ebp+var_8]
		lea	ecx, [ebp+var_10]
		call	_PiLastGoodRevertLastKnownDirectory@8 ;	PiLastGoodRevertLastKnownDirectory(x,x)
		lea	edx, [ebp+var_18]
		lea	ecx, [ebp+var_20]
		call	_PiLastGoodRevertLastKnownDirectory@8 ;	PiLastGoodRevertLastKnownDirectory(x,x)
		jmp	loc_AD8405
; END OF FUNCTION CHUNK	FOR PpLastGoodDoBootProcessing
; 
; START	OF FUNCTION CHUNK FOR PiLastGoodCopyKeyContents

loc_AE991C:				; CODE XREF: PiLastGoodCopyKeyContents+6Cj
		xor	ecx, ecx
		mov	[ebp+var_4C], 18h
		lea	eax, [ebp+var_14]
		mov	[ebp+var_48], ecx
		push	eax
		push	ecx
		push	ecx
		push	ecx
		lea	eax, [ebp+var_4C]
		mov	[ebp+var_40], 240h
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_C]
		mov	[ebp+var_44], ebx
		push	eax
		mov	[ebp+var_3C], ecx
		mov	[ebp+var_38], ecx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_AE995F
		push	[ebp+var_8]
		jmp	loc_AE99EC
; 

loc_AE995F:				; CODE XREF: PiLastGoodCopyKeyContents+1154Dj
		lea	eax, [ebp+var_10]
		push	eax
		push	418h
		push	edi
		push	1
		push	0
		push	[ebp+var_8]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		xor	ebx, ebx
		inc	ebx
		test	eax, eax
		js	short loc_AE99CB
		lea	ecx, [edi+14h]

loc_AE997F:				; CODE XREF: PiLastGoodCopyKeyContents+115C1j
		mov	[ebp+var_18], ecx
		mov	ax, [edi+10h]
		mov	word ptr [ebp+var_1C], ax
		mov	word ptr [ebp+var_1C+2], ax
		push	dword ptr [edi+0Ch]
		mov	eax, [edi+8]
		add	eax, edi
		push	eax
		push	dword ptr [edi+4]
		lea	eax, [ebp+var_1C]
		push	0
		push	eax
		push	[ebp+var_C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AE99E1
		lea	eax, [ebp+var_10]
		push	eax
		push	418h
		push	edi
		push	1
		push	ebx
		push	[ebp+var_8]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		inc	ebx
		lea	ecx, [edi+14h]
		test	eax, eax
		jns	short loc_AE997F

loc_AE99CB:				; CODE XREF: PiLastGoodCopyKeyContents+11572j
		lea	esi, [eax+7FFFFFE6h]
		neg	esi
		sbb	esi, esi
		and	esi, eax
		jl	short loc_AE99E1
		push	[ebp+var_8]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)

loc_AE99E1:				; CODE XREF: PiLastGoodCopyKeyContents+115A4j
					; PiLastGoodCopyKeyContents+115CFj
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		push	[ebp+var_C]

loc_AE99EC:				; CODE XREF: PiLastGoodCopyKeyContents+11552j
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_AD847A
; END OF FUNCTION CHUNK	FOR PiLastGoodCopyKeyContents
; 
; START	OF FUNCTION CHUNK FOR IopFileUtilRename

loc_AE99F6:				; CODE XREF: IopFileUtilRename+8Ej
		movzx	eax, word ptr [esi]
		push	eax		; size_t
		push	dword ptr [esi+4] ; void *
		lea	eax, [edi+0Ch]
		push	eax		; void *
		call	_memcpy
		and	dword ptr [edi+4], 0
		add	esp, 0Ch
		mov	[edi], bl
		movzx	eax, word ptr [esi]
		mov	[edi+8], eax
		add	eax, 10h
		push	0Ah
		push	eax
		push	edi
		lea	eax, [esp+44h+var_20]
		push	eax
		push	[esp+48h+var_28]
		call	_ZwSetInformationFile@20 ; ZwSetInformationFile(x,x,x,x,x)
		push	0
		push	edi
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	[esp+38h+var_28]
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, esi
		jmp	loc_AD8536
; END OF FUNCTION CHUNK	FOR IopFileUtilRename
; 
; START	OF FUNCTION CHUNK FOR PnpLoadBootFilterDriver

loc_AE9A44:				; CODE XREF: PnpLoadBootFilterDriver+99j
		push	0
		push	[ebp+var_C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE9A4E:				; CODE XREF: PnpLoadBootFilterDriver+83j
		mov	eax, _IopGroupTable
		mov	esi, [esi]
		lea	eax, [eax+ebx*8]
		jmp	loc_AD8690
; 

loc_AE9A5D:				; CODE XREF: PnpLoadBootFilterDriver+A3j
		mov	eax, [esi+14h]
		test	eax, eax
		jns	loc_AD8716
		mov	edi, eax
		jmp	loc_AD8716
; END OF FUNCTION CHUNK	FOR PnpLoadBootFilterDriver
; 
; START	OF FUNCTION CHUNK FOR WheapLoadPolicy

loc_AE9A6F:				; CODE XREF: WheapLoadPolicy+24j
		test	eax, eax
		setnz	_WheapPolicyDisableOffline
		jmp	loc_AD8860
; 

loc_AE9A7D:				; CODE XREF: WheapLoadPolicy+31j
		test	eax, eax
		jmp	loc_AD88A6
; 

loc_AE9A84:				; CODE XREF: WheapLoadPolicy+7Ej
		test	eax, eax
		setnz	_WheapPolicyMemPfaDisable
		jmp	loc_AD88BA
; 

loc_AE9A92:				; CODE XREF: WheapLoadPolicy+94j
					; WheapLoadPolicy+A5j
		mov	_WheapPolicyMemPfaPageCount, ecx
		jmp	loc_AD88E1
; 

loc_AE9A9D:				; CODE XREF: WheapLoadPolicy+B6j
					; WheapLoadPolicy+C7j
		mov	_WheapPolicyMemPfaThreshold, ecx
		jmp	loc_AD8903
; 

loc_AE9AA8:				; CODE XREF: WheapLoadPolicy+D7j
		mov	ecx, 989680h
		mul	ecx
		mov	_WheapPolicyMemPfaTimeout, eax
		mov	dword_6B68EC, edx
		jmp	loc_AD8913
; 

loc_AE9ABF:				; CODE XREF: WheapLoadPolicy+E4j
					; WheapLoadPolicy+F1j
		mov	_WheapPolicyMemPfaDisable, 1
		jmp	loc_AD892D
; 

loc_AE9ACB:				; CODE XREF: WheapLoadPolicy+FEj
		test	eax, eax
		setnz	_WheapPolicyIgnoreDummyWrite
		jmp	loc_AD893A
; 

loc_AE9AD9:				; CODE XREF: WheapLoadPolicy+10Bj
		test	eax, eax
		setnz	_WheapPolicyRestoreCmciEnabled
		jmp	loc_AD8947
; 

loc_AE9AE7:				; CODE XREF: WheapLoadPolicy+12Bj
		mov	_WheapPolicyRestoreCmciMaxAttempts, eax
		jmp	loc_AD8967
; 

loc_AE9AF1:				; CODE XREF: WheapLoadPolicy+142j
		mov	_WheapPolicyRestoreCmciErrorLimit, eax
		jmp	loc_AD897E
; 

loc_AE9AFB:				; CODE XREF: WheapLoadPolicy+159j
		push	eax
		push	0Ah
		mov	_WheapPolicyCmciThresholdCount,	eax
		call	esi
		jmp	loc_AD8995
; 

loc_AE9B0A:				; CODE XREF: WheapLoadPolicy+166j
		push	eax
		push	0Bh
		mov	_WheapPolicyCmciThresholdTime, eax
		call	esi
		jmp	loc_AD89A2
; 

loc_AE9B19:				; CODE XREF: WheapLoadPolicy+173j
		push	eax
		push	0Ch
		mov	_WheapPolicyCmciThresholdPollCount, eax
		call	esi
		jmp	loc_AD89AF
; 

loc_AE9B28:				; CODE XREF: WheapLoadPolicy+180j
		or	_WheaRegistryKeysPresent, 1
		jmp	loc_AD89BC
; 

loc_AE9B34:				; CODE XREF: WheapLoadPolicy+18Cj
		or	_WheaRegistryKeysPresent, 2
		jmp	loc_AD89C8
; 

loc_AE9B40:				; CODE XREF: WheapLoadPolicy+198j
		or	_WheaRegistryKeysPresent, 4
		jmp	loc_AD89D4
; 

loc_AE9B4C:				; CODE XREF: WheapLoadPolicy+1A4j
		or	_WheaRegistryKeysPresent, 8
		jmp	loc_AD89E0
; 

loc_AE9B58:				; CODE XREF: WheapLoadPolicy+1B0j
		or	_WheaRegistryKeysPresent, 10h
		jmp	loc_AD89EC
; 

loc_AE9B64:				; CODE XREF: WheapLoadPolicy+1CCj
		or	_WheaRegistryKeysPresent, 80h
		jmp	loc_AD8A08
; 

loc_AE9B73:				; CODE XREF: WheapLoadPolicy+1D8j
		or	_WheaRegistryKeysPresent, 100h
		jmp	loc_AD8A14
; 

loc_AE9B82:				; CODE XREF: WheapLoadPolicy+1E4j
		or	_WheaRegistryKeysPresent, 200h
		jmp	loc_AD8A20
; 

loc_AE9B91:				; CODE XREF: WheapLoadPolicy+1F0j
		or	_WheaRegistryKeysPresent, 400h
		jmp	loc_AD8A2C
; 

loc_AE9BA0:				; CODE XREF: WheapLoadPolicy+1FCj
		or	_WheaRegistryKeysPresent, 800h
		jmp	loc_AD8A38
; 

loc_AE9BAF:				; CODE XREF: WheapLoadPolicy+208j
		or	_WheaRegistryKeysPresent, 1000h
		jmp	loc_AD8A44
; 

loc_AE9BBE:				; CODE XREF: WheapLoadPolicy+214j
		or	_WheaRegistryKeysPresent, 2000h
		jmp	loc_AD8A50
; 

loc_AE9BCD:				; CODE XREF: WheapLoadPolicy+221j
		or	_WheaRegistryKeysPresent, 4000h
		leave
		retn
; END OF FUNCTION CHUNK	FOR WheapLoadPolicy
; 
; START	OF FUNCTION CHUNK FOR PopUmpoInitializeChannel

loc_AE9BD9:				; CODE XREF: PopUmpoInitializeChannel+85j
		mov	esi, 0C000009Ah
		jmp	loc_AD900F
; 

loc_AE9BE3:				; CODE XREF: PopUmpoInitializeChannel+17Cj
		mov	esi, 0C000009Ah
		jmp	loc_AD9020
; END OF FUNCTION CHUNK	FOR PopUmpoInitializeChannel
; 
; START	OF FUNCTION CHUNK FOR IoReportHalResourceUsage

loc_AE9BED:				; CODE XREF: IoReportHalResourceUsage+9Ej
		mov	eax, edi
		jmp	loc_AD90D4
; 

loc_AE9BF4:				; CODE XREF: IoReportHalResourceUsage+120j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AD9150
; 

loc_AE9C01:				; CODE XREF: IoReportHalResourceUsage+133j
		test	edi, edi
		jz	loc_AD918E
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_AD918E
; END OF FUNCTION CHUNK	FOR IoReportHalResourceUsage
; 
; START	OF FUNCTION CHUNK FOR SepInitializeDebugOptions

loc_AE9C15:				; CODE XREF: SepInitializeDebugOptions+23j
		cmp	_KdDebuggerNotPresent, al
		jnz	loc_AD9249
		mov	eax, _SeCiDebugOptions
		test	al, 1
		jnz	loc_AD9249
		or	eax, 2
		mov	_SeCiDebugOptions, eax
		jmp	loc_AD9249
; 

loc_AE9C3B:				; CODE XREF: SepInitializeDebugOptions+30j
		push	0
		push	18h
		lea	eax, [ebp+var_1C]
		push	eax
		push	8Fh
		call	_ZwQuerySystemInformation@16 ; ZwQuerySystemInformation(x,x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_AE9C59
		test	byte ptr [ebp+var_8], 10h
		jnz	short loc_AE9C65

loc_AE9C59:				; CODE XREF: SepInitializeDebugOptions+10A31j
		cmp	ecx, 80430006h
		jnz	loc_AD9256

loc_AE9C65:				; CODE XREF: SepInitializeDebugOptions+10A37j
		mov	eax, _SeCiDebugOptions
		test	al, 1
		jnz	loc_AD9256
		test	ecx, ecx
		js	short loc_AE9C83
		test	[ebp+var_8], 8000h
		jnz	loc_AD9256

loc_AE9C83:				; CODE XREF: SepInitializeDebugOptions+10A54j
		or	eax, 4
		mov	_SeCiDebugOptions, eax
		jmp	loc_AD9256
; END OF FUNCTION CHUNK	FOR SepInitializeDebugOptions
; 
; START	OF FUNCTION CHUNK FOR SeSecureBootRegisterPolicy

loc_AE9C90:				; CODE XREF: SeSecureBootRegisterPolicy+3Fj
		cmp	edx, 40h
		jb	loc_AD92F4
		jmp	loc_AD92A9
; 

loc_AE9C9E:				; CODE XREF: SeSecureBootRegisterPolicy+73j
		push	62536553h
		push	dword ptr [ebx+0Ch]
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AE9CDE
		push	dword ptr [ebx+0Ch] ; size_t
		push	esi		; void *
		push	edi		; void *
		call	_memcpy
		xor	eax, eax
		mov	dword_6FDDF4, edi
		add	esp, 0Ch
		cmp	[esi+24h], ax
		jnz	short loc_AE9CE8
		cmp	[esi+26h], ax
		jnz	short loc_AE9CE8
		mov	esi, eax
		jmp	loc_AD92DF
; 

loc_AE9CDE:				; CODE XREF: SeSecureBootRegisterPolicy+10A50j
					; SeSecureBootRegisterPolicy+10AEDj
		mov	esi, 0C000009Ah
		jmp	loc_AE9DDA
; 

loc_AE9CE8:				; CODE XREF: SeSecureBootRegisterPolicy+10A6Bj
					; SeSecureBootRegisterPolicy+10A71j
		mov	eax, [edi+34h]
		add	eax, 3Ch
		add	eax, edi
		mov	dword_6FE12C, eax
		call	_SepSecureBootBuildRules@0 ; SepSecureBootBuildRules()
		mov	esi, eax
		test	esi, esi
		js	loc_AE9DDA
		cmp	dword ptr [ebx], 2
		jb	loc_AE9DD2
		mov	ecx, [ebx+14h]
		test	ecx, ecx
		jz	loc_AE9DD2
		mov	edi, [ebp+var_C]
		cmp	ecx, edi
		jnb	loc_AE9E03
		mov	edx, [ebx+10h]
		cmp	edx, edi
		jnb	loc_AE9E03
		mov	eax, edi
		sub	eax, ecx
		cmp	edx, eax
		ja	loc_AE9E03
		push	62536553h
		push	ecx
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		mov	[ebp+var_14], esi
		test	esi, esi
		jz	short loc_AE9CDE
		push	dword ptr [ebx+14h] ; size_t
		mov	eax, [ebx+10h]
		add	eax, ebx
		push	eax		; void *
		push	esi		; void *
		call	_memcpy
		mov	edi, [ebx+14h]
		add	esp, 0Ch
		cmp	edi, 18h
		jb	loc_AE9E03
		lea	eax, [esi+18h]
		mov	ecx, 114h
		mov	[ebp+var_10], eax
		sub	edi, 18h
		mov	[esi+8], eax
		mov	eax, [esi]
		mul	ecx
		lea	ecx, [ebp+var_4]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		test	eax, eax
		js	short loc_AE9E03
		cmp	edi, [ebp+var_4]
		jb	short loc_AE9E03
		mov	eax, [esi+4]
		push	20h
		pop	ecx
		mul	ecx
		lea	ecx, [ebp+var_8]
		push	edx
		push	eax
		call	_RtlULongLongToUInt@12 ; RtlULongLongToUInt(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AE9E03
		mov	eax, [ebp+var_4]
		sub	edi, eax
		cmp	edi, [ebp+var_8]
		jb	short loc_AE9E03
		mov	ecx, [ebp+var_14]
		add	eax, [ebp+var_10]
		mov	_g_SecureBootActivePlatformManifest, ecx
		mov	[ecx+10h], eax
		mov	eax, [ebx+14h]
		mov	_g_SecureBootActivePlatformManifestSize, eax

loc_AE9DD2:				; CODE XREF: SeSecureBootRegisterPolicy+95j
					; SeSecureBootRegisterPolicy+10AA3j ...
		test	esi, esi
		jns	loc_AD92DF

loc_AE9DDA:				; CODE XREF: SeSecureBootRegisterPolicy+10A7Fj
					; SeSecureBootRegisterPolicy+10A9Aj ...
		mov	eax, dword_6FDDF4
		test	eax, eax
		jz	short loc_AE9DF2
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	dword_6FDDF4, 0

loc_AE9DF2:				; CODE XREF: SeSecureBootRegisterPolicy+10B7Dj
		push	0
		push	[ebp+var_C]
		push	ebx
		push	esi
		push	145h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AE9E03:				; CODE XREF: SeSecureBootRegisterPolicy+10AB9j
					; SeSecureBootRegisterPolicy+10AC4j ...
		mov	esi, 0C0430003h
		jmp	short loc_AE9DDA
; END OF FUNCTION CHUNK	FOR SeSecureBootRegisterPolicy
; 
; START	OF FUNCTION CHUNK FOR SepSecureBootSetRegistryKey

loc_AE9E0A:				; CODE XREF: SepSecureBootSetRegistryKey+31j
					; SepSecureBootSetRegistryKey+39j
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_2C], 18h
		push	eax
		push	20006h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_28], edi
		push	eax
		mov	[ebp+var_20], 240h
		mov	[ebp+var_24], (offset loc_404E2B+1)
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD933F
		mov	eax, [ebp+var_8]
		push	edi
		push	1
		push	edi
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_2C]
		push	edi
		push	eax
		push	20006h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_2C], 18h
		push	eax
		mov	[ebp+var_20], 240h
		mov	[ebp+var_24], (offset loc_404E33+1)
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD933F
		mov	eax, dword_6D710C
		test	al, 8
		jz	short loc_AE9EC8
		and	eax, 1
		push	4
		mov	[ebp+var_C], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	4
		push	edi
		push	(offset	loc_404E1B+1)
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD933F
		cmp	[ebp+var_C], edi
		jz	short loc_AE9EC8
		mov	eax, 0FFDF02F0h
		lock bts dword ptr [eax], 7

loc_AE9EC8:				; CODE XREF: SepSecureBootSetRegistryKey+10B93j
					; SepSecureBootSetRegistryKey+10BBEj
		test	ebx, ebx
		jz	loc_AD933F
		lea	eax, [ebp+var_14]
		push	eax
		lea	eax, [ebx+4]
		push	eax
		call	_RtlStringFromGUID@8 ; RtlStringFromGUID(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD933F
		movzx	eax, word ptr [ebp+var_14]
		add	eax, 2
		push	eax
		push	[ebp+var_10]
		push	1
		push	edi
		push	(offset	loc_404E23+1)
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AD933F
		push	4
		lea	eax, [ebx+14h]
		push	eax
		push	4
		push	edi
		push	(offset	loc_404E0B+1)
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		jmp	loc_AD933F
; 

loc_AE9F29:				; CODE XREF: SepSecureBootSetRegistryKey+4Dj
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_AD9351
; 

loc_AE9F36:				; CODE XREF: SepSecureBootSetRegistryKey+56j
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_AD935A
; END OF FUNCTION CHUNK	FOR SepSecureBootSetRegistryKey
; 
; START	OF FUNCTION CHUNK FOR PopUmpoInitializeMonitorChannel

loc_AE9F43:				; CODE XREF: PopUmpoInitializeMonitorChannel+94j
					; PopUmpoInitializeMonitorChannel+105j	...
		mov	eax, _PopAlpcMonitorServerPort
		test	eax, eax
		jz	short loc_AE9F52
		push	eax
		call	_ZwClose@4	; ZwClose(x)

loc_AE9F52:				; CODE XREF: PopUmpoInitializeMonitorChannel+10BB0j
		test	ebx, ebx
		jz	short loc_AE9F5C
		push	ebx
		call	ExUnregisterCallback

loc_AE9F5C:				; CODE XREF: PopUmpoInitializeMonitorChannel+10BBAj
		test	esi, esi
		jz	loc_AD94B4
		mov	ecx, esi
		call	ObfDereferenceObject
		jmp	loc_AD94B4
; END OF FUNCTION CHUNK	FOR PopUmpoInitializeMonitorChannel
; 
; START	OF FUNCTION CHUNK FOR IopStoreArcInformation

loc_AE9F70:				; CODE XREF: IopStoreArcInformation+7Aj
		push	edi
		push	ebx
		jmp	short loc_AE9F87
; 

loc_AE9F74:				; CODE XREF: IopStoreArcInformation+105EFj
		mov	ds:_IoArcTableListHead,	eax
		push	edi
		mov	[eax+4], ecx
		push	dword ptr [esi+0Ch]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	edi
		push	esi

loc_AE9F87:				; CODE XREF: IopStoreArcInformation+105B2j
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AE9F8C:				; CODE XREF: IopStoreArcInformation+4Ej
		mov	esi, ds:_IoArcTableListHead
		mov	ecx, offset _IoArcTableListHead
		cmp	esi, ecx
		jz	short loc_AE9FB1
		cmp	[esi+4], ecx
		jnz	loc_AD9AFF
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	loc_AD9AFF
		jmp	short loc_AE9F74
; 

loc_AE9FB1:				; CODE XREF: IopStoreArcInformation+105D9j
		mov	edi, 0C000009Ah
		jmp	loc_AD9AF8
; 

loc_AE9FBB:				; CODE XREF: IopStoreArcInformation+12Ej
		cmp	byte ptr [eax+30h], 0
		jnz	loc_AD9AF4
		mov	edx, [eax+10h]
		mov	esi, offset _IoArcTableListHead
		mov	ecx, [eax]

loc_AE9FCF:				; CODE XREF: IopStoreArcInformation+1062Ej
		cmp	ecx, esi
		jz	short loc_AE9FF0
		cmp	byte ptr [ecx+14h], 0
		jnz	short loc_AE9FEC
		cmp	byte ptr [ecx+30h], 0
		jnz	short loc_AE9FEC
		cmp	edx, [ecx+10h]
		jnz	short loc_AE9FEC
		mov	byte ptr [eax+30h], 1
		mov	byte ptr [ecx+30h], 1

loc_AE9FEC:				; CODE XREF: IopStoreArcInformation+10617j
					; IopStoreArcInformation+1061Dj ...
		mov	ecx, [ecx]
		jmp	short loc_AE9FCF
; 

loc_AE9FF0:				; CODE XREF: IopStoreArcInformation+10611j
		mov	edx, offset _IoArcTableListHead
		jmp	loc_AD9AF4
; END OF FUNCTION CHUNK	FOR IopStoreArcInformation
; 
; START	OF FUNCTION CHUNK FOR EtwpReadConfigParameters

loc_AE9FFA:				; CODE XREF: EtwpReadConfigParameters+165j
		cmp	word ptr [ebp+var_A4], bx
		jb	loc_AD9DC9
		movzx	eax, word ptr [ebp+var_A4+2]
		push	50777445h
		add	eax, 2
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_AD9DC9
		movzx	ecx, word ptr [ebp+var_A4+2]
		push	ecx		; size_t
		push	[ebp+var_A0]	; void *
		push	esi		; void *
		call	_memcpy
		movzx	eax, word ptr [ebp+var_A4]
		add	esp, 0Ch
		shr	eax, 1
		push	5Ch
		pop	ecx
		cmp	[esi+eax*2-2], cx
		jz	loc_AD9DC9
		mov	[esi+eax*2], cx
		movzx	eax, word ptr [ebp+var_A4]
		shr	eax, 1
		xor	ecx, ecx
		mov	[esi+eax*2+2], cx
		jmp	loc_AD9DC9
; 

loc_AEA06F:				; CODE XREF: EtwpReadConfigParameters+1C8j
					; EtwpReadConfigParameters+1CFj
		mov	[ebp+var_9C], eax
		jmp	loc_AD9DD8
; END OF FUNCTION CHUNK	FOR EtwpReadConfigParameters
; 
; START	OF FUNCTION CHUNK FOR KeFindConfigurationNextEntry

loc_AEA07A:				; CODE XREF: KeFindConfigurationNextEntry+Dj
		mov	edx, [ebx]
		jmp	loc_AD9E9D
; 

loc_AEA081:				; CODE XREF: KeFindConfigurationNextEntry+72j
		cmp	edi, ecx
		jnz	short loc_AEA088
		and	dword ptr [eax], 0

loc_AEA088:				; CODE XREF: KeFindConfigurationNextEntry+7Ej
					; KeFindConfigurationNextEntry+8Aj ...
		mov	ecx, [edi+4]
		test	ecx, ecx
		jz	short loc_AEA0A5
		push	eax
		push	ebx
		push	[ebp+arg_8]
		push	[ebp+arg_4]
		push	ecx
		call	KeFindConfigurationNextEntry
		test	eax, eax
		jnz	loc_AD9EEA

loc_AEA0A5:				; CODE XREF: KeFindConfigurationNextEntry+10205j
		mov	edi, [edi+8]
		mov	eax, [ebp+arg_10]
		mov	edx, [ebp+arg_C]
		jmp	loc_AD9EBB
; END OF FUNCTION CHUNK	FOR KeFindConfigurationNextEntry
; 
; START	OF FUNCTION CHUNK FOR WheapCreatePerProcessorInfo

loc_AEA0B3:				; CODE XREF: WheapCreatePerProcessorInfo+46j
		inc	_WheapStatus
		or	dword_6BB454, 10h
		push	esi
		push	esi
		push	ebx
		push	2
		push	122h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AEA0D0:				; CODE XREF: KitInitialize+1Dj
		mov	_KitEtwHandle, esi
		mov	dword_6FD64C, esi
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR WheapCreatePerProcessorInfo

;  S U B	R O U T	I N E 


sub_AEA0DE	proc near		; CODE XREF: IopInitCrashDumpDuringSysInit+75j
		push	ebx
		push	ebx
		xor	ecx, ecx
		call	IoInitializeCrashDump
		movzx	ebx, al
		neg	ebx
		sbb	ebx, ebx
		and	ebx, 3FFFFFFFh
		add	ebx, 0C0000001h
		jmp	loc_ADA0BF
sub_AEA0DE	endp

; 
; START	OF FUNCTION CHUNK FOR ExpWorkerFactoryInitialization

loc_AEA0FF:				; CODE XREF: ExpWorkerFactoryInitialization+1Fj
		mov	eax, esi
		jmp	short loc_AEA105
; 

loc_AEA103:				; CODE XREF: ExpWorkerFactoryInitialization+27j
		mov	eax, edx

loc_AEA105:				; CODE XREF: ExpWorkerFactoryInitialization+FF55j
		mov	_ExpWorkerFactoryThreadCreationTimeoutInSeconds, eax
		jmp	loc_ADA1D9
; 

loc_AEA10F:				; CODE XREF: ExpWorkerFactoryInitialization+35j
		mov	_ExpWorkerFactoryThreadIdleTimeoutInSeconds, esi
		jmp	loc_ADA1EF
; 

loc_AEA11A:				; CODE XREF: ExpWorkerFactoryInitialization+3Dj
		mov	_ExpWorkerFactoryThreadIdleTimeoutInSeconds, edx
		jmp	loc_ADA1EF
; END OF FUNCTION CHUNK	FOR ExpWorkerFactoryInitialization
; 
; START	OF FUNCTION CHUNK FOR KiInitializeNxSupportDiscard

loc_AEA125:				; CODE XREF: KiInitializeNxSupportDiscard+54j
		mov	eax, ds:_KeLoaderBlock
		push	(offset	loc_ADEA29+1) ;	char *
		push	dword ptr [eax+78h] ; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_AEA175
		mov	eax, ds:_KeLoaderBlock
		push	(offset	loc_ADEA1F+1) ;	char *
		push	dword ptr [eax+78h] ; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_ADA346
		mov	eax, ds:_KeLoaderBlock
		push	offset ??_C@_07LBDEDADF@EXECUTE@PBOPGDP@ ; char	*
		push	dword ptr [eax+78h] ; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_ADA346

loc_AEA175:				; CODE XREF: KiInitializeNxSupportDiscard+FE4Fj
		and	byte ptr ds:0FFDF02D5h,	0FCh
		jmp	loc_ADA354
; END OF FUNCTION CHUNK	FOR KiInitializeNxSupportDiscard
; 
; START	OF FUNCTION CHUNK FOR PopCreateTimebrokerServiceSid

loc_AEA181:				; CODE XREF: PopCreateTimebrokerServiceSid+82j
		push	67696450h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ADA46A
; END OF FUNCTION CHUNK	FOR PopCreateTimebrokerServiceSid
; 
; START	OF FUNCTION CHUNK FOR PopInitializeHighPerfPowerRequest

loc_AEA191:				; CODE XREF: PopInitializeHighPerfPowerRequest+9Dj
		mov	ecx, [ebp+var_4]
		call	_PoDestroyReasonContext@4 ; PoDestroyReasonContext(x)
		jmp	loc_ADA51B
; END OF FUNCTION CHUNK	FOR PopInitializeHighPerfPowerRequest
; 
; START	OF FUNCTION CHUNK FOR MiInitializeBootDefaults

loc_AEA19E:				; CODE XREF: MiInitializeBootDefaults+47j
		or	ds:_MmLargePageDriverBufferLength, 0FFFFFFFFh
		xor	ebx, ebx
		inc	ebx
		mov	ds:_MmSpecialPoolTag, esi
		mov	ds:_MmProtectFreedNonPagedPool,	esi
		mov	byte_6D35B1, bl
		mov	ds:dword_7051B4, esi
		mov	ds:0FFDF02ECh, bl
		jmp	loc_ADA5B8
; 

loc_AEA1CB:				; CODE XREF: MiInitializeBootDefaults+58j
		mov	eax, ebx
		shl	eax, cl
		jmp	loc_ADA584
; 

loc_AEA1D4:				; CODE XREF: MiInitializeBootDefaults+65j
		dec	eax
		or	ds:_MiFlags, 80h
		mov	ds:_MmPageValidationFrequency, eax
		jmp	loc_ADA591
; 

loc_AEA1E9:				; CODE XREF: MiInitializeBootDefaults+73j
		mov	eax, ds:_MiFlags
		or	eax, ebx
		mov	ds:_MiFlags, eax
		cmp	_KernelVerifier, ebx
		jnz	loc_ADA59F
		or	eax, 2
		mov	ds:_MiFlags, eax
		jmp	loc_ADA59F
; 

loc_AEA20E:				; CODE XREF: MiInitializeBootDefaults+7Fj
		mov	ds:_MmProtectFreedNonPagedPool,	ebx
		jmp	loc_ADA5AB
; 

loc_AEA219:				; CODE XREF: MiInitializeBootDefaults+8Cj
		test	ecx, 400000h
		jnz	loc_ADA5B8
		or	ds:_MmLargePageDriverBufferLength, 0FFFFFFFFh
		mov	ds:_MmProtectFreedNonPagedPool,	ebx
		jmp	loc_ADA5B8
; 

loc_AEA237:				; CODE XREF: MiInitializeBootDefaults+13Cj
		push	offset ??_C@_06OJCAKAJO@USERVA@PBOPGDP@	; char *
		push	dword ptr [edi+78h] ; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AEA263
		push	offset ??_C@_01NEMOKFLO@?$DN@PBOPGDP@ ;	char *
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AEA263
		inc	eax
		push	eax		; char *
		call	_atol
		pop	ecx

loc_AEA263:				; CODE XREF: MiInitializeBootDefaults+FD22j
					; MiInitializeBootDefaults+FD33j
		mov	eax, 40000000h
		add	ds:_MmSystemRangeStart,	eax
		add	ds:_MmUserProbeAddress,	eax
		add	ds:_MmHighestUserAddress, eax
		add	ds:_MiMaximumWorkingSet, 40000h
		jmp	loc_ADA668
; END OF FUNCTION CHUNK	FOR MiInitializeBootDefaults
; 
; START	OF FUNCTION CHUNK FOR InitSkuSessionParameters

loc_AEA289:				; CODE XREF: InitSkuSessionParameters+2Ej
		or	dword ptr ds:0FFDF02F0h, 200h
		jmp	loc_ADA6F2
; 

loc_AEA298:				; CODE XREF: InitSkuSessionParameters+3Bj
		or	dword ptr ds:0FFDF02F0h, 400h
		leave
		retn
; END OF FUNCTION CHUNK	FOR InitSkuSessionParameters
; 
; START	OF FUNCTION CHUNK FOR KseShimDatabaseBootInitialize

loc_AEA2A4:				; CODE XREF: KseShimDatabaseBootInitialize+18j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		mov	word_6C7022[eax*8], cx
		mov	ecx, 0E3h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_AEA2ED
		push	ebx
		push	ecx
		push	offset ??_C@_0BO@PKNCBPOC@minkernel?2ntos?2kshim?2ksesdb?4c@PBOPGDP@
		push	offset ??_C@_0BO@MIHHOGEB@KsepShimDbDuringBoot?5?$DN?$DN?5FALSE@PBOPGDP@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)

loc_AEA2ED:				; CODE XREF: KseShimDatabaseBootInitialize+FA44j
		push	9
		pop	ecx
		jmp	loc_ADA8B4
; 

loc_AEA2F5:				; CODE XREF: KseShimDatabaseBootInitialize+24j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		mov	word_6C7022[eax*8], cx
		mov	ecx, 0E4h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	loc_ADA8C0
		push	ebx
		push	ecx
		push	offset ??_C@_0BO@PKNCBPOC@minkernel?2ntos?2kshim?2ksesdb?4c@PBOPGDP@
		push	offset ??_C@_0BJ@LBPKNCIA@KsepShimDbHandle?5?$DN?$DN?5NULL@PBOPGDP@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)
		jmp	loc_ADA8C0
; 

loc_AEA347:				; CODE XREF: KseShimDatabaseBootInitialize+71j
		mov	edx, [ebp+arg_4]
		test	edx, edx
		jz	loc_ADA90D
		mov	edi, offset unk_6C7488
		push	edi
		call	KsepSdbBootInitialize
		test	eax, eax
		js	short loc_AEA37E
		mov	eax, dword_6C7480
		cmp	eax, dword_6C74A8
		jb	loc_ADA90D
		mov	ecx, edi
		call	_KsepSdbBootRelease@4 ;	KsepSdbBootRelease(x)
		jmp	loc_ADA90D
; 

loc_AEA37E:				; CODE XREF: KseShimDatabaseBootInitialize+FAC9j
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	2
		push	9
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 11Eh
		mov	dword_6C7024[eax*8], esi
		mov	esi, offset ??_C@_0DC@LAGJLJEN@KSE?3?5KsepSdbBootInitialize?5fail@PBOPGDP@
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_AEA3C4
		push	esi		; char *
		push	1		; int
		call	_KsepDebugPrint
		pop	ecx
		pop	ecx

loc_AEA3C4:				; CODE XREF: KseShimDatabaseBootInitialize+FB22j
		push	esi		; char *
		push	1		; int
		call	_KsepLogError
		pop	ecx
		pop	ecx
		jmp	loc_ADA90D
; END OF FUNCTION CHUNK	FOR KseShimDatabaseBootInitialize
; 
; START	OF FUNCTION CHUNK FOR MiInitializeSystemDefaults

loc_AEA3D3:				; CODE XREF: MiInitializeSystemDefaults+1Dj
		xor	eax, eax
		inc	eax
		jmp	loc_ADA95F
; 

loc_AEA3DB:				; CODE XREF: MiInitializeSystemDefaults+75j
		sub	eax, 1
		jnz	loc_ADA9B4

loc_AEA3E4:				; CODE XREF: MiInitializeSystemDefaults+63j
		mov	word_6D07B8, 1
		jmp	loc_ADA9B4
; 

loc_AEA3F2:				; CODE XREF: MiInitializeSystemDefaults+6Cj
		mov	word_6D07B8, bx
		jmp	loc_ADA9B4
; 

loc_AEA3FE:				; CODE XREF: MiInitializeSystemDefaults+CCj
		or	esi, 800h
		jmp	short loc_AEA40C
; 

loc_AEA406:				; CODE XREF: MiInitializeSystemDefaults+C3j
		or	esi, 4000000h

loc_AEA40C:				; CODE XREF: MiInitializeSystemDefaults+FAD4j
		mov	ds:_MiFlags, esi
		jmp	loc_ADAA02
; 

loc_AEA417:				; CODE XREF: MiInitializeSystemDefaults+E3j
		or	ds:_MiFlags, 800h
		jmp	loc_ADAA19
; 

loc_AEA426:				; CODE XREF: MiInitializeSystemDefaults+F8j
		or	ds:_MiFlags, 100h
		jmp	loc_ADAA42
; END OF FUNCTION CHUNK	FOR MiInitializeSystemDefaults
; 
; START	OF FUNCTION CHUNK FOR EtwpInitializeSecurity

loc_AEA435:				; CODE XREF: EtwpInitializeSecurity+B2j
		lea	eax, [ebp+var_208]
		push	eax
		lea	eax, [ebp+var_210]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_210]
		mov	[ebp+var_228], ebx
		mov	[ebp+var_220], eax
		lea	eax, [ebp+var_228]
		push	eax
		push	20019h
		push	offset _EtwpMutableSecurityKeyHandle
		mov	[ebp+var_224], edi
		mov	[ebp+var_21C], 240h
		mov	[ebp+var_218], edi
		mov	[ebp+var_214], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_ADAB0E
		jmp	loc_ADAAFE
; 

loc_AEA49B:				; CODE XREF: EtwpInitializeSecurity+EFj
		mov	eax, ds:_WmipDefaultAccessSd
		mov	_EtwpDefaultTraceSecurityDescriptor, eax
		jmp	loc_ADAB3B
; END OF FUNCTION CHUNK	FOR EtwpInitializeSecurity
; 
; START	OF FUNCTION CHUNK FOR ExpInitializeSvm

loc_AEA4AA:				; CODE XREF: ExpInitializeSvm+2Cj
		mov	eax, large fs:20h
		mov	ecx, 200h
		push	ebx
		imul	edx, esi, 34h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	76537845h
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, [ebp+var_4]
		cmp	esi, 1
		mov	_ExpSvmWorkQueues, eax
		jmp	loc_ADAB86
; END OF FUNCTION CHUNK	FOR ExpInitializeSvm
; 
; START	OF FUNCTION CHUNK FOR PspInitializeJobStructures

loc_AEA4E6:				; CODE XREF: PspInitializeJobStructures+64j
		mov	ds:_PspJobNoWakeChargeLimit, 32h
		jmp	loc_ADAF2C
; 

loc_AEA4F5:				; CODE XREF: PspInitializeJobStructures+70j
		mov	ds:_PspSystemNoWakeChargeLimit,	0C8h
		jmp	loc_ADAF38
; END OF FUNCTION CHUNK	FOR PspInitializeJobStructures
; 
; START	OF FUNCTION CHUNK FOR CmpInitGlobalQuotaAllowed

loc_AEA504:				; CODE XREF: CmpInitGlobalQuotaAllowed+22j
		cmp	ds:_CmRegistrySizeLimitType, 4
		jnz	loc_ADB03E
		mov	ecx, ds:_CmRegistrySizeLimit
		test	ecx, ecx
		jz	loc_ADB03E
		mov	ds:_CmpQuotaExplicitlySet, 1
		cmp	ecx, eax
		jnb	loc_ADB047
		mov	eax, ecx
		jmp	loc_ADB047
; 

loc_AEA535:				; CODE XREF: CmpInitGlobalQuotaAllowed+6Fj
		push	0
		call	_MmGetNumberOfPhysicalPages@4 ;	MmGetNumberOfPhysicalPages(x)
		shr	eax, 1
		jmp	loc_ADB090
; END OF FUNCTION CHUNK	FOR CmpInitGlobalQuotaAllowed
; 
; START	OF FUNCTION CHUNK FOR SaveNodeDistanceInformation

loc_AEA543:				; CODE XREF: SaveNodeDistanceInformation+4Bj
					; SaveNodeDistanceInformation+74j
		call	_KeQueryNumaCosts@0 ; KeQueryNumaCosts()
		mov	[ebp+var_2C], eax
		test	eax, eax
		jz	loc_AEAB32
		lea	eax, [esi-1]
		mov	[ebp+var_1C], eax
		test	eax, eax
		jz	loc_AEA610
		mov	ebx, [ebp+var_2C]
		xor	ecx, ecx
		xor	edx, edx
		mov	[ebp+var_28], ecx
		inc	edx

loc_AEA56C:				; CODE XREF: SaveNodeDistanceInformation+F457j
		cmp	edx, esi
		jnb	loc_AEA5FB
		mov	eax, esi
		shl	eax, 3
		mov	[ebp+var_20], eax
		lea	eax, [edx+ecx]
		lea	edi, [ebx+eax*8]
		sub	ebx, 8
		lea	eax, [ecx+edx]
		mov	ecx, esi
		add	eax, esi
		sub	ecx, edx
		mov	[ebp+var_3C], ecx
		lea	eax, [ebx+eax*8]
		mov	ebx, [ebp+var_20]
		mov	[ebp+var_24], eax
		mov	esi, eax

loc_AEA59C:				; CODE XREF: SaveNodeDistanceInformation+F43Dj
		mov	eax, [edi]
		mov	[ebp+var_20], eax
		mov	eax, [edi+4]
		mov	[ebp+var_24], eax
		mov	eax, [ebp+var_20]
		and	eax, [ebp+var_24]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AEA5E2
		mov	eax, [ebp+var_24]
		shrd	[ebp+var_20], eax, 1
		mov	ecx, [esi+4]
		shr	eax, 1
		mov	[ebp+var_24], eax
		mov	eax, [esi]
		shrd	eax, ecx, 1
		shr	ecx, 1
		add	[ebp+var_20], eax
		mov	eax, [ebp+var_24]
		adc	eax, ecx
		mov	ecx, [ebp+var_20]
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[esi], ecx
		mov	ecx, [ebp+var_3C]
		mov	[esi+4], eax

loc_AEA5E2:				; CODE XREF: SaveNodeDistanceInformation+F400j
		add	edi, 8
		add	esi, ebx
		sub	ecx, 1
		mov	[ebp+var_3C], ecx
		jnz	short loc_AEA59C
		mov	esi, [ebp+var_34]
		mov	ecx, [ebp+var_28]
		mov	eax, [ebp+var_1C]
		mov	ebx, [ebp+var_2C]

loc_AEA5FB:				; CODE XREF: SaveNodeDistanceInformation+F3BEj
		add	ecx, esi
		inc	edx
		sub	eax, 1
		mov	[ebp+var_28], ecx
		mov	[ebp+var_1C], eax
		jnz	loc_AEA56C
		mov	ebx, [ebp+var_40]

loc_AEA610:				; CODE XREF: SaveNodeDistanceInformation+F3ABj
		lea	eax, ds:4[ebx*2]
		imul	eax, ebx
		push	2020654Bh
		add	eax, 4
		push	eax
		push	1
		mov	[ebp+var_4C], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	[ebp+var_3C], eax
		test	eax, eax
		jz	loc_AEAB19
		lea	edx, [ebx+1]
		mov	[eax], ebx
		lea	edx, [eax+edx*4]
		xor	ecx, ecx
		mov	[ebp+var_24], edx
		test	esi, esi
		jz	short loc_AEA676
		lea	edi, [eax+4]

loc_AEA64C:				; CODE XREF: SaveNodeDistanceInformation+F4C1j
		mov	edx, ds:_KeNodeBlock[ecx*4]
		mov	ax, [edx+8Ah]
		cmp	ax, [edx+8Ch]
		jnz	short loc_AEA66E
		mov	eax, [edx+98h]
		mov	[edi], eax
		add	edi, 4

loc_AEA66E:				; CODE XREF: SaveNodeDistanceInformation+F4B1j
		inc	ecx
		cmp	ecx, esi
		jb	short loc_AEA64C
		mov	edx, [ebp+var_24]

loc_AEA676:				; CODE XREF: SaveNodeDistanceInformation+F497j
		mov	ecx, ebx
		imul	ecx, ebx
		test	ecx, ecx
		jz	short loc_AEA68D
		or	eax, 0FFFFFFFFh
		mov	edi, edx
		shr	ecx, 1
		rep stosd
		adc	ecx, ecx
		rep stosw

loc_AEA68D:				; CODE XREF: SaveNodeDistanceInformation+F4CDj
		mov	eax, esi
		xor	edi, edi
		imul	eax, esi
		inc	edi
		xor	ecx, ecx
		xor	edx, edx
		mov	[ebp+var_20], eax
		test	eax, eax
		jz	loc_AEA740
		mov	ebx, [ebp+var_2C]

loc_AEA6A7:				; CODE XREF: SaveNodeDistanceInformation+F529j
		mov	eax, [ebx+edx*8+4]
		cmp	ecx, eax
		mov	esi, [ebx+edx*8]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_20]
		mov	[ebp+var_1C], esi
		ja	short loc_AEA6D6
		jb	short loc_AEA6C1
		cmp	edi, esi
		jnb	short loc_AEA6D6

loc_AEA6C1:				; CODE XREF: SaveNodeDistanceInformation+F50Bj
		mov	eax, [ebp+var_1C]
		mov	esi, [ebp+var_28]
		and	eax, esi
		cmp	eax, 0FFFFFFFFh
		mov	eax, [ebp+var_20]
		jz	short loc_AEA6D6
		mov	edi, [ebp+var_1C]
		mov	ecx, esi

loc_AEA6D6:				; CODE XREF: SaveNodeDistanceInformation+F509j
					; SaveNodeDistanceInformation+F50Fj ...
		inc	edx
		cmp	edx, eax
		jb	short loc_AEA6A7
		mov	esi, [ebp+var_34]
		mov	ebx, [ebp+var_40]
		cmp	ecx, 10000h
		jb	short loc_AEA740
		ja	short loc_AEA6EF
		test	edi, edi
		jz	short loc_AEA740

loc_AEA6EF:				; CODE XREF: SaveNodeDistanceInformation+F539j
		mov	esi, [ebp+var_20]
		mov	ebx, [ebp+var_2C]
		shrd	edi, ecx, 10h
		shr	ecx, 10h
		xor	edx, edx
		mov	[ebp+var_44], edi

loc_AEA701:				; CODE XREF: SaveNodeDistanceInformation+F585j
		mov	eax, [ebx+edx*8]
		mov	[ebp+var_28], eax
		mov	eax, [ebx+edx*8+4]
		mov	[ebp+var_1C], eax
		mov	eax, [ebp+var_28]
		and	eax, [ebp+var_1C]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AEA732
		mov	edi, [ebp+var_2C]
		mov	eax, [ebp+var_1C]
		mov	ebx, [ebp+var_28]
		shrd	ebx, eax, 10h
		mov	[edi+edx*8], ebx
		mov	ebx, edi
		shr	eax, 10h
		mov	[ebx+edx*8+4], eax

loc_AEA732:				; CODE XREF: SaveNodeDistanceInformation+F567j
		inc	edx
		cmp	edx, esi
		jb	short loc_AEA701
		mov	esi, [ebp+var_34]
		mov	ebx, [ebp+var_40]
		mov	edi, [ebp+var_44]

loc_AEA740:				; CODE XREF: SaveNodeDistanceInformation+F4EEj
					; SaveNodeDistanceInformation+F537j ...
		push	ecx
		push	edi
		push	80000000h
		push	0
		call	__aulldiv
		and	[ebp+var_44], 0
		mov	edi, [ebp+var_20]
		mov	[ebp+var_28], edx
		mov	edx, [ebp+var_2C]
		mov	[ebp+var_1C], eax
		test	edi, edi
		jz	short loc_AEA7AE
		mov	esi, [ebp+var_44]
		mov	ebx, eax

loc_AEA767:				; CODE XREF: SaveNodeDistanceInformation+F5F6j
		mov	eax, [edx+esi*8+4]
		mov	ecx, [edx+esi*8]
		mov	[ebp+var_1C], eax
		mov	eax, ecx
		and	eax, [ebp+var_1C]
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AEA795
		push	[ebp+var_28]
		push	ebx
		push	[ebp+var_1C]
		push	ecx
		call	__allmul
		mov	[ebp+var_58], eax
		mov	eax, edx
		mov	edx, [ebp+var_2C]
		shr	eax, 10h
		jmp	short loc_AEA79A
; 

loc_AEA795:				; CODE XREF: SaveNodeDistanceInformation+F5C9j
		mov	eax, 0FFFFh

loc_AEA79A:				; CODE XREF: SaveNodeDistanceInformation+F5E3j
		xor	ecx, ecx
		mov	[edx+esi*8], eax
		mov	[edx+esi*8+4], ecx
		inc	esi
		cmp	esi, edi
		jb	short loc_AEA767
		mov	esi, [ebp+var_34]
		mov	ebx, [ebp+var_40]

loc_AEA7AE:				; CODE XREF: SaveNodeDistanceInformation+F5B0j
		xor	eax, eax
		mov	[ebp+var_28], eax
		push	2
		pop	edi
		test	esi, esi
		jz	loc_AEA8CC

loc_AEA7BE:				; CODE XREF: SaveNodeDistanceInformation+F713j
		mov	ecx, ds:_KeNodeBlock[eax*4]
		mov	[ebp+var_44], ecx
		mov	ax, [ecx+8Ah]
		cmp	ax, [ecx+8Ch]
		jnz	loc_AEA8BA
		and	[ebp+var_1C], 0
		xor	eax, eax
		test	ebx, ebx
		jz	short loc_AEA808
		mov	edi, [ecx+98h]
		mov	ecx, [ebp+var_3C]
		add	ecx, 4

loc_AEA7F2:				; CODE XREF: SaveNodeDistanceInformation+F64Cj
		cmp	[ecx], edi
		jz	short loc_AEA800
		inc	eax
		add	ecx, 4
		cmp	eax, ebx
		jb	short loc_AEA7F2
		jmp	short loc_AEA808
; 

loc_AEA800:				; CODE XREF: SaveNodeDistanceInformation+F644j
		mov	ecx, eax
		imul	ecx, ebx
		mov	[ebp+var_1C], ecx

loc_AEA808:				; CODE XREF: SaveNodeDistanceInformation+F634j
					; SaveNodeDistanceInformation+F64Ej
		xor	edi, edi

loc_AEA80A:				; CODE XREF: SaveNodeDistanceInformation+F704j
		mov	eax, ds:_KeNodeBlock[edi*4]
		mov	[ebp+var_48], eax
		movzx	ecx, word ptr [eax+8Ah]
		mov	[ebp+var_20], ecx
		cmp	cx, [eax+8Ch]
		jnz	loc_AEA8B1
		mov	eax, [ebp+var_44]
		movzx	ecx, word ptr [eax+8Ah]
		mov	eax, [ebp+var_20]
		imul	ecx, esi
		movzx	eax, ax
		add	ecx, eax
		mov	[ebp+var_54], ecx
		cmp	dword ptr [edx+ecx*8], 0FFFFh
		jnz	short loc_AEA853
		cmp	dword ptr [edx+ecx*8+4], 0
		jz	short loc_AEA8B1

loc_AEA853:				; CODE XREF: SaveNodeDistanceInformation+F69Aj
		xor	eax, eax
		test	ebx, ebx
		jz	short loc_AEA888
		mov	esi, [ebp+var_48]
		mov	edx, [esi+98h]
		mov	esi, [ebp+var_3C]
		add	esi, 4
		mov	[ebp+var_20], edx
		mov	ecx, edx
		mov	[ebp+var_48], esi
		mov	esi, [ebp+var_34]
		mov	edx, [ebp+var_48]

loc_AEA876:				; CODE XREF: SaveNodeDistanceInformation+F6D0j
		cmp	[edx], ecx
		jz	short loc_AEA882
		inc	eax
		add	edx, 4
		cmp	eax, ebx
		jb	short loc_AEA876

loc_AEA882:				; CODE XREF: SaveNodeDistanceInformation+F6C8j
		mov	ecx, [ebp+var_54]
		mov	edx, [ebp+var_2C]

loc_AEA888:				; CODE XREF: SaveNodeDistanceInformation+F6A7j
		add	eax, [ebp+var_1C]
		mov	ebx, [ebp+var_24]
		mov	[ebp+var_54], eax
		movzx	eax, word ptr [edx+ecx*8]
		mov	ecx, [ebp+var_54]
		mov	[ebx+ecx*2], ax
		mov	ebx, [ebp+var_40]
		test	ax, ax
		jnz	short loc_AEA8B1
		mov	eax, [ebp+var_24]
		push	2
		pop	esi
		mov	[eax+ecx*2], si
		mov	esi, [ebp+var_34]

loc_AEA8B1:				; CODE XREF: SaveNodeDistanceInformation+F675j
					; SaveNodeDistanceInformation+F6A1j ...
		inc	edi
		cmp	edi, esi
		jb	loc_AEA80A

loc_AEA8BA:				; CODE XREF: SaveNodeDistanceInformation+F626j
		mov	eax, [ebp+var_28]
		inc	eax
		mov	[ebp+var_28], eax
		cmp	eax, esi
		jb	loc_AEA7BE
		push	2
		pop	edi

loc_AEA8CC:				; CODE XREF: SaveNodeDistanceInformation+F608j
		test	ebx, ebx
		jz	short loc_AEA8E6
		mov	ecx, [ebp+var_24]
		lea	eax, ds:2[ebx*2]

loc_AEA8DA:				; CODE XREF: SaveNodeDistanceInformation+F734j
		xor	edx, edx
		mov	[ecx], dx
		add	ecx, eax
		sub	ebx, 1
		jnz	short loc_AEA8DA

loc_AEA8E6:				; CODE XREF: SaveNodeDistanceInformation+F71Ej
		push	offset ??_C@_1HA@CJCIHDEO@?$AA?2?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAm?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_24], 0Ah
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1CI@GFOKFGED@?$AAV?$AAa?$AAr?$AAi?$AAa?$AAt?$AAi?$AAo?$AAn?$AA?5?$AAT?$AAh?$AAr?$AAe?$AAs@PBOPGDP@
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		xor	ebx, ebx
		mov	[ebp+var_84], 18h
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_80], ebx
		mov	[ebp+var_7C], eax
		lea	eax, [ebp+var_84]
		push	ebx
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_38]
		mov	[ebp+var_78], 240h
		push	eax
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AEA988
		lea	eax, [ebp+var_64]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	edi
		lea	eax, [ebp+var_60]
		push	eax
		push	[ebp+var_38]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AEA98C
		cmp	[ebp+var_14], 4
		jnz	short loc_AEA98C
		cmp	[ebp+var_10], 4
		jnz	short loc_AEA98C
		mov	edi, [ebp+var_C]
		mov	[ebp+var_24], edi
		cmp	edi, 32h
		ja	short loc_AEA97F
		cmp	edi, 1
		jnb	short loc_AEA98C

loc_AEA97F:				; CODE XREF: SaveNodeDistanceInformation+F7C8j
		mov	[ebp+var_24], 0Ah
		jmp	short loc_AEA98C
; 

loc_AEA988:				; CODE XREF: SaveNodeDistanceInformation+F796j
		or	[ebp+var_38], 0FFFFFFFFh

loc_AEA98C:				; CODE XREF: SaveNodeDistanceInformation+F7B1j
					; SaveNodeDistanceInformation+F7B7j ...
		mov	dl, bl
		mov	[ebp+var_2D], dl
		test	esi, esi
		jz	loc_AEAB19
		mov	edi, [ebp+var_2C]
		mov	[ebp+var_34], edi

loc_AEA99F:				; CODE XREF: SaveNodeDistanceInformation+F881j
		mov	ecx, ds:_KeNodeBlock[ebx*4]
		mov	ax, [ecx+8Ah]
		cmp	ax, [ecx+8Ch]
		jnz	short loc_AEAA24
		mov	edx, [ebp+var_34]
		xor	edi, edi
		mov	[ebp+var_1C], edx

loc_AEA9BE:				; CODE XREF: SaveNodeDistanceInformation+F861j
		mov	ecx, ds:_KeNodeBlock[edi*4]
		mov	ax, [ecx+8Ah]
		cmp	ax, [ecx+8Ch]
		jnz	short loc_AEAA08
		cmp	ebx, edi
		jz	short loc_AEAA08
		movzx	ecx, ds:_KeNumberNodes
		mov	eax, ds:_KeNodeDistance
		mov	edx, [edx]
		imul	ecx, ebx
		add	ecx, edi
		mov	ecx, [eax+ecx*4]
		mov	eax, edx
		sub	eax, ecx
		jns	short loc_AEA9F9
		mov	eax, ecx
		sub	eax, edx

loc_AEA9F9:				; CODE XREF: SaveNodeDistanceInformation+F843j
		imul	eax, 64h
		xor	edx, edx
		div	[ebp+var_24]
		cmp	eax, ecx
		ja	short loc_AEAA18
		mov	edx, [ebp+var_1C]

loc_AEAA08:				; CODE XREF: SaveNodeDistanceInformation+F823j
					; SaveNodeDistanceInformation+F827j
		inc	edi
		add	edx, 8
		mov	[ebp+var_1C], edx
		cmp	edi, esi
		jb	short loc_AEA9BE
		mov	dl, [ebp+var_2D]
		jmp	short loc_AEAA1D
; 

loc_AEAA18:				; CODE XREF: SaveNodeDistanceInformation+F853j
		mov	dl, 1
		mov	[ebp+var_2D], dl

loc_AEAA1D:				; CODE XREF: SaveNodeDistanceInformation+F866j
		test	dl, dl
		jnz	short loc_AEAA3F
		mov	edi, [ebp+var_34]

loc_AEAA24:				; CODE XREF: SaveNodeDistanceInformation+F804j
		mov	eax, esi
		inc	ebx
		shl	eax, 3
		add	edi, eax
		mov	[ebp+var_34], edi
		cmp	ebx, esi
		jb	loc_AEA99F
		test	dl, dl
		jz	loc_AEAB19

loc_AEAA3F:				; CODE XREF: SaveNodeDistanceInformation+F86Fj
		cmp	[ebp+var_38], 0FFFFFFFFh
		jz	short loc_AEAA69
		push	offset ??_C@_1BM@ODCPILIP@?$AAN?$AAo?$AAd?$AAe?$AA?5?$AAD?$AAi?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@PBOPGDP@
		lea	eax, [ebp+var_60]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+var_4C]
		lea	eax, [ebp+var_60]
		push	[ebp+var_3C]
		push	3
		push	0
		push	eax
		push	[ebp+var_38]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_AEAA69:				; CODE XREF: SaveNodeDistanceInformation+F893j
		movzx	eax, ds:_KeNumberNodes
		xor	edx, edx
		mov	ecx, ds:_KeNodeDistance
		shl	eax, 2
		mov	[ebp+var_28], edx
		mov	[ebp+var_54], eax
		mov	[ebp+var_24], ecx

loc_AEAA84:				; CODE XREF: SaveNodeDistanceInformation+F963j
		mov	edi, ds:_KeNodeBlock[edx*4]
		movzx	eax, word ptr [edi+8Ch]
		cmp	[edi+8Ah], ax
		jz	short loc_AEAAA2
		mov	edi, ds:_KeNodeBlock[eax*4]

loc_AEAAA2:				; CODE XREF: SaveNodeDistanceInformation+F8E9j
		xor	ebx, ebx
		mov	[ebp+var_1C], ecx

loc_AEAAA7:				; CODE XREF: SaveNodeDistanceInformation+F94Fj
		mov	eax, ds:_KeNodeBlock[ebx*4]
		movzx	edx, word ptr [eax+8Ch]
		mov	[ebp+var_4C], edx
		cmp	[eax+8Ah], dx
		jz	short loc_AEAACD
		mov	eax, edx
		movzx	eax, ax
		mov	eax, ds:_KeNodeBlock[eax*4]

loc_AEAACD:				; CODE XREF: SaveNodeDistanceInformation+F90Fj
		movzx	edx, word ptr [edi+8Ah]
		movzx	eax, word ptr [eax+8Ah]
		cmp	dx, ax
		jnz	short loc_AEAAE4
		xor	eax, eax
		jmp	short loc_AEAAF4
; 

loc_AEAAE4:				; CODE XREF: SaveNodeDistanceInformation+F92Ej
		mov	ecx, edx
		imul	ecx, esi
		add	ecx, eax
		mov	eax, [ebp+var_2C]
		mov	eax, [eax+ecx*8]
		mov	ecx, [ebp+var_1C]

loc_AEAAF4:				; CODE XREF: SaveNodeDistanceInformation+F932j
		mov	[ecx], eax
		inc	ebx
		add	ecx, 4
		mov	[ebp+var_1C], ecx
		cmp	ebx, esi
		jb	short loc_AEAAA7
		mov	edx, [ebp+var_28]
		mov	ecx, [ebp+var_24]
		inc	edx
		add	ecx, [ebp+var_54]
		mov	[ebp+var_28], edx
		mov	[ebp+var_24], ecx
		cmp	edx, esi
		jb	loc_AEAA84

loc_AEAB19:				; CODE XREF: SaveNodeDistanceInformation+F482j
					; SaveNodeDistanceInformation+F7E3j ...
		push	0
		push	[ebp+var_2C]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	eax, [ebp+var_3C]
		test	eax, eax
		jz	short loc_AEAB32
		push	0
		push	eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AEAB32:				; CODE XREF: SaveNodeDistanceInformation+F39Dj
					; SaveNodeDistanceInformation+F978j
		cmp	[ebp+var_38], 0FFFFFFFFh
		jz	loc_ADB22A
		push	[ebp+var_38]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_ADB22A
; END OF FUNCTION CHUNK	FOR SaveNodeDistanceInformation
; 
; START	OF FUNCTION CHUNK FOR EtwpInitializeCoverageSampler

loc_AEAB49:				; CODE XREF: EtwpInitializeCoverageSampler+98j
		push	edi
		push	edi
		push	edi
		push	0C0h
		push	5Eh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AEAB59:				; CODE XREF: KeI386InitializeSEHOP+78j
		push	0
		push	0
		push	0Bh
		push	eax
		push	31h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AEAB68:				; CODE XREF: ExpWnfAllocateDispatcher+3Aj
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		mov	edi, edx
		rep stosd
		mov	eax, 908h
		mov	[edx+2], bx
		mov	[edx], ax
		mov	al, 1
		and	dword ptr [edx+10h], 0
		and	dword ptr [edx+4], 0
		pop	edi
		mov	dword ptr [edx+0Ch], offset _ExpWnfWorkItemRoutine@4 ; ExpWnfWorkItemRoutine(x)
		pop	ebx
		retn
; END OF FUNCTION CHUNK	FOR EtwpInitializeCoverageSampler
; 
; START	OF FUNCTION CHUNK FOR PpmInitHeteroEngine

loc_AEAB92:				; CODE XREF: PpmInitHeteroEngine+51j
		push	edi
		push	ds:_PpmHeteroCapability
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		and	ds:_PpmHeteroCapability, 0

loc_AEABA5:				; CODE XREF: PpmInitHeteroEngine+39j
		mov	edi, 0C000009Ah
		jmp	loc_ADB499
; END OF FUNCTION CHUNK	FOR PpmInitHeteroEngine
; 
; START	OF FUNCTION CHUNK FOR VhdInitialize

loc_AEABAF:				; CODE XREF: VhdInitialize+5Ej
		inc	eax
		push	offset ??_C@_0L@MENOPLJP@partition?$CI@PBOPGDP@	; char *
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	loc_ADB69A
		mov	ecx, [edi+80h]
		mov	eax, [ecx]
		jmp	short loc_AEABD8
; 

loc_AEABCF:				; CODE XREF: VhdInitialize+F5A4j
		mov	edi, [eax+28h]
		test	edi, edi
		jnz	short loc_AEABE1
		mov	eax, [eax]

loc_AEABD8:				; CODE XREF: VhdInitialize+F597j
		cmp	eax, ecx
		jnz	short loc_AEABCF
		jmp	loc_ADB69A
; 

loc_AEABE1:				; CODE XREF: VhdInitialize+F59Ej
		lea	eax, [ebp+var_14]
		mov	ecx, edi	; int
		push	eax		; int
		lea	eax, [ebp+var_1]
		push	eax		; int
		lea	eax, [ebp+var_C]
		push	eax		; int
		lea	edx, [ebp+var_C8] ; void *
		call	_VhdiGetDiskParameters@20 ; VhdiGetDiskParameters(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_AEAC08
		xor	ebx, ebx
		inc	ebx
		jmp	loc_AEAE1A
; 

loc_AEAC08:				; CODE XREF: VhdInitialize+F5C8j
		mov	cl, byte ptr [ebp+var_1]
		mov	edi, [ebp+var_14]
		test	cl, cl
		jnz	short loc_AEAC53
		mov	ecx, [ebp+var_8]
		lea	eax, [ebp+var_C8]
		mov	[ebp+var_38], eax
		mov	eax, [ebp+var_C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_38]
		push	eax
		push	offset _VhdiInitializeBootDisk@12 ; VhdiInitializeBootDisk(x,x,x)
		push	2
		pop	edx
		mov	[ebp+var_30], edi
		call	_PnpBootDeviceWait@16 ;	PnpBootDeviceWait(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_AEAC50
		push	2
		jmp	short loc_AEAC4A
; 

loc_AEAC48:				; CODE XREF: VhdInitialize+F714j
		push	5

loc_AEAC4A:				; CODE XREF: VhdInitialize+F610j
					; VhdInitialize+F6DDj
		pop	ebx
		jmp	loc_AEAE1A
; 

loc_AEAC50:				; CODE XREF: VhdInitialize+F60Cj
		mov	cl, byte ptr [ebp+var_1]

loc_AEAC53:				; CODE XREF: VhdInitialize+F5DAj
		lea	edx, [edi+2]
		xor	esi, esi

loc_AEAC58:				; CODE XREF: VhdInitialize+F62Bj
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, si
		jnz	short loc_AEAC58
		xor	eax, eax
		sub	edi, edx
		sar	edi, 1
		test	cl, cl
		push	esi
		setz	al
		dec	eax
		and	eax, 24h
		add	eax, 4Ah
		lea	ecx, [eax+edi*2]
		mov	eax, large fs:20h
		mov	[ebp+var_18], ecx
		mov	edx, ecx
		mov	ecx, 200h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	42646856h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		mov	[ebp+var_10], edi
		test	edi, edi
		jz	short loc_AEACCB
		cmp	byte ptr [ebp+var_1], bl
		jnz	short loc_AEACDC
		push	dword ptr [ebp+var_1C] ; char
		push	offset ??_C@_1DG@ICOLAHHE@?$AA?2?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi@PBOPGDP@ ; wchar_t *
		push	4Ah		; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		mov	esi, eax
		jmp	short loc_AEAD0D
; 

loc_AEACCB:				; CODE XREF: VhdInitialize+F677j
					; VhdInitialize+F6B6j
		push	3
		jmp	short loc_AEACD1
; 

loc_AEACCF:				; CODE XREF: VhdInitialize+F781j
		push	7

loc_AEACD1:				; CODE XREF: VhdInitialize+F697j
		pop	ebx
		mov	esi, 0C0000017h
		jmp	loc_AEAE22
; 

loc_AEACDC:				; CODE XREF: VhdInitialize+F67Cj
		lea	eax, [ebp+var_24]
		push	eax
		push	offset _RamdiskBootDiskGuid
		call	_RtlStringFromGUID@8 ; RtlStringFromGUID(x,x)
		test	eax, eax
		js	short loc_AEACCB
		lea	eax, [ebp+var_24]
		push	eax		; char
		push	offset ??_C@_1CI@NBOCCOHM@?$AA?2?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAR?$AAa?$AAm?$AAd?$AAi?$AAs@PBOPGDP@ ; wchar_t *
		push	6Eh		; int
		push	edi		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		mov	esi, eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)

loc_AEAD0D:				; CODE XREF: VhdInitialize+F693j
		test	esi, esi
		jns	short loc_AEAD18
		push	4
		jmp	loc_AEAC4A
; 

loc_AEAD18:				; CODE XREF: VhdInitialize+F6D9j
		lea	ecx, [edi+2]
		xor	edx, edx

loc_AEAD1D:				; CODE XREF: VhdInitialize+F6F0j
		mov	ax, [edi]
		add	edi, 2
		cmp	ax, dx
		jnz	short loc_AEAD1D
		mov	eax, [ebp+var_14]
		sub	edi, ecx
		mov	edx, [ebp+var_18]
		mov	ecx, [ebp+var_10]
		push	eax
		sar	edi, 1
		mov	[ebp+var_8], eax
		call	_RtlStringCbCatW@12 ; RtlStringCbCatW(x,x,x)
		mov	ecx, [ebp+var_10]
		call	_VhdiMountVhdFile@4 ; VhdiMountVhdFile(x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEAC48
		mov	eax, [ebp+var_10]
		mov	ecx, [ebp+var_8]
		mov	_NtVhdBootFile,	eax
		add	eax, 2
		mov	[ebp+var_10], eax
		dec	edi
		lea	edx, [ecx+2]

loc_AEAD65:				; CODE XREF: VhdInitialize+F739j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [ebp+var_28]
		jnz	short loc_AEAD65
		sub	ecx, edx
		xor	edx, edx
		sar	ecx, 1
		mov	[ebp+var_8], ecx
		push	edx
		lea	eax, [ecx+edi]
		lea	ecx, ds:0Eh[eax*2]
		mov	eax, large fs:20h
		mov	[ebp+var_18], ecx
		mov	edx, ecx
		mov	ecx, 200h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	42646856h
		call	ExpAllocatePoolWithTagFromNode
		mov	[ebp+var_C], eax
		test	eax, eax
		jz	loc_AEACCF
		push	[ebp+var_18]	; size_t
		xor	ecx, ecx
		push	ecx		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [edi+edi]
		push	eax		; size_t
		mov	eax, [ebp+var_C]
		push	[ebp+var_10]	; void *
		add	eax, 8
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_8]
		lea	ecx, ds:0Ah[edi*2]
		mov	edi, [ebp+var_C]
		add	esp, 0Ch
		lea	eax, ds:2[eax*2]
		push	eax		; size_t
		push	[ebp+var_14]	; void *
		lea	eax, [edi+ecx]
		mov	[edi+4], ecx
		push	eax		; void *
		call	_memcpy
		mov	eax, [ebp+var_18]
		add	esp, 0Ch
		mov	off_6B34A8, edi
		mov	dword_6B64B4, eax
		mov	byte ptr [edi],	1

loc_AEAE1A:				; CODE XREF: VhdInitialize+F5CDj
					; VhdInitialize+F615j
		test	esi, esi
		jns	loc_ADB69A

loc_AEAE22:				; CODE XREF: VhdInitialize+F6A1j
		xor	eax, eax
		push	eax
		push	eax
		push	esi
		push	ebx
		push	12Fh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
; END OF FUNCTION CHUNK	FOR VhdInitialize
; START	OF FUNCTION CHUNK FOR ObpInitStackTrace

loc_AEAE33:				; CODE XREF: ObpInitStackTrace+87j
		mov	ebx, offset _ObpTraceProcessNameBuffer
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_AEAE3D:				; CODE XREF: ObpInitStackTrace+F72Cj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_AEAE3D
		sub	ecx, edx
		sar	ecx, 1
		push	7452624Fh
		lea	eax, [ecx+ecx]
		movzx	esi, ax
		lea	eax, [esi+2]
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	dword_6C42D4, eax
		test	eax, eax
		jz	loc_ADB7BD
		lea	ecx, [esi+2]
		mov	_ObpRegTraceProcessName, si
		mov	word_6C42D2, cx
		movzx	ecx, cx
		push	ecx		; size_t
		push	ebx		; void *
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		xor	esi, esi
		push	20h
		pop	ebx
		mov	[ebp+var_8], ebx
		jmp	loc_ADB7A7
; 

loc_AEAE9E:				; CODE XREF: ObpInitStackTrace+95j
		mov	ecx, offset _ObpTracePoolTagsBuffer
		lea	edx, [ecx+2]

loc_AEAEA6:				; CODE XREF: ObpInitStackTrace+F795j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, si
		jnz	short loc_AEAEA6
		sub	ecx, edx
		xor	edx, edx
		sar	ecx, 1
		push	5
		lea	eax, [ecx+1]
		pop	ecx
		div	ecx
		mov	ecx, eax
		cmp	ecx, 10h
		jbe	short loc_AEAEC9
		push	10h
		pop	ecx

loc_AEAEC9:				; CODE XREF: ObpInitStackTrace+F7AAj
		test	ecx, ecx
		jz	short loc_AEAF0E
		mov	edi, offset unk_6C44A6
		mov	esi, offset _ObpRegTracePoolTags
		mov	[ebp+var_4], edi

loc_AEAEDA:				; CODE XREF: ObpInitStackTrace+F7E8j
		mov	edx, [esi]
		mov	ebx, edi
		push	4
		pop	edi

loc_AEAEE1:				; CODE XREF: ObpInitStackTrace+F7D5j
		movzx	eax, word ptr [ebx]
		lea	ebx, [ebx-2]
		shl	edx, 8
		or	edx, eax
		sub	edi, 1
		jnz	short loc_AEAEE1
		mov	edi, [ebp+var_4]
		mov	[esi], edx
		add	edi, 0Ah
		add	esi, 4
		mov	[ebp+var_4], edi
		sub	ecx, 1
		jnz	short loc_AEAEDA
		mov	ebx, [ebp+var_8]
		xor	esi, esi
		mov	edi, offset _ObpRegTracePoolTags

loc_AEAF0E:				; CODE XREF: ObpInitStackTrace+F7B1j
		or	ebx, 10h
		jmp	loc_ADB7B5
; 

loc_AEAF16:				; CODE XREF: ObpInitStackTrace+9Dj
		cmp	_ObpTracePermanent, 0
		jz	short loc_AEAF22
		or	ebx, 40h

loc_AEAF22:				; CODE XREF: ObpInitStackTrace+F803j
		call	_ObpInitStackAndObjectTables@0 ; ObpInitStackAndObjectTables()
		test	eax, eax
		js	short loc_AEAF5D
		or	ebx, 1
		mov	_ObpRegTraceFlags, ebx
		mov	ds:_ObpTraceFlags, ebx
		test	bl, 10h
		jz	short loc_AEAF45
		mov	_ObpTracePoolTags, edi

loc_AEAF45:				; CODE XREF: ObpInitStackTrace+F823j
		test	bl, 20h
		jz	loc_ADB7BD
		mov	_ObpTraceProcessName, offset _ObpRegTraceProcessName
		jmp	loc_ADB7BD
; 

loc_AEAF5D:				; CODE XREF: ObpInitStackTrace+F80Fj
		test	bl, 10h
		jz	short loc_AEAF6E
		push	40h		; size_t
		push	esi		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch

loc_AEAF6E:				; CODE XREF: ObpInitStackTrace+F846j
		test	bl, 20h
		jz	loc_ADB7BD
		push	7452624Fh
		push	dword_6C42D4
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		push	esi
		push	offset _ObpRegTraceProcessName
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		jmp	loc_ADB7BD
; END OF FUNCTION CHUNK	FOR ObpInitStackTrace
; 
; START	OF FUNCTION CHUNK FOR MiProtectSharedUserPage

loc_AEAF97:				; CODE XREF: MiProtectSharedUserPage+3Fj
					; MiProtectSharedUserPage+49j ...
		mov	al, byte ptr word_6D07B8
		and	esi, 0FFFFFEFFh
		and	al, 1
		mov	[ebp+var_98], 21h
		movzx	eax, al
		cdq
		or	edx, 0FF800000h
		mov	[ebp+var_8C], ebx
		shld	edx, eax, 8
		shl	eax, 8
		or	edx, edi
		or	eax, esi
		nop
		mov	ecx, 0C07FEF80h
		push	ebx
		push	1
		mov	[ecx], eax
		lea	ecx, [ebp+var_A0]
		mov	ds:0C07FEF84h, edx
		mov	edx, 0FFDF0000h
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		jmp	loc_ADB902
; END OF FUNCTION CHUNK	FOR MiProtectSharedUserPage
; 
; START	OF FUNCTION CHUNK FOR MfgInitSystem

loc_AEAFFA:				; CODE XREF: MfgInitSystem+6Dj
		mov	ecx, 80h
		cmp	ax, cx
		jb	short loc_AEB00E
		mov	esi, 0C000000Dh
		jmp	loc_ADBBE9
; 

loc_AEB00E:				; CODE XREF: MfgInitSystem+F48Cj
		mov	word_6BBFE4, ax
		movzx	eax, word ptr [edi+0A4Ah]
		push	5067664Dh
		push	eax
		push	1
		mov	word_6BBFE6, ax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	dword_6BBFE8, eax
		test	eax, eax
		jnz	short loc_AEB041
		mov	esi, 0C000009Ah
		jmp	loc_AEB2BA
; 

loc_AEB041:				; CODE XREF: MfgInitSystem+F4BFj
		push	dword ptr [edi+0A4Ch]
		movzx	edx, word_6BBFE6
		mov	ecx, eax
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEB2BA
		push	(offset	loc_ADC7ED+1)
		push	offset ??_C@_1CG@GMHJCNO@?$AA?2?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAm?$AAa?$AAc?$AAh?$AAi@PBOPGDP@	; char
		push	offset ??_C@_19LJDFFCJJ@?$AA?$CF?$AAs?$AA?$CF?$AAs@PBOPGDP@ ; wchar_t *
		lea	eax, [ebp+var_208]
		push	200h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	esi, eax
		add	esp, 14h
		test	esi, esi
		js	loc_AEB2BA
		lea	eax, [ebp+var_208]
		push	eax
		lea	eax, [ebp+var_234]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEB2BA
		lea	eax, [ebp+var_234]
		mov	[ebp+var_228], 18h
		mov	[ebp+var_220], eax
		mov	edi, 0F003Fh
		lea	eax, [ebp+var_228]
		mov	[ebp+var_224], ebx
		push	eax
		push	edi
		lea	eax, [ebp+var_210]
		mov	[ebp+var_21C], 240h
		push	eax
		mov	[ebp+var_218], ebx
		mov	[ebp+var_214], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEB2BA
		mov	eax, [ebp+var_210]
		mov	[ebp+var_224], eax
		lea	eax, [ebp+var_228]
		push	eax
		push	edi
		lea	eax, [ebp+var_22C]
		mov	[ebp+var_228], 18h
		push	eax
		mov	[ebp+var_21C], 240h
		mov	[ebp+var_220], offset word_6BBFE4
		mov	[ebp+var_218], ebx
		mov	[ebp+var_214], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEB2BA
		push	[ebp+var_22C]
		call	_ZwClose@4	; ZwClose(x)
		or	_ExpManufacturingInformation, 1
		lea	eax, [ebp+var_23C]
		push	offset ??_C@_1BI@MPLGKGLB@?$AAL?$AAa?$AAs?$AAt?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl?$AAe@PBOPGDP@
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		movzx	eax, word_6BBFE6
		push	eax
		push	dword_6BBFE8
		lea	eax, [ebp+var_23C]
		push	1
		push	ebx
		push	eax
		push	[ebp+var_210]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEB2BA
		push	offset ??_C@_1BA@OFLJGHK@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt@PBOPGDP@
		lea	eax, [ebp+var_234]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEB2BA
		mov	eax, [ebp+var_210]
		mov	[ebp+var_224], eax
		lea	eax, [ebp+var_234]
		mov	[ebp+var_220], eax
		lea	eax, [ebp+var_228]
		push	8
		push	eax
		push	edi
		lea	eax, [ebp+var_20C]
		mov	[ebp+var_228], 18h
		push	eax
		mov	[ebp+var_21C], 340h
		mov	[ebp+var_218], ebx
		mov	[ebp+var_214], ebx
		call	_ZwOpenKeyEx@16	; ZwOpenKeyEx(x,x,x,x)
		test	eax, eax
		js	short loc_AEB235
		push	[ebp+var_20C]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEB2BA
		push	[ebp+var_20C]
		call	_ZwClose@4	; ZwClose(x)
		mov	[ebp+var_20C], ebx

loc_AEB235:				; CODE XREF: MfgInitSystem+F697j
		push	ebx
		push	3
		push	ebx
		push	ebx
		lea	eax, [ebp+var_228]
		push	eax
		push	edi
		lea	eax, [ebp+var_20C]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AEB2BA
		push	offset word_6BBFE4
		push	(offset	loc_ADC7ED+1)
		push	offset ??_C@_1CG@GMHJCNO@?$AA?2?$AAr?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAm?$AAa?$AAc?$AAh?$AAi@PBOPGDP@	; char
		push	offset ??_C@_1BA@HGMBKIKB@?$AA?$CF?$AAs?$AA?$CF?$AAs?$AA?$CF?$AAw?$AAZ@PBOPGDP@	; wchar_t *
		lea	eax, [ebp+var_208]
		push	200h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	esi, eax
		add	esp, 18h
		test	esi, esi
		js	short loc_AEB2BA
		lea	ecx, [ebp+var_208]
		lea	edx, [ecx+2]

loc_AEB28B:				; CODE XREF: MfgInitSystem+F71Ej
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_AEB28B
		sub	ecx, edx
		sar	ecx, 1
		lea	eax, [ecx+ecx]
		push	eax
		lea	eax, [ebp+var_208]
		push	eax
		push	6
		push	ebx
		push	offset _CmSymbolicLinkValueName
		push	[ebp+var_20C]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax

loc_AEB2BA:				; CODE XREF: MfgInitSystem+F4C6j
					; MfgInitSystem+F4E3j ...
		cmp	[ebp+var_20C], ebx
		jz	short loc_AEB2CD
		push	[ebp+var_20C]
		call	_ZwClose@4	; ZwClose(x)

loc_AEB2CD:				; CODE XREF: MfgInitSystem+F74Aj
		cmp	[ebp+var_210], ebx
		jz	loc_ADBBE9
		push	[ebp+var_210]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_ADBBE9
; END OF FUNCTION CHUNK	FOR MfgInitSystem
; 
; START	OF FUNCTION CHUNK FOR BcdInitializeBcdSyncMutant

loc_AEB2E9:				; CODE XREF: BcdInitializeBcdSyncMutant+56j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		leave
		retn
; END OF FUNCTION CHUNK	FOR BcdInitializeBcdSyncMutant
; 
; START	OF FUNCTION CHUNK FOR IopQueryDeviceResetRegistrySettings

loc_AEB2F3:				; CODE XREF: IopQueryDeviceResetRegistrySettings+30j
		mov	ecx, [ebp+var_4]
		cmp	dword ptr [ecx+0Ch], 4
		jnz	loc_ADBC8E
		mov	eax, [ecx+8]
		push	0
		push	ecx
		mov	esi, [ecx+eax]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		lea	eax, [esi-65h]
		cmp	eax, 74CBh
		ja	loc_ADBC8E
		mov	ebx, esi
		jmp	loc_ADBC8E
; 

loc_AEB323:				; CODE XREF: IopQueryDeviceResetRegistrySettings+4Bj
		mov	ecx, [ebp+var_4]
		cmp	dword ptr [ecx+0Ch], 4
		jnz	loc_ADBCA9
		mov	eax, [ecx+8]
		push	0
		push	ecx
		mov	esi, [ecx+eax]
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	esi, 64h
		ja	loc_ADBCA9
		mov	edi, esi
		jmp	loc_ADBCA9
; END OF FUNCTION CHUNK	FOR IopQueryDeviceResetRegistrySettings
; 
; START	OF FUNCTION CHUNK FOR MiExamineHalVa

loc_AEB34E:				; CODE XREF: MiExamineHalVa+F69Bj
		mov	edx, ecx
		sub	ecx, 8
		mov	eax, [ecx]
		and	eax, 1
		or	eax, 0
		jz	loc_ADBCF4

loc_AEB361:				; CODE XREF: MiExamineHalVa+39j
		test	ecx, edi
		jnz	short loc_AEB34E
		jmp	loc_ADBCDA
; END OF FUNCTION CHUNK	FOR MiExamineHalVa
; 
; START	OF FUNCTION CHUNK FOR PoFxRegisterDebugger

loc_AEB36A:				; CODE XREF: PoFxRegisterDebugger+64j
		mov	esi, [ebp+var_8C]
		push	4D584650h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_ADBD70
		push	esi		; size_t
		push	edi		; int
		push	ebx		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_8C]
		push	eax
		push	ebx
		push	esi
		push	21h
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	loc_AEB4EE
		cmp	[ebp+var_8C], esi
		ja	loc_AEB4EE
		lea	esi, [ebx+4]
		mov	edx, edi
		mov	eax, edi
		mov	[ebp+var_98], edi
		cmp	[ebx], edi
		jbe	loc_AEB4EE

loc_AEB3CF:				; CODE XREF: PoFxRegisterDebugger+F7E2j
		add	esi, edx
		mov	ecx, [esi]
		mov	edx, [esi+4]
		mov	[ebp+var_9C], edx
		cmp	ecx, 1
		jnz	short loc_AEB3EF
		cmp	[esi+8], edi
		jz	loc_AEB4DF
		lea	eax, [esi+0Ch]
		jmp	short loc_AEB425
; 

loc_AEB3EF:				; CODE XREF: PoFxRegisterDebugger+F6D9j
		test	ecx, ecx
		jnz	loc_AEB4DF
		mov	eax, [esi+10h]
		mov	ecx, eax
		shr	ecx, 5
		and	eax, 1Fh
		and	ecx, 7
		push	ecx
		push	eax
		push	dword ptr [esi+0Ch]
		movzx	eax, word ptr [esi+8]
		push	eax		; char
		push	offset ??_C@_1DM@JLCHDFIG@?$AAP?$AAC?$AAI?$AA_?$AAD?$AAE?$AAB?$AAU?$AAG?$AA_?$AA?$CF?$AA0?$AA4?$AAX?$AA_@PBOPGDP@ ; wchar_t *
		lea	eax, [ebp+var_34]
		push	30h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 1Ch
		lea	eax, [ebp+var_34]

loc_AEB425:				; CODE XREF: PoFxRegisterDebugger+F6E7j
		push	eax
		lea	eax, [ebp+var_A4]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_50]
		push	38h		; size_t
		push	eax		; int
		rep stosd
		lea	eax, [ebp+var_88]
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_78], offset _PopFxDebuggerPowerCriticalTransitionCallback@12 ;	PopFxDebuggerPowerCriticalTransitionCallback(x,x,x)
		lea	eax, [ebp+var_50]
		xor	ecx, ecx
		mov	[ebp+var_54], eax
		inc	ecx
		lea	eax, [ebp+var_90]
		mov	[ebp+var_88], ecx
		push	eax
		lea	eax, [ebp+var_88]
		mov	[ebp+var_84], ecx
		push	eax
		lea	eax, [ebp+var_A4]
		mov	[ebp+var_5C], ecx
		push	eax
		call	PoFxRegisterCoreDevice
		test	eax, eax
		js	short loc_AEB4EE
		mov	eax, [ebp+var_90]
		or	dword ptr [eax+238h], 2
		mov	edi, [ebp+var_90]
		and	[ebp+var_94], 0
		mov	ecx, [edi+24h]
		test	ecx, ecx
		jz	short loc_AEB4C1
		mov	eax, [edi+28h]
		mov	[ebp+var_94], eax
		lea	eax, [ebp+var_94]
		push	eax
		push	15h
		call	dword ptr [ecx+40h]

loc_AEB4C1:				; CODE XREF: PoFxRegisterDebugger+F7A4j
		push	1
		push	0
		push	edi
		call	_PoFxActivateComponent@12 ; PoFxActivateComponent(x,x,x)
		push	edi
		call	PoFxStartDevicePowerManagement
		mov	eax, [ebp+var_98]
		xor	edi, edi
		mov	edx, [ebp+var_9C]

loc_AEB4DF:				; CODE XREF: PoFxRegisterDebugger+F6DEj
					; PoFxRegisterDebugger+F6EBj
		inc	eax
		mov	[ebp+var_98], eax
		cmp	eax, [ebx]
		jb	loc_AEB3CF

loc_AEB4EE:				; CODE XREF: PoFxRegisterDebugger+F6A2j
					; PoFxRegisterDebugger+F6AEj ...
		push	4D584650h
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	loc_ADBD70
; END OF FUNCTION CHUNK	FOR PoFxRegisterDebugger
; 
; START	OF FUNCTION CHUNK FOR PipWaitCriticalDevices

loc_AEB4FE:				; CODE XREF: PipWaitCriticalDevices+1Aj
		push	eax
		push	ebx
		push	3
		pop	edx
		call	_PnpBootDeviceWait@16 ;	PnpBootDeviceWait(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_ADBE21
		jmp	loc_ADBDF4
; 

loc_AEB517:				; CODE XREF: PipWaitCriticalDevices+36j
		push	dword ptr [edi+34h]
		mov	ecx, esi
		push	ebx
		push	4
		pop	edx
		call	_PnpBootDeviceWait@16 ;	PnpBootDeviceWait(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		js	loc_ADBE21
		jmp	loc_ADBE10
; END OF FUNCTION CHUNK	FOR PipWaitCriticalDevices
; 
; START	OF FUNCTION CHUNK FOR PnpBusTypeGuidInitialize

loc_AEB534:				; CODE XREF: PnpBusTypeGuidInitialize+27j
		and	_PnpBusTypeGuidCountMax, 0
		mov	eax, 0C000009Ah
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR PnpBusTypeGuidInitialize
; 
; START	OF FUNCTION CHUNK FOR PopPdcCsCheckSystemVolumeDevice

loc_AEB542:				; CODE XREF: PopPdcCsCheckSystemVolumeDevice+35j
		mov	eax, ds:dword_A94414
		push	20h
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_2C]
		push	7
		push	eax
		lea	eax, [ebp+var_50]
		mov	[ebp+var_20], ebx
		push	eax
		push	80000000h
		lea	eax, [ebp+var_20]
		mov	[ebp+var_30], 1
		push	eax
		mov	[ebp+var_34], ebx
		mov	[ebp+var_50], 18h
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_44], 240h
		mov	[ebp+var_48], offset _IoArcBootDeviceName
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AEB5DC
		push	0Ch
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_2C], ebx
		push	eax
		push	0Ch
		lea	eax, [ebp+var_10]
		mov	[ebp+var_28], ebx
		push	eax
		push	2D1400h
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_8], ebx
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_20]
		mov	[ebp+var_10], 7
		mov	[ebp+var_C], ebx
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AEB5DC
		cmp	[ebp+var_14], bl
		jnz	short loc_AEB5D5
		mov	byte ptr [ebp+var_30+1], 1
		jmp	short loc_AEB5DC
; 

loc_AEB5D5:				; CODE XREF: PopPdcCsCheckSystemVolumeDevice+F5FBj
		mov	_PopBsdSkipLogging, 1

loc_AEB5DC:				; CODE XREF: PopPdcCsCheckSystemVolumeDevice+F5BFj
					; PopPdcCsCheckSystemVolumeDevice+F5F6j ...
		lea	ecx, [ebp+var_38]
		call	_PopPdcCsDeviceNotification@4 ;	PopPdcCsDeviceNotification(x)
		cmp	[ebp+var_20], ebx
		jz	short loc_AEB5F1
		push	[ebp+var_20]
		call	_ZwClose@4	; ZwClose(x)

loc_AEB5F1:				; CODE XREF: PopPdcCsCheckSystemVolumeDevice+F615j
		call	_PopAcquirePolicyLock@0	; PopAcquirePolicyLock()
		lea	ecx, [ebp+var_24]
		call	_PopNetIsDisconnectStandbyActive@4 ; PopNetIsDisconnectStandbyActive(x)
		cmp	[ebp+var_24], 3
		jz	short loc_AEB611
		cmp	[ebp+var_24], 4
		mov	byte_6C2E37, 1
		jnz	short loc_AEB617

loc_AEB611:				; CODE XREF: PopPdcCsCheckSystemVolumeDevice+F630j
		mov	byte_6C2E37, bl

loc_AEB617:				; CODE XREF: PopPdcCsCheckSystemVolumeDevice+F63Dj
		call	_PopReleasePolicyLock@0	; PopReleasePolicyLock()
		jmp	loc_ADC00D
; END OF FUNCTION CHUNK	FOR PopPdcCsCheckSystemVolumeDevice
; 
; START	OF FUNCTION CHUNK FOR PiInitFirmwareResources

loc_AEB621:				; CODE XREF: PiInitFirmwareResources+23j
		lea	ebx, [ecx+0A8h]
		cmp	[ebx], ebx
		jz	loc_ADC091
		push	40h
		pop	eax
		push	3Eh
		mov	word ptr [ebp+var_1C+2], ax
		lea	ecx, [ebp+var_C]
		pop	eax
		push	esi
		push	esi
		mov	word ptr [ebp+var_1C], ax
		xor	edx, edx
		push	0F003Fh
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_18], offset ??_C@_1EA@OIKLMKHD@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		push	eax
		call	IopCreateRegistryKeyEx
		mov	edi, eax
		test	edi, edi
		js	loc_AEB7E4
		mov	edx, [ebp+var_C]
		lea	ecx, [ebp+var_8]
		push	0Ah
		pop	eax
		push	8
		mov	word ptr [ebp+var_1C+2], ax
		pop	eax
		push	esi
		push	esi
		mov	word ptr [ebp+var_1C], ax
		lea	eax, [ebp+var_1C]
		push	0F003Fh
		push	eax
		mov	[ebp+var_18], offset ??_C@_19LKGGJOEB@?$AAE?$AAS?$AAR?$AAT@PBOPGDP@
		call	IopCreateRegistryKeyEx
		mov	edi, eax
		test	edi, edi
		js	loc_AEB7D6
		mov	eax, [ebx]
		jmp	loc_AEB7CB
; 

loc_AEB69F:				; CODE XREF: PiInitFirmwareResources+F768j
		lea	esi, [eax+8]
		lea	eax, [ebp+var_24]
		mov	[ebp+var_4], esi
		push	eax
		push	esi
		call	_RtlStringFromGUID@8 ; RtlStringFromGUID(x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AEB7D6
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_24]
		push	0
		push	0
		push	0F003Fh
		push	eax
		lea	ecx, [ebp+var_10]
		call	IopCreateRegistryKeyEx
		mov	edi, eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	edi, edi
		js	loc_AEB7D6
		push	0Ah
		pop	eax
		push	8
		mov	word ptr [ebp+var_1C+2], ax
		pop	eax
		push	4
		mov	word ptr [ebp+var_1C], ax
		lea	eax, [esi+10h]
		mov	esi, [ebp+var_10]
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_18], offset ??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@PBOPGDP@ ; "Type"
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	10h
		pop	eax
		push	0Eh
		mov	word ptr [ebp+var_1C+2], ax
		pop	eax
		mov	word ptr [ebp+var_1C], ax
		mov	eax, [ebp+var_4]
		push	4
		add	eax, 14h
		mov	[ebp+var_18], offset ??_C@_1BA@LIACFDLB@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@PBOPGDP@
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	2Eh
		pop	eax
		push	2Ch
		mov	word ptr [ebp+var_1C+2], ax
		pop	eax
		mov	word ptr [ebp+var_1C], ax
		mov	eax, [ebp+var_4]
		push	4
		add	eax, 18h
		mov	[ebp+var_18], offset ??_C@_1CO@CCJBOFHH@?$AAL?$AAo?$AAw?$AAe?$AAs?$AAt?$AAS?$AAu?$AAp?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd@PBOPGDP@
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	26h
		pop	eax
		push	24h
		mov	word ptr [ebp+var_1C+2], ax
		pop	eax
		mov	word ptr [ebp+var_1C], ax
		mov	eax, [ebp+var_4]
		push	4
		add	eax, 20h
		mov	[ebp+var_18], offset ??_C@_1CG@LGDNDENB@?$AAL?$AAa?$AAs?$AAt?$AAA?$AAt?$AAt?$AAe?$AAm?$AAp?$AAt?$AAV?$AAe?$AAr?$AAs@PBOPGDP@
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	24h
		pop	eax
		push	22h
		mov	word ptr [ebp+var_1C+2], ax
		pop	eax
		mov	word ptr [ebp+var_1C], ax
		mov	eax, [ebp+var_4]
		push	4
		add	eax, 24h
		mov	[ebp+var_18], offset ??_C@_1CE@IHKFLCFN@?$AAL?$AAa?$AAs?$AAt?$AAA?$AAt?$AAt?$AAe?$AAm?$AAp?$AAt?$AAS?$AAt?$AAa?$AAt@PBOPGDP@ ; "L"
		push	eax
		push	4
		push	0
		lea	eax, [ebp+var_1C]
		push	eax
		push	esi
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	esi
		call	_ZwClose@4	; ZwClose(x)
		mov	eax, [ebp+var_14]
		mov	eax, [eax]

loc_AEB7CB:				; CODE XREF: PiInitFirmwareResources+F632j
		mov	[ebp+var_14], eax
		cmp	eax, ebx
		jnz	loc_AEB69F

loc_AEB7D6:				; CODE XREF: PiInitFirmwareResources+F62Aj
					; PiInitFirmwareResources+F64Bj ...
		cmp	[ebp+var_8], 0
		jz	short loc_AEB7E4
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_AEB7E4:				; CODE XREF: PiInitFirmwareResources+F5F5j
					; PiInitFirmwareResources+F772j
		cmp	[ebp+var_C], 0
		jz	loc_ADC093
		push	[ebp+var_C]
		call	_ZwClose@4	; ZwClose(x)
		jmp	loc_ADC093
; END OF FUNCTION CHUNK	FOR PiInitFirmwareResources
; 
; START	OF FUNCTION CHUNK FOR KiEnableNpxStateSwitching

loc_AEB7FB:				; CODE XREF: KiEnableNpxStateSwitching+1Fj
		mov	edx, offset _EnlightenedSwapContext_Xrstors
		mov	esi, offset _SwapContext_Xrstors
		jmp	loc_ADC33D
; 

loc_AEB80A:				; CODE XREF: KiEnableNpxStateSwitching+3Ej
		mov	eax, offset _EnlightenedSwapContext_Xsaves
		mov	ecx, offset _SwapContext_Xsaves
		jmp	loc_ADC365
; 

loc_AEB819:				; CODE XREF: KiEnableNpxStateSwitching+47j
		mov	eax, offset _EnlightenedSwapContext_Xsave
		mov	ecx, offset _SwapContext_Xsave
		jmp	loc_ADC365
; 

loc_AEB828:				; CODE XREF: KiEnableNpxStateSwitching+Dj
		mov	_SwapContext_NpxLoad, offset _SwapContext_Fxrstor
		mov	eax, offset _EnlightenedSwapContext_Fxsave
		mov	_EnlightenedSwapContext_NpxLoad, offset	_EnlightenedSwapContext_Fxrstor
		mov	ecx, offset _SwapContext_Fxsave
		jmp	loc_ADC365
; END OF FUNCTION CHUNK	FOR KiEnableNpxStateSwitching
; 
; START	OF FUNCTION CHUNK FOR MiInitializeNumaRangesTemporary

loc_AEB84B:				; CODE XREF: MiInitializeNumaRangesTemporary+23j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	loc_ADC39B
		xor	ecx, ecx
		cmp	dword ptr [eax], 0FFFFFFFFh
		jz	loc_ADC3A0
		push	esi
		movzx	esi, ds:_KeNumberNodes
		xor	edx, edx

loc_AEB86B:				; CODE XREF: MiInitializeNumaRangesTemporary+F517j
		cmp	[edx+eax+4], esi
		jb	short loc_AEB879
		and	dword ptr [edx+eax+4], 0
		mov	eax, [ebp+var_4]

loc_AEB879:				; CODE XREF: MiInitializeNumaRangesTemporary+F4FDj
		mov	dword_6D0688, ecx
		inc	ecx
		mov	edx, ecx
		shl	edx, 3
		cmp	dword ptr [edx+eax], 0FFFFFFFFh
		jnz	short loc_AEB86B
		pop	esi
		jmp	loc_ADC3A0
; END OF FUNCTION CHUNK	FOR MiInitializeNumaRangesTemporary
; 
; START	OF FUNCTION CHUNK FOR PopSetupKsrCallbacks

loc_AEB891:				; CODE XREF: PopSetupKsrCallbacks+23j
		push	(offset	loc_ADE8EB+1)
		lea	eax, [ebp+var_10]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	1
		lea	eax, [ebp+var_10]
		mov	[ebp+var_28], 18h
		mov	[ebp+var_20], eax
		lea	eax, [ebp+var_28]
		push	esi
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_24], esi
		push	eax
		mov	[ebp+var_1C], 50h
		mov	[ebp+var_18], esi
		mov	[ebp+var_14], esi
		call	_ExCreateCallback@16 ; ExCreateCallback(x,x,x,x)
		test	eax, eax
		js	loc_ADC3D1
		push	esi
		push	offset _PopKsrCallback@12 ; PopKsrCallback(x,x,x)
		push	[ebp+var_4]
		call	ExRegisterCallback
		jmp	loc_ADC3D1
; END OF FUNCTION CHUNK	FOR PopSetupKsrCallbacks
; 
; START	OF FUNCTION CHUNK FOR CcInitializeVacbs

loc_AEB8E7:				; CODE XREF: CcInitializeVacbs+29j
		push	esi
		push	esi
		push	0C000009Ah
		push	9045Fh
		push	34h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

loc_AEB8FB:				; CODE XREF: PiKsrInitialize+18j
		mov	_PnpKsrEnabled,	1
		call	_PiKsrNotifyInitialize@0 ; PiKsrNotifyInitialize()
		mov	ebx, eax
		jmp	loc_ADC4D6
; END OF FUNCTION CHUNK	FOR CcInitializeVacbs
; 
; START	OF FUNCTION CHUNK FOR KeInitializeSchedulerAssist

loc_AEB90E:				; CODE XREF: KeInitializeSchedulerAssist+Bj
		mov	eax, ds:_KiSchedulerAssistThreadFlagOverride
		cmp	eax, edx
		jnz	short loc_AEB922
		mov	ds:_KiSchedulerAssistThreadFlagEnabled,	edx
		jmp	loc_ADC535
; 

loc_AEB922:				; CODE XREF: KeInitializeSchedulerAssist+F409j
		sub	eax, 2
		neg	eax
		sbb	eax, eax
		and	eax, edx
		jmp	loc_ADC51D
; END OF FUNCTION CHUNK	FOR KeInitializeSchedulerAssist
; 
; START	OF FUNCTION CHUNK FOR PopDripsWatchdogInitialize

loc_AEB930:				; CODE XREF: PopDripsWatchdogInitialize+14j
		call	_PopDripsWatchdogInitializeActions@4 ; PopDripsWatchdogInitializeActions(x)
		test	eax, eax
		js	loc_ADC569
		call	_PopDripsWatchdogInitializeCallbackTimer@4 ; PopDripsWatchdogInitializeCallbackTimer(x)
		test	eax, eax
		js	loc_ADC569
		call	_PopDripsWatchdogInitializeDiagnosticTimer@4 ; PopDripsWatchdogInitializeDiagnosticTimer(x)
		test	eax, eax
		js	loc_ADC569
		or	dword_6C0718, 2
		jmp	loc_ADC560
; END OF FUNCTION CHUNK	FOR PopDripsWatchdogInitialize
; 
; START	OF FUNCTION CHUNK FOR PopRecordFirmwareResetReason

loc_AEB963:				; CODE XREF: PopRecordFirmwareResetReason+1Bj
		mov	eax, [esi+0C78h]
		push	edi
		push	8
		mov	dword_6D6F38, eax
		mov	edi, offset unk_6D6F40
		mov	eax, [esi+0C7Ch]
		add	esi, 0C80h
		pop	ecx
		mov	dword_6D6F3C, eax
		rep movsd
		pop	edi
		pop	esi
		retn
; END OF FUNCTION CHUNK	FOR PopRecordFirmwareResetReason

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CreateMiniNtBootKey()
_CreateMiniNtBootKey@0 proc near	; CODE XREF: Phase1InitializationDiscard(x)+DBEp

var_4C		= dword	ptr -4Ch
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 4Ch
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		push	74696E49h
		xor	ebx, ebx
		lea	edi, [ebp+var_2C]
		xor	eax, eax
		mov	[ebp+var_C], ebx
		push	200h
		rep stosd
		push	1
		mov	[ebp+var_4], ebx
		mov	esi, ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_10], ebx
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AEBADE
		push	ds:dword_A940CC
		push	offset ??_C@_1BG@PJGFOIGG@?$AA?$CF?$AAs?$AA?2?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@PBOPGDP@
		push	100h
		push	edi
		call	_swprintf_s
		add	esp, 10h
		xor	eax, eax
		mov	[edi+1FEh], ax
		lea	eax, [ebp+var_14]
		push	edi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_14]
		mov	[ebp+var_2C], 18h
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_28], ebx
		push	eax
		mov	[ebp+var_20], 40h
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEBADE
		push	(offset	loc_ADCC29+1)
		lea	eax, [ebp+var_14]
		mov	[ebp+var_8], ebx
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_4]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_14]
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	1
		push	ebx
		push	ebx
		lea	eax, [ebp+var_2C]
		mov	[ebp+var_2C], 18h
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], 40h
		push	eax
		mov	[ebp+var_1C], ebx
		mov	[ebp+var_18], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AEBA8B
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_AEBA8B:				; CODE XREF: CreateMiniNtBootKey()+F4j
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	short loc_AEBADE
		push	ebx
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	al, ds:_InitForceInline
		cmp	al, 1
		jnz	short loc_AEBAD9
		push	8
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_4C]
		rep stosd
		lea	ecx, [ebp+var_4C]
		call	@ExTryToAcquireFastMutex@4 ; ExTryToAcquireFastMutex(x)
		mov	eax, large fs:124h
		dec	word ptr [eax+13Eh]
		nop
		mov	ecx, large fs:124h
		call	_KiLeaveGuardedRegionUnsafe@4 ;	KiLeaveGuardedRegionUnsafe(x)
		call	ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()

loc_AEBAD9:				; CODE XREF: CreateMiniNtBootKey()+118j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AEBADE:				; CODE XREF: CreateMiniNtBootKey()+3Aj
					; CreateMiniNtBootKey()+9Fj ...
		push	ebx
		push	ebx
		push	6
		push	esi
		push	32h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger
_CreateMiniNtBootKey@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ExBurnMemory(x, x, x, x)
_ExBurnMemory@16 proc near		; CODE XREF: INIT:00ACD149p
					; INIT:00ACD18Fp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		push	edi
		mov	edi, edx
		lea	ebx, [ecx+18h]
		mov	ecx, [ebx+4]
		mov	esi, edi

loc_AEBAFD:				; CODE XREF: ExBurnMemory(x,x,x,x)+39j
		mov	eax, [ecx+8]
		cmp	eax, 2
		jz	short loc_AEBB0A
		cmp	eax, 5
		jnz	short loc_AEBB1F

loc_AEBB0A:				; CODE XREF: ExBurnMemory(x,x,x,x)+18j
		mov	edx, [ecx+10h]
		test	edx, edx
		jz	short loc_AEBB1F
		cmp	edx, esi
		ja	short loc_AEBB31
		mov	eax, [ebp+arg_0]
		mov	[ecx+8], eax
		sub	esi, edx
		jz	short loc_AEBB26

loc_AEBB1F:				; CODE XREF: ExBurnMemory(x,x,x,x)+1Dj
					; ExBurnMemory(x,x,x,x)+24j
		mov	ecx, [ecx+4]
		cmp	ecx, ebx
		jnz	short loc_AEBAFD

loc_AEBB26:				; CODE XREF: ExBurnMemory(x,x,x,x)+32j
					; ExBurnMemory(x,x,x,x)+72j
		sub	edi, esi
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		pop	ebp
		retn	8
; 

loc_AEBB31:				; CODE XREF: ExBurnMemory(x,x,x,x)+28j
		mov	eax, [ecx+0Ch]
		sub	edx, esi
		mov	[ecx+10h], edx
		add	eax, edx
		mov	edx, [ebp+arg_4]
		mov	[edx+0Ch], eax
		mov	eax, [ebp+arg_0]
		mov	[edx+10h], esi
		mov	[edx+8], eax
		mov	eax, [ecx]
		cmp	[eax+4], ecx
		jnz	short loc_AEBB5F
		mov	[edx], eax
		xor	esi, esi
		mov	[edx+4], ecx
		mov	[eax+4], edx
		mov	[ecx], edx
		jmp	short loc_AEBB26
; 

loc_AEBB5F:				; CODE XREF: ExBurnMemory(x,x,x,x)+64j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
_ExBurnMemory@16 endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall InitSafeBoot(x)
_InitSafeBoot@4	proc near		; CODE XREF: INIT:00ABFC69p

var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 64h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		lea	eax, [ebp+var_30]
		push	2Ch		; size_t
		push	edi		; int
		push	eax		; void *
		mov	bl, cl
		mov	[ebp+var_44], edi
		mov	[ebp+var_34], edi
		mov	[ebp+var_38], edi
		mov	[ebp+var_40], edi
		mov	[ebp+var_3C], edi
		mov	[ebp+var_64], edi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_60], edi
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_58], edi
		mov	[ebp+var_50], 40h
		mov	[ebp+var_54], offset _CmRegistryMachineSystemCurrentControlSetControlSafeBoot
		push	18h
		pop	esi
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_34]
		mov	[ebp+var_5C], esi
		push	eax
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_AEBCB7
		test	bl, bl
		jz	short loc_AEBC0B
		push	(offset	loc_ADC785+1)
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_60]
		push	eax		; int
		push	2Ch		; int
		lea	eax, [ebp+var_30]
		push	eax		; int
		push	2		; size_t
		lea	eax, [ebp+var_40]
		push	eax		; int
		push	[ebp+var_34]	; int
		call	NtQueryValueKey
		test	eax, eax
		sets	al
		dec	al
		and	bl, al

loc_AEBC0B:				; CODE XREF: InitSafeBoot(x)+76j
		push	(offset	loc_ADC7A3+1)
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_34]
		mov	[ebp+var_58], eax
		lea	eax, [ebp+var_40]
		mov	[ebp+var_54], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	1
		push	edi
		push	edi
		lea	eax, [ebp+var_5C]
		mov	[ebp+var_5C], esi
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_38]
		mov	[ebp+var_50], 40h
		push	eax
		mov	[ebp+var_4C], edi
		mov	[ebp+var_48], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	[ebp+var_34]
		mov	esi, eax
		call	NtClose
		test	esi, esi
		js	short loc_AEBCB7
		push	offset ??_C@_1BI@CBOLNBDL@?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAV?$AAa?$AAl?$AAu?$AAe@PBOPGDP@
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		pop	esi
		push	esi
		push	offset _InitSafeBootMode
		push	esi
		push	edi
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+var_38]
		call	NtSetValueKey
		cmp	bl, 1
		jnz	short loc_AEBCAF
		push	(offset	loc_ADC7C9+1)
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_44]
		mov	[ebp+var_44], 1
		push	eax
		push	esi
		push	edi
		lea	eax, [ebp+var_40]
		push	eax
		push	[ebp+var_38]
		call	NtSetValueKey

loc_AEBCAF:				; CODE XREF: InitSafeBoot(x)+121j
		push	[ebp+var_38]
		call	NtClose

loc_AEBCB7:				; CODE XREF: InitSafeBoot(x)+6Ej
					; InitSafeBoot(x)+F7j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_InitSafeBoot@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RegistryOverwriteCentralProcessor()
_RegistryOverwriteCentralProcessor@0 proc near
					; CODE XREF: StartFirstUserProcess:loc_AE8FE9p

var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_64		= dword	ptr -64h
var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 74h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		lea	edi, [ebp+var_30]
		push	0Ah
		pop	ecx
		xor	eax, eax
		mov	[ebp+var_6C], ebx
		rep stosd
		push	offset ??_C@_1HO@NHDPAOGO@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_68], ebx
		push	eax
		mov	[ebp+var_74], ebx
		mov	[ebp+var_70], ebx
		mov	[ebp+var_48], ebx
		mov	[ebp+var_44], ebx
		mov	[ebp+var_34], ebx
		mov	[ebp+var_4C], ebx
		mov	[ebp+var_40], ebx
		mov	[ebp+var_3C], ebx
		mov	[ebp+var_38], ebx
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_64], 18h
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	8
		lea	eax, [ebp+var_34]
		mov	[ebp+var_60], ebx
		push	eax
		mov	[ebp+var_58], 240h
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEBE6B
		lea	eax, [ebp+var_4C]
		mov	edi, ebx
		push	eax
		push	26h
		lea	eax, [ebp+var_30]
		push	eax
		push	ebx
		push	ebx
		jmp	loc_AEBE55
; 

loc_AEBD5F:				; CODE XREF: RegistryOverwriteCentralProcessor()+19Fj
		inc	edi
		test	esi, esi
		js	loc_AEBE49
		mov	eax, [ebp+var_24]
		xor	ecx, ecx
		shr	eax, 1
		mov	word ptr [ebp+eax*2+var_20], cx
		lea	eax, [ebp+var_20]
		push	eax
		lea	eax, [ebp+var_74]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_34]
		mov	[ebp+var_60], eax
		lea	eax, [ebp+var_74]
		mov	[ebp+var_5C], eax
		lea	eax, [ebp+var_64]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_38]
		mov	[ebp+var_64], 18h
		push	eax
		mov	[ebp+var_58], 240h
		mov	[ebp+var_54], ebx
		mov	[ebp+var_50], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_AEBE49
		push	offset ??_C@_1BM@EKKKCBGF@?$AAN?$AAo?$AAt?$AA?5?$AAA?$AAv?$AAa?$AAi?$AAl?$AAa?$AAb?$AAl?$AAe@PBOPGDP@ ;	"Not Available"
		lea	eax, [ebp+var_40]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	offset ??_C@_1CC@GHLLHEOD@?$AAV?$AAe?$AAn?$AAd?$AAo?$AAr?$AAI?$AAd?$AAe?$AAn?$AAt?$AAi?$AAf?$AAi?$AAe@PBOPGDP@ ; "VendorIdentifier"
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, word ptr [ebp+var_40]
		add	eax, 2
		push	eax
		push	[ebp+var_3C]
		lea	eax, [ebp+var_48]
		push	1
		push	ebx
		push	eax
		push	[ebp+var_38]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1CI@HONJKKAP@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AAN?$AAa?$AAm?$AAe?$AAS?$AAt@PBOPGDP@ ; "P"
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, word ptr [ebp+var_40]
		add	eax, 2
		push	eax
		push	[ebp+var_3C]
		lea	eax, [ebp+var_48]
		push	1
		push	ebx
		push	eax
		push	[ebp+var_38]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1BG@IEICLFFJ@?$AAI?$AAd?$AAe?$AAn?$AAt?$AAi?$AAf?$AAi?$AAe?$AAr@PBOPGDP@
		lea	eax, [ebp+var_48]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		movzx	eax, word ptr [ebp+var_40]
		add	eax, 2
		push	eax
		push	[ebp+var_3C]
		lea	eax, [ebp+var_48]
		push	1
		push	ebx
		push	eax
		push	[ebp+var_38]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_38]
		call	_ZwClose@4	; ZwClose(x)

loc_AEBE49:				; CODE XREF: RegistryOverwriteCentralProcessor()+9Cj
					; RegistryOverwriteCentralProcessor()+EFj
		lea	eax, [ebp+var_4C]
		push	eax
		push	26h
		lea	eax, [ebp+var_30]
		push	eax
		push	ebx
		push	edi

loc_AEBE55:				; CODE XREF: RegistryOverwriteCentralProcessor()+94j
		push	[ebp+var_34]
		call	_ZwEnumerateKey@24 ; ZwEnumerateKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 8000001Ah
		jnz	loc_AEBD5F

loc_AEBE6B:				; CODE XREF: RegistryOverwriteCentralProcessor()+80j
		cmp	[ebp+var_34], ebx
		jz	short loc_AEBE78
		push	[ebp+var_34]
		call	_ZwClose@4	; ZwClose(x)

loc_AEBE78:				; CODE XREF: RegistryOverwriteCentralProcessor()+1A8j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_RegistryOverwriteCentralProcessor@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpAddAliasEntry(x,	x, x)
_CmpAddAliasEntry@12 proc near		; CODE XREF: CmpCreateHardwareProfiles+1D3F6p

var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 140h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		xor	eax, eax
		mov	[ebp+var_13C], 18h
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_11C], eax
		mov	edi, eax
		mov	[ebp+var_118], eax
		mov	ebx, edx
		mov	[ebp+var_114], eax
		mov	[ebp+var_110], eax
		mov	[ebp+var_124], eax
		mov	[ebp+var_120], eax
		mov	[ebp+var_12C], eax
		mov	[ebp+var_128], eax
		lea	eax, [ebp+var_13C]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_114]
		mov	[ebp+var_138], ecx
		push	eax
		mov	[ebp+var_130], 240h
		mov	[ebp+var_134], (offset loc_AF31D7+1)
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jnz	short loc_AEBF43
		lea	eax, [ebp+var_120]
		push	eax
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		lea	eax, [ebp+var_13C]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_114]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax

loc_AEBF43:				; CODE XREF: CmpAddAliasEntry(x,x,x)+92j
		test	esi, esi
		jns	short loc_AEBF52
		and	[ebp+var_114], edi
		jmp	loc_AEC08A
; 

loc_AEBF52:				; CODE XREF: CmpAddAliasEntry(x,x,x)+BCj
					; CmpAddAliasEntry(x,x,x)+166j
		xor	esi, esi
		mov	eax, 100h
		mov	[ebp+var_11C], esi
		inc	edi
		mov	word ptr [ebp+var_11C+2], ax
		lea	eax, [ebp+var_10C]
		push	edi		; char
		mov	[ebp+var_118], eax
		lea	eax, [ebp+var_11C]
		push	offset ??_C@_19BLGDCJIP@?$AA?$CF?$AA0?$AA4?$AAd@PBOPGDP@ ; "%04d"
		push	eax		; int
		call	_RtlUnicodeStringPrintf
		mov	eax, [ebp+var_114]
		add	esp, 0Ch
		mov	[ebp+var_138], eax
		lea	eax, [ebp+var_11C]
		mov	[ebp+var_134], eax
		lea	eax, [ebp+var_13C]
		mov	[ebp+var_13C], 18h
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_110]
		mov	[ebp+var_130], 240h
		push	eax
		mov	[ebp+var_12C], esi
		mov	[ebp+var_128], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AEBFF7
		push	[ebp+var_110]
		call	_ZwClose@4	; ZwClose(x)
		cmp	edi, 0C8h
		jb	loc_AEBF52
		jmp	short loc_AEC003
; 

loc_AEBFF7:				; CODE XREF: CmpAddAliasEntry(x,x,x)+153j
		lea	eax, [esi+3FFFFFCCh]
		neg	eax
		sbb	eax, eax
		and	esi, eax

loc_AEC003:				; CODE XREF: CmpAddAliasEntry(x,x,x)+16Cj
		test	esi, esi
		jns	short loc_AEC010
		and	[ebp+var_110], 0
		jmp	short loc_AEC076
; 

loc_AEC010:				; CODE XREF: CmpAddAliasEntry(x,x,x)+17Cj
		lea	eax, [ebp+var_120]
		xor	edi, edi
		push	eax
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_13C]
		push	eax
		push	2001Fh
		lea	eax, [ebp+var_110]
		push	eax
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_AEC042
		mov	[ebp+var_110], edi
		jmp	short loc_AEC076
; 

loc_AEC042:				; CODE XREF: CmpAddAliasEntry(x,x,x)+1AFj
		mov	ecx, [ebp+var_110]
		mov	edx, ebx
		call	_CmpAddDockingInfo@8 ; CmpAddDockingInfo(x,x)
		mov	eax, [ebp+arg_0]
		push	4
		mov	[ebp+var_124], eax
		lea	eax, [ebp+var_124]
		push	eax
		push	4
		push	edi
		push	(offset	loc_AF31AF+1)
		push	[ebp+var_110]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax

loc_AEC076:				; CODE XREF: CmpAddAliasEntry(x,x,x)+185j
					; CmpAddAliasEntry(x,x,x)+1B7j
		cmp	[ebp+var_114], 0
		jz	short loc_AEC08A
		push	[ebp+var_114]
		call	_ZwClose@4	; ZwClose(x)

loc_AEC08A:				; CODE XREF: CmpAddAliasEntry(x,x,x)+C4j
					; CmpAddAliasEntry(x,x,x)+1F4j
		cmp	[ebp+var_110], 0
		jz	short loc_AEC09E
		push	[ebp+var_110]
		call	_ZwClose@4	; ZwClose(x)

loc_AEC09E:				; CODE XREF: CmpAddAliasEntry(x,x,x)+208j
		mov	ecx, [ebp+var_8]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
_CmpAddAliasEntry@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	CmpBuildRegMultiSz(int,void *,size_t)
_CmpBuildRegMultiSz@20 proc near	; CODE XREF: CmpInitializeSystemBiosInformation(x)+6Bp
					; CmpInitializeSystemBiosInformation(x)+7Fp ...

var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		cmp	[ebp+arg_8], 0
		mov	eax, ecx
		mov	[ebp+var_4], eax
		jz	short locret_AEC0EC
		push	esi
		push	edi
		mov	edi, [ebp+arg_0]
		push	[ebp+arg_8]	; size_t
		push	[ebp+arg_4]	; void *
		mov	esi, [edi]
		add	esi, eax
		push	esi		; void *
		call	_memcpy
		add	esi, [ebp+arg_8]
		xor	eax, eax
		add	esp, 0Ch
		mov	[esi], ax
		sub	esi, [ebp+var_4]
		add	esi, 2
		mov	[edi], esi
		pop	edi
		pop	esi

locret_AEC0EC:				; CODE XREF: CmpBuildRegMultiSz(x,x,x,x,x)+Fj
		leave
		retn	0Ch
_CmpBuildRegMultiSz@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpCreateControlSetOverride(x)
_CmpCreateControlSetOverride@4 proc near ; CODE	XREF: CmpCreateExtendedControlSets+1EA6Fp

var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 134h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	edx, ecx
		lea	edi, [ebp+var_130]
		pop	ecx
		xor	eax, eax
		rep stosd
		push	dword ptr [edx+18h]
		xor	edi, edi
		mov	eax, 100h
		push	dword ptr [edx+1Ch] ; char
		mov	[ebp+var_118], edi
		mov	word ptr [ebp+var_118+2], ax
		lea	eax, [ebp+var_108]
		mov	[ebp+var_114], eax
		lea	eax, [ebp+var_118]
		push	offset ??_C@_1CE@EEBHDKEM@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AA?$CF?$AAw?$AAs?$AA?2?$AA?$CF@PBOPGDP@	; "\\"
		push	eax		; int
		mov	[ebp+var_10C], edi
		mov	[ebp+var_110], edi
		call	_RtlUnicodeStringPrintf
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	loc_AEC20C
		push	18h
		pop	ebx
		lea	eax, [ebp+var_118]
		mov	[ebp+var_130], ebx
		mov	[ebp+var_128], eax
		lea	eax, [ebp+var_130]
		push	eax
		push	20006h
		lea	eax, [ebp+var_10C]
		mov	[ebp+var_12C], edi
		push	eax
		mov	[ebp+var_124], 240h
		mov	[ebp+var_120], edi
		mov	[ebp+var_11C], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AEC20C
		mov	eax, [ebp+var_10C]
		push	edi
		push	edi
		push	edi
		mov	[ebp+var_12C], eax
		lea	eax, [ebp+var_130]
		push	edi
		push	eax
		push	20006h
		lea	eax, [ebp+var_110]
		mov	[ebp+var_130], ebx
		push	eax
		mov	[ebp+var_124], 240h
		mov	[ebp+var_128], offset _CmpControlSetOverride
		mov	[ebp+var_120], edi
		mov	[ebp+var_11C], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AEC20C
		mov	esi, edi

loc_AEC20C:				; CODE XREF: CmpCreateControlSetOverride(x)+71j
					; CmpCreateControlSetOverride(x)+C4j ...
		cmp	[ebp+var_110], edi
		jz	short loc_AEC21F
		push	[ebp+var_110]
		call	_ZwClose@4	; ZwClose(x)

loc_AEC21F:				; CODE XREF: CmpCreateControlSetOverride(x)+122j
		cmp	[ebp+var_10C], edi
		jz	short loc_AEC232
		push	[ebp+var_10C]
		call	_ZwClose@4	; ZwClose(x)

loc_AEC232:				; CODE XREF: CmpCreateControlSetOverride(x)+135j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_CmpCreateControlSetOverride@4 endp


;  S U B	R O U T	I N E 


; int __fastcall CmpGetSystemRelativeRegistryHiveFilePath(wchar_t *)
_CmpGetSystemRelativeRegistryHiveFilePath@4 proc near
					; CODE XREF: CmpInitializeDriverStores+1EAE1p
					; CmpInitializePreloadedHive+1D3FBp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, ecx
		push	5Ch		; wchar_t
		push	edi		; wchar_t *
		call	_wcsrchr
		mov	esi, eax
		pop	ecx
		pop	ecx
		test	esi, esi
		jz	short loc_AEC282
		cmp	esi, edi
		jbe	short loc_AEC282
		mov	ecx, esi
		sub	ecx, edi
		add	ecx, 2
		sar	ecx, 1
		cmp	ecx, 11h
		jbe	short loc_AEC284
		push	11h		; size_t
		lea	edi, [esi-20h]
		push	offset ??_C@_1CE@EFNBKPGE@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AA3?$AA2?$AA?2?$AAC?$AAo?$AAn?$AAf?$AAi@PBOPGDP@ ; wchar_t *
		push	edi		; wchar_t *
		call	__wcsnicmp
		add	esp, 0Ch
		test	eax, eax
		jnz	short loc_AEC284

loc_AEC282:				; CODE XREF: CmpGetSystemRelativeRegistryHiveFilePath(x)+14j
					; CmpGetSystemRelativeRegistryHiveFilePath(x)+18j
		mov	esi, edi

loc_AEC284:				; CODE XREF: CmpGetSystemRelativeRegistryHiveFilePath(x)+26j
					; CmpGetSystemRelativeRegistryHiveFilePath(x)+3Dj
		pop	edi
		mov	eax, esi
		pop	esi
		retn
_CmpGetSystemRelativeRegistryHiveFilePath@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpInitializeSystemBiosInformation(x)
_CmpInitializeSystemBiosInformation@4 proc near
					; CODE XREF: CmpInitializeMachineDependentConfiguration:loc_AE526Cp

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		or	[ebp+var_8], 0FFFFFFFFh
		mov	edx, ecx
		push	ebx
		push	esi
		push	edi
		push	6
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_28]
		rep stosd
		mov	edi, [edx+84h]
		push	20204D43h
		movzx	ecx, word ptr [edi+0A1Ch]
		movzx	eax, word ptr [edi+0A14h]
		movzx	ebx, word ptr [edi+0A0Ch]
		mov	[ebp+var_10], ecx
		add	ecx, 8
		mov	[ebp+var_C], eax
		add	eax, ecx
		add	eax, ebx
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_AEC37D
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_4]
		push	ebx		; size_t
		push	dword ptr [edi+0A10h] ;	void *
		mov	ecx, esi
		push	eax		; int
		call	_CmpBuildRegMultiSz@20 ; CmpBuildRegMultiSz(x,x,x,x,x)
		push	[ebp+var_C]	; size_t
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	dword ptr [edi+0A18h] ;	void *
		push	eax		; int
		call	_CmpBuildRegMultiSz@20 ; CmpBuildRegMultiSz(x,x,x,x,x)
		push	[ebp+var_10]	; size_t
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	dword ptr [edi+0A20h] ;	void *
		push	eax		; int
		call	_CmpBuildRegMultiSz@20 ; CmpBuildRegMultiSz(x,x,x,x,x)
		mov	edi, [ebp+var_4]
		xor	ebx, ebx
		push	ebx
		push	ebx
		xor	eax, eax
		mov	[esi+edi], ax
		lea	eax, [ebp+var_28]
		push	ebx
		push	ebx
		push	eax
		push	2
		lea	eax, [ebp+var_8]
		mov	[ebp+var_28], 18h
		push	eax
		mov	[ebp+var_24], ebx
		mov	[ebp+var_1C], 240h
		mov	[ebp+var_20], offset _CmRegistryMachineHardwareDescriptionSystemName
		mov	[ebp+var_18], ebx
		mov	[ebp+var_14], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AEC376
		lea	eax, [edi+2]
		push	eax
		push	esi
		push	7
		push	ebx
		push	(offset	loc_AF318F+1)
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_AEC376:				; CODE XREF: CmpInitializeSystemBiosInformation(x)+D6j
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AEC37D:				; CODE XREF: CmpInitializeSystemBiosInformation(x)+54j
		cmp	[ebp+var_8], 0FFFFFFFFh
		jz	short loc_AEC38B
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_AEC38B:				; CODE XREF: CmpInitializeSystemBiosInformation(x)+F8j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_CmpInitializeSystemBiosInformation@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpSetNetworkValue(x)
_CmpSetNetworkValue@4 proc near		; CODE XREF: CmInitSystem1(x)+649p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	ebx, ebx
		mov	[ebp+var_20], 18h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_4], ebx
		push	eax
		push	ebx
		push	ebx
		push	ebx
		lea	eax, [ebp+var_20]
		mov	[ebp+var_8], ebx
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_4]
		mov	[ebp+var_1C], ebx
		push	eax
		mov	edi, ecx
		mov	[ebp+var_14], 240h
		mov	[ebp+var_18], offset _CmpCurrentControlSetControlPxePathString
		mov	[ebp+var_10], ebx
		mov	[ebp+var_C], ebx
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AEC41B
		push	dword ptr [edi+4]
		push	dword ptr [edi]
		push	3
		push	ebx
		push	(offset	loc_AF3217+1)
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AEC41B
		push	dword ptr [edi+0Ch]
		push	dword ptr [edi+8]
		push	3
		push	ebx
		push	(offset	loc_AF323F+1)
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AEC41B
		mov	esi, ebx

loc_AEC41B:				; CODE XREF: CmpSetNetworkValue(x)+50j
					; CmpSetNetworkValue(x)+6Bj ...
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_CmpSetNetworkValue@4 endp


;  S U B	R O U T	I N E 


; __stdcall CmpUpdateStateSeparationHiveOptions()
_CmpUpdateStateSeparationHiveOptions@0 proc near ; CODE	XREF: CmInitSystem1(x)+501p
		cmp	_CmStateSeparationAllHivesVolatile, 0
		jz	short loc_AEC44B
		xor	eax, eax
		mov	ecx, 8000h

loc_AEC43A:				; CODE XREF: CmpUpdateStateSeparationHiveOptions()+1Ej
		or	dword_6B1638[eax], ecx
		add	eax, 78h
		cmp	eax, 348h
		jb	short loc_AEC43A
		retn
; 

loc_AEC44B:				; CODE XREF: CmpUpdateStateSeparationHiveOptions()+7j
		cmp	_CmStateSeparationDevMode, 0
		mov	byte_6B16C4, 0
		jnz	short loc_AEC46C
		mov	ecx, 8000h
		or	dword_6B1728, ecx
		or	dword_6B17A0, ecx

loc_AEC46C:				; CODE XREF: CmpUpdateStateSeparationHiveOptions()+2Fj
		mov	byte_6B18A4, 0
		mov	byte_6B191B, 1
		retn
_CmpUpdateStateSeparationHiveOptions@0 endp


;  S U B	R O U T	I N E 


; __stdcall CmpInitCmPrivateAlloc()
_CmpInitCmPrivateAlloc@0 proc near	; CODE XREF: CmInitSystem1(x)+173p
		xor	eax, eax
		push	eax
		push	eax
		push	626B4D43h
		push	0B0h
		push	eax
		push	1
		push	offset _CmpFreePoolLookaside@8 ; CmpFreePoolLookaside(x,x)
		push	offset _CmpAllocatePoolWithTagLookaside@16 ; CmpAllocatePoolWithTagLookaside(x,x,x,x)
		push	offset _CmpKcbLookaside
		call	ExInitializeLookasideListExInternal
		retn
_CmpInitCmPrivateAlloc@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpGetKnownHivePathNode(x, x, x, x,	x, x, x, x)
_CmpGetKnownHivePathNode@32 proc near	; CODE XREF: CmpFindRedirectedDriverServiceStateNode+1BD86p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h
arg_10		= dword	ptr  18h
arg_14		= dword	ptr  1Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		and	[ebp+var_8], 0
		mov	esi, ecx
		and	[ebp+var_4], 0
		push	edi
		mov	edi, edx
		mov	edx, [ebp+arg_8]
		push	24h
		pop	ecx
		mov	eax, [edx+4]
		add	eax, ecx
		mov	[ebp+var_C], eax
		mov	ax, [edx+2]
		sub	ax, cx
		mov	word ptr [ebp+var_10+2], ax
		mov	ax, [edx]
		lea	edx, [ebp+var_8]
		sub	ax, cx
		lea	ecx, [ebp-10h]
		mov	word ptr [ebp+var_10], ax
		lea	eax, [ebp+arg_8+3]
		push	eax
		call	_CmpGetNextName@12 ; CmpGetNextName(x,x,x)
		test	al, al
		jz	short loc_AEC53D
		push	1
		push	(offset	loc_AF34BF+1)
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jnz	short loc_AEC51B
		push	1
		push	(offset	loc_AF3443+5)
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		test	al, al
		jz	short loc_AEC53D
		mov	esi, [ebp+arg_0]
		mov	edi, [ebp+arg_4]

loc_AEC51B:				; CODE XREF: CmpGetKnownHivePathNode(x,x,x,x,x,x,x,x)+5Ej
		test	esi, esi
		jz	short loc_AEC53D
		push	[ebp+arg_14]
		lea	eax, [ebp+var_10]
		mov	edx, edi
		push	[ebp+arg_10]
		mov	ecx, esi
		push	eax
		call	CmpFindHiveSubKey
		test	al, al
		jz	short loc_AEC53F
		mov	ecx, [ebp+arg_C]
		mov	[ecx], esi
		jmp	short loc_AEC53F
; 

loc_AEC53D:				; CODE XREF: CmpGetKnownHivePathNode(x,x,x,x,x,x,x,x)+4Aj
					; CmpGetKnownHivePathNode(x,x,x,x,x,x,x,x)+72j	...
		xor	al, al

loc_AEC53F:				; CODE XREF: CmpGetKnownHivePathNode(x,x,x,x,x,x,x,x)+93j
					; CmpGetKnownHivePathNode(x,x,x,x,x,x,x,x)+9Aj
		pop	edi
		pop	esi
		leave
		retn	18h
_CmpGetKnownHivePathNode@32 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLoadManufacturingModeNode(x, x, x, x)
_CmpLoadManufacturingModeNode@16 proc near
					; CODE XREF: CmpLoadManufacturingProfileNode(x,x,x,x,x)+2Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		or	[ebp+var_10], 0FFFFFFFFh
		lea	eax, [ebp+var_8]
		and	[ebp+var_C], 0
		or	[ebp+var_8], 0FFFFFFFFh
		and	[ebp+var_4], 0
		push	esi
		push	edi
		push	eax
		mov	esi, ecx
		push	edx
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_AEC5CA
		push	(offset	loc_AF34CB+5)
		mov	edx, eax
		mov	ecx, esi
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		mov	edi, eax
		lea	eax, [ebp+var_8]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_AEC5CA
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		push	esi
		call	dword ptr [esi+4]
		test	eax, eax
		jz	short loc_AEC5CA
		push	(offset	loc_AF33A3+5)
		mov	edx, eax
		mov	ecx, esi
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		mov	edi, eax
		lea	eax, [ebp+var_10]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_AEC5CA
		push	[ebp+arg_4]
		push	edi
		push	esi
		call	dword ptr [esi+4]
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_AEC5CA
		mov	al, 1
		jmp	short loc_AEC5CC
; 

loc_AEC5CA:				; CODE XREF: CmpLoadManufacturingModeNode(x,x,x,x)+27j
					; CmpLoadManufacturingModeNode(x,x,x,x)+44j ...
		xor	al, al

loc_AEC5CC:				; CODE XREF: CmpLoadManufacturingModeNode(x,x,x,x)+83j
		pop	edi
		pop	esi
		leave
		retn	8
_CmpLoadManufacturingModeNode@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLoadManufacturingProfileNode(x, x, x, x,	x)
_CmpLoadManufacturingProfileNode@20 proc near
					; CODE XREF: CmpLoadManufacturingProfileServicesNode(x,x,x,x,x)+23p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		or	[ebp+var_C], 0FFFFFFFFh
		xor	eax, eax
		push	esi
		mov	esi, ecx
		mov	[ebp+var_4], eax
		push	edi
		mov	[ebp+var_8], eax
		mov	[ebp+var_14], eax
		mov	[ebp+var_10], eax
		cmp	[ebp+arg_0], eax
		jz	short loc_AEC61E
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_4]
		push	eax
		call	_CmpLoadManufacturingModeNode@16 ; CmpLoadManufacturingModeNode(x,x,x,x)
		test	al, al
		jz	short loc_AEC61E
		push	[ebp+arg_0]
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		jns	short loc_AEC626
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	dword ptr [esi+8]

loc_AEC61E:				; CODE XREF: CmpLoadManufacturingProfileNode(x,x,x,x,x)+21j
					; CmpLoadManufacturingProfileNode(x,x,x,x,x)+32j ...
		xor	al, al

loc_AEC620:				; CODE XREF: CmpLoadManufacturingProfileNode(x,x,x,x,x)+84j
		pop	edi
		pop	esi
		leave
		retn	0Ch
; 

loc_AEC626:				; CODE XREF: CmpLoadManufacturingProfileNode(x,x,x,x,x)+42j
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_14]
		push	eax
		mov	ecx, esi
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		mov	edi, eax
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_AEC61E
		push	[ebp+arg_8]
		push	edi
		push	esi
		call	dword ptr [esi+4]
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_AEC61E
		mov	al, 1
		jmp	short loc_AEC620
_CmpLoadManufacturingProfileNode@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall CmpLoadManufacturingProfileServicesNode(x, x, x, x,	x)
_CmpLoadManufacturingProfileServicesNode@20 proc near ;	CODE XREF: CmpFindDrivers+1AEE6p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		lea	eax, [ebp+var_C]
		or	[ebp+var_C], 0FFFFFFFFh
		and	[ebp+var_8], 0
		push	esi
		push	edi
		push	eax
		lea	eax, [ebp+var_4]
		mov	esi, ecx
		push	eax
		push	[ebp+arg_0]
		call	_CmpLoadManufacturingProfileNode@20 ; CmpLoadManufacturingProfileNode(x,x,x,x,x)
		test	al, al
		jz	short loc_AEC6B7
		mov	edx, [ebp+var_4]
		mov	ecx, esi
		push	(offset	loc_AF3347+1)
		call	_CmpFindSubKeyByName@12	; CmpFindSubKeyByName(x,x,x)
		mov	edi, eax
		lea	eax, [ebp+var_C]
		push	eax
		push	esi
		call	dword ptr [esi+8]
		cmp	edi, 0FFFFFFFFh
		jz	short loc_AEC6B7
		push	[ebp+arg_8]
		push	edi
		push	esi
		call	dword ptr [esi+4]
		mov	ecx, [ebp+arg_4]
		mov	[ecx], eax
		test	eax, eax
		jz	short loc_AEC6B7
		mov	al, 1
		jmp	short loc_AEC6B9
; 

loc_AEC6B7:				; CODE XREF: CmpLoadManufacturingProfileServicesNode(x,x,x,x,x)+2Aj
					; CmpLoadManufacturingProfileServicesNode(x,x,x,x,x)+48j ...
		xor	al, al

loc_AEC6B9:				; CODE XREF: CmpLoadManufacturingProfileServicesNode(x,x,x,x,x)+5Dj
		pop	edi
		pop	esi
		leave
		retn	0Ch
_CmpLoadManufacturingProfileServicesNode@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpDiscoverTopologyAmd(x, x, x, x)
_HvlpDiscoverTopologyAmd@16 proc near	; CODE XREF: HvlpDiscoverTopologyWorker+17j

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		mov	[ebp+var_20], eax
		mov	ebx, ecx
		mov	eax, [ebp+arg_4]
		push	esi
		push	edi
		mov	[ebp+var_24], eax
		lea	edi, [ebp+var_14]
		xor	eax, eax
		mov	[ebp+var_1C], edx
		stosd
		xor	esi, esi
		inc	esi
		mov	edx, 80000000h
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_14]
		push	eax
		push	0
		mov	edi, esi
		call	_HvlpLpCpuid@16	; HvlpLpCpuid(x,x,x,x)
		mov	eax, [ebp+var_14]
		mov	edx, 80000008h
		mov	[ebp+var_18], eax
		cmp	eax, edx
		jb	short loc_AEC783
		lea	eax, [ebp+var_14]
		mov	ecx, ebx
		push	eax
		push	0
		call	_HvlpLpCpuid@16	; HvlpLpCpuid(x,x,x,x)
		mov	eax, [ebp+var_C]
		mov	ecx, eax
		shr	ecx, 0Ch
		and	ecx, 0Fh
		jnz	short loc_AEC739
		movzx	eax, al
		lea	eax, ds:1[eax*2]
		bsr	ecx, eax

loc_AEC739:				; CODE XREF: HvlpDiscoverTopologyAmd(x,x,x,x)+6Bj
		shl	esi, cl
		cmp	[ebp+var_18], 8000001Eh
		jb	short loc_AEC783
		lea	eax, [ebp+var_14]
		mov	edx, 80000001h
		push	eax
		push	0
		mov	ecx, ebx
		call	_HvlpLpCpuid@16	; HvlpLpCpuid(x,x,x,x)
		test	[ebp+var_C], 400000h
		jz	short loc_AEC783
		lea	eax, [ebp+var_14]
		mov	edx, 8000001Eh
		push	eax
		push	0
		mov	ecx, ebx
		call	_HvlpLpCpuid@16	; HvlpLpCpuid(x,x,x,x)
		mov	ecx, [ebp+var_10]
		mov	eax, esi
		shr	ecx, 8
		xor	edx, edx
		movzx	edi, cl
		inc	edi
		div	edi
		mov	esi, eax

loc_AEC783:				; CODE XREF: HvlpDiscoverTopologyAmd(x,x,x,x)+51j
					; HvlpDiscoverTopologyAmd(x,x,x,x)+83j	...
		mov	eax, [ebp+var_1C]
		mov	ecx, edi
		imul	ecx, esi
		xor	edx, edx
		div	ecx
		mov	ecx, [ebp+var_20]
		xor	edx, edx
		mov	[ecx], eax
		mov	eax, [ebp+var_1C]
		div	edi
		mov	ecx, [ebp+var_24]
		pop	edi
		pop	esi
		pop	ebx
		mov	[ecx], eax
		mov	ecx, [ebp+var_4]
		xor	ecx, ebp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_HvlpDiscoverTopologyAmd@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpDiscoverTopologyComplete()
_HvlpDiscoverTopologyComplete@0	proc near ; CODE XREF: HvlPhase2Initialize+7DDC6p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	[ebp+var_4], edi
		cmp	ds:_HvlpLogicalProcessorCount, edi
		jz	loc_AEC878
		mov	esi, offset dword_706028

loc_AEC7D2:				; CODE XREF: HvlpDiscoverTopologyComplete()+C1j
		cmp	dword ptr [esi+10h], 0FFFFFFFFh
		jnz	short loc_AEC7EA
		mov	edx, [esi]
		lea	eax, [esi+0Ch]
		mov	ecx, [esi-4]
		push	eax
		lea	eax, [esi+8]
		push	eax
		call	HvlpDiscoverTopologyWorker

loc_AEC7EA:				; CODE XREF: HvlpDiscoverTopologyComplete()+25j
		mov	ebx, [esi+8]
		cmp	ebx, dword_6FE154
		jbe	short loc_AEC7FB
		mov	dword_6FE154, ebx

loc_AEC7FB:				; CODE XREF: HvlpDiscoverTopologyComplete()+42j
		mov	eax, [esi+0Ch]
		mov	[ebp+var_8], eax
		cmp	eax, dword_6FE158
		jbe	short loc_AEC80E
		mov	dword_6FE158, eax

loc_AEC80E:				; CODE XREF: HvlpDiscoverTopologyComplete()+56j
		cmp	byte ptr [esi+58h], 0
		jz	short loc_AEC865
		lea	eax, [esi-8]
		mov	dl, 1
		mov	[ebp+var_C], eax
		mov	dh, dl
		cmp	eax, offset _HvlpLogicalProcessorRegions
		jz	short loc_AEC855
		mov	edi, [ebp+var_8]
		mov	ecx, offset unk_706030

loc_AEC82D:				; CODE XREF: HvlpDiscoverTopologyComplete()+9Bj
		cmp	byte ptr [ecx+50h], 0
		jz	short loc_AEC843
		cmp	[ecx], ebx
		setz	al
		dec	al
		and	dl, al
		cmp	[ecx+4], edi
		jnz	short loc_AEC843
		xor	dh, dh

loc_AEC843:				; CODE XREF: HvlpDiscoverTopologyComplete()+80j
					; HvlpDiscoverTopologyComplete()+8Ej
		add	ecx, 68h
		lea	eax, [ecx-10h]
		cmp	eax, [ebp+var_C]
		jnz	short loc_AEC82D
		mov	edi, [ebp+var_4]
		test	dl, dl
		jz	short loc_AEC85B

loc_AEC855:				; CODE XREF: HvlpDiscoverTopologyComplete()+72j
		inc	ds:_HvlpPackageCount

loc_AEC85B:				; CODE XREF: HvlpDiscoverTopologyComplete()+A2j
		test	dh, dh
		jz	short loc_AEC865
		inc	ds:_HvlpCoreCount

loc_AEC865:				; CODE XREF: HvlpDiscoverTopologyComplete()+61j
					; HvlpDiscoverTopologyComplete()+ACj
		inc	edi
		add	esi, 68h
		mov	[ebp+var_4], edi
		cmp	edi, ds:_HvlpLogicalProcessorCount
		jb	loc_AEC7D2

loc_AEC878:				; CODE XREF: HvlpDiscoverTopologyComplete()+16j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_HvlpDiscoverTopologyComplete@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpDiscoverTopologyIntel(x, x, x, x)
_HvlpDiscoverTopologyIntel@16 proc near	; CODE XREF: HvlpDiscoverTopologyWorker+1Dj

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_15		= byte ptr -15h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_1C], eax
		lea	edi, [ebp+var_14]
		xor	eax, eax
		mov	ebx, ecx
		mov	ecx, [ebp+arg_4]
		xor	esi, esi
		stosd
		mov	[ebp+var_20], ecx
		mov	[ebp+var_24], ebx
		mov	[ecx], edx
		mov	ecx, ebx
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_14]
		mov	edi, [ebp+var_1C]
		push	eax
		push	esi
		mov	[edi], edx
		xor	edx, edx
		call	_HvlpLpCpuid@16	; HvlpLpCpuid(x,x,x,x)
		mov	eax, [ebp+var_14]
		mov	[ebp+var_1C], eax
		cmp	eax, 0Bh
		jb	short loc_AEC926
		lea	eax, [ebp+var_14]
		mov	ecx, ebx
		push	eax
		push	esi
		push	0Bh
		pop	edx
		call	_HvlpLpCpuid@16	; HvlpLpCpuid(x,x,x,x)
		cmp	[ebp+var_10], esi
		jz	short loc_AEC923

loc_AEC8E2:				; CODE XREF: HvlpDiscoverTopologyIntel(x,x,x,x)+9Fj
		lea	eax, [ebp+var_14]
		mov	ecx, ebx
		push	eax
		push	esi
		push	0Bh
		pop	edx
		call	_HvlpLpCpuid@16	; HvlpLpCpuid(x,x,x,x)
		mov	eax, [ebp+var_C]
		inc	esi
		shr	eax, 8
		sub	eax, 1
		jz	short loc_AEC90C
		sub	eax, 1
		jnz	short loc_AEC917
		mov	ecx, [ebp+var_14]
		and	ecx, 1Fh
		shr	dword ptr [edi], cl
		jmp	short loc_AEC917
; 

loc_AEC90C:				; CODE XREF: HvlpDiscoverTopologyIntel(x,x,x,x)+7Ej
		mov	eax, [ebp+var_20]
		mov	ecx, [ebp+var_14]
		and	ecx, 1Fh
		shr	dword ptr [eax], cl

loc_AEC917:				; CODE XREF: HvlpDiscoverTopologyIntel(x,x,x,x)+83j
					; HvlpDiscoverTopologyIntel(x,x,x,x)+8Dj
		cmp	word ptr [ebp+var_10], 0
		jnz	short loc_AEC8E2
		jmp	loc_AEC9B4
; 

loc_AEC923:				; CODE XREF: HvlpDiscoverTopologyIntel(x,x,x,x)+63j
		mov	eax, [ebp+var_1C]

loc_AEC926:				; CODE XREF: HvlpDiscoverTopologyIntel(x,x,x,x)+4Fj
		push	4
		pop	edx
		cmp	eax, edx
		jb	short loc_AEC955
		lea	eax, [ebp+var_14]
		mov	ecx, ebx
		push	eax
		push	esi
		call	_HvlpLpCpuid@16	; HvlpLpCpuid(x,x,x,x)
		mov	eax, [ebp+var_14]
		xor	ebx, ebx
		shr	eax, 1Ah
		inc	ebx
		lea	eax, ds:1[eax*2]
		bsr	ecx, eax
		mov	al, bl
		shl	al, cl
		mov	[ebp+var_15], al
		jmp	short loc_AEC95B
; 

loc_AEC955:				; CODE XREF: HvlpDiscoverTopologyIntel(x,x,x,x)+AEj
		xor	ebx, ebx
		inc	ebx
		mov	[ebp+var_15], bl

loc_AEC95B:				; CODE XREF: HvlpDiscoverTopologyIntel(x,x,x,x)+D6j
		mov	ecx, [ebp+var_24]
		lea	eax, [ebp+var_14]
		push	eax
		push	esi
		mov	edx, ebx
		call	_HvlpLpCpuid@16	; HvlpLpCpuid(x,x,x,x)
		test	[ebp+var_8], 10000000h
		jz	short loc_AEC98D
		mov	eax, [ebp+var_10]
		shr	eax, 10h
		movzx	eax, al
		lea	eax, ds:0FFFFFFFFh[eax*2]
		bsr	ecx, eax
		mov	al, [ebp+var_15]
		shl	bl, cl
		jmp	short loc_AEC992
; 

loc_AEC98D:				; CODE XREF: HvlpDiscoverTopologyIntel(x,x,x,x)+F4j
		mov	al, [ebp+var_15]
		mov	bl, al

loc_AEC992:				; CODE XREF: HvlpDiscoverTopologyIntel(x,x,x,x)+10Ej
		movzx	ecx, al
		xor	edx, edx
		movzx	esi, bl
		mov	eax, esi
		mov	ebx, [ebp+var_20]
		div	ecx
		xor	edx, edx
		movzx	ecx, al
		mov	eax, [ebx]
		div	ecx
		xor	edx, edx
		mov	[ebx], eax
		mov	eax, [edi]
		div	esi
		mov	[edi], eax

loc_AEC9B4:				; CODE XREF: HvlpDiscoverTopologyIntel(x,x,x,x)+A1j
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_HvlpDiscoverTopologyIntel@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall HvlpLpCpuid(x, x, x, x)
_HvlpLpCpuid@16	proc near		; CODE XREF: HvlpDiscoverTopologyAmd(x,x,x,x)+3Fp
					; HvlpDiscoverTopologyAmd(x,x,x,x)+5Bp	...

var_40		= dword	ptr -40h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 44h
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, edx
		lea	edi, [ebp+var_40]
		mov	edx, ecx
		xor	eax, eax
		mov	[ebp+var_4], edx
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_28]
		push	6
		pop	ecx
		rep stosd
		cmp	edx, 0FFFFFFFFh
		jnz	short loc_AECA0A
		mov	ecx, [ebp+arg_0]
		mov	eax, ebx
		push	ebx
		cpuid
		mov	edi, ebx
		pop	ebx
		nop
		mov	esi, [ebp+arg_4]
		mov	[esi], eax
		mov	[esi+4], edi
		mov	[esi+8], ecx
		mov	[esi+0Ch], edx
		jmp	short loc_AECA82
; 

loc_AECA0A:				; CODE XREF: HvlpLpCpuid(x,x,x,x)+27j
		push	10h
		xor	edx, edx
		lea	ecx, [ebp+var_40]
		xor	edi, edi
		inc	edx
		push	edi
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	10h
		push	edi
		push	2
		pop	edx
		lea	ecx, [ebp+var_28]
		mov	esi, eax
		call	_HvlpAcquireHypercallPage@16 ; HvlpAcquireHypercallPage(x,x,x,x)
		push	[ebp+var_14]
		mov	ecx, [ebp+arg_0]
		mov	edi, eax
		push	[ebp+var_18]
		mov	eax, [ebp+var_4]
		push	[ebp+var_2C]
		mov	[esi], eax
		push	[ebp+var_30]
		mov	dword ptr [esi+4], 10000h
		push	1
		push	88h
		mov	[esi+8], ebx
		mov	[esi+0Ch], ecx
		call	_HvcallInitiateHypercall@24 ; HvcallInitiateHypercall(x,x,x,x,x,x)
		mov	ecx, [ebp+arg_4]
		mov	eax, [edi]
		mov	[ecx], eax
		mov	eax, [edi+4]
		mov	[ecx+4], eax
		mov	eax, [edi+8]
		mov	[ecx+8], eax
		mov	eax, [edi+0Ch]
		mov	[ecx+0Ch], eax
		lea	ecx, [ebp+var_28]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)
		lea	ecx, [ebp+var_40]
		call	_HvlpReleaseHypercallPage@4 ; HvlpReleaseHypercallPage(x)

loc_AECA82:				; CODE XREF: HvlpLpCpuid(x,x,x,x)+43j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_HvlpLpCpuid@16	endp


;  S U B	R O U T	I N E 


; __stdcall BvgaIndicateProgress()
_BvgaIndicateProgress@0	proc near	; DATA XREF: .data:006B2CBCo
		mov	eax, ds:_BvgaProgressIndicator
		xor	edx, edx
		inc	eax
		mov	ds:_BvgaProgressIndicator, eax
		imul	eax, 64h
		div	ds:dword_AFD024
		cmp	eax, 63h
		jbe	short loc_AECAA7
		push	63h
		pop	eax

loc_AECAA7:				; CODE XREF: BvgaIndicateProgress()+19j
		cmp	eax, ds:dword_AFD028
		jz	short locret_AECABA
		push	eax
		mov	ds:dword_AFD028, eax
		call	_BvgaUpdateProgressBar@4 ; BvgaUpdateProgressBar(x)

locret_AECABA:				; CODE XREF: BvgaIndicateProgress()+24j
		retn
_BvgaIndicateProgress@0	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopGetBootDiskInformation(x, x)
_IopGetBootDiskInformation@8 proc near	; CODE XREF: IoGetBootDiskInformation(x,x)+1Bp

var_198		= dword	ptr -198h
var_194		= dword	ptr -194h
var_190		= dword	ptr -190h
var_18C		= dword	ptr -18Ch
var_188		= dword	ptr -188h
var_184		= dword	ptr -184h
var_180		= dword	ptr -180h
var_17C		= dword	ptr -17Ch
var_178		= dword	ptr -178h
var_174		= dword	ptr -174h
var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_120		= dword	ptr -120h
var_114		= dword	ptr -114h
var_108		= byte ptr -108h
var_90		= byte ptr -90h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 194h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+194h+var_4], eax
		push	ebx
		push	esi
		push	edi
		mov	esi, edx
		mov	ebx, ecx
		mov	[esp+1A0h+var_174], ebx
		xor	eax, eax
		mov	[esp+1A0h+var_140], eax
		push	6
		pop	ecx
		lea	edi, [esp+1A0h+var_120]
		mov	[esp+1A0h+var_13C], eax
		rep stosd
		mov	[esp+1A0h+var_148], eax
		lea	edi, [esp+1A0h+var_130]
		mov	[esp+1A0h+var_144], eax
		mov	[esp+1A0h+var_15C], eax
		mov	[esp+1A0h+var_158], eax
		mov	[esp+1A0h+var_18C], eax
		mov	[esp+1A0h+var_154], eax
		mov	[esp+1A0h+var_150], eax
		mov	[esp+1A0h+var_184], eax
		mov	[esp+1A0h+var_164], eax
		mov	[esp+1A0h+var_160], eax
		stosd
		stosd
		stosd
		stosd
		call	_IoGetConfigurationInformation@0 ; IoGetConfigurationInformation()
		mov	eax, [eax]
		mov	[esp+1A0h+var_178], eax
		xor	eax, eax
		cmp	_InitializationPhase, 2
		mov	[esp+1A0h+var_138], eax
		mov	[esp+1A0h+var_134], eax
		mov	[esp+1A0h+var_190], eax
		jb	short loc_AECB54
		mov	eax, 0C0000189h
		jmp	loc_AECEFB
; 

loc_AECB54:				; CODE XREF: IopGetBootDiskInformation(x,x)+8Dj
		cmp	esi, 18h
		jnb	short loc_AECB63
		mov	eax, 0C000000Dh
		jmp	loc_AECEFB
; 

loc_AECB63:				; CODE XREF: IopGetBootDiskInformation(x,x)+9Cj
		cmp	esi, 40h
		mov	esi, ds:_KeLoaderBlock
		sbb	eax, eax
		not	eax
		mov	edi, [esi+80h]
		and	eax, ebx
		push	dword ptr [esi+68h]
		mov	[esp+1A4h+var_180], eax
		mov	[esp+1A4h+var_16C], edi
		mov	eax, [edi]
		mov	eax, [eax]
		mov	[esp+1A4h+var_14C], eax
		lea	eax, [esp+1A4h+var_140]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	dword ptr [esi+6Ch]
		lea	eax, [esp+1A4h+var_138]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		xor	eax, eax
		mov	[esp+1A0h+var_168], eax
		cmp	[esp+1A0h+var_178], eax
		jbe	loc_AECEF9

loc_AECBB2:				; CODE XREF: IopGetBootDiskInformation(x,x)+438j
		push	eax		; char
		push	offset ??_C@_0BO@FKAHPBKI@?2Device?2Harddisk?$CFd?2Partition0@PBOPGDP@ ; "\\Device\\Harddisk%d\\Partition0"
		lea	eax, [esp+1A8h+var_108]
		push	80h		; int
		push	eax		; char *
		call	RtlStringCchPrintfA
		add	esp, 10h
		lea	eax, [esp+1A0h+var_108]
		push	eax
		lea	eax, [esp+1A4h+var_148]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [esp+1A4h+var_148]
		push	eax
		lea	eax, [esp+1A8h+var_15C]
		push	eax
		call	RtlAnsiStringToUnicodeString
		test	eax, eax
		js	loc_AECEE6
		lea	eax, [esp+1A0h+var_18C]
		push	eax
		lea	eax, [esp+1A4h+var_184]
		push	eax
		push	80h
		lea	eax, [esp+1ACh+var_15C]
		push	eax
		call	IoGetDeviceObjectPointer
		mov	esi, eax
		lea	eax, [esp+1A0h+var_15C]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	esi, esi
		js	loc_AECEE6
		push	dword ptr [ebp+4] ; int
		lea	eax, [esp+1A4h+var_164]
		push	eax		; int
		lea	eax, [esp+1A8h+var_130]
		push	eax		; int
		push	0		; int
		push	18h		; int
		lea	eax, [esp+1B4h+var_120]
		push	eax		; int
		push	0		; size_t
		push	0		; void *
		push	[esp+1C0h+var_18C] ; int
		push	70000h		; int
		call	IopBuildDeviceIoControlRequest
		mov	esi, eax
		test	esi, esi
		jnz	short loc_AECC64

loc_AECC56:				; CODE XREF: IopGetBootDiskInformation(x,x)+1E4j
		mov	ecx, [esp+1A0h+var_184]
		call	ObfDereferenceObject
		jmp	loc_AECEE6
; 

loc_AECC64:				; CODE XREF: IopGetBootDiskInformation(x,x)+199j
		push	0
		push	0
		lea	eax, [esp+1A8h+var_130]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		mov	ecx, [esp+1A0h+var_18C]
		mov	edx, esi
		call	IofCallDriver
		cmp	eax, 103h
		jnz	short loc_AECC9D
		push	0
		push	0
		push	0
		push	5
		lea	eax, [esp+1B0h+var_130]
		push	eax
		call	KeWaitForSingleObject
		mov	eax, [esp+1A0h+var_164]

loc_AECC9D:				; CODE XREF: IopGetBootDiskInformation(x,x)+1C7j
		test	eax, eax
		js	short loc_AECC56
		mov	edi, 1000h
		push	6F426F49h
		push	edi
		jmp	short loc_AECD25
; 

loc_AECCAE:				; CODE XREF: IopGetBootDiskInformation(x,x)+278j
		push	dword ptr [ebp+4] ; int
		lea	eax, [esp+1ACh+var_16C]
		push	eax		; int
		lea	eax, [esp+1B0h+var_138]
		push	eax		; int
		xor	eax, eax
		push	eax		; int
		push	edi		; int
		push	ebx		; int
		push	eax		; size_t
		push	eax		; void *
		push	[esp+1C8h+var_194] ; int
		push	70050h		; int
		call	IopBuildDeviceIoControlRequest
		mov	esi, eax
		test	esi, esi
		jz	short loc_AECD39
		lea	eax, [esp+1A8h+var_138]
		push	eax
		call	_KeResetEvent@4	; KeResetEvent(x)
		mov	ecx, [esp+1A8h+var_194]
		mov	edx, esi
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_AECD0D
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	5
		lea	eax, [esp+1B8h+var_138]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+1A8h+var_16C]

loc_AECD0D:				; CODE XREF: IopGetBootDiskInformation(x,x)+238j
		cmp	esi, 0C0000023h
		jnz	short loc_AECD3E
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		add	edi, edi
		push	6F426F49h
		push	edi

loc_AECD25:				; CODE XREF: IopGetBootDiskInformation(x,x)+1F1j
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	loc_AECCAE

loc_AECD39:				; CODE XREF: IopGetBootDiskInformation(x,x)+219j
		mov	esi, 0C000009Ah

loc_AECD3E:				; CODE XREF: IopGetBootDiskInformation(x,x)+258j
		mov	ecx, [esp+1A8h+var_18C]
		call	ObfDereferenceObject
		test	esi, esi
		jns	short loc_AECD58
		test	ebx, ebx
		jz	loc_AECEE6
		jmp	loc_AECEDE
; 

loc_AECD58:				; CODE XREF: IopGetBootDiskInformation(x,x)+28Ej
		mov	eax, 200h
		cmp	[esp+1A8h+var_114], eax
		jnb	short loc_AECD6D
		mov	[esp+1A8h+var_114], eax

loc_AECD6D:				; CODE XREF: IopGetBootDiskInformation(x,x)+2A9j
		mov	edi, [esp+1A8h+var_174]
		mov	ecx, [edi]
		jmp	loc_AECED2
; 

loc_AECD78:				; CODE XREF: IopGetBootDiskInformation(x,x)+41Dj
		cmp	[esp+1A8h+var_154], edi
		jnz	short loc_AECD8A
		cmp	[esp+1A8h+var_180], 1
		jnz	short loc_AECD8A
		cmp	dword ptr [ebx], 0
		jz	short loc_AECDA4

loc_AECD8A:				; CODE XREF: IopGetBootDiskInformation(x,x)+2C1j
					; IopGetBootDiskInformation(x,x)+2C8j
		lea	eax, [esp+1A8h+var_198]
		mov	edx, ecx
		push	eax
		mov	ecx, ebx
		call	IopVerifyDiskSignature
		mov	ecx, [esp+1A8h+var_190]
		test	al, al
		jz	loc_AECED0

loc_AECDA4:				; CODE XREF: IopGetBootDiskInformation(x,x)+2CDj
		and	[esp+1A8h+var_178], 0
		cmp	dword ptr [ebx+4], 0
		jbe	loc_AECED0
		mov	edi, [esp+1A8h+var_198]
		lea	esi, [ebx+38h]
		mov	[esp+1A8h+var_184], esi

loc_AECDBE:				; CODE XREF: IopGetBootDiskInformation(x,x)+40Bj
		test	edi, edi
		jnz	short loc_AECDCD
		cmp	[ebx], edi
		jnz	short loc_AECDCD
		mov	edi, [ebx+8]
		mov	[esp+1A8h+var_198], edi

loc_AECDCD:				; CODE XREF: IopGetBootDiskInformation(x,x)+305j
					; IopGetBootDiskInformation(x,x)+309j
		mov	eax, [esi+10h]
		test	eax, eax
		jz	loc_AECEAC
		push	eax
		push	dword ptr [ecx+0Ch] ; char
		lea	eax, [esp+1B0h+var_90]
		push	offset ??_C@_0BA@LLFPLPJL@?$CFspartition?$CI?$CFd?$CJ@PBOPGDP@ ; char *
		push	80h		; int
		push	eax		; char *
		call	RtlStringCchPrintfA
		add	esp, 14h
		lea	eax, [esp+1A8h+var_90]
		push	eax
		lea	eax, [esp+1ACh+var_15C]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [esp+1ACh+var_148]
		push	eax
		lea	eax, [esp+1B0h+var_15C]
		push	eax
		call	_RtlEqualString@12 ; RtlEqualString(x,x,x)
		test	al, al
		jz	short loc_AECE54
		mov	ecx, [esp+1A8h+var_17C]
		mov	[ecx+10h], edi
		mov	eax, [esi]
		mov	[ecx], eax
		mov	eax, [esi+4]
		mov	[ecx+4], eax
		mov	eax, [esp+1A8h+var_188]
		mov	ecx, [ebx]
		test	eax, eax
		jz	short loc_AECE54
		cmp	ecx, 1
		jnz	short loc_AECE50
		mov	[eax+38h], cl
		lea	esi, [ebx+8]
		lea	edi, [eax+18h]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [esp+1A8h+var_184]
		jmp	short loc_AECE54
; 

loc_AECE50:				; CODE XREF: IopGetBootDiskInformation(x,x)+380j
		mov	byte ptr [eax+38h], 0

loc_AECE54:				; CODE XREF: IopGetBootDiskInformation(x,x)+360j
					; IopGetBootDiskInformation(x,x)+37Bj ...
		push	1
		lea	eax, [esp+1ACh+var_140]
		push	eax
		lea	eax, [esp+1B0h+var_15C]
		push	eax
		call	_RtlEqualString@12 ; RtlEqualString(x,x,x)
		mov	edi, [esp+1A8h+var_198]
		test	al, al
		jz	short loc_AECEAC
		mov	ecx, [esp+1A8h+var_17C]
		mov	[ecx+14h], edi
		mov	eax, [esi]
		mov	[ecx+8], eax
		mov	eax, [esi+4]
		mov	[ecx+0Ch], eax
		cmp	dword ptr [ebx], 1
		mov	eax, [esp+1A8h+var_188]
		jnz	short loc_AECEA4
		test	eax, eax
		jz	short loc_AECEAC
		mov	byte ptr [eax+39h], 1
		lea	esi, [ebx+8]
		lea	edi, [eax+28h]
		movsd
		movsd
		movsd
		movsd
		mov	esi, [esp+1A8h+var_184]
		mov	edi, [esp+1A8h+var_198]
		jmp	short loc_AECEAC
; 

loc_AECEA4:				; CODE XREF: IopGetBootDiskInformation(x,x)+3CBj
		test	eax, eax
		jz	short loc_AECEAC
		mov	byte ptr [eax+39h], 0

loc_AECEAC:				; CODE XREF: IopGetBootDiskInformation(x,x)+317j
					; IopGetBootDiskInformation(x,x)+3B0j ...
		mov	eax, [esp+1A8h+var_178]
		add	esi, 90h
		mov	ecx, [esp+1A8h+var_190]
		inc	eax
		mov	[esp+1A8h+var_178], eax
		mov	[esp+1A8h+var_184], esi
		cmp	eax, [ebx+4]
		jb	loc_AECDBE
		mov	edi, [esp+1A8h+var_174]

loc_AECED0:				; CODE XREF: IopGetBootDiskInformation(x,x)+2E3j
					; IopGetBootDiskInformation(x,x)+2F2j
		mov	ecx, [ecx]

loc_AECED2:				; CODE XREF: IopGetBootDiskInformation(x,x)+2B8j
		mov	[esp+1A8h+var_190], ecx
		cmp	ecx, edi
		jnz	loc_AECD78

loc_AECEDE:				; CODE XREF: IopGetBootDiskInformation(x,x)+298j
		push	0
		push	ebx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AECEE6:				; CODE XREF: IopGetBootDiskInformation(x,x)+137j
					; IopGetBootDiskInformation(x,x)+164j ...
		mov	eax, [esp+1A8h+var_170]
		inc	eax
		mov	[esp+1A8h+var_170], eax
		cmp	eax, [esp+1A8h+var_180]
		jb	loc_AECBB2

loc_AECEF9:				; CODE XREF: IopGetBootDiskInformation(x,x)+F1j
		xor	eax, eax

loc_AECEFB:				; CODE XREF: IopGetBootDiskInformation(x,x)+94j
					; IopGetBootDiskInformation(x,x)+A3j
		mov	ecx, [esp+1A8h+var_C]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_IopGetBootDiskInformation@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopCachePreviousBootData(x)
_IopCachePreviousBootData@4 proc near	; CODE XREF: IopInitializeOfflineCrashDump+7E357p

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= word ptr -0Ch
var_A		= byte ptr -0Ah
var_9		= dword	ptr -9
var_5		= byte ptr -5
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		push	28h
		mov	esi, ecx
		mov	[ebp+var_14], 77FA9ABDh
		pop	ecx
		push	26h
		pop	eax
		xor	edi, edi
		mov	word ptr [ebp+var_28], ax
		push	edi
		lea	eax, [ebp+var_18]
		mov	[ebp+var_A], cl
		push	eax
		lea	eax, [ebp+var_20]
		mov	word ptr [ebp+var_28+2], cx
		push	eax
		lea	edx, [ebp+var_14]
		mov	[ebp+var_20], edi
		mov	ecx, offset ??_C@_1BK@BNBFJDPA@?$AAD?$AAu?$AAm?$AAp?$AAI?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@PBOPGDP@
		mov	[ebp+var_1C], edi
		mov	[ebp+var_10], 4D320359h
		mov	[ebp+var_C], 60BDh
		mov	[ebp+var_9], 788FE7F4h
		mov	[ebp+var_5], 4Bh
		mov	[ebp+var_18], 8
		mov	[ebp+var_24], (offset loc_ADD995+5)
		call	_IoGetEnvironmentVariableEx@20 ; IoGetEnvironmentVariableEx(x,x,x,x,x)
		test	eax, eax
		js	short loc_AECF9A
		push	8
		lea	eax, [ebp+var_20]
		push	eax
		push	0Bh
		push	edi
		lea	eax, [ebp+var_28]
		push	eax
		push	dword ptr [esi]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_AECF9A:				; CODE XREF: IopCachePreviousBootData(x)+74j
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_IopCachePreviousBootData@4 endp


;  S U B	R O U T	I N E 


; __stdcall PipAddDevicesToBootDriver(x)
_PipAddDevicesToBootDriver@4 proc near	; CODE XREF: IopInitializeBootDrivers+6D0p
					; PipInitializeCoreDriversByGroup+D2p
		mov	edi, edi
		push	ecx
		mov	edx, [ecx+18h]
		push	ecx
		push	ecx
		sub	esp, 0Ch
		add	edx, 0Ch
		call	PipApplyFunctionToServiceInstances
		pop	ecx
		retn
_PipAddDevicesToBootDriver@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipCriticalDeviceWaitCallback(x, x,	x)
_PipCriticalDeviceWaitCallback@12 proc near ; DATA XREF: PipWaitCriticalDevices+13o

var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= byte ptr -104h
var_4		= dword	ptr -4
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 130h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	edx, dword ptr [ebp+arg_4]
		xor	eax, eax
		push	ebx
		mov	ebx, [ebp+arg_8]
		push	esi
		push	edi
		xor	esi, esi
		lea	edi, [ebp+var_130]
		mov	[ebp+var_110], esi
		mov	[ebp+var_10C], esi
		mov	[ebp+var_118], esi
		mov	[ebp+var_114], esi
		mov	[ebp+var_108], esi
		push	6
		pop	ecx
		rep stosd
		test	edx, edx
		jnz	short loc_AED016
		mov	esi, 0C000000Dh
		jmp	loc_AED0C4
; 

loc_AED016:				; CODE XREF: PipCriticalDeviceWaitCallback(x,x,x)+4Dj
		push	edx		; char
		push	offset ??_C@_0M@HCOOGNOF@?2ArcName?2?$CFs@PBOPGDP@ ; char *
		lea	eax, [ebp+var_104]
		push	100h		; int
		push	eax		; char *
		call	RtlStringCchPrintfA
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	short loc_AED0B0
		lea	eax, [ebp+var_104]
		push	eax
		lea	eax, [ebp+var_110]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_110]
		push	eax
		push	ebx
		call	RtlAnsiStringToUnicodeString
		mov	esi, eax
		test	esi, esi
		js	short loc_AED0B0
		xor	eax, eax
		mov	[ebp+var_130], 18h
		push	40h
		push	eax
		mov	[ebp+var_12C], eax
		mov	[ebp+var_120], eax
		mov	[ebp+var_11C], eax
		lea	eax, [ebp+var_118]
		push	eax
		lea	eax, [ebp+var_130]
		mov	[ebp+var_124], 240h
		push	eax
		push	80h
		lea	eax, [ebp+var_108]
		mov	[ebp+var_128], ebx
		push	eax
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax

loc_AED0B0:				; CODE XREF: PipCriticalDeviceWaitCallback(x,x,x)+77j
					; PipCriticalDeviceWaitCallback(x,x,x)+9Fj
		cmp	[ebp+var_108], 0
		jz	short loc_AED0C4
		push	[ebp+var_108]
		call	_ZwClose@4	; ZwClose(x)

loc_AED0C4:				; CODE XREF: PipCriticalDeviceWaitCallback(x,x,x)+54j
					; PipCriticalDeviceWaitCallback(x,x,x)+FAj
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_PipCriticalDeviceWaitCallback@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipHardwareConfigExists(x, x)
_PipHardwareConfigExists@8 proc	near	; CODE XREF: PipHardwareConfigInit+12B7Ap

var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_218		= dword	ptr -218h
var_214		= dword	ptr -214h
var_210		= dword	ptr -210h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 224h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		xor	eax, eax
		mov	[ebp+var_224], edx
		push	esi
		push	edi
		mov	edi, ecx
		mov	[ebp+var_214], eax
		mov	bl, al
		mov	[ebp+var_220], eax
		mov	esi, eax
		mov	[ebp+var_21C], eax

loc_AED10F:				; CODE XREF: PipHardwareConfigExists(x,x)+E9j
		lea	eax, [ebp+var_218]
		mov	[ebp+var_218], 104h
		push	eax
		lea	eax, [ebp+var_210]
		mov	edx, edi
		push	eax
		push	esi
		call	__PnpCtxRegEnumKey@20 ;	_PnpCtxRegEnumKey(x,x,x,x,x)
		inc	esi
		test	eax, eax
		js	loc_AED1C6
		lea	eax, [ebp+var_214]
		mov	edx, edi
		push	eax
		push	1
		push	0
		lea	eax, [ebp+var_210]
		xor	ecx, ecx
		push	eax
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AED1BE
		mov	edx, [ebp+var_214]
		lea	eax, [ebp+var_218]
		push	eax
		lea	eax, [ebp+var_220]
		mov	[ebp+var_218], 4
		push	eax
		lea	eax, [ebp+var_21C]
		push	eax
		push	offset ??_C@_15NCCOGFKM@?$AAI?$AAd@PBOPGDP@
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AED1AC
		cmp	[ebp+var_21C], 4
		jnz	short loc_AED1AC
		cmp	[ebp+var_218], 4
		jnz	short loc_AED1AC
		mov	eax, [ebp+var_224]
		cmp	[ebp+var_220], eax
		jnz	short loc_AED1AC
		mov	bl, 1

loc_AED1AC:				; CODE XREF: PipHardwareConfigExists(x,x)+B1j
					; PipHardwareConfigExists(x,x)+BAj ...
		push	[ebp+var_214]
		call	_ZwClose@4	; ZwClose(x)
		and	[ebp+var_214], 0

loc_AED1BE:				; CODE XREF: PipHardwareConfigExists(x,x)+7Ej
		test	bl, bl
		jz	loc_AED10F

loc_AED1C6:				; CODE XREF: PipHardwareConfigExists(x,x)+5Bj
		mov	ecx, [ebp+var_4]
		mov	al, bl
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PipHardwareConfigExists@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipMigrateCleanServiceCallback(x, x, x, x)
_PipMigrateCleanServiceCallback@16 proc	near ; DATA XREF: PipMigratePnpState+1466Bo

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	esi
		xor	ebx, ebx
		push	eax
		push	0F003Fh
		push	ebx
		push	[ebp+arg_8]
		mov	[ebp+var_4], ebx
		mov	esi, ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], ebx
		mov	[ebp+var_C], ebx
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_AED2C8
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+arg_8]
		push	edi
		push	4
		pop	edi
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+arg_8], edi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	(offset	loc_ADE433+1)
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		cmp	eax, 0C0000034h
		jz	loc_AED2C7
		test	eax, eax
		js	loc_AED2C7
		cmp	[ebp+var_8], edi
		jnz	short loc_AED2C7
		cmp	[ebp+arg_8], edi
		jnz	short loc_AED2C7
		cmp	[ebp+var_C], ebx
		jz	short loc_AED2C7
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_14]
		push	ebx
		push	ebx
		push	ebx
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	__PnpCtxRegQueryInfoKey@28 ; _PnpCtxRegQueryInfoKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AED2C7
		cmp	[ebp+var_10], ebx
		jz	short loc_AED2C7
		mov	edi, [ebp+var_14]
		inc	edi
		push	6E697050h
		lea	eax, [edi+edi]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_AED2C7
		lea	eax, [ebp+arg_8]
		push	eax
		push	esi
		push	ebx

loc_AED292:				; CODE XREF: PipMigrateCleanServiceCallback(x,x,x,x)+ECj
		mov	edx, [ebp+var_4]
		mov	[ebp+arg_8], edi
		call	__PnpCtxRegEnumKey@20 ;	_PnpCtxRegEnumKey(x,x,x,x,x)
		cmp	eax, 8000001Ah
		jz	short loc_AED2C5
		test	eax, eax
		js	short loc_AED2C5
		mov	edx, [ebp+var_4]
		mov	ecx, [ebp+arg_0]
		push	esi
		call	__PnpCtxRegDeleteTree@12 ; _PnpCtxRegDeleteTree(x,x,x)
		test	eax, eax
		jns	short loc_AED2BB
		inc	ebx
		jmp	short loc_AED2BD
; 

loc_AED2BB:				; CODE XREF: PipMigrateCleanServiceCallback(x,x,x,x)+DFj
		xor	ebx, ebx

loc_AED2BD:				; CODE XREF: PipMigrateCleanServiceCallback(x,x,x,x)+E2j
		lea	eax, [ebp+arg_8]
		push	eax
		push	esi
		push	ebx
		jmp	short loc_AED292
; 

loc_AED2C5:				; CODE XREF: PipMigrateCleanServiceCallback(x,x,x,x)+CBj
					; PipMigrateCleanServiceCallback(x,x,x,x)+CFj
		xor	ebx, ebx

loc_AED2C7:				; CODE XREF: PipMigrateCleanServiceCallback(x,x,x,x)+62j
					; PipMigrateCleanServiceCallback(x,x,x,x)+6Aj ...
		pop	edi

loc_AED2C8:				; CODE XREF: PipMigrateCleanServiceCallback(x,x,x,x)+37j
		mov	edx, [ebp+var_4]
		test	edx, edx
		jz	short loc_AED2D4
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_AED2D4:				; CODE XREF: PipMigrateCleanServiceCallback(x,x,x,x)+F6j
		test	esi, esi
		jz	short loc_AED2DF
		push	ebx
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AED2DF:				; CODE XREF: PipMigrateCleanServiceCallback(x,x,x,x)+FFj
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn	10h
_PipMigrateCleanServiceCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PipMigrateResetDeviceCallback(int,wchar_t *,int,int)
_PipMigrateResetDeviceCallback@16 proc near ; DATA XREF: PipMigratePnpState+1469Eo

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	edi
		push	offset ??_C@_1BK@CCOOHMCM@?$AAH?$AAT?$AAR?$AAE?$AAE?$AA?2?$AAR?$AAO?$AAO?$AAT?$AA?2?$AA0@PBOPGDP@ ; "HTREE\\ROOT\\0"
		push	[ebp+arg_4]	; wchar_t *
		xor	edi, edi
		mov	[ebp+var_4], edi
		mov	[ebp+var_8], edi
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AED381
		mov	edx, [ebp+arg_4]
		lea	eax, [ebp+var_C]
		mov	ecx, [ebp+arg_0]
		push	ebx
		push	4
		pop	ebx
		push	edi
		push	eax
		lea	eax, [ebp+var_4]
		mov	[ebp+var_C], ebx
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		push	0Bh
		push	edi
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AED340
		cmp	[ebp+var_8], ebx
		jnz	short loc_AED340
		cmp	[ebp+var_C], ebx
		jnz	short loc_AED340
		mov	eax, [ebp+var_4]
		jmp	short loc_AED345
; 

loc_AED340:				; CODE XREF: PipMigrateResetDeviceCallback(x,x,x,x)+48j
					; PipMigrateResetDeviceCallback(x,x,x,x)+4Dj ...
		mov	eax, edi
		mov	[ebp+var_4], eax

loc_AED345:				; CODE XREF: PipMigrateResetDeviceCallback(x,x,x,x)+57j
		test	al, 20h
		jnz	short loc_AED368
		mov	edx, [ebp+arg_4]
		or	eax, 20h
		mov	ecx, [ebp+arg_0]
		push	edi
		push	ebx
		mov	[ebp+var_4], eax
		lea	eax, [ebp+var_4]
		push	eax
		push	ebx
		push	0Bh
		push	edi
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AED380

loc_AED368:				; CODE XREF: PipMigrateResetDeviceCallback(x,x,x,x)+60j
		mov	edx, [ebp+arg_4]
		mov	ecx, [ebp+arg_0]
		push	edi
		push	edi
		push	edi
		push	edi
		push	(offset	loc_427A80+4)
		push	edi
		push	edi
		push	1
		call	__PnpSetObjectProperty@40 ; _PnpSetObjectProperty(x,x,x,x,x,x,x,x,x,x)

loc_AED380:				; CODE XREF: PipMigrateResetDeviceCallback(x,x,x,x)+7Fj
		pop	ebx

loc_AED381:				; CODE XREF: PipMigrateResetDeviceCallback(x,x,x,x)+22j
		mov	al, 1
		pop	edi
		leave
		retn	10h
_PipMigrateResetDeviceCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipResetDevice(x, x)
_PipResetDevice@8 proc near		; CODE XREF: PipResetMatchingFilteredDevices+14590p

var_80		= dword	ptr -80h
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_70		= dword	ptr -70h
var_6C		= dword	ptr -6Ch
var_68		= dword	ptr -68h
var_58		= dword	ptr -58h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 84h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_78], ecx
		lea	edi, [ebp+var_68]
		mov	ebx, edx
		stosd
		push	ebx		; char
		push	offset ??_C@_0BI@BGOEFHIP@Resetting?5device?5?8?$CFws?8?6@PBOPGDP@ ; "Resetting	device '%ws'\n"
		stosd
		stosd
		stosd
		xor	edi, edi
		push	edi		; int
		push	20h		; int
		mov	[ebp+var_74], edi
		mov	esi, edi
		mov	[ebp+var_70], edi
		mov	[ebp+var_80], edi
		mov	[ebp+var_7C], edi
		call	_DbgPrintEx
		add	esp, 10h
		cmp	_PipResetDeviceBreakOnReset, 0
		jz	short loc_AED3D9
		int	3		; Trap to Debugger

loc_AED3D9:				; CODE XREF: PipResetDevice(x,x)+4Ej
		push	edi
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_6C], 4Eh
		push	eax
		lea	eax, [ebp+var_58]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_70]
		push	eax
		push	9
		push	edi
		mov	edi, [ebp+var_78]
		mov	ecx, edi
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AED42E
		cmp	[ebp+var_70], 1
		jnz	short loc_AED42E
		cmp	[ebp+var_6C], 2
		jb	short loc_AED42E
		lea	eax, [ebp+var_58]
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		test	eax, eax
		js	short loc_AED42E
		lea	eax, [ebp+var_68]
		push	eax
		lea	eax, [ebp+var_80]
		push	eax
		call	_RtlGUIDFromString@8 ; RtlGUIDFromString(x,x)
		test	eax, eax
		jns	short loc_AED43A

loc_AED42E:				; CODE XREF: PipResetDevice(x,x)+76j
					; PipResetDevice(x,x)+7Cj ...
		xor	eax, eax
		lea	edi, [ebp+var_68]
		stosd
		stosd
		stosd
		stosd
		mov	edi, [ebp+var_78]

loc_AED43A:				; CODE XREF: PipResetDevice(x,x)+A4j
		mov	ecx, ebx
		call	__CmIsRootEnumeratedDevice@4 ; _CmIsRootEnumeratedDevice(x)
		test	al, al
		jnz	short loc_AED46C
		push	10h		; size_t
		lea	eax, [ebp+var_68]
		push	offset loc_427A64 ; void *
		push	eax		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_AED46C
		push	0
		mov	edx, ebx
		mov	ecx, edi
		call	__CmDeleteDevice@12 ; _CmDeleteDevice(x,x,x)
		jmp	loc_AED4FA
; 

loc_AED46C:				; CODE XREF: PipResetDevice(x,x)+BBj
					; PipResetDevice(x,x)+D2j
		push	ecx
		push	0
		push	11h
		mov	edx, ebx
		mov	ecx, edi
		call	__CmDeleteDeviceRegKey@20 ; _CmDeleteDeviceRegKey(x,x,x,x,x)
		test	eax, eax
		jns	short loc_AED480
		mov	esi, eax

loc_AED480:				; CODE XREF: PipResetDevice(x,x)+F4j
		push	ecx
		push	0
		push	12h
		mov	edx, ebx
		mov	ecx, edi
		call	__CmDeleteDeviceRegKey@20 ; _CmDeleteDeviceRegKey(x,x,x,x,x)
		test	esi, esi
		js	short loc_AED498
		test	eax, eax
		jns	short loc_AED498
		mov	esi, eax

loc_AED498:				; CODE XREF: PipResetDevice(x,x)+108j
					; PipResetDevice(x,x)+10Cj
		push	0
		lea	eax, [ebp+var_6C]
		mov	[ebp+var_6C], 4
		push	eax
		lea	eax, [ebp+var_74]
		mov	edx, ebx
		push	eax
		lea	eax, [ebp+var_70]
		mov	ecx, edi
		push	eax
		push	0Bh
		push	0
		call	__CmGetDeviceRegProp@32	; _CmGetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AED4CF
		cmp	[ebp+var_70], 4
		jnz	short loc_AED4CF
		cmp	[ebp+var_6C], 4
		jnz	short loc_AED4CF
		mov	eax, [ebp+var_74]
		jmp	short loc_AED4D1
; 

loc_AED4CF:				; CODE XREF: PipResetDevice(x,x)+134j
					; PipResetDevice(x,x)+13Aj ...
		xor	eax, eax

loc_AED4D1:				; CODE XREF: PipResetDevice(x,x)+145j
		test	al, 20h
		jnz	short loc_AED4FC
		push	0
		or	eax, 20h
		mov	edx, ebx
		push	4
		mov	[ebp+var_74], eax
		mov	ecx, edi
		lea	eax, [ebp+var_74]
		push	eax
		push	4
		push	0Bh
		push	0
		call	__CmSetDeviceRegProp@32	; _CmSetDeviceRegProp(x,x,x,x,x,x,x,x)
		test	esi, esi
		js	short loc_AED4FC
		test	eax, eax
		jns	short loc_AED4FC

loc_AED4FA:				; CODE XREF: PipResetDevice(x,x)+DFj
		mov	esi, eax

loc_AED4FC:				; CODE XREF: PipResetDevice(x,x)+14Bj
					; PipResetDevice(x,x)+16Cj ...
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PipResetDevice@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiLastGoodRevertCopyCallback(x, x, x, x)
_PiLastGoodRevertCopyCallback@16 proc near
					; DATA XREF: IopFileUtilWalkDirectoryTreeTopDown(x,x,x,x)+37o
					; IopFileUtilWalkDirectoryTreeTopDown(x,x,x,x)+81o

var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		mov	eax, [ebp+arg_C]
		and	[ebp+var_8], 0
		and	[ebp+var_4], 0
		push	ebx
		mov	ax, [eax]
		mov	ebx, [ebp+arg_0]
		add	ax, 2
		movzx	eax, ax
		mov	[ebp+arg_C], eax
		push	674C7050h
		movzx	eax, word ptr [ebx]
		push	eax
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edx, eax
		mov	[ebp+arg_0], edx
		test	edx, edx
		jnz	short loc_AED550
		mov	eax, 0C000009Ah
		jmp	short loc_AED5AF
; 

loc_AED550:				; CODE XREF: PiLastGoodRevertCopyCallback(x,x,x,x)+3Aj
		push	esi
		mov	esi, [ebx+4]
		push	edi
		push	6
		pop	ecx
		mov	edi, edx
		rep movsd
		mov	esi, [ebp+arg_C]
		movzx	eax, word ptr [ebx]
		movzx	ecx, si
		sub	eax, ecx
		shr	ecx, 1
		push	eax		; size_t
		mov	eax, [ebx+4]
		lea	eax, [eax+ecx*2]
		push	eax		; void *
		lea	eax, [edx+18h]
		push	eax		; void *
		call	_memcpy
		mov	ax, [ebx]
		lea	edx, [ebp+var_8]
		mov	edi, [ebp+arg_0]
		add	esp, 0Ch
		sub	ax, si
		mov	[ebp+var_4], edi
		add	ax, 18h
		mov	ecx, ebx
		mov	word ptr [ebp+var_8], ax
		push	1
		mov	word ptr [ebp+var_8+2],	ax
		call	IopFileUtilRename
		push	0
		push	edi
		mov	esi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		pop	edi
		mov	eax, esi
		pop	esi

loc_AED5AF:				; CODE XREF: PiLastGoodRevertCopyCallback(x,x,x,x)+41j
		pop	ebx
		leave
		retn	10h
_PiLastGoodRevertCopyCallback@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiLastGoodRevertLastKnownDirectory(x, x)
_PiLastGoodRevertLastKnownDirectory@8 proc near
					; CODE XREF: PpLastGoodDoBootProcessing+11595p
					; PpLastGoodDoBootProcessing+115A0p

var_26C		= dword	ptr -26Ch
var_268		= dword	ptr -268h
var_264		= dword	ptr -264h
var_260		= dword	ptr -260h
var_25C		= dword	ptr -25Ch
var_258		= dword	ptr -258h
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch
var_248		= dword	ptr -248h
var_244		= dword	ptr -244h
var_240		= dword	ptr -240h
var_23C		= dword	ptr -23Ch
var_238		= dword	ptr -238h
var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 26Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	6
		mov	ebx, ecx
		mov	[ebp+var_23C], edx
		pop	ecx
		xor	eax, eax
		lea	edi, [ebp+var_254]
		xor	esi, esi
		rep stosd
		mov	eax, 218h
		mov	[ebp+var_22C], esi
		push	eax		; size_t
		lea	eax, [ebp+var_220]
		mov	[ebp+var_228], esi
		push	esi		; int
		push	eax		; void *
		mov	[ebp+var_238], esi
		mov	[ebp+var_234], esi
		mov	[ebp+var_224], esi
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_230], esi
		mov	edi, 674C7050h
		push	edi
		push	21Ch
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_AED7EC
		push	ebx
		push	ecx
		mov	ecx, ebx
		call	_IopFileUtilWalkDirectoryTreeTopDown@16	; IopFileUtilWalkDirectoryTreeTopDown(x,x,x,x)
		mov	eax, [ebp+var_23C]
		xor	ebx, ebx
		mov	[ebp+var_264], eax
		lea	eax, [ebp+var_26C]
		push	eax
		push	0F003Fh
		lea	eax, [ebp+var_224]
		mov	[ebp+var_26C], 18h
		push	eax
		mov	[ebp+var_268], ebx
		mov	[ebp+var_260], 240h
		mov	[ebp+var_25C], ebx
		mov	[ebp+var_258], ebx
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		jns	short loc_AED698
		push	edi
		jmp	loc_AED7E6
; 

loc_AED698:				; CODE XREF: PiLastGoodRevertLastKnownDirectory(x,x)+DCj
		lea	eax, [ebp+var_230]
		xor	edi, edi
		push	eax
		push	21Ch
		push	esi
		inc	edi
		push	edi
		push	ebx
		jmp	loc_AED7B8
; 

loc_AED6AF:				; CODE XREF: PiLastGoodRevertLastKnownDirectory(x,x)+211j
		cmp	[ebp+var_230], ebx
		jz	loc_AED7A5
		cmp	dword ptr [esi+4], 4
		jnz	loc_AED7A5
		cmp	dword ptr [esi+0Ch], 4
		jnz	loc_AED7A5
		mov	eax, [esi+8]
		cmp	byte ptr [esi+eax], 1
		jnz	loc_AED7A5
		lea	eax, [ebp+var_220]
		mov	[ebp+var_22C], 2180000h
		mov	[ebp+var_228], eax
		lea	eax, [esi+14h]
		mov	[ebp+var_234], eax
		mov	ax, [esi+10h]
		mov	word ptr [ebp+var_238],	ax
		mov	word ptr [ebp+var_238+2], ax
		lea	eax, [ebp+var_22C]
		push	(offset	loc_ADE5CF+1) ;	void *
		push	eax		; int
		call	_RtlAppendUnicodeToString@8 ; RtlAppendUnicodeToString(x,x)
		lea	eax, [ebp+var_238]
		push	eax
		lea	eax, [ebp+var_22C]
		push	eax
		call	_RtlAppendUnicodeStringToString@8 ; RtlAppendUnicodeStringToString(x,x)
		movzx	ecx, word ptr [ebp+var_22C]
		push	0Dh
		shr	ecx, 1
		pop	eax
		cmp	ecx, eax
		jbe	short loc_AED75C

loc_AED741:				; CODE XREF: PiLastGoodRevertLastKnownDirectory(x,x)+1A6j
		cmp	word ptr [ebp+eax*2+var_220], 2Fh
		jnz	short loc_AED757
		push	5Ch
		pop	edx
		mov	word ptr [ebp+eax*2+var_220], dx

loc_AED757:				; CODE XREF: PiLastGoodRevertLastKnownDirectory(x,x)+196j
		inc	eax
		cmp	eax, ecx
		jb	short loc_AED741

loc_AED75C:				; CODE XREF: PiLastGoodRevertLastKnownDirectory(x,x)+18Bj
		lea	ecx, [ebp+var_22C]
		call	_IopFileUtilClearAttributes@8 ;	IopFileUtilClearAttributes(x,x)
		lea	eax, [ebp+var_22C]
		mov	[ebp+var_254], 18h
		mov	[ebp+var_24C], eax
		lea	eax, [ebp+var_254]
		push	eax
		mov	[ebp+var_250], ebx
		mov	[ebp+var_248], 240h
		mov	[ebp+var_244], ebx
		mov	[ebp+var_240], ebx
		call	_ZwDeleteFile@4	; ZwDeleteFile(x)

loc_AED7A5:				; CODE XREF: PiLastGoodRevertLastKnownDirectory(x,x)+101j
					; PiLastGoodRevertLastKnownDirectory(x,x)+10Bj	...
		lea	ecx, [ebp+var_230]
		mov	eax, edi
		push	ecx
		push	21Ch
		push	esi
		push	1
		inc	edi
		push	eax

loc_AED7B8:				; CODE XREF: PiLastGoodRevertLastKnownDirectory(x,x)+F6j
		push	[ebp+var_224]
		call	_ZwEnumerateValueKey@24	; ZwEnumerateValueKey(x,x,x,x,x,x)
		test	eax, eax
		jns	loc_AED6AF
		push	[ebp+var_224]
		call	_ZwDeleteKey@4	; ZwDeleteKey(x)
		push	[ebp+var_224]
		call	_ZwClose@4	; ZwClose(x)
		push	674C7050h

loc_AED7E6:				; CODE XREF: PiLastGoodRevertLastKnownDirectory(x,x)+DFj
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AED7EC:				; CODE XREF: PiLastGoodRevertLastKnownDirectory(x,x)+7Fj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_PiLastGoodRevertLastKnownDirectory@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipCommitPendingOsExtensionResource(x, x, x, x)
_PipCommitPendingOsExtensionResource@16	proc near
					; DATA XREF: PipProcessPendingOsExtensionResources+14542o

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_4]
		push	ebx
		push	esi
		push	eax
		xor	ebx, ebx
		push	4
		pop	edx
		mov	[ebp+var_4], ebx
		mov	[ebp+var_C], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_10], ebx
		mov	[ebp+var_14], ebx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AED92F
		push	edi
		mov	edi, [ebp+arg_4]
		test	edi, edi
		jnz	short loc_AED864
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_10]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	2001Fh
		push	ebx
		push	(offset	loc_ADE845+1)
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AED92E
		mov	edi, [ebp+var_10]

loc_AED864:				; CODE XREF: PipCommitPendingOsExtensionResource(x,x,x,x)+3Dj
		mov	ebx, [ebp+arg_8]
		test	ebx, ebx
		jnz	short loc_AED892
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [ebp+var_14]
		push	eax
		push	20019h
		push	ebx
		push	[ebp+arg_0]
		mov	edx, edi
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AED92E
		mov	ebx, [ebp+var_14]

loc_AED892:				; CODE XREF: PipCommitPendingOsExtensionResource(x,x,x,x)+6Ej
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	20006h
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	offset ??_C@_1DI@FAEMCGLM@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAO?$AAs?$AAE?$AAx?$AAt?$AAe?$AAn@PBOPGDP@
		call	__PnpCtxRegCreateKey@32	; _PnpCtxRegCreateKey(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AED92E
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	20006h
		push	ecx
		push	[ebp+arg_0]
		mov	ecx, _PiPnpRtlCtx
		call	__PnpCtxRegCreateKey@32	; _PnpCtxRegCreateKey(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AED92E
		mov	edx, [ebp+var_8]
		push	0
		push	ecx
		mov	ecx, ebx
		call	_PiDevCfgCopyDeviceKeys@16 ; PiDevCfgCopyDeviceKeys(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AED92E
		push	[ebp+arg_0]
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		call	__PnpCtxRegDeleteTree@12 ; _PnpCtxRegDeleteTree(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AED92E
		lea	eax, [ebp+arg_0]
		xor	ebx, ebx
		push	eax
		push	ebx
		push	ebx
		mov	edx, edi
		mov	[ebp+arg_0], ebx
		call	__PnpCtxRegEnumKey@20 ;	_PnpCtxRegEnumKey(x,x,x,x,x)
		cmp	eax, 8000001Ah
		jnz	short loc_AED92E
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	ebx
		call	__PnpCtxRegDeleteKey@12	; _PnpCtxRegDeleteKey(x,x,x)

loc_AED92E:				; CODE XREF: PipCommitPendingOsExtensionResource(x,x,x,x)+60j
					; PipCommitPendingOsExtensionResource(x,x,x,x)+8Ej ...
		pop	edi

loc_AED92F:				; CODE XREF: PipCommitPendingOsExtensionResource(x,x,x,x)+31j
		mov	edx, [ebp+var_8]
		test	edx, edx
		jz	short loc_AED93B
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_AED93B:				; CODE XREF: PipCommitPendingOsExtensionResource(x,x,x,x)+139j
		mov	edx, [ebp+var_C]
		test	edx, edx
		jz	short loc_AED947
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_AED947:				; CODE XREF: PipCommitPendingOsExtensionResource(x,x,x,x)+145j
		mov	edx, [ebp+var_10]
		test	edx, edx
		jz	short loc_AED953
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_AED953:				; CODE XREF: PipCommitPendingOsExtensionResource(x,x,x,x)+151j
		mov	edx, [ebp+var_14]
		test	edx, edx
		jz	short loc_AED95F
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_AED95F:				; CODE XREF: PipCommitPendingOsExtensionResource(x,x,x,x)+15Dj
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn	10h
_PipCommitPendingOsExtensionResource@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipCommitPendingService(x, x, x, x)
_PipCommitPendingService@16 proc near	; DATA XREF: PipProcessPendingServices+1457Do

var_60		= dword	ptr -60h
var_5C		= dword	ptr -5Ch
var_58		= dword	ptr -58h
var_54		= dword	ptr -54h
var_50		= dword	ptr -50h
var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_40		= dword	ptr -40h
var_28		= dword	ptr -28h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		xor	ecx, ecx
		push	ebx
		push	esi
		push	edi
		mov	edi, [ebp+arg_4]
		mov	[esp+30h+var_4], ecx
		mov	[esp+30h+var_10], ecx
		mov	[esp+30h+var_14], ecx
		mov	[esp+30h+var_18], ecx
		mov	[esp+30h+var_20], ecx
		mov	[esp+30h+var_1C], ecx
		mov	[esp+30h+var_C], ecx
		mov	[esp+30h+var_8], ecx
		test	edi, edi
		jnz	short loc_AED9EA
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+30h+var_4]
		push	eax
		push	4
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEDBC3
		mov	edx, [esp+30h+var_4]
		lea	eax, [esp+30h+var_C]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	2001Fh
		push	edi
		push	offset ??_C@_1FC@OBEGEIPL@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AA?2?$AAP?$AAe?$AAn?$AAd?$AAi?$AAn?$AAg@PBOPGDP@	; "Control\\PendingDriverOperations\\Service"...
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEDBC3
		mov	edi, [esp+40h+var_1C]
		xor	ecx, ecx

loc_AED9EA:				; CODE XREF: PipCommitPendingService(x,x,x,x)+35j
		cmp	[ebp+arg_8], 0
		mov	ebx, [ebp+arg_0]
		jnz	short loc_AEDA1D
		lea	eax, [esp+40h+var_18]
		mov	edx, edi
		push	eax
		push	20019h
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEDBC3
		mov	eax, [esp+50h+var_28]
		mov	[ebp+arg_8], eax

loc_AEDA1D:				; CODE XREF: PipCommitPendingService(x,x,x,x)+8Aj
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+50h+var_40]
		push	eax
		push	2001Fh
		push	0
		push	offset ??_C@_1BC@FNLKCFOP@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAL?$AAo?$AAg@PBOPGDP@ ; "E"
		mov	edx, edi
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_AEDA55
		cmp	esi, 0C000017Ch
		jz	short loc_AEDA55
		test	esi, esi
		js	loc_AEDBC3

loc_AEDA55:				; CODE XREF: PipCommitPendingService(x,x,x,x)+DCj
					; PipCommitPendingService(x,x,x,x)+E4j
		mov	edx, [esp+60h+var_50]
		lea	eax, [esp+60h+var_4C]
		mov	ecx, _PiPnpRtlCtx
		push	eax
		push	20019h
		push	0
		push	ebx
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000034h
		jz	short loc_AEDA8B
		cmp	esi, 0C000017Ch
		jz	short loc_AEDA8B
		test	esi, esi
		js	loc_AEDBC3

loc_AEDA8B:				; CODE XREF: PipCommitPendingService(x,x,x,x)+112j
					; PipCommitPendingService(x,x,x,x)+11Aj
		mov	ecx, _PiPnpRtlCtx
		lea	eax, [esp+70h+var_58]
		push	eax
		push	6
		pop	edx
		call	__PnpCtxGetCachedContextBaseKey@12 ; _PnpCtxGetCachedContextBaseKey(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEDBC3
		mov	edx, [esp+70h+var_58]
		lea	eax, [esp+70h+var_54]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	20006h
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		call	__PnpCtxRegCreateKey@32	; _PnpCtxRegCreateKey(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEDBC3
		cmp	[esp+70h+var_5C], 0
		jz	short loc_AEDB23
		mov	edx, [esp+70h+var_58]
		lea	eax, [esp+70h+var_50]
		xor	ecx, ecx
		push	ecx
		push	eax
		push	ecx
		push	20006h
		push	ecx
		mov	ecx, _PiPnpRtlCtx
		push	offset ??_C@_1BC@FNLKCFOP@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAL?$AAo?$AAg@PBOPGDP@ ; "E"
		call	__PnpCtxRegCreateKey@32	; _PnpCtxRegCreateKey(x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEDBC3
		mov	ecx, [esp+70h+var_5C]
		test	ecx, ecx
		jz	short loc_AEDB23
		mov	edx, [esp+70h+var_50]
		push	0
		push	ecx
		call	_PiDevCfgCopyDeviceKeys@16 ; PiDevCfgCopyDeviceKeys(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEDBC3

loc_AEDB23:				; CODE XREF: PipCommitPendingService(x,x,x,x)+16Fj
					; PipCommitPendingService(x,x,x,x)+1A4j
		mov	edx, [esp+70h+var_54]
		push	0
		push	ecx
		mov	ecx, [ebp+arg_8]
		call	_PiDevCfgCopyDeviceKeys@16 ; PiDevCfgCopyDeviceKeys(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AEDBC3
		cmp	[esp+70h+var_5C], 0
		jz	short loc_AEDB86
		mov	edx, [esp+70h+var_60]
		mov	ecx, _PiPnpRtlCtx
		push	ebx
		call	__PnpCtxRegDeleteTree@12 ; _PnpCtxRegDeleteTree(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AEDBC3
		mov	edx, [esp+70h+var_60]
		lea	eax, [esp+70h+var_58]
		xor	esi, esi
		push	eax
		push	esi
		push	esi
		mov	[esp+7Ch+var_58], esi
		call	__PnpCtxRegEnumKey@20 ;	_PnpCtxRegEnumKey(x,x,x,x,x)
		cmp	eax, 8000001Ah
		jnz	short loc_AEDB86
		mov	edx, [esp+70h+var_60]
		mov	ecx, _PiPnpRtlCtx
		push	esi
		call	__PnpCtxRegDeleteKey@12	; _PnpCtxRegDeleteKey(x,x,x)

loc_AEDB86:				; CODE XREF: PipCommitPendingService(x,x,x,x)+1DAj
					; PipCommitPendingService(x,x,x,x)+20Dj
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	ebx
		call	__PnpCtxRegDeleteTree@12 ; _PnpCtxRegDeleteTree(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AEDBC3
		lea	eax, [esp+70h+var_58]
		xor	ebx, ebx
		push	eax
		push	ebx
		push	ebx
		mov	edx, edi
		mov	[esp+7Ch+var_58], ebx
		call	__PnpCtxRegEnumKey@20 ;	_PnpCtxRegEnumKey(x,x,x,x,x)
		cmp	eax, 8000001Ah
		jnz	short loc_AEDBC3
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	ebx
		call	__PnpCtxRegDeleteKey@12	; _PnpCtxRegDeleteKey(x,x,x)

loc_AEDBC3:				; CODE XREF: PipCommitPendingService(x,x,x,x)+4Ej
					; PipCommitPendingService(x,x,x,x)+77j	...
		mov	edx, [esp+70h+var_54]
		test	edx, edx
		jz	short loc_AEDBD0
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_AEDBD0:				; CODE XREF: PipCommitPendingService(x,x,x,x)+262j
		mov	edx, [esp+70h+var_50]
		test	edx, edx
		jz	short loc_AEDBDD
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_AEDBDD:				; CODE XREF: PipCommitPendingService(x,x,x,x)+26Fj
		mov	edx, [esp+70h+var_60]
		test	edx, edx
		jz	short loc_AEDBEA
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_AEDBEA:				; CODE XREF: PipCommitPendingService(x,x,x,x)+27Cj
		mov	edx, [esp+70h+var_5C]
		test	edx, edx
		jz	short loc_AEDBF7
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_AEDBF7:				; CODE XREF: PipCommitPendingService(x,x,x,x)+289j
		mov	edx, [esp+70h+var_4C]
		test	edx, edx
		jz	short loc_AEDC04
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_AEDC04:				; CODE XREF: PipCommitPendingService(x,x,x,x)+296j
		mov	edx, [esp+70h+var_48]
		test	edx, edx
		jz	short loc_AEDC11
		call	__PnpCtxRegCloseKey@8 ;	_PnpCtxRegCloseKey(x,x)

loc_AEDC11:				; CODE XREF: PipCommitPendingService(x,x,x,x)+2A3j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn	10h
_PipCommitPendingService@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	PipPendingServicesFilter(wchar_t *,int,int,int)
_PipPendingServicesFilter@16 proc near	; DATA XREF: PipProcessPendingServices+14586o

arg_0		= dword	ptr  8
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_C]
		push	offset ??_C@_1BC@FNLKCFOP@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAL?$AAo?$AAg@PBOPGDP@ ; "E"
		push	[ebp+arg_0]	; wchar_t *
		mov	byte ptr [esi],	0
		call	__wcsicmp
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	short loc_AEDC3E
		mov	byte ptr [esi],	1

loc_AEDC3E:				; CODE XREF: PipPendingServicesFilter(x,x,x,x)+1Dj
		xor	eax, eax
		pop	esi
		pop	ebp
		retn	10h
_PipPendingServicesFilter@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PipProcessPendingObjects(x,	x, x, x, x)
_PipProcessPendingObjects@20 proc near	; CODE XREF: PipProcessPendingServices+1458Bp
					; PipProcessPendingOsExtensionResources+1454Dp

var_234		= dword	ptr -234h
var_230		= dword	ptr -230h
var_22C		= dword	ptr -22Ch
var_228		= dword	ptr -228h
var_224		= dword	ptr -224h
var_220		= dword	ptr -220h
var_21C		= dword	ptr -21Ch
var_216		= byte ptr -216h
var_215		= dword	ptr -215h
var_8		= dword	ptr -8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 238h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	eax, ecx
		mov	[ebp+var_230], edx
		mov	ecx, [ebp+arg_4]
		xor	edx, edx
		push	esi
		push	edi
		mov	[ebp+var_234], ecx
		mov	esi, edx
		lea	ecx, [ebp+var_220]
		mov	byte ptr [ebp+var_215],	dl
		push	ecx
		lea	ecx, [ebp+var_215+1]
		mov	[ebp+var_224], edx
		push	ecx
		mov	ebx, edx
		mov	[ebp+var_22C], edx
		push	edx
		mov	edx, eax
		mov	[ebp+var_228], eax
		mov	[ebp+var_220], 104h
		call	__PnpCtxRegEnumKey@20 ;	_PnpCtxRegEnumKey(x,x,x,x,x)
		mov	[ebp+var_21C], 1
		jmp	loc_AEDE67
; 

loc_AEDCBB:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+22Aj
		cmp	edi, 0C000017Ch
		jz	loc_AEDE75
		test	edi, edi
		js	loc_AEDE79
		mov	edi, [ebp+var_228]
		lea	eax, [ebp+var_224]
		mov	ecx, _PiPnpRtlCtx
		mov	edx, edi
		push	eax
		push	1
		xor	eax, eax
		push	eax
		lea	eax, [ebp+var_215+1]
		push	eax
		call	__PnpCtxRegOpenKey@24 ;	_PnpCtxRegOpenKey(x,x,x,x,x,x)
		test	eax, eax
		js	loc_AEDE37
		mov	eax, [ebp+var_230]
		test	eax, eax
		jz	short loc_AEDD43
		lea	ecx, [ebp+var_215]
		xor	edx, edx
		push	ecx
		push	edx
		push	[ebp+var_224]
		lea	ecx, [ebp+var_215+1]
		mov	byte ptr [ebp+var_215],	dl
		push	ecx
		call	eax
		mov	edi, eax
		test	edi, edi
		js	loc_AEDE79
		cmp	byte ptr [ebp+var_215],	0
		jnz	loc_AEDE37
		mov	edi, [ebp+var_228]

loc_AEDD43:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+C0j
		mov	edx, [ebp+var_224]
		lea	eax, [ebp+var_220]
		push	eax
		push	esi
		lea	eax, [ebp+var_22C]
		mov	[ebp+var_220], ebx
		push	eax
		push	offset ??_C@_1CC@LPKCGKMO@?$AAD?$AAe?$AAp?$AAe?$AAn?$AAd?$AAO?$AAn?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr@PBOPGDP@
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jz	short loc_AEDD76
		cmp	eax, 80000005h
		jnz	short loc_AEDDC1

loc_AEDD76:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+128j
		test	esi, esi
		jz	short loc_AEDD85
		push	42706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AEDD85:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+133j
		mov	ebx, [ebp+var_220]
		push	42706E50h
		push	ebx
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_AEDE9B
		mov	edx, [ebp+var_224]
		lea	eax, [ebp+var_220]
		push	eax
		push	esi
		lea	eax, [ebp+var_22C]
		push	eax
		push	offset ??_C@_1CC@LPKCGKMO@?$AAD?$AAe?$AAp?$AAe?$AAn?$AAd?$AAO?$AAn?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr@PBOPGDP@
		call	__PnpCtxRegQueryValue@24 ; _PnpCtxRegQueryValue(x,x,x,x,x,x)

loc_AEDDC1:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+12Fj
		cmp	eax, 0C0000034h
		jnz	short loc_AEDDD8
		test	esi, esi
		jz	short loc_AEDE0D
		cmp	ebx, 2
		jb	short loc_AEDDDC
		xor	eax, eax
		mov	[esi], ax
		jmp	short loc_AEDDDC
; 

loc_AEDDD8:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+181j
		test	eax, eax
		js	short loc_AEDE37

loc_AEDDDC:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+18Aj
					; PipProcessPendingObjects(x,x,x,x,x)+191j
		xor	eax, eax
		test	esi, esi
		jz	short loc_AEDE0F
		cmp	ebx, 2
		jb	short loc_AEDE0F
		cmp	[esi], ax
		jz	short loc_AEDE0F
		push	ecx
		lea	edx, [ebp-216h]
		mov	[ebp+var_216], al
		mov	ecx, esi
		call	_PnpCheckDriverDependencies@12 ; PnpCheckDriverDependencies(x,x,x)
		test	eax, eax
		js	short loc_AEDE37
		cmp	[ebp+var_216], 0
		jz	short loc_AEDE37

loc_AEDE0D:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+185j
		xor	eax, eax

loc_AEDE0F:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+19Bj
					; PipProcessPendingObjects(x,x,x,x,x)+1A0j ...
		push	eax
		push	[ebp+var_224]
		lea	eax, [ebp+var_215+1]
		push	edi
		push	eax
		call	[ebp+var_234]
		test	eax, eax
		mov	eax, [ebp+var_21C]
		js	short loc_AEDE3D
		dec	eax
		mov	[ebp+var_21C], eax
		jmp	short loc_AEDE3D
; 

loc_AEDE37:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+B2j
					; PipProcessPendingObjects(x,x,x,x,x)+F2j ...
		mov	eax, [ebp+var_21C]

loc_AEDE3D:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+1E7j
					; PipProcessPendingObjects(x,x,x,x,x)+1F0j
		mov	edx, [ebp+var_228]
		lea	ecx, [ebp+var_220]
		push	ecx
		lea	ecx, [ebp+var_215+1]
		mov	[ebp+var_220], 104h
		push	ecx
		push	eax
		call	__PnpCtxRegEnumKey@20 ;	_PnpCtxRegEnumKey(x,x,x,x,x)
		inc	[ebp+var_21C]

loc_AEDE67:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+71j
		mov	edi, eax
		cmp	edi, 8000001Ah
		jnz	loc_AEDCBB

loc_AEDE75:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+7Cj
		xor	eax, eax
		mov	edi, eax

loc_AEDE79:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+84j
					; PipProcessPendingObjects(x,x,x,x,x)+E5j
		test	esi, esi
		jz	short loc_AEDE88
		push	42706E50h
		push	esi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)

loc_AEDE88:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+236j
					; PipProcessPendingObjects(x,x,x,x,x)+25Bj
		mov	ecx, [ebp+var_8]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
; 

loc_AEDE9B:				; CODE XREF: PipProcessPendingObjects(x,x,x,x,x)+157j
		mov	edi, 0C000009Ah
		jmp	short loc_AEDE88
_PipProcessPendingObjects@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PiKsrNotifyInitialize()
_PiKsrNotifyInitialize@0 proc near	; CODE XREF: CcInitializeVacbs+F52Ep

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	esi
		mov	eax, offset _PnpKsrNotifyList
		xor	esi, esi
		mov	dword_6CB584, eax
		mov	_PnpKsrNotifyList, eax
		xor	eax, eax
		inc	eax
		mov	[ebp+var_8], esi
		push	esi
		push	eax
		push	offset unk_6CB5AC
		mov	[ebp+var_4], esi
		mov	_PnpKsrNotifyLock, eax
		mov	dword_6CB5A4, esi
		mov	dword_6CB5A8, esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	(offset	loc_ADE8EB+1)
		lea	eax, [ebp+var_8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	esi
		lea	eax, [ebp+var_8]
		mov	[ebp+var_20], 18h
		mov	[ebp+var_18], eax
		lea	eax, [ebp+var_20]
		push	esi
		push	eax
		push	offset _PnpKsrCallbackObject
		mov	[ebp+var_1C], esi
		mov	[ebp+var_14], 50h
		mov	[ebp+var_10], esi
		mov	[ebp+var_C], esi
		call	_ExCreateCallback@16 ; ExCreateCallback(x,x,x,x)
		test	eax, eax
		js	short loc_AEDF37
		push	_IopRootDeviceNode
		push	offset _PipKsrCallback@12 ; PipKsrCallback(x,x,x)
		push	_PnpKsrCallbackObject
		call	ExRegisterCallback

loc_AEDF37:				; CODE XREF: PiKsrNotifyInitialize()+7Dj
		xor	eax, eax
		pop	esi
		leave
		retn
_PiKsrNotifyInitialize@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall IopFileUtilWalkDirectoryTreeTopDown(x, x, x, x)
_IopFileUtilWalkDirectoryTreeTopDown@16	proc near
					; CODE XREF: PiLastGoodRevertLastKnownDirectory(x,x)+89p

var_410		= dword	ptr -410h
var_40C		= dword	ptr -40Ch
var_408		= dword	ptr -408h
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 414h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		mov	ebx, [ebp+arg_4]
		lea	eax, [ebp+var_410]
		push	esi
		push	edi
		push	eax
		push	ecx
		mov	[ebp+var_40C], eax
		mov	[ebp+var_410], eax
		lea	eax, [ebp+var_408]
		push	eax
		push	ebx
		push	offset _PiLastGoodRevertCopyCallback@16	; PiLastGoodRevertCopyCallback(x,x,x,x)
		push	0Dh
		pop	edx
		call	_IopFileUtilWalkDirectoryTreeHelper@28 ; IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)
		mov	edi, eax

loc_AEDF82:				; CODE XREF: IopFileUtilWalkDirectoryTreeTopDown(x,x,x,x)+9Bj
		mov	esi, [ebp+var_410]
		lea	eax, [ebp+var_410]
		cmp	esi, eax
		jz	short loc_AEDFD9
		test	edi, edi
		js	short loc_AEDFDD
		cmp	[esi+4], eax
		jnz	short loc_AEE012
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_AEE012
		lea	ecx, [ebp+var_410]
		mov	[ebp+var_410], eax
		mov	[eax+4], ecx
		mov	eax, ecx
		push	eax
		push	ecx
		lea	eax, [ebp+var_408]
		push	eax
		push	ebx
		push	offset _PiLastGoodRevertCopyCallback@16	; PiLastGoodRevertCopyCallback(x,x,x,x)
		push	0Dh
		lea	ecx, [esi+8]
		pop	edx
		call	_IopFileUtilWalkDirectoryTreeHelper@28 ; IopFileUtilWalkDirectoryTreeHelper(x,x,x,x,x,x,x)
		push	0
		push	esi
		mov	edi, eax
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		jmp	short loc_AEDF82
; 

loc_AEDFD9:				; CODE XREF: IopFileUtilWalkDirectoryTreeTopDown(x,x,x,x)+54j
		test	edi, edi
		jns	short loc_AEE017

loc_AEDFDD:				; CODE XREF: IopFileUtilWalkDirectoryTreeTopDown(x,x,x,x)+58j
					; IopFileUtilWalkDirectoryTreeTopDown(x,x,x,x)+D4j
		lea	eax, [ebp+var_410]
		cmp	esi, eax
		jz	short loc_AEE017
		cmp	[esi+4], eax
		jnz	short loc_AEE012
		mov	eax, [esi]
		cmp	[eax+4], esi
		jnz	short loc_AEE012
		push	0
		lea	ecx, [ebp+var_410]
		mov	[ebp+var_410], eax
		push	esi
		mov	[eax+4], ecx
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		mov	esi, [ebp+var_410]
		jmp	short loc_AEDFDD
; 

loc_AEE012:				; CODE XREF: IopFileUtilWalkDirectoryTreeTopDown(x,x,x,x)+5Dj
					; IopFileUtilWalkDirectoryTreeTopDown(x,x,x,x)+64j ...
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_AEE017:				; CODE XREF: IopFileUtilWalkDirectoryTreeTopDown(x,x,x,x)+9Fj
					; IopFileUtilWalkDirectoryTreeTopDown(x,x,x,x)+A9j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_IopFileUtilWalkDirectoryTreeTopDown@16	endp


;  S U B	R O U T	I N E 


; __stdcall KeQueryNumaCosts()
_KeQueryNumaCosts@0 proc near		; CODE XREF: SaveNodeDistanceInformation:loc_AEA543p
		mov	edi, edi
		push	esi
		movzx	esi, ds:_KeNumberNodes
		imul	esi, esi
		push	edi
		push	616D754Eh
		shl	esi, 3
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AEE05E
		push	esi		; size_t
		push	_KiActualNodeCost ; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_AEE05E:				; CODE XREF: KeQueryNumaCosts()+22j
		mov	eax, edi
		pop	edi
		pop	esi
		retn
_KeQueryNumaCosts@0 endp


;  S U B	R O U T	I N E 


; __stdcall KeQueryNumaGraph()
_KeQueryNumaGraph@0 proc near		; CODE XREF: MmInitSystem:loc_AE18C8p
		mov	edi, edi
		push	esi
		movzx	esi, ds:_KeNumberNodes
		imul	esi, esi
		push	edi
		push	616D754Eh
		add	esi, esi
		push	esi
		push	1
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AEE096
		push	esi		; size_t
		push	_KiNodeGraph	; void *
		push	edi		; void *
		call	_memcpy
		add	esp, 0Ch

loc_AEE096:				; CODE XREF: KeQueryNumaGraph()+21j
		mov	eax, edi
		pop	edi
		pop	esi
		retn
_KeQueryNumaGraph@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiForceSymbolReferences()
_KiForceSymbolReferences@0 proc	near	; CODE XREF: KiInitSystem:loc_AE9194p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_1		= byte ptr -1

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20h
		push	edi
		xor	edi, edi
		cmp	large byte ptr fs:51h, 0
		mov	[ebp+var_8], edi
		jnz	loc_AEE1FF
		lea	eax, [ebp+var_8]
		mov	[ebp+var_1C], edi
		and	eax, 7FFFFFFCh
		mov	[ebp+var_18], eax
		jz	loc_AEE1DC
		push	esi
		mov	esi, large fs:124h
		dec	word ptr [esi+13Eh]
		nop
		inc	byte ptr [esi+1E6h]
		nop
		cmp	byte ptr [esi+1E6h], 1
		jz	short loc_AEE0F8

loc_AEE0EB:				; CODE XREF: KiForceSymbolReferences()+A3j
					; KiForceSymbolReferences()+F2j
		lea	eax, [esi+5Ch]
		lock bts dword ptr [eax], 10h
		jmp	loc_AEE1AE
; 

loc_AEE0F8:				; CODE XREF: KiForceSymbolReferences()+4Ej
		mov	cl, [esi+1E4h]
		mov	[ebp+var_10], edi
		test	cl, cl
		jnz	short loc_AEE11C
		lea	ecx, [esi+222h]
		cmp	byte ptr [ecx],	0
		jz	short loc_AEE180
		xor	al, al
		xchg	al, [ecx]
		mov	cl, [esi+1E4h]
		or	cl, al

loc_AEE11C:				; CODE XREF: KiForceSymbolReferences()+68j
		movzx	ecx, cl
		bsf	eax, ecx
		imul	edx, eax, 30h
		btr	ecx, eax
		mov	[ebp+var_10], eax
		mov	[esi+1E4h], cl
		add	edx, [esi+1E8h]
		mov	[ebp+var_C], edx

loc_AEE13A:				; CODE XREF: KiForceSymbolReferences()+104j
		mov	edi, edx
		test	edx, edx
		jz	short loc_AEE0EB
		lea	ecx, [ebp+var_8]
		lea	eax, [ebp+var_8]
		mov	[ebp+var_14], ecx
		mov	ecx, dword_6D07D0
		shr	eax, 15h
		cmp	[ebp+var_14], ecx
		jb	short loc_AEE160
		cmp	byte ptr dword_6D3994[eax], 1
		jz	short loc_AEE173

loc_AEE160:				; CODE XREF: KiForceSymbolReferences()+BAj
		lea	edx, [ebp+var_8]
		cmp	edx, ecx
		mov	edx, [ebp+var_C]
		jb	short loc_AEE1A1
		cmp	byte ptr dword_6D3994[eax], 0Bh
		jnz	short loc_AEE1A1

loc_AEE173:				; CODE XREF: KiForceSymbolReferences()+C3j
		mov	ecx, [esi+80h]
		call	_MmGetSessionIdEx@4 ; MmGetSessionIdEx(x)
		jmp	short loc_AEE1A4
; 

loc_AEE180:				; CODE XREF: KiForceSymbolReferences()+73j
		test	dword ptr ds:byte_70EFC4, 200h
		mov	[ebp+var_C], edi
		jz	loc_AEE0EB
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	_EtwTraceAutoBoostEntryExhaustion@8 ; EtwTraceAutoBoostEntryExhaustion(x,x)
		mov	edx, edi
		jmp	short loc_AEE13A
; 

loc_AEE1A1:				; CODE XREF: KiForceSymbolReferences()+CDj
					; KiForceSymbolReferences()+D6j
		or	eax, 0FFFFFFFFh

loc_AEE1A4:				; CODE XREF: KiForceSymbolReferences()+E3j
		mov	[edx+14h], eax
		nop
		mov	eax, [ebp+var_18]
		mov	[edx+10h], eax

loc_AEE1AE:				; CODE XREF: KiForceSymbolReferences()+58j
		nop
		dec	byte ptr [esi+1E6h]
		lea	eax, [ebp+var_1C]
		push	eax
		lea	edx, [ebp+var_8]
		mov	ecx, esi
		call	KiAbThreadRemoveBoosts
		nop
		add	word ptr [esi+13Eh], 1
		jnz	short loc_AEE1DB
		nop
		lea	eax, [esi+70h]
		cmp	[eax], eax
		jz	short loc_AEE1DB
		call	_KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()

loc_AEE1DB:				; CODE XREF: KiForceSymbolReferences()+131j
					; KiForceSymbolReferences()+139j
		pop	esi

loc_AEE1DC:				; CODE XREF: KiForceSymbolReferences()+2Aj
		lea	eax, [ebp+var_8]
		lock bts dword ptr [eax], 0
		setb	al
		test	edi, edi
		jz	short loc_AEE1FF
		test	al, al
		jnz	short loc_AEE1F5
		or	byte ptr [edi+0Eh], 1
		jmp	short loc_AEE1FF
; 

loc_AEE1F5:				; CODE XREF: KiForceSymbolReferences()+152j
		mov	edx, edi
		lea	ecx, [ebp+var_8]
		call	KeAbPostReleaseEx

loc_AEE1FF:				; CODE XREF: KiForceSymbolReferences()+16j
					; KiForceSymbolReferences()+14Ej ...
		mov	cl, 2
		call	ds:__imp_@KfRaiseIrql@4	; KfRaiseIrql(x)
		mov	[ebp+var_1], al
		lea	eax, [ebp+var_20]
		push	eax
		call	_ExTryAcquireSpinLockExclusiveAtDpcLevel@4 ; ExTryAcquireSpinLockExclusiveAtDpcLevel(x)
		mov	cl, [ebp+var_1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		pop	edi
		leave
		retn
_KiForceSymbolReferences@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGetHalNumaConversionFactor(x)
_KiGetHalNumaConversionFactor@4	proc near ; CODE XREF: KiComputeNumaCosts+255ACp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		movzx	edx, ds:_KeNumberNodes
		mov	eax, ecx
		push	ebx
		push	esi
		xor	ebx, ebx
		mov	[ebp+var_10], eax
		mov	esi, ebx
		push	edi
		test	edx, edx
		jz	loc_AEE2E6
		mov	[ebp+var_8], ebx

loc_AEE245:				; CODE XREF: KiGetHalNumaConversionFactor(x)+81j
		mov	eax, _KiActualNodeCost
		mov	ecx, edx
		imul	ecx, esi
		mov	[ebp+var_4], ebx
		lea	ecx, [eax+ecx*8]
		mov	[ebp+var_C], ecx

loc_AEE258:				; CODE XREF: KiGetHalNumaConversionFactor(x)+75j
		mov	edi, [ecx]
		mov	eax, edi
		mov	ebx, [ecx+4]
		or	eax, ebx
		jz	short loc_AEE285
		mov	eax, edi
		and	eax, ebx
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AEE285
		mov	ecx, [ebp+var_8]
		add	ecx, [ebp+var_4]
		mov	eax, ds:_KeNodeDistance
		mov	eax, [eax+ecx*4]
		mov	[ebp+var_14], eax
		cmp	eax, 1
		ja	short loc_AEE2A2
		mov	ecx, [ebp+var_C]

loc_AEE285:				; CODE XREF: KiGetHalNumaConversionFactor(x)+42j
					; KiGetHalNumaConversionFactor(x)+4Bj
		mov	eax, [ebp+var_4]
		add	ecx, 8
		inc	eax
		mov	[ebp+var_C], ecx
		mov	[ebp+var_4], eax
		cmp	eax, edx
		jb	short loc_AEE258
		add	[ebp+var_8], edx
		inc	esi
		cmp	esi, edx
		jnb	short loc_AEE2E3
		xor	ebx, ebx
		jmp	short loc_AEE245
; 

loc_AEE2A2:				; CODE XREF: KiGetHalNumaConversionFactor(x)+61j
		xor	ecx, ecx
		cmp	ecx, ebx
		jb	short loc_AEE2BE
		ja	short loc_AEE2AE
		cmp	eax, edi
		jb	short loc_AEE2BE

loc_AEE2AE:				; CODE XREF: KiGetHalNumaConversionFactor(x)+89j
		push	ebx
		imul	eax, 64h
		push	edi
		push	ecx
		push	eax
		call	__aulldiv
		push	3
		jmp	short loc_AEE2DB
; 

loc_AEE2BE:				; CODE XREF: KiGetHalNumaConversionFactor(x)+87j
					; KiGetHalNumaConversionFactor(x)+8Dj
		push	64h
		pop	esi
		mov	eax, ebx
		mul	esi
		push	0
		push	[ebp+var_14]
		mov	ecx, eax
		mov	eax, edi
		mul	esi
		add	ecx, edx
		push	ecx
		push	eax
		call	__aulldiv
		push	2

loc_AEE2DB:				; CODE XREF: KiGetHalNumaConversionFactor(x)+9Dj
		mov	esi, [ebp+var_10]
		pop	ecx
		mov	[esi], ecx
		jmp	short loc_AEE2F0
; 

loc_AEE2E3:				; CODE XREF: KiGetHalNumaConversionFactor(x)+7Dj
		mov	eax, [ebp+var_10]

loc_AEE2E6:				; CODE XREF: KiGetHalNumaConversionFactor(x)+1Dj
		mov	dword ptr [eax], 1
		xor	eax, eax
		xor	edx, edx

loc_AEE2F0:				; CODE XREF: KiGetHalNumaConversionFactor(x)+C2j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_KiGetHalNumaConversionFactor@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl KiNodeCostSort(const void	*,const	void *)
_KiNodeCostSort	proc near		; DATA XREF: MiInitializeNumaGraph+2B150o
					; KiComputeNumaCosts+256EAo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, [eax+0Ch]
		mov	edx, [eax+8]
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax+8]
		mov	eax, [eax+0Ch]
		cmp	esi, eax
		ja	short loc_AEE326
		jb	short loc_AEE317
		cmp	edx, ecx
		jnb	short loc_AEE31C

loc_AEE317:				; CODE XREF: _KiNodeCostSort+1Cj
		or	eax, 0FFFFFFFFh
		jmp	short loc_AEE32D
; 

loc_AEE31C:				; CODE XREF: _KiNodeCostSort+20j
		cmp	esi, eax
		jb	short loc_AEE32B
		ja	short loc_AEE326
		cmp	edx, ecx
		jbe	short loc_AEE32B

loc_AEE326:				; CODE XREF: _KiNodeCostSort+1Aj
					; _KiNodeCostSort+2Bj
		xor	eax, eax
		inc	eax
		jmp	short loc_AEE32D
; 

loc_AEE32B:				; CODE XREF: _KiNodeCostSort+29j
					; _KiNodeCostSort+2Fj
		xor	eax, eax

loc_AEE32D:				; CODE XREF: _KiNodeCostSort+25j
					; _KiNodeCostSort+34j
		pop	esi
		pop	ebp
		retn
_KiNodeCostSort	endp


;  S U B	R O U T	I N E 


; __stdcall KiEnableX87Clearing()
_KiEnableX87Clearing@0 proc near	; CODE XREF: KiInitializeKernel(x,x,x,x,x,x)+301p
		xor	eax, eax

loc_AEE332:				; CODE XREF: KiEnableX87Clearing()+1Bj
		mov	ecx, dword ptr ds:_KiX87JMPPointers[eax]
		cmp	byte ptr [ecx],	0EBh
		jnz	short loc_AEE345
		mov	edx, 9066h
		mov	[ecx], dx

loc_AEE345:				; CODE XREF: KiEnableX87Clearing()+Bj
		add	eax, 4
		cmp	eax, 8
		jb	short loc_AEE332
		retn
_KiEnableX87Clearing@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAssignAdjustableNodes(x, x, x, x)
_KiAssignAdjustableNodes@16 proc near	; CODE XREF: KiPerformGroupConfiguration+2568Bp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		xor	eax, eax
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		cmp	ax, dx
		jnb	short loc_AEE3DB
		movzx	edx, dx
		mov	[ebp+var_4], edx
		push	ebx

loc_AEE36A:				; CODE XREF: KiAssignAdjustableNodes(x,x,x,x)+8Aj
		mov	eax, [esi]
		mov	[ebp+var_C], eax
		test	byte ptr [eax+0A5h], 8
		jnz	short loc_AEE3CF
		movzx	ebx, byte ptr [eax+0A4h]
		xor	ecx, ecx
		mov	[ebp+var_8], ebx

loc_AEE384:				; CODE XREF: KiAssignAdjustableNodes(x,x,x,x)+4Fj
		mov	eax, [ebp+arg_4]
		movzx	ebx, cx
		mov	[ebp+var_10], ebx
		mov	ebx, [eax+ebx*4]
		mov	eax, [ebp+var_C]
		cmp	ebx, [ebp+var_8]
		jnb	short loc_AEE3A1
		inc	ecx
		cmp	cx, 1
		jb	short loc_AEE384
		jmp	short loc_AEE3CF
; 

loc_AEE3A1:				; CODE XREF: KiAssignAdjustableNodes(x,x,x,x)+48j
		mov	edx, [ebp+arg_4]
		mov	[eax+88h], cx
		or	byte ptr [eax+0A5h], 2
		movzx	eax, byte ptr [eax+0A4h]
		sub	ebx, eax
		mov	eax, [ebp+var_10]
		mov	[edx+eax*4], ebx
		mov	edx, [ebp+var_4]
		cmp	di, cx
		ja	short loc_AEE3CF
		lea	eax, [ecx+1]
		movzx	edi, ax

loc_AEE3CF:				; CODE XREF: KiAssignAdjustableNodes(x,x,x,x)+28j
					; KiAssignAdjustableNodes(x,x,x,x)+51j	...
		add	esi, 4
		sub	edx, 1
		mov	[ebp+var_4], edx
		jnz	short loc_AEE36A
		pop	ebx

loc_AEE3DB:				; CODE XREF: KiAssignAdjustableNodes(x,x,x,x)+13j
		mov	ax, di
		pop	edi
		pop	esi
		leave
		retn	8
_KiAssignAdjustableNodes@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiAssignFixedNodes(x, x, x,	x, x, x)
_KiAssignFixedNodes@24 proc near	; CODE XREF: KiPerformGroupConfiguration+2565Dp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= word ptr -4
var_1		= byte ptr -1
arg_0		= word ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:_KiMaximumGroupSize
		push	ebx
		mov	ebx, [ebp+arg_C]
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	esi, 0FFFFh
		mov	[ebp+var_4], dx
		mov	[ebp+var_C], ecx
		mov	[edi], eax
		xor	eax, eax
		mov	[ebx], ax
		cmp	ax, dx
		jnb	short loc_AEE431
		movzx	edx, dx

loc_AEE415:				; CODE XREF: KiAssignFixedNodes(x,x,x,x,x,x)+47j
		mov	eax, [ecx]
		lea	ecx, [ecx+4]
		mov	[eax+88h], si
		and	byte ptr [eax+0A5h], 0FDh
		sub	edx, 1
		jnz	short loc_AEE415
		mov	dx, [ebp+var_4]

loc_AEE431:				; CODE XREF: KiAssignFixedNodes(x,x,x,x,x,x)+2Cj
		xor	eax, eax
		xor	ecx, ecx
		inc	ecx
		mov	esi, eax
		mov	[ebp+var_14], esi
		mov	[ebp+var_24], ecx
		cmp	ax, dx
		jnb	loc_AEE583

loc_AEE447:				; CODE XREF: KiAssignFixedNodes(x,x,x,x,x,x)+196j
		mov	eax, [ebp+var_C]
		movzx	ecx, si
		mov	eax, [eax+ecx*4]
		mov	[ebp+var_20], eax
		mov	dl, [eax+0A5h]
		mov	[ebp+var_1], dl
		test	dl, 8
		mov	dx, [ebp+var_4]
		jz	loc_AEE573
		cmp	si, [ebp+arg_0]
		jnb	short loc_AEE490
		mov	[eax+88h], si

loc_AEE476:				; CODE XREF: KiAssignFixedNodes(x,x,x,x,x,x)+126j
		or	byte ptr [eax+0A5h], 2
		movzx	eax, byte ptr [eax+0A4h]
		inc	word ptr [ebx+ecx*2]
		sub	[edi+ecx*4], eax
		jmp	loc_AEE573
; 

loc_AEE490:				; CODE XREF: KiAssignFixedNodes(x,x,x,x,x,x)+89j
		mov	ebx, ds:_KiMaximumGroupSize
		xor	ecx, ecx
		mov	[ebp+var_18], ebx
		inc	ecx
		xor	ebx, ebx
		cmp	bx, [ebp+arg_0]
		mov	[ebp+var_10], ebx
		mov	ebx, [ebp+arg_C]
		jnb	short loc_AEE50F
		movzx	esi, byte ptr [eax+0A4h]
		mov	eax, ebx
		mov	ebx, edi
		mov	[ebp+var_1C], esi
		mov	esi, [ebp+var_18]
		mov	[ebp+var_8], ebx

loc_AEE4BE:				; CODE XREF: KiAssignFixedNodes(x,x,x,x,x,x)+108j
		mov	edi, [ebp+var_1C]
		cmp	[ebx], edi
		mov	edi, [ebp+var_10]
		jb	short loc_AEE4DB
		movzx	ebx, word ptr [eax]
		mov	[ebp+var_18], ebx
		cmp	ebx, esi
		mov	ebx, [ebp+var_8]
		jnb	short loc_AEE4DB
		mov	esi, [ebp+var_18]
		movzx	ecx, di

loc_AEE4DB:				; CODE XREF: KiAssignFixedNodes(x,x,x,x,x,x)+E2j
					; KiAssignFixedNodes(x,x,x,x,x,x)+EFj
		inc	edi
		add	ebx, 4
		add	eax, 2
		mov	[ebp+var_10], edi
		mov	[ebp+var_8], ebx
		cmp	di, [ebp+arg_0]
		jb	short loc_AEE4BE
		mov	esi, [ebp+var_14]
		mov	eax, [ebp+var_20]
		mov	edi, [ebp+arg_8]
		mov	ebx, [ebp+arg_C]
		cmp	cx, word ptr [ebp+var_24]
		jz	short loc_AEE50F
		mov	[eax+88h], cx
		movzx	ecx, cx
		jmp	loc_AEE476
; 

loc_AEE50F:				; CODE XREF: KiAssignFixedNodes(x,x,x,x,x,x)+C4j
					; KiAssignFixedNodes(x,x,x,x,x,x)+11Aj
		cmp	[ebp+arg_4], 0
		jz	short loc_AEE58C
		xor	ecx, ecx
		cmp	[eax+8Ah], cx
		jnz	short loc_AEE573
		test	[ebp+var_1], 2
		mov	ecx, 0FFFFh
		mov	edx, [ebp+var_C]
		jnz	short loc_AEE53F

loc_AEE52E:				; CODE XREF: KiAssignFixedNodes(x,x,x,x,x,x)+159j
		add	esi, ecx
		movzx	eax, si
		mov	eax, [edx+eax*4]
		test	byte ptr [eax+0A5h], 2
		jz	short loc_AEE52E

loc_AEE53F:				; CODE XREF: KiAssignFixedNodes(x,x,x,x,x,x)+148j
		movzx	eax, si
		mov	edx, [edx+eax*4]
		movzx	eax, word ptr [edx+88h]
		mov	[edx+88h], cx
		mov	ecx, eax
		and	byte ptr [edx+0A5h], 0FDh
		mov	eax, 0FFFFh
		add	[ebx+ecx*2], ax
		movzx	eax, byte ptr [edx+0A4h]
		add	[edi+ecx*4], eax
		mov	dx, [ebp+var_4]

loc_AEE573:				; CODE XREF: KiAssignFixedNodes(x,x,x,x,x,x)+7Fj
					; KiAssignFixedNodes(x,x,x,x,x,x)+A7j ...
		inc	esi
		mov	[ebp+var_14], esi
		cmp	si, dx
		jb	loc_AEE447
		xor	ecx, ecx
		inc	ecx

loc_AEE583:				; CODE XREF: KiAssignFixedNodes(x,x,x,x,x,x)+5Dj
		mov	al, cl

loc_AEE585:				; CODE XREF: KiAssignFixedNodes(x,x,x,x,x,x)+1AAj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_AEE58C:				; CODE XREF: KiAssignFixedNodes(x,x,x,x,x,x)+12Fj
		xor	al, al
		jmp	short loc_AEE585
_KiAssignFixedNodes@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiShuffleAssignedNodes(x, x, x, x)
_KiShuffleAssignedNodes@16 proc	near	; CODE XREF: KiPerformGroupConfiguration+2567Cp

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= word ptr -4
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		mov	bx, dx
		xor	eax, eax
		push	esi
		mov	edx, ecx
		mov	[ebp+var_4], bx
		push	edi
		mov	[ebp+var_10], edx
		mov	[ebp+var_3C], eax

loc_AEE5AC:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+382j
		xor	cl, cl
		xor	esi, esi
		xor	edi, edi
		mov	[ebp+var_1], cl
		mov	[ebp+var_8], esi
		cmp	di, bx
		jnb	loc_AEE907
		mov	edi, edx
		mov	[ebp+var_38], edx

loc_AEE5C6:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+36Bj
		mov	edi, [edi]
		mov	[ebp+var_14], edi
		test	byte ptr [edi+0A5h], 2
		jz	loc_AEE8E8
		and	[ebp+var_30], 0
		mov	ecx, edx
		mov	ax, [ebp+var_4]
		xor	ebx, ebx
		mov	[ebp+var_C], 10h
		mov	[ebp+var_20], ebx
		mov	[ebp+var_34], ecx

loc_AEE5F1:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+2FBj
		mov	ecx, [ecx]
		mov	[ebp+var_28], ecx
		test	byte ptr [ecx+0A5h], 2
		jz	loc_AEE878
		cmp	si, bx
		jz	loc_AEE878
		movzx	ecx, word ptr [ecx+88h]
		movzx	edx, word ptr [edi+88h]
		mov	[ebp+var_24], ecx
		cmp	dx, cx
		jz	loc_AEE878
		mov	eax, [ebp+var_28]
		movzx	ecx, byte ptr [edi+0A4h]
		movzx	eax, byte ptr [eax+0A4h]
		cmp	si, bx
		jnb	short loc_AEE646
		mov	esi, [ebp+var_24]
		sub	ecx, eax
		movzx	esi, si
		jmp	short loc_AEE64C
; 

loc_AEE646:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+AAj
		sub	eax, ecx
		mov	esi, edx
		mov	ecx, eax

loc_AEE64C:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+B4j
		movzx	eax, si
		mov	esi, [ebp+arg_0]
		cmp	[esi+eax*4], ecx
		jb	loc_AEE871
		and	[ebp+var_18], 0
		mov	ecx, edx
		mov	edi, [ebp+var_10]
		xor	esi, esi
		mov	dx, [ebp+var_4]
		mov	ebx, [ebp+var_14]
		movzx	eax, cx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_1C], ecx

loc_AEE679:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+147j
		cmp	si, ax
		jz	short loc_AEE6D0
		mov	eax, [edi]
		cmp	[eax+88h], cx
		jnz	short loc_AEE6CD
		test	byte ptr [eax+0A5h], 2
		jz	short loc_AEE6CD
		movzx	ecx, ds:_KeNumberNodes
		movzx	edx, word ptr [ebx+8Ah]
		imul	edx, ecx
		movzx	ecx, word ptr [eax+8Ah]
		mov	eax, [ebp+var_2C]
		add	edx, ecx
		mov	ecx, [ebp+arg_4]
		movzx	ecx, word ptr [ecx+eax*2]
		mov	eax, ds:_KeNodeDistance
		dec	ecx
		mov	eax, [eax+edx*4]
		xor	edx, edx
		div	ecx
		mov	ecx, [ebp+var_1C]
		add	[ebp+var_18], eax
		mov	dx, [ebp+var_4]

loc_AEE6CD:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+F7j
					; KiShuffleAssignedNodes(x,x,x,x)+100j
		mov	eax, [ebp+var_8]

loc_AEE6D0:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+ECj
		inc	esi
		add	edi, 4
		cmp	si, dx
		jb	short loc_AEE679
		mov	eax, [ebp+var_24]
		xor	esi, esi
		mov	edi, [ebp+var_10]
		mov	ebx, [ebp+var_20]
		movzx	ecx, ax
		movzx	eax, cx
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_2C], eax

loc_AEE6F0:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+1BEj
		cmp	si, bx
		jz	short loc_AEE747
		mov	eax, [edi]
		cmp	[eax+88h], cx
		jnz	short loc_AEE747
		test	byte ptr [eax+0A5h], 2
		jz	short loc_AEE747
		mov	ecx, [ebp+var_28]
		movzx	edx, word ptr [ecx+8Ah]
		movzx	ecx, ds:_KeNumberNodes
		imul	edx, ecx
		movzx	ecx, word ptr [eax+8Ah]
		mov	eax, [ebp+var_2C]
		add	edx, ecx
		mov	ecx, [ebp+arg_4]
		movzx	ecx, word ptr [ecx+eax*2]
		mov	eax, ds:_KeNodeDistance
		dec	ecx
		mov	eax, [eax+edx*4]
		xor	edx, edx
		div	ecx
		mov	ecx, [ebp+var_1C]
		add	[ebp+var_18], eax
		mov	dx, [ebp+var_4]

loc_AEE747:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+163j
					; KiShuffleAssignedNodes(x,x,x,x)+16Ej	...
		inc	esi
		add	edi, 4
		cmp	si, dx
		jb	short loc_AEE6F0
		mov	eax, [ebp+var_24]
		xor	ecx, ecx
		mov	edi, [ebp+var_10]
		xor	esi, esi
		movzx	eax, ax
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_24], eax

loc_AEE763:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+239j
		cmp	si, bx
		jz	short loc_AEE7C2
		mov	eax, [edi]
		mov	ebx, [ebp+var_24]
		cmp	[eax+88h], bx
		mov	ebx, [ebp+var_20]
		jnz	short loc_AEE7C2
		test	byte ptr [eax+0A5h], 2
		jz	short loc_AEE7C2
		mov	ecx, [ebp+var_14]
		movzx	edx, word ptr [ecx+8Ah]
		movzx	ecx, ds:_KeNumberNodes
		imul	edx, ecx
		movzx	ecx, word ptr [eax+8Ah]
		mov	eax, [ebp+var_2C]
		add	edx, ecx
		mov	ecx, [ebp+arg_4]
		movzx	ecx, word ptr [ecx+eax*2]
		mov	eax, ds:_KeNodeDistance
		dec	ecx
		mov	eax, [eax+edx*4]
		xor	edx, edx
		div	ecx
		mov	ecx, [ebp+var_1C]
		mov	dx, [ebp+var_4]
		add	ecx, eax
		mov	[ebp+var_1C], ecx

loc_AEE7C2:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+1D6j
					; KiShuffleAssignedNodes(x,x,x,x)+1E7j	...
		inc	esi
		add	edi, 4
		cmp	si, dx
		jb	short loc_AEE763
		mov	eax, [ebp+var_14]
		xor	esi, esi
		mov	edi, [ebp+var_10]
		movzx	edx, word ptr [eax+88h]
		movzx	eax, dx
		mov	[ebp+var_2C], eax
		mov	eax, [ebp+var_8]
		mov	ebx, [ebp+var_2C]
		mov	[ebp+var_24], edx

loc_AEE7E9:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+2B9j
		cmp	si, ax
		jz	short loc_AEE841
		mov	eax, [edi]
		cmp	[eax+88h], dx
		jnz	short loc_AEE83E
		test	byte ptr [eax+0A5h], 2
		jz	short loc_AEE83E
		mov	ecx, [ebp+var_28]
		movzx	edx, word ptr [ecx+8Ah]
		movzx	ecx, ds:_KeNumberNodes
		imul	edx, ecx
		movzx	ecx, word ptr [eax+8Ah]
		mov	eax, [ebp+arg_4]
		add	edx, ecx
		movzx	ecx, word ptr [eax+ebx*2]
		mov	eax, ds:_KeNodeDistance
		dec	ecx
		mov	eax, [eax+edx*4]
		xor	edx, edx
		div	ecx
		mov	ecx, [ebp+var_1C]
		mov	edx, [ebp+var_24]
		add	ecx, eax
		mov	[ebp+var_1C], ecx

loc_AEE83E:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+267j
					; KiShuffleAssignedNodes(x,x,x,x)+270j
		mov	eax, [ebp+var_8]

loc_AEE841:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+25Cj
		inc	esi
		add	edi, 4
		cmp	si, [ebp+var_4]
		jb	short loc_AEE7E9
		mov	eax, [ebp+var_18]
		mov	ebx, [ebp+var_20]
		mov	esi, [ebp+var_8]
		mov	edi, [ebp+var_14]
		cmp	ecx, eax
		jnb	short loc_AEE874
		sub	eax, ecx
		cmp	[ebp+var_30], eax
		jnb	short loc_AEE874
		movzx	edx, bx
		mov	[ebp+var_30], eax
		mov	ax, [ebp+var_4]
		mov	[ebp+var_C], edx
		jmp	short loc_AEE87B
; 

loc_AEE871:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+C5j
		mov	esi, [ebp+var_8]

loc_AEE874:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+2C9j
					; KiShuffleAssignedNodes(x,x,x,x)+2D0j
		mov	ax, [ebp+var_4]

loc_AEE878:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+6Dj
					; KiShuffleAssignedNodes(x,x,x,x)+76j ...
		mov	edx, [ebp+var_C]

loc_AEE87B:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+2DFj
		mov	ecx, [ebp+var_34]
		inc	ebx
		add	ecx, 4
		mov	[ebp+var_20], ebx
		mov	[ebp+var_34], ecx
		cmp	bx, ax
		jb	loc_AEE5F1
		push	10h
		pop	eax
		cmp	dx, ax
		jz	short loc_AEE8E4
		movzx	ecx, word ptr [edi+88h]
		mov	ebx, [ebp+arg_0]
		movzx	eax, dx
		mov	edx, [ebp+var_10]
		mov	[ebp+var_1], 1
		mov	eax, [edx+eax*4]
		movzx	esi, word ptr [eax+88h]
		mov	[edi+88h], si
		mov	[eax+88h], cx
		movzx	edx, byte ptr [eax+0A4h]
		movzx	edi, byte ptr [edi+0A4h]
		mov	eax, edx
		sub	eax, edi
		sub	edi, edx
		add	[ebx+ecx*4], eax
		mov	eax, esi
		mov	esi, [ebp+var_8]
		add	[ebx+eax*4], edi

loc_AEE8E4:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+307j
		mov	bx, [ebp+var_4]

loc_AEE8E8:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+42j
		mov	edi, [ebp+var_38]
		inc	esi
		mov	edx, [ebp+var_10]
		add	edi, 4
		mov	[ebp+var_8], esi
		mov	[ebp+var_38], edi
		cmp	si, bx
		jb	loc_AEE5C6
		mov	eax, [ebp+var_3C]
		mov	cl, [ebp+var_1]

loc_AEE907:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+2Bj
		inc	eax
		mov	[ebp+var_3C], eax
		test	cl, cl
		jz	short loc_AEE918
		cmp	eax, 0Ah
		jb	loc_AEE5AC

loc_AEE918:				; CODE XREF: KiShuffleAssignedNodes(x,x,x,x)+37Dj
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_KiShuffleAssignedNodes@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall KiGetTbLeafInfo()
_KiGetTbLeafInfo@0 proc	near		; CODE XREF: KeGetTbSize+28D6Dp

var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_1C], 1
		lea	edi, [ebp+var_14]
		stosd
		push	18h
		stosd
		stosd
		stosd
		pop	eax
		xor	edi, edi
		xor	ecx, ecx
		push	ebx
		cpuid
		mov	esi, ebx
		mov	[ebp+var_18], edi
		pop	ebx
		nop
		lea	ebx, [ebp+var_14]
		mov	[ebx], eax
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		mov	eax, [ebp+var_14]
		mov	[ebp+var_24], eax

loc_AEE969:				; CODE XREF: KiGetTbLeafInfo()+C3j
		mov	eax, [ebp+var_1C]
		mov	ecx, edi
		push	18h
		mov	[ebp+var_20], eax
		pop	eax
		push	ebx
		cpuid
		mov	esi, ebx
		pop	ebx
		nop
		lea	ebx, [ebp+var_14]
		mov	[ebx], eax
		mov	[ebx+4], esi
		mov	[ebx+8], ecx
		mov	[ebx+0Ch], edx
		mov	edx, [ebp+var_8]
		mov	eax, edx
		or	eax, [ebp+var_C]
		mov	ecx, [ebp+var_10]
		or	eax, ecx
		or	eax, [ebp+var_14]
		jz	short loc_AEE9DB
		mov	ebx, [ebp+var_1C]
		mov	eax, edx
		shr	eax, 5
		and	eax, 7
		cmp	eax, ebx
		jb	short loc_AEE9DB
		test	cl, 1
		jz	short loc_AEE9DB
		and	edx, 1Fh
		cmp	edx, 1
		jz	short loc_AEE9BC
		cmp	edx, 3
		jnz	short loc_AEE9DB

loc_AEE9BC:				; CODE XREF: KiGetTbLeafInfo()+96j
		cmp	eax, ebx
		jbe	short loc_AEE9C3
		mov	[ebp+var_1C], eax

loc_AEE9C3:				; CODE XREF: KiGetTbLeafInfo()+9Fj
		cmp	[ebp+var_20], eax
		sbb	eax, eax
		shr	ecx, 10h
		imul	ecx, [ebp+var_C]
		not	eax
		and	eax, [ebp+var_18]
		add	eax, ecx
		mov	[ebp+var_18], eax
		jmp	short loc_AEE9DE
; 

loc_AEE9DB:				; CODE XREF: KiGetTbLeafInfo()+7Aj
					; KiGetTbLeafInfo()+89j ...
		mov	eax, [ebp+var_18]

loc_AEE9DE:				; CODE XREF: KiGetTbLeafInfo()+BAj
		inc	edi
		cmp	edi, [ebp+var_24]
		jbe	short loc_AEE969
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_KiGetTbLeafInfo@0 endp


;  S U B	R O U T	I N E 


; __stdcall KiInitializeCacheErrataSupport(x)
_KiInitializeCacheErrataSupport@4 proc near ; CODE XREF: KiInitMachineDependent+25681p
		cmp	ds:_KiTLBCOverride, 0
		push	ebx
		push	esi
		push	edi
		mov	bl, cl
		jz	short loc_AEEA17
		call	_KiDisableCacheErrataSource@0 ;	KiDisableCacheErrataSource()
		test	bl, bl
		jz	short loc_AEEA11
		and	ds:_KiCacheErrataMonitor, 0

loc_AEEA11:				; CODE XREF: KiInitializeCacheErrataSupport(x)+15j
					; KiInitializeCacheErrataSupport(x)+26j ...
		mov	al, 1

loc_AEEA13:				; CODE XREF: KiInitializeCacheErrataSupport(x)+49j
					; KiInitializeCacheErrataSupport(x)+C8j
		pop	edi
		pop	esi
		pop	ebx
		retn
; 

loc_AEEA17:				; CODE XREF: KiInitializeCacheErrataSupport(x)+Cj
		test	bl, bl
		jz	short loc_AEEA11
		mov	esi, ds:_KeNumberProcessors
		xor	ebx, ebx
		inc	ebx
		cmp	esi, ebx
		jnz	short loc_AEEA3E
		mov	ds:_KiTLBCOverride, ebx
		call	_KiDisableCacheErrataSource@0 ;	KiDisableCacheErrataSource()
		and	ds:_KiCacheErrataMonitor, 0
		mov	al, bl
		jmp	short loc_AEEA13
; 

loc_AEEA3E:				; CODE XREF: KiInitializeCacheErrataSupport(x)+33j
		imul	eax, esi, 0Ch
		push	2020654Bh
		add	eax, 38h
		push	eax
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AEEAB9
		xor	edx, edx
		lea	ecx, [edi+4]	; void *
		mov	eax, 393870h
		div	esi
		push	0		; __int16
		push	0		; int
		mov	edx, offset @KiMonitorCacheErrata@8 ; int
		mov	[edi], eax
		call	_KeInitializeProfileCallback@16	; KeInitializeProfileCallback(x,x,x,x)
		xor	ebx, ebx
		lea	ecx, [edi+38h]
		test	esi, esi
		jz	short loc_AEEA97

loc_AEEA7F:				; CODE XREF: KiInitializeCacheErrataSupport(x)+A2j
		or	dword ptr [ecx], 0FFFFFFFFh
		xor	edx, edx
		inc	ebx
		and	dword ptr [ecx+4], 0
		mov	eax, ebx
		lea	ecx, [ecx+0Ch]
		div	esi
		mov	[ecx-4], edx
		cmp	ebx, esi
		jb	short loc_AEEA7F

loc_AEEA97:				; CODE XREF: KiInitializeCacheErrataSupport(x)+8Aj
		mov	eax, edi
		mov	ecx, offset _KiCacheErrataMonitor
		xchg	eax, [ecx]
		mov	ecx, [edi]
		xor	edx, edx
		call	_KeSetIntervalProfile@8	; KeSetIntervalProfile(x,x)
		lea	ecx, [edi+4]
		call	_KeStartProfile@4 ; KeStartProfile(x)
		test	al, al
		jnz	loc_AEEA11

loc_AEEAB9:				; CODE XREF: KiInitializeCacheErrataSupport(x)+65j
		xor	al, al
		jmp	loc_AEEA13
_KiInitializeCacheErrataSupport@4 endp


;  S U B	R O U T	I N E 


; __stdcall KsepEngineUninitialize(x)
_KsepEngineUninitialize@4 proc near	; CODE XREF: KseInitialize+20261p
		mov	edi, edi
		push	esi
		mov	esi, ecx
		test	esi, esi
		jnz	short loc_AEEB15
		xor	eax, eax
		inc	eax
		lock xadd _KsepHistoryErrorsIndex, eax
		inc	eax
		and	eax, 3Fh
		test	_KsepDebugFlag,	4
		push	2
		pop	ecx
		mov	word_6C7022[eax*8], cx
		mov	ecx, 371h
		mov	dword_6C7024[eax*8], 0C0000420h
		mov	_KsepHistoryErrors[eax*8], cx
		jz	short loc_AEEB15
		push	esi
		push	ecx
		push	offset ??_C@_0BP@FJIAFDAP@minkernel?2ntos?2kshim?2ksecore?4c@PBOPGDP@
		push	offset ??_C@_0P@CCGIFHAI@Engine?5?$CB?$DN?5NULL@PBOPGDP@
		call	_RtlAssert@16	; RtlAssert(x,x,x,x)

loc_AEEB15:				; CODE XREF: KsepEngineUninitialize(x)+7j
					; KsepEngineUninitialize(x)+42j
		mov	ecx, [esi+28h]
		test	ecx, ecx
		jz	short loc_AEEB25
		call	_KsepCacheUninitialize@4 ; KsepCacheUninitialize(x)
		and	dword ptr [esi+28h], 0

loc_AEEB25:				; CODE XREF: KsepEngineUninitialize(x)+5Aj
		or	dword ptr [esi], 3
		or	dword ptr [esi+8], 400h
		pop	esi
		retn
_KsepEngineUninitialize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MmTriageActiveInLastCrash(x)
_MmTriageActiveInLastCrash@4 proc near	; CODE XREF: VfTriageSystem+1A38Dp

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ecx+84h]
		sub	esp, 14h
		push	esi
		test	eax, eax
		jz	short loc_AEEB83
		cmp	dword ptr [eax], 0D30h
		jb	short loc_AEEB83
		mov	esi, [eax+1Ch]
		lea	edx, [ebp+var_14]
		lea	eax, [ebp+var_4]
		mov	ecx, esi
		push	eax
		lea	eax, [ebp+var_8]
		push	eax
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_10]
		push	eax
		call	_TriageGetBugcheckData@24 ; TriageGetBugcheckData(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AEEB83
		mov	ecx, esi
		call	_TriageGetMmInformation@4 ; TriageGetMmInformation(x)
		test	eax, eax
		jz	short loc_AEEB83
		cmp	dword ptr [eax+0Ch], 0
		jz	short loc_AEEB83
		xor	eax, eax
		inc	eax
		jmp	short loc_AEEB85
; 

loc_AEEB83:				; CODE XREF: MmTriageActiveInLastCrash(x)+11j
					; MmTriageActiveInLastCrash(x)+19j ...
		xor	eax, eax

loc_AEEB85:				; CODE XREF: MmTriageActiveInLastCrash(x)+50j
		pop	esi
		leave
		retn
_MmTriageActiveInLastCrash@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeSystemChannelOrdering(x, x)
_MiInitializeSystemChannelOrdering@8 proc near
					; CODE XREF: MiInitializeChannelOrdering+66059p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		imul	edx, eax, 280h
		push	ebx
		xor	ebx, ebx
		add	edx, [ecx+10h]
		mov	ecx, ds:_MxFreeDescriptor[eax*4]
		cmp	[ecx+4], ebx
		jz	short loc_AEEBAF
		mov	byte ptr [edx+203h], 2

loc_AEEBAF:				; CODE XREF: MiInitializeSystemChannelOrdering(x,x)+1Ej
		push	esi
		mov	esi, dword_6D06B4
		jmp	short loc_AEEBE8
; 

loc_AEEBB8:				; CODE XREF: MiInitializeSystemChannelOrdering(x,x)+63j
		movzx	ecx, word ptr [esi+6]
		cmp	ecx, eax
		jnz	short loc_AEEBE5
		movzx	ecx, word ptr [esi+8]
		cmp	[esi+0Ah], bl
		jnz	short loc_AEEBD3
		mov	byte ptr [ecx+edx+203h], 2
		jmp	short loc_AEEBE5
; 

loc_AEEBD3:				; CODE XREF: MiInitializeSystemChannelOrdering(x,x)+3Fj
		cmp	byte ptr [ecx+edx+203h], 2
		jz	short loc_AEEBE5
		mov	byte ptr [ecx+edx+203h], 1

loc_AEEBE5:				; CODE XREF: MiInitializeSystemChannelOrdering(x,x)+36j
					; MiInitializeSystemChannelOrdering(x,x)+49j ...
		add	esi, 0Ch

loc_AEEBE8:				; CODE XREF: MiInitializeSystemChannelOrdering(x,x)+2Ej
		cmp	dword ptr [esi], 0FFFFFFFFh
		jnz	short loc_AEEBB8
		mov	cl, [edx+203h]
		mov	eax, ebx
		pop	esi
		cmp	cl, 2
		jnz	short loc_AEEC05
		xor	eax, eax
		mov	[edx+201h], bx
		inc	eax

loc_AEEC05:				; CODE XREF: MiInitializeSystemChannelOrdering(x,x)+71j
		cmp	cl, 1
		jnz	short loc_AEEC19
		mov	[eax+edx+201h],	bx
		inc	eax
		mov	cl, [edx+203h]

loc_AEEC19:				; CODE XREF: MiInitializeSystemChannelOrdering(x,x)+80j
		test	cl, cl
		jnz	short loc_AEEC25
		mov	[eax+edx+201h],	bx

loc_AEEC25:				; CODE XREF: MiInitializeSystemChannelOrdering(x,x)+93j
		pop	ebx
		pop	ebp
		retn	4
_MiInitializeSystemChannelOrdering@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiInitializeEnclaveMetadataPage()
_MiInitializeEnclaveMetadataPage@0 proc	near ; CODE XREF: MiCreateEnclaveRegions:loc_AE27CFp

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		xor	edx, edx
		inc	edx
		mov	ecx, offset dword_6D35E0
		push	ebx
		push	esi
		push	edi
		call	MiReservePtes
		mov	esi, eax
		test	esi, esi
		jz	loc_AEED66
		push	0
		push	40h
		push	48h
		mov	edx, 4D424D45h
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		jz	loc_AEED58
		lea	ecx, [edi+8]
		mov	dword ptr [edi], 200h
		mov	[edi+4], ecx
		xor	edx, edx
		movsx	eax, byte ptr [ecx]
		bts	eax, 0
		mov	[ecx], al
		mov	ecx, offset _MiSystemPartition
		call	_MiGetEnclavePage@8 ; MiGetEnclavePage(x,x)
		mov	ebx, eax
		mov	[ebp+var_8], ebx
		cmp	ebx, 0FFFFFFFFh
		jz	loc_AEED44
		push	0C0000004h
		mov	edx, ebx
		mov	ecx, esi
		call	MiMakeValidPte
		and	[ebp+var_4], 0
		mov	ecx, esi
		mov	ebx, eax
		call	_MiPteInShadowRange@4 ;	MiPteInShadowRange(x)
		test	eax, eax
		jz	short loc_AEECF9
		call	_MiPteHasShadow@4 ; MiPteHasShadow(x)
		test	eax, eax
		jz	short loc_AEECDC
		xor	ecx, ecx
		inc	ecx
		cmp	byte ptr word_6D07B8+1,	0
		jnz	short loc_AEECFC

loc_AEECCA:				; CODE XREF: MiInitializeEnclaveMetadataPage()+CBj
		mov	eax, ebx
		and	eax, 1
		or	eax, 0
		jz	short loc_AEECFC
		or	edx, 80000000h
		jmp	short loc_AEECFC
; 

loc_AEECDC:				; CODE XREF: MiInitializeEnclaveMetadataPage()+92j
		mov	eax, large fs:124h
		mov	ecx, [ebp+var_4]
		mov	eax, [eax+80h]
		test	dword ptr [eax+3A8h], 1000h
		jnz	short loc_AEECCA
		jmp	short loc_AEECFC
; 

loc_AEECF9:				; CODE XREF: MiInitializeEnclaveMetadataPage()+89j
		mov	ecx, [ebp+var_4]

loc_AEECFC:				; CODE XREF: MiInitializeEnclaveMetadataPage()+9Ej
					; MiInitializeEnclaveMetadataPage()+A8j ...
		mov	[esi+4], edx
		nop
		mov	[esi], ebx
		test	ecx, ecx
		jz	short loc_AEED0F
		push	edx
		push	ebx
		mov	ecx, esi
		call	_MiWritePteShadow@12 ; MiWritePteShadow(x,x,x)

loc_AEED0F:				; CODE XREF: MiInitializeEnclaveMetadataPage()+DAj
		mov	ebx, esi
		shl	ebx, 9
		mov	ecx, ebx
		call	_KeCreateEnclaveMetadataPage@4 ; KeCreateEnclaveMetadataPage(x)
		test	eax, eax
		js	short loc_AEED41
		and	dword_6D358C, 0
		xor	eax, eax
		mov	dword_6D3584, ebx
		inc	eax
		mov	dword_6D3588, edi
		mov	dword_6D3590, 0
		jmp	short loc_AEED68
; 

loc_AEED41:				; CODE XREF: MiInitializeEnclaveMetadataPage()+F3j
		mov	ebx, [ebp+var_8]

loc_AEED44:				; CODE XREF: MiInitializeEnclaveMetadataPage()+66j
		push	0
		push	edi
		call	_ExFreePoolWithTag@8 ; ExFreePoolWithTag(x,x)
		cmp	ebx, 0FFFFFFFFh
		jz	short loc_AEED58
		mov	ecx, ebx
		call	_MiReturnEnclavePage@4 ; MiReturnEnclavePage(x)

loc_AEED58:				; CODE XREF: MiInitializeEnclaveMetadataPage()+37j
					; MiInitializeEnclaveMetadataPage()+125j
		push	1
		mov	edx, esi
		mov	ecx, offset dword_6D35E0
		call	_MiReleasePtes@12 ; MiReleasePtes(x,x,x)

loc_AEED66:				; CODE XREF: MiInitializeEnclaveMetadataPage()+1Cj
		xor	eax, eax

loc_AEED68:				; CODE XREF: MiInitializeEnclaveMetadataPage()+115j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_MiInitializeEnclaveMetadataPage@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiCreateBootSlabEntries(x, x, x, x)
_MiCreateBootSlabEntries@16 proc near	; CODE XREF: MiInitSystem+2A4E8p

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 10h
		push	esi
		mov	eax, edx
		mov	[ebp+var_8], ecx
		push	edi
		imul	edi, eax, 1Ch
		mov	[ebp+var_4], eax
		add	edi, ds:_MmPfnDatabase
		cmp	[ebp+arg_0], 0
		jz	loc_AEEE6D

loc_AEED92:				; CODE XREF: MiCreateBootSlabEntries(x,x,x,x)+FAj
		push	0
		push	40h
		push	70h
		mov	edx, 6553694Dh
		pop	ecx
		call	_MiAllocatePool@16 ; MiAllocatePool(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		jz	loc_AEEE8A
		mov	eax, [ebp+var_8]
		lea	edx, [esi+18h]
		mov	[esi+14h], eax
		lea	ecx, [esi+20h]
		mov	eax, [ebp+var_4]
		mov	dword ptr [edx], 200h
		mov	[edx+4], ecx
		mov	[esi+0Ch], eax
		add	eax, 1FFh
		push	edx
		mov	[esi+10h], eax
		call	_RtlSetAllBits@4 ; RtlSetAllBits(x)
		mov	eax, [ebp+var_8]
		cmp	dword ptr [eax+18h], 0
		jnz	short loc_AEEDF8
		mov	eax, 200h

loc_AEEDE4:				; CODE XREF: MiCreateBootSlabEntries(x,x,x,x)+89j
		cmp	dword ptr [edi+4], 0
		jnz	short loc_AEEDF0
		dec	dword_6D3620

loc_AEEDF0:				; CODE XREF: MiCreateBootSlabEntries(x,x,x,x)+7Bj
		add	edi, 1Ch
		sub	eax, 1
		jnz	short loc_AEEDE4

loc_AEEDF8:				; CODE XREF: MiCreateBootSlabEntries(x,x,x,x)+70j
		mov	ecx, [ebp+var_4]
		mov	edx, dword_6D5BBC
		shr	ecx, 9
		mov	eax, ecx
		mov	[ebp+var_C], ecx
		shr	eax, 5
		and	ecx, 1Fh
		mov	[ebp+var_10], edx
		push	0
		mov	eax, [edx+eax*4]
		sar	eax, cl
		test	al, 1
		jnz	short loc_AEEE75
		mov	ecx, [ebp+var_C]
		shr	ecx, 3
		add	ecx, edx
		mov	edx, [ebp+var_C]
		and	edx, 7
		push	1
		push	200h
		movsx	eax, byte ptr [ecx]
		bts	eax, edx
		mov	edx, [ebp+var_4]
		mov	[ecx], al
		mov	ecx, offset _MiSystemPartition
		call	MiUpdateLargePageBitMap
		mov	edx, [ebp+var_8]
		mov	ecx, offset _MiSystemPartition
		push	esi
		call	_MiInsertSlabEntry@12 ;	MiInsertSlabEntry(x,x,x)
		mov	eax, [ebp+arg_0]
		mov	ecx, 200h
		add	[ebp+var_4], ecx
		sub	eax, ecx
		mov	[ebp+arg_0], eax
		test	eax, eax
		jnz	loc_AEED92

loc_AEEE6D:				; CODE XREF: MiCreateBootSlabEntries(x,x,x,x)+1Fj
		xor	eax, eax

loc_AEEE6F:				; CODE XREF: MiCreateBootSlabEntries(x,x,x,x)+122j
		pop	edi
		pop	esi
		leave
		retn	8
; 

loc_AEEE75:				; CODE XREF: MiCreateBootSlabEntries(x,x,x,x)+AEj
		mov	eax, [ebp+var_8]
		push	dword ptr [eax+18h]
		push	dword ptr [esi+0Ch]
		push	3030311h
		push	1Ah
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AEEE8A:				; CODE XREF: MiCreateBootSlabEntries(x,x,x,x)+3Aj
		mov	eax, 0C000009Ah
		jmp	short loc_AEEE6F
_MiCreateBootSlabEntries@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiBootImageRelocated(x, x, x, x, x,	x)
_MiBootImageRelocated@24 proc near	; CODE XREF: MiHandleBootImage+29EB4p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ebx
		push	esi
		mov	esi, [ebp+arg_8]
		mov	ebx, edx
		mov	edx, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		mov	eax, edi
		sub	eax, edx
		mov	[ebx+18h], edi
		add	esi, eax
		mov	[esi+34h], edi
		push	dword ptr [ebx+20h]
		push	edi
		call	_MiUpdateThunks@16 ; MiUpdateThunks(x,x,x,x)
		or	dword ptr [ebx+34h], 1000000h
		mov	eax, [esi+28h]
		add	eax, edi
		mov	[ebx+1Ch], eax
		mov	eax, [ebp+arg_C]
		pop	edi
		shl	eax, 0Ch
		pop	esi
		mov	[ebx+20h], eax
		pop	ebx
		pop	ebp
		retn	10h
_MiBootImageRelocated@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiFreeBootDriverPages(x, x,	x, x, x)
_MiFreeBootDriverPages@20 proc near	; CODE XREF: MiInitializeDynamicVa+2A111p
					; MiHandleBootImage+29EC5p

var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_9C		= dword	ptr -9Ch
var_90		= dword	ptr -90h
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0E8h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_8], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		lea	eax, [ebp+var_A4]
		push	esi
		push	edi
		mov	edi, [ebp+arg_8]
		mov	esi, edx
		push	98h		; size_t
		push	0		; int
		push	eax		; void *
		mov	[ebp+var_AC], esi
		mov	[ebp+var_D8], ecx
		mov	[ebp+var_B0], edi
		call	_memset
		mov	eax, [ebp+arg_4]
		add	esp, 0Ch
		and	eax, 2
		mov	[ebp+var_C0], eax
		push	0
		pop	eax
		setz	al
		lea	eax, ds:4[eax*2]
		mov	[ebp+var_C4], eax
		test	edi, edi
		jnz	short loc_AEEF5F
		and	[ebp+var_90], edi
		lea	edi, [ebp+var_A4]
		mov	[ebp+var_9C], 21h
		mov	[ebp+var_B0], edi

loc_AEEF5F:				; CODE XREF: MiFreeBootDriverPages(x,x,x,x,x)+69j
		dec	ebx
		mov	eax, esi
		shl	eax, 9
		mov	ecx, eax
		mov	[ebp+var_A8], eax
		lea	ebx, [esi+ebx*8]
		mov	[ebp+var_B8], ebx
		call	_MI_IS_PHYSICAL_ADDRESS@4 ; MI_IS_PHYSICAL_ADDRESS(x)
		test	eax, eax
		jz	short loc_AEEFAF
		shr	esi, 9
		mov	ecx, offset loc_7FFFF8
		shr	ebx, 9
		and	esi, ecx
		mov	eax, 40000000h
		mov	[ebp+var_B4], 1
		sub	esi, eax
		and	ebx, ecx
		sub	ebx, eax
		mov	[ebp+var_AC], esi
		mov	[ebp+var_B8], ebx
		jmp	short loc_AEEFD0
; 

loc_AEEFAF:				; CODE XREF: MiFreeBootDriverPages(x,x,x,x,x)+A5j
		mov	edx, [ebp+var_A8]
		mov	eax, ebx
		and	[ebp+var_B4], 0
		sub	eax, esi
		add	eax, 8
		mov	ecx, edi
		push	0
		sar	eax, 3
		push	eax
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)

loc_AEEFD0:				; CODE XREF: MiFreeBootDriverPages(x,x,x,x,x)+D5j
		xor	edi, edi
		mov	[ebp+var_A8], edi
		jmp	loc_AEF10C
; 

loc_AEEFDD:				; CODE XREF: MiFreeBootDriverPages(x,x,x,x,x)+236j
		and	[ebp+var_D4], 0
		and	[ebp+var_D0], 0
		mov	edx, [esi]
		nop
		mov	ecx, [esi+4]
		mov	eax, ds:_ZeroPte
		mov	[ebp+var_E4], edx
		mov	[ebp+var_E0], ecx
		mov	[esi], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[esi+4], eax
		nop
		shrd	edx, ecx, 0Ch
		and	edx, 1FFFFFFh
		mov	[ebp+var_C8], edx
		imul	edx, 1Ch
		add	edx, ds:_MmPfnDatabase
		mov	[ebp+var_CC], edx
		mov	eax, [edx+18h]
		and	eax, offset loc_7FFFFF
		imul	eax, 1Ch
		add	eax, ds:_MmPfnDatabase
		mov	[ebp+var_D0], eax
		lea	eax, [edx+17h]
		xor	edx, edx
		mov	[ebp+var_BC], eax
		inc	edx
		cmp	[ebp+var_B4], 0
		jz	short loc_AEF0D0
		mov	ecx, [ebp+var_B0]
		push	esi
		call	_MiInsertLargeTbFlushEntry@12 ;	MiInsertLargeTbFlushEntry(x,x,x)
		mov	ebx, [ebp+var_BC]
		mov	esi, 200h
		mov	edi, [ebp+var_C0]

loc_AEF076:				; CODE XREF: MiFreeBootDriverPages(x,x,x,x,x)+1CAj
		lea	ecx, [ebx-17h]
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	cl, al
		test	edi, edi
		jnz	short loc_AEF088
		inc	word ptr [ebx-3]

loc_AEF088:				; CODE XREF: MiFreeBootDriverPages(x,x,x,x,x)+1AAj
		and	byte ptr [ebx],	0F7h
		lea	eax, [ebx-7]
		mov	edx, 7FFFFFFFh
		lock and [eax],	edx
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		add	ebx, 1Ch
		sub	esi, 1
		jnz	short loc_AEF076
		push	[ebp+var_C4]
		mov	ecx, [ebp+var_C8]
		xor	edx, edx
		call	_MiFreeLargePageMemory@12 ; MiFreeLargePageMemory(x,x,x)
		mov	esi, [ebp+var_AC]
		mov	eax, 200h
		mov	edi, [ebp+var_A8]
		mov	ebx, [ebp+var_B8]
		jmp	short loc_AEF0EE
; 

loc_AEF0D0:				; CODE XREF: MiFreeBootDriverPages(x,x,x,x,x)+17Fj
		mov	ecx, [ebp+var_CC]
		and	byte ptr [eax],	0F7h
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		xor	edx, edx
		mov	ecx, offset _MiSystemPartition
		inc	edx
		call	_MiFreeLargePageCharges@8 ; MiFreeLargePageCharges(x,x)
		xor	eax, eax
		inc	eax

loc_AEF0EE:				; CODE XREF: MiFreeBootDriverPages(x,x,x,x,x)+1F6j
		mov	ecx, [ebp+var_D0]
		add	edi, eax
		xor	edx, edx
		mov	[ebp+var_A8], edi
		call	_MiLockAndDecrementShareCount@8	; MiLockAndDecrementShareCount(x,x)
		add	esi, 8
		mov	[ebp+var_AC], esi

loc_AEF10C:				; CODE XREF: MiFreeBootDriverPages(x,x,x,x,x)+100j
		cmp	esi, ebx
		jbe	loc_AEEFDD
		mov	eax, [ebp+var_B0]
		lea	ecx, [ebp+var_A4]
		cmp	eax, ecx
		jnz	short loc_AEF12B
		mov	ecx, eax
		call	MiFlushTbList

loc_AEF12B:				; CODE XREF: MiFreeBootDriverPages(x,x,x,x,x)+24Aj
		mov	eax, [ebp+var_D8]
		cmp	eax, ds:_PsNtosImageBase
		jz	short loc_AEF154
		cmp	eax, ds:_PsHalImageBase
		jz	short loc_AEF154
		test	byte ptr [ebp+arg_4], 1
		jz	short loc_AEF15A
		neg	edi
		mov	eax, offset unk_6D362C
		lock xadd [eax], edi
		jmp	short loc_AEF15A
; 

loc_AEF154:				; CODE XREF: MiFreeBootDriverPages(x,x,x,x,x)+25Fj
					; MiFreeBootDriverPages(x,x,x,x,x)+267j
		sub	dword_6D361C, edi

loc_AEF15A:				; CODE XREF: MiFreeBootDriverPages(x,x,x,x,x)+26Dj
					; MiFreeBootDriverPages(x,x,x,x,x)+27Aj
		mov	ecx, [ebp+var_8]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	0Ch
_MiFreeBootDriverPages@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiTradeBootImagePage(x, x)
_MiTradeBootImagePage@8	proc near	; CODE XREF: MiHandleBootImage+29EEDp

var_C4		= dword	ptr -0C4h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A1		= byte ptr -0A1h
var_A0		= dword	ptr -0A0h
var_98		= dword	ptr -98h
var_8C		= dword	ptr -8Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0CCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		push	98h		; size_t
		xor	ebx, ebx
		lea	eax, [ebp+var_A0]
		mov	edi, ecx
		mov	esi, edx
		push	ebx		; int
		push	eax		; void *
		mov	[ebp+var_B4], edi
		call	_memset
		mov	[ebp+var_8C], ebx
		add	esp, 0Ch
		mov	[ebp+var_C4], ebx
		mov	ebx, [edi]
		mov	[ebp+var_98], 21h
		nop
		mov	eax, [edi+4]
		mov	ecx, edi
		shl	ecx, 9
		mov	[ebp+var_B0], eax
		mov	[ebp+var_C4], ecx
		nop
		mov	ecx, ebx
		shrd	ecx, eax, 0Ch
		and	ecx, 1FFFFFFh
		imul	edi, ecx, 1Ch
		mov	[ebp+var_B8], ecx
		imul	ecx, esi, 1Ch
		add	edi, ds:_MmPfnDatabase
		mov	[ebp+var_BC], edi
		add	ecx, ds:_MmPfnDatabase
		mov	[ebp+var_AC], ecx
		mov	ecx, edi
		call	_MiLockPageInline@4 ; MiLockPageInline(x)
		mov	ecx, [ebp+var_AC]
		mov	[ebp+var_A1], al
		call	_MiLockNestedPageAtDpcInline@4 ; MiLockNestedPageAtDpcInline(x)
		push	ecx
		mov	ecx, [ebp+var_AC]
		mov	edx, edi
		call	_MiCopyPfnEntryEx@12 ; MiCopyPfnEntryEx(x,x,x)
		mov	ecx, ds:_MiFlags
		shr	ecx, 0Fh
		and	ecx, 1
		jz	short loc_AEF245
		mov	eax, [edi+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jnz	short loc_AEF25C

loc_AEF245:				; CODE XREF: MiTradeBootImagePage(x,x)+C9j
		mov	edx, [ebp+var_B8]
		lea	eax, ds:4[ecx*2]
		push	eax
		push	0
		mov	ecx, esi
		call	_MiCopyPage@16	; MiCopyPage(x,x,x,x)

loc_AEF25C:				; CODE XREF: MiTradeBootImagePage(x,x)+D8j
		nop
		mov	eax, [ebp+var_B0]
		mov	edi, esi
		and	edi, 1FFFFFFh
		xor	ecx, ecx
		shld	ecx, edi, 0Ch
		and	ebx, 0FFFh
		and	eax, 0FFFFFFE0h
		shl	edi, 0Ch
		or	edi, ebx
		or	ecx, eax
		mov	[ebp+var_A8], edi

loc_AEF287:				; CODE XREF: MiTradeBootImagePage(x,x)+144j
					; MiTradeBootImagePage(x,x)+14Cj
		mov	eax, [ebp+var_B4]
		mov	esi, [eax]
		mov	edx, [eax+4]
		mov	eax, esi
		mov	[ebp+var_B0], edx
		nop
		mov	ebx, edi
		mov	edi, [ebp+var_B4]
		lock cmpxchg8b qword ptr [edi]
		mov	edi, [ebp+var_A8]
		cmp	eax, esi
		jnz	short loc_AEF287
		cmp	edx, [ebp+var_B0]
		jnz	short loc_AEF287
		mov	eax, [ebp+var_AC]
		mov	ebx, 7FFFFFFFh
		add	eax, 10h
		lock and [eax],	ebx
		mov	edi, [ebp+var_BC]
		lea	ecx, [ebp+var_A0]
		mov	edx, [ebp+var_C4]
		push	0
		push	1
		lea	esi, [edi+10h]
		or	dword ptr [esi], 40000000h
		call	_MiInsertTbFlushEntry@16 ; MiInsertTbFlushEntry(x,x,x,x)
		lea	ecx, [ebp+var_A0]
		call	MiFlushTbList
		test	ds:_MiFlags, 8000h
		jnz	short loc_AEF31E
		mov	eax, [edi+18h]
		and	eax, 70000000h
		cmp	eax, 30000000h
		jnz	short loc_AEF31E
		push	0Ch
		pop	edx
		mov	ecx, edi
		call	MiClearPfnImageVerified

loc_AEF31E:				; CODE XREF: MiTradeBootImagePage(x,x)+198j
					; MiTradeBootImagePage(x,x)+1A7j
		and	byte ptr [edi+17h], 0F7h
		mov	ecx, edi
		call	MiDecrementShareCount
		lock and [esi],	ebx
		mov	cl, [ebp+var_A1]
		call	ds:__imp_@KfLowerIrql@4	; KfLowerIrql(x)
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_MiTradeBootImagePage@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MiUpdateThunks(x, x, x, x)
_MiUpdateThunks@16 proc	near		; CODE XREF: MiBootImageRelocated(x,x,x,x,x,x)+23p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	eax, [ebp+arg_4]
		and	[ebp+var_4], 0
		dec	eax
		push	ebx
		push	esi
		mov	ebx, edx
		push	edi
		add	eax, ebx
		lea	edi, [ecx+10h]
		sub	[ebp+arg_0], ebx
		mov	esi, [edi]
		mov	[ebp+var_8], eax
		mov	[ebp+var_C], edi
		jmp	short loc_AEF3B3
; 

loc_AEF36E:				; CODE XREF: MiUpdateThunks(x,x,x,x)+71j
		lea	eax, [ebp+var_4]
		push	eax
		push	0Ch
		push	1
		push	dword ptr [esi+18h]
		call	_RtlImageDirectoryEntryToData@16 ; RtlImageDirectoryEntryToData(x,x,x,x)
		mov	edx, eax
		test	edx, edx
		jz	short loc_AEF3B1
		mov	ecx, [ebp+var_4]
		shr	ecx, 2
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	short loc_AEF3B1
		mov	esi, [ebp+arg_0]

loc_AEF394:				; CODE XREF: MiUpdateThunks(x,x,x,x)+62j
		mov	eax, [edx]
		cmp	eax, ebx
		jb	short loc_AEF3A3
		cmp	eax, [ebp+var_8]
		ja	short loc_AEF3A3
		add	eax, esi
		mov	[edx], eax

loc_AEF3A3:				; CODE XREF: MiUpdateThunks(x,x,x,x)+51j
					; MiUpdateThunks(x,x,x,x)+56j
		add	edx, 4
		sub	ecx, 1
		jnz	short loc_AEF394
		mov	esi, [ebp+arg_4]
		mov	edi, [ebp+var_C]

loc_AEF3B1:				; CODE XREF: MiUpdateThunks(x,x,x,x)+3Bj
					; MiUpdateThunks(x,x,x,x)+48j
		mov	esi, [esi]

loc_AEF3B3:				; CODE XREF: MiUpdateThunks(x,x,x,x)+25j
		mov	[ebp+arg_4], esi
		cmp	esi, edi
		jnz	short loc_AEF36E
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	8
_MiUpdateThunks@16 endp


;  S U B	R O U T	I N E 


; __stdcall MiFreeEmptyBootPageTable(x)
_MiFreeEmptyBootPageTable@4 proc near	; CODE XREF: MxCreateFreePfns(x)+BDp
		mov	edi, edi
		push	ecx
		mov	edx, [ecx+4]
		or	edx, 80000000h
		mov	eax, edx
		shl	eax, 12h
		cmp	eax, ds:_MiLowHalVa
		jnb	short loc_AEF3FC
		and	dword ptr [ecx+10h], 0C0000000h
		xor	eax, eax
		mov	[ecx+14h], ax
		mov	eax, ds:_ZeroPte
		mov	[edx], eax
		nop
		mov	eax, ds:dword_40F9FC
		mov	[edx+4], eax
		call	_MiLockAndInsertPageInFreeList@4 ; MiLockAndInsertPageInFreeList(x)

loc_AEF3FC:				; CODE XREF: MiFreeEmptyBootPageTable(x)+17j
		pop	ecx
		retn
_MiFreeEmptyBootPageTable@4 endp


;  S U B	R O U T	I N E 


; __stdcall MxBootDescriptorDepleted(x)
_MxBootDescriptorDepleted@4 proc near	; CODE XREF: MxGetNextPage+2A657p
		cmp	dword ptr [ecx+8], 0FFFFFFFFh
		jnz	short locret_AEF423
		mov	edx, [ecx+10h]
		mov	eax, [edx+8]
		test	eax, 40000000h
		jz	short locret_AEF423
		and	eax, 0BFFFFFFFh
		mov	[edx+8], eax
		mov	eax, [ecx+10h]
		or	dword ptr [eax+8], 80000000h

locret_AEF423:				; CODE XREF: MxBootDescriptorDepleted(x)+4j
					; MxBootDescriptorDepleted(x)+11j
		retn
_MxBootDescriptorDepleted@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __cdecl MxDescriptorSort(const void *,const void *)
_MxDescriptorSort proc near		; DATA XREF: MiCreateFreePfns:loc_AB66FDo

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		mov	eax, [ebp+arg_0]
		mov	edx, [eax]
		mov	eax, [ebp+arg_4]
		mov	ecx, [eax]
		mov	eax, [edx]
		cmp	eax, [ecx]
		sbb	eax, eax
		and	eax, 0FFFFFFFEh
		inc	eax
		pop	ebp
		retn
_MxDescriptorSort endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall MxSwitchDescriptors(x)
_MxSwitchDescriptors@4 proc near	; CODE XREF: MxGetNextPage+2A5D8p

var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	ecx, ds:_KeLoaderBlock
		push	ebx
		push	esi
		mov	esi, [ebp+arg_0]
		imul	eax, esi, 14h
		push	edi
		mov	[ebp+var_4], ecx
		lea	ebx, dword_AFF4E8[eax]
		mov	edi, [ebx+10h]
		lea	eax, [ecx+18h]
		mov	[ebp+arg_0], eax

loc_AEF466:				; CODE XREF: MxSwitchDescriptors(x)+B0j
		test	edi, edi
		jz	short loc_AEF46F
		mov	edi, [edi+4]
		jmp	short loc_AEF472
; 

loc_AEF46F:				; CODE XREF: MxSwitchDescriptors(x)+29j
		mov	edi, [ecx+1Ch]

loc_AEF472:				; CODE XREF: MxSwitchDescriptors(x)+2Ej
		cmp	edi, eax
		jz	short loc_AEF4C9

loc_AEF476:				; CODE XREF: MxSwitchDescriptors(x)+88j
		mov	eax, [edi+8]
		cmp	eax, 2
		jz	short loc_AEF483
		cmp	eax, 18h
		jnz	short loc_AEF4C1

loc_AEF483:				; CODE XREF: MxSwitchDescriptors(x)+3Dj
		movzx	edx, ds:_KeNumberNodes
		xor	eax, eax
		test	edx, edx
		jz	short loc_AEF4A1
		mov	ecx, offset unk_AFF3B8

loc_AEF495:				; CODE XREF: MxSwitchDescriptors(x)+60j
		cmp	edi, [ecx]
		jz	short loc_AEF4A1
		inc	eax
		add	ecx, 14h
		cmp	eax, edx
		jb	short loc_AEF495

loc_AEF4A1:				; CODE XREF: MxSwitchDescriptors(x)+4Fj
					; MxSwitchDescriptors(x)+58j
		cmp	eax, edx
		jb	short loc_AEF4C1
		mov	ecx, [edi+0Ch]
		call	MiSearchNumaNodeTable
		cmp	[eax+4], esi
		jz	short loc_AEF4F4
		xor	eax, eax
		mov	ecx, esi
		inc	eax
		shl	eax, cl
		test	ds:_MxBootDescriptorAnyNode, eax
		jnz	short loc_AEF4F4

loc_AEF4C1:				; CODE XREF: MxSwitchDescriptors(x)+42j
					; MxSwitchDescriptors(x)+64j
		mov	edi, [edi+4]
		cmp	edi, [ebp+arg_0]
		jnz	short loc_AEF476

loc_AEF4C9:				; CODE XREF: MxSwitchDescriptors(x)+35j
		xor	eax, eax
		mov	ecx, esi
		inc	eax
		shl	eax, cl
		mov	ecx, ds:_MxBootDescriptorAnyNode
		test	eax, ecx
		jnz	short loc_AEF515
		and	dword ptr [ebx+10h], 0
		bts	ecx, esi
		mov	eax, [ebp+arg_0]
		xor	edi, edi
		mov	ds:_MxBootDescriptorAnyNode, ecx
		mov	ecx, [ebp+var_4]
		jmp	loc_AEF466
; 

loc_AEF4F4:				; CODE XREF: MxSwitchDescriptors(x)+71j
					; MxSwitchDescriptors(x)+80j
		push	dword ptr [edi+10h]
		mov	edx, edi
		mov	ecx, ebx
		push	dword ptr [edi+0Ch]
		call	_MiInitializeBootMemoryDescriptor@16 ; MiInitializeBootMemoryDescriptor(x,x,x,x)
		or	dword ptr [edi+8], 40000000h
		mov	eax, ebx
		mov	ds:_MxFreeDescriptor[esi*4], ebx
		jmp	short loc_AEF517
; 

loc_AEF515:				; CODE XREF: MxSwitchDescriptors(x)+99j
		xor	eax, eax

loc_AEF517:				; CODE XREF: MxSwitchDescriptors(x)+D4j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
_MxSwitchDescriptors@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopDiagTraceDirtyTransition(x, x, x, x, x, x, x, x,	x, x, x, x)
_PopDiagTraceDirtyTransition@48	proc near ; CODE XREF: PopCheckShutdownMarker+273EDp

var_208		= dword	ptr -208h
var_200		= dword	ptr -200h
var_1F8		= dword	ptr -1F8h
var_1D4		= dword	ptr -1D4h
var_1D0		= dword	ptr -1D0h
var_1CC		= dword	ptr -1CCh
var_1C8		= dword	ptr -1C8h
var_1C4		= dword	ptr -1C4h
var_1C0		= dword	ptr -1C0h
var_1BB		= dword	ptr -1BBh
var_1B4		= dword	ptr -1B4h
var_1B0		= dword	ptr -1B0h
var_1AC		= dword	ptr -1ACh
var_19C		= dword	ptr -19Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_140		= dword	ptr -140h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= dword	ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= byte ptr  0Ch
arg_8		= dword	ptr  10h
arg_10		= dword	ptr  18h
arg_1C		= byte ptr  24h
arg_20		= byte ptr  28h
arg_24		= byte ptr  2Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 20Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		cmp	_PopDiagHandleRegistered, 0
		mov	eax, _ExBootAppFailureStatus
		push	ebx
		push	esi
		push	edi
		mov	ebx, edx
		mov	[ebp+var_1CC], eax
		mov	esi, ecx
		jz	loc_AEF81D
		push	offset _POP_ETW_EVENT_DIRTY_TRANSITION
		push	dword_6C1D74
		push	_PopDiagHandle
		call	EtwEventEnabled
		test	al, al
		jz	loc_AEF81D
		and	[ebp+var_1C0], 0
		lea	edi, [ebp+var_B8]
		and	[ebp+var_1C4], 0
		xor	eax, eax
		stosd
		mov	edx, [esi+84h]
		stosd
		stosd
		stosd
		xor	eax, eax
		cmp	[ebp+arg_4], al
		setnz	al
		mov	[ebp+var_1D0], eax
		xor	eax, eax
		cmp	[ebp+arg_24], al
		setnz	al
		xor	edi, edi
		mov	[ebp+var_1D4], eax
		inc	edi
		mov	al, [ebp+arg_1C]
		mov	byte ptr [ebp+var_1BB+2], al
		mov	al, [ebp+arg_20]
		mov	byte ptr [ebp+var_1BB],	al
		test	edx, edx
		jz	short loc_AEF600
		mov	edx, [edx+0D8h]
		test	edx, edx
		jz	short loc_AEF600
		mov	ecx, [edx+28h]
		mov	[ebp+var_1C0], ecx
		mov	eax, [edx+2Ch]
		mov	[ebp+var_B8], eax
		mov	eax, [edx+30h]
		mov	[ebp+var_B4], eax
		mov	eax, [edx+34h]
		mov	[ebp+var_B0], eax
		mov	eax, [edx+38h]
		mov	[ebp+var_AC], eax
		test	ecx, ecx
		jnz	short loc_AEF663

loc_AEF600:				; CODE XREF: PopDiagTraceDirtyTransition(x,x,x,x,x,x,x,x,x,x,x,x)+A5j
					; PopDiagTraceDirtyTransition(x,x,x,x,x,x,x,x,x,x,x,x)+AFj
		push	30h		; size_t
		lea	eax, [ebp+var_208]
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [ebp+var_208]
		mov	esi, offset ??_C@_1JM@PGOHLILP@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@PBOPGDP@
		lea	edi, [ebp+var_A8]
		mov	edx, offset ??_C@_19GFDACHI@?$AAI?$AAn?$AAf?$AAo@PBOPGDP@
		push	27h
		pop	ecx
		push	eax		; void *
		rep movsd
		push	0		; int
		push	30h		; size_t
		lea	ecx, [ebp+var_A8]
		call	PopReadRegKeyValue
		xor	edi, edi
		inc	edi
		test	eax, eax
		js	short loc_AEF663
		mov	eax, [ebp+var_200]
		mov	[ebp+var_1C0], eax
		mov	eax, [ebp+var_1F8]
		mov	[ebp+var_1C4], edi
		mov	[ebp+var_B8], eax

loc_AEF663:				; CODE XREF: PopDiagTraceDirtyTransition(x,x,x,x,x,x,x,x,x,x,x,x)+E0j
					; PopDiagTraceDirtyTransition(x,x,x,x,x,x,x,x,x,x,x,x)+125j
		push	4
		mov	[ebp+var_1C8], ebx
		lea	eax, [ebp+var_1C0]
		xor	ebx, ebx
		mov	[ebp+var_1BB+3], eax
		pop	esi
		mov	[ebp+var_1B4], ebx
		lea	ecx, [ebp+var_19C]
		mov	[ebp+var_1B0], esi
		mov	edx, ebx
		mov	[ebp+var_1AC], ebx

loc_AEF694:				; CODE XREF: PopDiagTraceDirtyTransition(x,x,x,x,x,x,x,x,x,x,x,x)+190j
		lea	eax, [ebp+var_B8]
		mov	[ecx-8], ebx
		lea	eax, [eax+edx*4]
		mov	[ecx-4], esi
		inc	edx
		mov	[ecx-0Ch], eax
		mov	[ecx], ebx
		lea	ecx, [ecx+10h]
		cmp	edx, esi
		jb	short loc_AEF694
		lea	eax, [ebp+var_1C8]
		mov	[ebp+var_164], ebx
		mov	[ebp+var_168], eax
		lea	eax, [ebp+arg_10]
		mov	[ebp+var_158], eax
		lea	eax, [ebp+var_1CC]
		mov	[ebp+var_148], eax
		lea	eax, [ebp+var_1BB+2]
		mov	[ebp+var_138], eax
		lea	eax, [ebp+var_1D0]
		mov	[ebp+var_128], eax
		lea	eax, [ebp+arg_0]
		mov	[ebp+var_118], eax
		mov	al, byte ptr [ebp+arg_8]
		mov	byte ptr [ebp+var_1BB+1], al
		lea	eax, [ebp+var_1BB+1]
		mov	[ebp+var_108], eax
		lea	eax, [ebp+var_1C4]
		mov	[ebp+var_F8], eax
		lea	eax, [ebp+var_1BB]
		mov	[ebp+var_E8], eax
		lea	eax, [ebp+arg_8]
		push	8
		pop	ecx
		mov	[ebp+var_D8], eax
		lea	eax, [ebp+var_1D4]
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_1BB+3]
		push	eax
		push	10h
		push	ebx
		push	offset _POP_ETW_EVENT_DIRTY_TRANSITION
		push	dword_6C1D74
		mov	[ebp+var_160], esi
		push	_PopDiagHandle
		mov	[ebp+var_15C], ebx
		mov	[ebp+var_154], ebx
		mov	[ebp+var_150], ecx
		mov	[ebp+var_14C], ebx
		mov	[ebp+var_144], ebx
		mov	[ebp+var_140], esi
		mov	[ebp+var_13C], ebx
		mov	[ebp+var_134], ebx
		mov	[ebp+var_130], edi
		mov	[ebp+var_12C], ebx
		mov	[ebp+var_124], ebx
		mov	[ebp+var_120], esi
		mov	[ebp+var_11C], ebx
		mov	[ebp+var_114], ebx
		mov	[ebp+var_110], esi
		mov	[ebp+var_10C], ebx
		mov	[ebp+var_104], ebx
		mov	[ebp+var_100], edi
		mov	[ebp+var_FC], ebx
		mov	[ebp+var_F4], ebx
		mov	[ebp+var_F0], esi
		mov	[ebp+var_EC], ebx
		mov	[ebp+var_E4], ebx
		mov	[ebp+var_E0], edi
		mov	[ebp+var_DC], ebx
		mov	[ebp+var_D4], ebx
		mov	[ebp+var_D0], ecx
		mov	[ebp+var_CC], ebx
		mov	[ebp+var_C4], ebx
		mov	[ebp+var_C0], esi
		mov	[ebp+var_BC], ebx
		call	_EtwWrite@24	; EtwWrite(x,x,x,x,x,x)

loc_AEF81D:				; CODE XREF: PopDiagTraceDirtyTransition(x,x,x,x,x,x,x,x,x,x,x,x)+2Ej
					; PopDiagTraceDirtyTransition(x,x,x,x,x,x,x,x,x,x,x,x)+4Cj
		mov	ecx, [ebp+var_4]
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	28h
_PopDiagTraceDirtyTransition@48	endp


;  S U B	R O U T	I N E 


; __stdcall PopDripsWatchdogInitializeActions(x)
_PopDripsWatchdogInitializeActions@4 proc near
					; CODE XREF: PopDripsWatchdogInitialize:loc_AEB930p
		mov	eax, ds:_PopPlatformAoAcOverride
		push	ebx
		movzx	ebx, ds:_PopDripsWatchdogAction
		test	eax, eax
		jz	short loc_AEF851
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AEF851
		test	bl, 10h
		jnz	short loc_AEF84E
		and	ebx, 0FFFFFFFDh
		jmp	short loc_AEF851
; 

loc_AEF84E:				; CODE XREF: PopDripsWatchdogInitializeActions(x)+19j
		or	ebx, 2

loc_AEF851:				; CODE XREF: PopDripsWatchdogInitializeActions(x)+Fj
					; PopDripsWatchdogInitializeActions(x)+14j ...
		call	_PopIsDirectedDripsEnabled@0 ; PopIsDirectedDripsEnabled()
		test	al, al
		jz	short loc_AEF872
		or	ebx, 100h
		call	PopCapturePlatformRole
		cmp	eax, 2
		jz	short loc_AEF872
		cmp	eax, 8
		jz	short loc_AEF872
		or	ebx, 1

loc_AEF872:				; CODE XREF: PopDripsWatchdogInitializeActions(x)+2Aj
					; PopDripsWatchdogInitializeActions(x)+3Aj ...
		mov	dword_6C071C, ebx
		xor	eax, eax
		pop	ebx
		retn
_PopDripsWatchdogInitializeActions@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopDripsWatchdogInitializeCallbackTimer(x)
_PopDripsWatchdogInitializeCallbackTimer@4 proc	near
					; CODE XREF: PopDripsWatchdogInitialize+F3F7p
		mov	edi, edi
		push	esi
		mov	esi, ds:_PopDripsCallbackInterval
		test	esi, esi
		jnz	short loc_AEF893
		mov	esi, ds:_PopDirectedDripsTimeout
		test	esi, esi
		jz	short loc_AEF8E3

loc_AEF893:				; CODE XREF: PopDripsWatchdogInitializeCallbackTimer(x)+Bj
		push	ecx
		mov	eax, offset _PopDripsWatchdogContext
		mov	dword_6C0790, esi
		push	eax
		push	offset _PopDripsWatchdogCallbackWorker@4 ; PopDripsWatchdogCallbackWorker(x)
		push	eax
		mov	edx, offset _PopDripsWatchdogTimerCallback@8 ; PopDripsWatchdogTimerCallback(x,x)
		mov	ecx, offset unk_6C0720
		call	_PopInitializeTimer@24 ; PopInitializeTimer(x,x,x,x,x,x)
		mov	eax, _PopDripsWatchdogDebounceInterval
		test	eax, eax
		jz	short loc_AEF8C9
		dec	eax
		xor	edx, edx
		div	esi
		inc	eax
		mov	_PopDripsWatchdogDebounceTickInterval, eax

loc_AEF8C9:				; CODE XREF: PopDripsWatchdogInitializeCallbackTimer(x)+40j
		cmp	_PopDripsWatchdogDebounceTickInterval, 1
		jnz	short loc_AEF8DC
		mov	_PopDripsWatchdogDebounceTickInterval, 2

loc_AEF8DC:				; CODE XREF: PopDripsWatchdogInitializeCallbackTimer(x)+54j
		or	dword_6C0794, 1

loc_AEF8E3:				; CODE XREF: PopDripsWatchdogInitializeCallbackTimer(x)+15j
		xor	eax, eax
		pop	esi
		retn
_PopDripsWatchdogInitializeCallbackTimer@4 endp


;  S U B	R O U T	I N E 


; __stdcall PopDripsWatchdogInitializeDiagnosticTimer(x)
_PopDripsWatchdogInitializeDiagnosticTimer@4 proc near
					; CODE XREF: PopDripsWatchdogInitialize+F404p
		mov	eax, ds:_PopDripsWatchdogTimeout
		test	eax, eax
		jz	short loc_AEF918
		push	ecx
		mov	dword_6C0858, eax
		mov	edx, offset _PopDripsWatchdogTimerCallback@8 ; PopDripsWatchdogTimerCallback(x,x)
		mov	eax, offset _PopDripsWatchdogContext
		mov	ecx, offset unk_6C07E8
		push	eax
		push	offset _PopDripsWatchdogDiagnosticWorker@4 ; PopDripsWatchdogDiagnosticWorker(x)
		push	eax
		call	_PopInitializeTimer@24 ; PopInitializeTimer(x,x,x,x,x,x)
		or	dword_6C085C, 1

loc_AEF918:				; CODE XREF: PopDripsWatchdogInitializeDiagnosticTimer(x)+7j
		xor	eax, eax
		retn
_PopDripsWatchdogInitializeDiagnosticTimer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopEmRegister()
_PopEmRegister@0 proc near		; CODE XREF: PoInitSystem+5AFp

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		lea	eax, [ebp+var_4]
		push	eax		; int
		push	2		; int
		push	(offset	loc_404D34+4) ;	int
		push	1		; size_t
		push	offset _PopEmEntry ; int
		push	0		; int
		call	EmpProviderRegister
		leave
		retn
_PopEmRegister@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall PopReadErrataDeviceAllowedForInputSuppression()
_PopReadErrataDeviceAllowedForInputSuppression@0 proc near
					; CODE XREF: PoInitSystem:loc_AE4AF3p

var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		lea	eax, [ebp+var_4]
		mov	[ebp+var_4], 1
		push	eax		; int
		push	offset _GUID_EM_RULE_ALLOW_INPUT_SUPPRESSION_NOTIFICATION ; void *
		xor	bl, bl
		call	EmClientQueryRuleState
		cmp	[ebp+var_4], 2
		jnz	short loc_AEF963
		inc	bl

loc_AEF963:				; CODE XREF: PopReadErrataDeviceAllowedForInputSuppression()+22j
		mov	al, bl
		pop	ebx
		leave
		retn
_PopReadErrataDeviceAllowedForInputSuppression@0 endp


;  S U B	R O U T	I N E 


; __stdcall SshpUninitialize()
_SshpUninitialize@0 proc near		; CODE XREF: SshInitialize:loc_AC1B81p
		mov	edi, edi
		push	ebx
		call	_SshpUnsubscribeCallbacks@0 ; SshpUnsubscribeCallbacks()
		xor	ebx, ebx
		cmp	_SshpTelemetryHandleRegistered,	bl
		jz	short loc_AEF9A4
		mov	eax, dword_6B2FEC
		mov	ecx, dword_6B2FE8
		push	eax
		push	ecx
		mov	dword_6B2FD0, ebx
		mov	dword_6B2FE8, ebx
		mov	dword_6B2FEC, ebx
		call	EtwUnregister
		mov	_SshpTelemetryHandleRegistered,	bl

loc_AEF9A4:				; CODE XREF: SshpUninitialize()+10j
		cmp	_SshpTraceHandleRegistered, bl
		jz	short loc_AEF9B9
		push	ecx
		push	ecx
		call	_SSHSupportEtwUnregister@8 ; SSHSupportEtwUnregister(x,x)
		mov	_SshpTraceHandleRegistered, bl

loc_AEF9B9:				; CODE XREF: SshpUninitialize()+42j
					; SshpUninitialize()+63j
		mov	eax, _SshpLibraryList
		cmp	eax, offset _SshpLibraryList
		jz	short loc_AEF9CD
		push	eax
		call	_SleepstudyHelperDestroyLibrary@4 ; SleepstudyHelperDestroyLibrary(x)
		jmp	short loc_AEF9B9
; 

loc_AEF9CD:				; CODE XREF: SshpUninitialize()+5Bj
		mov	_SshpInitialized, bl
		pop	ebx
		retn
_SshpUninitialize@0 endp


;  S U B	R O U T	I N E 


; __stdcall SshpUnsubscribeCallbacks()
_SshpUnsubscribeCallbacks@0 proc near	; CODE XREF: SshpUninitialize()+3p
		mov	edi, edi
		push	ecx
		cmp	_SshpPowerSettingHandleInitialized, 0
		jz	short loc_AEF9ED
		call	_SSHSupportUnregisterPowerSettingCallback@4 ; SSHSupportUnregisterPowerSettingCallback(x)
		mov	_SshpPowerSettingHandleInitialized, 0

loc_AEF9ED:				; CODE XREF: SshpUnsubscribeCallbacks()+Aj
		cmp	_SshpWnfSubscriptionInitialized, 0
		jz	short loc_AEFA08
		push	_SshpWnfSubscription
		call	_ExUnsubscribeWnfStateChange@4 ; ExUnsubscribeWnfStateChange(x)
		mov	_SshpWnfSubscriptionInitialized, 0

loc_AEFA08:				; CODE XREF: SshpUnsubscribeCallbacks()+1Fj
		pop	ecx
		retn
_SshpUnsubscribeCallbacks@0 endp


;  S U B	R O U T	I N E 


; __stdcall RtlInitializeExceptionLog(x)
_RtlInitializeExceptionLog@4 proc near	; CODE XREF: INIT:00ACD8ACp
		mov	edi, edi
		push	esi
		push	67626445h
		mov	esi, 9F60h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	_RtlpExceptionLog2, eax
		test	eax, eax
		jz	short loc_AEFA37
		push	esi		; size_t
		push	0		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch

loc_AEFA37:				; CODE XREF: RtlInitializeExceptionLog(x)+1Fj
		pop	esi
		retn
_RtlInitializeExceptionLog@4 endp


;  S U B	R O U T	I N E 


; __stdcall RtlInitializeRangeListPackage()
_RtlInitializeRangeListPackage@0 proc near ; CODE XREF:	Phase1InitializationDiscard(x)+C26p
		push	10h
		push	656C5252h
		push	28h
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	offset _RtlpRangeListEntryLookasideList
		call	_ExInitializePagedLookasideList@28 ; ExInitializePagedLookasideList(x,x,x,x,x,x,x)
		retn
_RtlInitializeRangeListPackage@0 endp


;  S U B	R O U T	I N E 


; __stdcall SepSecureBootBuildRules()
_SepSecureBootBuildRules@0 proc	near	; CODE XREF: SeSecureBootRegisterPolicy+10A91p
		mov	ecx, dword_6FDDF4
		movzx	edx, word ptr [ecx+24h]
		test	dx, dx
		jz	short loc_AEFA98
		push	esi
		push	edi
		lea	esi, [ecx+3Ch]
		mov	edi, edx
		add	esi, [ecx+28h]
		mov	dword_6FE13C, esi
		test	edi, edi
		jz	short loc_AEFA96
		mov	edx, dword_6FE130
		add	esi, 4

loc_AEFA7E:				; CODE XREF: SepSecureBootBuildRules()+3Cj
		movzx	eax, byte ptr [esi+3]
		lea	esi, [esi+0Ch]
		and	eax, 0Fh
		bts	edx, eax
		sub	edi, 1
		jnz	short loc_AEFA7E
		mov	dword_6FE130, edx

loc_AEFA96:				; CODE XREF: SepSecureBootBuildRules()+21j
		pop	edi
		pop	esi

loc_AEFA98:				; CODE XREF: SepSecureBootBuildRules()+Dj
		cmp	word ptr [ecx+26h], 0
		jz	short loc_AEFAAC
		mov	eax, [ecx+2Ch]
		add	eax, 3Ch
		add	eax, ecx
		mov	dword_6FE138, eax

loc_AEFAAC:				; CODE XREF: SepSecureBootBuildRules()+4Bj
		xor	eax, eax
		retn
_SepSecureBootBuildRules@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SepSecureBootCheckForUpdates()
_SepSecureBootCheckForUpdates@0	proc near
					; CODE XREF: SeSecureBootRegisterPolicy:loc_AD92EDp

var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 38h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	esi
		push	edi
		xor	eax, eax
		mov	[ebp+var_38], 18h
		lea	edi, [ebp+var_18]
		mov	[ebp+var_2C], 240h
		stosd
		xor	esi, esi
		mov	[ebp+var_1C], esi
		mov	[ebp+var_20], esi
		mov	[ebp+var_34], esi
		stosd
		mov	[ebp+var_30], (offset loc_404E2B+1)
		mov	[ebp+var_28], esi
		mov	[ebp+var_24], esi
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_38]
		push	eax
		push	20019h
		lea	eax, [ebp+var_1C]
		push	eax
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_AEFB47
		lea	eax, [ebp+var_20]
		push	eax
		push	14h
		lea	eax, [ebp+var_18]
		push	eax
		push	2
		push	(offset	loc_404E13+1)
		push	[ebp+var_1C]
		call	_ZwQueryValueKey@24 ; ZwQueryValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AEFB47
		cmp	[ebp+var_14], 4
		jnz	short loc_AEFB47
		cmp	[ebp+var_10], 4
		jnz	short loc_AEFB47
		cmp	[ebp+var_C], esi
		jz	short loc_AEFB47
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	esi
		push	(offset	loc_4253AF+1)
		call	_NtUpdateWnfStateData@28 ; NtUpdateWnfStateData(x,x,x,x,x,x,x)

loc_AEFB47:				; CODE XREF: SepSecureBootCheckForUpdates()+58j
					; SepSecureBootCheckForUpdates()+75j ...
		cmp	[ebp+var_1C], esi
		jz	short loc_AEFB54
		push	[ebp+var_1C]
		call	_ZwClose@4	; ZwClose(x)

loc_AEFB54:				; CODE XREF: SepSecureBootCheckForUpdates()+9Bj
		mov	ecx, [ebp+var_4]
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
_SepSecureBootCheckForUpdates@0	endp


;  S U B	R O U T	I N E 


; int __fastcall VfInitSetVerifyDriverTargets(void *)
_VfInitSetVerifyDriverTargets@8	proc near ; CODE XREF: ViInitSystemPhase0+1A0C1p
					; ViMakeVerifierSettings(x,x)+47p ...
		mov	edi, edi
		push	esi
		mov	esi, edx
		cmp	esi, 1800h
		jbe	short loc_AEFB7C
		xor	eax, eax
		mov	esi, 17FEh
		mov	ds:word_B0162E,	ax

loc_AEFB7C:				; CODE XREF: VfInitSetVerifyDriverTargets(x,x)+Bj
		push	esi		; size_t
		push	ecx		; void *
		push	offset _MmVerifyDriverBuffer ; void *
		call	_memcpy
		and	_VfOptionFlags,	0FFFFFFFEh
		add	esp, 0Ch
		mov	ds:_MmVerifyDriverBufferLength,	esi
		pop	esi
		retn
_VfInitSetVerifyDriverTargets@8	endp


;  S U B	R O U T	I N E 


; __stdcall ViDisableVerification()
_ViDisableVerification@0 proc near	; CODE XREF: ViInitSystemPhase0:loc_AE6AAEp
					; ViInitSystemPhase0+1A3CFp
		or	ds:_MmVerifyDriverBufferLength,	0FFFFFFFFh
		xor	eax, eax
		mov	_MmVerifyDriverLevel, eax
		mov	_VfRuleClasses,	eax
		mov	dword_6FDE00, eax
		mov	ds:_VfRandomVerifiedDrivers, eax
		mov	_ViVerifyAllDrivers, eax
		mov	_VfSafeMode, 1
		retn
_ViDisableVerification@0 endp


;  S U B	R O U T	I N E 


; __stdcall ViLogAndLoadXdv(x)
_ViLogAndLoadXdv@4 proc	near		; CODE XREF: sub_AE213B+8Dp
					; sub_AE213B+BFp
		mov	edi, edi
		push	ecx
		push	esi
		push	edi
		lea	edi, [ecx+10h]
		mov	esi, [edi]
		jmp	short loc_AEFBE9
; 

loc_AEFBD3:				; CODE XREF: ViLogAndLoadXdv(x)+24j
		push	1
		push	offset _XdvName
		lea	eax, [esi+2Ch]
		push	eax
		call	_RtlEqualUnicodeString@12 ; RtlEqualUnicodeString(x,x,x)
		cmp	al, 1
		jz	short loc_AEFBEF
		mov	esi, [esi]

loc_AEFBE9:				; CODE XREF: ViLogAndLoadXdv(x)+Aj
		cmp	esi, edi
		jnz	short loc_AEFBD3
		xor	esi, esi

loc_AEFBEF:				; CODE XREF: ViLogAndLoadXdv(x)+1Ej
		test	esi, esi
		jz	short loc_AEFC1F
		mov	eax, [esi+18h]
		mov	ecx, esi
		mov	_ViDriverXDVBase, eax
		mov	eax, [esi+20h]
		mov	_ViDriverXDVImageSize, eax
		call	_ViXdvDriverLoadImage@4	; ViXdvDriverLoadImage(x)
		movzx	eax, al
		mov	ds:_XdvEnabled,	eax
		test	eax, eax
		jz	short loc_AEFC1F
		xor	edx, edx
		xor	ecx, ecx
		call	_VfNotifyVerifierExtensions@8 ;	VfNotifyVerifierExtensions(x,x)

loc_AEFC1F:				; CODE XREF: ViLogAndLoadXdv(x)+2Aj
					; ViLogAndLoadXdv(x)+4Dj
		pop	edi
		pop	esi
		pop	ecx
		retn
_ViLogAndLoadXdv@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfTriageAddDrivers(x)
_VfTriageAddDrivers@4 proc near		; CODE XREF: sub_AE213B+50p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		push	ebx
		push	esi
		xor	esi, esi
		test	_VerifierTriageActionTaken, 40000000h
		push	edi		; char
		mov	edi, ecx
		mov	[ebp+var_4], esi
		jnz	short loc_AEFC56
		push	offset ??_C@_0EF@FKCCFLMP@CRASH?5TRIAGE?3?5no?5suspect?5driver@PBOPGDP@	; "CRASH TRIAGE: no suspect drivers will b"...
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 0Ch

loc_AEFC52:				; CODE XREF: VfTriageAddDrivers(x)+5Cj
		xor	eax, eax
		jmp	short loc_AEFCCF
; 

loc_AEFC56:				; CODE XREF: VfTriageAddDrivers(x)+1Cj
		push	offset ??_C@_0DM@OAGOANJA@CRASH?5TRIAGE?3?5will?5select?5targe@PBOPGDP@	; "CRASH TRIAGE: will select target driver"...
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		mov	eax, [edi+84h]
		lea	edx, [ebp+var_4]
		add	esp, 0Ch
		mov	ebx, [eax+1Ch]
		mov	ecx, ebx
		mov	[ebp+var_8], ebx
		call	_TriageGetDriverCount@8	; TriageGetDriverCount(x,x)
		test	eax, eax
		js	short loc_AEFC52
		mov	edi, esi
		cmp	[ebp+var_4], esi
		jbe	short loc_AEFCCD

loc_AEFC88:				; CODE XREF: VfTriageAddDrivers(x)+A8j
		mov	edx, edi
		mov	ecx, ebx
		call	_TriageGetLoaderEntry@8	; TriageGetLoaderEntry(x,x)
		mov	ebx, eax
		test	ebx, ebx
		jz	short loc_AEFCC4
		test	dword ptr [ebx+34h], 8000000h
		jnz	short loc_AEFCC4
		lea	eax, [ebx+2Ch]
		push	eax		; char
		push	offset ??_C@_0EE@LACMLKGP@VfTriageAddDrivers?3?5Marking?5?$CFwZ@PBOPGDP@ ; "VfTriageAddDrivers:	Marking	%wZ for	ver"...
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 10h
		mov	ecx, ebx
		call	_VfSuspectDriversAdd@4 ; VfSuspectDriversAdd(x)
		cmp	eax, 1
		jnz	short loc_AEFCC4
		xor	esi, esi
		inc	esi

loc_AEFCC4:				; CODE XREF: VfTriageAddDrivers(x)+72j
					; VfTriageAddDrivers(x)+7Bj ...
		mov	ebx, [ebp+var_8]
		inc	edi
		cmp	edi, [ebp+var_4]
		jb	short loc_AEFC88

loc_AEFCCD:				; CODE XREF: VfTriageAddDrivers(x)+63j
		mov	eax, esi

loc_AEFCCF:				; CODE XREF: VfTriageAddDrivers(x)+31j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_VfTriageAddDrivers@4 endp


;  S U B	R O U T	I N E 


; __stdcall ViFindTriageDriverTargets(x, x)
_ViFindTriageDriverTargets@8 proc near	; CODE XREF: VfTriageSystem+1A43Dp
		mov	eax, ds:_ViVerifyTriageRulesSize
		push	esi		; char
		mov	esi, offset _ViVerifyTriageRules
		lea	edx, _ViVerifyTriageRules[eax]
		cmp	edx, esi
		jbe	short loc_AEFD23

loc_AEFCE9:				; CODE XREF: ViFindTriageDriverTargets(x,x)+4Dj
		mov	ecx, [esi]
		mov	eax, ecx
		shr	eax, 10h
		and	eax, 7
		sub	eax, 0
		jz	short loc_AEFD38
		sub	eax, 1
		jz	short loc_AEFD17
		sub	eax, 1
		jnz	short loc_AEFD1F
		push	offset ??_C@_0CH@JLKGLPDN@CRASH?5TRIAGE?3?5found?5a?5?$GAtargets?8@PBOPGDP@ ; char *
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		mov	eax, esi
		pop	esi
		retn			; char
; 

loc_AEFD17:				; CODE XREF: ViFindTriageDriverTargets(x,x)+27j
		shr	ecx, 13h
		add	esi, 8
		add	esi, ecx

loc_AEFD1F:				; CODE XREF: ViFindTriageDriverTargets(x,x)+2Cj
		cmp	esi, edx
		jb	short loc_AEFCE9

loc_AEFD23:				; CODE XREF: ViFindTriageDriverTargets(x,x)+13j
		push	offset ??_C@_0CI@GLHLNLAP@CRASH?5TRIAGE?3?5no?5?$GAtargets?8?5rule@PBOPGDP@ ; char *

loc_AEFD28:				; CODE XREF: ViFindTriageDriverTargets(x,x)+69j
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		xor	eax, eax
		pop	esi
		retn
; 

loc_AEFD38:				; CODE XREF: ViFindTriageDriverTargets(x,x)+22j
		push	offset ??_C@_0EC@EKEAOEPB@CRASH?5TRIAGE?3?5zeroed?5rules?5stru@PBOPGDP@
		jmp	short loc_AEFD28
_ViFindTriageDriverTargets@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViFindTriageRule(x,	x, x)
_ViFindTriageRule@12 proc near		; CODE XREF: VfTriageSystem+1A3FFp
					; VfTriageSystem+1A413p

arg_0		= byte ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, ecx
		add	edx, esi
		jmp	short loc_AEFD7A
; 

loc_AEFD4B:				; CODE XREF: ViFindTriageRule(x,x,x)+3Dj
		mov	ecx, [esi]
		mov	eax, ecx
		shr	eax, 10h
		and	eax, 7
		sub	eax, 0
		jz	short loc_AEFDB1
		sub	eax, 1
		jz	short loc_AEFD66
		sub	eax, 1
		jnz	short loc_AEFD7A
		jmp	short loc_AEFD72
; 

loc_AEFD66:				; CODE XREF: ViFindTriageRule(x,x,x)+1Ej
		mov	eax, ecx
		xor	eax, dword ptr [ebp+arg_0]
		movzx	eax, ax
		test	eax, eax
		jz	short loc_AEFD99

loc_AEFD72:				; CODE XREF: ViFindTriageRule(x,x,x)+25j
		shr	ecx, 13h
		add	esi, 8
		add	esi, ecx

loc_AEFD7A:				; CODE XREF: ViFindTriageRule(x,x,x)+Aj
					; ViFindTriageRule(x,x,x)+23j
		cmp	esi, edx
		jb	short loc_AEFD4B
		push	dword ptr [ebp+arg_0] ;	char
		push	offset ??_C@_0DA@EENFKLGP@CRASH?5TRIAGE?3?5no?5rule?5found?5for@PBOPGDP@ ; char	*
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 10h

loc_AEFD92:				; CODE XREF: ViFindTriageRule(x,x,x)+83j
		xor	eax, eax

loc_AEFD94:				; CODE XREF: ViFindTriageRule(x,x,x)+70j
		pop	esi
		pop	ebp
		retn	4		; char
; 

loc_AEFD99:				; CODE XREF: ViFindTriageRule(x,x,x)+31j
		push	dword ptr [ebp+arg_0] ;	char
		push	offset ??_C@_0DB@NEABKCED@CRASH?5TRIAGE?3?5rule?5was?5found?5fo@PBOPGDP@ ; char	*
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 10h
		mov	eax, esi
		jmp	short loc_AEFD94
; 

loc_AEFDB1:				; CODE XREF: ViFindTriageRule(x,x,x)+19j
		push	offset ??_C@_0EC@EKEAOEPB@CRASH?5TRIAGE?3?5zeroed?5rules?5stru@PBOPGDP@	; char *
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		jmp	short loc_AEFD92
_ViFindTriageRule@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViMakeVerifierSettings(x, x)
_ViMakeVerifierSettings@8 proc near	; CODE XREF: VfTriageSystem+1A463p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		lea	eax, [ecx+4]
		mov	_VfVerifyMode, 1
		push	ebx
		mov	[ebp+var_8], eax
		mov	ebx, edx
		mov	eax, [eax]
		push	esi
		mov	_MmVerifyDriverLevel, eax
		mov	esi, offset ??_C@_13BBDEGPLJ@?$AA?$CK@PBOPGDP@
		mov	edx, [ecx]
		push	edi		; char
		xor	edi, edi
		shr	edx, 13h
		mov	[ebp+var_4], edi
		test	edx, edx
		jnz	short loc_AEFE06
		test	ebx, ebx
		jz	short loc_AEFE24
		mov	edx, [ebx]
		mov	ecx, ebx
		shr	edx, 13h

loc_AEFE06:				; CODE XREF: ViMakeVerifierSettings(x,x)+35j
		lea	edi, [ecx+8]
		mov	ecx, edi	; void *
		call	_VfInitSetVerifyDriverTargets@8	; VfInitSetVerifyDriverTargets(x,x)
		push	edi		; char
		push	offset ??_C@_0CJ@HLBJFCCN@CRASH?5TRIAGE?3?5target?5drivers?5ar@PBOPGDP@	; char *
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	short loc_AEFE46
; 

loc_AEFE24:				; CODE XREF: ViMakeVerifierSettings(x,x)+39j
		push	4
		pop	edx
		mov	ecx, esi	; void *
		mov	[ebp+var_4], 1
		call	_VfInitSetVerifyDriverTargets@8	; VfInitSetVerifyDriverTargets(x,x)
		push	offset ??_C@_0CO@ONEBBCGJ@CRASH?5TRIAGE?3?5all?5drivers?5will?5@PBOPGDP@ ; char	*
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 0Ch

loc_AEFE46:				; CODE XREF: ViMakeVerifierSettings(x,x)+5Ej
		mov	eax, [ebp+var_8]
		mov	_VerifierTriageActionTaken, 1
		push	dword ptr [eax]	; char
		push	offset ??_C@_0DM@KPCNIJOB@CRASH?5TRIAGE?3?5system?5will?5enabl@PBOPGDP@	; "CRASH TRIAGE: system	will enable verifi"...
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 10h
		cmp	[ebp+var_4], 0
		jnz	short loc_AEFE6E
		mov	esi, edi

loc_AEFE6E:				; CODE XREF: ViMakeVerifierSettings(x,x)+A6j
		push	esi
		mov	edx, 200h
		mov	ecx, offset _ViVerifyTargets
		call	_RtlStringCbCopyW@12 ; RtlStringCbCopyW(x,x,x)
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViMakeVerifierSettings@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall ViTriageSameDriversFromDump(x, x)
_ViTriageSameDriversFromDump@8 proc near ; CODE	XREF: VfTriageSystem+1A3A6p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_4], 0
		mov	eax, edx
		push	ebx
		push	esi
		mov	ebx, ecx
		mov	[ebp+var_8], eax
		push	edi		; char
		lea	edx, [ebp+var_4]
		mov	ecx, eax
		call	_TriageGetDriverCount@8	; TriageGetDriverCount(x,x)
		test	eax, eax
		jns	short loc_AEFEBC
		push	offset ??_C@_0DJ@LLPBLGK@CRASH?5TRIAGE?3?5failed?5to?5get?5dri@PBOPGDP@	; char *
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 0Ch

loc_AEFEB8:				; CODE XREF: ViTriageSameDriversFromDump(x,x)+78j
		xor	eax, eax
		jmp	short loc_AEFF06
; 

loc_AEFEBC:				; CODE XREF: ViTriageSameDriversFromDump(x,x)+22j
		add	ebx, 10h
		mov	esi, [ebx]
		jmp	short loc_AEFEFF
; 

loc_AEFEC3:				; CODE XREF: ViTriageSameDriversFromDump(x,x)+7Ej
		xor	edi, edi
		cmp	[ebp+var_4], edi
		jbe	short loc_AEFEE6

loc_AEFECA:				; CODE XREF: ViTriageSameDriversFromDump(x,x)+61j
		mov	ecx, [ebp+var_8]
		mov	edx, edi
		call	_TriageGetLoaderEntry@8	; TriageGetLoaderEntry(x,x)
		test	eax, eax
		jz	short loc_AEFEE0
		mov	ecx, [esi+40h]
		cmp	ecx, [eax+40h]
		jz	short loc_AEFEFD

loc_AEFEE0:				; CODE XREF: ViTriageSameDriversFromDump(x,x)+53j
		inc	edi
		cmp	edi, [ebp+var_4]
		jb	short loc_AEFECA

loc_AEFEE6:				; CODE XREF: ViTriageSameDriversFromDump(x,x)+45j
		lea	eax, [esi+2Ch]
		push	eax		; char
		push	offset ??_C@_0DL@JKOFOHFA@Matching?5checksum?5for?5module?5?$CFw@PBOPGDP@ ; char *
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 10h
		jmp	short loc_AEFEB8
; 

loc_AEFEFD:				; CODE XREF: ViTriageSameDriversFromDump(x,x)+5Bj
		mov	esi, [esi]

loc_AEFEFF:				; CODE XREF: ViTriageSameDriversFromDump(x,x)+3Ej
		cmp	esi, ebx
		jnz	short loc_AEFEC3
		xor	eax, eax
		inc	eax

loc_AEFF06:				; CODE XREF: ViTriageSameDriversFromDump(x,x)+37j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_ViTriageSameDriversFromDump@8 endp


;  S U B	R O U T	I N E 


; int __fastcall ViValidateTriageRules(char)
_ViValidateTriageRules@8 proc near	; CODE XREF: VfTriageSystem+1A3C6p
					; VfTriageSystem+1A3E1p
		mov	edi, edi
		push	ecx		; char
		add	edx, ecx
		cmp	ecx, edx
		jnb	short loc_AEFF2B

loc_AEFF14:				; CODE XREF: ViValidateTriageRules(x,x)+1Ej
		mov	eax, [ecx]
		test	eax, 70000h
		jz	short loc_AEFF56
		shr	eax, 13h
		add	ecx, 8
		add	ecx, eax
		cmp	ecx, edx
		ja	short loc_AEFF41
		jb	short loc_AEFF14

loc_AEFF2B:				; CODE XREF: ViValidateTriageRules(x,x)+7j
		push	offset ??_C@_0BN@PBKHKAOG@CRASH?5TRIAGE?3?5rules?5are?5ok?4?6@PBOPGDP@ ; char *

loc_AEFF30:				; CODE XREF: ViValidateTriageRules(x,x)+50j
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		xor	eax, eax
		add	esp, 0Ch
		inc	eax
		pop	ecx
		retn			; char
; 

loc_AEFF41:				; CODE XREF: ViValidateTriageRules(x,x)+1Cj
		push	offset ??_C@_0CJ@CNPCFPHB@CRASH?5TRIAGE?3?5invalid?5rules?5str@PBOPGDP@	; char *
		push	3		; int
		push	5Dh		; int
		call	_DbgPrintEx
		add	esp, 0Ch
		xor	eax, eax
		pop	ecx
		retn
; 

loc_AEFF56:				; CODE XREF: ViValidateTriageRules(x,x)+10j
		push	offset ??_C@_0DE@PFHEJPLB@CRASH?5TRIAGE?3?5found?5zeroed?5rule@PBOPGDP@
		jmp	short loc_AEFF30
_ViValidateTriageRules@8 endp


;  S U B	R O U T	I N E 


; __stdcall VfSuspectDriversAdd(x)
_VfSuspectDriversAdd@4 proc near	; CODE XREF: VfTriageAddDrivers(x)+94p
		mov	edi, edi
		push	esi
		add	ecx, 2Ch
		call	_VfSuspectDriversAllocateEntry@4 ; VfSuspectDriversAllocateEntry(x)
		mov	esi, eax
		test	esi, esi
		jz	short loc_AEFF84
		call	_VfDriverLock@0	; VfDriverLock()
		mov	ecx, esi
		call	_VfSuspectDriversInsert@4 ; VfSuspectDriversInsert(x)
		call	_VfDriverUnlock@0 ; VfDriverUnlock()
		xor	eax, eax
		inc	eax
		pop	esi
		retn
; 

loc_AEFF84:				; CODE XREF: VfSuspectDriversAdd(x)+Fj
		xor	eax, eax
		pop	esi
		retn
_VfSuspectDriversAdd@4 endp


;  S U B	R O U T	I N E 


; __stdcall VfSuspectDriversIsLoaded(x)
_VfSuspectDriversIsLoaded@4 proc near	; CODE XREF: ViDriverReApplyVerifierForAll(x)+36p
		call	_ViSuspectDriversLookupEntry@4 ; ViSuspectDriversLookupEntry(x)
		test	eax, eax
		jz	short loc_AEFF9D
		mov	ecx, [eax+8]
		cmp	ecx, [eax+0Ch]
		jbe	short loc_AEFF9D
		xor	eax, eax
		inc	eax
		retn
; 

loc_AEFF9D:				; CODE XREF: VfSuspectDriversIsLoaded(x)+7j
					; VfSuspectDriversIsLoaded(x)+Fj
		xor	eax, eax
		retn
_VfSuspectDriversIsLoaded@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VfSuspectDriversParseRegistryString()
_VfSuspectDriversParseRegistryString@0 proc near ; CODE	XREF: sub_AE213B+13p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		mov	eax, ds:_MmVerifyDriverBufferLength
		mov	edx, offset _MmVerifyDriverBuffer
		and	[ebp+var_20], 0
		add	eax, 0FFFFFFFEh
		and	[ebp+var_1C], 0
		push	ebx
		push	esi
		push	edi
		mov	edi, _VfOptionFlags
		shr	eax, 1
		not	edi
		and	edi, 1
		mov	[ebp+var_4], edi
		lea	ebx, _MmVerifyDriverBuffer[eax*2]
		cmp	ebx, edx
		jbe	loc_AF007B
		push	9
		pop	ecx
		push	0Ah
		pop	esi
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], 0Dh
		mov	[ebp+var_14], 20h
		mov	[ebp+var_18], 3000h
		mov	[ebp+var_8], 22h

loc_AF0004:				; CODE XREF: VfSuspectDriversParseRegistryString()+19Aj
		movzx	eax, word ptr [edx]
		cmp	ax, cx
		jz	loc_AF012A
		cmp	ax, si
		jz	loc_AF012A
		push	0Dh
		pop	esi
		cmp	ax, si
		jz	loc_AF012A
		push	20h
		pop	esi
		cmp	ax, si
		jz	loc_AF012A
		mov	esi, 3000h
		cmp	ax, si
		jz	loc_AF012A
		test	ax, ax
		jz	loc_AF012A
		cmp	eax, 2Ah
		jnz	short loc_AF0056
		cmp	edi, 1
		jz	loc_AF013F

loc_AF0056:				; CODE XREF: VfSuspectDriversParseRegistryString()+ABj
		lea	esi, [edx+2]
		cmp	ax, word ptr [ebp+var_8]
		jnz	short loc_AF00A8
		mov	edx, esi
		lea	esi, [edx+2]
		cmp	esi, ebx
		jnb	short loc_AF007B
		push	22h
		pop	eax

loc_AF006B:				; CODE XREF: VfSuspectDriversParseRegistryString()+D5j
		cmp	[esi], ax
		jz	short loc_AF0077
		add	esi, 2
		cmp	esi, ebx
		jb	short loc_AF006B

loc_AF0077:				; CODE XREF: VfSuspectDriversParseRegistryString()+CEj
		cmp	esi, ebx
		jb	short loc_AF00AC

loc_AF007B:				; CODE XREF: VfSuspectDriversParseRegistryString()+39j
					; VfSuspectDriversParseRegistryString()+C6j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AF0080:				; CODE XREF: VfSuspectDriversParseRegistryString()+10Aj
		movzx	eax, word ptr [esi]
		cmp	ax, cx
		jz	short loc_AF00AC
		cmp	ax, word ptr [ebp+var_C]
		jz	short loc_AF00AC
		cmp	ax, word ptr [ebp+var_10]
		jz	short loc_AF00AC
		cmp	ax, word ptr [ebp+var_14]
		jz	short loc_AF00AC
		cmp	ax, word ptr [ebp+var_18]
		jz	short loc_AF00AC
		test	ax, ax
		jz	short loc_AF00AC
		add	esi, 2

loc_AF00A8:				; CODE XREF: VfSuspectDriversParseRegistryString()+BDj
		cmp	esi, ebx
		jb	short loc_AF0080

loc_AF00AC:				; CODE XREF: VfSuspectDriversParseRegistryString()+D9j
					; VfSuspectDriversParseRegistryString()+E6j ...
		mov	eax, esi
		sub	eax, edx
		sar	eax, 1
		add	eax, eax
		jz	short loc_AF012C
		movzx	ecx, ax
		mov	word ptr [ebp+var_20], cx
		lea	eax, [ecx+2]
		mov	word ptr [ebp+var_20+2], ax
		cmp	ax, cx
		jb	short loc_AF007B
		mov	[ebp+var_1C], edx
		lea	ecx, [ebp+var_20]
		cmp	edi, 1
		jnz	short loc_AF00ED
		call	_VfSuspectDriversAllocateEntry@4 ; VfSuspectDriversAllocateEntry(x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AF0122
		call	_VfDriverLock@0	; VfDriverLock()
		mov	ecx, edi
		call	_VfSuspectDriversInsert@4 ; VfSuspectDriversInsert(x)
		jmp	short loc_AF011D
; 

loc_AF00ED:				; CODE XREF: VfSuspectDriversParseRegistryString()+132j
		mov	edx, 44456656h
		call	_VfSuspectExcludedDriversAllocateEntry@8 ; VfSuspectExcludedDriversAllocateEntry(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AF0122
		call	_VfDriverLock@0	; VfDriverLock()
		mov	eax, dword_6BDFDC
		mov	ecx, offset _VfExcludedDriversList
		cmp	[eax], ecx
		jnz	short loc_AF014E
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	dword_6BDFDC, edi

loc_AF011D:				; CODE XREF: VfSuspectDriversParseRegistryString()+14Bj
		call	_VfDriverUnlock@0 ; VfDriverUnlock()

loc_AF0122:				; CODE XREF: VfSuspectDriversParseRegistryString()+13Dj
					; VfSuspectDriversParseRegistryString()+15Bj
		mov	edi, [ebp+var_4]
		push	9
		pop	ecx
		jmp	short loc_AF012C
; 

loc_AF012A:				; CODE XREF: VfSuspectDriversParseRegistryString()+6Aj
					; VfSuspectDriversParseRegistryString()+73j ...
		mov	esi, edx

loc_AF012C:				; CODE XREF: VfSuspectDriversParseRegistryString()+114j
					; VfSuspectDriversParseRegistryString()+188j
		lea	edx, [esi+2]
		cmp	edx, ebx
		jnb	loc_AF007B
		push	0Ah
		pop	esi
		jmp	loc_AF0004
; 

loc_AF013F:				; CODE XREF: VfSuspectDriversParseRegistryString()+B0j
		mov	_ViVerifyAllDrivers, 1
		jmp	loc_AF007B
; 

loc_AF014E:				; CODE XREF: VfSuspectDriversParseRegistryString()+16Ej
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall VfXdvExcludeParseRegistryString()
_VfXdvExcludeParseRegistryString@0:	; CODE XREF: sub_AE213B+21p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		mov	eax, ds:_VfXdvSuppressDriversBufferLength
		xor	ecx, ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_14], ecx
		push	ebx
		push	esi
		push	edi
		cmp	eax, 0FFFFFFFFh
		jnz	short loc_AF017B
		mov	ds:_VfXdvSuppressDriversBufferLength, ecx

loc_AF0176:				; CODE XREF: VfSuspectDriversParseRegistryString()+1EEj
					; VfSuspectDriversParseRegistryString()+262j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AF017B:				; CODE XREF: VfSuspectDriversParseRegistryString()+1CEj
		add	eax, 0FFFFFFFEh
		mov	edx, offset _VfXdvSuppressDriversBuffer
		shr	eax, 1
		lea	ebx, _VfXdvSuppressDriversBuffer[eax*2]
		cmp	ebx, edx
		jbe	short loc_AF0176
		push	9
		pop	ecx
		push	0Ah
		pop	edi
		push	0Dh
		pop	esi
		mov	[ebp+var_8], esi
		mov	[ebp+var_C], 20h
		mov	[ebp+var_10], 3000h
		mov	[ebp+var_4], 22h

loc_AF01B1:				; CODE XREF: VfSuspectDriversParseRegistryString()+320j
		movzx	eax, word ptr [edx]
		cmp	ax, cx
		jz	loc_AF02B0
		cmp	ax, di
		jz	loc_AF02B0
		cmp	ax, si
		jz	loc_AF02B0
		push	20h
		pop	esi
		cmp	ax, si
		jz	loc_AF02B0
		mov	esi, 3000h
		cmp	ax, si
		jz	loc_AF02B0
		test	ax, ax
		jz	loc_AF02B0
		lea	esi, [edx+2]
		cmp	ax, word ptr [ebp+var_4]
		jnz	short loc_AF0248
		mov	edx, esi
		lea	esi, [edx+2]
		cmp	esi, ebx
		jnb	loc_AF0176
		push	22h
		pop	eax

loc_AF020B:				; CODE XREF: VfSuspectDriversParseRegistryString()+275j
		cmp	[esi], ax
		jz	short loc_AF0217
		add	esi, 2
		cmp	esi, ebx
		jb	short loc_AF020B

loc_AF0217:				; CODE XREF: VfSuspectDriversParseRegistryString()+26Ej
		cmp	esi, ebx
		jnb	loc_AF0176
		jmp	short loc_AF024C
; 

loc_AF0221:				; CODE XREF: VfSuspectDriversParseRegistryString()+2AAj
		movzx	eax, word ptr [esi]
		cmp	ax, cx
		jz	short loc_AF024C
		cmp	ax, di
		jz	short loc_AF024C
		cmp	ax, word ptr [ebp+var_8]
		jz	short loc_AF024C
		cmp	ax, word ptr [ebp+var_C]
		jz	short loc_AF024C
		cmp	ax, word ptr [ebp+var_10]
		jz	short loc_AF024C
		test	ax, ax
		jz	short loc_AF024C
		add	esi, 2

loc_AF0248:				; CODE XREF: VfSuspectDriversParseRegistryString()+259j
		cmp	esi, ebx
		jb	short loc_AF0221

loc_AF024C:				; CODE XREF: VfSuspectDriversParseRegistryString()+27Fj
					; VfSuspectDriversParseRegistryString()+287j ...
		mov	eax, esi
		sub	eax, edx
		sar	eax, 1
		add	eax, eax
		jz	short loc_AF02B2
		movzx	ecx, ax
		mov	word ptr [ebp+var_18], cx
		lea	eax, [ecx+2]
		mov	word ptr [ebp+var_18+2], ax
		cmp	ax, cx
		jb	loc_AF0176
		mov	[ebp+var_14], edx
		lea	ecx, [ebp+var_18]
		mov	edx, 45586656h
		call	_VfSuspectExcludedDriversAllocateEntry@8 ; VfSuspectExcludedDriversAllocateEntry(x,x)
		mov	edi, eax
		test	edi, edi
		jz	short loc_AF02A8
		call	_VfDriverLock@0	; VfDriverLock()
		mov	eax, dword_6BDFD4
		mov	ecx, offset _VfXdvExcludedDriversList
		cmp	[eax], ecx
		jnz	short loc_AF02C5
		mov	[edi], ecx
		mov	[edi+4], eax
		mov	[eax], edi
		mov	dword_6BDFD4, edi
		call	_VfDriverUnlock@0 ; VfDriverUnlock()

loc_AF02A8:				; CODE XREF: VfSuspectDriversParseRegistryString()+2E1j
		push	9
		pop	ecx
		push	0Ah
		pop	edi
		jmp	short loc_AF02B2
; 

loc_AF02B0:				; CODE XREF: VfSuspectDriversParseRegistryString()+217j
					; VfSuspectDriversParseRegistryString()+220j ...
		mov	esi, edx

loc_AF02B2:				; CODE XREF: VfSuspectDriversParseRegistryString()+2B4j
					; VfSuspectDriversParseRegistryString()+30Ej
		lea	edx, [esi+2]
		cmp	edx, ebx
		jnb	loc_AF0176
		push	0Dh
		pop	esi
		jmp	loc_AF01B1
; 

loc_AF02C5:				; CODE XREF: VfSuspectDriversParseRegistryString()+2F4j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

; __stdcall ExInitTraceLogging()
_ExInitTraceLogging@0:			; CODE XREF: INIT:00ABFCE4p
		mov	edi, edi
		push	ecx
		push	0
		xor	edx, edx
		mov	ecx, offset dword_6B2A90
		call	_TraceLoggingRegisterEx_EtwRegister_EtwSetInformation@12 ; TraceLoggingRegisterEx_EtwRegister_EtwSetInformation(x,x,x)
		pop	ecx
		retn
_VfSuspectDriversParseRegistryString@0 endp ; sp = -2Ch


;  S U B	R O U T	I N E 


; __stdcall BapdpIsTime1MoreRecentThanTime2(x, x)
_BapdpIsTime1MoreRecentThanTime2@8 proc	near ; CODE XREF: BapdpProcessWmdResults+14DA3p
		movzx	eax, word ptr [ecx]
		push	esi
		movzx	esi, word ptr [edx]
		cmp	ax, si
		jg	short loc_AF0344
		jl	short loc_AF0340
		movzx	eax, word ptr [ecx+2]
		movzx	esi, word ptr [edx+2]
		cmp	ax, si
		jg	short loc_AF0344
		jl	short loc_AF0340
		movzx	eax, word ptr [ecx+4]
		movzx	esi, word ptr [edx+4]
		cmp	ax, si
		jg	short loc_AF0344
		jl	short loc_AF0340
		movzx	eax, word ptr [ecx+6]
		movzx	esi, word ptr [edx+6]
		cmp	ax, si
		jg	short loc_AF0344
		jl	short loc_AF0340
		movzx	eax, word ptr [ecx+8]
		movzx	esi, word ptr [edx+8]
		cmp	ax, si
		jg	short loc_AF0344
		jl	short loc_AF0340
		movzx	eax, word ptr [ecx+0Ah]
		movzx	esi, word ptr [edx+0Ah]
		cmp	ax, si
		jg	short loc_AF0344
		jl	short loc_AF0340
		mov	ax, [ecx+0Ch]
		cmp	ax, [edx+0Ch]
		jg	short loc_AF0344

loc_AF0340:				; CODE XREF: BapdpIsTime1MoreRecentThanTime2(x,x)+Cj
					; BapdpIsTime1MoreRecentThanTime2(x,x)+1Bj ...
		xor	al, al
		pop	esi
		retn
; 

loc_AF0344:				; CODE XREF: BapdpIsTime1MoreRecentThanTime2(x,x)+Aj
					; BapdpIsTime1MoreRecentThanTime2(x,x)+19j ...
		mov	al, 1
		pop	esi
		retn
_BapdpIsTime1MoreRecentThanTime2@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpRegisterEDrvHintInfo(x)
_BapdpRegisterEDrvHintInfo@4 proc near	; CODE XREF: BapdpProcessEDrvHintInfo+14D5Cp

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 30h
		push	ebx
		push	esi
		xor	esi, esi
		mov	[ebp+var_C], 1
		mov	[ebp+var_14], esi
		mov	[ebp+var_10], esi
		mov	[ebp+var_4], esi
		mov	[ebp+var_8], esi
		test	ecx, ecx
		jz	loc_AF044F
		cmp	dword ptr [ecx], 8
		jb	loc_AF044F
		test	byte ptr [ecx+4], 1
		jz	loc_AF044F
		push	offset ??_C@_1GG@IBGAEKLO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@PBOPGDP@ ; "\\"
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	ebx
		lea	eax, [ebp+var_14]
		mov	[ebp+var_2C], ebx
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_28], esi
		push	eax
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	short loc_AF0435
		push	offset ??_C@_1DA@HBKKGICP@?$AAB?$AAi?$AAt?$AAL?$AAo?$AAc?$AAk?$AAe?$AAr?$AAE?$AAD?$AAr?$AAi?$AAv?$AAe@PBOPGDP@
		lea	eax, [ebp+var_14]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_4]
		push	esi
		push	1
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_14]
		push	esi
		mov	[ebp+var_24], eax
		lea	eax, [ebp+var_2C]
		push	esi
		push	eax
		push	6001Fh
		lea	eax, [ebp+var_8]
		mov	[ebp+var_2C], ebx
		push	eax
		mov	[ebp+var_20], 240h
		mov	[ebp+var_1C], esi
		mov	[ebp+var_18], esi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AF0435
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		push	offset ??_C@_1CM@NKIJFGBG@?$AAE?$AAD?$AAr?$AAi?$AAv?$AAe?$AAS?$AAu?$AAp?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd@PBOPGDP@
		lea	eax, [ebp+var_14]
		mov	[ebp+var_4], esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_C]
		push	eax
		push	4
		push	esi
		lea	eax, [ebp+var_14]
		push	eax
		push	[ebp+var_8]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_AF0435:				; CODE XREF: BapdpRegisterEDrvHintInfo(x)+78j
					; BapdpRegisterEDrvHintInfo(x)+BDj
		cmp	[ebp+var_4], esi
		jz	short loc_AF0442
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)

loc_AF0442:				; CODE XREF: BapdpRegisterEDrvHintInfo(x)+F0j
		cmp	[ebp+var_8], esi
		jz	short loc_AF044F
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_AF044F:				; CODE XREF: BapdpRegisterEDrvHintInfo(x)+21j
					; BapdpRegisterEDrvHintInfo(x)+2Aj ...
		pop	esi
		pop	ebx
		leave
		retn
_BapdpRegisterEDrvHintInfo@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpRegisterFwUpdateResults(x, x)
_BapdpRegisterFwUpdateResults@8	proc near ; CODE XREF: BapdpProcessFwUpdateResults+14DD0p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, ecx
		mov	[ebp+var_14], edi
		mov	esi, edx
		mov	[ebp+var_24], edi
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_8], edi
		mov	[ebp+var_4], edi
		test	ebx, ebx
		jz	loc_AF061D
		test	esi, esi
		jz	loc_AF061D
		mov	eax, [ebx]
		mov	ecx, eax
		mov	edx, [ebx+4]
		or	ecx, edx
		mov	[ebp+var_10], eax
		jz	loc_AF061D
		push	18h
		pop	ecx
		mov	eax, edx
		mul	ecx
		push	18h
		mov	ecx, eax
		mov	eax, [ebp+var_10]
		pop	edx
		mul	edx
		add	ecx, edx
		add	eax, 8
		adc	ecx, edi
		cmp	edi, ecx
		jb	loc_AF061D
		ja	short loc_AF04C5
		cmp	esi, eax
		jb	loc_AF061D

loc_AF04C5:				; CODE XREF: BapdpRegisterFwUpdateResults(x,x)+68j
		push	offset ??_C@_1IK@DJIKLOAN@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@PBOPGDP@ ; "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControl"...
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	eax
		mov	[ebp+var_3C], eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_3C]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_38], edi
		push	eax
		mov	[ebp+var_30], 240h
		mov	[ebp+var_2C], edi
		mov	[ebp+var_28], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_AF0602
		lea	esi, [ebx+8]
		mov	[ebp+var_10], edi
		mov	[ebp+var_C], esi
		cmp	[ebx+4], edi
		jb	loc_AF0602
		ja	short loc_AF0525
		cmp	[ebx], edi
		jbe	loc_AF0602

loc_AF0525:				; CODE XREF: BapdpRegisterFwUpdateResults(x,x)+C8j
					; BapdpRegisterFwUpdateResults(x,x)+19Dj ...
		lea	eax, [ebp+var_24]
		push	eax
		push	esi
		call	_RtlStringFromGUID@8 ; RtlStringFromGUID(x,x)
		test	eax, eax
		js	loc_AF0602
		push	[ebp+var_20]
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	eax
		mov	[ebp+var_3C], eax
		mov	eax, [ebp+var_8]
		mov	[ebp+var_38], eax
		lea	eax, [ebp+var_1C]
		mov	[ebp+var_34], eax
		lea	eax, [ebp+var_14]
		push	eax
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_3C]
		mov	[ebp+var_30], 240h
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_2C], edi
		push	eax
		mov	[ebp+var_28], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		mov	esi, eax
		lea	eax, [ebp+var_24]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	esi, esi
		js	short loc_AF0602
		push	offset ??_C@_1CG@LGDNDENB@?$AAL?$AAa?$AAs?$AAt?$AAA?$AAt?$AAt?$AAe?$AAm?$AAp?$AAt?$AAV?$AAe?$AAr?$AAs@PBOPGDP@
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	esi, [ebp+var_C]
		push	4
		lea	eax, [esi+10h]
		push	eax
		push	4
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	offset ??_C@_1CE@IHKFLCFN@?$AAL?$AAa?$AAs?$AAt?$AAA?$AAt?$AAt?$AAe?$AAm?$AAp?$AAt?$AAS?$AAt?$AAa?$AAt@PBOPGDP@ ; "L"
		lea	eax, [ebp+var_1C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [esi+14h]
		push	eax
		push	4
		push	edi
		lea	eax, [ebp+var_1C]
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		push	[ebp+var_4]
		call	_ZwClose@4	; ZwClose(x)
		push	18h
		pop	eax
		add	esi, eax
		mov	[ebp+var_4], edi
		mov	eax, [ebp+var_10]
		inc	eax
		mov	[ebp+var_C], esi
		mov	[ebp+var_10], eax
		cmp	edi, [ebx+4]
		jb	loc_AF0525
		ja	short loc_AF0605
		cmp	eax, [ebx]
		jb	loc_AF0525
		jmp	short loc_AF0605
; 

loc_AF0602:				; CODE XREF: BapdpRegisterFwUpdateResults(x,x)+B0j
					; BapdpRegisterFwUpdateResults(x,x)+C2j ...
		mov	edi, [ebp+var_4]

loc_AF0605:				; CODE XREF: BapdpRegisterFwUpdateResults(x,x)+1A3j
					; BapdpRegisterFwUpdateResults(x,x)+1ADj
		test	edi, edi
		jz	short loc_AF060F
		push	edi
		call	_ZwClose@4	; ZwClose(x)

loc_AF060F:				; CODE XREF: BapdpRegisterFwUpdateResults(x,x)+1B4j
		cmp	[ebp+var_8], 0
		jz	short loc_AF061D
		push	[ebp+var_8]
		call	_ZwClose@4	; ZwClose(x)

loc_AF061D:				; CODE XREF: BapdpRegisterFwUpdateResults(x,x)+28j
					; BapdpRegisterFwUpdateResults(x,x)+30j ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_BapdpRegisterFwUpdateResults@8	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BapdpRegisterWmdResult(x)
_BapdpRegisterWmdResult@4 proc near	; CODE XREF: BapdpProcessWmdResults+14DD6p

var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	esi, ecx
		mov	[ebp+var_C], edi
		mov	[ebp+var_18], edi
		mov	[ebp+var_14], edi
		test	esi, esi
		jz	loc_AF0732
		push	offset ??_C@_1GG@IBGAEKLO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@PBOPGDP@ ; "\\"
		lea	eax, [ebp+var_18]
		mov	[ebp+var_8], edi
		push	eax
		mov	[ebp+var_4], edi
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	18h
		pop	ebx
		lea	eax, [ebp+var_18]
		mov	[ebp+var_30], ebx
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_30]
		push	eax
		push	20019h
		lea	eax, [ebp+var_8]
		mov	[ebp+var_2C], edi
		push	eax
		mov	[ebp+var_24], 240h
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		call	_ZwOpenKey@12	; ZwOpenKey(x,x,x)
		test	eax, eax
		js	loc_AF0732
		push	offset ??_C@_1CC@FDHHNLFC@?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAD?$AAi?$AAa?$AAg?$AAn?$AAo?$AAs?$AAt?$AAi@PBOPGDP@
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	eax, [ebp+var_8]
		mov	[ebp+var_2C], eax
		lea	eax, [ebp+var_18]
		mov	[ebp+var_28], eax
		lea	eax, [ebp+var_C]
		push	eax
		push	edi
		push	edi
		push	edi
		lea	eax, [ebp+var_30]
		mov	[ebp+var_30], ebx
		push	eax
		push	20019h
		lea	eax, [ebp+var_4]
		mov	[ebp+var_24], 240h
		push	eax
		mov	[ebp+var_20], edi
		mov	[ebp+var_1C], edi
		call	_ZwCreateKey@28	; ZwCreateKey(x,x,x,x,x,x,x)
		push	[ebp+var_8]
		test	eax, eax
		js	short loc_AF072D
		call	_ZwClose@4	; ZwClose(x)
		push	offset ??_C@_1BA@HJAKFAGA@?$AAR?$AAe?$AAs?$AAu?$AAl?$AAt?$AAs@PBOPGDP@
		lea	eax, [ebp+var_18]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	dword ptr [esi+4]
		lea	eax, [ebp+var_18]
		push	esi
		push	3
		push	edi
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
		test	eax, eax
		js	short loc_AF072A
		push	offset ??_C@_1BG@KEIKIIOJ@?$AAR?$AAu?$AAn?$AAM?$AAe?$AAm?$AAD?$AAi?$AAa?$AAg@PBOPGDP@
		lea	eax, [ebp+var_18]
		mov	[ebp+var_10], 1
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	4
		lea	eax, [ebp+var_10]
		push	eax
		push	4
		push	edi
		lea	eax, [ebp+var_18]
		push	eax
		push	[ebp+var_4]
		call	_ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)

loc_AF072A:				; CODE XREF: BapdpRegisterWmdResult(x)+DCj
		push	[ebp+var_4]

loc_AF072D:				; CODE XREF: BapdpRegisterWmdResult(x)+B2j
		call	_ZwClose@4	; ZwClose(x)

loc_AF0732:				; CODE XREF: BapdpRegisterWmdResult(x)+1Aj
					; BapdpRegisterWmdResult(x)+64j
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_BapdpRegisterWmdResult@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __fastcall VhdiGetDiskParameters(int,void	*,int,int,int)
_VhdiGetDiskParameters@20 proc near	; CODE XREF: IopGetBootDiskInformationLite+26DBCp
					; VhdInitialize+F5BFp

var_2		= byte ptr -2
var_1		= byte ptr -1
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		mov	eax, [ebp+arg_0]
		push	esi
		mov	esi, ecx
		push	edi
		mov	edi, edx
		mov	edx, 0C000000Dh
		test	esi, esi
		jz	loc_AF0852
		test	edi, edi
		jz	loc_AF0852
		test	eax, eax
		jz	loc_AF0852
		cmp	[ebp+arg_8], 0
		jz	loc_AF0852
		cmp	dword ptr [esi+4], 6
		jnz	loc_AF0852
		cmp	dword ptr [esi+24h], 6
		jnz	loc_AF0852
		mov	ecx, [esi+0Ch]
		cmp	ecx, 5Ch
		jb	loc_AF0852
		mov	eax, [esi+44h]
		add	eax, 38h
		cmp	ecx, eax
		jb	loc_AF0852
		xor	ecx, ecx
		cmp	[esi+3Ch], ecx
		jnz	loc_AF0852
		cmp	dword ptr [esi+4Ch], 5
		jnz	loc_AF0852
		cmp	dword ptr [esi+58h], 5
		jnz	loc_AF0852
		push	ebx
		lea	ebx, [esi+5Ch]
		mov	eax, [ebx]
		test	eax, eax
		jnz	short loc_AF07E5
		cmp	dword ptr [ebx+10h], 3
		jnz	loc_AF0851
		push	90h		; size_t
		push	ecx		; int
		push	edi		; void *
		mov	[ebp+var_1], 1
		call	_memset
		add	esp, 0Ch
		xor	eax, eax
		jmp	short loc_AF0831
; 

loc_AF07E5:				; CODE XREF: VhdiGetDiskParameters(x,x,x,x,x)+8Bj
		cmp	eax, 6
		jnz	short loc_AF0851
		mov	[ebp+var_1], cl
		cmp	[ebx+20h], ecx
		jnz	short loc_AF0851
		push	90h		; size_t
		push	ecx		; int
		push	edi		; void *
		call	_memset
		mov	eax, [esi]
		xor	ecx, ecx
		mov	[edi+18h], eax
		inc	ecx
		mov	eax, [ebx+24h]
		add	esp, 0Ch
		cmp	eax, ecx
		jnz	short loc_AF081E
		mov	eax, [ebx+10h]
		mov	[edi+8], eax
		mov	eax, [ebx+14h]
		mov	[edi+0Ch], eax
		jmp	short loc_AF082E
; 

loc_AF081E:				; CODE XREF: VhdiGetDiskParameters(x,x,x,x,x)+D7j
		test	eax, eax
		jnz	short loc_AF084C
		mov	[edi], ecx
		lea	esi, [ebx+10h]
		add	edi, 30h
		movsd
		movsd
		movsd
		movsd

loc_AF082E:				; CODE XREF: VhdiGetDiskParameters(x,x,x,x,x)+E5j
		lea	eax, [ebx+28h]

loc_AF0831:				; CODE XREF: VhdiGetDiskParameters(x,x,x,x,x)+ACj
		mov	ecx, [ebp+arg_0]
		mov	[ecx], eax
		mov	ecx, [ebp+arg_8]
		mov	eax, [ebx+8]
		add	eax, ebx
		xor	edx, edx
		mov	[ecx], eax
		mov	eax, [ebp+arg_4]
		mov	cl, [ebp+var_1]
		mov	[eax], cl
		jmp	short loc_AF0851
; 

loc_AF084C:				; CODE XREF: VhdiGetDiskParameters(x,x,x,x,x)+E9j
		mov	edx, 0C000000Dh

loc_AF0851:				; CODE XREF: VhdiGetDiskParameters(x,x,x,x,x)+91j
					; VhdiGetDiskParameters(x,x,x,x,x)+B1j	...
		pop	ebx

loc_AF0852:				; CODE XREF: VhdiGetDiskParameters(x,x,x,x,x)+16j
					; VhdiGetDiskParameters(x,x,x,x,x)+1Ej	...
		pop	edi
		mov	eax, edx
		pop	esi
		leave
		retn	0Ch
_VhdiGetDiskParameters@20 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VhdiGetPartitionNumber(x, x, x)
_VhdiGetPartitionNumber@12 proc	near	; CODE XREF: VhdiInitializeBootDisk(x,x,x)+249p

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		mov	[ebp+var_C], edx
		push	edi
		test	ecx, ecx
		jz	loc_AF08EF
		test	edx, edx
		jz	short loc_AF08EF
		mov	edi, [ebp+arg_0]
		test	edi, edi
		jz	short loc_AF08EF
		push	ebx
		push	esi
		mov	esi, [ecx+4]
		xor	eax, eax
		mov	[ebp+arg_0], eax
		mov	ebx, 0C0000272h
		mov	[ebp+var_8], esi
		test	esi, esi
		jz	short loc_AF08B7
		mov	esi, [ecx]
		mov	[ebp+var_4], esi
		lea	esi, [ecx+60h]
		mov	ecx, [ebp+var_8]

loc_AF089A:				; CODE XREF: VhdiGetPartitionNumber(x,x,x)+91j
		cmp	[ebp+var_4], 0
		jnz	short loc_AF08BD
		mov	eax, [esi-28h]
		cmp	eax, [edx+8]
		jnz	short loc_AF08DC
		mov	eax, [esi-24h]
		cmp	eax, [edx+0Ch]
		jnz	short loc_AF08DC

loc_AF08B0:				; CODE XREF: VhdiGetPartitionNumber(x,x,x)+7Aj
		mov	eax, [esi-18h]
		xor	ebx, ebx
		mov	[edi], eax

loc_AF08B7:				; CODE XREF: VhdiGetPartitionNumber(x,x,x)+33j
					; VhdiGetPartitionNumber(x,x,x)+93j
		pop	esi
		mov	eax, ebx
		pop	ebx
		jmp	short loc_AF08F4
; 

loc_AF08BD:				; CODE XREF: VhdiGetPartitionNumber(x,x,x)+44j
		cmp	[ebp+var_4], 1
		jnz	short loc_AF08DF
		push	10h		; size_t
		lea	eax, [edx+30h]
		push	eax		; void *
		push	esi		; void *
		call	_memcmp
		add	esp, 0Ch
		test	eax, eax
		jz	short loc_AF08B0
		mov	edx, [ebp+var_C]
		mov	ecx, [ebp+var_8]

loc_AF08DC:				; CODE XREF: VhdiGetPartitionNumber(x,x,x)+4Cj
					; VhdiGetPartitionNumber(x,x,x)+54j
		mov	eax, [ebp+arg_0]

loc_AF08DF:				; CODE XREF: VhdiGetPartitionNumber(x,x,x)+67j
		inc	eax
		add	esi, 90h
		mov	[ebp+arg_0], eax
		cmp	eax, ecx
		jb	short loc_AF089A
		jmp	short loc_AF08B7
; 

loc_AF08EF:				; CODE XREF: VhdiGetPartitionNumber(x,x,x)+Ej
					; VhdiGetPartitionNumber(x,x,x)+16j ...
		mov	eax, 0C000000Dh

loc_AF08F4:				; CODE XREF: VhdiGetPartitionNumber(x,x,x)+61j
		pop	edi
		leave
		retn	4
_VhdiGetPartitionNumber@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VhdiGetVolumeNumber(x, x, x, x)
_VhdiGetVolumeNumber@16	proc near	; CODE XREF: VhdiInitializeBootDisk(x,x,x)+289p

var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= byte ptr -8Ch
var_88		= dword	ptr -88h
var_84		= dword	ptr -84h
var_70		= word ptr -70h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0BCh
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		mov	dword ptr [ebp+var_8C],	edx
		mov	edx, [ebp+arg_4]
		lea	edi, [ebp+var_B8]
		mov	esi, ecx
		mov	[ebp+var_90], edx
		push	6
		pop	ecx
		rep stosd
		lea	edi, [ebp+var_84]
		xor	ebx, ebx
		stosd
		mov	[ebp+var_A0], ebx
		mov	[ebp+var_9C], ebx
		mov	[ebp+var_98], ebx
		stosd
		mov	[ebp+var_94], ebx
		mov	[ebp+var_88], ebx
		stosd
		stosd
		stosd
		test	esi, esi
		jz	loc_AF0A46
		test	edx, edx
		jz	loc_AF0A46
		push	[ebp+arg_0]
		lea	eax, [ebp+var_70]
		push	dword ptr [ebp+var_8C] ; char
		push	offset ??_C@_1DO@HBNMGCKD@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@PBOPGDP@ ; "\\Device\\Harddisk%d\\Partition%d"
		push	64h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	esi, eax
		add	esp, 14h
		test	esi, esi
		js	loc_AF0A3E
		lea	eax, [ebp+var_70]
		push	eax
		lea	eax, [ebp+var_98]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AF0A3E
		push	20h
		lea	eax, [ebp+var_98]
		mov	[ebp+var_B8], 18h
		mov	[ebp+var_B0], eax
		lea	eax, [ebp+var_A0]
		push	3
		push	eax
		lea	eax, [ebp+var_B8]
		mov	[ebp+var_B4], ebx
		push	eax
		push	0C0100000h
		lea	eax, [ebp+var_88]
		mov	[ebp+var_AC], 240h
		push	eax
		mov	[ebp+var_A8], ebx
		mov	[ebp+var_A4], ebx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AF0A3E
		push	14h
		lea	eax, [ebp+var_84]
		push	eax
		push	ebx
		push	ebx
		push	56001Ch
		lea	eax, [ebp+var_A0]
		push	eax
		push	ebx
		push	ebx
		push	ebx
		push	[ebp+var_88]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AF0A3E
		mov	ecx, [ebp+var_90]
		mov	eax, [ebp+var_84]
		mov	[ecx], eax

loc_AF0A3E:				; CODE XREF: VhdiGetVolumeNumber(x,x,x,x)+91j
					; VhdiGetVolumeNumber(x,x,x,x)+ABj ...
		mov	ebx, [ebp+var_88]
		jmp	short loc_AF0A4B
; 

loc_AF0A46:				; CODE XREF: VhdiGetVolumeNumber(x,x,x,x)+63j
					; VhdiGetVolumeNumber(x,x,x,x)+6Bj
		mov	esi, 0C000000Dh

loc_AF0A4B:				; CODE XREF: VhdiGetVolumeNumber(x,x,x,x)+14Bj
		test	ebx, ebx
		jz	short loc_AF0A55
		push	ebx
		call	_ZwClose@4	; ZwClose(x)

loc_AF0A55:				; CODE XREF: VhdiGetVolumeNumber(x,x,x,x)+154j
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	8
_VhdiGetVolumeNumber@16	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VhdiInitializeBootDisk(x, x, x)
_VhdiInitializeBootDisk@12 proc	near	; DATA XREF: VhdInitialize+F5F8o

var_CE		= byte ptr -0CEh
var_CD		= byte ptr -0CDh
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
Source2		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_B8		= dword	ptr -0B8h
var_B4		= dword	ptr -0B4h
var_B0		= dword	ptr -0B0h
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= dword	ptr -90h
var_8C		= dword	ptr -8Ch
var_88		= word ptr -88h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0D4h
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+0D4h+var_4], eax
		mov	edx, [ebp+arg_4]
		xor	eax, eax
		and	[esp+0D4h+var_C0], eax
		push	ebx
		mov	ebx, [ebp+arg_0]
		mov	[esp+0D8h+var_B0], eax
		mov	[esp+0D8h+var_AC], eax
		mov	[esp+0D8h+var_A8], eax
		mov	[esp+0D8h+var_A4], eax
		push	esi
		mov	esi, [ebp+arg_8]
		push	edi
		lea	edi, [esp+0E0h+var_A0]
		push	6
		pop	ecx
		rep stosd
		test	ebx, ebx
		jz	loc_AF0D23
		test	edx, edx
		jz	loc_AF0D23
		test	esi, esi
		jz	loc_AF0D23
		mov	edi, [edx]
		mov	ecx, [edx+4]
		mov	eax, [edx+8]
		mov	edx, [edx+0Ch]
		mov	[esp+0E0h+var_BC], edi
		mov	[esp+0E0h+Source2], ecx
		mov	[esp+0E0h+var_B4], edx
		test	edi, edi
		jz	loc_AF0D23
		test	ecx, ecx
		jz	loc_AF0D23
		test	eax, eax
		jz	loc_AF0D23
		test	edx, edx
		jz	loc_AF0D23
		push	dword ptr [ebx+68h]
		push	esi
		call	_RtlCreateUnicodeStringFromAsciiz@8 ; RtlCreateUnicodeStringFromAsciiz(x,x)
		test	al, al
		jnz	short loc_AF0B15
		mov	eax, 0C0000001h
		jmp	loc_AF0D28
; 

loc_AF0B15:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+A1j
		call	_IoGetConfigurationInformation@0 ; IoGetConfigurationInformation()
		xor	edi, edi
		mov	[esp+0E0h+var_CD], 0
		mov	ecx, [eax]
		xor	eax, eax
		and	[esp+0E0h+var_CC], 0
		mov	[esp+0E0h+var_B8], ecx
		mov	[esp+0E0h+var_C8], eax
		test	ecx, ecx
		jz	loc_AF0CFF

loc_AF0B3A:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+271j
		push	eax		; char
		push	offset ??_C@_1DM@FMJIKGBL@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAH?$AAa?$AAr?$AAd?$AAd?$AAi?$AAs@PBOPGDP@ ; "\\Device\\Harddisk%d\\Partition0"
		lea	eax, [esp+0E8h+var_88]
		push	80h		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		mov	esi, eax
		add	esp, 10h
		test	esi, esi
		js	loc_AF0CCC
		lea	eax, [esp+0E0h+var_88]
		push	eax
		lea	eax, [esp+0E4h+var_B0]
		push	eax
		call	_RtlInitUnicodeStringEx@8 ; RtlInitUnicodeStringEx(x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AF0CCC
		and	[esp+0E0h+var_9C], 0
		lea	eax, [esp+0E0h+var_B0]
		and	[esp+0E0h+var_90], 0
		and	[esp+0E0h+var_8C], 0
		cmp	[esp+0E0h+var_CC], 0
		mov	[esp+0E0h+var_A0], 18h
		mov	[esp+0E0h+var_94], 240h
		mov	[esp+0E0h+var_98], eax
		jz	short loc_AF0BB1
		push	[esp+0E0h+var_CC]
		call	_ZwClose@4	; ZwClose(x)
		and	[esp+0E0h+var_CC], 0

loc_AF0BB1:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+139j
		push	20h
		push	3
		lea	eax, [esp+0E8h+var_A8]
		push	eax
		lea	eax, [esp+0ECh+var_A0]
		push	eax
		push	0C0100000h
		lea	eax, [esp+0F4h+var_CC]
		push	eax
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AF0CCC
		mov	ecx, [esp+0E0h+var_CC]
		call	_VhdiQueryVolumeVhdFilePath@4 ;	VhdiQueryVolumeVhdFilePath(x)
		test	eax, eax
		jz	short loc_AF0BF1
		mov	ecx, eax
		call	ExFreeHeapPool
		jmp	loc_AF0CCC
; 

loc_AF0BF1:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+17Bj
		test	edi, edi
		jz	short loc_AF0BFC
		mov	ecx, edi
		call	ExFreeHeapPool

loc_AF0BFC:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+18Bj
		mov	ebx, 1000h

loc_AF0C01:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+1F9j
		mov	eax, large fs:20h
		xor	esi, esi
		push	esi
		mov	edx, ebx
		mov	ecx, 200h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	42646856h
		call	ExpAllocatePoolWithTagFromNode
		mov	edi, eax
		test	edi, edi
		jz	short loc_AF0C63
		push	ebx
		push	edi
		push	esi
		push	esi
		push	70050h
		lea	eax, [esp+0F4h+var_A8]
		push	eax
		push	esi
		push	esi
		push	esi
		push	[esp+104h+var_CC]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		cmp	esi, 0C0000023h
		jnz	short loc_AF0C68
		mov	ecx, edi
		call	ExFreeHeapPool
		add	ebx, ebx
		jmp	short loc_AF0C01
; 

loc_AF0C63:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+1CAj
		mov	esi, 0C0000017h

loc_AF0C68:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+1EEj
		test	esi, esi
		js	short loc_AF0CCC
		mov	ebx, [esp+0E0h+var_BC]
		mov	eax, [ebx]
		cmp	[edi], eax
		jnz	short loc_AF0CC4
		sub	eax, 0
		jz	short loc_AF0C94
		sub	eax, 1
		jnz	short loc_AF0CC4
		push	10h		; Length
		push	[esp+0E4h+Source2] ; Source2
		lea	eax, [edi+8]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 10h
		jmp	short loc_AF0CA6
; 

loc_AF0C94:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+211j
		push	4		; Length
		push	[esp+0E4h+Source2] ; Source2
		lea	eax, [edi+8]
		push	eax		; Source1
		call	_RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
		cmp	eax, 4

loc_AF0CA6:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+22Aj
		jnz	short loc_AF0CC4
		lea	eax, [esp+0E0h+var_C0]
		mov	edx, ebx
		push	eax
		mov	ecx, edi
		call	_VhdiGetPartitionNumber@12 ; VhdiGetPartitionNumber(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AF0CC4
		mov	al, 1
		mov	[esp+0E0h+var_CD], al
		jmp	short loc_AF0CC8
; 

loc_AF0CC4:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+20Cj
					; VhdiInitializeBootDisk(x,x,x)+216j ...
		mov	al, [esp+0E0h+var_CD]

loc_AF0CC8:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+25Aj
		test	al, al
		jnz	short loc_AF0CE1

loc_AF0CCC:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+EEj
					; VhdiInitializeBootDisk(x,x,x)+107j ...
		mov	eax, [esp+0E0h+var_C8]
		inc	eax
		mov	[esp+0E0h+var_C8], eax
		cmp	eax, [esp+0E0h+var_B8]
		jb	loc_AF0B3A
		jmp	short loc_AF0CF8
; 

loc_AF0CE1:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+262j
		push	[esp+0E0h+var_B4]
		mov	edx, [esp+0E4h+var_C8]
		push	[esp+0E4h+var_C0]
		mov	ecx, [esp+0E8h+var_CC]
		call	_VhdiGetVolumeNumber@16	; VhdiGetVolumeNumber(x,x,x,x)
		mov	esi, eax

loc_AF0CF8:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+277j
		cmp	[esp+0E0h+var_CD], 0
		jnz	short loc_AF0D04

loc_AF0CFF:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+CCj
		mov	esi, 0C000000Eh

loc_AF0D04:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+295j
		test	edi, edi
		jz	short loc_AF0D0F
		mov	ecx, edi
		call	ExFreeHeapPool

loc_AF0D0F:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+29Ej
		cmp	[esp+0E0h+var_CC], 0
		jz	short loc_AF0D1F
		push	[esp+0E0h+var_CC]
		call	_ZwClose@4	; ZwClose(x)

loc_AF0D1F:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+2ACj
		mov	eax, esi
		jmp	short loc_AF0D28
; 

loc_AF0D23:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+49j
					; VhdiInitializeBootDisk(x,x,x)+51j ...
		mov	eax, 0C000000Dh

loc_AF0D28:				; CODE XREF: VhdiInitializeBootDisk(x,x,x)+A8j
					; VhdiInitializeBootDisk(x,x,x)+2B9j
		mov	ecx, [esp+0E0h+var_4]
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn	0Ch
_VhdiInitializeBootDisk@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VhdiMountVhdFile(x)
_VhdiMountVhdFile@4 proc near		; CODE XREF: VhdInitialize+F70Bp

var_170		= dword	ptr -170h
var_16C		= dword	ptr -16Ch
var_168		= dword	ptr -168h
var_164		= dword	ptr -164h
var_160		= dword	ptr -160h
var_15C		= dword	ptr -15Ch
var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_144		= dword	ptr -144h
var_13C		= dword	ptr -13Ch
var_138		= dword	ptr -138h
var_134		= dword	ptr -134h
var_130		= dword	ptr -130h
var_12C		= dword	ptr -12Ch
var_128		= dword	ptr -128h
var_124		= dword	ptr -124h
var_120		= dword	ptr -120h
var_11C		= dword	ptr -11Ch
var_118		= dword	ptr -118h
var_114		= dword	ptr -114h
var_104		= dword	ptr -104h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E0		= dword	ptr -0E0h
var_BC		= dword	ptr -0BCh
var_A8		= dword	ptr -0A8h
var_84		= dword	ptr -84h
var_80		= word ptr -80h
var_7E		= word ptr -7Eh
var_7C		= dword	ptr -7Ch
var_78		= dword	ptr -78h
var_74		= dword	ptr -74h
var_20		= dword	ptr -20h
var_18		= dword	ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 15Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+15Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+168h+var_128]
		stosd
		xor	esi, esi
		push	6
		mov	ebx, ecx
		mov	[esp+16Ch+var_13C], esi
		pop	ecx
		stosd
		push	38h		; size_t
		push	esi		; int
		mov	[esp+170h+var_15C], ebx
		stosd
		mov	[esp+170h+var_138], esi
		mov	[esp+170h+var_134], esi
		mov	[esp+170h+var_154], esi
		stosd
		xor	eax, eax
		lea	edi, [esp+170h+var_118]
		mov	[esp+170h+var_130], esi
		rep stosd
		lea	eax, [esp+170h+var_A8]
		mov	[esp+170h+var_12C], esi
		push	eax		; void *
		mov	[esp+174h+var_14C], esi
		mov	[esp+174h+var_148], esi
		call	_memset
		add	esp, 0Ch
		mov	[esp+168h+var_150], esi
		mov	[esp+168h+var_144], esi
		test	ebx, ebx
		jnz	short loc_AF0DD0
		mov	esi, 0C000000Dh

loc_AF0DBF:				; CODE XREF: VhdiMountVhdFile(x)+B8j
					; VhdiMountVhdFile(x)+CAj ...
		xor	eax, eax
		push	eax
		push	eax
		push	esi
		push	5
		push	12Fh
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)

loc_AF0DD0:				; CODE XREF: VhdiMountVhdFile(x)+79j
		push	54h
		pop	eax
		push	eax		; size_t
		lea	eax, [esp+180h+var_114]
		push	esi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		lea	eax, [esp+17Ch+var_164]
		push	eax
		push	esi
		push	esi
		push	offset _GUID_DEVINTERFACE_SURFACE_VIRTUAL_DRIVE
		call	IoGetDeviceInterfaces
		mov	esi, eax
		test	esi, esi
		js	short loc_AF0DBF
		mov	eax, [esp+17Ch+var_164]
		xor	edi, edi
		cmp	[eax], di
		jnz	short loc_AF0E0B
		mov	esi, 0C0000225h
		jmp	short loc_AF0DBF
; 

loc_AF0E0B:				; CODE XREF: VhdiMountVhdFile(x)+C3j
		push	eax
		lea	eax, [esp+180h+var_14C]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [esp+17Ch+var_168]
		push	eax
		lea	eax, [esp+180h+var_158]
		push	eax
		push	10000000h
		lea	eax, [esp+188h+var_14C]
		push	eax
		call	IoGetDeviceObjectPointer
		mov	esi, eax
		test	esi, esi
		js	short loc_AF0DBF
		mov	ecx, ebx
		lea	edx, [ecx+2]

loc_AF0E3A:				; CODE XREF: VhdiMountVhdFile(x)+104j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, di
		jnz	short loc_AF0E3A
		sub	ecx, edx
		sar	ecx, 1
		push	42646856h
		lea	eax, ds:2[ecx*2]
		mov	[esp+180h+var_16C], eax
		add	eax, 20h
		push	eax
		push	200h
		mov	[esp+188h+var_154], eax
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_AF0E7B

loc_AF0E71:				; CODE XREF: VhdiMountVhdFile(x)+18Ej
		mov	esi, 0C0000017h
		jmp	loc_AF0DBF
; 

loc_AF0E7B:				; CODE XREF: VhdiMountVhdFile(x)+130j
		mov	[ebx+4], edi
		lea	eax, [ebx+20h]
		mov	esi, (offset loc_42742F+1)
		mov	dword ptr [ebx], 1
		lea	edi, [ebx+8]
		mov	dword ptr [ebx+18h], 20h
		movsd
		movsd
		movsd
		movsd
		mov	esi, [esp+17Ch+var_16C]
		push	esi		; size_t
		push	[esp+180h+var_170] ; void *
		mov	[ebx+1Ch], esi
		push	eax		; void *
		call	_memcpy
		add	esp, 0Ch
		add	esi, 21Ch
		push	42646856h
		push	esi
		push	200h
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+17Ch+var_16C], edi
		test	edi, edi
		jz	short loc_AF0E71
		xor	eax, eax
		push	eax
		push	1
		lea	eax, [esp+184h+var_13C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [esp+17Ch+var_160]
		push	eax
		lea	eax, [esp+180h+var_13C]
		push	eax
		xor	eax, eax
		push	eax
		push	esi
		push	edi
		push	[esp+190h+var_154]
		push	ebx
		push	[esp+198h+var_168]
		push	2D592Ch
		call	_IoBuildDeviceIoControlRequest@36 ; IoBuildDeviceIoControlRequest(x,x,x,x,x,x,x,x,x)
		test	eax, eax
		jnz	short loc_AF0F0E

loc_AF0F04:				; CODE XREF: VhdiMountVhdFile(x)+3B4j
		mov	esi, 0C000009Ah
		jmp	loc_AF0DBF
; 

loc_AF0F0E:				; CODE XREF: VhdiMountVhdFile(x)+1C3j
		mov	ecx, [esp+17Ch+var_168]
		mov	edx, eax
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_AF0F37
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+18Ch+var_13C]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+17Ch+var_160]

loc_AF0F37:				; CODE XREF: VhdiMountVhdFile(x)+1E2j
		test	esi, esi
		js	loc_AF0DBF
		mov	esi, [edi+14h]
		add	esi, edi
		push	5Ch
		pop	eax
		cmp	[esi], ax
		jnz	short loc_AF0F6A
		cmp	[esi+2], ax
		jnz	short loc_AF0F6A
		cmp	word ptr [esi+4], 2Eh
		jnz	short loc_AF0F6A
		cmp	[esi+6], ax
		jnz	short loc_AF0F6A
		push	3Fh
		pop	eax
		mov	[esi+2], ax
		mov	[esi+4], ax

loc_AF0F6A:				; CODE XREF: VhdiMountVhdFile(x)+20Bj
					; VhdiMountVhdFile(x)+211j ...
		mov	edx, [esp+17Ch+var_170]
		mov	ecx, edx
		lea	edi, [ecx+2]

loc_AF0F73:				; CODE XREF: VhdiMountVhdFile(x)+23Fj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, word ptr [esp+17Ch+var_150]
		jnz	short loc_AF0F73
		sub	ecx, edi
		sar	ecx, 1
		push	edx
		lea	eax, [ecx+101h]
		push	eax
		push	esi
		call	_wcscat_s
		add	esp, 0Ch
		lea	eax, [esp+17Ch+var_144]
		push	esi
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	54h
		mov	esi, offset _GUID_DEVINTERFACE_SURFACE_VIRTUAL_DRIVE
		mov	[esp+180h+var_80], 780h
		lea	edi, [esp+180h+var_114]
		mov	[esp+180h+var_7C], 54524956h
		xor	edx, edx
		mov	[esp+180h+var_78], offset loc_4B5344
		lea	eax, [esp+180h+var_144]
		mov	[esp+180h+var_20], edx
		movsd
		mov	[esp+180h+var_124], eax
		pop	eax
		push	5
		movsd
		pop	ecx
		push	15h
		mov	[esp+180h+var_7E], ax
		movsd
		mov	[esp+180h+var_84], edx
		mov	[esp+180h+var_12C], 18h
		mov	[esp+180h+var_128], edx
		movsd
		mov	esi, [esp+180h+var_16C]
		lea	edi, [esp+180h+var_104]
		mov	[esp+180h+var_F0], eax
		lea	eax, [esp+180h+var_84]
		mov	[esp+180h+var_120], 200h
		mov	[esp+180h+var_11C], edx
		mov	[esp+180h+var_118], edx
		mov	[esp+180h+var_EC], 4
		mov	[esp+180h+var_E0], 2
		rep movsd
		pop	ecx
		push	67h
		push	eax
		push	edx
		push	2
		lea	esi, [esp+18Ch+var_114]
		lea	edi, [esp+18Ch+var_74]
		rep movsd
		xor	edi, edi
		lea	eax, [esp+18Ch+var_160]
		inc	edi
		push	edi
		push	80h
		push	edx
		push	eax
		lea	eax, [esp+19Ch+var_12C]
		push	eax
		push	80000000h
		push	offset dword_7013E4
		call	_ZwCreateFile@44 ; ZwCreateFile(x,x,x,x,x,x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AF0DBF
		xor	ecx, ecx
		lea	eax, [esp+17Ch+var_170]
		push	ecx
		push	eax
		push	ecx
		push	ecx
		push	0C0100000h
		push	dword_7013E4
		mov	[esp+194h+var_170], ecx
		call	_ObReferenceObjectByHandle@24 ;	ObReferenceObjectByHandle(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AF0DBF
		push	[esp+17Ch+var_170]
		call	IoGetRelatedDeviceObject
		mov	esi, eax
		mov	[esp+17Ch+var_BC], edi
		xor	eax, eax
		push	eax
		push	edi
		lea	eax, [esp+184h+var_13C]
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	dword ptr [ebp+4] ; int
		lea	eax, [esp+180h+var_160]
		push	eax		; int
		lea	eax, [esp+184h+var_13C]
		push	eax		; int
		xor	eax, eax
		push	eax		; int
		push	eax		; int
		push	eax		; int
		push	38h		; size_t
		lea	eax, [esp+198h+var_BC]
		push	eax		; void *
		push	esi		; int
		push	2D191Ch		; int
		call	IopBuildDeviceIoControlRequest
		mov	edx, eax
		test	edx, edx
		jz	loc_AF0F04
		mov	eax, [edx+60h]
		mov	ecx, esi
		mov	edi, [esp+17Ch+var_170]
		mov	[eax-0Ch], edi
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_AF1128
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+18Ch+var_13C]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+17Ch+var_160]

loc_AF1128:				; CODE XREF: VhdiMountVhdFile(x)+3D3j
		test	esi, esi
		js	loc_AF0DBF
		mov	ecx, ebx
		call	ExFreeHeapPool
		mov	ecx, [esp+17Ch+var_16C]
		call	ExFreeHeapPool
		test	edi, edi
		jz	short loc_AF114B
		mov	ecx, edi
		call	ObfDereferenceObject

loc_AF114B:				; CODE XREF: VhdiMountVhdFile(x)+403j
		mov	ecx, [esp+17Ch+var_158]
		test	ecx, ecx
		jz	short loc_AF1158
		call	ObfDereferenceObject

loc_AF1158:				; CODE XREF: VhdiMountVhdFile(x)+412j
		mov	ecx, [esp+17Ch+var_164]
		call	ExFreeHeapPool
		mov	ecx, [esp+17Ch+var_18]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_VhdiMountVhdFile@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall VhdiQueryVolumeVhdFilePath(x)
_VhdiQueryVolumeVhdFilePath@4 proc near	; CODE XREF: VhdiInitializeBootDisk(x,x,x)+174p

var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 0Ch
		and	[esp+0Ch+var_8], 0
		and	[esp+0Ch+var_4], 0
		push	ebx
		mov	ebx, ecx
		push	esi
		push	edi
		test	ebx, ebx
		jnz	short loc_AF119A
		xor	eax, eax
		jmp	short loc_AF1214
; 

loc_AF119A:				; CODE XREF: VhdiQueryVolumeVhdFilePath(x)+1Cj
		mov	edi, 208h

loc_AF119F:				; CODE XREF: VhdiQueryVolumeVhdFilePath(x)+82j
		mov	eax, large fs:20h
		mov	edx, edi
		push	0
		mov	ecx, 200h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	42646856h
		call	ExpAllocatePoolWithTagFromNode
		mov	esi, eax
		test	esi, esi
		jz	short loc_AF11FC
		push	edi
		push	esi
		xor	ecx, ecx
		lea	eax, [esp+20h+var_8]
		push	ecx
		push	ecx
		push	2D5928h
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	ebx
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		cmp	eax, 0C0000023h
		jnz	short loc_AF1201
		mov	ecx, esi
		call	ExFreeHeapPool
		add	edi, edi
		jmp	short loc_AF119F
; 

loc_AF11FC:				; CODE XREF: VhdiQueryVolumeVhdFilePath(x)+57j
		mov	eax, 0C0000017h

loc_AF1201:				; CODE XREF: VhdiQueryVolumeVhdFilePath(x)+77j
		test	eax, eax
		jns	short loc_AF1212
		test	esi, esi
		jz	short loc_AF1212
		mov	ecx, esi
		call	ExFreeHeapPool
		xor	esi, esi

loc_AF1212:				; CODE XREF: VhdiQueryVolumeVhdFilePath(x)+8Bj
					; VhdiQueryVolumeVhdFilePath(x)+8Fj
		mov	eax, esi

loc_AF1214:				; CODE XREF: VhdiQueryVolumeVhdFilePath(x)+20j
		pop	edi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_VhdiQueryVolumeVhdFilePath@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall RamdiskStart(x)
_RamdiskStart@4	proc near		; CODE XREF: IopInitializeBootDrivers+2D14Dp

var_158		= dword	ptr -158h
var_154		= dword	ptr -154h
var_150		= dword	ptr -150h
var_14C		= dword	ptr -14Ch
var_148		= dword	ptr -148h
var_124		= dword	ptr -124h
var_110		= dword	ptr -110h
var_10C		= dword	ptr -10Ch
var_108		= dword	ptr -108h
var_104		= dword	ptr -104h
var_100		= dword	ptr -100h
var_FC		= dword	ptr -0FCh
var_F8		= dword	ptr -0F8h
var_F4		= dword	ptr -0F4h
var_F0		= dword	ptr -0F0h
var_EC		= dword	ptr -0ECh
var_E8		= dword	ptr -0E8h
var_E4		= dword	ptr -0E4h
var_E0		= dword	ptr -0E0h
var_DC		= byte ptr -0DCh
var_D8		= dword	ptr -0D8h
var_D4		= dword	ptr -0D4h
var_D0		= dword	ptr -0D0h
var_CC		= dword	ptr -0CCh
var_C8		= dword	ptr -0C8h
var_C4		= dword	ptr -0C4h
var_C0		= dword	ptr -0C0h
var_BC		= dword	ptr -0BCh
var_AC		= dword	ptr -0ACh
var_A8		= dword	ptr -0A8h
var_A4		= dword	ptr -0A4h
var_A0		= dword	ptr -0A0h
var_9C		= dword	ptr -9Ch
var_98		= dword	ptr -98h
var_94		= dword	ptr -94h
var_90		= word ptr -90h
var_8E		= dword	ptr -8Eh
var_8A		= word ptr -8Ah
var_88		= word ptr -88h
var_18		= byte ptr -18h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 114h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		push	38h		; size_t
		push	eax		; int
		mov	dword ptr [ebp+var_DC],	eax
		mov	esi, ecx
		mov	[ebp+var_D8], eax
		mov	[ebp+var_F0], eax
		mov	[ebp+var_EC], eax
		mov	[ebp+var_E4], eax
		mov	[ebp+var_E0], eax
		mov	[ebp+var_F8], eax
		mov	[ebp+var_F4], eax
		mov	[ebp+var_CC], eax
		mov	[ebp+var_C8], eax
		lea	eax, [ebp+var_C0]
		push	eax		; void *
		mov	[ebp+var_E8], esi
		call	_memset
		add	esp, 0Ch
		lea	edi, [ebp+var_110]
		xor	eax, eax
		mov	[ebp+var_D4], eax
		mov	[ebp+var_D0], eax
		push	6
		pop	ebx
		mov	ecx, ebx
		mov	[ebp+var_C4], eax
		rep stosd
		lea	ecx, [esi+18h]
		mov	eax, [ecx]
		cmp	eax, ecx
		jz	loc_AF15A6

loc_AF12B9:				; CODE XREF: RamdiskStart(x)+AAj
		cmp	dword ptr [eax+8], 19h
		mov	edx, eax
		jz	short loc_AF12C7
		mov	eax, [eax]
		cmp	eax, ecx
		jnz	short loc_AF12B9

loc_AF12C7:				; CODE XREF: RamdiskStart(x)+A4j
		cmp	eax, ecx
		jz	loc_AF15A6
		xor	eax, eax
		mov	[ebp+var_C0], 38h
		mov	[ebp+var_8A], ax
		lea	edi, [ebp+var_BC]
		xor	ecx, ecx
		mov	[ebp+var_AC], 3
		mov	[ebp+var_A8], ecx
		mov	esi, offset _RamdiskBootDiskGuid
		mov	[ebp+var_A4], ecx
		mov	[ebp+var_8E], ecx
		mov	eax, [edx+0Ch]
		mov	[ebp+var_94], eax
		xor	eax, eax
		mov	[ebp+var_90], ax
		and	eax, 0FFFFFFE2h
		or	eax, 2
		mov	[ebp+var_A8], eax
		movsd
		movsd
		movsd
		movsd
		mov	edi, [ebp+var_E8]
		mov	[ebp+var_98], ecx
		mov	eax, [edx+10h]
		shl	eax, 0Ch
		mov	esi, [edi+78h]
		mov	[ebp+var_A0], eax
		mov	[ebp+var_9C], ecx
		test	esi, esi
		jz	loc_AF13D9
		push	esi		; char *
		call	__strupr
		mov	[esp+124h+var_124], (offset loc_AE0C8A+6)
		push	esi		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AF1390
		push	offset ??_C@_01NEMOKFLO@?$DN@PBOPGDP@ ;	char *
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AF1390
		inc	eax
		push	eax		; char *
		call	_atol
		pop	ecx
		mov	[ebp+var_98], eax
		jmp	short loc_AF1396
; 

loc_AF1390:				; CODE XREF: RamdiskStart(x)+152j
					; RamdiskStart(x)+163j
		mov	eax, [ebp+var_98]

loc_AF1396:				; CODE XREF: RamdiskStart(x)+173j
		sub	[ebp+var_A0], eax
		push	(offset	loc_AE0CED+1) ;	char *
		sbb	[ebp+var_9C], 0
		push	esi		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AF13D9
		push	offset ??_C@_01NEMOKFLO@?$DN@PBOPGDP@ ;	char *
		push	eax		; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jz	short loc_AF13D9
		inc	eax
		push	eax		; char *
		call	__atoi64
		pop	ecx
		mov	[ebp+var_A0], eax
		mov	[ebp+var_9C], edx

loc_AF13D9:				; CODE XREF: RamdiskStart(x)+135j
					; RamdiskStart(x)+197j	...
		push	20h
		pop	ecx
		push	1Eh
		pop	eax
		mov	word ptr [ebp+var_CC], ax
		xor	edx, edx
		push	ecx
		lea	eax, [ebp+var_CC]
		mov	word ptr [ebp+var_CC+2], cx
		mov	[ebp+var_108], eax
		lea	eax, [ebp+var_D4]
		push	3
		push	eax
		lea	eax, [ebp+var_110]
		mov	[ebp+var_C8], offset ??_C@_1CA@JFAJFNPB@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAR?$AAa?$AAm?$AAd?$AAi?$AAs?$AAk@PBOPGDP@
		push	eax
		push	0C0000000h
		lea	eax, [ebp+var_C4]
		mov	[ebp+var_110], 18h
		push	eax
		mov	[ebp+var_10C], edx
		mov	[ebp+var_104], 240h
		mov	[ebp+var_100], edx
		mov	[ebp+var_FC], edx
		call	_ZwOpenFile@24	; ZwOpenFile(x,x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AF15A1
		mov	esi, [ebp+var_D4]
		test	esi, esi
		js	loc_AF15A1
		xor	ecx, ecx
		lea	eax, [ebp+var_C0]
		push	ecx
		push	ecx
		push	38h
		push	eax
		push	240000h
		lea	eax, [ebp+var_D4]
		push	eax
		push	ecx
		push	ecx
		push	ecx
		push	[ebp+var_C4]
		call	_ZwDeviceIoControlFile@40 ; ZwDeviceIoControlFile(x,x,x,x,x,x,x,x,x,x)
		push	[ebp+var_C4]
		mov	esi, eax
		call	_ZwClose@4	; ZwClose(x)
		test	esi, esi
		js	loc_AF159D
		mov	esi, [ebp+var_D4]
		test	esi, esi
		js	loc_AF159D
		push	offset ??_C@_06IKDJBIPJ@vdisk?$CI@PBOPGDP@ ; char *
		push	dword ptr [edi+68h] ; char *
		call	_strstr
		pop	ecx
		pop	ecx
		test	eax, eax
		jnz	loc_AF158C
		lea	eax, [ebp+var_DC]
		push	eax
		lea	eax, [ebp+var_BC]
		push	eax
		call	_RtlStringFromGUID@8 ; RtlStringFromGUID(x,x)
		mov	esi, eax
		test	esi, esi
		jns	short loc_AF14E6
		push	4
		jmp	loc_AF15A3
; 

loc_AF14E6:				; CODE XREF: RamdiskStart(x)+2C2j
		push	dword ptr [edi+68h] ; char
		lea	eax, [ebp+var_18]
		push	offset ??_C@_0M@HCOOGNOF@?2ArcName?2?$CFs@PBOPGDP@ ; char *
		push	14h		; int
		push	eax		; char *
		call	RtlStringCbPrintfA
		add	esp, 10h
		lea	eax, [ebp+var_18]
		push	eax
		lea	eax, [ebp+var_F0]
		push	eax
		call	_RtlInitAnsiString@8 ; RtlInitAnsiString(x,x)
		push	1
		lea	eax, [ebp+var_F0]
		push	eax
		lea	eax, [ebp+var_E4]
		push	eax
		call	RtlAnsiStringToUnicodeString
		mov	esi, eax
		test	esi, esi
		jns	short loc_AF152B
		push	5
		jmp	short loc_AF15A3
; 

loc_AF152B:				; CODE XREF: RamdiskStart(x)+30Aj
		lea	eax, [ebp+var_DC]
		push	eax		; char
		push	(offset	loc_AE0CA1+7) ;	wchar_t	*
		lea	eax, [ebp+var_88]
		push	6Ch		; int
		push	eax		; wchar_t *
		call	_RtlStringCbPrintfW
		add	esp, 10h
		lea	eax, [ebp+var_88]
		push	eax
		lea	eax, [ebp+var_F8]
		push	eax
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_F8]
		push	eax
		lea	eax, [ebp+var_E4]
		push	eax
		call	_IoCreateSymbolicLink@8	; IoCreateSymbolicLink(x,x)
		mov	esi, eax
		lea	eax, [ebp+var_DC]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		lea	eax, [ebp+var_E4]
		push	eax
		call	_RtlFreeUTF8String@4 ; RtlFreeUTF8String(x)
		test	esi, esi
		js	short loc_AF15AE

loc_AF158C:				; CODE XREF: RamdiskStart(x)+2A5j
		mov	ecx, [ebp+var_4]
		xor	eax, eax
		pop	edi
		pop	esi
		xor	ecx, ebp
		pop	ebx
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn
; 

loc_AF159D:				; CODE XREF: RamdiskStart(x)+280j
					; RamdiskStart(x)+28Ej
		push	3
		jmp	short loc_AF15A3
; 

loc_AF15A1:				; CODE XREF: RamdiskStart(x)+236j
					; RamdiskStart(x)+244j
		push	2

loc_AF15A3:				; CODE XREF: RamdiskStart(x)+2C6j
					; RamdiskStart(x)+30Ej	...
		pop	ebx
		jmp	short loc_AF15AE
; 

loc_AF15A6:				; CODE XREF: RamdiskStart(x)+98j
					; RamdiskStart(x)+AEj
		xor	ebx, ebx
		mov	esi, 0C000000Dh
		inc	ebx

loc_AF15AE:				; CODE XREF: RamdiskStart(x)+36Fj
					; RamdiskStart(x)+389j
		push	0
		push	0
		push	esi
		push	ebx
		push	0F8h
		call	_KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)
		int	3		; Trap to Debugger

; __stdcall SbpAddTransportToInstance()
_SbpAddTransportToInstance@0:		; CODE XREF: IopInitializeBootDrivers+2D187p
		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 24h
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+168h+var_148]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [esp+168h+var_158]
		push	eax
		lea	eax, [esp+16Ch+var_154]
		xor	edi, edi
		push	eax
		push	10000000h
		push	(offset	loc_A42F47+1)
		mov	[esp+178h+var_154], edi
		mov	ebx, edi
		mov	[esp+178h+var_150], edi
		mov	[esp+178h+var_14C], edi
		mov	[esp+178h+var_158], edi
		call	IoGetDeviceObjectPointer
		mov	esi, eax
		test	esi, esi
		js	loc_AF16F1
		mov	eax, large fs:20h
		mov	edx, 0D0h
		push	edi
		mov	ecx, 200h
		mov	eax, [eax+338h]
		movzx	eax, word ptr [eax+8Ah]
		or	eax, 80000000h
		push	eax
		push	42626D53h
		call	ExpAllocatePoolWithTagFromNode
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_AF164C

loc_AF1642:				; CODE XREF: RamdiskStart(x)+4A1j
		mov	esi, 0C000009Ah
		jmp	loc_AF16F1
; 

loc_AF164C:				; CODE XREF: RamdiskStart(x)+425j
		push	0C4h		; size_t
		lea	eax, [ebx+0Ch]
		push	edi		; int
		push	eax		; void *
		call	_memset
		add	esp, 0Ch
		mov	dword ptr [ebx+4], 2
		mov	dword ptr [ebx+8], 0C0h
		lea	edi, [ebx+0Ch]
		mov	esi, offset ??_C@_1MC@GGJHCNHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAV?$AAM?$AAB?$AAu?$AAs?$AA?2?$AA?$HL@LBKOJDO@ ; "\\Device\\VMBus\\{4d12e519-17a0-4ae4-8eaa-"...
		push	10h
		pop	eax
		push	30h
		mov	[ebx], ax
		xor	eax, eax
		pop	ecx
		mov	[ebx+2], ax
		lea	eax, [esp+168h+var_148]
		rep movsd
		xor	edi, edi
		push	edi
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	dword ptr [ebp+4] ; int
		lea	eax, [esp+16Ch+var_150]
		push	eax		; int
		lea	eax, [esp+170h+var_148]
		push	eax		; int
		push	edi		; int
		push	edi		; int
		push	edi		; int
		push	0D0h		; size_t
		push	ebx		; void *
		push	[esp+188h+var_158] ; int
		push	1401B0h		; int
		call	IopBuildDeviceIoControlRequest
		mov	edx, eax
		test	edx, edx
		jz	short loc_AF1642
		mov	ecx, [edx+60h]
		mov	eax, [esp+168h+var_154]
		mov	[ecx-0Ch], eax
		mov	byte ptr [ecx-24h], 0Dh
		mov	ecx, [esp+168h+var_158]
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_AF16F1
		push	edi
		push	edi
		push	edi
		push	edi
		lea	eax, [esp+178h+var_148]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+168h+var_150]

loc_AF16F1:				; CODE XREF: RamdiskStart(x)+3EDj
					; RamdiskStart(x)+42Cj	...
		mov	ecx, [esp+168h+var_154]
		test	ecx, ecx
		jz	short loc_AF1703
		mov	edx, 746C6644h
		call	ObfDereferenceObjectWithTag

loc_AF1703:				; CODE XREF: RamdiskStart(x)+4DCj
		test	ebx, ebx
		jz	short loc_AF170E
		mov	ecx, ebx
		call	ExFreeHeapPool

loc_AF170E:				; CODE XREF: RamdiskStart(x)+4EAj
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		mov	esp, ebp
		pop	ebp
		retn
_RamdiskStart@4	endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SbpStartLanman()
_SbpStartLanman@0 proc near		; CODE XREF: IopInitializeBootDrivers:loc_AE0E6Fp

var_4C		= dword	ptr -4Ch
var_48		= dword	ptr -48h
var_44		= dword	ptr -44h
var_40		= dword	ptr -40h
var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_28		= dword	ptr -28h
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		and	esp, 0FFFFFFF8h
		sub	esp, 4Ch
		mov	eax, ___security_cookie
		xor	eax, esp
		mov	[esp+4Ch+var_4], eax
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [esp+58h+var_38]
		stosd
		xor	edx, edx
		push	9
		pop	ecx
		mov	[esp+58h+var_44], edx
		mov	ebx, edx
		stosd
		mov	[esp+58h+var_40], edx
		mov	[esp+58h+var_4C], edx
		mov	[esp+58h+var_48], edx
		stosd
		stosd
		xor	eax, eax
		lea	edi, [esp+58h+var_28]
		rep stosd
		lea	eax, [esp+58h+var_4C]
		mov	edi, edx
		push	eax
		lea	eax, [esp+5Ch+var_48]
		push	eax
		push	10000000h
		push	(offset	loc_A42F3B+5)
		call	IoGetDeviceObjectPointer
		mov	esi, eax
		test	esi, esi
		js	loc_AF19ED
		push	42626D53h
		push	8Ch
		mov	esi, 200h
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	ebx, eax
		test	ebx, ebx
		jnz	short loc_AF17A3

loc_AF1799:				; CODE XREF: SbpStartLanman()+172j
					; SbpStartLanman()+1D1j ...
		mov	esi, 0C000009Ah
		jmp	loc_AF19ED
; 

loc_AF17A3:				; CODE XREF: SbpStartLanman()+80j
		or	dword ptr [ebx+3Ch], 0FFFFFFFFh
		mov	eax, 1F4h
		push	5
		pop	edx
		push	2Dh
		pop	ecx
		push	0Ah
		mov	[ebx+18h], esi
		pop	esi
		mov	[ebx+28h], eax
		mov	[ebx+30h], eax
		xor	eax, eax
		inc	eax
		mov	[ebx+24h], esi
		mov	[ebx+2Ch], esi
		xor	esi, esi
		push	esi
		push	eax
		mov	[ebx+54h], eax
		mov	[ebx+58h], eax
		mov	[ebx+5Ch], eax
		mov	[ebx+60h], eax
		mov	[ebx+64h], eax
		mov	[ebx+68h], eax
		mov	[ebx+6Ch], eax
		mov	[ebx+70h], eax
		mov	[ebx+74h], eax
		mov	[ebx+78h], eax
		mov	[ebx+7Ch], eax
		mov	[ebx+80h], eax
		mov	[ebx+84h], eax
		lea	eax, [esp+60h+var_38]
		push	eax
		mov	dword ptr [ebx], 0E10h
		mov	dword ptr [ebx+8], 10h
		mov	dword ptr [ebx+4], 0FAh
		mov	dword ptr [ebx+0Ch], 258h
		mov	[ebx+10h], edx
		mov	[ebx+14h], ecx
		mov	dword ptr [ebx+1Ch], 11h
		mov	dword ptr [ebx+20h], 1800h
		mov	dword ptr [ebx+34h], 28h
		mov	[ebx+38h], ecx
		mov	dword ptr [ebx+40h], 3
		mov	dword ptr [ebx+44h], 14h
		mov	[ebx+48h], edx
		mov	dword ptr [ebx+4Ch], 3Ch
		mov	[ebx+50h], esi
		mov	[ebx+88h], esi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	dword ptr [ebp+4] ; int
		lea	eax, [esp+5Ch+var_44]
		push	eax		; int
		lea	eax, [esp+60h+var_38]
		push	eax		; int
		push	esi		; int
		push	8Ch		; int
		push	ebx		; int
		push	24h		; size_t
		lea	eax, [esp+74h+var_28]
		push	eax		; void *
		push	[esp+78h+var_4C] ; int
		push	80140191h	; int
		call	IopBuildDeviceIoControlRequest
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_AF1799
		mov	edx, [ecx+60h]
		mov	eax, [esp+58h+var_48]
		mov	[edx-0Ch], eax
		mov	byte ptr [edx-24h], 0Dh
		mov	edx, ecx
		mov	ecx, [esp+58h+var_4C]
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_AF18C6
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+68h+var_38]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+58h+var_44]

loc_AF18C6:				; CODE XREF: SbpStartLanman()+199j
		test	esi, esi
		js	loc_AF19ED
		push	42626D53h
		push	76h
		mov	esi, 200h
		push	esi
		call	_ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
		mov	edi, eax
		mov	[esp+58h+var_3C], edi
		test	edi, edi
		jz	loc_AF1799
		push	76h		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		add	esp, 0Ch
		or	byte ptr [edi+41h], 1
		or	dword ptr [edi+44h], 0FFFFFFFFh
		mov	[edi+34h], esi
		mov	esi, offset ??_C@_1BM@DJIALBME@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?2?$AAv?$AAm?$AAs?$AAm?$AAb@LBKOJDO@
		mov	byte ptr [edi+54h], 1
		push	5Eh
		pop	eax
		push	1Eh
		pop	ecx
		push	1Ah
		mov	[edi+0Ch], ax
		pop	eax
		push	14h
		mov	[edi+56h], ax
		pop	eax
		push	6
		mov	[edi+4Ch], ecx
		mov	[edi+50h], ecx
		mov	[edi+18h], ecx
		mov	[edi+20h], eax
		mov	[edi+28h], eax
		lea	eax, [esp+5Ch+var_38]
		mov	byte ptr [edi+40h], 1Fh
		mov	dword ptr [edi+48h], 0Ah
		mov	dword ptr [edi+14h], 78h
		mov	dword ptr [edi+1Ch], 8000h
		mov	dword ptr [edi+24h], 5
		mov	dword ptr [edi+2Ch], 800h
		mov	dword ptr [edi+30h], 20h
		mov	dword ptr [edi+38h], 1000000h
		mov	dword ptr [edi+3Ch], 100000h
		add	edi, 58h
		pop	ecx
		rep movsd
		movsw
		xor	esi, esi
		push	esi
		push	1
		push	eax
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		push	dword ptr [ebp+4] ; int
		mov	edi, [esp+5Ch+var_3C]
		lea	eax, [esp+5Ch+var_44]
		push	eax		; int
		lea	eax, [esp+60h+var_38]
		push	eax		; int
		push	esi		; int
		push	esi		; int
		push	esi		; int
		push	76h		; size_t
		push	edi		; void *
		push	[esp+78h+var_4C] ; int
		push	1403A0h		; int
		call	IopBuildDeviceIoControlRequest
		mov	ecx, eax
		test	ecx, ecx
		jz	loc_AF1799
		mov	edx, [ecx+60h]
		mov	eax, [esp+58h+var_48]
		mov	[edx-0Ch], eax
		mov	byte ptr [edx-24h], 0Dh
		mov	edx, ecx
		mov	ecx, [esp+58h+var_4C]
		call	IofCallDriver
		mov	esi, eax
		cmp	esi, 103h
		jnz	short loc_AF19ED
		xor	eax, eax
		push	eax
		push	eax
		push	eax
		push	eax
		lea	eax, [esp+68h+var_38]
		push	eax
		call	KeWaitForSingleObject
		mov	esi, [esp+58h+var_44]

loc_AF19ED:				; CODE XREF: SbpStartLanman()+61j
					; SbpStartLanman()+87j	...
		mov	ecx, [esp+58h+var_48]
		test	ecx, ecx
		jz	short loc_AF19FA
		call	ObfDereferenceObject

loc_AF19FA:				; CODE XREF: SbpStartLanman()+2DCj
		test	ebx, ebx
		jz	short loc_AF1A05
		mov	ecx, ebx
		call	ExFreeHeapPool

loc_AF1A05:				; CODE XREF: SbpStartLanman()+2E5j
		test	edi, edi
		jz	short loc_AF1A10
		mov	ecx, edi
		call	ExFreeHeapPool

loc_AF1A10:				; CODE XREF: SbpStartLanman()+2F0j
		mov	ecx, [esp+58h+var_4]
		mov	eax, esi
		pop	edi
		pop	esi
		pop	ebx
		xor	ecx, esp
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		mov	esp, ebp
		pop	ebp
		retn
_SbpStartLanman@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall SbpWaitForVmbus()
_SbpWaitForVmbus@0 proc	near		; CODE XREF: IopInitializeBootDrivers+2D17Ep

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		push	esi
		push	edi
		xor	edi, edi
		mov	ebx, offset _SbiVmbusArrivalEvent
		push	edi
		push	1
		push	ebx
		mov	[ebp+var_4], edi
		call	_KeInitializeEvent@12 ;	KeInitializeEvent(x,x,x)
		lea	eax, [ebp+var_4]
		push	eax
		push	edi
		push	offset _SbpVmbusNotificationHandler@8 ;	SbpVmbusNotificationHandler(x,x)
		push	_PnpDriverObject
		push	offset _VSMB_INTERFACE_GUID
		push	1
		push	2
		call	IoRegisterPlugPlayNotification
		mov	esi, eax
		test	esi, esi
		js	short loc_AF1A88
		or	[ebp+var_C], 0FFFFFFFFh
		lea	eax, [ebp+var_10]
		push	eax
		push	edi
		push	edi
		push	edi
		push	ebx
		mov	[ebp+var_10], 0FA0A1F00h
		call	KeWaitForSingleObject
		push	[ebp+var_4]
		mov	esi, eax
		call	_IoUnregisterPlugPlayNotification@4 ; IoUnregisterPlugPlayNotification(x)

loc_AF1A88:				; CODE XREF: SbpWaitForVmbus()+40j
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_SbpWaitForVmbus@0 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TriageGetBugcheckData(x, x,	x, x, x, x)
_TriageGetBugcheckData@24 proc near	; CODE XREF: VfTriageSystem+1A306p
					; MmTriageActiveInLastCrash(x)+33p

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_TriagepVerifyDump@4 ; TriagepVerifyDump(x)
		test	al, al
		jnz	short loc_AF1AAA
		mov	eax, 0C000000Dh
		jmp	short loc_AF1AD1
; 

loc_AF1AAA:				; CODE XREF: TriageGetBugcheckData(x,x,x,x,x,x)+12j
		mov	eax, [esi+28h]
		mov	[edi], eax
		mov	eax, [ebp+arg_0]
		mov	ecx, [esi+2Ch]
		mov	[eax], ecx
		mov	eax, [ebp+arg_4]
		mov	ecx, [esi+30h]
		mov	[eax], ecx
		mov	eax, [ebp+arg_8]
		mov	ecx, [esi+34h]
		mov	[eax], ecx
		mov	eax, [ebp+arg_C]
		mov	ecx, [esi+38h]
		mov	[eax], ecx
		xor	eax, eax

loc_AF1AD1:				; CODE XREF: TriageGetBugcheckData(x,x,x,x,x,x)+19j
		pop	edi
		pop	esi
		pop	ebp
		retn	10h
_TriageGetBugcheckData@24 endp


;  S U B	R O U T	I N E 


; __stdcall TriageGetDriverCount(x, x)
_TriageGetDriverCount@8	proc near	; CODE XREF: VfTriageAddDrivers(x)+55p
					; ViTriageSameDriversFromDump(x,x)+1Bp
		mov	edi, edi
		push	esi
		push	edi
		mov	edi, edx
		mov	esi, ecx
		call	_TriagepVerifyDump@4 ; TriagepVerifyDump(x)
		test	al, al
		jz	short loc_AF1AFA
		mov	eax, _TriageImagePageSize
		add	eax, esi
		jz	short loc_AF1AFA
		mov	eax, [eax+34h]
		mov	[edi], eax
		xor	eax, eax
		jmp	short loc_AF1AFF
; 

loc_AF1AFA:				; CODE XREF: TriageGetDriverCount(x,x)+Fj
					; TriageGetDriverCount(x,x)+18j
		mov	eax, 0C000000Dh

loc_AF1AFF:				; CODE XREF: TriageGetDriverCount(x,x)+21j
		pop	edi
		pop	esi
		retn
_TriageGetDriverCount@8	endp


;  S U B	R O U T	I N E 


; __stdcall TriagepGetPageSize(x)
_TriagepGetPageSize@4 proc near		; CODE XREF: TriagepVerifyDump(x)+2Fp
		sub	ecx, 14Ch
		jz	short loc_AF1B26
		sub	ecx, 78h
		jz	short loc_AF1B26
		sub	ecx, 3Ch
		jz	short loc_AF1B20
		sub	ecx, 8464h
		jz	short loc_AF1B26
		or	eax, 0FFFFFFFFh
		retn
; 

loc_AF1B20:				; CODE XREF: TriagepGetPageSize(x)+10j
		mov	eax, 2000h
		retn
; 

loc_AF1B26:				; CODE XREF: TriagepGetPageSize(x)+6j
					; TriagepGetPageSize(x)+Bj ...
		mov	eax, 1000h
		retn
_TriagepGetPageSize@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall TriagepVerifyDump(x)
_TriagepVerifyDump@4 proc near		; CODE XREF: TriageGetLoaderEntry(x,x)+8p
					; TriageGetMmInformation(x)+5p	...

var_19		= byte ptr -19h
ms_exc		= CPPEH_RECORD ptr -18h

		push	0Ch
		push	offset dword_6AAE78
		call	__SEH_prolog4
		mov	esi, ecx
		test	esi, esi
		jnz	short loc_AF1B42
		xor	al, al
		jmp	short loc_AF1B9C
; 

loc_AF1B42:				; CODE XREF: TriagepVerifyDump(x)+10j
		xor	edx, edx
		mov	[ebp+ms_exc.disabled], edx
		cmp	dword ptr [esi+4], 504D5544h
		jnz	short loc_AF1B90
		cmp	dword ptr [esi], 45474150h
		jnz	short loc_AF1B90
		mov	ecx, [esi+20h]
		call	_TriagepGetPageSize@4 ;	TriagepGetPageSize(x)
		cmp	eax, 0FFFFFFFFh
		jz	short loc_AF1B90
		mov	_TriageImagePageSize, eax
		cmp	dword ptr [esi+0F88h], 4
		jnz	short loc_AF1B90
		mov	eax, [esi+1004h]
		cmp	dword ptr [eax+esi-4], 44475254h
		jnz	short loc_AF1B90
		mov	dl, 1
		jmp	short loc_AF1B90
; 

loc_AF1B87:				; DATA XREF: .text:006AAE8Co
		xor	eax, eax
		inc	eax
		retn
; 

loc_AF1B8B:				; DATA XREF: .text:006AAE90o
		mov	esp, [ebp+ms_exc.old_esp]
		xor	dl, dl

loc_AF1B90:				; CODE XREF: TriagepVerifyDump(x)+22j
					; TriagepVerifyDump(x)+2Aj ...
		mov	[ebp+var_19], dl
		mov	[ebp+ms_exc.disabled], 0FFFFFFFEh
		mov	al, dl

loc_AF1B9C:				; CODE XREF: TriagepVerifyDump(x)+14j
		mov	ecx, [ebp+ms_exc.prev_er]
		mov	large fs:0, ecx
		pop	ecx
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
_TriagepVerifyDump@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgkInitialize	proc near		; CODE XREF: InbvDriverInitialize(x,x,x)+1Ep

var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AF2D2A SIZE 0000000F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ecx
		and	[ebp+var_4], 0
		push	esi
		push	edi
		mov	edi, ecx
		mov	esi, edx
		test	edi, edi
		jz	loc_AF1C5C
		cmp	esi, 1
		jz	loc_AF1C53
		test	esi, esi
		jnz	short loc_AF1BE2
		call	BgkDestroy
		and	dword_6FC680, esi
		call	BgkpLockBgfxCodeSection

loc_AF1BE2:				; CODE XREF: BgkInitialize+24j
		mov	ecx, [edi+84h]
		mov	edx, esi
		mov	ecx, [ecx+0DCh]
		call	_BgLibraryInitialize@8 ; BgLibraryInitialize(x,x)
		test	eax, eax
		js	short loc_AF1C4F
		test	esi, esi
		jnz	short loc_AF1C3A
		call	_BgConsoleGetInterface@4 ; BgConsoleGetInterface(x)
		mov	dword_6D4C74, eax
		test	eax, eax
		jz	short loc_AF1C1F
		push	esi
		push	dword_6FDF5C
		push	0FFC6C6C6h
		push	ds:_InitConsoleFlags
		call	dword ptr [eax]

loc_AF1C1F:				; CODE XREF: BgkInitialize+5Dj
		lea	eax, [ebp+var_4]
		push	eax
		push	offset dword_6FD1C0
		push	4
		push	9
		call	off_6B2BC4	; xHalQuerySystemInformation(x,x,x,x)
		test	eax, eax
		js	loc_AF2D2A

loc_AF1C3A:				; CODE XREF: BgkInitialize+4Fj
					; BgkInitialize+1188j
		mov	byte_6D4D58, 1
		mov	byte_6D4C7B, 1
		call	_BgkpTryEnableConsole@0	; BgkpTryEnableConsole()

loc_AF1C4D:				; CODE XREF: BgkInitialize+AEj
		xor	eax, eax

loc_AF1C4F:				; CODE XREF: BgkInitialize+4Bj
					; BgkInitialize+B5j
		pop	edi
		pop	esi
		leave
		retn
; 

loc_AF1C53:				; CODE XREF: BgkInitialize+1Cj
		cmp	byte_6D4D58, 0
		jnz	short loc_AF1C4D

loc_AF1C5C:				; CODE XREF: BgkInitialize+13j
		mov	eax, 0C0000001h
		jmp	short loc_AF1C4F
BgkInitialize	endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgpBcInitializeCriticalMode proc near	; CODE XREF: BgpFwLibraryInitialize+4C9p
					; TxtpAddCacheEntry+1CA4p

var_3C		= dword	ptr -3Ch
var_38		= dword	ptr -38h
var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AF2D39 SIZE 00000058 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 3Ch
		push	ebx
		push	esi
		push	edi
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		mov	ebx, ecx
		xor	ecx, ecx
		mov	esi, 400000h
		mov	[ebp+var_14], ecx
		mov	[ebp+var_10], ecx
		stosd
		mov	[ebp+var_34], ecx
		mov	[ebp+var_30], ecx
		mov	[ebp+var_2C], ecx
		stosd
		mov	eax, [ebx+54h]
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_18], ecx
		mov	[ebp+var_4], ecx
		test	eax, esi
		jnz	loc_AF2D39
		test	eax, 2000000h
		jnz	loc_AF2D44

loc_AF1CAE:				; CODE XREF: BgpBcInitializeCriticalMode+10E7j
		mov	[ebp+var_8], ecx
		mov	esi, ecx
		mov	[ebp+var_C], esi
		cmp	edx, 0FFFFFFFFh
		jz	loc_AF1F2B
		mov	ecx, 0C1008001h
		call	BcpFindMessage
		push	eax
		push	offset unk_6D6BE8
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, 0C1008008h
		call	BcpFindMessage
		push	eax
		push	offset unk_6D6BF8
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, 41008009h
		call	BcpFindMessage
		push	eax
		push	offset unk_6D6C00
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, 41008010h
		call	BcpFindMessage
		push	eax
		push	offset unk_6D6C08
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, 41008011h
		call	BcpFindMessage
		push	eax
		push	offset unk_6D6C10
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, 0C1008003h
		call	BcpFindMessage
		push	eax
		push	offset unk_6D6BF0
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, 41008014h
		call	BcpFindMessage
		push	eax
		push	offset unk_6D6C38
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, 41008015h
		call	BcpFindMessage
		push	eax
		push	offset unk_6D6C40
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, 41008016h
		call	BcpFindMessage
		push	eax
		push	offset unk_6D6C48
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, 41008018h
		call	BcpFindMessage
		push	eax
		push	offset unk_6D6C50
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, 41008017h
		call	BcpFindMessage
		push	eax
		push	offset unk_6D6C58
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, 41008019h
		call	BcpFindMessage
		push	eax
		push	offset unk_6D6C60
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, 41008020h
		call	BcpFindMessage
		push	eax
		push	offset unk_6D6C68
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, 41008021h
		call	BcpFindMessage
		push	eax
		push	offset unk_6D6C70
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		mov	ecx, 0C1008012h
		push	eax
		lea	edx, [ebp+var_8]
		call	_BcpGetProgressMessages@12 ; BcpGetProgressMessages(x,x,x)
		test	eax, eax
		js	loc_AF2D5F
		push	[ebp+var_8]
		push	offset unk_6D6C18
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+var_4]
		push	offset unk_6D6C20
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		lea	eax, [ebp+var_4]
		mov	ecx, 0C1008013h
		push	eax
		lea	edx, [ebp+var_C]
		call	_BcpGetProgressMessages@12 ; BcpGetProgressMessages(x,x,x)
		mov	esi, [ebp+var_C]
		test	eax, eax
		js	loc_AF2D5F
		push	esi
		push	offset unk_6D6C28
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		push	[ebp+var_4]
		push	offset unk_6D6C30
		call	_RtlInitUnicodeString@8	; RtlInitUnicodeString(x,x)
		mov	ecx, 41008006h
		call	BcpFindMessage
		cmp	word ptr [eax],	30h
		jz	loc_AF2D50

loc_AF1E60:				; CODE XREF: BgpBcInitializeCriticalMode+10F6j
		mov	eax, [ebx+54h]
		mov	edi, offset unk_6B58D8
		and	eax, 10000000h
		neg	eax
		sbb	eax, eax
		and	eax, 23F74Eh
		add	eax, 0FF0077D6h
		or	[ebp+var_38], 0FFFFFFFFh
		mov	[ebp+var_3C], eax

loc_AF1E82:				; CODE XREF: BgpBcInitializeCriticalMode+25Dj
		and	[ebp+var_C], 0
		mov	ebx, edi

loc_AF1E88:				; CODE XREF: BgpBcInitializeCriticalMode+252j
		mov	ecx, [ebx]
		lea	eax, [ebp+var_34]
		push	eax
		lea	eax, [ebp+var_30]
		push	eax
		lea	eax, [ebp+var_1C]
		push	eax
		push	ecx
		call	_BgpFoDetermineFontInformation@24 ; BgpFoDetermineFontInformation(x,x,x,x,x,x)
		test	eax, eax
		js	loc_AF2D5F
		mov	eax, [ebp+var_30]
		mov	[ebx], eax
		add	ebx, 4
		mov	eax, [ebp+var_C]
		inc	eax
		mov	[ebp+var_C], eax
		cmp	eax, 4
		jl	short loc_AF1E88
		add	edi, 48h
		cmp	edi, offset _Cc5MicroSeconds
		jl	short loc_AF1E82
		and	[ebp+var_2C], 0
		lea	edx, [ebp+var_14]
		lea	ecx, [ebp+var_3C]
		call	_BcpGetMaxResourceProfile@8 ; BcpGetMaxResourceProfile(x,x)
		test	eax, eax
		js	loc_AF2D5F
		mov	edi, [ebp+var_14]
		mov	ecx, edi
		call	BgpFwAllocateMemory
		test	eax, eax
		jz	loc_AF2D5F
		and	dword_6B6B28, 0
		lea	edx, [ebp+var_28]
		mov	_BcpWorkspace, eax
		lea	ecx, [ebp+var_3C]
		mov	eax, [ebp+var_10]
		mov	[ebp+var_28], eax
		mov	eax, [ebp+var_18]
		push	3
		mov	dword_6B6B24, edi
		mov	[ebp+var_24], eax
		call	BgpDisplayCharacterGetContext
		mov	dword_6D6C78, eax
		test	eax, eax
		jz	loc_AF2D5F
		or	dword_6B6BB8, 10h

loc_AF1F2B:				; CODE XREF: BgpBcInitializeCriticalMode+55j
					; BgpBcInitializeCriticalMode+10DBj ...
		pop	edi
		pop	esi
		xor	eax, eax
		pop	ebx
		leave
		retn
BgpBcInitializeCriticalMode endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpFoDetermineFontInformation(x, x,	x, x, x, x)
_BgpFoDetermineFontInformation@24 proc near ; CODE XREF: BgpBcInitializeCriticalMode+233p

var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h
arg_C		= dword	ptr  14h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 24h
		push	ebx
		push	esi
		xor	esi, esi
		lea	edx, [ebp+var_4]
		mov	ebx, ecx
		mov	[ebp+var_4], esi
		push	edi
		xor	ecx, ecx	; wchar_t *
		mov	[ebp+var_C], esi
		mov	[ebp+var_8], esi
		call	BgpFoGetFontHandle
		test	eax, eax
		js	short loc_AF1F9F
		or	[ebp+var_1C], 0FFFFFFFFh
		mov	edi, [ebp+var_4]
		and	[ebp+var_10], 0
		push	4
		mov	[ebp+var_20], esi
		mov	[ebp+var_18], edi
		pop	esi

loc_AF1F6C:				; CODE XREF: BgpFoDetermineFontInformation(x,x,x,x,x,x)+52j
		inc	esi
		lea	edx, [ebp+var_C]
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_14], esi
		call	_BgpFoGetTextMetrics@8 ; BgpFoGetTextMetrics(x,x)
		test	eax, eax
		js	short loc_AF1F9F
		mov	edx, [ebp+var_8]
		cmp	edx, ebx
		jb	short loc_AF1F6C
		ja	short loc_AF1FA6

loc_AF1F88:				; CODE XREF: BgpFoDetermineFontInformation(x,x,x,x,x,x)+8Fj
		mov	ecx, [ebp+arg_4]
		mov	eax, [ebp+var_C]
		mov	[ecx], eax
		mov	eax, [ebp+arg_8]
		mov	[ecx+4], edx
		mov	[eax], esi
		mov	eax, [ebp+arg_C]
		mov	[eax], edi
		xor	eax, eax

loc_AF1F9F:				; CODE XREF: BgpFoDetermineFontInformation(x,x,x,x,x,x)+24j
					; BgpFoDetermineFontInformation(x,x,x,x,x,x)+4Bj ...
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	10h
; 

loc_AF1FA6:				; CODE XREF: BgpFoDetermineFontInformation(x,x,x,x,x,x)+54j
		cmp	esi, 5
		jbe	short loc_AF1FC3
		dec	esi
		lea	edx, [ebp+var_C]
		lea	ecx, [ebp+var_20]
		mov	[ebp+var_14], esi
		call	_BgpFoGetTextMetrics@8 ; BgpFoGetTextMetrics(x,x)
		test	eax, eax
		js	short loc_AF1F9F
		mov	edx, [ebp+var_8]
		jmp	short loc_AF1F88
; 

loc_AF1FC3:				; CODE XREF: BgpFoDetermineFontInformation(x,x,x,x,x,x)+77j
		mov	eax, 0C0000001h
		jmp	short loc_AF1F9F
_BgpFoDetermineFontInformation@24 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BcpFindMessage	proc near		; CODE XREF: BcpGetProgressMessages(x,x,x)+Dp
					; BgpBcInitializeCriticalMode+60p ...

; FUNCTION CHUNK AT 00AF2D91 SIZE 0000010D BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	ecx
		push	ebx
		push	esi
		push	edi
		mov	esi, ecx
		mov	edi, 41008018h
		cmp	esi, edi
		jz	short loc_AF203D

loc_AF1FDE:				; CODE XREF: BcpFindMessage+7Bj
		call	_ResFwFindMessage@4 ; ResFwFindMessage(x)
		mov	edx, eax
		test	edx, edx
		jz	loc_AF2D91
		mov	ecx, edx
		xor	ebx, ebx
		mov	esi, ebx
		lea	edi, [ecx+2]

loc_AF1FF6:				; CODE XREF: BcpFindMessage+35j
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_AF1FF6
		sub	ecx, edi
		sar	ecx, 1
		jz	short loc_AF202E

loc_AF2007:				; CODE XREF: BcpFindMessage+62j
		movzx	eax, word ptr [edx+esi*2]
		cmp	eax, 0Dh
		jz	short loc_AF2035
		cmp	eax, 0Ah
		jz	short loc_AF2035

loc_AF2015:				; CODE XREF: BcpFindMessage+71j
		mov	ecx, edx
		inc	esi
		lea	edi, [ecx+2]

loc_AF201B:				; CODE XREF: BcpFindMessage+5Aj
		mov	ax, [ecx]
		add	ecx, 2
		cmp	ax, bx
		jnz	short loc_AF201B
		sub	ecx, edi
		sar	ecx, 1
		cmp	esi, ecx
		jb	short loc_AF2007

loc_AF202E:				; CODE XREF: BcpFindMessage+3Bj
					; BcpFindMessage+7Dj ...
		pop	edi
		pop	esi
		mov	eax, edx
		pop	ebx
		leave
		retn
; 

loc_AF2035:				; CODE XREF: BcpFindMessage+44j
					; BcpFindMessage+49j
		xor	eax, eax
		mov	[edx+esi*2], ax
		jmp	short loc_AF2015
; 

loc_AF203D:				; CODE XREF: BcpFindMessage+12j
		mov	edx, dword_6B6C34
		test	edx, edx
		jz	short loc_AF1FDE
		jmp	short loc_AF202E
BcpFindMessage	endp

; 
		align 2

;  S U B	R O U T	I N E 


; __stdcall BgpConsoleGetFontName(x, x)
_BgpConsoleGetFontName@8 proc near	; CODE XREF: TxtpAddCacheEntry+AEDp
		cmp	ecx, 2
		jz	short loc_AF206B
		cmp	ecx, 1
		jz	short loc_AF2072
		cmp	ecx, 3
		jz	short loc_AF2079
		mov	eax, offset ??_C@_1DG@KMCKOAOK@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?5?$AAJ?$AAh?$AAe?$AAn?$AAg@NKKEPPGN@
		cmp	ecx, 4
		jz	short loc_AF2068
		mov	eax, offset ??_C@_1CA@JFGLNDEM@?$AAS?$AAe?$AAg?$AAo?$AAe?$AA?5?$AAM?$AAo?$AAn?$AAo?$AA?5?$AAB?$AAo?$AAo?$AAt@NKKEPPGN@

loc_AF2068:				; CODE XREF: BgpConsoleGetFontName(x,x)+17j
					; BgpConsoleGetFontName(x,x)+26j ...
		mov	[edx], eax
		retn
; 

loc_AF206B:				; CODE XREF: BgpConsoleGetFontName(x,x)+3j
		mov	eax, offset ??_C@_1BO@PJBLEDDD@?$AAM?$AAe?$AAi?$AAr?$AAy?$AAo?$AA?5?$AAC?$AAo?$AAn?$AAs?$AAo?$AAl?$AAe@NKKEPPGN@ ; "Meiryo Console"
		jmp	short loc_AF2068
; 

loc_AF2072:				; CODE XREF: BgpConsoleGetFontName(x,x)+8j
		mov	eax, offset ??_C@_1CM@EIIONOC@?$AAM?$AAa?$AAl?$AAg?$AAu?$AAn?$AA?5?$AAG?$AAo?$AAt?$AAh?$AAi?$AAc?$AA?5?$AAC@NKKEPPGN@ ;	"M"
		jmp	short loc_AF2068
; 

loc_AF2079:				; CODE XREF: BgpConsoleGetFontName(x,x)+Dj
		mov	eax, offset ??_C@_1DA@BHHMHDAE@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?5?$AAY?$AAa?$AAH?$AAe?$AAi@NKKEPPGN@
		jmp	short loc_AF2068
_BgpConsoleGetFontName@8 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

BgpFoInitialize	proc near		; CODE XREF: BgpFwLibraryInitialize+34Ep
					; BgpFwLibraryInitialize+487p ...

var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AF2ED7 SIZE 0000005F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch
		and	[ebp+var_8], 0
		mov	eax, offset _FopFontFileListHead
		and	[ebp+var_4], 0
		cmp	_FontLibraryInitialized, 0
		push	ebx
		push	esi
		push	edi
		mov	[ebp+var_C], edx
		mov	ebx, ecx
		jnz	short loc_AF20B7
		mov	dword_6B6B44, eax
		mov	_FopFontFileListHead, eax
		mov	_FontLibraryInitialized, 1

loc_AF20B7:				; CODE XREF: BgpFoInitialize+24j
		push	20h
		pop	ecx
		call	BgpFwAllocateMemory
		mov	esi, eax
		test	esi, esi
		jz	loc_AF2ED7
		push	8
		xor	eax, eax
		mov	edi, esi
		pop	ecx
		rep stosd
		lea	eax, [esi+18h]
		mov	[esi+8], ebx
		mov	[eax+4], eax
		xor	edx, edx
		mov	[eax], eax
		mov	ecx, ebx
		mov	eax, [ebp+var_C]
		mov	[esi+10h], eax
		lea	eax, [ebp+var_8]
		push	eax		; void *
		call	_FioFwReadUlongAtOffset@12 ; FioFwReadUlongAtOffset(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_AF2140
		cmp	[ebp+var_8], 74746366h
		jz	loc_AF2EE1
		mov	dword ptr [esi+0Ch], 1

loc_AF210A:				; CODE XREF: BgpFoInitialize+EB1j
		mov	ecx, esi
		call	FopInitializeFonts
		mov	edi, eax
		test	edi, edi
		js	short loc_AF2140
		mov	eax, _FopFontFileListHead
		mov	ecx, offset _FopFontFileListHead
		cmp	[eax+4], ecx
		jnz	short loc_AF213B
		mov	[esi], eax
		mov	[esi+4], ecx
		mov	[eax+4], esi
		mov	_FopFontFileListHead, esi

loc_AF2134:				; CODE XREF: BgpFoInitialize+C7j
					; BgpFoInitialize+E5Cj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AF213B:				; CODE XREF: BgpFoInitialize+A4j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
					; AL = character to display

loc_AF2140:				; CODE XREF: BgpFoInitialize+74j
					; BgpFoInitialize+95j ...
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	short loc_AF2134
BgpFoInitialize	endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FopInitializeFonts proc	near		; CODE XREF: BgpFoInitialize+8Cp

var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

; FUNCTION CHUNK AT 00AF2F36 SIZE 0000001F BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	ebx
		mov	ebx, ecx
		push	esi
		xor	esi, esi
		mov	[ebp+var_10], ebx
		and	[ebp+var_4], esi
		push	edi
		cmp	[ebx+0Ch], esi
		jbe	loc_AF222B
		mov	[ebp+var_8], 0Ch

loc_AF216F:				; CODE XREF: FopInitializeFonts+DBj
		push	5Ch
		pop	ecx
		call	BgpFwAllocateMemory
		mov	edi, eax
		test	edi, edi
		jz	loc_AF2217
		push	5Ch		; size_t
		push	0		; int
		push	edi		; void *
		call	_memset
		lea	eax, [edi+50h]
		mov	[edi+8], ebx
		mov	[eax+4], eax
		xor	edx, edx
		mov	[eax], eax
		add	esp, 0Ch
		mov	eax, [ebp+var_4]
		mov	[edi+14h], eax
		test	byte ptr [ebx+14h], 1
		mov	[ebp+var_C], edx
		jnz	loc_AF2F36

loc_AF21AE:				; CODE XREF: FopInitializeFonts+E06j
		mov	[edi+18h], edx
		mov	ecx, [ebx+8]
		lea	eax, [edi+1Ch]
		and	[ebp+var_C], 0
		lea	ebx, [ebp+var_C]
		push	ebx
		push	eax
		push	636D6170h
		call	_FopGetTableOffsetAndSize@20 ; FopGetTableOffsetAndSize(x,x,x,x,x)
		mov	ebx, [ebp+var_10]
		test	eax, eax
		js	short loc_AF2240
		mov	edx, [edi+18h]
		lea	eax, [edi+10h]
		mov	ecx, [ebx+8]
		push	eax
		call	FopValidateFontNameTable
		test	eax, eax
		js	short loc_AF2240
		mov	edx, [edi+1Ch]
		lea	eax, [edi+0Ch]
		mov	ecx, [ebx+8]
		push	eax
		call	FopReadMappingTable
		test	eax, eax
		js	short loc_AF2240
		mov	ecx, edi
		call	_BgpRasInitializeRasterizer@4 ;	BgpRasInitializeRasterizer(x)
		test	eax, eax
		js	short loc_AF2240
		lea	eax, [ebx+18h]
		mov	ecx, [eax+4]
		cmp	[ecx], eax
		jnz	short loc_AF2249
		mov	[edi], eax
		inc	esi
		mov	[edi+4], ecx
		mov	[ecx], edi
		mov	[eax+4], edi

loc_AF2217:				; CODE XREF: FopInitializeFonts+31j
					; FopInitializeFonts+FDj
		mov	eax, [ebp+var_4]
		add	[ebp+var_8], 4
		inc	eax
		mov	[ebp+var_4], eax
		cmp	eax, [ebx+0Ch]
		jb	loc_AF216F

loc_AF222B:				; CODE XREF: FopInitializeFonts+18j
		neg	esi
		pop	edi
		sbb	esi, esi
		and	esi, 3FFFFF85h
		lea	eax, [esi-3FFFFF85h]
		pop	esi
		pop	ebx
		leave
		retn
; 

loc_AF2240:				; CODE XREF: FopInitializeFonts+85j
					; FopInitializeFonts+98j ...
		mov	ecx, edi
		call	FopFreeFontData
		jmp	short loc_AF2217
; 

loc_AF2249:				; CODE XREF: FopInitializeFonts+C0j
		push	3
		pop	ecx
		int	29h		; DOS 2+ internal - FAST PUTCHAR
FopInitializeFonts endp			; AL = character to display


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BgpRasInitializeRasterizer(x)
_BgpRasInitializeRasterizer@4 proc near	; CODE XREF: FopInitializeFonts+AFp

var_68		= dword	ptr -68h
var_56		= word ptr -56h
var_36		= word ptr -36h
var_30		= dword	ptr -30h
var_2C		= word ptr -2Ch
var_2A		= word ptr -2Ah
var_26		= word ptr -26h
var_20		= word ptr -20h
var_E		= word ptr -0Eh
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 6Ch
		push	ebx
		push	esi
		push	edi
		push	36h		; size_t
		xor	esi, esi
		lea	eax, [ebp+var_68]
		push	esi		; int
		push	eax		; void *
		mov	ebx, ecx
		call	_memset
		add	esp, 0Ch
		mov	[ebp+var_8], esi
		xor	eax, eax
		mov	[ebp+var_C], esi
		lea	edi, [ebp+var_30]
		lea	edx, [ebp+var_C]
		push	9
		pop	ecx
		rep stosd
		mov	eax, [ebx+8]
		lea	ecx, [ebx+2Ch]
		push	edx
		push	ecx
		push	68656164h
		mov	edi, [eax+8]
		mov	ecx, edi
		mov	eax, [ebx+18h]
		mov	edx, eax
		mov	[ebp+var_4], eax
		call	_FopGetTableOffsetAndSize@20 ; FopGetTableOffsetAndSize(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AF23FB
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		and	[ebp+var_C], 0
		mov	ecx, edi
		push	eax
		lea	eax, [ebx+28h]
		push	eax
		push	676C7966h
		call	_FopGetTableOffsetAndSize@20 ; FopGetTableOffsetAndSize(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AF23FB
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		and	[ebp+var_C], 0
		mov	ecx, edi
		push	eax
		lea	eax, [ebx+34h]
		push	eax
		push	6C6F6361h
		call	_FopGetTableOffsetAndSize@20 ; FopGetTableOffsetAndSize(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AF23FB
		mov	edx, [ebp+var_4]
		lea	eax, [ebp+var_C]
		and	[ebp+var_C], 0
		mov	ecx, edi
		push	eax
		lea	eax, [ebx+30h]
		push	eax
		push	686D7478h
		call	_FopGetTableOffsetAndSize@20 ; FopGetTableOffsetAndSize(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AF23FB
		mov	edx, [ebx+2Ch]
		lea	eax, [ebp+var_68]
		push	eax		; void *
		push	36h		; size_t
		mov	ecx, edi
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AF23FB
		mov	ax, [ebp+var_36]
		mov	edx, [ebp+var_4]
		mov	ch, al
		and	[ebp+var_C], 0
		mov	cl, ah
		mov	ax, [ebp+var_56]
		mov	[ebx+38h], cx
		mov	ch, al
		mov	cl, ah
		lea	eax, [ebp+var_C]
		push	eax
		lea	eax, [ebp+var_8]
		mov	[ebx+58h], cx
		push	eax
		push	68686561h
		mov	ecx, edi
		call	_FopGetTableOffsetAndSize@20 ; FopGetTableOffsetAndSize(x,x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AF23FB
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_30]
		push	eax		; void *
		push	24h		; size_t
		mov	ecx, edi
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AF23FB
		cmp	_RasterizerInitialized,	0
		mov	ax, [ebp+var_E]
		mov	ch, al
		mov	dword ptr [ebx+4Ch], 60h
		mov	cl, ah
		mov	ax, [ebp+var_26]
		mov	[ebx+44h], cx
		mov	ch, al
		mov	cl, ah
		mov	ax, [ebp+var_2C]
		mov	dh, al
		mov	[ebx+3Ah], cx
		mov	dl, ah
		mov	ax, [ebp+var_2A]
		mov	ch, al
		mov	[ebx+3Eh], dx
		mov	cl, ah
		mov	[ebx+42h], dx
		mov	ax, [ebp+var_20]
		mov	[ebx+40h], cx
		mov	ch, al
		mov	cl, ah
		mov	[ebx+3Ch], cx
		jnz	short loc_AF23FB
		and	dword_6B6AE0, 0
		mov	eax, offset _RaspBitmapCache
		mov	dword_6B6AC4, eax
		mov	_RaspBitmapCache, eax
		mov	dword_6B6ADC, 64h
		mov	_RasterizerInitialized,	1

loc_AF23FB:				; CODE XREF: BgpRasInitializeRasterizer(x)+54j
					; BgpRasInitializeRasterizer(x)+79j ...
		pop	edi
		mov	eax, esi
		pop	esi
		pop	ebx
		leave
		retn
_BgpRasInitializeRasterizer@4 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FopReadMappingTable proc near		; CODE XREF: FopInitializeFonts+A4p

var_1C		= dword	ptr -1Ch
var_16		= word ptr -16h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AF2F55 SIZE 0000002A BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 1Ch
		and	[ebp+var_4], 0
		xor	eax, eax
		push	ebx
		push	esi
		push	edi
		lea	edi, [ebp+var_1C]
		mov	[ebp+var_8], edx
		stosd
		mov	esi, ecx
		mov	[ebp+var_C], esi
		stosd
		stosd
		stosw
		lea	eax, [ebp+var_4]
		push	eax
		call	FopReadCmapTable
		mov	ebx, [ebp+var_4]
		mov	edi, eax
		mov	[ebp+var_4], ebx
		test	edi, edi
		js	loc_AF252A
		movzx	edx, word ptr [ebx+2]
		lea	eax, [ebx+4]
		xor	ecx, ecx
		test	edx, edx
		jz	loc_AF2F61

loc_AF244D:				; CODE XREF: FopReadMappingTable+B59j
		cmp	word ptr [eax],	3
		jnz	loc_AF2F55
		cmp	word ptr [eax+2], 1
		jnz	loc_AF2F55
		mov	eax, [eax+4]
		test	eax, eax
		jz	loc_AF2F61
		add	eax, [ebp+var_8]
		lea	ecx, [ebp+var_1C]
		push	ecx		; void *
		mov	edx, eax
		mov	[ebp+var_8], eax
		mov	ecx, esi
		call	_FopReadSegmentMapHeader@12 ; FopReadSegmentMapHeader(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AF252A
		push	1Ch
		pop	ecx
		call	BgpFwAllocateMemory
		mov	esi, eax
		test	esi, esi
		jz	loc_AF2F6B
		xor	eax, eax
		mov	[esi+4], eax
		mov	[esi+8], eax
		mov	[esi+0Ch], eax
		mov	[esi+10h], eax
		mov	[esi+14h], eax
		mov	[esi+18h], eax
		movzx	edi, word ptr [ebp+var_1C+2]
		movzx	eax, [ebp+var_16]
		sub	edi, 0Eh
		shr	eax, 1
		mov	ecx, edi
		mov	[esi], eax
		call	BgpFwAllocateMemory
		mov	ebx, eax
		test	ebx, ebx
		jz	loc_AF2F75
		mov	edx, [ebp+var_8]
		mov	ecx, [ebp+var_C]
		add	edx, 0Eh
		push	ebx		; void *
		shr	edi, 1
		push	edi		; int
		mov	[esi+4], ebx
		call	_FopReadPushortAtOffset@16 ; FopReadPushortAtOffset(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_AF2523
		mov	ecx, [esi]
		add	ecx, ecx
		mov	[esi+0Ch], ebx
		lea	eax, [ecx+2]
		add	eax, ebx
		mov	[esi+8], eax
		lea	eax, [ecx+1]
		lea	eax, [ebx+eax*2]
		mov	[esi+10h], eax
		imul	eax, ecx, 3
		add	eax, 2
		add	eax, ebx
		mov	[esi+14h], eax
		lea	eax, ds:2[ecx*4]
		add	eax, ebx
		mov	[esi+18h], eax
		mov	eax, [ebp+arg_0]
		mov	[eax], esi
		xor	esi, esi
		xor	edi, edi

loc_AF2523:				; CODE XREF: FopReadMappingTable+E7j
					; FopReadMappingTable+B78j
		test	esi, esi
		jnz	short loc_AF253E

loc_AF2527:				; CODE XREF: FopReadMappingTable+143j
		mov	ebx, [ebp+var_4]

loc_AF252A:				; CODE XREF: FopReadMappingTable+34j
					; FopReadMappingTable+82j ...
		test	ebx, ebx
		jz	short loc_AF2535
		mov	ecx, ebx
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_AF2535:				; CODE XREF: FopReadMappingTable+12Aj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_AF253E:				; CODE XREF: FopReadMappingTable+123j
		mov	ecx, esi
		call	_FopFreeMappingTable@4 ; FopFreeMappingTable(x)
		jmp	short loc_AF2527
FopReadMappingTable endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	FopReadPushortAtOffset(int,void	*)
_FopReadPushortAtOffset@16 proc	near	; CODE XREF: FopReadMappingTable+DEp

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	edi
		mov	edi, [ebp+arg_4]
		push	edi		; void *
		lea	eax, [esi+esi]
		push	eax		; size_t
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		test	eax, eax
		js	short loc_AF257C
		xor	edx, edx
		test	esi, esi
		jz	short loc_AF257A

loc_AF2569:				; CODE XREF: FopReadPushortAtOffset(x,x,x,x)+30j
		mov	ax, [edi+edx*2]
		mov	ch, al
		mov	cl, ah
		mov	[edi+edx*2], cx
		inc	edx
		cmp	edx, esi
		jb	short loc_AF2569

loc_AF257A:				; CODE XREF: FopReadPushortAtOffset(x,x,x,x)+1Fj
		xor	eax, eax

loc_AF257C:				; CODE XREF: FopReadPushortAtOffset(x,x,x,x)+19j
		pop	edi
		pop	esi
		pop	ebp
		retn	8
_FopReadPushortAtOffset@16 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	FopReadSegmentMapHeader(void *)
_FopReadSegmentMapHeader@12 proc near	; CODE XREF: FopReadMappingTable+79p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi		; void *
		push	0Eh		; size_t
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		test	eax, eax
		js	short loc_AF25F1
		mov	ax, [esi]
		mov	ch, al
		mov	cl, ah
		mov	[esi], cx
		cmp	cx, 4
		jnz	short loc_AF25F6
		mov	ax, [esi+2]
		mov	ch, al
		mov	cl, ah
		mov	ax, [esi+4]
		mov	[esi+2], cx
		mov	ch, al
		mov	cl, ah
		mov	ax, [esi+6]
		mov	[esi+4], cx
		mov	ch, al
		mov	cl, ah
		mov	ax, [esi+8]
		mov	[esi+6], cx
		mov	ch, al
		mov	cl, ah
		mov	ax, [esi+0Ah]
		mov	[esi+8], cx
		mov	ch, al
		mov	cl, ah
		mov	ax, [esi+0Ch]
		mov	[esi+0Ah], cx
		mov	ch, al
		mov	cl, ah
		xor	eax, eax
		mov	[esi+0Ch], cx

loc_AF25F1:				; CODE XREF: FopReadSegmentMapHeader(x,x,x)+13j
					; FopReadSegmentMapHeader(x,x,x)+79j
		pop	esi
		pop	ebp
		retn	4
; 

loc_AF25F6:				; CODE XREF: FopReadSegmentMapHeader(x,x,x)+23j
		mov	eax, 0C000007Bh
		jmp	short loc_AF25F1
_FopReadSegmentMapHeader@12 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FopReadCmapTable proc near		; CODE XREF: FopReadMappingTable+25p

var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AF2F7F SIZE 00000018 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 2Ch
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		push	esi
		push	edi
		mov	[ebp+var_2C], eax
		lea	edi, [ebp+var_10]
		xor	eax, eax
		mov	[ebp+var_24], edx
		stosd
		mov	[ebp+var_28], ecx
		stosd
		stosd
		xor	eax, eax
		mov	[ebp+var_1C], eax
		mov	edi, eax
		lea	eax, [ebp+var_10]
		push	eax		; void *
		push	4		; size_t
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		mov	esi, eax
		test	esi, esi
		js	loc_AF26F1
		mov	cx, word ptr [ebp+var_10]
		mov	dh, cl
		mov	dl, ch
		mov	cx, word ptr [ebp+var_10+2]
		mov	word ptr [ebp+var_10], dx
		mov	ah, cl
		mov	al, ch
		movzx	ecx, ax
		mov	[ebp+var_18], ecx
		mov	word ptr [ebp+var_10+2], ax
		push	ebx
		movzx	ebx, ax
		mov	ecx, ebx
		mov	[ebp+var_20], ecx
		test	dx, dx
		jnz	loc_AF2F7F
		push	0Ch
		pop	ecx
		mov	[ebp+var_14], ecx
		cmp	word ptr [ebp+var_18], di
		jz	loc_AF2F89
		lea	eax, [ebp+var_14]
		mov	[ebp+var_18], ebx
		push	eax
		lea	edx, ds:0FFFFFFF8h[ebx*8]
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	esi, eax
		test	esi, esi
		jnz	short loc_AF26EE
		mov	ecx, [ebp+var_14]

loc_AF269E:				; CODE XREF: FopReadCmapTable+994j
		call	BgpFwAllocateMemory
		mov	edi, eax
		test	edi, edi
		jz	short loc_AF2703
		mov	eax, [ebp+var_10]
		mov	[edi], eax
		mov	eax, [ebp+var_24]
		add	eax, 4
		mov	[ebp+var_14], eax
		test	ebx, ebx
		jz	short loc_AF26E7
		lea	ebx, [edi+4]

loc_AF26BE:				; CODE XREF: FopReadCmapTable+E7j
		mov	ecx, [ebp+var_28]
		mov	edx, eax
		push	ebx		; void *
		call	_FopReadEncodingRecord@12 ; FopReadEncodingRecord(x,x,x)
		mov	esi, eax
		test	esi, esi
		js	short loc_AF270A
		mov	ecx, [ebp+var_1C]
		add	ebx, 8
		mov	eax, [ebp+var_14]
		inc	ecx
		add	eax, 8
		mov	[ebp+var_1C], ecx
		mov	[ebp+var_14], eax
		cmp	ecx, [ebp+var_18]
		jb	short loc_AF26BE

loc_AF26E7:				; CODE XREF: FopReadCmapTable+BBj
		mov	eax, [ebp+var_2C]
		mov	[eax], edi
		test	esi, esi

loc_AF26EE:				; CODE XREF: FopReadCmapTable+9Bj
		js	short loc_AF270A

loc_AF26F0:				; CODE XREF: FopReadCmapTable+10Aj
					; FopReadCmapTable+10Ej ...
		pop	ebx

loc_AF26F1:				; CODE XREF: FopReadCmapTable+3Ej
		mov	ecx, [ebp+var_4]
		mov	eax, esi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_AF2703:				; CODE XREF: FopReadCmapTable+A9j
		mov	esi, 0C0000017h
		jmp	short loc_AF26F0
; 

loc_AF270A:				; CODE XREF: FopReadCmapTable+CFj
					; FopReadCmapTable:loc_AF26EEj
		test	edi, edi
		jz	short loc_AF26F0
		mov	ecx, edi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	short loc_AF26F0
FopReadCmapTable endp

; 
		align 4

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	FopReadEncodingRecord(void *)
_FopReadEncodingRecord@12 proc near	; CODE XREF: FopReadCmapTable+C6p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi		; void *
		push	8		; size_t
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		test	eax, eax
		js	short loc_AF274D
		mov	ax, [esi]
		mov	ch, al
		mov	cl, ah
		mov	ax, [esi+2]
		mov	[esi], cx
		mov	ch, al
		mov	cl, ah
		mov	eax, [esi+4]
		bswap	eax
		mov	[esi+4], eax
		xor	eax, eax
		mov	[esi+2], cx

loc_AF274D:				; CODE XREF: FopReadEncodingRecord(x,x,x)+13j
		pop	esi
		pop	ebp
		retn	4
_FopReadEncodingRecord@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FopValidateFontNameTable proc near	; CODE XREF: FopInitializeFonts+91p

var_18		= dword	ptr -18h
var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AF2F97 SIZE 00000021 BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 18h
		push	ebx
		push	esi
		push	edi
		lea	eax, [ebp+var_14]
		xor	ebx, ebx
		push	eax
		lea	eax, [ebp+var_C]
		mov	[ebp+var_10], ebx
		push	eax
		mov	esi, ecx
		mov	[ebp+var_C], ebx
		push	6E616D65h
		mov	[ebp+var_18], esi
		mov	[ebp+var_4], ebx
		mov	[ebp+var_8], ebx
		mov	[ebp+var_14], ebx
		call	_FopGetTableOffsetAndSize@20 ; FopGetTableOffsetAndSize(x,x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AF2886
		mov	edx, [ebp+var_C]
		lea	eax, [ebp+var_8]
		push	eax
		mov	ecx, esi
		call	FopReadNamingTable
		mov	edi, eax
		test	edi, edi
		js	loc_AF2878
		mov	eax, [ebp+var_8]
		mov	ecx, ebx
		lea	esi, [eax+6]
		movzx	eax, word ptr [eax+2]
		test	eax, eax
		jz	loc_AF289B
		xor	edi, edi
		inc	edi

loc_AF27BE:				; CODE XREF: FopValidateFontNameTable+143j
		cmp	word ptr [esi],	3
		jnz	loc_AF288F
		cmp	[esi+2], di
		jnz	loc_AF288F
		mov	edx, 409h
		cmp	[esi+4], dx
		jnz	loc_AF288F
		cmp	[esi+6], di
		jnz	loc_AF288F
		movzx	ecx, word ptr [esi+8]
		lea	eax, [ebp+var_10]
		push	eax
		push	2
		pop	edx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_AF2872
		mov	ecx, [ebp+var_10]
		call	BgpFwAllocateMemory
		mov	ecx, eax
		mov	[ebp+var_4], ecx
		test	ecx, ecx
		jz	loc_AF2F97
		mov	eax, [ebp+var_8]
		movzx	edx, word ptr [esi+0Ah]
		push	ecx		; void *
		mov	ecx, [ebp+var_18]
		movzx	eax, word ptr [eax+4]
		add	eax, [ebp+var_C]
		add	edx, eax
		movzx	eax, word ptr [esi+8]
		push	eax		; size_t
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AF2FA1
		shr	word ptr [esi+8], 1
		xor	ecx, ecx
		movzx	eax, word ptr [esi+8]
		mov	edx, [ebp+var_4]
		cmp	cx, ax
		jnb	short loc_AF2865

loc_AF2850:				; CODE XREF: FopValidateFontNameTable+111j
		mov	ax, [edx+ebx*2]
		mov	ch, al
		mov	cl, ah
		mov	[edx+ebx*2], cx
		inc	ebx
		movzx	eax, word ptr [esi+8]
		cmp	ebx, eax
		jb	short loc_AF2850

loc_AF2865:				; CODE XREF: FopValidateFontNameTable+FCj
		xor	eax, eax
		mov	[edx+ebx*2], ax
		mov	eax, [ebp+arg_0]
		mov	[eax], edx

loc_AF2870:				; CODE XREF: FopValidateFontNameTable+14Ej
		test	edi, edi

loc_AF2872:				; CODE XREF: FopValidateFontNameTable+ADj
		js	loc_AF2FA1

loc_AF2878:				; CODE XREF: FopValidateFontNameTable+4Fj
					; FopValidateFontNameTable+84Aj ...
		mov	eax, [ebp+var_8]
		test	eax, eax
		jz	short loc_AF2886
		mov	ecx, eax
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_AF2886:				; CODE XREF: FopValidateFontNameTable+37j
					; FopValidateFontNameTable+12Bj
		mov	eax, edi
		pop	edi
		pop	esi
		pop	ebx
		leave
		retn	4
; 

loc_AF288F:				; CODE XREF: FopValidateFontNameTable+70j
					; FopValidateFontNameTable+7Aj	...
		inc	ecx
		add	esi, 0Ch
		cmp	ecx, eax
		jb	loc_AF27BE

loc_AF289B:				; CODE XREF: FopValidateFontNameTable+63j
		mov	edi, 0C000007Bh
		jmp	short loc_AF2870
FopValidateFontNameTable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

FopReadNamingTable proc	near		; CODE XREF: FopValidateFontNameTable+46p

var_34		= dword	ptr -34h
var_30		= dword	ptr -30h
var_2C		= dword	ptr -2Ch
var_28		= dword	ptr -28h
var_22		= word ptr -22h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

; FUNCTION CHUNK AT 00AF2FB8 SIZE 0000000E BYTES

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 34h
		mov	eax, ___security_cookie
		xor	eax, ebp
		mov	[ebp+var_4], eax
		mov	eax, [ebp+arg_0]
		mov	[ebp+var_34], eax
		xor	eax, eax
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	[ebp+var_2C], edx
		stosd
		mov	[ebp+var_30], ecx
		stosd
		stosd
		stosd
		stosw
		xor	eax, eax
		mov	[ebp+var_28], eax
		mov	esi, eax
		lea	eax, [ebp+var_18]
		push	eax		; void *
		push	6		; size_t
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AF2998
		mov	cx, word ptr [ebp+var_18]
		mov	dh, cl
		mov	dl, ch
		mov	cx, word ptr [ebp+var_18+2]
		mov	word ptr [ebp+var_18], dx
		mov	dh, cl
		mov	dl, ch
		mov	word ptr [ebp+var_18+2], dx
		push	ebx
		movzx	ebx, dx
		mov	eax, ebx
		mov	[ebp+var_20], eax
		mov	ax, [ebp+var_14]
		mov	ch, al
		mov	cl, ah
		mov	[ebp+var_22], cx
		push	12h
		pop	ecx
		mov	[ebp+var_1C], ecx
		test	dx, dx
		jz	loc_AF2FB8
		imul	edx, ebx, 0Ch
		lea	eax, [ebp+var_1C]
		push	eax
		mov	[ebp+var_20], ebx
		call	_RtlULongPtrAdd@12 ; RtlULongPtrAdd(x,x,x)
		mov	edi, eax
		test	edi, edi
		jnz	short loc_AF2995
		mov	ecx, [ebp+var_1C]

loc_AF293D:				; CODE XREF: FopReadNamingTable+71Fj
		call	BgpFwAllocateMemory
		mov	esi, eax
		test	esi, esi
		jz	short loc_AF29AA
		mov	eax, [ebp+var_18]
		mov	[esi], eax
		mov	ax, [ebp+var_22]
		mov	[esi+4], ax
		mov	eax, [ebp+var_2C]
		add	eax, 6
		mov	[ebp+var_1C], eax
		test	ebx, ebx
		jz	short loc_AF298E
		lea	ebx, [esi+6]

loc_AF2965:				; CODE XREF: FopReadNamingTable+EAj
		mov	ecx, [ebp+var_30]
		mov	edx, eax
		push	ebx		; void *
		call	_FopReadNameRecord@12 ;	FopReadNameRecord(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	short loc_AF29B1
		mov	ecx, [ebp+var_28]
		add	ebx, 0Ch
		mov	eax, [ebp+var_1C]
		inc	ecx
		add	eax, 0Ch
		mov	[ebp+var_28], ecx
		mov	[ebp+var_1C], eax
		cmp	ecx, [ebp+var_20]
		jb	short loc_AF2965

loc_AF298E:				; CODE XREF: FopReadNamingTable+BEj
		mov	eax, [ebp+var_34]
		mov	[eax], esi
		test	edi, edi

loc_AF2995:				; CODE XREF: FopReadNamingTable+96j
		js	short loc_AF29B1

loc_AF2997:				; CODE XREF: FopReadNamingTable+10Dj
					; FopReadNamingTable+111j ...
		pop	ebx

loc_AF2998:				; CODE XREF: FopReadNamingTable+41j
		mov	ecx, [ebp+var_4]
		mov	eax, edi
		pop	edi
		xor	ecx, ebp
		pop	esi
		call	@__security_check_cookie@4 ; __security_check_cookie(x)
		leave
		retn	4
; 

loc_AF29AA:				; CODE XREF: FopReadNamingTable+A4j
		mov	edi, 0C0000017h
		jmp	short loc_AF2997
; 

loc_AF29B1:				; CODE XREF: FopReadNamingTable+D2j
					; FopReadNamingTable:loc_AF2995j
		test	esi, esi
		jz	short loc_AF2997
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	short loc_AF2997
FopReadNamingTable endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	FopReadNameRecord(void *)
_FopReadNameRecord@12 proc near		; CODE XREF: FopReadNamingTable+C9p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi		; void *
		push	0Ch		; size_t
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		test	eax, eax
		js	short loc_AF2A1B
		mov	ax, [esi]
		mov	ch, al
		mov	cl, ah
		mov	ax, [esi+2]
		mov	[esi], cx
		mov	ch, al
		mov	cl, ah
		mov	ax, [esi+4]
		mov	[esi+2], cx
		mov	ch, al
		mov	cl, ah
		mov	ax, [esi+6]
		mov	[esi+4], cx
		mov	ch, al
		mov	cl, ah
		mov	ax, [esi+8]
		mov	[esi+6], cx
		mov	ch, al
		mov	cl, ah
		mov	ax, [esi+0Ah]
		mov	[esi+8], cx
		mov	ch, al
		mov	cl, ah
		xor	eax, eax
		mov	[esi+0Ah], cx

loc_AF2A1B:				; CODE XREF: FopReadNameRecord(x,x,x)+13j
		pop	esi
		pop	ebp
		retn	4
_FopReadNameRecord@12 endp


;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall FopGetTableOffsetAndSize(x,	x, x, x, x)
_FopGetTableOffsetAndSize@20 proc near	; CODE XREF: FopInitializeFonts+7Bp
					; BgpRasInitializeRasterizer(x)+4Bp ...

var_28		= dword	ptr -28h
var_24		= dword	ptr -24h
var_20		= dword	ptr -20h
var_1C		= dword	ptr -1Ch
var_18		= dword	ptr -18h
var_14		= word ptr -14h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 28h
		push	ebx
		xor	eax, eax
		mov	[ebp+var_C], ecx
		push	esi
		push	edi
		lea	edi, [ebp+var_18]
		mov	esi, edx
		stosd
		stosd
		stosd
		xor	eax, eax
		lea	edi, [ebp+var_28]
		stosd
		stosd
		stosd
		stosd
		lea	eax, [ebp+var_18]
		push	eax		; void *
		call	_FopReadOffsetTable@12 ; FopReadOffsetTable(x,x,x)
		mov	ecx, eax
		test	ecx, ecx
		js	short loc_AF2AC4
		movzx	ecx, [ebp+var_14]
		lea	eax, [esi+0Ch]
		xor	ebx, ebx
		mov	[ebp+var_8], eax
		test	ecx, ecx
		jz	short loc_AF2AB3

loc_AF2A60:				; CODE XREF: FopGetTableOffsetAndSize(x,x,x,x,x)+91j
		lea	ecx, [ebp+var_28]
		mov	edx, eax
		push	ecx		; void *
		mov	ecx, [ebp+var_C]
		push	10h		; size_t
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		mov	edx, [ebp+var_1C]
		mov	ecx, eax
		mov	esi, [ebp+var_20]
		mov	edi, [ebp+var_28]
		test	ecx, ecx
		js	short loc_AF2AC4
		mov	eax, [ebp+var_24]
		xor	ecx, ecx
		bswap	edi
		mov	[ebp+var_28], edi
		bswap	esi
		mov	[ebp+var_20], esi
		bswap	edx
		mov	[ebp+var_1C], edx
		bswap	eax
		mov	[ebp+var_24], eax
		test	ecx, ecx
		js	short loc_AF2AC4
		cmp	edi, [ebp+arg_0]
		jz	short loc_AF2ABA
		mov	eax, [ebp+var_8]
		inc	ebx
		movzx	ecx, [ebp+var_14]
		add	eax, 10h
		mov	[ebp+var_8], eax
		cmp	ebx, ecx
		jb	short loc_AF2A60

loc_AF2AB3:				; CODE XREF: FopGetTableOffsetAndSize(x,x,x,x,x)+3Ej
		mov	ecx, 0C0000225h
		jmp	short loc_AF2AC4
; 

loc_AF2ABA:				; CODE XREF: FopGetTableOffsetAndSize(x,x,x,x,x)+7Fj
		mov	eax, [ebp+arg_4]
		mov	[eax], esi
		mov	eax, [ebp+arg_8]
		mov	[eax], edx

loc_AF2AC4:				; CODE XREF: FopGetTableOffsetAndSize(x,x,x,x,x)+2Ej
					; FopGetTableOffsetAndSize(x,x,x,x,x)+5Dj ...
		pop	edi
		pop	esi
		mov	eax, ecx
		pop	ebx
		leave
		retn	0Ch
_FopGetTableOffsetAndSize@20 endp

; 
		align 2

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; int __stdcall	FopReadOffsetTable(void	*)
_FopReadOffsetTable@12 proc near	; CODE XREF: FopGetTableOffsetAndSize(x,x,x,x,x)+25p

arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		push	esi
		mov	esi, [ebp+arg_0]
		push	esi		; void *
		push	0Ch		; size_t
		call	_FioFwReadBytesAtOffset@16 ; FioFwReadBytesAtOffset(x,x,x,x)
		test	eax, eax
		js	short loc_AF2B22
		mov	eax, [esi]
		bswap	eax
		mov	[esi], eax
		cmp	eax, 10000h
		jnz	short loc_AF2B27
		mov	ax, [esi+6]
		mov	ch, al
		mov	cl, ah
		mov	ax, [esi+8]
		mov	[esi+6], cx
		mov	ch, al
		mov	cl, ah
		mov	ax, [esi+0Ah]
		mov	[esi+8], cx
		mov	ch, al
		mov	cl, ah
		mov	ax, [esi+4]
		mov	[esi+0Ah], cx
		mov	ch, al
		mov	cl, ah
		xor	eax, eax
		mov	[esi+4], cx

loc_AF2B22:				; CODE XREF: FopReadOffsetTable(x,x,x)+13j
					; FopReadOffsetTable(x,x,x)+5Ej
		pop	esi
		pop	ebp
		retn	4
; 

loc_AF2B27:				; CODE XREF: FopReadOffsetTable(x,x,x)+20j
		mov	eax, 0C00000BBh
		jmp	short loc_AF2B22
_FopReadOffsetTable@12 endp


;  S U B	R O U T	I N E 


; __stdcall BgkDisplayBackgroundUpdate()
_BgkDisplayBackgroundUpdate@0 proc near	; CODE XREF: Phase1InitializationDiscard(x)+286p
		mov	edi, edi
		push	ecx
		cmp	byte_6D4D58, 0
		jz	short loc_AF2B57
		cmp	byte_6D4C7B, 0
		jz	short loc_AF2B57
		mov	cl, 1
		call	_BgDisplayBackgroundUpdate@4 ; BgDisplayBackgroundUpdate(x)
		test	eax, eax
		js	short loc_AF2B55
		mov	byte_6D4C79, 1

loc_AF2B55:				; CODE XREF: BgkDisplayBackgroundUpdate()+1Ej
		pop	ecx
		retn
; 

loc_AF2B57:				; CODE XREF: BgkDisplayBackgroundUpdate()+Aj
					; BgkDisplayBackgroundUpdate()+13j
		mov	eax, 0C0000001h
		pop	ecx
		retn
_BgkDisplayBackgroundUpdate@0 endp


;  S U B	R O U T	I N E 


; __stdcall BgkDisplayProgressIndicator()
_BgkDisplayProgressIndicator@0 proc near ; CODE	XREF: Phase1InitializationDiscard(x)+281p
		mov	edi, edi
		push	ecx
		cmp	byte_6D4D58, 0
		jz	short loc_AF2B87
		cmp	byte_6D4C7B, 0
		jz	short loc_AF2B87
		mov	cl, 1
		call	_BgDisplayProgressIndicator@4 ;	BgDisplayProgressIndicator(x)
		test	eax, eax
		js	short loc_AF2B85
		mov	byte_6D4C7A, 1

loc_AF2B85:				; CODE XREF: BgkDisplayProgressIndicator()+1Ej
		pop	ecx
		retn
; 

loc_AF2B87:				; CODE XREF: BgkDisplayProgressIndicator()+Aj
					; BgkDisplayProgressIndicator()+13j
		mov	eax, 0C0000001h
		pop	ecx
		retn
_BgkDisplayProgressIndicator@0 endp


;  S U B	R O U T	I N E 


; __stdcall BgpFwInitializeLock()
_BgpFwInitializeLock@0 proc near	; CODE XREF: BgpFwLibraryInitialize+100p
		and	dword_6FB700, 0
		retn
_BgpFwInitializeLock@0 endp


;  S U B	R O U T	I N E 


??_C@_1CA@JFGLNDEM@?$AAS?$AAe?$AAg?$AAo?$AAe?$AA?5?$AAM?$AAo?$AAn?$AAo?$AA?5?$AAB?$AAo?$AAo?$AAt@NKKEPPGN@ proc	near
					; DATA XREF: BgpConsoleGetFontName(x,x)+19o
		push	ebx
		add	[ebp+0], ah
		add	[bx+0],	ch
		add	gs:[eax], ah
		add	[ebp+0], cl
		outsd
??_C@_1CA@JFGLNDEM@?$AAS?$AAe?$AAg?$AAo?$AAe?$AA?5?$AAM?$AAo?$AAn?$AAo?$AA?5?$AAB?$AAo?$AAo?$AAt@NKKEPPGN@ endp

		add	[esi+0], ch
		outsd
		add	[eax], ah
		add	[edx+0], al
		outsd
		add	[edi+0], ch
		jz	short $+2
; 
		db 2 dup(0)
; 

??_C@_1DA@BHHMHDAE@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?5?$AAY?$AAa?$AAH?$AAe?$AAi@NKKEPPGN@:
					; DATA XREF: BgpConsoleGetFontName(x,x):loc_AF2079o
		dec	ebp
		add	[ecx+0], ch
		arpl	[eax], ax
		jb	short $+2
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		and	[eax], al
		pop	ecx
		add	[ecx+0], ah
		dec	eax
		add	[ebp+0], ah
		imul	eax, [eax], 430020h
		outsd
		add	[esi+0], ch
		jnb	short $+2
		outsd
		add	[eax+eax+65h], ch
; 
		db 0
		db 2 dup(0)
; 

??_C@_1DG@KMCKOAOK@?$AAM?$AAi?$AAc?$AAr?$AAo?$AAs?$AAo?$AAf?$AAt?$AA?5?$AAJ?$AAh?$AAe?$AAn?$AAg@NKKEPPGN@:
					; DATA XREF: BgpConsoleGetFontName(x,x)+Fo
		dec	ebp
		add	[ecx+0], ch
		arpl	[eax], ax
		jb	short $+2
		outsd
		add	[ebx+0], dh
		outsd
		add	[esi+0], ah
		jz	short $+2
		and	[eax], al
		dec	edx
		add	[eax+0], ch
		add	gs:[esi+0], ch
		add	[bx+si+0], cl
		add	gs:[ecx+0], ch
		and	[eax], al
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
		outsd
		add	[eax+eax+65h], ch
; 
		db 3 dup(0)
??_C@_1BO@PJBLEDDD@?$AAM?$AAe?$AAi?$AAr?$AAy?$AAo?$AA?5?$AAC?$AAo?$AAn?$AAs?$AAo?$AAl?$AAe@NKKEPPGN@:
					; DATA XREF: BgpConsoleGetFontName(x,x):loc_AF206Bo
		unicode	0, <Meiryo Console>,0
??_C@_1CM@EIIONOC@?$AAM?$AAa?$AAl?$AAg?$AAu?$AAn?$AA?5?$AAG?$AAo?$AAt?$AAh?$AAi?$AAc?$AA?5?$AAC@NKKEPPGN@ db 'M',0
					; DATA XREF: BgpConsoleGetFontName(x,x):loc_AF2072o
aAlgunGothicCon:
		unicode	0, <algun Gothic Console>,0
; 

??_C@_1EA@NCBJHMMM@?$AAY?$AAo?$AAu?$AAr?$AA?5?$AAd?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?5?$AAn?$AAe?$AAe@NKKEPPGN@:
					; DATA XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+3Co
		pop	ecx
		add	[edi+0], ch
		jnz	short $+2
		jb	short $+2
		and	[eax], al
		add	fs:[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		and	[eax], al
		outsb
		add	[ebp+0], ah
		add	gs:[eax+eax+73h], ah
		add	[eax], ah
		add	[eax+eax+6Fh], dh
		add	[eax], ah
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		jz	short $+2
		popa
		add	[edx+0], dh
		jz	short $+2
		add	large cs:0A00h,	cl
		add	[eax+0], dl	; DATA XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+44o
		insb
		add	[ebp+0], ah
		popa
		add	[ebx+0], dh
		add	gs:[eax], ah
		add	[eax+0], ch
		outsd
		add	[eax+eax+64h], ch
		add	[eax], ah
		add	[eax+eax+6Fh], ah
		add	[edi+0], dh
		outsb
		add	[eax], ah
		add	[eax+eax+68h], dh
		add	[ebp+0], ah
		and	[eax], al
		jo	short $+2
		outsd
		add	[edi+0], dh
		add	gs:[edx+0], dh
		and	[eax], al
		bound	eax, [eax]
		jnz	short $+2
		jz	short $+2
		jz	short $+2
		outsd
		add	[esi+0], ch
		add	large cs:0A00h,	cl
; 
		db 0
; 

??_C@_15JNBOKNOG@?$AA?$AN?$AA?6@NKKEPPGN@:
					; DATA XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+D4o
					; BcpDisplayEarlyBugCheckScreen(x,x,x)+E6o ...
		or	eax, 0A00h
		add	[eax+0], dl	; DATA XREF: BcpDisplayEarlyBugCheckScreen(x,x,x):loc_AF30A4o
		popa
		add	[edx+0], dh
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
		cmp	al, [eax]
; 
		db 2 dup(0)
; 

??_C@_1BI@CCLCLLGJ@?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAC?$AAo?$AAd?$AAe?$AA?3@NKKEPPGN@:
					; DATA XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+4Co
		inc	ebp
		add	[edx+0], dh
		jb	short $+2
		outsd
		add	[edx+0], dh
		and	[eax], al
		inc	ebx
		add	[edi+0], ch
		add	fs:[ebp+0], ah
		cmp	al, [eax]
; 
		db 2 dup(0)
; 

??_C@_13HOIJIPNN@?$AA?5@NKKEPPGN@:	; DATA XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+54o
		and	[eax], al
; 
		db 2 dup(0)
; 
; START	OF FUNCTION CHUNK FOR BgkInitialize

loc_AF2D2A:				; CODE XREF: BgkInitialize+88j
		mov	dword_6FD1C0, 2
		jmp	loc_AF1C3A
; END OF FUNCTION CHUNK	FOR BgkInitialize
; 
; START	OF FUNCTION CHUNK FOR BgpBcInitializeCriticalMode

loc_AF2D39:				; CODE XREF: BgpBcInitializeCriticalMode+39j
		or	dword_6B6BB8, esi
		jmp	loc_AF1F2B
; 

loc_AF2D44:				; CODE XREF: BgpBcInitializeCriticalMode+44j
		mov	_BcpDisplayParameters, 1
		jmp	loc_AF1CAE
; 

loc_AF2D50:				; CODE XREF: BgpBcInitializeCriticalMode+1F6j
		or	dword_6B6BB8, 20000h
		jmp	loc_AF1E60
; 

loc_AF2D5F:				; CODE XREF: BgpBcInitializeCriticalMode+194j
					; BgpBcInitializeCriticalMode+1CAj ...
		cmp	[ebp+var_8], 0
		jz	short loc_AF2D6D
		mov	ecx, [ebp+var_8]
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_AF2D6D:				; CODE XREF: BgpBcInitializeCriticalMode+10FFj
		test	esi, esi
		jz	short loc_AF2D78
		mov	ecx, esi
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)

loc_AF2D78:				; CODE XREF: BgpBcInitializeCriticalMode+110Bj
		mov	eax, dword_6D6C78
		test	eax, eax
		jz	loc_AF1F2B
		mov	ecx, eax
		call	_BgpDisplayCharacterDestroyContext@4 ; BgpDisplayCharacterDestroyContext(x)
		jmp	loc_AF1F2B
; END OF FUNCTION CHUNK	FOR BgpBcInitializeCriticalMode
; 
; START	OF FUNCTION CHUNK FOR BcpFindMessage

loc_AF2D91:				; CODE XREF: BcpFindMessage+1Dj
		cmp	esi, edi
		ja	short loc_AF2E0E
		jz	short loc_AF2E04
		add	esi, 0BEFF7FFAh
		cmp	esi, 11h
		ja	loc_AF2E83
		movzx	eax, ds:byte_AF2EC5[esi]
		jmp	ds:off_AF2EA1[eax*4]

loc_AF2DB4:				; DATA XREF: INIT:off_AF2EA1o
		mov	edx, offset a1	; "1"
		jmp	loc_AF202E
; 

loc_AF2DBE:				; CODE XREF: BcpFindMessage+DE3j
					; DATA XREF: INIT:00AF2EA5o
		mov	edx, offset aWeReJustColl_1 ; "We're just collecting some error info, "...
		jmp	loc_AF202E
; 

loc_AF2DC8:				; CODE XREF: BcpFindMessage+DE3j
					; DATA XREF: INIT:00AF2EA9o
		mov	edx, offset aWeLlRestartFor ; "We'll restart for you."
		jmp	loc_AF202E
; 

loc_AF2DD2:				; CODE XREF: BcpFindMessage+DE3j
					; DATA XREF: INIT:00AF2EADo
		mov	edx, offset aYouCanRestart_ ; "You can restart."
		jmp	loc_AF202E
; 

loc_AF2DDC:				; CODE XREF: BcpFindMessage+DE3j
					; DATA XREF: INIT:00AF2EB1o
		mov	edx, offset aWhatFailed	; "What	failed:"
		jmp	loc_AF202E
; 

loc_AF2DE6:				; CODE XREF: BcpFindMessage+DE3j
					; DATA XREF: INIT:00AF2EB5o
		mov	edx, offset aStopCode ;	"Stop Code:"
		jmp	loc_AF202E
; 

loc_AF2DF0:				; CODE XREF: BcpFindMessage+DE3j
					; DATA XREF: INIT:00AF2EB9o
		mov	edx, offset aForMoreInforma ; "For more	information about this issue a"...
		jmp	loc_AF202E
; 

loc_AF2DFA:				; CODE XREF: BcpFindMessage+DE3j
					; DATA XREF: INIT:00AF2EBDo
		mov	edx, offset aYourWindowsIns ; "Your Windows Insider Build ran into a p"...
		jmp	loc_AF202E
; 

loc_AF2E04:				; CODE XREF: BcpFindMessage+DCBj
		mov	edx, offset aHttpsWww_windo ; "https://www.windows.com/stopcode"
		jmp	loc_AF202E
; 

loc_AF2E0E:				; CODE XREF: BcpFindMessage+DC9j
		mov	eax, 0C1008003h
		cmp	esi, eax
		ja	short loc_AF2E6B
		jz	short loc_AF2E61
		cmp	esi, 41008019h
		jz	short loc_AF2E57
		cmp	esi, 41008020h
		jz	short loc_AF2E4D
		cmp	esi, 41008021h
		jz	short loc_AF2E43
		cmp	esi, 0C1008001h
		jnz	short loc_AF2E83
		mov	edx, offset aYourDeviceRanI ; "Your device ran into a problem and need"...
		jmp	loc_AF202E
; 

loc_AF2E43:				; CODE XREF: BcpFindMessage+E65j
		mov	edx, offset aItIsNowSafeToP ; "It is now safe to power off the system."...
		jmp	loc_AF202E
; 

loc_AF2E4D:				; CODE XREF: BcpFindMessage+E5Dj
		mov	edx, offset aWeJustNeedAFew ; "We just need a few more seconds to shut"...
		jmp	loc_AF202E
; 

loc_AF2E57:				; CODE XREF: BcpFindMessage+E55j
		mov	edx, offset aPleaseReleaseT ; "Please release the power	button."
		jmp	loc_AF202E
; 

loc_AF2E61:				; CODE XREF: BcpFindMessage+E4Dj
		mov	edx, offset aIfYouCallASupp ; "If you call a support person, give them"...
		jmp	loc_AF202E
; 

loc_AF2E6B:				; CODE XREF: BcpFindMessage+E4Bj
		cmp	esi, 0C1008008h
		jz	short loc_AF2E94
		cmp	esi, 0C1008012h
		jz	short loc_AF2E8A
		cmp	esi, 0C1008013h
		jz	short loc_AF2E8A

loc_AF2E83:				; CODE XREF: BcpFindMessage+DD6j
					; BcpFindMessage+DE3j ...
		xor	edx, edx
		jmp	loc_AF202E
; 

loc_AF2E8A:				; CODE XREF: BcpFindMessage+EAFj
					; BcpFindMessage+EB7j
		mov	edx, offset a1Complete ; "%1% complete"
		jmp	loc_AF202E
; 

loc_AF2E94:				; CODE XREF: BcpFindMessage+EA7j
		mov	edx, offset aWeReJustCollec ; "We're just collecting some error info, "...
		jmp	loc_AF202E
; END OF FUNCTION CHUNK	FOR BcpFindMessage
; 
		dw 498Dh
		db 0
off_AF2EA1	dd offset loc_AF2DB4	; DATA XREF: BcpFindMessage+DE3r
		dd offset loc_AF2DBE
		dd offset loc_AF2DC8
		dd offset loc_AF2DD2
		dd offset loc_AF2DDC
		dd offset loc_AF2DE6
		dd offset loc_AF2DF0
		dd offset loc_AF2DFA
		dd offset loc_AF2E83
byte_AF2EC5	db 0			; DATA XREF: BcpFindMessage+DDCr
		dw 808h
		dd 8080801h, 2080808h, 4080803h
		db 5, 6, 7
; 
; START	OF FUNCTION CHUNK FOR BgpFoInitialize

loc_AF2ED7:				; CODE XREF: BgpFoInitialize+43j
		mov	edi, 0C0000017h
		jmp	loc_AF2134
; 

loc_AF2EE1:				; CODE XREF: BgpFoInitialize+7Dj
		or	dword ptr [esi+14h], 1
		lea	eax, [ebp+var_4]
		push	eax		; void *
		push	4
		pop	edx
		mov	ecx, ebx
		call	_FioFwReadUlongAtOffset@12 ; FioFwReadUlongAtOffset(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AF2140
		cmp	[ebp+var_4], 10000h
		jz	short loc_AF2F19
		cmp	[ebp+var_4], 20000h
		jz	short loc_AF2F19
		mov	edi, 0C000007Bh
		jmp	loc_AF2140
; 

loc_AF2F19:				; CODE XREF: BgpFoInitialize+E84j
					; BgpFoInitialize+E8Dj
		lea	eax, [esi+0Ch]
		mov	ecx, ebx
		push	eax		; void *
		push	8
		pop	edx
		call	_FioFwReadUlongAtOffset@12 ; FioFwReadUlongAtOffset(x,x,x)
		mov	edi, eax
		test	edi, edi
		js	loc_AF2140
		jmp	loc_AF210A
; END OF FUNCTION CHUNK	FOR BgpFoInitialize
; 
; START	OF FUNCTION CHUNK FOR FopInitializeFonts

loc_AF2F36:				; CODE XREF: FopInitializeFonts+5Ej
		mov	edx, [ebp+var_8]
		lea	eax, [ebp+var_C]
		mov	ecx, [ebx+8]
		push	eax		; void *
		call	_FioFwReadUlongAtOffset@12 ; FioFwReadUlongAtOffset(x,x,x)
		test	eax, eax
		js	loc_AF2240
		mov	edx, [ebp+var_C]
		jmp	loc_AF21AE
; END OF FUNCTION CHUNK	FOR FopInitializeFonts
; 
; START	OF FUNCTION CHUNK FOR FopReadMappingTable

loc_AF2F55:				; CODE XREF: FopReadMappingTable+4Fj
					; FopReadMappingTable+5Aj
		inc	ecx
		add	eax, 8
		cmp	ecx, edx
		jb	loc_AF244D

loc_AF2F61:				; CODE XREF: FopReadMappingTable+45j
					; FopReadMappingTable+65j
		mov	edi, 0C0000225h
		jmp	loc_AF252A
; 

loc_AF2F6B:				; CODE XREF: FopReadMappingTable+94j
		mov	edi, 0C0000017h
		jmp	loc_AF252A
; 

loc_AF2F75:				; CODE XREF: FopReadMappingTable+C8j
		mov	edi, 0C0000017h
		jmp	loc_AF2523
; END OF FUNCTION CHUNK	FOR FopReadMappingTable
; 
; START	OF FUNCTION CHUNK FOR FopReadCmapTable

loc_AF2F7F:				; CODE XREF: FopReadCmapTable+6Ej
		mov	esi, 0C000007Bh
		jmp	loc_AF26F0
; 

loc_AF2F89:				; CODE XREF: FopReadCmapTable+7Ej
		mov	eax, [ebp+var_20]
		movzx	ebx, ax
		mov	[ebp+var_18], ebx
		jmp	loc_AF269E
; END OF FUNCTION CHUNK	FOR FopReadCmapTable
; 
; START	OF FUNCTION CHUNK FOR FopValidateFontNameTable

loc_AF2F97:				; CODE XREF: FopValidateFontNameTable+BEj
		mov	edi, 0C0000017h
		jmp	loc_AF2878
; 

loc_AF2FA1:				; CODE XREF: FopValidateFontNameTable+E6j
					; FopValidateFontNameTable:loc_AF2872j
		mov	eax, [ebp+var_4]
		test	eax, eax
		jz	loc_AF2878
		mov	ecx, eax
		call	_BgpFwFreeMemory@4 ; BgpFwFreeMemory(x)
		jmp	loc_AF2878
; END OF FUNCTION CHUNK	FOR FopValidateFontNameTable
; 
; START	OF FUNCTION CHUNK FOR FopReadNamingTable

loc_AF2FB8:				; CODE XREF: FopReadNamingTable+7Dj
		mov	eax, [ebp+var_20]
		movzx	ebx, ax
		mov	[ebp+var_20], ebx
		jmp	loc_AF293D
; END OF FUNCTION CHUNK	FOR FopReadNamingTable

;  S U B	R O U T	I N E 

; Attributes: bp-based frame

; __stdcall BcpDisplayEarlyBugCheckScreen(x, x,	x)
_BcpDisplayEarlyBugCheckScreen@12 proc near
					; CODE XREF: BgpFwDisplayBugCheckScreen(x,x,x,x,x)+46p

var_14		= dword	ptr -14h
var_10		= dword	ptr -10h
var_C		= dword	ptr -0Ch
var_8		= dword	ptr -8
var_4		= dword	ptr -4
arg_0		= dword	ptr  8

		mov	edi, edi
		push	ebp
		mov	ebp, esp
		sub	esp, 14h
		push	esi
		mov	[ebp+var_C], edx
		mov	[ebp+var_8], ecx
		call	_BgConsoleGetInterface@4 ; BgConsoleGetInterface(x)
		mov	esi, eax
		mov	[ebp+var_4], esi
		test	esi, esi
		jz	loc_AF3133
		push	ebx
		xor	ebx, ebx
		push	ebx
		push	0FF000000h
		push	0FFFFFFFFh
		push	2
		call	dword ptr [esi]
		test	eax, eax
		js	loc_AF312B
		push	edi
		call	dword ptr [esi+4]
		push	offset ??_C@_1EA@NCBJHMMM@?$AAY?$AAo?$AAu?$AAr?$AA?5?$AAd?$AAe?$AAv?$AAi?$AAc?$AAe?$AA?5?$AAn?$AAe?$AAe@NKKEPPGN@
		call	dword ptr [esi+0Ch]
		push	(offset	loc_AF2CA5+1)
		call	dword ptr [esi+0Ch]
		push	offset ??_C@_1BI@CCLCLLGJ@?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAC?$AAo?$AAd?$AAe?$AA?3@NKKEPPGN@
		call	dword ptr [esi+0Ch]
		push	offset ??_C@_13HOIJIPNN@?$AA?5@NKKEPPGN@
		call	dword ptr [esi+0Ch]
		mov	edi, [ebp+arg_0]
		push	30h
		pop	ecx
		push	78h
		pop	edx
		push	16h
		pop	eax
		mov	[ebp+var_10], ecx
		mov	[ebp+var_14], 41h
		cmp	[edi+0Ah], ax
		jb	short loc_AF30A4
		mov	eax, [edi+0Ch]
		mov	esi, [ebp+var_8]
		push	2
		pop	ebx
		mov	[eax], cx
		mov	eax, [edi+0Ch]
		push	1Ch
		pop	ecx
		mov	[eax+2], dx

loc_AF3054:				; CODE XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+C0j
		mov	eax, [edi+0Ch]
		mov	edx, esi
		shr	edx, cl
		and	dl, 0Fh
		lea	eax, [eax+ebx*2]
		mov	[ebp+arg_0], eax
		cmp	dl, 0Ah
		jnb	short loc_AF306D
		push	30h
		jmp	short loc_AF3072
; 

loc_AF306D:				; CODE XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+A1j
		sub	dl, 0Ah
		push	41h

loc_AF3072:				; CODE XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+A5j
		movzx	eax, dl
		pop	edx
		add	ax, dx
		inc	ebx
		sub	ecx, 4
		movzx	edx, ax
		mov	eax, [ebp+arg_0]
		mov	[eax], dx
		jns	short loc_AF3054
		mov	eax, [edi+0Ch]
		xor	ecx, ecx
		mov	esi, [ebp+var_4]
		mov	[eax+ebx*2], cx
		push	dword ptr [edi+0Ch]
		call	dword ptr [esi+0Ch]
		push	offset ??_C@_15JNBOKNOG@?$AA?$AN?$AA?6@NKKEPPGN@
		call	dword ptr [esi+0Ch]
		xor	ebx, ebx

loc_AF30A4:				; CODE XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+76j
		push	(offset	loc_AF2CF5+1)
		call	dword ptr [esi+0Ch]
		push	offset ??_C@_15JNBOKNOG@?$AA?$AN?$AA?6@NKKEPPGN@
		call	dword ptr [esi+0Ch]
		push	16h
		add	edi, 14h
		pop	eax

loc_AF30BA:				; CODE XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+162j
		cmp	[edi-2], ax
		jb	short loc_AF3121
		mov	eax, [edi]
		push	30h
		pop	ecx
		push	78h
		mov	[eax], cx
		mov	eax, [edi]
		pop	ecx
		push	2
		pop	edx
		push	1Ch
		mov	[eax+2], cx
		pop	ecx

loc_AF30D7:				; CODE XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+13Ej
		mov	eax, [ebp+var_C]
		mov	esi, [edi]
		mov	eax, [eax+ebx*4]
		shr	eax, cl
		and	al, 0Fh
		cmp	al, 0Ah
		jnb	short loc_AF30F0
		movzx	eax, al
		add	ax, word ptr [ebp+var_10]
		jmp	short loc_AF30F9
; 

loc_AF30F0:				; CODE XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+11Fj
		sub	al, 0Ah
		movzx	eax, al
		add	ax, word ptr [ebp+var_14]

loc_AF30F9:				; CODE XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+128j
		movzx	eax, ax
		mov	[esi+edx*2], ax
		inc	edx
		sub	ecx, 4
		jns	short loc_AF30D7
		mov	eax, [edi]
		xor	ecx, ecx
		mov	esi, [ebp+var_4]
		mov	[eax+edx*2], cx
		push	dword ptr [edi]
		call	dword ptr [esi+0Ch]
		push	offset ??_C@_15JNBOKNOG@?$AA?$AN?$AA?6@NKKEPPGN@
		call	dword ptr [esi+0Ch]
		push	16h
		pop	eax

loc_AF3121:				; CODE XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+F8j
		inc	ebx
		add	edi, 8
		cmp	ebx, 4
		jb	short loc_AF30BA
		pop	edi

loc_AF312B:				; CODE XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+32j
		mov	ecx, esi
		call	_BgConsoleDestroyInterface@4 ; BgConsoleDestroyInterface(x)
		pop	ebx

loc_AF3133:				; CODE XREF: BcpDisplayEarlyBugCheckScreen(x,x,x)+1Bj
		xor	eax, eax
		pop	esi
		leave
		retn	4
_BcpDisplayEarlyBugCheckScreen@12 endp

; 
		align 10h

??_C@_1DM@DCCFNFPF@?$AA?2?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAo?$AAo?$AAt?$AA?2?$AAS?$AAy?$AAs@EKOMKFNL@:
		pop	esp
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+5Ch], dh
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		xor	eax, [eax]
		xor	al, [eax]
		pop	esp
		add	[ebx+0], dh
		insd
		add	[ebx+0], dh
		jnb	short $+2
		add	cs:[ebp+0], ah
		js	short $+2
		add	gs:[eax], al
; 
		db 0
		align 10h

_NtInitialUserProcess:			; DATA XREF: StartFirstUserProcess+C0o
		cmp	al, [eax]
		cmp	al, 0
		inc	eax
; 
		db 31h,	0AFh, 0
; 

_CmpWindowsSysPartString:		; DATA XREF: CmpSetSystemValues+FAo
		sub	[eax], al
		sub	al, [eax]
		loopne	near ptr loc_AF31FB+3
		scasd

loc_AF318F:				; DATA XREF: CmpInitializeSystemBiosInformation(x)+E0o
		add	[edx], ah
		add	[eax+eax], ah

loc_AF3194:				; DATA XREF: CmpSetSystemValues+9Ao
		mov	esp, 2400AF70h
		add	[esi], ah

loc_AF319B:				; DATA XREF: CmpSetSystemValues+BDo
		add	[eax+esi*2+2000AFh], dl
		and	al, [eax]
		jo	short loc_AF3216
		scasd

loc_AF31A7:				; DATA XREF: CmpAddDockingInfo(x,x)+77o
		add	[eax], bl
		add	[edx], bl
		add	[eax+esi*2-51h], dl

loc_AF31AF:				; DATA XREF: CmpAddAliasEntry(x,x,x)+1DBo
		add	[edx], bl
		add	[eax+eax], bl
		cmp	[eax-51h], dh

loc_AF31B7:				; DATA XREF: CmpAddDockingInfo(x,x)+1Fo
		add	[eax], bl
		add	[edx], bl
		add	[eax+esi*2], bl
		scasd

loc_AF31BF:				; DATA XREF: CmpAddDockingInfo(x,x)+5Ao
		add	[eax+eax], cl
		push	cs
		add	[eax+esi*2], cl
		scasd

loc_AF31C7:				; DATA XREF: CmpCreateHardwareProfiles+2BBo
		add	[esi], bl
		add	[eax], ah
		add	ah, ch
		outsd
		scasd

loc_AF31CF:				; DATA XREF: CmpAddDockingInfo(x,x)+3Do
		add	[eax], bl
		add	[edx], bl
		add	al, dl
		outsd
		scasd

loc_AF31D7:				; DATA XREF: CmpAddAliasEntry(x,x,x)+7Bo
		add	[edx], cl
		add	[eax+eax], cl
		les	ebp, [edi-51h]

loc_AF31DF:				; DATA XREF: CmpSetSystemValues+11Ao
		add	[eax+eax], bl
		push	ds
; 
		db 0
		dd offset ??_C@_1BO@IJHFMHE@?$AAO?$AAs?$AAB?$AAo?$AAo?$AAt?$AAs?$AAt?$AAa?$AAt?$AAP?$AAa?$AAt?$AAh@EKOMKFNL@
; 

_CmpLastBootSucceededString:		; DATA XREF: CmpSetSystemValues+14Co
		and	al, [eax]
		and	al, 0
		sub	byte ptr [edi-51h], 0

_CmpLastBootShutdownString:		; DATA XREF: CmpSetSystemValues+182o
		and	[eax], al
		and	al, [eax]
		pop	esp
		outsd
		scasd

loc_AF31F7:				; DATA XREF: CmpCreateObjectTypes()+4Bo
		add	[esi], al
		add	[eax], cl

loc_AF31FB:				; CODE XREF: INIT:00AF318Cj
					; INIT:00AF324Dj
		add	[edi+ebp*2-51h], dl

loc_AF31FF:				; DATA XREF: CmpMigrateOOBELanguageToInstallationLanguage+1DBC1o
		add	[esi], bl
		add	[eax], ah
		add	[edi+ebp*2], dh
		scasd

loc_AF3207:				; DATA XREF: CmpSetSystemValues+DAo
		add	[eax+eax], ah
		add	es:[edi+ebp*2],	cl
		scasd

loc_AF320F:				; DATA XREF: CmpSetSystemValues+1DCBAo
		add	[eax+eax], ah
		db	26h
		add	ah, ah
		outsb

loc_AF3216:				; CODE XREF: INIT:00AF31A4j
		scasd

loc_AF3217:				; DATA XREF: CmpSetNetworkValue(x)+5Ao
		add	[edx], bl
		add	[eax+eax], bl
		enter	0FFFFAF6Eh, 0

_CmpCurrentControlSetControlPxePathString: ; DATA XREF:	CmpSetNetworkValue(x)+3Ao
		insb
		add	[esi+0], ch
		pop	eax
		outsb
		scasd

loc_AF3227:				; DATA XREF: CmpMigrateOOBELanguageToInstallationLanguage+1DB64o
		add	[esi+0], bh
		add	byte ptr [eax],	0D8h ; CmInitBootFeatureConfigurations(x)
		insd
		scasd

loc_AF322F:				; DATA XREF: CmpCreateControlSet+1CCo
		add	[edx], ah
		add	[eax+eax], ah
		mov	al, 6Dh

loc_AF3236:				; CODE XREF: INIT:00AF3285j
		scasd

loc_AF3237:				; DATA XREF: CmpSetSystemValues+6Do
		add	[eax+eax+66h], ah
		add	[eax+6Dh], cl
		scasd

loc_AF323F:				; DATA XREF: CmpSetNetworkValue(x)+76o
		add	[esi], bl
		add	[eax], ah
		add	[eax], ch
		insd
		scasd
		add	[eax+eax], ah
		db	26h
		add	ah, cl
		jns	short near ptr loc_AF31FB+3
		add	[eax+eax], cl
		push	cs
		add	[ecx+edi*2], ch
		scasd
		add	[esi], bl
		add	[eax], ah
		add	[ecx+edi*2], cl
		scasd
		add	[esi], ch
		add	[eax], dh
		add	[ecx+edi*2-51h], dh ; CODE XREF: INIT:00AF32B5j
		add	[esi], dh
		add	[eax], bh
		add	[ecx+edi*2], bh
		scasd
		add	[edx], al
		add	[eax+eax], al
		sub	[esi-51h], dh
		add	[esi], bl
		add	[eax], ah
		add	[eax+edi*2+1C00AFh], bl
		push	ds
		add	ah, ch
		js	short loc_AF3236
		add	[edx], cl
		add	[eax+eax], cl
		loopne	loc_AF3306
		scasd
		add	[eax+eax], bl
		push	ds
		add	[eax+78h], dl
		scasd
		add	[esi], dl
		add	[eax], bl
		add	[eax+edi*2+600AFh], al
		or	[eax], al
		jl	short near ptr loc_AF331B+3
		scasd
		add	[eax], ah
		add	[edx], ah

loc_AF32AB:				; CODE XREF: INIT:00AF32FDj
					; DATA XREF: CmpIsLoadType:loc_ACB7DCo	...
		add	[eax+edi*2+0A00AFh], bh
		or	al, 0
		cld
		ja	short near ptr loc_AF3263+3
		add	[edx], bl
		add	[eax+eax], bl
		xor	al, 78h
		scasd

loc_AF32BF:				; DATA XREF: CmpAddDriverToList+33Do
		add	[esi], al
		add	[eax], cl
		add	[eax+edi*2], ch
		scasd

loc_AF32C7:				; DATA XREF: CmpIsLoadType+1AF12o
		add	[eax], cl
		add	[edx], cl
		add	[eax+78h], dh
		scasd
		add	[esi], bl
		add	[eax], ah
		add	[eax+77h], ch

loc_AF32D6:				; CODE XREF: INIT:00AF3325j
		scasd
		add	[edx], ah
		add	[eax+eax], ah
		fdiv	dword ptr [edi-51h] ; CODE XREF: INIT:00AF332Dj
		add	[eax], ah
		add	[edx], ah
		add	[edi+esi*2+2000AFh], dh
		and	al, [eax]
		or	[eax-51h], bh
		add	[edx], ah
		add	[eax+eax], ah
		aam	76h

loc_AF32F6:				; CODE XREF: INIT:00AF3345j
		scasd
		add	[eax+eax], ch
		add	cs:[eax], bh
		ja	short near ptr loc_AF32AB+3
		add	[edx], ah
		add	[eax+eax], ah
		adc	al, 77h

loc_AF3306:				; CODE XREF: INIT:00AF328Cj
		scasd
		add	[eax], ch
		add	[edx], ch
; 
		db 0
		dd offset ??_C@_1CK@MAPACCND@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAS?$AAe?$AAt?$AAt?$AAi?$AAn?$AAg@EKOMKFNL@
; 

_CmpServiceWildcardString:		; DATA XREF: CmpIsLoadType+1AF66o
		add	al, [eax]
		add	al, 0
		sub	[esi-51h], dh
		add	[esi], bl
		add	[eax], ah

loc_AF331B:				; CODE XREF: INIT:00AF32A4j
					; INIT:00AF336Dj
					; DATA XREF: ...
		add	byte_7000AF[esi+esi*2],	dh
		jb	short $+2
		inc	eax
		jbe	short loc_AF32D6

loc_AF3327:				; DATA XREF: CmpFindRedirectedDriverServiceStateNode+1BCE5o
		add	[eax], bl
		add	[edx], bl
		add	al, bh
		jbe	short near ptr loc_AF32DC+2
		add	[edx], cl
		add	[eax+eax], cl
		mov	esp, 0A00AF75h	; CODE XREF: INIT:00AF3385j
		add	[eax+eax], cl
		sbb	al, 76h
		scasd

loc_AF333F:				; DATA XREF: CmpSortDriverList+6Fo
		add	[edx], ah
		add	[eax+eax], ah
		clc
		jnz	short loc_AF32F6

loc_AF3347:				; DATA XREF: CmpLoadServicesNode(x,x,x,x)+20o
					; CmpLoadManufacturingProfileServicesNode(x,x,x,x,x)+31o
		add	[eax], dl
		add	[edx], dl
		add	[esi+esi*2], ch
		scasd
		add	[eax], cl
		add	[edx], cl
		add	[eax+0A00AF75h], al
		add	[eax+eax], cl
		mov	al, 75h
		scasd
		add	[eax+eax], dl
		push	ss
		add	[eax+2E00AF75h], bl
		add	[eax], dh
		add	al, cl
		jnz	short near ptr loc_AF331B+3 ; CODE XREF: INIT:00AF33BDj
		add	[eax], cl
		add	[edx], cl
		add	ds:600AFh[esi*2], ch ; CODE XREF: INIT:00AF33C5j
		or	[eax], al
		js	short loc_AF33F3

loc_AF337E:				; CODE XREF: INIT:00AF33CDj
		scasd
		add	[edx], bl
		add	[eax+eax], bl
		pop	esp
		jnz	short near ptr loc_AF3334+2 ; CODE XREF: INIT:00AF33D5j
		add	[eax], cl
		add	[edx], cl
		add	[ebp+esi*2+2200AFh], cl
		and	al, 0
		loopne	near ptr loc_AF3409+1
		scasd
		add	[edx], bl
		add	[eax+eax], bl
		adc	[ebp-51h], dh

loc_AF339F:				; DATA XREF: CmpSortDriverList+A0o
		add	[eax], cl
		add	[edx], cl

loc_AF33A3:				; DATA XREF: CmpLoadManufacturingModeNode(x,x,x,x)+53o
		add	ds:2200AFh[esi*2], al
		and	al, 0
		cmp	[ebp-51h], dh

loc_AF33AF:				; DATA XREF: CmpAddDriverToList+EBo
		add	[edx], dl
		add	[eax+eax], dl
		test	al, 74h

loc_AF33B6:				; CODE XREF: INIT:00AF3405j
		scasd
		add	[esi], cl
		add	[eax], dl
		add	al, dl
		jz	short near ptr loc_AF336D+1

loc_AF33BF:				; DATA XREF: CmpFindRedirectedDriverServiceStateNode+1BC85o
		add	[eax], cl
		add	[edx], cl
		add	ah, al
		jz	short near ptr loc_AF3373+3 ; CODE XREF: INIT:00AF3415j

loc_AF33C7:				; DATA XREF: CmpFindGroupOrderList(x,x)+4Ao
		add	[eax+eax], bl
		push	ds
		add	[eax], bh
		jz	short loc_AF337E

loc_AF33CF:				; DATA XREF: CmpAddDriverToList+2AFo
		add	[edx], cl
		add	[eax+eax], cl
		pushf
		jz	short near ptr loc_AF3385+1 ; CODE XREF: INIT:00AF3425j
		add	[eax+eax], bl
		push	ds
		add	[esp+esi*2-51h], bh ; CODE XREF: INIT:00AF342Dj
		add	[eax+eax], al
		push	es

loc_AF33E3:				; CODE XREF: INIT:00AF3435j
					; DATA XREF: CmpAddDriverToList+251o
		add	[esp+esi*2+1800AFh], bh
		sbb	al, [eax]
		aam	73h

loc_AF33EE:				; CODE XREF: INIT:00AF343Dj
		scasd
		add	[eax], dl
		add	[edx], dl

loc_AF33F3:				; CODE XREF: INIT:00AF337Cj
		add	[esp+esi*2], ah
		scasd
		add	[edx], ah
		add	[eax+eax], ah
		add	[edi+ebp*4+0], dh

_CmpGroupAssignmentString:
		and	[eax], al
		and	al, [eax]
		pop	eax
		jz	short loc_AF33B6 ; CODE	XREF: INIT:00AF3455j
		add	[edx], ah

loc_AF3409:				; CODE XREF: INIT:00AF3394j
		add	[eax+eax], ah
		js	short loc_AF3481
		scasd
		add	[esi], cl
		add	[eax], dl
		add	ah, al
		jnb	short near ptr loc_AF33C5+1 ; CODE XREF: INIT:00AF3465j
		add	[esi], dl
		add	[eax], bl
		add	[ebx+esi*2+0C00AFh], ch
		push	cs
		add	al, dh
		jnb	short near ptr loc_AF33D5+1
		add	[esi], bl
		add	[eax], ah
		add	al, dh
		jb	short near ptr loc_AF33DB+3
		add	[edx], ah
		add	[eax+eax], ah
		push	esp
		jnb	short near ptr loc_AF33E3+3 ; CODE XREF: INIT:00AF3485j
		add	[eax], ah
		add	[edx], ah
		add	[eax], dh
		jnb	short loc_AF33EE

loc_AF343F:				; DATA XREF: CmpIsLoadType+1AF5Fo
		add	[esi], cl
		add	[eax], dl

loc_AF3443:				; DATA XREF: CmpGetKnownHivePathNode(x,x,x,x,x,x,x,x)+62o
		add	[ebx+esi*2+0E00AFh], bl
		adc	[eax], al
		jl	short near ptr loc_AF34BF+1
		scasd

loc_AF344F:				; DATA XREF: CmpAddDriverToList+31Ao
		add	[esi], bl
		add	[eax], ah
		add	al, dl
		jb	short near ptr loc_AF3405+1 ; CODE XREF: INIT:00AF34A5j

loc_AF3457:				; DATA XREF: CmpFindRedirectedDriverServiceStateNode+1BCB3o
		add	[esi], bl
		add	[eax], ah
		add	[eax+1E00AF72h], dh
		add	[eax], ah
		add	[eax], dl
		jnb	short near ptr loc_AF3415+1
		add	[eax], bl
		add	[edx], bl
		add	[edx+esi*2], bh
		scasd
		add	[eax], ah
		add	[edx], ah

loc_AF3473:				; DATA XREF: CmpFindHiveSubKey+4Eo
		add	[edx+esi*2+2200AFh], cl
		and	al, 0
		mov	al, 6Dh
		scasd
		add	[eax], dl

loc_AF3481:				; CODE XREF: INIT:00AF340Cj
		add	[edx], dl
		add	ah, ch
		jno	short near ptr loc_AF3435+1
		add	[edx], ch
		add	[eax+eax], ch
		adc	[edx-51h], dh
		add	[eax], dl
		add	[edx], dl
		add	[eax+72h], bl
		scasd
		add	[eax+eax], ch
		add	cs:[eax+1E00AF71h], al
		add	[eax], ah
		add	ah, cl
		jno	short near ptr loc_AF3455+1
		add	[edx], dl
		add	[eax+eax], dl

loc_AF34AC:				; DATA XREF: CmpAddDriverToList+1A5o
		mov	eax, 2400AF71h
		add	[esi], ah
		add	[ecx+esi*2], cl
		scasd

loc_AF34B7:				; DATA XREF: CmpAddDriverToList+1CFo
		add	[eax], bh
		add	[edx], bh
		add	[ecx+esi*2-51h], al

loc_AF34BF:				; CODE XREF: INIT:00AF344Cj
					; DATA XREF: CmpFindDrivers+EEo ...
		add	[eax+eax], cl
		push	cs
		add	[ecx+esi*2], dh
		scasd
		add	[esi], al
		add	[eax], cl

loc_AF34CB:				; DATA XREF: CmpFindGroupOrderList(x,x)+20o
					; CmpSortDriverList+3Eo ...
		add	[eax+0E00AF71h], dh
		add	[eax], dl
; 
		db 0
		dd offset ??_C@_1BA@JGFNDEFA@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@EKOMKFNL@
; 

_CmpControlSetOverride:			; DATA XREF: CmpCreateControlSetOverride(x)+F9o
		and	al, 0

loc_AF34DA:				; DATA XREF: CmpGetSystemControlValues+37o
					; CmpGetSystemControlValues+172r
		add	es:[ecx+edi*2+76B400AFh], ah
		scasd
		add	[edx+edi*2], bl
		scasd
		add	[eax+47h], dl
		insb
; 
		db 0
		dd 3 dup(0)
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CG@FFOEBBPF@?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AAM@EKOMKFNL@
		dd offset _ObpObjectSecurityMode
		align 10h
		dd offset ??_C@_17ENFNLCDF@?$AAL?$AAS?$AAA@EKOMKFNL@
		dd offset ??_C@_1CK@JDMEECLM@?$AAA?$AAu?$AAd?$AAi?$AAt?$AAB?$AAa?$AAs?$AAe?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt@EKOMKFNL@
		dd offset _ObpAuditBaseDirectories
		dd 3 dup(0)
		dd offset ??_C@_17ENFNLCDF@?$AAL?$AAS?$AAA@EKOMKFNL@
		dd offset ??_C@_1CC@MBGHAOD@?$AAA?$AAu?$AAd?$AAi?$AAt?$AAB?$AAa?$AAs?$AAe?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt@EKOMKFNL@
		dd offset _ObpAuditBaseObjects
		align 10h
		dd offset ??_C@_1BE@NJDEJMON@?$AAL?$AAS?$AAA?$AA?2?$AAa?$AAu?$AAd?$AAi?$AAt@EKOMKFNL@
		dd offset ??_C@_1CO@DHIOJFAB@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAA?$AAc?$AAc?$AAe?$AAs?$AAs?$AAe?$AAs@EKOMKFNL@
		dd offset _SepProcessAccessesToAudit
		dd 3 dup(0)
		dd offset ??_C@_1CI@GMLPCOJB@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@EKOMKFNL@
		dd offset ??_C@_1BO@EAFFNCKE@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAT?$AAi?$AAm?$AAe?$AAB?$AAi?$AAa?$AAs@EKOMKFNL@
		dd offset dword_717B74
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1CI@GMLPCOJB@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@EKOMKFNL@
		dd offset ??_C@_19PDLMCIAJ@?$AAB?$AAi?$AAa?$AAs@EKOMKFNL@
		dd offset _ExpAltTimeZoneBias
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1CI@GMLPCOJB@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@EKOMKFNL@
		dd offset ??_C@_1CI@GACLFHFI@?$AAR?$AAe?$AAa?$AAl?$AAT?$AAi?$AAm?$AAe?$AAI?$AAs?$AAU?$AAn?$AAi?$AAv?$AAe@EKOMKFNL@
		dd offset _ExpRealTimeIsUniversal
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BG@OGBFMEDC@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AAF?$AAl?$AAa?$AAg@EKOMKFNL@
		dd offset _CmNtGlobalFlag
		dd 3 dup(0)
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BI@CLFLIEOH@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AAF?$AAl?$AAa?$AAg?$AA2@EKOMKFNL@
		dd offset _CmNtGlobalFlag2
		align 10h
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@OODOIMLG@?$AAC?$AAW?$AAD?$AAI?$AAl?$AAl?$AAe?$AAg?$AAa?$AAl?$AAI?$AAn?$AAD?$AAL?$AAL@EKOMKFNL@
		dd offset _PspCurDirDevicesSkippedForDlls
		dd 3 dup(0)
		dd offset ??_C@_1DK@PIPBJCAA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DO@JLOIIPHD@?$AAA?$AAp?$AAp?$AAl?$AAi?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAB?$AAl?$AAo?$AAc@EKOMKFNL@
		dd offset _PspJobNoWakeChargeLimit
		align 10h
		dd offset ??_C@_1DK@PIPBJCAA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AF7C73+1
		dd offset _PspSystemNoWakeChargeLimit
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BO@IGDMFFA@?$AAP?$AAa?$AAg?$AAe?$AAd?$AAP?$AAo?$AAo?$AAl?$AAQ?$AAu?$AAo?$AAt?$AAa@EKOMKFNL@
		dd offset unk_A9455C
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@NAICKCLE@?$AAN?$AAo?$AAn?$AAP?$AAa?$AAg?$AAe?$AAd?$AAP?$AAo?$AAo?$AAl?$AAQ?$AAu?$AAo@EKOMKFNL@
		dd offset _PspDefaultResourceLimits
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CA@OFCCNLFJ@?$AAP?$AAa?$AAg?$AAi?$AAn?$AAg?$AAF?$AAi?$AAl?$AAe?$AAQ?$AAu?$AAo?$AAt?$AAa@EKOMKFNL@
		dd offset unk_A94560
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@MGPMLEDB@?$AAW?$AAo?$AAr?$AAk?$AAi?$AAn?$AAg?$AAS?$AAe?$AAt?$AAP?$AAa?$AAg?$AAe?$AAs@EKOMKFNL@
		dd offset unk_A94564
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@IPKNCGG@?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAP?$AAr?$AAe?$AAf?$AAe@EKOMKFNL@
		dd offset dword_7051C8
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BM@FCEHOMH@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy@EKOMKFNL@
		dd offset _MmDynamicPfn
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BE@MMFNEPDK@?$AAM?$AAi?$AAr?$AAr?$AAo?$AAr?$AAi?$AAn?$AAg@EKOMKFNL@
		dd offset dword_7051BC
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BG@CEGPHGFI@?$AAM?$AAo?$AAv?$AAe?$AAI?$AAm?$AAa?$AAg?$AAe?$AAs@EKOMKFNL@
		dd offset _MmRegistryState
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CC@KPMBFFK@?$AAL?$AAa?$AAr?$AAg?$AAe?$AAP?$AAa?$AAg?$AAe?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@EKOMKFNL@
		dd offset _MmLargePageDriverBuffer
		dd offset _MmLargePageDriverBufferLength
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CG@NHIOIKKP@?$AAL?$AAo?$AAw?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh@EKOMKFNL@
		dd offset dword_7051E8
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CI@IKEANOOE@?$AAH?$AAi?$AAg?$AAh?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAT?$AAh?$AAr?$AAe?$AAs@EKOMKFNL@
		dd offset dword_7051EC
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@MAOAIMAG@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAP?$AAa?$AAg?$AAe?$AAC?$AAo?$AAm?$AAb@EKOMKFNL@
		dd offset byte_7051B0
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AF7E67+1
		dd offset byte_7051AC
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AF7E4B+1
		dd offset unk_7051C0
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@CKMOFIPJ@?$AAM?$AAo?$AAd?$AAi?$AAf?$AAi?$AAe?$AAd?$AAW?$AAr?$AAi?$AAt?$AAe?$AAM?$AAa@EKOMKFNL@
		dd offset dword_7051C4
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@OFANJOFF@?$AAN?$AAo?$AAn?$AAP?$AAa?$AAg?$AAe?$AAd?$AAP?$AAo?$AAo?$AAl?$AAL?$AAi?$AAm@EKOMKFNL@
		dd offset _MmNonPagedPoolLimit
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BO@DNOMPJLB@?$AAP?$AAa?$AAg?$AAe?$AAd?$AAP?$AAo?$AAo?$AAl?$AAL?$AAi?$AAm?$AAi?$AAt@EKOMKFNL@
		dd offset _MmPagedPoolLimit
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CC@KBHPPOJK@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAC?$AAa?$AAc?$AAh?$AAe?$AAL?$AAi?$AAm?$AAi@EKOMKFNL@
		dd offset _MmSystemCacheLimit
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CA@JJLEAIDM@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAP?$AAt?$AAe?$AAs?$AAL?$AAi?$AAm?$AAi?$AAt@EKOMKFNL@
		dd offset _MmSystemPtesLimit
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@CIEOCMJD@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAS?$AAp?$AAa?$AAc?$AAe?$AAL?$AAi?$AAm@EKOMKFNL@
		dd offset _MmSessionSpaceLimit
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AF7F7F+1
		dd offset _PoolTrackTableSize
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@CEHMLOOP@?$AAP?$AAo?$AAo?$AAl?$AAT?$AAa?$AAg@EKOMKFNL@
		dd offset _MmSpecialPoolTag
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AF7FD3+1
		dd offset _MmSpecialPoolCatchOverruns
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CI@LPIFAHFA@?$AAP?$AAr?$AAo?$AAt?$AAe?$AAc?$AAt?$AAN?$AAo?$AAn?$AAP?$AAa?$AAg?$AAe?$AAd@EKOMKFNL@
		dd offset _MmProtectFreedNonPagedPool
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CC@DDDDJONN@?$AAT?$AAr?$AAa?$AAc?$AAk?$AAL?$AAo?$AAc?$AAk?$AAe?$AAd?$AAP?$AAa?$AAg?$AAe@EKOMKFNL@
		dd offset _MmTrackLockedPages
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BE@CJKNINII@?$AAT?$AAr?$AAa?$AAc?$AAk?$AAP?$AAt?$AAe?$AAs@EKOMKFNL@
		dd offset dword_7051B4
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@FGFJMEAL@?$AAP?$AAa?$AAg?$AAe?$AAV?$AAa?$AAl?$AAi?$AAd?$AAa?$AAt?$AAi?$AAo?$AAn?$AAA@EKOMKFNL@
		dd offset _MmPageValidationAction
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DA@NGIOLDMM@?$AAP?$AAa?$AAg?$AAe?$AAV?$AAa?$AAl?$AAi?$AAd?$AAa?$AAt?$AAi?$AAo?$AAn?$AAF@EKOMKFNL@
		dd offset _MmPageValidationFrequency
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CA@CKAJOIKN@?$AAF?$AAo?$AAr?$AAc?$AAe?$AAV?$AAa?$AAl?$AAi?$AAd?$AAa?$AAt?$AAe?$AAI?$AAo@EKOMKFNL@
		dd offset dword_7051B8
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CA@HPGAEJP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@EKOMKFNL@
		dd offset _VfOptionFlags
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CG@DDLHKNPN@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAi?$AAp?$AAD?$AAi?$AAs?$AAa@EKOMKFNL@
		dd offset _VerifierTipDisable
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DE@NLIDBPPN@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAN?$AAe?$AAw?$AAR?$AAu?$AAl?$AAe@EKOMKFNL@
		dd offset _VerifierNewRuleWorkaround
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@HEBPENNJ@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAI?$AAr?$AAp?$AAS?$AAt?$AAa?$AAc@EKOMKFNL@
		dd offset _IovIrpTracesLength
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@KOKAABFK@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAH?$AAa?$AAn?$AAd?$AAl?$AAe?$AAT@EKOMKFNL@
		dd offset _VfHandleTracingEntries
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AF8133+1
		dd offset _VfWdIrpTimeoutMsec
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@OMAJLJIP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAL?$AAe?$AAv@EKOMKFNL@
		dd offset _MmVerifyDriverLevel
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BM@JKLADBPD@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs@EKOMKFNL@
		dd offset _MmVerifyDriverBuffer
		dd offset _MmVerifyDriverBufferLength
		dd 0
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@MAPACCND@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAS?$AAe?$AAt?$AAt?$AAi?$AAn?$AAg@EKOMKFNL@
		dd offset _VfRuleClasses
		dd offset _VfRuleClassesSize
		dd 0
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CG@OMFLBEM@?$AAX?$AAd?$AAv?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAO?$AAp?$AAt?$AAi@EKOMKFNL@
		dd offset _VfFlightOptions
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BG@FKHICKAJ@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAM?$AAo?$AAd?$AAe@EKOMKFNL@
		dd offset _VfVerifyMode
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BK@BGGEFFAP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAT?$AAr?$AAi?$AAa?$AAg?$AAe@EKOMKFNL@
		dd offset _ViVerifyTriage
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@PPLGPGCB@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAT?$AAr?$AAi?$AAa?$AAg?$AAe?$AAR?$AAu?$AAl@EKOMKFNL@
		dd offset _ViVerifyTriageRules
		dd offset _ViVerifyTriageRulesSize
		dd 0
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@MHEDJDNG@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAF?$AAa?$AAu?$AAl?$AAt?$AAP?$AAr@EKOMKFNL@
		dd offset _VfFaultInjectionProbability
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@KHOJOKN@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAF?$AAa?$AAu?$AAl?$AAt?$AAB?$AAo@EKOMKFNL@
		dd offset _VfFaultInjectionBootMinutes
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DE@IAHJOFCH@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAF?$AAa?$AAu?$AAl?$AAt?$AAA?$AAp@EKOMKFNL@
		dd offset _VerifierFaultApplicationsBuffer
		dd offset _VerifierFaultApplicationsBufferSize
		dd 0
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@HNJACPIC@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAF?$AAa?$AAu?$AAl?$AAt?$AAT?$AAa@EKOMKFNL@
		dd offset _VerifierFaultTagsBuffer
		dd offset _VerifierFaultTagsBufferSize
		dd 0
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@KFCLOIKL@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAL?$AAw?$AAs?$AAp?$AAP?$AAo?$AAo@EKOMKFNL@
		dd offset _ViLwspPoolTags
		dd offset _ViLwspPoolTagsSize
		dd 0
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@JGABLCCH@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAR?$AAa?$AAn?$AAd?$AAo?$AAm?$AAT@EKOMKFNL@
		dd offset _VfRandomVerifiedDrivers
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DI@MPLMMFJA@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAi?$AAp?$AAL?$AAi?$AAm?$AAi@EKOMKFNL@
		dd offset _ViTipControlLimitDenominator
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DE@OKMGEIMP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAi?$AAp?$AAL?$AAi?$AAm?$AAi@EKOMKFNL@
		dd offset _ViTipControlLimitNumerator
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@EFDMDBJD@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAi?$AAp?$AAS?$AAp?$AAa?$AAr@EKOMKFNL@
		dd offset _ViTipControlSparseness
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@MEHIEDNP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAr?$AAi?$AAa?$AAg?$AAe?$AAC@EKOMKFNL@
		dd offset _VfTriageContext
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CI@OLDFCAEK@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAB?$AAT?$AAS?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr@EKOMKFNL@
		dd offset _ViVerifyBTSBufferSize
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@FCKBPIFI@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs?$AAS?$AAu@EKOMKFNL@
		dd offset _VfXdvSuppressDriversBuffer
		dd offset _VfXdvSuppressDriversBufferLength
		dd 0
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@DCPPHACC@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAP?$AAo?$AAo?$AAl?$AAT?$AAr?$AAa@EKOMKFNL@
		dd offset _VfPoolTracesLength
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DI@JHEJPBNI@?$AAD?$AAe?$AAa?$AAd?$AAl?$AAo?$AAc?$AAk?$AAR?$AAe?$AAc?$AAu?$AAr?$AAs?$AAi@EKOMKFNL@
		dd offset _ViRecursionDepthLimitFromRegistry
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@GCHOLFMB@?$AAD?$AAe?$AAa?$AAd?$AAl?$AAo?$AAc?$AAk?$AAS?$AAe?$AAa?$AAr?$AAc?$AAh?$AAN@EKOMKFNL@
		dd offset _ViSearchedNodesLimitFromRegistry
		dd 2 dup(0)
		dd 1
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DE@GMADOGDK@?$AAM?$AAi?$AAn?$AAi?$AAm?$AAu?$AAm?$AAS?$AAt?$AAa?$AAc?$AAk?$AAC?$AAo?$AAm@EKOMKFNL@
		dd offset dword_7051D0
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DE@PALPLDHP@?$AAW?$AAo?$AAr?$AAk?$AAi?$AAn?$AAg?$AAS?$AAe?$AAt?$AAS?$AAw?$AAa?$AAp?$AAS@EKOMKFNL@
		dd offset _PspOutSwapSharedPages
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DA@IBKCMACI@?$AAV?$AAm?$AAP?$AAa?$AAu?$AAs?$AAe?$AAO?$AAu?$AAt?$AAs?$AAw?$AAa?$AAp?$AAS@EKOMKFNL@
		dd offset _VmPauseOutswapSizeCapMB
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DK@LJINDFFG@?$AAR?$AAe?$AAm?$AAo?$AAt?$AAe?$AAF?$AAi?$AAl?$AAe?$AAD?$AAi?$AAr?$AAt?$AAy@EKOMKFNL@
		dd offset _CcRemoteFileDPInlineFlushThreshold
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@LPKMBGK@?$AAM?$AAa?$AAx?$AAL?$AAa?$AAz?$AAy?$AAW?$AAr?$AAi?$AAt?$AAe?$AAP?$AAa?$AAg@EKOMKFNL@
		dd offset _CcMaxLazyWritePagesOverride
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DG@LJJOLMFF@?$AAC?$AAa?$AAc?$AAh?$AAe?$AAU?$AAn?$AAm?$AAa?$AAp?$AAB?$AAe?$AAh?$AAi?$AAn@EKOMKFNL@
		dd offset _CcUnmapBehindLength
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@GAMHPGCI@?$AAT?$AAo?$AAp?$AAB?$AAo?$AAt?$AAt?$AAo?$AAm?$AAD?$AAP?$AAT?$AAE?$AAq?$AAu@EKOMKFNL@
		dd offset _CcAzure_TopBottomDPTEqual
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DO@NODDNLBC@?$AAL?$AAa?$AAz?$AAy?$AAW?$AAr?$AAi?$AAt?$AAe?$AAr?$AAP?$AAe?$AAr?$AAc?$AAe@EKOMKFNL@
		dd offset _CcAzure_LazyWriterPercentageOfNumProcs
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BO@EOPFHBP@?$AAL?$AAa?$AAr?$AAg?$AAe?$AAW?$AAr?$AAi?$AAt?$AAe?$AAS?$AAi?$AAz?$AAe@EKOMKFNL@
		dd offset _CcAzure_LargeWriteSize
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DI@BAEMBMNO@?$AAS?$AAo?$AAf?$AAt?$AAT?$AAh?$AAr?$AAo?$AAt?$AAt?$AAl?$AAe?$AAL?$AAa?$AAr@EKOMKFNL@
		dd offset _CcAzure_SoftThrottleLargeWriteAtPct
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@IOHKKG@?$AAS?$AAo?$AAf?$AAt?$AAT?$AAh?$AAr?$AAo?$AAt?$AAt?$AAl?$AAe?$AAD?$AAe?$AAl@EKOMKFNL@
		dd offset _CcAzure_SoftThrottleDelayInMs
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@GCEGNNPI@?$AAS?$AAi?$AAm?$AAu?$AAl?$AAa?$AAt?$AAe?$AAC?$AAo?$AAm?$AAm?$AAi?$AAt?$AAS@EKOMKFNL@
		dd offset dword_7051F0
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DE@IHMFEAPG@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAP?$AAa?$AAd?$AAS?$AAe?$AAc?$AAt?$AAi?$AAo@EKOMKFNL@
		dd offset unk_7051F8
		dd 3 dup(0)
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DM@PDKJOCBE@?$AAS?$AAp?$AAe?$AAc?$AAi?$AAa?$AAl?$AAP?$AAu?$AAr?$AAp?$AAo?$AAs?$AAe?$AAM@EKOMKFNL@
		dd offset _MmSpecialPurposeMemoryStartPage
		dd offset _MmSpecialPurposeMemoryStartPageValueSize
		align 10h
		dd offset ??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DE@PHBCLLGF@?$AAS?$AAp?$AAe?$AAc?$AAi?$AAa?$AAl?$AAP?$AAu?$AAr?$AAp?$AAo?$AAs?$AAe?$AAM@EKOMKFNL@
		dd offset _MmSpecialPurposeMemoryPages
		dd 3 dup(0)
		dd offset ??_C@_1DE@GGNOAJBP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EA@FEILHEOL@?$AAA?$AAd?$AAd?$AAi?$AAt?$AAi?$AAo?$AAn?$AAa?$AAl?$AAC?$AAr?$AAi?$AAt?$AAi@EKOMKFNL@
		dd offset _ExpAdditionalCriticalWorkerThreads
		align 10h
		dd offset ??_C@_1DE@GGNOAJBP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DO@PPCLEAKI@?$AAA?$AAd?$AAd?$AAi?$AAt?$AAi?$AAo?$AAn?$AAa?$AAl?$AAD?$AAe?$AAl?$AAa?$AAy@EKOMKFNL@
		dd offset _ExpAdditionalDelayedWorkerThreads
		dd 3 dup(0)
		dd offset ??_C@_1DE@GGNOAJBP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DG@GELAFLBI@?$AAM?$AAa?$AAx?$AAi?$AAm?$AAu?$AAm?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAW?$AAo@EKOMKFNL@
		dd offset _ExpMaximumKernelWorkerThreads
		align 10h
		dd offset ??_C@_1DE@GGNOAJBP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DK@IMCKMECJ@?$AAW?$AAo?$AAr?$AAk?$AAe?$AAr?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd?$AAT?$AAi?$AAm@EKOMKFNL@
		dd offset _ExpWorkerThreadTimeoutInSeconds
		dd 3 dup(0)
		dd offset ??_C@_1DE@GGNOAJBP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@BBANJFHC@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAW?$AAo?$AAr?$AAk?$AAe?$AAr?$AAT?$AAe?$AAs@EKOMKFNL@
		dd offset _ExpWorkerQueueTestFlags
		align 10h
		dd offset ??_C@_1DE@GGNOAJBP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EG@MCLNOCOB@?$AAW?$AAo?$AAr?$AAk?$AAe?$AAr?$AAF?$AAa?$AAc?$AAt?$AAo?$AAr?$AAy?$AAT?$AAh@EKOMKFNL@
		dd offset _ExpWorkerFactoryThreadCreationTimeoutInSeconds
		dd 3 dup(0)
		dd offset ??_C@_1DE@GGNOAJBP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DO@BMGNPFNP@?$AAW?$AAo?$AAr?$AAk?$AAe?$AAr?$AAF?$AAa?$AAc?$AAt?$AAo?$AAr?$AAy?$AAT?$AAh@EKOMKFNL@
		dd offset _ExpWorkerFactoryThreadIdleTimeoutInSeconds
		align 10h
		dd offset ??_C@_1DE@GGNOAJBP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DG@LLMOGBAG@?$AAF?$AAo?$AAr?$AAc?$AAe?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAM?$AAu?$AAt?$AAa@EKOMKFNL@
		dd offset _ExpForceEnableMutantAutoboost
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BG@ENKFBHBP@?$AAD?$AAP?$AAC?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@EKOMKFNL@
		dd offset _KiDPCTimeout
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@IEOAAJFD@?$AAD?$AAp?$AAc?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg?$AAP?$AAe?$AAr?$AAi@EKOMKFNL@
		dd offset _KeDpcWatchdogPeriod
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@PKHGIDHP@?$AAD?$AAp?$AAc?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg?$AAP?$AAr?$AAo?$AAf@EKOMKFNL@
		dd offset _KeDpcWatchdogProfileOffset
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@BOEKLBNH@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAD?$AAp?$AAc?$AAS?$AAc?$AAa?$AAl@EKOMKFNL@
		dd offset _KeVerifierDpcScalingFactor
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CA@MFKJFOCE@?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd?$AAD?$AAp?$AAc?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@EKOMKFNL@
		dd offset _KeThreadDpcEnable
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AF8B00+4
		dd offset _KiI386SEHOPEnabled
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BM@INBNPIKC@?$AAD?$AAp?$AAc?$AAQ?$AAu?$AAe?$AAu?$AAe?$AAD?$AAe?$AAp?$AAt?$AAh@EKOMKFNL@
		dd offset _KiMaximumDpcQueueDepth
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BO@NNJLCINI@?$AAM?$AAi?$AAn?$AAi?$AAm?$AAu?$AAm?$AAD?$AAp?$AAc?$AAR?$AAa?$AAt?$AAe@EKOMKFNL@
		dd offset _KiMinimumDpcRate
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DI@FAFGOAMG@?$AAM?$AAa?$AAx?$AAi?$AAm?$AAu?$AAm?$AAS?$AAh?$AAa?$AAr?$AAe?$AAd?$AAR?$AAe@EKOMKFNL@
		dd offset _KiMaximumSharedReadyQueueSize
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CG@CLKJBFLP@?$AAA?$AAd?$AAj?$AAu?$AAs?$AAt?$AAD?$AAp?$AAc?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh@EKOMKFNL@
		dd offset _KiAdjustDpcThreshold
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@JCKNBFDP@?$AAP?$AAa?$AAs?$AAs?$AAi?$AAv?$AAe?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg@EKOMKFNL@
		dd offset _KiPassiveWatchdogTimeout
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EE@DMNEKBAE@?$AAS?$AAc?$AAh?$AAe?$AAd?$AAu?$AAl?$AAe?$AAr?$AAA?$AAs?$AAs?$AAi?$AAs?$AAt@EKOMKFNL@
		dd offset _KiSchedulerAssistThreadFlagOverride
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@LCMPLHBA@?$AAS?$AAe?$AAr?$AAi?$AAa?$AAl?$AAi?$AAz?$AAe?$AAT?$AAi?$AAm?$AAe?$AAr?$AAE@EKOMKFNL@
		dd offset _KiSerializeTimerExpiration
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BG@CHDCBJBE@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAT?$AAs?$AAx@EKOMKFNL@
		dd offset _KiDisableTsx
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DG@FLFBDDAI@?$AAV?$AAp?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAW@EKOMKFNL@
		dd offset _KiVpThreadSystemWorkPriority
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BO@FMBDCCHJ@?$AAP?$AAe?$AAr?$AAf?$AAI?$AAs?$AAo?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAd@EKOMKFNL@
		dd offset _KiPerfIsoEnabled
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BO@BDBPCIGC@?$AAC?$AAa?$AAc?$AAh?$AAe?$AAI?$AAs?$AAo?$AAB?$AAi?$AAt?$AAm?$AAa?$AAp@EKOMKFNL@
		dd offset _KiCacheIsoBitmap
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BK@FNPPACOG@?$AAI?$AAd?$AAe?$AAa?$AAl?$AAD?$AAp?$AAc?$AAR?$AAa?$AAt?$AAe@EKOMKFNL@
		dd offset _KiIdealDpcRate
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@MKEAJFPJ@?$AAX?$AAM?$AAM?$AAI?$AAZ?$AAe?$AAr?$AAo?$AAi?$AAn?$AAg?$AAE?$AAn?$AAa?$AAb@EKOMKFNL@
		dd offset _KiXMMIZeroingEnable
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CI@BIDEDDAA@?$AAC?$AAa?$AAc?$AAh?$AAe?$AAE?$AAr?$AAr?$AAa?$AAt?$AAa?$AAO?$AAv?$AAe?$AAr@EKOMKFNL@
		dd offset _KiTLBCOverride
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@JGONJKFI@?$AAM?$AAa?$AAx?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAT?$AAi?$AAc?$AAk?$AAD@EKOMKFNL@
		dd offset _KiMaxDynamicTickDuration
		dd offset _KiMaxDynamicTickDurationSize
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EA@GNPIAFMM@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAE?$AAx?$AAc?$AAe?$AAp?$AAt?$AAi?$AAo@EKOMKFNL@
		dd offset _PspSehValidationPolicy
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@NNPBFBMJ@?$AAM?$AAi?$AAt?$AAi?$AAg?$AAa?$AAt?$AAi?$AAo?$AAn?$AAO?$AAp?$AAt?$AAi?$AAo@EKOMKFNL@
		dd offset _PspSystemMitigationOptions
		dd offset _PspSystemMitigationOptionsLength
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@GNDGOBAE@?$AAM?$AAi?$AAt?$AAi?$AAg?$AAa?$AAt?$AAi?$AAo?$AAn?$AAA?$AAu?$AAd?$AAi?$AAt@EKOMKFNL@
		dd offset _PspSystemMitigationAuditOptions
		dd offset _PspSystemMitigationAuditOptionsLength
		dd 2 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1FC@JLENHMLJ@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAF@EKOMKFNL@
		dd offset _PspDisableControlFlowGuardExportSuppression
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@CDGLEEOE@?$AAF?$AAo?$AAr?$AAc?$AAe?$AAI?$AAd?$AAl?$AAe?$AAG?$AAr?$AAa?$AAc?$AAe?$AAP@EKOMKFNL@
		dd offset _KiForceIdleGracePeriodInSec
		dd 3 dup(0)
		dd offset ??_C@_1DG@BLIMACAG@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CC@PJFJLKH@?$AAR?$AAN?$AAG?$AAA?$AAu?$AAx?$AAi?$AAl?$AAi?$AAa?$AAr?$AAy?$AAS?$AAe?$AAe@EKOMKFNL@
		dd offset _ExpRNGAuxiliarySeed
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CA@PPHAONLB@?$AAO?$AAb?$AAT?$AAr?$AAa?$AAc?$AAe?$AAP?$AAo?$AAo?$AAl?$AAT?$AAa?$AAg?$AAs@EKOMKFNL@
		dd offset _ObpTracePoolTagsBuffer
		dd offset _ObpTracePoolTagsLength
		dd 2 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CG@JHFLCAAO@?$AAO?$AAb?$AAT?$AAr?$AAa?$AAc?$AAe?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAN@EKOMKFNL@
		dd offset _ObpTraceProcessNameBuffer
		dd offset _ObpTraceProcessNameLength
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CC@CHDDJNBI@?$AAO?$AAb?$AAT?$AAr?$AAa?$AAc?$AAe?$AAP?$AAe?$AAr?$AAm?$AAa?$AAn?$AAe?$AAn@EKOMKFNL@
		dd offset _ObpTracePermanent
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@HJJNPICP@?$AAP?$AAo?$AAC?$AAl?$AAe?$AAa?$AAn?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn@EKOMKFNL@
		dd offset _PopShutdownCleanly
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@OOPLPMFL@?$AAO?$AAb?$AAU?$AAn?$AAs?$AAe?$AAc?$AAu?$AAr?$AAe?$AAG?$AAl?$AAo?$AAb?$AAa@EKOMKFNL@
		dd offset _ObpUnsecureGlobalNamesBuffer
		dd offset _ObpUnsecureGlobalNamesLength
		dd 2 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CA@FOJGKJED@?$AAT?$AAi?$AAm?$AAe?$AAr?$AAC?$AAh?$AAe?$AAc?$AAk?$AAF?$AAl?$AAa?$AAg?$AAs@EKOMKFNL@
		dd offset _KeTimerCheckFlags
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@HJLIFNDC@?$AAA?$AAl?$AAw?$AAa?$AAy?$AAs?$AAT?$AAr?$AAa?$AAc?$AAk?$AAI?$AAo?$AAB?$AAo@EKOMKFNL@
		dd offset _PspAlwaysTrackIoBoosting
		dd 3 dup(0)
		dd offset ??_C@_1CM@JGIJKPEK@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CG@HMBLOHBN@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAS?$AAt?$AAu?$AAd?$AAy?$AAD?$AAi?$AAs?$AAa?$AAb@EKOMKFNL@
		dd offset _PopSleepStudyDisabled
		align 10h
		dd offset ??_C@_1CM@JGIJKPEK@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EA@EHDFMNMB@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAS?$AAt?$AAu?$AAd?$AAy?$AAD?$AAe?$AAv?$AAi?$AAc@EKOMKFNL@
		dd offset _PopSleepStudyDeviceAccountingLevel
		dd 3 dup(0)
		dd offset ??_C@_1CM@JGIJKPEK@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@MDMJEODA@?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg?$AAS?$AAl?$AAe?$AAe?$AAp?$AAT?$AAi@EKOMKFNL@
		dd offset _PopWatchdogSleepTimeout
		align 10h
		dd offset ??_C@_1CM@JGIJKPEK@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@GDIINAON@?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAT@EKOMKFNL@
		dd offset _PopWatchdogResumeTimeout
		dd 3 dup(0)
		dd offset ??_C@_1CM@JGIJKPEK@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CC@OMMONJMM@?$AAI?$AAd?$AAl?$AAe?$AAS?$AAc?$AAa?$AAn?$AAI?$AAn?$AAt?$AAe?$AAr?$AAv?$AAa@EKOMKFNL@
		dd offset _PopIdleScanInterval
		align 10h
		dd offset ??_C@_1CM@JGIJKPEK@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BI@BPNLMJD@?$AAF?$AAl?$AAu?$AAs?$AAh?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset _PopFlushPolicy
		dd 3 dup(0)
		dd offset ??_C@_1CM@JGIJKPEK@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CC@LDEENHCJ@?$AAS?$AAk?$AAi?$AAp?$AAT?$AAi?$AAc?$AAk?$AAO?$AAv?$AAe?$AAr?$AAr?$AAi?$AAd@EKOMKFNL@
		dd offset _PopSkipTickPolicy
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CC@NACBKHGE@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAn?$AAa?$AAt?$AAe?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@EKOMKFNL@
		dd offset _PopHiberEnabledReg
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DA@DHNINCF@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAn?$AAa?$AAt?$AAe?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@EKOMKFNL@
		dd offset _PopHiberEnabledDefaultReg
		align 10h
		dd offset ??_C@_1DK@OLIMDCEF@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAF?$AAo?$AAr?$AAc?$AAe?$AAH?$AAi?$AAb?$AAe@EKOMKFNL@
		dd offset ??_C@_1O@MPKBHDFA@?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset _PopHiberForceDisabledReg
		dd 3 dup(0)
		dd offset ??_C@_1DK@OLIMDCEF@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAF?$AAo?$AAr?$AAc?$AAe?$AAH?$AAi?$AAb?$AAe@EKOMKFNL@
		dd offset loc_AF91E7+1
		dd offset unk_70EC44
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@DMPKJLLK@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe?$AAS?$AAi?$AAz?$AAe?$AAP?$AAe@EKOMKFNL@
		dd offset _PopHiberFileSizePercent
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BM@KJCJDEGO@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe?$AAT?$AAy?$AAp?$AAe@EKOMKFNL@
		dd offset _PopHiberFileTypeReg
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@PLIOKCDF@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe?$AAT?$AAy?$AAp?$AAe?$AAD?$AAe@EKOMKFNL@
		dd offset _PopHiberFileTypeDefaultReg
		dd 3 dup(0)
		dd offset ??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@
		dd offset loc_AF92D3+1
		dd offset unk_705548
		align 10h
		dd offset ??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@
		dd offset ??_C@_1CE@NLBBIGON@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA1?$AAG?$AAB?$AAR?$AAe?$AAd?$AAu?$AAc@EKOMKFNL@
		dd offset unk_705544
		dd 3 dup(0)
		dd offset ??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@
		dd offset ??_C@_1BO@LFFFEJEN@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA2?$AAG?$AAB?$AAF?$AAu?$AAl?$AAl@EKOMKFNL@
		dd offset unk_705560
		align 10h
		dd offset ??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@
		dd offset ??_C@_1CE@OCGJCLKN@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA2?$AAG?$AAB?$AAR?$AAe?$AAd?$AAu?$AAc@EKOMKFNL@
		dd offset unk_70555C
		dd 3 dup(0)
		dd offset ??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@
		dd offset loc_AF935B+1
		dd offset unk_705578
		align 10h
		dd offset ??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@
		dd offset ??_C@_1CE@JAJIHBCN@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA4?$AAG?$AAB?$AAR?$AAe?$AAd?$AAu?$AAc@EKOMKFNL@
		dd offset unk_705574
		dd 3 dup(0)
		dd offset ??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@
		dd offset loc_AF939F+1
		dd offset unk_705590
		align 10h
		dd offset ??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@
		dd offset ??_C@_1CE@HFHKMECN@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA8?$AAG?$AAB?$AAR?$AAe?$AAd?$AAu?$AAc@EKOMKFNL@
		dd offset unk_70558C
		dd 3 dup(0)
		dd offset ??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@
		dd offset ??_C@_1CA@MHDKIMFB@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA1?$AA6?$AAG?$AAB?$AAF?$AAu?$AAl?$AAl@EKOMKFNL@
		dd offset unk_7055A8
		align 10h
		dd offset ??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@
		dd offset ??_C@_1CG@IDLINFIN@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA1?$AA6?$AAG?$AAB?$AAR?$AAe?$AAd?$AAu@EKOMKFNL@
		dd offset unk_7055A4
		dd 3 dup(0)
		dd offset ??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@
		dd offset ??_C@_1CA@BGNPKLFF@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA3?$AA2?$AAG?$AAB?$AAF?$AAu?$AAl?$AAl@EKOMKFNL@
		dd offset unk_7055C0
		align 10h
		dd offset ??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@
		dd offset loc_AF9407+1
		dd offset unk_7055BC
		dd 3 dup(0)
		dd offset ??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@
		dd offset loc_AF947F+1
		dd offset unk_7055D8
		align 10h
		dd offset ??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@
		dd offset loc_AF944F+1
		dd offset unk_7055D4
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CC@LDNNKDKB@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAb?$AAo?$AAo?$AAt?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@EKOMKFNL@
		dd offset _PopHiberbootEnabledReg
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DK@KGPKOFKM@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAn?$AAa?$AAt?$AAe?$AAC?$AAh?$AAe?$AAc?$AAk?$AAs@EKOMKFNL@
		dd offset _PopHiberChecksummingEnabledReg
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@BJHBBJPL@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAM?$AAi?$AAn?$AAi?$AAm?$AAa?$AAl?$AAH?$AAi@EKOMKFNL@
		dd offset _PopEnableMinimalHiberFile
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@JADPCEC@?$AAF?$AAo?$AAr?$AAc?$AAe?$AAM?$AAi?$AAn?$AAi?$AAm?$AAa?$AAl?$AAH?$AAi?$AAb@EKOMKFNL@
		dd offset _PopForceMinimalHiberFile
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CG@MJIPGMJC@?$AAT?$AAh?$AAe?$AAr?$AAm?$AAa?$AAl?$AAP?$AAo?$AAl?$AAl?$AAi?$AAn?$AAg?$AAM@EKOMKFNL@
		dd offset _PopThermalPollingMode
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DE@IEFPINNN@?$AAT?$AAh?$AAe?$AAr?$AAm?$AAa?$AAl?$AAT?$AAe?$AAl?$AAe?$AAm?$AAe?$AAt?$AAr@EKOMKFNL@
		dd offset _PopThermalTelemetryVerbosity
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DK@MAHGDGCP@?$AAS?$AAm?$AAa?$AAr?$AAt?$AAU?$AAs?$AAe?$AAr?$AAP?$AAr?$AAe?$AAs?$AAe?$AAn@EKOMKFNL@
		dd offset _PopSmartUserPresenceGracePeriod
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DI@MDOINOAN@?$AAS?$AAm?$AAa?$AAr?$AAt?$AAU?$AAs?$AAe?$AAr?$AAP?$AAr?$AAe?$AAs?$AAe?$AAn@EKOMKFNL@
		dd offset _PopSmartUserPresenceWakeOffset
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DM@HAEAFMAF@?$AAS?$AAm?$AAa?$AAr?$AAt?$AAU?$AAs?$AAe?$AAr?$AAP?$AAr?$AAe?$AAs?$AAe?$AAn@EKOMKFNL@
		dd offset _PopSmartUserPresenceCheckTimeout
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DA@DKNPLDHK@?$AAS?$AAm?$AAa?$AAr?$AAt?$AAU?$AAs?$AAe?$AAr?$AAP?$AAr?$AAe?$AAs?$AAe?$AAn@EKOMKFNL@
		dd offset _PopSmartUserPresenceAction
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@GEJKHHDI@?$AAD?$AAo?$AAz?$AAe?$AAD?$AAe?$AAf?$AAe?$AAr?$AAr?$AAa?$AAl?$AAM?$AAa?$AAx@EKOMKFNL@
		dd offset _PopDozeDeferralMaxSeconds
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DG@FDJAOGJG@?$AAD?$AAo?$AAz?$AAe?$AAD?$AAe?$AAf?$AAe?$AAr?$AAr?$AAa?$AAl?$AAC?$AAh?$AAe@EKOMKFNL@
		dd offset _PopDozeDeferralChecksToIgnore
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EI@BGKDCLDM@?$AAW?$AAi?$AAn?$AA3?$AA2?$AAk?$AAC?$AAa?$AAl?$AAl?$AAo?$AAu?$AAt?$AAW?$AAa@EKOMKFNL@
		dd offset _PopWin32kCalloutWatchdogTimeoutSeconds
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1FE@GNKAEAJI@?$AAP?$AAd?$AAc?$AAI?$AAd?$AAl?$AAe?$AAP?$AAh?$AAa?$AAs?$AAe?$AAD?$AAe?$AAf@EKOMKFNL@
		dd offset _PopPdcIdlePhaseDefaultWatchdogTimeoutSeconds
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DM@MIFCHHCE@?$AAF?$AAx?$AAA?$AAc?$AAc?$AAo?$AAu?$AAn?$AAt?$AAi?$AAn?$AAg?$AAT?$AAe?$AAl@EKOMKFNL@
		dd offset _PopDiagFxAccountingTelemetryDisabled
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1FC@KAOPAHPP@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAA?$AAc?$AAt?$AAi?$AAo?$AAn?$AAS?$AAu?$AAs?$AAp@EKOMKFNL@
		dd offset _PopPowerActionTransitioningWatchdogTimeoutDefault
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1FA@BMNDPLII@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAA?$AAc?$AAt?$AAi?$AAo?$AAn?$AAR?$AAe?$AAs?$AAu@EKOMKFNL@
		dd offset _PopPowerActionResumingWatchdogTimeoutDefault
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DI@KPFGGNIO@?$AAP?$AAr?$AAe?$AAS?$AAl?$AAe?$AAe?$AAp?$AAN?$AAo?$AAt?$AAi?$AAf?$AAi?$AAc@EKOMKFNL@
		dd offset _PopPreSleepNotificationSeconds
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BG@NLAIPHCD@?$AAM?$AAS?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAd@EKOMKFNL@
		dd offset _PopModernStandbyDisabled
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@DPLEPGKK@?$AAP?$AAl?$AAa?$AAt?$AAf?$AAo?$AAr?$AAm?$AAR?$AAo?$AAl?$AAe?$AAO?$AAv?$AAe@EKOMKFNL@
		dd offset _PopPlatformRoleOverride
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@JJMHJOPM@?$AAP?$AAl?$AAa?$AAt?$AAf?$AAo?$AAr?$AAm?$AAA?$AAo?$AAA?$AAc?$AAO?$AAv?$AAe@EKOMKFNL@
		dd offset _PopPlatformAoAcOverride
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@IAPAGLBE@?$AAP?$AAe?$AAr?$AAf?$AAB?$AAo?$AAo?$AAs?$AAt?$AAA?$AAt?$AAG?$AAu?$AAa?$AAr@EKOMKFNL@
		dd offset _PpmPerfBoostAtGuaranteed
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@MFFJEIKL@?$AAI?$AAp?$AAi?$AAL?$AAa?$AAs?$AAt?$AAC?$AAl?$AAo?$AAc?$AAk?$AAO?$AAw?$AAn@EKOMKFNL@
		dd offset _PpmIpiLastClockOwnerDisable
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@HCOBIFIA@?$AAM?$AAf?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr?$AAi?$AAn?$AAg?$AAT?$AAh?$AAr?$AAe@EKOMKFNL@
		dd offset _PpmMfBufferingThreshold
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AF99F3+1
		dd offset _PpmMfOverridesDisabled
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DA@BPGBIGKK@?$AAL?$AAa?$AAt?$AAe?$AAn?$AAc?$AAy?$AAT?$AAo?$AAl?$AAe?$AAr?$AAa?$AAn?$AAc@EKOMKFNL@
		dd offset _PpmLatencyToleranceLimit
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DK@PCEKICFF@?$AAL?$AAa?$AAt?$AAe?$AAn?$AAc?$AAy?$AAT?$AAo?$AAl?$AAe?$AAr?$AAa?$AAn?$AAc@EKOMKFNL@
		dd offset dword_7054E4
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AF9A1B+1
		dd offset dword_7054E8
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DO@KGNGLMDB@?$AAL?$AAa?$AAt?$AAe?$AAn?$AAc?$AAy?$AAT?$AAo?$AAl?$AAe?$AAr?$AAa?$AAn?$AAc@EKOMKFNL@
		dd offset dword_7054EC
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1FG@MMPJNDKM@?$AAP?$AAe?$AAr?$AAf?$AAI?$AAd?$AAe?$AAa?$AAl?$AAA?$AAg?$AAg?$AAr?$AAe?$AAs@EKOMKFNL@
		dd offset _PpmPerfIdealAggressiveIncreaseThreshold
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CG@CLEKOLAN@?$AAP?$AAe?$AAr?$AAf?$AAS?$AAi?$AAn?$AAg?$AAl?$AAe?$AAS?$AAt?$AAe?$AAp?$AAS@EKOMKFNL@
		dd offset _PpmPerfSingleStepSize
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DO@CMKEEMJJ@?$AAP?$AAe?$AAr?$AAf?$AAC?$AAa?$AAl?$AAc?$AAu?$AAl?$AAa?$AAt?$AAe?$AAA?$AAc@EKOMKFNL@
		dd offset _PpmPerfCalculateActualUtilization
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@NBNKAMG@?$AAP?$AAe?$AAr?$AAf?$AAA?$AAr?$AAt?$AAi?$AAf?$AAi?$AAc?$AAi?$AAa?$AAl?$AAD@EKOMKFNL@
		dd offset _PpmPerfArtificialDomainSetting
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DA@EGJHOLNF@?$AAP?$AAa?$AAr?$AAk?$AAW?$AAi?$AAt?$AAh?$AAC?$AAo?$AAr?$AAe?$AAG?$AAr?$AAa@EKOMKFNL@
		dd offset _PpmParkUseCoreGranularity
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@INIJJANI@?$AAM?$AAu?$AAl?$AAt?$AAi?$AAp?$AAa?$AAr?$AAk?$AAG?$AAr?$AAa?$AAn?$AAu?$AAl@EKOMKFNL@
		dd offset _PpmParkMultiparkGranularity
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@BFKBJEED@?$AAC?$AAl?$AAa?$AAs?$AAs?$AA1?$AAI?$AAn?$AAi?$AAt?$AAi?$AAa?$AAl?$AAU?$AAn@EKOMKFNL@
		dd offset _PpmParkInitialClass1UnParkCount
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@NFJHMAEA@?$AAH?$AAi?$AAg?$AAh?$AAP?$AAe?$AAr?$AAf?$AAD?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo@EKOMKFNL@
		dd offset _PpmHighPerfDuration
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@IKFIIBAH@?$AAH?$AAi?$AAg?$AAh?$AAP?$AAe?$AAr?$AAf?$AAD?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo@EKOMKFNL@
		dd offset unk_7054BC
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@IFEJMCJN@?$AAH?$AAi?$AAg?$AAh?$AAP?$AAe?$AAr?$AAf?$AAD?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo@EKOMKFNL@
		dd offset unk_7054C0
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DM@EFEFJPCF@?$AAI?$AAd?$AAl?$AAe?$AAD?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAE?$AAx?$AAp@EKOMKFNL@
		dd offset _PpmIdleDurationExpirationTimeoutMs
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DA@GPKECOFB@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAI?$AAd?$AAl?$AAe?$AAS?$AAt?$AAa?$AAt@EKOMKFNL@
		dd offset _PpmIdleDisableStatesAtBoot
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DO@GFFAPAMB@?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAg?$AAe?$AAn?$AAe?$AAo?$AAu?$AAs?$AAP?$AAp@EKOMKFNL@
		dd offset _PpmHeteroImplementationGeneration
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@OOGKHJLJ@?$AAB?$AAo?$AAo?$AAt?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAP?$AAo?$AAl?$AAi?$AAc@EKOMKFNL@
		dd offset _PpmPerfBootHeteroPolicyOverrideEnabled
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AF9D7B+1
		dd offset _PopEnforceDisconnectedStandby
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DM@OHNKJMO@?$AAU?$AAs?$AAe?$AAr?$AAB?$AAa?$AAt?$AAt?$AAe?$AAr?$AAy?$AAD?$AAi?$AAs?$AAc@EKOMKFNL@
		dd offset _PopDisableBatteryDischargeEstimator
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DG@MFIBJIDM@?$AAU?$AAs?$AAe?$AAr?$AAB?$AAa?$AAt?$AAt?$AAe?$AAr?$AAy?$AAC?$AAh?$AAa?$AAr@EKOMKFNL@
		dd offset _PopUserBatteryChargingEstimator
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DO@CLBNCMIC@?$AAS?$AAt?$AAa?$AAn?$AAd?$AAb?$AAy?$AAC?$AAo?$AAn?$AAn?$AAe?$AAc?$AAt?$AAi@EKOMKFNL@
		dd offset _PopStandbyConnectivityGracePeriod
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@FPLAPGAD@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AAE@EKOMKFNL@
		dd offset _PopEventProcessorEnabled
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BO@ICIEGDJP@?$AAP?$AAd?$AAc?$AAO?$AAn?$AAe?$AAW?$AAa?$AAy?$AAE?$AAn?$AAt?$AAr?$AAy@EKOMKFNL@
		dd offset _PopPowerAggregatorOneWayEntry
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DG@GEGHAJID@?$AAP?$AAr?$AAo?$AAm?$AAo?$AAt?$AAe?$AAH?$AAi?$AAb?$AAe?$AAr?$AAn?$AAa?$AAt@EKOMKFNL@
		dd offset _PopPromoteHibernateToShutdown
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AF9F4F+1
		dd offset _PopCoalescingTimerInterval
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DA@ODKIKHK@?$AAC?$AAo?$AAa?$AAl?$AAe?$AAs?$AAc?$AAi?$AAn?$AAg?$AAF?$AAl?$AAu?$AAs?$AAh@EKOMKFNL@
		dd offset _PopCoalescingFlushInterval
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@LGOCNIBI@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAI?$AAn?$AAp?$AAu?$AAt?$AAS?$AAu?$AAp?$AAp@EKOMKFNL@
		dd offset _PopEnableInputSuppressionOverride
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EE@DDMHOOFP@?$AAI?$AAg?$AAn?$AAo?$AAr?$AAe?$AAL?$AAi?$AAd?$AAS?$AAt?$AAa?$AAt?$AAe?$AAF@EKOMKFNL@
		dd offset _PopLidStateForInputSuppressionOverride
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@DGMKNBG@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAI?$AAd?$AAl?$AAe?$AAT?$AAi?$AAm?$AAe?$AAo@EKOMKFNL@
		dd offset _PopFxActiveIdleTimeout
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CI@ECONHEAJ@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAI?$AAd?$AAl?$AAe?$AAT?$AAh?$AAr?$AAe?$AAs@EKOMKFNL@
		dd offset _PopFxActiveIdleThreshold
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CA@IIOONLCN@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAI?$AAd?$AAl?$AAe?$AAL?$AAe?$AAv?$AAe?$AAl@EKOMKFNL@
		dd offset _PopFxActiveIdleLevel
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@HGIMIDFC@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAF?$AAx?$AAD?$AAe?$AAf?$AAa?$AAu@EKOMKFNL@
		dd offset _PopFxDirectedFxDefaultTimeout
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CC@CNFCBBMN@?$AAI?$AAd?$AAl?$AAe?$AAS?$AAt?$AAa?$AAt?$AAe?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu@EKOMKFNL@
		dd offset _PopPepIdleStateTimeout
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@COPIDNEK@?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg?$AAW?$AAo?$AAr?$AAk?$AAO?$AAr?$AAd@EKOMKFNL@
		dd offset _PopFxWatchdogWorkOrderTimeout
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AFA127+1
		dd offset _PopDripsCallbackInterval
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DM@MPGOEFBK@?$AAD?$AAr?$AAi?$AAp?$AAs?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg?$AAD?$AAe@EKOMKFNL@
		dd offset _PopDripsWatchdogDebounceInterval
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@FFPGLEPF@?$AAD?$AAr?$AAi?$AAp?$AAs?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg?$AAT?$AAi@EKOMKFNL@
		dd offset _PopDripsWatchdogTimeout
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AFA153+1
		dd offset _PopDripsWatchdogAction
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@LJNLFLPG@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAD?$AAr?$AAi?$AAp?$AAs?$AAO?$AAv@EKOMKFNL@
		dd offset _PopDirectedDripsOverride
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@KGJADFEB@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAD?$AAr?$AAi?$AAp?$AAs?$AAT?$AAi@EKOMKFNL@
		dd offset _PopDirectedDripsTimeout
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DM@BHBEDEBD@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAD?$AAr?$AAi?$AAp?$AAs?$AAD?$AAe@EKOMKFNL@
		dd offset _PopDirectedDripsDebounceInterval
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CI@PDMBEHNP@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAD?$AAr?$AAi?$AAp?$AAs?$AAA?$AAc@EKOMKFNL@
		dd offset _PopDirectedDripsAction
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DK@KDNAFMFI@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAD?$AAr?$AAi?$AAp?$AAs?$AAW?$AAa@EKOMKFNL@
		dd offset _PopDirectedDripsWaitWakeTimeoutSeconds
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EI@BDHLEMOM@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAD?$AAr?$AAi?$AAp?$AAs?$AAS?$AAu@EKOMKFNL@
		dd offset _PopDirectedDripsSurprisePowerOnTimeoutSeconds
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AFA31F+1
		dd offset _PopDirectedDripsDfxEnforcementPolicy
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DE@NNHPAJMO@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAV?$AAs?$AAy?$AAn?$AAc?$AAL?$AAa?$AAt@EKOMKFNL@
		dd offset _PpmDisableVsyncLatencyUpdate
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AFA393+1
		dd offset _PpmExitLatencyCheckEnabled
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DA@NFJODIOJ@?$AAE?$AAn?$AAe?$AAr?$AAg?$AAy?$AAE?$AAs?$AAt?$AAi?$AAm?$AAa?$AAt?$AAi?$AAo@EKOMKFNL@
		dd offset _PopEnergyEstimationEnabled
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EC@FFMHDBAI@?$AAC?$AAh?$AAe?$AAc?$AAk?$AAP?$AAo?$AAw?$AAe?$AAr?$AAS?$AAo?$AAu?$AAr?$AAc@EKOMKFNL@
		dd offset _PopCheckPowerSourceAfterRtcWakeTime
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AFA3C3+1
		dd offset _PopDripsSwHwDivergenceThreshold
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EE@LGMHJLK@?$AAD?$AAr?$AAi?$AAp?$AAs?$AAS?$AAw?$AAH?$AAw?$AAD?$AAi?$AAv?$AAe?$AAr?$AAg@EKOMKFNL@
		dd offset _PopDripsSwHwDivergenceEnableLiveDump
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DA@JMODGAP@?$AAI?$AAg?$AAn?$AAo?$AAr?$AAe?$AAC?$AAs?$AAC?$AAo?$AAm?$AAp?$AAl?$AAi?$AAa@EKOMKFNL@
		dd offset _PopIgnoreCsComplianceCheck
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DM@DBHHALLH@?$AAP?$AAe?$AAr?$AAf?$AAQ?$AAu?$AAe?$AAr?$AAy?$AAO?$AAn?$AAD?$AAe?$AAv?$AAi@EKOMKFNL@
		dd offset _PopFxPerfQueryOnDevicePowerChanges
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EA@LCLNGEDH@?$AAE?$AAn?$AAf?$AAo?$AAr?$AAc?$AAe?$AAC?$AAo?$AAn?$AAs?$AAo?$AAl?$AAe?$AAL@EKOMKFNL@
		dd offset _PopEnforceConsoleLockScreenTimeout
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DA@DKFIBNNP@?$AAD?$AAe?$AAe?$AAp?$AAI?$AAo?$AAC?$AAo?$AAa?$AAl?$AAe?$AAs?$AAc?$AAi?$AAn@EKOMKFNL@
		dd offset _PopDeepIoCoalescingEnabled
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EC@HIKFGPDA@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAe?$AAq?$AAu@EKOMKFNL@
		dd offset _PopPowerRequestConvertSystemToExecution
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1GC@JCHDELEI@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAA?$AAu?$AAd?$AAi?$AAo?$AAT?$AAo?$AAE?$AAn?$AAa@EKOMKFNL@
		dd offset _PopPowerRequestActiveAudioEnablesExecutionRequired
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BG@ODDMENGF@?$AAT?$AAt?$AAm?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAd@EKOMKFNL@
		dd offset _TtmpEnabled
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CI@NINJCDFH@?$AAP?$AAr?$AAo?$AAx?$AAi?$AAm?$AAi?$AAt?$AAy?$AAE?$AAs?$AAc?$AAa?$AAp?$AAe@EKOMKFNL@
		dd offset _TtmpProximityEscapeMsec
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EA@CKBIHEDI@?$AAT?$AAi?$AAm?$AAe?$AAr?$AAR?$AAe?$AAb?$AAa?$AAs?$AAe?$AAT?$AAh?$AAr?$AAe@EKOMKFNL@
		dd offset _KiTimerRebaseThresholdOnDripsExit
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DE@KGBLDCIM@?$AAF?$AAx?$AAR?$AAu?$AAn?$AAt?$AAi?$AAm?$AAe?$AAL?$AAo?$AAg?$AAN?$AAu?$AAm@EKOMKFNL@
		dd offset _PopFxRuntimeLogNumberEntries
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@IHNLCAKN@?$AAC?$AAh?$AAe?$AAc?$AAk?$AAp?$AAo?$AAi?$AAn?$AAt?$AAS?$AAy?$AAs?$AAt?$AAe@EKOMKFNL@
		dd offset _PopCheckpointSystemSleepEnabledReg
		dd 3 dup(0)
		dd offset ??_C@_1CE@MCEFOCNO@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAM?$AAo?$AAd?$AAe?$AAr?$AAn?$AAS?$AAl?$AAe@EKOMKFNL@
		dd offset ??_C@_1BO@KDFMFDBP@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAd?$AAA?$AAc?$AAt?$AAi?$AAo?$AAn?$AAs@EKOMKFNL@
		dd offset _PopAggressiveStandbyActionsRegValue
		align 10h
		dd offset ??_C@_1CE@MCEFOCNO@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAM?$AAo?$AAd?$AAe?$AAr?$AAn?$AAS?$AAl?$AAe@EKOMKFNL@
		dd offset ??_C@_1CG@DEIALNEP@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAD?$AAs?$AAN?$AAe?$AAt?$AAR?$AAe?$AAf?$AAr@EKOMKFNL@
		dd offset _PopEnableDsNetRefresh
		dd 3 dup(0)
		dd offset ??_C@_1CM@PJLBNLMM@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAP?$AAo?$AAw?$AAe?$AAr?$AAT?$AAh?$AAr?$AAo@EKOMKFNL@
		dd offset ??_C@_1CG@OFBEBMOE@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAT?$AAh?$AAr?$AAo?$AAt?$AAt?$AAl?$AAi?$AAn?$AAg@EKOMKFNL@
		dd offset _PpmPerfQosGroupPolicyDisable
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AFA797+1
		dd offset _PpmPerfQosManageIdleProcessors
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EG@EKNNKNGB@?$AAC?$AAh?$AAe?$AAc?$AAk?$AAp?$AAo?$AAi?$AAn?$AAt?$AAS?$AAy?$AAs?$AAt?$AAe@EKOMKFNL@
		dd offset _PopCheckpointSystemSleepSimulateFlags
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EC@ONEJLBIL@?$AAS?$AAk?$AAi?$AAp?$AAH?$AAi?$AAb?$AAe?$AAr?$AAn?$AAa?$AAt?$AAe?$AAM?$AAe@EKOMKFNL@
		dd offset _PopEnableHibernateMemoryMapValidationOverride
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1FA@LMPCIOM@?$AAP?$AAo?$AAF?$AAx?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAI?$AAr?$AAp?$AAW?$AAa@EKOMKFNL@
		dd offset _PopPoFxSystemIrpWaitForReportDevicePoweredReg
		align 10h
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EO@BHNAKFPE@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAD?$AAi?$AAs?$AAp?$AAl?$AAa?$AAy?$AAB@EKOMKFNL@
		dd offset _PopDisableDisplayBurstOnPowerSourceChange
		dd 3 dup(0)
		dd offset ??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EI@KICOLFEI@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAI?$AAn?$AAb?$AAo?$AAx?$AAP?$AAe?$AAp@EKOMKFNL@
		dd offset _PopDisableInboxPepGeneratedConstraintsOverride
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@OHLELLPC@?$AAO?$AAb?$AAC?$AAa?$AAs?$AAe?$AAI?$AAn?$AAs?$AAe?$AAn?$AAs?$AAi?$AAt?$AAi@EKOMKFNL@
		dd offset _ObpCaseInsensitive
		dd 3 dup(0)
		dd offset ??_C@_1DG@DNIHPMPB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CA@FNJCKJAF@?$AAC?$AAo?$AAu?$AAn?$AAt?$AAO?$AAp?$AAe?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAs@EKOMKFNL@
		dd offset _IoCountOperations
		align 10h
		dd offset ??_C@_1DG@DNIHPMPB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@MCPKDEEK@?$AAL?$AAa?$AAr?$AAg?$AAe?$AAI?$AAr?$AAp?$AAS?$AAt?$AAa?$AAc?$AAk?$AAL?$AAo@EKOMKFNL@
		dd offset _IopLargeIrpStackLocations
		dd 3 dup(0)
		dd offset ??_C@_1DG@DNIHPMPB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DA@KMKGKDH@?$AAM?$AAe?$AAd?$AAi?$AAu?$AAm?$AAI?$AAr?$AAp?$AAS?$AAt?$AAa?$AAc?$AAk?$AAL@EKOMKFNL@
		dd offset _IopMediumIrpStackLocations
		align 10h
		dd offset ??_C@_1DG@DNIHPMPB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@KOGBLBIB@?$AAI?$AAo?$AAB?$AAl?$AAo?$AAc?$AAk?$AAL?$AAe?$AAg?$AAa?$AAc?$AAy?$AAF?$AAs@EKOMKFNL@
		dd offset _IopBlockLegacyFsFilters
		dd 3 dup(0)
		dd offset ??_C@_1DG@DNIHPMPB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@GHJMNGBB@?$AAI?$AAo?$AAC?$AAa?$AAs?$AAe?$AAI?$AAn?$AAs?$AAe?$AAn?$AAs?$AAi?$AAt?$AAi@EKOMKFNL@
		dd offset _IopCaseInsensitive
		align 10h
		dd offset ??_C@_1DG@DNIHPMPB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@EEKFCDEO@?$AAR?$AAe?$AAq?$AAu?$AAi?$AAr?$AAe?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAA?$AAc@EKOMKFNL@
		dd offset _IopRequireDeviceAccessCheck
		dd 3 dup(0)
		dd offset ??_C@_1DG@DNIHPMPB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@MFHFIDKO@?$AAI?$AAo?$AAF?$AAa?$AAi?$AAl?$AAZ?$AAe?$AAr?$AAo?$AAA?$AAc?$AAc?$AAe?$AAs@EKOMKFNL@
		dd offset _IopFailZeroAccessCreate
		align 10h
		dd offset ??_C@_1DG@DNIHPMPB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DO@IPALKECH@?$AAI?$AAo?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn@EKOMKFNL@
		dd offset _IopSessionZeroAccessCheckEnabled
		dd 3 dup(0)
		dd offset ??_C@_1DG@DNIHPMPB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DG@MNOBLPPI@?$AAI?$AAo?$AAA?$AAl?$AAl?$AAo?$AAw?$AAL?$AAo?$AAa?$AAd?$AAC?$AAr?$AAa?$AAs@EKOMKFNL@
		dd offset _IopAllowLoadCrashDumpDriver
		align 10h
		dd offset ??_C@_1DG@DNIHPMPB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EA@IDDFCAI@?$AAI?$AAo?$AAI?$AAr?$AAp?$AAC?$AAo?$AAm?$AAp?$AAl?$AAe?$AAt?$AAi?$AAo?$AAn@EKOMKFNL@
		dd offset _IopIrpCompletionTimeoutInSeconds
		dd 3 dup(0)
		dd offset ??_C@_17CDELMOAN@?$AAQ?$AAo?$AAS@EKOMKFNL@
		dd offset ??_C@_1CE@NKDBAAH@?$AAS?$AAt?$AAo?$AAr?$AAa?$AAg?$AAe?$AAB?$AAa?$AAs?$AAe?$AAI?$AAO?$AAS?$AAi@EKOMKFNL@
		dd offset _IopDiskIoAttributionBaseIoSize
		align 10h
		dd offset ??_C@_1DG@DNIHPMPB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CI@GFBEPOGP@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAD?$AAi?$AAs?$AAk?$AAC?$AAo?$AAu?$AAn@EKOMKFNL@
		dd offset _PsDisableDiskCounters
		dd 3 dup(0)
		dd offset ??_C@_1DG@DNIHPMPB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@DHAALLJL@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr?$AAe?$AAd@EKOMKFNL@
		dd offset _IopDisableBufferedIoInit
		align 10h
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@KMFCKJPP@?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@EKOMKFNL@
		dd offset _ExResourceTimeoutCount
		dd 3 dup(0)
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CG@NEPCKEJL@?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAC?$AAh?$AAe?$AAc?$AAk?$AAF?$AAl@EKOMKFNL@
		dd offset _ExResourceCheckFlags
		align 10h
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DK@DFKCKMMF@?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAE?$AAn?$AAf?$AAo?$AAr?$AAc?$AAe@EKOMKFNL@
		dd offset _ExpResourceEnforceOwnerTransfer
		dd 3 dup(0)
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@KFGOODJE@?$AAC?$AAr?$AAi?$AAt?$AAi?$AAc?$AAa?$AAl?$AAS?$AAe?$AAc?$AAt?$AAi?$AAo?$AAn@EKOMKFNL@
		dd offset dword_7051CC
		align 10h
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CG@KHHKKCCD@?$AAH?$AAe?$AAa?$AAp?$AAS?$AAe?$AAg?$AAm?$AAe?$AAn?$AAt?$AAR?$AAe?$AAs?$AAe@EKOMKFNL@
		dd offset dword_7051E4
		dd 3 dup(0)
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@BDMILKLE@?$AAH?$AAe?$AAa?$AAp?$AAS?$AAe?$AAg?$AAm?$AAe?$AAn?$AAt?$AAC?$AAo?$AAm?$AAm@EKOMKFNL@
		dd offset dword_7051E0
		align 10h
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DO@OACFDBCF@?$AAH?$AAe?$AAa?$AAp?$AAD?$AAe?$AAC?$AAo?$AAm?$AAm?$AAi?$AAt?$AAT?$AAo?$AAt@EKOMKFNL@
		dd offset dword_7051DC
		dd 3 dup(0)
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DO@PIGCMHBI@?$AAH?$AAe?$AAa?$AAp?$AAD?$AAe?$AAC?$AAo?$AAm?$AAm?$AAi?$AAt?$AAF?$AAr?$AAe@EKOMKFNL@
		dd offset dword_7051D8
		align 10h
		dd offset ??_C@_1BO@EDPDEJHE@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@EKOMKFNL@
		dd offset ??_C@_1BI@JPCMFPH@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAT?$AAy?$AAp?$AAe@EKOMKFNL@
		dd offset dword_7051D4
		dd 3 dup(0)
		dd offset ??_C@_1CA@BFNKNOIB@?$AAT?$AAe?$AAr?$AAm?$AAi?$AAn?$AAa?$AAl?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BI@LIHNICPI@?$AAT?$AAS?$AAA?$AAp?$AAp?$AAC?$AAo?$AAm?$AAp?$AAa?$AAt@EKOMKFNL@
		dd offset _ExpMultiUserTS
		align 10h
		dd offset ??_C@_1BO@EDPDEJHE@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@EKOMKFNL@
		dd offset ??_C@_1BK@HJNBLNLJ@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAS?$AAu?$AAi?$AAt?$AAe@EKOMKFNL@
		dd offset _CmSuiteBuffer
		dd offset _CmSuiteBufferLength
		dd offset _CmSuiteBufferType
		align 8
		dd offset ??_C@_1BO@EDPDEJHE@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@EKOMKFNL@
		dd offset ??_C@_1BM@NLGAGAOC@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset _ExpHostBootLicensingData
		dd offset dword_B15740
		dd offset dword_B15744
		align 10h
		dd offset ??_C@_1BA@HLGGGPNC@?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs@EKOMKFNL@
		dd offset ??_C@_1BG@MEBEMGBM@?$AAC?$AAS?$AAD?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@EKOMKFNL@
		dd offset _CmNtCSDVersion
		dd 3 dup(0)
		dd offset ??_C@_1BA@HLGGGPNC@?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs@EKOMKFNL@
		dd offset ??_C@_1BO@PKBACOLK@?$AAC?$AAS?$AAD?$AAR?$AAe?$AAl?$AAe?$AAa?$AAs?$AAe?$AAT?$AAy?$AAp?$AAe@EKOMKFNL@
		dd offset _CmNtCSDReleaseType
		align 10h
		dd offset ??_C@_1BA@HLGGGPNC@?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs@EKOMKFNL@
		dd offset ??_C@_1BO@LOIKKPLA@?$AAC?$AAS?$AAD?$AAB?$AAu?$AAi?$AAl?$AAd?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@EKOMKFNL@
		dd offset _CmNtSpBuildNumber
		dd 3 dup(0)
		dd offset ??_C@_1BK@HGJAIMGI@?$AAN?$AAl?$AAs?$AA?2?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@EKOMKFNL@
		dd offset ??_C@_1BA@GHOECOCL@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt@EKOMKFNL@
		dd offset _CmDefaultLanguageId
		dd offset _CmDefaultLanguageIdLength
		dd offset _CmDefaultLanguageIdType
		dd 1
		dd offset ??_C@_1BK@HGJAIMGI@?$AAN?$AAl?$AAs?$AA?2?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@EKOMKFNL@
		dd offset ??_C@_1CA@HNCMOGDF@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@EKOMKFNL@
		dd offset _CmInstallUILanguageId
		dd offset _CmInstallUILanguageIdLength
		dd offset _CmInstallUILanguageIdType
		dd 1
		dd offset ??_C@_15EODNFOFM@?$AA?$AA?$AA?$AA@EKOMKFNL@
		dd offset ??_C@_1CE@LLLFBDPK@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAS?$AAi?$AAz?$AAe?$AAL?$AAi?$AAm@EKOMKFNL@
		dd offset _CmRegistrySizeLimit
		dd offset _CmRegistrySizeLimitLength
		dd offset _CmRegistrySizeLimitType
		align 10h
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@IEAFCDJK@?$AAF?$AAa?$AAs?$AAt?$AAB?$AAo?$AAo?$AAt@EKOMKFNL@
		dd offset _CmFastBoot
		dd 3 dup(0)
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AFAF8F+1
		dd offset _CmSelfHeal
		align 10h
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DE@BEFLENJI@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAL?$AAa?$AAz?$AAy?$AAF?$AAl?$AAu@EKOMKFNL@
		dd offset _CmpLazyFlushIntervalInSeconds
		dd 3 dup(0)
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DM@GAKMMFJJ@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAL?$AAa?$AAz?$AAy?$AAR?$AAe?$AAc@EKOMKFNL@
		dd offset _CmpLazyReconcileIntervalInSeconds
		align 10h
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DK@GPPALMBD@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAL?$AAa?$AAz?$AAy?$AAL?$AAo?$AAc@EKOMKFNL@
		dd offset _CmpLazyLocalizeIntervalInSeconds
		dd 3 dup(0)
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DG@CNLFIMNC@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAL?$AAa?$AAz?$AAy?$AAF?$AAl?$AAu@EKOMKFNL@
		dd offset _CmpEnableLazyFlushBootDelayInterval
		align 10h
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AFB02F+1
		dd offset _CmpLogFileSizeCap
		dd 3 dup(0)
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DI@HCHONOFC@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAR?$AAe?$AAo?$AAr?$AAg?$AAa?$AAn@EKOMKFNL@
		dd offset _CmpReorganizeLimit
		align 10h
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EA@IAHCAHDJ@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAR?$AAe?$AAo?$AAr?$AAg?$AAa?$AAn@EKOMKFNL@
		dd offset _CmpReorganizeDelayDays
		dd 3 dup(0)
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@HNBGCLEL@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAF?$AAl?$AAu?$AAs?$AAh?$AAG?$AAl@EKOMKFNL@
		dd offset _CmpGlobalFlushControlFlags
		align 10h
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@IENLEOL@?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAi?$AAz?$AAa?$AAt?$AAi?$AAo?$AAn?$AAE@EKOMKFNL@
		dd offset _CmVEEnabled
		dd 3 dup(0)
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BO@KJDKHGMH@?$AAD?$AAe?$AAl?$AAa?$AAy?$AAC?$AAl?$AAo?$AAs?$AAe?$AAS?$AAi?$AAz?$AAe@EKOMKFNL@
		dd offset _CmpDelayedCloseSize
		align 10h
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DG@GLDLBPGE@?$AAF?$AAr?$AAe?$AAe?$AAz?$AAe?$AAT?$AAh?$AAa?$AAw?$AAT?$AAi?$AAm?$AAe?$AAo@EKOMKFNL@
		dd offset _CmFreezeThawTimeoutInSeconds
		dd 3 dup(0)
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CI@FPHHAKHL@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAH?$AAi?$AAv?$AAe?$AAL?$AAi?$AAm?$AAi?$AAt@EKOMKFNL@
		dd offset _CmSystemHiveLimitSize
		align 10h
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@GKCPBCOI@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAP?$AAe?$AAr?$AAi?$AAo?$AAd?$AAi?$AAc?$AAB@EKOMKFNL@
		dd offset _CmpDoIdleProcessing
		dd 3 dup(0)
		dd offset ??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BK@GJFCEKLL@?$AAV?$AAo?$AAl?$AAa?$AAt?$AAi?$AAl?$AAe?$AAB?$AAo?$AAo?$AAt@EKOMKFNL@
		dd offset _CmpVolatileBoot
		align 10h
		dd offset ??_C@_1GI@DENEAKEJ@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AF73C0+4
		dd offset _CmpLKGEnabled
		dd 3 dup(0)
		dd offset ??_C@_1CO@KMCLAPKE@?$AAS?$AAt?$AAa?$AAt?$AAe?$AAS?$AAe?$AAp?$AAa?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn@EKOMKFNL@
		dd offset loc_AF73C0+4
		dd offset _CmStateSeparationEnabled
		align 10h
		dd offset ??_C@_1CO@KMCLAPKE@?$AAS?$AAt?$AAa?$AAt?$AAe?$AAS?$AAe?$AAp?$AAa?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn@EKOMKFNL@
		dd offset ??_C@_1CA@ONKNCBDM@?$AAD?$AAe?$AAv?$AAe?$AAl?$AAo?$AAp?$AAm?$AAe?$AAn?$AAt?$AAM?$AAo?$AAd?$AAe@EKOMKFNL@
		dd offset _CmStateSeparationDevMode
		dd 3 dup(0)
		dd offset ??_C@_1CO@KMCLAPKE@?$AAS?$AAt?$AAa?$AAt?$AAe?$AAS?$AAe?$AAp?$AAa?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn@EKOMKFNL@
		dd offset ??_C@_1CC@HNBLGIMP@?$AAA?$AAl?$AAl?$AAH?$AAi?$AAv?$AAe?$AAs?$AAV?$AAo?$AAl?$AAa?$AAt?$AAi?$AAl@EKOMKFNL@
		dd offset _CmStateSeparationAllHivesVolatile
		align 10h
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CI@CEOPHINK@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy?$AAS?$AAi?$AAm?$AAu@EKOMKFNL@
		dd offset _PopSimulate
		dd 3 dup(0)
		dd offset ??_C@_1DE@GGNOAJBP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DO@MDCOAGDG@?$AAM?$AAa?$AAx?$AAT?$AAi?$AAm?$AAe?$AAS?$AAe?$AAp?$AAa?$AAr?$AAa?$AAt?$AAi@EKOMKFNL@
		dd offset _ExpMaxTimeSeperationBeforeCorrect
		align 10h
		dd offset ??_C@_1CA@EJHPIDFK@?$AAP?$AAr?$AAi?$AAo?$AAr?$AAi?$AAt?$AAy?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@EKOMKFNL@
		dd offset ??_C@_1DA@LIECLLEO@?$AAW?$AAi?$AAn?$AA3?$AA2?$AAP?$AAr?$AAi?$AAo?$AAr?$AAi?$AAt?$AAy?$AAS?$AAe@EKOMKFNL@
		dd offset _PsRawPrioritySeparation
		dd 3 dup(0)
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CC@OEFBDJFJ@?$AAD?$AAe?$AAb?$AAu?$AAg?$AAg?$AAe?$AAr?$AA?5?$AAR?$AAe?$AAt?$AAr?$AAi?$AAe@EKOMKFNL@
		dd offset _KdpContext
		align 10h
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@DEHGODC@?$AAD?$AAe?$AAb?$AAu?$AAg?$AAg?$AAe?$AAr?$AAM?$AAa?$AAx?$AAM?$AAo?$AAd?$AAu@EKOMKFNL@
		dd offset _DbgkpMaxModuleMsgs
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@NMDBGJA@?$AAW?$AAI?$AAN?$AA2?$AA0?$AA0?$AA0@EKOMKFNL@
		dd offset _Kd_WIN2000_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@EKOMKFNL@
		dd offset _Kd_SYSTEM_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19KPGMKHOL@?$AAS?$AAM?$AAS?$AAS@EKOMKFNL@
		dd offset _Kd_SMSS_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@PBHOBGFC@?$AAS?$AAE?$AAT?$AAU?$AAP@EKOMKFNL@
		dd offset _Kd_SETUP_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19ENNDBEJL@?$AAN?$AAT?$AAF?$AAS@EKOMKFNL@
		dd offset _Kd_NTFS_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@LFGFOCAF@?$AAF?$AAS?$AAT?$AAU?$AAB@EKOMKFNL@
		dd offset _Kd_FSTUB_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BE@OEMOMKBO@?$AAC?$AAR?$AAA?$AAS?$AAH?$AAD?$AAU?$AAM?$AAP@EKOMKFNL@
		dd offset _Kd_CRASHDUMP_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@POOLOHAD@?$AAC?$AAD?$AAA?$AAU?$AAD?$AAI?$AAO@EKOMKFNL@
		dd offset _Kd_CDAUDIO_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@NEPFDHKI@?$AAC?$AAD?$AAR?$AAO?$AAM@EKOMKFNL@
		dd offset _Kd_CDROM_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@CPLKIMMK@?$AAC?$AAL?$AAA?$AAS?$AAS?$AAP?$AAN?$AAP@EKOMKFNL@
		dd offset _Kd_CLASSPNP_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19HLPJEMPA@?$AAD?$AAI?$AAS?$AAK@EKOMKFNL@
		dd offset _Kd_DISK_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@HCCLCMOH@?$AAR?$AAE?$AAD?$AAB?$AAO?$AAO?$AAK@EKOMKFNL@
		dd offset _Kd_REDBOOK_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@KGFNAHDH@?$AAS?$AAT?$AAO?$AAR?$AAP?$AAR?$AAO?$AAP@EKOMKFNL@
		dd offset _Kd_STORPROP_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@FLNKIHIH@?$AAS?$AAC?$AAS?$AAI?$AAP?$AAO?$AAR?$AAT@EKOMKFNL@
		dd offset _Kd_SCSIPORT_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BK@PEMAEFGI@?$AAS?$AAC?$AAS?$AAI?$AAM?$AAI?$AAN?$AAI?$AAP?$AAO?$AAR?$AAT@EKOMKFNL@
		dd offset _Kd_SCSIMINIPORT_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@BAHOLLMK@?$AAC?$AAO?$AAN?$AAF?$AAI?$AAG@EKOMKFNL@
		dd offset _Kd_CONFIG_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@NIJBFLJG@?$AAI?$AA8?$AA0?$AA4?$AA2?$AAP?$AAR?$AAT@EKOMKFNL@
		dd offset _Kd_I8042PRT_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@IOGFCALD@?$AAS?$AAE?$AAR?$AAM?$AAO?$AAU?$AAS?$AAE@EKOMKFNL@
		dd offset _Kd_SERMOUSE_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@NEFJHNBI@?$AAL?$AAS?$AAE?$AAR?$AAM?$AAO?$AAU?$AAS@EKOMKFNL@
		dd offset _Kd_LSERMOUS_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@KNJFIJAH@?$AAK?$AAB?$AAD?$AAH?$AAI?$AAD@EKOMKFNL@
		dd offset _Kd_KBDHID_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@DJECJIJ@?$AAM?$AAO?$AAU?$AAH?$AAI?$AAD@EKOMKFNL@
		dd offset _Kd_MOUHID_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@FLJLACIH@?$AAK?$AAB?$AAD?$AAC?$AAL?$AAA?$AAS?$AAS@EKOMKFNL@
		dd offset _Kd_KBDCLASS_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@KHBACBEB@?$AAM?$AAO?$AAU?$AAC?$AAL?$AAA?$AAS?$AAS@EKOMKFNL@
		dd offset _Kd_MOUCLASS_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@IHJNOKFB@?$AAT?$AAW?$AAO?$AAT?$AAR?$AAA?$AAC?$AAK@EKOMKFNL@
		dd offset _Kd_TWOTRACK_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@MHJJGBKB@?$AAW?$AAM?$AAI?$AAL?$AAI?$AAB@EKOMKFNL@
		dd offset _Kd_WMILIB_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19CAINCBFJ@?$AAA?$AAC?$AAP?$AAI@EKOMKFNL@
		dd offset _Kd_ACPI_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19EBBDPBIL@?$AAA?$AAM?$AAL?$AAI@EKOMKFNL@
		dd offset _Kd_AMLI_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@INAEFELG@?$AAH?$AAA?$AAL?$AAI?$AAA?$AA6?$AA4@EKOMKFNL@
		dd offset _Kd_HALIA64_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@EPGPFLF@?$AAV?$AAI?$AAD?$AAE?$AAO@EKOMKFNL@
		dd offset _Kd_VIDEO_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@NJEEFIKO@?$AAS?$AAV?$AAC?$AAH?$AAO?$AAS?$AAT@EKOMKFNL@
		dd offset _Kd_SVCHOST_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@DONIHOID@?$AAV?$AAI?$AAD?$AAE?$AAO?$AAP?$AAR?$AAT@EKOMKFNL@
		dd offset _Kd_VIDEOPRT_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@HIKGEDIA@?$AAT?$AAC?$AAP?$AAI?$AAP@EKOMKFNL@
		dd offset _Kd_TCPIP_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@OEAEEGOP@?$AAD?$AAM?$AAS?$AAY?$AAN?$AAT?$AAH@EKOMKFNL@
		dd offset _Kd_DMSYNTH_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@JILCHCMP@?$AAN?$AAT?$AAO?$AAS?$AAP?$AAN?$AAP@EKOMKFNL@
		dd offset _Kd_NTOSPNP_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@CGJOBJKL@?$AAF?$AAA?$AAS?$AAT?$AAF?$AAA?$AAT@EKOMKFNL@
		dd offset _Kd_FASTFAT_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@FPINNANL@?$AAS?$AAA?$AAM?$AAS?$AAS@EKOMKFNL@
		dd offset _Kd_SAMSS_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@KIMIIFMC@?$AAP?$AAN?$AAP?$AAM?$AAG?$AAR@EKOMKFNL@
		dd offset _Kd_PNPMGR_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@LDPMBPKI@?$AAN?$AAE?$AAT?$AAA?$AAP?$AAI@EKOMKFNL@
		dd offset _Kd_NETAPI_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@CGJFNME@?$AAS?$AAC?$AAS?$AAE?$AAR?$AAV?$AAE?$AAR@EKOMKFNL@
		dd offset _Kd_SCSERVER_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@JLKELIPB@?$AAS?$AAC?$AAC?$AAL?$AAI?$AAE?$AAN?$AAT@EKOMKFNL@
		dd offset _Kd_SCCLIENT_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@EDBLBJGB@?$AAS?$AAE?$AAR?$AAI?$AAA?$AAL@EKOMKFNL@
		dd offset _Kd_SERIAL_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@JGDGJAKM@?$AAS?$AAE?$AAR?$AAE?$AAN?$AAU?$AAM@EKOMKFNL@
		dd offset _Kd_SERENUM_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19CEIKLEHF@?$AAU?$AAH?$AAC?$AAD@EKOMKFNL@
		dd offset _Kd_UHCD_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@NLGAHLIN@?$AAR?$AAP?$AAC?$AAP?$AAR?$AAO?$AAX?$AAY@EKOMKFNL@
		dd offset _Kd_RPCPROXY_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@GIDKNJFM@?$AAA?$AAU?$AAT?$AAO?$AAC?$AAH?$AAK@EKOMKFNL@
		dd offset _Kd_AUTOCHK_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@LPCHMKNG@?$AAD?$AAC?$AAO?$AAM?$AAS?$AAS@EKOMKFNL@
		dd offset _Kd_DCOMSS_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@FDGCEING@?$AAU?$AAN?$AAI?$AAM?$AAO?$AAD?$AAE?$AAM@EKOMKFNL@
		dd offset _Kd_UNIMODEM_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17LAJLCPFL@?$AAS?$AAI?$AAS@EKOMKFNL@
		dd offset _Kd_SIS_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@NDGIMMPN@?$AAF?$AAL?$AAT?$AAM?$AAG?$AAR@EKOMKFNL@
		dd offset _Kd_FLTMGR_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@BFNBODGB@?$AAW?$AAM?$AAI?$AAC?$AAO?$AAR?$AAE@EKOMKFNL@
		dd offset _Kd_WMICORE_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@BLONPGFC@?$AAB?$AAU?$AAR?$AAN?$AAE?$AAN?$AAG@EKOMKFNL@
		dd offset _Kd_BURNENG_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@ENABOFNC@?$AAI?$AAM?$AAA?$AAP?$AAI@EKOMKFNL@
		dd offset _Kd_IMAPI_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17HIBBPOGF@?$AAS?$AAX?$AAS@EKOMKFNL@
		dd offset _Kd_SXS_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@NCNDGEFJ@?$AAF?$AAU?$AAS?$AAI?$AAO?$AAN@EKOMKFNL@
		dd offset _Kd_FUSION_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@HAGOAFFK@?$AAI?$AAD?$AAL?$AAE?$AAT?$AAA?$AAS?$AAK@EKOMKFNL@
		dd offset _Kd_IDLETASK_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@LAKPCDKK@?$AAS?$AAO?$AAF?$AAT?$AAP?$AAC?$AAI@EKOMKFNL@
		dd offset _Kd_SOFTPCI_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19OJPJNDDA@?$AAT?$AAA?$AAP?$AAE@EKOMKFNL@
		dd offset _Kd_TAPE_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@NGEKBHII@?$AAM?$AAC?$AAH?$AAG?$AAR@EKOMKFNL@
		dd offset _Kd_MCHGR_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19EHJFODIJ@?$AAI?$AAD?$AAE?$AAP@EKOMKFNL@
		dd offset _Kd_IDEP_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@CCMMDNHM@?$AAP?$AAC?$AAI?$AAI?$AAD?$AAE@EKOMKFNL@
		dd offset _Kd_PCIIDE_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@CCEKCHDK@?$AAF?$AAL?$AAO?$AAP?$AAP?$AAY@EKOMKFNL@
		dd offset _Kd_FLOPPY_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17GIEHFEFF@?$AAF?$AAD?$AAC@EKOMKFNL@
		dd offset _Kd_FDC_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@FLLOMPB@?$AAT?$AAE?$AAR?$AAM?$AAS?$AAR?$AAV@EKOMKFNL@
		dd offset _Kd_TERMSRV_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@JAGAADAG@?$AAW?$AA3?$AA2?$AAT?$AAI?$AAM?$AAE@EKOMKFNL@
		dd offset _Kd_W32TIME_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BG@EDAEBFFN@?$AAP?$AAR?$AAE?$AAF?$AAE?$AAT?$AAC?$AAH?$AAE?$AAR@EKOMKFNL@
		dd offset _Kd_PREFETCHER_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@JHEFHMBN@?$AAR?$AAS?$AAF?$AAI?$AAL?$AAT?$AAE?$AAR@EKOMKFNL@
		dd offset _Kd_RSFILTER_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@JMECDIHP@?$AAF?$AAC?$AAP?$AAO?$AAR?$AAT@EKOMKFNL@
		dd offset _Kd_FCPORT_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17KACLLMCF@?$AAP?$AAC?$AAI@EKOMKFNL@
		dd offset _Kd_PCI_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19NCJMPEKA@?$AAD?$AAM?$AAI?$AAO@EKOMKFNL@
		dd offset _Kd_DMIO_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@DAMPBOIF@?$AAD?$AAM?$AAC?$AAO?$AAN?$AAF?$AAI?$AAG@EKOMKFNL@
		dd offset _Kd_DMCONFIG_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@MCNLHGKO@?$AAD?$AAM?$AAA?$AAD?$AAM?$AAI?$AAN@EKOMKFNL@
		dd offset _Kd_DMADMIN_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BO@CMPFHEFK@?$AAW?$AAS?$AAO?$AAC?$AAK?$AAT?$AAR?$AAA?$AAN?$AAS?$AAP?$AAO?$AAR?$AAT@EKOMKFNL@
		dd offset _Kd_WSOCKTRANSPORT_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17FKDGAAMC@?$AAV?$AAS?$AAS@EKOMKFNL@
		dd offset _Kd_VSS_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@ONHKGDAA@?$AAP?$AAN?$AAP?$AAM?$AAE?$AAM@EKOMKFNL@
		dd offset _Kd_PNPMEM_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BE@JHOCBNEO@?$AAP?$AAR?$AAO?$AAC?$AAE?$AAS?$AAS?$AAO?$AAR@EKOMKFNL@
		dd offset _Kd_PROCESSOR_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@ONGGPNBD@?$AAD?$AAM?$AAS?$AAE?$AAR?$AAV?$AAE?$AAR@EKOMKFNL@
		dd offset _Kd_DMSERVER_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_15KFCDODCM@?$AAS?$AAR@EKOMKFNL@
		dd offset _Kd_SR_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BG@CBLDGOCA@?$AAI?$AAN?$AAF?$AAI?$AAN?$AAI?$AAB?$AAA?$AAN?$AAD@EKOMKFNL@
		dd offset _Kd_INFINIBAND_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BE@EMFIGANI@?$AAI?$AAH?$AAV?$AAD?$AAR?$AAI?$AAV?$AAE?$AAR@EKOMKFNL@
		dd offset _Kd_IHVDRIVER_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@NIBCHNIE@?$AAI?$AAH?$AAV?$AAV?$AAI?$AAD?$AAE?$AAO@EKOMKFNL@
		dd offset _Kd_IHVVIDEO_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@OKMCNIOK@?$AAI?$AAH?$AAV?$AAA?$AAU?$AAD?$AAI?$AAO@EKOMKFNL@
		dd offset _Kd_IHVAUDIO_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BG@FDDPAKEP@?$AAI?$AAH?$AAV?$AAN?$AAE?$AAT?$AAW?$AAO?$AAR?$AAK@EKOMKFNL@
		dd offset _Kd_IHVNETWORK_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BK@GJFHDEAF@?$AAI?$AAH?$AAV?$AAS?$AAT?$AAR?$AAE?$AAA?$AAM?$AAI?$AAN?$AAG@EKOMKFNL@
		dd offset _Kd_IHVSTREAMING_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@KNINEFBA@?$AAI?$AAH?$AAV?$AAB?$AAU?$AAS@EKOMKFNL@
		dd offset _Kd_IHVBUS_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17LFJDFBHF@?$AAH?$AAP?$AAS@EKOMKFNL@
		dd offset _Kd_HPS_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BM@IFPGFGF@?$AAR?$AAT?$AAL?$AAT?$AAH?$AAR?$AAE?$AAA?$AAD?$AAP?$AAO?$AAO?$AAL@EKOMKFNL@
		dd offset _Kd_RTLTHREADPOOL_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17BBCCHIGH@?$AAL?$AAD?$AAR@EKOMKFNL@
		dd offset _Kd_LDR_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@BBGFHLK@?$AAT?$AAC?$AAP?$AAI?$AAP?$AA6@EKOMKFNL@
		dd offset _Kd_TCPIP6_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@FAEPPNJD@?$AAI?$AAS?$AAA?$AAP?$AAN?$AAP@EKOMKFNL@
		dd offset _Kd_ISAPNP_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19DBABIMLO@?$AAS?$AAH?$AAP?$AAC@EKOMKFNL@
		dd offset _Kd_SHPC_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@HBMJKFNP@?$AAS?$AAT?$AAO?$AAR?$AAP?$AAO?$AAR?$AAT@EKOMKFNL@
		dd offset _Kd_STORPORT_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BK@CEBCMCDO@?$AAS?$AAT?$AAO?$AAR?$AAM?$AAI?$AAN?$AAI?$AAP?$AAO?$AAR?$AAT@EKOMKFNL@
		dd offset _Kd_STORMINIPORT_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BK@MCMLANOK@?$AAP?$AAR?$AAI?$AAN?$AAT?$AAS?$AAP?$AAO?$AAO?$AAL?$AAE?$AAR@EKOMKFNL@
		dd offset _Kd_PRINTSPOOLER_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BG@IPGNPLMN@?$AAV?$AAS?$AAS?$AAD?$AAY?$AAN?$AAD?$AAI?$AAS?$AAK@EKOMKFNL@
		dd offset _Kd_VSSDYNDISK_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@KGNJPLCF@?$AAV?$AAE?$AAR?$AAI?$AAF?$AAI?$AAE?$AAR@EKOMKFNL@
		dd offset _Kd_VERIFIER_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17EEOFDCOB@?$AAV?$AAD?$AAS@EKOMKFNL@
		dd offset _Kd_VDS_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@OGMPALMC@?$AAV?$AAD?$AAS?$AAB?$AAA?$AAS@EKOMKFNL@
		dd offset _Kd_VDSBAS_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@GNFGANPB@?$AAV?$AAD?$AAS?$AAD?$AAY?$AAN@EKOMKFNL@
		dd offset _Kd_VDSDYN_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@BMCNIKPF@?$AAV?$AAD?$AAS?$AAD?$AAY?$AAN?$AAD?$AAR@EKOMKFNL@
		dd offset _Kd_VDSDYNDR_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@BLDEOPCG@?$AAV?$AAD?$AAS?$AAL?$AAD?$AAR@EKOMKFNL@
		dd offset _Kd_VDSLDR_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@OMLIOJCN@?$AAV?$AAD?$AAS?$AAU?$AAT?$AAI?$AAL@EKOMKFNL@
		dd offset _Kd_VDSUTIL_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@JKCEKNLO@?$AAD?$AAF?$AAR?$AAG?$AAI?$AAF?$AAC@EKOMKFNL@
		dd offset _Kd_DFRGIFC_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@KDAEEGIF@?$AAD?$AAE?$AAF?$AAA?$AAU?$AAL?$AAT@EKOMKFNL@
		dd offset _Kd_DEFAULT_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_15JEIFMHAO@?$AAM?$AAM@EKOMKFNL@
		dd offset _Kd_MM_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19GHGNHGLD@?$AAD?$AAF?$AAS?$AAC@EKOMKFNL@
		dd offset _Kd_DFSC_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@FBPBKHKH@?$AAW?$AAO?$AAW?$AA6?$AA4@EKOMKFNL@
		dd offset _Kd_WOW64_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19JGBANDJB@?$AAA?$AAL?$AAP?$AAC@EKOMKFNL@
		dd offset _Kd_ALPC_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17LHOLIFIE@?$AAW?$AAD?$AAI@EKOMKFNL@
		dd offset _Kd_WDI_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@DKJLEKJG@?$AAP?$AAE?$AAR?$AAF?$AAL?$AAI?$AAB@EKOMKFNL@
		dd offset _Kd_PERFLIB_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17BAELDECM@?$AAK?$AAT?$AAM@EKOMKFNL@
		dd offset _Kd_KTM_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@JBNHAGCD@?$AAI?$AAO?$AAS?$AAT?$AAR?$AAE?$AAS?$AAS@EKOMKFNL@
		dd offset _Kd_IOSTRESS_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19PPGMMKDP@?$AAH?$AAE?$AAA?$AAP@EKOMKFNL@
		dd offset _Kd_HEAP_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19MBPIHHGH@?$AAW?$AAH?$AAE?$AAA@EKOMKFNL@
		dd offset _Kd_WHEA_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@LOICENDC@?$AAU?$AAS?$AAE?$AAR?$AAG?$AAD?$AAI@EKOMKFNL@
		dd offset _Kd_USERGDI_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@LFBCBMIF@?$AAM?$AAM?$AAC?$AAS?$AAS@EKOMKFNL@
		dd offset _Kd_MMCSS_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17COEBFFLN@?$AAT?$AAP?$AAM@EKOMKFNL@
		dd offset _Kd_TPM_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BI@OKFGLGGD@?$AAT?$AAH?$AAR?$AAE?$AAA?$AAD?$AAO?$AAR?$AAD?$AAE?$AAR@EKOMKFNL@
		dd offset _Kd_THREADORDER_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@OOGOINLN@?$AAE?$AAN?$AAV?$AAI?$AAR?$AAO?$AAN@EKOMKFNL@
		dd offset _Kd_ENVIRON_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17JBNOFFOB@?$AAE?$AAM?$AAS@EKOMKFNL@
		dd offset _Kd_EMS_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17BFJIAKMG@?$AAW?$AAD?$AAT@EKOMKFNL@
		dd offset _Kd_WDT_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@IAGPKMAK@?$AAF?$AAV?$AAE?$AAV?$AAO?$AAL@EKOMKFNL@
		dd offset _Kd_FVEVOL_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19MADOJHGF@?$AAN?$AAD?$AAI?$AAS@EKOMKFNL@
		dd offset _Kd_NDIS_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@NPPJAEEJ@?$AAN?$AAV?$AAC?$AAT?$AAR?$AAA?$AAC?$AAE@EKOMKFNL@
		dd offset _Kd_NVCTRACE_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@DMCOPFJB@?$AAL?$AAU?$AAA?$AAF?$AAV@EKOMKFNL@
		dd offset _Kd_LUAFV_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BE@DNOENPHP@?$AAA?$AAP?$AAP?$AAC?$AAO?$AAM?$AAP?$AAA?$AAT@EKOMKFNL@
		dd offset _Kd_APPCOMPAT_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@DKDDNJBG@?$AAU?$AAS?$AAB?$AAS?$AAT?$AAO?$AAR@EKOMKFNL@
		dd offset _Kd_USBSTOR_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@NMALBGDH@?$AAS?$AAB?$AAP?$AA2?$AAP?$AAO?$AAR?$AAT@EKOMKFNL@
		dd offset _Kd_SBP2PORT_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@PJDDEKGG@?$AAC?$AAO?$AAV?$AAE?$AAR?$AAA?$AAG?$AAE@EKOMKFNL@
		dd offset _Kd_COVERAGE_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@PKBMAPNK@?$AAC?$AAA?$AAC?$AAH?$AAE?$AAM?$AAG?$AAR@EKOMKFNL@
		dd offset _Kd_CACHEMGR_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BC@HKJCNDBE@?$AAM?$AAO?$AAU?$AAN?$AAT?$AAM?$AAG?$AAR@EKOMKFNL@
		dd offset _Kd_MOUNTMGR_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17IFMKMLMA@?$AAC?$AAF?$AAR@EKOMKFNL@
		dd offset _Kd_CFR_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17BFBDFANB@?$AAT?$AAX?$AAF@EKOMKFNL@
		dd offset _Kd_TXF_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@DEBOEMCC@?$AAK?$AAS?$AAE?$AAC?$AAD?$AAD@EKOMKFNL@
		dd offset _Kd_KSECDD_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BG@NHAHDLNG@?$AAF?$AAL?$AAT?$AAR?$AAE?$AAG?$AAR?$AAE?$AAS?$AAS@EKOMKFNL@
		dd offset _Kd_FLTREGRESS_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19MJDHPLJA@?$AAM?$AAP?$AAI?$AAO@EKOMKFNL@
		dd offset _Kd_MPIO_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@DGHGIEGL@?$AAM?$AAS?$AAD?$AAS?$AAM@EKOMKFNL@
		dd offset _Kd_MSDSM_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19OOCGFPKP@?$AAU?$AAD?$AAF?$AAS@EKOMKFNL@
		dd offset _Kd_UDFS_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@FLOJNDDK@?$AAP?$AAS?$AAH?$AAE?$AAD@EKOMKFNL@
		dd offset _Kd_PSHED_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@OBDKHNPE@?$AAS?$AAT?$AAO?$AAR?$AAV?$AAS?$AAP@EKOMKFNL@
		dd offset _Kd_STORVSP_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@FFPFOGMM@?$AAL?$AAS?$AAA?$AAS?$AAS@EKOMKFNL@
		dd offset _Kd_LSASS_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BA@MOPPEILC@?$AAS?$AAS?$AAP?$AAI?$AAC?$AAL?$AAI@EKOMKFNL@
		dd offset _Kd_SSPICLI_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17OFOOOAA@?$AAC?$AAN?$AAG@EKOMKFNL@
		dd offset _Kd_CNG_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@OJLALFJK@?$AAE?$AAX?$AAF?$AAA?$AAT@EKOMKFNL@
		dd offset _Kd_EXFAT_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BE@NJEKICK@?$AAF?$AAI?$AAL?$AAE?$AAT?$AAR?$AAA?$AAC?$AAE@EKOMKFNL@
		dd offset _Kd_FILETRACE_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@HPFEKJLP@?$AAX?$AAS?$AAA?$AAV?$AAE@EKOMKFNL@
		dd offset _Kd_XSAVE_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_15GIONIMAK@?$AAS?$AAE@EKOMKFNL@
		dd offset _Kd_SE_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BM@HFEEMJAN@?$AAD?$AAR?$AAI?$AAV?$AAE?$AAE?$AAX?$AAT?$AAE?$AAN?$AAD?$AAE?$AAR@EKOMKFNL@
		dd offset _Kd_DRIVEEXTENDER_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@LGJCJJJI@?$AAP?$AAO?$AAW?$AAE?$AAR@EKOMKFNL@
		dd offset _Kd_POWER_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BM@MIIBINJG@?$AAC?$AAR?$AAA?$AAS?$AAH?$AAD?$AAU?$AAM?$AAP?$AAX?$AAH?$AAC?$AAI@EKOMKFNL@
		dd offset _Kd_CRASHDUMPXHCI_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19NOBFGLFJ@?$AAG?$AAP?$AAI?$AAO@EKOMKFNL@
		dd offset _Kd_GPIO_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19MAFAEEEI@?$AAR?$AAE?$AAF?$AAS@EKOMKFNL@
		dd offset _Kd_REFS_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_17PLKPIGLP@?$AAW?$AAE?$AAR@EKOMKFNL@
		dd offset _Kd_WER_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1O@ICJJIJDF@?$AAC?$AAA?$AAP?$AAI?$AAM?$AAG@EKOMKFNL@
		dd offset _Kd_CAPIMG_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_19JCIJPNDF@?$AAV?$AAP?$AAC?$AAI@EKOMKFNL@
		dd offset _Kd_VPCI_Mask
		dd 3 dup(0)
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CG@OAEKLONO@?$AAS?$AAT?$AAO?$AAR?$AAA?$AAG?$AAE?$AAC?$AAL?$AAA?$AAS?$AAS?$AAM?$AAE?$AAM@EKOMKFNL@
		dd offset _Kd_STORAGECLASSMEMORY_Mask
		align 10h
		dd offset ??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1M@GOCPAKHL@?$AAF?$AAS?$AAL?$AAI?$AAB@EKOMKFNL@
		dd offset _Kd_FSLIB_Mask
		dd 3 dup(0)
		dd offset ??_C@_19MBPIHHGH@?$AAW?$AAH?$AAE?$AAA@EKOMKFNL@
		dd offset ??_C@_1DG@HOEOOOKM@?$AAS?$AAi?$AAn?$AAg?$AAl?$AAe?$AAB?$AAi?$AAt?$AAE?$AAc?$AAc?$AAE?$AAr?$AAr@EKOMKFNL@
		dd offset _WheapSingleBitEccErrorThreshold
		align 10h
		dd offset ??_C@_19MBPIHHGH@?$AAW?$AAH?$AAE?$AAA@EKOMKFNL@
		dd offset ??_C@_1DG@HCPJNHFA@?$AAM?$AAa?$AAx?$AAC?$AAo?$AAr?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAM?$AAC?$AAE@EKOMKFNL@
		dd offset _WheapMaxCorrectedMCEOutstanding
		dd 3 dup(0)
		dd offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset ??_C@_1BO@LBFJPMML@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAO?$AAf?$AAf?$AAl?$AAi?$AAn?$AAe@EKOMKFNL@
		dd offset _WheaRegPolicyDisableOffline
		align 10h
		dd offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset ??_C@_1CE@GEOJMGFF@?$AAM?$AAe?$AAm?$AAP?$AAe?$AAr?$AAs?$AAi?$AAs?$AAt?$AAO?$AAf?$AAf?$AAl?$AAi@EKOMKFNL@
		dd offset _WheaRegPolicyMemPersistOffline
		dd 3 dup(0)
		dd offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset ??_C@_1BM@OIKNOJHC@?$AAM?$AAe?$AAm?$AAP?$AAf?$AAa?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe@EKOMKFNL@
		dd offset _WheaRegPolicyMemPfaDisable
		align 10h
		dd offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset loc_AFBF2F+1
		dd offset _WheaRegPolicyMemPfaPageCount
		dd 3 dup(0)
		dd offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset ??_C@_1CA@KOMJJKMM@?$AAM?$AAe?$AAm?$AAP?$AAf?$AAa?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh?$AAo?$AAl?$AAd@EKOMKFNL@
		dd offset _WheaRegPolicyMemPfaThreshold
		align 10h
		dd offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset ??_C@_1BM@LFDBDPAM@?$AAM?$AAe?$AAm?$AAP?$AAf?$AAa?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@EKOMKFNL@
		dd offset _WheaRegPolicyMemPfaTimeout
		dd 3 dup(0)
		dd offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset loc_AFBF4F+1
		dd offset _WheaRegPolicyIgnoreDummyWrite
		align 10h
		dd offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset ??_C@_1CG@GGAGMKOM@?$AAR?$AAe?$AAs?$AAt?$AAo?$AAr?$AAe?$AAC?$AAm?$AAc?$AAi?$AAE?$AAn?$AAa?$AAb@EKOMKFNL@
		dd offset _WheapRegPolicyRestoreCmciEnabled
		dd 3 dup(0)
		dd offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset ??_C@_1CO@EJEIPIDH@?$AAR?$AAe?$AAs?$AAt?$AAo?$AAr?$AAe?$AAC?$AAm?$AAc?$AAi?$AAM?$AAa?$AAx?$AAA@EKOMKFNL@
		dd offset _WheapRegPolicyRestoreCmciMaxAttempts
		align 10h
		dd offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset loc_AFC00B+1
		dd offset _WheapRegPolicyRestoreCmciErrorLimit
		dd 3 dup(0)
		dd offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset ??_C@_1CE@IFNODAPI@?$AAC?$AAM?$AAC?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh?$AAo?$AAl?$AAd?$AAC?$AAo?$AAu@EKOMKFNL@
		dd offset _WheapRegPolicyCmciThresholdCount
		align 10h
		dd offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset ??_C@_1CI@NKLDOMBM@?$AAC?$AAM?$AAC?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh?$AAo?$AAl?$AAd?$AAS?$AAe?$AAc@EKOMKFNL@
		dd offset _WheapRegPolicyCmciThresholdTime
		dd 3 dup(0)
		dd offset ??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset ??_C@_1CA@KBCEKDGB@?$AAC?$AAM?$AAC?$AAP?$AAo?$AAl?$AAl?$AAi?$AAn?$AAg?$AAL?$AAi?$AAm?$AAi?$AAt@EKOMKFNL@
		dd offset _WheapRegPolicyCmciThresholdPollCount
		align 10h
		dd offset ??_C@_1BE@CAJFDKPL@?$AAW?$AAM?$AAI?$AA?2?$AAT?$AAr?$AAa?$AAc?$AAe@EKOMKFNL@
		dd offset ??_C@_1CA@EDHBOKHJ@?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl?$AAe?$AAI?$AAn?$AAt?$AAe?$AAr?$AAv?$AAa?$AAl@EKOMKFNL@
		dd offset _EtwpProfileInterval
		dd 3 dup(0)
		dd offset ??_C@_1BE@CAJFDKPL@?$AAW?$AAM?$AAI?$AA?2?$AAT?$AAr?$AAa?$AAc?$AAe@EKOMKFNL@
		dd offset ??_C@_1CA@IOIFOKG@?$AAM?$AAe?$AAm?$AAI?$AAn?$AAf?$AAo?$AAI?$AAn?$AAt?$AAe?$AAr?$AAv?$AAa?$AAl@EKOMKFNL@
		dd offset _EtwpMemInfoInterval
		align 10h
		dd offset ??_C@_1BE@CAJFDKPL@?$AAW?$AAM?$AAI?$AA?2?$AAT?$AAr?$AAa?$AAc?$AAe@EKOMKFNL@
		dd offset loc_AFC0B3+1
		dd offset _EtwpStackCaptureTimeout
		dd 3 dup(0)
		dd offset ??_C@_1BE@CAJFDKPL@?$AAW?$AAM?$AAI?$AA?2?$AAT?$AAr?$AAa?$AAc?$AAe@EKOMKFNL@
		dd offset ??_C@_1CG@EPJIJBDO@?$AAC?$AAo?$AAv?$AAe?$AAr?$AAa?$AAg?$AAe?$AAE?$AAn?$AAt?$AAr?$AAy?$AAC?$AAo@EKOMKFNL@
		dd offset _EtwpCoverageEntryCount
		align 10h
		dd offset ??_C@_1BE@CAJFDKPL@?$AAW?$AAM?$AAI?$AA?2?$AAT?$AAr?$AAa?$AAc?$AAe@EKOMKFNL@
		dd offset ??_C@_1CI@LHFBMEIN@?$AAC?$AAo?$AAv?$AAe?$AAr?$AAa?$AAg?$AAe?$AAF?$AAl?$AAu?$AAs?$AAh?$AAP?$AAe@EKOMKFNL@
		dd offset _EtwpCoverageFlushPeriod
		dd 3 dup(0)
		dd offset ??_C@_1BE@CAJFDKPL@?$AAW?$AAM?$AAI?$AA?2?$AAT?$AAr?$AAa?$AAc?$AAe@EKOMKFNL@
		dd offset ??_C@_1CI@OKKOPHDB@?$AAC?$AAo?$AAv?$AAe?$AAr?$AAa?$AAg?$AAe?$AAR?$AAe?$AAs?$AAe?$AAt?$AAP?$AAe@EKOMKFNL@
		dd offset _EtwpCoverageResetPeriod
		align 10h
		dd offset ??_C@_1CK@CPCDFBHM@?$AAE?$AAm?$AAb?$AAe?$AAd?$AAd?$AAe?$AAd?$AAN?$AAT?$AA?2?$AAE?$AAx?$AAe?$AAc@EKOMKFNL@
		dd offset ??_C@_1DA@FIAIHGJJ@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAn?$AAl?$AAy?$AAC?$AAo?$AAn?$AAf?$AAi@EKOMKFNL@
		dd offset _PsEmbeddedNTMask
		dd 3 dup(0)
		dd offset ??_C@_1BK@FINFFJHL@?$AAC?$AAr?$AAa?$AAs?$AAh?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@EKOMKFNL@
		dd offset ??_C@_1BG@KMCBNDPK@?$AAA?$AAu?$AAt?$AAo?$AAR?$AAe?$AAb?$AAo?$AAo?$AAt@EKOMKFNL@
		dd offset _IopAutoReboot
		align 10h
		dd offset ??_C@_1DE@GGNOAJBP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@DFKOHCLH@?$AAT?$AAi?$AAc?$AAk?$AAc?$AAo?$AAu?$AAn?$AAt?$AAR?$AAo?$AAl?$AAl?$AAo?$AAv@EKOMKFNL@
		dd offset _InitTickRolloverDelay
		dd offset _InitTickRolloverDelayLength
		dd offset _InitTickRolloverDelayType
		align 8
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BO@FIFGBAMF@?$AAA?$AAl?$AAp?$AAc?$AAM?$AAe?$AAs?$AAs?$AAa?$AAg?$AAe?$AAL?$AAo?$AAg@EKOMKFNL@
		dd offset _AlpcpMessageLogEnabled
		align 10h
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BO@BOEJIPCA@?$AAA?$AAl?$AAp?$AAc?$AAW?$AAa?$AAk?$AAe?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@
		dd offset _AlpcpWakePolicyDefault
		dd 3 dup(0)
		dd offset ??_C@_1DE@GGNOAJBP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@FAPNGAJA@?$AAC?$AAo?$AAv?$AAe?$AAr?$AAa?$AAg?$AAe?$AAM?$AAa?$AAx?$AAP?$AAa?$AAg?$AAe@EKOMKFNL@
		dd offset _ExCovMaxPagedPoolToUse
		align 10h
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@ECAHNNAO@?$AAI?$AAm?$AAa?$AAg?$AAe?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi?$AAo?$AAn?$AAO@EKOMKFNL@
		dd offset _ViImageExecutionOptions
		dd 3 dup(0)
		dd offset ??_C@_1CI@JODFHPHO@?$AAV?$AAa?$AAl?$AAi?$AAd?$AAa?$AAt?$AAi?$AAo?$AAn?$AAR?$AAu?$AAn?$AAl?$AAe@EKOMKFNL@
		dd offset ??_C@_1O@CHBCJGPP@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl@EKOMKFNL@
		dd offset _CmGlobalValidationRunlevel
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DK@DKFGMOEL@?$AAB?$AAu?$AAg?$AAC?$AAh?$AAe?$AAc?$AAk?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc@EKOMKFNL@
		dd offset _KiBugCheckUnexpectedInterrupts
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@PBLHPFPI@?$AAD?$AAe?$AAb?$AAu?$AAg?$AAg?$AAe?$AAr?$AAI?$AAs?$AAS?$AAt?$AAa?$AAl?$AAl@EKOMKFNL@
		dd offset _KiDebuggerIsStallOwner
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CE@KFDOOGGC@?$AAD?$AAe?$AAb?$AAu?$AAg?$AAP?$AAo?$AAl?$AAl?$AAI?$AAn?$AAt?$AAe?$AAr?$AAv@EKOMKFNL@
		dd offset _KiDebugPollInterval
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DC@KOELKDCA@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAO?$AAf?$AAf?$AAF?$AAr?$AAo?$AAz?$AAe?$AAn?$AAP@EKOMKFNL@
		dd offset _KiPowerOffFrozenProcessors
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DE@FGNGDNA@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAL?$AAi?$AAg?$AAh?$AAt?$AAW?$AAe?$AAi@EKOMKFNL@
		dd offset _KiDisableLightWeightSuspend
		dd 3 dup(0)
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CM@PLHMKNEJ@?$AAE?$AAr?$AAr?$AAo?$AAr?$AAP?$AAo?$AAr?$AAt?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT@EKOMKFNL@
		dd offset _DbgkErrorPortStartTimeout
		align 10h
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@BOKDLB@?$AAE?$AAr?$AAr?$AAo?$AAr?$AAP?$AAo?$AAr?$AAt?$AAC?$AAo?$AAm?$AAm?$AAT?$AAi@EKOMKFNL@
		dd offset _DbgkErrorPortCommTimeout
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DI@LKCFJDAG@?$AAO?$AAb?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt@EKOMKFNL@
		dd offset _ObpObjectSecurityInheritance
		align 10h
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DG@BGLENKAK@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAS?$AAi?$AAm?$AAu?$AAl?$AAa?$AAt?$AAe?$AAH?$AAi@EKOMKFNL@
		dd offset _PopSimulateHiberBugcheck
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EA@JKKABPCO@?$AAS?$AAe?$AAA?$AAl?$AAl?$AAo?$AAw?$AAA?$AAl?$AAl?$AAA?$AAp?$AAp?$AAl?$AAi@EKOMKFNL@
		dd offset _SepAllowAllApplicationAceRemoval
		align 10h
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CC@KKPADHEA@?$AAI?$AAn?$AAi?$AAt?$AAC?$AAo?$AAn?$AAs?$AAo?$AAl?$AAe?$AAF?$AAl?$AAa?$AAg@EKOMKFNL@
		dd offset _InitConsoleFlags
		dd 3 dup(0)
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DK@FLLHNMFO@?$AAM?$AAu?$AAl?$AAt?$AAi?$AAU?$AAs?$AAe?$AAr?$AAs?$AAI?$AAn?$AAS?$AAe?$AAs@EKOMKFNL@
		dd offset _RtlpMultiUsersInSessionSupported
		align 10h
		dd offset ??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AFC507+1
		dd offset _RtlpDisableIFEOCaching
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CG@OPIHDNIM@?$AAH?$AAy?$AAp?$AAe?$AAr?$AAS?$AAt?$AAa?$AAr?$AAt?$AAD?$AAi?$AAs?$AAa?$AAb@EKOMKFNL@
		dd offset _HvlVpStartDisabled
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EM@BOMHABCH@?$AAS?$AAe?$AAA?$AAl?$AAl?$AAo?$AAw?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAI@EKOMKFNL@
		dd offset _SepAllowSessionImpersonationCap
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DE@FLMAFHCN@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAr?$AAu?$AAp?$AAt?$AAS?$AAt?$AAe?$AAe?$AAr?$AAi@EKOMKFNL@
		dd offset _KiInterruptSteeringDisabled
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EC@GEAHDILE@?$AAS?$AAe?$AAT?$AAo?$AAk?$AAe?$AAn?$AAS?$AAi?$AAn?$AAg?$AAl?$AAe?$AAt?$AAo@EKOMKFNL@
		dd offset _SepTokenSingletonAttributesConfig
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BM@DNBGCAEI@?$AAS?$AAe?$AAC?$AAo?$AAm?$AAp?$AAa?$AAt?$AAF?$AAl?$AAa?$AAg?$AAs@EKOMKFNL@
		dd offset _SeCompatFlags
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AFC65F+1
		dd offset _SeTokenLeakTracking
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AFC6CF+1
		dd offset _SeTokenDoesNotTrackSessionObject
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DE@JKGIIIBA@?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAF?$AAa?$AAv?$AAo?$AAr?$AAe?$AAd?$AAC?$AAo@EKOMKFNL@
		dd offset _PpmHeteroFavoredCoreFallback
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DA@DJCFGEAB@?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAH?$AAy@EKOMKFNL@
		dd offset _PpmPerfQosTransitionHysteresisOverride
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1BI@JPPDHLFB@?$AAH?$AAr?$AAI?$AAn?$AAc?$AAr?$AAe?$AAm?$AAe?$AAn?$AAt@EKOMKFNL@
		dd offset _KiHrIncrement
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@NBNKKPJD@?$AAR?$AAe?$AAb?$AAa?$AAl?$AAa?$AAn?$AAc?$AAe?$AAM?$AAi?$AAn?$AAP?$AAr?$AAi@EKOMKFNL@
		dd offset _KiRebalanceMinPriority
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DI@MAOLDIHC@?$AAS?$AAe?$AAL?$AAp?$AAa?$AAc?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAW?$AAa?$AAt@EKOMKFNL@
		dd offset _SeLpacEnableWatsonReporting
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DK@GBKPEDDG@?$AAS?$AAe?$AAL?$AAp?$AAa?$AAc?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAW?$AAa?$AAt@EKOMKFNL@
		dd offset _SeLpacEnableWatsonThrottling
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@NPAEEIGN@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAW?$AAe?$AAr?$AAU?$AAs?$AAe?$AAr?$AAR?$AAe@EKOMKFNL@
		dd offset _DbgkEnableWerUserReporting
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset loc_AFC86F+1
		dd offset _SeAdminlessEnableWatsonReporting
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EA@FMGIIEHM@?$AAA?$AAd?$AAm?$AAi?$AAn?$AAl?$AAe?$AAs?$AAs?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@EKOMKFNL@
		dd offset _SeAdminlessEnableWatsonThrottling
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EA@MLOINJPN@?$AAA?$AAd?$AAm?$AAi?$AAn?$AAl?$AAe?$AAs?$AAs?$AAE?$AAn?$AAf?$AAo?$AAr?$AAc@EKOMKFNL@
		dd offset _SeAdminlessEnforcementModeEnabled
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1EM@GKDNBKBJ@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAO?$AAw?$AAn?$AAe?$AAr?$AAP?$AAr?$AAo?$AAt@EKOMKFNL@
		dd offset _SeDeviceOwnerProtectionDowngradeAllowed
		dd 3 dup(0)
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CK@BGPNDLIH@?$AAC?$AAa?$AAc?$AAh?$AAe?$AAA?$AAw?$AAa?$AAr?$AAe?$AAS?$AAc?$AAh?$AAe?$AAd@EKOMKFNL@
		dd offset _KiCacheAwareScheduling
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1CO@JHBEJNJB@?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAS?$AAc?$AAh?$AAe?$AAd?$AAu?$AAl?$AAe?$AAr@EKOMKFNL@
		dd offset _KiHeteroSchedulerOptions
		dd 3 dup(0)
		dd offset ??_C@_1BO@MHIGONBA@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl@EKOMKFNL@
		dd offset ??_C@_17FOAIFHB@?$AAK?$AAV?$AAB@EKOMKFNL@
		dd offset _KernelVersionBump
		align 10h
		dd offset ??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@
		dd offset ??_C@_1DI@EEPNDFOE@?$AAA?$AAd?$AAm?$AAi?$AAn?$AAl?$AAe?$AAs?$AAs?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@EKOMKFNL@
		dd offset _SeAdminlessEnableEventLogging
		dd 3 dup(0)
		dd offset ??_C@_1BO@CKFMEODG@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAV?$AAe?$AAl?$AAo?$AAc?$AAi?$AAt?$AAy@EKOMKFNL@
		dd offset ??_C@_1CO@ILGIFEAF@?$AAK?$AAV?$AAF?$AA_?$AAH?$AAo?$AAt?$AAP?$AAa?$AAt?$AAc?$AAh?$AAS?$AAi?$AAm@EKOMKFNL@
		dd offset _KvfFeatureStates
		dd 2 dup(0)
		dd 1, 6	dup(0)
; char *SearchStrings
_SearchStrings	dd offset ??_C@_03GDMIGCCC@Ver@EKOMKFNL@
					; DATA XREF: CmpGetBiosVersion:loc_AC73EBr
					; CmpGetBiosVersion+C2r
		dd offset loc_AFCA53+1
		dd offset ??_C@_03DIOLMKKK@Rel@EKOMKFNL@
		dd offset ??_C@_02IPIEAEPM@v0@EKOMKFNL@
		dd offset ??_C@_02JGJPDFLN@v1@EKOMKFNL@
		dd offset ??_C@_02LNLCGGHO@v2@EKOMKFNL@
		dd offset ??_C@_02KEKJFHDP@v3@EKOMKFNL@
		dd offset ??_C@_02OLOIMBPI@v4@EKOMKFNL@
		dd offset ??_C@_02PCPDPALJ@v5@EKOMKFNL@
		dd offset ??_C@_02NJNOKDHK@v6@EKOMKFNL@
		dd offset ??_C@_02MAMFJCDL@v7@EKOMKFNL@
		dd offset ??_C@_02EHFNIOPE@v8@EKOMKFNL@
		dd offset ??_C@_02FOEGLPLF@v9@EKOMKFNL@
		dd offset ??_C@_03HHOEKPLA@v?50@EKOMKFNL@
		dd offset ??_C@_03GOPPJOPB@v?51@EKOMKFNL@
		dd offset ??_C@_03EFNCMNDC@v?52@EKOMKFNL@
		dd offset ??_C@_03FMMJPMHD@v?53@EKOMKFNL@
		dd offset loc_AFCA92+2
		dd offset ??_C@_03KJDFLPF@v?55@EKOMKFNL@
		dd offset loc_AFCA9B+1
		dd offset loc_AFCA97+1
		dd offset ??_C@_03LPDNCFLI@v?58@EKOMKFNL@
		dd offset loc_AFCA9E+2
		align 8

_QStringTerminators:
		push	ss
		scas	dword ptr es:[di]
; 
		db 0
_EmptyValue	dd 0			; DATA XREF: CmpParseInfBuffer:loc_AC996Bo
					; CmpParseInfBuffer:loc_AE5D8Bo ...
; 

; char StringTerminators
_StringTerminators:			; DATA XREF: CmpGetToken+C2o
		pop	ebx
		pop	ebp

loc_AF6712:				; DATA XREF: CmpGetToken+1F7o
		cmp	eax, 2220092Ch
		or	cl, [ebx+ecx]
		or	eax, 0

loc_AF671F:				; DATA XREF: HvlpRegisterPowerPolicyCallbacks()+1Dr
		add	[esi+eax], ch
		inc	ecx

loc_AF6723:				; DATA XREF: HvlpRegisterPowerPolicyCallbacks()+12r
		add	ds:0C000000h, al
		push	es
		inc	ecx
		add	[esi], al
; 
		db 3 dup(0)
		dd offset loc_41063A+2
		dd 7
		dd offset _GUID_PROCESSOR_PERF_DECREASE_THRESHOLD
		dd 8
		dd offset loc_4105AB+1
		dd 9
		dd offset _GUID_PROCESSOR_PERF_DECREASE_POLICY
		dd 0Ah
		dd offset loc_410528+4
		dd 0Bh
		dd offset loc_4105CA+2
		dd 0Ch
		dd offset loc_41050A+2
		dd 0Dh
		dd offset _GUID_PROCESSOR_CORE_PARKING_MIN_CORES
		dd 0Eh
		dd offset _GUID_PROCESSOR_PERF_TIME_CHECK
		dd 0Fh
		dd offset _GUID_PROCESSOR_PERF_INCREASE_TIME
		dd 10h
		dd offset loc_410579+3
		dd 11h
		dd offset _GUID_PROCESSOR_PERF_BOOST_POLICY
		dd 12h
		dd offset loc_41059B+1
		dd 13h
; 

_HvlpPowerSettingList:			; DATA XREF: HvlpRegisterPowerPolicyCallbacks()+4Br
					; HvlpRegisterPowerPolicyCallbacks()+40r
		fadd	large qword ptr	ds:41h
; 
		dw 0
		dd offset loc_4105E9+3
		dd 1
		dd offset _GUID_PROCESSOR_IDLE_PROMOTE_THRESHOLD
		dd 2
		dd offset loc_41053B+1
		dd 3
		dd offset loc_41058B+1
		align 10h

_IopCompletionMapping:			; DATA XREF: IoCreateObjectTypes+165o
		add	[eax], eax
		add	al, [eax]
		add	al, [eax]
		add	al, [eax]
; 
		dd 120000h, 1F0003h
; 

_IopWaitCompletionMapping:		; DATA XREF: IoCreateObjectTypes+1C7o
		add	[eax], eax
		add	al, [eax]
		add	[eax], eax
		add	al, [eax]
		add	[eax], eax
		add	al, [eax]
		add	[eax], eax
; 
		dw 0Fh
_IopWstrHal:				; DATA XREF: IoReportHalResourceUsage+14o
		unicode	0, <Hardware Abstraction Layer>,0
		align 4

;  S U B	R O U T	I N E 


_IopWstrSystem	proc near		; DATA XREF: IopInitializeResourceMap+1Ao
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		and	[eax], al
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		outsd
_IopWstrSystem	endp

		add	[ebp+0], dh
		jb	short $+2
		arpl	[eax], ax
		add	gs:[ebx+0], dh
; 
		dd 0
_IopWstrLoaderReservedMemory:		; DATA XREF: IopInitializeResourceMap+55o
		unicode	0, <Loader Reserved>,0
_IopWstrPhysicalMemory:			; DATA XREF: IopInitializeResourceMap:loc_AB50D7o
		unicode	0, <Physical Memory>,0
_IopWstrSpecialMemory:			; DATA XREF: IopInitializeResourceMap:loc_AB5084o
		unicode	0, <Reserved>,0
		align 10h
_PnpClassificationRank dd 0		; DATA XREF: PnpEarlyLaunchImageNotificationPostProcess(x,x,x,x,x)+21r
					; PnpEarlyLaunchImageNotificationPostProcess(x,x,x,x,x)+28r
		dd 1, 3, 2
; 

_AlpcpPortMapping:			; DATA XREF: AlpcpInitSystem+A5o
		add	[eax], eax
		add	al, [eax]
		add	[eax], eax
		add	[eax], eax
; 
		dd 0
		dd 1F0001h
; 

_MiSectionMapping:			; DATA XREF: MiSectionInitialization+7Co
		add	eax, 2000200h
		add	[edx], al
		add	[eax], cl
		add	[edx], al
		add	[edi], bl
		add	[edi], cl

loc_AF68BF:				; DATA XREF: MiInitializeSessionIds+A9o
		add	[ecx], al
		add	[edx], al
		add	[edx], al
		add	[edx], al
		add	[ecx], al
		add	[edx], dl
		add	[ebx], al
		add	[edi], cl
; 
		db 0
_ObpTypeMapping	dd 3 dup(20000h), 0F0001h ; DATA XREF: ObInitSystem+1DFo
; 

_ObpDirectoryMapping:			; DATA XREF: ObInitSystem+24Fo
		add	eax, [eax]
		add	al, [eax]
		or	al, 0
		add	al, [eax]
		add	eax, [eax]
		add	al, [eax]
		str	word ptr [edi]

loc_AF68EF:				; DATA XREF: ObInitSystem+2DAo
		add	[ecx], al
		add	[edx], al
; 
		db 0
		dd 20000h, 20001h, 0F0001h
; 

_PopInitialSettingCallbacks:		; DATA XREF: PopInitializePowerSettingCallbacks()+11r
					; PopInitializePowerSettingCallbacks()+Br
		mov	eax, 0EE00407Fh
		scasb
		push	esi
		add	[eax-11FFBF81h], ch
		scasb
		push	esi
		add	[eax-59h], bl
		inc	eax
		add	[ecx-5BFF6547h], dh
		mov	al, [ecx+0]
		not	byte ptr [ecx-75h]
		add	[eax-74h], bl
		inc	eax
		add	dh, dh
		push	ecx
		mov	eax, [eax]
		add	[ebp+55EE0040h], cl
		mov	eax, [eax]
		and	[esi+40h], bh
		add	[eax+5000886Ah], ch
		jle	short near ptr loc_AF6978+3
		add	[eax+4000886Ah], ch
		jle	short near ptr loc_AF697F+4
		add	[eax-79h], bl
		push	esi
		add	[eax], bh
		push	esi
		inc	eax
		add	dh, bl
		imul	ecx, [eax+407E6000h], 0
		fisubr	word ptr [ebx-78h]
		add	[eax], dh
		lea	eax, [eax+0]
		and	[ecx-75h], bl
		add	[eax], ch
		push	esi
		inc	eax
		add	[esi], ah
		insd
		mov	[eax], al
		sbb	[esi+40h], dl
		add	[esi], ah
		insd
		mov	[eax], al
		mov	al, ds:2600407Eh
		insd
		mov	[eax], al

loc_AF6978:				; CODE XREF: INIT:00AF6939j
		sal	byte ptr [eax+eax*2+0],	1
		xor	[ebp+56h], cl

loc_AF697F:				; CODE XREF: INIT:00AF6941j
		add	[edx+esi*2+4D300040h], ah
		push	esi
		add	[eax-59FFBF81h], dl
		aam	57h
		add	[eax-59FFBF81h], bh
		aam	57h
		add	[edx+esi*2-7479FFC0h], ah
		xchg	al, [eax]
		nop
		jle	short near ptr loc_AF69E1+2
		add	[esi], ah
		insd
		mov	[eax], al
		cmp	byte ptr [esi+40h], 0
		db	26h
		insd
		mov	[eax], al
		mov	al, 7Eh
		inc	eax
		add	dh, bl
		outsb
		mov	[eax], al
		in	al, 7Eh
		inc	eax
		add	dh, bl
		outsb
		mov	[eax], al
		hlt
		jle	short near ptr loc_AF69FD+6
		add	dh, bl
		outsb
		mov	[eax], al
		add	al, 7Fh
		inc	eax
		add	dh, bl		; CODE XREF: INIT:00AF6A04j
		outsb
		mov	[eax], al
		jo	short near ptr loc_AF6A4C+4
		inc	eax
		add	[esi+2000886Ch], ch
		lea	eax, [eax+0]
		mov	ds, word ptr [eax-75h]
		add	[eax], dl

loc_AF69E1:				; CODE XREF: INIT:00AF69A1j
		lea	eax, [eax+0]
		dec	esp
		pop	eax
		mov	eax, [eax]
		inc	eax
		lea	eax, [eax+0]
		stosb
		setalc
		push	edi
		add	[esp+ecx*4], cl
		inc	eax
		add	ah, bl
		cmp	[ebx+408BFC00h], ecx
		add	[edx], bl

loc_AF69FD:				; CODE XREF: INIT:00AF69C1j
		mov	dword ptr [edi+0], offset _GUID_LOW_POWER_EPOCH
		loop	near ptr loc_AF69CB+1
		push	edi
		add	ah, bh
		mov	eax, [eax+0]
		mov	gs, [ebp-76A3FFAAh]
		inc	eax
		add	[ecx+ebp*4+57h], ch
		add	[ecx+ecx*4+40h], cl
		add	[ecx+ebp*4+57h], ch
		add	[ecx+ecx*4+40h], cl
		add	[esi+6C0056ADh], cl
		mov	[eax+0], eax
		insb
		test	eax, 896C0057h
		inc	eax
		add	[esi+7C0056ADh], cl
		mov	[eax+0], eax
		insb
		test	eax, 897C0057h
		inc	eax
		add	[esi-3FFFA953h], cl
		mov	word ptr [eax+0], es

loc_AF6A4C:				; CODE XREF: INIT:00AF69D0j
		mov	gs, [ebp-7673FFAAh]
		inc	eax
		add	[ecx+ebp*4+57h], ch
		add	[ecx+ecx*4-5271FFC0h], cl
		push	esi
		add	[ecx+ecx*4-5693FFC0h], bl
		push	edi
		add	[ecx+ecx*4-5271FFC0h], bl
		push	esi
		add	[ecx+ecx*4+33D20041h], al
		push	edi
		add	[ecx+ecx*4-24E5FFBFh], ah
		push	edi
		add	[ecx+ecx*4-256DFFBFh], dl
		push	edi
		add	[edx+ecx*4+4C9A0041h], dl
		mov	eax, [eax]
		push	0A0040A7h
		dec	esp
		mov	eax, [eax]
		mov	ah, 89h
		inc	ecx
		add	ah, bl
		pop	edi
		mov	eax, [eax]
		dec	eax
		mov	word ptr [eax+0], es
		push	ax
		mov	eax, [eax]
		les	ecx, [ecx+5FA40041h]
		mov	eax, [eax]
		mov	al, 8Ch
		inc	eax
		add	[edx+53h], dl
		mov	eax, [eax]
		mov	eax, 0DC00407Fh
		adc	eax, [edi+40A75800h]
		add	ah, bl
		adc	eax, [edi+4072A400h]
		add	ah, bl
		adc	eax, [edi+40A75800h]

loc_AF6AD3:				; DATA XREF: PspInitPhase0+4FFo
		add	ds:1009ACBh, bh
		add	[edx], al
		add	[edx], al
		add	[edx], al
; 
		db 0
		dd 20000h, 0F0003h

;  S U B	R O U T	I N E 


_NtdllExports	proc far		; DATA XREF: INIT:_NtdllExportInformationo
		pusha
		retf
_NtdllExports	endp ; sp = -20h

; 
		scasd
		add	ds:0CB7400A9h[eax*2], cl
		scasd
		add	ds:0CB8800A9h[eax*2], dl
		scasd
		add	[eax], dl
		inc	ebp
		test	eax, 0AFCB9C00h
		add	[esi+70h], dh
		add	al, dh
		retf	0AFh
; 
		dd offset _KeUserApcDispatcher
		dd offset ??_C@_0BJ@PGKGCADJ@KiUserCallbackDispatcher@EKOMKFNL@
		dd offset _KeUserCallbackDispatcher
		dd offset ??_C@_0BP@LPIFGB@KiRaiseUserExceptionDispatcher@EKOMKFNL@
		dd offset _KeRaiseUserExceptionDispatcher
		dd offset ??_C@_0BP@PLPPHEHH@ExpInterlockedPopEntrySListEnd@EKOMKFNL@
		dd offset _KeUserPopEntrySListEnd
		dd offset ??_C@_0CB@NBOJPKNI@ExpInterlockedPopEntrySListFaul@EKOMKFNL@
		dd offset _KeUserPopEntrySListFault
		dd offset ??_C@_0CC@CJPFKDHP@ExpInterlockedPopEntrySListResu@EKOMKFNL@
		dd offset _KeUserPopEntrySListResume
		dd offset loc_AFCC1B+1
		dd offset _PspSystemDllInitBlock
		dd offset ??_C@_0BD@OEGEGHJO@RtlpFreezeTimeBias@EKOMKFNL@
		dd offset _PspFreezeTimeBiasAddress
		dd offset ??_C@_0BJ@CDBADGFN@WerReportExceptionWorker@EKOMKFNL@
		dd offset _DbgkWerReportExceptionWorker
; 

_PspJobMapping:				; DATA XREF: PspInitPhase0+26Co
		add	al, 0
		add	al, [eax]
		or	eax, [eax]
		add	al, [eax]
; 
		dd 120000h, 1F003Fh
; 

_PspPartitionMapping:			; DATA XREF: PspInitPhase0+47Do
		add	[eax], eax
		add	al, [eax]
		add	al, [eax]
		add	al, [eax]
		add	[eax], eax
		adc	al, [eax]
		add	eax, [eax]
		pop	ds

loc_AF6B6F:				; DATA XREF: PspInitPhase0+319o
		add	[eax], dl
		add	al, 2
		add	dl, ch
		or	eax, [edx]
		add	[ecx], al
		adc	[edx], dl
		add	bh, bh
		call	fword ptr [edi]

loc_AF6B7F:				; DATA XREF: PspInitPhase0+3CEo
		add	[eax+0], cl
		add	al, [eax]
		aaa
		add	al, 2
; 
		db 0
		dd 121800h, 1FFFFFh
_PspActivityReferenceMapping dd	3 dup(20000h), 1F0000h ; DATA XREF: PspInitPhase0+5B6o
_NtdllExportInformation	dd offset _NtdllExports
					; DATA XREF: PspInitializeSystemDlls:loc_ACDD02r
dword_AF6BA4	dd 0Dh			; DATA XREF: PspInitializeSystemDlls+34r
					; PspInitializeSystemDlls+63r
		dd 0Ah dup(0)

;  S U B	R O U T	I N E 


_PspMemoryReserveObjectNames proc far	; DATA XREF: PspInitPhase0+51Eo
		sbb	al, 0
		push	ds
		add	[eax+2600AFCAh], ch
		add	[eax], ch
		add	al, cl
		retf	0AFh
_PspMemoryReserveObjectNames endp ; sp = -4

; 

_PspSiloStorageNonPagedTypeName:	; DATA XREF: PspInitPhase0+568o
					; PspInitializeSiloStructures+112o
		sub	al, [eax]
		sub	al, 0
		dec	eax
		int	3		; Trap to Debugger
		scasd
; 
		db 0
; 

_PspSiloStoragePagedTypeName:		; DATA XREF: PspInitializeSiloStructures+E5o
		and	al, 0
		add	es:[esp+ecx*8-51h], dh
; 
		db 0
_ExpWstrCallback:			; DATA XREF: ExpInitializeCallbacks()+98o
		unicode	0, <\Callback>,0
_ExpCallbackMapping dd 20000h, 20001h, 120000h,	1F0001h
					; DATA XREF: ExpInitializeCallbacks()+5Bo
_ExpDesktopMapping dd 3	dup(20000h), 0F0000h ; DATA XREF: ExpWin32Initialization()+B3o
_ExpWindowStationMapping dd 3 dup(20000h), 0F0000h ; DATA XREF:	ExpWin32Initialization()+36o
_ExpActivationObjectMapping dd 3 dup(20000h), 0F0000h
					; DATA XREF: ExpWin32Initialization()+1BBo
_ExpCoreMessagingMapping dd 3 dup(20000h), 0F0000h
					; DATA XREF: ExpWin32Initialization()+17Do
_ExpRawInputManagerMapping dd 3	dup(20000h), 0F0000h
					; DATA XREF: ExpWin32Initialization()+13Bo
_ExpCompositionMapping dd 3 dup(20000h), 0F0000h ; DATA	XREF: ExpWin32Initialization()+EFo
; 

_ExpTimerMapping:			; DATA XREF: ExpTimerInitialization()+55o
		add	[eax], eax
		add	al, [eax]
		add	al, [eax]
		add	al, [eax]
; 
		dd 120000h, 1F0003h
; 

_ExpEventMapping:			; DATA XREF: ExpEventInitialization()+40o
		add	[eax], eax
		add	al, [eax]
		add	al, [eax]
		add	al, [eax]
; 
		dd 120000h, 1F0003h
; 

_ExpSemaphoreMapping:			; DATA XREF: ExpSemaphoreInitialization()+47o
		add	[eax], eax
		add	al, [eax]
		add	al, [eax]
		add	al, [eax]
; 
		dd 120000h, 1F0003h
dword_AF6CA4	dd 20001Eh		; DATA XREF: ExpWorkerFactoryInitialization+DFo
		dd offset ??_C@_1CA@CDLNPKFB@?$AAT?$AAp?$AAW?$AAo?$AAr?$AAk?$AAe?$AAr?$AAF?$AAa?$AAc?$AAt?$AAo?$AAr?$AAy@EKOMKFNL@
; 

_ExpWorkerFactoryMapping:		; DATA XREF: ExpWorkerFactoryInitialization+CEo
		or	[eax], al
		add	al, [eax]
		add	al, 0
		add	al, [eax]
		add	eax, [eax]
		add	al, [eax]
		inc	dword ptr [eax]

loc_AF6CBA:				; DATA XREF: ExpMutantInitialization()+66o
		sldt	word ptr [ecx]
		add	[edx], al
; 
		db 0
		dd 20000h, 120000h, 1F0001h
; 

_ExpProfileMapping:			; DATA XREF: ExpProfileInitialization()+56o
		add	[eax], eax
		add	al, [eax]
		add	[eax], eax
		add	al, [eax]
		add	[eax], eax
		add	al, [eax]
		add	[eax], eax
		sldt	word ptr [eax]
; 
		db 3 dup(0)
; 

_BiBcdMutantDescriptor:			; DATA XREF: BcdInitializeBcdSyncMutant+36o
		add	[eax], eax
		add	al, 80h
; 
		dd 3 dup(0)
		dd 14h,	340002h, 2, 140000h, 120001h, 101h, 5000000h, 12h
		dd 180000h, 120001h, 201h, 5000000h, 20h, 220h
; 

??_C@_1CA@OGJIDCJM@?$AAB?$AAo?$AAo?$AAt?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr?$AAR?$AAe?$AAp?$AAl?$AAy@EKOMKFNL@:
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+53h], dh
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		add	gs:[edx+0], dh
		push	edx
		add	[ebp+0], ah
		jo	short $+2
		insb
		add	[ecx+0], bh
; 
		dw 0
; 

??_C@_1GG@IBGAEKLO@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@EKOMKFNL@:
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1CE@MEIKCFL@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS@EKOMKFNL@:
		inc	ebx
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+0],	dh
; 
		db 0
		align 8

??_C@_1IA@HPIKAKLL@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@EKOMKFNL@:
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[esi+0], cl
		dec	esp
		add	[ebx+0], dl
		pop	esp
		add	[eax+eax+61h], cl
		add	[esi+0], ch
		add	[di+0],	dh
		popa
		add	[edi+0], ah
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1GO@BNGMMPEP@?$AA?2?$AAR?$AAE?$AAG?$AAI?$AAS?$AAT?$AAR?$AAY?$AA?2?$AAM?$AAA?$AAC?$AAH?$AAI@EKOMKFNL@:
		pop	esp
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		dec	ecx
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		pop	ecx
		add	[eax+eax+4Dh], bl
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		dec	ecx
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+53h], bl
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[eax+0], dl
		pop	eax
		add	[ebp+0], al
; 
		dd 0
; 

??_C@_1BM@MJMBOBFB@?$AAD?$AAH?$AAC?$AAP?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr?$AAA?$AAC?$AAK@EKOMKFNL@:
		inc	esp
		add	[eax+0], cl
		inc	ebx
		add	[eax+0], dl
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		add	gs:[edx+0], dh
		inc	ecx
		add	[ebx+0], al
		dec	ebx
; 
		db 3 dup(0)
; 

??_C@_1CG@IFFAFGDB@?$AAD?$AAi?$AAr?$AAt?$AAy?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AAC?$AAo@EKOMKFNL@:
		inc	esp
		add	[ecx+0], ch
		jb	short $+2
		jz	short $+2
		jns	short $+2
		push	ebx
		add	[eax+0], ch
		jnz	short $+2
		jz	short $+2
		add	fs:[edi+0], ch
		ja	short $+2
		outsb
		add	[ebx+0], al
		outsd
		add	[ebp+0], dh
		outsb
		add	[eax+eax+0], dh
; 
		db 3 dup(0)
; 

??_C@_1CG@EEKKLGPP@?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr?$AAe?$AAB?$AAo?$AAo?$AAt?$AAD?$AAe?$AAv@EKOMKFNL@:
		inc	esi
		add	[ecx+0], ch
		jb	short $+2
		insd
		add	[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[edx+0], al
		outsd
		add	[edi+0], ch
		jz	short $+2
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
; 
		dd 0
; 

??_C@_1CA@HNCMOGDF@?$AAI?$AAn?$AAs?$AAt?$AAa?$AAl?$AAl?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4F54o
		dec	ecx
		add	[esi+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[eax+eax+6Ch], ch
		add	[eax+eax+61h], cl
		add	[esi+0], ch
		add	[di+0],	dh
		popa
		add	[edi+0], ah
		add	gs:[eax], al
; 
		db 0
; 

??_C@_17KACEIPNC@?$AAK?$AAe?$AAy@EKOMKFNL@:
		dec	ebx
		add	[ebp+0], ah
		jns	short $+2
; 
		dw 0
; 

??_C@_1CC@OEKFBOPF@?$AAL?$AAa?$AAs?$AAt?$AAB?$AAo?$AAo?$AAt?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw@EKOMKFNL@:
		dec	esp
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+53h], dh
		add	[eax+0], ch
		jnz	short $+2
		jz	short $+2
		add	fs:[edi+0], ch
		ja	short $+2
		outsb
; 
		db 0
		align 10h

??_C@_1CE@FIDFOEOC@?$AAL?$AAa?$AAs?$AAt?$AAB?$AAo?$AAo?$AAt?$AAS?$AAu?$AAc?$AAc?$AAe?$AAe?$AAd@EKOMKFNL@:
		dec	esp
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+53h], dh
		add	[ebp+0], dh
		arpl	[eax], ax
		arpl	[eax], ax
		add	gs:[ebp+0], ah
		add	fs:[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1BO@IJHFMHE@?$AAO?$AAs?$AAB?$AAo?$AAo?$AAt?$AAs?$AAt?$AAa?$AAt?$AAP?$AAa?$AAt?$AAh@EKOMKFNL@:
					; DATA XREF: INIT:00AF31E4o
		dec	edi
		add	[ebx+0], dh
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+73h], dh
		add	[eax+eax+61h], dh
		add	[eax+eax+50h], dh
		add	[ecx+0], ah
		jz	short $+2
		push	0
		add	[ecx+0], al
		insb
		add	[ecx+0], ch
		popa
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1BK@JKLHPNBO@?$AAC?$AAa?$AAp?$AAa?$AAb?$AAi?$AAl?$AAi?$AAt?$AAi?$AAe?$AAs@EKOMKFNL@:
		inc	ebx
		add	[ecx+0], ah
		jo	short $+2
		popa
		add	[edx+0], ah
		imul	eax, [eax], 69006Ch
		jz	short $+2
		imul	eax, [eax], 730065h
; 
		dd 0
; 

??_C@_1CA@CEMLPECN@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAD?$AAo?$AAc?$AAk?$AAI?$AAn?$AAf?$AAo@EKOMKFNL@:
		inc	ebx
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	esp
		add	[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 49h
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
; 
		dw 0
; 

??_C@_1O@KHOHJKPL@?$AAD?$AAo?$AAc?$AAk?$AAI?$AAD@EKOMKFNL@:
		inc	esp
		add	[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 49h
		add	[eax+eax+0], al
; 
		db 3 dup(0)
; 

??_C@_1BK@DIMLADLC@?$AAD?$AAo?$AAc?$AAk?$AAi?$AAn?$AAg?$AAS?$AAt?$AAa?$AAt?$AAe@EKOMKFNL@:
		inc	esp
		add	[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 69h
		add	[esi+0], ch
		add	[bp+di+0], dl
		jz	short $+2
		popa
		add	[eax+eax+65h], dh
; 
		db 0
		align 8

??_C@_1BM@IAAGELMO@?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl?$AAe?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@EKOMKFNL@:
		push	eax
		add	[edx+0], dh
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		dec	esi
		add	[ebp+0], dh
		insd
		add	[edx+0], ah
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1BK@GBMCOKGG@?$AAS?$AAe?$AAr?$AAi?$AAa?$AAl?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@EKOMKFNL@:
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 6C0061h
		dec	esi
		add	[ebp+0], dh
		insd
		add	[edx+0], ah
		add	gs:[edx+0], dh
; 
		dd 0
; 

??_C@_1CC@DMHBPKKF@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAB?$AAo?$AAo?$AAt?$AAD?$AAe?$AAv?$AAi?$AAc@EKOMKFNL@:
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+44h], dh
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
; 
		dd 0
; 

??_C@_1CG@BLIBLCJE@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAS?$AAt?$AAa?$AAr?$AAt?$AAO?$AAp?$AAt?$AAi@EKOMKFNL@:
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dd 0
; 

??_C@_1CE@KEGILBAG@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAB?$AAi?$AAo?$AAs?$AAV?$AAe?$AAr?$AAs?$AAi@EKOMKFNL@:
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		inc	edx
		add	[ecx+0], ch
		outsd
		add	[ebx+0], dh
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
; 

??_C@_1CK@LADPALDF@?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AAS?$AAy?$AAs?$AAP?$AAa?$AAr?$AAt?$AAD@EKOMKFNL@:
		push	edi
		add	[ecx+0], ch
		outsb
		add	[eax+eax+6Fh], ah
		add	[edi+0], dh
		jnb	short $+2
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		push	eax
		add	[ecx+0], ah
		jb	short $+2
		jz	short $+2
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
; 
		dd 0
; 

??_C@_1CG@ECHCOIBH@?$AA?2?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AA?2?$AAM?$AAa?$AAc?$AAh?$AAi@EKOMKFNL@:
		pop	esp
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		pop	esp
		add	[ebp+0], cl
		popa
		add	[ebx+0], ah
		push	6E006900h
		add	[ebp+0], ah
		pop	esp
; 
		db 0
		dd 0
; 

??_C@_1O@GINMMDNN@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm@EKOMKFNL@:
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
		dd 0
; 

??_C@_1DK@BGNOIKOO@?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@EKOMKFNL@:
		pop	esp
		add	[ebx+0], al
		jnz	short $+2
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
		pop	esp
; 
		db 0
		align 10h

??_C@_1CO@JKLLGMLG@?$AAA?$AAp?$AAi?$AAS?$AAe?$AAt?$AAS?$AAc?$AAh?$AAe?$AAm?$AAa?$AAE?$AAx?$AAt@EKOMKFNL@:
		inc	ecx
		add	[eax+0], dh
		imul	eax, [eax], 650053h
		jz	short $+2
		push	ebx
		add	[ebx+0], ah
		push	6D006500h
		add	[ecx+0], ah
		inc	ebp
		add	[eax+0], bh
		jz	short $+2
		add	gs:[esi+0], ch
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dd 0
; 

??_C@_17DNCLJFIF@?$AAA?$AAC?$AAP@EKOMKFNL@:
		inc	ecx
		add	[ebx+0], al
		push	eax
; 
		db 3 dup(0)
; 

??_C@_1BE@DOHPGOGI@?$AAB?$AAo?$AAo?$AAt?$AAF?$AAl?$AAa?$AAg?$AAs@EKOMKFNL@:
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+46h], dh
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CA@PABBOCNB@?$AAB?$AAo?$AAo?$AAt?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAF?$AAl?$AAa?$AAg?$AAs@EKOMKFNL@:
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+44h], dh
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BC@OGJIHCJJ@?$AAC?$AAo?$AAd?$AAe?$AAP?$AAa?$AAg?$AAe@EKOMKFNL@:
		inc	ebx
		add	[edi+0], ch
		add	fs:[ebp+0], ah
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
; 
		dd 0
; 

??_C@_1BA@JGFNDEFA@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF34D4o
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
; 
		db 3 dup(0)
; 

??_C@_1CM@HJMPPIEL@?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AA?5?$AAM@EKOMKFNL@:
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 750067h
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax], ah
		add	[ebp+0], cl
		popa
		add	[esi+0], ch
		popa
		add	[edi+0], ah
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1BK@FINFFJHL@?$AAC?$AAr?$AAa?$AAs?$AAh?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF6288o
		inc	ebx
		add	[edx+0], dh
		popa
		add	[ebx+0], dh
		push	6F004300h
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1BC@HMHFCLJC@?$AAP?$AAo?$AAl?$AAi?$AAc?$AAi?$AAe?$AAs@EKOMKFNL@:
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 730065h
; 
		dd 0
; 

??_C@_1BA@GHOECOCL@?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF4F3Co
		inc	esp
		add	[ebp+0], ah
		db	66h
		add	[ecx+0], ah
		jnz	short $+2
		insb
		add	[eax+eax+0], dh
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CC@LPKCGKMO@?$AAD?$AAe?$AAp?$AAe?$AAn?$AAd?$AAO?$AAn?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr@EKOMKFNL@:
		inc	esp
		add	[ebp+0], ah
		jo	short $+2
		add	gs:[esi+0], ch
		add	fs:[edi+0], cl
		outsb
		add	[esi+0], al
		imul	eax, [eax], 6D0072h
		ja	short $+2
		popa
		add	[edx+0], dh
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CA@MIBAJKAO@?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAS?$AAt?$AAa?$AAt?$AAe?$AAP?$AAa?$AAt?$AAh@EKOMKFNL@:
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+65h], dh
		add	[eax+0], dl
		popa
		add	[eax+eax+68h], dh
; 
		db 3 dup(0)
; 

??_C@_1CA@JEMHMMKK@?$AAD?$AAe?$AAp?$AAe?$AAn?$AAd?$AAO?$AAn?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe@EKOMKFNL@:
		inc	esp
		add	[ebp+0], ah
		jo	short $+2
		add	gs:[esi+0], ch
		add	fs:[edi+0], cl
		outsb
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		imul	eax, [eax], 650063h
; 
		dw 0
; 

??_C@_1CA@JBHODNBM@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAE?$AAm?$AAo?$AAt?$AAi?$AAc?$AAo?$AAn@EKOMKFNL@:
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	ebp
		add	[ebp+0], ch
		outsd
		add	[eax+eax+69h], dh
		add	[ebx+0], ah
		outsd
		add	[esi+0], ch
; 
		dw 0
; 

??_C@_1CA@HDECAOIB@?$AAD?$AAi?$AAs?$AAp?$AAl?$AAa?$AAy?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAd@EKOMKFNL@:
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		jo	short $+2
		insb
		add	[ecx+0], ah
		jns	short $+2
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		dec	esp
		add	[edi+0], ch
		popa
		add	[eax+eax+50h], ah
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dd 0
; 

??_C@_1CE@CDHMIPNA@?$AAD?$AAi?$AAs?$AAp?$AAl?$AAa?$AAy?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe@EKOMKFNL@:
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		jo	short $+2
		insb
		add	[ecx+0], ah
		jns	short $+2
		push	eax
		add	[ecx+0], ah
		jb	short $+2
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CE@FNCJOJHI@?$AAD?$AAS?$AAA?$AA?5?$AAD?$AAa?$AAt?$AAa?$AAb?$AAa?$AAs?$AAe?$AA?5?$AAF?$AAi@EKOMKFNL@:
		inc	esp
		add	[ebx+0], dl
		inc	ecx
		add	[eax], ah
		add	[eax+eax+61h], al
		add	[eax+eax+61h], dh
		add	[edx+0], ah
		popa
		add	[ebx+0], dh
		add	gs:[eax], ah
		add	[esi+0], al
		imul	eax, [eax], 65006Ch
; 
		dw 0
; 

??_C@_1BA@LOGOFDCJ@?$AA?$CK?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@EKOMKFNL@:
		sub	al, [eax]
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
; 
		dw 0
; 

??_C@_1BI@EGFDNIAJ@?$AAE?$AAa?$AAr?$AAl?$AAy?$AAL?$AAa?$AAu?$AAn?$AAc?$AAh@EKOMKFNL@:
		inc	ebp
		add	[ecx+0], ah
		jb	short $+2
		insb
		add	[ecx+0], bh
		dec	esp
		add	[ecx+0], ah
		jnz	short $+2
		outsb
		add	[ebx+0], ah

loc_AF73C0:				; DATA XREF: INIT:00AF5104o
					; INIT:00AF511Co
		push	45000000h
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1BK@PIFCGMJC@?$AAE?$AAr?$AAr?$AAo?$AAr?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@EKOMKFNL@:
		inc	ebp
		add	[edx+0], dh
		jb	short $+2
		outsd
		add	[edx+0], dh
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
; 
		db 0
		align 10h

??_C@_1O@NOPLCKPO@?$AAE?$AAr?$AAr?$AAa?$AAt?$AAa@EKOMKFNL@:
		inc	ebp
		add	[edx+0], dh
		jb	short $+2
		popa
		add	[eax+eax+61h], dh
; 
		db 0
		align 10h

??_C@_1CE@JBNOHFCG@?$AAF?$AAi?$AAr?$AAm?$AAw?$AAa?$AAr?$AAe?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc@EKOMKFNL@:
		inc	esi
		add	[ecx+0], ch
		jb	short $+2
		insd
		add	[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[edx+0], dl
		add	gs:[ebx+0], dh
		outsd
		add	[ebp+0], dh
		jb	short $+2
		arpl	[eax], ax
		add	gs:[ebx+0], dh
; 
		dw 0
; 

??_C@_1BC@PKFGPGJB@?$AAF?$AAi?$AAl?$AAe?$AAN?$AAa?$AAm?$AAe@EKOMKFNL@:
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
; 
		dd 0
; 

??_C@_1BO@PJAAKPDP@?$AAG?$AAr?$AAo?$AAu?$AAp?$AAO?$AAr?$AAd?$AAe?$AAr?$AAL?$AAi?$AAs?$AAt@EKOMKFNL@:
		inc	edi
		add	[edx+0], dh
		outsd
		add	[ebp+0], dh
		jo	short $+2
		dec	edi
		add	[edx+0], dh
		add	fs:[ebp+0], ah
		jb	short $+2
		dec	esp
		add	[ecx+0], ch
		jnb	short $+2
		jz	short $+2
; 
		dd 0
; 

??_C@_1CC@KJLCEJGL@?$AAG?$AAr?$AAo?$AAu?$AAp?$AA?5?$AAA?$AAs?$AAs?$AAi?$AAg?$AAn?$AAm?$AAe?$AAn@EKOMKFNL@:
		inc	edi
		add	[edx+0], dh
		outsd
		add	[ebp+0], dh
		jo	short $+2
		and	[eax], al
		inc	ecx
		add	[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E0067h
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+0], dh
; 
		db 3 dup(0)
; 

??_C@_1BO@LMKEOBGK@?$AAH?$AAa?$AAr?$AAd?$AAw?$AAa?$AAr?$AAe?$AAC?$AAo?$AAn?$AAf?$AAi?$AAg@EKOMKFNL@:
		dec	eax
		add	[ecx+0], ah
		jb	short $+2
		add	fs:[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[ebx+0], al
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[bx+si], al
; 
		db 3 dup(0)
; 

??_C@_1M@BDEHGHEL@?$AAg?$AAr?$AAo?$AAu?$AAp@EKOMKFNL@:
		add	[bp+si+0], dh
		outsd
		add	[ebp+0], dh
		jo	short $+2
; 
		dw 0
; 

??_C@_1BE@CMLCLKJK@?$AAI?$AAm?$AAa?$AAg?$AAe?$AAP?$AAa?$AAt?$AAh@EKOMKFNL@:
		dec	ecx
		add	[ebp+0], ch
		popa
		add	[edi+0], ah
		add	gs:[eax+0], dl
		popa
		add	[eax+eax+68h], dh
; 
		db 3 dup(0)
; 

??_C@_15NCCOGFKM@?$AAI?$AAd@EKOMKFNL@:
		dec	ecx
		add	[eax+eax+0], ah
; 
		db 3 dup(0)
; 

??_C@_19LHIDJGHK@?$AAK?$AAe?$AAy?$AAs@EKOMKFNL@:
		dec	ebx
		add	[ebp+0], ah
		jns	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1BA@EEMINDEM@?$AAI?$AAn?$AAf?$AAN?$AAa?$AAm?$AAe@EKOMKFNL@:
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[esi+0], cl
		popa
		add	[ebp+0], ch
		add	gs:[eax], al
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		inc	ecx
		add	[eax+eax+74h], dh
		add	[ebp+0], ah
		insd
		add	[eax+0], dh
		jz	short $+2
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+75h], dh
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_19HBOBIAED@?$AAl?$AAi?$AAs?$AAt@EKOMKFNL@:
		insb
		add	[ecx+0], ch
		jnb	short $+2
		jz	short $+2
; 
		dd 0
; 

??_C@_1BM@MFCPMGNM@?$AAL?$AAa?$AAs?$AAt?$AAK?$AAn?$AAo?$AAw?$AAn?$AAG?$AAo?$AAo?$AAd@EKOMKFNL@:
		dec	esp
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		dec	ebx
		add	[esi+0], ch
		outsd
		add	[edi+0], dh
		outsb
		add	[edi+0], al
		outsd
		add	[edi+0], ch
		add	fs:[eax], al
		add	[esi+0], cl
		popa
		add	[ebp+0], ch
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CE@MMCPOLJK@?$AAM?$AAa?$AAn?$AAu?$AAf?$AAa?$AAc?$AAt?$AAu?$AAr?$AAi?$AAn?$AAg?$AAM?$AAo@EKOMKFNL@:
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ebp+0], dh
		db	66h
		add	[ecx+0], ah
		arpl	[eax], ax
		jz	short $+2
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 67006Eh
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], ah
; 
		dw 0
; 

??_C@_1BM@ODCPILIP@?$AAN?$AAo?$AAd?$AAe?$AA?5?$AAD?$AAi?$AAs?$AAt?$AAa?$AAn?$AAc?$AAe@EKOMKFNL@:
		dec	esi
		add	[edi+0], ch
		add	fs:[ebp+0], ah
		and	[eax], al
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		jz	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[eax], al
; 
		db 0
; 

??_C@_17HOIJKBC@?$AAN?$AAL?$AAS@EKOMKFNL@:
		dec	esi
		add	[eax+eax+53h], cl
; 
		db 3 dup(0)
; 

??_C@_19BBKOHLNC@?$AAN?$AAU?$AAM?$AAA@EKOMKFNL@:
		dec	esi
		add	[ebp+0], dl
		dec	ebp
		add	[ecx+0], al
; 
		dd 0
; 

??_C@_19BLLFJA@?$AAN?$AAT?$AAD?$AAS@EKOMKFNL@:
		dec	esi
		add	[eax+eax+44h], dl
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1BG@PGIGMDPA@?$AAP?$AAa?$AAr?$AAa?$AAm?$AAe?$AAt?$AAe?$AAr?$AAs@EKOMKFNL@:
		push	eax
		add	[ecx+0], ah
		jb	short $+2
		popa
		add	[ebp+0], ch
		add	gs:[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		dd 0
; 

??_C@_1M@EOBHHNKJ@?$AAO?$AAE?$AAM?$AAC?$AAP@EKOMKFNL@:
		dec	edi
		add	[ebp+0], al
		dec	ebp
		add	[ebx+0], al
		push	eax
; 
		db 3 dup(0)
; 

??_C@_1M@OHGOPPGD@?$AAP?$AAh?$AAa?$AAs?$AAe@EKOMKFNL@:
		push	eax
		add	[eax+0], ch
		popa
		add	[ebx+0], dh
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1DA@JKLPELHG@?$AAP?$AAe?$AAn?$AAd?$AAi?$AAn?$AAg?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAO?$AAp@EKOMKFNL@:
		push	eax
		add	[ebp+0], ah
		outsb
		add	[eax+eax+69h], ah
		add	[esi+0], ch
		add	[si+0],	al
		jb	short $+2
		imul	eax, [eax], 650076h
		jb	short $+2
		dec	edi
		add	[eax+0], dh
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1CE@HFPNPMLJ@?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe?$AAG?$AAr?$AAo?$AAu?$AAp?$AAO?$AAr?$AAd@EKOMKFNL@:
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		imul	eax, [eax], 650063h
		inc	edi
		add	[edx+0], dh
		outsd
		add	[ebp+0], dh
		jo	short $+2
		dec	edi
		add	[edx+0], dh
		add	fs:[ebp+0], ah
		jb	short $+2
; 
		dw 0
; 

??_C@_1M@PNBPANGG@?$AAR?$AAe?$AAs?$AAe?$AAt@EKOMKFNL@:
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		add	gs:[eax+eax+0],	dh
; 
		db 0
; 

??_C@_13BBDEGPLJ@?$AA?$CK@EKOMKFNL@:
		sub	al, [eax]
; 
		dw 0
; 

??_C@_1BC@DHAHNLLM@?$AAS?$AAe?$AAr?$AAv?$AAi?$AAc?$AAe?$AAs@EKOMKFNL@:
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		jbe	short $+2
		imul	eax, [eax], 650063h
		jnb	short $+2
; 
		dd 0
; 

??_C@_1HC@HGNNGFNE@?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS@EKOMKFNL@:
		inc	ebx
		add	[ebp+0], dh
		jb	short $+2
		jb	short $+2
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+5Ch], dh
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		outsd
		add	[eax+eax+5Ch], ch
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+65h], dh
		add	[ebx+0], dl
		add	gs:[eax+0], dh
		popa
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+eax+52h], bl
		add	[ebp+0], ah
		add	fs:[ecx+0], ch
		jb	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		dec	ebp
		add	[ecx+0], ah
		jo	short $+2
; 
		dd 0
; 

??_C@_1CA@NGDFGHGA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF34F8o
					; INIT:00AF35A0o ...
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
; 
		dw 0
; 

??_C@_1CE@IOPMEOCL@?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAm?$AAe@EKOMKFNL@:
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jb	short $+2
		jns	short $+2
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+0], dh
		add	[eax+eax+61h], dl
		add	[edx+0], dh
		add	[di+0],	ah
		jz	short $+2
		dec	esi
		add	[eax+eax+50h], dh
		add	[ecx+0], ah
		jz	short $+2
		push	0
; 
		db 0
; 

??_C@_1CE@OMAJLJIP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAL?$AAe?$AAv@EKOMKFNL@:
					; DATA XREF: INIT:00AF3964o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 790066h
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		dec	esp
		add	[ebp+0], ah
		jbe	short $+2
		add	gs:[eax+eax+0],	ch
		add	[eax+eax+69h], al
		add	[ebx+0], dh
		jo	short $+2
		insb
		add	[ecx+0], ah
		jns	short $+2
		push	eax
		add	[edx+0], dh
		add	gs:[edx+0], dl
		add	gs:[eax+eax+65h], ch
		add	[ecx+0], ah
		jnb	short $+2
		add	gs:[ebx+0], al
		outsd
		add	[eax+eax+6Fh], ch
		add	[edx+0], dh
; 
		dd 0
; 

??_C@_1CA@HPGAEJP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF38D4o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CK@MAPACCND@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAS?$AAe?$AAt?$AAt?$AAi?$AAn?$AAg@EKOMKFNL@:
					; DATA XREF: INIT:00AF330Co
					; INIT:00AF3994o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		push	ebx
		add	[ebp+0], ah
		jz	short $+2
		jz	short $+2
		imul	eax, [eax], 67006Eh
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+65h], dh
; 
		db 0
		dd 0
; 

??_C@_1CC@CCBGCEEO@?$AAL?$AAa?$AAr?$AAg?$AAe?$AAP?$AAa?$AAg?$AAe?$AAM?$AAi?$AAn?$AAi?$AAm?$AAu@EKOMKFNL@:
		dec	esp
		add	[ecx+0], ah
		jb	short $+2
		add	[di+0],	ah
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		dec	ebp
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ch
		insd
		add	[ebp+0], dh
		insd
; 
		db 0
		align 8

??_C@_1CE@KKPBGJPF@?$AAH?$AAo?$AAt?$AAP?$AAa?$AAt?$AAc?$AAh?$AAT?$AAa?$AAb?$AAl?$AAe?$AAS?$AAi@EKOMKFNL@:
		dec	eax
		add	[edi+0], ch
		jz	short $+2
		push	eax
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	61005400h
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	ebx
		add	[ecx+0], ch
		jp	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1M@IOJLKPKK@?$AAS?$AAt?$AAa?$AAr?$AAt@EKOMKFNL@:
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
; 
		dw 0
; 

??_C@_1CC@JIKEKHJB@?$AAi?$AAG?$AAp?$AAu?$AAI?$AAo?$AAm?$AAm?$AAu?$AAS?$AAe?$AAt?$AAt?$AAi?$AAn@EKOMKFNL@:
		imul	eax, [eax], 700047h
		jnz	short $+2
		dec	ecx
		add	[edi+0], ch
		insd
		add	[ebp+0], ch
		jnz	short $+2
		push	ebx
		add	[ebp+0], ah
		jz	short $+2
		jz	short $+2
		imul	eax, [eax], 67006Eh
; 
		dd 0
; 

??_C@_17COOIMOOP@?$AAT?$AAa?$AAg@EKOMKFNL@:
		push	esp
		add	[ecx+0], ah
		add	[bx+si], al
; 
		db 0
; 

??_C@_1BM@HPEBLEEL@?$AAS?$AAt?$AAa?$AAr?$AAt?$AAO?$AAv?$AAe?$AAr?$AAr?$AAi?$AAd?$AAe@EKOMKFNL@:
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
		dec	edi
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
; 
		dw 0
; 

??_C@_1BO@EDPDEJHE@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAO?$AAp?$AAt?$AAi?$AAo?$AAn?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF4E90o
					; INIT:00AF4EC0o ...
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dd 0
; 

??_C@_19BIEPDBPA@?$AAT?$AAy?$AAp?$AAe@EKOMKFNL@:
		push	esp
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_17GJEMPNKP@?$AAS?$AAR?$AAM@EKOMKFNL@:
		push	ebx
		add	[edx+0], dl
		dec	ebp
; 
		db 3 dup(0)
; 

??_C@_1BI@JPCMFPH@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAT?$AAy?$AAp?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4E94o
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		push	esp
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CA@CEOCGBEL@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAe?$AAd?$AAF?$AAe?$AAa?$AAt?$AAu?$AAr?$AAe?$AAs@EKOMKFNL@:
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[edi+0], ch
		ja	short $+2
		add	gs:[eax+eax+46h], ah
		add	[ebp+0], ah
		popa
		add	[eax+eax+75h], dh
		add	[edx+0], dh
		add	gs:[ebx+0], dh
; 
		dw 0
; 

??_C@_1CC@MPGHDFFL@?$AAS?$AAi?$AAd?$AAS?$AAh?$AAa?$AAr?$AAi?$AAn?$AAg?$AAP?$AAo?$AAl?$AAi?$AAc@EKOMKFNL@:
		push	ebx
		add	[ecx+0], ch
		add	fs:[ebx+0], dl
		push	72006100h
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dd 0
; 

??_C@_1M@OAJFFPML@?$AAF?$AAl?$AAa?$AAg?$AAs@EKOMKFNL@:
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BO@GDOLODAC@?$AAE?$AAx?$AAt?$AAe?$AAn?$AAd?$AAe?$AAd?$AA?5?$AAS?$AAt?$AAa?$AAt?$AAe@EKOMKFNL@:
		inc	ebp
		add	[eax+0], bh
		jz	short $+2
		add	gs:[esi+0], ch
		add	fs:[ebp+0], ah
		add	fs:[eax], ah
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[eax+eax+65h], dh
; 
		db 0
		dd 0
; 

??_C@_1CA@JMPEPMNF@?$AAF?$AAe?$AAa?$AAt?$AAu?$AAr?$AAe?$AAS?$AAe?$AAt?$AAt?$AAi?$AAn?$AAg?$AAs@EKOMKFNL@:
		inc	esi
		add	[ebp+0], ah
		popa
		add	[eax+eax+75h], dh
		add	[edx+0], dh
		add	gs:[ebx+0], dl
		add	gs:[eax+eax+74h], dh
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1O@IOCAGAEC@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl@EKOMKFNL@:
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
; 
		db 0
		dd 0
; 

??_C@_1DI@OJNFECI@?$AAF?$AAe?$AAa?$AAt?$AAu?$AAr?$AAe?$AAS?$AAe?$AAt?$AAt?$AAi?$AAn?$AAg?$AAs@EKOMKFNL@:
		inc	esi
		add	[ebp+0], ah
		popa
		add	[eax+eax+75h], dh
		add	[edx+0], dh
		add	gs:[ebx+0], dl
		add	gs:[eax+eax+74h], dh
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		jnb	short $+2
		dec	edi
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
		dec	ebp
		add	[ecx+0], ah
		jnb	short $+2
		imul	eax, [eax], 0
; 
		db 0
; 

??_C@_1DA@LPDLMGGN@?$AAF?$AAe?$AAa?$AAt?$AAu?$AAr?$AAe?$AAS?$AAe?$AAt?$AAt?$AAi?$AAn?$AAg?$AAs@EKOMKFNL@:
		inc	esi
		add	[ebp+0], ah
		popa
		add	[eax+eax+75h], dh
		add	[edx+0], dh
		add	gs:[ebx+0], dl
		add	gs:[eax+eax+74h], dh
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		jnb	short $+2
		dec	edi
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
; 
		dw 0
; 

??_C@_1CG@PBNNDBEJ@?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAS?$AAe?$AAt?$AAO?$AAv?$AAe?$AAr?$AAr@EKOMKFNL@:
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[ebx+0], dl
		add	gs:[eax+eax+4Fh], dh
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
; 
		dd 0
; 

??_C@_1CG@FIICBBG@?$AAF?$AAe?$AAa?$AAt?$AAu?$AAr?$AAe?$AAS?$AAi?$AAm?$AAu?$AAl?$AAa?$AAt?$AAi@EKOMKFNL@:
		inc	esi
		add	[ebp+0], ah
		popa
		add	[eax+eax+75h], dh
		add	[edx+0], dh
		add	gs:[ebx+0], dl
		imul	eax, [eax], 75006Dh
		insb
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dd 0
; 

??_C@_1CG@FFOEBBPF@?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt?$AAy?$AAM@EKOMKFNL@:
					; DATA XREF: INIT:00AF34FCo
		dec	edi
		add	[edx+0], ah
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], ah
; 
		dd 0
; 

??_C@_1BO@JFJHGLBJ@?$AAP?$AAr?$AAo?$AAt?$AAe?$AAc?$AAt?$AAi?$AAo?$AAn?$AAM?$AAo?$AAd?$AAe@EKOMKFNL@:
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+65h], dh
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], ah
; 
		dd 0
; 

??_C@_1CK@JDMEECLM@?$AAA?$AAu?$AAd?$AAi?$AAt?$AAB?$AAa?$AAs?$AAe?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF3514o
		inc	ecx
		add	[ebp+0], dh
		add	fs:[ecx+0], ch
		jz	short $+2
		inc	edx
		add	[ecx+0], ah
		jnb	short $+2
		add	gs:[eax+eax+69h], al
		add	[edx+0], dh
		add	gs:[ebx+0], ah
		jz	short $+2
		outsd
		add	[edx+0], dh
		imul	eax, [eax], 730065h
; 
		dd 0
; 

??_C@_17ENFNLCDF@?$AAL?$AAS?$AAA@EKOMKFNL@: ; DATA XREF: INIT:00AF3510o
					; INIT:00AF3528o
		dec	esp
		add	[ebx+0], dl
		inc	ecx
; 
		db 3 dup(0)
; 

??_C@_1BE@NJDEJMON@?$AAL?$AAS?$AAA?$AA?2?$AAa?$AAu?$AAd?$AAi?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF3540o
		dec	esp
		add	[ebx+0], dl
		inc	ecx
		add	[eax+eax+61h], bl
		add	[ebp+0], dh
		add	fs:[ecx+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1CC@MBGHAOD@?$AAA?$AAu?$AAd?$AAi?$AAt?$AAB?$AAa?$AAs?$AAe?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF352Co
		inc	ecx
		add	[ebp+0], dh
		add	fs:[ecx+0], ch
		jz	short $+2
		inc	edx
		add	[ecx+0], ah
		jnb	short $+2
		add	gs:[edi+0], cl
		bound	eax, [eax]
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1CI@GMLPCOJB@?$AAT?$AAi?$AAm?$AAe?$AAZ?$AAo?$AAn?$AAe?$AAI?$AAn?$AAf?$AAo?$AAr?$AAm?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF3558o
					; INIT:00AF3570o ...
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		pop	edx
		add	[edi+0], ch
		outsb
		add	[ebp+0], ah
		dec	ecx
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
		jb	short $+2
		insd
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
; 

??_C@_1CO@DHIOJFAB@?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAA?$AAc?$AAc?$AAe?$AAs?$AAs?$AAe?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF3544o
		push	eax
		add	[edx+0], dh
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		inc	ecx
		add	[ebx+0], ah
		arpl	[eax], ax
		add	gs:[ebx+0], dh
		jnb	short $+2
		add	gs:[ebx+0], dh
		push	esp
		add	[edi+0], ch
		inc	ecx
		add	[ebp+0], dh
		add	fs:[ecx+0], ch
		jz	short $+2
; 
		dd 0
; 

??_C@_19PDLMCIAJ@?$AAB?$AAi?$AAa?$AAs@EKOMKFNL@: ; DATA	XREF: INIT:00AF3574o
		inc	edx
		add	[ecx+0], ch
		popa
		add	[ebx+0], dh
; 
		dd 0
; 

??_C@_1BO@EAFFNCKE@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAT?$AAi?$AAm?$AAe?$AAB?$AAi?$AAa?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF355Co
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 650076h
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		inc	edx
		add	[ecx+0], ch
		popa
		add	[ebx+0], dh
; 
		dd 0
; 

??_C@_1BG@OGBFMEDC@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AAF?$AAl?$AAa?$AAg@EKOMKFNL@:
					; DATA XREF: INIT:00AF35A4o
		inc	edi
		add	[eax+eax+6Fh], ch
		add	[edx+0], ah
		popa
		add	[eax+eax+46h], ch
		add	[eax+eax+61h], ch
		add	[edi+0], ah
; 
		dd 0
; 

??_C@_1CI@GACLFHFI@?$AAR?$AAe?$AAa?$AAl?$AAT?$AAi?$AAm?$AAe?$AAI?$AAs?$AAU?$AAn?$AAi?$AAv?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF358Co
		push	edx
		add	[ebp+0], ah
		popa
		add	[eax+eax+54h], ch
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		dec	ecx
		add	[ebx+0], dh
		push	ebp
		add	[esi+0], ch
		imul	eax, [eax], 650076h
		jb	short $+2
		jnb	short $+2
		popa
		add	[eax+eax+0], ch
; 
		db 0
; 

??_C@_1CM@OODOIMLG@?$AAC?$AAW?$AAD?$AAI?$AAl?$AAl?$AAe?$AAg?$AAa?$AAl?$AAI?$AAn?$AAD?$AAL?$AAL@EKOMKFNL@:
					; DATA XREF: INIT:00AF35D4o
		inc	ebx
		add	[edi+0], dl
		inc	esp
		add	[ecx+0], cl
		insb
		add	[eax+eax+65h], ch
		add	[edi+0], ah
		popa
		add	[eax+eax+49h], ch
		add	[esi+0], ch
		inc	esp
		add	[eax+eax+4Ch], cl
		add	[ebx+0], dl
		add	gs:[ecx+0], ah
		jb	short $+2
		arpl	[eax], ax
; 
		dd 68h
; 

??_C@_1BI@CLFLIEOH@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl?$AAF?$AAl?$AAa?$AAg?$AA2@EKOMKFNL@:
					; DATA XREF: INIT:00AF35BCo
		inc	edi
		add	[eax+eax+6Fh], ch
		add	[edx+0], ah
		popa
		add	[eax+eax+46h], ch
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		xor	al, [eax]
; 
		dw 0
; 

??_C@_1DO@JLOIIPHD@?$AAA?$AAp?$AAp?$AAl?$AAi?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAB?$AAl?$AAo?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF35ECo
		inc	ecx
		add	[eax+0], dh
		jo	short $+2
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[edx+0], al
		insb
		add	[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 65h
		add	[eax+eax+4Dh], ah
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		popa
		add	[edi+0], ah
		add	gs:[eax+eax+69h], cl
		add	[ebp+0], ch
		imul	eax, [eax], 74h
; 
		dw 0
; 

??_C@_1DK@PIPBJCAA@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF35E8o
					; INIT:00AF3600o
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ecx+0], dl
		jnz	short $+2
		outsd
		add	[eax+eax+61h], dh
		add	[eax], ah
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
		dd 2 dup(0)
; 

??_C@_1EE@LFCJNLIB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF3618o
					; INIT:00AF3630o ...
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+0], dh

loc_AF7C73:				; DATA XREF: INIT:00AF3604o
		add	[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		inc	edx
		add	[eax+eax+6Fh], ch
		add	[ebx+0], ah
		imul	eax, [eax], 65h
		add	[eax+eax+4Dh], ah
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		popa
		add	[edi+0], ah
		add	gs:[eax+eax+69h], cl
		add	[ebp+0], ch
		imul	eax, [eax], 74h

??_C@_1CE@NAICKCLE@?$AAN?$AAo?$AAn?$AAP?$AAa?$AAg?$AAe?$AAd?$AAP?$AAo?$AAo?$AAl?$AAQ?$AAu?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF3634o
		dec	esi
		add	[edi+0], ch
		outsb
		add	[eax+0], dl
		popa
		add	[edi+0], ah
		add	gs:[eax+eax+50h], ah
		add	[edi+0], ch
		outsd
		add	[eax+eax+51h], ch
		add	[ebp+0], dh
		outsd
		add	[eax+eax+61h], dh
; 
		db 3 dup(0)
; 

??_C@_1BO@IGDMFFA@?$AAP?$AAa?$AAg?$AAe?$AAd?$AAP?$AAo?$AAo?$AAl?$AAQ?$AAu?$AAo?$AAt?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF361Co
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		add	fs:[eax+0], dl
		outsd
		add	[edi+0], ch
		insb
		add	[ecx+0], dl
		jnz	short $+2
		outsd
		add	[eax+eax+61h], dh
; 
		db 0
		dd 0
; 

??_C@_1CK@MGPMLEDB@?$AAW?$AAo?$AAr?$AAk?$AAi?$AAn?$AAg?$AAS?$AAe?$AAt?$AAP?$AAa?$AAg?$AAe?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF3664o
		push	edi
		add	[edi+0], ch
		jb	short $+2
		imul	eax, [eax], 69h
		add	[esi+0], ch
		add	[bp+di+0], dl
		add	gs:[eax+eax+50h], dh
		add	[ecx+0], ah
		add	[di+0],	ah
		jnb	short $+2
		push	ecx
		add	[ebp+0], dh
		outsd
		add	[eax+eax+61h], dh
; 
		db 0
		align 8

??_C@_1CA@OFCCNLFJ@?$AAP?$AAa?$AAg?$AAi?$AAn?$AAg?$AAF?$AAi?$AAl?$AAe?$AAQ?$AAu?$AAo?$AAt?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF364Co
		push	eax
		add	[ecx+0], ah
		add	[bx+di+0], ch
		outsb
		add	[edi+0], ah
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		push	ecx
		add	[ebp+0], dh
		outsd
		add	[eax+eax+61h], dh
; 
		db 3 dup(0)
; 

??_C@_1BM@FCEHOMH@?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy@EKOMKFNL@:
					; DATA XREF: INIT:00AF3694o
		inc	esp
		add	[ecx+0], bh
		outsb
		add	[ecx+0], ah
		insd
		add	[ecx+0], ch
		arpl	[eax], ax
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jb	short $+2
		jns	short $+2
; 
		dw 0
; 

??_C@_1CK@IPKNCGG@?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAi?$AAo?$AAn?$AAP?$AAr?$AAe?$AAf?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF367Co
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[edi+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+0], dl
		jb	short $+2
		add	gs:[esi+0], ah
		add	gs:[edx+0], dh
		add	gs:[esi+0], ch
		arpl	[eax], ax
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BG@CEGPHGFI@?$AAM?$AAo?$AAv?$AAe?$AAI?$AAm?$AAa?$AAg?$AAe?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF36C4o
		dec	ebp
		add	[edi+0], ch
		jbe	short $+2
		add	gs:[ecx+0], cl
		insd
		add	[ecx+0], ah
		add	[di+0],	ah
		jnb	short $+2
; 
		dd 0
; 

??_C@_1BE@MMFNEPDK@?$AAM?$AAi?$AAr?$AAr?$AAo?$AAr?$AAi?$AAn?$AAg@EKOMKFNL@:
					; DATA XREF: INIT:00AF36ACo
		dec	ebp
		add	[ecx+0], ch
		jb	short $+2
		jb	short $+2
		outsd
		add	[edx+0], dh
		imul	eax, [eax], 67006Eh
; 
		dw 0
; 

??_C@_1CG@NHIOIKKP@?$AAL?$AAo?$AAw?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh@EKOMKFNL@:
					; DATA XREF: INIT:00AF36F4o
		dec	esp
		add	[edi+0], ch
		ja	short $+2
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jb	short $+2
		jns	short $+2
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+0], ah
; 
		db 3 dup(0)
; 

??_C@_1CC@KPMBFFK@?$AAL?$AAa?$AAr?$AAg?$AAe?$AAP?$AAa?$AAg?$AAe?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF36DCo
		dec	esp
		add	[ecx+0], ah
		jb	short $+2
		add	[di+0],	ah
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1CK@MAOAIMAG@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAP?$AAa?$AAg?$AAe?$AAC?$AAo?$AAm?$AAb@EKOMKFNL@:
					; DATA XREF: INIT:00AF3724o
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		inc	ebx
		add	[edi+0], ch
		insd
		add	[edx+0], ah
		imul	eax, [eax], 69006Eh
		outsb
		add	[edi+0], ah
; 
		dd 0
; 

??_C@_1CI@IKEANOOE@?$AAH?$AAi?$AAg?$AAh?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAT?$AAh?$AAr?$AAe?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF370Co
		dec	eax
		add	[ecx+0], ch
		add	[bx+si+0], ch
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jb	short $+2
		jns	short $+2
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+0], ah

loc_AF7E4B:				; DATA XREF: INIT:00AF3754o
		add	[ebp+0], al
		outsb
		add	[ecx+0], ah
		bound	eax, [eax]
		insb
		add	[ebp+0], ah
		inc	ebx
		add	[edi+0], ch
		outsd
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		add	[bx+si], al

loc_AF7E67:				; DATA XREF: INIT:00AF373Co
		add	[eax+eax+69h], al
		add	[ebx+0], dh
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	eax
		add	[ecx+0], ah
		add	[bx+di+0], ch
		outsb
		add	[edi+0], ah
		inc	ebp
		add	[eax+0], bh
		add	gs:[ebx+0], ah
		jnz	short $+2
		jz	short $+2
		imul	eax, [eax], 650076h
; 
		dd 0
; 

??_C@_1CE@OFANJOFF@?$AAN?$AAo?$AAn?$AAP?$AAa?$AAg?$AAe?$AAd?$AAP?$AAo?$AAo?$AAl?$AAL?$AAi?$AAm@EKOMKFNL@:
					; DATA XREF: INIT:00AF3784o
		dec	esi
		add	[edi+0], ch
		outsb
		add	[eax+0], dl
		popa
		add	[edi+0], ah
		add	gs:[eax+eax+50h], ah
		add	[edi+0], ch
		outsd
		add	[eax+eax+4Ch], ch
		add	[ecx+0], ch
		insd
		add	[ecx+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1CK@CKMOFIPJ@?$AAM?$AAo?$AAd?$AAi?$AAf?$AAi?$AAe?$AAd?$AAW?$AAr?$AAi?$AAt?$AAe?$AAM?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF376Co
		dec	ebp
		add	[edi+0], ch
		add	fs:[ecx+0], ch
		db	66h
		add	[ecx+0], ch
		add	gs:[eax+eax+57h], ah
		add	[edx+0], dh
		imul	eax, [eax], 650074h
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		imul	eax, [eax], 75006Dh
		insd
; 
		db 0
		align 8

??_C@_1CC@KBHPPOJK@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAC?$AAa?$AAc?$AAh?$AAe?$AAL?$AAi?$AAm?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF37B4o
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		inc	ebx
		add	[ecx+0], ah
		arpl	[eax], ax
		push	4C006500h
		add	[ecx+0], ch
		insd
		add	[ecx+0], ch
		jz	short $+2
; 
		dd 0
; 

??_C@_1BO@DNOMPJLB@?$AAP?$AAa?$AAg?$AAe?$AAd?$AAP?$AAo?$AAo?$AAl?$AAL?$AAi?$AAm?$AAi?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF379Co
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		add	fs:[eax+0], dl
		outsd
		add	[edi+0], ch
		insb
		add	[eax+eax+69h], cl
		add	[ebp+0], ch
		imul	eax, [eax], 74h
; 
		dw 0
; 

??_C@_1CE@CIEOCMJD@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAS?$AAp?$AAa?$AAc?$AAe?$AAL?$AAi?$AAm@EKOMKFNL@:
					; DATA XREF: INIT:00AF37E4o
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		push	ebx
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[eax+eax+69h], cl
		add	[ebp+0], ch
		imul	eax, [eax], 74h

??_C@_1CA@JJLEAIDM@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAP?$AAt?$AAe?$AAs?$AAL?$AAi?$AAm?$AAi?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF37CCo
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	eax
		add	[eax+eax+65h], dh
		add	[ebx+0], dh
		dec	esp
		add	[ecx+0], ch
		insd
		add	[ecx+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1BA@CEHMLOOP@?$AAP?$AAo?$AAo?$AAl?$AAT?$AAa?$AAg@EKOMKFNL@:
					; DATA XREF: INIT:00AF3814o
		push	eax
		add	[edi+0], ch
		outsd
		add	[eax+eax+54h], ch
		add	[ecx+0], ah
		add	[bx+si], al

loc_AF7F7F:				; DATA XREF: INIT:00AF37FCo
		add	[eax+0], dl
		outsd
		add	[edi+0], ch
		insb
		add	[eax+eax+61h], dl
		add	[edi+0], ah
		push	ebx
		add	[ebp+0], ch
		popa
		add	[eax+eax+6Ch], ch
		add	[eax+eax+61h], dl
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	ebx
		add	[ecx+0], ch
		jp	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CI@LPIFAHFA@?$AAP?$AAr?$AAo?$AAt?$AAe?$AAc?$AAt?$AAN?$AAo?$AAn?$AAP?$AAa?$AAg?$AAe?$AAd@EKOMKFNL@:
					; DATA XREF: INIT:00AF3844o
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+65h], dh
		add	[ebx+0], ah
		jz	short $+2
		dec	esi
		add	[edi+0], ch
		outsb
		add	[eax+0], dl
		popa
		add	[edi+0], ah
		add	gs:[eax+eax+50h], ah
		add	[edi+0], ch
		outsd
		add	[eax+eax+0], ch

loc_AF7FD3:				; DATA XREF: INIT:00AF382Co
		add	[eax+0], dl
		outsd
		add	[edi+0], ch
		insb
		add	[eax+eax+61h], dl
		add	[edi+0], ah
		dec	edi
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		jnz	short $+2
		outsb
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1BE@CJKNINII@?$AAT?$AAr?$AAa?$AAc?$AAk?$AAP?$AAt?$AAe?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF3874o
		push	esp
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 50h
		add	[eax+eax+65h], dh
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1CC@DDDDJONN@?$AAT?$AAr?$AAa?$AAc?$AAk?$AAL?$AAo?$AAc?$AAk?$AAe?$AAd?$AAP?$AAa?$AAg?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF385Co
		push	esp
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 4Ch
		add	[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 65h
		add	[eax+eax+50h], ah
		add	[ecx+0], ah
		add	[di+0],	ah
		jnb	short $+2
; 
		dd 0
; 

??_C@_1DA@NGIOLDMM@?$AAP?$AAa?$AAg?$AAe?$AAV?$AAa?$AAl?$AAi?$AAd?$AAa?$AAt?$AAi?$AAo?$AAn?$AAF@EKOMKFNL@:
					; DATA XREF: INIT:00AF38A4o
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		push	esi
		add	[ecx+0], ah
		insb
		add	[ecx+0], ch
		add	fs:[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		inc	esi
		add	[edx+0], dh
		add	gs:[ecx+0], dh
		jnz	short $+2
		add	gs:[esi+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dw 0
; 

??_C@_1CK@FGFJMEAL@?$AAP?$AAa?$AAg?$AAe?$AAV?$AAa?$AAl?$AAi?$AAd?$AAa?$AAt?$AAi?$AAo?$AAn?$AAA@EKOMKFNL@:
					; DATA XREF: INIT:00AF388Co
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		push	esi
		add	[ecx+0], ah
		insb
		add	[ecx+0], ch
		add	fs:[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_1CG@DDLHKNPN@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAi?$AAp?$AAD?$AAi?$AAs?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF38ECo
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		push	esp
		add	[ecx+0], ch
		jo	short $+2
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
; 
		dd 0
; 

??_C@_1CA@CKAJOIKN@?$AAF?$AAo?$AAr?$AAc?$AAe?$AAV?$AAa?$AAl?$AAi?$AAd?$AAa?$AAt?$AAe?$AAI?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF38BCo
		inc	esi
		add	[edi+0], ch
		jb	short $+2
		arpl	[eax], ax
		add	gs:[esi+0], dl
		popa
		add	[eax+eax+69h], ch
		add	[eax+eax+61h], ah
		add	[eax+eax+65h], dh
		add	[ecx+0], cl
		outsd
; 
		db 3 dup(0)
; 

??_C@_1CO@HEBPENNJ@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAI?$AAr?$AAp?$AAS?$AAt?$AAa?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF391Co
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		dec	ecx
		add	[edx+0], dh
		jo	short $+2
		push	ebx
		add	[eax+eax+61h], dh
		add	[ebx+0], ah
		imul	eax, [eax], 54h
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
; 
		dd 0
; 

??_C@_1DE@NLIDBPPN@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAN?$AAe?$AAw?$AAR?$AAu?$AAl?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF3904o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		dec	esi
		add	[ebp+0], ah
		ja	short $+2
		push	edx
		add	[ebp+0], dh
		insb
		add	[ebp+0], ah
		push	edi
		add	[edi+0], ch
		jb	short $+2
		imul	eax, [eax], 61h
		add	[edx+0], dh
		outsd
		add	[ebp+0], dh
		outsb
		add	[eax+eax+0], ah

loc_AF8133:				; DATA XREF: INIT:00AF394Co
		add	[esi+0], dl
		add	gs:[edx+0], dh
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		dec	ecx
		add	[edx+0], dh
		jo	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dd 0
; 

??_C@_1CK@KOKAABFK@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAH?$AAa?$AAn?$AAd?$AAl?$AAe?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF3934o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		dec	eax
		add	[ecx+0], ah
		outsb
		add	[eax+eax+6Ch], ah
		add	[ebp+0], ah
		push	esp
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
; 
		dd 0
; 

??_C@_1CG@OMFLBEM@?$AAX?$AAd?$AAv?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAO?$AAp?$AAt?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF39ACo
		pop	eax
		add	[eax+eax+76h], ah
		add	[esi+0], dl
		add	gs:[edx+0], dh
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dd 0
; 

??_C@_1BM@JKLADBPD@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF397Co
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 790066h
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BK@BGGEFFAP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAT?$AAr?$AAi?$AAa?$AAg?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF39DCo
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 790066h
		push	esp
		add	[edx+0], dh
		imul	eax, [eax], 670061h
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BG@FKHICKAJ@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAM?$AAo?$AAd?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF39C4o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 790066h
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], ah
; 
		dd 0
; 

??_C@_1DC@MHEDJDNG@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAF?$AAa?$AAu?$AAl?$AAt?$AAP?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF3A0Co
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		inc	esi
		add	[ecx+0], ah
		jnz	short $+2
		insb
		add	[eax+eax+50h], dh
		add	[edx+0], dh
		outsd
		add	[edx+0], ah
		popa
		add	[edx+0], ah
		imul	eax, [eax], 69006Ch
		jz	short $+2
		jns	short $+2
; 
		dd 0
; 

??_C@_1CE@PPLGPGCB@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAT?$AAr?$AAi?$AAa?$AAg?$AAe?$AAR?$AAu?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF39F4o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 790066h
		push	esp
		add	[edx+0], dh
		imul	eax, [eax], 670061h
		add	gs:[edx+0], dl
		jnz	short $+2
		insb
		add	[ebp+0], ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1DE@IAHJOFCH@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAF?$AAa?$AAu?$AAl?$AAt?$AAA?$AAp@EKOMKFNL@:
					; DATA XREF: INIT:00AF3A3Co
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		inc	esi
		add	[ecx+0], ah
		jnz	short $+2
		insb
		add	[eax+eax+41h], dh
		add	[eax+0], dh
		jo	short $+2
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1DC@KHOJOKN@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAF?$AAa?$AAu?$AAl?$AAt?$AAB?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF3A24o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		inc	esi
		add	[ecx+0], ah
		jnz	short $+2
		insb
		add	[eax+eax+42h], dh
		add	[edi+0], ch
		outsd
		add	[eax+eax+4Dh], dh
		add	[ecx+0], ch
		outsb
		add	[ebp+0], dh
		jz	short $+2
		add	gs:[ebx+0], dh
; 
		dd 0
; 

??_C@_1CK@KFCLOIKL@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAL?$AAw?$AAs?$AAp?$AAP?$AAo?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF3A6Co
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		dec	esp
		add	[edi+0], dh
		jnb	short $+2
		jo	short $+2
		push	eax
		add	[edi+0], ch
		outsd
		add	[eax+eax+54h], ch
		add	[ecx+0], ah
		add	[bp+di+0], dh
; 
		dd 0
; 

??_C@_1CE@HNJACPIC@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAF?$AAa?$AAu?$AAl?$AAt?$AAT?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF3A54o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		inc	esi
		add	[ecx+0], ah
		jnz	short $+2
		insb
		add	[eax+eax+54h], dh
		add	[ecx+0], ah
		add	[bp+di+0], dh
; 
		dw 0
; 

??_C@_1DI@MPLMMFJA@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAi?$AAp?$AAL?$AAi?$AAm?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF3A9Co
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		push	esp
		add	[ecx+0], ch
		jo	short $+2
		dec	esp
		add	[ecx+0], ch
		insd
		add	[ecx+0], ch
		jz	short $+2
		inc	esp
		add	[ebp+0], ah
		outsb
		add	[edi+0], ch
		insd
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ah
		jz	short $+2
		outsd
		add	[edx+0], dh
; 
		dw 0
; 

??_C@_1CM@JGABLCCH@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAR?$AAa?$AAn?$AAd?$AAo?$AAm?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF3A84o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		push	edx
		add	[ecx+0], ah
		outsb
		add	[eax+eax+6Fh], ah
		add	[ebp+0], ch
		push	esp
		add	[ecx+0], ah
		jb	short $+2
		add	[di+0],	ah
		jz	short $+2
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CM@EFDMDBJD@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAi?$AAp?$AAS?$AAp?$AAa?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF3ACCo
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		push	esp
		add	[ecx+0], ch
		jo	short $+2
		push	ebx
		add	[eax+0], dh
		popa
		add	[edx+0], dh
		jnb	short $+2
		add	gs:[esi+0], ch
		add	gs:[ebx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1DE@OKMGEIMP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAi?$AAp?$AAL?$AAi?$AAm?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF3AB4o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		push	esp
		add	[ecx+0], ch
		jo	short $+2
		dec	esp
		add	[ecx+0], ch
		insd
		add	[ecx+0], ch
		jz	short $+2
		dec	esi
		add	[ebp+0], dh
		insd
		add	[ebp+0], ah
		jb	short $+2
		popa
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
; 
		dw 0
; 

??_C@_1CI@OLDFCAEK@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAB?$AAT?$AAS?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF3AFCo
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 790066h
		inc	edx
		add	[eax+eax+53h], dl
		add	[edx+0], al
		jnz	short $+2
		db	66h
		add	[esi+0], ah
		add	gs:[edx+0], dh
		push	ebx
		add	[ecx+0], ch
		jp	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CM@MEHIEDNP@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAT?$AAr?$AAi?$AAa?$AAg?$AAe?$AAC@EKOMKFNL@:
					; DATA XREF: INIT:00AF3AE4o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		push	esp
		add	[edx+0], dh
		imul	eax, [eax], 670061h
		add	gs:[ebx+0], al
		outsd
		add	[esi+0], ch
		jz	short $+2
		add	gs:[eax+0], bh
		jz	short $+2
; 
		dw 0
; 

??_C@_1DC@DCPPHACC@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAP?$AAo?$AAo?$AAl?$AAT?$AAr?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF3B2Co
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		push	eax
		add	[edi+0], ch
		outsd
		add	[eax+eax+54h], ch
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		dec	esp
		add	[ebp+0], ah
		outsb
		add	[edi+0], ah
		jz	short $+2
		push	0
; 
		db 0
; 

??_C@_1CM@FCKBPIFI@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAy?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs?$AAS?$AAu@EKOMKFNL@:
					; DATA XREF: INIT:00AF3B14o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 790066h
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
		jnb	short $+2
		push	ebx
		add	[ebp+0], dh
		jo	short $+2
		jo	short $+2
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1DC@GCHOLFMB@?$AAD?$AAe?$AAa?$AAd?$AAl?$AAo?$AAc?$AAk?$AAS?$AAe?$AAa?$AAr?$AAc?$AAh?$AAN@EKOMKFNL@:
					; DATA XREF: INIT:00AF3B5Co
		inc	esp
		add	[ebp+0], ah
		popa
		add	[eax+eax+6Ch], ah
		add	[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 53h
		add	[ebp+0], ah
		popa
		add	[edx+0], dh
		arpl	[eax], ax
		push	6F004E00h
		add	[eax+eax+65h], ah
		add	[ebx+0], dh
		dec	esp
		add	[ecx+0], ch
		insd
		add	[ecx+0], ch
		jz	short $+2
; 
		dd 0
; 

??_C@_1DI@JHEJPBNI@?$AAD?$AAe?$AAa?$AAd?$AAl?$AAo?$AAc?$AAk?$AAR?$AAe?$AAc?$AAu?$AAr?$AAs?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF3B44o
		inc	esp
		add	[ebp+0], ah
		popa
		add	[eax+eax+6Ch], ah
		add	[edi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 52h
		add	[ebp+0], ah
		arpl	[eax], ax
		jnz	short $+2
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		inc	esp
		add	[ebp+0], ah
		jo	short $+2
		jz	short $+2
		push	69004C00h
		add	[ebp+0], ch
		imul	eax, [eax], 74h

??_C@_1DE@PALPLDHP@?$AAW?$AAo?$AAr?$AAk?$AAi?$AAn?$AAg?$AAS?$AAe?$AAt?$AAS?$AAw?$AAa?$AAp?$AAS@EKOMKFNL@:
					; DATA XREF: INIT:00AF3B8Co
		push	edi
		add	[edi+0], ch
		jb	short $+2
		imul	eax, [eax], 69h
		add	[esi+0], ch
		add	[bp+di+0], dl
		add	gs:[eax+eax+53h], dh
		add	[edi+0], dh
		popa
		add	[eax+0], dh
		push	ebx
		add	[eax+0], ch
		popa
		add	[edx+0], dh
		add	gs:[eax+eax+50h], ah
		add	[ecx+0], ah
		add	[di+0],	ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1DE@GMADOGDK@?$AAM?$AAi?$AAn?$AAi?$AAm?$AAu?$AAm?$AAS?$AAt?$AAa?$AAc?$AAk?$AAC?$AAo?$AAm@EKOMKFNL@:
					; DATA XREF: INIT:00AF3B74o
		dec	ebp
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ch
		insd
		add	[ebp+0], dh
		insd
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 43h
		add	[edi+0], ch
		insd
		add	[ebp+0], ch
		imul	eax, [eax], 490074h
		outsb
		add	[edx+0], al
		jns	short $+2
		jz	short $+2
		add	gs:[ebx+0], dh
; 
		dw 0
; 

??_C@_1DK@LJINDFFG@?$AAR?$AAe?$AAm?$AAo?$AAt?$AAe?$AAF?$AAi?$AAl?$AAe?$AAD?$AAi?$AAr?$AAt?$AAy@EKOMKFNL@:
					; DATA XREF: INIT:00AF3BBCo
		push	edx
		add	[ebp+0], ah
		insd
		add	[edi+0], ch
		jz	short $+2
		add	gs:[esi+0], al
		imul	eax, [eax], 65006Ch
		inc	esp
		add	[ecx+0], ch
		jb	short $+2
		jz	short $+2
		jns	short $+2
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+0], ah
; 
		db 3 dup(0)
; 

??_C@_1DA@IBKCMACI@?$AAV?$AAm?$AAP?$AAa?$AAu?$AAs?$AAe?$AAO?$AAu?$AAt?$AAs?$AAw?$AAa?$AAp?$AAS@EKOMKFNL@:
					; DATA XREF: INIT:00AF3BA4o
		push	esi
		add	[ebp+0], ch
		push	eax
		add	[ecx+0], ah
		jnz	short $+2
		jnb	short $+2
		add	gs:[edi+0], cl
		jnz	short $+2
		jz	short $+2
		jnb	short $+2
		ja	short $+2
		popa
		add	[eax+0], dh
		push	ebx
		add	[ecx+0], ch
		jp	short $+2
		add	gs:[ebx+0], al
		popa
		add	[eax+0], dh
		dec	ebp
		add	[edx+0], al
; 
		dw 0
; 

??_C@_1DG@LJJOLMFF@?$AAC?$AAa?$AAc?$AAh?$AAe?$AAU?$AAn?$AAm?$AAa?$AAp?$AAB?$AAe?$AAh?$AAi?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF3BECo
		inc	ebx
		add	[ecx+0], ah
		arpl	[eax], ax
		push	55006500h
		add	[esi+0], ch
		insd
		add	[ecx+0], ah
		jo	short $+2
		inc	edx
		add	[ebp+0], ah
		push	6E006900h
		add	[eax+eax+4Ch], ah
		add	[ebp+0], ah
		outsb
		add	[edi+0], ah
		jz	short $+2
		push	6E004900h
		add	[ebp+0], cl
		inc	edx
; 
		db 0
		align 10h

??_C@_1CE@LPKMBGK@?$AAM?$AAa?$AAx?$AAL?$AAa?$AAz?$AAy?$AAW?$AAr?$AAi?$AAt?$AAe?$AAP?$AAa?$AAg@EKOMKFNL@:
					; DATA XREF: INIT:00AF3BD4o
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		dec	esp
		add	[ecx+0], ah
		jp	short $+2
		jns	short $+2
		push	edi
		add	[edx+0], dh
		imul	eax, [eax], 650074h
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1DO@NODDNLBC@?$AAL?$AAa?$AAz?$AAy?$AAW?$AAr?$AAi?$AAt?$AAe?$AAr?$AAP?$AAe?$AAr?$AAc?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF3C1Co
		dec	esp
		add	[ecx+0], ah
		jp	short $+2
		jns	short $+2
		push	edi
		add	[edx+0], dh
		imul	eax, [eax], 650074h
		jb	short $+2
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		popa
		add	[edi+0], ah
		add	gs:[edi+0], cl
		db	66h
		add	[esi+0], cl
		jnz	short $+2
		insd
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[ebx+0], ah
		jnb	short $+2
; 
		dd 0
; 

??_C@_1CE@GAMHPGCI@?$AAT?$AAo?$AAp?$AAB?$AAo?$AAt?$AAt?$AAo?$AAm?$AAD?$AAP?$AAT?$AAE?$AAq?$AAu@EKOMKFNL@:
					; DATA XREF: INIT:00AF3C04o
		push	esp
		add	[edi+0], ch
		jo	short $+2
		inc	edx
		add	[edi+0], ch
		jz	short $+2
		jz	short $+2
		outsd
		add	[ebp+0], ch
		inc	esp
		add	[eax+0], dl
		push	esp
		add	[ebp+0], al
		jno	short $+2
		jnz	short $+2
		popa
		add	[eax+eax+0], ch
; 
		db 0
; 

??_C@_1DI@BAEMBMNO@?$AAS?$AAo?$AAf?$AAt?$AAT?$AAh?$AAr?$AAo?$AAt?$AAt?$AAl?$AAe?$AAL?$AAa?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF3C4Co
		push	ebx
		add	[edi+0], ch
		db	66h
		add	[eax+eax+54h], dh
		add	[eax+0], ch
		jb	short $+2
		outsd
		add	[eax+eax+74h], dh
		add	[eax+eax+65h], ch
		add	[eax+eax+61h], cl
		add	[edx+0], dh
		add	[di+0],	ah
		push	edi
		add	[edx+0], dh
		imul	eax, [eax], 650074h
		inc	ecx
		add	[eax+eax+50h], dh
		add	[ebx+0], ah
		jz	short $+2
; 
		dw 0
; 

??_C@_1BO@EOPFHBP@?$AAL?$AAa?$AAr?$AAg?$AAe?$AAW?$AAr?$AAi?$AAt?$AAe?$AAS?$AAi?$AAz?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF3C34o
		dec	esp
		add	[ecx+0], ah
		jb	short $+2
		add	[di+0],	ah
		push	edi
		add	[edx+0], dh
		imul	eax, [eax], 650074h
		push	ebx
		add	[ecx+0], ch
		jp	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CM@GCEGNNPI@?$AAS?$AAi?$AAm?$AAu?$AAl?$AAa?$AAt?$AAe?$AAC?$AAo?$AAm?$AAm?$AAi?$AAt?$AAS@EKOMKFNL@:
					; DATA XREF: INIT:00AF3C7Co
		push	ebx
		add	[ecx+0], ch
		insd
		add	[ebp+0], dh
		insb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[ebx+0], al
		outsd
		add	[ebp+0], ch
		insd
		add	[ecx+0], ch
		jz	short $+2
		push	ebx
		add	[ecx+0], ah
		jbe	short $+2
		imul	eax, [eax], 67006Eh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CM@IOHKKG@?$AAS?$AAo?$AAf?$AAt?$AAT?$AAh?$AAr?$AAo?$AAt?$AAt?$AAl?$AAe?$AAD?$AAe?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF3C64o
		push	ebx
		add	[edi+0], ch
		db	66h
		add	[eax+eax+54h], dh
		add	[eax+0], ch
		jb	short $+2
		outsd
		add	[eax+eax+74h], dh
		add	[eax+eax+65h], ch
		add	[eax+eax+65h], al
		add	[eax+eax+61h], ch
		add	[ecx+0], bh
		dec	ecx
		add	[esi+0], ch
		dec	ebp
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1DM@PDKJOCBE@?$AAS?$AAp?$AAe?$AAc?$AAi?$AAa?$AAl?$AAP?$AAu?$AAr?$AAp?$AAo?$AAs?$AAe?$AAM@EKOMKFNL@:
					; DATA XREF: INIT:00AF3CACo
		push	ebx
		add	[eax+0], dh
		add	gs:[ebx+0], ah
		imul	eax, [eax], 6C0061h
		push	eax
		add	[ebp+0], dh
		jb	short $+2
		jo	short $+2
		outsd
		add	[ebx+0], dh
		add	gs:[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
; 
		dw 0
; 

??_C@_1DE@IHMFEAPG@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAP?$AAa?$AAd?$AAS?$AAe?$AAc?$AAt?$AAi?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF3C94o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[eax+0], dl
		popa
		add	[eax+eax+53h], ah
		add	[ebp+0], ah
		arpl	[eax], ax
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
		dec	edi
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
; 
		dw 0
; 

??_C@_1DE@GGNOAJBP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF3CD8o
					; INIT:00AF3CF0o ...
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebp+0], al
		js	short $+2
		add	gs:[ebx+0], ah
		jnz	short $+2
		jz	short $+2
		imul	eax, [eax], 650076h
; 
		dw 0
; 

??_C@_1DE@PHBCLLGF@?$AAS?$AAp?$AAe?$AAc?$AAi?$AAa?$AAl?$AAP?$AAu?$AAr?$AAp?$AAo?$AAs?$AAe?$AAM@EKOMKFNL@:
					; DATA XREF: INIT:00AF3CC4o
		push	ebx
		add	[eax+0], dh
		add	gs:[ebx+0], ah
		imul	eax, [eax], 6C0061h
		push	eax
		add	[ebp+0], dh
		jb	short $+2
		jo	short $+2
		outsd
		add	[ebx+0], dh
		add	gs:[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1DO@PPCLEAKI@?$AAA?$AAd?$AAd?$AAi?$AAt?$AAi?$AAo?$AAn?$AAa?$AAl?$AAD?$AAe?$AAl?$AAa?$AAy@EKOMKFNL@:
					; DATA XREF: INIT:00AF3CF4o
		inc	ecx
		add	[eax+eax+64h], ah
		add	[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		popa
		add	[eax+eax+44h], ch
		add	[ebp+0], ah
		insb
		add	[ecx+0], ah
		jns	short $+2
		add	gs:[eax+eax+57h], ah
		add	[edi+0], ch
		jb	short $+2
		imul	eax, [eax], 65h
		add	[edx+0], dh
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ecx+0], ah
		add	fs:[ebx+0], dh
; 
		dd 0
; 

??_C@_1EA@FEILHEOL@?$AAA?$AAd?$AAd?$AAi?$AAt?$AAi?$AAo?$AAn?$AAa?$AAl?$AAC?$AAr?$AAi?$AAt?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF3CDCo
		inc	ecx
		add	[eax+eax+64h], ah
		add	[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		popa
		add	[eax+eax+43h], ch
		add	[edx+0], dh
		imul	eax, [eax], 690074h
		arpl	[eax], ax
		popa
		add	[eax+eax+57h], ch
		add	[edi+0], ch
		jb	short $+2
		imul	eax, [eax], 65h
		add	[edx+0], dh
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ecx+0], ah
		add	fs:[ebx+0], dh
; 
		dw 0
; 

??_C@_1DK@IMCKMECJ@?$AAW?$AAo?$AAr?$AAk?$AAe?$AAr?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd?$AAT?$AAi?$AAm@EKOMKFNL@:
					; DATA XREF: INIT:00AF3D24o
		push	edi
		add	[edi+0], ch
		jb	short $+2
		imul	eax, [eax], 65h
		add	[edx+0], dh
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ecx+0], ah
		add	fs:[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[edi+0], ch
		jnz	short $+2
		jz	short $+2
		dec	ecx
		add	[esi+0], ch
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		outsd
		add	[esi+0], ch
		add	fs:[ebx+0], dh
; 
		dd 0
; 

??_C@_1DG@GELAFLBI@?$AAM?$AAa?$AAx?$AAi?$AAm?$AAu?$AAm?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAW?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF3D0Co
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		imul	eax, [eax], 75006Dh
		insd
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], dl
		outsd
		add	[edx+0], dh
		imul	eax, [eax], 65h
		add	[edx+0], dh
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ecx+0], ah
		add	fs:[ebx+0], dh
; 
		dd 2 dup(0)
; 

??_C@_1EG@MCLNOCOB@?$AAW?$AAo?$AAr?$AAk?$AAe?$AAr?$AAF?$AAa?$AAc?$AAt?$AAo?$AAr?$AAy?$AAT?$AAh@EKOMKFNL@:
					; DATA XREF: INIT:00AF3D54o
		push	edi
		add	[edi+0], ch
		jb	short $+2
		imul	eax, [eax], 65h
		add	[edx+0], dh
		inc	esi
		add	[ecx+0], ah
		arpl	[eax], ax
		jz	short $+2
		outsd
		add	[edx+0], dh
		jns	short $+2
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ecx+0], ah
		add	fs:[ebx+0], al
		jb	short $+2
		add	gs:[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dd 0
; 

??_C@_1CM@BBANJFHC@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAW?$AAo?$AAr?$AAk?$AAe?$AAr?$AAT?$AAe?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF3D3Co
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], dl
		outsd
		add	[edx+0], dh
		imul	eax, [eax], 65h
		add	[edx+0], dh
		push	esp
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1DG@LLMOGBAG@?$AAF?$AAo?$AAr?$AAc?$AAe?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAM?$AAu?$AAt?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF3D84o
		inc	esi
		add	[edi+0], ch
		jb	short $+2
		arpl	[eax], ax
		add	gs:[ebp+0], al
		outsb
		add	[ecx+0], ah
		bound	eax, [eax]
		insb
		add	[ebp+0], ah
		dec	ebp
		add	[ebp+0], dh
		jz	short $+2
		popa
		add	[esi+0], ch
		jz	short $+2
		inc	ecx
		add	[ebp+0], dh
		jz	short $+2
		outsd
		add	[edx+0], ah
		outsd
		add	[edi+0], ch
		jnb	short $+2
		jz	short $+2
; 
		dd 0
; 

??_C@_1DO@BMGNPFNP@?$AAW?$AAo?$AAr?$AAk?$AAe?$AAr?$AAF?$AAa?$AAc?$AAt?$AAo?$AAr?$AAy?$AAT?$AAh@EKOMKFNL@:
					; DATA XREF: INIT:00AF3D6Co
		push	edi
		add	[edi+0], ch
		jb	short $+2
		imul	eax, [eax], 65h
		add	[edx+0], dh
		inc	esi
		add	[ecx+0], ah
		arpl	[eax], ax
		jz	short $+2
		outsd
		add	[edx+0], dh
		jns	short $+2
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ecx+0], ah
		add	fs:[ecx+0], cl
		add	fs:[eax+eax+65h], ch
		add	[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[edi+0], ch
		jnz	short $+2
		jz	short $+2
; 
		dd 0
; 

??_C@_1BG@ENKFBHBP@?$AAD?$AAP?$AAC?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF3D9Co
		inc	esp
		add	[eax+0], dl
		inc	ebx
		add	[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[edi+0], ch
		jnz	short $+2
		jz	short $+2
; 
		dd 0
; 

??_C@_1CO@FLCCMNBF@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF3D98o
					; INIT:00AF3DB0o ...
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
; 
		db 0
		dd 0
; 

??_C@_1DC@PKHGIDHP@?$AAD?$AAp?$AAc?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg?$AAP?$AAr?$AAo?$AAf@EKOMKFNL@:
					; DATA XREF: INIT:00AF3DCCo
		inc	esp
		add	[eax+0], dh
		arpl	[eax], ax
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6F006400h
		add	[edi+0], ah
		push	eax
		add	[edx+0], dh
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		dec	edi
		add	[esi+0], ah
		db	66h
		add	[ebx+0], dh
		add	gs:[eax+eax+0],	dh
; 
		db 3 dup(0)
; 

??_C@_1CE@IEOAAJFD@?$AAD?$AAp?$AAc?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg?$AAP?$AAe?$AAr?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF3DB4o
		inc	esp
		add	[eax+0], dh
		arpl	[eax], ax
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6F006400h
		add	[edi+0], ah
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 64006Fh
; 
		dw 0
; 

??_C@_1CA@MFKJFOCE@?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd?$AAD?$AAp?$AAc?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF3DFCo
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ecx+0], ah
		add	fs:[eax+eax+70h], al
		add	[ebx+0], ah
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1DC@BOEKLBNH@?$AAV?$AAe?$AAr?$AAi?$AAf?$AAi?$AAe?$AAr?$AAD?$AAp?$AAc?$AAS?$AAc?$AAa?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF3DE4o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 690066h
		add	gs:[edx+0], dh
		inc	esp
		add	[eax+0], dh
		arpl	[eax], ax
		push	ebx
		add	[ebx+0], ah
		popa
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		add	[bp+0],	al
		popa
		add	[ebx+0], ah
		jz	short $+2
		outsd
		add	[edx+0], dh
; 
		dd 0
; 

??_C@_1BM@INBNPIKC@?$AAD?$AAp?$AAc?$AAQ?$AAu?$AAe?$AAu?$AAe?$AAD?$AAe?$AAp?$AAt?$AAh@EKOMKFNL@:
					; DATA XREF: INIT:00AF3E2Co
		inc	esp
		add	[eax+0], dh
		arpl	[eax], ax
		push	ecx
		add	[ebp+0], dh
		add	gs:[ebp+0], dh
		add	gs:[eax+eax+65h], al
		add	[eax+0], dh
		jz	short $+2

loc_AF8B00:				; DATA XREF: INIT:00AF3E14o
		push	4B000000h
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[ebx+0], dl
		inc	ebp
		add	[eax+0], cl
		dec	edi
		add	[eax+0], dl
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1DI@FAFGOAMG@?$AAM?$AAa?$AAx?$AAi?$AAm?$AAu?$AAm?$AAS?$AAh?$AAa?$AAr?$AAe?$AAd?$AAR?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF3E5Co
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		imul	eax, [eax], 75006Dh
		insd
		add	[ebx+0], dl
		push	72006100h
		add	[ebp+0], ah
		add	fs:[edx+0], dl
		add	gs:[ecx+0], ah
		add	fs:[ecx+0], bh
		push	ecx
		add	[ebp+0], dh
		add	gs:[ebp+0], dh
		add	gs:[ebx+0], dl
		imul	eax, [eax], 65007Ah
; 
		dw 0
; 

??_C@_1BO@NNJLCINI@?$AAM?$AAi?$AAn?$AAi?$AAm?$AAu?$AAm?$AAD?$AAp?$AAc?$AAR?$AAa?$AAt?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF3E44o
		dec	ebp
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ch
		insd
		add	[ebp+0], dh
		insd
		add	[eax+eax+70h], al
		add	[ebx+0], ah
		push	edx
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CO@JCKNBFDP@?$AAP?$AAa?$AAs?$AAs?$AAi?$AAv?$AAe?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg@EKOMKFNL@:
					; DATA XREF: INIT:00AF3E8Co
		push	eax
		add	[ecx+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 650076h
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6F006400h
		add	[edi+0], ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dd 0
; 

??_C@_1CG@CLKJBFLP@?$AAA?$AAd?$AAj?$AAu?$AAs?$AAt?$AAD?$AAp?$AAc?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh@EKOMKFNL@:
					; DATA XREF: INIT:00AF3E74o
		inc	ecx
		add	[eax+eax+6Ah], ah
		add	[ebp+0], dh
		jnb	short $+2
		jz	short $+2
		inc	esp
		add	[eax+0], dh
		arpl	[eax], ax
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+0], ah
; 
		db 3 dup(0)
; 

??_C@_1DC@LCMPLHBA@?$AAS?$AAe?$AAr?$AAi?$AAa?$AAl?$AAi?$AAz?$AAe?$AAT?$AAi?$AAm?$AAe?$AAr?$AAE@EKOMKFNL@:
					; DATA XREF: INIT:00AF3EBCo
		push	ebx
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 6C0061h
		imul	eax, [eax], 65007Ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		jb	short $+2
		inc	ebp
		add	[eax+0], bh
		jo	short $+2
		imul	eax, [eax], 610072h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_1EE@DMNEKBAE@?$AAS?$AAc?$AAh?$AAe?$AAd?$AAu?$AAl?$AAe?$AAr?$AAA?$AAs?$AAs?$AAi?$AAs?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF3EA4o
		push	ebx
		add	[ebx+0], ah
		push	64006500h
		add	[ebp+0], dh
		insb
		add	[ebp+0], ah
		jb	short $+2
		inc	ecx
		add	[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 740073h
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ecx+0], ah
		add	fs:[esi+0], al
		insb
		add	[ecx+0], ah
		add	[bx+0],	cl
		jbe	short $+2
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
; 
		dw 0
; 

??_C@_1DG@FLFBDDAI@?$AAV?$AAp?$AAT?$AAh?$AAr?$AAe?$AAa?$AAd?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAW@EKOMKFNL@:
					; DATA XREF: INIT:00AF3EECo
		push	esi
		add	[eax+0], dh
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ecx+0], ah
		add	fs:[ebx+0], dl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edi
		add	[edi+0], ch
		jb	short $+2
		imul	eax, [eax], 50h
		add	[edx+0], dh
		imul	eax, [eax], 72006Fh
		imul	eax, [eax], 790074h
; 
		dd 0
; 

??_C@_1BG@CHDCBJBE@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAT?$AAs?$AAx@EKOMKFNL@:
					; DATA XREF: INIT:00AF3ED4o
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	esp
		add	[ebx+0], dh
		js	short $+2
; 
		dd 0
; 

??_C@_1BO@BDBPCIGC@?$AAC?$AAa?$AAc?$AAh?$AAe?$AAI?$AAs?$AAo?$AAB?$AAi?$AAt?$AAm?$AAa?$AAp@EKOMKFNL@:
					; DATA XREF: INIT:00AF3F1Co
		inc	ebx
		add	[ecx+0], ah
		arpl	[eax], ax
		push	49006500h
		add	[ebx+0], dh
		outsd
		add	[edx+0], al
		imul	eax, [eax], 6D0074h
		popa
		add	[eax+0], dh
; 
		dd 0
; 

??_C@_1BO@FMBDCCHJ@?$AAP?$AAe?$AAr?$AAf?$AAI?$AAs?$AAo?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAd@EKOMKFNL@:
					; DATA XREF: INIT:00AF3F04o
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[ecx+0], cl
		jnb	short $+2
		outsd
		add	[ebp+0], al
		outsb
		add	[ecx+0], ah
		bound	eax, [eax]
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CE@MKEAJFPJ@?$AAX?$AAM?$AAM?$AAI?$AAZ?$AAe?$AAr?$AAo?$AAi?$AAn?$AAg?$AAE?$AAn?$AAa?$AAb@EKOMKFNL@:
					; DATA XREF: INIT:00AF3F4Co
		pop	eax
		add	[ebp+0], cl
		dec	ebp
		add	[ecx+0], cl
		pop	edx
		add	[ebp+0], ah
		jb	short $+2
		outsd
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1BK@FNPPACOG@?$AAI?$AAd?$AAe?$AAa?$AAl?$AAD?$AAp?$AAc?$AAR?$AAa?$AAt?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF3F34o
		dec	ecx
		add	[eax+eax+65h], ah
		add	[ecx+0], ah
		insb
		add	[eax+eax+70h], al
		add	[ebx+0], ah
		push	edx
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CO@JGONJKFI@?$AAM?$AAa?$AAx?$AAD?$AAy?$AAn?$AAa?$AAm?$AAi?$AAc?$AAT?$AAi?$AAc?$AAk?$AAD@EKOMKFNL@:
					; DATA XREF: INIT:00AF3F7Co
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		inc	esp
		add	[ecx+0], bh
		outsb
		add	[ecx+0], ah
		insd
		add	[ecx+0], ch
		arpl	[eax], ax
		push	esp
		add	[ecx+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 44h
		add	[ebp+0], dh
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 0
		dd 0
; 

??_C@_1CI@BIDEDDAA@?$AAC?$AAa?$AAc?$AAh?$AAe?$AAE?$AAr?$AAr?$AAa?$AAt?$AAa?$AAO?$AAv?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF3F64o
		inc	ebx
		add	[ecx+0], ah
		arpl	[eax], ax
		push	45006500h
		add	[edx+0], dh
		jb	short $+2
		popa
		add	[eax+eax+61h], dh
		add	[edi+0], cl
		jbe	short $+2
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
; 
		dw 0
; 

??_C@_1CE@NNPBFBMJ@?$AAM?$AAi?$AAt?$AAi?$AAg?$AAa?$AAt?$AAi?$AAo?$AAn?$AAO?$AAp?$AAt?$AAi?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF3FACo
		dec	ebp
		add	[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 610067h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1EA@GNPIAFMM@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAE?$AAx?$AAc?$AAe?$AAp?$AAt?$AAi?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF3F94o
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	ebp
		add	[eax+0], bh
		arpl	[eax], ax
		add	gs:[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		inc	ebx
		add	[eax+0], ch
		popa
		add	[ecx+0], ch
		outsb
		add	[esi+0], dl
		popa
		add	[eax+eax+69h], ch
		add	[eax+eax+61h], ah
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 3 dup(0)
; 

??_C@_1FC@JLENHMLJ@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl?$AAF@EKOMKFNL@:
					; DATA XREF: INIT:00AF3FDCo
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
		add	[esi+0], al
		insb
		add	[edi+0], ch
		ja	short $+2
		inc	edi
		add	[ebp+0], dh
		popa
		add	[edx+0], dh
		add	fs:[ebp+0], al
		js	short $+2
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		push	ebx
		add	[ebp+0], dh
		jo	short $+2
		jo	short $+2
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_1CO@GNDGOBAE@?$AAM?$AAi?$AAt?$AAi?$AAg?$AAa?$AAt?$AAi?$AAo?$AAn?$AAA?$AAu?$AAd?$AAi?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF3FC4o
		dec	ebp
		add	[ecx+0], ch
		jz	short $+2
		imul	eax, [eax], 610067h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		inc	ecx
		add	[ebp+0], dh
		add	fs:[ecx+0], ch
		jz	short $+2
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dd 0
; 

??_C@_1DG@BLIMACAG@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF4008o
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
		add	[eax+eax+52h], bl
		add	[esi+0], cl
		inc	edi
; 
		db 0
		dd 0
; 

??_C@_1CK@CDGLEEOE@?$AAF?$AAo?$AAr?$AAc?$AAe?$AAI?$AAd?$AAl?$AAe?$AAG?$AAr?$AAa?$AAc?$AAe?$AAP@EKOMKFNL@:
					; DATA XREF: INIT:00AF3FF4o
		inc	esi
		add	[edi+0], ch
		jb	short $+2
		arpl	[eax], ax
		add	gs:[ecx+0], cl
		add	fs:[eax+eax+65h], ch
		add	[edi+0], al
		jb	short $+2
		popa
		add	[ebx+0], ah
		add	gs:[eax+0], dl
		add	gs:[edx+0], dh
		imul	eax, [eax], 64006Fh
; 
		dd 0
; 

??_C@_1CA@PPHAONLB@?$AAO?$AAb?$AAT?$AAr?$AAa?$AAc?$AAe?$AAP?$AAo?$AAo?$AAl?$AAT?$AAa?$AAg?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF4024o
		dec	edi
		add	[edx+0], ah
		push	esp
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[eax+0], dl
		outsd
		add	[edi+0], ch
		insb
		add	[eax+eax+61h], dl
		add	[edi+0], ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CC@PJFJLKH@?$AAR?$AAN?$AAG?$AAA?$AAu?$AAx?$AAi?$AAl?$AAi?$AAa?$AAr?$AAy?$AAS?$AAe?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF400Co
		push	edx
		add	[esi+0], cl
		inc	edi
		add	[ecx+0], al
		jnz	short $+2
		js	short $+2
		imul	eax, [eax], 69006Ch
		popa
		add	[edx+0], dh
		jns	short $+2
		push	ebx
		add	[ebp+0], ah
		add	gs:[eax+eax+0],	ah
; 
		db 3 dup(0)
; 

??_C@_1CC@CHDDJNBI@?$AAO?$AAb?$AAT?$AAr?$AAa?$AAc?$AAe?$AAP?$AAe?$AAr?$AAm?$AAa?$AAn?$AAe?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF4054o
		dec	edi
		add	[edx+0], ah
		push	esp
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[eax+0], dl
		add	gs:[edx+0], dh
		insd
		add	[ecx+0], ah
		outsb
		add	[ebp+0], ah
		outsb
		add	[eax+eax+0], dh
; 
		db 3 dup(0)
; 

??_C@_1CG@JHFLCAAO@?$AAO?$AAb?$AAT?$AAr?$AAa?$AAc?$AAe?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAN@EKOMKFNL@:
					; DATA XREF: INIT:00AF403Co
		dec	edi
		add	[edx+0], ah
		push	esp
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[eax+0], dl
		jb	short $+2
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		dec	esi
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
; 
		dd 0
; 

??_C@_1CM@OOPLPMFL@?$AAO?$AAb?$AAU?$AAn?$AAs?$AAe?$AAc?$AAu?$AAr?$AAe?$AAG?$AAl?$AAo?$AAb?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF4084o
		dec	edi
		add	[edx+0], ah
		push	ebp
		add	[esi+0], ch
		jnb	short $+2
		add	gs:[ebx+0], ah
		jnz	short $+2
		jb	short $+2
		add	gs:[edi+0], al
		insb
		add	[edi+0], ch
		bound	eax, [eax]
		popa
		add	[eax+eax+4Eh], ch
		add	[ecx+0], ah
		insd
		add	[ebp+0], ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CK@HJJNPICP@?$AAP?$AAo?$AAC?$AAl?$AAe?$AAa?$AAn?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF406Co
		push	eax
		add	[edi+0], ch
		inc	ebx
		add	[eax+eax+65h], ch
		add	[ecx+0], ah
		outsb
		add	[ebx+0], dl
		push	74007500h
		add	[eax+eax+6Fh], ah
		add	[edi+0], dh
		outsb
		add	[esi+0], al
		insb
		add	[ecx+0], ah
		add	[bp+di+0], dh
; 
		dd 0
; 

??_C@_1CM@HJLIFNDC@?$AAA?$AAl?$AAw?$AAa?$AAy?$AAs?$AAT?$AAr?$AAa?$AAc?$AAk?$AAI?$AAo?$AAB?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF40B4o
		inc	ecx
		add	[eax+eax+77h], ch
		add	[ecx+0], ah
		jns	short $+2
		jnb	short $+2
		push	esp
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 49h
		add	[edi+0], ch
		inc	edx
		add	[edi+0], ch
		outsd
		add	[ebx+0], dh
		jz	short $+2
		imul	eax, [eax], 67006Eh
; 
		dw 0
; 

??_C@_1CA@FOJGKJED@?$AAT?$AAi?$AAm?$AAe?$AAr?$AAC?$AAh?$AAe?$AAc?$AAk?$AAF?$AAl?$AAa?$AAg?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF409Co
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		jb	short $+2
		inc	ebx
		add	[eax+0], ch
		add	gs:[ebx+0], ah
		imul	eax, [eax], 46h
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CG@HMBLOHBN@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAS?$AAt?$AAu?$AAd?$AAy?$AAD?$AAi?$AAs?$AAa?$AAb@EKOMKFNL@:
					; DATA XREF: INIT:00AF40CCo
		push	ebx
		add	[eax+eax+65h], ch
		add	[ebp+0], ah
		jo	short $+2
		push	ebx
		add	[eax+eax+75h], dh
		add	[eax+eax+79h], ah
		add	[eax+eax+69h], al
		add	[ebx+0], dh
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CM@JGIJKPEK@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF40C8o
					; INIT:00AF40E0o ...
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[eax+0], dl
		outsd
		add	[edi+0], dh
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1CK@MDMJEODA@?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg?$AAS?$AAl?$AAe?$AAe?$AAp?$AAT?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF40FCo
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6F006400h
		add	[edi+0], ah
		push	ebx
		add	[eax+eax+65h], ch
		add	[ebp+0], ah
		jo	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dd 2 dup(0)
; 

??_C@_1EA@EHDFMNMB@?$AAS?$AAl?$AAe?$AAe?$AAp?$AAS?$AAt?$AAu?$AAd?$AAy?$AAD?$AAe?$AAv?$AAi?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF40E4o
		push	ebx
		add	[eax+eax+65h], ch
		add	[ebp+0], ah
		jo	short $+2
		push	ebx
		add	[eax+eax+75h], dh
		add	[eax+eax+79h], ah
		add	[eax+eax+65h], al
		add	[esi+0], dh
		imul	eax, [eax], 650063h
		inc	ecx
		add	[ebx+0], ah
		arpl	[eax], ax
		outsd
		add	[ebp+0], dh
		outsb
		add	[eax+eax+69h], dh
		add	[esi+0], ch
		add	[si+0],	cl
		add	gs:[esi+0], dh
		add	gs:[eax+eax+0],	ch
; 
		db 0
; 

??_C@_1CC@OMMONJMM@?$AAI?$AAd?$AAl?$AAe?$AAS?$AAc?$AAa?$AAn?$AAI?$AAn?$AAt?$AAe?$AAr?$AAv?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF412Co
		dec	ecx
		add	[eax+eax+6Ch], ah
		add	[ebp+0], ah
		push	ebx
		add	[ebx+0], ah
		popa
		add	[esi+0], ch
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		jbe	short $+2
		popa
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1CM@GDIINAON@?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg?$AAR?$AAe?$AAs?$AAu?$AAm?$AAe?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF4114o
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6F006400h
		add	[edi+0], ah
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dw 0
; 

??_C@_1CC@LDEENHCJ@?$AAS?$AAk?$AAi?$AAp?$AAT?$AAi?$AAc?$AAk?$AAO?$AAv?$AAe?$AAr?$AAr?$AAi?$AAd@EKOMKFNL@:
					; DATA XREF: INIT:00AF415Co
		push	ebx
		add	[ebx+0], ch
		imul	eax, [eax], 540070h
		imul	eax, [eax], 6B0063h
		dec	edi
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
; 
		dd 0
; 

??_C@_1BI@BPNLMJD@?$AAF?$AAl?$AAu?$AAs?$AAh?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@:
					; DATA XREF: INIT:00AF4144o
		inc	esi
		add	[eax+eax+75h], ch
		add	[ebx+0], dh
		push	6F005000h
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		jns	short $+2
; 
		dw 0
; 

??_C@_1CC@NACBKHGE@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAn?$AAa?$AAt?$AAe?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4174o
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		outsb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[ebp+0], al
		outsb
		add	[ecx+0], ah
		bound	eax, [eax]
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1M@KHCHFCBG@?$AAP?$AAo?$AAw?$AAe?$AAr@EKOMKFNL@: ; DATA XREF: INIT:00AF4170o
					; INIT:00AF4188o ...
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1DK@OLIMDCEF@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAF?$AAo?$AAr?$AAc?$AAe?$AAH?$AAi?$AAb?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF41A0o
					; INIT:00AF41B8o
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		pop	esp
		add	[esi+0], al
		outsd
		add	[edx+0], dh
		arpl	[eax], ax
		add	gs:[eax+0], cl
		imul	eax, [eax], 650062h
		jb	short $+2
		outsb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax+eax+69h], al
		add	[ebx+0], dh
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1DA@DHNINCF@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAn?$AAa?$AAt?$AAe?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF418Co
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		outsb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[ebp+0], al
		outsb
		add	[ecx+0], ah
		bound	eax, [eax]
		insb
		add	[ebp+0], ah
		add	fs:[eax+eax+65h], al
		add	[esi+0], ah
		popa
		add	[ebp+0], dh
		insb
		add	[eax+eax+0], dh

loc_AF91E7:				; DATA XREF: INIT:00AF41BCo
		add	[edi+0], al
		jnz	short $+2
		popa
		add	[edx+0], dh
		add	fs:[ebp+0], ah
		add	fs:[eax+0], cl
		outsd
		add	[ebx+0], dh
		jz	short $+2
; 
		dw 0
; 

??_C@_1O@MPKBHDFA@?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@: ; DATA XREF: INIT:00AF41A4o
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dd 0
; 

??_C@_1BM@KJCJDEGO@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe?$AAT?$AAy?$AAp?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF41ECo
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		push	esp
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CK@DMPKJLLK@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe?$AAS?$AAi?$AAz?$AAe?$AAP?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF41D4o
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		push	ebx
		add	[ecx+0], ch
		jp	short $+2
		add	gs:[eax+0], dl
		add	gs:[edx+0], dh
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
; 
		dd 0
; 

??_C@_1CM@OAIKEION@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4218o
					; INIT:00AF4230o ...
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		pop	esp
		add	[eax+0], cl
		imul	eax, [eax], 650062h
		jb	short $+2
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		inc	edx
		add	[ebp+0], dh
		arpl	[eax], ax
		imul	eax, [eax], 65h
		add	[eax+eax+0], dh
; 
		db 0
; 

??_C@_1CK@PLIOKCDF@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAF?$AAi?$AAl?$AAe?$AAT?$AAy?$AAp?$AAe?$AAD?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4204o
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
		push	esp
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[eax+eax+65h], al
		add	[esi+0], ah
		popa
		add	[ebp+0], dh
		insb
		add	[eax+eax+0], dh
; 
		db 3 dup(0)
; 

??_C@_1CE@NLBBIGON@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA1?$AAG?$AAB?$AAR?$AAe?$AAd?$AAu?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF4234o
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		xor	[eax], eax
		inc	edi
		add	[edx+0], al
		push	edx
		add	[ebp+0], ah
		add	fs:[ebp+0], dh
		arpl	[eax], ax
		add	gs:[eax+eax+0],	ah

loc_AF92D3:				; DATA XREF: INIT:00AF421Co
		add	[eax+0], dl
		add	gs:[edx+0], dh
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		xor	[eax], eax
		inc	edi
		add	[edx+0], al
		inc	esi
		add	[ebp+0], dh
		insb
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1CE@OCGJCLKN@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA2?$AAG?$AAB?$AAR?$AAe?$AAd?$AAu?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF4264o
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		xor	al, [eax]
		inc	edi
		add	[edx+0], al
		push	edx
		add	[ebp+0], ah
		add	fs:[ebp+0], dh
		arpl	[eax], ax
		add	gs:[eax+eax+0],	ah
; 
		db 0
; 

??_C@_1BO@LFFFEJEN@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA2?$AAG?$AAB?$AAF?$AAu?$AAl?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF424Co
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		xor	al, [eax]
		inc	edi
		add	[edx+0], al
		inc	esi
		add	[ebp+0], dh
		insb
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1CE@JAJIHBCN@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA4?$AAG?$AAB?$AAR?$AAe?$AAd?$AAu?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF4294o
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		xor	al, 0
		inc	edi
		add	[edx+0], al
		push	edx
		add	[ebp+0], ah
		add	fs:[ebp+0], dh
		arpl	[eax], ax
		add	gs:[eax+eax+0],	ah

loc_AF935B:				; DATA XREF: INIT:00AF427Co
		add	[eax+0], dl
		add	gs:[edx+0], dh
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		xor	al, 0
		inc	edi
		add	[edx+0], al
		inc	esi
		add	[ebp+0], dh
		insb
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1CE@HFHKMECN@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA8?$AAG?$AAB?$AAR?$AAe?$AAd?$AAu?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF42C4o
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		cmp	[eax], al
		inc	edi
		add	[edx+0], al
		push	edx
		add	[ebp+0], ah
		add	fs:[ebp+0], dh
		arpl	[eax], ax
		add	gs:[eax+eax+0],	ah

loc_AF939F:				; DATA XREF: INIT:00AF42ACo
		add	[eax+0], dl
		add	gs:[edx+0], dh
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		cmp	[eax], al
		inc	edi
		add	[edx+0], al
		inc	esi
		add	[ebp+0], dh
		insb
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1CG@IDLINFIN@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA1?$AA6?$AAG?$AAB?$AAR?$AAe?$AAd?$AAu@EKOMKFNL@:
					; DATA XREF: INIT:00AF42F4o
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		xor	[eax], eax
		add	ss:[edi+0], al
		inc	edx
		add	[edx+0], dl
		add	gs:[eax+eax+75h], ah
		add	[ebx+0], ah
		add	gs:[eax+eax+0],	ah
; 
		db 3 dup(0)
; 

??_C@_1CA@MHDKIMFB@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA1?$AA6?$AAG?$AAB?$AAF?$AAu?$AAl?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF42DCo
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		xor	[eax], eax
		add	ss:[edi+0], al
		inc	edx
		add	[esi+0], al
		jnz	short $+2
		insb
		add	[eax+eax+0], ch

loc_AF9407:				; DATA XREF: INIT:00AF4324o
		add	[eax+0], dl
		add	gs:[edx+0], dh
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		xor	eax, [eax]
		xor	al, [eax]
		inc	edi
		add	[edx+0], al
		push	edx
		add	[ebp+0], ah
		add	fs:[ebp+0], dh
		arpl	[eax], ax
		add	gs:[eax+eax+0],	ah
; 
		db 3 dup(0)
; 

??_C@_1CA@BGNPKLFF@?$AAP?$AAe?$AAr?$AAc?$AAe?$AAn?$AAt?$AA3?$AA2?$AAG?$AAB?$AAF?$AAu?$AAl?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF430Co
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		xor	eax, [eax]
		xor	al, [eax]
		inc	edi
		add	[edx+0], al
		inc	esi
		add	[ebp+0], dh
		insb
		add	[eax+eax+0], ch

loc_AF944F:				; DATA XREF: INIT:00AF4354o
		add	[eax+0], dl
		add	gs:[edx+0], dh
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		push	ebp
		add	[esi+0], ch
		insb
		add	[ecx+0], ch
		insd
		add	[ecx+0], ch
		jz	short $+2
		add	gs:[eax+eax+52h], ah
		add	[ebp+0], ah
		add	fs:[ebp+0], dh
		arpl	[eax], ax
		add	gs:[eax+eax+0],	ah

loc_AF947F:				; DATA XREF: INIT:00AF433Co
		add	[eax+0], dl
		add	gs:[edx+0], dh
		arpl	[eax], ax
		add	gs:[esi+0], ch
		jz	short $+2
		push	ebp
		add	[esi+0], ch
		insb
		add	[ecx+0], ch
		insd
		add	[ecx+0], ch
		jz	short $+2
		add	gs:[eax+eax+46h], ah
		add	[ebp+0], dh
		insb
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1DK@KGPKOFKM@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAn?$AAa?$AAt?$AAe?$AAC?$AAh?$AAe?$AAc?$AAk?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF4384o
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		outsb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[ebx+0], al
		push	63006500h
		add	[ebx+0], ch
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ch
		imul	eax, [eax], 67006Eh
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CC@LDNNKDKB@?$AAH?$AAi?$AAb?$AAe?$AAr?$AAb?$AAo?$AAo?$AAt?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF436Co
		dec	eax
		add	[ecx+0], ch
		bound	eax, [eax]
		add	gs:[edx+0], dh
		bound	eax, [eax]
		outsd
		add	[edi+0], ch
		jz	short $+2
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CM@JADPCEC@?$AAF?$AAo?$AAr?$AAc?$AAe?$AAM?$AAi?$AAn?$AAi?$AAm?$AAa?$AAl?$AAH?$AAi?$AAb@EKOMKFNL@:
					; DATA XREF: INIT:00AF43B4o
		inc	esi
		add	[edi+0], ch
		jb	short $+2
		arpl	[eax], ax
		add	gs:[ebp+0], cl
		imul	eax, [eax], 69006Eh
		insd
		add	[ecx+0], ah
		insb
		add	[eax+0], cl
		imul	eax, [eax], 650062h
		jb	short $+2
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1CO@BJHBBJPL@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAM?$AAi?$AAn?$AAi?$AAm?$AAa?$AAl?$AAH?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF439Co
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		dec	ebp
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ch
		insd
		add	[ecx+0], ah
		insb
		add	[eax+0], cl
		imul	eax, [eax], 650062h
		jb	short $+2
		inc	esi
		add	[ecx+0], ch
		insb
		add	[ebp+0], ah
; 
		dd 0
; 

??_C@_1DE@IEFPINNN@?$AAT?$AAh?$AAe?$AAr?$AAm?$AAa?$AAl?$AAT?$AAe?$AAl?$AAe?$AAm?$AAe?$AAt?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF43E4o
		push	esp
		add	[eax+0], ch
		add	gs:[edx+0], dh
		insd
		add	[ecx+0], ah
		insb
		add	[eax+eax+65h], dl
		add	[eax+eax+65h], ch
		add	[ebp+0], ch
		add	gs:[eax+eax+72h], dh
		add	[ecx+0], bh
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		bound	eax, [eax]
		outsd
		add	[ebx+0], dh
		imul	eax, [eax], 790074h
; 
		dw 0
; 

??_C@_1CG@MJIPGMJC@?$AAT?$AAh?$AAe?$AAr?$AAm?$AAa?$AAl?$AAP?$AAo?$AAl?$AAl?$AAi?$AAn?$AAg?$AAM@EKOMKFNL@:
					; DATA XREF: INIT:00AF43CCo
		push	esp
		add	[eax+0], ch
		add	gs:[edx+0], dh
		insd
		add	[ecx+0], ah
		insb
		add	[eax+0], dl
		outsd
		add	[eax+eax+6Ch], ch
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], ah
; 
		dd 0
; 

??_C@_1DI@MDOINOAN@?$AAS?$AAm?$AAa?$AAr?$AAt?$AAU?$AAs?$AAe?$AAr?$AAP?$AAr?$AAe?$AAs?$AAe?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF4414o
		push	ebx
		add	[ebp+0], ch
		popa
		add	[edx+0], dh
		jz	short $+2
		push	ebp
		add	[ebx+0], dh
		add	gs:[edx+0], dh
		push	eax
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		add	gs:[esi+0], ch
		arpl	[eax], ax
		add	gs:[edi+0], dl
		popa
		add	[ebx+0], ch
		add	gs:[edi+0], cl
		db	66h
		add	[esi+0], ah
		jnb	short $+2
		add	gs:[eax+eax+0],	dh
; 
		db 0
; 

??_C@_1DK@MAHGDGCP@?$AAS?$AAm?$AAa?$AAr?$AAt?$AAU?$AAs?$AAe?$AAr?$AAP?$AAr?$AAe?$AAs?$AAe?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF43FCo
		push	ebx
		add	[ebp+0], ch
		popa
		add	[edx+0], dh
		jz	short $+2
		push	ebp
		add	[ebx+0], dh
		add	gs:[edx+0], dh
		push	eax
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		add	gs:[esi+0], ch
		arpl	[eax], ax
		add	gs:[edi+0], al
		jb	short $+2
		popa
		add	[ebx+0], ah
		add	gs:[eax+0], dl
		add	gs:[edx+0], dh
		imul	eax, [eax], 64006Fh
; 
		dd 0
; 

??_C@_1DA@DKNPLDHK@?$AAS?$AAm?$AAa?$AAr?$AAt?$AAU?$AAs?$AAe?$AAr?$AAP?$AAr?$AAe?$AAs?$AAe?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF4444o
		push	ebx
		add	[ebp+0], ch
		popa
		add	[edx+0], dh
		jz	short $+2
		push	ebp
		add	[ebx+0], dh
		add	gs:[edx+0], dh
		push	eax
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		add	gs:[esi+0], ch
		arpl	[eax], ax
		add	gs:[ecx+0], al
		arpl	[eax], ax
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
; 

??_C@_1DM@HAEAFMAF@?$AAS?$AAm?$AAa?$AAr?$AAt?$AAU?$AAs?$AAe?$AAr?$AAP?$AAr?$AAe?$AAs?$AAe?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF442Co
		push	ebx
		add	[ebp+0], ch
		popa
		add	[edx+0], dh
		jz	short $+2
		push	ebp
		add	[ebx+0], dh
		add	gs:[edx+0], dh
		push	eax
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		add	gs:[esi+0], ch
		arpl	[eax], ax
		add	gs:[ebx+0], al
		push	63006500h
		add	[ebx+0], ch
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dw 0
; 

??_C@_1DG@FDJAOGJG@?$AAD?$AAo?$AAz?$AAe?$AAD?$AAe?$AAf?$AAe?$AAr?$AAr?$AAa?$AAl?$AAC?$AAh?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4474o
		inc	esp
		add	[edi+0], ch
		jp	short $+2
		add	gs:[eax+eax+65h], al
		add	[esi+0], ah
		add	gs:[edx+0], dh
		jb	short $+2
		popa
		add	[eax+eax+43h], ch
		add	[eax+0], ch
		add	gs:[ebx+0], ah
		imul	eax, [eax], 73h
		add	[eax+eax+6Fh], dl
		add	[ecx+0], cl
		add	[bp+0],	ch
		outsd
		add	[edx+0], dh
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CO@GEJKHHDI@?$AAD?$AAo?$AAz?$AAe?$AAD?$AAe?$AAf?$AAe?$AAr?$AAr?$AAa?$AAl?$AAM?$AAa?$AAx@EKOMKFNL@:
					; DATA XREF: INIT:00AF445Co
		inc	esp
		add	[edi+0], ch
		jp	short $+2
		add	gs:[eax+eax+65h], al
		add	[esi+0], ah
		add	gs:[edx+0], dh
		jb	short $+2
		popa
		add	[eax+eax+4Dh], ch
		add	[ecx+0], ah
		js	short $+2
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		outsd
		add	[esi+0], ch
		add	fs:[ebx+0], dh
; 
		dd 2 dup(0)
; 

??_C@_1FE@GNKAEAJI@?$AAP?$AAd?$AAc?$AAI?$AAd?$AAl?$AAe?$AAP?$AAh?$AAa?$AAs?$AAe?$AAD?$AAe?$AAf@EKOMKFNL@:
					; DATA XREF: INIT:00AF44A4o
		push	eax
		add	[eax+eax+63h], ah
		add	[ecx+0], cl
		add	fs:[eax+eax+65h], ch
		add	[eax+0], dl
		push	73006100h
		add	[ebp+0], ah
		inc	esp
		add	[ebp+0], ah
		db	66h
		add	[ecx+0], ah
		jnz	short $+2
		insb
		add	[eax+eax+57h], dh
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6F006400h
		add	[edi+0], ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		outsd
		add	[esi+0], ch
		add	fs:[ebx+0], dh
; 
		dw 0
		align 8

??_C@_1EI@BGKDCLDM@?$AAW?$AAi?$AAn?$AA3?$AA2?$AAk?$AAC?$AAa?$AAl?$AAl?$AAo?$AAu?$AAt?$AAW?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF448Co
		push	edi
		add	[ecx+0], ch
		outsb
		add	[ebx], dh
		add	[edx], dh
		add	[ebx+0], ch
		inc	ebx
		add	[ecx+0], ah
		insb
		add	[eax+eax+6Fh], ch
		add	[ebp+0], dh
		jz	short $+2
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6F006400h
		add	[edi+0], ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		outsd
		add	[esi+0], ch
		add	fs:[ebx+0], dh
; 
		dw 0
; 

??_C@_1FC@KAOPAHPP@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAA?$AAc?$AAt?$AAi?$AAo?$AAn?$AAS?$AAu?$AAs?$AAp@EKOMKFNL@:
					; DATA XREF: INIT:00AF44D4o
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	ebx
		add	[ebp+0], dh
		jnb	short $+2
		jo	short $+2
		add	gs:[esi+0], ch
		add	fs:[edi+0], dl
		popa
		add	[eax+eax+63h], dh
		add	[eax+0], ch
		add	fs:[edi+0], ch
		add	[si+0],	dl
		imul	eax, [eax], 65006Dh
		outsd
		add	[ebp+0], dh
		jz	short $+2
		inc	esp
		add	[ebp+0], ah
		db	66h
		add	[ecx+0], ah
		jnz	short $+2
		insb
		add	[eax+eax+0], dh
; 
		db 3 dup(0)
; 

??_C@_1DM@MIFCHHCE@?$AAF?$AAx?$AAA?$AAc?$AAc?$AAo?$AAu?$AAn?$AAt?$AAi?$AAn?$AAg?$AAT?$AAe?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF44BCo
		inc	esi
		add	[eax+0], bh
		inc	ecx
		add	[ebx+0], ah
		arpl	[eax], ax
		outsd
		add	[ebp+0], dh
		outsb
		add	[eax+eax+69h], dh
		add	[esi+0], ch
		add	[si+0],	dl
		add	gs:[eax+eax+65h], ch
		add	[ebp+0], ch
		add	gs:[eax+eax+72h], dh
		add	[ecx+0], bh
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1DI@KPFGGNIO@?$AAP?$AAr?$AAe?$AAS?$AAl?$AAe?$AAe?$AAp?$AAN?$AAo?$AAt?$AAi?$AAf?$AAi?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF4504o
		push	eax
		add	[edx+0], dh
		add	gs:[ebx+0], dl
		insb
		add	[ebp+0], ah
		add	gs:[eax+0], dh
		dec	esi
		add	[edi+0], ch
		jz	short $+2
		imul	eax, [eax], 690066h
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dl
		add	gs:[ebx+0], ah
		outsd
		add	[esi+0], ch
		add	fs:[ebx+0], dh
; 
		dw 0
; 

??_C@_1FA@BMNDPLII@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAA?$AAc?$AAt?$AAi?$AAo?$AAn?$AAR?$AAe?$AAs?$AAu@EKOMKFNL@:
					; DATA XREF: INIT:00AF44ECo
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jnz	short $+2
		insd
		add	[ebp+0], ah
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6F006400h
		add	[edi+0], ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
		inc	esp
		add	[ebp+0], ah
		db	66h
		add	[ecx+0], ah
		jnz	short $+2
		insb
		add	[eax+eax+0], dh
; 
		db 0
; 

??_C@_1CK@DPLEPGKK@?$AAP?$AAl?$AAa?$AAt?$AAf?$AAo?$AAr?$AAm?$AAR?$AAo?$AAl?$AAe?$AAO?$AAv?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4534o
		push	eax
		add	[eax+eax+61h], ch
		add	[eax+eax+66h], dh
		add	[edi+0], ch
		jb	short $+2
		insd
		add	[edx+0], dl
		outsd
		add	[eax+eax+65h], ch
		add	[edi+0], cl
		jbe	short $+2
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
; 
		dd 0
; 

??_C@_1BG@NLAIPHCD@?$AAM?$AAS?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAd@EKOMKFNL@:
					; DATA XREF: INIT:00AF451Co
		dec	ebp
		add	[ebx+0], dl
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CM@IAPAGLBE@?$AAP?$AAe?$AAr?$AAf?$AAB?$AAo?$AAo?$AAs?$AAt?$AAA?$AAt?$AAG?$AAu?$AAa?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF4564o
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[edx+0], al
		outsd
		add	[edi+0], ch
		jnb	short $+2
		jz	short $+2
		inc	ecx
		add	[eax+eax+47h], dh
		add	[ebp+0], dh
		popa
		add	[edx+0], dh
		popa
		add	[esi+0], ch
		jz	short $+2
		add	gs:[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1CK@JJMHJOPM@?$AAP?$AAl?$AAa?$AAt?$AAf?$AAo?$AAr?$AAm?$AAA?$AAo?$AAA?$AAc?$AAO?$AAv?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF454Co
		push	eax
		add	[eax+eax+61h], ch
		add	[eax+eax+66h], dh
		add	[edi+0], ch
		jb	short $+2
		insd
		add	[ecx+0], al
		outsd
		add	[ecx+0], al
		arpl	[eax], ax
		dec	edi
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
; 
		dd 0
; 

??_C@_1CK@HCOBIFIA@?$AAM?$AAf?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr?$AAi?$AAn?$AAg?$AAT?$AAh?$AAr?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4594o
		dec	ebp
		add	[esi+0], ah
		inc	edx
		add	[ebp+0], dh
		db	66h
		add	[esi+0], ah
		add	gs:[edx+0], dh
		imul	eax, [eax], 67006Eh
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+0], ah
; 
		db 3 dup(0)
; 

??_C@_1DC@MFFJEIKL@?$AAI?$AAp?$AAi?$AAL?$AAa?$AAs?$AAt?$AAC?$AAl?$AAo?$AAc?$AAk?$AAO?$AAw?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF457Co
		dec	ecx
		add	[eax+0], dh
		imul	eax, [eax], 61004Ch
		jnb	short $+2
		jz	short $+2
		inc	ebx
		add	[eax+eax+6Fh], ch
		add	[ebx+0], ah
		imul	eax, [eax], 4Fh
		add	[edi+0], dh
		outsb
		add	[ebp+0], ah
		jb	short $+2
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
; 
		dd 0
; 

??_C@_1DA@BPGBIGKK@?$AAL?$AAa?$AAt?$AAe?$AAn?$AAc?$AAy?$AAT?$AAo?$AAl?$AAe?$AAr?$AAa?$AAn?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF45C4o
		dec	esp
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[esi+0], ch
		arpl	[eax], ax
		jns	short $+2
		push	esp
		add	[edi+0], ch
		insb
		add	[ebp+0], ah
		jb	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[eax+eax+65h], al
		add	[esi+0], ah
		popa
		add	[ebp+0], dh
		insb
		add	[eax+eax+0], dh

loc_AF99F3:				; DATA XREF: INIT:00AF45ACo
		add	[ebp+0], cl
		db	66h
		add	[edi+0], cl
		jbe	short $+2
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
		jnb	short $+2
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al

loc_AF9A1B:				; DATA XREF: INIT:00AF45F4o
		add	[eax+eax+61h], cl
		add	[eax+eax+65h], dh
		add	[esi+0], ch
		arpl	[eax], ax
		jns	short $+2
		push	esp
		add	[edi+0], ch
		insb
		add	[ebp+0], ah
		jb	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[esi+0], al
		push	ebx
		add	[esi+0], dl
		push	eax
; 
		db 0
		align 8

??_C@_1DK@PCEKICFF@?$AAL?$AAa?$AAt?$AAe?$AAn?$AAc?$AAy?$AAT?$AAo?$AAl?$AAe?$AAr?$AAa?$AAn?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF45DCo
		dec	esp
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[esi+0], ch
		arpl	[eax], ax
		jns	short $+2
		push	esp
		add	[edi+0], ch
		insb
		add	[ebp+0], ah
		jb	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[esi+0], dl
		push	ebx
		add	[ecx+0], bh
		outsb
		add	[ebx+0], ah
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 3 dup(0)
		align 8

??_C@_1FG@MMPJNDKM@?$AAP?$AAe?$AAr?$AAf?$AAI?$AAd?$AAe?$AAa?$AAl?$AAA?$AAg?$AAg?$AAr?$AAe?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF4624o
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[ecx+0], cl
		add	fs:[ebp+0], ah
		popa
		add	[eax+eax+41h], ch
		add	[edi+0], ah
		add	[bp+si+0], dh
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 650076h
		dec	ecx
		add	[esi+0], ch
		arpl	[eax], ax
		jb	short $+2
		add	gs:[ecx+0], ah
		jnb	short $+2
		add	gs:[eax+0], dl
		outsd
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		jns	short $+2
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+0], ah
; 
		db 3 dup(0)
; 

??_C@_1DO@KGNGLMDB@?$AAL?$AAa?$AAt?$AAe?$AAn?$AAc?$AAy?$AAT?$AAo?$AAl?$AAe?$AAr?$AAa?$AAn?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF460Co
		dec	esp
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[esi+0], ch
		arpl	[eax], ax
		jns	short $+2
		push	esp
		add	[edi+0], ch
		insb
		add	[ebp+0], ah
		jb	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[ecx+0], cl
		add	fs:[eax+eax+65h], ch
		add	[edx+0], dl
		add	gs:[ebx+0], dh
		imul	eax, [eax], 69006Ch
		add	gs:[esi+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dd 0
; 

??_C@_1DO@CMKEEMJJ@?$AAP?$AAe?$AAr?$AAf?$AAC?$AAa?$AAl?$AAc?$AAu?$AAl?$AAa?$AAt?$AAe?$AAA?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF4654o
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[ebx+0], al
		popa
		add	[eax+eax+63h], ch
		add	[ebp+0], dh
		insb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[ecx+0], al
		arpl	[eax], ax
		jz	short $+2
		jnz	short $+2
		popa
		add	[eax+eax+55h], ch
		add	[eax+eax+69h], dh
		add	[eax+eax+69h], ch
		add	[edx+0], bh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 0
		align 10h

??_C@_1CG@CLEKOLAN@?$AAP?$AAe?$AAr?$AAf?$AAS?$AAi?$AAn?$AAg?$AAl?$AAe?$AAS?$AAt?$AAe?$AAp?$AAS@EKOMKFNL@:
					; DATA XREF: INIT:00AF463Co
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[ebx+0], dl
		imul	eax, [eax], 67006Eh
		insb
		add	[ebp+0], ah
		push	ebx
		add	[eax+eax+65h], dh
		add	[eax+0], dh
		push	ebx
		add	[ecx+0], ch
		jp	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1DA@EGJHOLNF@?$AAP?$AAa?$AAr?$AAk?$AAW?$AAi?$AAt?$AAh?$AAC?$AAo?$AAr?$AAe?$AAG?$AAr?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF4684o
		push	eax
		add	[ecx+0], ah
		jb	short $+2
		imul	eax, [eax], 57h
		add	[ecx+0], ch
		jz	short $+2
		push	6F004300h
		add	[edx+0], dh
		add	gs:[edi+0], al
		jb	short $+2
		popa
		add	[esi+0], ch
		jnz	short $+2
		insb
		add	[ecx+0], ah
		jb	short $+2
		imul	eax, [eax], 790074h
; 
		dw 0
; 

??_C@_1CK@NBNKAMG@?$AAP?$AAe?$AAr?$AAf?$AAA?$AAr?$AAt?$AAi?$AAf?$AAi?$AAc?$AAi?$AAa?$AAl?$AAD@EKOMKFNL@:
					; DATA XREF: INIT:00AF466Co
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[ecx+0], al
		jb	short $+2
		jz	short $+2
		imul	eax, [eax], 690066h
		arpl	[eax], ax
		imul	eax, [eax], 6C0061h
		inc	esp
		add	[edi+0], ch
		insd
		add	[ecx+0], ah
		imul	eax, [eax], 6Eh
; 
		dw 0
; 

??_C@_1DC@BFKBJEED@?$AAC?$AAl?$AAa?$AAs?$AAs?$AA1?$AAI?$AAn?$AAi?$AAt?$AAi?$AAa?$AAl?$AAU?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF46B4o
		inc	ebx
		add	[eax+eax+61h], ch
		add	[ebx+0], dh
		jnb	short $+2
		xor	[eax], eax
		dec	ecx
		add	[esi+0], ch
		imul	eax, [eax], 690074h
		popa
		add	[eax+eax+55h], ch
		add	[esi+0], ch
		jo	short $+2
		popa
		add	[edx+0], dh
		imul	eax, [eax], 43h
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+0], dh
; 
		db 3 dup(0)
; 

??_C@_1CK@INIJJANI@?$AAM?$AAu?$AAl?$AAt?$AAi?$AAp?$AAa?$AAr?$AAk?$AAG?$AAr?$AAa?$AAn?$AAu?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF469Co
		dec	ebp
		add	[ebp+0], dh
		insb
		add	[eax+eax+69h], dh
		add	[eax+0], dh
		popa
		add	[edx+0], dh
		imul	eax, [eax], 47h
		add	[edx+0], dh
		popa
		add	[esi+0], ch
		jnz	short $+2
		insb
		add	[ecx+0], ah
		jb	short $+2
		imul	eax, [eax], 790074h
; 
		dd 0
; 

??_C@_1CO@IKFIIBAH@?$AAH?$AAi?$AAg?$AAh?$AAP?$AAe?$AAr?$AAf?$AAD?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF46E4o
		dec	eax
		add	[ecx+0], ch
		add	[bx+si+0], ch
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[eax+eax+75h], al
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], al
		push	ebx
		add	[ebp+0], al
		js	short $+2
		imul	eax, [eax], 74h
; 
		dw 0
; 

??_C@_1CK@NFJHMAEA@?$AAH?$AAi?$AAg?$AAh?$AAP?$AAe?$AAr?$AAf?$AAD?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF46CCo
		dec	eax
		add	[ecx+0], ch
		add	[bx+si+0], ch
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[eax+eax+75h], al
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[edx+0], al
		outsd
		add	[edi+0], ch
		jz	short $+2
; 
		dd 0
; 

??_C@_1DM@EFEFJPCF@?$AAI?$AAd?$AAl?$AAe?$AAD?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAE?$AAx?$AAp@EKOMKFNL@:
					; DATA XREF: INIT:00AF4714o
		dec	ecx
		add	[eax+eax+6Ch], ah
		add	[ebp+0], ah
		inc	esp
		add	[ebp+0], dh
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebp+0], al
		js	short $+2
		jo	short $+2
		imul	eax, [eax], 610072h
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dw 0
; 

??_C@_1CO@IFEJMCJN@?$AAH?$AAi?$AAg?$AAh?$AAP?$AAe?$AAr?$AAf?$AAD?$AAu?$AAr?$AAa?$AAt?$AAi?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF46FCo
		dec	eax
		add	[ecx+0], ch
		add	[bx+si+0], ch
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[eax+eax+75h], al
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dl
		js	short $+2
		inc	ebp
		add	[eax+0], bh
		imul	eax, [eax], 74h
; 
		dw 0
; 

??_C@_1DO@GFFAPAMB@?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAg?$AAe?$AAn?$AAe?$AAo?$AAu?$AAs?$AAP?$AAp@EKOMKFNL@:
					; DATA XREF: INIT:00AF4744o
		dec	eax
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[edx+0], dh
		outsd
		add	[edi+0], ah
		add	gs:[esi+0], ch
		add	gs:[edi+0], ch
		jnz	short $+2
		jnb	short $+2
		push	eax
		add	[eax+0], dh
		insd
		add	[ecx+0], cl
		insd
		add	[eax+0], dh
		insb
		add	[ebp+0], ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+61h], dh
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 0
		dd 0
; 

??_C@_1DA@GPKECOFB@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAI?$AAd?$AAl?$AAe?$AAS?$AAt?$AAa?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF472Co
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		dec	ecx
		add	[eax+eax+6Ch], ah
		add	[ebp+0], ah
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+65h], dh
		add	[ebx+0], dh
		inc	ecx
		add	[eax+eax+42h], dh
		add	[edi+0], ch
		outsd
		add	[eax+eax+0], dh

loc_AF9D7B:				; DATA XREF: INIT:00AF4774o
		add	[ebp+0], al
		outsb
		add	[esi+0], ah
		outsd
		add	[edx+0], dh
		arpl	[eax], ax
		add	gs:[eax+eax+69h], al
		add	[ebx+0], dh
		arpl	[eax], ax
		outsd
		add	[esi+0], ch
		outsb
		add	[ebp+0], ah
		arpl	[eax], ax
		jz	short $+2
		add	gs:[eax+eax+53h], ah
		add	[eax+eax+61h], dh
		add	[esi+0], ch
		add	fs:[edx+0], ah
		jns	short $+2
; 
		dd 0
; 

??_C@_1DC@OOGKHJLJ@?$AAB?$AAo?$AAo?$AAt?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAP?$AAo?$AAl?$AAi?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF475Co
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+48h], dh
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[edx+0], dh
		outsd
		add	[eax+0], dl
		outsd
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		jns	short $+2
		dec	edi
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
; 
		dd 0
; 

??_C@_1DG@MFIBJIDM@?$AAU?$AAs?$AAe?$AAr?$AAB?$AAa?$AAt?$AAt?$AAe?$AAr?$AAy?$AAC?$AAh?$AAa?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF47A4o
		push	ebp
		add	[ebx+0], dh
		add	gs:[edx+0], dh
		inc	edx
		add	[ecx+0], ah
		jz	short $+2
		jz	short $+2
		add	gs:[edx+0], dh
		jns	short $+2
		inc	ebx
		add	[eax+0], ch
		popa
		add	[edx+0], dh
		add	[di+0],	ah
		inc	ebp
		add	[ebx+0], dh
		jz	short $+2
		imul	eax, [eax], 61006Dh
		jz	short $+2
		outsd
		add	[edx+0], dh
; 
		dd 0
; 

??_C@_1DM@OHNKJMO@?$AAU?$AAs?$AAe?$AAr?$AAB?$AAa?$AAt?$AAt?$AAe?$AAr?$AAy?$AAD?$AAi?$AAs?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF478Co
		push	ebp
		add	[ebx+0], dh
		add	gs:[edx+0], dh
		inc	edx
		add	[ecx+0], ah
		jz	short $+2
		jz	short $+2
		add	gs:[edx+0], dh
		jns	short $+2
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		arpl	[eax], ax
		push	72006100h
		add	[edi+0], ah
		add	gs:[ebp+0], al
		jnb	short $+2
		jz	short $+2
		imul	eax, [eax], 61006Dh
		jz	short $+2
		outsd
		add	[edx+0], dh
; 
		dw 0
; 

??_C@_1CM@FPLAPGAD@?$AAE?$AAv?$AAe?$AAn?$AAt?$AAP?$AAr?$AAo?$AAc?$AAe?$AAs?$AAs?$AAo?$AAr?$AAE@EKOMKFNL@:
					; DATA XREF: INIT:00AF47D4o
		inc	ebp
		add	[esi+0], dh
		add	gs:[esi+0], ch
		jz	short $+2
		push	eax
		add	[edx+0], dh
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		outsd
		add	[edx+0], dh
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1DO@CLBNCMIC@?$AAS?$AAt?$AAa?$AAn?$AAd?$AAb?$AAy?$AAC?$AAo?$AAn?$AAn?$AAe?$AAc?$AAt?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF47BCo
		push	ebx
		add	[eax+eax+61h], dh
		add	[esi+0], ch
		add	fs:[edx+0], ah
		jns	short $+2
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ch
		add	gs:[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 690076h
		jz	short $+2
		jns	short $+2
		inc	edi
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[eax+0], dl
		add	gs:[edx+0], dh
		imul	eax, [eax], 64006Fh
; 
		dd 0
; 

??_C@_1DG@GEGHAJID@?$AAP?$AAr?$AAo?$AAm?$AAo?$AAt?$AAe?$AAH?$AAi?$AAb?$AAe?$AAr?$AAn?$AAa?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF4804o
		push	eax
		add	[edx+0], dh
		outsd
		add	[ebp+0], ch
		outsd
		add	[eax+eax+65h], dh
		add	[eax+0], cl
		imul	eax, [eax], 650062h
		jb	short $+2
		outsb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax+eax+6Fh], dl
		add	[ebx+0], dl
		push	74007500h
		add	[eax+eax+6Fh], ah
		add	[edi+0], dh
		outsb
; 
		db 0
		align 10h

??_C@_1BO@ICIEGDJP@?$AAP?$AAd?$AAc?$AAO?$AAn?$AAe?$AAW?$AAa?$AAy?$AAE?$AAn?$AAt?$AAr?$AAy@EKOMKFNL@:
					; DATA XREF: INIT:00AF47ECo
		push	eax
		add	[eax+eax+63h], ah
		add	[edi+0], cl
		outsb
		add	[ebp+0], ah
		push	edi
		add	[ecx+0], ah
		jns	short $+2
		inc	ebp
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		jns	short $+2
; 
		dd 0
; 

??_C@_1DA@ODKIKHK@?$AAC?$AAo?$AAa?$AAl?$AAe?$AAs?$AAc?$AAi?$AAn?$AAg?$AAF?$AAl?$AAu?$AAs?$AAh@EKOMKFNL@:
					; DATA XREF: INIT:00AF4834o
		inc	ebx
		add	[edi+0], ch
		popa
		add	[eax+eax+65h], ch
		add	[ebx+0], dh
		arpl	[eax], ax
		imul	eax, [eax], 67006Eh
		inc	esi
		add	[eax+eax+75h], ch
		add	[ebx+0], dh
		push	6E004900h
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		jbe	short $+2
		popa
		add	[eax+eax+0], ch

loc_AF9F4F:				; DATA XREF: INIT:00AF481Co
		add	[ebx+0], al
		outsd
		add	[ecx+0], ah
		insb
		add	[ebp+0], ah
		jnb	short $+2
		arpl	[eax], ax
		imul	eax, [eax], 67006Eh
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		jb	short $+2
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		jbe	short $+2
		popa
		add	[eax+eax+0], ch
; 
		db 0
; 

??_C@_1EE@DDMHOOFP@?$AAI?$AAg?$AAn?$AAo?$AAr?$AAe?$AAL?$AAi?$AAd?$AAS?$AAt?$AAa?$AAt?$AAe?$AAF@EKOMKFNL@:
					; DATA XREF: INIT:00AF4864o
		dec	ecx
		add	[edi+0], ah
		outsb
		add	[edi+0], ch
		jb	short $+2
		add	gs:[eax+eax+69h], cl
		add	[eax+eax+53h], ah
		add	[eax+eax+61h], dh
		add	[eax+eax+65h], dh
		add	[esi+0], al
		outsd
		add	[edx+0], dh
		dec	ecx
		add	[esi+0], ch
		jo	short $+2
		jnz	short $+2
		jz	short $+2
		push	ebx
		add	[ebp+0], dh
		jo	short $+2
		jo	short $+2
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
; 

??_C@_1CO@LGOCNIBI@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAI?$AAn?$AAp?$AAu?$AAt?$AAS?$AAu?$AAp?$AAp@EKOMKFNL@:
					; DATA XREF: INIT:00AF484Co
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		dec	ecx
		add	[esi+0], ch
		jo	short $+2
		jnz	short $+2
		jz	short $+2
		push	ebx
		add	[ebp+0], dh
		jo	short $+2
		jo	short $+2
		jb	short $+2
		add	gs:[ebx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_1CI@ECONHEAJ@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAI?$AAd?$AAl?$AAe?$AAT?$AAh?$AAr?$AAe?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF4894o
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 650076h
		dec	ecx
		add	[eax+eax+6Ch], ah
		add	[ebp+0], ah
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+0], ah
; 
		db 0
; 

??_C@_1CE@DGMKNBG@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAI?$AAd?$AAl?$AAe?$AAT?$AAi?$AAm?$AAe?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF487Co
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 650076h
		dec	ecx
		add	[eax+eax+6Ch], ah
		add	[ebp+0], ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dw 0
; 

??_C@_1DC@HGIMIDFC@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAF?$AAx?$AAD?$AAe?$AAf?$AAa?$AAu@EKOMKFNL@:
					; DATA XREF: INIT:00AF48C4o
		inc	esp
		add	[ecx+0], ch
		jb	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		add	gs:[eax+eax+46h], ah
		add	[eax+0], bh
		inc	esp
		add	[ebp+0], ah
		db	66h
		add	[ecx+0], ah
		jnz	short $+2
		insb
		add	[eax+eax+54h], dh
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dd 0
; 

??_C@_1CA@IIOONLCN@?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AAI?$AAd?$AAl?$AAe?$AAL?$AAe?$AAv?$AAe?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF48ACo
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 650076h
		dec	ecx
		add	[eax+eax+6Ch], ah
		add	[ebp+0], ah
		dec	esp
		add	[ebp+0], ah
		jbe	short $+2
		add	gs:[eax+eax+0],	ch
; 
		db 0
; 

??_C@_1DC@COPIDNEK@?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg?$AAW?$AAo?$AAr?$AAk?$AAO?$AAr?$AAd@EKOMKFNL@:
					; DATA XREF: INIT:00AF48F4o
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6F006400h
		add	[edi+0], ah
		push	edi
		add	[edi+0], ch
		jb	short $+2
		imul	eax, [eax], 4Fh
		add	[edx+0], dh
		add	fs:[ebp+0], ah
		jb	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dd 0
; 

??_C@_1CC@CNFCBBMN@?$AAI?$AAd?$AAl?$AAe?$AAS?$AAt?$AAa?$AAt?$AAe?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu@EKOMKFNL@:
					; DATA XREF: INIT:00AF48DCo
		dec	ecx
		add	[eax+eax+6Ch], ah
		add	[ebp+0], ah
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+65h], dh
		add	[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[edi+0], ch
		jnz	short $+2
		jz	short $+2
; 
		dd 0
; 

??_C@_1DM@MPGOEFBK@?$AAD?$AAr?$AAi?$AAp?$AAs?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg?$AAD?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4924o
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 730070h
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6F006400h
		add	[edi+0], ah
		inc	esp
		add	[ebp+0], ah
		bound	eax, [eax]
		outsd
		add	[ebp+0], dh
		outsb
		add	[ebx+0], ah
		add	gs:[ecx+0], cl
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		jbe	short $+2
		popa
		add	[eax+eax+0], ch

loc_AFA127:				; DATA XREF: INIT:00AF490Co
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jo	short $+2
		jnb	short $+2
		inc	ebx
		add	[ecx+0], ah
		insb
		add	[eax+eax+62h], ch
		add	[ecx+0], ah
		arpl	[eax], ax
		imul	eax, [eax], 49h
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		jbe	short $+2
		popa
		add	[eax+eax+0], ch

loc_AFA153:				; DATA XREF: INIT:00AF4954o
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jo	short $+2
		jnb	short $+2
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6F006400h
		add	[edi+0], ah
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
; 

??_C@_1CK@FFPGLEPF@?$AAD?$AAr?$AAi?$AAp?$AAs?$AAW?$AAa?$AAt?$AAc?$AAh?$AAd?$AAo?$AAg?$AAT?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF493Co
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 730070h
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	6F006400h
		add	[edi+0], ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dd 0
; 

??_C@_1CK@KGJADFEB@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAD?$AAr?$AAi?$AAp?$AAs?$AAT?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF4984o
		inc	esp
		add	[ecx+0], ch
		jb	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		add	gs:[eax+eax+44h], ah
		add	[edx+0], dh
		imul	eax, [eax], 730070h
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dd 0
; 

??_C@_1CM@LJNLFLPG@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAD?$AAr?$AAi?$AAp?$AAs?$AAO?$AAv@EKOMKFNL@:
					; DATA XREF: INIT:00AF496Co
		inc	esp
		add	[ecx+0], ch
		jb	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		add	gs:[eax+eax+44h], ah
		add	[edx+0], dh
		imul	eax, [eax], 730070h
		dec	edi
		add	[esi+0], dh
		add	gs:[edx+0], dh
		jb	short $+2
		imul	eax, [eax], 650064h
; 
		dw 0
; 

??_C@_1CI@PDMBEHNP@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAD?$AAr?$AAi?$AAp?$AAs?$AAA?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF49B4o
		inc	esp
		add	[ecx+0], ch
		jb	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		add	gs:[eax+eax+44h], ah
		add	[edx+0], dh
		imul	eax, [eax], 730070h
		inc	ecx
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dw 0
; 

??_C@_1DM@BHBEDEBD@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAD?$AAr?$AAi?$AAp?$AAs?$AAD?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF499Co
		inc	esp
		add	[ecx+0], ch
		jb	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		add	gs:[eax+eax+44h], ah
		add	[edx+0], dh
		imul	eax, [eax], 730070h
		inc	esp
		add	[ebp+0], ah
		bound	eax, [eax]
		outsd
		add	[ebp+0], dh
		outsb
		add	[ebx+0], ah
		add	gs:[ecx+0], cl
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		jbe	short $+2
		popa
		add	[eax+eax+0], ch
; 
		db 0
		align 8

??_C@_1EI@BDHLEMOM@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAD?$AAr?$AAi?$AAp?$AAs?$AAS?$AAu@EKOMKFNL@:
					; DATA XREF: INIT:00AF49E4o
		inc	esp
		add	[ecx+0], ch
		jb	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		add	gs:[eax+eax+44h], ah
		add	[edx+0], dh
		imul	eax, [eax], 730070h
		push	ebx
		add	[ebp+0], dh
		jb	short $+2
		jo	short $+2
		jb	short $+2
		imul	eax, [eax], 650073h
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		dec	edi
		add	[esi+0], ch
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dw 0
; 

??_C@_1DK@KDNAFMFI@?$AAD?$AAi?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAD?$AAr?$AAi?$AAp?$AAs?$AAW?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF49CCo
		inc	esp
		add	[ecx+0], ch
		jb	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		add	gs:[eax+eax+44h], ah
		add	[edx+0], dh
		imul	eax, [eax], 730070h
		push	edi
		add	[ecx+0], ah
		imul	eax, [eax], 570074h
		popa
		add	[ebx+0], ch
		add	gs:[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[edi+0], ch
		jnz	short $+2
		jz	short $+2
; 
		dd 0
; 

??_C@_1DE@NNHPAJMO@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAV?$AAs?$AAy?$AAn?$AAc?$AAL?$AAa?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF4A14o
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	esi
		add	[ebx+0], dh
		jns	short $+2
		outsb
		add	[ebx+0], ah
		dec	esp
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[esi+0], ch
		arpl	[eax], ax
		jns	short $+2
		push	ebp
		add	[eax+0], dh
		add	fs:[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al

loc_AFA31F:				; DATA XREF: INIT:00AF49FCo
		add	[eax+eax+69h], al
		add	[edx+0], dh
		add	gs:[ebx+0], ah
		jz	short $+2
		add	gs:[eax+eax+44h], ah
		add	[edx+0], dh
		imul	eax, [eax], 730070h
		inc	esp
		add	[esi+0], ah
		js	short $+2
		inc	ebp
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
		jb	short $+2
		arpl	[eax], ax
		add	gs:[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dw 0
; 

??_C@_1DA@NFJODIOJ@?$AAE?$AAn?$AAe?$AAr?$AAg?$AAy?$AAE?$AAs?$AAt?$AAi?$AAm?$AAa?$AAt?$AAi?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF4A44o
		inc	ebp
		add	[esi+0], ch
		add	gs:[edx+0], dh
		add	[bx+di+0], bh
		inc	ebp
		add	[ebx+0], dh
		jz	short $+2
		imul	eax, [eax], 61006Dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al

loc_AFA393:				; DATA XREF: INIT:00AF4A2Co
		add	[ebp+0], al
		js	short $+2
		imul	eax, [eax], 4C0074h
		popa
		add	[eax+eax+65h], dh
		add	[esi+0], ch
		arpl	[eax], ax
		jns	short $+2
		inc	ebx
		add	[eax+0], ch
		add	gs:[ebx+0], ah
		imul	eax, [eax], 45h
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al

loc_AFA3C3:				; DATA XREF: INIT:00AF4A74o
		add	[eax+eax+72h], al
		add	[ecx+0], ch
		jo	short $+2
		jnb	short $+2
		push	ebx
		add	[edi+0], dh
		dec	eax
		add	[edi+0], dh
		inc	esp
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		add	[di+0],	ah
		outsb
		add	[ebx+0], ah
		add	gs:[eax+eax+68h], dl
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+0], ah
; 
		db 3 dup(0)
; 

??_C@_1EC@FFMHDBAI@?$AAC?$AAh?$AAe?$AAc?$AAk?$AAP?$AAo?$AAw?$AAe?$AAr?$AAS?$AAo?$AAu?$AAr?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF4A5Co
		inc	ebx
		add	[eax+0], ch
		add	gs:[ebx+0], ah
		imul	eax, [eax], 50h
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		push	ebx
		add	[edi+0], ch
		jnz	short $+2
		jb	short $+2
		arpl	[eax], ax
		add	gs:[ecx+0], al
		db	66h
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		push	edx
		add	[eax+eax+63h], dh
		add	[edi+0], dl
		popa
		add	[ebx+0], ch
		add	gs:[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1DA@JMODGAP@?$AAI?$AAg?$AAn?$AAo?$AAr?$AAe?$AAC?$AAs?$AAC?$AAo?$AAm?$AAp?$AAl?$AAi?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF4AA4o
		dec	ecx
		add	[edi+0], ah
		outsb
		add	[edi+0], ch
		jb	short $+2
		add	gs:[ebx+0], al
		jnb	short $+2
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		insb
		add	[ecx+0], ch
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[ebx+0], al
		push	63006500h
		add	[ebx+0], ch
; 
		dw 0
		align 8

??_C@_1EE@LGMHJLK@?$AAD?$AAr?$AAi?$AAp?$AAs?$AAS?$AAw?$AAH?$AAw?$AAD?$AAi?$AAv?$AAe?$AAr?$AAg@EKOMKFNL@:
					; DATA XREF: INIT:00AF4A8Co
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 730070h
		push	ebx
		add	[edi+0], dh
		dec	eax
		add	[edi+0], dh
		inc	esp
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		add	[di+0],	ah
		outsb
		add	[ebx+0], ah
		add	gs:[ebp+0], al
		outsb
		add	[ecx+0], ah
		bound	eax, [eax]
		insb
		add	[ebp+0], ah
		dec	esp
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[eax+eax+75h], al
		add	[ebp+0], ch
		jo	short $+2
; 
		dw 0
		align 10h

??_C@_1EA@LCLNGEDH@?$AAE?$AAn?$AAf?$AAo?$AAr?$AAc?$AAe?$AAC?$AAo?$AAn?$AAs?$AAo?$AAl?$AAe?$AAL@EKOMKFNL@:
					; DATA XREF: INIT:00AF4AD4o
		inc	ebp
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
		jb	short $+2
		arpl	[eax], ax
		add	gs:[ebx+0], al
		outsd
		add	[esi+0], ch
		jnb	short $+2
		outsd
		add	[eax+eax+65h], ch
		add	[eax+eax+6Fh], cl
		add	[ebx+0], ah
		imul	eax, [eax], 53h
		add	[ebx+0], ah
		jb	short $+2
		add	gs:[ebp+0], ah
		outsb
		add	[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[edi+0], ch
		jnz	short $+2
		jz	short $+2
; 
		dw 0
; 

??_C@_1DM@DBHHALLH@?$AAP?$AAe?$AAr?$AAf?$AAQ?$AAu?$AAe?$AAr?$AAy?$AAO?$AAn?$AAD?$AAe?$AAv?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF4ABCo
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		db	66h
		add	[ecx+0], dl
		jnz	short $+2
		add	gs:[edx+0], dh
		jns	short $+2
		dec	edi
		add	[esi+0], ch
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		inc	ebx
		add	[eax+0], ch
		popa
		add	[esi+0], ch
		add	[di+0],	ah
		jnb	short $+2
; 
		dw 0
		align 10h

??_C@_1EC@HIKFGPDA@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAR?$AAe?$AAq?$AAu@EKOMKFNL@:
					; DATA XREF: INIT:00AF4B04o
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[edi+0], ch
		ja	short $+2
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	edx
		add	[ebp+0], ah
		jno	short $+2
		jnz	short $+2
		imul	eax, [eax], 650072h
		add	fs:[eax+0], dl
		outsd
		add	[edi+0], dh
		add	gs:[edx+0], dh
		push	edx
		add	[ebp+0], ah
		jno	short $+2
		jnz	short $+2
		add	gs:[ebx+0], dh
		jz	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1DA@DKFIBNNP@?$AAD?$AAe?$AAe?$AAp?$AAI?$AAo?$AAC?$AAo?$AAa?$AAl?$AAe?$AAs?$AAc?$AAi?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF4AECo
		inc	esp
		add	[ebp+0], ah
		add	gs:[eax+0], dh
		dec	ecx
		add	[edi+0], ch
		inc	ebx
		add	[edi+0], ch
		popa
		add	[eax+eax+65h], ch
		add	[ebx+0], dh
		arpl	[eax], ax
		imul	eax, [eax], 67006Eh
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1BG@ODDMENGF@?$AAT?$AAt?$AAm?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAd@EKOMKFNL@:
					; DATA XREF: INIT:00AF4B34o
		push	esp
		add	[eax+eax+6Dh], dh
		add	[ebp+0], al
		outsb
		add	[ecx+0], ah
		bound	eax, [eax]
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 3 dup(0)
		align 10h

??_C@_1GC@JCHDELEI@?$AAA?$AAl?$AAl?$AAo?$AAw?$AAA?$AAu?$AAd?$AAi?$AAo?$AAT?$AAo?$AAE?$AAn?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF4B1Co
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[edi+0], ch
		ja	short $+2
		inc	ecx
		add	[ebp+0], dh
		add	fs:[ecx+0], ch
		outsd
		add	[eax+eax+6Fh], dl
		add	[ebp+0], al
		outsb
		add	[ecx+0], ah
		bound	eax, [eax]
		insb
		add	[ebp+0], ah
		inc	ebp
		add	[eax+0], bh
		add	gs:[ebx+0], ah
		jnz	short $+2
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	edx
		add	[ebp+0], ah
		jno	short $+2
		jnz	short $+2
		imul	eax, [eax], 650072h
		add	fs:[eax+0], dl
		outsd
		add	[edi+0], dh
		add	gs:[edx+0], dh
		push	edx
		add	[ebp+0], ah
		jno	short $+2
		jnz	short $+2
		add	gs:[ebx+0], dh
		jz	short $+2
		jnb	short $+2
; 
		dd 2 dup(0)
; 

??_C@_1EA@CKBIHEDI@?$AAT?$AAi?$AAm?$AAe?$AAr?$AAR?$AAe?$AAb?$AAa?$AAs?$AAe?$AAT?$AAh?$AAr?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4B64o
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		jb	short $+2
		push	edx
		add	[ebp+0], ah
		bound	eax, [eax]
		popa
		add	[ebx+0], dh
		add	gs:[eax+eax+68h], dl
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+4Fh], ah
		add	[esi+0], ch
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 730070h
		inc	ebp
		add	[eax+0], bh
		imul	eax, [eax], 74h

??_C@_1CI@NINJCDFH@?$AAP?$AAr?$AAo?$AAx?$AAi?$AAm?$AAi?$AAt?$AAy?$AAE?$AAs?$AAc?$AAa?$AAp?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4B4Co
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+0], bh
		imul	eax, [eax], 69006Dh
		jz	short $+2
		jns	short $+2
		inc	ebp
		add	[ebx+0], dh
		arpl	[eax], ax
		popa
		add	[eax+0], dh
		add	gs:[ebp+0], cl
		jnb	short $+2
		add	gs:[ebx+0], ah
; 
		dw 0
; 

??_C@_1CM@IHNLCAKN@?$AAC?$AAh?$AAe?$AAc?$AAk?$AAp?$AAo?$AAi?$AAn?$AAt?$AAS?$AAy?$AAs?$AAt?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4B94o
		inc	ebx
		add	[eax+0], ch
		add	gs:[ebx+0], ah
		imul	eax, [eax], 70h
		add	[edi+0], ch
		imul	eax, [eax], 74006Eh
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	ebx
		add	[eax+eax+65h], ch
		add	[ebp+0], ah
		jo	short $+2
; 
		dw 0
; 

??_C@_1DE@KGBLDCIM@?$AAF?$AAx?$AAR?$AAu?$AAn?$AAt?$AAi?$AAm?$AAe?$AAL?$AAo?$AAg?$AAN?$AAu?$AAm@EKOMKFNL@:
					; DATA XREF: INIT:00AF4B7Co
		inc	esi
		add	[eax+0], bh
		push	edx
		add	[ebp+0], dh
		outsb
		add	[eax+eax+69h], dh
		add	[ebp+0], ch
		add	gs:[eax+eax+6Fh], cl
		add	[edi+0], ah
		dec	esi
		add	[ebp+0], dh
		insd
		add	[edx+0], ah
		add	gs:[edx+0], dh
		inc	ebp
		add	[esi+0], ch
		jz	short $+2
		jb	short $+2
		imul	eax, [eax], 730065h
; 
		dw 0
; 

??_C@_1BO@KDFMFDBP@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAd?$AAA?$AAc?$AAt?$AAi?$AAo?$AAn?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF4BACo
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[ecx+0], al
		arpl	[eax], ax
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dd 0
; 

??_C@_1CE@MCEFOCNO@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAM?$AAo?$AAd?$AAe?$AAr?$AAn?$AAS?$AAl?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4BA8o
					; INIT:00AF4BC0o
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		pop	esp
		add	[ebp+0], cl
		outsd
		add	[eax+eax+65h], ah
		add	[edx+0], dh
		outsb
		add	[ebx+0], dl
		insb
		add	[ebp+0], ah
		add	gs:[eax+0], dh
; 
		dw 0
; 

??_C@_1CM@PJLBNLMM@?$AAP?$AAo?$AAw?$AAe?$AAr?$AA?2?$AAP?$AAo?$AAw?$AAe?$AAr?$AAT?$AAh?$AAr?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF4BD8o
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		pop	esp
		add	[eax+0], dl
		outsd
		add	[edi+0], dh
		add	gs:[edx+0], dh
		push	esp
		add	[eax+0], ch
		jb	short $+2
		outsd
		add	[eax+eax+74h], dh
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		add	[bx+si], al
; 
		db 0
; 

??_C@_1CG@DEIALNEP@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAD?$AAs?$AAN?$AAe?$AAt?$AAR?$AAe?$AAf?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF4BC4o
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	esp
		add	[ebx+0], dh
		dec	esi
		add	[ebp+0], ah
		jz	short $+2
		push	edx
		add	[ebp+0], ah
		db	66h
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		push	0

loc_AFA797:				; DATA XREF: INIT:00AF4BF4o
		add	[ecx+0], cl
		add	fs:[eax+eax+65h], ch
		add	[eax+0], dl
		jb	short $+2
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		outsd
		add	[edx+0], dh
		jnb	short $+2
		push	edx
		add	[ebp+0], ah
		jno	short $+2
		jnz	short $+2
		imul	eax, [eax], 650072h
		push	ecx
		add	[edi+0], ch
		jnb	short $+2
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+0], dh
; 
		db 3 dup(0)
; 

??_C@_1CG@OFBEBMOE@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAT?$AAh?$AAr?$AAo?$AAt?$AAt?$AAl?$AAi?$AAn?$AAg@EKOMKFNL@:
					; DATA XREF: INIT:00AF4BDCo
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		push	esp
		add	[eax+0], ch
		jb	short $+2
		outsd
		add	[eax+eax+74h], dh
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		add	[bx+0],	cl
		db	66h
		add	[esi+0], ah
; 
		dd 0
; 

??_C@_1EC@ONEJLBIL@?$AAS?$AAk?$AAi?$AAp?$AAH?$AAi?$AAb?$AAe?$AAr?$AAn?$AAa?$AAt?$AAe?$AAM?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4C24o
		push	ebx
		add	[ebx+0], ch
		imul	eax, [eax], 480070h
		imul	eax, [eax], 650062h
		jb	short $+2
		outsb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[ebp+0], cl
		add	gs:[ebp+0], ch
		outsd
		add	[edx+0], dh
		jns	short $+2
		dec	ebp
		add	[ecx+0], ah
		jo	short $+2
		push	esi
		add	[ecx+0], ah
		insb
		add	[ecx+0], ch
		add	fs:[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 2 dup(0)
; 

??_C@_1EG@EKNNKNGB@?$AAC?$AAh?$AAe?$AAc?$AAk?$AAp?$AAo?$AAi?$AAn?$AAt?$AAS?$AAy?$AAs?$AAt?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4C0Co
		inc	ebx
		add	[eax+0], ch
		add	gs:[ebx+0], ah
		imul	eax, [eax], 70h
		add	[edi+0], ch
		imul	eax, [eax], 74006Eh
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		push	ebx
		add	[eax+eax+65h], ch
		add	[ebp+0], ah
		jo	short $+2
		push	ebx
		add	[ecx+0], ch
		insd
		add	[ebp+0], dh
		insb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[esi+0], al
		insb
		add	[ecx+0], ah
		add	[bp+di+0], dh
; 
		dd 0
; 

??_C@_1EO@BHNAKFPE@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAD?$AAi?$AAs?$AAp?$AAl?$AAa?$AAy?$AAB@EKOMKFNL@:
					; DATA XREF: INIT:00AF4C54o
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		jo	short $+2
		insb
		add	[ecx+0], ah
		jns	short $+2
		inc	edx
		add	[ebp+0], dh
		jb	short $+2
		jnb	short $+2
		jz	short $+2
		dec	edi
		add	[esi+0], ch
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		push	ebx
		add	[edi+0], ch
		jnz	short $+2
		jb	short $+2
		arpl	[eax], ax
		add	gs:[ebx+0], al
		push	6E006100h
		add	[edi+0], ah
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1FA@LMPCIOM@?$AAP?$AAo?$AAF?$AAx?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAI?$AAr?$AAp?$AAW?$AAa@EKOMKFNL@:
					; DATA XREF: INIT:00AF4C3Co
		push	eax
		add	[edi+0], ch
		inc	esi
		add	[eax+0], bh
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		dec	ecx
		add	[edx+0], dh
		jo	short $+2
		push	edi
		add	[ecx+0], ah
		imul	eax, [eax], 460074h
		outsd
		add	[edx+0], dh
		push	edx
		add	[ebp+0], ah
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		add	gs:[eax+eax+0],	ah
; 
		db 0
; 

??_C@_1CE@OHLELLPC@?$AAO?$AAb?$AAC?$AAa?$AAs?$AAe?$AAI?$AAn?$AAs?$AAe?$AAn?$AAs?$AAi?$AAt?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF4C84o
		dec	edi
		add	[edx+0], ah
		inc	ebx
		add	[ecx+0], ah
		jnb	short $+2
		add	gs:[ecx+0], cl
		outsb
		add	[ebx+0], dh
		add	gs:[esi+0], ch
		jnb	short $+2
		imul	eax, [eax], 690074h
		jbe	short $+2
		add	gs:[eax], al
; 
		db 0
		align 10h

??_C@_1EI@KICOLFEI@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAI?$AAn?$AAb?$AAo?$AAx?$AAP?$AAe?$AAp@EKOMKFNL@:
					; DATA XREF: INIT:00AF4C6Co
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		dec	ecx
		add	[esi+0], ch
		bound	eax, [eax]
		outsd
		add	[eax+0], bh
		push	eax
		add	[ebp+0], ah
		jo	short $+2
		inc	edi
		add	[ebp+0], ah
		outsb
		add	[ebp+0], ah
		jb	short $+2
		popa
		add	[eax+eax+65h], dh
		add	[eax+eax+43h], ah
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
		jz	short $+2
		jb	short $+2
		popa
		add	[ecx+0], ch
		outsb
		add	[eax+eax+73h], dh
; 
		db 3 dup(0)
; 

??_C@_1CA@FNJCKJAF@?$AAC?$AAo?$AAu?$AAn?$AAt?$AAO?$AAp?$AAe?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF4C9Co
		inc	ebx
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+4Fh], dh
		add	[eax+0], dh
		add	gs:[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1DG@DNIHPMPB@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF4C98o
					; INIT:00AF4CB0o ...
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ecx+0], cl
		das
		add	[edi+0], cl
		and	[eax], al
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
; 
		dd 0
; 

??_C@_1DA@KMKGKDH@?$AAM?$AAe?$AAd?$AAi?$AAu?$AAm?$AAI?$AAr?$AAp?$AAS?$AAt?$AAa?$AAc?$AAk?$AAL@EKOMKFNL@:
					; DATA XREF: INIT:00AF4CCCo
		dec	ebp
		add	[ebp+0], ah
		add	fs:[ecx+0], ch
		jnz	short $+2
		insd
		add	[ecx+0], cl
		jb	short $+2
		jo	short $+2
		push	ebx
		add	[eax+eax+61h], dh
		add	[ebx+0], ah
		imul	eax, [eax], 4Ch
		add	[edi+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
; 
		dw 0
; 

??_C@_1CO@MCPKDEEK@?$AAL?$AAa?$AAr?$AAg?$AAe?$AAI?$AAr?$AAp?$AAS?$AAt?$AAa?$AAc?$AAk?$AAL?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF4CB4o
		dec	esp
		add	[ecx+0], ah
		jb	short $+2
		add	[di+0],	ah
		dec	ecx
		add	[edx+0], dh
		jo	short $+2
		push	ebx
		add	[eax+eax+61h], dh
		add	[ebx+0], ah
		imul	eax, [eax], 4Ch
		add	[edi+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], dh
; 
		dd 0
; 

??_C@_1CE@GHJMNGBB@?$AAI?$AAo?$AAC?$AAa?$AAs?$AAe?$AAI?$AAn?$AAs?$AAe?$AAn?$AAs?$AAi?$AAt?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF4CFCo
		dec	ecx
		add	[edi+0], ch
		inc	ebx
		add	[ecx+0], ah
		jnb	short $+2
		add	gs:[ecx+0], cl
		outsb
		add	[ebx+0], dh
		add	gs:[esi+0], ch
		jnb	short $+2
		imul	eax, [eax], 690074h
		jbe	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CO@KOGBLBIB@?$AAI?$AAo?$AAB?$AAl?$AAo?$AAc?$AAk?$AAL?$AAe?$AAg?$AAa?$AAc?$AAy?$AAF?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF4CE4o
		dec	ecx
		add	[edi+0], ch
		inc	edx
		add	[eax+eax+6Fh], ch
		add	[ebx+0], ah
		imul	eax, [eax], 4Ch
		add	[ebp+0], ah
		add	[bx+di+0], ah
		arpl	[eax], ax
		jns	short $+2
		inc	esi
		add	[ebx+0], dh
		inc	esi
		add	[ecx+0], ch
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		dd 0
; 

??_C@_1CO@MFHFIDKO@?$AAI?$AAo?$AAF?$AAa?$AAi?$AAl?$AAZ?$AAe?$AAr?$AAo?$AAA?$AAc?$AAc?$AAe?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF4D2Co
		dec	ecx
		add	[edi+0], ch
		inc	esi
		add	[ecx+0], ah
		imul	eax, [eax], 5A006Ch
		add	gs:[edx+0], dh
		outsd
		add	[ecx+0], al
		arpl	[eax], ax
		arpl	[eax], ax
		add	gs:[ebx+0], dh
		jnb	short $+2
		inc	ebx
		add	[edx+0], dh
		add	gs:[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1DC@EEKFCDEO@?$AAR?$AAe?$AAq?$AAu?$AAi?$AAr?$AAe?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAA?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF4D14o
		push	edx
		add	[ebp+0], ah
		jno	short $+2
		jnz	short $+2
		imul	eax, [eax], 650072h
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		inc	ecx
		add	[ebx+0], ah
		arpl	[eax], ax
		add	gs:[ebx+0], dh
		jnb	short $+2
		inc	ebx
		add	[eax+0], ch
		add	gs:[ebx+0], ah
		imul	eax, [eax], 0
; 
		db 3 dup(0)
; 

??_C@_1DG@MNOBLPPI@?$AAI?$AAo?$AAA?$AAl?$AAl?$AAo?$AAw?$AAL?$AAo?$AAa?$AAd?$AAC?$AAr?$AAa?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF4D5Co
		dec	ecx
		add	[edi+0], ch
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[edi+0], ch
		ja	short $+2
		dec	esp
		add	[edi+0], ch
		popa
		add	[eax+eax+43h], ah
		add	[edx+0], dh
		popa
		add	[ebx+0], dh
		push	75004400h
		add	[ebp+0], ch
		jo	short $+2
		inc	esp
		add	[edx+0], dh
		imul	eax, [eax], 650076h
		jb	short $+2
; 
		dd 0
; 

??_C@_1DO@IPALKECH@?$AAI?$AAo?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF4D44o
		dec	ecx
		add	[edi+0], ch
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		pop	edx
		add	[ebp+0], ah
		jb	short $+2
		outsd
		add	[ecx+0], al
		arpl	[eax], ax
		arpl	[eax], ax
		add	gs:[ebx+0], dh
		jnb	short $+2
		inc	ebx
		add	[eax+0], ch
		add	gs:[ebx+0], ah
		imul	eax, [eax], 0
; 
		db 3 dup(0)
; 

??_C@_17CDELMOAN@?$AAQ?$AAo?$AAS@EKOMKFNL@: ; DATA XREF: INIT:00AF4D88o
		push	ecx
		add	[edi+0], ch
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_1EA@IDDFCAI@?$AAI?$AAo?$AAI?$AAr?$AAp?$AAC?$AAo?$AAm?$AAp?$AAl?$AAe?$AAt?$AAi?$AAo?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF4D74o
		dec	ecx
		add	[edi+0], ch
		dec	ecx
		add	[edx+0], dh
		jo	short $+2
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		insb
		add	[ebp+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
		dec	ecx
		add	[esi+0], ch
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		outsd
		add	[esi+0], ch
		add	fs:[ebx+0], dh
; 
		dw 0
; 

??_C@_1CI@GFBEPOGP@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAD?$AAi?$AAs?$AAk?$AAC?$AAo?$AAu?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF4DA4o
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		imul	eax, [eax], 43h
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1CE@NKDBAAH@?$AAS?$AAt?$AAo?$AAr?$AAa?$AAg?$AAe?$AAB?$AAa?$AAs?$AAe?$AAI?$AAO?$AAS?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF4D8Co
		push	ebx
		add	[eax+eax+6Fh], dh
		add	[edx+0], dh
		popa
		add	[edi+0], ah
		add	gs:[edx+0], al
		popa
		add	[ebx+0], dh
		add	gs:[ecx+0], cl
		dec	edi
		add	[ebx+0], dl
		imul	eax, [eax], 65007Ah
; 
		dw 0
; 

??_C@_1CK@KMFCKJPP@?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF4DD4o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		outsd
		add	[ebp+0], dh
		jb	short $+2
		arpl	[eax], ax
		add	gs:[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[edi+0], ch
		jnz	short $+2
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+0], dh
; 
		db 3 dup(0)
; 

??_C@_1CM@DHAALLJL@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAB?$AAu?$AAf?$AAf?$AAe?$AAr?$AAe?$AAd@EKOMKFNL@:
					; DATA XREF: INIT:00AF4DBCo
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	edx
		add	[ebp+0], dh
		db	66h
		add	[esi+0], ah
		add	gs:[edx+0], dh
		add	gs:[eax+eax+49h], ah
		add	[edi+0], ch
		dec	ecx
		add	[esi+0], ch
		imul	eax, [eax], 74h

??_C@_1DK@DFKCKMMF@?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAE?$AAn?$AAf?$AAo?$AAr?$AAc?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4E04o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		outsd
		add	[ebp+0], dh
		jb	short $+2
		arpl	[eax], ax
		add	gs:[ebp+0], al
		outsb
		add	[esi+0], ah
		outsd
		add	[edx+0], dh
		arpl	[eax], ax
		add	gs:[edi+0], cl
		ja	short $+2
		outsb
		add	[ebp+0], ah
		jb	short $+2
		push	esp
		add	[edx+0], dh
		popa
		add	[esi+0], ch
		jnb	short $+2
		db	66h
		add	[ebp+0], ah
		jb	short $+2
; 
		dd 0
; 

??_C@_1CG@NEPCKEJL@?$AAR?$AAe?$AAs?$AAo?$AAu?$AAr?$AAc?$AAe?$AAC?$AAh?$AAe?$AAc?$AAk?$AAF?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF4DECo
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		outsd
		add	[ebp+0], dh
		jb	short $+2
		arpl	[eax], ax
		add	gs:[ebx+0], al
		push	63006500h
		add	[ebx+0], ch
		inc	esi
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
		dd 0
; 

??_C@_1CG@KHHKKCCD@?$AAH?$AAe?$AAa?$AAp?$AAS?$AAe?$AAg?$AAm?$AAe?$AAn?$AAt?$AAR?$AAe?$AAs?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4E34o
		dec	eax
		add	[ebp+0], ah
		popa
		add	[eax+0], dh
		push	ebx
		add	[ebp+0], ah
		add	[di+0],	ch
		add	gs:[esi+0], ch
		jz	short $+2
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		add	gs:[edx+0], dh
		jbe	short $+2
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CO@KFGOODJE@?$AAC?$AAr?$AAi?$AAt?$AAi?$AAc?$AAa?$AAl?$AAS?$AAe?$AAc?$AAt?$AAi?$AAo?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF4E1Co
		inc	ebx
		add	[edx+0], dh
		imul	eax, [eax], 690074h
		arpl	[eax], ax
		popa
		add	[eax+eax+53h], ch
		add	[ebp+0], ah
		arpl	[eax], ax
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dd 0
; 

??_C@_1DO@OACFDBCF@?$AAH?$AAe?$AAa?$AAp?$AAD?$AAe?$AAC?$AAo?$AAm?$AAm?$AAi?$AAt?$AAT?$AAo?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF4E64o
		dec	eax
		add	[ebp+0], ah
		popa
		add	[eax+0], dh
		inc	esp
		add	[ebp+0], ah
		inc	ebx
		add	[edi+0], ch
		insd
		add	[ebp+0], ch
		imul	eax, [eax], 540074h
		outsd
		add	[eax+eax+61h], dh
		add	[eax+eax+46h], ch
		add	[edx+0], dh
		add	gs:[ebp+0], ah
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+0], ah
; 
		db 3 dup(0)
; 

??_C@_1CE@BDMILKLE@?$AAH?$AAe?$AAa?$AAp?$AAS?$AAe?$AAg?$AAm?$AAe?$AAn?$AAt?$AAC?$AAo?$AAm?$AAm@EKOMKFNL@:
					; DATA XREF: INIT:00AF4E4Co
		dec	eax
		add	[ebp+0], ah
		popa
		add	[eax+0], dh
		push	ebx
		add	[ebp+0], ah
		add	[di+0],	ch
		add	gs:[esi+0], ch
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		insd
		add	[ebp+0], ch
		imul	eax, [eax], 74h

??_C@_1CA@BFNKNOIB@?$AAT?$AAe?$AAr?$AAm?$AAi?$AAn?$AAa?$AAl?$AA?5?$AAS?$AAe?$AAr?$AAv?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF4EA8o
		push	esp
		add	[ebp+0], ah
		jb	short $+2
		insd
		add	[ecx+0], ch
		outsb
		add	[ecx+0], ah
		insb
		add	[eax], ah
		add	[ebx+0], dl
		add	gs:[edx+0], dh
		jbe	short $+2
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1DO@PIGCMHBI@?$AAH?$AAe?$AAa?$AAp?$AAD?$AAe?$AAC?$AAo?$AAm?$AAm?$AAi?$AAt?$AAF?$AAr?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4E7Co
		dec	eax
		add	[ebp+0], ah
		popa
		add	[eax+0], dh
		inc	esp
		add	[ebp+0], ah
		inc	ebx
		add	[edi+0], ch
		insd
		add	[ebp+0], ch
		imul	eax, [eax], 460074h
		jb	short $+2
		add	gs:[ebp+0], ah
		inc	edx
		add	[eax+eax+6Fh], ch
		add	[ebx+0], ah
		imul	eax, [eax], 54h
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+0], ah
; 
		db 3 dup(0)
; 

??_C@_1BK@HJNBLNLJ@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAS?$AAu?$AAi?$AAt?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4EC4o
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		push	ebx
		add	[ebp+0], dh
		imul	eax, [eax], 650074h
; 
		dd 0
; 

??_C@_1BI@LIHNICPI@?$AAT?$AAS?$AAA?$AAp?$AAp?$AAC?$AAo?$AAm?$AAp?$AAa?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF4EACo
		push	esp
		add	[ebx+0], dl
		inc	ecx
		add	[eax+0], dh
		jo	short $+2
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		popa
		add	[eax+eax+0], dh
; 
		db 0
; 

??_C@_1BA@HLGGGPNC@?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF4EF0o
					; INIT:00AF4F08o ...
		push	edi
		add	[ecx+0], ch
		outsb
		add	[eax+eax+6Fh], ah
		add	[edi+0], dh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1BM@NLGAGAOC@?$AAP?$AAr?$AAo?$AAd?$AAu?$AAc?$AAt?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@:
					; DATA XREF: INIT:00AF4EDCo
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+75h], ah
		add	[ebx+0], ah
		jz	short $+2
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dw 0
; 

??_C@_1BO@PKBACOLK@?$AAC?$AAS?$AAD?$AAR?$AAe?$AAl?$AAe?$AAa?$AAs?$AAe?$AAT?$AAy?$AAp?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4F0Co
		inc	ebx
		add	[ebx+0], dl
		inc	esp
		add	[edx+0], dl
		add	gs:[eax+eax+65h], ch
		add	[ecx+0], ah
		jnb	short $+2
		add	gs:[eax+eax+79h], dl
		add	[eax+0], dh
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BG@MEBEMGBM@?$AAC?$AAS?$AAD?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF4EF4o
		inc	ebx
		add	[ebx+0], dl
		inc	esp
		add	[esi+0], dl
		add	gs:[edx+0], dh
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_1BK@HGJAIMGI@?$AAN?$AAl?$AAs?$AA?2?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF4F38o
					; INIT:00AF4F50o
		dec	esi
		add	[eax+eax+73h], ch
		add	[eax+eax+4Ch], bl
		add	[ecx+0], ah
		outsb
		add	[edi+0], ah
		jnz	short $+2
		popa
		add	[edi+0], ah
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BO@LOIKKPLA@?$AAC?$AAS?$AAD?$AAB?$AAu?$AAi?$AAl?$AAd?$AAN?$AAu?$AAm?$AAb?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF4F24o
		inc	ebx
		add	[ebx+0], dl
		inc	esp
		add	[edx+0], al
		jnz	short $+2
		imul	eax, [eax], 64006Ch
		dec	esi
		add	[ebp+0], dh
		insd
		add	[edx+0], ah
		add	gs:[edx+0], dh
; 
		dd 0
; 

??_C@_1CE@LLLFBDPK@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAS?$AAi?$AAz?$AAe?$AAL?$AAi?$AAm@EKOMKFNL@:
					; DATA XREF: INIT:00AF4F6Co
		push	edx
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		push	ebx
		add	[ecx+0], ch
		jp	short $+2
		add	gs:[eax+eax+69h], cl
		add	[ebp+0], ch
		imul	eax, [eax], 74h
; 
??_C@_15EODNFOFM@?$AA?$AA?$AA?$AA@EKOMKFNL@ dd 2 dup(0)	; DATA XREF: INIT:00AF4F68o
; 

??_C@_1BC@IEAFCDJK@?$AAF?$AAa?$AAs?$AAt?$AAB?$AAo?$AAo?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF4F84o
		inc	esi
		add	[ecx+0], ah
		jnb	short $+2
		jz	short $+2
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+0], dh
; 
		db 3 dup(0)
; 

??_C@_1EM@GLLAFOJP@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF4F80o
					; INIT:00AF4F98o ...
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[di+0],	dh
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax], ah
		add	[ebp+0], cl
		popa
		add	[esi+0], ch
		popa
		add	[edi+0], ah
		add	gs:[edx+0], dh
; 
		dw 0
; 

??_C@_1DE@BEFLENJI@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAL?$AAa?$AAz?$AAy?$AAF?$AAl?$AAu@EKOMKFNL@:
					; DATA XREF: INIT:00AF4FB4o
		push	edx
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		dec	esp
		add	[ecx+0], ah
		jp	short $+2
		jns	short $+2
		inc	esi
		add	[eax+eax+75h], ch
		add	[ebx+0], dh
		push	6E004900h
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		jbe	short $+2
		popa
		add	[eax+eax+0], ch

loc_AFAF8F:				; DATA XREF: INIT:00AF4F9Co
		add	[ebx+0], dl
		add	gs:[eax+eax+66h], ch
		add	[eax+0], cl
		add	gs:[ecx+0], ah
		insb
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1DK@GPPALMBD@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAL?$AAa?$AAz?$AAy?$AAL?$AAo?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF4FE4o
		push	edx
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		dec	esp
		add	[ecx+0], ah
		jp	short $+2
		jns	short $+2
		dec	esp
		add	[edi+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], ch
		add	[edx+0], bh
		add	gs:[ecx+0], cl
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		jbe	short $+2
		popa
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1DM@GAKMMFJJ@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAL?$AAa?$AAz?$AAy?$AAR?$AAe?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF4FCCo
		push	edx
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		dec	esp
		add	[ecx+0], ah
		jp	short $+2
		jns	short $+2
		push	edx
		add	[ebp+0], ah
		arpl	[eax], ax
		outsd
		add	[esi+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 65006Ch
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		jbe	short $+2
		popa
		add	[eax+eax+0], ch

loc_AFB02F:				; DATA XREF: INIT:00AF5014o
		add	[edx+0], dl
		add	gs:[edi+0], ah
		imul	eax, [eax], 740073h
		jb	short $+2
		jns	short $+2
		dec	esp
		add	[edi+0], ch
		add	[bp+0],	al
		imul	eax, [eax], 65006Ch
		push	ebx
		add	[ecx+0], ch
		jp	short $+2
		add	gs:[ebx+0], al
		popa
		add	[eax+0], dh
; 
		dd 0
; 

??_C@_1DG@CNLFIMNC@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAL?$AAa?$AAz?$AAy?$AAF?$AAl?$AAu@EKOMKFNL@:
					; DATA XREF: INIT:00AF4FFCo
		push	edx
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		dec	esp
		add	[ecx+0], ah
		jp	short $+2
		jns	short $+2
		inc	esi
		add	[eax+eax+75h], ch
		add	[ebx+0], dh
		push	6F004200h
		add	[edi+0], ch
		jz	short $+2
		inc	esp
		add	[ebp+0], ah
		insb
		add	[ecx+0], ah
		jns	short $+2
; 
		dd 0
; 

??_C@_1EA@IAHCAHDJ@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAR?$AAe?$AAo?$AAr?$AAg?$AAa?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF5044o
		push	edx
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		push	edx
		add	[ebp+0], ah
		outsd
		add	[edx+0], dh
		add	[bx+di+0], ah
		outsb
		add	[ecx+0], ch
		jp	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+eax+69h], cl
		add	[ebp+0], ch
		imul	eax, [eax], 440074h
		popa
		add	[ecx+0], bh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1DI@HCHONOFC@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAR?$AAe?$AAo?$AAr?$AAg?$AAa?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF502Co
		push	edx
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		push	edx
		add	[ebp+0], ah
		outsd
		add	[edx+0], dh
		add	[bx+di+0], ah
		outsb
		add	[ecx+0], ch
		jp	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+eax+69h], cl
		add	[ebp+0], ch
		imul	eax, [eax], 74h

??_C@_1CM@IENLEOL@?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAi?$AAz?$AAa?$AAt?$AAi?$AAo?$AAn?$AAE@EKOMKFNL@:
					; DATA XREF: INIT:00AF5074o
		push	esi
		add	[ecx+0], ch
		jb	short $+2
		jz	short $+2
		jnz	short $+2
		popa
		add	[eax+eax+69h], ch
		add	[edx+0], bh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebp+0], al
		outsb
		add	[ecx+0], ah
		bound	eax, [eax]
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1DC@HNBGCLEL@?$AAR?$AAe?$AAg?$AAi?$AAs?$AAt?$AAr?$AAy?$AAF?$AAl?$AAu?$AAs?$AAh?$AAG?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF505Co
		push	edx
		add	[ebp+0], ah
		add	[bx+di+0], ch
		jnb	short $+2
		jz	short $+2
		jb	short $+2
		jns	short $+2
		inc	esi
		add	[eax+eax+75h], ch
		add	[ebx+0], dh
		push	6C004700h
		add	[edi+0], ch
		bound	eax, [eax]
		popa
		add	[eax+eax+46h], ch
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
		dd 0
; 

??_C@_1DG@GLDLBPGE@?$AAF?$AAr?$AAe?$AAe?$AAz?$AAe?$AAT?$AAh?$AAa?$AAw?$AAT?$AAi?$AAm?$AAe?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF50A4o
		inc	esi
		add	[edx+0], dh
		add	gs:[ebp+0], ah
		jp	short $+2
		add	gs:[eax+eax+68h], dl
		add	[ecx+0], ah
		ja	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
		dec	ecx
		add	[esi+0], ch
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		outsd
		add	[esi+0], ch
		add	fs:[ebx+0], dh
; 
		dd 0
; 

??_C@_1BO@KJDKHGMH@?$AAD?$AAe?$AAl?$AAa?$AAy?$AAC?$AAl?$AAo?$AAs?$AAe?$AAS?$AAi?$AAz?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF508Co
		inc	esp
		add	[ebp+0], ah
		insb
		add	[ecx+0], ah
		jns	short $+2
		inc	ebx
		add	[eax+eax+6Fh], ch
		add	[ebx+0], dh
		add	gs:[ebx+0], dl
		imul	eax, [eax], 65007Ah
; 
		dd 0
; 

??_C@_1CK@GKCPBCOI@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAP?$AAe?$AAr?$AAi?$AAo?$AAd?$AAi?$AAc?$AAB@EKOMKFNL@:
					; DATA XREF: INIT:00AF50D4o
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	eax
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 64006Fh
		imul	eax, [eax], 420063h
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 75h
		add	[eax+0], dh
; 
		dd 0
; 

??_C@_1CI@FPHHAKHL@?$AAS?$AAy?$AAs?$AAt?$AAe?$AAm?$AAH?$AAi?$AAv?$AAe?$AAL?$AAi?$AAm?$AAi?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF50BCo
		push	ebx
		add	[ecx+0], bh
		jnb	short $+2
		jz	short $+2
		add	gs:[ebp+0], ch
		dec	eax
		add	[ecx+0], ch
		jbe	short $+2
		add	gs:[eax+eax+69h], cl
		add	[ebp+0], ch
		imul	eax, [eax], 530074h
		imul	eax, [eax], 65007Ah
; 
		dw 0
		align 10h

??_C@_1GI@DENEAKEJ@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF5100o
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[di+0],	dh
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax], ah
		add	[ebp+0], cl
		popa
		add	[esi+0], ch
		popa
		add	[edi+0], ah
		add	gs:[edx+0], dh
		pop	esp
		add	[eax+eax+61h], cl
		add	[ebx+0], dh
		jz	short $+2
		dec	ebx
		add	[esi+0], ch
		outsd
		add	[edi+0], dh
		outsb
		add	[edi+0], al
		outsd
		add	[edi+0], ch
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1BK@GJFCEKLL@?$AAV?$AAo?$AAl?$AAa?$AAt?$AAi?$AAl?$AAe?$AAB?$AAo?$AAo?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF50ECo
		push	esi
		add	[edi+0], ch
		insb
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 65006Ch
		inc	edx
		add	[edi+0], ch
		outsd
		add	[eax+eax+0], dh
; 
		db 3 dup(0)
; 

??_C@_1CA@ONKNCBDM@?$AAD?$AAe?$AAv?$AAe?$AAl?$AAo?$AAp?$AAm?$AAe?$AAn?$AAt?$AAM?$AAo?$AAd?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF5134o
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		add	gs:[eax+eax+6Fh], ch
		add	[eax+0], dh
		insd
		add	[ebp+0], ah
		outsb
		add	[eax+eax+4Dh], dh
		add	[edi+0], ch
		add	fs:[ebp+0], ah
; 
		dw 0
; 

??_C@_1CO@KMCLAPKE@?$AAS?$AAt?$AAa?$AAt?$AAe?$AAS?$AAe?$AAp?$AAa?$AAr?$AAa?$AAt?$AAi?$AAo?$AAn@EKOMKFNL@:
					; DATA XREF: INIT:00AF5118o
					; INIT:00AF5130o ...
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+65h], dh
		add	[ebx+0], dl
		add	gs:[eax+0], dh
		popa
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[eax+eax+50h], bl
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
; 
		dd 0
; 

??_C@_1CI@CEOPHINK@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy?$AAS?$AAi?$AAm?$AAu@EKOMKFNL@:
					; DATA XREF: INIT:00AF5164o
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		push	eax
		add	[edi+0], ch
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		jns	short $+2
		push	ebx
		add	[ecx+0], ch
		insd
		add	[ebp+0], dh
		insb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CC@HNBLGIMP@?$AAA?$AAl?$AAl?$AAH?$AAi?$AAv?$AAe?$AAs?$AAV?$AAo?$AAl?$AAa?$AAt?$AAi?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF514Co
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[eax+0], cl
		imul	eax, [eax], 650076h
		jnb	short $+2
		push	esi
		add	[edi+0], ch
		insb
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 65006Ch
; 
		dd 0
; 

??_C@_1CA@EJHPIDFK@?$AAP?$AAr?$AAi?$AAo?$AAr?$AAi?$AAt?$AAy?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF5190o
		push	eax
		add	[edx+0], dh
		imul	eax, [eax], 72006Fh
		imul	eax, [eax], 790074h
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+72h], dh
		add	[edi+0], ch
		insb
; 
		db 3 dup(0)
; 

??_C@_1DO@MDCOAGDG@?$AAM?$AAa?$AAx?$AAT?$AAi?$AAm?$AAe?$AAS?$AAe?$AAp?$AAa?$AAr?$AAa?$AAt?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF517Co
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		push	ebx
		add	[ebp+0], ah
		jo	short $+2
		popa
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[edx+0], al
		add	gs:[esi+0], ah
		outsd
		add	[edx+0], dh
		add	gs:[ebx+0], al
		outsd
		add	[edx+0], dh
		jb	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
; 
		dd 0
; 

??_C@_1CC@OEFBDJFJ@?$AAD?$AAe?$AAb?$AAu?$AAg?$AAg?$AAe?$AAr?$AA?5?$AAR?$AAe?$AAt?$AAr?$AAi?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF51ACo
		inc	esp
		add	[ebp+0], ah
		bound	eax, [eax]
		jnz	short $+2
		add	[bx+0],	ah
		add	gs:[edx+0], dh
		and	[eax], al
		push	edx
		add	[ebp+0], ah
		jz	short $+2
		jb	short $+2
		imul	eax, [eax], 730065h
; 
		dd 0
; 

??_C@_1DA@LIECLLEO@?$AAW?$AAi?$AAn?$AA3?$AA2?$AAP?$AAr?$AAi?$AAo?$AAr?$AAi?$AAt?$AAy?$AAS?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF5194o
		push	edi
		add	[ecx+0], ch
		outsb
		add	[ebx], dh
		add	[edx], dh
		add	[eax+0], dl
		jb	short $+2
		imul	eax, [eax], 72006Fh
		imul	eax, [eax], 790074h
		push	ebx
		add	[ebp+0], ah
		jo	short $+2
		popa
		add	[edx+0], dh
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 3 dup(0)
		align 8

??_C@_1EG@IBJIGFPH@?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AA?5?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF51D8o
					; INIT:00AF51F0o ...
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		and	[eax], al
		dec	ebp
		add	[ecx+0], ah
		outsb
		add	[ecx+0], ah
		add	[di+0],	ah
		jb	short $+2
		pop	esp
		add	[eax+eax+65h], al
		add	[edx+0], ah
		jnz	short $+2
		add	[bx+si], ah
		add	[eax+0], dl
		jb	short $+2
		imul	eax, [eax], 74006Eh
		and	[eax], al
		inc	esi
		add	[ecx+0], ch
		insb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
; 
		dd 0
; 

??_C@_1CM@DEHGODC@?$AAD?$AAe?$AAb?$AAu?$AAg?$AAg?$AAe?$AAr?$AAM?$AAa?$AAx?$AAM?$AAo?$AAd?$AAu@EKOMKFNL@:
					; DATA XREF: INIT:00AF51C4o
		inc	esp
		add	[ebp+0], ah
		bound	eax, [eax]
		jnz	short $+2
		add	[bx+0],	ah
		add	gs:[edx+0], dh
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], dh
		insb
		add	[ebp+0], ah
		dec	ebp
		add	[ebx+0], dh
		add	[bp+di+0], dh
; 
		dw 0
; 

??_C@_1O@GBFINDKL@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM@EKOMKFNL@: ; DATA XREF: INIT:00AF51F4o
		push	ebx
		add	[ecx+0], bl
		push	ebx
		add	[eax+eax+45h], dl
		add	[ebp+0], cl
; 
		dd 0
; 

??_C@_1BA@NMDBGJA@?$AAW?$AAI?$AAN?$AA2?$AA0?$AA0?$AA0@EKOMKFNL@: ; DATA	XREF: INIT:00AF51DCo
		push	edi
		add	[ecx+0], cl
		dec	esi
		add	[edx], dh
		add	[eax], dh
		add	[eax], dh
		add	[eax], dh
; 
		db 3 dup(0)
; 

??_C@_1M@PBHOBGFC@?$AAS?$AAE?$AAT?$AAU?$AAP@EKOMKFNL@: ; DATA XREF: INIT:00AF5224o
		push	ebx
		add	[ebp+0], al
		push	esp
		add	[ebp+0], dl
		push	eax
; 
		db 3 dup(0)
; 

??_C@_19KPGMKHOL@?$AAS?$AAM?$AAS?$AAS@EKOMKFNL@: ; DATA	XREF: INIT:00AF520Co
		push	ebx
		add	[ebp+0], cl
		push	ebx
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1M@LFGFOCAF@?$AAF?$AAS?$AAT?$AAU?$AAB@EKOMKFNL@: ; DATA XREF: INIT:00AF5254o
		inc	esi
		add	[ebx+0], dl
		push	esp
		add	[ebp+0], dl
		inc	edx
; 
		db 3 dup(0)
; 

??_C@_19ENNDBEJL@?$AAN?$AAT?$AAF?$AAS@EKOMKFNL@: ; DATA	XREF: INIT:00AF523Co
		dec	esi
		add	[eax+eax+46h], dl
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1BA@POOLOHAD@?$AAC?$AAD?$AAA?$AAU?$AAD?$AAI?$AAO@EKOMKFNL@:
					; DATA XREF: INIT:00AF5284o
		inc	ebx
		add	[eax+eax+41h], al
		add	[ebp+0], dl
		inc	esp
		add	[ecx+0], cl
		dec	edi
; 
		db 3 dup(0)
; 

??_C@_1BE@OEMOMKBO@?$AAC?$AAR?$AAA?$AAS?$AAH?$AAD?$AAU?$AAM?$AAP@EKOMKFNL@:
					; DATA XREF: INIT:00AF526Co
		inc	ebx
		add	[edx+0], dl
		inc	ecx
		add	[ebx+0], dl
		dec	eax
		add	[eax+eax+55h], al
		add	[ebp+0], cl
		push	eax
; 
		db 3 dup(0)
; 

??_C@_1BC@CPLKIMMK@?$AAC?$AAL?$AAA?$AAS?$AAS?$AAP?$AAN?$AAP@EKOMKFNL@:
					; DATA XREF: INIT:00AF52B4o
		inc	ebx
		add	[eax+eax+41h], cl
		add	[ebx+0], dl
		push	ebx
		add	[eax+0], dl
		dec	esi
		add	[eax+0], dl
; 
		dd 0
; 

??_C@_1M@NEPFDHKI@?$AAC?$AAD?$AAR?$AAO?$AAM@EKOMKFNL@: ; DATA XREF: INIT:00AF529Co
		inc	ebx
		add	[eax+eax+52h], al
		add	[edi+0], cl
		dec	ebp
; 
		db 3 dup(0)
; 

??_C@_1BA@HCCLCMOH@?$AAR?$AAE?$AAD?$AAB?$AAO?$AAO?$AAK@EKOMKFNL@:
					; DATA XREF: INIT:00AF52E4o
		push	edx
		add	[ebp+0], al
		inc	esp
		add	[edx+0], al
		dec	edi
		add	[edi+0], cl
		dec	ebx
; 
		db 3 dup(0)
; 

??_C@_19HLPJEMPA@?$AAD?$AAI?$AAS?$AAK@EKOMKFNL@: ; DATA	XREF: INIT:00AF52CCo
		inc	esp
		add	[ecx+0], cl
		push	ebx
		add	[ebx+0], cl
; 
		dd 0
; 

??_C@_1BC@FLNKIHIH@?$AAS?$AAC?$AAS?$AAI?$AAP?$AAO?$AAR?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF5314o
		push	ebx
		add	[ebx+0], al
		push	ebx
		add	[ecx+0], cl
		push	eax
		add	[edi+0], cl
		push	edx
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
; 

??_C@_1BC@KGFNAHDH@?$AAS?$AAT?$AAO?$AAR?$AAP?$AAR?$AAO?$AAP@EKOMKFNL@:
					; DATA XREF: INIT:00AF52FCo
		push	ebx
		add	[eax+eax+4Fh], dl
		add	[edx+0], dl
		push	eax
		add	[edx+0], dl
		dec	edi
		add	[eax+0], dl
; 
		dd 0
; 

??_C@_1O@BAHOLLMK@?$AAC?$AAO?$AAN?$AAF?$AAI?$AAG@EKOMKFNL@: ; DATA XREF: INIT:00AF5344o
		inc	ebx
		add	[edi+0], cl
		dec	esi
		add	[esi+0], al
		dec	ecx
		add	[edi+0], al
; 
		dd 0
; 

??_C@_1BK@PEMAEFGI@?$AAS?$AAC?$AAS?$AAI?$AAM?$AAI?$AAN?$AAI?$AAP?$AAO?$AAR?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF532Co
		push	ebx
		add	[ebx+0], al
		push	ebx
		add	[ecx+0], cl
		dec	ebp
		add	[ecx+0], cl
		dec	esi
		add	[ecx+0], cl
		push	eax
		add	[edi+0], cl
		push	edx
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
; 

??_C@_1BC@IOGFCALD@?$AAS?$AAE?$AAR?$AAM?$AAO?$AAU?$AAS?$AAE@EKOMKFNL@:
					; DATA XREF: INIT:00AF5374o
		push	ebx
		add	[ebp+0], al
		push	edx
		add	[ebp+0], cl
		dec	edi
		add	[ebp+0], dl
		push	ebx
		add	[ebp+0], al
; 
		dd 0
; 

??_C@_1BC@NIJBFLJG@?$AAI?$AA8?$AA0?$AA4?$AA2?$AAP?$AAR?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF535Co
		dec	ecx
		add	[eax], bh
		add	[eax], dh
		add	[eax+eax], dh
		xor	al, [eax]
		push	eax
		add	[edx+0], dl
		push	esp
; 
		db 0
		align 8

??_C@_1O@KNJFIJAH@?$AAK?$AAB?$AAD?$AAH?$AAI?$AAD@EKOMKFNL@: ; DATA XREF: INIT:00AF53A4o
		dec	ebx
		add	[edx+0], al
		inc	esp
		add	[eax+0], cl
		dec	ecx
		add	[eax+eax+0], al
; 
		db 3 dup(0)
; 

??_C@_1BC@NEFJHNBI@?$AAL?$AAS?$AAE?$AAR?$AAM?$AAO?$AAU?$AAS@EKOMKFNL@:
					; DATA XREF: INIT:00AF538Co
		dec	esp
		add	[ebx+0], dl
		inc	ebp
		add	[edx+0], dl
		dec	ebp
		add	[edi+0], cl
		push	ebp
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1BC@FLJLACIH@?$AAK?$AAB?$AAD?$AAC?$AAL?$AAA?$AAS?$AAS@EKOMKFNL@:
					; DATA XREF: INIT:00AF53D4o
		dec	ebx
		add	[edx+0], al
		inc	esp
		add	[ebx+0], al
		dec	esp
		add	[ecx+0], al
		push	ebx
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1O@DJECJIJ@?$AAM?$AAO?$AAU?$AAH?$AAI?$AAD@EKOMKFNL@: ; DATA XREF:	INIT:00AF53BCo
		dec	ebp
		add	[edi+0], cl
		push	ebp
		add	[eax+0], cl
		dec	ecx
		add	[eax+eax+0], al
; 
		db 3 dup(0)
; 

??_C@_1BC@IHJNOKFB@?$AAT?$AAW?$AAO?$AAT?$AAR?$AAA?$AAC?$AAK@EKOMKFNL@:
					; DATA XREF: INIT:00AF5404o
		push	esp
		add	[edi+0], dl
		dec	edi
		add	[eax+eax+52h], dl
		add	[ecx+0], al
		inc	ebx
		add	[ebx+0], cl
; 
		dd 0
; 

??_C@_1BC@KHBACBEB@?$AAM?$AAO?$AAU?$AAC?$AAL?$AAA?$AAS?$AAS@EKOMKFNL@:
					; DATA XREF: INIT:00AF53ECo
		dec	ebp
		add	[edi+0], cl
		push	ebp
		add	[ebx+0], al
		dec	esp
		add	[ecx+0], al
		push	ebx
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_19CAINCBFJ@?$AAA?$AAC?$AAP?$AAI@EKOMKFNL@: ; DATA	XREF: INIT:00AF5434o
		inc	ecx
		add	[ebx+0], al
		push	eax
		add	[ecx+0], cl
; 
		dd 0
; 

??_C@_1O@MHJJGBKB@?$AAW?$AAM?$AAI?$AAL?$AAI?$AAB@EKOMKFNL@: ; DATA XREF: INIT:00AF541Co
		push	edi
		add	[ebp+0], cl
		dec	ecx
		add	[eax+eax+49h], cl
		add	[edx+0], al
; 
		dd 0
; 

??_C@_1BA@INAEFELG@?$AAH?$AAA?$AAL?$AAI?$AAA?$AA6?$AA4@EKOMKFNL@:
					; DATA XREF: INIT:00AF5464o
		dec	eax
		add	[ecx+0], al
		dec	esp
		add	[ecx+0], cl
		inc	ecx
		add	[esi], dh
		add	[eax+eax], dh
; 
		dw 0
; 

??_C@_19EBBDPBIL@?$AAA?$AAM?$AAL?$AAI@EKOMKFNL@: ; DATA	XREF: INIT:00AF544Co
		inc	ecx
		add	[ebp+0], cl
		dec	esp
		add	[ecx+0], cl
; 
		dd 0
; 

??_C@_1BA@NJEEFIKO@?$AAS?$AAV?$AAC?$AAH?$AAO?$AAS?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF5494o
		push	ebx
		add	[esi+0], dl
		inc	ebx
		add	[eax+0], cl
		dec	edi
		add	[ebx+0], dl
		push	esp
; 
		db 3 dup(0)
; 

??_C@_1M@EPGPFLF@?$AAV?$AAI?$AAD?$AAE?$AAO@EKOMKFNL@: ;	DATA XREF: INIT:00AF547Co
		push	esi
		add	[ecx+0], cl
		inc	esp
		add	[ebp+0], al
		dec	edi
; 
		db 3 dup(0)
; 

??_C@_1M@HIKGEDIA@?$AAT?$AAC?$AAP?$AAI?$AAP@EKOMKFNL@: ; DATA XREF: INIT:00AF54C4o
		push	esp
		add	[ebx+0], al
		push	eax
		add	[ecx+0], cl
		push	eax
; 
		db 3 dup(0)
; 

??_C@_1BC@DONIHOID@?$AAV?$AAI?$AAD?$AAE?$AAO?$AAP?$AAR?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF54ACo
		push	esi
		add	[ecx+0], cl
		inc	esp
		add	[ebp+0], al
		dec	edi
		add	[eax+0], dl
		push	edx
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
; 

??_C@_1BA@JILCHCMP@?$AAN?$AAT?$AAO?$AAS?$AAP?$AAN?$AAP@EKOMKFNL@:
					; DATA XREF: INIT:00AF54F4o
		dec	esi
		add	[eax+eax+4Fh], dl
		add	[ebx+0], dl
		push	eax
		add	[esi+0], cl
		push	eax
; 
		db 3 dup(0)
; 

??_C@_1BA@OEAEEGOP@?$AAD?$AAM?$AAS?$AAY?$AAN?$AAT?$AAH@EKOMKFNL@:
					; DATA XREF: INIT:00AF54DCo
		inc	esp
		add	[ebp+0], cl
		push	ebx
		add	[ecx+0], bl
		dec	esi
		add	[eax+eax+48h], dl
; 
		db 3 dup(0)
; 

??_C@_1M@FPINNANL@?$AAS?$AAA?$AAM?$AAS?$AAS@EKOMKFNL@: ; DATA XREF: INIT:00AF5524o
		push	ebx
		add	[ecx+0], al
		dec	ebp
		add	[ebx+0], dl
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_1BA@CGJOBJKL@?$AAF?$AAA?$AAS?$AAT?$AAF?$AAA?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF550Co
		inc	esi
		add	[ecx+0], al
		push	ebx
		add	[eax+eax+46h], dl
		add	[ecx+0], al
		push	esp
; 
		db 3 dup(0)
; 

??_C@_1O@LDPMBPKI@?$AAN?$AAE?$AAT?$AAA?$AAP?$AAI@EKOMKFNL@: ; DATA XREF: INIT:00AF5554o
		dec	esi
		add	[ebp+0], al
		push	esp
		add	[ecx+0], al
		push	eax
		add	[ecx+0], cl
; 
		dd 0
; 

??_C@_1O@KIMIIFMC@?$AAP?$AAN?$AAP?$AAM?$AAG?$AAR@EKOMKFNL@: ; DATA XREF: INIT:00AF553Co
		push	eax
		add	[esi+0], cl
		push	eax
		add	[ebp+0], cl
		inc	edi
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_1BC@JLKELIPB@?$AAS?$AAC?$AAC?$AAL?$AAI?$AAE?$AAN?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF5584o
		push	ebx
		add	[ebx+0], al
		inc	ebx
		add	[eax+eax+49h], cl
		add	[ebp+0], al
		dec	esi
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
; 

??_C@_1BC@CGJFNME@?$AAS?$AAC?$AAS?$AAE?$AAR?$AAV?$AAE?$AAR@EKOMKFNL@:
					; DATA XREF: INIT:00AF556Co
		push	ebx
		add	[ebx+0], al
		push	ebx
		add	[ebp+0], al
		push	edx
		add	[esi+0], dl
		inc	ebp
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_1BA@JGDGJAKM@?$AAS?$AAE?$AAR?$AAE?$AAN?$AAU?$AAM@EKOMKFNL@:
					; DATA XREF: INIT:00AF55B4o
		push	ebx
		add	[ebp+0], al
		push	edx
		add	[ebp+0], al
		dec	esi
		add	[ebp+0], dl
		dec	ebp
; 
		db 3 dup(0)
; 

??_C@_1O@EDBLBJGB@?$AAS?$AAE?$AAR?$AAI?$AAA?$AAL@EKOMKFNL@: ; DATA XREF: INIT:00AF559Co
		push	ebx
		add	[ebp+0], al
		push	edx
		add	[ecx+0], cl
		inc	ecx
		add	[eax+eax+0], cl
; 
		db 3 dup(0)
; 

??_C@_1BC@NLGAHLIN@?$AAR?$AAP?$AAC?$AAP?$AAR?$AAO?$AAX?$AAY@EKOMKFNL@:
					; DATA XREF: INIT:00AF55E4o
		push	edx
		add	[eax+0], dl
		inc	ebx
		add	[eax+0], dl
		push	edx
		add	[edi+0], cl
		pop	eax
		add	[ecx+0], bl
; 
		dd 0
; 

??_C@_19CEIKLEHF@?$AAU?$AAH?$AAC?$AAD@EKOMKFNL@: ; DATA	XREF: INIT:00AF55CCo
		push	ebp
		add	[eax+0], cl
		inc	ebx
		add	[eax+eax+0], al
; 
		db 3 dup(0)
; 

??_C@_1O@LPCHMKNG@?$AAD?$AAC?$AAO?$AAM?$AAS?$AAS@EKOMKFNL@: ; DATA XREF: INIT:00AF5614o
		inc	esp
		add	[ebx+0], al
		dec	edi
		add	[ebp+0], cl
		push	ebx
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1BA@GIDKNJFM@?$AAA?$AAU?$AAT?$AAO?$AAC?$AAH?$AAK@EKOMKFNL@:
					; DATA XREF: INIT:00AF55FCo
		inc	ecx
		add	[ebp+0], dl
		push	esp
		add	[edi+0], cl
		inc	ebx
		add	[eax+0], cl
		dec	ebx
; 
		db 3 dup(0)
; 

??_C@_17LAJLCPFL@?$AAS?$AAI?$AAS@EKOMKFNL@: ; DATA XREF: INIT:00AF5644o
		push	ebx
		add	[ecx+0], cl
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_1BC@FDGCEING@?$AAU?$AAN?$AAI?$AAM?$AAO?$AAD?$AAE?$AAM@EKOMKFNL@:
					; DATA XREF: INIT:00AF562Co
		push	ebp
		add	[esi+0], cl
		dec	ecx
		add	[ebp+0], cl
		dec	edi
		add	[eax+eax+45h], al
		add	[ebp+0], cl
; 
		dd 0
; 

??_C@_1BA@BFNBODGB@?$AAW?$AAM?$AAI?$AAC?$AAO?$AAR?$AAE@EKOMKFNL@:
					; DATA XREF: INIT:00AF5674o
		push	edi
		add	[ebp+0], cl
		dec	ecx
		add	[ebx+0], al
		dec	edi
		add	[edx+0], dl
		inc	ebp
; 
		db 3 dup(0)
; 

??_C@_1O@NDGIMMPN@?$AAF?$AAL?$AAT?$AAM?$AAG?$AAR@EKOMKFNL@: ; DATA XREF: INIT:00AF565Co
		inc	esi
		add	[eax+eax+54h], cl
		add	[ebp+0], cl
		inc	edi
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_1M@ENABOFNC@?$AAI?$AAM?$AAA?$AAP?$AAI@EKOMKFNL@: ; DATA XREF: INIT:00AF56A4o
		dec	ecx
		add	[ebp+0], cl
		inc	ecx
		add	[eax+0], dl
		dec	ecx
; 
		db 3 dup(0)
; 

??_C@_1BA@BLONPGFC@?$AAB?$AAU?$AAR?$AAN?$AAE?$AAN?$AAG@EKOMKFNL@:
					; DATA XREF: INIT:00AF568Co
		inc	edx
		add	[ebp+0], dl
		push	edx
		add	[esi+0], cl
		inc	ebp
		add	[esi+0], cl
		inc	edi
; 
		db 3 dup(0)
; 

??_C@_1O@NCNDGEFJ@?$AAF?$AAU?$AAS?$AAI?$AAO?$AAN@EKOMKFNL@: ; DATA XREF: INIT:00AF56D4o
		inc	esi
		add	[ebp+0], dl
		push	ebx
		add	[ecx+0], cl
		dec	edi
		add	[esi+0], cl
; 
		dd 0
; 

??_C@_17HIBBPOGF@?$AAS?$AAX?$AAS@EKOMKFNL@: ; DATA XREF: INIT:00AF56BCo
		push	ebx
		add	[eax+0], bl
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_1BA@LAKPCDKK@?$AAS?$AAO?$AAF?$AAT?$AAP?$AAC?$AAI@EKOMKFNL@:
					; DATA XREF: INIT:00AF5704o
		push	ebx
		add	[edi+0], cl
		inc	esi
		add	[eax+eax+50h], dl
		add	[ebx+0], al
		dec	ecx
; 
		db 3 dup(0)
; 

??_C@_1BC@HAGOAFFK@?$AAI?$AAD?$AAL?$AAE?$AAT?$AAA?$AAS?$AAK@EKOMKFNL@:
					; DATA XREF: INIT:00AF56ECo
		dec	ecx
		add	[eax+eax+4Ch], al
		add	[ebp+0], al
		push	esp
		add	[ecx+0], al
		push	ebx
		add	[ebx+0], cl
; 
		dd 0
; 

??_C@_1M@NGEKBHII@?$AAM?$AAC?$AAH?$AAG?$AAR@EKOMKFNL@: ; DATA XREF: INIT:00AF5734o
		dec	ebp
		add	[ebx+0], al
		dec	eax
		add	[edi+0], al
		push	edx
; 
		db 3 dup(0)
; 

??_C@_19OJPJNDDA@?$AAT?$AAA?$AAP?$AAE@EKOMKFNL@: ; DATA	XREF: INIT:00AF571Co
		push	esp
		add	[ecx+0], al
		push	eax
		add	[ebp+0], al
; 
		dd 0
; 

??_C@_1O@CCMMDNHM@?$AAP?$AAC?$AAI?$AAI?$AAD?$AAE@EKOMKFNL@: ; DATA XREF: INIT:00AF5764o
		push	eax
		add	[ebx+0], al
		dec	ecx
		add	[ecx+0], cl
		inc	esp
		add	[ebp+0], al
; 
		dd 0
; 

??_C@_19EHJFODIJ@?$AAI?$AAD?$AAE?$AAP@EKOMKFNL@: ; DATA	XREF: INIT:00AF574Co
		dec	ecx
		add	[eax+eax+45h], al
		add	[eax+0], dl
; 
		dd 0
; 

??_C@_17GIEHFEFF@?$AAF?$AAD?$AAC@EKOMKFNL@: ; DATA XREF: INIT:00AF5794o
		inc	esi
		add	[eax+eax+43h], al
; 
		db 3 dup(0)
; 

??_C@_1O@CCEKCHDK@?$AAF?$AAL?$AAO?$AAP?$AAP?$AAY@EKOMKFNL@: ; DATA XREF: INIT:00AF577Co
		inc	esi
		add	[eax+eax+4Fh], cl
		add	[eax+0], dl
		push	eax
		add	[ecx+0], bl
; 
		dd 0
; 

??_C@_1BA@JAGAADAG@?$AAW?$AA3?$AA2?$AAT?$AAI?$AAM?$AAE@EKOMKFNL@:
					; DATA XREF: INIT:00AF57C4o
		push	edi
		add	[ebx], dh
		add	[edx], dh
		add	[eax+eax+49h], dl
		add	[ebp+0], cl
		inc	ebp
; 
		db 3 dup(0)
; 

??_C@_1BA@FLLOMPB@?$AAT?$AAE?$AAR?$AAM?$AAS?$AAR?$AAV@EKOMKFNL@: ; DATA	XREF: INIT:00AF57ACo
		push	esp
		add	[ebp+0], al
		push	edx
		add	[ebp+0], cl
		push	ebx
		add	[edx+0], dl
		push	esi
; 
		db 3 dup(0)
; 

??_C@_1BC@JHEFHMBN@?$AAR?$AAS?$AAF?$AAI?$AAL?$AAT?$AAE?$AAR@EKOMKFNL@:
					; DATA XREF: INIT:00AF57F4o
		push	edx
		add	[ebx+0], dl
		inc	esi
		add	[ecx+0], cl
		dec	esp
		add	[eax+eax+45h], dl
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_1BG@EDAEBFFN@?$AAP?$AAR?$AAE?$AAF?$AAE?$AAT?$AAC?$AAH?$AAE?$AAR@EKOMKFNL@:
					; DATA XREF: INIT:00AF57DCo
		push	eax
		add	[edx+0], dl
		inc	ebp
		add	[esi+0], al
		inc	ebp
		add	[eax+eax+43h], dl
		add	[eax+0], cl
		inc	ebp
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_17KACLLMCF@?$AAP?$AAC?$AAI@EKOMKFNL@: ; DATA XREF: INIT:00AF5824o
		push	eax
		add	[ebx+0], al
		dec	ecx
; 
		db 3 dup(0)
; 

??_C@_1O@JMECDIHP@?$AAF?$AAC?$AAP?$AAO?$AAR?$AAT@EKOMKFNL@: ; DATA XREF: INIT:00AF580Co
		inc	esi
		add	[ebx+0], al
		push	eax
		add	[edi+0], cl
		push	edx
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
; 

??_C@_1BC@DAMPBOIF@?$AAD?$AAM?$AAC?$AAO?$AAN?$AAF?$AAI?$AAG@EKOMKFNL@:
					; DATA XREF: INIT:00AF5854o
		inc	esp
		add	[ebp+0], cl
		inc	ebx
		add	[edi+0], cl
		dec	esi
		add	[esi+0], al
		dec	ecx
		add	[edi+0], al
; 
		dd 0
; 

??_C@_19NCJMPEKA@?$AAD?$AAM?$AAI?$AAO@EKOMKFNL@: ; DATA	XREF: INIT:00AF583Co
		inc	esp
		add	[ebp+0], cl
		dec	ecx
		add	[edi+0], cl
; 
		dd 0
; 

??_C@_1BO@CMPFHEFK@?$AAW?$AAS?$AAO?$AAC?$AAK?$AAT?$AAR?$AAA?$AAN?$AAS?$AAP?$AAO?$AAR?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF5884o
		push	edi
		add	[ebx+0], dl
		dec	edi
		add	[ebx+0], al
		dec	ebx
		add	[eax+eax+52h], dl
		add	[ecx+0], al
		dec	esi
		add	[ebx+0], dl
		push	eax
		add	[edi+0], cl
		push	edx
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
; 

??_C@_1BA@MCNLHGKO@?$AAD?$AAM?$AAA?$AAD?$AAM?$AAI?$AAN@EKOMKFNL@:
					; DATA XREF: INIT:00AF586Co
		inc	esp
		add	[ebp+0], cl
		inc	ecx
		add	[eax+eax+4Dh], al
		add	[ecx+0], cl
		dec	esi
; 
		db 3 dup(0)
; 

??_C@_1O@ONHKGDAA@?$AAP?$AAN?$AAP?$AAM?$AAE?$AAM@EKOMKFNL@: ; DATA XREF: INIT:00AF58B4o
		push	eax
		add	[esi+0], cl
		push	eax
		add	[ebp+0], cl
		inc	ebp
		add	[ebp+0], cl
; 
		dd 0
; 

??_C@_17FKDGAAMC@?$AAV?$AAS?$AAS@EKOMKFNL@: ; DATA XREF: INIT:00AF589Co
		push	esi
		add	[ebx+0], dl
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_1BC@ONGGPNBD@?$AAD?$AAM?$AAS?$AAE?$AAR?$AAV?$AAE?$AAR@EKOMKFNL@:
					; DATA XREF: INIT:00AF58E4o
		inc	esp
		add	[ebp+0], cl
		push	ebx
		add	[ebp+0], al
		push	edx
		add	[esi+0], dl
		inc	ebp
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_1BE@JHOCBNEO@?$AAP?$AAR?$AAO?$AAC?$AAE?$AAS?$AAS?$AAO?$AAR@EKOMKFNL@:
					; DATA XREF: INIT:00AF58CCo
		push	eax
		add	[edx+0], dl
		dec	edi
		add	[ebx+0], al
		inc	ebp
		add	[ebx+0], dl
		push	ebx
		add	[edi+0], cl
		push	edx
; 
		db 3 dup(0)
; 

??_C@_1BG@CBLDGOCA@?$AAI?$AAN?$AAF?$AAI?$AAN?$AAI?$AAB?$AAA?$AAN?$AAD@EKOMKFNL@:
					; DATA XREF: INIT:00AF5914o
		dec	ecx
		add	[esi+0], cl
		inc	esi
		add	[ecx+0], cl
		dec	esi
		add	[ecx+0], cl
		inc	edx
		add	[ecx+0], al
		dec	esi
		add	[eax+eax+0], al
; 
		db 3 dup(0)
; 

??_C@_15KFCDODCM@?$AAS?$AAR@EKOMKFNL@:	; DATA XREF: INIT:00AF58FCo
		push	ebx
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_1BC@NIBCHNIE@?$AAI?$AAH?$AAV?$AAV?$AAI?$AAD?$AAE?$AAO@EKOMKFNL@:
					; DATA XREF: INIT:00AF5944o
		dec	ecx
		add	[eax+0], cl
		push	esi
		add	[esi+0], dl
		dec	ecx
		add	[eax+eax+45h], al
		add	[edi+0], cl
; 
		dd 0
; 

??_C@_1BE@EMFIGANI@?$AAI?$AAH?$AAV?$AAD?$AAR?$AAI?$AAV?$AAE?$AAR@EKOMKFNL@:
					; DATA XREF: INIT:00AF592Co
		dec	ecx
		add	[eax+0], cl
		push	esi
		add	[eax+eax+52h], al
		add	[ecx+0], cl
		push	esi
		add	[ebp+0], al
		push	edx
; 
		db 3 dup(0)
; 

??_C@_1BG@FDDPAKEP@?$AAI?$AAH?$AAV?$AAN?$AAE?$AAT?$AAW?$AAO?$AAR?$AAK@EKOMKFNL@:
					; DATA XREF: INIT:00AF5974o
		dec	ecx
		add	[eax+0], cl
		push	esi
		add	[esi+0], cl
		inc	ebp
		add	[eax+eax+57h], dl
		add	[edi+0], cl
		push	edx
		add	[ebx+0], cl
; 
		dd 0
; 

??_C@_1BC@OKMCNIOK@?$AAI?$AAH?$AAV?$AAA?$AAU?$AAD?$AAI?$AAO@EKOMKFNL@:
					; DATA XREF: INIT:00AF595Co
		dec	ecx
		add	[eax+0], cl
		push	esi
		add	[ecx+0], al
		push	ebp
		add	[eax+eax+49h], al
		add	[edi+0], cl
; 
		dd 0
; 

??_C@_1O@KNINEFBA@?$AAI?$AAH?$AAV?$AAB?$AAU?$AAS@EKOMKFNL@: ; DATA XREF: INIT:00AF59A4o
		dec	ecx
		add	[eax+0], cl
		push	esi
		add	[edx+0], al
		push	ebp
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1BK@GJFHDEAF@?$AAI?$AAH?$AAV?$AAS?$AAT?$AAR?$AAE?$AAA?$AAM?$AAI?$AAN?$AAG@EKOMKFNL@:
					; DATA XREF: INIT:00AF598Co
		dec	ecx
		add	[eax+0], cl
		push	esi
		add	[ebx+0], dl
		push	esp
		add	[edx+0], dl
		inc	ebp
		add	[ecx+0], al
		dec	ebp
		add	[ecx+0], cl
		dec	esi
		add	[edi+0], al
; 
		dd 0
; 

??_C@_1BM@IFPGFGF@?$AAR?$AAT?$AAL?$AAT?$AAH?$AAR?$AAE?$AAA?$AAD?$AAP?$AAO?$AAO?$AAL@EKOMKFNL@:
					; DATA XREF: INIT:00AF59D4o
		push	edx
		add	[eax+eax+4Ch], dl
		add	[eax+eax+48h], dl
		add	[edx+0], dl
		inc	ebp
		add	[ecx+0], al
		inc	esp
		add	[eax+0], dl
		dec	edi
		add	[edi+0], cl
		dec	esp
; 
		db 3 dup(0)
; 

??_C@_17LFJDFBHF@?$AAH?$AAP?$AAS@EKOMKFNL@: ; DATA XREF: INIT:00AF59BCo
		dec	eax
		add	[eax+0], dl
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_1O@BBGFHLK@?$AAT?$AAC?$AAP?$AAI?$AAP?$AA6@EKOMKFNL@: ; DATA XREF:	INIT:00AF5A04o
		push	esp
		add	[ebx+0], al
		push	eax
		add	[ecx+0], cl
		push	eax
		add	[esi], dh
; 
		db 0
		align 8

??_C@_17BBCCHIGH@?$AAL?$AAD?$AAR@EKOMKFNL@: ; DATA XREF: INIT:00AF59ECo
		dec	esp
		add	[eax+eax+52h], al
; 
		db 3 dup(0)
; 

??_C@_19DBABIMLO@?$AAS?$AAH?$AAP?$AAC@EKOMKFNL@: ; DATA	XREF: INIT:00AF5A34o
		push	ebx
		add	[eax+0], cl
		push	eax
		add	[ebx+0], al
; 
		dd 0
; 

??_C@_1O@FAEPPNJD@?$AAI?$AAS?$AAA?$AAP?$AAN?$AAP@EKOMKFNL@: ; DATA XREF: INIT:00AF5A1Co
		dec	ecx
		add	[ebx+0], dl
		inc	ecx
		add	[eax+0], dl
		dec	esi
		add	[eax+0], dl
; 
		dd 0
; 

??_C@_1BK@CEBCMCDO@?$AAS?$AAT?$AAO?$AAR?$AAM?$AAI?$AAN?$AAI?$AAP?$AAO?$AAR?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF5A64o
		push	ebx
		add	[eax+eax+4Fh], dl
		add	[edx+0], dl
		dec	ebp
		add	[ecx+0], cl
		dec	esi
		add	[ecx+0], cl
		push	eax
		add	[edi+0], cl
		push	edx
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
; 

??_C@_1BC@HBMJKFNP@?$AAS?$AAT?$AAO?$AAR?$AAP?$AAO?$AAR?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF5A4Co
		push	ebx
		add	[eax+eax+4Fh], dl
		add	[edx+0], dl
		push	eax
		add	[edi+0], cl
		push	edx
		add	[eax+eax+0], dl
; 
		db 3 dup(0)
; 

??_C@_1BG@IPGNPLMN@?$AAV?$AAS?$AAS?$AAD?$AAY?$AAN?$AAD?$AAI?$AAS?$AAK@EKOMKFNL@:
					; DATA XREF: INIT:00AF5A94o
		push	esi
		add	[ebx+0], dl
		push	ebx
		add	[eax+eax+59h], al
		add	[esi+0], cl
		inc	esp
		add	[ecx+0], cl
		push	ebx
		add	[ebx+0], cl
; 
		dd 0
; 

??_C@_1BK@MCMLANOK@?$AAP?$AAR?$AAI?$AAN?$AAT?$AAS?$AAP?$AAO?$AAO?$AAL?$AAE?$AAR@EKOMKFNL@:
					; DATA XREF: INIT:00AF5A7Co
		push	eax
		add	[edx+0], dl
		dec	ecx
		add	[esi+0], cl
		push	esp
		add	[ebx+0], dl
		push	eax
		add	[edi+0], cl
		dec	edi
		add	[eax+eax+45h], cl
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_17EEOFDCOB@?$AAV?$AAD?$AAS@EKOMKFNL@: ; DATA XREF: INIT:00AF5AC4o
		push	esi
		add	[eax+eax+53h], al
; 
		db 3 dup(0)
; 

??_C@_1BC@KGNJPLCF@?$AAV?$AAE?$AAR?$AAI?$AAF?$AAI?$AAE?$AAR@EKOMKFNL@:
					; DATA XREF: INIT:00AF5AACo
		push	esi
		add	[ebp+0], al
		push	edx
		add	[ecx+0], cl
		inc	esi
		add	[ecx+0], cl
		inc	ebp
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_1O@GNFGANPB@?$AAV?$AAD?$AAS?$AAD?$AAY?$AAN@EKOMKFNL@: ; DATA XREF: INIT:00AF5AF4o
		push	esi
		add	[eax+eax+53h], al
		add	[eax+eax+59h], al
		add	[esi+0], cl
; 
		dd 0
; 

??_C@_1O@OGMPALMC@?$AAV?$AAD?$AAS?$AAB?$AAA?$AAS@EKOMKFNL@: ; DATA XREF: INIT:00AF5ADCo
		push	esi
		add	[eax+eax+53h], al
		add	[edx+0], al
		inc	ecx
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1O@BLDEOPCG@?$AAV?$AAD?$AAS?$AAL?$AAD?$AAR@EKOMKFNL@: ; DATA XREF: INIT:00AF5B24o
		push	esi
		add	[eax+eax+53h], al
		add	[eax+eax+44h], cl
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_1BC@BMCNIKPF@?$AAV?$AAD?$AAS?$AAD?$AAY?$AAN?$AAD?$AAR@EKOMKFNL@:
					; DATA XREF: INIT:00AF5B0Co
		push	esi
		add	[eax+eax+53h], al
		add	[eax+eax+59h], al
		add	[esi+0], cl
		inc	esp
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_1BA@JKCEKNLO@?$AAD?$AAF?$AAR?$AAG?$AAI?$AAF?$AAC@EKOMKFNL@:
					; DATA XREF: INIT:00AF5B54o
		inc	esp
		add	[esi+0], al
		push	edx
		add	[edi+0], al
		dec	ecx
		add	[esi+0], al
		inc	ebx
; 
		db 3 dup(0)
; 

??_C@_1BA@OMLIOJCN@?$AAV?$AAD?$AAS?$AAU?$AAT?$AAI?$AAL@EKOMKFNL@:
					; DATA XREF: INIT:00AF5B3Co
		push	esi
		add	[eax+eax+53h], al
		add	[ebp+0], dl
		push	esp
		add	[ecx+0], cl
		dec	esp
; 
		db 3 dup(0)
; 

??_C@_15JEIFMHAO@?$AAM?$AAM@EKOMKFNL@:	; DATA XREF: INIT:00AF5B84o
		dec	ebp
		add	[ebp+0], cl
; 
		dd 0
; 

??_C@_1BA@KDAEEGIF@?$AAD?$AAE?$AAF?$AAA?$AAU?$AAL?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF5B6Co
		inc	esp
		add	[ebp+0], al
		inc	esi
		add	[ecx+0], al
		push	ebp
		add	[eax+eax+54h], cl
; 
		db 3 dup(0)
; 

??_C@_1M@FBPBKHKH@?$AAW?$AAO?$AAW?$AA6?$AA4@EKOMKFNL@: ; DATA XREF: INIT:00AF5BB4o
		push	edi
		add	[edi+0], cl
		push	edi
		add	[esi], dh
		add	[eax+eax], dh
; 
		dw 0
; 

??_C@_19GHGNHGLD@?$AAD?$AAF?$AAS?$AAC@EKOMKFNL@: ; DATA	XREF: INIT:00AF5B9Co
		inc	esp
		add	[esi+0], al
		push	ebx
		add	[ebx+0], al
; 
		dd 0
; 

??_C@_17LHOLIFIE@?$AAW?$AAD?$AAI@EKOMKFNL@: ; DATA XREF: INIT:00AF5BE4o
		push	edi
		add	[eax+eax+49h], al
; 
		db 3 dup(0)
; 

??_C@_19JGBANDJB@?$AAA?$AAL?$AAP?$AAC@EKOMKFNL@: ; DATA	XREF: INIT:00AF5BCCo
		inc	ecx
		add	[eax+eax+50h], cl
		add	[ebx+0], al
; 
		dd 0
; 

??_C@_17BAELDECM@?$AAK?$AAT?$AAM@EKOMKFNL@: ; DATA XREF: INIT:00AF5C14o
		dec	ebx
		add	[eax+eax+4Dh], dl
; 
		db 3 dup(0)
; 

??_C@_1BA@DKJLEKJG@?$AAP?$AAE?$AAR?$AAF?$AAL?$AAI?$AAB@EKOMKFNL@:
					; DATA XREF: INIT:00AF5BFCo
		push	eax
		add	[ebp+0], al
		push	edx
		add	[esi+0], al
		dec	esp
		add	[ecx+0], cl
		inc	edx
; 
		db 3 dup(0)
; 

??_C@_19PPGMMKDP@?$AAH?$AAE?$AAA?$AAP@EKOMKFNL@: ; DATA	XREF: INIT:00AF5C44o
		dec	eax
		add	[ebp+0], al
		inc	ecx
		add	[eax+0], dl
; 
		dd 0
; 

??_C@_1BC@JBNHAGCD@?$AAI?$AAO?$AAS?$AAT?$AAR?$AAE?$AAS?$AAS@EKOMKFNL@:
					; DATA XREF: INIT:00AF5C2Co
		dec	ecx
		add	[edi+0], cl
		push	ebx
		add	[eax+eax+52h], dl
		add	[ebp+0], al
		push	ebx
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1BA@LOICENDC@?$AAU?$AAS?$AAE?$AAR?$AAG?$AAD?$AAI@EKOMKFNL@:
					; DATA XREF: INIT:00AF5C74o
		push	ebp
		add	[ebx+0], dl
		inc	ebp
		add	[edx+0], dl
		inc	edi
		add	[eax+eax+49h], al
; 
		db 3 dup(0)
; 

??_C@_19MBPIHHGH@?$AAW?$AAH?$AAE?$AAA@EKOMKFNL@: ; DATA	XREF: INIT:00AF5C5Co
					; INIT:00AF6078o ...
		push	edi
		add	[eax+0], cl
		inc	ebp
		add	[ecx+0], al
; 
		dd 0
; 

??_C@_17COEBFFLN@?$AAT?$AAP?$AAM@EKOMKFNL@: ; DATA XREF: INIT:00AF5CA4o
		push	esp
		add	[eax+0], dl
		dec	ebp
; 
		db 3 dup(0)
; 

??_C@_1M@LFBCBMIF@?$AAM?$AAM?$AAC?$AAS?$AAS@EKOMKFNL@: ; DATA XREF: INIT:00AF5C8Co
		dec	ebp
		add	[ebp+0], cl
		inc	ebx
		add	[ebx+0], dl
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_1BA@OOGOINLN@?$AAE?$AAN?$AAV?$AAI?$AAR?$AAO?$AAN@EKOMKFNL@:
					; DATA XREF: INIT:00AF5CD4o
		inc	ebp
		add	[esi+0], cl
		push	esi
		add	[ecx+0], cl
		push	edx
		add	[edi+0], cl
		dec	esi
; 
		db 3 dup(0)
; 

??_C@_1BI@OKFGLGGD@?$AAT?$AAH?$AAR?$AAE?$AAA?$AAD?$AAO?$AAR?$AAD?$AAE?$AAR@EKOMKFNL@:
					; DATA XREF: INIT:00AF5CBCo
		push	esp
		add	[eax+0], cl
		push	edx
		add	[ebp+0], al
		inc	ecx
		add	[eax+eax+4Fh], al
		add	[edx+0], dl
		inc	esp
		add	[ebp+0], al
		push	edx
; 
		db 3 dup(0)
; 

??_C@_17BFJIAKMG@?$AAW?$AAD?$AAT@EKOMKFNL@: ; DATA XREF: INIT:00AF5D04o
		push	edi
		add	[eax+eax+54h], al
; 
		db 3 dup(0)
; 

??_C@_17JBNOFFOB@?$AAE?$AAM?$AAS@EKOMKFNL@: ; DATA XREF: INIT:00AF5CECo
		inc	ebp
		add	[ebp+0], cl
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_19MADOJHGF@?$AAN?$AAD?$AAI?$AAS@EKOMKFNL@: ; DATA	XREF: INIT:00AF5D34o
		dec	esi
		add	[eax+eax+49h], al
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1O@IAGPKMAK@?$AAF?$AAV?$AAE?$AAV?$AAO?$AAL@EKOMKFNL@: ; DATA XREF: INIT:00AF5D1Co
		inc	esi
		add	[esi+0], dl
		inc	ebp
		add	[esi+0], dl
		dec	edi
		add	[eax+eax+0], cl
; 
		db 3 dup(0)
; 

??_C@_1M@DMCOPFJB@?$AAL?$AAU?$AAA?$AAF?$AAV@EKOMKFNL@: ; DATA XREF: INIT:00AF5D64o
		dec	esp
		add	[ebp+0], dl
		inc	ecx
		add	[esi+0], al
		push	esi
; 
		db 3 dup(0)
; 

??_C@_1BC@NPPJAEEJ@?$AAN?$AAV?$AAC?$AAT?$AAR?$AAA?$AAC?$AAE@EKOMKFNL@:
					; DATA XREF: INIT:00AF5D4Co
		dec	esi
		add	[esi+0], dl
		inc	ebx
		add	[eax+eax+52h], dl
		add	[ecx+0], al
		inc	ebx
		add	[ebp+0], al
; 
		dd 0
; 

??_C@_1BA@DKDDNJBG@?$AAU?$AAS?$AAB?$AAS?$AAT?$AAO?$AAR@EKOMKFNL@:
					; DATA XREF: INIT:00AF5D94o
		push	ebp
		add	[ebx+0], dl
		inc	edx
		add	[ebx+0], dl
		push	esp
		add	[edi+0], cl
		push	edx
; 
		db 3 dup(0)
; 

??_C@_1BE@DNOENPHP@?$AAA?$AAP?$AAP?$AAC?$AAO?$AAM?$AAP?$AAA?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF5D7Co
		inc	ecx
		add	[eax+0], dl
		push	eax
		add	[ebx+0], al
		dec	edi
		add	[ebp+0], cl
		push	eax
		add	[ecx+0], al
		push	esp
; 
		db 3 dup(0)
; 

??_C@_1BC@PJDDEKGG@?$AAC?$AAO?$AAV?$AAE?$AAR?$AAA?$AAG?$AAE@EKOMKFNL@:
					; DATA XREF: INIT:00AF5DC4o
		inc	ebx
		add	[edi+0], cl
		push	esi
		add	[ebp+0], al
		push	edx
		add	[ecx+0], al
		inc	edi
		add	[ebp+0], al
; 
		dd 0
; 

??_C@_1BC@NMALBGDH@?$AAS?$AAB?$AAP?$AA2?$AAP?$AAO?$AAR?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF5DACo
		push	ebx
		add	[edx+0], al
		push	eax
		add	[edx], dh
		add	[eax+0], dl
		dec	edi
		add	[edx+0], dl
		push	esp
; 
		db 0
		dd 0
; 

??_C@_1BC@HKJCNDBE@?$AAM?$AAO?$AAU?$AAN?$AAT?$AAM?$AAG?$AAR@EKOMKFNL@:
					; DATA XREF: INIT:00AF5DF4o
		dec	ebp
		add	[edi+0], cl
		push	ebp
		add	[esi+0], cl
		push	esp
		add	[ebp+0], cl
		inc	edi
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_1BC@PKBMAPNK@?$AAC?$AAA?$AAC?$AAH?$AAE?$AAM?$AAG?$AAR@EKOMKFNL@:
					; DATA XREF: INIT:00AF5DDCo
		inc	ebx
		add	[ecx+0], al
		inc	ebx
		add	[eax+0], cl
		inc	ebp
		add	[ebp+0], cl
		inc	edi
		add	[edx+0], dl
; 
		dd 0
; 

??_C@_17BFBDFANB@?$AAT?$AAX?$AAF@EKOMKFNL@: ; DATA XREF: INIT:00AF5E24o
		push	esp
		add	[eax+0], bl
		inc	esi
; 
		db 3 dup(0)
; 

??_C@_17IFMKMLMA@?$AAC?$AAF?$AAR@EKOMKFNL@: ; DATA XREF: INIT:00AF5E0Co
		inc	ebx
		add	[esi+0], al
		push	edx
; 
		db 3 dup(0)
; 

??_C@_1BG@NHAHDLNG@?$AAF?$AAL?$AAT?$AAR?$AAE?$AAG?$AAR?$AAE?$AAS?$AAS@EKOMKFNL@:
					; DATA XREF: INIT:00AF5E54o
		inc	esi
		add	[eax+eax+54h], cl
		add	[edx+0], dl
		inc	ebp
		add	[edi+0], al
		push	edx
		add	[ebp+0], al
		push	ebx
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1O@DEBOEMCC@?$AAK?$AAS?$AAE?$AAC?$AAD?$AAD@EKOMKFNL@: ; DATA XREF: INIT:00AF5E3Co
		dec	ebx
		add	[ebx+0], dl
		inc	ebp
		add	[ebx+0], al
		inc	esp
		add	[eax+eax+0], al
; 
		db 3 dup(0)
; 

??_C@_1M@DGHGIEGL@?$AAM?$AAS?$AAD?$AAS?$AAM@EKOMKFNL@: ; DATA XREF: INIT:00AF5E84o
		dec	ebp
		add	[ebx+0], dl
		inc	esp
		add	[ebx+0], dl
		dec	ebp
; 
		db 3 dup(0)
; 

??_C@_19MJDHPLJA@?$AAM?$AAP?$AAI?$AAO@EKOMKFNL@: ; DATA	XREF: INIT:00AF5E6Co
		dec	ebp
		add	[eax+0], dl
		dec	ecx
		add	[edi+0], cl
; 
		dd 0
; 

??_C@_1M@FLOJNDDK@?$AAP?$AAS?$AAH?$AAE?$AAD@EKOMKFNL@: ; DATA XREF: INIT:00AF5EB4o
		push	eax
		add	[ebx+0], dl
		dec	eax
		add	[ebp+0], al
		inc	esp
; 
		db 3 dup(0)
; 

??_C@_19OOCGFPKP@?$AAU?$AAD?$AAF?$AAS@EKOMKFNL@: ; DATA	XREF: INIT:00AF5E9Co
		push	ebp
		add	[eax+eax+46h], al
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_1M@FFPFOGMM@?$AAL?$AAS?$AAA?$AAS?$AAS@EKOMKFNL@: ; DATA XREF: INIT:00AF5EE4o
		dec	esp
		add	[ebx+0], dl
		inc	ecx
		add	[ebx+0], dl
		push	ebx
; 
		db 3 dup(0)
; 

??_C@_1BA@OBDKHNPE@?$AAS?$AAT?$AAO?$AAR?$AAV?$AAS?$AAP@EKOMKFNL@:
					; DATA XREF: INIT:00AF5ECCo
		push	ebx
		add	[eax+eax+4Fh], dl
		add	[edx+0], dl
		push	esi
		add	[ebx+0], dl
		push	eax
; 
		db 3 dup(0)
; 

??_C@_17OFOOOAA@?$AAC?$AAN?$AAG@EKOMKFNL@: ; DATA XREF:	INIT:00AF5F14o
		inc	ebx
		add	[esi+0], cl
		inc	edi
; 
		db 3 dup(0)
; 

??_C@_1BA@MOPPEILC@?$AAS?$AAS?$AAP?$AAI?$AAC?$AAL?$AAI@EKOMKFNL@:
					; DATA XREF: INIT:00AF5EFCo
		push	ebx
		add	[ebx+0], dl
		push	eax
		add	[ecx+0], cl
		inc	ebx
		add	[eax+eax+49h], cl
; 
		db 3 dup(0)
; 

??_C@_1BE@NJEKICK@?$AAF?$AAI?$AAL?$AAE?$AAT?$AAR?$AAA?$AAC?$AAE@EKOMKFNL@:
					; DATA XREF: INIT:00AF5F44o
		inc	esi
		add	[ecx+0], cl
		dec	esp
		add	[ebp+0], al
		push	esp
		add	[edx+0], dl
		inc	ecx
		add	[ebx+0], al
		inc	ebp
; 
		db 3 dup(0)
; 

??_C@_1M@OJLALFJK@?$AAE?$AAX?$AAF?$AAA?$AAT@EKOMKFNL@: ; DATA XREF: INIT:00AF5F2Co
		inc	ebp
		add	[eax+0], bl
		inc	esi
		add	[ecx+0], al
		push	esp
; 
		db 3 dup(0)
; 

??_C@_15GIONIMAK@?$AAS?$AAE@EKOMKFNL@:	; DATA XREF: INIT:00AF5F74o
		push	ebx
		add	[ebp+0], al
; 
		dd 0
; 

??_C@_1M@HPFEKJLP@?$AAX?$AAS?$AAA?$AAV?$AAE@EKOMKFNL@: ; DATA XREF: INIT:00AF5F5Co
		pop	eax
		add	[ebx+0], dl
		inc	ecx
		add	[esi+0], dl
		inc	ebp
; 
		db 3 dup(0)
; 

??_C@_1M@LGJCJJJI@?$AAP?$AAO?$AAW?$AAE?$AAR@EKOMKFNL@: ; DATA XREF: INIT:00AF5FA4o
		push	eax
		add	[edi+0], cl
		push	edi
		add	[ebp+0], al
		push	edx
; 
		db 3 dup(0)
; 

??_C@_1BM@HFEEMJAN@?$AAD?$AAR?$AAI?$AAV?$AAE?$AAE?$AAX?$AAT?$AAE?$AAN?$AAD?$AAE?$AAR@EKOMKFNL@:
					; DATA XREF: INIT:00AF5F8Co
		inc	esp
		add	[edx+0], dl
		dec	ecx
		add	[esi+0], dl
		inc	ebp
		add	[ebp+0], al
		pop	eax
		add	[eax+eax+45h], dl
		add	[esi+0], cl
		inc	esp
		add	[ebp+0], al
		push	edx
; 
		db 3 dup(0)
; 

??_C@_19NOBFGLFJ@?$AAG?$AAP?$AAI?$AAO@EKOMKFNL@: ; DATA	XREF: INIT:00AF5FD4o
		inc	edi
		add	[eax+0], dl
		dec	ecx
		add	[edi+0], cl
; 
		dd 0
; 

??_C@_1BM@MIIBINJG@?$AAC?$AAR?$AAA?$AAS?$AAH?$AAD?$AAU?$AAM?$AAP?$AAX?$AAH?$AAC?$AAI@EKOMKFNL@:
					; DATA XREF: INIT:00AF5FBCo
		inc	ebx
		add	[edx+0], dl
		inc	ecx
		add	[ebx+0], dl
		dec	eax
		add	[eax+eax+55h], al
		add	[ebp+0], cl
		push	eax
		add	[eax+0], bl
		dec	eax
		add	[ebx+0], al
		dec	ecx
; 
		db 3 dup(0)
; 

??_C@_17PLKPIGLP@?$AAW?$AAE?$AAR@EKOMKFNL@: ; DATA XREF: INIT:00AF6004o
		push	edi
		add	[ebp+0], al
		push	edx
; 
		db 3 dup(0)
; 

??_C@_19MAFAEEEI@?$AAR?$AAE?$AAF?$AAS@EKOMKFNL@: ; DATA	XREF: INIT:00AF5FECo
		push	edx
		add	[ebp+0], al
		inc	esi
		add	[ebx+0], dl
; 
		dd 0
; 

??_C@_19JCIJPNDF@?$AAV?$AAP?$AAC?$AAI@EKOMKFNL@: ; DATA	XREF: INIT:00AF6034o
		push	esi
		add	[eax+0], dl
		inc	ebx
		add	[ecx+0], cl
; 
		dd 0
; 

??_C@_1O@ICJJIJDF@?$AAC?$AAA?$AAP?$AAI?$AAM?$AAG@EKOMKFNL@: ; DATA XREF: INIT:00AF601Co
		inc	ebx
		add	[ecx+0], al
		push	eax
		add	[ecx+0], cl
		dec	ebp
		add	[edi+0], al
; 
		dd 0
; 

??_C@_1M@GOCPAKHL@?$AAF?$AAS?$AAL?$AAI?$AAB@EKOMKFNL@: ; DATA XREF: INIT:00AF6064o
		inc	esi
		add	[ebx+0], dl
		dec	esp
		add	[ecx+0], cl
		inc	edx
; 
		db 3 dup(0)
; 

??_C@_1CG@OAEKLONO@?$AAS?$AAT?$AAO?$AAR?$AAA?$AAG?$AAE?$AAC?$AAL?$AAA?$AAS?$AAS?$AAM?$AAE?$AAM@EKOMKFNL@:
					; DATA XREF: INIT:00AF604Co
		push	ebx
		add	[eax+eax+4Fh], dl
		add	[edx+0], dl
		inc	ecx
		add	[edi+0], al
		inc	ebp
		add	[ebx+0], al
		dec	esp
		add	[ecx+0], al
		push	ebx
		add	[ebx+0], dl
		dec	ebp
		add	[ebp+0], al
		dec	ebp
		add	[edi+0], cl
		push	edx
		add	[ecx+0], bl
; 
		dd 0
; 

??_C@_1DG@HCPJNHFA@?$AAM?$AAa?$AAx?$AAC?$AAo?$AAr?$AAr?$AAe?$AAc?$AAt?$AAe?$AAd?$AAM?$AAC?$AAE@EKOMKFNL@:
					; DATA XREF: INIT:00AF6094o
		dec	ebp
		add	[ecx+0], ah
		js	short $+2
		inc	ebx
		add	[edi+0], ch
		jb	short $+2
		jb	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		add	gs:[eax+eax+4Dh], ah
		add	[ebx+0], al
		inc	ebp
		add	[edi+0], cl
		jnz	short $+2
		jz	short $+2
		jnb	short $+2
		jz	short $+2
		popa
		add	[esi+0], ch
		add	fs:[ecx+0], ch
		outsb
		add	[edi+0], ah
; 
		dd 0
; 

??_C@_1DG@HOEOOOKM@?$AAS?$AAi?$AAn?$AAg?$AAl?$AAe?$AAB?$AAi?$AAt?$AAE?$AAc?$AAc?$AAE?$AAr?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF607Co
		push	ebx
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		insb
		add	[ebp+0], ah
		inc	edx
		add	[ecx+0], ch
		jz	short $+2
		inc	ebp
		add	[ebx+0], ah
		arpl	[eax], ax
		inc	ebp
		add	[edx+0], dh
		jb	short $+2
		outsd
		add	[edx+0], dh
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+0], ah
; 
		db 3 dup(0)
; 

??_C@_1BO@LBFJPMML@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAO?$AAf?$AAf?$AAl?$AAi?$AAn?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF60ACo
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		dec	edi
		add	[esi+0], ah
		db	66h
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		add	gs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1BI@ICKPNKKL@?$AAW?$AAH?$AAE?$AAA?$AA?2?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@:
					; DATA XREF: INIT:00AF60A8o
					; INIT:00AF60C0o ...
		push	edi
		add	[eax+0], cl
		inc	ebp
		add	[ecx+0], al
		pop	esp
		add	[eax+0], dl
		outsd
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		jns	short $+2
; 
		dw 0
; 

??_C@_1BM@OIKNOJHC@?$AAM?$AAe?$AAm?$AAP?$AAf?$AAa?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF60DCo
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[eax+0], dl
		db	66h
		add	[ecx+0], ah
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
; 
		dw 0
; 

??_C@_1CE@GEOJMGFF@?$AAM?$AAe?$AAm?$AAP?$AAe?$AAr?$AAs?$AAi?$AAs?$AAt?$AAO?$AAf?$AAf?$AAl?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF60C4o
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[eax+0], dl
		add	gs:[edx+0], dh
		jnb	short $+2
		imul	eax, [eax], 740073h
		dec	edi
		add	[esi+0], ah
		db	66h
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CA@KOMJJKMM@?$AAM?$AAe?$AAm?$AAP?$AAf?$AAa?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh?$AAo?$AAl?$AAd@EKOMKFNL@:
					; DATA XREF: INIT:00AF610Co
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[eax+0], dl
		db	66h
		add	[ecx+0], ah
		push	esp
		add	[eax+0], ch
		jb	short $+2
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+0], ah

loc_AFBF2F:				; DATA XREF: INIT:00AF60F4o
		add	[ebp+0], cl
		add	gs:[ebp+0], ch
		push	eax
		add	[esi+0], ah
		popa
		add	[eax+0], dl
		popa
		add	[edi+0], ah
		add	gs:[ebx+0], al
		outsd
		add	[ebp+0], dh
		outsb
		add	[eax+eax+0], dh

loc_AFBF4F:				; DATA XREF: INIT:00AF613Co
		add	[ecx+0], cl
		add	[bp+0],	ch
		outsd
		add	[edx+0], dh
		add	gs:[eax+eax+75h], al
		add	[ebp+0], ch
		insd
		add	[ecx+0], bh
		push	edi
		add	[edx+0], dh
		imul	eax, [eax], 650074h
; 
		dd 0
; 

??_C@_1BM@LFDBDPAM@?$AAM?$AAe?$AAm?$AAP?$AAf?$AAa?$AAT?$AAi?$AAm?$AAe?$AAo?$AAu?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF6124o
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[eax+0], dl
		db	66h
		add	[ecx+0], ah
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dw 0
; 

??_C@_1CO@EJEIPIDH@?$AAR?$AAe?$AAs?$AAt?$AAo?$AAr?$AAe?$AAC?$AAm?$AAc?$AAi?$AAM?$AAa?$AAx?$AAA@EKOMKFNL@:
					; DATA XREF: INIT:00AF616Co
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[ebx+0], al
		insd
		add	[ebx+0], ah
		imul	eax, [eax], 61004Dh
		js	short $+2
		inc	ecx
		add	[eax+eax+74h], dh
		add	[ebp+0], ah
		insd
		add	[eax+0], dh
		jz	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1CG@GGAGMKOM@?$AAR?$AAe?$AAs?$AAt?$AAo?$AAr?$AAe?$AAC?$AAm?$AAc?$AAi?$AAE?$AAn?$AAa?$AAb@EKOMKFNL@:
					; DATA XREF: INIT:00AF6154o
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[ebx+0], al
		insd
		add	[ebx+0], ah
		imul	eax, [eax], 6E0045h
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CE@IFNODAPI@?$AAC?$AAM?$AAC?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh?$AAo?$AAl?$AAd?$AAC?$AAo?$AAu@EKOMKFNL@:
					; DATA XREF: INIT:00AF619Co
		inc	ebx
		add	[ebp+0], cl
		inc	ebx
		add	[eax+eax+68h], dl
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+43h], ah
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+0], dh

loc_AFC00B:				; DATA XREF: INIT:00AF6184o
		add	[edx+0], dl
		add	gs:[ebx+0], dh
		jz	short $+2
		outsd
		add	[edx+0], dh
		add	gs:[ebx+0], al
		insd
		add	[ebx+0], ah
		imul	eax, [eax], 720045h
		jb	short $+2
		outsd
		add	[edx+0], dh
		dec	esp
		add	[ecx+0], ch
		insd
		add	[ecx+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1CA@KBCEKDGB@?$AAC?$AAM?$AAC?$AAP?$AAo?$AAl?$AAl?$AAi?$AAn?$AAg?$AAL?$AAi?$AAm?$AAi?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF61CCo
		inc	ebx
		add	[ebp+0], cl
		inc	ebx
		add	[eax+0], dl
		outsd
		add	[eax+eax+6Ch], ch
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		dec	esp
		add	[ecx+0], ch
		insd
		add	[ecx+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1CI@NKLDOMBM@?$AAC?$AAM?$AAC?$AAT?$AAh?$AAr?$AAe?$AAs?$AAh?$AAo?$AAl?$AAd?$AAS?$AAe?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF61B4o
		inc	ebx
		add	[ebp+0], cl
		inc	ebx
		add	[eax+eax+68h], dl
		add	[edx+0], dh
		add	gs:[ebx+0], dh
		push	6C006F00h
		add	[eax+eax+53h], ah
		add	[ebp+0], ah
		arpl	[eax], ax
		outsd
		add	[esi+0], ch
		add	fs:[ebx+0], dh
; 
		dw 0
; 

??_C@_1CA@EDHBOKHJ@?$AAP?$AAr?$AAo?$AAf?$AAi?$AAl?$AAe?$AAI?$AAn?$AAt?$AAe?$AAr?$AAv?$AAa?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF61E4o
		push	eax
		add	[edx+0], dh
		outsd
		add	[esi+0], ah
		imul	eax, [eax], 65006Ch
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		jbe	short $+2
		popa
		add	[eax+eax+0], ch
; 
		db 0
; 

??_C@_1BE@CAJFDKPL@?$AAW?$AAM?$AAI?$AA?2?$AAT?$AAr?$AAa?$AAc?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF61E0o
					; INIT:00AF61F8o ...
		push	edi
		add	[ebp+0], cl
		dec	ecx
		add	[eax+eax+54h], bl
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		add	gs:[eax], al

loc_AFC0B3:				; DATA XREF: INIT:00AF6214o
		add	[ebx+0], dl
		jz	short $+2
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 43h
		add	[ecx+0], ah
		jo	short $+2
		jz	short $+2
		jnz	short $+2
		jb	short $+2
		add	gs:[eax+eax+69h], dl
		add	[ebp+0], ch
		add	gs:[edi+0], ch
		jnz	short $+2
		jz	short $+2
; 
		dw 0
; 

??_C@_1CA@IOIFOKG@?$AAM?$AAe?$AAm?$AAI?$AAn?$AAf?$AAo?$AAI?$AAn?$AAt?$AAe?$AAr?$AAv?$AAa?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF61FCo
		dec	ebp
		add	[ebp+0], ah
		insd
		add	[ecx+0], cl
		outsb
		add	[esi+0], ah
		outsd
		add	[ecx+0], cl
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		jbe	short $+2
		popa
		add	[eax+eax+0], ch
; 
		db 0
; 

??_C@_1CI@LHFBMEIN@?$AAC?$AAo?$AAv?$AAe?$AAr?$AAa?$AAg?$AAe?$AAF?$AAl?$AAu?$AAs?$AAh?$AAP?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF6244o
		inc	ebx
		add	[edi+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		popa
		add	[edi+0], ah
		add	gs:[esi+0], al
		insb
		add	[ebp+0], dh
		jnb	short $+2
		push	65005000h
		add	[edx+0], dh
		imul	eax, [eax], 64006Fh
; 
		dw 0
; 

??_C@_1CG@EPJIJBDO@?$AAC?$AAo?$AAv?$AAe?$AAr?$AAa?$AAg?$AAe?$AAE?$AAn?$AAt?$AAr?$AAy?$AAC?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF622Co
		inc	ebx
		add	[edi+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		popa
		add	[edi+0], ah
		add	gs:[ebp+0], al
		outsb
		add	[eax+eax+72h], dh
		add	[ecx+0], bh
		inc	ebx
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+0], dh
; 
		db 3 dup(0)
; 

??_C@_1CK@CPCDFBHM@?$AAE?$AAm?$AAb?$AAe?$AAd?$AAd?$AAe?$AAd?$AAN?$AAT?$AA?2?$AAE?$AAx?$AAe?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF6270o
		inc	ebp
		add	[ebp+0], ch
		bound	eax, [eax]
		add	gs:[eax+eax+64h], ah
		add	[ebp+0], ah
		add	fs:[esi+0], cl
		push	esp
		add	[eax+eax+45h], bl
		add	[eax+0], bh
		add	gs:[ebx+0], ah
		jnz	short $+2
		jz	short $+2
		imul	eax, [eax], 650076h
; 
		dd 0
; 

??_C@_1CI@OKKOPHDB@?$AAC?$AAo?$AAv?$AAe?$AAr?$AAa?$AAg?$AAe?$AAR?$AAe?$AAs?$AAe?$AAt?$AAP?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF625Co
		inc	ebx
		add	[edi+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		popa
		add	[edi+0], ah
		add	gs:[edx+0], dl
		add	gs:[ebx+0], dh
		add	gs:[eax+eax+50h], dh
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 64006Fh
; 
		dw 0
; 

??_C@_1BG@KMCBNDPK@?$AAA?$AAu?$AAt?$AAo?$AAR?$AAe?$AAb?$AAo?$AAo?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF628Co
		inc	ecx
		add	[ebp+0], dh
		jz	short $+2
		outsd
		add	[edx+0], dl
		add	gs:[edx+0], ah
		outsd
		add	[edi+0], ch
		jz	short $+2
; 
		dd 0
; 

??_C@_1DA@FIAIHGJJ@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAO?$AAn?$AAl?$AAy?$AAC?$AAo?$AAn?$AAf?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF6274o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[edi+0], cl
		outsb
		add	[eax+eax+79h], ch
		add	[ebx+0], al
		outsd
		add	[esi+0], ch
		db	66h
		add	[ecx+0], ch
		add	[di+0],	dh
		jb	short $+2
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
; 
		db 3 dup(0)
; 

??_C@_1BO@FIFGBAMF@?$AAA?$AAl?$AAp?$AAc?$AAM?$AAe?$AAs?$AAs?$AAa?$AAg?$AAe?$AAL?$AAo?$AAg@EKOMKFNL@:
					; DATA XREF: INIT:00AF62BCo
		inc	ecx
		add	[eax+eax+70h], ch
		add	[ebx+0], ah
		dec	ebp
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		popa
		add	[edi+0], ah
		add	gs:[eax+eax+6Fh], cl
		add	[edi+0], ah
; 
		dd 0
; 

??_C@_1CO@DFKOHCLH@?$AAT?$AAi?$AAc?$AAk?$AAc?$AAo?$AAu?$AAn?$AAt?$AAR?$AAo?$AAl?$AAl?$AAo?$AAv@EKOMKFNL@:
					; DATA XREF: INIT:00AF62A4o
		push	esp
		add	[ecx+0], ch
		arpl	[eax], ax
		imul	eax, [eax], 63h
		add	[edi+0], ch
		jnz	short $+2
		outsb
		add	[eax+eax+52h], dh
		add	[edi+0], ch
		insb
		add	[eax+eax+6Fh], ch
		add	[esi+0], dh
		add	gs:[edx+0], dh
		inc	esp
		add	[ebp+0], ah
		insb
		add	[ecx+0], ah
		jns	short $+2
; 
		dd 0
; 

??_C@_1CK@FAPNGAJA@?$AAC?$AAo?$AAv?$AAe?$AAr?$AAa?$AAg?$AAe?$AAM?$AAa?$AAx?$AAP?$AAa?$AAg?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF62ECo
		inc	ebx
		add	[edi+0], ch
		jbe	short $+2
		add	gs:[edx+0], dh
		popa
		add	[edi+0], ah
		add	gs:[ebp+0], cl
		popa
		add	[eax+0], bh
		push	eax
		add	[ecx+0], ah
		add	[di+0],	ah
		add	fs:[eax+0], dl
		outsd
		add	[edi+0], ch
		insb
; 
		db 0
		dd 0
; 

??_C@_1BO@BOEJIPCA@?$AAA?$AAl?$AAp?$AAc?$AAW?$AAa?$AAk?$AAe?$AAP?$AAo?$AAl?$AAi?$AAc?$AAy@EKOMKFNL@:
					; DATA XREF: INIT:00AF62D4o
		inc	ecx
		add	[eax+eax+70h], ch
		add	[ebx+0], ah
		push	edi
		add	[ecx+0], ah
		imul	eax, [eax], 65h
		add	[eax+0], dl
		outsd
		add	[eax+eax+69h], ch
		add	[ebx+0], ah
		jns	short $+2
; 
		dd 0
; 

??_C@_1CI@JODFHPHO@?$AAV?$AAa?$AAl?$AAi?$AAd?$AAa?$AAt?$AAi?$AAo?$AAn?$AAR?$AAu?$AAn?$AAl?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF6318o
		push	esi
		add	[ecx+0], ah
		insb
		add	[ecx+0], ch
		add	fs:[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	edx
		add	[ebp+0], dh
		outsb
		add	[eax+eax+65h], ch
		add	[esi+0], dh
		add	gs:[eax+eax+73h], ch
; 
		db 3 dup(0)
; 

??_C@_1CM@ECAHNNAO@?$AAI?$AAm?$AAa?$AAg?$AAe?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi?$AAo?$AAn?$AAO@EKOMKFNL@:
					; DATA XREF: INIT:00AF6304o
		dec	ecx
		add	[ebp+0], ch
		popa
		add	[edi+0], ah
		add	gs:[ebp+0], al
		js	short $+2
		add	gs:[ebx+0], ah
		jnz	short $+2
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dw 0
; 

??_C@_1DK@DKFGMOEL@?$AAB?$AAu?$AAg?$AAC?$AAh?$AAe?$AAc?$AAk?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF6334o
		inc	edx
		add	[ebp+0], dh
		add	[bp+di+0], al
		push	63006500h
		add	[ebx+0], ch
		push	ebp
		add	[esi+0], ch
		add	gs:[eax+0], bh
		jo	short $+2
		add	gs:[ebx+0], ah
		jz	short $+2
		add	gs:[eax+eax+49h], ah
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		jb	short $+2
		jnz	short $+2
		jo	short $+2
		jz	short $+2
		jnb	short $+2
; 
		dd 0
; 

??_C@_1O@CHBCJGPP@?$AAG?$AAl?$AAo?$AAb?$AAa?$AAl@EKOMKFNL@: ; DATA XREF: INIT:00AF631Co
		inc	edi
		add	[eax+eax+6Fh], ch
		add	[edx+0], ah
		popa
		add	[eax+eax+0], ch
; 
		db 3 dup(0)
; 

??_C@_1CE@KFDOOGGC@?$AAD?$AAe?$AAb?$AAu?$AAg?$AAP?$AAo?$AAl?$AAl?$AAI?$AAn?$AAt?$AAe?$AAr?$AAv@EKOMKFNL@:
					; DATA XREF: INIT:00AF6364o
		inc	esp
		add	[ebp+0], ah
		bound	eax, [eax]
		jnz	short $+2
		add	[bx+si+0], dl
		outsd
		add	[eax+eax+6Ch], ch
		add	[ecx+0], cl
		outsb
		add	[eax+eax+65h], dh
		add	[edx+0], dh
		jbe	short $+2
		popa
		add	[eax+eax+0], ch
; 
		db 0
; 

??_C@_1CK@PBLHPFPI@?$AAD?$AAe?$AAb?$AAu?$AAg?$AAg?$AAe?$AAr?$AAI?$AAs?$AAS?$AAt?$AAa?$AAl?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF634Co
		inc	esp
		add	[ebp+0], ah
		bound	eax, [eax]
		jnz	short $+2
		add	[bx+0],	ah
		add	gs:[edx+0], dh
		dec	ecx
		add	[ebx+0], dh
		push	ebx
		add	[eax+eax+61h], dh
		add	[eax+eax+6Ch], ch
		add	[edi+0], cl
		ja	short $+2
		outsb
		add	[ebp+0], ah
		jb	short $+2
; 
		dd 0
; 

??_C@_1DE@FGNGDNA@?$AAD?$AAi?$AAs?$AAa?$AAb?$AAl?$AAe?$AAL?$AAi?$AAg?$AAh?$AAt?$AAW?$AAe?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF6394o
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		dec	esp
		add	[ecx+0], ch
		add	[bx+si+0], ch
		jz	short $+2
		push	edi
		add	[ebp+0], ah
		imul	eax, [eax], 680067h
		jz	short $+2
		push	ebx
		add	[ebp+0], dh
		jnb	short $+2
		jo	short $+2
		add	gs:[esi+0], ch
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1DC@KOELKDCA@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAO?$AAf?$AAf?$AAF?$AAr?$AAo?$AAz?$AAe?$AAn?$AAP@EKOMKFNL@:
					; DATA XREF: INIT:00AF637Co
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		dec	edi
		add	[esi+0], ah
		db	66h
		add	[esi+0], al
		jb	short $+2
		outsd
		add	[edx+0], bh
		add	gs:[esi+0], ch
		push	eax
		add	[edx+0], dh
		outsd
		add	[ebx+0], ah
		add	gs:[ebx+0], dh
		jnb	short $+2
		outsd
		add	[edx+0], dh
		jnb	short $+2
; 
		dd 0
; 

??_C@_1CK@BOKDLB@?$AAE?$AAr?$AAr?$AAo?$AAr?$AAP?$AAo?$AAr?$AAt?$AAC?$AAo?$AAm?$AAm?$AAT?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF63C4o
		inc	ebp
		add	[edx+0], dh
		jb	short $+2
		outsd
		add	[edx+0], dh
		push	eax
		add	[edi+0], ch
		jb	short $+2
		jz	short $+2
		inc	ebx
		add	[edi+0], ch
		insd
		add	[ebp+0], ch
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dd 0
; 

??_C@_1CM@PLHMKNEJ@?$AAE?$AAr?$AAr?$AAo?$AAr?$AAP?$AAo?$AAr?$AAt?$AAS?$AAt?$AAa?$AAr?$AAt?$AAT@EKOMKFNL@:
					; DATA XREF: INIT:00AF63ACo
		inc	ebp
		add	[edx+0], dh
		jb	short $+2
		outsd
		add	[edx+0], dh
		push	eax
		add	[edi+0], ch
		jb	short $+2
		jz	short $+2
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
		push	esp
		add	[ecx+0], ch
		insd
		add	[ebp+0], ah
		outsd
		add	[ebp+0], dh
		jz	short $+2
; 
		dw 0
; 

??_C@_1DG@BGLENKAK@?$AAP?$AAo?$AAw?$AAe?$AAr?$AAS?$AAi?$AAm?$AAu?$AAl?$AAa?$AAt?$AAe?$AAH?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF63F4o
		push	eax
		add	[edi+0], ch
		ja	short $+2
		add	gs:[edx+0], dh
		push	ebx
		add	[ecx+0], ch
		insd
		add	[ebp+0], dh
		insb
		add	[ecx+0], ah
		jz	short $+2
		add	gs:[eax+0], cl
		imul	eax, [eax], 650062h
		jb	short $+2
		inc	edx
		add	[ebp+0], dh
		add	[bp+di+0], ah
		push	63006500h
		add	[ebx+0], ch
; 
		dd 0
; 

??_C@_1DI@LKCFJDAG@?$AAO?$AAb?$AAO?$AAb?$AAj?$AAe?$AAc?$AAt?$AAS?$AAe?$AAc?$AAu?$AAr?$AAi?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF63DCo
		dec	edi
		add	[edx+0], ah
		dec	edi
		add	[edx+0], ah
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
		push	ebx
		add	[ebp+0], ah
		arpl	[eax], ax
		jnz	short $+2
		jb	short $+2
		imul	eax, [eax], 790074h
		dec	ecx
		add	[esi+0], ch
		push	72006500h
		add	[ecx+0], ch
		jz	short $+2
		popa
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[eax], al
; 
		db 0
; 

??_C@_1CC@KKPADHEA@?$AAI?$AAn?$AAi?$AAt?$AAC?$AAo?$AAn?$AAs?$AAo?$AAl?$AAe?$AAF?$AAl?$AAa?$AAg@EKOMKFNL@:
					; DATA XREF: INIT:00AF6424o
		dec	ecx
		add	[esi+0], ch
		imul	eax, [eax], 430074h
		outsd
		add	[esi+0], ch
		jnb	short $+2
		outsd
		add	[eax+eax+65h], ch
		add	[esi+0], al
		insb
		add	[ecx+0], ah
		add	[bp+di+0], dh
; 
		dd 0
; 

??_C@_1EA@JKKABPCO@?$AAS?$AAe?$AAA?$AAl?$AAl?$AAo?$AAw?$AAA?$AAl?$AAl?$AAA?$AAp?$AAp?$AAl?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF640Co
		push	ebx
		add	[ebp+0], ah
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[edi+0], ch
		ja	short $+2
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[ecx+0], al
		jo	short $+2
		jo	short $+2
		insb
		add	[ecx+0], ch
		arpl	[eax], ax
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ecx+0], al
		arpl	[eax], ax
		add	gs:[edx+0], dl
		add	gs:[ebp+0], ch
		outsd
		add	[esi+0], dh
		popa
		add	[eax+eax+0], ch

loc_AFC507:				; DATA XREF: INIT:00AF6454o
		add	[eax+eax+69h], al
		add	[ebx+0], dh
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		dec	ecx
		add	[esi+0], al
		inc	ebp
		add	[edi+0], cl
		inc	ebx
		add	[ecx+0], ah
		arpl	[eax], ax
		push	6E006900h
		add	[edi+0], ah
; 
		dd 0
; 

??_C@_1DK@FLLHNMFO@?$AAM?$AAu?$AAl?$AAt?$AAi?$AAU?$AAs?$AAe?$AAr?$AAs?$AAI?$AAn?$AAS?$AAe?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF643Co
		dec	ebp
		add	[ebp+0], dh
		insb
		add	[eax+eax+69h], dh
		add	[ebp+0], dl
		jnb	short $+2
		add	gs:[edx+0], dh
		jnb	short $+2
		dec	ecx
		add	[esi+0], ch
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		push	ebx
		add	[ebp+0], dh
		jo	short $+2
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		add	gs:[eax+eax+0],	ah
; 
		db 3 dup(0)
		align 10h

??_C@_1EM@BOMHABCH@?$AAS?$AAe?$AAA?$AAl?$AAl?$AAo?$AAw?$AAS?$AAe?$AAs?$AAs?$AAi?$AAo?$AAn?$AAI@EKOMKFNL@:
					; DATA XREF: INIT:00AF6484o
		push	ebx
		add	[ebp+0], ah
		inc	ecx
		add	[eax+eax+6Ch], ch
		add	[edi+0], ch
		ja	short $+2
		push	ebx
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		dec	ecx
		add	[ebp+0], ch
		jo	short $+2
		add	gs:[edx+0], dh
		jnb	short $+2
		outsd
		add	[esi+0], ch
		popa
		add	[eax+eax+69h], dh
		add	[edi+0], ch
		outsb
		add	[ebx+0], al
		popa
		add	[eax+0], dh
		popa
		add	[edx+0], ah
		imul	eax, [eax], 69006Ch
		jz	short $+2
		jns	short $+2
; 
		dw 0
; 

??_C@_1CG@OPIHDNIM@?$AAH?$AAy?$AAp?$AAe?$AAr?$AAS?$AAt?$AAa?$AAr?$AAt?$AAD?$AAi?$AAs?$AAa?$AAb@EKOMKFNL@:
					; DATA XREF: INIT:00AF646Co
		dec	eax
		add	[ecx+0], bh
		jo	short $+2
		add	gs:[edx+0], dh
		push	ebx
		add	[eax+eax+61h], dh
		add	[edx+0], dh
		jz	short $+2
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 3 dup(0)
		align 8

??_C@_1EC@GEAHDILE@?$AAS?$AAe?$AAT?$AAo?$AAk?$AAe?$AAn?$AAS?$AAi?$AAn?$AAg?$AAl?$AAe?$AAt?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF64B4o
		push	ebx
		add	[ebp+0], ah
		push	esp
		add	[edi+0], ch
		imul	eax, [eax], 65h
		add	[esi+0], ch
		push	ebx
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
		insb
		add	[ebp+0], ah
		jz	short $+2
		outsd
		add	[esi+0], ch
		inc	ecx
		add	[eax+eax+74h], dh
		add	[edx+0], dh
		imul	eax, [eax], 750062h
		jz	short $+2
		add	gs:[ebx+0], dh
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[esi+0], ah
		imul	eax, [eax], 67h
; 
		dw 0
; 

??_C@_1DE@FLMAFHCN@?$AAI?$AAn?$AAt?$AAe?$AAr?$AAr?$AAu?$AAp?$AAt?$AAS?$AAt?$AAe?$AAe?$AAr?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF649Co
		dec	ecx
		add	[esi+0], ch
		jz	short $+2
		add	gs:[edx+0], dh
		jb	short $+2
		jnz	short $+2
		jo	short $+2
		jz	short $+2
		push	ebx
		add	[eax+eax+65h], dh
		add	[ebp+0], ah
		jb	short $+2
		imul	eax, [eax], 67006Eh
		inc	esp
		add	[ecx+0], ch
		jnb	short $+2
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al

loc_AFC65F:				; DATA XREF: INIT:00AF64E4o
		add	[ebx+0], dl
		add	gs:[eax+eax+6Fh], dl
		add	[ebx+0], ch
		add	gs:[esi+0], ch
		dec	esp
		add	[ebp+0], ah
		popa
		add	[ebx+0], ch
		inc	esp
		add	[ecx+0], ch
		popa
		add	[edi+0], ah
; 
		dw 0
; 

??_C@_1BM@DNBGCAEI@?$AAS?$AAe?$AAC?$AAo?$AAm?$AAp?$AAa?$AAt?$AAF?$AAl?$AAa?$AAg?$AAs@EKOMKFNL@:
					; DATA XREF: INIT:00AF64CCo
		push	ebx
		add	[ebp+0], ah
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		popa
		add	[eax+eax+46h], dh
		add	[eax+eax+61h], ch
		add	[edi+0], ah
		jnb	short $+2
; 
		dw 0
; 

??_C@_1DE@JKGIIIBA@?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAF?$AAa?$AAv?$AAo?$AAr?$AAe?$AAd?$AAC?$AAo@EKOMKFNL@:
					; DATA XREF: INIT:00AF6514o
		dec	eax
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[edx+0], dh
		outsd
		add	[esi+0], al
		popa
		add	[esi+0], dh
		outsd
		add	[edx+0], dh
		add	gs:[eax+eax+43h], ah
		add	[edi+0], ch
		jb	short $+2
		add	gs:[esi+0], al
		popa
		add	[eax+eax+6Ch], ch
		add	[edx+0], ah
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 0

loc_AFC6CF:				; DATA XREF: INIT:00AF64FCo
		add	[ebx+0], dl
		add	gs:[eax+eax+6Fh], dl
		add	[ebx+0], ch
		add	gs:[esi+0], ch
		inc	esp
		add	[edi+0], ch
		add	gs:[ebx+0], dh
		dec	esi
		add	[edi+0], ch
		jz	short $+2
		push	esp
		add	[edx+0], dh
		popa
		add	[ebx+0], ah
		imul	eax, [eax], 53h
		add	[ebp+0], ah
		jnb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		dec	edi
		add	[edx+0], ah
		push	0
		add	gs:[ebx+0], ah
		jz	short $+2
; 
		dd 0
; 

??_C@_1BI@JPPDHLFB@?$AAH?$AAr?$AAI?$AAn?$AAc?$AAr?$AAe?$AAm?$AAe?$AAn?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF6544o
		dec	eax
		add	[edx+0], dh
		dec	ecx
		add	[esi+0], ch
		arpl	[eax], ax
		jb	short $+2
		add	gs:[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
; 
		dw 0
; 

??_C@_1DA@DJCFGEAB@?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAH?$AAy@EKOMKFNL@:
					; DATA XREF: INIT:00AF652Co
		push	esi
		add	[ecx+0], ch
		jb	short $+2
		jz	short $+2
		jnz	short $+2
		popa
		add	[eax+eax+48h], ch
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[edx+0], dh
		outsd
		add	[eax+0], cl
		jns	short $+2
		jnb	short $+2
		jz	short $+2
		add	gs:[edx+0], dh
		add	gs:[ebx+0], dh
		imul	eax, [eax], 73h

??_C@_1DI@MAOLDIHC@?$AAS?$AAe?$AAL?$AAp?$AAa?$AAc?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAW?$AAa?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF6574o
		push	ebx
		add	[ebp+0], ah
		dec	esp
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		jnb	short $+2
		outsd
		add	[esi+0], ch
		push	edx
		add	[ebp+0], ah
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 67006Eh
; 
		dw 0
; 

??_C@_1CK@NBNKKPJD@?$AAR?$AAe?$AAb?$AAa?$AAl?$AAa?$AAn?$AAc?$AAe?$AAM?$AAi?$AAn?$AAP?$AAr?$AAi@EKOMKFNL@:
					; DATA XREF: INIT:00AF655Co
		push	edx
		add	[ebp+0], ah
		bound	eax, [eax]
		popa
		add	[eax+eax+61h], ch
		add	[esi+0], ch
		arpl	[eax], ax
		add	gs:[ebp+0], cl
		imul	eax, [eax], 50006Eh
		jb	short $+2
		imul	eax, [eax], 72006Fh
		imul	eax, [eax], 790074h
; 
		dd 0
; 

??_C@_1CO@NPAEEIGN@?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAW?$AAe?$AAr?$AAU?$AAs?$AAe?$AAr?$AAR?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF65A4o
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	edi
		add	[ebp+0], ah
		jb	short $+2
		push	ebp
		add	[ebx+0], dh
		add	gs:[edx+0], dh
		push	edx
		add	[ebp+0], ah
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 67006Eh
; 
		dd 0
; 

??_C@_1DK@GBKPEDDG@?$AAS?$AAe?$AAL?$AAp?$AAa?$AAc?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe?$AAW?$AAa?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF658Co
		push	ebx
		add	[ebp+0], ah
		dec	esp
		add	[eax+0], dh
		popa
		add	[ebx+0], ah
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		jnb	short $+2
		outsd
		add	[esi+0], ch
		push	esp
		add	[eax+0], ch
		jb	short $+2
		outsd
		add	[eax+eax+74h], dh
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		add	[bx+si], al
; 
		db 3 dup(0)
		align 10h

??_C@_1EA@FMGIIEHM@?$AAA?$AAd?$AAm?$AAi?$AAn?$AAl?$AAe?$AAs?$AAs?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF65D4o
		inc	ecx
		add	[eax+eax+6Dh], ah
		add	[ecx+0], ch
		outsb
		add	[eax+eax+65h], ch
		add	[ebx+0], dh
		jnb	short $+2
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		jnb	short $+2
		outsd
		add	[esi+0], ch
		push	esp
		add	[eax+0], ch
		jb	short $+2
		outsd
		add	[eax+eax+74h], dh
		add	[eax+eax+69h], ch
		add	[esi+0], ch
		add	[bx+si], al

loc_AFC86F:				; DATA XREF: INIT:00AF65BCo
		add	[ecx+0], al
		add	fs:[ebp+0], ch
		imul	eax, [eax], 6C006Eh
		add	gs:[ebx+0], dh
		jnb	short $+2
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		push	edi
		add	[ecx+0], ah
		jz	short $+2
		jnb	short $+2
		outsd
		add	[esi+0], ch
		push	edx
		add	[ebp+0], ah
		jo	short $+2
		outsd
		add	[edx+0], dh
		jz	short $+2
		imul	eax, [eax], 67006Eh
; 
		dd 0
; 

??_C@_1EM@GKDNBKBJ@?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe?$AAO?$AAw?$AAn?$AAe?$AAr?$AAP?$AAr?$AAo?$AAt@EKOMKFNL@:
					; DATA XREF: INIT:00AF6604o
		inc	esp
		add	[ebp+0], ah
		jbe	short $+2
		imul	eax, [eax], 650063h
		dec	edi
		add	[edi+0], dh
		outsb
		add	[ebp+0], ah
		jb	short $+2
		push	eax
		add	[edx+0], dh
		outsd
		add	[eax+eax+65h], dh
		add	[ebx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		inc	esp
		add	[edi+0], ch
		ja	short $+2
		outsb
		add	[edi+0], ah
		jb	short $+2
		popa
		add	[eax+eax+65h], ah
		add	[ecx+0], al
		insb
		add	[eax+eax+6Fh], ch
		add	[edi+0], dh
		add	gs:[eax+eax+0],	ah
; 
		db 0
		align 10h

??_C@_1EA@MLOINJPN@?$AAA?$AAd?$AAm?$AAi?$AAn?$AAl?$AAe?$AAs?$AAs?$AAE?$AAn?$AAf?$AAo?$AAr?$AAc@EKOMKFNL@:
					; DATA XREF: INIT:00AF65ECo
		inc	ecx
		add	[eax+eax+6Dh], ah
		add	[ecx+0], ch
		outsb
		add	[eax+eax+65h], ch
		add	[ebx+0], dh
		jnb	short $+2
		inc	ebp
		add	[esi+0], ch
		db	66h
		add	[edi+0], ch
		jb	short $+2
		arpl	[eax], ax
		add	gs:[ebp+0], ch
		add	gs:[esi+0], ch
		jz	short $+2
		dec	ebp
		add	[edi+0], ch
		add	fs:[ebp+0], ah
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		add	fs:[eax], al
; 
		db 0
; 

??_C@_1CO@JHBEJNJB@?$AAH?$AAe?$AAt?$AAe?$AAr?$AAo?$AAS?$AAc?$AAh?$AAe?$AAd?$AAu?$AAl?$AAe?$AAr@EKOMKFNL@:
					; DATA XREF: INIT:00AF6634o
		dec	eax
		add	[ebp+0], ah
		jz	short $+2
		add	gs:[edx+0], dh
		outsd
		add	[ebx+0], dl
		arpl	[eax], ax
		push	64006500h
		add	[ebp+0], dh
		insb
		add	[ebp+0], ah
		jb	short $+2
		dec	edi
		add	[eax+0], dh
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		jnb	short $+2
; 
		dd 0
; 

??_C@_1CK@BGPNDLIH@?$AAC?$AAa?$AAc?$AAh?$AAe?$AAA?$AAw?$AAa?$AAr?$AAe?$AAS?$AAc?$AAh?$AAe?$AAd@EKOMKFNL@:
					; DATA XREF: INIT:00AF661Co
		inc	ebx
		add	[ecx+0], ah
		arpl	[eax], ax
		push	41006500h
		add	[edi+0], dh
		popa
		add	[edx+0], dh
		add	gs:[ebx+0], dl
		arpl	[eax], ax
		push	64006500h
		add	[ebp+0], dh
		insb
		add	[ecx+0], ch
		outsb
		add	[edi+0], ah
; 
		dd 0
; 

??_C@_17FOAIFHB@?$AAK?$AAV?$AAB@EKOMKFNL@: ; DATA XREF:	INIT:00AF664Co
		dec	ebx
		add	[esi+0], dl
		inc	edx
; 
		db 3 dup(0)
; 

??_C@_1BO@MHIGONBA@?$AAV?$AAe?$AAr?$AAs?$AAi?$AAo?$AAn?$AA?2?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl@EKOMKFNL@:
					; DATA XREF: INIT:00AF6648o
		push	esi
		add	[ebp+0], ah
		jb	short $+2
		jnb	short $+2
		imul	eax, [eax], 6E006Fh
		pop	esp
		add	[ebx+0], cl
		add	gs:[edx+0], dh
		outsb
		add	[ebp+0], ah
		insb
; 
		db 0
		dd 0
; 

??_C@_1BO@CKFMEODG@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AAV?$AAe?$AAl?$AAo?$AAc?$AAi?$AAt?$AAy@EKOMKFNL@:
					; DATA XREF: INIT:00AF6678o
		dec	ebx
		add	[ebp+0], ah
		jb	short $+2
		outsb
		add	[ebp+0], ah
		insb
		add	[esi+0], dl
		add	gs:[eax+eax+6Fh], ch
		add	[ebx+0], ah
		imul	eax, [eax], 790074h
; 
		dd 0
; 

??_C@_1DI@EEPNDFOE@?$AAA?$AAd?$AAm?$AAi?$AAn?$AAl?$AAe?$AAs?$AAs?$AAE?$AAn?$AAa?$AAb?$AAl?$AAe@EKOMKFNL@:
					; DATA XREF: INIT:00AF6664o
		inc	ecx
		add	[eax+eax+6Dh], ah
		add	[ecx+0], ch
		outsb
		add	[eax+eax+65h], ch
		add	[ebx+0], dh
		jnb	short $+2
		inc	ebp
		add	[esi+0], ch
		popa
		add	[edx+0], ah
		insb
		add	[ebp+0], ah
		inc	ebp
		add	[esi+0], dh
		add	gs:[esi+0], ch
		jz	short $+2
		dec	esp
		add	[edi+0], ch
		add	[bx+0],	ah
		imul	eax, [eax], 67006Eh
; 
		dw 0
; 

??_C@_1CO@ILGIFEAF@?$AAK?$AAV?$AAF?$AA_?$AAH?$AAo?$AAt?$AAP?$AAa?$AAt?$AAc?$AAh?$AAS?$AAi?$AAm@EKOMKFNL@:
					; DATA XREF: INIT:00AF667Co
		dec	ebx
		add	[esi+0], dl
		inc	esi
		add	[edi+0], bl
		dec	eax
		add	[edi+0], ch
		jz	short $+2
		push	eax
		add	[ecx+0], ah
		jz	short $+2
		arpl	[eax], ax
		push	69005300h
		add	[ebp+0], ch
		jnz	short $+2
		insb
		add	[ecx+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
; 
		dd 0
; 

??_C@_03GDMIGCCC@Ver@EKOMKFNL@:		; DATA XREF: INIT:_SearchStringso
		push	esi
		db	65h
		jb	short $+3

??_C@_03DIOLMKKK@Rel@EKOMKFNL@:		; DATA XREF: INIT:00AF66B0o
		push	edx
		db	65h
		insb

loc_AFCA53:				; DATA XREF: INIT:00AF66ACo
		add	[edx+65h], dl
		jbe	short $+2

??_C@_02JGJPDFLN@v1@EKOMKFNL@:		; DATA XREF: INIT:00AF66B8o
		jbe	short near ptr loc_AFCA8A+1
; 
		dw 0
; 

??_C@_02IPIEAEPM@v0@EKOMKFNL@:		; DATA XREF: INIT:00AF66B4o
		jbe	short loc_AFCA8E
; 
		dw 0
; 

??_C@_02KEKJFHDP@v3@EKOMKFNL@:		; DATA XREF: INIT:00AF66C0o
		jbe	short near ptr loc_AFCA92+3
; 
		dw 0
; 

??_C@_02LNLCGGHO@v2@EKOMKFNL@:		; DATA XREF: INIT:00AF66BCo
		jbe	short near ptr loc_AFCA97+1
; 
		dw 0
; 

??_C@_02PCPDPALJ@v5@EKOMKFNL@:		; DATA XREF: INIT:00AF66C8o
		jbe	short near ptr loc_AFCA9E+1
; 
		dw 0
; 

??_C@_02OLOIMBPI@v4@EKOMKFNL@:		; DATA XREF: INIT:00AF66C4o
		jbe	short loc_AFCAA2
; 
		dw 0
; 

??_C@_02MAMFJCDL@v7@EKOMKFNL@:		; DATA XREF: INIT:00AF66D0o
		jbe	short loc_AFCAA9
; 
		dw 0
; 

??_C@_02NJNOKDHK@v6@EKOMKFNL@:		; DATA XREF: INIT:00AF66CCo
		jbe	short loc_AFCAAC
; 
		dw 0
; 

??_C@_02FOEGLPLF@v9@EKOMKFNL@:		; DATA XREF: INIT:00AF66D8o
		jbe	short near ptr loc_AFCAB1+2
; 
		dw 0
; 

??_C@_02EHFNIOPE@v8@EKOMKFNL@:		; DATA XREF: INIT:00AF66D4o
		jbe	short loc_AFCAB6
; 
		dw 0
; 

??_C@_03GOPPJOPB@v?51@EKOMKFNL@:	; DATA XREF: INIT:00AF66E0o
		jbe	short loc_AFCAA2
		xor	[eax], eax

??_C@_03HHOEKPLA@v?50@EKOMKFNL@:	; DATA XREF: INIT:00AF66DCo
		jbe	short loc_AFCAA6
		xor	[eax], al

??_C@_03FMMJPMHD@v?53@EKOMKFNL@:	; DATA XREF: INIT:00AF66E8o
		jbe	short near ptr loc_AFCAA9+1

loc_AFCA8A:				; CODE XREF: INIT:??_C@_02JGJPDFLN@v1@EKOMKFNL@j
		xor	eax, [eax]

??_C@_03EFNCMNDC@v?52@EKOMKFNL@:	; DATA XREF: INIT:00AF66E4o
		jbe	short near ptr loc_AFCAAC+2

loc_AFCA8E:				; CODE XREF: INIT:??_C@_02IPIEAEPM@v0@EKOMKFNL@j
		xor	al, [eax]

??_C@_03KJDFLPF@v?55@EKOMKFNL@:		; DATA XREF: INIT:00AF66F0o
		jbe	short near ptr loc_AFCAB1+1

loc_AFCA92:				; CODE XREF: INIT:??_C@_02KEKJFHDP@v3@EKOMKFNL@j
					; DATA XREF: INIT:00AF66ECo
		xor	eax, 34207600h

loc_AFCA97:				; CODE XREF: INIT:??_C@_02LNLCGGHO@v2@EKOMKFNL@j
					; DATA XREF: INIT:00AF66F8o
		add	[esi+20h], dh
		aaa

loc_AFCA9B:				; DATA XREF: INIT:00AF66F4o
		add	[esi+20h], dh

loc_AFCA9E:				; CODE XREF: INIT:??_C@_02PCPDPALJ@v5@EKOMKFNL@j
					; DATA XREF: INIT:00AF6700o
		add	ss:[esi+20h], dh

loc_AFCAA2:				; CODE XREF: INIT:??_C@_02OLOIMBPI@v4@EKOMKFNL@j
					; INIT:??_C@_03GOPPJOPB@v?51@EKOMKFNL@j
		cmp	[eax], eax

??_C@_03LPDNCFLI@v?58@EKOMKFNL@:	; DATA XREF: INIT:00AF66FCo
		jbe	short near ptr word_AFCAC6

loc_AFCAA6:				; CODE XREF: INIT:??_C@_03HHOEKPLA@v?50@EKOMKFNL@j
		cmp	[eax], al

??_C@_1BO@ODCKOAGG@?$AAU?$AAs?$AAe?$AAr?$AAA?$AAp?$AAc?$AAR?$AAe?$AAs?$AAe?$AAr?$AAv?$AAe@EKOMKFNL@:
		push	ebp

loc_AFCAA9:				; CODE XREF: INIT:??_C@_02MAMFJCDL@v7@EKOMKFNL@j
					; INIT:??_C@_03FMMJPMHD@v?53@EKOMKFNL@j
		add	[ebx+0], dh

loc_AFCAAC:				; CODE XREF: INIT:??_C@_02NJNOKDHK@v6@EKOMKFNL@j
					; INIT:??_C@_03EFNCMNDC@v?52@EKOMKFNL@j
		add	gs:[edx+0], dh
		inc	ecx

loc_AFCAB1:				; CODE XREF: INIT:??_C@_03KJDFLPF@v?55@EKOMKFNL@j
					; INIT:??_C@_02FOEGLPLF@v9@EKOMKFNL@j
		add	[eax+0], dh
		arpl	[eax], ax

loc_AFCAB6:				; CODE XREF: INIT:??_C@_02EHFNIOPE@v8@EKOMKFNL@j
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		add	gs:[edx+0], dh
		jbe	short $+2
		add	gs:[eax], al
; 
		db 0
word_AFCAC6	dw 0			; CODE XREF: INIT:??_C@_03LPDNCFLI@v?58@EKOMKFNL@j
; 

??_C@_1CI@GGODCCNK@?$AAI?$AAo?$AAC?$AAo?$AAm?$AAp?$AAl?$AAe?$AAt?$AAi?$AAo?$AAn?$AAR?$AAe?$AAs@EKOMKFNL@:
		dec	ecx
		add	[edi+0], ch
		inc	ebx
		add	[edi+0], ch
		insd
		add	[eax+0], dh
		insb
		add	[ebp+0], ah
		jz	short $+2
		imul	eax, [eax], 6E006Fh
		push	edx
		add	[ebp+0], ah
		jnb	short $+2
		add	gs:[edx+0], dh
		jbe	short $+2
		add	gs:[eax], al
		add	[ebx+69h], cl
		push	ebp
		jnb	short near ptr loc_AFCB58+2
		jb	short loc_AFCB38
		jo	short near ptr loc_AFCB58+4
		inc	esp
		imul	esi, [ebx+70h],	68637461h
		db	65h
		jb	short $+3

??_C@_0BJ@PGKGCADJ@KiUserCallbackDispatcher@EKOMKFNL@: ; DATA XREF: INIT:00AF6B10o
		dec	ebx
		imul	edx, [ebp+73h],	61437265h
		insb
		insb
		bound	esp, [ecx+63h]
		imul	eax, [ecx+ebp*2+73h], 70h
		popa
		jz	short loc_AFCB7C
		push	7265h
; 
		dw 0
; 

??_C@_0BP@LPIFGB@KiRaiseUserExceptionDispatcher@EKOMKFNL@: ; DATA XREF:	INIT:00AF6B18o
		dec	ebx
		imul	edx, [edx+61h],	55657369h
		jnb	short near ptr loc_AFCB8E+1
		jb	short near ptr loc_AFCB6E+3
		js	short near ptr loc_AFCB90+1
		db	65h
		jo	short near ptr loc_AFCBA4+1
		imul	ebp, [edi+6Eh],	70736944h

loc_AFCB38:				; CODE XREF: INIT:00AFCAF5j
		popa
		jz	short near ptr loc_AFCB9D+1
		push	7265h

??_C@_0BP@PLPPHEHH@ExpInterlockedPopEntrySListEnd@EKOMKFNL@: ; DATA XREF: INIT:00AF6B20o
		inc	ebp
		js	short loc_AFCBB3
		dec	ecx
		outsb
		jz	short loc_AFCBAC
		jb	short near ptr loc_AFCBB3+2
		outsd
		arpl	[ebx+65h], bp
		db	64h
		push	eax
		outsd
		jo	short loc_AFCB97
		outsb
		jz	short loc_AFCBC7
		jns	short loc_AFCBAA
		dec	esp

loc_AFCB58:				; CODE XREF: INIT:00AFCAF3j
					; INIT:00AFCAF7j
		imul	esi, [ebx+74h],	646E45h
; 
		db 0
; 

??_C@_0BD@INALBIAL@LdrInitializeThunk@EKOMKFNL@:
		dec	esp
		db	64h
		jb	short near ptr loc_AFCBAC+1
		outsb
		imul	esi, [ecx+ebp*2+61h], 657A696Ch
		push	esp

loc_AFCB6E:				; CODE XREF: INIT:00AFCB2Aj
		push	offset unk_6B6E75
		add	[edx+74h], dl
		insb
		push	ebp
		jnb	short near ptr loc_AFCBDE+1
		jb	short near ptr loc_AFCBCE+2

loc_AFCB7C:				; CODE XREF: INIT:00AFCB17j
		push	64616572h
		push	ebx
		jz	short near ptr loc_AFCBE4+1
		jb	short near ptr loc_AFCBF9+1
; 
		dw 0
; 

??_C@_0BC@OLOOOMKO@RtlUserFiberStart@EKOMKFNL@:
		push	edx
		jz	short near ptr byte_AFCBF7
		push	ebp
		jnb	short loc_AFCBF3

loc_AFCB8E:				; CODE XREF: INIT:00AFCB28j
		jb	short near ptr loc_AFCBD5+1

loc_AFCB90:				; CODE XREF: INIT:00AFCB2Cj
		imul	esp, [edx+65h],	61745372h

loc_AFCB97:				; CODE XREF: INIT:00AFCB50j
		jb	short loc_AFCC0D
; 
		db 3 dup(0)
; 

??_C@_0BK@CJAFJELE@KiUserExceptionDispatcher@EKOMKFNL@:
		dec	ebx

loc_AFCB9D:				; CODE XREF: INIT:00AFCB39j
		imul	edx, [ebp+73h],	78457265h

loc_AFCBA4:				; CODE XREF: INIT:00AFCB2Ej
		arpl	[ebp+70h], sp
		jz	short near ptr loc_AFCC10+2
		outsd

loc_AFCBAA:				; CODE XREF: INIT:00AFCB55j
		outsb
		inc	esp

loc_AFCBAC:				; CODE XREF: INIT:00AFCB45j
					; INIT:00AFCB61j
		imul	esi, [ebx+70h],	68637461h

loc_AFCBB3:				; CODE XREF: INIT:00AFCB41j
					; INIT:00AFCB47j
		db	65h
		jb	short $+3
; 
		dw 0
; 

??_C@_0BJ@CDBADGFN@WerReportExceptionWorker@EKOMKFNL@: ; DATA XREF: INIT:00AF6B48o
		push	edi
		db	65h
		jb	short near ptr loc_AFCC0D+1
		db	65h
		jo	short near ptr loc_AFCC2A+4
		jb	short loc_AFCC35
		inc	ebp
		js	short loc_AFCC27
		db	65h
		jo	short loc_AFCC3B

loc_AFCBC7:				; CODE XREF: INIT:00AFCB53j
		imul	ebp, [edi+6Eh],	6B726F57h

loc_AFCBCE:				; CODE XREF: INIT:00AFCB7Aj
		db	65h
		jb	short $+3
; 
		db 3 dup(0)
; 

??_C@_0CB@NBOJPKNI@ExpInterlockedPopEntrySListFaul@EKOMKFNL@: ;	DATA XREF: INIT:00AF6B28o
		inc	ebp

loc_AFCBD5:				; CODE XREF: INIT:loc_AFCB8Ej
		js	short near ptr byte_AFCC47
		dec	ecx
		outsb
		jz	short near ptr loc_AFCC3F+1
		jb	short loc_AFCC49
		outsd

loc_AFCBDE:				; CODE XREF: INIT:00AFCB78j
		arpl	[ebx+65h], bp
		db	64h
		push	eax
		outsd

loc_AFCBE4:				; CODE XREF: INIT:00AFCB82j
		jo	short near ptr loc_AFCC2A+1
		outsb
		jz	short near ptr loc_AFCC59+2
		jns	short loc_AFCC3E
		dec	esp
		imul	esi, [ebx+74h],	6C756146h

loc_AFCBF3:				; CODE XREF: INIT:00AFCB8Cj
		jz	short $+2
; 
		db 2 dup(0)
byte_AFCBF7	db 0			; CODE XREF: INIT:00AFCB89j
; 

??_C@_0CC@CJPFKDHP@ExpInterlockedPopEntrySListResu@EKOMKFNL@: ;	DATA XREF: INIT:00AF6B30o
		inc	ebp

loc_AFCBF9:				; CODE XREF: INIT:00AFCB84j
		js	short loc_AFCC6B
		dec	ecx
		outsb
		jz	short near ptr loc_AFCC63+1
		jb	short near ptr loc_AFCC6B+2
		outsd
		arpl	[ebx+65h], bp
		db	64h
		push	eax
		outsd
		jo	short near ptr loc_AFCC4D+2
		outsb
		jz	short near ptr loc_AFCC7D+2

loc_AFCC0D:				; CODE XREF: INIT:loc_AFCB97j
					; INIT:00AFCBB9j
		jns	short loc_AFCC62
		dec	esp

loc_AFCC10:				; CODE XREF: INIT:00AFCBA7j
		imul	esi, [ebx+74h],	75736552h
		insd
		add	gs:[eax], al

loc_AFCC1B:				; DATA XREF: INIT:00AF6B38o
		add	[esp+72h], cl
		push	ebx
		jns	short near ptr loc_AFCC92+3
		jz	short loc_AFCC89
		insd
		inc	esp
		insb

loc_AFCC27:				; CODE XREF: INIT:00AFCBC2j
		insb
		dec	ecx
		outsb

loc_AFCC2A:				; CODE XREF: INIT:loc_AFCBE4j
					; INIT:00AFCBBCj
		imul	esi, [edx+eax*2+6Ch], 6B636Fh
; 
		dw 0
; 

??_C@_0BD@OEGEGHJO@RtlpFreezeTimeBias@EKOMKFNL@: ; DATA	XREF: INIT:00AF6B40o
		push	edx

loc_AFCC35:				; CODE XREF: INIT:00AFCBBFj
		jz	short near ptr loc_AFCCA1+2
		jo	short near ptr loc_AFCC7D+2
		jb	short loc_AFCCA0

loc_AFCC3B:				; CODE XREF: INIT:00AFCBC4j
		db	65h
		jp	short near ptr loc_AFCCA1+2

loc_AFCC3E:				; CODE XREF: INIT:00AFCBE9j
		push	esp

loc_AFCC3F:				; CODE XREF: INIT:00AFCBD9j
		imul	ebp, [ebp+65h],	73616942h
; 
		db 0
byte_AFCC47	db 0			; CODE XREF: INIT:loc_AFCBD5j
; 

??_C@_1CM@JJOBNMMG@?$AAP?$AAs?$AAS?$AAi?$AAl?$AAo?$AAC?$AAo?$AAn?$AAt?$AAe?$AAx?$AAt?$AAN?$AAo@EKOMKFNL@:
		push	eax

loc_AFCC49:				; CODE XREF: INIT:00AFCBDBj
		add	[ebx+0], dh
		push	ebx

loc_AFCC4D:				; CODE XREF: INIT:00AFCC08j
		add	[ecx+0], ch
		insb
		add	[edi+0], ch
		inc	ebx
		add	[edi+0], ch
		outsb

loc_AFCC59:				; CODE XREF: INIT:00AFCBE7j
		add	[eax+eax+65h], dh
		add	[eax+0], bh
		jz	short $+2

loc_AFCC62:				; CODE XREF: INIT:loc_AFCC0Dj
		dec	esi

loc_AFCC63:				; CODE XREF: INIT:00AFCBFDj
		add	[edi+0], ch
		outsb
		add	[eax+0], dl
		popa

loc_AFCC6B:				; CODE XREF: INIT:loc_AFCBF9j
					; INIT:00AFCBFFj
		add	[edi+0], ah
		add	gs:[eax+eax+0],	ah
		add	[eax+0], dl
		jnb	short $+2
		push	ebx
		add	[ecx+0], ch
		insb

loc_AFCC7D:				; CODE XREF: INIT:00AFCC0Bj
					; INIT:00AFCC37j
		add	[edi+0], ch
		inc	ebx
		add	[edi+0], ch
		outsb
		add	[eax+eax+65h], dh

loc_AFCC89:				; CODE XREF: INIT:00AFCC22j
		add	[eax+0], bh
		jz	short $+2
		push	eax
		add	[ecx+0], ah

loc_AFCC92:				; CODE XREF: INIT:00AFCC20j
		add	[di+0],	ah
		add	fs:[eax], al
; 
		db 3 dup(0)
; 

??_C@_1CA@CDLNPKFB@?$AAT?$AAp?$AAW?$AAo?$AAr?$AAk?$AAe?$AAr?$AAF?$AAa?$AAc?$AAt?$AAo?$AAr?$AAy@EKOMKFNL@:
					; DATA XREF: INIT:00AF6CA8o
		push	esp
		add	[eax+0], dh

loc_AFCCA0:				; CODE XREF: INIT:00AFCC39j
		push	edi

loc_AFCCA1:				; CODE XREF: INIT:loc_AFCC35j
					; INIT:loc_AFCC3Bj
		add	[edi+0], ch
		jb	short $+2
		imul	eax, [eax], 65h
		add	[edx+0], dh
		inc	esi
		add	[ecx+0], ah
		arpl	[eax], ax
		jz	short $+2
		outsd
		add	[edx+0], dh
		jns	short $+2
; 
		dw 0
		align 200h
INIT		ends

; Section 21. (virtual address 006FD000)
; Virtual size			: 00019528 ( 103720.)
; Section size in file		: 00000200 (	512.)
; Offset to raw	data for section: 0067CE00
; Flags	C2000040: Data Discardable Readable Writable
; Alignment	: default
; 

; Segment type:	Pure data
; Segment permissions: Read/Write
INITDATA	segment	para public 'DATA' use32
		assume cs:INITDATA
		;org 0AFD000h
_InitTickRolloverDelayLength dd	4	; DATA XREF: INIT:loc_ACD46Er
					; INIT:00AF62ACo
_InitTickRolloverDelayType dd 4		; DATA XREF: INIT:00ACD477r
					; INIT:00AF62B0o
_CmSuiteBufferLength db	   0		; DATA XREF: INIT:00AF4ECCo
		db    1
		db    0
		db    0
_CmSuiteBufferType dd 0			; DATA XREF: ExpInitSystemPhase0()+AEr
					; INIT:00AF4ED0o
_CmInstallUILanguageIdLength dd	18h	; DATA XREF: CmpGetSystemControlValues+255r
					; INIT:00AF4F5Co
_CmInstallUILanguageIdType dd 0		; DATA XREF: CmpGetSystemControlValues:loc_ACB4F8r
					; INIT:00AF4F60o
_CmDefaultLanguageIdLength dd 18h	; DATA XREF: CmpGetSystemControlValues+234r
					; INIT:00AF4F44o
_CmDefaultLanguageIdType dd 0		; DATA XREF: CmpGetSystemControlValues:loc_ACB4D3r
					; INIT:00AF4F48o
_BvgaProgressIndicator dd 0		; DATA XREF: BvgaIndicateProgress()r
					; BvgaIndicateProgress()+8w
dword_AFD024	dd 19h			; DATA XREF: BvgaIndicateProgress()+10r
dword_AFD028	dd 0			; DATA XREF: BvgaIndicateProgress():loc_AECAA7r
					; BvgaIndicateProgress()+27w
_MmLargePageDriverBufferLength dd 400h	; DATA XREF: MiInitializeDriverImages+1Br
					; MiInitializeBootDefaults:loc_AEA19Ew	...
_PsRawPrioritySeparation dd 2		; DATA XREF: PspInitPhase0+1D3r
					; INIT:00AF5198o
_VfXdvSuppressDriversBufferLength dd 800h ; DATA XREF: VfClearVerifierSettings():loc_677216r
					; sub_AE213B:loc_AE2153r ...
_MmVerifyDriverBufferLength dd 1800h	; DATA XREF: ViInitSystemPhase0+145r
					; sub_AE213B+Ar ...
		align 10h
_CmNtGlobalFlag	dd 0			; DATA XREF: INIT:loc_ACD4A9r
					; INIT:00AF35A8o
_CmGlobalValidationRunlevel dd 0	; DATA XREF: INIT:loc_ACD42Cr
					; INIT:00AF6320o
_InitTableInfo	dw 0			; DATA XREF: RtlInitNlsTables+13o
					; RtlResetRtlTranslations+1Dr
		align 4
word_AFD04C	dw 0			; DATA XREF: RtlResetRtlTranslations+F2r
		align 10h
word_AFD050	dw 0			; DATA XREF: RtlResetRtlTranslations+FEr
		align 4
word_AFD054	dw 0			; DATA XREF: RtlResetRtlTranslations+97r
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_AFD064	dd 0			; DATA XREF: RtlResetRtlTranslations+D2r
dword_AFD068	dd 0			; DATA XREF: RtlResetRtlTranslations+E6r
		align 10h
dword_AFD070	dd 0			; DATA XREF: RtlResetRtlTranslations:loc_89635Dr
					; RtlResetRtlTranslations:loc_92D274r
word_AFD074	dw 0			; DATA XREF: RtlInitNlsTables+6o
					; RtlResetRtlTranslations+7r
		align 10h
word_AFD080	dw 0			; DATA XREF: RtlResetRtlTranslations+38r
		align 10h
dword_AFD090	dd 0			; DATA XREF: RtlResetRtlTranslations+6Er
dword_AFD094	dd 0			; DATA XREF: RtlResetRtlTranslations+7Fr
		db    0
		db    0
		db    0
		db    0
dword_AFD09C	dd 0			; DATA XREF: RtlResetRtlTranslations:loc_8962FAr
					; RtlResetRtlTranslations:loc_92D25Dr
dword_AFD0A0	dd 0			; DATA XREF: RtlInitNlsTables+36w
					; RtlResetRtlTranslations+10Ar	...
dword_AFD0A4	dd 0			; DATA XREF: RtlInitNlsTables+41w
					; RtlResetRtlTranslations+114r	...
_InitForceInline db 0			; DATA XREF: CreateMiniNtBootKey()+111r
		align 4
_CmNtGlobalFlag2 dd 0			; DATA XREF: INIT:00ACD436w
					; INIT:00ACD4B4r ...
; size_t InitNlsTableSize
_InitNlsTableSize dd 0			; DATA XREF: Phase1InitializationDiscard(x)+8E5r
					; Phase1InitializationDiscard(x):loc_AC0D20r ...
_BBTPagesToReserve dd 0			; DATA XREF: MiInitSystem+BEr
					; INIT:00ACD134w ...
; void *InitNlsTableBase
_InitNlsTableBase dd 0			; DATA XREF: Phase1InitializationDiscard(x)+9B6r
					; Phase1InitializationDiscard(x)+9C5w ...
_InitTickRolloverDelay dd 0		; DATA XREF: INIT:loc_ACD480w
					; INIT:loc_ACD486r ...
_CmpLoadOptions	dw 0			; DATA XREF: CmpInitializeLoadOptions+24w
					; CmpInitializeLoadOptions+60o	...
word_AFD0C2	dw 0			; DATA XREF: CmpInitializeLoadOptions+36w
dword_AFD0C4	dd 0			; DATA XREF: CmpInitializeLoadOptions+4Ew
					; CmpInitializeLoadOptions+70r	...
; void CmControlHive
_CmControlHive	db    0			; DATA XREF: CmSelectQualifiedInstallLanguage+119o
					; CmSelectQualifiedInstallLanguage+130o ...
		db    0
		db    0
		db    0
dword_AFD0CC	dd 0			; DATA XREF: CmSelectQualifiedInstallLanguage+135r
					; CmSelectQualifiedInstallLanguage+1A7r ...
dword_AFD0D0	dd 0			; DATA XREF: CmSelectQualifiedInstallLanguage+17Cr
					; CmSelectQualifiedInstallLanguage+2AFr ...
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_AFD0E4	dd 0			; DATA XREF: CmpGetSystemControlValues+A0w
					; CmpGetSystemControlValues+C8w
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
dword_AFD164	dd 0			; DATA XREF: CmpGetBootValueData:loc_ACB895r
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    0
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmSuiteBuffer	db    ?	;		; DATA XREF: ExpInitSystemPhase0()+C2o
					; INIT:00AF4EC8o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmInstallUILanguageFallbackToOOBm dd ?	; DATA XREF: CmpMigrateOOBELanguageToInstallationLanguage+1Fr
					; CmpGetSystemControlValues+1B22Bw
_Start		dd ?			; DATA XREF: CmpGetBiosVersion:loc_AC7373r
					; CmpGetBiosVersion+44w ...
_CmInstallUILanguageId db    ? ;	; DATA XREF: CmpGetSystemControlValues+25Bo
					; INIT:00AF4F58o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_CmDefaultLanguageId db	   ? ;		; DATA XREF: CmpGetSystemControlValues+23Ao
					; INIT:00AF4F40o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_BiosBegin	dd ?			; DATA XREF: CmpGetBiosVersion:loc_AC73CEr
					; CmpGetBiosVersion+125w
_End		dd ?			; DATA XREF: CmpGetBiosVersion+30r
					; CmpGetBiosVersion+E4r ...
_IoInitSystem_deviceNameBuffer db    ? ; ; DATA	XREF: INIT:00AC26C1o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_IoInitSystem_valueBuffer db	? ;	; DATA XREF: INIT:00AC2A3Fo
		db    ?	;
		db    ?	;
		db    ?	;
dword_AFDF0C	dd ?			; DATA XREF: INIT:00AC2A56r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_AFDF14	dd ?			; DATA XREF: INIT:00AC2A5Er
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_PnpDriverImageLoadPolicy dd ?		; DATA XREF: IopInitializeBootDrivers+85w
					; IopInitializeBootDrivers:loc_AB3E23r	...
_PnpBootDriverCallbackObject dd	?	; DATA XREF: IoRegisterBootDriverCallback(x,x)+1Fr
					; IoRegisterBootDriverCallback(x,x)+4Fo ...
_IopInitHalDeviceNode dd ?		; DATA XREF: IopAllocateLegacyBootResources+15r
					; IopAllocateLegacyBootResources:loc_AD1F50r ...
_IopInitReservedResourceList dd	?	; DATA XREF: IopInitializePlugPlayServices(x,x)+221w
					; IopAllocateLegacyBootResources:loc_AD1F2Er ...
_IopInitHalResources dd	?		; DATA XREF: IopCreateCmResourceList+10r
					; IopAllocateLegacyBootResources+1Dr ...
		align 10h
_KiNodeInit	dd ?			; DATA XREF: KeIsNodeInitialized(x)+9o
					; KiStartDynamicProcessor(x,x,x,x)+1D9o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_AFE080	db    ?	;		; DATA XREF: KiConfigureInitialNodes(x)+4Eo
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_AFE9C4	dd ?			; DATA XREF: .text:loc_410CC3w
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_MiLowHalVa	dd ?			; DATA XREF: MiInitializeSystemSpaceMap(x)+20r
					; MiInitializeSystemCache(x)+39r ...
_MxKernelFreedGapCharges dd ?		; DATA XREF: MiConstructLoaderEntry:loc_84A8E2r
_MxHalFreedGapCharges dd ?		; DATA XREF: MiConstructLoaderEntry+5AEr
dword_AFF34C	dd ?			; DATA XREF: MxConsumeLargePageSlush:loc_AB55D0r
					; MiCheckLargePageOk+3Fw
_MxHalDataTableEntry dd	?		; DATA XREF: MxConsumeLargePageSlush+1Er
					; MiCheckLargePageOk:loc_AD1A5Cw
_MxPfnMemoryDescriptorCache dd ?	; DATA XREF: MiIsRegularMemory(x,x)+4r
					; MiIsRegularMemory(x,x)+A7w
_MxFreeDescriptor dd ?			; DATA XREF: MxInitializeFreeNodeDescriptors+9Aw
					; MxGetNextPage:loc_AB722Dr ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_MxNonPfnMemoryDescriptorCache dd ?	; DATA XREF: MiIsRegularMemory(x,x):loc_AC9415r
					; MiIsRegularMemory(x,x):loc_AC949Aw
_MiHalScratchPte dd ?			; DATA XREF: MxGetPhase0Mappingr
					; MxGetPhase0Mapping+48w
_MxBootDescriptorAnyNode dd ?		; DATA XREF: MxSwitchDescriptors(x)+7Ar
					; MxSwitchDescriptors(x)+91r ...
_PspBootAccessToken dd ?		; DATA XREF: PspReferenceTokenForNewProcess(x,x,x,x):loc_7A2491r
					; PspInitPhase0+6DEw
_MxBootFreeDescriptor db    ? ;		; DATA XREF: MiCreateFreePfns+4Do
					; MxInitializeFreeNodeDescriptors+3Ao
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_AFF3B8	db    ?	;		; DATA XREF: MxSwitchDescriptors(x)+51o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_AFF4E8	dd ?			; DATA XREF: MiCreateFreePfns+2AF41o
					; MxSwitchDescriptors(x)+18r
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
_SeCiStateElements dd ?			; DATA XREF: SeCodeIntegrityInitializePolicy(x)+61w
_SeCiStateElementCount dd ?		; DATA XREF: SeCodeIntegrityInitializePolicy(x)+69w
_VfXdvSuppressDriversBuffer db	  ? ;	; DATA XREF: VfSuspectDriversParseRegistryString()+1DEo
					; VfSuspectDriversParseRegistryString()+1E5o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
; void MmVerifyDriverBuffer
_MmVerifyDriverBuffer db    ? ;		; DATA XREF: ViInitSystemPhase0+1A144o
					; ViInitSystemPhase0+1A14Eo ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_B000AE	db    ?	;		; DATA XREF: PAGE:00A40914o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
word_B0162E	dw ?			; DATA XREF: VfInitSetVerifyDriverTargets(x,x)+14w
_EtwBootPerfData dd ?			; DATA XREF: INIT:00ACD502w
					; EtwpTraceSystemInitialization+1180Ao
dword_B01634	dd ?			; DATA XREF: INIT:00ACD4F8w
dword_B01638	dd ?			; DATA XREF: INIT:00ACD526w
dword_B0163C	dd ?			; DATA XREF: INIT:00ACD52Bw
dword_B01640	dd ?			; DATA XREF: Phase1Initialization(x)+11w
dword_B01644	dd ?			; DATA XREF: Phase1Initialization(x)+16w
dword_B01648	dd ?			; DATA XREF: Phase1InitializationDiscard(x)+A48w
dword_B0164C	dd ?			; DATA XREF: Phase1InitializationDiscard(x)+A50w
dword_B01650	dd ?			; DATA XREF: Phase1InitializationDiscard(x)+AC0w
dword_B01654	dd ?			; DATA XREF: Phase1InitializationDiscard(x)+AC5w
dword_B01658	dd ?			; DATA XREF: Phase1InitializationDiscard(x)+672w
dword_B0165C	dd ?			; DATA XREF: Phase1InitializationDiscard(x)+677w
dword_B01660	dd ?			; DATA XREF: Phase1InitializationDiscard(x)+696w
dword_B01664	dd ?			; DATA XREF: Phase1InitializationDiscard(x)+68Ew
dword_B01668	dd ?			; DATA XREF: EtwInitializeSiloState+25Dw
dword_B0166C	dd ?			; DATA XREF: EtwInitializeSiloState+262w
dword_B01670	dd ?			; DATA XREF: EtwInitializeSiloState+276w
dword_B01674	dd ?			; DATA XREF: EtwInitializeSiloState+27Bw
dword_B01678	dd ?			; DATA XREF: Phase1InitializationDiscard(x)+8B6w
dword_B0167C	dd ?			; DATA XREF: Phase1InitializationDiscard(x)+8BDw
dword_B01680	dd ?			; DATA XREF: Phase1InitializationDiscard(x)+8E0w
dword_B01684	dd ?			; DATA XREF: Phase1InitializationDiscard(x)+8EAw
dword_B01688	dd ?			; DATA XREF: INIT:00ACD2B5w
dword_B0168C	dd ?			; DATA XREF: INIT:00ACD2BAw
dword_B01690	dd ?			; DATA XREF: INIT:00ACD2DEw
dword_B01694	dd ?			; DATA XREF: INIT:00ACD2D6w
dword_B01698	dd ?			; DATA XREF: MiInitNucleus(x)+12Cw
dword_B0169C	dd ?			; DATA XREF: MiInitNucleus(x)+131w
dword_B016A0	dd ?			; DATA XREF: MiInitNucleus(x)+13Ew
dword_B016A4	dd ?			; DATA XREF: MiInitNucleus(x)+143w
dword_B016A8	dd ?			; DATA XREF: MiInitNucleus(x)+1B7w
dword_B016AC	dd ?			; DATA XREF: MiInitNucleus(x)+1BCw
dword_B016B0	dd ?			; DATA XREF: MiInitNucleus(x)+1DAw
dword_B016B4	dd ?			; DATA XREF: MiInitNucleus(x)+1DFw
dword_B016B8	dd ?			; DATA XREF: MiInitNucleus(x)+1F0w
dword_B016BC	dd ?			; DATA XREF: MiInitNucleus(x)+1F5w
dword_B016C0	dd ?			; DATA XREF: MiInitNucleus(x)+206w
dword_B016C4	dd ?			; DATA XREF: MiInitNucleus(x)+20Bw
dword_B016C8	dd ?			; DATA XREF: MiInitNucleus(x)+21Bw
dword_B016CC	dd ?			; DATA XREF: MiInitNucleus(x)+220w
dword_B016D0	dd ?			; DATA XREF: MiInitNucleus(x)+2A1w
dword_B016D4	dd ?			; DATA XREF: MiInitNucleus(x)+2ABw
dword_B016D8	dd ?			; DATA XREF: MiInitNucleus(x)+3B0w
dword_B016DC	dd ?			; DATA XREF: MiInitNucleus(x)+3A7w
dword_B016E0	dd ?			; DATA XREF: MiInitNucleus(x)+44Aw
dword_B016E4	dd ?			; DATA XREF: MiInitNucleus(x)+44Fw
dword_B016E8	dd ?			; DATA XREF: MiInitNucleus(x)+49Fw
dword_B016EC	dd ?			; DATA XREF: MiInitNucleus(x)+4A4w
dword_B016F0	dd ?			; DATA XREF: MiInitNucleus(x)+4B5w
dword_B016F4	dd ?			; DATA XREF: MiInitNucleus(x)+4BAw
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_B01708	dd ?			; DATA XREF: MiInitSystem+2EBw
dword_B0170C	dd ?			; DATA XREF: MiInitSystem+2F0w
dword_B01710	dd ?			; DATA XREF: MiInitSystem+308w
dword_B01714	dd ?			; DATA XREF: MiInitSystem+30Dw
dword_B01718	dd ?			; DATA XREF: MiInitSystem+323w
dword_B0171C	dd ?			; DATA XREF: MiInitSystem+332w
dword_B01720	dd ?			; DATA XREF: MiInitSystem+360w
dword_B01724	dd ?			; DATA XREF: MiInitSystem+365w
dword_B01728	dd ?			; DATA XREF: MiInitSystem+405w
dword_B0172C	dd ?			; DATA XREF: MiInitSystem+40Aw
dword_B01730	dd ?			; DATA XREF: MiInitSystem+418w
dword_B01734	dd ?			; DATA XREF: MiInitSystem+41Dw
_ExpMultiUserTS	db ?			; DATA XREF: ExpInitSystemPhase0()+BCr
					; INIT:00AF4EB0o
		align 10h
_ExpHostBootLicensingData db	? ;	; DATA XREF: ExpInitLicensing(x)+1Fo
					; INIT:00AF4EE0o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
dword_B15740	dd ?			; DATA XREF: ExpInitLicensing(x)+Fw
					; INIT:00AF4EE4o
dword_B15744	dd ?			; DATA XREF: ExpInitLicensing(x)+19w
					; INIT:00AF4EE8o
unk_B15748	db    ?	;		; DATA XREF: RaspScanConvert+87625o
					; RaspScanConvert+87639o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_B15DCB	db    ?	;		; DATA XREF: SmpKeyedStoreEntryGet(x,x,x,x)+A6o
					; SmpKeyedStoreEntryGet(x,x,x,x)+369o ...
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
unk_B16388	db    ?	;		; DATA XREF: RaspScanConvert+21Fo
					; RaspScanConvert+87648o
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
		db    ?	;
INITDATA	ends


		end _KiSystemStartup@4
